[linux-2.6-block.git] / arch / x86 / include / asm / uaccess.h

/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _ASM_X86_UACCESS_H
#define _ASM_X86_UACCESS_H
/*
 * User space memory access functions
 */
#include <linux/compiler.h>
#include <linux/kasan-checks.h>
#include <linux/string.h>
#include <asm/asm.h>
#include <asm/page.h>
#include <asm/smap.h>
#include <asm/extable.h>

/*
 * The fs value determines whether argument validity checking should be
 * performed or not.  If get_fs() == USER_DS, checking is performed, with
 * get_fs() == KERNEL_DS, checking is bypassed.
 *
 * For historical reasons, these macros are grossly misnamed.
 */

#define MAKE_MM_SEG(s)	((mm_segment_t) { (s) })

#define KERNEL_DS	MAKE_MM_SEG(-1UL)
#define USER_DS 	MAKE_MM_SEG(TASK_SIZE_MAX)

#define get_fs()	(current->thread.addr_limit)
static inline void set_fs(mm_segment_t fs)
{
	current->thread.addr_limit = fs;
	/* On user-mode return, check fs is correct */
	set_thread_flag(TIF_FSCHECK);
}

#define segment_eq(a, b)	((a).seg == (b).seg)
#define user_addr_max() (current->thread.addr_limit.seg)

/*
 * Test whether a block of memory is a valid user space address.
 * Returns 0 if the range is valid, nonzero otherwise.
 */
static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, unsigned long limit)
{
	/*
	 * If we have used "sizeof()" for the size,
	 * we know it won't overflow the limit (but
	 * it might overflow the 'addr', so it's
	 * important to subtract the size from the
	 * limit, not add it to the address).
	 */
	if (__builtin_constant_p(size))
		return unlikely(addr > limit - size);

	/* Arbitrary sizes? Be careful about overflow */
	addr += size;
	if (unlikely(addr < size))
		return true;
	return unlikely(addr > limit);
}

#define __range_not_ok(addr, size, limit)				\
({									\
	__chk_user_ptr(addr);						\
	__chk_range_not_ok((unsigned long __force)(addr), size, limit); \
})

#ifdef CONFIG_DEBUG_ATOMIC_SLEEP
static inline bool pagefault_disabled(void);
# define WARN_ON_IN_IRQ()	\
	WARN_ON_ONCE(!in_task() && !pagefault_disabled())
#else
# define WARN_ON_IN_IRQ()
#endif

/**
 * access_ok - Checks if a user space pointer is valid
 * @addr: User space pointer to start of block to check
 * @size: Size of block to check
 *
 * Context: User context only. This function may sleep if pagefaults are
 *          enabled.
 *
 * Checks if a pointer to a block of memory in user space is valid.
 *
 * Note that, depending on architecture, this function probably just
 * checks that the pointer is in the user space range - after calling
 * this function, memory access functions may still return -EFAULT.
 *
 * Return: true (nonzero) if the memory block may be valid, false (zero)
 * if it is definitely invalid.
 */
#define access_ok(addr, size)					\
({									\
	WARN_ON_IN_IRQ();						\
	likely(!__range_not_ok(addr, size, user_addr_max()));		\
})

/*
 * These are the main single-value transfer routines.  They automatically
 * use the right size if we just have the right pointer type.
 *
 * This gets kind of ugly. We want to return _two_ values in "get_user()"
 * and yet we don't want to do any pointers, because that is too much
 * of a performance impact. Thus we have a few rather ugly macros here,
 * and hide all the ugliness from the user.
 *
 * The "__xxx" versions of the user access functions are versions that
 * do not verify the address space, that must have been done previously
 * with a separate "access_ok()" call (this is used when we do multiple
 * accesses to the same area of user memory).
 */

extern int __get_user_1(void);
extern int __get_user_2(void);
extern int __get_user_4(void);
extern int __get_user_8(void);
extern int __get_user_bad(void);

#define __uaccess_begin() stac()
#define __uaccess_end()   clac()
#define __uaccess_begin_nospec()	\
({					\
	stac();				\
	barrier_nospec();		\
})

/*
 * This is the smallest unsigned integer type that can fit a value
 * (up to 'long long')
 */
#define __inttype(x) __typeof__(		\
	__typefits(x,char,			\
	  __typefits(x,short,			\
	    __typefits(x,int,			\
	      __typefits(x,long,0ULL)))))

#define __typefits(x,type,not) \
	__builtin_choose_expr(sizeof(x)<=sizeof(type),(unsigned type)0,not)

/**
 * get_user - Get a simple variable from user space.
 * @x:   Variable to store result.
 * @ptr: Source address, in user space.
 *
 * Context: User context only. This function may sleep if pagefaults are
 *          enabled.
 *
 * This macro copies a single simple variable from user space to kernel
 * space.  It supports simple types like char and int, but not larger
 * data types like structures or arrays.
 *
 * @ptr must have pointer-to-simple-variable type, and the result of
 * dereferencing @ptr must be assignable to @x without a cast.
 *
 * Return: zero on success, or -EFAULT on error.
 * On error, the variable @x is set to zero.
 */
/*
 * Careful: we have to cast the result to the type of the pointer
 * for sign reasons.
 *
 * The use of _ASM_DX as the register specifier is a bit of a
 * simplification, as gcc only cares about it as the starting point
 * and not size: for a 64-bit value it will use %ecx:%edx on 32 bits
 * (%ecx being the next register in gcc's x86 register sequence), and
 * %rdx on 64 bits.
 *
 * Clang/LLVM cares about the size of the register, but still wants
 * the base register for something that ends up being a pair.
 */
#define get_user(x, ptr)						\
({									\
	int __ret_gu;							\
	register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX);		\
	__chk_user_ptr(ptr);						\
	might_fault();							\
	asm volatile("call __get_user_%P4"				\
		     : "=a" (__ret_gu), "=r" (__val_gu),		\
			ASM_CALL_CONSTRAINT				\
		     : "0" (ptr), "i" (sizeof(*(ptr))));		\
	(x) = (__force __typeof__(*(ptr))) __val_gu;			\
	__builtin_expect(__ret_gu, 0);					\
})

