• Linus Torvalds's avatar
    x86/speculation/l1tf: Change order of offset/type in swap entry · 0f4bae8b
    Linus Torvalds authored
    If pages are swapped out, the swap entry is stored in the corresponding
    PTE, which has the Present bit cleared. CPUs vulnerable to L1TF speculate
    on PTE entries which have the present bit set and would treat the swap
    entry as phsyical address (PFN). To mitigate that the upper bits of the PTE
    must be set so the PTE points to non existent memory.
    
    The swap entry stores the type and the offset of a swapped out page in the
    PTE. type is stored in bit 9-13 and offset in bit 14-63. The hardware
    ignores the bits beyond the phsyical address space limit, so to make the
    mitigation effective its required to start 'offset' at the lowest possible
    bit so that even large swap offsets do not reach into the physical address
    space limit bits.
    
    Move offset to bit 9-58 and type to bit 59-63 which are the bits that
    hardware generally doesn't care about.
    
    That, in turn, means that if you on desktop chip with only 40 bits of
    physical addressing, now that the offset starts at bit 9, there needs to be
    30 bits of offset actually *in use* until bit 39 ends up being set, which
    means when inverted it will again point into existing memory.
    
    So that's 4 terabyte of swap space (because the offset is counted in pages,
    so 30 bits of offset is 42 bits of actual coverage). With bigger physical
    addressing, that obviously grows further, until the limit of the offset is
    hit (at 50 bits of offset - 62 bits of actual swap file coverage).
    
    This is a preparatory change for the actual swap entry inversion to protect
    against L1TF.
    
    [ AK: Updated description and minor tweaks. Split into two parts ]
    [ tglx: Massaged changelog ]
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Tested-by: default avatarAndi Kleen <ak@linux.intel.com>
    Reviewed-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
    Acked-by: default avatarMichal Hocko <mhocko@suse.com>
    Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
    Acked-by: default avatarDave Hansen <dave.hansen@intel.com>
    
    CVE-2018-3620
    CVE-2018-3646
    
    [smb: context adjustments around commentary]
    Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
    0f4bae8b
pgtable_64.h 5.41 KB