Received: by 10.223.176.46 with SMTP id f43csp2696842wra;
        Mon, 22 Jan 2018 01:48:10 -0800 (PST)
X-Google-Smtp-Source: AH8x226+XWbsaORcsXEA5+WJmQCFnolvJ55QFef4XCO5OEG1IuuTavk7TanluPJtEVm4h/Phji+A
X-Received: by 10.99.166.18 with SMTP id t18mr6990647pge.42.1516614490584;
        Mon, 22 Jan 2018 01:48:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516614490; cv=none;
        d=google.com; s=arc-20160816;
        b=ozGkMi+HgEszwxegZv1uU2L/Es+mDAV9PYc9H6Stbyr1ZW7h/DTAGU6xAeGNf5rEhm
         XuU7cWRmocnbODgH5T3LKRtb53Is9ktqFHqA1muALm0ny2pZ+fhTsVxn9kBt66RrO4pK
         8J0afs5Qh2CBRwZVggpPfi5TnSgekeksH5/QDWXoE/stHI5Vap5NB5XQSZt8crubdMp2
         uWw4hLVoHoUnZosvWsYrYm9RYMWVqMF2BukD0qZlZ1Ovn0Dj2RtRJk1PamJozZMbXO8U
         dfJXNPRPUn9y9lFMeqyKpK3m3lth9EkKO6AHZtC0XwYqLFM9clIe3ftWcWg9StYPBOlU
         krvg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=dTFUDHDLPsuEFekrOqrCXJIdbHIaYi7N1fUaYRNTyeM=;
        b=mtBwLmc5hQKC6LPvi9emaQsvI6Zr0zH/QAZ1XuAwc0hnSNurWxxiblCTyCJj2DMF9s
         l3reqyX9lJHwvWdIk+/3E9hKxnhtF5Hd/9nOvXxU4QtHqZGFW9R6OS825YJq7ZEOmymn
         ajIm9tfSZDFJussjDXMflhGo+W2+bOBJJ8UdQUKRrrHl4qoI9fyXQ7MOFe/VZ3Wjf85j
         fqZDfgFwp1g9PYNQjhdFgKQPi/NJM/XihcIOntlBMgP8Ry49RgOGl7wmW5Q97omGPOAC
         /ualKUOa8OruNrs2R0dKYPxZQjkSaha90lAAqWBsWYEpYg6zYTAOesbUWd75qlO7artm
         rwSg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h3-v6si3233653pld.110.2018.01.22.01.47.56;
        Mon, 22 Jan 2018 01:48:10 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751287AbeAVIlJ (ORCPT <rfc822;austinkernel.kim@gmail.com>
        + 99 others); Mon, 22 Jan 2018 03:41:09 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:58270 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751254AbeAVIlG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 22 Jan 2018 03:41:06 -0500
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 63E14EB3;
        Mon, 22 Jan 2018 08:41:05 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, David Woodhouse <dwmw@amazon.co.uk>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@kernel.org>,
        Arjan van de Ven <arjan@linux.intel.com>,
        gnomes@lxorguk.ukuu.org.uk, Rik van Riel <riel@redhat.com>,
        Andi Kleen <ak@linux.intel.com>,
        Josh Poimboeuf <jpoimboe@redhat.com>, thomas.lendacky@amd.com,
        Peter Zijlstra <peterz@infradead.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Jiri Kosina <jikos@kernel.org>,
        Andy Lutomirski <luto@amacapital.net>,
        Dave Hansen <dave.hansen@intel.com>,
        Kees Cook <keescook@google.com>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        Paul Turner <pjt@google.com>, Razvan Ghitulete <rga@amazon.de>,
        Greg Kroah-Hartman <gregkh@linux-foundation.org>
Subject: [PATCH 4.4 13/53] x86/retpoline/entry: Convert entry assembler indirect jumps
Date:   Mon, 22 Jan 2018 09:40:05 +0100
Message-Id: <20180122083910.850243957@linuxfoundation.org>
X-Mailer: git-send-email 2.16.0
In-Reply-To: <20180122083910.299610926@linuxfoundation.org>
References: <20180122083910.299610926@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Woodhouse <dwmw@amazon.co.uk>

commit 2641f08bb7fc63a636a2b18173221d7040a3512e upstream.

