5 files changed, 41 insertions, 70 deletions

diff --git a/arch/sh/include/asm/hw_breakpoint.h b/arch/sh/include/asm/hw_breakpoint.h
index 965dd780d51b..382bad937dcc 100644
--- a/arch/sh/include/asm/hw_breakpoint.h
+++ b/arch/sh/include/asm/hw_breakpoint.h
@@ -47,9 +47,8 @@ struct pmu;
 #define HBP_NUM         2
 
 /* arch/sh/kernel/hw_breakpoint.c */
-extern int arch_check_va_in_userspace(unsigned long va, u16 hbp_len);
-extern int arch_validate_hwbkpt_settings(struct perf_event *bp,
-                                         struct task_struct *tsk);
+extern int arch_check_bp_in_kernelspace(struct perf_event *bp);
+extern int arch_validate_hwbkpt_settings(struct perf_event *bp);
 extern int hw_breakpoint_exceptions_notify(struct notifier_block *unused,
                                            unsigned long val, void *data);
 
diff --git a/arch/sh/kernel/hw_breakpoint.c b/arch/sh/kernel/hw_breakpoint.c
index 675eea7785d9..1f2cf6229862 100644
--- a/arch/sh/kernel/hw_breakpoint.c
+++ b/arch/sh/kernel/hw_breakpoint.c
@@ -120,25 +120,16 @@ static int get_hbp_len(u16 hbp_len)
 }
 
 /*
- * Check for virtual address in user space.
- */
-int arch_check_va_in_userspace(unsigned long va, u16 hbp_len)
-{
-        unsigned int len;
-
-        len = get_hbp_len(hbp_len);
-
-        return (va <= TASK_SIZE - len);
-}
-
-/*
  * Check for virtual address in kernel space.
  */
-static int arch_check_va_in_kernelspace(unsigned long va, u8 hbp_len)
+int arch_check_bp_in_kernelspace(struct perf_event *bp)
 {
         unsigned int len;
+        unsigned long va;
+        struct arch_hw_breakpoint *info = counter_arch_bp(bp);
 
-        len = get_hbp_len(hbp_len);
+        va = info->address;
+        len = get_hbp_len(info->len);
 
         return (va >= TASK_SIZE) && ((va + len - 1) >= TASK_SIZE);
 }
@@ -226,8 +217,7 @@ static int arch_build_bp_info(struct perf_event *bp)
 /*
  * Validate the arch-specific HW Breakpoint register settings
  */
-int arch_validate_hwbkpt_settings(struct perf_event *bp,
-                                  struct task_struct *tsk)
+int arch_validate_hwbkpt_settings(struct perf_event *bp)
 {
         struct arch_hw_breakpoint *info = counter_arch_bp(bp);
         unsigned int align;
@@ -270,15 +260,6 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp,
         if (info->address & align)
                 return -EINVAL;
 
-        /* Check that the virtual address is in the proper range */
-        if (tsk) {
-                if (!arch_check_va_in_userspace(info->address, info->len))
-                        return -EFAULT;
-        } else {
-                if (!arch_check_va_in_kernelspace(info->address, info->len))
-                        return -EFAULT;
-        }
-
         return 0;
 }
 
@@ -363,8 +344,7 @@ static int __kprobes hw_breakpoint_handler(struct die_args *args)
                 perf_bp_event(bp, args->regs);
 
                 /* Deliver the signal to userspace */
-                if (arch_check_va_in_userspace(bp->attr.bp_addr,
-                                               bp->attr.bp_len)) {
+                if (!arch_check_bp_in_kernelspace(bp)) {
                         siginfo_t info;
 
                         info.si_signo = args->signr;
diff --git a/arch/x86/include/asm/hw_breakpoint.h b/arch/x86/include/asm/hw_breakpoint.h
index 2a1bd8f4f23a..c77a5a6fab9d 100644
--- a/arch/x86/include/asm/hw_breakpoint.h
+++ b/arch/x86/include/asm/hw_breakpoint.h
@@ -44,9 +44,8 @@ struct arch_hw_breakpoint {
 struct perf_event;
 struct pmu;
 
-extern int arch_check_va_in_userspace(unsigned long va, u8 hbp_len);
-extern int arch_validate_hwbkpt_settings(struct perf_event *bp,
-                                         struct task_struct *tsk);
+extern int arch_check_bp_in_kernelspace(struct perf_event *bp);
+extern int arch_validate_hwbkpt_settings(struct perf_event *bp);
 extern int hw_breakpoint_exceptions_notify(struct notifier_block *unused,
                                            unsigned long val, void *data);
 
diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
index d6cc065f519f..a8f1b803d2fd 100644
--- a/arch/x86/kernel/hw_breakpoint.c
+++ b/arch/x86/kernel/hw_breakpoint.c
@@ -189,25 +189,16 @@ static int get_hbp_len(u8 hbp_len)
 }
 
 /*
- * Check for virtual address in user space.
- */
-int arch_check_va_in_userspace(unsigned long va, u8 hbp_len)
-{
-        unsigned int len;
-
-        len = get_hbp_len(hbp_len);
-
-        return (va <= TASK_SIZE - len);
-}
-
-/*
  * Check for virtual address in kernel space.
  */
-static int arch_check_va_in_kernelspace(unsigned long va, u8 hbp_len)
+int arch_check_bp_in_kernelspace(struct perf_event *bp)
 {
         unsigned int len;
+        unsigned long va;
+        struct arch_hw_breakpoint *info = counter_arch_bp(bp);
 
-        len = get_hbp_len(hbp_len);
+        va = info->address;
+        len = get_hbp_len(info->len);
 
         return (va >= TASK_SIZE) && ((va + len - 1) >= TASK_SIZE);
 }
@@ -300,8 +291,7 @@ static int arch_build_bp_info(struct perf_event *bp)
 /*
  * Validate the arch-specific HW Breakpoint register settings
  */
-int arch_validate_hwbkpt_settings(struct perf_event *bp,
-                                  struct task_struct *tsk)
+int arch_validate_hwbkpt_settings(struct perf_event *bp)
 {
         struct arch_hw_breakpoint *info = counter_arch_bp(bp);
         unsigned int align;
@@ -314,16 +304,6 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp,
 
         ret = -EINVAL;
 
-        if (info->type == X86_BREAKPOINT_EXECUTE)
-                /*
-                 * Ptrace-refactoring code
-                 * For now, we'll allow instruction breakpoint only for user-space
-                 * addresses
-                 */
-                if ((!arch_check_va_in_userspace(info->address, info->len)) &&
-                        info->len != X86_BREAKPOINT_EXECUTE)
-                        return ret;
-
         switch (info->len) {
         case X86_BREAKPOINT_LEN_1:
                 align = 0;
@@ -350,15 +330,6 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp,
         if (info->address & align)
                 return -EINVAL;
 
-        /* Check that the virtual address is in the proper range */
-        if (tsk) {
-                if (!arch_check_va_in_userspace(info->address, info->len))
-                        return -EFAULT;
-        } else {
-                if (!arch_check_va_in_kernelspace(info->address, info->len))
-                        return -EFAULT;
-        }
-
         return 0;
 }
 
diff --git a/kernel/hw_breakpoint.c b/kernel/hw_breakpoint.c
index 9ed9ae3a48b3..89e8a050c43a 100644
--- a/kernel/hw_breakpoint.c
+++ b/kernel/hw_breakpoint.c
@@ -308,6 +308,28 @@ int dbg_release_bp_slot(struct perf_event *bp)
         return 0;
 }
 
+static int validate_hw_breakpoint(struct perf_event *bp)
+{
+        int ret;
+
+        ret = arch_validate_hwbkpt_settings(bp);
+        if (ret)
+                return ret;
+
+        if (arch_check_bp_in_kernelspace(bp)) {
+                if (bp->attr.exclude_kernel)
+                        return -EINVAL;
+                /*
+                 * Don't let unprivileged users set a breakpoint in the trap
+                 * path to avoid trap recursion attacks.
+                 */
+                if (!capable(CAP_SYS_ADMIN))
+                        return -EPERM;
+        }
+
+        return 0;
+}
+
 int register_perf_hw_breakpoint(struct perf_event *bp)
 {
         int ret;
@@ -316,7 +338,7 @@ int register_perf_hw_breakpoint(struct perf_event *bp)
         if (ret)
                 return ret;
 
-        ret = arch_validate_hwbkpt_settings(bp, bp->ctx->task);
+        ret = validate_hw_breakpoint(bp);
 
         /* if arch_validate_hwbkpt_settings() fails then release bp slot */
         if (ret)
@@ -363,7 +385,7 @@ int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *att
         if (attr->disabled)
                 goto end;
 
-        err = arch_validate_hwbkpt_settings(bp, bp->ctx->task);
+        err = validate_hw_breakpoint(bp);
         if (!err)
                 perf_event_enable(bp);