APPLIED: [SRU][Xenial][PATCH 0/3] Use upstream Spectre variant 1 BPF mitigations

[Kleber Souza]

On 09/11/18 07:35, Tyler Hicks wrote:
> This patchset moves the Xenial kernel over to the upstream mitigations
> for Spectre variant 1 (CVE-2017-5753). The upstream mitigations were
> mostly already in place thanks to the following commits that we picked
> up via linux-stable rebases:
> 
> b2157399cc98 ("bpf: prevent out-of-bounds speculation")
> bbeb6e4323da ("bpf, array: fix overflow in max_entries and undefined behavior in index_mask")
> 
> However, a fix commit for b2157399cc98 was still missing:
> 
> c93552c443eb ("bpf: properly enforce index mask to prevent out-of-bounds speculation")
> 
> I've backported the missing patch and reverted the out-of-tree
> mitigations for Spectre variant 1 in the BPF code now that all the
> corresponding upstream commits are in place.
> 
> I tested these changes using the upstream kernel's test-verifier and
> test-verifier-log BPF selftests. While there are many failures due to
> the tests from Linus HEAD being used on a 4.4 based kernel, the test
> results are the same with and without these patches applied. I ran the
> tests as an unprivileged user and as root.
> 
> It is also worth mentioning that the backport of c93552c443eb matches
> what SUSE has done in their 4.4 kernel:
> 
>  https://kernel.opensuse.org/cgit/kernel-source/tree/patches.fixes/bpf-properly-enforce-index-mask-to-prevent-out-of-bo.patch?h=SLE12-SP3
> 
> Tyler
> 
> 

Applied to xenial/master-next branch.

Thanks,
Kleber