[thirdparty/kernel/stable-queue.git] / queue-5.10 / x86-bugs-fix-the-srso-mitigation-on-zen3-4.patch

From stable+bounces-36112-greg=kroah.com@vger.kernel.org Fri Apr  5 16:21:01 2024
From: Borislav Petkov <bp@alien8.de>
Date: Fri, 5 Apr 2024 16:19:51 +0200
Subject: x86/bugs: Fix the SRSO mitigation on Zen3/4
To: gregkh@linuxfoundation.org
Cc: mingo@kernel.org, torvalds@linux-foundation.org, stable@vger.kernel.org
Message-ID: <20240405141951.GCZhAIh6sy03J5k6iJ@fat_crate.local>
Content-Disposition: inline

From: "Borislav Petkov (AMD)" <bp@alien8.de>

Commit 4535e1a4174c4111d92c5a9a21e542d232e0fcaa upstream.

The original version of the mitigation would patch in the calls to the
untraining routines directly.  That is, the alternative() in UNTRAIN_RET
will patch in the CALL to srso_alias_untrain_ret() directly.

However, even if commit e7c25c441e9e ("x86/cpu: Cleanup the untrain
mess") meant well in trying to clean up the situation, due to micro-
architectural reasons, the untraining routine srso_alias_untrain_ret()
must be the target of a CALL instruction and not of a JMP instruction as
it is done now.

Reshuffle the alternative macros to accomplish that.

Fixes: e7c25c441e9e ("x86/cpu: Cleanup the untrain mess")
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/asm-prototypes.h |    1 +
 arch/x86/include/asm/nospec-branch.h  |   20 ++++++++++++++------
 arch/x86/lib/retpoline.S              |    4 +---
 3 files changed, 16 insertions(+), 9 deletions(-)

--- a/arch/x86/include/asm/asm-prototypes.h
+++ b/arch/x86/include/asm/asm-prototypes.h
@@ -12,6 +12,7 @@
 #include <asm/special_insns.h>
 #include <asm/preempt.h>
 #include <asm/asm.h>
+#include <asm/nospec-branch.h>
 
 #ifndef CONFIG_X86_CMPXCHG64
 extern void cmpxchg8b_emu(void);
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -155,11 +155,20 @@
 .Lskip_rsb_\@:
 .endm
 
+/*
+ * The CALL to srso_alias_untrain_ret() must be patched in directly at
+ * the spot where untraining must be done, ie., srso_alias_untrain_ret()
+ * must be the target of a CALL instruction instead of indirectly
+ * jumping to a wrapper which then calls it. Therefore, this macro is
+ * called outside of __UNTRAIN_RET below, for the time being, before the
+ * kernel can support nested alternatives with arbitrary nesting.
+ */
+.macro CALL_UNTRAIN_RET
 #ifdef CONFIG_CPU_UNRET_ENTRY
-#define CALL_UNTRAIN_RET	"call entry_untrain_ret"
-#else
-#define CALL_UNTRAIN_RET	""
+	ALTERNATIVE_2 "", "call entry_untrain_ret", X86_FEATURE_UNRET, \
+		          "call srso_alias_untrain_ret", X86_FEATURE_SRSO_ALIAS
 #endif
+.endm
 
 /*
  * Mitigate RETBleed for AMD/Hygon Zen uarch. Requires KERNEL CR3 because the
@@ -176,9 +185,8 @@
 #if defined(CONFIG_CPU_UNRET_ENTRY) || defined(CONFIG_CPU_IBPB_ENTRY) || \
 	defined(CONFIG_CPU_SRSO)
 	ANNOTATE_UNRET_END
-	ALTERNATIVE_2 "",						\
-		      CALL_UNTRAIN_RET, X86_FEATURE_UNRET,		\
-		      "call entry_ibpb", X86_FEATURE_ENTRY_IBPB
+	CALL_UNTRAIN_RET
+	ALTERNATIVE "", "call entry_ibpb", X86_FEATURE_ENTRY_IBPB
 #endif
 .endm
 
--- a/arch/x86/lib/retpoline.S
+++ b/arch/x86/lib/retpoline.S
@@ -249,9 +249,7 @@ SYM_CODE_START(srso_return_thunk)
 SYM_CODE_END(srso_return_thunk)
 
 SYM_FUNC_START(entry_untrain_ret)
-	ALTERNATIVE_2 "jmp retbleed_untrain_ret", \
-		      "jmp srso_untrain_ret", X86_FEATURE_SRSO, \
-		      "jmp srso_alias_untrain_ret", X86_FEATURE_SRSO_ALIAS
+	ALTERNATIVE "jmp retbleed_untrain_ret", "jmp srso_untrain_ret", X86_FEATURE_SRSO
 SYM_FUNC_END(entry_untrain_ret)
 __EXPORT_THUNK(entry_untrain_ret)
Commit	Line	Data
3c32162f GKH	1	From stable+bounces-36112-greg=kroah.com@vger.kernel.org Fri Apr 5 16:21:01 2024
	2	From: Borislav Petkov <bp@alien8.de>
	3	Date: Fri, 5 Apr 2024 16:19:51 +0200
	4	Subject: x86/bugs: Fix the SRSO mitigation on Zen3/4
	5	To: gregkh@linuxfoundation.org
	6	Cc: mingo@kernel.org, torvalds@linux-foundation.org, stable@vger.kernel.org
	7	Message-ID: <20240405141951.GCZhAIh6sy03J5k6iJ@fat_crate.local>
	8	Content-Disposition: inline
	9
	10	From: "Borislav Petkov (AMD)" <bp@alien8.de>
	11
	12	Commit 4535e1a4174c4111d92c5a9a21e542d232e0fcaa upstream.
	13
	14	The original version of the mitigation would patch in the calls to the
	15	untraining routines directly. That is, the alternative() in UNTRAIN_RET
	16	will patch in the CALL to srso_alias_untrain_ret() directly.
	17
	18	However, even if commit e7c25c441e9e ("x86/cpu: Cleanup the untrain
	19	mess") meant well in trying to clean up the situation, due to micro-
	20	architectural reasons, the untraining routine srso_alias_untrain_ret()
	21	must be the target of a CALL instruction and not of a JMP instruction as
	22	it is done now.
	23
	24	Reshuffle the alternative macros to accomplish that.
	25
	26	Fixes: e7c25c441e9e ("x86/cpu: Cleanup the untrain mess")
	27	Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
	28	Reviewed-by: Ingo Molnar <mingo@kernel.org>
	29	Cc: stable@kernel.org
	30	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	31	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	32	---
	33	arch/x86/include/asm/asm-prototypes.h \| 1 +
	34	arch/x86/include/asm/nospec-branch.h \| 20 ++++++++++++++------
	35	arch/x86/lib/retpoline.S \| 4 +---
	36	3 files changed, 16 insertions(+), 9 deletions(-)
	37
	38	--- a/arch/x86/include/asm/asm-prototypes.h
	39	+++ b/arch/x86/include/asm/asm-prototypes.h
	40	@@ -12,6 +12,7 @@
	41	#include <asm/special_insns.h>
	42	#include <asm/preempt.h>
	43	#include <asm/asm.h>
	44	+#include <asm/nospec-branch.h>
	45
	46	#ifndef CONFIG_X86_CMPXCHG64
	47	extern void cmpxchg8b_emu(void);
	48	--- a/arch/x86/include/asm/nospec-branch.h
	49	+++ b/arch/x86/include/asm/nospec-branch.h
	50	@@ -155,11 +155,20 @@
	51	.Lskip_rsb_\@:
	52	.endm
	53
	54	+/*
	55	+ * The CALL to srso_alias_untrain_ret() must be patched in directly at
	56	+ * the spot where untraining must be done, ie., srso_alias_untrain_ret()
	57	+ * must be the target of a CALL instruction instead of indirectly
	58	+ * jumping to a wrapper which then calls it. Therefore, this macro is
	59	+ * called outside of __UNTRAIN_RET below, for the time being, before the
	60	+ * kernel can support nested alternatives with arbitrary nesting.
	61	+ */
	62	+.macro CALL_UNTRAIN_RET
	63	#ifdef CONFIG_CPU_UNRET_ENTRY
	64	-#define CALL_UNTRAIN_RET "call entry_untrain_ret"
65	-#else
66	-#define CALL_UNTRAIN_RET ""
67	+ ALTERNATIVE_2 "", "call entry_untrain_ret", X86_FEATURE_UNRET, \
68	+ "call srso_alias_untrain_ret", X86_FEATURE_SRSO_ALIAS
69	#endif
70	+.endm
71
72	/*
73	* Mitigate RETBleed for AMD/Hygon Zen uarch. Requires KERNEL CR3 because the
74	@@ -176,9 +185,8 @@
75	#if defined(CONFIG_CPU_UNRET_ENTRY) \|\| defined(CONFIG_CPU_IBPB_ENTRY) \|\| \
76	defined(CONFIG_CPU_SRSO)
77	ANNOTATE_UNRET_END
78	- ALTERNATIVE_2 "", \
79	- CALL_UNTRAIN_RET, X86_FEATURE_UNRET, \
80	- "call entry_ibpb", X86_FEATURE_ENTRY_IBPB
81	+ CALL_UNTRAIN_RET
82	+ ALTERNATIVE "", "call entry_ibpb", X86_FEATURE_ENTRY_IBPB
83	#endif
84	.endm
85
86	--- a/arch/x86/lib/retpoline.S
87	+++ b/arch/x86/lib/retpoline.S
88	@@ -249,9 +249,7 @@ SYM_CODE_START(srso_return_thunk)
89	SYM_CODE_END(srso_return_thunk)
90
91	SYM_FUNC_START(entry_untrain_ret)
92	- ALTERNATIVE_2 "jmp retbleed_untrain_ret", \
93	- "jmp srso_untrain_ret", X86_FEATURE_SRSO, \
94	- "jmp srso_alias_untrain_ret", X86_FEATURE_SRSO_ALIAS
95	+ ALTERNATIVE "jmp retbleed_untrain_ret", "jmp srso_untrain_ret", X86_FEATURE_SRSO
96	SYM_FUNC_END(entry_untrain_ret)
97	__EXPORT_THUNK(entry_untrain_ret)
98