From: Greg Kroah-Hartman
Date: Thu, 21 Jul 2022 17:47:52 +0000 (+0200)
Subject: drop some 5.18 retbleed commits
X-Git-Tag: v4.9.324~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3dbc4451a5f329350bf8c4ec80dfa0c93727bb27;p=thirdparty%2Fkernel%2Fstable-queue.git
drop some 5.18 retbleed commits
---
diff --git a/queue-5.18/objtool-update-retpoline-validation.patch b/queue-5.18/objtool-update-retpoline-validation.patch
deleted file mode 100644
index 2af5359a55f..00000000000
--- a/queue-5.18/objtool-update-retpoline-validation.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 13d4841cf81b8750beb3ead5c8bf1051fad2adda Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 14 Jun 2022 23:15:59 +0200
-Subject: objtool: Update Retpoline validation
-
-From: Peter Zijlstra
-
-[ Upstream commit 9bb2ec608a209018080ca262f771e6a9ff203b6f ]
-
-Update retpoline validation with the new CONFIG_RETPOLINE requirement of
-not having bare naked RET instructions.
-
-Signed-off-by: Peter Zijlstra (Intel)
-Signed-off-by: Borislav Petkov
-Reviewed-by: Josh Poimboeuf
-Signed-off-by: Borislav Petkov
-Signed-off-by: Sasha Levin
----
- arch/x86/include/asm/nospec-branch.h | 6 ++++++
- arch/x86/mm/mem_encrypt_boot.S | 2 ++
- arch/x86/xen/xen-head.S | 1 +
- tools/objtool/check.c | 19 +++++++++++++------
- 4 files changed, 22 insertions(+), 6 deletions(-)
-
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index da251a5645b0..f1a7ecd0a7c7 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -75,6 +75,12 @@
- .popsection
- .endm
-
-+/*
-+ * (ab)use RETPOLINE_SAFE on RET to annotate away 'bare' RET instructions
-+ * vs RETBleed validation.
-+ */
-+#define ANNOTATE_UNRET_SAFE ANNOTATE_RETPOLINE_SAFE
-+
- /*
- * JMP_NOSPEC and CALL_NOSPEC macros can be used instead of a simple
- * indirect jmp/call which may be susceptible to the Spectre variant 2
-diff --git a/arch/x86/mm/mem_encrypt_boot.S b/arch/x86/mm/mem_encrypt_boot.S
-index d94dea450fa6..9de3d900bc92 100644
---- a/arch/x86/mm/mem_encrypt_boot.S
-+++ b/arch/x86/mm/mem_encrypt_boot.S
-@@ -66,6 +66,7 @@ SYM_FUNC_START(sme_encrypt_execute)
- pop %rbp
-
- /* Offset to __x86_return_thunk would be wrong here */
-+ ANNOTATE_UNRET_SAFE
- ret
- int3
- SYM_FUNC_END(sme_encrypt_execute)
-@@ -154,6 +155,7 @@ SYM_FUNC_START(__enc_copy)
- pop %r15
-
- /* Offset to __x86_return_thunk would be wrong here */
-+ ANNOTATE_UNRET_SAFE
- ret
- int3
- .L__enc_copy_end:
-diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S
-index 13af6fe453e3..ffaa62167f6e 100644
---- a/arch/x86/xen/xen-head.S
-+++ b/arch/x86/xen/xen-head.S
-@@ -26,6 +26,7 @@ SYM_CODE_START(hypercall_page)
- .rept (PAGE_SIZE / 32)
- UNWIND_HINT_FUNC
- ANNOTATE_NOENDBR
-+ ANNOTATE_UNRET_SAFE
- ret
- /*
- * Xen will write the hypercall page, and sort out ENDBR.
