The pause instruction is currently used in the retpoline and RSB filling
macros as a speculation trap. The use of pause was originally suggested
because it showed a very, very small difference in the amount of
cycles/time used to execute the retpoline as compared to lfence. On AMD,
the pause instruction is not a serializing instruction, so the pause/jmp
loop will use excess power as it is speculated over waiting for return
to mispredict to the correct target.
The RSB filling macro is applicable to AMD, and, if software is unable to
verify that lfence is serializing on AMD (possible when running under a
hypervisor), the generic retpoline support will be used and, so, is also
applicable to AMD. Change the use of pause to lfence.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/nospec-branch.h | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/x86/include/asm/nospec-branch.h
b/arch/x86/include/asm/nospec-branch.h
index 402a11c..2c4a09a 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -11,7 +11,7 @@
* Fill the CPU return stack buffer.
*
* Each entry in the RSB, if used for a speculative 'ret', contains an
- * infinite 'pause; jmp' loop to capture speculative execution.
+ * infinite 'lfence; jmp' loop to capture speculative execution.
*
* This is required in various cases for retpoline and IBRS-based
* mitigations for the Spectre variant 2 vulnerability. Sometimes to
@@ -37,12 +37,12 @@
771: \
call 772f; \
773: /* speculation trap */ \
- pause; \
+ lfence; \
jmp 773b; \
772: \
call 774f; \
775: /* speculation trap */ \
- pause; \
+ lfence; \
jmp 775b; \
774: \
dec reg; \
@@ -72,7 +72,7 @@
.macro RETPOLINE_JMP reg:req
call .Ldo_rop_\@
.Lspec_trap_\@:
- pause
+ lfence
jmp .Lspec_trap_\@
.Ldo_rop_\@:
mov \reg, (%_ASM_SP)
@@ -164,7 +164,7 @@
" jmp 904f;\n" \
" .align 16\n" \
"901: call 903f;\n" \
- "902: pause;\n" \
+ "902: lfence;\n" \
" jmp 902b;\n" \
" .align 16\n" \
"903: addl $4, %%esp;\n" \
