From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Nicolai Stange, Thomas Gleixner
Subject: [PATCH 4.18 58/79] x86/KVM/VMX: Initialize the vmx_l1d_flush_pages content
Date: Tue, 14 Aug 2018 19:17:17 +0200
Message-Id: <20180814171340.100860318@linuxfoundation.org>
In-Reply-To: <20180814171336.799314117@linuxfoundation.org>
References: <20180814171336.799314117@linuxfoundation.org>

4.18-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Nicolai Stange

The slow path in vmx_l1d_flush() reads from vmx_l1d_flush_pages in order
to evict the L1d cache.

However, these pages are never cleared and, in theory, their data could be
leaked.

More importantly, KSM could merge a nested hypervisor's vmx_l1d_flush_pages
to fewer than 1 << L1D_CACHE_ORDER host physical pages and this would break
the L1d flushing algorithm: L1D on x86_64 is tagged by physical addresses.

Fix this by initializing the individual vmx_l1d_flush_pages with a
different pattern each.

Rename the "empty_zp" asm constraint identifier in vmx_l1d_flush() to
"flush_pages" to reflect this change.

Fixes: a47dd5f06714 ("x86/KVM/VMX: Add L1D flush algorithm")
Signed-off-by: Nicolai Stange
Signed-off-by: Thomas Gleixner
Signed-off-by: Greg Kroah-Hartman

--- arch/x86/kvm/vmx.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -211,6 +211,7 @@ static void *vmx_l1d_flush_pages; static int vmx_setup_l1d_flush(enum vmx_l1d_flush_state l1tf) { struct page *page; + unsigned int i; if (!enable_ept) { l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_EPT_DISABLED; @@ -243,6 +244,16 @@ static int vmx_setup_l1d_flush(enum vmx_ if (!page) return -ENOMEM; vmx_l1d_flush_pages = page_address(page); + + /* + * Initialize each page with a different pattern in + * order to protect against KSM in the nested + * virtualization case. + */ + for (i = 0; i < 1u << L1D_CACHE_ORDER; ++i) { + memset(vmx_l1d_flush_pages + i * PAGE_SIZE, i + 1, + PAGE_SIZE); + } } l1tf_vmx_mitigation = l1tf; @@ -9737,7 +9748,7 @@ static void vmx_l1d_flush(struct kvm_vcp /* First ensure the pages are in the TLB */ "xorl %%eax, %%eax\n" ".Lpopulate_tlb:\n\t" - "movzbl (%[empty_zp], %%" _ASM_AX "), %%ecx\n\t" + "movzbl (%[flush_pages], %%" _ASM_AX "), %%ecx\n\t" "addl $4096, %%eax\n\t" "cmpl %%eax, %[size]\n\t" "jne .Lpopulate_tlb\n\t" 
@@ -9746,12 +9757,12 @@ static void vmx_l1d_flush(struct kvm_vcp /* Now fill the cache */ "xorl %%eax, %%eax\n" ".Lfill_cache:\n" - "movzbl (%[empty_zp], %%" _ASM_AX "), %%ecx\n\t" + "movzbl (%[flush_pages], %%" _ASM_AX "), %%ecx\n\t" "addl $64, %%eax\n\t" "cmpl %%eax, %[size]\n\t" "jne .Lfill_cache\n\t" "lfence\n" - :: [empty_zp] "r" (vmx_l1d_flush_pages), + :: [flush_pages] "r" (vmx_l1d_flush_pages), [size] "r" (size) : "eax", "ebx", "ecx", "edx"); }
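Review bot: In the vmx_setup_l1d_flush() hunk, the fill value "i + 1" handed to memset() is converted to unsigned char, so the pages only get distinct patterns while 1u << L1D_CACHE_ORDER is at most 256. Nothing in the loop enforces that bound. A BUILD_BUG_ON next to the loop, or one more sentence in the comment, would keep a later increase of L1D_CACHE_ORDER from silently producing identical pages that KSM can merge again. The comment also does not say why the pattern starts at i + 1 rather than i; if the intent is to keep the first page from being all zeroes, it should say so. Style nit: the braces around the single-statement for body can be dropped.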