#define __put_user_x(size, x, ptr, __ret_pu)			\
	asm volatile("call __put_user_" #size : "=a" (__ret_pu)	\
		     : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")


#ifdef CONFIG_X86_32
#define __put_user_goto_u64(x, addr, label)			\
	asm_volatile_goto("\n"					\
		     "1:	movl %%eax,0(%1)\n"		\
		     "2:	movl %%edx,4(%1)\n"		\
		     _ASM_EXTABLE_UA(1b, %l2)			\
		     _ASM_EXTABLE_UA(2b, %l2)			\
		     : : "A" (x), "r" (addr)			\
		     : : label)

#define __put_user_x8(x, ptr, __ret_pu)				\
	asm volatile("call __put_user_8" : "=a" (__ret_pu)	\
		     : "A" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
#else
#define __put_user_goto_u64(x, ptr, label) \
	__put_user_goto(x, ptr, "q", "er", label)
#define __put_user_x8(x, ptr, __ret_pu) __put_user_x(8, x, ptr, __ret_pu)
#endif

extern void __put_user_bad(void);

/*
 * Strange magic calling convention: pointer in %ecx,
 * value in %eax(:%edx), return value in %eax. clobbers %rbx
 */
extern void __put_user_1(void);
extern void __put_user_2(void);
extern void __put_user_4(void);
extern void __put_user_8(void);

/**
 * put_user - Write a simple value into user space.
 * @x:   Value to copy to user space.
 * @ptr: Destination address, in user space.
 *
 * Context: User context only. This function may sleep if pagefaults are
 *          enabled.
 *
 * This macro copies a single simple value from kernel space to user
 * space.  It supports simple types like char and int, but not larger
 * data types like structures or arrays.
 *
 * @ptr must have pointer-to-simple-variable type, and @x must be assignable
 * to the result of dereferencing @ptr.
 *
 * Return: zero on success, or -EFAULT on error.
 */
#define put_user(x, ptr)					\
({								\
	int __ret_pu;						\
	__typeof__(*(ptr)) __pu_val;				\
	__chk_user_ptr(ptr);					\
	might_fault();						\
	__pu_val = x;						\
	switch (sizeof(*(ptr))) {				\
	case 1:							\
		__put_user_x(1, __pu_val, ptr, __ret_pu);	\
		break;						\
	case 2:							\
		__put_user_x(2, __pu_val, ptr, __ret_pu);	\
		break;						\
	case 4:							\
		__put_user_x(4, __pu_val, ptr, __ret_pu);	\
		break;						\
	case 8:							\
		__put_user_x8(__pu_val, ptr, __ret_pu);		\
		break;						\
	default:						\
		__put_user_x(X, __pu_val, ptr, __ret_pu);	\
		break;						\
	}							\
	__builtin_expect(__ret_pu, 0);				\
})

#define __put_user_size(x, ptr, size, label)				\
do {									\
	__chk_user_ptr(ptr);						\
	switch (size) {							\
	case 1:								\
		__put_user_goto(x, ptr, "b", "iq", label);		\
		break;							\
	case 2:								\
		__put_user_goto(x, ptr, "w", "ir", label);		\
		break;							\
	case 4:								\
		__put_user_goto(x, ptr, "l", "ir", label);		\
		break;							\
	case 8:								\
		__put_user_goto_u64(x, ptr, label);			\
		break;							\
	default:							\
		__put_user_bad();					\
	}								\
} while (0)

#ifdef CONFIG_X86_32
#define __get_user_asm_u64(x, ptr, retval)				\
({									\
	__typeof__(ptr) __ptr = (ptr);					\
	asm volatile("\n"						\
		     "1:	movl %[lowbits],%%eax\n"		\
		     "2:	movl %[highbits],%%edx\n"		\
		     "3:\n"						\
		     ".section .fixup,\"ax\"\n"				\
		     "4:	mov %[efault],%[errout]\n"		\
		     "	xorl %%eax,%%eax\n"				\
		     "	xorl %%edx,%%edx\n"				\
		     "	jmp 3b\n"					\
		     ".previous\n"					\
		     _ASM_EXTABLE_UA(1b, 4b)				\
		     _ASM_EXTABLE_UA(2b, 4b)				\
		     : [errout] "=r" (retval),				\
		       [output] "=&A"(x)				\
		     : [lowbits] "m" (__m(__ptr)),			\
		       [highbits] "m" __m(((u32 __user *)(__ptr)) + 1),	\
		       [efault] "i" (-EFAULT), "0" (retval));		\
})

#else
#define __get_user_asm_u64(x, ptr, retval) \
	 __get_user_asm(x, ptr, retval, "q", "=r")
#endif