-diff --git a/tools/objtool/check.c b/tools/objtool/check.c
-index f66e4ac0af94..fbe41203fc9b 100644
---- a/tools/objtool/check.c
-+++ b/tools/objtool/check.c
-@@ -2030,8 +2030,9 @@ static int read_retpoline_hints(struct objtool_file *file)
- }
-
- if (insn->type != INSN_JUMP_DYNAMIC &&
-- insn->type != INSN_CALL_DYNAMIC) {
-- WARN_FUNC("retpoline_safe hint not an indirect jump/call",
-+ insn->type != INSN_CALL_DYNAMIC &&
-+ insn->type != INSN_RETURN) {
-+ WARN_FUNC("retpoline_safe hint not an indirect jump/call/ret",
- insn->sec, insn->offset);
- return -1;
- }
-@@ -3561,7 +3562,8 @@ static int validate_retpoline(struct objtool_file *file)
-
- for_each_insn(file, insn) {
- if (insn->type != INSN_JUMP_DYNAMIC &&
-- insn->type != INSN_CALL_DYNAMIC)
-+ insn->type != INSN_CALL_DYNAMIC &&
-+ insn->type != INSN_RETURN)
- continue;
-
- if (insn->retpoline_safe)
-@@ -3576,9 +3578,14 @@ static int validate_retpoline(struct objtool_file *file)
- if (!strcmp(insn->sec->name, ".init.text") && !module)
- continue;
-
-- WARN_FUNC("indirect %s found in RETPOLINE build",
-- insn->sec, insn->offset,
-- insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call");
-+ if (insn->type == INSN_RETURN) {
-+ WARN_FUNC("'naked' return found in RETPOLINE build",
-+ insn->sec, insn->offset);
-+ } else {
-+ WARN_FUNC("indirect %s found in RETPOLINE build",
-+ insn->sec, insn->offset,
-+ insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call");
-+ }
-
- warnings++;
- }
---
-2.35.1
-
diff --git a/queue-5.18/series b/queue-5.18/series
index 30a75697f97..584b09f4433 100644
--- a/queue-5.18/series
+++ b/queue-5.18/series
@@ -142,10 +142,6 @@ net-atlantic-remove-aq_nic_deinit-when-resume.patch
 kvm-x86-fully-initialize-struct-kvm_lapic_irq-in-kvm.patch
 net-tls-check-for-errors-in-tls_device_init.patch
 mm-sysctl-fix-missing-numa_stat-when-config_hugetlb_.patch
-x86-kvm-fix-setcc-emulation-for-return-thunks.patch
-x86-sev-avoid-using-__x86_return_thunk.patch
-x86-bugs-report-amd-retbleed-vulnerability.patch
-objtool-update-retpoline-validation.patch
 x86-xen-rename-sys-entry-points.patch
 x86-cpu-amd-add-spectral-chicken.patch
 arm-9211-1-domain-drop-modify_domain.patch
diff --git a/queue-5.18/x86-bugs-report-amd-retbleed-vulnerability.patch b/queue-5.18/x86-bugs-report-amd-retbleed-vulnerability.patch
deleted file mode 100644
index 6e6fa1be689..00000000000
--- a/queue-5.18/x86-bugs-report-amd-retbleed-vulnerability.patch
+++ /dev/null
@@ -1,181 +0,0 @@
-From 11ec092a5ddd50700e667a569d3337bdc54f5afb Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 14 Jun 2022 23:15:49 +0200
-Subject: x86/bugs: Report AMD retbleed vulnerability
-
-From: Alexandre Chartre
-
-[ Upstream commit 6b80b59b3555706508008f1f127b5412c89c7fd8 ]
-
-Report that AMD x86 CPUs are vulnerable to the RETBleed (Arbitrary
-Speculative Code Execution with Return Instructions) attack.
-
- [peterz: add hygon]
- [kim: invert parity; fam15h]
-
-Co-developed-by: Kim Phillips
-Signed-off-by: Kim Phillips
-Signed-off-by: Alexandre Chartre
-Signed-off-by: Peter Zijlstra (Intel)
-Signed-off-by: Borislav Petkov
-Reviewed-by: Josh Poimboeuf
-Signed-off-by: Borislav Petkov
-Signed-off-by: Sasha Levin
----
- arch/x86/include/asm/cpufeatures.h | 1 +
- arch/x86/kernel/cpu/bugs.c | 13 +++++++++++++
- arch/x86/kernel/cpu/common.c | 19 +++++++++++++++++++
- drivers/base/cpu.c | 8 ++++++++
- include/linux/cpu.h | 2 ++
- 5 files changed, 43 insertions(+)
-
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index e17de69faa54..cf5553744e83 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -444,5 +444,6 @@
- #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
- #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
- #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
-+#define X86_BUG_RETBLEED X86_BUG(26) /* CPU is affected by RETBleed */
-
- #endif /* _ASM_X86_CPUFEATURES_H */
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index a8a9f6406331..425ff2f32669 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -1987,6 +1987,11 @@ static ssize_t srbds_show_state(char *buf)
- return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]);
- }
-
-+static ssize_t retbleed_show_state(char *buf)
-+{
-+ return sprintf(buf, "Vulnerable\n");
-+}
-+
- static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
- char *buf, unsigned int bug)
- {
-@@ -2032,6 +2037,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
- case X86_BUG_MMIO_STALE_DATA:
- return mmio_stale_data_show_state(buf);
-
-+ case X86_BUG_RETBLEED:
-+ return retbleed_show_state(buf);
-+
- default:
- break;
- }
-@@ -2088,4 +2096,9 @@ ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *at
- {
- return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
- }
-+
-+ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf)
-+{
-+ return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);
-+}
- #endif
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index af5d0c188f7b..796cc55313f4 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1231,16 +1231,27 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
- {}
- };
-
-+#define VULNBL(vendor, family, model, blacklist) \
-+ X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, blacklist)
-+
- #define VULNBL_INTEL_STEPPINGS(model, steppings, issues) \
- X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE(INTEL, 6, \
- INTEL_FAM6_##model, steppings, \
- X86_FEATURE_ANY, issues)
-
-+#define VULNBL_AMD(family, blacklist) \
-+ VULNBL(AMD, family, X86_MODEL_ANY, blacklist)
-+
-+#define VULNBL_HYGON(family, blacklist) \
-+ VULNBL(HYGON, family, X86_MODEL_ANY, blacklist)
-+
- #define SRBDS BIT(0)
- /* CPU is affected by X86_BUG_MMIO_STALE_DATA */
- #define MMIO BIT(1)
- /* CPU is affected by Shared Buffers Data Sampling (SBDS), a variant of X86_BUG_MMIO_STALE_DATA */
- #define MMIO_SBDS BIT(2)
-+/* CPU is affected by RETbleed, speculating where you would not expect it */
-+#define RETBLEED BIT(3)
-
- static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
-
 VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS),
-@@ -1273,6 +1284,11 @@ static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
- VULNBL_INTEL_STEPPINGS(ATOM_TREMONT, X86_STEPPINGS(0x1, 0x1), MMIO | MMIO_SBDS),
- VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO),
- VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_L, X86_STEPPINGS(0x0, 0x0), MMIO | MMIO_SBDS),
-+
-+ VULNBL_AMD(0x15, RETBLEED),
-+ VULNBL_AMD(0x16, RETBLEED),
-+ VULNBL_AMD(0x17, RETBLEED),
-+ VULNBL_HYGON(0x18, RETBLEED),
- {}
- };
-
-@@ -1374,6 +1390,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
- !arch_cap_mmio_immune(ia32_cap))
- setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
-
-+ if (cpu_matches(cpu_vuln_blacklist, RETBLEED))
-+ setup_force_cpu_bug(X86_BUG_RETBLEED);
-+
- if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
- return;
-
-diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
-index a97776ea9d99..4c98849577d4 100644
---- a/drivers/base/cpu.c
-+++ b/drivers/base/cpu.c
