License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 22:07:57 +08:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
2015-11-13 04:59:04 +08:00
|
|
|
#include <linux/jump_label.h>
|
2017-07-11 23:33:44 +08:00
|
|
|
#include <asm/unwind_hints.h>
|
2017-12-04 22:07:35 +08:00
|
|
|
#include <asm/cpufeatures.h>
|
|
|
|
#include <asm/page_types.h>
|
2017-12-04 22:07:59 +08:00
|
|
|
#include <asm/percpu.h>
|
|
|
|
#include <asm/asm-offsets.h>
|
|
|
|
#include <asm/processor-flags.h>
|
2024-06-12 13:13:20 +08:00
|
|
|
#include <asm/msr.h>
|
|
|
|
#include <asm/nospec-branch.h>
|
2015-11-13 04:59:04 +08:00
|
|
|
|
2008-01-30 20:32:49 +08:00
|
|
|
/*
|
2009-02-04 01:02:36 +08:00
|
|
|
|
|
|
|
x86 function call convention, 64-bit:
|
|
|
|
-------------------------------------
|
|
|
|
arguments | callee-saved | extra caller-saved | return
|
|
|
|
[callee-clobbered] | | [callee-clobbered] |
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
rdi rsi rdx rcx r8-9 | rbx rbp [*] r12-15 | r10-11 | rax, rdx [**]
|
|
|
|
|
|
|
|
( rsp is obviously invariant across normal function calls. (gcc can 'merge'
|
|
|
|
functions when it sees tail-call optimization possibilities) rflags is
|
|
|
|
clobbered. Leftover arguments are passed over the stack frame.)
|
|
|
|
|
|
|
|
[*] In the frame-pointers case rbp is fixed to the stack frame.
|
|
|
|
|
|
|
|
[**] for struct return values wider than 64 bits the return convention is a
|
|
|
|
bit more complex: up to 128 bits width we return small structures
|
|
|
|
straight in rax, rdx. For structures larger than that (3 words or
|
|
|
|
larger) the caller puts a pointer to an on-stack return struct
|
|
|
|
[allocated in the caller's stack frame] into the first argument - i.e.
|
|
|
|
into rdi. All other arguments shift up by one in this case.
|
|
|
|
Fortunately this case is rare in the kernel.
|
|
|
|
|
|
|
|
For 32-bit we have the following conventions - kernel is built with
|
|
|
|
-mregparm=3 and -freg-struct-return:
|
|
|
|
|
|
|
|
x86 function calling convention, 32-bit:
|
|
|
|
----------------------------------------
|
|
|
|
arguments | callee-saved | extra caller-saved | return
|
|
|
|
[callee-clobbered] | | [callee-clobbered] |
|
|
|
|
-------------------------------------------------------------------------
|
|
|
|
eax edx ecx | ebx edi esi ebp [*] | <none> | eax, edx [**]
|
|
|
|
|
|
|
|
( here too esp is obviously invariant across normal function calls. eflags
|
|
|
|
is clobbered. Leftover arguments are passed over the stack frame. )
|
|
|
|
|
|
|
|
[*] In the frame-pointers case ebp is fixed to the stack frame.
|
|
|
|
|
|
|
|
[**] We build with -freg-struct-return, which on 32-bit means similar
|
|
|
|
semantics as on 64-bit: edx can be used for a second return value
|
|
|
|
(i.e. covering integer and structure sizes up to 64 bits) - after that
|
|
|
|
it gets more complex and more expensive: 3-word or larger struct returns
|
|
|
|
get done in the caller's frame and the pointer to the return struct goes
|
|
|
|
into regparm0, i.e. eax - the other arguments shift up and the
|
|
|
|
function's register parameters degenerate to regparm=2 in essence.
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
2013-08-14 20:51:00 +08:00
|
|
|
#ifdef CONFIG_X86_64
|
|
|
|
|
2009-02-04 01:02:36 +08:00
|
|
|
/*
|
2012-09-26 16:28:22 +08:00
|
|
|
* 64-bit system call stack frame layout defines and helpers,
|
|
|
|
* for assembly code:
|
2008-01-30 20:32:49 +08:00
|
|
|
*/
|
2005-04-17 06:20:36 +08:00
|
|
|
|
x86/asm/entry/64: Always allocate a complete "struct pt_regs" on the kernel stack
The 64-bit entry code was using six stack slots less by not
saving/restoring registers which are callee-preserved according
to the C ABI, and was not allocating space for them.
Only when syscalls needed a complete "struct pt_regs" was
the complete area allocated and filled in.
As an additional twist, on interrupt entry a "slightly less
truncated pt_regs" trick is used, to make nested interrupt
stacks easier to unwind.
This proved to be a source of significant obfuscation and subtle
bugs. For example, 'stub_fork' had to pop the return address,
extend the struct, save registers, and push return address back.
Ugly. 'ia32_ptregs_common' pops return address and "returns" via
jmp insn, throwing a wrench into CPU return stack cache.
This patch changes the code to always allocate a complete
"struct pt_regs" on the kernel stack. The saving of registers
is still done lazily.
"Partial pt_regs" trick on interrupt stack is retained.
Macros which manipulate "struct pt_regs" on stack are reworked:
- ALLOC_PT_GPREGS_ON_STACK allocates the structure.
- SAVE_C_REGS saves to it those registers which are clobbered
by C code.
- SAVE_EXTRA_REGS saves to it all other registers.
- Corresponding RESTORE_* and REMOVE_PT_GPREGS_FROM_STACK macros
reverse it.
'ia32_ptregs_common', 'stub_fork' and friends lost their ugly dance
with the return pointer.
LOAD_ARGS32 in ia32entry.S now uses symbolic stack offsets
instead of magic numbers.
'error_entry' and 'save_paranoid' now use SAVE_C_REGS +
SAVE_EXTRA_REGS instead of having it open-coded yet again.
Patch was run-tested: 64-bit executables, 32-bit executables,
strace works.
Timing tests did not show measurable difference in 32-bit
and 64-bit syscalls.
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Will Drewry <wad@chromium.org>
Link: http://lkml.kernel.org/r/1423778052-21038-2-git-send-email-dvlasenk@redhat.com
Link: http://lkml.kernel.org/r/b89763d354aa23e670b9bdf3a40ae320320a7c2e.1424989793.git.luto@amacapital.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-02-27 06:40:27 +08:00
|
|
|
/* The layout forms the "struct pt_regs" on the stack: */
|
|
|
|
/*
|
|
|
|
* C ABI says these regs are callee-preserved. They aren't saved on kernel entry
|
|
|
|
* unless syscall needs a complete, fully filled "struct pt_regs".
|
|
|
|
*/
|
|
|
|
#define R15 0*8
|
|
|
|
#define R14 1*8
|
|
|
|
#define R13 2*8
|
|
|
|
#define R12 3*8
|
|
|
|
#define RBP 4*8
|
|
|
|
#define RBX 5*8
|
|
|
|
/* These regs are callee-clobbered. Always saved on kernel entry. */
|
|
|
|
#define R11 6*8
|
|
|
|
#define R10 7*8
|
|
|
|
#define R9 8*8
|
|
|
|
#define R8 9*8
|
|
|
|
#define RAX 10*8
|
|
|
|
#define RCX 11*8
|
|
|
|
#define RDX 12*8
|
|
|
|
#define RSI 13*8
|
|
|
|
#define RDI 14*8
|
|
|
|
/*
|
|
|
|
* On syscall entry, this is syscall#. On CPU exception, this is error code.
|
|
|
|
* On hw interrupt, it's IRQ number:
|
|
|
|
*/
|
|
|
|
#define ORIG_RAX 15*8
|
|
|
|
/* Return frame for iretq */
|
|
|
|
#define RIP 16*8
|
|
|
|
#define CS 17*8
|
|
|
|
#define EFLAGS 18*8
|
|
|
|
#define RSP 19*8
|
|
|
|
#define SS 20*8
|
|
|
|
|
2015-02-27 06:40:36 +08:00
|
|
|
#define SIZEOF_PTREGS 21*8
|
|
|
|
|
2018-02-15 01:59:23 +08:00
|
|
|
.macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax save_ret=0
|
|
|
|
.if \save_ret
|
|
|
|
pushq %rsi /* pt_regs->si */
|
|
|
|
movq 8(%rsp), %rsi /* temporarily store the return address in %rsi */
|
|
|
|
movq %rdi, 8(%rsp) /* pt_regs->di (overwriting original return address) */
|
|
|
|
.else
|
2018-02-11 18:49:45 +08:00
|
|
|
pushq %rdi /* pt_regs->di */
|
|
|
|
pushq %rsi /* pt_regs->si */
|
2018-02-15 01:59:23 +08:00
|
|
|
.endif
|
2018-02-11 18:49:46 +08:00
|
|
|
pushq \rdx /* pt_regs->dx */
|
2018-02-11 18:49:45 +08:00
|
|
|
pushq %rcx /* pt_regs->cx */
|
2018-02-11 18:49:46 +08:00
|
|
|
pushq \rax /* pt_regs->ax */
|
2018-02-11 18:49:45 +08:00
|
|
|
pushq %r8 /* pt_regs->r8 */
|
|
|
|
pushq %r9 /* pt_regs->r9 */
|
|
|
|
pushq %r10 /* pt_regs->r10 */
|
|
|
|
pushq %r11 /* pt_regs->r11 */
|
|
|
|
pushq %rbx /* pt_regs->rbx */
|
|
|
|
pushq %rbp /* pt_regs->rbp */
|
|
|
|
pushq %r12 /* pt_regs->r12 */
|
|
|
|
pushq %r13 /* pt_regs->r13 */
|
|
|
|
pushq %r14 /* pt_regs->r14 */
|
|
|
|
pushq %r15 /* pt_regs->r15 */
|
|
|
|
UNWIND_HINT_REGS
|
2024-06-11 20:26:44 +08:00
|
|
|
|
2018-02-15 01:59:23 +08:00
|
|
|
.if \save_ret
|
|
|
|
pushq %rsi /* return address on top of stack */
|
|
|
|
.endif
|
2024-06-11 20:26:44 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Sanitize registers of values that a speculation attack might
|
|
|
|
* otherwise want to exploit. The lower registers are likely clobbered
|
|
|
|
* well before they could be put to use in a speculative execution
|
|
|
|
* gadget.
|
|
|
|
*/
|
|
|
|
xorl %edx, %edx /* nospec dx */
|
|
|
|
xorl %ecx, %ecx /* nospec cx */
|
|
|
|
xorl %r8d, %r8d /* nospec r8 */
|
|
|
|
xorl %r9d, %r9d /* nospec r9 */
|
|
|
|
xorl %r10d, %r10d /* nospec r10 */
|
|
|
|
xorl %r11d, %r11d /* nospec r11 */
|
|
|
|
xorl %ebx, %ebx /* nospec rbx */
|
|
|
|
xorl %ebp, %ebp /* nospec rbp */
|
|
|
|
xorl %r12d, %r12d /* nospec r12 */
|
|
|
|
xorl %r13d, %r13d /* nospec r13 */
|
|
|
|
xorl %r14d, %r14d /* nospec r14 */
|
|
|
|
xorl %r15d, %r15d /* nospec r15 */
|
|
|
|
|
2018-02-11 18:49:48 +08:00
|
|
|
.endm
|
2018-02-11 18:49:45 +08:00
|
|
|
|
2024-06-12 13:13:20 +08:00
|
|
|
.macro POP_REGS pop_rdi=1
|
2017-11-02 15:59:01 +08:00
|
|
|
popq %r15
|
|
|
|
popq %r14
|
|
|
|
popq %r13
|
|
|
|
popq %r12
|
|
|
|
popq %rbp
|
|
|
|
popq %rbx
|
|
|
|
popq %r11
|
|
|
|
popq %r10
|
|
|
|
popq %r9
|
|
|
|
popq %r8
|
|
|
|
popq %rax
|
|
|
|
popq %rcx
|
|
|
|
popq %rdx
|
|
|
|
popq %rsi
|
2018-02-11 18:49:43 +08:00
|
|
|
.if \pop_rdi
|
2017-11-02 15:59:01 +08:00
|
|
|
popq %rdi
|
2018-02-11 18:49:43 +08:00
|
|
|
.endif
|
2018-02-11 18:49:48 +08:00
|
|
|
.endm
|
2013-08-14 20:51:00 +08:00
|
|
|
|
2017-12-04 22:07:35 +08:00
|
|
|
#ifdef CONFIG_PAGE_TABLE_ISOLATION
|
|
|
|
|
2017-12-04 22:07:59 +08:00
|
|
|
/*
|
|
|
|
* PAGE_TABLE_ISOLATION PGDs are 8k. Flip bit 12 to switch between the two
|
|
|
|
* halves:
|
|
|
|
*/
|
2018-01-14 07:23:57 +08:00
|
|
|
#define PTI_USER_PGTABLE_BIT PAGE_SHIFT
|
|
|
|
#define PTI_USER_PGTABLE_MASK (1 << PTI_USER_PGTABLE_BIT)
|
|
|
|
#define PTI_USER_PCID_BIT X86_CR3_PTI_PCID_USER_BIT
|
|
|
|
#define PTI_USER_PCID_MASK (1 << PTI_USER_PCID_BIT)
|
|
|
|
#define PTI_USER_PGTABLE_AND_PCID_MASK (PTI_USER_PCID_MASK | PTI_USER_PGTABLE_MASK)
|
2017-12-04 22:07:35 +08:00
|
|
|
|
2017-12-04 22:07:59 +08:00
|
|
|
.macro SET_NOFLUSH_BIT reg:req
|
|
|
|
bts $X86_CR3_PCID_NOFLUSH_BIT, \reg
|
2017-12-04 22:07:35 +08:00
|
|
|
.endm
|
|
|
|
|
2017-12-04 22:07:59 +08:00
|
|
|
.macro ADJUST_KERNEL_CR3 reg:req
|
|
|
|
ALTERNATIVE "", "SET_NOFLUSH_BIT \reg", X86_FEATURE_PCID
|
|
|
|
/* Clear PCID and "PAGE_TABLE_ISOLATION bit", point CR3 at kernel pagetables: */
|
2018-01-14 07:23:57 +08:00
|
|
|
andq $(~PTI_USER_PGTABLE_AND_PCID_MASK), \reg
|
2017-12-04 22:07:35 +08:00
|
|
|
.endm
|
|
|
|
|
|
|
|
.macro SWITCH_TO_KERNEL_CR3 scratch_reg:req
|
2017-12-04 22:07:36 +08:00
|
|
|
ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_PTI
|
2017-12-04 22:07:35 +08:00
|
|
|
mov %cr3, \scratch_reg
|
|
|
|
ADJUST_KERNEL_CR3 \scratch_reg
|
|
|
|
mov \scratch_reg, %cr3
|
2017-12-04 22:07:36 +08:00
|
|
|
.Lend_\@:
|
2017-12-04 22:07:35 +08:00
|
|
|
.endm
|
|
|
|
|
2017-12-04 22:07:59 +08:00
|
|
|
#define THIS_CPU_user_pcid_flush_mask \
|
|
|
|
PER_CPU_VAR(cpu_tlbstate) + TLB_STATE_user_pcid_flush_mask
|
|
|
|
|
|
|
|
.macro SWITCH_TO_USER_CR3_NOSTACK scratch_reg:req scratch_reg2:req
|
2017-12-04 22:07:36 +08:00
|
|
|
ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_PTI
|
2017-12-04 22:07:35 +08:00
|
|
|
mov %cr3, \scratch_reg
|
2017-12-04 22:07:59 +08:00
|
|
|
|
|
|
|
ALTERNATIVE "jmp .Lwrcr3_\@", "", X86_FEATURE_PCID
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Test if the ASID needs a flush.
