1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Based on arch/arm/kernel/ptrace.c 4 * 5 * By Ross Biro 1/23/92 6 * edited by Linus Torvalds 7 * ARM modifications Copyright (C) 2000 Russell King 8 * Copyright (C) 2012 ARM Ltd. 9 */ 10 11 #include <linux/audit.h> 12 #include <linux/compat.h> 13 #include <linux/kernel.h> 14 #include <linux/sched/signal.h> 15 #include <linux/sched/task_stack.h> 16 #include <linux/mm.h> 17 #include <linux/nospec.h> 18 #include <linux/smp.h> 19 #include <linux/ptrace.h> 20 #include <linux/user.h> 21 #include <linux/seccomp.h> 22 #include <linux/security.h> 23 #include <linux/init.h> 24 #include <linux/signal.h> 25 #include <linux/string.h> 26 #include <linux/uaccess.h> 27 #include <linux/perf_event.h> 28 #include <linux/hw_breakpoint.h> 29 #include <linux/regset.h> 30 #include <linux/tracehook.h> 31 #include <linux/elf.h> 32 33 #include <asm/compat.h> 34 #include <asm/cpufeature.h> 35 #include <asm/debug-monitors.h> 36 #include <asm/fpsimd.h> 37 #include <asm/mte.h> 38 #include <asm/pointer_auth.h> 39 #include <asm/stacktrace.h> 40 #include <asm/syscall.h> 41 #include <asm/traps.h> 42 #include <asm/system_misc.h> 43 44 #define CREATE_TRACE_POINTS 45 #include <trace/events/syscalls.h> 46 47 struct pt_regs_offset { 48 const char *name; 49 int offset; 50 }; 51 52 #define REG_OFFSET_NAME(r) {.name = #r, .offset = offsetof(struct pt_regs, r)} 53 #define REG_OFFSET_END {.name = NULL, .offset = 0} 54 #define GPR_OFFSET_NAME(r) \ 55 {.name = "x" #r, .offset = offsetof(struct pt_regs, regs[r])} 56 57 static const struct pt_regs_offset regoffset_table[] = { 58 GPR_OFFSET_NAME(0), 59 GPR_OFFSET_NAME(1), 60 GPR_OFFSET_NAME(2), 61 GPR_OFFSET_NAME(3), 62 GPR_OFFSET_NAME(4), 63 GPR_OFFSET_NAME(5), 64 GPR_OFFSET_NAME(6), 65 GPR_OFFSET_NAME(7), 66 GPR_OFFSET_NAME(8), 67 GPR_OFFSET_NAME(9), 68 GPR_OFFSET_NAME(10), 69 GPR_OFFSET_NAME(11), 70 GPR_OFFSET_NAME(12), 71 GPR_OFFSET_NAME(13), 72 GPR_OFFSET_NAME(14), 73 GPR_OFFSET_NAME(15), 74 GPR_OFFSET_NAME(16), 75 GPR_OFFSET_NAME(17), 76 GPR_OFFSET_NAME(18), 77 GPR_OFFSET_NAME(19), 78 GPR_OFFSET_NAME(20), 79 GPR_OFFSET_NAME(21), 80 GPR_OFFSET_NAME(22), 81 GPR_OFFSET_NAME(23), 82 GPR_OFFSET_NAME(24), 83 GPR_OFFSET_NAME(25), 84 GPR_OFFSET_NAME(26), 85 GPR_OFFSET_NAME(27), 86 GPR_OFFSET_NAME(28), 87 GPR_OFFSET_NAME(29), 88 GPR_OFFSET_NAME(30), 89 {.name = "lr", .offset = offsetof(struct pt_regs, regs[30])}, 90 REG_OFFSET_NAME(sp), 91 REG_OFFSET_NAME(pc), 92 REG_OFFSET_NAME(pstate), 93 REG_OFFSET_END, 94 }; 95 96 /** 97 * regs_query_register_offset() - query register offset from its name 98 * @name: the name of a register 99 * 100 * regs_query_register_offset() returns the offset of a register in struct 101 * pt_regs from its name. If the name is invalid, this returns -EINVAL; 102 */ 103 int regs_query_register_offset(const char *name) 104 { 105 const struct pt_regs_offset *roff; 106 107 for (roff = regoffset_table; roff->name != NULL; roff++) 108 if (!strcmp(roff->name, name)) 109 return roff->offset; 110 return -EINVAL; 111 } 112 113 /** 114 * regs_within_kernel_stack() - check the address in the stack 115 * @regs: pt_regs which contains kernel stack pointer. 116 * @addr: address which is checked. 117 * 118 * regs_within_kernel_stack() checks @addr is within the kernel stack page(s). 119 * If @addr is within the kernel stack, it returns true. If not, returns false. 120 */ 121 static bool regs_within_kernel_stack(struct pt_regs *regs, unsigned long addr) 122 { 123 return ((addr & ~(THREAD_SIZE - 1)) == 124 (kernel_stack_pointer(regs) & ~(THREAD_SIZE - 1))) || 125 on_irq_stack(addr, sizeof(unsigned long), NULL); 126 } 127 128 /** 129 * regs_get_kernel_stack_nth() - get Nth entry of the stack 130 * @regs: pt_regs which contains kernel stack pointer. 131 * @n: stack entry number. 132 * 133 * regs_get_kernel_stack_nth() returns @n th entry of the kernel stack which 134 * is specified by @regs. If the @n th entry is NOT in the kernel stack, 135 * this returns 0. 136 */ 137 unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs, unsigned int n) 138 { 139 unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs); 140 141 addr += n; 142 if (regs_within_kernel_stack(regs, (unsigned long)addr)) 143 return *addr; 144 else 145 return 0; 146 } 147 148 /* 149 * TODO: does not yet catch signals sent when the child dies. 150 * in exit.c or in signal.c. 151 */ 152 153 /* 154 * Called by kernel/ptrace.c when detaching.. 155 */ 156 void ptrace_disable(struct task_struct *child) 157 { 158 /* 159 * This would be better off in core code, but PTRACE_DETACH has 160 * grown its fair share of arch-specific worts and changing it 161 * is likely to cause regressions on obscure architectures. 162 */ 163 user_disable_single_step(child); 164 } 165 166 #ifdef CONFIG_HAVE_HW_BREAKPOINT 167 /* 168 * Handle hitting a HW-breakpoint. 169 */ 170 static void ptrace_hbptriggered(struct perf_event *bp, 171 struct perf_sample_data *data, 172 struct pt_regs *regs) 173 { 174 struct arch_hw_breakpoint *bkpt = counter_arch_bp(bp); 175 const char *desc = "Hardware breakpoint trap (ptrace)"; 176 177 #ifdef CONFIG_COMPAT 178 if (is_compat_task()) { 179 int si_errno = 0; 180 int i; 181 182 for (i = 0; i < ARM_MAX_BRP; ++i) { 183 if (current->thread.debug.hbp_break[i] == bp) { 184 si_errno = (i << 1) + 1; 185 break; 186 } 187 } 188 189 for (i = 0; i < ARM_MAX_WRP; ++i) { 190 if (current->thread.debug.hbp_watch[i] == bp) { 191 si_errno = -((i << 1) + 1); 192 break; 193 } 194 } 195 arm64_force_sig_ptrace_errno_trap(si_errno, bkpt->trigger, 196 desc); 197 return; 198 } 199 #endif 200 arm64_force_sig_fault(SIGTRAP, TRAP_HWBKPT, bkpt->trigger, desc); 201 } 202 203 /* 204 * Unregister breakpoints from this task and reset the pointers in 205 * the thread_struct. 