From: Sasha Levin Date: Thu, 6 Jun 2019 13:27:15 +0000 (-0400) Subject: fixes for 5.1 X-Git-Tag: v5.1.8~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93cb7efba07833bf85a316566afa8d3f5d85a1bf;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.1 Signed-off-by: Sasha Levin --- diff --git a/queue-5.1/series b/queue-5.1/series index 05ee8a6472..3d446f69d7 100644 --- a/queue-5.1/series +++ b/queue-5.1/series @@ -82,3 +82,4 @@ drm-rockchip-shutdown-drm-subsystem-on-shutdown.patch drm-lease-make-sure-implicit-planes-are-leased.patch drm-cma-helper-fix-drm_gem_cma_free_object.patch revert-x86-build-move-_etext-to-actual-end-of-.text.patch +x86-kprobes-set-instruction-page-as-executable.patch diff --git a/queue-5.1/x86-kprobes-set-instruction-page-as-executable.patch b/queue-5.1/x86-kprobes-set-instruction-page-as-executable.patch new file mode 100644 index 0000000000..7518adf6f7 --- /dev/null +++ b/queue-5.1/x86-kprobes-set-instruction-page-as-executable.patch 
@@ -0,0 +1,83 @@ +From 762f9e6a8d492f6568700d856b47cc6346962b4c Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Thu, 25 Apr 2019 17:11:30 -0700 +Subject: x86/kprobes: Set instruction page as executable + +[ Upstream commit 7298e24f904224fa79eb8fd7e0fbd78950ccf2db ] + +Set the page as executable after allocation. This patch is a +preparatory patch for a following patch that makes module allocated +pages non-executable. + +While at it, do some small cleanup of what appears to be unnecessary +masking. + +Signed-off-by: Nadav Amit +Signed-off-by: Rick Edgecombe +Signed-off-by: Peter Zijlstra (Intel) +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Rik van Riel +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190426001143.4983-11-namit@vmware.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/kprobes/core.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index fed46ddb1eef..06058c44ab57 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -431,8 +431,20 @@ void *alloc_insn_page(void) + void *page; + + page = module_alloc(PAGE_SIZE); +- if (page) +- set_memory_ro((unsigned long)page & PAGE_MASK, 1); ++ if (!page) ++ return NULL; ++ ++ /* ++ * First make the page read-only, and only then make it executable to ++ * prevent it from being W+X in between. ++ */ ++ set_memory_ro((unsigned long)page, 1); ++ ++ /* ++ * TODO: Once additional kernel code protection mechanisms are set, ensure ++ * that the page was not maliciously altered and it is still zeroed. 
++ */ ++ set_memory_x((unsigned long)page, 1); + + return page; + } +@@ -440,8 +452,12 @@ void *alloc_insn_page(void) + /* Recover page to RW mode before releasing it */ + void free_insn_page(void *page) + { +- set_memory_nx((unsigned long)page & PAGE_MASK, 1); +- set_memory_rw((unsigned long)page & PAGE_MASK, 1); ++ /* ++ * First make the page non-executable, and only then make it writable to ++ * prevent it from being W+X in between. ++ */ ++ set_memory_nx((unsigned long)page, 1); ++ set_memory_rw((unsigned long)page, 1); + module_memfree(page); + } + +-- +2.20.1 +
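Review bot: in the alloc_insn_page() hunk the return values of set_memory_ro() and set_memory_x() are discarded, so if set_memory_ro() fails, the following set_memory_x() leaves the page writable and executable, which is the state the new comment says the ordering prevents. Check each call, and on failure release the page with module_memfree(page) and return NULL so that callers never receive a page with unexpected permissions. The TODO about confirming the page "was not maliciously altered and it is still zeroed" names no mechanism or follow-up; say what it is waiting for so it does not go stale.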
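Review bot: in the free_insn_page() hunk the result of set_memory_nx() is ignored before set_memory_rw() runs, so a failed set_memory_nx() followed by a successful set_memory_rw() produces the W+X page the new comment rules out, and that page is then handed to module_memfree(). Test the return of set_memory_nx() and warn or skip set_memory_rw() when it fails. The unchanged one-line comment above the function, "Recover page to RW mode before releasing it", should also mention the NX step now that the ordering matters.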