30b807d736
commit 5e1d824f9a283cbf90f25241b66d1f69adb3835b upstream. During floating point and vector save to thread data f0/vs0 are clobbered by the FPSCR/VSCR store routine. This has been obvserved to lead to userspace register corruption and application data corruption with io-uring. Fix it by restoring f0/vs0 after FPSCR/VSCR store has completed for all the FP, altivec, VMX register save paths. Tested under QEMU in kvm mode, running on a Talos II workstation with dual POWER9 DD2.2 CPUs. Additional detail (mpe): Typically save_fpu() is called from __giveup_fpu() which saves the FP regs and also *turns off FP* in the tasks MSR, meaning the kernel will reload the FP regs from the thread struct before letting the task use FP again. So in that case save_fpu() is free to clobber f0 because the FP regs no longer hold live values for the task. There is another case though, which is the path via: sys_clone() ... copy_process() dup_task_struct() arch_dup_task_struct() flush_all_to_thread() save_all() That path saves the FP regs but leaves them live. That's meant as an optimisation for a process that's using FP/VSX and then calls fork(), leaving the regs live means the parent process doesn't have to take a fault after the fork to get its FP regs back. The optimisation was added in commit8792468da5
("powerpc: Add the ability to save FPU without giving it up"). That path does clobber f0, but f0 is volatile across function calls, and typically programs reach copy_process() from userspace via a syscall wrapper function. So in normal usage f0 being clobbered across a syscall doesn't cause visible data corruption. But there is now a new path, because io-uring can call copy_process() via create_io_thread() from the signal handling path. That's OK if the signal is handled as part of syscall return, but it's not OK if the signal is handled due to some other interrupt. That path is: interrupt_return_srr_user() interrupt_exit_user_prepare() interrupt_exit_user_prepare_main() do_notify_resume() get_signal() task_work_run() create_worker_cb() create_io_worker() copy_process() dup_task_struct() arch_dup_task_struct() flush_all_to_thread() save_all() if (tsk->thread.regs->msr & MSR_FP) save_fpu() # f0 is clobbered and potentially live in userspace Note the above discussion applies equally to save_altivec(). Fixes:8792468da5
("powerpc: Add the ability to save FPU without giving it up") Cc: stable@vger.kernel.org # v4.6+ Closes: https://lore.kernel.org/all/480932026.45576726.1699374859845.JavaMail.zimbra@raptorengineeringinc.com/ Closes: https://lore.kernel.org/linuxppc-dev/480221078.47953493.1700206777956.JavaMail.zimbra@raptorengineeringinc.com/ Tested-by: Timothy Pearson <tpearson@raptorengineering.com> Tested-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com> [mpe: Reword change log to describe exact path of corruption & other minor tweaks] Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://msgid.link/1921539696.48534988.1700407082933.JavaMail.zimbra@raptorengineeringinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
164 lines
4.1 KiB
ArmAsm
164 lines
4.1 KiB
ArmAsm
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
|
/*
|
|
* FPU support code, moved here from head.S so that it can be used
|
|
* by chips which use other head-whatever.S files.
|
|
*
|
|
* Copyright (C) 1995-1996 Gary Thomas (gdt@linuxppc.org)
|
|
* Copyright (C) 1996 Cort Dougan <cort@cs.nmt.edu>
|
|
* Copyright (C) 1996 Paul Mackerras.
|
|
* Copyright (C) 1997 Dan Malek (dmalek@jlc.net).
|
|
*/
|
|
|
|
#include <asm/reg.h>
|
|
#include <asm/page.h>
|
|
#include <asm/mmu.h>
|
|
#include <asm/pgtable.h>
|
|
#include <asm/cputable.h>
|
|
#include <asm/cache.h>
|
|
#include <asm/thread_info.h>
|
|
#include <asm/ppc_asm.h>
|
|
#include <asm/asm-offsets.h>
|
|
#include <asm/ptrace.h>
|
|
#include <asm/export.h>
|
|
#include <asm/asm-compat.h>
|
|
#include <asm/feature-fixups.h>
|
|
|
|
#ifdef CONFIG_VSX
|
|
#define __REST_1FPVSR(n,c,base) \
|
|
BEGIN_FTR_SECTION \
|
|
b 2f; \
|
|
END_FTR_SECTION_IFSET(CPU_FTR_VSX); \
|
|
REST_FPR(n,base); \
|
|
b 3f; \
|
|
2: REST_VSR(n,c,base); \
|
|
3:
|
|
|
|
#define __REST_32FPVSRS(n,c,base) \
|
|
BEGIN_FTR_SECTION \
|
|
b 2f; \
|
|
END_FTR_SECTION_IFSET(CPU_FTR_VSX); \
|
|
REST_32FPRS(n,base); \
|
|
b 3f; \
|
|
2: REST_32VSRS(n,c,base); \
|
|
3:
|
|
|
|
#define __SAVE_32FPVSRS(n,c,base) \
|
|
BEGIN_FTR_SECTION \
|
|
b 2f; \
|
|
END_FTR_SECTION_IFSET(CPU_FTR_VSX); \
|
|
SAVE_32FPRS(n,base); \
|
|
b 3f; \
|
|
2: SAVE_32VSRS(n,c,base); \
|
|
3:
|
|
#else
|
|
#define __REST_1FPVSR(n,b,base) REST_FPR(n, base)
|
|
#define __REST_32FPVSRS(n,b,base) REST_32FPRS(n, base)
|
|
#define __SAVE_32FPVSRS(n,b,base) SAVE_32FPRS(n, base)
|
|
#endif
|
|
#define REST_1FPVSR(n,c,base) __REST_1FPVSR(n,__REG_##c,__REG_##base)
|
|
#define REST_32FPVSRS(n,c,base) __REST_32FPVSRS(n,__REG_##c,__REG_##base)
|
|
#define SAVE_32FPVSRS(n,c,base) __SAVE_32FPVSRS(n,__REG_##c,__REG_##base)
|
|
|
|
/*
|
|
* Load state from memory into FP registers including FPSCR.
|
|
* Assumes the caller has enabled FP in the MSR.
|
|
*/
|
|
_GLOBAL(load_fp_state)
|
|
lfd fr0,FPSTATE_FPSCR(r3)
|
|
MTFSF_L(fr0)
|
|
REST_32FPVSRS(0, R4, R3)
|
|
blr
|
|
EXPORT_SYMBOL(load_fp_state)
|
|
_ASM_NOKPROBE_SYMBOL(load_fp_state); /* used by restore_math */
|
|
|
|
/*
|
|
* Store FP state into memory, including FPSCR
|
|
* Assumes the caller has enabled FP in the MSR.
|
|
*/
|
|
_GLOBAL(store_fp_state)
|
|
SAVE_32FPVSRS(0, R4, R3)
|
|
mffs fr0
|
|
stfd fr0,FPSTATE_FPSCR(r3)
|
|
REST_1FPVSR(0, R4, R3)
|
|
blr
|
|
EXPORT_SYMBOL(store_fp_state)
|
|
|
|
/*
|
|
* This task wants to use the FPU now.
|
|
* On UP, disable FP for the task which had the FPU previously,
|
|
* and save its floating-point registers in its thread_struct.
|
|
* Load up this task's FP registers from its thread_struct,
|
|
* enable the FPU for the current task and return to the task.
|
|
* Note that on 32-bit this can only use registers that will be
|
|
* restored by fast_exception_return, i.e. r3 - r6, r10 and r11.
|
|
*/
|
|
_GLOBAL(load_up_fpu)
|
|
mfmsr r5
|
|
ori r5,r5,MSR_FP
|
|
#ifdef CONFIG_VSX
|
|
BEGIN_FTR_SECTION
|
|
oris r5,r5,MSR_VSX@h
|
|
END_FTR_SECTION_IFSET(CPU_FTR_VSX)
|
|
#endif
|
|
SYNC
|
|
MTMSRD(r5) /* enable use of fpu now */
|
|
isync
|
|
/* enable use of FP after return */
|
|
#ifdef CONFIG_PPC32
|
|
mfspr r5,SPRN_SPRG_THREAD /* current task's THREAD (phys) */
|
|
lwz r4,THREAD_FPEXC_MODE(r5)
|
|
ori r9,r9,MSR_FP /* enable FP for current */
|
|
or r9,r9,r4
|
|
#else
|
|
ld r4,PACACURRENT(r13)
|
|
addi r5,r4,THREAD /* Get THREAD */
|
|
lwz r4,THREAD_FPEXC_MODE(r5)
|
|
ori r12,r12,MSR_FP
|
|
or r12,r12,r4
|
|
std r12,_MSR(r1)
|
|
#endif
|
|
/* Don't care if r4 overflows, this is desired behaviour */
|
|
lbz r4,THREAD_LOAD_FP(r5)
|
|
addi r4,r4,1
|
|
stb r4,THREAD_LOAD_FP(r5)
|
|
addi r10,r5,THREAD_FPSTATE
|
|
lfd fr0,FPSTATE_FPSCR(r10)
|
|
MTFSF_L(fr0)
|
|
REST_32FPVSRS(0, R4, R10)
|
|
/* restore registers and return */
|
|
/* we haven't used ctr or xer or lr */
|
|
blr
|
|
|
|
/*
|
|
* save_fpu(tsk)
|
|
* Save the floating-point registers in its thread_struct.
|
|
* Enables the FPU for use in the kernel on return.
|
|
*/
|
|
_GLOBAL(save_fpu)
|
|
addi r3,r3,THREAD /* want THREAD of task */
|
|
PPC_LL r6,THREAD_FPSAVEAREA(r3)
|
|
PPC_LL r5,PT_REGS(r3)
|
|
PPC_LCMPI 0,r6,0
|
|
bne 2f
|
|
addi r6,r3,THREAD_FPSTATE
|
|
2: SAVE_32FPVSRS(0, R4, R6)
|
|
mffs fr0
|
|
stfd fr0,FPSTATE_FPSCR(r6)
|
|
REST_1FPVSR(0, R4, R6)
|
|
blr
|
|
|
|
/*
|
|
* These are used in the alignment trap handler when emulating
|
|
* single-precision loads and stores.
|
|
*/
|
|
|
|
_GLOBAL(cvt_fd)
|
|
lfs 0,0(r3)
|
|
stfd 0,0(r4)
|
|
blr
|
|
|
|
_GLOBAL(cvt_df)
|
|
lfd 0,0(r3)
|
|
stfs 0,0(r4)
|
|
blr
|