February 2018 - Linux-stable-mirror

[Linux-stable-mirror] Patch "x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86cpuid_Fix_up_virtual_IBRSIBPBSTIBP_feature_bits_on_Intel.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel From: David Woodhouse dwmw(a)amazon.co.uk Date: Tue Jan 30 14:30:23 2018 +0000 From: David Woodhouse dwmw(a)amazon.co.uk commit 7fcae1118f5fd44a862aa5c3525248e35ee67c3b Despite the fact that all the other code there seems to be doing it, just using set_cpu_cap() in early_intel_init() doesn't actually work. For CPUs with PKU support, setup_pku() calls get_cpu_cap() after c->c_init() has set those feature bits. That resets those bits back to what was queried from the hardware. Turning the bits off for bad microcode is easy to fix. That can just use setup_clear_cpu_cap() to force them off for all CPUs. I was less keen on forcing the feature bits *on* that way, just in case of inconsistencies. I appreciate that the kernel is going to get this utterly wrong if CPU features are not consistent, because it has already applied alternatives by the time secondary CPUs are brought up. But at least if setup_force_cpu_cap() isn't being used, we might have a chance of *detecting* the lack of the corresponding bit and either panicking or refusing to bring the offending CPU online. So ensure that the appropriate feature bits are set within get_cpu_cap() regardless of how many extra times it's called. Fixes: 2961298e ("x86/cpufeatures: Clean up Spectre v2 related CPUID flags") Signed-off-by: David Woodhouse <dwmw(a)amazon.co.uk> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: karahmed(a)amazon.de Cc: peterz(a)infradead.org Cc: bp(a)alien8.de Link: https://lkml.kernel.org/r/1517322623-15261-1-git-send-email-dwmw@amazon.co.… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kernel/cpu/common.c | 21 +++++++++++++++++++++ arch/x86/kernel/cpu/intel.c | 27 ++++++++------------------- 2 files changed, 29 insertions(+), 19 deletions(-) --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -750,6 +750,26 @@ static void apply_forced_caps(struct cpu } } +static void init_speculation_control(struct cpuinfo_x86 *c) +{ + /* + * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support, + * and they also have a different bit for STIBP support. Also, + * a hypervisor might have set the individual AMD bits even on + * Intel CPUs, for finer-grained selection of what's available. + * + * We use the AMD bits in 0x8000_0008 EBX as the generic hardware + * features, which are visible in /proc/cpuinfo and used by the + * kernel. So set those accordingly from the Intel bits. + */ + if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) { + set_cpu_cap(c, X86_FEATURE_IBRS); + set_cpu_cap(c, X86_FEATURE_IBPB); + } + if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) + set_cpu_cap(c, X86_FEATURE_STIBP); +} + void get_cpu_cap(struct cpuinfo_x86 *c) { u32 eax, ebx, ecx, edx; @@ -844,6 +864,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c) c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a); init_scattered_cpuid_features(c); + init_speculation_control(c); /* * Clear/Set all flags overridden by options, after probe. --- a/arch/x86/kernel/cpu/intel.c +++ b/arch/x86/kernel/cpu/intel.c @@ -175,28 +175,17 @@ static void early_init_intel(struct cpui if (c->x86 >= 6 && !cpu_has(c, X86_FEATURE_IA64)) c->microcode = intel_get_microcode_revision(); - /* - * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support, - * and they also have a different bit for STIBP support. Also, - * a hypervisor might have set the individual AMD bits even on - * Intel CPUs, for finer-grained selection of what's available. - */ - if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) { - set_cpu_cap(c, X86_FEATURE_IBRS); - set_cpu_cap(c, X86_FEATURE_IBPB); - } - if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) - set_cpu_cap(c, X86_FEATURE_STIBP); - /* Now if any of them are set, check the blacklist and clear the lot */ - if ((cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) || + if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) || + cpu_has(c, X86_FEATURE_INTEL_STIBP) || + cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) || cpu_has(c, X86_FEATURE_STIBP)) && bad_spectre_microcode(c)) { pr_warn("Intel Spectre v2 broken microcode detected; disabling Speculation Control\n"); - clear_cpu_cap(c, X86_FEATURE_IBRS); - clear_cpu_cap(c, X86_FEATURE_IBPB); - clear_cpu_cap(c, X86_FEATURE_STIBP); - clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL); - clear_cpu_cap(c, X86_FEATURE_INTEL_STIBP); + setup_clear_cpu_cap(X86_FEATURE_IBRS); + setup_clear_cpu_cap(X86_FEATURE_IBPB); + setup_clear_cpu_cap(X86_FEATURE_STIBP); + setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL); + setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); } /* Patches currently in stable-queue which might be from dwmw(a)amazon.co.uk are queue-4.15/x86spectre_Simplify_spectre_v2_command_line_parsing.patch queue-4.15/x86pti_Mark_constant_arrays_as___initconst.patch queue-4.15/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.15/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.15/x86cpuid_Fix_up_virtual_IBRSIBPBSTIBP_feature_bits_on_Intel.patch queue-4.15/x86spectre_Fix_spelling_mistake_vunerable-_vulnerable.patch queue-4.15/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.15/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.15/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.15/x86spectre_Check_CONFIG_RETPOLINE_in_command_line_parser.patch queue-4.15/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.15/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.15/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.15/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.15/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.15/KVMx86_Add_IBPB_support.patch queue-4.15/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.15/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.15/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.15/x86speculation_Fix_typo_IBRS_ATT_which_should_be_IBRS_ALL.patch queue-4.15/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.15/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.15/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.15/KVMx86_Update_the_reverse_cpuid_list_to_include_CPUID_7_EDX.patch queue-4.15/x86retpoline_Avoid_retpolines_for_built-in___init_functions.patch

6 years, 11 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/asm: Move 'status' from thread_struct to thread_info" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/asm: Move 'status' from thread_struct to thread_info to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86asm_Move_status_from_thread_struct_to_thread_info.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86/asm: Move 'status' from thread_struct to thread_info From: Andy Lutomirski luto(a)kernel.org Date: Sun Jan 28 10:38:50 2018 -0800 From: Andy Lutomirski luto(a)kernel.org commit 37a8f7c38339b22b69876d6f5a0ab851565284e3 The TS_COMPAT bit is very hot and is accessed from code paths that mostly also touch thread_info::flags. Move it into struct thread_info to improve cache locality. The only reason it was in thread_struct is that there was a brief period during which arch-specific fields were not allowed in struct thread_info. Linus suggested further changing: ti->status &= ~(TS_COMPAT|TS_I386_REGS_POKED); to: if (unlikely(ti->status & (TS_COMPAT|TS_I386_REGS_POKED))) ti->status &= ~(TS_COMPAT|TS_I386_REGS_POKED); on the theory that frequently dirtying the cacheline even in pure 64-bit code that never needs to modify status hurts performance. That could be a reasonable followup patch, but I suspect it matters less on top of this patch. Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Ingo Molnar <mingo(a)kernel.org> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Kernel Hardening <kernel-hardening(a)lists.openwall.com> Link: https://lkml.kernel.org/r/03148bcc1b217100e6e8ecf6a5468c45cf4304b6.15171644… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/entry/common.c | 4 ++-- arch/x86/include/asm/processor.h | 2 -- arch/x86/include/asm/syscall.h | 6 +++--- arch/x86/include/asm/thread_info.h | 3 ++- arch/x86/kernel/process_64.c | 4 ++-- arch/x86/kernel/ptrace.c | 2 +- arch/x86/kernel/signal.c | 2 +- 7 files changed, 11 insertions(+), 12 deletions(-) --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -206,7 +206,7 @@ __visible inline void prepare_exit_to_us * special case only applies after poking regs and before the * very next return to user mode. */ - current->thread.status &= ~(TS_COMPAT|TS_I386_REGS_POKED); + ti->status &= ~(TS_COMPAT|TS_I386_REGS_POKED); #endif user_enter_irqoff(); @@ -304,7 +304,7 @@ static __always_inline void do_syscall_3 unsigned int nr = (unsigned int)regs->orig_ax; #ifdef CONFIG_IA32_EMULATION - current->thread.status |= TS_COMPAT; + ti->status |= TS_COMPAT; #endif if (READ_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY) { --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -460,8 +460,6 @@ struct thread_struct { unsigned short gsindex; #endif - u32 status; /* thread synchronous flags */ - #ifdef CONFIG_X86_64 unsigned long fsbase; unsigned long gsbase; --- a/arch/x86/include/asm/syscall.h +++ b/arch/x86/include/asm/syscall.h @@ -60,7 +60,7 @@ static inline long syscall_get_error(str * TS_COMPAT is set for 32-bit syscall entries and then * remains set until we return to user mode. */ - if (task->thread.status & (TS_COMPAT|TS_I386_REGS_POKED)) + if (task->thread_info.status & (TS_COMPAT|TS_I386_REGS_POKED)) /* * Sign-extend the value so (int)-EFOO becomes (long)-EFOO * and will match correctly in comparisons. @@ -116,7 +116,7 @@ static inline void syscall_get_arguments unsigned long *args) { # ifdef CONFIG_IA32_EMULATION - if (task->thread.status & TS_COMPAT) + if (task->thread_info.status & TS_COMPAT) switch (i) { case 0: if (!n--) break; @@ -177,7 +177,7 @@ static inline void syscall_set_arguments const unsigned long *args) { # ifdef CONFIG_IA32_EMULATION - if (task->thread.status & TS_COMPAT) + if (task->thread_info.status & TS_COMPAT) switch (i) { case 0: if (!n--) break; --- a/arch/x86/include/asm/thread_info.h +++ b/arch/x86/include/asm/thread_info.h @@ -55,6 +55,7 @@ struct task_struct; struct thread_info { unsigned long flags; /* low level flags */ + u32 status; /* thread synchronous flags */ }; #define INIT_THREAD_INFO(tsk) \ @@ -221,7 +222,7 @@ static inline int arch_within_stack_fram #define in_ia32_syscall() true #else #define in_ia32_syscall() (IS_ENABLED(CONFIG_IA32_EMULATION) && \ - current->thread.status & TS_COMPAT) + current_thread_info()->status & TS_COMPAT) #endif /* --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -557,7 +557,7 @@ static void __set_personality_x32(void) * Pretend to come from a x32 execve. */ task_pt_regs(current)->orig_ax = __NR_x32_execve | __X32_SYSCALL_BIT; - current->thread.status &= ~TS_COMPAT; + current_thread_info()->status &= ~TS_COMPAT; #endif } @@ -571,7 +571,7 @@ static void __set_personality_ia32(void) current->personality |= force_personality32; /* Prepare the first "return" to user space */ task_pt_regs(current)->orig_ax = __NR_ia32_execve; - current->thread.status |= TS_COMPAT; + current_thread_info()->status |= TS_COMPAT; #endif } --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -935,7 +935,7 @@ static int putreg32(struct task_struct * */ regs->orig_ax = value; if (syscall_get_nr(child, regs) >= 0) - child->thread.status |= TS_I386_REGS_POKED; + child->thread_info.status |= TS_I386_REGS_POKED; break; case offsetof(struct user32, regs.eflags): --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -787,7 +787,7 @@ static inline unsigned long get_nr_resta * than the tracee. */ #ifdef CONFIG_IA32_EMULATION - if (current->thread.status & (TS_COMPAT|TS_I386_REGS_POKED)) + if (current_thread_info()->status & (TS_COMPAT|TS_I386_REGS_POKED)) return __NR_ia32_restart_syscall; #endif #ifdef CONFIG_X86_X32_ABI Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are queue-4.15/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.15/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.15/x86_Introduce_barrier_nospec.patch queue-4.15/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.15/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.15/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.15/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.15/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.15/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.15/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.15/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.15/x86alternative_Print_unadorned_pointers.patch queue-4.15/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.15/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.15/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.15/Documentation_Document_array_index_nospec.patch queue-4.15/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.15/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.15/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.15/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.15/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.15/KVMx86_Add_IBPB_support.patch queue-4.15/x86_Implement_array_index_mask_nospec.patch queue-4.15/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.15/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.15/moduleretpoline_Warn_about_missing_retpoline_in_module.patch queue-4.15/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.15/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.15/x86nospec_Fix_header_guards_names.patch queue-4.15/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.15/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.15/x86entry64_Push_extra_regs_right_away.patch queue-4.15/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.15/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.15/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.15/objtool_Warn_on_stripped_section_symbol.patch queue-4.15/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.15/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.15/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.15/objtool_Improve_retpoline_alternative_handling.patch

6 years, 11 months

1
0
0 0

[Linux-stable-mirror] Patch "x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:02:39 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd For __get_user() paths, do not allow the kernel to speculate on the value of a user controlled pointer. In addition to the 'stac' instruction for Supervisor Mode Access Protection (SMAP), a barrier_nospec() causes the access_ok() result to resolve in the pipeline before the CPU might take any speculative action on the pointer value. Given the cost of 'stac' the speculation barrier is placed after 'stac' to hopefully overlap the cost of disabling SMAP with the cost of flushing the instruction pipeline. Since __get_user is a major kernel interface that deals with user controlled pointers, the __uaccess_begin_nospec() mechanism will prevent speculative execution past an access_ok() permission check. While speculative execution past access_ok() is not enough to lead to a kernel memory leak, it is a necessary precondition. To be clear, __uaccess_begin_nospec() is addressing a class of potential problems near __get_user() usages. Note, that while the barrier_nospec() in __uaccess_begin_nospec() is used to protect __get_user(), pointer masking similar to array_index_nospec() will be used for get_user() since it incorporates a bounds check near the usage. uaccess_try_nospec provides the same mechanism for get_user_try. No functional changes. Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Suggested-by: Andi Kleen <ak(a)linux.intel.com> Suggested-by: Ingo Molnar <mingo(a)redhat.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: Tom Lendacky <thomas.lendacky(a)amd.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727415922.33451.5796614273104346583.stgit@dwil… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/uaccess.h | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -124,6 +124,11 @@ extern int __get_user_bad(void); #define __uaccess_begin() stac() #define __uaccess_end() clac() +#define __uaccess_begin_nospec() \ +({ \ + stac(); \ + barrier_nospec(); \ +}) /* * This is a type: either unsigned long, if the argument fits into @@ -487,6 +492,10 @@ struct __large_struct { unsigned long bu __uaccess_begin(); \ barrier(); +#define uaccess_try_nospec do { \ + current->thread.uaccess_err = 0; \ + __uaccess_begin_nospec(); \ + #define uaccess_catch(err) \ __uaccess_end(); \ (err) |= (current->thread.uaccess_err ? -EFAULT : 0); \ Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are queue-4.15/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.15/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.15/x86_Introduce_barrier_nospec.patch queue-4.15/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.15/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.15/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.15/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.15/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.15/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.15/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.15/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.15/x86alternative_Print_unadorned_pointers.patch queue-4.15/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.15/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.15/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.15/Documentation_Document_array_index_nospec.patch queue-4.15/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.15/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.15/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.15/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.15/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.15/KVMx86_Add_IBPB_support.patch queue-4.15/x86_Implement_array_index_mask_nospec.patch queue-4.15/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.15/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.15/moduleretpoline_Warn_about_missing_retpoline_in_module.patch queue-4.15/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.15/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.15/x86nospec_Fix_header_guards_names.patch queue-4.15/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.15/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.15/x86entry64_Push_extra_regs_right_away.patch queue-4.15/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.15/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.15/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.15/objtool_Warn_on_stripped_section_symbol.patch queue-4.15/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.15/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.15/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.15/objtool_Improve_retpoline_alternative_handling.patch

6 years, 11 months

1
0
0 0

[Linux-stable-mirror] Patch "x86: Introduce barrier_nospec" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86: Introduce barrier_nospec to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86_Introduce_barrier_nospec.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86: Introduce barrier_nospec From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:02:33 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit b3d7ad85b80bbc404635dca80f5b129f6242bc7a Rename the open coded form of this instruction sequence from rdtsc_ordered() into a generic barrier primitive, barrier_nospec(). One of the mitigations for Spectre variant1 vulnerabilities is to fence speculative execution after successfully validating a bounds check. I.e. force the result of a bounds check to resolve in the instruction pipeline to ensure speculative execution honors that result before potentially operating on out-of-bounds data. No functional changes. Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Suggested-by: Andi Kleen <ak(a)linux.intel.com> Suggested-by: Ingo Molnar <mingo(a)redhat.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: Tom Lendacky <thomas.lendacky(a)amd.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727415361.33451.9049453007262764675.stgit@dwil… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/barrier.h | 4 ++++ arch/x86/include/asm/msr.h | 3 +-- 2 files changed, 5 insertions(+), 2 deletions(-) --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -48,6 +48,10 @@ static inline unsigned long array_index_ /* Override the default implementation from linux/nospec.h. */ #define array_index_mask_nospec array_index_mask_nospec +/* Prevent speculative execution past this barrier. */ +#define barrier_nospec() alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, \ + "lfence", X86_FEATURE_LFENCE_RDTSC) + #ifdef CONFIG_X86_PPRO_FENCE #define dma_rmb() rmb() #else --- a/arch/x86/include/asm/msr.h +++ b/arch/x86/include/asm/msr.h @@ -214,8 +214,7 @@ static __always_inline unsigned long lon * that some other imaginary CPU is updating continuously with a * time stamp. */ - alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, - "lfence", X86_FEATURE_LFENCE_RDTSC); + barrier_nospec(); return rdtsc(); } Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are queue-4.15/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.15/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.15/x86_Introduce_barrier_nospec.patch queue-4.15/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.15/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.15/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.15/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.15/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.15/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.15/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.15/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.15/x86alternative_Print_unadorned_pointers.patch queue-4.15/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.15/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.15/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.15/Documentation_Document_array_index_nospec.patch queue-4.15/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.15/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.15/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.15/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.15/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.15/KVMx86_Add_IBPB_support.patch queue-4.15/x86_Implement_array_index_mask_nospec.patch queue-4.15/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.15/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.15/moduleretpoline_Warn_about_missing_retpoline_in_module.patch queue-4.15/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.15/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.15/x86nospec_Fix_header_guards_names.patch queue-4.15/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.15/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.15/x86entry64_Push_extra_regs_right_away.patch queue-4.15/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.15/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.15/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.15/objtool_Warn_on_stripped_section_symbol.patch queue-4.15/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.15/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.15/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.15/objtool_Improve_retpoline_alternative_handling.patch

6 years, 11 months

1
0
0 0

[Linux-stable-mirror] Patch "x86: Implement array_index_mask_nospec" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86: Implement array_index_mask_nospec to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86_Implement_array_index_mask_nospec.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: x86: Implement array_index_mask_nospec From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:02:28 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit babdde2698d482b6c0de1eab4f697cf5856c5859 array_index_nospec() uses a mask to sanitize user controllable array indexes, i.e. generate a 0 mask if 'index' >= 'size', and a ~0 mask otherwise. While the default array_index_mask_nospec() handles the carry-bit from the (index - size) result in software. The x86 array_index_mask_nospec() does the same, but the carry-bit is handled in the processor CF flag without conditional instructions in the control flow. Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727414808.33451.1873237130672785331.stgit@dwil… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/barrier.h | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -24,6 +24,30 @@ #define wmb() asm volatile("sfence" ::: "memory") #endif +/** + * array_index_mask_nospec() - generate a mask that is ~0UL when the + * bounds check succeeds and 0 otherwise + * @index: array element index + * @size: number of elements in array + * + * Returns: + * 0 - (index < size) + */ +static inline unsigned long array_index_mask_nospec(unsigned long index, + unsigned long size) +{ + unsigned long mask; + + asm ("cmp %1,%2; sbb %0,%0;" + :"=r" (mask) + :"r"(size),"r" (index) + :"cc"); + return mask; +} + +/* Override the default implementation from linux/nospec.h. */ +#define array_index_mask_nospec array_index_mask_nospec + #ifdef CONFIG_X86_PPRO_FENCE #define dma_rmb() rmb() #else Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are queue-4.15/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.15/x86pti_Do_not_enable_PTI_on_CPUs_which_are_not_vulnerable_to_Meltdown.patch queue-4.15/x86_Introduce_barrier_nospec.patch queue-4.15/x86speculation_Use_Indirect_Branch_Prediction_Barrier_in_context_switch.patch queue-4.15/x86get_user_Use_pointer_masking_to_limit_speculation.patch queue-4.15/x86_Introduce___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.15/x86cpufeature_Blacklist_SPEC_CTRLPRED_CMD_on_early_Spectre_v2_microcodes.patch queue-4.15/x86cpufeatures_Add_Intel_feature_bits_for_Speculation_Control.patch queue-4.15/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.15/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.15/x86msr_Add_definitions_for_new_speculation_control_MSRs.patch queue-4.15/x86alternative_Print_unadorned_pointers.patch queue-4.15/KVMVMX_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.15/x86cpufeatures_Add_CPUID_7_EDX_CPUID_leaf.patch queue-4.15/array_index_nospec_Sanitize_speculative_array_de-references.patch queue-4.15/Documentation_Document_array_index_nospec.patch queue-4.15/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.15/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.15/x86cpufeatures_Add_AMD_feature_bits_for_Speculation_Control.patch queue-4.15/KVMSVM_Allow_direct_access_to_MSR_IA32_SPEC_CTRL.patch queue-4.15/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.15/KVMx86_Add_IBPB_support.patch queue-4.15/x86_Implement_array_index_mask_nospec.patch queue-4.15/KVMVMX_Emulate_MSR_IA32_ARCH_CAPABILITIES.patch queue-4.15/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.15/moduleretpoline_Warn_about_missing_retpoline_in_module.patch queue-4.15/x86speculation_Add_basic_IBPB_(Indirect_Branch_Prediction_Barrier)_support.patch queue-4.15/x86speculation_Simplify_indirect_branch_prediction_barrier().patch queue-4.15/x86nospec_Fix_header_guards_names.patch queue-4.15/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.15/x86uaccess_Use___uaccess_begin_nospec()_and_uaccess_try_nospec.patch queue-4.15/x86entry64_Push_extra_regs_right_away.patch queue-4.15/x86usercopy_Replace_open_coded_stacclac_with___uaccess_begin_end.patch queue-4.15/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch queue-4.15/x86retpoline_Simplify_vmexit_fill_RSB().patch queue-4.15/objtool_Warn_on_stripped_section_symbol.patch queue-4.15/x86spectre_Report_get_user_mitigation_for_spectre_v1.patch queue-4.15/x86cpufeatures_Clean_up_Spectre_v2_related_CPUID_flags.patch queue-4.15/x86syscall_Sanitize_syscall_table_de-references_under_speculation.patch queue-4.15/objtool_Improve_retpoline_alternative_handling.patch

6 years, 11 months

1
0
0 0

[Linux-stable-mirror] Patch "objtool: Warn on stripped section symbol" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled objtool: Warn on stripped section symbol to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: objtool_Warn_on_stripped_section_symbol.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: objtool: Warn on stripped section symbol From: Josh Poimboeuf jpoimboe(a)redhat.com Date: Mon Jan 29 22:00:41 2018 -0600 From: Josh Poimboeuf jpoimboe(a)redhat.com commit 830c1e3d16b2c1733cd1ec9c8f4d47a398ae31bc With the following fix: 2a0098d70640 ("objtool: Fix seg fault with gold linker") ... a seg fault was avoided, but the original seg fault condition in objtool wasn't fixed. Replace the seg fault with an error message. Suggested-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: David Woodhouse <dwmw2(a)infradead.org> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Guenter Roeck <linux(a)roeck-us.net> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Juergen Gross <jgross(a)suse.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: http://lkml.kernel.org/r/dc4585a70d6b975c99fc51d1957ccdde7bd52f3a.151728434… Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- tools/objtool/orc_gen.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/tools/objtool/orc_gen.c +++ b/tools/objtool/orc_gen.c @@ -98,6 +98,11 @@ static int create_orc_entry(struct secti struct orc_entry *orc; struct rela *rela; + if (!insn_sec->sym) { + WARN("missing symbol for section %s", insn_sec->name); + return -1; + } + /* populate ORC data */ orc = (struct orc_entry *)u_sec->data->d_buf + idx; memcpy(orc, o, sizeof(*orc)); Patches currently in stable-queue which might be from mingo(a)kernel.org are queue-4.15/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.15/x86entry64_Remove_the_SYSCALL64_fast_path.patch queue-4.15/x86asm_Move_status_from_thread_struct_to_thread_info.patch queue-4.15/x86entry64_Push_extra_regs_right_away.patch queue-4.15/objtool_Warn_on_stripped_section_symbol.patch queue-4.15/objtool_Improve_retpoline_alternative_handling.patch

6 years, 11 months

1
0
0 0

[Linux-stable-mirror] Patch "vfs, fdtable: Prevent bounds-check bypass via speculative execution" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled vfs, fdtable: Prevent bounds-check bypass via speculative execution to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: vfs, fdtable: Prevent bounds-check bypass via speculative execution From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:03:05 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit 56c30ba7b348b90484969054d561f711ba196507 'fd' is a user controlled value that is used as a data dependency to read from the 'fdt->fd' array. In order to avoid potential leaks of kernel memory values, block speculative execution of the instruction stream that could issue reads based on an invalid 'file *' returned from __fcheck_files. Co-developed-by: Elena Reshetova <elena.reshetova(a)intel.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-arch(a)vger.kernel.org Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: torvalds(a)linux-foundation.org Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727418500.33451.17392199002892248656.stgit@dwi… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- include/linux/fdtable.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/include/linux/fdtable.h +++ b/include/linux/fdtable.h @@ -10,6 +10,7 @@ #include <linux/compiler.h> #include <linux/spinlock.h> #include <linux/rcupdate.h> +#include <linux/nospec.h> #include <linux/types.h> #include <linux/init.h> #include <linux/fs.h> @@ -82,8 +83,10 @@ static inline struct file *__fcheck_file { struct fdtable *fdt = rcu_dereference_raw(files->fdt); - if (fd < fdt->max_fds) + if (fd < fdt->max_fds) { + fd = array_index_nospec(fd, fdt->max_fds); return rcu_dereference_raw(fdt->fd[fd]); + } return NULL; } Patches currently in stable-queue which might be from elena.reshetova(a)intel.com are queue-4.15/nl80211_Sanitize_array_index_in_parse_txq_params.patch queue-4.15/vfs_fdtable_Prevent_bounds-check_bypass_via_speculative_execution.patch

6 years, 11 months

1
0
0 0

[Linux-stable-mirror] Patch "objtool: Add support for alternatives at the end of a section" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled objtool: Add support for alternatives at the end of a section to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: objtool: Add support for alternatives at the end of a section From: Josh Poimboeuf jpoimboe(a)redhat.com Date: Mon Jan 29 22:00:40 2018 -0600 From: Josh Poimboeuf jpoimboe(a)redhat.com commit 17bc33914bcc98ba3c6b426fd1c49587a25c0597 Now that the previous patch gave objtool the ability to read retpoline alternatives, it shows a new warning: arch/x86/entry/entry_64.o: warning: objtool: .entry_trampoline: don't know how to handle alternatives at end of section This is due to the JMP_NOSPEC in entry_SYSCALL_64_trampoline(). Previously, objtool ignored this situation because it wasn't needed, and it would have required a bit of extra code. Now that this case exists, add proper support for it. Signed-off-by: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: David Woodhouse <dwmw2(a)infradead.org> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Guenter Roeck <linux(a)roeck-us.net> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Juergen Gross <jgross(a)suse.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: http://lkml.kernel.org/r/2a30a3c2158af47d891a76e69bb1ef347e0443fd.151728434… Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- tools/objtool/check.c | 53 +++++++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 22 deletions(-) --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -594,7 +594,7 @@ static int handle_group_alt(struct objto struct instruction *orig_insn, struct instruction **new_insn) { - struct instruction *last_orig_insn, *last_new_insn, *insn, *fake_jump; + struct instruction *last_orig_insn, *last_new_insn, *insn, *fake_jump = NULL; unsigned long dest_off; last_orig_insn = NULL; @@ -610,28 +610,30 @@ static int handle_group_alt(struct objto last_orig_insn = insn; } - if (!next_insn_same_sec(file, last_orig_insn)) { - WARN("%s: don't know how to handle alternatives at end of section", - special_alt->orig_sec->name); - return -1; - } - - fake_jump = malloc(sizeof(*fake_jump)); - if (!fake_jump) { - WARN("malloc failed"); - return -1; + if (next_insn_same_sec(file, last_orig_insn)) { + fake_jump = malloc(sizeof(*fake_jump)); + if (!fake_jump) { + WARN("malloc failed"); + return -1; + } + memset(fake_jump, 0, sizeof(*fake_jump)); + INIT_LIST_HEAD(&fake_jump->alts); + clear_insn_state(&fake_jump->state); + + fake_jump->sec = special_alt->new_sec; + fake_jump->offset = -1; + fake_jump->type = INSN_JUMP_UNCONDITIONAL; + fake_jump->jump_dest = list_next_entry(last_orig_insn, list); + fake_jump->ignore = true; } - memset(fake_jump, 0, sizeof(*fake_jump)); - INIT_LIST_HEAD(&fake_jump->alts); - clear_insn_state(&fake_jump->state); - - fake_jump->sec = special_alt->new_sec; - fake_jump->offset = -1; - fake_jump->type = INSN_JUMP_UNCONDITIONAL; - fake_jump->jump_dest = list_next_entry(last_orig_insn, list); - fake_jump->ignore = true; if (!special_alt->new_len) { + if (!fake_jump) { + WARN("%s: empty alternative at end of section", + special_alt->orig_sec->name); + return -1; + } + *new_insn = fake_jump; return 0; } @@ -654,8 +656,14 @@ static int handle_group_alt(struct objto continue; dest_off = insn->offset + insn->len + insn->immediate; - if (dest_off == special_alt->new_off + special_alt->new_len) + if (dest_off == special_alt->new_off + special_alt->new_len) { + if (!fake_jump) { + WARN("%s: alternative jump to end of section", + special_alt->orig_sec->name); + return -1; + } insn->jump_dest = fake_jump; + } if (!insn->jump_dest) { WARN_FUNC("can't find alternative jump destination", @@ -670,7 +678,8 @@ static int handle_group_alt(struct objto return -1; } - list_add(&fake_jump->list, &last_new_insn->list); + if (fake_jump) + list_add(&fake_jump->list, &last_new_insn->list); return 0; } Patches currently in stable-queue which might be from jpoimboe(a)redhat.com are queue-4.15/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.15/x86paravirt_Remove_noreplace-paravirt_cmdline_option.patch queue-4.15/KVM_VMX_Make_indirect_call_speculation_safe.patch queue-4.15/x86alternative_Print_unadorned_pointers.patch queue-4.15/x86bugs_Drop_one_mitigation_from_dmesg.patch queue-4.15/x86nospec_Fix_header_guards_names.patch queue-4.15/KVM_x86_Make_indirect_calls_in_emulator_speculation_safe.patch queue-4.15/objtool_Warn_on_stripped_section_symbol.patch queue-4.15/objtool_Improve_retpoline_alternative_handling.patch

6 years, 11 months

1
0
0 0

[Linux-stable-mirror] Patch "objtool: Improve retpoline alternative handling" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled objtool: Improve retpoline alternative handling to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: objtool_Improve_retpoline_alternative_handling.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: objtool: Improve retpoline alternative handling From: Josh Poimboeuf jpoimboe(a)redhat.com Date: Mon Jan 29 22:00:39 2018 -0600 From: Josh Poimboeuf jpoimboe(a)redhat.com commit a845c7cf4b4cb5e9e3b2823867892b27646f3a98 Currently objtool requires all retpolines to be: a) patched in with alternatives; and b) annotated with ANNOTATE_NOSPEC_ALTERNATIVE. If you forget to do both of the above, objtool segfaults trying to dereference a NULL 'insn->call_dest' pointer. Avoid that situation and print a more helpful error message: quirks.o: warning: objtool: efi_delete_dummy_variable()+0x99: unsupported intra-function call quirks.o: warning: objtool: If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE. Future improvements can be made to make objtool smarter with respect to retpolines, but this is a good incremental improvement for now. Reported-and-tested-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: David Woodhouse <dwmw2(a)infradead.org> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Juergen Gross <jgross(a)suse.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: http://lkml.kernel.org/r/819e50b6d9c2e1a22e34c1a636c0b2057cc8c6e5.151728434… Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- tools/objtool/check.c | 36 ++++++++++++++++-------------------- 1 file changed, 16 insertions(+), 20 deletions(-) --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -543,18 +543,14 @@ static int add_call_destinations(struct dest_off = insn->offset + insn->len + insn->immediate; insn->call_dest = find_symbol_by_offset(insn->sec, dest_off); - /* - * FIXME: Thanks to retpolines, it's now considered - * normal for a function to call within itself. So - * disable this warning for now. - */ -#if 0 - if (!insn->call_dest) { - WARN_FUNC("can't find call dest symbol at offset 0x%lx", - insn->sec, insn->offset, dest_off); + + if (!insn->call_dest && !insn->ignore) { + WARN_FUNC("unsupported intra-function call", + insn->sec, insn->offset); + WARN("If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE."); return -1; } -#endif + } else if (rela->sym->type == STT_SECTION) { insn->call_dest = find_symbol_by_offset(rela->sym->sec, rela->addend+4); @@ -648,6 +644,8 @@ static int handle_group_alt(struct objto last_new_insn = insn; + insn->ignore = orig_insn->ignore_alts; + if (insn->type != INSN_JUMP_CONDITIONAL && insn->type != INSN_JUMP_UNCONDITIONAL) continue; @@ -729,10 +727,6 @@ static int add_special_section_alts(stru goto out; } - /* Ignore retpoline alternatives. */ - if (orig_insn->ignore_alts) - continue; - new_insn = NULL; if (!special_alt->group || special_alt->new_len) { new_insn = find_insn(file, special_alt->new_sec, @@ -1089,11 +1083,11 @@ static int decode_sections(struct objtoo if (ret) return ret; - ret = add_call_destinations(file); + ret = add_special_section_alts(file); if (ret) return ret; - ret = add_special_section_alts(file); + ret = add_call_destinations(file); if (ret) return ret; @@ -1720,10 +1714,12 @@ static int validate_branch(struct objtoo insn->visited = true; - list_for_each_entry(alt, &insn->alts, list) { - ret = validate_branch(file, alt->insn, state); - if (ret) - return 1; + if (!insn->ignore_alts) { + list_for_each_entry(alt, &insn->alts, list) { + ret = validate_branch(file, alt->insn, state); + if (ret) + return 1; + } } switch (insn->type) { Patches currently in stable-queue which might be from linux(a)roeck-us.net are queue-4.15/objtool_Add_support_for_alternatives_at_the_end_of_a_section.patch queue-4.15/objtool_Warn_on_stripped_section_symbol.patch queue-4.15/objtool_Improve_retpoline_alternative_handling.patch

6 years, 11 months

1
0
0 0

[Linux-stable-mirror] Patch "nl80211: Sanitize array index in parse_txq_params" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled nl80211: Sanitize array index in parse_txq_params to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: nl80211_Sanitize_array_index_in_parse_txq_params.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. Subject: nl80211: Sanitize array index in parse_txq_params From: Dan Williams dan.j.williams(a)intel.com Date: Mon Jan 29 17:03:15 2018 -0800 From: Dan Williams dan.j.williams(a)intel.com commit 259d8c1e984318497c84eef547bbb6b1d9f4eb05 Wireless drivers rely on parse_txq_params to validate that txq_params->ac is less than NL80211_NUM_ACS by the time the low-level driver's ->conf_tx() handler is called. Use a new helper, array_index_nospec(), to sanitize txq_params->ac with respect to speculation. I.e. ensure that any speculation into ->conf_tx() handlers is done with a value of txq_params->ac that is within the bounds of [0, NL80211_NUM_ACS). Reported-by: Christian Lamparter <chunkeey(a)gmail.com> Reported-by: Elena Reshetova <elena.reshetova(a)intel.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Acked-by: Johannes Berg <johannes(a)sipsolutions.net> Cc: linux-arch(a)vger.kernel.org Cc: kernel-hardening(a)lists.openwall.com Cc: gregkh(a)linuxfoundation.org Cc: linux-wireless(a)vger.kernel.org Cc: torvalds(a)linux-foundation.org Cc: "David S. Miller" <davem(a)davemloft.net> Cc: alan(a)linux.intel.com Link: https://lkml.kernel.org/r/151727419584.33451.7700736761686184303.stgit@dwil… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/wireless/nl80211.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -16,6 +16,7 @@ #include <linux/nl80211.h> #include <linux/rtnetlink.h> #include <linux/netlink.h> +#include <linux/nospec.h> #include <linux/etherdevice.h> #include <net/net_namespace.h> #include <net/genetlink.h> @@ -2056,20 +2057,22 @@ static const struct nla_policy txq_param static int parse_txq_params(struct nlattr *tb[], struct ieee80211_txq_params *txq_params) { + u8 ac; + if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] || !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] || !tb[NL80211_TXQ_ATTR_AIFS]) return -EINVAL; - txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]); + ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]); txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]); txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]); txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]); txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]); - if (txq_params->ac >= NL80211_NUM_ACS) + if (ac >= NL80211_NUM_ACS) return -EINVAL; - + txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS); return 0; } Patches currently in stable-queue which might be from chunkeey(a)gmail.com are queue-4.15/nl80211_Sanitize_array_index_in_parse_txq_params.patch

6 years, 11 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror February 2018