|
|
|
|
*/
|
|
|
|
movq \scratch_reg, \scratch_reg2
|
|
|
|
andq $(0x7FF), \scratch_reg /* mask ASID */
|
|
|
|
bt \scratch_reg, THIS_CPU_user_pcid_flush_mask
|
|
|
|
jnc .Lnoflush_\@
|
|
|
|
|
|
|
|
/* Flush needed, clear the bit */
|
|
|
|
btr \scratch_reg, THIS_CPU_user_pcid_flush_mask
|
|
|
|
movq \scratch_reg2, \scratch_reg
|
2018-01-14 07:23:57 +08:00
|
|
|
jmp .Lwrcr3_pcid_\@
|
2017-12-04 22:07:59 +08:00
|
|
|
|
|
|
|
.Lnoflush_\@:
|
|
|
|
movq \scratch_reg2, \scratch_reg
|
|
|
|
SET_NOFLUSH_BIT \scratch_reg
|
|
|
|
|
2018-01-14 07:23:57 +08:00
|
|
|
.Lwrcr3_pcid_\@:
|
|
|
|
/* Flip the ASID to the user version */
|
|
|
|
orq $(PTI_USER_PCID_MASK), \scratch_reg
|
|
|
|
|
2017-12-04 22:07:59 +08:00
|
|
|
.Lwrcr3_\@:
|
2018-01-14 07:23:57 +08:00
|
|
|
/* Flip the PGD to the user version */
|
|
|
|
orq $(PTI_USER_PGTABLE_MASK), \scratch_reg
|
2017-12-04 22:07:35 +08:00
|
|
|
mov \scratch_reg, %cr3
|
2017-12-04 22:07:36 +08:00
|
|
|
.Lend_\@:
|
2017-12-04 22:07:35 +08:00
|
|
|
.endm
|
|
|
|
|
2017-12-04 22:07:59 +08:00
|
|
|
.macro SWITCH_TO_USER_CR3_STACK scratch_reg:req
|
|
|
|
pushq %rax
|
|
|
|
SWITCH_TO_USER_CR3_NOSTACK scratch_reg=\scratch_reg scratch_reg2=%rax
|
|
|
|
popq %rax
|
|
|
|
.endm
|
|
|
|
|
2017-12-04 22:07:35 +08:00
|
|
|
.macro SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg:req save_reg:req
|
2017-12-04 22:07:36 +08:00
|
|
|
ALTERNATIVE "jmp .Ldone_\@", "", X86_FEATURE_PTI
|
2017-12-04 22:07:35 +08:00
|
|
|
movq %cr3, \scratch_reg
|
|
|
|
movq \scratch_reg, \save_reg
|
|
|
|
/*
|
2018-01-14 07:23:57 +08:00
|
|
|
* Test the user pagetable bit. If set, then the user page tables
|
|
|
|
* are active. If clear CR3 already has the kernel page table
|
|
|
|
* active.
|
2017-12-04 22:07:35 +08:00
|
|
|
*/
|
2018-01-14 07:23:57 +08:00
|
|
|
bt $PTI_USER_PGTABLE_BIT, \scratch_reg
|
|
|
|
jnc .Ldone_\@
|
2017-12-04 22:07:35 +08:00
|
|
|
|
|
|
|
ADJUST_KERNEL_CR3 \scratch_reg
|
|
|
|
movq \scratch_reg, %cr3
|
|
|
|
|
|
|
|
.Ldone_\@:
|
|
|
|
.endm
|
|
|
|
|
2017-12-04 22:08:00 +08:00
|
|
|
.macro RESTORE_CR3 scratch_reg:req save_reg:req
|
2017-12-04 22:07:36 +08:00
|
|
|
ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_PTI
|
2017-12-04 22:08:00 +08:00
|
|
|
|
|
|
|
ALTERNATIVE "jmp .Lwrcr3_\@", "", X86_FEATURE_PCID
|
|
|
|
|
|
|
|
/*
|
|
|
|
* KERNEL pages can always resume with NOFLUSH as we do
|
|
|
|
* explicit flushes.
