[SRU,Trusty] UBUNTU: SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps"

Message ID 20180727154328.29137-1-juergh@canonical.com
State New
Series
  • [SRU,Trusty] UBUNTU: SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps"

Commit Message

Juerg Haefliger July 27, 2018, 3:43 p.m.
CVE-2017-5715 (Spectre v2 retpoline)

For whatever reason, our backport of "x86/retpoline/entry: Convert entry
assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it
should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a functional
difference for the Ubuntu kernel, fix it to be formally correct and
equivalent to upstream.

Also, the backport is incomplete (doesn't convert the indirect jumps
through the syscall table in ia32entry.S) and also introduces whitespaces
instead of tabs. Fix that too, to be in line with upstream stable 3.16 and
to prevent potential future conflicts when cherry picking patches that
modify these areas.

Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps")
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
---
 arch/x86/ia32/ia32entry.S  | 18 +++++++++++++++++-
 arch/x86/kernel/entry_32.S |  6 +++---
 arch/x86/kernel/entry_64.S | 14 +++++++-------
 3 files changed, 27 insertions(+), 11 deletions(-)

Comments

Stefan Bader July 30, 2018, 10:58 a.m. | #1
On 27.07.2018 17:43, Juerg Haefliger wrote:
> CVE-2017-5715 (Spectre v2 retpoline)
> 
> For whatever reason, our backport of "x86/retpoline/entry: Convert entry
> assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it
> should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a functional
> difference for the Ubuntu kernel, fix it to be formally correct and
> equivalent to upstream.
> 
> Also, the backport is incomplete (doesn't convert the indirect jumps
> through the syscall table in ia32entry.S) and also introduces whitespaces
> instead of tabs. Fix that too, to be in line with upstream stable 3.16 and
> to prevent potential future conflicts when cherry picking patches that
> modify these areas.
> 
> Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps")
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  arch/x86/ia32/ia32entry.S  | 18 +++++++++++++++++-
>  arch/x86/kernel/entry_32.S |  6 +++---
>  arch/x86/kernel/entry_64.S | 14 +++++++-------
>  3 files changed, 27 insertions(+), 11 deletions(-)
> 
> diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
> index aedd4b526243..cc9fa083175d 100644
> --- a/arch/x86/ia32/ia32entry.S
> +++ b/arch/x86/ia32/ia32entry.S
> @@ -20,6 +20,7 @@
>  #include <asm/spec_ctrl.h>
>  #include <linux/linkage.h>
>  #include <linux/err.h>
> +#include <asm/nospec-branch.h>
>  
>  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
>  #include <linux/elf-em.h>
> @@ -176,7 +177,12 @@ sysenter_flags_fixed:
>  sysenter_do_call:
>  	IA32_ARG_FIXUP
>  sysenter_dispatch:
> +#ifdef CONFIG_RETPOLINE
> +	movq	ia32_sys_call_table(,%rax,8),%rax
> +	call	__x86_indirect_thunk_rax
> +#else
>  	call	*ia32_sys_call_table(,%rax,8)
> +#endif
>  	movq	%rax,RAX-ARGOFFSET(%rsp)
>  	DISABLE_INTERRUPTS(CLBR_NONE)
>  	TRACE_IRQS_OFF
> @@ -344,7 +350,12 @@ ENTRY(ia32_cstar_target)
>  cstar_do_call:
>  	IA32_ARG_FIXUP 1
>  cstar_dispatch:
> +#ifdef CONFIG_RETPOLINE
> +	movq ia32_sys_call_table(,%rax,8),%rax
> +	call __x86_indirect_thunk_rax
> +#else
>  	call *ia32_sys_call_table(,%rax,8)
> +#endif
>  	movq %rax,RAX-ARGOFFSET(%rsp)
>  	DISABLE_INTERRUPTS(CLBR_NONE)
>  	TRACE_IRQS_OFF
> @@ -458,7 +469,12 @@ ENTRY(ia32_syscall)
>  	ja ia32_badsys
>  ia32_do_call:
>  	IA32_ARG_FIXUP
> +#ifdef CONFIG_RETPOLINE
> +	movq ia32_sys_call_table(,%rax,8),%rax
> +	call __x86_indirect_thunk_rax
> +#else
>  	call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
> +#endif
>  ia32_sysret:
>  	movq %rax,RAX-ARGOFFSET(%rsp)
>  ia32_ret_from_sys_call:
> @@ -524,7 +540,7 @@ ia32_ptregs_common:
>  	CFI_REL_OFFSET	rsp,RSP-ARGOFFSET
>  /*	CFI_REL_OFFSET	ss,SS-ARGOFFSET*/
>  	SAVE_REST
> -	call *%rax
> +	CALL_NOSPEC %rax
>  	RESTORE_REST
>  	jmp  ia32_sysret	/* misbalances the return cache */
>  	CFI_ENDPROC
> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
> index afab84e0e50e..a250f31c0093 100644
> --- a/arch/x86/kernel/entry_32.S
> +++ b/arch/x86/kernel/entry_32.S
> @@ -309,7 +309,7 @@ ENTRY(ret_from_kernel_thread)
>  	pushl_cfi $0x0202		# Reset kernel eflags
>  	popfl_cfi
>  	movl PT_EBP(%esp),%eax
> -	movl PT_EBX(%esp),%edx
> +	movl	PT_EBX(%esp), %edx
>  	CALL_NOSPEC %edx
>  	movl $0,PT_EAX(%esp)
>  	jmp syscall_exit
> @@ -435,7 +435,7 @@ sysenter_do_call:
>  	cmpl $(NR_syscalls), %eax
>  	jae sysenter_badsys
>  #ifdef CONFIG_RETPOLINE
> -	movl sys_call_table(,%eax,4), %eax
> +	movl sys_call_table(,%eax,4),%eax
>  	call __x86_indirect_thunk_eax
>  #else
>  	call *sys_call_table(,%eax,4)
> @@ -521,7 +521,7 @@ ENTRY(system_call)
>  	jae syscall_badsys
>  syscall_call:
>  #ifdef CONFIG_RETPOLINE
> -	movl sys_call_table(,%eax,4), %eax
> +	movl sys_call_table(,%eax,4),%eax
>  	call __x86_indirect_thunk_eax
>  #else
>  	call *sys_call_table(,%eax,4)
> diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
> index 3b9377790eca..8cf5cfa4a8a2 100644
> --- a/arch/x86/kernel/entry_64.S
> +++ b/arch/x86/kernel/entry_64.S
> @@ -61,8 +61,8 @@
>  #include <asm/pgtable_types.h>
>  #include <asm/kaiser.h>
>  #include <asm/spec_ctrl.h>
> -#include <linux/err.h>
>  #include <asm/nospec-branch.h>
> +#include <linux/err.h>
>  
>  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
>  #include <linux/elf-em.h>
> @@ -709,9 +709,9 @@ system_call_fastpath:
>  #endif
>  	ja badsys
>  	movq %r10,%rcx
> -#ifdef RETPOLINE
> -	movq    sys_call_table(, %rax, 8), %rax
> -	call    __x86_indirect_thunk_rax
> +#ifdef CONFIG_RETPOLINE
> +	movq	sys_call_table(, %rax, 8), %rax
> +	call	__x86_indirect_thunk_rax
>  #else
>  	call *sys_call_table(,%rax,8)  # XXX:	 rip relative
>  #endif
> @@ -842,9 +842,9 @@ tracesys:
>  #endif
>  	ja   int_ret_from_sys_call	/* RAX(%rsp) set to -ENOSYS above */
>  	movq %r10,%rcx	/* fixup for C */
> -#ifdef RETPOLINE
> -	movq    sys_call_table(, %rax, 8), %rax
> -	call    __x86_indirect_thunk_rax
> +#ifdef CONFIG_RETPOLINE
> +	movq	sys_call_table(, %rax, 8), %rax
> +	call	__x86_indirect_thunk_rax
>  #else
>  	call *sys_call_table(,%rax,8)
>  #endif
>
Kleber Souza July 30, 2018, 1:29 p.m. | #2
On 07/27/18 17:43, Juerg Haefliger wrote:
> CVE-2017-5715 (Spectre v2 retpoline)
> 
> For whatever reason, our backport of "x86/retpoline/entry: Convert entry
> assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it
> should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a functional
> difference for the Ubuntu kernel, fix it to be formally correct and
> equivalent to upstream.
> 
> Also, the backport is incomplete (doesn't convert the indirect jumps
> through the syscall table in ia32entry.S) and also introduces whitespaces
> instead of tabs. Fix that too, to be in line with upstream stable 3.16 and
> to prevent potential future conflicts when cherry picking patches that
> modify these areas.
> 
> Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps")
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>  arch/x86/ia32/ia32entry.S  | 18 +++++++++++++++++-
>  arch/x86/kernel/entry_32.S |  6 +++---
>  arch/x86/kernel/entry_64.S | 14 +++++++-------
>  3 files changed, 27 insertions(+), 11 deletions(-)
> 
> diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
> index aedd4b526243..cc9fa083175d 100644
> --- a/arch/x86/ia32/ia32entry.S
> +++ b/arch/x86/ia32/ia32entry.S
> @@ -20,6 +20,7 @@
>  #include <asm/spec_ctrl.h>
>  #include <linux/linkage.h>
>  #include <linux/err.h>
> +#include <asm/nospec-branch.h>
>  
>  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
>  #include <linux/elf-em.h>
> @@ -176,7 +177,12 @@ sysenter_flags_fixed:
>  sysenter_do_call:
>  	IA32_ARG_FIXUP
>  sysenter_dispatch:
> +#ifdef CONFIG_RETPOLINE
> +	movq	ia32_sys_call_table(,%rax,8),%rax
> +	call	__x86_indirect_thunk_rax
> +#else
>  	call	*ia32_sys_call_table(,%rax,8)
> +#endif
>  	movq	%rax,RAX-ARGOFFSET(%rsp)
>  	DISABLE_INTERRUPTS(CLBR_NONE)
>  	TRACE_IRQS_OFF
> @@ -344,7 +350,12 @@ ENTRY(ia32_cstar_target)
>  cstar_do_call:
>  	IA32_ARG_FIXUP 1
>  cstar_dispatch:
> +#ifdef CONFIG_RETPOLINE
> +	movq ia32_sys_call_table(,%rax,8),%rax
> +	call __x86_indirect_thunk_rax
> +#else
>  	call *ia32_sys_call_table(,%rax,8)
> +#endif
>  	movq %rax,RAX-ARGOFFSET(%rsp)
>  	DISABLE_INTERRUPTS(CLBR_NONE)
>  	TRACE_IRQS_OFF
> @@ -458,7 +469,12 @@ ENTRY(ia32_syscall)
>  	ja ia32_badsys
>  ia32_do_call:
>  	IA32_ARG_FIXUP
> +#ifdef CONFIG_RETPOLINE
> +	movq ia32_sys_call_table(,%rax,8),%rax
> +	call __x86_indirect_thunk_rax
> +#else
>  	call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
> +#endif
>  ia32_sysret:
>  	movq %rax,RAX-ARGOFFSET(%rsp)
>  ia32_ret_from_sys_call:
> @@ -524,7 +540,7 @@ ia32_ptregs_common:
>  	CFI_REL_OFFSET	rsp,RSP-ARGOFFSET
>  /*	CFI_REL_OFFSET	ss,SS-ARGOFFSET*/
>  	SAVE_REST
> -	call *%rax
> +	CALL_NOSPEC %rax
>  	RESTORE_REST
>  	jmp  ia32_sysret	/* misbalances the return cache */
>  	CFI_ENDPROC
> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
> index afab84e0e50e..a250f31c0093 100644
> --- a/arch/x86/kernel/entry_32.S
> +++ b/arch/x86/kernel/entry_32.S
> @@ -309,7 +309,7 @@ ENTRY(ret_from_kernel_thread)
>  	pushl_cfi $0x0202		# Reset kernel eflags
>  	popfl_cfi
>  	movl PT_EBP(%esp),%eax
> -	movl PT_EBX(%esp),%edx
> +	movl	PT_EBX(%esp), %edx
>  	CALL_NOSPEC %edx
>  	movl $0,PT_EAX(%esp)
>  	jmp syscall_exit
> @@ -435,7 +435,7 @@ sysenter_do_call:
>  	cmpl $(NR_syscalls), %eax
>  	jae sysenter_badsys
>  #ifdef CONFIG_RETPOLINE
> -	movl sys_call_table(,%eax,4), %eax
> +	movl sys_call_table(,%eax,4),%eax
>  	call __x86_indirect_thunk_eax
>  #else
>  	call *sys_call_table(,%eax,4)
> @@ -521,7 +521,7 @@ ENTRY(system_call)
>  	jae syscall_badsys
>  syscall_call:
>  #ifdef CONFIG_RETPOLINE
> -	movl sys_call_table(,%eax,4), %eax
> +	movl sys_call_table(,%eax,4),%eax
>  	call __x86_indirect_thunk_eax
>  #else
>  	call *sys_call_table(,%eax,4)
> diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
> index 3b9377790eca..8cf5cfa4a8a2 100644
> --- a/arch/x86/kernel/entry_64.S
> +++ b/arch/x86/kernel/entry_64.S
> @@ -61,8 +61,8 @@
>  #include <asm/pgtable_types.h>
>  #include <asm/kaiser.h>
>  #include <asm/spec_ctrl.h>
> -#include <linux/err.h>
>  #include <asm/nospec-branch.h>
> +#include <linux/err.h>
>  
>  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
>  #include <linux/elf-em.h>
> @@ -709,9 +709,9 @@ system_call_fastpath:
>  #endif
>  	ja badsys
>  	movq %r10,%rcx
> -#ifdef RETPOLINE
> -	movq    sys_call_table(, %rax, 8), %rax
> -	call    __x86_indirect_thunk_rax
> +#ifdef CONFIG_RETPOLINE
> +	movq	sys_call_table(, %rax, 8), %rax
> +	call	__x86_indirect_thunk_rax
>  #else
>  	call *sys_call_table(,%rax,8)  # XXX:	 rip relative
>  #endif
> @@ -842,9 +842,9 @@ tracesys:
>  #endif
>  	ja   int_ret_from_sys_call	/* RAX(%rsp) set to -ENOSYS above */
>  	movq %r10,%rcx	/* fixup for C */
> -#ifdef RETPOLINE
> -	movq    sys_call_table(, %rax, 8), %rax
> -	call    __x86_indirect_thunk_rax
> +#ifdef CONFIG_RETPOLINE
> +	movq	sys_call_table(, %rax, 8), %rax
> +	call	__x86_indirect_thunk_rax
>  #else
>  	call *sys_call_table(,%rax,8)
>  #endif
>
Kleber Souza July 30, 2018, 2:30 p.m. | #3
On 07/27/18 17:43, Juerg Haefliger wrote:
> CVE-2017-5715 (Spectre v2 retpoline)
> 
> For whatever reason, our backport of "x86/retpoline/entry: Convert entry
> assembler indirect jumps" added "#ifdef RETPOLINE" in entry_64.S when it
> should be "#ifdef CONFIG_RETPOLINE". Although this doesn't make a functional
> difference for the Ubuntu kernel, fix it to be formally correct and
> equivalent to upstream.
> 
> Also, the backport is incomplete (doesn't convert the indirect jumps
> through the syscall table in ia32entry.S) and also introduces whitespaces
> instead of tabs. Fix that too, to be in line with upstream stable 3.16 and
> to prevent potential future conflicts when cherry picking patches that
> modify these areas.
> 
> Fixes: b12de0b8b316 ("x86/retpoline/entry: Convert entry assembler indirect jumps")
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>
> ---
>  arch/x86/ia32/ia32entry.S  | 18 +++++++++++++++++-
>  arch/x86/kernel/entry_32.S |  6 +++---
>  arch/x86/kernel/entry_64.S | 14 +++++++-------
>  3 files changed, 27 insertions(+), 11 deletions(-)
> 
> diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
> index aedd4b526243..cc9fa083175d 100644
> --- a/arch/x86/ia32/ia32entry.S
> +++ b/arch/x86/ia32/ia32entry.S
> @@ -20,6 +20,7 @@
>  #include <asm/spec_ctrl.h>
>  #include <linux/linkage.h>
>  #include <linux/err.h>
> +#include <asm/nospec-branch.h>
>  
>  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
>  #include <linux/elf-em.h>
> @@ -176,7 +177,12 @@ sysenter_flags_fixed:
>  sysenter_do_call:
>  	IA32_ARG_FIXUP
>  sysenter_dispatch:
> +#ifdef CONFIG_RETPOLINE
> +	movq	ia32_sys_call_table(,%rax,8),%rax
> +	call	__x86_indirect_thunk_rax
> +#else
>  	call	*ia32_sys_call_table(,%rax,8)
> +#endif
>  	movq	%rax,RAX-ARGOFFSET(%rsp)
>  	DISABLE_INTERRUPTS(CLBR_NONE)
>  	TRACE_IRQS_OFF
> @@ -344,7 +350,12 @@ ENTRY(ia32_cstar_target)
>  cstar_do_call:
>  	IA32_ARG_FIXUP 1
>  cstar_dispatch:
> +#ifdef CONFIG_RETPOLINE
> +	movq ia32_sys_call_table(,%rax,8),%rax
> +	call __x86_indirect_thunk_rax
> +#else
>  	call *ia32_sys_call_table(,%rax,8)
> +#endif
>  	movq %rax,RAX-ARGOFFSET(%rsp)
>  	DISABLE_INTERRUPTS(CLBR_NONE)
>  	TRACE_IRQS_OFF
> @@ -458,7 +469,12 @@ ENTRY(ia32_syscall)
>  	ja ia32_badsys
>  ia32_do_call:
>  	IA32_ARG_FIXUP
> +#ifdef CONFIG_RETPOLINE
> +	movq ia32_sys_call_table(,%rax,8),%rax
> +	call __x86_indirect_thunk_rax
> +#else
>  	call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
> +#endif
>  ia32_sysret:
>  	movq %rax,RAX-ARGOFFSET(%rsp)
>  ia32_ret_from_sys_call:
> @@ -524,7 +540,7 @@ ia32_ptregs_common:
>  	CFI_REL_OFFSET	rsp,RSP-ARGOFFSET
>  /*	CFI_REL_OFFSET	ss,SS-ARGOFFSET*/
>  	SAVE_REST
> -	call *%rax
> +	CALL_NOSPEC %rax
>  	RESTORE_REST
>  	jmp  ia32_sysret	/* misbalances the return cache */
>  	CFI_ENDPROC
> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
> index afab84e0e50e..a250f31c0093 100644
> --- a/arch/x86/kernel/entry_32.S
> +++ b/arch/x86/kernel/entry_32.S
> @@ -309,7 +309,7 @@ ENTRY(ret_from_kernel_thread)
>  	pushl_cfi $0x0202		# Reset kernel eflags
>  	popfl_cfi
>  	movl PT_EBP(%esp),%eax
> -	movl PT_EBX(%esp),%edx
> +	movl	PT_EBX(%esp), %edx
>  	CALL_NOSPEC %edx
>  	movl $0,PT_EAX(%esp)
>  	jmp syscall_exit
> @@ -435,7 +435,7 @@ sysenter_do_call:
>  	cmpl $(NR_syscalls), %eax
>  	jae sysenter_badsys
>  #ifdef CONFIG_RETPOLINE
> -	movl sys_call_table(,%eax,4), %eax
> +	movl sys_call_table(,%eax,4),%eax
>  	call __x86_indirect_thunk_eax
>  #else
>  	call *sys_call_table(,%eax,4)
> @@ -521,7 +521,7 @@ ENTRY(system_call)
>  	jae syscall_badsys
>  syscall_call:
>  #ifdef CONFIG_RETPOLINE
> -	movl sys_call_table(,%eax,4), %eax
> +	movl sys_call_table(,%eax,4),%eax
>  	call __x86_indirect_thunk_eax
>  #else
>  	call *sys_call_table(,%eax,4)
> diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
> index 3b9377790eca..8cf5cfa4a8a2 100644
> --- a/arch/x86/kernel/entry_64.S
> +++ b/arch/x86/kernel/entry_64.S
> @@ -61,8 +61,8 @@
>  #include <asm/pgtable_types.h>
>  #include <asm/kaiser.h>
>  #include <asm/spec_ctrl.h>
> -#include <linux/err.h>
>  #include <asm/nospec-branch.h>
> +#include <linux/err.h>
>  
>  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
>  #include <linux/elf-em.h>
> @@ -709,9 +709,9 @@ system_call_fastpath:
>  #endif
>  	ja badsys
>  	movq %r10,%rcx
> -#ifdef RETPOLINE
> -	movq    sys_call_table(, %rax, 8), %rax
> -	call    __x86_indirect_thunk_rax
> +#ifdef CONFIG_RETPOLINE
> +	movq	sys_call_table(, %rax, 8), %rax
> +	call	__x86_indirect_thunk_rax
>  #else
>  	call *sys_call_table(,%rax,8)  # XXX:	 rip relative
>  #endif
> @@ -842,9 +842,9 @@ tracesys:
>  #endif
>  	ja   int_ret_from_sys_call	/* RAX(%rsp) set to -ENOSYS above */
>  	movq %r10,%rcx	/* fixup for C */
> -#ifdef RETPOLINE
> -	movq    sys_call_table(, %rax, 8), %rax
> -	call    __x86_indirect_thunk_rax
> +#ifdef CONFIG_RETPOLINE
> +	movq	sys_call_table(, %rax, 8), %rax
> +	call	__x86_indirect_thunk_rax
>  #else
>  	call *sys_call_table(,%rax,8)
>  #endif
> 

Hi Juerg,

The patch was applied to trusty/master-next branch, however some fuzzing
was needed. It seems that the context had been changed by the backport
we did for:

x86/syscall: Sanitize syscall table de-references under speculation

The results look good and I compiled-tested it, but if you could double
check it we would be more confident about it.

Thanks,
Kleber

Patch

diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index aedd4b526243..cc9fa083175d 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -20,6 +20,7 @@ 
 #include <asm/spec_ctrl.h>
 #include <linux/linkage.h>
 #include <linux/err.h>
+#include <asm/nospec-branch.h>
 
 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
 #include <linux/elf-em.h>
@@ -176,7 +177,12 @@  sysenter_flags_fixed:
 sysenter_do_call:
 	IA32_ARG_FIXUP
 sysenter_dispatch:
+#ifdef CONFIG_RETPOLINE
+	movq	ia32_sys_call_table(,%rax,8),%rax
+	call	__x86_indirect_thunk_rax
+#else
 	call	*ia32_sys_call_table(,%rax,8)
+#endif
 	movq	%rax,RAX-ARGOFFSET(%rsp)
 	DISABLE_INTERRUPTS(CLBR_NONE)
 	TRACE_IRQS_OFF
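Review bot: The `movq ia32_sys_call_table(,%rax,8),%rax` added at sysenter_dispatch is a table load indexed by the caller-supplied syscall number, and the retpoline thunk protects only the indirect branch that follows, not that load. The range check on %rax lies outside this hunk, and a mispredicted check would let the load run speculatively with an out-of-range index, so it should be confirmed that %rax is also clamped under speculation before this point (presumably what the "x86/syscall: Sanitize syscall table de-references under speculation" backport named on this page provides). The same applies to the loads added at cstar_dispatch and ia32_do_call, and to the re-guarded loads at system_call_fastpath and tracesys in entry_64.S, where only the `ja` check is visible in the hunk. A comment above each load would record the dependency, e.g. `/* %rax must be range-checked and clamped against speculation before this load */`.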
@@ -344,7 +350,12 @@  ENTRY(ia32_cstar_target)
 cstar_do_call:
 	IA32_ARG_FIXUP 1
 cstar_dispatch:
+#ifdef CONFIG_RETPOLINE
+	movq ia32_sys_call_table(,%rax,8),%rax
+	call __x86_indirect_thunk_rax
+#else
 	call *ia32_sys_call_table(,%rax,8)
+#endif
 	movq %rax,RAX-ARGOFFSET(%rsp)
 	DISABLE_INTERRUPTS(CLBR_NONE)
 	TRACE_IRQS_OFF
@@ -458,7 +469,12 @@  ENTRY(ia32_syscall)
 	ja ia32_badsys
 ia32_do_call:
 	IA32_ARG_FIXUP
+#ifdef CONFIG_RETPOLINE
+	movq ia32_sys_call_table(,%rax,8),%rax
+	call __x86_indirect_thunk_rax
+#else
 	call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
+#endif
 ia32_sysret:
 	movq %rax,RAX-ARGOFFSET(%rsp)
 ia32_ret_from_sys_call:
@@ -524,7 +540,7 @@  ia32_ptregs_common:
 	CFI_REL_OFFSET	rsp,RSP-ARGOFFSET
 /*	CFI_REL_OFFSET	ss,SS-ARGOFFSET*/
 	SAVE_REST
-	call *%rax
+	CALL_NOSPEC %rax
 	RESTORE_REST
 	jmp  ia32_sysret	/* misbalances the return cache */
 	CFI_ENDPROC
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index afab84e0e50e..a250f31c0093 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -309,7 +309,7 @@  ENTRY(ret_from_kernel_thread)
 	pushl_cfi $0x0202		# Reset kernel eflags
 	popfl_cfi
 	movl PT_EBP(%esp),%eax
-	movl PT_EBX(%esp),%edx
+	movl	PT_EBX(%esp), %edx
 	CALL_NOSPEC %edx
 	movl $0,PT_EAX(%esp)
 	jmp syscall_exit
@@ -435,7 +435,7 @@  sysenter_do_call:
 	cmpl $(NR_syscalls), %eax
 	jae sysenter_badsys
 #ifdef CONFIG_RETPOLINE
-	movl sys_call_table(,%eax,4), %eax
+	movl sys_call_table(,%eax,4),%eax
 	call __x86_indirect_thunk_eax
 #else
 	call *sys_call_table(,%eax,4)
@@ -521,7 +521,7 @@  ENTRY(system_call)
 	jae syscall_badsys
 syscall_call:
 #ifdef CONFIG_RETPOLINE
-	movl sys_call_table(,%eax,4), %eax
+	movl sys_call_table(,%eax,4),%eax
 	call __x86_indirect_thunk_eax
 #else
 	call *sys_call_table(,%eax,4)
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 3b9377790eca..8cf5cfa4a8a2 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -61,8 +61,8 @@ 
 #include <asm/pgtable_types.h>
 #include <asm/kaiser.h>
 #include <asm/spec_ctrl.h>
-#include <linux/err.h>
 #include <asm/nospec-branch.h>
+#include <linux/err.h>
 
 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
 #include <linux/elf-em.h>
@@ -709,9 +709,9 @@  system_call_fastpath:
 #endif
 	ja badsys
 	movq %r10,%rcx
-#ifdef RETPOLINE
-	movq    sys_call_table(, %rax, 8), %rax
-	call    __x86_indirect_thunk_rax
+#ifdef CONFIG_RETPOLINE
+	movq	sys_call_table(, %rax, 8), %rax
+	call	__x86_indirect_thunk_rax
 #else
 	call *sys_call_table(,%rax,8)  # XXX:	 rip relative
 #endif
@@ -842,9 +842,9 @@  tracesys:
 #endif
 	ja   int_ret_from_sys_call	/* RAX(%rsp) set to -ENOSYS above */
 	movq %r10,%rcx	/* fixup for C */
-#ifdef RETPOLINE
-	movq    sys_call_table(, %rax, 8), %rax
-	call    __x86_indirect_thunk_rax
+#ifdef CONFIG_RETPOLINE
+	movq	sys_call_table(, %rax, 8), %rax
+	call	__x86_indirect_thunk_rax
 #else
 	call *sys_call_table(,%rax,8)
 #endif