- Linux-stable-mirror - lists.linaro.org

[Linux-stable-mirror] Patch "x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end} to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end} From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:02:44 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit b5c4ae4f35325d520b230bab6eb3310613b72ac1 In preparation for converting some __uaccess_begin() instances to __uacess_begin_nospec(), make sure all 'from user' uaccess paths are using the _begin(), _end() helpers rather than open-coded stac() and clac(). No functional changes. Suggested-by: Ingo Molnar <mingo(a)redhat.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: Tom Lendacky <thomas.lendacky(a)amd.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: torvalds(a)linux-foundation.org Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727416438.33451.17309465232057176966.stgit@dwi… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/lib/usercopy_32.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/arch/x86/lib/usercopy_32.c +++ b/arch/x86/lib/usercopy_32.c @@ -331,12 +331,12 @@ do { \ unsigned long __copy_user_ll(void *to, const void *from, unsigned long n) { - stac(); + __uaccess_begin(); if (movsl_is_ok(to, from, n)) __copy_user(to, from, n); else n = __copy_user_intel(to, from, n); - clac(); + __uaccess_end(); return n; } EXPORT_SYMBOL(__copy_user_ll); @@ -344,7 +344,7 @@ EXPORT_SYMBOL(__copy_user_ll); unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *from, unsigned long n) { - stac(); + __uaccess_begin(); #ifdef CONFIG_X86_INTEL_USERCOPY if (n > 64 && static_cpu_has(X86_FEATURE_XMM2)) n = __copy_user_intel_nocache(to, from, n); @@ -353,7 +353,7 @@ unsigned long __copy_from_user_ll_nocach #else __copy_user(to, from, n); #endif - clac(); + __uaccess_end(); return n; } EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero); Patches currently in stable-queue which might be from mingo(a)redhat.com are queue-4.14/x86_Introduce_barrier_nospec.patch queue-4.14/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/syscall: Sanitize syscall table de-references under speculation" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/syscall: Sanitize syscall table de-references under speculation to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/syscall: Sanitize syscall table de-references under speculation From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:02:59 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit 2fbd7af5af8665d18bcefae3e9700be07e22b681 The syscall table base is a user controlled function pointer in kernel space. Use array_index_nospec() to prevent any out of bounds speculation. While retpoline prevents speculating into a userspace directed target it does not stop the pointer de-reference, the concern is leaking memory relative to the syscall table base, by observing instruction cache behavior. Reported-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: Andy Lutomirski <luto(a)kernel.org> Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727417984.33451.1216731042505722161.stgit@dwil… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/entry/common.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -21,6 +21,7 @@ #include <linux/export.h> #include <linux/context_tracking.h> #include <linux/user-return-notifier.h> +#include <linux/nospec.h> #include <linux/uprobes.h> #include <linux/livepatch.h> #include <linux/syscalls.h> @@ -284,7 +285,8 @@ __visible void do_syscall_64(struct pt_r * regs->orig_ax, which changes the behavior of some syscalls. */ if (likely((nr & __SYSCALL_MASK) < NR_syscalls)) { - regs->ax = sys_call_table[nr & __SYSCALL_MASK]( + nr = array_index_nospec(nr & __SYSCALL_MASK, NR_syscalls); + regs->ax = sys_call_table[nr]( regs->di, regs->si, regs->dx, regs->r10, regs->r8, regs->r9); } @@ -320,6 +322,7 @@ static __always_inline void do_syscall_3 } if (likely(nr < IA32_NR_syscalls)) { + nr = array_index_nospec(nr, IA32_NR_syscalls); /* * It's possible that a 32-bit syscall implementation * takes a 64-bit parameter but nonetheless assumes that Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.14/x86_Introduce_barrier_nospec.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.14/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.14/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.14/x86alternative_Print_unadorned_pointers.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.14/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.14/Documentation_Document_array_index_nospec.patch queue-4.14/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.14/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.14/scripts-faddr2line-fix-cross_compile-unset-error.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/x86_Implement_array_index_mask_nospec.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.14/moduleretpoline_Warn_about_missing_retpoline_in_module.patch queue-4.14/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.14/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.14/x86nospec_Fix_header_guards_names.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86entry64_Push_extra_regs_right_away.patch queue-4.14/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.14/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.14/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.14/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.14/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/speculation: Use Indirect Branch Prediction Barrier in context switch" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/speculation: Use Indirect Branch Prediction Barrier in context switch to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/speculation: Use Indirect Branch Prediction Barrier in context switch From: Tim Chen tim.c.chen(a)linux.intel.com Date: Mon Jan 29 22:04:47 2018 +0000 From: Tim Chen tim.c.chen(a)linux.intel.com commit 18bf3c3ea8ece8f03b6fc58508f2dfd23c7711c7 Flush indirect branches when switching into a process that marked itself non dumpable. This protects high value processes like gpg better, without having too high performance overhead. If done naïvely, we could switch to a kernel idle thread and then back to the original process, such as: process A -> idle -> process A In such scenario, we do not have to do IBPB here even though the process is non-dumpable, as we are switching back to the same process after a hiatus. To avoid the redundant IBPB, which is expensive, we track the last mm user context ID. The cost is to have an extra u64 mm context id to track the last mm we were using before switching to the init_mm used by idle. Avoiding the extra IBPB is probably worth the extra memory for this common scenario. For those cases where tlb_defer_switch_to_init_mm() returns true (non PCID), lazy tlb will defer switch to init_mm, so we will not be changing the mm for the process A -> idle -> process A switch. So IBPB will be skipped for this case. Thanks to the reviewers and Andy Lutomirski for the suggestion of using ctx_id which got rid of the problem of mm pointer recycling. Signed-off-by: Tim Chen <tim.c.chen(a)linux.intel.com> Signed-off-by: David Woodhouse <dwmw(a)amazon.co.uk> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: ak(a)linux.intel.com Cc: karahmed(a)amazon.de Cc: arjan(a)linux.intel.com Cc: torvalds(a)linux-foundation.org Cc: linux(a)dominikbrodowski.net Cc: peterz(a)infradead.org Cc: bp(a)alien8.de Cc: luto(a)kernel.org Cc: pbonzini(a)redhat.com Cc: gregkh(a)linux-foundation.org Link: https://lkml.kernel.org/r/1517263487-3708-1-git-send-email-dwmw@amazon.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/tlbflush.h | 2 ++ arch/x86/mm/tlb.c | 33 ++++++++++++++++++++++++++++++++- 2 files changed, 34 insertions(+), 1 deletion(-) --- a/arch/x86/include/asm/tlbflush.h +++ b/arch/x86/include/asm/tlbflush.h @@ -174,6 +174,8 @@ struct tlb_state { struct mm_struct *loaded_mm; u16 loaded_mm_asid; u16 next_asid; + /* last user mm's ctx id */ + u64 last_ctx_id; /* * We can be in one of several states: --- a/arch/x86/mm/tlb.c +++ b/arch/x86/mm/tlb.c @@ -6,13 +6,14 @@ #include <linux/interrupt.h> #include <linux/export.h> #include <linux/cpu.h> +#include <linux/debugfs.h> #include <asm/tlbflush.h> #include <asm/mmu_context.h> +#include <asm/nospec-branch.h> #include <asm/cache.h> #include <asm/apic.h> #include <asm/uv/uv.h> -#include <linux/debugfs.h> /* * TLB flushing, formerly SMP-only @@ -247,6 +248,27 @@ void switch_mm_irqs_off(struct mm_struct } else { u16 new_asid; bool need_flush; + u64 last_ctx_id = this_cpu_read(cpu_tlbstate.last_ctx_id); + + /* + * Avoid user/user BTB poisoning by flushing the branch + * predictor when switching between processes. This stops + * one process from doing Spectre-v2 attacks on another. + * + * As an optimization, flush indirect branches only when + * switching into processes that disable dumping. This + * protects high value processes like gpg, without having + * too high performance overhead. IBPB is *expensive*! + * + * This will not flush branches when switching into kernel + * threads. It will also not flush if we switch to idle + * thread and back to the same process. It will flush if we + * switch to a different non-dumpable process. + */ + if (tsk && tsk->mm && + tsk->mm->context.ctx_id != last_ctx_id && + get_dumpable(tsk->mm) != SUID_DUMP_USER) + indirect_branch_prediction_barrier(); if (IS_ENABLED(CONFIG_VMAP_STACK)) { /* @@ -292,6 +314,14 @@ void switch_mm_irqs_off(struct mm_struct trace_tlb_flush_rcuidle(TLB_FLUSH_ON_TASK_SWITCH, 0); } + /* + * Record last user mm's context id, so we can avoid + * flushing branch buffer with IBPB if we switch back + * to the same user. + */ + if (next != &init_mm) + this_cpu_write(cpu_tlbstate.last_ctx_id, next->context.ctx_id); + this_cpu_write(cpu_tlbstate.loaded_mm, next); this_cpu_write(cpu_tlbstate.loaded_mm_asid, new_asid); } @@ -369,6 +399,7 @@ void initialize_tlbstate_and_flush(void) write_cr3(build_cr3(mm->pgd, 0)); /* Reinitialize tlbstate. */ + this_cpu_write(cpu_tlbstate.last_ctx_id, mm->context.ctx_id); this_cpu_write(cpu_tlbstate.loaded_mm_asid, 0); this_cpu_write(cpu_tlbstate.next_asid, 1); this_cpu_write(cpu_tlbstate.ctxs[0].ctx_id, mm->context.ctx_id); Patches currently in stable-queue which might be from tim.c.chen(a)linux.intel.com are queue-4.14/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.14/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.14/x86alternative_Print_unadorned_pointers.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.14/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.14/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.14/x86nospec_Fix_header_guards_names.