[Frugalware-git] frugalware-current: kernel-4.14.13-1-x86_64

crazy crazy at frugalware.org
Wed Jan 17 14:55:54 CET 2018


Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=f43cb876155ccc00a38bbf7516f928fbdf7d5a72

commit f43cb876155ccc00a38bbf7516f928fbdf7d5a72
Author: crazy <crazy at frugalware.org>
Date:   Wed Jan 17 14:54:29 2018 +0100

kernel-4.14.13-1-x86_64

* prepare for 4.14.14
* added missing retpoline bits for Skylake
* remove e1000e fix; .14 finally has that fix

diff --git a/source/base/kernel/FrugalBuild b/source/base/kernel/FrugalBuild
index 528797d..8a9bac8 100644
--- a/source/base/kernel/FrugalBuild
+++ b/source/base/kernel/FrugalBuild
@@ -45,10 +45,12 @@ _F_kernel_patches=(
introduce-NUMA-identity-node-sched-domain.patch
# mute PPS error shit .. buggy in 4.14.x
mute-pps_state_mismatch.patch
-		   fix-e1000e-nm.patch
# see https://marc.info/?l=linux-kernel&m=151561236821659&w=2
# ZEN microcode update fix from a initrd with mem_encrpyt=on
SME-BSP_SME-microcode-update-fixes.patch
+		   # missing retpoline bits in .14
+		   retpoline-fill_RSB_on_context_switch_for_affected_CPUs.patch
+		   retpoline_add_LFENCE_to_the_retpoline_filling_RSB_macros.patch
)

for ppatch in "${_F_kernel_patches[@]}"
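Review bot: The new comment `# missing retpoline bits in .14` at the end of `_F_kernel_patches` does not say which upstream changes the two files carry, so it will be hard to tell later when a stable release makes these Spectre v2 backports redundant. Naming the upstream commits recorded in the patch headers would fix that, e.g. `# retpoline backports: upstream c995efd5a740 (RSB fill on context switch), 28d437d550e1 (LFENCE in speculation traps); drop once stable carries them`. Separately, the hunk drops `fix-e1000e-nm.patch` on the grounds that .14 contains it, while the commit title still reads 4.14.13-1 and the version setting is not in this hunk; if this revision can still be built as .13, that build loses the e1000e link-state fix, so the patch-list change and the version bump should land together. The array opens above the hunk and the `for` loop continues below it.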
diff --git a/source/base/kernel/fix-e1000e-nm.patch b/source/base/kernel/fix-e1000e-nm.patch
deleted file mode 100644
index dd7f8ed..0000000
--- a/source/base/kernel/fix-e1000e-nm.patch
+++ /dev/null
@@ -1,46 +0,0 @@
----
- drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
-index d6d4ed7acf03..31277d3bb7dc 100644
---- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
-+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
-@@ -1367,6 +1367,9 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force)
-  *  Checks to see of the link status of the hardware has changed.  If a
-  *  change in link status has been detected, then we read the PHY registers
-  *  to get the current speed/duplex if link exists.
-+ *
-+ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
-+ *  up).
-  **/
- static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
- {
-@@ -1382,7 +1385,7 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
- 	 * Change or Rx Sequence Error interrupt.
- 	 */
- 	if (!mac->get_link_status)
--		return 0;
-+		return 1;
-
- 	/* First we want to see if the MII Status Register reports
- 	 * link.  If so, then we want to get the current speed/duplex
-@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
- 	 * different link partner.
- 	 */
- 	ret_val = e1000e_config_fc_after_link_up(hw);
--	if (ret_val)
-+	if (ret_val) {
- 		e_dbg("Error configuring flow control\n");
-+		return ret_val;
-+	}
-
--	return ret_val;
-+	return 1;
- }
-
- static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
---
-2.15.1
-
-
\ No newline at end of file
diff --git a/source/base/kernel/retpoline-fill_RSB_on_context_switch_for_affected_CPUs.patch b/source/base/kernel/retpoline-fill_RSB_on_context_switch_for_affected_CPUs.patch
new file mode 100644
index 0000000..8f402eb
--- /dev/null
+++ b/source/base/kernel/retpoline-fill_RSB_on_context_switch_for_affected_CPUs.patch
@@ -0,0 +1,175 @@
+From c995efd5a740d9cbafbf58bde4973e8b50b4d761 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw at amazon.co.uk>
+Date: Fri, 12 Jan 2018 17:49:25 +0000
+Subject: x86/retpoline: Fill RSB on context switch for affected CPUs
+
+On context switch from a shallow call stack to a deeper one, as the CPU
+does 'ret' up the deeper side it may encounter RSB entries (predictions for
+where the 'ret' goes to) which were populated in userspace.
+
+This is problematic if neither SMEP nor KPTI (the latter of which marks
+userspace pages as NX for the kernel) are active, as malicious code in
+userspace may then be executed speculatively.
+
+Overwrite the CPU's return prediction stack with calls which are predicted
+to return to an infinite loop, to "capture" speculation if this
+happens. This is required both for retpoline, and also in conjunction with
+IBRS for !SMEP && !KPTI.
+
+On Skylake+ the problem is slightly different, and an *underflow* of the
+RSB may cause errant branch predictions to occur. So there it's not so much
+overwrite, as *filling* the RSB to attempt to prevent it getting
+empty. This is only a partial solution for Skylake+ since there are many
+other conditions which may result in the RSB becoming empty. The full
+solution on Skylake+ is to use IBRS, which will prevent the problem even
+when the RSB becomes empty. With IBRS, the RSB-stuffing will not be
+required on context switch.
+
+[ tglx: Added missing vendor check and slighty massaged comments and
+  	changelog ]
+
+Signed-off-by: David Woodhouse <dwmw at amazon.co.uk>
+Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+Acked-by: Arjan van de Ven <arjan at linux.intel.com>
+Cc: gnomes at lxorguk.ukuu.org.uk
+Cc: Rik van Riel <riel at redhat.com>
+Cc: Andi Kleen <ak at linux.intel.com>
+Cc: Josh Poimboeuf <jpoimboe at redhat.com>
+Cc: thomas.lendacky at amd.com
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Jiri Kosina <jikos at kernel.org>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Cc: Dave Hansen <dave.hansen at intel.com>
+Cc: Kees Cook <keescook at google.com>
+Cc: Tim Chen <tim.c.chen at linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh at linux-foundation.org>
+Cc: Paul Turner <pjt at google.com>
+Link: https://lkml.kernel.org/r/1515779365-9032-1-git-send-email-dwmw@amazon.co.uk
+---
+ arch/x86/entry/entry_32.S          | 11 +++++++++++
+ arch/x86/entry/entry_64.S          | 11 +++++++++++
+ arch/x86/include/asm/cpufeatures.h |  1 +
+ arch/x86/kernel/cpu/bugs.c         | 36 ++++++++++++++++++++++++++++++++++++
+ 4 files changed, 59 insertions(+)
+
+diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
+index a1f28a5..60c4c34 100644
+--- a/arch/x86/entry/entry_32.S
++++ b/arch/x86/entry/entry_32.S
+@@ -244,6 +244,17 @@ ENTRY(__switch_to_asm)
+ 	movl	%ebx, PER_CPU_VAR(stack_canary)+stack_canary_offset
+ #endif
+
++#ifdef CONFIG_RETPOLINE
++	/*
++	 * When switching from a shallower to a deeper call stack
++	 * the RSB may either underflow or use entries populated
++	 * with userspace addresses. On CPUs where those concerns
++	 * exist, overwrite the RSB with entries which capture
++	 * speculative execution to prevent attack.
++	 */
++	FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
++#endif
++
+ 	/* restore callee-saved registers */
+ 	popl	%esi
+ 	popl	%edi
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index 59874bc..d54a0ed 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -487,6 +487,17 @@ ENTRY(__switch_to_asm)
+ 	movq	%rbx, PER_CPU_VAR(irq_stack_union)+stack_canary_offset
+ #endif
+
++#ifdef CONFIG_RETPOLINE
++	/*
++	 * When switching from a shallower to a deeper call stack
++	 * the RSB may either underflow or use entries populated
++	 * with userspace addresses. On CPUs where those concerns
++	 * exist, overwrite the RSB with entries which capture
++	 * speculative execution to prevent attack.
++	 */
++	FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
++#endif
++
+ 	/* restore callee-saved registers */
+ 	popq	%r15
+ 	popq	%r14
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
+index f275447..aa09559 100644
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -211,6 +211,7 @@
+ #define X86_FEATURE_AVX512_4FMAPS	( 7*32+17) /* AVX-512 Multiply Accumulation Single precision */
+
+ #define X86_FEATURE_MBA			( 7*32+18) /* Memory Bandwidth Allocation */
++#define X86_FEATURE_RSB_CTXSW		( 7*32+19) /* Fill RSB on context switches */
+
+ /* Virtualization flags: Linux defined, word 8 */
+ #define X86_FEATURE_TPR_SHADOW		( 8*32+ 0) /* Intel TPR Shadow */
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index e4dc261..390b3dc 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -23,6 +23,7 @@
+ #include <asm/alternative.h>
+ #include <asm/pgtable.h>
+ #include <asm/set_memory.h>
++#include <asm/intel-family.h>
+
+ static void __init spectre_v2_select_mitigation(void);
+
+@@ -155,6 +156,23 @@ disable:
+ 	return SPECTRE_V2_CMD_NONE;
+ }
+
++/* Check for Skylake-like CPUs (for RSB handling) */
++static bool __init is_skylake_era(void)
++{
++	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
++	    boot_cpu_data.x86 == 6) {
++		switch (boot_cpu_data.x86_model) {
++		case INTEL_FAM6_SKYLAKE_MOBILE:
++		case INTEL_FAM6_SKYLAKE_DESKTOP:
++		case INTEL_FAM6_SKYLAKE_X:
++		case INTEL_FAM6_KABYLAKE_MOBILE:
++		case INTEL_FAM6_KABYLAKE_DESKTOP:
++			return true;
++		}
++	}
++	return false;
++}
++
+ static void __init spectre_v2_select_mitigation(void)
+ {
+ 	enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
+@@ -213,6 +231,24 @@ retpoline_auto:
+
+ 	spectre_v2_enabled = mode;
+ 	pr_info("%s\n", spectre_v2_strings[mode]);
++
++	/*
++	 * If neither SMEP or KPTI are available, there is a risk of
++	 * hitting userspace addresses in the RSB after a context switch
++	 * from a shallow call stack to a deeper one. To prevent this fill
++	 * the entire RSB, even when using IBRS.
++	 *
++	 * Skylake era CPUs have a separate issue with *underflow* of the
++	 * RSB, when they will predict 'ret' targets from the generic BTB.
++	 * The proper mitigation for this is IBRS. If IBRS is not supported
++	 * or deactivated in favour of retpolines the RSB fill on context
++	 * switch is required.
++	 */
++	if ((!boot_cpu_has(X86_FEATURE_PTI) &&
++	     !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {
++		setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
++		pr_info("Filling RSB on context switch\n");
++	}
+ }
+
+ #undef pr_fmt
+--
+cgit v1.1
+
diff --git a/source/base/kernel/retpoline_add_LFENCE_to_the_retpoline_filling_RSB_macros.patch b/source/base/kernel/retpoline_add_LFENCE_to_the_retpoline_filling_RSB_macros.patch
new file mode 100644
index 0000000..d930100
--- /dev/null
+++ b/source/base/kernel/retpoline_add_LFENCE_to_the_retpoline_filling_RSB_macros.patch
@@ -0,0 +1,90 @@
+From 28d437d550e1e39f805d99f9f8ac399c778827b7 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky at amd.com>
+Date: Sat, 13 Jan 2018 17:27:30 -0600
+Subject: x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
+
+The PAUSE instruction is currently used in the retpoline and RSB filling
+macros as a speculation trap.  The use of PAUSE was originally suggested
+because it showed a very, very small difference in the amount of
+cycles/time used to execute the retpoline as compared to LFENCE.  On AMD,
+the PAUSE instruction is not a serializing instruction, so the pause/jmp
+loop will use excess power as it is speculated over waiting for return
+to mispredict to the correct target.
+
+The RSB filling macro is applicable to AMD, and, if software is unable to
+verify that LFENCE is serializing on AMD (possible when running under a
+hypervisor), the generic retpoline support will be used and, so, is also
+applicable to AMD.  Keep the current usage of PAUSE for Intel, but add an
+LFENCE instruction to the speculation trap for AMD.
+
+The same sequence has been adopted by GCC for the GCC generated retpolines.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky at amd.com>
+Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+Reviewed-by: Borislav Petkov <bp at alien8.de>
+Acked-by: David Woodhouse <dwmw at amazon.co.uk>
+Acked-by: Arjan van de Ven <arjan at linux.intel.com>
+Cc: Rik van Riel <riel at redhat.com>
+Cc: Andi Kleen <ak at linux.intel.com>
+Cc: Paul Turner <pjt at google.com>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Tim Chen <tim.c.chen at linux.intel.com>
+Cc: Jiri Kosina <jikos at kernel.org>
+Cc: Dave Hansen <dave.hansen at intel.com>
+Cc: Andy Lutomirski <luto at kernel.org>
+Cc: Josh Poimboeuf <jpoimboe at redhat.com>
+Cc: Dan Williams <dan.j.williams at intel.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Greg Kroah-Hartman <gregkh at linux-foundation.org>
+Cc: Kees Cook <keescook at google.com>
+Link: https://lkml.kernel.org/r/20180113232730.31060.36287.stgit@tlendack-t1.amdoffice.net
+---
+ arch/x86/include/asm/nospec-branch.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
+index 402a11c..7b45d84 100644
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -11,7 +11,7 @@
+  * Fill the CPU return stack buffer.
+  *
+  * Each entry in the RSB, if used for a speculative 'ret', contains an
+- * infinite 'pause; jmp' loop to capture speculative execution.
++ * infinite 'pause; lfence; jmp' loop to capture speculative execution.
+  *
+  * This is required in various cases for retpoline and IBRS-based
+  * mitigations for the Spectre variant 2 vulnerability. Sometimes to
+@@ -38,11 +38,13 @@
+ 	call	772f;				\
+ 773:	/* speculation trap */			\
+ 	pause;					\
++	lfence;					\
+ 	jmp	773b;				\
+ 772:						\
+ 	call	774f;				\
+ 775:	/* speculation trap */			\
+ 	pause;					\
++	lfence;					\
+ 	jmp	775b;				\
+ 774:						\
+ 	dec	reg;				\
+@@ -73,6 +75,7 @@
+ 	call	.Ldo_rop_\@
+ .Lspec_trap_\@:
+ 	pause
++	lfence
+ 	jmp	.Lspec_trap_\@
+ .Ldo_rop_\@:
+ 	mov	\reg, (%_ASM_SP)
+@@ -165,6 +168,7 @@
+ 	"       .align 16\n"					\
+ 	"901:	call   903f;\n"					\
+ 	"902:	pause;\n"					\
++	"    	lfence;\n"					\
+ 	"       jmp    902b;\n"					\
+ 	"       .align 16\n"					\
+ 	"903:	addl   $4, %%esp;\n"				\
+--
+cgit v1.1
+

