From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andi Kleen, Thomas Gleixner, Josh Poimboeuf, Michal Hocko, Dave Hansen
Subject: [PATCH 4.18 05/79] x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT
Date: Tue, 14 Aug 2018 19:16:24 +0200
Message-Id: <20180814171337.001114399@linuxfoundation.org>
In-Reply-To: <20180814171336.799314117@linuxfoundation.org>

4.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andi Kleen

L1 Terminal Fault (L1TF) is a speculation related vulnerability. The CPU
speculates on PTE entries which do not have the PRESENT bit set, if the
content of the resulting physical address is available in the L1D cache.

The OS side mitigation makes sure that a !PRESENT PTE entry points to a
physical address outside the actually existing and cacheable memory
space. This is achieved by inverting the upper bits of the PTE. Due to the
address space limitations this only works for 64bit and 32bit PAE kernels,
but not for 32bit non PAE.

This mitigation applies to both host and guest kernels, but in case of a
64bit host (hypervisor) and a 32bit PAE guest, inverting the upper bits of
the PAE address space (44bit) is not enough if the host has more than 43
bits of populated memory address space, because the speculation treats the
PTE content as a physical host address bypassing EPT.

The host (hypervisor) protects itself against the guest by flushing L1D as
needed, but pages inside the guest are not protected against attacks from
other processes inside the same guest.

For the guest the inverted PTE mask has to match the host to provide the
full protection for all pages the host could possibly map into the guest.
The host's populated address space is not known to the guest, so the mask
must cover the possible maximal host address space, i.e. 52 bit.

On 32bit PAE the maximum PTE mask is currently set to 44 bit because that
is the limit imposed by 32bit unsigned long PFNs in the VMs. This limits
the mask to be below what the host could possibly use for physical pages.

The L1TF PROT_NONE protection code uses the PTE masks to determine which
bits to invert to make sure the higher bits are set for unmapped entries to
prevent L1TF speculation attacks against EPT inside guests.

In order to invert all bits that could be used by the host, increase
__PHYSICAL_PAGE_SHIFT to 52 to match 64bit.

The real limit for a 32bit PAE kernel is still 44 bits because all Linux
PTEs are created from unsigned long PFNs, so they cannot be higher than 44
bits on a 32bit kernel. So these extra PFN bits should never be set.

The only users of this macro are using it to look at PTEs, so it's safe.

[ tglx: Massaged changelog ]

Signed-off-by: Andi Kleen
Signed-off-by: Thomas Gleixner
Reviewed-by: Josh Poimboeuf
Acked-by: Michal Hocko
Acked-by: Dave Hansen
Signed-off-by: Greg Kroah-Hartman

--- arch/x86/include/asm/page_32_types.h | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/arch/x86/include/asm/page_32_types.h +++ b/arch/x86/include/asm/page_32_types.h @@ -29,8 +29,13 @@ #define N_EXCEPTION_STACKS 1 #ifdef CONFIG_X86_PAE -/* 44=32+12, the limit we can fit into an unsigned long pfn */ -#define __PHYSICAL_MASK_SHIFT 44 +/* + * This is beyond the 44 bit limit imposed by the 32bit long pfns, + * but we need the full mask to make sure inverted PROT_NONE + * entries have all the host bits set in a guest. + * The real limit is still 44 bits. + */ +#define __PHYSICAL_MASK_SHIFT 52 #define __VIRTUAL_MASK_SHIFT 32 #else /* !CONFIG_X86_PAE */
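
Review bot: the new comment above "#define __PHYSICAL_MASK_SHIFT 52" in the CONFIG_X86_PAE branch says "The real limit is still 44 bits" but does not say what keeps it there or that the wider value is only safe because the macro is used to mask PTEs, which is the argument the changelog relies on. Suggest stating in the comment that the value must not be used as the limit of addressable physical memory on PAE, so a later user of the derived mask does not take 52 bits at face value. The subject and changelog also name __PHYSICAL_PAGE_SHIFT while the define touched here is __PHYSICAL_MASK_SHIFT; the changelog should use the name that appears in the hunk.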
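
The effect of the mask width described in the changelog above, as an added example that is not part of the patch or of the kernel source. It is a simplified model: the helper names (pte_pfn_mask, inverted_pte_addr, inside_host_memory), the guest PFN and the host sizes are constructed for illustration, and the PFN is assumed to lie in the lower half of the guest's address range.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

/* Address bits of a PTE for a given mask shift (model of the PFN mask). */
static uint64_t pte_pfn_mask(unsigned mask_shift)
{
    uint64_t phys_mask = (1ULL << mask_shift) - 1;
    return phys_mask & ~((1ULL << PAGE_SHIFT) - 1);
}

/* Address left in a !PRESENT (PROT_NONE) PTE after inversion: every
 * address bit covered by the mask is flipped, bits above it stay 0. */
static uint64_t inverted_pte_addr(uint32_t pfn, unsigned mask_shift)
{
    uint64_t addr = (uint64_t)pfn << PAGE_SHIFT;
    return (addr ^ ~0ULL) & pte_pfn_mask(mask_shift);
}

/* 1 if a host with this many populated address bits could have RAM there. */
static int inside_host_memory(uint64_t addr, unsigned host_populated_bits)
{
    return addr < (1ULL << host_populated_bits);
}

int main(void)
{
    uint32_t pfn = 0x12345;            /* constructed guest PFN */
    unsigned shifts[] = { 44, 52 };    /* old and new mask shift */
    unsigned hosts[] = { 43, 46 };     /* constructed host sizes */

    for (int s = 0; s < 2; s++)
        for (int h = 0; h < 2; h++) {
            uint64_t a = inverted_pte_addr(pfn, shifts[s]);
            printf("mask shift %u, host %u bits: PTE addr 0x%013llx %s\n",
                   shifts[s], hosts[h], (unsigned long long)a,
                   inside_host_memory(a, hosts[h]) ? "inside host memory"
                                                   : "outside host memory");
        }
    return 0;
}
```

With a 44-bit mask the inverted address stays below 2^44, so it is outside a host with 43 populated bits but inside one with 46; with a 52-bit mask bits 44 to 51 are set as well and the address is outside both.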