Commit | Line | Data |
---|---|---|
59d5af67 | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
321d628a FG |
2 | From: Peter Zijlstra <peterz@infradead.org> |
3 | Date: Tue, 5 Dec 2017 13:34:51 +0100 | |
59d5af67 | 4 | Subject: [PATCH] x86/microcode: Dont abuse the TLB-flush interface |
321d628a FG |
5 | MIME-Version: 1.0 |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | CVE-2017-5754 | |
10 | ||
11 | Commit: | |
12 | ||
13 | ec400ddeff20 ("x86/microcode_intel_early.c: Early update ucode on Intel's CPU") | |
14 | ||
15 | ... grubbed into tlbflush internals without coherent explanation. | |
16 | ||
17 | Since it says it's a precaution and the SDM doesn't mention anything like | |
18 | this, take it out back. | |
19 | ||
20 | Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> | |
21 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | |
22 | Cc: Andy Lutomirski <luto@kernel.org> | |
23 | Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> | |
24 | Cc: Borislav Petkov <bp@alien8.de> | |
25 | Cc: Brian Gerst <brgerst@gmail.com> | |
26 | Cc: Dave Hansen <dave.hansen@linux.intel.com> | |
27 | Cc: David Laight <David.Laight@aculab.com> | |
28 | Cc: Denys Vlasenko <dvlasenk@redhat.com> | |
29 | Cc: Eduardo Valentin <eduval@amazon.com> | |
30 | Cc: Greg KH <gregkh@linuxfoundation.org> | |
31 | Cc: H. Peter Anvin <hpa@zytor.com> | |
32 | Cc: Josh Poimboeuf <jpoimboe@redhat.com> | |
33 | Cc: Juergen Gross <jgross@suse.com> | |
34 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
35 | Cc: Peter Zijlstra <peterz@infradead.org> | |
36 | Cc: Will Deacon <will.deacon@arm.com> | |
37 | Cc: aliguori@amazon.com | |
38 | Cc: daniel.gruss@iaik.tugraz.at | |
39 | Cc: fenghua.yu@intel.com | |
40 | Cc: hughd@google.com | |
41 | Cc: keescook@google.com | |
42 | Cc: linux-mm@kvack.org | |
43 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
44 | (cherry picked from commit 23cb7d46f371844c004784ad9552a57446f73e5a) | |
45 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
46 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
47 | (cherry picked from commit 0f3d96d1e5aa4d9538ab1a918fb49f2c57ebb6f5) | |
48 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
49 | --- | |
50 | arch/x86/include/asm/tlbflush.h | 19 ++++++------------- | |
51 | arch/x86/kernel/cpu/microcode/intel.c | 13 ------------- | |
52 | 2 files changed, 6 insertions(+), 26 deletions(-) | |
53 | ||
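diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
index 6533da3036c9..6d2688a6fda0 100644
--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -234,20 +234,9 @@ static inline void __native_flush_tlb(void)
 preempt_enable();
 }
 
-static inline void __native_flush_tlb_global_irq_disabled(void)
-{
- unsigned long cr4;
-
- cr4 = this_cpu_read(cpu_tlbstate.cr4);
- /* clear PGE */
- native_write_cr4(cr4 & ~X86_CR4_PGE);
- /* write old PGE again and flush TLBs */
- native_write_cr4(cr4);
-}
-
 static inline void __native_flush_tlb_global(void)
 {
- unsigned long flags;
+ unsigned long cr4, flags;
 
 if (static_cpu_has(X86_FEATURE_INVPCID)) {
 /*
@@ -265,7 +254,11 @@ static inline void __native_flush_tlb_global(void)
 */
 raw_local_irq_save(flags);
 
- __native_flush_tlb_global_irq_disabled();
+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
+ /* toggle PGE */
+ native_write_cr4(cr4 ^ X86_CR4_PGE);
+ /* write old PGE again and flush TLBs */
+ native_write_cr4(cr4);
 
 raw_local_irq_restore(flags);
 }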
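Review bot: The second hunk changes the first CR4 write in `__native_flush_tlb_global()` from `cr4 & ~X86_CR4_PGE` to `cr4 ^ X86_CR4_PGE`, and neither the commit message nor the new `/* toggle PGE */` comment says why. With the XOR the first write changes CR4.PGE whichever state the cached value holds, so the flush no longer depends on PGE being set. This patch is carried under CVE-2017-5754, where global pages are presumably not always enabled, so the comment should record that, e.g. `/* toggle PGE: changing CR4.PGE flushes all TLB entries, global ones included, whether PGE was set or clear */`. The retained `/* write old PGE again and flush TLBs */` could then become `/* restore the original CR4 value */`, since it now reads as if only the second write flushed. The value is taken from the `cpu_tlbstate.cr4` shadow rather than the register, which is worth a one-line note too; part of the function body lies between the two hunks and is not shown.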
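diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index 636a5fcfdeb7..d9a8f69101aa 100644
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -564,15 +564,6 @@ static void print_ucode(struct ucode_cpu_info *uci)
 }
 #else
 
-/*
- * Flush global tlb. We only do this in x86_64 where paging has been enabled
- * already and PGE should be enabled as well.
- */
-static inline void flush_tlb_early(void)
-{
- __native_flush_tlb_global_irq_disabled();
-}
-
 static inline void print_ucode(struct ucode_cpu_info *uci)
 {
 struct microcode_intel *mc;
@@ -601,10 +592,6 @@ static int apply_microcode_early(struct ucode_cpu_info *uci, bool early)
 if (rev != mc->hdr.rev)
 return -1;
 
-#ifdef CONFIG_X86_64
- /* Flush global tlb. This is precaution. */
- flush_tlb_early();
-#endif
 uci->cpu_sig.rev = rev;
 
 if (early)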
124 | -- | |
125 | 2.14.2 | |
126 |