From: Greg Kroah-Hartman Date: Tue, 20 Feb 2018 10:25:51 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.15.5~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e1c2c070ce21a37f8ae611a41a6fecfdca3f044;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: nospec-move-array_index_nospec-parameter-checking-into-separate-macro.patch objtool-fix-segfault-in-ignore_unreachable_insn.patch selftests-x86-clean-up-and-document-sscanf-usage.patch selftests-x86-disable-tests-requiring-32-bit-support-on-pure-64-bit-systems.patch selftests-x86-do-not-rely-on-int-0x80-in-single_step_syscall.c.patch selftests-x86-do-not-rely-on-int-0x80-in-test_mremap_vdso.c.patch selftests-x86-fix-vdso-selftest-segfault-for-vsyscall-none.patch selftests-x86-mpx-fix-incorrect-bounds-with-old-_sigfault.patch selftests-x86-pkeys-remove-unused-functions.patch x86-cpu-change-type-of-x86_cache_size-variable-to-unsigned-int.patch x86-cpu-rename-cpu_data.x86_mask-to-cpu_data.x86_stepping.patch x86-debug-objtool-annotate-warn-related-ud2-as-reachable.patch x86-debug-use-ud2-for-warn.patch x86-entry-64-clear-registers-for-exceptions-interrupts-to-reduce-speculation-attack-surface.patch x86-entry-64-fix-cr3-restore-in-paranoid_exit.patch x86-entry-64-fix-paranoid_entry-frame-pointer-warning.patch x86-entry-64-get-rid-of-the-alloc_pt_gpregs_on_stack-and-save_and_clear_regs-macros.patch x86-entry-64-indent-push_and_clear_regs-and-pop_regs-properly.patch x86-entry-64-interleave-xor-register-clearing-with-push-instructions.patch x86-entry-64-introduce-the-push_and_clean_regs-macro.patch x86-entry-64-merge-save_c_regs-and-save_extra_regs-remove-unused-extensions.patch x86-entry-64-merge-the-pop_c_regs-and-pop_extra_regs-macros-into-a-single-pop_regs-macro.patch x86-entry-64-remove-the-unused-icebp-macro.patch x86-entry-64-use-push_and_clean_regs-in-more-cases.patch x86-mm-rename-flush_tlb_single-and-flush_tlb_one-to-__flush_tlb_one_.patch x86-spectre-fix-an-error-message.patch x86-speculation-add-asm-msr-index.h-dependency.patch x86-speculation-fix-up-array_index_nospec_mask-asm-constraint.patch --- diff --git a/queue-4.14/nospec-move-array_index_nospec-parameter-checking-into-separate-macro.patch b/queue-4.14/nospec-move-array_index_nospec-parameter-checking-into-separate-macro.patch new file mode 100644 index 00000000000..99770309cce --- /dev/null +++ b/queue-4.14/nospec-move-array_index_nospec-parameter-checking-into-separate-macro.patch @@ -0,0 +1,89 @@ +From 8fa80c503b484ddc1abbd10c7cb2ab81f3824a50 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 5 Feb 2018 14:16:06 +0000 +Subject: nospec: Move array_index_nospec() parameter checking into separate macro + +From: Will Deacon + +commit 8fa80c503b484ddc1abbd10c7cb2ab81f3824a50 upstream. + +For architectures providing their own implementation of +array_index_mask_nospec() in asm/barrier.h, attempting to use WARN_ONCE() to +complain about out-of-range parameters using WARN_ON() results in a mess +of mutually-dependent include files. + +Rather than unpick the dependencies, simply have the core code in nospec.h +perform the checking for us. + +Signed-off-by: Will Deacon +Acked-by: Thomas Gleixner +Cc: Dan Williams +Cc: Linus Torvalds +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1517840166-15399-1-git-send-email-will.deacon@arm.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/nospec.h | 36 +++++++++++++++++++++--------------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +--- a/include/linux/nospec.h ++++ b/include/linux/nospec.h +@@ -20,20 +20,6 @@ static inline unsigned long array_index_ + unsigned long size) + { + /* +- * Warn developers about inappropriate array_index_nospec() usage. +- * +- * Even if the CPU speculates past the WARN_ONCE branch, the +- * sign bit of @index is taken into account when generating the +- * mask. +- * +- * This warning is compiled out when the compiler can infer that +- * @index and @size are less than LONG_MAX. +- */ +- if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX, +- "array_index_nospec() limited to range of [0, LONG_MAX]\n")) +- return 0; +- +- /* + * Always calculate and emit the mask even if the compiler + * thinks the mask is not needed. The compiler does not take + * into account the value of @index under speculation. +@@ -44,6 +30,26 @@ static inline unsigned long array_index_ + #endif + + /* ++ * Warn developers about inappropriate array_index_nospec() usage. ++ * ++ * Even if the CPU speculates past the WARN_ONCE branch, the ++ * sign bit of @index is taken into account when generating the ++ * mask. ++ * ++ * This warning is compiled out when the compiler can infer that ++ * @index and @size are less than LONG_MAX. ++ */ ++#define array_index_mask_nospec_check(index, size) \ ++({ \ ++ if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX, \ ++ "array_index_nospec() limited to range of [0, LONG_MAX]\n")) \ ++ _mask = 0; \ ++ else \ ++ _mask = array_index_mask_nospec(index, size); \ ++ _mask; \ ++}) ++ ++/* + * array_index_nospec - sanitize an array index after a bounds check + * + * For a code sequence like: +@@ -61,7 +67,7 @@ static inline unsigned long array_index_ + ({ \ + typeof(index) _i = (index); \ + typeof(size) _s = (size); \ +- unsigned long _mask = array_index_mask_nospec(_i, _s); \ ++ unsigned long _mask = array_index_mask_nospec_check(_i, _s); \ + \ + BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \ + BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \ diff --git a/queue-4.14/objtool-fix-segfault-in-ignore_unreachable_insn.patch b/queue-4.14/objtool-fix-segfault-in-ignore_unreachable_insn.patch new file mode 100644 index 00000000000..42567fb22dc --- /dev/null +++ b/queue-4.14/objtool-fix-segfault-in-ignore_unreachable_insn.patch @@ -0,0 +1,67 @@ +From fe24e27128252c230a34a6c628da2bf1676781ea Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Thu, 8 Feb 2018 17:09:25 -0600 +Subject: objtool: Fix segfault in ignore_unreachable_insn() + +From: Josh Poimboeuf + +commit fe24e27128252c230a34a6c628da2bf1676781ea upstream. + +Peter Zijlstra's patch for converting WARN() to use UD2 triggered a +bunch of false "unreachable instruction" warnings, which then triggered +a seg fault in ignore_unreachable_insn(). + +The seg fault happened when it tried to dereference a NULL 'insn->func' +pointer. Thanks to static_cpu_has(), some functions can jump to a +non-function area in the .altinstr_aux section. That breaks +ignore_unreachable_insn()'s assumption that it's always inside the +original function. + +Make sure ignore_unreachable_insn() only follows jumps within the +current function. + +Reported-by: Borislav Petkov +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: kbuild test robot +Link: http://lkml.kernel.org/r/bace77a60d5af9b45eddb8f8fb9c776c8de657ef.1518130694.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/objtool/check.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -1935,13 +1935,19 @@ static bool ignore_unreachable_insn(stru + if (is_kasan_insn(insn) || is_ubsan_insn(insn)) + return true; + +- if (insn->type == INSN_JUMP_UNCONDITIONAL && insn->jump_dest) { +- insn = insn->jump_dest; +- continue; ++ if (insn->type == INSN_JUMP_UNCONDITIONAL) { ++ if (insn->jump_dest && ++ insn->jump_dest->func == insn->func) { ++ insn = insn->jump_dest; ++ continue; ++ } ++ ++ break; + } + + if (insn->offset + insn->len >= insn->func->offset + insn->func->len) + break; ++ + insn = list_next_entry(insn, list); + } + diff --git a/queue-4.14/selftests-x86-clean-up-and-document-sscanf-usage.patch b/queue-4.14/selftests-x86-clean-up-and-document-sscanf-usage.patch new file mode 100644 index 00000000000..7489c2917e8 --- /dev/null +++ b/queue-4.14/selftests-x86-clean-up-and-document-sscanf-usage.patch @@ -0,0 +1,104 @@ +From d8e92de8ef952bed88c56c7a44c02d8dcae0984e Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 21:59:24 +0100 +Subject: selftests/x86: Clean up and document sscanf() usage + +From: Dominik Brodowski + +commit d8e92de8ef952bed88c56c7a44c02d8dcae0984e upstream. + +Replace a couple of magically connected buffer length literal constants with +a common definition that makes their relationship obvious. Also document +why our sscanf() usage is safe. + +No intended functional changes. + +Suggested-by: Ingo Molnar +Signed-off-by: Dominik Brodowski +Cc: Andrew Lutomirski +Cc: Andy Lutomirski +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kselftest@vger.kernel.org +Cc: shuah@kernel.org +Link: http://lkml.kernel.org/r/20180211205924.GA23210@light.dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/test_vdso.c | 11 ++++++++--- + tools/testing/selftests/x86/test_vsyscall.c | 11 ++++++++--- + 2 files changed, 16 insertions(+), 6 deletions(-) + +--- a/tools/testing/selftests/x86/test_vdso.c ++++ b/tools/testing/selftests/x86/test_vdso.c +@@ -26,6 +26,9 @@ + # endif + #endif + ++/* max length of lines in /proc/self/maps - anything longer is skipped here */ ++#define MAPS_LINE_LEN 128 ++ + int nerrs = 0; + + typedef long (*getcpu_t)(unsigned *, unsigned *, void *); +@@ -37,17 +40,19 @@ static void *vsyscall_getcpu(void) + { + #ifdef __x86_64__ + FILE *maps; +- char line[128]; ++ char line[MAPS_LINE_LEN]; + bool found = false; + + maps = fopen("/proc/self/maps", "r"); + if (!maps) /* might still be present, but ignore it here, as we test vDSO not vsyscall */ + return NULL; + +- while (fgets(line, sizeof(line), maps)) { ++ while (fgets(line, MAPS_LINE_LEN, maps)) { + char r, x; + void *start, *end; +- char name[128]; ++ char name[MAPS_LINE_LEN]; ++ ++ /* sscanf() is safe here as strlen(name) >= strlen(line) */ + if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s", + &start, &end, &r, &x, name) != 5) + continue; +--- a/tools/testing/selftests/x86/test_vsyscall.c ++++ b/tools/testing/selftests/x86/test_vsyscall.c +@@ -33,6 +33,9 @@ + # endif + #endif + ++/* max length of lines in /proc/self/maps - anything longer is skipped here */ ++#define MAPS_LINE_LEN 128 ++ + static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), + int flags) + { +@@ -98,7 +101,7 @@ static int init_vsys(void) + #ifdef __x86_64__ + int nerrs = 0; + FILE *maps; +- char line[128]; ++ char line[MAPS_LINE_LEN]; + bool found = false; + + maps = fopen("/proc/self/maps", "r"); +@@ -108,10 +111,12 @@ static int init_vsys(void) + return 0; + } + +- while (fgets(line, sizeof(line), maps)) { ++ while (fgets(line, MAPS_LINE_LEN, maps)) { + char r, x; + void *start, *end; +- char name[128]; ++ char name[MAPS_LINE_LEN]; ++ ++ /* sscanf() is safe here as strlen(name) >= strlen(line) */ + if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s", + &start, &end, &r, &x, name) != 5) + continue; diff --git a/queue-4.14/selftests-x86-disable-tests-requiring-32-bit-support-on-pure-64-bit-systems.patch b/queue-4.14/selftests-x86-disable-tests-requiring-32-bit-support-on-pure-64-bit-systems.patch new file mode 100644 index 00000000000..12d67a26638 --- /dev/null +++ b/queue-4.14/selftests-x86-disable-tests-requiring-32-bit-support-on-pure-64-bit-systems.patch @@ -0,0 +1,76 @@ +From 9279ddf23ce78ff2676e8e8e19fec0f022c26d04 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Tue, 13 Feb 2018 09:15:19 +0100 +Subject: selftests/x86: Disable tests requiring 32-bit support on pure 64-bit systems + +From: Dominik Brodowski + +commit 9279ddf23ce78ff2676e8e8e19fec0f022c26d04 upstream. + +The ldt_gdt and ptrace_syscall selftests, even in their 64-bit variant, use +hard-coded 32-bit syscall numbers and call "int $0x80". + +This will fail on 64-bit systems with CONFIG_IA32_EMULATION=y disabled. + +Therefore, do not build these tests if we cannot build 32-bit binaries +(which should be a good approximation for CONFIG_IA32_EMULATION=y being enabled). + +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Dmitry Safonov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kselftest@vger.kernel.org +Cc: shuah@kernel.org +Link: http://lkml.kernel.org/r/20180211111013.16888-6-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/Makefile | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/tools/testing/selftests/x86/Makefile ++++ b/tools/testing/selftests/x86/Makefile +@@ -5,16 +5,26 @@ include ../lib.mk + + .PHONY: all all_32 all_64 warn_32bit_failure clean + +-TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt ptrace_syscall test_mremap_vdso \ +- check_initial_reg_state sigreturn ldt_gdt iopl mpx-mini-test ioperm \ ++UNAME_M := $(shell uname -m) ++CAN_BUILD_I386 := $(shell ./check_cc.sh $(CC) trivial_32bit_program.c -m32) ++CAN_BUILD_X86_64 := $(shell ./check_cc.sh $(CC) trivial_64bit_program.c) ++ ++TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \ ++ check_initial_reg_state sigreturn iopl mpx-mini-test ioperm \ + protection_keys test_vdso test_vsyscall + TARGETS_C_32BIT_ONLY := entry_from_vm86 syscall_arg_fault test_syscall_vdso unwind_vdso \ + test_FCMOV test_FCOMI test_FISTTP \ + vdso_restorer + TARGETS_C_64BIT_ONLY := fsgsbase sysret_rip ++# Some selftests require 32bit support enabled also on 64bit systems ++TARGETS_C_32BIT_NEEDED := ldt_gdt ptrace_syscall + +-TARGETS_C_32BIT_ALL := $(TARGETS_C_BOTHBITS) $(TARGETS_C_32BIT_ONLY) ++TARGETS_C_32BIT_ALL := $(TARGETS_C_BOTHBITS) $(TARGETS_C_32BIT_ONLY) $(TARGETS_C_32BIT_NEEDED) + TARGETS_C_64BIT_ALL := $(TARGETS_C_BOTHBITS) $(TARGETS_C_64BIT_ONLY) ++ifeq ($(CAN_BUILD_I386)$(CAN_BUILD_X86_64),11) ++TARGETS_C_64BIT_ALL += $(TARGETS_C_32BIT_NEEDED) ++endif ++ + BINARIES_32 := $(TARGETS_C_32BIT_ALL:%=%_32) + BINARIES_64 := $(TARGETS_C_64BIT_ALL:%=%_64) + +@@ -23,10 +33,6 @@ BINARIES_64 := $(patsubst %,$(OUTPUT)/%, + + CFLAGS := -O2 -g -std=gnu99 -pthread -Wall -no-pie + +-UNAME_M := $(shell uname -m) +-CAN_BUILD_I386 := $(shell ./check_cc.sh $(CC) trivial_32bit_program.c -m32) +-CAN_BUILD_X86_64 := $(shell ./check_cc.sh $(CC) trivial_64bit_program.c) +- + ifeq ($(CAN_BUILD_I386),1) + all: all_32 + TEST_PROGS += $(BINARIES_32) diff --git a/queue-4.14/selftests-x86-do-not-rely-on-int-0x80-in-single_step_syscall.c.patch b/queue-4.14/selftests-x86-do-not-rely-on-int-0x80-in-single_step_syscall.c.patch