KPTI: add follow-up fixes
1 From 427fbe54a8df451acd3cd31a4d6dbb1753036dee Mon Sep 17 00:00:00 2001
2 From: Dave Hansen <dave.hansen@linux.intel.com>
3 Date: Mon, 4 Dec 2017 15:07:56 +0100
4 Subject: [PATCH 181/241] x86/mm: Put MMU to hardware ASID translation in one
5 place
6 MIME-Version: 1.0
7 Content-Type: text/plain; charset=UTF-8
8 Content-Transfer-Encoding: 8bit
9
10 CVE-2017-5754
11
12 There are effectively two ASID types:
13
14 1. The one stored in the mmu_context that goes from 0..5
15 2. The one programmed into the hardware that goes from 1..6
16
17 This consolidates the locations where converting between the two (by doing
18 a +1) to a single place which gives us a nice place to comment.
19 PAGE_TABLE_ISOLATION will also need to, given an ASID, know which hardware
20 ASID to flush for the userspace mapping.
21
22 Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
23 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
24 Cc: Andy Lutomirski <luto@kernel.org>
25 Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
26 Cc: Borislav Petkov <bp@alien8.de>
27 Cc: Brian Gerst <brgerst@gmail.com>
28 Cc: Dave Hansen <dave.hansen@intel.com>
29 Cc: David Laight <David.Laight@aculab.com>
30 Cc: Denys Vlasenko <dvlasenk@redhat.com>
31 Cc: Eduardo Valentin <eduval@amazon.com>
32 Cc: Greg KH <gregkh@linuxfoundation.org>
33 Cc: H. Peter Anvin <hpa@zytor.com>
34 Cc: Josh Poimboeuf <jpoimboe@redhat.com>
35 Cc: Juergen Gross <jgross@suse.com>
36 Cc: Linus Torvalds <torvalds@linux-foundation.org>
37 Cc: Peter Zijlstra <peterz@infradead.org>
38 Cc: Will Deacon <will.deacon@arm.com>
39 Cc: aliguori@amazon.com
40 Cc: daniel.gruss@iaik.tugraz.at
41 Cc: hughd@google.com
42 Cc: keescook@google.com
43 Cc: linux-mm@kvack.org
44 Signed-off-by: Ingo Molnar <mingo@kernel.org>
45 (cherry picked from commit dd95f1a4b5ca904c78e6a097091eb21436478abb)
46 Signed-off-by: Andy Whitcroft <apw@canonical.com>
47 Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
48 (cherry picked from commit 6f3e88a8f41123ac339d28cfdda5da0e85bec550)
49 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
50 ---
51 arch/x86/include/asm/tlbflush.h | 31 +++++++++++++++++++------------
52 1 file changed, 19 insertions(+), 12 deletions(-)
53
54 diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
55 index c1c10db4156c..ecd634f87e4e 100644
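--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -84,30 +84,37 @@ static inline u64 inc_mm_tlb_gen(struct mm_struct *mm)
 */
 #define MAX_ASID_AVAILABLE ((1 << CR3_AVAIL_ASID_BITS) - 2)
 
-/*
- * If PCID is on, ASID-aware code paths put the ASID+1 into the PCID bits.
- * This serves two purposes. It prevents a nasty situation in which
- * PCID-unaware code saves CR3, loads some other value (with PCID == 0),
- * and then restores CR3, thus corrupting the TLB for ASID 0 if the saved
- * ASID was nonzero. It also means that any bugs involving loading a
- * PCID-enabled CR3 with CR4.PCIDE off will trigger deterministically.
- */
+static inline u16 kern_pcid(u16 asid)
+{
+ VM_WARN_ON_ONCE(asid > MAX_ASID_AVAILABLE);
+ /*
+ * If PCID is on, ASID-aware code paths put the ASID+1 into the
+ * PCID bits. This serves two purposes. It prevents a nasty
+ * situation in which PCID-unaware code saves CR3, loads some other
+ * value (with PCID == 0), and then restores CR3, thus corrupting
+ * the TLB for ASID 0 if the saved ASID was nonzero. It also means
+ * that any bugs involving loading a PCID-enabled CR3 with
+ * CR4.PCIDE off will trigger deterministically.
+ */
+ return asid + 1;
+}
+
 struct pgd_t;
 static inline unsigned long build_cr3(pgd_t *pgd, u16 asid)
 {
 if (static_cpu_has(X86_FEATURE_PCID)) {
- VM_WARN_ON_ONCE(asid > MAX_ASID_AVAILABLE);
- return __sme_pa(pgd) | (asid + 1);
+ return __pa(pgd) | kern_pcid(asid);
 } else {
 VM_WARN_ON_ONCE(asid != 0);
- return __sme_pa(pgd);
+ return __pa(pgd);
 }
 }
 
 static inline unsigned long build_cr3_noflush(pgd_t *pgd, u16 asid)
 {
 VM_WARN_ON_ONCE(asid > MAX_ASID_AVAILABLE);
- return __sme_pa(pgd) | (asid + 1) | CR3_NOFLUSH;
+ VM_WARN_ON_ONCE(!this_cpu_has(X86_FEATURE_PCID));
+ return __pa(pgd) | kern_pcid(asid) | CR3_NOFLUSH;
 }
 
 #ifdef CONFIG_PARAVIRT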
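Review bot: All three return statements in build_cr3() and build_cr3_noflush() switch from `__sme_pa(pgd)` to `__pa(pgd)`, a change the commit message does not mention; it describes only the consolidation of the +1. If `__sme_pa()` in this tree ORs the memory-encryption mask into the physical address, as its name suggests, the CR3 value built here no longer carries that bit. On a host with SME active the page-table root would then be referenced as unencrypted memory. Unless this backport deliberately targets a base without SME, keep the old helper: `return __sme_pa(pgd) | kern_pcid(asid);`, `return __sme_pa(pgd);` and `return __sme_pa(pgd) | kern_pcid(asid) | CR3_NOFLUSH;`. If the swap is intentional, it deserves a line in the description so anyone auditing the KPTI series does not mistake it for a merge slip.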
108 --
109 2.14.2
110