#define __get_user_size(x, ptr, size, retval)				\
do {									\
	retval = 0;							\
	__chk_user_ptr(ptr);						\
	switch (size) {							\
	case 1:								\
		__get_user_asm(x, ptr, retval, "b", "=q");		\
		break;							\
	case 2:								\
		__get_user_asm(x, ptr, retval, "w", "=r");		\
		break;							\
	case 4:								\
		__get_user_asm(x, ptr, retval, "l", "=r");		\
		break;							\
	case 8:								\
		__get_user_asm_u64(x, ptr, retval);			\
		break;							\
	default:							\
		(x) = __get_user_bad();					\
	}								\
} while (0)

#define __get_user_asm(x, addr, err, itype, ltype)			\
	asm volatile("\n"						\
		     "1:	mov"itype" %[umem],%[output]\n"		\
		     "2:\n"						\
		     ".section .fixup,\"ax\"\n"				\
		     "3:	mov %[efault],%[errout]\n"		\
		     "	xor"itype" %[output],%[output]\n"		\
		     "	jmp 2b\n"					\
		     ".previous\n"					\
		     _ASM_EXTABLE_UA(1b, 3b)				\
		     : [errout] "=r" (err),				\
		       [output] ltype(x)				\
		     : [umem] "m" (__m(addr)),				\
		       [efault] "i" (-EFAULT), "0" (err))

#define __put_user_nocheck(x, ptr, size)			\
({								\
	__label__ __pu_label;					\
	int __pu_err = -EFAULT;					\
	__typeof__(*(ptr)) __pu_val = (x);			\
	__typeof__(ptr) __pu_ptr = (ptr);			\
	__typeof__(size) __pu_size = (size);			\
	__uaccess_begin();					\
	__put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_label);	\
	__pu_err = 0;						\
__pu_label:							\
	__uaccess_end();					\
	__builtin_expect(__pu_err, 0);				\
})

#define __get_user_nocheck(x, ptr, size)				\
({									\
	int __gu_err;							\
	__inttype(*(ptr)) __gu_val;					\
	__typeof__(ptr) __gu_ptr = (ptr);				\
	__typeof__(size) __gu_size = (size);				\
	__uaccess_begin_nospec();					\
	__get_user_size(__gu_val, __gu_ptr, __gu_size, __gu_err);	\
	__uaccess_end();						\
	(x) = (__force __typeof__(*(ptr)))__gu_val;			\
	__builtin_expect(__gu_err, 0);					\
})

/* FIXME: this hack is definitely wrong -AK */
struct __large_struct { unsigned long buf[100]; };
#define __m(x) (*(struct __large_struct __user *)(x))

/*
 * Tell gcc we read from memory instead of writing: this is because
 * we do not write to any memory gcc knows about, so there are no
 * aliasing issues.
 */
#define __put_user_goto(x, addr, itype, ltype, label)			\
	asm_volatile_goto("\n"						\
		"1:	mov"itype" %0,%1\n"				\
		_ASM_EXTABLE_UA(1b, %l2)				\
		: : ltype(x), "m" (__m(addr))				\
		: : label)

/**
 * __get_user - Get a simple variable from user space, with less checking.
 * @x:   Variable to store result.
 * @ptr: Source address, in user space.
 *
 * Context: User context only. This function may sleep if pagefaults are
 *          enabled.
 *
 * This macro copies a single simple variable from user space to kernel
 * space.  It supports simple types like char and int, but not larger
 * data types like structures or arrays.
 *
 * @ptr must have pointer-to-simple-variable type, and the result of
 * dereferencing @ptr must be assignable to @x without a cast.
 *
 * Caller must check the pointer with access_ok() before calling this
 * function.
 *
 * Return: zero on success, or -EFAULT on error.
 * On error, the variable @x is set to zero.
 */

#define __get_user(x, ptr)						\
	__get_user_nocheck((x), (ptr), sizeof(*(ptr)))

/**
 * __put_user - Write a simple value into user space, with less checking.
 * @x:   Value to copy to user space.
 * @ptr: Destination address, in user space.
 *
 * Context: User context only. This function may sleep if pagefaults are
 *          enabled.
 *
 * This macro copies a single simple value from kernel space to user
 * space.  It supports simple types like char and int, but not larger
 * data types like structures or arrays.
 *
 * @ptr must have pointer-to-simple-variable type, and @x must be assignable
 * to the result of dereferencing @ptr.
 *
 * Caller must check the pointer with access_ok() before calling this
 * function.
 *
 * Return: zero on success, or -EFAULT on error.
 */

#define __put_user(x, ptr)						\
	__put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))

extern unsigned long
copy_from_user_nmi(void *to, const void __user *from, unsigned long n);
extern __must_check long
strncpy_from_user(char *dst, const char __user *src, long count);

extern __must_check long strnlen_user(const char __user *str, long n);

unsigned long __must_check clear_user(void __user *mem, unsigned long len);
unsigned long __must_check __clear_user(void __user *mem, unsigned long len);

/*
 * movsl can be slow when source and dest are not both 8-byte aligned
 */
#ifdef CONFIG_X86_INTEL_USERCOPY
extern struct movsl_mask {
	int mask;
} ____cacheline_aligned_in_smp movsl_mask;
#endif

#define ARCH_HAS_NOCACHE_UACCESS 1

#ifdef CONFIG_X86_32
# include <asm/uaccess_32.h>
#else
# include <asm/uaccess_64.h>
#endif

/*
 * The "unsafe" user accesses aren't really "unsafe", but the naming
 * is a big fat warning: you have to not only do the access_ok()
 * checking before using them, but you have to surround them with the
 * user_access_begin/end() pair.
 */
static __must_check __always_inline bool user_access_begin(const void __user *ptr, size_t len)
{
	if (unlikely(!access_ok(ptr,len)))
		return 0;
	__uaccess_begin_nospec();
	return 1;
}
#define user_access_begin(a,b)	user_access_begin(a,b)
#define user_access_end()	__uaccess_end()

#define user_access_save()	smap_save()
#define user_access_restore(x)	smap_restore(x)

#define unsafe_put_user(x, ptr, label)	\
	__put_user_size((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)), label)

#define unsafe_get_user(x, ptr, err_label)					\
do {										\
	int __gu_err;								\
	__inttype(*(ptr)) __gu_val;						\
	__get_user_size(__gu_val, (ptr), sizeof(*(ptr)), __gu_err);		\
	(x) = (__force __typeof__(*(ptr)))__gu_val;				\
	if (unlikely(__gu_err)) goto err_label;					\
} while (0)

/*
 * We want the unsafe accessors to always be inlined and use
 * the error labels - thus the macro games.
 */
#define unsafe_copy_loop(dst, src, len, type, label)			\
	while (len >= sizeof(type)) {					\
		unsafe_put_user(*(type *)src,(type __user *)dst,label);	\
		dst += sizeof(type);					\
		src += sizeof(type);					\
		len -= sizeof(type);					\
	}

#define unsafe_copy_to_user(_dst,_src,_len,label)			\
do {									\
	char __user *__ucu_dst = (_dst);				\
	const char *__ucu_src = (_src);					\
	size_t __ucu_len = (_len);					\
	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u64, label);	\
	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u32, label);	\
	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u16, label);	\
	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u8, label);	\
} while (0)