|
|
|
|
*/
|
2018-01-14 07:23:57 +08:00
|
|
|
bt $PTI_USER_PGTABLE_BIT, \save_reg
|
2017-12-04 22:08:00 +08:00
|
|
|
jnc .Lnoflush_\@
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check if there's a pending flush for the user ASID we're
|
|
|
|
* about to set.
|
|
|
|
*/
|
|
|
|
movq \save_reg, \scratch_reg
|
|
|
|
andq $(0x7FF), \scratch_reg
|
|
|
|
bt \scratch_reg, THIS_CPU_user_pcid_flush_mask
|
|
|
|
jnc .Lnoflush_\@
|
|
|
|
|
|
|
|
btr \scratch_reg, THIS_CPU_user_pcid_flush_mask
|
|
|
|
jmp .Lwrcr3_\@
|
|
|
|
|
|
|
|
.Lnoflush_\@:
|
|
|
|
SET_NOFLUSH_BIT \save_reg
|
|
|
|
|
|
|
|
.Lwrcr3_\@:
|
2017-12-04 22:07:35 +08:00
|
|
|
/*
|
|
|
|
* The CR3 write could be avoided when not changing its value,
|
|
|
|
* but would require a CR3 read *and* a scratch register.
|
|
|
|
*/
|
|
|
|
movq \save_reg, %cr3
|
2017-12-04 22:07:36 +08:00
|
|
|
.Lend_\@:
|
2017-12-04 22:07:35 +08:00
|
|
|
.endm
|
|
|
|
|
|
|
|
#else /* CONFIG_PAGE_TABLE_ISOLATION=n: */
|
|
|
|
|
|
|
|
.macro SWITCH_TO_KERNEL_CR3 scratch_reg:req
|
|
|
|
.endm
|
2017-12-04 22:07:59 +08:00
|
|
|
.macro SWITCH_TO_USER_CR3_NOSTACK scratch_reg:req scratch_reg2:req
|
|
|
|
.endm
|
|
|
|
.macro SWITCH_TO_USER_CR3_STACK scratch_reg:req
|
2017-12-04 22:07:35 +08:00
|
|
|
.endm
|
|
|
|
.macro SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg:req save_reg:req
|
|
|
|
.endm
|
2017-12-04 22:08:00 +08:00
|
|
|
.macro RESTORE_CR3 scratch_reg:req save_reg:req
|
2017-12-04 22:07:35 +08:00
|
|
|
.endm
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
2024-06-12 13:13:20 +08:00
|
|
|
/*
|
|
|
|
* IBRS kernel mitigation for Spectre_v2.
|
|
|
|
*
|
|
|
|
* Assumes full context is established (PUSH_REGS, CR3 and GS) and it clobbers
|
|
|
|
* the regs it uses (AX, CX, DX). Must be called before the first RET
|
|
|
|
* instruction (NOTE! UNTRAIN_RET includes a RET instruction)
|
|
|
|
*
|
|
|
|
* The optional argument is used to save/restore the current value,
|
|
|
|
* which is used on the paranoid paths.
|
|
|
|
*
|
|
|
|
* Assumes x86_spec_ctrl_{base,current} to have SPEC_CTRL_IBRS set.
|
|
|
|
*/
|
|
|
|
.macro IBRS_ENTER save_reg
|
|
|
|
ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_KERNEL_IBRS
|
|
|
|
movl $MSR_IA32_SPEC_CTRL, %ecx
|
|
|
|
|
|
|
|
.ifnb \save_reg
|
|
|
|
rdmsr
|
|
|
|
shl $32, %rdx
|
|
|
|
or %rdx, %rax
|
|
|
|
mov %rax, \save_reg
|
|
|
|
test $SPEC_CTRL_IBRS, %eax
|
|
|
|
jz .Ldo_wrmsr_\@
|
|
|
|
lfence
|
|
|
|
jmp .Lend_\@
|
|
|
|
.Ldo_wrmsr_\@:
|
|
|
|
.endif
|
|
|
|
|
|
|
|
movq PER_CPU_VAR(x86_spec_ctrl_current), %rdx
|
|
|
|
movl %edx, %eax
|
|
|
|
shr $32, %rdx
|
|
|
|
wrmsr
|
|
|
|
.Lend_\@:
|
|
|
|
.endm
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Similar to IBRS_ENTER, requires KERNEL GS,CR3 and clobbers (AX, CX, DX)
|
|
|
|
* regs. Must be called after the last RET.
|
|
|
|
*/
|
|
|
|
.macro IBRS_EXIT save_reg
|
|
|
|
ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_KERNEL_IBRS
|
|
|
|
movl $MSR_IA32_SPEC_CTRL, %ecx
|
|
|
|
|
|
|
|
.ifnb \save_reg
|
|
|
|
mov \save_reg, %rdx
|
|
|
|
.else
|
|
|
|
movq PER_CPU_VAR(x86_spec_ctrl_current), %rdx
|
|
|
|
andl $(~SPEC_CTRL_IBRS), %edx
|
|
|
|
.endif
|
|
|
|
|
|
|
|
movl %edx, %eax
|
|
|
|
shr $32, %rdx
|
|
|
|
wrmsr
|
|
|
|
.Lend_\@:
|
|
|
|
.endm
|
|
|
|
|
x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
Spectre v1 isn't only about array bounds checks. It can affect any
conditional checks. The kernel entry code interrupt, exception, and NMI
handlers all have conditional swapgs checks. Those may be problematic in
the context of Spectre v1, as kernel code can speculatively run with a user
GS.
For example:
if (coming from user space)
swapgs
mov %gs:<percpu_offset>, %reg
mov (%reg), %reg1
When coming from user space, the CPU can speculatively skip the swapgs, and
then do a speculative percpu load using the user GS value. So the user can
speculatively force a read of any kernel value. If a gadget exists which
uses the percpu value as an address in another load/store, then the
contents of the kernel value may become visible via an L1 side channel
attack.
A similar attack exists when coming from kernel space. The CPU can
speculatively do the swapgs, causing the user GS to get used for the rest
of the speculative window.
The mitigation is similar to a traditional Spectre v1 mitigation, except:
a) index masking isn't possible; because the index (percpu offset)
isn't user-controlled; and
b) an lfence is needed in both the "from user" swapgs path and the
"from kernel" non-swapgs path (because of the two attacks described
above).
The user entry swapgs paths already have SWITCH_TO_KERNEL_CR3, which has a
CR3 write when PTI is enabled. Since CR3 writes are serializing, the
lfences can be skipped in those cases.
On the other hand, the kernel entry swapgs paths don't depend on PTI.
To avoid unnecessary lfences for the user entry case, create two separate
features for alternative patching:
X86_FEATURE_FENCE_SWAPGS_USER
X86_FEATURE_FENCE_SWAPGS_KERNEL
Use these features in entry code to patch in lfences where needed.
The features aren't enabled yet, so there's no functional change.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Dave Hansen <dave.hansen@intel.com>
2019-07-09 00:52:25 +08:00
|
|
|
/*
|
|
|
|
* Mitigate Spectre v1 for conditional swapgs code paths.
|
|
|
|
*
|
|
|
|
* FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to
|
|
|
|
* prevent a speculative swapgs when coming from kernel space.
|
|
|
|
*
|
|
|
|
* FENCE_SWAPGS_KERNEL_ENTRY is used in the kernel entry non-swapgs code path,
|
|
|
|
* to prevent the swapgs from getting speculatively skipped when coming from
|
|
|
|
* user space.
