linux/arch/x86/kernel
Zhang Yanfei e9d0626ed4 x86-64, init: Fix a possible wraparound bug in switchover in head_64.S
In head_64.S, a switchover has been used to handle kernel crossing
1G, 512G boundaries.

And commit 8170e6bed4
    x86, 64bit: Use a #PF handler to materialize early mappings on demand
said:
    During the switchover in head_64.S, before #PF handler is available,
    we use three pages to handle kernel crossing 1G, 512G boundaries with
    sharing page by playing games with page aliasing: the same page is
    mapped twice in the higher-level tables with appropriate wraparound.

But from the switchover code, when we set up the PUD table:
114         addq    $4096, %rdx
115         movq    %rdi, %rax
116         shrq    $PUD_SHIFT, %rax
117         andl    $(PTRS_PER_PUD-1), %eax
118         movq    %rdx, (4096+0)(%rbx,%rax,8)
119         movq    %rdx, (4096+8)(%rbx,%rax,8)

It seems line 119 has a potential bug there. For example,
if the kernel is loaded at physical address 511G+1008M, that is
    000000000 111111111 111111000 000000000000000000000
and the kernel _end is 512G+2M, that is
    000000001 000000000 000000001 000000000000000000000
So in this example, when using the 2nd page to setup PUD (line 114~119),
rax is 511.
In line 118, we put rdx which is the address of the PMD page (the 3rd page)
into entry 511 of the PUD table. But in line 119, the entry we calculate from
(4096+8)(%rbx,%rax,8) has exceeded the PUD page. IMO, the entry in line
119 should be wraparound into entry 0 of the PUD table.

The patch fixes the bug.

Signed-off-by: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
Link: http://lkml.kernel.org/r/5191DE5A.3020302@cn.fujitsu.com
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Cc: <stable@vger.kernel.org> v3.9
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
2013-05-28 15:41:59 -07:00
..
acpi Merge branch 'x86-paravirt-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-04-30 08:41:21 -07:00
apic Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-02-26 19:45:29 -08:00
cpu Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-05-05 11:37:16 -07:00
kprobes kprobes/x86: Just return error for sanity check failure instead of using BUG_ON 2013-04-08 17:28:34 +02:00
.gitignore
Makefile Merge branch 'x86/microcode' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-02-22 19:22:52 -08:00
alternative.c x86, cpu: Expand cpufeature facility to include cpu bugs 2013-04-02 10:12:52 -07:00
amd_gart_64.c x86, mm: use pfn_range_is_mapped() with gart 2012-11-17 11:59:10 -08:00
amd_nb.c Merge branch 'x86-ras-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-04-30 08:42:45 -07:00
apb_timer.c Merge branch 'x86-platform-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-02-19 20:11:07 -08:00
aperture_64.c x86/mm/gart: Drop unnecessary check 2013-04-16 10:54:40 +02:00
apm_32.c cpuidle: remove en_core_tk_irqen flag 2013-04-23 13:45:22 +02:00
asm-offsets.c x86, um/x86: switch to generic sys_execve and kernel_execve 2012-09-30 22:53:32 -04:00
asm-offsets_32.c x86, gdt, hibernate: Store/load GDT for hibernate path. 2013-05-02 11:27:35 -07:00
asm-offsets_64.c x86, gdt, hibernate: Store/load GDT for hibernate path. 2013-05-02 11:27:35 -07:00
audit_64.c
bootflag.c
check.c x86: kernel/check.c simple_strtoul cleanup 2012-05-15 15:36:41 -07:00
cpuid.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
crash.c x86/kexec: crash_vmclear_local_vmcss needs __rcu 2012-12-11 19:55:23 -02:00
crash_dump_32.c x86: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:15 +08:00
crash_dump_64.c
devicetree.c x86: dt: Use linear irq domain for ioapic(s) 2012-08-21 22:16:57 +02:00
doublefault_32.c x86, xen, gdt: Remove the pvops variant of store_gdt. 2013-04-11 15:40:38 -07:00
dumpstack.c dump_stack: consolidate dump_stack() implementations and unify their behaviors 2013-04-30 17:04:02 -07:00
dumpstack_32.c dump_stack: unify debug information printed by show_regs() 2013-04-30 17:04:02 -07:00
dumpstack_64.c dump_stack: unify debug information printed by show_regs() 2013-04-30 17:04:02 -07:00
e820.c x86, mm: Let "memmap=" take more entries one time 2012-11-17 11:59:51 -08:00
early-quirks.c iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets 2013-04-18 17:00:47 +02:00
early_printk.c early_printk: consolidate random copies of identical code 2013-04-29 18:28:13 -07:00
entry_32.S Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal 2013-02-23 18:50:11 -08:00
entry_64.S KVM: VMX: Register a new IPI for posted interrupt 2013-04-16 16:32:39 -03:00
ftrace.c x86/ftrace: Use __pa_symbol instead of __pa on C visible symbols 2012-11-16 16:42:09 -08:00
head.c x86: Make sure we can boot in the case the BDA contains pure garbage 2013-02-27 13:38:57 -08:00
head32.c x86: Merge early kernel reserve for 32bit and 64bit 2013-01-29 19:32:58 -08:00
head64.c x86-64, init: Do not set NX bits on non-NX capable hardware 2013-05-02 11:27:35 -07:00
head_32.S Merge branch 'x86/microcode' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-02-22 19:22:52 -08:00
head_64.S x86-64, init: Fix a possible wraparound bug in switchover in head_64.S 2013-05-28 15:41:59 -07:00
hpet.c x86, hpet: Introduce x86_msi_ops.setup_hpet_msi 2013-01-28 10:48:30 +01:00
hw_breakpoint.c
i386_ksyms_32.c x86-32: Add support for 64bit get_user() 2013-02-07 15:07:28 -08:00
i387.c x86/i387.c: Initialize thread xstate only on CPU0 only once 2012-11-14 15:28:11 -08:00
i8237.c
i8253.c
i8259.c x86/irq/i8259: Fix incorrect comment 2012-08-22 09:34:24 +02:00
io_delay.c
ioport.c x86: get rid of pt_regs argument of iopl(2) 2013-02-03 18:16:24 -05:00
irq.c Merge tag 'kvm-3.10-1' of git://git.kernel.org/pub/scm/virt/kvm/kvm 2013-05-05 14:47:31 -07:00
irq_32.c x86: Use common threadinfo allocator 2012-05-08 14:08:44 +02:00
irq_64.c
irq_work.c
irqinit.c KVM: VMX: Register a new IPI for posted interrupt 2013-04-16 16:32:39 -03:00
jump_label.c
kdebugfs.c arch/x86/kernel/kdebugfs.c: Ensure a consistent return value in error case 2012-07-26 15:07:20 +02:00
kgdb.c kgdb,x86: fix warning about unused variable 2012-10-12 06:37:34 -05:00
kvm.c context_tracking: Restore correct previous context state on exception exit 2013-03-07 17:10:11 +01:00
kvmclock.c Merge branch 'master' into queue 2013-03-04 20:10:32 -03:00
ldt.c Disintegrate asm/system.h for X86 2012-03-28 18:11:12 +01:00
machine_kexec_32.c Disintegrate asm/system.h for X86 2012-03-28 18:11:12 +01:00
machine_kexec_64.c x86, kexec, 64bit: Only set ident mapping for ram. 2013-01-29 15:26:35 -08:00
microcode_amd.c x86, microcode, AMD: Add support for family 16h processors 2012-11-20 22:23:28 -08:00
