Message ID | 64d8307cf6ffc09278aeda29bed31a0e72a680c1.1528355271.git.juergh@canonical.com |
---|---|
State | New |
Series | [SRU,Xenial,PULL] Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181) |
On 07.06.2018 00:11, Juerg Haefliger wrote:
> BugLink: https://bugs.launchpad.net/bugs/1774181
>
> Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre v1 mitigation. Add the missing patches and merge them with Ubuntu's current implementation.
>
> The non-SAUCE patches are the stable 4.4 patches from 4.4.118 to 4.4.131. The rest will come in through follow-on updates to the current stable version 4.4.135.
>
> The SAUCE patches are the add-on/difference between the original embargoed patchset and what finally landed in upstream.
>
>
> == SRU Justification ==
> Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset which introduced a barrier macro to prevent speculation beyond array boundaries for user controlled indices. What eventually landed in upstream is slightly different and uses a barrier macro in combination with a masking solution (plus syscall table and user pointer sanitation). During the updates to newer stable upstream versions, all those patches were skipped. After reviewing them, we want to bring them back and merge them with the current implementation which brings us back in sync with upstream stable.
>
> == Fix ==
> Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131. Where appropriate, replace Ubuntu's additional barriers with the masking macro.
>
> == Regression Potential ==
> Low. The patches have been in upstream for quite a while now and we keep the speculation barriers that are currently in Ubuntu but not in upstream.
>
> == Test Case ==
> TBD.
>
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>
> ---
> The following changes since commit 8a4cab02850143918a93afbd9dd284cdef0b84d3:
>
>   UBUNTU: Ubuntu-4.4.0-128.154 (2018-05-25 16:01:29 +0200)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~juergh/+git/xenial-linux lp1774181
>
> for you to fetch changes up to 64d8307cf6ffc09278aeda29bed31a0e72a680c1:
>
>   UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb() (2018-06-05 17:27:01 +0200)
>
> ----------------------------------------------------------------
> Dan Williams (12):
>       array_index_nospec: Sanitize speculative array de-references
>       x86: Implement array_index_mask_nospec
>       x86: Introduce barrier_nospec
>       x86/get_user: Use pointer masking to limit speculation
>       x86/syscall: Sanitize syscall table de-references under speculation
>       vfs, fdtable: Prevent bounds-check bypass via speculative execution
>       nl80211: Sanitize array index in parse_txq_params
>       x86/spectre: Report get_user mitigation for spectre_v1
>       x86/kvm: Update spectre-v1 mitigation
>       mpls, nospec: Sanitize array index in mpls_label_ok()
>       nospec: Include <asm/barrier.h> dependency
>       nospec: Kill array_index_nospec_mask_check()
>
> Jiri Slaby (1):
>       x86/syscall: Sanitize syscall table de-references under speculation fix
>
> Juerg Haefliger (3):
>       UBUNTU: SAUCE: Replace osb() calls with array_index_nospec()
>       UBUNTU: SAUCE: Rename osb() to barrier_nospec()
>       UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb()
>
> Mark Rutland (1):
>       Documentation: Document array_index_nospec
>
> Rasmus Villemoes (1):
>       nospec: Allow index argument to have const-qualified type
>
> Takashi Iwai (2):
>       ALSA: seq: oss: Hardening for potential Spectre v1
>       ALSA: hda: Hardening for potential Spectre v1
>
> Will Deacon (1):
>       nospec: Move array_index_nospec() parameter checking into separate macro
>
>  Documentation/speculation.txt                      | 90 ++++++++++++++++++++++
>  arch/arm/include/asm/barrier.h                     |  2 -
>  arch/arm64/include/asm/barrier.h                   |  2 -
>  arch/powerpc/include/asm/barrier.h                 |  3 +-
>  arch/s390/include/asm/barrier.h                    | 13 ++--
>  arch/x86/entry/common.c                            |  2 +
>  arch/x86/entry/entry_64.S                          | 16 ++--
>  arch/x86/include/asm/barrier.h                     | 30 +++++++-
>  arch/x86/include/asm/msr.h                         |  2 +-
>  arch/x86/kernel/cpu/bugs.c                         | 11 +--
>  arch/x86/kvm/vmx.c                                 | 20 +++--
>  arch/x86/lib/getuser.S                             | 10 +++
>  drivers/net/wireless/ath/carl9170/main.c           |  3 +-
>  drivers/scsi/qla2xxx/qla_mr.c                      |  5 +-
>  .../thermal/int340x_thermal/int340x_thermal_zone.c |  3 +-
>  fs/udf/misc.c                                      | 13 ++--
>  include/linux/fdtable.h                            |  3 +-
>  include/linux/nospec.h                             | 53 +++++++++++++
>  kernel/bpf/core.c                                  |  6 +-
>  kernel/user_namespace.c                            |  3 +-
>  net/ipv4/raw.c                                     |  7 +-
>  net/ipv6/raw.c                                     |  7 +-
>  net/mpls/af_mpls.c                                 | 28 ++++---
>  net/wireless/nl80211.c                             |  9 ++-
>  sound/core/seq/oss/seq_oss_event.c                 | 15 ++--
>  sound/core/seq/oss/seq_oss_midi.c                  |  2 +
>  sound/core/seq/oss/seq_oss_synth.c                 | 75 ++++++++++--------
>  sound/core/seq/oss/seq_oss_synth.h                 |  3 +-
>  sound/pci/hda/hda_hwdep.c                          | 12 ++-
>  29 files changed, 331 insertions(+), 117 deletions(-)
>  create mode 100644 Documentation/speculation.txt
>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

On 06/07/18 00:11, Juerg Haefliger wrote:
> BugLink: https://bugs.launchpad.net/bugs/1774181
>
> Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre v1 mitigation. Add the missing patches and merge them with Ubuntu's current implementation.
>
> The non-SAUCE patches are the stable 4.4 patches from 4.4.118 to 4.4.131. The rest will come in through follow-on updates to the current stable version 4.4.135.
>
> The SAUCE patches are the add-on/difference between the original embargoed patchset and what finally landed in upstream.
>
>
> == SRU Justification ==
> Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset which introduced a barrier macro to prevent speculation beyond array boundaries for user controlled indices. What eventually landed in upstream is slightly different and uses a barrier macro in combination with a masking solution (plus syscall table and user pointer sanitation). During the updates to newer stable upstream versions, all those patches were skipped. After reviewing them, we want to bring them back and merge them with the current implementation which brings us back in sync with upstream stable.
>
> == Fix ==
> Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131. Where appropriate, replace Ubuntu's additional barriers with the masking macro.
>
> == Regression Potential ==
> Low. The patches have been in upstream for quite a while now and we keep the speculation barriers that are currently in Ubuntu but not in upstream.
>
> == Test Case ==
> TBD.
>
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>
> ---
> The following changes since commit 8a4cab02850143918a93afbd9dd284cdef0b84d3:
>
>   UBUNTU: Ubuntu-4.4.0-128.154 (2018-05-25 16:01:29 +0200)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~juergh/+git/xenial-linux lp1774181
>
> for you to fetch changes up to 64d8307cf6ffc09278aeda29bed31a0e72a680c1:
>
>   UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb() (2018-06-05 17:27:01 +0200)
>
> ----------------------------------------------------------------
> Dan Williams (12):
>       array_index_nospec: Sanitize speculative array de-references
>       x86: Implement array_index_mask_nospec
>       x86: Introduce barrier_nospec
>       x86/get_user: Use pointer masking to limit speculation
>       x86/syscall: Sanitize syscall table de-references under speculation
>       vfs, fdtable: Prevent bounds-check bypass via speculative execution
>       nl80211: Sanitize array index in parse_txq_params
>       x86/spectre: Report get_user mitigation for spectre_v1
>       x86/kvm: Update spectre-v1 mitigation
>       mpls, nospec: Sanitize array index in mpls_label_ok()
>       nospec: Include <asm/barrier.h> dependency
>       nospec: Kill array_index_nospec_mask_check()
>
> Jiri Slaby (1):
>       x86/syscall: Sanitize syscall table de-references under speculation fix
>
> Juerg Haefliger (3):
>       UBUNTU: SAUCE: Replace osb() calls with array_index_nospec()
>       UBUNTU: SAUCE: Rename osb() to barrier_nospec()
>       UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb()
>
> Mark Rutland (1):
>       Documentation: Document array_index_nospec
>
> Rasmus Villemoes (1):
>       nospec: Allow index argument to have const-qualified type
>
> Takashi Iwai (2):
>       ALSA: seq: oss: Hardening for potential Spectre v1
>       ALSA: hda: Hardening for potential Spectre v1
>
> Will Deacon (1):
>       nospec: Move array_index_nospec() parameter checking into separate macro
>
>  Documentation/speculation.txt                      | 90 ++++++++++++++++++++++
>  arch/arm/include/asm/barrier.h                     |  2 -
>  arch/arm64/include/asm/barrier.h                   |  2 -
>  arch/powerpc/include/asm/barrier.h                 |  3 +-
>  arch/s390/include/asm/barrier.h                    | 13 ++--
>  arch/x86/entry/common.c                            |  2 +
>  arch/x86/entry/entry_64.S                          | 16 ++--
>  arch/x86/include/asm/barrier.h                     | 30 +++++++-
>  arch/x86/include/asm/msr.h                         |  2 +-
>  arch/x86/kernel/cpu/bugs.c                         | 11 +--
>  arch/x86/kvm/vmx.c                                 | 20 +++--
>  arch/x86/lib/getuser.S                             | 10 +++
>  drivers/net/wireless/ath/carl9170/main.c           |  3 +-
>  drivers/scsi/qla2xxx/qla_mr.c                      |  5 +-
>  .../thermal/int340x_thermal/int340x_thermal_zone.c |  3 +-
>  fs/udf/misc.c                                      | 13 ++--
>  include/linux/fdtable.h                            |  3 +-
>  include/linux/nospec.h                             | 53 +++++++++++++
>  kernel/bpf/core.c                                  |  6 +-
>  kernel/user_namespace.c                            |  3 +-
>  net/ipv4/raw.c                                     |  7 +-
>  net/ipv6/raw.c                                     |  7 +-
>  net/mpls/af_mpls.c                                 | 28 ++++---
>  net/wireless/nl80211.c                             |  9 ++-
>  sound/core/seq/oss/seq_oss_event.c                 | 15 ++--
>  sound/core/seq/oss/seq_oss_midi.c                  |  2 +
>  sound/core/seq/oss/seq_oss_synth.c                 | 75 ++++++++++--------
>  sound/core/seq/oss/seq_oss_synth.h                 |  3 +-
>  sound/pci/hda/hda_hwdep.c                          | 12 ++-
>  29 files changed, 331 insertions(+), 117 deletions(-)
>  create mode 100644 Documentation/speculation.txt
>

The patches look good, the only thing is that the non-SAUCE patches are mentioning SHA1's as "backported from..." or "cherry picked from..." that are actually from the linux-stable tree instead of linux. So just to be more clear about the provenance, I would add "linux-stable" after the SHA1's.

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

On 07.06.2018 00:11, Juerg Haefliger wrote:
> BugLink: https://bugs.launchpad.net/bugs/1774181
>
> Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre v1 mitigation. Add the missing patches and merge them with Ubuntu's current implementation.
>
> The non-SAUCE patches are the stable 4.4 patches from 4.4.118 to 4.4.131. The rest will come in through follow-on updates to the current stable version 4.4.135.
>
> The SAUCE patches are the add-on/difference between the original embargoed patchset and what finally landed in upstream.
>
>
> == SRU Justification ==
> Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset which introduced a barrier macro to prevent speculation beyond array boundaries for user controlled indices. What eventually landed in upstream is slightly different and uses a barrier macro in combination with a masking solution (plus syscall table and user pointer sanitation). During the updates to newer stable upstream versions, all those patches were skipped. After reviewing them, we want to bring them back and merge them with the current implementation which brings us back in sync with upstream stable.
>
> == Fix ==
> Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131. Where appropriate, replace Ubuntu's additional barriers with the masking macro.
>
> == Regression Potential ==
> Low. The patches have been in upstream for quite a while now and we keep the speculation barriers that are currently in Ubuntu but not in upstream.
>
> == Test Case ==
> TBD.
>
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>
> ---
> The following changes since commit 8a4cab02850143918a93afbd9dd284cdef0b84d3:
>
>   UBUNTU: Ubuntu-4.4.0-128.154 (2018-05-25 16:01:29 +0200)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~juergh/+git/xenial-linux lp1774181
>
> for you to fetch changes up to 64d8307cf6ffc09278aeda29bed31a0e72a680c1:
>
>   UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb() (2018-06-05 17:27:01 +0200)
>
> ----------------------------------------------------------------
> Dan Williams (12):
>       array_index_nospec: Sanitize speculative array de-references
>       x86: Implement array_index_mask_nospec
>       x86: Introduce barrier_nospec
>       x86/get_user: Use pointer masking to limit speculation
>       x86/syscall: Sanitize syscall table de-references under speculation
>       vfs, fdtable: Prevent bounds-check bypass via speculative execution
>       nl80211: Sanitize array index in parse_txq_params
>       x86/spectre: Report get_user mitigation for spectre_v1
>       x86/kvm: Update spectre-v1 mitigation
>       mpls, nospec: Sanitize array index in mpls_label_ok()
>       nospec: Include <asm/barrier.h> dependency
>       nospec: Kill array_index_nospec_mask_check()
>
> Jiri Slaby (1):
>       x86/syscall: Sanitize syscall table de-references under speculation fix
>
> Juerg Haefliger (3):
>       UBUNTU: SAUCE: Replace osb() calls with array_index_nospec()
>       UBUNTU: SAUCE: Rename osb() to barrier_nospec()
>       UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb()
>
> Mark Rutland (1):
>       Documentation: Document array_index_nospec
>
> Rasmus Villemoes (1):
>       nospec: Allow index argument to have const-qualified type
>
> Takashi Iwai (2):
>       ALSA: seq: oss: Hardening for potential Spectre v1
>       ALSA: hda: Hardening for potential Spectre v1
>
> Will Deacon (1):
>       nospec: Move array_index_nospec() parameter checking into separate macro
>
>  Documentation/speculation.txt                      | 90 ++++++++++++++++++++++
>  arch/arm/include/asm/barrier.h                     |  2 -
>  arch/arm64/include/asm/barrier.h                   |  2 -
>  arch/powerpc/include/asm/barrier.h                 |  3 +-
>  arch/s390/include/asm/barrier.h                    | 13 ++--
>  arch/x86/entry/common.c                            |  2 +
>  arch/x86/entry/entry_64.S                          | 16 ++--
>  arch/x86/include/asm/barrier.h                     | 30 +++++++-
>  arch/x86/include/asm/msr.h                         |  2 +-
>  arch/x86/kernel/cpu/bugs.c                         | 11 +--
>  arch/x86/kvm/vmx.c                                 | 20 +++--
>  arch/x86/lib/getuser.S                             | 10 +++
>  drivers/net/wireless/ath/carl9170/main.c           |  3 +-
>  drivers/scsi/qla2xxx/qla_mr.c                      |  5 +-
>  .../thermal/int340x_thermal/int340x_thermal_zone.c |  3 +-
>  fs/udf/misc.c                                      | 13 ++--
>  include/linux/fdtable.h                            |  3 +-
>  include/linux/nospec.h                             | 53 +++++++++++++
>  kernel/bpf/core.c                                  |  6 +-
>  kernel/user_namespace.c                            |  3 +-
>  net/ipv4/raw.c                                     |  7 +-
>  net/ipv6/raw.c                                     |  7 +-
>  net/mpls/af_mpls.c                                 | 28 ++++---
>  net/wireless/nl80211.c                             |  9 ++-
>  sound/core/seq/oss/seq_oss_event.c                 | 15 ++--
>  sound/core/seq/oss/seq_oss_midi.c                  |  2 +
>  sound/core/seq/oss/seq_oss_synth.c                 | 75 ++++++++++--------
>  sound/core/seq/oss/seq_oss_synth.h                 |  3 +-
>  sound/pci/hda/hda_hwdep.c                          | 12 ++-
>  29 files changed, 331 insertions(+), 117 deletions(-)
>  create mode 100644 Documentation/speculation.txt
>

Applied to xenial/master-next. I did re-order this set to come before the 4.4.132 stable update we had pulled before as this contains dependencies for that. Thanks.

-Stefan

BugLink: https://bugs.launchpad.net/bugs/1774181

Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre v1 mitigation. Add the missing patches and merge them with Ubuntu's current implementation.

The non-SAUCE patches are the stable 4.4 patches from 4.4.118 to 4.4.131. The rest will come in through follow-on updates to the current stable version 4.4.135.

The SAUCE patches are the add-on/difference between the original embargoed patchset and what finally landed in upstream.


== SRU Justification ==
Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset which introduced a barrier macro to prevent speculation beyond array boundaries for user controlled indices. What eventually landed in upstream is slightly different and uses a barrier macro in combination with a masking solution (plus syscall table and user pointer sanitation). During the updates to newer stable upstream versions, all those patches were skipped. After reviewing them, we want to bring them back and merge them with the current implementation which brings us back in sync with upstream stable.

== Fix ==
Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131. Where appropriate, replace Ubuntu's additional barriers with the masking macro.

== Regression Potential ==
Low. The patches have been in upstream for quite a while now and we keep the speculation barriers that are currently in Ubuntu but not in upstream.

== Test Case ==
TBD.

Signed-off-by: Juerg Haefliger <juergh@canonical.com>
---
The following changes since commit 8a4cab02850143918a93afbd9dd284cdef0b84d3:

  UBUNTU: Ubuntu-4.4.0-128.154 (2018-05-25 16:01:29 +0200)

are available in the Git repository at:

  git://git.launchpad.net/~juergh/+git/xenial-linux lp1774181

for you to fetch changes up to 64d8307cf6ffc09278aeda29bed31a0e72a680c1:

  UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb() (2018-06-05 17:27:01 +0200)

----------------------------------------------------------------
Dan Williams (12):
      array_index_nospec: Sanitize speculative array de-references
      x86: Implement array_index_mask_nospec
      x86: Introduce barrier_nospec
      x86/get_user: Use pointer masking to limit speculation
      x86/syscall: Sanitize syscall table de-references under speculation
      vfs, fdtable: Prevent bounds-check bypass via speculative execution
      nl80211: Sanitize array index in parse_txq_params
      x86/spectre: Report get_user mitigation for spectre_v1
      x86/kvm: Update spectre-v1 mitigation
      mpls, nospec: Sanitize array index in mpls_label_ok()
      nospec: Include <asm/barrier.h> dependency
      nospec: Kill array_index_nospec_mask_check()

Jiri Slaby (1):
      x86/syscall: Sanitize syscall table de-references under speculation fix

Juerg Haefliger (3):
      UBUNTU: SAUCE: Replace osb() calls with array_index_nospec()
      UBUNTU: SAUCE: Rename osb() to barrier_nospec()
      UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb()

Mark Rutland (1):
      Documentation: Document array_index_nospec

Rasmus Villemoes (1):
      nospec: Allow index argument to have const-qualified type

Takashi Iwai (2):
      ALSA: seq: oss: Hardening for potential Spectre v1
      ALSA: hda: Hardening for potential Spectre v1

Will Deacon (1):
      nospec: Move array_index_nospec() parameter checking into separate macro

 Documentation/speculation.txt                      | 90 ++++++++++++++++++++++
 arch/arm/include/asm/barrier.h                     |  2 -
 arch/arm64/include/asm/barrier.h                   |  2 -
 arch/powerpc/include/asm/barrier.h                 |  3 +-
 arch/s390/include/asm/barrier.h                    | 13 ++--
 arch/x86/entry/common.c                            |  2 +
 arch/x86/entry/entry_64.S                          | 16 ++--
 arch/x86/include/asm/barrier.h                     | 30 +++++++-
 arch/x86/include/asm/msr.h                         |  2 +-
 arch/x86/kernel/cpu/bugs.c                         | 11 +--
 arch/x86/kvm/vmx.c                                 | 20 +++--
 arch/x86/lib/getuser.S                             | 10 +++
 drivers/net/wireless/ath/carl9170/main.c           |  3 +-
 drivers/scsi/qla2xxx/qla_mr.c                      |  5 +-
 .../thermal/int340x_thermal/int340x_thermal_zone.c |  3 +-
 fs/udf/misc.c                                      | 13 ++--
 include/linux/fdtable.h                            |  3 +-
 include/linux/nospec.h                             | 53 +++++++++++++
 kernel/bpf/core.c                                  |  6 +-
 kernel/user_namespace.c                            |  3 +-
 net/ipv4/raw.c                                     |  7 +-
 net/ipv6/raw.c                                     |  7 +-
 net/mpls/af_mpls.c                                 | 28 ++++---
 net/wireless/nl80211.c                             |  9 ++-
 sound/core/seq/oss/seq_oss_event.c                 | 15 ++--
 sound/core/seq/oss/seq_oss_midi.c                  |  2 +
 sound/core/seq/oss/seq_oss_synth.c                 | 75 ++++++++++--------
 sound/core/seq/oss/seq_oss_synth.h                 |  3 +-
 sound/pci/hda/hda_hwdep.c                          | 12 ++-
 29 files changed, 331 insertions(+), 117 deletions(-)
 create mode 100644 Documentation/speculation.txt
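
The SRU justification above contrasts a speculation barrier after the bounds check with upstream's index masking. The following is an added illustration, not code from this pull request or from the kernel tree: a user-space C model in which the mask expression follows the generic C fallback in upstream's include/linux/nospec.h, and the table, its values, the lookup_* functions and the function bodies standing in for barrier_nospec() and array_index_nospec() are constructed for the example.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define TABLE_SIZE 8UL

/* Constructed sample data standing in for a kernel lookup table. */
static const int table[TABLE_SIZE] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Model of the barrier approach: stop speculation past this point.
 * lfence on x86-64; elsewhere only a compiler barrier (stand-in). */
static inline void barrier_nospec(void)
{
#if defined(__x86_64__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

/* Model of the masking approach: ~0UL if index < size, else 0, computed
 * with arithmetic only so there is no branch to mispredict. Assumes
 * size <= LONG_MAX and an arithmetic right shift of negative longs
 * (gcc/clang behaviour). */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index to 0 when it is out of bounds, even under misprediction. */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Barrier form: bounds check, then serialise before the dependent load. */
int lookup_barrier(unsigned long idx)
{
    if (idx >= TABLE_SIZE)
        return -1;
    barrier_nospec();
    return table[idx];
}

/* Masking form: bounds check, then sanitise the index used for the load. */
int lookup_masked(unsigned long idx)
{
    if (idx >= TABLE_SIZE)
        return -1;
    idx = array_index_nospec(idx, TABLE_SIZE);
    return table[idx];
}

int main(void)
{
    printf("%d %d %d\n", lookup_barrier(3), lookup_masked(3), lookup_masked(8));
    printf("%lx %lx\n", array_index_mask_nospec(7, TABLE_SIZE),
           array_index_mask_nospec(8, TABLE_SIZE));
    return 0;
}
```

In user space an optimising compiler can prove the mask is all ones after the bounds check and drop it, which is why x86 supplies its own array_index_mask_nospec() in assembly rather than relying on the C expression.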