In the "Fast Short REP MOVSB" path of memmove, if we take the path where the FSRM flag is enabled but the ERMS flag is not, there is no longer a check for length >= 0x20 (both alternatives will be replaced with NOPs). If a memmove() requiring a forward copy of less than 0x20 bytes happens in this case, the `sub $0x20, %rdx` will cause the length to roll around to a huge value and the copy will eventually hit a page fault.
This is not intended to happen, as the comment above the alternatives mentions "FSRM implies ERMS".
However, there is a check in early_init_intel() that can disable ERMS, so we should also be disabling FSRM in this path to maintain correctness of the memmove() optimization.
Cc: stable@vger.kernel.org
Fixes: f444a5ff95dc ("x86/cpufeatures: Add support for fast short REP; MOVSB")
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
---
 arch/x86/kernel/cpu/intel.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c index 2d7ea5480ec3..71b412f820c7 100644 --- a/arch/x86/kernel/cpu/intel.c +++ b/arch/x86/kernel/cpu/intel.c @@ -328,6 +328,7 @@ static void early_init_intel(struct cpuinfo_x86 *c) pr_info("Disabled fast string operations\n"); setup_clear_cpu_cap(X86_FEATURE_REP_GOOD); setup_clear_cpu_cap(X86_FEATURE_ERMS); + setup_clear_cpu_cap(X86_FEATURE_FSRM); } }
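Review bot: the added `setup_clear_cpu_cap(X86_FEATURE_FSRM);` restores the "FSRM implies ERMS" invariant only at this one disable site, while the memmove alternatives still rely on that invariant implicitly; consider adding a short comment beside the existing `setup_clear_cpu_cap(X86_FEATURE_ERMS);` stating that FSRM must be cleared whenever ERMS is, so that any future site clearing ERMS does the same, and consider whether the "Disabled fast string operations" pr_info in this block should also name FSRM so the log reflects the full set of features being turned off.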