6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 2 Oct 2024 12:44:48 +0000 (14:44 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 2 Oct 2024 12:44:48 +0000 (14:44 +0200)
added patches:
x86-tdx-fix-in-kernel-mmio-check.patch

queue-6.6/series
queue-6.6/x86-tdx-fix-in-kernel-mmio-check.patch [new file with mode: 0644]

index 01f630aa573c8786a5e8d7744214c38f11610b9e..62c68b33555d1944c9a599b3f4df40816bf0fa70 100644 (file)
@@ -535,3 +535,4 @@ libbpf-ensure-undefined-bpf_attr-field-stays-0.patch
 thunderbolt-send-uevent-after-asymmetric-symmetric-switch.patch
 thunderbolt-fix-minimum-allocated-usb-3.x-and-pcie-bandwidth.patch
 thunderbolt-fix-null-pointer-dereference-in-tb_port_update_credits.patch
+x86-tdx-fix-in-kernel-mmio-check.patch
diff --git a/queue-6.6/x86-tdx-fix-in-kernel-mmio-check.patch b/queue-6.6/x86-tdx-fix-in-kernel-mmio-check.patch
new file mode 100644 (file)
index 0000000..5db8f34
--- /dev/null
@@ -0,0 +1,56 @@
+From d4fc4d01471528da8a9797a065982e05090e1d81 Mon Sep 17 00:00:00 2001
+From: "Alexey Gladkov (Intel)" <legion@kernel.org>
+Date: Fri, 13 Sep 2024 19:05:56 +0200
+Subject: x86/tdx: Fix "in-kernel MMIO" check
+
+From: Alexey Gladkov (Intel) <legion@kernel.org>
+
+commit d4fc4d01471528da8a9797a065982e05090e1d81 upstream.
+
+TDX only supports kernel-initiated MMIO operations. The handle_mmio()
+function checks if the #VE exception occurred in the kernel and rejects
+the operation if it did not.
+
+However, userspace can deceive the kernel into performing MMIO on its
+behalf. For example, if userspace can point a syscall to an MMIO address,
+syscall does get_user() or put_user() on it, triggering MMIO #VE. The
+kernel will treat the #VE as in-kernel MMIO.
+
+Ensure that the target MMIO address is within the kernel before decoding
+instruction.
+
+Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO")
+Signed-off-by: Alexey Gladkov (Intel) <legion@kernel.org>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/565a804b80387970460a4ebc67c88d1380f61ad1.1726237595.git.legion%40kernel.org
+Signed-off-by: Alexey Gladkov (Intel) <legion@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/coco/tdx/tdx.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/coco/tdx/tdx.c
++++ b/arch/x86/coco/tdx/tdx.c
+@@ -14,6 +14,7 @@
+ #include <asm/insn.h>
+ #include <asm/insn-eval.h>
+ #include <asm/pgtable.h>
++#include <asm/traps.h>
+ /* MMIO direction */
+ #define EPT_READ      0
+@@ -405,6 +406,11 @@ static int handle_mmio(struct pt_regs *r
+                       return -EINVAL;
+       }
++      if (!fault_in_kernel_space(ve->gla)) {
++              WARN_ONCE(1, "Access to userspace address is not supported");
++              return -EINVAL;
++      }
++
+       /*
+        * Reject EPT violation #VEs that split pages.
+        *
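Review bot: The `WARN_ONCE(1, ...)` in the new `fault_in_kernel_space(ve->gla)` rejection fires on a condition the commit message itself describes as reachable from userspace (a syscall doing get_user()/put_user() on an MMIO address), and a WARN that userspace can provoke becomes a guest panic where panic_on_warn is set. Since the access is already refused with -EINVAL, a plain log line keeps the diagnostic without the splat, e.g. `pr_warn_once("Access to userspace address is not supported\n");`; the current format string also lacks its trailing newline. A short comment above the check, such as `/* #VE can be raised by get_user()/put_user() on a user-supplied MMIO address; only kernel addresses are valid here. */`, would record why the address is tested before the instruction is decoded. handle_mmio() starts and ends outside this hunk, so what the caller does with -EINVAL, and whether unprivileged userspace can obtain such a mapping at all, is not visible here.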