x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation

STIBP is a feature provided by certain Intel ucodes / CPUs. This feature
(once enabled) prevents cross-hyperthread control of decisions made by
indirect branch predictors.

Enable this feature if

- the CPU is vulnerable to spectre v2
- the CPU supports SMT and has SMT siblings online
- spectre_v2 mitigation autoselection is enabled (default)

After some previous discussion, this leaves STIBP on all the time, as wrmsr
on crossing kernel boundary is a no-no. This could perhaps later be a bit
more optimized (like disabling it in NOHZ, experiment with disabling it in
idle, etc) if needed.

Note that the synchronization of the mask manipulation via newly added
spec_ctrl_mutex is currently not strictly needed, as the only updater is
already being serialized by cpu_add_remove_lock, but let's make this a
little bit more future-proof.

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc:  "WoodhouseDavid" <dwmw@amazon.co.uk>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc:  "SchauflerCasey" <casey.schaufler@intel.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1809251438240.15880@cbobk.fhfr.pm

2 files changed, 61 insertions, 7 deletions

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 40bdaea97fe7..53eb14a65610 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -35,12 +35,10 @@ static void __init spectre_v2_select_mitigation(void);
 static void __init ssb_select_mitigation(void);
 static void __init l1tf_select_mitigation(void);
 
-/*
- * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
- * writes to SPEC_CTRL contain whatever reserved bits have been set.
- */
-u64 __ro_after_init x86_spec_ctrl_base;
+/* The base value of the SPEC_CTRL MSR that always has to be preserved. */
+u64 x86_spec_ctrl_base;
 EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
+static DEFINE_MUTEX(spec_ctrl_mutex);
 
 /*
  * The vendor and possibly platform specific bits which can be modified in
@@ -325,6 +323,46 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
         return cmd;
 }
 
+static bool stibp_needed(void)
+{
+        if (spectre_v2_enabled == SPECTRE_V2_NONE)
+                return false;
+
+        if (!boot_cpu_has(X86_FEATURE_STIBP))
+                return false;
+
+        return true;
+}
+
+static void update_stibp_msr(void *info)
+{
+        wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+}
+
+void arch_smt_update(void)
+{
+        u64 mask;
+
+        if (!stibp_needed())
+                return;
+
+        mutex_lock(&spec_ctrl_mutex);
+        mask = x86_spec_ctrl_base;
+        if (cpu_smt_control == CPU_SMT_ENABLED)
+                mask |= SPEC_CTRL_STIBP;
+        else
+                mask &= ~SPEC_CTRL_STIBP;
+
+        if (mask != x86_spec_ctrl_base) {
+                pr_info("Spectre v2 cross-process SMT mitigation: %s STIBP\n",
+                                cpu_smt_control == CPU_SMT_ENABLED ?
+                                "Enabling" : "Disabling");
+                x86_spec_ctrl_base = mask;
+                on_each_cpu(update_stibp_msr, NULL, 1);
+        }
+        mutex_unlock(&spec_ctrl_mutex);
+}
+
 static void __init spectre_v2_select_mitigation(void)
 {
         enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
@@ -424,6 +462,9 @@ specv2_set_mode:
                 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
                 pr_info("Enabling Restricted Speculation for firmware calls\n");
         }
+
+        /* Enable STIBP if appropriate */
+        arch_smt_update();
 }
 
 #undef pr_fmt
@@ -814,6 +855,8 @@ static ssize_t l1tf_show_state(char *buf)
 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
                                char *buf, unsigned int bug)
 {
+        int ret;
+
         if (!boot_cpu_has_bug(bug))
                 return sprintf(buf, "Not affected\n");
 
@@ -831,10 +874,12 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
                 return sprintf(buf, "Mitigation: __user pointer sanitization\n");
 
         case X86_BUG_SPECTRE_V2:
-                return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+                ret = sprintf(buf, "%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
                                boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
                                boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
+                               (x86_spec_ctrl_base & SPEC_CTRL_STIBP) ? ", STIBP" : "",
                                spectre_v2_module_string());
+                return ret;
 
         case X86_BUG_SPEC_STORE_BYPASS:
                 return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
diff --git a/kernel/cpu.c b/kernel/cpu.c
index aa7fe85ad62e..2fb49916ea56 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2025,6 +2025,12 @@ static void cpuhp_online_cpu_device(unsigned int cpu)
         kobject_uevent(&dev->kobj, KOBJ_ONLINE);
 }
 
+/*
+ * Architectures that need SMT-specific errata handling during SMT hotplug
+ * should override this.
+ */
+void __weak arch_smt_update(void) { };
+
 static int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval)
 {
         int cpu, ret = 0;
@@ -2051,8 +2057,10 @@ static int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval)
                  */
                 cpuhp_offline_cpu_device(cpu);
         }
-        if (!ret)
+        if (!ret) {
                 cpu_smt_control = ctrlval;
+                arch_smt_update();
+        }
         cpu_maps_update_done();
         return ret;
 }
@@ -2063,6 +2071,7 @@ static int cpuhp_smt_enable(void)
 
         cpu_maps_update_begin();
         cpu_smt_control = CPU_SMT_ENABLED;
+        arch_smt_update();
         for_each_present_cpu(cpu) {
                 /* Skip online CPUs and CPUs on offline nodes */
                 if (cpu_online(cpu) || !node_online(cpu_to_node(cpu)))