linux_dsm_epyc7002/arch/powerpc/mm
Michael Ellerman ca72d88378 powerpc/mm/64s/hash: Reallocate context ids on fork
When using the Hash Page Table (HPT) MMU, userspace memory mappings
are managed at two levels. Firstly in the Linux page tables, much like
other architectures, and secondly in the SLB (Segment Lookaside
Buffer) and HPT. It's the SLB and HPT that are actually used by the
hardware to do translations.

As part of the series adding support for 4PB user virtual address
space using the hash MMU, we added support for allocating multiple
"context ids" per process, one for each 512TB chunk of address space.
These are tracked in an array called extended_id in the mm_context_t
of a process that has done a mapping above 512TB.

If such a process forks (ie. clone(2) without CLONE_VM set) it's mm is
copied, including the mm_context_t, and then init_new_context() is
called to reinitialise parts of the mm_context_t as appropriate to
separate the address spaces of the two processes.

The key step in ensuring the two processes have separate address
spaces is to allocate a new context id for the process, this is done
at the beginning of hash__init_new_context(). If we didn't allocate a
new context id then the two processes would share mappings as far as
the SLB and HPT are concerned, even though their Linux page tables
would be separate.

For mappings above 512TB, which use the extended_id array, we
neglected to allocate new context ids on fork, meaning the parent and
child use the same ids and therefore share those mappings even though
they're supposed to be separate. This can lead to the parent seeing
writes done by the child, which is essentially memory corruption.

There is an additional exposure which is that if the child process
exits, all its context ids are freed, including the context ids that
are still in use by the parent for mappings above 512TB. One or more
of those ids can then be reallocated to a third process, that process
can then read/write to the parent's mappings above 512TB. Additionally
if the freed id is used for the third process's primary context id,
then the parent is able to read/write to the third process's mappings
*below* 512TB.

All of these are fundamental failures to enforce separation between
processes. The only mitigating factor is that the bug only occurs if a
process creates mappings above 512TB, and most applications still do
not create such mappings.

Only machines using the hash page table MMU are affected, eg. PowerPC
970 (G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines
(powernv) use the Radix MMU and are not affected, unless the machine
has been explicitly booted in HPT mode (using disable_radix on the
kernel command line). KVM guests on Power9 may be affected if the host
or guest is configured to use the HPT MMU. LPARs under PowerVM on
Power9 are affected as they always use the HPT MMU. Kernels built with
PAGE_SIZE=4K are not affected.

The fix is relatively simple, we need to reallocate context ids for
all extended mappings on fork.

