Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVlastimil Babka <vbabka@suse.cz>2018-10-15 11:05:16 +0200
committerVlastimil Babka <vbabka@suse.cz>2018-10-15 11:05:16 +0200
commit5db1aea15b4ff9fb1ffdcbb8975c3210c432a3a1 (patch)
tree952d49c047eeda477699ba829c526cd233f4599c
parent2624e2e94896a8946b30b29a637780c07cd9acc5 (diff)
- x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
(bsc#1105536). - Refresh patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch. - Refresh patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch. - Refresh patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit. - Refresh patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf.
-rw-r--r--patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch18
-rw-r--r--patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch6
-rw-r--r--patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit6
-rw-r--r--patches.arch/x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch71
-rw-r--r--patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf6
-rw-r--r--series.conf3
6 files changed, 91 insertions, 19 deletions
diff --git a/patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch b/patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
index abf870f9ad..13067a549b 100644
--- a/patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
+++ b/patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
@@ -51,24 +51,24 @@ Acked-by: Michal Hocko <mhocko@suse.com>
+++ b/arch/x86/include/asm/processor.h
@@ -184,7 +184,7 @@ extern void cpu_detect(struct cpuinfo_x8
- static inline unsigned long l1tf_pfn_limit(void)
+ static inline unsigned long long l1tf_pfn_limit(void)
{
-- return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
-+ return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT);
+- return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
++ return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT);
}
extern void early_cpu_init(void);
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
-@@ -891,7 +891,7 @@ unsigned long max_swapfile_size(void)
+@@ -893,7 +893,7 @@ unsigned long max_swapfile_size(void)
if (boot_cpu_has_bug(X86_BUG_L1TF)) {
/* Limit the swap file size to MAX_PA/2 for L1TF workaround */
-- pages = min_t(unsigned long, l1tf_pfn_limit() + 1, pages);
-+ pages = min_t(unsigned long, l1tf_pfn_limit(), pages);
- }
- return pages;
- }
+- unsigned long long l1tf_limit = l1tf_pfn_limit() + 1;
++ unsigned long long l1tf_limit = l1tf_pfn_limit();
+ /*
+ * We encode swap offsets also with 3 bits below those for pfn
+ * which makes the usable limit higher.
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -189,7 +189,7 @@ bool pfn_modify_allowed(unsigned long pf
diff --git a/patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch b/patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
index 437fd86d9d..52e5564ca4 100644
--- a/patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
+++ b/patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
@@ -60,10 +60,10 @@ Acked-by: Michal Hocko <mhocko@suse.com>
#endif
@@ -184,7 +189,7 @@ extern void cpu_detect(struct cpuinfo_x8
- static inline unsigned long l1tf_pfn_limit(void)
+ static inline unsigned long long l1tf_pfn_limit(void)
{
-- return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT);
-+ return BIT(boot_cpu_data.x86_cache_bits - 1 - PAGE_SHIFT);
+- return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT);
++ return BIT_ULL(boot_cpu_data.x86_cache_bits - 1 - PAGE_SHIFT);
}
extern void early_cpu_init(void);
diff --git a/patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit b/patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit
index b282af7a53..31c9979c84 100644
--- a/patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit
+++ b/patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit
@@ -19,16 +19,16 @@ Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Joerg Roedel <jroedel@suse.de>
---
- arch/x86/mm/init.c | 10 +++++++++-
+ arch/x86/mm/init.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
-@@ -894,7 +894,15 @@ unsigned long max_swapfile_size(void)
+@@ -893,7 +893,15 @@ unsigned long max_swapfile_size(void)
if (boot_cpu_has_bug(X86_BUG_L1TF)) {
/* Limit the swap file size to MAX_PA/2 for L1TF workaround */
-- pages = min_t(unsigned long, l1tf_pfn_limit(), pages);
+- pages = min_t(unsigned long, l1tf_pfn_limit() + 1, pages);
+ unsigned long l1tf_limit = l1tf_pfn_limit() + 1;
+ /*
+ * We encode swap offsets also with 3 bits below those for pfn
diff --git a/patches.arch/x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch b/patches.arch/x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch
new file mode 100644
index 0000000000..764aee1138
--- /dev/null
+++ b/patches.arch/x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch
@@ -0,0 +1,71 @@
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Mon, 20 Aug 2018 11:58:35 +0200
+Subject: x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
+Git-commit: 9df9516940a61d29aedf4d91b483ca6597e7d480
+Patch-mainline: v4.19-rc1
+References: bsc#1105536
+
+On 32bit PAE kernels on 64bit hardware with enough physical bits,
+l1tf_pfn_limit() will overflow unsigned long. This in turn affects
+max_swapfile_size() and can lead to swapon returning -EINVAL. This has been
+observed in a 32bit guest with 42 bits physical address size, where
+max_swapfile_size() overflows exactly to 1 << 32, thus zero, and produces
+the following warning to dmesg:
+
+[ 6.396845] Truncating oversized swap area, only using 0k out of 2047996k
+
+Fix this by using unsigned long long instead.
