authorJiri Kosina <jkosina@suse.cz>2018-08-02 12:53:54 +0200
committerJiri Kosina <jkosina@suse.cz>2018-08-02 12:53:54 +0200
commit278dbed0b69a97f4f5467bd2eefd9fd25d78f509 (patch)
treeb54e3d57231aa111a7801a8a37a92c4f1e69fcd8
parent988e608599bc8e174ffbdd13dd09d66a8ff9775b (diff)
parent4a21a43bf9b76864cfaf0b86e7b8b8838417e0eb (diff)
Merge remote-tracking branch 'origin/users/vbabka/SLE11-SP4/for-next' into SLE11-SP4rpm-3.0.101-108.63
Pull spectre/meltdown bugfixes from Vlastimil Babka
-rw-r--r--patches.fixes/x64-entry-move-ENABLE_IBRS-after-switching-from-tram.patch55
-rw-r--r--patches.suse/kaiser-11-sp4-trampoline-stack-entry-fix-fixup-bad-iret.patch27
-rw-r--r--patches.suse/x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch30
-rw-r--r--series.conf3
4 files changed, 115 insertions, 0 deletions
diff --git a/patches.fixes/x64-entry-move-ENABLE_IBRS-after-switching-from-tram.patch b/patches.fixes/x64-entry-move-ENABLE_IBRS-after-switching-from-tram.patch
new file mode 100644
index 0000000000..bdc4eca576
--- /dev/null
+++ b/patches.fixes/x64-entry-move-ENABLE_IBRS-after-switching-from-tram.patch
@@ -0,0 +1,55 @@
+From 2165e85b0afe79d153be8adf00652da147ddd6f1 Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Thu, 2 Aug 2018 10:56:41 +0200
+Subject: [PATCH] x64/entry: move ENABLE_IBRS after switching from trampoline
+ stack
+Patch-mainline: never, different implementation
+References: bsc#1098658
+
+In the current error_entry, ENABLE_IBRS is performed under error_swapgs label
+before switching from trampoline stack to kernel thread stack under error_sti.
+It also switches to kernel thread stack temporarily and unconditionally, while
+the proper switch checks first that we are indeed on the trampoline stack.
+
+This might be a problem when we jump to error_swapgs from error_kernelspace
+which means the kernel faulted in gs_change. AFAIU that's on the kernel stack,
+so by switching to its beginning means we would overwrite it.
+
+There are also jumps to error_sti from error_bad_iret, which means this path
+would miss ENABLE_IBRS. It's also a bit wasteful to switch the stack twice.
+
+To resolve all above, move ENABLE_IBRS after the (conditional) stack switch
+under error_sti.
+
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+---
+ arch/x86/kernel/entry_64.S | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
+index 8f2c9d5d4927..418ec6a0b079 100644
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1627,10 +1627,6 @@ ENTRY(error_entry)
+ error_swapgs:
+ SWAPGS
+ SWITCH_KERNEL_CR3
+- movq %rsp, %rsi
+- movq PER_CPU_VAR(kernel_stack), %rsp
+- ENABLE_IBRS
+- movq %rsi, %rsp
+ error_sti:
+ movq PER_CPU_VAR(init_tss + TSS_sp0), %rcx
+ cmpq %rcx, %rsp
+@@ -1646,6 +1642,8 @@ ENTRY(error_entry)
+ movq %rsp, %rsi
+ rep movsb
+ movq %rax, %rsp
++
++ ENABLE_IBRS
+ 1:
+ TRACE_IRQS_OFF
+ ret
+--
+2.18.0
+
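Review bot: The relocated `ENABLE_IBRS` sits just ahead of the `1:` label, so it runs only on the path that performed the trampoline-to-thread stack copy; whatever conditional branch follows `cmpq %rcx, %rsp` at the top of error_sti and targets `1:` (it lies between the two hunks, outside what is shown) now bypasses it. For the error_kernelspace → error_swapgs case that is presumably acceptable because the fault happened in kernel mode with IBRS already on, but that reasoning is not stated anywhere in the patch and deserves a comment at the label, e.g. `1: /* reached directly only when already on the thread stack, i.e. IBRS already enabled */`. The same assumption should be re-checked for the error_bad_iret → error_sti jump that the description says this move is meant to cover. error_entry begins and ends outside both hunks.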
diff --git a/patches.suse/kaiser-11-sp4-trampoline-stack-entry-fix-fixup-bad-iret.patch b/patches.suse/kaiser-11-sp4-trampoline-stack-entry-fix-fixup-bad-iret.patch
new file mode 100644
index 0000000000..ffab9eeac3
--- /dev/null
+++ b/patches.suse/kaiser-11-sp4-trampoline-stack-entry-fix-fixup-bad-iret.patch
@@ -0,0 +1,27 @@
+From: Jiri Kosina <jkosina@suse.cz>
+Subject: [PATCH] x86/traps: Fix bad_iret_stack in fixup_bad_iret()
+Patch-mainline: never, different implementation
+References: bsc#1098658
+
+With PTI and trampoline entry stack in place, we need to return to the
+entry stack while fixing up bad iret to userspace, otherwise we end
+up in #GP with CR3 already switched, but still running on thread stack
+(as that's what task_pt_regs() gives us).
+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ arch/x86/kernel/traps.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -587,8 +587,7 @@ struct bad_iret_stack *fixup_bad_iret(st
+ * iret target.
+ */
+ struct bad_iret_stack *new_stack =
+- container_of(task_pt_regs(current),
+- struct bad_iret_stack, regs);
++ (struct bad_iret_stack *)this_cpu_read(init_tss.x86_tss.sp0) - 1;
+
+ /* Copy the IRET target to the new stack. */
+ memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
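Review bot: The comment ending at `* iret target.` directly above the new initializer still describes the old derivation of `new_stack` from task_pt_regs() and should be brought in line, e.g. `/* With PTI the fix-up frame goes just below the per-CPU entry stack top (init_tss sp0) so we resume on the trampoline stack, not the thread stack. */`. The expression `(struct bad_iret_stack *)this_cpu_read(init_tss.x86_tss.sp0) - 1` also assumes the entry stack has room for a whole struct bad_iret_stack below sp0; the hunk does not show that relation, so a `BUILD_BUG_ON` or at least a comment tying the two sizes together would make it checkable. Unlike the other two patch files in this commit, this one carries no `Date:` header and its embedded diff has no `diff --git`/`index` lines, which quilt tolerates but which makes the backport harder to trace. fixup_bad_iret() starts before this hunk and continues after it.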
diff --git a/patches.suse/x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch b/patches.suse/x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch
new file mode 100644
index 0000000000..b17e0861a9
--- /dev/null
+++ b/patches.suse/x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch
@@ -0,0 +1,30 @@
+From 311cb57e0fd0b5be271c92f3be5ecfe9b132b66c Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Tue, 10 Jul 2018 13:00:27 +0200
+Subject: [PATCH] x86/traps: add missing kernel CR3 switch in bad_iret path
+Patch-mainline: never, different implementation
+References: bsc#1098658
+
+In error_bad_iret, we have user CR3 already but are about to execute kernel
+code again starting with fixup_bad_iret(). We need to switch to kernel CR3.
+
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+---
+ arch/x86/kernel/entry_64.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
+index 8a865e860d46..8f2c9d5d4927 100644
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1676,6 +1676,7 @@ ENTRY(error_entry)
+
+ error_bad_iret:
+ SWAPGS
++ SWITCH_KERNEL_CR3
+ mov %rsp,%rdi
+ call fixup_bad_iret
+ mov %rax,%rsp
+--
+2.18.0
+
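Review bot: The added `SWITCH_KERNEL_CR3` has no inline comment, and unlike error_swapgs, where the same SWAPGS/SWITCH_KERNEL_CR3 pair appears, this label is entered after a failed iret to userspace with the user CR3 already loaded, which is the whole reason the switch is required; a one-liner such as `/* user CR3 is live here, fixup_bad_iret() is kernel code */` would stop that from being lost on the next rebase. Per the first patch's description this path then jumps to error_sti and relies on that path for ENABLE_IBRS, which is worth stating in this patch's description too so the two changes are understood as a pair. error_entry starts and ends outside this hunk.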
diff --git a/series.conf b/series.conf
index 3f4145fe97..ec9ac952de 100644
--- a/series.conf
+++ b/series.conf
@@ -25302,6 +25302,9 @@
patches.arch/17-x86-retpoline-remove-the-esp-rsp-thunk.patch
patches.suse/x86-speculation-Fix-typo-IBRS_ATT-which-should-be-IB.patch
patches.arch/19-x86-retpoline-entry-convert-unwind-assembly-indirect.patch
+ patches.suse/kaiser-11-sp4-trampoline-stack-entry-fix-fixup-bad-iret.patch
+ patches.suse/x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch
+ patches.fixes/x64-entry-move-ENABLE_IBRS-after-switching-from-tram.patch
# misc
patches.arch/sysfs-cpu-Add-vulnerability-folder.patch