[PATCH v2 4/8] powerpc/signal64: Access function descriptor with scoped user access

[PATCH v2 0/8] powerpc/signal: Convert to scoped user access · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-06-02
[PATCH v2 1/8] powerpc/signal32: Convert to scoped user access · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-06-02
[PATCH v2 2/8] powerpc/signal64: Untangle setup_tm_sigcontexts() and user_access_begin() · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-06-02
[PATCH v2 3/8] powerpc/signal64: Convert to scoped user access · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-06-02
[PATCH v2 4/8] powerpc/signal64: Access function descriptor with scoped user access · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-06-02
[PATCH v2 5/8] powerpc/signal: Include the new stack frame inside the user access block · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-06-02
[PATCH v2 6/8] signal: Add unsafe_copy_siginfo_to_user() · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-06-02
[PATCH v2 7/8] powerpc/uaccess: Add unsafe_clear_user() · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-06-02
[PATCH v2 8/8] powerpc/signal: Use unsafe_copy_siginfo_to_user() · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-06-02

COLD23d

Revisions (2)

2026-05-22 v1 [diff vs current]
2026-06-02 v2 current

From: "Christophe Leroy (CS GROUP)" <chleroy@kernel.org>
Date: 2026-06-02 08:47:20
Also in: lkml
Subsystem: linux for powerpc (32-bit and 64-bit), the rest · Maintainers: Madhavan Srinivasan, Michael Ellerman, Linus Torvalds

Access the function descriptor of the handler within a scoped
user access block.

Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
---
 arch/powerpc/kernel/signal_64.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index 4ff8ad5d60d0..d23a980b32a8 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c

@@ -932,8 +932,10 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
 		struct func_desc __user *ptr =
 			(struct func_desc __user *)ksig->ka.sa.sa_handler;
 
-		err |= get_user(regs->ctr, &ptr->addr);
-		err |= get_user(regs->gpr[2], &ptr->toc);
+		scoped_user_read_access(ptr, badfunc) {
+			unsafe_get_user(regs->ctr, &ptr->addr, badfunc);
+			unsafe_get_user(regs->gpr[2], &ptr->toc, badfunc);
+		}
 	}
 
 	/* enter the signal handler in native-endian mode */

@@ -956,5 +958,10 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
 badframe:
 	signal_fault(current, regs, "handle_rt_signal64", frame);
 
+	return 1;
+
+badfunc:
+	signal_fault(current, regs, __func__, (void __user *)ksig->ka.sa.sa_handler);
+
 	return 1;
 }

-- 
2.54.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help