From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 2 Oct 2024 12:44:48 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v6.6.54~14
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3cb87f031fbf78d4b42a2a68b07bfc2f135c8fbe;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
	x86-tdx-fix-in-kernel-mmio-check.patch
---

diff --git a/queue-6.6/series b/queue-6.6/series
index 01f630aa573..62c68b33555 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -535,3 +535,4 @@ libbpf-ensure-undefined-bpf_attr-field-stays-0.patch
 thunderbolt-send-uevent-after-asymmetric-symmetric-switch.patch
 thunderbolt-fix-minimum-allocated-usb-3.x-and-pcie-bandwidth.patch
 thunderbolt-fix-null-pointer-dereference-in-tb_port_update_credits.patch
+x86-tdx-fix-in-kernel-mmio-check.patch
diff --git a/queue-6.6/x86-tdx-fix-in-kernel-mmio-check.patch b/queue-6.6/x86-tdx-fix-in-kernel-mmio-check.patch
new file mode 100644
index 00000000000..5db8f348946
--- /dev/null
+++ b/queue-6.6/x86-tdx-fix-in-kernel-mmio-check.patch
@@ -0,0 +1,56 @@
+From d4fc4d01471528da8a9797a065982e05090e1d81 Mon Sep 17 00:00:00 2001
+From: "Alexey Gladkov (Intel)" <legion@kernel.org>
+Date: Fri, 13 Sep 2024 19:05:56 +0200
+Subject: x86/tdx: Fix "in-kernel MMIO" check
+
+From: Alexey Gladkov (Intel) <legion@kernel.org>
+
+commit d4fc4d01471528da8a9797a065982e05090e1d81 upstream.
+
+TDX only supports kernel-initiated MMIO operations. The handle_mmio()
+function checks if the #VE exception occurred in the kernel and rejects
+the operation if it did not.
+
+However, userspace can deceive the kernel into performing MMIO on its
+behalf. For example, if userspace can point a syscall to an MMIO address,
+syscall does get_user() or put_user() on it, triggering MMIO #VE. The
+kernel will treat the #VE as in-kernel MMIO.
+
+Ensure that the target MMIO address is within the kernel before decoding
+instruction.
+
+Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO")
+Signed-off-by: Alexey Gladkov (Intel) <legion@kernel.org>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/565a804b80387970460a4ebc67c88d1380f61ad1.1726237595.git.legion%40kernel.org
+Signed-off-by: Alexey Gladkov (Intel) <legion@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/coco/tdx/tdx.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/coco/tdx/tdx.c
++++ b/arch/x86/coco/tdx/tdx.c
+@@ -14,6 +14,7 @@
+ #include <asm/insn.h>
+ #include <asm/insn-eval.h>
+ #include <asm/pgtable.h>
++#include <asm/traps.h>
+ 
+ /* MMIO direction */
+ #define EPT_READ	0
+@@ -405,6 +406,11 @@ static int handle_mmio(struct pt_regs *r
+ 			return -EINVAL;
+ 	}
+ 
++	if (!fault_in_kernel_space(ve->gla)) {
++		WARN_ONCE(1, "Access to userspace address is not supported");
++		return -EINVAL;
++	}
++
+ 	/*
+ 	 * Reject EPT violation #VEs that split pages.
+ 	 *