clmul_ghash_mul() and clmul_ghash_update() are callable non-leaf
functions which don't honor CONFIG_FRAME_POINTER, which can result in
bad stack traces.
Create stack frames for them when CONFIG_FRAME_POINTER is enabled.
Signed-off-by: Josh Poimboeuf
Cc: Herbert Xu
Cc: David S. M
do_suspend_lowlevel() is a callable non-leaf function which doesn't
honor CONFIG_FRAME_POINTER, which can result in bad stack traces.
Create a stack frame for it when CONFIG_FRAME_POINTER is enabled.
Signed-off-by: Josh Poimboeuf
Acked-by: Pavel Machek
Cc: Rafael J. Wysocki
Cc: Len
aesni-intel_asm.S has several callable non-leaf functions which don't
honor CONFIG_FRAME_POINTER, which can result in bad stack traces.
Create stack frames for them when CONFIG_FRAME_POINTER is enabled.
Signed-off-by: Josh Poimboeuf
Cc: Herbert Xu
Cc: David S. Miller
Cc: Mathias K
vide() is a callable function, but is missing the ELF function type,
which confuses tools like stacktool.
Properly annotate it to be a callable function. The generated code is
unchanged.
Signed-off-by: Josh Poimboeuf
---
arch/x86/kernel/cpu/amd.c | 5 -
1 file changed, 4 insertions(+), 1
this seems to be a valid use of the instruction.
Add both functions to the stacktool whitelist.
Signed-off-by: Josh Poimboeuf
Reviewed-by: David Vrabel
Cc: Konrad Rzeszutek Wilk
Cc: Boris Ostrovsky
---
arch/x86/xen/enlighten.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
CONFIG_FRAME_POINTER is enabled by
listing the stack pointer as an output operand for the PVOP inline asm
statements.
Signed-off-by: Josh Poimboeuf
Cc: Jeremy Fitzhardinge
Cc: Chris Wright
Cc: Alok Kataria
Cc: Rusty Russell
---
arch/x86/include/asm/paravirt_types.h | 18 ++
1 file changed, 10
enabled by
listing the stack pointer as an output operand for the hypercall inline
asm statements.
Signed-off-by: Josh Poimboeuf
Reviewed-by: David Vrabel
Cc: Konrad Rzeszutek Wilk
Cc: Boris Ostrovsky
---
arch/x86/include/asm/xen/hypercall.h | 5 +++--
1 file changed, 3 insertions(+), 2
F
callable functions.
Create a stack frame when CONFIG_FRAME_POINTER is enabled and add the
ELF function type.
Signed-off-by: Josh Poimboeuf
Cc: Jeremy Fitzhardinge
Cc: Chris Wright
Cc: Alok Kataria
Cc: Rusty Russell
---
arch/x86/include/asm/paravirt.h | 9 +++--
1 file changed, 7 insert
Add C versions of the frame pointer macros which can be used to create a
stack frame in inline assembly.
Signed-off-by: Josh Poimboeuf
---
arch/x86/include/asm/frame.h | 16 +---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/arch/x86/include/asm/frame.h b/arch/x86
stacktool rules.
Signed-off-by: Josh Poimboeuf
---
arch/x86/boot/Makefile | 3 ++-
arch/x86/boot/compressed/Makefile | 3 ++-
arch/x86/entry/vdso/Makefile | 5 -
arch/x86/purgatory/Makefile | 2 ++
arch/x86/realmode/Makefile | 4 +++-
arch/
Add new stacktool ignore macros: STACKTOOL_IGNORE_INSN and
STACKTOOL_IGNORE_FUNC. These can be used to tell stacktool to skip
validation of an instruction or a function, respectively.
Signed-off-by: Josh Poimboeuf
---
arch/x86/include/asm/stacktool.h | 45
Borislav Petkov
Cc: Linus Torvalds
Cc: Andi Kleen
Cc: Pedro Alves
Cc: Namhyung Kim
Cc: Bernd Petrovitsch
Cc: Chris J Arges
Cc: Andrew Morton
Cc: Jiri Slaby
Chris J Arges (2):
x86/uaccess: Add stack frame output operand in get_user inline asm
x86/stacktool: Ignore head_$(BITS) files.
into
tools list.h.
This is a straight copy except for adjustments to the include statements
and copying of the tools-specific list routines (list_del_range and
list_for_each_from).
Signed-off-by: Josh Poimboeuf
---
tools/include/linux/list.h | 752
On Thu, Oct 01, 2015 at 08:10:26AM +0200, mini...@ld-linux.so wrote:
> On Tue, Sep 22, 2015 at 10:47:04AM -0500, Josh Poimboeuf wrote:
> > aesni-intel_asm.S has several callable non-leaf functions which don't
> > honor CONFIG_FRAME_POINTER, which can result in bad stack tra
On Thu, Oct 01, 2015 at 09:50:51AM -0500, Chris J Arges wrote:
>
> > +
> > +$(STACKTOOL_IN): FORCE
> > + @$(MAKE) $(build)=stacktool
> > +
> > +$(STACKTOOL): $(STACKTOOL_IN)
> > + @(test -d ../../kernel -a -d ../../tools -a -d ../stacktool && (( \
> > + diff -I'^#include' arch/x86/insn/insn.
On Thu, Oct 01, 2015 at 07:36:54PM +0200, Mathias Krause wrote:
> On Do, Okt 01, 2015 at 08:29:50 -0500, Josh Poimboeuf wrote:
> > On Thu, Oct 01, 2015 at 08:10:26AM +0200, mini...@ld-linux.so wrote:
> > > On Tue, Sep 22, 2015 at 10:47:04AM -0500, Josh Poimboeuf wrote:
> >
rc_unwind table. Disabling unwinder.
>
> This comment moves an endif to match the if/endif pairs.
>
> Signed-off-by: Xi Ruoyao
Reviewed-by: Josh Poimboeuf
--
Josh
; unreachable warnings for GCC 4.4 and older"), which was a workaround
> for GCC 4.4 or older.
>
> Signed-off-by: Masahiro Yamada
Acked-by: Josh Poimboeuf
> ---
>
> scripts/Makefile.build | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/scripts/Ma
On Fri, Aug 03, 2018 at 07:40:40PM +0100, Allan Xavier wrote:
> +static void mark_rodata(struct objtool_file *file)
> +{
> + struct section *sec;
> + bool found = false;
> + static const char *str1 = ".str1.";
> + const int str1len = strlen(str1) + 1;
> +
A comment here would help,
On Fri, Aug 10, 2018 at 06:03:11PM +0200, Torsten Duwe wrote:
> This is more an RFC in the original sense: is this basically
> the correct approach? (as I had to tweak the API a bit).
>
> In particular the code does not detect interrupts and exception
> frames, and does not yet check whether the c
On Wed, Jul 25, 2018 at 03:17:53PM +0100, Allan Xavier wrote:
> This commit adds support for processing switch jump tables in objects
> with multiple .rodata sections, such as those created when using
> -ffunction-sections and -fdata-sections. Currently, objtool always
> looks in .rodata for jump
n Rostedt (VMware)
The enable_probe() name is a bit confusing, since it's not clear what
the difference is between enable_probe() and enable_trace_kprobe()
without looking at the code.
Maybe call it __enable_trace_kprobe()?
Otherwise it's a definite improvement.
Reviewed-by: Josh Poimboeuf
--
Josh
On Fri, Jul 27, 2018 at 04:23:55PM +0000, Jeremy Cline wrote:
> 'type' is a user-controlled value used to index into 's_qf_names', which
> can be used in a Spectre v1 attack. Clamp 'type' to the size of the
> array to avoid a speculative out-of-bounds r
xt4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
> spectre issue 'grp->bb_counters' [w] (local cap)
>
> * fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
> 'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)
>
> * fs
w] (local cap)
>
> * fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
> 'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)
>
> * fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
> 'EXT4_SB(e4b->bd_sb)->s_mb_max
On Thu, Jul 19, 2018 at 01:33:54PM +0900, Prashant Bhole wrote:
> Hi Peter, Josh,
>
> Found following bug. This bug can not be seen with this fix:
> https://lkml.org/lkml/2018/5/10/280.
Peter, care to clean that up and submit it?
--
Josh
ough the symbol table comparing them against a nonexisting function,
> which can be avoided.
>
> The same issues apply, to misspelled/incorrect names. At least gatekeep
> the modules with over the limit string length, by checking for their
> length during livepatch module registration.
>
On Tue, Jul 31, 2018 at 12:39:41AM -0600, Andreas Dilger wrote:
> > Also it looks like XQM_MAXQUOTAS, MAXQUOTAS, and EXT4_MAXQUOTAS all
> > have the same value (3). Maybe they can be consolidated to just use
> > MAXQUOTAS everywhere?
>
> No, the filesystem-specific MAXQUOTAS values were separated
On Tue, Jul 31, 2018 at 01:37:29AM +0000, Jeremy Cline wrote:
> Hi folks,
>
> This series unifies XQM_MAXQUOTAS with MAXQUOTAS, which were both being
> used to perform bounds checks on arrays, and then sanitizes 'type' so it
> can't be used in speculative out-of-bounds array access.
>
> Jeremy Cl
On Thu, Jul 19, 2018 at 11:19:54PM +0200, Peter Zijlstra wrote:
> --- a/include/uapi/linux/perf_event.h
> +++ b/include/uapi/linux/perf_event.h
> @@ -143,6 +143,8 @@ enum perf_event_sample_format {
> PERF_SAMPLE_PHYS_ADDR = 1U << 19,
>
> PERF_SAMPLE_MAX = 1U << 20,
On Mon, Jul 23, 2018 at 11:38:30PM +0200, Pavel Machek wrote:
> But for now I'd like at least "global" option of turning pti on/off
> during runtime for benchmarking. Let me see...
>
> Something like this, or is it going to be way more complex? Does
> anyone have patch by chance?
RHEL/CentOS has
On Mon, Jul 23, 2018 at 04:14:27PM +0200, Peter Zijlstra wrote:
> On Mon, Jul 23, 2018 at 08:30:06AM -0500, Josh Poimboeuf wrote:
> > On Thu, Jul 19, 2018 at 11:19:54PM +0200, Peter Zijlstra wrote:
> > > --- a/include/uapi/linux/perf_event.h
> > > +++ b/incl
On Tue, Jul 24, 2018 at 09:53:30PM +0200, Jiri Kosina wrote:
> From: Jiri Kosina
>
> The article "Spectre Returns! Speculation Attacks using the Return Stack
> Buffer" [1] describes two new (sub-)variants of spectrev2-like attack,
> making use solely of the RSB contents even on CPUs that don't fa
On Wed, Jul 25, 2018 at 12:28:26PM +0200, Artem Savkov wrote:
> If enable_trace_kprobe fails to enable the probe in enable_k(ret)probe
> it returns an error, but does not unset the tp flags it set previosly.
"previously"
> @@ -424,6 +423,16 @@ enable_trace_kprobe(struct trace_kprobe *tk, struct
> unable to remove the probe through kprobe_events file since probes_open()
> expects every probe to be disabled.
>
> Signed-off-by: Artem Savkov
Reviewed-by: Josh Poimboeuf
--
Josh
On Wed, Jul 25, 2018 at 03:50:44PM +0200, Jiri Kosina wrote:
> On Wed, 25 Jul 2018, Josh Poimboeuf wrote:
>
> > > The article "Spectre Returns! Speculation Attacks using the Return Stack
> > > Buffer" [1] describes two new (sub-)variants of spectrev2-like atta
On Thu, Jul 26, 2018 at 01:11:01AM +0200, Jiri Kosina wrote:
> On Wed, 25 Jul 2018, Linus Torvalds wrote:
>
> > > Mitigate userspace-userspace attacks by always unconditionally filling
> > > RSB on
> > > context switch when generic spectrev2 mitigation has been enabled.
> >
> > Shouldn't this al
> We bail out during patch registration for architectures, those don't
> support reliable stack trace.
Does anybody know if that change was intentional? I thought the plan
was to allow non-consistency-model arches to still use livepatch, and
that they'd just have to 'force' patches to completion
12 in commit
> e8320f3 (pager: drop "wait for output to run less" hack). The bug it
> worked around was apparently fixed in less back in June 2007.
>
> So remove the hack from here as well.
>
> Signed-off-by: Arvind Sankar
Looks good to me.
