From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nicolai Stange , Thomas Gleixner , David Woodhouse
Subject: [PATCH 4.9 080/107] x86/KVM/VMX: Initialize the vmx_l1d_flush_pages content
Date: Tue, 14 Aug 2018 19:17:43 +0200
Message-Id: <20180814171525.674746858@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180814171520.883143803@linuxfoundation.org>
References: <20180814171520.883143803@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Nicolai Stange commit 288d152c23dcf3c09da46c5c481903ca10ebfef7 upstream The slow path in vmx_l1d_flush() reads from vmx_l1d_flush_pages in order to evict the L1d cache. However, these pages are never cleared and, in theory, their data could be leaked. More importantly, KSM could merge a nested hypervisor's vmx_l1d_flush_pages to fewer than 1 << L1D_CACHE_ORDER host physical pages and this would break the L1d flushing algorithm: L1D on x86_64 is tagged by physical addresses. Fix this by initializing the individual vmx_l1d_flush_pages with a different pattern each. Rename the "empty_zp" asm constraint identifier in vmx_l1d_flush() to "flush_pages" to reflect this change. Fixes: a47dd5f06714 ("x86/KVM/VMX: Add L1D flush algorithm") Signed-off-by: Nicolai Stange Signed-off-by: Thomas Gleixner Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/vmx.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -212,6 +212,7 @@ static void *vmx_l1d_flush_pages; static int vmx_setup_l1d_flush(enum vmx_l1d_flush_state l1tf) { struct page *page; + unsigned int i; if (!enable_ept) { l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_EPT_DISABLED; @@ -244,6 +245,16 @@ static int vmx_setup_l1d_flush(enum vmx_ if (!page) return -ENOMEM; vmx_l1d_flush_pages = page_address(page); + + /* + * Initialize each page with a different pattern in + * order to protect against KSM in the nested + * virtualization case. + */ + for (i = 0; i < 1u << L1D_CACHE_ORDER; ++i) { + memset(vmx_l1d_flush_pages + i * PAGE_SIZE, i + 1, + PAGE_SIZE); + } } l1tf_vmx_mitigation = l1tf; @@ -8675,7 +8686,7 @@ static void vmx_l1d_flush(struct kvm_vcp /* First ensure the pages are in the TLB */ "xorl %%eax, %%eax\n" ".Lpopulate_tlb:\n\t" - "movzbl (%[empty_zp], %%" _ASM_AX "), %%ecx\n\t" + "movzbl (%[flush_pages], %%" _ASM_AX "), %%ecx\n\t" "addl $4096, %%eax\n\t" "cmpl %%eax, %[size]\n\t" "jne .Lpopulate_tlb\n\t" 
@@ -8684,12 +8695,12 @@ static void vmx_l1d_flush(struct kvm_vcp /* Now fill the cache */ "xorl %%eax, %%eax\n" ".Lfill_cache:\n" - "movzbl (%[empty_zp], %%" _ASM_AX "), %%ecx\n\t" + "movzbl (%[flush_pages], %%" _ASM_AX "), %%ecx\n\t" "addl $64, %%eax\n\t" "cmpl %%eax, %[size]\n\t" "jne .Lfill_cache\n\t" "lfence\n" - :: [empty_zp] "r" (vmx_l1d_flush_pages), + :: [flush_pages] "r" (vmx_l1d_flush_pages), [size] "r" (size) : "eax", "ebx", "ecx", "edx"); }
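Review bot: in the new initialisation loop of the second hunk (vmx_setup_l1d_flush), memset() truncates its fill value to unsigned char, so the `i + 1` pattern gives each page a distinct byte only while `1u << L1D_CACHE_ORDER` does not exceed 256; since the fix relies on the pages being pairwise different, a `BUILD_BUG_ON((1u << L1D_CACHE_ORDER) > 256)` next to the loop, or a sentence in the comment, would pin that assumption down. Minor style point: kernel style drops the braces around a single-statement for body, even when the statement wraps.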
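Review bot: the third hunk renames the `%[empty_zp]` reference inside the .Lpopulate_tlb loop, but the operand itself is only renamed in the input-operand list of the fourth hunk (`:: [flush_pages] "r" (vmx_l1d_flush_pages)`); the two string references and the single operand definition have to be applied together, otherwise the asm statement names an operand that no longer exists and will not build.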
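To make the KSM argument from the commit message concrete, the following is an added stand-alone C model (not kernel code and not part of the patch): it fills a buffer of pages the way the new loop does and counts how many byte-distinct pages remain, which is the most host physical pages that could survive a KSM merge. The 4096-byte page size, the page count and the zero-filled initial content are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#define PAGE_SIZE 4096u

/* Mirror of the patch's loop: page i is filled with byte (i + 1). memset()
 * truncates the fill value to unsigned char, so pages stay pairwise different
 * only while n <= 256. */
static void init_flush_pages(unsigned char *buf, unsigned int n)
{
    for (unsigned int i = 0; i < n; ++i)
        memset(buf + i * PAGE_SIZE, (int)(i + 1), PAGE_SIZE);
}

/* KSM merges byte-identical pages onto one host physical page, so the number
 * of byte-distinct pages is the most that could survive a merge. */
static unsigned int count_distinct_pages(const unsigned char *buf, unsigned int n)
{
    unsigned int distinct = 0;
    for (unsigned int i = 0; i < n; ++i) {
        unsigned int j;
        for (j = 0; j < i; ++j)
            if (!memcmp(buf + i * PAGE_SIZE, buf + j * PAGE_SIZE, PAGE_SIZE))
                break;
        if (j == i)
            distinct++;
    }
    return distinct;
}

/* 1 if an n-page flush buffer keeps all n physical pages under KSM, 0 if it
 * could collapse, -1 on allocation failure. calloc() models the pre-patch
 * worst case of pages that happen to hold identical (here zero) content. */
static int flush_buffer_ksm_safe(unsigned int n, int initialised)
{
    unsigned char *buf = calloc(n, PAGE_SIZE);
    if (!buf)
        return -1;
    if (initialised)
        init_flush_pages(buf, n);
    unsigned int distinct = count_distinct_pages(buf, n);
    free(buf);
    return distinct == n;
}

int main(void)
{
    unsigned int n = 1u << 4; /* 16 pages; an assumed order, not taken from the patch */
    printf("uninitialised: KSM-safe=%d\n", flush_buffer_ksm_safe(n, 0));
    printf("patterned:     KSM-safe=%d\n", flush_buffer_ksm_safe(n, 1));
    return 0;
}
```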