On Wed, 23 Jul 2025 at 09:32, Jimmy Tran <jtoantran@google.com> wrote:
> This patch series backports a critical security fix, identified as CVE-2020-12965 ("Transient Execution of Non-Canonical Accesses"), to the 6.6.y stable kernel tree.
I suspect it's fine just backporting the whole thing, but the actual fix is just the workaround for the AMD speculation issue with non-canonical addresses:
x86: fix user address masking non-canonical speculation issue
and the rest is purely "set up the infrastructure so that that can be back-ported".
A different alternative would be to just take the logic of that user address masking, which exists in two places:
arch/x86/include/asm/uaccess_64.h:

    #define mask_user_address(x) ((typeof(x))((long)(x)|((long)(x)>>63)))

arch/x86/lib/getuser.S:

    mov %rax, %rdx
    sar $63, %rdx
    or %rdx, %rax
and make that generate worse code - by *instead* of using the runtime-const infrastructure, only introduce a single new variable for that USER_PTR_MAX value, and use an actual memory load instead of the runtime constant.
I dunno. That would be a noticeably smaller and more targeted patch, but it would be different from what any mainline kernel has done, so somebody would have to test it a lot.
So I guess back-porting this all is the simpler thing (and does generate better code).
But I did want to point out that the backport results in 250+ lines of patches, and I suspect you *could* do it in a quarter of the size or less. At the cost of having to have somebody who really cares.
Linus
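An added illustration of the two masking strategies discussed above, written for this reply and not taken from the thread or from the kernel tree: the first function is the sign-extension mask quoted from uaccess_64.h, the second is the "single new variable loaded from memory" alternative Linus sketches, clamping the pointer against a USER_PTR_MAX limit. The limit value, the sample pointers and the 48-bit canonical check are constructed assumptions for this example; the kernel derives its real USER_PTR_MAX from TASK_SIZE_MAX, which is not given here. Running it shows the security-relevant difference: a non-canonical pointer with bit 47 set but bit 63 clear passes the sign mask untouched, while the clamp turns it into a canonical address.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed, constructed value for this illustration only: the top of the
 * user address range on a 48-bit-VA (4-level paging) x86-64 layout.  The
 * kernel derives its real USER_PTR_MAX from TASK_SIZE_MAX, which the
 * mail above does not state. */
#define USER_PTR_MAX_ASSUMED 0x00007fffffffffffULL

/* Variant 1: the sign-extension mask quoted in the mail.  Relies on an
 * arithmetic right shift of a negative value (what the kernel macro also
 * assumes of the compiler).
 *   bit 63 set   -> x | ~0 == all ones, which always faults
 *   bit 63 clear -> x unchanged, even if bits 47..62 make it non-canonical */
static inline uint64_t mask_user_address_sign(uint64_t x)
{
	return x | (uint64_t)((int64_t)x >> 63);
}

/* Variant 2: the "single new variable" alternative sketched in the mail:
 * load a USER_PTR_MAX limit from memory and clamp the pointer to it.
 * Anything above the limit becomes the limit itself, which is canonical,
 * so no non-canonical address reaches the access even transiently.  The
 * select is written branch-free so it does not become a predicted branch. */
static uint64_t user_ptr_max = USER_PTR_MAX_ASSUMED;

static inline uint64_t mask_user_address_clamp(uint64_t x)
{
	uint64_t limit = user_ptr_max;              /* actual memory load */
	uint64_t over  = 0 - (uint64_t)(x > limit); /* all ones iff x > limit */
	return (x & ~over) | (limit & over);        /* branch-free select */
}

/* Canonical on a 48-bit-VA machine: bits 63..47 are all equal. */
static inline int is_canonical48(uint64_t x)
{
	int64_t top = (int64_t)x >> 47;
	return top == 0 || top == -1;
}

/* Stand-alone demo over three constructed pointers: an ordinary user
 * pointer, a kernel pointer (bit 63 set) and a non-canonical pointer
 * (bit 47 set, bit 63 clear). */
int main(void)
{
	const uint64_t samples[] = {
		0x00007fff12345678ULL,  /* ordinary user pointer */
		0xffff888000000000ULL,  /* kernel pointer, bit 63 set */
		0x0000800000000000ULL,  /* non-canonical: bit 47 set, bit 63 clear */
	};
	for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		uint64_t x = samples[i];
		uint64_t s = mask_user_address_sign(x);
		uint64_t c = mask_user_address_clamp(x);
		printf("%016llx  sign-mask -> %016llx (%s)  clamp -> %016llx (%s)\n",
		       (unsigned long long)x,
		       (unsigned long long)s, is_canonical48(s) ? "canonical" : "NON-CANONICAL",
		       (unsigned long long)c, is_canonical48(c) ? "canonical" : "NON-CANONICAL");
	}
	return 0;
}
```

The point the output makes is the one behind the mainline fix: the sign mask only protects against bit 63, so a non-canonical address with bit 63 clear survives it, whereas comparing against an explicit user-space limit (whether loaded from a variable, as sketched above, or patched in via runtime-const, as mainline does) never lets a non-canonical value reach the access.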