100 lines
3.5 KiB
Diff
100 lines
3.5 KiB
Diff
From 232ab20b1af958a04a82fb7290a1e54c3632f771 Mon Sep 17 00:00:00 2001
|
|
From: Andy Lutomirski <luto@kernel.org>
|
|
Date: Thu, 2 Nov 2017 00:59:12 -0700
|
|
Subject: [PATCH 100/233] x86/xen/64, x86/entry/64: Clean up SP code in
|
|
cpu_initialize_context()
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
CVE-2017-5754
|
|
|
|
I'm removing thread_struct::sp0, and Xen's usage of it is slightly
|
|
dubious and unnecessary. Use appropriate helpers instead.
|
|
|
|
While we're at at, reorder the code slightly to make it more obvious
|
|
what's going on.
|
|
|
|
Signed-off-by: Andy Lutomirski <luto@kernel.org>
|
|
Reviewed-by: Juergen Gross <jgross@suse.com>
|
|
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
|
|
Cc: Borislav Petkov <bpetkov@suse.de>
|
|
Cc: Brian Gerst <brgerst@gmail.com>
|
|
Cc: Dave Hansen <dave.hansen@intel.com>
|
|
Cc: Juergen Gross <jgross@suse.com>
|
|
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Cc: Peter Zijlstra <peterz@infradead.org>
|
|
Cc: Thomas Gleixner <tglx@linutronix.de>
|
|
Link: http://lkml.kernel.org/r/d5b9a3da2b47c68325bd2bbe8f82d9554dee0d0f.1509609304.git.luto@kernel.org
|
|
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
|
(cherry picked from commit f16b3da1dc936c0f8121741d0a1731bf242f2f56)
|
|
Signed-off-by: Andy Whitcroft <apw@canonical.com>
|
|
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
|
(cherry picked from commit 27c60a1f6c49062151f67042458a523386cc3dc5)
|
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
---
|
|
arch/x86/xen/smp_pv.c | 17 ++++++++++++++---
|
|
1 file changed, 14 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c
|
|
index 51471408fdd1..8c0e047d0b80 100644
|
|
--- a/arch/x86/xen/smp_pv.c
|
|
+++ b/arch/x86/xen/smp_pv.c
|
|
@@ -13,6 +13,7 @@
|
|
* single-threaded.
|
|
*/
|
|
#include <linux/sched.h>
|
|
+#include <linux/sched/task_stack.h>
|
|
#include <linux/err.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/smp.h>
|
|
@@ -293,12 +294,19 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
|
|
#endif
|
|
memset(&ctxt->fpu_ctxt, 0, sizeof(ctxt->fpu_ctxt));
|
|
|
|
+ /*
|
|
+ * Bring up the CPU in cpu_bringup_and_idle() with the stack
|
|
+ * pointing just below where pt_regs would be if it were a normal
|
|
+ * kernel entry.
|
|
+ */
|
|
ctxt->user_regs.eip = (unsigned long)cpu_bringup_and_idle;
|
|
ctxt->flags = VGCF_IN_KERNEL;
|
|
ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */
|
|
ctxt->user_regs.ds = __USER_DS;
|
|
ctxt->user_regs.es = __USER_DS;
|
|
ctxt->user_regs.ss = __KERNEL_DS;
|
|
+ ctxt->user_regs.cs = __KERNEL_CS;
|
|
+ ctxt->user_regs.esp = (unsigned long)task_pt_regs(idle);
|
|
|
|
xen_copy_trap_info(ctxt->trap_ctxt);
|
|
|
|
@@ -313,8 +321,13 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
|
|
ctxt->gdt_frames[0] = gdt_mfn;
|
|
ctxt->gdt_ents = GDT_ENTRIES;
|
|
|
|
+ /*
|
|
+ * Set SS:SP that Xen will use when entering guest kernel mode
|
|
+ * from guest user mode. Subsequent calls to load_sp0() can
|
|
+ * change this value.
|
|
+ */
|
|
ctxt->kernel_ss = __KERNEL_DS;
|
|
- ctxt->kernel_sp = idle->thread.sp0;
|
|
+ ctxt->kernel_sp = task_top_of_stack(idle);
|
|
|
|
#ifdef CONFIG_X86_32
|
|
ctxt->event_callback_cs = __KERNEL_CS;
|
|
@@ -326,10 +339,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
|
|
(unsigned long)xen_hypervisor_callback;
|
|
ctxt->failsafe_callback_eip =
|
|
(unsigned long)xen_failsafe_callback;
|
|
- ctxt->user_regs.cs = __KERNEL_CS;
|
|
per_cpu(xen_cr3, cpu) = __pa(swapper_pg_dir);
|
|
|
|
- ctxt->user_regs.esp = idle->thread.sp0 - sizeof(struct pt_regs);
|
|
ctxt->ctrlreg[3] = xen_pfn_to_cr3(virt_to_gfn(swapper_pg_dir));
|
|
if (HYPERVISOR_vcpu_op(VCPUOP_initialise, xen_vcpu_nr(cpu), ctxt))
|
|
BUG();
|
|
--
|
|
2.14.2
|
|
|