diff options
| author | Kirill A. Shutemov <kirill.shutemov@linux.intel.com> | 2018-10-26 15:28:55 +0300 |
|---|---|---|
| committer | Thomas Gleixner <tglx@linutronix.de> | 2018-11-06 21:35:11 +0100 |
| commit | a0e6e0831c516860fc7f9be1db6c081fe902ebcf (patch) | |
| tree | 4ab250ebf9add4debdd238e620fe15b3838db159 /net/sctp/socket.c | |
| parent | d52888aa2753e3063a9d3a0c9f72f94aa9809c15 (diff) | |
| download | linux-a0e6e0831c516860fc7f9be1db6c081fe902ebcf.tar.bz2 | |
x86/ldt: Unmap PTEs for the slot before freeing LDT pages
modify_ldt(2) leaves the old LDT mapped after switching over to the new
one. The old LDT gets freed and the pages can be re-used.
Leaving the mapping in place can have security implications. The mapping is
present in the userspace page tables and Meltdown-like attacks can read
these freed and possibly reused pages.
It's relatively simple to fix: unmap the old LDT and flush TLB before
freeing the old LDT memory.
This further allows to avoid flushing the TLB in map_ldt_struct() as the
slot is unmapped and flushed by unmap_ldt_struct() or has never been mapped
at all.
[ tglx: Massaged changelog and removed the needless line breaks ]
Fixes: f55f0501cbf6 ("x86/pti: Put the LDT in its own PGD if PTI is on")
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: bp@alien8.de
Cc: hpa@zytor.com
Cc: dave.hansen@linux.intel.com
Cc: luto@kernel.org
Cc: peterz@infradead.org
Cc: boris.ostrovsky@oracle.com
Cc: jgross@suse.com
Cc: bhe@redhat.com
Cc: willy@infradead.org
Cc: linux-mm@kvack.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20181026122856.66224-3-kirill.shutemov@linux.intel.com
Diffstat (limited to 'net/sctp/socket.c')
0 files changed, 0 insertions, 0 deletions