206 */ 207 void flush_ptrace_hw_breakpoint(struct task_struct *tsk) 208 { 209 int i; 210 struct thread_struct *t = &tsk->thread; 211 212 for (i = 0; i < ARM_MAX_BRP; i++) { 213 if (t->debug.hbp_break[i]) { 214 unregister_hw_breakpoint(t->debug.hbp_break[i]); 215 t->debug.hbp_break[i] = NULL; 216 } 217 } 218 219 for (i = 0; i < ARM_MAX_WRP; i++) { 220 if (t->debug.hbp_watch[i]) { 221 unregister_hw_breakpoint(t->debug.hbp_watch[i]); 222 t->debug.hbp_watch[i] = NULL; 223 } 224 } 225 } 226 227 void ptrace_hw_copy_thread(struct task_struct *tsk) 228 { 229 memset(&tsk->thread.debug, 0, sizeof(struct debug_info)); 230 } 231 232 static struct perf_event *ptrace_hbp_get_event(unsigned int note_type, 233 struct task_struct *tsk, 234 unsigned long idx) 235 { 236 struct perf_event *bp = ERR_PTR(-EINVAL); 237 238 switch (note_type) { 239 case NT_ARM_HW_BREAK: 240 if (idx >= ARM_MAX_BRP) 241 goto out; 242 idx = array_index_nospec(idx, ARM_MAX_BRP); 243 bp = tsk->thread.debug.hbp_break[idx]; 244 break; 245 case NT_ARM_HW_WATCH: 246 if (idx >= ARM_MAX_WRP) 247 goto out; 248 idx = array_index_nospec(idx, ARM_MAX_WRP); 249 bp = tsk->thread.debug.hbp_watch[idx]; 250 break; 251 } 252 253 out: 254 return bp; 255 } 256 257 static int ptrace_hbp_set_event(unsigned int note_type, 258 struct task_struct *tsk, 259 unsigned long idx, 260 struct perf_event *bp) 261 { 262 int err = -EINVAL; 263 264 switch (note_type) { 265 case NT_ARM_HW_BREAK: 266 if (idx >= ARM_MAX_BRP) 267 goto out; 268 idx = array_index_nospec(idx, ARM_MAX_BRP); 269 tsk->thread.debug.hbp_break[idx] = bp; 270 err = 0; 271 break; 272 case NT_ARM_HW_WATCH: 273 if (idx >= ARM_MAX_WRP) 274 goto out; 275 idx = array_index_nospec(idx, ARM_MAX_WRP); 276 tsk->thread.debug.hbp_watch[idx] = bp; 277 err = 0; 278 break; 279 } 280 281 out: 282 return err; 283 } 284 285 static struct perf_event *ptrace_hbp_create(unsigned int note_type, 286 struct task_struct *tsk, 287 unsigned long idx) 288 { 289 struct perf_event *bp; 290 struct perf_event_attr attr; 291 int err, type; 292 293 switch (note_type) { 294 case NT_ARM_HW_BREAK: 295 type = HW_BREAKPOINT_X; 296 break; 297 case NT_ARM_HW_WATCH: 298 type = HW_BREAKPOINT_RW; 299 break; 300 default: 301 return ERR_PTR(-EINVAL); 302 } 303 304 ptrace_breakpoint_init(&attr); 305 306 /* 307 * Initialise fields to sane defaults 308 * (i.e. values that will pass validation). 309 */ 310 attr.bp_addr = 0; 311 attr.bp_len = HW_BREAKPOINT_LEN_4; 312 attr.bp_type = type; 313 attr.disabled = 1; 314 315 bp = register_user_hw_breakpoint(&attr, ptrace_hbptriggered, NULL, tsk); 316 if (IS_ERR(bp)) 317 return bp; 318 319 err = ptrace_hbp_set_event(note_type, tsk, idx, bp); 320 if (err) 321 return ERR_PTR(err); 322 323 return bp; 324 } 325 326 static int ptrace_hbp_fill_attr_ctrl(unsigned int note_type, 327 struct arch_hw_breakpoint_ctrl ctrl, 328 struct perf_event_attr *attr) 329 { 330 int err, len, type, offset, disabled = !ctrl.enabled; 331 332 attr->disabled = disabled; 333 if (disabled) 334 return 0; 335 336 err = arch_bp_generic_fields(ctrl, &len, &type, &offset); 337 if (err) 338 return err; 339 340 switch (note_type) { 341 case NT_ARM_HW_BREAK: 342 if ((type & HW_BREAKPOINT_X) != type) 343 return -EINVAL; 344 break; 345 case NT_ARM_HW_WATCH: 346 if ((type & HW_BREAKPOINT_RW) != type) 347 return -EINVAL; 348 break; 349 default: 350 return -EINVAL; 351 } 352 353 attr->bp_len = len; 354 attr->bp_type = type; 355 attr->bp_addr += offset; 356 357 return 0; 358 } 359 360 static int ptrace_hbp_get_resource_info(unsigned int note_type, u32 *info) 361 { 362 u8 num; 363 u32 reg = 0; 364 365 switch (note_type) { 366 case NT_ARM_HW_BREAK: 367 num = hw_breakpoint_slots(TYPE_INST); 368 break; 369 case NT_ARM_HW_WATCH: 370 num = hw_breakpoint_slots(TYPE_DATA); 371 break; 372 default: 373 return -EINVAL; 374 } 375 376 reg |= debug_monitors_arch(); 377 reg <<= 8; 378 reg |= num; 379 380 *info = reg; 381 return 0; 382 } 383 384 static int ptrace_hbp_get_ctrl(unsigned int note_type, 385 struct task_struct *tsk, 386 unsigned long idx, 387 u32 *ctrl) 388 { 389 struct perf_event *bp = ptrace_hbp_get_event(note_type, tsk, idx); 390 391 if (IS_ERR(bp)) 392 return PTR_ERR(bp); 393 394 *ctrl = bp ? encode_ctrl_reg(counter_arch_bp(bp)->ctrl) : 0; 395 return 0; 396 } 397 398 static int ptrace_hbp_get_addr(unsigned int note_type, 399 struct task_struct *tsk, 400 unsigned long idx, 401 u64 *addr) 402 { 403 struct perf_event *bp = ptrace_hbp_get_event(note_type, tsk, idx); 404 405 if (IS_ERR(bp)) 406 return PTR_ERR(bp); 407 408 *addr = bp ? counter_arch_bp(bp)->address : 0; 409 return 0; 410 } 411 412 static struct perf_event *ptrace_hbp_get_initialised_bp(unsigned int note_type, 413 struct task_struct *tsk, 414 unsigned long idx) 415 { 416 struct perf_event *bp = ptrace_hbp_get_event(note_type, tsk, idx); 417 418 if (!bp) 419 bp = ptrace_hbp_create(note_type, tsk, idx); 420 421 return bp; 422 } 423 424 static int ptrace_hbp_set_ctrl(unsigned int note_type, 425 struct task_struct *tsk, 426 unsigned long idx, 427 u32 uctrl) 428 { 429 int err; 430 struct perf_event *bp; 431 struct perf_event_attr attr; 432 struct arch_hw_breakpoint_ctrl ctrl; 433 434 bp = ptrace_hbp_get_initialised_bp(note_type, tsk, idx); 435 if (IS_ERR(bp)) { 436 err = PTR_ERR(bp); 437 return err; 438 } 439 440 attr = bp->attr; 441 decode_ctrl_reg(uctrl, &ctrl); 442 err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr); 443 if (err) 444 return err; 445 446 return modify_user_hw_breakpoint(bp, &attr); 447 } 448 449 static int ptrace_hbp_set_addr(unsigned int note_type, 450 struct task_struct *tsk, 451 unsigned long idx, 452 u64 addr) 453 { 454 int err; 455 struct perf_event *bp; 456 struct perf_event_attr attr; 457 458 bp = ptrace_hbp_get_initialised_bp(note_type, tsk, idx); 459 if (IS_ERR(bp)) { 460 err = PTR_ERR(bp); 461 return err; 462 } 463 464 attr = bp->attr; 465 attr.bp_addr = addr; 466 err = modify_user_hw_breakpoint(bp, &attr); 467 return err; 468 } 469 470 #define PTRACE_HBP_ADDR_SZ sizeof(u64) 471 #define PTRACE_HBP_CTRL_SZ sizeof(u32) 472 #define PTRACE_HBP_PAD_SZ sizeof(u32) 473 474 static int hw_break_get(struct task_struct *target, 475 const struct user_regset *regset, 476 struct membuf to) 477 { 478 unsigned int note_type = regset->core_note_type; 479 int ret, idx = 0; 480 u32 info, ctrl; 481 u64 addr; 482 483 /* Resource info */ 484 ret = ptrace_hbp_get_resource_info(note_type, &info); 485 if (ret) 486 return ret; 487 488 membuf_write(&to, &info, sizeof(info)); 489 membuf_zero(&to, sizeof(u32)); 490 /* (address, ctrl) registers */ 491 while (to.left) { 492 ret = ptrace_hbp_get_addr(note_type, target, idx, &addr); 493 if (ret) 494 return ret; 495 ret = ptrace_hbp_get_ctrl(note_type, target, idx, &ctrl); 496 if (ret) 497 return ret; 498 membuf_store(&to, addr); 499 membuf_store(&to, ctrl); 500 membuf_zero(&to, sizeof(u32)); 501 idx++; 502 } 503 return 0; 504 } 505 506 static int hw_break_set(struct task_struct *target, 507 const struct user_regset *regset, 508 unsigned int pos, unsigned int count, 509 const void *kbuf, const void __user *ubuf) 510 { 511 unsigned int note_type = regset->core_note_type; 512 int ret, idx = 0, offset, limit; 513 u32 ctrl; 514 u64 addr; 515 516 /* Resource info and pad */ 517 offset = offsetof(struct user_hwdebug_state, dbg_regs); 518 ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, 0, offset); 519 if (ret) 520 return ret; 521 522 /* (address, ctrl) registers */ 523 limit = regset->n * regset->size; 524 while (count && offset < limit) { 525 if (count < PTRACE_HBP_ADDR_SZ) 526 return -EINVAL; 527 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &addr, 528 offset, offset + PTRACE_HBP_ADDR_SZ); 529 if (ret) 530 return ret; 531 ret = ptrace_hbp_set_addr(note_type, target, idx, addr); 532 if (ret) 533 return ret; 534 offset += PTRACE_HBP_ADDR_SZ; 535 536 if (!count) 537 break; 538 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl, 539 offset, offset + PTRACE_HBP_CTRL_SZ); 540 if (ret) 541 return ret; 542 ret = ptrace_hbp_set_ctrl(note_type, target, idx, ctrl); 543 if (ret) 544 return ret; 545 offset += PTRACE_HBP_CTRL_SZ; 546 547 ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, 548 offset, 549 offset + PTRACE_HBP_PAD_SZ); 550 if (ret) 551 return ret; 552 offset += PTRACE_HBP_PAD_SZ; 553 idx++; 554 } 555 556 return 0; 557 } 558 #endif /* CONFIG_HAVE_HW_BREAKPOINT */ 559 560 static int gpr_get(struct task_struct *target, 561 const struct user_regset *regset, 562 struct membuf to) 563 { 564 struct user_pt_regs *uregs = &task_pt_regs(target)->user_regs; 565 return membuf_write(&to, uregs, sizeof(*uregs)); 566 } 567 568 static int gpr_set(struct task_struct *target, const struct user_regset *regset, 569 unsigned int pos, unsigned int count, 570 const void *kbuf, const void __user *ubuf) 571 { 572 int ret; 573 struct user_pt_regs newregs = task_pt_regs(target)->user_regs; 574 575 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newregs, 0, -1); 576 if (ret) 577 return ret; 578 579 if (!valid_user_regs(&newregs, target)) 580 return -EINVAL; 581 582 task_pt_regs(target)->user_regs = newregs; 583 return 0; 584 } 585 586 static int fpr_active(struct task_struct *target, const struct user_regset *regset) 587 { 588 if (!system_supports_fpsimd()) 589 return -ENODEV; 590 return regset->n; 591 } 592 593 /* 594 * TODO: update fp accessors for lazy context switching (sync/flush hwstate) 595 */ 596 static int __fpr_get(struct task_struct *target, 597 const struct user_regset *regset, 598 struct membuf to) 599 { 600 struct user_fpsimd_state *uregs; 601 602 sve_sync_to_fpsimd(target); 603 604 uregs = &target->thread.uw.fpsimd_state; 605 606 return membuf_write(&to, uregs, sizeof(*uregs)); 607 } 608 609 static int fpr_get(struct task_struct *target, const struct user_regset *regset, 610 struct membuf to) 611 { 612 if (!system_supports_fpsimd()) 613 return -EINVAL; 614 615 if (target == current) 616 fpsimd_preserve_current_state(); 617 618 return __fpr_get(target, regset, to); 619 } 620 621 static int __fpr_set(struct task_struct *target, 622 const struct user_regset *regset, 623 unsigned int pos, unsigned int count, 624 const void *kbuf, const void __user *ubuf, 625 unsigned int start_pos) 626 { 627 int ret; 628 struct user_fpsimd_state newstate; 629 630 /* 631 * Ensure target->thread.uw.fpsimd_state is up to date, so that a 632 * short copyin can't resurrect stale data. 633 */ 634 sve_sync_to_fpsimd(target); 635 636 newstate = target->thread.uw.fpsimd_state; 637 638 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 639 start_pos, start_pos + sizeof(newstate)); 640 if (ret) 641 return ret; 642 643 target->thread.uw.fpsimd_state = newstate; 644 645 return ret; 646 } 647 648 static int fpr_set(struct task_struct *target, const struct user_regset *regset, 649 unsigned int pos, unsigned int count, 650 const void *kbuf, const void __user *ubuf) 651 { 652 int ret; 653 654 if (!system_supports_fpsimd()) 655 return -EINVAL; 656 657 ret = __fpr_set(target, regset, pos, count, kbuf, ubuf, 0); 658 if (ret) 659 return ret; 660 661 sve_sync_from_fpsimd_zeropad(target); 662 fpsimd_flush_task_state(target); 663 664 return ret; 665 } 666 667 static int tls_get(struct task_struct *target, const struct user_regset *regset, 668 struct membuf to) 669 { 670 if (target == current) 671 tls_preserve_current_state(); 672 673 return membuf_store(&to, target->thread.uw.tp_value); 674 } 675 676 static int tls_set(struct task_struct *target, const struct user_regset *regset, 677 unsigned int pos, unsigned int count, 678 const void *kbuf, const void __user *ubuf) 679 { 680 int ret; 681 unsigned long tls = target->thread.uw.tp_value; 682 683 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1); 684 if (ret) 685 return ret; 686 687 target->thread.uw.tp_value = tls; 688 return ret; 689 } 690 691 static int system_call_get(struct task_struct *target, 692 const struct user_regset *regset, 693 struct membuf to) 694 { 695 return membuf_store(&to, task_pt_regs(target)->syscallno); 696 } 697 698 static int system_call_set(struct task_struct *target, 699 const struct user_regset *regset, 700 unsigned int pos, unsigned int count, 701 const void *kbuf, const void __user *ubuf) 702 { 703 int syscallno = task_pt_regs(target)->syscallno; 704 int ret; 705 706 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &syscallno, 0, -1); 707 if (ret) 708 return ret; 709 710 task_pt_regs(target)->syscallno = syscallno; 711 return ret; 712 } 713 714 #ifdef CONFIG_ARM64_SVE 715 716 static void sve_init_header_from_task(struct user_sve_header *header, 717 struct task_struct *target) 718 { 719 unsigned int vq; 720 721 memset(header, 0, sizeof(*header)); 722 723 header->flags = test_tsk_thread_flag(target, TIF_SVE) ? 724 SVE_PT_REGS_SVE : SVE_PT_REGS_FPSIMD; 725 if (test_tsk_thread_flag(target, TIF_SVE_VL_INHERIT)) 726 header->flags |= SVE_PT_VL_INHERIT; 727 728 header->vl = target->thread.sve_vl; 729 vq = sve_vq_from_vl(header->vl); 730 731 header->max_vl = sve_max_vl; 732 header->size = SVE_PT_SIZE(vq, header->flags); 733 header->max_size = SVE_PT_SIZE(sve_vq_from_vl(header->max_vl), 734 SVE_PT_REGS_SVE); 735 } 736 737 static unsigned int sve_size_from_header(struct user_sve_header const *header) 738 { 739 return ALIGN(header->size, SVE_VQ_BYTES); 740 } 741 742 static int sve_get(struct task_struct *target, 743 const struct user_regset *regset, 744 struct membuf to) 745 { 746 struct user_sve_header header; 747 unsigned int vq; 748 unsigned long start, end; 749 750 if (!system_supports_sve()) 751 return -EINVAL; 752 753 /* Header */ 754 sve_init_header_from_task(&header, target); 755 vq = sve_vq_from_vl(header.vl); 756 757 membuf_write(&to, &header, sizeof(header)); 758 759 if (target == current) 760 fpsimd_preserve_current_state(); 761 762 /* Registers: FPSIMD-only case */ 763 764 BUILD_BUG_ON(SVE_PT_FPSIMD_OFFSET != sizeof(header)); 765 if ((header.flags & SVE_PT_REGS_MASK) == SVE_PT_REGS_FPSIMD) 766 return __fpr_get(target, regset, to); 767 768 /* Otherwise: full SVE case */ 769 770 BUILD_BUG_ON(SVE_PT_SVE_OFFSET != sizeof(header)); 771 start = SVE_PT_SVE_OFFSET; 772 end = SVE_PT_SVE_FFR_OFFSET(vq) + SVE_PT_SVE_FFR_SIZE(vq); 773 membuf_write(&to, target->thread.sve_state, end - start); 774 775 start = end; 776 end = SVE_PT_SVE_FPSR_OFFSET(vq); 777 membuf_zero(&to, end - start); 778 779 /* 780 * Copy fpsr, and fpcr which must follow contiguously in 781 * struct fpsimd_state: 782 */ 783 start = end; 784 end = SVE_PT_SVE_FPCR_OFFSET(vq) + SVE_PT_SVE_FPCR_SIZE; 785 membuf_write(&to, &target->thread.uw.fpsimd_state.fpsr, end - start); 786 787 start = end; 788 end = sve_size_from_header(&header); 789 return membuf_zero(&to, end - start); 790 } 791 792 static int sve_set(struct task_struct *target, 793 const struct user_regset *regset, 794 unsigned int pos, unsigned int count, 795 const void *kbuf, const void __user *ubuf) 796 { 797 int ret; 798 struct user_sve_header header; 799 unsigned int vq; 800 unsigned long start, end; 801 802 if (!system_supports_sve()) 803 return -EINVAL; 804 805 /* Header */ 806 if (count < sizeof(header)) 807 return -EINVAL; 808 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &header, 809 0, sizeof(header)); 810 if (ret) 811 goto out; 812 813 /* 814 * Apart from SVE_PT_REGS_MASK, all SVE_PT_* flags are consumed by 815 * sve_set_vector_length(), which will also validate them for us: 816 */ 817 ret = sve_set_vector_length(target, header.vl, 818 ((unsigned long)header.flags & ~SVE_PT_REGS_MASK) << 16); 819 if (ret) 820 goto out; 821 822 /* Actual VL set may be less than the user asked for: */ 823 vq = sve_vq_from_vl(target->thread.sve_vl); 824 825 /* Registers: FPSIMD-only case */ 826 827 BUILD_BUG_ON(SVE_PT_FPSIMD_OFFSET != sizeof(header)); 828 if ((header.flags & SVE_PT_REGS_MASK) == SVE_PT_REGS_FPSIMD) { 829 ret = __fpr_set(target, regset, pos, count, kbuf, ubuf, 830 SVE_PT_FPSIMD_OFFSET); 831 clear_tsk_thread_flag(target, TIF_SVE); 832 goto out; 833 } 834 835 /* Otherwise: full SVE case */ 836 837 /* 838 * If setting a different VL from the requested VL and there is 839 * register data, the data layout will be wrong: don't even 840 * try to set the registers in this case. 841 */ 842 if (count && vq != sve_vq_from_vl(header.vl)) { 843 ret = -EIO; 844 goto out; 845 } 846 847 sve_alloc(target); 848 849 /* 850 * Ensure target->thread.sve_state is up to date with target's 851 * FPSIMD regs, so that a short copyin leaves trailing registers 852 * unmodified. 853 */ 854 fpsimd_sync_to_sve(target); 855 set_tsk_thread_flag(target, TIF_SVE); 856 857 BUILD_BUG_ON(SVE_PT_SVE_OFFSET != sizeof(header)); 858 start = SVE_PT_SVE_OFFSET; 859 end = SVE_PT_SVE_FFR_OFFSET(vq) + SVE_PT_SVE_FFR_SIZE(vq); 860 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, 861 target->thread.sve_state, 862 start, end); 863 if (ret) 864 goto out; 865 866 start = end; 867 end = SVE_PT_SVE_FPSR_OFFSET(vq); 868 ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, 869 start, end); 870 if (ret) 871 goto out; 872 873 /* 874 * Copy fpsr, and fpcr which must follow contiguously in 875 * struct fpsimd_state: 876 */ 877 start = end; 878 end = SVE_PT_SVE_FPCR_OFFSET(vq) + SVE_PT_SVE_FPCR_SIZE; 879 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, 880 &target->thread.uw.fpsimd_state.fpsr, 881 start, end); 882 883 out: 884 fpsimd_flush_task_state(target); 885 return ret; 886 } 887 888 #endif /* CONFIG_ARM64_SVE */ 889 890 #ifdef CONFIG_ARM64_PTR_AUTH 891 static int pac_mask_get(struct task_struct *target, 892 const struct user_regset *regset, 893 struct membuf to) 894 { 895 /* 896 * The PAC bits can differ across data and instruction pointers 897 * depending on TCR_EL1.TBID*, which we may make use of in future, so 898 * we expose separate masks. 899 */ 900 unsigned long mask = ptrauth_user_pac_mask(); 901 struct user_pac_mask uregs = { 902 .data_mask = mask, 903 .insn_mask = mask, 904 }; 905 906 if (!system_supports_address_auth()) 907 return -EINVAL; 908 909 return membuf_write(&to, &uregs, sizeof(uregs)); 910 } 911 912 static int pac_enabled_keys_get(struct task_struct *target, 913 const struct user_regset *regset, 914 struct membuf to) 915 { 916 long enabled_keys = ptrauth_get_enabled_keys(target); 917 918 if (IS_ERR_VALUE(enabled_keys)) 919 return enabled_keys; 920 921 return membuf_write(&to, &enabled_keys, sizeof(enabled_keys)); 922 } 923 924 static int pac_enabled_keys_set(struct task_struct *target, 925 const struct user_regset *regset, 926 unsigned int pos, unsigned int count, 927 const void *kbuf, const void __user *ubuf) 928 { 929 int ret; 930 long enabled_keys = ptrauth_get_enabled_keys(target); 931 932 if (IS_ERR_VALUE(enabled_keys)) 933 return enabled_keys; 934 935 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &enabled_keys, 0, 936 sizeof(long)); 937 if (ret) 938 return ret; 939 940 return ptrauth_set_enabled_keys(target, PR_PAC_ENABLED_KEYS_MASK, 941 enabled_keys); 942 } 943 944 #ifdef CONFIG_CHECKPOINT_RESTORE 945 static __uint128_t pac_key_to_user(const struct ptrauth_key *key) 946 { 947 return (__uint128_t)key->hi << 64 | key->lo; 948 } 949 950 static struct ptrauth_key pac_key_from_user(__uint128_t ukey) 951 { 952 struct ptrauth_key key = { 953 .lo = (unsigned long)ukey, 954 .hi = (unsigned long)(ukey >> 64), 955 }; 956 957 return key; 958 } 959 960 static void pac_address_keys_to_user(struct user_pac_address_keys *ukeys, 961 const struct ptrauth_keys_user *keys) 962 { 963 ukeys->apiakey = pac_key_to_user(&keys->apia); 964 ukeys->apibkey = pac_key_to_user(&keys->apib); 965 ukeys->apdakey = pac_key_to_user(&keys->apda); 966 ukeys->apdbkey = pac_key_to_user(&keys->apdb); 967 } 968 969 static void pac_address_keys_from_user(struct ptrauth_keys_user *keys, 970 const struct user_pac_address_keys *ukeys) 971 { 972 keys->apia = pac_key_from_user(ukeys->apiakey); 973 keys->apib = pac_key_from_user(ukeys->apibkey); 974 keys->apda = pac_key_from_user(ukeys->apdakey); 975 keys->apdb = pac_key_from_user(ukeys->apdbkey); 976 } 977 978 static int pac_address_keys_get(struct task_struct *target, 979 const struct user_regset *regset, 980 struct membuf to) 981 { 982 struct ptrauth_keys_user *keys = &target->thread.keys_user; 983 struct user_pac_address_keys user_keys; 984 985 if (!system_supports_address_auth()) 986 return -EINVAL; 987 988 pac_address_keys_to_user(&user_keys, keys); 989 990 return membuf_write(&to, &user_keys, sizeof(user_keys)); 991 } 992 993 static int pac_address_keys_set(struct task_struct *target, 994 const struct user_regset *regset, 995 unsigned int pos, unsigned int count, 996 const void *kbuf, const void __user *ubuf) 997 { 998 struct ptrauth_keys_user *keys = &target->thread.keys_user; 999 struct user_pac_address_keys user_keys; 1000 int ret; 1001 1002 if (!system_supports_address_auth()) 1003 return -EINVAL; 1004 1005 pac_address_keys_to_user(&user_keys, keys); 1006 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, 1007 &user_keys, 0, -1); 1008 if (ret) 1009 return ret; 1010 pac_address_keys_from_user(keys, &user_keys); 1011 1012 return 0; 1013 } 1014 1015 static void pac_generic_keys_to_user(struct user_pac_generic_keys *ukeys, 1016 const struct ptrauth_keys_user *keys) 1017 { 1018 ukeys->apgakey = pac_key_to_user(&keys->apga); 1019 } 1020 1021 static void pac_generic_keys_from_user(struct ptrauth_keys_user *keys, 1022 const struct user_pac_generic_keys *ukeys) 1023 { 1024 keys->apga = pac_key_from_user(ukeys->apgakey); 1025 } 1026 1027 static int pac_generic_keys_get(struct task_struct *target, 1028 const struct user_regset *regset, 1029 struct membuf to) 1030 { 1031 struct ptrauth_keys_user *keys = &target->thread.keys_user; 1032 struct user_pac_generic_keys user_keys; 1033 1034 if (!system_supports_generic_auth()) 1035 return -EINVAL; 1036 1037 pac_generic_keys_to_user(&user_keys, keys); 1038 1039 return membuf_write(&to, &user_keys, sizeof(user_keys)); 1040 } 1041 1042 static int pac_generic_keys_set(struct task_struct *target, 1043 const struct user_regset *regset, 1044 unsigned int pos, unsigned int count, 1045 const void *kbuf, const void __user *ubuf) 1046 { 1047 struct ptrauth_keys_user *keys = &target->thread.keys_user; 1048 struct user_pac_generic_keys user_keys; 1049 int ret; 1050 1051 if (!system_supports_generic_auth()) 1052 return -EINVAL; 1053 1054 pac_generic_keys_to_user(&user_keys, keys); 1055 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, 1056 &user_keys, 0, -1); 1057 if (ret) 1058 return ret; 1059 pac_generic_keys_from_user(keys, &user_keys); 1060 1061 return 0; 1062 } 1063 #endif /* CONFIG_CHECKPOINT_RESTORE */ 1064 #endif /* CONFIG_ARM64_PTR_AUTH */ 1065 1066 #ifdef CONFIG_ARM64_TAGGED_ADDR_ABI 1067 static int tagged_addr_ctrl_get(struct task_struct *target, 1068 const struct user_regset *regset, 1069 struct membuf to) 1070 { 1071 long ctrl = get_tagged_addr_ctrl(target); 1072 1073 if (IS_ERR_VALUE(ctrl)) 1074 return ctrl; 1075 1076 return membuf_write(&to, &ctrl, sizeof(ctrl)); 1077 } 1078 1079 static int tagged_addr_ctrl_set(struct task_struct *target, const struct 1080 user_regset *regset, unsigned int pos, 1081 unsigned int count, const void *kbuf, const 1082 void __user *ubuf) 1083 { 1084 int ret; 1085 long ctrl; 1086 1087 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl, 0, -1); 1088 if (ret) 1089 return ret; 1090 1091 return set_tagged_addr_ctrl(target, ctrl); 1092 } 1093 #endif 1094 1095 enum aarch64_regset { 1096 REGSET_GPR, 1097 REGSET_FPR, 1098 REGSET_TLS, 1099 #ifdef CONFIG_HAVE_HW_BREAKPOINT 1100 REGSET_HW_BREAK, 1101 REGSET_HW_WATCH, 1102 #endif 1103 REGSET_SYSTEM_CALL, 1104 #ifdef CONFIG_ARM64_SVE 1105 REGSET_SVE, 1106 #endif 1107 #ifdef CONFIG_ARM64_PTR_AUTH 1108 REGSET_PAC_MASK, 1109 REGSET_PAC_ENABLED_KEYS, 1110 #ifdef CONFIG_CHECKPOINT_RESTORE 1111 REGSET_PACA_KEYS, 1112 REGSET_PACG_KEYS, 1113 #endif 1114 #endif 1115 #ifdef CONFIG_ARM64_TAGGED_ADDR_ABI 1116 REGSET_TAGGED_ADDR_CTRL, 1117 #endif 1118 }; 1119 1120 static const struct user_regset aarch64_regsets[] = { 1121 [REGSET_GPR] = { 1122 .core_note_type = NT_PRSTATUS, 1123 .n = sizeof(struct user_pt_regs) / sizeof(u64), 1124 .size = sizeof(u64), 1125 .align = sizeof(u64), 1126 .regset_get = gpr_get, 1127 .set = gpr_set 1128 }, 1129 [REGSET_FPR] = { 1130 .core_note_type = NT_PRFPREG, 1131 .n = sizeof(struct user_fpsimd_state) / sizeof(u32), 1132 /* 1133 * We pretend we have 32-bit registers because the fpsr and 1134 * fpcr are 32-bits wide. 1135 */ 1136 .size = sizeof(u32), 1137 .align = sizeof(u32), 1138 .active = fpr_active, 1139 .regset_get = fpr_get, 1140 .set = fpr_set 1141 }, 1142 [REGSET_TLS] = { 1143 .core_note_type = NT_ARM_TLS, 1144 .n = 1, 1145 .size = sizeof(void *), 1146 .align = sizeof(void *), 1147 .regset_get = tls_get, 1148 .set = tls_set, 1149 }, 1150 #ifdef CONFIG_HAVE_HW_BREAKPOINT 1151 [REGSET_HW_BREAK] = { 1152 .core_note_type = NT_ARM_HW_BREAK, 1153 .n = sizeof(struct user_hwdebug_state) / sizeof(u32), 1154 .size = sizeof(u32), 1155 .align = sizeof(u32), 1156 .regset_get = hw_break_get, 1157 .set = hw_break_set, 1158 }, 1159 [REGSET_HW_WATCH] = { 1160 .core_note_type = NT_ARM_HW_WATCH, 1161 .n = sizeof(struct user_hwdebug_state) / sizeof(u32), 1162 .size = sizeof(u32), 1163 .align = sizeof(u32), 1164 .regset_get = hw_break_get, 1165 .set = hw_break_set, 1166 }, 1167 #endif 1168 [REGSET_SYSTEM_CALL] = { 1169 .core_note_type = NT_ARM_SYSTEM_CALL, 1170 .n = 1, 1171 .size = sizeof(int), 1172 .align = sizeof(int), 1173 .regset_get = system_call_get, 1174 .set = system_call_set, 1175 }, 1176 #ifdef CONFIG_ARM64_SVE 1177 [REGSET_SVE] = { /* Scalable Vector Extension */ 1178 .core_note_type = NT_ARM_SVE, 1179 .n = DIV_ROUND_UP(SVE_PT_SIZE(SVE_VQ_MAX, SVE_PT_REGS_SVE), 1180 SVE_VQ_BYTES), 1181 .size = SVE_VQ_BYTES, 1182 .align = SVE_VQ_BYTES, 1183 .regset_get = sve_get, 1184 .set = sve_set, 1185 }, 1186 #endif 1187 #ifdef CONFIG_ARM64_PTR_AUTH 1188 [REGSET_PAC_MASK] = { 1189 .core_note_type = NT_ARM_PAC_MASK, 1190 .n = sizeof(struct user_pac_mask) / sizeof(u64), 1191 .size = sizeof(u64), 1192 .align = sizeof(u64), 1193 .regset_get = pac_mask_get, 1194 /* this cannot be set dynamically */ 1195 }, 1196 [REGSET_PAC_ENABLED_KEYS] = { 1197 .core_note_type = NT_ARM_PAC_ENABLED_KEYS, 1198 .n = 1, 1199 .size = sizeof(long), 1200 .align = sizeof(long), 1201 .regset_get = pac_enabled_keys_get, 1202 .set = pac_enabled_keys_set, 1203 }, 1204 #ifdef CONFIG_CHECKPOINT_RESTORE 1205 [REGSET_PACA_KEYS] = { 1206 .core_note_type = NT_ARM_PACA_KEYS, 1207 .n = sizeof(struct user_pac_address_keys) / sizeof(__uint128_t), 1208 .size = sizeof(__uint128_t), 1209 .align = sizeof(__uint128_t), 1210 .regset_get = pac_address_keys_get, 1211 .set = pac_address_keys_set, 1212 }, 1213 [REGSET_PACG_KEYS] = { 1214 .core_note_type = NT_ARM_PACG_KEYS, 1215 .n = sizeof(struct user_pac_generic_keys) / sizeof(__uint128_t), 1216 .size = sizeof(__uint128_t), 1217 .align = sizeof(__uint128_t), 1218 .regset_get = pac_generic_keys_get, 1219 .set = pac_generic_keys_set, 1220 }, 1221 #endif 1222 #endif 1223 #ifdef CONFIG_ARM64_TAGGED_ADDR_ABI 1224 [REGSET_TAGGED_ADDR_CTRL] = { 1225 .core_note_type = NT_ARM_TAGGED_ADDR_CTRL, 1226 .n = 1, 1227 .size = sizeof(long), 1228 .align = sizeof(long), 1229 .regset_get = tagged_addr_ctrl_get, 1230 .set = tagged_addr_ctrl_set, 1231 }, 1232 #endif 1233 }; 1234 1235 static const struct user_regset_view user_aarch64_view = { 1236 .name = "aarch64", .e_machine = EM_AARCH64, 1237 .regsets = aarch64_regsets, .n = ARRAY_SIZE(aarch64_regsets) 1238 }; 1239 1240 #ifdef CONFIG_COMPAT 1241 enum compat_regset { 1242 REGSET_COMPAT_GPR, 1243 REGSET_COMPAT_VFP, 1244 }; 1245 1246 static inline compat_ulong_t compat_get_user_reg(struct task_struct *task, int idx) 1247 { 1248 struct pt_regs *regs = task_pt_regs(task); 1249 1250 switch (idx) { 1251 case 15: 1252 return regs->pc; 1253 case 16: 1254 return pstate_to_compat_psr(regs->pstate); 1255 case 17: 1256 return regs->orig_x0; 1257 default: 1258 return regs->regs[idx]; 1259 } 1260 } 1261 1262 static int compat_gpr_get(struct task_struct *target, 1263 const struct user_regset *regset, 1264 struct membuf to) 1265 { 1266 int i = 0; 1267 1268 while (to.left) 1269 membuf_store(&to, compat_get_user_reg(target, i++)); 1270 return 0; 1271 } 1272 1273 static int compat_gpr_set(struct task_struct *target, 1274 const struct user_regset *regset, 1275 unsigned int pos, unsigned int count, 1276 const void *kbuf, const void __user *ubuf) 1277 { 1278 struct pt_regs newregs; 1279 int ret = 0; 1280 unsigned int i, start, num_regs; 1281 1282 /* Calculate the number of AArch32 registers contained in count */ 1283 num_regs = count / regset->size; 1284 1285 /* Convert pos into an register number */ 1286 start = pos / regset->size; 1287 1288 if (start + num_regs > regset->n) 1289 return -EIO; 1290 1291 newregs = *task_pt_regs(target); 1292 1293 for (i = 0; i < num_regs; ++i) { 1294 unsigned int idx = start + i; 1295 compat_ulong_t reg; 1296 1297 if (kbuf) { 1298 memcpy(®, kbuf, sizeof(reg)); 1299 kbuf += sizeof(reg); 1300 } else { 1301 ret = copy_from_user(®, ubuf, sizeof(reg)); 1302 if (ret) { 1303 ret = -EFAULT; 1304 break; 1305 } 1306 1307 ubuf += sizeof(reg); 1308 } 1309 1310 switch (idx) { 1311 case 15: 1312 newregs.pc = reg; 1313 break; 1314 case 16: 1315 reg = compat_psr_to_pstate(reg); 1316 newregs.pstate = reg; 1317 break; 1318 case 17: 1319 newregs.orig_x0 = reg; 1320 break; 1321 default: 1322 newregs.regs[idx] = reg; 1323 } 1324 1325 } 1326 1327 if (valid_user_regs(&newregs.user_regs, target)) 1328 *task_pt_regs(target) = newregs; 1329 else 1330 ret = -EINVAL; 1331 1332 return ret; 1333 } 1334 1335 static int compat_vfp_get(struct task_struct *target, 1336 const struct user_regset *regset, 1337 struct membuf to) 1338 { 1339 struct user_fpsimd_state *uregs; 1340 compat_ulong_t fpscr; 1341 1342 if (!system_supports_fpsimd()) 1343 return -EINVAL; 1344 1345 uregs = &target->thread.uw.fpsimd_state; 1346 1347 if (target == current) 1348 fpsimd_preserve_current_state(); 1349 1350 /* 1351 * The VFP registers are packed into the fpsimd_state, so they all sit 1352 * nicely together for us. We just need to create the fpscr separately. 1353 */ 1354 membuf_write(&to, uregs, VFP_STATE_SIZE - sizeof(compat_ulong_t)); 1355 fpscr = (uregs->fpsr & VFP_FPSCR_STAT_MASK) | 1356 (uregs->fpcr & VFP_FPSCR_CTRL_MASK); 1357 return membuf_store(&to, fpscr); 1358 } 1359 1360 static int compat_vfp_set(struct task_struct *target, 1361 const struct user_regset *regset, 1362 unsigned int pos, unsigned int count, 1363 const void *kbuf, const void __user *ubuf) 1364 { 1365 struct user_fpsimd_state *uregs; 1366 compat_ulong_t fpscr; 1367 int ret, vregs_end_pos; 1368 1369 if (!system_supports_fpsimd()) 1370 return -EINVAL; 1371 1372 uregs = &target->thread.uw.fpsimd_state; 1373 1374 vregs_end_pos = VFP_STATE_SIZE - sizeof(compat_ulong_t); 1375 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, uregs, 0, 1376 vregs_end_pos); 1377 1378 if (count && !ret) { 1379 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &fpscr, 1380 vregs_end_pos, VFP_STATE_SIZE); 1381 if (!ret) { 1382 uregs->fpsr = fpscr & VFP_FPSCR_STAT_MASK; 1383 uregs->fpcr = fpscr & VFP_FPSCR_CTRL_MASK; 1384 } 1385 } 1386 1387 fpsimd_flush_task_state(target); 1388 return ret; 1389 } 1390 1391 static int compat_tls_get(struct task_struct *target, 1392 const struct user_regset *regset, 1393 struct membuf to) 1394 { 1395 return membuf_store(&to, (compat_ulong_t)target->thread.uw.tp_value); 1396 } 1397 1398 static int compat_tls_set(struct task_struct *target, 1399 const struct user_regset *regset, unsigned int pos, 1400 unsigned int count, const void *kbuf, 1401 const void __user *ubuf) 1402 { 1403 int ret; 1404 compat_ulong_t tls = target->thread.uw.tp_value; 1405 1406 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1); 1407 if (ret) 1408 return ret; 1409 1410 target->thread.uw.tp_value = tls; 1411 return ret; 1412 } 1413 1414 static const struct user_regset aarch32_regsets[] = { 1415 [REGSET_COMPAT_GPR] = { 1416 .core_note_type = NT_PRSTATUS, 1417 .n = COMPAT_ELF_NGREG, 1418 .size = sizeof(compat_elf_greg_t), 1419 .align = sizeof(compat_elf_greg_t), 1420 .regset_get = compat_gpr_get, 1421 .set = compat_gpr_set 1422 }, 1423 [REGSET_COMPAT_VFP] = { 1424 .core_note_type = NT_ARM_VFP, 1425 .n = VFP_STATE_SIZE / sizeof(compat_ulong_t), 1426 .size = sizeof(compat_ulong_t), 1427 .align = sizeof(compat_ulong_t), 1428 .active = fpr_active, 1429 .regset_get = compat_vfp_get, 1430 .set = compat_vfp_set 1431 }, 1432 }; 1433 1434 static const struct user_regset_view user_aarch32_view = { 1435 .name = "aarch32", .e_machine = EM_ARM, 1436 .regsets = aarch32_regsets, .n = ARRAY_SIZE(aarch32_regsets) 1437 }; 1438 1439 static const struct user_regset aarch32_ptrace_regsets[] = { 1440 [REGSET_GPR] = { 1441 .core_note_type = NT_PRSTATUS, 1442 .n = COMPAT_ELF_NGREG, 1443 .size = sizeof(compat_elf_greg_t), 1444 .align = sizeof(compat_elf_greg_t), 1445 .regset_get = compat_gpr_get, 1446 .set = compat_gpr_set 1447 }, 1448 [REGSET_FPR] = { 1449 .core_note_type = NT_ARM_VFP, 1450 .n = VFP_STATE_SIZE / sizeof(compat_ulong_t), 1451 .size = sizeof(compat_ulong_t), 1452 .align = sizeof(compat_ulong_t), 1453 .regset_get = compat_vfp_get, 1454 .set = compat_vfp_set 1455 }, 1456 [REGSET_TLS] = { 1457 .core_note_type = NT_ARM_TLS, 1458 .n = 1, 1459 .size = sizeof(compat_ulong_t), 1460 .align = sizeof(compat_ulong_t), 1461 .regset_get = compat_tls_get, 1462 .set = compat_tls_set, 1463 }, 1464 #ifdef CONFIG_HAVE_HW_BREAKPOINT 1465 [REGSET_HW_BREAK] = { 1466 .core_note_type = NT_ARM_HW_BREAK, 1467 .n = sizeof(struct user_hwdebug_state) / sizeof(u32), 1468 .size = sizeof(u32), 1469 .align = sizeof(u32), 1470 .regset_get = hw_break_get, 1471 .set = hw_break_set, 1472 }, 1473 [REGSET_HW_WATCH] = { 1474 .core_note_type = NT_ARM_HW_WATCH, 1475 .n = sizeof(struct user_hwdebug_state) / sizeof(u32), 1476 .size = sizeof(u32), 1477 .align = sizeof(u32), 1478 .regset_get = hw_break_get, 1479 .set = hw_break_set, 1480 }, 1481 #endif 1482 [REGSET_SYSTEM_CALL] = { 1483 .core_note_type = NT_ARM_SYSTEM_CALL, 1484 .n = 1, 1485 .size = sizeof(int), 1486 .align = sizeof(int), 1487 .regset_get = system_call_get, 1488 .set = system_call_set, 1489 }, 1490 }; 1491 1492 static const struct user_regset_view user_aarch32_ptrace_view = { 1493 .name = "aarch32", .e_machine = EM_ARM, 1494 .regsets = aarch32_ptrace_regsets, .n = ARRAY_SIZE(aarch32_ptrace_regsets) 1495 }; 1496 1497 static int compat_ptrace_read_user(struct task_struct *tsk, compat_ulong_t off, 1498 compat_ulong_t __user *ret) 1499 { 1500 compat_ulong_t tmp; 1501 1502 if (off & 3) 1503 return -EIO; 1504 1505 if (off == COMPAT_PT_TEXT_ADDR) 1506 tmp = tsk->mm->start_code; 1507 else if (off == COMPAT_PT_DATA_ADDR) 1508 tmp = tsk->mm->start_data; 1509 else if (off == COMPAT_PT_TEXT_END_ADDR) 1510 tmp = tsk->mm->end_code; 1511 else if (off < sizeof(compat_elf_gregset_t)) 1512 tmp = compat_get_user_reg(tsk, off >> 2); 1513 else if (off >= COMPAT_USER_SZ) 1514 return -EIO; 1515 else 1516 tmp = 0; 1517 1518 return put_user(tmp, ret); 1519 } 1520 1521 static int compat_ptrace_write_user(struct task_struct *tsk, compat_ulong_t off, 1522 compat_ulong_t val) 1523 { 1524 struct pt_regs newregs = *task_pt_regs(tsk); 1525 unsigned int idx = off / 4; 1526 1527 if (off & 3 || off >= COMPAT_USER_SZ) 1528 return -EIO; 1529 1530 if (off >= sizeof(compat_elf_gregset_t)) 1531 return 0; 1532 1533 switch (idx) { 1534 case 15: 1535 newregs.pc = val; 1536 break; 1537 case 16: 1538 newregs.pstate = compat_psr_to_pstate(val); 1539 break; 1540 case 17: 1541 newregs.orig_x0 = val; 1542 break; 1543 default: 1544 newregs.regs[idx] = val; 1545 } 1546 1547 if (!valid_user_regs(&newregs.user_regs, tsk)) 1548 return -EINVAL; 1549 1550 *task_pt_regs(tsk) = newregs; 1551 return 0; 1552 } 1553 1554 #ifdef CONFIG_HAVE_HW_BREAKPOINT 1555 1556 /* 1557 * Convert a virtual register number into an index for a thread_info 1558 * breakpoint array. Breakpoints are identified using positive numbers 1559 * whilst watchpoints are negative. The registers are laid out as pairs 1560 * of (address, control), each pair mapping to a unique hw_breakpoint struct. 1561 * Register 0 is reserved for describing resource information. 1562 */ 1563 static int compat_ptrace_hbp_num_to_idx(compat_long_t num) 1564 { 1565 return (abs(num) - 1) >> 1; 1566 } 1567 1568 static int compat_ptrace_hbp_get_resource_info(u32 *kdata) 1569 { 1570 u8 num_brps, num_wrps, debug_arch, wp_len; 1571 u32 reg = 0; 1572 1573 num_brps = hw_breakpoint_slots(TYPE_INST); 1574 num_wrps = hw_breakpoint_slots(TYPE_DATA); 1575 1576 debug_arch = debug_monitors_arch(); 1577 wp_len = 8; 1578 reg |= debug_arch; 1579 reg <<= 8; 1580 reg |= wp_len; 1581 reg <<= 8; 1582 reg |= num_wrps; 1583 reg <<= 8; 1584 reg |= num_brps; 1585 1586 *kdata = reg; 1587 return 0; 1588 } 1589 1590 static int compat_ptrace_hbp_get(unsigned int note_type, 1591 struct task_struct *tsk, 1592 compat_long_t num, 1593 u32 *kdata) 1594 { 1595 u64 addr = 0; 1596 u32 ctrl = 0; 1597 1598 int err, idx = compat_ptrace_hbp_num_to_idx(num); 1599 1600 if (num & 1) { 1601 err = ptrace_hbp_get_addr(note_type, tsk, idx, &addr); 1602 *kdata = (u32)addr; 1603 } else { 1604 err = ptrace_hbp_get_ctrl(note_type, tsk, idx, &ctrl); 1605 *kdata = ctrl; 1606 } 1607 1608 return err; 1609 } 1610 1611 static int compat_ptrace_hbp_set(unsigned int note_type, 1612 struct task_struct *tsk, 1613 compat_long_t num, 1614 u32 *kdata) 1615 { 1616 u64 addr; 1617 u32 ctrl; 1618 1619 int err, idx = compat_ptrace_hbp_num_to_idx(num); 1620 1621 if (num & 1) { 1622 addr = *kdata; 1623 err = ptrace_hbp_set_addr(note_type, tsk, idx, addr); 1624 } else { 1625 ctrl = *kdata; 1626 err = ptrace_hbp_set_ctrl(note_type, tsk, idx, ctrl); 1627 } 1628 1629 return err; 1630 } 1631 1632 static int compat_ptrace_gethbpregs(struct task_struct *tsk, compat_long_t num, 1633 compat_ulong_t __user *data) 1634 { 1635 int ret; 1636 u32 kdata; 1637 1638 /* Watchpoint */ 1639 if (num < 0) { 1640 ret = compat_ptrace_hbp_get(NT_ARM_HW_WATCH, tsk, num, &kdata); 1641 /* Resource info */ 1642 } else if (num == 0) { 1643 ret = compat_ptrace_hbp_get_resource_info(&kdata); 1644 /* Breakpoint */ 1645 } else { 1646 ret = compat_ptrace_hbp_get(NT_ARM_HW_BREAK, tsk, num, &kdata); 1647 } 1648 1649 if (!ret) 1650 ret = put_user(kdata, data); 1651 1652 return ret; 1653 } 1654 1655 static int compat_ptrace_sethbpregs(struct task_struct *tsk, compat_long_t num, 1656 compat_ulong_t __user *data) 1657 { 1658 int ret; 1659 u32 kdata = 0; 1660 1661 if (num == 0) 1662 return 0; 1663 1664 ret = get_user(kdata, data); 1665 if (ret) 1666 return ret; 1667 1668 if (num < 0) 1669 ret = compat_ptrace_hbp_set(NT_ARM_HW_WATCH, tsk, num, &kdata); 1670 else 1671 ret = compat_ptrace_hbp_set(NT_ARM_HW_BREAK, tsk, num, &kdata); 1672 1673 return ret; 1674 } 1675 #endif /* CONFIG_HAVE_HW_BREAKPOINT */ 1676 1677 long compat_arch_ptrace(struct task_struct *child, compat_long_t request, 1678 compat_ulong_t caddr, compat_ulong_t cdata) 1679 { 1680 unsigned long addr = caddr; 1681 unsigned long data = cdata; 1682 void __user *datap = compat_ptr(data); 1683 int ret; 1684 1685 switch (request) { 1686 case PTRACE_PEEKUSR: 1687 ret = compat_ptrace_read_user(child, addr, datap); 1688 break; 1689 1690 case PTRACE_POKEUSR: 1691 ret = compat_ptrace_write_user(child, addr, data); 1692 break; 1693 1694 case COMPAT_PTRACE_GETREGS: 1695 ret = copy_regset_to_user(child, 1696 &user_aarch32_view, 1697 REGSET_COMPAT_GPR, 1698 0, sizeof(compat_elf_gregset_t), 1699 datap); 1700 break; 1701 1702 case COMPAT_PTRACE_SETREGS: 1703 ret = copy_regset_from_user(child, 1704 &user_aarch32_view, 1705 REGSET_COMPAT_GPR, 1706 0, sizeof(compat_elf_gregset_t), 1707 datap); 1708 break; 1709 1710 case COMPAT_PTRACE_GET_THREAD_AREA: 1711 ret = put_user((compat_ulong_t)child->thread.uw.tp_value, 1712 (compat_ulong_t __user *)datap); 1713 break; 1714 1715 case COMPAT_PTRACE_SET_SYSCALL: 1716 task_pt_regs(child)->syscallno = data; 1717 ret = 0; 1718 break; 1719 1720 case COMPAT_PTRACE_GETVFPREGS: 1721 ret = copy_regset_to_user(child, 1722 &user_aarch32_view, 1723 REGSET_COMPAT_VFP, 1724 0, VFP_STATE_SIZE, 1725 datap); 1726 break; 1727 1728 case COMPAT_PTRACE_SETVFPREGS: 1729 ret = copy_regset_from_user(child, 1730 &user_aarch32_view, 1731 REGSET_COMPAT_VFP, 1732 0, VFP_STATE_SIZE, 1733 datap); 1734 break; 1735 1736 #ifdef CONFIG_HAVE_HW_BREAKPOINT 1737 case COMPAT_PTRACE_GETHBPREGS: 1738 ret = compat_ptrace_gethbpregs(child, addr, datap); 1739 break; 1740 1741 case COMPAT_PTRACE_SETHBPREGS: 1742 ret = compat_ptrace_sethbpregs(child, addr, datap); 1743 break; 1744 #endif 1745 1746 default: 1747 ret = compat_ptrace_request(child, request, addr, 1748 data); 1749 break; 1750 } 1751 1752 return ret; 1753 } 1754 #endif /* CONFIG_COMPAT */ 1755 1756 const struct user_regset_view *task_user_regset_view(struct task_struct *task) 1757 { 1758 #ifdef CONFIG_COMPAT 1759 /* 1760 * Core dumping of 32-bit tasks or compat ptrace requests must use the 1761 * user_aarch32_view compatible with arm32. Native ptrace requests on 1762 * 32-bit children use an extended user_aarch32_ptrace_view to allow 1763 * access to the TLS register. 