From: Greg Kroah-Hartman Date: Mon, 28 Jul 2025 15:38:38 +0000 (+0200) Subject: drop arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch from 5.15 and 6.1 X-Git-Tag: v6.6.101~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=039ff0b7cbf4a63c098c4e23c8e21f6d8bf70d0b;p=thirdparty%2Fkernel%2Fstable-queue.git drop arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch from 5.15 and 6.1 Was breaking the build --- diff --git a/queue-5.15/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch b/queue-5.15/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch deleted file mode 100644 index 5f315cab48..0000000000 --- a/queue-5.15/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch +++ /dev/null @@ -1,125 +0,0 @@ -From d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb Mon Sep 17 00:00:00 2001 -From: Ada Couprie Diaz -Date: Fri, 18 Jul 2025 15:28:14 +0100 -Subject: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() - -From: Ada Couprie Diaz - -commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb upstream. - -`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change -to different stacks along with the Shadow Call Stack if it is enabled. -Those two stack changes cannot be done atomically and both functions -can be interrupted by SErrors or Debug Exceptions which, though unlikely, -is very much broken : if interrupted, we can end up with mismatched stacks -and Shadow Call Stack leading to clobbered stacks. - -In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, -but x18 stills points to the old task's SCS. When the interrupt handler -tries to save the task's SCS pointer, it will save the old task -SCS pointer (x18) into the new task struct (pointed to by SP_EL0), -clobbering it. - -In `call_on_irq_stack()`, it can happen when switching from the task stack -to the IRQ stack and when switching back. In both cases, we can be -interrupted when the SCS pointer points to the IRQ SCS, but SP points to -the task stack. The nested interrupt handler pushes its return addresses -on the IRQ SCS. It then detects that SP points to the task stack, -calls `call_on_irq_stack()` and clobbers the task SCS pointer with -the IRQ SCS pointer, which it will also use ! - -This leads to tasks returning to addresses on the wrong SCS, -or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK -or FPAC if enabled. - -This is possible on a default config, but unlikely. -However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and -instead the GIC is responsible for filtering what interrupts the CPU -should receive based on priority. -Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU -even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* -frequently depending on the system configuration and workload, leading -to unpredictable kernel panics. - -Completely mask DAIF in `cpu_switch_to()` and restore it when returning. -Do the same in `call_on_irq_stack()`, but restore and mask around -the branch. -Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency -of behaviour between all configurations. - -Introduce and use an assembly macro for saving and masking DAIF, -as the existing one saves but only masks IF. - -Cc: -Signed-off-by: Ada Couprie Diaz -Reported-by: Cristian Prundeanu -Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt") -Tested-by: Cristian Prundeanu -Acked-by: Will Deacon -Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com -Signed-off-by: Will Deacon -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/include/asm/assembler.h | 5 +++++ - arch/arm64/kernel/entry.S | 6 ++++++ - 2 files changed, 11 insertions(+) - ---- a/arch/arm64/include/asm/assembler.h -+++ b/arch/arm64/include/asm/assembler.h -@@ -58,6 +58,11 @@ - /* - * Save/restore interrupts. - */ -+ .macro save_and_disable_daif, flags -+ mrs \flags, daif -+ msr daifset, #0xf -+ .endm -+ - .macro save_and_disable_irq, flags - mrs \flags, daif - msr daifset, #3 ---- a/arch/arm64/kernel/entry.S -+++ b/arch/arm64/kernel/entry.S -@@ -833,6 +833,7 @@ SYM_CODE_END(__bp_harden_el1_vectors) - * - */ - SYM_FUNC_START(cpu_switch_to) -+ save_and_disable_daif x11 - mov x10, #THREAD_CPU_CONTEXT - add x8, x0, x10 - mov x9, sp -@@ -856,6 +857,7 @@ SYM_FUNC_START(cpu_switch_to) - ptrauth_keys_install_kernel x1, x8, x9, x10 - scs_save x0 - scs_load_current -+ restore_irq x11 - ret - SYM_FUNC_END(cpu_switch_to) - NOKPROBE(cpu_switch_to) -@@ -882,6 +884,7 @@ NOKPROBE(ret_from_fork) - * Calls func(regs) using this CPU's irq stack and shadow irq stack. - */ - SYM_FUNC_START(call_on_irq_stack) -+ save_and_disable_daif x9 - #ifdef CONFIG_SHADOW_CALL_STACK - get_current_task x16 - scs_save x16 -@@ -896,8 +899,10 @@ SYM_FUNC_START(call_on_irq_stack) - - /* Move to the new stack and call the function there */ - add sp, x16, #IRQ_STACK_SIZE -+ restore_irq x9 - blr x1 - -+ save_and_disable_daif x9 - /* - * Restore the SP from the FP, and restore the FP and LR from the frame - * record. -@@ -905,6 +910,7 @@ SYM_FUNC_START(call_on_irq_stack) - mov sp, x29 - ldp x29, x30, [sp], #16 - scs_load_current -+ restore_irq x9 - ret - SYM_FUNC_END(call_on_irq_stack) - NOKPROBE(call_on_irq_stack) diff --git a/queue-5.15/series b/queue-5.15/series index 9f6d285ebb..028b182786 