Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 88dc7fca authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 

Pull x86 pti bits and fixes from Thomas Gleixner:
 "This last update contains:

   - An objtool fix to prevent a segfault with the gold linker by
     changing the invocation order. That's not just for gold, it's a
     general robustness improvement.

   - An improved error message for objtool which spares tearing hairs.

   - Make KASAN fail loudly if there is not enough memory instead of
     oopsing at some random place later

   - RSB fill on context switch to prevent RSB underflow and speculation
     through other units.

   - Make the retpoline/RSB functionality work reliably for both Intel
     and AMD

   - Add retpoline to the module version magic so mismatch can be
     detected

   - A small (non-fix) update for cpufeatures which prevents cpu feature
     clashing for the upcoming extra mitigation bits to ease
     backporting"

* 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  module: Add retpoline tag to VERMAGIC
  x86/cpufeature: Move processor tracing out of scattered features
  objtool: Improve error message for bad file argument
  objtool: Fix seg fault with gold linker
  x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
  x86/retpoline: Fill RSB on context switch for affected CPUs
  x86/kasan: Panic if there is not enough memory to boot
parents dd43f346 6cfb521a

arch/x86/entry/entry_32.S

+11 −0
Original line number Diff line number Diff line
@@ -244,6 +244,17 @@ ENTRY(__switch_to_asm) 
	movl	%ebx, PER_CPU_VAR(stack_canary)+stack_canary_offset

#endif



#ifdef CONFIG_RETPOLINE

	/*

	 * When switching from a shallower to a deeper call stack

	 * the RSB may either underflow or use entries populated

	 * with userspace addresses. On CPUs where those concerns

	 * exist, overwrite the RSB with entries which capture

	 * speculative execution to prevent attack.

	 */

	FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW

#endif



	/* restore callee-saved registers */

	popl	%esi

	popl	%edi

arch/x86/entry/entry_64.S

+11 −0
Original line number Diff line number Diff line
@@ -491,6 +491,17 @@ ENTRY(__switch_to_asm) 
	movq	%rbx, PER_CPU_VAR(irq_stack_union)+stack_canary_offset

#endif



#ifdef CONFIG_RETPOLINE

	/*

	 * When switching from a shallower to a deeper call stack

	 * the RSB may either underflow or use entries populated

	 * with userspace addresses. On CPUs where those concerns

	 * exist, overwrite the RSB with entries which capture

	 * speculative execution to prevent attack.

	 */

	FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW

#endif



	/* restore callee-saved registers */

	popq	%r15

	popq	%r14

arch/x86/include/asm/cpufeatures.h

+2 −1
Original line number Diff line number Diff line
@@ -206,11 +206,11 @@ 
#define X86_FEATURE_RETPOLINE		( 7*32+12) /* Generic Retpoline mitigation for Spectre variant 2 */

#define X86_FEATURE_RETPOLINE_AMD	( 7*32+13) /* AMD Retpoline mitigation for Spectre variant 2 */

#define X86_FEATURE_INTEL_PPIN		( 7*32+14) /* Intel Processor Inventory Number */

#define X86_FEATURE_INTEL_PT		( 7*32+15) /* Intel Processor Trace */

#define X86_FEATURE_AVX512_4VNNIW	( 7*32+16) /* AVX-512 Neural Network Instructions */

#define X86_FEATURE_AVX512_4FMAPS	( 7*32+17) /* AVX-512 Multiply Accumulation Single precision */



#define X86_FEATURE_MBA			( 7*32+18) /* Memory Bandwidth Allocation */

#define X86_FEATURE_RSB_CTXSW		( 7*32+19) /* Fill RSB on context switches */



/* Virtualization flags: Linux defined, word 8 */

#define X86_FEATURE_TPR_SHADOW		( 8*32+ 0) /* Intel TPR Shadow */
@@ -245,6 +245,7 @@ 
#define X86_FEATURE_AVX512IFMA		( 9*32+21) /* AVX-512 Integer Fused Multiply-Add instructions */

