2019-06-03 13:44:50 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2012-03-05 19:49:32 +08:00
|
|
|
/*
|
|
|
|
* Based on arch/arm/kernel/sys_arm.c
|
|
|
|
*
|
|
|
|
* Copyright (C) People who wrote linux/arch/i386/kernel/sys_i386.c
|
|
|
|
* Copyright (C) 1995, 1996 Russell King.
|
|
|
|
* Copyright (C) 2012 ARM Ltd.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/compat.h>
|
2019-10-18 01:43:00 +08:00
|
|
|
#include <linux/cpufeature.h>
|
2012-03-05 19:49:32 +08:00
|
|
|
#include <linux/sched.h>
|
2017-02-04 06:47:37 +08:00
|
|
|
#include <linux/sched/signal.h>
|
2012-03-05 19:49:32 +08:00
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/syscalls.h>
|
|
|
|
#include <linux/uaccess.h>
|
|
|
|
|
|
|
|
#include <asm/cacheflush.h>
|
2018-02-02 06:13:37 +08:00
|
|
|
#include <asm/system_misc.h>
|
2019-10-18 01:43:00 +08:00
|
|
|
#include <asm/tlbflush.h>
|
2014-01-31 01:56:56 +08:00
|
|
|
#include <asm/unistd.h>
|
2012-03-05 19:49:32 +08:00
|
|
|
|
2014-12-01 18:53:08 +08:00
|
|
|
static long
|
|
|
|
__do_compat_cache_op(unsigned long start, unsigned long end)
|
2012-03-05 19:49:32 +08:00
|
|
|
{
|
2014-12-01 18:53:08 +08:00
|
|
|
long ret;
|
2012-03-05 19:49:32 +08:00
|
|
|
|
2014-12-01 18:53:08 +08:00
|
|
|
do {
|
|
|
|
unsigned long chunk = min(PAGE_SIZE, end - start);
|
2012-03-05 19:49:32 +08:00
|
|
|
|
2014-12-01 18:53:08 +08:00
|
|
|
if (fatal_signal_pending(current))
|
|
|
|
return 0;
|
|
|
|
|
arm64: Avoid cpus_have_const_cap() for ARM64_WORKAROUND_1542419
We use cpus_have_const_cap() to check for ARM64_WORKAROUND_1542419 but
this is not necessary and cpus_have_final_cap() would be preferable.
For historical reasons, cpus_have_const_cap() is more complicated than
it needs to be. Before cpucaps are finalized, it will perform a bitmap
test of the system_cpucaps bitmap, and once cpucaps are finalized it
will use an alternative branch. This used to be necessary to handle some
race conditions in the window between cpucap detection and the
subsequent patching of alternatives and static branches, where different
branches could be out-of-sync with one another (or w.r.t. alternative
sequences). Now that we use alternative branches instead of static
branches, these are all patched atomically w.r.t. one another, and there
are only a handful of cases that need special care in the window between
cpucap detection and alternative patching.
Due to the above, it would be nice to remove cpus_have_const_cap(), and
migrate callers over to alternative_has_cap_*(), cpus_have_final_cap(),
or cpus_have_cap() depending on when their requirements. This will
remove redundant instructions and improve code generation, and will make
it easier to determine how each callsite will behave before, during, and
after alternative patching.
The ARM64_WORKAROUND_1542419 cpucap is detected and patched before any
userspace code can run, and the both __do_compat_cache_op() and
ctr_read_handler() are only reachable from exceptions taken from
userspace. Thus it is not necessary for either to use
cpus_have_const_cap(), and cpus_have_final_cap() is equivalent.
This patch replaces the use of cpus_have_const_cap() with
cpus_have_final_cap(), which will avoid generating code to test the
system_cpucaps bitmap and should be better for all subsequent calls at
runtime. Using cpus_have_final_cap() clearly documents that we do not
expect this code to run before cpucaps are finalized, and will make it
easier to spot issues if code is changed in future to allow these
functions to be reached earlier.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2023-10-16 18:24:55 +08:00
|
|
|
if (cpus_have_final_cap(ARM64_WORKAROUND_1542419)) {
|
2019-10-18 01:43:00 +08:00
|
|
|
/*
|
|
|
|
* The workaround requires an inner-shareable tlbi.
|
|
|
|
* We pick the reserved-ASID to minimise the impact.
|
|
|
|
*/
|
2019-10-28 17:08:34 +08:00
|
|
|
__tlbi(aside1is, __TLBI_VADDR(0, 0));
|
2019-10-18 01:43:00 +08:00
|
|
|
dsb(ish);
|
|
|
|
}
|
|
|
|
|
arm64: Rename arm64-internal cache maintenance functions
Although naming across the codebase isn't that consistent, it
tends to follow certain patterns. Moreover, the term "flush"
isn't defined in the Arm Architecture reference manual, and might
be interpreted to mean clean, invalidate, or both for a cache.
Rename arm64-internal functions to make the naming internally
consistent, as well as making it consistent with the Arm ARM, by
specifying whether it applies to the instruction, data, or both
caches, whether the operation is a clean, invalidate, or both.
Also specify which point the operation applies to, i.e., to the
point of unification (PoU), coherency (PoC), or persistence
(PoP).
This commit applies the following sed transformation to all files
under arch/arm64:
"s/\b__flush_cache_range\b/caches_clean_inval_pou_macro/g;"\
"s/\b__flush_icache_range\b/caches_clean_inval_pou/g;"\
"s/\binvalidate_icache_range\b/icache_inval_pou/g;"\
"s/\b__flush_dcache_area\b/dcache_clean_inval_poc/g;"\
"s/\b__inval_dcache_area\b/dcache_inval_poc/g;"\
"s/__clean_dcache_area_poc\b/dcache_clean_poc/g;"\
"s/\b__clean_dcache_area_pop\b/dcache_clean_pop/g;"\
"s/\b__clean_dcache_area_pou\b/dcache_clean_pou/g;"\
"s/\b__flush_cache_user_range\b/caches_clean_inval_user_pou/g;"\
"s/\b__flush_icache_all\b/icache_inval_all_pou/g;"
Note that __clean_dcache_area_poc is deliberately missing a word
boundary check at the beginning in order to match the efistub
symbols in image-vars.h.
Also note that, despite its name, __flush_icache_range operates
on both instruction and data caches. The name change here
reflects that.
No functional change intended.
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Fuad Tabba <tabba@google.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20210524083001.2586635-19-tabba@google.com
Signed-off-by: Will Deacon <will@kernel.org>
2021-05-24 16:30:01 +08:00
|
|
|
ret = caches_clean_inval_user_pou(start, start + chunk);
|
2014-12-01 18:53:08 +08:00
|
|
|
if (ret)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
cond_resched();
|
|
|
|
start += chunk;
|
|
|
|
} while (start < end);
|
|
|
|
|
|
|
|
return 0;
|
2012-03-05 19:49:32 +08:00
|
|
|
}
|
|
|
|
|
2014-12-01 18:53:08 +08:00
|
|
|
static inline long
|
|
|
|
do_compat_cache_op(unsigned long start, unsigned long end, int flags)
|
|
|
|
{
|
|
|
|
if (end < start || flags)
|
|
|
|
return -EINVAL;
|
|
|
|
|
Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-04 10:57:57 +08:00
|
|
|
if (!access_ok((const void __user *)start, end - start))
|
2014-12-01 18:53:08 +08:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return __do_compat_cache_op(start, end);
|
|
|
|
}
|
2012-03-05 19:49:32 +08:00
|
|
|
/*
|
|
|
|
* Handle all unrecognised system calls.
|
|
|
|
*/
|
2019-01-04 02:00:39 +08:00
|
|
|
long compat_arm_syscall(struct pt_regs *regs, int scno)
|
2012-03-05 19:49:32 +08:00
|
|
|
{
|
2020-11-21 04:33:46 +08:00
|
|
|
unsigned long addr;
|
2012-03-05 19:49:32 +08:00
|
|
|
|
2019-01-04 02:00:39 +08:00
|
|
|
switch (scno) {
|
2012-03-05 19:49:32 +08:00
|
|
|
/*
|
|
|
|
* Flush a region from virtual address 'r0' to virtual address 'r1'
|
|
|
|
* _exclusive_. There is no alignment requirement on either address;
|
|
|
|
* user space does not need to know the hardware cache layout.
|
|
|
|
*
|
|
|
|
* r2 contains flags. It should ALWAYS be passed as ZERO until it
|
|
|
|
* is defined to be something else. For now we ignore it, but may
|
|
|
|
* the fires of hell burn in your belly if you break this rule. ;)
|
|
|
|
*
|
|
|
|
* (at a later date, we may want to allow this call to not flush
|
|
|
|
* various aspects of the cache. Passing '0' will guarantee that
|
|
|
|
* everything necessary gets flushed to maintain consistency in
|
|
|
|
* the specified region).
|
|
|
|
*/
|
|
|
|
case __ARM_NR_compat_cacheflush:
|
2014-12-01 18:53:08 +08:00
|
|
|
return do_compat_cache_op(regs->regs[0], regs->regs[1], regs->regs[2]);
|
2012-03-05 19:49:32 +08:00
|
|
|
|
|
|
|
case __ARM_NR_compat_set_tls:
|
2018-03-28 17:50:49 +08:00
|
|
|
current->thread.uw.tp_value = regs->regs[0];
|
2014-09-11 21:38:16 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Protect against register corruption from context switch.
|
|
|
|
* See comment in tls_thread_flush.
|
|
|
|
*/
|
|
|
|
barrier();
|
2016-09-08 20:55:38 +08:00
|
|
|
write_sysreg(regs->regs[0], tpidrro_el0);
|
2012-03-05 19:49:32 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
default:
|
2018-02-02 06:13:37 +08:00
|
|
|
/*
|
2019-01-04 01:45:07 +08:00
|
|
|
* Calls 0xf0xxx..0xf07ff are defined to return -ENOSYS
|
2018-02-02 06:13:37 +08:00
|
|
|
* if not implemented, rather than raising SIGILL. This
|
|
|
|
* way the calling program can gracefully determine whether
|
|
|
|
* a feature is supported.
|
|
|
|
*/
|
2019-01-04 02:00:39 +08:00
|
|
|
if (scno < __ARM_NR_COMPAT_END)
|
2018-02-02 06:13:37 +08:00
|
|
|
return -ENOSYS;
|
|
|
|
break;
|
2012-03-05 19:49:32 +08:00
|
|
|
}
|
2018-02-02 06:13:37 +08:00
|
|
|
|
2020-11-21 04:33:46 +08:00
|
|
|
addr = instruction_pointer(regs) - (compat_thumb_mode(regs) ? 2 : 4);
|
2018-02-02 06:13:37 +08:00
|
|
|
|
2018-09-21 23:24:40 +08:00
|
|
|
arm64_notify_die("Oops - bad compat syscall(2)", regs,
|
arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall
If a compat process tries to execute an unknown system call above the
__ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the
offending process. Information about the error is printed to dmesg in
compat_arm_syscall() -> arm64_notify_die() -> arm64_force_sig_fault() ->
arm64_show_signal().
arm64_show_signal() interprets a non-zero value for
current->thread.fault_code as an exception syndrome and displays the
message associated with the ESR_ELx.EC field (bits 31:26).
current->thread.fault_code is set in compat_arm_syscall() ->
arm64_notify_die() with the bad syscall number instead of a valid ESR_ELx
value. This means that the ESR_ELx.EC field has the value that the user set
for the syscall number and the kernel can end up printing bogus exception
messages*. For example, for the syscall number 0x68000000, which evaluates
to ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel prints this error:
[ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000]
[ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79
[ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT)
[..]
which is misleading, as the bad compat syscall has nothing to do with
pointer authentication.
Stop arm64_show_signal() from printing exception syndrome information by
having compat_arm_syscall() set the ESR_ELx value to 0, as it has no
meaning for an invalid system call number. The example above now becomes:
[ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000]
[ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80
[ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT)
[..]
which although shows less information because the syscall number,
wrongfully advertised as the ESR value, is missing, it is better than
showing plainly wrong information. The syscall number can be easily
obtained with strace.
*A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative
integer in compat_arm_syscal() and the condition scno < __ARM_NR_COMPAT_END
evaluates to true; the syscall will exit to userspace in this case with the
ENOSYS error code instead of arm64_notify_die() being called.
Signed-off-by: Alexandru Elisei <alexandru.elisei@arm.com>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20220425114444.368693-3-alexandru.elisei@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2022-04-25 19:44:41 +08:00
|
|
|
SIGILL, ILL_ILLTRP, addr, 0);
|
2018-02-02 06:13:37 +08:00
|
|
|
return 0;
|
2012-03-05 19:49:32 +08:00
|
|
|
}
|