arm64: mops: Do not dereference src reg for a set operation

JIRA: https://issues.redhat.com/browse/RHEL-101059

commit a13bfa4
Author: Keir Fraser <keirf@google.com>
Date: Wed, 26 Mar 2025 11:04:47 +0000

    The source register is not used for SET* and reading it can result in
    a UBSAN out-of-bounds array access error, specifically when the MOPS
    exception is taken from a SET* sequence with XZR (reg 31) as the
    source. Architecturally this is the only case where a src/dst/size
    field in the ESR can be reported as 31.

    Prior to 2de451a the code in do_el0_mops() was benign as the
    use of pt_regs_read_reg() prevented the out-of-bounds access.

    Fixes: 2de451a ("KVM: arm64: Add handler for MOPS exceptions")
    Cc: <stable@vger.kernel.org> # 6.12.x
    Cc: Kristina Martsenko <kristina.martsenko@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Cc: stable@vger.kernel.org
    Reviewed-by: Marc Zyngier <maz@kernel.org>
    Signed-off-by: Keir Fraser <keirf@google.com>
    Reviewed-by: Kristina Martšenko <kristina.martsenko@arm.com>
    Acked-by: Mark Rutland <mark.rutland@arm.com>
    Link: https://lore.kernel.org/r/20250326110448.3792396-1-keirf@google.com
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

Signed-off-by: Mark Salter <msalter@redhat.com>

Author: mosalter

arch/arm64/include/asm/traps.h

@@ -115,10 +115,9 @@ static inline void arm64_mops_reset_regs(struct user_pt_regs *regs, unsigned lon
 	int dstreg = ESR_ELx_MOPS_ISS_DESTREG(esr);
 	int srcreg = ESR_ELx_MOPS_ISS_SRCREG(esr);
 	int sizereg = ESR_ELx_MOPS_ISS_SIZEREG(esr);
-	unsigned long dst, src, size;
+	unsigned long dst, size;
 
 	dst = regs->regs[dstreg];
-	src = regs->regs[srcreg];
 	size = regs->regs[sizereg];
 
 	/*
@@ -135,6 +134,7 @@ static inline void arm64_mops_reset_regs(struct user_pt_regs *regs, unsigned lon
 		}
 	} else {
 		/* CPY* instruction */
+		unsigned long src = regs->regs[srcreg];
 		if (!(option_a ^ wrong_option)) {
 			/* Format is from Option B */
 			if (regs->pstate & PSR_N_BIT) {