linux/arch
Pawan Gupta ba6e31af2b x86/speculation: Add LFENCE to RSB fill sequence
RSB fill sequence does not have any protection for misprediction of
conditional branch at the end of the sequence. CPU can speculatively
execute code immediately after the sequence, while RSB filling hasn't
completed yet.

  #define __FILL_RETURN_BUFFER(reg, nr, sp)       \
          mov     $(nr/2), reg;                   \
  771:                                            \
          ANNOTATE_INTRA_FUNCTION_CALL;           \
          call    772f;                           \
  773:    /* speculation trap */                  \
          UNWIND_HINT_EMPTY;                      \
          pause;                                  \
          lfence;                                 \
          jmp     773b;                           \
  772:                                            \
          ANNOTATE_INTRA_FUNCTION_CALL;           \
          call    774f;                           \
  775:    /* speculation trap */                  \
          UNWIND_HINT_EMPTY;                      \
          pause;                                  \
          lfence;                                 \
          jmp     775b;                           \
  774:                                            \
          add     $(BITS_PER_LONG/8) * 2, sp;     \
          dec     reg;                            \
          jnz     771b;        <----- CPU can mispredict here.

Before RSB is filled, RETs that come in program order after this macro
can be executed speculatively, making them vulnerable to RSB-based
attacks.

Mitigate it by adding an LFENCE after the conditional branch to prevent
speculation while RSB is being filled.

Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
2022-08-03 14:12:18 +02:00
..
alpha Cleanups (and one fix) around struct mount handling. 2022-06-04 19:00:05 -07:00
arc This set of changes updates init and user mode helper tasks to be 2022-06-03 16:03:05 -07:00
arm ARM fixes for 5.19: 2022-07-30 17:24:16 -07:00
arm64 ARM: SoC fixes for 5.19, part 3 2022-07-15 10:16:44 -07:00
csky csky/tlb: Remove tlb_flush() define 2022-07-21 10:50:13 -07:00
hexagon
ia64 Bitmap patches for 5.19-rc1 2022-06-04 14:04:27 -07:00
loongarch LoongArch: Fix wrong "ROM Size" of boardinfo 2022-07-29 18:22:33 +08:00
m68k This set of changes updates init and user mode helper tasks to be 2022-06-03 16:03:05 -07:00
microblaze This set of changes updates init and user mode helper tasks to be 2022-06-03 16:03:05 -07:00
mips mips: lantiq: Add missing of_node_put() in irq.c 2022-06-21 22:34:03 +02:00
nios2 This set of changes updates init and user mode helper tasks to be 2022-06-03 16:03:05 -07:00
openrisc openrisc: unwinder: Fix grammar issue in comment 2022-06-28 17:31:24 +09:00
parisc parisc: Fix vDSO signal breakage on 32-bit kernel 2022-07-02 18:36:58 +02:00
powerpc powerpc fixes for 5.19 #6 2022-07-29 09:57:07 -07:00
riscv A Single RISC-V Fix for 5.19 2022-07-29 10:46:03 -07:00
s390 s390 updates for 5.19 2022-07-26 10:03:53 -07:00
sh sh: convert nommu io{re,un}map() to static inline functions 2022-07-03 15:42:32 -07:00
sparc mmu_gather: Remove per arch tlb_{start,end}_vma() 2022-07-21 10:50:13 -07:00
um - Improve the check whether the kernel supports WP mappings so that it 2022-07-17 08:27:30 -07:00
x86 x86/speculation: Add LFENCE to RSB fill sequence 2022-08-03 14:12:18 +02:00
xtensa xtensa: change '.bss' to '.section .bss' 2022-06-20 02:50:34 -07:00
.gitignore
Kconfig mmu_gather: Remove per arch tlb_{start,end}_vma() 2022-07-21 10:50:13 -07:00