be7e94f8 GKH
From foo@baz Thu Oct 18 11:11:32 CEST 2018
From: Michael Neuling <mikey@neuling.org>
Date: Tue, 25 Sep 2018 19:36:47 +1000
Subject: powerpc/tm: Avoid possible userspace r1 corruption on reclaim

From: Michael Neuling <mikey@neuling.org>

[ Upstream commit 96dc89d526ef77604376f06220e3d2931a0bfd58 ]

Currently we store the userspace r1 to PACATMSCRATCH before finally
saving it to the thread struct.

In theory an exception could be taken here (like a machine check or
SLB miss) that could write PACATMSCRATCH and hence corrupt the
userspace r1. The SLB fault currently doesn't touch PACATMSCRATCH, but
others do.

We've never actually seen this happen but it's theoretically
possible. Either way, the code is fragile as it is.

This patch saves r1 to the kernel stack (which can't fault) before we
turn MSR[RI] back on. PACATMSCRATCH is still used but only with
MSR[RI] off. We then copy r1 from the kernel stack to the thread
struct once we have MSR[RI] back on.

Suggested-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/tm.S | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

35 | --- a/arch/powerpc/kernel/tm.S | |
36 | +++ b/arch/powerpc/kernel/tm.S | |
37 | @@ -169,6 +169,13 @@ _GLOBAL(tm_reclaim) | |
38 | std r11, GPR11(r1) /* Temporary stash */ | |
39 | ||
40 | /* | |
41 | + * Move the saved user r1 to the kernel stack in case PACATMSCRATCH is | |
42 | + * clobbered by an exception once we turn on MSR_RI below. | |
43 | + */ | |
44 | + ld r11, PACATMSCRATCH(r13) | |
45 | + std r11, GPR1(r1) | |
46 | + | |
47 | + /* | |
48 | * Store r13 away so we can free up the scratch SPR for the SLB fault | |
49 | * handler (needed once we start accessing the thread_struct). | |
50 | */ | |
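Review bot: the new stash `ld r11, PACATMSCRATCH(r13)` / `std r11, GPR1(r1)` is only safe because the preceding `std r11, GPR11(r1) /* Temporary stash */` has already saved the user's r11, and because MSR[RI] is still off at this point so no recoverable exception can overwrite PACATMSCRATCH between the load and the store; neither constraint is recorded in the new comment. Suggest extending it to state that r11 is free to reuse here and that this copy must stay ahead of the point where RI is re-enabled, so a later reorder of tm_reclaim does not reopen the window this patch closes. Minor: the comment writes MSR_RI while the commit message writes MSR[RI]; pick one spelling.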
51 | @@ -204,7 +211,7 @@ _GLOBAL(tm_reclaim) | |
52 | SAVE_GPR(8, r7) /* user r8 */ | |
53 | SAVE_GPR(9, r7) /* user r9 */ | |
54 | SAVE_GPR(10, r7) /* user r10 */ | |
55 | - ld r3, PACATMSCRATCH(r13) /* user r1 */ | |
56 | + ld r3, GPR1(r1) /* user r1 */ | |
57 | ld r4, GPR7(r1) /* user r7 */ | |
58 | ld r5, GPR11(r1) /* user r11 */ | |
59 | ld r6, GPR12(r1) /* user r12 */ |
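Review bot: `ld r3, GPR1(r1) /* user r1 */` now reads the copy stashed on the kernel stack and is consistent with the neighbouring `ld r4, GPR7(r1)` and `ld r5, GPR11(r1)` loads, which address the same stack frame through r1; however nothing at this site records that GPR1(r1) was filled earlier in tm_reclaim precisely so that PACATMSCRATCH is never read once MSR[RI] is on. Suggest a one-line comment here pointing back to that stash, so a future change neither moves this load back to PACATMSCRATCH nor reuses the GPR1(r1) slot in between. The diffstat (8 insertions, 1 deletion) matches the two hunks.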