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.14/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86speculation_Fix_typo_IBRS_ATT_which_should_be_IBRS_ALL.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL From: Darren Kenny darren.kenny(a)oracle.com Date: Fri Feb 2 19:12:20 2018 +0000 From: Darren Kenny darren.kenny(a)oracle.com commit af189c95a371b59f493dbe0f50c0a09724868881 Fixes: 117cc7a908c83 ("x86/retpoline: Fill return stack buffer on vmexit") Signed-off-by: Darren Kenny <darren.kenny(a)oracle.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> Cc: Tom Lendacky <thomas.lendacky(a)amd.com> Cc: Andi Kleen <ak(a)linux.intel.com> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Arjan van de Ven <arjan(a)linux.intel.com> Cc: David Woodhouse <dwmw(a)amazon.co.uk> Link: https://lkml.kernel.org/r/20180202191220.blvgkgutojecxr3b@starbug-vm.ie.ora… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/nospec-branch.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -150,7 +150,7 @@ extern char __indirect_thunk_end[]; * On VMEXIT we must ensure that no RSB predictions learned in the guest * can be followed in the host, by overwriting the RSB completely. Both * retpoline and IBRS mitigations for Spectre v2 need this; only on future - * CPUs with IBRS_ATT *might* it be avoided. + * CPUs with IBRS_ALL *might* it be avoided. */ static inline void vmexit_fill_RSB(void) { Patches currently in stable-queue which might be from darren.kenny(a)oracle.com are queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/x86speculation_Fix_typo_IBRS_ATT_which_should_be_IBRS_ALL.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/spectre: Simplify spectre_v2 command line parsing" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/spectre: Simplify spectre_v2 command line parsing to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86spectre_Simplify_spectre_v2_command_line_parsing.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/spectre: Simplify spectre_v2 command line parsing From: KarimAllah Ahmed karahmed(a)amazon.de Date: Thu Feb 1 11:27:21 2018 +0000 From: KarimAllah Ahmed karahmed(a)amazon.de commit 9005c6834c0ffdfe46afa76656bd9276cca864f6 [dwmw2: Use ARRAY_SIZE] Signed-off-by: KarimAllah Ahmed <karahmed(a)amazon.de> Signed-off-by: David Woodhouse <dwmw(a)amazon.co.uk> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: peterz(a)infradead.org Cc: bp(a)alien8.de Link: https://lkml.kernel.org/r/1517484441-1420-3-git-send-email-dwmw@amazon.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kernel/cpu/bugs.c | 84 +++++++++++++++++++++++++++++---------------- 1 file changed, 55 insertions(+), 29 deletions(-) --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -119,13 +119,13 @@ static inline const char *spectre_v2_mod static void __init spec2_print_if_insecure(const char *reason) { if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) - pr_info("%s\n", reason); + pr_info("%s selected on command line.\n", reason); } static void __init spec2_print_if_secure(const char *reason) { if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) - pr_info("%s\n", reason); + pr_info("%s selected on command line.\n", reason); } static inline bool retp_compiler(void) @@ -140,42 +140,68 @@ static inline bool match_option(const ch return len == arglen && !strncmp(arg, opt, len); } +static const struct { + const char *option; + enum spectre_v2_mitigation_cmd cmd; + bool secure; +} mitigation_options[] = { + { "off", SPECTRE_V2_CMD_NONE, false }, + { "on", SPECTRE_V2_CMD_FORCE, true }, + { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, + { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false }, + { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false }, + { "auto", SPECTRE_V2_CMD_AUTO, false }, +}; + static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) { char arg[20]; - int ret; + int ret, i; + enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO; + + if (cmdline_find_option_bool(boot_command_line, "nospectre_v2")) + return SPECTRE_V2_CMD_NONE; + else { + ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, + sizeof(arg)); + if (ret < 0) + return SPECTRE_V2_CMD_AUTO; - ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, - sizeof(arg)); - if (ret > 0) { - if (match_option(arg, ret, "off")) { - goto disable; - } else if (match_option(arg, ret, "on")) { - spec2_print_if_secure("force enabled on command line."); - return SPECTRE_V2_CMD_FORCE; - } else if (match_option(arg, ret, "retpoline")) { - spec2_print_if_insecure("retpoline selected on command line."); - return SPECTRE_V2_CMD_RETPOLINE; - } else if (match_option(arg, ret, "retpoline,amd")) { - if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) { - pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n"); - return SPECTRE_V2_CMD_AUTO; - } - spec2_print_if_insecure("AMD retpoline selected on command line."); - return SPECTRE_V2_CMD_RETPOLINE_AMD; - } else if (match_option(arg, ret, "retpoline,generic")) { - spec2_print_if_insecure("generic retpoline selected on command line."); - return SPECTRE_V2_CMD_RETPOLINE_GENERIC; - } else if (match_option(arg, ret, "auto")) { + for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) { + if (!match_option(arg, ret, mitigation_options[i].option)) + continue; + cmd = mitigation_options[i].cmd; + break; + } + + if (i >= ARRAY_SIZE(mitigation_options)) { + pr_err("unknown option (%s). Switching to AUTO select\n", + mitigation_options[i].option); return SPECTRE_V2_CMD_AUTO; } } - if (!cmdline_find_option_bool(boot_command_line, "nospectre_v2")) + if ((cmd == SPECTRE_V2_CMD_RETPOLINE || + cmd == SPECTRE_V2_CMD_RETPOLINE_AMD || + cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) && + !IS_ENABLED(CONFIG_RETPOLINE)) { + pr_err("%s selected but not compiled in. Switching to AUTO select\n", + mitigation_options[i].option); return SPECTRE_V2_CMD_AUTO; -disable: - spec2_print_if_insecure("disabled on command line."); - return SPECTRE_V2_CMD_NONE; + } + + if (cmd == SPECTRE_V2_CMD_RETPOLINE_AMD && + boot_cpu_data.x86_vendor != X86_VENDOR_AMD) { + pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n"); + return SPECTRE_V2_CMD_AUTO; + } + + if (mitigation_options[i].secure) + spec2_print_if_secure(mitigation_options[i].option); + else + spec2_print_if_insecure(mitigation_options[i].option); + + return cmd; } /* Check for Skylake-like CPUs (for RSB handling) */ Patches currently in stable-queue which might be from karahmed(a)amazon.de are queue-4.14/x86spectre_Simplify_spectre_v2_command_line_parsing.patch queue-4.14/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86cpuid_Fix_up_virtual_IBRSIBPBSTIBP_feature_bits_on_Intel.patch queue-4.14/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.14/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.14/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.14/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.14/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.14/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.14/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.14/KVMx86_Update_the_reverse_cpuid_list_to_include_CPUID_7_EDX.patch queue-4.14/x86retpoline_Avoid_retpolines_for_built-in___init_functions.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/spectre: Report get_user mitigation for spectre_v1" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/spectre: Report get_user mitigation for spectre_v1 to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86spectre_Report_get_user_mitigation_for_spectre_v1.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/spectre: Report get_user mitigation for spectre_v1 From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:03:21 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit edfbae53dab8348fca778531be9f4855d2ca0360 Reflect the presence of get_user(), __get_user(), and 'syscall' protections in sysfs. The expectation is that new and better tooling will allow the kernel to grow more usages of array_index_nospec(), for now, only claim mitigation for __user pointer de-references. Reported-by: Jiri Slaby <jslaby(a)suse.cz> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: torvalds(a)linux-foundation.org Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727420158.33451.11658324346540434635.stgit@dwi… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kernel/cpu/bugs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -297,7 +297,7 @@ ssize_t cpu_show_spectre_v1(struct devic { if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1)) return sprintf(buf, "Not affected\n"); - return sprintf(buf, "Vulnerable\n"); + return sprintf(buf, "Mitigation: __user pointer sanitization\n"); } ssize_t cpu_show_spectre_v2(struct device *dev, Patches currently in stable-queue which might be from jslaby(a)suse.cz are queue-4.14/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/retpoline: Avoid retpolines for built-in __init functions" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/retpoline: Avoid retpolines for built-in __init functions to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86retpoline_Avoid_retpolines_for_built-in___init_functions.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/retpoline: Avoid retpolines for built-in __init functions From: David Woodhouse dwmw(a)amazon.co.uk Date: Thu Feb 1 11:27:20 2018 +0000 From: David Woodhouse dwmw(a)amazon.co.uk commit 66f793099a636862a71c59d4a6ba91387b155e0c There's no point in building init code with retpolines, since it runs before any potentially hostile userspace does. And before the retpoline is actually ALTERNATIVEd into place, for much of it. Signed-off-by: David Woodhouse <dwmw(a)amazon.co.uk> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: karahmed(a)amazon.de Cc: peterz(a)infradead.org Cc: bp(a)alien8.de Link: https://lkml.kernel.org/r/1517484441-1420-2-git-send-email-dwmw@amazon.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- include/linux/init.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/include/linux/init.h +++ b/include/linux/init.h @@ -5,6 +5,13 @@ #include <linux/compiler.h> #include <linux/types.h> +/* Built-in __init functions needn't be compiled with retpoline */ +#if defined(RETPOLINE) && !defined(MODULE) +#define __noretpoline __attribute__((indirect_branch("keep"))) +#else +#define __noretpoline +#endif + /* These macros are used to mark some functions or * initialized data (doesn't apply to uninitialized data) * as `initialization' functions. The kernel can take this @@ -40,7 +47,7 @@ /* These are for everybody (although not all archs will actually discard it in modules) */ -#define __init __section(.init.text) __cold __inittrace __latent_entropy +#define __init __section(.init.text) __cold __inittrace __latent_entropy __noretpoline #define __initdata __section(.init.data) #define __initconst __section(.init.rodata) #define __exitdata __section(.exit.data) Patches currently in stable-queue which might be from dwmw(a)amazon.co.uk are queue-4.14/x86spectre_Simplify_spectre_v2_command_line_parsing.patch queue-4.14/x86pti_Mark_constant_arrays_as___initconst.patch queue-4.14/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86cpuid_Fix_up_virtual_IBRSIBPBSTIBP_feature_bits_on_Intel.patch queue-4.14/x86spectre_Fix_spelling_mistake_vunerable-_vulnerable.patch queue-4.14/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.14/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86spectre_Check_CONFIG_RETPOLINE_in_command_line_parser.patch queue-4.14/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.14/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.14/x86speculation_Fix_typo_IBRS_ATT_which_should_be_IBRS_ALL.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.14/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.14/KVMx86_Update_the_reverse_cpuid_list_to_include_CPUID_7_EDX.patch queue-4.14/x86retpoline_Avoid_retpolines_for_built-in___init_functions.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/spectre: Check CONFIG_RETPOLINE in command line parser" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/spectre: Check CONFIG_RETPOLINE in command line parser to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86spectre_Check_CONFIG_RETPOLINE_in_command_line_parser.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/spectre: Check CONFIG_RETPOLINE in command line parser From: Dou Liyang douly.fnst(a)cn.fujitsu.com Date: Tue Jan 30 14:13:50 2018 +0800 From: Dou Liyang douly.fnst(a)cn.fujitsu.com commit 9471eee9186a46893726e22ebb54cade3f9bc043 The spectre_v2 option 'auto' does not check whether CONFIG_RETPOLINE is enabled. As a consequence it fails to emit the appropriate warning and sets feature flags which have no effect at all. Add the missing IS_ENABLED() check. Fixes: da285121560e ("x86/spectre: Add boot time option to select Spectre v2 mitigation") Signed-off-by: Dou Liyang <douly.fnst(a)cn.fujitsu.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: ak(a)linux.intel.com Cc: peterz(a)infradead.org Cc: Tomohiro" <misono.tomohiro(a)jp.fujitsu.com> Cc: dave.hansen(a)intel.com Cc: bp(a)alien8.de Cc: arjan(a)linux.intel.com Cc: dwmw(a)amazon.co.uk Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/f5892721-7528-3647-08fb-f8d10e65ad87@cn.fujitsu.c… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kernel/cpu/bugs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -213,10 +213,10 @@ static void __init spectre_v2_select_mit return; case SPECTRE_V2_CMD_FORCE: - /* FALLTRHU */ case SPECTRE_V2_CMD_AUTO: - goto retpoline_auto; - + if (IS_ENABLED(CONFIG_RETPOLINE)) + goto retpoline_auto; + break; case SPECTRE_V2_CMD_RETPOLINE_AMD: if (IS_ENABLED(CONFIG_RETPOLINE)) goto retpoline_amd; Patches currently in stable-queue which might be from douly.fnst(a)cn.fujitsu.com are queue-4.14/x86spectre_Check_CONFIG_RETPOLINE_in_command_line_parser.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable"" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable" to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86spectre_Fix_spelling_mistake_vunerable-_vulnerable.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable" From: Colin Ian King colin.king(a)canonical.com Date: Tue Jan 30 19:32:18 2018 +0000 From: Colin Ian King colin.king(a)canonical.com commit e698dcdfcda41efd0984de539767b4cddd235f1e Trivial fix to spelling mistake in pr_err error message text. Signed-off-by: Colin Ian King <colin.king(a)canonical.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: Andi Kleen <ak(a)linux.intel.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: kernel-janitors(a)vger.kernel.org Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bp(a)suse.de> Cc: David Woodhouse <dwmw(a)amazon.co.uk> Link: https://lkml.kernel.org/r/20180130193218.9271-1-colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kernel/cpu/bugs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -103,7 +103,7 @@ bool retpoline_module_ok(bool has_retpol if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline) return true; - pr_err("System may be vunerable to spectre v2\n"); + pr_err("System may be vulnerable to spectre v2\n"); spectre_v2_bad_module = true; return false; } Patches currently in stable-queue which might be from colin.king(a)canonical.com are queue-4.14/x86spectre_Fix_spelling_mistake_vunerable-_vulnerable.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/pti: Mark constant arrays as __initconst" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/pti: Mark constant arrays as __initconst to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86pti_Mark_constant_arrays_as___initconst.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/pti: Mark constant arrays as __initconst From: Arnd Bergmann arnd(a)arndb.de Date: Fri Feb 2 22:39:23 2018 +0100 From: Arnd Bergmann arnd(a)arndb.de commit 4bf5d56d429cbc96c23d809a08f63cd29e1a702e I'm seeing build failures from the two newly introduced arrays that are marked 'const' and '__initdata', which are mutually exclusive: arch/x86/kernel/cpu/common.c:882:43: error: 'cpu_no_speculation' causes a section type conflict with 'e820_table_firmware_init' arch/x86/kernel/cpu/common.c:895:43: error: 'cpu_no_meltdown' causes a section type conflict with 'e820_table_firmware_init' The correct annotation is __initconst. Fixes: fec9434a12f3 ("x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: Ricardo Neri <ricardo.neri-calderon(a)linux.intel.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bp(a)suse.de> Cc: Thomas Garnier <thgarnie(a)google.com> Cc: David Woodhouse <dwmw(a)amazon.co.uk> Link: https://lkml.kernel.org/r/20180202213959.611210-1-arnd@arndb.de Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kernel/cpu/common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -876,7 +876,7 @@ static void identify_cpu_without_cpuid(s #endif } -static const __initdata struct x86_cpu_id cpu_no_speculation[] = { +static const __initconst struct x86_cpu_id cpu_no_speculation[] = { { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CEDARVIEW, X86_FEATURE_ANY }, { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CLOVERVIEW, X86_FEATURE_ANY }, { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_LINCROFT, X86_FEATURE_ANY }, @@ -889,7 +889,7 @@ static const __initdata struct x86_cpu_i {} }; -static const __initdata struct x86_cpu_id cpu_no_meltdown[] = { +static const __initconst struct x86_cpu_id cpu_no_meltdown[] = { { X86_VENDOR_AMD }, {} }; Patches currently in stable-queue which might be from arnd(a)arndb.de are queue-4.14/x86pti_Mark_constant_arrays_as___initconst.patch queue-4.14/auxdisplay-img-ascii-lcd-add-missing-module_description-author-license.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/paravirt: Remove 'noreplace-paravirt' cmdline option" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/paravirt: Remove 'noreplace-paravirt' cmdline option to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/paravirt: Remove 'noreplace-paravirt' cmdline option From: Josh Poimboeuf jpoimboe(a)redhat.com Date: Tue Jan 30 22:13:33 2018 -0600 From: Josh Poimboeuf jpoimboe(a)redhat.com commit 12c69f1e94c89d40696e83804dd2f0965b5250cd The 'noreplace-paravirt' option disables paravirt patching, leaving the original pv indirect calls in place. That's highly incompatible with retpolines, unless we want to uglify paravirt even further and convert the paravirt calls to retpolines. As far as I can tell, the option doesn't seem to be useful for much other than introducing surprising corner cases and making the kernel vulnerable to Spectre v2. It was probably a debug option from the early paravirt days. So just remove it. Signed-off-by: Josh Poimboeuf <jpoimboe(a)redhat.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Juergen Gross <jgross(a)suse.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Andi Kleen <ak(a)linux.intel.com> Cc: Ashok Raj <ashok.raj(a)intel.com> Cc: Greg KH <gregkh(a)linuxfoundation.org> Cc: Jun Nakajima <jun.nakajima(a)intel.com> Cc: Tim Chen <tim.c.chen(a)linux.intel.com> Cc: Rusty Russell <rusty(a)rustcorp.com.au> Cc: Dave Hansen <dave.hansen(a)intel.com> Cc: Asit Mallick <asit.k.mallick(a)intel.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Jason Baron <jbaron(a)akamai.com> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Alok Kataria <akataria(a)vmware.com> Cc: Arjan Van De Ven <arjan.van.de.ven(a)intel.com> Cc: David Woodhouse <dwmw2(a)infradead.org> Cc: Dan Williams <dan.j.williams(a)intel.com> Link: https://lkml.kernel.org/r/20180131041333.2x6blhxirc2kclrq@treble Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- Documentation/admin-guide/kernel-parameters.txt | 2 -- arch/x86/kernel/alternative.c | 14 -------------- 2 files changed, 16 deletions(-) --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2718,8 +2718,6 @@ norandmaps Don't use address space randomization. Equivalent to echo 0 > /proc/sys/kernel/randomize_va_space - noreplace-paravirt [X86,IA-64,PV_OPS] Don't patch paravirt_ops - noreplace-smp [X86-32,SMP] Don't replace SMP instructions with UP alternatives --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -46,17 +46,6 @@ static int __init setup_noreplace_smp(ch } __setup("noreplace-smp", setup_noreplace_smp); -#ifdef CONFIG_PARAVIRT -static int __initdata_or_module noreplace_paravirt = 0; - -static int __init setup_noreplace_paravirt(char *str) -{ - noreplace_paravirt = 1; - return 1; -} -__setup("noreplace-paravirt", setup_noreplace_paravirt); -#endif - #define DPRINTK(fmt, args...) \ do { \ if (debug_alternative) \ @@ -599,9 +588,6 @@ void __init_or_module apply_paravirt(str struct paravirt_patch_site *p; char insnbuf[MAX_PATCH_LEN]; - if (noreplace_paravirt) - return; - for (p = start; p < end; p++) { unsigned int used; Patches currently in stable-queue which might be from jpoimboe(a)redhat.com are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86alternative_Print_unadorned_pointers.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.14/x86nospec_Fix_header_guards_names.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/mm: Fix overlap of i386 CPU_ENTRY_AREA with FIX_BTMAP" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/mm: Fix overlap of i386 CPU_ENTRY_AREA with FIX_BTMAP to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86mm_Fix_overlap_of_i386_CPU_ENTRY_AREA_with_FIX_BTMAP.