2 files changed, 24 insertions, 0 deletions

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 01874d54f4fd..2da82eff0eb4 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -798,15 +798,25 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
                 if (task_spec_ssb_force_disable(task))
                         return -EPERM;
                 task_clear_spec_ssb_disable(task);
+                task_clear_spec_ssb_noexec(task);
                 task_update_spec_tif(task);
                 break;
         case PR_SPEC_DISABLE:
                 task_set_spec_ssb_disable(task);
+                task_clear_spec_ssb_noexec(task);
                 task_update_spec_tif(task);
                 break;
         case PR_SPEC_FORCE_DISABLE:
                 task_set_spec_ssb_disable(task);
                 task_set_spec_ssb_force_disable(task);
+                task_clear_spec_ssb_noexec(task);
+                task_update_spec_tif(task);
+                break;
+        case PR_SPEC_DISABLE_NOEXEC:
+                if (task_spec_ssb_force_disable(task))
+                        return -EPERM;
+                task_set_spec_ssb_disable(task);
+                task_set_spec_ssb_noexec(task);
                 task_update_spec_tif(task);
                 break;
         default:
@@ -885,6 +895,8 @@ static int ssb_prctl_get(struct task_struct *task)
         case SPEC_STORE_BYPASS_PRCTL:
                 if (task_spec_ssb_force_disable(task))
                         return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
+                if (task_spec_ssb_noexec(task))
+                        return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC;
                 if (task_spec_ssb_disable(task))
                         return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
                 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 90ae0ca51083..58ac7be52c7a 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -255,6 +255,18 @@ void arch_setup_new_exec(void)
         /* If cpuid was previously disabled for this task, re-enable it. */
         if (test_thread_flag(TIF_NOCPUID))
                 enable_cpuid();
+
+        /*
+         * Don't inherit TIF_SSBD across exec boundary when
+         * PR_SPEC_DISABLE_NOEXEC is used.
+         */
+        if (test_thread_flag(TIF_SSBD) &&
+            task_spec_ssb_noexec(current)) {
+                clear_thread_flag(TIF_SSBD);
+                task_clear_spec_ssb_disable(current);
+                task_clear_spec_ssb_noexec(current);
+                speculation_ctrl_update(task_thread_info(current)->flags);
+        }
 }
 
 static inline void switch_to_bitmap(struct thread_struct *prev,