This is a note to let you know that I've just added the patch titled sparc: Don't leak context bits into thread->fault_address to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: sparc-don-t-leak-context-bits-into-thread-fault_address.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Sat Nov 19 09:52:37 CET 2016 From: "David S. Miller" <davem@xxxxxxxxxxxxx> Date: Wed, 27 Jul 2016 17:50:26 -0700 Subject: sparc: Don't leak context bits into thread->fault_address From: "David S. Miller" <davem@xxxxxxxxxxxxx> [ Upstream commit 4f6deb8cbab532a8d7250bc09234c1795ecb5e2c ] On pre-Niagara systems, we fetch the fault address on data TLB exceptions from the TLB_TAG_ACCESS register. But this register also contains the context ID associated with the fault in the low 13 bits of the register value. This propagates into current_thread_info()->fault_address and can cause trouble later on. So clear the low 13-bits out of the TLB_TAG_ACCESS value in the cases where it matters. Reported-by: Mikulas Patocka <mpatocka@xxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- arch/sparc/kernel/dtlb_prot.S | 4 ++-- arch/sparc/kernel/ktlb.S | 12 ++++++++++++ arch/sparc/kernel/tsb.S | 12 ++++++++++-- 3 files changed, 24 insertions(+), 4 deletions(-) --- a/arch/sparc/kernel/dtlb_prot.S +++ b/arch/sparc/kernel/dtlb_prot.S 
@@ -25,13 +25,13 @@ /* PROT ** ICACHE line 2: More real fault processing */ ldxa [%g4] ASI_DMMU, %g5 ! Put tagaccess in %g5 + srlx %g5, PAGE_SHIFT, %g5 + sllx %g5, PAGE_SHIFT, %g5 ! Clear context ID bits bgu,pn %xcc, winfix_trampoline ! Yes, perform winfixup mov FAULT_CODE_DTLB | FAULT_CODE_WRITE, %g4 ba,pt %xcc, sparc64_realfault_common ! Nope, normal fault nop nop - nop - nop /* PROT ** ICACHE line 3: Unused... */ nop --- a/arch/sparc/kernel/ktlb.S +++ b/arch/sparc/kernel/ktlb.S @@ -20,6 +20,10 @@ kvmap_itlb: mov TLB_TAG_ACCESS, %g4 ldxa [%g4] ASI_IMMU, %g4 + /* The kernel executes in context zero, therefore we do not + * need to clear the context ID bits out of %g4 here. + */ + /* sun4v_itlb_miss branches here with the missing virtual * address already loaded into %g4 */ @@ -128,6 +132,10 @@ kvmap_dtlb: mov TLB_TAG_ACCESS, %g4 ldxa [%g4] ASI_DMMU, %g4 + /* The kernel executes in context zero, therefore we do not + * need to clear the context ID bits out of %g4 here. + */ + /* sun4v_dtlb_miss branches here with the missing virtual * address already loaded into %g4 */ @@ -251,6 +259,10 @@ kvmap_dtlb_longpath: nop .previous + /* The kernel executes in context zero, therefore we do not + * need to clear the context ID bits out of %g5 here. + */ + be,pt %xcc, sparc64_realfault_common mov FAULT_CODE_DTLB, %g4 ba,pt %xcc, winfix_trampoline --- a/arch/sparc/kernel/tsb.S +++ b/arch/sparc/kernel/tsb.S @@ -29,13 +29,17 @@ */ tsb_miss_dtlb: mov TLB_TAG_ACCESS, %g4 + ldxa [%g4] ASI_DMMU, %g4 + srlx %g4, PAGE_SHIFT, %g4 ba,pt %xcc, tsb_miss_page_table_walk - ldxa [%g4] ASI_DMMU, %g4 + sllx %g4, PAGE_SHIFT, %g4 tsb_miss_itlb: mov TLB_TAG_ACCESS, %g4 + ldxa [%g4] ASI_IMMU, %g4 + srlx %g4, PAGE_SHIFT, %g4 ba,pt %xcc, tsb_miss_page_table_walk - ldxa [%g4] ASI_IMMU, %g4 + sllx %g4, PAGE_SHIFT, %g4 /* At this point we have: * %g1 -- PAGE_SIZE TSB entry address 
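Review bot: The new `srlx`/`sllx` pair in ICACHE line 2 of dtlb_prot.S is inserted between the `ldxa` and a `bgu,pn %xcc` whose condition comes from a compare outside the hunk, and the `! Clear context ID bits` comment neither says why that ordering is safe nor why the shift count is PAGE_SHIFT when the commit message describes a 13-bit context field. SPARC shift instructions do not touch the condition codes, so the branch still observes the earlier compare, but the clearing only works because PAGE_SHIFT on sparc64 is 13, and that coupling is invisible here; I would extend the comment on the `sllx` to `! Clear context ID bits (low 13 bits == PAGE_SHIFT; shifts leave %xcc intact for bgu below)`. The same flag dependence applies to the pair added before `be,pt %xcc, sparc64_realfault_common` in the tsb_do_dtlb_fault hunk of tsb.S. The two removed `nop`s presumably keep ICACHE line 2 at eight instructions after the insertion, which is worth stating next to the `ICACHE line 2` comment or in the commit message.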
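Review bot: In the tsb_miss_dtlb / tsb_miss_itlb hunk of tsb.S the new `srlx`/`sllx` pair carries no comment, unlike the identical pair in dtlb_prot.S and in tsb_do_dtlb_fault, and in both labels the `sllx` now sits in the delay slot of `ba,pt %xcc, tsb_miss_page_table_walk`, so it executes before the branch target even though it reads as if it came after the branch. I would annotate both occurrences: `srlx %g4, PAGE_SHIFT, %g4 ! Clear context ID bits` and `sllx %g4, PAGE_SHIFT, %g4 ! (delay slot) page-aligned vaddr for page table walk`. The block comment that closes on the hunk's first context line presumably documents the MMU-global register setup; if so, it should now say that %g4 leaves these labels holding the faulting virtual address with its low PAGE_SHIFT bits cleared, since tsb_miss_page_table_walk is outside the hunk and a reader cannot see what consumes it.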
@@ -284,6 +288,10 @@ tsb_do_dtlb_fault: nop .previous + /* Clear context ID bits. */ + srlx %g5, PAGE_SHIFT, %g5 + sllx %g5, PAGE_SHIFT, %g5 + be,pt %xcc, sparc64_realfault_common mov FAULT_CODE_DTLB, %g4 ba,pt %xcc, winfix_trampoline Patches currently in stable-queue which might be from davem@xxxxxxxxxxxxx are queue-4.4/sparc64-delete-now-unused-user-copy-fixup-functions.patch queue-4.4/net-__skb_flow_dissect-must-cap-its-return-value.patch queue-4.4/tcp-take-care-of-truncations-done-by-sk_filter.patch queue-4.4/net-clear-sk_err_soft-in-sk_clone_lock.patch queue-4.4/sparc64-convert-copy_in_user-to-accurate-exception-reporting.patch queue-4.4/sparc64-handle-extremely-large-kernel-tlb-range-flushes-more-gracefully.patch queue-4.4/sparc-handle-negative-offsets-in-arch_jump_label_transform.patch queue-4.4/sparc64-delete-__ret_efault.patch queue-4.4/dctcp-avoid-bogus-doubling-of-cwnd-after-loss.patch queue-4.4/sparc64-delete-now-unused-user-copy-assembler-helpers.patch queue-4.4/net-mangle-zero-checksum-in-skb_checksum_help.patch queue-4.4/sparc64-mm-fix-base-tsb-sizing-when-hugetlb-pages-are-used.patch queue-4.4/ip6_tunnel-clear-ip6cb-in-ip6tunnel_xmit.patch queue-4.4/sctp-assign-assoc_id-earlier-in-__sctp_connect.patch queue-4.4/sparc64-convert-ng4copy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/ipv6-dccp-fix-out-of-bound-access-in-dccp_v6_err.patch queue-4.4/sparc64-convert-u3copy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/sparc64-convert-ng2copy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/sparc64-fix-illegal-relative-branches-in-hypervisor-patched-tlb-code.patch queue-4.4/sparc64-convert-gencopy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/sparc64-convert-u1copy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/sparc-don-t-leak-context-bits-into-thread-fault_address.patch queue-4.4/sparc64-prepare-to-move-to-more-saner-user-copy-exception-handling.patch 
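Review bot: The `/* Clear context ID bits. */` plus `srlx`/`sllx` sequence added in tsb_do_dtlb_fault is the third verbatim copy of the same two-instruction idiom in this patch (dtlb_prot.S and tsb_miss_dtlb / tsb_miss_itlb are the others), and each copy open-codes the assumption that PAGE_SHIFT equals the width of the context field in TLB_TAG_ACCESS. A named assembler macro in a header the three files already share, e.g. a constructed `CLEAR_CONTEXT_BITS reg` that expands to the two shifts, would keep the shift count and the "low 13 bits are the context ID" rationale in one place; I have not checked which header that would be, so treat the location as a suggestion. The sequence is placed after a `.previous` that closes an alternative-instruction section whose replacement code is outside the hunk; if that alternative loads %g5 from a source that has no context bits, the shifts are redundant on that path but harmless, and a one-line comment saying so would save the next reader the check.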
queue-4.4/bgmac-stop-clearing-dma-receive-control-register-right-after-it-is-set.patch queue-4.4/ipv6-dccp-add-missing-bind_conflict-to-dccp_ipv6_mapped.patch queue-4.4/tcp-fix-potential-memory-corruption.patch queue-4.4/sparc64-convert-ngcopy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/fib_trie-correct-proc-net-route-off-by-one-error.patch queue-4.4/sparc64-fix-illegal-relative-branches-in-hypervisor-patched-tlb-cross-call-code.patch queue-4.4/sparc64-handle-extremely-large-kernel-tsb-range-flushes-sanely.patch queue-4.4/sparc64-fix-instruction-count-in-comment-for-__hypervisor_flush_tlb_pending.patch queue-4.4/sparc-serial-sunhv-fix-a-double-lock-bug.patch queue-4.4/dccp-do-not-send-reset-to-already-closed-sockets.patch queue-4.4/ipv4-use-new_gw-for-redirect-neigh-lookup.patch queue-4.4/dccp-fix-out-of-bound-access-in-dccp_v4_err.patch queue-4.4/sock-fix-sendmmsg-for-partial-sendmsg.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html