#endif /* _ASM_X86_UACCESS_H */
Commit	Line	Data
b2441318	1	/* SPDX-License-Identifier: GPL-2.0 */
1965aae3 PA	2	#ifndef _ASM_X86_UACCESS_H
1965aae3 PA	3	#define _ASM_X86_UACCESS_H
ca233862 GC	4	/*
	5	* User space memory access functions
	6	*/
ca233862	7	#include <linux/compiler.h>
1771c6e1	8	#include <linux/kasan-checks.h>
ca233862 GC	9	#include <linux/string.h>
	10	#include <asm/asm.h>
	11	#include <asm/page.h>
63bcff2a	12	#include <asm/smap.h>
45caf470	13	#include <asm/extable.h>
ca233862	14
ca233862 GC	15	/*
	16	* The fs value determines whether argument validity checking should be
	17	* performed or not. If get_fs() == USER_DS, checking is performed, with
	18	* get_fs() == KERNEL_DS, checking is bypassed.
	19	*
	20	* For historical reasons, these macros are grossly misnamed.
	21	*/
	22
	23	#define MAKE_MM_SEG(s) ((mm_segment_t) { (s) })
	24
	25	#define KERNEL_DS MAKE_MM_SEG(-1UL)
9063c61f	26	#define USER_DS MAKE_MM_SEG(TASK_SIZE_MAX)
ca233862	27
13d4ea09	28	#define get_fs() (current->thread.addr_limit)
5ea0727b TG	29	static inline void set_fs(mm_segment_t fs)
	30	{
	31	current->thread.addr_limit = fs;
	32	/* On user-mode return, check fs is correct */
	33	set_thread_flag(TIF_FSCHECK);
	34	}
ca233862 GC	35
ca233862 GC	36	#define segment_eq(a, b) ((a).seg == (b).seg)
13d4ea09	37	#define user_addr_max() (current->thread.addr_limit.seg)
002ca169	38
ca233862 GC	39	/*
	40	* Test whether a block of memory is a valid user space address.
	41	* Returns 0 if the range is valid, nonzero otherwise.
ca233862	42	*/
a740576a	43	static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, unsigned long limit)
c5fe5d80 LT	44	{
	45	/*
	46	* If we have used "sizeof()" for the size,
	47	* we know it won't overflow the limit (but
	48	* it might overflow the 'addr', so it's
	49	* important to subtract the size from the
	50	* limit, not add it to the address).
	51	*/
	52	if (__builtin_constant_p(size))
7e0f51cb	53	return unlikely(addr > limit - size);
c5fe5d80 LT	54
	55	/* Arbitrary sizes? Be careful about overflow */
	56	addr += size;
7e0f51cb	57	if (unlikely(addr < size))
a740576a	58	return true;
7e0f51cb	59	return unlikely(addr > limit);
c5fe5d80	60	}
ca233862	61
bc6ca7b3	62	#define __range_not_ok(addr, size, limit) \
ca233862	63	({ \
ca233862	64	__chk_user_ptr(addr); \
c5fe5d80	65	__chk_range_not_ok((unsigned long __force)(addr), size, limit); \
ca233862 GC	66	})
ca233862 GC	67
7c478895	68	#ifdef CONFIG_DEBUG_ATOMIC_SLEEP
2d8d8fac MH	69	static inline bool pagefault_disabled(void);
	70	# define WARN_ON_IN_IRQ() \
	71	WARN_ON_ONCE(!in_task() && !pagefault_disabled())
7c478895 PZ	72	#else
	73	# define WARN_ON_IN_IRQ()
	74	#endif
	75
ca233862	76	/**
bc8ff3ca	77	* access_ok - Checks if a user space pointer is valid
ca233862 GC	78	* @addr: User space pointer to start of block to check
	79	* @size: Size of block to check
	80	*
b3c395ef DH	81	* Context: User context only. This function may sleep if pagefaults are
b3c395ef DH	82	* enabled.
ca233862 GC	83	*
	84	* Checks if a pointer to a block of memory in user space is valid.
	85	*
ca233862 GC	86	* Note that, depending on architecture, this function probably just
	87	* checks that the pointer is in the user space range - after calling
	88	* this function, memory access functions may still return -EFAULT.
bc8ff3ca MR	89	*
	90	* Return: true (nonzero) if the memory block may be valid, false (zero)
	91	* if it is definitely invalid.
ca233862	92	*/
96d4f267	93	#define access_ok(addr, size) \
7c478895 PZ	94	({ \
	95	WARN_ON_IN_IRQ(); \
	96	likely(!__range_not_ok(addr, size, user_addr_max())); \
	97	})
ca233862	98
ca233862 GC	99	/*
	100	* These are the main single-value transfer routines. They automatically
	101	* use the right size if we just have the right pointer type.
	102	*
	103	* This gets kind of ugly. We want to return _two_ values in "get_user()"
	104	* and yet we don't want to do any pointers, because that is too much
	105	* of a performance impact. Thus we have a few rather ugly macros here,
	106	* and hide all the ugliness from the user.
	107	*
	108	* The "__xxx" versions of the user access functions are versions that
	109	* do not verify the address space, that must have been done previously
	110	* with a separate "access_ok()" call (this is used when we do multiple
	111	* accesses to the same area of user memory).
	112	*/
	113
	114	extern int __get_user_1(void);
	115	extern int __get_user_2(void);
	116	extern int __get_user_4(void);
	117	extern int __get_user_8(void);
	118	extern int __get_user_bad(void);
	119
11f1a4b9 LT	120	#define __uaccess_begin() stac()
11f1a4b9 LT	121	#define __uaccess_end() clac()
b3bbfb3f DW	122	#define __uaccess_begin_nospec() \
	123	({ \
	124	stac(); \
	125	barrier_nospec(); \
	126	})
11f1a4b9	127
3578baae	128	/*
7da63b3d LT	129	* This is the smallest unsigned integer type that can fit a value
7da63b3d LT	130	* (up to 'long long')
3578baae	131	*/
7da63b3d LT	132	#define __inttype(x) __typeof__( \