-@@ -570,6 +570,12 @@ ssize_t __weak cpu_show_mmio_stale_data(struct device *dev,
- return sysfs_emit(buf, "Not affected\n");
- }
-
-+ssize_t __weak cpu_show_retbleed(struct device *dev,
-+ struct device_attribute *attr, char *buf)
-+{
-+ return sysfs_emit(buf, "Not affected\n");
-+}
-+
- static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
- static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
- static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
-@@ -580,6 +586,7 @@ static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL);
- static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
- static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL);
- static DEVICE_ATTR(mmio_stale_data, 0444, cpu_show_mmio_stale_data, NULL);
-+static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL);
-
- static struct attribute *cpu_root_vulnerabilities_attrs[] = {
- &dev_attr_meltdown.attr,
-@@ -592,6 +599,7 @@ static struct attribute
*cpu_root_vulnerabilities_attrs[] = {
- &dev_attr_itlb_multihit.attr,
- &dev_attr_srbds.attr,
- &dev_attr_mmio_stale_data.attr,
-+ &dev_attr_retbleed.attr,
- NULL
- };
-
-diff --git a/include/linux/cpu.h b/include/linux/cpu.h
-index 2c7477354744..314802f98b9d 100644
---- a/include/linux/cpu.h
-+++ b/include/linux/cpu.h
-@@ -68,6 +68,8 @@ extern ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr,
- extern ssize_t cpu_show_mmio_stale_data(struct device *dev,
- struct device_attribute *attr,
- char *buf);
-+extern ssize_t cpu_show_retbleed(struct device *dev,
-+ struct device_attribute *attr, char *buf);
-
- extern __printf(4, 5)
- struct device *cpu_device_create(struct device *parent, void *drvdata,
---
-2.35.1
-
diff --git a/queue-5.18/x86-kvm-fix-setcc-emulation-for-return-thunks.patch b/queue-5.18/x86-kvm-fix-setcc-emulation-for-return-thunks.patch
deleted file mode 100644
index 09399de11c4..00000000000
--- a/queue-5.18/x86-kvm-fix-setcc-emulation-for-return-thunks.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 96ec7e0685f92832aa26ab0db0fec15711ea73e9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 14 Jun 2022 23:15:42 +0200
-Subject: x86/kvm: Fix SETcc emulation for return thunks
-
-From: Peter Zijlstra
-
-[ Upstream commit af2e140f34208a5dfb6b7a8ad2d56bda88f0524d ]
-
-Prepare the SETcc fastop stuff for when RET can be larger still.
-
-The tricky bit here is that the expressions should not only be
-constant C expressions, but also absolute GAS expressions. This means
-no ?: and 'true' is ~0.
-
-Also ensure em_setcc() has the same alignment as the actual FOP_SETCC()
-ops, this ensures there cannot be an alignment hole between em_setcc()
-and the first op.
-
-Additionally, add a .skip directive to the FOP_SETCC() macro to fill
-any remaining space with INT3 traps; however the primary purpose of
-this directive is to generate AS warnings when the remaining space
-goes negative. Which is a very good indication the alignment magic
-went side-ways.
-
-Signed-off-by: Peter Zijlstra (Intel)
-Signed-off-by: Borislav Petkov
-Reviewed-by: Josh Poimboeuf
-Signed-off-by: Borislav Petkov
-Signed-off-by: Sasha Levin
----
- arch/x86/kvm/emulate.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 89b11e7dca8a..b01437015f99 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -325,13 +325,15 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
- #define FOP_RET(name) \
- __FOP_RET(#name)
-
--#define FOP_START(op) \
-+#define __FOP_START(op, align) \
- extern void em_##op(struct fastop *fake); \
- asm(".pushsection .text, \"ax\" \n\t" \
- ".global em_" #op " \n\t" \
-- ".align " __stringify(FASTOP_SIZE) " \n\t" \
-+ ".align " __stringify(align) " \n\t" \
- "em_" #op ":\n\t"
-
-+#define FOP_START(op) __FOP_START(op, FASTOP_SIZE)
-+
- #define FOP_END \
- ".popsection")
-
-@@ -435,16 +437,15 @@ static int fastop(struct
x86_emulate_ctxt *ctxt, fastop_t fop);
- /*
- * Depending on .config the SETcc functions look like:
- *
-- * ENDBR [4 bytes; CONFIG_X86_KERNEL_IBT]
-- * SETcc %al [3 bytes]
-- * RET [1 byte]
-- * INT3 [1 byte; CONFIG_SLS]
-- *
-- * Which gives possible sizes 4, 5, 8 or 9. When rounded up to the
-- * next power-of-two alignment they become 4, 8 or 16 resp.
-+ * ENDBR [4 bytes; CONFIG_X86_KERNEL_IBT]
-+ * SETcc %al [3 bytes]
-+ * RET | JMP __x86_return_thunk [1,5 bytes; CONFIG_RETPOLINE]
-+ * INT3 [1 byte; CONFIG_SLS]
- */
--#define SETCC_LENGTH (ENDBR_INSN_SIZE + 4 + IS_ENABLED(CONFIG_SLS))
--#define SETCC_ALIGN (4 << IS_ENABLED(CONFIG_SLS) << HAS_KERNEL_IBT)
-+#define RET_LENGTH (1 + (4 * IS_ENABLED(CONFIG_RETPOLINE)) + \
-+ IS_ENABLED(CONFIG_SLS))
-+#define SETCC_LENGTH (ENDBR_INSN_SIZE + 3 + RET_LENGTH)
-+#define SETCC_ALIGN (4 << ((SETCC_LENGTH > 4) & 1) << ((SETCC_LENGTH > 8) & 1))
- static_assert(SETCC_LENGTH <= SETCC_ALIGN);
-
- #define FOP_SETCC(op) \
-@@ -453,9 +454,10 @@ static_assert(SETCC_LENGTH <= SETCC_ALIGN);
- #op ": \n\t" \
- ASM_ENDBR \
- #op " %al \n\t" \
-- __FOP_RET(#op)
-+ __FOP_RET(#op) \
-+ ".skip " __stringify(SETCC_ALIGN) " - (.-" #op "), 0xcc \n\t"
-
--FOP_START(setcc)
-+__FOP_START(setcc, SETCC_ALIGN)
- FOP_SETCC(seto)
- FOP_SETCC(setno)
- FOP_SETCC(setc)
---
-2.35.1
-
diff --git a/queue-5.18/x86-sev-avoid-using-__x86_return_thunk.patch b/queue-5.18/x86-sev-avoid-using-__x86_return_thunk.patch
deleted file mode 100644
index 4275d798831..00000000000
--- a/queue-5.18/x86-sev-avoid-using-__x86_return_thunk.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 6557a4fb5d40b4c562801bb163745fe56bdde1bd Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 14 Jun 2022 23:15:44 +0200
-Subject: x86/sev: Avoid using __x86_return_thunk
-
-From: Kim Phillips
-
-[ Upstream commit 0ee9073000e8791f8b134a8ded31bcc767f7f232 ]
-
-Specifically, it's because __enc_copy() encrypts the kernel after
-being relocated outside the kernel in sme_encrypt_execute(), and the
-RET macro's jmp offset isn't amended prior to execution.
-
-Signed-off-by: Kim Phillips
-Signed-off-by: Peter Zijlstra (Intel)
-Signed-off-by: Borislav Petkov
-Reviewed-by: Josh Poimboeuf
-Signed-off-by: Borislav Petkov
-Signed-off-by: Sasha Levin
----
- arch/x86/mm/mem_encrypt_boot.S | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/mm/mem_encrypt_boot.S b/arch/x86/mm/mem_encrypt_boot.S
-index 3d1dba05fce4..d94dea450fa6 100644
---- a/arch/x86/mm/mem_encrypt_boot.S
-+++ b/arch/x86/mm/mem_encrypt_boot.S
-@@ -65,7 +65,9 @@ SYM_FUNC_START(sme_encrypt_execute)
- movq %rbp, %rsp /* Restore original stack pointer */
- pop %rbp
-
-- RET
-+ /* Offset to __x86_return_thunk would be wrong here */
-+ ret
-+ int3
- SYM_FUNC_END(sme_encrypt_execute)
-
- SYM_FUNC_START(__enc_copy)
-@@ -151,6 +153,8 @@ SYM_FUNC_START(__enc_copy)
- pop %r12
- pop %r15
-
-- RET
-+ /* Offset to __x86_return_thunk would be wrong here */
-+ ret
-+ int3
- .L__enc_copy_end:
- SYM_FUNC_END(__enc_copy)
---
-2.35.1
-