CVE-2018-3620: L1 Terminal Fault: OS/SMM

Issue description: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

Severity: 7.1 High (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Aug 16
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0ada2dc10f34649e99b6087ca7fb03e27379b5cd

commit 0ada2dc10f34649e99b6087ca7fb03e27379b5cd
Author: Guenter Roeck <groeck@chromium.org>
Date: Wed Aug 15 21:56:04 2018

CHROMIUM: Merge 'v4.4.148' into chromeos-4.4

Merge of v4.4.148 into chromeos-4.4

Conflicts:
	drivers/char/tpm/tpm-dev.c

Changelog:
----------------------------------------------------------------
Al Viro (3):
      root dentries need RCU-delayed freeing
      fix mntput/mntput race
      fix __legitimize_mnt()/mntput() race

Andi Kleen (10):
      x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT
      x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation
      x86/speculation/l1tf: Make sure the first page is always reserved
      x86/speculation/l1tf: Add sysfs reporting for l1tf
      x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings
      x86/speculation/l1tf: Limit swap file size to MAX_PA/2
      x86/speculation/l1tf: Invert all not present mappings
      x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert
      x86/mm/pat: Make set_memory_np() L1TF safe
      x86/mm/kmmio: Make the tracer robust against L1TF

Andy Lutomirski (1):
      mm: Add vm_insert_pfn_prot()

Bart Van Assche (1):
      scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled

Dan Williams (1):
      mm: fix cache mode tracking in vm_insert_mixed()

Dave Hansen (2):
      x86/mm: Move swap offset/type up in PTE to work around erratum
      x86/mm: Fix swap entry comment and macro

Greg Kroah-Hartman (1):
      Linux 4.4.148

Guenter Roeck (2):
      x86/speculation/l1tf: Fix up CPU feature flags
      Merge remote-tracking branch 'origin/linux/v4.4.148' into merge/chromeos-4.4-v4.4.148

Hans de Goede (1):
      ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices

Helge Deller (1):
      parisc: Enable CONFIG_MLONGCALLS by default

Jack Morgenstein (2):
      IB/core: Make testing MR flags for writability a static inline function
      IB/mlx4: Mark user MR as writable if actual virtual memory is writable

Jiri Kosina (2):
      x86/speculation: Protect against userspace-userspace spectreRSB
      x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures

John David Anglin (1):
      parisc: Define mb() and add memory barriers to assembler unlock sequences

Juergen Gross (1):
      xen/netfront: don't cache skb_shinfo()

Kees Cook (1):
      fork: unconditionally clear stack on fork

Konrad Rzeszutek Wilk (2):
      x86/bugs: Move the l1tf function and define pr_fmt properly
      x86/cpufeatures: Add detection of L1D cache flush support.

Linus Torvalds (2):
      x86/speculation/l1tf: Change order of offset/type in swap entry
      x86/speculation/l1tf: Protect swap entries against L1TF

Masami Hiramatsu (1):
      kprobes/x86: Fix %p uses in error messages

Michael Mera (1):
      IB/ocrdma: fix out of bounds access to local buffer

Michal Hocko (1):
      x86/speculation/l1tf: Fix up pte->pfn conversion for PAE

Naoya Horiguchi (1):
      mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1

Nick Desaulniers (1):
      x86/irqflags: Provide a declaration for native_save_fl

Oleksij Rempel (1):
      ARM: dts: imx6sx: fix irq for pcie bridge

Peter Zijlstra (1):
      x86/paravirt: Fix spectre-v2 mitigations for paravirt guests

Tadeusz Struk (1):
      tpm: fix race condition in tpm_common_write()

Theodore Ts'o (1):
      ext4: fix check to prevent initializing reserved inodes

Thomas Egerer (1):
      ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV

Vlastimil Babka (3):
      x86/speculation/l1tf: Extend 64bit swap file size limit
      x86/speculation/l1tf: Protect PAE swap entries against L1TF
      x86/init: fix build with CONFIG_SWAP=n

 Makefile | 2 +-
 arch/arm/boot/dts/imx6sx.dtsi | 2 +-
 arch/parisc/Kconfig | 2 +-
 arch/parisc/include/asm/barrier.h | 32 +++++++++++
 arch/parisc/kernel/entry.S | 2 +
 arch/parisc/kernel/pacache.S | 1 +
 arch/parisc/kernel/syscall.S | 4 ++
 arch/x86/include/asm/cpufeatures.h | 10 ++--
 arch/x86/include/asm/irqflags.h | 2 +
 arch/x86/include/asm/page_32_types.h | 9 +++-
 arch/x86/include/asm/pgtable-2level.h | 17 ++++++
 arch/x86/include/asm/pgtable-3level.h | 37 ++++++++++++-
 arch/x86/include/asm/pgtable-invert.h | 32 +++++++++++
 arch/x86/include/asm/pgtable.h | 84 +++++++++++++++++++++++------
 arch/x86/include/asm/pgtable_64.h | 54 +++++++++++++++----
 arch/x86/include/asm/pgtable_types.h | 10 ++--
 arch/x86/include/asm/processor.h | 5 ++
 arch/x86/kernel/cpu/bugs.c | 81 +++++++++++++++++-----------
 arch/x86/kernel/cpu/common.c | 20 +++++++
 arch/x86/kernel/kprobes/core.c | 4 +-
 arch/x86/kernel/paravirt.c | 14 +++--
 arch/x86/kernel/setup.c | 6 +++
 arch/x86/mm/init.c | 25 +++++++++
 arch/x86/mm/kmmio.c | 25 +++++----
 arch/x86/mm/mmap.c | 21 ++++++++
 arch/x86/mm/pageattr.c | 8 +--
 drivers/acpi/acpi_lpss.c | 2 +
 drivers/base/cpu.c | 8 +++
 drivers/char/tpm/tpm-dev.c | 43 +++++++--------
 drivers/infiniband/core/umem.c | 11 +---
 drivers/infiniband/hw/mlx4/mr.c | 50 ++++++++++++++---
 drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +-
 drivers/net/xen-netfront.c | 8 +--
 drivers/scsi/sr.c | 29 +++++++---
 fs/dcache.c | 6 ++-
 fs/ext4/ialloc.c | 5 +-
 fs/ext4/super.c | 8 +--
 fs/namespace.c | 28 +++++++++-
 include/asm-generic/pgtable.h | 12 +++++
 include/linux/cpu.h | 2 +
 include/linux/mm.h | 2 +
 include/linux/swapfile.h | 2 +
 include/linux/thread_info.h | 6 +--
 include/rdma/ib_verbs.h | 14 +++++
 mm/memory.c | 62 +++++++++++++++++----
 mm/mprotect.c | 49 +++++++++++++++++
 mm/swapfile.c | 46 ++++++++++------
 net/ipv4/Kconfig | 1 +
 net/ipv6/Kconfig | 1 +
 49 files changed, 715 insertions(+), 191 deletions(-)
 create mode 100644 arch/parisc/include/asm/barrier.h
 create mode 100644 arch/x86/include/asm/pgtable-invert.h

BUG=chromium:873810, chromium:874617, chromium:874614, chromium:874613
TEST=Build and test on various affected systems

Change-Id: Ibd224d2fad9f9572915f753aed0981a15a36cc74
Signed-off-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/0ada2dc10f34649e99b6087ca7fb03e27379b5cd/drivers/char/tpm/tpm-dev.c
Aug 16

Aug 16
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions.

Owners: amineer@ (Android), kariahda@ (iOS), cindyb@ (ChromeOS), govind@ (Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Aug 16

Aug 16
Same as the other security bug, if Guenter thinks this is a good idea to go directly into stable, we can do it.
Aug 16
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e7536a5add01c50cc658a8f9bf7ea22d0e83f66c

commit e7536a5add01c50cc658a8f9bf7ea22d0e83f66c
Author: Guenter Roeck <groeck@chromium.org>
Date: Wed Aug 15 21:55:06 2018

CHROMIUM: Merge 'v4.14.63' into chromeos-4.14

Merge of v4.14.63 into chromeos-4.14

Conflicts:
	include/linux/compiler-clang.h
	arch/x86/mm/mmap.c

Changes applied on top of 'v4.14.63' prior to merge:
	4b7b737602be x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled

Changelog:
----------------------------------------------------------------
Abel Vesa (1):
      cpu/hotplug: Non-SMP machines do not make use of booted_once

Al Viro (4):
      root dentries need RCU-delayed freeing
      make sure that __dentry_kill() always invalidates d_seq, unhashed or not
      fix mntput/mntput race
      fix __legitimize_mnt()/mntput() race

Andi Kleen (10):
      x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT
      x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation
      x86/speculation/l1tf: Make sure the first page is always reserved
      x86/speculation/l1tf: Add sysfs reporting for l1tf
      x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings
      x86/speculation/l1tf: Limit swap file size to MAX_PA/2
      x86/speculation/l1tf: Invert all not present mappings
      x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert
      x86/mm/pat: Make set_memory_np() L1TF safe
      x86/mm/kmmio: Make the tracer robust against L1TF

Andrey Konovalov (1):
      kasan: add no_sanitize attribute for clang builds

Bart Van Assche (1):
      scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled

Borislav Petkov (3):
      x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info
      x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings
      x86/CPU/AMD: Have smp_num_siblings and cpu_llc_id always be present

Chunfeng Yun (1):
      phy: phy-mtk-tphy: use auto instead of force to bypass utmi signals

David Woodhouse (1):
      tools headers: Synchronise x86 cpufeatures.h for L1TF additions

Fabio Estevam (1):
      mtd: nand: qcom: Add a NULL check for devm_kasprintf()

Greg Kroah-Hartman (1):
      Linux 4.14.63

Guenter Roeck (2):
      x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled
      Merge remote-tracking branch 'origin/linux/v4.14.63' into merge/chromeos-4.14-v4.14.63

Helge Deller (1):
      parisc: Enable CONFIG_MLONGCALLS by default

Isaac J. Manjarres (1):
      stop_machine: Disable preemption after queueing stopper threads

Jiri Kosina (4):
      x86/speculation: Protect against userspace-userspace spectreRSB
      cpu/hotplug: Expose SMT control init function
      x86/bugs, kvm: Introduce boot-time control of L1TF mitigations
      x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures

John David Anglin (1):
      parisc: Define mb() and add memory barriers to assembler unlock sequences

Josh Poimboeuf (2):
      cpu/hotplug: detect SMT disabled by BIOS
      x86/microcode: Allow late microcode loading with SMT disabled

Juergen Gross (1):
      xen/netfront: don't cache skb_shinfo()

Konrad Rzeszutek Wilk (9):
      x86/bugs: Move the l1tf function and define pr_fmt properly
      x86/cpufeatures: Add detection of L1D cache flush support.
      x86/KVM: Warn user if KVM is loaded SMT and L1TF CPU bug being present
      x86/KVM/VMX: Add module argument for L1TF mitigation
      x86/KVM/VMX: Split the VMX MSR LOAD structures to have an host/guest numbers
      x86/KVM/VMX: Add find_msr() helper function
      x86/KVM/VMX: Separate the VMX AUTOLOAD guest/host number accounting
      x86/KVM/VMX: Extend add_atomic_switch_msr() to allow VMENTER only MSRs
      x86/KVM/VMX: Use MSR save list for IA32_FLUSH_CMD if required

Linus Torvalds (4):
      Mark HI and TASKLET softirq synchronous
      init: rename and re-order boot_cpu_state_init()
      x86/speculation/l1tf: Change order of offset/type in swap entry
      x86/speculation/l1tf: Protect swap entries against L1TF

Lukas Wunner (1):
      Bluetooth: hci_serdev: Init hci_uart proto_lock to avoid oops

Masami Hiramatsu (1):
      kprobes/x86: Fix %p uses in error messages

Michal Hocko (1):
      x86/speculation/l1tf: Fix up pte->pfn conversion for PAE

Ming Lei (3):
      scsi: hpsa: fix selection of reply queue
      scsi: core: introduce force_blk_mq
      scsi: virtio_scsi: fix IO hang caused by automatic irq vector affinity

Nick Desaulniers (1):
      x86/irqflags: Provide a declaration for native_save_fl

Nicolai Stange (9):
      x86/KVM/VMX: Initialize the vmx_l1d_flush_pages' content
      x86/KVM/VMX: Don't set l1tf_flush_l1d to true from vmx_l1d_flush()
      x86/KVM/VMX: Replace 'vmx_l1d_flush_always' with 'vmx_l1d_flush_cond'
      x86/KVM/VMX: Move the l1tf_flush_l1d test to vmx_l1d_flush()
      x86/irq: Demote irq_cpustat_t::__softirq_pending to u16
      x86/KVM/VMX: Introduce per-host-cpu analogue of l1tf_flush_l1d
      x86: Don't include linux/irq.h from asm/hardirq.h
      x86/irq: Let interrupt handlers set kvm_cpu_l1tf_flush_l1d
      x86/KVM/VMX: Don't set l1tf_flush_l1d from vmx_handle_external_intr()

Oleksij Rempel (1):
      ARM: dts: imx6sx: fix irq for pcie bridge

Paolo Bonzini (7):
      x86/KVM/VMX: Add L1D flush algorithm
      x86/KVM/VMX: Add L1D MSR based flush
      x86/KVM/VMX: Add L1D flush logic
      KVM: VMX: support MSR_IA32_ARCH_CAPABILITIES as a feature MSR
      x86/speculation: Simplify sysfs report of VMX L1TF vulnerability
      x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry
      KVM: VMX: Tell the nested hypervisor to skip L1D flush on vmentry

Peter Zijlstra (2):
      x86/paravirt: Fix spectre-v2 mitigations for paravirt guests
      sched/smt: Update sched_smt_present at runtime

Quinn Tran (1):
      scsi: qla2xxx: Fix memory leak for allocating abort IOCB

Ronald Tschalär (1):
      Bluetooth: hci_ldisc: Allow sleeping while proto locks are held.

Thomas Gleixner (26):
      x86/smp: Provide topology_is_primary_thread()
      x86/topology: Provide topology_smt_supported()
      cpu/hotplug: Make bringup/teardown of smp threads symmetric
      cpu/hotplug: Split do_cpu_down()
      cpu/hotplug: Provide knobs to control SMT
      x86/cpu: Remove the pointless CPU printout
      x86/cpu/AMD: Remove the pointless detect_ht() call
      x86/cpu/common: Provide detect_ht_early()
      x86/cpu/topology: Provide detect_extended_topology_early()
      x86/cpu/intel: Evaluate smp_num_siblings early
      x86/cpu/AMD: Evaluate smp_num_siblings early
      x86/apic: Ignore secondary threads if nosmt=force
      Revert "x86/apic: Ignore secondary threads if nosmt=force"
      cpu/hotplug: Boot HT siblings at least once
      cpu/hotplug: Online siblings when SMT control is turned on
      x86/litf: Introduce vmx status variable
      x86/kvm: Drop L1TF MSR list approach
      x86/l1tf: Handle EPT disabled state proper
      x86/kvm: Move l1tf setup function
      x86/kvm: Add static key for flush always
      x86/kvm: Serialize L1D flush parameter setter
      x86/kvm: Allow runtime control of L1D flush
      cpu/hotplug: Set CPU_SMT_NOT_SUPPORTED early
      Documentation: Add section about CPU vulnerabilities
      Documentation/l1tf: Remove Yonah processors from not vulnerable list
      cpu/hotplug: Fix SMT supported evaluation

Tom Lendacky (2):
      KVM: x86: Add a framework for supporting MSR-based features
      KVM: SVM: Add MSR-based feature support for serializing LFENCE

Tony Luck (1):
      Documentation/l1tf: Fix typos

Vlastimil Babka (4):
      x86/speculation/l1tf: Extend 64bit swap file size limit
      x86/speculation/l1tf: Protect PAE swap entries against L1TF
      x86/smp: fix non-SMP broken build due to redefinition of apic_id_is_primary_thread
      x86/init: fix build with CONFIG_SWAP=n

Wanpeng Li (2):
      KVM: X86: Introduce kvm_get_msr_feature()
      KVM: X86: Allow userspace to define the microcode version

 Documentation/ABI/testing/sysfs-devices-system-cpu | 24 +
 Documentation/admin-guide/index.rst | 9 +
 Documentation/admin-guide/kernel-parameters.txt | 78 +++
 Documentation/admin-guide/l1tf.rst | 610 +++++++++++++++++++++
 Documentation/virtual/kvm/api.txt | 40 +-
 Makefile | 2 +-
 arch/Kconfig | 3 +
 arch/arm/boot/dts/imx6sx.dtsi | 2 +-
 arch/parisc/Kconfig | 2 +-
 arch/parisc/include/asm/barrier.h | 32 ++
 arch/parisc/kernel/entry.S | 2 +
 arch/parisc/kernel/pacache.S | 1 +
 arch/parisc/kernel/syscall.S | 4 +
 arch/x86/Kconfig | 1 +
 arch/x86/include/asm/apic.h | 10 +
 arch/x86/include/asm/cpufeatures.h | 3 +
 arch/x86/include/asm/dmi.h | 2 +-
 arch/x86/include/asm/hardirq.h | 26 +-
 arch/x86/include/asm/irqflags.h | 2 +
 arch/x86/include/asm/kvm_host.h | 9 +
 arch/x86/include/asm/msr-index.h | 7 +
 arch/x86/include/asm/page_32_types.h | 9 +-
 arch/x86/include/asm/pgtable-2level.h | 17 +
 arch/x86/include/asm/pgtable-3level.h | 37 +-
 arch/x86/include/asm/pgtable-invert.h | 32 ++
 arch/x86/include/asm/pgtable.h | 74 ++-
 arch/x86/include/asm/pgtable_64.h | 38 +-
 arch/x86/include/asm/processor.h | 17 +
 arch/x86/include/asm/smp.h | 1 -
 arch/x86/include/asm/topology.h | 6 +-
 arch/x86/include/asm/vmx.h | 11 +
 arch/x86/kernel/apic/apic.c | 19 +
 arch/x86/kernel/apic/htirq.c | 2 +
 arch/x86/kernel/apic/io_apic.c | 1 +
 arch/x86/kernel/apic/msi.c | 1 +
 arch/x86/kernel/apic/vector.c | 1 +
 arch/x86/kernel/cpu/amd.c | 59 +-
 arch/x86/kernel/cpu/bugs.c | 170 ++++-
 arch/x86/kernel/cpu/common.c | 63 ++-
 arch/x86/kernel/cpu/cpu.h | 2 +
 arch/x86/kernel/cpu/intel.c | 7 +
 arch/x86/kernel/cpu/microcode/core.c | 16 +-
 arch/x86/kernel/cpu/topology.c | 41 +-
 arch/x86/kernel/fpu/core.c | 1 +
 arch/x86/kernel/ftrace.c | 1 +
 arch/x86/kernel/hpet.c | 1 +
 arch/x86/kernel/i8259.c | 1 +
 arch/x86/kernel/idt.c | 1 +
 arch/x86/kernel/irq.c | 1 +
 arch/x86/kernel/irq_32.c | 1 +
 arch/x86/kernel/irq_64.c | 1 +
 arch/x86/kernel/irqinit.c | 1 +
 arch/x86/kernel/kprobes/core.c | 6 +-
 arch/x86/kernel/paravirt.c | 14 +-
 arch/x86/kernel/setup.c | 6 +
 arch/x86/kernel/smp.c | 1 +
 arch/x86/kernel/smpboot.c | 25 +-
 arch/x86/kernel/time.c | 1 +
 arch/x86/kvm/mmu.c | 1 +
 arch/x86/kvm/svm.c | 44 +-
 arch/x86/kvm/vmx.c | 426 ++++++++++++-
 arch/x86/kvm/x86.c | 133 ++++-
 arch/x86/mm/fault.c | 1 +
 arch/x86/mm/init.c | 25 +
 arch/x86/mm/kmmio.c | 25 +-
 arch/x86/mm/mmap.c | 21 +
 arch/x86/mm/pageattr.c | 8 +-
 arch/x86/mm/pti.c | 1 +
 .../intel-mid/device_libs/platform_mrfld_wdt.c | 1 +
 arch/x86/platform/uv/tlb_uv.c | 1 +
 arch/x86/xen/enlighten.c | 1 +
 drivers/base/cpu.c | 8 +
 drivers/gpu/drm/i915/intel_lpe_audio.c | 1 +
 drivers/mtd/nand/qcom_nandc.c | 3 +
 drivers/net/xen-netfront.c | 8 +-
 drivers/pci/host/pci-hyperv.c | 2 +
 drivers/phy/mediatek/phy-mtk-tphy.c | 19 +-
 drivers/scsi/hosts.c | 1 +
 drivers/scsi/hpsa.c | 73 ++-
 drivers/scsi/hpsa.h | 1 +
 drivers/scsi/qla2xxx/qla_iocb.c | 53 +-
 drivers/scsi/sr.c | 29 +-
 drivers/scsi/virtio_scsi.c | 59 +-
 fs/dcache.c | 13 +-
 fs/namespace.c | 28 +-
 include/asm-generic/pgtable.h | 12 +
 include/linux/compiler-clang.h | 3 +
 include/linux/cpu.h | 23 +-
 include/linux/swapfile.h | 2 +
 include/scsi/scsi_host.h | 3 +
 include/uapi/linux/kvm.h | 2 +
 init/main.c | 2 +-
 kernel/cpu.c | 284 +++++++++-
 kernel/sched/core.c | 30 +-
 kernel/sched/fair.c | 1 +
 kernel/smp.c | 2 +
 kernel/softirq.c | 12 +-
 kernel/stop_machine.c | 10 +-
 mm/memory.c | 37 +-
 mm/mprotect.c | 49 ++
 mm/swapfile.c | 46 +-
 tools/arch/x86/include/asm/cpufeatures.h | 3 +
 102 files changed, 2607 insertions(+), 455 deletions(-)
 create mode 100644 Documentation/admin-guide/l1tf.rst
 create mode 100644 arch/parisc/include/asm/barrier.h
 create mode 100644 arch/x86/include/asm/pgtable-invert.h

BUG=chromium:873809, chromium:874617, chromium:874614, chromium:874613
TEST=Build and test on various affected systems

Change-Id: I475b17b5e7da5d9c83f762b6c57f0dad14aa77ff
Signed-off-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/e7536a5add01c50cc658a8f9bf7ea22d0e83f66c/arch/x86/mm/mmap.c
[modify] https://crrev.com/e7536a5add01c50cc658a8f9bf7ea22d0e83f66c/include/linux/compiler-clang.h
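Both merges above carry "x86/speculation/l1tf: Add sysfs reporting for l1tf", and this one also brings in Documentation/admin-guide/l1tf.rst, so an administrator of an updated ChromeOS or Linux host has one file to check: /sys/devices/system/cpu/vulnerabilities/l1tf. The program below is an added example, not kernel or ChromeOS code, that reads that file and grades the result. The status strings it matches are the ones l1tf.rst documents; the grading into "host only", "guests protected" and "guests exposed", the function names, and the sample strings used to exercise it are this example's own, not output captured from any system on this bug.

```c
/*
 * Reads and grades /sys/devices/system/cpu/vulnerabilities/l1tf, the
 * interface introduced by "x86/speculation/l1tf: Add sysfs reporting for
 * l1tf". Added example, not kernel or ChromeOS code. The strings follow
 * Documentation/admin-guide/l1tf.rst; the grading is this example's own.
 */
#include <stdio.h>
#include <string.h>

#define L1TF_SYSFS "/sys/devices/system/cpu/vulnerabilities/l1tf"

enum l1tf_grade {
    L1TF_UNKNOWN,          /* file missing (kernel predates the fix) or odd text */
    L1TF_NOT_AFFECTED,     /* "Not affected" */
    L1TF_VULNERABLE,       /* "Vulnerable": no PTE inversion in this kernel */
    L1TF_HOST_ONLY,        /* PTE inversion active, no VMX status appended */
    L1TF_VMX_PROTECTED,    /* L1D flushed (or EPT off) and SMT disabled */
    L1TF_VMX_SMT_EXPOSED,  /* L1D flushed on VMENTER but SMT on: a sibling
                              hyperthread can still read the host's L1D */
    L1TF_VMX_EXPOSED,      /* "VMX: vulnerable": flush disabled (l1tf=off) */
};

static const char *const l1tf_grade_name[] = {
    "unknown", "not affected", "vulnerable (no PTE inversion)",
    "host protected, VMX not active", "host and guests protected",
    "guests protected, SMT sibling exposed", "guests exposed",
};

/* Classify one line as written by the kernel's cpu_show_l1tf(). */
enum l1tf_grade l1tf_classify(const char *status)
{
    if (!status)
        return L1TF_UNKNOWN;
    if (strncmp(status, "Not affected", 12) == 0)
        return L1TF_NOT_AFFECTED;
    if (strncmp(status, "Vulnerable", 10) == 0)
        return L1TF_VULNERABLE;
    if (strncmp(status, "Mitigation: PTE Inversion", 25) != 0)
        return L1TF_UNKNOWN;

    const char *vmx = strstr(status, "VMX: ");
    if (!vmx)
        return L1TF_HOST_ONLY;          /* KVM not loaded, or not VMX */
    vmx += 5;
    if (strncmp(vmx, "vulnerable", 10) == 0)
        return L1TF_VMX_EXPOSED;        /* l1tf=off or vmentry_l1d_flush=never */
    /* "conditional cache flushes", "cache flushes", "flush not necessary"
     * and "EPT disabled" all close the guest-to-host path; SMT decides
     * whether a sibling thread can still observe the L1D. */
    if (strstr(vmx, "SMT vulnerable"))
        return L1TF_VMX_SMT_EXPOSED;
    return L1TF_VMX_PROTECTED;
}

/* Read the live file; L1TF_UNKNOWN (and an empty buf) when it is absent. */
enum l1tf_grade l1tf_classify_sysfs(const char *path, char *buf, size_t len)
{
    buf[0] = '\0';
    FILE *f = fopen(path, "r");
    if (!f)
        return L1TF_UNKNOWN;
    if (fgets(buf, (int)len, f))
        buf[strcspn(buf, "\n")] = '\0';
    fclose(f);
    return l1tf_classify(buf[0] ? buf : NULL);
}

int main(void)
{
    char buf[256];
    enum l1tf_grade g = l1tf_classify_sysfs(L1TF_SYSFS, buf, sizeof buf);
    printf("%s: %s\n", L1TF_SYSFS, buf[0] ? buf : "(not present)");
    printf("grade: %s\n", l1tf_grade_name[g]);
    /* Non-zero exit for anything a fleet check should flag. */
    return (g == L1TF_NOT_AFFECTED || g == L1TF_HOST_ONLY ||
            g == L1TF_VMX_PROTECTED) ? 0 : 1;
}
```

A missing file is the interesting negative result on this bug: a chromeos-4.4 R68 image, which the final comment says was never fixed, has no vulnerabilities/l1tf entry at all, and the program reports "unknown" rather than silently passing.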
Aug 17
Update on R69: I am having trouble testing the patch series for R69. There is a mix of issues with conflicts due to Lakitu's private patch set - which stubbornly refuses to have itself reverted - and with trybots. Since I'll be out Monday and Tuesday next week, I'll give up for now and retry starting next Wednesday.

Update on R68: Not even started. Given the problems seen with R69, I am inclined to not address the problem in R68 at all.
Aug 20
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Aug 21

Aug 21

Aug 23
Merge approved, M69.
Aug 23
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4f4a66c0bc19a6893f668522e3b6c23ab00b2573

commit 4f4a66c0bc19a6893f668522e3b6c23ab00b2573
Author: Guenter Roeck <groeck@chromium.org>
Date: Wed Aug 22 16:33:16 2018

CHROMIUM: Merge 'v4.4.141-14557-g4283c0c841a4' into release-R69-10895.B-chromeos-4.4

Merge of release-R69-10895.B-chromeos-4.4-CapeHorn-Candidate-180822 into release-R69-10895.B-chromeos-4.4

Changelog:
----------------------------------------------------------------
Andi Kleen (10):
      x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT
      x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation
      x86/speculation/l1tf: Make sure the first page is always reserved
      x86/speculation/l1tf: Add sysfs reporting for l1tf
      x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings
      x86/speculation/l1tf: Limit swap file size to MAX_PA/2
      x86/speculation/l1tf: Invert all not present mappings
      x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert
      x86/mm/pat: Make set_memory_np() L1TF safe
      x86/mm/kmmio: Make the tracer robust against L1TF

Andy Lutomirski (1):
      mm: Add vm_insert_pfn_prot()

Andy Shevchenko (1):
      x86/cpu: Rename Merrifield2 to Moorefield

Dan Williams (1):
      mm: fix cache mode tracking in vm_insert_mixed()

Dave Hansen (2):
      x86/mm: Move swap offset/type up in PTE to work around erratum
      x86/mm: Fix swap entry comment and macro

Guenter Roeck (1):
      Merge remote-tracking branch 'origin/linux/v4.4.141-14557-g4283c0c841a4' into merge/release-R69-10895.B-chromeos-4.4-v4.4.141-14557-g4283c0c841a4

Konrad Rzeszutek Wilk (1):
      x86/bugs: Move the l1tf function and define pr_fmt properly

Linus Torvalds (2):
      x86/speculation/l1tf: Change order of offset/type in swap entry
      x86/speculation/l1tf: Protect swap entries against L1TF

Michal Hocko (1):
      x86/speculation/l1tf: Fix up pte->pfn conversion for PAE

Naoya Horiguchi (1):
      mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1

Piotr Luc (1):
      x86/cpu/intel: Add Knights Mill to Intel family

Sean Christopherson (1):
      x86/speculation/l1tf: Exempt zeroed PTEs from inversion

Tom Lendacky (1):
      x86/mm: Simplify p[g4um]d_page() macros

Vlastimil Babka (3):
      x86/speculation/l1tf: Extend 64bit swap file size limit
      x86/speculation/l1tf: Protect PAE swap entries against L1TF
      x86/init: fix build with CONFIG_SWAP=n

 arch/x86/include/asm/cpufeatures.h | 9 +++-
 arch/x86/include/asm/intel-family.h | 6 ++-
 arch/x86/include/asm/page_32_types.h | 9 +++-
 arch/x86/include/asm/pgtable-2level.h | 17 ++++++
 arch/x86/include/asm/pgtable-3level.h | 37 ++++++++++++-
 arch/x86/include/asm/pgtable-invert.h | 41 +++++++++++++++
 arch/x86/include/asm/pgtable.h | 97 +++++++++++++++++++++++--------
 arch/x86/include/asm/pgtable_64.h | 54 +++++++++++++++----
 arch/x86/include/asm/pgtable_types.h | 10 ++--
 arch/x86/include/asm/processor.h | 5 ++
 arch/x86/kernel/cpu/bugs.c | 40 +++++++++++++++
 arch/x86/kernel/cpu/common.c | 20 ++++++++
 arch/x86/kernel/setup.c | 6 +++
 arch/x86/mm/init.c | 25 +++++++++
 arch/x86/mm/kmmio.c | 25 +++++----
 arch/x86/mm/mmap.c | 21 ++++++++
 arch/x86/mm/pageattr.c | 8 +--
 drivers/base/cpu.c | 8 +++
 include/asm-generic/pgtable.h | 12 +++++
 include/linux/cpu.h | 2 +
 include/linux/mm.h | 2 +
 include/linux/swapfile.h | 2 +
 mm/memory.c | 62 ++++++++++++++++++----
 mm/mprotect.c | 49 ++++++++++++++++++
 mm/swapfile.c | 46 +++++++++++------
 25 files changed, 529 insertions(+), 84 deletions(-)
 create mode 100644 arch/x86/include/asm/pgtable-invert.h

BUG=chromium:874617 chromium:874614
TEST=Build and test on various affected systems

Change-Id: I15533e4e772a7f6d105c64be97b1795c8dad74a3
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Aug 24
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chromeos/overlays/overlay-lakitu-private/+/e2b5fb7753f2b5ad74c6f585c238d920caa81d48

commit e2b5fb7753f2b5ad74c6f585c238d920caa81d48
Author: Guenter Roeck <groeck@google.com>
Date: Fri Aug 24 17:52:57 2018
Aug 24
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chromeos/overlays/overlay-lakitu-private/+/fc97c8aa92fe50197758a83fab1a0823ccfa8bac

commit fc97c8aa92fe50197758a83fab1a0823ccfa8bac
Author: Guenter Roeck <groeck@google.com>
Date: Fri Aug 24 18:01:14 2018
Aug 27
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Aug 29
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/78fd9f781aae21f3ce91baeb372b97849780b00c

commit 78fd9f781aae21f3ce91baeb372b97849780b00c
Author: Andi Kleen <ak@linux.intel.com>
Date: Wed Aug 29 19:50:45 2018

BACKPORT: x86/mm/pat: Fix L1TF stable backport for CPA

Patch for stable only to fix boot resets caused by the L1TF patches.

Stable trees reverted the following patch

    Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"
    This reverts commit 87e2bd898d3a79a8c609f183180adac47879a2a4 which is
    commit edc3b9129cecd0f0857112136f5b8b1bc1d45918 upstream.

but the L1TF patch backported here

    x86/mm/pat: Make set_memory_np() L1TF safe
    commit 958f79b9ee55dfaf00c8106ed1c22a2919e0028b upstream
    set_memory_np() is used to mark kernel mappings not present, but it has
    its own open coded mechanism which does not have the L1TF protection of
    inverting the address bits.

assumed that cpa->pfn contains a PFN. With the above patch reverted it does not, which causes the PMD to be set to an incorrect address shifted by 12 bits, which can cause early boot reset on some systems, like an Apollo Lake embedded system.

Convert the address to a PFN before passing it to pmd_pfn()

Thanks to Bernhard for bisecting and testing.

BUG=chromium:874617, chromium:874614
TEST=EFI boot on affected system works

Cc: stable@vger.kernel.org # 4.4 and 4.9
Reported-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
Tested-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit adaba23ccd7d1625942f2c27612d2b416c87e011)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Change-Id: I3a6e314b4e44a406ac3e2f7cbc4e6c95364b511d
Reviewed-on: https://chromium-review.googlesource.com/1195036
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/78fd9f781aae21f3ce91baeb372b97849780b00c/arch/x86/mm/pageattr.c
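The L1TF commits in the merges above ("Invert all not present mappings", "Protect PROT_NONE PTEs against speculation", "Protect swap entries against L1TF") and the set_memory_np() fix in this BACKPORT all rest on one idea, modelled below as an added example in C. This is not kernel or ChromeOS code: the bit positions follow x86 (Present in bit 0, PROT_NONE reusing the Global bit 8, the PFN field starting at bit 12), but the 46-bit physical address width, the 8 GiB "installed RAM" bound used by the safety check, and every function name are assumptions made for the example. The last function models the bug this commit fixes: an entry built from a field that holds a physical address where a PFN was expected.

```c
/*
 * Model of the L1TF PTE-inversion mitigation. Added example, not kernel
 * or ChromeOS code. On an access that terminal-faults (Present bit clear)
 * the CPU still forwards the PTE's PFN bits to the L1D lookup, so a
 * not-present PTE whose PFN bits point at real memory lets that memory
 * be read through a side channel. The mitigation inverts the PFN bits
 * while the PTE is not present, so the speculative target lands above
 * installed memory where there is nothing to leak.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT    12
#define PTE_PRESENT   (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_PROTNONE  (1ULL << 8)   /* x86 reuses the Global bit for PROT_NONE */

/* Assumption for the example: 46 physical address bits, PFN in bits 12..45. */
#define PHYS_BITS     46
#define PTE_PFN_MASK  (((1ULL << PHYS_BITS) - 1) & ~((1ULL << PAGE_SHIFT) - 1))

/* Assumption for the example: 8 GiB of RAM installed. A speculative target
 * at or above this PFN has no cache line behind it. */
#define RAM_LIMIT_PFN ((8ULL << 30) >> PAGE_SHIFT)

typedef uint64_t pte_t;

static inline bool pte_not_present(pte_t v) { return !(v & PTE_PRESENT); }

/* All-ones for a not-present PTE, zero otherwise (the protnone_mask idea):
 * XOR-ing with it flips the PFN bits exactly when inversion applies. */
static inline uint64_t protnone_mask(pte_t v) { return pte_not_present(v) ? ~0ULL : 0ULL; }

/* PFN as software must read it: undo the inversion if the PTE is not present. */
uint64_t pte_pfn(pte_t v)
{
    uint64_t val = v ^ protnone_mask(v);
    return (val & PTE_PFN_MASK) >> PAGE_SHIFT;
}

/* PFN bits the CPU forwards to the L1D during the faulting speculative
 * access: no de-inversion, this is what an attacker's load actually probes. */
uint64_t pte_raw_pfn(pte_t v) { return (v & PTE_PFN_MASK) >> PAGE_SHIFT; }

pte_t mk_pte(uint64_t pfn, uint64_t flags)
{
    return ((pfn << PAGE_SHIFT) & PTE_PFN_MASK) | PTE_PRESENT | flags;
}

/* Present -> PROT_NONE with inversion (the mprotect(PROT_NONE) path). */
pte_t pte_mknotpresent(pte_t v)
{
    pte_t flags = (v & ~PTE_PFN_MASK & ~PTE_PRESENT) | PTE_PROTNONE;
    return flags | ((v & PTE_PFN_MASK) ^ PTE_PFN_MASK);
}

/* PROT_NONE -> present: flip the PFN bits back. */
pte_t pte_mkpresent(pte_t v)
{
    pte_t flags = (v & ~PTE_PFN_MASK & ~PTE_PROTNONE) | PTE_PRESENT;
    return flags | ((v & PTE_PFN_MASK) ^ PTE_PFN_MASK);
}

/* What an unmitigated kernel did: clear Present and leave the PFN alone. */
pte_t pte_clear_present_naive(pte_t v) { return v & ~PTE_PRESENT; }

/* Check: a not-present PTE is L1TF-safe when its raw PFN is above RAM.
 * Present PTEs are an ordinary access, not a terminal fault. */
bool pte_l1tf_safe(pte_t v)
{
    return !pte_not_present(v) || pte_raw_pfn(v) >= RAM_LIMIT_PFN;
}

/* The set_memory_np() backport bug from the commit above, modelled: the
 * field is defined as a PFN, so an entry built from a physical address
 * decodes to a PFN equal to that address, i.e. off by PAGE_SHIFT bits. */
uint64_t np_entry_pfn(uint64_t cpa_pfn_field)
{
    return pte_pfn(pte_mknotpresent(mk_pte(cpa_pfn_field, 0)));
}
#define PFN_DOWN(addr) ((addr) >> PAGE_SHIFT)   /* the fix: convert first */

pte_t sample_protnone_pte(void) { return pte_mknotpresent(mk_pte(0x12345, PTE_RW | PTE_USER)); }

int main(void)
{
    pte_t np = sample_protnone_pte();
    pte_t naive = pte_clear_present_naive(mk_pte(0x12345, PTE_RW | PTE_USER));
    printf("inverted  pte=0x%016llx sw pfn=0x%llx cpu pfn=0x%llx safe=%d\n",
           (unsigned long long)np, (unsigned long long)pte_pfn(np),
           (unsigned long long)pte_raw_pfn(np), pte_l1tf_safe(np));
    printf("naive     pte=0x%016llx cpu pfn=0x%llx safe=%d\n",
           (unsigned long long)naive, (unsigned long long)pte_raw_pfn(naive),
           pte_l1tf_safe(naive));
    printf("np entry from address 0x1000: pfn 0x%llx; from PFN_DOWN(0x1000): pfn 0x%llx\n",
           (unsigned long long)np_entry_pfn(0x1000),
           (unsigned long long)np_entry_pfn(PFN_DOWN(0x1000)));
    return 0;
}
```

The RAM_LIMIT_PFN check is also why the merges include "Limit swap file size to MAX_PA/2": inversion only helps when the inverted PFN lands in unpopulated physical address space, which holds for any PFN below half of the addressable range on a machine with less than that much memory.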
Aug 29
Declaring this done. Patches applied to chromeos-4.14 (R68 and later) as well as chromeos-4.4 (R69 and later). No plan to fix the problem in chromeos-4.4:R68 or in earlier kernel releases.
Aug 30

Dec 6
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Comment 1 by groeck@chromium.org, Aug 15