From: Greg Kroah-Hartman Date: Tue, 20 Feb 2018 08:46:37 +0000 (+0100) Subject: 4.15-stable patches X-Git-Tag: v4.15.5~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=147ec77a309ace947c5be866218f3d3aa5f5f47c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.15-stable patches added patches: compiler-gcc.h-__nostackprotector-needs-gcc-4.4-and-up.patch compiler-gcc.h-introduce-__optimize-function-attribute.patch crypto-sun4i_ss_prng-convert-lock-to-_bh-in-sun4i_ss_prng_generate.patch crypto-sun4i_ss_prng-fix-return-value-of-sun4i_ss_prng_generate.patch kvm-nvmx-set-the-cpu_based_use_msr_bitmaps-if-we-have-a-valid-l02-msr-bitmap.patch kvm-x86-reduce-retpoline-performance-impact-in-slot_handle_level_range-by-always-inlining-iterator-helper-methods.patch powerpc-mm-radix-split-linear-mapping-on-hot-unplug.patch revert-x86-speculation-simplify-indirect_branch_prediction_barrier.patch x86-entry-64-clear-extra-registers-beyond-syscall-arguments-to-reduce-speculation-attack-surface.patch x86-entry-64-compat-clear-registers-for-compat-syscalls-to-reduce-speculation-attack-surface.patch x86-mm-pti-fix-pti-comment-in-entry_syscall_64.patch x86-nvmx-properly-set-spec_ctrl-and-pred_cmd-before-merging-msrs.patch x86-speculation-clean-up-various-spectre-related-details.patch x86-speculation-correct-speculation-control-microcode-blacklist-again.patch x86-speculation-update-speculation-control-microcode-blacklist.patch --- diff --git a/queue-4.15/compiler-gcc.h-__nostackprotector-needs-gcc-4.4-and-up.patch b/queue-4.15/compiler-gcc.h-__nostackprotector-needs-gcc-4.4-and-up.patch new file mode 100644 index 00000000000..a4722de0c2d --- /dev/null +++ b/queue-4.15/compiler-gcc.h-__nostackprotector-needs-gcc-4.4-and-up.patch @@ -0,0 +1,45 @@ +From d9afaaa4ff7af8b87d4a205e48cb8a6f666d7f01 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 1 Feb 2018 11:21:59 +0100 +Subject: compiler-gcc.h: __nostackprotector needs gcc-4.4 and up +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +commit d9afaaa4ff7af8b87d4a205e48cb8a6f666d7f01 upstream. + +Gcc versions before 4.4 do not recognize the __optimize__ compiler +attribute: + + warning: ‘__optimize__’ attribute directive ignored + +Fixes: 7375ae3a0b79ea07 ("compiler-gcc.h: Introduce __nostackprotector function attribute") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/compiler-gcc.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -167,8 +167,6 @@ + + #if GCC_VERSION >= 40100 + # define __compiletime_object_size(obj) __builtin_object_size(obj, 0) +- +-#define __nostackprotector __attribute__((__optimize__("no-stack-protector"))) + #endif + + #if GCC_VERSION >= 40300 +@@ -198,6 +196,7 @@ + + #if GCC_VERSION >= 40400 + #define __optimize(level) __attribute__((__optimize__(level))) ++#define __nostackprotector __optimize("no-stack-protector") + #endif /* GCC_VERSION >= 40400 */ + + #if GCC_VERSION >= 40500 diff --git a/queue-4.15/compiler-gcc.h-introduce-__optimize-function-attribute.patch b/queue-4.15/compiler-gcc.h-introduce-__optimize-function-attribute.patch new file mode 100644 index 00000000000..c51fbbd7172 --- /dev/null +++ b/queue-4.15/compiler-gcc.h-introduce-__optimize-function-attribute.patch @@ -0,0 +1,48 @@ +From df5d45aa08f848b79caf395211b222790534ccc7 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 1 Feb 2018 11:21:58 +0100 +Subject: compiler-gcc.h: Introduce __optimize function attribute + +From: Geert Uytterhoeven + +commit df5d45aa08f848b79caf395211b222790534ccc7 upstream. + +Create a new function attribute __optimize, which allows to specify an +optimization level on a per-function basis. + +Signed-off-by: Geert Uytterhoeven +Acked-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/compiler-gcc.h | 4 ++++ + include/linux/compiler.h | 4 ++++ + 2 files changed, 8 insertions(+) + +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -196,6 +196,10 @@ + #endif /* __CHECKER__ */ + #endif /* GCC_VERSION >= 40300 */ + ++#if GCC_VERSION >= 40400 ++#define __optimize(level) __attribute__((__optimize__(level))) ++#endif /* GCC_VERSION >= 40400 */ ++ + #if GCC_VERSION >= 40500 + + #ifndef __CHECKER__ +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -271,6 +271,10 @@ static __always_inline void __write_once + + #endif /* __ASSEMBLY__ */ + ++#ifndef __optimize ++# define __optimize(level) ++#endif ++ + /* Compile time object size, -1 for unknown */ + #ifndef __compiletime_object_size + # define __compiletime_object_size(obj) -1 diff --git a/queue-4.15/crypto-sun4i_ss_prng-convert-lock-to-_bh-in-sun4i_ss_prng_generate.patch b/queue-4.15/crypto-sun4i_ss_prng-convert-lock-to-_bh-in-sun4i_ss_prng_generate.patch new file mode 100644 index 00000000000..0c67e8ea850 --- /dev/null +++ b/queue-4.15/crypto-sun4i_ss_prng-convert-lock-to-_bh-in-sun4i_ss_prng_generate.patch @@ -0,0 +1,41 @@ +From 2e7d1d61ea6c0f1c4da5eb82cafac750d55637a7 Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Tue, 6 Feb 2018 22:20:22 +0100 +Subject: crypto: sun4i_ss_prng - convert lock to _bh in sun4i_ss_prng_generate + +From: Artem Savkov + +commit 2e7d1d61ea6c0f1c4da5eb82cafac750d55637a7 upstream. + +Lockdep detects a possible deadlock in sun4i_ss_prng_generate() and +throws an "inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage" warning. +Disabling softirqs to fix this. + +Fixes: b8ae5c7387ad ("crypto: sun4i-ss - support the Security System PRNG") +Signed-off-by: Artem Savkov +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/sunxi-ss/sun4i-ss-prng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/sunxi-ss/sun4i-ss-prng.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-prng.c +@@ -28,7 +28,7 @@ int sun4i_ss_prng_generate(struct crypto + algt = container_of(alg, struct sun4i_ss_alg_template, alg.rng); + ss = algt->ss; + +- spin_lock(&ss->slock); ++ spin_lock_bh(&ss->slock); + + writel(mode, ss->base + SS_CTL); + +@@ -51,6 +51,6 @@ int sun4i_ss_prng_generate(struct crypto + } + + writel(0, ss->base + SS_CTL); +- spin_unlock(&ss->slock); ++ spin_unlock_bh(&ss->slock); + return 0; + } diff --git a/queue-4.15/crypto-sun4i_ss_prng-fix-return-value-of-sun4i_ss_prng_generate.patch b/queue-4.15/crypto-sun4i_ss_prng-fix-return-value-of-sun4i_ss_prng_generate.patch new file mode 100644 index 00000000000..fee04f323c6 --- /dev/null +++ b/queue-4.15/crypto-sun4i_ss_prng-fix-return-value-of-sun4i_ss_prng_generate.patch @@ -0,0 +1,31 @@ +From dd78c832ffaf86eb6434e56de4bc3bc31f03f771 Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Tue, 6 Feb 2018 22:20:21 +0100 +Subject: crypto: sun4i_ss_prng - fix return value of sun4i_ss_prng_generate + +From: Artem Savkov + +commit dd78c832ffaf86eb6434e56de4bc3bc31f03f771 upstream. + +According to crypto/rng.h generate function should return 0 on success +and < 0 on error. + +Fixes: b8ae5c7387ad ("crypto: sun4i-ss - support the Security System PRNG") +Signed-off-by: Artem Savkov +Acked-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/sunxi-ss/sun4i-ss-prng.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/sunxi-ss/sun4i-ss-prng.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-prng.c +@@ -52,5 +52,5 @@ int sun4i_ss_prng_generate(struct crypto + + writel(0, ss->base + SS_CTL); + spin_unlock(&ss->slock); +- return dlen; ++ return 0; + } diff --git a/queue-4.15/kvm-nvmx-set-the-cpu_based_use_msr_bitmaps-if-we-have-a-valid-l02-msr-bitmap.patch b/queue-4.15/kvm-nvmx-set-the-cpu_based_use_msr_bitmaps-if-we-have-a-valid-l02-msr-bitmap.patch new file mode 100644 index 00000000000..241bd3cb45e --- /dev/null +++ b/queue-4.15/kvm-nvmx-set-the-cpu_based_use_msr_bitmaps-if-we-have-a-valid-l02-msr-bitmap.patch @@ -0,0 +1,66 @@ +From 3712caeb14dcb33fb4d5114f14c0beef10aca101 Mon Sep 17 00:00:00 2001 +From: KarimAllah Ahmed +Date: Sat, 10 Feb 2018 23:39:26 +0000 +Subject: KVM/nVMX: Set the CPU_BASED_USE_MSR_BITMAPS if we have a valid L02 MSR bitmap +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: KarimAllah Ahmed + +commit 3712caeb14dcb33fb4d5114f14c0beef10aca101 upstream. + +We either clear the CPU_BASED_USE_MSR_BITMAPS and end up intercepting all +MSR accesses or create a valid L02 MSR bitmap and use that. This decision +has to be made every time we evaluate whether we are going to generate the +L02 MSR bitmap. + +Before commit: + + d28b387fb74d ("KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL") + +... this was probably OK since the decision was always identical. + +This is no longer the case now since the MSR bitmap might actually +change once we decide to not intercept SPEC_CTRL and PRED_CMD. + +Signed-off-by: KarimAllah Ahmed +Signed-off-by: David Woodhouse +Acked-by: Paolo Bonzini +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Radim Krčmář +Cc: Thomas Gleixner +Cc: arjan.van.de.ven@intel.com +Cc: dave.hansen@intel.com +Cc: jmattson@google.com +Cc: kvm@vger.kernel.org +Cc: sironi@amazon.de +Link: http://lkml.kernel.org/r/1518305967-31356-6-git-send-email-dwmw@amazon.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -10131,7 +10131,8 @@ static void nested_get_vmcs12_pages(stru + if (cpu_has_vmx_msr_bitmap() && + nested_cpu_has(vmcs12, CPU_BASED_USE_MSR_BITMAPS) && + nested_vmx_merge_msr_bitmap(vcpu, vmcs12)) +- ; ++ vmcs_set_bits(CPU_BASED_VM_EXEC_CONTROL, ++ CPU_BASED_USE_MSR_BITMAPS); + else + vmcs_clear_bits(CPU_BASED_VM_EXEC_CONTROL, + CPU_BASED_USE_MSR_BITMAPS); diff --git a/queue-4.15/kvm-x86-reduce-retpoline-performance-impact-in-slot_handle_level_range-by-always-inlining-iterator-helper-methods.patch b/queue-4.15/kvm-x86-reduce-retpoline-performance-impact-in-slot_handle_level_range-by-always-inlining-iterator-helper-methods.patch new file mode 100644 index 00000000000..f7d0e4b395e --- /dev/null +++ b/queue-4.15/kvm-x86-reduce-retpoline-performance-impact-in-slot_handle_level_range-by-always-inlining-iterator-helper-methods.patch @@ -0,0 +1,100 @@ +From 928a4c39484281f8ca366f53a1db79330d058401 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Sat, 10 Feb 2018 23:39:24 +0000 +Subject: KVM/x86: Reduce retpoline performance impact in slot_handle_level_range(), by always inlining iterator helper methods +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Woodhouse + +commit 928a4c39484281f8ca366f53a1db79330d058401 upstream. + +With retpoline, tight loops of "call this function for every XXX" are +very much pessimised by taking a prediction miss *every* time. This one +is by far the biggest contributor to the guest launch time with retpoline. + +By marking the iterator slot_handle_…() functions always_inline, we can +ensure that the indirect function call can be optimised away into a +direct call and it actually generates slightly smaller code because +some of the other conditionals can get optimised away too. + +Performance is now pretty close to what we see with nospectre_v2 on +the command line. + +Suggested-by: Linus Torvalds +Tested-by: Filippo Sironi +Signed-off-by: David Woodhouse +Reviewed-by: Filippo Sironi +Acked-by: Paolo Bonzini +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: arjan.van.de.ven@intel.com +Cc: dave.hansen@intel.com +Cc: jmattson@google.com +Cc: karahmed@amazon.de +Cc: kvm@vger.kernel.org +Cc: rkrcmar@redhat.com +Link: http://lkml.kernel.org/r/1518305967-31356-4-git-send-email-dwmw@amazon.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -5058,7 +5058,7 @@ void kvm_mmu_uninit_vm(struct kvm *kvm) + typedef bool (*slot_level_handler) (struct kvm *kvm, struct kvm_rmap_head *rmap_head); + + /* The caller should hold mmu-lock before calling this function. */ +-static bool ++static __always_inline bool + slot_handle_level_range(struct kvm *kvm, struct kvm_memory_slot *memslot, + slot_level_handler fn, int start_level, int end_level, + gfn_t start_gfn, gfn_t end_gfn, bool lock_flush_tlb) +@@ -5088,7 +5088,7 @@ slot_handle_level_range(struct kvm *kvm, + return flush; + } + +-static bool ++static __always_inline bool + slot_handle_level(struct kvm *kvm, struct kvm_memory_slot *memslot, + slot_level_handler fn, int start_level, int end_level, + bool lock_flush_tlb) +@@ -5099,7 +5099,7 @@ slot_handle_level(struct kvm *kvm, struc + lock_flush_tlb); + } + +-static bool ++static __always_inline bool + slot_handle_all_level(struct kvm *kvm, struct kvm_memory_slot *memslot, + slot_level_handler fn, bool lock_flush_tlb) + { +@@ -5107,7 +5107,7 @@ slot_handle_all_level(struct kvm *kvm, s + PT_MAX_HUGEPAGE_LEVEL, lock_flush_tlb); + } + +-static bool ++static __always_inline bool + slot_handle_large_level(struct kvm *kvm, struct kvm_memory_slot *memslot, + slot_level_handler fn, bool lock_flush_tlb) + { +@@ -5115,7 +5115,7 @@ slot_handle_large_level(struct kvm *kvm, + PT_MAX_HUGEPAGE_LEVEL, lock_flush_tlb); + } + +-static bool ++static __always_inline bool + slot_handle_leaf(struct kvm *kvm, struct kvm_memory_slot *memslot, + slot_level_handler fn, bool lock_flush_tlb) + { diff --git a/queue-4.15/powerpc-mm-radix-split-linear-mapping-on-hot-unplug.patch b/queue-4.15/powerpc-mm-radix-split-linear-mapping-on-hot-unplug.patch new file mode 100644 index 00000000000..4d2b510c2ef --- /dev/null +++ b/queue-4.15/powerpc-mm-radix-split-linear-mapping-on-hot-unplug.patch @@ -0,0 +1,173 @@ +From 4dd5f8a99e791a8c6500e3592f3ce81ae7edcde1 Mon Sep 17 00:00:00 2001 +From: Balbir Singh +Date: Wed, 7 Feb 2018 17:35:51 +1100 +Subject: powerpc/mm/radix: Split linear mapping on hot-unplug + +From: Balbir Singh + +commit 4dd5f8a99e791a8c6500e3592f3ce81ae7edcde1 upstream. + +This patch splits the linear mapping if the hot-unplug range is +smaller than the mapping size. The code detects if the mapping needs +to be split into a smaller size and if so, uses the stop machine +infrastructure to clear the existing mapping and then remap the +remaining range using a smaller page size. + +The code will skip any region of the mapping that overlaps with kernel +text and warn about it once. We don't want to remove a mapping where +the kernel text and the LMB we intend to remove overlap in the same +TLB mapping as it may affect the currently executing code. + +I've tested these changes under a kvm guest with 2 vcpus, from a split +mapping point of view, some of the caveats mentioned above applied to +the testing I did. + +Fixes: 4b5d62ca17a1 ("powerpc/mm: add radix__remove_section_mapping()") +Signed-off-by: Balbir Singh +[mpe: Tweak change log to match updated behaviour] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/pgtable-radix.c | 95 +++++++++++++++++++++++++++++++--------- + 1 file changed, 74 insertions(+), 21 deletions(-) + +--- a/arch/powerpc/mm/pgtable-radix.c ++++ b/arch/powerpc/mm/pgtable-radix.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -671,6 +672,30 @@ static void free_pmd_table(pmd_t *pmd_st + pud_clear(pud); + } + ++struct change_mapping_params { ++ pte_t *pte; ++ unsigned long start; ++ unsigned long end; ++ unsigned long aligned_start; ++ unsigned long aligned_end; ++}; ++ ++static int stop_machine_change_mapping(void *data) ++{ ++ struct change_mapping_params *params = ++ (struct change_mapping_params *)data; ++ ++ if (!data) ++ return -1; ++ ++ spin_unlock(&init_mm.page_table_lock); ++ pte_clear(&init_mm, params->aligned_start, params->pte); ++ create_physical_mapping(params->aligned_start, params->start); ++ create_physical_mapping(params->end, params->aligned_end); ++ spin_lock(&init_mm.page_table_lock); ++ return 0; ++} ++ + static void remove_pte_table(pte_t *pte_start, unsigned long addr, + unsigned long end) + { +@@ -699,6 +724,52 @@ static void remove_pte_table(pte_t *pte_ + } + } + ++/* ++ * clear the pte and potentially split the mapping helper ++ */ ++static void split_kernel_mapping(unsigned long addr, unsigned long end, ++ unsigned long size, pte_t *pte) ++{ ++ unsigned long mask = ~(size - 1); ++ unsigned long aligned_start = addr & mask; ++ unsigned long aligned_end = addr + size; ++ struct change_mapping_params params; ++ bool split_region = false; ++ ++ if ((end - addr) < size) { ++ /* ++ * We're going to clear the PTE, but not flushed ++ * the mapping, time to remap and flush. The ++ * effects if visible outside the processor or ++ * if we are running in code close to the ++ * mapping we cleared, we are in trouble. ++ */ ++ if (overlaps_kernel_text(aligned_start, addr) || ++ overlaps_kernel_text(end, aligned_end)) { ++ /* ++ * Hack, just return, don't pte_clear ++ */ ++ WARN_ONCE(1, "Linear mapping %lx->%lx overlaps kernel " ++ "text, not splitting\n", addr, end); ++ return; ++ } ++ split_region = true; ++ } ++ ++ if (split_region) { ++ params.pte = pte; ++ params.start = addr; ++ params.end = end; ++ params.aligned_start = addr & ~(size - 1); ++ params.aligned_end = min_t(unsigned long, aligned_end, ++ (unsigned long)__va(memblock_end_of_DRAM())); ++ stop_machine(stop_machine_change_mapping, ¶ms, NULL); ++ return; ++ } ++ ++ pte_clear(&init_mm, addr, pte); ++} ++ + static void remove_pmd_table(pmd_t *pmd_start, unsigned long addr, + unsigned long end) + { +@@ -714,13 +785,7 @@ static void remove_pmd_table(pmd_t *pmd_ + continue; + + if (pmd_huge(*pmd)) { +- if (!IS_ALIGNED(addr, PMD_SIZE) || +- !IS_ALIGNED(next, PMD_SIZE)) { +- WARN_ONCE(1, "%s: unaligned range\n", __func__); +- continue; +- } +- +- pte_clear(&init_mm, addr, (pte_t *)pmd); ++ split_kernel_mapping(addr, end, PMD_SIZE, (pte_t *)pmd); + continue; + } + +@@ -745,13 +810,7 @@ static void remove_pud_table(pud_t *pud_ + continue; + + if (pud_huge(*pud)) { +- if (!IS_ALIGNED(addr, PUD_SIZE) || +- !IS_ALIGNED(next, PUD_SIZE)) { +- WARN_ONCE(1, "%s: unaligned range\n", __func__); +- continue; +- } +- +- pte_clear(&init_mm, addr, (pte_t *)pud); ++ split_kernel_mapping(addr, end, PUD_SIZE, (pte_t *)pud); + continue; + } + +@@ -777,13 +836,7 @@ static void remove_pagetable(unsigned lo + continue; + + if (pgd_huge(*pgd)) { +- if (!IS_ALIGNED(addr, PGDIR_SIZE) || +- !IS_ALIGNED(next, PGDIR_SIZE)) { +- WARN_ONCE(1, "%s: unaligned range\n", __func__); +- continue; +- } +- +- pte_clear(&init_mm, addr, (pte_t *)pgd); ++ split_kernel_mapping(addr, end, PGDIR_SIZE, (pte_t *)pgd); + continue; + } + diff --git a/queue-4.15/revert-x86-speculation-simplify-indirect_branch_prediction_barrier.patch b/queue-4.15/revert-x86-speculation-simplify-indirect_branch_prediction_barrier.patch new file mode 100644 index 00000000000..06cb4f2befc --- /dev/null +++ b/queue-4.15/revert-x86-speculation-simplify-indirect_branch_prediction_barrier.patch @@ -0,0 +1,90 @@ +From f208820a321f9b23d77d7eed89945d862d62a3ed Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Sat, 10 Feb 2018 23:39:23 +0000 +Subject: Revert "x86/speculation: Simplify indirect_branch_prediction_barrier()" + +From: David Woodhouse + +commit f208820a321f9b23d77d7eed89945d862d62a3ed upstream. + +This reverts commit 64e16720ea0879f8ab4547e3b9758936d483909b. + +We cannot call C functions like that, without marking all the +call-clobbered registers as, well, clobbered. We might have got away +with it for now because the __ibp_barrier() function was *fairly* +unlikely to actually use any other registers. But no. Just no. + +Signed-off-by: David Woodhouse +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: arjan.van.de.ven@intel.com +Cc: dave.hansen@intel.com +Cc: jmattson@google.com +Cc: karahmed@amazon.de +Cc: kvm@vger.kernel.org +Cc: pbonzini@redhat.com +Cc: rkrcmar@redhat.com +Cc: sironi@amazon.de +Link: http://lkml.kernel.org/r/1518305967-31356-3-git-send-email-dwmw@amazon.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/nospec-branch.h | 13 +++++++++---- + arch/x86/include/asm/processor.h | 3 --- + arch/x86/kernel/cpu/bugs.c | 6 ------ + 3 files changed, 9 insertions(+), 13 deletions(-) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -164,10 +164,15 @@ static inline void vmexit_fill_RSB(void) + + static inline void indirect_branch_prediction_barrier(void) + { +- alternative_input("", +- "call __ibp_barrier", +- X86_FEATURE_USE_IBPB, +- ASM_NO_INPUT_CLOBBER("eax", "ecx", "edx", "memory")); ++ asm volatile(ALTERNATIVE("", ++ "movl %[msr], %%ecx\n\t" ++ "movl %[val], %%eax\n\t" ++ "movl $0, %%edx\n\t" ++ "wrmsr", ++ X86_FEATURE_USE_IBPB) ++ : : [msr] "i" (MSR_IA32_PRED_CMD), ++ [val] "i" (PRED_CMD_IBPB) ++ : "eax", "ecx", "edx", "memory"); + } + + #endif /* __ASSEMBLY__ */ +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -969,7 +969,4 @@ bool xen_set_default_idle(void); + + void stop_this_cpu(void *dummy); + void df_debug(struct pt_regs *regs, long error_code); +- +-void __ibp_barrier(void); +- + #endif /* _ASM_X86_PROCESSOR_H */ +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -337,9 +337,3 @@ ssize_t cpu_show_spectre_v2(struct devic + spectre_v2_module_string()); + } + #endif +- +-void __ibp_barrier(void) +-{ +- __wrmsr(MSR_IA32_PRED_CMD, PRED_CMD_IBPB, 0); +-} +-EXPORT_SYMBOL_GPL(__ibp_barrier); diff --git a/queue-4.15/series b/queue-4.15/series index d57474b670b..0695980897c 100644 --- a/queue-4.15/series +++ b/queue-4.15/series @@ -37,3 +37,18 @@ x86-kexec-make-kexec-mostly-work-in-5-level-paging-mode.patch x86-xen-init-gs-very-early-to-avoid-page-faults-with-stack-protector.patch x86-pm-make-apm-idle-driver-initialize-polling-state.patch mm-memory_hotplug-fix-memmap-initialization.patch +x86-entry-64-clear-extra-registers-beyond-syscall-arguments-to-reduce-speculation-attack-surface.patch +x86-entry-64-compat-clear-registers-for-compat-syscalls-to-reduce-speculation-attack-surface.patch +compiler-gcc.h-introduce-__optimize-function-attribute.patch +compiler-gcc.h-__nostackprotector-needs-gcc-4.4-and-up.patch +crypto-sun4i_ss_prng-fix-return-value-of-sun4i_ss_prng_generate.patch +crypto-sun4i_ss_prng-convert-lock-to-_bh-in-sun4i_ss_prng_generate.patch +powerpc-mm-radix-split-linear-mapping-on-hot-unplug.patch +x86-mm-pti-fix-pti-comment-in-entry_syscall_64.patch +x86-speculation-update-speculation-control-microcode-blacklist.patch +x86-speculation-correct-speculation-control-microcode-blacklist-again.patch +revert-x86-speculation-simplify-indirect_branch_prediction_barrier.patch +kvm-x86-reduce-retpoline-performance-impact-in-slot_handle_level_range-by-always-inlining-iterator-helper-methods.patch +x86-nvmx-properly-set-spec_ctrl-and-pred_cmd-before-merging-msrs.patch +kvm-nvmx-set-the-cpu_based_use_msr_bitmaps-if-we-have-a-valid-l02-msr-bitmap.patch +x86-speculation-clean-up-various-spectre-related-details.patch diff --git a/queue-4.15/x86-entry-64-clear-extra-registers-beyond-syscall-arguments-to-reduce-speculation-attack-surface.patch b/queue-4.15/x86-entry-64-clear-extra-registers-beyond-syscall-arguments-to-reduce-speculation-attack-surface.patch new file mode 100644 index 00000000000..82fe0e0285f --- /dev/null +++ b/queue-4.15/x86-entry-64-clear-extra-registers-beyond-syscall-arguments-to-reduce-speculation-attack-surface.patch @@ -0,0 +1,76 @@ +From 8e1eb3fa009aa7c0b944b3c8b26b07de0efb3200 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Mon, 5 Feb 2018 17:18:05 -0800 +Subject: x86/entry/64: Clear extra registers beyond syscall arguments, to reduce speculation attack surface + +From: Dan Williams + +commit 8e1eb3fa009aa7c0b944b3c8b26b07de0efb3200 upstream. + +At entry userspace may have (maliciously) populated the extra registers +outside the syscall calling convention with arbitrary values that could +be useful in a speculative execution (Spectre style) attack. + +Clear these registers to minimize the kernel's attack surface. + +Note, this only clears the extra registers and not the unused +registers for syscalls less than 6 arguments, since those registers are +likely to be clobbered well before their values could be put to use +under speculation. + +Note, Linus found that the XOR instructions can be executed with +minimized cost if interleaved with the PUSH instructions, and Ingo's +analysis found that R10 and R11 should be included in the register +clearing beyond the typical 'extra' syscall calling convention +registers. + +Suggested-by: Linus Torvalds +Reported-by: Andi Kleen +Signed-off-by: Dan Williams +Cc: +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/151787988577.7847.16733592218894189003.stgit@dwillia2-desk3.amr.corp.intel.com +[ Made small improvements to the changelog and the code comments. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/entry_64.S | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -235,13 +235,26 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) + pushq %r8 /* pt_regs->r8 */ + pushq %r9 /* pt_regs->r9 */ + pushq %r10 /* pt_regs->r10 */ ++ /* ++ * Clear extra registers that a speculation attack might ++ * otherwise want to exploit. Interleave XOR with PUSH ++ * for better uop scheduling: ++ */ ++ xorq %r10, %r10 /* nospec r10 */ + pushq %r11 /* pt_regs->r11 */ ++ xorq %r11, %r11 /* nospec r11 */ + pushq %rbx /* pt_regs->rbx */ ++ xorl %ebx, %ebx /* nospec rbx */ + pushq %rbp /* pt_regs->rbp */ ++ xorl %ebp, %ebp /* nospec rbp */ + pushq %r12 /* pt_regs->r12 */ ++ xorq %r12, %r12 /* nospec r12 */ + pushq %r13 /* pt_regs->r13 */ ++ xorq %r13, %r13 /* nospec r13 */ + pushq %r14 /* pt_regs->r14 */ ++ xorq %r14, %r14 /* nospec r14 */ + pushq %r15 /* pt_regs->r15 */ ++ xorq %r15, %r15 /* nospec r15 */ + UNWIND_HINT_REGS + + TRACE_IRQS_OFF diff --git a/queue-4.15/x86-entry-64-compat-clear-registers-for-compat-syscalls-to-reduce-speculation-attack-surface.patch b/queue-4.15/x86-entry-64-compat-clear-registers-for-compat-syscalls-to-reduce-speculation-attack-surface.patch new file mode 100644 index 00000000000..f36ac68aa8a --- /dev/null +++ b/queue-4.15/x86-entry-64-compat-clear-registers-for-compat-syscalls-to-reduce-speculation-attack-surface.patch @@ -0,0 +1,114 @@ +From 6b8cf5cc9965673951f1ab3f0e3cf23d06e3e2ee Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Mon, 5 Feb 2018 17:18:17 -0800 +Subject: x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface + +From: Dan Williams + +commit 6b8cf5cc9965673951f1ab3f0e3cf23d06e3e2ee upstream. + +At entry userspace may have populated registers with values that could +otherwise be useful in a speculative execution attack. Clear them to +minimize the kernel's attack surface. + +Originally-From: Andi Kleen +Signed-off-by: Dan Williams +Cc: +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/151787989697.7847.4083702787288600552.stgit@dwillia2-desk3.amr.corp.intel.com +[ Made small improvements to the changelog. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/entry_64_compat.S | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/arch/x86/entry/entry_64_compat.S ++++ b/arch/x86/entry/entry_64_compat.S +@@ -85,15 +85,25 @@ ENTRY(entry_SYSENTER_compat) + pushq %rcx /* pt_regs->cx */ + pushq $-ENOSYS /* pt_regs->ax */ + pushq $0 /* pt_regs->r8 = 0 */ ++ xorq %r8, %r8 /* nospec r8 */ + pushq $0 /* pt_regs->r9 = 0 */ ++ xorq %r9, %r9 /* nospec r9 */ + pushq $0 /* pt_regs->r10 = 0 */ ++ xorq %r10, %r10 /* nospec r10 */ + pushq $0 /* pt_regs->r11 = 0 */ ++ xorq %r11, %r11 /* nospec r11 */ + pushq %rbx /* pt_regs->rbx */ ++ xorl %ebx, %ebx /* nospec rbx */ + pushq %rbp /* pt_regs->rbp (will be overwritten) */ ++ xorl %ebp, %ebp /* nospec rbp */ + pushq $0 /* pt_regs->r12 = 0 */ ++ xorq %r12, %r12 /* nospec r12 */ + pushq $0 /* pt_regs->r13 = 0 */ ++ xorq %r13, %r13 /* nospec r13 */ + pushq $0 /* pt_regs->r14 = 0 */ ++ xorq %r14, %r14 /* nospec r14 */ + pushq $0 /* pt_regs->r15 = 0 */ ++ xorq %r15, %r15 /* nospec r15 */ + cld + + /* +@@ -214,15 +224,25 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram + pushq %rbp /* pt_regs->cx (stashed in bp) */ + pushq $-ENOSYS /* pt_regs->ax */ + pushq $0 /* pt_regs->r8 = 0 */ ++ xorq %r8, %r8 /* nospec r8 */ + pushq $0 /* pt_regs->r9 = 0 */ ++ xorq %r9, %r9 /* nospec r9 */ + pushq $0 /* pt_regs->r10 = 0 */ ++ xorq %r10, %r10 /* nospec r10 */ + pushq $0 /* pt_regs->r11 = 0 */ ++ xorq %r11, %r11 /* nospec r11 */ + pushq %rbx /* pt_regs->rbx */ ++ xorl %ebx, %ebx /* nospec rbx */ + pushq %rbp /* pt_regs->rbp (will be overwritten) */ ++ xorl %ebp, %ebp /* nospec rbp */ + pushq $0 /* pt_regs->r12 = 0 */ ++ xorq %r12, %r12 /* nospec r12 */ + pushq $0 /* pt_regs->r13 = 0 */ ++ xorq %r13, %r13 /* nospec r13 */ + pushq $0 /* pt_regs->r14 = 0 */ ++ xorq %r14, %r14 /* nospec r14 */ + pushq $0 /* pt_regs->r15 = 0 */ ++ xorq %r15, %r15 /* nospec r15 */ + + /* + * User mode is traced as though IRQs are on, and SYSENTER +@@ -338,15 +358,25 @@ ENTRY(entry_INT80_compat) + pushq %rcx /* pt_regs->cx */ + pushq $-ENOSYS /* pt_regs->ax */ + pushq $0 /* pt_regs->r8 = 0 */ ++ xorq %r8, %r8 /* nospec r8 */ + pushq $0 /* pt_regs->r9 = 0 */ ++ xorq %r9, %r9 /* nospec r9 */ + pushq $0 /* pt_regs->r10 = 0 */ ++ xorq %r10, %r10 /* nospec r10 */ + pushq $0 /* pt_regs->r11 = 0 */ ++ xorq %r11, %r11 /* nospec r11 */ + pushq %rbx /* pt_regs->rbx */ ++ xorl %ebx, %ebx /* nospec rbx */ + pushq %rbp /* pt_regs->rbp */ ++ xorl %ebp, %ebp /* nospec rbp */ + pushq %r12 /* pt_regs->r12 */ ++ xorq %r12, %r12 /* nospec r12 */ + pushq %r13 /* pt_regs->r13 */ ++ xorq %r13, %r13 /* nospec r13 */ + pushq %r14 /* pt_regs->r14 */ ++ xorq %r14, %r14 /* nospec r14 */ + pushq %r15 /* pt_regs->r15 */ ++ xorq %r15, %r15 /* nospec r15 */ + cld + + /* diff --git a/queue-4.15/x86-mm-pti-fix-pti-comment-in-entry_syscall_64.patch b/queue-4.15/x86-mm-pti-fix-pti-comment-in-entry_syscall_64.patch new file mode 100644 index 00000000000..9e4913cd68a --- /dev/null +++ b/queue-4.15/x86-mm-pti-fix-pti-comment-in-entry_syscall_64.patch @@ -0,0 +1,45 @@ +From 14b1fcc62043729d12e8ae00f8297ab2ffe9fa91 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Fri, 9 Feb 2018 09:06:38 -0800 +Subject: x86/mm/pti: Fix PTI comment in entry_SYSCALL_64() + +From: Nadav Amit + +commit 14b1fcc62043729d12e8ae00f8297ab2ffe9fa91 upstream. + +The comment is confusing since the path is taken when +CONFIG_PAGE_TABLE_ISOLATION=y is disabled (while the comment says it is not +taken). + +Signed-off-by: Nadav Amit +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: nadav.amit@gmail.com +Link: http://lkml.kernel.org/r/20180209170638.15161-1-namit@vmware.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/entry_64.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -213,7 +213,7 @@ ENTRY(entry_SYSCALL_64) + + swapgs + /* +- * This path is not taken when PAGE_TABLE_ISOLATION is disabled so it ++ * This path is only taken when PAGE_TABLE_ISOLATION is disabled so it + * is not required to switch CR3. + */ + movq %rsp, PER_CPU_VAR(rsp_scratch) diff --git a/queue-4.15/x86-nvmx-properly-set-spec_ctrl-and-pred_cmd-before-merging-msrs.patch b/queue-4.15/x86-nvmx-properly-set-spec_ctrl-and-pred_cmd-before-merging-msrs.patch new file mode 100644 index 00000000000..226ad6d3855 --- /dev/null +++ b/queue-4.15/x86-nvmx-properly-set-spec_ctrl-and-pred_cmd-before-merging-msrs.patch @@ -0,0 +1,61 @@ +From 206587a9fb764d71f035dc7f6d3b6488f5d5b304 Mon Sep 17 00:00:00 2001 +From: KarimAllah Ahmed +Date: Sat, 10 Feb 2018 23:39:25 +0000 +Subject: X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: KarimAllah Ahmed + +commit 206587a9fb764d71f035dc7f6d3b6488f5d5b304 upstream. + +These two variables should check whether SPEC_CTRL and PRED_CMD are +supposed to be passed through to L2 guests or not. While +msr_write_intercepted_l01 would return 'true' if it is not passed through. + +So just invert the result of msr_write_intercepted_l01 to implement the +correct semantics. + +Signed-off-by: KarimAllah Ahmed +Signed-off-by: David Woodhouse +Reviewed-by: Jim Mattson +Acked-by: Paolo Bonzini +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Radim Krčmář +Cc: Thomas Gleixner +Cc: arjan.van.de.ven@intel.com +Cc: dave.hansen@intel.com +Cc: kvm@vger.kernel.org +Cc: sironi@amazon.de +Fixes: 086e7d4118cc ("KVM: VMX: Allow direct access to MSR_IA32_SPEC_CTRL") +Link: http://lkml.kernel.org/r/1518305967-31356-5-git-send-email-dwmw@amazon.