• Kirill A. Shutemov's avatar
    x86/ldt: Unmap PTEs for the slot before freeing LDT pages · a0e6e083
    Kirill A. Shutemov authored
    modify_ldt(2) leaves the old LDT mapped after switching over to the new
    one. The old LDT gets freed and the pages can be re-used.
    
    Leaving the mapping in place can have security implications. The mapping is
    present in the userspace page tables and Meltdown-like attacks can read
    these freed and possibly reused pages.
    
    It's relatively simple to fix: unmap the old LDT and flush TLB before
    freeing the old LDT memory.
    
    This further allows to avoid flushing the TLB in map_ldt_struct() as the
    slot is unmapped and flushed by unmap_ldt_struct() or has never been mapped
    at all.
    
    [ tglx: Massaged changelog and removed the needless line breaks ]
    
    Fixes: f55f0501 ("x86/pti: Put the LDT in its own PGD if PTI is on")
    Signed-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Cc: bp@alien8.de
    Cc: hpa@zytor.com
    Cc: dave.hansen@linux.intel.com
    Cc: luto@kernel.org
    Cc: peterz@infradead.org
    Cc: boris.ostrovsky@oracle.com
    Cc: jgross@suse.com
    Cc: bhe@redhat.com
    Cc: willy@infradead.org
    Cc: linux-mm@kvack.org
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20181026122856.66224-3-kirill.shutemov@linux.intel.com
    a0e6e083
ldt.c 13.7 KB