[SRU,Trusty,PULL,v2] Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181)

Message ID 2dd022222443a00e54f58f0e2a0e5f9e78c0e6b7.1532593086.git.juergh@canonical.com
State New

Pull-request

git://git.launchpad.net/~juergh/+git/trusty-linux lp1774181-v2

Message

Juerg Haefliger July 26, 2018, 8:24 a.m.
BugLink: https://bugs.launchpad.net/bugs/1774181

Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre v1 mitigation. Add the missing patches and merge them with Ubuntu's current implementation.

== SRU Justification ==
Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset which introduced a barrier macro to prevent speculation beyond array boundaries for user controlled indices. What eventually landed in upstream is slightly different and uses a barrier macro in combination with a masking solution (plus syscall table and user pointer sanitation). During the updates to newer stable upstream versions, all those patches were skipped. After reviewing them, we want to bring them back and merge them with the current implementation which brings us back in sync with upstream stable.

== Fix ==
Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131. Where appropriate, replace Ubuntu's additional barriers with the masking macro.

== Regression Potential ==
Low. The patches have been in upstream for quite a while now and we keep the speculation barriers that are currently in Ubuntu but not in upstream.

== Test Case ==
TBD.

v1 -> v2:
  - No functional changes.
  - Pulled backports/cherry-picks from linux-stable and tagged them accordingly.
  - Squashed "UBUNTU: SAUCE: filter: Use barrier_nospec() instead of osb()" into "UBUNTU: SAUCE: Rename osb() to barrier_nospec()".
  - Added newlines before my sign-off lines to start a new section.

Signed-off-by: Juerg Haefliger <juergh@canonical.com>
---

The following changes since commit ea04a5f62ca732a3c55e712192e0a303277c209c:

  mm/mempolicy: fix use after free when calling get_mempolicy (2018-07-25 13:22:00 +0200)

are available in the Git repository at:

  git://git.launchpad.net/~juergh/+git/trusty-linux lp1774181-v2

for you to fetch changes up to 2dd022222443a00e54f58f0e2a0e5f9e78c0e6b7:

  UBUNTU: SAUCE: Rename osb() to barrier_nospec() (2018-07-26 09:46:02 +0200)

----------------------------------------------------------------
Ben Hutchings (1):
      x86/syscall: Sanitize syscall table de-references under speculation

Dan Williams (9):
      array_index_nospec: Sanitize speculative array de-references
      x86: Implement array_index_mask_nospec
      x86: Introduce barrier_nospec
      x86/get_user: Use pointer masking to limit speculation
      vfs, fdtable: Prevent bounds-check bypass via speculative execution
      nl80211: Sanitize array index in parse_txq_params
      x86/spectre: Report get_user mitigation for spectre_v1
      x86/kvm: Update spectre-v1 mitigation
      nospec: Kill array_index_nospec_mask_check()

Juerg Haefliger (2):
      UBUNTU: SAUCE: Replace osb() calls with array_index_nospec()
      UBUNTU: SAUCE: Rename osb() to barrier_nospec()

Mark Rutland (1):
      Documentation: Document array_index_nospec

Rasmus Villemoes (1):
      nospec: Allow index argument to have const-qualified type

Will Deacon (1):
      nospec: Move array_index_nospec() parameter checking into separate macro

 Documentation/speculation.txt            | 90 ++++++++++++++++++++++++++++++++
 arch/arm/include/asm/barrier.h           |  3 --
 arch/arm64/include/asm/barrier.h         |  3 --
 arch/powerpc/include/asm/barrier.h       |  3 +-
 arch/s390/include/asm/barrier.h          | 13 +++--
 arch/x86/ia32/ia32entry.S                | 36 ++++++++-----
 arch/x86/include/asm/barrier.h           | 32 ++++++++++--
 arch/x86/kernel/cpu/bugs.c               | 10 +---
 arch/x86/kernel/entry_32.S               |  4 ++
 arch/x86/kernel/entry_64.S               | 16 +++---
 arch/x86/kvm/vmx.c                       | 15 ++++--
 arch/x86/lib/getuser.S                   | 10 ++++
 drivers/media/usb/uvc/uvc_v4l2.c         |  5 +-
 drivers/net/wireless/ath/carl9170/main.c |  3 +-
 drivers/scsi/qla2xxx/qla_mr.c            |  5 +-
 fs/udf/misc.c                            | 13 ++---
 include/asm-generic/barrier.h            | 11 ----
 include/linux/fdtable.h                  |  3 +-
 include/linux/nospec.h                   | 53 +++++++++++++++++++
 kernel/user_namespace.c                  |  3 +-
 net/core/filter.c                        |  5 +-
 net/wireless/nl80211.c                   |  9 ++--
 22 files changed, 268 insertions(+), 77 deletions(-)
 create mode 100644 Documentation/speculation.txt
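
The SRU justification contrasts a speculation barrier after the bounds check with upstream's index-masking approach. The following user-space sketch is an added example, not code from this pull request or from the kernel tree; `demo_barrier_nospec`, `demo_index_mask`, `lookup_barrier` and `lookup_masked` are hypothetical names, and the sample table is constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Stand-in for a speculation barrier: lfence on x86-64, compiler barrier elsewhere. */
static inline void demo_barrier_nospec(void)
{
#if defined(__x86_64__)
	__asm__ volatile("lfence" ::: "memory");
#else
	__asm__ volatile("" ::: "memory");
#endif
}

/* All ones when index < size, zero otherwise, computed without a branch.
 * Assumes index and size <= LONG_MAX and arithmetic right shift (GCC/Clang). */
static inline unsigned long demo_index_mask(unsigned long index, unsigned long size)
{
	__asm__ volatile("" : "+r"(index)); /* hide the value from the optimizer */
	return (unsigned long)(~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1));
}

/* Barrier style: bounds check, then serialize before the dependent load. */
static int lookup_barrier(const int *table, unsigned long size, unsigned long idx, int *out)
{
	if (idx >= size)
		return -1;
	demo_barrier_nospec();
	*out = table[idx];
	return 0;
}

/* Masking style: clamp the index so a mispredicted check can only reach table[0]. */
static int lookup_masked(const int *table, unsigned long size, unsigned long idx, int *out)
{
	if (idx >= size)
		return -1;
	idx &= demo_index_mask(idx, size);
	*out = table[idx];
	return 0;
}

int main(void)
{
	const int table[4] = {10, 20, 30, 40}; /* constructed sample data */
	int v = 0, rc = lookup_masked(table, 4, 2, &v);
	printf("masked: rc=%d v=%d\n", rc, v);
	return lookup_barrier(table, 4, 9, &v) == -1 ? 0 : 1;
}
```

The masked variant leaves the architectural result unchanged for in-bounds indices and forces any out-of-bounds index to 0 through a data dependency rather than a serializing instruction.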

Comments

Stefan Bader July 26, 2018, 11:47 a.m. | #1
On 26.07.2018 10:24, Juerg Haefliger wrote:
> git://git.launchpad.net/~juergh/+git/trusty-linux lp1774181-v2
Acked-by: Stefan Bader <stefan.bader@canonical.com>

Kleber Souza July 27, 2018, 3:44 p.m. | #2
On 07/26/18 10:24, Juerg Haefliger wrote:
> BugLink: https://bugs.launchpad.net/bugs/1774181
> 
> Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre v1 mitigation. Add the missing patches and merge them with Ubuntu's current implementation.
> 
> == SRU Justification ==
> Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset which introduced a barrier macro to prevent speculation beyond array boundaries for user controlled indices. What eventually landed in upstream is slightly different and uses a barrier macro in combination with a masking solution (plus syscall table and user pointer sanitation). During the updates to newer stable upstream versions, all those patches were skipped. After reviewing them, we want to bring them back and merge them with the current implementation which brings us back in sync with upstream stable.
> 
> == Fix ==
> Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131. Where appropriate, replace Ubuntu's additional barriers with the masking macro.
> 
> == Regression Potential ==
> Low. The patches have been in upstream for quite a while now and we keep the speculation barriers that are currently in Ubuntu but not in upstream.
> 
> == Test Case ==
> TBD.
> 
> v1 -> v2:
>   - No functional changes.
>   - Pulled backports/cherry-picks from linux-stable and tagged them accordingly.
>   - Squashed "UBUNTU: SAUCE: filter: Use barrier_nospec() instead of osb()" into "UBUNTU: SAUCE: Rename osb() to barrier_nospec()".
>   - Added newlines before my sign-off lines to start a new section.
> 
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
> 
> The following changes since commit ea04a5f62ca732a3c55e712192e0a303277c209c:
> 
>   mm/mempolicy: fix use after free when calling get_mempolicy (2018-07-25 13:22:00 +0200)
> 
> are available in the Git repository at:
> 
>   git://git.launchpad.net/~juergh/+git/trusty-linux lp1774181-v2
> 
> for you to fetch changes up to 2dd022222443a00e54f58f0e2a0e5f9e78c0e6b7:
> 
>   UBUNTU: SAUCE: Rename osb() to barrier_nospec() (2018-07-26 09:46:02 +0200)
> 
> ----------------------------------------------------------------
> Ben Hutchings (1):
>       x86/syscall: Sanitize syscall table de-references under speculation
> 
> Dan Williams (9):
>       array_index_nospec: Sanitize speculative array de-references
>       x86: Implement array_index_mask_nospec
>       x86: Introduce barrier_nospec
>       x86/get_user: Use pointer masking to limit speculation
>       vfs, fdtable: Prevent bounds-check bypass via speculative execution
>       nl80211: Sanitize array index in parse_txq_params
>       x86/spectre: Report get_user mitigation for spectre_v1
>       x86/kvm: Update spectre-v1 mitigation
>       nospec: Kill array_index_nospec_mask_check()
> 
> Juerg Haefliger (2):
>       UBUNTU: SAUCE: Replace osb() calls with array_index_nospec()
>       UBUNTU: SAUCE: Rename osb() to barrier_nospec()
> 
> Mark Rutland (1):
>       Documentation: Document array_index_nospec
> 
> Rasmus Villemoes (1):
>       nospec: Allow index argument to have const-qualified type
> 
> Will Deacon (1):
>       nospec: Move array_index_nospec() parameter checking into separate macro
> 
>  Documentation/speculation.txt            | 90 ++++++++++++++++++++++++++++++++
>  arch/arm/include/asm/barrier.h           |  3 --
>  arch/arm64/include/asm/barrier.h         |  3 --
>  arch/powerpc/include/asm/barrier.h       |  3 +-
>  arch/s390/include/asm/barrier.h          | 13 +++--
>  arch/x86/ia32/ia32entry.S                | 36 ++++++++-----
>  arch/x86/include/asm/barrier.h           | 32 ++++++++++--
>  arch/x86/kernel/cpu/bugs.c               | 10 +---
>  arch/x86/kernel/entry_32.S               |  4 ++
>  arch/x86/kernel/entry_64.S               | 16 +++---
>  arch/x86/kvm/vmx.c                       | 15 ++++--
>  arch/x86/lib/getuser.S                   | 10 ++++
>  drivers/media/usb/uvc/uvc_v4l2.c         |  5 +-
>  drivers/net/wireless/ath/carl9170/main.c |  3 +-
>  drivers/scsi/qla2xxx/qla_mr.c            |  5 +-
>  fs/udf/misc.c                            | 13 ++---
>  include/asm-generic/barrier.h            | 11 ----
>  include/linux/fdtable.h                  |  3 +-
>  include/linux/nospec.h                   | 53 +++++++++++++++++++
>  kernel/user_namespace.c                  |  3 +-
>  net/core/filter.c                        |  5 +-
>  net/wireless/nl80211.c                   |  9 ++--
>  22 files changed, 268 insertions(+), 77 deletions(-)
>  create mode 100644 Documentation/speculation.txt
>

Kleber Souza July 27, 2018, 3:47 p.m. | #3
On 07/26/18 10:24, Juerg Haefliger wrote:
> BugLink: https://bugs.launchpad.net/bugs/1774181
> 
> Xenial/Trusty/Precise are currently lacking full support of upstream's Spectre v1 mitigation. Add the missing patches and merge them with Ubuntu's current implementation.
> 
> == SRU Justification ==
> Ubuntu's Spectre v1 mitigation is based on the original embargoed patchset which introduced a barrier macro to prevent speculation beyond array boundaries for user controlled indices. What eventually landed in upstream is slightly different and uses a barrier macro in combination with a masking solution (plus syscall table and user pointer sanitation). During the updates to newer stable upstream versions, all those patches were skipped. After reviewing them, we want to bring them back and merge them with the current implementation which brings us back in sync with upstream stable.
> 
> == Fix ==
> Add all the missing Spectre v1 patches from upstream stable 4.4.118 to 4.4.131. Where appropriate, replace Ubuntu's additional barriers with the masking macro.
> 
> == Regression Potential ==
> Low. The patches have been in upstream for quite a while now and we keep the speculation barriers that are currently in Ubuntu but not in upstream.
> 
> == Test Case ==
> TBD.
> 
> v1 -> v2:
>   - No functional changes.
>   - Pulled backports/cherry-picks from linux-stable and tagged them accordingly.
>   - Squashed "UBUNTU: SAUCE: filter: Use barrier_nospec() instead of osb()" into "UBUNTU: SAUCE: Rename osb() to barrier_nospec()".
>   - Added newlines before my sign-off lines to start a new section.
> 
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>
> ---
> 
> The following changes since commit ea04a5f62ca732a3c55e712192e0a303277c209c:
> 
>   mm/mempolicy: fix use after free when calling get_mempolicy (2018-07-25 13:22:00 +0200)
> 
> are available in the Git repository at:
> 
>   git://git.launchpad.net/~juergh/+git/trusty-linux lp1774181-v2
> 
> for you to fetch changes up to 2dd022222443a00e54f58f0e2a0e5f9e78c0e6b7:
> 
>   UBUNTU: SAUCE: Rename osb() to barrier_nospec() (2018-07-26 09:46:02 +0200)
> 
> ----------------------------------------------------------------
> Ben Hutchings (1):
>       x86/syscall: Sanitize syscall table de-references under speculation
> 
> Dan Williams (9):
>       array_index_nospec: Sanitize speculative array de-references
>       x86: Implement array_index_mask_nospec
>       x86: Introduce barrier_nospec
>       x86/get_user: Use pointer masking to limit speculation
>       vfs, fdtable: Prevent bounds-check bypass via speculative execution
>       nl80211: Sanitize array index in parse_txq_params
>       x86/spectre: Report get_user mitigation for spectre_v1
>       x86/kvm: Update spectre-v1 mitigation
>       nospec: Kill array_index_nospec_mask_check()
> 
> Juerg Haefliger (2):
>       UBUNTU: SAUCE: Replace osb() calls with array_index_nospec()
>       UBUNTU: SAUCE: Rename osb() to barrier_nospec()
> 
> Mark Rutland (1):
>       Documentation: Document array_index_nospec
> 
> Rasmus Villemoes (1):
>       nospec: Allow index argument to have const-qualified type
> 
> Will Deacon (1):
>       nospec: Move array_index_nospec() parameter checking into separate macro
> 
>  Documentation/speculation.txt            | 90 ++++++++++++++++++++++++++++++++
>  arch/arm/include/asm/barrier.h           |  3 --
>  arch/arm64/include/asm/barrier.h         |  3 --
>  arch/powerpc/include/asm/barrier.h       |  3 +-
>  arch/s390/include/asm/barrier.h          | 13 +++--
>  arch/x86/ia32/ia32entry.S                | 36 ++++++++-----
>  arch/x86/include/asm/barrier.h           | 32 ++++++++++--
>  arch/x86/kernel/cpu/bugs.c               | 10 +---
>  arch/x86/kernel/entry_32.S               |  4 ++
>  arch/x86/kernel/entry_64.S               | 16 +++---
>  arch/x86/kvm/vmx.c                       | 15 ++++--
>  arch/x86/lib/getuser.S                   | 10 ++++
>  drivers/media/usb/uvc/uvc_v4l2.c         |  5 +-
>  drivers/net/wireless/ath/carl9170/main.c |  3 +-
>  drivers/scsi/qla2xxx/qla_mr.c            |  5 +-
>  fs/udf/misc.c                            | 13 ++---
>  include/asm-generic/barrier.h            | 11 ----
>  include/linux/fdtable.h                  |  3 +-
>  include/linux/nospec.h                   | 53 +++++++++++++++++++
>  kernel/user_namespace.c                  |  3 +-
>  net/core/filter.c                        |  5 +-
>  net/wireless/nl80211.c                   |  9 ++--
>  22 files changed, 268 insertions(+), 77 deletions(-)
>  create mode 100644 Documentation/speculation.txt
> 

Applied to trusty/master-next branch.

Thanks,
Kleber