CVE-2022-49214

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
26/02/2025
Last modified:
22/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/64s: Don't use DSISR for SLB faults

Since commit 46ddcb3950a2 ("powerpc/mm: Show if a bad page fault on data is read or write.") we use page_fault_is_write(regs->dsisr) in __bad_page_fault() to determine if the fault is for a read or write, and change the message printed accordingly.

But SLB faults, aka Data Segment Interrupts, don't set DSISR (Data Storage Interrupt Status Register) to a useful value. All ISA versions from v2.03 through v3.1 specify that the Data Segment Interrupt sets DSISR "to an undefined value". As far as I can see there's no mention of SLB faults setting DSISR in any BookIV content either.

This manifests as accesses that should be a read being incorrectly reported as writes, for example, using the xmon "dump" command:

  0:mon> d 0x5deadbeef0000000
  5deadbeef0000000
  [359526.415354][ C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000
  [359526.415611][ C6] Faulting instruction address: 0xc00000000010a300
  cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400]
      pc: c00000000010a300: mread+0x90/0x190

If we disassemble the PC, we see a load instruction:

  0:mon> di c00000000010a300
  c00000000010a300 89490000 lbz r10,0(r9)

We can also see in exceptions-64s.S that the data_access_slb block doesn't set IDSISR=1, which means it doesn't load DSISR into pt_regs. So the value we're using to determine if the fault is a read/write is some stale value in pt_regs from a previous page fault.

Rework the printing logic to separate the SLB fault case out, and only print read/write in the cases where we can determine it.

The result looks like eg:

  0:mon> d 0x5deadbeef0000000
  5deadbeef0000000
  [ 721.779525][ C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000
  [ 721.779697][ C6] Faulting instruction address: 0xc00000000014cbe0
  cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]

  0:mon> d 0
  0000000000000000
  [ 742.793242][ C6] BUG: Kernel NULL pointer dereference at 0x00000000
  [ 742.793316][ C6] Faulting instruction address: 0xc00000000014cbe0
  cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]
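The following is an added illustration, not code from the Linux kernel or from the commit described above. It models the bad-fault reporting logic in user-space C: the pre-fix version that trusts DSISR for every interrupt vector, beside a post-fix version that consults DSISR only for the Data Storage Interrupt and prints a direction-less message for SLB (Data Segment) faults, where the ISA leaves DSISR undefined. The vector 0x380 and the message strings come from the xmon output above; the 0x300 vector, the DSISR store bit value, PAGE_SIZE, and the struct and function names are assumptions for the example. The kernel's own helpers (page_fault_is_write, the INTERRUPT_* macros) are not reproduced.

```c
#include <stdio.h>
#include <string.h>

/* Interrupt vectors of the 64-bit Power ISA. 0x380 (Data SLB Access) is the
 * vector shown in the xmon output above; 0x300 (Data Storage) is assumed. */
#define VEC_DATA_STORAGE 0x300ULL
#define VEC_DATA_SEGMENT 0x380ULL

/* DSISR "store access" bit: assumed value for this example. Only the Data
 * Storage Interrupt defines DSISR; the Data Segment Interrupt leaves it
 * "undefined" (ISA v2.03 through v3.1). */
#define DSISR_ISSTORE 0x02000000ULL

#define PAGE_SIZE 4096ULL   /* assumed page size for the NULL-pointer check */

/* Minimal stand-in for the saved register state (pt_regs). */
struct fault_regs {
    unsigned long long trap;   /* interrupt vector that brought us here */
    unsigned long long dar;    /* Data Address Register: the faulting address */
    unsigned long long dsisr;  /* whatever was saved; may be stale for 0x380 */
};

static const char *bad_fault_msg(unsigned long long dar)
{
    return dar < PAGE_SIZE ? "Kernel NULL pointer dereference"
                           : "Unable to handle kernel data access";
}

/* Pre-fix logic: every vector is reported through DSISR, so an SLB fault
 * inherits a read/write verdict left over from an earlier page fault. */
const char *report_bad_fault_old(const struct fault_regs *r)
{
    static char buf[128];
    int is_write = (r->dsisr & DSISR_ISSTORE) != 0;

    snprintf(buf, sizeof buf, "BUG: %s on %s at 0x%08llx",
             bad_fault_msg(r->dar), is_write ? "write" : "read", r->dar);
    return buf;
}

/* Post-fix logic: decide by vector first, and only read DSISR where the
 * architecture actually sets it. */
const char *report_bad_fault_new(const struct fault_regs *r)
{
    static char buf[128];

    switch (r->trap) {
    case VEC_DATA_STORAGE: {
        int is_write = (r->dsisr & DSISR_ISSTORE) != 0;
        snprintf(buf, sizeof buf, "BUG: %s on %s at 0x%08llx",
                 bad_fault_msg(r->dar), is_write ? "write" : "read", r->dar);
        break;
    }
    case VEC_DATA_SEGMENT:
    default:
        /* DSISR carries no information here, so do not claim a direction. */
        snprintf(buf, sizeof buf, "BUG: %s at 0x%08llx",
                 bad_fault_msg(r->dar), r->dar);
        break;
    }
    return buf;
}

int main(void)
{
    /* Constructed register state: an SLB miss taken by a load (the lbz in the
     * commit message) while the saved dsisr still holds a store bit from an
     * earlier 0x300 fault. */
    struct fault_regs slb_load  = { VEC_DATA_SEGMENT, 0x5deadbeef0000000ULL, DSISR_ISSTORE };
    struct fault_regs slb_null  = { VEC_DATA_SEGMENT, 0x0ULL,                DSISR_ISSTORE };
    struct fault_regs dsi_store = { VEC_DATA_STORAGE, 0x5deadbeef0000000ULL, DSISR_ISSTORE };

    printf("old: %s\n", report_bad_fault_old(&slb_load));  /* misreports "on write" */
    printf("new: %s\n", report_bad_fault_new(&slb_load));  /* no direction printed */
    printf("new: %s\n", report_bad_fault_new(&slb_null));  /* NULL-pointer wording */
    printf("new: %s\n", report_bad_fault_new(&dsi_store)); /* a real 0x300 store fault */
    return 0;
}
```

The point of the split is that the old path's "on write" for the SLB case is not a real observation: it is whatever bit happened to survive in the saved register area. Keying the message on the interrupt vector makes the diagnostic say only what the hardware actually reported.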

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.15.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17 (including) 5.17.2 (excluding)