From nobody Tue Dec 16 10:00:04 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 008FE14E2FC for ; Fri, 12 Apr 2024 18:10:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712945440; cv=none; b=Y3/bpN0q1QXV8SRu6gma04vzFgQmLY+rGQWqG0VFvksJsCFJRYmZFilB5bIQ4VaJ7D2f5Z2PW8LzeJDlWD8oYM+E5ayX10K8jA1W3vS6GuarFnBglyA7S+GcQYIagUBKVqTNBJdKzhbbUgll+ltmCI0obPj1TAQA5KTzXRMcisU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712945440; c=relaxed/simple; bh=YK2ZkmaxtGjqhU7ayXuNAm2Nf5PMoaPQIn3V1c2Mvxc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iZYnXSRmTpKTCY/s4EUraExKc05G2ZYMawVlqsu1MFzcRle+qIvq74RaWC72pVf+60dLJr9NKyODpITTCWyiQ5Ey1dCNyGQO/YiNXZQ7XpiLHJo7bJ6/N/i7xJiP5xAT2d9/oJi2370uNj3CqIgcNIC8GH+MEPwbWtz3JTrSnlw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=qSwhmJPI; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="qSwhmJPI" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 30B9AC32781; Fri, 12 Apr 2024 18:10:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712945439; bh=YK2ZkmaxtGjqhU7ayXuNAm2Nf5PMoaPQIn3V1c2Mvxc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qSwhmJPIwiLbgLC6ZIYv9zerzm7jSiDP5NPGd4KoTpJHL57rEiWCtxCZ5JeTLk9lY 0e4T3lWkSpvdXB1e8JZcyOIQ/AazBZkGD33v4B8GZnVuwYl2mhJtl3/smFoqgDeh3q LxX4+zBMMuAdrnV1ywTyAY9SRftiYNYQlXcJ59vwJHI/v73Rf6ppdF1LDheA42yoqD yIYQU3qMIgVVnDk+sn2iBqz83kqk+xS2aU6HhYpRMlrE9MU8jyrZ5KXv4k/HZ2CUq1 X1D/Go00deKIww79GmmMb24i150MNVCj54SdXaP3sbpKpRuYqdVIsM+w/eN1gvbou/ Cnob4oA2249sA== From: Josh Poimboeuf To: x86@kernel.org Cc: linux-kernel@vger.kernel.org, Linus Torvalds , Daniel Sneddon , Pawan Gupta , Thomas Gleixner , Alexandre Chartre , Konrad Rzeszutek Wilk , Peter Zijlstra , Greg Kroah-Hartman , Sean Christopherson , Andrew Cooper , Dave Hansen , Nikolay Borisov , KP Singh , Waiman Long , Borislav Petkov , Ingo Molnar Subject: [PATCH v2 1/3] x86/bugs: Only harden syscalls when needed Date: Fri, 12 Apr 2024 11:10:32 -0700 Message-ID: <079f24edefb5b47e922c2804f199463e04ccf0c8.1712944776.git.jpoimboe@kernel.org> X-Mailer: git-send-email 2.44.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Syscall hardening (i.e., converting the syscall indirect branch to a series of direct branches) may cause performance regressions in certain scenarios. Only use the syscall hardening when indirect branches are considered unsafe. Fixes: 1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for sy= stem calls") Signed-off-by: Josh Poimboeuf Reviewed-by: Pawan Gupta --- arch/x86/entry/common.c | 15 ++++++++++++--- arch/x86/entry/syscall_32.c | 11 +---------- arch/x86/entry/syscall_64.c | 6 ------ arch/x86/entry/syscall_x32.c | 7 ++++++- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/syscall.h | 8 +++++++- arch/x86/kernel/cpu/bugs.c | 31 +++++++++++++++++++++++++++++- 7 files changed, 57 insertions(+), 22 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 6de50b80702e..c0f8116291e4 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -49,7 +49,10 @@ static __always_inline bool do_syscall_x64(struct pt_reg= s *regs, int nr) =20 if (likely(unr < NR_syscalls)) { unr =3D array_index_nospec(unr, NR_syscalls); - regs->ax =3D x64_sys_call(regs, unr); + if (likely(cpu_feature_enabled(X86_FEATURE_INDIRECT_SAFE))) + regs->ax =3D sys_call_table[unr](regs); + else + regs->ax =3D x64_sys_call(regs, unr); return true; } return false; @@ -66,7 +69,10 @@ static __always_inline bool do_syscall_x32(struct pt_reg= s *regs, int nr) =20 if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) { xnr =3D array_index_nospec(xnr, X32_NR_syscalls); - regs->ax =3D x32_sys_call(regs, xnr); + if (likely(cpu_feature_enabled(X86_FEATURE_INDIRECT_SAFE))) + regs->ax =3D x32_sys_call_table[xnr](regs); + else + regs->ax =3D x32_sys_call(regs, xnr); return true; } return false; @@ -162,7 +168,10 @@ static __always_inline void do_syscall_32_irqs_on(stru= ct pt_regs *regs, int nr) =20 if (likely(unr < IA32_NR_syscalls)) { unr =3D array_index_nospec(unr, IA32_NR_syscalls); - regs->ax =3D ia32_sys_call(regs, unr); + if (likely(cpu_feature_enabled(X86_FEATURE_INDIRECT_SAFE))) + regs->ax =3D ia32_sys_call_table[unr](regs); + else + regs->ax =3D ia32_sys_call(regs, unr); } else if (nr !