Home Explore Help
Register Sign In
Apq
/
pve-edge-kernel
mirror of https://github.com/fabianishere/pve-edge-kernel.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 321d628a98
Branches Tags
pve-edge-kernel
/
patches
/
kernel
/
0203-x86-events-intel-ds-Map-debug-buffers-in-cpu_entry_a.patch

0203-x86-events-intel-ds-Map-debug-buffers-in-cpu_entry_a.patch 8.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281 
  1. From 68338a3b7267b4fc346630b2d82a3599b5fbf54e Mon Sep 17 00:00:00 2001
    2. 

  2. From: Hugh Dickins <[email protected]>
    3. 

  3. Date: Mon, 4 Dec 2017 15:07:50 +0100
    4. 

  4. Subject: [PATCH 203/231] x86/events/intel/ds: Map debug buffers in
    5. 

  5.  cpu_entry_area
    6. 

  6. MIME-Version: 1.0
    7. 

  7. Content-Type: text/plain; charset=UTF-8
    8. 

  8. Content-Transfer-Encoding: 8bit
    9. 

  9. 

  10. CVE-2017-5754
    11. 

  11. 

  12. The BTS and PEBS buffers both have their virtual addresses programmed into
    13. 

  13. the hardware.  This means that any access to them is performed via the page
    14. 

  14. tables.  The times that the hardware accesses these are entirely dependent
    15. 

  15. on how the performance monitoring hardware events are set up.  In other
    16. 

  16. words, there is no way for the kernel to tell when the hardware might
    17. 

  17. access these buffers.
    18. 

  18. 

  19. To avoid perf crashes, place 'debug_store' allocate pages and map them into
    20. 

  20. the cpu_entry_area.
    21. 

  21. 

  22. The PEBS fixup buffer does not need this treatment.
    23. 

  23. 

  24. [ tglx: Got rid of the kaiser_add_mapping() complication ]
    25. 

  25. 

  26. Signed-off-by: Hugh Dickins <[email protected]>
    27. 

  27. Signed-off-by: Dave Hansen <[email protected]>
    28. 

  28. Signed-off-by: Thomas Gleixner <[email protected]>
    29. 

  29. Cc: Andy Lutomirski <[email protected]>
    30. 

  30. Cc: Boris Ostrovsky <[email protected]>
    31. 

  31. Cc: Borislav Petkov <[email protected]>
    32. 

  32. Cc: Brian Gerst <[email protected]>
    33. 

  33. Cc: David Laight <[email protected]>
    34. 

  34. Cc: Denys Vlasenko <[email protected]>
    35. 

  35. Cc: Eduardo Valentin <[email protected]>
    36. 

  36. Cc: Greg KH <[email protected]>
    37. 

  37. Cc: H. Peter Anvin <[email protected]>
    38. 

  38. Cc: Josh Poimboeuf <[email protected]>
    39. 

  39. Cc: Juergen Gross <[email protected]>
    40. 

  40. Cc: Linus Torvalds <[email protected]>
    41. 

  41. Cc: Peter Zijlstra <[email protected]>
    42. 

  42. Cc: Will Deacon <[email protected]>
    43. 

  43. Cc: [email protected]
    44. 

  44. Cc: [email protected]
    45. 

  45. Cc: [email protected]
    46. 

  46. Signed-off-by: Ingo Molnar <[email protected]>
    47. 

  47. (cherry picked from commit c1961a4631daef4aeabee8e368b1b13e8f173c91)
    48. 

  48. Signed-off-by: Andy Whitcroft <[email protected]>
    49. 

  49. Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
    50. 

  50. (cherry picked from commit 569dedbb62e16e3268f006dcf745b8d27690ef91)
    51. 

  51. Signed-off-by: Fabian Grünbichler <[email protected]>
    52. 

  52. ---
    53. 

  53.  arch/x86/events/perf_event.h |   2 +
    54. 

  54.  arch/x86/events/intel/ds.c   | 125 +++++++++++++++++++++++++++----------------
    55. 

  55.  2 files changed, 82 insertions(+), 45 deletions(-)
    56. 

  56. 

  57. diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h
    58. 

  58. index 308bc14f58af..eb0876475f18 100644
    59. 

  59. --- a/arch/x86/events/perf_event.h
    60. 

  60. +++ b/arch/x86/events/perf_event.h
    61. 

  61. @@ -199,6 +199,8 @@ struct cpu_hw_events {
    62. 

  62.  	 * Intel DebugStore bits
    63. 

  63.  	 */
    64. 

  64.  	struct debug_store	*ds;
    65. 

  65. +	void			*ds_pebs_vaddr;
    66. 

  66. +	void			*ds_bts_vaddr;
    67. 

  67.  	u64			pebs_enabled;
    68. 

  68.  	int			n_pebs;
    69. 

  69.  	int			n_large_pebs;
    70. 

  70. diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c
    71. 

  71. index 21a4ed789ec0..85df1f12c49e 100644
    72. 

  72. --- a/arch/x86/events/intel/ds.c
    73. 

  73. +++ b/arch/x86/events/intel/ds.c
    74. 

  74. @@ -2,6 +2,7 @@
    75. 

  75.  #include <linux/types.h>
    76. 

  76.  #include <linux/slab.h>
    77. 

  77.  
    78. 

  78. +#include <asm/cpu_entry_area.h>
    79. 

  79.  #include <asm/perf_event.h>
    80. 

  80.  #include <asm/insn.h>
    81. 

  81.  
    82. 

  82. @@ -279,17 +280,52 @@ void fini_debug_store_on_cpu(int cpu)
    83. 

  83.  
    84. 

  84.  static DEFINE_PER_CPU(void *, insn_buffer);
    85. 

  85.  
    86. 

  86. -static int alloc_pebs_buffer(int cpu)
    87. 

  87. +static void ds_update_cea(void *cea, void *addr, size_t size, pgprot_t prot)
    88. 

  88.  {
    89. 

  89. -	struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
    90. 

  90. +	phys_addr_t pa;
    91. 

  91. +	size_t msz = 0;
    92. 

  92. +
    93. 

  93. +	pa = virt_to_phys(addr);
    94. 

  94. +	for (; msz < size; msz += PAGE_SIZE, pa += PAGE_SIZE, cea += PAGE_SIZE)
    95. 

  95. +		cea_set_pte(cea, pa, prot);
    96. 

  96. +}
    97. 

  97. +
    98. 

  98. +static void ds_clear_cea(void *cea, size_t size)
    99. 

  99. +{
    100. 

  100. +	size_t msz = 0;
    101. 

  101. +
    102. 

  102. +	for (; msz < size; msz += PAGE_SIZE, cea += PAGE_SIZE)
    103. 

  103. +		cea_set_pte(cea, 0, PAGE_NONE);
    104. 

  104. +}
    105. 

  105. +
    106. 

  106. +static void *dsalloc_pages(size_t size, gfp_t flags, int cpu)
    107. 

  107. +{
    108. 

  108. +	unsigned int order = get_order(size);
    109. 

  109.  	int node = cpu_to_node(cpu);
    110. 

  110. -	int max;
    111. 

  111. -	void *buffer, *ibuffer;
    112. 

  112. +	struct page *page;
    113. 

  113. +
    114. 

  114. +	page = __alloc_pages_node(node, flags | __GFP_ZERO, order);
    115. 

  115. +	return page ? page_address(page) : NULL;
    116. 

  116. +}
    117. 

  117. +
    118. 

  118. +static void dsfree_pages(const void *buffer, size_t size)
    119. 

  119. +{
    120. 

  120. +	if (buffer)
    121. 

  121. +		free_pages((unsigned long)buffer, get_order(size));
    122. 

  122. +}
    123. 

  123. +
    124. 

  124. +static int alloc_pebs_buffer(int cpu)
    125. 

  125. +{
    126. 

  126. +	struct cpu_hw_events *hwev = per_cpu_ptr(&cpu_hw_events, cpu);
    127. 

  127. +	struct debug_store *ds = hwev->ds;
    128. 

  128. +	size_t bsiz = x86_pmu.pebs_buffer_size;
    129. 

  129. +	int max, node = cpu_to_node(cpu);
    130. 

  130. +	void *buffer, *ibuffer, *cea;
    131. 

  131.  
    132. 

  132.  	if (!x86_pmu.pebs)
    133. 

  133.  		return 0;
    134. 

  134.  
    135. 

  135. -	buffer = kzalloc_node(x86_pmu.pebs_buffer_size, GFP_KERNEL, node);
    136. 

  136. +	buffer = dsalloc_pages(bsiz, GFP_KERNEL, cpu);
    137. 

  137.  	if (unlikely(!buffer))
    138. 

  138.  		return -ENOMEM;
    139. 

  139.  
    140. 

  140. @@ -300,25 +336,27 @@ static int alloc_pebs_buffer(int cpu)
    141. 

  141.  	if (x86_pmu.intel_cap.pebs_format < 2) {
    142. 

  142.  		ibuffer = kzalloc_node(PEBS_FIXUP_SIZE, GFP_KERNEL, node);
    143. 

  143.  		if (!ibuffer) {
    144. 

  144. -			kfree(buffer);
    145. 

  145. +			dsfree_pages(buffer, bsiz);
    146. 

  146.  			return -ENOMEM;
    147. 

  147.  		}
    148. 

  148.  		per_cpu(insn_buffer, cpu) = ibuffer;
    149. 

  149.  	}
    150. 

  150. -
    151. 

  151. -	max = x86_pmu.pebs_buffer_size / x86_pmu.pebs_record_size;
    152. 

  152. -
    153. 

  153. -	ds->pebs_buffer_base = (u64)(unsigned long)buffer;
    154. 

  154. +	hwev->ds_pebs_vaddr = buffer;
    155. 

  155. +	/* Update the cpu entry area mapping */
    156. 

  156. +	cea = &get_cpu_entry_area(cpu)->cpu_debug_buffers.pebs_buffer;
    157. 

  157. +	ds->pebs_buffer_base = (unsigned long) cea;
    158. 

  158. +	ds_update_cea(cea, buffer, bsiz, PAGE_KERNEL);
    159. 

  159.  	ds->pebs_index = ds->pebs_buffer_base;
    160. 

  160. -	ds->pebs_absolute_maximum = ds->pebs_buffer_base +
    161. 

  161. -		max * x86_pmu.pebs_record_size;
    162. 

  162. -
    163. 

  163. +	max = x86_pmu.pebs_record_size * (bsiz / x86_pmu.pebs_record_size);
    164. 

  164. +	ds->pebs_absolute_maximum = ds->pebs_buffer_base + max;
    165. 

  165.  	return 0;
    166. 

  166.  }
    167. 

  167.  
    168. 

  168.  static void release_pebs_buffer(int cpu)
    169. 

  169.  {
    170. 

  170. -	struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
    171. 

  171. +	struct cpu_hw_events *hwev = per_cpu_ptr(&cpu_hw_events, cpu);
    172. 

  172. +	struct debug_store *ds = hwev->ds;
    173. 

  173. +	void *cea;
    174. 

  174.  
    175. 

  175.  	if (!ds || !x86_pmu.pebs)
    176. 

  176.  		return;
    177. 

  177. @@ -326,73 +364,70 @@ static void release_pebs_buffer(int cpu)
    178. 

  178.  	kfree(per_cpu(insn_buffer, cpu));
    179. 

  179.  	per_cpu(insn_buffer, cpu) = NULL;
    180. 

  180.  
    181. 

  181. -	kfree((void *)(unsigned long)ds->pebs_buffer_base);
    182. 

  182. +	/* Clear the fixmap */
    183. 

  183. +	cea = &get_cpu_entry_area(cpu)->cpu_debug_buffers.pebs_buffer;
    184. 

  184. +	ds_clear_cea(cea, x86_pmu.pebs_buffer_size);
    185. 

  185.  	ds->pebs_buffer_base = 0;
    186. 

  186. +	dsfree_pages(hwev->ds_pebs_vaddr, x86_pmu.pebs_buffer_size);
    187. 

  187. +	hwev->ds_pebs_vaddr = NULL;
    188. 

  188.  }
    189. 

  189.  
    190. 

  190.  static int alloc_bts_buffer(int cpu)
    191. 

  191.  {
    192. 

  192. -	struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
    193. 

  193. -	int node = cpu_to_node(cpu);
    194. 

  194. -	int max, thresh;
    195. 

  195. -	void *buffer;
    196. 

  196. +	struct cpu_hw_events *hwev = per_cpu_ptr(&cpu_hw_events, cpu);
    197. 

  197. +	struct debug_store *ds = hwev->ds;
    198. 

  198. +	void *buffer, *cea;
    199. 

  199. +	int max;
    200. 

  200.  
    201. 

  201.  	if (!x86_pmu.bts)
    202. 

  202.  		return 0;
    203. 

  203.  
    204. 

  204. -	buffer = kzalloc_node(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, node);
    205. 

  205. +	buffer = dsalloc_pages(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, cpu);
    206. 

  206.  	if (unlikely(!buffer)) {
    207. 

