Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f7154aa5 authored by Andy Lutomirski's avatar Andy Lutomirski Committed by Greg Kroah-Hartman
Browse files

x86/speculation/mds: Revert CPU buffer clear on double fault exit 



commit 88640e1dcd089879530a49a8d212d1814678dfe7 upstream.

The double fault ESPFIX path doesn't return to user mode at all --
it returns back to the kernel by simulating a #GP fault.
prepare_exit_to_usermode() will run on the way out of
general_protection before running user code.

Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/ac97612445c0a44ee10374f6ea79c222fe22a5c4.1557865329.git.luto@kernel.org


Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7227474b

Documentation/x86/mds.rst

+0 −7
Original line number Diff line number Diff line
@@ -158,13 +158,6 @@ Mitigation points 
     mitigated on the return from do_nmi() to provide almost complete

     coverage.



   - Double fault (#DF):



     A double fault is usually fatal, but the ESPFIX workaround, which can

     be triggered from user space through modify_ldt(2) is a recoverable

     double fault. #DF uses the paranoid exit path, so explicit mitigation

     in the double fault handler is required.



   - Machine Check Exception (#MC):



     Another corner case is a #MC which hits between the CPU buffer clear

arch/x86/kernel/traps.c

+0 −8
Original line number Diff line number Diff line
@@ -62,7 +62,6 @@ 
#include <asm/alternative.h>

#include <asm/fpu/xstate.h>

#include <asm/trace/mpx.h>

#include <asm/nospec-branch.h>

#include <asm/mpx.h>

#include <asm/vm86.h>
@@ -341,13 +340,6 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) 
		regs->ip = (unsigned long)general_protection;

		regs->sp = (unsigned long)&normal_regs->orig_ax;



		/*

		 * This situation can be triggered by userspace via

		 * modify_ldt(2) and the return does not take the regular

		 * user space exit, so a CPU buffer clear is required when

		 * MDS mitigation is enabled.

		 */

		mds_user_clear_cpu_buffers();

		return;

	}

#endif