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/mm: Fix overlap of i386 CPU_ENTRY_AREA with FIX_BTMAP From: William Grant william.grant(a)canonical.com Date: Tue Jan 30 22:22:55 2018 +1100 From: William Grant william.grant(a)canonical.com commit 55f49fcb879fbeebf2a8c1ac7c9e6d90df55f798 Since commit 92a0f81d8957 ("x86/cpu_entry_area: Move it out of the fixmap"), i386's CPU_ENTRY_AREA has been mapped to the memory area just below FIXADDR_START. But already immediately before FIXADDR_START is the FIX_BTMAP area, which means that early_ioremap can collide with the entry area. It's especially bad on PAE where FIX_BTMAP_BEGIN gets aligned to exactly match CPU_ENTRY_AREA_BASE, so the first early_ioremap slot clobbers the IDT and causes interrupts during early boot to reset the system. The overlap wasn't a problem before the CPU entry area was introduced, as the fixmap has classically been preceded by the pkmap or vmalloc areas, neither of which is used until early_ioremap is out of the picture. Relocate CPU_ENTRY_AREA to below FIX_BTMAP, not just below the permanent fixmap area. Fixes: commit 92a0f81d8957 ("x86/cpu_entry_area: Move it out of the fixmap") Signed-off-by: William Grant <william.grant(a)canonical.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/7041d181-a019-e8b9-4e4e-48215f841e2c@canonical.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/fixmap.h | 6 ++++-- arch/x86/include/asm/pgtable_32_types.h | 5 +++-- 2 files changed, 7 insertions(+), 4 deletions(-) --- a/arch/x86/include/asm/fixmap.h +++ b/arch/x86/include/asm/fixmap.h @@ -137,8 +137,10 @@ enum fixed_addresses { extern void reserve_top_address(unsigned long reserve); -#define FIXADDR_SIZE (__end_of_permanent_fixed_addresses << PAGE_SHIFT) -#define FIXADDR_START (FIXADDR_TOP - FIXADDR_SIZE) +#define FIXADDR_SIZE (__end_of_permanent_fixed_addresses << PAGE_SHIFT) +#define FIXADDR_START (FIXADDR_TOP - FIXADDR_SIZE) +#define FIXADDR_TOT_SIZE (__end_of_fixed_addresses << PAGE_SHIFT) +#define FIXADDR_TOT_START (FIXADDR_TOP - FIXADDR_TOT_SIZE) extern int fixmaps_set; --- a/arch/x86/include/asm/pgtable_32_types.h +++ b/arch/x86/include/asm/pgtable_32_types.h @@ -44,8 +44,9 @@ extern bool __vmalloc_start_set; /* set */ #define CPU_ENTRY_AREA_PAGES (NR_CPUS * 40) -#define CPU_ENTRY_AREA_BASE \ - ((FIXADDR_START - PAGE_SIZE * (CPU_ENTRY_AREA_PAGES + 1)) & PMD_MASK) +#define CPU_ENTRY_AREA_BASE \ + ((FIXADDR_TOT_START - PAGE_SIZE * (CPU_ENTRY_AREA_PAGES + 1)) \ + & PMD_MASK) #define PKMAP_BASE \ ((CPU_ENTRY_AREA_BASE - PAGE_SIZE) & PMD_MASK) Patches currently in stable-queue which might be from william.grant(a)canonical.com are queue-4.14/x86mm_Fix_overlap_of_i386_CPU_ENTRY_AREA_with_FIX_BTMAP.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/get_user: Use pointer masking to limit speculation" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/get_user: Use pointer masking to limit speculation to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86get_user_Use_pointer_masking_to_limit_speculation.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/get_user: Use pointer masking to limit speculation From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:02:54 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit c7f631cb07e7da06ac1d231ca178452339e32a94 Quoting Linus: I do think that it would be a good idea to very expressly document the fact that it's not that the user access itself is unsafe. I do agree that things like "get_user()" want to be protected, but not because of any direct bugs or problems with get_user() and friends, but simply because get_user() is an excellent source of a pointer that is obviously controlled from a potentially attacking user space. So it's a prime candidate for then finding _subsequent_ accesses that can then be used to perturb the cache. Unlike the __get_user() case get_user() includes the address limit check near the pointer de-reference. With that locality the speculation can be mitigated with pointer narrowing rather than a barrier, i.e. array_index_nospec(). Where the narrowing is performed by: cmp %limit, %ptr sbb %mask, %mask and %mask, %ptr With respect to speculation the value of %ptr is either less than %limit or NULL. Co-developed-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: Kees Cook <keescook(a)chromium.org> Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: torvalds(a)linux-foundation.org Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727417469.33451.11804043010080838495.stgit@dwi… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/lib/getuser.S | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/arch/x86/lib/getuser.S +++ b/arch/x86/lib/getuser.S @@ -40,6 +40,8 @@ ENTRY(__get_user_1) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 1: movzbl (%_ASM_AX),%edx xor %eax,%eax @@ -54,6 +56,8 @@ ENTRY(__get_user_2) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 2: movzwl -1(%_ASM_AX),%edx xor %eax,%eax @@ -68,6 +72,8 @@ ENTRY(__get_user_4) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 3: movl -3(%_ASM_AX),%edx xor %eax,%eax @@ -83,6 +89,8 @@ ENTRY(__get_user_8) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 4: movq -7(%_ASM_AX),%rdx xor %eax,%eax @@ -94,6 +102,8 @@ ENTRY(__get_user_8) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user_8 + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 4: movl -7(%_ASM_AX),%edx 5: movl -3(%_ASM_AX),%ecx Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.14/x86_Introduce_barrier_nospec.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.14/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.14/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.14/x86alternative_Print_unadorned_pointers.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.14/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.14/Documentation_Document_array_index_nospec.patch queue-4.14/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.14/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.14/scripts-faddr2line-fix-cross_compile-unset-error.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/x86_Implement_array_index_mask_nospec.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.14/moduleretpoline_Warn_about_missing_retpoline_in_module.patch queue-4.14/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.14/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.14/x86nospec_Fix_header_guards_names.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86entry64_Push_extra_regs_right_away.patch queue-4.14/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.14/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.14/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.14/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.14/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/kvm: Update spectre-v1 mitigation" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/kvm: Update spectre-v1 mitigation to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86kvm_Update_spectre-v1_mitigation.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/kvm: Update spectre-v1 mitigation From: Dan Williams dan.j.williams(a)intel.com Date: Wed Jan 31 17:47:03 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit 085331dfc6bbe3501fb936e657331ca943827600 Commit 75f139aaf896 "KVM: x86: Add memory barrier on vmcs field lookup" added a raw 'asm("lfence");' to prevent a bounds check bypass of 'vmcs_field_to_offset_table'. The lfence can be avoided in this path by using the array_index_nospec() helper designed for these types of fixes. Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Acked-by: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Andrew Honig <ahonig(a)google.com> Cc: kvm(a)vger.kernel.org Cc: Jim Mattson <jmattson(a)google.com> Link: https://lkml.kernel.org/r/151744959670.6342.3001723920950249067.stgit@dwill… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kvm/vmx.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -34,6 +34,7 @@ #include <linux/tboot.h> #include <linux/hrtimer.h> #include <linux/frame.h> +#include <linux/nospec.h> #include "kvm_cache_regs.h" #include "x86.h" @@ -887,21 +888,18 @@ static const unsigned short vmcs_field_t static inline short vmcs_field_to_offset(unsigned long field) { - BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX); + const size_t size = ARRAY_SIZE(vmcs_field_to_offset_table); + unsigned short offset; - if (field >= ARRAY_SIZE(vmcs_field_to_offset_table)) + BUILD_BUG_ON(size > SHRT_MAX); + if (field >= size) return -ENOENT; - /* - * FIXME: Mitigation for CVE-2017-5753. To be replaced with a - * generic mechanism. - */ - asm("lfence"); - - if (vmcs_field_to_offset_table[field] == 0) + field = array_index_nospec(field, size); + offset = vmcs_field_to_offset_table[field]; + if (offset == 0) return -ENOENT; - - return vmcs_field_to_offset_table[field]; + return offset; } static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu) Patches currently in stable-queue which might be from dan.j.williams(a)intel.com are queue-4.14/x86kvm_Update_spectre-v1_mitigation.patch queue-4.14/x86_Introduce_barrier_nospec.patch queue-4.14/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.14/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.14/Documentation_Document_array_index_nospec.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/x86_Implement_array_index_mask_nospec.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.14/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.14/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.14/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/entry/64: Push extra regs right away" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/entry/64: Push extra regs right away to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86entry64_Push_extra_regs_right_away.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/entry/64: Push extra regs right away From: Andy Lutomirski luto(a)kernel.org Date: Sun Jan 28 10:38:49 2018 -0800 From: Andy Lutomirski luto(a)kernel.org commit d1f7732009e0549eedf8ea1db948dc37be77fd46 With the fast path removed there is no point in splitting the push of the normal and the extra register set. Just push the extra regs right away. [ tglx: Split out from 'x86/entry/64: Remove the SYSCALL64 fast path' ] Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Acked-by: Ingo Molnar <mingo(a)kernel.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Kernel Hardening <kernel-hardening(a)lists.openwall.com> Link: https://lkml.kernel.org/r/462dff8d4d64dfbfc851fbf3130641809d980ecd.15171644… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/entry/entry_64.S | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -232,13 +232,17 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) pushq %r9 /* pt_regs->r9 */ pushq %r10 /* pt_regs->r10 */ pushq %r11 /* pt_regs->r11 */ - sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */ - UNWIND_HINT_REGS extra=0 + pushq %rbx /* pt_regs->rbx */ + pushq %rbp /* pt_regs->rbp */ + pushq %r12 /* pt_regs->r12 */ + pushq %r13 /* pt_regs->r13 */ + pushq %r14 /* pt_regs->r14 */ + pushq %r15 /* pt_regs->r15 */ + UNWIND_HINT_REGS TRACE_IRQS_OFF /* IRQs are off. */ - SAVE_EXTRA_REGS movq %rsp, %rdi call do_syscall_64 /* returns with IRQs disabled */ Patches currently in stable-queue which might be from luto(a)kernel.org are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86pti_Mark_constant_arrays_as___initconst.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86spectre_Fix_spelling_mistake_vunerable-_vulnerable.patch queue-4.14/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86entry64_Push_extra_regs_right_away.patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/entry/64: Remove the SYSCALL64 fast path" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/entry/64: Remove the SYSCALL64 fast path to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86entry64_Remove_the_SYSCALL64_fast_path.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/entry/64: Remove the SYSCALL64 fast path From: Andy Lutomirski luto(a)kernel.org Date: Sun Jan 28 10:38:49 2018 -0800 From: Andy Lutomirski luto(a)kernel.org commit 21d375b6b34ff511a507de27bf316b3dde6938d9 The SYCALLL64 fast path was a nice, if small, optimization back in the good old days when syscalls were actually reasonably fast. Now there is PTI to slow everything down, and indirect branches are verboten, making everything messier. The retpoline code in the fast path is particularly nasty. Just get rid of the fast path. The slow path is barely slower. [ tglx: Split out the 'push all extra regs' part ] Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Acked-by: Ingo Molnar <mingo(a)kernel.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Kernel Hardening <kernel-hardening(a)lists.openwall.com> Link: https://lkml.kernel.org/r/462dff8d4d64dfbfc851fbf3130641809d980ecd.15171644… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/entry/entry_64.S | 117 -------------------------------------------- arch/x86/entry/syscall_64.c | 7 -- 2 files changed, 2 insertions(+), 122 deletions(-) --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -237,86 +237,11 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) TRACE_IRQS_OFF - /* - * If we need to do entry work or if we guess we'll need to do - * exit work, go straight to the slow path. - */ - movq PER_CPU_VAR(current_task), %r11 - testl $_TIF_WORK_SYSCALL_ENTRY|_TIF_ALLWORK_MASK, TASK_TI_flags(%r11) - jnz entry_SYSCALL64_slow_path - -entry_SYSCALL_64_fastpath: - /* - * Easy case: enable interrupts and issue the syscall. If the syscall - * needs pt_regs, we'll call a stub that disables interrupts again - * and jumps to the slow path. - */ - TRACE_IRQS_ON - ENABLE_INTERRUPTS(CLBR_NONE) -#if __SYSCALL_MASK == ~0 - cmpq $__NR_syscall_max, %rax -#else - andl $__SYSCALL_MASK, %eax - cmpl $__NR_syscall_max, %eax -#endif - ja 1f /* return -ENOSYS (already in pt_regs->ax) */ - movq %r10, %rcx - - /* - * This call instruction is handled specially in stub_ptregs_64. - * It might end up jumping to the slow path. If it jumps, RAX - * and all argument registers are clobbered. - */ -#ifdef CONFIG_RETPOLINE - movq sys_call_table(, %rax, 8), %rax - call __x86_indirect_thunk_rax -#else - call *sys_call_table(, %rax, 8) -#endif -.Lentry_SYSCALL_64_after_fastpath_call: - - movq %rax, RAX(%rsp) -1: - - /* - * If we get here, then we know that pt_regs is clean for SYSRET64. - * If we see that no exit work is required (which we are required - * to check with IRQs off), then we can go straight to SYSRET64. - */ - DISABLE_INTERRUPTS(CLBR_ANY) - TRACE_IRQS_OFF - movq PER_CPU_VAR(current_task), %r11 - testl $_TIF_ALLWORK_MASK, TASK_TI_flags(%r11) - jnz 1f - - LOCKDEP_SYS_EXIT - TRACE_IRQS_ON /* user mode is traced as IRQs on */ - movq RIP(%rsp), %rcx - movq EFLAGS(%rsp), %r11 - addq $6*8, %rsp /* skip extra regs -- they were preserved */ - UNWIND_HINT_EMPTY - jmp .Lpop_c_regs_except_rcx_r11_and_sysret - -1: - /* - * The fast path looked good when we started, but something changed - * along the way and we need to switch to the slow path. Calling - * raise(3) will trigger this, for example. IRQs are off. - */ - TRACE_IRQS_ON - ENABLE_INTERRUPTS(CLBR_ANY) - SAVE_EXTRA_REGS - movq %rsp, %rdi - call syscall_return_slowpath /* returns with IRQs disabled */ - jmp return_from_SYSCALL_64 - -entry_SYSCALL64_slow_path: /* IRQs are off. */ SAVE_EXTRA_REGS movq %rsp, %rdi call do_syscall_64 /* returns with IRQs disabled */ -return_from_SYSCALL_64: TRACE_IRQS_IRETQ /* we're about to change IF */ /* @@ -389,7 +314,6 @@ syscall_return_via_sysret: /* rcx and r11 are already restored (see code above) */ UNWIND_HINT_EMPTY POP_EXTRA_REGS -.Lpop_c_regs_except_rcx_r11_and_sysret: popq %rsi /* skip r11 */ popq %r10 popq %r9 @@ -420,47 +344,6 @@ syscall_return_via_sysret: USERGS_SYSRET64 END(entry_SYSCALL_64) -ENTRY(stub_ptregs_64) - /* - * Syscalls marked as needing ptregs land here. - * If we are on the fast path, we need to save the extra regs, - * which we achieve by trying again on the slow path. If we are on - * the slow path, the extra regs are already saved. - * - * RAX stores a pointer to the C function implementing the syscall. - * IRQs are on. - */ - cmpq $.Lentry_SYSCALL_64_after_fastpath_call, (%rsp) - jne 1f - - /* - * Called from fast path -- disable IRQs again, pop return address - * and jump to slow path - */ - DISABLE_INTERRUPTS(CLBR_ANY) - TRACE_IRQS_OFF - popq %rax - UNWIND_HINT_REGS extra=0 - jmp entry_SYSCALL64_slow_path - -1: - JMP_NOSPEC %rax /* Called from C */ -END(stub_ptregs_64) - -.macro ptregs_stub func -ENTRY(ptregs_\func) - UNWIND_HINT_FUNC - leaq \func(%rip), %rax - jmp stub_ptregs_64 -END(ptregs_\func) -.endm - -/* Instantiate ptregs_stub for each ptregs-using syscall */ -#define __SYSCALL_64_QUAL_(sym) -#define __SYSCALL_64_QUAL_ptregs(sym) ptregs_stub sym -#define __SYSCALL_64(nr, sym, qual) __SYSCALL_64_QUAL_##qual(sym) -#include <asm/syscalls_64.h> - /* * %rdi: prev task * %rsi: next task --- a/arch/x86/entry/syscall_64.c +++ b/arch/x86/entry/syscall_64.c @@ -7,14 +7,11 @@ #include <asm/asm-offsets.h> #include <asm/syscall.h> -#define __SYSCALL_64_QUAL_(sym) sym -#define __SYSCALL_64_QUAL_ptregs(sym) ptregs_##sym - -#define __SYSCALL_64(nr, sym, qual) extern asmlinkage long __SYSCALL_64_QUAL_##qual(sym)(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); +#define __SYSCALL_64(nr, sym, qual) extern asmlinkage long sym(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); #include <asm/syscalls_64.h> #undef __SYSCALL_64 -#define __SYSCALL_64(nr, sym, qual) [nr] = __SYSCALL_64_QUAL_##qual(sym), +#define __SYSCALL_64(nr, sym, qual) [nr] = sym, extern long sys_ni_syscall(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); Patches currently in stable-queue which might be from luto(a)kernel.org are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86pti_Mark_constant_arrays_as___initconst.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86spectre_Fix_spelling_mistake_vunerable-_vulnerable.patch queue-4.14/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86entry64_Push_extra_regs_right_away.patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86cpuid_Fix_up_virtual_IBRSIBPBSTIBP_feature_bits_on_Intel.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel From: David Woodhouse dwmw(a)amazon.co.uk Date: Tue Jan 30 14:30:23 2018 +0000 From: David Woodhouse dwmw(a)amazon.co.uk commit 7fcae1118f5fd44a862aa5c3525248e35ee67c3b Despite the fact that all the other code there seems to be doing it, just using set_cpu_cap() in early_intel_init() doesn't actually work. For CPUs with PKU support, setup_pku() calls get_cpu_cap() after c->c_init() has set those feature bits. That resets those bits back to what was queried from the hardware. Turning the bits off for bad microcode is easy to fix. That can just use setup_clear_cpu_cap() to force them off for all CPUs. I was less keen on forcing the feature bits *on* that way, just in case of inconsistencies. I appreciate that the kernel is going to get this utterly wrong if CPU features are not consistent, because it has already applied alternatives by the time secondary CPUs are brought up. But at least if setup_force_cpu_cap() isn't being used, we might have a chance of *detecting* the lack of the corresponding bit and either panicking or refusing to bring the offending CPU online. So ensure that the appropriate feature bits are set within get_cpu_cap() regardless of how many extra times it's called. Fixes: 2961298e ("x86/cpufeatures: Clean up Spectre v2 related CPUID flags") Signed-off-by: David Woodhouse <dwmw(a)amazon.co.uk> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: karahmed(a)amazon.de Cc: peterz(a)infradead.org Cc: bp(a)alien8.de Link: https://lkml.kernel.org/r/1517322623-15261-1-git-send-email-dwmw@amazon.co.… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kernel/cpu/common.c | 21 +++++++++++++++++++++ arch/x86/kernel/cpu/intel.c | 27 ++++++++------------------- 2 files changed, 29 insertions(+), 19 deletions(-) --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -726,6 +726,26 @@ static void apply_forced_caps(struct cpu } } +static void init_speculation_control(struct cpuinfo_x86 *c) +{ + /* + * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support, + * and they also have a different bit for STIBP support. Also, + * a hypervisor might have set the individual AMD bits even on + * Intel CPUs, for finer-grained selection of what's available. + * + * We use the AMD bits in 0x8000_0008 EBX as the generic hardware + * features, which are visible in /proc/cpuinfo and used by the + * kernel. So set those accordingly from the Intel bits. + */ + if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) { + set_cpu_cap(c, X86_FEATURE_IBRS); + set_cpu_cap(c, X86_FEATURE_IBPB); + } + if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) + set_cpu_cap(c, X86_FEATURE_STIBP); +} + void get_cpu_cap(struct cpuinfo_x86 *c) { u32 eax, ebx, ecx, edx; @@ -820,6 +840,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c) c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a); init_scattered_cpuid_features(c); + init_speculation_control(c); /* * Clear/Set all flags overridden by options, after probe. --- a/arch/x86/kernel/cpu/intel.c +++ b/arch/x86/kernel/cpu/intel.c @@ -175,28 +175,17 @@ static void early_init_intel(struct cpui if (c->x86 >= 6 && !cpu_has(c, X86_FEATURE_IA64)) c->microcode = intel_get_microcode_revision(); - /* - * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support, - * and they also have a different bit for STIBP support. Also, - * a hypervisor might have set the individual AMD bits even on - * Intel CPUs, for finer-grained selection of what's available. - */ - if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) { - set_cpu_cap(c, X86_FEATURE_IBRS); - set_cpu_cap(c, X86_FEATURE_IBPB); - } - if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) - set_cpu_cap(c, X86_FEATURE_STIBP); - /* Now if any of them are set, check the blacklist and clear the lot */ - if ((cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) || + if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) || + cpu_has(c, X86_FEATURE_INTEL_STIBP) || + cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) || cpu_has(c, X86_FEATURE_STIBP)) && bad_spectre_microcode(c)) { pr_warn("Intel Spectre v2 broken microcode detected; disabling Speculation Control\n"); - clear_cpu_cap(c, X86_FEATURE_IBRS); - clear_cpu_cap(c, X86_FEATURE_IBPB); - clear_cpu_cap(c, X86_FEATURE_STIBP); - clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL); - clear_cpu_cap(c, X86_FEATURE_INTEL_STIBP); + setup_clear_cpu_cap(X86_FEATURE_IBRS); + setup_clear_cpu_cap(X86_FEATURE_IBPB); + setup_clear_cpu_cap(X86_FEATURE_STIBP); + setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL); + setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); } /* Patches currently in stable-queue which might be from dwmw(a)amazon.co.uk are queue-4.14/x86spectre_Simplify_spectre_v2_command_line_parsing.patch queue-4.14/x86pti_Mark_constant_arrays_as___initconst.patch queue-4.14/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86cpuid_Fix_up_virtual_IBRSIBPBSTIBP_feature_bits_on_Intel.patch queue-4.14/x86spectre_Fix_spelling_mistake_vunerable-_vulnerable.patch queue-4.14/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.14/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86spectre_Check_CONFIG_RETPOLINE_in_command_line_parser.patch queue-4.14/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.14/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.14/x86speculation_Fix_typo_IBRS_ATT_which_should_be_IBRS_ALL.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.14/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.14/KVMx86_Update_the_reverse_cpuid_list_to_include_CPUID_7_EDX.patch queue-4.14/x86retpoline_Avoid_retpolines_for_built-in___init_functions.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86: Introduce barrier_nospec" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86: Introduce barrier_nospec to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86_Introduce_barrier_nospec.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86: Introduce barrier_nospec From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:02:33 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit b3d7ad85b80bbc404635dca80f5b129f6242bc7a Rename the open coded form of this instruction sequence from rdtsc_ordered() into a generic barrier primitive, barrier_nospec(). One of the mitigations for Spectre variant1 vulnerabilities is to fence speculative execution after successfully validating a bounds check. I.e. force the result of a bounds check to resolve in the instruction pipeline to ensure speculative execution honors that result before potentially operating on out-of-bounds data. No functional changes. Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Suggested-by: Andi Kleen <ak(a)linux.intel.com> Suggested-by: Ingo Molnar <mingo(a)redhat.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: Tom Lendacky <thomas.lendacky(a)amd.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727415361.33451.9049453007262764675.stgit@dwil… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/barrier.h | 4 ++++ arch/x86/include/asm/msr.h | 3 +-- 2 files changed, 5 insertions(+), 2 deletions(-) --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -48,6 +48,10 @@ static inline unsigned long array_index_ /* Override the default implementation from linux/nospec.h. */ #define array_index_mask_nospec array_index_mask_nospec +/* Prevent speculative execution past this barrier. */ +#define barrier_nospec() alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, \ + "lfence", X86_FEATURE_LFENCE_RDTSC) + #ifdef CONFIG_X86_PPRO_FENCE #define dma_rmb() rmb() #else --- a/arch/x86/include/asm/msr.h +++ b/arch/x86/include/asm/msr.h @@ -214,8 +214,7 @@ static __always_inline unsigned long lon * that some other imaginary CPU is updating continuously with a * time stamp. */ - alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, - "lfence", X86_FEATURE_LFENCE_RDTSC); + barrier_nospec(); return rdtsc(); } Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.14/x86_Introduce_barrier_nospec.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.14/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.14/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.14/x86alternative_Print_unadorned_pointers.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.14/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.14/Documentation_Document_array_index_nospec.patch queue-4.14/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.14/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.14/scripts-faddr2line-fix-cross_compile-unset-error.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/x86_Implement_array_index_mask_nospec.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.14/moduleretpoline_Warn_about_missing_retpoline_in_module.patch queue-4.14/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.14/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.14/x86nospec_Fix_header_guards_names.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86entry64_Push_extra_regs_right_away.patch queue-4.14/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.14/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.14/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.14/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.14/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/asm: Move 'status' from thread_struct to thread_info" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/asm: Move 'status' from thread_struct to thread_info to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86asm_Move_status_from_thread_struct_to_thread_info.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/asm: Move 'status' from thread_struct to thread_info From: Andy Lutomirski luto(a)kernel.org Date: Sun Jan 28 10:38:50 2018 -0800 From: Andy Lutomirski luto(a)kernel.org commit 37a8f7c38339b22b69876d6f5a0ab851565284e3 The TS_COMPAT bit is very hot and is accessed from code paths that mostly also touch thread_info::flags. Move it into struct thread_info to improve cache locality. The only reason it was in thread_struct is that there was a brief period during which arch-specific fields were not allowed in struct thread_info. Linus suggested further changing: ti->status &= ~(TS_COMPAT|TS_I386_REGS_POKED); to: if (unlikely(ti->status & (TS_COMPAT|TS_I386_REGS_POKED))) ti->status &= ~(TS_COMPAT|TS_I386_REGS_POKED); on the theory that frequently dirtying the cacheline even in pure 64-bit code that never needs to modify status hurts performance. That could be a reasonable followup patch, but I suspect it matters less on top of this patch. Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Ingo Molnar <mingo(a)kernel.org> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Kernel Hardening <kernel-hardening(a)lists.openwall.com> Link: https://lkml.kernel.org/r/03148bcc1b217100e6e8ecf6a5468c45cf4304b6.15171644… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/entry/common.c | 4 ++-- arch/x86/include/asm/processor.h | 2 -- arch/x86/include/asm/syscall.h | 6 +++--- arch/x86/include/asm/thread_info.h | 3 ++- arch/x86/kernel/process_64.c | 4 ++-- arch/x86/kernel/ptrace.c | 2 +- arch/x86/kernel/signal.c | 2 +- 7 files changed, 11 insertions(+), 12 deletions(-) --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -208,7 +208,7 @@ __visible inline void prepare_exit_to_us * special case only applies after poking regs and before the * very next return to user mode. */ - current->thread.status &= ~(TS_COMPAT|TS_I386_REGS_POKED); + ti->status &= ~(TS_COMPAT|TS_I386_REGS_POKED); #endif user_enter_irqoff(); @@ -306,7 +306,7 @@ static __always_inline void do_syscall_3 unsigned int nr = (unsigned int)regs->orig_ax; #ifdef CONFIG_IA32_EMULATION - current->thread.status |= TS_COMPAT; + ti->status |= TS_COMPAT; #endif if (READ_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY) { --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -459,8 +459,6 @@ struct thread_struct { unsigned short gsindex; #endif - u32 status; /* thread synchronous flags */ - #ifdef CONFIG_X86_64 unsigned long fsbase; unsigned long gsbase; --- a/arch/x86/include/asm/syscall.h +++ b/arch/x86/include/asm/syscall.h @@ -60,7 +60,7 @@ static inline long syscall_get_error(str * TS_COMPAT is set for 32-bit syscall entries and then * remains set until we return to user mode. */ - if (task->thread.status & (TS_COMPAT|TS_I386_REGS_POKED)) + if (task->thread_info.status & (TS_COMPAT|TS_I386_REGS_POKED)) /* * Sign-extend the value so (int)-EFOO becomes (long)-EFOO * and will match correctly in comparisons. @@ -116,7 +116,7 @@ static inline void syscall_get_arguments unsigned long *args) { # ifdef CONFIG_IA32_EMULATION - if (task->thread.status & TS_COMPAT) + if (task->thread_info.status & TS_COMPAT) switch (i) { case 0: if (!n--) break; @@ -177,7 +177,7 @@ static inline void syscall_set_arguments const unsigned long *args) { # ifdef CONFIG_IA32_EMULATION - if (task->thread.status & TS_COMPAT) + if (task->thread_info.status & TS_COMPAT) switch (i) { case 0: if (!n--) break; --- a/arch/x86/include/asm/thread_info.h +++ b/arch/x86/include/asm/thread_info.h @@ -55,6 +55,7 @@ struct task_struct; struct thread_info { unsigned long flags; /* low level flags */ + u32 status; /* thread synchronous flags */ }; #define INIT_THREAD_INFO(tsk) \ @@ -221,7 +222,7 @@ static inline int arch_within_stack_fram #define in_ia32_syscall() true #else #define in_ia32_syscall() (IS_ENABLED(CONFIG_IA32_EMULATION) && \ - current->thread.status & TS_COMPAT) + current_thread_info()->status & TS_COMPAT) #endif /* --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -557,7 +557,7 @@ static void __set_personality_x32(void) * Pretend to come from a x32 execve. */ task_pt_regs(current)->orig_ax = __NR_x32_execve | __X32_SYSCALL_BIT; - current->thread.status &= ~TS_COMPAT; + current_thread_info()->status &= ~TS_COMPAT; #endif } @@ -571,7 +571,7 @@ static void __set_personality_ia32(void) current->personality |= force_personality32; /* Prepare the first "return" to user space */ task_pt_regs(current)->orig_ax = __NR_ia32_execve; - current->thread.status |= TS_COMPAT; + current_thread_info()->status |= TS_COMPAT; #endif } --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -935,7 +935,7 @@ static int putreg32(struct task_struct * */ regs->orig_ax = value; if (syscall_get_nr(child, regs) >= 0) - child->thread.status |= TS_I386_REGS_POKED; + child->thread_info.status |= TS_I386_REGS_POKED; break; case offsetof(struct user32, regs.eflags): --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -787,7 +787,7 @@ static inline unsigned long get_nr_resta * than the tracee. */ #ifdef CONFIG_IA32_EMULATION - if (current->thread.status & (TS_COMPAT|TS_I386_REGS_POKED)) + if (current_thread_info()->status & (TS_COMPAT|TS_I386_REGS_POKED)) return __NR_ia32_restart_syscall; #endif #ifdef CONFIG_X86_X32_ABI Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.14/x86_Introduce_barrier_nospec.