首頁 探索 說明
註冊 登入
Apq
/
pve-edge-kernel
镜像来自 https://github.com/fabianishere/pve-edge-kernel.git
1
0
複刻 0
Files 問題管理 0 Wiki
目錄樹: 633c5ed17f
分支列表 標籤列表
pve-edge-kernel
/
patches
/
kernel
/
0043-x86-mm-Factor-out-CR3-building-code.patch

0043-x86-mm-Factor-out-CR3-building-code.patch 6.5 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176 
  1. From ddb5e7b381d37d0f8bca61f0b761ae5c3a2f5ee0 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Andy Lutomirski <[email protected]>
    3. 

  3. Date: Sun, 17 Sep 2017 09:03:48 -0700
    4. 

  4. Subject: [PATCH 043/242] x86/mm: Factor out CR3-building code
    5. 

  5. MIME-Version: 1.0
    6. 

  6. Content-Type: text/plain; charset=UTF-8
    7. 

  7. Content-Transfer-Encoding: 8bit
    8. 

  8. 

  9. CVE-2017-5754
    10. 

  10. 

  11. Current, the code that assembles a value to load into CR3 is
    12. 

  12. open-coded everywhere.  Factor it out into helpers build_cr3() and
    13. 

  13. build_cr3_noflush().
    14. 

  14. 

  15. This makes one semantic change: __get_current_cr3_fast() was wrong
    16. 

  16. on SME systems.  No one noticed because the only caller is in the
    17. 

  17. VMX code, and there are no CPUs with both SME and VMX.
    18. 

  18. 

  19. Signed-off-by: Andy Lutomirski <[email protected]>
    20. 

  20. Cc: Borislav Petkov <[email protected]>
    21. 

  21. Cc: Linus Torvalds <[email protected]>
    22. 

  22. Cc: Peter Zijlstra <[email protected]>
    23. 

  23. Cc: Thomas Gleixner <[email protected]>
    24. 

  24. Cc: Tom Lendacky <[email protected]>
    25. 

  25. Link: http://lkml.kernel.org/r/ce350cf11e93e2842d14d0b95b0199c7d881f527.1505663533.git.luto@kernel.org
    26. 

  26. Signed-off-by: Ingo Molnar <[email protected]>
    27. 

  27. (backported from commit 47061a24e2ee5bd8a40d473d47a5bd823fa0081f)
    28. 

  28. Signed-off-by: Andy Whitcroft <[email protected]>
    29. 

  29. Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
    30. 

  30. (cherry picked from commit 72be211bac7be521f128d419d63cae38ba60ace8)
    31. 

  31. Signed-off-by: Fabian Grünbichler <[email protected]>
    32. 

  32. ---
    33. 

  33.  arch/x86/include/asm/mmu_context.h | 15 ++++++---
    34. 

  34.  arch/x86/mm/tlb.c                  | 68 +++++++++++++++++++++++++++++++++++---
    35. 

  35.  2 files changed, 75 insertions(+), 8 deletions(-)
    36. 

  36. 

  37. diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
    38. 

  38. index 7ae318c340d9..a999ba6b721f 100644
    39. 

  39. --- a/arch/x86/include/asm/mmu_context.h
    40. 

  40. +++ b/arch/x86/include/asm/mmu_context.h
    41. 

  41. @@ -286,6 +286,15 @@ static inline bool arch_vma_access_permitted(struct vm_area_struct *vma,
    42. 

  42.  	return __pkru_allows_pkey(vma_pkey(vma), write);
    43. 

  43.  }
    44. 

  44.  
    45. 

  45. +static inline unsigned long build_cr3(struct mm_struct *mm, u16 asid)
    46. 

  46. +{
    47. 

  47. +	return __sme_pa(mm->pgd) | asid;
    48. 

  48. +}
    49. 

  49. +
    50. 

  50. +static inline unsigned long build_cr3_noflush(struct mm_struct *mm, u16 asid)
    51. 

  51. +{
    52. 

  52. +	return __sme_pa(mm->pgd) | asid | CR3_NOFLUSH;
    53. 

  53. +}
    54. 

  54.  
    55. 

  55.  /*
    56. 

  56.   * This can be used from process context to figure out what the value of
    57. 

  57. @@ -296,10 +305,8 @@ static inline bool arch_vma_access_permitted(struct vm_area_struct *vma,
    58. 

  58.   */
    59. 

  59.  static inline unsigned long __get_current_cr3_fast(void)
    60. 

  60.  {
    61. 

  61. -	unsigned long cr3 = __pa(this_cpu_read(cpu_tlbstate.loaded_mm)->pgd);
    62. 

  62. -
    63. 

  63. -	if (static_cpu_has(X86_FEATURE_PCID))
    64. 

  64. -		cr3 |= this_cpu_read(cpu_tlbstate.loaded_mm_asid);
    65. 

  65. +	unsigned long cr3 = build_cr3(this_cpu_read(cpu_tlbstate.loaded_mm),
    66. 

  66. +		this_cpu_read(cpu_tlbstate.loaded_mm_asid));
    67. 

  67.  
    68. 

  68.  	/* For now, be very restrictive about when this can be called. */
    69. 

  69.  	VM_WARN_ON(in_nmi() || preemptible());
    70. 

  70. diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
    71. 

  71. index 57943b4d8f2e..440400316c8a 100644
    72. 

  72. --- a/arch/x86/mm/tlb.c
    73. 

  73. +++ b/arch/x86/mm/tlb.c
    74. 

  74. @@ -123,7 +123,23 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
    75. 

  75.  	 * without going through leave_mm() / switch_mm_irqs_off() or that
    76. 

  76.  	 * does something like write_cr3(read_cr3_pa()).
    77. 

  77.  	 */
    78. 

  78. -	VM_BUG_ON(__read_cr3() != (__sme_pa(real_prev->pgd) | prev_asid));
    79. 

  79. +#ifdef CONFIG_DEBUG_VM
    80. 

  80. +	if (WARN_ON_ONCE(__read_cr3() != build_cr3(real_prev, prev_asid))) {
    81. 

  81. +		/*
    82. 

  82. +		 * If we were to BUG here, we'd be very likely to kill
    83. 

  83. +		 * the system so hard that we don't see the call trace.
    84. 

  84. +		 * Try to recover instead by ignoring the error and doing
    85. 

  85. +		 * a global flush to minimize the chance of corruption.
    86. 

  86. +		 *
    87. 

  87. +		 * (This is far from being a fully correct recovery.
    88. 

  88. +		 *  Architecturally, the CPU could prefetch something
    89. 

  89. +		 *  back into an incorrect ASID slot and leave it there
    90. 

  90. +		 *  to cause trouble down the road.  It's better than
    91. 

  91. +		 *  nothing, though.)
    92. 

  92. +		 */
    93. 

  93. +		__flush_tlb_all();
    94. 

  94. +	}
    95. 

  95. +#endif
    96. 

  96.  
    97. 

  97.  	if (real_prev == next) {
    98. 

  98.  		VM_BUG_ON(this_cpu_read(cpu_tlbstate.ctxs[prev_asid].ctx_id) !=
    99. 

  99. @@ -153,7 +169,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
    100. 

  100.  			 */
    101. 

  101.  			this_cpu_write(cpu_tlbstate.ctxs[prev_asid].tlb_gen,
    102. 

  102.  				       next_tlb_gen);
    103. 

  103. -			write_cr3(__pa(next->pgd) | prev_asid);
    104. 

  104. +			write_cr3(build_cr3(next, prev_asid));
    105. 

  105.  
    106. 

  106.  			/*
    107. 

  107.  			 * This gets called via leave_mm() in the idle path
    108. 

  108. @@ -204,12 +220,12 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
    109. 

  109.  		if (need_flush) {
    110. 

  110.  			this_cpu_write(cpu_tlbstate.ctxs[new_asid].ctx_id, next->context.ctx_id);
    111. 

  111.  			this_cpu_write(cpu_tlbstate.ctxs[new_asid].tlb_gen, next_tlb_gen);
    112. 

