Etusivu Tutki Apua
Kirjaudu sisään
GfA
/
linux_kernel
5
0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Selaa lähdekoodia

powerpc/tm: Fix illegal TM state in signal handler

Currently it's possible that on returning from the signal handler
through the restore_tm_sigcontexts() code path (e.g. from a signal
caught due to a `trap` instruction executed in the middle of an HTM
block, or a deliberately constructed sigframe) an illegal TM state
(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
implicitly the MSR register from SRR1 register on return to userspace
it causes a TM Bad Thing exception.

That illegal state can be set (a) by a malicious user that disables
the TM bit by tweaking the bits in uc_mcontext before returning from
the signal handler or (b) by a sufficient number of context switches
occurring such that the load_tm counter overflows and TM is disabled
whilst in the signal handler.

This commit fixes the illegal TM state by ensuring that TM bit is
always enabled before we return from restore_tm_sigcontexts(). A small
comment correction is made as well.

Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Gustavo Romero 8 vuotta sitten
vanhempi
265e60a170
commit
044215d145
1 muutettua tiedostoa jossa 12 lisäystä ja 1 poistoa
Jaettu näkymä Näytä diff tilastot
  1. 12 1
      arch/powerpc/kernel/signal_64.c

+ 12 - 1
arch/powerpc/kernel/signal_64.c
Näytä tiedosto 

@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
 
 	if (MSR_TM_RESV(msr))
 
 		return -EINVAL;
 
 
-	/* pull in MSR TM from user context */
 
+	/* pull in MSR TS bits from user context */
 
 	regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);
 
 
+	/*
 
+	 * Ensure that TM is enabled in regs->msr before we leave the signal
 
+	 * handler. It could be the case that (a) user disabled the TM bit
 
+	 * through the manipulation of the MSR bits in uc_mcontext or (b) the
 
+	 * TM bit was disabled because a sufficient number of context switches
 
+	 * happened whilst in the signal handler and load_tm overflowed,
 
+	 * disabling the TM bit. In either case we can end up with an illegal
 
+	 * TM state leading to a TM Bad Thing when we return to userspace.
 
+	 */
 
+	regs->msr |= MSR_TM;
 
+
 
 	/* pull in MSR LE from user context */
 
 	regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);