* Xen Security Advisory 289 v3 - Cache-load gadgets exploitable with L1TF
@ 2019-01-21 17:32 Xen.org security team
0 siblings, 0 replies; only message in thread
From: Xen.org security team @ 2019-01-21 17:32 UTC (permalink / raw
To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team
[-- Attachment #1: Type: text/plain, Size: 8455 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory XSA-289
version 3
Cache-load gadgets exploitable with L1TF
UPDATES IN VERSION 3
====================
Rewrite text for technical accuracy. Previous references to Spectre v1
gadgets were not correct. In particular, the Xen Security Team is still
unaware of any Spectre v1 gadgets in Xen.
State that x86 PV guests cannot exploit the vulnerability.
Mention use of xen-hptool, and xl global affinity masks, as possible
mitigation approaches.
ISSUE DESCRIPTION
=================
Previously reported vulnerabilities CVE-2017-5753 / XSA-254 (Spectre V1)
and CVE-2018-3646 / XSA-273 (L1TF) can, when combined, be leveraged to
more easily gather leaked information.
A Spectre v1 gadget is a speculation sequence which starts with a
conditional branch, contains a memory load who's address is
attacker-influenced, and a second action dependent on the content of the
first memory load, which opens a sidechannel with the attacker.
These gadgets are rare in code, and so far, none have been discovered in
Xen. However, the first half of this gadget (i.e. to the first memory
load) is a very common sequence to find in compiled C, and forms an
arbitrary cache-load gadget.
An attacker can combine cache-load gadgets like this to bring data into
the cache on on hyperthread of a given CPU core, while L1TF is used on
another hyperthread to read the cached data.
A number of specific exploitable gadgets have been identified.
There are no new vulnerabilities. There is only new information about
existing vulnerabilities: specifically, confirmation that existing,
previously disclosed, vulnerabilities, can be exploited in specific
ways. (Previously, it was merely expected, and stated in XSA-254 and
XSA-273, that such the vulnerabilities would be exploitable.)
IMPACT
======
An attacker can potentially read arbitrary host RAM. This includes data
belonging to Xen, data belonging to other guests, and data belonging to
different security contexts within the same guest.
An attacker could be a guest kernel (which can manipulate the pagetables
directly), or could be guest userspace either directly (e.g. with
mprotect() or similar system call) or indirectly (by gaming the guest
kernel's paging subsystem).
See XSA-254 and XSA-273 for more general information about the
underlying vulnerabilities.
VULNERABLE SYSTEMS
==================
Systems running all versions of Xen are affected.
Only x86 processors are vulnerable. ARM processors are not known to be
affected.
Only systems with Symmetric Multi Threading (SMT, aka hyperthreading)
available and enabled are vulnerable.
Only Intel Core based processors (from at least Merom onwards) are
potentially affected. Other processor designs (Intel Atom/Knights
range), and other manufacturers (AMD) are not known to be affected.
Only x86 HVM or PVH guests can exploit the vulnerability. x86 PV guests
cannot exploit the vulnerability.
MITIGATION
==========
As discussed in XSA-273, disabling SMT / hyperthreading will avoid the
L1TF vulnerability. It will therefore prevent the use of the
exploitable code patterns discussed in this advisory. Disabling SMT
may be achieved via a BIOS option (preferred) or the "smt=0"
hypervisor command line option, or at runtime using `xen-hptool`, or by
using the xl global affinity masks.
CREDITS
=======
This issue was discovered by Norbert Manthey, Julian Stecklina, and
Pawel Wieczorkiewicz of the Xen Security Team at Amazon.
RESOLUTION
==========
These are hardware bugs, so technically speaking they cannot be
properly fixed in software.
See XSA-273 and XSA-254 for a fuller discussion of the general
situation, background, etc.
TECHNICAL DETAILS
=================
For the specific technical details of the now-known-explitable code
patterns, please see the attached patches.
These patches are intended by their authors to mitigate these
vulnerabilities. In some form they are likely to be included in
future Xen releases. We very much welcome this contribution to the
Xen community's response to Spectre/L1TF.
However:
* These patches have not been validated by the Xen Project
Security Team. Work is ongoing.
* We expect that there may be other exploitable code patterns and
gadgets, similar to but beyond those disclosed here.
* Should further such exploitable code patterns be discovered, we
will not necessarily issue a further advisory, or update this
advisory. Instead, we would usually recommend that any
improvements to reduce the exploitability be handled in public, in
accordance with the public status of the underlying vulnerabilities
XSA-273 and XSA-254.
* We therefore do not recommend responding to this advisory by
applying these patches. Instead, we recommend using hardware
without this bug, or failing that, disabling hyperthreading (SMT)
as discussed in XSA-273.
$ sha256sum xsa289*/*
fb58117afd3d69b2bc67001b759bcb8b27d5eddf14bb69596e01b5735a46fc83 xsa289/0000-Cover-Letter.txt
8051f6ac3f945d80368e745fff9568688a5f3ec3d34e88e1f965fe74853a60ac xsa289/0001-lfence-add-function-that-returns-int.patch
bc0a26533d56fff11081661546c0b0c0bf3b216dc18b72944dfeef36adb254d4 xsa289/0002-is_hvm-pv_domain-block-speculation.patch
ffb445c40064c65b167b5badbb73bf5e00689494a11269684a5e432c96bb5d74 xsa289/0003-is_control_domain-block-speculation.patch
2952ac3f46256a85670b18a3d100d2fc6429fa98bb07dd55abe7ee939f30cb3e xsa289/0004-x86-hvm-block-speculative-accesses.patch
c73ceacd649ebc4bc054e6e181283c1c58e3bed3e1d1309e5780e5efbd85461a xsa289/0005-nospec-introduce-method-for-static-arrays.patch
52af8d264e770055d1e3937de0e2ebca408f2a7ec6b8d4fd67270594e2fa17e7 xsa289/0006-x86-hvm-block-speculative-out-of-bound-accesses.patch
6beb965c15b36cc81ba756202f046e5757f6c69b0983abd98e51710b03c9851b xsa289/0007-xen-evtchn-block-speculative-out-of-bound-accesses.patch
e48aaee8cf62ee7fc5df9fd07e2b687e53a8e056001d4e6434525ac68346ee18 xsa289/0008-common-gant_table-block-speculative-out-of-bound-acc.patch
8f4fad87aff662901d848add571f5e3d0c08de444cc514391f6f4a133eff14b5 xsa289/0009-x86-hvm-emulate-block-speculative-out-of-bound-acces.patch
43e61e91318c44a56f954c058ce85616df46e5ca424fcad066e631c16add2956 xsa289/0010-x86-vioapic-block-speculative-out-of-bound-accesses.patch
394cdb4c7e15cc2cbaa383b724707a8a87f9e19f729561fd3cf02c3551003911 xsa289/0011-x86-hvm-hpet-block-speculative-out-of-bound-accesses.patch
54a3f85f887b9ce596b5908a62e3efff76c79502941b71fd520a4170299e21c0 xsa289/0012-common-memory-block-speculative-out-of-bound-accesse.patch
e87a89f333873a3b96318adfdd5fde8317b3a2062e7f330fc5398e0e5eade213 xsa289/0013-x86-CPUID-block-speculative-out-of-bound-accesses.patch
94957ed06308e9af120373be6807fd3b044de8a35b7088c10c78b496596664f2 xsa289/detect-spectre-candidates.sh
8569b7be345e01365ea4ecdd22ed00b21343d4234d83f5ce4bb11191c918354e xsa289/sorted-gadgets.txt
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlxGAjMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ7MUH/RUVelZ4yX8+2V/fpU02toqDnc0GhxNWepxpcOJ4
ma8U0i1nAwCyAFUAsn5K/pLn4dldyt8P+YdO9oDxasTuDTXo/Ussn/i5JkzpIaWX
dspy7lfOOduxEiqNLJ6VilAQs742sOUmQiVA6P+ZQUvMjaHtpT9qWBLaHD4C56TQ
UaHl14Iog6RbWIFikAme57iEyQ4QlCI9lEvGEYLF9FTyezsZZp+RFsszmDGa7hWo
UfHdKsxmC9RohRjM59nPjU7ZgUrTnbWkn4ShXLMZnDvj1MPtC9QxLXQgGIBST8ET
FrXMRRdg1fcUk6m0FMHhPx83gs/eWz5He+4qC/QZhfZDTfw=
=/mfS
-----END PGP SIGNATURE-----
[-- Attachment #2: xsa289/0000-Cover-Letter.txt --]
[-- Type: application/octet-stream, Size: 4098 bytes --]
Dear all,
We recently detected a security vulnerability that can potentially allow the
leaking of hypervisor data and guest and dom0 data. The vulnerability only
affects hypervisors that run with hyperthreading enabled. The vulnerability
combines two already known vulnerabilities:
1) Spectre V1 (CVE-2017-5753, XSA 254)
2) L1TF (CVE-2018-3620, CVE-2018-3646, XSA-273)
As both vulnerabilities already have XSAs assigned, and the fix for L1TF is to
disable hyperthreading, the Xen security team has asked that this issue “should
be handled in public. there will not be a new XSA for the combined issue.” To
allow operators of Xen with enabled hyperthreading to take action before we
disclose the patches, we decided to disclose this information on the XSA embargo
member list first. We will then disclose the patches publicly on 21st January,
2019. We do not guarantee that all potential defects are fixed with the patches.
We decided to prepare patches for origin/master of the Xen repository. Another
commit that has to be backported is provided below. Without this commit, there
might be more potential vulnerabilities. As you might be running another
version, we furthermore provide patches to the tool “smatch”[1] under GPLv2.
These patches allow you to perform a Spectre V1 analysis for Xen. This
way, you can analyze your version of Xen for potential
vulnerabilities, potentially allowing you to find more potential
candidates than were fixed in our first patch set. Note, the produced
list of potential vulnerabilities can be incomplete, and might contain
many false positives.
Best,
Norbert
Details of the vulnerability:
In the presence of the L1TF vulnerability, a guest can leak any data that is
brought into L1 cache. A guest with 2 hyperthreads on the same core can cause
the hypervisor to access memory in one core, while the other core executes guest
code the hypervisor cannot control.
There are several ways to speculatively bring data into the L1 cache. First,
speculation does not stop at privilege checks, so that the whole cache line of
data accessed close to a privilege check is brought into the cache, even if the
hypervisor currently serves unprivileged guests. These privilege checks include
the functions “is_hardware_domain”, “is_control_domain”, as well as Xen Security
Module (xsm) checks. Next, the trivial part of the Spectre V1 can be combined
with L1TF to leak even more data. The Spectre V1 attack required two parts: (1)
a load gadget, which loads potential secrets into the cache, and (2) a leak
gadget that makes the values of this secret available via a side channel. When
combining Spectre V1's load gadget (1) with L1TF's leak ability, any speculative
out-of-bound memory access becomes a potential vulnerability, especially, in
case the index for the out-of-bound operation is guest controlled.
This patch series addresses several of these issues, focusing on blocking
speculative out-of-bound accesses, as well as blocking loading hypervisor and
dom0 secrets into the L1 cache under speculation. We do not prevent out-of-bound
loads that might be caused by loops, because they can usually not be influenced
by the guest, and typically touch the same cache line that has been used in the
last valid loop iteration. Finally, the patches focus more on fixing potential
defects instead of maintaining high performance at all costs.
The issue has been reported by members of the Xen Security Team at Amazon:
Norbert Manthey, Julian Stecklina, and Pawel Wieczorkiewicz
What is provided in this package:
1) patches that fix potential SpectreV1+L1TF vulnerabilities
2) list of potential defects for Xen RELEASE-4.11.1
3) (non-public) patches for the smatch[1] tool,
as well as instructions to analyze Xen with this tool
Additionally to the provided patches, you have to backport the following commit,
because jump tables can also be used for speculative out-of-bound accesses:
2276da0db9b0f111e1a8f41dd707c6bd1dea9a7d
"retpoline: disable jump tables"
[1] smatch: https://repo.or.cz/w/smatch.git https://lwn.net/Articles/691882/
[-- Attachment #3: xsa289/0001-lfence-add-function-that-returns-int.patch --]
[-- Type: application/octet-stream, Size: 1505 bytes --]
From 640c407c1684bfe77526aebe60383a50e97024c5 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 01/13] lfence: add function that returns int
In case the CPU executes speculatively, checks of domain properties, such
as is_hardware_domain or is_hvm_domain might be skipped. A reason for this
skip is that these macros access the domain structure via a pointer, and
check a certain field.
To block speculation and wait until the field is actually evaluated, we
need to add an lfence instruction after the field inspection. As the
macros are typically used in if statements, the lfence has to come in a
compatible way. Hence, we add a function that wraps the lfence instruction
and returns true. To protect a certain evaluation in an if statement, we
now have to add this function to the if statement as well.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/include/asm-x86/system.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xen/include/asm-x86/system.h b/xen/include/asm-x86/system.h
--- a/xen/include/asm-x86/system.h
+++ b/xen/include/asm-x86/system.h
@@ -203,6 +203,8 @@ static always_inline unsigned long __xadd(
#define rmb() asm volatile ( "lfence" ::: "memory" )
#define wmb() asm volatile ( "sfence" ::: "memory" )
+static inline int bool_lfence(void) { rmb(); return 1; }
+
/*
* SMP barriers, for ordering of reads and writes between CPUs, most commonly
* used with shared memory.
--
2.7.4
[-- Attachment #4: xsa289/0002-is_hvm-pv_domain-block-speculation.patch --]
[-- Type: application/octet-stream, Size: 1490 bytes --]
From f2a099c06e1e5e4c8aa5516c338c4c0c70335ebb Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 02/13] is_hvm/pv_domain: block speculation
When checking for being an hvm domain, or PV domain, we have to make
sure that speculation cannot bypass that check, and eventually access
data that should not end up in cache for the current domain type.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/include/xen/sched.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -883,7 +883,8 @@ void watchdog_domain_destroy(struct domain *d);
static inline bool is_pv_domain(const struct domain *d)
{
- return IS_ENABLED(CONFIG_PV) ? d->guest_type == guest_type_pv : false;
+ bool res = IS_ENABLED(CONFIG_PV) ? d->guest_type == guest_type_pv : false;
+ return (res && bool_lfence()) || !bool_lfence();
}
static inline bool is_pv_vcpu(const struct vcpu *v)
@@ -914,7 +915,8 @@ static inline bool is_pv_64bit_vcpu(const struct vcpu *v)
#endif
static inline bool is_hvm_domain(const struct domain *d)
{
- return IS_ENABLED(CONFIG_HVM) ? d->guest_type == guest_type_hvm : false;
+ bool res = IS_ENABLED(CONFIG_HVM) ? d->guest_type == guest_type_hvm : false;
+ return (res && bool_lfence()) || !bool_lfence();
}
static inline bool is_hvm_vcpu(const struct vcpu *v)
--
2.7.4
[-- Attachment #5: xsa289/0003-is_control_domain-block-speculation.patch --]
[-- Type: application/octet-stream, Size: 1504 bytes --]
From 5ed135e3cc4c21a803f12b1463b57598037f4661 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 03/13] is_control_domain: block speculation
Under speculation, an is_control_domain check can be bypassed, because the
check depends on a memory load. Therefore, the CPU might speculatively
continue execution of e.g. a hypercall to pull data from memory into
the cache, which should only be accessible by dom0.
To prevent these accesses, we block speculation after the access by
adding an lfence instruction.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/include/xen/sched.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -874,10 +874,12 @@ void watchdog_domain_destroy(struct domain *d);
* (that is, this would not be suitable for a driver domain)
* - There is never a reason to deny the hardware domain access to this
*/
-#define is_hardware_domain(_d) ((_d) == hardware_domain)
+#define is_hardware_domain(_d) \
+ (((_d) == hardware_domain && bool_lfence()) || !bool_lfence())
/* This check is for functionality specific to a control domain */
-#define is_control_domain(_d) ((_d)->is_privileged)
+#define is_control_domain(_d) \
+ (((_d)->is_privileged && bool_lfence()) || !bool_lfence())
#define VM_ASSIST(d, t) (test_bit(VMASST_TYPE_ ## t, &(d)->vm_assist))
--
2.7.4
[-- Attachment #6: xsa289/0004-x86-hvm-block-speculative-accesses.patch --]
[-- Type: application/octet-stream, Size: 1427 bytes --]
From 69b9c85d10f0956fa2710afe7669a7587f44d5d4 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 04/13] x86/hvm: block speculative accesses
When interacting with the hvm interface and event channels, the guest can
specify a vcpu id. This ID is checked against the maximum number of CPUs,
however, this check can by bypassed speculatively. This change prevents
the potential speculative out-of-bound access.
This is part of the SpectreV1+L1TF mitigation patch series.
Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/hvm/hvm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -37,6 +37,7 @@
#include <xen/monitor.h>
#include <xen/warning.h>
#include <xen/vpci.h>
+#include <xen/nospec.h>
#include <asm/shadow.h>
#include <asm/hap.h>
#include <asm/current.h>
@@ -4032,7 +4033,8 @@ static int hvmop_set_evtchn_upcall_vector(
if ( op.vector < 0x10 )
return -EINVAL;
- if ( op.vcpu >= d->max_vcpus || (v = d->vcpu[op.vcpu]) == NULL )
+ if ( op.vcpu >= d->max_vcpus ||
+ (v = d->vcpu[array_index_nospec(op.vcpu, d->max_vcpus)]) == NULL )
return -ENOENT;
printk(XENLOG_G_INFO "%pv: upcall vector %02x\n", v, op.vector);
--
2.7.4
[-- Attachment #7: xsa289/0005-nospec-introduce-method-for-static-arrays.patch --]
[-- Type: application/octet-stream, Size: 1376 bytes --]
From 06a4c31f0eba474633cceda4172418fa112e1cea Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 05/13] nospec: introduce method for static
arrays
When blocking speculative out-of-bound accesses, we can classify arrays
into dynamic arrays and static arrays. Where the former are allocated
during run time, the size of the latter is known during compile time.
On static arrays, compiler might be able to block speculative accesses
in the future.
We introduce another macro that automatically uses the ARRAY_SIZE macro
to block speculative accesses. For arrays that are statically accessed,
this macro can be used instead of the usual macro.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/include/xen/nospec.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h
--- a/xen/include/xen/nospec.h
+++ b/xen/include/xen/nospec.h
@@ -58,6 +58,12 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
(typeof(_i)) (_i & _mask); \
})
+/*
+ * array_access_nospec - allow nospec access for static size arrays
+ */
+#define array_access_nospec(array, index) \
+ array[array_index_nospec(index, ARRAY_SIZE(array))]
+
#endif /* XEN_NOSPEC_H */
/*
--
2.7.4
[-- Attachment #8: xsa289/0006-x86-hvm-block-speculative-out-of-bound-accesses.patch --]
[-- Type: application/octet-stream, Size: 3719 bytes --]
From f6b5b961aefe6f163cacd27ae5f3b117e069dc0c Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 06/13] x86/hvm: block speculative out-of-bound
accesses
There are multiple arrays in the HVM interface that are accessed
with indices that are provided by the guest. To avoid out of bound
accesses, we use the array_index_nospec macro.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/hvm/hvm.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -2096,7 +2096,7 @@ int hvm_mov_from_cr(unsigned int cr, unsigned int gpr)
case 2:
case 3:
case 4:
- val = curr->arch.hvm.guest_cr[cr];
+ val = array_access_nospec(curr->arch.hvm.guest_cr, cr);
break;
case 8:
val = (vlapic_get_reg(vcpu_vlapic(curr), APIC_TASKPRI) & 0xf0) >> 4;
@@ -3446,13 +3446,15 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t *msr_content)
if ( !d->arch.cpuid->basic.mtrr )
goto gp_fault;
index = msr - MSR_MTRRfix16K_80000;
- *msr_content = fixed_range_base[index + 1];
+ *msr_content = fixed_range_base[array_index_nospec(index + 1,
+ NUM_FIXED_RANGES)];
break;
case MSR_MTRRfix4K_C0000...MSR_MTRRfix4K_F8000:
if ( !d->arch.cpuid->basic.mtrr )
goto gp_fault;
index = msr - MSR_MTRRfix4K_C0000;
- *msr_content = fixed_range_base[index + 3];
+ *msr_content = fixed_range_base[array_index_nospec(index + 3,
+ NUM_FIXED_RANGES)];
break;
case MSR_IA32_MTRR_PHYSBASE(0)...MSR_IA32_MTRR_PHYSMASK(MTRR_VCNT_MAX - 1):
if ( !d->arch.cpuid->basic.mtrr )
@@ -3461,7 +3463,8 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t *msr_content)
if ( (index / 2) >=
MASK_EXTR(v->arch.hvm.mtrr.mtrr_cap, MTRRcap_VCNT) )
goto gp_fault;
- *msr_content = var_range_base[index];
+ *msr_content = var_range_base[array_index_nospec(index,
+ NUM_FIXED_RANGES)];
break;
case MSR_IA32_XSS:
@@ -4156,7 +4159,8 @@ static int hvmop_set_param(
*/
if ( !paging_mode_hap(d) || !cpu_has_vmx )
{
- d->arch.hvm.params[a.index] = a.value;
+ d->arch.hvm.params[array_index_nospec(a.index,
+ HVM_NR_PARAMS)] = a.value;
break;
}
@@ -4171,7 +4175,8 @@ static int hvmop_set_param(
rc = 0;
domain_pause(d);
- d->arch.hvm.params[a.index] = a.value;
+ d->arch.hvm.params[array_index_nospec(a.index,
+ HVM_NR_PARAMS)] = a.value;
for_each_vcpu ( d, v )
paging_update_cr3(v, false);
domain_unpause(d);
@@ -4326,7 +4331,7 @@ static int hvmop_set_param(
if ( rc != 0 )
goto out;
- d->arch.hvm.params[a.index] = a.value;
+ d->arch.hvm.params[array_index_nospec(a.index, HVM_NR_PARAMS)] = a.value;
HVM_DBG_LOG(DBG_LEVEL_HCALL, "set param %u = %"PRIx64,
a.index, a.value);
@@ -4420,6 +4425,8 @@ static int hvmop_get_param(
break;
default:
a.value = d->arch.hvm.params[a.index];
+ a.value = d->arch.hvm.params[array_index_nospec(a.index,
+ HVM_NR_PARAMS)];
break;
}
--
2.7.4
[-- Attachment #9: xsa289/0007-xen-evtchn-block-speculative-out-of-bound-accesses.patch --]
[-- Type: application/octet-stream, Size: 9143 bytes --]
From a18d25e2fbb7f0f43d25e2c1132be299ff0161a5 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 07/13] xen/evtchn: block speculative
out-of-bound accesses
Guests can issue event channel interaction with guest specified data.
To avoid speculative out of bound accesses, we use the nospec macros.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/common/event_2l.c | 3 ++-
xen/common/event_channel.c | 48 +++++++++++++++++++++++++++-------------------
xen/common/event_fifo.c | 4 +++-
xen/include/xen/event.h | 5 +++--
4 files changed, 36 insertions(+), 24 deletions(-)
diff --git a/xen/common/event_2l.c b/xen/common/event_2l.c
--- a/xen/common/event_2l.c
+++ b/xen/common/event_2l.c
@@ -45,7 +45,8 @@ static void evtchn_2l_clear_pending(struct domain *d, struct evtchn *evtchn)
static void evtchn_2l_unmask(struct domain *d, struct evtchn *evtchn)
{
- struct vcpu *v = d->vcpu[evtchn->notify_vcpu_id];
+ struct vcpu *v = d->vcpu[array_index_nospec(evtchn->notify_vcpu_id,
+ d->max_vcpus)];
unsigned int port = evtchn->port;
/*
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -369,12 +369,12 @@ int evtchn_bind_virq(evtchn_bind_virq_t *bind, evtchn_port_t port)
return -EINVAL;
if ( (vcpu < 0) || (vcpu >= d->max_vcpus) ||
- ((v = d->vcpu[vcpu]) == NULL) )
+ ((v = d->vcpu[array_index_nospec(vcpu, d->max_vcpus)]) == NULL) )
return -ENOENT;
spin_lock(&d->event_lock);
- if ( v->virq_to_evtchn[virq] != 0 )
+ if ( array_access_nospec(v->virq_to_evtchn, virq) != 0 )
ERROR_EXIT(-EEXIST);
if ( port != 0 )
@@ -402,7 +402,7 @@ int evtchn_bind_virq(evtchn_bind_virq_t *bind, evtchn_port_t port)
spin_unlock(&chn->lock);
- v->virq_to_evtchn[virq] = bind->port = port;
+ array_access_nospec(v->virq_to_evtchn, virq) = bind->port = port;
out:
spin_unlock(&d->event_lock);
@@ -419,7 +419,7 @@ static long evtchn_bind_ipi(evtchn_bind_ipi_t *bind)
long rc = 0;
if ( (vcpu < 0) || (vcpu >= d->max_vcpus) ||
- (d->vcpu[vcpu] == NULL) )
+ (d->vcpu[array_index_nospec(vcpu, d->max_vcpus)] == NULL) )
return -ENOENT;
spin_lock(&d->event_lock);
@@ -576,7 +576,8 @@ int evtchn_close(struct domain *d1, int port1, bool guest)
pirq_guest_unbind(d1, pirq);
pirq->evtchn = 0;
pirq_cleanup_check(pirq, d1);
- unlink_pirq_port(chn1, d1->vcpu[chn1->notify_vcpu_id]);
+ unlink_pirq_port(chn1, d1->vcpu[array_index_nospec(chn1->notify_vcpu_id,
+ d1->max_vcpus)]);
#ifdef CONFIG_X86
if ( is_hvm_domain(d1) && domain_pirq_to_irq(d1, pirq->pirq) > 0 )
unmap_domain_pirq_emuirq(d1, pirq->pirq);
@@ -587,9 +588,9 @@ int evtchn_close(struct domain *d1, int port1, bool guest)
case ECS_VIRQ:
for_each_vcpu ( d1, v )
{
- if ( v->virq_to_evtchn[chn1->u.virq] != port1 )
+ if ( array_access_nospec(v->virq_to_evtchn, chn1->u.virq) != port1 )
continue;
- v->virq_to_evtchn[chn1->u.virq] = 0;
+ array_access_nospec(v->virq_to_evtchn, chn1->u.virq) = 0;
spin_barrier(&v->virq_lock);
}
break;
@@ -700,7 +701,9 @@ int evtchn_send(struct domain *ld, unsigned int lport)
rport = lchn->u.interdomain.remote_port;
rchn = evtchn_from_port(rd, rport);
if ( consumer_is_xen(rchn) )
- xen_notification_fn(rchn)(rd->vcpu[rchn->notify_vcpu_id], rport);
+ xen_notification_fn(rchn)
+ (rd->vcpu[array_index_nospec(rchn->notify_vcpu_id,
+ rd->max_vcpus)], rport);
else
evtchn_port_set_pending(rd, rchn->notify_vcpu_id, rchn);
break;
@@ -722,7 +725,7 @@ out:
int guest_enabled_event(struct vcpu *v, uint32_t virq)
{
- return ((v != NULL) && (v->virq_to_evtchn[virq] != 0));
+ return ((v != NULL) && (array_access_nospec(v->virq_to_evtchn, virq) != 0));
}
void send_guest_vcpu_virq(struct vcpu *v, uint32_t virq)
@@ -764,7 +767,7 @@ static void send_guest_global_virq(struct domain *d, uint32_t virq)
spin_lock_irqsave(&v->virq_lock, flags);
- port = v->virq_to_evtchn[virq];
+ port = array_access_nospec(v->virq_to_evtchn, virq);
if ( unlikely(port == 0) )
goto out;
@@ -804,7 +807,8 @@ void send_global_virq(uint32_t virq)
{
ASSERT(virq_is_global(virq));
- send_guest_global_virq(global_virq_handlers[virq] ?: hardware_domain, virq);
+ send_guest_global_virq(array_access_nospec(global_virq_handlers, virq) ?:
+ hardware_domain, virq);
}
int set_global_virq_handler(struct domain *d, uint32_t virq)
@@ -816,15 +820,15 @@ int set_global_virq_handler(struct domain *d, uint32_t virq)
if (!virq_is_global(virq))
return -EINVAL;
- if (global_virq_handlers[virq] == d)
+ if (array_access_nospec(global_virq_handlers, virq) == d)
return 0;
if (unlikely(!get_domain(d)))
return -EINVAL;
spin_lock(&global_virq_handlers_lock);
- old = global_virq_handlers[virq];
- global_virq_handlers[virq] = d;
+ old = array_access_nospec(global_virq_handlers, virq);
+ array_access_nospec(global_virq_handlers, virq) = d;
spin_unlock(&global_virq_handlers_lock);
if (old != NULL)
@@ -842,9 +846,9 @@ static void clear_global_virq_handlers(struct domain *d)
for (virq = 0; virq < NR_VIRQS; virq++)
{
- if (global_virq_handlers[virq] == d)
+ if (array_access_nospec(global_virq_handlers, virq) == d)
{
- global_virq_handlers[virq] = NULL;
+ array_access_nospec(global_virq_handlers, virq) = NULL;
put_count++;
}
}
@@ -931,7 +935,8 @@ long evtchn_bind_vcpu(unsigned int port, unsigned int vcpu_id)
struct evtchn *chn;
long rc = 0;
- if ( (vcpu_id >= d->max_vcpus) || (d->vcpu[vcpu_id] == NULL) )
+ if ( (vcpu_id >= d->max_vcpus) ||
+ (d->vcpu[array_index_nospec(vcpu_id, d->max_vcpus)] == NULL) )
return -ENOENT;
spin_lock(&d->event_lock);
@@ -966,11 +971,14 @@ long evtchn_bind_vcpu(unsigned int port, unsigned int vcpu_id)
case ECS_PIRQ:
if ( chn->notify_vcpu_id == vcpu_id )
break;
- unlink_pirq_port(chn, d->vcpu[chn->notify_vcpu_id]);
+ unlink_pirq_port(chn, d->vcpu[array_index_nospec(chn->notify_vcpu_id,
+ d->max_vcpus)]);
chn->notify_vcpu_id = vcpu_id;
pirq_set_affinity(d, chn->u.pirq.irq,
- cpumask_of(d->vcpu[vcpu_id]->processor));
- link_pirq_port(port, chn, d->vcpu[vcpu_id]);
+ cpumask_of(d->vcpu[array_index_nospec(vcpu_id,
+ d->max_vcpus)]->processor));
+ link_pirq_port(port, chn, d->vcpu[array_index_nospec(vcpu_id,
+ d->max_vcpus)]);
break;
default:
rc = -EINVAL;
diff --git a/xen/common/event_fifo.c b/xen/common/event_fifo.c
--- a/xen/common/event_fifo.c
+++ b/xen/common/event_fifo.c
@@ -30,8 +30,10 @@ static inline event_word_t *evtchn_fifo_word_from_port(const struct domain *d,
/*
* Callers aren't required to hold d->event_lock, so we need to synchronize
* with add_page_to_event_array().
+ *
+ * To block speculative out-of-bound accesses, use rmb.
*/
- smp_rmb();
+ rmb();
p = port / EVTCHN_FIFO_EVENT_WORDS_PER_PAGE;
w = port % EVTCHN_FIFO_EVENT_WORDS_PER_PAGE;
diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h
--- a/xen/include/xen/event.h
+++ b/xen/include/xen/event.h
@@ -13,6 +13,7 @@
#include <xen/smp.h>
#include <xen/softirq.h>
#include <xen/bitops.h>
+#include <xen/nospec.h>
#include <asm/event.h>
/*
@@ -96,7 +97,7 @@ void arch_evtchn_inject(struct vcpu *v);
* The first bucket is directly accessed via d->evtchn.
*/
#define group_from_port(d, p) \
- ((d)->evtchn_group[(p) / EVTCHNS_PER_GROUP])
+ (array_access_nospec((d)->evtchn_group, (p) / EVTCHNS_PER_GROUP))
#define bucket_from_port(d, p) \
((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET])
@@ -174,7 +175,7 @@ static inline void evtchn_port_set_pending(struct domain *d,
unsigned int vcpu_id,
struct evtchn *evtchn)
{
- d->evtchn_port_ops->set_pending(d->vcpu[vcpu_id], evtchn);
+ d->evtchn_port_ops->set_pending(d->vcpu[array_index_nospec(vcpu_id, d->max_vcpus)], evtchn);
}
static inline void evtchn_port_clear_pending(struct domain *d,
--
2.7.4
[-- Attachment #10: xsa289/0008-common-gant_table-block-speculative-out-of-bound-acc.patch --]
[-- Type: application/octet-stream, Size: 3561 bytes --]
From af440a75f0abd564c08534a5db1d4971059a89f4 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 08/13] common/gant_table: block speculative
out-of-bound accesses
Guests can issue grant table operations and provide guest controlled
data to them. This data is also used for memory loads. To avoid
speculative out of bound accesses, we use the array_index_nospec macro
where applicable. However, there are also memory accesses that cannot
be protected by a single array protection, or multiple accesses in a
row. To protect these, an lfence instruction is placed between the
actual range check and the access.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/common/grant_table.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -37,6 +37,7 @@
#include <xen/paging.h>
#include <xen/keyhandler.h>
#include <xen/vmap.h>
+#include <xen/nospec.h>
#include <xsm/xsm.h>
#include <asm/flushtlb.h>
@@ -963,6 +964,9 @@ map_grant_ref(
PIN_FAIL(unlock_out, GNTST_bad_gntref, "Bad ref %#x for d%d\n",
op->ref, rgt->domain->domain_id);
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
act = active_entry_acquire(rgt, op->ref);
shah = shared_entry_header(rgt, op->ref);
status = rgt->gt_version == 1 ? &shah->flags : &status_entry(rgt, op->ref);
@@ -1268,7 +1272,8 @@ unmap_common(
}
smp_rmb();
- map = &maptrack_entry(lgt, op->handle);
+ map = &maptrack_entry(lgt, array_index_nospec(op->handle,
+ lgt->maptrack_limit));
if ( unlikely(!read_atomic(&map->flags)) )
{
@@ -2026,6 +2031,9 @@ gnttab_prepare_for_transfer(
goto fail;
}
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
sha = shared_entry_header(rgt, ref);
scombo.word = *(u32 *)&sha->flags;
@@ -2239,6 +2247,9 @@ gnttab_transfer(
goto unlock_and_copyback;
}
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
page_list_add_tail(page, &e->page_list);
page_set_owner(page, e);
@@ -2408,6 +2419,9 @@ acquire_grant_for_copy(
PIN_FAIL(gt_unlock_out, GNTST_bad_gntref,
"Bad grant reference %#x\n", gref);
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
act = active_entry_acquire(rgt, gref);
shah = shared_entry_header(rgt, gref);
if ( rgt->gt_version == 1 )
@@ -2812,6 +2826,9 @@ static int gnttab_copy_buf(const struct gnttab_copy *op,
((op->dest.offset + op->len) > PAGE_SIZE) )
PIN_FAIL(out, GNTST_bad_copy_arg, "copy beyond page area\n");
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
if ( op->source.offset < src->ptr.offset ||
op->source.offset + op->len > src->ptr.offset + src->len )
PIN_FAIL(out, GNTST_general_error,
@@ -3215,6 +3232,9 @@ swap_grant_ref(grant_ref_t ref_a, grant_ref_t ref_b)
if ( ref_a == ref_b )
goto out;
+ /* Make sure the above check is not bypassed speculatively */
+ rmb();
+
act_a = active_entry_acquire(gt, ref_a);
if ( act_a->pin )
PIN_FAIL(out, GNTST_eagain, "ref a %#x busy\n", ref_a);
--
2.7.4
[-- Attachment #11: xsa289/0009-x86-hvm-emulate-block-speculative-out-of-bound-acces.patch --]
[-- Type: application/octet-stream, Size: 1887 bytes --]
From acad7d5166804ed3dbdf76a4ec9d07b0cd777bfc Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 09/13] x86/hvm/emulate: block speculative
out-of-bound accesses
During emulating instructions, the guest controls the content of the
CPU registers. As these values are used for array indexes, we have to
make sure that speculative out of bound accesses are blocked. This way,
we protect against loading secrets into L1 cache.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/hvm/emulate.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c
--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -15,6 +15,7 @@
#include <xen/paging.h>
#include <xen/trace.h>
#include <xen/vm_event.h>
+#include <xen/nospec.h>
#include <asm/event.h>
#include <asm/i387.h>
#include <asm/xstate.h>
@@ -2028,7 +2029,7 @@ static int hvmemul_read_cr(
case 2:
case 3:
case 4:
- *val = current->arch.hvm.guest_cr[reg];
+ *val = array_access_nospec(current->arch.hvm.guest_cr, reg);
HVMTRACE_LONG_2D(CR_READ, reg, TRC_PAR_LONG(*val));
return X86EMUL_OKAY;
default:
@@ -2653,8 +2654,9 @@ struct segment_register *hvmemul_get_seg_reg(
return ERR_PTR(-X86EMUL_UNHANDLEABLE);
if ( !__test_and_set_bit(idx, &hvmemul_ctxt->seg_reg_accessed) )
- hvm_get_segment_register(current, idx, &hvmemul_ctxt->seg_reg[idx]);
- return &hvmemul_ctxt->seg_reg[idx];
+ hvm_get_segment_register(current, idx,
+ &array_access_nospec(hvmemul_ctxt->seg_reg, idx));
+ return &array_access_nospec(hvmemul_ctxt->seg_reg, idx);
}
static const char *guest_x86_mode_to_str(int mode)
--
2.7.4
[-- Attachment #12: xsa289/0010-x86-vioapic-block-speculative-out-of-bound-accesses.patch --]
[-- Type: application/octet-stream, Size: 4122 bytes --]
From d861027dbc1e861fb27f1cea55ee08aa03279c01 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 10/13] x86/vioapic: block speculative
out-of-bound accesses
When interacting with io apic, a guest can specify values that are used
as index to structures, and whose values are not compared against
constants beforehand. Therefore, speculative out-of-bound accesses are
possible. This change prevents these accesses.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/hvm/vioapic.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/xen/arch/x86/hvm/vioapic.c b/xen/arch/x86/hvm/vioapic.c
--- a/xen/arch/x86/hvm/vioapic.c
+++ b/xen/arch/x86/hvm/vioapic.c
@@ -30,6 +30,7 @@
#include <xen/lib.h>
#include <xen/errno.h>
#include <xen/sched.h>
+#include <xen/nospec.h>
#include <public/hvm/ioreq.h>
#include <asm/hvm/io.h>
#include <asm/hvm/vpic.h>
@@ -117,7 +118,8 @@ static uint32_t vioapic_read_indirect(const struct hvm_vioapic *vioapic)
break;
}
- redir_content = vioapic->redirtbl[redir_index].bits;
+ redir_content = vioapic->redirtbl[array_index_nospec(redir_index,
+ vioapic->nr_pins)].bits;
result = (vioapic->ioregsel & 1) ? (redir_content >> 32)
: redir_content;
break;
@@ -216,7 +218,7 @@ static void vioapic_write_redirent(
spin_lock(&d->arch.hvm.irq_lock);
- pent = &vioapic->redirtbl[idx];
+ pent = &vioapic->redirtbl[array_index_nospec(idx, vioapic->nr_pins)];
ent = *pent;
if ( top_word )
@@ -258,7 +260,8 @@ static void vioapic_write_redirent(
pent->fields.remote_irr = 0;
else if ( !ent.fields.mask &&
!ent.fields.remote_irr &&
- hvm_irq->gsi_assert_count[idx] )
+ hvm_irq->gsi_assert_count[array_index_nospec(idx,
+ hvm_irq->nr_gsis)] )
{
pent->fields.remote_irr = 1;
vioapic_deliver(vioapic, idx);
@@ -378,15 +381,17 @@ static inline int pit_channel0_enabled(void)
static void vioapic_deliver(struct hvm_vioapic *vioapic, unsigned int pin)
{
- uint16_t dest = vioapic->redirtbl[pin].fields.dest_id;
- uint8_t dest_mode = vioapic->redirtbl[pin].fields.dest_mode;
- uint8_t delivery_mode = vioapic->redirtbl[pin].fields.delivery_mode;
- uint8_t vector = vioapic->redirtbl[pin].fields.vector;
- uint8_t trig_mode = vioapic->redirtbl[pin].fields.trig_mode;
+ unsigned int index_pin = array_index_nospec(pin, vioapic->nr_pins);
+
+ uint16_t dest = vioapic->redirtbl[index_pin].fields.dest_id;
+ uint8_t dest_mode = vioapic->redirtbl[index_pin].fields.dest_mode;
+ uint8_t delivery_mode = vioapic->redirtbl[index_pin].fields.delivery_mode;
+ uint8_t vector = vioapic->redirtbl[index_pin].fields.vector;
+ uint8_t trig_mode = vioapic->redirtbl[index_pin].fields.trig_mode;
struct domain *d = vioapic_domain(vioapic);
struct vlapic *target;
struct vcpu *v;
- unsigned int irq = vioapic->base_gsi + pin;
+ unsigned int irq = vioapic->base_gsi + index_pin;
ASSERT(spin_is_locked(&d->arch.hvm.irq_lock));
@@ -478,7 +483,7 @@ void vioapic_irq_positive_edge(struct domain *d, unsigned int irq)
ASSERT(pin < vioapic->nr_pins);
ASSERT(spin_is_locked(&d->arch.hvm.irq_lock));
- ent = &vioapic->redirtbl[pin];
+ ent = &vioapic->redirtbl[array_index_nospec(pin, vioapic->nr_pins)];
if ( ent->fields.mask )
return;
@@ -566,7 +571,8 @@ int vioapic_get_trigger_mode(const struct domain *d, unsigned int gsi)
if ( !vioapic )
return -EINVAL;
- return vioapic->redirtbl[pin].fields.trig_mode;
+ return vioapic->redirtbl[array_index_nospec(pin,
+ vioapic->nr_pins)].fields.trig_mode;
}
static int ioapic_save(struct vcpu *v, hvm_domain_context_t *h)
--
2.7.4
[-- Attachment #13: xsa289/0011-x86-hvm-hpet-block-speculative-out-of-bound-accesses.patch --]
[-- Type: application/octet-stream, Size: 3102 bytes --]
From 3bd85bcd904b57fa1898a99ff36dbad65706e84b Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 11/13] x86/hvm/hpet: block speculative
out-of-bound accesses
When interacting with hpet, read and write operations can be executed
during instruction emulation, where the guest controls the data that
is used. As it is hard to predict the number of instructions that are
executed speculatively, we prevent out-of-bound accesses by using the
array_index_nospec function for guest specified addresses that should
be used for hpet operations.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/hvm/hpet.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/xen/arch/x86/hvm/hpet.c b/xen/arch/x86/hvm/hpet.c
--- a/xen/arch/x86/hvm/hpet.c
+++ b/xen/arch/x86/hvm/hpet.c
@@ -25,6 +25,7 @@
#include <xen/sched.h>
#include <xen/event.h>
#include <xen/trace.h>
+#include <xen/nospec.h>
#define domain_vhpet(x) (&(x)->arch.hvm.pl_time->vhpet)
#define vcpu_vhpet(x) (domain_vhpet((x)->domain))
@@ -124,15 +125,18 @@ static inline uint64_t hpet_read64(HPETState *h, unsigned long addr,
case HPET_Tn_CFG(0):
case HPET_Tn_CFG(1):
case HPET_Tn_CFG(2):
- return h->hpet.timers[HPET_TN(CFG, addr)].config;
+ return h->hpet.timers[array_index_nospec(HPET_TN(CFG, addr),
+ HPET_TIMER_NUM)].config;
case HPET_Tn_CMP(0):
case HPET_Tn_CMP(1):
case HPET_Tn_CMP(2):
- return hpet_get_comparator(h, HPET_TN(CMP, addr), guest_time);
+ return hpet_get_comparator(h, array_index_nospec(HPET_TN(CMP, addr),
+ HPET_TIMER_NUM), guest_time);
case HPET_Tn_ROUTE(0):
case HPET_Tn_ROUTE(1):
case HPET_Tn_ROUTE(2):
- return h->hpet.timers[HPET_TN(ROUTE, addr)].fsb;
+ return h->hpet.timers[array_index_nospec(HPET_TN(ROUTE, addr),
+ HPET_TIMER_NUM)].fsb;
}
return 0;
@@ -438,7 +442,7 @@ static int hpet_write(
case HPET_Tn_CFG(0):
case HPET_Tn_CFG(1):
case HPET_Tn_CFG(2):
- tn = HPET_TN(CFG, addr);
+ tn = array_index_nospec(HPET_TN(CFG, addr), HPET_TIMER_NUM);
h->hpet.timers[tn].config =
hpet_fixup_reg(new_val, old_val,
@@ -480,7 +484,7 @@ static int hpet_write(
case HPET_Tn_CMP(0):
case HPET_Tn_CMP(1):
case HPET_Tn_CMP(2):
- tn = HPET_TN(CMP, addr);
+ tn = array_index_nospec(HPET_TN(CMP, addr), HPET_TIMER_NUM);
if ( timer_is_periodic(h, tn) &&
!(h->hpet.timers[tn].config & HPET_TN_SETVAL) )
{
@@ -523,7 +527,7 @@ static int hpet_write(
case HPET_Tn_ROUTE(0):
case HPET_Tn_ROUTE(1):
case HPET_Tn_ROUTE(2):
- tn = HPET_TN(ROUTE, addr);
+ tn = array_index_nospec(HPET_TN(ROUTE, addr), HPET_TIMER_NUM);
h->hpet.timers[tn].fsb = new_val;
break;
--
2.7.4
[-- Attachment #14: xsa289/0012-common-memory-block-speculative-out-of-bound-accesse.patch --]
[-- Type: application/octet-stream, Size: 1746 bytes --]
From 517e3f53d7cda71b3618b3ffab1b46b57ef903e2 Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 12/13] common/memory: block speculative
out-of-bound accesses
The get_page_from_gfn method returns a pointer to a page that belongs
to a gfn. Before returning the pointer, the gfn is checked for being
valid. Under speculation, these checks can be bypassed, so that
the function get_page is still executed partially. Consequently, the
function page_get_owner_and_reference might be executed partially as
well. In this function, the computed pointer is accessed, resulting in
a speculative out-of-bound address load.
To mitigate the root cause, the lfence instruction is added in the
function that actually checks whether the mfn is valid.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/common/pdx.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/xen/common/pdx.c b/xen/common/pdx.c
--- a/xen/common/pdx.c
+++ b/xen/common/pdx.c
@@ -33,10 +33,11 @@ unsigned long __read_mostly pdx_group_valid[BITS_TO_LONGS(
bool __mfn_valid(unsigned long mfn)
{
- return likely(mfn < max_page) &&
- likely(!(mfn & pfn_hole_mask)) &&
- likely(test_bit(pfn_to_pdx(mfn) / PDX_GROUP_COUNT,
- pdx_group_valid));
+ bool res = likely(mfn < max_page) &&
+ likely(!(mfn & pfn_hole_mask)) &&
+ likely(test_bit(pfn_to_pdx(mfn) / PDX_GROUP_COUNT,
+ pdx_group_valid));
+ return (res && bool_lfence()) || !bool_lfence();
}
/* Sets all bits from the most-significant 1-bit down to the LSB */
--
2.7.4
[-- Attachment #15: xsa289/0013-x86-CPUID-block-speculative-out-of-bound-accesses.patch --]
[-- Type: application/octet-stream, Size: 1500 bytes --]
From 2ef0c689a67fec0964dc50f0e83a67c60b70886c Mon Sep 17 00:00:00 2001
From: Norbert Manthey <nmanthey@amazon.de>
Subject: [PATCH SpectreV1+L1TF 13/13] x86/CPUID: block speculative
out-of-bound accesses
During instruction emulation, the cpuid instruction is emulated with
data that is controlled by the guest. As speculation might pass bound
checks, we have to ensure that no out-of-bound loads are possible.
This is part of the SpectreV1+L1TF mitigation patch series.
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
xen/arch/x86/cpuid.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c
--- a/xen/arch/x86/cpuid.c
+++ b/xen/arch/x86/cpuid.c
@@ -1,6 +1,7 @@
#include <xen/init.h>
#include <xen/lib.h>
#include <xen/sched.h>
+#include <xen/nospec.h>
#include <asm/cpuid.h>
#include <asm/hvm/hvm.h>
#include <asm/hvm/nestedhvm.h>
@@ -638,7 +639,7 @@ void guest_cpuid(const struct vcpu *v, uint32_t leaf,
ARRAY_SIZE(p->feat.raw) - 1) )
return;
- *res = p->feat.raw[subleaf];
+ *res = array_access_nospec(p->feat.raw, subleaf);
break;
case 0xb:
@@ -656,7 +657,7 @@ void guest_cpuid(const struct vcpu *v, uint32_t leaf,
break;
default:
- *res = p->basic.raw[leaf];
+ *res = array_access_nospec(p->basic.raw, leaf);
break;
}
break;
--
2.7.4
[-- Attachment #16: xsa289/detect-spectre-candidates.sh --]
[-- Type: application/octet-stream, Size: 3193 bytes --]
#!/bin/bash
# Copyright (C) 2018 Amazon.com, Inc. or its affiliates.
# Author: Norbert Manthey <nmanthey@amazon.de>
#
# This script show cases how smatch can be run for Xen.
# You want to run this on a big machine, as Xen will be recompiled many times
# This script writes a file last_smatch_spectre_warns.txt, which will contain
# the spectre v1 candidates of smatch.
#
# Keep this script in its directory, but call it from the Xen root directory!
# Number of smatch iterations (guest taint improves per iteration)
MAX_ITERATIONS=8
# In case something breaks, we want to stop
set -e -u
# Where is this script located
SCRIPT=$(readlink -e "$0")
SCRIPT_DIR=$(dirname "$SCRIPT")
# Make sure we're in the Xen directory and Xen builds
echo "Check whether Xen builds ..."
make xen -j $(nproc)
# Check whether smatch uses the correct commit, or delete current state
if [ -d smatch ]
then
pushd smatch &> /dev/null
if ! git show | grep -q "build_xen: add fixed db file"
then
echo "Smatch does not use the correct commit, wiping smatch directory."
popd &> /dev/null
rm -rf smatch
else
popd &> /dev/null
fi
fi
# Get the required tools
if [ ! -d smatch ]
then
echo "Make smatch tool available ..."
git clone git://repo.or.cz/smatch.git
pushd smatch &> /dev/null
# move to last known good state
git reset --hard 2a4b6b0db8f9dffe00f9867cdbadcdef6918c466
# apply patches for Xen (not public yet!)
PATCH_DIR="$SCRIPT_DIR/outgoing-upstream-xen/"
for patch in $(ls "$PATCH_DIR"/*.patch)
do
git am $patch
done
make smatch -j $(nproc)
popd &> /dev/null
fi
if [ ! -d one-line-scan ]
then
echo "Make one-line-scan tool available ..."
git clone https://github.com/awslabs/one-line-scan.git
fi
# Tell environment about tools, and check whether they work
export PATH=$PATH:$(pwd)/smatch:$(pwd)/one-line-scan
echo "Test availability of smatch and one-line-scan ..."
for tool in smatch one-line-scan
do
if ! command -v "$tool" &> /dev/null
then
echo "Cannot find tool $tool, abort"
exit 1
fi
done
# Initialize variables for analysis
START=$SECONDS # start timestampe to print timing
OLD=0 # number of defects found in last iteration
NEW=0 # number of defects found in current iteration
I=0 # current iteration
BUILD_STATUS=0 # status of the analysis job
# Repeat analysis at most $MAX_ITERATIONS times
echo "Start Xen analysis with smatch, use $MAX_ITERATIONS iterations"
while [ "$I" -lt $MAX_ITERATIONS ]
do
OLD=$NEW
I=$((I+1))
# Write a log per iteration
FULL_SPECTRE=1 ./smatch/smatch_scripts/build_xen_data.sh &> smatch-build-$I.log
BUILD_STATUS=$?
echo "build iteration $I with status $BUILD_STATUS"
[ "$BUILD_STATUS" -eq 0 ] || exit $BUILD_STATUS
# Keep results of last iteration around, in case the script is stopped early
grep spectre smatch_warns.txt | sort -u > last_smatch_spectre_warns.txt
# We are only interested in spectre issues for now
NEW=$(cat last_smatch_spectre_warns.txt | wc -l)
NOW=$SECONDS
echo "new amount of defects: $NEW (last: $OLD) at iter $I after $((NOW - START))"
# Check whether we found more defects
[ "$NEW" -ne "$OLD" ] || break
done |& tee full-smatch.log
exit $BUILD_STATUS
[-- Attachment #17: xsa289/sorted-gadgets.txt --]
[-- Type: application/octet-stream, Size: 68537 bytes --]
[guest init] 128 xen/arch/x86/acpi/cpufreq/cpufreq.c:518 acpi_cpufreq_cpu_init() warn: potential spectre issue 'cpu_data' [r]
[guest init] 128 xen/arch/x86/acpi/cpufreq/cpufreq.c:525 acpi_cpufreq_cpu_init() warn: potential spectre issue 'cpufreq_drv_data' [w]
[guest init] 128 xen/arch/x86/acpi/cpufreq/cpufreq.c:527 acpi_cpufreq_cpu_init() warn: potential spectre issue 'processor_pminfo' [r]
[guest exit] 128 xen/arch/x86/acpi/cpufreq/cpufreq.c:627 acpi_cpufreq_cpu_exit() warn: potential spectre issue 'cpufreq_drv_data' [r]
[guest init] 128 xen/arch/x86/acpi/cpufreq/powernow.c:240 powernow_cpufreq_cpu_init() warn: potential spectre issue 'cpu_data' [r]
[guest init] 128 xen/arch/x86/acpi/cpufreq/powernow.c:246 powernow_cpufreq_cpu_init() warn: potential spectre issue 'cpufreq_drv_data' [w]
[guest init] 128 xen/arch/x86/acpi/cpufreq/powernow.c:248 powernow_cpufreq_cpu_init() warn: potential spectre issue 'processor_pminfo' [r]
[guest exit] 128 xen/arch/x86/acpi/cpufreq/powernow.c:339 powernow_cpufreq_cpu_exit() warn: potential spectre issue 'cpufreq_drv_data' [r]
[uint64_t operation] 129 xen/arch/x86/acpi/boot.c:295 constant_test_bit() warn: potential spectre issue 'addr' [r]
[guest init] 129 xen/arch/x86/acpi/cpu_idle.c:825 cpuidle_init_cpu() warn: potential spectre issue 'processor_powers' [r]
[only do_platform_op] 129 xen/arch/x86/acpi/lib.c:73 acpi_get_processor_id() warn: potential spectre issue 'x86_cpu_to_apicid' [r]
[only interactive] 129 xen/arch/x86/apic.c:1290 smp_send_state_dump() warn: potential spectre issue '__per_cpu_offset' [w]
[transitive fix] 129 xen/arch/x86/hvm/hpet.c:94 hpet_get_comparator() warn: potential spectre issue 'h->hpet.comparator64' [r]
[transitive fix] 129 xen/arch/x86/hvm/hpet.c:98 hpet_get_comparator() warn: potential spectre issue 'h->hpet.period' [r]
[not contolled] 129 xen/arch/x86/irq.c:207 destroy_irq() warn: potential spectre issue 'irq_desc' [r]
[fixed CPUs] 129 xen/arch/x86/smpboot.c:1291 cpu_add() warn: potential spectre issue 'apicid_to_node' [w]
[fixed CPUs] 129 xen/arch/x86/smpboot.c:1321 __cpu_up() warn: potential spectre issue 'x86_cpu_to_apicid' [r]
[guest boot] 129 xen/arch/x86/smpboot.c:246 set_cpu_sibling_map() warn: potential spectre issue 'cpu_data' [w]
[guest boot] 129 xen/arch/x86/smpboot.c:247 set_cpu_sibling_map() warn: potential spectre issue '__per_cpu_offset' [w]
[guest boot] 129 xen/arch/x86/smpboot.c:558 do_boot_cpu() warn: potential spectre issue 'stack_base' [r]
[guest boot] 129 xen/arch/x86/smpboot.c:640 alloc_stub_page() warn: potential spectre issue 'cpu_to_node' [r]
[guest boot] 129 xen/arch/x86/smpboot.c:800 setup_cpu_root_pgt() warn: potential spectre issue '__per_cpu_offset' [w]
[guest boot] 129 xen/arch/x86/smpboot.c:827 setup_cpu_root_pgt() warn: potential spectre issue 'stack_base' [r]
[guest boot] 129 xen/arch/x86/smpboot.c:830 setup_cpu_root_pgt() warn: potential spectre issue 'idt_tables' [r]
[guest boot] 129 xen/arch/x86/smpboot.c:909 cpu_smpboot_free() warn: potential spectre issue 'cpu_data' [r]
[guest boot] 129 xen/arch/x86/smpboot.c:922 cpu_smpboot_free() warn: potential spectre issue 'c' [w]
[guest boot] 129 xen/arch/x86/smpboot.c:926 cpu_smpboot_free() warn: potential spectre issue '__per_cpu_offset' [w]
[guest boot] 129 xen/arch/x86/smpboot.c:92 initialize_cpu_data() warn: potential spectre issue 'cpu_data' [w]
[guest boot] 129 xen/arch/x86/smpboot.c:960 cpu_smpboot_free() warn: potential spectre issue 'idt_tables' [w]
[guest boot] 129 xen/arch/x86/smpboot.c:964 cpu_smpboot_free() warn: potential spectre issue 'stack_base' [w]
[guest boot] 129 xen/arch/x86/smpboot.c:973 cpu_smpboot_alloc() warn: potential spectre issue 'cpu_to_node' [r]
[guest boot] 129 xen/arch/x86/smpboot.c:982 cpu_smpboot_alloc() warn: potential spectre issue 'stack_base' [w]
[guest boot] 129 xen/arch/x86/smpboot.c:988 cpu_smpboot_alloc() warn: potential spectre issue '__per_cpu_offset' [w]
[static cpus] 129 xen/common/cpupool.c:525 cpupool_cpu_add() warn: potential spectre issue '__per_cpu_offset' [w]
[guest boot] 129 xen/common/domain.c:131 alloc_vcpu() warn: potential spectre issue 'd->vcpu' [w] (local cap)
[loop bound] 129 xen/common/softirq.c:50 __do_softirq() warn: potential spectre issue 'softirq_handlers' [w]
[compare constant] 129 xen/drivers/acpi/hwregs.c:77 acpi_hw_get_bit_register_info() warn: potential spectre issue 'acpi_gbl_bit_register_info' [r] (local cap)
[constant or bound] 129 xen/arch/x86/cpu/vpmu.c:102 vlapic_get_reg() warn: potential spectre issue 'vlapic->regs->data' [r]
[domctl or bound] 129 xen/arch/x86/hvm/vioapic.c:547 vioapic_get_mask() warn: potential spectre issue 'vioapic->redirtbl' [r]
[compared against constant] 129 xen/arch/x86/acpi/cpu_idle.c:68 apic_mem_read() warn: potential spectre issue '(VMAP_VIRT_END - ((1) << 12)) - ((4) << 12)' [r]
[amd] [x2apic_enabled?, if yes, irrelevant] 129 xen/arch/x86/apic.c:58 apic_mem_write() warn: potential spectre issue '(VMAP_VIRT_END - ((1) << 12)) - ((4) << 12)' [w]
[fixed via lfence] 129 xen/common/grant_table.c:240 shared_entry_header() warn: potential spectre issue 't->shared_v1' [r]
[fixed via lfence] 129 xen/common/grant_table.c:242 shared_entry_header() warn: potential spectre issue 't->shared_v2' [r]
[fixed via lfence] 129 xen/common/grant_table.c:2438 acquire_grant_for_copy() warn: potential spectre issue 'rgt->shared_v2' [r]
[fixed via lfence] 129 xen/common/grant_table.c:2439 acquire_grant_for_copy() warn: potential spectre issue 'rgt->status' [r]
[fixed via lfence] 129 xen/common/grant_table.c:2563 acquire_grant_for_copy() warn: potential spectre issue 'rgt->shared_v1' [r]
[fixed via lfence] 129 xen/common/grant_table.c:3252 swap_grant_ref() warn: potential spectre issue 'gt->shared_v1' [r]
[fixed via lfence] 129 xen/common/grant_table.c:3261 swap_grant_ref() warn: potential spectre issue 'gt->shared_v2' [r]
[fixed via lfence] 129 xen/common/grant_table.c:3262 swap_grant_ref() warn: potential spectre issue 'gt->status' [r]
[fixed via lfence] 129 xen/common/grant_table.c:355 active_entry_acquire() warn: potential spectre issue 't->active' [r]
[hard to trigger] 129 xen/arch/x86/hvm/save.c:102 hvm_register_savevm() warn: potential spectre issue 'hvm_sr_handlers' [w] (local cap)
[hard to trigger] 129 xen/arch/x86/hvm/save.c:148 hvm_save_one() warn: potential spectre issue 'hvm_sr_handlers' [r] (local cap)
[hard to trigger] 129 xen/arch/x86/x86_64/mm.c:59 do_page_walk() warn: potential spectre issue 'l4t' [r]
[hard to trigger] 129 xen/arch/x86/x86_64/mm.c:65 do_page_walk() warn: potential spectre issue 'l3t' [r]
[hard to trigger] 129 xen/arch/x86/x86_64/mm.c:77 do_page_walk() warn: potential spectre issue 'l2t' [r]
[hard to trigger] 129 xen/arch/x86/x86_64/mm.c:89 do_page_walk() warn: potential spectre issue 'l1t' [r]
[hard to trigger] 1 xen/arch/x86/io_apic.c:290 __io_apic_eoi() warn: potential spectre issue 'mp_ioapics' [w]
[unused] 129 xen/arch/x86/acpi/cpufreq/cpufreq.c:280 get_measured_perf() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[unused] 129 xen/arch/x86/acpi/cpufreq/cpufreq.c:337 get_cur_freq_on_cpu() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[unused] 129 xen/arch/x86/acpi/cpufreq/cpufreq.c:63 check_est_cpu() warn: potential spectre issue 'cpu_data' [r]
[numeric-bound] 129 xen/arch/x86/acpi/cpu_idle.c:1112 get_cpu_id() warn: potential spectre issue 'x86_acpiid_to_apicid' [r]
[dom0] 129 xen/arch/x86/acpi/cpu_idle.c:1242 pmstat_get_cx_nr() warn: potential spectre issue 'processor_powers' [r]
[dom0] 129 xen/arch/x86/acpi/cpu_idle.c:1247 pmstat_get_cx_stat() warn: potential spectre issue 'processor_powers' [r]
[amd] 129 xen/arch/x86/cpu/amd.c:101 constant_clear_bit() warn: potential spectre issue 'addr' [w]
[amd] 129 xen/arch/x86/cpu/amd.c:60 constant_set_bit() warn: potential spectre issue 'addr' [w]
[constant+loop] 129 xen/arch/x86/cpuid.c:70 zero_leaves() warn: potential spectre issue 'l' [w]
[constant] 129 xen/arch/x86/cpuid.c:726 guest_cpuid() warn: potential spectre issue 'p->cache.raw' [r] (local cap)
[fixed] 129 xen/arch/x86/cpuid.c:735 guest_cpuid() warn: potential spectre issue 'p->feat.raw' [r]
[constant] 129 xen/arch/x86/cpuid.c:742 guest_cpuid() warn: potential spectre issue 'p->xstate.raw' [r] (local cap)
[fixed] 129 xen/arch/x86/cpuid.c:746 guest_cpuid() warn: potential spectre issue 'p->basic.raw' [r]
[constant] 129 xen/arch/x86/cpuid.c:937 guest_cpuid() warn: potential spectre issue 'raw_cpuid_policy.basic.raw' [r]
[mce] 129 xen/arch/x86/cpu/mcheck/mce.c:1004 x86_mc_get_cpu_info() warn: potential spectre issue 'x86_cpu_to_apicid' [r]
[mce] 129 xen/arch/x86/cpu/mcheck/mce.c:1005 x86_mc_get_cpu_info() warn: potential spectre issue 'cpu_data' [r]
[mce] 129 xen/arch/x86/cpu/mcheck/mce.c:610 show_mca_info() warn: potential spectre issue 'type_str' [w] (local cap)
[mce] 129 xen/arch/x86/cpu/mcheck/mce.c:690 cpu_bank_free() warn: potential spectre issue '__per_cpu_offset' [w]
[mce] 129 xen/arch/x86/cpu/mcheck/mce.c:702 cpu_bank_alloc() warn: potential spectre issue '__per_cpu_offset' [w]
[mce] 129 xen/arch/x86/cpu/mcheck/mce_intel.c:860 cpu_mcabank_free() warn: potential spectre issue '__per_cpu_offset' [w]
[mce] 129 xen/arch/x86/cpu/mcheck/mce_intel.c:875 cpu_mcabank_alloc() warn: potential spectre issue '__per_cpu_offset' [w]
[mce] 129 xen/arch/x86/cpu/mcheck/mce_intel.c:949 vmce_intel_wrmsr() warn: potential spectre issue 'v->arch.vmce.bank' [w] (local cap)
[mce] 129 xen/arch/x86/cpu/mcheck/mce_intel.c:962 vmce_intel_rdmsr() warn: potential spectre issue 'v->arch.vmce.bank' [r] (local cap)
[mce] 129 xen/arch/x86/cpu/mcheck/mctelem.c:219 mctelem_process_deferred() warn: potential spectre issue '__per_cpu_offset' [w]
[mce] 129 xen/arch/x86/cpu/mcheck/mctelem.c:277 mctelem_has_deferred() warn: potential spectre issue '__per_cpu_offset' [w]
[mce] 129 xen/arch/x86/cpu/mcheck/mctelem.c:284 mctelem_has_deferred_lmce() warn: potential spectre issue '__per_cpu_offset' [w]
[mce] 129 xen/arch/x86/cpu/mcheck/vmce.c:122 bank_mce_rdmsr() warn: potential spectre issue 'v->arch.vmce.bank' [r] (local cap)
[mce] 129 xen/arch/x86/cpu/mcheck/vmce.c:258 bank_mce_wrmsr() warn: potential spectre issue 'v->arch.vmce.bank' [w] (local cap)
[init] 129 xen/arch/x86/cpu/mtrr/generic.c:103 mtrr_attrib_to_str() warn: potential spectre issue 'strings' [r] (local cap)
[bound] 129 xen/arch/x86/cpu/mtrr/generic.c:493 generic_set_mtrr() warn: potential spectre issue 'mtrr_state.var_ranges' [r]
[constant] 129 xen/arch/x86/cpu/mtrr/main.c:78 mtrr_attrib_to_str() warn: potential spectre issue 'mtrr_strings' [r] (local cap)
[bound] 129 xen/arch/x86/cpu/mwait-idle.c:1162 mwait_idle_cpu_init() warn: potential spectre issue 'processor_powers' [r]
[bound] 129 xen/arch/x86/cpu/vpmu.c:845 cpu_callback() warn: potential spectre issue '__per_cpu_offset' [w]
[nested/pv] 129 xen/arch/x86/cpu/vpmu_intel.c:673 core2_vpmu_do_wrmsr() warn: potential spectre issue 'xen_pmu_cntr_pair' [w] (local cap)
[pv] 129 xen/arch/x86/debug.c:109 dbg_pv_va2mfn() warn: potential spectre issue 'l4t' [r]
[pv] 129 xen/arch/x86/debug.c:121 dbg_pv_va2mfn() warn: potential spectre issue 'l3t' [r]
[pv] 129 xen/arch/x86/debug.c:135 dbg_pv_va2mfn() warn: potential spectre issue 'l2t' [r]
[pv] 129 xen/arch/x86/debug.c:147 dbg_pv_va2mfn() warn: potential spectre issue 'l1t' [r]
[init] 129 xen/arch/x86/dmi_scan.c:439 dmi_save_ident() warn: potential spectre issue 'd' [r]
[init] 129 xen/arch/x86/dmi_scan.c:444 dmi_save_ident() warn: potential spectre issue 'dmi_ident' [w]
[init] 129 xen/arch/x86/dmi_scan.c:446 dmi_save_ident() warn: potential spectre issue 'dmi_ident' [w]
[init] 129 xen/arch/x86/dmi_scan.c:762 dmi_get_date() warn: potential spectre issue 'dmi_ident' [r] (local cap)
[bound] 129 xen/arch/x86/domain.c:49 tasklet_work_to_do() warn: potential spectre issue '__per_cpu_offset' [w]
[boot] 129 xen/arch/x86/efi/boot.c:1354 copy_mapping() warn: potential spectre issue 'efi_l4_pgtable' [r]
[boot] 129 xen/arch/x86/efi/boot.c:1366 copy_mapping() warn: potential spectre issue 'efi_l4_pgtable' [w]
[boot] 129 xen/arch/x86/efi/boot.c:1372 copy_mapping() warn: potential spectre issue 'l3dst' [w]
[boot] 129 xen/arch/x86/efi/boot.c:366 PrintErrMesg() warn: potential spectre issue 'ErrCodeToStr' [r] (local cap)
[boot] 129 xen/arch/x86/efi/boot.c:531 split_string() warn: potential spectre issue '_ctype' [w] (local cap)
[efi] 258 xen/arch/x86/efi/runtime.c:10 efi_update_l4_pgtable() warn: potential spectre issue 'efi_l4_pgtable' [w]
[cpu-up] 129 xen/arch/x86/genapic/x2apic.c:200 update_clusterinfo() warn: potential spectre issue '__per_cpu_offset' [w]
[bound] 129 xen/arch/x86/genapic/x2apic.c:38 x2apic_cluster() warn: potential spectre issue '__per_cpu_offset' [w]
[hard-to-trigger] 129 xen/arch/x86/genapic/x2apic.c:77 vector_allocation_cpumask_x2apic_cluster() warn: potential spectre issue '__per_cpu_offset' [w]
[bound] 129 xen/arch/x86/hpet.c:105 hpet_next_event() warn: potential spectre issue '((VMAP_VIRT_END - ((1) << 12)) - ((197) << 12))' [w]
[bound] 129 xen/arch/x86/hpet.c:446 hpet_get_channel() warn: potential spectre issue 'hpet_events' [r]
[bound] 129 xen/arch/x86/hpet.c:497 hpet_attach_channel() warn: potential spectre issue '__per_cpu_offset' [w]
[bound] 129 xen/arch/x86/hpet.c:516 hpet_detach_channel() warn: potential spectre issue '__per_cpu_offset' [w]
[constant] 129 xen/arch/x86/hvm/dm.c:48 _raw_copy_from_guest_buf_offset() warn: potential spectre issue 'args->buf' [r] (local cap)
[constant] 129 xen/arch/x86/hvm/emulate.c:1157 hvmemul_insn_fetch() warn: potential spectre issue 'hvmemul_ctxt->insn_buf' [w] (local cap)
[constant] 129 xen/arch/x86/hvm/emulate.c:1894 hvmemul_write_segment() warn: potential spectre issue 'hvmemul_ctxt->seg_reg' [w] (local cap)
[fixed] 129 xen/arch/x86/hvm/emulate.c:1938 hvmemul_read_cr() warn: potential spectre issue '((get_cpu_info().current_vcpu)).arch.hvm_vcpu.guest_cr' [r]
[fixed] 129 xen/arch/x86/hvm/emulate.c:2562 hvmemul_get_seg_reg() warn: potential spectre issue 'hvmemul_ctxt->seg_reg' [w] (local cap)
[bound] 129 xen/arch/x86/hvm/emulate.c:890 hvmemul_phys_mmio_access() warn: potential spectre issue 'buffer' [w] (local cap)
[bound] 129 xen/arch/x86/hvm/hpet.c:113 hpet_get_comparator() warn: potential spectre issue 'h->hpet.timers' [w]
[bound] 129 xen/arch/x86/hvm/hpet.c:217 hpet_stop_timer() warn: potential spectre issue 'h->pt' [w] (local cap)
[bound] 129 xen/arch/x86/hvm/hpet.c:267 hpet_set_timer() warn: potential spectre issue 'h->pt' [w] (local cap)
[bound] 129 xen/arch/x86/hvm/hpet.c:278 hpet_set_timer() warn: potential spectre issue 'h->hpet.timers' [r] (local cap)
[bound] 129 xen/arch/x86/hvm/hpet.c:289 hpet_set_timer() warn: potential spectre issue 'h->hpet.period' [r] (local cap)
[constant] 129 xen/arch/x86/hvm/hvm.c:108 vlapic_set_reg() warn: potential spectre issue 'vlapic->regs->data' [w]
[fixed] 129 xen/arch/x86/hvm/hvm.c:2125 hvm_mov_from_cr() warn: potential spectre issue 'curr->arch.hvm_vcpu.guest_cr' [r]
[constant] 129 xen/arch/x86/hvm/hvm.c:2182 hvm_update_cr() warn: potential spectre issue 'v->arch.hvm_vcpu.guest_cr' [w]
[fixed] 129 xen/arch/x86/hvm/hvm.c:3486 hvm_msr_read_intercept() warn: potential spectre issue 'fixed_range_base' [r]
[fixed] 129 xen/arch/x86/hvm/hvm.c:3498 hvm_msr_read_intercept() warn: potential spectre issue 'var_range_base' [r]
[constant] 129 xen/arch/x86/hvm/hvm.c:557 hvm_print_line() warn: potential spectre issue '_ctype' [w]
[nested] 129 xen/arch/x86/hvm/hvm.c:80 nestedhvm_set_cr() warn: potential spectre issue 'v->arch.hvm_vcpu.nvcpu.guest_cr' [w]
[bound] 129 xen/arch/x86/hvm/i8254.c:128 pit_set_gate() warn: potential spectre issue 'pit->hw.channels' [r]
[bound] 128 xen/arch/x86/hvm/i8254.c:146 pit_set_gate() warn: potential spectre issue 'pit->count_load_time' [w]
[bound] 129 xen/arch/x86/hvm/i8254.c:156 pit_get_gate() warn: potential spectre issue 'pit->hw.channels' [r]
[bound] 129 xen/arch/x86/hvm/i8254.c:169 pit_load_count() warn: potential spectre issue 'pit->hw.channels' [r]
[bound] 129 xen/arch/x86/hvm/i8254.c:178 pit_load_count() warn: potential spectre issue 'pit->count_load_time' [w]
[bound] 129 xen/arch/x86/hvm/i8254.c:212 pit_latch_count() warn: potential spectre issue 'pit->hw.channels' [r]
[bound] 129 xen/arch/x86/hvm/i8254.c:225 pit_latch_status() warn: potential spectre issue 'pit->hw.channels' [r]
[bound] 129 xen/arch/x86/hvm/i8254.c:63 pit_get_count() warn: potential spectre issue 'pit->hw.channels' [r]
[bound] 129 xen/arch/x86/hvm/i8254.c:68 pit_get_count() warn: potential spectre issue 'pit->count_load_time' [r]
[bound] 129 xen/arch/x86/hvm/i8254.c:92 pit_get_out() warn: potential spectre issue 'pit->hw.channels' [r]
[bound] 129 xen/arch/x86/hvm/i8254.c:99 pit_get_out() warn: potential spectre issue 'pit->count_load_time' [r]
[constant] 129 xen/arch/x86/hvm/ioreq.c:1056 hvm_map_io_range_to_ioreq_server() warn: potential spectre issue 's->range' [r]
[constant] 129 xen/arch/x86/hvm/ioreq.c:1113 hvm_unmap_io_range_from_ioreq_server() warn: potential spectre issue 's->range' [r]
[dm_op] 129 xen/arch/x86/hvm/ioreq.c:41 set_ioreq_server() warn: potential spectre issue 'd->arch.hvm_domain.ioreq_server.server' [w] (local cap)
[constant] 129 xen/arch/x86/hvm/ioreq.c:55 get_ioreq_server() warn: potential spectre issue 'd->arch.hvm_domain.ioreq_server.server' [r] (local cap)
[bound] 123 xen/arch/x86/hvm/ioreq.c:82 get_ioreq() warn: potential spectre issue 'p->vcpu_ioreq' [r]
[bound] 129 xen/arch/x86/hvm/irq.c:132 __hvm_pci_intx_deassert() warn: potential spectre issue 'hvm_irq->gsi_assert_count' [w] (local cap)
[bound] 129 xen/arch/x86/hvm/irq.c:170 hvm_gsi_assert() warn: potential spectre issue 'hvm_irq->gsi_assert_count' [w] (local cap)
[dom0] 129 xen/arch/x86/hvm/irq.c:187 hvm_gsi_deassert() warn: potential spectre issue 'hvm_irq->gsi_assert_count' [w] (local cap)
[constant] 129 xen/arch/x86/hvm/irq.c:321 hvm_set_pci_link_route() warn: potential spectre issue 'hvm_irq->pci_link.route' [r] (local cap)
[shadow] 129 xen/arch/x86/hvm/mtrr.c:142 pat_type_2_pte_flags() warn: potential spectre issue 'pat_entry_tbl' [r]
[bound] 129 xen/arch/x86/hvm/mtrr.c:213 get_mtrr_type() warn: potential spectre issue 'm->fixed_ranges' [r]
[shadow] 128 xen/arch/x86/hvm/mtrr.c:325 effective_mm_type() warn: potential spectre issue 'mm_type_tbl' [r]
[bound] 129 xen/arch/x86/hvm/mtrr.c:433 mtrr_fix_range_msr_set() warn: potential spectre issue 'fixed_range_base' [w]
[bound] 129 xen/arch/x86/hvm/mtrr.c:467 mtrr_var_range_msr_set() warn: potential spectre issue 'var_range_base' [w] (local cap)
[bound] 129 xen/arch/x86/hvm/stdvga.c:89 vram_getb() warn: potential spectre issue 'p' [r]
[bound] 129 xen/arch/x86/hvm/stdvga.c:96 vram_getl() warn: potential spectre issue 'p' [r]
[amd] 129 xen/arch/x86/hvm/svm/svm.c:1560 svm_cpu_dead() warn: potential spectre issue '__per_cpu_offset' [w]
[amd] 129 xen/arch/x86/hvm/svm/svm.c:1578 svm_cpu_up_prepare() warn: potential spectre issue '__per_cpu_offset' [w]
[amd] 129 xen/arch/x86/hvm/svm/svm.c:1580 svm_cpu_up_prepare() warn: potential spectre issue 'cpu_to_node' [r]
[amd] 129 xen/arch/x86/hvm/svm/svm.c:2037 svm_msr_read_intercept() warn: potential spectre issue 'v->arch.hvm_vcpu.u.svm.dr_mask' [r]
[amd] 129 xen/arch/x86/hvm/svm/svm.c:2237 svm_msr_write_intercept() warn: potential spectre issue 'v->arch.hvm_vcpu.u.svm.dr_mask' [w]
[amd] 129 xen/arch/x86/hvm/svm/svm.c:726 svm_get_segment_register() warn: potential spectre issue 'vmcb->sreg' [r]
[amd] 129 xen/arch/x86/hvm/svm/svm.c:800 svm_set_segment_register() warn: potential spectre issue 'vmcb->sreg' [w]
[fixed] 129 xen/arch/x86/hvm/vioapic.c:219 vioapic_write_redirent() warn: potential spectre issue 'vioapic->redirtbl' [r]
[fixed] 129 xen/arch/x86/hvm/vioapic.c:381 vioapic_deliver() warn: potential spectre issue 'vioapic->redirtbl' [r]
[fixed] 129 xen/arch/x86/hvm/vioapic.c:481 vioapic_irq_positive_edge() warn: potential spectre issue 'vioapic->redirtbl' [r] (local cap)
[bound] 129 xen/arch/x86/hvm/vioapic.c:558 vioapic_get_vector() warn: potential spectre issue 'vioapic->redirtbl' [r]
[fixed] 129 xen/arch/x86/hvm/vioapic.c:569 vioapic_get_trigger_mode() warn: potential spectre issue 'vioapic->redirtbl' [r]
[constant] 129 xen/arch/x86/hvm/vmsi.c:237 msixtbl_read() warn: potential spectre issue 'entry->gentries[nr_entry].msi_ad' [r]
[constant] 129 xen/arch/x86/hvm/vmsi.c:295 msixtbl_write() warn: potential spectre issue 'entry->gentries[nr_entry].msi_ad' [w]
[vmx] 129 xen/arch/x86/hvm/vmx/vmcs.c:592 vmx_cpu_up_prepare() warn: potential spectre issue '__per_cpu_offset' [w]
[vmx] 129 xen/arch/x86/hvm/vmx/vmcs.c:606 vmx_cpu_dead() warn: potential spectre issue '__per_cpu_offset' [w]
[vmx] 129 xen/arch/x86/hvm/vmx/vmx.c:1076 vmx_get_segment_register() warn: potential spectre issue 'v->arch.hvm_vcpu.u.vmx.vm86_saved_seg' [r] (local cap)
[vmx] 129 xen/arch/x86/hvm/vmx/vmx.c:1116 vmx_set_segment_register() warn: potential spectre issue 'v->arch.hvm_vcpu.u.vmx.vm86_saved_seg' [w] (local cap)
[vmx] 129 xen/arch/x86/hvm/vmx/vmx.c:139 pi_get_pir() warn: potential spec:tre issue 'pi_desc->pir' [r]
[vmx] 129 xen/arch/x86/hvm/vmx/vmx.c:206 vmx_pi_desc_fixup() warn: potential spectre issue '__per_cpu_offset' [w]
[vmx] 129 xen/arch/x86/hvm/vmx/vmx.c:97 vmx_pi_per_cpu_init() warn: potential spectre issue '__per_cpu_offset' [w]
[vmx] 129 xen/arch/x86/hvm/vmx/vvmx.c:2698 nvmx_set_cr_read_shadow() warn: potential spectre issue 'v->arch.hvm_vcpu.guest_cr' [w]
[vmx] 129 xen/arch/x86/hvm/vmx/vvmx.c:2704 nvmx_set_cr_read_shadow() warn: potential spectre issue 'v->arch.hvm_vcpu.nvcpu.guest_cr' [w]
[vmx] 129 xen/arch/x86/hvm/vmx/vvmx.c:43 nvmx_cpu_up_prepare() warn: potential spectre issue '__per_cpu_offset' [w]
[vmx] 129 xen/arch/x86/hvm/vmx/vvmx.c:56 nvmx_cpu_dead() warn: potential spectre issue '__per_cpu_offset' [w]
[constant] 129 xen/arch/x86/hvm/vpic.c:337 vpic_intercept_pic_io() warn: potential spectre issue '((get_cpu_info().current_vcpu)).domain.arch.hvm_domain.vpic' [r]
[constant] 129 xen/arch/x86/hvm/vpic.c:355 vpic_intercept_elcr_io() warn: potential spectre issue '((get_cpu_info().current_vcpu)).domain.arch.hvm_domain.vpic' [r]
[constant] 129 xen/arch/x86/hvm/vpic.c:450 vpic_irq_positive_edge() warn: potential spectre issue 'd->arch.hvm_domain.vpic' [r]
[constant] 129 xen/arch/x86/hvm/vpic.c:468 vpic_irq_negative_edge() warn: potential spectre issue 'd->arch.hvm_domain.vpic' [r]
[bound?] 129 xen/arch/x86/i8259.c:106 _disable_8259A_irq() warn: potential spectre issue '(null)' [w]
[init] 129 xen/arch/x86/i8259.c:331 make_8259A_irq() warn: potential spectre issue 'irq_desc' [w]
[dom0] 129 xen/arch/x86/io_apic.c:134 add_pin_to_irq() warn: potential spectre issue 'irq_2_pin' [w]
[boot-only?] 129 xen/arch/x86/io_apic.c:136 __io_apic_read() warn: potential spectre issue 'mp_ioapics' [w]
[boot-only?] 129 xen/arch/x86/io_apic.c:141 remove_pin_from_irq() warn: potential spectre issue 'irq_2_pin' [r]
[boot-only?] 129 xen/arch/x86/io_apic.c:149 __io_apic_write() warn: potential spectre issue 'mp_ioapics' [w]
[boot-only?] 129 xen/arch/x86/io_apic.c:1609 io_apic_level_ack_pending() warn: potential spectre issue 'irq_2_pin' [r]
[boot-only?] 129 xen/arch/x86/io_apic.c:167 set_native_irq_info() warn: potential spectre issue 'irq_desc' [w]
[boot-only?] 129 xen/arch/x86/io_apic.c:168 io_apic_modify() warn: potential spectre issue 'mp_ioapics' [w]
[boot-only?] 129 xen/arch/x86/io_apic.c:2200 io_apic_set_pci_routing() warn: potential spectre issue 'irq_desc' [r]
[bonud] 1 xen/arch/x86/io_apic.c:2358 ioapic_guest_write() warn: potential spectre issue 'irq_desc' [r] (local cap)
[boot-only?] 129 xen/arch/x86/io_apic.c:737 MPBIOS_polarity() warn: potential spectre issue 'mp_irqs' [r]
[boot-only?] 129 xen/arch/x86/io_apic.c:77 share_vector_maps() warn: potential spectre issue 'vector_map' [w]
[boot-only?] 129 xen/arch/x86/io_apic.c:811 MPBIOS_trigger() warn: potential spectre issue 'mp_irqs' [r]
[bound] 128 xen/arch/x86/io_apic.c:86 share_vector_maps() warn: potential spectre issue 'irq_desc' [r] (local cap)
[boot-only?] 129 xen/arch/x86/io_apic.c:896 pin_2_irq() warn: potential spectre issue 'mp_irqs' [r]
[boot-only?] 129 xen/arch/x86/io_apic.c:971 ioapic_register_intr() warn: potential spectre issue 'irq_desc' [w]
[__init] 129 xen/arch/x86/irq.c:1003 release_irq() warn: potential spectre issue 'irq_desc' [r]
[__init] 129 xen/arch/x86/irq.c:1027 setup_irq() warn: potential spectre issue 'irq_desc' [r]
[bound] 129 xen/arch/x86/irq.c:1153 __do_IRQ_guest() warn: potential spectre issue 'irq_desc' [r]
[__init] 129 xen/arch/x86/irq.c:119 __bind_irq_vector() warn: potential spectre issue 'irq_desc' [r]
[init] 1 xen/arch/x86/irq.c:182 create_irq() warn: potential spectre issue 'node_to_cpumask' [r] (local cap)
[bonud] 129 xen/arch/x86/irq.c:249 __clear_irq_vector() warn: potential spectre issue 'irq_desc' [r]
[hard-to-trigger] 129 xen/arch/x86/irq.c:317 irq_to_vector() warn: potential spectre issue 'irq_desc' [r] (local cap)
[hard-to-trigger] 129 xen/arch/x86/irq.c:409 irq_get_used_vector_mask() warn: potential spectre issue 'irq_desc' [r]
[microcode] 129 xen/arch/x86/microcode_amd.c:158 microcode_fits() warn: potential spectre issue '__per_cpu_offset' [w]
[microcode] 129 xen/arch/x86/microcode_amd.c:196 apply_microcode() warn: potential spectre issue '__per_cpu_offset' [w]
[microcode] 129 xen/arch/x86/microcode_amd.c:378 check_final_patch_levels() warn: potential spectre issue '__per_cpu_offset' [w]
[microcode] 129 xen/arch/x86/microcode_amd.c:398 cpu_request_microcode() warn: potential spectre issue '__per_cpu_offset' [w]
[microcode] 129 xen/arch/x86/microcode_amd.c:566 microcode_resume_match() warn: potential spectre issue '__per_cpu_offset' [w]
[microcode] 129 xen/arch/x86/microcode_amd.c:83 collect_cpu_info() warn: potential spectre issue 'cpu_data' [r]
[microcode] 129 xen/arch/x86/microcode.c:198 __microcode_fini_cpu() warn: potential spectre issue '__per_cpu_offset' [w]
[microcode] 129 xen/arch/x86/microcode.c:214 microcode_resume_cpu() warn: potential spectre issue '__per_cpu_offset' [w]
[microcode] 129 xen/arch/x86/microcode_intel.c:134 microcode_update_match() warn: potential spectre issue '__per_cpu_offset' [w]
[microcode] 129 xen/arch/x86/microcode_intel.c:237 get_matching_microcode() warn: potential spectre issue '__per_cpu_offset' [w]
[microcode] 129 xen/arch/x86/microcode_intel.c:94 collect_cpu_info() warn: potential spectre issue 'cpu_data' [r]
[bit-and] 77 xen/arch/x86/mm/guest_walk.c:136 guest_walk_tables_4_levels() warn: potential spectre issue 'l4p' [r]
[bit-and] 77 xen/arch/x86/mm/guest_walk.c:166 guest_walk_tables_4_levels() warn: potential spectre issue 'l3p' [r]
[vmx] 128 xen/arch/x86/mm/hap/nested_ept.c:174 nept_walk_tables() warn: potential spectre issue 'lxp' [r]
[constant] 129 xen/arch/x86/mm/mem_access.c:362 p2m_set_mem_access() warn: potential spectre issue 'd->arch.altp2m_p2m' [r] (local cap)
[constant] 129 xen/arch/x86/mm/mem_access.c:417 p2m_set_mem_access_multi() warn: potential spectre issue 'd->arch.altp2m_p2m' [r] (local cap)
[mem-sharing] 387 xen/arch/x86/mm/mem_sharing.c:407 mem_sharing_lookup() warn: potential spectre issue 'RDWR_MPT_VIRT_START' [w]
[hard to trigger] 129 xen/arch/x86/mm/p2m.c:739 p2m_remove_page() warn: potential spectre issue 'RDWR_MPT_VIRT_START' [w]
[bound] 129 xen/arch/x86/mm/p2m-ept.c:1304 memory_type_to_str() warn: potential spectre issue 'memory_types' [r] (local cap)
[bound] 129 xen/arch/x86/mm/p2m-ept.c:1377 p2m_init_altp2m_ept() warn: potential spectre issue 'd->arch.altp2m_p2m' [r]
[bound] 129 xen/arch/x86/mm/p2m-ept.c:1384 p2m_init_altp2m_ept() warn: potential spectre issue 'd->arch.altp2m_eptp' [w]
[hard-to-trigger] 129 xen/arch/x86/mm/p2m-ept.c:453 ept_invalidate_emt_range() warn: potential spectre issue 'table' [r]
[bound] 129 xen/arch/x86/mm/p2m-ept.c:523 resolve_misconfig() warn: potential spectre issue 'epte' [r]
[shadow] 129 xen/arch/x86/mm/shadow/common.c:147 hvm_get_seg_reg() warn: potential spectre issue 'sh_ctxt->seg_reg' [r] (local cap)
[shadow] 129 xen/arch/x86/mm/shadow/common.c:262 hvm_emulate_insn_fetch() warn: potential spectre issue 'sh_ctxt->insn_buf' [w]
[shadow] 129 xen/arch/x86/mm/shadow/common.c:337 shadow_size() warn: potential spectre issue 'sh_type_to_size' [r] (local cap)
[shadow] 129 xen/arch/x86/mm/shadow/multi.c:227 shadow_check_gwalk() warn: potential spectre issue 'l4p' [r]
[shadow] 128 xen/arch/x86/mm/shadow/multi.c:2289 validate_gl1e() warn: potential spectre issue 'snp' [w]
[shadow] 129 xen/arch/x86/mm/shadow/multi.c:229 shadow_check_gwalk() warn: potential spectre issue 'l3p' [r]
[shadow] 129 xen/arch/x86/mm/shadow/multi.c:236 shadow_check_gwalk() warn: potential spectre issue 'l2p' [r]
[shadow] 6 xen/arch/x86/mm/shadow/multi.c:2460 sh_map_and_validate() warn: potential spectre issue 'sl1p' [r]
[shadow] 129 xen/arch/x86/mm/shadow/multi.c:246 shadow_check_gwalk() warn: potential spectre issue 'l1p' [r]
[shadow] 129 xen/arch/x86/mm/shadow/multi.c:3568 sh_invlpg__guest_4() warn: potential spectre issue '(null)' [w]
[shadow] 129 xen/arch/x86/mm/shadow/multi.c:3911 sh_set_toplevel_shadow() warn: potential spectre issue 'v->arch.shadow_table' [r]
[shadow] 127 xen/arch/x86/mm/shadow/multi.c:731 _sh_propagate() warn: potential spectre issue 'fetch_type_names' [w] (local cap)
[shadow] 129 xen/arch/x86/mm/shadow/multi.c:792 vtlb_lookup() warn: potential spectre issue 'v->arch.paging.vtlb' [r]
[constant] 129 xen/arch/x86/msi.c:578 alloc_msi_entry() warn: potential spectre issue 'entry' [w]
[constant] 129 xen/arch/x86/msi.c:790 read_pci_mem_bar() warn: potential spectre issue 'pdev->vf_rlen' [r] (local cap)
[constant] 129 xen/arch/x86/msi.c:87 msix_get_fixmap() warn: potential spectre issue 'msix->table_refcnt' [w] (local cap)
[constant] 129 xen/arch/x86/msi.c:91 msix_get_fixmap() warn: potential spectre issue 'msix->table_idx' [w] (local cap)
[bound] 129 xen/arch/x86/nmi.c:427 cpu_nmi_callback() warn: potential spectre issue '__per_cpu_offset' [w]
[const-cpus] 129 xen/arch/x86/numa.c:174 setup_node_bootmem() warn: potential spectre issue 'node_data' [w]
[const-cpus] 129 xen/arch/x86/numa.c:285 numa_add_cpu() warn: potential spectre issue 'cpu_to_node' [w]
[const-cpus] 129 xen/arch/x86/numa.c:290 numa_set_node() warn: potential spectre issue 'cpu_to_node' [w]
[const-cpus] 2 xen/arch/x86/numa.c:87 populate_memnodemap() warn: potential spectre issue 'memnodemap' [w]
[const-cpus] 127 xen/arch/x86/numa.c:89 populate_memnodemap() warn: potential spectre issue 'memnodemap' [w]
[oprofile] 129 xen/arch/x86/oprofile/nmi_int.c:89 nmi_callback() warn: potential spectre issue 'cpu_msrs' [r]
[oprofile] 108 xen/arch/x86/oprofile/op_model_p4.c:493 pmc_setup_one_p4_counter() warn: potential spectre issue 'counter_config' [r]
[oprofile] 108 xen/arch/x86/oprofile/op_model_p4.c:513 pmc_setup_one_p4_counter() warn: potential spectre issue 'p4_counters' [w]
[oprofile] 129 xen/arch/x86/oprofile/op_model_ppro.c:264 ppro_load_msr() warn: potential spectre issue 'msrs' [r]
[oprofile] 129 xen/arch/x86/oprofile/op_model_ppro.c:279 ppro_save_msr() warn: potential spectre issue 'msrs' [w]
[hard-to-trigger] 129 xen/arch/x86/percpu.c:37 init_percpu_area() warn: potential spectre issue '__per_cpu_offset' [w]
[hard-to-trigger] 129 xen/arch/x86/percpu.c:60 free_percpu_area() warn: potential spectre issue '__per_cpu_offset' [w]
[constant] 129 xen/arch/x86/physdev.c:58 physdev_hvm_map_pirq() warn: potential spectre issue 'hvm_irq_dpci->girq' [r] (local cap)
[domctl] 129 xen/arch/x86/psr.c:1003 insert_val_into_array() warn: potential spectre issue 'feat_props' [r] (local cap)
[loop] 129 xen/arch/x86/psr.c:1072 compare_val() warn: potential spectre issue 'feat->cos_reg_val' [r]
[bound] 129 xen/arch/x86/psr.c:1090 find_cos() warn: potential spectre issue 'info->features' [r]
[bound] 129 xen/arch/x86/psr.c:1202 pick_avail_cos() warn: potential spectre issue 'info->features' [r]
[domctl] 128 xen/arch/x86/psr.c:1237 get_socket_cpu() warn: potential spectre issue 'socket_cpumask' [r] (local cap)
[domctl] 129 xen/arch/x86/psr.c:1348 psr_set_val() warn: potential spectre issue 'd->arch.psr_cos_ids' [w]
[bound] 129 xen/arch/x86/psr.c:1620 psr_cpu_fini() warn: potential spectre issue 'cpu_data' [r]
[constant] 129 xen/arch/x86/psr.c:372 cat_init_feature() warn: potential spectre issue 'info->features' [w] (local cap)
[arch_do_domctl] 129 xen/arch/x86/psr.c:868 psr_get_val() warn: potential spectre issue 'socket_info' [w]
[arch_do_domctl] 129 xen/arch/x86/psr.c:869 psr_get_val() warn: potential spectre issue 'd->arch.psr_cos_ids' [w]
[domctl] 129 xen/arch/x86/psr.c:999 insert_val_into_array() warn: potential spectre issue 'info->features' [r] (local cap)
[pv] 129 xen/arch/x86/pv/descriptor-tables.c:241 do_update_descriptor() warn: potential spectre issue 'gdt_pent' [w]
[pv] 129 xen/arch/x86/pv/dom0_build.c:38 dom0_update_physmap() warn: potential spectre issue 'vphysmap_s' [w]
[pv] 129 xen/arch/x86/pv/dom0_build.c:42 dom0_update_physmap() warn: potential spectre issue 'RDWR_COMPAT_MPT_VIRT_START' [w]
[pv] 129 xen/arch/x86/pv/emulate.c:27 gdt_ldt_desc_ptr() warn: potential spectre issue 'tbl' [r]
[pv] 129 xen/arch/x86/pv/emul-priv-op.c:1126 write_msr() warn: potential spectre issue 'curr->arch.pv_vcpu.dr_mask' [w]
[pv] 129 xen/arch/x86/pv/emul-priv-op.c:709 read_cr() warn: potential spectre issue 'curr->arch.pv_vcpu.ctrlreg' [r]
[pv] 129 xen/arch/x86/pv/emul-priv-op.c:927 read_msr() warn: potential spectre issue 'curr->arch.pv_vcpu.dr_mask' [r]
[pv] 129 xen/arch/x86/pv/mm.c:119 pv_map_ldt_shadow_page() warn: potential spectre issue '(curr->domain->arch.pv_domain.gdt_ldt_l1tab[(curr->vcpu_id >> (9 - GDT_LDT_VCPU_SHIFT))] + ((curr->vcpu_id << GDT_LDT_VCPU_SHIFT) & ((1 << 9) - 1))) + 16' [r]
[pv] 129 xen/arch/x86/pv/mm.c:18 guest_get_eff_l1e() warn: potential spectre issue 'LINEAR_PT_VIRT_START' [w]
[pv] 129 xen/arch/x86/pv/mm.c:45 map_guest_l1e() warn: potential spectre issue '((LINEAR_PT_VIRT_START) + ((LINEAR_PT_VIRT_START & (((1) << 48) - 1)) >> 12))' [w]
[pv] 128 xen/arch/x86/pv/traps.c:67 pv_inject_event() warn: potential spectre issue 'curr->arch.pv_vcpu.trap_ctxt' [r] (local cap)
[init] 129 xen/arch/x86/setup.c:221 initial_images_nrpages() warn: potential spectre issue 'node_data' [r]
[boot] 129 xen/arch/x86/setup.c:266 srat_detect_node() warn: potential spectre issue 'x86_cpu_to_apicid' [r]
[boot] 129 xen/arch/x86/smpboot.c:1004 cpu_smpboot_alloc() warn: potential spectre issue 'idt_tables' [w]
[boot] 129 xen/arch/x86/smpboot.c:100 smp_store_cpu_info() warn: potential spectre issue 'cpu_data' [w]
[bound] 129 xen/arch/x86/smpboot.c:1184 remove_siblinginfo() warn: potential spectre issue 'cpu_data' [w]
[bound] 129 xen/arch/x86/smpboot.c:1190 remove_siblinginfo() warn: potential spectre issue '__per_cpu_offset' [w]
[boot] 129 xen/arch/x86/smpboot.c:1261 cpu_add() warn: potential spectre issue 'x86_acpiid_to_apicid' [w]
[bound] 129 xen/arch/x86/smpboot.c:233 link_thread_siblings() warn: potential spectre issue '__per_cpu_offset' [w]
[boot] 1 xen/arch/x86/smpboot.c:279 set_cpu_sibling_map() warn: potential spectre issue 'c' [w] (local cap)
[bit-and] 129 xen/arch/x86/smpboot.c:722 clone_mapping() warn: potential spectre issue 'rpt' [w]
[shutdown] 129 xen/arch/x86/smpboot.c:841 cleanup_cpu_root_pgt() warn: potential spectre issue '__per_cpu_offset' [w]
[init] 129 xen/arch/x86/srat.c:140 cutoff_node() warn: potential spectre issue 'nodes' [r]
[bound] 129 xen/arch/x86/srat.c:47 node_found() warn: potential spectre issue 'pxm2node' [r]
[cpu_up] 1 xen/arch/x86/sysctl.c:64 cpu_up_helper() warn: potential spectre issue '__per_cpu_offset' [w]
[tboot] 129 xen/arch/x86/tboot.c:87 tboot_copy_memory() warn: potential spectre issue 'map_addr' [r]
[bit-and] 127 xen/arch/x86/traps.c:1241 __page_fault_type() warn: potential spectre issue 'l4t' [r]
[bit-and] 127 xen/arch/x86/traps.c:1250 __page_fault_type() warn: potential spectre issue 'l3t' [r]
[bit-and] 127 xen/arch/x86/traps.c:1261 __page_fault_type() warn: potential spectre issue 'l2t' [r]
[bit-and] 127 xen/arch/x86/traps.c:1272 __page_fault_type() warn: potential spectre issue 'l1t' [r]
[init] 129 xen/arch/x86/traps.c:1905 __set_intr_gate() warn: potential spectre issue 'idt_table' [w]
[constant] 129 xen/arch/x86/traps.c:2194 set_debugreg() warn: potential spectre issue 'v->arch.debugreg' [w]
[hard to trigger] 129 xen/arch/x86/traps.c:552 show_stack_overflow() warn: potential spectre issue 'stack_base' [w]
[bit-and] 129 xen/arch/x86/x86_64/mm.c:1213 handle_memadd_fault() warn: potential spectre issue 'pl2e' [r]
[bit-and] 129 xen/arch/x86/x86_64/traps.c:193 show_page_walk() warn: potential spectre issue 'l4t' [r]
[bit-and] 129 xen/arch/x86/x86_64/traps.c:205 show_page_walk() warn: potential spectre issue 'l3t' [r]
[bit-and] 129 xen/arch/x86/x86_64/traps.c:219 show_page_walk() warn: potential spectre issue 'l2t' [r]
[bit-and] 129 xen/arch/x86/x86_64/traps.c:233 show_page_walk() warn: potential spectre issue 'l1t' [r]
[constant] 129 xen/arch/x86/x86_emulate.c:105 x86emul_read_dr() warn: potential spectre issue 'curr->arch.debugreg' [r]
[hard-to-trigger] 129 xen/common/bitmap.c:52 clamp_last_byte() warn: potential spectre issue 'bp' [w]
[bound?] 129 xen/common/compat/domain.c:42 compat_vcpu_op() warn: potential spectre issue 'd->vcpu' [r] (local cap)
[loop] 129 xen/common/compat/memory.c:290 compat_memory_op() warn: potential spectre issue 'idxs' [w] (local cap)
[loop] 129 xen/common/compat/memory.c:291 compat_memory_op() warn: potential spectre issue 'gpfns' [w] (local cap)
[constant] 128 xen/common/domain.c:121 vcpu_info_reset() warn: potential spectre issue '(d->shared_info)->vcpu_info' [r] (local cap)
[bound] 129 xen/common/domain.c:1299 do_vcpu_op() warn: potential spectre issue 'd->vcpu' [r] (local cap)
[constant] 129 xen/common/event_channel.c:113 evtchn_from_port() warn: potential spectre issue 'd->evtchn' [r] (local cap)
[fixed] 129 xen/common/event_channel.c:114 evtchn_from_port() warn: potential spectre issue 'd->evtchn_group' [r]
[fixed] 129 xen/common/event_channel.c:173 evtchn_allocate_port() warn: potential spectre issue 'd->evtchn_group' [w]
[fixed] 129 xen/common/event_channel.c:177 evtchn_port_set_pending() warn: potential spectre issue 'd->vcpu' [w]
[fixed] 129 xen/common/event_channel.c:725 guest_enabled_event() warn: potential spectre issue 'v->virq_to_evtchn' [r]
[constant] 129 xen/common/event_channel.c:738 send_guest_vcpu_virq() warn: potential spectre issue 'v->virq_to_evtchn' [r]
[fixed] 129 xen/common/event_channel.c:767 send_guest_global_virq() warn: potential spectre issue 'v->virq_to_evtchn' [r]
[fixed] 129 xen/common/event_channel.c:807 send_global_virq() warn: potential spectre issue 'global_virq_handlers' [w]
[fixed] 129 xen/common/event_channel.c:826 set_global_virq_handler() warn: potential spectre issue 'global_virq_handlers' [r] (local cap)
[fixed] 129 xen/common/event_fifo.c:39 evtchn_fifo_word_from_port() warn: potential spectre issue 'd->evtchn_fifo.event_array' [r]
[bound] 129 xen/common/grant_table.c:2345 release_grant_for_copy() warn: potential spectre issue 'rgt->status' [r]
[dom0] 129 xen/common/grant_table.c:3903 gnttab_map_frame() warn: potential spectre issue 'gt->shared_raw' [r] (local cap)
[unlikely] 129 xen/common/grant_table.c:533 put_maptrack_handle() warn: potential spectre issue 't->maptrack' [w]
[bound] 129 xen/common/guestcopy.c:27 safe_copy_string_from_guest() warn: potential spectre issue 'tmp' [w] (local cap)
[init] 129 xen/common/gunzip.c:375 huft_build() warn: potential spectre issue 'c' [w]
[init] 129 xen/common/gunzip.c:433 huft_build() warn: potential spectre issue 'x' [w]
[init] 129 xen/common/gunzip.c:609 inflate_codes() warn: potential spectre issue 'mask_bits' [r]
[kexec] 129 xen/common/kexec.c:924 kexec_segments_add_segment() warn: potential spectre issue 'segments' [w]
[kexec] 1 xen/common/kexec.c:974 kexec_segments_from_ind_page() warn: potential spectre issue 'segments' [w]
[interactive] 129 xen/common/keyhandler.c:107 register_keyhandler() warn: potential spectre issue 'key_table' [w] (local cap)
[interactive] 129 xen/common/keyhandler.c:119 register_irq_keyhandler() warn: potential spectre issue 'key_table' [w] (local cap)
[interactive] 129 xen/common/keyhandler.c:87 handle_keypress() warn: potential spectre issue 'key_table' [r] (local cap)
[hard-to-trigger] 128 xen/common/libelf/libelf-dominfo.c:144 elf_xen_parse_note() warn: potential spectre issue 'note_desc' [w] (local cap)
[hard-to-trigger] 128 xen/common/libelf/libelf-dominfo.c:145 elf_xen_parse_note() warn: potential spectre issue 'parms->elf_notes' [w] (local cap)
[hard-to-trigger] 129 xen/common/libelf/libelf-dominfo.c:441 elf_xen_feature_set() warn: potential spectre issue 'addr' [w]
[hard-to-trigger] 129 xen/common/livepatch.c:1609 state2str() warn: potential spectre issue 'names' [r] (local cap)
[tmem] 129 xen/common/lzo.c:136 lzo1x_1_do_compress() warn: potential spectre issue 'dict' [r]
[bound] 129 xen/common/page_alloc.c:1785 avail_heap_pages() warn: potential spectre issue 'avail[i]' [r] (local cap)
[init] 129 xen/common/page_alloc.c:1888 find_non_smt() warn: potential spectre issue 'node_to_cpumask' [w]
[bound] 129 xen/common/page_alloc.c:549 init_node_heap() warn: potential spectre issue '_heap' [w]
[bound] 129 xen/common/page_alloc.c:550 init_node_heap() warn: potential spectre issue 'avail' [w]
[hard-t-trigger] 129 xen/common/page_alloc.c:715 page_list_add_scrub() warn: potential spectre issue '*_heap[node]' [w]
[constant] 129 xen/common/page_alloc.c:825 get_free_buddy() warn: potential spectre issue '*_heap[node]' [r]
[hard-to-trigger] 129 xen/common/radix-tree.c:96 radix_tree_maxindex() warn: potential spectre issue 'height_to_maxindex' [r]
[bound] 129 xen/common/rcupdate.c:441 rcu_pending() warn: potential spectre issue '__per_cpu_offset' [w]
[bound] 129 xen/common/rcupdate.c:452 rcu_needs_cpu() warn: potential spectre issue '__per_cpu_offset' [w]
[bound-callback] 129 xen/common/rcupdate.c:573 cpu_callback() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 117 xen/common/sched_credit2.c:1284 runq_insert() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit2.c:1371 tickle_score() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 117 xen/common/sched_credit2.c:1493 runq_tickle() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 123 xen/common/sched_credit2.c:2084 csched2_vcpu_sleep() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 126 xen/common/sched_credit2.c:2105 csched2_vcpu_wake() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 22 xen/common/sched_credit2.c:2231 csched2_cpu_pick() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit2.c:2570 balance_load() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit2.c:3269 runq_candidate() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit2.c:3349 runq_candidate() warn: potential spectre issue 'idle_vcpu' [r]
[schedule] 129 xen/common/sched_credit2.c:3659 dump_pcpu() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit2.c:3877 csched2_switch_sched() warn: potential spectre issue 'idle_vcpu' [w]
[schedule] 129 xen/common/sched_credit2.c:3887 csched2_switch_sched() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit2.c:575 csched2_pcpu() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit2.c:665 smt_idle_mask_set() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit2.c:677 smt_idle_mask_clear() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 124 xen/common/sched_credit2.c:710 get_fallback_cpu() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit2.c:840 same_node() warn: potential spectre issue 'cpu_to_node' [r]
[schedule] 129 xen/common/sched_credit2.c:845 same_socket() warn: potential spectre issue 'cpu_data' [r]
[schedule] 24 xen/common/sched_credit2.c:883 cpu_to_runqueue() warn: potential spectre issue 'cpu_data' [w]
[schedule] 129 xen/common/sched_credit2.c:92 pcpu_schedule_lock() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:104 pcpu_schedule_lock_irqsave() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:107 pcpu_schedule_unlock_irqrestore() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 123 xen/common/sched_credit.c:1099 csched_vcpu_sleep() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 126 xen/common/sched_credit.c:1121 csched_vcpu_wake() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:116 pcpu_schedule_trylock() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:1333 csched_runq_sort() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:1584 csched_tick() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:1610 csched_runq_steal() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:1687 csched_load_balance() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:1692 csched_load_balance() warn: potential spectre issue 'cpu_to_node' [r]
[schedule] 129 xen/common/sched_credit.c:2244 csched_tick_suspend() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:2255 csched_tick_resume() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:251 is_runq_idle() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:260 inc_nr_runnable() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:268 dec_nr_runnable() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:528 csched_deinit_pdata() warn: potential spectre issue 'cpu_to_node' [r]
[schedule] 129 xen/common/sched_credit.c:596 init_pdata() warn: potential spectre issue 'cpu_to_node' [w]
[schedule] 129 xen/common/sched_credit.c:608 init_pdata() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:618 csched_init_pdata() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:638 csched_switch_sched() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:644 csched_switch_sched() warn: potential spectre issue 'idle_vcpu' [w]
[schedule] 126 xen/common/sched_credit.c:736 _csched_cpu_pick() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:943 csched_vcpu_acct() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_credit.c:96 pcpu_schedule_unlock() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 124 xen/common/sched_credit.c:99 vcpu_schedule_unlock_irq() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_null.c:126 vcpu_check_affinity() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_null.c:165 init_pdata() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_null.c:171 null_init_pdata() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_null.c:193 null_deinit_pdata() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 127 xen/common/sched_null.c:277 pick_cpu() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_null.c:343 vcpu_assign() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_null.c:365 vcpu_deassign() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_null.c:387 null_switch_sched() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_null.c:393 null_switch_sched() warn: potential spectre issue 'idle_vcpu' [w]
[schedule] 126 xen/common/sched_null.c:544 null_vcpu_wake() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 123 xen/common/sched_null.c:571 null_vcpu_sleep() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_null.c:635 null_vcpu_migrate() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[schedule] 124 xen/common/sched_null.c:93 vcpu_schedule_lock() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 123 xen/common/sched_rt.c:1153 rt_vcpu_sleep() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 117 xen/common/sched_rt.c:1208 runq_tickle() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[schedule] 126 xen/common/sched_rt.c:1269 rt_vcpu_wake() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_rt.c:362 rt_dump_pcpu() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_rt.c:748 rt_switch_sched() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/sched_rt.c:764 rt_switch_sched() warn: potential spectre issue 'idle_vcpu' [w]
[schedule] 126 xen/common/sched_rt.c:95 vcpu_schedule_lock_irq() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 126 xen/common/schedule.c:105 vcpu_schedule_lock_irqsave() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 126 xen/common/schedule.c:108 vcpu_schedule_unlock_irqrestore() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 126 xen/common/schedule.c:117 vcpu_scheduler() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/schedule.c:1629 cpu_schedule_up() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/schedule.c:1635 cpu_schedule_up() warn: potential spectre issue 'idle_vcpu' [r]
[schedule] 125 xen/common/schedule.c:163 vcpu_urgent_count_update() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/schedule.c:1685 cpu_schedule_down() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/schedule.c:1689 cpu_schedule_down() warn: potential spectre issue 'idle_vcpu' [w]
[schedule] 129 xen/common/schedule.c:1701 cpu_schedule_callback() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/schedule.c:1838 schedule_cpu_switch() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 126 xen/common/schedule.c:183 vcpu_runstate_change() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/schedule.c:1871 schedule_cpu_switch() warn: potential spectre issue 'idle_vcpu' [r]
[schedule] 129 xen/common/schedule.c:216 get_cpu_idle_time() warn: potential spectre issue 'idle_vcpu' [r]
[schedule] 129 xen/common/schedule.c:290 sched_init_vcpu() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 127 xen/common/schedule.c:414 sched_destroy_vcpu() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 124 xen/common/schedule.c:460 vcpu_sleep_nosync_locked() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/schedule.c:555 vcpu_move_locked() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[schedule] 129 xen/common/schedule.c:586 vcpu_move_nosched() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 125 xen/common/schedule.c:672 vcpu_migrate_finish() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/schedule.c:790 cpu_disable_scheduler() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/schedule.c:94 pcpu_schedule_lock_irq() warn: potential spectre issue '__per_cpu_offset' [w]
[schedule] 129 xen/common/schedule.c:98 pcpu_schedule_unlock_irq() warn: potential spectre issue '__per_cpu_offset' [w]
[bound] 129 xen/common/softirq.c:100 cpu_raise_softirq() warn: potential spectre issue 'irq_stat' [w]
[constant] 129 xen/common/softirq.c:70 open_softirq() warn: potential spectre issue 'softirq_handlers' [w] (local cap)
[stop-machine] 129 xen/common/stop_machine.c:182 cpu_callback() warn: potential spectre issue '__per_cpu_offset' [w]
[hard-to-trigger] 129 xen/common/symbols.c:170 symbols_get_symbol_type() warn: potential spectre issue 'symbols_names' [r]
[hard-to-trigger] 1 xen/common/symbols.c:203 xensyms_read() warn: potential spectre issue 'symbols_addresses' [r] (local cap)
[hard-to-trigger] 129 xen/common/symbols.c:48 symbols_expand_symbol() warn: potential spectre issue 'symbols_names' [r]
[hard-to-trigger] 129 xen/common/symbols.c:88 get_symbol_offset() warn: potential spectre issue 'symbols_markers' [r]
[bound] 129 xen/common/tasklet.c:227 cpu_callback() warn: potential spectre issue '__per_cpu_offset' [w]
[bound] 128 xen/common/tasklet.c:39 tasklet_enqueue() warn: potential spectre issue '__per_cpu_offset' [w]
[bound] 129 xen/common/timer.c:106 remove_from_heap() warn: potential spectre issue 'heap' [r] (local cap)
[bound] 129 xen/common/timer.c:131 add_to_heap() warn: potential spectre issue 'heap' [w]
[bound] 129 xen/common/timer.c:298 init_timer() warn: potential spectre issue '__per_cpu_offset' [w]
