1 /*
2  * Copyright (c) 2017, Intel Corporation
3  *
4  * SPDX-License-Identifier: Apache-2.0
5  */
6 #ifndef ZEPHYR_INCLUDE_SYSCALL_HANDLER_H_
7 #define ZEPHYR_INCLUDE_SYSCALL_HANDLER_H_
8 
9 /**
10  * @brief User mode and Syscall APIs
11  * @defgroup syscall_apis User mode and Syscall APIs
12  * @ingroup internal_api
13  * @{
14  */
15 
16 #if defined(CONFIG_USERSPACE) || defined(__DOXYGEN__)
17 
18 #ifndef _ASMLANGUAGE
19 #include <zephyr/kernel.h>
20 #include <zephyr/arch/arch_interface.h>
21 #include <zephyr/sys/math_extras.h>
22 #include <stdbool.h>
23 #include <zephyr/logging/log.h>
24 
25 extern const _k_syscall_handler_t _k_syscall_table[K_SYSCALL_LIMIT];
26 
27 enum _obj_init_check {
28 	_OBJ_INIT_TRUE = 0,
29 	_OBJ_INIT_FALSE = -1,
30 	_OBJ_INIT_ANY = 1
31 };
32 
33 /**
34  * Return true if we are currently handling a system call from user mode
35  *
36  * Inside z_vrfy functions, we always know that we are handling
37  * a system call invoked from user context.
38  *
39  * However, some checks that are only relevant to user mode must
40  * instead be placed deeper within the implementation. This
41  * API is useful to conditionally make these checks.
42  *
43  * For performance reasons, whenever possible, checks should be placed
44  * in the relevant z_vrfy function since these are completely skipped
45  * when a syscall is invoked.
46  *
47  * This will return true only if we are handling a syscall for a
48  * user thread. If the system call was invoked from supervisor mode,
49  * or we are not handling a system call, this will return false.
50  *
51  * @note This is an internal API. Do not use unless you are extending
52  *       functionality in the Zephyr tree.
53  *
54  * @return whether the current context is handling a syscall for a user
55  *         mode thread
56  */
k_is_in_user_syscall(void)57 static inline bool k_is_in_user_syscall(void)
58 {
59 	/* This gets set on entry to the syscall's generated z_mrsh
60 	 * function and then cleared on exit. This code path is only
61 	 * encountered when a syscall is made from user mode, system
62 	 * calls from supervisor mode bypass everything directly to
63 	 * the implementation function.
64 	 */
65 	return !k_is_in_isr() && (arch_current_thread()->syscall_frame != NULL);
66 }
67 
68 /**
69  * Ensure a system object is a valid object of the expected type
70  *
71  * Searches for the object and ensures that it is indeed an object
72  * of the expected type, that the caller has the right permissions on it,
73  * and that the object has been initialized.
74  *
75  * This function is intended to be called on the kernel-side system
76  * call handlers to validate kernel object pointers passed in from
77  * userspace.
78  *
79  * @param ko Kernel object metadata pointer, or NULL
80  * @param otype Expected type of the kernel object, or K_OBJ_ANY if type
81  *	  doesn't matter
82  * @param init Indicate whether the object needs to already be in initialized
83  *             or uninitialized state, or that we don't care
84  * @note This is an internal API. Do not use unless you are extending
85  *       functionality in the Zephyr tree.
86  *
87  * @return 0 If the object is valid
88  *         -EBADF if not a valid object of the specified type
89  *         -EPERM If the caller does not have permissions
90  *         -EINVAL Object is not initialized
91  */
92 int k_object_validate(struct k_object *ko, enum k_objects otype,
93 		      enum _obj_init_check init);
94 
95 /**
96  * Dump out error information on failed k_object_validate() call
97  *
98  * @param retval Return value from k_object_validate()
99  * @param obj Kernel object we were trying to verify
100  * @param ko If retval=-EPERM, struct k_object * that was looked up, or NULL
101  * @param otype Expected type of the kernel object
102  * @note This is an internal API. Do not use unless you are extending
103  *       functionality in the Zephyr tree.
