On 10/26/2018 10:46 AM, Waiman Long wrote: > On 10/17/2018 01:59 PM, Tim Chen wrote: >> Mark the non-dumpable processes with TIF_STIBP flag so they will >> use STIBP and IBPB defenses against Spectre v2 attack from >> processes in user space. >> >> Signed-off-by: Tim Chen <[email protected]> >> --- >> arch/x86/kernel/cpu/bugs.c | 21 +++++++++++++++++++++ >> 1 file changed, 21 insertions(+) >> >> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c >> index 1d317f2..cc77b9e 100644 >> --- a/arch/x86/kernel/cpu/bugs.c >> +++ b/arch/x86/kernel/cpu/bugs.c >> @@ -14,6 +14,7 @@ >> #include <linux/module.h> >> #include <linux/nospec.h> >> #include <linux/prctl.h> >> +#include <linux/sched/coredump.h> >> >> #include <asm/spec-ctrl.h> >> #include <asm/cmdline.h> >> @@ -773,6 +774,26 @@ int arch_prctl_spec_ctrl_set(struct task_struct *task, >> unsigned long which, >> } >> } >> >> +void arch_set_dumpable(struct task_struct *tsk, unsigned int value) >> +{ >> + bool update; >> + >> + if (!static_branch_unlikely(&spectre_v2_app_lite)) >> + return; >> + if (!static_cpu_has(X86_FEATURE_STIBP)) >> + return; >> + if (spectre_v2_app2app_enabled == SPECTRE_V2_APP2APP_NONE) >> + return; > > The third if above seems to be a subset of the first one. Do you need to > do the check one more time? >
Yes, it is redundant and can be removed. Tim
