From db9228354851a0715881d195526b954f8229cce1 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 25 Jun 2023 19:34:16 +0200
Subject: [PATCH] 6.1-stable patches
added patches:
x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
---
 queue-6.1/series | 1 +
 ...ng-set_pgd-outside-of-real-pgd-pages.patch | 57 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 queue-6.1/x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
diff --git a/queue-6.1/series b/queue-6.1/series
index d0be1693a1d..aee963c545d 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -75,3 +75,4 @@ regmap-spi-avmm-fix-regmap_bus-max_raw_write.patch
 arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch
 io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch
 nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch
+x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
diff --git a/queue-6.1/x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch b/queue-6.1/x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
new file mode 100644
index 00000000000..8f8553dc65f
--- /dev/null
+++ b/queue-6.1/x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
@@ -0,0 +1,57 @@
+From d082d48737c75d2b3cc1f972b8c8674c25131534 Mon Sep 17 00:00:00 2001
+From: Lee Jones
+Date: Wed, 14 Jun 2023 17:38:54 +0100
+Subject: x86/mm: Avoid using set_pgd() outside of real PGD pages
+
+From: Lee Jones
+
+commit d082d48737c75d2b3cc1f972b8c8674c25131534 upstream.
+
+KPTI keeps around two PGDs: one for userspace and another for the
+kernel. Among other things, set_pgd() contains infrastructure to
+ensure that updates to the kernel PGD are reflected in the user PGD
+as well.
+
+One side-effect of this is that set_pgd() expects to be passed whole
+pages. Unfortunately, init_trampoline_kaslr() passes in a single entry:
+'trampoline_pgd_entry'.
+
+When KPTI is on, set_pgd() will update 'trampoline_pgd_entry' (an
+8-Byte globally stored [.bss] variable) and will then proceed to
+replicate that value into the non-existent neighboring user page
+(located +4k away), leading to the corruption of other global [.bss]
+stored variables.
+
+Fix it by directly assigning 'trampoline_pgd_entry' and avoiding
+set_pgd().
+
+[ dhansen: tweak subject and changelog ]
+
+Fixes: 0925dda5962e ("x86/mm/KASLR: Use only one PUD entry for real mode trampoline")
+Suggested-by: Dave Hansen
+Signed-off-by: Lee Jones
+Signed-off-by: Dave Hansen
+Cc:
+Link: https://lore.kernel.org/all/20230614163859.924309-1-lee@kernel.org/g
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/kaslr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/mm/kaslr.c
++++ b/arch/x86/mm/kaslr.c
+@@ -172,10 +172,10 @@ void __meminit init_trampoline_kaslr(voi
+ set_p4d(p4d_tramp,
+ __p4d(_KERNPG_TABLE | __pa(pud_page_tramp)));
+ 
+- set_pgd(&trampoline_pgd_entry,
+- __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp)));
++ trampoline_pgd_entry =
++ __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp));
+ } else {
+- set_pgd(&trampoline_pgd_entry,
+- __pgd(_KERNPG_TABLE | __pa(pud_page_tramp)));
++ trampoline_pgd_entry =
++ __pgd(_KERNPG_TABLE | __pa(pud_page_tramp));
+ }
+ }
-- 
2.47.3
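Review bot: The two new `trampoline_pgd_entry =` stores at the tail of the embedded kaslr.c hunk carry no in-code hint of why set_pgd() must not be used here, so the reason given in the changelog (under KPTI, set_pgd() mirrors the write into a user PGD page 4k past the target, which for this lone .bss variable means clobbering neighbouring globals) survives only in the commit text, and a later cleanup could plausibly reinstate the helper. A short comment above the first store, `/* Plain store: set_pgd() would also write 4k past this .bss variable (KPTI user-PGD mirror). */`, would keep the rationale next to the code; the else branch needs the same note or a reference to it. As a backport the change looks faithful: both arms match the upstream commit named in the changelog, and the stable series list is the only other file touched. The start of init_trampoline_kaslr() lies outside the inner hunk, which shows only its closing lines.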