From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrew Cooper <andrew.cooper3@citrix.com>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Borislav Petkov <bp@suse.de>
Subject: [PATCH 4.19 32/32] x86/speculation: Add LFENCE to RSB fill sequence
Date: Tue, 9 Aug 2022 20:00:23 +0200 [thread overview]
Message-ID: <20220809175514.089995381@linuxfoundation.org> (raw)
In-Reply-To: <20220809175513.082573955@linuxfoundation.org>
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
commit ba6e31af2be96c4d0536f2152ed6f7b6c11bca47 upstream.
RSB fill sequence does not have any protection for miss-prediction of
conditional branch at the end of the sequence. CPU can speculatively
execute code immediately after the sequence, while RSB filling hasn't
completed yet.
#define __FILL_RETURN_BUFFER(reg, nr, sp) \
mov $(nr/2), reg; \
771: \
call 772f; \
773: /* speculation trap */ \
pause; \
lfence; \
jmp 773b; \
772: \
call 774f; \
775: /* speculation trap */ \
pause; \
lfence; \
jmp 775b; \
774: \
dec reg; \
jnz 771b; <----- CPU can miss-predict here. \
add $(BITS_PER_LONG/8) * nr, sp;
Before RSB is filled, RETs that come in program order after this macro
can be executed speculatively, making them vulnerable to RSB-based
attacks.
Mitigate it by adding an LFENCE after the conditional branch to prevent
speculation while RSB is being filled.
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/nospec-branch.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -52,7 +52,9 @@
774: \
dec reg; \
jnz 771b; \
- add $(BITS_PER_LONG/8) * nr, sp;
+ add $(BITS_PER_LONG/8) * nr, sp; \
+ /* barrier for jnz misprediction */ \
+ lfence;
/* Sequence to mitigate PBRSB on eIBRS CPUs */
#define __ISSUE_UNBALANCED_RET_GUARD(sp) \
next prev parent reply other threads:[~2022-08-09 18:07 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-09 17:59 [PATCH 4.19 00/32] 4.19.255-rc1 review Greg Kroah-Hartman
2022-08-09 17:59 ` [PATCH 4.19 01/32] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put Greg Kroah-Hartman
2022-08-09 17:59 ` [PATCH 4.19 02/32] ntfs: fix use-after-free in ntfs_ucsncmp() Greg Kroah-Hartman
2022-08-09 17:59 ` [PATCH 4.19 03/32] s390/archrandom: prevent CPACF trng invocations in interrupt context Greg Kroah-Hartman
2022-08-09 17:59 ` [PATCH 4.19 04/32] tcp: Fix data-races around sysctl_tcp_dsack Greg Kroah-Hartman
2022-08-09 17:59 ` [PATCH 4.19 05/32] tcp: Fix a data-race around sysctl_tcp_app_win Greg Kroah-Hartman
2022-08-09 17:59 ` [PATCH 4.19 06/32] tcp: Fix a data-race around sysctl_tcp_adv_win_scale Greg Kroah-Hartman
2022-08-09 17:59 ` [PATCH 4.19 07/32] tcp: Fix a data-race around sysctl_tcp_frto Greg Kroah-Hartman
2022-08-09 17:59 ` [PATCH 4.19 08/32] tcp: Fix a data-race around sysctl_tcp_nometrics_save Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 09/32] scsi: ufs: host: Hold reference returned by of_parse_phandle() Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 10/32] tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 11/32] net: ping6: Fix memleak in ipv6_renew_options() Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 12/32] igmp: Fix data-races around sysctl_igmp_qrv Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 13/32] net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 14/32] tcp: Fix a data-race around sysctl_tcp_min_tso_segs Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 15/32] tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 16/32] tcp: Fix a data-race around sysctl_tcp_autocorking Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 17/32] tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 18/32] Documentation: fix sctp_wmem in ip-sysctl.rst Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 19/32] tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 20/32] tcp: Fix a data-race around sysctl_tcp_comp_sack_nr Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 21/32] i40e: Fix interface init with MSI interrupts (no MSI-X) Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 22/32] sctp: fix sleep in atomic context bug in timer handlers Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 23/32] netfilter: nf_queue: do not allow packet truncation below transport header offset Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 24/32] perf symbol: Correct address for bss symbols Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 25/32] ARM: crypto: comment out gcc warning that breaks clang builds Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 26/32] mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 27/32] scsi: core: Fix race between handling STS_RESOURCE and completion Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 28/32] ACPI: video: Force backlight native for some TongFang devices Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 29/32] ACPI: video: Shortening quirk list by identifying Clevo by board_name only Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 30/32] macintosh/adb: fix oob read in do_adb_query() function Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 4.19 31/32] x86/speculation: Add RSB VM Exit protections Greg Kroah-Hartman
2022-08-09 18:00 ` Greg Kroah-Hartman [this message]
2022-08-10 9:20 ` [PATCH 4.19 00/32] 4.19.255-rc1 review Pavel Machek
2022-08-10 9:38 ` Naresh Kamboju
2022-08-10 13:18 ` Sudip Mukherjee (Codethink)
2022-08-10 13:31 ` Guenter Roeck
2022-08-10 14:25 ` Jon Hunter
2022-08-10 14:46 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220809175514.089995381@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andrew.cooper3@citrix.com \
--cc=bp@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox