4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 Dec 2022 12:30:10 +0000 (13:30 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 Dec 2022 12:30:10 +0000 (13:30 +0100)
added patches:
revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch
x86-nospec-fix-i386-rsb-stuffing.patch

queue-4.14/revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/x86-nospec-fix-i386-rsb-stuffing.patch [new file with mode: 0644]

diff --git a/queue-4.14/revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch b/queue-4.14/revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch
new file mode 100644 (file)
index 0000000..2737dd3
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Tue Dec  6 01:29:51 PM CET 2022
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 5 Dec 2022 23:10:41 +0100
+Subject: Revert "x86/speculation: Change FILL_RETURN_BUFFER to work with objtool"
+To: stable@vger.kernel.org
+Cc: Peter Zijlstra <peterz@infradead.org>, Alexandre Chartre <alexandre.chartre@oracle.com>, Josh Poimboeuf <jpoimboe@redhat.com>, Thadeu Lima de Souza Cascardo <cascardo@canonical.com>, Suleiman Souhlal <suleiman@google.com>
+Message-ID: <Y45sYZzXW9/fKPbz@decadent.org.uk>
+Content-Disposition: inline
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+This reverts commit c95afe5bcad40e1f0292bfc0a625c4aa080cc971, which
+was commit 089dd8e53126ebaf506e2dc0bf89d652c36bfc12 upstream.
+
+The necessary changes to objtool have not been backported to 4.14.
+Backporting this commit alone only added build warnings.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/nospec-branch.h |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -4,13 +4,11 @@
+ #define _ASM_X86_NOSPEC_BRANCH_H_
+ #include <linux/static_key.h>
+-#include <linux/frame.h>
+ #include <asm/alternative.h>
+ #include <asm/alternative-asm.h>
+ #include <asm/cpufeatures.h>
+ #include <asm/msr-index.h>
+-#include <asm/unwind_hints.h>
+ #include <asm/percpu.h>
+ /*
+@@ -54,9 +52,9 @@
+       lfence;                                 \
+       jmp     775b;                           \
+ 774:                                          \
+-      add     $(BITS_PER_LONG/8) * 2, sp;     \
+       dec     reg;                            \
+       jnz     771b;                           \
++      add     $(BITS_PER_LONG/8) * nr, sp;    \
+       /* barrier for jnz misprediction */     \
+       lfence;
+ #else
+@@ -167,8 +165,10 @@
+   * monstrosity above, manually.
+   */
+ .macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
+-      ALTERNATIVE "jmp .Lskip_rsb_\@", "", \ftr
+-      __FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)
++      ANNOTATE_NOSPEC_ALTERNATIVE
++      ALTERNATIVE "jmp .Lskip_rsb_\@",                                \
++              __stringify(__FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP))    \
++              \ftr
+ .Lskip_rsb_\@:
+ .endm
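Review bot: With the stack adjustment moved back after the loop as `add $(BITS_PER_LONG/8) * nr, sp`, the 64-bit `__FILL_RETURN_BUFFER` balances the stack only when `nr` is even. The loop counter is seeded with `mov $(nr/2), reg` and each pass makes two calls (both visible in the context of x86-nospec-fix-i386-rsb-stuffing.patch), so an odd `nr` would push `nr - 1` return addresses and then pop `nr` slots; the per-iteration `* 2` form being removed did not depend on this. No caller is visible on this page, so this may never occur, but a line such as `/* nr must be even: the loop pushes 2 * (nr / 2) return addresses */` above the macro would record the assumption. The macro body starts before this hunk. The `#else` context line after the final `lfence` also appears to exist only once the i386 fix is applied, so the two entries need to stay in the order given in `series`.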
index 5f20d382bb4109eda2943b2b8911ad62a4de09a2..a4642855549ff10a570a59ca17c6d57fee6a16cb 100644 (file)
@@ -79,3 +79,5 @@ proc-avoid-integer-type-confusion-in-get_proc_long.patch
 proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
 v4l2-don-t-fall-back-to-follow_pfn-if-pin_user_pages_fast-fails.patch
 ipc-sem-fix-dangling-sem_array-access-in-semtimedop-.patch
+x86-nospec-fix-i386-rsb-stuffing.patch
+revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch
diff --git a/queue-4.14/x86-nospec-fix-i386-rsb-stuffing.patch b/queue-4.14/x86-nospec-fix-i386-rsb-stuffing.patch
new file mode 100644 (file)
index 0000000..6d6e68b
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Tue Dec  6 01:29:51 PM CET 2022
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 5 Dec 2022 23:10:26 +0100
+Subject: x86/nospec: Fix i386 RSB stuffing
+To: stable@vger.kernel.org
+Cc: Peter Zijlstra <peterz@infradead.org>
+Message-ID: <Y45sUiyu2/cjze66@decadent.org.uk>
+Content-Disposition: inline
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 332924973725e8cdcc783c175f68cf7e162cb9e5 upstream.
+
+Turns out that i386 doesn't unconditionally have LFENCE, as such the
+loop in __FILL_RETURN_BUFFER isn't actually speculation safe on such
+chips.
+
+Fixes: ba6e31af2be9 ("x86/speculation: Add LFENCE to RSB fill sequence")
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/Yv9tj9vbQ9nNlXoY@worktop.programming.kicks-ass.net
+[bwh: Backported to 4.14:
+ - __FILL_RETURN_BUFFER takes an sp parameter
+ - Open-code __FILL_RETURN_SLOT]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/nospec-branch.h |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -38,6 +38,7 @@
+  * the optimal version — two calls, each with their own speculation
+  * trap should their return address end up getting used, in a loop.
+  */
++#ifdef CONFIG_X86_64
+ #define __FILL_RETURN_BUFFER(reg, nr, sp)     \
+       mov     $(nr/2), reg;                   \
+ 771:                                          \
+@@ -58,6 +59,19 @@
+       jnz     771b;                           \
+       /* barrier for jnz misprediction */     \
+       lfence;
++#else
++/*
++ * i386 doesn't unconditionally have LFENCE, as such it can't
++ * do a loop.
++ */
++#define __FILL_RETURN_BUFFER(reg, nr, sp)     \
++      .rept nr;                               \
++      call    772f;                           \
++      int3;                                   \
++772:;                                         \
++      .endr;                                  \
++      add     $(BITS_PER_LONG/8) * nr, sp;
++#endif
+ #define ISSUE_UNBALANCED_RET_GUARD(sp)                \
+       call 992f;                              \
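Review bot: The comment on the new i386 `__FILL_RETURN_BUFFER` says a loop is not possible but not why, and it does not mention that `reg` is unused in this variant. The 64-bit version ends with an `lfence` marked as the barrier for `jnz` misprediction, so the reason is presumably that a mispredicted loop exit cannot be fenced on CPUs without LFENCE; stating that would discourage anyone from later folding the `.rept` sequence back into a loop. Something like `/* No LFENCE guarantee on i386, so a mispredicted loop exit cannot be fenced: unroll nr call/int3 slots. reg is unused. */` would do. Since `nr` now feeds `.rept`, it has to be an assemble-time constant, and every expansion site emits `nr` call/int3 pairs inline. The 64-bit macro beside it starts and ends outside the hunks shown.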