1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Based on arch/arm/kernel/ptrace.c 4 * 5 * By Ross Biro 1/23/92 6 * edited by Linus Torvalds 7 * ARM modifications Copyright (C) 2000 Russell King 8 * Copyright (C) 2012 ARM Ltd. 9 */ 10 11 #include <linux/audit.h> 12 #include <linux/compat.h> 13 #include <linux/kernel.h> 14 #include <linux/sched/signal.h> 15 #include <linux/sched/task_stack.h> 16 #include <linux/mm.h> 17 #include <linux/nospec.h> 18 #include <linux/smp.h> 19 #include <linux/ptrace.h> 20 #include <linux/user.h> 21 #include <linux/seccomp.h> 22 #include <linux/security.h> 23 #include <linux/init.h> 24 #include <linux/signal.h> 25 #include <linux/string.h> 26 #include <linux/uaccess.h> 27 #include <linux/perf_event.h> 28 #include <linux/hw_breakpoint.h> 29 #include <linux/regset.h> 30 #include <linux/tracehook.h> 31 #include <linux/elf.h> 32 33 #include <asm/compat.h> 34 #include <asm/cpufeature.h> 35 #include <asm/debug-monitors.h> 36 #include <asm/fpsimd.h> 37 #include <asm/mte.h> 38 #include <asm/pointer_auth.h> 39 #include <asm/stacktrace.h> 40 #include <asm/syscall.h> 41 #include <asm/traps.h> 42 #include <asm/system_misc.h> 43 44 #define CREATE_TRACE_POINTS 45 #include <trace/events/syscalls.h> 46 47 struct pt_regs_offset { 48 const char *name; 49 int offset; 50 }; 51 52 #define REG_OFFSET_NAME(r) {.name = #r, .offset = offsetof(struct pt_regs, r)} 53 #define REG_OFFSET_END {.name = NULL, .offset = 0} 54 #define GPR_OFFSET_NAME(r) \ 55 {.name = "x" #r, .offset = offsetof(struct pt_regs, regs[r])} 56 57 static const struct pt_regs_offset regoffset_table[] = { 58 GPR_OFFSET_NAME(0), 59 GPR_OFFSET_NAME(1), 60 GPR_OFFSET_NAME(2), 61 GPR_OFFSET_NAME(3), 62 GPR_OFFSET_NAME(4), 63 GPR_OFFSET_NAME(5), 64 GPR_OFFSET_NAME(6), 65 GPR_OFFSET_NAME(7), 66 GPR_OFFSET_NAME(8), 67 GPR_OFFSET_NAME(9), 68 GPR_OFFSET_NAME(10), 69 GPR_OFFSET_NAME(11), 70 GPR_OFFSET_NAME(12), 71 GPR_OFFSET_NAME(13), 72 GPR_OFFSET_NAME(14), 73 GPR_OFFSET_NAME(15), 74 GPR_OFFSET_NAME(16), 75 GPR_OFFSET_NAME(17), 76 GPR_OFFSET_NAME(18), 77 GPR_OFFSET_NAME(19), 78 GPR_OFFSET_NAME(20), 79 GPR_OFFSET_NAME(21), 80 GPR_OFFSET_NAME(22), 81 GPR_OFFSET_NAME(23), 82 GPR_OFFSET_NAME(24), 83 GPR_OFFSET_NAME(25), 84 GPR_OFFSET_NAME(26), 85 GPR_OFFSET_NAME(27), 86 GPR_OFFSET_NAME(28), 87 GPR_OFFSET_NAME(29), 88 GPR_OFFSET_NAME(30), 89 {.name = "lr", .offset = offsetof(struct pt_regs, regs[30])}, 90 REG_OFFSET_NAME(sp), 91 REG_OFFSET_NAME(pc), 92 REG_OFFSET_NAME(pstate), 93 REG_OFFSET_END, 94 }; 95 96 /** 97 * regs_query_register_offset() - query register offset from its name 98 * @name: the name of a register 99 * 100 * regs_query_register_offset() returns the offset of a register in struct 101 * pt_regs from its name. If the name is invalid, this returns -EINVAL; 102 */ 103 int regs_query_register_offset(const char *name) 104 { 105 const struct pt_regs_offset *roff; 106 107 for (roff = regoffset_table; roff->name != NULL; roff++) 108 if (!strcmp(roff->name, name)) 109 return roff->offset; 110 return -EINVAL; 111 } 112 113 /** 114 * regs_within_kernel_stack() - check the address in the stack 115 * @regs: pt_regs which contains kernel stack pointer. 116 * @addr: address which is checked. 117 * 118 * regs_within_kernel_stack() checks @addr is within the kernel stack page(s). 119 * If @addr is within the kernel stack, it returns true. If not, returns false. 120 */ 121 static bool regs_within_kernel_stack(struct pt_regs *regs, unsigned long addr) 122 { 123 return ((addr & ~(THREAD_SIZE - 1)) == 124 (kernel_stack_pointer(regs) & ~(THREAD_SIZE - 1))) || 125 on_irq_stack(addr, sizeof(unsigned long), NULL); 126 } 127 128 /** 129 * regs_get_kernel_stack_nth() - get Nth entry of the stack 130 * @regs: pt_regs which contains kernel stack pointer. 131 * @n: stack entry number. 132 * 133 * regs_get_kernel_stack_nth() returns @n th entry of the kernel stack which 134 * is specified by @regs. If the @n th entry is NOT in the kernel stack, 135 * this returns 0. 136 */ 137 unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs, unsigned int n) 138 { 139 unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs); 140 141 addr += n; 142 if (regs_within_kernel_stack(regs, (unsigned long)addr)) 143 return *addr; 144 else 145 return 0; 146 } 147 148 /* 149 * TODO: does not yet catch signals sent when the child dies. 150 * in exit.c or in signal.c. 151 */ 152 153 /* 154 * Called by kernel/ptrace.c when detaching.. 155 */ 156 void ptrace_disable(struct task_struct *child) 157 { 158 /* 159 * This would be better off in core code, but PTRACE_DETACH has 160 * grown its fair share of arch-specific worts and changing it 161 * is likely to cause regressions on obscure architectures. 162 */ 163 user_disable_single_step(child); 164 } 165 166 #ifdef CONFIG_HAVE_HW_BREAKPOINT 167 /* 168 * Handle hitting a HW-breakpoint. 169 */ 170 static void ptrace_hbptriggered(struct perf_event *bp, 171 struct perf_sample_data *data, 172 struct pt_regs *regs) 173 { 174 struct arch_hw_breakpoint *bkpt = counter_arch_bp(bp); 175 const char *desc = "Hardware breakpoint trap (ptrace)"; 176 177 #ifdef CONFIG_COMPAT 178 if (is_compat_task()) { 179 int si_errno = 0; 180 int i; 181 182 for (i = 0; i < ARM_MAX_BRP; ++i) { 183 if (current->thread.debug.hbp_break[i] == bp) { 184 si_errno = (i << 1) + 1; 185 break; 186 } 187 } 188 189 for (i = 0; i < ARM_MAX_WRP; ++i) { 190 if (current->thread.debug.hbp_watch[i] == bp) { 191 si_errno = -((i << 1) + 1); 192 break; 193 } 194 } 195 arm64_force_sig_ptrace_errno_trap(si_errno, bkpt->trigger, 196 desc); 197 return; 198 } 199 #endif 200 arm64_force_sig_fault(SIGTRAP, TRAP_HWBKPT, bkpt->trigger, desc); 201 } 202 203 /* 204 * Unregister breakpoints from this task and reset the pointers in 205 * the thread_struct. 