104  *
105  */
106 void k_object_dump_error(int retval, const void *obj,
107 			 struct k_object *ko, enum k_objects otype);
108 
109 /**
110  * Kernel object validation function
111  *
112  * Retrieve metadata for a kernel object. This function is implemented in
113  * the gperf script footer, see gen_kobject_list.py
114  *
115  * @param obj Address of kernel object to get metadata
116  * @return Kernel object's metadata, or NULL if the parameter wasn't the
117  * memory address of a kernel object
118  * @note This is an internal API. Do not use unless you are extending
119  *       functionality in the Zephyr tree.
120  *
121  */
122 struct k_object *k_object_find(const void *obj);
123 
124 typedef void (*_wordlist_cb_func_t)(struct k_object *ko, void *context);
125 
126 /**
127  * Iterate over all the kernel object metadata in the system
128  *
129  * @param func function to run on each struct k_object
130  * @param context Context pointer to pass to each invocation
131  * @note This is an internal API. Do not use unless you are extending
132  *       functionality in the Zephyr tree.
133  *
134  */
135 void k_object_wordlist_foreach(_wordlist_cb_func_t func, void *context);
136 
137 /**
138  * Copy all kernel object permissions from the parent to the child
139  *
140  * @param parent Parent thread, to get permissions from
141  * @param child Child thread, to copy permissions to
142  * @note This is an internal API. Do not use unless you are extending
143  *       functionality in the Zephyr tree.
144  *
145  */
146 void k_thread_perms_inherit(struct k_thread *parent, struct k_thread *child);
147 
148 /**
149  * Grant a thread permission to a kernel object
150  *
151  * @param ko Kernel object metadata to update
152  * @param thread The thread to grant permission
153  * @note This is an internal API. Do not use unless you are extending
154  *       functionality in the Zephyr tree.
155  *
156  */
157 void k_thread_perms_set(struct k_object *ko, struct k_thread *thread);
158 
159 /**
160  * Revoke a thread's permission to a kernel object
161  *
162  * @param ko Kernel object metadata to update
163  * @param thread The thread to grant permission
164  * @note This is an internal API. Do not use unless you are extending
165  *       functionality in the Zephyr tree.
166  *
167  */
168 void k_thread_perms_clear(struct k_object *ko, struct k_thread *thread);
169 
170 /**
171  * Revoke access to all objects for the provided thread
172  *
173  * @note Unlike k_thread_perms_clear(), this function will not clear
174  * permissions on public objects.
175  *
176  * @note This is an internal API. Do not use unless you are extending
177  *       functionality in the Zephyr tree.
178  *
179  * @param thread Thread object to revoke access
180  */
181 void k_thread_perms_all_clear(struct k_thread *thread);
182 
183 /**
184  * Clear initialization state of a kernel object
185  *
186  * Intended for thread objects upon thread exit, or for other kernel objects
187  * that were released back to an object pool.
188  *
189  * @param obj Address of the kernel object
190  *
191  * @note This is an internal API. Do not use unless you are extending
192  *       functionality in the Zephyr tree.
193  */
194 void k_object_uninit(const void *obj);
195 
196 /**
197  * Initialize and reset permissions to only access by the caller
198  *
199  * Intended for scenarios where objects are fetched from slab pools
200  * and may have had different permissions set during prior usage.
201  *
202  * This is only intended for pools of objects, where such objects are
203  * acquired and released to the pool. If an object has already been used,
204  * we do not want stale permission information hanging around, the object
205  * should only have permissions on the caller. Objects which are not
206  * managed by a pool-like mechanism should not use this API.
207  *
208  * The object will be marked as initialized and the calling thread
209  * granted access to it.
210  *
211  * @param obj Address of the kernel object
212  * @note This is an internal API. Do not use unless you are extending
213  *       functionality in the Zephyr tree.
214  */
215 void k_object_recycle(const void *obj);
216 
217 /**
218  * @brief Obtain the size of a C string passed from user mode
219  *
220  * Given a C string pointer and a maximum size, obtain the true
221  * size of the string (not including the trailing NULL byte) just as
222  * if calling strnlen() on it, with the same semantics of strnlen() with
223  * respect to the return value and the maxlen parameter.
224  *
225  * Any memory protection faults triggered by the examination of the string
226  * will be safely handled and an error code returned.
227  *
228  * NOTE: Doesn't guarantee that user mode has actual access to this
229  * string, you will need to still do a K_SYSCALL_MEMORY_READ()
230  * with the obtained size value to guarantee this.
