Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: ftrace: Fixup panic by disabling preemption

In RISCV, we must use an AUIPC + JALR pair to encode an immediate, forming a jump that jumps to an address over 4K. This may cause errors if we want to enable kernel preemption and remove dependency from patching code with stop_machine(). For example, if a task was switched out on auipc. And, if we changed the ftrace function before it was switched back, then it would jump to an address that has updated 11:0 bits mixing with previous XLEN:12 part.

    p: patched area performed by dynamic ftrace
    ftrace_prologue:
    p|      REG_S   ra, -SZREG(sp)
    p|      auipc   ra, 0x? ------------> preempted
                        ...
                change ftrace function
                        ...
    p|      jalr    -?(ra) <------------- switched back
    p|      REG_L   ra, -SZREG(sp)
    func:
            xxx
            ret
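The arithmetic behind the mixed address described above, as an added example that is not part of the CVE record or the kernel source. The addresses are constructed and the helper names (`encode_far_jump`, `torn_jump` and the others) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Immediates of an AUIPC + JALR pair that reaches `target` from `pc`. */
struct far_jump { int32_t hi20; int32_t lo12; };

static struct far_jump encode_far_jump(uint64_t pc, uint64_t target)
{
    int64_t off = (int64_t)(target - pc);
    struct far_jump j;
    j.lo12 = (int32_t)(off & 0xfff);
    if (j.lo12 >= 0x800)            /* JALR sign-extends its 12-bit immediate */
        j.lo12 -= 0x1000;
    j.hi20 = (int32_t)((off - j.lo12) / 4096);  /* exact: low 12 bits are zero */
    return j;
}

/* auipc ra, hi20  ->  ra = pc + (hi20 << 12) */
static uint64_t exec_auipc(uint64_t pc, int32_t hi20)
{
    return pc + (uint64_t)((int64_t)hi20 * 4096);
}

/* jalr lo12(ra)  ->  jump to ra + sext(lo12), bit 0 cleared */
static uint64_t exec_jalr(uint64_t ra, int32_t lo12)
{
    return (ra + (uint64_t)(int64_t)lo12) & ~(uint64_t)1;
}

/* Both instructions belong to the same encoding: lands on `target`. */
static uint64_t consistent_jump(uint64_t pc, uint64_t target)
{
    struct far_jump j = encode_far_jump(pc, target);
    return exec_jalr(exec_auipc(pc, j.hi20), j.lo12);
}

/* auipc runs with the old encoding, the task is preempted, the call site is
 * repatched, and jalr runs with the new encoding after the switch back. */
static uint64_t torn_jump(uint64_t pc, uint64_t old_target, uint64_t new_target)
{
    uint64_t ra = exec_auipc(pc, encode_far_jump(pc, old_target).hi20);
    return exec_jalr(ra, encode_far_jump(pc, new_target).lo12);
}

int main(void)
{
    /* Constructed addresses, not taken from any real kernel image. */
    uint64_t pc = 0x80200000, old_fn = 0x80345678, new_fn = 0x80789abc;
    printf("torn target: 0x%llx\n", (unsigned long long)torn_jump(pc, old_fn, new_fn));
    return 0;
}
```

The torn jump lands on neither the old nor the new ftrace function: its upper bits come from the old target and its low 12 bits from the new one.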

PUBLISHED Reserved 2025-10-22 | Published 2025-10-22 | Updated 2025-10-22 | Assigner Linux

Product status

Default status
unaffected

afc76b8b80112189b6f11e67e19cf58301944814 (git) before 84cfcf240f4a577733b1d98fcd2611a611612b03
affected

afc76b8b80112189b6f11e67e19cf58301944814 (git) before 20a7510e781084364691b4962de31de758194cc9
affected

afc76b8b80112189b6f11e67e19cf58301944814 (git) before 8547649981e6631328cd64f583667501ae385531
affected

Default status
affected

5.12
affected

Any version before 5.12
unaffected

6.1.23 (semver)
unaffected

6.2.3 (semver)
unaffected

6.3 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/84cfcf240f4a577733b1d98fcd2611a611612b03

git.kernel.org/...c/20a7510e781084364691b4962de31de758194cc9

git.kernel.org/...c/8547649981e6631328cd64f583667501ae385531

cve.org (CVE-2023-53694)

nvd.nist.gov (CVE-2023-53694)
