From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 2 Oct 2024 12:44:35 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.6.54~15
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b398284454631c2f8938f9db7c23336a1840bef0;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	x86-tdx-fix-in-kernel-mmio-check.patch
---

diff --git a/queue-6.1/series b/queue-6.1/series
index 1861431e036..58400f2a3aa 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -386,3 +386,4 @@ iio-magnetometer-ak8975-fix-unexpected-device-error.patch
 libbpf-ensure-undefined-bpf_attr-field-stays-0.patch
 powerpc-allow-config_ppc64_big_endian_elf_abi_v2-with-ld.lld-15.patch
 pci-pm-mark-devices-disconnected-if-upstream-pcie-link-is-down-on-resume.patch
+x86-tdx-fix-in-kernel-mmio-check.patch
diff --git a/queue-6.1/x86-tdx-fix-in-kernel-mmio-check.patch b/queue-6.1/x86-tdx-fix-in-kernel-mmio-check.patch
new file mode 100644
index 00000000000..5ee457870e1
--- /dev/null
+++ b/queue-6.1/x86-tdx-fix-in-kernel-mmio-check.patch
@@ -0,0 +1,56 @@
+From d4fc4d01471528da8a9797a065982e05090e1d81 Mon Sep 17 00:00:00 2001
+From: "Alexey Gladkov (Intel)" <legion@kernel.org>
+Date: Fri, 13 Sep 2024 19:05:56 +0200
+Subject: x86/tdx: Fix "in-kernel MMIO" check
+
+From: Alexey Gladkov (Intel) <legion@kernel.org>
+
+commit d4fc4d01471528da8a9797a065982e05090e1d81 upstream.
+
+TDX only supports kernel-initiated MMIO operations. The handle_mmio()
+function checks if the #VE exception occurred in the kernel and rejects
+the operation if it did not.
+
+However, userspace can deceive the kernel into performing MMIO on its
+behalf. For example, if userspace can point a syscall to an MMIO address,
+syscall does get_user() or put_user() on it, triggering MMIO #VE. The
+kernel will treat the #VE as in-kernel MMIO.
+
+Ensure that the target MMIO address is within the kernel before decoding
+instruction.
+
+Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO")
+Signed-off-by: Alexey Gladkov (Intel) <legion@kernel.org>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/565a804b80387970460a4ebc67c88d1380f61ad1.1726237595.git.legion%40kernel.org
+Signed-off-by: Alexey Gladkov (Intel) <legion@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/coco/tdx/tdx.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/coco/tdx/tdx.c
++++ b/arch/x86/coco/tdx/tdx.c
+@@ -12,6 +12,7 @@
+ #include <asm/insn.h>
+ #include <asm/insn-eval.h>
+ #include <asm/pgtable.h>
++#include <asm/traps.h>
+ 
+ /* TDX module Call Leaf IDs */
+ #define TDX_GET_INFO			1
+@@ -371,6 +372,11 @@ static int handle_mmio(struct pt_regs *r
+ 			return -EINVAL;
+ 	}
+ 
++	if (!fault_in_kernel_space(ve->gla)) {
++		WARN_ONCE(1, "Access to userspace address is not supported");
++		return -EINVAL;
++	}
++
+ 	/*
+ 	 * Reject EPT violation #VEs that split pages.
+ 	 *