powerpc/64s: Fix copy-paste data exposure into newly created tasks

author Nicholas Piggin <npiggin@gmail.com>

Tue, 22 Jun 2021 05:30:36 +0000 (15:30 +1000)

committer Michael Ellerman <mpe@ellerman.id.au>

Thu, 24 Jun 2021 14:07:11 +0000 (00:07 +1000)
author Nicholas Piggin <npiggin@gmail.com>
Tue, 22 Jun 2021 05:30:36 +0000 (15:30 +1000)
committer Michael Ellerman <mpe@ellerman.id.au>
Thu, 24 Jun 2021 14:07:11 +0000 (00:07 +1000)
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c

index 8ab1bfdfd31a268e52edbd7077080dc4bb5a51b4..77facd9d41a6ae15c9680aaf1703094e53a6bc80 100644 (file)
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1223,6 +1223,19 @@ struct task_struct *__switch_to(struct task_struct *prev,
                         __flush_tlb_pending(batch);
                 batch->active = 0;
         }
+
+       /*
+        * On POWER9 the copy-paste buffer can only paste into
+        * foreign real addresses, so unprivileged processes can not
+        * see the data or use it in any way unless they have
+        * foreign real mappings. If the new process has the foreign
+        * real address mappings, we must issue a cp_abort to clear
+        * any state and prevent snooping, corruption or a covert
+        * channel. ISA v3.1 supports paste into local memory.
+        */
+       if (new->mm && (cpu_has_feature(CPU_FTR_ARCH_31) ||
+                       atomic_read(&new->mm->context.vas_windows)))
+               asm volatile(PPC_CP_ABORT);
  #endif /* CONFIG_PPC_BOOK3S_64 */
  
  #ifdef CONFIG_PPC_ADV_DEBUG_REGS
@@ -1273,30 +1286,33 @@ struct task_struct *__switch_to(struct task_struct *prev,
  #endif
         last = _switch(old_thread, new_thread);
  
+       /*
+        * Nothing after _switch will be run for newly created tasks,
+        * because they switch directly to ret_from_fork/ret_from_kernel_thread
+        * etc. Code added here should have a comment explaining why that is
+        * okay.
+        */
+
  #ifdef CONFIG_PPC_BOOK3S_64
+       /*
+        * This applies to a process that was context switched while inside
+        * arch_enter_lazy_mmu_mode(), to re-activate the batch that was
+        * deactivated above, before _switch(). This will never be the case
+        * for new tasks.
+        */
         if (current_thread_info()->local_flags & _TLF_LAZY_MMU) {
                 current_thread_info()->local_flags &= ~_TLF_LAZY_MMU;
                 batch = this_cpu_ptr(&ppc64_tlb_batch);
                 batch->active = 1;
         }
  
-       if (current->thread.regs) {
+       /*
+        * Math facilities are masked out of the child MSR in copy_thread.
+        * A new task does not need to restore_math because it will
+        * demand fault them.
+        */
+       if (current->thread.regs)
                 restore_math(current->thread.regs);
-
-               /*
-                * On POWER9 the copy-paste buffer can only paste into
-                * foreign real addresses, so unprivileged processes can not
-                * see the data or use it in any way unless they have
-                * foreign real mappings. If the new process has the foreign
-                * real address mappings, we must issue a cp_abort to clear
-                * any state and prevent snooping, corruption or a covert
-                * channel. ISA v3.1 supports paste into local memory.
-                */
-               if (current->mm &&
-                       (cpu_has_feature(CPU_FTR_ARCH_31) ||
-                       atomic_read(&current->mm->context.vas_windows)))
-                       asm volatile(PPC_CP_ABORT);
-       }
  #endif /* CONFIG_PPC_BOOK3S_64 */
  
         return last;
author	Nicholas Piggin <npiggin@gmail.com>
	Tue, 22 Jun 2021 05:30:36 +0000 (15:30 +1000)
committer	Michael Ellerman <mpe@ellerman.id.au>
	Thu, 24 Jun 2021 14:07:11 +0000 (00:07 +1000)