  112. -			write_cr3(__pa(next->pgd) | new_asid);
    113. 

  113. +			write_cr3(build_cr3(next, new_asid));
    114. 

  114.  			trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH,
    115. 

  115.  					TLB_FLUSH_ALL);
    116. 

  116.  		} else {
    117. 

  117.  			/* The new ASID is already up to date. */
    118. 

  118. -			write_cr3(__sme_pa(next->pgd) | new_asid | CR3_NOFLUSH);
    119. 

  119. +			write_cr3(build_cr3_noflush(next, new_asid));
    120. 

  120.  			trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, 0);
    121. 

  121.  		}
    122. 

  122.  
    123. 

  123. @@ -221,6 +237,50 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
    124. 

  124.  	switch_ldt(real_prev, next);
    125. 

  125.  }
    126. 

  126.  
    127. 

  127. +/*
    128. 

  128. + * Call this when reinitializing a CPU.  It fixes the following potential
    129. 

  129. + * problems:
    130. 

  130. + *
    131. 

  131. + * - The ASID changed from what cpu_tlbstate thinks it is (most likely
    132. 

  132. + *   because the CPU was taken down and came back up with CR3's PCID
    133. 

  133. + *   bits clear.  CPU hotplug can do this.
    134. 

  134. + *
    135. 

  135. + * - The TLB contains junk in slots corresponding to inactive ASIDs.
    136. 

  136. + *
    137. 

  137. + * - The CPU went so far out to lunch that it may have missed a TLB
    138. 

  138. + *   flush.
    139. 

  139. + */
    140. 

  140. +void initialize_tlbstate_and_flush(void)
    141. 

  141. +{
    142. 

  142. +	int i;
    143. 

  143. +	struct mm_struct *mm = this_cpu_read(cpu_tlbstate.loaded_mm);
    144. 

  144. +	u64 tlb_gen = atomic64_read(&init_mm.context.tlb_gen);
    145. 

  145. +	unsigned long cr3 = __read_cr3();
    146. 

  146. +
    147. 

  147. +	/* Assert that CR3 already references the right mm. */
    148. 

  148. +	WARN_ON((cr3 & CR3_ADDR_MASK) != __pa(mm->pgd));
    149. 

  149. +
    150. 

  150. +	/*
    151. 

  151. +	 * Assert that CR4.PCIDE is set if needed.  (CR4.PCIDE initialization
    152. 

  152. +	 * doesn't work like other CR4 bits because it can only be set from
    153. 

  153. +	 * long mode.)
    154. 

  154. +	 */
    155. 

  155. +	WARN_ON(boot_cpu_has(X86_FEATURE_PCID) &&
    156. 

  156. +		!(cr4_read_shadow() & X86_CR4_PCIDE));
    157. 

  157. +
    158. 

  158. +	/* Force ASID 0 and force a TLB flush. */
    159. 

  159. +	write_cr3(build_cr3(mm, 0));
    160. 

  160. +
    161. 

  161. +	/* Reinitialize tlbstate. */
    162. 

  162. +	this_cpu_write(cpu_tlbstate.loaded_mm_asid, 0);
    163. 

  163. +	this_cpu_write(cpu_tlbstate.next_asid, 1);
    164. 

  164. +	this_cpu_write(cpu_tlbstate.ctxs[0].ctx_id, mm->context.ctx_id);
    165. 

  165. +	this_cpu_write(cpu_tlbstate.ctxs[0].tlb_gen, tlb_gen);
    166. 

  166. +
    167. 

  167. +	for (i = 1; i < TLB_NR_DYN_ASIDS; i++)
    168. 

  168. +		this_cpu_write(cpu_tlbstate.ctxs[i].ctx_id, 0);
    169. 

  169. +}
    170. 

  170. +
    171. 

  171.  /*
    172. 

  172.   * flush_tlb_func_common()'s memory ordering requirement is that any
    173. 

  173.   * TLB fills that happen after we flush the TLB are ordered after we
    174. 

  174. -- 
    175. 

  175. 2.14.2
    176. 

  176.