4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Apr 2020 13:20:53 +0000 (15:20 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Apr 2020 13:20:53 +0000 (15:20 +0200)
added patches:
powerpc-64-tm-don-t-let-userspace-set-regs-trap-via-sigreturn.patch

queue-4.9/powerpc-64-tm-don-t-let-userspace-set-regs-trap-via-sigreturn.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/powerpc-64-tm-don-t-let-userspace-set-regs-trap-via-sigreturn.patch b/queue-4.9/powerpc-64-tm-don-t-let-userspace-set-regs-trap-via-sigreturn.patch
new file mode 100644 (file)
index 0000000..a79dafe
--- /dev/null
@@ -0,0 +1,64 @@
+From c7def7fbdeaa25feaa19caf4a27c5d10bd8789e4 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 31 Mar 2020 22:47:19 +1100
+Subject: powerpc/64/tm: Don't let userspace set regs->trap via sigreturn
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit c7def7fbdeaa25feaa19caf4a27c5d10bd8789e4 upstream.
+
+In restore_tm_sigcontexts() we take the trap value directly from the
+user sigcontext with no checking:
+
+       err |= __get_user(regs->trap, &sc->gp_regs[PT_TRAP]);
+
+This means we can be in the kernel with an arbitrary regs->trap value.
+
+Although that's not immediately problematic, there is a risk we could
+trigger one of the uses of CHECK_FULL_REGS():
+
+       #define CHECK_FULL_REGS(regs)   BUG_ON(regs->trap & 1)
+
+It can also cause us to unnecessarily save non-volatile GPRs again in
+save_nvgprs(), which shouldn't be problematic but is still wrong.
+
+It's also possible it could trick the syscall restart machinery, which
+relies on regs->trap not being == 0xc00 (see 9a81c16b5275 ("powerpc:
+fix double syscall restarts")), though I haven't been able to make
+that happen.
+
+Finally it doesn't match the behaviour of the non-TM case, in
+restore_sigcontext() which zeroes regs->trap.
+
+So change restore_tm_sigcontexts() to zero regs->trap.
+
+This was discovered while testing Nick's upcoming rewrite of the
+syscall entry path. In that series the call to save_nvgprs() prior to
+signal handling (do_notify_resume()) is removed, which leaves the
+low-bit of regs->trap uncleared which can then trigger the FULL_REGS()
+WARNs in setup_tm_sigcontexts().
+
+Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
+Cc: stable@vger.kernel.org # v3.9+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200401023836.3286664-1-mpe@ellerman.id.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/signal_64.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -469,8 +469,10 @@ static long restore_tm_sigcontexts(struc
+       err |= __get_user(tsk->thread.ckpt_regs.ccr,
+                         &sc->gp_regs[PT_CCR]);
++      /* Don't allow userspace to set the trap value */
++      regs->trap = 0;
++
+       /* These regs are not checkpointed; they can go in 'regs'. */
+-      err |= __get_user(regs->trap, &sc->gp_regs[PT_TRAP]);
+       err |= __get_user(regs->dar, &sc->gp_regs[PT_DAR]);
+       err |= __get_user(regs->dsisr, &sc->gp_regs[PT_DSISR]);
+       err |= __get_user(regs->result, &sc->gp_regs[PT_RESULT]);
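Review bot: The new comment above `regs->trap = 0;` says what is done but not why, and the reason is exactly the security-relevant part: the low bit of regs->trap is the FULL_REGS marker that CHECK_FULL_REGS() turns into a BUG_ON, and the syscall-restart path keys off regs->trap != 0xc00, so a userspace-chosen value via sigreturn is a user-triggerable kernel assert or a restart-logic confusion. I would expand it to `/* Never take regs->trap from the user sigcontext: its low bit is the FULL_REGS marker (CHECK_FULL_REGS) and the syscall restart code keys off it; zero it like restore_sigcontext() does. */` so the next reader does not "restore" the __get_user for symmetry with the lines below. Note that regs->dar, regs->dsisr and regs->result on the following lines are still taken verbatim from userspace; that mirrors the non-TM restore_sigcontext() and the commit message treats them as harmless non-checkpointed state, so it is not a defect in this change, but it may be worth saying in the comment that trap is the one field deliberately excluded. restore_tm_sigcontexts() begins and ends outside this hunk, so I could not confirm the err handling that follows the removed line.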
index ff4794b9b2d7cb60d8265101cd028556a5f5d625..4f66f700d810f490c9559c74f433d238878b4fdb 100644 (file)
@@ -55,3 +55,4 @@ kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch
 cpufreq-powernv-fix-use-after-free.patch
 hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch
 libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch
+powerpc-64-tm-don-t-let-userspace-set-regs-trap-via-sigreturn.patch