[RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

Hi Greg,

This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
and patches for the Speculative Store Bypass vulnerability to 4.4.y
(they apply cleanly on top of 4.4.140).

I used 4.9.y as my reference when backporting to 4.4.y (as I thought
that would minimize the amount of fixing up necessary). Unfortunately
I had to skip the KVM fixes for these vulnerabilities, as the KVM
codebase is drastically different in 4.4 as compared to 4.9. (I tried
my best to backport them initially, but wasn't confident that they
were correct, so I decided to drop them from this series).

You'll notice that the initial few patches in this series include
cleanups etc., that are non-critical to IBPB/IBRS/SSBD. Most of these
patches are aimed at getting the cpufeature.h vs cpufeatures.h split
into 4.4, since a lot of the subsequent patches update these headers.
On my first attempt to backport these patches to 4.4.y, I had actually
tried to do all the updates on the cpufeature.h file itself, but it
started getting very cumbersome, so I resorted to backporting the
cpufeature.h vs cpufeatures.h split and their dependencies as well. I
think apart from these initial patches, the rest of the patchset
doesn't have all that much noise. 

This patchset has been tested on both Intel and AMD machines (Intel
Xeon CPU E5-2660 v4 and AMD EPYC 7281 16-Core Processor, respectively)
with updated microcode. All the patch backports have been
independently reviewed by Matt Helsley, Alexey Makhalov and Bo Gan.

I would appreciate if you could kindly consider these patches for
review and inclusion in a future 4.4.y release.

Thank you very much!

Regards,
Srivatsa
VMware Photon OS

P.S. This patchset is also available in the following repo if anyone
     is interested in giving it a try:

https://github.com/srivatsabhat/linux-stable spectre-v2-fixes-nokvm-4.4.140


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH 4.4.y 015/101] x86/cpufeature, x86/mm/pkeys: Add protection keys related CPUID definitions

[Srivatsa S. Bhat]

From: Dave Hansen <dave.hansen@linux.intel.com>

commit dfb4a70f20c5b3880da56ee4c9484bdb4e8f1e65 upstream

There are two CPUID bits for protection keys.  One is for whether
the CPU contains the feature, and the other will appear set once
the OS enables protection keys.  Specifically:

	Bit 04: OSPKE. If 1, OS has set CR4.PKE to enable
	Protection keys (and the RDPKRU/WRPKRU instructions)

This is because userspace can not see CR4 contents, but it can
see CPUID contents.

X86_FEATURE_PKU is referred to as "PKU" in the hardware documentation:

	CPUID.(EAX=07H,ECX=0H):ECX.PKU [bit 3]

X86_FEATURE_OSPKE is "OSPKU":

	CPUID.(EAX=07H,ECX=0H):ECX.OSPKE [bit 4]

These are the first CPU features which need to look at the
ECX word in CPUID leaf 0x7, so this patch also includes
fetching that word in to the cpuinfo->x86_capability[] array.

Add it to the disabled-features mask when its config option is
off.  Even though we are not using it here, we also extend the
REQUIRED_MASK_BIT_SET() macro to keep it mirroring the
DISABLED_MASK_BIT_SET() version.

This means that in almost all code, you should use:

	cpu_has(c, X86_FEATURE_PKU)

and *not* the CONFIG option.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave@sr71.net>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/20160212210201.7714C250@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Matt Helsley (VMware) <matt.helsley@gmail.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
---

 arch/x86/include/asm/cpufeature.h        |   59 ++++++++++++++++++++----------
 arch/x86/include/asm/cpufeatures.h       |    2 +
 arch/x86/include/asm/disabled-features.h |   15 ++++++++
 arch/x86/include/asm/required-features.h |    7 ++++
 arch/x86/kernel/cpu/common.c             |    1 +
 5 files changed, 63 insertions(+), 21 deletions(-)

diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
index 03ca602..7fdd717 100644
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -26,6 +26,7 @@ enum cpuid_leafs
 	CPUID_8000_0008_EBX,
 	CPUID_6_EAX,
 	CPUID_8000_000A_EDX,
+	CPUID_7_ECX,
 };
 
 #ifdef CONFIG_X86_FEATURE_NAMES
@@ -48,28 +49,42 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
 	 test_bit(bit, (unsigned long *)((c)->x86_capability))
 
 #define REQUIRED_MASK_BIT_SET(bit)					\
-	 ( (((bit)>>5)==0 && (1UL<<((bit)&31) & REQUIRED_MASK0)) ||	\
-	   (((bit)>>5)==1 && (1UL<<((bit)&31) & REQUIRED_MASK1)) ||	\
-	   (((bit)>>5)==2 && (1UL<<((bit)&31) & REQUIRED_MASK2)) ||	\
-	   (((bit)>>5)==3 && (1UL<<((bit)&31) & REQUIRED_MASK3)) ||	\
-	   (((bit)>>5)==4 && (1UL<<((bit)&31) & REQUIRED_MASK4)) ||	\
-	   (((bit)>>5)==5 && (1UL<<((bit)&31) & REQUIRED_MASK5)) ||	\
-	   (((bit)>>5)==6 && (1UL<<((bit)&31) & REQUIRED_MASK6)) ||	\
-	   (((bit)>>5)==7 && (1UL<<((bit)&31) & REQUIRED_MASK7)) ||	\
-	   (((bit)>>5)==8 && (1UL<<((bit)&31) & REQUIRED_MASK8)) ||	\
-	   (((bit)>>5)==9 && (1UL<<((bit)&31) & REQUIRED_MASK9)) )
+	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & REQUIRED_MASK0 )) ||	\
+	   (((bit)>>5)==1  && (1UL<<((bit)&31) & REQUIRED_MASK1 )) ||	\
+	   (((bit)>>5)==2  && (1UL<<((bit)&31) & REQUIRED_MASK2 )) ||	\
+	   (((bit)>>5)==3  && (1UL<<((bit)&31) & REQUIRED_MASK3 )) ||	\
+	   (((bit)>>5)==4  && (1UL<<((bit)&31) & REQUIRED_MASK4 )) ||	\
+	   (((bit)>>5)==5  && (1UL<<((bit)&31) & REQUIRED_MASK5 )) ||	\
+	   (((bit)>>5)==6  && (1UL<<((bit)&31) & REQUIRED_MASK6 )) ||	\
+	   (((bit)>>5)==7  && (1UL<<((bit)&31) & REQUIRED_MASK7 )) ||	\
+	   (((bit)>>5)==8  && (1UL<<((bit)&31) & REQUIRED_MASK8 )) ||	\
+	   (((bit)>>5)==9  && (1UL<<((bit)&31) & REQUIRED_MASK9 )) ||	\
+	   (((bit)>>5)==10 && (1UL<<((bit)&31) & REQUIRED_MASK10)) ||	\
+	   (((bit)>>5)==11 && (1UL<<((bit)&31) & REQUIRED_MASK11)) ||	\
+	   (((bit)>>5)==12 && (1UL<<((bit)&31) & REQUIRED_MASK12)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK13)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK14)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK15)) ||	\
+	   (((bit)>>5)==14 && (1UL<<((bit)&31) & REQUIRED_MASK16)) )
 
 #define DISABLED_MASK_BIT_SET(bit)					\
-	 ( (((bit)>>5)==0 && (1UL<<((bit)&31) & DISABLED_MASK0)) ||	\
-	   (((bit)>>5)==1 && (1UL<<((bit)&31) & DISABLED_MASK1)) ||	\
-	   (((bit)>>5)==2 && (1UL<<((bit)&31) & DISABLED_MASK2)) ||	\
-	   (((bit)>>5)==3 && (1UL<<((bit)&31) & DISABLED_MASK3)) ||	\
-	   (((bit)>>5)==4 && (1UL<<((bit)&31) & DISABLED_MASK4)) ||	\
-	   (((bit)>>5)==5 && (1UL<<((bit)&31) & DISABLED_MASK5)) ||	\
-	   (((bit)>>5)==6 && (1UL<<((bit)&31) & DISABLED_MASK6)) ||	\
-	   (((bit)>>5)==7 && (1UL<<((bit)&31) & DISABLED_MASK7)) ||	\
-	   (((bit)>>5)==8 && (1UL<<((bit)&31) & DISABLED_MASK8)) ||	\
-	   (((bit)>>5)==9 && (1UL<<((bit)&31) & DISABLED_MASK9)) )
+	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & DISABLED_MASK0 )) ||	\
+	   (((bit)>>5)==1  && (1UL<<((bit)&31) & DISABLED_MASK1 )) ||	\
+	   (((bit)>>5)==2  && (1UL<<((bit)&31) & DISABLED_MASK2 )) ||	\
+	   (((bit)>>5)==3  && (1UL<<((bit)&31) & DISABLED_MASK3 )) ||	\
+	   (((bit)>>5)==4  && (1UL<<((bit)&31) & DISABLED_MASK4 )) ||	\
+	   (((bit)>>5)==5  && (1UL<<((bit)&31) & DISABLED_MASK5 )) ||	\
+	   (((bit)>>5)==6  && (1UL<<((bit)&31) & DISABLED_MASK6 )) ||	\
+	   (((bit)>>5)==7  && (1UL<<((bit)&31) & DISABLED_MASK7 )) ||	\
+	   (((bit)>>5)==8  && (1UL<<((bit)&31) & DISABLED_MASK8 )) ||	\
+	   (((bit)>>5)==9  && (1UL<<((bit)&31) & DISABLED_MASK9 )) ||	\
+	   (((bit)>>5)==10 && (1UL<<((bit)&31) & DISABLED_MASK10)) ||	\
+	   (((bit)>>5)==11 && (1UL<<((bit)&31) & DISABLED_MASK11)) ||	\
+	   (((bit)>>5)==12 && (1UL<<((bit)&31) & DISABLED_MASK12)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK13)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK14)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK15)) ||	\
+	   (((bit)>>5)==14 && (1UL<<((bit)&31) & DISABLED_MASK16)) )
 
 #define cpu_has(c, bit)							\
 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 :	\
@@ -79,6 +94,10 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : 	\
 	 x86_this_cpu_test_bit(bit, (unsigned long *)&cpu_info.x86_capability))
 
+/* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx), word 16 */
+#define X86_FEATURE_PKU		(16*32+ 3) /* Protection Keys for Userspace */
+#define X86_FEATURE_OSPKE	(16*32+ 4) /* OS Protection Keys Enable */
+
 /*
  * This macro is for detection of features which need kernel
  * infrastructure to be used.  It may *not* directly test the CPU
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 255ea74..6ebb4c2d 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -12,7 +12,7 @@
 /*
  * Defines x86 CPU feature bits
  */
-#define NCAPINTS	16	/* N 32-bit words worth of info */
+#define NCAPINTS	17	/* N 32-bit words worth of info */
 #define NBUGINTS	1	/* N 32-bit bug flags */
 
 /*
diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
index 8b17c2a..522a069 100644
--- a/arch/x86/include/asm/disabled-features.h
+++ b/arch/x86/include/asm/disabled-features.h
@@ -30,6 +30,14 @@
 # define DISABLE_PCID		(1<<(X86_FEATURE_PCID & 31))
 #endif /* CONFIG_X86_64 */
 
