
Commit d52888a

kiryl authored and KAGA-KOKO committed
x86/mm: Move LDT remap out of KASLR region on 5-level paging
On 5-level paging the LDT remap area is placed in the middle of the KASLR randomization region and it can overlap with the direct mapping, the vmalloc or the vmap area. The LDT mapping is per mm, so it cannot be moved into the P4D page table next to the CPU_ENTRY_AREA without complicating PGD table allocation for 5-level paging. The 4 PGD slot gap just before the direct mapping is reserved for hypervisors, so it cannot be used. Move the direct mapping one slot deeper and use the resulting gap for the LDT remap area. The resulting layout is the same for 4 and 5 level paging. [ tglx: Massaged changelog ] Fixes: f55f050 ("x86/pti: Put the LDT in its own PGD if PTI is on") Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Andy Lutomirski <luto@kernel.org> Cc: bp@alien8.de Cc: hpa@zytor.com Cc: dave.hansen@linux.intel.com Cc: peterz@infradead.org Cc: boris.ostrovsky@oracle.com Cc: jgross@suse.com Cc: bhe@redhat.com Cc: willy@infradead.org Cc: linux-mm@kvack.org Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20181026122856.66224-2-kirill.shutemov@linux.intel.com
1 parent e8a308e commit d52888a

4 files changed

+29
-27
lines changed


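--- a/Documentation/x86/x86_64/mm.txt
+++ b/Documentation/x86/x86_64/mm.txt
@@ -34,23 +34,24 @@ __________________|____________|__________________|_________|___________________
 ____________________________________________________________|___________________________________________________________
 | | | |
 ffff800000000000 | -128 TB | ffff87ffffffffff | 8 TB | ... guard hole, also reserved for hypervisor
-ffff880000000000 | -120 TB | ffffc7ffffffffff | 64 TB | direct mapping of all physical memory (page_offset_base)
-ffffc80000000000 | -56 TB | ffffc8ffffffffff | 1 TB | ... unused hole
+ffff880000000000 | -120 TB | ffff887fffffffff | 0.5 TB | LDT remap for PTI
+ffff888000000000 | -119.5 TB | ffffc87fffffffff | 64 TB | direct mapping of all physical memory (page_offset_base)
+ffffc88000000000 | -55.5 TB | ffffc8ffffffffff | 0.5 TB | ... unused hole
 ffffc90000000000 | -55 TB | ffffe8ffffffffff | 32 TB | vmalloc/ioremap space (vmalloc_base)
 ffffe90000000000 | -23 TB | ffffe9ffffffffff | 1 TB | ... unused hole
 ffffea0000000000 | -22 TB | ffffeaffffffffff | 1 TB | virtual memory map (vmemmap_base)
 ffffeb0000000000 | -21 TB | ffffebffffffffff | 1 TB | ... unused hole
 ffffec0000000000 | -20 TB | fffffbffffffffff | 16 TB | KASAN shadow memory
-fffffc0000000000 | -4 TB | fffffdffffffffff | 2 TB | ... unused hole
-| | | | vaddr_end for KASLR
-fffffe0000000000 | -2 TB | fffffe7fffffffff | 0.5 TB | cpu_entry_area mapping
-fffffe8000000000 | -1.5 TB | fffffeffffffffff | 0.5 TB | LDT remap for PTI
-ffffff0000000000 | -1 TB | ffffff7fffffffff | 0.5 TB | %esp fixup stacks
 __________________|____________|__________________|_________|____________________________________________________________
 |
-| Identical layout to the 47-bit one from here on:
+| Identical layout to the 56-bit one from here on:
 ____________________________________________________________|____________________________________________________________
 | | | |
+fffffc0000000000 | -4 TB | fffffdffffffffff | 2 TB | ... unused hole
+| | | | vaddr_end for KASLR
+fffffe0000000000 | -2 TB | fffffe7fffffffff | 0.5 TB | cpu_entry_area mapping
+fffffe8000000000 | -1.5 TB | fffffeffffffffff | 0.5 TB | ... unused hole
+ffffff0000000000 | -1 TB | ffffff7fffffffff | 0.5 TB | %esp fixup stacks
 ffffff8000000000 | -512 GB | ffffffeeffffffff | 444 GB | ... unused hole
 ffffffef00000000 | -68 GB | fffffffeffffffff | 64 GB | EFI region mapping space
 ffffffff00000000 | -4 GB | ffffffff7fffffff | 2 GB | ... unused hole
@@ -83,31 +84,32 @@ Notes:
 __________________|____________|__________________|_________|___________________________________________________________
 | | | |
 0000800000000000 | +64 PB | ffff7fffffffffff | ~16K PB | ... huge, still almost 64 bits wide hole of non-canonical
-| | | | virtual memory addresses up to the -128 TB
+| | | | virtual memory addresses up to the -64 PB
 | | | | starting offset of kernel mappings.
 __________________|____________|__________________|_________|___________________________________________________________
 |
 | Kernel-space virtual memory, shared between all processes:
 ____________________________________________________________|___________________________________________________________
 | | | |
 ff00000000000000 | -64 PB | ff0fffffffffffff | 4 PB | ... guard hole, also reserved for hypervisor
-ff10000000000000 | -60 PB | ff8fffffffffffff | 32 PB | direct mapping of all physical memory (page_offset_base)
-ff90000000000000 | -28 PB | ff9fffffffffffff | 4 PB | LDT remap for PTI
+ff10000000000000 | -60 PB | ff10ffffffffffff | 0.25 PB | LDT remap for PTI
+ff11000000000000 | -59.75 PB | ff90ffffffffffff | 32 PB | direct mapping of all physical memory (page_offset_base)
+ff91000000000000 | -27.75 PB | ff9fffffffffffff | 3.75 PB | ... unused hole
 ffa0000000000000 | -24 PB | ffd1ffffffffffff | 12.5 PB | vmalloc/ioremap space (vmalloc_base)
 ffd2000000000000 | -11.5 PB | ffd3ffffffffffff | 0.5 PB | ... unused hole
 ffd4000000000000 | -11 PB | ffd5ffffffffffff | 0.5 PB | virtual memory map (vmemmap_base)
 ffd6000000000000 | -10.5 PB | ffdeffffffffffff | 2.25 PB | ... unused hole
 ffdf000000000000 | -8.25 PB | fffffdffffffffff | ~8 PB | KASAN shadow memory
-fffffc0000000000 | -4 TB | fffffdffffffffff | 2 TB | ... unused hole
-| | | | vaddr_end for KASLR
-fffffe0000000000 | -2 TB | fffffe7fffffffff | 0.5 TB | cpu_entry_area mapping
-fffffe8000000000 | -1.5 TB | fffffeffffffffff | 0.5 TB | ... unused hole
-ffffff0000000000 | -1 TB | ffffff7fffffffff | 0.5 TB | %esp fixup stacks
 __________________|____________|__________________|_________|____________________________________________________________
 |
 | Identical layout to the 47-bit one from here on:
 ____________________________________________________________|____________________________________________________________
 | | | |
+fffffc0000000000 | -4 TB | fffffdffffffffff | 2 TB | ... unused hole
+| | | | vaddr_end for KASLR
+fffffe0000000000 | -2 TB | fffffe7fffffffff | 0.5 TB | cpu_entry_area mapping
+fffffe8000000000 | -1.5 TB | fffffeffffffffff | 0.5 TB | ... unused hole
+ffffff0000000000 | -1 TB | ffffff7fffffffff | 0.5 TB | %esp fixup stacks
 ffffff8000000000 | -512 GB | ffffffeeffffffff | 444 GB | ... unused hole
 ffffffef00000000 | -68 GB | fffffffeffffffff | 64 GB | EFI region mapping space
 ffffffff00000000 | -4 GB | ffffffff7fffffff | 2 GB | ... unused hole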

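--- a/arch/x86/include/asm/page_64_types.h
+++ b/arch/x86/include/asm/page_64_types.h
@@ -33,12 +33,14 @@
 
 /*
 * Set __PAGE_OFFSET to the most negative possible address +
-* PGDIR_SIZE*16 (pgd slot 272). The gap is to allow a space for a
-* hypervisor to fit. Choosing 16 slots here is arbitrary, but it's
-* what Xen requires.
+* PGDIR_SIZE*17 (pgd slot 273).
+*
+* The gap is to allow a space for LDT remap for PTI (1 pgd slot) and space for
+* a hypervisor (16 slots). Choosing 16 slots for a hypervisor is arbitrary,
+* but it's what Xen requires.
 */
-#define __PAGE_OFFSET_BASE_L5 _AC(0xff10000000000000, UL)
-#define __PAGE_OFFSET_BASE_L4 _AC(0xffff880000000000, UL)
+#define __PAGE_OFFSET_BASE_L5 _AC(0xff11000000000000, UL)
+#define __PAGE_OFFSET_BASE_L4 _AC(0xffff888000000000, UL)
 
 #ifdef CONFIG_DYNAMIC_MEMORY_LAYOUT
 #define __PAGE_OFFSET page_offset_base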
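Review bot: The rewritten comment gives the direct-mapping slot (273) but not where the single LDT slot sits relative to the 16-slot hypervisor gap, so a reader still has to derive the ordering from the two hex constants below it. Suggest one more sentence after `* but it's what Xen requires.`: `* Slot layout of the gap: 256-271 reserved for a hypervisor, 272 LDT remap for PTI (LDT_PGD_ENTRY in pgtable_64_types.h), 273 first slot of the direct mapping.` The slot arithmetic lives in two headers that must agree, and neither currently names the other; the cross-reference is what keeps the overlap this commit fixes from being re-introduced by editing one of them alone.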

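--- a/arch/x86/include/asm/pgtable_64_types.h
+++ b/arch/x86/include/asm/pgtable_64_types.h
@@ -111,9 +111,7 @@ extern unsigned int ptrs_per_p4d;
 */
 #define MAXMEM (1UL << MAX_PHYSMEM_BITS)
 
-#define LDT_PGD_ENTRY_L4 -3UL
-#define LDT_PGD_ENTRY_L5 -112UL
-#define LDT_PGD_ENTRY (pgtable_l5_enabled() ? LDT_PGD_ENTRY_L5 : LDT_PGD_ENTRY_L4)
+#define LDT_PGD_ENTRY -240UL
 #define LDT_BASE_ADDR (LDT_PGD_ENTRY << PGDIR_SHIFT)
 #define LDT_END_ADDR (LDT_BASE_ADDR + PGDIR_SIZE)
 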
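Review bot: `#define LDT_PGD_ENTRY -240UL` carries no comment, and the only thing that makes -240 correct is that it is the slot directly below __PAGE_OFFSET_BASE_L4/_L5 (slot 273 in page_64_types.h) on both paging modes — the invariant is implicit in a magic number. Suggest `#define LDT_PGD_ENTRY -240UL /* pgd slot 272, immediately below __PAGE_OFFSET_BASE on 4- and 5-level paging */`. Since the overlap being fixed here is exactly this relationship drifting, a check that `LDT_END_ADDR == __PAGE_OFFSET_BASE` (as a BUILD_BUG_ON where the shift is a compile-time constant, otherwise a boot-time sanity check) in a file that sees both headers would make a future mismatch fail loudly rather than silently alias the direct map; with CONFIG_DYNAMIC_MEMORY_LAYOUT PGDIR_SHIFT is presumably runtime-selected, so which form fits is not visible from this hunk.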

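--- a/arch/x86/xen/mmu_pv.c
+++ b/arch/x86/xen/mmu_pv.c
@@ -1905,7 +1905,7 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
 init_top_pgt[0] = __pgd(0);
 
 /* Pre-constructed entries are in pfn, so convert to mfn */
-/* L4[272] -> level3_ident_pgt */
+/* L4[273] -> level3_ident_pgt */
 /* L4[511] -> level3_kernel_pgt */
 convert_pfn_mfn(init_top_pgt);
 
@@ -1925,8 +1925,8 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
 addr[0] = (unsigned long)pgd;
 addr[1] = (unsigned long)l3;
 addr[2] = (unsigned long)l2;
-/* Graft it onto L4[272][0]. Note that we creating an aliasing problem:
-* Both L4[272][0] and L4[511][510] have entries that point to the same
+/* Graft it onto L4[273][0]. Note that we creating an aliasing problem:
+* Both L4[273][0] and L4[511][510] have entries that point to the same
 * L2 (PMD) tables. Meaning that if you modify it in __va space
 * it will be also modified in the __ka space! (But if you just
 * modify the PMD table to point to other PTE's or none, then you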
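Review bot: Both hunks hard-code the pgd slot number (`L4[273]`) in prose although the value is defined by __PAGE_OFFSET_BASE_L4 in page_64_types.h; this commit is itself an instance of that literal going stale, so the comment should name its source, e.g. `/* L4[273] (pgd_index(__PAGE_OFFSET_BASE_L4)) -> level3_ident_pgt */` in the first hunk and the same form in the second. While the second hunk's comment is being rewritten anyway, `Note that we creating an aliasing problem` should read `Note that we are creating an aliasing problem`. xen_setup_kernel_pagetable begins before the first hunk and continues past the second.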
