git.baikalelectronics.ru Git - kernel.git/commit

author	Andre Przywara <andre.przywara@arm.com>
	Wed, 19 Oct 2016 13:40:54 +0000 (14:40 +0100)
committer	Will Deacon <will.deacon@arm.com>
	Thu, 20 Oct 2016 08:50:49 +0000 (09:50 +0100)
commit	792ba64f6ba41e054552e3eca064ababb2d15ff7
tree	5e27605b4c18c29fbc1307d92bc1ef30e4ab6883	tree \| snapshot
parent	5c7b8e385e4c358c602d10723a16b4d948087492	commit \| diff

arm64: Cortex-A53 errata workaround: check for kernel addresses

Commit c63e95993dcb ("arm64: trap userspace "dc cvau" cache operation on
errata-affected core") adds code to execute cache maintenance instructions
in the kernel on behalf of userland on CPUs with certain ARM CPU errata.
It turns out that the address hasn't been checked to be a valid user
space address, allowing userland to clean cache lines in kernel space.
Fix this by introducing an address check before executing the
instructions on behalf of userland.

Since the address doesn't come via a syscall parameter, we can't just
reject tagged pointers and instead have to remove the tag when checking
against the user address limit.

Cc: <stable@vger.kernel.org>
Fixes: c63e95993dcb ("arm64: trap userspace "dc cvau" cache operation on errata-affected core")
Reported-by: Kristina Martsenko <kristina.martsenko@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
[will: rework commit message + replace access_ok with max_user_addr()]
Signed-off-by: Will Deacon <will.deacon@arm.com>

arch/arm64/include/asm/uaccess.h		diff \| blob \| history
arch/arm64/kernel/traps.c		diff \| blob \| history