	133	__typefits(x,char, \
	134	__typefits(x,short, \
	135	__typefits(x,int, \
	136	__typefits(x,long,0ULL)))))
	137
	138	#define __typefits(x,type,not) \
	139	__builtin_choose_expr(sizeof(x)<=sizeof(type),(unsigned type)0,not)
865e5b76 GC	140
865e5b76 GC	141	/**
bc8ff3ca	142	* get_user - Get a simple variable from user space.
865e5b76 GC	143	* @x: Variable to store result.
	144	* @ptr: Source address, in user space.
	145	*
b3c395ef DH	146	* Context: User context only. This function may sleep if pagefaults are
b3c395ef DH	147	* enabled.
865e5b76 GC	148	*
	149	* This macro copies a single simple variable from user space to kernel
	150	* space. It supports simple types like char and int, but not larger
	151	* data types like structures or arrays.
	152	*
	153	* @ptr must have pointer-to-simple-variable type, and the result of
	154	* dereferencing @ptr must be assignable to @x without a cast.
	155	*
bc8ff3ca	156	* Return: zero on success, or -EFAULT on error.
865e5b76	157	* On error, the variable @x is set to zero.
ff52c3b0 PA	158	*/
ff52c3b0 PA	159	/*
3578baae PA	160	* Careful: we have to cast the result to the type of the pointer
3578baae PA	161	* for sign reasons.
ff52c3b0	162	*
f69fa9a9	163	* The use of _ASM_DX as the register specifier is a bit of a
ff52c3b0 PA	164	* simplification, as gcc only cares about it as the starting point
	165	* and not size: for a 64-bit value it will use %ecx:%edx on 32 bits
	166	* (%ecx being the next register in gcc's x86 register sequence), and
	167	* %rdx on 64 bits.
f69fa9a9 PA	168	*
	169	* Clang/LLVM cares about the size of the register, but still wants
	170	* the base register for something that ends up being a pair.
865e5b76	171	*/
865e5b76 GC	172	#define get_user(x, ptr) \
	173	({ \
	174	int __ret_gu; \
bdfc017e	175	register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \
865e5b76	176	__chk_user_ptr(ptr); \
3ee1afa3	177	might_fault(); \
f05058c4	178	asm volatile("call __get_user_%P4" \
f5caf621 JP	179	: "=a" (__ret_gu), "=r" (__val_gu), \
f5caf621 JP	180	ASM_CALL_CONSTRAINT \
3578baae	181	: "0" (ptr), "i" (sizeof(*(ptr)))); \
e182c570	182	(x) = (__force __typeof__(*(ptr))) __val_gu; \
a76cf66e	183	__builtin_expect(__ret_gu, 0); \
865e5b76 GC	184	})
865e5b76 GC	185
e30a44fd GC	186	#define __put_user_x(size, x, ptr, __ret_pu) \
e30a44fd GC	187	asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
4d5d7838	188	: "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
e30a44fd GC	189
	190
	191
dc70ddf4	192	#ifdef CONFIG_X86_32
a959dc88 LT	193	#define __put_user_goto_u64(x, addr, label) \
	194	asm_volatile_goto("\n" \
	195	"1: movl %%eax,0(%1)\n" \
	196	"2: movl %%edx,4(%1)\n" \
	197	_ASM_EXTABLE_UA(1b, %l2) \
	198	_ASM_EXTABLE_UA(2b, %l2) \
	199	: : "A" (x), "r" (addr) \
	200	: : label)
e30a44fd GC	201
	202	#define __put_user_x8(x, ptr, __ret_pu) \
	203	asm volatile("call __put_user_8" : "=a" (__ret_pu) \
	204	: "A" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
dc70ddf4	205	#else
a959dc88	206	#define __put_user_goto_u64(x, ptr, label) \
36807856	207	__put_user_goto(x, ptr, "q", "er", label)
e30a44fd	208	#define __put_user_x8(x, ptr, __ret_pu) __put_user_x(8, x, ptr, __ret_pu)
dc70ddf4 GC	209	#endif
dc70ddf4 GC	210
e30a44fd GC	211	extern void __put_user_bad(void);
	212
	213	/*
	214	* Strange magic calling convention: pointer in %ecx,
	215	* value in %eax(:%edx), return value in %eax. clobbers %rbx
	216	*/
	217	extern void __put_user_1(void);
	218	extern void __put_user_2(void);
	219	extern void __put_user_4(void);
	220	extern void __put_user_8(void);
	221
e30a44fd	222	/**
bc8ff3ca	223	* put_user - Write a simple value into user space.
e30a44fd GC	224	* @x: Value to copy to user space.
	225	* @ptr: Destination address, in user space.
	226	*
b3c395ef DH	227	* Context: User context only. This function may sleep if pagefaults are
b3c395ef DH	228	* enabled.
e30a44fd GC	229	*
	230	* This macro copies a single simple value from kernel space to user
	231	* space. It supports simple types like char and int, but not larger
	232	* data types like structures or arrays.
	233	*
	234	* @ptr must have pointer-to-simple-variable type, and @x must be assignable
	235	* to the result of dereferencing @ptr.
	236	*
bc8ff3ca	237	* Return: zero on success, or -EFAULT on error.
e30a44fd GC	238	*/
	239	#define put_user(x, ptr) \
	240	({ \
	241	int __ret_pu; \
	242	__typeof__(*(ptr)) __pu_val; \
	243	__chk_user_ptr(ptr); \
3ee1afa3	244	might_fault(); \
e30a44fd GC	245	__pu_val = x; \
	246	switch (sizeof(*(ptr))) { \
	247	case 1: \
	248	__put_user_x(1, __pu_val, ptr, __ret_pu); \
	249	break; \
	250	case 2: \
	251	__put_user_x(2, __pu_val, ptr, __ret_pu); \
	252	break; \
	253	case 4: \
	254	__put_user_x(4, __pu_val, ptr, __ret_pu); \
	255	break; \
	256	case 8: \
	257	__put_user_x8(__pu_val, ptr, __ret_pu); \
	258	break; \
	259	default: \
	260	__put_user_x(X, __pu_val, ptr, __ret_pu); \
	261	break; \
	262	} \
a76cf66e	263	__builtin_expect(__ret_pu, 0); \
