diff --git a/patches.kernel.org/6.3.3-240-x86-fix-clear_user_rep_good-exception-handling-.patch b/patches.kernel.org/6.3.3-240-x86-fix-clear_user_rep_good-exception-handling-.patch
new file mode 100644
index 0000000..926406a
--- /dev/null
+++ b/patches.kernel.org/6.3.3-240-x86-fix-clear_user_rep_good-exception-handling-.patch
@@ -0,0 +1,103 @@
+From: Linus Torvalds
+Date: Sun, 14 May 2023 15:46:19 -0700
+Subject: [PATCH] x86: fix clear_user_rep_good() exception handling annotation
+References: bsc#1012628
+Patch-mainline: 6.3.3
+Git-commit: b805d212c394f291f116b12c53401e7ba0c4d408
+
+This code no longer exists in mainline, because it was removed in
+commit d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory
+clearing") upstream.
+
+However, rather than backport the full range of x86 memory clearing and
+copying cleanups, fix the exception table annotation placement for the
+final 'rep movsb' in clear_user_rep_good(): rather than pointing at the
+actual instruction that did the user space access, it pointed to the
+register move just before it.
+
+That made sense from a code flow standpoint, but not from an actual
+usage standpoint: it means that if user access takes an exception, the
+exception handler won't actually find the instruction in the exception
+tables.
+
+As a result, rather than fixing it up and returning -EFAULT, it would
+then turn it into a kernel oops report instead, something like:
+
+ BUG: unable to handle page fault for address: 0000000020081000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ ...
+ RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147
+ ...
+ Call Trace:
+ __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline]
+ clear_user arch/x86/include/asm/uaccess_64.h:124 [inline]
+ iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800
+ iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline]
+ iomap_dio_iter fs/iomap/direct-io.c:440 [inline]
+ __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601
+ iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689
+ ext4_dio_read_iter fs/ext4/file.c:94 [inline]
+ ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145
+ call_read_iter include/linux/fs.h:2183 [inline]
+ do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733
+ do_iter_read+0x2f2/0x750 fs/read_write.c:796
+ vfs_readv+0xe5/0x150 fs/read_write.c:916
+ do_preadv+0x1b6/0x270 fs/read_write.c:1008
+ __do_sys_preadv2 fs/read_write.c:1070 [inline]
+ __se_sys_preadv2 fs/read_write.c:1061 [inline]
+ __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+which then looks like a filesystem bug rather than the incorrect
+exception annotation that it is.
+
+[ The alternative to this one-liner fix is to take the upstream series
+ that cleans this all up:
+
+ 68674f94ffc9 ("x86: don't use REP_GOOD or ERMS for small memory copies")
+ 20f3337d350c ("x86: don't use REP_GOOD or ERMS for small memory clearing")
+ adfcf4231b8c ("x86: don't use REP_GOOD or ERMS for user memory copies")
+ * d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing")
+ 3639a535587d ("x86: move stac/clac from user copy routines into callers")
+ 577e6a7fd50d ("x86: inline the 'rep movs' in user copies for the FSRM case")
+ 8c9b6a88b7e2 ("x86: improve on the non-rep 'clear_user' function")
+ 427fda2c8a49 ("x86: improve on the non-rep 'copy_user' function")
+ * e046fe5a36a9 ("x86: set FSRS automatically on AMD CPUs that have FSRM")
+ e1f2750edc4a ("x86: remove 'zerorest' argument from __copy_user_nocache()")
+ 034ff37d3407 ("x86: rewrite '__copy_user_nocache' function")
+
+ with either the whole series or at a minimum the two marked commits
+ being needed to fix this issue ]
+
+Reported-by: syzbot
+Link: https://syzkaller.appspot.com/bug?extid=401145a9a237779feb26
+Fixes: 0db7058e8e23 ("x86/clear_user: Make it faster")
+Cc: Borislav Petkov
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jiri Slaby
+---
+ arch/x86/lib/clear_page_64.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/lib/clear_page_64.S b/arch/x86/lib/clear_page_64.S
+index ecbfb4dd..faa4cdc7 100644
+--- a/arch/x86/lib/clear_page_64.S
++++ b/arch/x86/lib/clear_page_64.S
+@@ -142,8 +142,8 @@ SYM_FUNC_START(clear_user_rep_good)
+ and $7, %edx
+ jz .Lrep_good_exit
+
+-.Lrep_good_bytes:
+ mov %edx, %ecx
++.Lrep_good_bytes:
+ rep stosb
+
+ .Lrep_good_exit:
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index f7308dc..8e44732 100644
--- a/series.conf
+++ b/series.conf
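Review bot: The relocated `.Lrep_good_bytes` label now tags `rep stosb`, which is the instruction that actually touches user memory, but nothing on the new-side line records that the label is an exception-table anchor, so a later cleanup can move it back onto the `mov` without any build-time complaint. I would add a comment on the new label line, e.g. `/* extable anchor: must stay on the faulting rep stosb, lookup is by exact address */`. The extable entry and fixup that consume this label are outside the hunk (presumably an `_ASM_EXTABLE_UA`-style annotation later in the function), so this hunk alone cannot show that the fixup still computes the remaining count from %ecx/%rcx after the move; that is worth confirming against the rest of the function when reviewing the backport. The enclosing SYM_FUNC_START(clear_user_rep_good) body begins before this hunk and ends after it.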
@@ -973,6 +973,7 @@ patches.kernel.org/6.3.3-237-ext4-remove-a-BUG_ON-in-ext4_mb_release_group_p.patch patches.kernel.org/6.3.3-238-ext4-fix-invalid-free-tracking-in-ext4_xattr_mo.patch patches.kernel.org/6.3.3-239-x86-amd_nb-Add-PCI-ID-for-family-19h-model-78h.patch + patches.kernel.org/6.3.3-240-x86-fix-clear_user_rep_good-exception-handling-.patch ######################################################## # Build fixes that apply to the vanilla kernel too.