Commit 69e73467 authored Apr 27, 2022 by James Morse Committed by Zheng Zengkai Apr 27, 2022

arm64: entry: Free up another register on kpti's tramp_exit path

stable inclusion
from stable-v5.10.105
commit d93b25a6654812e0511b71a6d4a207f6b1ce5dfe
category: bugfix
bugzilla: 186460 https://gitee.com/src-openeuler/kernel/issues/I53MHA
CVE: CVE-2022-23960

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d93b25a66548



--------------------------------

commit 03aff3a7 upstream.

Kpti stashes x30 in far_el1 while it uses x30 for all its work.

Making the vectors a per-cpu data structure will require a second
register.

Allow tramp_exit two registers before it unmaps the kernel, by
leaving x30 on the stack, and stashing x29 in far_el1.

Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent 24dd997e

arch/arm64/kernel/entry.S

+13 −6

Original line number	Diff line number	Diff line
		@@ -345,14 +345,16 @@ alternative_else_nop_endif
		ldp x24, x25, [sp, #16 * 12]
		ldp x26, x27, [sp, #16 * 13]
		ldp x28, x29, [sp, #16 * 14]
		ldr lr, [sp, #S_LR]
		add sp, sp, #S_FRAME_SIZE // restore sp

		.if \el == 0
		alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
		alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
		ldr lr, [sp, #S_LR]
		add sp, sp, #S_FRAME_SIZE // restore sp
		eret
		alternative_else_nop_endif
		#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
		bne 4f
		msr far_el1, x30
		msr far_el1, x29
		tramp_alias x30, tramp_exit_native
		br x30
		4:
		@@ -360,6 +362,9 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
		br x30
		#endif
		.else
		ldr lr, [sp, #S_LR]
		add sp, sp, #S_FRAME_SIZE // restore sp

		/* Ensure any device/NC reads complete */
		alternative_insn nop, "dmb sy", ARM64_WORKAROUND_1508412

		@@ -832,10 +837,12 @@ alternative_else_nop_endif
		.macro tramp_exit, regsize = 64
		adr x30, tramp_vectors
		msr vbar_el1, x30
		tramp_unmap_kernel x30
		ldr lr, [sp, #S_LR]
		tramp_unmap_kernel x29
		.if \regsize == 64
		mrs x30, far_el1
		mrs x29, far_el1
		.endif
		add sp, sp, #S_FRAME_SIZE // restore sp
		eret
		sb
		.endm