Commit 963f039a authored by Thomas Gleixner, committed by Zheng Zengkai

x86/static_call: Serialize __static_call_fixup() properly

stable inclusion
from stable-v5.10.133
commit c035ca88b0742952150b1671bb5d26b96f921245
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5PTAS
CVE: CVE-2022-29900,CVE-2022-23816,CVE-2022-29901

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c035ca88b0742952150b1671bb5d26b96f921245



--------------------------------

commit c27c753e upstream.

__static_call_fixup() invokes __static_call_transform() without holding
text_mutex, which causes lockdep to complain in text_poke_bp().

Adding the proper locking cures that, but as this is either used during
early boot or during module finalizing, it's not required to use
text_poke_bp(). Add an argument to __static_call_transform() which tells
it to use text_poke_early() for it.

Fixes: ee88d363 ("x86,static_call: Use alternative RET encoding")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

conflict:
	arch/x86/kernel/static_call.c

Signed-off-by: Lin Yujun <linyujun809@huawei.com>
Reviewed-by: Zhang Jianhua <chris.zjh@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
parent 80aa682e
+8 −5
@@ -26,7 +26,8 @@ static const u8 tramp_ud[] = { 0x0f, 0xb9, 0xcc };

static const u8 retinsn[] = { RET_INSN_OPCODE, 0xcc, 0xcc, 0xcc, 0xcc };

static void __ref __static_call_transform(void *insn, enum insn_type type, void *func)
static void __ref __static_call_transform(void *insn, enum insn_type type,
                                         void *func, bool modinit)
{
	const void *emulate = NULL;
	int size = CALL_INSN_SIZE;
@@ -61,7 +62,7 @@ static void __ref __static_call_transform(void *insn, enum insn_type type, void
	if (memcmp(insn, code, size) == 0)
		return;

	if (unlikely(system_state == SYSTEM_BOOTING))
	if (system_state == SYSTEM_BOOTING || modinit)
		return text_poke_early(insn, code, size);

	text_poke_bp(insn, code, size, emulate);
@@ -109,12 +110,12 @@ void arch_static_call_transform(void *site, void *tramp, void *func, bool tail)

	if (tramp) {
		__static_call_validate(tramp, true);
		__static_call_transform(tramp, __sc_insn(!func, true), func);
		__static_call_transform(tramp, __sc_insn(!func, true), func, false);
	}

	if (IS_ENABLED(CONFIG_HAVE_STATIC_CALL_INLINE) && site) {
		__static_call_validate(site, tail);
		__static_call_transform(site, __sc_insn(!func, tail), func);
		__static_call_transform(site, __sc_insn(!func, tail), func, false);
	}

	mutex_unlock(&text_mutex);
@@ -140,8 +141,10 @@ bool __static_call_fixup(void *tramp, u8 op, void *dest)
		return false;
	}

	mutex_lock(&text_mutex);
	if (op == RET_INSN_OPCODE || dest == &__x86_return_thunk)
		__static_call_transform(tramp, RET, NULL);
		__static_call_transform(tramp, RET, NULL, true);
	mutex_unlock(&text_mutex);

	return true;
}
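Review bot: The new `modinit` flag makes __static_call_transform() bypass text_poke_bp() and write with text_poke_early(), but nothing in the code records when passing `true` is safe; the only statement of that contract (early boot or module finalizing, before the trampoline can be executed on other CPUs) lives in the commit message. A comment on the new signature in the first hunk would pin it, e.g. `/* @modinit: caller guarantees the text is not yet live on other CPUs (early boot or module finalizing), so text_poke_early() suffices and no breakpoint-based sync is needed. */`. Since both callers now hold text_mutex, adding `lockdep_assert_held(&text_mutex);` at the top of __static_call_transform() would also make the serialization this commit adds checkable on the early path, which text_poke_early() presumably does not assert itself. The function body continues past the first hunk, so the exact placement of that assertion is not visible here.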