From d9d4a24022e6dbd8d5a3bb7aa7882857340180d8 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 6 Dec 2022 13:30:10 +0100
Subject: [PATCH] 4.14-stable patches

added patches:
	revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch
	x86-nospec-fix-i386-rsb-stuffing.patch
---
 ...l_return_buffer-to-work-with-objtool.patch | 63 +++++++++++++++++++
 queue-4.14/series                             |  2 +
 .../x86-nospec-fix-i386-rsb-stuffing.patch    | 60 ++++++++++++++++++
 3 files changed, 125 insertions(+)
 create mode 100644 queue-4.14/revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch
 create mode 100644 queue-4.14/x86-nospec-fix-i386-rsb-stuffing.patch

diff --git a/queue-4.14/revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch b/queue-4.14/revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch
new file mode 100644
index 00000000000..2737dd33e10
--- /dev/null
+++ b/queue-4.14/revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch
@@ -0,0 +1,63 @@
+From foo@baz Tue Dec  6 01:29:51 PM CET 2022
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 5 Dec 2022 23:10:41 +0100
+Subject: Revert "x86/speculation: Change FILL_RETURN_BUFFER to work with objtool"
+To: stable@vger.kernel.org
+Cc: Peter Zijlstra <peterz@infradead.org>, Alexandre Chartre <alexandre.chartre@oracle.com>, Josh Poimboeuf <jpoimboe@redhat.com>, Thadeu Lima de Souza Cascardo <cascardo@canonical.com>, Suleiman Souhlal <suleiman@google.com>
+Message-ID: <Y45sYZzXW9/fKPbz@decadent.org.uk>
+Content-Disposition: inline
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+This reverts commit c95afe5bcad40e1f0292bfc0a625c4aa080cc971, which
+was commit 089dd8e53126ebaf506e2dc0bf89d652c36bfc12 upstream.
+
+The necessary changes to objtool have not been backported to 4.14.
+Backporting this commit alone only added build warnings.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/nospec-branch.h |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -4,13 +4,11 @@
+ #define _ASM_X86_NOSPEC_BRANCH_H_
+ 
+ #include <linux/static_key.h>
+-#include <linux/frame.h>
+ 
+ #include <asm/alternative.h>
+ #include <asm/alternative-asm.h>
+ #include <asm/cpufeatures.h>
+ #include <asm/msr-index.h>
+-#include <asm/unwind_hints.h>
+ #include <asm/percpu.h>
+ 
+ /*
+@@ -54,9 +52,9 @@
+ 	lfence;					\
+ 	jmp	775b;				\
+ 774:						\
+-	add	$(BITS_PER_LONG/8) * 2, sp;	\
+ 	dec	reg;				\
+ 	jnz	771b;				\
++	add	$(BITS_PER_LONG/8) * nr, sp;	\
+ 	/* barrier for jnz misprediction */	\
+ 	lfence;
+ #else
+@@ -167,8 +165,10 @@
+   * monstrosity above, manually.
+   */
+ .macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
+-	ALTERNATIVE "jmp .Lskip_rsb_\@", "", \ftr
+-	__FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)
++	ANNOTATE_NOSPEC_ALTERNATIVE
++	ALTERNATIVE "jmp .Lskip_rsb_\@",				\
++		__stringify(__FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP))	\
++		\ftr
+ .Lskip_rsb_\@:
+ .endm
+ 
diff --git a/queue-4.14/series b/queue-4.14/series
index 5f20d382bb4..a4642855549 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -79,3 +79,5 @@ proc-avoid-integer-type-confusion-in-get_proc_long.patch
 proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
 v4l2-don-t-fall-back-to-follow_pfn-if-pin_user_pages_fast-fails.patch
 ipc-sem-fix-dangling-sem_array-access-in-semtimedop-.patch
+x86-nospec-fix-i386-rsb-stuffing.patch
+revert-x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch
diff --git a/queue-4.14/x86-nospec-fix-i386-rsb-stuffing.patch b/queue-4.14/x86-nospec-fix-i386-rsb-stuffing.patch
new file mode 100644
index 00000000000..6d6e68b442c
--- /dev/null
+++ b/queue-4.14/x86-nospec-fix-i386-rsb-stuffing.patch
@@ -0,0 +1,60 @@
+From foo@baz Tue Dec  6 01:29:51 PM CET 2022
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 5 Dec 2022 23:10:26 +0100
+Subject: x86/nospec: Fix i386 RSB stuffing
+To: stable@vger.kernel.org
+Cc: Peter Zijlstra <peterz@infradead.org>
+Message-ID: <Y45sUiyu2/cjze66@decadent.org.uk>
+Content-Disposition: inline
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 332924973725e8cdcc783c175f68cf7e162cb9e5 upstream.
+
+Turns out that i386 doesn't unconditionally have LFENCE, as such the
+loop in __FILL_RETURN_BUFFER isn't actually speculation safe on such
+chips.
+
+Fixes: ba6e31af2be9 ("x86/speculation: Add LFENCE to RSB fill sequence")
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/Yv9tj9vbQ9nNlXoY@worktop.programming.kicks-ass.net
+[bwh: Backported to 4.14:
+ - __FILL_RETURN_BUFFER takes an sp parameter
+ - Open-code __FILL_RETURN_SLOT]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/nospec-branch.h |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -38,6 +38,7 @@
+  * the optimal version â two calls, each with their own speculation
+  * trap should their return address end up getting used, in a loop.
+  */
++#ifdef CONFIG_X86_64
+ #define __FILL_RETURN_BUFFER(reg, nr, sp)	\
+ 	mov	$(nr/2), reg;			\
+ 771:						\
+@@ -58,6 +59,19 @@
+ 	jnz	771b;				\
+ 	/* barrier for jnz misprediction */	\
+ 	lfence;
++#else
++/*
++ * i386 doesn't unconditionally have LFENCE, as such it can't
++ * do a loop.
++ */
++#define __FILL_RETURN_BUFFER(reg, nr, sp)	\
++	.rept nr;				\
++	call	772f;				\
++	int3;					\
++772:;						\
++	.endr;					\
++	add	$(BITS_PER_LONG/8) * nr, sp;
++#endif
+ 
+ #define ISSUE_UNBALANCED_RET_GUARD(sp)		\
+ 	call 992f;				\
-- 
2.47.3