linux-uconsole/arch/powerpc/kernel
Gustavo Romero 569775bd53 powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts
[ Upstream commit a8318c13e7 ]

When in userspace and MSR FP=0 the hardware FP state is unrelated to
the current process. This is extended for transactions where if tbegin
is run with FP=0, the hardware checkpoint FP state will also be
unrelated to the current process. Due to this, we need to ensure this
hardware checkpoint is updated with the correct state before we enable
FP for this process.

Unfortunately we get this wrong when returning to a process from a
hardware interrupt. A process that starts a transaction with FP=0 can
take an interrupt. When the kernel returns back to that process, we
change to FP=1 but with hardware checkpoint FP state not updated. If
this transaction is then rolled back, the FP registers now contain the
wrong state.

The process looks like this:
   Userspace:                      Kernel

               Start userspace
                with MSR FP=0 TM=1
                  < -----
   ...
   tbegin
   bne
               Hardware interrupt
                   ---- >
                                    <do_IRQ...>
                                    ....
                                    ret_from_except
                                      restore_math()
                                        /* sees FP=0 */
                                        restore_fp()
                                          tm_active_with_fp()
                                            /* sees FP=1 (Incorrect) */
                                          load_fp_state()
                                        FP = 0 -> 1
                  < -----
               Return to userspace
                 with MSR TM=1 FP=1
                 with junk in the FP TM checkpoint
   TM rollback
   reads FP junk

When returning from the hardware exception, tm_active_with_fp() is
incorrectly making restore_fp() call load_fp_state() which is setting
FP=1.

The fix is to remove tm_active_with_fp().

tm_active_with_fp() is attempting to handle the case where FP state
has been changed inside a transaction. In this case the checkpointed
and transactional FP state is different and hence we must restore the
FP state (i.e. we can't do lazy FP restore inside a transaction that's
used FP). It's safe to remove tm_active_with_fp() as this case is
handled by restore_tm_state(). restore_tm_state() detects if FP has
been used inside a transaction and will set load_fp and call
restore_math() to ensure the FP state (checkpoint and transaction) is
restored.

This is a data integrity problem for the current process as the FP
registers are corrupted. It's also a security problem as the FP
registers from one process may be leaked to another.

Similarly for VMX.

A simple testcase to replicate this will be posted to
tools/testing/selftests/powerpc/tm/tm-poison.c

This fixes CVE-2019-15031.