[bound] 129 xen/common/timer.c:369 migrate_timer() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[hard-to-trigger] 129 xen/common/timer.c:565 migrate_timers_from_cpu() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[bound] 129 xen/common/timer.c:608 cpu_callback() warn: potential spectre issue '__per_cpu_offset' [w]
[hard-to-trigger] 129 xen/common/timer.c:60 down_heap() warn: potential spectre issue 'heap' [r]
[hard-to-trigger] 129 xen/common/timer.c:80 up_heap() warn: potential spectre issue 'heap' [r]
[tmem] 129 xen/common/tmem.c:1431 do_tmem_destroy_pool() warn: potential spectre issue 'client->pools' [r] (local cap)
[tmem] 129 xen/common/tmem.c:1709 tmemc_save_get_next_page() warn: potential spectre issue 'client->pools' [r] (local cap)
[tmem] 129 xen/common/tmem.c:1811 tmemc_restore_put_page() warn: potential spectre issue 'client->pools' [r] (local cap)
[tmem] 129 xen/common/tmem.c:1829 tmemc_restore_flush_page() warn: potential spectre issue 'client->pools' [r] (local cap)
[tmem] 129 xen/common/tmem_xen.c:223 cpu_callback() warn: potential spectre issue '__per_cpu_offset' [w]
[init] 125 xen/common/unlzma.c:306 peek_old_byte() warn: potential spectre issue 'wr->buffer' [r] (local cap)
[init] 129 xen/common/unxz.c:184 dec_vli() warn: potential spectre issue 'in' [r] (local cap)
[init] 129 xen/common/unxz.c:327 dict_get() warn: potential spectre issue 'dict->buf' [r]
[init] 1 xen/common/unxz.c:362 dict_repeat() warn: potential spectre issue 'dict->buf' [r]
[init] 123 xen/common/unxz.c:455 rc_read_init() warn: potential spectre issue 'b->in' [r]
[init] 129 xen/common/unxz.c:46 xz_crc32() warn: potential spectre issue 'xz_crc32_table' [r]
[init] 121 xen/common/unxz.c:482 rc_normalize() warn: potential spectre issue 'rc->in' [r]
[init] 126 xen/common/unxz.c:603 dec_main() warn: potential spectre issue 'b->in' [r] (local cap)
[init] 129 xen/common/unxz.c:626 lzma_len() warn: potential spectre issue 'l->low' [r]
[init] 129 xen/common/unxz.c:631 lzma_len() warn: potential spectre issue 'l->mid' [r]
[init] 128 xen/common/unxz.c:660 lzma_match() warn: potential spectre issue 's->lzma.dist_slot' [r]
[init] 129 xen/common/unxz.c:694 lzma_rep_match() warn: potential spectre issue 's->lzma.is_rep0_long[s->lzma.state]' [w]
[init] 124 xen/common/unxz.c:970 xz_dec_lzma2_run() warn: potential spectre issue 'b->in' [r]
[const] 129 xen/common/vm_event.c:51 vm_event_enable() warn: potential spectre issue 'd->arch.hvm_domain.params' [r]
[printf] 128 xen/common/vsprintf.c:104 simple_strtoull() warn: potential spectre issue '_ctype' [w] (local cap)
[hard-to-trigger] 129 xen/common/vsprintf.c:53 simple_strtoul() warn: potential spectre issue '_ctype' [w] (local cap)
[hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:179 FIND_SUITABLE_BLOCK() warn: potential spectre issue 'p->sl_bitmap' [r]
[hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:185 FIND_SUITABLE_BLOCK() warn: potential spectre issue 'p->matrix[*fl]' [r]
[hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:206 EXTRACT_BLOCK_HDR() warn: potential spectre issue 'p->matrix[fl]' [w]
[hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:213 EXTRACT_BLOCK_HDR() warn: potential spectre issue 'p->sl_bitmap' [w]
[hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:234 EXTRACT_BLOCK() warn: potential spectre issue 'p->matrix[fl]' [w]
[hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:237 EXTRACT_BLOCK() warn: potential spectre issue 'p->sl_bitmap' [w]
[hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:250 INSERT_BLOCK() warn: potential spectre issue 'p->matrix[fl]' [r]
[hard-to-trigger] 129 xen/common/xmalloc_tlsf.c:254 INSERT_BLOCK() warn: potential spectre issue 'p->sl_bitmap' [w]
[hard-to-trigger] 129 xen/crypto/rijndael.c:1018 rijndaelEncrypt() warn: potential spectre issue 'Te4' [r]
[hard-to-trigger] 129 xen/crypto/rijndael.c:746 rijndaelKeySetupEnc() warn: potential spectre issue 'Te4' [r]
[hard-to-trigger] 129 xen/crypto/rijndael.c:958 rijndaelEncrypt() warn: potential spectre issue 'Te0' [r]
[init] 129 xen/drivers/char/ns16550.c:1446 ns16550_init() warn: potential spectre issue 'ns16550_com' [r] (local cap)
[init] 129 xen/drivers/char/serial.c:531 serial_irq() warn: potential spectre issue 'com' [r] (local cap)
[arm] 1 xen/drivers/char/serial.c:540 serial_vuart_info() warn: potential spectre issue 'com' [r] (local cap)
[init] 129 xen/drivers/char/serial.c:565 serial_register_uart() warn: potential spectre issue 'com' [w]
[platform_op] 129 xen/drivers/cpufreq/cpufreq.c:137 cpufreq_limit_change() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[platform_op] 129 xen/drivers/cpufreq/cpufreq.c:141 cpufreq_limit_change() warn: potential spectre issue 'processor_pminfo' [r] (local cap)
[platform_op] 129 xen/drivers/cpufreq/cpufreq.c:170 cpufreq_add_cpu() warn: potential spectre issue 'processor_pminfo' [r] (local cap)
[platform_op] 129 xen/drivers/cpufreq/cpufreq.c:178 cpufreq_add_cpu() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[cpu-down] 129 xen/drivers/cpufreq/cpufreq.c:328 cpufreq_del_cpu() warn: potential spectre issue 'processor_pminfo' [r] (local cap)
[cpu-down] 129 xen/drivers/cpufreq/cpufreq.c:333 cpufreq_del_cpu() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[cpu-up] 129 xen/drivers/cpufreq/cpufreq_misc_governors.c:102 cpufreq_userspace_cpu_callback() warn: potential spectre issue '__per_cpu_offset' [w]
[cpufreq] 126 xen/drivers/cpufreq/cpufreq_misc_governors.c:41 cpufreq_governor_userspace() warn: potential spectre issue '__per_cpu_offset' [w]
[do_pm_op] 129 xen/drivers/cpufreq/cpufreq_misc_governors.c:71 write_userspace_scaling_setspeed() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[bound] 125 xen/drivers/cpufreq/cpufreq_ondemand.c:192 dbs_timer_init() warn: potential spectre issue '__per_cpu_offset' [w]
[cpufreq] 126 xen/drivers/cpufreq/cpufreq_ondemand.c:224 cpufreq_governor_dbs() warn: potential spectre issue '__per_cpu_offset' [w]
[cpu-up] 129 xen/drivers/cpufreq/utility.c:152 cpufreq_statistic_exit() warn: potential spectre issue '__per_cpu_offset' [w]
[do_pm_op] 129 xen/drivers/cpufreq/utility.c:174 cpufreq_statistic_reset() warn: potential spectre issue 'processor_pminfo' [r]
[do_pm_op] 129 xen/drivers/cpufreq/utility.c:176 cpufreq_statistic_reset() warn: potential spectre issue '__per_cpu_offset' [w]
[pm] 129 xen/drivers/cpufreq/utility.c:380 cpufreq_driver_getavg() warn: potential spectre issue '__per_cpu_offset' [w] (local cap)
[pm] 129 xen/drivers/cpufreq/utility.c:403 cpufreq_update_turbo() warn: potential spectre issue '__per_cpu_offset' [w]
[pm] 129 xen/drivers/cpufreq/utility.c:430 cpufreq_get_turbo_status() warn: potential spectre issue '__per_cpu_offset' [w]
[pm] 129 xen/drivers/cpufreq/utility.c:48 cpufreq_residency_update() warn: potential spectre issue '__per_cpu_offset' [w]
[pm] 129 xen/drivers/cpufreq/utility.c:57 cpufreq_residency_update() warn: potential spectre issue 'pxpt->u.pt' [w]
[bound] 129 xen/drivers/cpufreq/utility.c:66 cpufreq_statistic_update() warn: potential spectre issue 'processor_pminfo' [r]
[bound] 129 xen/drivers/cpufreq/utility.c:68 cpufreq_statistic_update() warn: potential spectre issue '__per_cpu_offset' [w]
[bound] 129 xen/drivers/cpufreq/utility.c:80 cpufreq_statistic_update() warn: potential spectre issue 'pxpt->u.pt' [w]
[bound] 129 xen/drivers/cpufreq/utility.c:84 cpufreq_statistic_update() warn: potential spectre issue 'pxpt->u.trans_pt + from * pmpt->perf.state_count' [w]
[cpu-up] 129 xen/drivers/cpufreq/utility.c:93 cpufreq_statistic_init() warn: potential spectre issue 'processor_pminfo' [r]
[cpu-up] 129 xen/drivers/cpufreq/utility.c:95 cpufreq_statistic_init() warn: potential spectre issue '__per_cpu_offset' [w]
[amd] 129 xen/drivers/passthrough/amd/iommu_acpi.c:136 reserve_unity_map_for_device() warn: potential spectre issue 'ivrs_mappings' [r]
[amd] 129 xen/drivers/passthrough/amd/iommu_acpi.c:203 register_exclusion_range_for_device() warn: potential spectre issue 'ivrs_mappings' [r]
[amd] 129 xen/drivers/passthrough/amd/iommu_acpi.c:63 add_ivrs_mapping_entry() warn: potential spectre issue 'ivrs_mappings' [w]
[amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:106 get_intremap_entry() warn: potential spectre issue 'get_ivrs_mappings(seg)' [r]
[amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:118 free_intremap_entry() warn: potential spectre issue 'get_ivrs_mappings(seg)' [w]
[amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:367 amd_iommu_ioapic_update_ire() warn: potential spectre issue 'ioapic_sbdf[idx].pin_2_idx' [r]
[amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:369 amd_iommu_ioapic_update_ire() warn: potential spectre issue '&new_rte' [w]
[amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:403 amd_iommu_read_ioapic_from_ire() warn: potential spectre issue 'ioapic_sbdf[idx].pin_2_idx' [r]
[amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:64 get_intremap_lock() warn: potential spectre issue 'get_ivrs_mappings(seg)' [r]
[amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:71 get_intremap_requestor_id() warn: potential spectre issue 'get_ivrs_mappings(seg)' [r] (local cap)
[amd] 129 xen/drivers/passthrough/amd/iommu_intr.c:76 alloc_intremap_entry() warn: potential spectre issue 'get_ivrs_mappings(seg)' [r]
[amd] 129 xen/drivers/passthrough/amd/pci_amd_iommu.c:39 find_iommu_for_device() warn: potential spectre issue 'ivrs_mappings' [w] (local cap)
[amd] 129 xen/drivers/passthrough/amd/pci_amd_iommu.c:78 get_dma_requestor_id() warn: potential spectre issue 'ivrs_mappings' [r] (local cap)
[constant] 1 xen/drivers/passthrough/io.c:1025 hvm_dpci_eoi() warn: potential spectre issue 'hvm_irq_dpci->girq' [r] (local cap)
[bound] 129 xen/drivers/passthrough/io.c:1087 cpu_callback() warn: potential spectre issue '__per_cpu_offset' [w]
[dom0-vmx] 129 xen/drivers/passthrough/vtd/intremap.c:341 ioapic_rte_to_remap_entry() warn: potential spectre issue 'apic_pin_2_ir_idx[apic]' [r]
[dom0-vmx] 129 xen/drivers/passthrough/vtd/intremap.c:385 ioapic_rte_to_remap_entry() warn: potential spectre issue 'mp_ioapics' [w]
[dom0-vmx] 129 xen/drivers/passthrough/vtd/intremap.c:421 io_apic_read_remap_rte() warn: potential spectre issue 'mp_ioapics' [r]
[dom0-vmx] 129 xen/drivers/passthrough/vtd/intremap.c:425 io_apic_read_remap_rte() warn: potential spectre issue 'apic_pin_2_ir_idx[apic]' [r]
[dom0-vmx] 129 xen/drivers/passthrough/vtd/intremap.c:446 io_apic_write_remap_rte() warn: potential spectre issue 'mp_ioapics' [r]
[bound] 2 xen/drivers/passthrough/vtd/iommu.c:1345 domain_context_mapping_one() warn: potential spectre issue 'context_entries' [r]
[dom0-vmx] 2 xen/drivers/passthrough/vtd/iommu.c:1581 domain_context_unmap_one() warn: potential spectre issue 'context_entries' [r]
[hard-to-trigger] 129 xen/drivers/passthrough/vtd/iommu.c:1797 intel_iommu_map_page() warn: potential spectre issue 'page' [r]
[bound] 129 xen/drivers/passthrough/vtd/iommu.c:233 bus_to_context_maddr() warn: potential spectre issue 'root_entries' [r]
[hard-to-trigger] 129 xen/drivers/passthrough/vtd/iommu.c:855 iommu_get_fault_reason() warn: potential spectre issue 'intr_remap_fault_reasons' [r]
[hard-to-trigger] 129 xen/drivers/passthrough/vtd/iommu.c:860 iommu_get_fault_reason() warn: potential spectre issue 'dma_remap_fault_reasons' [r] (local cap)
[hard-to-trigger] 129 xen/drivers/passthrough/vtd/qinval.c:224 dev_invalidate_sync() warn: potential spectre issue 'iommu->domid_map' [r]
[iommu-verbose] 129 xen/drivers/passthrough/vtd/utils.c:115 print_vtd_entries() warn: potential spectre issue 'root_entry' [w]
[iommu-verbose] 129 xen/drivers/passthrough/vtd/utils.c:132 print_vtd_entries() warn: potential spectre issue 'ctxt_entry' [r]
[iommu-verbose] 129 xen/drivers/passthrough/vtd/utils.c:160 print_vtd_entries() warn: potential spectre issue 'l' [r]
[hard-to-trigger] 129 xen/drivers/vpci/msix.c:193 get_entry() warn: potential spectre issue 'msix->entries' [r]
[tools] 129 xen/tools/kconfig/zconf.tab.c:1041 yy_reduce_print() warn: potential spectre issue 'yyr2' [r]
[tools] 129 xen/tools/kconfig/zconf.tab.c:1043 yy_reduce_print() warn: potential spectre issue 'yyrline' [r]
[tools] 129 xen/tools/kconfig/zconf.tab.c:1050 yy_reduce_print() warn: potential spectre issue 'yyprhs' [w]
[tools] 129 xen/tools/kconfig/zconf.tab.c:133 conf_set_sym_val() warn: potential spectre issue 'sym->def' [w]
[tools] 129 xen/tools/kconfig/zconf.tab.c:1683 yy_try_NUL_trans() warn: potential spectre issue 'yy_nxt' [r]
[tools] 129 xen/tools/kconfig/zconf.tab.c:212 add_byte() warn: potential spectre issue '*lineptr' [w]
[tools] 129 xen/tools/kconfig/zconf.tab.c:2135 zconf_scan_bytes() warn: potential spectre issue 'buf' [w]
[tools] 129 xen/tools/kconfig/zconf.tab.c:308 conf_read_simple() warn: potential spectre issue 'sym->def' [w]
[tools] 129 xen/tools/kconfig/zconf.tab.c:398 conf_read_simple() warn: potential spectre issue 'cs->def' [w] (local cap)
[tools] 1 xen/tools/kconfig/zconf.tab.c:760 conf_write() warn: potential spectre issue 'dirname' [w]
[tools] 129 xen/tools/kconfig/zconf.tab.c:847 append_string() warn: potential spectre issue 'text' [w]
[tools] 129 xen/tools/kconfig/zconf.tab.c:854 alloc_string() warn: potential spectre issue 'text' [w]
[tools] 129 xen/tools/kconfig/zconf.tab.c:88 kconf_id_hash() warn: potential spectre issue 'str' [r]
[tools] 129 xen/tools/kconfig/zconf.tab.c:986 yy_symbol_print() warn: potential spectre issue 'yytname' [w] (local cap)
[tools] 129 xen/tools/symbols.c:415 learn_symbol() warn: potential spectre issue 'token_profit' [w]
[tools] 129 xen/tools/symbols.c:424 forget_symbol() warn: potential spectre issue 'token_profit' [w]
[-- Attachment #18: Type: text/plain, Size: 157 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-01-21 17:32 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-01-21 17:32 Xen Security Advisory 289 v3 - Cache-load gadgets exploitable with L1TF Xen.org security team
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.