
From: Alice Ferrazzi <alicef@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.14 commit in: /
Date: Thu, 04 Jan 2018 15:18:10
Message-Id: 1515078605.ec095309f3e13173054c6b3f03749edd89ce5944.alicef@gentoo
commit: ec095309f3e13173054c6b3f03749edd89ce5944
Author: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 4 15:10:05 2018 +0000
Commit: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
CommitDate: Thu Jan 4 15:10:05 2018 +0000
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=ec095309

x86 page table isolation fixes

0000_README | 14 +-
1700_do_not_enable_PTI_on_AMD_processor.patch | 44 --
1700_x86-page-table-isolation-fixes.patch | 453 +++++++++++++++++++++
1701_make_sure_the_user_kernel_PTEs_match.patch | 56 ---
...rnel_CR3_at_early_in_entry_SYSCALL_compat.patch | 68 ----
5 files changed, 456 insertions(+), 179 deletions(-)

diff --git a/0000_README b/0000_README
index d47f74d..c07cc2b 100644
--- a/0000_README
+++ b/0000_README
@@ -95,17 +95,9 @@ Patch: 1510_fs-enable-link-security-restrictions-by-default.patch
From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/
Desc: Enable link security restrictions by default.

-Patch: 1700_do_not_enable_PTI_on_AMD_processor.patch
-From: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/patch/?id=694d99d40972f12e59a3696effee8a376b79d7c8
-Desc: x86/cpu, x86/pti: Do not enable PTI on AMD processors.
-
-Patch: 1701_make_sure_the_user_kernel_PTEs_match.patch
-From: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/patch/?id=52994c256df36fda9a715697431cba9daecb6b11
-Desc: x86/pti: Make sure the user/kernel PTEs match
-
-Patch: 1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch
-From: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=WIP.x86/pti&id=d7732ba55c4b6a2da339bb12589c515830cfac2c
-Desc: Switch to kernel CR3 at early in entry_SYSCALL_compat()
+Patch: 1700_x86-page-table-isolation-fixes.patch
+From: https://github.com/torvalds/linux/commit/00a5ae218d57741088068799b810416ac249a9ce
+Desc: Cumulative patch of x86 page table isolation fixes.

Patch: 2100_bcache-data-corruption-fix-for-bi-partno.patch
From: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=62530ed8b1d07a45dec94d46e521c0c6c2d476e6

diff --git a/1700_do_not_enable_PTI_on_AMD_processor.patch b/1700_do_not_enable_PTI_on_AMD_processor.patch
deleted file mode 100644
index 3069c4c..0000000
--- a/1700_do_not_enable_PTI_on_AMD_processor.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 694d99d40972f12e59a3696effee8a376b79d7c8 Mon Sep 17 00:00:00 2001
-From: Tom Lendacky <thomas.lendacky@×××.com>
-Date: Tue, 26 Dec 2017 23:43:54 -0600
-Subject: x86/cpu, x86/pti: Do not enable PTI on AMD processors
-
-AMD processors are not subject to the types of attacks that the kernel
-page table isolation feature protects against. The AMD microarchitecture
-does not allow memory references, including speculative references, that
-access higher privileged data when running in a lesser privileged mode
-when that access would result in a page fault.
-
-Disable page table isolation by default on AMD processors by not setting
-the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
-is set.
