x86/enter: Use IBRS on syscall and interrupts - fix ia32 path

The backports missed a tiny bit of changes.

The easier of them is the ia32_syscall - there are two ways it returns
back to userspace - to int_ret_from_sys_call and there eventually
end up either in syscall_return_via_sysret or opportunistic_sysret_failed.

syscall_return_via_sysret had it, but opportunistic_sysret_failed failed
to have it. That is b/c we optimized a bit and stuck the DISABLE_IBRS
on restore_c_regs_and_iret which was called from opportunistic_sysret_failed
and retint_swapgs.

But with KPTI, doing IBRS_DISABLE from within restore_c_regs_and_iret is
not good - as we are touching an kernel variable and restore_c_regs_and_iret is
running with user-mode cr3!

So "x86: Fix spectre/kpti integration" fixed it by adding the DISABLE_IBRS
syscall_return_via_sysret.
(If you look at the original commit you would think that we should
also fix opportunistic_sysret_failed, but that is fixed in
"x86: Fix spectre/kpti integration")

The seconday issue is that we did not call DISABLE_IBRS from
sysexit_from_sys_call. This patch adds that in too.

Orabug: 27344012
CVE: CVE-2017-5715

Reported-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>

diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 2279b4ff5d9eef2c0977a26ea19fc861c8686e71..0604c0b5cfc0e3922612ed2cc2b05d8a0cc6f1a2 100644 (file)
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -214,6 +214,9 @@ sysexit_from_sys_call:
        movl    EFLAGS(%rsp),%r11d      /* User eflags */
        /*CFI_RESTORE rflags*/
        TRACE_IRQS_ON
+
+       DISABLE_IBRS
+
        SWITCH_USER_CR3
 
        /*
@@ -560,7 +563,6 @@ ia32_sysret:
        movq %rax,RAX(%rsp)
 ia32_ret_from_sys_call:
        CLEAR_RREGS
-       DISABLE_IBRS
        jmp int_ret_from_sys_call
 
 ia32_tracesys: