Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp200583yba;
        Mon, 20 May 2019 07:18:36 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxlH39cVzf0VjQgDHviuLN6fUmd+e5dopwGCsyz9/TNkTYYqq1YTZ285a/sUSW6dgvJDMmy
X-Received: by 2002:a63:2ad2:: with SMTP id q201mr73861950pgq.94.1558361916610;
        Mon, 20 May 2019 07:18:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558361916; cv=none;
        d=google.com; s=arc-20160816;
        b=BMS9U6tK9CFaj0kMfC2aM+tmkqVOl0YudgExzW6dS7Wnl1f8D5noyTw5nooAppJwc+
         O/nO5zb/M6DFukrDv4D0mpSh2b4OIiRCO3FYx603BSHKpmQuECYwjVT+kmN8D5K8FI67
         Ywtw78V3o0mCJy3daCB218Py0K/3r4FR6AXhU1B/qfmT5XcpJ/kmcvFZ21TAZazyrz69
         cYhGQihu2Wo7V97GhP1nF+h7PEUcwxrIFVdq9bHDZTYAgT6xsky+BIxOSl+71RXbms78
         f/D76ob6Xw/8RVLBlbJ3yU/TY6YrVhWAUDORRQxSqGetmwNjMyoOTU1487nA1hE7irOe
         bZtA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=8NgyReSLpbVPU/QjACev8PQrpDlF6U3CRNqJHeFqJes=;
        b=dsXPI/9U2NfV7UKiVBoonH3Q5/KXWsCFP5cAqV68V9zrJmyeuRKZgRVRmzyuoBIHa9
         Cl8HT1MT8c4zW5WvL0zElyF7uOhszFHpgBzYZizAABKxNHm9zNFTxVhIrejEb8ChkQy5
         Lyd4yc/f3pb7UmjdO/4hCLXuZ9fnmAWr14CtGlLzVZB/OTpuwN3K4+0a7WQTrbgx5Dzp
         TSVyZ35WwFPw++P/VUqYu71N3rXqKrZorJMGTRXqdEvo7c7Q1s0x1qfcTEDdYm6dQmPJ
         1wVx6HQvk5xihjqhXVoJ37NYfROrQyglAz6Ybw3vlWUuvEP/6BF8PHgDjMkyFiCUtbcF
         VfvQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=urkECL42;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 2si15418634pla.437.2019.05.20.07.18.21;
        Mon, 20 May 2019 07:18:36 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=urkECL42;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730416AbfETMSt (ORCPT <rfc822;hackukernel@gmail.com>
        + 99 others); Mon, 20 May 2019 08:18:49 -0400
Received: from mail.kernel.org ([198.145.29.99]:59876 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731299AbfETMSm (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 20 May 2019 08:18:42 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 7089D20656;
        Mon, 20 May 2019 12:18:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1558354721;
        bh=hcCWdm8G1C81OZqG9T6IE40vqZ2g7WBEfGBUW8Mt+Bg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=urkECL422r4Y8aT8YMk5jOTB+rZscDTOeW9og80Nl9/Ci4b57LVfdBNzBXyUOkji6
         XVlcbg0skPrWh3Mc13GIW/rOWBaMOmJSy3YQx9r9jj+qFqNyrHqY9/FDdWAABC8Muu
         N0a1gZFSgW70Xr1bTmx6PpOOSkPB5/GPA4LaEYrA=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Andy Lutomirski <luto@kernel.org>,
        Borislav Petkov <bp@suse.de>,
        Frederic Weisbecker <frederic@kernel.org>,
        Jon Masters <jcm@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.14 07/63] x86/speculation/mds: Improve CPU buffer clear documentation
Date:   Mon, 20 May 2019 14:13:46 +0200
Message-Id: <20190520115232.063532271@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190520115231.137981521@linuxfoundation.org>
References: <20190520115231.137981521@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Andy Lutomirski <luto@kernel.org>

commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream.

On x86_64, all returns to usermode go through
prepare_exit_to_usermode(), with the sole exception of do_nmi().
This even includes machine checks -- this was added several years
ago to support MCE recovery.  Update the documentation.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/x86/mds.rst |   39 +++++++--------------------------------
 1 file changed, 7 insertions(+), 32 deletions(-)

--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -142,38 +142,13 @@ Mitigation points
    mds_user_clear.
 
    The mitigation is invoked in prepare_exit_to_usermode() which covers
-   most of the kernel to user space transitions. There are a few exceptions
-   which are not invoking prepare_exit_to_usermode() on return to user
-   space. These exceptions use the paranoid exit code.
-
-   - Non Maskable Interrupt (NMI):
-
-     Access to sensible data like keys, credentials in the NMI context is
-     mostly theoretical: The CPU can do prefetching or execute a
-     misspeculated code path and thereby fetching data which might end up
-     leaking through a buffer.
-
-     But for mounting other attacks the kernel stack address of the task is
-     already valuable information. So in full mitigation mode, the NMI is
-     mitigated on the return from do_nmi() to provide almost complete
-     coverage.
-
-   - Machine Check Exception (#MC):
-
-     Another corner case is a #MC which hits between the CPU buffer clear
-     invocation and the actual return to user. As this still is in kernel
-     space it takes the paranoid exit path which does not clear the CPU
-     buffers. So the #MC handler repopulates the buffers to some
-     extent. Machine checks are not reliably controllable and the window is
-     extremly small so mitigation would just tick a checkbox that this
-     theoretical corner case is covered. To keep the amount of special
-     cases small, ignore #MC.
-
-   - Debug Exception (#DB):
-
-     This takes the paranoid exit path only when the INT1 breakpoint is in
-     kernel space. #DB on a user space address takes the regular exit path,
-     so no extra mitigation required.
+   all but one of the kernel to user space transitions.  The exception
+   is when we return from a Non Maskable Interrupt (NMI), which is
+   handled directly in do_nmi().
+
+   (The reason that NMI is special is that prepare_exit_to_usermode() can
+    enable IRQs.  In NMI context, NMIs are blocked, and we don't want to
+    enable IRQs with NMIs blocked.)
 
 
 2. C-State transition