
Commit 042751d

committed
Merge tag 'x86-urgent-2025-03-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull misc x86 fixes from Ingo Molnar: - Fix CPUID leaf 0x2 parsing bugs - Sanitize very early boot parameters to avoid crash - Fix size overflows in the SGX code - Make CALL_NOSPEC use consistent * tag 'x86-urgent-2025-03-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/boot: Sanitize boot params before parsing command line x86/sgx: Fix size overflows in sgx_encl_create() x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63 x86/cpu: Validate CPUID leaf 0x2 EDX output x86/cacheinfo: Validate CPUID leaf 0x2 EDX output x86/speculation: Add a conditional CS prefix to CALL_NOSPEC x86/speculation: Simplify and make CALL_NOSPEC consistent
2 parents 8287dfc + c00b413 commit 042751d


5 files changed

+64
-31
lines changed


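--- a/arch/x86/boot/compressed/pgtable_64.c
+++ b/arch/x86/boot/compressed/pgtable_64.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 #include "misc.h"
 #include <asm/bootparam.h>
+#include <asm/bootparam_utils.h>
 #include <asm/e820/types.h>
 #include <asm/processor.h>
 #include "pgtable.h"
@@ -107,6 +108,7 @@ asmlinkage void configure_5level_paging(struct boot_params *bp, void *pgtable)
 bool l5_required = false;
 
 /* Initialize boot_params. Required for cmdline_find_option_bool(). */
+sanitize_boot_params(bp);
 boot_params_ptr = bp;
 
 /*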
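Review bot: The existing comment above the added `sanitize_boot_params(bp);` in configure_5level_paging() still only says "Initialize boot_params", so nothing records why sanitising has to happen before `boot_params_ptr` is published. Going by the merge description, the call is there so the command-line lookup does not read fields a boot loader left uninitialised; a line such as `/* Sanitize first: cmdline_find_option_bool() reads boot_params fields that a loader may leave uninitialised. */` would stop a later cleanup from moving or dropping it. If later decompressor code sanitises the same structure again, it is worth confirming that a second pass is harmless; that code, like the rest of this function, is outside the hunk.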

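--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -198,9 +198,8 @@
 .endm
 
 /*
-* Equivalent to -mindirect-branch-cs-prefix; emit the 5 byte jmp/call
-* to the retpoline thunk with a CS prefix when the register requires
-* a RAX prefix byte to encode. Also see apply_retpolines().
+* Emits a conditional CS prefix that is compatible with
+* -mindirect-branch-cs-prefix.
 */
 .macro __CS_PREFIX reg:req
 .irp rs,r8,r9,r10,r11,r12,r13,r14,r15
@@ -420,20 +419,27 @@ static inline void call_depth_return_thunk(void) {}
 
 #ifdef CONFIG_X86_64
 
+/*
+* Emits a conditional CS prefix that is compatible with
+* -mindirect-branch-cs-prefix.
+*/
+#define __CS_PREFIX(reg) \
+".irp rs,r8,r9,r10,r11,r12,r13,r14,r15\n" \
+".ifc \\rs," reg "\n" \
+".byte 0x2e\n" \
+".endif\n" \
+".endr\n"
+
 /*
 * Inline asm uses the %V modifier which is only in newer GCC
 * which is ensured when CONFIG_MITIGATION_RETPOLINE is defined.
 */
-# define CALL_NOSPEC \
-ALTERNATIVE_2( \
-ANNOTATE_RETPOLINE_SAFE \
-"call *%[thunk_target]\n", \
-"call __x86_indirect_thunk_%V[thunk_target]\n", \
-X86_FEATURE_RETPOLINE, \
-"lfence;\n" \
-ANNOTATE_RETPOLINE_SAFE \
-"call *%[thunk_target]\n", \
-X86_FEATURE_RETPOLINE_LFENCE)
+#ifdef CONFIG_MITIGATION_RETPOLINE
+#define CALL_NOSPEC __CS_PREFIX("%V[thunk_target]") \
+"call __x86_indirect_thunk_%V[thunk_target]\n"
+#else
+#define CALL_NOSPEC "call *%[thunk_target]\n"
+#endif
 
 # define THUNK_TARGET(addr) [thunk_target] "r" (addr)
 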
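Review bot: The new `CALL_NOSPEC` under `CONFIG_MITIGATION_RETPOLINE` always emits the `__x86_indirect_thunk_%V[thunk_target]` call, yet no comment says what now covers the `X86_FEATURE_RETPOLINE_LFENCE` and retpoline-disabled cases that the removed `ALTERNATIVE_2()` selected explicitly. Presumably boot-time patching of the thunk call sites does this (the removed comment pointed at apply_retpolines()), but that code is not visible here and the rewritten comment drops the pointer. Once confirmed, I would add above the define `/* Always call the thunk; the call site is rewritten at boot (see apply_retpolines()) for the LFENCE and no-retpoline cases. */`. The C string macro `__CS_PREFIX(reg)` also shares its name and register list with the assembler `.macro __CS_PREFIX` in the first hunk, so a remark that the two must be kept in step would help. The enclosing `#ifdef CONFIG_X86_64` block continues outside the hunk.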

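--- a/arch/x86/kernel/cpu/cacheinfo.c
+++ b/arch/x86/kernel/cpu/cacheinfo.c
@@ -808,7 +808,7 @@ void init_intel_cacheinfo(struct cpuinfo_x86 *c)
 cpuid(2, &regs[0], &regs[1], &regs[2], &regs[3]);
 
 /* If bit 31 is set, this is an unknown format */
-for (j = 0 ; j < 3 ; j++)
+for (j = 0 ; j < 4 ; j++)
 if (regs[j] & (1 << 31))
 regs[j] = 0;
 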
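Review bot: The loop bound in init_intel_cacheinfo() is still a literal, now `4`, which is the kind of constant that let the fourth register go unvalidated before; tying it to the array, `for (j = 0; j < ARRAY_SIZE(regs); j++)`, keeps the bit-31 check in step with the four registers that `cpuid(2, ...)` fills. The test `regs[j] & (1 << 31)` also shifts into the sign bit of a signed int; `BIT(31)` or `1U << 31` expresses the same mask without relying on compiler flags. The declaration of `regs` is outside the hunk, so confirm it is a true array before using ARRAY_SIZE(). The same two lines appear in intel_detect_tlb() in arch/x86/kernel/cpu/intel.c and deserve the same change.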

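--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -635,26 +635,37 @@ static unsigned int intel_size_cache(struct cpuinfo_x86 *c, unsigned int size)
 }
 #endif
 
-#define TLB_INST_4K 0x01
-#define TLB_INST_4M 0x02
-#define TLB_INST_2M_4M 0x03
+#define TLB_INST_4K 0x01
+#define TLB_INST_4M 0x02
+#define TLB_INST_2M_4M 0x03
 
-#define TLB_INST_ALL 0x05
-#define TLB_INST_1G 0x06
+#define TLB_INST_ALL 0x05
+#define TLB_INST_1G 0x06
 
-#define TLB_DATA_4K 0x11
-#define TLB_DATA_4M 0x12
-#define TLB_DATA_2M_4M 0x13
-#define TLB_DATA_4K_4M 0x14
+#define TLB_DATA_4K 0x11
+#define TLB_DATA_4M 0x12
+#define TLB_DATA_2M_4M 0x13
+#define TLB_DATA_4K_4M 0x14
 
-#define TLB_DATA_1G 0x16
+#define TLB_DATA_1G 0x16
+#define TLB_DATA_1G_2M_4M 0x17
 
-#define TLB_DATA0_4K 0x21
-#define TLB_DATA0_4M 0x22
-#define TLB_DATA0_2M_4M 0x23
+#define TLB_DATA0_4K 0x21
+#define TLB_DATA0_4M 0x22
+#define TLB_DATA0_2M_4M 0x23
 
-#define STLB_4K 0x41
-#define STLB_4K_2M 0x42
+#define STLB_4K 0x41
+#define STLB_4K_2M 0x42
+
+/*
+* All of leaf 0x2's one-byte TLB descriptors implies the same number of
+* entries for their respective TLB types. The 0x63 descriptor is an
+* exception: it implies 4 dTLB entries for 1GB pages 32 dTLB entries
+* for 2MB or 4MB pages. Encode descriptor 0x63 dTLB entry count for
+* 2MB/4MB pages here, as its count for dTLB 1GB pages is already at the
+* intel_tlb_table[] mapping.
+*/
+#define TLB_0x63_2M_4M_ENTRIES 32
 
 static const struct _tlb_table intel_tlb_table[] = {
 { 0x01, TLB_INST_4K, 32, " TLB_INST 4 KByte pages, 4-way set associative" },
@@ -676,7 +687,8 @@ static const struct _tlb_table intel_tlb_table[] = {
 { 0x5c, TLB_DATA_4K_4M, 128, " TLB_DATA 4 KByte and 4 MByte pages" },
 { 0x5d, TLB_DATA_4K_4M, 256, " TLB_DATA 4 KByte and 4 MByte pages" },
 { 0x61, TLB_INST_4K, 48, " TLB_INST 4 KByte pages, full associative" },
-{ 0x63, TLB_DATA_1G, 4, " TLB_DATA 1 GByte pages, 4-way set associative" },
+{ 0x63, TLB_DATA_1G_2M_4M, 4, " TLB_DATA 1 GByte pages, 4-way set associative"
+" (plus 32 entries TLB_DATA 2 MByte or 4 MByte pages, not encoded here)" },
 { 0x6b, TLB_DATA_4K, 256, " TLB_DATA 4 KByte pages, 8-way associative" },
 { 0x6c, TLB_DATA_2M_4M, 128, " TLB_DATA 2 MByte or 4 MByte pages, 8-way associative" },
 { 0x6d, TLB_DATA_1G, 16, " TLB_DATA 1 GByte pages, fully associative" },
@@ -776,6 +788,12 @@ static void intel_tlb_lookup(const unsigned char desc)
 if (tlb_lld_4m[ENTRIES] < intel_tlb_table[k].entries)
 tlb_lld_4m[ENTRIES] = intel_tlb_table[k].entries;
 break;
+case TLB_DATA_1G_2M_4M:
+if (tlb_lld_2m[ENTRIES] < TLB_0x63_2M_4M_ENTRIES)
+tlb_lld_2m[ENTRIES] = TLB_0x63_2M_4M_ENTRIES;
+if (tlb_lld_4m[ENTRIES] < TLB_0x63_2M_4M_ENTRIES)
+tlb_lld_4m[ENTRIES] = TLB_0x63_2M_4M_ENTRIES;
+fallthrough;
 case TLB_DATA_1G:
 if (tlb_lld_1g[ENTRIES] < intel_tlb_table[k].entries)
 tlb_lld_1g[ENTRIES] = intel_tlb_table[k].entries;
@@ -799,7 +817,7 @@ static void intel_detect_tlb(struct cpuinfo_x86 *c)
 cpuid(2, &regs[0], &regs[1], &regs[2], &regs[3]);
 
 /* If bit 31 is set, this is an unknown format */
-for (j = 0 ; j < 3 ; j++)
+for (j = 0 ; j < 4 ; j++)
 if (regs[j] & (1 << 31))
 regs[j] = 0;
 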
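Review bot: In intel_tlb_lookup() the new `case TLB_DATA_1G_2M_4M:` takes its 2M/4M count from `TLB_0x63_2M_4M_ENTRIES` rather than from the table row, so a type value that looks generic is in fact bound to descriptor 0x63 alone. A comment at the case, `/* Only descriptor 0x63 maps here; its 2M/4M dTLB count is not in intel_tlb_table[]. */`, would keep a future table entry from reusing the type and silently reporting 32 entries. The block comment above the define also needs a wording fix: "descriptors implies" should read "descriptors imply", and "for 1GB pages 32 dTLB entries" is missing "and". The switch and the function continue outside the hunk.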

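--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -64,6 +64,13 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
 struct file *backing;
 long ret;
 
+/*
+* ECREATE would detect this too, but checking here also ensures
+* that the 'encl_size' calculations below can never overflow.
+*/
+if (!is_power_of_2(secs->size))
+return -EINVAL;
+
 va_page = sgx_encl_grow(encl, true);
 if (IS_ERR(va_page))
 return PTR_ERR(va_page);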
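Review bot: The added comment in sgx_encl_create() says the power-of-two check keeps the 'encl_size' calculations from overflowing, but it does not say why, and those calculations are outside this hunk. Since `secs` presumably originates from user space through the ioctl path, the reasoning is worth writing down: a power of two in a 64-bit field is at most 2^63, which leaves headroom for additions no larger than the size itself. I would extend the comment with a sentence like `A power-of-two size is at most 2^63, so adding the per-enclave overhead stays below 2^64.`, adjusted to the actual arithmetic further down. Placing the check before `sgx_encl_grow()` is right, since the early return then has nothing to undo.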
