From: Greg Kroah-Hartman Date: Sun, 25 Jun 2023 17:33:55 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.320~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=78ce2b101f5c0cf4794fcede8eb6f3e8b175cecf;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
---
diff --git a/queue-5.10/series b/queue-5.10/series
index be156270e99..06a0c9549a7 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -24,3 +24,4 @@ io_uring-net-save-msghdr-msg_control-for-retries.patch
 io_uring-net-clear-msg_controllen-on-partial-sendmsg-retry.patch
 io_uring-net-disable-partial-retries-for-recvmsg-with-cmsg.patch
 nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch
+x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
diff --git a/queue-5.10/x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch b/queue-5.10/x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
new file mode 100644
index 00000000000..8f8553dc65f
--- /dev/null
+++ b/queue-5.10/x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
@@ -0,0 +1,57 @@
+From d082d48737c75d2b3cc1f972b8c8674c25131534 Mon Sep 17 00:00:00 2001
+From: Lee Jones
+Date: Wed, 14 Jun 2023 17:38:54 +0100
+Subject: x86/mm: Avoid using set_pgd() outside of real PGD pages
+
+From: Lee Jones
+
+commit d082d48737c75d2b3cc1f972b8c8674c25131534 upstream.
+
+KPTI keeps around two PGDs: one for userspace and another for the
+kernel. Among other things, set_pgd() contains infrastructure to
+ensure that updates to the kernel PGD are reflected in the user PGD
+as well.
+
+One side-effect of this is that set_pgd() expects to be passed whole
+pages. Unfortunately, init_trampoline_kaslr() passes in a single entry:
+'trampoline_pgd_entry'.
+
+When KPTI is on, set_pgd() will update 'trampoline_pgd_entry' (an
+8-Byte globally stored [.bss] variable) and will then proceed to
+replicate that value into the non-existent neighboring user page
+(located +4k away), leading to the corruption of other global [.bss]
+stored variables.
+
+Fix it by directly assigning 'trampoline_pgd_entry' and avoiding
+set_pgd().
+
+[ dhansen: tweak subject and changelog ]
+
+Fixes: 0925dda5962e ("x86/mm/KASLR: Use only one PUD entry for real mode trampoline")
+Suggested-by: Dave Hansen
+Signed-off-by: Lee Jones
+Signed-off-by: Dave Hansen
+Cc:
+Link: https://lore.kernel.org/all/20230614163859.924309-1-lee@kernel.org/g
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/kaslr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/mm/kaslr.c
++++ b/arch/x86/mm/kaslr.c
+@@ -172,10 +172,10 @@ void __meminit init_trampoline_kaslr(voi
+ set_p4d(p4d_tramp,
+ __p4d(_KERNPG_TABLE | __pa(pud_page_tramp)));
+
+- set_pgd(&trampoline_pgd_entry,
+- __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp)));
++ trampoline_pgd_entry =
++ __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp));
+ } else {
+- set_pgd(&trampoline_pgd_entry,
+- __pgd(_KERNPG_TABLE | __pa(pud_page_tramp)));
++ trampoline_pgd_entry =
++ __pgd(_KERNPG_TABLE | __pa(pud_page_tramp));
+ }
+ }
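Review bot: The two new plain assignments to `trampoline_pgd_entry` in the kaslr.c hunk carry no in-code hint of why set_pgd() must be avoided here, so a future "use the accessor" cleanup would silently reintroduce the .bss corruption the changelog describes; add a comment above the first assignment, e.g. `/* Plain store on purpose: trampoline_pgd_entry is a lone pgd_t in .bss, not a PGD page, so set_pgd() would mirror the write into a non-existent user PGD 4k away under KPTI and clobber neighbouring .bss. */`, and a one-line `/* see above */` on the else-branch assignment. Note that the direct store also drops whatever paravirt or WRITE_ONCE handling set_pgd() provides; that looks harmless for an early-boot, single-threaded write to a plain variable, but the place where this entry is later copied into a real PGD page is outside this file and is where any KPTI mirroring would have to happen, which is worth confirming. init_trampoline_kaslr() begins before the hunk, so other writers of trampoline_pgd_entry in the function are not visible here.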