diff options
| author | Max Filippov <jcmvbkbc@gmail.com> | 2022-03-06 06:05:54 +0100 |
|---|---|---|
| committer | Max Filippov <jcmvbkbc@gmail.com> | 2022-03-07 21:02:54 +0100 |
| commit | 5b835d4cade1723c5944a231cc685801f5a5cc6c (patch) | |
| tree | c744c4af85ce0ee3c6a83e328cf7b445b5170a88 /arch/xtensa/kernel | |
| parent | xtensa: rename PT_SIZE to PT_KERNEL_SIZE (diff) | |
| download | linux-5b835d4cade1723c5944a231cc685801f5a5cc6c.tar.xz linux-5b835d4cade1723c5944a231cc685801f5a5cc6c.zip | |
xtensa: use XCHAL_NUM_AREGS as pt_regs::areg size
struct pt_regs is used to access both kernel and user exception frames.
User exception frames may contain up to XCHAL_NUM_AREG registers that
task creation and signal delivery code may access, but pt_regs::areg
array has only 16 entries that cover only the kernel exception frame.
This results in the following build error:
arch/xtensa/kernel/process.c: In function 'copy_thread':
arch/xtensa/kernel/process.c:262:52: error: array subscript 53 is above
array bounds of 'long unsigned int[16]' [-Werror=array-bounds]
262 | put_user(regs->areg[caller_ars+1],
Change struct pt_regs::areg size to XCHAL_NUM_AREGS so that it covers
the whole user exception frame. Adjust task_pt_regs and drop additional
register copying code from copy_thread now that the whole user exception
stack frame is copied.
Reported-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'arch/xtensa/kernel')
| -rw-r--r-- | arch/xtensa/kernel/process.c | 10 |
1 files changed, 0 insertions, 10 deletions
diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c index bd80df890b1e..e8bfbca5f001 100644 --- a/arch/xtensa/kernel/process.c +++ b/arch/xtensa/kernel/process.c @@ -232,10 +232,6 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn, p->thread.ra = MAKE_RA_FOR_CALL( (unsigned long)ret_from_fork, 0x1); - /* This does not copy all the regs. - * In a bout of brilliance or madness, - * ARs beyond a0-a15 exist past the end of the struct. - */ *childregs = *regs; childregs->areg[1] = usp; childregs->areg[2] = 0; @@ -265,14 +261,8 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn, childregs->wmask = 1; childregs->windowstart = 1; childregs->windowbase = 0; - } else { - int len = childregs->wmask & ~0xf; - memcpy(&childregs->areg[XCHAL_NUM_AREGS - len/4], - ®s->areg[XCHAL_NUM_AREGS - len/4], len); } - childregs->syscall = regs->syscall; - if (clone_flags & CLONE_SETTLS) childregs->threadptr = tls; } else { |