  207.  		WARN_ONCE(1, "%s: BTS buffer allocation failure\n", __func__);
    208. 

  208.  		return -ENOMEM;
    209. 

  209.  	}
    210. 

  210. -
    211. 

  211. -	max = BTS_BUFFER_SIZE / BTS_RECORD_SIZE;
    212. 

  212. -	thresh = max / 16;
    213. 

  213. -
    214. 

  214. -	ds->bts_buffer_base = (u64)(unsigned long)buffer;
    215. 

  215. +	hwev->ds_bts_vaddr = buffer;
    216. 

  216. +	/* Update the fixmap */
    217. 

  217. +	cea = &get_cpu_entry_area(cpu)->cpu_debug_buffers.bts_buffer;
    218. 

  218. +	ds->bts_buffer_base = (unsigned long) cea;
    219. 

  219. +	ds_update_cea(cea, buffer, BTS_BUFFER_SIZE, PAGE_KERNEL);
    220. 

  220.  	ds->bts_index = ds->bts_buffer_base;
    221. 

  221. -	ds->bts_absolute_maximum = ds->bts_buffer_base +
    222. 

  222. -		max * BTS_RECORD_SIZE;
    223. 

  223. -	ds->bts_interrupt_threshold = ds->bts_absolute_maximum -
    224. 

  224. -		thresh * BTS_RECORD_SIZE;
    225. 

  225. -
    226. 

  226. +	max = BTS_RECORD_SIZE * (BTS_BUFFER_SIZE / BTS_RECORD_SIZE);
    227. 

  227. +	ds->bts_absolute_maximum = ds->bts_buffer_base + max;
    228. 

  228. +	ds->bts_interrupt_threshold = ds->bts_absolute_maximum - (max / 16);
    229. 

  229.  	return 0;
    230. 

  230.  }
    231. 

  231.  
    232. 

  232.  static void release_bts_buffer(int cpu)
    233. 

  233.  {
    234. 

  234. -	struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
    235. 

  235. +	struct cpu_hw_events *hwev = per_cpu_ptr(&cpu_hw_events, cpu);
    236. 

  236. +	struct debug_store *ds = hwev->ds;
    237. 

  237. +	void *cea;
    238. 

  238.  
    239. 

  239.  	if (!ds || !x86_pmu.bts)
    240. 

  240.  		return;
    241. 

  241.  
    242. 

  242. -	kfree((void *)(unsigned long)ds->bts_buffer_base);
    243. 

  243. +	/* Clear the fixmap */
    244. 

  244. +	cea = &get_cpu_entry_area(cpu)->cpu_debug_buffers.bts_buffer;
    245. 

  245. +	ds_clear_cea(cea, BTS_BUFFER_SIZE);
    246. 

  246.  	ds->bts_buffer_base = 0;
    247. 

  247. +	dsfree_pages(hwev->ds_bts_vaddr, BTS_BUFFER_SIZE);
    248. 

  248. +	hwev->ds_bts_vaddr = NULL;
    249. 

  249.  }
    250. 

  250.  
    251. 

  251.  static int alloc_ds_buffer(int cpu)
    252. 

  252.  {
    253. 

  253. -	int node = cpu_to_node(cpu);
    254. 

  254. -	struct debug_store *ds;
    255. 

  255. -
    256. 

  256. -	ds = kzalloc_node(sizeof(*ds), GFP_KERNEL, node);
    257. 

  257. -	if (unlikely(!ds))
    258. 

  258. -		return -ENOMEM;
    259. 

  259. +	struct debug_store *ds = &get_cpu_entry_area(cpu)->cpu_debug_store;
    260. 

  260.  
    261. 

  261. +	memset(ds, 0, sizeof(*ds));
    262. 

  262.  	per_cpu(cpu_hw_events, cpu).ds = ds;
    263. 

  263. -
    264. 

  264.  	return 0;
    265. 

  265.  }
    266. 

  266.  
    267. 

  267.  static void release_ds_buffer(int cpu)
    268. 

  268.  {
    269. 

  269. -	struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
    270. 

  270. -
    271. 

  271. -	if (!ds)
    272. 

  272. -		return;
    273. 

  273. -
    274. 

  274.  	per_cpu(cpu_hw_events, cpu).ds = NULL;
    275. 

  275. -	kfree(ds);
    276. 

  276.  }
    277. 

  277.  
    278. 

  278.  void release_ds_buffers(void)
    279. 

  279. -- 
    280. 

  280. 2.14.2
    281. 

  281.