[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Xen Security Advisory 289 v2 - Spectre V1 gadgets exploitable with L1TF
From: Xen.org security team <security () xen ! org>
Date: 2019-01-21 12:43:43
Message-ID: E1glYvX-00057u-QN () xenbits ! xenproject ! org
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory XSA-289
version 2
Spectre V1 gadgets exploitable with L1TF
UPDATES IN VERSION 2
====================
Include references for `smatch' in 0000-Cover-Letter.txt.
Correct embargo end date in 0000-Cover-Letter.txt.
Public release.
ISSUE DESCRIPTION
=================
Previously reported vulnerabilities CVE-2017-5753 / XSA-254 (Spectre V1)
and CVE-2018-3646 / XSA-273 (L1TF) can, when combined, be leveraged to
more easily gather leaked information. The Spectre V1 approach would be
used to bring data into the cache on on hyperthread of a given CPU core,
while L1TF would be utilized to read out the cached data on another
hyperthread of the same CPU core.
A number of specific exploitable gadgets have been identified.
There are no new vulnerabilities. There is only new information about
existing vulnerabilities: specifically, confirmation that existing,
previously disclosed, vulnerabilities, can be exploited in specific
ways. (Previously, it was merely expected, and stated in XSA-254 and
XSA-273, that such the vulnerabilities would be exploitable.)
IMPACT
======
An attacker can potentially read arbitrary host RAM. This includes data
belonging to Xen, data belonging to other guests, and data belonging to
different security contexts within the same guest.
An attacker could be a guest kernel (which can manipulate the pagetables
directly), or could be guest userspace either directly (e.g. with
mprotect() or similar system call) or indirectly (by gaming the guest
kernel's paging subsystem).
See XSA-254 and XSA-273 for more general information about the
underlying vulnerabilities.
VULNERABLE SYSTEMS
==================
Systems running all versions of Xen are affected.
Only x86 processors are vulnerable. ARM processors are not known to be
affected.
Only systems with Symmetric Multi Threading (SMT, aka hyperthreading)
available and enabled are vulnerable.
Only Intel Core based processors (from at least Merom onwards) are
potentially affected. Other processor designs (Intel Atom/Knights
range), and other manufacturers (AMD) are not known to be affected.
MITIGATION
==========
As discussed in XSA-273, disabling SMT / hyperthreading will avoid the
L1TF vulnerability. It will therefore prevent the use of the
exploitable code patterns discussed in this advisory. Disabling SMT
may be achieved via a BIOS option (preferred) or the "smt=0"
hypervisor command line option.
CREDITS
=======
This issue was discovered by Norbert Manthey, Julian Stecklina, and
Pawel Wieczorkiewicz of the Xen Security Team at Amazon.
RESOLUTION
==========
These are hardware bugs, so technically speaking they cannot be
properly fixed in software.
See XSA-273 and XSA-254 for a fuller discussion of the general
situation, background, etc.
TECHNICAL DETAILS
=================
For the specific technical details of the now-known-explitable code
patterns, please see the attached patches.
These patches are intended by their authors to mitigate these
vulnerabilities. In some form they are likely to be included in
future Xen releases. We very much welcome this contribution to the
Xen community's response to Spectre/L1TF.
However:
* These patches have not been validated by the Xen Project
Security Team. Work is ongoing.
* We expect that there may be other exploitable code patterns and
gadgets, similar to but beyond those disclosed here.
* Should further such exploitable code patterns be discovered, we
will not necessarily issue a further advisory, or update this
advisory. Instead, we would usually recommend that any
improvements to reduce the exploitability be handled in public, in
accordance with the public status of the underlying vulnerabilities
XSA-273 and XSA-254.
* We therefore do not recommend responding to this advisory by
applying these patches. Instead, we recommend using hardware
without this bug, or failing that, disabling hyperthreading (SMT)
as discussed in XSA-273.
$ sha256sum xsa289*/*
fb58117afd3d69b2bc67001b759bcb8b27d5eddf14bb69596e01b5735a46fc83 xsa289/0000-Cover-Letter.txt
8051f6ac3f945d80368e745fff9568688a5f3ec3d34e88e1f965fe74853a60ac \
xsa289/0001-lfence-add-function-that-returns-int.patch \
bc0a26533d56fff11081661546c0b0c0bf3b216dc18b72944dfeef36adb254d4 \
xsa289/0002-is_hvm-pv_domain-block-speculation.patch \
ffb445c40064c65b167b5badbb73bf5e00689494a11269684a5e432c96bb5d74 \
xsa289/0003-is_control_domain-block-speculation.patch \
2952ac3f46256a85670b18a3d100d2fc6429fa98bb07dd55abe7ee939f30cb3e \
xsa289/0004-x86-hvm-block-speculative-accesses.patch \
c73ceacd649ebc4bc054e6e181283c1c58e3bed3e1d1309e5780e5efbd85461a \
xsa289/0005-nospec-introduce-method-for-static-arrays.patch \
52af8d264e770055d1e3937de0e2ebca408f2a7ec6b8d4fd67270594e2fa17e7 \
xsa289/0006-x86-hvm-block-speculative-out-of-bound-accesses.patch \
6beb965c15b36cc81ba756202f046e5757f6c69b0983abd98e51710b03c9851b \
xsa289/0007-xen-evtchn-block-speculative-out-of-bound-accesses.patch \
e48aaee8cf62ee7fc5df9fd07e2b687e53a8e056001d4e6434525ac68346ee18 \
xsa289/0008-common-gant_table-block-speculative-out-of-bound-acc.patch \
8f4fad87aff662901d848add571f5e3d0c08de444cc514391f6f4a133eff14b5 \
xsa289/0009-x86-hvm-emulate-block-speculative-out-of-bound-acces.patch \
43e61e91318c44a56f954c058ce85616df46e5ca424fcad066e631c16add2956 \
xsa289/0010-x86-vioapic-block-speculative-out-of-bound-accesses.patch \
394cdb4c7e15cc2cbaa383b724707a8a87f9e19f729561fd3cf02c3551003911 \
xsa289/0011-x86-hvm-hpet-block-speculative-out-of-bound-accesses.patch \
54a3f85f887b9ce596b5908a62e3efff76c79502941b71fd520a4170299e21c0 \
xsa289/0012-common-memory-block-speculative-out-of-bound-accesse.patch \
e87a89f333873a3b96318adfdd5fde8317b3a2062e7f330fc5398e0e5eade213 \
xsa289/0013-x86-CPUID-block-speculative-out-of-bound-accesses.patch \
94957ed06308e9af120373be6807fd3b044de8a35b7088c10c78b496596664f2 \
xsa289/detect-spectre-candidates.sh \
8569b7be345e01365ea4ecdd22ed00b21343d4234d83f5ce4bb11191c918354e xsa289/sorted-gadgets.txt $
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlxFvnoMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ7oEIAKeR3NtnGU7gu7cQ6k6V8s8uKlGb8Afr6EobHTt1
aDK7tIoEgzbvwkFgwi7Q6/TuwsYwBDB8a+N2g/tlGg6lUe8uu1izLyu7Br3Qz22t
iPlW4j1m9u+4XYRFb2BRCmmijr86JlEN5cJrDLOeTn44fTXPpuvs+hN9QQDArSeC
oYQEHhZfIdzRJ5tH5ktiZJria2lrAOrrvPcqbyXgWHpJCK9FAoEa9jn5NQgi91jj
sIgFVvrJYmhP1lCyWYw5cxX0cKGItpdoA7Q7ndR4eXKRr4mpwv7RX6hkxtGyYAp/
24MB8+Ehasq7ZGCtDgCNW2Mqt7+6wmoWzRa666YTFnlc7MI=
=PAIM
-----END PGP SIGNATURE-----
["xsa289/0000-Cover-Letter.txt" (application/octet-stream)]
Dear all,
We recently detected a security vulnerability that can potentially allow the
leaking of hypervisor data and guest and dom0 data. The vulnerability only
affects hypervisors that run with hyperthreading enabled. The vulnerability
combines two already known vulnerabilities:
1) Spectre V1 (CVE-2017-5753, XSA 254)
2) L1TF (CVE-2018-3620, CVE-2018-3646, XSA-273)
As both vulnerabilities already have XSAs assigned, and the fix for L1TF is to
disable hyperthreading, the Xen security team has asked that this issue "should
be handled in public. there will not be a new XSA for the combined issue." To
allow operators of Xen with enabled hyperthreading to take action before we
disclose the patches, we decided to disclose this information on the XSA embargo
member list first. We will then disclose the patches publicly on 21st January,
2019. We do not guarantee that all potential defects are fixed with the patches.
We decided to prepare patches for origin/master of the Xen repository. Another
commit that has to be backported is provided below. Without this commit, there
might be more potential vulnerabilities. As you might be running another
version, we furthermore provide patches to the tool "smatch"[1] under GPLv2.
These patches allow you to perform a Spectre V1 analysis for Xen. This
way, you can analyze your version of Xen for potential
vulnerabilities, potentially allowing you to find more potential
candidates than were fixed in our first patch set. Note, the produced
list of potential vulnerabilities can be incomplete, and might contain
many false positives.
Best,
Norbert
Details of the vulnerability:
In the presence of the L1TF vulnerability, a guest can leak any data that is
brought into L1 cache. A guest with 2 hyperthreads on the same core can cause
the hypervisor to access memory in one core, while the other core executes guest
code the hypervisor cannot control.
There are several ways to speculatively bring data into the L1 cache. First,
speculation does not stop at privilege checks, so that the whole cache line of
data accessed close to a privilege check is brought into the cache, even if the
hypervisor currently serves unprivileged guests. These privilege checks include
the functions "is_hardware_domain", "is_control_domain", as well as Xen Security
Module (xsm) checks. Next, the trivial part of the Spectre V1 can be combined
with L1TF to leak even more data. The Spectre V1 attack required two parts: (1)
a load gadget, which loads potential secrets into the cache, and (2) a leak
gadget that makes the values of this secret available via a side channel. When
combining Spectre V1's load gadget (1) with L1TF's leak ability, any speculative
out-of-bound memory access becomes a potential vulnerability, especially, in
case the index for the out-of-bound operation is guest controlled.
This patch series addresses several of these issues, focusing on blocking
speculative out-of-bound accesses, as well as blocking loading hypervisor and
dom0 secrets into the L1 cache under speculation. We do not prevent out-of-bound
loads that might be caused by loops, because they can usually not be influenced
by the guest, and typically touch the same cache line that has been used in the
last valid loop iteration. Finally, the patches focus more on fixing potential
defects instead of maintaining high performance at all costs.
The issue has been reported by members of the Xen Security Team at Amazon:
Norbert Manthey, Julian Stecklina, and Pawel Wieczorkiewicz
What is provided in this package:
1) patches that fix potential SpectreV1+L1TF vulnerabilities
2) list of potential defects for Xen RELEASE-4.11.1
3) (non-public) patches for the smatch[1] tool,
as well as instructions to analyze Xen with this tool
Additionally to the provided patches, you have to backport the following commit,
because jump tables can also be used for speculative out-of-bound accesses:
2276da0db9b0f111e1a8f41dd707c6bd1dea9a7d
"retpoline: disable jump tables"
[1] smatch: https://repo.or.cz/w/smatch.git https://lwn.net/Articles/691882/
["xsa289/0001-lfence-add-function-that-returns-int.patch" (application/octet-stream)]
From 640c407c1684bfe77526aebe60383a50e97024c5 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 01/13] lfence: add function that returns int
In case the CPU executes speculatively, checks of domain properties, such
as is_hardware_domain or is_hvm_domain might be skipped. A reason for this
skip is that these macros access the domain structure via a pointer, and
check a certain field.
To block speculation and wait until the field is actually evaluated, we
need to add an lfence instruction after the field inspection. As the
macros are typically used in if statements, the lfence has to come in a
compatible way. Hence, we add a function that wraps the lfence instruction
and returns true. To protect a certain evaluation in an if statement, we
now have to add this function to the if statement as well.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/include/asm-x86/system.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xen/include/asm-x86/system.h b/xen/include/asm-x86/system.h
--- a/xen/include/asm-x86/system.h
+++ b/xen/include/asm-x86/system.h
@@ -203,6 +203,8 @@ static always_inline unsigned long __xadd(
#define rmb() asm volatile ( "lfence" ::: "memory" )
#define wmb() asm volatile ( "sfence" ::: "memory" )
+static inline int bool_lfence(void) { rmb(); return 1; }
+
/*
* SMP barriers, for ordering of reads and writes between CPUs, most commonly
* used with shared memory.
--
2.7.4
["xsa289/0002-is_hvm-pv_domain-block-speculation.patch" (application/octet-stream)]
From f2a099c06e1e5e4c8aa5516c338c4c0c70335ebb Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 02/13] is_hvm/pv_domain: block speculation
When checking for being an hvm domain, or PV domain, we have to make
sure that speculation cannot bypass that check, and eventually access
data that should not end up in cache for the current domain type.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/include/xen/sched.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -883,7 +883,8 @@ void watchdog_domain_destroy(struct domain *d);
static inline bool is_pv_domain(const struct domain *d)
{
- return IS_ENABLED(CONFIG_PV) ? d->guest_type == guest_type_pv : false;
+ bool res = IS_ENABLED(CONFIG_PV) ? d->guest_type == guest_type_pv : false;
+ return (res && bool_lfence()) || !bool_lfence();
}
static inline bool is_pv_vcpu(const struct vcpu *v)
@@ -914,7 +915,8 @@ static inline bool is_pv_64bit_vcpu(const struct vcpu *v)
#endif
static inline bool is_hvm_domain(const struct domain *d)
{
- return IS_ENABLED(CONFIG_HVM) ? d->guest_type == guest_type_hvm : false;
+ bool res = IS_ENABLED(CONFIG_HVM) ? d->guest_type == guest_type_hvm : false;
+ return (res && bool_lfence()) || !bool_lfence();
}
static inline bool is_hvm_vcpu(const struct vcpu *v)
--
2.7.4
["xsa289/0003-is_control_domain-block-speculation.patch" (application/octet-stream)]
From 5ed135e3cc4c21a803f12b1463b57598037f4661 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 03/13] is_control_domain: block speculation
Under speculation, an is_control_domain check can be bypassed, because the
check depends on a memory load. Therefore, the CPU might speculatively
continue execution of e.g. a hypercall to pull data from memory into
the cache, which should only be accessible by dom0.
To prevent these accesses, we block speculation after the access by
adding an lfence instruction.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/include/xen/sched.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -874,10 +874,12 @@ void watchdog_domain_destroy(struct domain *d);
* (that is, this would not be suitable for a driver domain)
* - There is never a reason to deny the hardware domain access to this
*/
-#define is_hardware_domain(_d) ((_d) == hardware_domain)
+#define is_hardware_domain(_d) \
+ (((_d) == hardware_domain && bool_lfence()) || !bool_lfence())
/* This check is for functionality specific to a control domain */
-#define is_control_domain(_d) ((_d)->is_privileged)
+#define is_control_domain(_d) \
+ (((_d)->is_privileged && bool_lfence()) || !bool_lfence())
#define VM_ASSIST(d, t) (test_bit(VMASST_TYPE_ ## t, &(d)->vm_assist))
--
2.7.4
["xsa289/0004-x86-hvm-block-speculative-accesses.patch" (application/octet-stream)]
From 69b9c85d10f0956fa2710afe7669a7587f44d5d4 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 04/13] x86/hvm: block speculative accesses
When interacting with the hvm interface and event channels, the guest can
specify a vcpu id. This ID is checked against the maximum number of CPUs,
however, this check can by bypassed speculatively. This change prevents
the potential speculative out-of-bound access.
This is part of the SpectreV1+L1TF mitigation patch series.
Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/hvm/hvm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -37,6 +37,7 @@
#include <xen/monitor.h>
#include <xen/warning.h>
#include <xen/vpci.h>
+#include <xen/nospec.h>
#include <asm/shadow.h>
#include <asm/hap.h>
#include <asm/current.h>
@@ -4032,7 +4033,8 @@ static int hvmop_set_evtchn_upcall_vector(
if ( op.vector < 0x10 )
return -EINVAL;
- if ( op.vcpu >= d->max_vcpus || (v = d->vcpu[op.vcpu]) == NULL )
+ if ( op.vcpu >= d->max_vcpus ||
+ (v = d->vcpu[array_index_nospec(op.vcpu, d->max_vcpus)]) == NULL )
return -ENOENT;
printk(XENLOG_G_INFO "%pv: upcall vector %02x\n", v, op.vector);
--
2.7.4
["xsa289/0005-nospec-introduce-method-for-static-arrays.patch" (application/octet-stream)]
From 06a4c31f0eba474633cceda4172418fa112e1cea Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 05/13] nospec: introduce method for static
arrays
When blocking speculative out-of-bound accesses, we can classify arrays
into dynamic arrays and static arrays. Where the former are allocated
during run time, the size of the latter is known during compile time.
On static arrays, compiler might be able to block speculative accesses
in the future.
