From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Kim Phillips <kim.phillips@amd.com>,
Alexandre Chartre <alexandre.chartre@oracle.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Borislav Petkov <bp@suse.de>,
Josh Poimboeuf <jpoimboe@kernel.org>,
Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Subject: [PATCH 5.18 24/61] x86/bugs: Report AMD retbleed vulnerability
Date: Tue, 12 Jul 2022 20:39:21 +0200 [thread overview]
Message-ID: <20220712183237.922322019@linuxfoundation.org> (raw)
In-Reply-To: <20220712183236.931648980@linuxfoundation.org>
From: Alexandre Chartre <alexandre.chartre@oracle.com>
commit 6b80b59b3555706508008f1f127b5412c89c7fd8 upstream.
Report that AMD x86 CPUs are vulnerable to the RETBleed (Arbitrary
Speculative Code Execution with Return Instructions) attack.
[peterz: add hygon]
[kim: invert parity; fam15h]
Co-developed-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/kernel/cpu/bugs.c | 13 +++++++++++++
arch/x86/kernel/cpu/common.c | 19 +++++++++++++++++++
drivers/base/cpu.c | 8 ++++++++
include/linux/cpu.h | 2 ++
5 files changed, 43 insertions(+)
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -450,5 +450,6 @@
#define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
#define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
#define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
+#define X86_BUG_RETBLEED X86_BUG(26) /* CPU is affected by RETBleed */
#endif /* _ASM_X86_CPUFEATURES_H */
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1987,6 +1987,11 @@ static ssize_t srbds_show_state(char *bu
return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]);
}
+static ssize_t retbleed_show_state(char *buf)
+{
+ return sprintf(buf, "Vulnerable\n");
+}
+
static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
char *buf, unsigned int bug)
{
@@ -2032,6 +2037,9 @@ static ssize_t cpu_show_common(struct de
case X86_BUG_MMIO_STALE_DATA:
return mmio_stale_data_show_state(buf);
+ case X86_BUG_RETBLEED:
+ return retbleed_show_state(buf);
+
default:
break;
}
@@ -2088,4 +2096,9 @@ ssize_t cpu_show_mmio_stale_data(struct
{
return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
}
+
+ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf)
+{
+ return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);
+}
#endif
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1231,16 +1231,27 @@ static const __initconst struct x86_cpu_
{}
};
+#define VULNBL(vendor, family, model, blacklist) \
+ X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, blacklist)
+
#define VULNBL_INTEL_STEPPINGS(model, steppings, issues) \
X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE(INTEL, 6, \
INTEL_FAM6_##model, steppings, \
X86_FEATURE_ANY, issues)
+#define VULNBL_AMD(family, blacklist) \
+ VULNBL(AMD, family, X86_MODEL_ANY, blacklist)
+
+#define VULNBL_HYGON(family, blacklist) \
+ VULNBL(HYGON, family, X86_MODEL_ANY, blacklist)
+
#define SRBDS BIT(0)
/* CPU is affected by X86_BUG_MMIO_STALE_DATA */
#define MMIO BIT(1)
/* CPU is affected by Shared Buffers Data Sampling (SBDS), a variant of X86_BUG_MMIO_STALE_DATA */
#define MMIO_SBDS BIT(2)
+/* CPU is affected by RETbleed, speculating where you would not expect it */
+#define RETBLEED BIT(3)
static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS),
@@ -1273,6 +1284,11 @@ static const struct x86_cpu_id cpu_vuln_
VULNBL_INTEL_STEPPINGS(ATOM_TREMONT, X86_STEPPINGS(0x1, 0x1), MMIO | MMIO_SBDS),
VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO),
VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_L, X86_STEPPINGS(0x0, 0x0), MMIO | MMIO_SBDS),
+
+ VULNBL_AMD(0x15, RETBLEED),
+ VULNBL_AMD(0x16, RETBLEED),
+ VULNBL_AMD(0x17, RETBLEED),
+ VULNBL_HYGON(0x18, RETBLEED),
{}
};
@@ -1374,6 +1390,9 @@ static void __init cpu_set_bug_bits(stru
!arch_cap_mmio_immune(ia32_cap))
setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
+ if (cpu_matches(cpu_vuln_blacklist, RETBLEED))
+ setup_force_cpu_bug(X86_BUG_RETBLEED);
+
if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
return;
--- a/drivers/base/cpu.c
+++ b/drivers/base/cpu.c
@@ -570,6 +570,12 @@ ssize_t __weak cpu_show_mmio_stale_data(
return sysfs_emit(buf, "Not affected\n");
}
+ssize_t __weak cpu_show_retbleed(struct device *dev,
+ struct device_attribute *attr, char *buf)
+{
+ return sysfs_emit(buf, "Not affected\n");
+}
+
static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
@@ -580,6 +586,7 @@ static DEVICE_ATTR(tsx_async_abort, 0444
static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL);
static DEVICE_ATTR(mmio_stale_data, 0444, cpu_show_mmio_stale_data, NULL);
+static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL);
static struct attribute *cpu_root_vulnerabilities_attrs[] = {
&dev_attr_meltdown.attr,
@@ -592,6 +599,7 @@ static struct attribute *cpu_root_vulner
&dev_attr_itlb_multihit.attr,
&dev_attr_srbds.attr,
&dev_attr_mmio_stale_data.attr,
+ &dev_attr_retbleed.attr,
NULL
};
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -68,6 +68,8 @@ extern ssize_t cpu_show_srbds(struct dev
extern ssize_t cpu_show_mmio_stale_data(struct device *dev,
struct device_attribute *attr,
char *buf);
+extern ssize_t cpu_show_retbleed(struct device *dev,
+ struct device_attribute *attr, char *buf);
extern __printf(4, 5)
struct device *cpu_device_create(struct device *parent, void *drvdata,
next prev parent reply other threads:[~2022-07-12 19:10 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-12 18:38 [PATCH 5.18 00/61] 5.18.12-rc1 review Greg Kroah-Hartman
2022-07-12 18:38 ` [PATCH 5.18 01/61] x86/traps: Use pt_regs directly in fixup_bad_iret() Greg Kroah-Hartman
2022-07-12 18:38 ` [PATCH 5.18 02/61] x86/entry: Switch the stack after error_entry() returns Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 03/61] x86/entry: Move PUSH_AND_CLEAR_REGS out of error_entry() Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 04/61] x86/entry: Dont call error_entry() for XENPV Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 05/61] x86/entry: Remove skip_r11rcx Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 06/61] x86/kvm/vmx: Make noinstr clean Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 07/61] x86/cpufeatures: Move RETPOLINE flags to word 11 Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 08/61] x86/retpoline: Cleanup some #ifdefery Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 09/61] x86/retpoline: Swizzle retpoline thunk Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 10/61] x86/retpoline: Use -mfunction-return Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 11/61] x86: Undo return-thunk damage Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 12/61] x86,objtool: Create .return_sites Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 13/61] objtool: skip non-text sections when adding return-thunk sites Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 14/61] x86,static_call: Use alternative RET encoding Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 15/61] x86/ftrace: " Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 16/61] x86/bpf: " Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 17/61] x86/kvm: Fix SETcc emulation for return thunks Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 18/61] x86/vsyscall_emu/64: Dont use RET in vsyscall emulation Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 19/61] x86/sev: Avoid using __x86_return_thunk Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 20/61] x86: Use return-thunk in asm code Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 21/61] x86/entry: Avoid very early RET Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 22/61] objtool: Treat .text.__x86.* as noinstr Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 23/61] x86: Add magic AMD return-thunk Greg Kroah-Hartman
2022-07-12 18:39 ` Greg Kroah-Hartman [this message]
2022-07-12 18:39 ` [PATCH 5.18 25/61] x86/bugs: Add AMD retbleed= boot parameter Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 26/61] x86/bugs: Enable STIBP for JMP2RET Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 27/61] x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 28/61] x86/entry: Add kernel IBRS implementation Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 29/61] x86/bugs: Optimize SPEC_CTRL MSR writes Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 30/61] x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 31/61] x86/bugs: Split spectre_v2_select_mitigation() and spectre_v2_user_select_mitigation() Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 32/61] x86/bugs: Report Intel retbleed vulnerability Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 33/61] intel_idle: Disable IBRS during long idle Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 34/61] objtool: Update Retpoline validation Greg Kroah-Hartman
