Patch "x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 29 Jun 2024 22:27:46 -0400

This is a note to let you know that I've just added the patch titled

    x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 19598933a5ddc7d6c3605bcc13fabb2d9f74d841
Author: Uros Bizjak <ubizjak@xxxxxxxxx>
Date:   Fri Mar 15 09:18:23 2024 +0100

    x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup
    
    [ Upstream commit 5d31174f3c8c465d9dbe88f6b9d1fe5716f44981 ]
    
    The assembly snippet in restore_fpregs_from_fpstate() that implements
    X86_BUG_FXSAVE_LEAK fixup loads the value from a random variable,
    preferably the one that is already in the L1 cache.
    
    However, the access to fpinit_state via *fpstate pointer is not
    implemented correctly. The "m" asm constraint requires dereferenced
    pointer variable, otherwise the compiler just reloads the value
    via temporary stack slot. The current asm code reflects this:
    
         mov    %rdi,(%rsp)
         ...
         fildl  (%rsp)
    
    With dereferenced pointer variable, the code does what the
    comment above the asm snippet says:
    
         fildl  (%rdi)
    
    Also, remove the pointless %P operand modifier. The modifier is
    ineffective on non-symbolic references - it was used to prevent
    %rip-relative addresses in .altinstr sections, but FILDL in the
    .text section can use %rip-relative addresses without problems.
    
    Signed-off-by: Uros Bizjak <ubizjak@xxxxxxxxx>
    Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
    Cc: Andy Lutomirski <luto@xxxxxxxxxx>
    Cc: H. Peter Anvin <hpa@xxxxxxxxx>
    Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240315081849.5187-1-ubizjak@xxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
index 3ad1bf5de7373..157008d99f951 100644
--- a/arch/x86/kernel/fpu/core.c
+++ b/arch/x86/kernel/fpu/core.c
@@ -121,8 +121,8 @@ void __restore_fpregs_from_fpstate(union fpregs_state *fpstate, u64 mask)
 		asm volatile(
 			"fnclex\n\t"
 			"emms\n\t"
-			"fildl %P[addr]"	/* set F?P to defined value */
-			: : [addr] "m" (fpstate));
+			"fildl %[addr]"	/* set F?P to defined value */
+			: : [addr] "m" (*fpstate));
 	}
 
 	if (use_xsave()) {







