From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Timothy Pearson <tpearson@raptorengineering.com>,
Jens Axboe <axboe@kernel.dk>,
Michael Ellerman <mpe@ellerman.id.au>
Subject: [PATCH 4.14 24/30] powerpc: Dont clobber f0/vs0 during fp|altivec register save
Date: Tue, 5 Dec 2023 12:16:31 +0900 [thread overview]
Message-ID: <20231205031512.914091739@linuxfoundation.org> (raw)
In-Reply-To: <20231205031511.476698159@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timothy Pearson <tpearson@raptorengineering.com>
commit 5e1d824f9a283cbf90f25241b66d1f69adb3835b upstream.
During floating point and vector save to thread data f0/vs0 are
clobbered by the FPSCR/VSCR store routine. This has been obvserved to
lead to userspace register corruption and application data corruption
with io-uring.
Fix it by restoring f0/vs0 after FPSCR/VSCR store has completed for
all the FP, altivec, VMX register save paths.
Tested under QEMU in kvm mode, running on a Talos II workstation with
dual POWER9 DD2.2 CPUs.
Additional detail (mpe):
Typically save_fpu() is called from __giveup_fpu() which saves the FP
regs and also *turns off FP* in the tasks MSR, meaning the kernel will
reload the FP regs from the thread struct before letting the task use FP
again. So in that case save_fpu() is free to clobber f0 because the FP
regs no longer hold live values for the task.
There is another case though, which is the path via:
sys_clone()
...
copy_process()
dup_task_struct()
arch_dup_task_struct()
flush_all_to_thread()
save_all()
That path saves the FP regs but leaves them live. That's meant as an
optimisation for a process that's using FP/VSX and then calls fork(),
leaving the regs live means the parent process doesn't have to take a
fault after the fork to get its FP regs back. The optimisation was added
in commit 8792468da5e1 ("powerpc: Add the ability to save FPU without
giving it up").
That path does clobber f0, but f0 is volatile across function calls,
and typically programs reach copy_process() from userspace via a syscall
wrapper function. So in normal usage f0 being clobbered across a
syscall doesn't cause visible data corruption.
But there is now a new path, because io-uring can call copy_process()
via create_io_thread() from the signal handling path. That's OK if the
signal is handled as part of syscall return, but it's not OK if the
signal is handled due to some other interrupt.
That path is:
interrupt_return_srr_user()
interrupt_exit_user_prepare()
interrupt_exit_user_prepare_main()
do_notify_resume()
get_signal()
task_work_run()
create_worker_cb()
create_io_worker()
copy_process()
dup_task_struct()
arch_dup_task_struct()
flush_all_to_thread()
save_all()
if (tsk->thread.regs->msr & MSR_FP)
save_fpu()
# f0 is clobbered and potentially live in userspace
Note the above discussion applies equally to save_altivec().
Fixes: 8792468da5e1 ("powerpc: Add the ability to save FPU without giving it up")
Cc: stable@vger.kernel.org # v4.6+
Closes: https://lore.kernel.org/all/480932026.45576726.1699374859845.JavaMail.zimbra@raptorengineeringinc.com/
Closes: https://lore.kernel.org/linuxppc-dev/480221078.47953493.1700206777956.JavaMail.zimbra@raptorengineeringinc.com/
Tested-by: Timothy Pearson <tpearson@raptorengineering.com>
Tested-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
[mpe: Reword change log to describe exact path of corruption & other minor tweaks]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/1921539696.48534988.1700407082933.JavaMail.zimbra@raptorengineeringinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kernel/fpu.S | 13 +++++++++++++
arch/powerpc/kernel/vector.S | 2 ++
2 files changed, 15 insertions(+)
--- a/arch/powerpc/kernel/fpu.S
+++ b/arch/powerpc/kernel/fpu.S
@@ -27,6 +27,15 @@
#include <asm/export.h>
#ifdef CONFIG_VSX
+#define __REST_1FPVSR(n,c,base) \
+BEGIN_FTR_SECTION \
+ b 2f; \
+END_FTR_SECTION_IFSET(CPU_FTR_VSX); \
+ REST_FPR(n,base); \
+ b 3f; \
+2: REST_VSR(n,c,base); \
+3:
+
#define __REST_32FPVSRS(n,c,base) \
BEGIN_FTR_SECTION \
b 2f; \
@@ -45,9 +54,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX);
2: SAVE_32VSRS(n,c,base); \
3:
#else
+#define __REST_1FPVSR(n,b,base) REST_FPR(n, base)
#define __REST_32FPVSRS(n,b,base) REST_32FPRS(n, base)
#define __SAVE_32FPVSRS(n,b,base) SAVE_32FPRS(n, base)
#endif
+#define REST_1FPVSR(n,c,base) __REST_1FPVSR(n,__REG_##c,__REG_##base)
#define REST_32FPVSRS(n,c,base) __REST_32FPVSRS(n,__REG_##c,__REG_##base)
#define SAVE_32FPVSRS(n,c,base) __SAVE_32FPVSRS(n,__REG_##c,__REG_##base)
@@ -70,6 +81,7 @@ _GLOBAL(store_fp_state)
