Currently Ubuntu kernel has this kernel config disabled.
But in some cases, Intel's Sapphire Rapids High Bandwith
Memory (SPR-HBM) needs this option.
Memory bandwidth has been a bottleneck of increasingly memory bound
workloads. Sapphire Rapids plus HBM is specifically targeted to
cater to these workloads, traditionally served using overprovisioning
of memory devices.
Signed-off-by: Michael Reed <email address hidden>
bc2e133...
by
=?utf-8?q?Michal_Koutn=C3=BD?= <email address hidden>
x86/mm: Do not shuffle CPU entry areas without KASLR
The commit 97e3d26b5e5f ("x86/mm: Randomize per-cpu entry area") fixed
an omission of KASLR on CPU entry areas. It doesn't take into account
KASLR switches though, which may result in unintended non-determinism
when a user wants to avoid it (e.g. debugging, benchmarking).
Generate only a single combination of CPU entry areas offsets -- the
linear array that existed prior randomization when KASLR is turned off.
Since we have 3f148f331814 ("x86/kasan: Map shadow for percpu pages on
demand") and followups, we can use the more relaxed guard
kasrl_enabled() (in contrast to kaslr_memory_enabled()).
Fixes: 97e3d26b5e5f ("x86/mm: Randomize per-cpu entry area")
Signed-off-by: Michal Koutný <email address hidden>
Signed-off-by: Dave Hansen <email address hidden>
Cc: <email address hidden>
Link: https://lore.kernel.org/all/20230306193144.24605-1-mkoutny%40suse.com
CVE-2023-0597
(cherry picked from commit a3f547addcaa10df5a226526bc9e2d9a94542344)
Signed-off-by: Cengiz Can <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Andrei Gherzan <email address hidden>
Signed-off-by: Luke Nowakowski-Krijger <email address hidden>
2c1a2ce...
by
Sean Christopherson <email address hidden>
x86/mm: Populate KASAN shadow for entire per-CPU range of CPU entry area
Populate a KASAN shadow for the entire possible per-CPU range of the CPU
entry area instead of requiring that each individual chunk map a shadow.
Mapping shadows individually is error prone, e.g. the per-CPU GDT mapping
was left behind, which can lead to not-present page faults during KASAN
validation if the kernel performs a software lookup into the GDT. The DS
buffer is also likely affected.
The motivation for mapping the per-CPU areas on-demand was to avoid
mapping the entire 512GiB range that's reserved for the CPU entry area,
shaving a few bytes by not creating shadows for potentially unused memory
was not a goal.
The bug is most easily reproduced by doing a sigreturn with a garbage
CS in the sigcontext, e.g.
to coerce the kernel into doing a GDT lookup to compute CS.base when
reading the instruction bytes on the subsequent #GP to determine whether
or not the #GP is something the kernel should handle, e.g. to fixup UMIP
violations or to emulate CLI/STI for IOPL=3 applications.
Fixes: 9fd429c28073 ("x86/kasan: Map shadow for percpu pages on demand")
Reported-by: <email address hidden>
Suggested-by: Andrey Ryabinin <email address hidden>
Signed-off-by: Sean Christopherson <email address hidden>
Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
Reviewed-by: Andrey Ryabinin <email address hidden>
Link: https://<email address hidden>
CVE-2023-0597
(cherry picked from commit 97650148a15e0b30099d6175ffe278b9f55ec66a)
Signed-off-by: Cengiz Can <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Andrei Gherzan <email address hidden>
Signed-off-by: Luke Nowakowski-Krijger <email address hidden>
1623168...
by
Sean Christopherson <email address hidden>
x86/mm: Recompute physical address for every page of per-CPU CEA mapping
Recompute the physical address for each per-CPU page in the CPU entry
area, a recent commit inadvertantly modified cea_map_percpu_pages() such
that every PTE is mapped to the physical address of the first page.