-
-Signed-off-by: Tom Lendacky <thomas.lendacky@×××.com>
-Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
-Reviewed-by: Borislav Petkov <bp@××××.de>
-Cc: Dave Hansen <dave.hansen@×××××××××××.com>
-Cc: Andy Lutomirski <luto@××××××.org>
-Cc: stable@×××××××××××.org
-Link: https://lkml.kernel.org/r/20171227054354.20369.94587.stgit@×××××××××××××××××××××.net
----
- arch/x86/kernel/cpu/common.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index f2a94df..b1be494 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
-
- setup_force_cpu_cap(X86_FEATURE_ALWAYS);
-
-- /* Assume for now that ALL x86 CPUs are insecure */
-- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
-+ if (c->x86_vendor != X86_VENDOR_AMD)
-+ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
-
- fpu__init_system(c);
-
---
-cgit v1.1
-

diff --git a/1700_x86-page-table-isolation-fixes.patch b/1700_x86-page-table-isolation-fixes.patch
new file mode 100644
index 0000000..6fcbf41
--- /dev/null
+++ b/1700_x86-page-table-isolation-fixes.patch
@@ -0,0 +1,453 @@
+From 87faa0d9b43b4755ff6963a22d1fd1bee1aa3b39 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@××××××××××.de>
+Date: Wed, 3 Jan 2018 15:18:44 +0100
+Subject: [PATCH 1/7] x86/pti: Enable PTI by default
+
+This really wants to be enabled by default. Users who know what they are
+doing can disable it either in the config or on the kernel command line.
+
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Cc: stable@×××××××××××.org
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index a623d13bf2884..3d4debd0257e2 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -56,6 +56,7 @@ config SECURITY_NETWORK
+
+ config PAGE_TABLE_ISOLATION
+ bool "Remove the kernel mapping in user mode"
++ default y
+ depends on X86_64 && !UML
+ help
+ This feature reduces the number of hardware side channels by
+
+From 694d99d40972f12e59a3696effee8a376b79d7c8 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@×××.com>
+Date: Tue, 26 Dec 2017 23:43:54 -0600
+Subject: [PATCH 2/7] x86/cpu, x86/pti: Do not enable PTI on AMD processors
+
+AMD processors are not subject to the types of attacks that the kernel
+page table isolation feature protects against. The AMD microarchitecture
+does not allow memory references, including speculative references, that
+access higher privileged data when running in a lesser privileged mode
+when that access would result in a page fault.
+
+Disable page table isolation by default on AMD processors by not setting
+the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
+is set.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@×××.com>
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Reviewed-by: Borislav Petkov <bp@××××.de>
+Cc: Dave Hansen <dave.hansen@×××××××××××.com>
+Cc: Andy Lutomirski <luto@××××××.org>
+Cc: stable@×××××××××××.org
+Link: https://lkml.kernel.org/r/20171227054354.20369.94587.stgit@×××××××××××××××××××××.net
+---
+ arch/x86/kernel/cpu/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index f2a94dfb434e9..b1be494ab4e8b 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+
+ setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+
+- /* Assume for now that ALL x86 CPUs are insecure */
+- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++ if (c->x86_vendor != X86_VENDOR_AMD)
++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+
+ fpu__init_system(c);
+
+
+From 52994c256df36fda9a715697431cba9daecb6b11 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@××××××××××.de>
+Date: Wed, 3 Jan 2018 15:57:59 +0100
+Subject: [PATCH 3/7] x86/pti: Make sure the user/kernel PTEs match
+
+Meelis reported that his K8 Athlon64 emits MCE warnings when PTI is
+enabled:
+
+[Hardware Error]: Error Addr: 0x0000ffff81e000e0
+[Hardware Error]: MC1 Error: L1 TLB multimatch.
+[Hardware Error]: cache level: L1, tx: INSN
+
+The address is in the entry area, which is mapped into kernel _AND_ user
+space. That's special because we switch CR3 while we are executing
+there.
+
+User mapping:
+0xffffffff81e00000-0xffffffff82000000 2M ro PSE GLB x pmd
+
+Kernel mapping:
+0xffffffff81000000-0xffffffff82000000 16M ro PSE x pmd
+
+So the K8 is complaining that the TLB entries differ. They differ in the
+GLB bit.
+
+Drop the GLB bit when installing the user shared mapping.