SAVE_32FPVSRS(0, R4, R3)
mffs fr0
stfd fr0,FPSTATE_FPSCR(r3)
+ REST_1FPVSR(0, R4, R3)
blr
EXPORT_SYMBOL(store_fp_state)
@@ -134,6 +146,7 @@ _GLOBAL(save_fpu)
2: SAVE_32FPVSRS(0, R4, R6)
mffs fr0
stfd fr0,FPSTATE_FPSCR(r6)
+ REST_1FPVSR(0, R4, R6)
blr
/*
--- a/arch/powerpc/kernel/vector.S
+++ b/arch/powerpc/kernel/vector.S
@@ -30,6 +30,7 @@ _GLOBAL(store_vr_state)
mfvscr v0
li r4, VRSTATE_VSCR
stvx v0, r4, r3
+ lvx v0, 0, r3
blr
EXPORT_SYMBOL(store_vr_state)
@@ -100,6 +101,7 @@ _GLOBAL(save_altivec)
mfvscr v0
li r4,VRSTATE_VSCR
stvx v0,r4,r7
+ lvx v0,0,r7
blr
#ifdef CONFIG_VSX
next prev parent reply other threads:[~2023-12-05 3:19 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-05 3:16 [PATCH 4.14 00/30] 4.14.332-rc1 review Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 01/30] RDMA/irdma: Prevent zero-length STAG registration Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 02/30] drm/panel: simple: Fix Innolux G101ICE-L01 timings Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 03/30] ata: pata_isapnp: Add missing error check for devm_ioport_map() Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 04/30] drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 05/30] ipv4: Correct/silence an endian warning in __ip_do_redirect Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 06/30] net: usb: ax88179_178a: fix failed operations during ax88179_reset Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 07/30] arm/xen: fix xen_vcpu_info allocation alignment Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 08/30] amd-xgbe: handle corner-case during sfp hotplug Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 09/30] amd-xgbe: propagate the correct speed and duplex status Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 10/30] net: axienet: Fix check for partial TX checksum Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 11/30] mtd: rawnand: brcmnand: Fix ecc chunk calculation for erased page bitfips Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 12/30] s390/dasd: protect device queue against concurrent access Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 13/30] USB: serial: option: add Luat Air72*U series products Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 14/30] bcache: check return value from btree_node_alloc_replacement() Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 15/30] bcache: prevent potential division by zero error Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 16/30] USB: serial: option: add Fibocom L7xx modules Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 17/30] USB: serial: option: fix FM101R-GL defines Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 18/30] USB: serial: option: dont claim interface 4 for ZTE MF290 Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 19/30] usb: dwc3: set the dma max_seg_size Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 20/30] pinctrl: avoid reload of p state in list iteration Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 21/30] firewire: core: fix possible memory leak in create_units() Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 22/30] dm-verity: align struct dm_verity_fec_io properly Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 23/30] dm verity: dont perform FEC for failed readahead IO Greg Kroah-Hartman
2023-12-05 3:16 ` Greg Kroah-Hartman [this message]
2023-12-05 3:16 ` [PATCH 4.14 25/30] btrfs: fix off-by-one when checking chunk map includes logical address Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 26/30] btrfs: send: ensure send_fd is writable Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 27/30] ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 28/30] ravb: Fix races between ravb_tx_timeout_work() and net related ops Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 29/30] net: ravb: Start TX queues after HW initialization succeeded Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 4.14 30/30] driver core: Release all resources during unbind before updating device links Greg Kroah-Hartman
2023-12-05 9:10 ` [PATCH 4.14 00/30] 4.14.332-rc1 review Harshit Mogalapalli
2023-12-05 10:37 ` Pavel Machek
2023-12-05 11:09 ` Jon Hunter
2023-12-05 14:01 ` Naresh Kamboju
2023-12-05 16:44 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231205031512.914091739@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=axboe@kernel.dk \
--cc=mpe@ellerman.id.au \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=tpearson@raptorengineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox