Date: Thu, 02 Aug 2018 15:58:23 -0700
From: Dave Hansen
To: linux-kernel@...r.kernel.org
Cc: Dave Hansen, keescook@...gle.com, tglx@...utronix.de, mingo@...nel.org, aarcange@...hat.com, jgross@...e.com, jpoimboe@...hat.com, gregkh@...uxfoundation.org, peterz@...radead.org, hughd@...gle.com, torvalds@...ux-foundation.org, bp@...en8.de, luto@...nel.org, ak@...ux.intel.com
Subject: [PATCH 0/7] [v2] x86/mm/pti: close two Meltdown leaks with Global kernel mapping

The fixes for the problem Hugh reported took a bit more surgery than I
would have liked, but they do appear to work. Note that the last two
patches are unnecessary cleanups that could be removed from backports.

Changes from v1:
 * Modify set_memory_np() to avoid messing with the direct map by
   limiting its changes to the high kernel image map.

--

This applies to 4.17 and 4.18.

Thanks to Hugh Dickins for initially finding the r/w kernel text issue
and coming up with an initial fix. I found the "unused hole" part and
came up with a different approach for fixing the mess.

--

Background:

Process Context IDentifiers (PCIDs) are a hardware feature that allows
TLB entries to survive page table switches (CR3 writes). As an
optimization, the PTI code currently allows the kernel image to be
Global when running on hardware without PCIDs. This results in fewer
TLB misses, especially upon entry. The downside is that these Global
areas are theoretically susceptible to Meltdown. The logic is that
there are no secrets in the kernel image, so why pay the cost of TLB
misses.

Problem:

The current PTI code leaves the entire area of the kernel binary
between '_text' and '_end' as Global (on non-PCID hardware). However,
that range contains both read-write kernel data, and two "unused" holes
in addition to text. The areas which are not text or read-only might
contain secrets once they are freed back into the allocator.

This issue affects systems which are susceptible to Meltdown, do not
have PCIDs and which are using the default PTI_AUTO mode (no pti=on/off
on the cmdline). PCIDs became generally available for servers in ~2010
(Westmere) and desktop (client) parts in roughly 2011 (Sandybridge).
This is not expected to affect anything newer than that.

Solution:

The solution for the read-write area is to clear the global bit for the
area (patch #1). The "unused" holes need a bit more work since we free
them in a bit of an ad-hoc way, but we fix this up in patches 2-5.

Cc: Kees Cook
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Andrea Arcangeli
Cc: Juergen Gross
Cc: Josh Poimboeuf
Cc: Greg Kroah-Hartman
Cc: Peter Zijlstra
Cc: Hugh Dickins
Cc: Linus Torvalds
Cc: Borislav Petkov
Cc: Andy Lutomirski
Cc: Andi Kleen
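A host falls into the affected class the cover letter describes only when all three conditions hold (Meltdown-susceptible CPU, no PCID, PTI left in its default auto mode). The following is an added example, not part of Dave Hansen's series, that evaluates those three conditions from the standard /proc/cpuinfo, /proc/cmdline and sysfs vulnerabilities files, falling back to constructed sample text when run off-box.

```python
import os

# Constructed sample inputs standing in for the live files (not captured from
# a real machine): an older non-PCID CPU booted with no pti= option.
SAMPLE_CPUINFO = "model name\t: Intel(R) Core(TM)2 Duo CPU\nflags\t\t: fpu vme de pse tsc msr pae nx lm\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-4.17.0 root=/dev/sda1 ro quiet\n"
SAMPLE_MELTDOWN = "Mitigation: PTI\n"

def has_pcid(cpuinfo_text):
    """True if a 'flags' line in /proc/cpuinfo lists the pcid feature."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = line.partition(":")[2].split()
            if "pcid" in flags:
                return True
    return False

def pti_mode_is_auto(cmdline_text):
    """True when nothing on the command line forces PTI on or off,
    i.e. the kernel is running in the default PTI_AUTO mode."""
    forced = {"pti=on", "pti=off", "nopti"}
    return not any(tok in forced for tok in cmdline_text.split())

def meltdown_susceptible(meltdown_status):
    """The CPU is susceptible unless sysfs reports 'Not affected';
    both 'Vulnerable' and 'Mitigation: PTI' mean susceptible hardware."""
    return not meltdown_status.strip().startswith("Not affected")

def global_kernel_map_exposure(cpuinfo_text, cmdline_text, meltdown_status):
    """Return the three conditions from the cover letter plus their conjunction."""
    result = {
        "meltdown_susceptible": meltdown_susceptible(meltdown_status),
        "no_pcid": not has_pcid(cpuinfo_text),
        "pti_auto": pti_mode_is_auto(cmdline_text),
    }
    result["all_conditions_hold"] = all(result.values())
    return result

def read_or_sample(path, sample):
    """Use the live file when present, otherwise the constructed sample."""
    if os.path.exists(path):
        with open(path) as f:
            return f.read()
    return sample

if __name__ == "__main__":
    r = global_kernel_map_exposure(
        read_or_sample("/proc/cpuinfo", SAMPLE_CPUINFO),
        read_or_sample("/proc/cmdline", SAMPLE_CMDLINE),
        read_or_sample("/sys/devices/system/cpu/vulnerabilities/meltdown", SAMPLE_MELTDOWN))
    for name, value in r.items():
        print(f"{name}: {value}")
```

A result of all_conditions_hold True means the host runs PTI with the Global kernel image and therefore needs the fixed kernel; it does not by itself show that anything has been leaked.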