Received: by 2002:a4a:311b:0:0:0:0:0 with SMTP id k27-v6csp4806743ooa; Tue, 14 Aug 2018 10:49:02 -0700 (PDT) X-Google-Smtp-Source: AA+uWPyFG4emoqv+CpD82kzcZ692gnQ+rYWL9+uE5XhKBM8tsybX1MtjhLbKFftMEIykKzMndWdO X-Received: by 2002:a17:902:e10d:: with SMTP id cc13-v6mr21200001plb.96.1534268942204; Tue, 14 Aug 2018 10:49:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534268942; cv=none; d=google.com; s=arc-20160816; b=oLb/guGynt1vL6KZRswaVomqMA1QSfjAuOJrsLtpGPqepeptiEblRDzHs/7tB+ejNR 7ghleLslvPEl7dg14PMwwDfxu8Adhxzq2N1q280DzWU0JdzPJnxNk/QT+p5AyeH2ROix IUAQgIA8K+s5phXNFcJEFKNQRq7AOjSFxaEobgiHSjIzLSKc4jJXpu5LAmC/F/UkJ3vo HrQreaLlV24yKb1VoYkGBVjyC9Hl5WvuPF5+Znn+Z+fhqAXqAgfB+tsAaWcdN/BWKYa4 +wyY+7erUinn3AeQrroD9N6IZODe8QocvzyFlyJrJ2/WgKgM92d4mNwpDLaGwfDNqwnB jmhg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=bZKEiOeRSZSMbuGcij/tZ7NHqnFQQpPhKPv63apbr5M=; b=oJ6m1j5aZuz1x86oQgN0x2zROB9DIFxqkz+mifA8U3Aj7DKCkHjaazZ9x0rgRKqjO7 DGAcTtnpriYrO2vNe5kXeSNkXU1a7SDiHcaFZzb+gPtYd4h0oYYhN4isz9FQ6HqoQ4x5 VXM/Yqm2i0V7GSL2fqWvlwGabl0twukjYozfL9MJ8uD6tTVXBcdAszTfCdrG+00xuqnA UQQ4rxJv6XZv4OCagtRLIw5WpqdIE2Dflm9EnnI/Eh7OgwP6bbrJ7R4chgbkpGWtjE93 WH5fbSmyLyJZXd4zDBahzMJyxvK2DE5LIVpNaZ3UCMgvoqTF99AiRbM8MCGDj2hF1y5E 1omw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g12-v6si16198084pla.403.2018.08.14.10.48.47; Tue, 14 Aug 2018 10:49:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2403826AbeHNUfj (ORCPT + 99 others); Tue, 14 Aug 2018 16:35:39 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:60994 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390379AbeHNUfi (ORCPT ); Tue, 14 Aug 2018 16:35:38 -0400 Received: from localhost (unknown [194.244.16.108]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id EA5B1D08; Tue, 14 Aug 2018 17:47:25 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andi Kleen , Thomas Gleixner , Josh Poimboeuf , Michal Hocko , Dave Hansen , David Woodhouse , Guenter Roeck Subject: [PATCH 4.4 33/43] x86/speculation/l1tf: Limit swap file size to MAX_PA/2 Date: Tue, 14 Aug 2018 19:18:09 +0200 Message-Id: <20180814171519.273142378@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180814171517.014285600@linuxfoundation.org> References: <20180814171517.014285600@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Andi Kleen commit 377eeaa8e11fe815b1d07c81c4a0e2843a8c15eb upstream For the L1TF workaround its necessary to limit the swap file size to below MAX_PA/2, so that the higher bits of the swap offset inverted never point to valid memory. Add a mechanism for the architecture to override the swap file size check in swapfile.c and add a x86 specific max swapfile check function that enforces that limit. The check is only enabled if the CPU is vulnerable to L1TF. In VMs with 42bit MAX_PA the typical limit is 2TB now, on a native system with 46bit PA it is 32TB. The limit is only per individual swap file, so it's always possible to exceed these limits with multiple swap files or partitions. Signed-off-by: Andi Kleen Signed-off-by: Thomas Gleixner Reviewed-by: Josh Poimboeuf Acked-by: Michal Hocko Acked-by: Dave Hansen Signed-off-by: David Woodhouse Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman --- arch/x86/mm/init.c | 15 +++++++++++++++ include/linux/swapfile.h | 2 ++ mm/swapfile.c | 46 ++++++++++++++++++++++++++++++---------------- 3 files changed, 47 insertions(+), 16 deletions(-) --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -4,6 +4,8 @@ #include #include #include /* for max_low_pfn */ +#include +#include #include #include @@ -767,3 +769,16 @@ void update_cache_mode_entry(unsigned en __cachemode2pte_tbl[cache] = __cm_idx2pte(entry); __pte2cachemode_tbl[entry] = cache; } + +unsigned long max_swapfile_size(void) +{ + unsigned long pages; + + pages = generic_max_swapfile_size(); + + if (boot_cpu_has_bug(X86_BUG_L1TF)) { + /* Limit the swap file size to MAX_PA/2 for L1TF workaround */ + pages = min_t(unsigned long, l1tf_pfn_limit() + 1, pages); + } + return pages; +} --- a/include/linux/swapfile.h +++ b/include/linux/swapfile.h @@ -9,5 +9,7 @@ extern spinlock_t swap_lock; extern struct plist_head swap_active_head; extern struct swap_info_struct *swap_info[]; extern int try_to_unuse(unsigned int, bool, unsigned long); +extern unsigned long generic_max_swapfile_size(void); +extern unsigned long max_swapfile_size(void); #endif /* _LINUX_SWAPFILE_H */ --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -2206,6 +2206,35 @@ static int claim_swapfile(struct swap_in return 0; } + +/* + * Find out how many pages are allowed for a single swap device. There + * are two limiting factors: + * 1) the number of bits for the swap offset in the swp_entry_t type, and + * 2) the number of bits in the swap pte, as defined by the different + * architectures. + * + * In order to find the largest possible bit mask, a swap entry with + * swap type 0 and swap offset ~0UL is created, encoded to a swap pte, + * decoded to a swp_entry_t again, and finally the swap offset is + * extracted. + * + * This will mask all the bits from the initial ~0UL mask that can't + * be encoded in either the swp_entry_t or the architecture definition + * of a swap pte. + */ +unsigned long generic_max_swapfile_size(void) +{ + return swp_offset(pte_to_swp_entry( + swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1; +} + +/* Can be overridden by an architecture for additional checks. */ +__weak unsigned long max_swapfile_size(void) +{ + return generic_max_swapfile_size(); +} + static unsigned long read_swap_header(struct swap_info_struct *p, union swap_header *swap_header, struct inode *inode) @@ -2241,22 +2270,7 @@ static unsigned long read_swap_header(st p->cluster_next = 1; p->cluster_nr = 0; - /* - * Find out how many pages are allowed for a single swap - * device. There are two limiting factors: 1) the number - * of bits for the swap offset in the swp_entry_t type, and - * 2) the number of bits in the swap pte as defined by the - * different architectures. In order to find the - * largest possible bit mask, a swap entry with swap type 0 - * and swap offset ~0UL is created, encoded to a swap pte, - * decoded to a swp_entry_t again, and finally the swap - * offset is extracted. This will mask all the bits from - * the initial ~0UL mask that can't be encoded in either - * the swp_entry_t or the architecture definition of a - * swap pte. - */ - maxpages = swp_offset(pte_to_swp_entry( - swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1; + maxpages = max_swapfile_size(); last_page = swap_header->info.last_page; if (!last_page) { pr_warn("Empty swap-file\n");