63 lines
2.6 KiB
Diff
From: Gustavo Romero <gromero@linux.vnet.ibm.com>
Date: Tue, 22 Aug 2017 17:20:09 -0400
Subject: powerpc/tm: Fix illegal TM state in signal handler
Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea

Currently it's possible that on returning from the signal handler
through the restore_tm_sigcontexts() code path (e.g. from a signal
caught due to a `trap` instruction executed in the middle of an HTM
block, or a deliberately constructed sigframe) an illegal TM state
(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
implicitly the MSR register from SRR1 register on return to userspace
it causes a TM Bad Thing exception.

That illegal state can be set (a) by a malicious user that disables
the TM bit by tweaking the bits in uc_mcontext before returning from
the signal handler or (b) by a sufficient number of context switches
occurring such that the load_tm counter overflows and TM is disabled
whilst in the signal handler.

This commit fixes the illegal TM state by ensuring that TM bit is
always enabled before we return from restore_tm_sigcontexts(). A small
comment correction is made as well.

Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index c83c115858c1..b2c002993d78 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
if (MSR_TM_RESV(msr))
return -EINVAL;

- /* pull in MSR TM from user context */
+ /* pull in MSR TS bits from user context */
regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);

+ /*
+ * Ensure that TM is enabled in regs->msr before we leave the signal
+ * handler. It could be the case that (a) user disabled the TM bit
+ * through the manipulation of the MSR bits in uc_mcontext or (b) the
+ * TM bit was disabled because a sufficient number of context switches
+ * happened whilst in the signal handler and load_tm overflowed,
+ * disabling the TM bit. In either case we can end up with an illegal
+ * TM state leading to a TM Bad Thing when we return to userspace.
+ */
+ regs->msr |= MSR_TM;
+
/* pull in MSR LE from user context */
regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);

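Review bot: the new `regs->msr |= MSR_TM;` is unconditional, so it sets TM even when the TS bits just copied from the user context are 00 (no transaction active); that is what the commit message asks for, but the comment above it would be clearer if it said so explicitly, e.g. "TM is set here regardless of the TS value and regardless of the TM bit in the user-supplied msr". It is also worth stating in that comment that the only bits this path takes from `msr` are `MSR_TS_MASK` and `MSR_LE`, so a tweaked uc_mcontext cannot clear TM through these lines, and that the `MSR_TM_RESV(msr)` check above still rejects the reserved TS encoding before any of this runs, which is the right order. The comment change from "MSR TM" to "MSR TS bits" matches what the masking line actually does.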
--
2.11.0
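The "T0" state the commit message describes is easier to see with the MSR bits spelled out. The following C program is an added example, not code from the kernel or from this patch: it models only the TM-related tail of restore_tm_sigcontexts() shown in the hunk, with a `fixed` switch selecting the pre- or post-patch behaviour, and a small checker that flags a transaction state (TS != 00) with the TM facility bit clear. The bit positions (TM = bit 32, TS = bits 33 and 34) are taken from my recollection of arch/powerpc/include/asm/reg.h and the `-22` return value stands in for -EINVAL; both are assumptions, as are the `restore_tm_msr`, `tm_state_illegal` and `tm_state_name` helper names and the "N1"/"S0"-style labels for states the message does not name.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added model of the TM-related tail of restore_tm_sigcontexts(); not the
 * kernel's code. Bit positions are assumed from asm/reg.h: MSR_TM is bit 32,
 * the TS field is bits 33 (S) and 34 (T).
 */
#define MSR_LE      (1ULL << 0)   /* little-endian mode */
#define MSR_TM      (1ULL << 32)  /* TM facility available */
#define MSR_TS_S    (1ULL << 33)  /* TM state: suspended     (TS=01) */
#define MSR_TS_T    (1ULL << 34)  /* TM state: transactional (TS=10) */
#define MSR_TS_MASK (MSR_TS_T | MSR_TS_S)
#define MSR_TM_RESV(x) (((x) & MSR_TS_MASK) == MSR_TS_MASK) /* TS=11 is reserved */
#define EINVAL_RET  (-22)         /* stands in for -EINVAL (assumed value) */

/* Label like the commit message's "T0": TS field letter (T/S/N) then TM bit. */
static const char *tm_state_name(uint64_t msr)
{
    uint64_t ts = msr & MSR_TS_MASK;
    bool tm = (msr & MSR_TM) != 0;
    if (ts == MSR_TS_T) return tm ? "T1" : "T0";
    if (ts == MSR_TS_S) return tm ? "S1" : "S0";
    if (ts == 0)        return tm ? "N1" : "N0";
    return "reserved";
}

/* Illegal: a transaction state (TS != 00) while the TM facility bit is off. */
static bool tm_state_illegal(uint64_t msr)
{
    return (msr & MSR_TS_MASK) != 0 && !(msr & MSR_TM);
}

/*
 * Model of the patched code path. regs_msr is the kernel's MSR on entry (TM
 * may already be clear, cases (a) and (b) of the commit message); user_msr is
 * the value read from the user's TM sigcontext. Returns 0 or EINVAL_RET.
 */
static int restore_tm_msr(uint64_t *regs_msr, uint64_t user_msr, bool fixed)
{
    if (MSR_TM_RESV(user_msr))
        return EINVAL_RET;

    /* pull in MSR TS bits from user context */
    *regs_msr = (*regs_msr & ~MSR_TS_MASK) | (user_msr & MSR_TS_MASK);

    /* the fix: TM is always enabled before returning to userspace */
    if (fixed)
        *regs_msr |= MSR_TM;

    /* pull in MSR LE from user context */
    *regs_msr = (*regs_msr & ~MSR_LE) | (user_msr & MSR_LE);
    return 0;
}

/* True if the restored MSR would reach rfid in an illegal TM state. */
static bool restore_leaves_illegal_state(uint64_t regs_msr_in,
                                         uint64_t user_msr, bool fixed)
{
    uint64_t msr = regs_msr_in;
    if (restore_tm_msr(&msr, user_msr, fixed) != 0)
        return false; /* rejected with -EINVAL, never reaches rfid */
    return tm_state_illegal(msr);
}

int main(void)
{
    /* Constructed scenario: TM already clear in regs->msr, user context says
     * "transactional" (TS=10): the "T0" case from the commit message. */
    uint64_t regs_in = MSR_LE;            /* TM bit clear */
    uint64_t user = MSR_TS_T | MSR_LE;
    uint64_t msr;

    msr = regs_in;
    restore_tm_msr(&msr, user, false);
    printf("before fix: %s illegal=%d\n", tm_state_name(msr), (int)tm_state_illegal(msr));

    msr = regs_in;
    restore_tm_msr(&msr, user, true);
    printf("after fix:  %s illegal=%d\n", tm_state_name(msr), (int)tm_state_illegal(msr));
    return 0;
}
```

Note that the reserved TS=11 encoding is rejected before the TM bit is touched in both variants; the fix only changes the case where the user-supplied TS bits are valid but TM has been cleared beforehand.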