+
+Fixes: 17dbca119312 ("x86/speculation/l1tf: Add sysfs reporting for l1tf")
+Fixes: 377eeaa8e11f ("x86/speculation/l1tf: Limit swap file size to MAX_PA/2")
+Reported-by: Dominique Leuenberger <dimstar@suse.de>
+Reported-by: Adrian Schroeter <adrian@suse.de>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180820095835.5298-1-vbabka@suse.cz
+---
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/mm/init.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -182,9 +182,9 @@ extern const struct seq_operations cpuin
+
+ extern void cpu_detect(struct cpuinfo_x86 *c);
+
+-static inline unsigned long l1tf_pfn_limit(void)
++static inline unsigned long long l1tf_pfn_limit(void)
+ {
+- return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
++ return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
+ }
+
+ extern void early_cpu_init(void);
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -893,7 +893,7 @@ unsigned long max_swapfile_size(void)
+
+ if (boot_cpu_has_bug(X86_BUG_L1TF)) {
+ /* Limit the swap file size to MAX_PA/2 for L1TF workaround */
+- unsigned long l1tf_limit = l1tf_pfn_limit() + 1;
++ unsigned long long l1tf_limit = l1tf_pfn_limit() + 1;
+ /*
+ * We encode swap offsets also with 3 bits below those for pfn
+ * which makes the usable limit higher.
+@@ -901,7 +901,7 @@ unsigned long max_swapfile_size(void)
+ #ifdef CONFIG_X86_64
+ l1tf_limit <<= PAGE_SHIFT - SWP_OFFSET_FIRST_BIT;
+ #endif
+- pages = min_t(unsigned long, l1tf_limit, pages);
++ pages = min_t(unsigned long long, l1tf_limit, pages);
+ }
+ return pages;
+ }
diff --git a/patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf b/patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf
index 33b63c1b9b..cbaba47bf4 100644
--- a/patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf
+++ b/patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf
@@ -22,8 +22,8 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Joerg Roedel <jroedel@suse.de>
---
- arch/x86/include/asm/pgtable-3level.h | 35 +++++++++++++++++++++++++++++++++--
- arch/x86/mm/init.c | 2 +-
+ arch/x86/include/asm/pgtable-3level.h | 35 ++++++++++++++++++++++++++++++++--
+ arch/x86/mm/init.c | 2 -
2 files changed, 34 insertions(+), 3 deletions(-)
--- a/arch/x86/include/asm/pgtable-3level.h
@@ -84,4 +84,4 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
+#if CONFIG_PGTABLE_LEVELS > 2
l1tf_limit <<= PAGE_SHIFT - SWP_OFFSET_FIRST_BIT;
#endif
- pages = min_t(unsigned long, l1tf_limit, pages);
+ pages = min_t(unsigned long long, l1tf_limit, pages);
diff --git a/series.conf b/series.conf
index 01c5959f31..9cd07343e3 100644
--- a/series.conf
+++ b/series.conf
@@ -18822,6 +18822,8 @@
patches.arch/x86-speculation-Protect-against-userspace-userspace-.patch
+ patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit
+ patches.arch/x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch
patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
patches.arch/0001-x86-speculation-l1tf-Suggest-what-to-do-on-systems-w.patch
patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
@@ -18842,7 +18844,6 @@
patches.fixes/0001-xen-issue-warning-message-when-out-of-grant-maptrack.patch
# bsc#1110006
- patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit
patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf
patches.arch/x86-speculation-l1tf-fix-up-pte-pfn-conversion-for-pae
patches.arch/x86-kvm-vmx-don-t-set-l1tf_flush_l1d-to-true-from-vmx_l1d_flush