Acked-by: Josh Poimboeuf
L
On Thu, Jan 25, 2018 at 01:45:54PM +0100, Borislav Petkov wrote:
> > > +/* Like alternative_io, but for replacing a direct call with another
> > > one. */
> > > +#define alternative_void_call(oldfunc, newfunc, feature, input...)
> > > \
> > > + asm volatile (ALTERNATIVE("call %P[old
On Thu, Jan 25, 2018 at 04:03:18PM +0000, David Woodhouse wrote:
> On Thu, 2018-01-25 at 16:51 +0100, Borislav Petkov wrote:
> >
> > > And the seg fault is objtool's way of telling you you need a
> > > ANNOTATE_NOSPEC_ALTERNATIVE above the alternative ;-)
> >
> > Except that it blew up when I did
On Thu, Jan 25, 2018 at 05:00:39PM +0000, David Woodhouse wrote:
> On Thu, 2018-01-25 at 10:56 -0600, Josh Poimboeuf wrote:
> > On Thu, Jan 25, 2018 at 04:03:18PM +0000, David Woodhouse wrote:
> > > On Thu, 2018-01-25 at 16:51 +0100, Borislav Petkov wrote:
> > > >
On Thu, Jan 25, 2018 at 09:05:37AM -0800, Andy Lutomirski wrote:
> On Thu, Jan 25, 2018 at 9:00 AM, David Woodhouse wrote:
> > On Thu, 2018-01-25 at 10:56 -0600, Josh Poimboeuf wrote:
> >> On Thu, Jan 25, 2018 at 04:03:18PM +0000, David Woodhouse wrote:
> >> > On
On Thu, Jan 25, 2018 at 06:04:23PM +0000, David Woodhouse wrote:
> On Thu, 2018-01-25 at 18:53 +0100, Borislav Petkov wrote:
> >
> > So forget the KABI angle and think: simpler, cleaner, more readable
> > macros.
> >
> > Oh, and David, if while doing so I manage to add the alignment, then
> > *th
On Thu, May 11, 2017 at 02:40:42PM +0200, Miroslav Benes wrote:
> I'm still not sure if we know for 100 percent what we're doing :)
At least we know that we don't know!
--
Josh
On Thu, May 11, 2017 at 03:52:46PM +0200, Petr Mladek wrote:
> Anyway, a crazy idea is to use the livepatch consistency model instead
> of RCU to protect the function stack. The model makes sure that all
> tasks, including the idle ones, were not running any patched function
> (and their ftrace han
le() macro for C code, which you can call right after the
ASM_UD0 line above to fix the warnings. Feel free to add the patch to
your set.
From: Josh Poimboeuf
Subject: [PATCH] objtool: create UNREACHABLE_ASM macro
Create an UNREACHABLE_ASM macro to enable inline asm to annotate dead
end c
On Fri, May 12, 2017 at 09:53:48AM +0200, Jiri Slaby wrote:
> On 04/26/2017, 03:42 AM, Josh Poimboeuf wrote:
> >> @@ -323,7 +323,7 @@ ENTRY(resume_userspace)
> >>movl%esp, %eax
> >>callprepare_exit_to_usermode
> >>jmp restore_all
>
On Wed, Jan 10, 2018 at 08:55:40PM +0100, Thomas Gleixner wrote:
> On Wed, 10 Jan 2018, Linus Torvalds wrote:
>
> > On Wed, Jan 10, 2018 at 3:28 AM, Borislav Petkov wrote:
> > >
> > > Make sure we scan all bytes before we decide to optimize the NOPs in
> > > there.
> >
> > Can we also add compil
On Wed, Jan 10, 2018 at 12:26:25PM -0800, Linus Torvalds wrote:
> On Wed, Jan 10, 2018 at 12:15 PM, Josh Poimboeuf wrote:
> >
> > I think .altinstruction relocations *do* work if they're for the first
> > instruction, and it's a jump or a call.
>
> Yes - for
On Wed, Jan 10, 2018 at 01:11:48PM -0800, Linus Torvalds wrote:
> On Wed, Jan 10, 2018 at 1:08 PM, David Woodhouse wrote:
> >
> > There are a few of the form 'call *somefunc'.
> >
> > The existing code handles them not by virtue of the relocs, as I said,
> > but by a simple delta of the old and ne
On Wed, Jan 10, 2018 at 01:17:45PM -0800, Linus Torvalds wrote:
> On Wed, Jan 10, 2018 at 1:11 PM, Linus Torvalds
> wrote:
> >
> > Wouldn't it be much better to simply do it as part of relocation instead?
>
> .. except we only do real relocation for modules, and depend on the
> linker doing every
Make objtool compatible with CONFIG_RETPOLINE and re-enable the
objtool-dependent features.
Josh Poimboeuf (3):
objtool: Detect jumps to retpoline thunks
objtool: Ignore retpoline alternatives
Revert "x86/retpoline: Temporarily disable objtool when
CONFIG_RETPOLINE=y"
arch/x
This reverts commit 59b6e22f92f9a86dbd0798db72adc97bdb831f86.
Now that objtool is retpoline-aware, we can re-enable objtool and all
its friends, including ORC and the livepatch consistency model.
Signed-off-by: Josh Poimboeuf
---
arch/x86/Kconfig | 4 ++--
arch/x86/Kconfig.debug | 6
the control flow *around* the
retpoline, even if it can't yet follow what's inside. This means the
ORC unwinder will fail to unwind from inside a retpoline, but will work
fine otherwise.
Signed-off-by: Josh Poimboeuf
---
arch/x86/include/asm/nospec-branch.h | 27 +++-
too
: Josh Poimboeuf
---
tools/objtool/check.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index 9b341584eb1b..de053fb7049b 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -456,6 +456,13 @@ static int add_jump_destinations
On Tue, Jan 09, 2018 at 05:03:21PM -0800, Andi Kleen wrote:
> From: Andi Kleen
>
> Remove the partial stack frame in the 64bit syscall fast path.
> In the next patch we want to clear the extra registers, which requires
> to always save all registers. So remove the partial stack frame
> in the sys
On Wed, Jan 10, 2018 at 06:14:56PM +0100, Markus wrote:
> On Thursday, 4 January 2018 19:25:12 CET Markus wrote:
> > On Thursday, 4 January 2018 18:32:03 CET Josh Poimboeuf wrote:
> > > On Thu, Jan 04, 2018 at 05:56:30PM +0100, Markus wrote:
> > > > On Thursday, 4
On Wed, Jan 10, 2018 at 10:13:00PM -0600, Josh Poimboeuf wrote:
> On Wed, Jan 10, 2018 at 06:14:56PM +0100, Markus wrote:
> > On Thursday, 4 January 2018 19:25:12 CET Markus wrote:
> > > On Thursday, 4 January 2018 18:32:03 CET Josh Poimboeuf wrote:
> > > > On Thu, Ja
15 -
> samples/livepatch/livepatch-shadow-fix1.c | 15 -
> samples/livepatch/livepatch-shadow-fix2.c | 15 -
> 8 files changed, 33 insertions(+), 181 deletions(-)
Nice diffstat.
Acked-by: Josh Poimboeuf
--
Josh
On Tue, Jan 09, 2018 at 11:07:16AM -0600, Josh Poimboeuf wrote:
> On Tue, Jan 09, 2018 at 05:05:51PM +0100, Peter Zijlstra wrote:
> > On Tue, Jan 09, 2018 at 10:56:52AM -0500, Vince Weaver wrote:
> > > On Tue, 9 Jan 2018, Peter Zijlstra wrote:
> > >
> > > >
On Thu, Jan 11, 2018 at 11:37:18AM +0000, David Woodhouse wrote:
> In accordance with the Intel and AMD documentation, we need to overwrite
> all entries in the RSB on exiting a guest, to prevent malicious branch
> target predictions from affecting the host kernel. This is needed both
> for retpoli
On Thu, Jan 11, 2018 at 02:28:32PM +0000, David Woodhouse wrote:
> On Thu, 2018-01-11 at 08:20 -0600, Josh Poimboeuf wrote:
> >
> > This seems weird. I liked v1 a lot better. What's the problem with
> > patching in the whole thing?
> >
> > Also, if y
On Thu, Jan 11, 2018 at 02:53:57PM +0000, David Woodhouse wrote:
> On Thu, 2018-01-11 at 15:32 +0100, Peter Zijlstra wrote:
> > On Thu, Jan 11, 2018 at 02:28:32PM +0000, David Woodhouse wrote:
> > >
> > > On Thu, 2018-01-11 at 08:20 -0600, Josh Poimboeuf wrote:
>
module_put() is called and the module can be removed.
>
> Acquire klp_mutex in sysfs callback to prevent it. Do the same for the
> signal sending just to be sure. There is no real downside to that.
>
> Reported-by: Jason Baron
> Signed-off-by: Miroslav Benes
Acked-by: Josh Poimboeuf
--
Josh
On Thu, Jan 11, 2018 at 04:27:38PM +0000, David Woodhouse wrote:
> On Wed, 2018-01-10 at 19:48 -0600, Josh Poimboeuf wrote:
> >
> > +#define ANNOTATE_NOSPEC_ALTERNATIVE\
> > + "999:\n\t"
On Thu, Jan 11, 2018 at 04:39:38PM +0000, David Woodhouse wrote:
> On Thu, 2018-01-11 at 10:33 -0600, Josh Poimboeuf wrote:
> > On Thu, Jan 11, 2018 at 04:27:38PM +0000, David Woodhouse wrote:
> > >
> > > On Wed, 2018-01-10 at 19:48 -0600, Josh Poimboeuf wrote:
> >
On Thu, Jan 11, 2018 at 04:55:18PM +0000, David Woodhouse wrote:
> On Thu, 2018-01-11 at 10:48 -0600, Josh Poimboeuf wrote:
> >
> > The above macro is protected by '#ifdef RETPOLINE', and I seriously
> > doubt 0-day is testing with an unreleased version of GCC. S
On Thu, Jan 11, 2018 at 09:29:48AM -0800, Linus Torvalds wrote:
> That, btw, is also why it's pointless to make the small numbers
> "bigger". Using "1122" as a label is actively worse than just using
> "1".
>
> You shouldn't try to fool yourself and think that your number is
> "unique". It doesn't
On Thu, Jan 11, 2018 at 07:11:03PM +0100, Markus wrote:
> On Thursday, 11 January 2018 05:25:51 CET Josh Poimboeuf wrote:
> > On Wed, Jan 10, 2018 at 10:13:00PM -0600, Josh Poimboeuf wrote:
> > > On Wed, Jan 10, 2018 at 06:14:56PM +0100, Markus wrote:
> > > > On Thu
On Thu, Jan 11, 2018 at 10:21:49AM -0800, Alexei Starovoitov wrote:
> On Thu, Jan 11, 2018 at 09:02:55AM -0800, Andy Lutomirski wrote:
> > On Thu, Jan 11, 2018 at 7:51 AM, Dave Hansen
> > wrote:
> > > On 01/11/2018 07:44 AM, Willy Tarreau wrote:
> > >>> I think we also need to be able to dump the
On Thu, Jan 11, 2018 at 10:57:51AM -0800, Dave Hansen wrote:
> On 01/11/2018 10:51 AM, Linus Torvalds wrote:
> > On Thu, Jan 11, 2018 at 10:38 AM, Dave Hansen
> > wrote:
> >> On 01/11/2018 10:32 AM, Josh Poimboeuf wrote:
> >>>> hmm. Exposing cr3 to user spac
On Thu, Jan 11, 2018 at 02:00:27PM -0500, Vince Weaver wrote:
> On Wed, 10 Jan 2018, Josh Poimboeuf wrote:
>
> > For the crash, you might try enabling CONFIG_DEBUG_ENTRY and seeing if
> > that gives you any output.
>
> I did enable that, didn't seem to help on
On Thu, Jan 11, 2018 at 08:19:35PM +0100, Olivier Galibert wrote:
> Wouldn't the time taken by an easy syscall like getuid be a clear indicator?
I think only if you had a baseline measurement to compare against.
--
Josh
On Thu, Jan 11, 2018 at 07:52:00PM +0100, Markus wrote:
> On Thursday, 11 January 2018 19:20:57 CET Josh Poimboeuf wrote:
> > On Thu, Jan 11, 2018 at 07:11:03PM +0100, Markus wrote:
> > > On Thursday, 11 January 2018 05:25:51 CET Josh Poimboeuf wrote:
> > > > On W
On Thu, Jan 11, 2018 at 09:00:33PM +0100, Markus wrote:
> On Thursday, 11 January 2018 20:38:10 CET Josh Poimboeuf wrote:
> > On Thu, Jan 11, 2018 at 07:52:00PM +0100, Markus wrote:
> > > On Thursday, 11 January 2018 19:20:57 CET Josh Poimboeuf wrote:
> > > > On T
On Tue, Jan 09, 2018 at 05:03:21PM -0800, Andi Kleen wrote:
> From: Andi Kleen
>
> Remove the partial stack frame in the 64bit syscall fast path.
> In the next patch we want to clear the extra registers, which requires
> to always save all registers. So remove the partial stack frame
> in the sys
On Tue, Jan 09, 2018 at 05:03:23PM -0800, Andi Kleen wrote:
> From: Andi Kleen
>
> We clear all the non argument registers for 64bit SYSCALLs
> to minimize any risk of bad speculation using user values.
>
> So far unused argument registers still leak. To be addressed
> in future patches.
>
> Si
On Thu, Jan 11, 2018 at 09:03:56PM -0800, Dave Hansen wrote:
> On 01/11/2018 07:01 PM, Raj, Ashok wrote:
> > On Thu, Jan 11, 2018 at 06:20:13PM -0800, Andy Lutomirski wrote:
> >> On Thu, Jan 11, 2018 at 5:52 PM, Raj, Ashok wrote:
>
> What's wrong with native_read_msr()?
> >>>
> >>> Yes,
On Thu, Jan 11, 2018 at 04:47:02PM -0800, Dan Williams wrote:
> For 'get_user' paths, do not allow the kernel to speculate on the value
> of a user controlled pointer. In addition to the 'stac' instruction for
> Supervisor Mode Access Protection, an 'ifence' causes the 'access_ok'
> result to resol
On Fri, Jan 12, 2018 at 10:21:43AM -0800, Dan Williams wrote:
> > That just sounds wrong. What if the speculation starts *after* the
> > access_ok() check? Then the barrier has no purpose.
> >
> > Most access_ok/get_user/copy_from_user calls are like this:
> >
> > if (copy_from_user(...uptr..))
On Fri, Jan 12, 2018 at 12:01:04PM -0800, Linus Torvalds wrote:
> On Fri, Jan 12, 2018 at 11:26 AM, Dan Williams
> wrote:
> >
> > By the time we get to de-reference uptr we know it is not pointing at
> > kernel memory, because access_ok would have failed and the cpu would
> > have waited for that
On Fri, Jan 12, 2018 at 10:44:48PM +0100, Thomas Gleixner wrote:
> Folks!
>
> After 10 days of frenzy following the disclosure of the mess, I'm at a
> point where I think that the current set which we have in Linus tree and
> the pending patches in tip:x86/pti plus one not yet applied patch (RSB o
On Fri, Jan 12, 2018 at 06:56:18PM +0000, David Woodhouse wrote:
> On Fri, 2018-01-12 at 18:05 +0000, Andrew Cooper wrote:
> >
> > If you unconditionally fill the RSB on every entry to supervisor mode,
> > then there are never guest-controlled RSB values to be found.
> >
> > With that property (a
On Tue, Jan 30, 2018 at 10:58:31AM +0100, Peter Zijlstra wrote:
> On Mon, Jan 29, 2018 at 10:00:42PM -0600, Josh Poimboeuf wrote:
> > With the following commit:
> >
> > 2a0098d70640 ("objtool: Fix seg fault with gold linker")
> >
> > ... objtool warn
On Mon, Jan 29, 2018 at 08:21:08PM +0100, Peter Zijlstra wrote:
> On Mon, Jan 29, 2018 at 12:38:50PM -0600, Josh Poimboeuf wrote:
> > On Tue, Jan 23, 2018 at 04:25:42PM +0100, Peter Zijlstra wrote:
> > > Paravirt emits indirect calls which get flagged by objtool retpoline
> >
On Mon, Jan 29, 2018 at 10:04:47PM +0000, David Woodhouse wrote:
> From: Tim Chen
>
> Flush indirect branches when switching into a process that marked itself
> non dumpable. This protects high value processes like gpg better,
> without having too high performance overhead.
I wonder what the poi
On Tue, Jan 30, 2018 at 10:56:53AM +0100, Peter Zijlstra wrote:
> On Mon, Jan 29, 2018 at 04:52:53PM -0600, Josh Poimboeuf wrote:
> > On Tue, Jan 23, 2018 at 04:25:59PM +0100, Peter Zijlstra wrote:
> > > I've observed GCC generate:
> > >
> > > sy
On Tue, Jan 30, 2018 at 01:23:17PM -0800, Tim Chen wrote:
> On 01/30/2018 09:48 AM, Josh Poimboeuf wrote:
> > On Mon, Jan 29, 2018 at 10:04:47PM +0000, David Woodhouse wrote:
> >> From: Tim Chen
> >>
> >> Flush indirect branches when switching into a process
doesn't seem to be useful for much
other than introducing surprising corner cases and making the kernel
vulnerable to Spectre v2. It was probably a debug option from the early
paravirt days. So just remove it.
Signed-off-by: Josh Poimboeuf
---
Documentation/admin-guide/kernel-parameters.t
l
> context switches to a different userspace process, until we have a clear
> mitigation strategy for userspace against Spectre-v2 designed and
> implemented.
>
> Signed-off-by: Dominik Brodowski
Acked-by: Josh Poimboeuf
--
Josh
On Wed, Jan 31, 2018 at 10:29:21AM +0100, Peter Zijlstra wrote:
> On Fri, Jan 26, 2018 at 10:37:30AM +, David Woodhouse wrote:
> > On Tue, 2018-01-23 at 16:25 +0100, Peter Zijlstra wrote:
> > > This is boot code, we run this _way_ before userspace comes along to
> > > poison our branch predicto
On Fri, Jan 26, 2018 at 01:33:04PM +0300, Evgenii Shatokhin wrote:
> >+ The callbacks from the replaced patches are not called. It would be
> > pretty hard to define a reasonable semantic and implement it.
>
> At least, it surely simplifies error handling, if these callbacks are not
> cal
On Fri, Jan 26, 2018 at 11:23:26AM +0100, Petr Mladek wrote:
> So, we are talking about a lot of rather non-trivial code.
> IMHO, it might be easier to run just the callbacks from
> the new patch. In reality, the author should always know
> what it might be replacing and what needs to be done.
>
>
On Thu, Feb 01, 2018 at 04:08:14PM +0100, Miroslav Benes wrote:
> On Thu, 1 Feb 2018, Joe Lawrence wrote:
>
> > On 02/01/2018 08:49 AM, Miroslav Benes wrote:
> > >
> > > Well, one more thing. I think there is a problem with shadow variables.
> > > Similar to callbacks situation. Shadow variables
On Thu, Feb 01, 2018 at 04:13:48PM +0100, Peter Zijlstra wrote:
> On Thu, Feb 01, 2018 at 04:11:36PM +0100, Peter Zijlstra wrote:
> > On Thu, Feb 01, 2018 at 02:55:26PM +0000, David Woodhouse wrote:
> > >
> > >
> > > On Thu, 2018-02-01 at 15:34 +0100, Peter Zijlstra wrote:
> > > >
> > > > * Th
On Thu, Feb 01, 2018 at 03:34:21PM +0100, Peter Zijlstra wrote:
> There are the retpoline validation patches; they work with the __noretpoline
> thing from David.
Have you run this through 0-day bot yet? A manual awk/sed found another
one, which objtool confirms:
drivers/watchdog/.tmp_hpwdt.o:
On Thu, Feb 01, 2018 at 08:31:53AM +0000, David Woodhouse wrote:
> On Wed, 2018-01-31 at 08:03 +0100, Dominik Brodowski wrote:
> > Whether a process needs protection by IBPB on context switches is a
> > different question to whether a process should be allowed to be dumped,
> > though the former ma
On Thu, Feb 01, 2018 at 03:34:21PM +0100, Peter Zijlstra wrote:
> There are the retpoline validation patches; they work with the __noretpoline
> thing from David.
For the series:
Acked-by: Josh Poimboeuf
--
Josh
On Thu, Feb 01, 2018 at 06:14:27PM +0100, Peter Zijlstra wrote:
> On Thu, Feb 01, 2018 at 04:51:35PM +0000, David Woodhouse wrote:
> > > Ideally we'd have a way to mark the module 'unsafe' or something.
> >
> > No, we just need to set IBRS before doing it.
>
> That would work, assuming IBRS is a