* [PATCH 4.14 0/2] x86/speculation: Regression fixes
@ 2022-12-05 22:09 Ben Hutchings
2022-12-05 22:10 ` [PATCH 4.14 1/2] x86/nospec: Fix i386 RSB stuffing Peter Zijlstra
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Ben Hutchings @ 2022-12-05 22:09 UTC (permalink / raw)
To: stable
Cc: Peter Zijlstra, Alexandre Chartre, Josh Poimboeuf,
Thadeu Lima de Souza Cascardo, Suleiman Souhlal
[-- Attachment #1: Type: text/plain, Size: 432 bytes --]
Fix two regressions introudced by recent speculation mitigations
on the 4.14 branch:
- Crash on older 32-bit processors
- Build warning from objtool
Ben.
Ben Hutchings (1):
Revert "x86/speculation: Change FILL_RETURN_BUFFER to work with
objtool"
Peter Zijlstra (1):
x86/nospec: Fix i386 RSB stuffing
arch/x86/include/asm/nospec-branch.h | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 4.14 1/2] x86/nospec: Fix i386 RSB stuffing
2022-12-05 22:09 [PATCH 4.14 0/2] x86/speculation: Regression fixes Ben Hutchings
@ 2022-12-05 22:10 ` Peter Zijlstra
2022-12-05 22:10 ` [PATCH 4.14 2/2] Revert "x86/speculation: Change FILL_RETURN_BUFFER to work with objtool" Ben Hutchings
2022-12-06 12:30 ` [PATCH 4.14 0/2] x86/speculation: Regression fixes Greg KH
2 siblings, 0 replies; 4+ messages in thread
From: Peter Zijlstra @ 2022-12-05 22:10 UTC (permalink / raw)
To: stable; +Cc: Peter Zijlstra
[-- Attachment #1: Type: text/plain, Size: 1667 bytes --]
commit 332924973725e8cdcc783c175f68cf7e162cb9e5 upstream.
Turns out that i386 doesn't unconditionally have LFENCE, as such the
loop in __FILL_RETURN_BUFFER isn't actually speculation safe on such
chips.
Fixes: ba6e31af2be9 ("x86/speculation: Add LFENCE to RSB fill sequence")
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/Yv9tj9vbQ9nNlXoY@worktop.programming.kicks-ass.net
[bwh: Backported to 4.14:
- __FILL_RETURN_BUFFER takes an sp parameter
- Open-code __FILL_RETURN_SLOT]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/nospec-branch.h | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 118441f53399..d5d4927e7683 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -38,6 +38,7 @@
* the optimal version — two calls, each with their own speculation
* trap should their return address end up getting used, in a loop.
*/
+#ifdef CONFIG_X86_64
#define __FILL_RETURN_BUFFER(reg, nr, sp) \
mov $(nr/2), reg; \
771: \
@@ -58,6 +59,19 @@
jnz 771b; \
/* barrier for jnz misprediction */ \
lfence;
+#else
+/*
+ * i386 doesn't unconditionally have LFENCE, as such it can't
+ * do a loop.
+ */
+#define __FILL_RETURN_BUFFER(reg, nr, sp) \
+ .rept nr; \
+ call 772f; \
+ int3; \
+772:; \
+ .endr; \
+ add $(BITS_PER_LONG/8) * nr, sp;
+#endif
#define ISSUE_UNBALANCED_RET_GUARD(sp) \
call 992f; \
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 4.14 2/2] Revert "x86/speculation: Change FILL_RETURN_BUFFER to work with objtool"
2022-12-05 22:09 [PATCH 4.14 0/2] x86/speculation: Regression fixes Ben Hutchings
2022-12-05 22:10 ` [PATCH 4.14 1/2] x86/nospec: Fix i386 RSB stuffing Peter Zijlstra
@ 2022-12-05 22:10 ` Ben Hutchings
2022-12-06 12:30 ` [PATCH 4.14 0/2] x86/speculation: Regression fixes Greg KH
2 siblings, 0 replies; 4+ messages in thread
From: Ben Hutchings @ 2022-12-05 22:10 UTC (permalink / raw)
To: stable
Cc: Peter Zijlstra, Alexandre Chartre, Josh Poimboeuf,
Thadeu Lima de Souza Cascardo, Suleiman Souhlal
[-- Attachment #1: Type: text/plain, Size: 1566 bytes --]
This reverts commit c95afe5bcad40e1f0292bfc0a625c4aa080cc971, which
was commit 089dd8e53126ebaf506e2dc0bf89d652c36bfc12 upstream.