|
|
|
|
*/
|
|
|
|
.macro FENCE_SWAPGS_USER_ENTRY
|
|
|
|
ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_USER
|
|
|
|
.endm
|
|
|
|
.macro FENCE_SWAPGS_KERNEL_ENTRY
|
|
|
|
ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_KERNEL
|
|
|
|
.endm
|
|
|
|
|
2018-08-17 06:16:58 +08:00
|
|
|
.macro STACKLEAK_ERASE_NOCLOBBER
|
|
|
|
#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
|
|
|
|
PUSH_AND_CLEAR_REGS
|
|
|
|
call stackleak_erase
|
|
|
|
POP_REGS
|
|
|
|
#endif
|
|
|
|
.endm
|
|
|
|
|
2024-06-11 20:26:44 +08:00
|
|
|
.macro SAVE_AND_SET_GSBASE scratch_reg:req save_reg:req
|
|
|
|
rdgsbase \save_reg
|
|
|
|
GET_PERCPU_BASE \scratch_reg
|
|
|
|
wrgsbase \scratch_reg
|
|
|
|
.endm
|
2013-08-14 20:51:00 +08:00
|
|
|
#endif /* CONFIG_X86_64 */
|
|
|
|
|
2018-08-17 06:16:58 +08:00
|
|
|
.macro STACKLEAK_ERASE
|
|
|
|
#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
|
|
|
|
call stackleak_erase
|
|
|
|
#endif
|
|
|
|
.endm
|
|
|
|
|
2015-11-13 04:59:04 +08:00
|
|
|
/*
|
|
|
|
* This does 'call enter_from_user_mode' unless we can avoid it based on
|
|
|
|
* kernel config or using the static jump infrastructure.
|
|
|
|
*/
|
|
|
|
.macro CALL_enter_from_user_mode
|
|
|
|
#ifdef CONFIG_CONTEXT_TRACKING
|
2018-12-30 23:14:15 +08:00
|
|
|
#ifdef CONFIG_JUMP_LABEL
|
2018-12-19 18:20:23 +08:00
|
|
|
STATIC_JUMP_IF_FALSE .Lafter_call_\@, context_tracking_enabled, def=0
|
2015-11-13 04:59:04 +08:00
|
|
|
#endif
|
|
|
|
call enter_from_user_mode
|
|
|
|
.Lafter_call_\@:
|
|
|
|
#endif
|
|
|
|
.endm
|
2019-07-11 19:40:55 +08:00
|
|
|
|
|
|
|
#ifdef CONFIG_PARAVIRT_XXL
|
|
|
|
#define GET_CR2_INTO(reg) GET_CR2_INTO_AX ; _ASM_MOV %_ASM_AX, reg
|
|
|
|
#else
|
|
|
|
#define GET_CR2_INTO(reg) _ASM_MOV %cr2, reg
|
|
|
|
#endif
|
2024-06-11 20:26:44 +08:00
|
|
|
#ifdef CONFIG_SMP
|
|
|
|
|
|
|
|
/*
|
|
|
|
* CPU/node NR is loaded from the limit (size) field of a special segment
|
|
|
|
* descriptor entry in GDT.
|
|
|
|
*/
|
|
|
|
.macro LOAD_CPU_AND_NODE_SEG_LIMIT reg:req
|
|
|
|
movq $__CPUNODE_SEG, \reg
|
|
|
|
lsl \reg, \reg
|
|
|
|
.endm
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Fetch the per-CPU GSBASE value for this processor and put it in @reg.
|
|
|
|
* We normally use %gs for accessing per-CPU data, but we are setting up
|
|
|
|
* %gs here and obviously can not use %gs itself to access per-CPU data.
|
|
|
|
*
|
|
|
|
* Do not use RDPID, because KVM loads guest's TSC_AUX on vm-entry and
|
|
|
|
* may not restore the host's value until the CPU returns to userspace.
|
|
|
|
* Thus the kernel would consume a guest's TSC_AUX if an NMI arrives
|
|
|
|
* while running KVM's run loop.
|
|
|
|
*/
|
|
|
|
.macro GET_PERCPU_BASE reg:req
|
|
|
|
LOAD_CPU_AND_NODE_SEG_LIMIT \reg
|
|
|
|
andq $VDSO_CPUNODE_MASK, \reg
|
|
|
|
movq __per_cpu_offset(, \reg, 8), \reg
|
|
|
|
.endm
|
|
|
|
|
|
|
|
#else
|
|
|
|
|
|
|
|
.macro GET_PERCPU_BASE reg:req
|
|
|
|
movq pcpu_unit_offsets(%rip), \reg
|
|
|
|
.endm
|
|
|
|
|
|
|
|
#endif /* CONFIG_SMP */
|