mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-26 20:38:12 +00:00
Code Issues Releases Wiki Activity
linux-stable/arch/x86
History
Sean Christopherson ba5ca5e5e6 x86/retpoline: Don't clobber RFLAGS during srso_safe_ret() 
Use LEA instead of ADD when adjusting %rsp in srso_safe_ret{,_alias}()
so as to avoid clobbering flags.  Drop one of the INT3 instructions to
account for the LEA consuming one more byte than the ADD.

KVM's emulator makes indirect calls into a jump table of sorts, where
the destination of each call is a small blob of code that performs fast
emulation by executing the target instruction with fixed operands.

E.g. to emulate ADC, fastop() invokes adcb_al_dl():

  adcb_al_dl:
    <+0>:  adc    %dl,%al
    <+2>:  jmp    <__x86_return_thunk>

A major motivation for doing fast emulation is to leverage the CPU to
handle consumption and manipulation of arithmetic flags, i.e. RFLAGS is
both an input and output to the target of the call.  fastop() collects
the RFLAGS result by pushing RFLAGS onto the stack and popping them back
into a variable (held in %rdi in this case):

  asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n"

  <+71>: mov    0xc0(%r8),%rdx
  <+78>: mov    0x100(%r8),%rcx
  <+85>: push   %rdi
  <+86>: popf
  <+87>: call   *%rsi
  <+89>: nop
  <+90>: nop
  <+91>: nop
  <+92>: pushf
  <+93>: pop    %rdi

and then propagating the arithmetic flags into the vCPU's emulator state:

  ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);

  <+64>:  and    $0xfffffffffffff72a,%r9
  <+94>:  and    $0x8d5,%edi
  <+109>: or     %rdi,%r9
  <+122>: mov    %r9,0x10(%r8)

The failures can be most easily reproduced by running the "emulator"
test in KVM-Unit-Tests.

If you're feeling a bit of deja vu, see commit b63f20a778
("x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386").

In addition, this breaks booting of clang-compiled guest on
a gcc-compiled host where the host contains the %rsp-modifying SRSO
mitigations.

  [ bp: Massage commit message, extend, remove addresses. ]

Fixes: fb3bd914b3 ("x86/srso: Add a Speculative RAS Overflow mitigation")
Closes: https://lore.kernel.org/all/de474347-122d-54cd-eabf-9dcc95ab9eae@amd.com
Reported-by: Srikanth Aithal <sraithal@amd.com>
Reported-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20230810013334.GA5354@dev-arch.thelio-3990X/
Link: https://lore.kernel.org/r/20230811155255.250835-1-seanjc@google.com
2023-08-14 10:47:55 +02:00
..
boot x86/sev: Do not try to parse for the CC blob on non-AMD hardware 2023-08-07 18:05:13 +02:00
coco - Some SEV and CC platform helpers cleanup and simplifications now that 2023-06-27 13:26:30 -07:00
configs arch/*/configs/*defconfig: Replace AUTOFS4_FS by AUTOFS_FS 2023-07-29 14:08:22 -07:00
crypto This push fixes an alignment crash in x86/aria. 2023-05-29 07:05:49 -04:00
entry x86/mm: Fix VDSO and VVAR placement on 5-level paging machines 2023-08-09 13:38:48 -07:00
events perf/x86: Fix lockdep warning in for_each_sibling_event() on SPR 2023-07-10 09:52:20 +02:00
hyperv hyperv-fixes for 6.5-rc5 2023-08-04 17:16:14 -07:00
ia32
include locking: remove spin_lock_prefetch 2023-08-12 09:18:47 -07:00
kernel - Do not parse the confidential computing blob on non-AMD hardware as it 2023-08-12 08:47:01 -07:00
kvm x86: Move gds_ucode_mitigated() declaration to header 2023-08-10 09:13:21 -07:00
lib x86/retpoline: Don't clobber RFLAGS during srso_safe_ret() 2023-08-14 10:47:55 +02:00
math-emu x86/fpu: Include asm/fpu/regset.h 2023-05-18 11:56:18 -07:00
mm Merge branch 'expand-stack' 2023-06-28 20:35:21 -07:00
net bpf: Fix a bpf_jit_dump issue for x86_64 with sysctl bpf_jit_enable. 2023-06-12 16:47:18 +02:00
pci - Address -Wmissing-prototype warnings 2023-06-26 16:43:54 -07:00
platform A single regression fix for x86: 2023-07-01 11:40:01 -07:00
power x86/topology: Remove CPU0 hotplug option 2023-05-15 13:44:49 +02:00
purgatory hardening updates for v6.5-rc1 2023-06-27 21:24:18 -07:00
ras
realmode x86/realmode: Make stack lock work in trampoline_compat() 2023-05-30 14:11:47 +02:00
tools ELF: fix all "Elf" typos 2023-04-08 13:45:37 -07:00
um um: make stub data pages size tweakable 2023-04-20 23:08:43 +02:00
video drm changes for 6.5-rc1: 2023-06-29 11:00:17 -07:00
virt/vmx/tdx
xen xen: branch for v6.5-rc2 2023-07-13 13:39:36 -07:00
.gitignore
Kbuild
Kconfig Mitigate Gather Data Sampling issue 2023-08-07 17:03:54 -07:00
Kconfig.assembler
Kconfig.cpu x86/cpu: Remove X86_FEATURE_NAMES 2023-05-15 20:03:08 +02:00
Kconfig.debug docs: move x86 documentation into Documentation/arch/ 2023-03-30 12:58:51 -06:00
Makefile x86/unwind/orc: Add ELF section with ORC version identifier 2023-06-16 17:17:42 +02:00
Makefile.postlink x86/build: Avoid relocation information in final vmlinux 2023-06-14 19:54:40 +02:00
Makefile.um um: Only disable SSE on clang to work around old GCC bugs 2023-04-04 09:57:05 +02:00
Makefile_32.cpu