On Wed, 23 Jul 2025 16:32:03 +0000 Jimmy Tran <jtoantran@google.com> wrote:
> This patch series backports a critical security fix, identified as CVE-2020-12965 ("Transient Execution of Non-Canonical Accesses"), to the 6.6.y stable kernel tree.
You probably want to pick up the 'cmov' variant of:
+static inline void __user *mask_user_address(const void __user *ptr) +{ + unsigned long mask; + + asm("cmp %1,%0\n\t" + "sbb %0,%0" + : "=r" (mask) + : "r" (ptr), + "0" (runtime_const_ptr(USER_PTR_MAX))); + return (__force void __user *)(mask | (__force unsigned long)ptr); +}
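Review bot: the asm in mask_user_address() has no comment saying what the cmp/sbb pair leaves in mask, and the contract is easy to misread from the constraints alone. As written, mask starts as USER_PTR_MAX through the "0" constraint, cmp sets carry when ptr is above it, and sbb turns that into zero or all ones, so the final OR returns ~0 for any out-of-range pointer. This is the sbb/or form, with no cmov instruction in it; a short comment above the asm stating the resulting value for in-range and out-of-range pointers would make clear which form a backport is carrying.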
Converting kernel addresses to USER_PTR_MAX instead of ~0 means that it isn't critical that the base address is accessed first. (I'm not sure that x86 completely disables mapping to user address zero.)
That is more problematic for 32-bit (address masking wasn't enabled last time I looked) because not all supported CPUs support cmov.
David
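An added example, not code from this thread or from the kernel tree: a user-space C model of the two masking forms discussed in the reply above, the cmp/sbb/or form that turns out-of-range pointers into ~0 and a clamp to the limit, as the 'cmov' variant is described there. The function names are hypothetical and SAMPLE_USER_PTR_MAX and SAMPLE_KERNEL_ADDR are constructed values; portable C cannot guarantee branch-free code, which is why the kernel does this in inline asm.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample limit; the kernel uses the runtime constant USER_PTR_MAX. */
#define SAMPLE_USER_PTR_MAX 0x00007fffffffefffULL
/* Constructed kernel-half address passed where a user pointer is expected. */
#define SAMPLE_KERNEL_ADDR  0xffff888000001000ULL

/* Hypothetical model of "cmp; sbb" followed by OR: out-of-range becomes ~0. */
static uint64_t mask_sbb_model(uint64_t ptr, uint64_t max)
{
    uint64_t mask = 0 - (uint64_t)(ptr > max);   /* 0 or all ones */
    return ptr | mask;
}

/* Hypothetical model of the clamp form: out-of-range becomes max itself. */
static uint64_t mask_clamp_model(uint64_t ptr, uint64_t max)
{
    uint64_t mask = 0 - (uint64_t)(ptr > max);   /* 0 or all ones */
    return (ptr & ~mask) | (max & mask);
}

/* Address of a field at byte offset off from an already masked base. */
static uint64_t field_addr(uint64_t masked_base, uint64_t off)
{
    return masked_base + off;   /* unsigned wrap-around is well defined */
}

int main(void)
{
    uint64_t max = SAMPLE_USER_PTR_MAX;
    uint64_t a = mask_sbb_model(SAMPLE_KERNEL_ADDR, max);
    uint64_t b = mask_clamp_model(SAMPLE_KERNEL_ADDR, max);

    /* With ~0 as the base, a field at offset 8 wraps to a low user address,
     * so that form relies on the base itself being accessed first. */
    printf("sbb/or: base=%#llx field+8=%#llx\n",
           (unsigned long long)a, (unsigned long long)field_addr(a, 8));
    /* With the clamp, base + 8 stays above the limit, outside user space. */
    printf("clamp:  base=%#llx field+8=%#llx\n",
           (unsigned long long)b, (unsigned long long)field_addr(b, 8));
    return 0;
}
```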
commit 573f45a9f9a47fed4c7957609689b772121b33d7 upstream.
David Laight (1):
  x86: fix off-by-one in access_ok()

Linus Torvalds (5):
  vfs: dcache: move hashlen_hash() from callers into d_hash()
  runtime constants: add default dummy infrastructure
  runtime constants: add x86 architecture support
  arm64: add 'runtime constant' support
  x86: fix user address masking non-canonical speculation issue

 arch/arm64/include/asm/runtime-const.h | 92 ++++++++++++++++++++++++++
 arch/arm64/kernel/vmlinux.lds.S        |  3 +
 arch/x86/include/asm/runtime-const.h   | 61 +++++++++++++++++
 arch/x86/include/asm/uaccess_64.h      | 45 ++++++++-----
 arch/x86/kernel/cpu/common.c           | 10 +++
 arch/x86/kernel/vmlinux.lds.S          |  4 ++
 arch/x86/lib/getuser.S                 |  9 ++-
 fs/dcache.c                            | 17 +++--
 include/asm-generic/Kbuild             |  1 +
 include/asm-generic/runtime-const.h    | 15 +++++
 include/asm-generic/vmlinux.lds.h      |  8 +++
 11 files changed, 243 insertions(+), 22 deletions(-)
 create mode 100644 arch/arm64/include/asm/runtime-const.h
 create mode 100644 arch/x86/include/asm/runtime-const.h
 create mode 100644 include/asm-generic/runtime-const.h
-- 2.50.0.727.gbf7dc18ff4-goog