We introduce another macro that automatically uses the ARRAY_SIZE macro
to block speculative accesses. For arrays that are statically accessed,
this macro can be used instead of the usual macro.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/include/xen/nospec.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h
--- a/xen/include/xen/nospec.h
+++ b/xen/include/xen/nospec.h
@@ -58,6 +58,12 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
(typeof(_i)) (_i & _mask); \
})
+/*
+ * array_access_nospec - allow nospec access for static size arrays
+ */
+#define array_access_nospec(array, index) \
+ array[array_index_nospec(index, ARRAY_SIZE(array))]
+
#endif /* XEN_NOSPEC_H */
/*
--
2.7.4
["xsa289/0006-x86-hvm-block-speculative-out-of-bound-accesses.patch" (application/octet-stream)]
From f6b5b961aefe6f163cacd27ae5f3b117e069dc0c Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 06/13] x86/hvm: block speculative out-of-bound
accesses
There are multiple arrays in the HVM interface that are accessed
with indices that are provided by the guest. To avoid out of bound
accesses, we use the array_index_nospec macro.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/hvm/hvm.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -2096,7 +2096,7 @@ int hvm_mov_from_cr(unsigned int cr, unsigned int gpr)
case 2:
case 3:
case 4:
- val = curr->arch.hvm.guest_cr[cr];
+ val = array_access_nospec(curr->arch.hvm.guest_cr, cr);
break;
case 8:
val = (vlapic_get_reg(vcpu_vlapic(curr), APIC_TASKPRI) & 0xf0) >> 4;
@@ -3446,13 +3446,15 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t *msr_content)
if ( !d->arch.cpuid->basic.mtrr )
goto gp_fault;
index = msr - MSR_MTRRfix16K_80000;
- *msr_content = fixed_range_base[index + 1];
+ *msr_content = fixed_range_base[array_index_nospec(index + 1,
+ NUM_FIXED_RANGES)];
break;
case MSR_MTRRfix4K_C0000...MSR_MTRRfix4K_F8000:
if ( !d->arch.cpuid->basic.mtrr )
goto gp_fault;
index = msr - MSR_MTRRfix4K_C0000;
- *msr_content = fixed_range_base[index + 3];
+ *msr_content = fixed_range_base[array_index_nospec(index + 3,
+ NUM_FIXED_RANGES)];
break;
case MSR_IA32_MTRR_PHYSBASE(0)...MSR_IA32_MTRR_PHYSMASK(MTRR_VCNT_MAX - 1):
if ( !d->arch.cpuid->basic.mtrr )
@@ -3461,7 +3463,8 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t *msr_content)
if ( (index / 2) >=
MASK_EXTR(v->arch.hvm.mtrr.mtrr_cap, MTRRcap_VCNT) )
goto gp_fault;
- *msr_content = var_range_base[index];
+ *msr_content = var_range_base[array_index_nospec(index,
+ NUM_FIXED_RANGES)];
break;
case MSR_IA32_XSS:
@@ -4156,7 +4159,8 @@ static int hvmop_set_param(
*/
if ( !paging_mode_hap(d) || !cpu_has_vmx )
{
- d->arch.hvm.params[a.index] = a.value;
+ d->arch.hvm.params[array_index_nospec(a.index,
+ HVM_NR_PARAMS)] = a.value;
break;
}
@@ -4171,7 +4175,8 @@ static int hvmop_set_param(
rc = 0;
domain_pause(d);
- d->arch.hvm.params[a.index] = a.value;
+ d->arch.hvm.params[array_index_nospec(a.index,
+ HVM_NR_PARAMS)] = a.value;
for_each_vcpu ( d, v )
paging_update_cr3(v, false);
domain_unpause(d);
@@ -4326,7 +4331,7 @@ static int hvmop_set_param(
if ( rc != 0 )
goto out;
- d->arch.hvm.params[a.index] = a.value;
+ d->arch.hvm.params[array_index_nospec(a.index, HVM_NR_PARAMS)] = a.value;
HVM_DBG_LOG(DBG_LEVEL_HCALL, "set param %u = %"PRIx64,
a.index, a.value);
@@ -4420,6 +4425,8 @@ static int hvmop_get_param(
break;
default:
a.value = d->arch.hvm.params[a.index];
+ a.value = d->arch.hvm.params[array_index_nospec(a.index,
+ HVM_NR_PARAMS)];
break;
}
--
2.7.4
["xsa289/0007-xen-evtchn-block-speculative-out-of-bound-accesses.patch" (application/octet-stream)]
From a18d25e2fbb7f0f43d25e2c1132be299ff0161a5 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 07/13] xen/evtchn: block speculative
out-of-bound accesses
Guests can issue event channel interaction with guest specified data.
To avoid speculative out of bound accesses, we use the nospec macros.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/common/event_2l.c | 3 ++-
xen/common/event_channel.c | 48 +++++++++++++++++++++++++++-------------------
xen/common/event_fifo.c | 4 +++-
xen/include/xen/event.h | 5 +++--
4 files changed, 36 insertions(+), 24 deletions(-)
diff --git a/xen/common/event_2l.c b/xen/common/event_2l.c
--- a/xen/common/event_2l.c
+++ b/xen/common/event_2l.c
@@ -45,7 +45,8 @@ static void evtchn_2l_clear_pending(struct domain *d, struct evtchn *evtchn)
static void evtchn_2l_unmask(struct domain *d, struct evtchn *evtchn)
{
- struct vcpu *v = d->vcpu[evtchn->notify_vcpu_id];
+ struct vcpu *v = d->vcpu[array_index_nospec(evtchn->notify_vcpu_id,
+ d->max_vcpus)];
unsigned int port = evtchn->port;
/*
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -369,12 +369,12 @@ int evtchn_bind_virq(evtchn_bind_virq_t *bind, evtchn_port_t port)
return -EINVAL;
if ( (vcpu < 0) || (vcpu >= d->max_vcpus) ||
- ((v = d->vcpu[vcpu]) == NULL) )
+ ((v = d->vcpu[array_index_nospec(vcpu, d->max_vcpus)]) == NULL) )
return -ENOENT;
spin_lock(&d->event_lock);
- if ( v->virq_to_evtchn[virq] != 0 )
+ if ( array_access_nospec(v->virq_to_evtchn, virq) != 0 )
ERROR_EXIT(-EEXIST);
if ( port != 0 )
@@ -402,7 +402,7 @@ int evtchn_bind_virq(evtchn_bind_virq_t *bind, evtchn_port_t port)
spin_unlock(&chn->lock);
- v->virq_to_evtchn[virq] = bind->port = port;
+ array_access_nospec(v->virq_to_evtchn, virq) = bind->port = port;
out:
spin_unlock(&d->event_lock);
@@ -419,7 +419,7 @@ static long evtchn_bind_ipi(evtchn_bind_ipi_t *bind)
long rc = 0;
if ( (vcpu < 0) || (vcpu >= d->max_vcpus) ||
- (d->vcpu[vcpu] == NULL) )
+ (d->vcpu[array_index_nospec(vcpu, d->max_vcpus)] == NULL) )
return -ENOENT;
spin_lock(&d->event_lock);
@@ -576,7 +576,8 @@ int evtchn_close(struct domain *d1, int port1, bool guest)
pirq_guest_unbind(d1, pirq);
pirq->evtchn = 0;
pirq_cleanup_check(pirq, d1);
- unlink_pirq_port(chn1, d1->vcpu[chn1->notify_vcpu_id]);
+ unlink_pirq_port(chn1, d1->vcpu[array_index_nospec(chn1->notify_vcpu_id,
+ d1->max_vcpus)]);
#ifdef CONFIG_X86
if ( is_hvm_domain(d1) && domain_pirq_to_irq(d1, pirq->pirq) > 0 )
unmap_domain_pirq_emuirq(d1, pirq->pirq);
@@ -587,9 +588,9 @@ int evtchn_close(struct domain *d1, int port1, bool guest)
case ECS_VIRQ:
for_each_vcpu ( d1, v )
{
- if ( v->virq_to_evtchn[chn1->u.virq] != port1 )
+ if ( array_access_nospec(v->virq_to_evtchn, chn1->u.virq) != port1 )
continue;
- v->virq_to_evtchn[chn1->u.virq] = 0;
+ array_access_nospec(v->virq_to_evtchn, chn1->u.virq) = 0;
spin_barrier(&v->virq_lock);
}
break;
@@ -700,7 +701,9 @@ int evtchn_send(struct domain *ld, unsigned int lport)
rport = lchn->u.interdomain.remote_port;
rchn = evtchn_from_port(rd, rport);
if ( consumer_is_xen(rchn) )
- xen_notification_fn(rchn)(rd->vcpu[rchn->notify_vcpu_id], rport);
+ xen_notification_fn(rchn)
+ (rd->vcpu[array_index_nospec(rchn->notify_vcpu_id,
+ rd->max_vcpus)], rport);
else
evtchn_port_set_pending(rd, rchn->notify_vcpu_id, rchn);
break;
@@ -722,7 +725,7 @@ out:
int guest_enabled_event(struct vcpu *v, uint32_t virq)
{
- return ((v != NULL) && (v->virq_to_evtchn[virq] != 0));
+ return ((v != NULL) && (array_access_nospec(v->virq_to_evtchn, virq) != 0));
}
void send_guest_vcpu_virq(struct vcpu *v, uint32_t virq)
@@ -764,7 +767,7 @@ static void send_guest_global_virq(struct domain *d, uint32_t virq)
spin_lock_irqsave(&v->virq_lock, flags);
- port = v->virq_to_evtchn[virq];
+ port = array_access_nospec(v->virq_to_evtchn, virq);
if ( unlikely(port == 0) )
goto out;
@@ -804,7 +807,8 @@ void send_global_virq(uint32_t virq)
{
ASSERT(virq_is_global(virq));
- send_guest_global_virq(global_virq_handlers[virq] ?: hardware_domain, virq);
+ send_guest_global_virq(array_access_nospec(global_virq_handlers, virq) ?:
+ hardware_domain, virq);
}
int set_global_virq_handler(struct domain *d, uint32_t virq)
@@ -816,15 +820,15 @@ int set_global_virq_handler(struct domain *d, uint32_t virq)
if (!virq_is_global(virq))
return -EINVAL;
- if (global_virq_handlers[virq] == d)
+ if (array_access_nospec(global_virq_handlers, virq) == d)
return 0;
if (unlikely(!get_domain(d)))
return -EINVAL;
spin_lock(&global_virq_handlers_lock);
- old = global_virq_handlers[virq];
- global_virq_handlers[virq] = d;
+ old = array_access_nospec(global_virq_handlers, virq);
+ array_access_nospec(global_virq_handlers, virq) = d;
spin_unlock(&global_virq_handlers_lock);
if (old != NULL)
@@ -842,9 +846,9 @@ static void clear_global_virq_handlers(struct domain *d)
for (virq = 0; virq < NR_VIRQS; virq++)
{
- if (global_virq_handlers[virq] == d)
+ if (array_access_nospec(global_virq_handlers, virq) == d)
{
- global_virq_handlers[virq] = NULL;
+ array_access_nospec(global_virq_handlers, virq) = NULL;
put_count++;
}
}
@@ -931,7 +935,8 @@ long evtchn_bind_vcpu(unsigned int port, unsigned int vcpu_id)
struct evtchn *chn;
long rc = 0;
- if ( (vcpu_id >= d->max_vcpus) || (d->vcpu[vcpu_id] == NULL) )
+ if ( (vcpu_id >= d->max_vcpus) ||
+ (d->vcpu[array_index_nospec(vcpu_id, d->max_vcpus)] == NULL) )
return -ENOENT;
spin_lock(&d->event_lock);
@@ -966,11 +971,14 @@ long evtchn_bind_vcpu(unsigned int port, unsigned int vcpu_id)
case ECS_PIRQ:
if ( chn->notify_vcpu_id == vcpu_id )
break;
- unlink_pirq_port(chn, d->vcpu[chn->notify_vcpu_id]);
+ unlink_pirq_port(chn, d->vcpu[array_index_nospec(chn->notify_vcpu_id,
+ d->max_vcpus)]);
chn->notify_vcpu_id = vcpu_id;
pirq_set_affinity(d, chn->u.pirq.irq,
- cpumask_of(d->vcpu[vcpu_id]->processor));
- link_pirq_port(port, chn, d->vcpu[vcpu_id]);
+ cpumask_of(d->vcpu[array_index_nospec(vcpu_id,
+ d->max_vcpus)]->processor));
+ link_pirq_port(port, chn, d->vcpu[array_index_nospec(vcpu_id,
+ d->max_vcpus)]);
break;
default:
rc = -EINVAL;
diff --git a/xen/common/event_fifo.c b/xen/common/event_fifo.c
--- a/xen/common/event_fifo.c
+++ b/xen/common/event_fifo.c
@@ -30,8 +30,10 @@ static inline event_word_t *evtchn_fifo_word_from_port(const struct domain *d,
/*
* Callers aren't required to hold d->event_lock, so we need to synchronize
* with add_page_to_event_array().
+ *
+ * To block speculative out-of-bound accesses, use rmb.
*/
- smp_rmb();
+ rmb();
p = port / EVTCHN_FIFO_EVENT_WORDS_PER_PAGE;
w = port % EVTCHN_FIFO_EVENT_WORDS_PER_PAGE;
diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h
--- a/xen/include/xen/event.h
+++ b/xen/include/xen/event.h
@@ -13,6 +13,7 @@
#include <xen/smp.h>
#include <xen/softirq.h>
#include <xen/bitops.h>
+#include <xen/nospec.h>
#include <asm/event.h>
/*
@@ -96,7 +97,7 @@ void arch_evtchn_inject(struct vcpu *v);
* The first bucket is directly accessed via d->evtchn.
*/
#define group_from_port(d, p) \
- ((d)->evtchn_group[(p) / EVTCHNS_PER_GROUP])
+ (array_access_nospec((d)->evtchn_group, (p) / EVTCHNS_PER_GROUP))
#define bucket_from_port(d, p) \
((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET])
@@ -174,7 +175,7 @@ static inline void evtchn_port_set_pending(struct domain *d,
unsigned int vcpu_id,
struct evtchn *evtchn)
{
- d->evtchn_port_ops->set_pending(d->vcpu[vcpu_id], evtchn);
+ d->evtchn_port_ops->set_pending(d->vcpu[array_index_nospec(vcpu_id, d->max_vcpus)], evtchn);
}
static inline void evtchn_port_clear_pending(struct domain *d,
--
2.7.4
["xsa289/0008-common-gant_table-block-speculative-out-of-bound-acc.patch" (application/octet-stream)]
From af440a75f0abd564c08534a5db1d4971059a89f4 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 08/13] common/gant_table: block speculative
out-of-bound accesses
Guests can issue grant table operations and provide guest controlled
data to them. This data is also used for memory loads. To avoid
speculative out of bound accesses, we use the array_index_nospec macro
where applicable. However, there are also memory accesses that cannot
be protected by a single array protection, or multiple accesses in a
row. To protect these, an lfence instruction is placed between the
actual range check and the access.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/common/grant_table.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -37,6 +37,7 @@
#include <xen/paging.h>
#include <xen/keyhandler.h>
#include <xen/vmap.h>
+#include <xen/nospec.h>
#include <xsm/xsm.h>
#include <asm/flushtlb.h>
@@ -963,6 +964,9 @@ map_grant_ref(
PIN_FAIL(unlock_out, GNTST_bad_gntref, "Bad ref %#x for d%d\n",
op->ref, rgt->domain->domain_id);
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
act = active_entry_acquire(rgt, op->ref);
shah = shared_entry_header(rgt, op->ref);
status = rgt->gt_version == 1 ? &shah->flags : &status_entry(rgt, op->ref);
@@ -1268,7 +1272,8 @@ unmap_common(
}
smp_rmb();
- map = &maptrack_entry(lgt, op->handle);
+ map = &maptrack_entry(lgt, array_index_nospec(op->handle,
+ lgt->maptrack_limit));
if ( unlikely(!read_atomic(&map->flags)) )
{
@@ -2026,6 +2031,9 @@ gnttab_prepare_for_transfer(
goto fail;
}
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
sha = shared_entry_header(rgt, ref);
scombo.word = *(u32 *)&sha->flags;
@@ -2239,6 +2247,9 @@ gnttab_transfer(
goto unlock_and_copyback;
}
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
page_list_add_tail(page, &e->page_list);
page_set_owner(page, e);
@@ -2408,6 +2419,9 @@ acquire_grant_for_copy(
PIN_FAIL(gt_unlock_out, GNTST_bad_gntref,
"Bad grant reference %#x\n", gref);
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
act = active_entry_acquire(rgt, gref);
shah = shared_entry_header(rgt, gref);
if ( rgt->gt_version == 1 )
@@ -2812,6 +2826,9 @@ static int gnttab_copy_buf(const struct gnttab_copy *op,
((op->dest.offset + op->len) > PAGE_SIZE) )
PIN_FAIL(out, GNTST_bad_copy_arg, "copy beyond page area\n");
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
if ( op->source.offset < src->ptr.offset ||
op->source.offset + op->len > src->ptr.offset + src->len )
PIN_FAIL(out, GNTST_general_error,
@@ -3215,6 +3232,9 @@ swap_grant_ref(grant_ref_t ref_a, grant_ref_t ref_b)
if ( ref_a == ref_b )
goto out;
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
act_a = active_entry_acquire(gt, ref_a);
if ( act_a->pin )
PIN_FAIL(out, GNTST_eagain, "ref a %#x busy\n", ref_a);
--
2.7.4
["xsa289/0009-x86-hvm-emulate-block-speculative-out-of-bound-acces.patch" (application/octet-stream)]
From acad7d5166804ed3dbdf76a4ec9d07b0cd777bfc Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 09/13] x86/hvm/emulate: block speculative
out-of-bound accesses
During emulating instructions, the guest controls the content of the
CPU registers. As these values are used for array indexes, we have to
make sure that speculative out of bound accesses are blocked. This way,
we protect against loading secrets into L1 cache.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/hvm/emulate.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c
--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -15,6 +15,7 @@
#include <xen/paging.h>
#include <xen/trace.h>
#include <xen/vm_event.h>
+#include <xen/nospec.h>
#include <asm/event.h>
#include <asm/i387.h>
#include <asm/xstate.h>
@@ -2028,7 +2029,7 @@ static int hvmemul_read_cr(
case 2:
case 3:
case 4:
- *val = current->arch.hvm.guest_cr[reg];
+ *val = array_access_nospec(current->arch.hvm.guest_cr, reg);
HVMTRACE_LONG_2D(CR_READ, reg, TRC_PAR_LONG(*val));
return X86EMUL_OKAY;
default:
@@ -2653,8 +2654,9 @@ struct segment_register *hvmemul_get_seg_reg(
return ERR_PTR(-X86EMUL_UNHANDLEABLE);
if ( !__test_and_set_bit(idx, &hvmemul_ctxt->seg_reg_accessed) )
- hvm_get_segment_register(current, idx, &hvmemul_ctxt->seg_reg[idx]);
- return &hvmemul_ctxt->seg_reg[idx];
+ hvm_get_segment_register(current, idx,
+ &array_access_nospec(hvmemul_ctxt->seg_reg, idx));
+ return &array_access_nospec(hvmemul_ctxt->seg_reg, idx);
}
static const char *guest_x86_mode_to_str(int mode)
--
2.7.4
["xsa289/0010-x86-vioapic-block-speculative-out-of-bound-accesses.patch" (application/octet-stream)]
From d861027dbc1e861fb27f1cea55ee08aa03279c01 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 10/13] x86/vioapic: block speculative
out-of-bound accesses
When interacting with io apic, a guest can specify values that are used
as index to structures, and whose values are not compared against
constants beforehand. Therefore, speculative out-of-bound accesses are
possible. This change prevents these accesses.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/hvm/vioapic.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/xen/arch/x86/hvm/vioapic.c b/xen/arch/x86/hvm/vioapic.c
--- a/xen/arch/x86/hvm/vioapic.c
+++ b/xen/arch/x86/hvm/vioapic.c
@@ -30,6 +30,7 @@
#include <xen/lib.h>
#include <xen/errno.h>
#include <xen/sched.h>
+#include <xen/nospec.h>
#include <public/hvm/ioreq.h>
#include <asm/hvm/io.h>
#include <asm/hvm/vpic.h>
@@ -117,7 +118,8 @@ static uint32_t vioapic_read_indirect(const struct hvm_vioapic *vioapic)
break;
}
- redir_content = vioapic->redirtbl[redir_index].bits;
+ redir_content = vioapic->redirtbl[array_index_nospec(redir_index,
+ vioapic->nr_pins)].bits;
result = (vioapic->ioregsel & 1) ? (redir_content >> 32)
: redir_content;
break;
@@ -216,7 +218,7 @@ static void vioapic_write_redirent(
spin_lock(&d->arch.hvm.irq_lock);
- pent = &vioapic->redirtbl[idx];
+ pent = &vioapic->redirtbl[array_index_nospec(idx, vioapic->nr_pins)];
ent = *pent;
if ( top_word )
@@ -258,7 +260,8 @@ static void vioapic_write_redirent(
pent->fields.remote_irr = 0;
else if ( !ent.fields.mask &&
!ent.fields.remote_irr &&
- hvm_irq->gsi_assert_count[idx] )
+ hvm_irq->gsi_assert_count[array_index_nospec(idx,
+ hvm_irq->nr_gsis)] )
{
pent->fields.remote_irr = 1;
vioapic_deliver(vioapic, idx);
@@ -378,15 +381,17 @@ static inline int pit_channel0_enabled(void)
static void vioapic_deliver(struct hvm_vioapic *vioapic, unsigned int pin)
{
- uint16_t dest = vioapic->redirtbl[pin].fields.dest_id;
- uint8_t dest_mode = vioapic->redirtbl[pin].fields.dest_mode;
- uint8_t delivery_mode = vioapic->redirtbl[pin].fields.delivery_mode;
- uint8_t vector = vioapic->redirtbl[pin].fields.vector;
- uint8_t trig_mode = vioapic->redirtbl[pin].fields.trig_mode;
+ unsigned int index_pin = array_index_nospec(pin, vioapic->nr_pins);
+
+ uint16_t dest = vioapic->redirtbl[index_pin].fields.dest_id;
+ uint8_t dest_mode = vioapic->redirtbl[index_pin].fields.dest_mode;
+ uint8_t delivery_mode = vioapic->redirtbl[index_pin].fields.delivery_mode;
+ uint8_t vector = vioapic->redirtbl[index_pin].fields.vector;
+ uint8_t trig_mode = vioapic->redirtbl[index_pin].fields.trig_mode;
struct domain *d = vioapic_domain(vioapic);
struct vlapic *target;
struct vcpu *v;
- unsigned int irq = vioapic->base_gsi + pin;
+ unsigned int irq = vioapic->base_gsi + index_pin;
ASSERT(spin_is_locked(&d->arch.hvm.irq_lock));
@@ -478,7 +483,7 @@ void vioapic_irq_positive_edge(struct domain *d, unsigned int irq)
ASSERT(pin < vioapic->nr_pins);
ASSERT(spin_is_locked(&d->arch.hvm.irq_lock));
- ent = &vioapic->redirtbl[pin];
+ ent = &vioapic->redirtbl[array_index_nospec(pin, vioapic->nr_pins)];
if ( ent->fields.mask )
return;
@@ -566,7 +571,8 @@ int vioapic_get_trigger_mode(const struct domain *d, unsigned int gsi)
if ( !vioapic )
return -EINVAL;
- return vioapic->redirtbl[pin].fields.trig_mode;
+ return vioapic->redirtbl[array_index_nospec(pin,
+ vioapic->nr_pins)].fields.trig_mode;
}
static int ioapic_save(struct vcpu *v, hvm_domain_context_t *h)
--
2.7.4
["xsa289/0011-x86-hvm-hpet-block-speculative-out-of-bound-accesses.patch" (application/octet-stream)]
From 3bd85bcd904b57fa1898a99ff36dbad65706e84b Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 11/13] x86/hvm/hpet: block speculative
out-of-bound accesses
When interacting with hpet, read and write operations can be executed
during instruction emulation, where the guest controls the data that
is used. As it is hard to predict the number of instructions that are
executed speculatively, we prevent out-of-bound accesses by using the
array_index_nospec function for guest specified addresses that should
be used for hpet operations.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/hvm/hpet.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/xen/arch/x86/hvm/hpet.c b/xen/arch/x86/hvm/hpet.c
--- a/xen/arch/x86/hvm/hpet.c
+++ b/xen/arch/x86/hvm/hpet.c
@@ -25,6 +25,7 @@
#include <xen/sched.h>
#include <xen/event.h>
#include <xen/trace.h>
+#include <xen/nospec.h>
#define domain_vhpet(x) (&(x)->arch.hvm.pl_time->vhpet)
#define vcpu_vhpet(x) (domain_vhpet((x)->domain))
@@ -124,15 +125,18 @@ static inline uint64_t hpet_read64(HPETState *h, unsigned long addr,
case HPET_Tn_CFG(0):
case HPET_Tn_CFG(1):
case HPET_Tn_CFG(2):
- return h->hpet.timers[HPET_TN(CFG, addr)].config;
+ return h->hpet.timers[array_index_nospec(HPET_TN(CFG, addr),
+ HPET_TIMER_NUM)].config;
case HPET_Tn_CMP(0):
case HPET_Tn_CMP(1):
case HPET_Tn_CMP(2):
- return hpet_get_comparator(h, HPET_TN(CMP, addr), guest_time);
+ return hpet_get_comparator(h, array_index_nospec(HPET_TN(CMP, addr),
+ HPET_TIMER_NUM), guest_time);
case HPET_Tn_ROUTE(0):
case HPET_Tn_ROUTE(1):
case HPET_Tn_ROUTE(2):
- return h->hpet.timers[HPET_TN(ROUTE, addr)].fsb;
+ return h->hpet.timers[array_index_nospec(HPET_TN(ROUTE, addr),
+ HPET_TIMER_NUM)].fsb;
}
return 0;
@@ -438,7 +442,7 @@ static int hpet_write(
case HPET_Tn_CFG(0):
case HPET_Tn_CFG(1):
case HPET_Tn_CFG(2):
- tn = HPET_TN(CFG, addr);
+ tn = array_index_nospec(HPET_TN(CFG, addr), HPET_TIMER_NUM);
h->hpet.timers[tn].config =
hpet_fixup_reg(new_val, old_val,
@@ -480,7 +484,7 @@ static int hpet_write(
case HPET_Tn_CMP(0):
case HPET_Tn_CMP(1):
case HPET_Tn_CMP(2):
- tn = HPET_TN(CMP, addr);
+ tn = array_index_nospec(HPET_TN(CMP, addr), HPET_TIMER_NUM);
if ( timer_is_periodic(h, tn) &&
!(h->hpet.timers[tn].config & HPET_TN_SETVAL) )
{
@@ -523,7 +527,7 @@ static int hpet_write(
case HPET_Tn_ROUTE(0):
case HPET_Tn_ROUTE(1):
case HPET_Tn_ROUTE(2):
- tn = HPET_TN(ROUTE, addr);
+ tn = array_index_nospec(HPET_TN(ROUTE, addr), HPET_TIMER_NUM);
h->hpet.timers[tn].fsb = new_val;
break;
--
2.7.4
["xsa289/0012-common-memory-block-speculative-out-of-bound-accesse.patch" (application/octet-stream)]
From 517e3f53d7cda71b3618b3ffab1b46b57ef903e2 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 12/13] common/memory: block speculative
out-of-bound accesses
The get_page_from_gfn method returns a pointer to a page that belongs
to a gfn. Before returning the pointer, the gfn is checked for being
valid. Under speculation, these checks can be bypassed, so that
the function get_page is still executed partially. Consequently, the
function page_get_owner_and_reference might be executed partially as
well. In this function, the computed pointer is accessed, resulting in
a speculative out-of-bound address load.
To mitigate the root cause, the lfence instruction is added in the
function that actually checks whether the mfn is valid.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/common/pdx.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/xen/common/pdx.c b/xen/common/pdx.c
--- a/xen/common/pdx.c
+++ b/xen/common/pdx.c
@@ -33,10 +33,11 @@ unsigned long __read_mostly pdx_group_valid[BITS_TO_LONGS(
bool __mfn_valid(unsigned long mfn)
{
- return likely(mfn < max_page) &&
- likely(!(mfn & pfn_hole_mask)) &&
- likely(test_bit(pfn_to_pdx(mfn) / PDX_GROUP_COUNT,
- pdx_group_valid));
+ bool res = likely(mfn < max_page) &&
+ likely(!(mfn & pfn_hole_mask)) &&
+ likely(test_bit(pfn_to_pdx(mfn) / PDX_GROUP_COUNT,
+ pdx_group_valid));
+ return (res && bool_lfence()) || !bool_lfence();
}
/* Sets all bits from the most-significant 1-bit down to the LSB */
--
2.7.4
["xsa289/0013-x86-CPUID-block-speculative-out-of-bound-accesses.patch" (application/octet-stream)]
From 2ef0c689a67fec0964dc50f0e83a67c60b70886c Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 13/13] x86/CPUID: block speculative
out-of-bound accesses
During instruction emulation, the cpuid instruction is emulated with
data that is controlled by the guest. As speculation might pass bound
checks, we have to ensure that no out-of-bound loads are possible.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/cpuid.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c
--- a/xen/arch/x86/cpuid.c
+++ b/xen/arch/x86/cpuid.c
@@ -1,6 +1,7 @@
#include <xen/init.h>
#include <xen/lib.h>
#include <xen/sched.h>
+#include <xen/nospec.h>
#include <asm/cpuid.h>
#include <asm/hvm/hvm.h>
#include <asm/hvm/nestedhvm.h>
@@ -638,7 +639,7 @@ void guest_cpuid(const struct vcpu *v, uint32_t leaf,
ARRAY_SIZE(p->feat.raw) - 1) )
return;
- *res = p->feat.raw[subleaf];
+ *res = array_access_nospec(p->feat.raw, subleaf);
break;
case 0xb:
@@ -656,7 +657,7 @@ void guest_cpuid(const struct vcpu *v, uint32_t leaf,
break;
default:
- *res = p->basic.raw[leaf];
+ *res = array_access_nospec(p->basic.raw, leaf);
break;
}
break;
--
2.7.4
["xsa289/detect-spectre-candidates.sh" (application/octet-stream)]
#!/bin/bash
# Copyright (C) 2018 Amazon.com, Inc. or its affiliates.
# Author: Norbert Manthey <nmanthey@amazon.de>
#
# This script show cases how smatch can be run for Xen.
# You want to run this on a big machine, as Xen will be recompiled many times
# This script writes a file last_smatch_spectre_warns.txt, which will contain
# the spectre v1 candidates of smatch.
#
# Keep this script in its directory, but call it from the Xen root directory!
# Number of smatch iterations (guest taint improves per iteration)
MAX_ITERATIONS=8
# In case something breaks, we want to stop
set -e -u
# Where is this script located
SCRIPT=$(readlink -e "$0")
SCRIPT_DIR=$(dirname "$SCRIPT")
# Make sure we're in the Xen directory and Xen builds
echo "Check whether Xen builds ..."
make xen -j $(nproc)
# Check whether smatch uses the correct commit, or delete current state
if [ -d smatch ]
then
pushd smatch &> /dev/null
if ! git show | grep -q "build_xen: add fixed db file"
then
echo "Smatch does not use the correct commit, wiping smatch directory."
popd &> /dev/null
rm -rf smatch
else
popd &> /dev/null
fi
fi
# Get the required tools
if [ ! -d smatch ]
then
echo "Make smatch tool available ..."
git clone git://repo.or.cz/smatch.git
pushd smatch &> /dev/null
# move to last known good state
git reset --hard 2a4b6b0db8f9dffe00f9867cdbadcdef6918c466
# apply patches for Xen (not public yet!)
PATCH_DIR="$SCRIPT_DIR/outgoing-upstream-xen/"
for patch in $(ls "$PATCH_DIR"/*.patch)
do
git am $patch
done
make smatch -j $(nproc)
popd &> /dev/null
fi
if [ ! -d one-line-scan ]
then
echo "Make one-line-scan tool available ..."
git clone https://github.com/awslabs/one-line-scan.git
fi
# Tell environment about tools, and check whether they work
export PATH=$PATH:$(pwd)/smatch:$(pwd)/one-line-scan
echo "Test availability of smatch and one-line-scan ..."
for tool in smatch one-line-scan
do
if ! command -v "$tool" &> /dev/null
then
echo "Cannot find tool $tool, abort"
exit 1
fi
done
# Initialize variables for analysis
START=$SECONDS # start timestampe to print timing
OLD=0 # number of defects found in last iteration
NEW=0 # number of defects found in current iteration
I=0 # current iteration
BUILD_STATUS=0 # status of the analysis job
# Repeat analysis at most $MAX_ITERATIONS times
echo "Start Xen analysis with smatch, use $MAX_ITERATIONS iterations"
while [ "$I" -lt $MAX_ITERATIONS ]
do
OLD=$NEW
I=$((I+1))
# Write a log per iteration
FULL_SPECTRE=1 ./smatch/smatch_scripts/build_xen_data.sh &> smatch-build-$I.log
BUILD_STATUS=$?
