Fix two regressions introduced by recent speculation mitigations on the 4.14 branch:
- Crash on older 32-bit processors
- Build warning from objtool
Ben.
Ben Hutchings (1): Revert "x86/speculation: Change FILL_RETURN_BUFFER to work with objtool"
Peter Zijlstra (1): x86/nospec: Fix i386 RSB stuffing
arch/x86/include/asm/nospec-branch.h | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-)
commit 332924973725e8cdcc783c175f68cf7e162cb9e5 upstream.
Turns out that i386 doesn't unconditionally have LFENCE, as such the loop in __FILL_RETURN_BUFFER isn't actually speculation safe on such chips.
Fixes: ba6e31af2be9 ("x86/speculation: Add LFENCE to RSB fill sequence") Reported-by: Ben Hutchings ben@decadent.org.uk Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Link: https://lkml.kernel.org/r/Yv9tj9vbQ9nNlXoY@worktop.programming.kicks-ass.net [bwh: Backported to 4.14: - __FILL_RETURN_BUFFER takes an sp parameter - Open-code __FILL_RETURN_SLOT] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/include/asm/nospec-branch.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 118441f53399..d5d4927e7683 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -38,6 +38,7 @@
 * the optimal version — two calls, each with their own speculation
 * trap should their return address end up getting used, in a loop.
 */
+#ifdef CONFIG_X86_64
 #define __FILL_RETURN_BUFFER(reg, nr, sp) \
 mov $(nr/2), reg; \
 771: \
@@ -58,6 +59,19 @@
 jnz 771b; \
 /* barrier for jnz misprediction */ \
 lfence;
+#else
+/*
+ * i386 doesn't unconditionally have LFENCE, as such it can't
+ * do a loop.
+ */
+#define __FILL_RETURN_BUFFER(reg, nr, sp) \
+ .rept nr; \
+ call 772f; \
+ int3; \
+772:; \
+ .endr; \
+ add $(BITS_PER_LONG/8) * nr, sp;
+#endif
#define ISSUE_UNBALANCED_RET_GUARD(sp) \
 call 992f; \
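Review bot: The comment on the new `#else` branch says i386 "can't do a loop" without giving the reason, which is only implied by the `/* barrier for jnz misprediction */` line just above it: the looping variant relies on a trailing `lfence` to stop speculation past a mispredicted `jnz 771b`, while the unrolled `.rept nr` form has no conditional branch to mispredict. I would spell that out, for example `* i386 doesn't unconditionally have LFENCE, so the loop's jnz cannot be fenced; unroll the calls so there is no branch to mispredict.` It is also worth noting in the same comment that `reg` is unused in this variant and that the `int3` after each `call` is presumably the speculation trap for that pushed return address. The 64-bit macro body this parallels lies mostly outside the hunk, so the comparison is based on the visible context lines only.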
This reverts commit c95afe5bcad40e1f0292bfc0a625c4aa080cc971, which was commit 089dd8e53126ebaf506e2dc0bf89d652c36bfc12 upstream.
The necessary changes to objtool have not been backported to 4.14. Backporting this commit alone only added build warnings.
Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/include/asm/nospec-branch.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index d5d4927e7683..0cd3b0c74d05 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -4,13 +4,11 @@
 #define _ASM_X86_NOSPEC_BRANCH_H_
#include <linux/static_key.h>
-#include <linux/frame.h>
#include <asm/alternative.h>
 #include <asm/alternative-asm.h>
 #include <asm/cpufeatures.h>
 #include <asm/msr-index.h>
-#include <asm/unwind_hints.h>
 #include <asm/percpu.h>
/*
@@ -54,9 +52,9 @@
 lfence; \
 jmp 775b; \
 774: \
- add $(BITS_PER_LONG/8) * 2, sp; \
 dec reg; \
 jnz 771b; \
+ add $(BITS_PER_LONG/8) * nr, sp; \
 /* barrier for jnz misprediction */ \
 lfence;
 #else
@@ -167,8 +165,10 @@
 * monstrosity above, manually.
 */
 .macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
- ALTERNATIVE "jmp .Lskip_rsb_@", "", \ftr
- __FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)
+ ANNOTATE_NOSPEC_ALTERNATIVE
+ ALTERNATIVE "jmp .Lskip_rsb_@", \
+ __stringify(__FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)) \
+ \ftr
 .Lskip_rsb_@:
 .endm
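Review bot: In the 64-bit loop the restored `add $(BITS_PER_LONG/8) * nr, sp` runs once after `jnz 771b`, so the stack pointer stays lowered by up to `nr` return-address slots for the whole loop instead of being corrected on every iteration, and nothing in the macro records that. A comment above the `add` would help, for example `/* each call above pushed one return address; drop all nr of them at once */ \`. The line also sits between the `jnz` and the `lfence` documented as the barrier for its misprediction; that looks harmless because only stack arithmetic precedes the fence, but it is worth stating next to the barrier comment. The macro body starts outside this hunk.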
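Review bot: With the fill sequence back inside `ALTERNATIVE` as a `__stringify(...)` replacement in `FILL_RETURN_BUFFER`, the 32-bit variant added earlier in this series expands to `nr` unrolled `call`/`int3` pairs inside that replacement, so the patched-in sequence now grows linearly with `nr`. As far as I recall the alternatives entry stores the replacement length in a single byte, so it is worth confirming that the largest `nr` used on i386 still fits; the callers and the value of `nr` are not visible here. A short comment above the macro, such as `/* the fill sequence is an alternatives replacement; its size scales with nr on 32-bit */`, would record the constraint for the next backport.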
On Mon, Dec 05, 2022 at 11:09:55PM +0100, Ben Hutchings wrote:
Fix two regressions introduced by recent speculation mitigations on the 4.14 branch:
- Crash on older 32-bit processors
- Build warning from objtool
Ben.
Ben Hutchings (1): Revert "x86/speculation: Change FILL_RETURN_BUFFER to work with objtool"
Peter Zijlstra (1): x86/nospec: Fix i386 RSB stuffing
arch/x86/include/asm/nospec-branch.h | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-)
Now queued up, thanks.
greg k-h