Skip to content

Commit 377eeaa

Browse files
Andi KleenKAGA-KOKO
Andi Kleen
authored and
KAGA-KOKO
committed
x86/speculation/l1tf: Limit swap file size to MAX_PA/2
For the L1TF workaround its necessary to limit the swap file size to below MAX_PA/2, so that the higher bits of the swap offset inverted never point to valid memory. Add a mechanism for the architecture to override the swap file size check in swapfile.c and add a x86 specific max swapfile check function that enforces that limit. The check is only enabled if the CPU is vulnerable to L1TF. In VMs with 42bit MAX_PA the typical limit is 2TB now, on a native system with 46bit PA it is 32TB. The limit is only per individual swap file, so it's always possible to exceed these limits with multiple swap files or partitions. Signed-off-by: Andi Kleen <ak@linux.intel.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com> Acked-by: Michal Hocko <mhocko@suse.com> Acked-by: Dave Hansen <dave.hansen@intel.com>
1 parent 42e4089 commit 377eeaa

File tree

3 files changed

+47
-16
lines changed

3 files changed

+47
-16
lines changed

arch/x86/mm/init.c

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@
44
#include <linux/swap.h>
55
#include <linux/memblock.h>
66
#include <linux/bootmem.h> /* for max_low_pfn */
7+
#include <linux/swapfile.h>
8+
#include <linux/swapops.h>
79

810
#include <asm/set_memory.h>
911
#include <asm/e820/api.h>
@@ -880,3 +882,16 @@ void update_cache_mode_entry(unsigned entry, enum page_cache_mode cache)
880882
__cachemode2pte_tbl[cache] = __cm_idx2pte(entry);
881883
__pte2cachemode_tbl[entry] = cache;
882884
}
885+
886+
unsigned long max_swapfile_size(void)
887+
{
888+
unsigned long pages;
889+
890+
pages = generic_max_swapfile_size();
891+
892+
if (boot_cpu_has_bug(X86_BUG_L1TF)) {
893+
/* Limit the swap file size to MAX_PA/2 for L1TF workaround */
894+
pages = min_t(unsigned long, l1tf_pfn_limit() + 1, pages);
895+
}
896+
return pages;
897+
}

include/linux/swapfile.h

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,5 +10,7 @@ extern spinlock_t swap_lock;
1010
extern struct plist_head swap_active_head;
1111
extern struct swap_info_struct *swap_info[];
1212
extern int try_to_unuse(unsigned int, bool, unsigned long);
13+
extern unsigned long generic_max_swapfile_size(void);
14+
extern unsigned long max_swapfile_size(void);
1315

1416
#endif /* _LINUX_SWAPFILE_H */

mm/swapfile.c

Lines changed: 30 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -2909,6 +2909,35 @@ static int claim_swapfile(struct swap_info_struct *p, struct inode *inode)
29092909
return 0;
29102910
}
29112911

2912+
2913+
/*
2914+
* Find out how many pages are allowed for a single swap device. There
2915+
* are two limiting factors:
2916+
* 1) the number of bits for the swap offset in the swp_entry_t type, and
2917+
* 2) the number of bits in the swap pte, as defined by the different
2918+
* architectures.
2919+
*
2920+
* In order to find the largest possible bit mask, a swap entry with
2921+
* swap type 0 and swap offset ~0UL is created, encoded to a swap pte,
2922+
* decoded to a swp_entry_t again, and finally the swap offset is
2923+
* extracted.
2924+
*
2925+
* This will mask all the bits from the initial ~0UL mask that can't
2926+
* be encoded in either the swp_entry_t or the architecture definition
2927+
* of a swap pte.
2928+
*/
2929+
unsigned long generic_max_swapfile_size(void)
2930+
{
2931+
return swp_offset(pte_to_swp_entry(
2932+
swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1;
2933+
}
2934+
2935+
/* Can be overridden by an architecture for additional checks. */
2936+
__weak unsigned long max_swapfile_size(void)
2937+
{
2938+
return generic_max_swapfile_size();
2939+
}
2940+
29122941
static unsigned long read_swap_header(struct swap_info_struct *p,
29132942
union swap_header *swap_header,
29142943
struct inode *inode)
@@ -2944,22 +2973,7 @@ static unsigned long read_swap_header(struct swap_info_struct *p,
29442973
p->cluster_next = 1;
29452974
p->cluster_nr = 0;
29462975

2947-
/*
2948-
* Find out how many pages are allowed for a single swap
2949-
* device. There are two limiting factors: 1) the number
2950-
* of bits for the swap offset in the swp_entry_t type, and
2951-
* 2) the number of bits in the swap pte as defined by the
2952-
* different architectures. In order to find the
2953-
* largest possible bit mask, a swap entry with swap type 0
2954-
* and swap offset ~0UL is created, encoded to a swap pte,
2955-
* decoded to a swp_entry_t again, and finally the swap
2956-
* offset is extracted. This will mask all the bits from
2957-
* the initial ~0UL mask that can't be encoded in either
2958-
* the swp_entry_t or the architecture definition of a
2959-
* swap pte.
2960-
*/
2961-
maxpages = swp_offset(pte_to_swp_entry(
2962-
swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1;
2976+
maxpages = max_swapfile_size();
29632977
last_page = swap_header->info.last_page;
29642978
if (!last_page) {
29652979
pr_warn("Empty swap-file\n");

0 commit comments

Comments
 (0)