From: Greg Kroah-Hartman Date: Fri, 19 Jan 2018 09:27:08 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.113~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c1f37e6d28ee51cc05d9bec8bb7914a61e05f481;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: module-add-retpoline-tag-to-vermagic.patch x86-retpoline-add-lfence-to-the-retpoline-rsb-filling-rsb-macros.patch
---
diff --git a/queue-4.4/module-add-retpoline-tag-to-vermagic.patch b/queue-4.4/module-add-retpoline-tag-to-vermagic.patch
new file mode 100644
index 00000000000..7870bc46024
--- /dev/null
+++ b/queue-4.4/module-add-retpoline-tag-to-vermagic.patch
@@ -0,0 +1,53 @@
+From 6cfb521ac0d5b97470883ff9b7facae264b7ab12 Mon Sep 17 00:00:00 2001
+From: Andi Kleen
+Date: Tue, 16 Jan 2018 12:52:28 -0800
+Subject: module: Add retpoline tag to VERMAGIC
+
+From: Andi Kleen
+
+commit 6cfb521ac0d5b97470883ff9b7facae264b7ab12 upstream.
+
+Add a marker for retpoline to the module VERMAGIC. This catches the case
+when a non RETPOLINE compiled module gets loaded into a retpoline kernel,
+making it insecure.
+
+It doesn't handle the case when retpoline has been runtime disabled. Even
+in this case the match of the retcompile status will be enforced. This
+implies that even with retpoline run time disabled all modules loaded need
+to be recompiled.
+
+Signed-off-by: Andi Kleen
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Greg Kroah-Hartman
+Acked-by: David Woodhouse
+Cc: rusty@rustcorp.com.au
+Cc: arjan.van.de.ven@intel.com
+Cc: jeyu@kernel.org
+Cc: torvalds@linux-foundation.org
+Link: https://lkml.kernel.org/r/20180116205228.4890-1-andi@firstfloor.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/vermagic.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/include/linux/vermagic.h
++++ b/include/linux/vermagic.h
+@@ -24,10 +24,16 @@
+ #ifndef MODULE_ARCH_VERMAGIC
+ #define MODULE_ARCH_VERMAGIC ""
+ #endif
++#ifdef RETPOLINE
++#define MODULE_VERMAGIC_RETPOLINE "retpoline "
++#else
++#define MODULE_VERMAGIC_RETPOLINE ""
++#endif
+
+ #define VERMAGIC_STRING \
+ UTS_RELEASE " " \
+ MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
+ MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
+- MODULE_ARCH_VERMAGIC
++ MODULE_ARCH_VERMAGIC \
++ MODULE_VERMAGIC_RETPOLINE
+
diff --git a/queue-4.4/series b/queue-4.4/series
index f9bef63e3e9..9a3a20cee94 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
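Review bot: The new `#ifdef RETPOLINE` block in include/linux/vermagic.h has no comment, so nothing at the definition says that the tag records how the module was compiled rather than whether the mitigation is active at run time. I would add above it `/* Built with retpoline: tagged so a retpoline kernel refuses modules compiled without it (build-time status only). */`. Vermagic is a consistency check rather than an enforcement boundary: where forced loading is permitted (`CONFIG_MODULE_FORCE_LOAD`), a mismatched module can presumably still be loaded. Deployments that rely on this tag should therefore keep forced loading disabled or require signed modules.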
@@ -27,3 +27,5 @@ af_key-fix-buffer-overread-in-verify_address_len.patch
 af_key-fix-buffer-overread-in-parse_exthdrs.patch
 scsi-hpsa-fix-volume-offline-state.patch
 sched-deadline-zero-out-positive-runtime-after-throttling-constrained-tasks.patch
+x86-retpoline-add-lfence-to-the-retpoline-rsb-filling-rsb-macros.patch
+module-add-retpoline-tag-to-vermagic.patch
diff --git a/queue-4.4/x86-retpoline-add-lfence-to-the-retpoline-rsb-filling-rsb-macros.patch b/queue-4.4/x86-retpoline-add-lfence-to-the-retpoline-rsb-filling-rsb-macros.patch
new file mode 100644
index 00000000000..d1382c82427
--- /dev/null
+++ b/queue-4.4/x86-retpoline-add-lfence-to-the-retpoline-rsb-filling-rsb-macros.patch
@@ -0,0 +1,91 @@
+From 28d437d550e1e39f805d99f9f8ac399c778827b7 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky
+Date: Sat, 13 Jan 2018 17:27:30 -0600
+Subject: x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
+
+From: Tom Lendacky
+
+commit 28d437d550e1e39f805d99f9f8ac399c778827b7 upstream.
+
+The PAUSE instruction is currently used in the retpoline and RSB filling
+macros as a speculation trap. The use of PAUSE was originally suggested
+because it showed a very, very small difference in the amount of
+cycles/time used to execute the retpoline as compared to LFENCE. On AMD,
+the PAUSE instruction is not a serializing instruction, so the pause/jmp
+loop will use excess power as it is speculated over waiting for return
+to mispredict to the correct target.
+
+The RSB filling macro is applicable to AMD, and, if software is unable to
+verify that LFENCE is serializing on AMD (possible when running under a
+hypervisor), the generic retpoline support will be used and, so, is also
+applicable to AMD. Keep the current usage of PAUSE for Intel, but add an
+LFENCE instruction to the speculation trap for AMD.
+
+The same sequence has been adopted by GCC for the GCC generated retpolines.
+
+Signed-off-by: Tom Lendacky
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Borislav Petkov
+Acked-by: David Woodhouse
+Acked-by: Arjan van de Ven
+Cc: Rik van Riel
+Cc: Andi Kleen
+Cc: Paul Turner
+Cc: Peter Zijlstra
+Cc: Tim Chen
+Cc: Jiri Kosina
+Cc: Dave Hansen
+Cc: Andy Lutomirski
+Cc: Josh Poimboeuf
+Cc: Dan Williams
+Cc: Linus Torvalds
+Cc: Greg Kroah-Hartman
+Cc: Kees Cook
+Link: https://lkml.kernel.org/r/20180113232730.31060.36287.stgit@tlendack-t1.amdoffice.net
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/nospec-branch.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -11,7 +11,7 @@
+ * Fill the CPU return stack buffer.
+ *
+ * Each entry in the RSB, if used for a speculative 'ret', contains an
+- * infinite 'pause; jmp' loop to capture speculative execution.
++ * infinite 'pause; lfence; jmp' loop to capture speculative execution.
+ *
+ * This is required in various cases for retpoline and IBRS-based
+ * mitigations for the Spectre variant 2 vulnerability. Sometimes to
+@@ -38,11 +38,13 @@
+ call 772f; \
+ 773: /* speculation trap */ \
+ pause; \
++ lfence; \
+ jmp 773b; \
+ 772: \
+ call 774f; \
+ 775: /* speculation trap */ \
+ pause; \
++ lfence; \
+ jmp 775b; \
+ 774: \
+ dec reg; \
+@@ -60,6 +62,7 @@
+ call .Ldo_rop_\@
+ .Lspec_trap_\@:
+ pause
++ lfence
+ jmp .Lspec_trap_\@
+ .Ldo_rop_\@:
+ mov \reg, (%_ASM_SP)
+@@ -142,6 +145,7 @@
+ " .align 16\n" \
+ "901: call 903f;\n" \
+ "902: pause;\n" \
++ " lfence;\n" \
+ " jmp 902b;\n" \
+ " .align 16\n" \
+ "903: addl $4, %%esp;\n" \
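Review bot: None of the four speculation traps that gain `lfence` says in the code why both instructions are needed, so a later cleanup could drop one as redundant. Only the block comment at @@ -11,7 is touched, and it names the sequence without giving the reason. I would extend that comment with ` * 'pause' is kept for Intel; 'lfence' is added because PAUSE is not serializing on AMD.`, which is the rationale given in the commit message. The traps at `773:`/`775:`, `.Lspec_trap_\@:` and `902:` sit in macros whose bodies start and end outside these hunks, so it cannot be confirmed from here whether any other trap sequence in the file still uses `pause` alone.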