The necessary changes to objtool have not been backported to 4.14.
Backporting this commit alone only added build warnings.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/nospec-branch.h | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index d5d4927e7683..0cd3b0c74d05 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -4,13 +4,11 @@
#define _ASM_X86_NOSPEC_BRANCH_H_
#include <linux/static_key.h>
-#include <linux/frame.h>
#include <asm/alternative.h>
#include <asm/alternative-asm.h>
#include <asm/cpufeatures.h>
#include <asm/msr-index.h>
-#include <asm/unwind_hints.h>
#include <asm/percpu.h>
/*
@@ -54,9 +52,9 @@
lfence; \
jmp 775b; \
774: \
- add $(BITS_PER_LONG/8) * 2, sp; \
dec reg; \
jnz 771b; \
+ add $(BITS_PER_LONG/8) * nr, sp; \
/* barrier for jnz misprediction */ \
lfence;
#else
@@ -167,8 +165,10 @@
* monstrosity above, manually.
*/
.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
- ALTERNATIVE "jmp .Lskip_rsb_\@", "", \ftr
- __FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)
+ ANNOTATE_NOSPEC_ALTERNATIVE
+ ALTERNATIVE "jmp .Lskip_rsb_\@", \
+ __stringify(__FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)) \
+ \ftr
.Lskip_rsb_\@:
.endm
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 4.14 0/2] x86/speculation: Regression fixes
2022-12-05 22:09 [PATCH 4.14 0/2] x86/speculation: Regression fixes Ben Hutchings
2022-12-05 22:10 ` [PATCH 4.14 1/2] x86/nospec: Fix i386 RSB stuffing Peter Zijlstra
2022-12-05 22:10 ` [PATCH 4.14 2/2] Revert "x86/speculation: Change FILL_RETURN_BUFFER to work with objtool" Ben Hutchings
@ 2022-12-06 12:30 ` Greg KH
2 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2022-12-06 12:30 UTC (permalink / raw)
To: Ben Hutchings
Cc: stable, Peter Zijlstra, Alexandre Chartre, Josh Poimboeuf,
Thadeu Lima de Souza Cascardo, Suleiman Souhlal
On Mon, Dec 05, 2022 at 11:09:55PM +0100, Ben Hutchings wrote:
> Fix two regressions introudced by recent speculation mitigations
> on the 4.14 branch:
>
> - Crash on older 32-bit processors
> - Build warning from objtool
>
> Ben.
>
> Ben Hutchings (1):
> Revert "x86/speculation: Change FILL_RETURN_BUFFER to work with
> objtool"
>
> Peter Zijlstra (1):
> x86/nospec: Fix i386 RSB stuffing
>
> arch/x86/include/asm/nospec-branch.h | 24 +++++++++++++++++++-----
> 1 file changed, 19 insertions(+), 5 deletions(-)
>
Now queued up, thanks.
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-12-06 12:30 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-05 22:09 [PATCH 4.14 0/2] x86/speculation: Regression fixes Ben Hutchings
2022-12-05 22:10 ` [PATCH 4.14 1/2] x86/nospec: Fix i386 RSB stuffing Peter Zijlstra
2022-12-05 22:10 ` [PATCH 4.14 2/2] Revert "x86/speculation: Change FILL_RETURN_BUFFER to work with objtool" Ben Hutchings
2022-12-06 12:30 ` [PATCH 4.14 0/2] x86/speculation: Regression fixes Greg KH
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.