[amd64] Don't WARN about expected W+X pages on Xen (see #852324)

2017-03-16 03:13:13 +00:00 · 2017-03-16 03:13:13 +00:00 · 4c22453363
parent 8851d0b7ac
commit 4c22453363
3 changed files with 36 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -147,6 +147,7 @@ linux (4.9.14-1) UNRELEASED; urgency=medium
  * Ignore ABI changes in rds and ufshcd, not useful to OOT modules
  * ucount: Remove the atomicity from ucount->count (CVE-2017-6874)
  * userns: Avoid ABI change for CVE-2017-6874 fix
+  * [amd64] Don't WARN about expected W+X pages on Xen (see #852324)

  [ Salvatore Bonaccorso ]
  * ACPI / EC: Use busy polling mode when GPE is not enabled.
--- a/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch
+++ b/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch
@ -0,0 +1,32 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 16 Mar 2017 03:05:43 +0000
+Subject: [amd64] Don't WARN about expected W+X pages on Xen
+Bug-Debian: https://bugs.debian.org/852324
+Forwarded: not-needed
+
+Currently Xen PV domains (or at least dom0) on amd64 tend to have a
+large number of low kernel pages with W+X permissions.  It's not
+obvious how to fix this, and we're not going to get any new
+information by WARNing about this, but we do still want to hear about
+other W+X cases.  So add a condition to the WARN_ON.
+
+---
+--- a/arch/x86/mm/dump_pagetables.c
+++ b/arch/x86/mm/dump_pagetables.c
+@@ -17,6 +17,7 @@
+ #include <linux/init.h>
+ #include <linux/sched.h>
+ #include <linux/seq_file.h>
+#include <xen/xen.h>
+ 
+ #include <asm/pgtable.h>
+ 
+@@ -220,7 +221,7 @@ static void note_page(struct seq_file *m
+ 		pgprotval_t pr = pgprot_val(st->current_prot);
+ 
+ 		if (st->check_wx && (pr & _PAGE_RW) && !(pr & _PAGE_NX)) {
+-			WARN_ONCE(1,
+			WARN_ONCE(!(IS_ENABLED(CONFIG_X86_64) && xen_pv_domain()),
+ 				  "x86/mm: Found insecure W+X mapping at address %p/%pS\n",
+ 				  (void *)st->start_address,
+ 				  (void *)st->start_address);
--- a/debian/patches/series
+++ b/debian/patches/series
@ -46,6 +46,9 @@ bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
 # Taint if dangerous features are used
 debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch

+# Reduce noise for bug #852324
+debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch
+
 # Arch bug fixes
 bugfix/x86/asoc-intel-select-dw_dmac_core-since-it-s-mandatory.patch
 bugfix/x86/platform-x86-acer-wmi-setup-accelerometer-when-machi.patch