From e9f7bfc46f55f2688e99e174a36c2f216f23dcc0 Mon Sep 17 00:00:00 2001
From: Borislav Petkov
Date: Aug 04 2022 14:17:48 +0000
Subject: x86/speculation: Add LFENCE to RSB fill sequence (bsc#1201726 CVE-2022-26373).
---
diff --git a/patches.suse/x86-speculation-Add-LFENCE-to-RSB-fill-sequence.patch b/patches.suse/x86-speculation-Add-LFENCE-to-RSB-fill-sequence.patch
new file mode 100644
index 0000000..4331ff6
--- /dev/null
+++ b/patches.suse/x86-speculation-Add-LFENCE-to-RSB-fill-sequence.patch
@@ -0,0 +1,66 @@
+From: Pawan Gupta
+Date: Tue, 2 Aug 2022 15:47:02 -0700
+Subject: x86/speculation: Add LFENCE to RSB fill sequence
+Git-commit: ba6e31af2be96c4d0536f2152ed6f7b6c11bca47
+Patch-mainline: Queued in a subsystem tree
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+References: bsc#1201726 CVE-2022-26373
+
+RSB fill sequence does not have any protection for miss-prediction of
+conditional branch at the end of the sequence. CPU can speculatively
+execute code immediately after the sequence, while RSB filling hasn't
+completed yet.
+
+ #define __FILL_RETURN_BUFFER(reg, nr, sp) \
+ mov $(nr/2), reg; \
+ 771: \
+ ANNOTATE_INTRA_FUNCTION_CALL; \
+ call 772f; \
+ 773: /* speculation trap */ \
+ UNWIND_HINT_EMPTY; \
+ pause; \
+ lfence; \
+ jmp 773b; \
+ 772: \
+ ANNOTATE_INTRA_FUNCTION_CALL; \
+ call 774f; \
+ 775: /* speculation trap */ \
+ UNWIND_HINT_EMPTY; \
+ pause; \
+ lfence; \
+ jmp 775b; \
+ 774: \
+ add $(BITS_PER_LONG/8) * 2, sp; \
+ dec reg; \
+ jnz 771b; <----- CPU can miss-predict here.
+
+Before RSB is filled, RETs that come in program order after this macro
+can be executed speculatively, making them vulnerable to RSB-based
+attacks.
+
+Mitigate it by adding an LFENCE after the conditional branch to prevent
+speculation while RSB is being filled.
+
+Suggested-by: Andrew Cooper
+Signed-off-by: Pawan Gupta
+Signed-off-by: Borislav Petkov
+---
+ arch/x86/include/asm/nospec-branch.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
+index 4c9ba49d9b3e..d3a3cc6772ee 100644
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -60,7 +60,9 @@
+ 774: \
+ add $(BITS_PER_LONG/8) * 2, sp; \
+ dec reg; \
+- jnz 771b;
++ jnz 771b; \
++ /* barrier for jnz misprediction */ \
++ lfence;
+ 
+ #ifdef __ASSEMBLY__
+ 
+
diff --git a/series.conf b/series.conf
index 2f5b50e..f6dc95c 100644
--- a/series.conf
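Review bot: The comment `/* barrier for jnz misprediction */` added ahead of the new `lfence;` in `__FILL_RETURN_BUFFER` is too terse to carry the rationale the patch description gives, and the header is where the next person editing the fill sequence will look rather than the commit log. Consider `/* The loop-exit jnz can be mispredicted as not-taken while the RSB is still being filled; */` followed by `/* LFENCE keeps later RETs from issuing speculatively until the fill has retired. */`, each line keeping the trailing `\`. The macro's head lies outside the quoted `+@@ -60,7 +60,9 @@` hunk, so only its tail (`774:` through the new `lfence;`) is visible here. The `Patch-mainline: Queued in a subsystem tree` header will presumably need refreshing to the release tag once the commit appears in a mainline tag.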
+++ b/series.conf
@@ -12473,6 +12473,7 @@
 # tip
 patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch
+ patches.suse/x86-speculation-Add-LFENCE-to-RSB-fill-sequence.patch
 ########################################################
 # kbuild/module infrastructure fixes