Fixes: a7771176b4 ("powerpc: Don't enable FP/Altivec if not checkpointed")
Cc: stable@vger.kernel.org # 4.15+
Signed-off-by: Gustavo Romero <gromero@linux.ibm.com>
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20190904045529.23002-2-gromero@linux.vnet.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-16 08:22:25 +02:00
trace powerpc: consolidate -mno-sched-epilog into FTRACE flags 2019-01-13 09:51:05 +01:00
vdso32 powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 2019-05-02 09:58:52 +02:00
vdso64 powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038 2019-03-27 14:14:40 +09:00
.gitignore
align.c powerpc/sstep: Introduce GETTYPE macro 2018-06-03 21:19:40 +10:00
asm-offsets.c KVM: PPC: Use ccr field in pt_regs struct embedded in vcpu struct 2019-09-16 08:22:18 +02:00
audit.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
btext.c powerpc: Make function btext_initialize static 2018-05-25 12:04:44 +10:00
cacheinfo.c
cacheinfo.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
compat_audit.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cpu_setup_6xx.S powerpc: clean inclusions of asm/feature-fixups.h 2018-07-30 22:48:17 +10:00
cpu_setup_44x.S
cpu_setup_fsl_booke.S powerpc: Free up CPU feature bits on 64-bit machines 2018-03-24 00:38:51 +11:00
cpu_setup_pa6t.S
cpu_setup_power.S powerpc/64s: Clear PCR on boot 2018-05-18 16:05:15 +10:00
cpu_setup_ppc970.S
cputable.c Merge branch 'topic/ppc-kvm' into next 2018-07-19 14:37:57 +10:00
crash.c powerpc: remove kdump.h from page.h 2018-07-30 22:47:53 +10:00
crash_dump.c
dbell.c
dma-iommu.c powerpc: rename dma_direct_ to dma_nommu_ 2018-01-10 16:41:14 +01:00
dma-swiotlb.c swiotlb: rename swiotlb_free to swiotlb_exit 2018-01-15 09:35:39 +01:00
dma.c PCI: Call dma_debug_add_bus() for pci_bus_type from PCI core 2018-07-30 15:58:01 -05:00
dt_cpu_ftrs.c Merge branch 'topic/ppc-kvm' into next 2018-07-19 14:37:57 +10:00
eeh.c powerpc/eeh: Handle hugepages in ioremap space 2019-07-31 07:27:07 +02:00
eeh_cache.c powerpc/eeh: Fix misleading comment in __eeh_addr_cache_get_device() 2018-03-27 23:44:58 +11:00
eeh_dev.c powerpc/eeh: Create PHB PEs after EEH is initialized 2017-09-21 14:56:00 +10:00
eeh_driver.c powerpc/eeh: Refactor report functions 2018-06-03 20:43:41 +10:00
eeh_event.c powerpc/eeh: Manage EEH_PE_RECOVERING inside eeh_handle_normal_event() 2018-03-27 23:44:58 +11:00
eeh_pe.c powerpc/eeh: Introduce eeh_for_each_pe() 2018-06-03 20:43:39 +10:00
eeh_sysfs.c powerpc/eeh: Add EEH notify resume sysfs 2018-01-27 20:02:52 +11:00
entry_32.S powerpc/32: Clear on-stack exception marker upon exception return 2019-03-23 20:10:07 +01:00
entry_64.S powerpc/64s: Clear on-stack exception marker upon exception return 2019-04-05 22:33:13 +02:00
epapr_hcalls.S
epapr_paravirt.c
exceptions-64e.S powerpc/fsl: Fix the flush of branch predictor. 2019-04-03 06:26:20 +02:00
exceptions-64s.S powerpc/watchpoint: Restore NV GPRs while returning from exception 2019-07-26 09:14:29 +02:00
fadump.c powerpc/fadump: Do not allow hot-remove memory from fadump reserved area. 2019-02-12 19:47:16 +01:00
firmware.c
fpu.S powerpc: clean inclusions of asm/feature-fixups.h 2018-07-30 22:48:17 +10:00
fsl_booke_entry_mapping.S License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
head_8xx.S powerpc/8xx: fix setting of pagetable for Abatron BDI debug tool. 2019-02-27 10:08:54 +01:00
head_32.S powerpc: clean inclusions of asm/feature-fixups.h 2018-07-30 22:48:17 +10:00
head_40x.S powerpc/405: move PPC405_ERR77 in asm-405.h 2018-07-30 22:48:13 +10:00
head_44x.S
head_64.S powerpc/64: mark start_here_multiplatform as __ref 2019-09-16 08:21:43 +02:00
head_booke.h powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup' 2019-04-03 06:26:20 +02:00
head_fsl_booke.S powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) 2019-04-03 06:26:20 +02:00
hw_breakpoint.c perf/arch/powerpc: Implement hw_breakpoint_arch_parse() 2018-06-26 09:07:55 +02:00
idle.c
idle_6xx.S powerpc: clean inclusions of asm/feature-fixups.h 2018-07-30 22:48:17 +10:00
idle_book3e.S powerpc/64s: make PACA_IRQ_HARD_DIS track MSR[EE] closely 2018-07-24 22:03:14 +10:00
idle_book3s.S powerpc/powernv/idle: Restore IAMR after idle 2019-05-16 19:41:31 +02:00
idle_e500.S powerpc: clean inclusions of asm/feature-fixups.h 2018-07-30 22:48:17 +10:00
idle_power4.S powerpc/64s: Fix PACA_IRQ_HARD_DIS accounting in idle_power4() 2018-08-14 15:36:02 +10:00
ima_kexec.c
io-workarounds.c
io.c
iomap.c powerpc: iomap.c: introduce io{read|write}64_{lo_hi|hi_lo} 2018-04-05 14:59:26 +10:00
iommu.c KVM: PPC: Avoid marking DMA-mapped pages dirty in real mode 2018-09-12 08:49:54 +10:00
irq.c powerpc/64: Disable irq restore warning for now 2018-08-07 21:49:24 +10:00
isa-bridge.c
jump_label.c jump_label: move 'asm goto' support test to Kconfig 2019-06-04 08:02:34 +02:00
kexec_elf_64.c kernel/kexec_file.c: allow archs to set purgatory load address 2018-04-13 17:10:28 -07:00
kgdb.c
kprobes-ftrace.c bpf/error-inject/kprobes: Clear current_kprobe and enable preempt in kprobe 2018-06-21 12:33:19 +02:00
kprobes.c bpf/error-inject/kprobes: Clear current_kprobe and enable preempt in kprobe 2018-06-21 12:33:19 +02:00
kvm.c kmemleak: powerpc: skip scanning holes in the .bss section 2019-05-08 07:21:50 +02:00
kvm_emul.S powerpc: move ASM_CONST and stringify_in_c() into asm-const.h 2018-07-30 22:48:16 +10:00
l2cr_6xx.S powerpc: clean inclusions of asm/feature-fixups.h 2018-07-30 22:48:17 +10:00
legacy_serial.c powerpc: Look for "stdout-path" when setting up legacy consoles 2018-12-19 19:19:52 +01:00
machine_kexec.c powerpc: remove kdump.h from page.h 2018-07-30 22:47:53 +10:00
machine_kexec_32.c
machine_kexec_64.c powerpc/64/kexec: fix race in kexec when XIVE is shutdown 2018-05-10 23:25:08 +10:00
machine_kexec_file_64.c powerpc/kexec: Use common error handling code in setup_new_fdt() 2018-08-10 22:12:36 +10:00
Makefile powerpc: Disable -Wbuiltin-requires-header when setjmp is used 2019-01-13 09:51:05 +01:00
mce.c powerpc updates for 4.16 2018-02-02 10:01:04 -08:00
mce_power.c powerpc/64s/hash: Do not use PPC_INVALIDATE_ERAT on CPUs before POWER9 2018-11-13 11:08:50 -08:00
misc.S powerpc/misc: merge reloc_offset() and add_reloc_offset() 2018-06-04 00:39:17 +10:00
misc_32.S powerpc: clean inclusions of asm/feature-fixups.h 2018-07-30 22:48:17 +10:00
misc_64.S powerpc: Allow flush_(inval_)dcache_range to work across ranges >4GB 2019-08-29 08:28:59 +02:00
module.c powerpc64/module elfv1: Set opd addresses after module relocation 2018-11-13 11:08:50 -08:00
module.lds powerpc/modules: Fix alignment of .toc section in kernel modules 2017-12-11 13:03:35 +11:00
module_32.c powerpc/sparse: Fix plain integer as NULL pointer warning 2018-05-25 12:04:38 +10:00
module_64.c powerpc/64/module: REL32 relocation range check 2018-11-21 09:19:08 +01:00
msi.c powerpc/msi: Fix NULL pointer access in teardown code 2018-12-19 19:19:52 +01:00
nvram_64.c pstore: Convert buf_lock to semaphore 2019-06-11 12:20:52 +02:00
of_platform.c
optprobes.c powerpc/kprobes: Do not disable interrupts for optprobes and kprobes_on_ftrace 2017-11-12 23:51:41 +11:00
optprobes_head.S powerpc/64: Rename soft_enabled to irq_soft_mask 2018-01-19 22:37:01 +11:00
paca.c Merge branch 'topic/paca' into next 2018-03-31 09:09:36 +11:00
pci-common.c powerpc updates for 4.19 2018-08-17 11:32:50 -07:00
pci-hotplug.c powerpc/pci: Unroll two pass loop when scanning bridges 2017-12-18 23:05:52 -06:00
pci_32.c powerpc: Remove -Wattribute-alias pragmas 2018-06-25 23:21:13 +09:00
pci_64.c powerpc: Remove -Wattribute-alias pragmas 2018-06-25 23:21:13 +09:00
pci_dn.c powerpc/pci: Separate SR-IOV Calls 2017-12-11 13:03:35 +11:00
pci_of_scan.c powerpc/pci/of: Fix OF flags parsing for 64bit BARs 2019-07-31 07:27:01 +02:00
pmc.c
ppc32.h
ppc_save_regs.S powerpc: move ASM_CONST and stringify_in_c() into asm-const.h 2018-07-30 22:48:16 +10:00
