From: Greg Kroah-Hartman
Date: Sun, 25 Jun 2023 17:34:27 +0000 (+0200)
Subject: 6.3-stable patches
X-Git-Tag: v4.14.320~25
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=375d3ed3b51647c05496783d472ef3a9c05a459c;p=thirdparty%2Fkernel%2Fstable-queue.git

6.3-stable patches

added patches:
x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
---

diff --git a/queue-6.3/series b/queue-6.3/series
index 4d72f0db121..6a86c169b2f 100644
--- a/queue-6.3/series
+++ b/queue-6.3/series
@@ -95,3 +95,4 @@ ksmbd-add-mnt_want_write-to-ksmbd-vfs-functions.patch
 arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch
 block-make-sure-local-irq-is-disabled-when-calling-__blkcg_rstat_flush.patch
 io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch
+x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
diff --git a/queue-6.3/x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch b/queue-6.3/x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
new file mode 100644
index 00000000000..8f8553dc65f
--- /dev/null
+++ b/queue-6.3/x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
@@ -0,0 +1,57 @@
+From d082d48737c75d2b3cc1f972b8c8674c25131534 Mon Sep 17 00:00:00 2001
+From: Lee Jones
+Date: Wed, 14 Jun 2023 17:38:54 +0100
+Subject: x86/mm: Avoid using set_pgd() outside of real PGD pages
+
+From: Lee Jones
+
+commit d082d48737c75d2b3cc1f972b8c8674c25131534 upstream.
+
+KPTI keeps around two PGDs: one for userspace and another for the
+kernel. Among other things, set_pgd() contains infrastructure to
+ensure that updates to the kernel PGD are reflected in the user PGD
+as well.
+
+One side-effect of this is that set_pgd() expects to be passed whole
+pages. Unfortunately, init_trampoline_kaslr() passes in a single entry:
+'trampoline_pgd_entry'.
+
+When KPTI is on, set_pgd() will update 'trampoline_pgd_entry' (an
+8-Byte globally stored [.bss] variable) and will then proceed to
+replicate that value into the non-existent neighboring user page
+(located +4k away), leading to the corruption of other global [.bss]
+stored variables.
+
+Fix it by directly assigning 'trampoline_pgd_entry' and avoiding
+set_pgd().
+
+[ dhansen: tweak subject and changelog ]
+
+Fixes: 0925dda5962e ("x86/mm/KASLR: Use only one PUD entry for real mode trampoline")
+Suggested-by: Dave Hansen
+Signed-off-by: Lee Jones
+Signed-off-by: Dave Hansen
+Cc:
+Link: https://lore.kernel.org/all/20230614163859.924309-1-lee@kernel.org/g
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/kaslr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/mm/kaslr.c
++++ b/arch/x86/mm/kaslr.c
+@@ -172,10 +172,10 @@ void __meminit init_trampoline_kaslr(voi
+ set_p4d(p4d_tramp,
+ __p4d(_KERNPG_TABLE | __pa(pud_page_tramp)));
+
+- set_pgd(&trampoline_pgd_entry,
+- __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp)));
++ trampoline_pgd_entry =
++ __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp));
+ } else {
+- set_pgd(&trampoline_pgd_entry,
+- __pgd(_KERNPG_TABLE | __pa(pud_page_tramp)));
++ trampoline_pgd_entry =
++ __pgd(_KERNPG_TABLE | __pa(pud_page_tramp));
+ }
+ }
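Review bot: The two new direct assignments `trampoline_pgd_entry = __pgd(...)` deliberately bypass set_pgd(), but nothing in the code itself records why, so a later cleanup that "restores" the accessor would silently bring back the out-of-bounds .bss write the changelog describes under KPTI. A short comment above the first assignment, `/* Not a real PGD page: set_pgd() would mirror into a non-existent user PGD. */`, would keep that constraint in the source instead of only in git history. The enclosing init_trampoline_kaslr() begins before the hunk, so the condition that selects the p4d and pud branches is not visible here.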