1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
4 #include <linux/sched.h>
5 #include <linux/user.h>
6 #include <linux/regset.h>
7 #include <linux/syscalls.h>
9 #include <linux/uaccess.h>
12 #include <asm/processor.h>
13 #include <asm/proto.h>
18 * sys_alloc_thread_area: get a yet unused TLS descriptor index.
20 static int get_free_idx(void)
22 struct thread_struct *t = ¤t->thread;
25 for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++)
26 if (desc_empty(&t->tls_array[idx]))
27 return idx + GDT_ENTRY_TLS_MIN;
31 static bool tls_desc_okay(const struct user_desc *info)
34 * For historical reasons (i.e. no one ever documented how any
35 * of the segmentation APIs work), user programs can and do
36 * assume that a struct user_desc that's all zeros except for
37 * entry_number means "no segment at all". This never actually
38 * worked. In fact, up to Linux 3.19, a struct user_desc like
39 * this would create a 16-bit read-write segment with base and
40 * limit both equal to zero.
42 * That was close enough to "no segment at all" until we
43 * hardened this function to disallow 16-bit TLS segments. Fix
44 * it up by interpreting these zeroed segments the way that they
45 * were almost certainly intended to be interpreted.
47 * The correct way to ask for "no segment at all" is to specify
48 * a user_desc that satisfies LDT_empty. To keep everything
49 * working, we accept both.
51 * Note that there's a similar kludge in modify_ldt -- look at
52 * the distinction between modes 1 and 0x11.
54 if (LDT_empty(info) || LDT_zero(info))
58 * espfix is required for 16-bit data segments, but espfix
59 * only works for LDT segments.
64 /* Only allow data segments in the TLS array. */
65 if (info->contents > 1)
69 * Non-present segments with DPL 3 present an interesting attack
70 * surface. The kernel should handle such segments correctly,
71 * but TLS is very difficult to protect in a sandbox, so prevent
72 * such segments from being created.
74 * If userspace needs to remove a TLS entry, it can still delete
77 if (info->seg_not_present)
83 static void set_tls_desc(struct task_struct *p, int idx,
84 const struct user_desc *info, int n)
86 struct thread_struct *t = &p->thread;
87 struct desc_struct *desc = &t->tls_array[idx - GDT_ENTRY_TLS_MIN];
91 * We must not get preempted while modifying the TLS.
96 if (LDT_empty(info) || LDT_zero(info)) {
97 memset(desc, 0, sizeof(*desc));
102 * Always set the accessed bit so that the CPU
103 * doesn't try to write to the (read-only) GDT.
111 if (t == ¤t->thread)
118 * Set a given TLS descriptor:
120 int do_set_thread_area(struct task_struct *p, int idx,
121 struct user_desc __user *u_info,
124 struct user_desc info;
125 unsigned short __maybe_unused sel, modified_sel;
127 if (copy_from_user(&info, u_info, sizeof(info)))
130 if (!tls_desc_okay(&info))
134 idx = info.entry_number;
137 * index -1 means the kernel should try to find and
138 * allocate an empty descriptor:
140 if (idx == -1 && can_allocate) {
141 idx = get_free_idx();
144 if (put_user(idx, &u_info->entry_number))
148 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
151 set_tls_desc(p, idx, &info, 1);
154 * If DS, ES, FS, or GS points to the modified segment, forcibly
155 * refresh it. Only needed on x86_64 because x86_32 reloads them
156 * on return to user mode.
158 modified_sel = (idx << 3) | 3;
162 savesegment(ds, sel);
163 if (sel == modified_sel)
164 loadsegment(ds, sel);
166 savesegment(es, sel);
167 if (sel == modified_sel)
168 loadsegment(es, sel);
170 savesegment(fs, sel);
171 if (sel == modified_sel)
172 loadsegment(fs, sel);
174 savesegment(gs, sel);
175 if (sel == modified_sel)
179 #ifdef CONFIG_X86_32_LAZY_GS
180 savesegment(gs, sel);
181 if (sel == modified_sel)
182 loadsegment(gs, sel);
186 if (p->thread.fsindex == modified_sel)
187 p->thread.fsbase = info.base_addr;
189 if (p->thread.gsindex == modified_sel)
190 p->thread.gsbase = info.base_addr;
197 SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info)
199 return do_set_thread_area(current, -1, u_info, 1);
204 * Get the current Thread-Local Storage area:
207 static void fill_user_desc(struct user_desc *info, int idx,
208 const struct desc_struct *desc)
211 memset(info, 0, sizeof(*info));
212 info->entry_number = idx;
213 info->base_addr = get_desc_base(desc);
214 info->limit = get_desc_limit(desc);
215 info->seg_32bit = desc->d;
216 info->contents = desc->type >> 2;
217 info->read_exec_only = !(desc->type & 2);
218 info->limit_in_pages = desc->g;
219 info->seg_not_present = !desc->p;
220 info->useable = desc->avl;
226 int do_get_thread_area(struct task_struct *p, int idx,
227 struct user_desc __user *u_info)
229 struct user_desc info;
231 if (idx == -1 && get_user(idx, &u_info->entry_number))
234 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
237 fill_user_desc(&info, idx,
238 &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]);
240 if (copy_to_user(u_info, &info, sizeof(info)))
245 SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info)
247 return do_get_thread_area(current, -1, u_info);
250 int regset_tls_active(struct task_struct *target,
251 const struct user_regset *regset)
253 struct thread_struct *t = &target->thread;
254 int n = GDT_ENTRY_TLS_ENTRIES;
255 while (n > 0 && desc_empty(&t->tls_array[n - 1]))
260 int regset_tls_get(struct task_struct *target, const struct user_regset *regset,
261 unsigned int pos, unsigned int count,
262 void *kbuf, void __user *ubuf)
264 const struct desc_struct *tls;
266 if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
267 (pos % sizeof(struct user_desc)) != 0 ||
268 (count % sizeof(struct user_desc)) != 0)
271 pos /= sizeof(struct user_desc);
272 count /= sizeof(struct user_desc);
274 tls = &target->thread.tls_array[pos];
277 struct user_desc *info = kbuf;
279 fill_user_desc(info++, GDT_ENTRY_TLS_MIN + pos++,
282 struct user_desc __user *u_info = ubuf;
283 while (count-- > 0) {
284 struct user_desc info;
285 fill_user_desc(&info, GDT_ENTRY_TLS_MIN + pos++, tls++);
286 if (__copy_to_user(u_info++, &info, sizeof(info)))
294 int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
295 unsigned int pos, unsigned int count,
296 const void *kbuf, const void __user *ubuf)
298 struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
299 const struct user_desc *info;
302 if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
303 (pos % sizeof(struct user_desc)) != 0 ||
304 (count % sizeof(struct user_desc)) != 0)
309 else if (__copy_from_user(infobuf, ubuf, count))
314 for (i = 0; i < count / sizeof(struct user_desc); i++)
315 if (!tls_desc_okay(info + i))
319 GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
320 info, count / sizeof(struct user_desc));