git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-4.4/x86-speculation-mds-revert-cpu-buffer-clear-on-double-fault-exit.patch
4.4-stable patches
1 From 88640e1dcd089879530a49a8d212d1814678dfe7 Mon Sep 17 00:00:00 2001
2 From: Andy Lutomirski <luto@kernel.org>
3 Date: Tue, 14 May 2019 13:24:39 -0700
4 Subject: x86/speculation/mds: Revert CPU buffer clear on double fault exit
5
6 From: Andy Lutomirski <luto@kernel.org>
7
8 commit 88640e1dcd089879530a49a8d212d1814678dfe7 upstream.
9
10 The double fault ESPFIX path doesn't return to user mode at all --
11 it returns back to the kernel by simulating a #GP fault.
12 prepare_exit_to_usermode() will run on the way out of
13 general_protection before running user code.
14
15 Signed-off-by: Andy Lutomirski <luto@kernel.org>
16 Cc: Borislav Petkov <bp@suse.de>
17 Cc: Frederic Weisbecker <frederic@kernel.org>
18 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 Cc: Jon Masters <jcm@redhat.com>
20 Cc: Linus Torvalds <torvalds@linux-foundation.org>
21 Cc: Peter Zijlstra <peterz@infradead.org>
22 Cc: Thomas Gleixner <tglx@linutronix.de>
23 Cc: stable@vger.kernel.org
24 Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
25 Link: http://lkml.kernel.org/r/ac97612445c0a44ee10374f6ea79c222fe22a5c4.1557865329.git.luto@kernel.org
26 Signed-off-by: Ingo Molnar <mingo@kernel.org>
27 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
28
29 ---
30 Documentation/x86/mds.rst | 7 -------
31 arch/x86/kernel/traps.c | 8 --------
32 2 files changed, 15 deletions(-)
33
34 --- a/Documentation/x86/mds.rst
35 +++ b/Documentation/x86/mds.rst
36 @@ -158,13 +158,6 @@ Mitigation points
37 mitigated on the return from do_nmi() to provide almost complete
38 coverage.
39
40 - - Double fault (#DF):
41 -
42 - A double fault is usually fatal, but the ESPFIX workaround, which can
43 - be triggered from user space through modify_ldt(2) is a recoverable
44 - double fault. #DF uses the paranoid exit path, so explicit mitigation
45 - in the double fault handler is required.
46 -
47 - Machine Check Exception (#MC):
48
49 Another corner case is a #MC which hits between the CPU buffer clear
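Review bot: Dropping the whole "Double fault (#DF)" bullet leaves the "Mitigation points" list silent about the ESPFIX case, so a reader auditing exit paths cannot tell whether #DF was considered or overlooked. Rather than deleting it outright, consider keeping a short entry saying that the recoverable ESPFIX double fault, reachable from user space through modify_ldt(2), returns to the kernel by simulating a #GP and is therefore covered by the regular exit-to-user clear, which is the reasoning given in the commit message.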
50 --- a/arch/x86/kernel/traps.c
51 +++ b/arch/x86/kernel/traps.c
52 @@ -61,7 +61,6 @@
53 #include <asm/alternative.h>
54 #include <asm/fpu/xstate.h>
55 #include <asm/trace/mpx.h>
56 -#include <asm/nospec-branch.h>
57 #include <asm/mpx.h>
58 #include <asm/vm86.h>
59
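Review bot: The removal of `#include <asm/nospec-branch.h>` is only safe if mds_user_clear_cpu_buffers() was the sole user of that header in traps.c, and the visible lines show just that one call being removed. Please confirm with a build of the 4.4 tree that nothing else in this file depends on the header, directly or through a config-dependent path, and mention the include cleanup in the changelog, which currently only talks about the buffer clear.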
60 @@ -338,13 +337,6 @@ dotraplinkage void do_double_fault(struc
61 regs->ip = (unsigned long)general_protection;
62 regs->sp = (unsigned long)&normal_regs->orig_ax;
63
64 - /*
65 - * This situation can be triggered by userspace via
66 - * modify_ldt(2) and the return does not take the regular
67 - * user space exit, so a CPU buffer clear is required when
68 - * MDS mitigation is enabled.
69 - */
70 - mds_user_clear_cpu_buffers();
71 return;
72 }
73 #endif
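Review bot: Once the comment block and the mds_user_clear_cpu_buffers() call after `regs->sp = (unsigned long)&normal_regs->orig_ax;` are gone, the ESPFIX branch of do_double_fault() no longer says why no CPU buffer clear is needed before `return;`. Suggest a one-line comment next to `regs->ip = (unsigned long)general_protection;` noting that this return goes back to the kernel and that the clear happens when general_protection exits through prepare_exit_to_usermode(), as the commit message states. Because this is the 4.4 queue, it is also worth confirming that the 4.4 backport of 04dcbdb80578 performs the clear on that exit path, since the lines shown here do not demonstrate it.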