e30a44fd GC	264	})
e30a44fd GC	265
a959dc88	266	#define __put_user_size(x, ptr, size, label) \
dc70ddf4	267	do { \
dc70ddf4 GC	268	__chk_user_ptr(ptr); \
	269	switch (size) { \
	270	case 1: \
36807856	271	__put_user_goto(x, ptr, "b", "iq", label); \
dc70ddf4 GC	272	break; \
dc70ddf4 GC	273	case 2: \
36807856	274	__put_user_goto(x, ptr, "w", "ir", label); \
dc70ddf4 GC	275	break; \
dc70ddf4 GC	276	case 4: \
36807856	277	__put_user_goto(x, ptr, "l", "ir", label); \
dc70ddf4 GC	278	break; \
dc70ddf4 GC	279	case 8: \
2a418cf3	280	__put_user_goto_u64(x, ptr, label); \
dc70ddf4 GC	281	break; \
	282	default: \
	283	__put_user_bad(); \
	284	} \
	285	} while (0)
	286
3f168221	287	#ifdef CONFIG_X86_32
1a323ea5	288	#define __get_user_asm_u64(x, ptr, retval) \
b2f68038 BL	289	({ \
b2f68038 BL	290	__typeof__(ptr) __ptr = (ptr); \
1a323ea5	291	asm volatile("\n" \
890f0b0d LT	292	"1: movl %[lowbits],%%eax\n" \
890f0b0d LT	293	"2: movl %[highbits],%%edx\n" \
1a323ea5	294	"3:\n" \
b2f68038	295	".section .fixup,\"ax\"\n" \
890f0b0d	296	"4: mov %[efault],%[errout]\n" \
b2f68038 BL	297	" xorl %%eax,%%eax\n" \
	298	" xorl %%edx,%%edx\n" \
	299	" jmp 3b\n" \
	300	".previous\n" \
75045f77 JH	301	_ASM_EXTABLE_UA(1b, 4b) \
75045f77 JH	302	_ASM_EXTABLE_UA(2b, 4b) \
890f0b0d LT	303	: [errout] "=r" (retval), \
	304	[output] "=&A"(x) \
	305	: [lowbits] "m" (__m(__ptr)), \
	306	[highbits] "m" __m(((u32 __user *)(__ptr)) + 1), \
	307	[efault] "i" (-EFAULT), "0" (retval)); \
b2f68038 BL	308	})
b2f68038 BL	309
3f168221	310	#else
1a323ea5	311	#define __get_user_asm_u64(x, ptr, retval) \
7da63b3d	312	__get_user_asm(x, ptr, retval, "q", "=r")
3f168221 GC	313	#endif
3f168221 GC	314
1a323ea5	315	#define __get_user_size(x, ptr, size, retval) \
3f168221 GC	316	do { \
	317	retval = 0; \
	318	__chk_user_ptr(ptr); \
	319	switch (size) { \
	320	case 1: \
7da63b3d	321	__get_user_asm(x, ptr, retval, "b", "=q"); \
3f168221 GC	322	break; \
3f168221 GC	323	case 2: \
7da63b3d	324	__get_user_asm(x, ptr, retval, "w", "=r"); \
3f168221 GC	325	break; \
3f168221 GC	326	case 4: \
7da63b3d	327	__get_user_asm(x, ptr, retval, "l", "=r"); \
3f168221 GC	328	break; \
3f168221 GC	329	case 8: \
1a323ea5	330	__get_user_asm_u64(x, ptr, retval); \
3f168221 GC	331	break; \
	332	default: \
	333	(x) = __get_user_bad(); \
	334	} \
	335	} while (0)
	336
7da63b3d	337	#define __get_user_asm(x, addr, err, itype, ltype) \
11f1a4b9	338	asm volatile("\n" \
890f0b0d	339	"1: mov"itype" %[umem],%[output]\n" \
11f1a4b9	340	"2:\n" \
3f168221	341	".section .fixup,\"ax\"\n" \
890f0b0d LT	342	"3: mov %[efault],%[errout]\n" \
890f0b0d LT	343	" xor"itype" %[output],%[output]\n" \
3f168221 GC	344	" jmp 2b\n" \
3f168221 GC	345	".previous\n" \
75045f77	346	_ASM_EXTABLE_UA(1b, 3b) \
890f0b0d LT	347	: [errout] "=r" (err), \
	348	[output] ltype(x) \
	349	: [umem] "m" (__m(addr)), \
	350	[efault] "i" (-EFAULT), "0" (err))
3f168221	351
dc70ddf4 GC	352	#define __put_user_nocheck(x, ptr, size) \
dc70ddf4 GC	353	({ \
a959dc88 LT	354	__label__ __pu_label; \
a959dc88 LT	355	int __pu_err = -EFAULT; \
6ae86561 PZ	356	__typeof__(*(ptr)) __pu_val = (x); \
	357	__typeof__(ptr) __pu_ptr = (ptr); \
	358	__typeof__(size) __pu_size = (size); \
11f1a4b9	359	__uaccess_begin(); \
6ae86561	360	__put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_label); \
a959dc88 LT	361	__pu_err = 0; \
a959dc88 LT	362	__pu_label: \
11f1a4b9	363	__uaccess_end(); \
a76cf66e	364	__builtin_expect(__pu_err, 0); \
dc70ddf4 GC	365	})
dc70ddf4 GC	366
3f168221 GC	367	#define __get_user_nocheck(x, ptr, size) \
3f168221 GC	368	({ \
16855f87	369	int __gu_err; \
b2f68038	370	__inttype(*(ptr)) __gu_val; \
9b8bd476 PZ	371	__typeof__(ptr) __gu_ptr = (ptr); \
9b8bd476 PZ	372	__typeof__(size) __gu_size = (size); \
304ec1b0	373	__uaccess_begin_nospec(); \
1a323ea5	374	__get_user_size(__gu_val, __gu_ptr, __gu_size, __gu_err); \
11f1a4b9	375	__uaccess_end(); \
3f168221	376	(x) = (__force __typeof__(*(ptr)))__gu_val; \
a76cf66e	377	__builtin_expect(__gu_err, 0); \
3f168221	378	})
dc70ddf4 GC	379
	380	/* FIXME: this hack is definitely wrong -AK */
	381	struct __large_struct { unsigned long buf[100]; };
	382	#define __m(x) ((struct __large_struct __user )(x))
	383
	384	/*
	385	* Tell gcc we read from memory instead of writing: this is because
	386	* we do not write to any memory gcc knows about, so there are no
	387	* aliasing issues.
	388	*/
36807856	389	#define __put_user_goto(x, addr, itype, ltype, label) \
4a789213	390	asm_volatile_goto("\n" \
36807856 LT	391	"1: mov"itype" %0,%1\n" \
36807856 LT	392	_ASM_EXTABLE_UA(1b, %l2) \
4a789213 LT	393	: : ltype(x), "m" (__m(addr)) \
	394	: : label)
	395
8cb834e9	396	/**
bc8ff3ca	397	* __get_user - Get a simple variable from user space, with less checking.
8cb834e9 GC	398	* @x: Variable to store result.
	399	* @ptr: Source address, in user space.
	400	*
b3c395ef DH	401	* Context: User context only. This function may sleep if pagefaults are
b3c395ef DH	402	* enabled.