231  *
232  * @param src String to measure size of
233  * @param maxlen Maximum number of characters to examine
234  * @param err Pointer to int, filled in with -1 on memory error, 0 on
235  *	success
236  * @return undefined on error, or strlen(src) if that is less than maxlen, or
237  *	maxlen if there were no NULL terminating characters within the
238  *	first maxlen bytes.
239  * @note This is an internal API. Do not use unless you are extending
240  *       functionality in the Zephyr tree.
241  */
k_usermode_string_nlen(const char * src,size_t maxlen,int * err)242 static inline size_t k_usermode_string_nlen(const char *src, size_t maxlen,
243 					int *err)
244 {
245 	return arch_user_string_nlen(src, maxlen, err);
246 }
247 
248 /**
249  * @brief Copy data from userspace into a resource pool allocation
250  *
251  * Given a pointer and a size, allocate a similarly sized buffer in the
252  * caller's resource pool and copy all the data within it to the newly
253  * allocated buffer. This will need to be freed later with k_free().
254  *
255  * Checks are done to ensure that the current thread would have read
256  * access to the provided buffer.
257  *
258  * @param src Source memory address
259  * @param size Size of the memory buffer
260  * @return An allocated buffer with the data copied within it, or NULL
261  *	if some error condition occurred
262  * @note This is an internal API. Do not use unless you are extending
263  *       functionality in the Zephyr tree.
264  */
265 void *k_usermode_alloc_from_copy(const void *src, size_t size);
266 
267 /**
268  * @brief Copy data from user mode
269  *
270  * Given a userspace pointer and a size, copies data from it into a provided
271  * destination buffer, performing checks to ensure that the caller would have
272  * appropriate access when in user mode.
273  *
274  * @param dst Destination memory buffer
275  * @param src Source memory buffer, in userspace
276  * @param size Number of bytes to copy
277  * @retval 0 On success
278  * @retval EFAULT On memory access error
279  * @note This is an internal API. Do not use unless you are extending
280  *       functionality in the Zephyr tree.
281  */
282 int k_usermode_from_copy(void *dst, const void *src, size_t size);
283 
284 /**
285  * @brief Copy data to user mode
286  *
287  * Given a userspace pointer and a size, copies data to it from a provided
288  * source buffer, performing checks to ensure that the caller would have
289  * appropriate access when in user mode.
290  *
291  * @param dst Destination memory buffer, in userspace
292  * @param src Source memory buffer
293  * @param size Number of bytes to copy
294  * @retval 0 On success
295  * @retval EFAULT On memory access error
296  * @note This is an internal API. Do not use unless you are extending
297  *       functionality in the Zephyr tree.
298  */
299 int k_usermode_to_copy(void *dst, const void *src, size_t size);
300 
301 /**
302  * @brief Copy a C string from userspace into a resource pool allocation
303  *
304  * Given a C string and maximum length, duplicate the string using an
305  * allocation from the calling thread's resource pool. This will need to be
306  * freed later with k_free().
307  *
308  * Checks are performed to ensure that the string is valid memory and that
309  * the caller has access to it in user mode.
310  *
311  * @param src Source string pointer, in userspace
312  * @param maxlen Maximum size of the string including trailing NULL
313  * @return The duplicated string, or NULL if an error occurred.
314  * @note This is an internal API. Do not use unless you are extending
315  *       functionality in the Zephyr tree.
316  */
317 char *k_usermode_string_alloc_copy(const char *src, size_t maxlen);
318 
319 /**
320  * @brief Copy a C string from userspace into a provided buffer
321  *
322  * Given a C string and maximum length, copy the string into a buffer.
323  *
324  * Checks are performed to ensure that the string is valid memory and that
325  * the caller has access to it in user mode.
326  *
327  * @param dst Destination buffer
328  * @param src Source string pointer, in userspace
329  * @param maxlen Maximum size of the string including trailing NULL
330  * @retval 0 on success
331  * @retval EINVAL if the source string is too long with respect
332  *	to maxlen
333  * @retval EFAULT On memory access error
334  * @note This is an internal API. Do not use unless you are extending
335  *       functionality in the Zephyr tree.
336  */
337 int k_usermode_string_copy(char *dst, const char *src, size_t maxlen);
338 
339 /**
340  * @brief Induce a kernel oops
341  *
342  * This macro can be used to induce a kernel oops which will kill the
343  * calling thread.
344  *
345  * @param expr Expression to be evaluated
346  *
347  * @note This is an internal API. Do not use unless you are extending
348  *       functionality in the Zephyr tree.
