1 files changed, 94 insertions, 0 deletions

diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0080-x86-retpoline-Add-LFENCE-to-the-retpoline-RSB-fillin.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0080-x86-retpoline-Add-LFENCE-to-the-retpoline-RSB-fillin.patch
new file mode 100644
index 00000000..acb54587
--- /dev/null
+++ b/common/recipes-kernel/linux/linux-yocto-4.9.21/0080-x86-retpoline-Add-LFENCE-to-the-retpoline-RSB-fillin.patch
@@ -0,0 +1,94 @@
+From b72091ebb94e5cb7808c813989e6b5aefa464751 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Sat, 13 Jan 2018 17:27:30 -0600
+Subject: [PATCH 080/103] x86/retpoline: Add LFENCE to the retpoline/RSB
+ filling RSB macros
+
+commit 28d437d550e1e39f805d99f9f8ac399c778827b7 upstream.
+
+The PAUSE instruction is currently used in the retpoline and RSB filling
+macros as a speculation trap.  The use of PAUSE was originally suggested
+because it showed a very, very small difference in the amount of
+cycles/time used to execute the retpoline as compared to LFENCE.  On AMD,
+the PAUSE instruction is not a serializing instruction, so the pause/jmp
+loop will use excess power as it is speculated over waiting for return
+to mispredict to the correct target.
+
+The RSB filling macro is applicable to AMD, and, if software is unable to
+verify that LFENCE is serializing on AMD (possible when running under a
+hypervisor), the generic retpoline support will be used and, so, is also
+applicable to AMD.  Keep the current usage of PAUSE for Intel, but add an
+LFENCE instruction to the speculation trap for AMD.
+
+The same sequence has been adopted by GCC for the GCC generated retpolines.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Borislav Petkov <bp@alien8.de>
+Acked-by: David Woodhouse <dwmw@amazon.co.uk>
+Acked-by: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Paul Turner <pjt@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
+Cc: Kees Cook <keescook@google.com>
+Link: https://lkml.kernel.org/r/20180113232730.31060.36287.stgit@tlendack-t1.amdoffice.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/nospec-branch.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
+index 402a11c..7b45d84 100644
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -11,7 +11,7 @@
+  * Fill the CPU return stack buffer.
+  *
+  * Each entry in the RSB, if used for a speculative 'ret', contains an
+- * infinite 'pause; jmp' loop to capture speculative execution.
++ * infinite 'pause; lfence; jmp' loop to capture speculative execution.
+  *
+  * This is required in various cases for retpoline and IBRS-based
+  * mitigations for the Spectre variant 2 vulnerability. Sometimes to
+@@ -38,11 +38,13 @@
+ 	call	772f;				\
+ 773:	/* speculation trap */			\
+ 	pause;					\
++	lfence;					\
+ 	jmp	773b;				\
+ 772:						\
+ 	call	774f;				\
+ 775:	/* speculation trap */			\
+ 	pause;					\
++	lfence;					\
+ 	jmp	775b;				\
+ 774:						\
+ 	dec	reg;				\
+@@ -73,6 +75,7 @@
+ 	call	.Ldo_rop_\@
+ .Lspec_trap_\@:
+ 	pause
++	lfence
+ 	jmp	.Lspec_trap_\@
+ .Ldo_rop_\@:
+ 	mov	\reg, (%_ASM_SP)
+@@ -165,6 +168,7 @@
+ 	"       .align 16\n"					\
+ 	"901:	call   903f;\n"					\
+ 	"902:	pause;\n"					\
++	"    	lfence;\n"					\
+ 	"       jmp    902b;\n"					\
+ 	"       .align 16\n"					\
+ 	"903:	addl   $4, %%esp;\n"				\
+-- 
+2.7.4
+