+#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
+# define DISABLE_PKU		(1<<(X86_FEATURE_PKU))
+# define DISABLE_OSPKE		(1<<(X86_FEATURE_OSPKE))
+#else
+# define DISABLE_PKU		0
+# define DISABLE_OSPKE		0
+#endif /* CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS */
+
 /*
  * Make sure to add features to the correct mask
  */
@@ -43,5 +51,12 @@
 #define DISABLED_MASK7	0
 #define DISABLED_MASK8	0
 #define DISABLED_MASK9	(DISABLE_MPX)
+#define DISABLED_MASK10	0
+#define DISABLED_MASK11	0
+#define DISABLED_MASK12	0
+#define DISABLED_MASK13	0
+#define DISABLED_MASK14	0
+#define DISABLED_MASK15	0
+#define DISABLED_MASK16	(DISABLE_PKU|DISABLE_OSPKE)
 
 #endif /* _ASM_X86_DISABLED_FEATURES_H */
diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h
index 5c6e4fb..4916144 100644
--- a/arch/x86/include/asm/required-features.h
+++ b/arch/x86/include/asm/required-features.h
@@ -92,5 +92,12 @@
 #define REQUIRED_MASK7	0
 #define REQUIRED_MASK8	0
 #define REQUIRED_MASK9	0
+#define REQUIRED_MASK10	0
+#define REQUIRED_MASK11	0
+#define REQUIRED_MASK12	0
+#define REQUIRED_MASK13	0
+#define REQUIRED_MASK14	0
+#define REQUIRED_MASK15	0
+#define REQUIRED_MASK16	0
 
 #endif /* _ASM_X86_REQUIRED_FEATURES_H */
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 58d56c4..d6a7b6f2 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -693,6 +693,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
 		c->x86_capability[CPUID_7_0_EBX] = ebx;
 
 		c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006);
+		c->x86_capability[CPUID_7_ECX] = ecx;
 	}
 
 	/* Extended state features: level 0x0000000d */

Patch "[PATCH 4.4.y 015/101] x86/cpufeature, x86/mm/pkeys: Add protection keys related CPUID definitions" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    [PATCH 4.4.y 015/101] x86/cpufeature, x86/mm/pkeys: Add protection keys related CPUID definitions

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-cpufeature-x86-mm-pkeys-add-protection-keys-related-cpuid-definitions.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Sun Jul 15 12:18:31 CEST 2018
From: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu>
Date: Sat, 14 Jul 2018 02:28:04 -0700
Subject: [PATCH 4.4.y 015/101] x86/cpufeature, x86/mm/pkeys: Add protection keys related CPUID definitions
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: Dave Hansen <dave.hansen@linux.intel.com>, Thomas Gleixner <tglx@linutronix.de>, Andrew Morton <akpm@linux-foundation.org>, Andy Lutomirski <luto@amacapital.net>, Borislav Petkov <bp@alien8.de>, Brian Gerst <brgerst@gmail.com>, Dave Hansen <dave@sr71.net>, Denys Vlasenko <dvlasenk@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>, Linus Torvalds <torvalds@linux-foundation.org>, Peter Zijlstra <peterz@infradead.org>, Rik van Riel <riel@redhat.com>, linux-mm@kvack.org, Ingo Molnar <mingo@kernel.org>, "Matt Helsley \(VMware\)" <matt.helsley@gmail.com>, Alexey Makhalov <amakhalov@vmware.com>, Bo Gan <ganb@vmware.com>, matt.helsley@gmail.com, rostedt@goodmis.org, amakhalov@vmware.com, ganb@vmware.com, srivatsa@csail.mit.edu, srivatsab@vmware.com
Message-ID: <153156048404.10043.9924019452796692128.stgit@srivatsa-ubuntu>

From: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu>

From: Dave Hansen <dave.hansen@linux.intel.com>

commit dfb4a70f20c5b3880da56ee4c9484bdb4e8f1e65 upstream

There are two CPUID bits for protection keys.  One is for whether
the CPU contains the feature, and the other will appear set once
the OS enables protection keys.  Specifically:

	Bit 04: OSPKE. If 1, OS has set CR4.PKE to enable
	Protection keys (and the RDPKRU/WRPKRU instructions)

This is because userspace can not see CR4 contents, but it can
see CPUID contents.

X86_FEATURE_PKU is referred to as "PKU" in the hardware documentation:

	CPUID.(EAX=07H,ECX=0H):ECX.PKU [bit 3]

X86_FEATURE_OSPKE is "OSPKU":

	CPUID.(EAX=07H,ECX=0H):ECX.OSPKE [bit 4]

These are the first CPU features which need to look at the
ECX word in CPUID leaf 0x7, so this patch also includes
fetching that word in to the cpuinfo->x86_capability[] array.

Add it to the disabled-features mask when its config option is
off.  Even though we are not using it here, we also extend the
REQUIRED_MASK_BIT_SET() macro to keep it mirroring the
DISABLED_MASK_BIT_SET() version.

This means that in almost all code, you should use:

	cpu_has(c, X86_FEATURE_PKU)

and *not* the CONFIG option.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave@sr71.net>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/20160212210201.7714C250@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Matt Helsley (VMware) <matt.helsley@gmail.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

 arch/x86/include/asm/cpufeature.h        |   59 ++++++++++++++++++++-----------
 arch/x86/include/asm/cpufeatures.h       |    2 -
 arch/x86/include/asm/disabled-features.h |   15 +++++++
 arch/x86/include/asm/required-features.h |    7 +++
 arch/x86/kernel/cpu/common.c             |    1 
 5 files changed, 63 insertions(+), 21 deletions(-)

--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -26,6 +26,7 @@ enum cpuid_leafs
 	CPUID_8000_0008_EBX,
 	CPUID_6_EAX,
 	CPUID_8000_000A_EDX,
+	CPUID_7_ECX,
 };
 
 #ifdef CONFIG_X86_FEATURE_NAMES
@@ -48,28 +49,42 @@ extern const char * const x86_bug_flags[
 	 test_bit(bit, (unsigned long *)((c)->x86_capability))
 
 #define REQUIRED_MASK_BIT_SET(bit)					\
-	 ( (((bit)>>5)==0 && (1UL<<((bit)&31) & REQUIRED_MASK0)) ||	\
-	   (((bit)>>5)==1 && (1UL<<((bit)&31) & REQUIRED_MASK1)) ||	\
-	   (((bit)>>5)==2 && (1UL<<((bit)&31) & REQUIRED_MASK2)) ||	\
-	   (((bit)>>5)==3 && (1UL<<((bit)&31) & REQUIRED_MASK3)) ||	\
-	   (((bit)>>5)==4 && (1UL<<((bit)&31) & REQUIRED_MASK4)) ||	\
-	   (((bit)>>5)==5 && (1UL<<((bit)&31) & REQUIRED_MASK5)) ||	\
-	   (((bit)>>5)==6 && (1UL<<((bit)&31) & REQUIRED_MASK6)) ||	\
-	   (((bit)>>5)==7 && (1UL<<((bit)&31) & REQUIRED_MASK7)) ||	\
-	   (((bit)>>5)==8 && (1UL<<((bit)&31) & REQUIRED_MASK8)) ||	\
-	   (((bit)>>5)==9 && (1UL<<((bit)&31) & REQUIRED_MASK9)) )
+	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & REQUIRED_MASK0 )) ||	\
+	   (((bit)>>5)==1  && (1UL<<((bit)&31) & REQUIRED_MASK1 )) ||	\
+	   (((bit)>>5)==2  && (1UL<<((bit)&31) & REQUIRED_MASK2 )) ||	\
+	   (((bit)>>5)==3  && (1UL<<((bit)&31) & REQUIRED_MASK3 )) ||	\
+	   (((bit)>>5)==4  && (1UL<<((bit)&31) & REQUIRED_MASK4 )) ||	\
+	   (((bit)>>5)==5  && (1UL<<((bit)&31) & REQUIRED_MASK5 )) ||	\
+	   (((bit)>>5)==6  && (1UL<<((bit)&31) & REQUIRED_MASK6 )) ||	\
+	   (((bit)>>5)==7  && (1UL<<((bit)&31) & REQUIRED_MASK7 )) ||	\
+	   (((bit)>>5)==8  && (1UL<<((bit)&31) & REQUIRED_MASK8 )) ||	\
+	   (((bit)>>5)==9  && (1UL<<((bit)&31) & REQUIRED_MASK9 )) ||	\
+	   (((bit)>>5)==10 && (1UL<<((bit)&31) & REQUIRED_MASK10)) ||	\
+	   (((bit)>>5)==11 && (1UL<<((bit)&31) & REQUIRED_MASK11)) ||	\
+	   (((bit)>>5)==12 && (1UL<<((bit)&31) & REQUIRED_MASK12)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK13)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK14)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK15)) ||	\
+	   (((bit)>>5)==14 && (1UL<<((bit)&31) & REQUIRED_MASK16)) )
 
 #define DISABLED_MASK_BIT_SET(bit)					\
-	 ( (((bit)>>5)==0 && (1UL<<((bit)&31) & DISABLED_MASK0)) ||	\
-	   (((bit)>>5)==1 && (1UL<<((bit)&31) & DISABLED_MASK1)) ||	\
-	   (((bit)>>5)==2 && (1UL<<((bit)&31) & DISABLED_MASK2)) ||	\
-	   (((bit)>>5)==3 && (1UL<<((bit)&31) & DISABLED_MASK3)) ||	\
-	   (((bit)>>5)==4 && (1UL<<((bit)&31) & DISABLED_MASK4)) ||	\
-	   (((bit)>>5)==5 && (1UL<<((bit)&31) & DISABLED_MASK5)) ||	\
-	   (((bit)>>5)==6 && (1UL<<((bit)&31) & DISABLED_MASK6)) ||	\
-	   (((bit)>>5)==7 && (1UL<<((bit)&31) & DISABLED_MASK7)) ||	\
-	   (((bit)>>5)==8 && (1UL<<((bit)&31) & DISABLED_MASK8)) ||	\
-	   (((bit)>>5)==9 && (1UL<<((bit)&31) & DISABLED_MASK9)) )
+	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & DISABLED_MASK0 )) ||	\
+	   (((bit)>>5)==1  && (1UL<<((bit)&31) & DISABLED_MASK1 )) ||	\
+	   (((bit)>>5)==2  && (1UL<<((bit)&31) & DISABLED_MASK2 )) ||	\
+	   (((bit)>>5)==3  && (1UL<<((bit)&31) & DISABLED_MASK3 )) ||	\
+	   (((bit)>>5)==4  && (1UL<<((bit)&31) & DISABLED_MASK4 )) ||	\
+	   (((bit)>>5)==5  && (1UL<<((bit)&31) & DISABLED_MASK5 )) ||	\
+	   (((bit)>>5)==6  && (1UL<<((bit)&31) & DISABLED_MASK6 )) ||	\
+	   (((bit)>>5)==7  && (1UL<<((bit)&31) & DISABLED_MASK7 )) ||	\
+	   (((bit)>>5)==8  && (1UL<<((bit)&31) & DISABLED_MASK8 )) ||	\
+	   (((bit)>>5)==9  && (1UL<<((bit)&31) & DISABLED_MASK9 )) ||	\
+	   (((bit)>>5)==10 && (1UL<<((bit)&31) & DISABLED_MASK10)) ||	\
+	   (((bit)>>5)==11 && (1UL<<((bit)&31) & DISABLED_MASK11)) ||	\
+	   (((bit)>>5)==12 && (1UL<<((bit)&31) & DISABLED_MASK12)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK13)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK14)) ||	\
+	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK15)) ||	\
+	   (((bit)>>5)==14 && (1UL<<((bit)&31) & DISABLED_MASK16)) )
 
