+++ /dev/null
-From d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb Mon Sep 17 00:00:00 2001
-From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
-Date: Fri, 18 Jul 2025 15:28:14 +0100
-Subject: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
-
-From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
-
-commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb upstream.
-
-`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change
-to different stacks along with the Shadow Call Stack if it is enabled.
-Those two stack changes cannot be done atomically and both functions
-can be interrupted by SErrors or Debug Exceptions which, though unlikely,
-is very much broken : if interrupted, we can end up with mismatched stacks
-and Shadow Call Stack leading to clobbered stacks.
-
-In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,
-but x18 stills points to the old task's SCS. When the interrupt handler
-tries to save the task's SCS pointer, it will save the old task
-SCS pointer (x18) into the new task struct (pointed to by SP_EL0),
-clobbering it.
-
-In `call_on_irq_stack()`, it can happen when switching from the task stack
-to the IRQ stack and when switching back. In both cases, we can be
-interrupted when the SCS pointer points to the IRQ SCS, but SP points to
-the task stack. The nested interrupt handler pushes its return addresses
-on the IRQ SCS. It then detects that SP points to the task stack,
-calls `call_on_irq_stack()` and clobbers the task SCS pointer with
-the IRQ SCS pointer, which it will also use !
-
-This leads to tasks returning to addresses on the wrong SCS,
-or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK
-or FPAC if enabled.
-
-This is possible on a default config, but unlikely.
-However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and
-instead the GIC is responsible for filtering what interrupts the CPU
-should receive based on priority.
-Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU
-even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*
-frequently depending on the system configuration and workload, leading
-to unpredictable kernel panics.
-
-Completely mask DAIF in `cpu_switch_to()` and restore it when returning.
-Do the same in `call_on_irq_stack()`, but restore and mask around
-the branch.
-Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency
-of behaviour between all configurations.
-
-Introduce and use an assembly macro for saving and masking DAIF,
-as the existing one saves but only masks IF.
-
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
-Reported-by: Cristian Prundeanu <cpru@amazon.com>
-Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt")
-Tested-by: Cristian Prundeanu <cpru@amazon.com>
-Acked-by: Will Deacon <will@kernel.org>
-Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com
-Signed-off-by: Will Deacon <will@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm64/include/asm/assembler.h | 5 +++++
- arch/arm64/kernel/entry.S | 6 ++++++
- 2 files changed, 11 insertions(+)
-
---- a/arch/arm64/include/asm/assembler.h
-+++ b/arch/arm64/include/asm/assembler.h
-@@ -58,6 +58,11 @@
- /*
- * Save/restore interrupts.
- */
-+ .macro save_and_disable_daif, flags
-+ mrs \flags, daif
-+ msr daifset, #0xf
-+ .endm
-+
- .macro save_and_disable_irq, flags
- mrs \flags, daif
- msr daifset, #3
---- a/arch/arm64/kernel/entry.S
-+++ b/arch/arm64/kernel/entry.S
-@@ -833,6 +833,7 @@ SYM_CODE_END(__bp_harden_el1_vectors)
- *
- */
- SYM_FUNC_START(cpu_switch_to)
-+ save_and_disable_daif x11
- mov x10, #THREAD_CPU_CONTEXT
- add x8, x0, x10
- mov x9, sp
-@@ -856,6 +857,7 @@ SYM_FUNC_START(cpu_switch_to)
- ptrauth_keys_install_kernel x1, x8, x9, x10
- scs_save x0
- scs_load_current
-+ restore_irq x11
- ret
- SYM_FUNC_END(cpu_switch_to)
- NOKPROBE(cpu_switch_to)
-@@ -882,6 +884,7 @@ NOKPROBE(ret_from_fork)
- * Calls func(regs) using this CPU's irq stack and shadow irq stack.
- */
- SYM_FUNC_START(call_on_irq_stack)
-+ save_and_disable_daif x9
- #ifdef CONFIG_SHADOW_CALL_STACK
- get_current_task x16
- scs_save x16
-@@ -896,8 +899,10 @@ SYM_FUNC_START(call_on_irq_stack)
-
- /* Move to the new stack and call the function there */
- add sp, x16, #IRQ_STACK_SIZE
-+ restore_irq x9
- blr x1
-
-+ save_and_disable_daif x9
- /*
- * Restore the SP from the FP, and restore the FP and LR from the frame
- * record.
-@@ -905,6 +910,7 @@ SYM_FUNC_START(call_on_irq_stack)
- mov sp, x29
- ldp x29, x30, [sp], #16
- scs_load_current
-+ restore_irq x9
- ret
- SYM_FUNC_END(call_on_irq_stack)
- NOKPROBE(call_on_irq_stack)
i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch
bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch
alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch
-arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch
dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch
+++ /dev/null
-From d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb Mon Sep 17 00:00:00 2001
-From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
-Date: Fri, 18 Jul 2025 15:28:14 +0100
-Subject: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
-
-From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
-
-commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb upstream.
