git.ipfire.org Git - people/arne_f/kernel.git/commit
arm64: Cortex-A53 errata workaround: check for kernel addresses
author Andre Przywara <andre.przywara@arm.com>
Wed, 19 Oct 2016 13:40:54 +0000 (14:40 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 28 Oct 2016 07:45:29 +0000 (03:45 -0400)
commit ac591c10110bf1fb1da55dd7e2bda3adb8c713be
tree 103c3a4115ca6047fca1eb71e81cd6fe42475f7b
parent 32c0a66fad76d8dc6b83ed53db3c336d0a1706b9
arm64: Cortex-A53 errata workaround: check for kernel addresses

commit 87261d19046aeaeed8eb3d2793fde850ae1b5c9e upstream.

Commit 7dd01aef0557 ("arm64: trap userspace "dc cvau" cache operation on
errata-affected core") adds code to execute cache maintenance instructions
in the kernel on behalf of userland on CPUs with certain ARM CPU errata.
It turns out that the address hasn't been checked to be a valid user
space address, allowing userland to clean cache lines in kernel space.
Fix this by introducing an address check before executing the
instructions on behalf of userland.

Since the address doesn't come via a syscall parameter, we can't just
reject tagged pointers and instead have to remove the tag when checking
against the user address limit.

Fixes: 7dd01aef0557 ("arm64: trap userspace "dc cvau" cache operation on errata-affected core")
Reported-by: Kristina Martsenko <kristina.martsenko@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
[will: rework commit message + replace access_ok with max_user_addr()]
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
arch/arm64/include/asm/uaccess.h
arch/arm64/kernel/traps.c
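
The check the commit message describes (remove the tag, then compare against the user address limit), as an added user-space model that is not the kernel's code or part of this commit. The function names, the 48-bit limit, the tag position in bits 63:56 and the sample addresses are assumptions made for the illustration.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this model: 48-bit user VA space, tag carried in bits 63:56. */
#define MODEL_USER_ADDR_MAX (UINT64_C(1) << 48)
#define MODEL_TAG_MASK      (UINT64_C(0xff) << 56)

/* Replace the tag byte with copies of bit 55: a user address (bit 55 clear)
 * gets a zero top byte, a kernel address (bit 55 set) stays a kernel address. */
static uint64_t model_untag(uint64_t addr)
{
    if (addr & (UINT64_C(1) << 55))
        return addr | MODEL_TAG_MASK;
    return addr & ~MODEL_TAG_MASK;
}

/* Naive check: compares the raw register value, tag included, so a valid
 * tagged user pointer is wrongly rejected. */
static int naive_check(uint64_t addr)
{
    return addr >= MODEL_USER_ADDR_MAX ? -EFAULT : 0;
}

/* Untag first, then compare against the user address limit. */
static int untagged_check(uint64_t addr)
{
    return model_untag(addr) >= MODEL_USER_ADDR_MAX ? -EFAULT : 0;
}

int main(void)
{
    /* Constructed sample addresses, not taken from the commit. */
    const uint64_t samples[] = {
        UINT64_C(0x0000007fb7a41000), /* plain user address         */
        UINT64_C(0x5a00007fb7a41000), /* same address with tag 0x5a */
        UINT64_C(0xffff000008081000), /* kernel address             */
        UINT64_C(0x00ff000008081000), /* bit 55 set, top byte zero  */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%016" PRIx64 " naive=%d untagged=%d\n", samples[i],
               naive_check(samples[i]), untagged_check(samples[i]));
    return 0;
}
```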