• Mark Rutland's avatar
    arm64: Rework valid_user_regs · cff5b236
    Mark Rutland authored
    commit dbd4d7ca upstream.
    
    We validate pstate using PSR_MODE32_BIT, which is part of the
    user-provided pstate (and cannot be trusted). Also, we conflate
    validation of AArch32 and AArch64 pstate values, making the code
    difficult to reason about.
    
    Instead, validate the pstate value based on the associated task. The
    task may or may not be current (e.g. when using ptrace), so this must be
    passed explicitly by callers. To avoid circular header dependencies via
    sched.h, is_compat_task is pulled out of asm/ptrace.h.
    
    To make the code possible to reason about, the AArch64 and AArch32
    validation is split into separate functions. Software must respect the
    RES0 policy for SPSR bits, and thus the kernel mirrors the hardware
    policy (RAZ/WI) for bits as-yet unallocated. When these acquire an
    architected meaning writes may be permitted (potentially with additional
    validation).
    Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
    Acked-by: default avatarWill Deacon <will.deacon@arm.com>
    Cc: Dave Martin <dave.martin@arm.com>
    Cc: James Morse <james.morse@arm.com>
    Cc: Peter Maydell <peter.maydell@linaro.org>
    Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
    Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
    [ rebased for v4.1+
      This avoids a user-triggerable Oops() if a task is switched to a mode
      not supported by the kernel (e.g. switching a 64-bit task to AArch32).
    ]
    Signed-off-by: default avatarJames Morse <james.morse@arm.com>
    Reviewed-by: Mark Rutland <mark.rutland@arm.com> [backport]
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    cff5b236
signal32.c 17.2 KB