On Fri, 2016-07-22 at 17:27 +1000, Nicholas Piggin wrote:
> tabort_syscall runs with RI=1, so a nested recoverable machine
> check will load the paca into r13 and overwrite what we loaded
> it with, because exceptions returning to privileged mode do not
> restore r13.
>
> This has survived testing with sc instruction inside transaction
> (bare sc, not glibc syscall because glibc can tabort before sc).
> Verified the transaction is failing with TM_CAUSE_SYSCALL.
>
> Signed-off-by: Nick Piggin <npig...@gmail.com>
> Cc: Michael Neuling <mi...@neuling.org>
FWIW Acked-by: Michael Neuling <mi...@neuling.org> > Cc: Sam Bobroff <sam.bobr...@au1.ibm.com> > Cc: Michael Ellerman <m...@ellerman.id.au> > > --- > > arch/powerpc/kernel/entry_64.S | 20 ++++++++++---------- > 1 file changed, 10 insertions(+), 10 deletions(-) > > diff --git a/arch/powerpc/kernel/entry_64.S > b/arch/powerpc/kernel/entry_64.S > index 73e461a..387dee3 100644 > --- a/arch/powerpc/kernel/entry_64.S > +++ b/arch/powerpc/kernel/entry_64.S > @@ -368,13 +368,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) > tabort_syscall: > /* Firstly we need to enable TM in the kernel */ > mfmsr r10 > - li r13, 1 > - rldimi r10, r13, MSR_TM_LG, 63-MSR_TM_LG > - mtmsrd r10, 0 > + li r9,1 > + rldimi r10,r9,MSR_TM_LG,63-MSR_TM_LG > + mtmsrd r10,0 > > /* tabort, this dooms the transaction, nothing else */ > - li r13, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT) > - TABORT(R13) > + li r9,(TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT) > + TABORT(R9) > > /* > * Return directly to userspace. We have corrupted user register > state, > @@ -382,11 +382,11 @@ tabort_syscall: > * resume after the tbegin of the aborted transaction with the > * checkpointed register state. > */ > - li r13, MSR_RI > - andc r10, r10, r13 > - mtmsrd r10, 1 > - mtspr SPRN_SRR0, r11 > - mtspr SPRN_SRR1, r12 > + li r9,MSR_RI > + andc r10,r10,r9 > + mtmsrd r10,1 > + mtspr SPRN_SRR0,r11 > + mtspr SPRN_SRR1,r12 > > rfid > b . /* prevent speculative execution */
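Review bot: the first hunk (@@ -368) swaps the scratch register from r13 to r9 for the TM-enable sequence and for TABORT, but adds no comment at tabort_syscall recording why r13 must not be used here, so nothing in the code stops a later cleanup from reintroducing it. Suggest a short comment above `mfmsr r10`, e.g. `/* Do not use r13 as scratch: a recoverable MCE taken with RI=1 reloads the paca into r13 and does not restore it on return */`, which is exactly the constraint the commit message describes. r9 itself is a volatile register and the existing comment already states that user register state is corrupted at this point, so r9 is an acceptable choice.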
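Review bot: the second hunk (@@ -382) mixes whitespace-only changes with the functional fix: `mtspr SPRN_SRR0, r11` and `mtspr SPRN_SRR1, r12` change only in losing the space after the comma, and the same applies to `mtmsrd r10, 1`. Consider keeping the spacing of the surrounding lines, or splitting the cleanup into a separate patch, so the r13-to-r9 substitution stays minimal and is easy to backport. The ordering in the hunk is otherwise sound: RI is cleared by `mtmsrd r10,1` before SRR0/SRR1 are written, so the window in which a recoverable machine check could clobber r13 closes before r9 goes dead.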