On Tue, Jan 23, 2018 at 09:38:56PM +0100, Jiri Slaby wrote:
> From: David Woodhouse <dwmw@xxxxxxxxxxxx>
>
> commit c995efd5a740d9cbafbf58bde4973e8b50b4d761 upstream.
>
> On context switch from a shallow call stack to a deeper one, as the CPU
> does 'ret' up the deeper side it may encounter RSB entries (predictions for
> where the 'ret' goes to) which were populated in userspace.
>
> This is problematic if neither SMEP nor KPTI (the latter of which marks
> userspace pages as NX for the kernel) are active, as malicious code in
> userspace may then be executed speculatively.
>
> Overwrite the CPU's return prediction stack with calls which are predicted
> to return to an infinite loop, to "capture" speculation if this
> happens. This is required both for retpoline, and also in conjunction with
> IBRS for !SMEP && !KPTI.
>
> On Skylake+ the problem is slightly different, and an *underflow* of the
> RSB may cause errant branch predictions to occur. So there it's not so much
> overwrite, as *filling* the RSB to attempt to prevent it getting
> empty. This is only a partial solution for Skylake+ since there are many
> other conditions which may result in the RSB becoming empty. The full
> solution on Skylake+ is to use IBRS, which will prevent the problem even
> when the RSB becomes empty. With IBRS, the RSB-stuffing will not be
> required on context switch.
>
> [ tglx: Added missing vendor check and slightly massaged comments and
>   changelog ]
>
> [js] backport to 4.4 -- __switch_to_asm does not exist there, we
>      have to patch the switch_to macros for both x86_32 and x86_64.

Many thanks for the backport, both patches in this series now queued up.

greg k-h