-
-`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change
-to different stacks along with the Shadow Call Stack if it is enabled.
-Those two stack changes cannot be done atomically and both functions
-can be interrupted by SErrors or Debug Exceptions which, though unlikely,
-is very much broken : if interrupted, we can end up with mismatched stacks
-and Shadow Call Stack leading to clobbered stacks.
-
-In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,
-but x18 stills points to the old task's SCS. When the interrupt handler
-tries to save the task's SCS pointer, it will save the old task
-SCS pointer (x18) into the new task struct (pointed to by SP_EL0),
-clobbering it.
-
-In `call_on_irq_stack()`, it can happen when switching from the task stack
-to the IRQ stack and when switching back. In both cases, we can be
-interrupted when the SCS pointer points to the IRQ SCS, but SP points to
-the task stack. The nested interrupt handler pushes its return addresses
-on the IRQ SCS. It then detects that SP points to the task stack,
-calls `call_on_irq_stack()` and clobbers the task SCS pointer with
-the IRQ SCS pointer, which it will also use !
-
-This leads to tasks returning to addresses on the wrong SCS,
-or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK
-or FPAC if enabled.
-
-This is possible on a default config, but unlikely.
-However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and
-instead the GIC is responsible for filtering what interrupts the CPU
-should receive based on priority.
-Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU
-even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*
-frequently depending on the system configuration and workload, leading
-to unpredictable kernel panics.
-
-Completely mask DAIF in `cpu_switch_to()` and restore it when returning.
-Do the same in `call_on_irq_stack()`, but restore and mask around
-the branch.
-Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency
-of behaviour between all configurations.
-
-Introduce and use an assembly macro for saving and masking DAIF,
-as the existing one saves but only masks IF.
-
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
-Reported-by: Cristian Prundeanu <cpru@amazon.com>
-Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt")
-Tested-by: Cristian Prundeanu <cpru@amazon.com>
-Acked-by: Will Deacon <will@kernel.org>
-Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com
-Signed-off-by: Will Deacon <will@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm64/include/asm/assembler.h | 5 +++++
- arch/arm64/kernel/entry.S | 6 ++++++
- 2 files changed, 11 insertions(+)
-
---- a/arch/arm64/include/asm/assembler.h
-+++ b/arch/arm64/include/asm/assembler.h
-@@ -59,6 +59,11 @@
- /*
- * Save/restore interrupts.
- */
-+ .macro save_and_disable_daif, flags
-+ mrs \flags, daif
-+ msr daifset, #0xf
-+ .endm
-+
- .macro save_and_disable_irq, flags
- mrs \flags, daif
- msr daifset, #3
---- a/arch/arm64/kernel/entry.S
-+++ b/arch/arm64/kernel/entry.S
-@@ -827,6 +827,7 @@ SYM_CODE_END(__bp_harden_el1_vectors)
- *
- */
- SYM_FUNC_START(cpu_switch_to)
-+ save_and_disable_daif x11
- mov x10, #THREAD_CPU_CONTEXT
- add x8, x0, x10
- mov x9, sp
-@@ -850,6 +851,7 @@ SYM_FUNC_START(cpu_switch_to)
- ptrauth_keys_install_kernel x1, x8, x9, x10
- scs_save x0
- scs_load_current
-+ restore_irq x11
- ret
- SYM_FUNC_END(cpu_switch_to)
- NOKPROBE(cpu_switch_to)
-@@ -876,6 +878,7 @@ NOKPROBE(ret_from_fork)
- * Calls func(regs) using this CPU's irq stack and shadow irq stack.
- */
- SYM_FUNC_START(call_on_irq_stack)
-+ save_and_disable_daif x9
- #ifdef CONFIG_SHADOW_CALL_STACK
- get_current_task x16
- scs_save x16
-@@ -890,8 +893,10 @@ SYM_FUNC_START(call_on_irq_stack)
-
- /* Move to the new stack and call the function there */
- add sp, x16, #IRQ_STACK_SIZE
-+ restore_irq x9
- blr x1
-
-+ save_and_disable_daif x9
- /*
- * Restore the SP from the FP, and restore the FP and LR from the frame
- * record.
-@@ -899,6 +904,7 @@ SYM_FUNC_START(call_on_irq_stack)
- mov sp, x29
- ldp x29, x30, [sp], #16
- scs_load_current
-+ restore_irq x9
- ret
- SYM_FUNC_END(call_on_irq_stack)
- NOKPROBE(call_on_irq_stack)
i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch
bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch
alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch
-arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch
dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
