On Mon, 2022-08-29 at 10:30 +0200, gregkh@linuxfoundation.org wrote:
The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
You need commit 4e3aa9238277 "x86/nospec: Unwreck the RSB stuffing" before this one. I've attached the backport of that for 5.10. I haven't checked the older branches.
Ben.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 332924973725e8cdcc783c175f68cf7e162cb9e5 Mon Sep 17 00:00:00 2001 From: Peter Zijlstra peterz@infradead.org Date: Fri, 19 Aug 2022 13:01:35 +0200 Subject: [PATCH] x86/nospec: Fix i386 RSB stuffing
Turns out that i386 doesn't unconditionally have LFENCE, as such the loop in __FILL_RETURN_BUFFER isn't actually speculation safe on such chips.
Fixes: ba6e31af2be9 ("x86/speculation: Add LFENCE to RSB fill sequence") Reported-by: Ben Hutchings ben@decadent.org.uk Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Link: https://lkml.kernel.org/r/Yv9tj9vbQ9nNlXoY@worktop.programming.kicks-ass.net
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index 10731ccfed37..c936ce9f0c47 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -50,6 +50,7 @@
- the optimal version - two calls, each with their own speculation
- trap should their return address end up getting used, in a loop.
*/ +#ifdef CONFIG_X86_64 #define __FILL_RETURN_BUFFER(reg, nr) \ mov $(nr/2), reg; \ 771: \ @@ -60,6 +61,17 @@ jnz 771b; \ /* barrier for jnz misprediction */ \ lfence; +#else +/*
- i386 doesn't unconditionally have LFENCE, as such it can't
- do a loop.
- */
+#define __FILL_RETURN_BUFFER(reg, nr) \
- .rept nr; \
- __FILL_RETURN_SLOT; \
- .endr; \
- add $(BITS_PER_LONG/8) * nr, %_ASM_SP;
+#endif /*
- Stuff a single RSB slot.