www.infradead.org Git - users/jedix/linux-maple.git/commit
x86/speculation/l1tf: Protect PAE swap entries against L1TF
author Vlastimil Babka <vbabka@suse.cz>
Fri, 22 Jun 2018 15:39:33 +0000 (17:39 +0200)
committer Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Sat, 11 Aug 2018 00:44:35 +0000 (20:44 -0400)
commit ab50e36746e97ece8b087a7093e6fc44e6ba2e08
tree dc9851edf79e8e41fd8cf11a107d03b3b64dff61
parent 2417aeaaa1b76cd5285571c2aaab7b3d86ec40e6
x86/speculation/l1tf: Protect PAE swap entries against L1TF

The PAE 3-level paging code currently doesn't mitigate L1TF by flipping the
offset bits, and uses the high PTE word, thus bits 32-36 for type, 37-63 for
offset. The lower word is zeroed, thus systems with less than 4GB memory are
safe. With 4GB to 128GB the swap type selects the memory locations vulnerable
to L1TF; with even more memory, also the swap offset influences the address.
This might be a problem with 32bit PAE guests running on large 64bit hosts.

By continuing to keep the whole swap entry in either high or low 32bit word of
PTE we would limit the swap size too much. Thus this patch uses the whole PAE
PTE with the same layout as the 64bit version does. The macros just become a
bit tricky since they assume the arch-dependent swp_entry_t to be 32bit.

Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michal Hocko <mhocko@suse.com>
Orabug: 28220674
CVE: CVE-2018-3620

(cherry picked from commit 0d0f6249058834ffe1ceaad0bb31464af66f6e7a)

Signed-off-by: Mihai Carabas <mihai.carabas@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
arch/x86/include/asm/pgtable-3level.h
arch/x86/mm/init.c
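
Added example, not part of the commit or the kernel source: a user-space C model of the two swap-entry encodings, showing which physical address bits a not-present PTE carries in each. The old layout is the one stated in the commit message; the new one assumes the 64-bit layout puts the type in bits 59-63 and the inverted offset in bits 9-58, and all function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Bits 12..51 of a 64-bit (PAE) PTE are the physical address field. */
#define PTE_ADDR_MASK    0x000FFFFFFFFFF000ULL
#define SWP_TYPE_BITS    5
/* Assumption: offset field starts at bit 9, so shift = 9 + SWP_TYPE_BITS. */
#define SWP_OFFSET_SHIFT 14

/* Old PAE layout per the commit message: low word 0, type 32-36, offset 37-63. */
uint64_t old_pae_swp_pte(unsigned type, uint64_t offset)
{
    return ((uint64_t)(type & 0x1f) << 32) | (offset << 37);
}

/* Assumed 64-bit layout: type in bits 59-63, inverted offset in bits 9-58. */
uint64_t new_pae_swp_pte(unsigned type, uint64_t offset)
{
    return (~offset << SWP_OFFSET_SHIFT >> SWP_TYPE_BITS) |
           ((uint64_t)(type & 0x1f) << (64 - SWP_TYPE_BITS));
}

/* Decoders for the assumed new layout; the offset is un-inverted on the way out. */
unsigned new_swp_type(uint64_t pte) { return (unsigned)(pte >> (64 - SWP_TYPE_BITS)); }
uint64_t new_swp_offset(uint64_t pte) { return ~pte << SWP_TYPE_BITS >> SWP_OFFSET_SHIFT; }

/* Address bits a not-present PTE still carries, which is what L1TF is about. */
uint64_t l1tf_phys_addr(uint64_t pte) { return pte & PTE_ADDR_MASK; }

int main(void)
{
    /* Constructed sample entries: (type, offset). */
    unsigned types[] = { 1, 31, 0 };
    uint64_t offs[]  = { 0, 0, 1 };
    for (int i = 0; i < 3; i++) {
        uint64_t o = old_pae_swp_pte(types[i], offs[i]);
        uint64_t n = new_pae_swp_pte(types[i], offs[i]);
        printf("type=%2u off=%llu old_addr=%#llx new_addr=%#llx\n", types[i],
               (unsigned long long)offs[i], (unsigned long long)l1tf_phys_addr(o),
               (unsigned long long)l1tf_phys_addr(n));
    }
    return 0;
}
```

With the old layout the address field is 4 GiB times the swap type, and the first offset bit lands at 128 GiB, matching the ranges in the commit message; with the inverted offset, small offsets set the upper address bits instead.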