 #define cpu_has(c, bit)							\
 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 :	\
@@ -79,6 +94,10 @@ extern const char * const x86_bug_flags[
 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : 	\
 	 x86_this_cpu_test_bit(bit, (unsigned long *)&cpu_info.x86_capability))
 
+/* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx), word 16 */
+#define X86_FEATURE_PKU		(16*32+ 3) /* Protection Keys for Userspace */
+#define X86_FEATURE_OSPKE	(16*32+ 4) /* OS Protection Keys Enable */
+
 /*
  * This macro is for detection of features which need kernel
  * infrastructure to be used.  It may *not* directly test the CPU
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -12,7 +12,7 @@
 /*
  * Defines x86 CPU feature bits
  */
-#define NCAPINTS	16	/* N 32-bit words worth of info */
+#define NCAPINTS	17	/* N 32-bit words worth of info */
 #define NBUGINTS	1	/* N 32-bit bug flags */
 
 /*
--- a/arch/x86/include/asm/disabled-features.h
+++ b/arch/x86/include/asm/disabled-features.h
@@ -30,6 +30,14 @@
 # define DISABLE_PCID		(1<<(X86_FEATURE_PCID & 31))
 #endif /* CONFIG_X86_64 */
 
+#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
+# define DISABLE_PKU		(1<<(X86_FEATURE_PKU))
+# define DISABLE_OSPKE		(1<<(X86_FEATURE_OSPKE))
+#else
+# define DISABLE_PKU		0
+# define DISABLE_OSPKE		0
+#endif /* CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS */
+
 /*
  * Make sure to add features to the correct mask
  */
@@ -43,5 +51,12 @@
 #define DISABLED_MASK7	0
 #define DISABLED_MASK8	0
 #define DISABLED_MASK9	(DISABLE_MPX)
+#define DISABLED_MASK10	0
+#define DISABLED_MASK11	0
+#define DISABLED_MASK12	0
+#define DISABLED_MASK13	0
+#define DISABLED_MASK14	0
+#define DISABLED_MASK15	0
+#define DISABLED_MASK16	(DISABLE_PKU|DISABLE_OSPKE)
 
 #endif /* _ASM_X86_DISABLED_FEATURES_H */
--- a/arch/x86/include/asm/required-features.h
+++ b/arch/x86/include/asm/required-features.h
@@ -92,5 +92,12 @@
 #define REQUIRED_MASK7	0
 #define REQUIRED_MASK8	0
 #define REQUIRED_MASK9	0
+#define REQUIRED_MASK10	0
+#define REQUIRED_MASK11	0
+#define REQUIRED_MASK12	0
+#define REQUIRED_MASK13	0
+#define REQUIRED_MASK14	0
+#define REQUIRED_MASK15	0
+#define REQUIRED_MASK16	0
 
 #endif /* _ASM_X86_REQUIRED_FEATURES_H */
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -693,6 +693,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
 		c->x86_capability[CPUID_7_0_EBX] = ebx;
 
 		c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006);
+		c->x86_capability[CPUID_7_ECX] = ecx;
 	}
 
 	/* Extended state features: level 0x0000000d */


Patches currently in stable-queue which might be from srivatsa@csail.mit.edu are

queue-4.4/x86-cpufeature-x86-mm-pkeys-add-protection-keys-related-cpuid-definitions.patch
queue-4.4/x86-cpufeature-get-rid-of-the-non-asm-goto-variant.patch
queue-4.4/x86-boot-simplify-kernel-load-address-alignment-check.patch
queue-4.4/x86-cpufeature-speed-up-cpu_feature_enabled.patch
queue-4.4/x86-fpu-get-rid-of-xstate_fault.patch
queue-4.4/x86-cpufeature-x86-mm-pkeys-fix-broken-compile-time-disabling-of-pkeys.patch
queue-4.4/x86-cpufeature-add-helper-macro-for-mask-check-macros.patch
queue-4.4/x86-cpufeature-move-some-of-the-scattered-feature-bits-to-x86_capability.patch
queue-4.4/x86-cpu-add-detection-of-amd-ras-capabilities.patch
queue-4.4/x86-cpu-provide-a-config-option-to-disable-static_cpu_has.patch
queue-4.4/x86-fpu-add-an-xstate_op-macro.patch
queue-4.4/x86-cpufeature-make-sure-disabled-required-macros-are-updated.patch
queue-4.4/x86-headers-don-t-include-asm-processor.h-in-asm-atomic.h.patch
queue-4.4/x86-cpufeature-cleanup-get_cpu_cap.patch
queue-4.4/x86-mm-pkeys-fix-mismerge-of-protection-keys-cpuid-bits.patch
queue-4.4/x86-cpufeature-carve-out-x86_feature_.patch
queue-4.4/x86-cpufeature-update-cpufeaure-macros.patch
queue-4.4/x86-cpufeature-replace-the-old-static_cpu_has-with-safe-variant.patch
queue-4.4/x86-vdso-use-static_cpu_has.patch
queue-4.4/x86-alternatives-discard-dynamic-check-after-init.patch
queue-4.4/x86-alternatives-add-an-auxilary-section.patch

[PATCH 4.4.y 041/101] x86/mm: Factor out LDT init from context init

[Srivatsa S. Bhat]

From: Dave Hansen <dave.hansen@linux.intel.com>

commit 39a0526fb3f7d93433d146304278477eb463f8af upstream

The arch-specific mm_context_t is a great place to put
protection-key allocation state.

But, we need to initialize the allocation state because pkey 0 is
always "allocated".  All of the runtime initialization of
mm_context_t is done in *_ldt() manipulation functions.  This
renames the existing LDT functions like this:

	init_new_context() -> init_new_context_ldt()
	destroy_context() -> destroy_context_ldt()

and makes init_new_context() and destroy_context() available for
generic use.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave@sr71.net>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/20160212210234.DB34FCC5@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Matt Helsley (VMware) <matt.helsley@gmail.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
---

 arch/x86/include/asm/mmu_context.h |   21 ++++++++++++++++-----
 arch/x86/kernel/ldt.c              |    4 ++--
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index 9bfc5fd..1c4794f 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -52,15 +52,15 @@ struct ldt_struct {
 /*
  * Used for LDT copy/destruction.
  */
-int init_new_context(struct task_struct *tsk, struct mm_struct *mm);
-void destroy_context(struct mm_struct *mm);
+int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm);
+void destroy_context_ldt(struct mm_struct *mm);
 #else	/* CONFIG_MODIFY_LDT_SYSCALL */
-static inline int init_new_context(struct task_struct *tsk,
-				   struct mm_struct *mm)
+static inline int init_new_context_ldt(struct task_struct *tsk,
+				       struct mm_struct *mm)
 {
 	return 0;
 }
-static inline void destroy_context(struct mm_struct *mm) {}
+static inline void destroy_context_ldt(struct mm_struct *mm) {}
 #endif
 
 static inline void load_mm_ldt(struct mm_struct *mm)
@@ -102,6 +102,17 @@ static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
 		this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
 }
 
+static inline int init_new_context(struct task_struct *tsk,
+				   struct mm_struct *mm)
+{
+	init_new_context_ldt(tsk, mm);
+	return 0;
+}
+static inline void destroy_context(struct mm_struct *mm)
+{
+	destroy_context_ldt(mm);
+}
+
 extern void switch_mm(struct mm_struct *prev, struct mm_struct *next,
 		      struct task_struct *tsk);
 
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index bc42936..8bc68cf 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -119,7 +119,7 @@ static void free_ldt_struct(struct ldt_struct *ldt)
  * we do not have to muck with descriptors here, that is
  * done in switch_mm() as needed.
  */
-int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
+int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm)
 {
 	struct ldt_struct *new_ldt;
 	struct mm_struct *old_mm;
@@ -160,7 +160,7 @@ out_unlock:
  *
  * 64bit: Don't touch the LDT register - we're already in the next thread.
  */
-void destroy_context(struct mm_struct *mm)
+void destroy_context_ldt(struct mm_struct *mm)
 {
 	free_ldt_struct(mm->context.ldt);
 	mm->context.ldt = NULL;

Patch "x86/mm: Factor out LDT init from context init" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    x86/mm: Factor out LDT init from context init

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-mm-factor-out-ldt-init-from-context-init.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Mon Jul 23 10:04:05 CEST 2018
From: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu>
Date: Sat, 14 Jul 2018 02:31:57 -0700
Subject: x86/mm: Factor out LDT init from context init
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: Dave Hansen <dave.hansen@linux.intel.com>, Thomas Gleixner <tglx@linutronix.de>, Andrew Morton <akpm@linux-foundation.org>, Andy Lutomirski <luto@amacapital.net>, Borislav Petkov <bp@alien8.de>, Brian Gerst <brgerst@gmail.com>, Dave Hansen <dave@sr71.net>, Denys Vlasenko <dvlasenk@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>, Linus Torvalds <torvalds@linux-foundation.org>, Peter Zijlstra <peterz@infradead.org>, Rik van Riel <riel@redhat.com>, linux-mm@kvack.org, Ingo Molnar <mingo@kernel.org>, "Matt Helsley \(VMware\)" <matt.helsley@gmail.com>, Alexey Makhalov <amakhalov@vmware.com>, Bo Gan <ganb@vmware.com>, matt.helsley@gmail.com, rostedt@goodmis.org, amakhalov@vmware.com, ganb@vmware.com, srivatsa@csail.mit.edu, srivatsab@vmware.com
Message-ID: <153156071778.10043.13239124304280929230.stgit@srivatsa-ubuntu>

From: Dave Hansen <dave.hansen@linux.intel.com>

commit 39a0526fb3f7d93433d146304278477eb463f8af upstream

The arch-specific mm_context_t is a great place to put
protection-key allocation state.