2022-07-13 7:45 ` Jiri Slaby
2022-07-13 7:54 ` Jiri Slaby
2022-07-13 8:17 ` Greg Kroah-Hartman
2022-07-13 9:21 ` Borislav Petkov
2022-07-13 9:50 ` [PATCH] x86/asm/32: fix ANNOTATE_UNRET_SAFE use on 32bit Jiri Slaby
2022-07-13 10:45 ` [tip: x86/urgent] x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit tip-bot2 for Jiri Slaby
2022-07-13 10:52 ` tip-bot2 for Jiri Slaby
2022-07-12 18:39 ` [PATCH 5.18 35/61] x86/xen: Rename SYS* entry points Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 36/61] x86/xen: Add UNTRAIN_RET Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 37/61] x86/bugs: Add retbleed=ibpb Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 38/61] x86/bugs: Do IBPB fallback check only once Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 39/61] objtool: Add entry UNRET validation Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 40/61] x86/cpu/amd: Add Spectral Chicken Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 41/61] x86/speculation: Fix RSB filling with CONFIG_RETPOLINE=n Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 42/61] x86/speculation: Fix firmware entry SPEC_CTRL handling Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 43/61] x86/speculation: Fix SPEC_CTRL write on SMT state change Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 44/61] x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 45/61] x86/speculation: Remove x86_spec_ctrl_mask Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 46/61] objtool: Re-add UNWIND_HINT_{SAVE_RESTORE} Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 47/61] KVM: VMX: Flatten __vmx_vcpu_run() Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 48/61] KVM: VMX: Convert launched argument to flags Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 49/61] KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 50/61] KVM: VMX: Fix IBRS handling after vmexit Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 51/61] x86/speculation: Fill RSB on vmexit for IBRS Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 52/61] KVM: VMX: Prevent RSB underflow before vmenter Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 53/61] x86/common: Stamp out the stepping madness Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 54/61] x86/cpu/amd: Enumerate BTC_NO Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 55/61] x86/retbleed: Add fine grained Kconfig knobs Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 56/61] x86/bugs: Add Cannon lake to RETBleed affected CPU list Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 57/61] x86/entry: Move PUSH_AND_CLEAR_REGS() back into error_entry Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 58/61] x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 59/61] x86/kexec: Disable RET on kexec Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 60/61] x86/speculation: Disable RRSBA behavior Greg Kroah-Hartman
2022-07-12 18:39 ` [PATCH 5.18 61/61] x86/static_call: Serialize __static_call_fixup() properly Greg Kroah-Hartman
2022-07-12 23:52 ` [PATCH 5.18 00/61] 5.18.12-rc1 review Florian Fainelli
2022-07-13 0:43 ` Zan Aziz
2022-07-13 3:16 ` Shuah Khan
2022-07-13 7:17 ` Jon Hunter
2022-07-13 8:30 ` Bagas Sanjaya
2022-07-13 9:34 ` Fenil Jain
2022-07-13 10:06 ` Sudip Mukherjee (Codethink)
2022-07-13 10:17 ` Ron Economos
2022-07-13 11:03 ` Naresh Kamboju
2022-07-13 13:03 ` Greg Kroah-Hartman
2022-07-13 13:58 ` Naresh Kamboju
2022-07-13 16:54 ` Thadeu Lima de Souza Cascardo
2022-07-13 14:12 ` Peter Zijlstra
2022-07-13 22:18 ` Guenter Roeck
2022-07-13 22:21 ` Rudi Heitbaum
2022-07-15 11:27 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220712183237.922322019@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexandre.chartre@oracle.com \
--cc=bp@suse.de \
--cc=cascardo@canonical.com \
--cc=jpoimboe@kernel.org \
--cc=kim.phillips@amd.com \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.