]>
Commit | Line | Data |
---|---|---|
035dbe67 FG |
1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Thomas Gleixner <tglx@linutronix.de> | |
3 | Date: Wed, 3 Jan 2018 15:57:59 +0100 | |
4 | Subject: [PATCH] x86/pti: Make sure the user/kernel PTEs match | |
5 | MIME-Version: 1.0 | |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | CVE-2017-5754 | |
10 | ||
11 | Meelis reported that his K8 Athlon64 emits MCE warnings when PTI is | |
12 | enabled: | |
13 | ||
14 | [Hardware Error]: Error Addr: 0x0000ffff81e000e0 | |
15 | [Hardware Error]: MC1 Error: L1 TLB multimatch. | |
16 | [Hardware Error]: cache level: L1, tx: INSN | |
17 | ||
18 | The address is in the entry area, which is mapped into kernel _AND_ user | |
19 | space. That's special because we switch CR3 while we are executing | |
20 | there. | |
21 | ||
22 | User mapping: | |
23 | 0xffffffff81e00000-0xffffffff82000000 2M ro PSE GLB x pmd | |
24 | ||
25 | Kernel mapping: | |
26 | 0xffffffff81000000-0xffffffff82000000 16M ro PSE x pmd | |
27 | ||
28 | So the K8 is complaining that the TLB entries differ. They differ in the | |
29 | GLB bit. | |
30 | ||
31 | Drop the GLB bit when installing the user shared mapping. | |
32 | ||
33 | Fixes: 6dc72c3cbca0 ("x86/mm/pti: Share entry text PMD") | |
34 | Reported-by: Meelis Roos <mroos@linux.ee> | |
35 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | |
36 | Tested-by: Meelis Roos <mroos@linux.ee> | |
37 | Cc: Borislav Petkov <bp@alien8.de> | |
38 | Cc: Tom Lendacky <thomas.lendacky@amd.com> | |
39 | Cc: stable@vger.kernel.org | |
40 | Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801031407180.1957@nanos | |
41 | (cherry picked from commit 52994c256df36fda9a715697431cba9daecb6b11) | |
42 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
43 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
44 | (cherry picked from commit 8a95d206afc447d8461815c67e618bd8b2c6457f) | |
45 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
46 | --- | |
47 | arch/x86/mm/pti.c | 3 ++- | |
48 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
49 | ||
50 | diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c | |
51 | index bce8aea65606..2da28ba97508 100644 | |
52 | --- a/arch/x86/mm/pti.c | |
53 | +++ b/arch/x86/mm/pti.c | |
54 | @@ -367,7 +367,8 @@ static void __init pti_setup_espfix64(void) | |
55 | static void __init pti_clone_entry_text(void) | |
56 | { | |
57 | pti_clone_pmds((unsigned long) __entry_text_start, | |
58 | - (unsigned long) __irqentry_text_end, _PAGE_RW); | |
59 | + (unsigned long) __irqentry_text_end, | |
60 | + _PAGE_RW | _PAGE_GLOBAL); | |
61 | } | |
62 | ||
63 | /* | |
64 | -- | |
65 | 2.14.2 | |
66 |