25 Sep
2025
25 Sep
'25
4:46 p.m.
On Sun, Sep 21, 2025 at 02:21:35PM +0100, Mark Brown wrote:
diff --git a/arch/arm64/mm/gcs.c b/arch/arm64/mm/gcs.c index fd1d5a6655de..4649c2b107a7 100644 --- a/arch/arm64/mm/gcs.c +++ b/arch/arm64/mm/gcs.c @@ -199,14 +199,37 @@ void gcs_set_el0_mode(struct task_struct *task) void gcs_free(struct task_struct *task) {
- unsigned long __user *cap_ptr;
- unsigned long cap_val;
- int ret;
- if (!system_supports_gcs()) return;
if (!task->mm || task->mm != current->mm) return;
- if (task->thread.gcs_base)
- if (task->thread.gcs_base) { vm_munmap(task->thread.gcs_base, task->thread.gcs_size);
- } else if (task == current &&
task->thread.gcs_el0_mode & PR_SHADOW_STACK_EXIT_TOKEN) {
I checked the code paths leading here and task is always current. But better to keep the test in case the core code ever changes.
cap_ptr = (unsigned long __user *)read_sysreg_s(SYS_GCSPR_EL0);cap_ptr--;cap_val = GCS_CAP(cap_ptr);/** We can't do anything constructive if this fails,* and the thread might be exiting due to being in a* bad state anyway.*/put_user_gcs(cap_val, cap_ptr, &ret);/** Ensure the new cap is ordered before standard* memory accesses to the same location.*/gcsb_dsync();- }
The only downside is that, if the thread did not unwind properly, we don't write the token where it was initially. We could save the token address from clone3() and restore it there instead.
--
Catalin