releases/4.4.181/x86-speculation-mds-improve-cpu-buffer-clear-documentation.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 9d8d0294e78a164d407133dea05caf4b84247d6a Mon Sep 17 00:00:00 2001
 From: Andy Lutomirski <luto@kernel.org>
 Date: Tue, 14 May 2019 13:24:40 -0700
 Subject: x86/speculation/mds: Improve CPU buffer clear documentation

 From: Andy Lutomirski <luto@kernel.org>

 commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream.

 On x86_64, all returns to usermode go through
 prepare_exit_to_usermode(), with the sole exception of do_nmi().
 This even includes machine checks -- this was added several years
 ago to support MCE recovery.  Update the documentation.

 Signed-off-by: Andy Lutomirski <luto@kernel.org>
 Cc: Borislav Petkov <bp@suse.de>
 Cc: Frederic Weisbecker <frederic@kernel.org>
 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Cc: Jon Masters <jcm@redhat.com>
 Cc: Linus Torvalds <torvalds@linux-foundation.org>
 Cc: Peter Zijlstra <peterz@infradead.org>
 Cc: Thomas Gleixner <tglx@linutronix.de>
 Cc: stable@vger.kernel.org
 Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
 Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
 Signed-off-by: Ingo Molnar <mingo@kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  Documentation/x86/mds.rst |   39 +++++++--------------------------------
  1 file changed, 7 insertions(+), 32 deletions(-)

 --- a/Documentation/x86/mds.rst
 +++ b/Documentation/x86/mds.rst
 @@ -142,38 +142,13 @@ Mitigation points
     mds_user_clear.

     The mitigation is invoked in prepare_exit_to_usermode() which covers
 -   most of the kernel to user space transitions. There are a few exceptions
 -   which are not invoking prepare_exit_to_usermode() on return to user
 -   space. These exceptions use the paranoid exit code.
 -
 -   - Non Maskable Interrupt (NMI):
 -
 -     Access to sensible data like keys, credentials in the NMI context is
 -     mostly theoretical: The CPU can do prefetching or execute a
 -     misspeculated code path and thereby fetching data which might end up
 -     leaking through a buffer.
 -
 -     But for mounting other attacks the kernel stack address of the task is
 -     already valuable information. So in full mitigation mode, the NMI is
 -     mitigated on the return from do_nmi() to provide almost complete
 -     coverage.
 -
 -   - Machine Check Exception (#MC):
 -
 -     Another corner case is a #MC which hits between the CPU buffer clear
 -     invocation and the actual return to user. As this still is in kernel
 -     space it takes the paranoid exit path which does not clear the CPU
 -     buffers. So the #MC handler repopulates the buffers to some
 -     extent. Machine checks are not reliably controllable and the window is
 -     extremly small so mitigation would just tick a checkbox that this
 -     theoretical corner case is covered. To keep the amount of special
 -     cases small, ignore #MC.
 -
 -   - Debug Exception (#DB):
 -
 -     This takes the paranoid exit path only when the INT1 breakpoint is in
 -     kernel space. #DB on a user space address takes the regular exit path,
 -     so no extra mitigation required.
 +   all but one of the kernel to user space transitions.  The exception
 +   is when we return from a Non Maskable Interrupt (NMI), which is
 +   handled directly in do_nmi().
 +
 +   (The reason that NMI is special is that prepare_exit_to_usermode() can
 +    enable IRQs.  In NMI context, NMIs are blocked, and we don't want to
 +    enable IRQs with NMIs blocked.)


  2. C-State transition
	From 9d8d0294e78a164d407133dea05caf4b84247d6a Mon Sep 17 00:00:00 2001
	From: Andy Lutomirski <luto@kernel.org>
	Date: Tue, 14 May 2019 13:24:40 -0700
	Subject: x86/speculation/mds: Improve CPU buffer clear documentation

	From: Andy Lutomirski <luto@kernel.org>

	commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream.

	On x86_64, all returns to usermode go through
	prepare_exit_to_usermode(), with the sole exception of do_nmi().
	This even includes machine checks -- this was added several years
	ago to support MCE recovery. Update the documentation.

	Signed-off-by: Andy Lutomirski <luto@kernel.org>
	Cc: Borislav Petkov <bp@suse.de>
	Cc: Frederic Weisbecker <frederic@kernel.org>
	Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Cc: Jon Masters <jcm@redhat.com>
	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	Cc: Peter Zijlstra <peterz@infradead.org>
	Cc: Thomas Gleixner <tglx@linutronix.de>
	Cc: stable@vger.kernel.org
	Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
	Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	Documentation/x86/mds.rst \| 39 +++++++--------------------------------
	1 file changed, 7 insertions(+), 32 deletions(-)

	--- a/Documentation/x86/mds.rst
	+++ b/Documentation/x86/mds.rst
	@@ -142,38 +142,13 @@ Mitigation points
	mds_user_clear.

	The mitigation is invoked in prepare_exit_to_usermode() which covers
	- most of the kernel to user space transitions. There are a few exceptions
	- which are not invoking prepare_exit_to_usermode() on return to user
	- space. These exceptions use the paranoid exit code.
	-
	- - Non Maskable Interrupt (NMI):
	-
	- Access to sensible data like keys, credentials in the NMI context is
	- mostly theoretical: The CPU can do prefetching or execute a
	- misspeculated code path and thereby fetching data which might end up
	- leaking through a buffer.
	-
	- But for mounting other attacks the kernel stack address of the task is
	- already valuable information. So in full mitigation mode, the NMI is
	- mitigated on the return from do_nmi() to provide almost complete
	- coverage.
	-
	- - Machine Check Exception (#MC):
	-
	- Another corner case is a #MC which hits between the CPU buffer clear
	- invocation and the actual return to user. As this still is in kernel
	- space it takes the paranoid exit path which does not clear the CPU
	- buffers. So the #MC handler repopulates the buffers to some
	- extent. Machine checks are not reliably controllable and the window is
	- extremly small so mitigation would just tick a checkbox that this
	- theoretical corner case is covered. To keep the amount of special
	- cases small, ignore #MC.
	-
	- - Debug Exception (#DB):
	-
	- This takes the paranoid exit path only when the INT1 breakpoint is in
	- kernel space. #DB on a user space address takes the regular exit path,
	- so no extra mitigation required.
	+ all but one of the kernel to user space transitions. The exception
	+ is when we return from a Non Maskable Interrupt (NMI), which is
	+ handled directly in do_nmi().
	+
	+ (The reason that NMI is special is that prepare_exit_to_usermode() can
	+ enable IRQs. In NMI context, NMIs are blocked, and we don't want to
	+ enable IRQs with NMIs blocked.)


	2. C-State transition