From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Michael Neuling, Breno Leitao, Michael Ellerman, Sasha Levin
Subject: [PATCH 4.14 27/41] powerpc/tm: Fix userspace r13 corruption
Date: Thu, 18 Oct 2018 19:54:42 +0200
Message-Id: <20181018175421.682751775@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181018175416.718399607@linuxfoundation.org>
References: <20181018175416.718399607@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Neuling

[ Upstream commit cf13435b730a502e814c63c84d93db131e563f5f ]

When we treclaim we store the userspace checkpointed r13 to a scratch
SPR and then later save the scratch SPR to the user thread struct.

Unfortunately, this doesn't work as accessing the user thread struct
can take an SLB fault and the SLB fault handler will write the same
scratch SPRG that now contains the userspace r13.

To fix this, we store r13 to the kernel stack (which can't fault)
before we access the user thread struct.

Found by running P8 guest + powervm + disable_1tb_segments + TM. Seen
as a random userspace segfault with r13 looking like a kernel address.

Signed-off-by: Michael Neuling
Reviewed-by: Breno Leitao
Signed-off-by: Michael Ellerman
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 arch/powerpc/kernel/tm.S | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/tm.S +++ b/arch/powerpc/kernel/tm.S
@@ -167,13 +167,20 @@ _GLOBAL(tm_reclaim) std r1, PACATMSCRATCH(r13) ld r1, PACAR1(r13) - /* Store the PPR in r11 and reset to decent value */ std r11, GPR11(r1) /* Temporary stash */ + /* + * Store r13 away so we can free up the scratch SPR for the SLB fault + * handler (needed once we start accessing the thread_struct). + */ + GET_SCRATCH0(r11) + std r11, GPR13(r1) + /* Reset MSR RI so we can take SLB faults again */ li r11, MSR_RI mtmsrd r11, 1 + /* Store the PPR in r11 and reset to decent value */ mfspr r11, SPRN_PPR HMT_MEDIUM @@ -202,7 +209,7 @@ _GLOBAL(tm_reclaim) ld r4, GPR7(r1) /* user r7 */ ld r5, GPR11(r1) /* user r11 */ ld r6, GPR12(r1) /* user r12 */ - GET_SCRATCH0(8) /* user r13 */ + ld r8, GPR13(r1) /* user r13 */ std r3, GPR1(r7) std r4, GPR7(r7) std r5, GPR11(r7)
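
Review bot: the new comment in the first hunk (@@ -167,13 +167,20 @@) explains why r13 is saved but not that the save has to stay ahead of the `mtmsrd r11, 1` that sets MSR_RI. The existing comment on that instruction says SLB faults can be taken again from there, and the commit message says the SLB fault handler writes the same scratch SPR, so a later reorder that moves `GET_SCRATCH0(r11)` and `std r11, GPR13(r1)` below the mtmsrd would bring the corruption back without any build-time signal. Suggest extending the comment to state that this must precede setting MSR_RI, and that r11 is usable as a temporary here only because it was just stashed by `std r11, GPR11(r1)`.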
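
Review bot: in the second hunk (@@ -202,7 +209,7 @@) `ld r8, GPR13(r1)` now depends on the stack slot written in the first hunk, but the unchanged `/* user r13 */` comment gives no hint of that dependency. Suggest pointing the comment at the earlier save (for example "user r13, saved to the stack before MSR_RI was set"). It would also be worth confirming in the changelog that no other read of the scratch SPR remains after the mtmsrd in tm_reclaim, since any such read would have the same exposure to the SLB fault handler as the removed `GET_SCRATCH0(8)`.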