diff options
Diffstat (limited to 'common/recipes-kernel/linux/linux-yocto-4.9.21/0007-module-retpoline-Warn-about-missing-retpoline-in-mod.patch')
-rw-r--r-- | common/recipes-kernel/linux/linux-yocto-4.9.21/0007-module-retpoline-Warn-about-missing-retpoline-in-mod.patch | 159 |
1 files changed, 0 insertions, 159 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-module-retpoline-Warn-about-missing-retpoline-in-mod.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-module-retpoline-Warn-about-missing-retpoline-in-mod.patch deleted file mode 100644 index be5712b6..00000000 --- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-module-retpoline-Warn-about-missing-retpoline-in-mod.patch +++ /dev/null @@ -1,159 +0,0 @@ -From dabd9b2a92eda21c93aeee9f7bf8f369fed15833 Mon Sep 17 00:00:00 2001 -From: Andi Kleen <ak@linux.intel.com> -Date: Thu, 25 Jan 2018 15:50:28 -0800 -Subject: [PATCH 07/42] module/retpoline: Warn about missing retpoline in - module - -(cherry picked from commit caf7501a1b4ec964190f31f9c3f163de252273b8) - -There's a risk that a kernel which has full retpoline mitigations becomes -vulnerable when a module gets loaded that hasn't been compiled with the -right compiler or the right option. - -To enable detection of that mismatch at module load time, add a module info -string "retpoline" at build time when the module was compiled with -retpoline support. This only covers compiled C source, but assembler source -or prebuilt object files are not checked. - -If a retpoline enabled kernel detects a non retpoline protected module at -load time, print a warning and report it in the sysfs vulnerability file. - -[ tglx: Massaged changelog ] - -Signed-off-by: Andi Kleen <ak@linux.intel.com> -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Cc: David Woodhouse <dwmw2@infradead.org> -Cc: gregkh@linuxfoundation.org -Cc: torvalds@linux-foundation.org -Cc: jeyu@kernel.org -Cc: arjan@linux.intel.com -Link: https://lkml.kernel.org/r/20180125235028.31211-1-andi@firstfloor.org -Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - arch/x86/kernel/cpu/bugs.c | 17 ++++++++++++++++- - include/linux/module.h | 9 +++++++++ - kernel/module.c | 11 +++++++++++ - scripts/mod/modpost.c | 9 +++++++++ - 4 files changed, 45 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 8cacf62..4cea7d4 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -10,6 +10,7 @@ - #include <linux/init.h> - #include <linux/utsname.h> - #include <linux/cpu.h> -+#include <linux/module.h> - - #include <asm/nospec-branch.h> - #include <asm/cmdline.h> -@@ -92,6 +93,19 @@ static const char *spectre_v2_strings[] = { - #define pr_fmt(fmt) "Spectre V2 mitigation: " fmt - - static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE; -+static bool spectre_v2_bad_module; -+ -+#ifdef RETPOLINE -+bool retpoline_module_ok(bool has_retpoline) -+{ -+ if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline) -+ return true; -+ -+ pr_err("System may be vunerable to spectre v2\n"); -+ spectre_v2_bad_module = true; -+ return false; -+} -+#endif - - static void __init spec2_print_if_insecure(const char *reason) - { -@@ -277,6 +291,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev, - if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) - return sprintf(buf, "Not affected\n"); - -- return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]); -+ return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled], -+ spectre_v2_bad_module ? " - vulnerable module loaded" : ""); - } - #endif -diff --git a/include/linux/module.h b/include/linux/module.h -index 0c3207d..d2224a0 100644 ---- a/include/linux/module.h -+++ b/include/linux/module.h -@@ -791,6 +791,15 @@ static inline void module_bug_finalize(const Elf_Ehdr *hdr, - static inline void module_bug_cleanup(struct module *mod) {} - #endif /* CONFIG_GENERIC_BUG */ - -+#ifdef RETPOLINE -+extern bool retpoline_module_ok(bool has_retpoline); -+#else -+static inline bool retpoline_module_ok(bool has_retpoline) -+{ -+ return true; -+} -+#endif -+ - #ifdef CONFIG_MODULE_SIG - static inline bool module_sig_ok(struct module *module) - { -diff --git a/kernel/module.c b/kernel/module.c -index 0e54d5b..07bfb99 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -2817,6 +2817,15 @@ static int check_modinfo_livepatch(struct module *mod, struct load_info *info) - } - #endif /* CONFIG_LIVEPATCH */ - -+static void check_modinfo_retpoline(struct module *mod, struct load_info *info) -+{ -+ if (retpoline_module_ok(get_modinfo(info, "retpoline"))) -+ return; -+ -+ pr_warn("%s: loading module not compiled with retpoline compiler.\n", -+ mod->name); -+} -+ - /* Sets info->hdr and info->len. */ - static int copy_module_from_user(const void __user *umod, unsigned long len, - struct load_info *info) -@@ -2969,6 +2978,8 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags) - add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK); - } - -+ check_modinfo_retpoline(mod, info); -+ - if (get_modinfo(info, "staging")) { - add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK); - pr_warn("%s: module is from the staging directory, the quality " -diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c -index 325f1af..96a8047 100644 ---- a/scripts/mod/modpost.c -+++ b/scripts/mod/modpost.c -@@ -2130,6 +2130,14 @@ static void add_intree_flag(struct buffer *b, int is_intree) - buf_printf(b, "\nMODULE_INFO(intree, \"Y\");\n"); - } - -+/* Cannot check for assembler */ -+static void add_retpoline(struct buffer *b) -+{ -+ buf_printf(b, "\n#ifdef RETPOLINE\n"); -+ buf_printf(b, "MODULE_INFO(retpoline, \"Y\");\n"); -+ buf_printf(b, "#endif\n"); -+} -+ - static void add_staging_flag(struct buffer *b, const char *name) - { - static const char *staging_dir = "drivers/staging"; -@@ -2474,6 +2482,7 @@ int main(int argc, char **argv) - - add_header(&buf, mod); - add_intree_flag(&buf, !external_module); -+ add_retpoline(&buf); - add_staging_flag(&buf, mod->name); - err |= add_versions(&buf, mod); - add_depends(&buf, mod, modules); --- -2.7.4 - |