Message ID | 182dabb3ee807633a0a11e8bbac93a64d111fdd3.1530194947.git.juergh@canonical.com |
---|---|
State | New |
Series | [SRU,Trusty,PULL] Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181) |

ping.

On 06/28/2018 04:40 PM, Juerg Haefliger wrote:
> BugLink: https://bugs.launchpad.net/bugs/1774181
>
> Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre
> v1 mitigation. Add the missing patches and merge them with Ubuntu's current
> implementation.
>
> == SRU Justification ==
> Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset
> which introduced a barrier macro to prevent speculation beyond array boundaries
> for user controlled indices. What eventually landed in upstream is slightly
> different and uses a barrier macro in combination with a masking solution (plus
> syscall table and user pointer sanitation). During the updates to newer stable
> upstream versions, all those patches were skipped. After reviewing them, we
> want to bring them back and merge them with the current implementation which
> brings us back in sync with upstream stable.
>
> == Fix ==
> Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131.
> Where appropriate, replace Ubuntu's additional barriers with the masking macro.
>
> == Regression Potential ==
> Low. The patches have been in upstream for quite a while now and we keep the
> speculation barriers that are currently in Ubuntu but not in upstream.
>
> == Test Case ==
> TBD.
>
> Compile-tested all supported architectures.

1) It seems like your final patch "UBUNTU: SAUCE: filter: Use barrier_nospec() instead of osb()" should actually be part of the patch just before it, as part of the refactor?

2) This is probably a stupid question, but why do some osb() calls stay as they are (only get renamed) while others become a call to array_index_nospec() ?

3) Regarding your "needed?" comments, presumably, anywhere osb() was being called before will still need a barrier - so why do you think they would NOT be needed? (Where did that set of 'speculatively-accessed arrays originally come from anyway? I don't see barriers in these locations in mainline or stable)

4) (minor) should the cherry-pick/backport SHAs mention that they're from linux-stable ?

On 2018-06-28 16:40:50 , Juerg Haefliger wrote:
> BugLink: https://bugs.launchpad.net/bugs/1774181
>
> Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre
> v1 mitigation. Add the missing patches and merge them with Ubuntu's current
> implementation.
>
> == SRU Justification ==
> Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset
> which introduced a barrier macro to prevent speculation beyond array boundaries
> for user controlled indices. What eventually landed in upstream is slightly
> different and uses a barrier macro in combination with a masking solution (plus
> syscall table and user pointer sanitation). During the updates to newer stable
> upstream versions, all those patches were skipped. After reviewing them, we
> want to bring them back and merge them with the current implementation which
> brings us back in sync with upstream stable.
>
> == Fix ==
> Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131.
> Where appropriate, replace Ubuntu's additional barriers with the masking macro.
>
> == Regression Potential ==
> Low. The patches have been in upstream for quite a while now and we keep the
> speculation barriers that are currently in Ubuntu but not in upstream.

On 07/24/2018 06:54 AM, Khaled Elmously wrote:
> 1) It seems like your final patch "UBUNTU: SAUCE: filter: Use barrier_nospec() instead of osb()" should actually be part of the patch just before it, as part of the refactor?

Yes, the two could be squashed together. At the time I thought the logical separation made sense but I do realize that it breaks bisection. I have no issues with merging the two.

> 2) This is probably a stupid question, but why do some osb() calls stay as they are (only get renamed) while others become a call to array_index_nospec() ?

array_index_nospec is a macro that upstream introduced to specifically prevent speculation beyond array boundaries (presumably with less overhead than osb calls). So wherever arrays are involved we use the macro and osb in all the other places.

> 3) Regarding your "needed?" comments, presumably, anywhere osb() was being called before will still need a barrier - so why do you think they would NOT be needed? (Where did that set of 'speculatively-accessed arrays originally come from anyway? I don't see barriers in these locations in mainline or stable)

What we pulled into Ubuntu was a series of embargoed patches but what finally landed in upstream (and what this patch series is trying to get us towards) is different. The embargoed patches added osb calls in places where upstream didn't add them, that's why you don't see them in mainline. There was some lengthy discussion about whether those are actually needed or not and it looks like the original patch author finally gave up (or was convinced) so they got dropped from the upstream patches.

We keep them just because :-) No, by removing them we could introduce a regression and keeping them doesn't hurt much.

> 4) (minor) should the cherry-pick/backport SHAs mention that they're from linux-stable ?

If they are, then yes. I can't remember :-)

Thanks for the feedback!

...Juerg

>
> On 2018-06-28 16:40:50 , Juerg Haefliger wrote:
>> BugLink: https://bugs.launchpad.net/bugs/1774181
>>
>> Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre
>> v1 mitigation. Add the missing patches and merge them with Ubuntu's current
>> implementation.
>>
>> == SRU Justification ==
>> Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset
>> which introduced a barrier macro to prevent speculation beyond array boundaries
>> for user controlled indices. What eventually landed in upstream is slightly
>> different and uses a barrier macro in combination with a masking solution (plus
>> syscall table and user pointer sanitation). During the updates to newer stable
>> upstream versions, all those patches were skipped. After reviewing them, we
>> want to bring them back and merge them with the current implementation which
>> brings us back in sync with upstream stable.
>>
>> == Fix ==
>> Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131.
>> Where appropriate, replace Ubuntu's additional barriers with the masking macro.
>>
>> == Regression Potential ==
>> Low. The patches have been in upstream for quite a while now and we keep the
>> speculation barriers that are currently in Ubuntu but not in upstream.
>>
>> == Test Case ==
>> TBD.
>>
>> Compile-tested all supported architectures.

On 28.06.2018 16:40, Juerg Haefliger wrote:
> BugLink: https://bugs.launchpad.net/bugs/1774181
>
> Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre
> v1 mitigation. Add the missing patches and merge them with Ubuntu's current
> implementation.
>
> == SRU Justification ==
> Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset
> which introduced a barrier macro to prevent speculation beyond array boundaries
> for user controlled indices. What eventually landed in upstream is slightly
> different and uses a barrier macro in combination with a masking solution (plus
> syscall table and user pointer sanitation). During the updates to newer stable
> upstream versions, all those patches were skipped. After reviewing them, we
> want to bring them back and merge them with the current implementation which
> brings us back in sync with upstream stable.

I went through the set and ended more or less with the same comments as Khaled:
- some patches look like picked from 4.4.y without mentioning that
- personally I like to start a new section with the backported/cherry picked
  line, this makes it a bit more obvious where the new block starts. Not really
  important but some patches do it that way and some not. So either one style
  or the other would be good.
- I would squash moving that WARN_ON_ONCE and removing it into one patch with
  the commit message of the removal
- Renaming osb() and fixing the last uses really should be one patch for
  bisection.

-Stefan

>
> == Fix ==
> Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131.
> Where appropriate, replace Ubuntu's additional barriers with the masking macro.
>
> == Regression Potential ==
> Low. The patches have been in upstream for quite a while now and we keep the
> speculation barriers that are currently in Ubuntu but not in upstream.
>
> == Test Case ==
> TBD.
>
> Compile-tested all supported architectures.

On 07/25/2018 03:35 PM, Stefan Bader wrote:
> On 28.06.2018 16:40, Juerg Haefliger wrote:
>> BugLink: https://bugs.launchpad.net/bugs/1774181
>>
>> Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre
>> v1 mitigation. Add the missing patches and merge them with Ubuntu's current
>> implementation.
>>
>> == SRU Justification ==
>> Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset
>> which introduced a barrier macro to prevent speculation beyond array boundaries
>> for user controlled indices. What eventually landed in upstream is slightly
>> different and uses a barrier macro in combination with a masking solution (plus
>> syscall table and user pointer sanitation). During the updates to newer stable
>> upstream versions, all those patches were skipped. After reviewing them, we
>> want to bring them back and merge them with the current implementation which
>> brings us back in sync with upstream stable.
>
> I went through the set and ended more or less with the same comments as Khaled:
> - some patches look like picked from 4.4.y without mentioning that
> - personally I like to start a new section with the backported/cherry picked
>   line, this makes it a bit more obvious where the new block starts. Not really
>   important but some patches do it that way and some not. So either one style
>   or the other would be good.
> - I would squash moving that WARN_ON_ONCE and removing it into one patch with
>   the commit message of the removal
> - Renaming osb() and fixing the last uses really should be one patch for
>   bisection.

Will fix it up and resend a new PR. Thanks for the review!

...Juerg

> -Stefan
>>
>> == Fix ==
>> Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131.
>> Where appropriate, replace Ubuntu's additional barriers with the masking macro.
>>
>> == Regression Potential ==
>> Low.

BugLink: https://bugs.launchpad.net/bugs/1774181

Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre
v1 mitigation. Add the missing patches and merge them with Ubuntu's current
implementation.

== SRU Justification ==
Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset
which introduced a barrier macro to prevent speculation beyond array boundaries
for user controlled indices. What eventually landed in upstream is slightly
different and uses a barrier macro in combination with a masking solution (plus
syscall table and user pointer sanitation). During the updates to newer stable
upstream versions, all those patches were skipped. After reviewing them, we
want to bring them back and merge them with the current implementation which
brings us back in sync with upstream stable.

== Fix ==
Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131.
Where appropriate, replace Ubuntu's additional barriers with the masking macro.

== Regression Potential ==
Low. The patches have been in upstream for quite a while now and we keep the
speculation barriers that are currently in Ubuntu but not in upstream.

== Test Case ==
TBD.

Compile-tested all supported architectures.

Signed-off-by: Juerg Haefliger <juergh@canonical.com>
---

The following changes since commit ae41eb7e6e1f4431c8a6d98578588d15b7240bf8:

  fscache: Fix hanging wait on page discarded by writeback (2018-06-18 17:44:37 +0200)

are available in the Git repository at:

  git://git.launchpad.net/~juergh/+git/trusty-linux lp1774181

for you to fetch changes up to 182dabb3ee807633a0a11e8bbac93a64d111fdd3:

  UBUNTU: SAUCE: filter: Use barrier_nospec() instead of osb() (2018-06-28 16:08:50 +0200)

----------------------------------------------------------------
Ben Hutchings (1):
      x86/syscall: Sanitize syscall table de-references under speculation

Dan Williams (9):
      array_index_nospec: Sanitize speculative array de-references
      x86: Implement array_index_mask_nospec
      x86: Introduce barrier_nospec
      x86/get_user: Use pointer masking to limit speculation
      vfs, fdtable: Prevent bounds-check bypass via speculative execution
      nl80211: Sanitize array index in parse_txq_params
      x86/spectre: Report get_user mitigation for spectre_v1
      x86/kvm: Update spectre-v1 mitigation
      nospec: Kill array_index_nospec_mask_check()

Juerg Haefliger (3):
      UBUNTU: SAUCE: Replace osb() calls with array_index_nospec()
      UBUNTU: SAUCE: Rename osb() to barrier_nospec()
      UBUNTU: SAUCE: filter: Use barrier_nospec() instead of osb()

Mark Rutland (1):
      Documentation: Document array_index_nospec

Rasmus Villemoes (1):
      nospec: Allow index argument to have const-qualified type

Will Deacon (1):
      nospec: Move array_index_nospec() parameter checking into separate macro

 Documentation/speculation.txt            | 90 ++++++++++++++++++++++++++++++++
 arch/arm/include/asm/barrier.h           |  3 --
 arch/arm64/include/asm/barrier.h         |  3 --
 arch/powerpc/include/asm/barrier.h       |  3 +-
 arch/s390/include/asm/barrier.h          | 13 +++--
 arch/x86/ia32/ia32entry.S                | 36 ++++++++-----
 arch/x86/include/asm/barrier.h           | 32 ++++++++++--
 arch/x86/kernel/cpu/bugs.c               | 10 +---
 arch/x86/kernel/entry_32.S               |  4 ++
 arch/x86/kernel/entry_64.S               | 16 +++---
 arch/x86/kvm/vmx.c                       | 15 ++++--
 arch/x86/lib/getuser.S                   | 10 ++++
 drivers/media/usb/uvc/uvc_v4l2.c         |  5 +-
 drivers/net/wireless/ath/carl9170/main.c |  3 +-
 drivers/scsi/qla2xxx/qla_mr.c            |  5 +-
 fs/udf/misc.c                            | 13 ++---
 include/asm-generic/barrier.h            | 11 ----
 include/linux/fdtable.h                  |  3 +-
 include/linux/nospec.h                   | 53 +++++++++++++++++++
 kernel/user_namespace.c                  |  3 +-
 net/core/filter.c                        |  5 +-
 net/wireless/nl80211.c                   |  9 ++--
 22 files changed, 268 insertions(+), 77 deletions(-)
 create mode 100644 Documentation/speculation.txt
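
The two mitigation styles contrasted in the SRU justification and in the reply about osb() versus array_index_nospec(), as an added userspace sketch that is not code from this pull request or from Ubuntu's tree. The mask computation is modelled on upstream's generic array_index_mask_nospec(); the table, lookup_masked(), lookup_barrier(), speculative_index() and the lfence-based barrier_nospec() stand-in are assumptions made for illustration.

```c
/* Userspace model of index masking versus a speculation barrier.
 * Constructed for illustration; names other than array_index_mask_nospec,
 * array_index_nospec and barrier_nospec are hypothetical. */
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define TABLE_SIZE 16UL

/* Constructed sample data standing in for a kernel table. */
static const unsigned char table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Returns ~0UL when index < size and 0 otherwise, using only data flow
 * (no branch that could be mispredicted). Assumes size <= LONG_MAX and an
 * arithmetic right shift of negative values, as gcc and clang provide. */
static unsigned long array_index_mask_nospec(unsigned long index,
                                             unsigned long size)
{
    /* Stop the compiler from proving index < size and dropping the mask. */
    __asm__ volatile("" : "+r"(index));
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Function form of the array_index_nospec() macro: clamp to [0, size). */
static unsigned long array_index_nospec(unsigned long index,
                                        unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Stand-in for barrier_nospec() (osb() before the rename in this series). */
static void barrier_nospec(void)
{
#if defined(__x86_64__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory"); /* compiler barrier only (assumption) */
#endif
}

/* Masking style: the load address depends on the clamped index, so a
 * mispredicted bounds check can still only touch table[0..TABLE_SIZE-1]. */
static int lookup_masked(unsigned long idx, unsigned char *out)
{
    if (idx >= TABLE_SIZE)
        return -1;
    idx = array_index_nospec(idx, TABLE_SIZE);
    *out = table[idx];
    return 0;
}

/* Barrier style: execution waits at the fence until the check resolves. */
static int lookup_barrier(unsigned long idx, unsigned char *out)
{
    if (idx >= TABLE_SIZE)
        return -1;
    barrier_nospec();
    *out = table[idx];
    return 0;
}

/* Index a wrongly speculated path would use once masking is applied. */
static unsigned long speculative_index(unsigned long idx)
{
    return array_index_nospec(idx, TABLE_SIZE);
}

int main(void)
{
    unsigned long probes[] = { 0, 15, 16, 4096, ULONG_MAX };
    unsigned char v = 0;

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("idx=%lu mask=%#lx clamped=%lu masked_rc=%d barrier_rc=%d\n",
               probes[i], array_index_mask_nospec(probes[i], TABLE_SIZE),
               speculative_index(probes[i]),
               lookup_masked(probes[i], &v), lookup_barrier(probes[i], &v));
    return 0;
}
```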