From: Sasha Levin
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Michael Neuling, Michael Ellerman, Sasha Levin
Subject: [PATCH AUTOSEL 4.18 54/58] powerpc/tm: Fix userspace r13 corruption
Date: Mon, 8 Oct 2018 11:25:19 -0400
Message-Id: <20181008152523.70705-54-sashal@kernel.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181008152523.70705-1-sashal@kernel.org>
References: <20181008152523.70705-1-sashal@kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Michael Neuling

[ Upstream commit cf13435b730a502e814c63c84d93db131e563f5f ]

When we treclaim we store the userspace checkpointed r13 to a scratch
SPR and then later save the scratch SPR to the user thread struct.

Unfortunately, this doesn't work as accessing the user thread struct
can take an SLB fault and the SLB fault handler will write the same
scratch SPRG that now contains the userspace r13.

To fix this, we store r13 to the kernel stack (which can't fault)
before we access the user thread struct.

Found by running P8 guest + powervm + disable_1tb_segments + TM. Seen
as a random userspace segfault with r13 looking like a kernel address.

Signed-off-by: Michael Neuling
Reviewed-by: Breno Leitao
Signed-off-by: Michael Ellerman
Signed-off-by: Sasha Levin
---
 arch/powerpc/kernel/tm.S | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/tm.S b/arch/powerpc/kernel/tm.S index ff12f47a96b6..11a8f0b71422 100644 --- a/arch/powerpc/kernel/tm.S +++ b/arch/powerpc/kernel/tm.S
@@ -175,13 +175,20 @@ _GLOBAL(tm_reclaim) std r1, PACATMSCRATCH(r13) ld r1, PACAR1(r13) - /* Store the PPR in r11 and reset to decent value */ std r11, GPR11(r1) /* Temporary stash */ + /* + * Store r13 away so we can free up the scratch SPR for the SLB fault + * handler (needed once we start accessing the thread_struct). + */ + GET_SCRATCH0(r11) + std r11, GPR13(r1) + /* Reset MSR RI so we can take SLB faults again */ li r11, MSR_RI mtmsrd r11, 1 + /* Store the PPR in r11 and reset to decent value */ mfspr r11, SPRN_PPR HMT_MEDIUM @@ -210,7 +217,7 @@ _GLOBAL(tm_reclaim) ld r4, GPR7(r1) /* user r7 */ ld r5, GPR11(r1) /* user r11 */ ld r6, GPR12(r1) /* user r12 */ - GET_SCRATCH0(8) /* user r13 */ + ld r8, GPR13(r1) /* user r13 */ std r3, GPR1(r7) std r4, GPR7(r7) std r5, GPR11(r7) -- 2.17.1
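
Review bot: In the first hunk (@@ -175,13 +175,20 @@), the new comment above GET_SCRATCH0(r11) says why r13 is stashed but not that the stash has to stay ahead of the "Reset MSR RI" block. The fix only holds while GET_SCRATCH0(r11) and std r11, GPR13(r1) execute before mtmsrd r11, 1, because, per the commit message, once SLB faults can be taken the fault handler writes the same scratch SPR. Suggest stating the ordering in the comment, for example "must be done before MSR[RI] is set", so a later reordering of this block does not reintroduce the corruption.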
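
Review bot: In the second hunk (@@ -210,7 +217,7 @@), ld r8, GPR13(r1) replaces the one late read of the scratch SPR that is visible here, but the hunks do not show whether any other GET_SCRATCH0 use remains in tm_reclaim after mtmsrd r11, 1. Any such read would hit the same problem the commit message describes, so it is worth confirming against the full tm.S in the 4.18 tree before this is queued. The load also relies on the GPR13(r1) slot written in the first hunk staying untouched in between; the neighbouring loads from GPR7(r1), GPR11(r1) and GPR12(r1) follow the same pattern, so it is consistent with the surrounding code.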