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.14/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.14/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.14/x86alternative_Print_unadorned_pointers.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.14/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.14/Documentation_Document_array_index_nospec.patch queue-4.14/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.14/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.14/scripts-faddr2line-fix-cross_compile-unset-error.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/x86_Implement_array_index_mask_nospec.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.14/moduleretpoline_Warn_about_missing_retpoline_in_module.patch queue-4.14/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.14/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.14/x86nospec_Fix_header_guards_names.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86entry64_Push_extra_regs_right_away.patch queue-4.14/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.14/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.14/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.14/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.14/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:02:39 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd For __get_user() paths, do not allow the kernel to speculate on the value of a user controlled pointer. In addition to the 'stac' instruction for Supervisor Mode Access Protection (SMAP), a barrier_nospec() causes the access_ok() result to resolve in the pipeline before the CPU might take any speculative action on the pointer value. Given the cost of 'stac' the speculation barrier is placed after 'stac' to hopefully overlap the cost of disabling SMAP with the cost of flushing the instruction pipeline. Since __get_user is a major kernel interface that deals with user controlled pointers, the __uaccess_begin_nospec() mechanism will prevent speculative execution past an access_ok() permission check. While speculative execution past access_ok() is not enough to lead to a kernel memory leak, it is a necessary precondition. To be clear, __uaccess_begin_nospec() is addressing a class of potential problems near __get_user() usages. Note, that while the barrier_nospec() in __uaccess_begin_nospec() is used to protect __get_user(), pointer masking similar to array_index_nospec() will be used for get_user() since it incorporates a bounds check near the usage. uaccess_try_nospec provides the same mechanism for get_user_try. No functional changes. Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Suggested-by: Andi Kleen <ak(a)linux.intel.com> Suggested-by: Ingo Molnar <mingo(a)redhat.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: Tom Lendacky <thomas.lendacky(a)amd.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727415922.33451.5796614273104346583.stgit@dwil… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/uaccess.h | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -124,6 +124,11 @@ extern int __get_user_bad(void); #define __uaccess_begin() stac() #define __uaccess_end() clac() +#define __uaccess_begin_nospec() \ +({ \ + stac(); \ + barrier_nospec(); \ +}) /* * This is a type: either unsigned long, if the argument fits into @@ -487,6 +492,10 @@ struct __large_struct { unsigned long bu __uaccess_begin(); \ barrier(); +#define uaccess_try_nospec do { \ + current->thread.uaccess_err = 0; \ + __uaccess_begin_nospec(); \ + #define uaccess_catch(err) \ __uaccess_end(); \ (err) |= (current->thread.uaccess_err ? -EFAULT : 0); \ Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.14/x86_Introduce_barrier_nospec.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.14/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.14/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.14/x86alternative_Print_unadorned_pointers.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.14/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.14/Documentation_Document_array_index_nospec.patch queue-4.14/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.14/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.14/scripts-faddr2line-fix-cross_compile-unset-error.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/x86_Implement_array_index_mask_nospec.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.14/moduleretpoline_Warn_about_missing_retpoline_in_module.patch queue-4.14/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.14/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.14/x86nospec_Fix_header_guards_names.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86entry64_Push_extra_regs_right_away.patch queue-4.14/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.14/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.14/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.14/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.14/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86: Implement array_index_mask_nospec" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86: Implement array_index_mask_nospec to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86_Implement_array_index_mask_nospec.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86: Implement array_index_mask_nospec From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:02:28 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit babdde2698d482b6c0de1eab4f697cf5856c5859 array_index_nospec() uses a mask to sanitize user controllable array indexes, i.e. generate a 0 mask if 'index' >= 'size', and a ~0 mask otherwise. While the default array_index_mask_nospec() handles the carry-bit from the (index - size) result in software. The x86 array_index_mask_nospec() does the same, but the carry-bit is handled in the processor CF flag without conditional instructions in the control flow. Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727414808.33451.1873237130672785331.stgit@dwil… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/barrier.h | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -24,6 +24,30 @@ #define wmb() asm volatile("sfence" ::: "memory") #endif +/** + * array_index_mask_nospec() - generate a mask that is ~0UL when the + * bounds check succeeds and 0 otherwise + * @index: array element index + * @size: number of elements in array + * + * Returns: + * 0 - (index < size) + */ +static inline unsigned long array_index_mask_nospec(unsigned long index, + unsigned long size) +{ + unsigned long mask; + + asm ("cmp %1,%2; sbb %0,%0;" + :"=r" (mask) + :"r"(size),"r" (index) + :"cc"); + return mask; +} + +/* Override the default implementation from linux/nospec.h. */ +#define array_index_mask_nospec array_index_mask_nospec + #ifdef CONFIG_X86_PPRO_FENCE #define dma_rmb() rmb() #else Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.14/x86_Introduce_barrier_nospec.patch queue-4.14/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.14/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.14/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.14/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.14/x86alternative_Print_unadorned_pointers.patch queue-4.14/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.14/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.14/Documentation_Document_array_index_nospec.patch queue-4.14/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.14/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.14/scripts-faddr2line-fix-cross_compile-unset-error.patch queue-4.14/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.14/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.14/KVMx86_Add_IBPB_support.patch queue-4.14/x86_Implement_array_index_mask_nospec.patch queue-4.14/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.14/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.14/moduleretpoline_Warn_about_missing_retpoline_in_module.patch queue-4.14/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.14/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.14/x86nospec_Fix_header_guards_names.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.14/x86entry64_Push_extra_regs_right_away.patch queue-4.14/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.14/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.14/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.14/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.14/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "vfs, fdtable: Prevent bounds-check bypass via speculative execution" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled vfs, fdtable: Prevent bounds-check bypass via speculative execution to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: vfs, fdtable: Prevent bounds-check bypass via speculative execution From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:03:05 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit 56c30ba7b348b90484969054d561f711ba196507 'fd' is a user controlled value that is used as a data dependency to read from the 'fdt->fd' array. In order to avoid potential leaks of kernel memory values, block speculative execution of the instruction stream that could issue reads based on an invalid 'file *' returned from __fcheck_files. Co-developed-by: Elena Reshetova <elena.reshetova(a)intel.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: torvalds(a)linux-foundation.org Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727418500.33451.17392199002892248656.stgit@dwi… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- include/linux/fdtable.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/include/linux/fdtable.h +++ b/include/linux/fdtable.h @@ -10,6 +10,7 @@ #include <linux/compiler.h> #include <linux/spinlock.h> #include <linux/rcupdate.h> +#include <linux/nospec.h> #include <linux/types.h> #include <linux/init.h> #include <linux/fs.h> @@ -82,8 +83,10 @@ static inline struct file *__fcheck_file { struct fdtable *fdt = rcu_dereference_raw(files->fdt); - if (fd < fdt->max_fds) + if (fd < fdt->max_fds) { + fd = array_index_nospec(fd, fdt->max_fds); return rcu_dereference_raw(fdt->fd[fd]); + } return NULL; } Patches currently in stable-queue which might be from elena.reshetova(a)intel.com are queue-4.14/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.14/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "objtool: Improve retpoline alternative handling" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled objtool: Improve retpoline alternative handling to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: objtool_Improve_retpoline_alternative_handling.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: objtool: Improve retpoline alternative handling From: Josh Poimboeuf jpoimboe(a)redhat.com Date: Mon Jan 29 22:00:39 2018 -0600 From: Josh Poimboeuf jpoimboe(a)redhat.com commit a845c7cf4b4cb5e9e3b2823867892b27646f3a98 Currently objtool requires all retpolines to be: a) patched in with alternatives; and b) annotated with ANNOTATE_NOSPEC_ALTERNATIVE. If you forget to do both of the above, objtool segfaults trying to dereference a NULL 'insn->call_dest' pointer. Avoid that situation and print a more helpful error message: quirks.o: warning: objtool: efi_delete_dummy_variable()+0x99: unsupported intra-function call quirks.o: warning: objtool: If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE. Future improvements can be made to make objtool smarter with respect to retpolines, but this is a good incremental improvement for now. Reported-and-tested-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: David Woodhouse <dwmw2(a)infradead.org> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Juergen Gross <jgross(a)suse.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: http://lkml.kernel.org/r/819e50b6d9c2e1a22e34c1a636c0b2057cc8c6e5.151728434… Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- tools/objtool/check.c | 36 ++++++++++++++++-------------------- 1 file changed, 16 insertions(+), 20 deletions(-) --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -543,18 +543,14 @@ static int add_call_destinations(struct dest_off = insn->offset + insn->len + insn->immediate; insn->call_dest = find_symbol_by_offset(insn->sec, dest_off); - /* - * FIXME: Thanks to retpolines, it's now considered - * normal for a function to call within itself. So - * disable this warning for now. - */ -#if 0 - if (!insn->call_dest) { - WARN_FUNC("can't find call dest symbol at offset 0x%lx", - insn->sec, insn->offset, dest_off); + + if (!insn->call_dest && !insn->ignore) { + WARN_FUNC("unsupported intra-function call", + insn->sec, insn->offset); + WARN("If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE."); return -1; } -#endif + } else if (rela->sym->type == STT_SECTION) { insn->call_dest = find_symbol_by_offset(rela->sym->sec, rela->addend+4); @@ -648,6 +644,8 @@ static int handle_group_alt(struct objto last_new_insn = insn; + insn->ignore = orig_insn->ignore_alts; + if (insn->type != INSN_JUMP_CONDITIONAL && insn->type != INSN_JUMP_UNCONDITIONAL) continue; @@ -729,10 +727,6 @@ static int add_special_section_alts(stru goto out; } - /* Ignore retpoline alternatives. */ - if (orig_insn->ignore_alts) - continue; - new_insn = NULL; if (!special_alt->group || special_alt->new_len) { new_insn = find_insn(file, special_alt->new_sec, @@ -1089,11 +1083,11 @@ static int decode_sections(struct objtoo if (ret) return ret; - ret = add_call_destinations(file); + ret = add_special_section_alts(file); if (ret) return ret; - ret = add_special_section_alts(file); + ret = add_call_destinations(file); if (ret) return ret; @@ -1720,10 +1714,12 @@ static int validate_branch(struct objtoo insn->visited = true; - list_for_each_entry(alt, &insn->alts, list) { - ret = validate_branch(file, alt->insn, state); - if (ret) - return 1; + if (!insn->ignore_alts) { + list_for_each_entry(alt, &insn->alts, list) { + ret = validate_branch(file, alt->insn, state); + if (ret) + return 1; + } } switch (insn->type) { Patches currently in stable-queue which might be from linux(a)roeck-us.net are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "objtool: Warn on stripped section symbol" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled objtool: Warn on stripped section symbol to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: objtool_Warn_on_stripped_section_symbol.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: objtool: Warn on stripped section symbol From: Josh Poimboeuf jpoimboe(a)redhat.com Date: Mon Jan 29 22:00:41 2018 -0600 From: Josh Poimboeuf jpoimboe(a)redhat.com commit 830c1e3d16b2c1733cd1ec9c8f4d47a398ae31bc With the following fix: 2a0098d70640 ("objtool: Fix seg fault with gold linker") ... a seg fault was avoided, but the original seg fault condition in objtool wasn't fixed. Replace the seg fault with an error message. Suggested-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: David Woodhouse <dwmw2(a)infradead.org> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Guenter Roeck <linux(a)roeck-us.net> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Juergen Gross <jgross(a)suse.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: http://lkml.kernel.org/r/dc4585a70d6b975c99fc51d1957ccdde7bd52f3a.151728434… Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- tools/objtool/orc_gen.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/tools/objtool/orc_gen.c +++ b/tools/objtool/orc_gen.c @@ -98,6 +98,11 @@ static int create_orc_entry(struct secti struct orc_entry *orc; struct rela *rela; + if (!insn_sec->sym) { + WARN("missing symbol for section %s", insn_sec->name); + return -1; + } + /* populate ORC data */ orc = (struct orc_entry *)u_sec->data->d_buf + idx; memcpy(orc, o, sizeof(*orc)); Patches currently in stable-queue which might be from mingo(a)kernel.org are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.14/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.14/x86entry64_Push_extra_regs_right_away.patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "objtool: Add support for alternatives at the end of a section" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled objtool: Add support for alternatives at the end of a section to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: objtool: Add support for alternatives at the end of a section From: Josh Poimboeuf jpoimboe(a)redhat.com Date: Mon Jan 29 22:00:40 2018 -0600 From: Josh Poimboeuf jpoimboe(a)redhat.com commit 17bc33914bcc98ba3c6b426fd1c49587a25c0597 Now that the previous patch gave objtool the ability to read retpoline alternatives, it shows a new warning: arch/x86/entry/entry_64.o: warning: objtool: .entry_trampoline: don't know how to handle alternatives at end of section This is due to the JMP_NOSPEC in entry_SYSCALL_64_trampoline(). Previously, objtool ignored this situation because it wasn't needed, and it would have required a bit of extra code. Now that this case exists, add proper support for it. Signed-off-by: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: David Woodhouse <dwmw2(a)infradead.org> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Guenter Roeck <linux(a)roeck-us.net> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Juergen Gross <jgross(a)suse.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: http://lkml.kernel.org/r/2a30a3c2158af47d891a76e69bb1ef347e0443fd.151728434… Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- tools/objtool/check.c | 53 +++++++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 22 deletions(-) --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -594,7 +594,7 @@ static int handle_group_alt(struct objto struct instruction *orig_insn, struct instruction **new_insn) { - struct instruction *last_orig_insn, *last_new_insn, *insn, *fake_jump; + struct instruction *last_orig_insn, *last_new_insn, *insn, *fake_jump = NULL; unsigned long dest_off; last_orig_insn = NULL; @@ -610,28 +610,30 @@ static int handle_group_alt(struct objto last_orig_insn = insn; } - if (!next_insn_same_sec(file, last_orig_insn)) { - WARN("%s: don't know how to handle alternatives at end of section", - special_alt->orig_sec->name); - return -1; - } - - fake_jump = malloc(sizeof(*fake_jump)); - if (!fake_jump) { - WARN("malloc failed"); - return -1; + if (next_insn_same_sec(file, last_orig_insn)) { + fake_jump = malloc(sizeof(*fake_jump)); + if (!fake_jump) { + WARN("malloc failed"); + return -1; + } + memset(fake_jump, 0, sizeof(*fake_jump)); + INIT_LIST_HEAD(&fake_jump->alts); + clear_insn_state(&fake_jump->state); + + fake_jump->sec = special_alt->new_sec; + fake_jump->offset = -1; + fake_jump->type = INSN_JUMP_UNCONDITIONAL; + fake_jump->jump_dest = list_next_entry(last_orig_insn, list); + fake_jump->ignore = true; } - memset(fake_jump, 0, sizeof(*fake_jump)); - INIT_LIST_HEAD(&fake_jump->alts); - clear_insn_state(&fake_jump->state); - - fake_jump->sec = special_alt->new_sec; - fake_jump->offset = -1; - fake_jump->type = INSN_JUMP_UNCONDITIONAL; - fake_jump->jump_dest = list_next_entry(last_orig_insn, list); - fake_jump->ignore = true; if (!special_alt->new_len) { + if (!fake_jump) { + WARN("%s: empty alternative at end of section", + special_alt->orig_sec->name); + return -1; + } + *new_insn = fake_jump; return 0; } @@ -654,8 +656,14 @@ static int handle_group_alt(struct objto continue; dest_off = insn->offset + insn->len + insn->immediate; - if (dest_off == special_alt->new_off + special_alt->new_len) + if (dest_off == special_alt->new_off + special_alt->new_len) { + if (!fake_jump) { + WARN("%s: alternative jump to end of section", + special_alt->orig_sec->name); + return -1; + } insn->jump_dest = fake_jump; + } if (!insn->jump_dest) { WARN_FUNC("can't find alternative jump destination", @@ -670,7 +678,8 @@ static int handle_group_alt(struct objto return -1; } - list_add(&fake_jump->list, &last_new_insn->list); + if (fake_jump) + list_add(&fake_jump->list, &last_new_insn->list); return 0; } Patches currently in stable-queue which might be from jpoimboe(a)redhat.com are queue-4.14/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.14/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.14/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.14/x86alternative_Print_unadorned_pointers.patch queue-4.14/x86retpoline_Remove_the_esprsp_thunk.patch queue-4.14/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.14/x86nospec_Fix_header_guards_names.patch queue-4.14/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.14/objtool_Warn_on_stripped_section_symbol.patch queue-4.14/objtool_Improve_retpoline_alternative_handling.patch

7 years, 9 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror