• C
    powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks · 265e60a1
    Cyril Bur 提交于
    When using transactional memory (TM), the CPU can be in one of six
    states as far as TM is concerned, encoded in the Machine State
    Register (MSR). Certain state transitions are illegal and if attempted
    trigger a "TM Bad Thing" type program check exception.
    
    If we ever hit one of these exceptions it's treated as a bug, ie. we
    oops, and kill the process and/or panic, depending on configuration.
    
    One case where we can trigger a TM Bad Thing, is when returning to
    userspace after a system call or interrupt, using RFID. When this
    happens the CPU first restores the user register state, in particular
    r1 (the stack pointer) and then attempts to update the MSR. However
    the MSR update is not allowed and so we take the program check with
    the user register state, but the kernel MSR.
    
    This tricks the exception entry code into thinking we have a bad
    kernel stack pointer, because the MSR says we're coming from the
    kernel, but r1 is pointing to userspace.
    
    To avoid this we instead always switch to the emergency stack if we
    take a TM Bad Thing from the kernel. That way none of the user
    register values are used, other than for printing in the oops message.
    
    This is the fix for CVE-2017-1000255.
    
    Fixes: 5d176f75 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
    Cc: stable@vger.kernel.org # v4.9+
    Signed-off-by: NCyril Bur <cyrilbur@gmail.com>
    [mpe: Rewrite change log & comments, tweak asm slightly]
    Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
    265e60a1
exceptions-64s.S 49.3 KB