59d5af67 | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Andy Lutomirski <luto@kernel.org> |
3 | Date: Thu, 2 Nov 2017 00:59:12 -0700 | |
59d5af67 | 4 | Subject: [PATCH] x86/xen/64, x86/entry/64: Clean up SP code in |
5 | cpu_initialize_context() |
6 | MIME-Version: 1.0 | |
7 | Content-Type: text/plain; charset=UTF-8 | |
8 | Content-Transfer-Encoding: 8bit | |
9 | ||
10 | CVE-2017-5754 | |
11 | ||
12 | I'm removing thread_struct::sp0, and Xen's usage of it is slightly | |
13 | dubious and unnecessary. Use appropriate helpers instead. | |
14 | ||
15 | While we're at it, reorder the code slightly to make it more obvious | |
16 | what's going on. | |
17 | ||
18 | Signed-off-by: Andy Lutomirski <luto@kernel.org> | |
19 | Reviewed-by: Juergen Gross <jgross@suse.com> | |
20 | Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> | |
21 | Cc: Borislav Petkov <bpetkov@suse.de> | |
22 | Cc: Brian Gerst <brgerst@gmail.com> | |
23 | Cc: Dave Hansen <dave.hansen@intel.com> | |
24 | Cc: Juergen Gross <jgross@suse.com> | |
25 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
26 | Cc: Peter Zijlstra <peterz@infradead.org> | |
27 | Cc: Thomas Gleixner <tglx@linutronix.de> | |
28 | Link: http://lkml.kernel.org/r/d5b9a3da2b47c68325bd2bbe8f82d9554dee0d0f.1509609304.git.luto@kernel.org | |
29 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
30 | (cherry picked from commit f16b3da1dc936c0f8121741d0a1731bf242f2f56) | |
31 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
32 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
33 | (cherry picked from commit 27c60a1f6c49062151f67042458a523386cc3dc5) | |
34 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
35 | --- | |
36 | arch/x86/xen/smp_pv.c | 17 ++++++++++++++--- | |
37 | 1 file changed, 14 insertions(+), 3 deletions(-) | |
38 | ||
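diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c
index 51471408fdd1..8c0e047d0b80 100644
--- a/arch/x86/xen/smp_pv.c
+++ b/arch/x86/xen/smp_pv.c
@@ -13,6 +13,7 @@
 * single-threaded.
 */
 #include <linux/sched.h>
+#include <linux/sched/task_stack.h>
 #include <linux/err.h>
 #include <linux/slab.h>
 #include <linux/smp.h>
@@ -293,12 +294,19 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
 #endif
 memset(&ctxt->fpu_ctxt, 0, sizeof(ctxt->fpu_ctxt));
 
+ /*
+ * Bring up the CPU in cpu_bringup_and_idle() with the stack
+ * pointing just below where pt_regs would be if it were a normal
+ * kernel entry.
+ */
 ctxt->user_regs.eip = (unsigned long)cpu_bringup_and_idle;
 ctxt->flags = VGCF_IN_KERNEL;
 ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */
 ctxt->user_regs.ds = __USER_DS;
 ctxt->user_regs.es = __USER_DS;
 ctxt->user_regs.ss = __KERNEL_DS;
+ ctxt->user_regs.cs = __KERNEL_CS;
+ ctxt->user_regs.esp = (unsigned long)task_pt_regs(idle);
 
 xen_copy_trap_info(ctxt->trap_ctxt);
 
@@ -313,8 +321,13 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
 ctxt->gdt_frames[0] = gdt_mfn;
 ctxt->gdt_ents = GDT_ENTRIES;
 
+ /*
+ * Set SS:SP that Xen will use when entering guest kernel mode
+ * from guest user mode. Subsequent calls to load_sp0() can
+ * change this value.
+ */
 ctxt->kernel_ss = __KERNEL_DS;
- ctxt->kernel_sp = idle->thread.sp0;
+ ctxt->kernel_sp = task_top_of_stack(idle);
 
 #ifdef CONFIG_X86_32
 ctxt->event_callback_cs = __KERNEL_CS;
@@ -326,10 +339,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
 (unsigned long)xen_hypervisor_callback;
 ctxt->failsafe_callback_eip =
 (unsigned long)xen_failsafe_callback;
- ctxt->user_regs.cs = __KERNEL_CS;
 per_cpu(xen_cr3, cpu) = __pa(swapper_pg_dir);
 
- ctxt->user_regs.esp = idle->thread.sp0 - sizeof(struct pt_regs);
 ctxt->ctrlreg[3] = xen_pfn_to_cr3(virt_to_gfn(swapper_pg_dir));
 if (HYPERVISOR_vcpu_op(VCPUOP_initialise, xen_vcpu_nr(cpu), ctxt))
 BUG();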
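Review bot: The two new stack-pointer expressions, `ctxt->user_regs.esp = (unsigned long)task_pt_regs(idle);` in the second hunk and `ctxt->kernel_sp = task_top_of_stack(idle);` in the third, are a drop-in replacement for the removed `idle->thread.sp0`-based values only where sp0 coincides with the top of the stack; on CONFIG_X86_32, where TOP_OF_KERNEL_STACK_PADDING is non-zero and sp0 presumably sits below it, kernel_sp would move up by that padding, which the commit message ("slightly dubious") hints at but does not state. If that shift is acceptable because the idle task never takes a user-mode entry before its first load_sp0() call, the new comment above kernel_sp should say so rather than only that load_sp0() "can change this value", for instance `* The idle task takes no user-mode entry before its first context switch, so this only needs to be a valid kernel stack top.` The enclosing cpu_initialize_context() starts and ends outside these hunks, and the #ifdef CONFIG_X86_32 block visible in the third hunk continues past it, so the 32-bit path cannot be fully checked from here.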
97 | -- | |
98 | 2.14.2 | |