349  */
350 #define K_OOPS(expr) \
351 	do { \
352 		if (expr) { \
353 			arch_syscall_oops(arch_current_thread()->syscall_frame); \
354 		} \
355 	} while (false)
356 
357 /**
358  * @brief Runtime expression check for system call arguments
359  *
360  * Used in handler functions to perform various runtime checks on arguments,
361  * and generate a kernel oops if anything is not expected, printing a custom
362  * message.
363  *
364  * @param expr Boolean expression to verify, a false result will trigger an
365  *             oops
366  * @param fmt Printf-style format string (followed by appropriate variadic
367  *            arguments) to print on verification failure
368  * @return False on success, True on failure
369  * @note This is an internal API. Do not use unless you are extending
370  *       functionality in the Zephyr tree.
371  */
372 #define K_SYSCALL_VERIFY_MSG(expr, fmt, ...) ({ \
373 	bool expr_copy = !(expr); \
374 	if (expr_copy) { \
375 		TOOLCHAIN_IGNORE_WSHADOW_BEGIN \
376 		LOG_MODULE_DECLARE(os, CONFIG_KERNEL_LOG_LEVEL); \
377 		TOOLCHAIN_IGNORE_WSHADOW_END \
378 		LOG_ERR("syscall %s failed check: " fmt, \
379 			__func__, ##__VA_ARGS__); \
380 	} \
381 	expr_copy; })
382 
383 /**
384  * @brief Runtime expression check for system call arguments
385  *
386  * Used in handler functions to perform various runtime checks on arguments,
387  * and generate a kernel oops if anything is not expected.
388  *
389  * @param expr Boolean expression to verify, a false result will trigger an
390  *             oops. A stringified version of this expression will be printed.
391  * @return 0 on success, nonzero on failure
392  * @note This is an internal API. Do not use unless you are extending
393  *       functionality in the Zephyr tree.
394  */
395 #define K_SYSCALL_VERIFY(expr) K_SYSCALL_VERIFY_MSG(expr, #expr)
396 
397 /**
398  * @brief Macro to check if size is negative
399  *
400  * K_SYSCALL_MEMORY can be called with signed/unsigned types
401  * and because of that if we check if size is greater or equal to
402  * zero, many static analyzers complain about no effect expression.
403  *
404  * @param ptr Memory area to examine
405  * @param size Size of the memory area
406  * @return true if size is valid, false otherwise
407  * @note This is an internal API. Do not use unless you are extending
408  *       functionality in the Zephyr tree.
409  */
410 #define K_SYSCALL_MEMORY_SIZE_CHECK(ptr, size) \
411 	(((uintptr_t)(ptr) + (size)) >= (uintptr_t)(ptr))
412 
413 /**
414  * @brief Runtime check that a user thread has read and/or write permission to
415  *        a memory area
416  *
417  * Checks that the particular memory area is readable and/or writeable by the
418  * currently running thread if the CPU was in user mode, and generates a kernel
419  * oops if it wasn't. Prevents userspace from getting the kernel to read and/or
420  * modify memory the thread does not have access to, or passing in garbage
421  * pointers that would crash/pagefault the kernel if dereferenced.
422  *
423  * @param ptr Memory area to examine
424  * @param size Size of the memory area
425  * @param write If the thread should be able to write to this memory, not just
426  *		read it
427  * @return 0 on success, nonzero on failure
428  * @note This is an internal API. Do not use unless you are extending
429  *       functionality in the Zephyr tree.
430  */
431 #define K_SYSCALL_MEMORY(ptr, size, write) \
432 	K_SYSCALL_VERIFY_MSG(K_SYSCALL_MEMORY_SIZE_CHECK(ptr, size) \
433 			     && !Z_DETECT_POINTER_OVERFLOW(ptr, size) \
434 			     && (arch_buffer_validate((void *)(ptr), (size), (write)) \
435 			     == 0), \
436 			     "Memory region %p (size %zu) %s access denied", \
437 			     (void *)(ptr), (size_t)(size), \
438 			     (write) ? "write" : "read")
439 
440 /**
441  * @brief Runtime check that a user thread has read permission to a memory area
442  *
443  * Checks that the particular memory area is readable by the currently running
444  * thread if the CPU was in user mode, and generates a kernel oops if it
445  * wasn't. Prevents userspace from getting the kernel to read memory the thread
446  * does not have access to, or passing in garbage pointers that would
447  * crash/pagefault the kernel if dereferenced.
