summaryrefslogtreecommitdiffstats
path: root/drivers/firmware
diff options
context:
space:
mode:
authorJames Morse <james.morse@arm.com>2020-05-19 20:21:08 +0200
committerWill Deacon <will@kernel.org>2020-05-20 10:36:01 +0200
commit472de63b0b8383565e103f809f5df37d1c4390ab (patch)
treed2bc2eb495a0b2e8a8bde740987a2a7104c0d9d4 /drivers/firmware
parentfirmware: arm_sdei: remove unused interfaces (diff)
downloadlinux-472de63b0b8383565e103f809f5df37d1c4390ab.tar.xz
linux-472de63b0b8383565e103f809f5df37d1c4390ab.zip
firmware: arm_sdei: Document the motivation behind these set_fs() calls
The SDEI handler save/restores the addr_limit using set_fs(). It isn't very clear why. The reason is to mirror the arch code's entry assembly. The arch code does this because perf may access user-space, and inheriting the addr_limit may be a problem. Add a comment explaining why this is here. Suggested-by: Christoph Hellwig <hch@lst.de> Signed-off-by: James Morse <james.morse@arm.com> Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=822 Link: https://lore.kernel.org/r/20200519182108.13693-4-james.morse@arm.com Signed-off-by: Will Deacon <will@kernel.org>
Diffstat (limited to 'drivers/firmware')
-rw-r--r--drivers/firmware/arm_sdei.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c
index b12b99a19f66..e7e36aab2386 100644
--- a/drivers/firmware/arm_sdei.c
+++ b/drivers/firmware/arm_sdei.c
@@ -1128,6 +1128,14 @@ int sdei_event_handler(struct pt_regs *regs,
mm_segment_t orig_addr_limit;
u32 event_num = arg->event_num;
+ /*
+ * Save restore 'fs'.
+ * The architecture's entry code save/restores 'fs' when taking an
+ * exception from the kernel. This ensures addr_limit isn't inherited
+ * if you interrupted something that allowed the uaccess routines to
+ * access kernel memory.
+ * Do the same here because this doesn't come via the same entry code.
+ */
orig_addr_limit = get_fs();
set_fs(USER_DS);