Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'x86_urgent_for_v6.5_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Borislav Petkov:

- AMD's automatic IBRS doesn't enable cross-thread branch target
injection protection (STIBP) for user processes. Enable STIBP on such
systems.

- Do not delete AMD MCE error thresholding sysfs kobjects when destroying
them, but put the ref instead, in order not to delete the kernfs pointer
prematurely

- Restore annotation in ret_from_fork_asm() in order to fix kthread
stack unwinding from being marked as unreliable and thus breaking
livepatching

* tag 'x86_urgent_for_v6.5_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled
x86/MCE/AMD: Decrement threshold_bank refcount when removing threshold blocks
x86: Fix kthread unwind

+33 -13
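--- a/Documentation/admin-guide/hw-vuln/spectre.rst
+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
@@ -484,11 +484,14 @@
 
 Systems which support enhanced IBRS (eIBRS) enable IBRS protection once at
 boot, by setting the IBRS bit, and they're automatically protected against
-Spectre v2 variant attacks, including cross-thread branch target injections
-on SMT systems (STIBP). In other words, eIBRS enables STIBP too.
+Spectre v2 variant attacks.
 
-Legacy IBRS systems clear the IBRS bit on exit to userspace and
-therefore explicitly enable STIBP for that
+On Intel's enhanced IBRS systems, this includes cross-thread branch target
+injections on SMT systems (STIBP). In other words, Intel eIBRS enables
+STIBP, too.
+
+AMD Automatic IBRS does not protect userspace, and Legacy IBRS systems clear
+the IBRS bit on exit to userspace, therefore both explicitly enable STIBP.
 
 The retpoline mitigation is turned on by default on vulnerable
 CPUs. It can be forced on or off by the administrator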
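--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -285,7 +285,15 @@
 */
 .pushsection .text, "ax"
 SYM_CODE_START(ret_from_fork_asm)
-UNWIND_HINT_REGS
+/*
+* This is the start of the kernel stack; even through there's a
+* register set at the top, the regset isn't necessarily coherent
+* (consider kthreads) and one cannot unwind further.
+*
+* This ensures stack unwinds of kernel threads terminate in a known
+* good state.
+*/
+UNWIND_HINT_END_OF_STACK
 ANNOTATE_NOENDBR // copy_thread
 CALL_DEPTH_ACCOUNT
 
@@ -295,6 +303,12 @@
 movq %r12, %rcx /* fn_arg */
 call ret_from_fork
 
+/*
+* Set the stack state to what is expected for the target function
+* -- at this point the register set should be a valid user set
+* and unwind should work normally.
+*/
+UNWIND_HINT_REGS
 jmp swapgs_restore_regs_and_return_to_usermode
 SYM_CODE_END(ret_from_fork_asm)
 .popsection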
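Review bot: The comment added above `UNWIND_HINT_END_OF_STACK` in ret_from_fork_asm has a typo: "even through there's a register set" should read "even though there's a register set". The commit description ties this annotation to unwind reliability and livepatching, so the second comment, before `UNWIND_HINT_REGS`, would also benefit from naming the path that reaches it. Something like `* Only reached on the way back to user mode, where pt_regs holds a valid user register set.` would do, but that wording is inferred from the existing comment text and should be confirmed against ret_from_fork, which is not shown here.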
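--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1150,19 +1150,21 @@
 }
 
 /*
-* If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP
+* If no STIBP, Intel enhanced IBRS is enabled, or SMT impossible, STIBP
 * is not required.
 *
-* Enhanced IBRS also protects against cross-thread branch target
+* Intel's Enhanced IBRS also protects against cross-thread branch target
 * injection in user-mode as the IBRS bit remains always set which
 * implicitly enables cross-thread protections. However, in legacy IBRS
 * mode, the IBRS bit is set only on kernel entry and cleared on return
-* to userspace. This disables the implicit cross-thread protection,
-* so allow for STIBP to be selected in that case.
+* to userspace. AMD Automatic IBRS also does not protect userspace.
+* These modes therefore disable the implicit cross-thread protection,
+* so allow for STIBP to be selected in those cases.
 */
 if (!boot_cpu_has(X86_FEATURE_STIBP) ||
 !smt_possible ||
-spectre_v2_in_eibrs_mode(spectre_v2_enabled))
+(spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
+!boot_cpu_has(X86_FEATURE_AUTOIBRS)))
 return;
 
 /*
@@ -2294,7 +2296,8 @@
 
 static char *stibp_state(void)
 {
-if (spectre_v2_in_eibrs_mode(spectre_v2_enabled))
+if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
+!boot_cpu_has(X86_FEATURE_AUTOIBRS))
 return "";
 
 switch (spectre_v2_user_stibp) {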
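Review bot: The predicate `spectre_v2_in_eibrs_mode(spectre_v2_enabled) && !boot_cpu_has(X86_FEATURE_AUTOIBRS)` is now written out twice, once in the STIBP selection check of the first hunk and once in stibp_state() in the second. If the two copies drift apart, the STIBP state that stibp_state() returns would no longer match the mitigation actually selected, and that string is presumably what an administrator reads to judge cross-thread exposure. A small static helper used at both sites would keep them in step, carrying a one-line comment such as `/* eIBRS mode whose always-set IBRS bit also covers userspace, i.e. not AMD Automatic IBRS */`. The function containing the first hunk begins and ends outside the hunk.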
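--- a/arch/x86/kernel/cpu/mce/amd.c
+++ b/arch/x86/kernel/cpu/mce/amd.c
@@ -1261,10 +1261,10 @@
 struct threshold_block *pos = NULL;
 struct threshold_block *tmp = NULL;
 
-kobject_del(b->kobj);
+kobject_put(b->kobj);
 
 list_for_each_entry_safe(pos, tmp, &b->blocks->miscj, miscj)
-kobject_del(&pos->kobj);
+kobject_put(b->kobj);
 }
 
 static void threshold_remove_bank(struct threshold_bank *bank)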
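Review bot: The `list_for_each_entry_safe` loop walks `pos` over the bank's blocks but its new body is `kobject_put(b->kobj);`, so `pos` is never used and the bank kobject is put once per list entry, whereas the removed line acted on `&pos->kobj`. If this is deliberate reference balancing (one bank reference taken for each block when it was added, which is not visible in this hunk), it needs a comment such as `/* each block added took a reference on the bank kobject; drop one per block */`. Without that it reads like a copy-paste slip. A wrong count in either direction matters here, since it means a leaked kobject or a premature release. The enclosing function starts outside the hunk.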