Merge PTRACE_SETREGSET leakage fixes from Dave Martin:
"This series is the collection of fixes I proposed on this topic, that
have not yet appeared upstream or in the stable branches,
The issue can leak kernel stack, but doesn't appear to allow userspace
to attack the kernel directly. The affected architectures are c6x,
h8300, metag, mips and sparc.
[ Mark Salter points out that c6x has no MMU or other mechanism to
prevent userspace access to kernel code or data on c6x, but it
doesn't hurt to clean that case up too. ]
The bugs arise from use of user_regset_copyin(). Users of
user_regset_copyin() can work in one of two ways:
1) Copy directly to thread_struct or equivalent. (This seems to be
the design assumption of the regset API, and is the most common
approach.)
2) Copy to a local variable and then transfer to thread_struct. (A
significant minority of cases.)
Buggy code typically involves approach 2"
* emailed patches from Dave Martin <Dave.Martin@arm.com>:
sparc/ptrace: Preserve previous registers for short regset write
mips/ptrace: Preserve previous registers for short regset write
metag/ptrace: Reject partial NT_METAG_RPIPE writes
metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
metag/ptrace: Preserve previous registers for short regset write
h8300/ptrace: Fix incorrect register transfer count
c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
It's not clear what behaviour is sensible when doing partial write of
NT_METAG_RPIPE, so just don't bother.
This patch assumes that userspace will never rely on a partial SETREGSET
in this case, since it's not clear what should happen anyway.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill TXSTATUS, a well-defined default value is used, based on the
task's current value.
Suggested-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
regs_set() and regs_get() are vulnerable to an off-by-1 buffer overrun
if CONFIG_CPU_H8S is set, since this adds an extra entry to
register_offset[] but not to user_regs_struct.
So, iterate over user_regs_struct based on its actual size, not based on
the length of register_offset[].
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
gpr_set won't work correctly and can never have been tested, and the
correct behaviour is not clear due to the endianness-dependent task
layout.
So, just remove it. The core code will now return -EOPNOTSUPPORT when
trying to set NT_PRSTATUS on this architecture until/unless a correct
implementation is supplied.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The two st231-rproc nodes have the same name; Due to that it was
impossible to distinguish them in remoteproc sysfs and debugfs
interface.
This patch provides them a name related to their functionality.
Signed-off-by: Loic Pallardy <loic.pallardy@st.com>
The display backend on sun5i shares the same interrupt line as the
display frontend. Add it.
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
LS1088A contains eight ARM v8 CortexA53 processor cores
with 32 KB L1-D cache and 32 KB L1-I cache
Features summary
Eight 32-bit / 64-bit ARM v8 Cortex-A53 CPUs
- Arranged as two clusters of four cores sharing a 1 MB L2 cache
- Speed Up to 1.5 GHz
- Support for cluster power-gating.
Cache coherent interconnect (CCI-400)
- Hardware-managed data coherency
- Up to 700 MHz
One 64-bit DDR4 SDRAM memory controller with ECC
Data path acceleration architecture 2.0 (DPAA2)
Three PCIe 3.0 controllers
One serial ATA (SATA 3.0) controller
Three high-speed USB 3.0 controllers with integrated PHY
Following levels of DTSI/DTS files have been created for the LS1088A
SoC family:
- fsl-ls1088a.dtsi:
DTS-Include file for NXP LS1088A SoC.
- fsl-ls1088a-qds.dts:
DTS file for NXP LS1088A QDS board.
- fsl-ls1088a-rdb.dts:
DTS file for NXP LS1088A RDB board
Signed-off-by: Harninder Rai <harninder.rai@nxp.com>
Signed-off-by: Ashish Kumar <ashish.kumar@nxp.com>
Signed-off-by: Raghav Dogra <raghav.dogra@nxp.com>`
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
... and the only reason it worked is that access_ok() discards the
first argument before parser even gets a chance of looking at it.
Still, no point keeping that typo.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Massage frv search_exception_table() to
a) taking pt_regs pointer as explicit argument
b) updating ->pc on success
Simplifies callers a bit and allows to convert to generic extable.h,
while we are at it.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