8cb834e9 GC	403	*
	404	* This macro copies a single simple variable from user space to kernel
	405	* space. It supports simple types like char and int, but not larger
	406	* data types like structures or arrays.
	407	*
	408	* @ptr must have pointer-to-simple-variable type, and the result of
	409	* dereferencing @ptr must be assignable to @x without a cast.
	410	*
	411	* Caller must check the pointer with access_ok() before calling this
	412	* function.
	413	*
bc8ff3ca	414	* Return: zero on success, or -EFAULT on error.
8cb834e9 GC	415	* On error, the variable @x is set to zero.
	416	*/
	417
	418	#define __get_user(x, ptr) \
	419	__get_user_nocheck((x), (ptr), sizeof(*(ptr)))
fe40c0af	420
8cb834e9	421	/**
bc8ff3ca	422	* __put_user - Write a simple value into user space, with less checking.
8cb834e9 GC	423	* @x: Value to copy to user space.
	424	* @ptr: Destination address, in user space.
	425	*
b3c395ef DH	426	* Context: User context only. This function may sleep if pagefaults are
b3c395ef DH	427	* enabled.
8cb834e9 GC	428	*
	429	* This macro copies a single simple value from kernel space to user
	430	* space. It supports simple types like char and int, but not larger
	431	* data types like structures or arrays.
	432	*
	433	* @ptr must have pointer-to-simple-variable type, and @x must be assignable
	434	* to the result of dereferencing @ptr.
	435	*
	436	* Caller must check the pointer with access_ok() before calling this
	437	* function.
	438	*
bc8ff3ca	439	* Return: zero on success, or -EFAULT on error.
8cb834e9 GC	440	*/
	441
	442	#define __put_user(x, ptr) \
	443	__put_user_nocheck((__typeof__((ptr)))(x), (ptr), sizeof((ptr)))
dc70ddf4	444
1ac2e6ca RR	445	extern unsigned long
1ac2e6ca RR	446	copy_from_user_nmi(void to, const void __user from, unsigned long n);
92ae03f2 LT	447	extern __must_check long
92ae03f2 LT	448	strncpy_from_user(char dst, const char __user src, long count);
1ac2e6ca	449
5723aa99 LT	450	extern __must_check long strnlen_user(const char __user *str, long n);
5723aa99 LT	451
a052858f PA	452	unsigned long __must_check clear_user(void __user *mem, unsigned long len);
	453	unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
	454
8bc7de0c GC	455	/*
	456	* movsl can be slow when source and dest are not both 8-byte aligned
	457	*/
	458	#ifdef CONFIG_X86_INTEL_USERCOPY
	459	extern struct movsl_mask {
	460	int mask;
	461	} ____cacheline_aligned_in_smp movsl_mask;
	462	#endif
	463
22cac167 GC	464	#define ARCH_HAS_NOCACHE_UACCESS 1
22cac167 GC	465
96a388de	466	#ifdef CONFIG_X86_32
a1ce3928	467	# include <asm/uaccess_32.h>
96a388de	468	#else
a1ce3928	469	# include <asm/uaccess_64.h>
96a388de	470	#endif
ca233862	471
5b24a7a2 LT	472	/*
	473	* The "unsafe" user accesses aren't really "unsafe", but the naming
	474	* is a big fat warning: you have to not only do the access_ok()
	475	* checking before using them, but you have to surround them with the
	476	* user_access_begin/end() pair.
	477	*/
b7f89bfe	478	static __must_check __always_inline bool user_access_begin(const void __user *ptr, size_t len)
594cc251 LT	479	{
	480	if (unlikely(!access_ok(ptr,len)))
	481	return 0;
6e693b3f	482	__uaccess_begin_nospec();
594cc251 LT	483	return 1;
	484	}
	485	#define user_access_begin(a,b) user_access_begin(a,b)
5b24a7a2 LT	486	#define user_access_end() __uaccess_end()
5b24a7a2 LT	487
e74deb11 PZ	488	#define user_access_save() smap_save()
	489	#define user_access_restore(x) smap_restore(x)
	490
a959dc88 LT	491	#define unsafe_put_user(x, ptr, label) \
a959dc88 LT	492	__put_user_size((__typeof__((ptr)))(x), (ptr), sizeof((ptr)), label)
5b24a7a2	493
1bd4403d LT	494	#define unsafe_get_user(x, ptr, err_label) \
1bd4403d LT	495	do { \
5b24a7a2	496	int __gu_err; \
334a023e	497	__inttype(*(ptr)) __gu_val; \
1a323ea5	498	__get_user_size(__gu_val, (ptr), sizeof(*(ptr)), __gu_err); \
5b24a7a2	499	(x) = (__force __typeof__(*(ptr)))__gu_val; \
1bd4403d LT	500	if (unlikely(__gu_err)) goto err_label; \
1bd4403d LT	501	} while (0)
5b24a7a2	502
c512c691 LT	503	/*
	504	* We want the unsafe accessors to always be inlined and use
	505	* the error labels - thus the macro games.
	506	*/
	507	#define unsafe_copy_loop(dst, src, len, type, label) \
	508	while (len >= sizeof(type)) { \
	509	unsafe_put_user((type )src,(type __user *)dst,label); \
	510	dst += sizeof(type); \
	511	src += sizeof(type); \
	512	len -= sizeof(type); \
	513	}
	514
	515	#define unsafe_copy_to_user(_dst,_src,_len,label) \
	516	do { \
	517	char __user *__ucu_dst = (_dst); \
	518	const char *__ucu_src = (_src); \
	519	size_t __ucu_len = (_len); \
	520	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u64, label); \
	521	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u32, label); \
	522	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u16, label); \
	523	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u8, label); \
	524	} while (0)
	525
1965aae3	526	#endif /* _ASM_X86_UACCESS_H */
8174c430	527