Michael Neuling <mi...@neuling.org> writes:
> On Fri, 2022-03-11 at 12:47 +1000, Nicholas Piggin wrote:
>> Commit cf13435b730a ("powerpc/tm: Fix userspace r13 corruption") fixes
>> a problem in treclaim where a SLB miss can occur on the
>> thread_struct->ckpt_regs while SCRATCH0 is live with the saved user r13
>> value, clobbering it with the kernel r13 and ultimately resulting in
>> kernel r13 being stored in ckpt_regs.
>>
>> There is an equivalent problem in trechkpt where the user r13 value is
>> loaded into r13 from chkpt_regs to be recheckpointed, but a SLB miss
>> could occur on ckpt_regs accesses after that, which will result in r13
>> being clobbered with a kernel value and that will get recheckpointed and
>> then restored to user registers.
>>
>> The same memory page is accessed right before this critical window where
>> a SLB miss could cause corruption, so hitting the bug requires the SLB
>> entry be removed within a small window of instructions, which is possible
>> if a SLB related MCE hits there. PAPR also permits the hypervisor to
>> discard this SLB entry (because slb_shadow->persistent is only set to
>> SLB_NUM_BOLTED) although it's not known whether any implementations would
>> do this (KVM does not). So this is an extremely unlikely bug, only found
>> by inspection.
>>
>> Fix this by also storing user r13 in a temporary location on the kernel
>> stack and don't chane the r13 register from kernel r13 until the RI=0
>> critical section that does not fault.
>
> s/chane/change/

Fixed.

>> [ The SCRATCH0 change is not strictly part of the fix, it's only used in
>> the RI=0 section so it does not have the same problem as the previous
>> SCRATCH0 bug. ]
>>
>> Signed-off-by: Nicholas Piggin <npig...@gmail.com>
>
> This needs to be marked for stable also. Other than that:

I added:

Fixes: 98ae22e15b43 ("powerpc: Add helper functions for transactional memory context switching")
Cc: sta...@vger.kernel.org # v3.9+

cheers