From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Andrew Cooper <andrew.cooper3@citrix.com>,
Juergen Gross <jgross@suse.com>, Jan Beulich <jbeulich@suse.com>
Subject: [PATCH 6.6 105/109] x86/xen: dont do PV iret hypercall through hypercall page
Date: Tue, 17 Dec 2024 18:08:29 +0100 [thread overview]
Message-ID: <20241217170537.788609438@linuxfoundation.org> (raw)
In-Reply-To: <20241217170533.329523616@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
commit a2796dff62d6c6bfc5fbebdf2bee0d5ac0438906 upstream.
Instead of jumping to the Xen hypercall page for doing the iret
hypercall, directly code the required sequence in xen-asm.S.
This is done in preparation of no longer using hypercall page at all,
as it has shown to cause problems with speculation mitigations.
This is part of XSA-466 / CVE-2024-53241.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/xen/xen-asm.S | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
--- a/arch/x86/xen/xen-asm.S
+++ b/arch/x86/xen/xen-asm.S
@@ -176,7 +176,6 @@ SYM_CODE_START(xen_early_idt_handler_arr
SYM_CODE_END(xen_early_idt_handler_array)
__FINIT
-hypercall_iret = hypercall_page + __HYPERVISOR_iret * 32
/*
* Xen64 iret frame:
*
@@ -186,17 +185,28 @@ hypercall_iret = hypercall_page + __HYPE
* cs
* rip <-- standard iret frame
*
- * flags
+ * flags <-- xen_iret must push from here on
*
- * rcx }
- * r11 }<-- pushed by hypercall page
- * rsp->rax }
+ * rcx
+ * r11
+ * rsp->rax
*/
+.macro xen_hypercall_iret
+ pushq $0 /* Flags */
+ push %rcx
+ push %r11
+ push %rax
+ mov $__HYPERVISOR_iret, %eax
+ syscall /* Do the IRET. */
+#ifdef CONFIG_MITIGATION_SLS
+ int3
+#endif
+.endm
+
SYM_CODE_START(xen_iret)
UNWIND_HINT_UNDEFINED
ANNOTATE_NOENDBR
- pushq $0
- jmp hypercall_iret
+ xen_hypercall_iret
SYM_CODE_END(xen_iret)
/*
@@ -301,8 +311,7 @@ SYM_CODE_START(xen_entry_SYSENTER_compat
ENDBR
lea 16(%rsp), %rsp /* strip %rcx, %r11 */
mov $-ENOSYS, %rax
- pushq $0
- jmp hypercall_iret
+ xen_hypercall_iret
SYM_CODE_END(xen_entry_SYSENTER_compat)
SYM_CODE_END(xen_entry_SYSCALL_compat)
next prev parent reply other threads:[~2024-12-17 17:23 UTC|newest]
Thread overview: 120+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-17 17:06 [PATCH 6.6 000/109] 6.6.67-rc1 review Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 001/109] bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 002/109] perf/x86/intel/ds: Unconditionally drain PEBS DS when changing PEBS_DATA_CFG Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 003/109] ksmbd: fix racy issue from session lookup and expire Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 004/109] splice: do not checksum AF_UNIX sockets Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 005/109] tcp: check space before adding MPTCP SYN options Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 006/109] riscv: Fix wrong usage of __pa() on a fixmap address Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 007/109] blk-cgroup: Fix UAF in blkcg_unpin_online() Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 008/109] ALSA: usb-audio: Add implicit feedback quirk for Yamaha THR5 Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 009/109] riscv: Fix IPIs usage in kfence_protect_page() Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 010/109] usb: host: max3421-hcd: Correctly abort a USB request Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 011/109] ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 012/109] usb: dwc2: Fix HCD resume Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 013/109] usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 014/109] usb: dwc2: Fix HCD port connection race Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 6.6 015/109] scsi: ufs: core: Update compl_time_stamp_local_clock after completing a cqe Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 016/109] usb: gadget: midi2: Fix interpretation of is_midi1 bits Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 017/109] usb: ehci-hcd: fix call balance of clocks handling routines Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 018/109] usb: typec: anx7411: fix fwnode_handle reference leak Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 019/109] usb: typec: anx7411: fix OF node reference leaks in anx7411_typec_switch_probe() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 020/109] usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 021/109] usb: dwc3: xilinx: make sure pipe clock is deselected in usb2 only mode Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 022/109] drm/i915: Fix memory leak by correcting cache object name in error handler Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 023/109] drm/i915: Fix NULL pointer dereference in capture_engine Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 024/109] xfs: update btree keys correctly when _insrec splits an inode root block Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 025/109] xfs: dont drop errno values when we fail to ficlone the entire range Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 026/109] xfs: return from xfs_symlink_verify early on V4 filesystems Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 027/109] xfs: fix scrub tracepoints when inode-rooted btrees are involved Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 028/109] xfs: only run precommits once per transaction object Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 029/109] bpf: Check size for BTF-based ctx access of pointer members Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 030/109] bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 031/109] bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 032/109] bpf, sockmap: Fix race between element replace and close() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 033/109] bpf, sockmap: Fix update element with same Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 034/109] rtla/timerlat: Make timerlat_hist_cpu->*_count unsigned long long Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 035/109] wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 036/109] wifi: mac80211: init cnt before accessing elem in ieee80211_copy_mbssid_beacon Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 037/109] wifi: mac80211: clean up ret in sta_link_apply_parameters() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 038/109] wifi: mac80211: fix station NSS capability initialization order Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 039/109] acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 040/109] amdgpu/uvd: get ring reference from rq scheduler Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 041/109] batman-adv: Do not send uninitialized TT changes Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 042/109] batman-adv: Remove uninitialized data in full table TT response Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 043/109] batman-adv: Do not let TT changes list grows indefinitely Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 044/109] tipc: fix NULL deref in cleanup_bearer() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 045/109] net/mlx5: DR, prevent potential error pointer dereference Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 046/109] wifi: cfg80211: sme: init n_channels before channels[] access Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 047/109] selftests: mlxsw: sharedbuffer: Remove h1 ingress test case Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 048/109] selftests: mlxsw: sharedbuffer: Remove duplicate test cases Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 049/109] selftests: mlxsw: sharedbuffer: Ensure no extra packets are counted Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 050/109] ptp: kvm: x86: Return EOPNOTSUPP instead of ENODEV from kvm_arch_ptp_init() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 051/109] net: lapb: increase LAPB_HEADER_LEN Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 052/109] net: defer final struct net free in netns dismantle Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 053/109] net: mscc: ocelot: fix memory leak on ocelot_port_add_txtstamp_skb() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 054/109] net: mscc: ocelot: improve handling of TX timestamp for unknown skb Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 055/109] net: mscc: ocelot: ocelot->ts_id_lock and ocelot_port->tx_skbs.lock are IRQ-safe Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 056/109] net: mscc: ocelot: be resilient to loss of PTP packets during transmission Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 057/109] net: mscc: ocelot: perform error cleanup in ocelot_hwstamp_set() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 058/109] spi: aspeed: Fix an error handling path in aspeed_spi_[read|write]_user() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 059/109] net: sparx5: fix FDMA performance issue Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 060/109] net: sparx5: fix the maximum frame length register Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 061/109] ACPI: resource: Fix memory resource type union access Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 062/109] cxgb4: use port number to set mac addr Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 063/109] qca_spi: Fix clock speed for multiple QCA7000 Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 064/109] qca_spi: Make driver probing reliable Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 065/109] ALSA: control: Avoid WARN() for symlink errors Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 066/109] ASoC: amd: yc: Fix the wrong return value Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 067/109] Documentation: PM: Clarify pm_runtime_resume_and_get() " Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 068/109] net: rswitch: Drop unused argument/return value Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 069/109] net: rswitch: Use unsigned int for desc related array index Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 070/109] net: rswitch: Use build_skb() for RX Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 071/109] net: rswitch: Add unmap_addrs instead of dma address in each desc Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 072/109] net: rswitch: Add a setting ext descriptor function Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 073/109] net: rswitch: Add jumbo frames handling for TX Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 074/109] net: renesas: rswitch: fix race window between tx start and complete Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 6.6 075/109] net: renesas: rswitch: fix leaked pointer on error path Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 076/109] net: renesas: rswitch: avoid use-after-put for a device tree node Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 077/109] net: renesas: rswitch: handle stop vs interrupt race Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 078/109] libperf: evlist: Fix --cpu argument on hybrid platform Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 079/109] netfilter: IDLETIMER: Fix for possible ABBA deadlock Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 080/109] netfilter: nf_tables: do not defer rule destruction via call_rcu Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 081/109] net: dsa: felix: fix stuck CPU-injected packets with short taprio windows Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 082/109] net/sched: netem: account for backlog updates from child qdisc Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 083/109] bonding: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 084/109] team: " Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 085/109] ACPICA: events/evxfregn: dont release the ContextMutex that was never acquired Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 086/109] Bluetooth: ISO: Reassociate a socket with an active BIS Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 087/109] Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 088/109] Bluetooth: iso: Fix recursive locking warning Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 089/109] Bluetooth: SCO: Add support for 16 bits transparent voice setting Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 090/109] Bluetooth: btmtk: avoid UAF in btmtk_process_coredump Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 091/109] net: renesas: rswitch: fix initial MPIC register setting Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 092/109] net: dsa: microchip: KSZ9896 register regmap alignment to 32 bit boundaries Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 093/109] blk-iocost: Avoid using clamp() on inuse in __propagate_weights() Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 094/109] kselftest/arm64: abi: fix SVCR detection Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 095/109] KVM: arm64: Disable MPAM visibility by default and ignore VMM writes Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 096/109] bpf: sync_linked_regs() must preserve subreg_def Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 097/109] tracing/kprobes: Skip symbol counting logic for module symbols in create_local_trace_kprobe() Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 098/109] selftests/bpf: Add netlink helper library Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 099/109] selftests/bpf: remove use of __xlated() Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 100/109] net: rswitch: Avoid use-after-free in rswitch_poll() Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 101/109] xen/netfront: fix crash when removing device Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 102/109] x86: make get_cpu_vendor() accessible from Xen code Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 103/109] objtool/x86: allow syscall instruction Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 104/109] x86/static-call: provide a way to do very early static-call updates Greg Kroah-Hartman
2024-12-17 17:08 ` Greg Kroah-Hartman [this message]
2024-12-17 17:08 ` [PATCH 6.6 106/109] x86/xen: add central hypercall functions Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 107/109] x86/xen: use new hypercall functions instead of hypercall page Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 108/109] x86/xen: remove " Greg Kroah-Hartman
2024-12-17 17:08 ` [PATCH 6.6 109/109] ALSA: usb-audio: Fix a DMA to stack memory bug Greg Kroah-Hartman
2024-12-17 20:00 ` [PATCH 6.6 000/109] 6.6.67-rc1 review Florian Fainelli
2024-12-19 16:05 ` Greg Kroah-Hartman
2024-12-17 23:00 ` Shuah Khan
2024-12-18 5:49 ` Harshit Mogalapalli
2024-12-19 16:05 ` Greg Kroah-Hartman
2024-12-18 6:49 ` Ron Economos
2024-12-18 12:11 ` Peter Schneider
2024-12-18 12:37 ` Mark Brown
2024-12-18 14:13 ` Naresh Kamboju
2024-12-18 17:23 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241217170537.788609438@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=jgross@suse.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox