Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp11539ybm;
        Mon, 20 May 2019 10:59:13 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxfAV7/6oh5sujBmZFqEm3rORZa594ttLeQCWV/h8qq2ELmjeXPhBViuVQgxXQ5BGXfJ8ZR
X-Received: by 2002:a17:902:b58a:: with SMTP id a10mr47506923pls.83.1558375153083;
        Mon, 20 May 2019 10:59:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558375153; cv=none;
        d=google.com; s=arc-20160816;
        b=QWOILNTwlX3z+RJh4sNm4AHecXOe3JWAmakD3tFvgw+jmUBp/xbh21uq2TryHj4R2j
         3BzwnrYepxxv9d87EzwD57whqTQ8pUZwSTZ++o0X3IPgPcukFVNOoHNvz9fvZov4DaR4
         rP6em6Ed/oyM8r2BXU5Io0UcAqYMIQHplBtG0uB+Oz0LJCinumpveQQzoDiHHCLmEOpq
         PIUHdLAwbj6CipNfYTrPQZwBDOCv93PgdYLqp9lqj8owVzmonMeRz5tK3VOUv0J1OiYC
         hwooFsmamTNkNYsfWsdzmF/MkUrc2F3LD6HY1hzDPM+i3P+2BW/bBogshqR9ZO4Cov+l
         RxjQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=8NgyReSLpbVPU/QjACev8PQrpDlF6U3CRNqJHeFqJes=;
        b=TNMEI5A7TGSvdXTaEEHNo4W5L5qvLtRW7dprFsJEjtC+pcPDptrao7TaGj+ok7VMjA
         1MuEf+cWGDuqzT/si6VtB6ybDbCB249J1aRqpKCHBuXv/+sRIbtGOanAeenHDzDlsmgV
         Ds+dq/oZUfxSI/3SLg6UFymAPyZWrIi2TISsf3QB0ubY7uE29CU1aXR62qROBrlOa1Xd
         BxeMKKXV76Q4ZPMa/2yKAptzkM0y/KNGzSMB/5lum9ZGKPRqzQHiHF/OnrGQ/fdur4BI
         hBXE+aQ9HwPw+6wth88CjjrQM0O/aMHoi974uB0H9Pebextlw8WLxNfVaa3w2DNVRbFv
         LScw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=IZIhyJYn;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id co12si19177343plb.384.2019.05.20.10.58.58;
        Mon, 20 May 2019 10:59:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=IZIhyJYn;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2390907AbfETMuF (ORCPT <rfc822;hackukernel@gmail.com>
        + 99 others); Mon, 20 May 2019 08:50:05 -0400
Received: from mail.kernel.org ([198.145.29.99]:34696 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730404AbfETMVM (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 20 May 2019 08:21:12 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id B3A46213F2;
        Mon, 20 May 2019 12:21:10 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1558354871;
        bh=hcCWdm8G1C81OZqG9T6IE40vqZ2g7WBEfGBUW8Mt+Bg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=IZIhyJYneebqqkkR5EjA4s3UqF59ZcVwKRRqmRsqMMvDeYZ+QBlIwDfvZm9uCjxpL
         N9YWS45fsqcKCCyqwKQBC1tEA3zHzRRgQExUSDyp5UJCjbiZfV6EUF3rnuYUnDRPUS
         6lw+xd+DddGKmlA+IWXwS1rQXUrlRi8eaSNOehhs=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Andy Lutomirski <luto@kernel.org>,
        Borislav Petkov <bp@suse.de>,
        Frederic Weisbecker <frederic@kernel.org>,
        Jon Masters <jcm@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.19 003/105] x86/speculation/mds: Improve CPU buffer clear documentation
Date:   Mon, 20 May 2019 14:13:09 +0200
Message-Id: <20190520115247.289761419@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190520115247.060821231@linuxfoundation.org>
References: <20190520115247.060821231@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Andy Lutomirski <luto@kernel.org>

commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream.

On x86_64, all returns to usermode go through
prepare_exit_to_usermode(), with the sole exception of do_nmi().
This even includes machine checks -- this was added several years
ago to support MCE recovery.  Update the documentation.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/x86/mds.rst |   39 +++++++--------------------------------
 1 file changed, 7 insertions(+), 32 deletions(-)

--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -142,38 +142,13 @@ Mitigation points
    mds_user_clear.
 
    The mitigation is invoked in prepare_exit_to_usermode() which covers
-   most of the kernel to user space transitions. There are a few exceptions
-   which are not invoking prepare_exit_to_usermode() on return to user
-   space. These exceptions use the paranoid exit code.
-
-   - Non Maskable Interrupt (NMI):
-
-     Access to sensible data like keys, credentials in the NMI context is
-     mostly theoretical: The CPU can do prefetching or execute a
-     misspeculated code path and thereby fetching data which might end up
-     leaking through a buffer.
-
-     But for mounting other attacks the kernel stack address of the task is
-     already valuable information. So in full mitigation mode, the NMI is
-     mitigated on the return from do_nmi() to provide almost complete
-     coverage.
-
-   - Machine Check Exception (#MC):
-
-     Another corner case is a #MC which hits between the CPU buffer clear
-     invocation and the actual return to user. As this still is in kernel
-     space it takes the paranoid exit path which does not clear the CPU
-     buffers. So the #MC handler repopulates the buffers to some
-     extent. Machine checks are not reliably controllable and the window is
-     extremly small so mitigation would just tick a checkbox that this
-     theoretical corner case is covered. To keep the amount of special
-     cases small, ignore #MC.
-
-   - Debug Exception (#DB):
-
-     This takes the paranoid exit path only when the INT1 breakpoint is in
-     kernel space. #DB on a user space address takes the regular exit path,
-     so no extra mitigation required.
+   all but one of the kernel to user space transitions.  The exception
+   is when we return from a Non Maskable Interrupt (NMI), which is
+   handled directly in do_nmi().
+
+   (The reason that NMI is special is that prepare_exit_to_usermode() can
+    enable IRQs.  In NMI context, NMIs are blocked, and we don't want to
+    enable IRQs with NMIs blocked.)
 
 
 2. C-State transition