From: Greg Kroah-Hartman Date: Fri, 22 Jul 2022 08:38:42 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.57~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=77a4eab323b53eb1b4fee13b9177abbf7788c8ac;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: efi-x86-use-naked-ret-on-mixed-mode-call-wrapper.patch kvm-emulate-do-not-adjust-size-of-fastop-and-setcc-subroutines.patch x86-kvm-fix-fastop_size-when-return-thunks-are-enabled.patch --- diff --git a/queue-5.15/efi-x86-use-naked-ret-on-mixed-mode-call-wrapper.patch b/queue-5.15/efi-x86-use-naked-ret-on-mixed-mode-call-wrapper.patch new file mode 100644 index 00000000000..f3d28be3e62 --- /dev/null +++ b/queue-5.15/efi-x86-use-naked-ret-on-mixed-mode-call-wrapper.patch 
@@ -0,0 +1,79 @@ +From 51a6fa0732d6be6a44e0032752ad2ac10d67c796 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 15 Jul 2022 16:45:50 -0300 +Subject: efi/x86: use naked RET on mixed mode call wrapper + +From: Thadeu Lima de Souza Cascardo + +commit 51a6fa0732d6be6a44e0032752ad2ac10d67c796 upstream. + +When running with return thunks enabled under 32-bit EFI, the system +crashes with: + + kernel tried to execute NX-protected page - exploit attempt? (uid: 0) + BUG: unable to handle page fault for address: 000000005bc02900 + #PF: supervisor instruction fetch in kernel mode + #PF: error_code(0x0011) - permissions violation + PGD 18f7063 P4D 18f7063 PUD 18ff063 PMD 190e063 PTE 800000005bc02063 + Oops: 0011 [#1] PREEMPT SMP PTI + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc6+ #166 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:0x5bc02900 + Code: Unable to access opcode bytes at RIP 0x5bc028d6. + RSP: 0018:ffffffffb3203e10 EFLAGS: 00010046 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000048 + RDX: 000000000190dfac RSI: 0000000000001710 RDI: 000000007eae823b + RBP: ffffffffb3203e70 R08: 0000000001970000 R09: ffffffffb3203e28 + R10: 747563657865206c R11: 6c6977203a696665 R12: 0000000000001710 + R13: 0000000000000030 R14: 0000000001970000 R15: 0000000000000001 + FS: 0000000000000000(0000) GS:ffff8e013ca00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0018 ES: 0018 CR0: 0000000080050033 + CR2: 000000005bc02900 CR3: 0000000001930000 CR4: 00000000000006f0 + Call Trace: + ? efi_set_virtual_address_map+0x9c/0x175 + efi_enter_virtual_mode+0x4a6/0x53e + start_kernel+0x67c/0x71e + x86_64_start_reservations+0x24/0x2a + x86_64_start_kernel+0xe9/0xf4 + secondary_startup_64_no_verify+0xe5/0xeb + +That's because it cannot jump to the return thunk from the 32-bit code. + +Using a naked RET and marking it as safe allows the system to proceed +booting. 
+ +Fixes: aa3d480315ba ("x86: Use return-thunk in asm code") +Reported-by: Guenter Roeck +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: Peter Zijlstra (Intel) +Cc: Borislav Petkov +Cc: Josh Poimboeuf +Cc: +Tested-by: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/platform/efi/efi_thunk_64.S | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/x86/platform/efi/efi_thunk_64.S ++++ b/arch/x86/platform/efi/efi_thunk_64.S +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + .text + .code64 +@@ -63,7 +64,9 @@ SYM_CODE_START(__efi64_thunk) + 1: movq 24(%rsp), %rsp + pop %rbx + pop %rbp +- RET ++ ANNOTATE_UNRET_SAFE ++ ret ++ int3 + + .code32 + 2: pushl $__KERNEL_CS diff --git a/queue-5.15/kvm-emulate-do-not-adjust-size-of-fastop-and-setcc-subroutines.patch b/queue-5.15/kvm-emulate-do-not-adjust-size-of-fastop-and-setcc-subroutines.patch new file mode 100644 index 00000000000..f44565b785e --- /dev/null +++ b/queue-5.15/kvm-emulate-do-not-adjust-size-of-fastop-and-setcc-subroutines.patch 
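Review bot: The bare `ret` that replaces `RET` in the `@@ -63,7 +64,9 @@` hunk is exempted from the return-thunk check by ANNOTATE_UNRET_SAFE, but nothing in the source records why the exemption is sound, which is exactly the kind of line a later cleanup would "fix" back into `RET` and reintroduce the NX fault in the commit message. A one-line comment above the annotation, `/* Naked RET: the return thunk is not reachable from the 32-bit mixed-mode path (see commit log); the int3 that follows is the straight-line-speculation stop */`, would keep that rationale next to the code. The added `#include` in the first hunk shows no header name in this rendering; presumably an extraction artifact, but worth confirming the queued patch file names the header that defines ANNOTATE_UNRET_SAFE. `__efi64_thunk` begins outside the hunk.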
@@ -0,0 +1,68 @@ +From 79629181607e801c0b41b8790ac4ee2eb5d7bc3e Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 15 Jul 2022 07:34:55 -0400 +Subject: KVM: emulate: do not adjust size of fastop and setcc subroutines + +From: Paolo Bonzini + +commit 79629181607e801c0b41b8790ac4ee2eb5d7bc3e upstream. + +Instead of doing complicated calculations to find the size of the subroutines +(which are even more complicated because they need to be stringified into +an asm statement), just hardcode to 16. + +It is less dense for a few combinations of IBT/SLS/retbleed, but it has +the advantage of being really simple. + +Cc: stable@vger.kernel.org # 5.15.x: 84e7051c0bc1: x86/kvm: fix FASTOP_SIZE when return thunks are enabled +Cc: stable@vger.kernel.org +Suggested-by: Linus Torvalds +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/emulate.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -187,13 +187,6 @@ + #define X8(x...) X4(x), X4(x) + #define X16(x...) X8(x), X8(x) + +-#define NR_FASTOP (ilog2(sizeof(ulong)) + 1) +-#define RET_LENGTH (1 + (4 * IS_ENABLED(CONFIG_RETHUNK)) + \ +- IS_ENABLED(CONFIG_SLS)) +-#define FASTOP_LENGTH (ENDBR_INSN_SIZE + 7 + RET_LENGTH) +-#define FASTOP_SIZE (8 << ((FASTOP_LENGTH > 8) & 1) << ((FASTOP_LENGTH > 16) & 1)) +-static_assert(FASTOP_LENGTH <= FASTOP_SIZE); +- + struct opcode { + u64 flags : 56; + u64 intercept : 8; +@@ -307,9 +300,15 @@ static void invalidate_registers(struct + * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for + * different operand sizes can be reached by calculation, rather than a jump + * table (which would be bigger than the code). ++ * ++ * The 16 byte alignment, considering 5 bytes for the RET thunk, 3 for ENDBR ++ * and 1 for the straight line speculation INT3, leaves 7 bytes for the ++ * body of the function. Currently none is larger than 4. 
+ */ + static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop); + ++#define FASTOP_SIZE 16 ++ + #define __FOP_FUNC(name) \ + ".align " __stringify(FASTOP_SIZE) " \n\t" \ + ".type " name ", @function \n\t" \ +@@ -441,9 +440,7 @@ static int fastop(struct x86_emulate_ctx + * RET | JMP __x86_return_thunk [1,5 bytes; CONFIG_RETHUNK] + * INT3 [1 byte; CONFIG_SLS] + */ +-#define SETCC_LENGTH (3 + RET_LENGTH) +-#define SETCC_ALIGN (4 << ((SETCC_LENGTH > 4) & 1) << ((SETCC_LENGTH > 8) & 1)) +-static_assert(SETCC_LENGTH <= SETCC_ALIGN); ++#define SETCC_ALIGN 16 + + #define FOP_SETCC(op) \ + ".align " __stringify(SETCC_ALIGN) " \n\t" \ diff --git a/queue-5.15/series b/queue-5.15/series index ddefd3857e6..6a76b83c14b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -79,3 +79,6 @@ x86-static_call-serialize-__static_call_fixup-properly.patch x86-xen-fix-initialisation-in-hypercall_page-after-rethunk.patch x86-asm-32-fix-annotate_unret_safe-use-on-32-bit.patch x86-speculation-use-declare_per_cpu-for-x86_spec_ctrl_current.patch +efi-x86-use-naked-ret-on-mixed-mode-call-wrapper.patch +x86-kvm-fix-fastop_size-when-return-thunks-are-enabled.patch +kvm-emulate-do-not-adjust-size-of-fastop-and-setcc-subroutines.patch diff --git a/queue-5.15/x86-kvm-fix-fastop_size-when-return-thunks-are-enabled.patch b/queue-5.15/x86-kvm-fix-fastop_size-when-return-thunks-are-enabled.patch new file mode 100644 index 00000000000..a4ae4faabce --- /dev/null +++ b/queue-5.15/x86-kvm-fix-fastop_size-when-return-thunks-are-enabled.patch 
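Review bot: The new comment in the `@@ -307,9 +300,15 @@` hunk counts 3 bytes for ENDBR, but ENDBR64 encodes to 4 bytes (F3 0F 1E FA), so the arithmetic leaves 6 bytes for the body rather than 7; the conclusion that no body exceeds 4 bytes still holds, but the line should read `* The 16 byte alignment, considering 5 bytes for the RET thunk, 4 for ENDBR`. Removing `static_assert(FASTOP_LENGTH <= FASTOP_SIZE)` and `static_assert(SETCC_LENGTH <= SETCC_ALIGN)` also drops the only build-time check that a subroutine fits its slot, and because fastop and setcc entries are located by address arithmetic an oversized body would again put execution mid-function, the int3 crash described in the companion FASTOP_SIZE patch. A comment at `#define FASTOP_SIZE 16`, `/* fixed slot: every fastop body must fit in 16 bytes minus ENDBR, RET thunk and INT3; no build-time check remains */`, would at least make the obligation visible. The series file orders this patch after the FASTOP_SIZE fix, which matches the dependency named in the Cc: stable line.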
@@ -0,0 +1,127 @@ +From 84e7051c0bc1f2a13101553959b3a9d9a8e24939 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Wed, 13 Jul 2022 14:12:41 -0300 +Subject: x86/kvm: fix FASTOP_SIZE when return thunks are enabled + +From: Thadeu Lima de Souza Cascardo + +commit 84e7051c0bc1f2a13101553959b3a9d9a8e24939 upstream. + +The return thunk call makes the fastop functions larger, just like IBT +does. Consider a 16-byte FASTOP_SIZE when CONFIG_RETHUNK is enabled. + +Otherwise, functions will be incorrectly aligned and when computing their +position for differently sized operators, they will executed in the middle +or end of a function, which may as well be an int3, leading to a crash +like: + +[ 36.091116] int3: 0000 [#1] SMP NOPTI +[ 36.091119] CPU: 3 PID: 1371 Comm: qemu-system-x86 Not tainted 5.15.0-41-generic #44 +[ 36.091120] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +[ 36.091121] RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm] +[ 36.091185] Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc +[ 36.091186] RSP: 0018:ffffb1f541143c98 EFLAGS: 00000202 +[ 36.091188] RAX: 0000000089abcdef RBX: 0000000000000001 RCX: 0000000000000000 +[ 36.091188] RDX: 0000000076543210 RSI: ffffffffc073c6d0 RDI: 0000000000000200 +[ 36.091189] RBP: ffffb1f541143ca0 R08: ffff9f1803350a70 R09: 0000000000000002 +[ 36.091190] R10: ffff9f1803350a70 R11: 0000000000000000 R12: ffff9f1803350a70 +[ 36.091190] R13: ffffffffc077fee0 R14: 0000000000000000 R15: 0000000000000000 +[ 36.091191] FS: 00007efdfce8d640(0000) GS:ffff9f187dd80000(0000) knlGS:0000000000000000 +[ 36.091192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 36.091192] CR2: 0000000000000000 CR3: 0000000009b62002 CR4: 0000000000772ee0 +[ 36.091195] PKRU: 55555554 +[ 36.091195] Call Trace: +[ 36.091197] +[ 36.091198] ? 
fastop+0x5a/0xa0 [kvm] +[ 36.091222] x86_emulate_insn+0x7b8/0xe90 [kvm] +[ 36.091244] x86_emulate_instruction+0x2f4/0x630 [kvm] +[ 36.091263] ? kvm_arch_vcpu_load+0x7c/0x230 [kvm] +[ 36.091283] ? vmx_prepare_switch_to_host+0xf7/0x190 [kvm_intel] +[ 36.091290] complete_emulated_mmio+0x297/0x320 [kvm] +[ 36.091310] kvm_arch_vcpu_ioctl_run+0x32f/0x550 [kvm] +[ 36.091330] kvm_vcpu_ioctl+0x29e/0x6d0 [kvm] +[ 36.091344] ? kvm_vcpu_ioctl+0x120/0x6d0 [kvm] +[ 36.091357] ? __fget_files+0x86/0xc0 +[ 36.091362] ? __fget_files+0x86/0xc0 +[ 36.091363] __x64_sys_ioctl+0x92/0xd0 +[ 36.091366] do_syscall_64+0x59/0xc0 +[ 36.091369] ? syscall_exit_to_user_mode+0x27/0x50 +[ 36.091370] ? do_syscall_64+0x69/0xc0 +[ 36.091371] ? syscall_exit_to_user_mode+0x27/0x50 +[ 36.091372] ? __x64_sys_writev+0x1c/0x30 +[ 36.091374] ? do_syscall_64+0x69/0xc0 +[ 36.091374] ? exit_to_user_mode_prepare+0x37/0xb0 +[ 36.091378] ? syscall_exit_to_user_mode+0x27/0x50 +[ 36.091379] ? do_syscall_64+0x69/0xc0 +[ 36.091379] ? do_syscall_64+0x69/0xc0 +[ 36.091380] ? do_syscall_64+0x69/0xc0 +[ 36.091381] ? 
do_syscall_64+0x69/0xc0 +[ 36.091381] entry_SYSCALL_64_after_hwframe+0x61/0xcb +[ 36.091384] RIP: 0033:0x7efdfe6d1aff +[ 36.091390] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 +[ 36.091391] RSP: 002b:00007efdfce8c460 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 36.091393] RAX: ffffffffffffffda RBX: 000000000000ae80 RCX: 00007efdfe6d1aff +[ 36.091393] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 000000000000000c +[ 36.091394] RBP: 0000558f1609e220 R08: 0000558f13fb8190 R09: 00000000ffffffff +[ 36.091394] R10: 0000558f16b5e950 R11: 0000000000000246 R12: 0000000000000000 +[ 36.091394] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 +[ 36.091396] +[ 36.091397] Modules linked in: isofs nls_iso8859_1 kvm_intel joydev kvm input_leds serio_raw sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua ipmi_devintf ipmi_msghandler drm msr ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net net_failover crypto_simd ahci xhci_pci cryptd psmouse virtio_blk libahci xhci_pci_renesas failover +[ 36.123271] ---[ end trace db3c0ab5a48fabcc ]--- +[ 36.123272] RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm] +[ 36.123319] Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc +[ 36.123320] RSP: 0018:ffffb1f541143c98 EFLAGS: 00000202 +[ 36.123321] RAX: 0000000089abcdef RBX: 0000000000000001 RCX: 0000000000000000 +[ 36.123321] RDX: 0000000076543210 RSI: ffffffffc073c6d0 RDI: 0000000000000200 +[ 36.123322] RBP: ffffb1f541143ca0 R08: ffff9f1803350a70 R09: 
0000000000000002 +[ 36.123322] R10: ffff9f1803350a70 R11: 0000000000000000 R12: ffff9f1803350a70 +[ 36.123323] R13: ffffffffc077fee0 R14: 0000000000000000 R15: 0000000000000000 +[ 36.123323] FS: 00007efdfce8d640(0000) GS:ffff9f187dd80000(0000) knlGS:0000000000000000 +[ 36.123324] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 36.123325] CR2: 0000000000000000 CR3: 0000000009b62002 CR4: 0000000000772ee0 +[ 36.123327] PKRU: 55555554 +[ 36.123328] Kernel panic - not syncing: Fatal exception in interrupt +[ 36.123410] Kernel Offset: 0x1400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) +[ 36.135305] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +Fixes: aa3d480315ba ("x86: Use return-thunk in asm code") +Signed-off-by: Thadeu Lima de Souza Cascardo +Co-developed-by: Peter Zijlstra (Intel) +Cc: Borislav Petkov +Cc: Josh Poimboeuf +Cc: Paolo Bonzini +Reported-by: Linux Kernel Functional Testing +Message-Id: <20220713171241.184026-1-cascardo@canonical.com> +Tested-by: Jack Wang +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/emulate.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -187,8 +187,12 @@ + #define X8(x...) X4(x), X4(x) + #define X16(x...) 
X8(x), X8(x) + +-#define NR_FASTOP (ilog2(sizeof(ulong)) + 1) +-#define FASTOP_SIZE 8 ++#define NR_FASTOP (ilog2(sizeof(ulong)) + 1) ++#define RET_LENGTH (1 + (4 * IS_ENABLED(CONFIG_RETHUNK)) + \ ++ IS_ENABLED(CONFIG_SLS)) ++#define FASTOP_LENGTH (ENDBR_INSN_SIZE + 7 + RET_LENGTH) ++#define FASTOP_SIZE (8 << ((FASTOP_LENGTH > 8) & 1) << ((FASTOP_LENGTH > 16) & 1)) ++static_assert(FASTOP_LENGTH <= FASTOP_SIZE); + + struct opcode { + u64 flags : 56; +@@ -437,8 +441,6 @@ static int fastop(struct x86_emulate_ctx + * RET | JMP __x86_return_thunk [1,5 bytes; CONFIG_RETHUNK] + * INT3 [1 byte; CONFIG_SLS] + */ +-#define RET_LENGTH (1 + (4 * IS_ENABLED(CONFIG_RETHUNK)) + \ +- IS_ENABLED(CONFIG_SLS)) + #define SETCC_LENGTH (3 + RET_LENGTH) + #define SETCC_ALIGN (4 << ((SETCC_LENGTH > 4) & 1) << ((SETCC_LENGTH > 8) & 1)) + static_assert(SETCC_LENGTH <= SETCC_ALIGN); diff --git a/queue-5.15/x86-kvm-vmx-make-noinstr-clean.patch b/queue-5.15/x86-kvm-vmx-make-noinstr-clean.patch index 77d2db7fc3b..30b2fabfec1 100644 --- a/queue-5.15/x86-kvm-vmx-make-noinstr-clean.patch +++ b/queue-5.15/x86-kvm-vmx-make-noinstr-clean.patch @@ -49,7 +49,7 @@ Signed-off-by: Greg Kroah-Hartman static void vmx_update_fb_clear_dis(struct kvm_vcpu *vcpu, struct vcpu_vmx *vmx) --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -12177,9 +12177,9 @@ void kvm_arch_end_assignment(struct kvm +@@ -12179,9 +12179,9 @@ void kvm_arch_end_assignment(struct kvm } EXPORT_SYMBOL_GPL(kvm_arch_end_assignment);
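Review bot: The `FASTOP_SIZE` ladder `(8 << ((FASTOP_LENGTH > 8) & 1) << ((FASTOP_LENGTH > 16) & 1))` in the `@@ -187,8 +187,12 @@` hunk has no comment explaining why it rounds up to 8, 16 or 32 instead of using `FASTOP_LENGTH` directly; a line such as `/* round up to a power of two: fastop functions are located as base + FASTOP_SIZE * index and padded with .align */` would make the `static_assert` beneath it read naturally. The backport now relies on `ENDBR_INSN_SIZE`, `CONFIG_RETHUNK` and `CONFIG_SLS` being defined in the 5.15 tree; that is assumed rather than shown here, so confirm the queue already carries those definitions ahead of this patch. The next patch in the series replaces this computation with a constant, so this hunk is in effect an intermediate state kept so the series applies and bisects cleanly.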