tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

ARM: 7735/2: Preserve the user r/w register TPIDRURW on context switch and fork

Since commit 6a1c53124aa1 the user writeable TLS register was zeroed to
prevent it from being used as a covert channel between two tasks.

There are more and more applications coming to Windows RT,
Wine could support them, but mostly they expect to have
the thread environment block (TEB) in TPIDRURW.

This patch preserves that register per thread instead of clearing it.
Unlike the TPIDRURO, which is already switched, the TPIDRURW
can be updated from userspace so needs careful treatment in the case that we
modify TPIDRURW and call fork(). To avoid this we must always read
TPIDRURW in copy_thread.

Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jonathan Austin <jonathan.austin@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

authored by

André Hentschel and committed by
Russell King a4780ade 4a1b5733

+37 -20
+1 -1
arch/arm/include/asm/thread_info.h
··· 58 58 struct cpu_context_save cpu_context; /* cpu context */ 59 59 __u32 syscall; /* syscall number */ 60 60 __u8 used_cp[16]; /* thread used copro */ 61 - unsigned long tp_value; 61 + unsigned long tp_value[2]; /* TLS registers */ 62 62 #ifdef CONFIG_CRUNCH 63 63 struct crunch_state crunchstate; 64 64 #endif
+27 -13
arch/arm/include/asm/tls.h
··· 2 2 #define __ASMARM_TLS_H 3 3 4 4 #ifdef __ASSEMBLY__ 5 - .macro set_tls_none, tp, tmp1, tmp2 5 + #include <asm/asm-offsets.h> 6 + .macro switch_tls_none, base, tp, tpuser, tmp1, tmp2 6 7 .endm 7 8 8 - .macro set_tls_v6k, tp, tmp1, tmp2 9 + .macro switch_tls_v6k, base, tp, tpuser, tmp1, tmp2 10 + mrc p15, 0, \tmp2, c13, c0, 2 @ get the user r/w register 9 11 mcr p15, 0, \tp, c13, c0, 3 @ set TLS register 10 - mov \tmp1, #0 11 - mcr p15, 0, \tmp1, c13, c0, 2 @ clear user r/w TLS register 12 + mcr p15, 0, \tpuser, c13, c0, 2 @ and the user r/w register 13 + str \tmp2, [\base, #TI_TP_VALUE + 4] @ save it 12 14 .endm 13 15 14 - .macro set_tls_v6, tp, tmp1, tmp2 16 + .macro switch_tls_v6, base, tp, tpuser, tmp1, tmp2 15 17 ldr \tmp1, =elf_hwcap 16 18 ldr \tmp1, [\tmp1, #0] 17 19 mov \tmp2, #0xffff0fff 18 20 tst \tmp1, #HWCAP_TLS @ hardware TLS available? 19 - mcrne p15, 0, \tp, c13, c0, 3 @ yes, set TLS register 20 - movne \tmp1, #0 21 - mcrne p15, 0, \tmp1, c13, c0, 2 @ clear user r/w TLS register 22 21 streq \tp, [\tmp2, #-15] @ set TLS value at 0xffff0ff0 22 + mrcne p15, 0, \tmp2, c13, c0, 2 @ get the user r/w register 23 + mcrne p15, 0, \tp, c13, c0, 3 @ yes, set TLS register 24 + mcrne p15, 0, \tpuser, c13, c0, 2 @ set user r/w register 25 + strne \tmp2, [\base, #TI_TP_VALUE + 4] @ save it 23 26 .endm 24 27 25 - .macro set_tls_software, tp, tmp1, tmp2 28 + .macro switch_tls_software, base, tp, tpuser, tmp1, tmp2 26 29 mov \tmp1, #0xffff0fff 27 30 str \tp, [\tmp1, #-15] @ set TLS value at 0xffff0ff0 28 31 .endm ··· 34 31 #ifdef CONFIG_TLS_REG_EMUL 35 32 #define tls_emu 1 36 33 #define has_tls_reg 1 37 - #define set_tls set_tls_none 34 + #define switch_tls switch_tls_none 38 35 #elif defined(CONFIG_CPU_V6) 39 36 #define tls_emu 0 40 37 #define has_tls_reg (elf_hwcap & HWCAP_TLS) 41 - #define set_tls set_tls_v6 38 + #define switch_tls switch_tls_v6 42 39 #elif defined(CONFIG_CPU_32v6K) 43 40 #define tls_emu 0 44 41 #define has_tls_reg 1 45 - #define set_tls set_tls_v6k 42 + #define switch_tls switch_tls_v6k 46 43 #else 47 44 #define tls_emu 0 48 45 #define has_tls_reg 0 49 - #define set_tls set_tls_software 46 + #define switch_tls switch_tls_software 50 47 #endif 51 48 49 + #ifndef __ASSEMBLY__ 50 + static inline unsigned long get_tpuser(void) 51 + { 52 + unsigned long reg = 0; 53 + 54 + if (has_tls_reg && !tls_emu) 55 + __asm__("mrc p15, 0, %0, c13, c0, 2" : "=r" (reg)); 56 + 57 + return reg; 58 + } 59 + #endif 52 60 #endif /* __ASMARM_TLS_H */
+3 -2
arch/arm/kernel/entry-armv.S
··· 685 685 UNWIND(.fnstart ) 686 686 UNWIND(.cantunwind ) 687 687 add ip, r1, #TI_CPU_SAVE 688 - ldr r3, [r2, #TI_TP_VALUE] 689 688 ARM( stmia ip!, {r4 - sl, fp, sp, lr} ) @ Store most regs on stack 690 689 THUMB( stmia ip!, {r4 - sl, fp} ) @ Store most regs on stack 691 690 THUMB( str sp, [ip], #4 ) 692 691 THUMB( str lr, [ip], #4 ) 692 + ldr r4, [r2, #TI_TP_VALUE] 693 + ldr r5, [r2, #TI_TP_VALUE + 4] 693 694 #ifdef CONFIG_CPU_USE_DOMAINS 694 695 ldr r6, [r2, #TI_CPU_DOMAIN] 695 696 #endif 696 - set_tls r3, r4, r5 697 + switch_tls r1, r4, r5, r3, r7 697 698 #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) 698 699 ldr r7, [r2, #TI_TASK] 699 700 ldr r8, =__stack_chk_guard
+3 -1
arch/arm/kernel/process.c
··· 39 39 #include <asm/thread_notify.h> 40 40 #include <asm/stacktrace.h> 41 41 #include <asm/mach/time.h> 42 + #include <asm/tls.h> 42 43 43 44 #ifdef CONFIG_CC_STACKPROTECTOR 44 45 #include <linux/stackprotector.h> ··· 344 343 clear_ptrace_hw_breakpoint(p); 345 344 346 345 if (clone_flags & CLONE_SETTLS) 347 - thread->tp_value = childregs->ARM_r3; 346 + thread->tp_value[0] = childregs->ARM_r3; 347 + thread->tp_value[1] = get_tpuser(); 348 348 349 349 thread_notify(THREAD_NOTIFY_COPY, thread); 350 350
+1 -1
arch/arm/kernel/ptrace.c
··· 849 849 #endif 850 850 851 851 case PTRACE_GET_THREAD_AREA: 852 - ret = put_user(task_thread_info(child)->tp_value, 852 + ret = put_user(task_thread_info(child)->tp_value[0], 853 853 datap); 854 854 break; 855 855
+2 -2
arch/arm/kernel/traps.c
··· 581 581 return regs->ARM_r0; 582 582 583 583 case NR(set_tls): 584 - thread->tp_value = regs->ARM_r0; 584 + thread->tp_value[0] = regs->ARM_r0; 585 585 if (tls_emu) 586 586 return 0; 587 587 if (has_tls_reg) { ··· 699 699 int reg = (instr >> 12) & 15; 700 700 if (reg == 15) 701 701 return 1; 702 - regs->uregs[reg] = current_thread_info()->tp_value; 702 + regs->uregs[reg] = current_thread_info()->tp_value[0]; 703 703 regs->ARM_pc += 4; 704 704 return 0; 705 705 }