Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp13300139ybl;
        Sun, 29 Dec 2019 08:49:36 -0800 (PST)
X-Google-Smtp-Source: APXvYqyX/11KXHC5um4R0QbznGoBjU7og1IVp+IlACBZGH+KAKklz68B+wfRQmBBbaeFX+IUU/GC
X-Received: by 2002:a05:6830:c2:: with SMTP id x2mr57571955oto.8.1577638176621;
        Sun, 29 Dec 2019 08:49:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1577638176; cv=none;
        d=google.com; s=arc-20160816;
        b=j9QUSivCJDIbbiAQOjoEzSbgbUQWo4LlGrifRpQSSuV9iK2KWtGesjtXvQ/Bb9g9VF
         f1DSzwxDLRt/dwGRHdLvDBG6qPg9LMae+2ZG/upu9Ykhzhd8xAluMf+MKwyWyGiVgMCk
         JtJBZyiaU/aXvW2YPE6pL82oqm7nOoBIGQFg+oyxcbu8/9HJsdheROqqD5vb3DM/YAOK
         OmEGiGzq216t12fE7Ys//bj4ZJhv8w8+Z4O2NbYW/p/5Ks54sVNS2DPY1RW0d1Fk0JUb
         MflB+xAWUH/Zwe+fg1fnV8WGytf2N6gy27yJZCL2bEbRu5g8yg+CLoOp6+dCq00UdztE
         xkbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:mime-version
         :message-id:date:dkim-signature;
        bh=G2EAa5QdJG1X2s38OI2Ndje11N5B4/Yby2K/2bfNOiY=;
        b=fPjgBw6eAc0A3/fdy82xm2DruXvPlVDjd3oMlClG7+bvNLJttsygzaGbvrzfDBpRfW
         NTFQlMcTOA/oZMyuvamV1zQiSZwiGvixqMXnK0nC14MnnoYEbyTtVmUvqf8/0neaPUns
         5GX67+nlxw30SJQmpqopTMfyVFd+Jgt6uxXcznRIAU/VZaM4ClYu2jcj8J4Hbqfjh59g
         0ivnLOJ4HeKzKau44J58VjzqFbqE3QBtg86a/IOwU72vQMgMtjGta3GeXp+KjLsqWwcI
         O/4rwJela3PXuba0q+zYtU8CphG/5rSNECkHuSqDSZZXcXmJ00Y21rvUzPD640oiQEBP
         shAg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="C/H/9VQ7";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u25si19338944otg.170.2019.12.29.08.49.22;
        Sun, 29 Dec 2019 08:49:36 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="C/H/9VQ7";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726674AbfL2Qsg (ORCPT <rfc822;epopevad@gmail.com> + 99 others);
        Sun, 29 Dec 2019 11:48:36 -0500
Received: from mail-pj1-f73.google.com ([209.85.216.73]:55698 "EHLO
        mail-pj1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726602AbfL2Qsg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 29 Dec 2019 11:48:36 -0500
Received: by mail-pj1-f73.google.com with SMTP id bg6so10674521pjb.5
        for <linux-kernel@vger.kernel.org>; Sun, 29 Dec 2019 08:48:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:message-id:mime-version:subject:from:to:cc;
        bh=G2EAa5QdJG1X2s38OI2Ndje11N5B4/Yby2K/2bfNOiY=;
        b=C/H/9VQ7ZNg8f2sw+U4qk1c9SVUehLJ6VS/qlJbMff1SHVKvNqK9fn0X1FDqHYaPyj
         YcLwaaHra5lc5FoPp8EVUzqxvgSEGsk6du/2FDcyVYWPQt6J0c2y5eauTjvtP3HsO0Zh
         jzcWshUO5ji5J092ncEmstw/KfFg/njqIOdhDwxGD/bl5KI0Jx7KergLr8XWCWpX/5JI
         tOYeCCzizETf3DYZONmzaT8jSLbDb43Fhe6zsrEbVJK0xk7tkANl1z7lhzl+XypdSH+c
         y5C+5a3QwWNzVWd16X4yNdfLcRoODJ6R09L1hps3S9E70i6Vx+fKYIpPeOimE07cBx1G
         BVOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc;
        bh=G2EAa5QdJG1X2s38OI2Ndje11N5B4/Yby2K/2bfNOiY=;
        b=gocgjqtS2wpcjBUkLWnyjQgu8Zd3tNWQCDBEQ6ed3Hj3PqSMO2GKmZebA2GRGQik5E
         v358lt9UwjSjQ++/IUK15MivPz0r4ze2/xGlZTlxsAdLQfKnEZCaIDOqS3+4LJ1VJFnf
         XxcoMP4aT76OLdMr01LwrSDamvldLkahaxWTnh8ebioAJVxvGXpV372UNMhTvBey9DTv
         TFHqvI4Yf9eIfMu8zVtV0NgwKoDADWkevL51eIAz8VvKKxw90B+IcDcffhcBfzHh7F4R
         iAPXV+WhzuqQy3cjRpBMuHx+1XpimcHQXnbHUMGe8CdjtXoSdQV6n58PnyIWSVoYl1ZO
         ArzA==
X-Gm-Message-State: APjAAAW8njRx+Cm8aVQ7bDS4Z4A1TSDne1earApXJWJPMpJ7/rdUzzeQ
        Sun2xavQQqxFBDsbq8eojDCVBNoQKJzOqizvSIs4sNipR3CJkx7OkwV2n3deNuC0XI/UFvXP23D
        XnlQI6cTeHMvoUog1Pzh2P4PGk5UBw6s/ai2OCTx18TiTweEZ12z8cdHVY8rKp+CqHk2gufCUeL
        mF77PE8s9+
X-Received: by 2002:a63:4e0e:: with SMTP id c14mr66892846pgb.237.1577638115094;
 Sun, 29 Dec 2019 08:48:35 -0800 (PST)
Date:   Sun, 29 Dec 2019 08:48:30 -0800
Message-Id: <20191229164830.62144-1-asteinhauser@google.com>
Mime-Version: 1.0
X-Mailer: git-send-email 2.24.1.735.g03f4e72817-goog
Subject: [PATCH] Return ENXIO instead of EPERM when speculation control is unimplemented
From:   Anthony Steinhauser <asteinhauser@google.com>
To:     linux-kernel@vger.kernel.org
Cc:     mingo@redhat.com, bp@alien8.de, tglx@linutronix.de,
        Anthony Steinhauser <asteinhauser@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

According to the documentation, the PR_GET_SPECULATION_CTRL call should
return ENXIO when the control of the selected speculation misfeature is
not possible. EPERM should be returned only when the speculation was
disabled with PR_SPEC_FORCE_DISABLE and caller tried to enable it again.

Instead, the current implementation returns EPERM when the control of
indirect branch speculation is not possible because it is unimplemented by
the CPU. This behavior is obviously not compatible with the current
documentation. ENXIO should be returned in this case.

This change is:
1) Explicitly document that the EPERM return value applies also to cases
when the speculative behavior is forced from the boot command line and the
caller tries to change it.
2) Distinguishing between the speculation control being unimplemented and
being disabled, returning ENXIO in the first case and EPERM in the second
case.

Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
---
 Documentation/userspace-api/spec_ctrl.rst |  6 +++--
 arch/x86/include/asm/nospec-branch.h      |  3 ++-
 arch/x86/kernel/cpu/bugs.c                | 29 +++++++++++++++--------
 3 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/Documentation/userspace-api/spec_ctrl.rst b/Documentation/userspace-api/spec_ctrl.rst
index 7ddd8f667459..3ff6316207f1 100644
--- a/Documentation/userspace-api/spec_ctrl.rst
+++ b/Documentation/userspace-api/spec_ctrl.rst
@@ -83,8 +83,10 @@ ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
 ENXIO   Control of the selected speculation misfeature is not possible.
         See PR_GET_SPECULATION_CTRL.
 
-EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
-        tried to enable it again.
+EPERM   Caller tried to enable speculation when it was disabled with
+        PR_SPEC_FORCE_DISABLE or force-disabled on the boot command line.
+        Caller tried to disable speculation when it was force-enabled on
+        the boot command line.
 ======= =================================================================
 
 Speculation misfeature controls
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 5c24a7b35166..1e2caccac89e 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -220,7 +220,8 @@ enum spectre_v2_mitigation {
 
 /* The indirect branch speculation control variants */
 enum spectre_v2_user_mitigation {
-	SPECTRE_V2_USER_NONE,
+	SPECTRE_V2_USER_UNAVAILABLE,
+	SPECTRE_V2_USER_DISABLED,
 	SPECTRE_V2_USER_STRICT,
 	SPECTRE_V2_USER_STRICT_PREFERRED,
 	SPECTRE_V2_USER_PRCTL,
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 8bf64899f56a..a6556483b136 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -489,7 +489,7 @@ static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
 	SPECTRE_V2_NONE;
 
 static enum spectre_v2_user_mitigation spectre_v2_user __ro_after_init =
-	SPECTRE_V2_USER_NONE;
+	SPECTRE_V2_USER_UNAVAILABLE;
 
 #ifdef CONFIG_RETPOLINE
 static bool spectre_v2_bad_module;
@@ -540,7 +540,8 @@ enum spectre_v2_user_cmd {
 };
 
 static const char * const spectre_v2_user_strings[] = {
-	[SPECTRE_V2_USER_NONE]			= "User space: Vulnerable",
+	[SPECTRE_V2_USER_UNAVAILABLE]		= "User space: Vulnerable: STIBP unavailable",
+	[SPECTRE_V2_USER_DISABLED]		= "User space: Vulnerable: STIBP disabled",
 	[SPECTRE_V2_USER_STRICT]		= "User space: Mitigation: STIBP protection",
 	[SPECTRE_V2_USER_STRICT_PREFERRED]	= "User space: Mitigation: STIBP always-on protection",
 	[SPECTRE_V2_USER_PRCTL]			= "User space: Mitigation: STIBP via prctl",
@@ -602,7 +603,7 @@ spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd)
 static void __init
 spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
 {
-	enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
+	enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_UNAVAILABLE;
 	bool smt_possible = IS_ENABLED(CONFIG_SMP);
 	enum spectre_v2_user_cmd cmd;
 
@@ -616,6 +617,7 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
 	cmd = spectre_v2_parse_user_cmdline(v2_cmd);
 	switch (cmd) {
 	case SPECTRE_V2_USER_CMD_NONE:
+		mode = SPECTRE_V2_USER_DISABLED;
 		goto set_mode;
 	case SPECTRE_V2_USER_CMD_FORCE:
 		mode = SPECTRE_V2_USER_STRICT;
@@ -676,7 +678,7 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
 	 * mode.
 	 */
 	if (!smt_possible || !boot_cpu_has(X86_FEATURE_STIBP))
-		mode = SPECTRE_V2_USER_NONE;
+		mode = SPECTRE_V2_USER_UNAVAILABLE;
 set_mode:
 	spectre_v2_user = mode;
 	/* Only print the STIBP mode when SMT possible */
@@ -915,7 +917,8 @@ void cpu_bugs_smt_update(void)
 	mutex_lock(&spec_ctrl_mutex);
 
 	switch (spectre_v2_user) {
-	case SPECTRE_V2_USER_NONE:
+	case SPECTRE_V2_USER_DISABLED:
+	case SPECTRE_V2_USER_UNAVAILABLE:
 		break;
 	case SPECTRE_V2_USER_STRICT:
 	case SPECTRE_V2_USER_STRICT_PREFERRED:
@@ -1157,7 +1160,8 @@ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
 {
 	switch (ctrl) {
 	case PR_SPEC_ENABLE:
-		if (spectre_v2_user == SPECTRE_V2_USER_NONE)
+		if (spectre_v2_user == SPECTRE_V2_USER_UNAVAILABLE ||
+		    spectre_v2_user == SPECTRE_V2_USER_DISABLED)
 			return 0;
 		/*
 		 * Indirect branch speculation is always disabled in strict
@@ -1173,9 +1177,11 @@ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
 	case PR_SPEC_FORCE_DISABLE:
 		/*
 		 * Indirect branch speculation is always allowed when
-		 * mitigation is force disabled.
+		 * mitigation is unavailable or force disabled.
 		 */
-		if (spectre_v2_user == SPECTRE_V2_USER_NONE)
+		if (spectre_v2_user == SPECTRE_V2_USER_UNAVAILABLE)
+			return -ENXIO;
+		if (spectre_v2_user == SPECTRE_V2_USER_DISABLED)
 			return -EPERM;
 		if (spectre_v2_user == SPECTRE_V2_USER_STRICT ||
 		    spectre_v2_user == SPECTRE_V2_USER_STRICT_PREFERRED)
@@ -1241,7 +1247,8 @@ static int ib_prctl_get(struct task_struct *task)
 		return PR_SPEC_NOT_AFFECTED;
 
 	switch (spectre_v2_user) {
-	case SPECTRE_V2_USER_NONE:
+	case SPECTRE_V2_USER_UNAVAILABLE:
+	case SPECTRE_V2_USER_DISABLED:
 		return PR_SPEC_ENABLE;
 	case SPECTRE_V2_USER_PRCTL:
 	case SPECTRE_V2_USER_SECCOMP:
@@ -1495,7 +1502,9 @@ static char *stibp_state(void)
 		return "";
 
 	switch (spectre_v2_user) {
-	case SPECTRE_V2_USER_NONE:
+	case SPECTRE_V2_USER_UNAVAILABLE:
+		return ", STIBP: unavailable";
+	case SPECTRE_V2_USER_DISABLED:
 		return ", STIBP: disabled";
 	case SPECTRE_V2_USER_STRICT:
 		return ", STIBP: forced";
-- 
2.24.1.735.g03f4e72817-goog