=3D -1) { regs->ax =3D __ia32_sys_ni_syscall(regs); } diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c index c2235bae17ef..aab31760b4e3 100644 --- a/arch/x86/entry/syscall_32.c +++ b/arch/x86/entry/syscall_32.c @@ -14,25 +14,16 @@ #endif =20 #define __SYSCALL(nr, sym) extern long __ia32_##sym(const struct pt_regs *= ); - #include #undef __SYSCALL =20 -/* - * The sys_call_table[] is no longer used for system calls, but - * kernel/trace/trace_syscalls.c still wants to know the system - * call address. - */ -#ifdef CONFIG_X86_32 #define __SYSCALL(nr, sym) __ia32_##sym, -const sys_call_ptr_t sys_call_table[] =3D { +const sys_call_ptr_t ia32_sys_call_table[] =3D { #include }; #undef __SYSCALL -#endif =20 #define __SYSCALL(nr, sym) case nr: return __ia32_##sym(regs); - long ia32_sys_call(const struct pt_regs *regs, unsigned int nr) { switch (nr) { diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c index 33b3f09e6f15..96ea1f8a1d3f 100644 --- a/arch/x86/entry/syscall_64.c +++ b/arch/x86/entry/syscall_64.c @@ -11,11 +11,6 @@ #include #undef __SYSCALL =20 -/* - * The sys_call_table[] is no longer used for system calls, but - * kernel/trace/trace_syscalls.c still wants to know the system - * call address. - */ #define __SYSCALL(nr, sym) __x64_##sym, const sys_call_ptr_t sys_call_table[] =3D { #include @@ -23,7 +18,6 @@ const sys_call_ptr_t sys_call_table[] =3D { #undef __SYSCALL =20 #define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs); - long x64_sys_call(const struct pt_regs *regs, unsigned int nr) { switch (nr) { diff --git a/arch/x86/entry/syscall_x32.c b/arch/x86/entry/syscall_x32.c index 03de4a932131..5aef4230faca 100644 --- a/arch/x86/entry/syscall_x32.c +++ b/arch/x86/entry/syscall_x32.c @@ -11,8 +11,13 @@ #include #undef __SYSCALL =20 -#define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs); +#define __SYSCALL(nr, sym) __x64_##sym, +const sys_call_ptr_t x32_sys_call_table[] =3D { +#include +}; +#undef __SYSCALL =20 +#define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs); long x32_sys_call(const struct pt_regs *regs, unsigned int nr) { switch (nr) { diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 3c7434329661..7c87fe80c696 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -470,6 +470,7 @@ #define X86_FEATURE_BHI_CTRL (21*32+ 2) /* "" BHI_DIS_S HW control availa= ble */ #define X86_FEATURE_CLEAR_BHB_HW (21*32+ 3) /* "" BHI_DIS_S HW control ena= bled */ #define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (21*32+ 4) /* "" Clear branch= history at vmexit using SW loop */ +#define X86_FEATURE_INDIRECT_SAFE (21*32+ 4) /* "" Indirect branches aren'= t vulnerable to Spectre v2 */ =20 /* * BUG word(s) diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h index 2fc7bc3863ff..dfb59521244c 100644 --- a/arch/x86/include/asm/syscall.h +++ b/arch/x86/include/asm/syscall.h @@ -16,14 +16,20 @@ #include /* for TS_COMPAT */ #include =20 -/* This is used purely for kernel/trace/trace_syscalls.c */ typedef long (*sys_call_ptr_t)(const struct pt_regs *); extern const sys_call_ptr_t sys_call_table[]; =20 +#if defined(CONFIG_X86_32) +#define ia32_sys_call_table sys_call_table +#else /* * These may not exist, but still put the prototypes in so we * can use IS_ENABLED(). */ +extern const sys_call_ptr_t ia32_sys_call_table[]; +extern const sys_call_ptr_t x32_sys_call_table[]; +#endif + extern long ia32_sys_call(const struct pt_regs *, unsigned int nr); extern long x32_sys_call(const struct pt_regs *, unsigned int nr); extern long x64_sys_call(const struct pt_regs *, unsigned int nr); diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index ca295b0c1eee..dcb97cc2758f 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -1664,6 +1664,15 @@ static void __init bhi_select_mitigation(void) if (!IS_ENABLED(CONFIG_X86_64)) return; =20 + /* + * There's no hardware mitigation in place, so mark indirect branches + * as unsafe. + * + * One could argue the SW loop makes indirect branches safe again, but + * Linus prefers it this way. + */ + setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE); + /* Mitigate KVM by default */ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT); pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n"); @@ -1678,6 +1687,21 @@ static void __init spectre_v2_select_mitigation(void) enum spectre_v2_mitigation_cmd cmd =3D spectre_v2_parse_cmdline(); enum spectre_v2_mitigation mode =3D SPECTRE_V2_NONE; =20 + /* + * X86_FEATURE_INDIRECT_SAFE indicates whether indirect calls can be + * considered safe. That means either: + * + * - the CPU isn't vulnerable to Spectre v2 or its variants; + * + * - a hardware mitigation is in place (e.g., IBRS, BHI_DIS_S); or + * + * - the user turned off mitigations altogether. + * + * Assume innocence until proven guilty: set the cap bit now, then + * clear it later if/when needed. + */ + setup_force_cpu_cap(X86_FEATURE_INDIRECT_SAFE); + /* * If the CPU is not affected and the command line mode is NONE or AUTO * then nothing to do. @@ -1764,11 +1788,16 @@ static void __init spectre_v2_select_mitigation(voi= d) break; =20 case SPECTRE_V2_LFENCE: + setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE); + fallthrough; case SPECTRE_V2_EIBRS_LFENCE: setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE); - fallthrough; + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); + break; =20 case SPECTRE_V2_RETPOLINE: + setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE); + fallthrough; case SPECTRE_V2_EIBRS_RETPOLINE: setup_force_cpu_cap(X86_FEATURE_RETPOLINE); break; --=20 2.44.0 From nobody Tue Dec 16 10:00:04 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 18A2814EC60 for ; Fri, 12 Apr 2024 18:10:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712945441; cv=none; b=IPDJ+gMD+XiMTnHoIeLAz9Gg8bGrZNHte4ngiWC16K9lRZOLbNo0fUxQ1i8KssrEw3BY8uSve4pjw0AiJ4V8P6dkEi1y67zlu9JImh7Evn8uxM+c/dTC614RWLh+LBEu7WYHo8P/72N5AhvOUWG52b2pnyH8R5ZvKqlMEQYXCI0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712945441; c=relaxed/simple; bh=8NZHE1tS6vfknLA1oyfYTojtWsl+OR5G87hXz6y9g5w=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XZa94evWT7J3q+dbcwETrF4lHO/azj7xPfn8bKAe56d6CxC7M7+VB7/uSZiIX3+OODLMP2cFaIFFDu8r1KUbpopjPTDiusZ5wTvVzdioVbOzOuFhsU5/5eVQ90RIvp06tVKUvIMVYqYNiw5NoTQAf2q/OGq4JrxsDTapt+zZ5H8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=PnwENq27; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="PnwENq27" Received: by smtp.kernel.org (Postfix) with ESMTPSA id F1F87C32786; Fri, 12 Apr 2024 18:10:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712945440; bh=8NZHE1tS6vfknLA1oyfYTojtWsl+OR5G87hXz6y9g5w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PnwENq27GKTELnxMvUoZ8+jmsfhQy+Q+870u2mG+IiA2sxv9jwNwy0ZkRJfumNfzx 3d1B8SJxdFwUOsKNTKUN/uMa3pWhiedeB8rsef/NXyBB+YWDSn61LvWxfEQnC7FWEY MGBsdg8MP2ho3zIApifLmNSoqT6+Q3kwZ4adtY/BeJrtXGo4MAG29w2G854hUnYfdU uoAZ1I5wDYekZYh3wPLAD/VOIIPA1ruYqu36mHVow5EfY0MZGMicreYJyAq8KEwV8a JRRRUFUwqaZDCZCnmQcy+X8JAvrr7l7gQRLVXY+pFxc1zuCZHZEph3e02MRj5aAUkw N7SfiULmO+Jsg== From: Josh Poimboeuf To: x86@kernel.org Cc: linux-kernel@vger.kernel.org, Linus Torvalds , Daniel Sneddon , Pawan Gupta , Thomas Gleixner , Alexandre Chartre , Konrad Rzeszutek Wilk , Peter Zijlstra , Greg Kroah-Hartman , Sean Christopherson , Andrew Cooper , Dave Hansen , Nikolay Borisov , KP Singh , Waiman Long , Borislav Petkov , Ingo Molnar Subject: [PATCH 2/3] x86/bugs: Fix BHI retpoline check Date: Fri, 12 Apr 2024 11:10:33 -0700 Message-ID: X-Mailer: git-send-email 2.44.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Confusingly, X86_FEATURE_RETPOLINE doesn't mean retpolines are enabled, as it also includes the original "AMD retpoline" which isn't a retpoline at all. Also replace cpu_feature_enabled() with boot_cpu_has() because this is before alternatives are patched and cpu_feature_enabled()'s fallback path is slower than plain old boot_cpu_has(). Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob") Signed-off-by: Josh Poimboeuf Reviewed-by: Pawan Gupta --- arch/x86/kernel/cpu/bugs.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index dcb97cc2758f..e827613c9e39 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -1652,7 +1652,8 @@ static void __init bhi_select_mitigation(void) return; =20 /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ - if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { + if (boot_cpu_has(X86_FEATURE_RETPOLINE) && + !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE)) { spec_ctrl_disable_kernel_rrsba(); if (rrsba_disabled) return; @@ -2833,11 +2834,13 @@ static const char *spectre_bhi_state(void) { if (!boot_cpu_has_bug(X86_BUG_BHI)) return "; BHI: Not affected"; - else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW)) + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW)) return "; BHI: BHI_DIS_S"; - else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) return "; BHI: SW loop, KVM: SW loop"; - else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled) + else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && + !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE) && + rrsba_disabled) return "; BHI: Retpoline"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) return "; BHI: Vulnerable, KVM: SW loop"; --=20 2.44.0 From nobody Tue Dec 16 10:00:04 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F29FB14F10D for ; Fri, 12 Apr 2024 18:10:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712945442; cv=none; b=PBuIMp0PmJ2jgz3F2sEt4s01/WBEBYfEGU0mD41xCndvb0tsGuRyyLN75rYZaIfQk00PeM3XffatD6I1aAI7elYZy0CHsn3eMwV6ENxj14rgFzcMtti2Ucuhaj4yaw6UQPqPpkfvzHVgkK8O14DaF9cBqXk3XDgZSzeaMgeKLc8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712945442; c=relaxed/simple; bh=7vkYK4BTMEwDVFhnVwZt5O9MtmurQc2GLFoCzRHFmYM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=f3SInK2KkGx4VJr431vSeHapUNsj5K945cPkMRwoo/PfZuNqkzju+mTy7s7bdDg3rytzw6J+snM2a/LCstJbXEor8BAK0s7ikFYGTI88DybjPaTGa7NW5T3BXG5XANoVysJGcb1DuqZSqOWi21OOQcGwohnkDSEg5Y9dnI1i+tM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=dBD7sbcr; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="dBD7sbcr" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C41F2C4AF0C; Fri, 12 Apr 2024 18:10:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712945441; bh=7vkYK4BTMEwDVFhnVwZt5O9MtmurQc2GLFoCzRHFmYM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dBD7sbcrZHU5zT220mQihtegh3wkqAGcnNKOU4yiTK3jPgw6OgS8CAHu50ePBOYks /Xkjc0MZAu5BVAXUPLlnoDHXZf7a1cJGHGgMeye/0uDHsfyMGfljKeJcFByOOYWKya 6F1j37snWAYZ3fRdyEexqWNpltblJ6LPxf26fAQryg1uqFT13MXvlqE6jx0dzb0Efj QUcG0cWrYun6xWwhnt5CCciF0LpjAXQe6oF6mo4zMTgKjE83Vu8kkpI3jJEdRSIkD2 2qkeqzTpkEA245sYTBscHH5iDWtCEwotC6XbBRXz/w3cba6WT8i2KJCGI+MSVpCsoJ sFv/pZMV0BPUw== From: Josh Poimboeuf To: x86@kernel.org Cc: linux-kernel@vger.kernel.org, Linus Torvalds , Daniel Sneddon , Pawan Gupta , Thomas Gleixner , Alexandre Chartre , Konrad Rzeszutek Wilk , Peter Zijlstra , Greg Kroah-Hartman , Sean Christopherson , Andrew Cooper , Dave Hansen , Nikolay Borisov , KP Singh , Waiman Long , Borislav Petkov , Ingo Molnar Subject: [PATCH 3/3] x86/bugs: Remove support for Spectre v2 LFENCE "retpolines" Date: Fri, 12 Apr 2024 11:10:34 -0700 Message-ID: X-Mailer: git-send-email 2.44.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" I found several bugs where code assumes that X86_FEATURE_RETPOLINE actually means retpolines (imagine that!). In fact that feature also includes the original AMD LFENCE "retpolines", which aren't in fact retpolines. Really, those "retpolines" should just be removed. They're already considered vulnerable due to the fact that the speculative window after the indirect branch can still be long enough to do multiple dependent loads. And recent tooling makes such gadgets easier to find. Also, EIBRS_LFENCE tests worse in real-world benchmarks than the actual BHI mitigations, so it's both slower and less secure. Specifically this removes support for the following cmdline options: - spectre_v2=3Dretpoline,amd - spectre_v2=3Dretpoline,lfence - spectre_v2=3Deibrs,lfence Now when any of those options are used, it will print an error and fall back to the defaults (spectre_v2=3Dauto spectre_bhi=3Don). Signed-off-by: Josh Poimboeuf --- arch/x86/Makefile | 1 - arch/x86/include/asm/cpufeatures.h | 1 - arch/x86/include/asm/disabled-features.h | 3 +- arch/x86/include/asm/nospec-branch.h | 18 ++--- arch/x86/kernel/alternative.c | 17 +---- arch/x86/kernel/cpu/bugs.c | 66 +------------------ arch/x86/kernel/cpu/cpu.h | 3 +- arch/x86/lib/retpoline.S | 5 +- arch/x86/net/bpf_jit_comp.c | 5 +- tools/arch/x86/include/asm/cpufeatures.h | 1 - .../arch/x86/include/asm/disabled-features.h | 3 +- 11 files changed, 15 insertions(+), 108 deletions(-) diff --git a/arch/x86/Makefile b/arch/x86/Makefile index 5ab93fcdd691..f0f91810a79e 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -20,7 +20,6 @@ ifdef CONFIG_CC_IS_CLANG RETPOLINE_CFLAGS :=3D -mretpoline-external-thunk RETPOLINE_VDSO_CFLAGS :=3D -mretpoline endif -RETPOLINE_CFLAGS +=3D $(call cc-option,-mindirect-branch-cs-prefix) =20 ifdef CONFIG_MITIGATION_RETHUNK RETHUNK_CFLAGS :=3D -mfunction-return=3Dthunk-extern diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 7c87fe80c696..fccc838ac8ff 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -296,7 +296,6 @@ #define X86_FEATURE_ENTRY_IBPB (11*32+10) /* "" Issue an IBPB on kernel e= ntry */ #define X86_FEATURE_RRSBA_CTRL (11*32+11) /* "" RET prediction control */ #define X86_FEATURE_RETPOLINE (11*32+12) /* "" Generic Retpoline mitigati= on for Spectre variant 2 */ -#define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spect= re variant 2 */ #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */ #define X86_FEATURE_UNRET (11*32+15) /* "" AMD BTB untrain return */ #define X86_FEATURE_USE_IBPB_FW (11*32+16) /* "" Use IBPB during runtime = firmware calls */ diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/as= m/disabled-features.h index c492bdc97b05..e1c421282a78 100644 --- a/arch/x86/include/asm/disabled-features.h +++ b/arch/x86/include/asm/disabled-features.h @@ -53,8 +53,7 @@ #ifdef CONFIG_MITIGATION_RETPOLINE # define DISABLE_RETPOLINE 0 #else -# define DISABLE_RETPOLINE ((1 << (X86_FEATURE_RETPOLINE & 31)) | \ - (1 << (X86_FEATURE_RETPOLINE_LFENCE & 31))) +# define DISABLE_RETPOLINE (1 << (X86_FEATURE_RETPOLINE & 31) #endif =20 #ifdef CONFIG_MITIGATION_RETHUNK diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index ff5f1ecc7d1e..b98fb18928f6 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -434,15 +434,11 @@ static inline void call_depth_return_thunk(void) {} * which is ensured when CONFIG_MITIGATION_RETPOLINE is defined. */ # define CALL_NOSPEC \ - ALTERNATIVE_2( \ + ALTERNATIVE( \ ANNOTATE_RETPOLINE_SAFE \ "call *%[thunk_target]\n", \ "call __x86_indirect_thunk_%V[thunk_target]\n", \ - X86_FEATURE_RETPOLINE, \ - "lfence;\n" \ - ANNOTATE_RETPOLINE_SAFE \ - "call *%[thunk_target]\n", \ - X86_FEATURE_RETPOLINE_LFENCE) + X86_FEATURE_RETPOLINE) =20 # define THUNK_TARGET(addr) [thunk_target] "r" (addr) =20 @@ -453,7 +449,7 @@ static inline void call_depth_return_thunk(void) {} * here, anyway. */ # define CALL_NOSPEC \ - ALTERNATIVE_2( \ + ALTERNATIVE( \ ANNOTATE_RETPOLINE_SAFE \ "call *%[thunk_target]\n", \ " jmp 904f;\n" \ @@ -468,11 +464,7 @@ static inline void call_depth_return_thunk(void) {} " ret;\n" \ " .align 16\n" \ "904: call 901b;\n", \ - X86_FEATURE_RETPOLINE, \ - "lfence;\n" \ - ANNOTATE_RETPOLINE_SAFE \ - "call *%[thunk_target]\n", \ - X86_FEATURE_RETPOLINE_LFENCE) + X86_FEATURE_RETPOLINE) =20 # define THUNK_TARGET(addr) [thunk_target] "rm" (addr) #endif @@ -485,10 +477,8 @@ static inline void call_depth_return_thunk(void) {} enum spectre_v2_mitigation { SPECTRE_V2_NONE, SPECTRE_V2_RETPOLINE, - SPECTRE_V2_LFENCE, SPECTRE_V2_EIBRS, SPECTRE_V2_EIBRS_RETPOLINE, - SPECTRE_V2_EIBRS_LFENCE, SPECTRE_V2_IBRS, }; =20 diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index 45a280f2161c..a7eb8203a8cd 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -639,8 +639,6 @@ static int emit_call_track_retpoline(void *addr, struct= insn *insn, int reg, u8 * into: * * CALL *%\reg - * - * It also tries to inline spectre_v2=3Dretpoline,lfence when size permits. */ static int patch_retpoline(void *addr, struct insn *insn, u8 *bytes) { @@ -657,8 +655,7 @@ static int patch_retpoline(void *addr, struct insn *ins= n, u8 *bytes) /* If anyone ever does: CALL/JMP *%rsp, we're in deep trouble. */ BUG_ON(reg =3D=3D 4); =20 - if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) && - !cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) { + if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { if (cpu_feature_enabled(X86_FEATURE_CALL_DEPTH)) return emit_call_track_retpoline(addr, insn, reg, bytes); =20 @@ -675,9 +672,8 @@ static int patch_retpoline(void *addr, struct insn *ins= n, u8 *bytes) * into: * * Jncc.d8 1f - * [ LFENCE ] * JMP *%\reg - * [ NOP ] + * NOP * 1: */ if (is_jcc32(insn)) { @@ -691,15 +687,6 @@ static int patch_retpoline(void *addr, struct insn *in= sn, u8 *bytes) op =3D JMP32_INSN_OPCODE; } =20 - /* - * For RETPOLINE_LFENCE: prepend the indirect CALL/JMP with an LFENCE. - */ - if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) { - bytes[i++] =3D 0x0f; - bytes[i++] =3D 0xae; - bytes[i++] =3D 0xe8; /* LFENCE */ - } - ret =3D emit_indirect(op, reg, bytes + i); if (ret < 0) return ret; diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index e827613c9e39..2e71bacc8191 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -1143,7 +1143,6 @@ static void __init retbleed_select_mitigation(void) break; case SPECTRE_V2_EIBRS: case SPECTRE_V2_EIBRS_RETPOLINE: - case SPECTRE_V2_EIBRS_LFENCE: retbleed_mitigation =3D RETBLEED_MITIGATION_EIBRS; break; default: @@ -1184,9 +1183,7 @@ static inline const char *spectre_v2_module_string(vo= id) static inline const char *spectre_v2_module_string(void) { return ""; } #endif =20 -#define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommend= ed for this CPU, data leaks possible!\n" #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled w= ith eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n" -#define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF i= s enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spe= ctre v2 BHB attacks!\n" #define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enh= anced IBRS CPU, this may cause unnecessary performance loss\n" =20 #ifdef CONFIG_BPF_SYSCALL @@ -1201,10 +1198,6 @@ void unpriv_ebpf_notify(int new_state) case SPECTRE_V2_EIBRS: pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); break; - case SPECTRE_V2_EIBRS_LFENCE: - if (sched_smt_active()) - pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG); - break; default: break; } @@ -1225,10 +1218,8 @@ enum spectre_v2_mitigation_cmd { SPECTRE_V2_CMD_FORCE, SPECTRE_V2_CMD_RETPOLINE, SPECTRE_V2_CMD_RETPOLINE_GENERIC, - SPECTRE_V2_CMD_RETPOLINE_LFENCE, SPECTRE_V2_CMD_EIBRS, SPECTRE_V2_CMD_EIBRS_RETPOLINE, - SPECTRE_V2_CMD_EIBRS_LFENCE, SPECTRE_V2_CMD_IBRS, }; =20 @@ -1414,9 +1405,7 @@ spectre_v2_user_select_mitigation(void) static const char * const spectre_v2_strings[] =3D { [SPECTRE_V2_NONE] =3D "Vulnerable", [SPECTRE_V2_RETPOLINE] =3D "Mitigation: Retpolines", - [SPECTRE_V2_LFENCE] =3D "Mitigation: LFENCE", [SPECTRE_V2_EIBRS] =3D "Mitigation: Enhanced / Automatic IBRS", - [SPECTRE_V2_EIBRS_LFENCE] =3D "Mitigation: Enhanced / Automatic IBRS + L= FENCE", [SPECTRE_V2_EIBRS_RETPOLINE] =3D "Mitigation: Enhanced / Automatic IBRS = + Retpolines", [SPECTRE_V2_IBRS] =3D "Mitigation: IBRS", }; @@ -1429,11 +1418,8 @@ static const struct { { "off", SPECTRE_V2_CMD_NONE, false }, { "on", SPECTRE_V2_CMD_FORCE, true }, { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, - { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, - { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false }, { "eibrs", SPECTRE_V2_CMD_EIBRS, false }, - { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false }, { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false }, { "auto", SPECTRE_V2_CMD_AUTO, false }, { "ibrs", SPECTRE_V2_CMD_IBRS, false }, @@ -1472,9 +1458,7 @@ static enum spectre_v2_mitigation_cmd __init spectre_= v2_parse_cmdline(void) } =20 if ((cmd =3D=3D SPECTRE_V2_CMD_RETPOLINE || - cmd =3D=3D SPECTRE_V2_CMD_RETPOLINE_LFENCE || cmd =3D=3D SPECTRE_V2_CMD_RETPOLINE_GENERIC || - cmd =3D=3D SPECTRE_V2_CMD_EIBRS_LFENCE || cmd =3D=3D SPECTRE_V2_CMD_EIBRS_RETPOLINE) && !