Subject: [PATCH 0/5] x86/mm/pti: close two Meltdown leaks with Global kernel mapping
From: Dave Hansen
Date: Wed, 01 Aug 2018 11:00:58 -0700
To: linux-kernel@vger.kernel.org
Cc: Dave Hansen, keescook@google.com, tglx@linutronix.de, mingo@kernel.org, aarcange@redhat.com, jgross@suse.com, jpoimboe@redhat.com, gregkh@linuxfoundation.org, peterz@infradead.org, hughd@google.com, torvalds@linux-foundation.org, bp@alien8.de, luto@kernel.org, ak@linux.intel.com
Message-Id: <20180801180058.EC46D963@viggo.jf.intel.com>

This applies to 4.17 and 4.18.

Thanks to Hugh Dickins for initially finding the r/w kernel text issue and coming up with an initial fix. I found the "unused hole" part and came up with a different approach for fixing the mess.

--

Background:

Process Context IDentifiers (PCIDs) are a hardware feature that allows TLB entries to survive page table switches (CR3 writes). As an optimization, the PTI code currently allows the kernel image to be Global when running on hardware without PCIDs. This results in fewer TLB misses, especially upon entry. The downside is that these Global areas are theoretically susceptible to Meltdown. The logic is that there are no secrets in the kernel image, so why pay the cost of TLB misses.

Problem:

The current PTI code leaves the entire area of the kernel binary between '_text' and '_end' as Global (on non-PCID hardware). However, that range contains both read-write kernel data and two "unused" holes in addition to text. The areas which are not text or read-only might contain secrets once they are freed back into the allocator.

This issue affects systems which are susceptible to Meltdown, do not have PCIDs and which are using the default PTI_AUTO mode (no pti=on/off on the cmdline). PCIDs became generally available for servers in ~2010 (Westmere) and desktop (client) parts in roughly 2011 (Sandybridge). This is not expected to affect anything newer than that.

Solution:

The solution for the read-write area is to clear the global bit for the area (patch #1). The "unused" holes need a bit more work since we free them in a bit of an ad-hoc way, but we fix this up in patches 2-5.

Cc: Kees Cook
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Andrea Arcangeli
Cc: Juergen Gross
Cc: Josh Poimboeuf
Cc: Greg Kroah-Hartman
Cc: Peter Zijlstra
Cc: Hugh Dickins
Cc: Linus Torvalds
Cc: Borislav Petkov
Cc: Andy Lutomirski
Cc: Andi Kleen
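The cover letter names three conditions for a host to be exposed to the Global-mapping leak (Meltdown-susceptible CPU, no PCID, default PTI_AUTO mode). The following is an added example, not part of the patch series, that turns those conditions into a host check; it assumes the `flags` field of /proc/cpuinfo, /proc/cmdline and the sysfs meltdown vulnerability file as inputs, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the original series): classify a host against the
# three conditions in the cover letter. Inputs are passed as arguments so the
# logic can be exercised on constructed values; the *_live helper reads them
# from the running system.

# $1: CPU flags (the "flags" field of /proc/cpuinfo)
# $2: kernel command line (/proc/cmdline)
# $3: /sys/devices/system/cpu/vulnerabilities/meltdown contents
# Prints "exposed" or "not-exposed".
pti_global_exposure() {
    flags="$1"; cmdline="$2"; meltdown="$3"

    # A CPU the kernel reports as "Not affected" is not susceptible to Meltdown.
    case "$meltdown" in
        "Not affected"*) echo "not-exposed"; return 0 ;;
    esac

    # With PCIDs the kernel image is not mapped Global, so the leak does not apply.
    for f in $flags; do
        [ "$f" = "pcid" ] && { echo "not-exposed"; return 0; }
    done

    # Only the default PTI_AUTO mode (no explicit pti=on/off) is affected.
    for w in $cmdline; do
        case "$w" in
            pti=on|pti=off) echo "not-exposed"; return 0 ;;
        esac
    done

    echo "exposed"
}

# Read the real inputs; each read falls back to empty if the file is missing.
pti_global_exposure_live() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2 || true)
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    meltdown=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
    pti_global_exposure "$flags" "$cmdline" "$meltdown"
}

# Constructed sample: pre-Westmere-style flags (no pcid), default PTI, PTI mitigation on.
SAMPLE_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm"
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz-4.17.0 root=/dev/sda1 ro quiet"
SAMPLE_MELTDOWN="Mitigation: PTI"
pti_global_exposure "$SAMPLE_FLAGS" "$SAMPLE_CMDLINE" "$SAMPLE_MELTDOWN"   # prints "exposed"
```

Run `pti_global_exposure_live` on a host to classify it from its real /proc and sysfs values.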