206 */ 207 void flush_ptrace_hw_breakpoint(struct task_struct *tsk) 208 { 209 int i; 210 struct thread_struct *t = &tsk->thread; 211 212 for (i = 0; i < ARM_MAX_BRP; i++) { 213 if (t->debug.hbp_break[i]) { 214 unregister_hw_breakpoint(t->debug.hbp_break[i]); 215 t->debug.hbp_break[i] = NULL; 216 } 217 } 218 219 for (i = 0; i < ARM_MAX_WRP; i++) { 220 if (t->debug.hbp_watch[i]) { 221 unregister_hw_breakpoint(t->debug.hbp_watch[i]); 222 t->debug.hbp_watch[i] = NULL; 223 } 224 } 225 } 226 227 void ptrace_hw_copy_thread(struct task_struct *tsk) 228 { 229 memset(&tsk->thread.debug, 0, sizeof(struct debug_info)); 230 } 231 232 static struct perf_event *ptrace_hbp_get_event(unsigned int note_type, 233 struct task_struct *tsk, 234 unsigned long idx) 235 { 236 struct perf_event *bp = ERR_PTR(-EINVAL); 237 238 switch (note_type) { 239 case NT_ARM_HW_BREAK: 240 if (idx >= ARM_MAX_BRP) 241 goto out; 242 idx = array_index_nospec(idx, ARM_MAX_BRP); 243 bp = tsk->thread.debug.hbp_break[idx]; 244 break; 245 case NT_ARM_HW_WATCH: 246 if (idx >= ARM_MAX_WRP) 247 goto out; 248 idx = array_index_nospec(idx, ARM_MAX_WRP); 249 bp = tsk->thread.debug.hbp_watch[idx]; 250 break; 251 } 252 253 out: 254 return bp; 255 } 256 257 static int ptrace_hbp_set_event(unsigned int note_type, 258 struct task_struct *tsk, 259 unsigned long idx, 260 struct perf_event *bp) 261 { 262 int err = -EINVAL; 263 264 switch (note_type) { 265 case NT_ARM_HW_BREAK: 266 if (idx >= ARM_MAX_BRP) 267 goto out; 268 idx = array_index_nospec(idx, ARM_MAX_BRP); 269 tsk->thread.debug.hbp_break[idx] = bp; 270 err = 0; 271 break; 272 case NT_ARM_HW_WATCH: 273 if (idx >= ARM_MAX_WRP) 274 goto out; 275 idx = array_index_nospec(idx, ARM_MAX_WRP); 276 tsk->thread.debug.hbp_watch[idx] = bp; 277 err = 0; 278 break; 279 } 280 281 out: 282 return err; 283 } 284 285 static struct perf_event *ptrace_hbp_create(unsigned int note_type, 286 struct task_struct *tsk, 287 unsigned long idx) 288 { 289 struct perf_event *bp; 290 struct perf_event_attr attr; 291 int err, type; 292 293 switch (note_type) { 294 case NT_ARM_HW_BREAK: 295 type = HW_BREAKPOINT_X; 296 break; 297 case NT_ARM_HW_WATCH: 298 type = HW_BREAKPOINT_RW; 299 break; 300 default: 301 return ERR_PTR(-EINVAL); 302 } 303 304 ptrace_breakpoint_init(&attr); 305 306 /* 307 * Initialise fields to sane defaults 308 * (i.e. values that will pass validation). 309 */ 310 attr.bp_addr = 0; 311 attr.bp_len = HW_BREAKPOINT_LEN_4; 312 attr.bp_type = type; 313 attr.disabled = 1; 314 315 bp = register_user_hw_breakpoint(&attr, ptrace_hbptriggered, NULL, tsk); 316 if (IS_ERR(bp)) 317 return bp; 318 319 err = ptrace_hbp_set_event(note_type, tsk, idx, bp); 320 if (err) 321 return ERR_PTR(err); 322 323 return bp; 324 } 325 326 static int ptrace_hbp_fill_attr_ctrl(unsigned int note_type, 327 struct arch_hw_breakpoint_ctrl ctrl, 328 struct perf_event_attr *attr) 329 { 330 int err, len, type, offset, disabled = !ctrl.enabled; 331 332 attr->disabled = disabled; 333 if (disabled) 334 return 0; 335 336 err = arch_bp_generic_fields(ctrl, &len, &type, &offset); 337 if (err) 338 return err; 339 340 switch (note_type) { 341 case NT_ARM_HW_BREAK: 342 if ((type & HW_BREAKPOINT_X) != type) 343 return -EINVAL; 344 break; 345 case NT_ARM_HW_WATCH: 346 if ((type & HW_BREAKPOINT_RW) != type) 347 return -EINVAL; 348 break; 349 default: 350 return -EINVAL; 351 } 352 353 attr->bp_len = len; 354 attr->bp_type = type; 355 attr->bp_addr += offset; 356 357 return 0; 358 } 359 360 static int ptrace_hbp_get_resource_info(unsigned int note_type, u32 *info) 361 { 362 u8 num; 363 u32 reg = 0; 364 365 switch (note_type) { 366 case NT_ARM_HW_BREAK: 367 num = hw_breakpoint_slots(TYPE_INST); 368 break; 369 case NT_ARM_HW_WATCH: 370 num = hw_breakpoint_slots(TYPE_DATA); 371 break; 372 default: 373 return -EINVAL; 374 } 375 376 reg |= debug_monitors_arch(); 377 reg <<= 8; 378 reg |= num; 379 380 *info = reg; 381 return 0; 382 } 383 384 static int ptrace_hbp_get_ctrl(unsigned int note_type, 385 struct task_struct *tsk, 386 unsigned long idx, 387 u32 *ctrl) 388 { 389 struct perf_event *bp = ptrace_hbp_get_event(note_type, tsk, idx); 390 391 if (IS_ERR(bp)) 392 return PTR_ERR(bp); 393 394 *ctrl = bp ? encode_ctrl_reg(counter_arch_bp(bp)->ctrl) : 0; 395 return 0; 396 } 397 398 static int ptrace_hbp_get_addr(unsigned int note_type, 399 struct task_struct *tsk, 400 unsigned long idx, 401 u64 *addr) 402 { 403 struct perf_event *bp = ptrace_hbp_get_event(note_type, tsk, idx); 404 405 if (IS_ERR(bp)) 406 return PTR_ERR(bp); 407 408 *addr = bp ? counter_arch_bp(bp)->address : 0; 409 return 0; 410 } 411 412 static struct perf_event *ptrace_hbp_get_initialised_bp(unsigned int note_type, 413 struct task_struct *tsk, 414 unsigned long idx) 415 { 416 struct perf_event *bp = ptrace_hbp_get_event(note_type, tsk, idx); 417 418 if (!bp) 419 bp = ptrace_hbp_create(note_type, tsk, idx); 420 421 return bp; 422 } 423 424 static int ptrace_hbp_set_ctrl(unsigned int note_type, 425 struct task_struct *tsk, 426 unsigned long idx, 427 u32 uctrl) 428 { 429 int err; 430 struct perf_event *bp; 431 struct perf_event_attr attr; 432 struct arch_hw_breakpoint_ctrl ctrl; 433 434 bp = ptrace_hbp_get_initialised_bp(note_type, tsk, idx); 435 if (IS_ERR(bp)) { 436 err = PTR_ERR(bp); 437 return err; 438 } 439 440 attr = bp->attr; 441 decode_ctrl_reg(uctrl, &ctrl); 442 err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr); 443 if (err) 444 return err; 445 446 return modify_user_hw_breakpoint(bp, &attr); 447 } 448 449 static int ptrace_hbp_set_addr(unsigned int note_type, 450 struct task_struct *tsk, 451 unsigned long idx, 452 u64 addr) 453 { 454 int err; 455 struct perf_event *bp; 456 struct perf_event_attr attr; 457 458 bp = ptrace_hbp_get_initialised_bp(note_type, tsk, idx); 459 if (IS_ERR(bp)) { 460 err = PTR_ERR(bp); 461 return err; 462 } 463 464 attr = bp->attr; 465 attr.bp_addr = addr; 466 err = modify_user_hw_breakpoint(bp, &attr); 467 return err; 468 } 469 470 #define PTRACE_HBP_ADDR_SZ sizeof(u64) 471 #define PTRACE_HBP_CTRL_SZ sizeof(u32) 472 #define PTRACE_HBP_PAD_SZ sizeof(u32) 473 474 static int hw_break_get(struct task_struct *target, 475 const struct user_regset *regset, 476 struct membuf to) 477 { 478 unsigned int note_type = regset->core_note_type; 479 int ret, idx = 0; 480 u32 info, ctrl; 481 u64 addr; 482 483 /* Resource info */ 484 ret = ptrace_hbp_get_resource_info(note_type, &info); 485 if (ret) 486 return ret; 487 488 membuf_write(&to, &info, sizeof(info)); 489 membuf_zero(&to, sizeof(u32)); 490 /* (address, ctrl) registers */ 491 while (to.left) { 492 ret = ptrace_hbp_get_addr(note_type, target, idx, &addr); 493 if (ret) 494 return ret; 495 ret = ptrace_hbp_get_ctrl(note_type, target, idx, &ctrl); 496 if (ret) 497 return ret; 498 membuf_store(&to, addr); 499 membuf_store(&to, ctrl); 500 membuf_zero(&to, sizeof(u32)); 501 idx++; 502 } 503 return 0; 504 } 505 506 static int hw_break_set(struct task_struct *target, 507 const struct user_regset *regset, 508 unsigned int pos, unsigned int count, 509 const void *kbuf, const void __user *ubuf) 510 { 511 unsigned int note_type = regset->core_note_type; 512 int ret, idx = 0, offset, limit; 513 u32 ctrl; 514 u64 addr; 515 516 /* Resource info and pad */ 517 offset = offsetof(struct user_hwdebug_state, dbg_regs); 518 ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, 0, offset); 519 if (ret) 520 return ret; 521 522 /* (address, ctrl) registers */ 523 limit = regset->n * regset->size; 524 while (count && offset < limit) { 525 if (count < PTRACE_HBP_ADDR_SZ) 