From: Greg Kroah-Hartman Date: Mon, 12 Mar 2018 16:34:07 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.14.27~37 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e3526d0b8f924549a0965eecc67b391751b16768;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: dt-bindings-document-mti-mips-cpc-binding.patch mips-cpc-map-registers-using-dt-in-mips_cpc_default_phys_base.patch nospec-include-asm-barrier.h-dependency.patch nospec-kill-array_index_nospec_mask_check.patch revert-x86-retpoline-simplify-vmexit_fill_rsb.patch x86-64-realmode-add-instruction-suffix.patch x86-asm-improve-how-gen_-_suffixed_rmwcc-specify-clobbers.patch x86-entry-64-use-xorl-for-faster-register-clearing.patch x86-entry-reduce-the-code-footprint-of-the-idtentry-macro.patch x86-ldt-avoid-warning-in-32-bit-builds-with-older-gcc.patch x86-mm-remove-stale-comment-about-kmemcheck.patch x86-retpoline-support-retpoline-builds-with-clang.patch x86-speculation-objtool-annotate-indirect-calls-jumps-for-objtool.patch x86-speculation-use-ibrs-if-available-before-calling-into-firmware.patch --- diff --git a/queue-4.14/dt-bindings-document-mti-mips-cpc-binding.patch b/queue-4.14/dt-bindings-document-mti-mips-cpc-binding.patch new file mode 100644 index 00000000000..6bc9835e2d1 --- /dev/null +++ b/queue-4.14/dt-bindings-document-mti-mips-cpc-binding.patch @@ -0,0 +1,47 @@ +From aece34cd576c7625181b0488a8129c1e165355f7 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 19 Jan 2018 16:40:48 +0100 +Subject: dt-bindings: Document mti,mips-cpc binding + +From: Paul Burton + +commit aece34cd576c7625181b0488a8129c1e165355f7 upstream. + +Document a binding for the MIPS Cluster Power Controller (CPC) that +allows the device tree to specify where the CPC registers are located. + +Signed-off-by: Paul Burton +Signed-off-by: Aleksandar Markovic +Reviewed-by: Rob Herring +Cc: linux-mips@linux-mips.org +Cc: devicetree@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/18512/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/power/mti,mips-cpc.txt | 8 ++++++++ + MAINTAINERS | 1 + + 2 files changed, 9 insertions(+) + +--- /dev/null ++++ b/Documentation/devicetree/bindings/power/mti,mips-cpc.txt +@@ -0,0 +1,8 @@ ++Binding for MIPS Cluster Power Controller (CPC). ++ ++This binding allows a system to specify where the CPC registers are ++located. ++ ++Required properties: ++compatible : Should be "mti,mips-cpc". ++regs: Should describe the address & size of the CPC register region. +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -9001,6 +9001,7 @@ MIPS GENERIC PLATFORM + M: Paul Burton + L: linux-mips@linux-mips.org + S: Supported ++F: Documentation/devicetree/bindings/power/mti,mips-cpc.txt + F: arch/mips/generic/ + F: arch/mips/tools/generic-board-config.sh + diff --git a/queue-4.14/mips-cpc-map-registers-using-dt-in-mips_cpc_default_phys_base.patch b/queue-4.14/mips-cpc-map-registers-using-dt-in-mips_cpc_default_phys_base.patch new file mode 100644 index 00000000000..1c5ba809f81 --- /dev/null +++ b/queue-4.14/mips-cpc-map-registers-using-dt-in-mips_cpc_default_phys_base.patch @@ -0,0 +1,59 @@ +From 791412dafbbfd860e78983d45cf71db603a82f67 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 19 Jan 2018 16:40:49 +0100 +Subject: MIPS: CPC: Map registers using DT in mips_cpc_default_phys_base() + +From: Paul Burton + +commit 791412dafbbfd860e78983d45cf71db603a82f67 upstream. 
+ +Reading mips_cpc_base value from the DT allows each platform to +define it according to its needs. This is especially convenient +for MIPS_GENERIC kernel where this kind of information should be +determined in runtime. + +Use mti,mips-cpc compatible string with just a reg property to +specify the register location for your platform. + +Signed-off-by: Paul Burton +Signed-off-by: Miodrag Dinic +Signed-off-by: Aleksandar Markovic +Cc: linux-mips@linux-mips.org +Cc: Ralf Baechle +Patchwork: https://patchwork.linux-mips.org/patch/18513/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/mips-cpc.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/arch/mips/kernel/mips-cpc.c ++++ b/arch/mips/kernel/mips-cpc.c +@@ -10,6 +10,8 @@ + + #include + #include ++#include ++#include + #include + + #include +@@ -22,6 +24,17 @@ static DEFINE_PER_CPU_ALIGNED(unsigned l + + phys_addr_t __weak mips_cpc_default_phys_base(void) + { ++ struct device_node *cpc_node; ++ struct resource res; ++ int err; ++ ++ cpc_node = of_find_compatible_node(of_root, NULL, "mti,mips-cpc"); ++ if (cpc_node) { ++ err = of_address_to_resource(cpc_node, 0, &res); ++ if (!err) ++ return res.start; ++ } ++ + return 0; + } + diff --git a/queue-4.14/nospec-include-asm-barrier.h-dependency.patch b/queue-4.14/nospec-include-asm-barrier.h-dependency.patch new file mode 100644 index 00000000000..115c5b30b71 --- /dev/null +++ b/queue-4.14/nospec-include-asm-barrier.h-dependency.patch @@ -0,0 +1,49 @@ +From eb6174f6d1be16b19cfa43dac296bfed003ce1a6 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Fri, 16 Feb 2018 13:20:54 -0800 +Subject: nospec: Include dependency + +From: Dan Williams + +commit eb6174f6d1be16b19cfa43dac296bfed003ce1a6 upstream. + +The nospec.h header expects the per-architecture header file + to optionally define array_index_mask_nospec(). Include +that dependency to prevent inadvertent fallback to the default +array_index_mask_nospec() implementation. + +The default implementation may not provide a full mitigation +on architectures that perform data value speculation. + +Reported-by: Christian Borntraeger +Signed-off-by: Dan Williams +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: linux-arch@vger.kernel.org +Link: http://lkml.kernel.org/r/151881605404.17395.1341935530792574707.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/nospec.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/nospec.h ++++ b/include/linux/nospec.h +@@ -5,6 +5,7 @@ + + #ifndef _LINUX_NOSPEC_H + #define _LINUX_NOSPEC_H ++#include + + /** + * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise diff --git a/queue-4.14/nospec-kill-array_index_nospec_mask_check.patch b/queue-4.14/nospec-kill-array_index_nospec_mask_check.patch new file mode 100644 index 00000000000..18bedfdd7e1 --- /dev/null +++ b/queue-4.14/nospec-kill-array_index_nospec_mask_check.patch @@ -0,0 +1,83 @@ +From 1d91c1d2c80cb70e2e553845e278b87a960c04da Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Fri, 16 Feb 2018 13:20:42 -0800 +Subject: nospec: Kill array_index_nospec_mask_check() + +From: Dan Williams + +commit 1d91c1d2c80cb70e2e553845e278b87a960c04da upstream. 
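
For reference, the pattern array_index_nospec() is intended for is a bounds
check followed by sanitization of the index that feeds the dependent load.
A minimal sketch in C, with illustrative names that are not taken from this
patch:

  #include <linux/nospec.h>

  /* 'table' and 'nents' are hypothetical; any indexed lookup fits. */
  static int read_table_entry(const int *table, unsigned long index,
                              unsigned long nents)
  {
          int val = 0;

          if (index < nents) {
                  /*
                   * Clamp 'index' under speculation: if the bounds
                   * check above is mispredicted, array_index_nospec()
                   * forces the index to 0 so no out-of-bounds value
                   * reaches the dependent load below.
                   */
                  index = array_index_nospec(index, nents);
                  val = table[index];
          }

          return val;
  }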
+ +There are multiple problems with the dynamic sanity checking in +array_index_nospec_mask_check(): + +* It causes unnecessary overhead in the 32-bit case since integer sized + @index values will no longer cause the check to be compiled away like + in the 64-bit case. + +* In the 32-bit case it may trigger with user controllable input when + the expectation is that should only trigger during development of new + kernel enabling. + +* The macro reuses the input parameter in multiple locations which is + broken if someone passes an expression like 'index++' to + array_index_nospec(). + +Reported-by: Linus Torvalds +Signed-off-by: Dan Williams +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: linux-arch@vger.kernel.org +Link: http://lkml.kernel.org/r/151881604278.17395.6605847763178076520.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/nospec.h | 22 +--------------------- + 1 file changed, 1 insertion(+), 21 deletions(-) + +--- a/include/linux/nospec.h ++++ b/include/linux/nospec.h +@@ -30,26 +30,6 @@ static inline unsigned long array_index_ + #endif + + /* +- * Warn developers about inappropriate array_index_nospec() usage. +- * +- * Even if the CPU speculates past the WARN_ONCE branch, the +- * sign bit of @index is taken into account when generating the +- * mask. +- * +- * This warning is compiled out when the compiler can infer that +- * @index and @size are less than LONG_MAX. +- */ +-#define array_index_mask_nospec_check(index, size) \ +-({ \ +- if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX, \ +- "array_index_nospec() limited to range of [0, LONG_MAX]\n")) \ +- _mask = 0; \ +- else \ +- _mask = array_index_mask_nospec(index, size); \ +- _mask; \ +-}) +- +-/* + * array_index_nospec - sanitize an array index after a bounds check + * + * For a code sequence like: +@@ -67,7 +47,7 @@ static inline unsigned long array_index_ + ({ \ + typeof(index) _i = (index); \ + typeof(size) _s = (size); \ +- unsigned long _mask = array_index_mask_nospec_check(_i, _s); \ ++ unsigned long _mask = array_index_mask_nospec(_i, _s); \ + \ + BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \ + BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \ diff --git a/queue-4.14/revert-x86-retpoline-simplify-vmexit_fill_rsb.patch b/queue-4.14/revert-x86-retpoline-simplify-vmexit_fill_rsb.patch new file mode 100644 index 00000000000..d256fcb00a9 --- /dev/null +++ b/queue-4.14/revert-x86-retpoline-simplify-vmexit_fill_rsb.patch @@ -0,0 +1,251 @@ +From d1c99108af3c5992640aa2afa7d2e88c3775c06e Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Mon, 19 Feb 2018 10:50:56 +0000 +Subject: Revert "x86/retpoline: Simplify vmexit_fill_RSB()" + +From: David Woodhouse + +commit d1c99108af3c5992640aa2afa7d2e88c3775c06e upstream. + +This reverts commit 1dde7415e99933bb7293d6b2843752cbdb43ec11. By putting +the RSB filling out of line and calling it, we waste one RSB slot for +returning from the function itself, which means one fewer actual function +call we can make if we're doing the Skylake abomination of call-depth +counting. + +It also changed the number of RSB stuffings we do on vmexit from 32, +which was correct, to 16. Let's just stop with the bikeshedding; it +didn't actually *fix* anything anyway. 
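
For context, vmexit_fill_RSB() is called from the KVM vmx/svm run loops
right after control returns from the guest. A simplified sketch of such a
call site (the wrapper function below is hypothetical, not the actual
vmx.c/svm.c code):

  #include <asm/nospec-branch.h>

  static void after_guest_exit(void)
  {
          /*
           * Overwrite all RSB entries so that host 'ret' speculation
           * cannot consume return targets the guest planted before
           * the VM exit.  With this revert the stuffing loop is again
           * emitted inline here instead of via a call to __fill_rsb().
           */
          vmexit_fill_RSB();
  }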
+ +Signed-off-by: David Woodhouse +Acked-by: Thomas Gleixner +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: arjan.van.de.ven@intel.com +Cc: bp@alien8.de +Cc: dave.hansen@intel.com +Cc: jmattson@google.com +Cc: karahmed@amazon.de +Cc: kvm@vger.kernel.org +Cc: pbonzini@redhat.com +Cc: rkrcmar@redhat.com +Link: http://lkml.kernel.org/r/1519037457-7643-4-git-send-email-dwmw@amazon.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/entry_32.S | 3 - + arch/x86/entry/entry_64.S | 3 - + arch/x86/include/asm/asm-prototypes.h | 3 - + arch/x86/include/asm/nospec-branch.h | 70 ++++++++++++++++++++++++++++++---- + arch/x86/lib/Makefile | 1 + arch/x86/lib/retpoline.S | 56 --------------------------- + 6 files changed, 65 insertions(+), 71 deletions(-) + +--- a/arch/x86/entry/entry_32.S ++++ b/arch/x86/entry/entry_32.S +@@ -252,8 +252,7 @@ ENTRY(__switch_to_asm) + * exist, overwrite the RSB with entries which capture + * speculative execution to prevent attack. + */ +- /* Clobbers %ebx */ +- FILL_RETURN_BUFFER RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW ++ FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW + #endif + + /* restore callee-saved registers */ +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -360,8 +360,7 @@ ENTRY(__switch_to_asm) + * exist, overwrite the RSB with entries which capture + * speculative execution to prevent attack. + */ +- /* Clobbers %rbx */ +- FILL_RETURN_BUFFER RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW ++ FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW + #endif + + /* restore callee-saved registers */ +--- a/arch/x86/include/asm/asm-prototypes.h ++++ b/arch/x86/include/asm/asm-prototypes.h +@@ -38,7 +38,4 @@ INDIRECT_THUNK(dx) + INDIRECT_THUNK(si) + INDIRECT_THUNK(di) + INDIRECT_THUNK(bp) +-asmlinkage void __fill_rsb(void); +-asmlinkage void __clear_rsb(void); +- + #endif /* CONFIG_RETPOLINE */ +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -8,6 +8,50 @@ + #include + #include + ++/* ++ * Fill the CPU return stack buffer. ++ * ++ * Each entry in the RSB, if used for a speculative 'ret', contains an ++ * infinite 'pause; lfence; jmp' loop to capture speculative execution. ++ * ++ * This is required in various cases for retpoline and IBRS-based ++ * mitigations for the Spectre variant 2 vulnerability. Sometimes to ++ * eliminate potentially bogus entries from the RSB, and sometimes ++ * purely to ensure that it doesn't get empty, which on some CPUs would ++ * allow predictions from other (unwanted!) sources to be used. ++ * ++ * We define a CPP macro such that it can be used from both .S files and ++ * inline assembly. It's possible to do a .macro and then include that ++ * from C via asm(".include ") but let's not go there. ++ */ ++ ++#define RSB_CLEAR_LOOPS 32 /* To forcibly overwrite all entries */ ++#define RSB_FILL_LOOPS 16 /* To avoid underflow */ ++ ++/* ++ * Google experimented with loop-unrolling and this turned out to be ++ * the optimal version — two calls, each with their own speculation ++ * trap should their return address end up getting used, in a loop. 
++ */ ++#define __FILL_RETURN_BUFFER(reg, nr, sp) \ ++ mov $(nr/2), reg; \ ++771: \ ++ call 772f; \ ++773: /* speculation trap */ \ ++ pause; \ ++ lfence; \ ++ jmp 773b; \ ++772: \ ++ call 774f; \ ++775: /* speculation trap */ \ ++ pause; \ ++ lfence; \ ++ jmp 775b; \ ++774: \ ++ dec reg; \ ++ jnz 771b; \ ++ add $(BITS_PER_LONG/8) * nr, sp; ++ + #ifdef __ASSEMBLY__ + + /* +@@ -78,10 +122,17 @@ + #endif + .endm + +-/* This clobbers the BX register */ +-.macro FILL_RETURN_BUFFER nr:req ftr:req ++ /* ++ * A simpler FILL_RETURN_BUFFER macro. Don't make people use the CPP ++ * monstrosity above, manually. ++ */ ++.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req + #ifdef CONFIG_RETPOLINE +- ALTERNATIVE "", "call __clear_rsb", \ftr ++ ANNOTATE_NOSPEC_ALTERNATIVE ++ ALTERNATIVE "jmp .Lskip_rsb_\@", \ ++ __stringify(__FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)) \ ++ \ftr ++.Lskip_rsb_\@: + #endif + .endm + +@@ -156,10 +207,15 @@ extern char __indirect_thunk_end[]; + static inline void vmexit_fill_RSB(void) + { + #ifdef CONFIG_RETPOLINE +- alternative_input("", +- "call __fill_rsb", +- X86_FEATURE_RETPOLINE, +- ASM_NO_INPUT_CLOBBER(_ASM_BX, "memory")); ++ unsigned long loops; ++ ++ asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE ++ ALTERNATIVE("jmp 910f", ++ __stringify(__FILL_RETURN_BUFFER(%0, RSB_CLEAR_LOOPS, %1)), ++ X86_FEATURE_RETPOLINE) ++ "910:" ++ : "=r" (loops), ASM_CALL_CONSTRAINT ++ : : "memory" ); + #endif + } + +--- a/arch/x86/lib/Makefile ++++ b/arch/x86/lib/Makefile +@@ -27,7 +27,6 @@ lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += + lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o + lib-$(CONFIG_RANDOMIZE_BASE) += kaslr.o + lib-$(CONFIG_RETPOLINE) += retpoline.o +-OBJECT_FILES_NON_STANDARD_retpoline.o :=y + + obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o + +--- a/arch/x86/lib/retpoline.S ++++ b/arch/x86/lib/retpoline.S +@@ -7,7 +7,6 @@ + #include + #include + #include +-#include + + .macro THUNK reg + .section .text.__x86.indirect_thunk +@@ -47,58 +46,3 @@ GENERATE_THUNK(r13) + GENERATE_THUNK(r14) + GENERATE_THUNK(r15) + #endif +- +-/* +- * Fill the CPU return stack buffer. +- * +- * Each entry in the RSB, if used for a speculative 'ret', contains an +- * infinite 'pause; lfence; jmp' loop to capture speculative execution. +- * +- * This is required in various cases for retpoline and IBRS-based +- * mitigations for the Spectre variant 2 vulnerability. Sometimes to +- * eliminate potentially bogus entries from the RSB, and sometimes +- * purely to ensure that it doesn't get empty, which on some CPUs would +- * allow predictions from other (unwanted!) sources to be used. +- * +- * Google experimented with loop-unrolling and this turned out to be +- * the optimal version - two calls, each with their own speculation +- * trap should their return address end up getting used, in a loop. 
+- */ +-.macro STUFF_RSB nr:req sp:req +- mov $(\nr / 2), %_ASM_BX +- .align 16 +-771: +- call 772f +-773: /* speculation trap */ +- pause +- lfence +- jmp 773b +- .align 16 +-772: +- call 774f +-775: /* speculation trap */ +- pause +- lfence +- jmp 775b +- .align 16 +-774: +- dec %_ASM_BX +- jnz 771b +- add $((BITS_PER_LONG/8) * \nr), \sp +-.endm +- +-#define RSB_FILL_LOOPS 16 /* To avoid underflow */ +- +-ENTRY(__fill_rsb) +- STUFF_RSB RSB_FILL_LOOPS, %_ASM_SP +- ret +-END(__fill_rsb) +-EXPORT_SYMBOL_GPL(__fill_rsb) +- +-#define RSB_CLEAR_LOOPS 32 /* To forcibly overwrite all entries */ +- +-ENTRY(__clear_rsb) +- STUFF_RSB RSB_CLEAR_LOOPS, %_ASM_SP +- ret +-END(__clear_rsb) +-EXPORT_SYMBOL_GPL(__clear_rsb) diff --git a/queue-4.14/series b/queue-4.14/series index 7cf0c58867f..bdb35b84038 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -66,3 +66,17 @@ alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch scsi-qla2xxx-fix-null-pointer-crash-due-to-probe-failure.patch scsi-qla2xxx-fix-recursion-while-sending-terminate-exchange.patch +dt-bindings-document-mti-mips-cpc-binding.patch +mips-cpc-map-registers-using-dt-in-mips_cpc_default_phys_base.patch +nospec-kill-array_index_nospec_mask_check.patch +nospec-include-asm-barrier.h-dependency.patch +x86-entry-reduce-the-code-footprint-of-the-idtentry-macro.patch +x86-entry-64-use-xorl-for-faster-register-clearing.patch +x86-mm-remove-stale-comment-about-kmemcheck.patch +x86-asm-improve-how-gen_-_suffixed_rmwcc-specify-clobbers.patch +x86-ldt-avoid-warning-in-32-bit-builds-with-older-gcc.patch +x86-64-realmode-add-instruction-suffix.patch +revert-x86-retpoline-simplify-vmexit_fill_rsb.patch +x86-speculation-use-ibrs-if-available-before-calling-into-firmware.patch +x86-retpoline-support-retpoline-builds-with-clang.patch +x86-speculation-objtool-annotate-indirect-calls-jumps-for-objtool.patch diff --git a/queue-4.14/x86-64-realmode-add-instruction-suffix.patch b/queue-4.14/x86-64-realmode-add-instruction-suffix.patch new file mode 100644 index 00000000000..4e5749bf588 --- /dev/null +++ b/queue-4.14/x86-64-realmode-add-instruction-suffix.patch @@ -0,0 +1,43 @@ +From 8554004a0231dedf44d4d62147fb3d6a6db489aa Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 19 Feb 2018 08:06:14 -0700 +Subject: x86-64/realmode: Add instruction suffix + +From: Jan Beulich + +commit 8554004a0231dedf44d4d62147fb3d6a6db489aa upstream. + +Omitting suffixes from instructions in AT&T mode is bad practice when +operand size cannot be determined by the assembler from register +operands, and is likely going to be warned about by upstream GAS in the +future (mine does already). Add the single missing suffix here. + +Signed-off-by: Jan Beulich +Acked-by: Thomas Gleixner +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/5A8AF5F602000078001A9230@prv-mh.provo.novell.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/realmode/rm/trampoline_64.S ++++ b/arch/x86/realmode/rm/trampoline_64.S +@@ -102,7 +102,7 @@ ENTRY(startup_32) + * don't we'll eventually crash trying to execute encrypted + * instructions. 
+ */ +- bt $TH_FLAGS_SME_ACTIVE_BIT, pa_tr_flags ++ btl $TH_FLAGS_SME_ACTIVE_BIT, pa_tr_flags + jnc .Ldone + movl $MSR_K8_SYSCFG, %ecx + rdmsr diff --git a/queue-4.14/x86-asm-improve-how-gen_-_suffixed_rmwcc-specify-clobbers.patch b/queue-4.14/x86-asm-improve-how-gen_-_suffixed_rmwcc-specify-clobbers.patch new file mode 100644 index 00000000000..3e6ce208945 --- /dev/null +++ b/queue-4.14/x86-asm-improve-how-gen_-_suffixed_rmwcc-specify-clobbers.patch @@ -0,0 +1,102 @@ +From 700b7c5409c3e9da279fbea78cf28a78fbc176cd Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 19 Feb 2018 07:49:12 -0700 +Subject: x86/asm: Improve how GEN_*_SUFFIXED_RMWcc() specify clobbers + +From: Jan Beulich + +commit 700b7c5409c3e9da279fbea78cf28a78fbc176cd upstream. + +Commit: + + df3405245a ("x86/asm: Add suffix macro for GEN_*_RMWcc()") + +... introduced "suffix" RMWcc operations, adding bogus clobber specifiers: +For one, on x86 there's no point explicitly clobbering "cc". + +In fact, with GCC properly fixed, this results in an overlap being detected by +the compiler between outputs and clobbers. + +Furthermore it seems bad practice to me to have clobber specification +and use of the clobbered register(s) disconnected - it should rather be +at the invocation place of that GEN_{UN,BIN}ARY_SUFFIXED_RMWcc() macros +that the clobber is specified which this particular invocation needs. + +Drop the "cc" clobber altogether and move the "cx" one to refcount.h. + +Signed-off-by: Jan Beulich +Acked-by: Thomas Gleixner +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Kees Cook +Cc: Linus Torvalds +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/5A8AF1F802000078001A91E1@prv-mh.provo.novell.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/refcount.h | 4 ++-- + arch/x86/include/asm/rmwcc.h | 16 ++++++++-------- + 2 files changed, 10 insertions(+), 10 deletions(-) + +--- a/arch/x86/include/asm/refcount.h ++++ b/arch/x86/include/asm/refcount.h +@@ -67,13 +67,13 @@ static __always_inline __must_check + bool refcount_sub_and_test(unsigned int i, refcount_t *r) + { + GEN_BINARY_SUFFIXED_RMWcc(LOCK_PREFIX "subl", REFCOUNT_CHECK_LT_ZERO, +- r->refs.counter, "er", i, "%0", e); ++ r->refs.counter, "er", i, "%0", e, "cx"); + } + + static __always_inline __must_check bool refcount_dec_and_test(refcount_t *r) + { + GEN_UNARY_SUFFIXED_RMWcc(LOCK_PREFIX "decl", REFCOUNT_CHECK_LT_ZERO, +- r->refs.counter, "%0", e); ++ r->refs.counter, "%0", e, "cx"); + } + + static __always_inline __must_check +--- a/arch/x86/include/asm/rmwcc.h ++++ b/arch/x86/include/asm/rmwcc.h +@@ -2,8 +2,7 @@ + #ifndef _ASM_X86_RMWcc + #define _ASM_X86_RMWcc + +-#define __CLOBBERS_MEM "memory" +-#define __CLOBBERS_MEM_CC_CX "memory", "cc", "cx" ++#define __CLOBBERS_MEM(clb...) 
"memory", ## clb + + #if !defined(__GCC_ASM_FLAG_OUTPUTS__) && defined(CC_HAVE_ASM_GOTO) + +@@ -40,18 +39,19 @@ do { \ + #endif /* defined(__GCC_ASM_FLAG_OUTPUTS__) || !defined(CC_HAVE_ASM_GOTO) */ + + #define GEN_UNARY_RMWcc(op, var, arg0, cc) \ +- __GEN_RMWcc(op " " arg0, var, cc, __CLOBBERS_MEM) ++ __GEN_RMWcc(op " " arg0, var, cc, __CLOBBERS_MEM()) + +-#define GEN_UNARY_SUFFIXED_RMWcc(op, suffix, var, arg0, cc) \ ++#define GEN_UNARY_SUFFIXED_RMWcc(op, suffix, var, arg0, cc, clobbers...)\ + __GEN_RMWcc(op " " arg0 "\n\t" suffix, var, cc, \ +- __CLOBBERS_MEM_CC_CX) ++ __CLOBBERS_MEM(clobbers)) + + #define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \ + __GEN_RMWcc(op __BINARY_RMWcc_ARG arg0, var, cc, \ +- __CLOBBERS_MEM, vcon (val)) ++ __CLOBBERS_MEM(), vcon (val)) + +-#define GEN_BINARY_SUFFIXED_RMWcc(op, suffix, var, vcon, val, arg0, cc) \ ++#define GEN_BINARY_SUFFIXED_RMWcc(op, suffix, var, vcon, val, arg0, cc, \ ++ clobbers...) \ + __GEN_RMWcc(op __BINARY_RMWcc_ARG arg0 "\n\t" suffix, var, cc, \ +- __CLOBBERS_MEM_CC_CX, vcon (val)) ++ __CLOBBERS_MEM(clobbers), vcon (val)) + + #endif /* _ASM_X86_RMWcc */ diff --git a/queue-4.14/x86-entry-64-use-xorl-for-faster-register-clearing.patch b/queue-4.14/x86-entry-64-use-xorl-for-faster-register-clearing.patch new file mode 100644 index 00000000000..af7273c63d2 --- /dev/null +++ b/queue-4.14/x86-entry-64-use-xorl-for-faster-register-clearing.patch @@ -0,0 +1,201 @@ +From ced5d0bf603fa0baee8ea889e1d70971fd210894 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Wed, 14 Feb 2018 18:59:24 +0100 +Subject: x86/entry/64: Use 'xorl' for faster register clearing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dominik Brodowski + +commit ced5d0bf603fa0baee8ea889e1d70971fd210894 upstream. + +On some x86 CPU microarchitectures using 'xorq' to clear general-purpose +registers is slower than 'xorl'. As 'xorl' is sufficient to clear all +64 bits of these registers due to zero-extension [*], switch the x86 +64-bit entry code to use 'xorl'. + +No change in functionality and no change in code size. + +[*] According to Intel 64 and IA-32 Architecture Software Developer's + Manual, section 3.4.1.1, the result of 32-bit operands are "zero- + extended to a 64-bit result in the destination general-purpose + register." The AMD64 Architecture Programmer’s Manual Volume 3, + Appendix B.1, describes the same behaviour. + +Suggested-by: Denys Vlasenko +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180214175924.23065-3-linux@dominikbrodowski.net +[ Improved on the changelog a bit. 
] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 16 +++++------ + arch/x86/entry/entry_64_compat.S | 54 +++++++++++++++++++-------------------- + 2 files changed, 35 insertions(+), 35 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -117,25 +117,25 @@ For 32-bit we have the following convent + pushq %rcx /* pt_regs->cx */ + pushq \rax /* pt_regs->ax */ + pushq %r8 /* pt_regs->r8 */ +- xorq %r8, %r8 /* nospec r8 */ ++ xorl %r8d, %r8d /* nospec r8 */ + pushq %r9 /* pt_regs->r9 */ +- xorq %r9, %r9 /* nospec r9 */ ++ xorl %r9d, %r9d /* nospec r9 */ + pushq %r10 /* pt_regs->r10 */ +- xorq %r10, %r10 /* nospec r10 */ ++ xorl %r10d, %r10d /* nospec r10 */ + pushq %r11 /* pt_regs->r11 */ +- xorq %r11, %r11 /* nospec r11*/ ++ xorl %r11d, %r11d /* nospec r11*/ + pushq %rbx /* pt_regs->rbx */ + xorl %ebx, %ebx /* nospec rbx*/ + pushq %rbp /* pt_regs->rbp */ + xorl %ebp, %ebp /* nospec rbp*/ + pushq %r12 /* pt_regs->r12 */ +- xorq %r12, %r12 /* nospec r12*/ ++ xorl %r12d, %r12d /* nospec r12*/ + pushq %r13 /* pt_regs->r13 */ +- xorq %r13, %r13 /* nospec r13*/ ++ xorl %r13d, %r13d /* nospec r13*/ + pushq %r14 /* pt_regs->r14 */ +- xorq %r14, %r14 /* nospec r14*/ ++ xorl %r14d, %r14d /* nospec r14*/ + pushq %r15 /* pt_regs->r15 */ +- xorq %r15, %r15 /* nospec r15*/ ++ xorl %r15d, %r15d /* nospec r15*/ + UNWIND_HINT_REGS + .if \save_ret + pushq %rsi /* return address on top of stack */ +--- a/arch/x86/entry/entry_64_compat.S ++++ b/arch/x86/entry/entry_64_compat.S +@@ -85,25 +85,25 @@ ENTRY(entry_SYSENTER_compat) + pushq %rcx /* pt_regs->cx */ + pushq $-ENOSYS /* pt_regs->ax */ + pushq $0 /* pt_regs->r8 = 0 */ +- xorq %r8, %r8 /* nospec r8 */ ++ xorl %r8d, %r8d /* nospec r8 */ + pushq $0 /* pt_regs->r9 = 0 */ +- xorq %r9, %r9 /* nospec r9 */ ++ xorl %r9d, %r9d /* nospec r9 */ + pushq $0 /* pt_regs->r10 = 0 */ +- xorq %r10, %r10 /* nospec r10 */ ++ xorl %r10d, %r10d /* nospec r10 */ + pushq $0 /* pt_regs->r11 = 0 */ +- xorq %r11, %r11 /* nospec r11 */ ++ xorl %r11d, %r11d /* nospec r11 */ + pushq %rbx /* pt_regs->rbx */ + xorl %ebx, %ebx /* nospec rbx */ + pushq %rbp /* pt_regs->rbp (will be overwritten) */ + xorl %ebp, %ebp /* nospec rbp */ + pushq $0 /* pt_regs->r12 = 0 */ +- xorq %r12, %r12 /* nospec r12 */ ++ xorl %r12d, %r12d /* nospec r12 */ + pushq $0 /* pt_regs->r13 = 0 */ +- xorq %r13, %r13 /* nospec r13 */ ++ xorl %r13d, %r13d /* nospec r13 */ + pushq $0 /* pt_regs->r14 = 0 */ +- xorq %r14, %r14 /* nospec r14 */ ++ xorl %r14d, %r14d /* nospec r14 */ + pushq $0 /* pt_regs->r15 = 0 */ +- xorq %r15, %r15 /* nospec r15 */ ++ xorl %r15d, %r15d /* nospec r15 */ + cld + + /* +@@ -224,25 +224,25 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram + pushq %rbp /* pt_regs->cx (stashed in bp) */ + pushq $-ENOSYS /* pt_regs->ax */ + pushq $0 /* pt_regs->r8 = 0 */ +- xorq %r8, %r8 /* nospec r8 */ ++ xorl %r8d, %r8d /* nospec r8 */ + pushq $0 /* pt_regs->r9 = 0 */ +- xorq %r9, %r9 /* nospec r9 */ ++ xorl %r9d, %r9d /* nospec r9 */ + pushq $0 /* pt_regs->r10 = 0 */ +- xorq %r10, %r10 /* nospec r10 */ ++ xorl %r10d, %r10d /* nospec r10 */ + pushq $0 /* pt_regs->r11 = 0 */ +- xorq %r11, %r11 /* nospec r11 */ ++ xorl %r11d, %r11d /* nospec r11 */ + pushq %rbx /* pt_regs->rbx */ + xorl %ebx, %ebx /* nospec rbx */ + pushq %rbp /* pt_regs->rbp (will be overwritten) */ + xorl %ebp, %ebp /* nospec rbp */ + pushq $0 /* pt_regs->r12 = 0 */ +- xorq %r12, %r12 /* nospec r12 */ ++ xorl %r12d, %r12d /* nospec r12 */ + pushq $0 /* pt_regs->r13 = 0 
*/ +- xorq %r13, %r13 /* nospec r13 */ ++ xorl %r13d, %r13d /* nospec r13 */ + pushq $0 /* pt_regs->r14 = 0 */ +- xorq %r14, %r14 /* nospec r14 */ ++ xorl %r14d, %r14d /* nospec r14 */ + pushq $0 /* pt_regs->r15 = 0 */ +- xorq %r15, %r15 /* nospec r15 */ ++ xorl %r15d, %r15d /* nospec r15 */ + + /* + * User mode is traced as though IRQs are on, and SYSENTER +@@ -298,9 +298,9 @@ sysret32_from_system_call: + */ + SWITCH_TO_USER_CR3_NOSTACK scratch_reg=%r8 scratch_reg2=%r9 + +- xorq %r8, %r8 +- xorq %r9, %r9 +- xorq %r10, %r10 ++ xorl %r8d, %r8d ++ xorl %r9d, %r9d ++ xorl %r10d, %r10d + swapgs + sysretl + END(entry_SYSCALL_compat) +@@ -358,25 +358,25 @@ ENTRY(entry_INT80_compat) + pushq %rcx /* pt_regs->cx */ + pushq $-ENOSYS /* pt_regs->ax */ + pushq $0 /* pt_regs->r8 = 0 */ +- xorq %r8, %r8 /* nospec r8 */ ++ xorl %r8d, %r8d /* nospec r8 */ + pushq $0 /* pt_regs->r9 = 0 */ +- xorq %r9, %r9 /* nospec r9 */ ++ xorl %r9d, %r9d /* nospec r9 */ + pushq $0 /* pt_regs->r10 = 0 */ +- xorq %r10, %r10 /* nospec r10 */ ++ xorl %r10d, %r10d /* nospec r10 */ + pushq $0 /* pt_regs->r11 = 0 */ +- xorq %r11, %r11 /* nospec r11 */ ++ xorl %r11d, %r11d /* nospec r11 */ + pushq %rbx /* pt_regs->rbx */ + xorl %ebx, %ebx /* nospec rbx */ + pushq %rbp /* pt_regs->rbp */ + xorl %ebp, %ebp /* nospec rbp */ + pushq %r12 /* pt_regs->r12 */ +- xorq %r12, %r12 /* nospec r12 */ ++ xorl %r12d, %r12d /* nospec r12 */ + pushq %r13 /* pt_regs->r13 */ +- xorq %r13, %r13 /* nospec r13 */ ++ xorl %r13d, %r13d /* nospec r13 */ + pushq %r14 /* pt_regs->r14 */ +- xorq %r14, %r14 /* nospec r14 */ ++ xorl %r14d, %r14d /* nospec r14 */ + pushq %r15 /* pt_regs->r15 */ +- xorq %r15, %r15 /* nospec r15 */ ++ xorl %r15d, %r15d /* nospec r15 */ + cld + + /* diff --git a/queue-4.14/x86-entry-reduce-the-code-footprint-of-the-idtentry-macro.patch b/queue-4.14/x86-entry-reduce-the-code-footprint-of-the-idtentry-macro.patch new file mode 100644 index 00000000000..0a007b380ea --- /dev/null +++ b/queue-4.14/x86-entry-reduce-the-code-footprint-of-the-idtentry-macro.patch @@ -0,0 +1,138 @@ +From 9e809d15d6b692fa061d74be7aaab1c79f6784b8 Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Wed, 14 Feb 2018 18:59:23 +0100 +Subject: x86/entry: Reduce the code footprint of the 'idtentry' macro + +From: Dominik Brodowski + +commit 9e809d15d6b692fa061d74be7aaab1c79f6784b8 upstream. + +Play a little trick in the generic PUSH_AND_CLEAR_REGS macro +to insert the GP registers "above" the original return address. + +This allows us to (re-)insert the macro in error_entry() and +paranoid_entry() and to remove it from the idtentry macro. This +reduces the static footprint significantly: + + text data bss dec hex filename + 24307 0 0 24307 5ef3 entry_64.o-orig + 20987 0 0 20987 51fb entry_64.o + +Co-developed-by: Linus Torvalds +Signed-off-by: Dominik Brodowski +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180214175924.23065-2-linux@dominikbrodowski.net +[ Small tweaks to comments. 
] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/calling.h | 11 ++++++++++- + arch/x86/entry/entry_64.S | 18 ++++++++---------- + 2 files changed, 18 insertions(+), 11 deletions(-) + +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -97,7 +97,7 @@ For 32-bit we have the following convent + + #define SIZEOF_PTREGS 21*8 + +-.macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax ++.macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax save_ret=0 + /* + * Push registers and sanitize registers of values that a + * speculation attack might otherwise want to exploit. The +@@ -105,8 +105,14 @@ For 32-bit we have the following convent + * could be put to use in a speculative execution gadget. + * Interleave XOR with PUSH for better uop scheduling: + */ ++ .if \save_ret ++ pushq %rsi /* pt_regs->si */ ++ movq 8(%rsp), %rsi /* temporarily store the return address in %rsi */ ++ movq %rdi, 8(%rsp) /* pt_regs->di (overwriting original return address) */ ++ .else + pushq %rdi /* pt_regs->di */ + pushq %rsi /* pt_regs->si */ ++ .endif + pushq \rdx /* pt_regs->dx */ + pushq %rcx /* pt_regs->cx */ + pushq \rax /* pt_regs->ax */ +@@ -131,6 +137,9 @@ For 32-bit we have the following convent + pushq %r15 /* pt_regs->r15 */ + xorq %r15, %r15 /* nospec r15*/ + UNWIND_HINT_REGS ++ .if \save_ret ++ pushq %rsi /* return address on top of stack */ ++ .endif + .endm + + .macro POP_REGS pop_rdi=1 skip_r11rcx=0 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -867,12 +867,8 @@ ENTRY(\sym) + pushq $-1 /* ORIG_RAX: no syscall to restart */ + .endif + +- /* Save all registers in pt_regs */ +- PUSH_AND_CLEAR_REGS +- ENCODE_FRAME_POINTER +- + .if \paranoid < 2 +- testb $3, CS(%rsp) /* If coming from userspace, switch stacks */ ++ testb $3, CS-ORIG_RAX(%rsp) /* If coming from userspace, switch stacks */ + jnz .Lfrom_usermode_switch_stack_\@ + .endif + +@@ -1117,13 +1113,15 @@ idtentry machine_check do_mce has_err + #endif + + /* +- * Switch gs if needed. ++ * Save all registers in pt_regs, and switch gs if needed. + * Use slow, but surefire "are we in kernel?" check. + * Return: ebx=0: need swapgs on exit, ebx=1: otherwise + */ + ENTRY(paranoid_entry) + UNWIND_HINT_FUNC + cld ++ PUSH_AND_CLEAR_REGS save_ret=1 ++ ENCODE_FRAME_POINTER 8 + movl $1, %ebx + movl $MSR_GS_BASE, %ecx + rdmsr +@@ -1168,12 +1166,14 @@ ENTRY(paranoid_exit) + END(paranoid_exit) + + /* +- * Switch gs if needed. ++ * Save all registers in pt_regs, and switch GS if needed. + * Return: EBX=0: came from user mode; EBX=1: otherwise + */ + ENTRY(error_entry) +- UNWIND_HINT_REGS offset=8 ++ UNWIND_HINT_FUNC + cld ++ PUSH_AND_CLEAR_REGS save_ret=1 ++ ENCODE_FRAME_POINTER 8 + testb $3, CS+8(%rsp) + jz .Lerror_kernelspace + +@@ -1564,8 +1564,6 @@ end_repeat_nmi: + * frame to point back to repeat_nmi. 
+ */ + pushq $-1 /* ORIG_RAX: no syscall to restart */ +- PUSH_AND_CLEAR_REGS +- ENCODE_FRAME_POINTER + + /* + * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit diff --git a/queue-4.14/x86-ldt-avoid-warning-in-32-bit-builds-with-older-gcc.patch b/queue-4.14/x86-ldt-avoid-warning-in-32-bit-builds-with-older-gcc.patch new file mode 100644 index 00000000000..1ab4209d299 --- /dev/null +++ b/queue-4.14/x86-ldt-avoid-warning-in-32-bit-builds-with-older-gcc.patch @@ -0,0 +1,40 @@ +From f2f18b16c779978ece4a04f304a92ff9ac8fbce5 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 19 Feb 2018 07:52:10 -0700 +Subject: x86/LDT: Avoid warning in 32-bit builds with older gcc + +From: Jan Beulich + +commit f2f18b16c779978ece4a04f304a92ff9ac8fbce5 upstream. + +BUG() doesn't always imply "no return", and hence should be followed by +a return statement even if that's obviously (to a human) unreachable. + +Signed-off-by: Jan Beulich +Acked-by: Thomas Gleixner +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/5A8AF2AA02000078001A91E9@prv-mh.provo.novell.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/mmu_context.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -74,6 +74,7 @@ static inline void *ldt_slot_va(int slot + return (void *)(LDT_BASE_ADDR + LDT_SLOT_STRIDE * slot); + #else + BUG(); ++ return (void *)fix_to_virt(FIX_HOLE); + #endif + } + diff --git a/queue-4.14/x86-mm-remove-stale-comment-about-kmemcheck.patch b/queue-4.14/x86-mm-remove-stale-comment-about-kmemcheck.patch new file mode 100644 index 00000000000..ad7c810dbbe --- /dev/null +++ b/queue-4.14/x86-mm-remove-stale-comment-about-kmemcheck.patch @@ -0,0 +1,45 @@ +From 3b3a9268bba62b35a29bafe0931715b1725fdf26 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 19 Feb 2018 18:50:39 +0100 +Subject: x86/mm: Remove stale comment about KMEMCHECK + +From: Jann Horn + +commit 3b3a9268bba62b35a29bafe0931715b1725fdf26 upstream. + +This comment referred to a conditional call to kmemcheck_hide() that was +here until commit 4950276672fc ("kmemcheck: remove annotations"). + +Now that kmemcheck has been removed, it doesn't make sense anymore. + +Signed-off-by: Jann Horn +Acked-by: Thomas Gleixner +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180219175039.253089-1-jannh@google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/fault.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -1252,10 +1252,6 @@ __do_page_fault(struct pt_regs *regs, un + tsk = current; + mm = tsk->mm; + +- /* +- * Detect and handle instructions that would cause a page fault for +- * both a tracked kernel page and a userspace page. 
+- */ + prefetchw(&mm->mmap_sem); + + if (unlikely(kmmio_fault(regs, address))) diff --git a/queue-4.14/x86-retpoline-support-retpoline-builds-with-clang.patch b/queue-4.14/x86-retpoline-support-retpoline-builds-with-clang.patch new file mode 100644 index 00000000000..0a417808514 --- /dev/null +++ b/queue-4.14/x86-retpoline-support-retpoline-builds-with-clang.patch @@ -0,0 +1,95 @@ +From 87358710c1fb4f1bf96bbe2349975ff9953fc9b2 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Mon, 19 Feb 2018 10:50:57 +0000 +Subject: x86/retpoline: Support retpoline builds with Clang + +From: David Woodhouse + +commit 87358710c1fb4f1bf96bbe2349975ff9953fc9b2 upstream. + +Signed-off-by: David Woodhouse +Reviewed-by: Thomas Gleixner +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: arjan.van.de.ven@intel.com +Cc: bp@alien8.de +Cc: dave.hansen@intel.com +Cc: jmattson@google.com +Cc: karahmed@amazon.de +Cc: kvm@vger.kernel.org +Cc: pbonzini@redhat.com +Cc: rkrcmar@redhat.com +Link: http://lkml.kernel.org/r/1519037457-7643-5-git-send-email-dwmw@amazon.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/Makefile | 5 ++++- + include/linux/compiler-clang.h | 5 +++++ + include/linux/compiler-gcc.h | 4 ++++ + include/linux/init.h | 8 ++++---- + 4 files changed, 17 insertions(+), 5 deletions(-) + +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -232,7 +232,10 @@ KBUILD_CFLAGS += -fno-asynchronous-unwin + + # Avoid indirect branches in kernel to deal with Spectre + ifdef CONFIG_RETPOLINE +- RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register) ++ RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register ++ RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk ++ ++ RETPOLINE_CFLAGS += $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_CFLAGS_CLANG))) + ifneq ($(RETPOLINE_CFLAGS),) + KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE + endif +--- a/include/linux/compiler-clang.h ++++ b/include/linux/compiler-clang.h +@@ -19,3 +19,8 @@ + + #define randomized_struct_fields_start struct { + #define randomized_struct_fields_end }; ++ ++/* Clang doesn't have a way to turn it off per-function, yet. 
*/ ++#ifdef __noretpoline ++#undef __noretpoline ++#endif +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -93,6 +93,10 @@ + #define __weak __attribute__((weak)) + #define __alias(symbol) __attribute__((alias(#symbol))) + ++#ifdef RETPOLINE ++#define __noretpoline __attribute__((indirect_branch("keep"))) ++#endif ++ + /* + * it doesn't make sense on ARM (currently the only user of __naked) + * to trace naked functions because then mcount is called without +--- a/include/linux/init.h ++++ b/include/linux/init.h +@@ -6,10 +6,10 @@ + #include + + /* Built-in __init functions needn't be compiled with retpoline */ +-#if defined(RETPOLINE) && !defined(MODULE) +-#define __noretpoline __attribute__((indirect_branch("keep"))) ++#if defined(__noretpoline) && !defined(MODULE) ++#define __noinitretpoline __noretpoline + #else +-#define __noretpoline ++#define __noinitretpoline + #endif + + /* These macros are used to mark some functions or +@@ -47,7 +47,7 @@ + + /* These are for everybody (although not all archs will actually + discard it in modules) */ +-#define __init __section(.init.text) __cold __inittrace __latent_entropy __noretpoline ++#define __init __section(.init.text) __cold __inittrace __latent_entropy __noinitretpoline + #define __initdata __section(.init.data) + #define __initconst __section(.init.rodata) + #define __exitdata __section(.exit.data) diff --git a/queue-4.14/x86-speculation-objtool-annotate-indirect-calls-jumps-for-objtool.patch b/queue-4.14/x86-speculation-objtool-annotate-indirect-calls-jumps-for-objtool.patch new file mode 100644 index 00000000000..a8fe0de36d9 --- /dev/null +++ b/queue-4.14/x86-speculation-objtool-annotate-indirect-calls-jumps-for-objtool.patch @@ -0,0 +1,98 @@ +From 9e0e3c5130e949c389caabc8033e9799b129e429 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 17 Jan 2018 22:34:34 +0100 +Subject: x86/speculation, objtool: Annotate indirect calls/jumps for objtool + +From: Peter Zijlstra + +commit 9e0e3c5130e949c389caabc8033e9799b129e429 upstream. + +Annotate the indirect calls/jumps in the CALL_NOSPEC/JUMP_NOSPEC +alternatives. + +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: David Woodhouse +Acked-by: Thomas Gleixner +Acked-by: Josh Poimboeuf +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Linus Torvalds +Cc: Peter Zijlstra +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/nospec-branch.h | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -68,6 +68,18 @@ + .endm + + /* ++ * This should be used immediately before an indirect jump/call. It tells ++ * objtool the subsequent indirect jump/call is vouched safe for retpoline ++ * builds. ++ */ ++.macro ANNOTATE_RETPOLINE_SAFE ++ .Lannotate_\@: ++ .pushsection .discard.retpoline_safe ++ _ASM_PTR .Lannotate_\@ ++ .popsection ++.endm ++ ++/* + * These are the bare retpoline primitives for indirect jmp and call. + * Do not use these directly; they only exist to make the ALTERNATIVE + * invocation below less ugly. 
+@@ -103,9 +115,9 @@ + .macro JMP_NOSPEC reg:req + #ifdef CONFIG_RETPOLINE + ANNOTATE_NOSPEC_ALTERNATIVE +- ALTERNATIVE_2 __stringify(jmp *\reg), \ ++ ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *\reg), \ + __stringify(RETPOLINE_JMP \reg), X86_FEATURE_RETPOLINE, \ +- __stringify(lfence; jmp *\reg), X86_FEATURE_RETPOLINE_AMD ++ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *\reg), X86_FEATURE_RETPOLINE_AMD + #else + jmp *\reg + #endif +@@ -114,9 +126,9 @@ + .macro CALL_NOSPEC reg:req + #ifdef CONFIG_RETPOLINE + ANNOTATE_NOSPEC_ALTERNATIVE +- ALTERNATIVE_2 __stringify(call *\reg), \ ++ ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; call *\reg), \ + __stringify(RETPOLINE_CALL \reg), X86_FEATURE_RETPOLINE,\ +- __stringify(lfence; call *\reg), X86_FEATURE_RETPOLINE_AMD ++ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; call *\reg), X86_FEATURE_RETPOLINE_AMD + #else + call *\reg + #endif +@@ -144,6 +156,12 @@ + ".long 999b - .\n\t" \ + ".popsection\n\t" + ++#define ANNOTATE_RETPOLINE_SAFE \ ++ "999:\n\t" \ ++ ".pushsection .discard.retpoline_safe\n\t" \ ++ _ASM_PTR " 999b\n\t" \ ++ ".popsection\n\t" ++ + #if defined(CONFIG_X86_64) && defined(RETPOLINE) + + /* +@@ -153,6 +171,7 @@ + # define CALL_NOSPEC \ + ANNOTATE_NOSPEC_ALTERNATIVE \ + ALTERNATIVE( \ ++ ANNOTATE_RETPOLINE_SAFE \ + "call *%[thunk_target]\n", \ + "call __x86_indirect_thunk_%V[thunk_target]\n", \ + X86_FEATURE_RETPOLINE) diff --git a/queue-4.14/x86-speculation-use-ibrs-if-available-before-calling-into-firmware.patch b/queue-4.14/x86-speculation-use-ibrs-if-available-before-calling-into-firmware.patch new file mode 100644 index 00000000000..d63a96d1c00 --- /dev/null +++ b/queue-4.14/x86-speculation-use-ibrs-if-available-before-calling-into-firmware.patch @@ -0,0 +1,221 @@ +From dd84441a797150dcc49298ec95c459a8891d8bb1 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Mon, 19 Feb 2018 10:50:54 +0000 +Subject: x86/speculation: Use IBRS if available before calling into firmware + +From: David Woodhouse + +commit dd84441a797150dcc49298ec95c459a8891d8bb1 upstream. + +Retpoline means the kernel is safe because it has no indirect branches. +But firmware isn't, so use IBRS for firmware calls if it's available. + +Block preemption while IBRS is set, although in practice the call sites +already had to be doing that. + +Ignore hpwdt.c for now. It's taking spinlocks and calling into firmware +code, from an NMI handler. I don't want to touch that with a bargepole. 
+ +Signed-off-by: David Woodhouse +Reviewed-by: Thomas Gleixner +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: arjan.van.de.ven@intel.com +Cc: bp@alien8.de +Cc: dave.hansen@intel.com +Cc: jmattson@google.com +Cc: karahmed@amazon.de +Cc: kvm@vger.kernel.org +Cc: pbonzini@redhat.com +Cc: rkrcmar@redhat.com +Link: http://lkml.kernel.org/r/1519037457-7643-2-git-send-email-dwmw@amazon.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/apm.h | 6 +++++ + arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/efi.h | 17 +++++++++++++-- + arch/x86/include/asm/nospec-branch.h | 39 ++++++++++++++++++++++++++--------- + arch/x86/kernel/cpu/bugs.c | 12 +++++++++- + 5 files changed, 63 insertions(+), 12 deletions(-) + +--- a/arch/x86/include/asm/apm.h ++++ b/arch/x86/include/asm/apm.h +@@ -7,6 +7,8 @@ + #ifndef _ASM_X86_MACH_DEFAULT_APM_H + #define _ASM_X86_MACH_DEFAULT_APM_H + ++#include ++ + #ifdef APM_ZERO_SEGS + # define APM_DO_ZERO_SEGS \ + "pushl %%ds\n\t" \ +@@ -32,6 +34,7 @@ static inline void apm_bios_call_asm(u32 + * N.B. We do NOT need a cld after the BIOS call + * because we always save and restore the flags. + */ ++ firmware_restrict_branch_speculation_start(); + __asm__ __volatile__(APM_DO_ZERO_SEGS + "pushl %%edi\n\t" + "pushl %%ebp\n\t" +@@ -44,6 +47,7 @@ static inline void apm_bios_call_asm(u32 + "=S" (*esi) + : "a" (func), "b" (ebx_in), "c" (ecx_in) + : "memory", "cc"); ++ firmware_restrict_branch_speculation_end(); + } + + static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in, +@@ -56,6 +60,7 @@ static inline bool apm_bios_call_simple_ + * N.B. We do NOT need a cld after the BIOS call + * because we always save and restore the flags. + */ ++ firmware_restrict_branch_speculation_start(); + __asm__ __volatile__(APM_DO_ZERO_SEGS + "pushl %%edi\n\t" + "pushl %%ebp\n\t" +@@ -68,6 +73,7 @@ static inline bool apm_bios_call_simple_ + "=S" (si) + : "a" (func), "b" (ebx_in), "c" (ecx_in) + : "memory", "cc"); ++ firmware_restrict_branch_speculation_end(); + return error; + } + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -211,6 +211,7 @@ + #define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */ + + #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ ++#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ + + /* Virtualization flags: Linux defined, word 8 */ + #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + + /* + * We map the EFI regions needed for runtime services non-contiguously, +@@ -36,8 +37,18 @@ + + extern asmlinkage unsigned long efi_call_phys(void *, ...); + +-#define arch_efi_call_virt_setup() kernel_fpu_begin() +-#define arch_efi_call_virt_teardown() kernel_fpu_end() ++#define arch_efi_call_virt_setup() \ ++({ \ ++ kernel_fpu_begin(); \ ++ firmware_restrict_branch_speculation_start(); \ ++}) ++ ++#define arch_efi_call_virt_teardown() \ ++({ \ ++ firmware_restrict_branch_speculation_end(); \ ++ kernel_fpu_end(); \ ++}) ++ + + /* + * Wrap all the virtual calls in a way that forces the parameters on the stack. 
+@@ -73,6 +84,7 @@ struct efi_scratch { + efi_sync_low_kernel_mappings(); \ + preempt_disable(); \ + __kernel_fpu_begin(); \ ++ firmware_restrict_branch_speculation_start(); \ + \ + if (efi_scratch.use_pgd) { \ + efi_scratch.prev_cr3 = __read_cr3(); \ +@@ -91,6 +103,7 @@ struct efi_scratch { + __flush_tlb_all(); \ + } \ + \ ++ firmware_restrict_branch_speculation_end(); \ + __kernel_fpu_end(); \ + preempt_enable(); \ + }) +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -219,17 +219,38 @@ static inline void vmexit_fill_RSB(void) + #endif + } + ++#define alternative_msr_write(_msr, _val, _feature) \ ++ asm volatile(ALTERNATIVE("", \ ++ "movl %[msr], %%ecx\n\t" \ ++ "movl %[val], %%eax\n\t" \ ++ "movl $0, %%edx\n\t" \ ++ "wrmsr", \ ++ _feature) \ ++ : : [msr] "i" (_msr), [val] "i" (_val) \ ++ : "eax", "ecx", "edx", "memory") ++ + static inline void indirect_branch_prediction_barrier(void) + { +- asm volatile(ALTERNATIVE("", +- "movl %[msr], %%ecx\n\t" +- "movl %[val], %%eax\n\t" +- "movl $0, %%edx\n\t" +- "wrmsr", +- X86_FEATURE_USE_IBPB) +- : : [msr] "i" (MSR_IA32_PRED_CMD), +- [val] "i" (PRED_CMD_IBPB) +- : "eax", "ecx", "edx", "memory"); ++ alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB, ++ X86_FEATURE_USE_IBPB); ++} ++ ++/* ++ * With retpoline, we must use IBRS to restrict branch prediction ++ * before calling into firmware. ++ */ ++static inline void firmware_restrict_branch_speculation_start(void) ++{ ++ preempt_disable(); ++ alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, ++ X86_FEATURE_USE_IBRS_FW); ++} ++ ++static inline void firmware_restrict_branch_speculation_end(void) ++{ ++ alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, ++ X86_FEATURE_USE_IBRS_FW); ++ preempt_enable(); + } + + #endif /* __ASSEMBLY__ */ +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -300,6 +300,15 @@ retpoline_auto: + setup_force_cpu_cap(X86_FEATURE_USE_IBPB); + pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n"); + } ++ ++ /* ++ * Retpoline means the kernel is safe because it has no indirect ++ * branches. But firmware isn't, so use IBRS to protect that. ++ */ ++ if (boot_cpu_has(X86_FEATURE_IBRS)) { ++ setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); ++ pr_info("Enabling Restricted Speculation for firmware calls\n"); ++ } + } + + #undef pr_fmt +@@ -326,8 +335,9 @@ ssize_t cpu_show_spectre_v2(struct devic + if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) + return sprintf(buf, "Not affected\n"); + +- return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], ++ return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], + boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "", ++ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", + spectre_v2_module_string()); + } + #endif