From: Jiri Slaby <jirislaby@kernel.org>
To: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
stable@vger.kernel.org
Cc: Alyssa Milburn <alyssa.milburn@intel.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Peter Zijlstra <peterz@infradead.org>
Subject: Re: [PATCH 6.7.y 1/6] x86/bugs: Add asm helpers for executing VERW
Date: Tue, 27 Feb 2024 08:40:26 +0100 [thread overview]
Message-ID: <c9ede8e2-5066-435b-bd1d-1971a8072952@kernel.org> (raw)
In-Reply-To: <20240226-delay-verw-backport-6-7-y-v1-1-ab25f643173b@linux.intel.com>
On 27. 02. 24, 6:00, Pawan Gupta wrote:
> commit baf8361e54550a48a7087b603313ad013cc13386 upstream.
>
> MDS mitigation requires clearing the CPU buffers before returning to
> user. This needs to be done late in the exit-to-user path. Current
> location of VERW leaves a possibility of kernel data ending up in CPU
> buffers for memory accesses done after VERW such as:
>
> 1. Kernel data accessed by an NMI between VERW and return-to-user can
> remain in CPU buffers since NMI returning to kernel does not
> execute VERW to clear CPU buffers.
> 2. Alyssa reported that after VERW is executed,
> CONFIG_GCC_PLUGIN_STACKLEAK=y scrubs the stack used by a system
> call. Memory accesses during stack scrubbing can move kernel stack
> contents into CPU buffers.
> 3. When caller saved registers are restored after a return from
> function executing VERW, the kernel stack accesses can remain in
> CPU buffers (since they occur after VERW).
>
> To fix this VERW needs to be moved very late in exit-to-user path.
>
> In preparation for moving VERW to entry/exit asm code, create macros
> that can be used in asm. Also make VERW patching depend on a new feature
> flag X86_FEATURE_CLEAR_CPU_BUF.
...
> --- a/arch/x86/include/asm/nospec-branch.h
> +++ b/arch/x86/include/asm/nospec-branch.h
> @@ -315,6 +315,17 @@
> #endif
> .endm
>
> +/*
> + * Macro to execute VERW instruction that mitigate transient data sampling
> + * attacks such as MDS. On affected systems a microcode update overloaded VERW
> + * instruction to also clear the CPU buffers. VERW clobbers CFLAGS.ZF.
> + *
> + * Note: Only the memory operand variant of VERW clears the CPU buffers.
> + */
> +.macro CLEAR_CPU_BUFFERS
> + ALTERNATIVE "", __stringify(verw mds_verw_sel), X86_FEATURE_CLEAR_CPU_BUF
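Review bot: the replacement `verw mds_verw_sel` names the selector with a plain (absolute) memory operand; because ALTERNATIVE copies the replacement bytes into the patched site, the addressing form decides whether the copied instruction still reads mds_verw_sel there, so if this operand form differs from the upstream commit cited at the top of the message (baf8361e5455), the backport's commit message should state why it was changed. Minor: the comment says VERW clobbers CFLAGS.ZF; the flag lives in EFLAGS, so `EFLAGS.ZF` would be accurate.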
Why is rip-relative not preserved here? Will this work at all (it looks
like verw would now touch random memory)?
In any case, should you make any changes during the backport, you shall
document that.
--
js
suse labs
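The addressing question raised in the reply, as an added example that is not from the patch or the thread: it models the x86-64 encodings of both operand forms of `verw m16` and what happens to each when ALTERNATIVE copies the replacement bytes unchanged into the patched site. All addresses are constructed, and whether a given kernel's alternatives code fixes up a RIP-relative displacement during patching is outside what this example shows.

```c
#include <stddef.h>
#include <stdint.h>

/* x86 displacements are little-endian; pack/unpack them explicitly. */
static int32_t get_disp32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
static void put_disp32(uint8_t *p, int32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)((uint32_t)v >> (8 * i));
}
/* verw m16 is opcode 0F 00 /5. Two ways to name a fixed data address in
 * 64-bit mode: disp32(%rip) = ModRM 0x2D + disp32 (7 bytes), or absolute
 * sign-extended disp32 = ModRM 0x2C, SIB 0x25 + disp32 (8 bytes). */
static size_t encode_verw_rip(uint8_t *out, uint64_t insn_addr, uint64_t sel_addr) {
    out[0] = 0x0F; out[1] = 0x00; out[2] = 0x2D;
    put_disp32(out + 3, (int32_t)(uint32_t)(sel_addr - (insn_addr + 7)));
    return 7;
}
static size_t encode_verw_abs(uint8_t *out, uint64_t sel_addr) {
    out[0] = 0x0F; out[1] = 0x00; out[2] = 0x2C; out[3] = 0x25;
    put_disp32(out + 4, (int32_t)(uint32_t)sel_addr); /* target must lie within +/-2 GiB of 0 */
    return 8;
}
/* Address the selector operand resolves to when these bytes execute at
 * insn_addr (64-bit mode). Returns 0 for anything but the two forms above. */
static uint64_t verw_operand_addr(const uint8_t *p, uint64_t insn_addr) {
    if (p[0] != 0x0F || p[1] != 0x00)
        return 0;
    if (p[2] == 0x2D)                   /* mod=00 rm=101: next RIP + disp32 */
        return insn_addr + 7 + (uint64_t)(int64_t)get_disp32(p + 3);
    if (p[2] == 0x2C && p[3] == 0x25)   /* no base, no index: sign-extended disp32 */
        return (uint64_t)(int64_t)get_disp32(p + 4);
    return 0;
}

/* Model of ALTERNATIVE patching: the replacement is assembled at repl_addr
 * (in .altinstr_replacement) and its bytes are copied unchanged to the
 * patched site. Each helper returns 1 if the copied instruction still
 * reads the selector at sel_addr, 0 if it now points elsewhere. */
static int rip_form_survives_copy(uint64_t sel_addr, uint64_t repl_addr, uint64_t site_addr) {
    uint8_t b[8];
    encode_verw_rip(b, repl_addr, sel_addr);
    return verw_operand_addr(b, site_addr) == sel_addr;
}
static int abs_form_survives_copy(uint64_t sel_addr, uint64_t site_addr) {
    uint8_t b[8];
    encode_verw_abs(b, sel_addr);
    return verw_operand_addr(b, site_addr) == sel_addr;
}
```

The RIP-relative bytes only stay correct if the patched site is the address they were assembled for (or the displacement is adjusted at patch time), while the absolute form encodes the same address wherever the bytes land.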
Thread overview (13+ messages):
2024-02-27 5:00 [PATCH 6.7.y 0/6] Delay VERW - 6.7.y backport Pawan Gupta
2024-02-27 5:00 ` [PATCH 6.7.y 1/6] x86/bugs: Add asm helpers for executing VERW Pawan Gupta
2024-02-27 7:40 ` Jiri Slaby [this message]
2024-02-27 7:47 ` Greg KH
2024-02-27 8:29 ` Pawan Gupta
2024-02-27 8:27 ` Pawan Gupta
2024-02-27 8:41 ` Jiri Slaby
2024-02-27 9:42 ` Jiri Slaby
2024-02-27 5:01 ` [PATCH 6.7.y 2/6] x86/entry_64: Add VERW just before userspace transition Pawan Gupta
2024-02-27 5:01 ` [PATCH 6.7.y 3/6] x86/entry_32: " Pawan Gupta
2024-02-27 5:01 ` [PATCH 6.7.y 4/6] x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key Pawan Gupta
2024-02-27 5:01 ` [PATCH 6.7.y 5/6] KVM/VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH Pawan Gupta
2024-02-27 5:01 ` [PATCH 6.7.y 6/6] KVM/VMX: Move VERW closer to VMentry for MDS mitigation Pawan Gupta