Patch "KVM: VMX: Make indirect call speculation safe" has been added to the 4.4-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    KVM: VMX: Make indirect call speculation safe

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-vmx-make-indirect-call-speculation-safe.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Fri Feb 23 17:23:58 CET 2018
From: Jack Wang <jinpu.wang@profitbricks.com>
Date: Fri, 23 Feb 2018 11:41:53 +0100
Subject: KVM: VMX: Make indirect call speculation safe
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: Peter Zijlstra <peterz@infradead.org>, Thomas Gleixner <tglx@linutronix.de>, Andrea Arcangeli <aarcange@redhat.com>, Andi Kleen <ak@linux.intel.com>, Ashok Raj <ashok.raj@intel.com>, Jun Nakajima <jun.nakajima@intel.com>, David Woodhouse <dwmw2@infradead.org>, Linus Torvalds <torvalds@linux-foundation.org>, rga@amazon.de, Dave Hansen <dave.hansen@intel.com>, Asit Mallick <asit.k.mallick@intel.com>, Andy Lutomirski <luto@kernel.org>, Josh Poimboeuf <jpoimboe@redhat.com>, Jason Baron <jbaron@akamai.com>, Paolo Bonzini <pbonzini@redhat.com>, Dan Williams <dan.j.williams@intel.com>, Arjan Van De Ven <arjan.van.de.ven@intel.com>, Tim Chen <tim.c.chen@linux.intel.com>, David Woodhouse <dwmw@amazon.co.uk>, Jack Wang <jinpu.wang@profitbricks.com>
Message-ID: <1519382538-15143-5-git-send-email-jinpu.wangl@profitbricks.com>

From: Peter Zijlstra <peterz@infradead.org>

(cherry picked from commit c940a3fb1e2e9b7d03228ab28f375fb5a47ff699)

Replace indirect call with CALL_NOSPEC.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Ashok Raj <ashok.raj@intel.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Jun Nakajima <jun.nakajima@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: rga@amazon.de
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Asit Mallick <asit.k.mallick@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Jason Baron <jbaron@akamai.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Link: https://lkml.kernel.org/r/20180125095843.645776917@infradead.org
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
[backport to 4.4]
Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8377,13 +8377,13 @@ static void vmx_handle_external_intr(str
 			"pushf\n\t"
 			"orl $0x200, (%%" _ASM_SP ")\n\t"
 			__ASM_SIZE(push) " $%c[cs]\n\t"
-			"call *%[entry]\n\t"
+			CALL_NOSPEC
 			:
 #ifdef CONFIG_X86_64
 			[sp]"=&r"(tmp)
 #endif
 			:
-			[entry]"r"(entry),
+			THUNK_TARGET(entry),
 			[ss]"i"(__KERNEL_DS),
 			[cs]"i"(__KERNEL_CS)
 			);


Patches currently in stable-queue which might be from jinpu.wang@profitbricks.com are

queue-4.4/x86-paravirt-remove-noreplace-paravirt-cmdline-option.patch
queue-4.4/documentation-document-array_index_nospec.patch
queue-4.4/kvm-x86-make-indirect-calls-in-emulator-speculation-safe.patch
queue-4.4/x86-nospec-fix-header-guards-names.patch
queue-4.4/x86-retpoline-avoid-retpolines-for-built-in-__init-functions.patch
queue-4.4/vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch
queue-4.4/kvm-nvmx-invvpid-handling-improvements.patch
queue-4.4/x86-cpu-bugs-make-retpoline-module-warning-conditional.patch
queue-4.4/x86-spectre-check-config_retpoline-in-command-line-parser.patch
queue-4.4/x86-implement-array_index_mask_nospec.patch
queue-4.4/array_index_nospec-sanitize-speculative-array-de-references.patch
queue-4.4/kvm-vmx-make-indirect-call-speculation-safe.patch
queue-4.4/x86-spectre-fix-spelling-mistake-vunerable-vulnerable.patch
queue-4.4/kvm-nvmx-fix-kernel-panics-induced-by-illegal-invept-invvpid-types.patch
queue-4.4/module-retpoline-warn-about-missing-retpoline-in-module.patch
queue-4.4/x86-kvm-update-spectre-v1-mitigation.patch
queue-4.4/x86-get_user-use-pointer-masking-to-limit-speculation.patch
queue-4.4/x86-syscall-sanitize-syscall-table-de-references-under-speculation.patch
queue-4.4/kvm-nvmx-vmx_complete_nested_posted_interrupt-can-t-fail.patch
queue-4.4/x86-spectre-simplify-spectre_v2-command-line-parsing.patch
queue-4.4/x86-speculation-fix-typo-ibrs_att-which-should-be-ibrs_all.patch
queue-4.4/x86-spectre-report-get_user-mitigation-for-spectre_v1.patch
queue-4.4/x86-introduce-barrier_nospec.patch
queue-4.4/kvm-async_pf-fix-df-due-to-inject-page-not-present-and-page-ready-exceptions-simultaneously.patch
queue-4.4/kvm-vmx-clean-up-declaration-of-vpid-ept-invalidation-types.patch
queue-4.4/x86-bugs-drop-one-mitigation-from-dmesg.patch
queue-4.4/x86-retpoline-remove-the-esp-rsp-thunk.patch
queue-4.4/nl80211-sanitize-array-index-in-parse_txq_params.patch
queue-4.4/kvm-nvmx-kmap-can-t-fail.patch