Patch "powerpc/8xx: Fix kernel vs user address comparison" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 30 Sep 2024 20:12:56 -0400

This is a note to let you know that I've just added the patch titled

    powerpc/8xx: Fix kernel vs user address comparison

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     powerpc-8xx-fix-kernel-vs-user-address-comparison.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 18de5e723bc423a780caf939307835ab0c93f9c7
Author: Christophe Leroy <christophe.leroy@xxxxxxxxxx>
Date:   Tue Aug 20 19:23:46 2024 +0200

    powerpc/8xx: Fix kernel vs user address comparison
    
    [ Upstream commit 65a82e117ffeeab0baf6f871a1cab11a28ace183 ]
    
    Since commit 9132a2e82adc ("powerpc/8xx: Define a MODULE area below
    kernel text"), module exec space is below PAGE_OFFSET so not only
    space above PAGE_OFFSET, but space above TASK_SIZE need to be seen
    as kernel space.
    
    Until now the problem went undetected because by default TASK_SIZE
    is 0x8000000 which means address space is determined by just
    checking upper address bit. But when TASK_SIZE is over 0x80000000,
    PAGE_OFFSET is used for comparison, leading to thinking module
    addresses are part of user space.
    
    Fix it by using TASK_SIZE instead of PAGE_OFFSET for address
    comparison.
    
    Fixes: 9132a2e82adc ("powerpc/8xx: Define a MODULE area below kernel text")
    Signed-off-by: Christophe Leroy <christophe.leroy@xxxxxxxxxx>
    Signed-off-by: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
    Link: https://msgid.link/3f574c9845ff0a023b46cb4f38d2c45aecd769bd.1724173828.git.christophe.leroy@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
index 0b05f2be66b9f..f267e1587a9ba 100644
--- a/arch/powerpc/kernel/head_8xx.S
+++ b/arch/powerpc/kernel/head_8xx.S
@@ -40,12 +40,12 @@
 #include "head_32.h"
 
 .macro compare_to_kernel_boundary scratch, addr
-#if CONFIG_TASK_SIZE <= 0x80000000 && CONFIG_PAGE_OFFSET >= 0x80000000
+#if CONFIG_TASK_SIZE <= 0x80000000 && MODULES_VADDR >= 0x80000000
 /* By simply checking Address >= 0x80000000, we know if its a kernel address */
 	not.	\scratch, \addr
 #else
 	rlwinm	\scratch, \addr, 16, 0xfff8
-	cmpli	cr0, \scratch, PAGE_OFFSET@h
+	cmpli	cr0, \scratch, TASK_SIZE@h
 #endif
 .endm
 
@@ -403,7 +403,7 @@ FixupDAR:/* Entry point for dcbx workaround. */
 	mfspr	r10, SPRN_SRR0
 	mtspr	SPRN_MD_EPN, r10
 	rlwinm	r11, r10, 16, 0xfff8
-	cmpli	cr1, r11, PAGE_OFFSET@h
+	cmpli	cr1, r11, TASK_SIZE@h
 	mfspr	r11, SPRN_M_TWB	/* Get level 1 table */
 	blt+	cr1, 3f
 







