Commit 5b835d4c authored by Max Filippov's avatar Max Filippov

xtensa: use XCHAL_NUM_AREGS as pt_regs::areg size

struct pt_regs is used to access both kernel and user exception frames.
User exception frames may contain up to XCHAL_NUM_AREG registers that
task creation and signal delivery code may access, but pt_regs::areg
array has only 16 entries that cover only the kernel exception frame.
This results in the following build error:

arch/xtensa/kernel/process.c: In function 'copy_thread':
arch/xtensa/kernel/process.c:262:52: error: array subscript 53 is above
           array bounds of 'long unsigned int[16]' [-Werror=array-bounds]
  262 |                                 put_user(regs->areg[caller_ars+1],

Change struct pt_regs::areg size to XCHAL_NUM_AREGS so that it covers
the whole user exception frame. Adjust task_pt_regs and drop additional
register copying code from copy_thread now that the whole user exception
stack frame is copied.
Reported-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
parent 6fad9ddc
...@@ -44,6 +44,7 @@ ...@@ -44,6 +44,7 @@
#ifndef __ASSEMBLY__ #ifndef __ASSEMBLY__
#include <asm/coprocessor.h> #include <asm/coprocessor.h>
#include <asm/core.h>
/* /*
* This struct defines the way the registers are stored on the * This struct defines the way the registers are stored on the
...@@ -77,14 +78,12 @@ struct pt_regs { ...@@ -77,14 +78,12 @@ struct pt_regs {
/* current register frame. /* current register frame.
* Note: The ESF for kernel exceptions ends after 16 registers! * Note: The ESF for kernel exceptions ends after 16 registers!
*/ */
unsigned long areg[16]; unsigned long areg[XCHAL_NUM_AREGS];
}; };
#include <asm/core.h>
# define arch_has_single_step() (1) # define arch_has_single_step() (1)
# define task_pt_regs(tsk) ((struct pt_regs*) \ # define task_pt_regs(tsk) ((struct pt_regs*) \
(task_stack_page(tsk) + KERNEL_STACK_SIZE - (XCHAL_NUM_AREGS-16)*4) - 1) (task_stack_page(tsk) + KERNEL_STACK_SIZE) - 1)
# define user_mode(regs) (((regs)->ps & 0x00000020)!=0) # define user_mode(regs) (((regs)->ps & 0x00000020)!=0)
# define instruction_pointer(regs) ((regs)->pc) # define instruction_pointer(regs) ((regs)->pc)
# define return_pointer(regs) (MAKE_PC_FROM_RA((regs)->areg[0], \ # define return_pointer(regs) (MAKE_PC_FROM_RA((regs)->areg[0], \
......
...@@ -232,10 +232,6 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn, ...@@ -232,10 +232,6 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn,
p->thread.ra = MAKE_RA_FOR_CALL( p->thread.ra = MAKE_RA_FOR_CALL(
(unsigned long)ret_from_fork, 0x1); (unsigned long)ret_from_fork, 0x1);
/* This does not copy all the regs.
* In a bout of brilliance or madness,
* ARs beyond a0-a15 exist past the end of the struct.
*/
*childregs = *regs; *childregs = *regs;
childregs->areg[1] = usp; childregs->areg[1] = usp;
childregs->areg[2] = 0; childregs->areg[2] = 0;
...@@ -265,14 +261,8 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn, ...@@ -265,14 +261,8 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn,
childregs->wmask = 1; childregs->wmask = 1;
childregs->windowstart = 1; childregs->windowstart = 1;
childregs->windowbase = 0; childregs->windowbase = 0;
} else {
int len = childregs->wmask & ~0xf;
memcpy(&childregs->areg[XCHAL_NUM_AREGS - len/4],
&regs->areg[XCHAL_NUM_AREGS - len/4], len);
} }
childregs->syscall = regs->syscall;
if (clone_flags & CLONE_SETTLS) if (clone_flags & CLONE_SETTLS)
childregs->threadptr = tls; childregs->threadptr = tls;
} else { } else {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment