Commit 8dee0149 authored by James Morse's avatar James Morse Committed by Zheng Zengkai
Browse files

arm64: entry: Allow the trampoline text to occupy multiple pages 

stable inclusion
from stable-v5.10.105
commit 26211252c1c104732a0fea6c37645f1b670587f5
category: bugfix
bugzilla: 186460 https://gitee.com/src-openeuler/kernel/issues/I53MHA
CVE: CVE-2022-23960

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=26211252c1c1



--------------------------------

commit a9c406e6 upstream.

Adding a second set of vectors to .entry.tramp.text will make it
larger than a single 4K page.

Allow the trampoline text to occupy up to three pages by adding two
more fixmap slots. Previous changes to tramp_valias allowed it to reach
beyond a single page.

Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
Signed-off-by: default avatarJames Morse <james.morse@arm.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarChen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: default avatarLiao Chang <liaochang1@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent d2f4c017

arch/arm64/include/asm/fixmap.h

+4 −2
Original line number Diff line number Diff line
@@ -62,9 +62,11 @@ enum fixed_addresses { 
#endif /* CONFIG_ACPI_APEI_GHES */



#ifdef CONFIG_UNMAP_KERNEL_AT_EL0

	FIX_ENTRY_TRAMP_TEXT,

	FIX_ENTRY_TRAMP_TEXT3,

	FIX_ENTRY_TRAMP_TEXT2,

	FIX_ENTRY_TRAMP_TEXT1,

	FIX_ENTRY_TRAMP_DATA,

#define TRAMP_VALIAS		(__fix_to_virt(FIX_ENTRY_TRAMP_TEXT))

#define TRAMP_VALIAS		(__fix_to_virt(FIX_ENTRY_TRAMP_TEXT1))

#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */

	__end_of_permanent_fixed_addresses,

arch/arm64/include/asm/sections.h

+5 −0
Original line number Diff line number Diff line
@@ -19,4 +19,9 @@ extern char __irqentry_text_start[], __irqentry_text_end[]; 
extern char __mmuoff_data_start[], __mmuoff_data_end[];

extern char __entry_tramp_text_start[], __entry_tramp_text_end[];



static inline size_t entry_tramp_text_size(void)

{

	return __entry_tramp_text_end - __entry_tramp_text_start;

}



#endif /* __ASM_SECTIONS_H */

arch/arm64/kernel/entry.S

+1 −1
Original line number Diff line number Diff line
@@ -800,7 +800,7 @@ alternative_else_nop_endif 
	.endm



	.macro tramp_data_page	dst

	adr	\dst, .entry.tramp.text

	adr_l	\dst, .entry.tramp.text

	sub	\dst, \dst, PAGE_SIZE

	.endm

arch/arm64/kernel/vmlinux.lds.S

+1 −1
Original line number Diff line number Diff line
@@ -299,7 +299,7 @@ ASSERT(__hibernate_exit_text_end - (__hibernate_exit_text_start & ~(SZ_4K - 1)) 
	<= SZ_4K, "Hibernate exit text too big or misaligned")

#endif

#ifdef CONFIG_UNMAP_KERNEL_AT_EL0

ASSERT((__entry_tramp_text_end - __entry_tramp_text_start) == PAGE_SIZE,

ASSERT((__entry_tramp_text_end - __entry_tramp_text_start) <= 3*PAGE_SIZE,

	"Entry trampoline text too big")

#endif

/*

arch/arm64/mm/mmu.c

+9 −3
Original line number Diff line number Diff line
@@ -616,6 +616,8 @@ early_param("rodata", parse_rodata); 
#ifdef CONFIG_UNMAP_KERNEL_AT_EL0

static int __init map_entry_trampoline(void)

{

	int i;



	pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC;

	phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start);
@@ -624,11 +626,15 @@ static int __init map_entry_trampoline(void) 


	/* Map only the text into the trampoline page table */

	memset(tramp_pg_dir, 0, PGD_SIZE);

	__create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE,

			     prot, __pgd_pgtable_alloc, 0);

	__create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS,

			     entry_tramp_text_size(), prot,

			     __pgd_pgtable_alloc, NO_BLOCK_MAPPINGS);



	/* Map both the text and data into the kernel page table */

	__set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot);

	for (i = 0; i < DIV_ROUND_UP(entry_tramp_text_size(), PAGE_SIZE); i++)

		__set_fixmap(FIX_ENTRY_TRAMP_TEXT1 - i,

			     pa_start + i * PAGE_SIZE, prot);



	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) {

		extern char __entry_tramp_data_start[];