From patchwork Thu Jul 26 08:24:59 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Juerg Haefliger X-Patchwork-Id: 949535 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 41blX83BRNz9ryl; Thu, 26 Jul 2018 18:25:12 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1fiba4-0007yH-H1; Thu, 26 Jul 2018 08:25:04 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1fiba2-0007xn-GW for kernel-team@lists.ubuntu.com; Thu, 26 Jul 2018 08:25:02 +0000 Received: from mail-ed1-f69.google.com ([209.85.208.69]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1fiba2-0003p5-3S for kernel-team@lists.ubuntu.com; Thu, 26 Jul 2018 08:25:02 +0000 Received: by mail-ed1-f69.google.com with SMTP id y17-v6so492085eds.22 for ; Thu, 26 Jul 2018 01:25:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to; bh=vTq9D6pVjL2UhPGyZTiIIMKNU/cBc1mVEPhwN8/Y+us=; b=gobOYxavgHBB+cspT4Ct5Z4pE3rXPeDx3vzVnkBioS+9K8TtOTJWJui+o40IJt9sb2 EPLCRuPBYlO5D4lncIPzuQgkgVCsCw9cjHOmi9rZ4ilibCRcxHz8Xtq7Kgt0b+pfjIl7 2uKsBIs5MRSHaVUHGBDYpQQxdGeDpk8xmPBzNP3xwLArzipBdjTIerKwbz1baqV07ex7 Qh5SQ5AwbswF0/mAXt7dSp/0bz7tPZB3Jih5ytYyfU8DWXzj6sgAFS3jgKwbmhA52M6E Wpz35xl5ArR5fZJHdpUDI1w9cRHLd/nKaG3RZW6cCEDwD8HKFz+tS8CTb0qj399Fxm+Z zOfQ== X-Gm-Message-State: AOUpUlEf9BUO4AisNZFUeGZHA7hzjQcG2JHP6LNT4tAY3RzodhcdbQuP U7G4DdNx+06NkeKCo4prip7LVu0LFw4f+kheOdfzUtXZk2x/gLuX/QckzyrZ85M4gweYHI8Lfoi YPXj0iOMZVJVKJdSmNGbBd1BucpIGjVKfGTzu8gC2xA== X-Received: by 2002:a50:a623:: with SMTP id d32-v6mr1612485edc.8.1532593501592; Thu, 26 Jul 2018 01:25:01 -0700 (PDT) X-Google-Smtp-Source: AAOMgpcR7Ozs6JLamcvX/vdULjqdGuz1W/MVZmYHVHDddbMXQ/bvfc4OOiE/lApTAnr/Nb5raZTxjg== X-Received: by 2002:a50:a623:: with SMTP id d32-v6mr1612471edc.8.1532593501408; Thu, 26 Jul 2018 01:25:01 -0700 (PDT) Received: from gollum.fritz.box ([81.221.205.149]) by smtp.gmail.com with ESMTPSA id x33-v6sm778991eda.81.2018.07.26.01.25.00 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Jul 2018 01:25:00 -0700 (PDT) From: Juerg Haefliger X-Google-Original-From: Juerg Haefliger To: kernel-team@lists.ubuntu.com Subject: [SRU][Trusty][PULL v2] Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181) Date: Thu, 26 Jul 2018 10:24:59 +0200 Message-Id: <2dd022222443a00e54f58f0e2a0e5f9e78c0e6b7.1532593086.git.juergh@canonical.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <182dabb3ee807633a0a11e8bbac93a64d111fdd3.1530194947.git.juergh@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/1774181 Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre v1 mitigation. Add the missing patches and merge them with Ubuntu's current implementation. == SRU Justification == Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset which introduced a barrier macro to prevent speculation beyond array boundaries for user controlled indices. What eventually landed in upstream is slightly different and uses a barrier macro in combination with a masking solution (plus syscall table and user pointer sanitation). During the updates to newer stable upstream versions, all those patches were skipped. After reviewing them, we want to bring them back and merge them with the current implementation which brings us back in sync with upstream stable. == Fix == Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131. Where appropriate, replace Ubuntu's additional barriers with the masking macro. == Regression Potential == Low. The patches have been in upstream for quite a while now and we keep the speculation barriers that are currently in Ubuntu but not in upstream. == Test Case == TBD. v1 -> v2: - No functional changes. - Pulled backports/cherry-picks from linux-stable and tagged them accordingly. - Squashed "UBUNTU: SAUCE: filter: Use barrier_nospec() instead of osb()" into "UBUNTU: SAUCE: Rename osb() to barrier_nospec()". - Added newlines before my sign-off lines to start a new section. Signed-off-by: Juerg Haefliger Acked-by: Stefan Bader Acked-by: Kleber Sacilotto de Souza --- The following changes since commit ea04a5f62ca732a3c55e712192e0a303277c209c: mm/mempolicy: fix use after free when calling get_mempolicy (2018-07-25 13:22:00 +0200) are available in the Git repository at: git://git.launchpad.net/~juergh/+git/trusty-linux lp1774181-v2 for you to fetch changes up to 2dd022222443a00e54f58f0e2a0e5f9e78c0e6b7: UBUNTU: SAUCE: Rename osb() to barrier_nospec() (2018-07-26 09:46:02 +0200) ---------------------------------------------------------------- Ben Hutchings (1): x86/syscall: Sanitize syscall table de-references under speculation Dan Williams (9): array_index_nospec: Sanitize speculative array de-references x86: Implement array_index_mask_nospec x86: Introduce barrier_nospec x86/get_user: Use pointer masking to limit speculation vfs, fdtable: Prevent bounds-check bypass via speculative execution nl80211: Sanitize array index in parse_txq_params x86/spectre: Report get_user mitigation for spectre_v1 x86/kvm: Update spectre-v1 mitigation nospec: Kill array_index_nospec_mask_check() Juerg Haefliger (2): UBUNTU: SAUCE: Replace osb() calls with array_index_nospec() UBUNTU: SAUCE: Rename osb() to barrier_nospec() Mark Rutland (1): Documentation: Document array_index_nospec Rasmus Villemoes (1): nospec: Allow index argument to have const-qualified type Will Deacon (1): nospec: Move array_index_nospec() parameter checking into separate macro Documentation/speculation.txt | 90 ++++++++++++++++++++++++++++++++ arch/arm/include/asm/barrier.h | 3 -- arch/arm64/include/asm/barrier.h | 3 -- arch/powerpc/include/asm/barrier.h | 3 +- arch/s390/include/asm/barrier.h | 13 +++-- arch/x86/ia32/ia32entry.S | 36 ++++++++----- arch/x86/include/asm/barrier.h | 32 ++++++++++-- arch/x86/kernel/cpu/bugs.c | 10 +--- arch/x86/kernel/entry_32.S | 4 ++ arch/x86/kernel/entry_64.S | 16 +++--- arch/x86/kvm/vmx.c | 15 ++++-- arch/x86/lib/getuser.S | 10 ++++ drivers/media/usb/uvc/uvc_v4l2.c | 5 +- drivers/net/wireless/ath/carl9170/main.c | 3 +- drivers/scsi/qla2xxx/qla_mr.c | 5 +- fs/udf/misc.c | 13 ++--- include/asm-generic/barrier.h | 11 ---- include/linux/fdtable.h | 3 +- include/linux/nospec.h | 53 +++++++++++++++++++ kernel/user_namespace.c | 3 +- net/core/filter.c | 5 +- net/wireless/nl80211.c | 9 ++-- 22 files changed, 268 insertions(+), 77 deletions(-) create mode 100644 Documentation/speculation.txt