CVE-2021-47350

In the Linux kernel, the following vulnerability has been resolved:
powerpc/mm: Fix lockup on kernel exec fault The powerpc kernel is not
prepared to handle exec faults from kernel. Especially, the function
is_exec_fault() will return ‘false’ when an exec fault is taken by kernel,
because the check is based on reading current->thread.regs->trap which
contains the trap from user. For instance, when provoking a LKDTM
EXEC_USERSPACE test, current->thread.regs->trap is set to SYSCALL trap
(0xc00), and the fault taken by the kernel is not seen as an exec fault by
set_access_flags_filter(). Commit d7df2443cd5f (“powerpc/mm: Fix spurious
segfaults on radix with autonuma”) made it clear and handled it properly.
But later on commit d3ca587404b3 (“powerpc/mm: Fix reporting of kernel
execute faults”) removed that handling, introducing test based on
error_code. And here is the problem, because on the 603 all upper bits of
SRR1 get cleared when the TLB instruction miss handler bails out to ISI.
Until commit cbd7e6ca0210 (“powerpc/fault: Avoid heavy
search_exception_tables() verification”), an exec fault from kernel at a
userspace address was indirectly caught by the lack of entry for that
address in the exception tables. But after that commit the kernel mainly
relies on KUAP or on core mm handling to catch wrong user accesses. Here
the access is not wrong, so mm handles it. It is a minor fault because
PAGE_EXEC is not set, set_access_flags_filter() should set PAGE_EXEC and
voila. But as is_exec_fault() returns false as explained in the beginning,
set_access_flags_filter() bails out without setting PAGE_EXEC flag, which
leads to a forever minor exec fault. As the kernel is not prepared to
handle such exec faults, the thing to do is to fire in bad_kernel_fault()
for any exec fault taken by the kernel, as it was prior to commit
d3ca587404b3.