authorPetr Tesarik <ptesarik@suse.cz>2019-10-15 14:30:53 +0200
committerPetr Tesarik <ptesarik@suse.cz>2019-10-15 14:30:53 +0200
commita9359cc0344b49946bd08ed91b86268966d9aea8 (patch)
treea622bcf20f46972ae7cd14f09b4b32e8dccb63e5
parent86c08890212b5b4366e17d9ef21cce57d58c9424 (diff)
parent80e95be7c50f3e6b7b6d7b744124ff7d2c2b0b9e (diff)
Merge branch 'users/bpetkov/SLE15/for-next' into SLE15SLE15
Pull an x86 fix from Borislav Petkov
-rw-r--r--patches.suse/x86-mm-use-write_once-when-setting-ptes.patch142
-rw-r--r--series.conf1
2 files changed, 143 insertions, 0 deletions
diff --git a/patches.suse/x86-mm-use-write_once-when-setting-ptes.patch b/patches.suse/x86-mm-use-write_once-when-setting-ptes.patch
new file mode 100644
index 0000000000..c0f2b3b380
--- /dev/null
+++ b/patches.suse/x86-mm-use-write_once-when-setting-ptes.patch
@@ -0,0 +1,142 @@
+From: Nadav Amit <namit@vmware.com>
+Date: Sun, 2 Sep 2018 11:14:50 -0700
+Subject: x86/mm: Use WRITE_ONCE() when setting PTEs
+Git-commit: 9bc4f28af75a91aea0ae383f50b0a430c4509303
+Patch-mainline: v4.19-rc3
+References: bsc#1114279
+
+When page-table entries are set, the compiler might optimize their
+assignment by using multiple instructions to set the PTE. This might
+turn into a security hazard if the user somehow manages to use the
+interim PTE. L1TF does not make our lives easier, making even an interim
+non-present PTE a security hazard.
+
+Using WRITE_ONCE() to set PTEs and friends should prevent this potential
+security hazard.
+
+I skimmed the differences in the binary with and without this patch. The
+differences are (obviously) greater when CONFIG_PARAVIRT=n as more
+code optimizations are possible. For better and worse, the impact on the
+binary with this patch is pretty small. Skimming the code did not cause
+anything to jump out as a security hazard, but it seems that at least
+move_soft_dirty_pte() caused set_pte_at() to use multiple writes.
+
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180902181451.80520-1-namit@vmware.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/include/asm/pgtable_64.h | 20 ++++++++++----------
+ arch/x86/mm/pgtable.c | 8 ++++----
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/include/asm/pgtable_64.h
++++ b/arch/x86/include/asm/pgtable_64.h
+@@ -53,15 +53,15 @@ struct mm_struct;
+ void set_pte_vaddr_p4d(p4d_t *p4d_page, unsigned long vaddr, pte_t new_pte);
+ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte);
+
+-static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr,
+- pte_t *ptep)
++static inline void native_set_pte(pte_t *ptep, pte_t pte)
+ {
+- *ptep = native_make_pte(0);
++ WRITE_ONCE(*ptep, pte);
+ }
+
+-static inline void native_set_pte(pte_t *ptep, pte_t pte)
++static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr,
++ pte_t *ptep)
+ {
+- *ptep = pte;
++ native_set_pte(ptep, native_make_pte(0));
+ }
+
+ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
+@@ -71,7 +71,7 @@ static inline void native_set_pte_atomic
+
+ static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
+ {
+- *pmdp = pmd;
++ WRITE_ONCE(*pmdp, pmd);
+ }
+
+ static inline void native_pmd_clear(pmd_t *pmd)
+@@ -107,7 +107,7 @@ static inline pmd_t native_pmdp_get_and_
+
+ static inline void native_set_pud(pud_t *pudp, pud_t pud)
+ {
+- *pudp = pud;
++ WRITE_ONCE(*pudp, pud);
+ }
+
+ static inline void native_pud_clear(pud_t *pud)
+@@ -219,7 +219,7 @@ static inline void native_set_p4d(p4d_t
+ #if defined(CONFIG_PAGE_TABLE_ISOLATION) && !defined(CONFIG_X86_5LEVEL)
+ p4dp->pgd = pti_set_user_pgd(&p4dp->pgd, p4d.pgd);
+ #else
+- *p4dp = p4d;
++ WRITE_ONCE(*p4dp, p4d);
+ #endif
+ }
+
+@@ -235,9 +235,9 @@ static inline void native_p4d_clear(p4d_
+ static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
+ {
+ #ifdef CONFIG_PAGE_TABLE_ISOLATION
+- *pgdp = pti_set_user_pgd(pgdp, pgd);
++ WRITE_ONCE(*pgdp, pti_set_user_pgd(pgdp, pgd));
+ #else
+- *pgdp = pgd;
++ WRITE_ONCE(*pgdp, pgd);
+ #endif
+ }
+
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -259,7 +259,7 @@ static void pgd_mop_up_pmds(struct mm_st
+ if (pgd_val(pgd) != 0) {
+ pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
+
+- pgdp[i] = native_make_pgd(0);
++ pgd_clear(&pgdp[i]);
+
+ paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
+ pmd_free(mm, pmd);
+@@ -429,7 +429,7 @@ int ptep_set_access_flags(struct vm_area
+ int changed = !pte_same(*ptep, entry);
+
+ if (changed && dirty) {
+- *ptep = entry;
++ set_pte(ptep, entry);
+ pte_update(vma->vm_mm, address, ptep);
+ }
+
+@@ -446,7 +446,7 @@ int pmdp_set_access_flags(struct vm_area
+ VM_BUG_ON(address & ~HPAGE_PMD_MASK);
+
+ if (changed && dirty) {
+- *pmdp = entry;
++ set_pmd(pmdp, entry);
+ /*
+ * We had a write-protection fault here and changed the pmd
+ * to to more permissive. No need to flush the TLB for that,
+@@ -466,7 +466,7 @@ int pudp_set_access_flags(struct vm_area
+ VM_BUG_ON(address & ~HPAGE_PUD_MASK);
+
+ if (changed && dirty) {
+- *pudp = entry;
++ set_pud(pudp, entry);
+ /*
+ * We had a write-protection fault here and changed the pud
+ * to to more permissive. No need to flush the TLB for that,
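Review bot: The PTI branch of native_set_p4d() is still a plain store. Under `CONFIG_PAGE_TABLE_ISOLATION && !CONFIG_X86_5LEVEL` the context line `p4dp->pgd = pti_set_user_pgd(&p4dp->pgd, p4d.pgd);` is untouched, and only the `#else` branch is converted to WRITE_ONCE(). On a build with PTI enabled and 4-level paging that is the branch that gets compiled, so the compiler may still split this entry update into several writes, which is the interim-entry hazard the commit message describes. I would change it to `WRITE_ONCE(p4dp->pgd, pti_set_user_pgd(&p4dp->pgd, p4d.pgd));`, mirroring what the patch does for native_set_pgd(). Only part of native_set_p4d() is visible in the embedded patch, and the bodies of native_pmd_clear(), native_pud_clear() and native_p4d_clear() are outside the shown context, so confirm in the tree that they go through the converted setters.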
diff --git a/series.conf b/series.conf
index b06ff098b9..8905b9ecbc 100644
--- a/series.conf
+++ b/series.conf
@@ -19508,6 +19508,7 @@
patches.suse/x86-microcode-make-sure-boot_cpu_data-microcode-is-up-to-date
patches.suse/x86-microcode-update-the-new-microcode-revision-unconditionally
patches.suse/x86-process-don-t-mix-user-kernel-regs-in-64bit-_show_regs
+ patches.suse/x86-mm-use-write_once-when-setting-ptes.patch
patches.suse/iw_cxgb4-only-allow-1-flush-on-user-qps.patch
patches.suse/IB-ipoib-Avoid-a-race-condition-between-start_xmit-a.patch
patches.suse/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch