On Thu, 2018-01-18 at 16:28 +0100, Thomas Gleixner wrote:
> The machine check idtentry uses an indirect branch directly from the low
> level code. This evades the speculation protection.
>
> Replace it by a direct call into C code and issue the indirect call there
> so the compiler can apply the proper speculation protection.
>
> Signed-off-by: Thomas Gleixner
Cc: stable for at least 4.9.
> ---
>  arch/x86/entry/entry_64.S        |    2 +-
>  arch/x86/include/asm/traps.h     |    1 +
>  arch/x86/kernel/cpu/mcheck/mce.c |    5 +++++
>  3 files changed, 7 insertions(+), 1 deletion(-)
>
> --- a/arch/x86/entry/entry_64.S
> +++ b/arch/x86/entry/entry_64.S
> @@ -1264,7 +1264,7 @@ idtentry async_page_fault do_async_page_
>  #endif
>  
>  #ifdef CONFIG_X86_MCE
> -idtentry machine_check has_error_code=0 paranoid=1 do_sym=*machine_check_vector(%rip)
> +idtentry machine_check do_mce has_error_code=0 paranoid=1
>  #endif
>  
>  /*
> --- a/arch/x86/include/asm/traps.h
> +++ b/arch/x86/include/asm/traps.h
> @@ -88,6 +88,7 @@ dotraplinkage void do_simd_coprocessor_e
>  #ifdef CONFIG_X86_32
>  dotraplinkage void do_iret_error(struct pt_regs *, long);
>  #endif
> +dotraplinkage void do_mce(struct pt_regs *, long);
>  
>  static inline int get_si_code(unsigned long condition)
>  {
> --- a/arch/x86/kernel/cpu/mcheck/mce.c
> +++ b/arch/x86/kernel/cpu/mcheck/mce.c
> @@ -1785,6 +1785,11 @@ static void unexpected_machine_check(str
>  void (*machine_check_vector)(struct pt_regs *, long error_code) =
>   unexpected_machine_check;
>  
> +dotraplinkage void do_mce(struct pt_regs *regs, long error_code)
> +{
> + machine_check_vector(regs, error_code);
> +}
> +
>  /*
>   * Called for each booted CPU to set up machine checks.
>   * Must be called with preempt off:
>
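Review bot: The new do_mce() wrapper in mce.c has no comment saying why it exists, so a later cleanup could fold the one-line function back into `do_sym=*machine_check_vector(%rip)` on the idtentry line in entry_64.S and silently lose the speculation protection the commit message describes. I would add above it `/* Keep the indirect call in C: the compiler applies the speculation protection here, the idtentry asm path does not. */`. The protection presumably also depends on mce.c being built with the kernel's indirect-branch mitigation enabled, which nothing in these hunks shows; that is worth confirming for the 4.9 stable backport requested in the reply. The wrapper is complete within the hunk, but the definitions around it continue outside.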