Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp5444522ybe; Tue, 10 Sep 2019 03:54:28 -0700 (PDT) X-Google-Smtp-Source: APXvYqwNolJZcog9Cdeh5BlSAodnb+X6sTF3NfuS1sw94PC/mEONu9hlbDxXa3rFkpLuhDUWKaLr X-Received: by 2002:a05:6402:160d:: with SMTP id f13mr29896266edv.227.1568112868061; Tue, 10 Sep 2019 03:54:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568112868; cv=none; d=google.com; s=arc-20160816; b=nnxMi7S2lYfOyinn5BoiN40KtJtFYF0wVyOSFGJVZRD3dCBVtxNsRKUkSASM6hO+wb moFRqc9FK/HbFb64G7LAPlnb4pnfhgS3ZPC2fSLT3ccyLtOLJc4fdYrqE2+ws+C+uG8b ZctM1oNs+7EvzaXAQNnj+yHLmMMYhml8ZjeU1xDqfW+SLl/TiQdkd8Tb+pz1+9C7g5Py PbRniXlscvzgm7s2n8DsEA9p2IuJver9DiV2hqy9Bna2TcuOazqtGznUPNSE3eNj/arL BhUI4C8bjpyFnqdqg8TDy8uk2Xh+/9yOC4GbUie4XC3RHcp7cwZKxnDKo9WxkL4JGd5a J4hA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=lcRZ+gmqkRI/8wjYYIRGOzRppQSTNB6wSfg2biqLEWM=; b=alx469ABnVeNhuhg9c7Y8g7mdlIbtvWWCimRaiCnY4okU7s+VJu+A1CCkGVvk9g4P0 gMKiUsxTgU04aTcMQvu/xWFlV7hWSmQqX9qJ+BJEnaXmqFwpvDuB48oG7dcFAaUUf02f ElyAUgeX58u077PJ3Ankg9ki4Y9C0rdLBSvGSMXmT2+0QTz09YYzrEsh/HV1CAW6a4Rf WCsN/9jQpDUmdc0SByAbf1XpCEfiBlY+mn5yId+Q59ViL739mzY8iaCY4B8BvvFlCMze u99AEh4mp3IIUBb/4ym7UeSXx9uBjIfcbUM1kNzKYrD32I09iLBEY+50x7Smnh0Qpn+5 LQDg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=uYfxvbHG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id ov28si8973263ejb.394.2019.09.10.03.54.04; Tue, 10 Sep 2019 03:54:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=uYfxvbHG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2393377AbfIJGSX (ORCPT + 99 others); Tue, 10 Sep 2019 02:18:23 -0400 Received: from mail-wr1-f67.google.com ([209.85.221.67]:41145 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730336AbfIJGSW (ORCPT ); Tue, 10 Sep 2019 02:18:22 -0400 Received: by mail-wr1-f67.google.com with SMTP id h7so16519202wrw.8 for ; Mon, 09 Sep 2019 23:18:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=lcRZ+gmqkRI/8wjYYIRGOzRppQSTNB6wSfg2biqLEWM=; b=uYfxvbHG4hrOBB2ocromyu9I9NtZXbvsfyVPCGC4CwdZbuEJsGP2WnFSTWzItCgtjc 2bMYfEmuXS0jDGFyXcHq8SUFs50EUkX0/xae84/Fmm0f3X4mRQIlvFbbBIuwIL1hbKQW EJSEDgJTohSuijRirnp0IYaaogOEe5sVvTw31L/Q/5G4TcsnxQVI2PKQZV5X6+sIwVi+ RilmfzXpaoTc+M8k43GUxIIXnXoUhiMyCLroMRtTprHdTvICXqP2qiVuyWoszmbmCG1b bxH9Mq0S8V9PcpN7x+zjMYUF32EB4l6hDxKb4egP3t4bRVEt2zOE8jmca51GXIGQl14Z zeBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=lcRZ+gmqkRI/8wjYYIRGOzRppQSTNB6wSfg2biqLEWM=; b=bfEetsnBdYbWPTI/3ILOzvCcPiq+xsTUei8NFvVqwsfs+/ZV8EOrA80MvInNhAl5fF EbGkxrkVLIDNYKIDMQxuQ5lJdo3RkPVAC6PNzKockY8j5u2YQE/k22x2nF8XiFsl5pq8 RfkuC07tIkUbUi0vfICeL/3a81wTJUEWZkOSw0Hre5qu2/t8ePPXblqdVmTB6ys5IRya 25lE0ay5UR/wjbah65h3G15dJ5p/5MCGSKCYIuVP8o+BkMtvDLmXUCgC6pc9ivopQrI0 pYEi/ArcjCllUnH1xKKlH3IRsq+tFawXy/VtPpuT7xVFzcJ5ccCwTAyBM4ERRjWg1Ebp hhOA== X-Gm-Message-State: APjAAAWmEAiiRr7WmS3lqiO9SiSjsP/ZEZWV5lPk9mmwOCJCvoT/KJ0e gtQ3Wuh+MUbLRTeGP6/WATs= X-Received: by 2002:adf:f303:: with SMTP id i3mr5465116wro.242.1568096299298; Mon, 09 Sep 2019 23:18:19 -0700 (PDT) Received: from gmail.com (2E8B0CD5.catv.pool.telekom.hu. [46.139.12.213]) by smtp.gmail.com with ESMTPSA id b184sm3773148wmg.47.2019.09.09.23.18.