Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers

Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
is too narrow. The effect being mitigated in that commit is caused by
ZONE_DEVICE, on which PCI_P2PDMA has a dependency. ZONE_DEVICE, in general,
lets any physical address be added to the direct-map. I.e. not only ACPI
hotplug ranges, CXL Memory Windows, or EFI Specific Purpose Memory, but
also any PCI MMIO range for the DEVICE_PRIVATE and PCI_P2PDMA cases. Update
the mitigation, limit KASLR entropy, to apply in all ZONE_DEVICE=y cases.

Distro kernels typically have PCI_P2PDMA=y, so the practical exposure of
this problem is limited to the PCI_P2PDMA=n case.

A potential path to recover entropy would be to walk ACPI and determine the
limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
smaller systems that could yield some KASLR address bits. This needs
additional investigation to determine if some limited ACPI table scanning
can happen this early without an open coded solution like
arch/x86/boot/compressed/acpi.c needs to deploy.

Cc: Ingo Molnar <mingo@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Logan Gunthorpe <logang@deltatee.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: David Hildenbrand <david@redhat.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
Cc: <stable@vger.kernel.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Tested-by: Yasunori Goto <y-goto@fujitsu.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: http://patch.msgid.link/692e08b2516d4_261c1100a3@dwillia2-mobl4.notmuch
Signed-off-by: Dave Jiang <dave.jiang@intel.com>

Authored by Dan Williams and committed by Dave Jiang
269031b1 9ace4753

+12 -14
+5 -5
arch/x86/mm/kaslr.c
··· 115 115 116 116 /* 117 117 * Adapt physical memory region size based on available memory, 118 - * except when CONFIG_PCI_P2PDMA is enabled. P2PDMA exposes the 119 - * device BAR space assuming the direct map space is large enough 120 - * for creating a ZONE_DEVICE mapping in the direct map corresponding 121 - * to the physical BAR address. 118 + * except when CONFIG_ZONE_DEVICE is enabled. ZONE_DEVICE wants to map 119 + * any physical address into the direct-map. KASLR wants to reliably 120 + * steal some physical address bits. Those design choices are in direct 121 + * conflict. 122 122 */ 123 - if (!IS_ENABLED(CONFIG_PCI_P2PDMA) && (memory_tb < kaslr_regions[0].size_tb)) 123 + if (!IS_ENABLED(CONFIG_ZONE_DEVICE) && (memory_tb < kaslr_regions[0].size_tb)) 124 124 kaslr_regions[0].size_tb = memory_tb; 125 125 126 126 /*
-6
drivers/pci/Kconfig
··· 225 225 P2P DMA transactions must be between devices behind the same root 226 226 port. 227 227 228 - Enabling this option will reduce the entropy of x86 KASLR memory 229 - regions. For example - on a 46 bit system, the entropy goes down 230 - from 16 bits to 15 bits. The actual reduction in entropy depends 231 - on the physical address bits, on processor features, kernel config 232 - (5 level page table) and physical memory present on the system. 233 - 234 228 If unsure, say N. 235 229 236 230 config PCI_LABEL
+7 -3
mm/Kconfig
··· 1220 1220 Device memory hotplug support allows for establishing pmem, 1221 1221 or other device driver discovered memory regions, in the 1222 1222 memmap. This allows pfn_to_page() lookups of otherwise 1223 - "device-physical" addresses which is needed for using a DAX 1224 - mapping in an O_DIRECT operation, among other things. 1223 + "device-physical" addresses which is needed for DAX, PCI_P2PDMA, and 1224 + DEVICE_PRIVATE features among others. 1225 1225 1226 - If FS_DAX is enabled, then say Y. 1226 + Enabling this option will reduce the entropy of x86 KASLR memory 1227 + regions. For example - on a 46 bit system, the entropy goes down 1228 + from 16 bits to 15 bits. The actual reduction in entropy depends 1229 + on the physical address bits, on processor features, kernel config 1230 + (5 level page table) and physical memory present on the system. 1227 1231 1228 1232 # 1229 1233 # Helpers to mirror range of the CPU page tables of a process into device page
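
Review bot: In arch/x86/mm/kaslr.c, the rewritten comment above the `!IS_ENABLED(CONFIG_ZONE_DEVICE)` test names the conflict but not its outcome: with ZONE_DEVICE=y, `kaslr_regions[0].size_tb` is never trimmed to `memory_tb`, so the direct-map region keeps its full size and less address space is left for randomization. Consider stating that consequence in the comment and pointing at the ZONE_DEVICE help text in mm/Kconfig, where the entropy cost is now documented. The commit message's idea of bounding hotplug and PCI MMIO limits from ACPI before kernel_randomize_memory() would also merit a short note here, so the unconditional check is not read as the final design.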
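
Review bot: In drivers/pci/Kconfig, removing the entropy paragraph from the PCI_P2PDMA help leaves that entry with no hint of the KASLR cost, even though the commit message says PCI_P2PDMA depends on ZONE_DEVICE and so still brings the reduction with it. A one-line pointer before "If unsure, say N.", for example "See ZONE_DEVICE for the effect on x86 KASLR entropy.", would keep the information discoverable from the option people actually toggle.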
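
Review bot: In mm/Kconfig, the ZONE_DEVICE help loses its only recommendation line, "If FS_DAX is enabled, then say Y.", and nothing replaces it, so the entry now ends on the entropy warning with no guidance on what to answer. Suggest a closing line that says when Y is expected (the DAX, PCI_P2PDMA and DEVICE_PRIVATE cases the new text lists) and what to choose otherwise, so a reader weighing the KASLR cost has a default to fall back on.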