proc_powerpc.c powerpc: Use octal numbers for file permissions 2018-01-22 05:48:33 +11:00
process.c powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts 2019-09-16 08:22:25 +02:00
prom.c powerpc: clean the inclusion of stringify.h 2018-07-30 22:48:17 +10:00
prom_init.c powerpc: Move path variable inside DEBUG_PROM 2018-08-10 22:12:38 +10:00
prom_init_check.sh powerpc/mm/radix: Update command line parsing for disable_radix 2018-04-04 16:59:50 +10:00
prom_parse.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ptrace.c powerpc/ptrace: Simplify vr_get/set() to avoid GCC warning 2019-03-23 20:10:07 +01:00
ptrace32.c
reloc_32.S
reloc_64.S powerpc/asm: Convert .llong directives to .8byte 2017-08-31 14:26:47 +10:00
rtas-proc.c powerpc updates for 4.18 2018-06-07 10:23:33 -07:00
rtas-rtc.c powerpc: use time64_t in read_persistent_clock 2018-06-03 20:43:33 +10:00
rtas.c powerpc: Remove -Wattribute-alias pragmas 2018-06-25 23:21:13 +09:00
rtas_flash.c powerpc: Use octal numbers for file permissions 2018-01-22 05:48:33 +11:00
rtas_pci.c powerpc/kernel: Change retrieval of pci_dn 2017-08-31 14:26:40 +10:00
rtasd.c powerpc/pseries: Remove prrn_work workqueue 2019-04-20 09:16:01 +02:00
security.c powerpc/64s: Include cpu header 2019-05-16 19:41:28 +02:00
setup-common.c powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used 2019-04-03 06:26:20 +02:00
setup.h powerpc/tau: Synchronize function prototypes and body 2018-05-25 12:04:43 +10:00
setup_32.c powerpc/32: Include setup.h header file to fix warnings 2018-08-10 22:12:38 +10:00
setup_64.c powerpc/speculation: Support 'mitigations=' cmdline option 2019-05-14 19:17:59 +02:00
signal.c rseq: Avoid infinite recursion when delivering SIGSEGV 2018-06-22 19:04:22 +02:00
signal.h powerpc/syscalls: signal_{32, 64} - switch to SYSCALL_DEFINE 2018-05-10 23:25:13 +10:00
signal_32.c powerpc/tm: Fix oops on sigreturn on systems without TM 2019-07-31 07:27:11 +02:00
signal_64.c powerpc/tm: Fix oops on sigreturn on systems without TM 2019-07-31 07:27:11 +02:00
smp-tbsync.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
smp.c powerpc/smp: Fix NMI IPI xmon timeout 2019-05-16 19:41:26 +02:00
stacktrace.c powerpc/64s: Fix build failures with CONFIG_NMI_IPI=n 2018-06-19 23:03:50 +10:00
suspend.c
swsusp.c
swsusp_32.S powerpc/32s: fix suspend/resume when IBATs 4-7 are used 2019-07-26 09:14:29 +02:00
swsusp_64.c
swsusp_asm64.S powerpc: clean inclusions of asm/feature-fixups.h 2018-07-30 22:48:17 +10:00
swsusp_booke.S License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sys_ppc32.c powerpc/syscalls: kill ppc32_select() 2018-05-10 23:25:15 +10:00
syscalls.c powerpc: Remove -Wattribute-alias pragmas 2018-06-25 23:21:13 +09:00
sysfs.c Merge branch 'topic/paca' into next 2018-03-31 09:09:36 +11:00
systbl.S powerpc/syscalls: Add COMPAT_SPU_NEW() macro 2018-05-10 23:25:14 +10:00
systbl_chk.c powerpc/syscalls: Add COMPAT_SPU_NEW() macro 2018-05-10 23:25:14 +10:00
systbl_chk.sh powerpc: Make it clearer that systbl check errors are errors 2018-05-10 23:25:16 +10:00
tau_6xx.c powerpc/tau: Make some function static 2018-05-25 12:04:44 +10:00
time.c powerpc/time: inline arch_vtime_task_switch() 2018-06-04 00:39:20 +10:00
tm.S powerpc/tm: Avoid possible userspace r1 corruption on reclaim 2018-09-25 22:51:32 +10:00
traps.c powerpc/traps: Fix the message printed when stack overflows 2019-03-23 20:10:08 +01:00
udbg.c
udbg_16550.c
uprobes.c
vdso.c powerpc: remove unneeded inclusions of cpu_has_feature.h 2018-07-30 22:47:54 +10:00
vecemu.c powerpc: Add a missing include header 2018-05-25 12:04:46 +10:00
vector.S powerpc: move ASM_CONST and stringify_in_c() into asm-const.h 2018-07-30 22:48:16 +10:00
vmlinux.lds.S powerpc/fsl: Add infrastructure to fixup branch predictor flush 2019-04-03 06:26:19 +02:00
watchdog.c powerpc/watchdog: Use hrtimers for per-CPU heartbeat 2019-05-31 06:46:12 -07:00