LKML Archive on lore.kernel.org
* [PATCH 0/3] PTI x86-32 Updates and Fixes
@ 2018-07-25 15:48 Joerg Roedel
  2018-07-25 15:48 ` [PATCH 1/3] x86/mm: Remove in_nmi() warning from vmalloc_fault() Joerg Roedel
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Joerg Roedel @ 2018-07-25 15:48 UTC (permalink / raw)
  To: Thomas Gleixner, Ingo Molnar, H . Peter Anvin
  Cc: x86, linux-kernel, linux-mm, Linus Torvalds, Andy Lutomirski,
	Dave Hansen, Josh Poimboeuf, Juergen Gross, Peter Zijlstra,
	Borislav Petkov, Jiri Kosina, Boris Ostrovsky, Brian Gerst,
	David Laight, Denys Vlasenko, Eduardo Valentin, Greg KH,
	Will Deacon, aliguori, daniel.gruss, hughd, keescook,
	Andrea Arcangeli, Waiman Long, Pavel Machek,
	David H . Gutteridge, jroedel, Arnaldo Carvalho de Melo,
	Alexander Shishkin, Jiri Olsa, Namhyung Kim, joro

Hi,

here are three patches on top of tip/x86/pti to update the
vmalloc_fault() fix and also with another important fix.

The first two patches remove the WARN_ON_ONCE(in_nmi) from
the vmalloc_fault() function and revert the previous fix, as
discussed at the last patch-set.

The third patch is an important fix for a silent memory
corruption issue found by the trinity fuzzer, which did take
a while to track down. But I found it and with the fix the
fuzzer already runs for a couple of hours now and the VM is
still alive.

Regards,

	Joerg

Joerg Roedel (3):
  x86/mm: Remove in_nmi() warning from vmalloc_fault()
  Revert "perf/core: Make sure the ring-buffer is mapped in all
    page-tables"
  x86/kexec: Allocate 8k PGDs for PTI

 arch/x86/kernel/machine_kexec_32.c |  5 +++--
 arch/x86/mm/fault.c                |  2 --
 kernel/events/ring_buffer.c        | 16 ----------------
 3 files changed, 3 insertions(+), 20 deletions(-)

-- 
2.7.4



* [PATCH 1/3] x86/mm: Remove in_nmi() warning from vmalloc_fault()
  2018-07-25 15:48 [PATCH 0/3] PTI x86-32 Updates and Fixes Joerg Roedel
@ 2018-07-25 15:48 ` Joerg Roedel
  2018-07-30 11:57   ` [tip:x86/pti] " tip-bot for Joerg Roedel
  2018-07-25 15:48 ` [PATCH 2/3] Revert "perf/core: Make sure the ring-buffer is mapped in all page-tables" Joerg Roedel
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 8+ messages in thread
From: Joerg Roedel @ 2018-07-25 15:48 UTC (permalink / raw)
  To: Thomas Gleixner, Ingo Molnar, H . Peter Anvin
  Cc: x86, linux-kernel, linux-mm, Linus Torvalds, Andy Lutomirski,
	Dave Hansen, Josh Poimboeuf, Juergen Gross, Peter Zijlstra,
	Borislav Petkov, Jiri Kosina, Boris Ostrovsky, Brian Gerst,
	David Laight, Denys Vlasenko, Eduardo Valentin, Greg KH,
	Will Deacon, aliguori, daniel.gruss, hughd, keescook,
	Andrea Arcangeli, Waiman Long, Pavel Machek,
	David H . Gutteridge, jroedel, Arnaldo Carvalho de Melo,
	Alexander Shishkin, Jiri Olsa, Namhyung Kim, joro

From: Joerg Roedel <jroedel@suse.de>

It is perfectly okay to take page-faults, especially on the
vmalloc area while executing an NMI handler. Remove the
warning.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
---
 arch/x86/mm/fault.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 2aafa6a..db1c042 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -317,8 +317,6 @@ static noinline int vmalloc_fault(unsigned long address)
 	if (!(address >= VMALLOC_START && address < VMALLOC_END))
 		return -1;
 
-	WARN_ON_ONCE(in_nmi());
-
 	/*
 	 * Synchronize this task's top level page-table
 	 * with the 'reference' page table.
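Review bot: the commit message asserts that faulting on the vmalloc area from an NMI handler is safe but gives no reason, and this hunk removes the only guard that would catch it. Please state in the commit message why the path is NMI-safe (per the comment directly below the removed line, vmalloc_fault() here only synchronizes this task's top-level page-table entry with the reference page table), otherwise a later reader is likely to re-add WARN_ON_ONCE(in_nmi()). The removal itself is fine.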
-- 
2.7.4



* [PATCH 2/3] Revert "perf/core: Make sure the ring-buffer is mapped in all page-tables"
  2018-07-25 15:48 [PATCH 0/3] PTI x86-32 Updates and Fixes Joerg Roedel
  2018-07-25 15:48 ` [PATCH 1/3] x86/mm: Remove in_nmi() warning from vmalloc_fault() Joerg Roedel
@ 2018-07-25 15:48 ` Joerg Roedel
  2018-07-30 11:58   ` [tip:x86/pti] " tip-bot for Joerg Roedel
  2018-07-25 15:48 ` [PATCH 3/3] x86/kexec: Allocate 8k PGDs for PTI Joerg Roedel
  2018-07-30  7:08 ` [PATCH 0/3] PTI x86-32 Updates and Fixes David H. Gutteridge
  3 siblings, 1 reply; 8+ messages in thread
From: Joerg Roedel @ 2018-07-25 15:48 UTC (permalink / raw)
  To: Thomas Gleixner, Ingo Molnar, H . Peter Anvin
  Cc: x86, linux-kernel, linux-mm, Linus Torvalds, Andy Lutomirski,
	Dave Hansen, Josh Poimboeuf, Juergen Gross, Peter Zijlstra,
	Borislav Petkov, Jiri Kosina, Boris Ostrovsky, Brian Gerst,
	David Laight, Denys Vlasenko, Eduardo Valentin, Greg KH,
	Will Deacon, aliguori, daniel.gruss, hughd, keescook,
	Andrea Arcangeli, Waiman Long, Pavel Machek,
	David H . Gutteridge, jroedel, Arnaldo Carvalho de Melo,
	Alexander Shishkin, Jiri Olsa, Namhyung Kim, joro

From: Joerg Roedel <jroedel@suse.de>

This reverts commit 77754cfa09a6c528c38cbca9ee4cc4f7cf6ad6f2.

The patch was necessary to silence a WARN_ON_ONCE(in_nmi())
that triggered in the vmalloc_fault() function when PTI was
enabled on x86-32.

Faulting in an NMI handler turned out to be safe and the
warning in vmalloc_fault() is gone now. So the above patch
can be reverted.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
---
 kernel/events/ring_buffer.c | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
index df2d8cf..5d3cf40 100644
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -814,13 +814,6 @@ static void rb_free_work(struct work_struct *work)
 
 	vfree(base);
 	kfree(rb);
-
-	/*
-	 * FIXME: PAE workaround for vmalloc_fault(): Make sure buffer is
-	 * unmapped in all page-tables.
-	 */
-	if (IS_ENABLED(CONFIG_X86_PAE))
-		vmalloc_sync_all();
 }
 
 void rb_free(struct ring_buffer *rb)
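Review bot: this revert is only correct once patch 1/3 (dropping WARN_ON_ONCE(in_nmi()) from vmalloc_fault()) is in, yet the commit message says only that "the warning in vmalloc_fault() is gone now" without naming that commit. Please reference it explicitly, so the revert cannot be picked into a tree that still has the warning; after this hunk a freed perf ring-buffer is no longer force-unmapped from all page-tables, which is exactly what the removed FIXME was guarding. The removed block matches the reverted commit's addition line for line.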
@@ -847,15 +840,6 @@ struct ring_buffer *rb_alloc(int nr_pages, long watermark, int cpu, int flags)
 	if (!all_buf)
 		goto fail_all_buf;
 
-	/*
-	 * FIXME: PAE workaround for vmalloc_fault(): The buffer is
-	 * accessed in NMI handlers, make sure it is mapped in all
-	 * page-tables in the system so that we don't fault on the range in
-	 * an NMI handler.
-	 */
-	if (IS_ENABLED(CONFIG_X86_PAE))
-		vmalloc_sync_all();
-
 	rb->user_page = all_buf;
 	rb->data_pages[0] = all_buf + PAGE_SIZE;
 	if (nr_pages) {
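Review bot: the removed FIXME recorded that this buffer is touched from NMI handlers and that the vmalloc_sync_all() call existed "so that we don't fault on the range in an NMI handler"; with it gone, the first NMI touching a freshly vmalloc'd buffer on x86-32 PAE will take that fault, which is the case patch 1/3 declares safe. Suggest keeping one line of that knowledge without the CONFIG_X86_PAE special case, e.g. a comment at rb->user_page = all_buf noting that NMI-context faults on this vmalloc range are expected and handled by vmalloc_fault().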
-- 
2.7.4



* [PATCH 3/3] x86/kexec: Allocate 8k PGDs for PTI
  2018-07-25 15:48 [PATCH 0/3] PTI x86-32 Updates and Fixes Joerg Roedel
  2018-07-25 15:48 ` [PATCH 1/3] x86/mm: Remove in_nmi() warning from vmalloc_fault() Joerg Roedel
  2018-07-25 15:48 ` [PATCH 2/3] Revert "perf/core: Make sure the ring-buffer is mapped in all page-tables" Joerg Roedel
@ 2018-07-25 15:48 ` Joerg Roedel
  2018-07-30 11:58   ` [tip:x86/pti] " tip-bot for Joerg Roedel
  2018-07-30  7:08 ` [PATCH 0/3] PTI x86-32 Updates and Fixes David H. Gutteridge
  3 siblings, 1 reply; 8+ messages in thread
From: Joerg Roedel @ 2018-07-25 15:48 UTC (permalink / raw)
  To: Thomas Gleixner, Ingo Molnar, H . Peter Anvin
  Cc: x86, linux-kernel, linux-mm, Linus Torvalds, Andy Lutomirski,
	Dave Hansen, Josh Poimboeuf, Juergen Gross, Peter Zijlstra,
	Borislav Petkov, Jiri Kosina, Boris Ostrovsky, Brian Gerst,
	David Laight, Denys Vlasenko, Eduardo Valentin, Greg KH,
	Will Deacon, aliguori, daniel.gruss, hughd, keescook,
	Andrea Arcangeli, Waiman Long, Pavel Machek,
	David H . Gutteridge, jroedel, Arnaldo Carvalho de Melo,
	Alexander Shishkin, Jiri Olsa, Namhyung Kim, joro

From: Joerg Roedel <jroedel@suse.de>

Fuzzing the PTI-x86-32 code with trinity showed unhandled
kernel paging request oops-messages that looked a lot like
silent data corruption.

Lots of debugging and testing led to the kexec 32-bit code,
which is still allocating 4k PGDs when PTI is enabled. But
since it uses native_set_pud() to build the page-table, it
will inevitably call into __pti_set_user_pgtbl(), which
writes beyond the allocated 4k page.

Use PGD_ALLOCATION_ORDER to allocate PGDs in the kexec code
to fix the issue.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
---
 arch/x86/kernel/machine_kexec_32.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c
index d1ab07e..5409c28 100644
--- a/arch/x86/kernel/machine_kexec_32.c
+++ b/arch/x86/kernel/machine_kexec_32.c
@@ -56,7 +56,7 @@ static void load_segments(void)
 
 static void machine_kexec_free_page_tables(struct kimage *image)
 {
-	free_page((unsigned long)image->arch.pgd);
+	free_pages((unsigned long)image->arch.pgd, PGD_ALLOCATION_ORDER);
 	image->arch.pgd = NULL;
 #ifdef CONFIG_X86_PAE
 	free_page((unsigned long)image->arch.pmd0);
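Review bot: free_pages() with PGD_ALLOCATION_ORDER must stay in lockstep with the order used in machine_kexec_alloc_page_tables(); both sites now use the same macro, which is right, but nothing at either site says why the PGD is larger than one page. Suggest a short comment here or at the allocation, e.g. "/* PTI keeps the user-mode PGD in the page after the kernel PGD */", so a later cleanup does not shrink one side back to free_page(). The pmd0/pmd1 pages below correctly stay at order 0; the commit message identifies only the __pti_set_user_pgtbl() write into the PGD as the overflowing access.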
@@ -72,7 +72,8 @@ static void machine_kexec_free_page_tables(struct kimage *image)
 
 static int machine_kexec_alloc_page_tables(struct kimage *image)
 {
-	image->arch.pgd = (pgd_t *)get_zeroed_page(GFP_KERNEL);
+	image->arch.pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO,
+						    PGD_ALLOCATION_ORDER);
 #ifdef CONFIG_X86_PAE
 	image->arch.pmd0 = (pmd_t *)get_zeroed_page(GFP_KERNEL);
 	image->arch.pmd1 = (pmd_t *)get_zeroed_page(GFP_KERNEL);
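Review bot: __get_free_pages(GFP_KERNEL | __GFP_ZERO, PGD_ALLOCATION_ORDER) is the right replacement for get_zeroed_page() and keeps the zeroing, but the hunk shows no error check for the now order-1 allocation. Please confirm the existing NULL check for image->arch.pgd (outside this hunk) still covers it and that the failure path releases the PGD via machine_kexec_free_page_tables(), so the free order always matches the allocation order.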
-- 
2.7.4


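The failure mode described in the commit message above, as an added user-space model that is not part of the patch or of the kernel: PAGE_SIZE, PGD_ALLOCATION_ORDER, set_pgd(), kernel_to_user_pgdp() and pti_set_user_pgtbl() are simplified stand-ins for the kernel symbols of the same names, and the four-entry PAE PDPT is an assumption of the model. It allocates the PGD at order 0 (the pre-patch 4k page) and at PGD_ALLOCATION_ORDER (8k), mirrors each entry into the user-mode PGD the way PTI does, and counts how many mirror writes would land outside the allocation, refusing them instead of corrupting memory.

```c
/*
 * Added example (not kernel code): a user-space model of why a PTI-enabled
 * x86-32 kernel needs an order-1 (8k) PGD. Under PTI the user-mode copy of the
 * PGD lives in the page directly after the kernel PGD, so the PTI hook writes
 * at pgdp + PAGE_SIZE; with a 4k allocation that write is out of bounds.
 * Constants and names below mirror the kernel's but are assumptions of this model.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE            4096u
#define PGD_ALLOCATION_ORDER 1            /* PTI: kernel PGD + user PGD = 2 pages */
#define PGD_ALLOCATION_SIZE  (PAGE_SIZE << PGD_ALLOCATION_ORDER)
#define PDPT_ENTRIES         4            /* assumed: PAE top level has 4 entries */

typedef uint64_t pgd_t;                   /* PAE: 64-bit entries */

struct pgd_alloc {
    pgd_t  *pgd;        /* kernel PGD */
    size_t  size;       /* bytes actually allocated */
};

/* Model of get_zeroed_page() / __get_free_pages(GFP_KERNEL | __GFP_ZERO, order). */
static int alloc_pgd(struct pgd_alloc *a, unsigned int order)
{
    a->size = PAGE_SIZE << order;
    a->pgd = calloc(1, a->size);
    return a->pgd ? 0 : -1;
}

/* Model of kernel_to_user_pgdp(): the user PGD is the page after the kernel PGD. */
static pgd_t *kernel_to_user_pgdp(pgd_t *pgdp)
{
    return (pgd_t *)((uintptr_t)pgdp + PAGE_SIZE);
}

/*
 * Model of __pti_set_user_pgtbl(): mirror the entry into the user PGD.
 * Unlike the kernel, the model bounds-checks the write against the allocation
 * and refuses it instead of silently corrupting whatever follows the page.
 * Returns 0 on success, -1 if the write would be out of bounds.
 */
static int pti_set_user_pgtbl(const struct pgd_alloc *a, pgd_t *pgdp, pgd_t val)
{
    pgd_t *user = kernel_to_user_pgdp(pgdp);
    uintptr_t base = (uintptr_t)a->pgd;
    uintptr_t end  = base + a->size;

    if ((uintptr_t)user < base || (uintptr_t)user + sizeof(pgd_t) > end)
        return -1;                        /* would write beyond the allocation */
    *user = val;
    return 0;
}

/* Model of set_pgd() under PTI: write the kernel entry, then its user mirror. */
static int set_pgd(const struct pgd_alloc *a, unsigned int idx, pgd_t val)
{
    pgd_t *pgdp = &a->pgd[idx];

    *pgdp = val;
    return pti_set_user_pgtbl(a, pgdp, val);
}

/*
 * Build a PDPT-sized PGD at the given allocation order and return how many
 * user-PGD mirror writes fell outside the allocation (-1 on allocation failure).
 */
int build_pgd_count_oob(unsigned int order)
{
    struct pgd_alloc a;
    int oob = 0;

    if (alloc_pgd(&a, order))
        return -1;
    for (unsigned int i = 0; i < PDPT_ENTRIES; i++) {
        /* fake PMD physical address | _PAGE_PRESENT */
        pgd_t val = ((pgd_t)(i + 1) << 12) | 1;
        if (set_pgd(&a, i, val))
            oob++;
    }
    free(a.pgd);
    return oob;
}

int main(void)
{
    printf("order-0 (4k) PGD: %d out-of-bounds user-PGD writes\n",
           build_pgd_count_oob(0));
    printf("order-%d (8k) PGD: %d out-of-bounds user-PGD writes\n",
           PGD_ALLOCATION_ORDER, build_pgd_count_oob(PGD_ALLOCATION_ORDER));
    return 0;
}
```

With the 4k allocation every one of the four mirror writes lands past the end of the page; with the order-1 allocation all of them fall inside the second page, which is the whole effect of switching the kexec code to PGD_ALLOCATION_ORDER.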

* Re: [PATCH 0/3] PTI x86-32 Updates and Fixes
  2018-07-25 15:48 [PATCH 0/3] PTI x86-32 Updates and Fixes Joerg Roedel
                   ` (2 preceding siblings ...)
  2018-07-25 15:48 ` [PATCH 3/3] x86/kexec: Allocate 8k PGDs for PTI Joerg Roedel
@ 2018-07-30  7:08 ` David H. Gutteridge
  3 siblings, 0 replies; 8+ messages in thread
From: David H. Gutteridge @ 2018-07-30  7:08 UTC (permalink / raw)
  To: Joerg Roedel, Thomas Gleixner, Ingo Molnar, H . Peter Anvin
  Cc: x86, linux-kernel, linux-mm, Linus Torvalds, Andy Lutomirski,
	Dave Hansen, Josh Poimboeuf, Juergen Gross, Peter Zijlstra,
	Borislav Petkov, Jiri Kosina, Boris Ostrovsky, Brian Gerst,
	David Laight, Denys Vlasenko, Eduardo Valentin, Greg KH,
	Will Deacon, aliguori, daniel.gruss, hughd, keescook,
	Andrea Arcangeli, Waiman Long, Pavel Machek, jroedel,
	Arnaldo Carvalho de Melo, Alexander Shishkin, Jiri Olsa,
	Namhyung Kim

On Wed, 2018-07-25 at 17:48 +0200, Joerg Roedel wrote:
> Hi,
> 
> here are three patches on top of tip/x86/pti to update the
> vmalloc_fault() fix and also with another important fix.
> 
> The first two patches remove the WARN_ON_ONCE(in_nmi) from
> the vmalloc_fault() function and revert the previous fix, as
> discussed at the last patch-set.
> 
> The third patch is an important fix for a silent memory
> corruption issue found by the trinity fuzzer, which did take
> a while to track down. But I found it and with the fix the
> fuzzer already runs for a couple of hours now and the VM is
> still alive.
> 
> Regards,
> 
> 	Joerg
> 
> Joerg Roedel (3):
>   x86/mm: Remove in_nmi() warning from vmalloc_fault()
>   Revert "perf/core: Make sure the ring-buffer is mapped in all
>     page-tables"
>   x86/kexec: Allocate 8k PGDs for PTI
> 
>  arch/x86/kernel/machine_kexec_32.c |  5 +++--
>  arch/x86/mm/fault.c                |  2 --
>  kernel/events/ring_buffer.c        | 16 ----------------
>  3 files changed, 3 insertions(+), 20 deletions(-)

Hi Joerg,

I've found no significant issues in my testing of this patch set.
The only minor thing I noted is that in your previous "v8" patch set
([PATCH 38/39] x86/mm/pti: Add Warning when booting on a PCID capable
CPU), it reports the warning on non-PCID capable CPUs: I think you
intended a bitwise "&", not a logical "&&" in the if statement?

Tested-by: David H. Gutteridge <dhgutteridge@sympatico.ca>

Regards,

Dave




* [tip:x86/pti] x86/mm: Remove in_nmi() warning from vmalloc_fault()
  2018-07-25 15:48 ` [PATCH 1/3] x86/mm: Remove in_nmi() warning from vmalloc_fault() Joerg Roedel
@ 2018-07-30 11:57   ` " tip-bot for Joerg Roedel
  0 siblings, 0 replies; 8+ messages in thread
From: tip-bot for Joerg Roedel @ 2018-07-30 11:57 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: will.deacon, tglx, jroedel, gregkh, jkosina, linux-kernel,
	boris.ostrovsky, bp, namhyung, torvalds, hpa, dave.hansen,
	dhgutteridge, eduval, dvlasenk, alexander.shishkin, acme, jgross,
	llong, mingo, peterz, jpoimboe, aarcange, pavel, jolsa,
	David.Laight, brgerst, luto

Commit-ID:  6863ea0cda8725072522cd78bda332d9a0b73150
Gitweb:     https://git.kernel.org/tip/6863ea0cda8725072522cd78bda332d9a0b73150
Author:     Joerg Roedel <jroedel@suse.de>
AuthorDate: Wed, 25 Jul 2018 17:48:01 +0200
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Mon, 30 Jul 2018 13:53:48 +0200

x86/mm: Remove in_nmi() warning from vmalloc_fault()

It is perfectly okay to take page-faults, especially on the
vmalloc area while executing an NMI handler. Remove the
warning.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: David H. Gutteridge <dhgutteridge@sympatico.ca>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: linux-mm@kvack.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: daniel.gruss@iaik.tugraz.at
Cc: hughd@google.com
Cc: keescook@google.com
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Waiman Long <llong@redhat.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: joro@8bytes.org
Link: https://lkml.kernel.org/r/1532533683-5988-2-git-send-email-joro@8bytes.org

---
 arch/x86/mm/fault.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 2aafa6ab6103..db1c042e9853 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -317,8 +317,6 @@ static noinline int vmalloc_fault(unsigned long address)
 	if (!(address >= VMALLOC_START && address < VMALLOC_END))
 		return -1;
 
-	WARN_ON_ONCE(in_nmi());
-
 	/*
 	 * Synchronize this task's top level page-table
 	 * with the 'reference' page table.


* [tip:x86/pti] Revert "perf/core: Make sure the ring-buffer is mapped in all page-tables"
  2018-07-25 15:48 ` [PATCH 2/3] Revert "perf/core: Make sure the ring-buffer is mapped in all page-tables" Joerg Roedel
@ 2018-07-30 11:58   ` " tip-bot for Joerg Roedel
  0 siblings, 0 replies; 8+ messages in thread
From: tip-bot for Joerg Roedel @ 2018-07-30 11:58 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: dave.hansen, linux-kernel, aarcange, dhgutteridge, luto,
	David.Laight, peterz, namhyung, mingo, jroedel, jolsa, dvlasenk,
	brgerst, eduval, boris.ostrovsky, alexander.shishkin, llong,
	torvalds, pavel, tglx, gregkh, jgross, jkosina, jpoimboe, hpa,
	will.deacon, bp, acme

Commit-ID:  0e664eee65337082be49fbbd2ee24aa0d111d0f2
Gitweb:     https://git.kernel.org/tip/0e664eee65337082be49fbbd2ee24aa0d111d0f2
Author:     Joerg Roedel <jroedel@suse.de>
AuthorDate: Wed, 25 Jul 2018 17:48:02 +0200
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Mon, 30 Jul 2018 13:53:48 +0200

Revert "perf/core: Make sure the ring-buffer is mapped in all page-tables"

This reverts commit 77754cfa09a6c528c38cbca9ee4cc4f7cf6ad6f2.

The patch was necessary to silence a WARN_ON_ONCE(in_nmi())
that triggered in the vmalloc_fault() function when PTI was
enabled on x86-32.

Faulting in an NMI handler turned out to be safe and the
warning in vmalloc_fault() is gone now. So the above patch
can be reverted.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: David H. Gutteridge <dhgutteridge@sympatico.ca>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: linux-mm@kvack.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: daniel.gruss@iaik.tugraz.at
Cc: hughd@google.com
Cc: keescook@google.com
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Waiman Long <llong@redhat.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: joro@8bytes.org
Link: https://lkml.kernel.org/r/1532533683-5988-3-git-send-email-joro@8bytes.org

---
 kernel/events/ring_buffer.c | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
index df2d8cf0072c..5d3cf407e374 100644
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -814,13 +814,6 @@ static void rb_free_work(struct work_struct *work)
 
 	vfree(base);
 	kfree(rb);
-
-	/*
-	 * FIXME: PAE workaround for vmalloc_fault(): Make sure buffer is
-	 * unmapped in all page-tables.
-	 */
-	if (IS_ENABLED(CONFIG_X86_PAE))
-		vmalloc_sync_all();
 }
 
 void rb_free(struct ring_buffer *rb)
@@ -847,15 +840,6 @@ struct ring_buffer *rb_alloc(int nr_pages, long watermark, int cpu, int flags)
 	if (!all_buf)
 		goto fail_all_buf;
 
-	/*
-	 * FIXME: PAE workaround for vmalloc_fault(): The buffer is
-	 * accessed in NMI handlers, make sure it is mapped in all
-	 * page-tables in the system so that we don't fault on the range in
-	 * an NMI handler.
-	 */
-	if (IS_ENABLED(CONFIG_X86_PAE))
-		vmalloc_sync_all();
-
 	rb->user_page = all_buf;
 	rb->data_pages[0] = all_buf + PAGE_SIZE;
 	if (nr_pages) {


* [tip:x86/pti] x86/kexec: Allocate 8k PGDs for PTI
  2018-07-25 15:48 ` [PATCH 3/3] x86/kexec: Allocate 8k PGDs for PTI Joerg Roedel
@ 2018-07-30 11:58   ` " tip-bot for Joerg Roedel
  0 siblings, 0 replies; 8+ messages in thread
From: tip-bot for Joerg Roedel @ 2018-07-30 11:58 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: aarcange, boris.ostrovsky, llong, dave.hansen, namhyung,
	torvalds, eduval, bp, dhgutteridge, gregkh, acme, jolsa, jgross,
	tglx, mingo, alexander.shishkin, dvlasenk, jroedel, David.Laight,
	hpa, will.deacon, jpoimboe, luto, brgerst, linux-kernel, jkosina,
	pavel, peterz

Commit-ID:  ca38dc8f2724d101038b1205122c93a1c7f38f11
Gitweb:     https://git.kernel.org/tip/ca38dc8f2724d101038b1205122c93a1c7f38f11
Author:     Joerg Roedel <jroedel@suse.de>
AuthorDate: Wed, 25 Jul 2018 17:48:03 +0200
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Mon, 30 Jul 2018 13:53:48 +0200

x86/kexec: Allocate 8k PGDs for PTI

Fuzzing the PTI-x86-32 code with trinity showed unhandled
kernel paging request oops-messages that looked a lot like
silent data corruption.

Lots of debugging and testing led to the kexec 32-bit code,
which is still allocating 4k PGDs when PTI is enabled. But
since it uses native_set_pud() to build the page-table, it
will inevitably call into __pti_set_user_pgtbl(), which
writes beyond the allocated 4k page.

Use PGD_ALLOCATION_ORDER to allocate PGDs in the kexec code
to fix the issue.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: David H. Gutteridge <dhgutteridge@sympatico.ca>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: linux-mm@kvack.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: daniel.gruss@iaik.tugraz.at
Cc: hughd@google.com
Cc: keescook@google.com
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Waiman Long <llong@redhat.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: joro@8bytes.org
Link: https://lkml.kernel.org/r/1532533683-5988-4-git-send-email-joro@8bytes.org

---
 arch/x86/kernel/machine_kexec_32.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c
index d1ab07ec8c9a..5409c2800ab5 100644
--- a/arch/x86/kernel/machine_kexec_32.c
+++ b/arch/x86/kernel/machine_kexec_32.c
@@ -56,7 +56,7 @@ static void load_segments(void)
 
 static void machine_kexec_free_page_tables(struct kimage *image)
 {
-	free_page((unsigned long)image->arch.pgd);
+	free_pages((unsigned long)image->arch.pgd, PGD_ALLOCATION_ORDER);
 	image->arch.pgd = NULL;
 #ifdef CONFIG_X86_PAE
 	free_page((unsigned long)image->arch.pmd0);
@@ -72,7 +72,8 @@ static void machine_kexec_free_page_tables(struct kimage *image)
 
 static int machine_kexec_alloc_page_tables(struct kimage *image)
 {
-	image->arch.pgd = (pgd_t *)get_zeroed_page(GFP_KERNEL);
+	image->arch.pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO,
+						    PGD_ALLOCATION_ORDER);
 #ifdef CONFIG_X86_PAE
 	image->arch.pmd0 = (pmd_t *)get_zeroed_page(GFP_KERNEL);
 	image->arch.pmd1 = (pmd_t *)get_zeroed_page(GFP_KERNEL);

