commit:     699a12a2e1c3b010def959c76faf7dddc4588b8d
Author:     Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
AuthorDate: Thu Jan  4 07:36:45 2018 +0000
Commit:     Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
CommitDate: Thu Jan  4 07:36:45 2018 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=699a12a2

x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()

 0000_README                                        |  4 ++
 ...rnel_CR3_at_early_in_entry_SYSCALL_compat.patch | 68 ++++++++++++++++++++++
 2 files changed, 72 insertions(+)

diff --git a/0000_README b/0000_README
index 0cab5bc..d47f74d 100644
--- a/0000_README
+++ b/0000_README
@@ -103,6 +103,10 @@ Patch:  1701_make_sure_the_user_kernel_PTEs_match.patch
 From:   
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/patch/?id=52994c256df36fda9a715697431cba9daecb6b11
 Desc:   x86/pti: Make sure the user/kernel PTEs match
 
+Patch:  1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch
+From:   
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=WIP.x86/pti&id=d7732ba55c4b6a2da339bb12589c515830cfac2c
+Desc:   Switch to kernel CR3 at early in entry_SYSCALL_compat()
+
 Patch:         2100_bcache-data-corruption-fix-for-bi-partno.patch
 From:   
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=62530ed8b1d07a45dec94d46e521c0c6c2d476e6
 Desc:   bio: ensure __bio_clone_fast copies bi_partno. 

diff --git a/1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch 
b/1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch
new file mode 100644
index 0000000..12d9555
--- /dev/null
+++ b/1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch
@@ -0,0 +1,68 @@
+From d7732ba55c4b6a2da339bb12589c515830cfac2c Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <t...@linutronix.de>
+Date: Wed, 3 Jan 2018 19:52:04 +0100
+Subject: x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()
+
+The preparation for PTI which added CR3 switching to the entry code
+misplaced the CR3 switch in entry_SYSCALL_compat().
+
+With PTI enabled the entry code tries to access a per cpu variable after
+switching to kernel GS. This fails because that variable is not mapped to
+user space. This results in a double fault and in the worst case a kernel
+crash.
+
+Move the switch ahead of the access and clobber RSP which has been saved
+already.
+
+Fixes: 8a09317b895f ("x86/mm/pti: Prepare the x86/entry assembly code for 
entry/exit CR3 switching")
+Reported-by: Lars Wendler <wendler.l...@web.de>
+Reported-by: Laura Abbott <labb...@redhat.com>
+Signed-off-by: Thomas Gleixner <t...@linutronix.de>
+Cc: Borislav Betkov <b...@alien8.de>
+Cc: Andy Lutomirski <l...@kernel.org>,
+Cc: Dave Hansen <dave.han...@linux.intel.com>,
+Cc: Peter Zijlstra <pet...@infradead.org>,
+Cc: Greg KH <gre...@linuxfoundation.org>, ,
+Cc: Boris Ostrovsky <boris.ostrov...@oracle.com>,
+Cc: Juergen Gross <jgr...@suse.com>
+Cc: sta...@vger.kernel.org
+Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801031949200.1957@nanos
+---
+ arch/x86/entry/entry_64_compat.S | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64_compat.S 
b/arch/x86/entry/entry_64_compat.S
+index 40f1700..98d5358 100644
+--- a/arch/x86/entry/entry_64_compat.S
++++ b/arch/x86/entry/entry_64_compat.S
+@@ -190,8 +190,13 @@ ENTRY(entry_SYSCALL_compat)
+       /* Interrupts are off on entry. */
+       swapgs
+ 
+-      /* Stash user ESP and switch to the kernel stack. */
++      /* Stash user ESP */
+       movl    %esp, %r8d
++
++      /* Use %rsp as scratch reg. User ESP is stashed in r8 */
++      SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
++
++      /* Switch to the kernel stack */
+       movq    PER_CPU_VAR(cpu_current_top_of_stack), %rsp
+ 
+       /* Construct struct pt_regs on stack */
+@@ -220,12 +225,6 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
+       pushq   $0                      /* pt_regs->r15 = 0 */
+ 
+       /*
+-       * We just saved %rdi so it is safe to clobber.  It is not
+-       * preserved during the C calls inside TRACE_IRQS_OFF anyway.
+-       */
+-      SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
+-
+-      /*
+        * User mode is traced as though IRQs are on, and SYSENTER
+        * turned them off.
+        */
+-- 
+cgit v1.1
+
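Review bot: The new `SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp` leaves %rsp holding a non-stack value for the two instructions until `movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp`, and the comment added there only says why %rsp is free, not why the window is safe; the safety rests on the `/* Interrupts are off on entry. */` invariant a few lines up plus the fact that the exceptions still possible here (NMI, #MC, #DB) do not use the current stack but an IST stack, which this hunk cannot show. I would extend the comment to state that invariant so a later edit does not insert anything that can fault or re-enable interrupts in between, e.g. `/* Use %rsp as scratch reg. User ESP is stashed in r8. %rsp is NOT a valid stack until the switch below: IRQs are off and any NMI/#MC in this window must run on an IST stack. */`. entry_SYSCALL_compat continues outside the hunk, so the instructions that follow the stack switch are not visible here. The second hunk correctly drops the old `scratch_reg=%rdi` switch, so PER_CPU_VAR is no longer read on the user CR3; the surviving `/*` comment there is intact.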
