author | Ben Hutchings <ben@decadent.org.uk> | 2019-02-05 01:12:25 +0000 |
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-02-05 01:12:28 +0000 |
commit | e45585822a401474c4e4becebdd8a73bb74a6e19 (patch) | |
tree | d58fa0f3b28322c0908b0ee3fae67297ed62eb8d | |
parent | f5b7f8c5905290a13a82d8f4888e9dd2f07efae9 (diff) | |
download | linux-stable-queue-e45585822a401474c4e4becebdd8a73bb74a6e19.tar.gz |
Drop x86 IBPB patch that should not be backported by itself
There are several follow-up commits that are needed to avoid major
performance regressions.
-rw-r--r-- | queue-3.16/series | 1 | ||||
-rw-r--r-- | queue-3.16/x86-speculation-apply-ibpb-more-strictly-to-avoid-cross-process-data.patch | 166 |
2 files changed, 0 insertions, 167 deletions
diff --git a/queue-3.16/series b/queue-3.16/series
index 5def932c..6b7e6b4a 100644
--- a/queue-3.16/series
+++ b/queue-3.16/series
@@ -42,7 +42,6 @@ usb-chipidea-prevent-unbalanced-irq-disable.patch
 crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch
 media-pci-cx23885-handle-adding-to-list-failure.patch
 net-phy-stop-with-excessive-soft-reset.patch
-x86-speculation-apply-ibpb-more-strictly-to-avoid-cross-process-data.patch
 fuse-fix-blocked_waitq-wakeup.patch
 edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch
 iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch
diff --git a/queue-3.16/x86-speculation-apply-ibpb-more-strictly-to-avoid-cross-process-data.patch b/queue-3.16/x86-speculation-apply-ibpb-more-strictly-to-avoid-cross-process-data.patch
deleted file mode 100644
index dc37dae9..00000000
--- a/queue-3.16/x86-speculation-apply-ibpb-more-strictly-to-avoid-cross-process-data.patch
+++ /dev/null
@@ -1,166 +0,0 @@
-From: Jiri Kosina <jkosina@suse.cz>
-Date: Tue, 25 Sep 2018 14:38:18 +0200
-Subject: x86/speculation: Apply IBPB more strictly to avoid cross-process data
- leak
-
-commit dbfe2953f63c640463c630746cd5d9de8b2f63ae upstream.
-
-Currently, IBPB is only issued in cases when switching into a non-dumpable
-process, the rationale being to protect such 'important and security
-sensitive' processess (such as GPG) from data leaking into a different
-userspace process via spectre v2.
-
-This is however completely insufficient to provide proper userspace-to-userpace
-spectrev2 protection, as any process can poison branch buffers before being
-scheduled out, and the newly scheduled process immediately becomes spectrev2
-victim.
-
-In order to minimize the performance impact (for usecases that do require
-spectrev2 protection), issue the barrier only in cases when switching between
-processess where the victim can't be ptraced by the potential attacker (as in
-such cases, the attacker doesn't have to bother with branch buffers at all).
-
-[ tglx: Split up PTRACE_MODE_NOACCESS_CHK into PTRACE_MODE_SCHED and
- PTRACE_MODE_IBPB to be able to do ptrace() context tracking reasonably
- fine-grained ]
-
-Fixes: 18bf3c3ea8 ("x86/speculation: Use Indirect Branch Prediction Barrier in context switch")
-Originally-by: Tim Chen <tim.c.chen@linux.intel.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Andrea Arcangeli <aarcange@redhat.com>
-Cc: "WoodhouseDavid" <dwmw@amazon.co.uk>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: "SchauflerCasey" <casey.schaufler@intel.com>
-Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1809251437340.15880@cbobk.fhfr.pm
-[bwh: Backported to 3.16: We don't have mm_context_t::ctx_id so can't use
- it to compare task identity.]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
---- a/arch/x86/mm/tlb.c
-+++ b/arch/x86/mm/tlb.c
-@@ -7,6 +7,7 @@
- #include <linux/module.h>
- #include <linux/cpu.h>
- #include <linux/debugfs.h>
-+#include <linux/ptrace.h>
-
- #include <asm/tlbflush.h>
- #include <asm/mmu_context.h>
-@@ -95,6 +96,19 @@ void switch_mm(struct mm_struct *prev, s
- local_irq_restore(flags);
- }
-
-+static bool ibpb_needed(struct task_struct *tsk)
-+{
-+ /*
-+ * Check if the current (previous) task has access to the memory
-+ * of the @tsk (next) task. If access is denied, make sure to
-+ * issue a IBPB to stop user->user Spectre-v2 attacks.
-+ *
-+ * Note: __ptrace_may_access() returns 0 or -ERRNO.
-+ */
-+ return (tsk && tsk->mm &&
-+ ptrace_may_access_sched(tsk, PTRACE_MODE_SPEC_IBPB));
-+}
-+
- void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
- struct task_struct *tsk)
- {
-@@ -107,16 +121,13 @@ void switch_mm_irqs_off(struct mm_struct
- * one process from doing Spectre-v2 attacks on another.
- *
- * As an optimization, flush indirect branches only when
-- * switching into processes that disable dumping. This
-- * protects high value processes like gpg, without having
-- * too high performance overhead. IBPB is *expensive*!
-- *
-- * This will not flush branches when switching into kernel
-- * threads. It will flush if we switch to a different non-
-- * dumpable process.
-+ * switching into a processes that can't be ptrace by the
-+ * current one (as in such case, attacker has much more
-+ * convenient way how to tamper with the next process than
-+ * branch buffer poisoning).
- */
-- if (tsk && tsk->mm &&
-- get_dumpable(tsk->mm) != SUID_DUMP_USER)
-+ if (static_cpu_has(X86_FEATURE_USE_IBPB) &&
-+ ibpb_needed(tsk))
- indirect_branch_prediction_barrier();
-
- this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
---- a/include/linux/ptrace.h
-+++ b/include/linux/ptrace.h
-@@ -59,14 +59,17 @@ extern void exit_ptrace(struct task_stru
- #define PTRACE_MODE_READ 0x01
- #define PTRACE_MODE_ATTACH 0x02
- #define PTRACE_MODE_NOAUDIT 0x04
--#define PTRACE_MODE_FSCREDS 0x08
--#define PTRACE_MODE_REALCREDS 0x10
-+#define PTRACE_MODE_FSCREDS 0x08
-+#define PTRACE_MODE_REALCREDS 0x10
-+#define PTRACE_MODE_SCHED 0x20
-+#define PTRACE_MODE_IBPB 0x40
-
- /* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */
- #define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS)
- #define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS)
- #define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS)
- #define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS)
-+#define PTRACE_MODE_SPEC_IBPB (PTRACE_MODE_ATTACH_REALCREDS | PTRACE_MODE_IBPB)
-
- /**
- * ptrace_may_access - check whether the caller is permitted to access
-@@ -84,6 +87,20 @@ extern void exit_ptrace(struct task_stru
- */
- extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
-
-+/**
-+ * ptrace_may_access - check whether the caller is permitted to access
-+ * a target task.
-+ * @task: target task
-+ * @mode: selects type of access and caller credentials
-+ *
-+ * Returns true on success, false on denial.
-+ *
-+ * Similar to ptrace_may_access(). Only to be called from context switch
-+ * code. Does not call into audit and the regular LSM hooks due to locking
-+ * constraints.
-+ */
-+extern bool ptrace_may_access_sched(struct task_struct *task, unsigned int mode);
-+
- static inline int ptrace_reparented(struct task_struct *child)
- {
- return !same_thread_group(child->real_parent, child->parent);
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -262,6 +262,9 @@ static int ptrace_check_attach(struct ta
-
- static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
- {
-+ if (mode & PTRACE_MODE_SCHED)
-+ return false;
-+
- if (mode & PTRACE_MODE_NOAUDIT)
- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
- else
-@@ -329,9 +332,16 @@ ok:
- !ptrace_has_cap(mm->user_ns, mode)))
- return -EPERM;
-
-+ if (mode & PTRACE_MODE_SCHED)
-+ return 0;
- return security_ptrace_access_check(task, mode);
- }
-
-+bool ptrace_may_access_sched(struct task_struct *task, unsigned int mode)
-+{
-+ return __ptrace_may_access(task, mode | PTRACE_MODE_SCHED);
-+}
-+
- bool ptrace_may_access(struct task_struct *task, unsigned int mode)
- {
- int err; |