authorAlice Ferrazzi <alicef@gentoo.org>2018-01-04 07:36:45 +0000
committerAlice Ferrazzi <alicef@gentoo.org>2018-01-04 07:36:45 +0000
commit699a12a2e1c3b010def959c76faf7dddc4588b8d (patch)
treefab61221d59e9955d6bcfd1470438f6020882820
parentx86/pti: Make sure the user/kernel PTEs match (diff)
x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()4.14-15
-rw-r--r--0000_README4
-rw-r--r--1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch68
2 files changed, 72 insertions, 0 deletions
diff --git a/0000_README b/0000_README
index 0cab5bc6..d47f74d6 100644
--- a/0000_README
+++ b/0000_README
@@ -103,6 +103,10 @@ Patch: 1701_make_sure_the_user_kernel_PTEs_match.patch
From: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/patch/?id=52994c256df36fda9a715697431cba9daecb6b11
Desc: x86/pti: Make sure the user/kernel PTEs match
+Patch: 1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch
+From: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=WIP.x86/pti&id=d7732ba55c4b6a2da339bb12589c515830cfac2c
+Desc: Switch to kernel CR3 at early in entry_SYSCALL_compat()
+
Patch: 2100_bcache-data-corruption-fix-for-bi-partno.patch
From: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=62530ed8b1d07a45dec94d46e521c0c6c2d476e6
Desc: bio: ensure __bio_clone_fast copies bi_partno.
diff --git a/1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch b/1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch
new file mode 100644
index 00000000..12d9555a
--- /dev/null
+++ b/1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch
@@ -0,0 +1,68 @@
+From d7732ba55c4b6a2da339bb12589c515830cfac2c Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 3 Jan 2018 19:52:04 +0100
+Subject: x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()
+
+The preparation for PTI which added CR3 switching to the entry code
+misplaced the CR3 switch in entry_SYSCALL_compat().
+
+With PTI enabled the entry code tries to access a per cpu variable after
+switching to kernel GS. This fails because that variable is not mapped to
+user space. This results in a double fault and in the worst case a kernel
+crash.
+
+Move the switch ahead of the access and clobber RSP which has been saved
+already.
+
+Fixes: 8a09317b895f ("x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3 switching")
+Reported-by: Lars Wendler <wendler.lars@web.de>
+Reported-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Borislav Betkov <bp@alien8.de>
+Cc: Andy Lutomirski <luto@kernel.org>,
+Cc: Dave Hansen <dave.hansen@linux.intel.com>,
+Cc: Peter Zijlstra <peterz@infradead.org>,
+Cc: Greg KH <gregkh@linuxfoundation.org>, ,
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>,
+Cc: Juergen Gross <jgross@suse.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801031949200.1957@nanos
+---
+ arch/x86/entry/entry_64_compat.S | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
+index 40f1700..98d5358 100644
+--- a/arch/x86/entry/entry_64_compat.S
++++ b/arch/x86/entry/entry_64_compat.S
+@@ -190,8 +190,13 @@ ENTRY(entry_SYSCALL_compat)
+ /* Interrupts are off on entry. */
+ swapgs
+
+- /* Stash user ESP and switch to the kernel stack. */
++ /* Stash user ESP */
+ movl %esp, %r8d
++
++ /* Use %rsp as scratch reg. User ESP is stashed in r8 */
++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
++
++ /* Switch to the kernel stack */
+ movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
+
+ /* Construct struct pt_regs on stack */
+@@ -220,12 +225,6 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
+ pushq $0 /* pt_regs->r15 = 0 */
+
+ /*
+- * We just saved %rdi so it is safe to clobber. It is not
+- * preserved during the C calls inside TRACE_IRQS_OFF anyway.
+- */
+- SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
+-
+- /*
+ * User mode is traced as though IRQs are on, and SYSENTER
+ * turned them off.
+ */
+--
+cgit v1.1
+
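Review bot: Between `SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp` and the following `movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp`, %rsp holds scratch data rather than a usable stack, so any trap that pushed onto the current stack in that window would fault again; the new comment only records that the user ESP is stashed in r8, not why clobbering the stack pointer is safe. The hunk shows interrupts are off at this point (`/* Interrupts are off on entry. */`), and presumably NMI and machine-check entries run on IST stacks so they do not depend on %rsp, but the code does not state what it relies on. I would extend the comment to `/* Use %rsp as scratch reg. User ESP is stashed in r8. %rsp is NOT a valid stack until the kernel stack is loaded below: IRQs are off and NMI/#MC use IST stacks. */` so the next person touching this entry path sees the invariant. The enclosing entry_SYSCALL_compat body continues past the end of both hunks, so the later uses of %r8 are not visible here.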