From nobody Fri Nov 29 00:50:38 2024 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9D371148838; Wed, 25 Sep 2024 22:25:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.8 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727303142; cv=none; b=Mygbbv3u+1i+rTWm9hi1RFEYWpgE8mStFkQMx1O1sMObwNrDM+fhhfEfSZXp4B6qE8GebxGwiA6XfW8hfU3nfRmKmIs1MWo/xI8rnhebJAy9MGjLdzUYbtuFVYxD/eodEqAhB++H7m03FkmJmaUKGgEKbnAw5sM/pa5b4Tphj/g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727303142; c=relaxed/simple; bh=OduRHAVBGOjYFmib5cZvnd9hU/f1pWV6cNPWVVpgWck=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=je+wClwSPcYOZ+zN6doEzkFgQuz6gLDNTCnDUPOtP8PRX5NMmxHkeu51wEbVu4ABhT3YMZelaR0zN7yWfMxjLOOtB2Y4E46fnmuoiHeJuuIhIvaj/kMOKXijDbo4ZvUrEDK57MGHygGm6xMhW3Ot8oHCXcheNAc8ZCjipp8eqSU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=OQ0HeytU; arc=none smtp.client-ip=192.198.163.8 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="OQ0HeytU" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1727303141; x=1758839141; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=OduRHAVBGOjYFmib5cZvnd9hU/f1pWV6cNPWVVpgWck=; b=OQ0HeytUAPRAkjdeffHDIX3F90jCI0o918G3mqJlh5llAcZ65w24UW49 E0qr87qohfXxBaAJ4OiHcNnSl6VYPVM2aKBNqq6mAS0skJz+LK14VId9K XNjRFBTgGqY7GkFcQhxWbXmntbTi/awOW0iEuN3Y/tgGQRwYbYNqIPN7B L8mtDI5Ts1Ngb6TU4LTChB05dApls9f7SwMswBTMkj421eeewH1zbydq3 /CGnD4xnDQWNwGJYwq73sEaHE+jFWonzGnDvlX55KHSThsmCyc5qI2a5Z fKA98dVO2CpHliMB0iflrVHpgbzUycC4Da26YDWh6ubsP0h92lGdU8Rza Q==; X-CSE-ConnectionGUID: Nixj/67cQcq/p1oGcfKt+w== X-CSE-MsgGUID: gLxGSkLmRZuThyHFsXlmOw== X-IronPort-AV: E=McAfee;i="6700,10204,11206"; a="43895126" X-IronPort-AV: E=Sophos;i="6.10,258,1719903600"; d="scan'208";a="43895126" Received: from fmviesa009.fm.intel.com ([10.60.135.149]) by fmvoesa102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2024 15:25:40 -0700 X-CSE-ConnectionGUID: ylRPP6vTTViXmAkOvhxqFg== X-CSE-MsgGUID: XqEOZxuLTpWVGAux8F33RQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.10,258,1719903600"; d="scan'208";a="71929250" Received: from fecarpio-mobl.amr.corp.intel.com (HELO desk) ([10.125.147.229]) by fmviesa009-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2024 15:25:39 -0700 Date: Wed, 25 Sep 2024 15:25:38 -0700 From: Pawan Gupta To: Borislav Petkov , Dave Hansen Cc: linux-kernel@vger.kernel.org, x86@kernel.org, Robert Gill , Jari Ruusu , Brian Gerst , "Linux regression tracking (Thorsten Leemhuis)" , antonio.gomez.iglesias@linux.intel.com, daniel.sneddon@linux.intel.com, stable@vger.kernel.org Subject: [PATCH v7 1/3] x86/entry_32: Do not clobber user EFLAGS.ZF Message-ID: <20240925-fix-dosemu-vm86-v7-1-1de0daca2d42@linux.intel.com> X-Mailer: b4 0.14.1 References: <20240925-fix-dosemu-vm86-v7-0-1de0daca2d42@linux.intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20240925-fix-dosemu-vm86-v7-0-1de0daca2d42@linux.intel.com> Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Opportunistic SYSEXIT executes VERW to clear CPU buffers after user EFLAGS are restored. This can clobber user EFLAGS.ZF. Move CLEAR_CPU_BUFFERS before the user EFLAGS are restored. This ensures that the user EFLAGS.ZF is not clobbered. Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transiti= on") Reported-by: Jari Ruusu Closes: https://lore.kernel.org/lkml/yVXwe8gvgmPADpRB6lXlicS2fcHoV5OHHxyuFb= B_MEleRPD7-KhGe5VtORejtPe-KCkT8Uhcg5d7-IBw4Ojb4H7z5LQxoZylSmJ8KNL3A8o=3D@pr= otonmail.com/ Cc: stable@vger.kernel.org # 5.10+ Signed-off-by: Pawan Gupta --- arch/x86/entry/entry_32.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index d3a814efbff6..9ad6cd89b7ac 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -871,6 +871,8 @@ SYM_FUNC_START(entry_SYSENTER_32) =20 /* Now ready to switch the cr3 */ SWITCH_TO_USER_CR3 scratch_reg=3D%eax + /* Clobbers ZF */ + CLEAR_CPU_BUFFERS =20 /* * Restore all flags except IF. (We restore IF separately because @@ -881,7 +883,6 @@ SYM_FUNC_START(entry_SYSENTER_32) BUG_IF_WRONG_CR3 no_user_check=3D1 popfl popl %eax - CLEAR_CPU_BUFFERS =20 /* * Return back to the vDSO, which will pop ecx and edx. --=20 2.34.1 From nobody Fri Nov 29 00:50:38 2024 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8C2A9148838; Wed, 25 Sep 2024 22:25:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.15 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727303148; cv=none; b=kKz4l3UewDZcUE0RYBeeIWcwzKpSY7sZPFG3doZkk/hxpS+7ovA40C5Oh6tMY0rjDdpE4DmI4MLPO3GqND/6LFag6RJETKelqFfZ2PI8FY8Z+GV4yi8Rp35R45ColdwXESgOaV38ZZL73bNwCpb/dGveJl5YmB23FVSmDNetgQo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727303148; c=relaxed/simple; bh=7XNLoPjMi2p0yPNBVBbQHtFB3VyLvnKB24qCJaKJbNM=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=CHCLBbg7vznz4+Qie8sFtdi5j9g/c0IUhGvYB1AXxDhj7JE6WEohfPspnoomYxxb+oqHLMh3NDhCm0hdxKr/4pl7nJUSv8mHOPBg0rAVYrg5fWDX6aXyLKsiF+I73phdRo48yIFT4p5fikMLxFBj/jjyCxSdMgfSUD74/WfZlaw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=ZyGGszPH; arc=none smtp.client-ip=192.198.163.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="ZyGGszPH" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1727303146; x=1758839146; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=7XNLoPjMi2p0yPNBVBbQHtFB3VyLvnKB24qCJaKJbNM=; b=ZyGGszPHfGChi4JBraQvKZ4G/sriT0+n/bica0LhKzgbPf3IMGnHz5XE eS+4AIGFjrKsCCBHP0D0yNo2K/fZ8nZZuHWUETrza2wNkIS3FRliEklU3 fthWFQr1XmRMVQ5k5MbdktDZW0EYkZhFCDzhhagEOYDcB3p22rrif5lsf 4Wql7JOa1I4XwT4GTw+OSK8axHJxhcIlBvV7riQmabhgVpCpY9IRzLr92 MBvEwvQUN0E+qAug7vDXzTko9t4xs0keTxR1D7XlkQKJ+FacDnZqY0nRu utHIaxfJqTs+GoZmIgm9L98FIpATENiYDttsHN9bzHsGqc4QMkhv5WxGs Q==; X-CSE-ConnectionGUID: 3XxVLLYjSQKlrhY+9TEYGw== X-CSE-MsgGUID: zJfhXLj7TYm0t3lXAsrV0Q== X-IronPort-AV: E=McAfee;i="6700,10204,11206"; a="26531625" X-IronPort-AV: E=Sophos;i="6.10,258,1719903600"; d="scan'208";a="26531625" Received: from fmviesa001.fm.intel.com ([10.60.135.141]) by fmvoesa109.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2024 15:25:45 -0700 X-CSE-ConnectionGUID: opMfDUYoQzGWigxpE3SF5Q== X-CSE-MsgGUID: k04R3mphSHOJ6iDmQ2zYtw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.10,258,1719903600"; d="scan'208";a="102750712" Received: from fecarpio-mobl.amr.corp.intel.com (HELO desk) ([10.125.147.229]) by smtpauth.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2024 15:25:45 -0700 Date: Wed, 25 Sep 2024 15:25:44 -0700 From: Pawan Gupta To: Borislav Petkov , Dave Hansen Cc: linux-kernel@vger.kernel.org, x86@kernel.org, Robert Gill , Jari Ruusu , Brian Gerst , "Linux regression tracking (Thorsten Leemhuis)" , antonio.gomez.iglesias@linux.intel.com, daniel.sneddon@linux.intel.com, stable@vger.kernel.org Subject: [PATCH v7 2/3] x86/entry_32: Clear CPU buffers after register restore in NMI return Message-ID: <20240925-fix-dosemu-vm86-v7-2-1de0daca2d42@linux.intel.com> X-Mailer: b4 0.14.1 References: <20240925-fix-dosemu-vm86-v7-0-1de0daca2d42@linux.intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20240925-fix-dosemu-vm86-v7-0-1de0daca2d42@linux.intel.com> Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" CPU buffers are currently cleared after call to exc_nmi, but before register state is restored. This may be okay for MDS mitigation but not for RDFS. Because RDFS mitigation requires CPU buffers to be cleared when registers don't have any sensitive data. Move CLEAR_CPU_BUFFERS after RESTORE_ALL_NMI. Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transiti= on") Cc: stable@vger.kernel.org # 5.10+ Suggested-by: Dave Hansen Signed-off-by: Pawan Gupta --- arch/x86/entry/entry_32.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index 9ad6cd89b7ac..20be5758c2d2 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -1145,7 +1145,6 @@ SYM_CODE_START(asm_exc_nmi) =20 /* Not on SYSENTER stack. */ call exc_nmi - CLEAR_CPU_BUFFERS jmp .Lnmi_return =20 .Lnmi_from_sysenter_stack: @@ -1166,6 +1165,7 @@ SYM_CODE_START(asm_exc_nmi) =20 CHECK_AND_APPLY_ESPFIX RESTORE_ALL_NMI cr3_reg=3D%edi pop=3D4 + CLEAR_CPU_BUFFERS jmp .Lirq_return =20 #ifdef CONFIG_X86_ESPFIX32 @@ -1207,6 +1207,7 @@ SYM_CODE_START(asm_exc_nmi) * 1 - orig_ax */ lss (1+5+6)*4(%esp), %esp # back to espfix stack + CLEAR_CPU_BUFFERS jmp .Lirq_return #endif SYM_CODE_END(asm_exc_nmi) --=20 2.34.1 From nobody Fri Nov 29 00:50:38 2024 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 84892148838; Wed, 25 Sep 2024 22:25:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.8 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727303154; cv=none; b=ft3VLCrNRdzoPpHIkTwfin3WeRGLWlViN8fuG3++mJwoPG2pwPgQ+MuxgEVBpPGyXBZe0SAcnHeriQ/vK2cxX9+b26w03VW2OnJUDY9RRaldFl2+gxyXN43BGXtet/FID765adnj8zqGhTinPj3o0r4P5XsuNfGsqFYNx4AsZuY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1727303154; c=relaxed/simple; bh=5sBmeZb7zgbq4jsPslNM38CJ8kyfg1bQz+tU7ToEsR8=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=o9BmcBhGAWSURGLY/9Y4PiCDir6n31F9D1C7YPngvUDevds4muQqC9LlSNqqZnoe12nWssxRYF9nSI+P8haQEyaMqX6tOZ9MBfc6kkfR5OXi35C+365Vf36zJhtj0QEP3Jfehm2biQCvk2RL77/G2N1WCpvU9Et8Id5TZwk2DCc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=PLQRk09P; arc=none smtp.client-ip=192.198.163.8 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="PLQRk09P" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1727303153; x=1758839153; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=5sBmeZb7zgbq4jsPslNM38CJ8kyfg1bQz+tU7ToEsR8=; b=PLQRk09PtpIj/k/VWYQ1RcLTvAKH+nofI2ixnU5fyujMwT41iiBwinxB eCdKqaPc+v39Yc2S1qNh53nZwTli4LsVAQcm4ITfPF4dXBj84etDkUy1G gQ5hRihflTz5yo0eUuULakQApVm1aZxaXQes6B5mIo+d4R0uF+houigaj gsd6uFLSq+LKHbRBAHp2HkCqycIU7R9hkZ+K9IGfPdxsJ+sFx/E4my+07 u4Sz+KLZcG6GpnM7GgUHYMhGuaLbrc+dJb+4tLRYK2X5R1uGmxQP1bQ1z lr4f3KR94vDZu6agFfAWKMmU9KG9mGxwA3HOoAMDaOY8Q99ouF2Ra/J4f Q==; X-CSE-ConnectionGUID: hOTThXShTuqgDD866Cqi7w== X-CSE-MsgGUID: jnWPZkJpQ3GBs23kkb1KTw== X-IronPort-AV: E=McAfee;i="6700,10204,11206"; a="43895205" X-IronPort-AV: E=Sophos;i="6.10,258,1719903600"; d="scan'208";a="43895205" Received: from fmviesa009.fm.intel.com ([10.60.135.149]) by fmvoesa102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2024 15:25:52 -0700 X-CSE-ConnectionGUID: HdLibePzRd2ER7RdHGcJ/A== X-CSE-MsgGUID: F/Hub8YTRSiD927TWLe9cg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.10,258,1719903600"; d="scan'208";a="71929308" Received: from fecarpio-mobl.amr.corp.intel.com (HELO desk) ([10.125.147.229]) by fmviesa009-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2024 15:25:51 -0700 Date: Wed, 25 Sep 2024 15:25:50 -0700 From: Pawan Gupta To: Borislav Petkov , Dave Hansen Cc: linux-kernel@vger.kernel.org, x86@kernel.org, Robert Gill , Jari Ruusu , Brian Gerst , "Linux regression tracking (Thorsten Leemhuis)" , antonio.gomez.iglesias@linux.intel.com, daniel.sneddon@linux.intel.com, stable@vger.kernel.org Subject: [PATCH v7 3/3] x86/bugs: Use code segment selector for VERW operand Message-ID: <20240925-fix-dosemu-vm86-v7-3-1de0daca2d42@linux.intel.com> X-Mailer: b4 0.14.1 References: <20240925-fix-dosemu-vm86-v7-0-1de0daca2d42@linux.intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20240925-fix-dosemu-vm86-v7-0-1de0daca2d42@linux.intel.com> Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Robert Gill reported below #GP in 32-bit mode when dosemu software was executing vm86() system call: general protection fault: 0000 [#1] PREEMPT SMP CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046 CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0 Call Trace: show_regs+0x70/0x78 die_addr+0x29/0x70 exc_general_protection+0x13c/0x348 exc_bounds+0x98/0x98 handle_exception+0x14d/0x14d exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS are enabled. This is because segment registers with an arbitrary user value can result in #GP when executing VERW. Intel SDM vol. 2C documents the following behavior for VERW instruction: #GP(0) - If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user space. Use %cs selector to reference VERW operand. This ensures VERW will not #GP for an arbitrary user %ds. Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transiti= on") Cc: stable@vger.kernel.org # 5.10+ Reported-by: Robert Gill Closes: https://bugzilla.kernel.org/show_bug.cgi?id=3D218707 Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@le= emhuis.info/ Suggested-by: Dave Hansen Suggested-by: Brian Gerst Signed-off-by: Pawan Gupta --- arch/x86/include/asm/nospec-branch.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index ff5f1ecc7d1e..e18a6aaf414c 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -318,12 +318,14 @@ /* * Macro to execute VERW instruction that mitigate transient data sampling * attacks such as MDS. On affected systems a microcode update overloaded = VERW - * instruction to also clear the CPU buffers. VERW clobbers CFLAGS.ZF. + * instruction to also clear the CPU buffers. VERW clobbers CFLAGS.ZF. Usi= ng %cs + * to reference VERW operand avoids a #GP fault for an arbitrary user %ds = in + * 32-bit mode. * * Note: Only the memory operand variant of VERW clears the CPU buffers. */ .macro CLEAR_CPU_BUFFERS - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLE= AR_CPU_BUF + ALTERNATIVE "", __stringify(verw %cs:_ASM_RIP(mds_verw_sel)), X86_FEATURE= _CLEAR_CPU_BUF .endm =20 #ifdef CONFIG_X86_64 --=20 2.34.1