#define X86_FEATURE_CLFLUSHOPT		( 9*32+23) /* CLFLUSHOPT instruction */

#define X86_FEATURE_CLWB		( 9*32+24) /* CLWB instruction */

#define X86_FEATURE_INTEL_PT		( 9*32+25) /* Intel Processor Trace */

#define X86_FEATURE_AVX512PF		( 9*32+26) /* AVX-512 Prefetch */

#define X86_FEATURE_AVX512ER		( 9*32+27) /* AVX-512 Exponential and Reciprocal */

#define X86_FEATURE_AVX512CD		( 9*32+28) /* AVX-512 Conflict Detection */

arch/x86/include/asm/nospec-branch.h

+5 −1
Original line number Diff line number Diff line
@@ -11,7 +11,7 @@ 
 * Fill the CPU return stack buffer.

 *

 * Each entry in the RSB, if used for a speculative 'ret', contains an

 * infinite 'pause; jmp' loop to capture speculative execution.

 * infinite 'pause; lfence; jmp' loop to capture speculative execution.

 *

 * This is required in various cases for retpoline and IBRS-based

 * mitigations for the Spectre variant 2 vulnerability. Sometimes to
@@ -38,11 +38,13 @@ 
	call	772f;				\

773:	/* speculation trap */			\

	pause;					\

	lfence;					\

	jmp	773b;				\

772:						\

	call	774f;				\

775:	/* speculation trap */			\

	pause;					\

	lfence;					\

	jmp	775b;				\

774:						\

	dec	reg;				\
@@ -73,6 +75,7 @@ 
	call	.Ldo_rop_\@

.Lspec_trap_\@:

	pause

	lfence

	jmp	.Lspec_trap_\@

.Ldo_rop_\@:

	mov	\reg, (%_ASM_SP)
@@ -165,6 +168,7 @@ 
	"       .align 16\n"					\

	"901:	call   903f;\n"					\

	"902:	pause;\n"					\

	"    	lfence;\n"					\

	"       jmp    902b;\n"					\

	"       .align 16\n"					\

	"903:	addl   $4, %%esp;\n"				\

arch/x86/kernel/cpu/bugs.c

+36 −0
Original line number Diff line number Diff line
@@ -23,6 +23,7 @@ 
#include <asm/alternative.h>

#include <asm/pgtable.h>

#include <asm/set_memory.h>

#include <asm/intel-family.h>



static void __init spectre_v2_select_mitigation(void);
@@ -155,6 +156,23 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) 
	return SPECTRE_V2_CMD_NONE;

}



/* Check for Skylake-like CPUs (for RSB handling) */

static bool __init is_skylake_era(void)

{

	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&

	    boot_cpu_data.x86 == 6) {

		switch (boot_cpu_data.x86_model) {

		case INTEL_FAM6_SKYLAKE_MOBILE:

		case INTEL_FAM6_SKYLAKE_DESKTOP:

		case INTEL_FAM6_SKYLAKE_X:

		case INTEL_FAM6_KABYLAKE_MOBILE:

		case INTEL_FAM6_KABYLAKE_DESKTOP:

			return true;

		}

	}

	return false;

}



static void __init spectre_v2_select_mitigation(void)

{

	enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
@@ -213,6 +231,24 @@ static void __init spectre_v2_select_mitigation(void) 


	spectre_v2_enabled = mode;

	pr_info("%s\n", spectre_v2_strings[mode]);



	/*

	 * If neither SMEP or KPTI are available, there is a risk of

	 * hitting userspace addresses in the RSB after a context switch

	 * from a shallow call stack to a deeper one. To prevent this fill

	 * the entire RSB, even when using IBRS.

	 *

	 * Skylake era CPUs have a separate issue with *underflow* of the

	 * RSB, when they will predict 'ret' targets from the generic BTB.

	 * The proper mitigation for this is IBRS. If IBRS is not supported

	 * or deactivated in favour of retpolines the RSB fill on context

	 * switch is required.

	 */

	if ((!boot_cpu_has(X86_FEATURE_PTI) &&

	     !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {

		setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);

		pr_info("Filling RSB on context switch\n");

	}

}



#undef pr_fmt