Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux

Merge tag 'x86-urgent-2026-04-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Ingo Molnar:

- Prevent deadlock during shstk sigreturn (Rick Edgecombe)

- Disable FRED when PTI is forced on (Dave Hansen)

- Revert a CPA INVLPGB optimization that did not properly handle
discontiguous virtual addresses (Dave Hansen)

* tag 'x86-urgent-2026-04-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/mm: Revert INVLPGB optimization for set_memory code
x86/cpu: Disable FRED when PTI is forced on
x86/shstk: Prevent deadlock during shstk sigreturn

+42 -26
+1
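--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1885,6 +1885,7 @@
 bool "X86 userspace shadow stack"
 depends on AS_WRUSS
 depends on X86_64
+depends on PER_VMA_LOCK
 select ARCH_USES_HIGH_VMA_FLAGS
 select ARCH_HAS_USER_SHADOW_STACK
 select X86_CET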
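Review bot: The added `depends on PER_VMA_LOCK` line carries no explanation, and it makes userspace shadow stack silently unavailable on any configuration where PER_VMA_LOCK cannot be enabled. Judging from the shstk.c change in the same merge, the dependency presumably exists because shstk_pop_sigframe() now uses the mmap_lock speculation helpers; a comment above the line such as `# shstk sigreturn relies on mmap_lock_speculate_*()` would record that. Because this is a hardening feature, it is worth confirming that no supported x86_64 configuration loses it unintentionally. The config entry itself starts outside the hunk.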
+23 -19
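--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -326,10 +326,8 @@
 
 static int shstk_pop_sigframe(unsigned long *ssp)
 {
-struct vm_area_struct *vma;
 unsigned long token_addr;
-bool need_to_check_vma;
-int err = 1;
+unsigned int seq;
 
 /*
 * It is possible for the SSP to be off the end of a shadow stack by 4
@@ -340,25 +338,35 @@
 if (!IS_ALIGNED(*ssp, 8))
 return -EINVAL;
 
-need_to_check_vma = PAGE_ALIGN(*ssp) == *ssp;
+do {
+struct vm_area_struct *vma;
+bool valid_vma;
+int err;
 
-if (need_to_check_vma)
 if (mmap_read_lock_killable(current->mm))
 return -EINTR;
 
-err = get_shstk_data(&token_addr, (unsigned long __user *)*ssp);
-if (unlikely(err))
-goto out_err;
-
-if (need_to_check_vma) {
 vma = find_vma(current->mm, *ssp);
-if (!vma || !(vma->vm_flags & VM_SHADOW_STACK)) {
-err = -EFAULT;
-goto out_err;
-}
+valid_vma = vma && (vma->vm_flags & VM_SHADOW_STACK);
 
+/*
+* VMAs can change between get_shstk_data() and find_vma().
+* Watch for changes and ensure that 'token_addr' comes from
+* 'vma' by recording a seqcount.
+*
+* Ignore the return value of mmap_lock_speculate_try_begin()
+* because the mmap lock excludes the possibility of writers.
+*/
+mmap_lock_speculate_try_begin(current->mm, &seq);
 mmap_read_unlock(current->mm);
-}
+
+if (!valid_vma)
+return -EINVAL;
+
+err = get_shstk_data(&token_addr, (unsigned long __user *)*ssp);
+if (err)
+return err;
+} while (mmap_lock_speculate_retry(current->mm, seq));
 
 /* Restore SSP aligned? */
 if (unlikely(!IS_ALIGNED(token_addr, 8)))
@@ -371,10 +379,6 @@
 *ssp = token_addr;
 
 return 0;
-out_err:
-if (need_to_check_vma)
-mmap_read_unlock(current->mm);
-return err;
 }
 
 int setup_signal_shadow_stack(struct ksignal *ksig)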
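Review bot: `find_vma()` in the new retry loop returns the first VMA that ends above `*ssp`, not necessarily one that contains it, so `valid_vma` can be true for an address in a hole below a shadow stack mapping, and rejection then depends on get_shstk_data() faulting. `vma = vma_lookup(current->mm, *ssp);` would make the check state exactly what the new comment promises, that 'token_addr' comes from 'vma'. The failure code for a non-shadow-stack VMA also changes from -EFAULT to -EINVAL in this loop; if that is intended, a short comment would help, and callers outside this section should be checked for reliance on the old value. Parts of shstk_pop_sigframe() are elided between the hunks, so this is based only on the visible lines.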
+13 -7
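--- a/arch/x86/mm/pat/set_memory.c
+++ b/arch/x86/mm/pat/set_memory.c
@@ -399,6 +399,15 @@
 on_each_cpu(__cpa_flush_all, (void *) cache, 1);
 }
 
+static void __cpa_flush_tlb(void *data)
+{
+struct cpa_data *cpa = data;
+unsigned int i;
+
+for (i = 0; i < cpa->numpages; i++)
+flush_tlb_one_kernel(fix_addr(__cpa_addr(cpa, i)));
+}
+
 static int collapse_large_pages(unsigned long addr, struct list_head *pgtables);
 
 static void cpa_collapse_large_pages(struct cpa_data *cpa)
@@ -435,7 +444,6 @@
 
 static void cpa_flush(struct cpa_data *cpa, int cache)
 {
-unsigned long start, end;
 unsigned int i;
 
 BUG_ON(irqs_disabled() && !early_boot_irqs_disabled);
@@ -445,12 +453,10 @@
 goto collapse_large_pages;
 }
 
-start = fix_addr(__cpa_addr(cpa, 0));
-end = start + cpa->numpages * PAGE_SIZE;
-if (cpa->force_flush_all)
-end = TLB_FLUSH_ALL;
-
-flush_tlb_kernel_range(start, end);
+if (cpa->force_flush_all || cpa->numpages > tlb_single_page_flush_ceiling)
+flush_tlb_all();
+else
+on_each_cpu(__cpa_flush_tlb, cpa, 1);
 
 if (!cache)
 goto collapse_large_pages;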
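Review bot: `__cpa_flush_tlb()` is added without a comment saying why the flush must walk the pages one by one, which is the reason for the revert. Per the merge description, the range-based flush mishandled discontiguous virtual addresses, so a comment above the function such as `/* Pages in a cpa_data may be discontiguous: flush each address, never a start..end range. */` would help keep the range optimization from being reintroduced. A stale kernel TLB entry after a permission change leaves the old access rights usable, so this invariant deserves to be written down. cpa_flush() is only partly visible in this section.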
+5
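--- a/arch/x86/mm/pti.c
+++ b/arch/x86/mm/pti.c
@@ -105,6 +105,11 @@
 pr_debug("PTI enabled, disabling INVLPGB\n");
 setup_clear_cpu_cap(X86_FEATURE_INVLPGB);
 }
+
+if (cpu_feature_enabled(X86_FEATURE_FRED)) {
+pr_debug("PTI enabled, disabling FRED\n");
+setup_clear_cpu_cap(X86_FEATURE_FRED);
+}
 }
 
 static int __init pti_parse_cmdline(char *arg)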
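Review bot: The new block clears X86_FEATURE_FRED without saying why FRED cannot be used once PTI is forced on, and it reports the change only through `pr_debug()`, which is usually silent. A one-line comment stating the incompatibility and, if the maintainers agree, `pr_info("PTI enabled, disabling FRED\n");` would let an administrator see in the boot log that a CPU feature was turned off by the PTI setting. The INVLPGB block directly above uses the same quiet pattern, so both could be handled together. The enclosing function starts outside the hunk.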