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE)) { pr_err("%s selected but not compiled in. Switching to AUTO select\n", @@ -1483,7 +1467,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_= v2_parse_cmdline(void) } =20 if ((cmd =3D=3D SPECTRE_V2_CMD_EIBRS || - cmd =3D=3D SPECTRE_V2_CMD_EIBRS_LFENCE || cmd =3D=3D SPECTRE_V2_CMD_EIBRS_RETPOLINE) && !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { pr_err("%s selected but CPU doesn't have Enhanced or Automatic IBRS. Swi= tching to AUTO select\n", @@ -1491,14 +1474,6 @@ static enum spectre_v2_mitigation_cmd __init spectre= _v2_parse_cmdline(void) return SPECTRE_V2_CMD_AUTO; } =20 - if ((cmd =3D=3D SPECTRE_V2_CMD_RETPOLINE_LFENCE || - cmd =3D=3D SPECTRE_V2_CMD_EIBRS_LFENCE) && - !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { - pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switchin= g to AUTO select\n", - mitigation_options[i].option); - return SPECTRE_V2_CMD_AUTO; - } - if (cmd =3D=3D SPECTRE_V2_CMD_IBRS && !IS_ENABLED(CONFIG_MITIGATION_IBRS_= ENTRY)) { pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option); @@ -1585,7 +1560,6 @@ static void __init spectre_v2_determine_rsb_fill_type= _at_vmexit(enum spectre_v2_ case SPECTRE_V2_NONE: return; =20 - case SPECTRE_V2_EIBRS_LFENCE: case SPECTRE_V2_EIBRS: if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); @@ -1595,7 +1569,6 @@ static void __init spectre_v2_determine_rsb_fill_type= _at_vmexit(enum spectre_v2_ =20 case SPECTRE_V2_EIBRS_RETPOLINE: case SPECTRE_V2_RETPOLINE: - case SPECTRE_V2_LFENCE: case SPECTRE_V2_IBRS: setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n"); @@ -1652,8 +1625,7 @@ static void __init bhi_select_mitigation(void) return; =20 /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ - if (boot_cpu_has(X86_FEATURE_RETPOLINE) && - !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE)) { + if (boot_cpu_has(X86_FEATURE_RETPOLINE)) { spec_ctrl_disable_kernel_rrsba(); if (rrsba_disabled) return; @@ -1735,11 +1707,6 @@ static void __init spectre_v2_select_mitigation(void) mode =3D spectre_v2_select_retpoline(); break; =20 - case SPECTRE_V2_CMD_RETPOLINE_LFENCE: - pr_err(SPECTRE_V2_LFENCE_MSG); - mode =3D SPECTRE_V2_LFENCE; - break; - case SPECTRE_V2_CMD_RETPOLINE_GENERIC: mode =3D SPECTRE_V2_RETPOLINE; break; @@ -1756,10 +1723,6 @@ static void __init spectre_v2_select_mitigation(void) mode =3D SPECTRE_V2_EIBRS; break; =20 - case SPECTRE_V2_CMD_EIBRS_LFENCE: - mode =3D SPECTRE_V2_EIBRS_LFENCE; - break; - case SPECTRE_V2_CMD_EIBRS_RETPOLINE: mode =3D SPECTRE_V2_EIBRS_RETPOLINE; break; @@ -1788,14 +1751,6 @@ static void __init spectre_v2_select_mitigation(void) pr_warn(SPECTRE_V2_IBRS_PERF_MSG); break; =20 - case SPECTRE_V2_LFENCE: - setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE); - fallthrough; - case SPECTRE_V2_EIBRS_LFENCE: - setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE); - setup_force_cpu_cap(X86_FEATURE_RETPOLINE); - break; - case SPECTRE_V2_RETPOLINE: setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE); fallthrough; @@ -1809,9 +1764,7 @@ static void __init spectre_v2_select_mitigation(void) * JMPs gets protection against BHI and Intramode-BTI, but RET * prediction from a non-RSB predictor is still a risk. */ - if (mode =3D=3D SPECTRE_V2_EIBRS_LFENCE || - mode =3D=3D SPECTRE_V2_EIBRS_RETPOLINE || - mode =3D=3D SPECTRE_V2_RETPOLINE) + if (boot_cpu_has(X86_FEATURE_RETPOLINE)) spec_ctrl_disable_kernel_rrsba(); =20 if (boot_cpu_has(X86_BUG_BHI)) @@ -1958,10 +1911,6 @@ void cpu_bugs_smt_update(void) { mutex_lock(&spec_ctrl_mutex); =20 - if (sched_smt_active() && unprivileged_ebpf_enabled() && - spectre_v2_enabled =3D=3D SPECTRE_V2_EIBRS_LFENCE) - pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG); - switch (spectre_v2_user_stibp) { case SPECTRE_V2_USER_NONE: break; @@ -2838,9 +2787,7 @@ static const char *spectre_bhi_state(void) return "; BHI: BHI_DIS_S"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) return "; BHI: SW loop, KVM: SW loop"; - else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && - !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE) && - rrsba_disabled) + else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled) return "; BHI: Retpoline"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) return "; BHI: Vulnerable, KVM: SW loop"; @@ -2850,16 +2797,9 @@ static const char *spectre_bhi_state(void) =20 static ssize_t spectre_v2_show_state(char *buf) { - if (spectre_v2_enabled =3D=3D SPECTRE_V2_LFENCE) - return sysfs_emit(buf, "Vulnerable: LFENCE\n"); - if (spectre_v2_enabled =3D=3D SPECTRE_V2_EIBRS && unprivileged_ebpf_enabl= ed()) return sysfs_emit(buf, "Vulnerable: eIBRS with unprivileged eBPF\n"); =20 - if (sched_smt_active() && unprivileged_ebpf_enabled() && - spectre_v2_enabled =3D=3D SPECTRE_V2_EIBRS_LFENCE) - return sysfs_emit(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF = and SMT\n"); - return sysfs_emit(buf, "%s%s%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], ibpb_state(), diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h index ea9e07d57c8d..602318b87bd9 100644 --- a/arch/x86/kernel/cpu/cpu.h +++ b/arch/x86/kernel/cpu/cpu.h @@ -93,8 +93,7 @@ extern enum spectre_v2_mitigation spectre_v2_enabled; static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mod= e) { return mode =3D=3D SPECTRE_V2_EIBRS || - mode =3D=3D SPECTRE_V2_EIBRS_RETPOLINE || - mode =3D=3D SPECTRE_V2_EIBRS_LFENCE; + mode =3D=3D SPECTRE_V2_EIBRS_RETPOLINE; } =20 #endif /* ARCH_X86_CPU_H */ diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S index e674ccf720b9..e32199f40c48 100644 --- a/arch/x86/lib/retpoline.S +++ b/arch/x86/lib/retpoline.S @@ -37,9 +37,8 @@ SYM_INNER_LABEL(__x86_indirect_thunk_\reg, SYM_L_GLOBAL) UNWIND_HINT_UNDEFINED ANNOTATE_NOENDBR =20 - ALTERNATIVE_2 __stringify(RETPOLINE \reg), \ - __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *%\reg; int3), X8= 6_FEATURE_RETPOLINE_LFENCE, \ - __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *%\reg), ALT_NOT(X86_FEAT= URE_RETPOLINE) + ALTERNATIVE __stringify(RETPOLINE \reg), \ + __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *%\reg), ALT_NOT(X86_FEATUR= E_RETPOLINE) =20 .endm =20 diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c index df5fac428408..39ed0107fb59 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -556,10 +556,7 @@ static void emit_indirect_jump(u8 **pprog, int reg, u8= *ip) { u8 *prog =3D *pprog; =20 - if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) { - EMIT_LFENCE(); - EMIT2(0xFF, 0xE0 + reg); - } else if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { + if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { OPTIMIZER_HIDE_VAR(reg); if (cpu_feature_enabled(X86_FEATURE_CALL_DEPTH)) emit_jump(&prog, &__x86_indirect_jump_thunk_array[reg], ip); diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/incl= ude/asm/cpufeatures.h index 25160d26764b..6627e0d25425 100644 --- a/tools/arch/x86/include/asm/cpufeatures.h +++ b/tools/arch/x86/include/asm/cpufeatures.h @@ -298,7 +298,6 @@ #define X86_FEATURE_ENTRY_IBPB (11*32+10) /* "" Issue an IBPB on kernel e= ntry */ #define X86_FEATURE_RRSBA_CTRL (11*32+11) /* "" RET prediction control */ #define X86_FEATURE_RETPOLINE (11*32+12) /* "" Generic Retpoline mitigati= on for Spectre variant 2 */ -#define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spect= re variant 2 */ #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */ #define X86_FEATURE_UNRET (11*32+15) /* "" AMD BTB untrain return */ #define X86_FEATURE_USE_IBPB_FW (11*32+16) /* "" Use IBPB during runtime = firmware calls */ diff --git a/tools/arch/x86/include/asm/disabled-features.h b/tools/arch/x8= 6/include/asm/disabled-features.h index 1f23960d2b06..74538147edc8 100644 --- a/tools/arch/x86/include/asm/disabled-features.h +++ b/tools/arch/x86/include/asm/disabled-features.h @@ -53,8 +53,7 @@ #ifdef CONFIG_MITIGATION_RETPOLINE # define DISABLE_RETPOLINE 0 #else -# define DISABLE_RETPOLINE ((1 << (X86_FEATURE_RETPOLINE & 31)) | \ - (1 << (X86_FEATURE_RETPOLINE_LFENCE & 31))) +# define DISABLE_RETPOLINE (1 << (X86_FEATURE_RETPOLINE & 31) #endif =20 #ifdef CONFIG_MITIGATION_RETHUNK --=20 2.44.0