From 4fcf28ef25c434ac504a918b76f3e6e02a716e00 Mon Sep 17 00:00:00 2001
From: Andrew Boie
Date: Fri, 3 Jan 2020 18:13:33 -0800
Subject: [PATCH] x86: mitigate swapgs Spectre V1 attacks

See CVE-2019-1125. We mitigate this by adding an 'lfence' upon interrupt/exception entry after the decision has been made whether it's necessary to invoke 'swapgs' or not. Only applies to x86_64, 32-bit doesn't use swapgs.

Signed-off-by: Andrew Boie
---
 arch/x86/Kconfig | 5 +++--
 arch/x86/core/intel64/locore.S | 16 ++++++++++++++--
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 64869cc6385..2947fca9b7d 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -188,8 +188,9 @@ config X86_NO_SPECTRE_V1
 	bool
 	help
 	  This hidden option should be set on a per-SOC basis to indicate that
-	  a particular SOC is not vulnerable to the Spectre V1, V1.1, and V1.2
-	  CPU vulnerabilities as described in CVE-2017-5753 and CVE-2018-3693.
+	  a particular SOC is not vulnerable to the Spectre V1, V1.1, V1.2, and
+	  swapgs CPU vulnerabilities as described in CVE-2017-5753,
+	  CVE-2018-3693, and CVE-2019-1125.
 
 config X86_NO_SPECTRE_V2
 	bool
diff --git a/arch/x86/core/intel64/locore.S b/arch/x86/core/intel64/locore.S
index 8e5ef3d6e98..fb340838eb1 100644
--- a/arch/x86/core/intel64/locore.S
+++ b/arch/x86/core/intel64/locore.S
@@ -310,8 +310,12 @@ __resume:
 	jz 1f
 	swapgs
 #endif /* CONFIG_USERSPACE */
-
-1:	iretq
+1:
+#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
+	/* swapgs variant of Spectre V1. Disable speculation past this point */
+	lfence
+#endif /* CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION */
+	iretq
@@ -329,6 +333,10 @@ except: /*
 	jz 1f
 	swapgs
 1:
+#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
+	/* swapgs variant of Spectre V1. Disable speculation past this point */
+	lfence
+#endif /* CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION */
 #endif /* CONFIG_USERSPACE */
 	pushq %r15
 	subq $X86_FXSAVE_SIZE, %rsp
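Review bot: The lfence added between the `1:` label and `iretq` in __resume is on the return-to-user path, where the only instruction after it is iretq, which is itself serializing, so it is not clear from this hunk which speculative %gs-relative access it closes; the entry-side fences in except and irq are the ones that sit ahead of the kernel's first %gs load. If the exit-side fence is deliberately kept so that every conditional swapgs is followed by a barrier, the comment should say so instead of repeating the entry-side wording, e.g. `/* swapgs variant of Spectre V1 (CVE-2019-1125). Kept on the exit path so every conditional swapgs is fenced; iretq below is serializing. */`. Otherwise it is an lfence on every return to user space with no obvious window to close, which is worth measuring before it lands. __resume begins before this hunk, and the trailing context lines after `iretq` are not recoverable from this rendering.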
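Review bot: The same four-line `#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION` / lfence / `#endif` block is now pasted three times — here after `1:` in except, in irq in the following hunk, and before iretq in __resume — so any later change to the fence or its comment has to be made in three places. A `.macro` defined once near the top of locore.S, expanding to lfence under the config option and to nothing otherwise, keeps each merge label to a single `swapgs_fence` line. The placement itself looks right: the fence sits at the join of the swapgs-taken and swapgs-skipped paths, and in the irq hunk it precedes the first visible %gs-relative load (`movq %gs:__x86_tss64_t_cpu_OFFSET, %rsi`). except begins before this hunk.

```asm
#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
.macro swapgs_fence
	/* swapgs variant of Spectre V1. Disable speculation past this point */
	lfence
.endm
#else
.macro swapgs_fence
.endm
#endif /* CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION */

/* … unchanged: except entry up to the conditional swapgs … */
1:
	swapgs_fence
#endif /* CONFIG_USERSPACE */
```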
@@ -427,6 +435,10 @@ irq:
 	jz 1f
 	swapgs
 1:
+#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
+	/* swapgs variant of Spectre V1. Disable speculation past this point */
+	lfence
+#endif /* CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION */
 #endif /* CONFIG_USERSPACE */
 	pushq %rsi
 	movq %gs:__x86_tss64_t_cpu_OFFSET, %rsi