• Gustavo Romero's avatar
    powerpc/tm: Fix illegal TM state in signal handler · 044215d1
    Gustavo Romero authored
    Currently it's possible that on returning from the signal handler
    through the restore_tm_sigcontexts() code path (e.g. from a signal
    caught due to a `trap` instruction executed in the middle of an HTM
    block, or a deliberately constructed sigframe) an illegal TM state
    (like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
    implicitly the MSR register from SRR1 register on return to userspace
    it causes a TM Bad Thing exception.
    
    That illegal state can be set (a) by a malicious user that disables
    the TM bit by tweaking the bits in uc_mcontext before returning from
    the signal handler or (b) by a sufficient number of context switches
    occurring such that the load_tm counter overflows and TM is disabled
    whilst in the signal handler.
    
    This commit fixes the illegal TM state by ensuring that TM bit is
    always enabled before we return from restore_tm_sigcontexts(). A small
    comment correction is made as well.
    
    Fixes: 5d176f75 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
    Cc: stable@vger.kernel.org # v4.9+
    Signed-off-by: default avatarGustavo Romero <gromero@linux.vnet.ibm.com>
    Signed-off-by: default avatarBreno Leitao <leitao@debian.org>
    Signed-off-by: default avatarCyril Bur <cyrilbur@gmail.com>
    Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    044215d1
signal_64.c 26.4 KB