448  *
449  * @param ptr Memory area to examine
450  * @param size Size of the memory area
451  * @return 0 on success, nonzero on failure
452  * @note This is an internal API. Do not use unless you are extending
453  *       functionality in the Zephyr tree.
454  */
455 #define K_SYSCALL_MEMORY_READ(ptr, size) \
456 	K_SYSCALL_MEMORY(ptr, size, 0)
457 
458 /**
459  * @brief Runtime check that a user thread has write permission to a memory area
460  *
461  * Checks that the particular memory area is readable and writable by the
462  * currently running thread if the CPU was in user mode, and generates a kernel
463  * oops if it wasn't. Prevents userspace from getting the kernel to read or
464  * modify memory the thread does not have access to, or passing in garbage
465  * pointers that would crash/pagefault the kernel if dereferenced.
466  *
467  * @param ptr Memory area to examine
468  * @param size Size of the memory area
469  * @return 0 on success, nonzero on failure
470  *
471  * @note This is an internal API. Do not use unless you are extending
472  *       functionality in the Zephyr tree.
473  */
474 #define K_SYSCALL_MEMORY_WRITE(ptr, size) \
475 	K_SYSCALL_MEMORY(ptr, size, 1)
476 
477 #define K_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, write) \
478 	({ \
479 		size_t product; \
480 		K_SYSCALL_VERIFY_MSG(!size_mul_overflow((size_t)(nmemb), \
481 							(size_t)(size), \
482 							&product), \
483 				     "%zux%zu array is too large", \
484 				     (size_t)(nmemb), (size_t)(size)) ||  \
485 			K_SYSCALL_MEMORY(ptr, product, write); \
486 	})
487 
488 /**
489  * @brief Validate user thread has read permission for sized array
490  *
491  * Used when the memory region is expressed in terms of number of elements and
492  * each element size, handles any overflow issues with computing the total
493  * array bounds. Otherwise see _SYSCALL_MEMORY_READ.
494  *
495  * @param ptr Memory area to examine
496  * @param nmemb Number of elements in the array
497  * @param size Size of each array element
498  * @return 0 on success, nonzero on failure
499  * @note This is an internal API. Do not use unless you are extending
500  *       functionality in the Zephyr tree.
501  */
502 #define K_SYSCALL_MEMORY_ARRAY_READ(ptr, nmemb, size) \
503 	K_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 0)
504 
505 /**
506  * @brief Validate user thread has read/write permission for sized array
507  *
508  * Used when the memory region is expressed in terms of number of elements and
509  * each element size, handles any overflow issues with computing the total
510  * array bounds. Otherwise see _SYSCALL_MEMORY_WRITE.
511  *
512  * @param ptr Memory area to examine
513  * @param nmemb Number of elements in the array
514  * @param size Size of each array element
515  * @return 0 on success, nonzero on failure
516  * @note This is an internal API. Do not use unless you are extending
517  *       functionality in the Zephyr tree.
518  */
519 #define K_SYSCALL_MEMORY_ARRAY_WRITE(ptr, nmemb, size) \
520 	K_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 1)
521 
k_object_validation_check(struct k_object * ko,const void * obj,enum k_objects otype,enum _obj_init_check init)522 static inline int k_object_validation_check(struct k_object *ko,
523 					 const void *obj,
524 					 enum k_objects otype,
525 					 enum _obj_init_check init)
526 {
527 	int ret;
528 
529 	ret = k_object_validate(ko, otype, init);
530 
531 #ifdef CONFIG_LOG
532 	if (ret != 0) {
533 		k_object_dump_error(ret, obj, ko, otype);
534 	}
535 #else
536 	ARG_UNUSED(obj);
537 #endif
538 
539 	return ret;
540 }
541 
542 #define K_SYSCALL_IS_OBJ(ptr, type, init) \
543 	K_SYSCALL_VERIFY_MSG(k_object_validation_check(			\
544 				     k_object_find((const void *)(ptr)),	\
545 				     (const void *)(ptr),		\
546 				     (type), (init)) == 0, "access denied")
547 
548 /**
549  * @brief Runtime check driver object pointer for presence of operation
550  *
551  * Validates if the driver object is capable of performing a certain operation.
552  *
553  * @param ptr Untrusted device instance object pointer
554  * @param api_name Name of the driver API struct (e.g. gpio_driver_api)
555  * @param op Driver operation (e.g. manage_callback)
556  *
557  * @return 0 on success, nonzero on failure
558  *
559  * @note This is an internal API. Do not use unless you are extending
560  *       functionality in the Zephyr tree.
561  */
562 #define K_SYSCALL_DRIVER_OP(ptr, api_name, op) \
563 	({ \
564 		struct api_name *__device__ = (struct api_name *) \
565 			((const struct device *)(ptr))->api; \
566 		K_SYSCALL_VERIFY_MSG(__device__->op != NULL, \
567 				    "Operation %s not defined for driver " \
568 				    "instance %p", \
569 				    # op, __device__); \
570 	})
571 
572 /**
573  * @brief Runtime check that device object is of a specific driver type
574  *
575  * Checks that the driver object passed in is initialized, the caller has
576  * correct permissions, and that it belongs to the specified driver
577  * subsystems. Additionally, all devices store a structure pointer of the
578  * driver's API. If this doesn't match the value provided, the check will fail.
579  *
580  * This provides an easy way to determine if a device object not only
581  * belongs to a particular subsystem, but is of a specific device driver
582  * implementation. Useful for defining out-of-subsystem system calls
583  * which are implemented for only one driver.
584  *
585  * @param _device Untrusted device pointer
586  * @param _dtype Expected kernel object type for the provided device pointer
587  * @param _api Expected driver API structure memory address
588  * @return 0 on success, nonzero on failure
589  * @note This is an internal API. Do not use unless you are extending
590  *       functionality in the Zephyr tree.
591  */
592 #define K_SYSCALL_SPECIFIC_DRIVER(_device, _dtype, _api) \
593 	({ \
594 		const struct device *_dev = (const struct device *)_device; \
595 		K_SYSCALL_OBJ(_dev, _dtype) || \
596 			K_SYSCALL_VERIFY_MSG(_dev->api == _api, \
597 					     "API structure mismatch"); \
598 	})
599 
600 /**
601  * @brief Runtime check kernel object pointer for non-init functions
602  *
603  * Calls k_object_validate and triggers a kernel oops if the check fails.
604  * For use in system call handlers which are not init functions; a fatal
605  * error will occur if the object is not initialized.
606  *
607  * @param ptr Untrusted kernel object pointer
608  * @param type Expected kernel object type
609  * @return 0 on success, nonzero on failure
610  * @note This is an internal API. Do not use unless you are extending
611  *       functionality in the Zephyr tree.
612  */
613 #define K_SYSCALL_OBJ(ptr, type) \
614 	K_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_TRUE)
615 
616 /**
617  * @brief Runtime check kernel object pointer for non-init functions
618  *
619  * See description of _SYSCALL_IS_OBJ. No initialization checks are done.
620  * Intended for init functions where objects may be re-initialized at will.
621  *
622  * @param ptr Untrusted kernel object pointer
623  * @param type Expected kernel object type
624  * @return 0 on success, nonzero on failure
625  * @note This is an internal API. Do not use unless you are extending
626  *       functionality in the Zephyr tree.
627  */
628 
629 #define K_SYSCALL_OBJ_INIT(ptr, type) \
630 	K_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_ANY)
631 
632 /**
633  * @brief Runtime check kernel object pointer for non-init functions
634  *
635  * See description of _SYSCALL_IS_OBJ. Triggers a fatal error if the object is
636  * initialized. Intended for init functions where objects, once initialized,
637  * can only be re-used when their initialization state expires due to some
638  * other mechanism.
639  *
640  * @param ptr Untrusted kernel object pointer
641  * @param type Expected kernel object type
642  * @return 0 on success, nonzero on failure
643  * @note This is an internal API. Do not use unless you are extending
644  *       functionality in the Zephyr tree.
645  */
646 
647 #define K_SYSCALL_OBJ_NEVER_INIT(ptr, type) \
648 	K_SYSCALL_IS_OBJ(ptr, type, _OBJ_INIT_FALSE)
649 
650 #include <zephyr/driver-validation.h>
651 
652 #endif /* _ASMLANGUAGE */
653 
654 #endif /* CONFIG_USERSPACE */
655 /**
656  * @}
657  */
658 
659 #endif /* ZEPHYR_INCLUDE_SYSCALL_HANDLER_H_ */
660