microcode_core.c x86/microcode_intel.h: Define functions and macros for early loading ucode 2013-01-31 13:18:50 -08:00
microcode_core_early.c x86, microcode: Verify the family before dispatching microcode patching 2013-04-19 16:36:03 -07:00
microcode_intel.c x86/microcode_intel.h: Define functions and macros for early loading ucode 2013-01-31 13:18:50 -08:00
microcode_intel_early.c x86/microcode: Add local mutex to fix physical CPU hot-add deadlock 2013-05-09 11:10:00 +02:00
microcode_intel_lib.c x86/microcode_intel_lib.c: Early update ucode on Intel's CPU 2013-01-31 13:19:14 -08:00
mmconf-fam10h_64.c
module.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-07-24 13:34:56 -07:00
mpparse.c Merge branch 'x86-trampoline-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-05-29 20:14:53 -07:00
msr.c more file_inode() open-coded instances 2013-02-27 16:59:05 -05:00
nmi.c x86/nmi: export local_touch_nmi() symbol for modules 2013-01-17 22:25:57 +08:00
nmi_selftest.c x86/nmi: Clean up register_nmi_handler() usage 2012-06-20 14:23:17 +02:00
paravirt-spinlocks.c
paravirt.c Merge branch 'x86-paravirt-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-04-30 08:41:21 -07:00
paravirt_patch_32.c
paravirt_patch_64.c
pci-calgary_64.c x86/debug: Add KERN_<LEVEL> to bare printks, convert printks to pr_<level> 2012-06-06 09:17:22 +02:00
pci-dma.c x86/dma-debug: Bump PREALLOC_DMA_DEBUG_ENTRIES 2013-01-24 17:34:18 +01:00
pci-iommu_table.c
pci-nommu.c X86: integrate CMA with DMA-mapping subsystem 2012-05-21 15:09:38 +02:00
pci-swiotlb.c X86 & IA64: adapt for dma_map_ops changes 2012-03-28 16:36:31 +02:00
pcspeaker.c
perf_regs.c perf: Fix off by one test in perf_reg_value() 2012-09-19 17:08:40 +02:00
probe_roms.c x86/pci/probe_roms: Add missing __iomem annotation to pci_map_biosrom() 2012-09-05 10:52:25 +02:00
process.c x86: Fix idle consolidation fallout 2013-05-07 16:24:03 +02:00
process_32.c dump_stack: unify debug information printed by show_regs() 2013-04-30 17:04:02 -07:00
process_64.c dump_stack: unify debug information printed by show_regs() 2013-04-30 17:04:02 -07:00
ptrace.c x86: ptrace.c only needs export.h and not the full module.h 2013-02-14 12:56:12 -08:00
pvclock.c x86/kvm: Fix pvclock vsyscall fixmap 2013-02-28 08:50:11 +02:00
quirks.c x86, quirks: Shut-up a long-standing gcc warning 2013-04-02 16:03:34 -07:00
reboot.c efi: Make 'efi_enabled' a function to query EFI facilities 2013-01-30 11:51:59 -08:00
reboot_fixups_32.c
relocate_kernel_32.S
relocate_kernel_64.S
resource.c
rtc.c x86: Do full rtc synchronization with ntp 2013-03-15 16:50:26 -07:00
setup.c dump_stack: implement arch-specific hardware description in task dumps 2013-04-30 17:04:02 -07:00
setup_percpu.c x86: Add read_mostly declaration/definition to variables from smp.h 2012-06-14 12:42:11 +02:00
signal.c x86: convert to ksignal 2013-02-14 09:21:17 -05:00
smp.c x86/reboot: Update nonmi_ipi parameter 2012-05-14 11:49:38 +02:00
smpboot.c x86: Use generic idle loop 2013-04-08 17:39:29 +02:00
stacktrace.c
step.c ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL 2013-01-22 10:08:00 -08:00
sys_x86_64.c x86: Fix a typo 2013-01-24 16:22:10 +01:00
syscall_32.c
syscall_64.c x32: If configured, add x32 system calls to system call tables 2012-02-20 12:52:06 -08:00
tboot.c Revert "x86-64/efi: Use EFI to deal with platform wall clock (again)" 2012-12-15 15:20:41 -08:00
tce_64.c Disintegrate asm/system.h for X86 2012-03-28 18:11:12 +01:00
test_nx.c
test_rodata.c x86, extable: Remove open-coded exception table entries in arch/x86/kernel/test_rodata.c 2012-04-20 13:51:38 -07:00
time.c MCA: delete all remaining traces of microchannel bus support. 2012-05-17 19:06:13 -04:00
tls.c make SYSCALL_DEFINE<n>-generated wrappers do asmlinkage_protect 2013-03-03 22:58:33 -05:00
tls.h
topology.c x86, topology: Debug CPU0 hotplug 2012-11-14 15:28:11 -08:00
trace_clock.c tracing,x86: Add a TSC trace_clock 2012-11-13 15:48:27 -05:00
traps.c Merge branch 'x86-kaslr-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-04-30 08:37:24 -07:00
tsc.c x86: tsc: Add support for new S3_NONSTOP feature 2013-03-15 16:51:18 -07:00
tsc_sync.c x86/tsc: Reduce the TSC sync check time for core-siblings 2012-02-22 11:49:40 +01:00
uprobes.c uretprobes/x86: Hijack return address 2013-04-13 15:31:55 +02:00
verify_cpu.S
vm86_32.c x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...) 2013-05-02 20:36:32 -04:00
vmlinux.lds.S x86: Drop always empty .text..page_aligned section 2013-03-11 15:07:56 +01:00
vsmp_64.c x86/apic/x2apic: Limit the vector reservation to the user specified mask 2012-07-06 11:00:22 +02:00
vsyscall_64.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-12-16 15:40:50 -08:00
vsyscall_emu_64.S
vsyscall_trace.h
x86_init.c Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-02-21 18:06:55 -08:00
x8664_ksyms_64.c x86: Improve __phys_addr performance by making use of carry flags and inlining 2012-11-16 16:42:08 -08:00
xsave.c x86, smap: Do not abuse the [f][x]rstor_checking() functions for user space 2012-09-25 15:42:18 -07:00