1764 */ 1765 if (is_compat_task()) 1766 return &user_aarch32_view; 1767 else if (is_compat_thread(task_thread_info(task))) 1768 return &user_aarch32_ptrace_view; 1769 #endif 1770 return &user_aarch64_view; 1771 } 1772 1773 long arch_ptrace(struct task_struct *child, long request, 1774 unsigned long addr, unsigned long data) 1775 { 1776 switch (request) { 1777 case PTRACE_PEEKMTETAGS: 1778 case PTRACE_POKEMTETAGS: 1779 return mte_ptrace_copy_tags(child, request, addr, data); 1780 } 1781 1782 return ptrace_request(child, request, addr, data); 1783 } 1784 1785 enum ptrace_syscall_dir { 1786 PTRACE_SYSCALL_ENTER = 0, 1787 PTRACE_SYSCALL_EXIT, 1788 }; 1789 1790 static void tracehook_report_syscall(struct pt_regs *regs, 1791 enum ptrace_syscall_dir dir) 1792 { 1793 int regno; 1794 unsigned long saved_reg; 1795 1796 /* 1797 * We have some ABI weirdness here in the way that we handle syscall 1798 * exit stops because we indicate whether or not the stop has been 1799 * signalled from syscall entry or syscall exit by clobbering a general 1800 * purpose register (ip/r12 for AArch32, x7 for AArch64) in the tracee 1801 * and restoring its old value after the stop. This means that: 1802 * 1803 * - Any writes by the tracer to this register during the stop are 1804 * ignored/discarded. 1805 * 1806 * - The actual value of the register is not available during the stop, 1807 * so the tracer cannot save it and restore it later. 1808 * 1809 * - Syscall stops behave differently to seccomp and pseudo-step traps 1810 * (the latter do not nobble any registers). 1811 */ 1812 regno = (is_compat_task() ? 12 : 7); 1813 saved_reg = regs->regs[regno]; 1814 regs->regs[regno] = dir; 1815 1816 if (dir == PTRACE_SYSCALL_ENTER) { 1817 if (tracehook_report_syscall_entry(regs)) 1818 forget_syscall(regs); 1819 regs->regs[regno] = saved_reg; 1820 } else if (!test_thread_flag(TIF_SINGLESTEP)) { 1821 tracehook_report_syscall_exit(regs, 0); 1822 regs->regs[regno] = saved_reg; 1823 } else { 1824 regs->regs[regno] = saved_reg; 1825 1826 /* 1827 * Signal a pseudo-step exception since we are stepping but 1828 * tracer modifications to the registers may have rewound the 1829 * state machine. 1830 */ 1831 tracehook_report_syscall_exit(regs, 1); 1832 } 1833 } 1834 1835 int syscall_trace_enter(struct pt_regs *regs) 1836 { 1837 unsigned long flags = READ_ONCE(current_thread_info()->flags); 1838 1839 if (flags & (_TIF_SYSCALL_EMU | _TIF_SYSCALL_TRACE)) { 1840 tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); 1841 if (flags & _TIF_SYSCALL_EMU) 1842 return NO_SYSCALL; 1843 } 1844 1845 /* Do the secure computing after ptrace; failures should be fast. */ 1846 if (secure_computing() == -1) 1847 return NO_SYSCALL; 1848 1849 if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) 1850 trace_sys_enter(regs, regs->syscallno); 1851 1852 audit_syscall_entry(regs->syscallno, regs->orig_x0, regs->regs[1], 1853 regs->regs[2], regs->regs[3]); 1854 1855 return regs->syscallno; 1856 } 1857 1858 void syscall_trace_exit(struct pt_regs *regs) 1859 { 1860 unsigned long flags = READ_ONCE(current_thread_info()->flags); 1861 1862 audit_syscall_exit(regs); 1863 1864 if (flags & _TIF_SYSCALL_TRACEPOINT) 1865 trace_sys_exit(regs, syscall_get_return_value(current, regs)); 1866 1867 if (flags & (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP)) 1868 tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT); 1869 1870 rseq_syscall(regs); 1871 } 1872 1873 /* 1874 * SPSR_ELx bits which are always architecturally RES0 per ARM DDI 0487D.a. 1875 * We permit userspace to set SSBS (AArch64 bit 12, AArch32 bit 23) which is 1876 * not described in ARM DDI 0487D.a. 1877 * We treat PAN and UAO as RES0 bits, as they are meaningless at EL0, and may 1878 * be allocated an EL0 meaning in future. 1879 * Userspace cannot use these until they have an architectural meaning. 1880 * Note that this follows the SPSR_ELx format, not the AArch32 PSR format. 1881 * We also reserve IL for the kernel; SS is handled dynamically. 1882 */ 1883 #define SPSR_EL1_AARCH64_RES0_BITS \ 1884 (GENMASK_ULL(63, 32) | GENMASK_ULL(27, 26) | GENMASK_ULL(23, 22) | \ 1885 GENMASK_ULL(20, 13) | GENMASK_ULL(5, 5)) 1886 #define SPSR_EL1_AARCH32_RES0_BITS \ 1887 (GENMASK_ULL(63, 32) | GENMASK_ULL(22, 22) | GENMASK_ULL(20, 20)) 1888 1889 static int valid_compat_regs(struct user_pt_regs *regs) 1890 { 1891 regs->pstate &= ~SPSR_EL1_AARCH32_RES0_BITS; 1892 1893 if (!system_supports_mixed_endian_el0()) { 1894 if (IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)) 1895 regs->pstate |= PSR_AA32_E_BIT; 1896 else 1897 regs->pstate &= ~PSR_AA32_E_BIT; 1898 } 1899 1900 if (user_mode(regs) && (regs->pstate & PSR_MODE32_BIT) && 1901 (regs->pstate & PSR_AA32_A_BIT) == 0 && 1902 (regs->pstate & PSR_AA32_I_BIT) == 0 && 1903 (regs->pstate & PSR_AA32_F_BIT) == 0) { 1904 return 1; 1905 } 1906 1907 /* 1908 * Force PSR to a valid 32-bit EL0t, preserving the same bits as 1909 * arch/arm. 1910 */ 1911 regs->pstate &= PSR_AA32_N_BIT | PSR_AA32_Z_BIT | 1912 PSR_AA32_C_BIT | PSR_AA32_V_BIT | 1913 PSR_AA32_Q_BIT | PSR_AA32_IT_MASK | 1914 PSR_AA32_GE_MASK | PSR_AA32_E_BIT | 1915 PSR_AA32_T_BIT; 1916 regs->pstate |= PSR_MODE32_BIT; 1917 1918 return 0; 1919 } 1920 1921 static int valid_native_regs(struct user_pt_regs *regs) 1922 { 1923 regs->pstate &= ~SPSR_EL1_AARCH64_RES0_BITS; 1924 1925 if (user_mode(regs) && !(regs->pstate & PSR_MODE32_BIT) && 1926 (regs->pstate & PSR_D_BIT) == 0 && 1927 (regs->pstate & PSR_A_BIT) == 0 && 1928 (regs->pstate & PSR_I_BIT) == 0 && 1929 (regs->pstate & PSR_F_BIT) == 0) { 1930 return 1; 1931 } 1932 1933 /* Force PSR to a valid 64-bit EL0t */ 1934 regs->pstate &= PSR_N_BIT | PSR_Z_BIT | PSR_C_BIT | PSR_V_BIT; 1935 1936 return 0; 1937 } 1938 1939 /* 1940 * Are the current registers suitable for user mode? (used to maintain 1941 * security in signal handlers) 1942 */ 1943 int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task) 1944 { 1945 /* https://lore.kernel.org/lkml/20191118131525.GA4180@willie-the-truck */ 1946 user_regs_reset_single_step(regs, task); 1947 1948 if (is_compat_thread(task_thread_info(task))) 1949 return valid_compat_regs(regs); 1950 else 1951 return valid_native_regs(regs); 1952 } 1953