+++ /dev/null
-From 8caa016bfc129f2c925d52da43022171d1d1de91 Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Wed, 20 Nov 2019 12:59:13 -0800
-Subject: selftests/x86/mov_ss_trap: Fix the SYSENTER test
-
-From: Andy Lutomirski <luto@kernel.org>
-
-commit 8caa016bfc129f2c925d52da43022171d1d1de91 upstream.
-
-For reasons that I haven't quite fully diagnosed, running
-mov_ss_trap_32 on a 32-bit kernel results in an infinite loop in
-userspace. This appears to be because the hacky SYSENTER test
-doesn't segfault as desired; instead it corrupts the program state
-such that it infinite loops.
-
-Fix it by explicitly clearing EBP before doing SYSENTER. This will
-give a more reliable segfault.
-
-Fixes: 59c2a7226fc5 ("x86/selftests: Add mov_to_ss test")
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: stable@kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- tools/testing/selftests/x86/mov_ss_trap.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/tools/testing/selftests/x86/mov_ss_trap.c
-+++ b/tools/testing/selftests/x86/mov_ss_trap.c
-@@ -257,7 +257,8 @@ int main()
- err(1, "sigaltstack");
- sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND | SA_ONSTACK);
- nr = SYS_getpid;
-- asm volatile ("mov %[ss], %%ss; SYSENTER" : "+a" (nr)
-+ /* Clear EBP first to make sure we segfault cleanly. */
-+ asm volatile ("xorl %%ebp, %%ebp; mov %[ss], %%ss; SYSENTER" : "+a" (nr)
- : [ss] "m" (ss) : "flags", "rcx"
- #ifdef __x86_64__
- , "r11"
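Review bot: The new comment on the `xorl %%ebp, %%ebp` line says what is done but not why it is safe: the asm now overwrites EBP while the clobber list still names only "flags", "rcx" (and "r11" on 64-bit). That presumably holds only because this path is meant to leave through the SIGSEGV handler installed two lines above (`handle_and_longjmp`) and never fall through to code that uses the frame pointer. I would spell that out, e.g. `/* Clear EBP so SYSENTER faults cleanly; EBP stays trashed, we only leave via the SIGSEGV longjmp. */`. The asm statement and the rest of main() run past the end of the hunk, so what follows it is not visible here.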
+++ /dev/null
-From 4d2fa82d98d2d296043a04eb517d7dbade5b13b8 Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Wed, 20 Nov 2019 11:58:32 -0800
-Subject: selftests/x86/sigreturn/32: Invalidate DS and ES when abusing the kernel
-
-From: Andy Lutomirski <luto@kernel.org>
-
-commit 4d2fa82d98d2d296043a04eb517d7dbade5b13b8 upstream.
-
-If the kernel accidentally uses DS or ES while the user values are
-loaded, it will work fine for sane userspace. In the interest of
-simulating maximally insane userspace, make sigreturn_32 zero out DS
-and ES for the nasty parts so that inadvertent use of these segments
-will crash.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: stable@kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- tools/testing/selftests/x86/sigreturn.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
---- a/tools/testing/selftests/x86/sigreturn.c
-+++ b/tools/testing/selftests/x86/sigreturn.c
-@@ -459,6 +459,19 @@ static void sigusr1(int sig, siginfo_t *
- ctx->uc_mcontext.gregs[REG_SP] = (unsigned long)0x8badf00d5aadc0deULL;
- ctx->uc_mcontext.gregs[REG_CX] = 0;
-
-+#ifdef __i386__
-+ /*
-+ * Make sure the kernel doesn't inadvertently use DS or ES-relative
-+ * accesses in a region where user DS or ES is loaded.
-+ *
-+ * Skip this for 64-bit builds because long mode doesn't care about
-+ * DS and ES and skipping it increases test coverage a little bit,
-+ * since 64-bit kernels can still run the 32-bit build.
-+ */
-+ ctx->uc_mcontext.gregs[REG_DS] = 0;
-+ ctx->uc_mcontext.gregs[REG_ES] = 0;
-+#endif
-+
- memcpy(&requested_regs, &ctx->uc_mcontext.gregs, sizeof(gregset_t));
- requested_regs[REG_CX] = *ssptr(ctx); /* The asm code does this. */
-
+++ /dev/null
-From 05b042a1944322844eaae7ea596d5f154166d68a Mon Sep 17 00:00:00 2001
-From: Ingo Molnar <mingo@kernel.org>
-Date: Sun, 24 Nov 2019 11:21:44 +0100
-Subject: x86/pti/32: Calculate the various PTI cpu_entry_area sizes correctly, make the CPU_ENTRY_AREA_PAGES assert precise
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Ingo Molnar <mingo@kernel.org>
-
-commit 05b042a1944322844eaae7ea596d5f154166d68a upstream.
-
-When two recent commits that increased the size of the 'struct cpu_entry_area'
-were merged in -tip, the 32-bit defconfig build started failing on the following
-build time assert:
-
- ./include/linux/compiler.h:391:38: error: call to ‘__compiletime_assert_189’ declared with attribute error: BUILD_BUG_ON failed: CPU_ENTRY_AREA_PAGES * PAGE_SIZE < CPU_ENTRY_AREA_MAP_SIZE
- arch/x86/mm/cpu_entry_area.c:189:2: note: in expansion of macro ‘BUILD_BUG_ON’
- In function ‘setup_cpu_entry_area_ptes’,
-
-Which corresponds to the following build time assert:
-
- BUILD_BUG_ON(CPU_ENTRY_AREA_PAGES * PAGE_SIZE < CPU_ENTRY_AREA_MAP_SIZE);
-
-The purpose of this assert is to sanity check the fixed-value definition of
-CPU_ENTRY_AREA_PAGES arch/x86/include/asm/pgtable_32_types.h:
-
- #define CPU_ENTRY_AREA_PAGES (NR_CPUS * 41)
-
-The '41' is supposed to match sizeof(struct cpu_entry_area)/PAGE_SIZE, which value
-we didn't want to define in such a low level header, because it would cause
-dependency hell.
-
-Every time the size of cpu_entry_area is changed, we have to adjust CPU_ENTRY_AREA_PAGES
-accordingly - and this assert is checking that constraint.
-
-But the assert is both imprecise and buggy, primarily because it doesn't
-include the single readonly IDT page that is mapped at CPU_ENTRY_AREA_BASE
-(which begins at a PMD boundary).
-
-This bug was hidden by the fact that by accident CPU_ENTRY_AREA_PAGES is defined
-too large upstream (v5.4-rc8):
-
- #define CPU_ENTRY_AREA_PAGES (NR_CPUS * 40)
-
-While 'struct cpu_entry_area' is 155648 bytes, or 38 pages. So we had two extra
-pages, which hid the bug.
-
-The following commit (not yet upstream) increased the size to 40 pages:
-
- x86/iopl: ("Restrict iopl() permission scope")
-
-... but increased CPU_ENTRY_AREA_PAGES only 41 - i.e. shortening the gap
-to just 1 extra page.
-
-Then another not-yet-upstream commit changed the size again:
-
- 880a98c33996: ("x86/cpu_entry_area: Add guard page for entry stack on 32bit")
-
-Which increased the cpu_entry_area size from 38 to 39 pages, but
-didn't change CPU_ENTRY_AREA_PAGES (kept it at 40). This worked
-fine, because we still had a page left from the accidental 'reserve'.
-
-But when these two commits were merged into the same tree, the
-combined size of cpu_entry_area grew from 38 to 40 pages, while
-CPU_ENTRY_AREA_PAGES finally caught up to 40 as well.
-
-Which is fine in terms of functionality, but the assert broke:
-
- BUILD_BUG_ON(CPU_ENTRY_AREA_PAGES * PAGE_SIZE < CPU_ENTRY_AREA_MAP_SIZE);
-
-because CPU_ENTRY_AREA_MAP_SIZE is the total size of the area,
-which is 1 page larger due to the IDT page.
-
-To fix all this, change the assert to two precise asserts:
-
- BUILD_BUG_ON((CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE);
- BUILD_BUG_ON(CPU_ENTRY_AREA_TOTAL_SIZE != CPU_ENTRY_AREA_MAP_SIZE);
-
-This takes the IDT page into account, and also connects the size-based
-define of CPU_ENTRY_AREA_TOTAL_SIZE with the address-subtraction based
-define of CPU_ENTRY_AREA_MAP_SIZE.
-
-Also clean up some of the names which made it rather confusing:
-
- - 'CPU_ENTRY_AREA_TOT_SIZE' wasn't actually the 'total' size of
- the cpu-entry-area, but the per-cpu array size, so rename this
- to CPU_ENTRY_AREA_ARRAY_SIZE.
-
- - Introduce CPU_ENTRY_AREA_TOTAL_SIZE that _is_ the total mapping
- size, with the IDT included.
-
- - Add comments where '+1' denotes the IDT mapping - it wasn't
- obvious and took me about 3 hours to decode...
-
-Finally, because this particular commit is actually applied after
-this patch:
-
- 880a98c33996: ("x86/cpu_entry_area: Add guard page for entry stack on 32bit")
-
-Fix the CPU_ENTRY_AREA_PAGES value from 40 pages to the correct 39 pages.
-
-All future commits that change cpu_entry_area will have to adjust
-this value precisely.
-
-As a side note, we should probably attempt to remove CPU_ENTRY_AREA_PAGES
-and derive its value directly from the structure, without causing
-header hell - but that is an adventure for another day! :-)
-
-Fixes: 880a98c33996: ("x86/cpu_entry_area: Add guard page for entry stack on 32bit")
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: stable@kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/x86/include/asm/cpu_entry_area.h | 12 +++++++-----
- arch/x86/include/asm/pgtable_32_types.h | 8 ++++----
- arch/x86/mm/cpu_entry_area.c | 4 +++-
- 3 files changed, 14 insertions(+), 10 deletions(-)
-
---- a/arch/x86/include/asm/cpu_entry_area.h
-+++ b/arch/x86/include/asm/cpu_entry_area.h
-@@ -45,7 +45,6 @@ struct cpu_entry_area {
- */
- char exception_stacks[(N_EXCEPTION_STACKS - 1) * EXCEPTION_STKSZ + DEBUG_STKSZ];
- #endif
--#ifdef CONFIG_CPU_SUP_INTEL
- /*
- * Per CPU debug store for Intel performance monitoring. Wastes a
- * full page at the moment.
-@@ -56,24 +55,27 @@ struct cpu_entry_area {
- * Reserve enough fixmap PTEs.
- */
- struct debug_store_buffers cpu_debug_buffers;
--#endif
- };
-
--#define CPU_ENTRY_AREA_SIZE (sizeof(struct cpu_entry_area))
--#define CPU_ENTRY_AREA_TOT_SIZE (CPU_ENTRY_AREA_SIZE * NR_CPUS)
-+#define CPU_ENTRY_AREA_SIZE (sizeof(struct cpu_entry_area))
-+#define CPU_ENTRY_AREA_ARRAY_SIZE (CPU_ENTRY_AREA_SIZE * NR_CPUS)
-+
-+/* Total size includes the readonly IDT mapping page as well: */
-+#define CPU_ENTRY_AREA_TOTAL_SIZE (CPU_ENTRY_AREA_ARRAY_SIZE + PAGE_SIZE)
-
- DECLARE_PER_CPU(struct cpu_entry_area *, cpu_entry_area);
-
- extern void setup_cpu_entry_areas(void);
- extern void cea_set_pte(void *cea_vaddr, phys_addr_t pa, pgprot_t flags);
-
-+/* Single page reserved for the readonly IDT mapping: */
- #define CPU_ENTRY_AREA_RO_IDT CPU_ENTRY_AREA_BASE
- #define CPU_ENTRY_AREA_PER_CPU (CPU_ENTRY_AREA_RO_IDT + PAGE_SIZE)
-
- #define CPU_ENTRY_AREA_RO_IDT_VADDR ((void *)CPU_ENTRY_AREA_RO_IDT)
-
- #define CPU_ENTRY_AREA_MAP_SIZE \
-- (CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_TOT_SIZE - CPU_ENTRY_AREA_BASE)
-+ (CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_ARRAY_SIZE - CPU_ENTRY_AREA_BASE)
-
- extern struct cpu_entry_area *get_cpu_entry_area(int cpu);
-
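Review bot: The `#ifdef CONFIG_CPU_SUP_INTEL` / `#endif` pair around `cpu_debug_buffers` is dropped here and in the previous hunk, but neither the commit description nor the member's comment says why. It looks like the member is made unconditional so that sizeof(struct cpu_entry_area) is the same on every config and can be matched by the fixed per-CPU page count in pgtable_32_types.h. If that is the reason, state it at the member, e.g. `/* Always present so the struct size does not depend on CONFIG_CPU_SUP_INTEL. */`. struct cpu_entry_area begins above this hunk, so the rest of its layout is not visible here.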
---- a/arch/x86/include/asm/pgtable_32_types.h
-+++ b/arch/x86/include/asm/pgtable_32_types.h
-@@ -42,11 +42,11 @@ extern bool __vmalloc_start_set; /* set
- * Define this here and validate with BUILD_BUG_ON() in pgtable_32.c
- * to avoid include recursion hell
- */
--#define CPU_ENTRY_AREA_PAGES (NR_CPUS * 40)
-+#define CPU_ENTRY_AREA_PAGES (NR_CPUS * 39)
-
--#define CPU_ENTRY_AREA_BASE \
-- ((FIXADDR_TOT_START - PAGE_SIZE * (CPU_ENTRY_AREA_PAGES + 1)) \
-- & PMD_MASK)
-+/* The +1 is for the readonly IDT page: */
-+#define CPU_ENTRY_AREA_BASE \
-+ ((FIXADDR_TOT_START - PAGE_SIZE*(CPU_ENTRY_AREA_PAGES+1)) & PMD_MASK)
-
- #define PKMAP_BASE \
- ((CPU_ENTRY_AREA_BASE - PAGE_SIZE) & PMD_MASK)
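Review bot: The bare `39` carries no statement of what it must equal, and the context comment above it still points at pgtable_32.c, while the BUILD_BUG_ON()s this commit tightens are in arch/x86/mm/cpu_entry_area.c. Because the new asserts use `!=`, any future change to the size of struct cpu_entry_area will break the 32-bit build until this number is edited, so the next person needs to find it quickly. I would update the comment to something like `/* 39 == sizeof(struct cpu_entry_area) / PAGE_SIZE; checked by BUILD_BUG_ON() in arch/x86/mm/cpu_entry_area.c */`. The comment block starts above the hunk, so its opening lines are not visible here.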
---- a/arch/x86/mm/cpu_entry_area.c
-+++ b/arch/x86/mm/cpu_entry_area.c
-@@ -143,7 +143,9 @@ static __init void setup_cpu_entry_area_
- #ifdef CONFIG_X86_32
- unsigned long start, end;
-
-- BUILD_BUG_ON(CPU_ENTRY_AREA_PAGES * PAGE_SIZE < CPU_ENTRY_AREA_MAP_SIZE);
-+ /* The +1 is for the readonly IDT: */
-+ BUILD_BUG_ON((CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE);
-+ BUILD_BUG_ON(CPU_ENTRY_AREA_TOTAL_SIZE != CPU_ENTRY_AREA_MAP_SIZE);
- BUG_ON(CPU_ENTRY_AREA_BASE & ~PMD_MASK);
-
- start = CPU_ENTRY_AREA_BASE;
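Review bot: The second added assert, `BUILD_BUG_ON(CPU_ENTRY_AREA_TOTAL_SIZE != CPU_ENTRY_AREA_MAP_SIZE);`, cannot fail with the header as patched. CPU_ENTRY_AREA_MAP_SIZE is CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_ARRAY_SIZE - CPU_ENTRY_AREA_BASE, which reduces to CPU_ENTRY_AREA_ARRAY_SIZE + PAGE_SIZE, the definition of CPU_ENTRY_AREA_TOTAL_SIZE. It only guards against the two defines drifting apart later, and the `+1` comment above it covers just the first assert. A line such as `/* Cross-check: size-based and address-based totals must stay identical. */` before it would make that intent clear. setup_cpu_entry_area_ptes() begins and ends outside the hunk.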