526 return -EINVAL; 527 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &addr, 528 offset, offset + PTRACE_HBP_ADDR_SZ); 529 if (ret) 530 return ret; 531 ret = ptrace_hbp_set_addr(note_type, target, idx, addr); 532 if (ret) 533 return ret; 534 offset += PTRACE_HBP_ADDR_SZ; 535 536 if (!count) 537 break; 538 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl, 539 offset, offset + PTRACE_HBP_CTRL_SZ); 540 if (ret) 541 return ret; 542 ret = ptrace_hbp_set_ctrl(note_type, target, idx, ctrl); 543 if (ret) 544 return ret; 545 offset += PTRACE_HBP_CTRL_SZ; 546 547 ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, 548 offset, 549 offset + PTRACE_HBP_PAD_SZ); 550 if (ret) 551 return ret; 552 offset += PTRACE_HBP_PAD_SZ; 553 idx++; 554 } 555 556 return 0; 557 } 558 #endif /* CONFIG_HAVE_HW_BREAKPOINT */ 559 560 static int gpr_get(struct task_struct *target, 561 const struct user_regset *regset, 562 struct membuf to) 563 { 564 struct user_pt_regs *uregs = &task_pt_regs(target)->user_regs; 565 return membuf_write(&to, uregs, sizeof(*uregs)); 566 } 567 568 static int gpr_set(struct task_struct *target, const struct user_regset *regset, 569 unsigned int pos, unsigned int count, 570 const void *kbuf, const void __user *ubuf) 571 { 572 int ret; 573 struct user_pt_regs newregs = task_pt_regs(target)->user_regs; 574 575 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newregs, 0, -1); 576 if (ret) 577 return ret; 578 579 if (!valid_user_regs(&newregs, target)) 580 return -EINVAL; 581 582 task_pt_regs(target)->user_regs = newregs; 583 return 0; 584 } 585 586 static int fpr_active(struct task_struct *target, const struct user_regset *regset) 587 { 588 if (!system_supports_fpsimd()) 589 return -ENODEV; 590 return regset->n; 591 } 592 593 /* 594 * TODO: update fp accessors for lazy context switching (sync/flush hwstate) 595 */ 596 static int __fpr_get(struct task_struct *target, 597 const struct user_regset *regset, 598 struct membuf to) 599 { 600 struct user_fpsimd_state *uregs; 601 602 sve_sync_to_fpsimd(target); 603 604 uregs = &target->thread.uw.fpsimd_state; 605 606 return membuf_write(&to, uregs, sizeof(*uregs)); 607 } 608 609 static int fpr_get(struct task_struct *target, const struct user_regset *regset, 610 struct membuf to) 611 { 612 if (!system_supports_fpsimd()) 613 return -EINVAL; 614 615 if (target == current) 616 fpsimd_preserve_current_state(); 617 618 return __fpr_get(target, regset, to); 619 } 620 621 static int __fpr_set(struct task_struct *target, 622 const struct user_regset *regset, 623 unsigned int pos, unsigned int count, 624 const void *kbuf, const void __user *ubuf, 625 unsigned int start_pos) 626 { 627 int ret; 628 struct user_fpsimd_state newstate; 629 630 /* 631 * Ensure target->thread.uw.fpsimd_state is up to date, so that a 632 * short copyin can't resurrect stale data. 633 */ 634 sve_sync_to_fpsimd(target); 635 636 newstate = target->thread.uw.fpsimd_state; 637 638 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 639 start_pos, start_pos + sizeof(newstate)); 640 if (ret) 641 return ret; 642 643 target->thread.uw.fpsimd_state = newstate; 644 645 return ret; 646 } 647 648 static int fpr_set(struct task_struct *target, const struct user_regset *regset, 649 unsigned int pos, unsigned int count, 650 const void *kbuf, const void __user *ubuf) 651 { 652 int ret; 653 654 if (!system_supports_fpsimd()) 655 return -EINVAL; 656 657 ret = __fpr_set(target, regset, pos, count, kbuf, ubuf, 0); 658 if (ret) 659 return ret; 660 661 sve_sync_from_fpsimd_zeropad(target); 662 fpsimd_flush_task_state(target); 663 664 return ret; 665 } 666 667 static int tls_get(struct task_struct *target, const struct user_regset *regset, 668 struct membuf to) 669 { 670 if (target == current) 671 tls_preserve_current_state(); 672 673 return membuf_store(&to, target->thread.uw.tp_value); 674 } 675 676 static int tls_set(struct task_struct *target, const struct user_regset *regset, 677 unsigned int pos, unsigned int count, 678 const void *kbuf, const void __user *ubuf) 679 { 680 int ret; 681 unsigned long tls = target->thread.uw.tp_value; 682 683 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1); 684 if (ret) 685 return ret; 686 687 target->thread.uw.tp_value = tls; 688 return ret; 689 } 690 691 static int system_call_get(struct task_struct *target, 692 const struct user_regset *regset, 693 struct membuf to) 694 { 695 return membuf_store(&to, task_pt_regs(target)->syscallno); 696 } 697 698 static int system_call_set(struct task_struct *target, 699 const struct user_regset *regset, 700 unsigned int pos, unsigned int count, 701 const void *kbuf, const void __user *ubuf) 702 { 703 int syscallno = task_pt_regs(target)->syscallno; 704 int ret; 705 706 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &syscallno, 0, -1); 707 if (ret) 708 return ret; 709 710 task_pt_regs(target)->syscallno = syscallno; 711 return ret; 712 } 713 714 #ifdef CONFIG_ARM64_SVE 715 716 static void sve_init_header_from_task(struct user_sve_header *header, 717 struct task_struct *target) 718 { 719 unsigned int vq; 720 721 memset(header, 0, sizeof(*header)); 722 723 header->flags = test_tsk_thread_flag(target, TIF_SVE) ? 724 SVE_PT_REGS_SVE : SVE_PT_REGS_FPSIMD; 725 if (test_tsk_thread_flag(target, TIF_SVE_VL_INHERIT)) 726 header->flags |= SVE_PT_VL_INHERIT; 727 728 header->vl = task_get_sve_vl(target); 729 vq = sve_vq_from_vl(header->vl); 730 731 header->max_vl = sve_max_vl(); 732 header->size = SVE_PT_SIZE(vq, header->flags); 733 header->max_size = SVE_PT_SIZE(sve_vq_from_vl(header->max_vl), 734 SVE_PT_REGS_SVE); 735 } 736 737 static unsigned int sve_size_from_header(struct user_sve_header const *header) 738 { 739 return ALIGN(header->size, SVE_VQ_BYTES); 740 } 741 742 static int sve_get(struct task_struct *target, 743 const struct user_regset *regset, 744 struct membuf to) 745 { 746 struct user_sve_header header; 747 unsigned int vq; 748 unsigned long start, end; 749 750 if (!system_supports_sve()) 751 return -EINVAL; 752 753 /* Header */ 754 sve_init_header_from_task(&header, target); 755 vq = sve_vq_from_vl(header.vl); 756 757 membuf_write(&to, &header, sizeof(header)); 758 759 if (target == current) 760 fpsimd_preserve_current_state(); 761 762 /* Registers: FPSIMD-only case */ 763 764 BUILD_BUG_ON(SVE_PT_FPSIMD_OFFSET != sizeof(header)); 765 if ((header.flags & SVE_PT_REGS_MASK) == SVE_PT_REGS_FPSIMD) 766 return __fpr_get(target, regset, to); 767 768 /* Otherwise: full SVE case */ 769 770 BUILD_BUG_ON(SVE_PT_SVE_OFFSET != sizeof(header)); 771 start = SVE_PT_SVE_OFFSET; 772 end = SVE_PT_SVE_FFR_OFFSET(vq) + SVE_PT_SVE_FFR_SIZE(vq); 773 membuf_write(&to, target->thread.sve_state, end - start); 774 775 start = end; 776 end = SVE_PT_SVE_FPSR_OFFSET(vq); 777 membuf_zero(&to, end - start); 778 779 /* 780 * Copy fpsr, and fpcr which must follow contiguously in 781 * struct fpsimd_state: 782 */ 783 start = end; 784 end = SVE_PT_SVE_FPCR_OFFSET(vq) + SVE_PT_SVE_FPCR_SIZE; 785 membuf_write(&to, &target->thread.uw.fpsimd_state.fpsr, end - start); 786 787 start = end; 788 end = sve_size_from_header(&header); 789 return membuf_zero(&to, end - start); 790 } 791 792 static int sve_set(struct task_struct *target, 793 const struct user_regset *regset, 794 unsigned int pos, unsigned int count, 795 const void *kbuf, const void __user *ubuf) 796 { 797 int ret; 798 struct user_sve_header header; 799 unsigned int vq; 800 unsigned long start, end; 801 802 if (!system_supports_sve()) 803 return -EINVAL; 804 805 /* Header */ 806 if (count < sizeof(header)) 807 return -EINVAL; 808 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &header, 809 0, sizeof(header)); 810 if (ret) 811 goto out; 812 813 /* 814 * Apart from SVE_PT_REGS_MASK, all SVE_PT_* flags are consumed by 815 * vec_set_vector_length(), which will also validate them for us: 816 */ 817 ret = vec_set_vector_length(target, ARM64_VEC_SVE, header.vl, 818 ((unsigned long)header.flags & ~SVE_PT_REGS_MASK) << 16); 819 if (ret) 820 goto out; 821 822 /* Actual VL set may be less than the user asked for: */ 823 vq = sve_vq_from_vl(task_get_sve_vl(target)); 824 825 /* Registers: FPSIMD-only case */ 826 827 BUILD_BUG_ON(SVE_PT_FPSIMD_OFFSET != sizeof(header)); 828 if ((header.flags & SVE_PT_REGS_MASK) == SVE_PT_REGS_FPSIMD) { 829 ret = __fpr_set(target, regset, pos, count, kbuf, ubuf, 830 SVE_PT_FPSIMD_OFFSET); 831 clear_tsk_thread_flag(target, TIF_SVE); 832 goto out; 833 } 834 835 /* Otherwise: full SVE case */ 836 837 /* 838 * If setting a different VL from the requested VL and there is 839 * register data, the data layout will be wrong: don't even 840 * try to set the registers in this case. 841 */ 842 if (count && vq != sve_vq_from_vl(header.vl)) { 843 ret = -EIO; 844 goto out; 845 } 846 847 sve_alloc(target); 848 if (!target->thread.sve_state) { 849 ret = -ENOMEM; 850 clear_tsk_thread_flag(target, TIF_SVE); 851 goto out; 852 } 853 854 /* 855 * Ensure target->thread.sve_state is up to date with target's 856 * FPSIMD regs, so that a short copyin leaves trailing registers 857 * unmodified. 858 */ 859 fpsimd_sync_to_sve(target); 860 set_tsk_thread_flag(target, TIF_SVE); 861 862 BUILD_BUG_ON(SVE_PT_SVE_OFFSET != sizeof(header)); 863 start = SVE_PT_SVE_OFFSET; 864 end = SVE_PT_SVE_FFR_OFFSET(vq) + SVE_PT_SVE_FFR_SIZE(vq); 865 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, 866 target->thread.sve_state, 867 start, end); 868 if (ret) 869 goto out; 870 871 start = end; 872 end = SVE_PT_SVE_FPSR_OFFSET(vq); 873 ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, 874 start, end); 875 if (ret) 876 goto out; 877 878 /* 879 * Copy fpsr, and fpcr which must follow contiguously in 880 * struct fpsimd_state: 881 */ 882 start = end; 883 end = SVE_PT_SVE_FPCR_OFFSET(vq) + SVE_PT_SVE_FPCR_SIZE; 884 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, 885 &target->thread.uw.fpsimd_state.fpsr, 886 start, end); 887 888 out: 889 fpsimd_flush_task_state(target); 890 return ret; 891 } 892 893 #endif /* CONFIG_ARM64_SVE */ 894 895 #ifdef CONFIG_ARM64_PTR_AUTH 896 static int pac_mask_get(struct task_struct *target, 897 const struct user_regset *regset, 898 struct membuf to) 899 { 900 /* 901 * The PAC bits can differ across data and instruction pointers 902 * depending on TCR_EL1.TBID*, which we may make use of in future, so 903 * we expose separate masks. 904 */ 905 unsigned long mask = ptrauth_user_pac_mask(); 906 struct user_pac_mask uregs = { 907 .data_mask = mask, 908 .insn_mask = mask, 909 }; 910 911 if (!system_supports_address_auth()) 912 return -EINVAL; 913 914 return membuf_write(&to, &uregs, sizeof(uregs)); 915 } 916 917 static int pac_enabled_keys_get(struct task_struct *target, 918 const struct user_regset *regset, 919 struct membuf to) 920 { 921 long enabled_keys = ptrauth_get_enabled_keys(target); 922 923 if (IS_ERR_VALUE(enabled_keys)) 924 return enabled_keys; 925 926 return membuf_write(&to, &enabled_keys, sizeof(enabled_keys)); 927 } 928 929 static int pac_enabled_keys_set(struct task_struct *target, 930 const struct user_regset *regset, 931 unsigned int pos, unsigned int count, 932 const void *kbuf, const void __user *ubuf) 933 { 934 int ret; 935 long enabled_keys = ptrauth_get_enabled_keys(target); 936 937 if (IS_ERR_VALUE(enabled_keys)) 938 return enabled_keys; 939 940 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &enabled_keys, 0, 941 sizeof(long)); 942 if (ret) 943 return ret; 944 945 return ptrauth_set_enabled_keys(target, PR_PAC_ENABLED_KEYS_MASK, 946 enabled_keys); 947 } 948 949 #ifdef CONFIG_CHECKPOINT_RESTORE 950 static __uint128_t pac_key_to_user(const struct ptrauth_key *key) 951 { 952 return (__uint128_t)key->hi << 64 | key->lo; 953 } 954 955 static struct ptrauth_key pac_key_from_user(__uint128_t ukey) 956 { 957 struct ptrauth_key key = { 958 .lo = (unsigned long)ukey, 959 .hi = (unsigned long)(ukey >> 64), 960 }; 961 962 return key; 963 } 964 965 static void pac_address_keys_to_user(struct user_pac_address_keys *ukeys, 966 const struct ptrauth_keys_user *keys) 967 { 968 ukeys->apiakey = pac_key_to_user(&keys->apia); 969 ukeys->apibkey = pac_key_to_user(&keys->apib); 970 ukeys->apdakey = pac_key_to_user(&keys->apda); 971 ukeys->apdbkey = pac_key_to_user(&keys->apdb); 972 } 973 974 static void pac_address_keys_from_user(struct ptrauth_keys_user *keys, 975 const struct user_pac_address_keys *ukeys) 976 { 977 keys->apia = pac_key_from_user(ukeys->apiakey); 978 keys->apib = pac_key_from_user(ukeys->apibkey); 979 keys->apda = pac_key_from_user(ukeys->apdakey); 980 keys->apdb = pac_key_from_user(ukeys->apdbkey); 981 } 982 983 static int pac_address_keys_get(struct task_struct *target, 984 const struct user_regset *regset, 985 struct membuf to) 986 { 987 struct ptrauth_keys_user *keys = &target->thread.keys_user; 988 struct user_pac_address_keys user_keys; 989 990 if (!system_supports_address_auth()) 991 return -EINVAL; 992 993 pac_address_keys_to_user(&user_keys, keys); 994 995 return membuf_write(&to, &user_keys, sizeof(user_keys)); 996 } 997 998 static int pac_address_keys_set(struct task_struct *target, 999 const struct user_regset *regset, 1000 unsigned int pos, unsigned int count, 1001 const void *kbuf, const void __user *ubuf) 1002 { 1003 struct ptrauth_keys_user *keys = &target->thread.keys_user; 1004 struct user_pac_address_keys user_keys; 