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -90,7 +90,6 @@ i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch -arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch diff --git a/queue-6.1/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch b/queue-6.1/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch deleted file mode 100644 index 2112d5f688..0000000000 --- a/queue-6.1/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch +++ /dev/null @@ -1,125 +0,0 @@ -From d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb Mon Sep 17 00:00:00 2001 -From: Ada Couprie Diaz -Date: Fri, 18 Jul 2025 15:28:14 +0100 -Subject: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() - -From: Ada Couprie Diaz - -commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb upstream. - -`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change -to different stacks along with the Shadow Call Stack if it is enabled. -Those two stack changes cannot be done atomically and both functions -can be interrupted by SErrors or Debug Exceptions which, though unlikely, -is very much broken : if interrupted, we can end up with mismatched stacks -and Shadow Call Stack leading to clobbered stacks. - -In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, -but x18 stills points to the old task's SCS. When the interrupt handler -tries to save the task's SCS pointer, it will save the old task -SCS pointer (x18) into the new task struct (pointed to by SP_EL0), -clobbering it. - -In `call_on_irq_stack()`, it can happen when switching from the task stack -to the IRQ stack and when switching back. In both cases, we can be -interrupted when the SCS pointer points to the IRQ SCS, but SP points to -the task stack. The nested interrupt handler pushes its return addresses -on the IRQ SCS. It then detects that SP points to the task stack, -calls `call_on_irq_stack()` and clobbers the task SCS pointer with -the IRQ SCS pointer, which it will also use ! - -This leads to tasks returning to addresses on the wrong SCS, -or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK -or FPAC if enabled. - -This is possible on a default config, but unlikely. -However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and -instead the GIC is responsible for filtering what interrupts the CPU -should receive based on priority. -Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU -even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* -frequently depending on the system configuration and workload, leading -to unpredictable kernel panics. - -Completely mask DAIF in `cpu_switch_to()` and restore it when returning. -Do the same in `call_on_irq_stack()`, but restore and mask around -the branch. -Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency -of behaviour between all configurations. - -Introduce and use an assembly macro for saving and masking DAIF, -as the existing one saves but only masks IF. - -Cc: -Signed-off-by: Ada Couprie Diaz -Reported-by: Cristian Prundeanu -Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt") -Tested-by: Cristian Prundeanu -Acked-by: Will Deacon -Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com -Signed-off-by: Will Deacon -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/include/asm/assembler.h | 5 +++++ - arch/arm64/kernel/entry.S | 6 ++++++ - 2 files changed, 11 insertions(+) - ---- a/arch/arm64/include/asm/assembler.h -+++ b/arch/arm64/include/asm/assembler.h -@@ -59,6 +59,11 @@ - /* - * Save/restore interrupts. - */ -+ .macro save_and_disable_daif, flags -+ mrs \flags, daif -+ msr daifset, #0xf -+ .endm -+ - .macro save_and_disable_irq, flags - mrs \flags, daif - msr daifset, #3 ---- a/arch/arm64/kernel/entry.S -+++ b/arch/arm64/kernel/entry.S -@@ -827,6 +827,7 @@ SYM_CODE_END(__bp_harden_el1_vectors) - * - */ - SYM_FUNC_START(cpu_switch_to) -+ save_and_disable_daif x11 - mov x10, #THREAD_CPU_CONTEXT - add x8, x0, x10 - mov x9, sp -@@ -850,6 +851,7 @@ SYM_FUNC_START(cpu_switch_to) - ptrauth_keys_install_kernel x1, x8, x9, x10 - scs_save x0 - scs_load_current -+ restore_irq x11 - ret - SYM_FUNC_END(cpu_switch_to) - NOKPROBE(cpu_switch_to) -@@ -876,6 +878,7 @@ NOKPROBE(ret_from_fork) - * Calls func(regs) using this CPU's irq stack and shadow irq stack. - */ - SYM_FUNC_START(call_on_irq_stack) -+ save_and_disable_daif x9 - #ifdef CONFIG_SHADOW_CALL_STACK - get_current_task x16 - scs_save x16 -@@ -890,8 +893,10 @@ SYM_FUNC_START(call_on_irq_stack) - - /* Move to the new stack and call the function there */ - add sp, x16, #IRQ_STACK_SIZE -+ restore_irq x9 - blr x1 - -+ save_and_disable_daif x9 - /* - * Restore the SP from the FP, and restore the FP and LR from the frame - * record. -@@ -899,6 +904,7 @@ SYM_FUNC_START(call_on_irq_stack) - mov sp, x29 - ldp x29, x30, [sp], #16 - scs_load_current -+ restore_irq x9 - ret - SYM_FUNC_END(call_on_irq_stack) - NOKPROBE(call_on_irq_stack) diff --git a/queue-6.1/series b/queue-6.1/series index 3a4f535e1f..5b3a2c5ebd 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -29,7 +29,6 @@ i2c-tegra-fix-reset-error-handling-with-acpi.patch i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch -arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch