Currently, vsyscall emulation is rejected for write faults and
kernel-privilege faults. Other page fault error codes such as X86_PF_PK
and X86_PF_SHSTK are unlikely to be set in the vsyscall context.

However, it is good to explicitly reject them from a defensive point of
view. So, avoid vsyscall emulation if X86_PF_PK or X86_PF_SHSTK is set.

Note, X86_PF_RSVD is already handled in do_user_addr_fault() before
vsyscall emulation is attempted.

Suggested-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Signed-off-by: Sohil Mehta <sohil.mehta@intel.com>
---
 arch/x86/entry/vsyscall/vsyscall_64.c | 5 +++--
 arch/x86/mm/fault.c                   | 3 ---
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
index b1f8f8a57b02..bf0ae314a0fb 100644
--- a/arch/x86/entry/vsyscall/vsyscall_64.c
+++ b/arch/x86/entry/vsyscall/vsyscall_64.c
@@ -257,8 +257,9 @@ static bool __emulate_vsyscall(struct pt_regs *regs, unsigned long address)
 bool emulate_vsyscall_pf(unsigned long error_code, struct pt_regs *regs,
 			 unsigned long address)
 {
-	/* Write faults or kernel-privilege faults never get fixed up. */
-	if ((error_code & (X86_PF_WRITE | X86_PF_USER)) != X86_PF_USER)
+	/* Only simple user read faults get fixed up (no write, PK or shadow stack). */
+	if ((error_code & (X86_PF_WRITE | X86_PF_PK | X86_PF_SHSTK | X86_PF_USER)) !=
+	    X86_PF_USER)
 		return false;
 
 	/*
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index f0e77e084482..004b242ebbf8 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1309,9 +1309,6 @@ void do_user_addr_fault(struct pt_regs *regs,
 	 *
 	 * The vsyscall page does not have a "real" VMA, so do this
 	 * emulation before we go searching for VMAs.
-	 *
-	 * PKRU never rejects instruction fetches, so we don't need
-	 * to consider the PF_PK bit.
 	 */
 	if (is_vsyscall_vaddr(address)) {
 		if (emulate_vsyscall_pf(error_code, regs, address))
-- 
2.43.0