echo "build iteration $I with status $BUILD_STATUS"
[ "$BUILD_STATUS" -eq 0 ] || exit $BUILD_STATUS
# Keep results of last iteration around, in case the script is stopped early
grep spectre smatch_warns.txt | sort -u > last_smatch_spectre_warns.txt
# We are only interested in spectre issues for now
NEW=$(cat last_smatch_spectre_warns.txt | wc -l)
NOW=$SECONDS
echo "new amount of defects: $NEW (last: $OLD) at iter $I after $((NOW - START))"
# Check whether we found more defects
[ "$NEW" -ne "$OLD" ] || break
done |& tee full-smatch.log
exit $BUILD_STATUS
["xsa289/sorted-gadgets.txt" (application/octet-stream)]
[guest init] 128 xen/arch/x86/acpi/cpufreq/cpufreq.c:518 acpi_cpufreq_cpu_init() warn: \
potential spectre issue 'cpu_data' [r] [guest init] 128 \
xen/arch/x86/acpi/cpufreq/cpufreq.c:525 acpi_cpufreq_cpu_init() warn: potential spectre issue \
'cpufreq_drv_data' [w] [guest init] 128 xen/arch/x86/acpi/cpufreq/cpufreq.c:527 \
acpi_cpufreq_cpu_init() warn: potential spectre issue 'processor_pminfo' [r] [guest exit] \
128 xen/arch/x86/acpi/cpufreq/cpufreq.c:627 acpi_cpufreq_cpu_exit() warn: potential spectre \
issue 'cpufreq_drv_data' [r] [guest init] 128 xen/arch/x86/acpi/cpufreq/powernow.c:240 \
powernow_cpufreq_cpu_init() warn: potential spectre issue 'cpu_data' [r] [guest init] 128 \
xen/arch/x86/acpi/cpufreq/powernow.c:246 powernow_cpufreq_cpu_init() warn: potential spectre \
issue 'cpufreq_drv_data' [w] [guest init] 128 xen/arch/x86/acpi/cpufreq/powernow.c:248 \
powernow_cpufreq_cpu_init() warn: potential spectre issue 'processor_pminfo' [r] [guest exit] \
128 xen/arch/x86/acpi/cpufreq/powernow.c:339 powernow_cpufreq_cpu_exit() warn: potential \
spectre issue 'cpufreq_drv_data' [r] [uint64_t operation] 129 xen/arch/x86/acpi/boot.c:295 \
constant_test_bit() warn: potential spectre issue 'addr' [r] [guest init] 129 \
xen/arch/x86/acpi/cpu_idle.c:825 cpuidle_init_cpu() warn: potential spectre issue \
'processor_powers' [r] [only do_platform_op] 129 xen/arch/x86/acpi/lib.c:73 \
acpi_get_processor_id() warn: potential spectre issue 'x86_cpu_to_apicid' [r] [only \
interactive] 129 xen/arch/x86/apic.c:1290 smp_send_state_dump() warn: potential spectre \
issue '__per_cpu_offset' [w] [transitive fix] 129 xen/arch/x86/hvm/hpet.c:94 \
hpet_get_comparator() warn: potential spectre issue 'h->hpet.comparator64' [r] [transitive fix] \
129 xen/arch/x86/hvm/hpet.c:98 hpet_get_comparator() warn: potential spectre issue \
'h->hpet.period' [r] [not contolled] 129 xen/arch/x86/irq.c:207 destroy_irq() warn: \
potential spectre issue 'irq_desc' [r] [fixed CPUs] 129 xen/arch/x86/smpboot.c:1291 \
cpu_add() warn: potential spectre issue 'apicid_to_node' [w] [fixed CPUs] 129 \
xen/arch/x86/smpboot.c:1321 __cpu_up() warn: potential spectre issue 'x86_cpu_to_apicid' [r] \
[guest boot] 129 xen/arch/x86/smpboot.c:246 set_cpu_sibling_map() warn: potential spectre \
issue 'cpu_data' [w] [guest boot] 129 xen/arch/x86/smpboot.c:247 set_cpu_sibling_map() warn: \
potential spectre issue '__per_cpu_offset' [w] [guest boot] 129 xen/arch/x86/smpboot.c:558 \
do_boot_cpu() warn: potential spectre issue 'stack_base' [r] [guest boot] 129 \
xen/arch/x86/smpboot.c:640 alloc_stub_page() warn: potential spectre issue 'cpu_to_node' [r] \
[guest boot] 129 xen/arch/x86/smpboot.c:800 setup_cpu_root_pgt() warn: potential spectre \
issue '__per_cpu_offset' [w] [guest boot] 129 xen/arch/x86/smpboot.c:827 \
setup_cpu_root_pgt() warn: potential spectre issue 'stack_base' [r] [guest boot] 129 \
xen/arch/x86/smpboot.c:830 setup_cpu_root_pgt() warn: potential spectre issue 'idt_tables' [r] \
[guest boot] 129 xen/arch/x86/smpboot.c:909 cpu_smpboot_free() warn: potential spectre issue \
'cpu_data' [r] [guest boot] 129 xen/arch/x86/smpboot.c:922 cpu_smpboot_free() warn: \
potential spectre issue 'c' [w] [guest boot] 129 xen/arch/x86/smpboot.c:926 \
cpu_smpboot_free() warn: potential spectre issue '__per_cpu_offset' [w] [guest boot] 129 \
xen/arch/x86/smpboot.c:92 initialize_cpu_data() warn: potential spectre issue 'cpu_data' [w] \
[guest boot] 129 xen/arch/x86/smpboot.c:960 cpu_smpboot_free() warn: potential spectre issue \
'idt_tables' [w] [guest boot] 129 xen/arch/x86/smpboot.c:964 cpu_smpboot_free() warn: \
potential spectre issue 'stack_base' [w] [guest boot] 129 xen/arch/x86/smpboot.c:973 \
cpu_smpboot_alloc() warn: potential spectre issue 'cpu_to_node' [r] [guest boot] 129 \
xen/arch/x86/smpboot.c:982 cpu_smpboot_alloc() warn: potential spectre issue 'stack_base' [w] \
[guest boot] 129 xen/arch/x86/smpboot.c:988 cpu_smpboot_alloc() warn: potential spectre \
issue '__per_cpu_offset' [w] [static cpus] 129 xen/common/cpupool.c:525 cpupool_cpu_add() \
warn: potential spectre issue '__per_cpu_offset' [w] [guest boot] 129 \
xen/common/domain.c:131 alloc_vcpu() warn: potential spectre issue 'd->vcpu' [w] (local cap) \
[loop bound] 129 xen/common/softirq.c:50 __do_softirq() warn: potential spectre issue \
'softirq_handlers' [w] [compare constant] 129 xen/drivers/acpi/hwregs.c:77 \
acpi_hw_get_bit_register_info() warn: potential spectre issue 'acpi_gbl_bit_register_info' [r] \
(local cap) [constant or bound] 129 xen/arch/x86/cpu/vpmu.c:102 vlapic_get_reg() warn: \
potential spectre issue 'vlapic->regs->data' [r] [domctl or bound] 129 \
xen/arch/x86/hvm/vioapic.c:547 vioapic_get_mask() warn: potential spectre issue \
'vioapic->redirtbl' [r] [compared against constant] 129 xen/arch/x86/acpi/cpu_idle.c:68 \
apic_mem_read() warn: potential spectre issue '(VMAP_VIRT_END - ((1) << 12)) - ((4) << 12)' [r] \
[amd] [x2apic_enabled?, if yes, irrelevant] 129 xen/arch/x86/apic.c:58 apic_mem_write() \
warn: potential spectre issue '(VMAP_VIRT_END - ((1) << 12)) - ((4) << 12)' [w] [fixed via \
lfence] 129 xen/common/grant_table.c:240 shared_entry_header() warn: potential spectre issue \
't->shared_v1' [r] [fixed via lfence] 129 xen/common/grant_table.c:242 shared_entry_header() \
warn: potential spectre issue 't->shared_v2' [r] [fixed via lfence] 129 \
xen/common/grant_table.c:2438 acquire_grant_for_copy() warn: potential spectre issue \
'rgt->shared_v2' [r] [fixed via lfence] 129 xen/common/grant_table.c:2439 \
acquire_grant_for_copy() warn: potential spectre issue 'rgt->status' [r] [fixed via lfence] \
129 xen/common/grant_table.c:2563 acquire_grant_for_copy() warn: potential spectre issue \
'rgt->shared_v1' [r] [fixed via lfence] 129 xen/common/grant_table.c:3252 swap_grant_ref() \
warn: potential spectre issue 'gt->shared_v1' [r] [fixed via lfence] 129 \
xen/common/grant_table.c:3261 swap_grant_ref() warn: potential spectre issue 'gt->shared_v2' \
[r] [fixed via lfence] 129 xen/common/grant_table.c:3262 swap_grant_ref() warn: potential \
spectre issue 'gt->status' [r] [fixed via lfence] 129 xen/common/grant_table.c:355 \
active_entry_acquire() warn: potential spectre issue 't->active' [r] [hard to trigger] 129 \
xen/arch/x86/hvm/save.c:102 hvm_register_savevm() warn: potential spectre issue \
'hvm_sr_handlers' [w] (local cap) [hard to trigger] 129 xen/arch/x86/hvm/save.c:148 \
hvm_save_one() warn: potential spectre issue 'hvm_sr_handlers' [r] (local cap) [hard to \
trigger] 129 xen/arch/x86/x86_64/mm.c:59 do_page_walk() warn: potential spectre issue 'l4t' \
[r] [hard to trigger] 129 xen/arch/x86/x86_64/mm.c:65 do_page_walk() warn: potential spectre \
issue 'l3t' [r] [hard to trigger] 129 xen/arch/x86/x86_64/mm.c:77 do_page_walk() warn: \
potential spectre issue 'l2t' [r] [hard to trigger] 129 xen/arch/x86/x86_64/mm.c:89 \
do_page_walk() warn: potential spectre issue 'l1t' [r] [hard to trigger] 1 \
xen/arch/x86/io_apic.c:290 __io_apic_eoi() warn: potential spectre issue 'mp_ioapics' [w] \
[unused] 129 xen/arch/x86/acpi/cpufreq/cpufreq.c:280 get_measured_perf() warn: potential \
spectre issue '__per_cpu_offset' [w] (local cap) [unused] 129 \
xen/arch/x86/acpi/cpufreq/cpufreq.c:337 get_cur_freq_on_cpu() warn: potential spectre issue \
'__per_cpu_offset' [w] (local cap) [unused] 129 xen/arch/x86/acpi/cpufreq/cpufreq.c:63 \
check_est_cpu() warn: potential spectre issue 'cpu_data' [r] [numeric-bound] 129 \
xen/arch/x86/acpi/cpu_idle.c:1112 get_cpu_id() warn: potential spectre issue \
'x86_acpiid_to_apicid' [r] [dom0] 129 xen/arch/x86/acpi/cpu_idle.c:1242 pmstat_get_cx_nr() \
warn: potential spectre issue 'processor_powers' [r] [dom0] 129 \
xen/arch/x86/acpi/cpu_idle.c:1247 pmstat_get_cx_stat() warn: potential spectre issue \
'processor_powers' [r] [amd] 129 xen/arch/x86/cpu/amd.c:101 constant_clear_bit() warn: \
potential spectre issue 'addr' [w] [amd] 129 xen/arch/x86/cpu/amd.c:60 constant_set_bit() \
warn: potential spectre issue 'addr' [w] [constant+loop] 129 xen/arch/x86/cpuid.c:70 \
zero_leaves() warn: potential spectre issue 'l' [w] [constant] 129 xen/arch/x86/cpuid.c:726 \
guest_cpuid() warn: potential spectre issue 'p->cache.raw' [r] (local cap) [fixed] 129 \
xen/arch/x86/cpuid.c:735 guest_cpuid() warn: potential spectre issue 'p->feat.raw' [r] \
[constant] 129 xen/arch/x86/cpuid.c:742 guest_cpuid() warn: potential spectre issue \
'p->xstate.raw' [r] (local cap) [fixed] 129 xen/arch/x86/cpuid.c:746 guest_cpuid() warn: \
potential spectre issue 'p->basic.raw' [r] [constant] 129 xen/arch/x86/cpuid.c:937 \
guest_cpuid() warn: potential spectre issue 'raw_cpuid_policy.basic.raw' [r] [mce] 129 \
xen/arch/x86/cpu/mcheck/mce.c:1004 x86_mc_get_cpu_info() warn: potential spectre issue \
'x86_cpu_to_apicid' [r] [mce] 129 xen/arch/x86/cpu/mcheck/mce.c:1005 x86_mc_get_cpu_info() \
warn: potential spectre issue 'cpu_data' [r] [mce] 129 xen/arch/x86/cpu/mcheck/mce.c:610 \
show_mca_info() warn: potential spectre issue 'type_str' [w] (local cap) [mce] 129 \
xen/arch/x86/cpu/mcheck/mce.c:690 cpu_bank_free() warn: potential spectre issue \
'__per_cpu_offset' [w] [mce] 129 xen/arch/x86/cpu/mcheck/mce.c:702 cpu_bank_alloc() warn: \
potential spectre issue '__per_cpu_offset' [w] [mce] 129 \
xen/arch/x86/cpu/mcheck/mce_intel.c:860 cpu_mcabank_free() warn: potential spectre issue \
'__per_cpu_offset' [w] [mce] 129 xen/arch/x86/cpu/mcheck/mce_intel.c:875 cpu_mcabank_alloc() \
warn: potential spectre issue '__per_cpu_offset' [w] [mce] 129 \
xen/arch/x86/cpu/mcheck/mce_intel.c:949 vmce_intel_wrmsr() warn: potential spectre issue \
'v->arch.vmce.bank' [w] (local cap) [mce] 129 xen/arch/x86/cpu/mcheck/mce_intel.c:962 \
vmce_intel_rdmsr() warn: potential spectre issue 'v->arch.vmce.bank' [r] (local cap) [mce] \
129 xen/arch/x86/cpu/mcheck/mctelem.c:219 mctelem_process_deferred() warn: potential spectre \
issue '__per_cpu_offset' [w] [mce] 129 xen/arch/x86/cpu/mcheck/mctelem.c:277 \
mctelem_has_deferred() warn: potential spectre issue '__per_cpu_offset' [w] [mce] 129 \
xen/arch/x86/cpu/mcheck/mctelem.c:284 mctelem_has_deferred_lmce() warn: potential spectre issue \
'__per_cpu_offset' [w] [mce] 129 xen/arch/x86/cpu/mcheck/vmce.c:122 bank_mce_rdmsr() warn: \
potential spectre issue 'v->arch.vmce.bank' [r] (local cap) [mce] 129 \
xen/arch/x86/cpu/mcheck/vmce.c:258 bank_mce_wrmsr() warn: potential spectre issue \
'v->arch.vmce.bank' [w] (local cap) [init] 129 xen/arch/x86/cpu/mtrr/generic.c:103 \
mtrr_attrib_to_str() warn: potential spectre issue 'strings' [r] (local cap) [bound] 129 \
xen/arch/x86/cpu/mtrr/generic.c:493 generic_set_mtrr() warn: potential spectre issue \
'mtrr_state.var_ranges' [r] [constant] 129 xen/arch/x86/cpu/mtrr/main.c:78 \
mtrr_attrib_to_str() warn: potential spectre issue 'mtrr_strings' [r] (local cap) [bound] 129 \
xen/arch/x86/cpu/mwait-idle.c:1162 mwait_idle_cpu_init() warn: potential spectre issue \
'processor_powers' [r] [bound] 129 xen/arch/x86/cpu/vpmu.c:845 cpu_callback() warn: potential \
spectre issue '__per_cpu_offset' [w] [nested/pv] 129 xen/arch/x86/cpu/vpmu_intel.c:673 \
core2_vpmu_do_wrmsr() warn: potential spectre issue 'xen_pmu_cntr_pair' [w] (local cap) [pv] \
129 xen/arch/x86/debug.c:109 dbg_pv_va2mfn() warn: potential spectre issue 'l4t' [r] [pv] 129 \
xen/arch/x86/debug.c:121 dbg_pv_va2mfn() warn: potential spectre issue 'l3t' [r] [pv] 129 \
xen/arch/x86/debug.c:135 dbg_pv_va2mfn() warn: potential spectre issue 'l2t' [r] [pv] 129 \
xen/arch/x86/debug.c:147 dbg_pv_va2mfn() warn: potential spectre issue 'l1t' [r] [init] 129 \
xen/arch/x86/dmi_scan.c:439 dmi_save_ident() warn: potential spectre issue 'd' [r] [init] 129 \
xen/arch/x86/dmi_scan.c:444 dmi_save_ident() warn: potential spectre issue 'dmi_ident' [w] \
[init] 129 xen/arch/x86/dmi_scan.c:446 dmi_save_ident() warn: potential spectre issue \
'dmi_ident' [w] [init] 129 xen/arch/x86/dmi_scan.c:762 dmi_get_date() warn: potential spectre \
issue 'dmi_ident' [r] (local cap) [bound] 129 xen/arch/x86/domain.c:49 tasklet_work_to_do() \
warn: potential spectre issue '__per_cpu_offset' [w] [boot] 129 xen/arch/x86/efi/boot.c:1354 \
copy_mapping() warn: potential spectre issue 'efi_l4_pgtable' [r] [boot] 129 \
xen/arch/x86/efi/boot.c:1366 copy_mapping() warn: potential spectre issue 'efi_l4_pgtable' [w] \
[boot] 129 xen/arch/x86/efi/boot.c:1372 copy_mapping() warn: potential spectre issue 'l3dst' \
[w] [boot] 129 xen/arch/x86/efi/boot.c:366 PrintErrMesg() warn: potential spectre issue \
'ErrCodeToStr' [r] (local cap) [boot] 129 xen/arch/x86/efi/boot.c:531 split_string() warn: \
potential spectre issue '_ctype' [w] (local cap) [efi] 258 xen/arch/x86/efi/runtime.c:10 \
efi_update_l4_pgtable() warn: potential spectre issue 'efi_l4_pgtable' [w] [cpu-up] 129 \
xen/arch/x86/genapic/x2apic.c:200 update_clusterinfo() warn: potential spectre issue \
'__per_cpu_offset' [w] [bound] 129 xen/arch/x86/genapic/x2apic.c:38 x2apic_cluster() warn: \
potential spectre issue '__per_cpu_offset' [w] [hard-to-trigger] 129 \
xen/arch/x86/genapic/x2apic.c:77 vector_allocation_cpumask_x2apic_cluster() warn: potential \
spectre issue '__per_cpu_offset' [w] [bound] 129 xen/arch/x86/hpet.c:105 hpet_next_event() \
warn: potential spectre issue '((VMAP_VIRT_END - ((1) << 12)) - ((197) << 12))' [w] [bound] \
129 xen/arch/x86/hpet.c:446 hpet_get_channel() warn: potential spectre issue 'hpet_events' [r] \
[bound] 129 xen/arch/x86/hpet.c:497 hpet_attach_channel() warn: potential spectre issue \
'__per_cpu_offset' [w] [bound] 129 xen/arch/x86/hpet.c:516 hpet_detach_channel() warn: \
potential spectre issue '__per_cpu_offset' [w] [constant] 129 xen/arch/x86/hvm/dm.c:48 \
_raw_copy_from_guest_buf_offset() warn: potential spectre issue 'args->buf' [r] (local cap) \
[constant] 129 xen/arch/x86/hvm/emulate.c:1157 hvmemul_insn_fetch() warn: potential spectre \
issue 'hvmemul_ctxt->insn_buf' [w] (local cap) [constant] 129 \
xen/arch/x86/hvm/emulate.c:1894 hvmemul_write_segment() warn: potential spectre issue \
'hvmemul_ctxt->seg_reg' [w] (local cap) [fixed] 129 xen/arch/x86/hvm/emulate.c:1938 \
hvmemul_read_cr() warn: potential spectre issue \
'((get_cpu_info().current_vcpu)).arch.hvm_vcpu.guest_cr' [r] [fixed] 129 \
xen/arch/x86/hvm/emulate.c:2562 hvmemul_get_seg_reg() warn: potential spectre issue \
'hvmemul_ctxt->seg_reg' [w] (local cap) [bound] 129 xen/arch/x86/hvm/emulate.c:890 \
hvmemul_phys_mmio_access() warn: potential spectre issue 'buffer' [w] (local cap) [bound] \
129 xen/arch/x86/hvm/hpet.c:113 hpet_get_comparator() warn: potential spectre issue \
'h->hpet.timers' [w] [bound] 129 xen/arch/x86/hvm/hpet.c:217 hpet_stop_timer() warn: \
potential spectre issue 'h->pt' [w] (local cap) [bound] 129 xen/arch/x86/hvm/hpet.c:267 \
hpet_set_timer() warn: potential spectre issue 'h->pt' [w] (local cap) [bound] 129 \
xen/arch/x86/hvm/hpet.c:278 hpet_set_timer() warn: potential spectre issue 'h->hpet.timers' [r] \
(local cap) [bound] 129 xen/arch/x86/hvm/hpet.c:289 hpet_set_timer() warn: potential spectre \
issue 'h->hpet.period' [r] (local cap) [constant] 129 xen/arch/x86/hvm/hvm.c:108 \
vlapic_set_reg() warn: potential spectre issue 'vlapic->regs->data' [w] [fixed] 129 \
xen/arch/x86/hvm/hvm.c:2125 hvm_mov_from_cr() warn: potential spectre issue \
'curr->arch.hvm_vcpu.guest_cr' [r] [constant] 129 xen/arch/x86/hvm/hvm.c:2182 \
hvm_update_cr() warn: potential spectre issue 'v->arch.hvm_vcpu.guest_cr' [w] [fixed] 129 \
xen/arch/x86/hvm/hvm.c:3486 hvm_msr_read_intercept() warn: potential spectre issue \
'fixed_range_base' [r] [fixed] 129 xen/arch/x86/hvm/hvm.c:3498 hvm_msr_read_intercept() \
warn: potential spectre issue 'var_range_base' [r] [constant] 129 xen/arch/x86/hvm/hvm.c:557 \
hvm_print_line() warn: potential spectre issue '_ctype' [w] [nested] 129 \
xen/arch/x86/hvm/hvm.c:80 nestedhvm_set_cr() warn: potential spectre issue \
'v->arch.hvm_vcpu.nvcpu.guest_cr' [w] [bound] 129 xen/arch/x86/hvm/i8254.c:128 pit_set_gate() \
warn: potential spectre issue 'pit->hw.channels' [r] [bound] 128 xen/arch/x86/hvm/i8254.c:146 \
pit_set_gate() warn: potential spectre issue 'pit->count_load_time' [w] [bound] 129 \
xen/arch/x86/hvm/i8254.c:156 pit_get_gate() warn: potential spectre issue 'pit->hw.channels' \
[r] [bound] 129 xen/arch/x86/hvm/i8254.c:169 pit_load_count() warn: potential spectre issue \
'pit->hw.channels' [r] [bound] 129 xen/arch/x86/hvm/i8254.c:178 pit_load_count() warn: \
potential spectre issue 'pit->count_load_time' [w] [bound] 129 xen/arch/x86/hvm/i8254.c:212 \
pit_latch_count() warn: potential spectre issue 'pit->hw.channels' [r] [bound] 129 \
xen/arch/x86/hvm/i8254.c:225 pit_latch_status() warn: potential spectre issue \
'pit->hw.channels' [r] [bound] 129 xen/arch/x86/hvm/i8254.c:63 pit_get_count() warn: \
potential spectre issue 'pit->hw.channels' [r] [bound] 129 xen/arch/x86/hvm/i8254.c:68 \
pit_get_count() warn: potential spectre issue 'pit->count_load_time' [r] [bound] 129 \
xen/arch/x86/hvm/i8254.c:92 pit_get_out() warn: potential spectre issue 'pit->hw.channels' [r] \
[bound] 129 xen/arch/x86/hvm/i8254.c:99 pit_get_out() warn: potential spectre issue \
'pit->count_load_time' [r] [constant] 129 xen/arch/x86/hvm/ioreq.c:1056 \
hvm_map_io_range_to_ioreq_server() warn: potential spectre issue 's->range' [r] [constant] \
129 xen/arch/x86/hvm/ioreq.c:1113 hvm_unmap_io_range_from_ioreq_server() warn: potential \
spectre issue 's->range' [r] [dm_op] 129 xen/arch/x86/hvm/ioreq.c:41 set_ioreq_server() warn: \
potential spectre issue 'd->arch.hvm_domain.ioreq_server.server' [w] (local cap) [constant] \
129 xen/arch/x86/hvm/ioreq.c:55 get_ioreq_server() warn: potential spectre issue \
'd->arch.hvm_domain.ioreq_server.server' [r] (local cap) [bound] 123 \
[bound] 129 xen/arch/x86/hvm/irq.c:170 hvm_gsi_assert() warn: potential spectre issue \
'hvm_irq->gsi_assert_count' [w] (local cap) [dom0] 129 xen/arch/x86/hvm/irq.c:187 \
hvm_gsi_deassert() warn: potential spectre issue 'hvm_irq->gsi_assert_count' [w] (local cap) \
[constant] 129 xen/arch/x86/hvm/irq.c:321 hvm_set_pci_link_route() warn: potential spectre \
issue 'hvm_irq->pci_link.route' [r] (local cap) [shadow] 129 xen/arch/x86/hvm/mtrr.c:142 \
pat_type_2_pte_flags() warn: potential spectre issue 'pat_entry_tbl' [r] [bound] 129 \
xen/arch/x86/hvm/mtrr.c:213 get_mtrr_type() warn: potential spectre issue 'm->fixed_ranges' [r] \
[shadow] 128 xen/arch/x86/hvm/mtrr.c:325 effective_mm_type() warn: potential spectre issue \
'mm_type_tbl' [r] [bound] 129 xen/arch/x86/hvm/mtrr.c:433 mtrr_fix_range_msr_set() warn: \
potential spectre issue 'fixed_range_base' [w] [bound] 129 xen/arch/x86/hvm/mtrr.c:467 \
mtrr_var_range_msr_set() warn: potential spectre issue 'var_range_base' [w] (local cap) [bound] \
129 xen/arch/x86/hvm/stdvga.c:89 vram_getb() warn: potential spectre issue 'p' [r] [bound] \
129 xen/arch/x86/hvm/stdvga.c:96 vram_getl() warn: potential spectre issue 'p' [r] [amd] 129 \
xen/arch/x86/hvm/svm/svm.c:1560 svm_cpu_dead() warn: potential spectre issue '__per_cpu_offset' \
[w] [amd] 129 xen/arch/x86/hvm/svm/svm.c:1578 svm_cpu_up_prepare() warn: potential spectre \
issue '__per_cpu_offset' [w] [amd] 129 xen/arch/x86/hvm/svm/svm.c:1580 svm_cpu_up_prepare() \
warn: potential spectre issue 'cpu_to_node' [r] [amd] 129 xen/arch/x86/hvm/svm/svm.c:2037 \
svm_msr_read_intercept() warn: potential spectre issue 'v->arch.hvm_vcpu.u.svm.dr_mask' [r] \
[amd] 129 xen/arch/x86/hvm/svm/svm.c:2237 svm_msr_write_intercept() warn: potential spectre \
issue 'v->arch.hvm_vcpu.u.svm.dr_mask' [w] [amd] 129 xen/arch/x86/hvm/svm/svm.c:726 \
svm_get_segment_register() warn: potential spectre issue 'vmcb->sreg' [r] [amd] 129 \
xen/arch/x86/hvm/svm/svm.c:800 svm_set_segment_register() warn: potential spectre issue \
'vmcb->sreg' [w] [fixed] 129 xen/arch/x86/hvm/vioapic.c:219 vioapic_write_redirent() warn: \
potential spectre issue 'vioapic->redirtbl' [r] [fixed] 129 xen/arch/x86/hvm/vioapic.c:381 \
vioapic_deliver() warn: potential spectre issue 'vioapic->redirtbl' [r] [fixed] 129 \
xen/arch/x86/hvm/vioapic.c:481 vioapic_irq_positive_edge() warn: potential spectre issue \
'vioapic->redirtbl' [r] (local cap) [bound] 129 xen/arch/x86/hvm/vioapic.c:558 \
vioapic_get_vector() warn: potential spectre issue 'vioapic->redirtbl' [r] [fixed] 129 \
xen/arch/x86/hvm/vioapic.c:569 vioapic_get_trigger_mode() warn: potential spectre issue \
'vioapic->redirtbl' [r] [constant] 129 xen/arch/x86/hvm/vmsi.c:237 msixtbl_read() warn: \
potential spectre issue 'entry->gentries[nr_entry].msi_ad' [r] [constant] 129 \
xen/arch/x86/hvm/vmsi.c:295 msixtbl_write() warn: potential spectre issue \
'entry->gentries[nr_entry].msi_ad' [w] [vmx] 129 xen/arch/x86/hvm/vmx/vmcs.c:592 \
vmx_cpu_up_prepare() warn: potential spectre issue '__per_cpu_offset' [w] [vmx] 129 \
xen/arch/x86/hvm/vmx/vmcs.c:606 vmx_cpu_dead() warn: potential spectre issue '__per_cpu_offset' \
[w] [vmx] 129 xen/arch/x86/hvm/vmx/vmx.c:1076 vmx_get_segment_register() warn: potential \
spectre issue 'v->arch.hvm_vcpu.u.vmx.vm86_saved_seg' [r] (local cap) [vmx] 129 \
xen/arch/x86/hvm/vmx/vmx.c:1116 vmx_set_segment_register() warn: potential spectre issue \
'v->arch.hvm_vcpu.u.vmx.vm86_saved_seg' [w] (local cap) [vmx] 129 \
xen/arch/x86/hvm/vmx/vmx.c:139 pi_get_pir() warn: potential spec:tre issue 'pi_desc->pir' [r] \
[vmx] 129 xen/arch/x86/hvm/vmx/vmx.c:206 vmx_pi_desc_fixup() warn: potential spectre issue \
'__per_cpu_offset' [w] [vmx] 129 xen/arch/x86/hvm/vmx/vmx.c:97 vmx_pi_per_cpu_init() warn: \
potential spectre issue '__per_cpu_offset' [w] [vmx] 129 xen/arch/x86/hvm/vmx/vvmx.c:2698 \
nvmx_set_cr_read_shadow() warn: potential spectre issue 'v->arch.hvm_vcpu.guest_cr' [w] [vmx] \
129 xen/arch/x86/hvm/vmx/vvmx.c:2704 nvmx_set_cr_read_shadow() warn: potential spectre issue \
'v->arch.hvm_vcpu.nvcpu.guest_cr' [w] [vmx] 129 xen/arch/x86/hvm/vmx/vvmx.c:43 \
nvmx_cpu_up_prepare() warn: potential spectre issue '__per_cpu_offset' [w] [vmx] 129 \
xen/arch/x86/hvm/vmx/vvmx.c:56 nvmx_cpu_dead() warn: potential spectre issue '__per_cpu_offset' \
[w] [constant] 129 xen/arch/x86/hvm/vpic.c:337 vpic_intercept_pic_io() warn: potential \
spectre issue '((get_cpu_info().current_vcpu)).domain.arch.hvm_domain.vpic' [r] [constant] \
129 xen/arch/x86/hvm/vpic.c:355 vpic_intercept_elcr_io() warn: potential spectre issue \
'((get_cpu_info().current_vcpu)).domain.arch.hvm_domain.vpic' [r] [constant] 129 \
xen/arch/x86/hvm/vpic.c:450 vpic_irq_positive_edge() warn: potential spectre issue \
'd->arch.hvm_domain.vpic' [r] [constant] 129 xen/arch/x86/hvm/vpic.c:468 \
vpic_irq_negative_edge() warn: potential spectre issue 'd->arch.hvm_domain.vpic' [r] [bound?] \
129 xen/arch/x86/i8259.c:106 _disable_8259A_irq() warn: potential spectre issue '(null)' [w] \
[init] 129 xen/arch/x86/i8259.c:331 make_8259A_irq() warn: potential spectre issue 'irq_desc' \
[w] [dom0] 129 xen/arch/x86/io_apic.c:134 add_pin_to_irq() warn: potential spectre issue \
'irq_2_pin' [w] [boot-only?] 129 xen/arch/x86/io_apic.c:136 __io_apic_read() warn: potential \
spectre issue 'mp_ioapics' [w] [boot-only?] 129 xen/arch/x86/io_apic.c:141 \
remove_pin_from_irq() warn: potential spectre issue 'irq_2_pin' [r] [boot-only?] 129 \
xen/arch/x86/io_apic.c:149 __io_apic_write() warn: potential spectre issue 'mp_ioapics' [w] \
[boot-only?] 129 xen/arch/x86/io_apic.c:1609 io_apic_level_ack_pending() warn: potential \
spectre issue 'irq_2_pin' [r] [boot-only?] 129 xen/arch/x86/io_apic.c:167 \
set_native_irq_info() warn: potential spectre issue 'irq_desc' [w] [boot-only?] 129 \
xen/arch/x86/io_apic.c:168 io_apic_modify() warn: potential spectre issue 'mp_ioapics' [w] \
[boot-only?] 129 xen/arch/x86/io_apic.c:2200 io_apic_set_pci_routing() warn: potential \
spectre issue 'irq_desc' [r] [bonud] 1 xen/arch/x86/io_apic.c:2358 ioapic_guest_write() \
warn: potential spectre issue 'irq_desc' [r] (local cap) [boot-only?] 129 \
xen/arch/x86/io_apic.c:737 MPBIOS_polarity() warn: potential spectre issue 'mp_irqs' [r] \
[boot-only?] 129 xen/arch/x86/io_apic.c:77 share_vector_maps() warn: potential spectre issue \
'vector_map' [w] [boot-only?] 129 xen/arch/x86/io_apic.c:811 MPBIOS_trigger() warn: \
potential spectre issue 'mp_irqs' [r] [bound] 128 xen/arch/x86/io_apic.c:86 \
share_vector_maps() warn: potential spectre issue 'irq_desc' [r] (local cap) [boot-only?] \
129 xen/arch/x86/io_apic.c:896 pin_2_irq() warn: potential spectre issue 'mp_irqs' [r] \
[boot-only?] 129 xen/arch/x86/io_apic.c:971 ioapic_register_intr() warn: potential spectre \
issue 'irq_desc' [w] [__init] 129 xen/arch/x86/irq.c:1003 release_irq() warn: potential \
spectre issue 'irq_desc' [r] [__init] 129 xen/arch/x86/irq.c:1027 setup_irq() warn: \
potential spectre issue 'irq_desc' [r] [bound] 129 xen/arch/x86/irq.c:1153 __do_IRQ_guest() \
warn: potential spectre issue 'irq_desc' [r] [__init] 129 xen/arch/x86/irq.c:119 \
__bind_irq_vector() warn: potential spectre issue 'irq_desc' [r] [init] 1 \
xen/arch/x86/irq.c:182 create_irq() warn: potential spectre issue 'node_to_cpumask' [r] (local \
cap) [bonud] 129 xen/arch/x86/irq.c:249 __clear_irq_vector() warn: potential spectre issue \
'irq_desc' [r] [hard-to-trigger] 129 xen/arch/x86/irq.c:317 irq_to_vector() warn: potential \
spectre issue 'irq_desc' [r] (local cap) [hard-to-trigger] 129 xen/arch/x86/irq.c:409 \
irq_get_used_vector_mask() warn: potential spectre issue 'irq_desc' [r] [microcode] 129 \
xen/arch/x86/microcode_amd.c:158 microcode_fits() warn: potential spectre issue \
'__per_cpu_offset' [w] [microcode] 129 xen/arch/x86/microcode_amd.c:196 apply_microcode() \
warn: potential spectre issue '__per_cpu_offset' [w] [microcode] 129 \
xen/arch/x86/microcode_amd.c:378 check_final_patch_levels() warn: potential spectre issue \
'__per_cpu_offset' [w] [microcode] 129 xen/arch/x86/microcode_amd.c:398 \
cpu_request_microcode() warn: potential spectre issue '__per_cpu_offset' [w] [microcode] 129 \
xen/arch/x86/microcode_amd.c:566 microcode_resume_match() warn: potential spectre issue \
'__per_cpu_offset' [w] [microcode] 129 xen/arch/x86/microcode_amd.c:83 collect_cpu_info() \
warn: potential spectre issue 'cpu_data' [r] [microcode] 129 xen/arch/x86/microcode.c:198 \
__microcode_fini_cpu() warn: potential spectre issue '__per_cpu_offset' [w] [microcode] 129 \
xen/arch/x86/microcode.c:214 microcode_resume_cpu() warn: potential spectre issue \
'__per_cpu_offset' [w] [microcode] 129 xen/arch/x86/microcode_intel.c:134 \
microcode_update_match() warn: potential spectre issue '__per_cpu_offset' [w] [microcode] \
129 xen/arch/x86/microcode_intel.c:237 get_matching_microcode() warn: potential spectre issue \
'__per_cpu_offset' [w] [microcode] 129 xen/arch/x86/microcode_intel.c:94 collect_cpu_info() \
warn: potential spectre issue 'cpu_data' [r] [bit-and] 77 xen/arch/x86/mm/guest_walk.c:136 \
guest_walk_tables_4_levels() warn: potential spectre issue 'l4p' [r] [bit-and] 77 \
xen/arch/x86/mm/guest_walk.c:166 guest_walk_tables_4_levels() warn: potential spectre issue \
'l3p' [r] [vmx] 128 xen/arch/x86/mm/hap/nested_ept.c:174 nept_walk_tables() warn: potential \
spectre issue 'lxp' [r] [constant] 129 xen/arch/x86/mm/mem_access.c:362 p2m_set_mem_access() \
warn: potential spectre issue 'd->arch.altp2m_p2m' [r] (local cap) [constant] 129 \
xen/arch/x86/mm/mem_access.c:417 p2m_set_mem_access_multi() warn: potential spectre issue \
'd->arch.altp2m_p2m' [r] (local cap) [mem-sharing] 387 xen/arch/x86/mm/mem_sharing.c:407 \
mem_sharing_lookup() warn: potential spectre issue 'RDWR_MPT_VIRT_START' [w] [hard to trigger] \
129 xen/arch/x86/mm/p2m.c:739 p2m_remove_page() warn: potential spectre issue \
'RDWR_MPT_VIRT_START' [w] [bound] 129 xen/arch/x86/mm/p2m-ept.c:1304 memory_type_to_str() \
warn: potential spectre issue 'memory_types' [r] (local cap) [bound] 129 \
xen/arch/x86/mm/p2m-ept.c:1377 p2m_init_altp2m_ept() warn: potential spectre issue \
'd->arch.altp2m_p2m' [r] [bound] 129 xen/arch/x86/mm/p2m-ept.c:1384 p2m_init_altp2m_ept() \
warn: potential spectre issue 'd->arch.altp2m_eptp' [w] [hard-to-trigger] 129 \
xen/arch/x86/mm/p2m-ept.c:453 ept_invalidate_emt_range() warn: potential spectre issue 'table' \
[r] [bound] 129 xen/arch/x86/mm/p2m-ept.c:523 resolve_misconfig() warn: potential spectre \
issue 'epte' [r] [shadow] 129 xen/arch/x86/mm/shadow/common.c:147 hvm_get_seg_reg() warn: \
potential spectre issue 'sh_ctxt->seg_reg' [r] (local cap) [shadow] 129 \
xen/arch/x86/mm/shadow/common.c:262 hvm_emulate_insn_fetch() warn: potential spectre issue \
'sh_ctxt->insn_buf' [w] [shadow] 129 xen/arch/x86/mm/shadow/common.c:337 shadow_size() warn: \
potential spectre issue 'sh_type_to_size' [r] (local cap) [shadow] 129 \
xen/arch/x86/mm/shadow/multi.c:227 shadow_check_gwalk() warn: potential spectre issue 'l4p' [r] \
[shadow] 128 xen/arch/x86/mm/shadow/multi.c:2289 validate_gl1e() warn: potential spectre \
issue 'snp' [w] [shadow] 129 xen/arch/x86/mm/shadow/multi.c:229 shadow_check_gwalk() warn: \
potential spectre issue 'l3p' [r] [shadow] 129 xen/arch/x86/mm/shadow/multi.c:236 \
shadow_check_gwalk() warn: potential spectre issue 'l2p' [r] [shadow] 6 \
xen/arch/x86/mm/shadow/multi.c:2460 sh_map_and_validate() warn: potential spectre issue 'sl1p' \
[r] [shadow] 129 xen/arch/x86/mm/shadow/multi.c:246 shadow_check_gwalk() warn: potential \
spectre issue 'l1p' [r] [shadow] 129 xen/arch/x86/mm/shadow/multi.c:3568 \
sh_invlpg__guest_4() warn: potential spectre issue '(null)' [w] [shadow] 129 \
xen/arch/x86/mm/shadow/multi.c:3911 sh_set_toplevel_shadow() warn: potential spectre issue \
'v->arch.shadow_table' [r] [shadow] 127 xen/arch/x86/mm/shadow/multi.c:731 _sh_propagate() \
warn: potential spectre issue 'fetch_type_names' [w] (local cap) [shadow] 129 \
xen/arch/x86/mm/shadow/multi.c:792 vtlb_lookup() warn: potential spectre issue \
'v->arch.paging.vtlb' [r] [constant] 129 xen/arch/x86/msi.c:578 alloc_msi_entry() warn: \
potential spectre issue 'entry' [w] [constant] 129 xen/arch/x86/msi.c:790 read_pci_mem_bar() \
warn: potential spectre issue 'pdev->vf_rlen' [r] (local cap) [constant] 129 \
xen/arch/x86/msi.c:87 msix_get_fixmap() warn: potential spectre issue 'msix->table_refcnt' [w] \
(local cap) [constant] 129 xen/arch/x86/msi.c:91 msix_get_fixmap() warn: potential spectre \
issue 'msix->table_idx' [w] (local cap) [bound] 129 xen/arch/x86/nmi.c:427 cpu_nmi_callback() \
warn: potential spectre issue '__per_cpu_offset' [w] [const-cpus] 129 xen/arch/x86/numa.c:174 \
setup_node_bootmem() warn: potential spectre issue 'node_data' [w] [const-cpus] 129 \
xen/arch/x86/numa.c:285 numa_add_cpu() warn: potential spectre issue 'cpu_to_node' [w] \
[const-cpus] 129 xen/arch/x86/numa.c:290 numa_set_node() warn: potential spectre issue \
'cpu_to_node' [w] [const-cpus] 2 xen/arch/x86/numa.c:87 populate_memnodemap() warn: \
potential spectre issue 'memnodemap' [w] [const-cpus] 127 xen/arch/x86/numa.c:89 \
populate_memnodemap() warn: potential spectre issue 'memnodemap' [w] [oprofile] 129 \
xen/arch/x86/oprofile/nmi_int.c:89 nmi_callback() warn: potential spectre issue 'cpu_msrs' [r] \
[oprofile] 108 xen/arch/x86/oprofile/op_model_p4.c:493 pmc_setup_one_p4_counter() warn: \
potential spectre issue 'counter_config' [r] [oprofile] 108 \
xen/arch/x86/oprofile/op_model_p4.c:513 pmc_setup_one_p4_counter() warn: potential spectre \
issue 'p4_counters' [w] [oprofile] 129 xen/arch/x86/oprofile/op_model_ppro.c:264 \
ppro_load_msr() warn: potential spectre issue 'msrs' [r] [oprofile] 129 \
xen/arch/x86/oprofile/op_model_ppro.c:279 ppro_save_msr() warn: potential spectre issue 'msrs' \
[w] [hard-to-trigger] 129 xen/arch/x86/percpu.c:37 init_percpu_area() warn: potential spectre \
issue '__per_cpu_offset' [w] [hard-to-trigger] 129 xen/arch/x86/percpu.c:60 \
free_percpu_area() warn: potential spectre issue '__per_cpu_offset' [w] [constant] 129 \
xen/arch/x86/physdev.c:58 physdev_hvm_map_pirq() warn: potential spectre issue \
'hvm_irq_dpci->girq' [r] (local cap) [domctl] 129 xen/arch/x86/psr.c:1003 \
insert_val_into_array() warn: potential spectre issue 'feat_props' [r] (local cap) [loop] 129 \
xen/arch/x86/psr.c:1072 compare_val() warn: potential spectre issue 'feat->cos_reg_val' [r] \
[bound] 129 xen/arch/x86/psr.c:1090 find_cos() warn: potential spectre issue 'info->features' \
[r] [bound] 129 xen/arch/x86/psr.c:1202 pick_avail_cos() warn: potential spectre issue \
'info->features' [r] [domctl] 128 xen/arch/x86/psr.c:1237 get_socket_cpu() warn: potential \
spectre issue 'socket_cpumask' [r] (local cap) [domctl] 129 xen/arch/x86/psr.c:1348 \
psr_set_val() warn: potential spectre issue 'd->arch.psr_cos_ids' [w] [bound] 129 \
xen/arch/x86/psr.c:1620 psr_cpu_fini() warn: potential spectre issue 'cpu_data' [r] [constant] \
129 xen/arch/x86/psr.c:372 cat_init_feature() warn: potential spectre issue 'info->features' \
[w] (local cap) [arch_do_domctl] 129 xen/arch/x86/psr.c:868 psr_get_val() warn: potential \
spectre issue 'socket_info' [w] [arch_do_domctl] 129 xen/arch/x86/psr.c:869 psr_get_val() \
warn: potential spectre issue 'd->arch.psr_cos_ids' [w] [domctl] 129 xen/arch/x86/psr.c:999 \
insert_val_into_array() warn: potential spectre issue 'info->features' [r] (local cap) [pv] \
129 xen/arch/x86/pv/descriptor-tables.c:241 do_update_descriptor() warn: potential spectre \
issue 'gdt_pent' [w] [pv] 129 xen/arch/x86/pv/dom0_build.c:38 dom0_update_physmap() warn: \
potential spectre issue 'vphysmap_s' [w] [pv] 129 xen/arch/x86/pv/dom0_build.c:42 \
dom0_update_physmap() warn: potential spectre issue 'RDWR_COMPAT_MPT_VIRT_START' [w] [pv] \
129 xen/arch/x86/pv/emulate.c:27 gdt_ldt_desc_ptr() warn: potential spectre issue 'tbl' [r] \
[pv] 129 xen/arch/x86/pv/emul-priv-op.c:1126 write_msr() warn: potential spectre issue \
'curr->arch.pv_vcpu.dr_mask' [w] [pv] 129 xen/arch/x86/pv/emul-priv-op.c:709 read_cr() warn: \
potential spectre issue 'curr->arch.pv_vcpu.ctrlreg' [r] [pv] 129 \
xen/arch/x86/pv/emul-priv-op.c:927 read_msr() warn: potential spectre issue \
'curr->arch.pv_vcpu.dr_mask' [r] [pv] 129 xen/arch/x86/pv/mm.c:119 pv_map_ldt_shadow_page() \
warn: potential spectre issue '(curr->domain->arch.pv_domain.gdt_ldt_l1tab[(curr->vcpu_id >> (9 \
- GDT_LDT_VCPU_SHIFT))] + ((curr->vcpu_id << GDT_LDT_VCPU_SHIFT) & ((1 << 9) - 1))) + 16' [r] \
[pv] 129 xen/arch/x86/pv/mm.c:18 guest_get_eff_l1e() warn: potential spectre issue \
'LINEAR_PT_VIRT_START' [w] [pv] 129 xen/arch/x86/pv/mm.c:45 map_guest_l1e() warn: potential \
spectre issue '((LINEAR_PT_VIRT_START) + ((LINEAR_PT_VIRT_START & (((1) << 48) - 1)) >> 12))' \
[w] [pv] 128 xen/arch/x86/pv/traps.c:67 pv_inject_event() warn: potential spectre issue \
'curr->arch.pv_vcpu.trap_ctxt' [r] (local cap) [init] 129 xen/arch/x86/setup.c:221 \
initial_images_nrpages() warn: potential spectre issue 'node_data' [r] [boot] 129 \
xen/arch/x86/setup.c:266 srat_detect_node() warn: potential spectre issue 'x86_cpu_to_apicid' \
[r] [boot] 129 xen/arch/x86/smpboot.c:1004 cpu_smpboot_alloc() warn: potential spectre issue \
'idt_tables' [w] [boot] 129 xen/arch/x86/smpboot.c:100 smp_store_cpu_info() warn: potential \
spectre issue 'cpu_data' [w] [bound] 129 xen/arch/x86/smpboot.c:1184 remove_siblinginfo() \
warn: potential spectre issue 'cpu_data' [w] [bound] 129 xen/arch/x86/smpboot.c:1190 \
remove_siblinginfo() warn: potential spectre issue '__per_cpu_offset' [w] [boot] 129 \
xen/arch/x86/smpboot.c:1261 cpu_add() warn: potential spectre issue 'x86_acpiid_to_apicid' [w] \
[bound] 129 xen/arch/x86/smpboot.c:233 link_thread_siblings() warn: potential spectre issue \
'__per_cpu_offset' [w] [boot] 1 xen/arch/x86/smpboot.c:279 set_cpu_sibling_map() warn: \
potential spectre issue 'c' [w] (local cap) [bit-and] 129 xen/arch/x86/smpboot.c:722 \
[init] 129 xen/arch/x86/srat.c:140 cutoff_node() warn: potential spectre issue 'nodes' [r]
[bound] 129 xen/arch/x86/srat.c:47 node_found() warn: potential spectre issue 'pxm2node' [r]
[cpu_up] 1 xen/arch/x86/sysctl.c:64 cpu_up_helper() warn: potential spectre issue \
'__per_cpu_offset' [w] [tboot] 129 xen/arch/x86/tboot.c:87 tboot_copy_memory() warn: \
potential spectre issue 'map_addr' [r] [bit-and] 127 xen/arch/x86/traps.c:1241 \
__page_fault_type() warn: potential spectre issue 'l4t' [r] [bit-and] 127 \
xen/arch/x86/traps.c:1250 __page_fault_type() warn: potential spectre issue 'l3t' [r] [bit-and] \
127 xen/arch/x86/traps.c:1261 __page_fault_type() warn: potential spectre issue 'l2t' [r] \
[bit-and] 127 xen/arch/x86/traps.c:1272 __page_fault_type() warn: potential spectre issue \
'l1t' [r] [init] 129 xen/arch/x86/traps.c:1905 __set_intr_gate() warn: potential spectre \
issue 'idt_table' [w] [constant] 129 xen/arch/x86/traps.c:2194 set_debugreg() warn: potential \
spectre issue 'v->arch.debugreg' [w] [hard to trigger] 129 xen/arch/x86/traps.c:552 \
show_stack_overflow() warn: potential spectre issue 'stack_base' [w] [bit-and] 129 \
xen/arch/x86/x86_64/mm.c:1213 handle_memadd_fault() warn: potential spectre issue 'pl2e' [r] \
[bit-and] 129 xen/arch/x86/x86_64/traps.c:193 show_page_walk() warn: potential spectre issue \
'l4t' [r] [bit-and] 129 xen/arch/x86/x86_64/traps.c:205 show_page_walk() warn: potential \
spectre issue 'l3t' [r] [bit-and] 129 xen/arch/x86/x86_64/traps.c:219 show_page_walk() warn: \
potential spectre issue 'l2t' [r] [bit-and] 129 xen/arch/x86/x86_64/traps.c:233 \
show_page_walk() warn: potential spectre issue 'l1t' [r] [constant] 129 \
xen/arch/x86/x86_emulate.c:105 x86emul_read_dr() warn: potential spectre issue \
'curr->arch.debugreg' [r] [hard-to-trigger] 129 xen/common/bitmap.c:52 clamp_last_byte() \
warn: potential spectre issue 'bp' [w] [bound?] 129 xen/common/compat/domain.c:42 \
compat_vcpu_op() warn: potential spectre issue 'd->vcpu' [r] (local cap) [loop] 129 \
xen/common/compat/memory.c:290 compat_memory_op() warn: potential spectre issue 'idxs' [w] \
(local cap) [loop] 129 xen/common/compat/memory.c:291 compat_memory_op() warn: potential \
spectre issue 'gpfns' [w] (local cap) [constant] 128 xen/common/domain.c:121 \
vcpu_info_reset() warn: potential spectre issue '(d->shared_info)->vcpu_info' [r] (local cap) \
[bound] 129 xen/common/domain.c:1299 do_vcpu_op() warn: potential spectre issue 'd->vcpu' \
[r] (local cap) [constant] 129 xen/common/event_channel.c:113 evtchn_from_port() warn: \
potential spectre issue 'd->evtchn' [r] (local cap) [fixed] 129 \
xen/common/event_channel.c:114 evtchn_from_port() warn: potential spectre issue \
'd->evtchn_group' [r] [fixed] 129 xen/common/event_channel.c:173 evtchn_allocate_port() \
warn: potential spectre issue 'd->evtchn_group' [w] [fixed] 129 \
xen/common/event_channel.c:177 evtchn_port_set_pending() warn: potential spectre issue \
'd->vcpu' [w] [fixed] 129 xen/common/event_channel.c:725 guest_enabled_event() warn: \
potential spectre issue 'v->virq_to_evtchn' [r] [constant] 129 \
xen/common/event_channel.c:738 send_guest_vcpu_virq() warn: potential spectre issue \
'v->virq_to_evtchn' [r] [fixed] 129 xen/common/event_channel.c:767 send_guest_global_virq() \
warn: potential spectre issue 'v->virq_to_evtchn' [r] [fixed] 129 \
xen/common/event_channel.c:807 send_global_virq() warn: potential spectre issue \
'global_virq_handlers' [w] [fixed] 129 xen/common/event_channel.c:826 \
set_global_virq_handler() warn: potential spectre issue 'global_virq_handlers' [r] (local cap) \
[fixed] 129 xen/common/event_fifo.c:39 evtchn_fifo_word_from_port() warn: potential spectre \
issue 'd->evtchn_fifo.event_array' [r] [bound] 129 xen/common/grant_table.c:2345 \
release_grant_for_copy() warn: potential spectre issue 'rgt->status' [r] [dom0] 129 \
xen/common/grant_table.c:3903 gnttab_map_frame() warn: potential spectre issue 'gt->shared_raw' \
[r] (local cap) [unlikely] 129 xen/common/grant_table.c:533 put_maptrack_handle() warn: \
potential spectre issue 't->maptrack' [w] [bound] 129 xen/common/guestcopy.c:27 \
safe_copy_string_from_guest() warn: potential spectre issue 'tmp' [w] (local cap) [init] 129 \
xen/common/gunzip.c:375 huft_build() warn: potential spectre issue 'c' [w] [init] 129 \
xen/common/gunzip.c:433 huft_build() warn: potential spectre issue 'x' [w] [init] 129 \
xen/common/gunzip.c:609 inflate_codes() warn: potential spectre issue 'mask_bits' [r] [kexec] \
129 xen/common/kexec.c:924 kexec_segments_add_segment() warn: potential spectre issue \
'segments' [w] [kexec] 1 xen/common/kexec.c:974 kexec_segments_from_ind_page() warn: \
potential spectre issue 'segments' [w] [interactive] 129 xen/common/keyhandler.c:107 \
register_keyhandler() warn: potential spectre issue 'key_table' [w] (local cap) [interactive] \
129 xen/common/keyhandler.c:119 register_irq_keyhandler() warn: potential spectre issue \
'key_table' [w] (local cap) [interactive] 129 xen/common/keyhandler.c:87 handle_keypress() \
warn: potential spectre issue 'key_table' [r] (local cap) [hard-to-trigger] 128 \
xen/common/libelf/libelf-dominfo.c:144 elf_xen_parse_note() warn: potential spectre issue \
'note_desc' [w] (local cap) [hard-to-trigger] 128 xen/common/libelf/libelf-dominfo.c:145 \
elf_xen_parse_note() warn: potential spectre issue 'parms->elf_notes' [w] (local cap) \
[hard-to-trigger] 129 xen/common/libelf/libelf-dominfo.c:441 elf_xen_feature_set() warn: \
potential spectre issue 'addr' [w] [hard-to-trigger] 129 xen/common/livepatch.c:1609 \
state2str() warn: potential spectre issue 'names' [r] (local cap) [tmem] 129 \
xen/common/lzo.c:136 lzo1x_1_do_compress() warn: potential spectre issue 'dict' [r] [bound] \
129 xen/common/page_alloc.c:1785 avail_heap_pages() warn: potential spectre issue 'avail[i]' \
[r] (local cap) [init] 129 xen/common/page_alloc.c:1888 find_non_smt() warn: potential \
spectre issue 'node_to_cpumask' [w] [bound] 129 xen/common/page_alloc.c:549 init_node_heap() \
warn: potential spectre issue '_heap' [w] [bound] 129 xen/common/page_alloc.c:550 \
init_node_heap() warn: potential spectre issue 'avail' [w] [hard-t-trigger] 129 \
xen/common/page_alloc.c:715 page_list_add_scrub() warn: potential spectre issue '*_heap[node]' \
[w] [constant] 129 xen/common/page_alloc.c:825 get_free_buddy() warn: potential spectre issue \
'*_heap[node]' [r] [hard-to-trigger] 129 xen/common/radix-tree.c:96 radix_tree_maxindex() \
warn: potential spectre issue 'height_to_maxindex' [r] [bound] 129 xen/common/rcupdate.c:441 \
rcu_pending() warn: potential spectre issue '__per_cpu_offset' [w] [bound] 129 \
xen/common/rcupdate.c:452 rcu_needs_cpu() warn: potential spectre issue '__per_cpu_offset' [w] \
[bound-callback] 129 xen/common/rcupdate.c:573 cpu_callback() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 117 xen/common/sched_credit2.c:1284 runq_insert() warn: \
potential spectre issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit2.c:1371 \
tickle_score() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 117 \
xen/common/sched_credit2.c:1493 runq_tickle() warn: potential spectre issue '__per_cpu_offset' \
[w] [schedule] 123 xen/common/sched_credit2.c:2084 csched2_vcpu_sleep() warn: potential \
spectre issue '__per_cpu_offset' [w] [schedule] 126 xen/common/sched_credit2.c:2105 \
csched2_vcpu_wake() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 22 \
xen/common/sched_credit2.c:2231 csched2_cpu_pick() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit2.c:2570 balance_load() warn: \
potential spectre issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit2.c:3269 \
runq_candidate() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_credit2.c:3349 runq_candidate() warn: potential spectre issue 'idle_vcpu' [r] \
[schedule] 129 xen/common/sched_credit2.c:3659 dump_pcpu() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit2.c:3877 csched2_switch_sched() \
warn: potential spectre issue 'idle_vcpu' [w] [schedule] 129 xen/common/sched_credit2.c:3887 \
csched2_switch_sched() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_credit2.c:575 csched2_pcpu() warn: potential spectre issue '__per_cpu_offset' \
[w] [schedule] 129 xen/common/sched_credit2.c:665 smt_idle_mask_set() warn: potential spectre \
issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit2.c:677 \
smt_idle_mask_clear() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 124 \
xen/common/sched_credit2.c:710 get_fallback_cpu() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit2.c:840 same_node() warn: \
potential spectre issue 'cpu_to_node' [r] [schedule] 129 xen/common/sched_credit2.c:845 \
same_socket() warn: potential spectre issue 'cpu_data' [r] [schedule] 24 \
xen/common/sched_credit2.c:883 cpu_to_runqueue() warn: potential spectre issue 'cpu_data' [w] \
[schedule] 129 xen/common/sched_credit2.c:92 pcpu_schedule_lock() warn: potential spectre \
issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit.c:104 \
pcpu_schedule_lock_irqsave() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] \
129 xen/common/sched_credit.c:107 pcpu_schedule_unlock_irqrestore() warn: potential spectre \
issue '__per_cpu_offset' [w] [schedule] 123 xen/common/sched_credit.c:1099 \
csched_vcpu_sleep() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 126 \
xen/common/sched_credit.c:1121 csched_vcpu_wake() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit.c:116 pcpu_schedule_trylock() \
warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_credit.c:1333 csched_runq_sort() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit.c:1584 csched_tick() warn: \
potential spectre issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit.c:1610 \
csched_runq_steal() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_credit.c:1687 csched_load_balance() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit.c:1692 csched_load_balance() \
warn: potential spectre issue 'cpu_to_node' [r] [schedule] 129 xen/common/sched_credit.c:2244 \
csched_tick_suspend() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_credit.c:2255 csched_tick_resume() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit.c:251 is_runq_idle() warn: \
potential spectre issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit.c:260 \
inc_nr_runnable() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_credit.c:268 dec_nr_runnable() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit.c:528 csched_deinit_pdata() \
warn: potential spectre issue 'cpu_to_node' [r] [schedule] 129 xen/common/sched_credit.c:596 \
init_pdata() warn: potential spectre issue 'cpu_to_node' [w] [schedule] 129 \
xen/common/sched_credit.c:608 init_pdata() warn: potential spectre issue '__per_cpu_offset' [w] \
[schedule] 129 xen/common/sched_credit.c:618 csched_init_pdata() warn: potential spectre \
issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit.c:638 \
csched_switch_sched() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_credit.c:644 csched_switch_sched() warn: potential spectre issue 'idle_vcpu' \
[w] [schedule] 126 xen/common/sched_credit.c:736 _csched_cpu_pick() warn: potential spectre \
issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_credit.c:943 csched_vcpu_acct() \
warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_credit.c:96 pcpu_schedule_unlock() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 124 xen/common/sched_credit.c:99 \
vcpu_schedule_unlock_irq() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] \
129 xen/common/sched_null.c:126 vcpu_check_affinity() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/sched_null.c:165 init_pdata() warn: \
potential spectre issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_null.c:171 \
null_init_pdata() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_null.c:193 null_deinit_pdata() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 127 xen/common/sched_null.c:277 pick_cpu() warn: potential \
spectre issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_null.c:343 vcpu_assign() \
warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_null.c:365 vcpu_deassign() warn: potential spectre issue '__per_cpu_offset' \
[w] [schedule] 129 xen/common/sched_null.c:387 null_switch_sched() warn: potential spectre \
issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_null.c:393 null_switch_sched() \
warn: potential spectre issue 'idle_vcpu' [w] [schedule] 126 xen/common/sched_null.c:544 \
null_vcpu_wake() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 123 \
xen/common/sched_null.c:571 null_vcpu_sleep() warn: potential spectre issue '__per_cpu_offset' \
[w] [schedule] 129 xen/common/sched_null.c:635 null_vcpu_migrate() warn: potential spectre \
issue '__per_cpu_offset' [w] (local cap) [schedule] 124 xen/common/sched_null.c:93 \
vcpu_schedule_lock() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 123 \
xen/common/sched_rt.c:1153 rt_vcpu_sleep() warn: potential spectre issue '__per_cpu_offset' [w] \
[schedule] 117 xen/common/sched_rt.c:1208 runq_tickle() warn: potential spectre issue \
'__per_cpu_offset' [w] (local cap) [schedule] 126 xen/common/sched_rt.c:1269 rt_vcpu_wake() \
warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 xen/common/sched_rt.c:362 \
rt_dump_pcpu() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/sched_rt.c:748 rt_switch_sched() warn: potential spectre issue '__per_cpu_offset' \
[w] [schedule] 129 xen/common/sched_rt.c:764 rt_switch_sched() warn: potential spectre issue \
'idle_vcpu' [w] [schedule] 126 xen/common/sched_rt.c:95 vcpu_schedule_lock_irq() warn: \
potential spectre issue '__per_cpu_offset' [w] [schedule] 126 xen/common/schedule.c:105 \
vcpu_schedule_lock_irqsave() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] \
126 xen/common/schedule.c:108 vcpu_schedule_unlock_irqrestore() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 126 xen/common/schedule.c:117 vcpu_scheduler() warn: \
potential spectre issue '__per_cpu_offset' [w] [schedule] 129 xen/common/schedule.c:1629 \
cpu_schedule_up() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/schedule.c:1635 cpu_schedule_up() warn: potential spectre issue 'idle_vcpu' [r] \
[schedule] 125 xen/common/schedule.c:163 vcpu_urgent_count_update() warn: potential spectre \
issue '__per_cpu_offset' [w] [schedule] 129 xen/common/schedule.c:1685 cpu_schedule_down() \
warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/schedule.c:1689 cpu_schedule_down() warn: potential spectre issue 'idle_vcpu' [w] \
[schedule] 129 xen/common/schedule.c:1701 cpu_schedule_callback() warn: potential spectre \
issue '__per_cpu_offset' [w] [schedule] 129 xen/common/schedule.c:1838 schedule_cpu_switch() \
warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 126 \
xen/common/schedule.c:183 vcpu_runstate_change() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/schedule.c:1871 schedule_cpu_switch() warn: \
potential spectre issue 'idle_vcpu' [r] [schedule] 129 xen/common/schedule.c:216 \
get_cpu_idle_time() warn: potential spectre issue 'idle_vcpu' [r] [schedule] 129 \
xen/common/schedule.c:290 sched_init_vcpu() warn: potential spectre issue '__per_cpu_offset' \
[w] [schedule] 127 xen/common/schedule.c:414 sched_destroy_vcpu() warn: potential spectre \
issue '__per_cpu_offset' [w] [schedule] 124 xen/common/schedule.c:460 \
vcpu_sleep_nosync_locked() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] \
129 xen/common/schedule.c:555 vcpu_move_locked() warn: potential spectre issue \
'__per_cpu_offset' [w] (local cap) [schedule] 129 xen/common/schedule.c:586 \
vcpu_move_nosched() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 125 \
xen/common/schedule.c:672 vcpu_migrate_finish() warn: potential spectre issue \
'__per_cpu_offset' [w] [schedule] 129 xen/common/schedule.c:790 cpu_disable_scheduler() warn: \
potential spectre issue '__per_cpu_offset' [w] [schedule] 129 xen/common/schedule.c:94 \
pcpu_schedule_lock_irq() warn: potential spectre issue '__per_cpu_offset' [w] [schedule] 129 \
xen/common/schedule.c:98 pcpu_schedule_unlock_irq() warn: potential spectre issue \
'__per_cpu_offset' [w] [bound] 129 xen/common/softirq.c:100 cpu_raise_softirq() warn: \
potential spectre issue 'irq_stat' [w] [constant] 129 xen/common/softirq.c:70 open_softirq() \
warn: potential spectre issue 'softirq_handlers' [w] (local cap) [stop-machine] 129 \
xen/common/stop_machine.c:182 cpu_callback() warn: potential spectre issue '__per_cpu_offset' \
[w] [hard-to-trigger] 129 xen/common/symbols.c:170 symbols_get_symbol_type() warn: potential \
spectre issue 'symbols_names' [r] [hard-to-trigger] 1 xen/common/symbols.c:203 \
xensyms_read() warn: potential spectre issue 'symbols_addresses' [r] (local cap) \
[hard-to-trigger] 129 xen/common/symbols.c:48 symbols_expand_symbol() warn: potential spectre \
issue 'symbols_names' [r] [hard-to-trigger] 129 xen/common/symbols.c:88 get_symbol_offset() \
warn: potential spectre issue 'symbols_markers' [r] [bound] 129 xen/common/tasklet.c:227 \
[bound] 129 xen/common/timer.c:106 remove_from_heap() warn: potential spectre issue 'heap' \
[r] (local cap) [bound] 129 xen/common/timer.c:131 add_to_heap() warn: potential spectre \
issue 'heap' [w] [bound] 129 xen/common/timer.c:298 init_timer() warn: potential spectre \
issue '__per_cpu_offset' [w] [bound] 129 xen/common/timer.c:369 migrate_timer() warn: \
potential spectre issue '__per_cpu_offset' [w] (local cap) [hard-to-trigger] 129 \
xen/common/timer.c:565 migrate_timers_from_cpu() warn: potential spectre issue \
'__per_cpu_offset' [w] (local cap) [bound] 129 xen/common/timer.c:608 cpu_callback() warn: \
potential spectre issue '__per_cpu_offset' [w] [hard-to-trigger] 129 xen/common/timer.c:60 \
down_heap() warn: potential spectre issue 'heap' [r] [hard-to-trigger] 129 \
xen/common/timer.c:80 up_heap() warn: potential spectre issue 'heap' [r] [tmem] 129 \
