Patch "powerpc/32s: Fix kuap_kernel_restore()" has been added to the 5.14-stable tree

This is a note to let you know that I've just added the patch titled

    powerpc/32s: Fix kuap_kernel_restore()

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     powerpc-32s-fix-kuap_kernel_restore.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feel it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 673807cf4980bfaefbf329d69064d884e5344bfd
Author: Christophe Leroy <christophe.leroy@xxxxxxxxxx>
Date:   Wed Sep 15 16:12:24 2021 +0200

    powerpc/32s: Fix kuap_kernel_restore()
    
    [ Upstream commit d93f9e23744b7bf11a98b2ddb091d129482ae179 ]
    
    At interrupt exit, kuap_kernel_restore() calls kuap_unlock() with the
    value contained in regs->kuap. However, when regs->kuap contains
    0xffffffff it means that KUAP was not unlocked so calling kuap_unlock()
    is irrelevant and results in jeopardising the contents of kernel space
    segment registers.
    
    So check that regs->kuap doesn't contain KUAP_NONE before calling
    kuap_unlock(). In the meantime it also means that if KUAP has not
    been correctly locked back at interrupt exit, it must be locked
    before continuing. This is done by checking the content of
    current->thread.kuap which was returned by kuap_get_and_assert_locked().
    
    Fixes: 16132529cee5 ("powerpc/32s: Rework Kernel Userspace Access Protection")
    Reported-by: Stan Johnson <userm57@xxxxxxxxx>
    Signed-off-by: Christophe Leroy <christophe.leroy@xxxxxxxxxx>
    Signed-off-by: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/0d0c4d0f050a637052287c09ba521bad960a2790.1631715131.git.christophe.leroy@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/powerpc/include/asm/book3s/32/kup.h b/arch/powerpc/include/asm/book3s/32/kup.h
index d4b145b279f6..9f38040f0641 100644
--- a/arch/powerpc/include/asm/book3s/32/kup.h
+++ b/arch/powerpc/include/asm/book3s/32/kup.h
@@ -136,6 +136,14 @@ static inline void kuap_kernel_restore(struct pt_regs *regs, unsigned long kuap)
 	if (kuap_is_disabled())
 		return;
 
+	if (unlikely(kuap != KUAP_NONE)) {
+		current->thread.kuap = KUAP_NONE;
+		kuap_lock(kuap, false);
+	}
+
+	if (likely(regs->kuap == KUAP_NONE))
+		return;
+
 	current->thread.kuap = regs->kuap;
 
 	kuap_unlock(regs->kuap, false);
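Review bot: the two new checks would benefit from a short comment in the hunk, since neither reads as obvious on its own. The first, `if (unlikely(kuap != KUAP_NONE))`, is the repair path for a KUAP that kuap_get_and_assert_locked() found still unlocked at interrupt exit: it resets current->thread.kuap to KUAP_NONE and re-locks with the leaked value, and because it only fires after that assertion has already tripped, saying so explicitly would stop a reader from mistaking it for a normal path. The second, `if (likely(regs->kuap == KUAP_NONE)) return;`, relies on the fact stated in the commit message that KUAP_NONE (0xffffffff) in regs->kuap means nothing was unlocked, so handing that value to kuap_unlock() would overwrite the kernel-space segment registers; a one-line comment tying the early return to that invariant would make the ordering of the two checks (re-lock first, then decide whether an unlock is owed) self-documenting.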
