6.1-stable patches

added patches:
	x86-tdx-fix-in-kernel-mmio-check.patch

diff --git a/queue-6.1/series b/queue-6.1/series
index 1861431e036cdf728a94324b0023d52dd90020fa..58400f2a3aa84ec0ff2004b0fa802382447000b9 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -386,3 +386,4 @@ iio-magnetometer-ak8975-fix-unexpected-device-error.patch
 libbpf-ensure-undefined-bpf_attr-field-stays-0.patch
 powerpc-allow-config_ppc64_big_endian_elf_abi_v2-with-ld.lld-15.patch
 pci-pm-mark-devices-disconnected-if-upstream-pcie-link-is-down-on-resume.patch
+x86-tdx-fix-in-kernel-mmio-check.patch

diff --git a/queue-6.1/x86-tdx-fix-in-kernel-mmio-check.patch b/queue-6.1/x86-tdx-fix-in-kernel-mmio-check.patch
new file mode 100644 (file)
index 0000000..5ee4578
--- /dev/null
+++ b/queue-6.1/x86-tdx-fix-in-kernel-mmio-check.patch
@@ -0,0 +1,56 @@
+From d4fc4d01471528da8a9797a065982e05090e1d81 Mon Sep 17 00:00:00 2001
+From: "Alexey Gladkov (Intel)" <legion@kernel.org>
+Date: Fri, 13 Sep 2024 19:05:56 +0200
+Subject: x86/tdx: Fix "in-kernel MMIO" check
+
+From: Alexey Gladkov (Intel) <legion@kernel.org>
+
+commit d4fc4d01471528da8a9797a065982e05090e1d81 upstream.
+
+TDX only supports kernel-initiated MMIO operations. The handle_mmio()
+function checks if the #VE exception occurred in the kernel and rejects
+the operation if it did not.
+
+However, userspace can deceive the kernel into performing MMIO on its
+behalf. For example, if userspace can point a syscall to an MMIO address,
+syscall does get_user() or put_user() on it, triggering MMIO #VE. The
+kernel will treat the #VE as in-kernel MMIO.
+
+Ensure that the target MMIO address is within the kernel before decoding
+instruction.
+
+Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO")
+Signed-off-by: Alexey Gladkov (Intel) <legion@kernel.org>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/565a804b80387970460a4ebc67c88d1380f61ad1.1726237595.git.legion%40kernel.org
+Signed-off-by: Alexey Gladkov (Intel) <legion@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/coco/tdx/tdx.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/coco/tdx/tdx.c
++++ b/arch/x86/coco/tdx/tdx.c
+@@ -12,6 +12,7 @@
+ #include <asm/insn.h>
+ #include <asm/insn-eval.h>
+ #include <asm/pgtable.h>
++#include <asm/traps.h>
+ 
+ /* TDX module Call Leaf IDs */
+ #define TDX_GET_INFO                  1
+@@ -371,6 +372,11 @@ static int handle_mmio(struct pt_regs *r
+                       return -EINVAL;
+       }
+ 
++      if (!fault_in_kernel_space(ve->gla)) {
++              WARN_ONCE(1, "Access to userspace address is not supported");
++              return -EINVAL;
++      }
++
+       /*
+        * Reject EPT violation #VEs that split pages.
+        *