arm64: entry: Free up another register on kpti's tramp_exit path

stable inclusion from stable-v4.19.236 commit 51acb81130d1feee7fd043760b75f5377ab8d4f0 category: bugfix bugzilla: 186460, https://gitee.com/src-openeuler/kernel/issues/I53MHA CVE: CVE-2022-23960 -------------------------------- commit 03aff3a7 upstream. Kpti stashes x30 in far_el1 while it uses x30 for all its work. Making the vectors a per-cpu data structure will require a second register. Allow tramp_exit two registers before it unmaps the kernel, by leaving x30 on the stack, and stashing x29 in far_el1. Reviewed-by: N Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Reviewed-by: N Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: N James Morse <james.morse@arm.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jiahao <chenjiahao16@huawei.com> Reviewed-by: N Hanjun Guo <guohanjun@huawei.com> Reviewed-by: N Liao Chang <liaochang1@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

arm64: entry: Free up another register on kpti's tramp_exit path
stable inclusion from stable-v4.19.236 commit 51acb81130d1feee7fd043760b75f5377ab8d4f0 category: bugfix bugzilla: 186460, https://gitee.com/src-openeuler/kernel/issues/I53MHA CVE: CVE-2022-23960 -------------------------------- commit 03aff3a7 upstream. Kpti stashes x30 in far_el1 while it uses x30 for all its work. Making the vectors a per-cpu data structure will require a second register. Allow tramp_exit two registers before it unmaps the kernel, by leaving x30 on the stack, and stashing x29 in far_el1. Reviewed-by: N Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Reviewed-by: N Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: N James Morse <james.morse@arm.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jiahao <chenjiahao16@huawei.com> Reviewed-by: N Hanjun Guo <guohanjun@huawei.com> Reviewed-by: N Liao Chang <liaochang1@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
c74a988a · James Morse · Yongqiang Liu · 7a79d423 · c74a988a
隐藏空白更改
内联并排

Showing with 12 addition and 6 deletion

arch/arm64/kernel/entry.S arch/arm64/kernel/entry.S +12 -6

未找到文件。
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -365,18 +365,20 @@ alternative_else_nop_endif
 	ldp	x24, x25, [sp, #16 * 12]
 	ldp	x26, x27, [sp, #16 * 13]
 	ldp	x28, x29, [sp, #16 * 14]
-	ldr	lr, [sp, #S_LR]
-	add	sp, sp, #S_FRAME_SIZE		// restore sp
 	/*
 	 * ARCH_HAS_MEMBARRIER_SYNC_CORE rely on eret context synchronization
 	 * when returning from IPI handler, and when returning to user-space.
 	 */
 	.if	\el == 0
-alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
+alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
+	ldr	lr, [sp, #S_LR]
+	add	sp, sp, #S_FRAME_SIZE		// restore sp
+	eret
+alternative_else_nop_endif
 #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
 	bne	4f
-	msr	far_el1, x30
+	msr	far_el1, x29
 	tramp_alias	x30, tramp_exit_native
 	br	x30
 4:
@@ -384,6 +386,8 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
 	br	x30
 #endif
 	.else
+	ldr	lr, [sp, #S_LR]
+	add	sp, sp, #S_FRAME_SIZE		// restore sp
 	eret
 	.endif
 	.endm
@@ -1096,10 +1100,12 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
 	.macro tramp_exit, regsize = 64
 	adr	x30, tramp_vectors
 	msr	vbar_el1, x30
-	tramp_unmap_kernel	x30
+	ldr	lr, [sp, #S_LR]
+	tramp_unmap_kernel	x29
 	.if	\regsize == 64
-	mrs	x30, far_el1
+	mrs	x29, far_el1
 	.endif
+	add	sp, sp, #S_FRAME_SIZE		// restore sp
 	eret
 	.endm