Fixes: f384796c40 ("powerpc/mm: Add support for handling > 512TB address in SLB miss")
Cc: stable@vger.kernel.org # v4.17+
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2019-06-12 23:35:07 +10:00
..
ptdump powerpc/mm: Check secondary hash page table 2019-03-02 14:43:05 +11:00
8xx_mmu.c powerpc/8xx: don't disable large TLBs with CONFIG_STRICT_KERNEL_RWX 2019-02-23 21:04:32 +11:00
40x_mmu.c powerpc/mm/32: add base address to mmu_mapin_ram() 2019-02-23 21:04:31 +11:00
44x_mmu.c powerpc/mm/32: add base address to mmu_mapin_ram() 2019-02-23 21:04:31 +11:00
copro_fault.c mm: convert return type of handle_mm_fault() caller to vm_fault_t 2018-08-17 16:20:28 -07:00
dma-noncoherent.c powerpc/dma: use the generic direct mapping bypass 2019-02-18 22:41:04 +11:00
drmem.c powerpc/mm/drmem: Fix unexpected flag value in ibm,dynamic-memory-v2 2018-02-23 16:45:51 +11:00
fault.c Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
fsl_booke_mmu.c powerpc/mm/32: add base address to mmu_mapin_ram() 2019-02-23 21:04:31 +11:00
hash64_4k.c powerpc/mm/hash: Remove the superfluous bitwise operation when find hpte group 2018-07-24 22:03:17 +10:00
hash64_64k.c powerpc/mm/hash: Remove the superfluous bitwise operation when find hpte group 2018-07-24 22:03:17 +10:00
hash_low_32.S powerpc/6xx: fix setup and use of SPRN_SPRG_PGDIR for hash32 2019-03-19 00:30:19 +11:00
hash_native_64.c powerpc/64s/hash: Do not use PPC_INVALIDATE_ERAT on CPUs before POWER9 2018-10-04 23:16:53 +10:00
hash_utils_64.c treewide: add checks for the return value of memblock_alloc*() 2019-03-12 10:04:02 -07:00
highmem.c powerpc/mm: remove warning about ‘type’ being set 2018-08-10 22:12:38 +10:00
hugepage-hash64.c arch/powerpc/mm/hash: validate the pte entries before handling the hash fault 2018-10-03 15:39:59 +10:00
hugetlbpage-book3e.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hugetlbpage-hash64.c powerpc updates for 5.1 2019-03-07 12:56:26 -08:00
hugetlbpage-radix.c powerpc updates for 5.1 2019-03-07 12:56:26 -08:00
hugetlbpage.c powerpc updates for 4.21 2018-12-27 10:43:24 -08:00
init_32.c powerpc/8xx: don't disable large TLBs with CONFIG_STRICT_KERNEL_RWX 2019-02-23 21:04:32 +11:00
init_64.c powerpc/mm: fix "section_base" set but not used 2019-03-02 14:43:05 +11:00
init-common.c powerpc/mm: remove unnecessary test in pgtable_cache_init() 2018-12-04 19:45:01 +11:00
Makefile powerpc/mm: Disable kcov for SLB routines 2019-03-12 14:06:12 +11:00
mem.c Merge branch 'topic/dma' into next 2019-02-21 23:15:10 +11:00
mmap.c exec: pass stack rlimit into mm layout functions 2018-04-11 10:28:37 -07:00
mmu_context_book3s64.c powerpc/mm/64s/hash: Reallocate context ids on fork 2019-06-12 23:35:07 +10:00
mmu_context_hash32.c powerpc: remove unnecessary inclusion of asm/tlbflush.h 2018-07-30 22:48:20 +10:00
mmu_context_iommu.c powerpc/mm_iommu: Allow pinning large regions 2019-04-17 21:36:51 +10:00
mmu_context_nohash.c treewide: add checks for the return value of memblock_alloc*() 2019-03-12 10:04:02 -07:00
mmu_context.c powerpc/mm: Extend pte_fragment functionality to PPC32 2018-12-04 19:45:01 +11:00
mmu_decl.h powerpc/8xx: don't disable large TLBs with CONFIG_STRICT_KERNEL_RWX 2019-02-23 21:04:32 +11:00
numa.c memblock: memblock_phys_alloc_try_nid(): don't panic 2019-03-12 10:04:01 -07:00
pgtable_32.c powerpc/mm/32s: Use BATs for STRICT_KERNEL_RWX 2019-02-23 21:04:32 +11:00
pgtable_64.c powerpc/mm: use pte helpers in generic code 2018-10-14 18:04:09 +11:00
pgtable-book3e.c treewide: add checks for the return value of memblock_alloc*() 2019-03-12 10:04:02 -07:00
pgtable-book3s64.c treewide: add checks for the return value of memblock_alloc*() 2019-03-12 10:04:02 -07:00
pgtable-frag.c mm: treewide: remove unused address argument from pte_alloc functions 2019-01-04 13:13:47 -08:00
pgtable-hash64.c powerpc: handover page flags with a pgprot_t parameter 2018-10-14 18:04:09 +11:00
pgtable-radix.c treewide: add checks for the return value of memblock_alloc*() 2019-03-12 10:04:02 -07:00
pgtable.c powerpc/mm: add exec protection on powerpc 603 2018-12-19 18:56:32 +11:00
pkeys.c powerpc/pkeys: Fix handling of pkey state across fork() 2018-12-21 14:46:50 +11:00
ppc_mmu_32.c powerpc/32s: Fix BATs setting with CONFIG_STRICT_KERNEL_RWX 2019-05-02 15:33:46 +10:00
slb.c powerpc/64s/hash: Fix assert_slb_presence() use of the slbfee. instruction 2019-02-22 00:10:14 +11:00
slice.c powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search 2019-02-26 16:26:29 +11:00
subpage-prot.c Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
tlb_hash32.c powerpc/sparse: Fix plain integer as NULL pointer warning 2018-05-25 12:04:38 +10:00
tlb_hash64.c powerpc/mm: Add support for handling > 512TB address in SLB miss 2018-03-31 00:10:38 +11:00
tlb_low_64e.S powerpc/fsl: Flush the branch predictor at each kernel entry (64bit) 2018-12-20 22:59:03 +11:00
tlb_nohash_low.S powerpc: clean inclusions of asm/feature-fixups.h 2018-07-30 22:48:17 +10:00
tlb_nohash.c powerpc: remove unnecessary unlikely() 2019-01-15 11:38:05 +11:00
tlb-radix.c powerpc updates for 4.20 2018-10-26 14:36:21 -07:00
vphn.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
vphn.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00