xen/common/tmem.c:1431 do_tmem_destroy_pool() warn: potential spectre issue 'client->pools' [r] \
(local cap) [tmem] 129 xen/common/tmem.c:1709 tmemc_save_get_next_page() warn: potential \
spectre issue 'client->pools' [r] (local cap) [tmem] 129 xen/common/tmem.c:1811 \
tmemc_restore_put_page() warn: potential spectre issue 'client->pools' [r] (local cap) [tmem] \
129 xen/common/tmem.c:1829 tmemc_restore_flush_page() warn: potential spectre issue \
'client->pools' [r] (local cap) [tmem] 129 xen/common/tmem_xen.c:223 cpu_callback() warn: \
potential spectre issue '__per_cpu_offset' [w] [init] 125 xen/common/unlzma.c:306 \
peek_old_byte() warn: potential spectre issue 'wr->buffer' [r] (local cap) [init] 129 \
xen/common/unxz.c:184 dec_vli() warn: potential spectre issue 'in' [r] (local cap) [init] 129 \
xen/common/unxz.c:327 dict_get() warn: potential spectre issue 'dict->buf' [r] [init] 1 \
xen/common/unxz.c:362 dict_repeat() warn: potential spectre issue 'dict->buf' [r] [init] 123 \
xen/common/unxz.c:455 rc_read_init() warn: potential spectre issue 'b->in' [r] [init] 129 \
xen/common/unxz.c:46 xz_crc32() warn: potential spectre issue 'xz_crc32_table' [r] [init] 121 \
xen/common/unxz.c:482 rc_normalize() warn: potential spectre issue 'rc->in' [r] [init] 126 \
xen/common/unxz.c:603 dec_main() warn: potential spectre issue 'b->in' [r] (local cap) [init] \
129 xen/common/unxz.c:626 lzma_len() warn: potential spectre issue 'l->low' [r] [init] 129 \
xen/common/unxz.c:631 lzma_len() warn: potential spectre issue 'l->mid' [r] [init] 128 \
xen/common/unxz.c:660 lzma_match() warn: potential spectre issue 's->lzma.dist_slot' [r] [init] \
129 xen/common/unxz.c:694 lzma_rep_match() warn: potential spectre issue \
's->lzma.is_rep0_long[s->lzma.state]' [w] [init] 124 xen/common/unxz.c:970 xz_dec_lzma2_run() \
warn: potential spectre issue 'b->in' [r] [const] 129 xen/common/vm_event.c:51 \
vm_event_enable() warn: potential spectre issue 'd->arch.hvm_domain.params' [r] [printf] 128 \
xen/common/vsprintf.c:104 simple_strtoull() warn: potential spectre issue '_ctype' [w] (local \
cap) [hard-to-trigger] 129 xen/common/vsprintf.c:53 simple_strtoul() warn: potential spectre \
issue '_ctype' [w] (local cap) [hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:179 \
FIND_SUITABLE_BLOCK() warn: potential spectre issue 'p->sl_bitmap' [r] [hard-to-trigger] 129 \
xen/common/xmalloc_tlsf.c:185 FIND_SUITABLE_BLOCK() warn: potential spectre issue \
'p->matrix[*fl]' [r] [hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:206 EXTRACT_BLOCK_HDR() \
warn: potential spectre issue 'p->matrix[fl]' [w] [hard-to-trigger] 129 \
xen/common/xmalloc_tlsf.c:213 EXTRACT_BLOCK_HDR() warn: potential spectre issue 'p->sl_bitmap' \
[w] [hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:234 EXTRACT_BLOCK() warn: potential \
spectre issue 'p->matrix[fl]' [w] [hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:237 \
EXTRACT_BLOCK() warn: potential spectre issue 'p->sl_bitmap' [w] [hard-to-trigger] 129 \
xen/common/xmalloc_tlsf.c:250 INSERT_BLOCK() warn: potential spectre issue 'p->matrix[fl]' [r] \
[hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:254 INSERT_BLOCK() warn: potential spectre \
issue 'p->sl_bitmap' [w] [hard-to-trigger] 129 xen/crypto/rijndael.c:1018 rijndaelEncrypt() \
warn: potential spectre issue 'Te4' [r] [hard-to-trigger] 129 xen/crypto/rijndael.c:746 \
rijndaelKeySetupEnc() warn: potential spectre issue 'Te4' [r] [hard-to-trigger] 129 \
xen/crypto/rijndael.c:958 rijndaelEncrypt() warn: potential spectre issue 'Te0' [r] [init] \
129 xen/drivers/char/ns16550.c:1446 ns16550_init() warn: potential spectre issue 'ns16550_com' \
[r] (local cap) [init] 129 xen/drivers/char/serial.c:531 serial_irq() warn: potential spectre \
issue 'com' [r] (local cap) [arm] 1 xen/drivers/char/serial.c:540 serial_vuart_info() warn: \
potential spectre issue 'com' [r] (local cap) [init] 129 xen/drivers/char/serial.c:565 \
serial_register_uart() warn: potential spectre issue 'com' [w] [platform_op] 129 \
xen/drivers/cpufreq/cpufreq.c:137 cpufreq_limit_change() warn: potential spectre issue \
'__per_cpu_offset' [w] (local cap) [platform_op] 129 xen/drivers/cpufreq/cpufreq.c:141 \
cpufreq_limit_change() warn: potential spectre issue 'processor_pminfo' [r] (local cap) \
[platform_op] 129 xen/drivers/cpufreq/cpufreq.c:170 cpufreq_add_cpu() warn: potential spectre \
issue 'processor_pminfo' [r] (local cap) [platform_op] 129 xen/drivers/cpufreq/cpufreq.c:178 \
cpufreq_add_cpu() warn: potential spectre issue '__per_cpu_offset' [w] (local cap) [cpu-down] \
129 xen/drivers/cpufreq/cpufreq.c:328 cpufreq_del_cpu() warn: potential spectre issue \
'processor_pminfo' [r] (local cap) [cpu-down] 129 xen/drivers/cpufreq/cpufreq.c:333 \
cpufreq_del_cpu() warn: potential spectre issue '__per_cpu_offset' [w] (local cap) [cpu-up] \
129 xen/drivers/cpufreq/cpufreq_misc_governors.c:102 cpufreq_userspace_cpu_callback() warn: \
potential spectre issue '__per_cpu_offset' [w] [cpufreq] 126 \
xen/drivers/cpufreq/cpufreq_misc_governors.c:41 cpufreq_governor_userspace() warn: potential \
spectre issue '__per_cpu_offset' [w] [do_pm_op] 129 \
xen/drivers/cpufreq/cpufreq_misc_governors.c:71 write_userspace_scaling_setspeed() warn: \
potential spectre issue '__per_cpu_offset' [w] (local cap) [bound] 125 \
xen/drivers/cpufreq/cpufreq_ondemand.c:192 dbs_timer_init() warn: potential spectre issue \
'__per_cpu_offset' [w] [cpufreq] 126 xen/drivers/cpufreq/cpufreq_ondemand.c:224 \
cpufreq_governor_dbs() warn: potential spectre issue '__per_cpu_offset' [w] [cpu-up] 129 \
xen/drivers/cpufreq/utility.c:152 cpufreq_statistic_exit() warn: potential spectre issue \
'__per_cpu_offset' [w] [do_pm_op] 129 xen/drivers/cpufreq/utility.c:174 \
cpufreq_statistic_reset() warn: potential spectre issue 'processor_pminfo' [r] [do_pm_op] 129 \
xen/drivers/cpufreq/utility.c:176 cpufreq_statistic_reset() warn: potential spectre issue \
'__per_cpu_offset' [w] [pm] 129 xen/drivers/cpufreq/utility.c:380 cpufreq_driver_getavg() \
warn: potential spectre issue '__per_cpu_offset' [w] (local cap) [pm] 129 \
xen/drivers/cpufreq/utility.c:403 cpufreq_update_turbo() warn: potential spectre issue \
'__per_cpu_offset' [w] [pm] 129 xen/drivers/cpufreq/utility.c:430 cpufreq_get_turbo_status() \
warn: potential spectre issue '__per_cpu_offset' [w] [pm] 129 \
xen/drivers/cpufreq/utility.c:48 cpufreq_residency_update() warn: potential spectre issue \
'__per_cpu_offset' [w] [pm] 129 xen/drivers/cpufreq/utility.c:57 cpufreq_residency_update() \
warn: potential spectre issue 'pxpt->u.pt' [w] [bound] 129 xen/drivers/cpufreq/utility.c:66 \
cpufreq_statistic_update() warn: potential spectre issue 'processor_pminfo' [r] [bound] 129 \
xen/drivers/cpufreq/utility.c:68 cpufreq_statistic_update() warn: potential spectre issue \
'__per_cpu_offset' [w] [bound] 129 xen/drivers/cpufreq/utility.c:80 \
cpufreq_statistic_update() warn: potential spectre issue 'pxpt->u.pt' [w] [bound] 129 \
xen/drivers/cpufreq/utility.c:84 cpufreq_statistic_update() warn: potential spectre issue \
'pxpt->u.trans_pt + from * pmpt->perf.state_count' [w] [cpu-up] 129 \
xen/drivers/cpufreq/utility.c:93 cpufreq_statistic_init() warn: potential spectre issue \
'processor_pminfo' [r] [cpu-up] 129 xen/drivers/cpufreq/utility.c:95 cpufreq_statistic_init() \
warn: potential spectre issue '__per_cpu_offset' [w] [amd] 129 \
xen/drivers/passthrough/amd/iommu_acpi.c:136 reserve_unity_map_for_device() warn: potential \
spectre issue 'ivrs_mappings' [r] [amd] 129 xen/drivers/passthrough/amd/iommu_acpi.c:203 \
register_exclusion_range_for_device() warn: potential spectre issue 'ivrs_mappings' [r] [amd] \
129 xen/drivers/passthrough/amd/iommu_acpi.c:63 add_ivrs_mapping_entry() warn: potential \
spectre issue 'ivrs_mappings' [w] [amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:106 \
get_intremap_entry() warn: potential spectre issue 'get_ivrs_mappings(seg)' [r] [amd] 129 \
xen/drivers/passthrough/amd/iommu_intr.c:118 free_intremap_entry() warn: potential spectre \
issue 'get_ivrs_mappings(seg)' [w] [amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:367 \
amd_iommu_ioapic_update_ire() warn: potential spectre issue 'ioapic_sbdf[idx].pin_2_idx' [r] \
[amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:369 amd_iommu_ioapic_update_ire() warn: \
potential spectre issue '&new_rte' [w] [amd] 129 \
xen/drivers/passthrough/amd/iommu_intr.c:403 amd_iommu_read_ioapic_from_ire() warn: potential \
spectre issue 'ioapic_sbdf[idx].pin_2_idx' [r] [amd] 129 \
xen/drivers/passthrough/amd/iommu_intr.c:64 get_intremap_lock() warn: potential spectre issue \
'get_ivrs_mappings(seg)' [r] [amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:71 \
get_intremap_requestor_id() warn: potential spectre issue 'get_ivrs_mappings(seg)' [r] (local \
cap) [amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:76 alloc_intremap_entry() warn: \
potential spectre issue 'get_ivrs_mappings(seg)' [r] [amd] 129 \
xen/drivers/passthrough/amd/pci_amd_iommu.c:39 find_iommu_for_device() warn: potential spectre \
issue 'ivrs_mappings' [w] (local cap) [amd] 129 \
xen/drivers/passthrough/amd/pci_amd_iommu.c:78 get_dma_requestor_id() warn: potential spectre \
issue 'ivrs_mappings' [r] (local cap) [constant] 1 xen/drivers/passthrough/io.c:1025 \
hvm_dpci_eoi() warn: potential spectre issue 'hvm_irq_dpci->girq' [r] (local cap) [bound] 129 \
xen/drivers/passthrough/io.c:1087 cpu_callback() warn: potential spectre issue \
'__per_cpu_offset' [w] [dom0-vmx] 129 xen/drivers/passthrough/vtd/intremap.c:341 \
ioapic_rte_to_remap_entry() warn: potential spectre issue 'apic_pin_2_ir_idx[apic]' [r] \
[dom0-vmx] 129 xen/drivers/passthrough/vtd/intremap.c:385 ioapic_rte_to_remap_entry() warn: \
potential spectre issue 'mp_ioapics' [w] [dom0-vmx] 129 \
xen/drivers/passthrough/vtd/intremap.c:421 io_apic_read_remap_rte() warn: potential spectre \
issue 'mp_ioapics' [r] [dom0-vmx] 129 xen/drivers/passthrough/vtd/intremap.c:425 \
io_apic_read_remap_rte() warn: potential spectre issue 'apic_pin_2_ir_idx[apic]' [r] [dom0-vmx] \
129 xen/drivers/passthrough/vtd/intremap.c:446 io_apic_write_remap_rte() warn: potential \
spectre issue 'mp_ioapics' [r] [bound] 2 xen/drivers/passthrough/vtd/iommu.c:1345 \
domain_context_mapping_one() warn: potential spectre issue 'context_entries' [r] [dom0-vmx] \
2 xen/drivers/passthrough/vtd/iommu.c:1581 domain_context_unmap_one() warn: potential spectre \
issue 'context_entries' [r] [hard-to-trigger] 129 xen/drivers/passthrough/vtd/iommu.c:1797 \
intel_iommu_map_page() warn: potential spectre issue 'page' [r] [bound] 129 \
xen/drivers/passthrough/vtd/iommu.c:233 bus_to_context_maddr() warn: potential spectre issue \
'root_entries' [r] [hard-to-trigger] 129 xen/drivers/passthrough/vtd/iommu.c:855 \
iommu_get_fault_reason() warn: potential spectre issue 'intr_remap_fault_reasons' [r] \
[hard-to-trigger] 129 xen/drivers/passthrough/vtd/iommu.c:860 iommu_get_fault_reason() warn: \
potential spectre issue 'dma_remap_fault_reasons' [r] (local cap) [hard-to-trigger] 129 \
xen/drivers/passthrough/vtd/qinval.c:224 dev_invalidate_sync() warn: potential spectre issue \
'iommu->domid_map' [r] [iommu-verbose] 129 xen/drivers/passthrough/vtd/utils.c:115 \
print_vtd_entries() warn: potential spectre issue 'root_entry' [w] [iommu-verbose] 129 \
xen/drivers/passthrough/vtd/utils.c:132 print_vtd_entries() warn: potential spectre issue \
'ctxt_entry' [r] [iommu-verbose] 129 xen/drivers/passthrough/vtd/utils.c:160 \
print_vtd_entries() warn: potential spectre issue 'l' [r] [hard-to-trigger] 129 \
xen/drivers/vpci/msix.c:193 get_entry() warn: potential spectre issue 'msix->entries' [r] \
[tools] 129 xen/tools/kconfig/zconf.tab.c:1041 yy_reduce_print() warn: potential spectre \
issue 'yyr2' [r] [tools] 129 xen/tools/kconfig/zconf.tab.c:1043 yy_reduce_print() warn: \
potential spectre issue 'yyrline' [r] [tools] 129 xen/tools/kconfig/zconf.tab.c:1050 \
yy_reduce_print() warn: potential spectre issue 'yyprhs' [w] [tools] 129 \
xen/tools/kconfig/zconf.tab.c:133 conf_set_sym_val() warn: potential spectre issue 'sym->def' \
[w] [tools] 129 xen/tools/kconfig/zconf.tab.c:1683 yy_try_NUL_trans() warn: potential spectre \
issue 'yy_nxt' [r] [tools] 129 xen/tools/kconfig/zconf.tab.c:212 add_byte() warn: potential \
spectre issue '*lineptr' [w] [tools] 129 xen/tools/kconfig/zconf.tab.c:2135 \
zconf_scan_bytes() warn: potential spectre issue 'buf' [w] [tools] 129 \
xen/tools/kconfig/zconf.tab.c:308 conf_read_simple() warn: potential spectre issue 'sym->def' \
[w] [tools] 129 xen/tools/kconfig/zconf.tab.c:398 conf_read_simple() warn: potential spectre \
issue 'cs->def' [w] (local cap) [tools] 1 xen/tools/kconfig/zconf.tab.c:760 conf_write() \
warn: potential spectre issue 'dirname' [w] [tools] 129 xen/tools/kconfig/zconf.tab.c:847 \
append_string() warn: potential spectre issue 'text' [w] [tools] 129 \
xen/tools/kconfig/zconf.tab.c:854 alloc_string() warn: potential spectre issue 'text' [w] \
[tools] 129 xen/tools/kconfig/zconf.tab.c:88 kconf_id_hash() warn: potential spectre issue \
'str' [r] [tools] 129 xen/tools/kconfig/zconf.tab.c:986 yy_symbol_print() warn: potential \
spectre issue 'yytname' [w] (local cap) [tools] 129 xen/tools/symbols.c:415 learn_symbol() \
warn: potential spectre issue 'token_profit' [w] [tools] 129 xen/tools/symbols.c:424 \
forget_symbol() warn: potential spectre issue 'token_profit' [w]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic