RE: [PATCH v2] x86: Allow user accesses to the base of the guard page

From: David Laight
Date: Sun Dec 01 2024 - 06:26:11 EST


CC stable.

This needs picking up for 6.12.

Head commit 573f45a9f9a47 applied by Linus with a modified commit message.

David

> -----Original Message-----
> From: David Laight
> Sent: 24 November 2024 15:39
> To: 'Linus Torvalds' <torvalds@xxxxxxxxxxxxxxxxxxxx>; 'Andrew Cooper' <andrew.cooper3@xxxxxxxxxx>;
> 'bp@xxxxxxxxx' <bp@xxxxxxxxx>; 'Josh Poimboeuf' <jpoimboe@xxxxxxxxxx>
> Cc: 'x86@xxxxxxxxxx' <x86@xxxxxxxxxx>; 'linux-kernel@xxxxxxxxxxxxxxx' <linux-kernel@xxxxxxxxxxxxxxx>;
> 'Arnd Bergmann' <arnd@xxxxxxxxxx>; 'Mikel Rychliski' <mikel@xxxxxxxxxx>; 'Thomas Gleixner'
> <tglx@xxxxxxxxxxxxx>; 'Ingo Molnar' <mingo@xxxxxxxxxx>; 'Borislav Petkov' <bp@xxxxxxxxx>; 'Dave
> Hansen' <dave.hansen@xxxxxxxxxxxxxxx>; 'H. Peter Anvin' <hpa@xxxxxxxxx>
> Subject: [PATCH v2] x86: Allow user accesses to the base of the guard page
>
> __access_ok() calls valid_user_address() with the address after
> the last byte of the user buffer.
> It is valid for a buffer to end with the last valid user address
> so valid_user_address() must allow accesses to the base of the
> guard page.
>
> Fixes: 86e6b1547b3d0 ("x86: fix user address masking non-canonical speculation issue")
> Signed-off-by: David Laight <david.laight@xxxxxxxxxx>
> ---
>
> v2: Rewritten commit message.
>
> arch/x86/kernel/cpu/common.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index 06a516f6795b..ca327cfa42ae 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -2389,12 +2389,12 @@ void __init arch_cpu_finalize_init(void)
> alternative_instructions();
>
> if (IS_ENABLED(CONFIG_X86_64)) {
> - unsigned long USER_PTR_MAX = TASK_SIZE_MAX-1;
> + unsigned long USER_PTR_MAX = TASK_SIZE_MAX;
>
> /*
> * Enable this when LAM is gated on LASS support
> if (cpu_feature_enabled(X86_FEATURE_LAM))
> - USER_PTR_MAX = (1ul << 63) - PAGE_SIZE - 1;
> + USER_PTR_MAX = (1ul << 63) - PAGE_SIZE;
> */
> runtime_const_init(ptr, USER_PTR_MAX);
>
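
Review bot: the new `USER_PTR_MAX = TASK_SIZE_MAX` initialiser carries no comment saying why the limit is the base of the guard page rather than the last valid user byte, so it reads like an off-by-one and invites a later "fix" back to `TASK_SIZE_MAX-1`. A short comment above the declaration, recording what the commit message says (__access_ok() passes the address after the last byte of the buffer to valid_user_address()), would keep the reasoning next to the code. The matching `(1ul << 63) - PAGE_SIZE` change sits inside the commented-out LAM block, so it is not compiled or exercised by this patch and needs re-checking against the same rule when that block is enabled.
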
> --
> 2.17.1

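
The boundary case from the commit message, as a user-space model added here (not kernel code and not part of the patch). It assumes 4 KiB pages and a 47-bit user address space for TASK_SIZE_MAX; the `model_` and `MODEL_`/`LIMIT_` names are hypothetical, and the wrap-around test is part of the model rather than something shown in the hunk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this model: 4 KiB pages, 47-bit user address space. */
#define MODEL_PAGE_SIZE     4096ULL
#define MODEL_TASK_SIZE_MAX ((1ULL << 47) - MODEL_PAGE_SIZE)

/* The two limits from the patch: the '-' line and the '+' line. */
#define LIMIT_BEFORE (MODEL_TASK_SIZE_MAX - 1)
#define LIMIT_AFTER  (MODEL_TASK_SIZE_MAX)

/* Model of valid_user_address(): an inclusive compare against the limit. */
static bool model_valid_user_address(uint64_t addr, uint64_t limit)
{
    return addr <= limit;
}

/*
 * Model of the range check as the commit message describes it: the value
 * compared is ptr + size, the address after the last byte of the buffer.
 * The end >= ptr test (a model assumption) rejects 64-bit wrap-around.
 */
static bool model_access_ok(uint64_t ptr, uint64_t size, uint64_t limit)
{
    uint64_t end = ptr + size;

    return model_valid_user_address(end, limit) && end >= ptr;
}

int main(void)
{
    /* Constructed case: 16-byte buffer whose last byte is the last user byte. */
    uint64_t ptr = MODEL_TASK_SIZE_MAX - 16;

    printf("ends at last user byte, old limit: %d\n",
           model_access_ok(ptr, 16, LIMIT_BEFORE));
    printf("ends at last user byte, new limit: %d\n",
           model_access_ok(ptr, 16, LIMIT_AFTER));
    /* One byte longer: the last byte would lie in the guard page. */
    printf("one byte into guard page, new limit: %d\n",
           model_access_ok(ptr, 17, LIMIT_AFTER));
    return 0;
}
```
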