Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755027AbeAMS0E (ORCPT + 1 other); Sat, 13 Jan 2018 13:26:04 -0500 Received: from mga17.intel.com ([192.55.52.151]:44352 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754485AbeAMS0B (ORCPT ); Sat, 13 Jan 2018 13:26:01 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,354,1511856000"; d="scan'208";a="194893944" Subject: [PATCH v3 4/9] x86: implement ifence() From: Dan Williams To: linux-kernel@vger.kernel.org Cc: Mark Rutland , Tom Lendacky , linux-arch@vger.kernel.org, gregkh@linuxfoundation.org, Peter Zijlstra , Alan Cox , x86@kernel.org, Ingo Molnar , "H. Peter Anvin" , kernel-hardening@lists.openwall.com, tglx@linutronix.de, torvalds@linux-foundation.org, akpm@linux-foundation.org, Elena Reshetova , alan@linux.intel.com Date: Sat, 13 Jan 2018 10:17:46 -0800 Message-ID: <151586746590.5820.13343935159472776801.stgit@dwillia2-desk3.amr.corp.intel.com> In-Reply-To: <151586744180.5820.13215059696964205856.stgit@dwillia2-desk3.amr.corp.intel.com> References: <151586744180.5820.13215059696964205856.stgit@dwillia2-desk3.amr.corp.intel.com> User-Agent: StGit/0.17.1-9-g687f MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: The new barrier, 'ifence', ensures that speculative execution never crosses the fence. Previously the kernel only needed this fence in 'rdtsc_ordered', but now it is also proposed as a mitigation against Spectre variant1 attacks. When used it needs to be placed in the success path after a bounds check i.e.: if (x < max) { ifence(); val = array[x]; } else return -EINVAL; With this change the cpu will never issue speculative reads of 'array + x' with values of x >= max. 'ifence', via 'ifence_array_ptr', is an opt-in fallback to the default mitigation provided by '__array_ptr'. It is also proposed for blocking speculation in the 'get_user' path to bypass 'access_ok' checks. For now, just provide the common definition for later patches to build upon. Suggested-by: Peter Zijlstra Suggested-by: Alan Cox Cc: Tom Lendacky Cc: Mark Rutland Cc: Greg KH Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: x86@kernel.org Signed-off-by: Elena Reshetova Signed-off-by: Dan Williams --- arch/x86/include/asm/barrier.h | 4 ++++ arch/x86/include/asm/msr.h | 3 +-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h index 7fb336210e1b..b04f572d6d97 100644 --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -24,6 +24,10 @@ #define wmb() asm volatile("sfence" ::: "memory") #endif +/* prevent speculative execution past this barrier */ +#define ifence() alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, \ + "lfence", X86_FEATURE_LFENCE_RDTSC) + #ifdef CONFIG_X86_PPRO_FENCE #define dma_rmb() rmb() #else diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h index 07962f5f6fba..e426d2a33ff3 100644 --- a/arch/x86/include/asm/msr.h +++ b/arch/x86/include/asm/msr.h @@ -214,8 +214,7 @@ static __always_inline unsigned long long rdtsc_ordered(void) * that some other imaginary CPU is updating continuously with a * time stamp. */ - alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, - "lfence", X86_FEATURE_LFENCE_RDTSC); + ifence(); return rdtsc(); }