But, we need to initialize the allocation state because pkey 0 is
always "allocated".  All of the runtime initialization of
mm_context_t is done in *_ldt() manipulation functions.  This
renames the existing LDT functions like this:

	init_new_context() -> init_new_context_ldt()
	destroy_context() -> destroy_context_ldt()

and makes init_new_context() and destroy_context() available for
generic use.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave@sr71.net>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/20160212210234.DB34FCC5@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Matt Helsley (VMware) <matt.helsley@gmail.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

 arch/x86/include/asm/mmu_context.h |   21 ++++++++++++++++-----
 arch/x86/kernel/ldt.c              |    4 ++--
 2 files changed, 18 insertions(+), 7 deletions(-)

--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -52,15 +52,15 @@ struct ldt_struct {
 /*
  * Used for LDT copy/destruction.
  */
-int init_new_context(struct task_struct *tsk, struct mm_struct *mm);
-void destroy_context(struct mm_struct *mm);
+int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm);
+void destroy_context_ldt(struct mm_struct *mm);
 #else	/* CONFIG_MODIFY_LDT_SYSCALL */
-static inline int init_new_context(struct task_struct *tsk,
-				   struct mm_struct *mm)
+static inline int init_new_context_ldt(struct task_struct *tsk,
+				       struct mm_struct *mm)
 {
 	return 0;
 }
-static inline void destroy_context(struct mm_struct *mm) {}
+static inline void destroy_context_ldt(struct mm_struct *mm) {}
 #endif
 
 static inline void load_mm_ldt(struct mm_struct *mm)
@@ -102,6 +102,17 @@ static inline void enter_lazy_tlb(struct
 		this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
 }
 
+static inline int init_new_context(struct task_struct *tsk,
+				   struct mm_struct *mm)
+{
+	init_new_context_ldt(tsk, mm);
+	return 0;
+}
+static inline void destroy_context(struct mm_struct *mm)
+{
+	destroy_context_ldt(mm);
+}
+
 extern void switch_mm(struct mm_struct *prev, struct mm_struct *next,
 		      struct task_struct *tsk);
 
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -119,7 +119,7 @@ static void free_ldt_struct(struct ldt_s
  * we do not have to muck with descriptors here, that is
  * done in switch_mm() as needed.
  */
-int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
+int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm)
 {
 	struct ldt_struct *new_ldt;
 	struct mm_struct *old_mm;
@@ -160,7 +160,7 @@ out_unlock:
  *
  * 64bit: Don't touch the LDT register - we're already in the next thread.
  */
-void destroy_context(struct mm_struct *mm)
+void destroy_context_ldt(struct mm_struct *mm)
 {
 	free_ldt_struct(mm->context.ldt);
 	mm->context.ldt = NULL;


Patches currently in stable-queue which might be from srivatsa@csail.mit.edu are

queue-4.4/x86-bugs-rename-_rds-to-_ssbd.patch
queue-4.4/x86-speculation-remove-skylake-c2-from-speculation-control-microcode-blacklist.patch
queue-4.4/documentation-spec_ctrl-do-some-minor-cleanups.patch
queue-4.4/x86-speculation-handle-ht-correctly-on-amd.patch
queue-4.4/x86-cpufeatures-add-x86_feature_rds.patch
queue-4.4/x86-speculation-fix-up-array_index_nospec_mask-asm-constraint.patch
queue-4.4/x86-bugs-remove-x86_spec_ctrl_set.patch
queue-4.4/x86-speculation-add-asm-msr-index.h-dependency.patch
queue-4.4/x86-cpu-intel-add-knights-mill-to-intel-family.patch
queue-4.4/x86-bugs-concentrate-bug-detection-into-a-separate-function.patch
queue-4.4/x86-bugs-fix-the-parameters-alignment-and-missing-void.patch
queue-4.4/x86-bugs-whitelist-allowed-spec_ctrl-msr-values.patch
queue-4.4/prctl-add-force-disable-speculation.patch
queue-4.4/x86-cpufeatures-add-intel-feature-bits-for-speculation-control.patch
queue-4.4/x86-speculation-use-synthetic-bits-for-ibrs-ibpb-stibp.patch
queue-4.4/x86-cpuid-fix-up-virtual-ibrs-ibpb-stibp-feature-bits-on-intel.patch
queue-4.4/x86-nospec-simplify-alternative_msr_write.patch
queue-4.4/x86-bugs-intel-set-proper-cpu-features-and-setup-rds.patch
queue-4.4/x86-speculation-use-indirect-branch-prediction-barrier-in-context-switch.patch
queue-4.4/x86-process-correct-and-optimize-tif_blockstep-switch.patch
queue-4.4/x86-speculation-use-ibrs-if-available-before-calling-into-firmware.patch
queue-4.4/x86-speculation-rework-speculative_store_bypass_update.patch
queue-4.4/x86-asm-entry-32-simplify-pushes-of-zeroed-pt_regs-regs.patch
queue-4.4/x86-bugs-make-cpu_show_common-static.patch
queue-4.4/seccomp-use-pr_spec_force_disable.patch
queue-4.4/x86-cpufeatures-disentangle-ssbd-enumeration.patch
queue-4.4/x86-cpu-amd-fix-erratum-1076-cpb-bit.patch
queue-4.4/x86-speculation-correct-speculation-control-microcode-blacklist-again.patch
queue-4.4/x86-cpu-rename-merrifield2-to-moorefield.patch
queue-4.4/x86-cpu-make-alternative_msr_write-work-for-32-bit-code.patch
queue-4.4/x86-cpufeatures-disentangle-msr_spec_ctrl-enumeration-from-ibrs.patch
queue-4.4/x86-cpufeatures-add-cpuid_7_edx-cpuid-leaf.patch
queue-4.4/x86-bugs-fix-__ssb_select_mitigation-return-type.patch
queue-4.4/x86-cpufeatures-add-feature_zen.patch
queue-4.4/xen-set-cpu-capabilities-from-xen_start_kernel.patch
queue-4.4/x86-bugs-rename-ssbd_no-to-ssb_no.patch
queue-4.4/x86-speculation-add-prctl-for-speculative-store-bypass-mitigation.patch
queue-4.4/x86-msr-add-definitions-for-new-speculation-control-msrs.patch
queue-4.4/seccomp-enable-speculation-flaw-mitigations.patch
queue-4.4/x86-spectre_v2-don-t-check-microcode-versions-when-running-under-hypervisors.patch
queue-4.4/selftest-seccomp-fix-the-seccomp-2-signature.patch
queue-4.4/proc-use-underscores-for-ssbd-in-status.patch
queue-4.4/x86-bugs-amd-add-support-to-disable-rds-on-famh-if-requested.patch
queue-4.4/x86-cpufeature-blacklist-spec_ctrl-pred_cmd-on-early-spectre-v2-microcodes.patch
queue-4.4/x86-bugs-rework-spec_ctrl-base-and-mask-logic.patch
queue-4.4/seccomp-add-filter-flag-to-opt-out-of-ssb-mitigation.patch
queue-4.4/x86-speculation-make-seccomp-the-default-mode-for-speculative-store-bypass.patch
queue-4.4/x86-bugs-kvm-support-the-combination-of-guest-and-host-ibrs.patch
queue-4.4/selftest-seccomp-fix-the-flag-name-seccomp_filter_flag_tsync.patch
queue-4.4/x86-mm-factor-out-ldt-init-from-context-init.patch
queue-4.4/x86-speculation-create-spec-ctrl.h-to-avoid-include-hell.patch
queue-4.4/x86-cpufeatures-clean-up-spectre-v2-related-cpuid-flags.patch
queue-4.4/x86-bugs-expose-sys-..-spec_store_bypass.patch
queue-4.4/nospec-allow-getting-setting-on-non-current-task.patch
queue-4.4/x86-speculation-clean-up-various-spectre-related-details.patch
queue-4.4/x86-bugs-concentrate-bug-reporting-into-a-separate-function.patch
queue-4.4/x86-pti-mark-constant-arrays-as-__initconst.patch
queue-4.4/x86-cpufeatures-add-amd-feature-bits-for-speculation-control.patch
queue-4.4/x86-pti-do-not-enable-pti-on-cpus-which-are-not-vulnerable-to-meltdown.patch
queue-4.4/x86-mm-give-each-mm-tlb-flush-generation-a-unique-id.patch
queue-4.4/seccomp-move-speculation-migitation-control-to-arch-code.patch
queue-4.4/x86-speculation-move-firmware_restrict_branch_speculation_-from-c-to-cpp.patch
queue-4.4/x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch
queue-4.4/x86-amd-don-t-set-x86_bug_sysret_ss_attrs-when-running-under-xen.patch
queue-4.4/x86-bugs-kvm-extend-speculation-control-for-virt_spec_ctrl.patch
queue-4.4/prctl-add-speculation-control-prctls.patch
queue-4.4/x86-process-optimize-tif_notsc-switch.patch
queue-4.4/x86-process-allow-runtime-control-of-speculative-store-bypass.patch
queue-4.4/x86-bugs-unify-x86_spec_ctrl_-set_guest-restore_host.patch
queue-4.4/x86-bugs-expose-x86_spec_ctrl_base-directly.patch
queue-4.4/x86-bugs-provide-boot-parameters-for-the-spec_store_bypass_disable-mitigation.patch
queue-4.4/x86-speculation-update-speculation-control-microcode-blacklist.patch
queue-4.4/proc-provide-details-on-speculation-flaw-mitigations.patch
queue-4.4/x86-speculation-add-basic-ibpb-indirect-branch-prediction-barrier-support.patch
queue-4.4/x86-speculation-kvm-implement-support-for-virt_spec_ctrl-ls_cfg.patch
queue-4.4/x86-entry-64-compat-clear-registers-for-compat-syscalls-to-reduce-speculation-attack-surface.patch
queue-4.4/x86-process-optimize-tif-checks-in-__switch_to_xtra.patch
queue-4.4/x86-speculation-add-virtualized-speculative-store-bypass-disable-support.patch
queue-4.4/x86-bugs-read-spec_ctrl-msr-during-boot-and-re-use-reserved-bits.patch

[PATCH 4.4.y 042/101] x86/mm: Give each mm TLB flush generation a unique ID

[Srivatsa S. Bhat]

From: Andy Lutomirski <luto@kernel.org>

commit f39681ed0f48498b80455095376f11535feea332 upstream.

This adds two new variables to mmu_context_t: ctx_id and tlb_gen.
ctx_id uniquely identifies the mm_struct and will never be reused.
For a given mm_struct (and hence ctx_id), tlb_gen is a monotonic
count of the number of times that a TLB flush has been requested.
The pair (ctx_id, tlb_gen) can be used as an identifier for TLB
flush actions and will be used in subsequent patches to reliably
determine whether all needed TLB flushes have occurred on a given
CPU.

This patch is split out for ease of review.  By itself, it has no
real effect other than creating and updating the new variables.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Reviewed-by: Nadav Amit <nadav.amit@gmail.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/413a91c24dab3ed0caa5f4e4d017d87b0857f920.1498751203.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Matt Helsley (VMware) <matt.helsley@gmail.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
---

 arch/x86/include/asm/mmu.h         |   15 +++++++++++++--
 arch/x86/include/asm/mmu_context.h |    4 ++++
 arch/x86/mm/tlb.c                  |    2 ++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
index 7680b76..3359dfe 100644
--- a/arch/x86/include/asm/mmu.h
+++ b/arch/x86/include/asm/mmu.h
@@ -3,12 +3,18 @@
 
 #include <linux/spinlock.h>
 #include <linux/mutex.h>
+#include <linux/atomic.h>
 
 /*
- * The x86 doesn't have a mmu context, but
- * we put the segment information here.
+ * x86 has arch-specific MMU state beyond what lives in mm_struct.
  */
 typedef struct {
+	/*
+	 * ctx_id uniquely identifies this mm_struct.  A ctx_id will never
+	 * be reused, and zero is not a valid ctx_id.
+	 */
+	u64 ctx_id;
+
 #ifdef CONFIG_MODIFY_LDT_SYSCALL
 	struct ldt_struct *ldt;
 #endif
@@ -24,6 +30,11 @@ typedef struct {
 	atomic_t perf_rdpmc_allowed;	/* nonzero if rdpmc is allowed */
 } mm_context_t;
 
+#define INIT_MM_CONTEXT(mm)						\
+	.context = {							\
+		.ctx_id = 1,						\
+	}
+
 void leave_mm(int cpu);
 
 #endif /* _ASM_X86_MMU_H */
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index 1c4794f..effc127 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -11,6 +11,9 @@
 #include <asm/tlbflush.h>
 #include <asm/paravirt.h>
 #include <asm/mpx.h>
+
+extern atomic64_t last_mm_ctx_id;
+
 #ifndef CONFIG_PARAVIRT
 static inline void paravirt_activate_mm(struct mm_struct *prev,
 					struct mm_struct *next)
@@ -105,6 +108,7 @@ static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
 static inline int init_new_context(struct task_struct *tsk,
 				   struct mm_struct *mm)
 {
+	mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id);
 	init_new_context_ldt(tsk, mm);
 	return 0;
 }
diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
index 7cad01af..efec198 100644
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -29,6 +29,8 @@
  *	Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
  */
 
+atomic64_t last_mm_ctx_id = ATOMIC64_INIT(1);
+
 struct flush_tlb_info {
 	struct mm_struct *flush_mm;
 	unsigned long flush_start;

Patch "x86/mm: Give each mm TLB flush generation a unique ID" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    x86/mm: Give each mm TLB flush generation a unique ID

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-mm-give-each-mm-tlb-flush-generation-a-unique-id.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Mon Jul 23 10:04:05 CEST 2018
From: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu>
Date: Sat, 14 Jul 2018 02:32:07 -0700
Subject: x86/mm: Give each mm TLB flush generation a unique ID
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: Andy Lutomirski <luto@kernel.org>, Nadav Amit <nadav.amit@gmail.com>, Thomas Gleixner <tglx@linutronix.de>, Andrew Morton <akpm@linux-foundation.org>, Arjan van de Ven <arjan@linux.intel.com>, Borislav Petkov <bp@alien8.de>, Dave Hansen <dave.hansen@intel.com>, Linus Torvalds <torvalds@linux-foundation.org>, Mel Gorman <mgorman@suse.de>, Peter Zijlstra <peterz@infradead.org>, Rik van Riel <riel@redhat.com>, linux-mm@kvack.org, Ingo Molnar <mingo@kernel.org>, Tim Chen <tim.c.chen@linux.intel.com>, "Matt Helsley \(VMware\)" <matt.helsley@gmail.com>, Alexey Makhalov <amakhalov@vmware.com>, Bo Gan <ganb@vmware.com>, matt.helsley@gmail.com, rostedt@goodmis.org, amakhalov@vmware.com, ganb@vmware.com, srivatsa@csail.mit.edu, srivatsab@vmware.com
Message-ID: <153156072694.10043.1719994417190491710.stgit@srivatsa-ubuntu>

From: Andy Lutomirski <luto@kernel.org>

commit f39681ed0f48498b80455095376f11535feea332 upstream.

This adds two new variables to mmu_context_t: ctx_id and tlb_gen.
ctx_id uniquely identifies the mm_struct and will never be reused.
For a given mm_struct (and hence ctx_id), tlb_gen is a monotonic
count of the number of times that a TLB flush has been requested.
The pair (ctx_id, tlb_gen) can be used as an identifier for TLB
flush actions and will be used in subsequent patches to reliably
determine whether all needed TLB flushes have occurred on a given
CPU.

This patch is split out for ease of review.  By itself, it has no
real effect other than creating and updating the new variables.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Reviewed-by: Nadav Amit <nadav.amit@gmail.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/413a91c24dab3ed0caa5f4e4d017d87b0857f920.1498751203.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Matt Helsley (VMware) <matt.helsley@gmail.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

 arch/x86/include/asm/mmu.h         |   15 +++++++++++++--
 arch/x86/include/asm/mmu_context.h |    4 ++++
 arch/x86/mm/tlb.c                  |    2 ++
 3 files changed, 19 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/mmu.h
+++ b/arch/x86/include/asm/mmu.h
@@ -3,12 +3,18 @@
 
 #include <linux/spinlock.h>
 #include <linux/mutex.h>
+#include <linux/atomic.h>
 
 /*
- * The x86 doesn't have a mmu context, but
- * we put the segment information here.
+ * x86 has arch-specific MMU state beyond what lives in mm_struct.
  */
 typedef struct {
+	/*
+	 * ctx_id uniquely identifies this mm_struct.  A ctx_id will never
+	 * be reused, and zero is not a valid ctx_id.
+	 */
+	u64 ctx_id;
+
 #ifdef CONFIG_MODIFY_LDT_SYSCALL
 	struct ldt_struct *ldt;
 #endif
@@ -24,6 +30,11 @@ typedef struct {
 	atomic_t perf_rdpmc_allowed;	/* nonzero if rdpmc is allowed */
 } mm_context_t;
 
+#define INIT_MM_CONTEXT(mm)						\
+	.context = {							\
+		.ctx_id = 1,						\
+	}
+
 void leave_mm(int cpu);
 
 #endif /* _ASM_X86_MMU_H */
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -11,6 +11,9 @@
 #include <asm/tlbflush.h>
 #include <asm/paravirt.h>
 #include <asm/mpx.h>
+
+extern atomic64_t last_mm_ctx_id;
+
 #ifndef CONFIG_PARAVIRT
 static inline void paravirt_activate_mm(struct mm_struct *prev,
 					struct mm_struct *next)
@@ -105,6 +108,7 @@ static inline void enter_lazy_tlb(struct
 static inline int init_new_context(struct task_struct *tsk,
 				   struct mm_struct *mm)
 {
+	mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id);
 	init_new_context_ldt(tsk, mm);
 	return 0;
 }
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -29,6 +29,8 @@
  *	Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
  */
 
+atomic64_t last_mm_ctx_id = ATOMIC64_INIT(1);
+
 struct flush_tlb_info {
 	struct mm_struct *flush_mm;
 	unsigned long flush_start;


Patches currently in stable-queue which might be from srivatsa@csail.mit.edu are

queue-4.4/x86-bugs-rename-_rds-to-_ssbd.patch
queue-4.4/x86-speculation-remove-skylake-c2-from-speculation-control-microcode-blacklist.patch
queue-4.4/documentation-spec_ctrl-do-some-minor-cleanups.patch
queue-4.4/x86-speculation-handle-ht-correctly-on-amd.patch
queue-4.4/x86-cpufeatures-add-x86_feature_rds.patch
queue-4.4/x86-speculation-fix-up-array_index_nospec_mask-asm-constraint.patch
queue-4.4/x86-bugs-remove-x86_spec_ctrl_set.patch
queue-4.4/x86-speculation-add-asm-msr-index.h-dependency.patch
queue-4.4/x86-cpu-intel-add-knights-mill-to-intel-family.patch
queue-4.4/x86-bugs-concentrate-bug-detection-into-a-separate-function.patch
queue-4.4/x86-bugs-fix-the-parameters-alignment-and-missing-void.patch
queue-4.4/x86-bugs-whitelist-allowed-spec_ctrl-msr-values.patch
queue-4.4/prctl-add-force-disable-speculation.patch
queue-4.4/x86-cpufeatures-add-intel-feature-bits-for-speculation-control.patch
queue-4.4/x86-speculation-use-synthetic-bits-for-ibrs-ibpb-stibp.patch
queue-4.4/x86-cpuid-fix-up-virtual-ibrs-ibpb-stibp-feature-bits-on-intel.patch
queue-4.4/x86-nospec-simplify-alternative_msr_write.patch
queue-4.4/x86-bugs-intel-set-proper-cpu-features-and-setup-rds.patch
queue-4.4/x86-speculation-use-indirect-branch-prediction-barrier-in-context-switch.patch
queue-4.4/x86-process-correct-and-optimize-tif_blockstep-switch.patch
queue-4.4/x86-speculation-use-ibrs-if-available-before-calling-into-firmware.patch
queue-4.4/x86-speculation-rework-speculative_store_bypass_update.patch
queue-4.4/x86-asm-entry-32-simplify-pushes-of-zeroed-pt_regs-regs.patch
queue-4.4/x86-bugs-make-cpu_show_common-static.patch
queue-4.4/seccomp-use-pr_spec_force_disable.patch
queue-4.4/x86-cpufeatures-disentangle-ssbd-enumeration.patch
queue-4.4/x86-cpu-amd-fix-erratum-1076-cpb-bit.patch
queue-4.4/x86-speculation-correct-speculation-control-microcode-blacklist-again.patch
queue-4.4/x86-cpu-rename-merrifield2-to-moorefield.patch
queue-4.4/x86-cpu-make-alternative_msr_write-work-for-32-bit-code.patch
queue-4.4/x86-cpufeatures-disentangle-msr_spec_ctrl-enumeration-from-ibrs.patch
queue-4.4/x86-cpufeatures-add-cpuid_7_edx-cpuid-leaf.patch
queue-4.4/x86-bugs-fix-__ssb_select_mitigation-return-type.patch
queue-4.4/x86-cpufeatures-add-feature_zen.patch
queue-4.4/xen-set-cpu-capabilities-from-xen_start_kernel.patch
queue-4.4/x86-bugs-rename-ssbd_no-to-ssb_no.patch
queue-4.4/x86-speculation-add-prctl-for-speculative-store-bypass-mitigation.patch
queue-4.4/x86-msr-add-definitions-for-new-speculation-control-msrs.patch
queue-4.4/seccomp-enable-speculation-flaw-mitigations.patch
queue-4.4/x86-spectre_v2-don-t-check-microcode-versions-when-running-under-hypervisors.patch
queue-4.4/selftest-seccomp-fix-the-seccomp-2-signature.patch
queue-4.4/proc-use-underscores-for-ssbd-in-status.patch
queue-4.4/x86-bugs-amd-add-support-to-disable-rds-on-famh-if-requested.patch
queue-4.4/x86-cpufeature-blacklist-spec_ctrl-pred_cmd-on-early-spectre-v2-microcodes.patch
queue-4.4/x86-bugs-rework-spec_ctrl-base-and-mask-logic.patch
queue-4.4/seccomp-add-filter-flag-to-opt-out-of-ssb-mitigation.patch
queue-4.4/x86-speculation-make-seccomp-the-default-mode-for-speculative-store-bypass.patch
queue-4.4/x86-bugs-kvm-support-the-combination-of-guest-and-host-ibrs.patch
queue-4.4/selftest-seccomp-fix-the-flag-name-seccomp_filter_flag_tsync.patch
queue-4.4/x86-mm-factor-out-ldt-init-from-context-init.patch
queue-4.4/x86-speculation-create-spec-ctrl.h-to-avoid-include-hell.patch
queue-4.4/x86-cpufeatures-clean-up-spectre-v2-related-cpuid-flags.patch
queue-4.4/x86-bugs-expose-sys-..-spec_store_bypass.patch
queue-4.4/nospec-allow-getting-setting-on-non-current-task.patch
queue-4.4/x86-speculation-clean-up-various-spectre-related-details.patch
queue-4.4/x86-bugs-concentrate-bug-reporting-into-a-separate-function.patch
queue-4.4/x86-pti-mark-constant-arrays-as-__initconst.patch
queue-4.4/x86-cpufeatures-add-amd-feature-bits-for-speculation-control.patch
queue-4.4/x86-pti-do-not-enable-pti-on-cpus-which-are-not-vulnerable-to-meltdown.patch
queue-4.4/x86-mm-give-each-mm-tlb-flush-generation-a-unique-id.patch
queue-4.4/seccomp-move-speculation-migitation-control-to-arch-code.patch
queue-4.4/x86-speculation-move-firmware_restrict_branch_speculation_-from-c-to-cpp.patch
queue-4.4/x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch
queue-4.4/x86-amd-don-t-set-x86_bug_sysret_ss_attrs-when-running-under-xen.patch
queue-4.4/x86-bugs-kvm-extend-speculation-control-for-virt_spec_ctrl.patch
queue-4.4/prctl-add-speculation-control-prctls.patch
queue-4.4/x86-process-optimize-tif_notsc-switch.patch
queue-4.4/x86-process-allow-runtime-control-of-speculative-store-bypass.patch
queue-4.4/x86-bugs-unify-x86_spec_ctrl_-set_guest-restore_host.patch
queue-4.4/x86-bugs-expose-x86_spec_ctrl_base-directly.patch
queue-4.4/x86-bugs-provide-boot-parameters-for-the-spec_store_bypass_disable-mitigation.patch
queue-4.4/x86-speculation-update-speculation-control-microcode-blacklist.patch
queue-4.4/proc-provide-details-on-speculation-flaw-mitigations.patch
queue-4.4/x86-speculation-add-basic-ibpb-indirect-branch-prediction-barrier-support.patch
queue-4.4/x86-speculation-kvm-implement-support-for-virt_spec_ctrl-ls_cfg.patch
queue-4.4/x86-entry-64-compat-clear-registers-for-compat-syscalls-to-reduce-speculation-attack-surface.patch
queue-4.4/x86-process-optimize-tif-checks-in-__switch_to_xtra.patch
queue-4.4/x86-speculation-add-virtualized-speculative-store-bypass-disable-support.patch
queue-4.4/x86-bugs-read-spec_ctrl-msr-during-boot-and-re-use-reserved-bits.patch

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Greg KH]

On Sat, Jul 14, 2018 at 02:25:43AM -0700, Srivatsa S. Bhat wrote:
> Hi Greg,
> 
> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
> and patches for the Speculative Store Bypass vulnerability to 4.4.y
> (they apply cleanly on top of 4.4.140).
> 
> I used 4.9.y as my reference when backporting to 4.4.y (as I thought
> that would minimize the amount of fixing up necessary). Unfortunately
> I had to skip the KVM fixes for these vulnerabilities, as the KVM
> codebase is drastically different in 4.4 as compared to 4.9. (I tried
> my best to backport them initially, but wasn't confident that they
> were correct, so I decided to drop them from this series).
> 
> You'll notice that the initial few patches in this series include
> cleanups etc., that are non-critical to IBPB/IBRS/SSBD. Most of these
> patches are aimed at getting the cpufeature.h vs cpufeatures.h split
> into 4.4, since a lot of the subsequent patches update these headers.
> On my first attempt to backport these patches to 4.4.y, I had actually
> tried to do all the updates on the cpufeature.h file itself, but it
> started getting very cumbersome, so I resorted to backporting the
> cpufeature.h vs cpufeatures.h split and their dependencies as well. I
> think apart from these initial patches, the rest of the patchset
> doesn't have all that much noise. 

I've applied the "initial" patches to the 4.4-stable queue right now, as
those were all just "housekeeping" stuff.  I'll let others review the
rest of the series this week and see if anyone objects before throwing
them at the test-bots.

Many thanks for doing all of this work.

greg k-h

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

On 7/15/18 4:26 AM, Greg KH wrote:
> On Sat, Jul 14, 2018 at 02:25:43AM -0700, Srivatsa S. Bhat wrote:
>> Hi Greg,
>>
>> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
>> and patches for the Speculative Store Bypass vulnerability to 4.4.y
>> (they apply cleanly on top of 4.4.140).
>>
>> I used 4.9.y as my reference when backporting to 4.4.y (as I thought
>> that would minimize the amount of fixing up necessary). Unfortunately
>> I had to skip the KVM fixes for these vulnerabilities, as the KVM
>> codebase is drastically different in 4.4 as compared to 4.9. (I tried
>> my best to backport them initially, but wasn't confident that they
>> were correct, so I decided to drop them from this series).
>>
>> You'll notice that the initial few patches in this series include
>> cleanups etc., that are non-critical to IBPB/IBRS/SSBD. Most of these
>> patches are aimed at getting the cpufeature.h vs cpufeatures.h split
>> into 4.4, since a lot of the subsequent patches update these headers.
>> On my first attempt to backport these patches to 4.4.y, I had actually
>> tried to do all the updates on the cpufeature.h file itself, but it
>> started getting very cumbersome, so I resorted to backporting the
>> cpufeature.h vs cpufeatures.h split and their dependencies as well. I
>> think apart from these initial patches, the rest of the patchset
>> doesn't have all that much noise. 
> 
> I've applied the "initial" patches to the 4.4-stable queue right now, as
> those were all just "housekeeping" stuff.  I'll let others review the
> rest of the series this week and see if anyone objects before throwing
> them at the test-bots.
> 

Sounds great! Thanks a lot!

> Many thanks for doing all of this work.
> 

Thank you Greg!
 
Regards,
Srivatsa
VMware Photon OS

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Greg KH]

On Sat, Jul 14, 2018 at 02:25:43AM -0700, Srivatsa S. Bhat wrote:
> Hi Greg,
> 
> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
> and patches for the Speculative Store Bypass vulnerability to 4.4.y
> (they apply cleanly on top of 4.4.140).
> 
> I used 4.9.y as my reference when backporting to 4.4.y (as I thought
> that would minimize the amount of fixing up necessary). Unfortunately
> I had to skip the KVM fixes for these vulnerabilities, as the KVM
> codebase is drastically different in 4.4 as compared to 4.9. (I tried
> my best to backport them initially, but wasn't confident that they
> were correct, so I decided to drop them from this series).
> 
> You'll notice that the initial few patches in this series include
> cleanups etc., that are non-critical to IBPB/IBRS/SSBD. Most of these
> patches are aimed at getting the cpufeature.h vs cpufeatures.h split
> into 4.4, since a lot of the subsequent patches update these headers.
> On my first attempt to backport these patches to 4.4.y, I had actually
> tried to do all the updates on the cpufeature.h file itself, but it
> started getting very cumbersome, so I resorted to backporting the
> cpufeature.h vs cpufeatures.h split and their dependencies as well. I
> think apart from these initial patches, the rest of the patchset
> doesn't have all that much noise. 
> 
> This patchset has been tested on both Intel and AMD machines (Intel
> Xeon CPU E5-2660 v4 and AMD EPYC 7281 16-Core Processor, respectively)
> with updated microcode. All the patch backports have been
> independently reviewed by Matt Helsley, Alexey Makhalov and Bo Gan.
> 
> I would appreciate if you could kindly consider these patches for
> review and inclusion in a future 4.4.y release.

Given no one has complained about these yet, I've queued them all up,
including the 2 extra ones you sent afterward.

Let's see what breaks :)

thanks,

greg k-h

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

On 7/23/18 4:26 AM, Greg KH wrote:
> On Sat, Jul 14, 2018 at 02:25:43AM -0700, Srivatsa S. Bhat wrote:
>> Hi Greg,
>>
>> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
>> and patches for the Speculative Store Bypass vulnerability to 4.4.y
>> (they apply cleanly on top of 4.4.140).
>>
>> I used 4.9.y as my reference when backporting to 4.4.y (as I thought
>> that would minimize the amount of fixing up necessary). Unfortunately
>> I had to skip the KVM fixes for these vulnerabilities, as the KVM
>> codebase is drastically different in 4.4 as compared to 4.9. (I tried
>> my best to backport them initially, but wasn't confident that they
>> were correct, so I decided to drop them from this series).
>>
>> You'll notice that the initial few patches in this series include
>> cleanups etc., that are non-critical to IBPB/IBRS/SSBD. Most of these
>> patches are aimed at getting the cpufeature.h vs cpufeatures.h split
>> into 4.4, since a lot of the subsequent patches update these headers.
>> On my first attempt to backport these patches to 4.4.y, I had actually
>> tried to do all the updates on the cpufeature.h file itself, but it
>> started getting very cumbersome, so I resorted to backporting the
>> cpufeature.h vs cpufeatures.h split and their dependencies as well. I
>> think apart from these initial patches, the rest of the patchset
>> doesn't have all that much noise. 
>>
>> This patchset has been tested on both Intel and AMD machines (Intel
>> Xeon CPU E5-2660 v4 and AMD EPYC 7281 16-Core Processor, respectively)
>> with updated microcode. All the patch backports have been
>> independently reviewed by Matt Helsley, Alexey Makhalov and Bo Gan.
>>
>> I would appreciate if you could kindly consider these patches for
>> review and inclusion in a future 4.4.y release.
> 
> Given no one has complained about these yet, I've queued them all up,
> including the 2 extra ones you sent afterward.
>
Great! Thank you very much!

> Let's see what breaks :)
> 

Hehe :)

Regards,
Srivatsa
VMware Photon OS

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Jiri Kosina]

On Sat, 14 Jul 2018, Srivatsa S. Bhat wrote:

> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
> and patches for the Speculative Store Bypass vulnerability to 4.4.y
> (they apply cleanly on top of 4.4.140).

FWIW -- not sure how much inspiration you took from our SLE 4.4-based 
tree, but most of the stuff is already there for quite some time 
(including the non-upstream IBRS on kernel boundary on SKL+, trampoline 
stack for PTI (which the original port didn't have), etc).

The IBRS SKL+ stuff has not been picked up by Greg, as it's non-upstream, 
and the trampoline stack I believe was pointed out to stable@, but noone 
really sat down and did the port (our codebase is different than 4.4.x 
stable base), but it definitely should be done if someone has to put 100% 
trust into the PTI port (either that, or at least zeroing out the kernel 
thread thread stack ... we used to have temporarily that before we 
switched over to proper entry trampoline in this version as well).

Thanks,

-- 
Jiri Kosina
SUSE Labs


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

On 7/23/18 3:06 PM, Jiri Kosina wrote:
> On Sat, 14 Jul 2018, Srivatsa S. Bhat wrote:
> 
>> This patch series is a backport of the Spectre-v2 fixes (IBPB/IBRS)
>> and patches for the Speculative Store Bypass vulnerability to 4.4.y
>> (they apply cleanly on top of 4.4.140).
> 
> FWIW -- not sure how much inspiration you took from our SLE 4.4-based 
> tree, but most of the stuff is already there for quite some time 
> (including the non-upstream IBRS on kernel boundary on SKL+, trampoline 
> stack for PTI (which the original port didn't have), etc).
> 
> The IBRS SKL+ stuff has not been picked up by Greg, as it's non-upstream, 
> and the trampoline stack I believe was pointed out to stable@, but noone 
> really sat down and did the port (our codebase is different than 4.4.x 
> stable base), but it definitely should be done if someone has to put 100% 
> trust into the PTI port (either that, or at least zeroing out the kernel 
> thread thread stack ... we used to have temporarily that before we 
> switched over to proper entry trampoline in this version as well).
> 

I did glance at the SLES 4.4 kernel sometime ago, but there seemed to
be way too many custom patches and I wasn't sure in what ways your
PTI/Spectre fixes depended on the other (x86) patches in your tree. So
I decided to backport entirely from the 4.9 stable tree instead. My
reasoning was that, since the 4.9 stable patches were trusted to work
well, their 4.4 backports should work well too, as long as they are
backported correctly.
 
However, if you are proposing that you'd like to contribute the
enhanced PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4
stable, and have them merged instead of this patch series, then I
would certainly welcome it!

Regards,
Srivatsa
VMware Photon OS

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Jiri Kosina]

On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:

> However, if you are proposing that you'd like to contribute the enhanced 
> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and 
> have them merged instead of this patch series, then I would certainly 
> welcome it!

I'd in principle love us to push everything back to 4.4, but there are a 
few reasons (*) why that's not happening shortly.

Anyway, to point out explicitly what's really needed for those folks 
running 4.4-stable and relying on PTI providing The Real Thing(TM), it's 
either a 4.4-stable port of

	http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7

or making THREADINFO_GFP imply __GFP_ZERO.

(*) IBRS is not upstream, we historically have had very different x86 
    codebase compared to either 4.4, 4.4-stable or current Linus' tree, 
    and there are simply too many things happening right now to give this 
    high enough priority, sadly. We're not fully-dependent downstream 
    consumer of -stable any more, so this is one of the expected outcomes, 
    unfortunately; we don't immediately benefit from pushing our 
    downstream changes to stable, as we have to carry those over forward
    ourselves anyway.

Thanks,

-- 
Jiri Kosina
SUSE Labs

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Kees Cook]

On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>
>> However, if you are proposing that you'd like to contribute the enhanced
>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>> have them merged instead of this patch series, then I would certainly
>> welcome it!
>
> I'd in principle love us to push everything back to 4.4, but there are a
> few reasons (*) why that's not happening shortly.
>
> Anyway, to point out explicitly what's really needed for those folks
> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
> either a 4.4-stable port of
>
>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>
> or making THREADINFO_GFP imply __GFP_ZERO.

This is true in Linus's tree now. Should be trivial to backport:
https://git.kernel.org/linus/e01e80634ecdd

-Kees

-- 
Kees Cook
Pixel Security

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

[-- Attachment #1: Type: text/plain, Size: 1379 bytes --]

On 7/26/18 4:09 PM, Kees Cook wrote:
> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>>
>>> However, if you are proposing that you'd like to contribute the enhanced
>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>>> have them merged instead of this patch series, then I would certainly
>>> welcome it!
>>
>> I'd in principle love us to push everything back to 4.4, but there are a
>> few reasons (*) why that's not happening shortly.
>>
>> Anyway, to point out explicitly what's really needed for those folks
>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
>> either a 4.4-stable port of
>>
>>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>>
>> or making THREADINFO_GFP imply __GFP_ZERO.
> 
> This is true in Linus's tree now. Should be trivial to backport:
> https://git.kernel.org/linus/e01e80634ecdd
> 

Hi Jiri, Kees,

Thank you for suggesting the patch! I have attached the (locally
tested) 4.4 and 4.9 backports of that patch with this mail. (The
mainline commit applies cleanly on 4.14).

Greg, could you please consider including them in stable 4.4, 4.9
and 4.14?

Thank you very much!

Regards,
Srivatsa
VMware Photon OS

[-- Attachment #2: 4.4-fork-unconditionally-clear-stack-on-fork.patch --]
[-- Type: text/plain, Size: 3081 bytes --]

From 7e39d8ccbb0889c03ce6dc0dee0e63d78f37d0a9 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 20 Apr 2018 14:55:31 -0700
Subject: [PATCH] fork: unconditionally clear stack on fork

commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream.

One of the classes of kernel stack content leaks[1] is exposing the
contents of prior heap or stack contents when a new process stack is
allocated.  Normally, those stacks are not zeroed, and the old contents
remain in place.  In the face of stack content exposure flaws, those
contents can leak to userspace.

Fixing this will make the kernel no longer vulnerable to these flaws, as
the stack will be wiped each time a stack is assigned to a new process.
There's not a meaningful change in runtime performance; it almost looks
like it provides a benefit.

Performing back-to-back kernel builds before:
	Run times: 157.86 157.09 158.90 160.94 160.80
	Mean: 159.12
	Std Dev: 1.54

and after:
	Run times: 159.31 157.34 156.71 158.15 160.81
	Mean: 158.46
	Std Dev: 1.46

Instead of making this a build or runtime config, Andy Lutomirski
recommended this just be enabled by default.

[1] A noisy search for many kinds of stack content leaks can be seen here:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak

I did some more with perf and cycle counts on running 100,000 execs of
/bin/true.

before:
Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841
Mean:  221015379122.60
Std Dev: 4662486552.47

after:
Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348
Mean:  217745009865.40
Std Dev: 5935559279.99

It continues to look like it's faster, though the deviation is rather
wide, but I'm not sure what I could do that would be less noisy.  I'm
open to ideas!

Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Srivatsa: Backported to 4.4.y ]
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
---
 include/linux/thread_info.h | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index ff307b5..646891f 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -55,11 +55,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 
 #ifdef __KERNEL__
 
-#ifdef CONFIG_DEBUG_STACK_USAGE
-# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
-#else
-# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK)
-#endif
+#define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
 
 /*
  * flag set/clear/test wrappers
-- 
2.7.4


[-- Attachment #3: 4.9-fork-unconditionally-clear-stack-on-fork.patch --]
[-- Type: text/plain, Size: 3113 bytes --]

From 7debcc6438b4a0bdc9a7b509a751350dad883328 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 20 Apr 2018 14:55:31 -0700
Subject: [PATCH] fork: unconditionally clear stack on fork

commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream.

One of the classes of kernel stack content leaks[1] is exposing the
contents of prior heap or stack contents when a new process stack is
allocated.  Normally, those stacks are not zeroed, and the old contents
remain in place.  In the face of stack content exposure flaws, those
contents can leak to userspace.

Fixing this will make the kernel no longer vulnerable to these flaws, as
the stack will be wiped each time a stack is assigned to a new process.
There's not a meaningful change in runtime performance; it almost looks
like it provides a benefit.

Performing back-to-back kernel builds before:
	Run times: 157.86 157.09 158.90 160.94 160.80
	Mean: 159.12
	Std Dev: 1.54

and after:
	Run times: 159.31 157.34 156.71 158.15 160.81
	Mean: 158.46
	Std Dev: 1.46

Instead of making this a build or runtime config, Andy Lutomirski
recommended this just be enabled by default.

[1] A noisy search for many kinds of stack content leaks can be seen here:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak

I did some more with perf and cycle counts on running 100,000 execs of
/bin/true.

before:
Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841
Mean:  221015379122.60
Std Dev: 4662486552.47

after:
Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348
Mean:  217745009865.40
Std Dev: 5935559279.99

It continues to look like it's faster, though the deviation is rather
wide, but I'm not sure what I could do that would be less noisy.  I'm
open to ideas!

Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Srivatsa: Backported to 4.9.y ]
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
---
 include/linux/thread_info.h | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index 2873baf..5e64367 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -59,12 +59,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 
 #ifdef __KERNEL__
 
-#ifdef CONFIG_DEBUG_STACK_USAGE
-# define THREADINFO_GFP		(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK | \
-				 __GFP_ZERO)
-#else
-# define THREADINFO_GFP		(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK)
-#endif
+#define THREADINFO_GFP	(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK | __GFP_ZERO)
 
 /*
  * flag set/clear/test wrappers
-- 
2.7.4

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Kees Cook]

On Thu, Aug 2, 2018 at 12:22 PM, Srivatsa S. Bhat
<srivatsa@csail.mit.edu> wrote:
> On 7/26/18 4:09 PM, Kees Cook wrote:
>> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
>>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>>>
>>>> However, if you are proposing that you'd like to contribute the enhanced
>>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>>>> have them merged instead of this patch series, then I would certainly
>>>> welcome it!
>>>
>>> I'd in principle love us to push everything back to 4.4, but there are a
>>> few reasons (*) why that's not happening shortly.
>>>
>>> Anyway, to point out explicitly what's really needed for those folks
>>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
>>> either a 4.4-stable port of
>>>
>>>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>>>
>>> or making THREADINFO_GFP imply __GFP_ZERO.
>>
>> This is true in Linus's tree now. Should be trivial to backport:
>> https://git.kernel.org/linus/e01e80634ecdd
>>
>
> Hi Jiri, Kees,
>
> Thank you for suggesting the patch! I have attached the (locally
> tested) 4.4 and 4.9 backports of that patch with this mail. (The
> mainline commit applies cleanly on 4.14).
>
> Greg, could you please consider including them in stable 4.4, 4.9
> and 4.14?

I don't think your v4.9 is sufficient: it leaves the vmapped stack
uncleared. v4.9 needs ca182551857 ("kmemleak: clear stale pointers
from task stacks") included in the backport (really, just adding the
memset()).

Otherwise, yup, looks good.

-Kees

-- 
Kees Cook
Pixel Security

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

[-- Attachment #1: Type: text/plain, Size: 1932 bytes --]

On 8/2/18 3:22 PM, Kees Cook wrote:
> On Thu, Aug 2, 2018 at 12:22 PM, Srivatsa S. Bhat
> <srivatsa@csail.mit.edu> wrote:
>> On 7/26/18 4:09 PM, Kees Cook wrote:
>>> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
>>>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>>>>
>>>>> However, if you are proposing that you'd like to contribute the enhanced
>>>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>>>>> have them merged instead of this patch series, then I would certainly
>>>>> welcome it!
>>>>
>>>> I'd in principle love us to push everything back to 4.4, but there are a
>>>> few reasons (*) why that's not happening shortly.
>>>>
>>>> Anyway, to point out explicitly what's really needed for those folks
>>>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
>>>> either a 4.4-stable port of
>>>>
>>>>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>>>>
>>>> or making THREADINFO_GFP imply __GFP_ZERO.
>>>
>>> This is true in Linus's tree now. Should be trivial to backport:
>>> https://git.kernel.org/linus/e01e80634ecdd
>>>
>>
>> Hi Jiri, Kees,
>>
>> Thank you for suggesting the patch! I have attached the (locally
>> tested) 4.4 and 4.9 backports of that patch with this mail. (The
>> mainline commit applies cleanly on 4.14).
>>
>> Greg, could you please consider including them in stable 4.4, 4.9
>> and 4.14?
> 
> I don't think your v4.9 is sufficient: it leaves the vmapped stack
> uncleared. v4.9 needs ca182551857 ("kmemleak: clear stale pointers
> from task stacks") included in the backport (really, just adding the
> memset()).
> 

Ah, I see, thank you! I have attached the updated patchset for 4.9
with this mail.

> Otherwise, yup, looks good.
> 
Thank you for reviewing the patches!
 
Regards,
Srivatsa
VMware Photon OS

[-- Attachment #2: 4.9-0001-kmemleak-clear-stale-pointers-from-task-stacks.patch --]
[-- Type: text/plain, Size: 1906 bytes --]

From edf835d8b6bac08bc5e69efb3e1cc321e2457f61 Mon Sep 17 00:00:00 2001
From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Date: Fri, 13 Oct 2017 15:58:22 -0700
Subject: [PATCH 1/2] kmemleak: clear stale pointers from task stacks

commit ca182551857cc2c1e6a2b7f1e72090a137a15008 upstream.

Kmemleak considers any pointers on task stacks as references.  This
patch clears newly allocated and reused vmap stacks.

Link: http://lkml.kernel.org/r/150728990124.744199.8403409836394318684.stgit@buzz
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Srivatsa: Backported to 4.9.y ]
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
---
 include/linux/thread_info.h | 2 +-
 kernel/fork.c               | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index 2873baf..cf87c16 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -59,7 +59,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 
 #ifdef __KERNEL__
 
-#ifdef CONFIG_DEBUG_STACK_USAGE
+#if IS_ENABLED(CONFIG_DEBUG_STACK_USAGE) || IS_ENABLED(CONFIG_DEBUG_KMEMLEAK)
 # define THREADINFO_GFP		(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK | \
 				 __GFP_ZERO)
 #else
diff --git a/kernel/fork.c b/kernel/fork.c
index 70e10cb..c19e6d4 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -184,6 +184,10 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node)
 			continue;
 		this_cpu_write(cached_stacks[i], NULL);
 
+#ifdef CONFIG_DEBUG_KMEMLEAK
+		/* Clear stale pointers from reused stack. */
+		memset(s->addr, 0, THREAD_SIZE);
+#endif
 		tsk->stack_vm_area = s;
 		local_irq_enable();
 		return s->addr;
-- 
2.7.4


[-- Attachment #3: 4.9-0002-fork-unconditionally-clear-stack-on-fork.patch --]
[-- Type: text/plain, Size: 3670 bytes --]

From 5371cd0bb1e2ca8d1603845c764e1524f7e729ad Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 20 Apr 2018 14:55:31 -0700
Subject: [PATCH 2/2] fork: unconditionally clear stack on fork

commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream.

One of the classes of kernel stack content leaks[1] is exposing the
contents of prior heap or stack contents when a new process stack is
allocated.  Normally, those stacks are not zeroed, and the old contents
remain in place.  In the face of stack content exposure flaws, those
contents can leak to userspace.

Fixing this will make the kernel no longer vulnerable to these flaws, as
the stack will be wiped each time a stack is assigned to a new process.
There's not a meaningful change in runtime performance; it almost looks
like it provides a benefit.

Performing back-to-back kernel builds before:
	Run times: 157.86 157.09 158.90 160.94 160.80
	Mean: 159.12
	Std Dev: 1.54

and after:
	Run times: 159.31 157.34 156.71 158.15 160.81
	Mean: 158.46
	Std Dev: 1.46

Instead of making this a build or runtime config, Andy Lutomirski
recommended this just be enabled by default.

[1] A noisy search for many kinds of stack content leaks can be seen here:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak

I did some more with perf and cycle counts on running 100,000 execs of
/bin/true.

before:
Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841
Mean:  221015379122.60
Std Dev: 4662486552.47

after:
Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348
Mean:  217745009865.40
Std Dev: 5935559279.99

It continues to look like it's faster, though the deviation is rather
wide, but I'm not sure what I could do that would be less noisy.  I'm
open to ideas!

Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Srivatsa: Backported to 4.9.y ]
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
---
 include/linux/thread_info.h | 7 +------
 kernel/fork.c               | 3 +--
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index cf87c16..5e64367 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -59,12 +59,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 
 #ifdef __KERNEL__
 
-#if IS_ENABLED(CONFIG_DEBUG_STACK_USAGE) || IS_ENABLED(CONFIG_DEBUG_KMEMLEAK)
-# define THREADINFO_GFP		(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK | \
-				 __GFP_ZERO)
-#else
-# define THREADINFO_GFP		(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK)
-#endif
+#define THREADINFO_GFP	(GFP_KERNEL_ACCOUNT | __GFP_NOTRACK | __GFP_ZERO)
 
 /*
  * flag set/clear/test wrappers
diff --git a/kernel/fork.c b/kernel/fork.c
index c19e6d4..2c98b98 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -184,10 +184,9 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node)
 			continue;
 		this_cpu_write(cached_stacks[i], NULL);
 
-#ifdef CONFIG_DEBUG_KMEMLEAK
 		/* Clear stale pointers from reused stack. */
 		memset(s->addr, 0, THREAD_SIZE);
-#endif
+
 		tsk->stack_vm_area = s;
 		local_irq_enable();
 		return s->addr;
-- 
2.7.4

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Greg KH]

On Fri, Aug 03, 2018 at 04:20:31PM -0700, Srivatsa S. Bhat wrote:
> On 8/2/18 3:22 PM, Kees Cook wrote:
> > On Thu, Aug 2, 2018 at 12:22 PM, Srivatsa S. Bhat
> > <srivatsa@csail.mit.edu> wrote:
> >> On 7/26/18 4:09 PM, Kees Cook wrote:
> >>> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
> >>>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
> >>>>
> >>>>> However, if you are proposing that you'd like to contribute the enhanced
> >>>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
> >>>>> have them merged instead of this patch series, then I would certainly
> >>>>> welcome it!
> >>>>
> >>>> I'd in principle love us to push everything back to 4.4, but there are a
> >>>> few reasons (*) why that's not happening shortly.
> >>>>
> >>>> Anyway, to point out explicitly what's really needed for those folks
> >>>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
> >>>> either a 4.4-stable port of
> >>>>
> >>>>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
> >>>>
> >>>> or making THREADINFO_GFP imply __GFP_ZERO.
> >>>
> >>> This is true in Linus's tree now. Should be trivial to backport:
> >>> https://git.kernel.org/linus/e01e80634ecdd
> >>>
> >>
> >> Hi Jiri, Kees,
> >>
> >> Thank you for suggesting the patch! I have attached the (locally
> >> tested) 4.4 and 4.9 backports of that patch with this mail. (The
> >> mainline commit applies cleanly on 4.14).
> >>
> >> Greg, could you please consider including them in stable 4.4, 4.9
> >> and 4.14?
> > 
> > I don't think your v4.9 is sufficient: it leaves the vmapped stack
> > uncleared. v4.9 needs ca182551857 ("kmemleak: clear stale pointers
> > from task stacks") included in the backport (really, just adding the
> > memset()).
> > 
> 
> Ah, I see, thank you! I have attached the updated patchset for 4.9
> with this mail.
> 
> > Otherwise, yup, looks good.
> > 
> Thank you for reviewing the patches!
>  
> Regards,
> Srivatsa
> VMware Photon OS

These work for 4.9, do you also have a set for 4.4?

thanks,

greg k-h

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

[-- Attachment #1: Type: text/plain, Size: 2649 bytes --]

On 8/7/18 6:49 AM, Greg KH wrote:
> On Fri, Aug 03, 2018 at 04:20:31PM -0700, Srivatsa S. Bhat wrote:
>> On 8/2/18 3:22 PM, Kees Cook wrote:
>>> On Thu, Aug 2, 2018 at 12:22 PM, Srivatsa S. Bhat
>>> <srivatsa@csail.mit.edu> wrote:
>>>> On 7/26/18 4:09 PM, Kees Cook wrote:
>>>>> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@kernel.org> wrote:
>>>>>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>>>>>>
>>>>>>> However, if you are proposing that you'd like to contribute the enhanced
>>>>>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>>>>>>> have them merged instead of this patch series, then I would certainly
>>>>>>> welcome it!
>>>>>>
>>>>>> I'd in principle love us to push everything back to 4.4, but there are a
>>>>>> few reasons (*) why that's not happening shortly.
>>>>>>
>>>>>> Anyway, to point out explicitly what's really needed for those folks
>>>>>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
>>>>>> either a 4.4-stable port of
>>>>>>
>>>>>>         http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>>>>>>
>>>>>> or making THREADINFO_GFP imply __GFP_ZERO.
>>>>>
>>>>> This is true in Linus's tree now. Should be trivial to backport:
>>>>> https://git.kernel.org/linus/e01e80634ecdd
>>>>>
>>>>
>>>> Hi Jiri, Kees,
>>>>
>>>> Thank you for suggesting the patch! I have attached the (locally
>>>> tested) 4.4 and 4.9 backports of that patch with this mail. (The
>>>> mainline commit applies cleanly on 4.14).
>>>>
>>>> Greg, could you please consider including them in stable 4.4, 4.9
>>>> and 4.14?
>>>
>>> I don't think your v4.9 is sufficient: it leaves the vmapped stack
>>> uncleared. v4.9 needs ca182551857 ("kmemleak: clear stale pointers
>>> from task stacks") included in the backport (really, just adding the
>>> memset()).
>>>
>>
>> Ah, I see, thank you! I have attached the updated patchset for 4.9
>> with this mail.
>>
>>> Otherwise, yup, looks good.
>>>
>> Thank you for reviewing the patches!
>>  
>> Regards,
>> Srivatsa
>> VMware Photon OS
> 
> These work for 4.9, do you also have a set for 4.4?
> 

Thank you for considering these patches for 4.9!

The (single) patch for 4.4 did not need any more changes, and hence is
the same as the one I attached in my previous mail. I'll attach it
again here for your reference.

Also, upstream commit e01e80634ecdde1 (fork: unconditionally clear
stack on fork) applies cleanly on 4.14 stable, so it would be great to
cherry-pick it to 4.14 stable as well.

Thank you!

Regards,
Srivatsa
VMware Photon OS

[-- Attachment #2: 4.4-fork-unconditionally-clear-stack-on-fork.patch --]
[-- Type: text/plain, Size: 3081 bytes --]

From 7e39d8ccbb0889c03ce6dc0dee0e63d78f37d0a9 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 20 Apr 2018 14:55:31 -0700
Subject: [PATCH] fork: unconditionally clear stack on fork

commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream.

One of the classes of kernel stack content leaks[1] is exposing the
contents of prior heap or stack contents when a new process stack is
allocated.  Normally, those stacks are not zeroed, and the old contents
remain in place.  In the face of stack content exposure flaws, those
contents can leak to userspace.

Fixing this will make the kernel no longer vulnerable to these flaws, as
the stack will be wiped each time a stack is assigned to a new process.
There's not a meaningful change in runtime performance; it almost looks
like it provides a benefit.

Performing back-to-back kernel builds before:
	Run times: 157.86 157.09 158.90 160.94 160.80
	Mean: 159.12
	Std Dev: 1.54

and after:
	Run times: 159.31 157.34 156.71 158.15 160.81
	Mean: 158.46
	Std Dev: 1.46

Instead of making this a build or runtime config, Andy Lutomirski
recommended this just be enabled by default.

[1] A noisy search for many kinds of stack content leaks can be seen here:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak

I did some more with perf and cycle counts on running 100,000 execs of
/bin/true.

before:
Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841
Mean:  221015379122.60
Std Dev: 4662486552.47

after:
Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348
Mean:  217745009865.40
Std Dev: 5935559279.99

It continues to look like it's faster, though the deviation is rather
wide, but I'm not sure what I could do that would be less noisy.  I'm
open to ideas!

Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Srivatsa: Backported to 4.4.y ]
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
---
 include/linux/thread_info.h | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index ff307b5..646891f 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -55,11 +55,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 
 #ifdef __KERNEL__
 
-#ifdef CONFIG_DEBUG_STACK_USAGE
-# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
-#else
-# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK)
-#endif
+#define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
 
 /*
  * flag set/clear/test wrappers
-- 
2.7.4

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Greg KH]

On Tue, Aug 07, 2018 at 12:08:07PM -0700, Srivatsa S. Bhat wrote:
> Also, upstream commit e01e80634ecdde1 (fork: unconditionally clear
> stack on fork) applies cleanly on 4.14 stable, so it would be great to
> cherry-pick it to 4.14 stable as well.

It is already in the 4.14.60 release, did I somehow mess up the
backport?

thanks,

greg k-h

Re: [RESEND] Spectre-v2 (IBPB/IBRS) and SSBD fixes for 4.4.y

[Srivatsa S. Bhat]

On 8/7/18 12:15 PM, Greg KH wrote:
> On Tue, Aug 07, 2018 at 12:08:07PM -0700, Srivatsa S. Bhat wrote:
>> Also, upstream commit e01e80634ecdde1 (fork: unconditionally clear
>> stack on fork) applies cleanly on 4.14 stable, so it would be great to
>> cherry-pick it to 4.14 stable as well.
> 
> It is already in the 4.14.60 release, did I somehow mess up the
> backport?
> 

Sorry, my bad! The backport in 4.14.60 looks fine. Thank you!
 
Regards,
Srivatsa
VMware Photon OS