x86/retpoline/hyperv: Convert assembler indirect jumps

commit e70e5892b28c18f517f29ab6e83bd57705104b31 upstream.

Convert all indirect jumps in hyperv inline asm code to use non-speculative
sequences when CONFIG_RETPOLINE is enabled.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: Rik van Riel <riel@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: thomas.lendacky@amd.com
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Kees Cook <keescook@google.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
Cc: Paul Turner <pjt@google.com>
Link: https://lkml.kernel.org/r/1515707194-20531-9-git-send-email-dwmw@amazon.co.uk
[ backport to 4.4, hopefully correct, not tested... - gregkh ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Orabug: 27477743
CVE: CVE-2017-5715
(cherry picked from commit d2beed45635e3c430bc6d84ff8e6c6e8cb2e10b4)
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Pavel Tatashin <pasha.tatashin@oracle.com>

diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
index eb4e383dbc58db41e66de1dae9e0dd7cf54e7f26..9a4926507ef2118c3a141f2236c8f74ec9071e8e 100644 (file)
--- a/drivers/hv/hv.c
+++ b/drivers/hv/hv.c
@@ -31,6 +31,7 @@
 #include <linux/clockchips.h>
 #include <asm/hyperv.h>
 #include <asm/mshyperv.h>
+#include <asm/nospec-branch.h>
 #include "hyperv_vmbus.h"
 
 /* The one and only */
@@ -103,9 +104,10 @@ u64 hv_do_hypercall(u64 control, void *input, void *output)
                return (u64)ULLONG_MAX;
 
        __asm__ __volatile__("mov %0, %%r8" : : "r" (output_address) : "r8");
-       __asm__ __volatile__("call *%3" : "=a" (hv_status) :
+       __asm__ __volatile__(CALL_NOSPEC :
+                            "=a" (hv_status) :
                             "c" (control), "d" (input_address),
-                            "m" (hypercall_page));
+                            THUNK_TARGET(hypercall_page));
 
        return hv_status;
 
@@ -123,11 +125,12 @@ u64 hv_do_hypercall(u64 control, void *input, void *output)
        if (!hypercall_page)
                return (u64)ULLONG_MAX;
 
-       __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
+       __asm__ __volatile__ (CALL_NOSPEC : "=d"(hv_status_hi),
                              "=a"(hv_status_lo) : "d" (control_hi),
                              "a" (control_lo), "b" (input_address_hi),
                              "c" (input_address_lo), "D"(output_address_hi),
-                             "S"(output_address_lo), "m" (hypercall_page));
+                             "S"(output_address_lo),
+                             THUNK_TARGET(hypercall_page));
 
        return hv_status_lo | ((u64)hv_status_hi << 32);
 #endif /* !x86_64 */