x86: mitigate swapgs Spectre V1 attacks

See CVE-2019-1125. We mitigate this by adding an 'lfence'
upon interrupt/exception entry after the decision has been
made whether it's necessary to invoke 'swapgs' or not.

Only applies to x86_64, 32-bit doesn't use swapgs.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>

arch/x86/Kconfig

@@ -188,8 +188,9 @@ config X86_NO_SPECTRE_V1
 	bool
 	help
 	  This hidden option should be set on a per-SOC basis to indicate that
-	  a particular SOC is not vulnerable to the Spectre V1, V1.1, and V1.2
-	  CPU vulnerabilities as described in CVE-2017-5753 and CVE-2018-3693.
+	  a particular SOC is not vulnerable to the Spectre V1, V1.1, V1.2, and
+	  swapgs CPU vulnerabilities as described in CVE-2017-5753,
+	  CVE-2018-3693, and CVE-2019-1125.
 
 config X86_NO_SPECTRE_V2
 	bool

arch/x86/core/intel64/locore.S

@@ -310,8 +310,12 @@ __resume:
 	jz 1f
 	swapgs
 #endif /* CONFIG_USERSPACE */
-
-1:	iretq
+1:
+#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
+	/* swapgs variant of Spectre V1. Disable speculation past this point */
+	lfence
+#endif /* CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION */
+	iretq
 
 
 
@@ -329,6 +333,10 @@ except: /*
 	jz 1f
 	swapgs
 1:
+#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
+	/* swapgs variant of Spectre V1. Disable speculation past this point */
+	lfence
+#endif /* CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION */
 #endif /* CONFIG_USERSPACE */
 	pushq %r15
 	subq $X86_FXSAVE_SIZE, %rsp
@@ -427,6 +435,10 @@ irq:
 	jz 1f
 	swapgs
 1:
+#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
+	/* swapgs variant of Spectre V1. Disable speculation past this point */
+	lfence
+#endif /* CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION */
 #endif /* CONFIG_USERSPACE */
 	pushq %rsi
 	movq %gs:__x86_tss64_t_cpu_OFFSET, %rsi