From: Greg Kroah-Hartman Date: Mon, 14 Apr 2025 11:58:02 +0000 (+0200) Subject: drop ident_map patch X-Git-Tag: v6.12.24~105 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7608d80911b5a8ef27def10b59072baf819a0931;p=thirdparty%2Fkernel%2Fstable-queue.git drop ident_map patch --- diff --git a/queue-5.10/series b/queue-5.10/series index 4ba6b54584..1b71efd9e2 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -13,7 +13,6 @@ x86-cpu-don-t-clear-x86_feature_lahf_lm-flag-in-init.patch perf-arm_pmu-don-t-disable-counter-in-armpmu_add.patch arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch xen-mcelog-add-__nonstring-annotations-for-untermina.patch -x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch hid-pidff-convert-infinite-length-from-linux-api-to-.patch hid-pidff-do-not-send-effect-envelope-if-it-s-empty.patch hid-pidff-fix-null-pointer-dereference-in-pidff_find.patch diff --git a/queue-5.10/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch b/queue-5.10/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch deleted file mode 100644 index 469f3ff212..0000000000 --- a/queue-5.10/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 5b511ca368ba896f40559c7639510ed199bf2a1e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 16 Oct 2024 14:14:55 +0300 -Subject: x86/mm/ident_map: Fix theoretical virtual address overflow to zero - -From: Kirill A. Shutemov - -[ Upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab ] - -The current calculation of the 'next' virtual address in the -page table initialization functions in arch/x86/mm/ident_map.c -doesn't protect against wrapping to zero. - -This is a theoretical issue that cannot happen currently, -the problematic case is possible only if the user sets a -high enough x86_mapping_info::offset value - which no -current code in the upstream kernel does. - -( The wrapping to zero only occurs if the top PGD entry is accessed. - There are no such users upstream. Only hibernate_64.c uses - x86_mapping_info::offset, and it operates on the direct mapping - range, which is not the top PGD entry. ) - -Should such an overflow happen, it can result in page table -corruption and a hang. - -To future-proof this code, replace the manual 'next' calculation -with p?d_addr_end() which handles wrapping correctly. - -[ Backporter's note: there's no need to backport this patch. ] - -Signed-off-by: Kirill A. 
Shutemov -Signed-off-by: Ingo Molnar -Reviewed-by: Kai Huang -Reviewed-by: Tom Lendacky -Cc: Andy Lutomirski -Cc: Linus Torvalds -Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com -Signed-off-by: Sasha Levin ---- - arch/x86/mm/ident_map.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - -diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c -index 968d7005f4a72..2f383e288c430 100644 ---- a/arch/x86/mm/ident_map.c -+++ b/arch/x86/mm/ident_map.c -@@ -27,9 +27,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page, - pud_t *pud = pud_page + pud_index(addr); - pmd_t *pmd; - -- next = (addr & PUD_MASK) + PUD_SIZE; -- if (next > end) -- next = end; -+ next = pud_addr_end(addr, end); - - if (info->direct_gbpages) { - pud_t pudval; -@@ -68,10 +66,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page, - p4d_t *p4d = p4d_page + p4d_index(addr); - pud_t *pud; - -- next = (addr & P4D_MASK) + P4D_SIZE; -- if (next > end) -- next = end; -- -+ next = p4d_addr_end(addr, end); - if (p4d_present(*p4d)) { - pud = pud_offset(p4d, 0); - result = ident_pud_init(info, pud, addr, next); -@@ -113,10 +108,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page, - pgd_t *pgd = pgd_page + pgd_index(addr); - p4d_t *p4d; - -- next = (addr & PGDIR_MASK) + PGDIR_SIZE; -- if (next > end) -- next = end; -- -+ next = pgd_addr_end(addr, end); - if (pgd_present(*pgd)) { - p4d = p4d_offset(pgd, 0); - result = ident_p4d_init(info, p4d, addr, next); --- -2.39.5 - diff --git a/queue-5.15/series b/queue-5.15/series index dc802b0bda..22c7247eff 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -14,7 +14,6 @@ x86-cpu-don-t-clear-x86_feature_lahf_lm-flag-in-init.patch perf-arm_pmu-don-t-disable-counter-in-armpmu_add.patch arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch xen-mcelog-add-__nonstring-annotations-for-untermina.patch -x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch hid-pidff-convert-infinite-length-from-linux-api-to-.patch hid-pidff-do-not-send-effect-envelope-if-it-s-empty.patch hid-pidff-fix-null-pointer-dereference-in-pidff_find.patch diff --git a/queue-5.15/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch b/queue-5.15/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch deleted file mode 100644 index 0da43b2c57..0000000000 --- a/queue-5.15/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From f915f4bd41ad619ca5a481a67c0f10b3c63028b2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 16 Oct 2024 14:14:55 +0300 -Subject: x86/mm/ident_map: Fix theoretical virtual address overflow to zero - -From: Kirill A. Shutemov - -[ Upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab ] - -The current calculation of the 'next' virtual address in the -page table initialization functions in arch/x86/mm/ident_map.c -doesn't protect against wrapping to zero. - -This is a theoretical issue that cannot happen currently, -the problematic case is possible only if the user sets a -high enough x86_mapping_info::offset value - which no -current code in the upstream kernel does. - -( The wrapping to zero only occurs if the top PGD entry is accessed. - There are no such users upstream. Only hibernate_64.c uses - x86_mapping_info::offset, and it operates on the direct mapping - range, which is not the top PGD entry. ) - -Should such an overflow happen, it can result in page table -corruption and a hang. - -To future-proof this code, replace the manual 'next' calculation -with p?d_addr_end() which handles wrapping correctly. - -[ Backporter's note: there's no need to backport this patch. ] - -Signed-off-by: Kirill A. 
Shutemov -Signed-off-by: Ingo Molnar -Reviewed-by: Kai Huang -Reviewed-by: Tom Lendacky -Cc: Andy Lutomirski -Cc: Linus Torvalds -Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com -Signed-off-by: Sasha Levin ---- - arch/x86/mm/ident_map.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - -diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c -index 968d7005f4a72..2f383e288c430 100644 ---- a/arch/x86/mm/ident_map.c -+++ b/arch/x86/mm/ident_map.c -@@ -27,9 +27,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page, - pud_t *pud = pud_page + pud_index(addr); - pmd_t *pmd; - -- next = (addr & PUD_MASK) + PUD_SIZE; -- if (next > end) -- next = end; -+ next = pud_addr_end(addr, end); - - if (info->direct_gbpages) { - pud_t pudval; -@@ -68,10 +66,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page, - p4d_t *p4d = p4d_page + p4d_index(addr); - pud_t *pud; - -- next = (addr & P4D_MASK) + P4D_SIZE; -- if (next > end) -- next = end; -- -+ next = p4d_addr_end(addr, end); - if (p4d_present(*p4d)) { - pud = pud_offset(p4d, 0); - result = ident_pud_init(info, pud, addr, next); -@@ -113,10 +108,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page, - pgd_t *pgd = pgd_page + pgd_index(addr); - p4d_t *p4d; - -- next = (addr & PGDIR_MASK) + PGDIR_SIZE; -- if (next > end) -- next = end; -- -+ next = pgd_addr_end(addr, end); - if (pgd_present(*pgd)) { - p4d = p4d_offset(pgd, 0); - result = ident_p4d_init(info, p4d, addr, next); --- -2.39.5 - diff --git a/queue-5.4/series b/queue-5.4/series index 68de8876e1..f343575a1d 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -8,7 +8,6 @@ pm-cpupower-bench-prevent-null-dereference-on-malloc.patch x86-cpu-don-t-clear-x86_feature_lahf_lm-flag-in-init.patch perf-arm_pmu-don-t-disable-counter-in-armpmu_add.patch xen-mcelog-add-__nonstring-annotations-for-untermina.patch -x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch hid-pidff-convert-infinite-length-from-linux-api-to-.patch hid-pidff-do-not-send-effect-envelope-if-it-s-empty.patch hid-pidff-fix-null-pointer-dereference-in-pidff_find.patch diff --git a/queue-5.4/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch b/queue-5.4/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch deleted file mode 100644 index a209b5c400..0000000000 --- a/queue-5.4/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From c838fe3ec8d4e3f10a5e784fb8caad02e6aa9683 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 16 Oct 2024 14:14:55 +0300 -Subject: x86/mm/ident_map: Fix theoretical virtual address overflow to zero - -From: Kirill A. Shutemov - -[ Upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab ] - -The current calculation of the 'next' virtual address in the -page table initialization functions in arch/x86/mm/ident_map.c -doesn't protect against wrapping to zero. - -This is a theoretical issue that cannot happen currently, -the problematic case is possible only if the user sets a -high enough x86_mapping_info::offset value - which no -current code in the upstream kernel does. - -( The wrapping to zero only occurs if the top PGD entry is accessed. - There are no such users upstream. Only hibernate_64.c uses - x86_mapping_info::offset, and it operates on the direct mapping - range, which is not the top PGD entry. ) - -Should such an overflow happen, it can result in page table -corruption and a hang. - -To future-proof this code, replace the manual 'next' calculation -with p?d_addr_end() which handles wrapping correctly. - -[ Backporter's note: there's no need to backport this patch. ] - -Signed-off-by: Kirill A. 
Shutemov -Signed-off-by: Ingo Molnar -Reviewed-by: Kai Huang -Reviewed-by: Tom Lendacky -Cc: Andy Lutomirski -Cc: Linus Torvalds -Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com -Signed-off-by: Sasha Levin ---- - arch/x86/mm/ident_map.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - -diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c -index 968d7005f4a72..2f383e288c430 100644 ---- a/arch/x86/mm/ident_map.c -+++ b/arch/x86/mm/ident_map.c -@@ -27,9 +27,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page, - pud_t *pud = pud_page + pud_index(addr); - pmd_t *pmd; - -- next = (addr & PUD_MASK) + PUD_SIZE; -- if (next > end) -- next = end; -+ next = pud_addr_end(addr, end); - - if (info->direct_gbpages) { - pud_t pudval; -@@ -68,10 +66,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page, - p4d_t *p4d = p4d_page + p4d_index(addr); - pud_t *pud; - -- next = (addr & P4D_MASK) + P4D_SIZE; -- if (next > end) -- next = end; -- -+ next = p4d_addr_end(addr, end); - if (p4d_present(*p4d)) { - pud = pud_offset(p4d, 0); - result = ident_pud_init(info, pud, addr, next); -@@ -113,10 +108,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page, - pgd_t *pgd = pgd_page + pgd_index(addr); - p4d_t *p4d; - -- next = (addr & PGDIR_MASK) + PGDIR_SIZE; -- if (next > end) -- next = end; -- -+ next = pgd_addr_end(addr, end); - if (pgd_present(*pgd)) { - p4d = p4d_offset(pgd, 0); - result = ident_p4d_init(info, p4d, addr, next); --- -2.39.5 - diff --git a/queue-6.1/series b/queue-6.1/series index a4929294cf..3d1b036ceb 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -23,7 +23,6 @@ x86-cpu-don-t-clear-x86_feature_lahf_lm-flag-in-init.patch perf-arm_pmu-don-t-disable-counter-in-armpmu_add.patch arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch xen-mcelog-add-__nonstring-annotations-for-untermina.patch -x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch hid-pidff-convert-infinite-length-from-linux-api-to-.patch hid-pidff-do-not-send-effect-envelope-if-it-s-empty.patch hid-pidff-fix-null-pointer-dereference-in-pidff_find.patch diff --git a/queue-6.1/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch b/queue-6.1/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch deleted file mode 100644 index 5d8c6d23d1..0000000000 --- a/queue-6.1/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From cd3413b149bb9ca0c632f403a6ef0f6ab9e29ad9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 16 Oct 2024 14:14:55 +0300 -Subject: x86/mm/ident_map: Fix theoretical virtual address overflow to zero - -From: Kirill A. Shutemov - -[ Upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab ] - -The current calculation of the 'next' virtual address in the -page table initialization functions in arch/x86/mm/ident_map.c -doesn't protect against wrapping to zero. - -This is a theoretical issue that cannot happen currently, -the problematic case is possible only if the user sets a -high enough x86_mapping_info::offset value - which no -current code in the upstream kernel does. - -( The wrapping to zero only occurs if the top PGD entry is accessed. - There are no such users upstream. Only hibernate_64.c uses - x86_mapping_info::offset, and it operates on the direct mapping - range, which is not the top PGD entry. ) - -Should such an overflow happen, it can result in page table -corruption and a hang. - -To future-proof this code, replace the manual 'next' calculation -with p?d_addr_end() which handles wrapping correctly. - -[ Backporter's note: there's no need to backport this patch. ] - -Signed-off-by: Kirill A. 
Shutemov -Signed-off-by: Ingo Molnar -Reviewed-by: Kai Huang -Reviewed-by: Tom Lendacky -Cc: Andy Lutomirski -Cc: Linus Torvalds -Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com -Signed-off-by: Sasha Levin ---- - arch/x86/mm/ident_map.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - -diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c -index 968d7005f4a72..2f383e288c430 100644 ---- a/arch/x86/mm/ident_map.c -+++ b/arch/x86/mm/ident_map.c -@@ -27,9 +27,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page, - pud_t *pud = pud_page + pud_index(addr); - pmd_t *pmd; - -- next = (addr & PUD_MASK) + PUD_SIZE; -- if (next > end) -- next = end; -+ next = pud_addr_end(addr, end); - - if (info->direct_gbpages) { - pud_t pudval; -@@ -68,10 +66,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page, - p4d_t *p4d = p4d_page + p4d_index(addr); - pud_t *pud; - -- next = (addr & P4D_MASK) + P4D_SIZE; -- if (next > end) -- next = end; -- -+ next = p4d_addr_end(addr, end); - if (p4d_present(*p4d)) { - pud = pud_offset(p4d, 0); - result = ident_pud_init(info, pud, addr, next); -@@ -113,10 +108,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page, - pgd_t *pgd = pgd_page + pgd_index(addr); - p4d_t *p4d; - -- next = (addr & PGDIR_MASK) + PGDIR_SIZE; -- if (next > end) -- next = end; -- -+ next = pgd_addr_end(addr, end); - if (pgd_present(*pgd)) { - p4d = p4d_offset(pgd, 0); - result = ident_p4d_init(info, p4d, addr, next); --- -2.39.5 - diff --git a/queue-6.12/series b/queue-6.12/series index 77d24013ff..ac40e7771b 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -55,7 +55,6 @@ pm-hibernate-avoid-deadlock-in-hibernate_compressor_.patch flush-console-log-from-kernel_power_off.patch arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch xen-mcelog-add-__nonstring-annotations-for-untermina.patch -x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch zstd-increase-dynamic_bmi2-gcc-version-cutoff-from-4.patch platform-chrome-cros_ec_lpc-match-on-framework-acpi-.patch asoc-sof-topology-use-krealloc_array-to-replace-krea.patch diff --git a/queue-6.12/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch b/queue-6.12/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch deleted file mode 100644 index 81b4f90389..0000000000 --- a/queue-6.12/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 8e1fbc0ef68e8d7e62211c000c46c6342d61eee7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 16 Oct 2024 14:14:55 +0300 -Subject: x86/mm/ident_map: Fix theoretical virtual address overflow to zero - -From: Kirill A. Shutemov - -[ Upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab ] - -The current calculation of the 'next' virtual address in the -page table initialization functions in arch/x86/mm/ident_map.c -doesn't protect against wrapping to zero. - -This is a theoretical issue that cannot happen currently, -the problematic case is possible only if the user sets a -high enough x86_mapping_info::offset value - which no -current code in the upstream kernel does. - -( The wrapping to zero only occurs if the top PGD entry is accessed. - There are no such users upstream. Only hibernate_64.c uses - x86_mapping_info::offset, and it operates on the direct mapping - range, which is not the top PGD entry. ) - -Should such an overflow happen, it can result in page table -corruption and a hang. - -To future-proof this code, replace the manual 'next' calculation -with p?d_addr_end() which handles wrapping correctly. - -[ Backporter's note: there's no need to backport this patch. ] - -Signed-off-by: Kirill A. 
Shutemov -Signed-off-by: Ingo Molnar -Reviewed-by: Kai Huang -Reviewed-by: Tom Lendacky -Cc: Andy Lutomirski -Cc: Linus Torvalds -Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com -Signed-off-by: Sasha Levin ---- - arch/x86/mm/ident_map.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - -diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c -index 5ab7bd2f1983c..bd5d101c5c379 100644 ---- a/arch/x86/mm/ident_map.c -+++ b/arch/x86/mm/ident_map.c -@@ -101,9 +101,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page, - pmd_t *pmd; - bool use_gbpage; - -- next = (addr & PUD_MASK) + PUD_SIZE; -- if (next > end) -- next = end; -+ next = pud_addr_end(addr, end); - - /* if this is already a gbpage, this portion is already mapped */ - if (pud_leaf(*pud)) -@@ -154,10 +152,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page, - p4d_t *p4d = p4d_page + p4d_index(addr); - pud_t *pud; - -- next = (addr & P4D_MASK) + P4D_SIZE; -- if (next > end) -- next = end; -- -+ next = p4d_addr_end(addr, end); - if (p4d_present(*p4d)) { - pud = pud_offset(p4d, 0); - result = ident_pud_init(info, pud, addr, next); -@@ -199,10 +194,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page, - pgd_t *pgd = pgd_page + pgd_index(addr); - p4d_t *p4d; - -- next = (addr & PGDIR_MASK) + PGDIR_SIZE; -- if (next > end) -- next = end; -- -+ next = pgd_addr_end(addr, end); - if (pgd_present(*pgd)) { - p4d = p4d_offset(pgd, 0); - result = ident_p4d_init(info, p4d, addr, next); --- -2.39.5 - diff --git a/queue-6.13/series b/queue-6.13/series index 45456f086f..dd4c9ee804 100644 --- a/queue-6.13/series +++ b/queue-6.13/series 
@@ -54,7 +54,6 @@ pm-hibernate-avoid-deadlock-in-hibernate_compressor_.patch flush-console-log-from-kernel_power_off.patch arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch xen-mcelog-add-__nonstring-annotations-for-untermina.patch -x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch zstd-increase-dynamic_bmi2-gcc-version-cutoff-from-4.patch tracing-disable-branch-profiling-in-noinstr-code.patch platform-chrome-cros_ec_lpc-match-on-framework-acpi-.patch diff --git a/queue-6.13/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch b/queue-6.13/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch deleted file mode 100644 index b520eaa2cb..0000000000 --- a/queue-6.13/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 7128b2f4e41a2b021024562af7b93cfd788d2b46 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 16 Oct 2024 14:14:55 +0300 -Subject: x86/mm/ident_map: Fix theoretical virtual address overflow to zero - -From: Kirill A. Shutemov - -[ Upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab ] - -The current calculation of the 'next' virtual address in the -page table initialization functions in arch/x86/mm/ident_map.c -doesn't protect against wrapping to zero. - -This is a theoretical issue that cannot happen currently, -the problematic case is possible only if the user sets a -high enough x86_mapping_info::offset value - which no -current code in the upstream kernel does. - -( The wrapping to zero only occurs if the top PGD entry is accessed. - There are no such users upstream. Only hibernate_64.c uses - x86_mapping_info::offset, and it operates on the direct mapping - range, which is not the top PGD entry. ) - -Should such an overflow happen, it can result in page table -corruption and a hang. - -To future-proof this code, replace the manual 'next' calculation -with p?d_addr_end() which handles wrapping correctly. - -[ Backporter's note: there's no need to backport this patch. ] - -Signed-off-by: Kirill A. 
Shutemov -Signed-off-by: Ingo Molnar -Reviewed-by: Kai Huang -Reviewed-by: Tom Lendacky -Cc: Andy Lutomirski -Cc: Linus Torvalds -Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com -Signed-off-by: Sasha Levin ---- - arch/x86/mm/ident_map.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - -diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c -index 5ab7bd2f1983c..bd5d101c5c379 100644 ---- a/arch/x86/mm/ident_map.c -+++ b/arch/x86/mm/ident_map.c -@@ -101,9 +101,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page, - pmd_t *pmd; - bool use_gbpage; - -- next = (addr & PUD_MASK) + PUD_SIZE; -- if (next > end) -- next = end; -+ next = pud_addr_end(addr, end); - - /* if this is already a gbpage, this portion is already mapped */ - if (pud_leaf(*pud)) -@@ -154,10 +152,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page, - p4d_t *p4d = p4d_page + p4d_index(addr); - pud_t *pud; - -- next = (addr & P4D_MASK) + P4D_SIZE; -- if (next > end) -- next = end; -- -+ next = p4d_addr_end(addr, end); - if (p4d_present(*p4d)) { - pud = pud_offset(p4d, 0); - result = ident_pud_init(info, pud, addr, next); -@@ -199,10 +194,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page, - pgd_t *pgd = pgd_page + pgd_index(addr); - p4d_t *p4d; - -- next = (addr & PGDIR_MASK) + PGDIR_SIZE; -- if (next > end) -- next = end; -- -+ next = pgd_addr_end(addr, end); - if (pgd_present(*pgd)) { - p4d = p4d_offset(pgd, 0); - result = ident_p4d_init(info, p4d, addr, next); --- -2.39.5 - diff --git a/queue-6.14/series b/queue-6.14/series index 66503b5f00..882c25322b 100644 --- a/queue-6.14/series +++ b/queue-6.14/series 
@@ -63,7 +63,6 @@ flush-console-log-from-kernel_power_off.patch cpufreq-amd-pstate-invalidate-cppc_req_cached-during.patch arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch xen-mcelog-add-__nonstring-annotations-for-untermina.patch -x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch zstd-increase-dynamic_bmi2-gcc-version-cutoff-from-4.patch tracing-disable-branch-profiling-in-noinstr-code.patch platform-chrome-cros_ec_lpc-match-on-framework-acpi-.patch diff --git a/queue-6.14/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch b/queue-6.14/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch deleted file mode 100644 index e008bbe60d..0000000000 --- a/queue-6.14/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 271133a4928763e7abb7c4f3aad1bb3e515e0805 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 16 Oct 2024 14:14:55 +0300 -Subject: x86/mm/ident_map: Fix theoretical virtual address overflow to zero - -From: Kirill A. Shutemov - -[ Upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab ] - -The current calculation of the 'next' virtual address in the -page table initialization functions in arch/x86/mm/ident_map.c -doesn't protect against wrapping to zero. - -This is a theoretical issue that cannot happen currently, -the problematic case is possible only if the user sets a -high enough x86_mapping_info::offset value - which no -current code in the upstream kernel does. - -( The wrapping to zero only occurs if the top PGD entry is accessed. - There are no such users upstream. Only hibernate_64.c uses - x86_mapping_info::offset, and it operates on the direct mapping - range, which is not the top PGD entry. ) - -Should such an overflow happen, it can result in page table -corruption and a hang. - -To future-proof this code, replace the manual 'next' calculation -with p?d_addr_end() which handles wrapping correctly. - -[ Backporter's note: there's no need to backport this patch. ] - -Signed-off-by: Kirill A. 
Shutemov -Signed-off-by: Ingo Molnar -Reviewed-by: Kai Huang -Reviewed-by: Tom Lendacky -Cc: Andy Lutomirski -Cc: Linus Torvalds -Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com -Signed-off-by: Sasha Levin ---- - arch/x86/mm/ident_map.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - -diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c -index 5ab7bd2f1983c..bd5d101c5c379 100644 ---- a/arch/x86/mm/ident_map.c -+++ b/arch/x86/mm/ident_map.c -@@ -101,9 +101,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page, - pmd_t *pmd; - bool use_gbpage; - -- next = (addr & PUD_MASK) + PUD_SIZE; -- if (next > end) -- next = end; -+ next = pud_addr_end(addr, end); - - /* if this is already a gbpage, this portion is already mapped */ - if (pud_leaf(*pud)) -@@ -154,10 +152,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page, - p4d_t *p4d = p4d_page + p4d_index(addr); - pud_t *pud; - -- next = (addr & P4D_MASK) + P4D_SIZE; -- if (next > end) -- next = end; -- -+ next = p4d_addr_end(addr, end); - if (p4d_present(*p4d)) { - pud = pud_offset(p4d, 0); - result = ident_pud_init(info, pud, addr, next); -@@ -199,10 +194,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page, - pgd_t *pgd = pgd_page + pgd_index(addr); - p4d_t *p4d; - -- next = (addr & PGDIR_MASK) + PGDIR_SIZE; -- if (next > end) -- next = end; -- -+ next = pgd_addr_end(addr, end); - if (pgd_present(*pgd)) { - p4d = p4d_offset(pgd, 0); - result = ident_p4d_init(info, p4d, addr, next); --- -2.39.5 - diff --git a/queue-6.6/series b/queue-6.6/series index 1adc8ab088..054cfa782d 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
@@ -43,7 +43,6 @@ x86-cpu-don-t-clear-x86_feature_lahf_lm-flag-in-init.patch perf-arm_pmu-don-t-disable-counter-in-armpmu_add.patch arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch xen-mcelog-add-__nonstring-annotations-for-untermina.patch -x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch zstd-increase-dynamic_bmi2-gcc-version-cutoff-from-4.patch asoc-sof-topology-use-krealloc_array-to-replace-krea.patch hid-pidff-convert-infinite-length-from-linux-api-to-.patch diff --git a/queue-6.6/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch b/queue-6.6/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch deleted file mode 100644 index 68f2330da3..0000000000 --- a/queue-6.6/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 9a43b0aa210e8eb94b82fac7690a126290d8a755 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 16 Oct 2024 14:14:55 +0300 -Subject: x86/mm/ident_map: Fix theoretical virtual address overflow to zero - -From: Kirill A. Shutemov - -[ Upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab ] - -The current calculation of the 'next' virtual address in the -page table initialization functions in arch/x86/mm/ident_map.c -doesn't protect against wrapping to zero. - -This is a theoretical issue that cannot happen currently, -the problematic case is possible only if the user sets a -high enough x86_mapping_info::offset value - which no -current code in the upstream kernel does. - -( The wrapping to zero only occurs if the top PGD entry is accessed. - There are no such users upstream. Only hibernate_64.c uses - x86_mapping_info::offset, and it operates on the direct mapping - range, which is not the top PGD entry. ) - -Should such an overflow happen, it can result in page table -corruption and a hang. - -To future-proof this code, replace the manual 'next' calculation -with p?d_addr_end() which handles wrapping correctly. - -[ Backporter's note: there's no need to backport this patch. ] - -Signed-off-by: Kirill A. 
Shutemov -Signed-off-by: Ingo Molnar -Reviewed-by: Kai Huang -Reviewed-by: Tom Lendacky -Cc: Andy Lutomirski -Cc: Linus Torvalds -Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com -Signed-off-by: Sasha Levin ---- - arch/x86/mm/ident_map.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - -diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c -index fe0b2e66ded93..7adf7001473e7 100644 ---- a/arch/x86/mm/ident_map.c -+++ b/arch/x86/mm/ident_map.c -@@ -28,9 +28,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page, - pmd_t *pmd; - bool use_gbpage; - -- next = (addr & PUD_MASK) + PUD_SIZE; -- if (next > end) -- next = end; -+ next = pud_addr_end(addr, end); - - /* if this is already a gbpage, this portion is already mapped */ - if (pud_leaf(*pud)) -@@ -81,10 +79,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page, - p4d_t *p4d = p4d_page + p4d_index(addr); - pud_t *pud; - -- next = (addr & P4D_MASK) + P4D_SIZE; -- if (next > end) -- next = end; -- -+ next = p4d_addr_end(addr, end); - if (p4d_present(*p4d)) { - pud = pud_offset(p4d, 0); - result = ident_pud_init(info, pud, addr, next); -@@ -126,10 +121,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page, - pgd_t *pgd = pgd_page + pgd_index(addr); - p4d_t *p4d; - -- next = (addr & PGDIR_MASK) + PGDIR_SIZE; -- if (next > end) -- next = end; -- -+ next = pgd_addr_end(addr, end); - if (pgd_present(*pgd)) { - p4d = p4d_offset(pgd, 0); - result = ident_p4d_init(info, p4d, addr, next); --- -2.39.5 -
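Review bot: the commit message is only the subject "drop ident_map patch" and gives no reason for the removal, which matters here because the deleted file is described in its own changelog as a fix for page table corruption and a hang. The rationale appears to be in the deleted text itself, "[ Backporter's note: there's no need to backport this patch. ]", together with the statement that the wrap to zero needs a high x86_mapping_info::offset that no upstream code sets. A short body citing that note and upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab would let anyone auditing these stable trees see that the manual `next = (addr & PGDIR_MASK) + PGDIR_SIZE;` calculation was left in place deliberately, and that an out-of-tree caller using a high offset is not covered by the p?d_addr_end() clamp on these branches.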
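Review bot: nothing in the queue-*/series hunks shows whether a later entry in any of the eight series was generated on top of the dropped patch, and the three lines of context around each removed entry list no other arch/x86/mm change to judge by. The series line and the patch file are removed together in queue-5.4, 5.10, 5.15, 6.1, 6.6, 6.12, 6.13 and 6.14, so no entry is left pointing at a missing file, but the deleted files were cut against three different ident_map.c blobs (968d7005f4a72, 5ab7bd2f1983c, fe0b2e66ded93), so a check that each remaining series still applies cleanly has to be run per queue rather than once.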