x86/mm: Fix guard hole handling (16877a55) · Commits · 戴 / test

There is a guard hole at the beginning of the kernel address space, also used by hypervisors. It occupies 16 PGD entries. This reserved range is not defined explicitely, it is calculated relative to other entities: direct mapping and user space ranges. The calculation got broken by recent changes of the kernel memory layout: LDT remap range is now mapped before direct mapping and makes the calculation invalid. The breakage leads to crash on Xen dom0 boot[1]. Define the reserved range explicitely. It's part of kernel ABI (hypervisors expect it to be stable) and must not depend on changes in the rest of kernel memory layout. [1] https://lists.xenproject.org/archives/html/xen-devel/2018-11/msg03313.html Fixes: ("x86/mm: Move LDT remap out of KASLR region on 5-level paging") Reported-by:

Hans van Kranenburg <hans.van.kranenburg@mendix.com> Signed-off-by:

Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Signed-off-by:

Thomas Gleixner <tglx@linutronix.de> Tested-by:

Hans van Kranenburg <hans.van.kranenburg@mendix.com> Reviewed-by:

Juergen Gross <jgross@suse.com> Cc: bp@alien8.de Cc: hpa@zytor.com Cc: dave.hansen@linux.intel.com Cc: luto@kernel.org Cc: peterz@infradead.org Cc: boris.ostrovsky@oracle.com Cc: bhe@redhat.com Cc: linux-mm@kvack.org Cc: xen-devel@lists.xenproject.org Link: https://lkml.kernel.org/r/20181130202328.65359-2-kirill.shutemov@linux.intel.com

arch/x86/include/asm/pgtable_64_types.h

+5 −0

Original line number	Diff line number	Diff line
		@@ -111,6 +111,11 @@ extern unsigned int ptrs_per_p4d;
		*/
		#define MAXMEM (1UL << MAX_PHYSMEM_BITS)

		#define GUARD_HOLE_PGD_ENTRY -256UL
		#define GUARD_HOLE_SIZE (16UL << PGDIR_SHIFT)
		#define GUARD_HOLE_BASE_ADDR (GUARD_HOLE_PGD_ENTRY << PGDIR_SHIFT)
		#define GUARD_HOLE_END_ADDR (GUARD_HOLE_BASE_ADDR + GUARD_HOLE_SIZE)

		#define LDT_PGD_ENTRY -240UL
		#define LDT_BASE_ADDR (LDT_PGD_ENTRY << PGDIR_SHIFT)
		#define LDT_END_ADDR (LDT_BASE_ADDR + PGDIR_SIZE)

arch/x86/mm/dump_pagetables.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -512,11 +512,11 @@ static inline bool is_hypervisor_range(int idx)
		{
		#ifdef CONFIG_X86_64
		/*
		* ffff800000000000 - ffff87ffffffffff is reserved for
		* the hypervisor.
		* A hole in the beginning of kernel address space reserved
		* for a hypervisor.
		*/
		return (idx >= pgd_index(__PAGE_OFFSET) - 16) &&
		(idx < pgd_index(__PAGE_OFFSET));
		return (idx >= pgd_index(GUARD_HOLE_BASE_ADDR)) &&
		(idx < pgd_index(GUARD_HOLE_END_ADDR));
		#else
		return false;
		#endif

arch/x86/xen/mmu_pv.c

+6 −5

Original line number	Diff line number	Diff line
		@@ -648,19 +648,20 @@ static int __xen_pgd_walk(struct mm_struct mm, pgd_t pgd,
		unsigned long limit)
		{
		int i, nr, flush = 0;
		unsigned hole_low, hole_high;
		unsigned hole_low = 0, hole_high = 0;

		/* The limit is the last byte to be touched */
		limit--;
		BUG_ON(limit >= FIXADDR_TOP);

		#ifdef CONFIG_X86_64
		/*
		* 64-bit has a great big hole in the middle of the address
		* space, which contains the Xen mappings. On 32-bit these
		* will end up making a zero-sized hole and so is a no-op.
		* space, which contains the Xen mappings.
		*/
		hole_low = pgd_index(USER_LIMIT);
		hole_high = pgd_index(PAGE_OFFSET);
		hole_low = pgd_index(GUARD_HOLE_BASE_ADDR);
		hole_high = pgd_index(GUARD_HOLE_END_ADDR);
		#endif

		nr = pgd_index(limit) + 1;
		for (i = 0; i < nr; i++) {

Admin message