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Sep 2019 23:18:18 -0700 (PDT) Date: Tue, 10 Sep 2019 08:18:15 +0200 From: Ingo Molnar To: "Kirill A. Shutemov" Cc: Steve Wahl , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , x86@kernel.org, Juergen Gross , Brijesh Singh , Jordan Borgner , Feng Tang , linux-kernel@vger.kernel.org, Baoquan He , russ.anderson@hpe.com, dimitri.sivanich@hpe.com, mike.travis@hpe.com Subject: Re: [PATCH] x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area. Message-ID: <20190910061815.GA40059@gmail.com> References: <20190906212950.GA7792@swahl-linux> <20190909081414.5e3q47fzzruesscx@box> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190909081414.5e3q47fzzruesscx@box> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Kirill A. Shutemov wrote: > On Fri, Sep 06, 2019 at 04:29:50PM -0500, Steve Wahl wrote: > > Our hardware (UV aka Superdome Flex) has address ranges marked > > reserved by the BIOS. These ranges can cause the system to halt if > > accessed. > > > > During kernel initialization, the processor was speculating into > > reserved memory causing system halts. The processor speculation is > > enabled because the reserved memory is being mapped by the kernel. > > > > The page table level2_kernel_pgt is 1 GiB in size, and had all pages > > initially marked as valid, and the kernel is placed anywhere in this > > range depending on the virtual address selected by KASLR. Later on in > > the boot process, the valid area gets trimmed back to the space > > occupied by the kernel. > > > > But during the interval of time when the full 1 GiB space was marked > > as valid, if the kernel physical address chosen by KASLR was close > > enough to our reserved memory regions, the valid pages outside the > > actual kernel space were allowing the processor to issue speculative > > accesses to the reserved space, causing the system to halt. > > > > This was encountered somewhat rarely on a normal system boot, and > > somewhat more often when starting the crash kernel if > > "crashkernel=512M,high" was specified on the command line (because > > this heavily restricts the physical address of the crash kernel, > > usually to within 1 GiB of our reserved space). > > > > The answer is to invalidate the pages of this table outside the > > address range occupied by the kernel before the page table is > > activated. This patch has been validated to fix this problem on our > > hardware. > > If the goal is to avoid *any* mapping of the reserved region to stop > speculation, I don't think this patch will do the job. We still (likely) > have the same memory mapped as part of the identity mapping. And it > happens at least in two places: here and before on decompression stage. Yeah, this really needs a fix at the KASLR level: it should only ever map into regions that are fully RAM backed. Is the problem that the 1 GiB mapping is a direct mapping, which can be speculated into? I presume KASLR won't accidentally map the kernel into the reserved region, right? Thanks, Ingo