Date: Mon, 26 Jun 2023 09:54:50 +0100
From: Lee Jones
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: linux-tip-commits@vger.kernel.org, Dave Hansen, stable@vger.kernel.org, x86@kernel.org
Subject: Re: [tip: x86/urgent] x86/mm: Avoid using set_pgd() outside of real PGD pages
Message-ID: <20230626085450.GA1344014@google.com>
References: <168694160067.404.13343792487331756749.tip-bot2@tip-bot2>
In-Reply-To: <168694160067.404.13343792487331756749.tip-bot2@tip-bot2>

Dear Stable,

On Fri, 16 Jun 2023, tip-bot2 for Lee Jones wrote:

> The following commit has been merged into the x86/urgent branch of tip:
>
> Commit-ID:     d082d48737c75d2b3cc1f972b8c8674c25131534
> Gitweb:        https://git.kernel.org/tip/d082d48737c75d2b3cc1f972b8c8674c25131534
> Author:        Lee Jones
> AuthorDate:    Wed, 14 Jun 2023 17:38:54 +01:00
> Committer:     Dave Hansen
> CommitterDate: Fri, 16 Jun 2023 11:46:42 -07:00
>
> x86/mm: Avoid using set_pgd() outside of real PGD pages
>
> KPTI keeps around two PGDs: one for userspace and another for the
> kernel. Among other things, set_pgd() contains infrastructure to
> ensure that updates to the kernel PGD are reflected in the user PGD
> as well.
>
> One side-effect of this is that set_pgd() expects to be passed whole
> pages. Unfortunately, init_trampoline_kaslr() passes in a single entry:
> 'trampoline_pgd_entry'.
>
> When KPTI is on, set_pgd() will update 'trampoline_pgd_entry' (an
> 8-Byte globally stored [.bss] variable) and will then proceed to
> replicate that value into the non-existent neighboring user page
> (located +4k away), leading to the corruption of other global [.bss]
> stored variables.
>
> Fix it by directly assigning 'trampoline_pgd_entry' and avoiding
> set_pgd().
>
> [ dhansen: tweak subject and changelog ]
>
> Fixes: 0925dda5962e ("x86/mm/KASLR: Use only one PUD entry for real mode trampoline")
> Suggested-by: Dave Hansen
> Signed-off-by: Lee Jones
> Signed-off-by: Dave Hansen
> Cc:
> Link: https://lore.kernel.org/all/20230614163859.924309-1-lee@kernel.org/g
> ---
>  arch/x86/mm/kaslr.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c
> index 557f0fe..37db264 100644
> --- a/arch/x86/mm/kaslr.c
> +++ b/arch/x86/mm/kaslr.c
> @@ -172,10 +172,10 @@ void __meminit init_trampoline_kaslr(void)
>  		set_p4d(p4d_tramp,
>  			__p4d(_KERNPG_TABLE | __pa(pud_page_tramp)));
>  
> -		set_pgd(&trampoline_pgd_entry,
> -			__pgd(_KERNPG_TABLE | __pa(p4d_page_tramp)));
> +		trampoline_pgd_entry =
> +			__pgd(_KERNPG_TABLE | __pa(p4d_page_tramp));
>  	} else {
> -		set_pgd(&trampoline_pgd_entry,
> -			__pgd(_KERNPG_TABLE | __pa(pud_page_tramp)));
> +		trampoline_pgd_entry =
> +			__pgd(_KERNPG_TABLE | __pa(pud_page_tramp));
>  	}
>  }

Could we have this expedited please? There are users waiting for it.

Upstream commit is:

  d082d48737c75 ("x86/mm: Avoid using set_pgd() outside of real PGD pages")

Thanks muchly.

-- 
Lee Jones [李琼斯]
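Review bot: nothing at the assignment site records why set_pgd() must not be used here, so a later cleanup could reintroduce it; a one-line comment next to the first `trampoline_pgd_entry =` (or at the variable's definition) stating that the entry is a lone pgd_t outside any PGD page, and that the KPTI mirroring in set_pgd() would write one page past it, would protect the fix. The replacement itself is right on the changelog's own terms: both branches of the hunk now store the entry directly, so no user-PGD copy is attempted. Minor style point: the two branches differ only in whether p4d_page_tramp or pud_page_tramp is passed to __pa(), so the assignment could be hoisted out of the if/else with a local for the page, though that is optional for a stable-bound fix.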
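To make the failure mode in the changelog concrete, here is an added C model that is not the kernel's code: set_pgd(), kernel_to_user_pgdp() and pgdp_maps_userspace() are simplified stand-ins for the x86 KPTI helpers, kpti_enabled is an assumed knob, and the fake_bss layout is constructed so that the mirrored write lands on a known neighbour (victim) exactly one page away. It shows set_pgd() doing the right thing on a slot inside a real two-page PGD pair, the same call clobbering the neighbour when handed a lone 8-byte global, and the fixed plain assignment leaving the neighbour untouched.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Reduced model of the KPTI set_pgd() mirroring described in the changelog.
 * Added illustration only: the helpers below are simplified stand-ins for
 * the kernel's, and the memory layout is constructed for the demo.
 */

typedef uint64_t pgd_t;

#define PAGE_SIZE              4096UL
#define PTRS_PER_PGD           (PAGE_SIZE / sizeof(pgd_t))  /* 512 entries per page */
#define PGD_KERNEL_START       (PTRS_PER_PGD / 2)           /* upper half maps the kernel */
#define PTI_PGTABLE_SWITCH_BIT 12   /* kernel PGD -> user PGD: set bit 12 of the address */

/* Assumed knob for the simulated KPTI state (not a kernel symbol). */
static int kpti_enabled = 1;

/* A real PGD pair: kernel page immediately followed by its user page, aligned
 * to two pages so that setting bit 12 of a kernel-entry address selects the
 * matching user entry. */
static _Alignas(2 * PAGE_SIZE) pgd_t pgd_pair[2 * PTRS_PER_PGD];

/* Constructed stand-in for .bss: a lone pgd_t global with another global
 * exactly one page later, i.e. where the "user copy" would be if the entry
 * were part of a PGD page. */
struct fake_bss {
	pgd_t    trampoline_pgd_entry;
	uint64_t padding[PTRS_PER_PGD - 1];   /* fills the rest of the page */
	uint64_t victim;                       /* +4 KiB from trampoline_pgd_entry */
};
static _Alignas(2 * PAGE_SIZE) struct fake_bss bss;

static pgd_t *kernel_to_user_pgdp(pgd_t *pgdp)
{
	return (pgd_t *)((uintptr_t)pgdp | (1UL << PTI_PGTABLE_SWITCH_BIT));
}

/* Only entries in the lower (userspace) half of a PGD page are mirrored. */
static int pgdp_maps_userspace(const pgd_t *pgdp)
{
	return (((uintptr_t)pgdp & (PAGE_SIZE - 1)) / sizeof(pgd_t)) < PGD_KERNEL_START;
}

/* Simulated set_pgd(): store, then replicate into the user PGD under KPTI.
 * The replication silently assumes pgdp points into a real PGD page. */
static void set_pgd(pgd_t *pgdp, pgd_t pgd)
{
	*pgdp = pgd;
	if (kpti_enabled && pgdp_maps_userspace(pgdp))
		*kernel_to_user_pgdp(pgdp) = pgd;
}

/* Intended use: update kernel PGD slot idx and return what the user PGD
 * now holds at the same index. */
static pgd_t set_pgd_in_real_page(unsigned int idx, pgd_t val)
{
	kpti_enabled = 1;
	pgd_pair[idx] = 0;
	pgd_pair[PTRS_PER_PGD + idx] = 0;
	set_pgd(&pgd_pair[idx], val);
	return pgd_pair[PTRS_PER_PGD + idx];
}

/* Pre-fix pattern from init_trampoline_kaslr(): a lone global handed to
 * set_pgd(). Returns the neighbouring global's value afterwards. */
static uint64_t init_trampoline_buggy(pgd_t new_entry, int kpti)
{
	kpti_enabled = kpti;
	bss.victim = 0xA5A5A5A5A5A5A5A5ULL;
	set_pgd(&bss.trampoline_pgd_entry, new_entry);
	return bss.victim;
}

/* Fixed pattern: plain assignment, nothing is mirrored. */
static uint64_t init_trampoline_fixed(pgd_t new_entry, int kpti)
{
	kpti_enabled = kpti;
	bss.victim = 0xA5A5A5A5A5A5A5A5ULL;
	bss.trampoline_pgd_entry = new_entry;
	return bss.victim;
}

int main(void)
{
	printf("real PGD, user-half slot 3, user copy:   %#llx\n",
	       (unsigned long long)set_pgd_in_real_page(3, 0x1003));
	printf("real PGD, kernel-half slot 300, user copy: %#llx\n",
	       (unsigned long long)set_pgd_in_real_page(300, 0x1003));
	printf("lone global via set_pgd(), KPTI on,  neighbour: %#llx\n",
	       (unsigned long long)init_trampoline_buggy(0x1003, 1));
	printf("lone global via set_pgd(), KPTI off, neighbour: %#llx\n",
	       (unsigned long long)init_trampoline_buggy(0x1003, 0));
	printf("lone global by assignment, KPTI on,  neighbour: %#llx\n",
	       (unsigned long long)init_trampoline_fixed(0x1003, 1));
	return 0;
}
```

Two things the model makes visible that the changelog only states: the mirror write is unconditional on the caller's intent, so nothing in set_pgd() can tell a lone global from a PGD slot, and in this model the write only fires when the entry's page offset falls in the userspace half, which is why such a bug can come and go with link-time layout rather than with the code that contains it.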