Convert indirect jumps in core 32/64bit entry assembler code to use
non-speculative sequences when CONFIG_RETPOLINE is enabled.

Don't use CALL_NOSPEC in entry_SYSCALL_64_fastpath because the return
address after the 'call' instruction must be *precisely* at the
.Lentry_SYSCALL_64_after_fastpath label for stub_ptregs_64 to work,
and the use of alternatives will mess that up unless we play horrid
games to prepend with NOPs and make the variants the same length. It's
not worth it; in the case where we ALTERNATIVE out the retpoline, the
first instruction at __x86.indirect_thunk.rax is going to be a bare
jmp *%rax anyway.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: Rik van Riel <riel@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: thomas.lendacky@amd.com
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Kees Cook <keescook@google.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
Cc: Paul Turner <pjt@google.com>
Link: https://lkml.kernel.org/r/1515707194-20531-7-git-send-email-dwmw@amazon.co.uk
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Razvan Ghitulete <rga@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/entry/entry_32.S |    6 ++++--
 arch/x86/entry/entry_64.S |   14 +++++++++++++-
 2 files changed, 17 insertions(+), 3 deletions(-)

--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -44,6 +44,7 @@
 #include <asm/alternative-asm.h>
 #include <asm/asm.h>
 #include <asm/smap.h>
+#include <asm/nospec-branch.h>
 
 	.section .entry.text, "ax"
 
@@ -226,7 +227,8 @@ ENTRY(ret_from_kernel_thread)
 	pushl	$0x0202				# Reset kernel eflags
 	popfl
 	movl	PT_EBP(%esp), %eax
-	call	*PT_EBX(%esp)
+	movl	PT_EBX(%esp), %edx
+	CALL_NOSPEC %edx
 	movl	$0, PT_EAX(%esp)
 
 	/*
@@ -938,7 +940,7 @@ error_code:
 	movl	%ecx, %es
 	TRACE_IRQS_OFF
 	movl	%esp, %eax			# pt_regs pointer
-	call	*%edi
+	CALL_NOSPEC %edi
 	jmp	ret_from_exception
 END(page_fault)
 
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -36,6 +36,7 @@
 #include <asm/smap.h>
 #include <asm/pgtable_types.h>
 #include <asm/kaiser.h>
+#include <asm/nospec-branch.h>
 #include <linux/err.h>
 
 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
@@ -184,7 +185,13 @@ entry_SYSCALL_64_fastpath:
 #endif
 	ja	1f				/* return -ENOSYS (already in pt_regs->ax) */
 	movq	%r10, %rcx
+#ifdef CONFIG_RETPOLINE
+	movq	sys_call_table(, %rax, 8), %rax
+	call	__x86_indirect_thunk_rax
+#else
 	call	*sys_call_table(, %rax, 8)
+#endif
+
 	movq	%rax, RAX(%rsp)
 1:
 /*
@@ -276,7 +283,12 @@ tracesys_phase2:
 #endif
 	ja	1f				/* return -ENOSYS (already in pt_regs->ax) */
 	movq	%r10, %rcx			/* fixup for C */
+#ifdef CONFIG_RETPOLINE
+	movq	sys_call_table(, %rax, 8), %rax
+	call	__x86_indirect_thunk_rax
+#else
 	call	*sys_call_table(, %rax, 8)
+#endif
 	movq	%rax, RAX(%rsp)
 1:
 	/* Use IRET because user could have changed pt_regs->foo */
@@ -491,7 +503,7 @@ ENTRY(ret_from_fork)
 	 * nb: we depend on RESTORE_EXTRA_REGS above
 	 */
 	movq	%rbp, %rdi
-	call	*%rbx
+	CALL_NOSPEC %rbx
 	movl	$0, RAX(%rsp)
 	RESTORE_EXTRA_REGS
 	jmp	int_ret_from_sys_call