Commit 378ee00f authored Oct 31, 2024 by Alexandre Ghiti Committed by Chen Ridong Oct 31, 2024

riscv: Sync efi page table's kernel mappings before switching

mainline inclusion
from mainline-v6.1-rc8
commit 3f105a74
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRII
CVE: CVE-2022-49004

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3f105a742725a1b78766a55169f1d827732e62b8



----------------------------------------------------------------------

The EFI page table is initially created as a copy of the kernel page table.
With VMAP_STACK enabled, kernel stacks are allocated in the vmalloc area:
if the stack is allocated in a new PGD (one that was not present at the
moment of the efi page table creation or not synced in a previous vmalloc
fault), the kernel will take a trap when switching to the efi page table
when the vmalloc kernel stack is accessed, resulting in a kernel panic.

Fix that by updating the efi kernel mappings before switching to the efi
page table.

Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Fixes: b91540d5 ("RISC-V: Add EFI runtime services")
Tested-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
Reviewed-by: Atish Patra <atishp@rivosinc.com>
Link: https://lore.kernel.org/r/20221121133303.1782246-1-alexghiti@rivosinc.com


Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>

Conflicts:
	arch/riscv/include/asm/pgalloc.h
[context is mismatch]
Signed-off-by: Chen Ridong <chenridong@huawei.com>

parent d75a60a4

arch/riscv/include/asm/efi.h

+5 −1

Original line number	Diff line number	Diff line
		@@ -10,6 +10,7 @@
		#include <asm/mmu_context.h>
		#include <asm/ptrace.h>
		#include <asm/tlbflush.h>
		#include <asm/pgalloc.h>

		#ifdef CONFIG_EFI
		extern void efi_init(void);
		@@ -20,7 +21,10 @@ extern void efi_init(void);
		int efi_create_mapping(struct mm_struct mm, efi_memory_desc_t md);
		int efi_set_mapping_permissions(struct mm_struct mm, efi_memory_desc_t md);

		#define arch_efi_call_virt_setup() efi_virtmap_load()
		#define arch_efi_call_virt_setup() ({ \
		sync_kernel_mappings(efi_mm.pgd); \
		efi_virtmap_load(); \
		})
		#define arch_efi_call_virt_teardown() efi_virtmap_unload()

		#define ARCH_EFI_IRQ_FLAGS_MASK (SR_IE \| SR_SPIE)

arch/riscv/include/asm/pgalloc.h

+8 −3

Original line number	Diff line number	Diff line
		@@ -40,6 +40,13 @@ static inline void pud_populate(struct mm_struct mm, pud_t pud, pmd_t *pmd)

		#define pmd_pgtable(pmd) pmd_page(pmd)

		static inline void sync_kernel_mappings(pgd_t *pgd)
		{
		memcpy(pgd + USER_PTRS_PER_PGD,
		init_mm.pgd + USER_PTRS_PER_PGD,
		(PTRS_PER_PGD - USER_PTRS_PER_PGD) * sizeof(pgd_t));
		}

		static inline pgd_t pgd_alloc(struct mm_struct mm)
		{
		pgd_t *pgd;
		@@ -48,9 +55,7 @@ static inline pgd_t pgd_alloc(struct mm_struct mm)
		if (likely(pgd != NULL)) {
		memset(pgd, 0, USER_PTRS_PER_PGD * sizeof(pgd_t));
		/* Copy kernel mappings */
		memcpy(pgd + USER_PTRS_PER_PGD,
		init_mm.pgd + USER_PTRS_PER_PGD,
		(PTRS_PER_PGD - USER_PTRS_PER_PGD) * sizeof(pgd_t));
		sync_kernel_mappings(pgd);
		}
		return pgd;
		}