Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'x86_bugs_for_v6.5_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 mitigation fixes from Borislav Petkov:
"The first set of fallout fixes after the embargo madness. There will
be another set next week too.

- A first series of cleanups/unifications and documentation
improvements to the SRSO and GDS mitigations code which got
postponed to after the embargo date

- Fix the SRSO aliasing addresses assertion so that the LLVM linker
can parse it too"

* tag 'x86_bugs_for_v6.5_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
driver core: cpu: Fix the fallback cpu_show_gds() name
x86: Move gds_ucode_mitigated() declaration to header
x86/speculation: Add cpu_show_gds() prototype
driver core: cpu: Make cpu_show_not_affected() static
x86/srso: Fix build breakage with the LLVM linker
Documentation/srso: Document IBPB aspect and fix formatting
driver core: cpu: Unify redundant silly stubs
Documentation/hw-vuln: Unify filename specification in index

+82 -112
+7 -7
Documentation/admin-guide/hw-vuln/index.rst
··· 13 13 l1tf 14 14 mds 15 15 tsx_async_abort 16 - multihit.rst 17 - special-register-buffer-data-sampling.rst 18 - core-scheduling.rst 19 - l1d_flush.rst 20 - processor_mmio_stale_data.rst 21 - cross-thread-rsb.rst 16 + multihit 17 + special-register-buffer-data-sampling 18 + core-scheduling 19 + l1d_flush 20 + processor_mmio_stale_data 21 + cross-thread-rsb 22 22 srso 23 - gather_data_sampling.rst 23 + gather_data_sampling
+44 -27
Documentation/admin-guide/hw-vuln/srso.rst
··· 42 42 43 43 The possible values in this file are: 44 44 45 - - 'Not affected' The processor is not vulnerable 45 + * 'Not affected': 46 46 47 - - 'Vulnerable: no microcode' The processor is vulnerable, no 48 - microcode extending IBPB functionality 49 - to address the vulnerability has been 50 - applied. 47 + The processor is not vulnerable 51 48 52 - - 'Mitigation: microcode' Extended IBPB functionality microcode 53 - patch has been applied. It does not 54 - address User->Kernel and Guest->Host 55 - transitions protection but it does 56 - address User->User and VM->VM attack 57 - vectors. 49 + * 'Vulnerable: no microcode': 58 50 59 - (spec_rstack_overflow=microcode) 51 + The processor is vulnerable, no microcode extending IBPB 52 + functionality to address the vulnerability has been applied. 60 53 61 - - 'Mitigation: safe RET' Software-only mitigation. It complements 62 - the extended IBPB microcode patch 63 - functionality by addressing User->Kernel 64 - and Guest->Host transitions protection. 54 + * 'Mitigation: microcode': 65 55 66 - Selected by default or by 67 - spec_rstack_overflow=safe-ret 56 + Extended IBPB functionality microcode patch has been applied. It does 57 + not address User->Kernel and Guest->Host transitions protection but it 58 + does address User->User and VM->VM attack vectors. 68 59 69 - - 'Mitigation: IBPB' Similar protection as "safe RET" above 70 - but employs an IBPB barrier on privilege 71 - domain crossings (User->Kernel, 72 - Guest->Host). 60 + Note that User->User mitigation is controlled by how the IBPB aspect in 61 + the Spectre v2 mitigation is selected: 73 62 74 - (spec_rstack_overflow=ibpb) 63 + * conditional IBPB: 75 64 76 - - 'Mitigation: IBPB on VMEXIT' Mitigation addressing the cloud provider 77 - scenario - the Guest->Host transitions 78 - only. 
65 + where each process can select whether it needs an IBPB issued 66 + around it PR_SPEC_DISABLE/_ENABLE etc, see :doc:`spectre` 79 67 80 - (spec_rstack_overflow=ibpb-vmexit) 68 + * strict: 69 + 70 + i.e., always on - by supplying spectre_v2_user=on on the kernel 71 + command line 72 + 73 + (spec_rstack_overflow=microcode) 74 + 75 + * 'Mitigation: safe RET': 76 + 77 + Software-only mitigation. It complements the extended IBPB microcode 78 + patch functionality by addressing User->Kernel and Guest->Host 79 + transitions protection. 80 + 81 + Selected by default or by spec_rstack_overflow=safe-ret 82 + 83 + * 'Mitigation: IBPB': 84 + 85 + Similar protection as "safe RET" above but employs an IBPB barrier on 86 + privilege domain crossings (User->Kernel, Guest->Host). 87 + 88 + (spec_rstack_overflow=ibpb) 89 + 90 + * 'Mitigation: IBPB on VMEXIT': 91 + 92 + Mitigation addressing the cloud provider scenario - the Guest->Host 93 + transitions only. 94 + 95 + (spec_rstack_overflow=ibpb-vmexit) 96 + 97 + 81 98 82 99 In order to exploit vulnerability, an attacker needs to: 83 100
+2
arch/x86/include/asm/processor.h
··· 731 731 #define arch_is_platform_page arch_is_platform_page 732 732 #endif 733 733 734 + extern bool gds_ucode_mitigated(void); 735 + 734 736 #endif /* _ASM_X86_PROCESSOR_H */
+9 -3
arch/x86/kernel/vmlinux.lds.S
··· 529 529 530 530 #ifdef CONFIG_CPU_SRSO 531 531 /* 532 - * GNU ld cannot do XOR so do: (A | B) - (A & B) in order to compute the XOR 532 + * GNU ld cannot do XOR until 2.41. 533 + * https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f6f78318fca803c4907fb8d7f6ded8295f1947b1 534 + * 535 + * LLVM lld cannot do XOR until lld-17. 536 + * https://github.com/llvm/llvm-project/commit/fae96104d4378166cbe5c875ef8ed808a356f3fb 537 + * 538 + * Instead do: (A | B) - (A & B) in order to compute the XOR 533 539 * of the two function addresses: 534 540 */ 535 - . = ASSERT(((srso_untrain_ret_alias | srso_safe_ret_alias) - 536 - (srso_untrain_ret_alias & srso_safe_ret_alias)) == ((1 << 2) | (1 << 8) | (1 << 14) | (1 << 20)), 541 + . = ASSERT(((ABSOLUTE(srso_untrain_ret_alias) | srso_safe_ret_alias) - 542 + (ABSOLUTE(srso_untrain_ret_alias) & srso_safe_ret_alias)) == ((1 << 2) | (1 << 8) | (1 << 14) | (1 << 20)), 537 543 "SRSO function pair won't alias"); 538 544 #endif 539 545
-2
arch/x86/kvm/x86.c
··· 314 314 315 315 static struct kmem_cache *x86_emulator_cache; 316 316 317 - extern bool gds_ucode_mitigated(void); 318 - 319 317 /* 320 318 * When called, it means the previous get/set msr reached an invalid msr. 321 319 * Return true if we want to ignore/silent this failed msr access.
+18 -73
drivers/base/cpu.c
··· 509 509 } 510 510 511 511 #ifdef CONFIG_GENERIC_CPU_VULNERABILITIES 512 - 513 - ssize_t __weak cpu_show_meltdown(struct device *dev, 514 - struct device_attribute *attr, char *buf) 515 - { 516 - return sysfs_emit(buf, "Not affected\n"); 517 - } 518 - 519 - ssize_t __weak cpu_show_spectre_v1(struct device *dev, 520 - struct device_attribute *attr, char *buf) 521 - { 522 - return sysfs_emit(buf, "Not affected\n"); 523 - } 524 - 525 - ssize_t __weak cpu_show_spectre_v2(struct device *dev, 526 - struct device_attribute *attr, char *buf) 527 - { 528 - return sysfs_emit(buf, "Not affected\n"); 529 - } 530 - 531 - ssize_t __weak cpu_show_spec_store_bypass(struct device *dev, 532 - struct device_attribute *attr, char *buf) 533 - { 534 - return sysfs_emit(buf, "Not affected\n"); 535 - } 536 - 537 - ssize_t __weak cpu_show_l1tf(struct device *dev, 538 - struct device_attribute *attr, char *buf) 539 - { 540 - return sysfs_emit(buf, "Not affected\n"); 541 - } 542 - 543 - ssize_t __weak cpu_show_mds(struct device *dev, 544 - struct device_attribute *attr, char *buf) 545 - { 546 - return sysfs_emit(buf, "Not affected\n"); 547 - } 548 - 549 - ssize_t __weak cpu_show_tsx_async_abort(struct device *dev, 550 - struct device_attribute *attr, 551 - char *buf) 552 - { 553 - return sysfs_emit(buf, "Not affected\n"); 554 - } 555 - 556 - ssize_t __weak cpu_show_itlb_multihit(struct device *dev, 557 - struct device_attribute *attr, char *buf) 558 - { 559 - return sysfs_emit(buf, "Not affected\n"); 560 - } 561 - 562 - ssize_t __weak cpu_show_srbds(struct device *dev, 512 + static ssize_t cpu_show_not_affected(struct device *dev, 563 513 struct device_attribute *attr, char *buf) 564 514 { 565 515 return sysfs_emit(buf, "Not affected\n"); 566 516 } 567 517 568 - ssize_t __weak cpu_show_mmio_stale_data(struct device *dev, 569 - struct device_attribute *attr, char *buf) 570 - { 571 - return sysfs_emit(buf, "Not affected\n"); 572 - } 518 + #define CPU_SHOW_VULN_FALLBACK(func) \ 519 + ssize_t 
cpu_show_##func(struct device *, \ 520 + struct device_attribute *, char *) \ 521 + __attribute__((weak, alias("cpu_show_not_affected"))) 573 522 574 - ssize_t __weak cpu_show_retbleed(struct device *dev, 575 - struct device_attribute *attr, char *buf) 576 - { 577 - return sysfs_emit(buf, "Not affected\n"); 578 - } 579 - 580 - ssize_t __weak cpu_show_spec_rstack_overflow(struct device *dev, 581 - struct device_attribute *attr, char *buf) 582 - { 583 - return sysfs_emit(buf, "Not affected\n"); 584 - } 585 - 586 - ssize_t __weak cpu_show_gds(struct device *dev, 587 - struct device_attribute *attr, char *buf) 588 - { 589 - return sysfs_emit(buf, "Not affected\n"); 590 - } 523 + CPU_SHOW_VULN_FALLBACK(meltdown); 524 + CPU_SHOW_VULN_FALLBACK(spectre_v1); 525 + CPU_SHOW_VULN_FALLBACK(spectre_v2); 526 + CPU_SHOW_VULN_FALLBACK(spec_store_bypass); 527 + CPU_SHOW_VULN_FALLBACK(l1tf); 528 + CPU_SHOW_VULN_FALLBACK(mds); 529 + CPU_SHOW_VULN_FALLBACK(tsx_async_abort); 530 + CPU_SHOW_VULN_FALLBACK(itlb_multihit); 531 + CPU_SHOW_VULN_FALLBACK(srbds); 532 + CPU_SHOW_VULN_FALLBACK(mmio_stale_data); 533 + CPU_SHOW_VULN_FALLBACK(retbleed); 534 + CPU_SHOW_VULN_FALLBACK(spec_rstack_overflow); 535 + CPU_SHOW_VULN_FALLBACK(gds); 591 536 592 537 static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); 593 538 static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
+2
include/linux/cpu.h
··· 72 72 struct device_attribute *attr, char *buf); 73 73 extern ssize_t cpu_show_spec_rstack_overflow(struct device *dev, 74 74 struct device_attribute *attr, char *buf); 75 + extern ssize_t cpu_show_gds(struct device *dev, 76 + struct device_attribute *attr, char *buf); 75 77 76 78 extern __printf(4, 5) 77 79 struct device *cpu_device_create(struct device *parent, void *drvdata,
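Review bot: in Documentation/admin-guide/hw-vuln/srso.rst, the "(spec_rstack_overflow=microcode)" line now sits after the nested "conditional IBPB" / "strict" list, so it is no longer obvious that it belongs to 'Mitigation: microcode' rather than to the "strict" item. Moving it directly under the first paragraph of that entry, before "Note that User->User mitigation is controlled by ...", would keep the state and its command-line option together, as the other entries do. The "conditional IBPB" item ("issued around it PR_SPEC_DISABLE/_ENABLE etc") would also read better with punctuation before the constants and both names spelled out. The hunk ends by adding two extra blank lines before "In order to exploit vulnerability", which can be dropped.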
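Review bot: in arch/x86/kernel/vmlinux.lds.S, the new ASSERT wraps only srso_untrain_ret_alias in ABSOLUTE() and leaves srso_safe_ret_alias bare, and the comment above it does not say why. The added comment documents the (A | B) - (A & B) workaround for linkers without XOR, but nothing records what the LLVM linker rejects without ABSOLUTE() or why wrapping one operand is sufficient. One sentence on that would stop a later cleanup from removing it or "fixing" the asymmetry. Since the comment already names the linker versions that gain XOR (GNU ld 2.41, lld-17), it is also worth stating that the expression can be simplified once those become the minimum supported versions.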
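Review bot: in drivers/base/cpu.c, CPU_SHOW_VULN_FALLBACK() has no comment saying that each generated cpu_show_<name>() is a weak alias of the static cpu_show_not_affected() and that an architecture overrides it by supplying a strong definition of the same name. That contract was self-evident with the old open-coded __weak stubs and is now hidden behind the macro. The macro also builds the symbol name by token pasting, so a mistyped argument only creates an extra unused weak symbol wherever the architecture provides its own strong definition; the shortlog entry "Fix the fallback cpu_show_gds() name" shows this is easy to get wrong. A short comment stating that the argument must match the cpu_show_* prototypes in include/linux/cpu.h (which gain cpu_show_gds() in this merge) and the DEVICE_ATTR() entries below would help. The redeclaration inside the macro uses unnamed parameters, so its signature also has to be kept in step with that header by hand.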