Commits on May 22, 2018
  1. fix merge conflict

    pfactum committed May 22, 2018
  2. Linux 4.16.11

    gregkh committed May 22, 2018
  3. bpf: Prevent memory disambiguation attack

    Alexei Starovoitov authored and gregkh committed May 15, 2018
    commit af86ca4e3088fe5eacf2f7e58c01fa68ca067672 upstream
    
    Detect code patterns where malicious 'speculative store bypass' can be used
    and sanitize such patterns.
    
     39: (bf) r3 = r10
     40: (07) r3 += -216
     41: (79) r8 = *(u64 *)(r7 +0)   // slow read
     42: (7a) *(u64 *)(r10 -72) = 0  // verifier inserts this instruction
     43: (7b) *(u64 *)(r8 +0) = r3   // this store becomes slow due to r8
     44: (79) r1 = *(u64 *)(r6 +0)   // cpu speculatively executes this load
     45: (71) r2 = *(u8 *)(r1 +0)    // speculatively arbitrary 'load byte'
                                     // is now sanitized
    
    Above code after x86 JIT becomes:
     e5: mov    %rbp,%rdx
     e8: add    $0xffffffffffffff28,%rdx
     ef: mov    0x0(%r13),%r14
     f3: movq   $0x0,-0x48(%rbp)
     fb: mov    %rdx,0x0(%r14)
     ff: mov    0x0(%rbx),%rdi
    103: movzbq 0x0(%rdi),%rsi
    
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  4. x86/bugs: Rename SSBD_NO to SSB_NO

    Konrad Rzeszutek Wilk authored and gregkh committed May 17, 2018
    commit 240da953fcc6a9008c92fae5b1f727ee5ed167ab upstream
    
    The "336996 Speculative Execution Side Channel Mitigations" from
    May defines this as SSB_NO, hence let's sync up.
    
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  5. KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD

    Tom Lendacky authored and gregkh committed May 10, 2018
    commit bc226f07dcd3c9ef0b7f6236fe356ea4a9cb4769 upstream
    
    Expose the new virtualized architectural mechanism, VIRT_SSBD, for using
    speculative store bypass disable (SSBD) under SVM.  This will allow guests
    to use SSBD on hardware that uses non-architectural mechanisms for enabling
    SSBD.
    
    [ tglx: Folded the migration fixup from Paolo Bonzini ]
    
    Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  6. x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG

    Thomas Gleixner authored and gregkh committed May 10, 2018
    commit 47c61b3955cf712cadfc25635bf9bc174af030ea upstream
    
    Add the necessary logic for supporting the emulated VIRT_SPEC_CTRL MSR to
    x86_virt_spec_ctrl().  If either X86_FEATURE_LS_CFG_SSBD or
    X86_FEATURE_VIRT_SPEC_CTRL is set then use the new guest_virt_spec_ctrl
    argument to check whether the state must be modified on the host. The
    update reuses speculative_store_bypass_update() so the ZEN-specific sibling
    coordination can be reused.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  7. x86/bugs: Rework spec_ctrl base and mask logic

    Thomas Gleixner authored and gregkh committed May 12, 2018
    commit be6fcb5478e95bb1c91f489121238deb3abca46a upstream
    
    x86_spec_ctrl_mask is intended to mask out bits from a MSR_SPEC_CTRL value
    which are not to be modified. However the implementation is not really used
    and the bitmask was inverted to make a check easier, which was removed in
    "x86/bugs: Remove x86_spec_ctrl_set()".
    
    Aside of that it is missing the STIBP bit if it is supported by the
    platform, so if the mask would be used in x86_virt_spec_ctrl() then it
    would prevent a guest from setting STIBP.
    
    Add the STIBP bit if supported and use the mask in x86_virt_spec_ctrl() to
    sanitize the value which is supplied by the guest.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  8. x86/bugs: Remove x86_spec_ctrl_set()

    Thomas Gleixner authored and gregkh committed May 12, 2018
    commit 4b59bdb569453a60b752b274ca61f009e37f4dae upstream
    
    x86_spec_ctrl_set() is only used in bugs.c and the extra mask checks there
    provide no real value as both call sites can just write x86_spec_ctrl_base
    to MSR_SPEC_CTRL. x86_spec_ctrl_base is valid and does not need any extra
    masking or checking.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  9. x86/bugs: Expose x86_spec_ctrl_base directly

    Thomas Gleixner authored and gregkh committed May 12, 2018
    commit fa8ac4988249c38476f6ad678a4848a736373403 upstream
    
    x86_spec_ctrl_base is the system wide default value for the SPEC_CTRL MSR.
    x86_spec_ctrl_get_default() returns x86_spec_ctrl_base and was intended to
    prevent modification to that variable. Though the variable is read only
    after init and globally visible already.
    
    Remove the function and export the variable instead.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  10. x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}

    Borislav Petkov authored and gregkh committed May 11, 2018
    commit cc69b34989210f067b2c51d5539b5f96ebcc3a01 upstream
    
    Function bodies are very similar and are going to grow more almost
    identical code. Add a bool arg to determine whether SPEC_CTRL is being set
    for the guest or restored to the host.
    
    No functional changes.
    
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  11. x86/speculation: Rework speculative_store_bypass_update()

    Thomas Gleixner authored and gregkh committed May 10, 2018
    commit 0270be3e34efb05a88bc4c422572ece038ef3608 upstream
    
    The upcoming support for the virtual SPEC_CTRL MSR on AMD needs to reuse
    speculative_store_bypass_update() to avoid code duplication. Add an
    argument for supplying a thread info (TIF) value and create a wrapper
    speculative_store_bypass_update_current() which is used at the existing
    call site.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  12. x86/speculation: Add virtualized speculative store bypass disable support

    Tom Lendacky authored and gregkh committed May 17, 2018
    commit 11fb0683493b2da112cd64c9dada221b52463bf7 upstream
    
    Some AMD processors only support a non-architectural means of enabling
    speculative store bypass disable (SSBD).  To allow a simplified view of
    this to a guest, an architectural definition has been created through a new
    CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f.  With this, a
    hypervisor can virtualize the existence of this definition and provide an
    architectural method for using SSBD to a guest.
    
    Add the new CPUID feature, the new MSR and update the existing SSBD
    support to use this MSR when present.
    
    Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  13. x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL

    Thomas Gleixner authored and gregkh committed May 9, 2018
    commit ccbcd2674472a978b48c91c1fbfb66c0ff959f24 upstream
    
    AMD is proposing a VIRT_SPEC_CTRL MSR to handle the Speculative Store
    Bypass Disable via MSR_AMD64_LS_CFG so that guests do not have to care
    about the bit position of the SSBD bit and thus facilitate migration.
    Also, the sibling coordination on Family 17H CPUs can only be done on
    the host.
    
    Extend x86_spec_ctrl_set_guest() and x86_spec_ctrl_restore_host() with an
    extra argument for the VIRT_SPEC_CTRL MSR.
    
    Hand in 0 from VMX and in SVM add a new virt_spec_ctrl member to the CPU
    data structure which is going to be used in later patches for the actual
    implementation.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  14. x86/speculation: Handle HT correctly on AMD

    Thomas Gleixner authored and gregkh committed May 9, 2018
    commit 1f50ddb4f4189243c05926b842dc1a0332195f31 upstream
    
    The AMD64_LS_CFG MSR is a per core MSR on Family 17H CPUs. That means when
    hyperthreading is enabled the SSBD bit toggle needs to take both cores into
    account. Otherwise the following situation can happen:
    
    CPU0		CPU1
    
    disable SSB
    		disable SSB
    		enable  SSB <- Enables it for the Core, i.e. for CPU0 as well
    
    So after the SSB enable on CPU1 the task on CPU0 runs with SSB enabled
    again.
    
    On Intel the SSBD control is per core as well, but the synchronization
    logic is implemented behind the per thread SPEC_CTRL MSR. It works like
    this:
    
      CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL
    
    i.e. if one of the threads enables a mitigation then this affects both and
    the mitigation is only disabled in the core when both threads disabled it.
    
    Add the necessary synchronization logic for AMD family 17H. Unfortunately
    that requires a spinlock to serialize the access to the MSR, but the locks
    are only shared between siblings.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
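
The CPU0/CPU1 sequence from the commit message above, replayed against a small user-space model. This is an added example, not the kernel's code: the struct and function names and the bit position are hypothetical, and a C11 `atomic_flag` stands in for the spinlock shared between siblings.

```c
/* User-space model of the sibling coordination described in the commit
 * message above. Not kernel code: names and the bit position are
 * hypothetical, and a C11 atomic_flag stands in for the spinlock. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_SSBD_BIT (1ULL << 10)   /* constructed bit position */

struct core_model {
    atomic_flag lock;        /* shared only between the two siblings */
    unsigned disable_count;  /* siblings that currently want SSB disabled */
    uint64_t ls_cfg;         /* stands in for the per-core MSR */
};

struct thread_model {
    struct core_model *core;
    bool ssb_disabled;       /* this sibling's own request */
};

/* Naive toggle: every sibling writes the shared per-core value directly. */
static void naive_set(struct thread_model *t, bool disable_ssb)
{
    t->ssb_disabled = disable_ssb;
    if (disable_ssb)
        t->core->ls_cfg |= MODEL_SSBD_BIT;
    else
        t->core->ls_cfg &= ~MODEL_SSBD_BIT;
}

/* Coordinated toggle: set the bit on the first request, clear it only
 * when the last sibling drops its request. */
static void coordinated_set(struct thread_model *t, bool disable_ssb)
{
    struct core_model *c = t->core;

    while (atomic_flag_test_and_set_explicit(&c->lock, memory_order_acquire))
        ;  /* spin until the sibling releases the lock */
    if (t->ssb_disabled != disable_ssb) {
        t->ssb_disabled = disable_ssb;
        if (disable_ssb) {
            if (c->disable_count++ == 0)
                c->ls_cfg |= MODEL_SSBD_BIT;
        } else if (--c->disable_count == 0) {
            c->ls_cfg &= ~MODEL_SSBD_BIT;
        }
    }
    atomic_flag_clear_explicit(&c->lock, memory_order_release);
}

/* Replays the CPU0/CPU1 sequence from the commit message and reports
 * whether CPU0, which never re-enabled SSB, is still protected. */
static bool cpu0_still_protected(bool coordinated)
{
    struct core_model core = { .lock = ATOMIC_FLAG_INIT };
    struct thread_model cpu0 = { &core, false }, cpu1 = { &core, false };
    void (*set)(struct thread_model *, bool) =
        coordinated ? coordinated_set : naive_set;

    set(&cpu0, true);   /* CPU0: disable SSB */
    set(&cpu1, true);   /* CPU1: disable SSB */
    set(&cpu1, false);  /* CPU1: enable SSB  */
    return cpu0.ssb_disabled && (core.ls_cfg & MODEL_SSBD_BIT) != 0;
}

int main(void)
{
    printf("naive:       CPU0 protected = %d\n", cpu0_still_protected(false));
    printf("coordinated: CPU0 protected = %d\n", cpu0_still_protected(true));
    return 0;
}
```

In the coordinated variant the per-core bit is the OR of both siblings' requests, which matches the CORE_SPEC_CTRL expression the message gives for Intel.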
  15. x86/cpufeatures: Add FEATURE_ZEN

    Thomas Gleixner authored and gregkh committed May 10, 2018
    commit d1035d971829dcf80e8686ccde26f94b0a069472 upstream
    
    Add a ZEN feature bit so family-dependent static_cpu_has() optimizations
    can be built for ZEN.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  16. x86/cpufeatures: Disentangle SSBD enumeration

    Thomas Gleixner authored and gregkh committed May 10, 2018
    commit 52817587e706686fcdb27f14c1b000c92f266c96 upstream
    
    The SSBD enumeration is similarly to the other bits magically shared
    between Intel and AMD though the mechanisms are different.
    
    Make X86_FEATURE_SSBD synthetic and set it depending on the vendor specific
    features or family dependent setup.
    
    Change the Intel bit to X86_FEATURE_SPEC_CTRL_SSBD to denote that SSBD is
    controlled via MSR_SPEC_CTRL and fix up the usage sites.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  17. x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS

    Thomas Gleixner authored and gregkh committed May 10, 2018
    commit 7eb8956a7fec3c1f0abc2a5517dada99ccc8a961 upstream
    
    The availability of the SPEC_CTRL MSR is enumerated by a CPUID bit on
    Intel and implied by IBRS or STIBP support on AMD. That's just confusing
    and in case an AMD CPU has IBRS not supported because the underlying
    problem has been fixed but has another bit valid in the SPEC_CTRL MSR,
    the thing falls apart.
    
    Add a synthetic feature bit X86_FEATURE_MSR_SPEC_CTRL to denote the
    availability on both Intel and AMD.
    
    While at it replace the boot_cpu_has() checks with static_cpu_has() where
    possible. This prevents late microcode loading from exposing SPEC_CTRL, but
    late loading is already very limited as it does not reevaluate the
    mitigation options and other bits and pieces. Having static_cpu_has() is
    the simplest and least fragile solution.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  18. x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP

    Borislav Petkov authored and gregkh committed May 2, 2018
    commit e7c587da125291db39ddf1f49b18e5970adbac17 upstream
    
    Intel and AMD have different CPUID bits hence for those use synthetic bits
    which get set on the respective vendor's in init_speculation_control(). So
    that debacles like what the commit message of
    
      c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload")
    
    talks about don't happen anymore.
    
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Tested-by: Jörg Otte <jrg.otte@gmail.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
    Link: https://lkml.kernel.org/r/20180504161815.GG9257@pd.tnic
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  19. KVM: SVM: Move spec control call after restore of GS

    Thomas Gleixner authored and gregkh committed May 11, 2018
    commit 15e6c22fd8e5a42c5ed6d487b7c9fe44c2517765 upstream
    
    svm_vcpu_run() invokes x86_spec_ctrl_restore_host() after VMEXIT, but
    before the host GS is restored. x86_spec_ctrl_restore_host() uses 'current'
    to determine the host SSBD state of the thread. 'current' is GS based, but
    host GS is not yet restored and the access causes a triple fault.
    
    Move the call after the host GS restore.
    
    Fixes: 885f82bfbc6f x86/process: Allow runtime control of Speculative Store Bypass
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Acked-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  20. x86/cpu: Make alternative_msr_write work for 32-bit code

    Jim Mattson authored and gregkh committed May 13, 2018
    commit 5f2b745f5e1304f438f9b2cd03ebc8120b6e0d3b upstream
    
    Cast val and (val >> 32) to (u32), so that they fit in a
    general-purpose register in both 32-bit and 64-bit code.
    
    [ tglx: Made it u32 instead of uintptr_t ]
    
    Fixes: c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload")
    Signed-off-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  21. x86/bugs: Fix the parameters alignment and missing void

    Konrad Rzeszutek Wilk authored and gregkh committed May 11, 2018
    commit ffed645e3be0e32f8e9ab068d257aee8d0fe8eec upstream
    
    Fixes: 7bb4d366c ("x86/bugs: Make cpu_show_common() static")
    Fixes: 24f7fc83b ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation")
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  22. x86/bugs: Make cpu_show_common() static

    Jiri Kosina authored and gregkh committed May 10, 2018
    commit 7bb4d366cba992904bffa4820d24e70a3de93e76 upstream
    
    cpu_show_common() is not used outside of arch/x86/kernel/cpu/bugs.c, so
    make it static.
    
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  23. x86/bugs: Fix __ssb_select_mitigation() return type

    Jiri Kosina authored and gregkh committed May 10, 2018
    commit d66d8ff3d21667b41eddbe86b35ab411e40d8c5f upstream
    
    __ssb_select_mitigation() returns one of the members of enum ssb_mitigation,
    not ssb_mitigation_cmd; fix the prototype to reflect that.
    
    Fixes: 24f7fc83b9204 ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation")
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  24. Documentation/spec_ctrl: Do some minor cleanups

    Borislav Petkov authored and gregkh committed May 8, 2018
    commit dd0792699c4058e63c0715d9a7c2d40226fcdddc upstream
    
    Fix some typos, improve formulations, end sentences with a fullstop.
    
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  25. proc: Use underscores for SSBD in 'status'

    Konrad Rzeszutek Wilk authored and gregkh committed May 9, 2018
    commit e96f46ee8587607a828f783daa6eb5b44d25004d upstream
    
    The style for the 'status' file is CamelCase or this. _.
    
    Fixes: fae1fa0fc ("proc: Provide details on speculation flaw mitigations")
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  26. x86/bugs: Rename _RDS to _SSBD

    Konrad Rzeszutek Wilk authored and gregkh committed May 9, 2018
    commit 9f65fb29374ee37856dbad847b4e121aab72b510 upstream
    
    Intel collateral will reference the SSB mitigation bit in IA32_SPEC_CTL[2]
    as SSBD (Speculative Store Bypass Disable).
    
    Hence changing it.
    
    It is unclear yet what the MSR_IA32_ARCH_CAPABILITIES (0x10a) Bit(4) name
    is going to be. Following the rename it would be SSBD_NO but that rolls out
    to Speculative Store Bypass Disable No.
    
    Also fixed the missing space in X86_FEATURE_AMD_SSBD.
    
    [ tglx: Fixup x86_amd_rds_enable() and rds_tif_to_amd_ls_cfg() as well ]
    
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  27. x86/speculation: Make "seccomp" the default mode for Speculative Store Bypass

    kees authored and gregkh committed May 3, 2018
    commit f21b53b20c754021935ea43364dbf53778eeba32 upstream
    
    Unless explicitly opted out of, anything running under seccomp will have
    SSB mitigations enabled. Choosing the "prctl" mode will disable this.
    
    [ tglx: Adjusted it to the new arch_seccomp_spec_mitigate() mechanism ]
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  28. seccomp: Move speculation migitation control to arch code

    Thomas Gleixner authored and gregkh committed May 4, 2018
    commit 8bf37d8c067bb7eb8e7c381bdadf9bd89182b6bc upstream
    
    The mitigation control is simpler to implement in architecture code as it
    avoids the extra function call to check the mode. Aside of that having an
    explicit seccomp enabled mode in the architecture mitigations would require
    even more workarounds.
    
    Move it into architecture code and provide a weak function in the seccomp
    code. Remove the 'which' argument as this allows the architecture to decide
    which mitigations are relevant for seccomp.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  29. seccomp: Add filter flag to opt-out of SSB mitigation

    kees authored and gregkh committed May 3, 2018
    commit 00a02d0c502a06d15e07b857f8ff921e3e402675 upstream
    
    If a seccomp user is not interested in Speculative Store Bypass mitigation
    by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when
    adding filters.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  30. seccomp: Use PR_SPEC_FORCE_DISABLE

    Thomas Gleixner authored and gregkh committed May 4, 2018
    commit b849a812f7eb92e96d1c8239b06581b2cfd8b275 upstream
    
    Use PR_SPEC_FORCE_DISABLE in seccomp() because seccomp does not allow to
    widen restrictions.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  31. prctl: Add force disable speculation

    Thomas Gleixner authored and gregkh committed May 3, 2018
    commit 356e4bfff2c5489e016fdb925adbf12a1e3950ee upstream
    
    For certain use cases it is desired to enforce mitigations so they cannot
    be undone afterwards. That's important for loader stubs which want to
    prevent a child from disabling the mitigation again. Will also be used for
    seccomp(). The extra state preserving of the prctl state for SSB is a
    preparatory step for EBPF dynamic speculation control.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  32. x86/bugs: Make boot modes __ro_after_init

    kees authored and gregkh committed May 3, 2018
    commit f9544b2b076ca90d887c5ae5d74fab4c21bb7c13 upstream
    
    There's no reason for these to be changed after boot.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  33. seccomp: Enable speculation flaw mitigations

    kees authored and gregkh committed May 1, 2018
    commit 5c3070890d06ff82eecb808d02d2ca39169533ef upstream
    
    When speculation flaw mitigations are opt-in (via prctl), using seccomp
    will automatically opt-in to these protections, since using seccomp
    indicates at least some level of sandboxing is desired.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  34. proc: Provide details on speculation flaw mitigations

    kees authored and gregkh committed May 1, 2018
    commit fae1fa0fc6cca8beee3ab8ed71d54f9a78fa3f64 upstream
    
    As done with seccomp and no_new_privs, also show speculation flaw
    mitigation state in /proc/$pid/status.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  35. nospec: Allow getting/setting on non-current task

    kees authored and gregkh committed May 1, 2018
    commit 7bbf1373e228840bb0295a2ca26d548ef37f448e upstream
    
    Adjust arch_prctl_get/set_spec_ctrl() to operate on tasks other than
    current.
    
    This is needed both for /proc/$pid/status queries and for seccomp (since
    thread-syncing can trigger seccomp in non-current threads).
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
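
The prctl commits above (29 to 31 and 33 to 35) describe a per-task control whose forced setting cannot be undone. The following added example, which is not taken from these commits, applies PR_SPEC_FORCE_DISABLE to the calling task, confirms that a later PR_SPEC_ENABLE is refused, and decodes the value returned by PR_GET_SPECULATION_CTRL. The enum, struct and function names are this example's own; the fallback constants mirror the kernel's uapi `prctl.h` for builds against older headers.

```c
/* Added example, not kernel source. Constant fallbacks mirror the kernel's
 * uapi prctl.h; the enum, struct and function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#endif
#ifndef PR_SPEC_FORCE_DISABLE
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif

enum ssb_state {
    SSB_UNSUPPORTED, SSB_NOT_AFFECTED, SSB_VULNERABLE, SSB_GLOBALLY_MITIGATED,
    SSB_THREAD_VULNERABLE, SSB_THREAD_MITIGATED, SSB_THREAD_FORCE_MITIGATED
};

/* Decode the bitmask returned by PR_GET_SPECULATION_CTRL (or -1 on error). */
static enum ssb_state decode_ssb(long v)
{
    if (v < 0)
        return SSB_UNSUPPORTED;            /* prctl failed on this kernel */
    if (v == PR_SPEC_NOT_AFFECTED)
        return SSB_NOT_AFFECTED;           /* all bits clear */
    if (!(v & PR_SPEC_PRCTL))              /* no per-task control available */
        return (v & PR_SPEC_DISABLE) ? SSB_GLOBALLY_MITIGATED : SSB_VULNERABLE;
    if (v & PR_SPEC_FORCE_DISABLE)
        return SSB_THREAD_FORCE_MITIGATED;
    if (v & PR_SPEC_DISABLE)
        return SSB_THREAD_MITIGATED;
    return SSB_THREAD_VULNERABLE;
}

struct ssb_probe {
    long before, after;   /* PR_GET_SPECULATION_CTRL values */
    int force_rc;         /* result of PR_SPEC_FORCE_DISABLE */
    int reenable_rc;      /* result of the later PR_SPEC_ENABLE attempt */
    int reenable_errno;
};

/* Force-disable SSB for this task, then check that it cannot be undone. */
static struct ssb_probe force_disable_ssb(void)
{
    struct ssb_probe p = { 0 };

    p.before = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    p.force_rc = prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
                       PR_SPEC_FORCE_DISABLE, 0, 0);
    if (p.force_rc == 0) {
        /* Only probe re-enabling once the forced state is in place. */
        errno = 0;
        p.reenable_rc = prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
                              PR_SPEC_ENABLE, 0, 0);
        p.reenable_errno = errno;
    }
    p.after = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return p;
}

int main(void)
{
    struct ssb_probe p = force_disable_ssb();

    printf("before=%d after=%d force_rc=%d\n",
           decode_ssb(p.before), decode_ssb(p.after), p.force_rc);
    if (p.force_rc == 0)
        printf("re-enable rc=%d errno=%d (EPERM=%d)\n",
               p.reenable_rc, p.reenable_errno, EPERM);
    return 0;
}
```

The forced state applies to the calling task for the rest of its lifetime, so run this in a throwaway process.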