Fixes: 9fd429c28073 ("x86/kasan: Map shadow for percpu pages on demand")
Signed-off-by: Sean Christopherson <email address hidden>
Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
Reviewed-by: Andrey Ryabinin <email address hidden>
Link: https://<email address hidden>
CVE-2023-0597
(cherry picked from commit 80d72a8f76e8f3f0b5a70b8c7022578e17bde8e7)
Signed-off-by: Cengiz Can <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Andrei Gherzan <email address hidden>
Signed-off-by: Luke Nowakowski-Krijger <email address hidden>
6bdab74...
by
Peter Zijlstra <email address hidden>
x86/mm: Randomize per-cpu entry area
Seth found that the CPU-entry-area; the piece of per-cpu data that is
mapped into the userspace page-tables for kPTI is not subject to any
randomization -- irrespective of kASLR settings.
On x86_64 a whole P4D (512 GB) of virtual address space is reserved for
this structure, which is plenty large enough to randomize things a
little.
As such, use a straight forward randomization scheme that avoids
duplicates to spread the existing CPUs over the available space.
[ bp: Fix le build. ]
Reported-by: Seth Jenkins <email address hidden>
Reviewed-by: Kees Cook <email address hidden>
Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
Signed-off-by: Dave Hansen <email address hidden>
Signed-off-by: Borislav Petkov <email address hidden>
CVE-2023-0597
(backported from commit 97e3d26b5e5f371b3ee223d94dd123e6c442ba80)
[cengizcan: include random.h for newly introduced `prandom_u32_max` call]
Signed-off-by: Cengiz Can <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Andrei Gherzan <email address hidden>
Signed-off-by: Luke Nowakowski-Krijger <email address hidden>
9862993...
by
Andrey Ryabinin <email address hidden>
x86/kasan: Map shadow for percpu pages on demand
KASAN maps shadow for the entire CPU-entry-area:
[CPU_ENTRY_AREA_BASE, CPU_ENTRY_AREA_BASE + CPU_ENTRY_AREA_MAP_SIZE]
This will explode once the per-cpu entry areas are randomized since it
will increase CPU_ENTRY_AREA_MAP_SIZE to 512 GB and KASAN fails to
allocate shadow for such big area.
Fix this by allocating KASAN shadow only for really used cpu entry area
addresses mapped by cea_map_percpu_pages()
Thanks to the 0day folks for finding and reporting this to be an issue.
[ dhansen: tweak changelog since this will get committed before peterz's
actual cpu-entry-area randomization ]
Signed-off-by: Andrey Ryabinin <email address hidden>
Signed-off-by: Dave Hansen <email address hidden>
Tested-by: Yujie Liu <email address hidden>
Cc: kernel test robot <email address hidden>
Link: https://<email address hidden>
CVE-2023-0597
(cherry picked from commit 3f148f3318140035e87decc1214795ff0755757b)
[cengizcan: prerequisite commit]
Signed-off-by: Cengiz Can <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Andrei Gherzan <email address hidden>
Signed-off-by: Luke Nowakowski-Krijger <email address hidden>
If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
size is 252 bytes(key->enc_opts.len = 252) then
key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
bypasses the next bounds check and results in an out-of-bounds.
Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
Signed-off-by: Hangyu Hua <email address hidden>
Reviewed-by: Simon Horman <email address hidden>
Reviewed-by: Pieter Jansen van Vuuren <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Paolo Abeni <email address hidden>
(cherry picked from commit 4d56304e5827c8cc8cc18c75343d283af7c4825c)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Khaled Elmously <email address hidden>
Acked-by: Ian May <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
The INVLPG instruction is used to invalidate TLB entries for a
specified virtual address. When PCIDs are enabled, INVLPG is supposed
to invalidate TLB entries for the specified address for both the
current PCID *and* Global entries. (Note: Only kernel mappings set
Global=1.)
Unfortunately, some INVLPG implementations can leave Global
translations unflushed when PCIDs are enabled.
As a workaround, never enable PCIDs on affected processors.
I expect there to eventually be microcode mitigations to replace this
software workaround. However, the exact version numbers where that
will happen are not known today. Once the version numbers are set in
stone, the processor list can be tweaked to only disable PCIDs on
affected processors with affected microcode.
Note: if anyone wants a quick fix that doesn't require patching, just
stick 'nopcid' on your kernel command-line.
Signed-off-by: Dave Hansen <email address hidden>
Reviewed-by: Thomas Gleixner <email address hidden>
Cc: <email address hidden>
(cherry picked from commit ce0b15d11ad837fbacc5356941712218e38a0a83)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Luke Nowakowski-Krijger <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Luke Nowakowski-Krijger <email address hidden>
