Introducing observable speculation barrier (obs)
NOT ready yet: clearing unused registers upon syscall entry
Change-Id: I65251fe7db5cce8607a0c19adb40a8c7b5f614e3
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4609
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.9.75 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -48,6 +48,26 @@ Patch27: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
48 | 48 |
# Fix CVE-2017-17450 |
49 | 49 |
Patch28: netfilter-xt_osf-Add-missing-permission-checks.patch |
50 | 50 |
Patch29: revert-SMB-validate-negotiate-even-if-signing-off.patch |
51 |
+# For Spectre |
|
52 |
+Patch50: 0139-x86-cpu-AMD-Make-the-LFENCE-instruction-serialized.patch |
|
53 |
+Patch51: 0140-x86-cpu-AMD-Remove-now-unused-definition-of-MFENCE_R.patch |
|
54 |
+Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
|
55 |
+Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch |
|
56 |
+Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch |
|
57 |
+Patch55: 0144-uvcvideo-prevent-speculative-execution.patch |
|
58 |
+Patch56: 0145-carl9170-prevent-speculative-execution.patch |
|
59 |
+Patch57: 0146-p54-prevent-speculative-execution.patch |
|
60 |
+Patch58: 0147-qla2xxx-prevent-speculative-execution.patch |
|
61 |
+Patch59: 0148-cw1200-prevent-speculative-execution.patch |
|
62 |
+Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch |
|
63 |
+Patch61: 0150-ipv4-prevent-speculative-execution.patch |
|
64 |
+Patch62: 0151-ipv6-prevent-speculative-execution.patch |
|
65 |
+Patch63: 0152-fs-prevent-speculative-execution.patch |
|
66 |
+Patch64: 0153-net-mpls-prevent-speculative-execution.patch |
|
67 |
+Patch65: 0154-udf-prevent-speculative-execution.patch |
|
68 |
+Patch66: 0155-userns-prevent-speculative-execution.patch |
|
69 |
+Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch |
|
70 |
+Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch |
|
51 | 71 |
|
52 | 72 |
BuildRequires: bc |
53 | 73 |
BuildRequires: kbd |
... | ... |
@@ -115,6 +135,27 @@ The Linux package contains the Linux kernel doc files |
115 | 115 |
%patch28 -p1 |
116 | 116 |
%patch29 -p1 |
117 | 117 |
|
118 |
+%patch50 -p1 |
|
119 |
+%patch51 -p1 |
|
120 |
+%patch52 -p1 |
|
121 |
+%patch53 -p1 |
|
122 |
+%patch54 -p1 |
|
123 |
+%patch55 -p1 |
|
124 |
+%patch56 -p1 |
|
125 |
+%patch57 -p1 |
|
126 |
+%patch58 -p1 |
|
127 |
+%patch59 -p1 |
|
128 |
+%patch60 -p1 |
|
129 |
+%patch61 -p1 |
|
130 |
+%patch62 -p1 |
|
131 |
+%patch63 -p1 |
|
132 |
+%patch64 -p1 |
|
133 |
+%patch65 -p1 |
|
134 |
+%patch66 -p1 |
|
135 |
+#not ready yet |
|
136 |
+#%patch67 -p1 |
|
137 |
+#%patch68 -p1 |
|
138 |
+ |
|
118 | 139 |
%build |
119 | 140 |
# patch vmw_balloon driver |
120 | 141 |
sed -i 's/module_init/late_initcall/' drivers/misc/vmw_balloon.c |
... | ... |
@@ -210,6 +251,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
210 | 210 |
/usr/src/linux-headers-%{uname_r} |
211 | 211 |
|
212 | 212 |
%changelog |
213 |
+* Sun Jan 08 2018 Bo Gan <ganb@vmware.com> 4.9.75-2 |
|
214 |
+- Initial Spectre fix |
|
213 | 215 |
* Fri Jan 05 2018 Anish Swaminathan <anishs@vmware.com> 4.9.75-1 |
214 | 216 |
- Version update to 4.9.75 |
215 | 217 |
* Thu Jan 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-3 |
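Review bot: The changelog entry `- Initial Spectre fix` does not say that Patch67 and Patch68 are declared but left commented out under `#not ready yet`, so the two syscall register-clearing patches are not in the built kernel even though the release is bumped. A line such as `- Initial Spectre fix (osb barriers only; syscall register clearing patches not applied yet)` would keep the changelog accurate about what this build mitigates. The header `* Sun Jan 08 2018` also does not match the calendar, since 8 January 2018 was a Monday, and rpmbuild typically warns about a bogus %changelog date; it should read `* Mon Jan 08 2018 Bo Gan <ganb@vmware.com> 4.9.75-2`. Writing the disabled lines as `#%%patch67 -p1` avoids any macro handling inside the comment. The same points apply to the linux-secure and linux spec sections further down.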
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 | 4 |
Version: 4.9.75 |
5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -57,6 +57,26 @@ Patch33: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
57 | 57 |
# Fix CVE-2017-17450 |
58 | 58 |
Patch34: netfilter-xt_osf-Add-missing-permission-checks.patch |
59 | 59 |
Patch35: revert-SMB-validate-negotiate-even-if-signing-off.patch |
60 |
+# For Spectre |
|
61 |
+Patch50: 0139-x86-cpu-AMD-Make-the-LFENCE-instruction-serialized.patch |
|
62 |
+Patch51: 0140-x86-cpu-AMD-Remove-now-unused-definition-of-MFENCE_R.patch |
|
63 |
+Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
|
64 |
+Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch |
|
65 |
+Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch |
|
66 |
+Patch55: 0144-uvcvideo-prevent-speculative-execution.patch |
|
67 |
+Patch56: 0145-carl9170-prevent-speculative-execution.patch |
|
68 |
+Patch57: 0146-p54-prevent-speculative-execution.patch |
|
69 |
+Patch58: 0147-qla2xxx-prevent-speculative-execution.patch |
|
70 |
+Patch59: 0148-cw1200-prevent-speculative-execution.patch |
|
71 |
+Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch |
|
72 |
+Patch61: 0150-ipv4-prevent-speculative-execution.patch |
|
73 |
+Patch62: 0151-ipv6-prevent-speculative-execution.patch |
|
74 |
+Patch63: 0152-fs-prevent-speculative-execution.patch |
|
75 |
+Patch64: 0153-net-mpls-prevent-speculative-execution.patch |
|
76 |
+Patch65: 0154-udf-prevent-speculative-execution.patch |
|
77 |
+Patch66: 0155-userns-prevent-speculative-execution.patch |
|
78 |
+Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch |
|
79 |
+Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch |
|
60 | 80 |
|
61 | 81 |
# NSX requirements (should be removed) |
62 | 82 |
Patch99: LKCM.patch |
... | ... |
@@ -171,6 +191,27 @@ EOF |
171 | 171 |
%patch34 -p1 |
172 | 172 |
%patch35 -p1 |
173 | 173 |
|
174 |
+%patch50 -p1 |
|
175 |
+%patch51 -p1 |
|
176 |
+%patch52 -p1 |
|
177 |
+%patch53 -p1 |
|
178 |
+%patch54 -p1 |
|
179 |
+%patch55 -p1 |
|
180 |
+%patch56 -p1 |
|
181 |
+%patch57 -p1 |
|
182 |
+%patch58 -p1 |
|
183 |
+%patch59 -p1 |
|
184 |
+%patch60 -p1 |
|
185 |
+%patch61 -p1 |
|
186 |
+%patch62 -p1 |
|
187 |
+%patch63 -p1 |
|
188 |
+%patch64 -p1 |
|
189 |
+%patch65 -p1 |
|
190 |
+%patch66 -p1 |
|
191 |
+#not ready yet |
|
192 |
+#%patch67 -p1 |
|
193 |
+#%patch68 -p1 |
|
194 |
+ |
|
174 | 195 |
pushd .. |
175 | 196 |
%patch99 -p0 |
176 | 197 |
popd |
... | ... |
@@ -296,6 +337,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
296 | 296 |
/usr/src/linux-headers-%{uname_r} |
297 | 297 |
|
298 | 298 |
%changelog |
299 |
+* Sun Jan 08 2018 Bo Gan <ganb@vmware.com> 4.9.75-2 |
|
300 |
+- Initial Spectre fix |
|
299 | 301 |
* Fri Jan 05 2018 Bo Gan <ganb@vmware.com> 4.9.75-1 |
300 | 302 |
- Verion update (fix Intel Meltdown) |
301 | 303 |
* Thu Jan 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-3 |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.9.75 |
5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -54,6 +54,26 @@ Patch30: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
54 | 54 |
# Fix CVE-2017-17450 |
55 | 55 |
Patch31: netfilter-xt_osf-Add-missing-permission-checks.patch |
56 | 56 |
Patch32: revert-SMB-validate-negotiate-even-if-signing-off.patch |
57 |
+# For Spectre |
|
58 |
+Patch50: 0139-x86-cpu-AMD-Make-the-LFENCE-instruction-serialized.patch |
|
59 |
+Patch51: 0140-x86-cpu-AMD-Remove-now-unused-definition-of-MFENCE_R.patch |
|
60 |
+Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
|
61 |
+Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch |
|
62 |
+Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch |
|
63 |
+Patch55: 0144-uvcvideo-prevent-speculative-execution.patch |
|
64 |
+Patch56: 0145-carl9170-prevent-speculative-execution.patch |
|
65 |
+Patch57: 0146-p54-prevent-speculative-execution.patch |
|
66 |
+Patch58: 0147-qla2xxx-prevent-speculative-execution.patch |
|
67 |
+Patch59: 0148-cw1200-prevent-speculative-execution.patch |
|
68 |
+Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch |
|
69 |
+Patch61: 0150-ipv4-prevent-speculative-execution.patch |
|
70 |
+Patch62: 0151-ipv6-prevent-speculative-execution.patch |
|
71 |
+Patch63: 0152-fs-prevent-speculative-execution.patch |
|
72 |
+Patch64: 0153-net-mpls-prevent-speculative-execution.patch |
|
73 |
+Patch65: 0154-udf-prevent-speculative-execution.patch |
|
74 |
+Patch66: 0155-userns-prevent-speculative-execution.patch |
|
75 |
+Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch |
|
76 |
+Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch |
|
57 | 77 |
|
58 | 78 |
%if 0%{?kat_build:1} |
59 | 79 |
Patch1000: %{kat_build}.patch |
... | ... |
@@ -158,6 +178,27 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
158 | 158 |
%patch31 -p1 |
159 | 159 |
%patch32 -p1 |
160 | 160 |
|
161 |
+%patch50 -p1 |
|
162 |
+%patch51 -p1 |
|
163 |
+%patch52 -p1 |
|
164 |
+%patch53 -p1 |
|
165 |
+%patch54 -p1 |
|
166 |
+%patch55 -p1 |
|
167 |
+%patch56 -p1 |
|
168 |
+%patch57 -p1 |
|
169 |
+%patch58 -p1 |
|
170 |
+%patch59 -p1 |
|
171 |
+%patch60 -p1 |
|
172 |
+%patch61 -p1 |
|
173 |
+%patch62 -p1 |
|
174 |
+%patch63 -p1 |
|
175 |
+%patch64 -p1 |
|
176 |
+%patch65 -p1 |
|
177 |
+%patch66 -p1 |
|
178 |
+#not ready yet |
|
179 |
+#%patch67 -p1 |
|
180 |
+#%patch68 -p1 |
|
181 |
+ |
|
161 | 182 |
%if 0%{?kat_build:1} |
162 | 183 |
%patch1000 -p1 |
163 | 184 |
%endif |
... | ... |
@@ -324,6 +365,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
324 | 324 |
/usr/share/doc/* |
325 | 325 |
|
326 | 326 |
%changelog |
327 |
+* Sun Jan 08 2018 Bo Gan <ganb@vmware.com> 4.9.75-2 |
|
328 |
+- Initial Spectre fix |
|
327 | 329 |
* Fri Jan 05 2018 Anish Swaminathan <anishs@vmware.com> 4.9.75-1 |
328 | 330 |
- Version update to 4.9.75 |
329 | 331 |
* Thu Jan 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-3 |
330 | 332 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,58 @@ |
0 |
+From 9883f4d618615acaa9541aaae38e8434d699593f Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Thu, 14 Dec 2017 09:57:58 +0200 |
|
3 |
+Subject: [PATCH 139/194] x86/cpu/AMD: Make the LFENCE instruction serialized |
|
4 |
+ |
|
5 |
+In order to reduce the impact of using MFENCE, make the execution of the |
|
6 |
+LFENCE instruction serialized. This is done by setting bit 1 of MSR |
|
7 |
+0xc0011029 (DE_CFG). |
|
8 |
+ |
|
9 |
+Some families that support LFENCE do not have this MSR. For these |
|
10 |
+families, the LFENCE instruction is already serialized. |
|
11 |
+ |
|
12 |
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> |
|
13 |
+--- |
|
14 |
+ arch/x86/include/asm/msr-index.h | 2 ++ |
|
15 |
+ arch/x86/kernel/cpu/amd.c | 13 +++++++++++-- |
|
16 |
+ 2 files changed, 13 insertions(+), 2 deletions(-) |
|
17 |
+ |
|
18 |
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h |
|
19 |
+index ab02261..1e7d710 100644 |
|
20 |
+--- a/arch/x86/include/asm/msr-index.h |
|
21 |
+@@ -352,6 +352,8 @@ |
|
22 |
+ #define FAM10H_MMIO_CONF_BASE_MASK 0xfffffffULL |
|
23 |
+ #define FAM10H_MMIO_CONF_BASE_SHIFT 20 |
|
24 |
+ #define MSR_FAM10H_NODE_ID 0xc001100c |
|
25 |
++#define MSR_F10H_DECFG 0xc0011029 |
|
26 |
++#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT 1 |
|
27 |
+ |
|
28 |
+ /* K8 MSRs */ |
|
29 |
+ #define MSR_K8_TOP_MEM1 0xc001001a |
|
30 |
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c |
|
31 |
+index bcb75dc..d64078d 100644 |
|
32 |
+--- a/arch/x86/kernel/cpu/amd.c |
|
33 |
+@@ -829,8 +829,17 @@ static void init_amd(struct cpuinfo_x86 *c) |
|
34 |
+ set_cpu_cap(c, X86_FEATURE_K8); |
|
35 |
+ |
|
36 |
+ if (cpu_has(c, X86_FEATURE_XMM2)) { |
|
37 |
+- /* MFENCE stops RDTSC speculation */ |
|
38 |
+- set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC); |
|
39 |
++ /* |
|
40 |
++ * Use LFENCE for execution serialization. On some families |
|
41 |
++ * LFENCE is already serialized and the MSR is not available, |
|
42 |
++ * but msr_set_bit() uses rdmsrl_safe() and wrmsrl_safe(). |
|
43 |
++ */ |
|
44 |
++ if (c->x86 > 0xf) |
|
45 |
++ msr_set_bit(MSR_F10H_DECFG, |
|
46 |
++ MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT); |
|
47 |
++ |
|
48 |
++ /* LFENCE with MSR_F10H_DECFG[1]=1 stops RDTSC speculation */ |
|
49 |
++ set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC); |
|
50 |
+ } |
|
51 |
+ |
|
52 |
+ /* |
|
53 |
+-- |
|
54 |
+2.9.5 |
|
55 |
+ |
0 | 56 |
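Review bot: `set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC)` is reached whether or not `msr_set_bit(MSR_F10H_DECFG, ...)` took effect, because its return value is dropped. If the write is refused or ignored (a guest kernel under a hypervisor is the likely case), LFENCE may stay non-serializing while `rdtsc_ordered()` and the `osb()` added later in this series both key off this feature bit. Reading the MSR back before setting the capability would close that gap, e.g. `if (!rdmsrl_safe(MSR_F10H_DECFG, &val) && (val & (1ULL << MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT)))`, with MFENCE kept as the fallback. That in turn means the following patch should not remove `X86_FEATURE_MFENCE_RDTSC`. `init_amd()` continues outside the hunk.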
new file mode 100644 |
... | ... |
@@ -0,0 +1,45 @@ |
0 |
+From 3325f36c2f6f6335cb3161977ba07ee58a03577f Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Thu, 14 Dec 2017 10:09:03 +0200 |
|
3 |
+Subject: [PATCH 140/194] x86/cpu/AMD: Remove now unused definition of |
|
4 |
+ MFENCE_RDTSC feature |
|
5 |
+ |
|
6 |
+With the switch to using LFENCE_RDTSC on AMD platforms there is no longer |
|
7 |
+a need for the MFENCE_RDTSC feature. Remove its usage and definition. |
|
8 |
+ |
|
9 |
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> |
|
10 |
+--- |
|
11 |
+ arch/x86/include/asm/cpufeatures.h | 2 +- |
|
12 |
+ arch/x86/include/asm/msr.h | 3 +-- |
|
13 |
+ 2 files changed, 2 insertions(+), 3 deletions(-) |
|
14 |
+ |
|
15 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
16 |
+index f8c2bd4..86c68cb 100644 |
|
17 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
18 |
+@@ -96,7 +96,7 @@ |
|
19 |
+ #define X86_FEATURE_SYSCALL32 ( 3*32+14) /* "" syscall in ia32 userspace */ |
|
20 |
+ #define X86_FEATURE_SYSENTER32 ( 3*32+15) /* "" sysenter in ia32 userspace */ |
|
21 |
+ #define X86_FEATURE_REP_GOOD ( 3*32+16) /* rep microcode works well */ |
|
22 |
+-#define X86_FEATURE_MFENCE_RDTSC ( 3*32+17) /* "" Mfence synchronizes RDTSC */ |
|
23 |
++ |
|
24 |
+ #define X86_FEATURE_LFENCE_RDTSC ( 3*32+18) /* "" Lfence synchronizes RDTSC */ |
|
25 |
+ #define X86_FEATURE_ACC_POWER ( 3*32+19) /* AMD Accumulated Power Mechanism */ |
|
26 |
+ #define X86_FEATURE_NOPL ( 3*32+20) /* The NOPL (0F 1F) instructions */ |
|
27 |
+diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h |
|
28 |
+index 07962f5..8d8d7ae2 100644 |
|
29 |
+--- a/arch/x86/include/asm/msr.h |
|
30 |
+@@ -214,8 +214,7 @@ static __always_inline unsigned long long rdtsc_ordered(void) |
|
31 |
+ * that some other imaginary CPU is updating continuously with a |
|
32 |
+ * time stamp. |
|
33 |
+ */ |
|
34 |
+- alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, |
|
35 |
+- "lfence", X86_FEATURE_LFENCE_RDTSC); |
|
36 |
++ alternative("", "lfence", X86_FEATURE_LFENCE_RDTSC); |
|
37 |
+ return rdtsc(); |
|
38 |
+ } |
|
39 |
+ |
|
40 |
+-- |
|
41 |
+2.9.5 |
|
42 |
+ |
0 | 43 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,62 @@ |
0 |
+From 11ea2f142cc668db2383015c722bcd71b6b10ba7 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Mon, 7 Aug 2017 11:03:42 +0300 |
|
3 |
+Subject: [PATCH 141/194] locking/barriers: introduce new observable |
|
4 |
+ speculation barrier |
|
5 |
+ |
|
6 |
+The new observable speculation barrier, osb(), ensures |
|
7 |
+that any user observable speculation doesn't cross the boundary. |
|
8 |
+ |
|
9 |
+Any user observable speculative activity on this CPU |
|
10 |
+thread before this point either completes, reaches a |
|
11 |
+state it can no longer cause an observable activity, or |
|
12 |
+is aborted before instructions after the barrier execute. |
|
13 |
+ |
|
14 |
+In x86 case, osb() resolves in lfence if X86_FEATURE_LFENCE_RDTSC |
|
15 |
+is present. Other architectures can define their variants. |
|
16 |
+ |
|
17 |
+Suggested-by: Arjan van de Ven <arjan@linux.intel.com> |
|
18 |
+Suggested-by: Alan Cox <alan.cox@intel.com> |
|
19 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
20 |
+--- |
|
21 |
+ arch/x86/include/asm/barrier.h | 2 ++ |
|
22 |
+ include/asm-generic/barrier.h | 11 +++++++++++ |
|
23 |
+ 2 files changed, 13 insertions(+) |
|
24 |
+ |
|
25 |
+diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h |
|
26 |
+index 01727db..a0f695a 100644 |
|
27 |
+--- a/arch/x86/include/asm/barrier.h |
|
28 |
+@@ -77,6 +77,8 @@ do { \ |
|
29 |
+ |
|
30 |
+ #endif |
|
31 |
+ |
|
32 |
++#define osb() alternative("", "lfence", X86_FEATURE_LFENCE_RDTSC) |
|
33 |
++ |
|
34 |
+ /* Atomic operations are already serializing on x86 */ |
|
35 |
+ #define __smp_mb__before_atomic() barrier() |
|
36 |
+ #define __smp_mb__after_atomic() barrier() |
|
37 |
+diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h |
|
38 |
+index fe297b5..04b3b1f 100644 |
|
39 |
+--- a/include/asm-generic/barrier.h |
|
40 |
+@@ -246,5 +246,16 @@ do { \ |
|
41 |
+ }) |
|
42 |
+ #endif |
|
43 |
+ |
|
44 |
++/* Observable speculation barrier: ensures that any user |
|
45 |
++ * observable speculation doesn't cross the boundary. |
|
46 |
++ * Any user observable speculative activity on this CPU |
|
47 |
++ * thread before this point either completes, reaches a |
|
48 |
++ * state it can no longer cause observable activity, or |
|
49 |
++ * is aborted before instructions after the barrier execute. |
|
50 |
++ */ |
|
51 |
++#ifndef osb |
|
52 |
++#define osb() do { } while (0) |
|
53 |
++#endif |
|
54 |
++ |
|
55 |
+ #endif /* !__ASSEMBLY__ */ |
|
56 |
+ #endif /* __ASM_GENERIC_BARRIER_H */ |
|
57 |
+-- |
|
58 |
+2.9.5 |
|
59 |
+ |
0 | 60 |
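Review bot: Both definitions of `osb()` can compile to nothing, and neither says so at the definition: the generic fallback is `do { } while (0)`, and the x86 version is an `alternative` that stays empty unless `X86_FEATURE_LFENCE_RDTSC` is set. The call sites added by the later patches in this series read as if the barrier were unconditional. I would extend the block comment in `include/asm-generic/barrier.h` to state that the default is a no-op, and add above the x86 define `/* Emits LFENCE only when X86_FEATURE_LFENCE_RDTSC is set; otherwise no barrier is emitted */`.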
new file mode 100644 |
... | ... |
@@ -0,0 +1,48 @@ |
0 |
+From acc08dc457b9c6b30c21f589ef4f2f5235d1e654 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Mon, 7 Aug 2017 11:10:28 +0300 |
|
3 |
+Subject: [PATCH 142/194] bpf: prevent speculative execution in eBPF |
|
4 |
+ interpreter |
|
5 |
+ |
|
6 |
+This adds an observable speculation barrier before LD_IMM_DW and |
|
7 |
+LDX_MEM_B/H/W/DW eBPF instructions during eBPF program |
|
8 |
+execution in order to prevent speculative execution on out |
|
9 |
+of bound BFP_MAP array indexes. This way an arbitary kernel |
|
10 |
+memory is not exposed through side channel attacks. |
|
11 |
+ |
|
12 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
13 |
+--- |
|
14 |
+ kernel/bpf/core.c | 3 +++ |
|
15 |
+ 1 file changed, 3 insertions(+) |
|
16 |
+ |
|
17 |
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c |
|
18 |
+index 7b62df8..b28eca1 100644 |
|
19 |
+--- a/kernel/bpf/core.c |
|
20 |
+@@ -33,6 +33,7 @@ |
|
21 |
+ #include <linux/frame.h> |
|
22 |
+ |
|
23 |
+ #include <asm/unaligned.h> |
|
24 |
++#include <asm/barrier.h> |
|
25 |
+ |
|
26 |
+ /* Registers */ |
|
27 |
+ #define BPF_R0 regs[BPF_REG_0] |
|
28 |
+@@ -932,6 +933,7 @@ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, |
|
29 |
+ DST = IMM; |
|
30 |
+ CONT; |
|
31 |
+ LD_IMM_DW: |
|
32 |
++ osb(); |
|
33 |
+ DST = (u64) (u32) insn[0].imm | ((u64) (u32) insn[1].imm) << 32; |
|
34 |
+ insn++; |
|
35 |
+ CONT; |
|
36 |
+@@ -1193,6 +1195,7 @@ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, |
|
37 |
+ *(SIZE *)(unsigned long) (DST + insn->off) = IMM; \ |
|
38 |
+ CONT; \ |
|
39 |
+ LDX_MEM_##SIZEOP: \ |
|
40 |
++ osb(); \ |
|
41 |
+ DST = *(SIZE *)(unsigned long) (SRC + insn->off); \ |
|
42 |
+ CONT; |
|
43 |
+ |
|
44 |
+-- |
|
45 |
+2.9.5 |
|
46 |
+ |
0 | 47 |
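Review bot: The two `osb();` calls at `LD_IMM_DW:` and `LDX_MEM_##SIZEOP:` have no comment, so the reason for a barrier on every interpreted load is recorded only in the patch description. A line such as `/* Spectre v1: keep this load from running speculatively past an unresolved bounds check */` above each call would explain it in place and make the sites easy to find if the mitigation is later replaced. Because the barrier runs on every load the interpreter executes whenever the feature bit is set, the description should also carry a measured cost. `___bpf_prog_run()` starts and ends outside these hunks.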
new file mode 100644 |
... | ... |
@@ -0,0 +1,111 @@ |
0 |
+From e3b71cad927d33b8e20c66bf07956f935c9c6eef Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Tue, 8 Aug 2017 12:06:58 +0300 |
|
3 |
+Subject: [PATCH 143/194] x86, bpf, jit: prevent speculative execution when JIT |
|
4 |
+ is enabled |
|
5 |
+ |
|
6 |
+When constant blinding is enabled (bpf_jit_harden = 1), this adds |
|
7 |
+an observable speculation barrier before emitting x86 jitted code |
|
8 |
+for the BPF_ALU(64)_OR_X and BPF_ALU_LHS_X |
|
9 |
+(for BPF_REG_AX register) eBPF instructions. This is needed in order |
|
10 |
+to prevent speculative execution on out of bounds BPF_MAP array |
|
11 |
+indexes when JIT is enabled. This way an arbitary kernel memory is |
|
12 |
+not exposed through side-channel attacks. |
|
13 |
+ |
|
14 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
+--- |
|
16 |
+ arch/x86/net/bpf_jit_comp.c | 28 +++++++++++++++++++++++++++- |
|
17 |
+ include/linux/filter.h | 9 +++++++++ |
|
18 |
+ 2 files changed, 36 insertions(+), 1 deletion(-) |
|
19 |
+ |
|
20 |
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c |
|
21 |
+index 0554e8a..f01480a 100644 |
|
22 |
+--- a/arch/x86/net/bpf_jit_comp.c |
|
23 |
+@@ -16,6 +16,7 @@ |
|
24 |
+ #include <linux/bpf.h> |
|
25 |
+ |
|
26 |
+ int bpf_jit_enable __read_mostly; |
|
27 |
++u8 bpf_jit_fence = 0; |
|
28 |
+ |
|
29 |
+ /* |
|
30 |
+ * assembly code in arch/x86/net/bpf_jit.S |
|
31 |
+@@ -109,6 +110,18 @@ static void bpf_flush_icache(void *start, void *end) |
|
32 |
+ set_fs(old_fs); |
|
33 |
+ } |
|
34 |
+ |
|
35 |
++static void emit_memory_barrier(u8 **pprog) |
|
36 |
++{ |
|
37 |
++ u8 *prog = *pprog; |
|
38 |
++ int cnt = 0; |
|
39 |
++ |
|
40 |
++ if (bpf_jit_fence) |
|
41 |
++ EMIT3(0x0f, 0xae, 0xe8); |
|
42 |
++ |
|
43 |
++ *pprog = prog; |
|
44 |
++ return; |
|
45 |
++} |
|
46 |
++ |
|
47 |
+ #define CHOOSE_LOAD_FUNC(K, func) \ |
|
48 |
+ ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset) |
|
49 |
+ |
|
50 |
+@@ -400,7 +413,7 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image, |
|
51 |
+ case BPF_ADD: b2 = 0x01; break; |
|
52 |
+ case BPF_SUB: b2 = 0x29; break; |
|
53 |
+ case BPF_AND: b2 = 0x21; break; |
|
54 |
+- case BPF_OR: b2 = 0x09; break; |
|
55 |
++ case BPF_OR: b2 = 0x09; emit_memory_barrier(&prog); break; |
|
56 |
+ case BPF_XOR: b2 = 0x31; break; |
|
57 |
+ } |
|
58 |
+ if (BPF_CLASS(insn->code) == BPF_ALU64) |
|
59 |
+@@ -647,6 +660,16 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image, |
|
60 |
+ case BPF_ALU64 | BPF_RSH | BPF_X: |
|
61 |
+ case BPF_ALU64 | BPF_ARSH | BPF_X: |
|
62 |
+ |
|
63 |
++ /* If blinding is enabled, each |
|
64 |
++ * BPF_LD | BPF_IMM | BPF_DW instruction |
|
65 |
++ * is converted to 4 eBPF instructions with |
|
66 |
++ * BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32) |
|
67 |
++ * always present(number 3). Detect such cases |
|
68 |
++ * and insert memory barriers. */ |
|
69 |
++ if ((BPF_CLASS(insn->code) == BPF_ALU64) |
|
70 |
++ && (BPF_OP(insn->code) == BPF_LSH) |
|
71 |
++ && (src_reg == BPF_REG_AX)) |
|
72 |
++ emit_memory_barrier(&prog); |
|
73 |
+ /* check for bad case when dst_reg == rcx */ |
|
74 |
+ if (dst_reg == BPF_REG_4) { |
|
75 |
+ /* mov r11, dst_reg */ |
|
76 |
+@@ -1124,6 +1147,9 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) |
|
77 |
+ if (!bpf_jit_enable) |
|
78 |
+ return orig_prog; |
|
79 |
+ |
|
80 |
++ if (bpf_jit_fence_present() && bpf_jit_blinding_enabled()) |
|
81 |
++ bpf_jit_fence = 1; |
|
82 |
++ |
|
83 |
+ tmp = bpf_jit_blind_constants(prog); |
|
84 |
+ /* If blinding was requested and we failed during blinding, |
|
85 |
+ * we must fall back to the interpreter. |
|
86 |
+diff --git a/include/linux/filter.h b/include/linux/filter.h |
|
87 |
+index 48ec57e..cba50a5 100644 |
|
88 |
+--- a/include/linux/filter.h |
|
89 |
+@@ -651,6 +651,16 @@ static inline bool bpf_jit_blinding_enabled(void) |
|
90 |
+ |
|
91 |
+ return true; |
|
92 |
+ } |
|
93 |
++ |
|
94 |
++static inline bool bpf_jit_fence_present(void) |
|
95 |
++{ |
|
96 |
++ /* Check if lfence is present on CPU |
|
97 |
++ */ |
|
98 |
++ if (boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) |
|
99 |
++ return true; |
|
100 |
++ return false; |
|
101 |
++} |
|
102 |
++ |
|
103 |
+ #else |
|
104 |
+ static inline void bpf_jit_compile(struct bpf_prog *fp) |
|
105 |
+ { |
|
106 |
+-- |
|
107 |
+2.9.5 |
|
108 |
+ |
0 | 109 |
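Review bot: JIT-compiled programs get no barrier unless constant blinding is on, because `bpf_jit_fence` is set in `bpf_int_jit_compile()` only when `bpf_jit_blinding_enabled()` is true and `emit_memory_barrier()` emits nothing otherwise. With blinding off, the JIT path therefore lacks the hardening that the interpreter patch adds. The flag is also a non-static global latched to 1 and never cleared, so it reflects whichever compile first enabled it rather than the program being compiled; making it `static` and documenting that dependency above the declaration would help. The opcode bytes deserve a comment, e.g. `EMIT3(0x0f, 0xae, 0xe8); /* lfence */`. `bpf_jit_fence_present()` tests an x86 feature bit from `include/linux/filter.h`, which looks like it would not build for a non-x86 JIT; `do_jit()` and `bpf_int_jit_compile()` both continue outside the hunks.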
new file mode 100644 |
... | ... |
@@ -0,0 +1,33 @@ |
0 |
+From 7dd7ad0b13eb99b650d92ea3b1a2ca170a567216 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 30 Aug 2017 13:41:27 +0300 |
|
3 |
+Subject: [PATCH 144/194] uvcvideo: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the index value in function uvc_ioctl_enum_input() |
|
6 |
+seems to be controllable by userspace and later on |
|
7 |
+conditionally (upon bound check) used to resolve |
|
8 |
+selector->baSourceID, insert an observable speculation |
|
9 |
+barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid |
|
11 |
+kernel memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ drivers/media/usb/uvc/uvc_v4l2.c | 1 + |
|
16 |
+ 1 file changed, 1 insertion(+) |
|
17 |
+ |
|
18 |
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c |
|
19 |
+index 3e7e283..65175bb 100644 |
|
20 |
+--- a/drivers/media/usb/uvc/uvc_v4l2.c |
|
21 |
+@@ -821,6 +821,7 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh, |
|
22 |
+ } |
|
23 |
+ pin = iterm->id; |
|
24 |
+ } else if (index < selector->bNrInPins) { |
|
25 |
++ osb(); |
|
26 |
+ pin = selector->baSourceID[index]; |
|
27 |
+ list_for_each_entry(iterm, &chain->entities, chain) { |
|
28 |
+ if (!UVC_ENTITY_IS_ITERM(iterm)) |
|
29 |
+-- |
|
30 |
+2.9.5 |
|
31 |
+ |
0 | 32 |
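Review bot: The added `osb();` after `index < selector->bNrInPins` carries no comment, and the patch description only says the index "seems to be" controllable by userspace, so a later reader cannot tell from the code why the barrier is there or whether the source of the index was confirmed. I would add `/* Spectre v1: no speculative baSourceID[index] read before the bounds check resolves */` above the call and state in the description whether the index was actually traced to the ioctl argument. The same applies to the `osb();` calls added in the carl9170, p54, qla2xxx, cw1200 and int340x thermal patches below, each of which guards an array access with the same uncommented pattern. `uvc_ioctl_enum_input()` starts and ends outside the hunk.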
new file mode 100644 |
... | ... |
@@ -0,0 +1,33 @@ |
0 |
+From 9c2549c6adcafe2c2f35d44dc87ec23cc52a68b2 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 30 Aug 2017 13:43:39 +0300 |
|
3 |
+Subject: [PATCH 145/194] carl9170: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the queue value in function carl9170_op_conf_tx() |
|
6 |
+seems to be controllable by userspace and later on |
|
7 |
+conditionally (upon bound check) used to resolve |
|
8 |
+ar9170_qmap and following ar->edcf, insert an observable |
|
9 |
+speculation barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid |
|
11 |
+kernel memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ drivers/net/wireless/ath/carl9170/main.c | 1 + |
|
16 |
+ 1 file changed, 1 insertion(+) |
|
17 |
+ |
|
18 |
+diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c |
|
19 |
+index 988c885..cf267b7 100644 |
|
20 |
+--- a/drivers/net/wireless/ath/carl9170/main.c |
|
21 |
+@@ -1388,6 +1388,7 @@ static int carl9170_op_conf_tx(struct ieee80211_hw *hw, |
|
22 |
+ |
|
23 |
+ mutex_lock(&ar->mutex); |
|
24 |
+ if (queue < ar->hw->queues) { |
|
25 |
++ osb(); |
|
26 |
+ memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param)); |
|
27 |
+ ret = carl9170_set_qos(ar); |
|
28 |
+ } else { |
|
29 |
+-- |
|
30 |
+2.9.5 |
|
31 |
+ |
0 | 32 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,33 @@ |
0 |
+From 07f7bcf24d303ec6d91d7da809f3b6e6760f8301 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 30 Aug 2017 13:44:38 +0300 |
|
3 |
+Subject: [PATCH 146/194] p54: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the queue value in function p54_conf_tx() |
|
6 |
+seems to be controllable by userspace and later on |
|
7 |
+conditionally (upon bound check) used to resolve |
|
8 |
+priv->qos_params, insert an observable speculation |
|
9 |
+barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid |
|
11 |
+kernel memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ drivers/net/wireless/intersil/p54/main.c | 1 + |
|
16 |
+ 1 file changed, 1 insertion(+) |
|
17 |
+ |
|
18 |
+diff --git a/drivers/net/wireless/intersil/p54/main.c b/drivers/net/wireless/intersil/p54/main.c |
|
19 |
+index d5a3bf9..3d20b47 100644 |
|
20 |
+--- a/drivers/net/wireless/intersil/p54/main.c |
|
21 |
+@@ -415,6 +415,7 @@ static int p54_conf_tx(struct ieee80211_hw *dev, |
|
22 |
+ |
|
23 |
+ mutex_lock(&priv->conf_mutex); |
|
24 |
+ if (queue < dev->queues) { |
|
25 |
++ osb(); |
|
26 |
+ P54_SET_QUEUE(priv->qos_params[queue], params->aifs, |
|
27 |
+ params->cw_min, params->cw_max, params->txop); |
|
28 |
+ ret = p54_set_edcf(priv); |
|
29 |
+-- |
|
30 |
+2.9.5 |
|
31 |
+ |
0 | 32 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,55 @@ |
0 |
+From f7de96128d46f9d9ecad5c1ded3133e2da25f39c Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 30 Aug 2017 13:45:35 +0300 |
|
3 |
+Subject: [PATCH 147/194] qla2xxx: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the handle value in functions qlafx00_status_entry() |
|
6 |
+and qlafx00_multistatus_entry() seems to be controllable |
|
7 |
+by userspace and later on conditionally (upon bound check) |
|
8 |
+used to resolve req->outstanding_cmds, insert an observable |
|
9 |
+speculation barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid kernel |
|
11 |
+memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ drivers/scsi/qla2xxx/qla_mr.c | 12 ++++++++---- |
|
16 |
+ 1 file changed, 8 insertions(+), 4 deletions(-) |
|
17 |
+ |
|
18 |
+diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c |
|
19 |
+index e23a3d4..9090283 100644 |
|
20 |
+--- a/drivers/scsi/qla2xxx/qla_mr.c |
|
21 |
+@@ -2305,10 +2305,12 @@ qlafx00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt) |
|
22 |
+ req = ha->req_q_map[que]; |
|
23 |
+ |
|
24 |
+ /* Validate handle. */ |
|
25 |
+- if (handle < req->num_outstanding_cmds) |
|
26 |
++ if (handle < req->num_outstanding_cmds) { |
|
27 |
++ osb(); |
|
28 |
+ sp = req->outstanding_cmds[handle]; |
|
29 |
+- else |
|
30 |
++ } else { |
|
31 |
+ sp = NULL; |
|
32 |
++ } |
|
33 |
+ |
|
34 |
+ if (sp == NULL) { |
|
35 |
+ ql_dbg(ql_dbg_io, vha, 0x3034, |
|
36 |
+@@ -2656,10 +2658,12 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha, |
|
37 |
+ req = ha->req_q_map[que]; |
|
38 |
+ |
|
39 |
+ /* Validate handle. */ |
|
40 |
+- if (handle < req->num_outstanding_cmds) |
|
41 |
++ if (handle < req->num_outstanding_cmds) { |
|
42 |
++ osb(); |
|
43 |
+ sp = req->outstanding_cmds[handle]; |
|
44 |
+- else |
|
45 |
++ } else { |
|
46 |
+ sp = NULL; |
|
47 |
++ } |
|
48 |
+ |
|
49 |
+ if (sp == NULL) { |
|
50 |
+ ql_dbg(ql_dbg_io, vha, 0x3044, |
|
51 |
+-- |
|
52 |
+2.9.5 |
|
53 |
+ |
0 | 54 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,33 @@ |
0 |
+From 9a0dc9abad09792c93d099d5e92af5788c224791 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 30 Aug 2017 13:46:21 +0300 |
|
3 |
+Subject: [PATCH 148/194] cw1200: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the queue value in function cw1200_conf_tx() |
|
6 |
+seems to be controllable by userspace and later on |
|
7 |
+conditionally (upon bound check) used in |
|
8 |
+WSM_TX_QUEUE_SET, insert an observable speculation |
|
9 |
+barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid |
|
11 |
+kernel memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ drivers/net/wireless/st/cw1200/sta.c | 1 + |
|
16 |
+ 1 file changed, 1 insertion(+) |
|
17 |
+ |
|
18 |
+diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c |
|
19 |
+index a522248..754fc43 100644 |
|
20 |
+--- a/drivers/net/wireless/st/cw1200/sta.c |
|
21 |
+@@ -619,6 +619,7 @@ int cw1200_conf_tx(struct ieee80211_hw *dev, struct ieee80211_vif *vif, |
|
22 |
+ mutex_lock(&priv->conf_mutex); |
|
23 |
+ |
|
24 |
+ if (queue < dev->queues) { |
|
25 |
++ osb(); |
|
26 |
+ old_uapsd_flags = le16_to_cpu(priv->uapsd_info.uapsd_flags); |
|
27 |
+ |
|
28 |
+ WSM_TX_QUEUE_SET(&priv->tx_queue_params, queue, 0, 0, 0); |
|
29 |
+-- |
|
30 |
+2.9.5 |
|
31 |
+ |
0 | 32 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,47 @@ |
0 |
+From d9542e2d9b4b1e4649f0c1ea13a1b5dcfc1e2674 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 30 Aug 2017 13:47:12 +0300 |
|
3 |
+Subject: [PATCH 149/194] Thermal/int340x: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the trip value in function int340x_thermal_get_trip_temp() |
|
6 |
+seems to be controllable by userspace and later on |
|
7 |
+conditionally (upon bound check) used to resolve |
|
8 |
+d->aux_trips, insert an observable speculation |
|
9 |
+barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid |
|
11 |
+kernel memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ drivers/thermal/int340x_thermal/int340x_thermal_zone.c | 11 ++++++----- |
|
16 |
+ 1 file changed, 6 insertions(+), 5 deletions(-) |
|
17 |
+ |
|
18 |
+diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c |
|
19 |
+index 145a5c53..d732b34 100644 |
|
20 |
+--- a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c |
|
21 |
+@@ -57,15 +57,16 @@ static int int340x_thermal_get_trip_temp(struct thermal_zone_device *zone, |
|
22 |
+ if (d->override_ops && d->override_ops->get_trip_temp) |
|
23 |
+ return d->override_ops->get_trip_temp(zone, trip, temp); |
|
24 |
+ |
|
25 |
+- if (trip < d->aux_trip_nr) |
|
26 |
++ if (trip < d->aux_trip_nr) { |
|
27 |
++ osb(); |
|
28 |
+ *temp = d->aux_trips[trip]; |
|
29 |
+- else if (trip == d->crt_trip_id) |
|
30 |
++ } else if (trip == d->crt_trip_id) { |
|
31 |
+ *temp = d->crt_temp; |
|
32 |
+- else if (trip == d->psv_trip_id) |
|
33 |
++ } else if (trip == d->psv_trip_id) { |
|
34 |
+ *temp = d->psv_temp; |
|
35 |
+- else if (trip == d->hot_trip_id) |
|
36 |
++ } else if (trip == d->hot_trip_id) { |
|
37 |
+ *temp = d->hot_temp; |
|
38 |
+- else { |
|
39 |
++ } else { |
|
40 |
+ for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; i++) { |
|
41 |
+ if (d->act_trips[i].valid && |
|
42 |
+ d->act_trips[i].id == trip) { |
|
43 |
+-- |
|
44 |
+2.9.5 |
|
45 |
+ |
0 | 46 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,33 @@ |
0 |
+From 9515f43ddd006464308b2796b63b7d6446d922b8 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 13 Dec 2017 10:16:07 +0200 |
|
3 |
+Subject: [PATCH 150/194] ipv4: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the offset value in function raw_getfrag() |
|
6 |
+seems to be controllable by userspace and later on |
|
7 |
+conditionally (upon bound check) used in the following |
|
8 |
+memcpy, insert an observable speculation |
|
9 |
+barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid |
|
11 |
+kernel memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ net/ipv4/raw.c | 1 + |
|
16 |
+ 1 file changed, 1 insertion(+) |
|
17 |
+ |
|
18 |
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c |
|
19 |
+index 33b70bf..c9d33f1 100644 |
|
20 |
+--- a/net/ipv4/raw.c |
|
21 |
+@@ -476,6 +476,7 @@ static int raw_getfrag(void *from, char *to, int offset, int len, int odd, |
|
22 |
+ if (offset < rfv->hlen) { |
|
23 |
+ int copy = min(rfv->hlen - offset, len); |
|
24 |
+ |
|
25 |
++ osb(); |
|
26 |
+ if (skb->ip_summed == CHECKSUM_PARTIAL) |
|
27 |
+ memcpy(to, rfv->hdr.c + offset, copy); |
|
28 |
+ else |
|
29 |
+-- |
|
30 |
+2.9.5 |
|
31 |
+ |
0 | 32 |
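Review bot: In raw_getfrag() the fenced value `offset` is a signed `int` per the signature in the hunk header, and the visible check `offset < rfv->hlen` bounds it only from above. If `rfv->hlen` is also signed (its declaration is not in the hunk), a negative `offset` takes this branch architecturally, so `osb()` adds nothing for that case. It is worth confirming that callers never pass a negative offset and, once confirmed, recording it next to the barrier, e.g. `/* offset >= 0 guaranteed by caller; osb() covers the upper bound only */`. The ipv6 patch that follows has the identical pattern in raw6_getfrag(), and m_start() in the userns patch compares a `loff_t pos` against `map->nr_extents` the same way. The function body starts and ends outside the hunk.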
new file mode 100644 |
... | ... |
@@ -0,0 +1,33 @@ |
0 |
+From 1ce83a2cfe57cec87a22e69b726e9547b4d830f8 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 30 Aug 2017 13:48:35 +0300 |
|
3 |
+Subject: [PATCH 151/194] ipv6: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the offset value in function raw6_getfrag() |
|
6 |
+seems to be controllable by userspace and later on |
|
7 |
+conditionally (upon bound check) used in the |
|
8 |
+following memcpy, insert an observable speculation |
|
9 |
+barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid |
|
11 |
+kernel memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ net/ipv6/raw.c | 1 + |
|
16 |
+ 1 file changed, 1 insertion(+) |
|
17 |
+ |
|
18 |
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c |
|
19 |
+index e4462b0..8794d92 100644 |
|
20 |
+--- a/net/ipv6/raw.c |
|
21 |
+@@ -729,6 +729,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd, |
|
22 |
+ if (offset < rfv->hlen) { |
|
23 |
+ int copy = min(rfv->hlen - offset, len); |
|
24 |
+ |
|
25 |
++ osb(); |
|
26 |
+ if (skb->ip_summed == CHECKSUM_PARTIAL) |
|
27 |
+ memcpy(to, rfv->c + offset, copy); |
|
28 |
+ else |
|
29 |
+-- |
|
30 |
+2.9.5 |
|
31 |
+ |
0 | 32 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,37 @@ |
0 |
+From d7ca466502c0427749f64a6bdb47d96f848bf72d Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 30 Aug 2017 13:52:22 +0300 |
|
3 |
+Subject: [PATCH 152/194] fs: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the fd value in function __fcheck_files() |
|
6 |
+seems to be controllable by userspace and later on |
|
7 |
+conditionally (upon bound check) used to resolve |
|
8 |
+fdt->fd, insert an observable speculation |
|
9 |
+barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid |
|
11 |
+kernel memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ include/linux/fdtable.h | 4 +++- |
|
16 |
+ 1 file changed, 3 insertions(+), 1 deletion(-) |
|
17 |
+ |
|
18 |
+diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h |
|
19 |
+index 1c65817..dbc1200 100644 |
|
20 |
+--- a/include/linux/fdtable.h |
|
21 |
+@@ -82,8 +82,10 @@ static inline struct file *__fcheck_files(struct files_struct *files, unsigned i |
|
22 |
+ { |
|
23 |
+ struct fdtable *fdt = rcu_dereference_raw(files->fdt); |
|
24 |
+ |
|
25 |
+- if (fd < fdt->max_fds) |
|
26 |
++ if (fd < fdt->max_fds) { |
|
27 |
++ osb(); |
|
28 |
+ return rcu_dereference_raw(fdt->fd[fd]); |
|
29 |
++ } |
|
30 |
+ return NULL; |
|
31 |
+ } |
|
32 |
+ |
|
33 |
+-- |
|
34 |
+2.9.5 |
|
35 |
+ |
0 | 36 |
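Review bot: `__fcheck_files()` is a `static inline` in include/linux/fdtable.h, so the `osb();` added after `fd < fdt->max_fds` is paid at every call site that looks up a descriptor. If osb() expands to a serializing fence (its definition is in another patch of the series, not in this section), that is a real cost on a hot path, and clamping the index avoids the fence. Mainline handles this function with `fd = array_index_nospec(fd, fdt->max_fds);` before the `fdt->fd[fd]` load, which would be the preferable form here if that helper is available in, or can be backported to, this tree. The mpls patch below has the same trade-off for `platform_label[index]` in mpls_route_input_rcu().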
new file mode 100644 |
... | ... |
@@ -0,0 +1,34 @@ |
0 |
+From 3e9a34c67e5376bedd9e79e6a7e16b01a01c8215 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 30 Aug 2017 13:55:54 +0300 |
|
3 |
+Subject: [PATCH 153/194] net: mpls: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the index value in function mpls_route_input_rcu() |
|
6 |
+seems to be controllable by userspace and later on |
|
7 |
+conditionally (upon bound check) used to resolve |
|
8 |
+platform_label, insert an observable speculation |
|
9 |
+barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid |
|
11 |
+kernel memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ net/mpls/af_mpls.c | 2 ++ |
|
16 |
+ 1 file changed, 2 insertions(+) |
|
17 |
+ |
|
18 |
+diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c |
|
19 |
+index c5b9ce4..3bdf8d8 100644 |
|
20 |
+--- a/net/mpls/af_mpls.c |
|
21 |
+@@ -50,6 +50,8 @@ static struct mpls_route *mpls_route_input_rcu(struct net *net, unsigned index) |
|
22 |
+ if (index < net->mpls.platform_labels) { |
|
23 |
+ struct mpls_route __rcu **platform_label = |
|
24 |
+ rcu_dereference(net->mpls.platform_label); |
|
25 |
++ |
|
26 |
++ osb(); |
|
27 |
+ rt = rcu_dereference(platform_label[index]); |
|
28 |
+ } |
|
29 |
+ return rt; |
|
30 |
+-- |
|
31 |
+2.9.5 |
|
32 |
+ |
0 | 33 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,52 @@ |
0 |
+From bbb72371d2212fe0526f1ae679d5d55fe51bd909 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
2 |
+Date: Wed, 13 Dec 2017 10:15:30 +0200 |
|
3 |
+Subject: [PATCH 154/194] udf: prevent speculative execution |
|
4 |
+ |
|
5 |
+Since the eahd->appAttrLocation value in function |
|
6 |
+udf_add_extendedattr() seems to be controllable by |
|
7 |
+userspace and later on conditionally (upon bound check) |
|
8 |
+used in following memmove, insert an observable speculation |
|
9 |
+barrier before its usage. This should prevent |
|
10 |
+observable speculation on that branch and avoid |
|
11 |
+kernel memory leak. |
|
12 |
+ |
|
13 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
14 |
+--- |
|
15 |
+ fs/udf/misc.c | 6 ++++++ |
|
16 |
+ 1 file changed, 6 insertions(+) |
|
17 |
+ |
|
18 |
+diff --git a/fs/udf/misc.c b/fs/udf/misc.c |
|
19 |
+index 3949c4b..c826ccc 100644 |
|
20 |
+--- a/fs/udf/misc.c |
|
21 |
+@@ -104,6 +104,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size, |
|
22 |
+ iinfo->i_lenEAttr) { |
|
23 |
+ uint32_t aal = |
|
24 |
+ le32_to_cpu(eahd->appAttrLocation); |
|
25 |
++ |
|
26 |
++ osb(); |
|
27 |
+ memmove(&ea[offset - aal + size], |
|
28 |
+ &ea[aal], offset - aal); |
|
29 |
+ offset -= aal; |
|
30 |
+@@ -114,6 +116,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size, |
|
31 |
+ iinfo->i_lenEAttr) { |
|
32 |
+ uint32_t ial = |
|
33 |
+ le32_to_cpu(eahd->impAttrLocation); |
|
34 |
++ |
|
35 |
++ osb(); |
|
36 |
+ memmove(&ea[offset - ial + size], |
|
37 |
+ &ea[ial], offset - ial); |
|
38 |
+ offset -= ial; |
|
39 |
+@@ -125,6 +129,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size, |
|
40 |
+ iinfo->i_lenEAttr) { |
|
41 |
+ uint32_t aal = |
|
42 |
+ le32_to_cpu(eahd->appAttrLocation); |
|
43 |
++ |
|
44 |
++ osb(); |
|
45 |
+ memmove(&ea[offset - aal + size], |
|
46 |
+ &ea[aal], offset - aal); |
|
47 |
+ offset -= aal; |
|
48 |
+-- |
|
49 |
+2.9.5 |
|
50 |
+ |
0 | 51 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,39 @@ |
0 |
+From 616abca9e7f1add8e8f26cf6d33992b76412bcec Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Tim Chen <tim.c.chen@linux.intel.com> |
|
2 |
+Date: Fri, 15 Dec 2017 02:29:09 -0800 |
|
3 |
+Subject: [PATCH 155/194] userns: prevent speculative execution |
|
4 |
+ |
|
5 |
+From: Elena Reshetova <elena.reshetova@intel.com> |
|
6 |
+ |
|
7 |
+Since the pos value in function m_start() |
|
8 |
+seems to be controllable by userspace and later on |
|
9 |
+conditionally (upon bound check) used to resolve |
|
10 |
+map->extent, insert an observable speculation |
|
11 |
+barrier before its usage. This should prevent |
|
12 |
+observable speculation on that branch and avoid |
|
13 |
+kernel memory leak. |
|
14 |
+ |
|
15 |
+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
16 |
+--- |
|
17 |
+ kernel/user_namespace.c | 4 +++- |
|
18 |
+ 1 file changed, 3 insertions(+), 1 deletion(-) |
|
19 |
+ |
|
20 |
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c |
|
21 |
+index c490f1e..2240f36 100644 |
|
22 |
+--- a/kernel/user_namespace.c |
|
23 |
+@@ -543,8 +543,10 @@ static void *m_start(struct seq_file *seq, loff_t *ppos, |
|
24 |
+ struct uid_gid_extent *extent = NULL; |
|
25 |
+ loff_t pos = *ppos; |
|
26 |
+ |
|
27 |
+- if (pos < map->nr_extents) |
|
28 |
++ if (pos < map->nr_extents) { |
|
29 |
++ osb(); |
|
30 |
+ extent = &map->extent[pos]; |
|
31 |
++ } |
|
32 |
+ |
|
33 |
+ return extent; |
|
34 |
+ } |
|
35 |
+-- |
|
36 |
+2.9.5 |
|
37 |
+ |
0 | 38 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,94 @@ |
0 |
+From 632c8d1eaacb69fb0e8ed5c6d8e19e4f69a17554 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Tim Chen <tim.c.chen@linux.intel.com> |
|
2 |
+Date: Tue, 19 Sep 2017 15:21:40 -0700 |
|
3 |
+Subject: [PATCH 169/194] x86/syscall: Clear unused extra registers on syscall |
|
4 |
+ entrance |
|
5 |
+ |
|
6 |
+To prevent the unused registers %r12-%r15, %rbp and %rbx from |
|
7 |
+being used speculatively, we clear them upon syscall entrance |
|
8 |
+for code hygiene. |
|
9 |
+--- |
|
10 |
+ arch/x86/entry/calling.h | 19 +++++++++++++++++++ |
|
11 |
+ arch/x86/entry/entry_64.S | 13 ++++++++++--- |
|
12 |
+ 2 files changed, 29 insertions(+), 3 deletions(-) |
|
13 |
+ |
|
14 |
+diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h |
|
15 |
+index 393a5bf..dba5ff7 100644 |
|
16 |
+--- a/arch/x86/entry/calling.h |
|
17 |
+@@ -156,6 +156,25 @@ For 32-bit we have the following conventions - kernel is built with |
|
18 |
+ popq %rbx |
|
19 |
+ .endm |
|
20 |
+ |
|
21 |
++ .macro RESTORE_EXTRA_REGS offset=0 |
|
22 |
++ movq 0*8+\offset(%rsp), %r15 |
|
23 |
++ movq 1*8+\offset(%rsp), %r14 |
|
24 |
++ movq 2*8+\offset(%rsp), %r13 |
|
25 |
++ movq 3*8+\offset(%rsp), %r12 |
|
26 |
++ movq 4*8+\offset(%rsp), %rbp |
|
27 |
++ movq 5*8+\offset(%rsp), %rbx |
|
28 |
++ UNWIND_HINT_REGS offset=\offset extra=0 |
|
29 |
++ .endm |
|
30 |
++ |
|
31 |
++ .macro CLEAR_EXTRA_REGS |
|
32 |
++ xorq %r15, %r15 |
|
33 |
++ xorq %r14, %r14 |
|
34 |
++ xorq %r13, %r13 |
|
35 |
++ xorq %r12, %r12 |
|
36 |
++ xorq %rbp, %rbp |
|
37 |
++ xorq %rbx, %rbx |
|
38 |
++ .endm |
|
39 |
++ |
|
40 |
+ .macro POP_C_REGS |
|
41 |
+ popq %r11 |
|
42 |
+ popq %r10 |
|
43 |
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S |
|
44 |
+index e58a78f..f65060a 100644 |
|
45 |
+--- a/arch/x86/entry/entry_64.S |
|
46 |
+@@ -235,9 +235,16 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) |
|
47 |
+ pushq %r9 /* pt_regs->r9 */ |
|
48 |
+ pushq %r10 /* pt_regs->r10 */ |
|
49 |
+ pushq %r11 /* pt_regs->r11 */ |
|
50 |
+- sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */ |
|
51 |
++ sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not used */ |
|
52 |
+ UNWIND_HINT_REGS extra=0 |
|
53 |
+ |
|
54 |
++ /* |
|
55 |
++ * Clear the unused extra regs for code hygiene. |
|
56 |
++ * Will restore the callee saved extra regs at end of syscall. |
|
57 |
++ */ |
|
58 |
++ SAVE_EXTRA_REGS |
|
59 |
++ CLEAR_EXTRA_REGS |
|
60 |
++ |
|
61 |
+ TRACE_IRQS_OFF |
|
62 |
+ |
|
63 |
+ STUFF_RSB |
|
64 |
+@@ -290,7 +297,9 @@ entry_SYSCALL_64_fastpath: |
|
65 |
+ TRACE_IRQS_ON /* user mode is traced as IRQs on */ |
|
66 |
+ movq RIP(%rsp), %rcx |
|
67 |
+ movq EFLAGS(%rsp), %r11 |
|
68 |
++ RESTORE_EXTRA_REGS |
|
69 |
+ addq $6*8, %rsp /* skip extra regs -- they were preserved */ |
|
70 |
++ |
|
71 |
+ UNWIND_HINT_EMPTY |
|
72 |
+ jmp .Lpop_c_regs_except_rcx_r11_and_sysret |
|
73 |
+ |
|
74 |
+@@ -302,14 +311,12 @@ entry_SYSCALL_64_fastpath: |
|
75 |
+ */ |
|
76 |
+ TRACE_IRQS_ON |
|
77 |
+ ENABLE_INTERRUPTS(CLBR_ANY) |
|
78 |
+- SAVE_EXTRA_REGS |
|
79 |
+ movq %rsp, %rdi |
|
80 |
+ call syscall_return_slowpath /* returns with IRQs disabled */ |
|
81 |
+ jmp return_from_SYSCALL_64 |
|
82 |
+ |
|
83 |
+ entry_SYSCALL64_slow_path: |
|
84 |
+ /* IRQs are off. */ |
|
85 |
+- SAVE_EXTRA_REGS |
|
86 |
+ movq %rsp, %rdi |
|
87 |
+ call do_syscall_64 /* returns with IRQs disabled */ |
|
88 |
+ |
|
89 |
+-- |
|
90 |
+2.9.5 |
|
91 |
+ |
0 | 92 |
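Review bot: Two comments in the entry_64.S hunks no longer match the code. The `sub $(6*8), %rsp` line is relabelled `bp, bx, r12-15 not used`, yet the added SAVE_EXTRA_REGS right below it appears, going by the matching RESTORE_EXTRA_REGS offsets, to store into exactly those pt_regs slots; and on the fast-path return `addq $6*8, %rsp` keeps `skip extra regs -- they were preserved` although the registers are now zeroed at entry and reloaded by the added RESTORE_EXTRA_REGS. Suggested wording: `/* reserve pt_regs->bp, bx, r12-15; filled by SAVE_EXTRA_REGS below */` and `/* drop extra-regs slots, already reloaded above */`. The new block comment promises a restore at end of syscall, but only the fast-path reload is visible; the exit path behind `return_from_SYSCALL_64` lies outside these hunks and should be checked for the same reload. This embedded patch also has no Signed-off-by line, unlike the other patches on the page.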
new file mode 100644 |
... | ... |
@@ -0,0 +1,91 @@ |
0 |
+From 2c536e1e9227a94ce8f3fb8e52591a1c4b9e3975 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Tim Chen <tim.c.chen@linux.intel.com> |
|
2 |
+Date: Fri, 15 Sep 2017 19:41:24 -0700 |
|
3 |
+Subject: [PATCH 170/194] x86/syscall: Clear unused extra registers on 32-bit |
|
4 |
+ compatible syscall entrance |
|
5 |
+ |
|
6 |
+To prevent the unused registers %r8-%r15, from being used speculatively, |
|
7 |
+we clear them upon syscall entrance for code hygiene in 32 bit compatible |
|
8 |
+mode. |
|
9 |
+ |
|
10 |
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> |
|
11 |
+--- |
|
12 |
+ arch/x86/entry/calling.h | 11 +++++++++++ |
|
13 |
+ arch/x86/entry/entry_64_compat.S | 18 ++++++++++++++---- |
|
14 |
+ 2 files changed, 25 insertions(+), 4 deletions(-) |
|
15 |
+ |
|
16 |
+diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h |
|
17 |
+index dba5ff7..b4c6842 100644 |
|
18 |
+--- a/arch/x86/entry/calling.h |
|
19 |
+@@ -156,6 +156,17 @@ For 32-bit we have the following conventions - kernel is built with |
|
20 |
+ popq %rbx |
|
21 |
+ .endm |
|
22 |
+ |
|
23 |
++ .macro CLEAR_R8_TO_R15 |
|
24 |
++ xorq %r15, %r15 |
|
25 |
++ xorq %r14, %r14 |
|
26 |
++ xorq %r13, %r13 |
|
27 |
++ xorq %r12, %r12 |
|
28 |
++ xorq %r11, %r11 |
|
29 |
++ xorq %r10, %r10 |
|
30 |
++ xorq %r9, %r9 |
|
31 |
++ xorq %r8, %r8 |
|
32 |
++ .endm |
|
33 |
++ |
|
34 |
+ .macro RESTORE_EXTRA_REGS offset=0 |
|
35 |
+ movq 0*8+\offset(%rsp), %r15 |
|
36 |
+ movq 1*8+\offset(%rsp), %r14 |
|
37 |
+diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S |
|
38 |
+index 574b599..7951358 100644 |
|
39 |
+--- a/arch/x86/entry/entry_64_compat.S |
|
40 |
+@@ -100,6 +100,8 @@ ENTRY(entry_SYSENTER_compat) |
|
41 |
+ |
|
42 |
+ STUFF_RSB |
|
43 |
+ |
|
44 |
++ CLEAR_R8_TO_R15 |
|
45 |
++ |
|
46 |
+ /* |
|
47 |
+ * SYSENTER doesn't filter flags, so we need to clear NT and AC |
|
48 |
+ * ourselves. To save a few cycles, we can check whether |
|
49 |
+@@ -218,10 +220,12 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe) |
|
50 |
+ pushq $0 /* pt_regs->r11 = 0 */ |
|
51 |
+ pushq %rbx /* pt_regs->rbx */ |
|
52 |
+ pushq %rbp /* pt_regs->rbp (will be overwritten) */ |
|
53 |
+- pushq $0 /* pt_regs->r12 = 0 */ |
|
54 |
+- pushq $0 /* pt_regs->r13 = 0 */ |
|
55 |
+- pushq $0 /* pt_regs->r14 = 0 */ |
|
56 |
+- pushq $0 /* pt_regs->r15 = 0 */ |
|
57 |
++ pushq %r12 /* pt_regs->r12 */ |
|
58 |
++ pushq %r13 /* pt_regs->r13 */ |
|
59 |
++ pushq %r14 /* pt_regs->r14 */ |
|
60 |
++ pushq %r15 /* pt_regs->r15 */ |
|
61 |
++ |
|
62 |
++ CLEAR_R8_TO_R15 |
|
63 |
+ |
|
64 |
+ /* |
|
65 |
+ * We just saved %rdi so it is safe to clobber. It is not |
|
66 |
+@@ -247,6 +251,10 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe) |
|
67 |
+ sysret32_from_system_call: |
|
68 |
+ TRACE_IRQS_ON /* User mode traces as IRQs on. */ |
|
69 |
+ DISABLE_IBRS_CLOBBER |
|
70 |
++ movq R15(%rsp), %r15 /* pt_regs->r15 */ |
|
71 |
++ movq R14(%rsp), %r14 /* pt_regs->r14 */ |
|
72 |
++ movq R13(%rsp), %r13 /* pt_regs->r13 */ |
|
73 |
++ movq R12(%rsp), %r12 /* pt_regs->r12 */ |
|
74 |
+ movq RBX(%rsp), %rbx /* pt_regs->rbx */ |
|
75 |
+ movq RBP(%rsp), %rbp /* pt_regs->rbp */ |
|
76 |
+ movq EFLAGS(%rsp), %r11 /* pt_regs->flags (in r11) */ |
|
77 |
+@@ -359,6 +367,8 @@ ENTRY(entry_INT80_compat) |
|
78 |
+ |
|
79 |
+ STUFF_RSB |
|
80 |
+ |
|
81 |
++ CLEAR_R8_TO_R15 |
|
82 |
++ |
|
83 |
+ /* |
|
84 |
+ * User mode is traced as though IRQs are on, and the interrupt |
|
85 |
+ * gate turned them off. |
|
86 |
+-- |
|
87 |
+2.9.5 |
|
88 |
+ |