On Thu, Aug 2, 2018 at 12:22 PM, Srivatsa S. Bhat <srivatsa@xxxxxxxxxxxxx> wrote:
> On 7/26/18 4:09 PM, Kees Cook wrote:
>> On Tue, Jul 24, 2018 at 3:02 PM, Jiri Kosina <jikos@xxxxxxxxxx> wrote:
>>> On Tue, 24 Jul 2018, Srivatsa S. Bhat wrote:
>>>
>>>> However, if you are proposing that you'd like to contribute the enhanced
>>>> PTI/Spectre (upstream) patches from the SLES 4.4 tree to 4.4 stable, and
>>>> have them merged instead of this patch series, then I would certainly
>>>> welcome it!
>>>
>>> I'd in principle love us to push everything back to 4.4, but there are a
>>> few reasons (*) why that's not happening shortly.
>>>
>>> Anyway, to point out explicitly what's really needed for those folks
>>> running 4.4-stable and relying on PTI providing The Real Thing(TM), it's
>>> either a 4.4-stable port of
>>>
>>> http://kernel.suse.com/cgit/kernel-source/plain/patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack.patch?id=3428a77b02b1ba03e45d8fc352ec350429f57fc7
>>>
>>> or making THREADINFO_GFP imply __GFP_ZERO.
>>
>> This is true in Linus's tree now. Should be trivial to backport:
>> https://git.kernel.org/linus/e01e80634ecdd
>>
>
> Hi Jiri, Kees,
>
> Thank you for suggesting the patch! I have attached the (locally
> tested) 4.4 and 4.9 backports of that patch with this mail. (The
> mainline commit applies cleanly on 4.14).
>
> Greg, could you please consider including them in stable 4.4, 4.9
> and 4.14?

I don't think your v4.9 is sufficient: it leaves the vmapped stack
uncleared. v4.9 needs ca182551857 ("kmemleak: clear stale pointers
from task stacks") included in the backport (really, just adding the
memset()).

Otherwise, yup, looks good.

-Kees

-- 
Kees Cook
Pixel Security