From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Nicholas Piggin, Michael Ellerman, Sasha Levin
Subject: [PATCH 5.15 107/171] powerpc/64s: Mask SRR0 before checking against the masked NIP
Date: Mon, 31 Jan 2022 11:56:12 +0100
Message-Id: <20220131105233.660265910@linuxfoundation.org>
In-Reply-To: <20220131105229.959216821@linuxfoundation.org>
References: <20220131105229.959216821@linuxfoundation.org>
List-ID: linux-kernel@vger.kernel.org

From: Nicholas Piggin

[ Upstream commit aee101d7b95a03078945681dd7f7ea5e4a1e7686 ]

Commit 314f6c23dd8d ("powerpc/64s: Mask NIP before checking against SRR0") masked off the low 2 bits of the NIP value in the interrupt stack frame in case they are non-zero and mis-compare against a SRR0 register value of a CPU which always reads back 0 from the 2 low bits which are reserved.

This now causes the opposite problem that an implementation which does implement those bits in SRR0 will mis-compare against the masked NIP value in which they have been cleared. QEMU is one such implementation, and this is allowed by the architecture.

This can be triggered by sigfuz by setting low bits of PT_NIP in the signal context.

Fix this for now by masking the SRR0 bits as well. Cleaner is probably to sanitise these values before putting them in registers or stack, but this is the quick and backportable fix.

Fixes: 314f6c23dd8d ("powerpc/64s: Mask NIP before checking against SRR0")
Signed-off-by: Nicholas Piggin
Signed-off-by: Michael Ellerman
Link: https://lore.kernel.org/r/20220117134403.2995059-1-npiggin@gmail.com
Signed-off-by: Sasha Levin
---
 arch/powerpc/kernel/interrupt_64.S | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/arch/powerpc/kernel/interrupt_64.S b/arch/powerpc/kernel/interrupt_64.S index 4b1ff94e67eb4..4c6d1a8dcefed 100644 --- a/arch/powerpc/kernel/interrupt_64.S +++ b/arch/powerpc/kernel/interrupt_64.S @@ -30,6 +30,7 @@ COMPAT_SYS_CALL_TABLE: .ifc \srr,srr mfspr r11,SPRN_SRR0 ld r12,_NIP(r1) + clrrdi r11,r11,2 clrrdi r12,r12,2 100: tdne r11,r12 EMIT_WARN_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE) @@ -40,6 +41,7 @@ COMPAT_SYS_CALL_TABLE: .else mfspr r11,SPRN_HSRR0 ld r12,_NIP(r1) + clrrdi r11,r11,2 clrrdi r12,r12,2 100: tdne r11,r12 EMIT_WARN_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE) -- 2.34.1
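Review bot: neither hunk explains why both operands are masked, so the next reader of the SRR0 branch (.ifc \srr,srr) or the HSRR0 branch (.else) may see "clrrdi r11,r11,2" directly followed by "clrrdi r12,r12,2" as redundant and drop one of them, which would reintroduce a false WARN on either the read-back-zero implementations (if the NIP mask goes) or the bit-preserving ones such as QEMU (if the SRR0 mask goes). Suggest a one-line comment above the first clrrdi in each branch, e.g. "/* low 2 bits of SRR0/HSRR0 and NIP are reserved and may read back as 0 or as written; compare only the aligned address */", and, since the ld r12,_NIP(r1) / clrrdi / clrrdi / tdne / EMIT_WARN_ENTRY sequence is now identical in both branches, consider hoisting it out of the .ifc/.else so only the mfspr line differs. Masking SRR0 does mean a corrupted low bit in SRR0 can no longer trip this check, but as the bits are architecturally reserved nothing is lost.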
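To make the mis-compare concrete, here is an added C model of the SRR0/NIP sanity check before and after this patch; it is illustrative code written for this page, not kernel code, and the two "CPU" behaviours, the address 0x10001000 and the helper names are constructed assumptions. It shows that the pre-fix check (NIP masked, SRR0 not) fires on an implementation that preserves the reserved low bits when userspace hands in a NIP with those bits set, that the post-fix check does not, and that a genuine mismatch above bit 1 is still reported by both.

```c
/* Added model (not kernel code) of the SRR0 vs. NIP check in
 * arch/powerpc/kernel/interrupt_64.S before and after masking SRR0.
 * CPU behaviours, addresses and helper names are constructed for
 * illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The two low bits of SRR0 are reserved.  Some implementations always read
 * them back as 0; others (QEMU, per the commit message) keep what was written. */
typedef enum { SRR0_LOW_BITS_READ_ZERO, SRR0_LOW_BITS_PRESERVED } cpu_model;

/* Model of writing SRR0 from the stack NIP and reading it back (mfspr). */
static uint64_t read_back_srr0(cpu_model cpu, uint64_t written)
{
    return cpu == SRR0_LOW_BITS_READ_ZERO ? (written & ~3ULL) : written;
}

/* Pre-fix check (state after commit 314f6c23dd8d): only the stack NIP
 * is masked, SRR0 is compared as read back. */
static bool mismatch_old(uint64_t srr0, uint64_t nip)
{
    return srr0 != (nip & ~3ULL);
}

/* Post-fix check: both values have their low two bits cleared, which is
 * what the two "clrrdi rX,rX,2" instructions do before "tdne r11,r12". */
static bool mismatch_new(uint64_t srr0, uint64_t nip)
{
    return (srr0 & ~3ULL) != (nip & ~3ULL);
}

/* Simulate the interrupt-return path: SRR0 is loaded from the frame's
 * NIP, then the debug check compares the read-back SRR0 against NIP.
 * Returns true when the WARN would fire. */
static bool check_fires(cpu_model cpu, uint64_t stack_nip, bool fixed)
{
    uint64_t srr0 = read_back_srr0(cpu, stack_nip);
    return fixed ? mismatch_new(srr0, stack_nip) : mismatch_old(srr0, stack_nip);
}

/* A real corruption (SRR0 and NIP differ above bit 1) must still be caught
 * by the fixed check; the mask only hides the reserved bits. */
static bool detects_real_mismatch(bool fixed)
{
    uint64_t nip = 0x10001000ULL, srr0 = 0x10001004ULL; /* constructed values */
    return fixed ? mismatch_new(srr0, nip) : mismatch_old(srr0, nip);
}

int main(void)
{
    /* NIP with the reserved low bits set, as sigfuz can produce by writing
     * PT_NIP in a signal context.  Constructed value. */
    uint64_t dirty_nip = 0x10001000ULL | 0x3;

    printf("read-zero CPU, old check:   %s\n",
           check_fires(SRR0_LOW_BITS_READ_ZERO, dirty_nip, false) ? "WARN" : "ok");
    printf("preserving CPU, old check:  %s\n",
           check_fires(SRR0_LOW_BITS_PRESERVED, dirty_nip, false) ? "WARN" : "ok");
    printf("preserving CPU, new check:  %s\n",
           check_fires(SRR0_LOW_BITS_PRESERVED, dirty_nip, true) ? "WARN" : "ok");
    printf("real mismatch, new check:   %s\n",
           detects_real_mismatch(true) ? "WARN" : "ok");
    return 0;
}
```

The only case that changes between the two versions is the bit-preserving implementation with a dirty NIP: the old check reports a spurious mismatch there, the new one does not, while a mismatch in the address bits proper is flagged by both.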