Hi Thomas,

Here's another spin of the spectre-v1 mitigations for 4.16.

Changes since v4.1: [1]

* Tweak the sanitization scheme yet again to make it even simpler. Now,
  instead of 'array_ptr' to get a sanitized pointer to an array element,
  just provide an array index sanitization helper 'array_idx' to be called
  after successfully validating the index is in bounds. I.e. in the
  exact same location one would otherwise put an lfence, place this
  sanitizer:

        if (idx < sz) {
                idx = array_idx(idx, sz);
                val = array[idx];
        }

  This lets the implementation include more sanity checking that the
  compiler can usually compile out. It otherwise appears to produce
  better assembly. This also cleans up the concern about comparing the
  value returned from array_ptr to create another speculation point.
  (Russell, Linus, Cyril)

* Drop the syscall_64_fastpath. This is the straightforward patch from
  Linus that might also be in flight from Andy, but I went ahead and
  included it since I did not see it on LKML yet.

* Kill the MASK_NOSPEC macro and just open code it. (Andy)

* Add system-call-number sanitization to the slow path syscall table
  lookups.

* Redo the array_ptr conversions with array_idx.

* Update /sys/devices/system/cpu/vulnerabilities/spectre_v1 to indicate
  the new protections. It now reports "Vulnerable: Minimal user pointer
  sanitization". (Jiri)

---

Dan Williams (11):
      array_idx: sanitize speculative array de-references
      x86: implement array_idx_mask
      x86: introduce __uaccess_begin_nospec and ifence
      x86, __get_user: use __uaccess_begin_nospec
      x86, get_user: use pointer masking to limit speculation
      x86: remove the syscall_64 fast-path
      x86: sanitize sycall table de-references under speculation
      vfs, fdtable: prevent bounds-check bypass via speculative execution
      kvm, x86: update spectre-v1 mitigation
      nl80211: sanitize array index in parse_txq_params
      x86/spectre: report get_user mitigation for spectre_v1

Mark Rutland (1):
      Documentation: document array_idx

 Documentation/speculation.txt     |   87 ++++++++++++++++++++++++++++
 arch/x86/entry/common.c           |    3 +
 arch/x86/entry/entry_64.S         |  116 -------------------------------------
 arch/x86/entry/syscall_64.c       |    7 +-
 arch/x86/include/asm/barrier.h    |   26 ++++++++
 arch/x86/include/asm/msr.h        |    3 -
 arch/x86/include/asm/uaccess.h    |   15 ++++-
 arch/x86/include/asm/uaccess_32.h |    6 +-
 arch/x86/include/asm/uaccess_64.h |   12 ++--
 arch/x86/kernel/cpu/bugs.c        |    2 -
 arch/x86/kvm/vmx.c                |   14 +++-
 arch/x86/lib/getuser.S            |   10 +++
 arch/x86/lib/usercopy_32.c        |    8 +--
 include/linux/fdtable.h           |    5 +-
 include/linux/nospec.h            |   64 ++++++++++++++++++++
 net/wireless/nl80211.c            |    9 ++-
 16 files changed, 239 insertions(+), 148 deletions(-)
 create mode 100644 Documentation/speculation.txt
 create mode 100644 include/linux/nospec.h
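The sanitize-after-bounds-check pattern from the cover letter above, as an added userspace illustration that is not code from this series. demo_idx_mask and demo_array_idx are hypothetical stand-ins for array_idx_mask and array_idx, and the branch-free mask arithmetic is an assumption about how such a mask can be computed, not the patch's implementation.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/*
 * Hypothetical stand-in for array_idx_mask(): ~0UL when idx < sz, else 0.
 * Pure arithmetic, so there is no conditional branch to mispredict.
 * Assumes idx and sz are <= LONG_MAX and that >> on a negative long is an
 * arithmetic shift (true for gcc and clang). Kernel code must also stop
 * the compiler from folding the mask away; this sketch does not.
 */
static unsigned long demo_idx_mask(unsigned long idx, unsigned long sz)
{
    /* The sign bit of (idx | (sz - 1 - idx)) is set only when idx >= sz. */
    return (unsigned long)(~(long)(idx | (sz - 1UL - idx)) >> (BITS_PER_LONG - 1));
}

/* Hypothetical stand-in for array_idx(): idx if in bounds, otherwise 0. */
static unsigned long demo_array_idx(unsigned long idx, unsigned long sz)
{
    return idx & demo_idx_mask(idx, sz);
}

static const int table[4] = { 10, 20, 30, 40 };   /* constructed sample data */

/* The pattern from the cover letter: validate first, then sanitize. */
static int lookup(unsigned long idx, int fallback)
{
    unsigned long sz = sizeof(table) / sizeof(table[0]);

    if (idx < sz) {
        idx = demo_array_idx(idx, sz);
        return table[idx];
    }
    return fallback;
}

int main(void)
{
    /* Calling the sanitizer directly models a mis-speculated bounds check. */
    printf("in bounds:     %lu\n", demo_array_idx(2, 4));
    printf("out of bounds: %lu\n", demo_array_idx(7, 4));
    printf("lookup(1) = %d, lookup(9) = %d\n", lookup(1, -1), lookup(9, -1));
    return 0;
}
```

An out-of-bounds index collapses to 0 rather than passing through, so even if the `idx < sz` branch is mispredicted the dependent load stays inside the array.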