+
+Fixes: 6dc72c3cbca0 ("x86/mm/pti: Share entry text PMD")
+Reported-by: Meelis Roos <mroos@×××××.ee>
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Tested-by: Meelis Roos <mroos@×××××.ee>
+Cc: Borislav Petkov <bp@××××××.de>
+Cc: Tom Lendacky <thomas.lendacky@×××.com>
+Cc: stable@×××××××××××.org
+Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801031407180.1957@nanos
+---
+ arch/x86/mm/pti.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
+index bce8aea656062..2da28ba975082 100644
+--- a/arch/x86/mm/pti.c
++++ b/arch/x86/mm/pti.c
+@@ -367,7 +367,8 @@ static void __init pti_setup_espfix64(void)
+ static void __init pti_clone_entry_text(void)
+ {
+ pti_clone_pmds((unsigned long) __entry_text_start,
+- (unsigned long) __irqentry_text_end, _PAGE_RW);
++ (unsigned long) __irqentry_text_end,
++ _PAGE_RW | _PAGE_GLOBAL);
+ }
+
+ /*
+
+From a9cdbe72c4e8bf3b38781c317a79326e2e1a230d Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@××××××.com>
+Date: Sun, 31 Dec 2017 10:18:06 -0600
+Subject: [PATCH 4/7] x86/dumpstack: Fix partial register dumps
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The show_regs_safe() logic is wrong. When there's an iret stack frame,
+it prints the entire pt_regs -- most of which is random stack data --
+instead of just the five registers at the end.
+
+show_regs_safe() is also poorly named: the on_stack() checks aren't for
+safety. Rename the function to show_regs_if_on_stack() and add a
+comment to explain why the checks are needed.
+
+These issues were introduced with the "partial register dump" feature of
+the following commit:
+
+ b02fcf9ba121 ("x86/unwinder: Handle stack overflows more gracefully")
+
+That patch had gone through a few iterations of development, and the
+above issues were artifacts from a previous iteration of the patch where
+'regs' pointed directly to the iret frame rather than to the (partially
+empty) pt_regs.
+
+Tested-by: Alexander Tsoy <alexander@××××.me>
+Signed-off-by: Josh Poimboeuf <jpoimboe@××××××.com>
+Cc: Andy Lutomirski <luto@××××××.org>
+Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
+Cc: Peter Zijlstra <peterz@×××××××××.org>
+Cc: Thomas Gleixner <tglx@××××××××××.de>
+Cc: Toralf Förster <toralf.foerster@×××.de>
+Cc: stable@×××××××××××.org
+Fixes: b02fcf9ba121 ("x86/unwinder: Handle stack overflows more gracefully")
+Link: http://lkml.kernel.org/r/5b05b8b344f59db2d3d50dbdeba92d60f2304c54.1514736742.git.jpoimboe@××××××.com
+Signed-off-by: Ingo Molnar <mingo@××××××.org>
+---
+ arch/x86/include/asm/unwind.h | 17 +++++++++++++----
+ arch/x86/kernel/dumpstack.c | 28 ++++++++++++++++++++--------
+ arch/x86/kernel/stacktrace.c | 2 +-
+ 3 files changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/include/asm/unwind.h b/arch/x86/include/asm/unwind.h
+index c1688c2d0a128..1f86e1b0a5cdc 100644
+--- a/arch/x86/include/asm/unwind.h
++++ b/arch/x86/include/asm/unwind.h
+@@ -56,18 +56,27 @@ void unwind_start(struct unwind_state *state, struct task_struct *task,
+
+ #if defined(CONFIG_UNWINDER_ORC) || defined(CONFIG_UNWINDER_FRAME_POINTER)
+ /*
+- * WARNING: The entire pt_regs may not be safe to dereference. In some cases,
+- * only the iret frame registers are accessible. Use with caution!
++ * If 'partial' returns true, only the iret frame registers are valid.
+ */
+-static inline struct pt_regs *unwind_get_entry_regs(struct unwind_state *state)
++static inline struct pt_regs *unwind_get_entry_regs(struct unwind_state *state,
++ bool *partial)
+ {
+ if (unwind_done(state))
+ return NULL;
+
++ if (partial) {
++#ifdef CONFIG_UNWINDER_ORC
++ *partial = !state->full_regs;
++#else
++ *partial = false;
++#endif
++ }
++
+ return state->regs;
+ }
+ #else
+-static inline struct pt_regs *unwind_get_entry_regs(struct unwind_state *state)
++static inline struct pt_regs *unwind_get_entry_regs(struct unwind_state *state,
++ bool *partial)
+ {
+ return NULL;
+ }
+diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
+index 5fa110699ed27..d0bb176a7261a 100644
+--- a/arch/x86/kernel/dumpstack.c
++++ b/arch/x86/kernel/dumpstack.c
+@@ -76,12 +76,23 @@ void show_iret_regs(struct pt_regs *regs)
+ regs->sp, regs->flags);
+ }
+
+-static void show_regs_safe(struct stack_info *info, struct pt_regs *regs)
++static void show_regs_if_on_stack(struct stack_info *info, struct pt_regs *regs,
++ bool partial)
+ {
+- if (on_stack(info, regs, sizeof(*regs)))
++ /*
++ * These on_stack() checks aren't strictly necessary: the unwind code
++ * has already validated the 'regs' pointer. The checks are done for
++ * ordering reasons: if the registers are on the next stack, we don't
++ * want to print them out yet. Otherwise they'll be shown as part of
++ * the wrong stack. Later, when show_trace_log_lvl() switches to the
++ * next stack, this function will be called again with the same regs so
++ * they can be printed in the right context.
++ */
++ if (!partial && on_stack(info, regs, sizeof(*regs))) {
+ __show_regs(regs, 0);
+- else if (on_stack(info, (void *)regs + IRET_FRAME_OFFSET,
+- IRET_FRAME_SIZE)) {
++
++ } else if (partial && on_stack(info, (void *)regs + IRET_FRAME_OFFSET,
++ IRET_FRAME_SIZE)) {
+ /*
+ * When an interrupt or exception occurs in entry code, the
+ * full pt_regs might not have been saved yet. In that case
+@@ -98,6 +109,7 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ struct stack_info stack_info = {0};
+ unsigned long visit_mask = 0;
+ int graph_idx = 0;
++ bool partial;
+
+ printk("%sCall Trace:\n", log_lvl);
+
+@@ -140,7 +152,7 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ printk("%s <%s>\n", log_lvl, stack_name);
+
+ if (regs)
+- show_regs_safe(&stack_info, regs);
++ show_regs_if_on_stack(&stack_info, regs, partial);
+
+ /*
+ * Scan the stack, printing any text addresses we find. At the
+@@ -164,7 +176,7 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+
+ /*
+ * Don't print regs->ip again if it was already printed
+- * by show_regs_safe() below.
++ * by show_regs_if_on_stack().
+ */
+ if (regs && stack == &regs->ip)
+ goto next;
+@@ -199,9 +211,9 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ unwind_next_frame(&state);
+
+ /* if the frame has entry regs, print them */
+- regs = unwind_get_entry_regs(&state);
++ regs = unwind_get_entry_regs(&state, &partial);
+ if (regs)
+- show_regs_safe(&stack_info, regs);
++ show_regs_if_on_stack(&stack_info, regs, partial);
+ }
+
+ if (stack_name)
+diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c
+index 8dabd7bf16730..60244bfaf88f6 100644
+--- a/arch/x86/kernel/stacktrace.c
++++ b/arch/x86/kernel/stacktrace.c
+@@ -98,7 +98,7 @@ static int __save_stack_trace_reliable(struct stack_trace *trace,
+ for (unwind_start(&state, task, NULL, NULL); !unwind_done(&state);
+ unwind_next_frame(&state)) {
+
+- regs = unwind_get_entry_regs(&state);
++ regs = unwind_get_entry_regs(&state, NULL);
+ if (regs) {
+ /*
+ * Kernel mode registers on the stack indicate an
+
+From 3ffdeb1a02be3086f1411a15c5b9c481fa28e21f Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@××××××.com>
+Date: Sun, 31 Dec 2017 10:18:07 -0600
+Subject: [PATCH 5/7] x86/dumpstack: Print registers for first stack frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In the stack dump code, if the frame after the starting pt_regs is also
+a regs frame, the registers don't get printed. Fix that.
+
+Reported-by: Andy Lutomirski <luto@××××××××××.net>
+Tested-by: Alexander Tsoy <alexander@××××.me>
+Signed-off-by: Josh Poimboeuf <jpoimboe@××××××.com>
+Cc: Andy Lutomirski <luto@××××××.org>
+Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
+Cc: Peter Zijlstra <peterz@×××××××××.org>
+Cc: Thomas Gleixner <tglx@××××××××××.de>
+Cc: Toralf Förster <toralf.foerster@×××.de>
+Cc: stable@×××××××××××.org
+Fixes: 3b3fa11bc700 ("x86/dumpstack: Print any pt_regs found on the stack")
+Link: http://lkml.kernel.org/r/396f84491d2f0ef64eda4217a2165f5712f6a115.1514736742.git.jpoimboe@××××××.com
+Signed-off-by: Ingo Molnar <mingo@××××××.org>
+---
+ arch/x86/kernel/dumpstack.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
+index d0bb176a7261a..afbecff161d16 100644
+--- a/arch/x86/kernel/dumpstack.c
++++ b/arch/x86/kernel/dumpstack.c
+@@ -115,6 +115,7 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+
+ unwind_start(&state, task, regs, stack);
+ stack = stack ? : get_stack_pointer(task, regs);
++ regs = unwind_get_entry_regs(&state, &partial);
+
+ /*
+ * Iterate through the stacks, starting with the current stack pointer.
+@@ -132,7 +133,7 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ * - hardirq stack
+ * - entry stack
+ */
+- for (regs = NULL; stack; stack = PTR_ALIGN(stack_info.next_sp, sizeof(long))) {
++ for ( ; stack; stack = PTR_ALIGN(stack_info.next_sp, sizeof(long))) {
+ const char *stack_name;
+
+ if (get_stack_info(stack, task, &stack_info, &visit_mask)) {
+
+From d7732ba55c4b6a2da339bb12589c515830cfac2c Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@××××××××××.de>
+Date: Wed, 3 Jan 2018 19:52:04 +0100
+Subject: [PATCH 6/7] x86/pti: Switch to kernel CR3 at early in
+ entry_SYSCALL_compat()
+
+The preparation for PTI which added CR3 switching to the entry code
+misplaced the CR3 switch in entry_SYSCALL_compat().
+
+With PTI enabled the entry code tries to access a per cpu variable after
+switching to kernel GS. This fails because that variable is not mapped to
+user space. This results in a double fault and in the worst case a kernel
+crash.
+
+Move the switch ahead of the access and clobber RSP which has been saved
+already.
+
+Fixes: 8a09317b895f ("x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3 switching")
+Reported-by: Lars Wendler <wendler.lars@×××.de>
+Reported-by: Laura Abbott <labbott@××××××.com>
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Cc: Borislav Betkov <bp@××××××.de>
+Cc: Andy Lutomirski <luto@××××××.org>,
+Cc: Dave Hansen <dave.hansen@×××××××××××.com>,
+Cc: Peter Zijlstra <peterz@×××××××××.org>,
+Cc: Greg KH <gregkh@×××××××××××××××.org>, ,
+Cc: Boris Ostrovsky <boris.ostrovsky@××××××.com>,
+Cc: Juergen Gross <jgross@××××.com>
+Cc: stable@×××××××××××.org
+Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801031949200.1957@nanos
+---
+ arch/x86/entry/entry_64_compat.S | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
+index 40f17009ec20c..98d5358e4041a 100644
+--- a/arch/x86/entry/entry_64_compat.S
++++ b/arch/x86/entry/entry_64_compat.S
+@@ -190,8 +190,13 @@ ENTRY(entry_SYSCALL_compat)
+ /* Interrupts are off on entry. */
+ swapgs
+
+- /* Stash user ESP and switch to the kernel stack. */
++ /* Stash user ESP */
+ movl %esp, %r8d
++
++ /* Use %rsp as scratch reg. User ESP is stashed in r8 */
++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
++
++ /* Switch to the kernel stack */
+ movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
+
+ /* Construct struct pt_regs on stack */
+@@ -219,12 +224,6 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
+ pushq $0 /* pt_regs->r14 = 0 */
+ pushq $0 /* pt_regs->r15 = 0 */
+
+- /*
+- * We just saved %rdi so it is safe to clobber. It is not
+- * preserved during the C calls inside TRACE_IRQS_OFF anyway.
+- */
+- SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
+-
+ /*
+ * User mode is traced as though IRQs are on, and SYSENTER
+ * turned them off.
+
+From 2fd9c41aea47f4ad071accf94b94f94f2c4d31eb Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers <ndesaulniers@××××××.com>
+Date: Wed, 3 Jan 2018 12:39:52 -0800
+Subject: [PATCH 7/7] x86/process: Define cpu_tss_rw in same section as
+ declaration
+
+cpu_tss_rw is declared with DECLARE_PER_CPU_PAGE_ALIGNED
+but then defined with DEFINE_PER_CPU_SHARED_ALIGNED
+leading to section mismatch warnings.
+
+Use DEFINE_PER_CPU_PAGE_ALIGNED consistently. This is necessary because
+it's mapped to the cpu entry area and must be page aligned.
+
+[ tglx: Massaged changelog a bit ]
+
+Fixes: 1a935bc3d4ea ("x86/entry: Move SYSENTER_stack to the beginning of struct tss_struct")
+Suggested-by: Thomas Gleixner <tglx@××××××××××.de>
+Signed-off-by: Nick Desaulniers <ndesaulniers@××××××.com>
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Cc: thomas.lendacky@×××.com
+Cc: Borislav Petkov <bpetkov@××××.de>
+Cc: tklauser@×××××××.ch
+Cc: minipli@××××××××××.com
+Cc: me@××××××××.com
+Cc: namit@××××××.com
+Cc: luto@××××××.org
+Cc: jpoimboe@××××××.com
+Cc: tj@××××××.org
+Cc: cl@×××××.com
+Cc: bp@××××.de
+Cc: thgarnie@××××××.com
+Cc: kirill.shutemov@×××××××××××.com
+Cc: stable@×××××××××××.org
+Link: https://lkml.kernel.org/r/20180103203954.183360-1-ndesaulniers@××××××.com
+---
+ arch/x86/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 5174159784093..3cb2486c47e48 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -47,7 +47,7 @@
+ * section. Since TSS's are completely CPU-local, we want them
+ * on exact cacheline boundaries, to eliminate cacheline ping-pong.
+ */
+-__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss_rw) = {
++__visible DEFINE_PER_CPU_PAGE_ALIGNED(struct tss_struct, cpu_tss_rw) = {
+ .x86_tss = {
+ /*
+ * .sp0 is only used when entering ring 0 from a lower
diff --git a/1701_make_sure_the_user_kernel_PTEs_match.patch b/1701_make_sure_the_user_kernel_PTEs_match.patch
deleted file mode 100644
index 601940b..0000000
--- a/1701_make_sure_the_user_kernel_PTEs_match.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 52994c256df36fda9a715697431cba9daecb6b11 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@××××××××××.de>
-Date: Wed, 3 Jan 2018 15:57:59 +0100
-Subject: x86/pti: Make sure the user/kernel PTEs match
-
-Meelis reported that his K8 Athlon64 emits MCE warnings when PTI is
-enabled:
-
-[Hardware Error]: Error Addr: 0x0000ffff81e000e0
-[Hardware Error]: MC1 Error: L1 TLB multimatch.
-[Hardware Error]: cache level: L1, tx: INSN
-
-The address is in the entry area, which is mapped into kernel _AND_ user
-space. That's special because we switch CR3 while we are executing
-there.
-
-User mapping:
-0xffffffff81e00000-0xffffffff82000000 2M ro PSE GLB x pmd
-
-Kernel mapping:
-0xffffffff81000000-0xffffffff82000000 16M ro PSE x pmd
-
-So the K8 is complaining that the TLB entries differ. They differ in the
-GLB bit.
-
-Drop the GLB bit when installing the user shared mapping.
-
-Fixes: 6dc72c3cbca0 ("x86/mm/pti: Share entry text PMD")
-Reported-by: Meelis Roos <mroos@×××××.ee>
-Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
-Tested-by: Meelis Roos <mroos@×××××.ee>
-Cc: Borislav Petkov <bp@××××××.de>
-Cc: Tom Lendacky <thomas.lendacky@×××.com>
-Cc: stable@×××××××××××.org
-Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801031407180.1957@nanos
----
- arch/x86/mm/pti.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
-index bce8aea..2da28ba 100644
---- a/arch/x86/mm/pti.c
-+++ b/arch/x86/mm/pti.c
-@@ -367,7 +367,8 @@ static void __init pti_setup_espfix64(void)
- static void __init pti_clone_entry_text(void)
- {
- pti_clone_pmds((unsigned long) __entry_text_start,
-- (unsigned long) __irqentry_text_end, _PAGE_RW);
-+ (unsigned long) __irqentry_text_end,
-+ _PAGE_RW | _PAGE_GLOBAL);
- }
-
- /*
---
-cgit v1.1
-

diff --git a/1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch b/1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch
deleted file mode 100644
index 12d9555..0000000
--- a/1702_switch_to_kernel_CR3_at_early_in_entry_SYSCALL_compat.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From d7732ba55c4b6a2da339bb12589c515830cfac2c Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@××××××××××.de>
-Date: Wed, 3 Jan 2018 19:52:04 +0100
-Subject: x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()
-
-The preparation for PTI which added CR3 switching to the entry code
-misplaced the CR3 switch in entry_SYSCALL_compat().
-
-With PTI enabled the entry code tries to access a per cpu variable after
-switching to kernel GS. This fails because that variable is not mapped to
-user space. This results in a double fault and in the worst case a kernel
-crash.
-
-Move the switch ahead of the access and clobber RSP which has been saved
-already.
-
-Fixes: 8a09317b895f ("x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3 switching")
-Reported-by: Lars Wendler <wendler.lars@×××.de>
-Reported-by: Laura Abbott <labbott@××××××.com>
-Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
-Cc: Borislav Betkov <bp@××××××.de>
-Cc: Andy Lutomirski <luto@××××××.org>,
-Cc: Dave Hansen <dave.hansen@×××××××××××.com>,
-Cc: Peter Zijlstra <peterz@×××××××××.org>,
-Cc: Greg KH <gregkh@×××××××××××××××.org>, ,
-Cc: Boris Ostrovsky <boris.ostrovsky@××××××.com>,
-Cc: Juergen Gross <jgross@××××.com>
-Cc: stable@×××××××××××.org
-Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801031949200.1957@nanos
----
- arch/x86/entry/entry_64_compat.S | 13 ++++++-------
- 1 file changed, 6 insertions(+), 7 deletions(-)
-
-diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
-index 40f1700..98d5358 100644
---- a/arch/x86/entry/entry_64_compat.S
-+++ b/arch/x86/entry/entry_64_compat.S
-@@ -190,8 +190,13 @@ ENTRY(entry_SYSCALL_compat)
- /* Interrupts are off on entry. */
- swapgs
-
-- /* Stash user ESP and switch to the kernel stack. */
-+ /* Stash user ESP */
- movl %esp, %r8d
-+
-+ /* Use %rsp as scratch reg. User ESP is stashed in r8 */
-+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
-+
-+ /* Switch to the kernel stack */
- movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
-
- /* Construct struct pt_regs on stack */
-@@ -220,12 +225,6 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
- pushq $0 /* pt_regs->r15 = 0 */
-
- /*
-- * We just saved %rdi so it is safe to clobber. It is not
-- * preserved during the C calls inside TRACE_IRQS_OFF anyway.
-- */
-- SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
--
-- /*
- * User mode is traced as though IRQs are on, and SYSENTER
- * turned them off.
- */
---
-cgit v1.1
-