1005 int ret; 1006 1007 if (!system_supports_address_auth()) 1008 return -EINVAL; 1009 1010 pac_address_keys_to_user(&user_keys, keys); 1011 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, 1012 &user_keys, 0, -1); 1013 if (ret) 1014 return ret; 1015 pac_address_keys_from_user(keys, &user_keys); 1016 1017 return 0; 1018 } 1019 1020 static void pac_generic_keys_to_user(struct user_pac_generic_keys *ukeys, 1021 const struct ptrauth_keys_user *keys) 1022 { 1023 ukeys->apgakey = pac_key_to_user(&keys->apga); 1024 } 1025 1026 static void pac_generic_keys_from_user(struct ptrauth_keys_user *keys, 1027 const struct user_pac_generic_keys *ukeys) 1028 { 1029 keys->apga = pac_key_from_user(ukeys->apgakey); 1030 } 1031 1032 static int pac_generic_keys_get(struct task_struct *target, 1033 const struct user_regset *regset, 1034 struct membuf to) 1035 { 1036 struct ptrauth_keys_user *keys = &target->thread.keys_user; 1037 struct user_pac_generic_keys user_keys; 1038 1039 if (!system_supports_generic_auth()) 1040 return -EINVAL; 1041 1042 pac_generic_keys_to_user(&user_keys, keys); 1043 1044 return membuf_write(&to, &user_keys, sizeof(user_keys)); 1045 } 1046 1047 static int pac_generic_keys_set(struct task_struct *target, 1048 const struct user_regset *regset, 1049 unsigned int pos, unsigned int count, 1050 const void *kbuf, const void __user *ubuf) 1051 { 1052 struct ptrauth_keys_user *keys = &target->thread.keys_user; 1053 struct user_pac_generic_keys user_keys; 1054 int ret; 1055 1056 if (!system_supports_generic_auth()) 1057 return -EINVAL; 1058 1059 pac_generic_keys_to_user(&user_keys, keys); 1060 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, 1061 &user_keys, 0, -1); 1062 if (ret) 1063 return ret; 1064 pac_generic_keys_from_user(keys, &user_keys); 1065 1066 return 0; 1067 } 1068 #endif /* CONFIG_CHECKPOINT_RESTORE */ 1069 #endif /* CONFIG_ARM64_PTR_AUTH */ 1070 1071 #ifdef CONFIG_ARM64_TAGGED_ADDR_ABI 1072 static int tagged_addr_ctrl_get(struct task_struct *target, 1073 const struct user_regset *regset, 1074 struct membuf to) 1075 { 1076 long ctrl = get_tagged_addr_ctrl(target); 1077 1078 if (IS_ERR_VALUE(ctrl)) 1079 return ctrl; 1080 1081 return membuf_write(&to, &ctrl, sizeof(ctrl)); 1082 } 1083 1084 static int tagged_addr_ctrl_set(struct task_struct *target, const struct 1085 user_regset *regset, unsigned int pos, 1086 unsigned int count, const void *kbuf, const 1087 void __user *ubuf) 1088 { 1089 int ret; 1090 long ctrl; 1091 1092 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl, 0, -1); 1093 if (ret) 1094 return ret; 1095 1096 return set_tagged_addr_ctrl(target, ctrl); 1097 } 1098 #endif 1099 1100 enum aarch64_regset { 1101 REGSET_GPR, 1102 REGSET_FPR, 1103 REGSET_TLS, 1104 #ifdef CONFIG_HAVE_HW_BREAKPOINT 1105 REGSET_HW_BREAK, 1106 REGSET_HW_WATCH, 1107 #endif 1108 REGSET_SYSTEM_CALL, 1109 #ifdef CONFIG_ARM64_SVE 1110 REGSET_SVE, 1111 #endif 1112 #ifdef CONFIG_ARM64_PTR_AUTH 1113 REGSET_PAC_MASK, 1114 REGSET_PAC_ENABLED_KEYS, 1115 #ifdef CONFIG_CHECKPOINT_RESTORE 1116 REGSET_PACA_KEYS, 1117 REGSET_PACG_KEYS, 1118 #endif 1119 #endif 1120 #ifdef CONFIG_ARM64_TAGGED_ADDR_ABI 1121 REGSET_TAGGED_ADDR_CTRL, 1122 #endif 1123 }; 1124 1125 static const struct user_regset aarch64_regsets[] = { 1126 [REGSET_GPR] = { 1127 .core_note_type = NT_PRSTATUS, 1128 .n = sizeof(struct user_pt_regs) / sizeof(u64), 1129 .size = sizeof(u64), 1130 .align = sizeof(u64), 1131 .regset_get = gpr_get, 1132 .set = gpr_set 1133 }, 1134 [REGSET_FPR] = { 1135 .core_note_type = NT_PRFPREG, 1136 .n = sizeof(struct user_fpsimd_state) / sizeof(u32), 1137 /* 1138 * We pretend we have 32-bit registers because the fpsr and 1139 * fpcr are 32-bits wide. 1140 */ 1141 .size = sizeof(u32), 1142 .align = sizeof(u32), 1143 .active = fpr_active, 1144 .regset_get = fpr_get, 1145 .set = fpr_set 1146 }, 1147 [REGSET_TLS] = { 1148 .core_note_type = NT_ARM_TLS, 1149 .n = 1, 1150 .size = sizeof(void *), 1151 .align = sizeof(void *), 1152 .regset_get = tls_get, 1153 .set = tls_set, 1154 }, 1155 #ifdef CONFIG_HAVE_HW_BREAKPOINT 1156 [REGSET_HW_BREAK] = { 1157 .core_note_type = NT_ARM_HW_BREAK, 1158 .n = sizeof(struct user_hwdebug_state) / sizeof(u32), 1159 .size = sizeof(u32), 1160 .align = sizeof(u32), 1161 .regset_get = hw_break_get, 1162 .set = hw_break_set, 1163 }, 1164 [REGSET_HW_WATCH] = { 1165 .core_note_type = NT_ARM_HW_WATCH, 1166 .n = sizeof(struct user_hwdebug_state) / sizeof(u32), 1167 .size = sizeof(u32), 1168 .align = sizeof(u32), 1169 .regset_get = hw_break_get, 1170 .set = hw_break_set, 1171 }, 1172 #endif 1173 [REGSET_SYSTEM_CALL] = { 1174 .core_note_type = NT_ARM_SYSTEM_CALL, 1175 .n = 1, 1176 .size = sizeof(int), 1177 .align = sizeof(int), 1178 .regset_get = system_call_get, 1179 .set = system_call_set, 1180 }, 1181 #ifdef CONFIG_ARM64_SVE 1182 [REGSET_SVE] = { /* Scalable Vector Extension */ 1183 .core_note_type = NT_ARM_SVE, 1184 .n = DIV_ROUND_UP(SVE_PT_SIZE(SVE_VQ_MAX, SVE_PT_REGS_SVE), 1185 SVE_VQ_BYTES), 1186 .size = SVE_VQ_BYTES, 1187 .align = SVE_VQ_BYTES, 1188 .regset_get = sve_get, 1189 .set = sve_set, 1190 }, 1191 #endif 1192 #ifdef CONFIG_ARM64_PTR_AUTH 1193 [REGSET_PAC_MASK] = { 1194 .core_note_type = NT_ARM_PAC_MASK, 1195 .n = sizeof(struct user_pac_mask) / sizeof(u64), 1196 .size = sizeof(u64), 1197 .align = sizeof(u64), 1198 .regset_get = pac_mask_get, 1199 /* this cannot be set dynamically */ 1200 }, 1201 [REGSET_PAC_ENABLED_KEYS] = { 1202 .core_note_type = NT_ARM_PAC_ENABLED_KEYS, 1203 .n = 1, 1204 .size = sizeof(long), 1205 .align = sizeof(long), 1206 .regset_get = pac_enabled_keys_get, 1207 .set = pac_enabled_keys_set, 1208 }, 1209 #ifdef CONFIG_CHECKPOINT_RESTORE 1210 [REGSET_PACA_KEYS] = { 1211 .core_note_type = NT_ARM_PACA_KEYS, 1212 .n = sizeof(struct user_pac_address_keys) / sizeof(__uint128_t), 1213 .size = sizeof(__uint128_t), 1214 .align = sizeof(__uint128_t), 1215 .regset_get = pac_address_keys_get, 1216 .set = pac_address_keys_set, 1217 }, 1218 [REGSET_PACG_KEYS] = { 1219 .core_note_type = NT_ARM_PACG_KEYS, 1220 .n = sizeof(struct user_pac_generic_keys) / sizeof(__uint128_t), 1221 .size = sizeof(__uint128_t), 1222 .align = sizeof(__uint128_t), 1223 .regset_get = pac_generic_keys_get, 1224 .set = pac_generic_keys_set, 1225 }, 1226 #endif 1227 #endif 1228 #ifdef CONFIG_ARM64_TAGGED_ADDR_ABI 1229 [REGSET_TAGGED_ADDR_CTRL] = { 1230 .core_note_type = NT_ARM_TAGGED_ADDR_CTRL, 1231 .n = 1, 1232 .size = sizeof(long), 1233 .align = sizeof(long), 1234 .regset_get = tagged_addr_ctrl_get, 1235 .set = tagged_addr_ctrl_set, 1236 }, 1237 #endif 1238 }; 1239 1240 static const struct user_regset_view user_aarch64_view = { 1241 .name = "aarch64", .e_machine = EM_AARCH64, 1242 .regsets = aarch64_regsets, .n = ARRAY_SIZE(aarch64_regsets) 1243 }; 1244 1245 #ifdef CONFIG_COMPAT 1246 enum compat_regset { 1247 REGSET_COMPAT_GPR, 1248 REGSET_COMPAT_VFP, 1249 }; 1250 1251 static inline compat_ulong_t compat_get_user_reg(struct task_struct *task, int idx) 1252 { 1253 struct pt_regs *regs = task_pt_regs(task); 1254 1255 switch (idx) { 1256 case 15: 1257 return regs->pc; 1258 case 16: 1259 return pstate_to_compat_psr(regs->pstate); 1260 case 17: 1261 return regs->orig_x0; 1262 default: 1263 return regs->regs[idx]; 1264 } 1265 } 1266 1267 static int compat_gpr_get(struct task_struct *target, 1268 const struct user_regset *regset, 1269 struct membuf to) 1270 { 1271 int i = 0; 1272 1273 while (to.left) 1274 membuf_store(&to, compat_get_user_reg(target, i++)); 1275 return 0; 1276 } 1277 1278 static int compat_gpr_set(struct task_struct *target, 1279 const struct user_regset *regset, 1280 unsigned int pos, unsigned int count, 1281 const void *kbuf, const void __user *ubuf) 1282 { 1283 struct pt_regs newregs; 1284 int ret = 0; 1285 unsigned int i, start, num_regs; 1286 1287 /* Calculate the number of AArch32 registers contained in count */ 1288 num_regs = count / regset->size; 1289 1290 /* Convert pos into an register number */ 1291 start = pos / regset->size; 1292 1293 if (start + num_regs > regset->n) 1294 return -EIO; 1295 1296 newregs = *task_pt_regs(target); 1297 1298 for (i = 0; i < num_regs; ++i) { 1299 unsigned int idx = start + i; 1300 compat_ulong_t reg; 1301 1302 if (kbuf) { 1303 memcpy(®, kbuf, sizeof(reg)); 1304 kbuf += sizeof(reg); 1305 } else { 1306 ret = copy_from_user(®, ubuf, sizeof(reg)); 1307 if (ret) { 1308 ret = -EFAULT; 1309 break; 1310 } 1311 1312 ubuf += sizeof(reg); 1313 } 1314 1315 switch (idx) { 1316 case 15: 1317 newregs.pc = reg; 1318 break; 1319 case 16: 1320 reg = compat_psr_to_pstate(reg); 1321 newregs.pstate = reg; 1322 break; 1323 case 17: 1324 newregs.orig_x0 = reg; 1325 break; 1326 default: 1327 newregs.regs[idx] = reg; 1328 } 1329 1330 } 1331 1332 if (valid_user_regs(&newregs.user_regs, target)) 1333 *task_pt_regs(target) = newregs; 1334 else 1335 ret = -EINVAL; 1336 1337 return ret; 1338 } 1339 1340 static int compat_vfp_get(struct task_struct *target, 1341 const struct user_regset *regset, 1342 struct membuf to) 1343 { 1344 struct user_fpsimd_state *uregs; 1345 compat_ulong_t fpscr; 1346 1347 if (!system_supports_fpsimd()) 1348 return -EINVAL; 1349 1350 uregs = &target->thread.uw.fpsimd_state; 1351 1352 if (target == current) 1353 fpsimd_preserve_current_state(); 1354 1355 /* 1356 * The VFP registers are packed into the fpsimd_state, so they all sit 1357 * nicely together for us. We just need to create the fpscr separately. 1358 */ 1359 membuf_write(&to, uregs, VFP_STATE_SIZE - sizeof(compat_ulong_t)); 1360 fpscr = (uregs->fpsr & VFP_FPSCR_STAT_MASK) | 1361 (uregs->fpcr & VFP_FPSCR_CTRL_MASK); 1362 return membuf_store(&to, fpscr); 1363 } 1364 1365 static int compat_vfp_set(struct task_struct *target, 1366 const struct user_regset *regset, 1367 unsigned int pos, unsigned int count, 1368 const void *kbuf, const void __user *ubuf) 1369 { 1370 struct user_fpsimd_state *uregs; 1371 compat_ulong_t fpscr; 1372 int ret, vregs_end_pos; 1373 1374 if (!system_supports_fpsimd()) 1375 return -EINVAL; 1376 1377 uregs = &target->thread.uw.fpsimd_state; 1378 1379 vregs_end_pos = VFP_STATE_SIZE - sizeof(compat_ulong_t); 1380 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, uregs, 0, 1381 vregs_end_pos); 1382 1383 if (count && !ret) { 1384 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &fpscr, 1385 vregs_end_pos, VFP_STATE_SIZE); 1386 if (!ret) { 1387 uregs->fpsr = fpscr & VFP_FPSCR_STAT_MASK; 1388 uregs->fpcr = fpscr & VFP_FPSCR_CTRL_MASK; 1389 } 1390 } 1391 1392 fpsimd_flush_task_state(target); 1393 return ret; 1394 } 1395 1396 static int compat_tls_get(struct task_struct *target, 1397 const struct user_regset *regset, 1398 struct membuf to) 1399 { 1400 return membuf_store(&to, (compat_ulong_t)target->thread.uw.tp_value); 1401 } 1402 1403 static int compat_tls_set(struct task_struct *target, 1404 const struct user_regset *regset, unsigned int pos, 1405 unsigned int count, const void *kbuf, 1406 const void __user *ubuf) 1407 { 1408 int ret; 1409 compat_ulong_t tls = target->thread.uw.tp_value; 1410 1411 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1); 1412 if (ret) 1413 return ret; 1414 1415 target->thread.uw.tp_value = tls; 1416 return ret; 1417 } 1418 1419 static const struct user_regset aarch32_regsets[] = { 1420 [REGSET_COMPAT_GPR] = { 1421 .core_note_type = NT_PRSTATUS, 1422 .n = COMPAT_ELF_NGREG, 1423 .size = sizeof(compat_elf_greg_t), 1424 .align = sizeof(compat_elf_greg_t), 1425 .regset_get = compat_gpr_get, 1426 .set = compat_gpr_set 1427 }, 1428 [REGSET_COMPAT_VFP] = { 1429 .core_note_type = NT_ARM_VFP, 1430 .n = VFP_STATE_SIZE / sizeof(compat_ulong_t), 1431 .size = sizeof(compat_ulong_t), 1432 .align = sizeof(compat_ulong_t), 1433 .active = fpr_active, 1434 .regset_get = compat_vfp_get, 1435 .set = compat_vfp_set 1436 }, 1437 }; 1438 1439 static const struct user_regset_view user_aarch32_view = { 1440 .name = "aarch32", .e_machine = EM_ARM, 1441 .regsets = aarch32_regsets, .n = ARRAY_SIZE(aarch32_regsets) 1442 }; 1443 1444 static const struct user_regset aarch32_ptrace_regsets[] = { 1445 [REGSET_GPR] = { 1446 .core_note_type = NT_PRSTATUS, 1447 .n = COMPAT_ELF_NGREG, 1448 .size = sizeof(compat_elf_greg_t), 1449 .align = sizeof(compat_elf_greg_t), 1450 .regset_get = compat_gpr_get, 1451 .set = compat_gpr_set 1452 }, 1453 [REGSET_FPR] = { 1454 .core_note_type = NT_ARM_VFP, 1455 .n = VFP_STATE_SIZE / sizeof(compat_ulong_t), 1456 .size = sizeof(compat_ulong_t), 1457 .align = sizeof(compat_ulong_t), 1458 .regset_get = compat_vfp_get, 1459 .set = compat_vfp_set 1460 }, 1461 [REGSET_TLS] = { 1462 .core_note_type = NT_ARM_TLS, 1463 .n = 1, 1464 .size = sizeof(compat_ulong_t), 1465 .align = sizeof(compat_ulong_t), 1466 .regset_get = compat_tls_get, 1467 .set = compat_tls_set, 1468 }, 1469 #ifdef CONFIG_HAVE_HW_BREAKPOINT 1470 [REGSET_HW_BREAK] = { 1471 .core_note_type = NT_ARM_HW_BREAK, 1472 .n = sizeof(struct user_hwdebug_state) / sizeof(u32), 1473 .size = sizeof(u32), 1474 .align = sizeof(u32), 1475 .regset_get = hw_break_get, 1476 .set = hw_break_set, 1477 }, 1478 [REGSET_HW_WATCH] = { 1479 .core_note_type = NT_ARM_HW_WATCH, 1480 .n = sizeof(struct user_hwdebug_state) / sizeof(u32), 1481 .size = sizeof(u32), 1482 .align = sizeof(u32), 1483 .regset_get = hw_break_get, 1484 .set = hw_break_set, 1485 }, 1486 #endif 1487 [REGSET_SYSTEM_CALL] = { 1488 .core_note_type = NT_ARM_SYSTEM_CALL, 1489 .n = 1, 1490 .size = sizeof(int), 1491 .align = sizeof(int), 1492 .regset_get = system_call_get, 1493 .set = system_call_set, 1494 }, 1495 }; 1496 1497 static const struct user_regset_view user_aarch32_ptrace_view = { 1498 .name = "aarch32", .e_machine = EM_ARM, 1499 .regsets = aarch32_ptrace_regsets, .n = ARRAY_SIZE(aarch32_ptrace_regsets) 1500 }; 1501 1502 static int compat_ptrace_read_user(struct task_struct *tsk, compat_ulong_t off, 1503 compat_ulong_t __user *ret) 1504 { 1505 compat_ulong_t tmp; 1506 1507 if (off & 3) 1508 return -EIO; 1509 1510 if (off == COMPAT_PT_TEXT_ADDR) 1511 tmp = tsk->mm->start_code; 1512 else if (off == COMPAT_PT_DATA_ADDR) 1513 tmp = tsk->mm->start_data; 1514 else if (off == COMPAT_PT_TEXT_END_ADDR) 1515 tmp = tsk->mm->end_code; 1516 else if (off < sizeof(compat_elf_gregset_t)) 1517 tmp = compat_get_user_reg(tsk, off >> 2); 1518 else if (off >= COMPAT_USER_SZ) 1519 return -EIO; 1520 else 1521 tmp = 0; 1522 1523 return put_user(tmp, ret); 1524 } 1525 1526 static int compat_ptrace_write_user(struct task_struct *tsk, compat_ulong_t off, 1527 compat_ulong_t val) 1528 { 1529 struct pt_regs newregs = *task_pt_regs(tsk); 1530 unsigned int idx = off / 4; 1531 1532 if (off & 3 || off >= COMPAT_USER_SZ) 1533 return -EIO; 1534 1535 if (off >= sizeof(compat_elf_gregset_t)) 1536 return 0; 1537 1538 switch (idx) { 1539 case 15: 1540 newregs.pc = val; 1541 break; 1542 case 16: 1543 newregs.pstate = compat_psr_to_pstate(val); 1544 break; 1545 case 17: 1546 newregs.orig_x0 = val; 1547 break; 1548 default: 1549 newregs.regs[idx] = val; 1550 } 1551 1552 if (!valid_user_regs(&newregs.user_regs, tsk)) 1553 return -EINVAL; 1554 1555 *task_pt_regs(tsk) = newregs; 1556 return 0; 1557 } 1558 1559 #ifdef CONFIG_HAVE_HW_BREAKPOINT 1560 1561 /* 1562 * Convert a virtual register number into an index for a thread_info 1563 * breakpoint array. Breakpoints are identified using positive numbers 1564 * whilst watchpoints are negative. The registers are laid out as pairs 1565 * of (address, control), each pair mapping to a unique hw_breakpoint struct. 1566 * Register 0 is reserved for describing resource information. 1567 */ 1568 static int compat_ptrace_hbp_num_to_idx(compat_long_t num) 1569 { 1570 return (abs(num) - 1) >> 1; 1571 } 1572 1573 static int compat_ptrace_hbp_get_resource_info(u32 *kdata) 1574 { 1575 u8 num_brps, num_wrps, debug_arch, wp_len; 1576 u32 reg = 0; 1577 1578 num_brps = hw_breakpoint_slots(TYPE_INST); 1579 num_wrps = hw_breakpoint_slots(TYPE_DATA); 1580 1581 debug_arch = debug_monitors_arch(); 1582 wp_len = 8; 1583 reg |= debug_arch; 1584 reg <<= 8; 1585 reg |= wp_len; 1586 reg <<= 8; 1587 reg |= num_wrps; 1588 reg <<= 8; 1589 reg |= num_brps; 1590 1591 *kdata = reg; 1592 return 0; 1593 } 1594 1595 static int compat_ptrace_hbp_get(unsigned int note_type, 1596 struct task_struct *tsk, 1597 compat_long_t num, 1598 u32 *kdata) 1599 { 1600 u64 addr = 0; 1601 u32 ctrl = 0; 1602 1603 int err, idx = compat_ptrace_hbp_num_to_idx(num); 1604 1605 if (num & 1) { 1606 err = ptrace_hbp_get_addr(note_type, tsk, idx, &addr); 1607 *kdata = (u32)addr; 1608 } else { 1609 err = ptrace_hbp_get_ctrl(note_type, tsk, idx, &ctrl); 1610 *kdata = ctrl; 1611 } 1612 1613 return err; 1614 } 1615 1616 static int compat_ptrace_hbp_set(unsigned int note_type, 1617 struct task_struct *tsk, 1618 compat_long_t num, 1619 u32 *kdata) 1620 { 1621 u64 addr; 1622 u32 ctrl; 1623 1624 int err, idx = compat_ptrace_hbp_num_to_idx(num); 1625 1626 if (num & 1) { 1627 addr = *kdata; 1628 err = ptrace_hbp_set_addr(note_type, tsk, idx, addr); 1629 } else { 1630 ctrl = *kdata; 1631 err = ptrace_hbp_set_ctrl(note_type, tsk, idx, ctrl); 1632 } 1633 1634 return err; 1635 } 1636 1637 static int compat_ptrace_gethbpregs(struct task_struct *tsk, compat_long_t num, 1638 compat_ulong_t __user *data) 1639 { 1640 int ret; 1641 u32 kdata; 1642 1643 /* Watchpoint */ 1644 if (num < 0) { 1645 ret = compat_ptrace_hbp_get(NT_ARM_HW_WATCH, tsk, num, &kdata); 1646 /* Resource info */ 1647 } else if (num == 0) { 1648 ret = compat_ptrace_hbp_get_resource_info(&kdata); 1649 /* Breakpoint */ 1650 } else { 1651 ret = compat_ptrace_hbp_get(NT_ARM_HW_BREAK, tsk, num, &kdata); 1652 } 1653 1654 if (!ret) 1655 ret = put_user(kdata, data); 1656 1657 return ret; 1658 } 1659 1660 static int compat_ptrace_sethbpregs(struct task_struct *tsk, compat_long_t num, 1661 compat_ulong_t __user *data) 1662 { 1663 int ret; 1664 u32 kdata = 0; 1665 1666 if (num == 0) 1667 return 0; 1668 1669 ret = get_user(kdata, data); 1670 if (ret) 1671 return ret; 1672 1673 if (num < 0) 1674 ret = compat_ptrace_hbp_set(NT_ARM_HW_WATCH, tsk, num, &kdata); 1675 else 1676 ret = compat_ptrace_hbp_set(NT_ARM_HW_BREAK, tsk, num, &kdata); 1677 1678 return ret; 1679 } 1680 #endif /* CONFIG_HAVE_HW_BREAKPOINT */ 1681 1682 long compat_arch_ptrace(struct task_struct *child, compat_long_t request, 1683 compat_ulong_t caddr, compat_ulong_t cdata) 1684 { 1685 unsigned long addr = caddr; 1686 unsigned long data = cdata; 1687 void __user *datap = compat_ptr(data); 1688 int ret; 1689 1690 switch (request) { 1691 case PTRACE_PEEKUSR: 1692 ret = compat_ptrace_read_user(child, addr, datap); 1693 break; 1694 1695 case PTRACE_POKEUSR: 1696 ret = compat_ptrace_write_user(child, addr, data); 1697 break; 1698 1699 case COMPAT_PTRACE_GETREGS: 1700 ret = copy_regset_to_user(child, 1701 &user_aarch32_view, 1702 REGSET_COMPAT_GPR, 1703 0, sizeof(compat_elf_gregset_t), 1704 datap); 1705 break; 1706 1707 case COMPAT_PTRACE_SETREGS: 1708 ret = copy_regset_from_user(child, 1709 &user_aarch32_view, 1710 REGSET_COMPAT_GPR, 1711 0, sizeof(compat_elf_gregset_t), 1712 datap); 1713 break; 1714 1715 case COMPAT_PTRACE_GET_THREAD_AREA: 1716 ret = put_user((compat_ulong_t)child->thread.uw.tp_value, 1717 (compat_ulong_t __user *)datap); 1718 break; 1719 1720 case COMPAT_PTRACE_SET_SYSCALL: 1721 task_pt_regs(child)->syscallno = data; 1722 ret = 0; 1723 break; 1724 1725 case COMPAT_PTRACE_GETVFPREGS: 1726 ret = copy_regset_to_user(child, 1727 &user_aarch32_view, 1728 REGSET_COMPAT_VFP, 1729 0, VFP_STATE_SIZE, 1730 datap); 1731 break; 1732 1733 case COMPAT_PTRACE_SETVFPREGS: 1734 ret = copy_regset_from_user(child, 1735 &user_aarch32_view, 1736 REGSET_COMPAT_VFP, 1737 0, VFP_STATE_SIZE, 1738 datap); 1739 break; 1740 1741 #ifdef CONFIG_HAVE_HW_BREAKPOINT 1742 case COMPAT_PTRACE_GETHBPREGS: 1743 ret = compat_ptrace_gethbpregs(child, addr, datap); 1744 break; 1745 1746 case COMPAT_PTRACE_SETHBPREGS: 1747 ret = compat_ptrace_sethbpregs(child, addr, datap); 1748 break; 1749 #endif 1750 1751 default: 1752 ret = compat_ptrace_request(child, request, addr, 1753 data); 1754 break; 1755 } 1756 1757 return ret; 1758 } 1759 #endif /* CONFIG_COMPAT */ 1760 1761 const struct user_regset_view *task_user_regset_view(struct task_struct *task) 1762 { 1763 #ifdef CONFIG_COMPAT 1764 /* 1765 * Core dumping of 32-bit tasks or compat ptrace requests must use the 1766 * user_aarch32_view compatible with arm32. Native ptrace requests on 1767 * 32-bit children use an extended user_aarch32_ptrace_view to allow 1768 * access to the TLS register. 1769 */ 1770 if (is_compat_task()) 1771 return &user_aarch32_view; 1772 else if (is_compat_thread(task_thread_info(task))) 1773 return &user_aarch32_ptrace_view; 1774 #endif 1775 return &user_aarch64_view; 1776 } 1777 1778 long arch_ptrace(struct task_struct *child, long request, 1779 unsigned long addr, unsigned long data) 1780 { 1781 switch (request) { 1782 case PTRACE_PEEKMTETAGS: 1783 case PTRACE_POKEMTETAGS: 1784 return mte_ptrace_copy_tags(child, request, addr, data); 1785 } 1786 1787 return ptrace_request(child, request, addr, data); 1788 } 1789 1790 enum ptrace_syscall_dir { 1791 PTRACE_SYSCALL_ENTER = 0, 1792 PTRACE_SYSCALL_EXIT, 1793 }; 1794 1795 static void tracehook_report_syscall(struct pt_regs *regs, 1796 enum ptrace_syscall_dir dir) 1797 { 1798 int regno; 1799 unsigned long saved_reg; 1800 1801 /* 1802 * We have some ABI weirdness here in the way that we handle syscall 1803 * exit stops because we indicate whether or not the stop has been 1804 * signalled from syscall entry or syscall exit by clobbering a general 1805 * purpose register (ip/r12 for AArch32, x7 for AArch64) in the tracee 1806 * and restoring its old value after the stop. This means that: 1807 * 1808 * - Any writes by the tracer to this register during the stop are 1809 * ignored/discarded. 1810 * 1811 * - The actual value of the register is not available during the stop, 1812 * so the tracer cannot save it and restore it later. 1813 * 1814 * - Syscall stops behave differently to seccomp and pseudo-step traps 1815 * (the latter do not nobble any registers). 1816 */ 1817 regno = (is_compat_task() ? 12 : 7); 1818 saved_reg = regs->regs[regno]; 1819 regs->regs[regno] = dir; 1820 1821 if (dir == PTRACE_SYSCALL_ENTER) { 1822 if (tracehook_report_syscall_entry(regs)) 1823 forget_syscall(regs); 1824 regs->regs[regno] = saved_reg; 1825 } else if (!test_thread_flag(TIF_SINGLESTEP)) { 1826 tracehook_report_syscall_exit(regs, 0); 1827 regs->regs[regno] = saved_reg; 1828 } else { 1829 regs->regs[regno] = saved_reg; 1830 1831 /* 1832 * Signal a pseudo-step exception since we are stepping but 1833 * tracer modifications to the registers may have rewound the 1834 * state machine. 1835 */ 1836 tracehook_report_syscall_exit(regs, 1); 1837 } 1838 } 1839 1840 int syscall_trace_enter(struct pt_regs *regs) 1841 { 1842 unsigned long flags = read_thread_flags(); 1843 1844 if (flags & (_TIF_SYSCALL_EMU | _TIF_SYSCALL_TRACE)) { 1845 tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); 1846 if (flags & _TIF_SYSCALL_EMU) 1847 return NO_SYSCALL; 1848 } 1849 1850 /* Do the secure computing after ptrace; failures should be fast. */ 1851 if (secure_computing() == -1) 1852 return NO_SYSCALL; 1853 1854 if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) 1855 trace_sys_enter(regs, regs->syscallno); 1856 1857 audit_syscall_entry(regs->syscallno, regs->orig_x0, regs->regs[1], 1858 regs->regs[2], regs->regs[3]); 1859 1860 return regs->syscallno; 1861 } 1862 1863 void syscall_trace_exit(struct pt_regs *regs) 1864 { 1865 unsigned long flags = read_thread_flags(); 1866 1867 audit_syscall_exit(regs); 1868 1869 if (flags & _TIF_SYSCALL_TRACEPOINT) 1870 trace_sys_exit(regs, syscall_get_return_value(current, regs)); 1871 1872 if (flags & (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP)) 1873 tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT); 1874 1875 rseq_syscall(regs); 1876 } 1877 1878 /* 1879 * SPSR_ELx bits which are always architecturally RES0 per ARM DDI 0487D.a. 1880 * We permit userspace to set SSBS (AArch64 bit 12, AArch32 bit 23) which is 1881 * not described in ARM DDI 0487D.a. 1882 * We treat PAN and UAO as RES0 bits, as they are meaningless at EL0, and may 1883 * be allocated an EL0 meaning in future. 1884 * Userspace cannot use these until they have an architectural meaning. 1885 * Note that this follows the SPSR_ELx format, not the AArch32 PSR format. 1886 * We also reserve IL for the kernel; SS is handled dynamically. 1887 */ 1888 #define SPSR_EL1_AARCH64_RES0_BITS \ 1889 (GENMASK_ULL(63, 32) | GENMASK_ULL(27, 26) | GENMASK_ULL(23, 22) | \ 1890 GENMASK_ULL(20, 13) | GENMASK_ULL(5, 5)) 1891 #define SPSR_EL1_AARCH32_RES0_BITS \ 1892 (GENMASK_ULL(63, 32) | GENMASK_ULL(22, 22) | GENMASK_ULL(20, 20)) 1893 1894 static int valid_compat_regs(struct user_pt_regs *regs) 1895 { 1896 regs->pstate &= ~SPSR_EL1_AARCH32_RES0_BITS; 1897 1898 if (!system_supports_mixed_endian_el0()) { 1899 if (IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)) 1900 regs->pstate |= PSR_AA32_E_BIT; 1901 else 1902 regs->pstate &= ~PSR_AA32_E_BIT; 1903 } 1904 1905 if (user_mode(regs) && (regs->pstate & PSR_MODE32_BIT) && 1906 (regs->pstate & PSR_AA32_A_BIT) == 0 && 1907 (regs->pstate & PSR_AA32_I_BIT) == 0 && 1908 (regs->pstate & PSR_AA32_F_BIT) == 0) { 1909 return 1; 1910 } 1911 1912 /* 1913 * Force PSR to a valid 32-bit EL0t, preserving the same bits as 1914 * arch/arm. 1915 */ 1916 regs->pstate &= PSR_AA32_N_BIT | PSR_AA32_Z_BIT | 1917 PSR_AA32_C_BIT | PSR_AA32_V_BIT | 1918 PSR_AA32_Q_BIT | PSR_AA32_IT_MASK | 1919 PSR_AA32_GE_MASK | PSR_AA32_E_BIT | 1920 PSR_AA32_T_BIT; 1921 regs->pstate |= PSR_MODE32_BIT; 1922 1923 return 0; 1924 } 1925 1926 static int valid_native_regs(struct user_pt_regs *regs) 1927 { 1928 regs->pstate &= ~SPSR_EL1_AARCH64_RES0_BITS; 1929 1930 if (user_mode(regs) && !(regs->pstate & PSR_MODE32_BIT) && 1931 (regs->pstate & PSR_D_BIT) == 0 && 1932 (regs->pstate & PSR_A_BIT) == 0 && 1933 (regs->pstate & PSR_I_BIT) == 0 && 1934 (regs->pstate & PSR_F_BIT) == 0) { 1935 return 1; 1936 } 1937 1938 /* Force PSR to a valid 64-bit EL0t */ 1939 regs->pstate &= PSR_N_BIT | PSR_Z_BIT | PSR_C_BIT | PSR_V_BIT; 1940 1941 return 0; 1942 } 1943 1944 /* 1945 * Are the current registers suitable for user mode? (used to maintain 1946 * security in signal handlers) 1947 */ 1948 int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task) 1949 { 1950 /* https://lore.kernel.org/lkml/20191118131525.GA4180@willie-the-truck */ 1951 user_regs_reset_single_step(regs, task); 1952 1953 if (is_compat_thread(task_thread_info(task))) 1954 return valid_compat_regs(regs); 1955 else 1956 return valid_native_regs(regs); 1957 } 1958