Date: Fri, 26 Jan 2018 23:55:13 -0800
From: Dan Williams
Cc: Mark Rutland, Cyril Novikov, Peter Zijlstra,
 Catalin Marinas, Will Deacon,
 "H. Peter Anvin", Jiri Slaby,
 Elena Reshetova,
 Andi Kleen, Jonathan Corbet, Russell King,
 Ingo Molnar, Andrew Honig, Tom Lendacky,
 Kees Cook, Al Viro,
 Andy Lutomirski, Jim Mattson,
 Christian Lamparter, Paolo Bonzini,
 Johannes Berg,
 "David S. Miller"
Subject: [PATCH v5 00/12] spectre variant1 mitigations for tip/x86/pti

Hi Thomas,

Here's another spin of the spectre-v1 mitigations for 4.16.

Changes since v4.1: [1]
* Tweak the sanitization scheme yet again to make it even simpler. Now,
  instead of 'array_ptr' to get a sanitized pointer to an array element,
  just provide an array index sanitization helper 'array_idx' to be called
  after successfully validating the index is in bounds. I.e. in the
  exact same location one would otherwise put an lfence, place this

      if (idx < sz) {
          idx = array_idx(idx, sz);
          val = array[idx];

  This lets the implementation include more sanity checking that the
  compiler can usually compile out. It otherwise appears to produce
  better assembly. This also cleans up the concern about comparing the
  value returned from array_ptr to create another speculation point.
  (Russell, Linus, Cyril)

* Drop the syscall_64_fastpath.  This is the straightforward patch from
  Linus that might also be in flight from Andy, but I went ahead and
  included it since I did not see it on LKML yet.

* Kill the MASK_NOSPEC macro and just open code it. (Andy)

* Add system-call-number sanitization to the slow path syscall table

* Redo the array_ptr conversions with array_idx.

* Update /sys/devices/system/cpu/vulnerabilities/spectre_v1 to indicate
  the new protections. It now reports "Vulnerable: Minimal user pointer
  sanitization". (Jiri)


Dan Williams (11):
      array_idx: sanitize speculative array de-references
      x86: implement array_idx_mask
      x86: introduce __uaccess_begin_nospec and ifence
      x86, __get_user: use __uaccess_begin_nospec
      x86, get_user: use pointer masking to limit speculation
      x86: remove the syscall_64 fast-path
      x86: sanitize sycall table de-references under speculation
      vfs, fdtable: prevent bounds-check bypass via speculative execution
      kvm, x86: update spectre-v1 mitigation
      nl80211: sanitize array index in parse_txq_params
      x86/spectre: report get_user mitigation for spectre_v1

Mark Rutland (1):
      Documentation: document array_idx

 Documentation/speculation.txt     |   87 ++++++++++++++++++++++++++++
 arch/x86/entry/common.c           |    3 +
 arch/x86/entry/entry_64.S         |  116 -------------------------------------
 arch/x86/entry/syscall_64.c       |    7 +-
 arch/x86/include/asm/barrier.h    |   26 ++++++++
 arch/x86/include/asm/msr.h        |    3 -
 arch/x86/include/asm/uaccess.h    |   15 ++++-
 arch/x86/include/asm/uaccess_32.h |    6 +-
 arch/x86/include/asm/uaccess_64.h |   12 ++--
 arch/x86/kernel/cpu/bugs.c        |    2 -
 arch/x86/kvm/vmx.c                |   14 +++-
 arch/x86/lib/getuser.S            |   10 +++
 arch/x86/lib/usercopy_32.c        |    8 +--
 include/linux/fdtable.h           |    5 +-
 include/linux/nospec.h            |   64 ++++++++++++++++++++
 net/wireless/nl80211.c            |    9 ++-
 16 files changed, 239 insertions(+), 148 deletions(-)
 create mode 100644 Documentation/speculation.txt
 create mode 100644 include/linux/nospec.h
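
An added illustration, not code from this patch series: a user-space C model of the "validate the index, then sanitize it" pattern described in the first changelog item. The names `idx_mask`, `sanitize_idx` and `table_read`, the mask arithmetic, and the optimizer barrier are assumptions of this example, not the series' `array_idx` / `array_idx_mask` implementation.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* All ones when idx < sz, zero otherwise, with no conditional branch.
 * Assumes sz <= LONG_MAX and an arithmetic right shift of negative longs. */
static unsigned long idx_mask(unsigned long idx, unsigned long sz)
{
    return (unsigned long)(~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1));
}

/* Clamp idx to 0 if it is out of bounds; in-bounds values pass unchanged. */
static unsigned long sanitize_idx(unsigned long idx, unsigned long sz)
{
    unsigned long mask = idx_mask(idx, sz);
#if defined(__GNUC__)
    /* Example's choice: hide mask from the optimizer so it is not folded
     * to ~0UL inside an "if (idx < sz)" block (GCC/Clang extension). */
    __asm__ volatile("" : "+r"(mask));
#endif
    return idx & mask;
}

/* Bounds check first, then sanitize at the spot an lfence would go. */
static int table_read(const int *table, unsigned long sz,
                      unsigned long idx, int *out)
{
    if (idx < sz) {
        idx = sanitize_idx(idx, sz);
        *out = table[idx];
        return 0;
    }
    return -1;
}

int main(void)
{
    static const int table[4] = { 10, 20, 30, 40 }; /* constructed sample data */
    int v = 0;
    int rc = table_read(table, 4, 2, &v);

    printf("mask(3,4)=%#lx mask(4,4)=%#lx\n", idx_mask(3, 4), idx_mask(4, 4));
    printf("read idx 2 -> rc=%d v=%d\n", rc, v);
    printf("read idx 9 -> rc=%d\n", table_read(table, 4, 9, &v));
    return 0;
}
```

The sanitized index depends on the mask through data flow rather than a predicted branch, so a mispredicted bounds check still dereferences element 0 instead of an attacker-chosen offset.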
