From nobody Sat Sep 13 16:56:15 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37E8DC38142 for ; Tue, 31 Jan 2023 22:21:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231802AbjAaWU6 (ORCPT ); Tue, 31 Jan 2023 17:20:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48624 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230215AbjAaWUy (ORCPT ); Tue, 31 Jan 2023 17:20:54 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5007299 for ; Tue, 31 Jan 2023 14:20:53 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D954A6173D for ; Tue, 31 Jan 2023 22:20:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3A91CC4339E; Tue, 31 Jan 2023 22:20:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1675203652; bh=D80eThzhKADVxqMORjVE0hDBHtRmV9viVdr2cZRnMSo=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=S2cVe/5sEOqaNnnne3v6HNZSuV5Ucgco7KfF4OGjPCfTc3vsXbaS3/GIsQJsjJ9gv k1z6qjS+kmuS+ZC/ZTI/BJ7Tli2LK4UtloP2IqeYcEQFeVQQXeIOn5dp/UYhWOtoeD LhXgxIXAwK9fdyVL8im/tyQnvzo4vCvXxHS7fqPRKbMLOrF/nl7ZIIQi4EpRUsDVSX egAvwEv82lWT0n59zXIpfhdk/y2gD/ZWhHexM2Y8h6TNfly2VFk9BsJC/LUPXKqQde ZkXIfBAzo+k6Qf9E7Z23A+AfCo2J9gEA/xAozlq8ZDkFM3GHtllzsBdDHNhmgFW3kR R6IUUCJTJWnUg== 
From: Mark Brown
Date: Tue, 31 Jan 2023 22:20:39 +0000
Subject: [PATCH v3 1/7] arm64/signal: Don't redundantly verify FPSIMD magic
Message-Id: <20221212-arm64-signal-cleanup-v3-1-4545c94b20ff@kernel.org>
References: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
In-Reply-To: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
To: Catalin Marinas, Will Deacon
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Mark Brown

We validate that the magic in the struct fpsimd_context is correct in
restore_fpsimd_context() but this is redundant since parse_user_sigframe()
uses this magic to decide to call the function in the first place. Remove
the extra validation.

Signed-off-by: Mark Brown
---
 arch/arm64/kernel/signal.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index ed692284f199..882f6d913508 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -191,15 +191,14 @@ static int preserve_fpsimd_context(struct fpsimd_cont= ext __user *ctx) static int restore_fpsimd_context(struct fpsimd_context __user *ctx) { struct user_fpsimd_state fpsimd; - __u32 magic, size; + __u32 size; int err =3D 0; =20 - /* check the magic/size information */ - __get_user_error(magic, &ctx->head.magic, err); + /* check the size information */ __get_user_error(size, &ctx->head.size, err); if (err) return -EFAULT; - if (magic !=3D FPSIMD_MAGIC || size !=3D sizeof(struct fpsimd_context)) + if (size !=3D sizeof(struct fpsimd_context)) return -EINVAL; =20 /* copy the FP and status/control registers */ --=20 2.30.2 From nobody Sat Sep 13 16:56:15 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DBCA3C636D4 for ; Tue, 31 Jan 2023 22:21:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231795AbjAaWVA (ORCPT ); Tue, 31 Jan 2023 17:21:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48632 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231571AbjAaWUz (ORCPT ); Tue, 31 Jan 2023 17:20:55 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C237199 for ; Tue, 31 Jan 2023 14:20:54 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 57D1A6172A for ; Tue, 31 Jan 2023 22:20:54 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B8258C433EF; Tue, 31 Jan 2023 22:20:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1675203653; 
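Review bot: dropping the FPSIMD_MAGIC comparison in restore_fpsimd_context() is only sound while this function stays reachable solely from the FPSIMD_MAGIC case of parse_user_sigframe(); since the function takes a bare `struct fpsimd_context __user *ctx` and keeps no record of which magic it was called for, a one-line comment where the check used to be ("caller has already matched FPSIMD_MAGIC") would document that assumption for the next person who adds a caller. The remaining `__get_user_error(size, &ctx->head.size, err)` is still a second, independent read of the user-supplied header after parse_user_sigframe() has already read it, so the size compared here is not guaranteed to be the size the parser saw; that is worth addressing separately rather than leaving the reread in place.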
From: Mark Brown
Date: Tue, 31 Jan 2023 22:20:40 +0000
Subject: [PATCH v3 2/7] arm64/signal: Remove redundant size validation from parse_user_sigframe()
Message-Id: <20221212-arm64-signal-cleanup-v3-2-4545c94b20ff@kernel.org>
References: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
In-Reply-To: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
To: Catalin Marinas, Will Deacon
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Mark Brown

There is some minimal size validation in parse_user_sigframe(); however,
all of the individual parsing functions perform frame-specific validation
of the sizing information. Remove the frame-specific size checks in the
core so that there isn't any confusion about what we validate for size.

Since the checks in the SVE and ZA parsing are after we have read the
relevant context, and since they won't report an error if the frame is
undersized, they are adjusted to check for this before doing anything
else.
Signed-off-by: Mark Brown --- arch/arm64/kernel/signal.c | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 882f6d913508..3228b5a1dfe3 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -278,6 +278,9 @@ static int restore_sve_fpsimd_context(struct user_ctxs = *user) if (__copy_from_user(&sve, user->sve, sizeof(sve))) return -EFAULT; =20 + if (sve.head.size < sizeof(*user->sve)) + return -EINVAL; + if (sve.flags & SVE_SIG_FLAG_SM) { if (!system_supports_sme()) return -EINVAL; @@ -293,7 +296,7 @@ static int restore_sve_fpsimd_context(struct user_ctxs = *user) if (sve.vl !=3D vl) return -EINVAL; =20 - if (sve.head.size <=3D sizeof(*user->sve)) { + if (sve.head.size =3D=3D sizeof(*user->sve)) { clear_thread_flag(TIF_SVE); current->thread.svcr &=3D ~SVCR_SM_MASK; current->thread.fp_type =3D FP_STATE_FPSIMD; @@ -434,10 +437,13 @@ static int restore_za_context(struct user_ctxs *user) if (__copy_from_user(&za, user->za, sizeof(za))) return -EFAULT; =20 + if (za.head.size < sizeof(*user->za)) + return -EINVAL; + if (za.vl !=3D task_get_sme_vl(current)) return -EINVAL; =20 - if (za.head.size <=3D sizeof(*user->za)) { + if (za.head.size =3D=3D sizeof(*user->za)) { current->thread.svcr &=3D ~SVCR_ZA_MASK; return 0; } @@ -614,9 +620,6 @@ static int parse_user_sigframe(struct user_ctxs *user, if (user->fpsimd) goto invalid; =20 - if (size < sizeof(*user->fpsimd)) - goto invalid; - user->fpsimd =3D (struct fpsimd_context __user *)head; break; =20 @@ -631,9 +634,6 @@ static int parse_user_sigframe(struct user_ctxs *user, if (user->sve) goto invalid; =20 - if (size < sizeof(*user->sve)) - goto invalid; - user->sve =3D (struct sve_context __user *)head; break; =20 
@@ -657,9 +657,6 @@ static int parse_user_sigframe(struct user_ctxs *user, if (user->za) goto invalid; =20 - if (size < sizeof(*user->za)) - goto invalid; - user->za =3D (struct za_context __user *)head; break; =20 --=20 2.30.2 From nobody Sat Sep 13 16:56:15 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F2335C636CC for ; Tue, 31 Jan 2023 22:21:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231861AbjAaWVD (ORCPT ); Tue, 31 Jan 2023 17:21:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48658 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231761AbjAaWU5 (ORCPT ); Tue, 31 Jan 2023 17:20:57 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 336928A67 for ; Tue, 31 Jan 2023 14:20:56 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C4CE261735 for ; Tue, 31 Jan 2023 22:20:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 34E1AC4339E; Tue, 31 Jan 2023 22:20:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1675203655; bh=YpH6fafYhYf6x8eZ1M52Uvm+n4ibYwRkXd68E+NmahA=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=ptf92ot01JM8ibIKFVKAzJ8iWzbEdOzZCbejJ0uCr7PWP9R6hM/F1WU6KLOw9YxQQ M1ej0b6SM3h7UP/t9eTKeFU+QIvkaOzCQanpctrZXcU//Tjg1JCJS9F6fbU6kQhc20 t/EXSrh61ZvBYv6S8ta8b55bjIX7Oajv/TvjKMON6I8XM2bPCLzjy+oKXZvIM2smJW K/Q1zgKAiIOrb833XbJcyw6i+VN3C10jsabz/wd4c2DxmGCbkKemheBQo80/XZTxAo 
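Review bot: in the restore_sve_fpsimd_context() and restore_za_context() hunks the new `if (sve.head.size < sizeof(*user->sve)) return -EINVAL;` (and its ZA twin) is placed after the `__copy_from_user(&sve, user->sve, sizeof(sve))` that supplies the value, so an undersized frame is still read in full, from a header parse_user_sigframe() has already read once, before it is rejected; the commit message's "before doing anything else" overstates what the code does. Either keep the minimum-size check in the core, where `size` is already in hand, or carry the parser's size into the restore functions so the reread goes away. The `<=` to `==` change on the following line is correct given that the new `<` rejection now precedes it.

Review bot: the parse_user_sigframe() hunks drop the minimum-size checks for the FPSIMD, SVE and ZA cases only, while the commit message says "the frame specific size checks in the core" without qualification; as the later 4/7 in this series shows, the TPIDR2 and ZT cases keep theirs after this patch. Either remove all of them here or say in the message which ones are left for later.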
From: Mark Brown
Date: Tue, 31 Jan 2023 22:20:41 +0000
Subject: [PATCH v3 3/7] arm64/signal: Make interface for restore_fpsimd_context() consistent
Message-Id: <20221212-arm64-signal-cleanup-v3-3-4545c94b20ff@kernel.org>
References: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
In-Reply-To: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
To: Catalin Marinas, Will Deacon
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Mark Brown

Instead of taking a pointer to struct user_ctxs like the other two
restore_blah_context() functions, the FPSIMD function takes a pointer to
the user struct it should read. Change it to be consistent with the rest,
both for consistency and to prepare for changes which avoid rereading
data that has already been read by the core parsing code.

There should be no functional change from this patch.
Signed-off-by: Mark Brown --- arch/arm64/kernel/signal.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 3228b5a1dfe3..49321871783d 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -170,6 +170,14 @@ static void __user *apply_user_offset( return base + offset; } =20 +struct user_ctxs { + struct fpsimd_context __user *fpsimd; + struct sve_context __user *sve; + struct tpidr2_context __user *tpidr2; + struct za_context __user *za; + struct zt_context __user *zt; +}; + static int preserve_fpsimd_context(struct fpsimd_context __user *ctx) { struct user_fpsimd_state const *fpsimd =3D @@ -188,24 +196,24 @@ static int preserve_fpsimd_context(struct fpsimd_cont= ext __user *ctx) return err ? -EFAULT : 0; } =20 -static int restore_fpsimd_context(struct fpsimd_context __user *ctx) +static int restore_fpsimd_context(struct user_ctxs *user) { struct user_fpsimd_state fpsimd; __u32 size; int err =3D 0; =20 /* check the size information */ - __get_user_error(size, &ctx->head.size, err); + __get_user_error(size, &user->fpsimd->head.size, err); if (err) return -EFAULT; if (size !=3D sizeof(struct fpsimd_context)) return -EINVAL; =20 /* copy the FP and status/control registers */ - err =3D __copy_from_user(fpsimd.vregs, ctx->vregs, + err =3D __copy_from_user(fpsimd.vregs, &(user->fpsimd->vregs), sizeof(fpsimd.vregs)); - __get_user_error(fpsimd.fpsr, &ctx->fpsr, err); - __get_user_error(fpsimd.fpcr, &ctx->fpcr, err); + __get_user_error(fpsimd.fpsr, &(user->fpsimd->fpsr), err); + __get_user_error(fpsimd.fpcr, &(user->fpsimd->fpcr), err); =20 clear_thread_flag(TIF_SVE); current->thread.fp_type =3D FP_STATE_FPSIMD; 
@@ -218,14 +226,6 @@ static int restore_fpsimd_context(struct fpsimd_contex= t __user *ctx) } =20 =20 -struct user_ctxs { - struct fpsimd_context __user *fpsimd; - struct sve_context __user *sve; - struct tpidr2_context __user *tpidr2; - struct za_context __user *za; - struct zt_context __user *zt; -}; - #ifdef CONFIG_ARM64_SVE =20 static int preserve_sve_context(struct sve_context __user *ctx) 
@@ -789,7 +789,7 @@ static int restore_sigframe(struct pt_regs *regs, if (user.sve) err =3D restore_sve_fpsimd_context(&user); else - err =3D restore_fpsimd_context(user.fpsimd); + err =3D restore_fpsimd_context(&user); } =20 if (err =3D=3D 0 && system_supports_sme() && user.tpidr2) --=20 2.30.2 From nobody Sat Sep 13 16:56:15 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5442EC636CC for ; Tue, 31 Jan 2023 22:21:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231838AbjAaWVH (ORCPT ); Tue, 31 Jan 2023 17:21:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48764 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231827AbjAaWU6 (ORCPT ); Tue, 31 Jan 2023 17:20:58 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AC37149026 for ; Tue, 31 Jan 2023 14:20:57 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4373561741 for ; Tue, 31 Jan 2023 22:20:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A5015C4339C; Tue, 31 Jan 2023 22:20:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1675203656; bh=eeqciihnDg2sEO/vf9yVNE4k6Cr0hu6F8Uy6SJu5kEw=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=GzUIaeC1G+aXThwpEWPvfSuYozQKYQYujuRGrB8J6iQwoarElqKp56r/6uS1aHv94 YyP2ldIzMMSzU1QXwm4ADKJgosJKUorP56yzfgcbwNoHuDHdRGsMgdm/TKDF40d1KO 1ikJiJs+MLXA0eybuul3vj6Q0pitoQcHoVwkszuzDu/5wX1O9uQDPcMsogCMlbkOag WHI8d3pXkJScxFvEV+TIpvoESZh+EDIH+jZjZDq+oLiqawD/yCA48eZcvVZK1xdx3g 
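Review bot: style, in the restore_fpsimd_context() hunk the parentheses in `&(user->fpsimd->vregs)`, `&(user->fpsimd->fpsr)` and `&(user->fpsimd->fpcr)` are redundant and do not match the `&user->fpsimd->head.size` form used two lines above in the same function; `&user->fpsimd->vregs` reads the same. Behaviour is unchanged, as the message says: the old `ctx->vregs` decayed to a pointer to the first element and `&user->fpsimd->vregs` is a pointer to the whole array, which is the same address for the `const void __user *` argument of __copy_from_user(). Moving the struct user_ctxs definition above preserve_fpsimd_context() is a pure relocation needed for the new prototype.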
From: Mark Brown
Date: Tue, 31 Jan 2023 22:20:42 +0000
Subject: [PATCH v3 4/7] arm64/signal: Avoid rereading context frame sizes
Message-Id: <20221212-arm64-signal-cleanup-v3-4-4545c94b20ff@kernel.org>
References: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
In-Reply-To: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
To: Catalin Marinas, Will Deacon
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Mark Brown

We need to read the sizes of the signal context frames as part of parsing
the overall signal context in parse_user_sigframe(). In the cases where
we defer frame-specific parsing to other functions, those functions
(other than the recently added TPIDR2 parser) reread the size and
validate the version they read, opening the possibility that the value
may change. Avoid this possibility by passing the size read in
parse_user_sigframe() through user_ctxs and referring to that.

For consistency we move the size check for the TPIDR2 context into the
TPIDR2 parsing function.
Note that for SVE, ZA and ZT contexts we still read the size again but after this change we no longer use the value, further changes will avoid the read. Signed-off-by: Mark Brown --- arch/arm64/kernel/signal.c | 52 ++++++++++++++++++++++++------------------= ---- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 49321871783d..567e8e5b6998 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -172,10 +172,15 @@ static void __user *apply_user_offset( =20 struct user_ctxs { struct fpsimd_context __user *fpsimd; + u32 fpsimd_size; struct sve_context __user *sve; + u32 sve_size; struct tpidr2_context __user *tpidr2; + u32 tpidr2_size; struct za_context __user *za; + u32 za_size; struct zt_context __user *zt; + u32 zt_size; }; =20 static int preserve_fpsimd_context(struct fpsimd_context __user *ctx) @@ -199,14 +204,10 @@ static int preserve_fpsimd_context(struct fpsimd_cont= ext __user *ctx) static int restore_fpsimd_context(struct user_ctxs *user) { struct user_fpsimd_state fpsimd; - __u32 size; int err =3D 0; =20 /* check the size information */ - __get_user_error(size, &user->fpsimd->head.size, err); - if (err) - return -EFAULT; - if (size !=3D sizeof(struct fpsimd_context)) + if (user->fpsimd_size !=3D sizeof(struct fpsimd_context)) return -EINVAL; =20 /* copy the FP and status/control registers */ @@ -275,12 +276,12 @@ static int restore_sve_fpsimd_context(struct user_ctx= s *user) struct user_fpsimd_state fpsimd; struct sve_context sve; =20 + if (user->sve_size < sizeof(*user->sve)) + return -EINVAL; + if (__copy_from_user(&sve, user->sve, sizeof(sve))) return -EFAULT; =20 - if (sve.head.size < sizeof(*user->sve)) - return -EINVAL; - if (sve.flags & SVE_SIG_FLAG_SM) { if (!system_supports_sme()) return -EINVAL; 
@@ -296,7 +297,7 @@ static int restore_sve_fpsimd_context(struct user_ctxs = *user) if (sve.vl !=3D vl) return -EINVAL; =20 - if (sve.head.size =3D=3D sizeof(*user->sve)) { + if (user->sve_size =3D=3D sizeof(*user->sve)) { clear_thread_flag(TIF_SVE); current->thread.svcr &=3D ~SVCR_SM_MASK; current->thread.fp_type =3D FP_STATE_FPSIMD; @@ -305,7 +306,7 @@ static int restore_sve_fpsimd_context(struct user_ctxs = *user) =20 vq =3D sve_vq_from_vl(sve.vl); =20 - if (sve.head.size < SVE_SIG_CONTEXT_SIZE(vq)) + if (user->sve_size < SVE_SIG_CONTEXT_SIZE(vq)) return -EINVAL; =20 /* @@ -385,7 +386,9 @@ static int restore_tpidr2_context(struct user_ctxs *use= r) u64 tpidr2_el0; int err =3D 0; =20 - /* Magic and size were validated deciding to call this function */ + if (user->tpidr2_size !=3D sizeof(*user->tpidr2)) + return -EINVAL; + __get_user_error(tpidr2_el0, &user->tpidr2->tpidr2, err); if (!err) current->thread.tpidr2_el0 =3D tpidr2_el0; @@ -434,23 +437,23 @@ static int restore_za_context(struct user_ctxs *user) unsigned int vq; struct za_context za; =20 + if (user->za_size < sizeof(*user->za)) + return -EINVAL; + if (__copy_from_user(&za, user->za, sizeof(za))) return -EFAULT; =20 - if (za.head.size < sizeof(*user->za)) - return -EINVAL; - if (za.vl !=3D task_get_sme_vl(current)) return -EINVAL; =20 - if (za.head.size =3D=3D sizeof(*user->za)) { + if (user->za_size =3D=3D sizeof(*user->za)) { current->thread.svcr &=3D ~SVCR_ZA_MASK; return 0; } =20 vq =3D sve_vq_from_vl(za.vl); =20 - if (za.head.size < ZA_SIG_CONTEXT_SIZE(vq)) + if (user->za_size < ZA_SIG_CONTEXT_SIZE(vq)) return -EINVAL; =20 /* 
@@ -521,15 +524,15 @@ static int restore_zt_context(struct user_ctxs *user) if (!thread_za_enabled(¤t->thread)) return -EINVAL; =20 + if (user->zt_size !=3D ZT_SIG_CONTEXT_SIZE(1)) + return -EINVAL; + if (__copy_from_user(&zt, user->zt, sizeof(zt))) return -EFAULT; =20 if (zt.nregs !=3D 1) return -EINVAL; =20 - if (zt.head.size !=3D ZT_SIG_CONTEXT_SIZE(zt.nregs)) - return -EINVAL; - /* * Careful: we are about __copy_from_user() directly into * thread.zt_state with preemption enabled, so protection is @@ -621,6 +624,7 @@ static int parse_user_sigframe(struct user_ctxs *user, goto invalid; =20 user->fpsimd =3D (struct fpsimd_context __user *)head; + user->fpsimd_size =3D size; break; =20 case ESR_MAGIC: @@ -635,6 +639,7 @@ static int parse_user_sigframe(struct user_ctxs *user, goto invalid; =20 user->sve =3D (struct sve_context __user *)head; + user->sve_size =3D size; break; =20 case TPIDR2_MAGIC: @@ -644,10 +649,8 @@ static int parse_user_sigframe(struct user_ctxs *user, if (user->tpidr2) goto invalid; =20 - if (size !=3D sizeof(*user->tpidr2)) - goto invalid; - user->tpidr2 =3D (struct tpidr2_context __user *)head; + user->tpidr2_size =3D size; break; =20 case ZA_MAGIC: @@ -658,6 +661,7 @@ static int parse_user_sigframe(struct user_ctxs *user, goto invalid; =20 user->za =3D (struct za_context __user *)head; + user->za_size =3D size; break; =20 case ZT_MAGIC: 
@@ -667,10 +671,8 @@ static int parse_user_sigframe(struct user_ctxs *user, if (user->zt) goto invalid; =20 - if (size < sizeof(*user->zt)) - goto invalid; - user->zt =3D (struct zt_context __user *)head; + user->zt_size =3D size; break; =20 case EXTRA_MAGIC: --=20 2.30.2 From nobody Sat Sep 13 16:56:15 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A709C38142 for ; Tue, 31 Jan 2023 22:21:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231880AbjAaWVS (ORCPT ); Tue, 31 Jan 2023 17:21:18 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49106 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229919AbjAaWVG (ORCPT ); Tue, 31 Jan 2023 17:21:06 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DDED25A814 for ; Tue, 31 Jan 2023 14:21:00 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 6D62CB81F6F for ; Tue, 31 Jan 2023 22:20:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 219E7C433EF; Tue, 31 Jan 2023 22:20:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1675203658; bh=IN6lMV+oaoaxi8+vZVcEWJL7NnQKJn0obuqWcAFzEg8=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=rZQkjJBL00CKKDPNfnoDEsYzjJol2KMDyLu1Ng6W7e17+eFMFgx6MFwH96ywTneNo oJtkGMLVJQMo5krm4NyRKDrkSiFx/eUjAVOWVvHvcrfnwzcKV12Ma0ayEwmEmoRlwc iMIwl5ctFhu+T5oidPQHJUQNZZvtZsigo/kSqlalRF3OriuOYZGeJ4J8YkG6rVw9Ay lPUZQXyV8V0/2MhoPNoScw9kkXUiGeFiGPDyy3r+O8rwQOahZgTcoAkI2u7nS7/yvz 
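Review bot: the new `*_size` members of struct user_ctxs are now the only sizes consulted for the bounds decisions (`SVE_SIG_CONTEXT_SIZE(vq)`, `ZA_SIG_CONTEXT_SIZE(vq)`, `ZT_SIG_CONTEXT_SIZE(1)`), which is what closes the window in which a second read of `head.size` could differ from what parse_user_sigframe() checked; that invariant deserves a comment on the struct ("sizes as read and validated by parse_user_sigframe(); restore functions must not consult head.size"), because the `__copy_from_user(&sve, ...)` and `&za` reads still pull a fresh `head.size` into a local and nothing stops a future change from using it.

Review bot: in the restore_zt_context() hunk, `user->zt_size != ZT_SIG_CONTEXT_SIZE(1)` hard-codes the single-register case that the `zt.nregs != 1` check a few lines below also enforces; the two must stay in sync, so either derive both from one named constant or add a comment tying them together. Reordering also means a wrong-sized ZT frame now fails with -EINVAL before the `__copy_from_user()` can fail with -EFAULT, which is fine but is a change in which error surfaces first.

Review bot: moving the TPIDR2 size check out of parse_user_sigframe() changes when it fires: a bad tpidr2 size is now reported by restore_tpidr2_context() rather than by the parser's `invalid` path, which only matters if another frame in the same sigframe would have produced a different error first, but the commit message says this is done "for consistency" and could say the ordering changes too.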
From: Mark Brown
Date: Tue, 31 Jan 2023 22:20:43 +0000
Subject: [PATCH v3 5/7] arm64/signal: Only read new data when parsing the SVE context
Message-Id: <20221212-arm64-signal-cleanup-v3-5-4545c94b20ff@kernel.org>
References: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
In-Reply-To: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
To: Catalin Marinas, Will Deacon
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Mark Brown

When we parse the SVE signal context, we read the entire context from
userspace, including the generic signal context header which was already
read by parse_user_sigframe() and padding bytes that we ignore. Avoid the
possibility of relying on the second read of the data read twice by only
reading the data which we are actually going to use.

Signed-off-by: Mark Brown
---
 arch/arm64/kernel/signal.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 567e8e5b6998..27a1fa37f926 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -271,18 +271,20 @@ static int preserve_sve_context(struct sve_context __= user *ctx) =20 static int restore_sve_fpsimd_context(struct user_ctxs *user) { - int err; + int err =3D 0; unsigned int vl, vq; struct user_fpsimd_state fpsimd; - struct sve_context sve; + u16 user_vl, flags; =20 if (user->sve_size < sizeof(*user->sve)) return -EINVAL; =20 - if (__copy_from_user(&sve, user->sve, sizeof(sve))) - return -EFAULT; + __get_user_error(user_vl, &(user->sve->vl), err); + __get_user_error(flags, &(user->sve->flags), err); + if (err) + return err; =20 - if (sve.flags & SVE_SIG_FLAG_SM) { + if (flags & SVE_SIG_FLAG_SM) { if (!system_supports_sme()) return -EINVAL; =20 @@ -294,7 +296,7 @@ static int restore_sve_fpsimd_context(struct user_ctxs = *user) vl =3D task_get_sve_vl(current); } =20 - if (sve.vl !=3D vl) + if (user_vl !=3D vl) return -EINVAL; =20 if (user->sve_size =3D=3D sizeof(*user->sve)) { @@ -304,7 +306,7 @@ static int restore_sve_fpsimd_context(struct user_ctxs = *user) goto fpsimd_only; } =20 - vq =3D sve_vq_from_vl(sve.vl); + vq =3D sve_vq_from_vl(vl); =20 if (user->sve_size < SVE_SIG_CONTEXT_SIZE(vq)) return -EINVAL; 
@@ -332,7 +334,7 @@ static int restore_sve_fpsimd_context(struct user_ctxs = *user) if (err) return -EFAULT; =20 - if (sve.flags & SVE_SIG_FLAG_SM) + if (flags & SVE_SIG_FLAG_SM) current->thread.svcr |=3D SVCR_SM_MASK; else set_thread_flag(TIF_SVE); --=20 2.30.2 From nobody Sat Sep 13 16:56:15 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5132CC636D4 for ; Tue, 31 Jan 2023 22:21:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232000AbjAaWVY (ORCPT ); Tue, 31 Jan 2023 17:21:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49166 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231868AbjAaWVN (ORCPT ); Tue, 31 Jan 2023 17:21:13 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7F6284E537 for ; Tue, 31 Jan 2023 14:21:02 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id DD1DEB81F68 for ; Tue, 31 Jan 2023 22:21:00 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 977F8C433D2; Tue, 31 Jan 2023 22:20:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1675203659; bh=s9F37xM7LhFLJp/xf/SllF+Kjwk5ytmvBvB+YyKKABs=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=skGxjp2ImrOUOXpJCDOVO8Be8XE9TWgnCf+cH0nq9VeYJCKo8FsunY7CSXM37usUl 7e2VsaKxrzMbaKPvPPmlyCD4mA2cGBzAcA4APSJN1yBmE+xwasE+4EqG42mtllcCIE 04zEszNtcvR1+c9wEi29GDPpl71Xj/DQB01P67F1ANU/uGeIOLvdXdDnx3yu8wTZ0g hDENCrGEsXkdJyKX0rpi5G/hRqHAz6cPHx+conpcbD07jG0+iqnwEmVWAFBI7+geaf 
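Review bot: in the first restore_sve_fpsimd_context() hunk, `if (err) return err;` hands back whatever __get_user_error() stored, whereas the `return -EFAULT;` it replaces and the `if (err) return -EFAULT;` visible in the last hunk of the same function state the fault code explicitly; returning -EFAULT here keeps the function's fault path uniform and independent of the accessor's internals. The `u16 user_vl, flags;` locals must match the width of the vl and flags members of the uapi struct sve_context, since a narrower local would silently truncate what __get_user_error() reads; please confirm against the header when applying. Switching `vq = sve_vq_from_vl(sve.vl)` to `sve_vq_from_vl(vl)` is the right call: `user_vl != vl` has already been rejected, so vq is now derived from the kernel's own vector length and the user-read value no longer feeds any size computation.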
From: Mark Brown
Date: Tue, 31 Jan 2023 22:20:44 +0000
Subject: [PATCH v3 6/7] arm64/signal: Only read new data when parsing the ZA context
Message-Id: <20221212-arm64-signal-cleanup-v3-6-4545c94b20ff@kernel.org>
References: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
In-Reply-To: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
To: Catalin Marinas , Will Deacon
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Mark Brown

When we parse the ZA signal context we read the entire context from userspace, including the generic signal context header which was already read by parse_user_sigframe() and padding bytes that we ignore. Avoid the possibility of relying on the second read of the data read twice by only reading the data which we are actually going to use.

Signed-off-by: Mark Brown
---
arch/arm64/kernel/signal.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 27a1fa37f926..7810d090c025 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -435,17 +435,18 @@ static int preserve_za_context(struct za_context __us= er *ctx) =20 static int restore_za_context(struct user_ctxs *user) { - int err; + int err =3D 0; unsigned int vq; - struct za_context za; + u16 user_vl; =20 if (user->za_size < sizeof(*user->za)) return -EINVAL; =20 - if (__copy_from_user(&za, user->za, sizeof(za))) - return -EFAULT; + __get_user_error(user_vl, &(user->za->vl), err); + if (err) + return err; =20 - if (za.vl !=3D task_get_sme_vl(current)) + if (user_vl !=3D task_get_sme_vl(current)) return -EINVAL; =20 if (user->za_size =3D=3D sizeof(*user->za)) { 
@@ -453,7 +454,7 @@ static int restore_za_context(struct user_ctxs *user) return 0; } =20 - vq =3D sve_vq_from_vl(za.vl); + vq =3D sve_vq_from_vl(user_vl); =20 if (user->za_size < ZA_SIG_CONTEXT_SIZE(vq)) return -EINVAL; --=20 2.30.2
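Review bot: `vq = sve_vq_from_vl(user_vl)` in the second hunk derives the quadword count from the user-supplied copy, whereas the corresponding SVE hunk earlier in this series derives it from the kernel's `vl`; the two are equal after the `user_vl != task_get_sme_vl(current)` check, but deriving it from the task's value (for example `vq = sve_vq_from_vl(task_get_sme_vl(current));`, or a local holding that value) keeps the user copy as something that is only compared and never consumed, and makes the SVE and ZA restore paths read the same way.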
From: Mark Brown
Date: Tue, 31 Jan 2023 22:20:45 +0000
Subject: [PATCH v3 7/7] arm64/signal: Only read new data when parsing the ZT context
Message-Id: <20221212-arm64-signal-cleanup-v3-7-4545c94b20ff@kernel.org>
References: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
In-Reply-To: <20221212-arm64-signal-cleanup-v3-0-4545c94b20ff@kernel.org>
To: Catalin Marinas , Will Deacon
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Mark Brown

When we parse the ZT signal context we read the entire context from userspace, including the generic signal context header which was already read by parse_user_sigframe() and padding bytes that we ignore. Avoid the possibility of relying on the second read of the data read twice by only reading the data which we are actually going to use.

Signed-off-by: Mark Brown
---
arch/arm64/kernel/signal.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 7810d090c025..d7b5ed8a9b7f 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -521,7 +521,7 @@ static int preserve_zt_context(struct zt_context __user= *ctx) static int restore_zt_context(struct user_ctxs *user) { int err; - struct zt_context zt; + u16 nregs; =20 /* ZA must be restored first for this check to be valid */ if (!thread_za_enabled(¤t->thread)) @@ -530,10 +530,10 @@ static int restore_zt_context(struct user_ctxs *user) if (user->zt_size !=3D ZT_SIG_CONTEXT_SIZE(1)) return -EINVAL; =20 - if (__copy_from_user(&zt, user->zt, sizeof(zt))) + if (__copy_from_user(&nregs, &(user->zt->nregs), sizeof(nregs))) return -EFAULT; =20 - if (zt.nregs !=3D 1) + if (nregs !=3D 1) return -EINVAL; =20 /* --=20 2.30.2
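Review bot: the second hunk reads the single u16 `nregs` with `__copy_from_user(&nregs, &(user->zt->nregs), sizeof(nregs))` while the SVE and ZA patches in this series switched equivalent single-field reads to `__get_user_error()`; for consistency, and a plain single-word access, consider `__get_user_error(nregs, &(user->zt->nregs), err)`, which would also require the `int err;` left untouched in the first hunk to become `int err = 0;` as the other two patches do, since `__get_user_error()` only assigns `err` on a fault.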
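Added illustration, not code from the page or from the kernel, of the double-fetch hazard that the ZA and ZT commit messages guard against: a field that is validated on one read of user memory and consumed on a later read can change in between, whereas a field read once into a local and then compared against the kernel's own value cannot. `TASK_VL`, `VQ_FROM_VL()` and the simulated user memory are constructed stand-ins for the task's vector length, `sve_vq_from_vl()` and a signal frame being rewritten by another thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the task's vector length and for
 * sve_vq_from_vl(): one quadword per 16 bytes of vector length. */
#define TASK_VL 32u
#define VQ_FROM_VL(vl) ((vl) / 16u)

/* Simulated user memory: the vl field reads as `first` on the first
 * access and as `second` afterwards, modelling a frame that another
 * thread overwrites while it is being parsed. */
struct user_vl_mem { uint16_t first, second; unsigned reads; };

static uint16_t fetch_vl(struct user_vl_mem *um)
{
	return um->reads++ == 0 ? um->first : um->second;
}

/* Double-fetch pattern: the value that is validated is not the value
 * that is used. Returns the derived vq, or 0 if the frame is rejected. */
unsigned vq_via_double_fetch(uint16_t first, uint16_t second)
{
	struct user_vl_mem um = { first, second, 0 };

	if (fetch_vl(&um) != TASK_VL)		/* read 1: validate */
		return 0;			/* -EINVAL in the kernel */
	return VQ_FROM_VL(fetch_vl(&um));	/* read 2: use; may differ */
}

/* Single-fetch pattern, as in this series: read the field once into a
 * local, compare it with the kernel's value, then derive vq from the
 * kernel's value so the user copy is only compared, never consumed. */
unsigned vq_via_single_fetch(uint16_t first, uint16_t second)
{
	struct user_vl_mem um = { first, second, 0 };
	uint16_t user_vl = fetch_vl(&um);

	if (user_vl != TASK_VL)
		return 0;
	return VQ_FROM_VL(TASK_VL);
}

int main(void)
{
	/* vl changes 32 -> 64 between the two reads */
	printf("double fetch: vq=%u\n", vq_via_double_fetch(32, 64)); /* 4 */
	printf("single fetch: vq=%u\n", vq_via_single_fetch(32, 64)); /* 2 */
	return 0;
}
```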