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -10220,8 +10220,8 @@ static inline bool nested_vmx_merge_msr_ + * updated to reflect this when L1 (or its L2s) actually write to + * the MSR. + */ +- bool pred_cmd = msr_write_intercepted_l01(vcpu, MSR_IA32_PRED_CMD); +- bool spec_ctrl = msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL); ++ bool pred_cmd = !msr_write_intercepted_l01(vcpu, MSR_IA32_PRED_CMD); ++ bool spec_ctrl = !msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL); + + if (!nested_cpu_has_virt_x2apic_mode(vmcs12) && + !pred_cmd && !spec_ctrl) diff --git a/queue-4.15/x86-speculation-clean-up-various-spectre-related-details.patch b/queue-4.15/x86-speculation-clean-up-various-spectre-related-details.patch new file mode 100644 index 00000000000..18b52aac72b --- /dev/null +++ b/queue-4.15/x86-speculation-clean-up-various-spectre-related-details.patch @@ -0,0 +1,145 @@ +From 21e433bdb95bdf3aa48226fd3d33af608437f293 Mon Sep 17 00:00:00 2001 +From: Ingo Molnar +Date: Tue, 13 Feb 2018 09:03:08 +0100 +Subject: x86/speculation: Clean up various Spectre related details + +From: Ingo Molnar + +commit 21e433bdb95bdf3aa48226fd3d33af608437f293 upstream. + +Harmonize all the Spectre messages so that a: + + dmesg | grep -i spectre + +... gives us most Spectre related kernel boot messages. + +Also fix a few other details: + + - clarify a comment about firmware speculation control + + - s/KPTI/PTI + + - remove various line-breaks that made the code uglier + +Acked-by: David Woodhouse +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/bugs.c | 28 +++++++++++----------------- + 1 file changed, 11 insertions(+), 17 deletions(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -162,8 +162,7 @@ static enum spectre_v2_mitigation_cmd __ + if (cmdline_find_option_bool(boot_command_line, "nospectre_v2")) + return SPECTRE_V2_CMD_NONE; + else { +- ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, +- sizeof(arg)); ++ ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg)); + if (ret < 0) + return SPECTRE_V2_CMD_AUTO; + +@@ -175,8 +174,7 @@ static enum spectre_v2_mitigation_cmd __ + } + + if (i >= ARRAY_SIZE(mitigation_options)) { +- pr_err("unknown option (%s). Switching to AUTO select\n", +- mitigation_options[i].option); ++ pr_err("unknown option (%s). Switching to AUTO select\n", mitigation_options[i].option); + return SPECTRE_V2_CMD_AUTO; + } + } +@@ -185,8 +183,7 @@ static enum spectre_v2_mitigation_cmd __ + cmd == SPECTRE_V2_CMD_RETPOLINE_AMD || + cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) && + !IS_ENABLED(CONFIG_RETPOLINE)) { +- pr_err("%s selected but not compiled in. Switching to AUTO select\n", +- mitigation_options[i].option); ++ pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option); + return SPECTRE_V2_CMD_AUTO; + } + +@@ -256,14 +253,14 @@ static void __init spectre_v2_select_mit + goto retpoline_auto; + break; + } +- pr_err("kernel not compiled with retpoline; no mitigation available!"); ++ pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!"); + return; + + retpoline_auto: + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) { + retpoline_amd: + if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { +- pr_err("LFENCE not serializing. Switching to generic retpoline\n"); ++ pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n"); + goto retpoline_generic; + } + mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_AMD : +@@ -281,7 +278,7 @@ retpoline_auto: + pr_info("%s\n", spectre_v2_strings[mode]); + + /* +- * If neither SMEP or KPTI are available, there is a risk of ++ * If neither SMEP nor PTI are available, there is a risk of + * hitting userspace addresses in the RSB after a context switch + * from a shallow call stack to a deeper one. To prevent this fill + * the entire RSB, even when using IBRS. +@@ -295,21 +292,20 @@ retpoline_auto: + if ((!boot_cpu_has(X86_FEATURE_PTI) && + !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) { + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); +- pr_info("Filling RSB on context switch\n"); ++ pr_info("Spectre v2 mitigation: Filling RSB on context switch\n"); + } + + /* Initialize Indirect Branch Prediction Barrier if supported */ + if (boot_cpu_has(X86_FEATURE_IBPB)) { + setup_force_cpu_cap(X86_FEATURE_USE_IBPB); +- pr_info("Enabling Indirect Branch Prediction Barrier\n"); ++ pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n"); + } + } + + #undef pr_fmt + + #ifdef CONFIG_SYSFS +-ssize_t cpu_show_meltdown(struct device *dev, +- struct device_attribute *attr, char *buf) ++ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) + { + if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN)) + return sprintf(buf, "Not affected\n"); +@@ -318,16 +314,14 @@ ssize_t cpu_show_meltdown(struct device + return sprintf(buf, "Vulnerable\n"); + } + +-ssize_t cpu_show_spectre_v1(struct device *dev, +- struct device_attribute *attr, char *buf) ++ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) + { + if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1)) + return sprintf(buf, "Not affected\n"); + return sprintf(buf, "Mitigation: __user pointer sanitization\n"); + } + +-ssize_t cpu_show_spectre_v2(struct device *dev, +- struct device_attribute *attr, char *buf) ++ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf) + { + if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) + return sprintf(buf, "Not affected\n"); diff --git a/queue-4.15/x86-speculation-correct-speculation-control-microcode-blacklist-again.patch b/queue-4.15/x86-speculation-correct-speculation-control-microcode-blacklist-again.patch new file mode 100644 index 00000000000..deed2b88044 --- /dev/null +++ b/queue-4.15/x86-speculation-correct-speculation-control-microcode-blacklist-again.patch @@ -0,0 +1,75 @@ +From d37fc6d360a404b208547ba112e7dabb6533c7fc Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Mon, 12 Feb 2018 15:27:34 +0000 +Subject: x86/speculation: Correct Speculation Control microcode blacklist again + +From: David Woodhouse + +commit d37fc6d360a404b208547ba112e7dabb6533c7fc upstream. + +Arjan points out that the Intel document only clears the 0xc2 microcode +on *some* parts with CPUID 506E3 (INTEL_FAM6_SKYLAKE_DESKTOP stepping 3). +For the Skylake H/S platform it's OK but for Skylake E3 which has the +same CPUID it isn't (yet) cleared. + +So removing it from the blacklist was premature. Put it back for now. + +Also, Arjan assures me that the 0x84 microcode for Kaby Lake which was +featured in one of the early revisions of the Intel document was never +released to the public, and won't be until/unless it is also validated +as safe. So those can change to 0x80 which is what all *other* versions +of the doc have identified. + +Once the retrospective testing of existing public microcodes is done, we +should be back into a mode where new microcodes are only released in +batches and we shouldn't even need to update the blacklist for those +anyway, so this tweaking of the list isn't expected to be a thing which +keeps happening. + +Requested-by: Arjan van de Ven +Signed-off-by: David Woodhouse +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: arjan.van.de.ven@intel.com +Cc: dave.hansen@intel.com +Cc: kvm@vger.kernel.org +Cc: pbonzini@redhat.com +Link: http://lkml.kernel.org/r/1518449255-2182-1-git-send-email-dwmw@amazon.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/intel.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -116,13 +116,14 @@ struct sku_microcode { + u32 microcode; + }; + static const struct sku_microcode spectre_bad_microcodes[] = { +- { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0B, 0x84 }, +- { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0A, 0x84 }, +- { INTEL_FAM6_KABYLAKE_DESKTOP, 0x09, 0x84 }, +- { INTEL_FAM6_KABYLAKE_MOBILE, 0x0A, 0x84 }, +- { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x84 }, ++ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0B, 0x80 }, ++ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0A, 0x80 }, ++ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x09, 0x80 }, ++ { INTEL_FAM6_KABYLAKE_MOBILE, 0x0A, 0x80 }, ++ { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x80 }, + { INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e }, + { INTEL_FAM6_SKYLAKE_X, 0x04, 0x0200003c }, ++ { INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 }, + { INTEL_FAM6_BROADWELL_CORE, 0x04, 0x28 }, + { INTEL_FAM6_BROADWELL_GT3E, 0x01, 0x1b }, + { INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 }, diff --git a/queue-4.15/x86-speculation-update-speculation-control-microcode-blacklist.patch b/queue-4.15/x86-speculation-update-speculation-control-microcode-blacklist.patch new file mode 100644 index 00000000000..e1f9d6981a7 --- /dev/null +++ b/queue-4.15/x86-speculation-update-speculation-control-microcode-blacklist.patch @@ -0,0 +1,66 @@ +From 1751342095f0d2b36fa8114d8e12c5688c455ac4 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Sat, 10 Feb 2018 23:39:22 +0000 +Subject: x86/speculation: Update Speculation Control microcode blacklist + +From: David Woodhouse + +commit 1751342095f0d2b36fa8114d8e12c5688c455ac4 upstream. + +Intel have retroactively blessed the 0xc2 microcode on Skylake mobile +and desktop parts, and the Gemini Lake 0x22 microcode is apparently fine +too. We blacklisted the latter purely because it was present with all +the other problematic ones in the 2018-01-08 release, but now it's +explicitly listed as OK. + +We still list 0x84 for the various Kaby Lake / Coffee Lake parts, as +that appeared in one version of the blacklist and then reverted to +0x80 again. We can change it if 0x84 is actually announced to be safe. + +Signed-off-by: David Woodhouse +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: arjan.van.de.ven@intel.com +Cc: jmattson@google.com +Cc: karahmed@amazon.de +Cc: kvm@vger.kernel.org +Cc: pbonzini@redhat.com +Cc: rkrcmar@redhat.com +Cc: sironi@amazon.de +Link: http://lkml.kernel.org/r/1518305967-31356-2-git-send-email-dwmw@amazon.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/intel.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -123,8 +123,6 @@ static const struct sku_microcode spectr + { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x84 }, + { INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e }, + { INTEL_FAM6_SKYLAKE_X, 0x04, 0x0200003c }, +- { INTEL_FAM6_SKYLAKE_MOBILE, 0x03, 0xc2 }, +- { INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 }, + { INTEL_FAM6_BROADWELL_CORE, 0x04, 0x28 }, + { INTEL_FAM6_BROADWELL_GT3E, 0x01, 0x1b }, + { INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 }, +@@ -136,8 +134,6 @@ static const struct sku_microcode spectr + { INTEL_FAM6_HASWELL_X, 0x02, 0x3b }, + { INTEL_FAM6_HASWELL_X, 0x04, 0x10 }, + { INTEL_FAM6_IVYBRIDGE_X, 0x04, 0x42a }, +- /* Updated in the 20180108 release; blacklist until we know otherwise */ +- { INTEL_FAM6_ATOM_GEMINI_LAKE, 0x01, 0x22 }, + /* Observed in the wild */ + { INTEL_FAM6_SANDYBRIDGE_X, 0x06, 0x61b }, + { INTEL_FAM6_SANDYBRIDGE_X, 0x07, 0x712 },