new file mode 100644 index 00000000000..fb379c9ad24 --- /dev/null +++ b/queue-4.14/selftests-x86-do-not-rely-on-int-0x80-in-single_step_syscall.c.patch @@ -0,0 +1,75 @@ +From 4105c69703cdeba76f384b901712c9397b04e9c2 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Tue, 13 Feb 2018 09:13:21 +0100 +Subject: selftests/x86: Do not rely on "int $0x80" in single_step_syscall.c + +From: Dominik Brodowski + +commit 4105c69703cdeba76f384b901712c9397b04e9c2 upstream. + +On 64-bit builds, we should not rely on "int $0x80" working (it only does if +CONFIG_IA32_EMULATION=y is enabled). To keep the "Set TF and check int80" +test running on 64-bit installs with CONFIG_IA32_EMULATION=y enabled, build +this test only if we can also build 32-bit binaries (which should be a +good approximation for that). + +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Dmitry Safonov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kselftest@vger.kernel.org +Cc: shuah@kernel.org +Link: http://lkml.kernel.org/r/20180211111013.16888-5-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/Makefile | 2 ++ + tools/testing/selftests/x86/single_step_syscall.c | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/x86/Makefile ++++ b/tools/testing/selftests/x86/Makefile +@@ -30,11 +30,13 @@ CAN_BUILD_X86_64 := $(shell ./check_cc.s + ifeq ($(CAN_BUILD_I386),1) + all: all_32 + TEST_PROGS += $(BINARIES_32) ++EXTRA_CFLAGS += -DCAN_BUILD_32 + endif + + ifeq ($(CAN_BUILD_X86_64),1) + all: all_64 + TEST_PROGS += $(BINARIES_64) ++EXTRA_CFLAGS += -DCAN_BUILD_64 + endif + + all_32: $(BINARIES_32) +--- a/tools/testing/selftests/x86/single_step_syscall.c ++++ b/tools/testing/selftests/x86/single_step_syscall.c +@@ -119,7 +119,9 @@ static void check_result(void) + + int main() + { ++#ifdef CAN_BUILD_32 + int tmp; ++#endif + + sethandler(SIGTRAP, sigtrap, 0); + +@@ -139,12 +141,13 @@ int main() + : : "c" (post_nop) : "r11"); + check_result(); + #endif +- ++#ifdef CAN_BUILD_32 + printf("[RUN]\tSet TF and check int80\n"); + set_eflags(get_eflags() | X86_EFLAGS_TF); + asm volatile ("int $0x80" : "=a" (tmp) : "a" (SYS_getpid) + : INT80_CLOBBERS); + check_result(); ++#endif + + /* + * This test is particularly interesting if fast syscalls use diff --git a/queue-4.14/selftests-x86-do-not-rely-on-int-0x80-in-test_mremap_vdso.c.patch b/queue-4.14/selftests-x86-do-not-rely-on-int-0x80-in-test_mremap_vdso.c.patch new file mode 100644 index 00000000000..32a30d53cb9 --- /dev/null +++ b/queue-4.14/selftests-x86-do-not-rely-on-int-0x80-in-test_mremap_vdso.c.patch @@ -0,0 +1,46 @@ +From 2cbc0d66de0480449c75636f55697c7ff3af61fc Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 12:10:11 +0100 +Subject: selftests/x86: Do not rely on "int $0x80" in test_mremap_vdso.c + +From: Dominik Brodowski + +commit 2cbc0d66de0480449c75636f55697c7ff3af61fc upstream. + +On 64-bit builds, we should not rely on "int $0x80" working (it only does if +CONFIG_IA32_EMULATION=y is enabled). + +Without this patch, the move test may succeed, but the "int $0x80" causes +a segfault, resulting in a false negative output of this self-test. + +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Dmitry Safonov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kselftest@vger.kernel.org +Cc: shuah@kernel.org +Link: http://lkml.kernel.org/r/20180211111013.16888-4-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/test_mremap_vdso.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/testing/selftests/x86/test_mremap_vdso.c ++++ b/tools/testing/selftests/x86/test_mremap_vdso.c +@@ -90,8 +90,12 @@ int main(int argc, char **argv, char **e + vdso_size += PAGE_SIZE; + } + ++#ifdef __i386__ + /* Glibc is likely to explode now - exit with raw syscall */ + asm volatile ("int $0x80" : : "a" (__NR_exit), "b" (!!ret)); ++#else /* __x86_64__ */ ++ syscall(SYS_exit, ret); ++#endif + } else { + int status; + diff --git a/queue-4.14/selftests-x86-fix-vdso-selftest-segfault-for-vsyscall-none.patch b/queue-4.14/selftests-x86-fix-vdso-selftest-segfault-for-vsyscall-none.patch new file mode 100644 index 00000000000..c0c44390f5f --- /dev/null +++ b/queue-4.14/selftests-x86-fix-vdso-selftest-segfault-for-vsyscall-none.patch @@ -0,0 +1,100 @@ +From 198ee8e17502da2634f7366395db1d77630e0219 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 12:10:10 +0100 +Subject: selftests/x86: Fix vDSO selftest segfault for vsyscall=none + +From: Dominik Brodowski + +commit 198ee8e17502da2634f7366395db1d77630e0219 upstream. + +The vDSO selftest tries to execute a vsyscall unconditionally, even if it +is not present on the test system (e.g. if booted with vsyscall=none or +with CONFIG_LEGACY_VSYSCALL_NONE=y set. Fix this by copying (and tweaking) +the vsyscall check from test_vsyscall.c + +Signed-off-by: Dominik Brodowski +Cc: Andrew Lutomirski +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kselftest@vger.kernel.org +Cc: shuah@kernel.org +Link: http://lkml.kernel.org/r/20180211111013.16888-3-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/test_vdso.c | 50 +++++++++++++++++++++++++++----- + 1 file changed, 43 insertions(+), 7 deletions(-) + +--- a/tools/testing/selftests/x86/test_vdso.c ++++ b/tools/testing/selftests/x86/test_vdso.c +@@ -28,18 +28,52 @@ + + int nerrs = 0; + ++typedef long (*getcpu_t)(unsigned *, unsigned *, void *); ++ ++getcpu_t vgetcpu; ++getcpu_t vdso_getcpu; ++ ++static void *vsyscall_getcpu(void) ++{ + #ifdef __x86_64__ +-# define VSYS(x) (x) ++ FILE *maps; ++ char line[128]; ++ bool found = false; ++ ++ maps = fopen("/proc/self/maps", "r"); ++ if (!maps) /* might still be present, but ignore it here, as we test vDSO not vsyscall */ ++ return NULL; ++ ++ while (fgets(line, sizeof(line), maps)) { ++ char r, x; ++ void *start, *end; ++ char name[128]; ++ if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s", ++ &start, &end, &r, &x, name) != 5) ++ continue; ++ ++ if (strcmp(name, "[vsyscall]")) ++ continue; ++ ++ /* assume entries are OK, as we test vDSO here not vsyscall */ ++ found = true; ++ break; ++ } ++ ++ fclose(maps); ++ ++ if (!found) { ++ printf("Warning: failed to find vsyscall getcpu\n"); ++ return NULL; ++ } ++ return (void *) (0xffffffffff600800); + #else +-# define VSYS(x) 0 ++ return NULL; + #endif ++} + +-typedef long (*getcpu_t)(unsigned *, unsigned *, void *); +- +-const getcpu_t vgetcpu = (getcpu_t)VSYS(0xffffffffff600800); +-getcpu_t vdso_getcpu; + +-void fill_function_pointers() ++static void fill_function_pointers() + { + void *vdso = dlopen("linux-vdso.so.1", + RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD); +@@ -54,6 +88,8 @@ void fill_function_pointers() + vdso_getcpu = (getcpu_t)dlsym(vdso, "__vdso_getcpu"); + if (!vdso_getcpu) + printf("Warning: failed to find getcpu in vDSO\n"); ++ ++ vgetcpu = (getcpu_t) vsyscall_getcpu(); + } + + static long sys_getcpu(unsigned * cpu, unsigned * node, diff --git a/queue-4.14/selftests-x86-mpx-fix-incorrect-bounds-with-old-_sigfault.patch b/queue-4.14/selftests-x86-mpx-fix-incorrect-bounds-with-old-_sigfault.patch new file mode 100644 index 00000000000..cfa8a98634c --- /dev/null +++ b/queue-4.14/selftests-x86-mpx-fix-incorrect-bounds-with-old-_sigfault.patch @@ -0,0 +1,91 @@ +From 961888b1d76d84efc66a8f5604b06ac12ac2f978 Mon Sep 17 00:00:00 2001 +From: Rui Wang +Date: Mon, 18 Dec 2017 16:34:10 +0800 +Subject: selftests/x86/mpx: Fix incorrect bounds with old _sigfault + +From: Rui Wang + +commit 961888b1d76d84efc66a8f5604b06ac12ac2f978 upstream. + +For distributions with old userspace header files, the _sigfault +structure is different. mpx-mini-test fails with the following +error: + + [root@Purley]# mpx-mini-test_64 tabletest + XSAVE is supported by HW & OS + XSAVE processor supported state mask: 0x2ff + XSAVE OS supported state mask: 0x2ff + BNDREGS: size: 64 user: 1 supervisor: 0 aligned: 0 + BNDCSR: size: 64 user: 1 supervisor: 0 aligned: 0 + starting mpx bounds table test + ERROR: siginfo bounds do not match shadow bounds for register 0 + +Fix it by using the correct offset of _lower/_upper in _sigfault. +RHEL needs this patch to work. + +Signed-off-by: Rui Wang +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dave.hansen@linux.intel.com +Fixes: e754aedc26ef ("x86/mpx, selftests: Add MPX self test") +Link: http://lkml.kernel.org/r/1513586050-1641-1-git-send-email-rui.y.wang@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/mpx-mini-test.c | 32 ++++++++++++++++++++++++++-- + 1 file changed, 30 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/x86/mpx-mini-test.c ++++ b/tools/testing/selftests/x86/mpx-mini-test.c +@@ -315,11 +315,39 @@ static inline void *__si_bounds_upper(si + return si->si_upper; + } + #else ++ ++/* ++ * This deals with old version of _sigfault in some distros: ++ * ++ ++old _sigfault: ++ struct { ++ void *si_addr; ++ } _sigfault; ++ ++new _sigfault: ++ struct { ++ void __user *_addr; ++ int _trapno; ++ short _addr_lsb; ++ union { ++ struct { ++ void __user *_lower; ++ void __user *_upper; ++ } _addr_bnd; ++ __u32 _pkey; ++ }; ++ } _sigfault; ++ * ++ */ ++ + static inline void **__si_bounds_hack(siginfo_t *si) + { + void *sigfault = &si->_sifields._sigfault; + void *end_sigfault = sigfault + sizeof(si->_sifields._sigfault); +- void **__si_lower = end_sigfault; ++ int *trapno = (int*)end_sigfault; ++ /* skip _trapno and _addr_lsb */ ++ void **__si_lower = (void**)(trapno + 2); + + return __si_lower; + } +@@ -331,7 +359,7 @@ static inline void *__si_bounds_lower(si + + static inline void *__si_bounds_upper(siginfo_t *si) + { +- return (*__si_bounds_hack(si)) + sizeof(void *); ++ return *(__si_bounds_hack(si) + 1); + } + #endif + diff --git a/queue-4.14/selftests-x86-pkeys-remove-unused-functions.patch b/queue-4.14/selftests-x86-pkeys-remove-unused-functions.patch new file mode 100644 index 00000000000..1372eda6e4e --- /dev/null +++ b/queue-4.14/selftests-x86-pkeys-remove-unused-functions.patch @@ -0,0 +1,70 @@ +From ce676638fe7b284132a7d7d5e7e7ad81bab9947e Mon Sep 17 00:00:00 2001 +From: Ingo Molnar +Date: Tue, 13 Feb 2018 08:26:17 +0100 +Subject: selftests/x86/pkeys: Remove unused functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ingo Molnar + +commit ce676638fe7b284132a7d7d5e7e7ad81bab9947e upstream. + +This also gets rid of two build warnings: + + protection_keys.c: In function ‘dumpit’: + protection_keys.c:419:3: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] + write(1, buf, nr_read); + ^~~~~~~~~~~~~~~~~~~~~~ + +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Dave Hansen +Cc: Shuah Khan +Cc: Andy Lutomirski +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/protection_keys.c | 28 -------------------------- + 1 file changed, 28 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -393,34 +393,6 @@ pid_t fork_lazy_child(void) + return forkret; + } + +-void davecmp(void *_a, void *_b, int len) +-{ +- int i; +- unsigned long *a = _a; +- unsigned long *b = _b; +- +- for (i = 0; i < len / sizeof(*a); i++) { +- if (a[i] == b[i]) +- continue; +- +- dprintf3("[%3d]: a: %016lx b: %016lx\n", i, a[i], b[i]); +- } +-} +- +-void dumpit(char *f) +-{ +- int fd = open(f, O_RDONLY); +- char buf[100]; +- int nr_read; +- +- dprintf2("maps fd: %d\n", fd); +- do { +- nr_read = read(fd, &buf[0], sizeof(buf)); +- write(1, buf, nr_read); +- } while (nr_read > 0); +- close(fd); +-} +- + #define PKEY_DISABLE_ACCESS 0x1 + #define PKEY_DISABLE_WRITE 0x2 + diff --git a/queue-4.14/series b/queue-4.14/series index 70f1770f9ce..0a22aecbb1e 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -54,3 +54,31 @@ kvm-nvmx-set-the-cpu_based_use_msr_bitmaps-if-we-have-a-valid-l02-msr-bitmap.pat x86-speculation-clean-up-various-spectre-related-details.patch pm-runtime-update-links_count-also-if-config_srcu.patch pm-cpuidle-fix-cpuidle_poll_state_init-prototype.patch +x86-entry-64-clear-registers-for-exceptions-interrupts-to-reduce-speculation-attack-surface.patch +x86-entry-64-merge-save_c_regs-and-save_extra_regs-remove-unused-extensions.patch +x86-entry-64-merge-the-pop_c_regs-and-pop_extra_regs-macros-into-a-single-pop_regs-macro.patch +x86-entry-64-interleave-xor-register-clearing-with-push-instructions.patch +x86-entry-64-introduce-the-push_and_clean_regs-macro.patch +x86-entry-64-use-push_and_clean_regs-in-more-cases.patch +x86-entry-64-get-rid-of-the-alloc_pt_gpregs_on_stack-and-save_and_clear_regs-macros.patch +x86-entry-64-indent-push_and_clear_regs-and-pop_regs-properly.patch +x86-entry-64-fix-paranoid_entry-frame-pointer-warning.patch +x86-entry-64-remove-the-unused-icebp-macro.patch +selftests-x86-fix-vdso-selftest-segfault-for-vsyscall-none.patch +selftests-x86-clean-up-and-document-sscanf-usage.patch +selftests-x86-pkeys-remove-unused-functions.patch +selftests-x86-do-not-rely-on-int-0x80-in-test_mremap_vdso.c.patch +selftests-x86-do-not-rely-on-int-0x80-in-single_step_syscall.c.patch +selftests-x86-disable-tests-requiring-32-bit-support-on-pure-64-bit-systems.patch +objtool-fix-segfault-in-ignore_unreachable_insn.patch +x86-debug-objtool-annotate-warn-related-ud2-as-reachable.patch +x86-debug-use-ud2-for-warn.patch +x86-speculation-fix-up-array_index_nospec_mask-asm-constraint.patch +nospec-move-array_index_nospec-parameter-checking-into-separate-macro.patch +x86-speculation-add-asm-msr-index.h-dependency.patch +x86-mm-rename-flush_tlb_single-and-flush_tlb_one-to-__flush_tlb_one_.patch +selftests-x86-mpx-fix-incorrect-bounds-with-old-_sigfault.patch +x86-cpu-rename-cpu_data.x86_mask-to-cpu_data.x86_stepping.patch +x86-spectre-fix-an-error-message.patch +x86-cpu-change-type-of-x86_cache_size-variable-to-unsigned-int.patch +x86-entry-64-fix-cr3-restore-in-paranoid_exit.patch diff --git a/queue-4.14/x86-cpu-change-type-of-x86_cache_size-variable-to-unsigned-int.patch b/queue-4.14/x86-cpu-change-type-of-x86_cache_size-variable-to-unsigned-int.patch new file mode 100644 index 00000000000..bfe56f020ef --- /dev/null +++ b/queue-4.14/x86-cpu-change-type-of-x86_cache_size-variable-to-unsigned-int.patch @@ -0,0 +1,77 @@ +From 24dbc6000f4b9b0ef5a9daecb161f1907733765a Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 13 Feb 2018 13:22:08 -0600 +Subject: x86/cpu: Change type of x86_cache_size variable to unsigned int + +From: Gustavo A. R. Silva + +commit 24dbc6000f4b9b0ef5a9daecb161f1907733765a upstream. + +Currently, x86_cache_size is of type int, which makes no sense as we +will never have a valid cache size equal or less than 0. So instead of +initializing this variable to -1, it can perfectly be initialized to 0 +and use it as an unsigned variable instead. + +Suggested-by: Thomas Gleixner +Signed-off-by: Gustavo A. R. Silva +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Addresses-Coverity-ID: 1464429 +Link: http://lkml.kernel.org/r/20180213192208.GA26414@embeddedor.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/processor.h | 2 +- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/cpu/microcode/intel.c | 2 +- + arch/x86/kernel/cpu/proc.c | 4 ++-- + 4 files changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -109,7 +109,7 @@ struct cpuinfo_x86 { + char x86_vendor_id[16]; + char x86_model_id[64]; + /* in KB - valid for CPUS which support this call: */ +- int x86_cache_size; ++ unsigned int x86_cache_size; + int x86_cache_alignment; /* In bytes */ + /* Cache QoS architectural values: */ + int x86_cache_max_rmid; /* max index */ +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1160,7 +1160,7 @@ static void identify_cpu(struct cpuinfo_ + int i; + + c->loops_per_jiffy = loops_per_jiffy; +- c->x86_cache_size = -1; ++ c->x86_cache_size = 0; + c->x86_vendor = X86_VENDOR_UNKNOWN; + c->x86_model = c->x86_stepping = 0; /* So far unknown... */ + c->x86_vendor_id[0] = '\0'; /* Unset */ +--- a/arch/x86/kernel/cpu/microcode/intel.c ++++ b/arch/x86/kernel/cpu/microcode/intel.c +@@ -982,7 +982,7 @@ static struct microcode_ops microcode_in + + static int __init calc_llc_size_per_core(struct cpuinfo_x86 *c) + { +- u64 llc_size = c->x86_cache_size * 1024; ++ u64 llc_size = c->x86_cache_size * 1024ULL; + + do_div(llc_size, c->x86_max_cores); + +--- a/arch/x86/kernel/cpu/proc.c ++++ b/arch/x86/kernel/cpu/proc.c +@@ -91,8 +91,8 @@ static int show_cpuinfo(struct seq_file + } + + /* Cache size */ +- if (c->x86_cache_size >= 0) +- seq_printf(m, "cache size\t: %d KB\n", c->x86_cache_size); ++ if (c->x86_cache_size) ++ seq_printf(m, "cache size\t: %u KB\n", c->x86_cache_size); + + show_cpuinfo_core(m, c, cpu); + show_cpuinfo_misc(m, c); diff --git a/queue-4.14/x86-cpu-rename-cpu_data.x86_mask-to-cpu_data.x86_stepping.patch b/queue-4.14/x86-cpu-rename-cpu_data.x86_mask-to-cpu_data.x86_stepping.patch new file mode 100644 index 00000000000..68aa210f716 --- /dev/null +++ b/queue-4.14/x86-cpu-rename-cpu_data.x86_mask-to-cpu_data.x86_stepping.patch @@ -0,0 +1,739 @@ +From b399151cb48db30ad1e0e93dd40d68c6d007b637 Mon Sep 17 00:00:00 2001 +From: Jia Zhang +Date: Mon, 1 Jan 2018 09:52:10 +0800 +Subject: x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping + +From: Jia Zhang + +commit b399151cb48db30ad1e0e93dd40d68c6d007b637 upstream. + +x86_mask is a confusing name which is hard to associate with the +processor's stepping. + +Additionally, correct an indent issue in lib/cpu.c. + +Signed-off-by: Jia Zhang +[ Updated it to more recent kernels. ] +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: bp@alien8.de +Cc: tony.luck@intel.com +Link: http://lkml.kernel.org/r/1514771530-70829-1-git-send-email-qianyue.zj@alibaba-inc.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/core.c | 2 +- + arch/x86/events/intel/lbr.c | 2 +- + arch/x86/events/intel/p6.c | 2 +- + arch/x86/include/asm/acpi.h | 2 +- + arch/x86/include/asm/processor.h | 2 +- + arch/x86/kernel/amd_nb.c | 2 +- + arch/x86/kernel/apic/apic.c | 6 +++--- + arch/x86/kernel/asm-offsets_32.c | 2 +- + arch/x86/kernel/cpu/amd.c | 28 ++++++++++++++-------------- + arch/x86/kernel/cpu/centaur.c | 4 ++-- + arch/x86/kernel/cpu/common.c | 8 ++++---- + arch/x86/kernel/cpu/cyrix.c | 2 +- + arch/x86/kernel/cpu/intel.c | 18 +++++++++--------- + arch/x86/kernel/cpu/intel_rdt.c | 2 +- + arch/x86/kernel/cpu/microcode/intel.c | 4 ++-- + arch/x86/kernel/cpu/mtrr/generic.c | 2 +- + arch/x86/kernel/cpu/mtrr/main.c | 4 ++-- + arch/x86/kernel/cpu/proc.c | 4 ++-- + arch/x86/kernel/head_32.S | 4 ++-- + arch/x86/kernel/mpparse.c | 2 +- + arch/x86/lib/cpu.c | 2 +- + drivers/char/hw_random/via-rng.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 2 +- + drivers/cpufreq/longhaul.c | 6 +++--- + drivers/cpufreq/p4-clockmod.c | 2 +- + drivers/cpufreq/powernow-k7.c | 2 +- + drivers/cpufreq/speedstep-centrino.c | 4 ++-- + drivers/cpufreq/speedstep-lib.c | 6 +++--- + drivers/crypto/padlock-aes.c | 2 +- + drivers/edac/amd64_edac.c | 2 +- + drivers/hwmon/coretemp.c | 6 +++--- + drivers/hwmon/hwmon-vid.c | 2 +- + drivers/hwmon/k10temp.c | 2 +- + drivers/hwmon/k8temp.c | 2 +- + drivers/video/fbdev/geode/video_gx.c | 2 +- + 35 files changed, 73 insertions(+), 73 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3559,7 +3559,7 @@ static int intel_snb_pebs_broken(int cpu + break; + + case INTEL_FAM6_SANDYBRIDGE_X: +- switch (cpu_data(cpu).x86_mask) { ++ switch (cpu_data(cpu).x86_stepping) { + case 6: rev = 0x618; break; + case 7: rev = 0x70c; break; + } +--- a/arch/x86/events/intel/lbr.c ++++ b/arch/x86/events/intel/lbr.c +@@ -1186,7 +1186,7 @@ void __init intel_pmu_lbr_init_atom(void + * on PMU interrupt + */ + if (boot_cpu_data.x86_model == 28 +- && boot_cpu_data.x86_mask < 10) { ++ && boot_cpu_data.x86_stepping < 10) { + pr_cont("LBR disabled due to erratum"); + return; + } +--- a/arch/x86/events/intel/p6.c ++++ b/arch/x86/events/intel/p6.c +@@ -234,7 +234,7 @@ static __initconst const struct x86_pmu + + static __init void p6_pmu_rdpmc_quirk(void) + { +- if (boot_cpu_data.x86_mask < 9) { ++ if (boot_cpu_data.x86_stepping < 9) { + /* + * PPro erratum 26; fixed in stepping 9 and above. + */ +--- a/arch/x86/include/asm/acpi.h ++++ b/arch/x86/include/asm/acpi.h +@@ -94,7 +94,7 @@ static inline unsigned int acpi_processo + if (boot_cpu_data.x86 == 0x0F && + boot_cpu_data.x86_vendor == X86_VENDOR_AMD && + boot_cpu_data.x86_model <= 0x05 && +- boot_cpu_data.x86_mask < 0x0A) ++ boot_cpu_data.x86_stepping < 0x0A) + return 1; + else if (boot_cpu_has(X86_BUG_AMD_APIC_C1E)) + return 1; +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -91,7 +91,7 @@ struct cpuinfo_x86 { + __u8 x86; /* CPU family */ + __u8 x86_vendor; /* CPU vendor */ + __u8 x86_model; +- __u8 x86_mask; ++ __u8 x86_stepping; + #ifdef CONFIG_X86_64 + /* Number of 4K pages in DTLB/ITLB combined(in pages): */ + int x86_tlbsize; +--- a/arch/x86/kernel/amd_nb.c ++++ b/arch/x86/kernel/amd_nb.c +@@ -235,7 +235,7 @@ int amd_cache_northbridges(void) + if (boot_cpu_data.x86 == 0x10 && + boot_cpu_data.x86_model >= 0x8 && + (boot_cpu_data.x86_model > 0x9 || +- boot_cpu_data.x86_mask >= 0x1)) ++ boot_cpu_data.x86_stepping >= 0x1)) + amd_northbridges.flags |= AMD_NB_L3_INDEX_DISABLE; + + if (boot_cpu_data.x86 == 0x15) +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -553,7 +553,7 @@ static DEFINE_PER_CPU(struct clock_event + + static u32 hsx_deadline_rev(void) + { +- switch (boot_cpu_data.x86_mask) { ++ switch (boot_cpu_data.x86_stepping) { + case 0x02: return 0x3a; /* EP */ + case 0x04: return 0x0f; /* EX */ + } +@@ -563,7 +563,7 @@ static u32 hsx_deadline_rev(void) + + static u32 bdx_deadline_rev(void) + { +- switch (boot_cpu_data.x86_mask) { ++ switch (boot_cpu_data.x86_stepping) { + case 0x02: return 0x00000011; + case 0x03: return 0x0700000e; + case 0x04: return 0x0f00000c; +@@ -575,7 +575,7 @@ static u32 bdx_deadline_rev(void) + + static u32 skx_deadline_rev(void) + { +- switch (boot_cpu_data.x86_mask) { ++ switch (boot_cpu_data.x86_stepping) { + case 0x03: return 0x01000136; + case 0x04: return 0x02000014; + } +--- a/arch/x86/kernel/asm-offsets_32.c ++++ b/arch/x86/kernel/asm-offsets_32.c +@@ -18,7 +18,7 @@ void foo(void) + OFFSET(CPUINFO_x86, cpuinfo_x86, x86); + OFFSET(CPUINFO_x86_vendor, cpuinfo_x86, x86_vendor); + OFFSET(CPUINFO_x86_model, cpuinfo_x86, x86_model); +- OFFSET(CPUINFO_x86_mask, cpuinfo_x86, x86_mask); ++ OFFSET(CPUINFO_x86_stepping, cpuinfo_x86, x86_stepping); + OFFSET(CPUINFO_cpuid_level, cpuinfo_x86, cpuid_level); + OFFSET(CPUINFO_x86_capability, cpuinfo_x86, x86_capability); + OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id); +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -119,7 +119,7 @@ static void init_amd_k6(struct cpuinfo_x + return; + } + +- if (c->x86_model == 6 && c->x86_mask == 1) { ++ if (c->x86_model == 6 && c->x86_stepping == 1) { + const int K6_BUG_LOOP = 1000000; + int n; + void (*f_vide)(void); +@@ -149,7 +149,7 @@ static void init_amd_k6(struct cpuinfo_x + + /* K6 with old style WHCR */ + if (c->x86_model < 8 || +- (c->x86_model == 8 && c->x86_mask < 8)) { ++ (c->x86_model == 8 && c->x86_stepping < 8)) { + /* We can only write allocate on the low 508Mb */ + if (mbytes > 508) + mbytes = 508; +@@ -168,7 +168,7 @@ static void init_amd_k6(struct cpuinfo_x + return; + } + +- if ((c->x86_model == 8 && c->x86_mask > 7) || ++ if ((c->x86_model == 8 && c->x86_stepping > 7) || + c->x86_model == 9 || c->x86_model == 13) { + /* The more serious chips .. */ + +@@ -221,7 +221,7 @@ static void init_amd_k7(struct cpuinfo_x + * are more robust with CLK_CTL set to 200xxxxx instead of 600xxxxx + * As per AMD technical note 27212 0.2 + */ +- if ((c->x86_model == 8 && c->x86_mask >= 1) || (c->x86_model > 8)) { ++ if ((c->x86_model == 8 && c->x86_stepping >= 1) || (c->x86_model > 8)) { + rdmsr(MSR_K7_CLK_CTL, l, h); + if ((l & 0xfff00000) != 0x20000000) { + pr_info("CPU: CLK_CTL MSR was %x. Reprogramming to %x\n", +@@ -241,12 +241,12 @@ static void init_amd_k7(struct cpuinfo_x + * but they are not certified as MP capable. + */ + /* Athlon 660/661 is valid. */ +- if ((c->x86_model == 6) && ((c->x86_mask == 0) || +- (c->x86_mask == 1))) ++ if ((c->x86_model == 6) && ((c->x86_stepping == 0) || ++ (c->x86_stepping == 1))) + return; + + /* Duron 670 is valid */ +- if ((c->x86_model == 7) && (c->x86_mask == 0)) ++ if ((c->x86_model == 7) && (c->x86_stepping == 0)) + return; + + /* +@@ -256,8 +256,8 @@ static void init_amd_k7(struct cpuinfo_x + * See http://www.heise.de/newsticker/data/jow-18.10.01-000 for + * more. + */ +- if (((c->x86_model == 6) && (c->x86_mask >= 2)) || +- ((c->x86_model == 7) && (c->x86_mask >= 1)) || ++ if (((c->x86_model == 6) && (c->x86_stepping >= 2)) || ++ ((c->x86_model == 7) && (c->x86_stepping >= 1)) || + (c->x86_model > 7)) + if (cpu_has(c, X86_FEATURE_MP)) + return; +@@ -583,7 +583,7 @@ static void early_init_amd(struct cpuinf + /* Set MTRR capability flag if appropriate */ + if (c->x86 == 5) + if (c->x86_model == 13 || c->x86_model == 9 || +- (c->x86_model == 8 && c->x86_mask >= 8)) ++ (c->x86_model == 8 && c->x86_stepping >= 8)) + set_cpu_cap(c, X86_FEATURE_K6_MTRR); + #endif + #if defined(CONFIG_X86_LOCAL_APIC) && defined(CONFIG_PCI) +@@ -769,7 +769,7 @@ static void init_amd_zn(struct cpuinfo_x + * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects + * all up to and including B1. + */ +- if (c->x86_model <= 1 && c->x86_mask <= 1) ++ if (c->x86_model <= 1 && c->x86_stepping <= 1) + set_cpu_cap(c, X86_FEATURE_CPB); + } + +@@ -880,11 +880,11 @@ static unsigned int amd_size_cache(struc + /* AMD errata T13 (order #21922) */ + if ((c->x86 == 6)) { + /* Duron Rev A0 */ +- if (c->x86_model == 3 && c->x86_mask == 0) ++ if (c->x86_model == 3 && c->x86_stepping == 0) + size = 64; + /* Tbird rev A1/A2 */ + if (c->x86_model == 4 && +- (c->x86_mask == 0 || c->x86_mask == 1)) ++ (c->x86_stepping == 0 || c->x86_stepping == 1)) + size = 256; + } + return size; +@@ -1021,7 +1021,7 @@ static bool cpu_has_amd_erratum(struct c + } + + /* OSVW unavailable or ID unknown, match family-model-stepping range */ +- ms = (cpu->x86_model << 4) | cpu->x86_mask; ++ ms = (cpu->x86_model << 4) | cpu->x86_stepping; + while ((range = *erratum++)) + if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) && + (ms >= AMD_MODEL_RANGE_START(range)) && +--- a/arch/x86/kernel/cpu/centaur.c ++++ b/arch/x86/kernel/cpu/centaur.c +@@ -136,7 +136,7 @@ static void init_centaur(struct cpuinfo_ + clear_cpu_cap(c, X86_FEATURE_TSC); + break; + case 8: +- switch (c->x86_mask) { ++ switch (c->x86_stepping) { + default: + name = "2"; + break; +@@ -211,7 +211,7 @@ centaur_size_cache(struct cpuinfo_x86 *c + * - Note, it seems this may only be in engineering samples. + */ + if ((c->x86 == 6) && (c->x86_model == 9) && +- (c->x86_mask == 1) && (size == 65)) ++ (c->x86_stepping == 1) && (size == 65)) + size -= 1; + return size; + } +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -707,7 +707,7 @@ void cpu_detect(struct cpuinfo_x86 *c) + cpuid(0x00000001, &tfms, &misc, &junk, &cap0); + c->x86 = x86_family(tfms); + c->x86_model = x86_model(tfms); +- c->x86_mask = x86_stepping(tfms); ++ c->x86_stepping = x86_stepping(tfms); + + if (cap0 & (1<<19)) { + c->x86_clflush_size = ((misc >> 8) & 0xff) * 8; +@@ -1162,7 +1162,7 @@ static void identify_cpu(struct cpuinfo_ + c->loops_per_jiffy = loops_per_jiffy; + c->x86_cache_size = -1; + c->x86_vendor = X86_VENDOR_UNKNOWN; +- c->x86_model = c->x86_mask = 0; /* So far unknown... */ ++ c->x86_model = c->x86_stepping = 0; /* So far unknown... */ + c->x86_vendor_id[0] = '\0'; /* Unset */ + c->x86_model_id[0] = '\0'; /* Unset */ + c->x86_max_cores = 1; +@@ -1353,8 +1353,8 @@ void print_cpu_info(struct cpuinfo_x86 * + + pr_cont(" (family: 0x%x, model: 0x%x", c->x86, c->x86_model); + +- if (c->x86_mask || c->cpuid_level >= 0) +- pr_cont(", stepping: 0x%x)\n", c->x86_mask); ++ if (c->x86_stepping || c->cpuid_level >= 0) ++ pr_cont(", stepping: 0x%x)\n", c->x86_stepping); + else + pr_cont(")\n"); + } +--- a/arch/x86/kernel/cpu/cyrix.c ++++ b/arch/x86/kernel/cpu/cyrix.c +@@ -215,7 +215,7 @@ static void init_cyrix(struct cpuinfo_x8 + + /* common case step number/rev -- exceptions handled below */ + c->x86_model = (dir1 >> 4) + 1; +- c->x86_mask = dir1 & 0xf; ++ c->x86_stepping = dir1 & 0xf; + + /* Now cook; the original recipe is by Channing Corn, from Cyrix. + * We do the same thing for each generation: we work out +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -146,7 +146,7 @@ static bool bad_spectre_microcode(struct + + for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) { + if (c->x86_model == spectre_bad_microcodes[i].model && +- c->x86_mask == spectre_bad_microcodes[i].stepping) ++ c->x86_stepping == spectre_bad_microcodes[i].stepping) + return (c->microcode <= spectre_bad_microcodes[i].microcode); + } + return false; +@@ -193,7 +193,7 @@ static void early_init_intel(struct cpui + * need the microcode to have already been loaded... so if it is + * not, recommend a BIOS update and disable large pages. + */ +- if (c->x86 == 6 && c->x86_model == 0x1c && c->x86_mask <= 2 && ++ if (c->x86 == 6 && c->x86_model == 0x1c && c->x86_stepping <= 2 && + c->microcode < 0x20e) { + pr_warn("Atom PSE erratum detected, BIOS microcode update recommended\n"); + clear_cpu_cap(c, X86_FEATURE_PSE); +@@ -209,7 +209,7 @@ static void early_init_intel(struct cpui + + /* CPUID workaround for 0F33/0F34 CPU */ + if (c->x86 == 0xF && c->x86_model == 0x3 +- && (c->x86_mask == 0x3 || c->x86_mask == 0x4)) ++ && (c->x86_stepping == 0x3 || c->x86_stepping == 0x4)) + c->x86_phys_bits = 36; + + /* +@@ -322,7 +322,7 @@ int ppro_with_ram_bug(void) + if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && + boot_cpu_data.x86 == 6 && + boot_cpu_data.x86_model == 1 && +- boot_cpu_data.x86_mask < 8) { ++ boot_cpu_data.x86_stepping < 8) { + pr_info("Pentium Pro with Errata#50 detected. Taking evasive action.\n"); + return 1; + } +@@ -339,7 +339,7 @@ static void intel_smp_check(struct cpuin + * Mask B, Pentium, but not Pentium MMX + */ + if (c->x86 == 5 && +- c->x86_mask >= 1 && c->x86_mask <= 4 && ++ c->x86_stepping >= 1 && c->x86_stepping <= 4 && + c->x86_model <= 3) { + /* + * Remember we have B step Pentia with bugs +@@ -382,7 +382,7 @@ static void intel_workarounds(struct cpu + * SEP CPUID bug: Pentium Pro reports SEP but doesn't have it until + * model 3 mask 3 + */ +- if ((c->x86<<8 | c->x86_model<<4 | c->x86_mask) < 0x633) ++ if ((c->x86<<8 | c->x86_model<<4 | c->x86_stepping) < 0x633) + clear_cpu_cap(c, X86_FEATURE_SEP); + + /* +@@ -400,7 +400,7 @@ static void intel_workarounds(struct cpu + * P4 Xeon erratum 037 workaround. + * Hardware prefetcher may cause stale data to be loaded into the cache. + */ +- if ((c->x86 == 15) && (c->x86_model == 1) && (c->x86_mask == 1)) { ++ if ((c->x86 == 15) && (c->x86_model == 1) && (c->x86_stepping == 1)) { + if (msr_set_bit(MSR_IA32_MISC_ENABLE, + MSR_IA32_MISC_ENABLE_PREFETCH_DISABLE_BIT) > 0) { + pr_info("CPU: C0 stepping P4 Xeon detected.\n"); +@@ -415,7 +415,7 @@ static void intel_workarounds(struct cpu + * Specification Update"). + */ + if (boot_cpu_has(X86_FEATURE_APIC) && (c->x86<<8 | c->x86_model<<4) == 0x520 && +- (c->x86_mask < 0x6 || c->x86_mask == 0xb)) ++ (c->x86_stepping < 0x6 || c->x86_stepping == 0xb)) + set_cpu_bug(c, X86_BUG_11AP); + + +@@ -662,7 +662,7 @@ static void init_intel(struct cpuinfo_x8 + case 6: + if (l2 == 128) + p = "Celeron (Mendocino)"; +- else if (c->x86_mask == 0 || c->x86_mask == 5) ++ else if (c->x86_stepping == 0 || c->x86_stepping == 5) + p = "Celeron-A"; + break; + +--- a/arch/x86/kernel/cpu/intel_rdt.c ++++ b/arch/x86/kernel/cpu/intel_rdt.c +@@ -771,7 +771,7 @@ static __init void rdt_quirks(void) + cache_alloc_hsw_probe(); + break; + case INTEL_FAM6_SKYLAKE_X: +- if (boot_cpu_data.x86_mask <= 4) ++ if (boot_cpu_data.x86_stepping <= 4) + set_rdt_options("!cmt,!mbmtotal,!mbmlocal,!l3cat"); + } + } +--- a/arch/x86/kernel/cpu/microcode/intel.c ++++ b/arch/x86/kernel/cpu/microcode/intel.c +@@ -921,7 +921,7 @@ static bool is_blacklisted(unsigned int + */ + if (c->x86 == 6 && + c->x86_model == INTEL_FAM6_BROADWELL_X && +- c->x86_mask == 0x01 && ++ c->x86_stepping == 0x01 && + llc_size_per_core > 2621440 && + c->microcode < 0x0b000021) { + pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode); +@@ -944,7 +944,7 @@ static enum ucode_state request_microcod + return UCODE_NFOUND; + + sprintf(name, "intel-ucode/%02x-%02x-%02x", +- c->x86, c->x86_model, c->x86_mask); ++ c->x86, c->x86_model, c->x86_stepping); + + if (request_firmware_direct(&firmware, name, device)) { + pr_debug("data file %s load failed\n", name); +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -859,7 +859,7 @@ int generic_validate_add_page(unsigned l + */ + if (is_cpu(INTEL) && boot_cpu_data.x86 == 6 && + boot_cpu_data.x86_model == 1 && +- boot_cpu_data.x86_mask <= 7) { ++ boot_cpu_data.x86_stepping <= 7) { + if (base & ((1 << (22 - PAGE_SHIFT)) - 1)) { + pr_warn("mtrr: base(0x%lx000) is not 4 MiB aligned\n", base); + return -EINVAL; +--- a/arch/x86/kernel/cpu/mtrr/main.c ++++ b/arch/x86/kernel/cpu/mtrr/main.c +@@ -711,8 +711,8 @@ void __init mtrr_bp_init(void) + if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && + boot_cpu_data.x86 == 0xF && + boot_cpu_data.x86_model == 0x3 && +- (boot_cpu_data.x86_mask == 0x3 || +- boot_cpu_data.x86_mask == 0x4)) ++ (boot_cpu_data.x86_stepping == 0x3 || ++ boot_cpu_data.x86_stepping == 0x4)) + phys_addr = 36; + + size_or_mask = SIZE_OR_MASK_BITS(phys_addr); +--- a/arch/x86/kernel/cpu/proc.c ++++ b/arch/x86/kernel/cpu/proc.c +@@ -72,8 +72,8 @@ static int show_cpuinfo(struct seq_file + c->x86_model, + c->x86_model_id[0] ? c->x86_model_id : "unknown"); + +- if (c->x86_mask || c->cpuid_level >= 0) +- seq_printf(m, "stepping\t: %d\n", c->x86_mask); ++ if (c->x86_stepping || c->cpuid_level >= 0) ++ seq_printf(m, "stepping\t: %d\n", c->x86_stepping); + else + seq_puts(m, "stepping\t: unknown\n"); + if (c->microcode) +--- a/arch/x86/kernel/head_32.S ++++ b/arch/x86/kernel/head_32.S +@@ -37,7 +37,7 @@ + #define X86 new_cpu_data+CPUINFO_x86 + #define X86_VENDOR new_cpu_data+CPUINFO_x86_vendor + #define X86_MODEL new_cpu_data+CPUINFO_x86_model +-#define X86_MASK new_cpu_data+CPUINFO_x86_mask ++#define X86_STEPPING new_cpu_data+CPUINFO_x86_stepping + #define X86_HARD_MATH new_cpu_data+CPUINFO_hard_math + #define X86_CPUID new_cpu_data+CPUINFO_cpuid_level + #define X86_CAPABILITY new_cpu_data+CPUINFO_x86_capability +@@ -332,7 +332,7 @@ ENTRY(startup_32_smp) + shrb $4,%al + movb %al,X86_MODEL + andb $0x0f,%cl # mask mask revision +- movb %cl,X86_MASK ++ movb %cl,X86_STEPPING + movl %edx,X86_CAPABILITY + + .Lis486: +--- a/arch/x86/kernel/mpparse.c ++++ b/arch/x86/kernel/mpparse.c +@@ -407,7 +407,7 @@ static inline void __init construct_defa + processor.apicver = mpc_default_type > 4 ? 0x10 : 0x01; + processor.cpuflag = CPU_ENABLED; + processor.cpufeature = (boot_cpu_data.x86 << 8) | +- (boot_cpu_data.x86_model << 4) | boot_cpu_data.x86_mask; ++ (boot_cpu_data.x86_model << 4) | boot_cpu_data.x86_stepping; + processor.featureflag = boot_cpu_data.x86_capability[CPUID_1_EDX]; + processor.reserved[0] = 0; + processor.reserved[1] = 0; +--- a/arch/x86/lib/cpu.c ++++ b/arch/x86/lib/cpu.c +@@ -18,7 +18,7 @@ unsigned int x86_model(unsigned int sig) + { + unsigned int fam, model; + +- fam = x86_family(sig); ++ fam = x86_family(sig); + + model = (sig >> 4) & 0xf; + +--- a/drivers/char/hw_random/via-rng.c ++++ b/drivers/char/hw_random/via-rng.c +@@ -162,7 +162,7 @@ static int via_rng_init(struct hwrng *rn + /* Enable secondary noise source on CPUs where it is present. */ + + /* Nehemiah stepping 8 and higher */ +- if ((c->x86_model == 9) && (c->x86_mask > 7)) ++ if ((c->x86_model == 9) && (c->x86_stepping > 7)) + lo |= VIA_NOISESRC2; + + /* Esther */ +--- a/drivers/cpufreq/acpi-cpufreq.c ++++ b/drivers/cpufreq/acpi-cpufreq.c +@@ -629,7 +629,7 @@ static int acpi_cpufreq_blacklist(struct + if (c->x86_vendor == X86_VENDOR_INTEL) { + if ((c->x86 == 15) && + (c->x86_model == 6) && +- (c->x86_mask == 8)) { ++ (c->x86_stepping == 8)) { + pr_info("Intel(R) Xeon(R) 7100 Errata AL30, processors may lock up on frequency changes: disabling acpi-cpufreq\n"); + return -ENODEV; + } +--- a/drivers/cpufreq/longhaul.c ++++ b/drivers/cpufreq/longhaul.c +@@ -775,7 +775,7 @@ static int longhaul_cpu_init(struct cpuf + break; + + case 7: +- switch (c->x86_mask) { ++ switch (c->x86_stepping) { + case 0: + longhaul_version = TYPE_LONGHAUL_V1; + cpu_model = CPU_SAMUEL2; +@@ -787,7 +787,7 @@ static int longhaul_cpu_init(struct cpuf + break; + case 1 ... 15: + longhaul_version = TYPE_LONGHAUL_V2; +- if (c->x86_mask < 8) { ++ if (c->x86_stepping < 8) { + cpu_model = CPU_SAMUEL2; + cpuname = "C3 'Samuel 2' [C5B]"; + } else { +@@ -814,7 +814,7 @@ static int longhaul_cpu_init(struct cpuf + numscales = 32; + memcpy(mults, nehemiah_mults, sizeof(nehemiah_mults)); + memcpy(eblcr, nehemiah_eblcr, sizeof(nehemiah_eblcr)); +- switch (c->x86_mask) { ++ switch (c->x86_stepping) { + case 0 ... 1: + cpu_model = CPU_NEHEMIAH; + cpuname = "C3 'Nehemiah A' [C5XLOE]"; +--- a/drivers/cpufreq/p4-clockmod.c ++++ b/drivers/cpufreq/p4-clockmod.c +@@ -168,7 +168,7 @@ static int cpufreq_p4_cpu_init(struct cp + #endif + + /* Errata workaround */ +- cpuid = (c->x86 << 8) | (c->x86_model << 4) | c->x86_mask; ++ cpuid = (c->x86 << 8) | (c->x86_model << 4) | c->x86_stepping; + switch (cpuid) { + case 0x0f07: + case 0x0f0a: +--- a/drivers/cpufreq/powernow-k7.c ++++ b/drivers/cpufreq/powernow-k7.c +@@ -131,7 +131,7 @@ static int check_powernow(void) + return 0; + } + +- if ((c->x86_model == 6) && (c->x86_mask == 0)) { ++ if ((c->x86_model == 6) && (c->x86_stepping == 0)) { + pr_info("K7 660[A0] core detected, enabling errata workarounds\n"); + have_a0 = 1; + } +--- a/drivers/cpufreq/speedstep-centrino.c ++++ b/drivers/cpufreq/speedstep-centrino.c +@@ -37,7 +37,7 @@ struct cpu_id + { + __u8 x86; /* CPU family */ + __u8 x86_model; /* model */ +- __u8 x86_mask; /* stepping */ ++ __u8 x86_stepping; /* stepping */ + }; + + enum { +@@ -277,7 +277,7 @@ static int centrino_verify_cpu_id(const + { + if ((c->x86 == x->x86) && + (c->x86_model == x->x86_model) && +- (c->x86_mask == x->x86_mask)) ++ (c->x86_stepping == x->x86_stepping)) + return 1; + return 0; + } +--- a/drivers/cpufreq/speedstep-lib.c ++++ b/drivers/cpufreq/speedstep-lib.c +@@ -272,9 +272,9 @@ unsigned int speedstep_detect_processor( + ebx = cpuid_ebx(0x00000001); + ebx &= 0x000000FF; + +- pr_debug("ebx value is %x, x86_mask is %x\n", ebx, c->x86_mask); ++ pr_debug("ebx value is %x, x86_stepping is %x\n", ebx, c->x86_stepping); + +- switch (c->x86_mask) { ++ switch (c->x86_stepping) { + case 4: + /* + * B-stepping [M-P4-M] +@@ -361,7 +361,7 @@ unsigned int speedstep_detect_processor( + msr_lo, msr_hi); + if ((msr_hi & (1<<18)) && + (relaxed_check ? 1 : (msr_hi & (3<<24)))) { +- if (c->x86_mask == 0x01) { ++ if (c->x86_stepping == 0x01) { + pr_debug("early PIII version\n"); + return SPEEDSTEP_CPU_PIII_C_EARLY; + } else +--- a/drivers/crypto/padlock-aes.c ++++ b/drivers/crypto/padlock-aes.c +@@ -512,7 +512,7 @@ static int __init padlock_init(void) + + printk(KERN_NOTICE PFX "Using VIA PadLock ACE for AES algorithm.\n"); + +- if (c->x86 == 6 && c->x86_model == 15 && c->x86_mask == 2) { ++ if (c->x86 == 6 && c->x86_model == 15 && c->x86_stepping == 2) { + ecb_fetch_blocks = MAX_ECB_FETCH_BLOCKS; + cbc_fetch_blocks = MAX_CBC_FETCH_BLOCKS; + printk(KERN_NOTICE PFX "VIA Nano stepping 2 detected: enabling workaround.\n"); +--- a/drivers/edac/amd64_edac.c ++++ b/drivers/edac/amd64_edac.c +@@ -3147,7 +3147,7 @@ static struct amd64_family_type *per_fam + struct amd64_family_type *fam_type = NULL; + + pvt->ext_model = boot_cpu_data.x86_model >> 4; +- pvt->stepping = boot_cpu_data.x86_mask; ++ pvt->stepping = boot_cpu_data.x86_stepping; + pvt->model = boot_cpu_data.x86_model; + pvt->fam = boot_cpu_data.x86; + +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -268,13 +268,13 @@ static int adjust_tjmax(struct cpuinfo_x + for (i = 0; i < ARRAY_SIZE(tjmax_model_table); i++) { + const struct tjmax_model *tm = &tjmax_model_table[i]; + if (c->x86_model == tm->model && +- (tm->mask == ANY || c->x86_mask == tm->mask)) ++ (tm->mask == ANY || c->x86_stepping == tm->mask)) + return tm->tjmax; + } + + /* Early chips have no MSR for TjMax */ + +- if (c->x86_model == 0xf && c->x86_mask < 4) ++ if (c->x86_model == 0xf && c->x86_stepping < 4) + usemsr_ee = 0; + + if (c->x86_model > 0xe && usemsr_ee) { +@@ -425,7 +425,7 @@ static int chk_ucode_version(unsigned in + * Readings might stop update when processor visited too deep sleep, + * fixed for stepping D0 (6EC). + */ +- if (c->x86_model == 0xe && c->x86_mask < 0xc && c->microcode < 0x39) { ++ if (c->x86_model == 0xe && c->x86_stepping < 0xc && c->microcode < 0x39) { + pr_err("Errata AE18 not fixed, update BIOS or microcode of the CPU!\n"); + return -ENODEV; + } +--- a/drivers/hwmon/hwmon-vid.c ++++ b/drivers/hwmon/hwmon-vid.c +@@ -293,7 +293,7 @@ u8 vid_which_vrm(void) + if (c->x86 < 6) /* Any CPU with family lower than 6 */ + return 0; /* doesn't have VID */ + +- vrm_ret = find_vrm(c->x86, c->x86_model, c->x86_mask, c->x86_vendor); ++ vrm_ret = find_vrm(c->x86, c->x86_model, c->x86_stepping, c->x86_vendor); + if (vrm_ret == 134) + vrm_ret = get_via_model_d_vrm(); + if (vrm_ret == 0) +--- a/drivers/hwmon/k10temp.c ++++ b/drivers/hwmon/k10temp.c +@@ -179,7 +179,7 @@ static bool has_erratum_319(struct pci_d + * and AM3 formats, but that's the best we can do. + */ + return boot_cpu_data.x86_model < 4 || +- (boot_cpu_data.x86_model == 4 && boot_cpu_data.x86_mask <= 2); ++ (boot_cpu_data.x86_model == 4 && boot_cpu_data.x86_stepping <= 2); + } + + static int k10temp_probe(struct pci_dev *pdev, +--- a/drivers/hwmon/k8temp.c ++++ b/drivers/hwmon/k8temp.c +@@ -187,7 +187,7 @@ static int k8temp_probe(struct pci_dev * + return -ENOMEM; + + model = boot_cpu_data.x86_model; +- stepping = boot_cpu_data.x86_mask; ++ stepping = boot_cpu_data.x86_stepping; + + /* feature available since SH-C0, exclude older revisions */ + if ((model == 4 && stepping == 0) || +--- a/drivers/video/fbdev/geode/video_gx.c ++++ b/drivers/video/fbdev/geode/video_gx.c +@@ -127,7 +127,7 @@ void gx_set_dclk_frequency(struct fb_inf + int timeout = 1000; + + /* Rev. 1 Geode GXs use a 14 MHz reference clock instead of 48 MHz. */ +- if (cpu_data(0).x86_mask == 1) { ++ if (cpu_data(0).x86_stepping == 1) { + pll_table = gx_pll_table_14MHz; + pll_table_len = ARRAY_SIZE(gx_pll_table_14MHz); + } else { diff --git a/queue-4.14/x86-debug-objtool-annotate-warn-related-ud2-as-reachable.patch b/queue-4.14/x86-debug-objtool-annotate-warn-related-ud2-as-reachable.patch new file mode 100644 index 00000000000..61291946729 --- /dev/null +++ b/queue-4.14/x86-debug-objtool-annotate-warn-related-ud2-as-reachable.patch @@ -0,0 +1,51 @@ +From 2b5db66862b95532cb6cca8165ae6eb73633cf85 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Thu, 8 Feb 2018 17:09:26 -0600 +Subject: x86/debug, objtool: Annotate WARN()-related UD2 as reachable + +From: Josh Poimboeuf + +commit 2b5db66862b95532cb6cca8165ae6eb73633cf85 upstream. + +By default, objtool assumes that a UD2 is a dead end. This is mainly +because GCC 7+ sometimes inserts a UD2 when it detects a divide-by-zero +condition. + +Now that WARN() is moving back to UD2, annotate the code after it as +reachable so objtool can follow the code flow. + +Reported-by: Borislav Petkov +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: kbuild test robot +Link: http://lkml.kernel.org/r/0e483379275a42626ba8898117f918e1bf661e40.1518130694.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/bug.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/bug.h ++++ b/arch/x86/include/asm/bug.h +@@ -77,7 +77,11 @@ do { \ + unreachable(); \ + } while (0) + +-#define __WARN_FLAGS(flags) _BUG_FLAGS(ASM_UD0, BUGFLAG_WARNING|(flags)) ++#define __WARN_FLAGS(flags) \ ++do { \ ++ _BUG_FLAGS(ASM_UD0, BUGFLAG_WARNING|(flags)); \ ++ annotate_reachable(); \ ++} while (0) + + #include + diff --git a/queue-4.14/x86-debug-use-ud2-for-warn.patch b/queue-4.14/x86-debug-use-ud2-for-warn.patch new file mode 100644 index 00000000000..7eee985e3fc --- /dev/null +++ b/queue-4.14/x86-debug-use-ud2-for-warn.patch @@ -0,0 +1,89 @@ +From 3b3a371cc9bc980429baabe0a8e5f307f3d1f463 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Fri, 9 Feb 2018 13:16:59 +0100 +Subject: x86/debug: Use UD2 for WARN() + +From: Peter Zijlstra + +commit 3b3a371cc9bc980429baabe0a8e5f307f3d1f463 upstream. + +Since the Intel SDM added an ModR/M byte to UD0 and binutils followed +that specification, we now cannot disassemble our kernel anymore. + +This now means Intel and AMD disagree on the encoding of UD0. And instead +of playing games with additional bytes that are valid ModR/M and single +byte instructions (0xd6 for instance), simply use UD2 for both WARN() and +BUG(). + +Requested-by: Linus Torvalds +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Linus Torvalds +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180208194406.GD25181@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/bug.h | 15 ++++++--------- + arch/x86/kernel/traps.c | 2 +- + 2 files changed, 7 insertions(+), 10 deletions(-) + +--- a/arch/x86/include/asm/bug.h ++++ b/arch/x86/include/asm/bug.h +@@ -5,23 +5,20 @@ + #include + + /* +- * Since some emulators terminate on UD2, we cannot use it for WARN. +- * Since various instruction decoders disagree on the length of UD1, +- * we cannot use it either. So use UD0 for WARN. ++ * Despite that some emulators terminate on UD2, we use it for WARN(). + * +- * (binutils knows about "ud1" but {en,de}codes it as 2 bytes, whereas +- * our kernel decoder thinks it takes a ModRM byte, which seems consistent +- * with various things like the Intel SDM instruction encoding rules) ++ * Since various instruction decoders/specs disagree on the encoding of ++ * UD0/UD1. + */ + +-#define ASM_UD0 ".byte 0x0f, 0xff" ++#define ASM_UD0 ".byte 0x0f, 0xff" /* + ModRM (for Intel) */ + #define ASM_UD1 ".byte 0x0f, 0xb9" /* + ModRM */ + #define ASM_UD2 ".byte 0x0f, 0x0b" + + #define INSN_UD0 0xff0f + #define INSN_UD2 0x0b0f + +-#define LEN_UD0 2 ++#define LEN_UD2 2 + + #ifdef CONFIG_GENERIC_BUG + +@@ -79,7 +76,7 @@ do { \ + + #define __WARN_FLAGS(flags) \ + do { \ +- _BUG_FLAGS(ASM_UD0, BUGFLAG_WARNING|(flags)); \ ++ _BUG_FLAGS(ASM_UD2, BUGFLAG_WARNING|(flags)); \ + annotate_reachable(); \ + } while (0) + +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -181,7 +181,7 @@ int fixup_bug(struct pt_regs *regs, int + break; + + case BUG_TRAP_TYPE_WARN: +- regs->ip += LEN_UD0; ++ regs->ip += LEN_UD2; + return 1; + } + diff --git a/queue-4.14/x86-entry-64-clear-registers-for-exceptions-interrupts-to-reduce-speculation-attack-surface.patch b/queue-4.14/x86-entry-64-clear-registers-for-exceptions-interrupts-to-reduce-speculation-attack-surface.patch new file mode 100644 index 00000000000..42162d5d3f3 --- /dev/null +++ b/queue-4.14/x86-entry-64-clear-registers-for-exceptions-interrupts-to-reduce-speculation-attack-surface.patch @@ -0,0 +1,108 @@ +From 3ac6d8c787b835b997eb23e43e09aa0895ef7d58 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Mon, 5 Feb 2018 17:18:11 -0800 +Subject: x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface + +From: Dan Williams + +commit 3ac6d8c787b835b997eb23e43e09aa0895ef7d58 upstream. + +Clear the 'extra' registers on entering the 64-bit kernel for exceptions +and interrupts. The common registers are not cleared since they are +likely clobbered well before they can be exploited in a speculative +execution attack. + +Originally-From: Andi Kleen +Signed-off-by: Dan Williams +Cc: +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/151787989146.7847.15749181712358213254.stgit@dwillia2-desk3.amr.corp.intel.com +[ Made small improvements to the changelog and the code comments. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 19 +++++++++++++++++++ + arch/x86/entry/entry_64.S | 6 +++++- + 2 files changed, 24 insertions(+), 1 deletion(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -147,6 +147,25 @@ For 32-bit we have the following convent + UNWIND_HINT_REGS offset=\offset + .endm + ++ /* ++ * Sanitize registers of values that a speculation attack ++ * might otherwise want to exploit. The lower registers are ++ * likely clobbered well before they could be put to use in ++ * a speculative execution gadget: ++ */ ++ .macro CLEAR_REGS_NOSPEC ++ xorl %ebp, %ebp ++ xorl %ebx, %ebx ++ xorq %r8, %r8 ++ xorq %r9, %r9 ++ xorq %r10, %r10 ++ xorq %r11, %r11 ++ xorq %r12, %r12 ++ xorq %r13, %r13 ++ xorq %r14, %r14 ++ xorq %r15, %r15 ++ .endm ++ + .macro POP_EXTRA_REGS + popq %r15 + popq %r14 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -571,6 +571,7 @@ END(irq_entries_start) + ALLOC_PT_GPREGS_ON_STACK + SAVE_C_REGS + SAVE_EXTRA_REGS ++ CLEAR_REGS_NOSPEC + ENCODE_FRAME_POINTER + + testb $3, CS(%rsp) +@@ -1127,6 +1128,7 @@ ENTRY(xen_failsafe_callback) + ALLOC_PT_GPREGS_ON_STACK + SAVE_C_REGS + SAVE_EXTRA_REGS ++ CLEAR_REGS_NOSPEC + ENCODE_FRAME_POINTER + jmp error_exit + END(xen_failsafe_callback) +@@ -1172,6 +1174,7 @@ ENTRY(paranoid_entry) + cld + SAVE_C_REGS 8 + SAVE_EXTRA_REGS 8 ++ CLEAR_REGS_NOSPEC + ENCODE_FRAME_POINTER 8 + movl $1, %ebx + movl $MSR_GS_BASE, %ecx +@@ -1224,8 +1227,8 @@ ENTRY(error_entry) + cld + SAVE_C_REGS 8 + SAVE_EXTRA_REGS 8 ++ CLEAR_REGS_NOSPEC + ENCODE_FRAME_POINTER 8 +- xorl %ebx, %ebx + testb $3, CS+8(%rsp) + jz .Lerror_kernelspace + +@@ -1422,6 +1425,7 @@ ENTRY(nmi) + pushq %r14 /* pt_regs->r14 */ + pushq %r15 /* pt_regs->r15 */ + UNWIND_HINT_REGS ++ CLEAR_REGS_NOSPEC + ENCODE_FRAME_POINTER + + /* diff --git a/queue-4.14/x86-entry-64-fix-cr3-restore-in-paranoid_exit.patch b/queue-4.14/x86-entry-64-fix-cr3-restore-in-paranoid_exit.patch new file mode 100644 index 00000000000..734d0543e36 --- /dev/null +++ b/queue-4.14/x86-entry-64-fix-cr3-restore-in-paranoid_exit.patch @@ -0,0 +1,65 @@ +From e48657573481a5dff7cfdc3d57005c80aa816500 Mon Sep 17 00:00:00 2001 +From: Ingo Molnar +Date: Wed, 14 Feb 2018 08:39:11 +0100 +Subject: x86/entry/64: Fix CR3 restore in paranoid_exit() + +From: Ingo Molnar + +commit e48657573481a5dff7cfdc3d57005c80aa816500 upstream. + +Josh Poimboeuf noticed the following bug: + + "The paranoid exit code only restores the saved CR3 when it switches back + to the user GS. However, even in the kernel GS case, it's possible that + it needs to restore a user CR3, if for example, the paranoid exception + occurred in the syscall exit path between SWITCH_TO_USER_CR3_STACK and + SWAPGS." + +Josh also confirmed via targeted testing that it's possible to hit this bug. + +Fix the bug by also restoring CR3 in the paranoid_exit_no_swapgs branch. + +The reason we haven't seen this bug reported by users yet is probably because +"paranoid" entry points are limited to the following cases: + + idtentry double_fault do_double_fault has_error_code=1 paranoid=2 + idtentry debug do_debug has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK + idtentry int3 do_int3 has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK + idtentry machine_check do_mce has_error_code=0 paranoid=1 + +Amongst those entry points only machine_check is one that will interrupt an +IRQS-off critical section asynchronously - and machine check events are rare. + +The other main asynchronous entries are NMI entries, which can be very high-freq +with perf profiling, but they are special: they don't use the 'idtentry' macro but +are open coded and restore user CR3 unconditionally so don't have this bug. + +Reported-and-tested-by: Josh Poimboeuf +Reviewed-by: Andy Lutomirski +Acked-by: Thomas Gleixner +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Linus Torvalds +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180214073910.boevmg65upbk3vqb@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/entry_64.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -1162,6 +1162,7 @@ ENTRY(paranoid_exit) + jmp .Lparanoid_exit_restore + .Lparanoid_exit_no_swapgs: + TRACE_IRQS_IRETQ_DEBUG ++ RESTORE_CR3 scratch_reg=%rbx save_reg=%r14 + .Lparanoid_exit_restore: + jmp restore_regs_and_return_to_kernel + END(paranoid_exit) diff --git a/queue-4.14/x86-entry-64-fix-paranoid_entry-frame-pointer-warning.patch b/queue-4.14/x86-entry-64-fix-paranoid_entry-frame-pointer-warning.patch new file mode 100644 index 00000000000..0a411ff0955 --- /dev/null +++ b/queue-4.14/x86-entry-64-fix-paranoid_entry-frame-pointer-warning.patch @@ -0,0 +1,61 @@ +From b3ccefaed922529e6a67de7b30af5aa38c76ace9 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Mon, 12 Feb 2018 11:45:03 -0600 +Subject: x86/entry/64: Fix paranoid_entry() frame pointer warning + +From: Josh Poimboeuf + +commit b3ccefaed922529e6a67de7b30af5aa38c76ace9 upstream. + +With the following commit: + + f09d160992d1 ("x86/entry/64: Get rid of the ALLOC_PT_GPREGS_ON_STACK and SAVE_AND_CLEAR_REGS macros") + +... one of my suggested improvements triggered a frame pointer warning: + + arch/x86/entry/entry_64.o: warning: objtool: paranoid_entry()+0x11: call without frame pointer save/setup + +The warning is correct for the build-time code, but it's actually not +relevant at runtime because of paravirt patching. The paravirt swapgs +call gets replaced with either a SWAPGS instruction or NOPs at runtime. + +Go back to the previous behavior by removing the ELF function annotation +for paranoid_entry() and adding an unwind hint, which effectively +silences the warning. + +Reported-by: kbuild test robot +Signed-off-by: Josh Poimboeuf +Cc: Dominik Brodowski +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: kbuild-all@01.org +Cc: tipbuild@zytor.com +Fixes: f09d160992d1 ("x86/entry/64: Get rid of the ALLOC_PT_GPREGS_ON_STACK and SAVE_AND_CLEAR_REGS macros") +Link: http://lkml.kernel.org/r/20180212174503.5acbymg5z6p32snu@treble +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/entry_64.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -1122,6 +1122,7 @@ idtentry machine_check do_mce has_err + * Return: ebx=0: need swapgs on exit, ebx=1: otherwise + */ + ENTRY(paranoid_entry) ++ UNWIND_HINT_FUNC + cld + movl $1, %ebx + movl $MSR_GS_BASE, %ecx +@@ -1135,7 +1136,7 @@ ENTRY(paranoid_entry) + SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14 + + ret +-ENDPROC(paranoid_entry) ++END(paranoid_entry) + + /* + * "Paranoid" exit path from exception stack. This is invoked diff --git a/queue-4.14/x86-entry-64-get-rid-of-the-alloc_pt_gpregs_on_stack-and-save_and_clear_regs-macros.patch b/queue-4.14/x86-entry-64-get-rid-of-the-alloc_pt_gpregs_on_stack-and-save_and_clear_regs-macros.patch new file mode 100644 index 00000000000..e6daf449c90 --- /dev/null +++ b/queue-4.14/x86-entry-64-get-rid-of-the-alloc_pt_gpregs_on_stack-and-save_and_clear_regs-macros.patch @@ -0,0 +1,205 @@ +From dde3036d62ba3375840b10ab9ec0d568fd773b07 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 11:49:47 +0100 +Subject: x86/entry/64: Get rid of the ALLOC_PT_GPREGS_ON_STACK and SAVE_AND_CLEAR_REGS macros + +From: Dominik Brodowski + +commit dde3036d62ba3375840b10ab9ec0d568fd773b07 upstream. + +Previously, error_entry() and paranoid_entry() saved the GP registers +onto stack space previously allocated by its callers. Combine these two +steps in the callers, and use the generic PUSH_AND_CLEAR_REGS macro +for that. + +This adds a significant amount ot text size. However, Ingo Molnar points +out that: + + "these numbers also _very_ significantly over-represent the + extra footprint. The assumptions that resulted in + us compressing the IRQ entry code have changed very + significantly with the new x86 IRQ allocation code we + introduced in the last year: + + - IRQ vectors are usually populated in tightly clustered + groups. + + With our new vector allocator code the typical per CPU + allocation percentage on x86 systems is ~3 device vectors + and ~10 fixed vectors out of ~220 vectors - i.e. a very + low ~6% utilization (!). [...] + + The days where we allocated a lot of vectors on every + CPU and the compression of the IRQ entry code text + mattered are over. + + - Another issue is that only a small minority of vectors + is frequent enough to actually matter to cache utilization + in practice: 3-4 key IPIs and 1-2 device IRQs at most - and + those vectors tend to be tightly clustered as well into about + two groups, and are probably already on 2-3 cache lines in + practice. + + For the common case of 'cache cold' IRQs it's the depth of + the call chain and the fragmentation of the resulting I$ + that should be the main performance limit - not the overall + size of it. + + - The CPU side cost of IRQ delivery is still very expensive + even in the best, most cached case, as in 'over a thousand + cycles'. So much stuff is done that maybe contemporary x86 + IRQ entry microcode already prefetches the IDT entry and its + expected call target address."[*] + +[*] http://lkml.kernel.org/r/20180208094710.qnjixhm6hybebdv7@gmail.com + +The "testb $3, CS(%rsp)" instruction in the idtentry macro does not need +modification. Previously, %rsp was manually decreased by 15*8; with +this patch, %rsp is decreased by 15 pushq instructions. + +[jpoimboe@redhat.com: unwind hint improvements] + +Suggested-by: Linus Torvalds +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dan.j.williams@intel.com +Link: http://lkml.kernel.org/r/20180211104949.12992-7-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 42 +----------------------------------------- + arch/x86/entry/entry_64.S | 20 +++++++++----------- + 2 files changed, 10 insertions(+), 52 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -97,46 +97,6 @@ For 32-bit we have the following convent + + #define SIZEOF_PTREGS 21*8 + +- .macro ALLOC_PT_GPREGS_ON_STACK +- addq $-(15*8), %rsp +- .endm +- +- .macro SAVE_AND_CLEAR_REGS offset=0 +- /* +- * Save registers and sanitize registers of values that a +- * speculation attack might otherwise want to exploit. The +- * lower registers are likely clobbered well before they +- * could be put to use in a speculative execution gadget. +- * Interleave XOR with PUSH for better uop scheduling: +- */ +- movq %rdi, 14*8+\offset(%rsp) +- movq %rsi, 13*8+\offset(%rsp) +- movq %rdx, 12*8+\offset(%rsp) +- movq %rcx, 11*8+\offset(%rsp) +- movq %rax, 10*8+\offset(%rsp) +- movq %r8, 9*8+\offset(%rsp) +- xorq %r8, %r8 /* nospec r8 */ +- movq %r9, 8*8+\offset(%rsp) +- xorq %r9, %r9 /* nospec r9 */ +- movq %r10, 7*8+\offset(%rsp) +- xorq %r10, %r10 /* nospec r10 */ +- movq %r11, 6*8+\offset(%rsp) +- xorq %r11, %r11 /* nospec r11 */ +- movq %rbx, 5*8+\offset(%rsp) +- xorl %ebx, %ebx /* nospec rbx */ +- movq %rbp, 4*8+\offset(%rsp) +- xorl %ebp, %ebp /* nospec rbp */ +- movq %r12, 3*8+\offset(%rsp) +- xorq %r12, %r12 /* nospec r12 */ +- movq %r13, 2*8+\offset(%rsp) +- xorq %r13, %r13 /* nospec r13 */ +- movq %r14, 1*8+\offset(%rsp) +- xorq %r14, %r14 /* nospec r14 */ +- movq %r15, 0*8+\offset(%rsp) +- xorq %r15, %r15 /* nospec r15 */ +- UNWIND_HINT_REGS offset=\offset +- .endm +- + .macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax + /* + * Push registers and sanitize registers of values that a +@@ -211,7 +171,7 @@ For 32-bit we have the following convent + * is just setting the LSB, which makes it an invalid stack address and is also + * a signal to the unwinder that it's a pt_regs pointer in disguise. + * +- * NOTE: This macro must be used *after* SAVE_AND_CLEAR_REGS because it corrupts ++ * NOTE: This macro must be used *after* PUSH_AND_CLEAR_REGS because it corrupts + * the original rbp. + */ + .macro ENCODE_FRAME_POINTER ptregs_offset=0 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -867,7 +867,9 @@ ENTRY(\sym) + pushq $-1 /* ORIG_RAX: no syscall to restart */ + .endif + +- ALLOC_PT_GPREGS_ON_STACK ++ /* Save all registers in pt_regs */ ++ PUSH_AND_CLEAR_REGS ++ ENCODE_FRAME_POINTER + + .if \paranoid < 2 + testb $3, CS(%rsp) /* If coming from userspace, switch stacks */ +@@ -1115,15 +1117,12 @@ idtentry machine_check do_mce has_err + #endif + + /* +- * Save all registers in pt_regs, and switch gs if needed. ++ * Switch gs if needed. + * Use slow, but surefire "are we in kernel?" check. + * Return: ebx=0: need swapgs on exit, ebx=1: otherwise + */ + ENTRY(paranoid_entry) +- UNWIND_HINT_FUNC + cld +- SAVE_AND_CLEAR_REGS 8 +- ENCODE_FRAME_POINTER 8 + movl $1, %ebx + movl $MSR_GS_BASE, %ecx + rdmsr +@@ -1136,7 +1135,7 @@ ENTRY(paranoid_entry) + SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14 + + ret +-END(paranoid_entry) ++ENDPROC(paranoid_entry) + + /* + * "Paranoid" exit path from exception stack. This is invoked +@@ -1167,14 +1166,12 @@ ENTRY(paranoid_exit) + END(paranoid_exit) + + /* +- * Save all registers in pt_regs, and switch gs if needed. ++ * Switch gs if needed. + * Return: EBX=0: came from user mode; EBX=1: otherwise + */ + ENTRY(error_entry) +- UNWIND_HINT_FUNC ++ UNWIND_HINT_REGS offset=8 + cld +- SAVE_AND_CLEAR_REGS 8 +- ENCODE_FRAME_POINTER 8 + testb $3, CS+8(%rsp) + jz .Lerror_kernelspace + +@@ -1565,7 +1562,8 @@ end_repeat_nmi: + * frame to point back to repeat_nmi. + */ + pushq $-1 /* ORIG_RAX: no syscall to restart */ +- ALLOC_PT_GPREGS_ON_STACK ++ PUSH_AND_CLEAR_REGS ++ ENCODE_FRAME_POINTER + + /* + * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit diff --git a/queue-4.14/x86-entry-64-indent-push_and_clear_regs-and-pop_regs-properly.patch b/queue-4.14/x86-entry-64-indent-push_and_clear_regs-and-pop_regs-properly.patch new file mode 100644 index 00000000000..b2a867fbc06 --- /dev/null +++ b/queue-4.14/x86-entry-64-indent-push_and_clear_regs-and-pop_regs-properly.patch @@ -0,0 +1,62 @@ +From 92816f571af81e9a71cc6f3dc8ce1e2fcdf7b6b8 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 11:49:48 +0100 +Subject: x86/entry/64: Indent PUSH_AND_CLEAR_REGS and POP_REGS properly + +From: Dominik Brodowski + +commit 92816f571af81e9a71cc6f3dc8ce1e2fcdf7b6b8 upstream. + +... same as the other macros in arch/x86/entry/calling.h + +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dan.j.williams@intel.com +Link: http://lkml.kernel.org/r/20180211104949.12992-8-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -97,7 +97,7 @@ For 32-bit we have the following convent + + #define SIZEOF_PTREGS 21*8 + +- .macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax ++.macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax + /* + * Push registers and sanitize registers of values that a + * speculation attack might otherwise want to exploit. The +@@ -131,9 +131,9 @@ For 32-bit we have the following convent + pushq %r15 /* pt_regs->r15 */ + xorq %r15, %r15 /* nospec r15*/ + UNWIND_HINT_REGS +- .endm ++.endm + +- .macro POP_REGS pop_rdi=1 skip_r11rcx=0 ++.macro POP_REGS pop_rdi=1 skip_r11rcx=0 + popq %r15 + popq %r14 + popq %r13 +@@ -163,7 +163,7 @@ For 32-bit we have the following convent + + .macro icebp + .byte 0xf1 +- .endm ++.endm + + /* + * This is a sneaky trick to help the unwinder find pt_regs on the stack. The diff --git a/queue-4.14/x86-entry-64-interleave-xor-register-clearing-with-push-instructions.patch b/queue-4.14/x86-entry-64-interleave-xor-register-clearing-with-push-instructions.patch new file mode 100644 index 00000000000..2657dc65cff --- /dev/null +++ b/queue-4.14/x86-entry-64-interleave-xor-register-clearing-with-push-instructions.patch @@ -0,0 +1,185 @@ +From f7bafa2b05ef25eda1d9179fd930b0330cf2b7d1 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 11:49:44 +0100 +Subject: x86/entry/64: Interleave XOR register clearing with PUSH instructions + +From: Dominik Brodowski + +commit f7bafa2b05ef25eda1d9179fd930b0330cf2b7d1 upstream. + +Same as is done for syscalls, interleave XOR with PUSH instructions +for exceptions/interrupts, in order to minimize the cost of the +additional instructions required for register clearing. + +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dan.j.williams@intel.com +Link: http://lkml.kernel.org/r/20180211104949.12992-4-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 40 +++++++++++++++++++--------------------- + arch/x86/entry/entry_64.S | 30 +++++++++++++++++++++--------- + 2 files changed, 40 insertions(+), 30 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -101,44 +101,42 @@ For 32-bit we have the following convent + addq $-(15*8), %rsp + .endm + +- .macro SAVE_REGS offset=0 ++ .macro SAVE_AND_CLEAR_REGS offset=0 ++ /* ++ * Save registers and sanitize registers of values that a ++ * speculation attack might otherwise want to exploit. The ++ * lower registers are likely clobbered well before they ++ * could be put to use in a speculative execution gadget. ++ * Interleave XOR with PUSH for better uop scheduling: ++ */ + movq %rdi, 14*8+\offset(%rsp) + movq %rsi, 13*8+\offset(%rsp) + movq %rdx, 12*8+\offset(%rsp) + movq %rcx, 11*8+\offset(%rsp) + movq %rax, 10*8+\offset(%rsp) + movq %r8, 9*8+\offset(%rsp) ++ xorq %r8, %r8 /* nospec r8 */ + movq %r9, 8*8+\offset(%rsp) ++ xorq %r9, %r9 /* nospec r9 */ + movq %r10, 7*8+\offset(%rsp) ++ xorq %r10, %r10 /* nospec r10 */ + movq %r11, 6*8+\offset(%rsp) ++ xorq %r11, %r11 /* nospec r11 */ + movq %rbx, 5*8+\offset(%rsp) ++ xorl %ebx, %ebx /* nospec rbx */ + movq %rbp, 4*8+\offset(%rsp) ++ xorl %ebp, %ebp /* nospec rbp */ + movq %r12, 3*8+\offset(%rsp) ++ xorq %r12, %r12 /* nospec r12 */ + movq %r13, 2*8+\offset(%rsp) ++ xorq %r13, %r13 /* nospec r13 */ + movq %r14, 1*8+\offset(%rsp) ++ xorq %r14, %r14 /* nospec r14 */ + movq %r15, 0*8+\offset(%rsp) ++ xorq %r15, %r15 /* nospec r15 */ + UNWIND_HINT_REGS offset=\offset + .endm + +- /* +- * Sanitize registers of values that a speculation attack +- * might otherwise want to exploit. The lower registers are +- * likely clobbered well before they could be put to use in +- * a speculative execution gadget: +- */ +- .macro CLEAR_REGS_NOSPEC +- xorl %ebp, %ebp +- xorl %ebx, %ebx +- xorq %r8, %r8 +- xorq %r9, %r9 +- xorq %r10, %r10 +- xorq %r11, %r11 +- xorq %r12, %r12 +- xorq %r13, %r13 +- xorq %r14, %r14 +- xorq %r15, %r15 +- .endm +- + .macro POP_REGS pop_rdi=1 skip_r11rcx=0 + popq %r15 + popq %r14 +@@ -177,7 +175,7 @@ For 32-bit we have the following convent + * is just setting the LSB, which makes it an invalid stack address and is also + * a signal to the unwinder that it's a pt_regs pointer in disguise. + * +- * NOTE: This macro must be used *after* SAVE_REGS because it corrupts ++ * NOTE: This macro must be used *after* SAVE_AND_CLEAR_REGS because it corrupts + * the original rbp. + */ + .macro ENCODE_FRAME_POINTER ptregs_offset=0 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -561,8 +561,7 @@ END(irq_entries_start) + 1: + + ALLOC_PT_GPREGS_ON_STACK +- SAVE_REGS +- CLEAR_REGS_NOSPEC ++ SAVE_AND_CLEAR_REGS + ENCODE_FRAME_POINTER + + testb $3, CS(%rsp) +@@ -1108,8 +1107,7 @@ ENTRY(xen_failsafe_callback) + UNWIND_HINT_IRET_REGS + pushq $-1 /* orig_ax = -1 => not a system call */ + ALLOC_PT_GPREGS_ON_STACK +- SAVE_REGS +- CLEAR_REGS_NOSPEC ++ SAVE_AND_CLEAR_REGS + ENCODE_FRAME_POINTER + jmp error_exit + END(xen_failsafe_callback) +@@ -1153,8 +1151,7 @@ idtentry machine_check do_mce has_err + ENTRY(paranoid_entry) + UNWIND_HINT_FUNC + cld +- SAVE_REGS 8 +- CLEAR_REGS_NOSPEC ++ SAVE_AND_CLEAR_REGS 8 + ENCODE_FRAME_POINTER 8 + movl $1, %ebx + movl $MSR_GS_BASE, %ecx +@@ -1205,8 +1202,7 @@ END(paranoid_exit) + ENTRY(error_entry) + UNWIND_HINT_FUNC + cld +- SAVE_REGS 8 +- CLEAR_REGS_NOSPEC ++ SAVE_AND_CLEAR_REGS 8 + ENCODE_FRAME_POINTER 8 + testb $3, CS+8(%rsp) + jz .Lerror_kernelspace +@@ -1393,18 +1389,34 @@ ENTRY(nmi) + pushq (%rdx) /* pt_regs->dx */ + pushq %rcx /* pt_regs->cx */ + pushq %rax /* pt_regs->ax */ ++ /* ++ * Sanitize registers of values that a speculation attack ++ * might otherwise want to exploit. The lower registers are ++ * likely clobbered well before they could be put to use in ++ * a speculative execution gadget. Interleave XOR with PUSH ++ * for better uop scheduling: ++ */ + pushq %r8 /* pt_regs->r8 */ ++ xorq %r8, %r8 /* nospec r8 */ + pushq %r9 /* pt_regs->r9 */ ++ xorq %r9, %r9 /* nospec r9 */ + pushq %r10 /* pt_regs->r10 */ ++ xorq %r10, %r10 /* nospec r10 */ + pushq %r11 /* pt_regs->r11 */ ++ xorq %r11, %r11 /* nospec r11*/ + pushq %rbx /* pt_regs->rbx */ ++ xorl %ebx, %ebx /* nospec rbx*/ + pushq %rbp /* pt_regs->rbp */ ++ xorl %ebp, %ebp /* nospec rbp*/ + pushq %r12 /* pt_regs->r12 */ ++ xorq %r12, %r12 /* nospec r12*/ + pushq %r13 /* pt_regs->r13 */ ++ xorq %r13, %r13 /* nospec r13*/ + pushq %r14 /* pt_regs->r14 */ ++ xorq %r14, %r14 /* nospec r14*/ + pushq %r15 /* pt_regs->r15 */ ++ xorq %r15, %r15 /* nospec r15*/ + UNWIND_HINT_REGS +- CLEAR_REGS_NOSPEC + ENCODE_FRAME_POINTER + + /* diff --git a/queue-4.14/x86-entry-64-introduce-the-push_and_clean_regs-macro.patch b/queue-4.14/x86-entry-64-introduce-the-push_and_clean_regs-macro.patch new file mode 100644 index 00000000000..6af7a95454c --- /dev/null +++ b/queue-4.14/x86-entry-64-introduce-the-push_and_clean_regs-macro.patch @@ -0,0 +1,101 @@ +From 3f01daecd545e818098d84fd1ad43e19a508d705 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 11:49:45 +0100 +Subject: x86/entry/64: Introduce the PUSH_AND_CLEAN_REGS macro + +From: Dominik Brodowski + +commit 3f01daecd545e818098d84fd1ad43e19a508d705 upstream. + +Those instances where ALLOC_PT_GPREGS_ON_STACK is called just before +SAVE_AND_CLEAR_REGS can trivially be replaced by PUSH_AND_CLEAN_REGS. +This macro uses PUSH instead of MOV and should therefore be faster, at +least on newer CPUs. + +Suggested-by: Linus Torvalds +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dan.j.williams@intel.com +Link: http://lkml.kernel.org/r/20180211104949.12992-5-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 36 ++++++++++++++++++++++++++++++++++++ + arch/x86/entry/entry_64.S | 6 ++---- + 2 files changed, 38 insertions(+), 4 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -137,6 +137,42 @@ For 32-bit we have the following convent + UNWIND_HINT_REGS offset=\offset + .endm + ++ .macro PUSH_AND_CLEAR_REGS ++ /* ++ * Push registers and sanitize registers of values that a ++ * speculation attack might otherwise want to exploit. The ++ * lower registers are likely clobbered well before they ++ * could be put to use in a speculative execution gadget. ++ * Interleave XOR with PUSH for better uop scheduling: ++ */ ++ pushq %rdi /* pt_regs->di */ ++ pushq %rsi /* pt_regs->si */ ++ pushq %rdx /* pt_regs->dx */ ++ pushq %rcx /* pt_regs->cx */ ++ pushq %rax /* pt_regs->ax */ ++ pushq %r8 /* pt_regs->r8 */ ++ xorq %r8, %r8 /* nospec r8 */ ++ pushq %r9 /* pt_regs->r9 */ ++ xorq %r9, %r9 /* nospec r9 */ ++ pushq %r10 /* pt_regs->r10 */ ++ xorq %r10, %r10 /* nospec r10 */ ++ pushq %r11 /* pt_regs->r11 */ ++ xorq %r11, %r11 /* nospec r11*/ ++ pushq %rbx /* pt_regs->rbx */ ++ xorl %ebx, %ebx /* nospec rbx*/ ++ pushq %rbp /* pt_regs->rbp */ ++ xorl %ebp, %ebp /* nospec rbp*/ ++ pushq %r12 /* pt_regs->r12 */ ++ xorq %r12, %r12 /* nospec r12*/ ++ pushq %r13 /* pt_regs->r13 */ ++ xorq %r13, %r13 /* nospec r13*/ ++ pushq %r14 /* pt_regs->r14 */ ++ xorq %r14, %r14 /* nospec r14*/ ++ pushq %r15 /* pt_regs->r15 */ ++ xorq %r15, %r15 /* nospec r15*/ ++ UNWIND_HINT_REGS ++ .endm ++ + .macro POP_REGS pop_rdi=1 skip_r11rcx=0 + popq %r15 + popq %r14 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -560,8 +560,7 @@ END(irq_entries_start) + call switch_to_thread_stack + 1: + +- ALLOC_PT_GPREGS_ON_STACK +- SAVE_AND_CLEAR_REGS ++ PUSH_AND_CLEAR_REGS + ENCODE_FRAME_POINTER + + testb $3, CS(%rsp) +@@ -1106,8 +1105,7 @@ ENTRY(xen_failsafe_callback) + addq $0x30, %rsp + UNWIND_HINT_IRET_REGS + pushq $-1 /* orig_ax = -1 => not a system call */ +- ALLOC_PT_GPREGS_ON_STACK +- SAVE_AND_CLEAR_REGS ++ PUSH_AND_CLEAR_REGS + ENCODE_FRAME_POINTER + jmp error_exit + END(xen_failsafe_callback) diff --git a/queue-4.14/x86-entry-64-merge-save_c_regs-and-save_extra_regs-remove-unused-extensions.patch b/queue-4.14/x86-entry-64-merge-save_c_regs-and-save_extra_regs-remove-unused-extensions.patch new file mode 100644 index 00000000000..af099496cf2 --- /dev/null +++ b/queue-4.14/x86-entry-64-merge-save_c_regs-and-save_extra_regs-remove-unused-extensions.patch @@ -0,0 +1,153 @@ +From 2e3f0098bc45f710a2f4cbcc94b80a1fae7a99a1 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 11:49:42 +0100 +Subject: x86/entry/64: Merge SAVE_C_REGS and SAVE_EXTRA_REGS, remove unused extensions + +From: Dominik Brodowski + +commit 2e3f0098bc45f710a2f4cbcc94b80a1fae7a99a1 upstream. + +All current code paths call SAVE_C_REGS and then immediately +SAVE_EXTRA_REGS. Therefore, merge these two macros and order the MOV +sequeneces properly. + +While at it, remove the macros to save all except specific registers, +as these macros have been unused for a long time. + +Suggested-by: Linus Torvalds +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dan.j.williams@intel.com +Link: http://lkml.kernel.org/r/20180211104949.12992-2-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 57 ++++++++++++---------------------------------- + arch/x86/entry/entry_64.S | 12 +++------ + 2 files changed, 19 insertions(+), 50 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -101,49 +101,22 @@ For 32-bit we have the following convent + addq $-(15*8), %rsp + .endm + +- .macro SAVE_C_REGS_HELPER offset=0 rax=1 rcx=1 r8910=1 r11=1 +- .if \r11 +- movq %r11, 6*8+\offset(%rsp) +- .endif +- .if \r8910 +- movq %r10, 7*8+\offset(%rsp) +- movq %r9, 8*8+\offset(%rsp) +- movq %r8, 9*8+\offset(%rsp) +- .endif +- .if \rax +- movq %rax, 10*8+\offset(%rsp) +- .endif +- .if \rcx +- movq %rcx, 11*8+\offset(%rsp) +- .endif +- movq %rdx, 12*8+\offset(%rsp) +- movq %rsi, 13*8+\offset(%rsp) ++ .macro SAVE_REGS offset=0 + movq %rdi, 14*8+\offset(%rsp) +- UNWIND_HINT_REGS offset=\offset extra=0 +- .endm +- .macro SAVE_C_REGS offset=0 +- SAVE_C_REGS_HELPER \offset, 1, 1, 1, 1 +- .endm +- .macro SAVE_C_REGS_EXCEPT_RAX_RCX offset=0 +- SAVE_C_REGS_HELPER \offset, 0, 0, 1, 1 +- .endm +- .macro SAVE_C_REGS_EXCEPT_R891011 +- SAVE_C_REGS_HELPER 0, 1, 1, 0, 0 +- .endm +- .macro SAVE_C_REGS_EXCEPT_RCX_R891011 +- SAVE_C_REGS_HELPER 0, 1, 0, 0, 0 +- .endm +- .macro SAVE_C_REGS_EXCEPT_RAX_RCX_R11 +- SAVE_C_REGS_HELPER 0, 0, 0, 1, 0 +- .endm +- +- .macro SAVE_EXTRA_REGS offset=0 +- movq %r15, 0*8+\offset(%rsp) +- movq %r14, 1*8+\offset(%rsp) +- movq %r13, 2*8+\offset(%rsp) +- movq %r12, 3*8+\offset(%rsp) +- movq %rbp, 4*8+\offset(%rsp) ++ movq %rsi, 13*8+\offset(%rsp) ++ movq %rdx, 12*8+\offset(%rsp) ++ movq %rcx, 11*8+\offset(%rsp) ++ movq %rax, 10*8+\offset(%rsp) ++ movq %r8, 9*8+\offset(%rsp) ++ movq %r9, 8*8+\offset(%rsp) ++ movq %r10, 7*8+\offset(%rsp) ++ movq %r11, 6*8+\offset(%rsp) + movq %rbx, 5*8+\offset(%rsp) ++ movq %rbp, 4*8+\offset(%rsp) ++ movq %r12, 3*8+\offset(%rsp) ++ movq %r13, 2*8+\offset(%rsp) ++ movq %r14, 1*8+\offset(%rsp) ++ movq %r15, 0*8+\offset(%rsp) + UNWIND_HINT_REGS offset=\offset + .endm + +@@ -197,7 +170,7 @@ For 32-bit we have the following convent + * is just setting the LSB, which makes it an invalid stack address and is also + * a signal to the unwinder that it's a pt_regs pointer in disguise. + * +- * NOTE: This macro must be used *after* SAVE_EXTRA_REGS because it corrupts ++ * NOTE: This macro must be used *after* SAVE_REGS because it corrupts + * the original rbp. + */ + .macro ENCODE_FRAME_POINTER ptregs_offset=0 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -569,8 +569,7 @@ END(irq_entries_start) + 1: + + ALLOC_PT_GPREGS_ON_STACK +- SAVE_C_REGS +- SAVE_EXTRA_REGS ++ SAVE_REGS + CLEAR_REGS_NOSPEC + ENCODE_FRAME_POINTER + +@@ -1126,8 +1125,7 @@ ENTRY(xen_failsafe_callback) + UNWIND_HINT_IRET_REGS + pushq $-1 /* orig_ax = -1 => not a system call */ + ALLOC_PT_GPREGS_ON_STACK +- SAVE_C_REGS +- SAVE_EXTRA_REGS ++ SAVE_REGS + CLEAR_REGS_NOSPEC + ENCODE_FRAME_POINTER + jmp error_exit +@@ -1172,8 +1170,7 @@ idtentry machine_check do_mce has_err + ENTRY(paranoid_entry) + UNWIND_HINT_FUNC + cld +- SAVE_C_REGS 8 +- SAVE_EXTRA_REGS 8 ++ SAVE_REGS 8 + CLEAR_REGS_NOSPEC + ENCODE_FRAME_POINTER 8 + movl $1, %ebx +@@ -1225,8 +1222,7 @@ END(paranoid_exit) + ENTRY(error_entry) + UNWIND_HINT_FUNC + cld +- SAVE_C_REGS 8 +- SAVE_EXTRA_REGS 8 ++ SAVE_REGS 8 + CLEAR_REGS_NOSPEC + ENCODE_FRAME_POINTER 8 + testb $3, CS+8(%rsp) diff --git a/queue-4.14/x86-entry-64-merge-the-pop_c_regs-and-pop_extra_regs-macros-into-a-single-pop_regs-macro.patch b/queue-4.14/x86-entry-64-merge-the-pop_c_regs-and-pop_extra_regs-macros-into-a-single-pop_regs-macro.patch new file mode 100644 index 00000000000..dfd83872816 --- /dev/null +++ b/queue-4.14/x86-entry-64-merge-the-pop_c_regs-and-pop_extra_regs-macros-into-a-single-pop_regs-macro.patch @@ -0,0 +1,127 @@ +From 502af0d70843c2a9405d7ba1f79b4b0305aaf5f5 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 11:49:43 +0100 +Subject: x86/entry/64: Merge the POP_C_REGS and POP_EXTRA_REGS macros into a single POP_REGS macro + +From: Dominik Brodowski + +commit 502af0d70843c2a9405d7ba1f79b4b0305aaf5f5 upstream. + +The two special, opencoded cases for POP_C_REGS can be handled by ASM +macros. + +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dan.j.williams@intel.com +Link: http://lkml.kernel.org/r/20180211104949.12992-3-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 15 +++++++++++---- + arch/x86/entry/entry_64.S | 26 ++++---------------------- + 2 files changed, 15 insertions(+), 26 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -139,25 +139,32 @@ For 32-bit we have the following convent + xorq %r15, %r15 + .endm + +- .macro POP_EXTRA_REGS ++ .macro POP_REGS pop_rdi=1 skip_r11rcx=0 + popq %r15 + popq %r14 + popq %r13 + popq %r12 + popq %rbp + popq %rbx +- .endm +- +- .macro POP_C_REGS ++ .if \skip_r11rcx ++ popq %rsi ++ .else + popq %r11 ++ .endif + popq %r10 + popq %r9 + popq %r8 + popq %rax ++ .if \skip_r11rcx ++ popq %rsi ++ .else + popq %rcx ++ .endif + popq %rdx + popq %rsi ++ .if \pop_rdi + popq %rdi ++ .endif + .endm + + .macro icebp +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -330,15 +330,7 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) + syscall_return_via_sysret: + /* rcx and r11 are already restored (see code above) */ + UNWIND_HINT_EMPTY +- POP_EXTRA_REGS +- popq %rsi /* skip r11 */ +- popq %r10 +- popq %r9 +- popq %r8 +- popq %rax +- popq %rsi /* skip rcx */ +- popq %rdx +- popq %rsi ++ POP_REGS pop_rdi=0 skip_r11rcx=1 + + /* + * Now all regs are restored except RSP and RDI. +@@ -631,15 +623,7 @@ GLOBAL(swapgs_restore_regs_and_return_to + ud2 + 1: + #endif +- POP_EXTRA_REGS +- popq %r11 +- popq %r10 +- popq %r9 +- popq %r8 +- popq %rax +- popq %rcx +- popq %rdx +- popq %rsi ++ POP_REGS pop_rdi=0 + + /* + * The stack is now user RDI, orig_ax, RIP, CS, EFLAGS, RSP, SS. +@@ -697,8 +681,7 @@ GLOBAL(restore_regs_and_return_to_kernel + ud2 + 1: + #endif +- POP_EXTRA_REGS +- POP_C_REGS ++ POP_REGS + addq $8, %rsp /* skip regs->orig_ax */ + INTERRUPT_RETURN + +@@ -1655,8 +1638,7 @@ end_repeat_nmi: + nmi_swapgs: + SWAPGS_UNSAFE_STACK + nmi_restore: +- POP_EXTRA_REGS +- POP_C_REGS ++ POP_REGS + + /* + * Skip orig_ax and the "outermost" frame to point RSP at the "iret" diff --git a/queue-4.14/x86-entry-64-remove-the-unused-icebp-macro.patch b/queue-4.14/x86-entry-64-remove-the-unused-icebp-macro.patch new file mode 100644 index 00000000000..aa3243b6b22 --- /dev/null +++ b/queue-4.14/x86-entry-64-remove-the-unused-icebp-macro.patch @@ -0,0 +1,44 @@ +From b498c261107461d5c42140dfddd05df83d8ca078 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Mon, 12 Feb 2018 21:13:18 +0100 +Subject: x86/entry/64: Remove the unused 'icebp' macro + +From: Borislav Petkov + +commit b498c261107461d5c42140dfddd05df83d8ca078 upstream. + +That macro was touched around 2.5.8 times, judging by the full history +linux repo, but it was unused even then. Get rid of it already. + +Signed-off-by: Borislav Petkov +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux@dominikbrodowski.net +Link: http://lkml.kernel.org/r/20180212201318.GD14640@pd.tnic +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -159,10 +159,6 @@ For 32-bit we have the following convent + .if \pop_rdi + popq %rdi + .endif +- .endm +- +- .macro icebp +- .byte 0xf1 + .endm + + /* diff --git a/queue-4.14/x86-entry-64-use-push_and_clean_regs-in-more-cases.patch b/queue-4.14/x86-entry-64-use-push_and_clean_regs-in-more-cases.patch new file mode 100644 index 00000000000..f74cdea3d36 --- /dev/null +++ b/queue-4.14/x86-entry-64-use-push_and_clean_regs-in-more-cases.patch @@ -0,0 +1,139 @@ +From 30907fd13bb593202574bb20af58d67c70a1ee14 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 11:49:46 +0100 +Subject: x86/entry/64: Use PUSH_AND_CLEAN_REGS in more cases + +From: Dominik Brodowski + +commit 30907fd13bb593202574bb20af58d67c70a1ee14 upstream. + +entry_SYSCALL_64_after_hwframe() and nmi() can be converted to use +PUSH_AND_CLEAN_REGS instead of opencoded variants thereof. Due to +the interleaving, the additional XOR-based clearing of R8 and R9 +in entry_SYSCALL_64_after_hwframe() should not have any noticeable +negative implications. + +Suggested-by: Linus Torvalds +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dan.j.williams@intel.com +Link: http://lkml.kernel.org/r/20180211104949.12992-6-linux@dominikbrodowski.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 6 ++-- + arch/x86/entry/entry_64.S | 65 ++-------------------------------------------- + 2 files changed, 6 insertions(+), 65 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -137,7 +137,7 @@ For 32-bit we have the following convent + UNWIND_HINT_REGS offset=\offset + .endm + +- .macro PUSH_AND_CLEAR_REGS ++ .macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax + /* + * Push registers and sanitize registers of values that a + * speculation attack might otherwise want to exploit. The +@@ -147,9 +147,9 @@ For 32-bit we have the following convent + */ + pushq %rdi /* pt_regs->di */ + pushq %rsi /* pt_regs->si */ +- pushq %rdx /* pt_regs->dx */ ++ pushq \rdx /* pt_regs->dx */ + pushq %rcx /* pt_regs->cx */ +- pushq %rax /* pt_regs->ax */ ++ pushq \rax /* pt_regs->ax */ + pushq %r8 /* pt_regs->r8 */ + xorq %r8, %r8 /* nospec r8 */ + pushq %r9 /* pt_regs->r9 */ +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -223,35 +223,8 @@ ENTRY(entry_SYSCALL_64) + pushq %rcx /* pt_regs->ip */ + GLOBAL(entry_SYSCALL_64_after_hwframe) + pushq %rax /* pt_regs->orig_ax */ +- pushq %rdi /* pt_regs->di */ +- pushq %rsi /* pt_regs->si */ +- pushq %rdx /* pt_regs->dx */ +- pushq %rcx /* pt_regs->cx */ +- pushq $-ENOSYS /* pt_regs->ax */ +- pushq %r8 /* pt_regs->r8 */ +- pushq %r9 /* pt_regs->r9 */ +- pushq %r10 /* pt_regs->r10 */ +- /* +- * Clear extra registers that a speculation attack might +- * otherwise want to exploit. Interleave XOR with PUSH +- * for better uop scheduling: +- */ +- xorq %r10, %r10 /* nospec r10 */ +- pushq %r11 /* pt_regs->r11 */ +- xorq %r11, %r11 /* nospec r11 */ +- pushq %rbx /* pt_regs->rbx */ +- xorl %ebx, %ebx /* nospec rbx */ +- pushq %rbp /* pt_regs->rbp */ +- xorl %ebp, %ebp /* nospec rbp */ +- pushq %r12 /* pt_regs->r12 */ +- xorq %r12, %r12 /* nospec r12 */ +- pushq %r13 /* pt_regs->r13 */ +- xorq %r13, %r13 /* nospec r13 */ +- pushq %r14 /* pt_regs->r14 */ +- xorq %r14, %r14 /* nospec r14 */ +- pushq %r15 /* pt_regs->r15 */ +- xorq %r15, %r15 /* nospec r15 */ +- UNWIND_HINT_REGS ++ ++ PUSH_AND_CLEAR_REGS rax=$-ENOSYS + + TRACE_IRQS_OFF + +@@ -1382,39 +1355,7 @@ ENTRY(nmi) + pushq 1*8(%rdx) /* pt_regs->rip */ + UNWIND_HINT_IRET_REGS + pushq $-1 /* pt_regs->orig_ax */ +- pushq %rdi /* pt_regs->di */ +- pushq %rsi /* pt_regs->si */ +- pushq (%rdx) /* pt_regs->dx */ +- pushq %rcx /* pt_regs->cx */ +- pushq %rax /* pt_regs->ax */ +- /* +- * Sanitize registers of values that a speculation attack +- * might otherwise want to exploit. The lower registers are +- * likely clobbered well before they could be put to use in +- * a speculative execution gadget. Interleave XOR with PUSH +- * for better uop scheduling: +- */ +- pushq %r8 /* pt_regs->r8 */ +- xorq %r8, %r8 /* nospec r8 */ +- pushq %r9 /* pt_regs->r9 */ +- xorq %r9, %r9 /* nospec r9 */ +- pushq %r10 /* pt_regs->r10 */ +- xorq %r10, %r10 /* nospec r10 */ +- pushq %r11 /* pt_regs->r11 */ +- xorq %r11, %r11 /* nospec r11*/ +- pushq %rbx /* pt_regs->rbx */ +- xorl %ebx, %ebx /* nospec rbx*/ +- pushq %rbp /* pt_regs->rbp */ +- xorl %ebp, %ebp /* nospec rbp*/ +- pushq %r12 /* pt_regs->r12 */ +- xorq %r12, %r12 /* nospec r12*/ +- pushq %r13 /* pt_regs->r13 */ +- xorq %r13, %r13 /* nospec r13*/ +- pushq %r14 /* pt_regs->r14 */ +- xorq %r14, %r14 /* nospec r14*/ +- pushq %r15 /* pt_regs->r15 */ +- xorq %r15, %r15 /* nospec r15*/ +- UNWIND_HINT_REGS ++ PUSH_AND_CLEAR_REGS rdx=(%rdx) + ENCODE_FRAME_POINTER + + /* diff --git a/queue-4.14/x86-mm-rename-flush_tlb_single-and-flush_tlb_one-to-__flush_tlb_one_.patch b/queue-4.14/x86-mm-rename-flush_tlb_single-and-flush_tlb_one-to-__flush_tlb_one_.patch new file mode 100644 index 00000000000..63a51c35b62 --- /dev/null +++ b/queue-4.14/x86-mm-rename-flush_tlb_single-and-flush_tlb_one-to-__flush_tlb_one_.patch @@ -0,0 +1,290 @@ +From 1299ef1d8870d2d9f09a5aadf2f8b2c887c2d033 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Wed, 31 Jan 2018 08:03:10 -0800 +Subject: x86/mm: Rename flush_tlb_single() and flush_tlb_one() to __flush_tlb_one_[user|kernel]() + +From: Andy Lutomirski + +commit 1299ef1d8870d2d9f09a5aadf2f8b2c887c2d033 upstream. + +flush_tlb_single() and flush_tlb_one() sound almost identical, but +they really mean "flush one user translation" and "flush one kernel +translation". Rename them to flush_tlb_one_user() and +flush_tlb_one_kernel() to make the semantics more obvious. + +[ I was looking at some PTI-related code, and the flush-one-address code + is unnecessarily hard to understand because the names of the helpers are + uninformative. This came up during PTI review, but no one got around to + doing it. ] + +Signed-off-by: Andy Lutomirski +Acked-by: Peter Zijlstra (Intel) +Cc: Boris Ostrovsky +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Eduardo Valentin +Cc: Hugh Dickins +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Kees Cook +Cc: Linus Torvalds +Cc: Linux-MM +Cc: Rik van Riel +Cc: Thomas Gleixner +Cc: Will Deacon +Link: http://lkml.kernel.org/r/3303b02e3c3d049dc5235d5651e0ae6d29a34354.1517414378.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/paravirt.h | 4 ++-- + arch/x86/include/asm/paravirt_types.h | 2 +- + arch/x86/include/asm/pgtable_32.h | 2 +- + arch/x86/include/asm/tlbflush.h | 27 ++++++++++++++++++++------- + arch/x86/kernel/paravirt.c | 6 +++--- + arch/x86/mm/init_64.c | 2 +- + arch/x86/mm/ioremap.c | 2 +- + arch/x86/mm/kmmio.c | 2 +- + arch/x86/mm/pgtable_32.c | 2 +- + arch/x86/mm/tlb.c | 6 +++--- + arch/x86/platform/uv/tlb_uv.c | 2 +- + arch/x86/xen/mmu_pv.c | 6 +++--- + include/trace/events/xen.h | 2 +- + 13 files changed, 39 insertions(+), 26 deletions(-) + +--- a/arch/x86/include/asm/paravirt.h ++++ b/arch/x86/include/asm/paravirt.h +@@ -297,9 +297,9 @@ static inline void __flush_tlb_global(vo + { + PVOP_VCALL0(pv_mmu_ops.flush_tlb_kernel); + } +-static inline void __flush_tlb_single(unsigned long addr) ++static inline void __flush_tlb_one_user(unsigned long addr) + { +- PVOP_VCALL1(pv_mmu_ops.flush_tlb_single, addr); ++ PVOP_VCALL1(pv_mmu_ops.flush_tlb_one_user, addr); + } + + static inline void flush_tlb_others(const struct cpumask *cpumask, +--- a/arch/x86/include/asm/paravirt_types.h ++++ b/arch/x86/include/asm/paravirt_types.h +@@ -217,7 +217,7 @@ struct pv_mmu_ops { + /* TLB operations */ + void (*flush_tlb_user)(void); + void (*flush_tlb_kernel)(void); +- void (*flush_tlb_single)(unsigned long addr); ++ void (*flush_tlb_one_user)(unsigned long addr); + void (*flush_tlb_others)(const struct cpumask *cpus, + const struct flush_tlb_info *info); + +--- a/arch/x86/include/asm/pgtable_32.h ++++ b/arch/x86/include/asm/pgtable_32.h +@@ -61,7 +61,7 @@ void paging_init(void); + #define kpte_clear_flush(ptep, vaddr) \ + do { \ + pte_clear(&init_mm, (vaddr), (ptep)); \ +- __flush_tlb_one((vaddr)); \ ++ __flush_tlb_one_kernel((vaddr)); \ + } while (0) + + #endif /* !__ASSEMBLY__ */ +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -140,7 +140,7 @@ static inline unsigned long build_cr3_no + #else + #define __flush_tlb() __native_flush_tlb() + #define __flush_tlb_global() __native_flush_tlb_global() +-#define __flush_tlb_single(addr) __native_flush_tlb_single(addr) ++#define __flush_tlb_one_user(addr) __native_flush_tlb_one_user(addr) + #endif + + static inline bool tlb_defer_switch_to_init_mm(void) +@@ -397,7 +397,7 @@ static inline void __native_flush_tlb_gl + /* + * flush one page in the user mapping + */ +-static inline void __native_flush_tlb_single(unsigned long addr) ++static inline void __native_flush_tlb_one_user(unsigned long addr) + { + u32 loaded_mm_asid = this_cpu_read(cpu_tlbstate.loaded_mm_asid); + +@@ -434,18 +434,31 @@ static inline void __flush_tlb_all(void) + /* + * flush one page in the kernel mapping + */ +-static inline void __flush_tlb_one(unsigned long addr) ++static inline void __flush_tlb_one_kernel(unsigned long addr) + { + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ONE); +- __flush_tlb_single(addr); ++ ++ /* ++ * If PTI is off, then __flush_tlb_one_user() is just INVLPG or its ++ * paravirt equivalent. Even with PCID, this is sufficient: we only ++ * use PCID if we also use global PTEs for the kernel mapping, and ++ * INVLPG flushes global translations across all address spaces. ++ * ++ * If PTI is on, then the kernel is mapped with non-global PTEs, and ++ * __flush_tlb_one_user() will flush the given address for the current ++ * kernel address space and for its usermode counterpart, but it does ++ * not flush it for other address spaces. ++ */ ++ __flush_tlb_one_user(addr); + + if (!static_cpu_has(X86_FEATURE_PTI)) + return; + + /* +- * __flush_tlb_single() will have cleared the TLB entry for this ASID, +- * but since kernel space is replicated across all, we must also +- * invalidate all others. ++ * See above. We need to propagate the flush to all other address ++ * spaces. In principle, we only need to propagate it to kernelmode ++ * address spaces, but the extra bookkeeping we would need is not ++ * worth it. + */ + invalidate_other_asid(); + } +--- a/arch/x86/kernel/paravirt.c ++++ b/arch/x86/kernel/paravirt.c +@@ -190,9 +190,9 @@ static void native_flush_tlb_global(void + __native_flush_tlb_global(); + } + +-static void native_flush_tlb_single(unsigned long addr) ++static void native_flush_tlb_one_user(unsigned long addr) + { +- __native_flush_tlb_single(addr); ++ __native_flush_tlb_one_user(addr); + } + + struct static_key paravirt_steal_enabled; +@@ -391,7 +391,7 @@ struct pv_mmu_ops pv_mmu_ops __ro_after_ + + .flush_tlb_user = native_flush_tlb, + .flush_tlb_kernel = native_flush_tlb_global, +- .flush_tlb_single = native_flush_tlb_single, ++ .flush_tlb_one_user = native_flush_tlb_one_user, + .flush_tlb_others = native_flush_tlb_others, + + .pgd_alloc = __paravirt_pgd_alloc, +--- a/arch/x86/mm/init_64.c ++++ b/arch/x86/mm/init_64.c +@@ -256,7 +256,7 @@ static void __set_pte_vaddr(pud_t *pud, + * It's enough to flush this one mapping. + * (PGE mappings get flushed as well) + */ +- __flush_tlb_one(vaddr); ++ __flush_tlb_one_kernel(vaddr); + } + + void set_pte_vaddr_p4d(p4d_t *p4d_page, unsigned long vaddr, pte_t new_pte) +--- a/arch/x86/mm/ioremap.c ++++ b/arch/x86/mm/ioremap.c +@@ -749,5 +749,5 @@ void __init __early_set_fixmap(enum fixe + set_pte(pte, pfn_pte(phys >> PAGE_SHIFT, flags)); + else + pte_clear(&init_mm, addr, pte); +- __flush_tlb_one(addr); ++ __flush_tlb_one_kernel(addr); + } +--- a/arch/x86/mm/kmmio.c ++++ b/arch/x86/mm/kmmio.c +@@ -168,7 +168,7 @@ static int clear_page_presence(struct km + return -1; + } + +- __flush_tlb_one(f->addr); ++ __flush_tlb_one_kernel(f->addr); + return 0; + } + +--- a/arch/x86/mm/pgtable_32.c ++++ b/arch/x86/mm/pgtable_32.c +@@ -63,7 +63,7 @@ void set_pte_vaddr(unsigned long vaddr, + * It's enough to flush this one mapping. + * (PGE mappings get flushed as well) + */ +- __flush_tlb_one(vaddr); ++ __flush_tlb_one_kernel(vaddr); + } + + unsigned long __FIXADDR_TOP = 0xfffff000; +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -492,7 +492,7 @@ static void flush_tlb_func_common(const + * flush that changes context.tlb_gen from 2 to 3. If they get + * processed on this CPU in reverse order, we'll see + * local_tlb_gen == 1, mm_tlb_gen == 3, and end != TLB_FLUSH_ALL. +- * If we were to use __flush_tlb_single() and set local_tlb_gen to ++ * If we were to use __flush_tlb_one_user() and set local_tlb_gen to + * 3, we'd be break the invariant: we'd update local_tlb_gen above + * 1 without the full flush that's needed for tlb_gen 2. + * +@@ -513,7 +513,7 @@ static void flush_tlb_func_common(const + + addr = f->start; + while (addr < f->end) { +- __flush_tlb_single(addr); ++ __flush_tlb_one_user(addr); + addr += PAGE_SIZE; + } + if (local) +@@ -660,7 +660,7 @@ static void do_kernel_range_flush(void * + + /* flush range by one by one 'invlpg' */ + for (addr = f->start; addr < f->end; addr += PAGE_SIZE) +- __flush_tlb_one(addr); ++ __flush_tlb_one_kernel(addr); + } + + void flush_tlb_kernel_range(unsigned long start, unsigned long end) +--- a/arch/x86/platform/uv/tlb_uv.c ++++ b/arch/x86/platform/uv/tlb_uv.c +@@ -299,7 +299,7 @@ static void bau_process_message(struct m + local_flush_tlb(); + stat->d_alltlb++; + } else { +- __flush_tlb_single(msg->address); ++ __flush_tlb_one_user(msg->address); + stat->d_onetlb++; + } + stat->d_requestee++; +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -1300,12 +1300,12 @@ static void xen_flush_tlb(void) + preempt_enable(); + } + +-static void xen_flush_tlb_single(unsigned long addr) ++static void xen_flush_tlb_one_user(unsigned long addr) + { + struct mmuext_op *op; + struct multicall_space mcs; + +- trace_xen_mmu_flush_tlb_single(addr); ++ trace_xen_mmu_flush_tlb_one_user(addr); + + preempt_disable(); + +@@ -2360,7 +2360,7 @@ static const struct pv_mmu_ops xen_mmu_o + + .flush_tlb_user = xen_flush_tlb, + .flush_tlb_kernel = xen_flush_tlb, +- .flush_tlb_single = xen_flush_tlb_single, ++ .flush_tlb_one_user = xen_flush_tlb_one_user, + .flush_tlb_others = xen_flush_tlb_others, + + .pgd_alloc = xen_pgd_alloc, +--- a/include/trace/events/xen.h ++++ b/include/trace/events/xen.h +@@ -365,7 +365,7 @@ TRACE_EVENT(xen_mmu_flush_tlb, + TP_printk("%s", "") + ); + +-TRACE_EVENT(xen_mmu_flush_tlb_single, ++TRACE_EVENT(xen_mmu_flush_tlb_one_user, + TP_PROTO(unsigned long addr), + TP_ARGS(addr), + TP_STRUCT__entry( diff --git a/queue-4.14/x86-spectre-fix-an-error-message.patch b/queue-4.14/x86-spectre-fix-an-error-message.patch new file mode 100644 index 00000000000..2750f0a70ac --- /dev/null +++ b/queue-4.14/x86-spectre-fix-an-error-message.patch @@ -0,0 +1,42 @@ +From 9de29eac8d2189424d81c0d840cd0469aa3d41c8 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 14 Feb 2018 10:14:17 +0300 +Subject: x86/spectre: Fix an error message + +From: Dan Carpenter + +commit 9de29eac8d2189424d81c0d840cd0469aa3d41c8 upstream. + +If i == ARRAY_SIZE(mitigation_options) then we accidentally print +garbage from one space beyond the end of the mitigation_options[] array. + +Signed-off-by: Dan Carpenter +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: KarimAllah Ahmed +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: kernel-janitors@vger.kernel.org +Fixes: 9005c6834c0f ("x86/spectre: Simplify spectre_v2 command line parsing") +Link: http://lkml.kernel.org/r/20180214071416.GA26677@mwanda +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/bugs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -174,7 +174,7 @@ static enum spectre_v2_mitigation_cmd __ + } + + if (i >= ARRAY_SIZE(mitigation_options)) { +- pr_err("unknown option (%s). Switching to AUTO select\n", mitigation_options[i].option); ++ pr_err("unknown option (%s). Switching to AUTO select\n", arg); + return SPECTRE_V2_CMD_AUTO; + } + } diff --git a/queue-4.14/x86-speculation-add-asm-msr-index.h-dependency.patch b/queue-4.14/x86-speculation-add-asm-msr-index.h-dependency.patch new file mode 100644 index 00000000000..fe2a5b6fd13 --- /dev/null +++ b/queue-4.14/x86-speculation-add-asm-msr-index.h-dependency.patch @@ -0,0 +1,48 @@ +From ea00f301285ea2f07393678cd2b6057878320c9d Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Tue, 13 Feb 2018 14:28:19 +0100 +Subject: x86/speculation: Add dependency + +From: Peter Zijlstra + +commit ea00f301285ea2f07393678cd2b6057878320c9d upstream. + +Joe Konno reported a compile failure resulting from using an MSR +without inclusion of , and while the current code builds +fine (by accident) this needs fixing for future patches. + +Reported-by: Joe Konno +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: arjan@linux.intel.com +Cc: bp@alien8.de +Cc: dan.j.williams@intel.com +Cc: dave.hansen@linux.intel.com +Cc: dwmw2@infradead.org +Cc: dwmw@amazon.co.uk +Cc: gregkh@linuxfoundation.org +Cc: hpa@zytor.com +Cc: jpoimboe@redhat.com +Cc: linux-tip-commits@vger.kernel.org +Cc: luto@kernel.org +Fixes: 20ffa1caecca ("x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support") +Link: http://lkml.kernel.org/r/20180213132819.GJ25201@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/nospec-branch.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + + #ifdef __ASSEMBLY__ + diff --git a/queue-4.14/x86-speculation-fix-up-array_index_nospec_mask-asm-constraint.patch b/queue-4.14/x86-speculation-fix-up-array_index_nospec_mask-asm-constraint.patch new file mode 100644 index 00000000000..a6b9152090d --- /dev/null +++ b/queue-4.14/x86-speculation-fix-up-array_index_nospec_mask-asm-constraint.patch @@ -0,0 +1,36 @@ +From be3233fbfcb8f5acb6e3bcd0895c3ef9e100d470 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Tue, 6 Feb 2018 18:22:40 -0800 +Subject: x86/speculation: Fix up array_index_nospec_mask() asm constraint + +From: Dan Williams + +commit be3233fbfcb8f5acb6e3bcd0895c3ef9e100d470 upstream. + +Allow the compiler to handle @size as an immediate value or memory +directly rather than allocating a register. + +Reported-by: Linus Torvalds +Signed-off-by: Dan Williams +Cc: Andy Lutomirski +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/151797010204.1289.1510000292250184993.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/barrier.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/barrier.h ++++ b/arch/x86/include/asm/barrier.h +@@ -40,7 +40,7 @@ static inline unsigned long array_index_ + + asm ("cmp %1,%2; sbb %0,%0;" + :"=r" (mask) +- :"r"(size),"r" (index) ++ :"g"(size),"r" (index) + :"cc"); + return mask; + }