Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp195042yba;
        Mon, 20 May 2019 07:13:38 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxeHUFykrgmH53j4BLqWd7cqpmK1wJ/iL2/n5t+6BADnnRNqpVHncRJS+0NrdEHgR9YelMb
X-Received: by 2002:a65:624f:: with SMTP id q15mr75876613pgv.436.1558361617919;
        Mon, 20 May 2019 07:13:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558361617; cv=none;
        d=google.com; s=arc-20160816;
        b=Dfg/o+pM9OSwIf3pvH9MLHtJf5at4COd2gp/UURo4AeUo/SI3fB4CCpjjX9lszJN1e
         3PhAWua9xZirX8/Qtha9Rxj4TEQAc2cy7cFm6lb7opy96X+dk7NZZ18cOEm8TGSQ10Fj
         +lJXvKShr6TcOq6ZKwOEwZqsFQQtZ3QaVGAqCeZBKgBea/T4ryiEzobo2cAmcwHYw5dG
         4dc2uvW6KLTZxfuBBfZJwIRCFVPwjtj4Bxz6Cwwr5WRfkz1fQ3II5Gr3JjsgjkLLkfT9
         9/Ii2Pqd2cH83L0euQ0tcgaUfaSarUEUCgF4ecBSA/6Ou3F7uKtnyjZBiAI1AoIMQY+F
         Ra1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=8NgyReSLpbVPU/QjACev8PQrpDlF6U3CRNqJHeFqJes=;
        b=nwrhrarphgvlj0ErPSY4meHgtHhm9Nn3BYXw70ZhqdfWfixFLWa8ak0eZa9SG8yaWT
         7+4arXEQ05qkrvCm6r0UFJM4+sVE4kHrCdNoQ98Yp+OW4XY8J+AvnW43q5Fwx0L1A3Gj
         mcjfJqitfIM+l9/e1BcciHKdIgEM4U+2pGQZbS6tZUce37oP/N6ybwPNxl1qfDesOWFh
         Ex2k6SyUb/WSgMP6kzWGK9DzRh9CgXKL7b/lcolcQBHrcL6cjdT8fxN8Y7H5xIUbg9X0
         DbAZfy3U62GrISc/FrS7/KYEhlWaWPLnc2UsENhimZlHsAt04DEI/XdbaZmC8R8NV63X
         6vdA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=JOfEv6Wa;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y37si18290280pgl.71.2019.05.20.07.13.18;
        Mon, 20 May 2019 07:13:37 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=JOfEv6Wa;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730362AbfETMQz (ORCPT <rfc822;hackukernel@gmail.com>
        + 99 others); Mon, 20 May 2019 08:16:55 -0400
Received: from mail.kernel.org ([198.145.29.99]:57640 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2387403AbfETMQw (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 20 May 2019 08:16:52 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 32CCF20656;
        Mon, 20 May 2019 12:16:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1558354611;
        bh=hcCWdm8G1C81OZqG9T6IE40vqZ2g7WBEfGBUW8Mt+Bg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=JOfEv6Wa1kpp2SMlrUuGJZm8LPC8k3BH9Fvviu+Id9RO7G0OxPhiyErgaoenHjN2E
         E4E4fPx669yvhKGH0zdrUihDgl3uZVZr6EU4zr6Jwu+mda06dxnpiObgBMMI6hJ8Hn
         6ktlpgwXQUr9OkNAP/53dqBDLAX2AwbaQWXDmIOU=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Andy Lutomirski <luto@kernel.org>,
        Borislav Petkov <bp@suse.de>,
        Frederic Weisbecker <frederic@kernel.org>,
        Jon Masters <jcm@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.9 05/44] x86/speculation/mds: Improve CPU buffer clear documentation
Date:   Mon, 20 May 2019 14:13:54 +0200
Message-Id: <20190520115231.555191031@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190520115230.720347034@linuxfoundation.org>
References: <20190520115230.720347034@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Andy Lutomirski <luto@kernel.org>

commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream.

On x86_64, all returns to usermode go through
prepare_exit_to_usermode(), with the sole exception of do_nmi().
This even includes machine checks -- this was added several years
ago to support MCE recovery.  Update the documentation.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/x86/mds.rst |   39 +++++++--------------------------------
 1 file changed, 7 insertions(+), 32 deletions(-)

--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -142,38 +142,13 @@ Mitigation points
    mds_user_clear.
 
    The mitigation is invoked in prepare_exit_to_usermode() which covers
-   most of the kernel to user space transitions. There are a few exceptions
-   which are not invoking prepare_exit_to_usermode() on return to user
-   space. These exceptions use the paranoid exit code.
-
-   - Non Maskable Interrupt (NMI):
-
-     Access to sensible data like keys, credentials in the NMI context is
-     mostly theoretical: The CPU can do prefetching or execute a
-     misspeculated code path and thereby fetching data which might end up
-     leaking through a buffer.
-
-     But for mounting other attacks the kernel stack address of the task is
-     already valuable information. So in full mitigation mode, the NMI is
-     mitigated on the return from do_nmi() to provide almost complete
-     coverage.
-
-   - Machine Check Exception (#MC):
-
-     Another corner case is a #MC which hits between the CPU buffer clear
-     invocation and the actual return to user. As this still is in kernel
-     space it takes the paranoid exit path which does not clear the CPU
-     buffers. So the #MC handler repopulates the buffers to some
-     extent. Machine checks are not reliably controllable and the window is
-     extremly small so mitigation would just tick a checkbox that this
-     theoretical corner case is covered. To keep the amount of special
-     cases small, ignore #MC.
-
-   - Debug Exception (#DB):
-
-     This takes the paranoid exit path only when the INT1 breakpoint is in
-     kernel space. #DB on a user space address takes the regular exit path,
-     so no extra mitigation required.
+   all but one of the kernel to user space transitions.  The exception
+   is when we return from a Non Maskable Interrupt (NMI), which is
+   handled directly in do_nmi().
+
+   (The reason that NMI is special is that prepare_exit_to_usermode() can
+    enable IRQs.  In NMI context, NMIs are blocked, and we don't want to
+    enable IRQs with NMIs blocked.)
 
 
 2. C-State transition