Merge branch 'x86-smap-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86/smap support from Ingo Molnar: "This adds support for the SMAP (Supervisor Mode Access Prevention) CPU feature on Intel CPUs: a hardware feature that prevents unintended user-space data access from kernel privileged code. It's turned on automatically when possible. This, in combination with SMEP, makes it even harder to exploit kernel bugs such as NULL pointer dereferences." Fix up trivial conflict in arch/x86/kernel/entry_64.S due to newly added includes right next to each other. * 'x86-smap-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86, smep, smap: Make the switching functions one-way x86, suspend: On wakeup always initialize cr4 and EFER x86-32: Start out eflags and cr4 clean x86, smap: Do not abuse the [f][x]rstor_checking() functions for user space x86-32, smap: Add STAC/CLAC instructions to 32-bit kernel entry x86, smap: Reduce the SMAP overhead for signal handling x86, smap: A page fault due to SMAP is an oops x86, smap: Turn on Supervisor Mode Access Prevention x86, smap: Add STAC and CLAC instructions to control user space access x86, uaccess: Merge prototypes for clear_user/__clear_user x86, smap: Add a header file with macros for STAC/CLAC x86, alternative: Add header guards to <asm/alternative-asm.h> x86, alternative: Use .pushsection/.popsection x86, smap: Add CR4 bit for SMAP x86-32, mm: The WP test should be done on a kernel page

Merge branch 'x86-smap-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86/smap support from Ingo Molnar: "This adds support for the SMAP (Supervisor Mode Access Prevention) CPU feature on Intel CPUs: a hardware feature that prevents unintended user-space data access from kernel privileged code. It's turned on automatically when possible. This, in combination with SMEP, makes it even harder to exploit kernel bugs such as NULL pointer dereferences." Fix up trivial conflict in arch/x86/kernel/entry_64.S due to newly added includes right next to each other. * 'x86-smap-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86, smep, smap: Make the switching functions one-way x86, suspend: On wakeup always initialize cr4 and EFER x86-32: Start out eflags and cr4 clean x86, smap: Do not abuse the [f][x]rstor_checking() functions for user space x86-32, smap: Add STAC/CLAC instructions to 32-bit kernel entry x86, smap: Reduce the SMAP overhead for signal handling x86, smap: A page fault due to SMAP is an oops x86, smap: Turn on Supervisor Mode Access Prevention x86, smap: Add STAC and CLAC instructions to control user space access x86, uaccess: Merge prototypes for clear_user/__clear_user x86, smap: Add a header file with macros for STAC/CLAC x86, alternative: Add header guards to <asm/alternative-asm.h> x86, alternative: Use .pushsection/.popsection x86, smap: Add CR4 bit for SMAP x86-32, mm: The WP test should be done on a kernel page
Linus Torvalds
2 parents a57d985e37 b2cc2a074d
Showing 31 changed files Side-by-side Diff
Documentation/kernel-parameters.txt
arch/x86/Kconfig
arch/x86/ia32/ia32_signal.c
arch/x86/ia32/ia32entry.S
arch/x86/include/asm/alternative-asm.h
arch/x86/include/asm/alternative.h
arch/x86/include/asm/fpu-internal.h
arch/x86/include/asm/futex.h
arch/x86/include/asm/processor-flags.h
arch/x86/include/asm/smap.h
arch/x86/include/asm/uaccess.h
arch/x86/include/asm/uaccess_32.h
arch/x86/include/asm/uaccess_64.h
arch/x86/include/asm/xsave.h
arch/x86/kernel/acpi/sleep.c
arch/x86/kernel/cpu/common.c
arch/x86/kernel/entry_32.S
arch/x86/kernel/entry_64.S
arch/x86/kernel/head_32.S
arch/x86/kernel/signal.c
@@ -1812,8 +1812,12 @@
 			noexec=on: enable non-executable mappings (default)
 			noexec=off: disable non-executable mappings
  
+	nosmap		[X86]
+			Disable SMAP (Supervisor Mode Access Prevention)
+			even if it is supported by processor.
+
 	nosmep		[X86]
-			Disable SMEP (Supervisor Mode Execution Protection)
+			Disable SMEP (Supervisor Mode Execution Prevention)
 			even if it is supported by processor.
  
 	noexec32	[X86-64]
@@ -1493,6 +1493,17 @@
 	  If supported, this is a high bandwidth, cryptographically
 	  secure hardware random number generator.
  
+config X86_SMAP
+	def_bool y
+	prompt "Supervisor Mode Access Prevention" if EXPERT
+	---help---
+	  Supervisor Mode Access Prevention (SMAP) is a security
+	  feature in newer Intel processors.  There is a small
+	  performance cost if this enabled and turned on; there is
+	  also a small increase in the kernel size if this is enabled.
+
+	  If unsure, say Y.
+
 config EFI
 	bool "EFI runtime service support"
 	depends on ACPI
@@ -32,6 +32,7 @@
 #include <asm/sigframe.h>
 #include <asm/sighandling.h>
 #include <asm/sys_ia32.h>
+#include <asm/smap.h>
  
 #define FIX_EFLAGS	__FIX_EFLAGS
  
  
@@ -251,11 +252,12 @@
  
 		get_user_ex(tmp, &sc->fpstate);
 		buf = compat_ptr(tmp);
-		err |= restore_xstate_sig(buf, 1);
  
 		get_user_ex(*pax, &sc->ax);
 	} get_user_catch(err);
  
+	err |= restore_xstate_sig(buf, 1);
+
 	return err;
 }
  
@@ -506,7 +508,6 @@
 		put_user_ex(sig, &frame->sig);
 		put_user_ex(ptr_to_compat(&frame->info), &frame->pinfo);
 		put_user_ex(ptr_to_compat(&frame->uc), &frame->puc);
-		err |= copy_siginfo_to_user32(&frame->info, info);
  
 		/* Create the ucontext.  */
 		if (cpu_has_xsave)
@@ -518,9 +519,6 @@
 		put_user_ex(sas_ss_flags(regs->sp),
 			    &frame->uc.uc_stack.ss_flags);
 		put_user_ex(current->sas_ss_size, &frame->uc.uc_stack.ss_size);
-		err |= ia32_setup_sigcontext(&frame->uc.uc_mcontext, fpstate,
-					     regs, set->sig[0]);
-		err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
  
 		if (ka->sa.sa_flags & SA_RESTORER)
 			restorer = ka->sa.sa_restorer;
@@ -535,6 +533,11 @@
 		 */
 		put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode);
 	} put_user_catch(err);
+
+	err |= copy_siginfo_to_user32(&frame->info, info);
+	err |= ia32_setup_sigcontext(&frame->uc.uc_mcontext, fpstate,
+				     regs, set->sig[0]);
+	err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
  
 	if (err)
 		return -EFAULT;
@@ -14,6 +14,7 @@
 #include <asm/segment.h>
 #include <asm/irqflags.h>
 #include <asm/asm.h>
+#include <asm/smap.h>
 #include <linux/linkage.h>
 #include <linux/err.h>
  
  
@@ -146,8 +147,10 @@
 	SAVE_ARGS 0,1,0
  	/* no need to do an access_ok check here because rbp has been
  	   32bit zero extended */ 
+	ASM_STAC
 1:	movl	(%rbp),%ebp
 	_ASM_EXTABLE(1b,ia32_badarg)
+	ASM_CLAC
 	orl     $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
 	testl   $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
 	CFI_REMEMBER_STATE
  
@@ -301,8 +304,10 @@
 	/* no need to do an access_ok check here because r8 has been
 	   32bit zero extended */ 
 	/* hardware stack frame is complete now */	
+	ASM_STAC
 1:	movl	(%r8),%r9d
 	_ASM_EXTABLE(1b,ia32_badarg)
+	ASM_CLAC
 	orl     $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
 	testl   $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
 	CFI_REMEMBER_STATE
@@ -365,6 +370,7 @@
 END(ia32_cstar_target)
  
 ia32_badarg:
+	ASM_CLAC
 	movq $-EFAULT,%rax
 	jmp ia32_sysret
 	CFI_ENDPROC
+#ifndef _ASM_X86_ALTERNATIVE_ASM_H
+#define _ASM_X86_ALTERNATIVE_ASM_H
+
 #ifdef __ASSEMBLY__
  
 #include <asm/asm.h>
  
@@ -5,10 +8,10 @@
 #ifdef CONFIG_SMP
 	.macro LOCK_PREFIX
 672:	lock
-	.section .smp_locks,"a"
+	.pushsection .smp_locks,"a"
 	.balign 4
 	.long 672b - .
-	.previous
+	.popsection
 	.endm
 #else
 	.macro LOCK_PREFIX
@@ -24,4 +27,6 @@
 .endm
  
 #endif  /*  __ASSEMBLY__  */
+
+#endif /* _ASM_X86_ALTERNATIVE_ASM_H */
@@ -29,10 +29,10 @@
  
 #ifdef CONFIG_SMP
 #define LOCK_PREFIX_HERE \
-		".section .smp_locks,\"a\"\n"	\
-		".balign 4\n"			\
-		".long 671f - .\n" /* offset */	\
-		".previous\n"			\
+		".pushsection .smp_locks,\"a\"\n"	\
+		".balign 4\n"				\
+		".long 671f - .\n" /* offset */		\
+		".popsection\n"				\
 		"671:"
  
 #define LOCK_PREFIX LOCK_PREFIX_HERE "\n\tlock; "
  
  
  
  
  
  
  
@@ -99,30 +99,30 @@
 /* alternative assembly primitive: */
 #define ALTERNATIVE(oldinstr, newinstr, feature)			\
 	OLDINSTR(oldinstr)						\
-	".section .altinstructions,\"a\"\n"				\
+	".pushsection .altinstructions,\"a\"\n"				\
 	ALTINSTR_ENTRY(feature, 1)					\
-	".previous\n"							\
-	".section .discard,\"aw\",@progbits\n"				\
+	".popsection\n"							\
+	".pushsection .discard,\"aw\",@progbits\n"			\
 	DISCARD_ENTRY(1)						\
-	".previous\n"							\
-	".section .altinstr_replacement, \"ax\"\n"			\
+	".popsection\n"							\
+	".pushsection .altinstr_replacement, \"ax\"\n"			\
 	ALTINSTR_REPLACEMENT(newinstr, feature, 1)			\
-	".previous"
+	".popsection"
  
 #define ALTERNATIVE_2(oldinstr, newinstr1, feature1, newinstr2, feature2)\
 	OLDINSTR(oldinstr)						\
-	".section .altinstructions,\"a\"\n"				\
+	".pushsection .altinstructions,\"a\"\n"				\
 	ALTINSTR_ENTRY(feature1, 1)					\
 	ALTINSTR_ENTRY(feature2, 2)					\
-	".previous\n"							\
-	".section .discard,\"aw\",@progbits\n"				\
+	".popsection\n"							\
+	".pushsection .discard,\"aw\",@progbits\n"			\
 	DISCARD_ENTRY(1)						\
 	DISCARD_ENTRY(2)						\
-	".previous\n"							\
-	".section .altinstr_replacement, \"ax\"\n"			\
+	".popsection\n"							\
+	".pushsection .altinstr_replacement, \"ax\"\n"			\
 	ALTINSTR_REPLACEMENT(newinstr1, feature1, 1)			\
 	ALTINSTR_REPLACEMENT(newinstr2, feature2, 2)			\
-	".previous"
+	".popsection"
  
 /*
  * This must be included *after* the definition of ALTERNATIVE due to
@@ -21,6 +21,7 @@
 #include <asm/user.h>
 #include <asm/uaccess.h>
 #include <asm/xsave.h>
+#include <asm/smap.h>
  
 #ifdef CONFIG_X86_64
 # include <asm/sigcontext32.h>
@@ -121,6 +122,22 @@
 	__sanitize_i387_state(tsk);
 }
  
+#define user_insn(insn, output, input...)				\
+({									\
+	int err;							\
+	asm volatile(ASM_STAC "\n"					\
+		     "1:" #insn "\n\t"					\
+		     "2: " ASM_CLAC "\n"				\
+		     ".section .fixup,\"ax\"\n"				\
+		     "3:  movl $-1,%[err]\n"				\
+		     "    jmp  2b\n"					\
+		     ".previous\n"					\
+		     _ASM_EXTABLE(1b, 3b)				\
+		     : [err] "=r" (err), output				\
+		     : "0"(0), input);					\
+	err;								\
+})
+
 #define check_insn(insn, output, input...)				\
 ({									\
 	int err;							\
  
  
  
@@ -138,18 +155,18 @@
  
 static inline int fsave_user(struct i387_fsave_struct __user *fx)
 {
-	return check_insn(fnsave %[fx]; fwait,  [fx] "=m" (*fx), "m" (*fx));
+	return user_insn(fnsave %[fx]; fwait,  [fx] "=m" (*fx), "m" (*fx));
 }
  
 static inline int fxsave_user(struct i387_fxsave_struct __user *fx)
 {
 	if (config_enabled(CONFIG_X86_32))
-		return check_insn(fxsave %[fx], [fx] "=m" (*fx), "m" (*fx));
+		return user_insn(fxsave %[fx], [fx] "=m" (*fx), "m" (*fx));
 	else if (config_enabled(CONFIG_AS_FXSAVEQ))
-		return check_insn(fxsaveq %[fx], [fx] "=m" (*fx), "m" (*fx));
+		return user_insn(fxsaveq %[fx], [fx] "=m" (*fx), "m" (*fx));
  
 	/* See comment in fpu_fxsave() below. */
-	return check_insn(rex64/fxsave (%[fx]), "=m" (*fx), [fx] "R" (fx));
+	return user_insn(rex64/fxsave (%[fx]), "=m" (*fx), [fx] "R" (fx));
 }
  
 static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
  
@@ -164,9 +181,26 @@
 			  "m" (*fx));
 }
  
+static inline int fxrstor_user(struct i387_fxsave_struct __user *fx)
+{
+	if (config_enabled(CONFIG_X86_32))
+		return user_insn(fxrstor %[fx], "=m" (*fx), [fx] "m" (*fx));
+	else if (config_enabled(CONFIG_AS_FXSAVEQ))
+		return user_insn(fxrstorq %[fx], "=m" (*fx), [fx] "m" (*fx));
+
+	/* See comment in fpu_fxsave() below. */
+	return user_insn(rex64/fxrstor (%[fx]), "=m" (*fx), [fx] "R" (fx),
+			  "m" (*fx));
+}
+
 static inline int frstor_checking(struct i387_fsave_struct *fx)
 {
 	return check_insn(frstor %[fx], "=m" (*fx), [fx] "m" (*fx));
+}
+
+static inline int frstor_user(struct i387_fsave_struct __user *fx)
+{
+	return user_insn(frstor %[fx], "=m" (*fx), [fx] "m" (*fx));
 }
  
 static inline void fpu_fxsave(struct fpu *fpu)
@@ -9,10 +9,13 @@
 #include <asm/asm.h>
 #include <asm/errno.h>
 #include <asm/processor.h>
+#include <asm/smap.h>
  
 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg)	\
-	asm volatile("1:\t" insn "\n"				\
-		     "2:\t.section .fixup,\"ax\"\n"		\
+	asm volatile("\t" ASM_STAC "\n"				\
+		     "1:\t" insn "\n"				\
+		     "2:\t" ASM_CLAC "\n"			\
+		     "\t.section .fixup,\"ax\"\n"		\
 		     "3:\tmov\t%3, %1\n"			\
 		     "\tjmp\t2b\n"				\
 		     "\t.previous\n"				\
  
@@ -21,12 +24,14 @@
 		     : "i" (-EFAULT), "0" (oparg), "1" (0))
  
 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg)	\
-	asm volatile("1:\tmovl	%2, %0\n"			\
+	asm volatile("\t" ASM_STAC "\n"				\
+		     "1:\tmovl	%2, %0\n"			\
 		     "\tmovl\t%0, %3\n"				\
 		     "\t" insn "\n"				\
 		     "2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n"	\
 		     "\tjnz\t1b\n"				\
-		     "3:\t.section .fixup,\"ax\"\n"		\
+		     "3:\t" ASM_CLAC "\n"			\
+		     "\t.section .fixup,\"ax\"\n"		\
 		     "4:\tmov\t%5, %1\n"			\
 		     "\tjmp\t3b\n"				\
 		     "\t.previous\n"				\
@@ -122,8 +127,10 @@
 	if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
 		return -EFAULT;
  
-	asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
-		     "2:\t.section .fixup, \"ax\"\n"
+	asm volatile("\t" ASM_STAC "\n"
+		     "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
+		     "2:\t" ASM_CLAC "\n"
+		     "\t.section .fixup, \"ax\"\n"
 		     "3:\tmov     %3, %0\n"
 		     "\tjmp     2b\n"
 		     "\t.previous\n"
@@ -65,6 +65,7 @@
 #define X86_CR4_PCIDE	0x00020000 /* enable PCID support */
 #define X86_CR4_OSXSAVE 0x00040000 /* enable xsave and xrestore */
 #define X86_CR4_SMEP	0x00100000 /* enable SMEP support */
+#define X86_CR4_SMAP	0x00200000 /* enable SMAP support */
  
 /*
  * x86-64 Task Priority Register, CR8
+/*
+ * Supervisor Mode Access Prevention support
+ *
+ * Copyright (C) 2012 Intel Corporation
+ * Author: H. Peter Anvin <hpa@linux.intel.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; version 2
+ * of the License.
+ */
+
+#ifndef _ASM_X86_SMAP_H
+#define _ASM_X86_SMAP_H
+
+#include <linux/stringify.h>
+#include <asm/nops.h>
+#include <asm/cpufeature.h>
+
+/* "Raw" instruction opcodes */
+#define __ASM_CLAC	.byte 0x0f,0x01,0xca
+#define __ASM_STAC	.byte 0x0f,0x01,0xcb
+
+#ifdef __ASSEMBLY__
+
+#include <asm/alternative-asm.h>
+
+#ifdef CONFIG_X86_SMAP
+
+#define ASM_CLAC							\
+	661: ASM_NOP3 ;							\
+	.pushsection .altinstr_replacement, "ax" ;			\
+	662: __ASM_CLAC ;						\
+	.popsection ;							\
+	.pushsection .altinstructions, "a" ;				\
+	altinstruction_entry 661b, 662b, X86_FEATURE_SMAP, 3, 3 ;	\
+	.popsection
+
+#define ASM_STAC							\
+	661: ASM_NOP3 ;							\
+	.pushsection .altinstr_replacement, "ax" ;			\
+	662: __ASM_STAC ;						\
+	.popsection ;							\
+	.pushsection .altinstructions, "a" ;				\
+	altinstruction_entry 661b, 662b, X86_FEATURE_SMAP, 3, 3 ;	\
+	.popsection
+
+#else /* CONFIG_X86_SMAP */
+
+#define ASM_CLAC
+#define ASM_STAC
+
+#endif /* CONFIG_X86_SMAP */
+
+#else /* __ASSEMBLY__ */
+
+#include <asm/alternative.h>
+
+#ifdef CONFIG_X86_SMAP
+
+static __always_inline void clac(void)
+{
+	/* Note: a barrier is implicit in alternative() */
+	alternative(ASM_NOP3, __stringify(__ASM_CLAC), X86_FEATURE_SMAP);
+}
+
+static __always_inline void stac(void)
+{
+	/* Note: a barrier is implicit in alternative() */
+	alternative(ASM_NOP3, __stringify(__ASM_STAC), X86_FEATURE_SMAP);
+}
+
+/* These macros can be used in asm() statements */
+#define ASM_CLAC \
+	ALTERNATIVE(ASM_NOP3, __stringify(__ASM_CLAC), X86_FEATURE_SMAP)
+#define ASM_STAC \
+	ALTERNATIVE(ASM_NOP3, __stringify(__ASM_STAC), X86_FEATURE_SMAP)
+
+#else /* CONFIG_X86_SMAP */
+
+static inline void clac(void) { }
+static inline void stac(void) { }
+
+#define ASM_CLAC
+#define ASM_STAC
+
+#endif /* CONFIG_X86_SMAP */
+
+#endif /* __ASSEMBLY__ */
+
+#endif /* _ASM_X86_SMAP_H */
@@ -9,6 +9,7 @@
 #include <linux/string.h>
 #include <asm/asm.h>
 #include <asm/page.h>
+#include <asm/smap.h>
  
 #define VERIFY_READ 0
 #define VERIFY_WRITE 1
  
@@ -192,9 +193,10 @@
  
 #ifdef CONFIG_X86_32
 #define __put_user_asm_u64(x, addr, err, errret)			\
-	asm volatile("1:	movl %%eax,0(%2)\n"			\
+	asm volatile(ASM_STAC "\n"					\
+		     "1:	movl %%eax,0(%2)\n"			\
 		     "2:	movl %%edx,4(%2)\n"			\
-		     "3:\n"						\
+		     "3: " ASM_CLAC "\n"				\
 		     ".section .fixup,\"ax\"\n"				\
 		     "4:	movl %3,%0\n"				\
 		     "	jmp 3b\n"					\
  
@@ -205,9 +207,10 @@
 		     : "A" (x), "r" (addr), "i" (errret), "0" (err))
  
 #define __put_user_asm_ex_u64(x, addr)					\
-	asm volatile("1:	movl %%eax,0(%1)\n"			\
+	asm volatile(ASM_STAC "\n"					\
+		     "1:	movl %%eax,0(%1)\n"			\
 		     "2:	movl %%edx,4(%1)\n"			\
-		     "3:\n"						\
+		     "3: " ASM_CLAC "\n"				\
 		     _ASM_EXTABLE_EX(1b, 2b)				\
 		     _ASM_EXTABLE_EX(2b, 3b)				\
 		     : : "A" (x), "r" (addr))
@@ -379,8 +382,9 @@
 } while (0)
  
 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret)	\
-	asm volatile("1:	mov"itype" %2,%"rtype"1\n"		\
-		     "2:\n"						\
+	asm volatile(ASM_STAC "\n"					\
+		     "1:	mov"itype" %2,%"rtype"1\n"		\
+		     "2: " ASM_CLAC "\n"				\
 		     ".section .fixup,\"ax\"\n"				\
 		     "3:	mov %3,%0\n"				\
 		     "	xor"itype" %"rtype"1,%"rtype"1\n"		\
@@ -443,8 +447,9 @@
  * aliasing issues.
  */
 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret)	\
-	asm volatile("1:	mov"itype" %"rtype"1,%2\n"		\
-		     "2:\n"						\
+	asm volatile(ASM_STAC "\n"					\
+		     "1:	mov"itype" %"rtype"1,%2\n"		\
+		     "2: " ASM_CLAC "\n"				\
 		     ".section .fixup,\"ax\"\n"				\
 		     "3:	mov %3,%0\n"				\
 		     "	jmp 2b\n"					\
  
  
  
@@ -463,13 +468,13 @@
  * uaccess_try and catch
  */
 #define uaccess_try	do {						\
-	int prev_err = current_thread_info()->uaccess_err;		\
 	current_thread_info()->uaccess_err = 0;				\
+	stac();								\
 	barrier();
  
 #define uaccess_catch(err)						\
+	clac();								\
 	(err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0);	\
-	current_thread_info()->uaccess_err = prev_err;			\
 } while (0)
  
 /**
@@ -568,6 +573,9 @@
  
 extern __must_check long strlen_user(const char __user *str);
 extern __must_check long strnlen_user(const char __user *str, long n);
+
+unsigned long __must_check clear_user(void __user *mem, unsigned long len);
+unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
  
 /*
  * movsl can be slow when source and dest are not both 8-byte aligned
@@ -213,8 +213,5 @@
 	return n;
 }
  
-unsigned long __must_check clear_user(void __user *mem, unsigned long len);
-unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
-
 #endif /* _ASM_X86_UACCESS_32_H */
@@ -217,9 +217,6 @@
 	}
 }
  
-__must_check unsigned long clear_user(void __user *mem, unsigned long len);
-__must_check unsigned long __clear_user(void __user *mem, unsigned long len);
-
 static __must_check __always_inline int
 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
 {
@@ -70,8 +70,9 @@
 	if (unlikely(err))
 		return -EFAULT;
  
-	__asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
-			     "2:\n"
+	__asm__ __volatile__(ASM_STAC "\n"
+			     "1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
+			     "2: " ASM_CLAC "\n"
 			     ".section .fixup,\"ax\"\n"
 			     "3:  movl $-1,%[err]\n"
 			     "    jmp  2b\n"
@@ -90,8 +91,9 @@
 	u32 lmask = mask;
 	u32 hmask = mask >> 32;
  
-	__asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
-			     "2:\n"
+	__asm__ __volatile__(ASM_STAC "\n"
+			     "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
+			     "2: " ASM_CLAC "\n"
 			     ".section .fixup,\"ax\"\n"
 			     "3:  movl $-1,%[err]\n"
 			     "    jmp  2b\n"
@@ -43,17 +43,22 @@
  
 	header->video_mode = saved_video_mode;
  
+	header->pmode_behavior = 0;
+
 #ifndef CONFIG_64BIT
 	store_gdt((struct desc_ptr *)&header->pmode_gdt);
  
-	if (rdmsr_safe(MSR_EFER, &header->pmode_efer_low,
-		       &header->pmode_efer_high))
-		header->pmode_efer_low = header->pmode_efer_high = 0;
+	if (!rdmsr_safe(MSR_EFER,
+			&header->pmode_efer_low,
+			&header->pmode_efer_high))
+		header->pmode_behavior |= (1 << WAKEUP_BEHAVIOR_RESTORE_EFER);
 #endif /* !CONFIG_64BIT */
  
 	header->pmode_cr0 = read_cr0();
-	header->pmode_cr4 = read_cr4_safe();
-	header->pmode_behavior = 0;
+	if (__this_cpu_read(cpu_info.cpuid_level) >= 0) {
+		header->pmode_cr4 = read_cr4();
+		header->pmode_behavior |= (1 << WAKEUP_BEHAVIOR_RESTORE_CR4);
+	}
 	if (!rdmsr_safe(MSR_IA32_MISC_ENABLE,
 			&header->pmode_misc_en_low,
 			&header->pmode_misc_en_high))
@@ -259,25 +259,38 @@
 }
 #endif
  
-static int disable_smep __cpuinitdata;
 static __init int setup_disable_smep(char *arg)
 {
-	disable_smep = 1;
+	setup_clear_cpu_cap(X86_FEATURE_SMEP);
 	return 1;
 }
 __setup("nosmep", setup_disable_smep);
  
-static __cpuinit void setup_smep(struct cpuinfo_x86 *c)
+static __always_inline void setup_smep(struct cpuinfo_x86 *c)
 {
-	if (cpu_has(c, X86_FEATURE_SMEP)) {
-		if (unlikely(disable_smep)) {
-			setup_clear_cpu_cap(X86_FEATURE_SMEP);
-			clear_in_cr4(X86_CR4_SMEP);
-		} else
-			set_in_cr4(X86_CR4_SMEP);
-	}
+	if (cpu_has(c, X86_FEATURE_SMEP))
+		set_in_cr4(X86_CR4_SMEP);
 }
  
+static __init int setup_disable_smap(char *arg)
+{
+	setup_clear_cpu_cap(X86_FEATURE_SMAP);
+	return 1;
+}
+__setup("nosmap", setup_disable_smap);
+
+static __always_inline void setup_smap(struct cpuinfo_x86 *c)
+{
+	unsigned long eflags;
+
+	/* This should have been cleared long ago */
+	raw_local_save_flags(eflags);
+	BUG_ON(eflags & X86_EFLAGS_AC);
+
+	if (cpu_has(c, X86_FEATURE_SMAP))
+		set_in_cr4(X86_CR4_SMAP);
+}
+
 /*
  * Some CPU features depend on higher CPUID levels, which may not always
  * be available due to CPUID level capping or broken virtualization
@@ -712,8 +725,6 @@
 	c->cpu_index = 0;
 	filter_cpuid_features(c, false);
  
-	setup_smep(c);
-
 	if (this_cpu->c_bsp_init)
 		this_cpu->c_bsp_init(c);
 }
@@ -798,8 +809,6 @@
 		c->phys_proc_id = c->initial_apicid;
 	}
  
-	setup_smep(c);
-
 	get_model_name(c); /* Default name */
  
 	detect_nopl(c);
@@ -864,6 +873,10 @@
 	/* Disable the PN if appropriate */
 	squash_the_stupid_serial_number(c);
  
+	/* Set up SMEP/SMAP */
+	setup_smep(c);
+	setup_smap(c);
+
 	/*
 	 * The vendor-specific functions might have changed features.
 	 * Now we do "generic changes."
@@ -1114,7 +1127,8 @@
  
 	/* Flags to clear on syscall */
 	wrmsrl(MSR_SYSCALL_MASK,
-	       X86_EFLAGS_TF|X86_EFLAGS_DF|X86_EFLAGS_IF|X86_EFLAGS_IOPL);
+	       X86_EFLAGS_TF|X86_EFLAGS_DF|X86_EFLAGS_IF|
+	       X86_EFLAGS_IOPL|X86_EFLAGS_AC);
 }
  
 /*
@@ -57,6 +57,7 @@
 #include <asm/cpufeature.h>
 #include <asm/alternative-asm.h>
 #include <asm/asm.h>
+#include <asm/smap.h>
  
 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
 #include <linux/elf-em.h>
  
@@ -407,7 +408,9 @@
  */
 	cmpl $__PAGE_OFFSET-3,%ebp
 	jae syscall_fault
+	ASM_STAC
 1:	movl (%ebp),%ebp
+	ASM_CLAC
 	movl %ebp,PT_EBP(%esp)
 	_ASM_EXTABLE(1b,syscall_fault)
  
@@ -488,6 +491,7 @@
 	# system call handler stub
 ENTRY(system_call)
 	RING0_INT_FRAME			# can't unwind into user space anyway
+	ASM_CLAC
 	pushl_cfi %eax			# save orig_eax
 	SAVE_ALL
 	GET_THREAD_INFO(%ebp)
@@ -670,6 +674,7 @@
  
 	RING0_INT_FRAME			# can't unwind into user space anyway
 syscall_fault:
+	ASM_CLAC
 	GET_THREAD_INFO(%ebp)
 	movl $-EFAULT,PT_EAX(%esp)
 	jmp resume_userspace
@@ -825,6 +830,7 @@
  */
 	.p2align CONFIG_X86_L1_CACHE_SHIFT
 common_interrupt:
+	ASM_CLAC
 	addl $-0x80,(%esp)	/* Adjust vector into the [-256,-1] range */
 	SAVE_ALL
 	TRACE_IRQS_OFF
@@ -841,6 +847,7 @@
 #define BUILD_INTERRUPT3(name, nr, fn)	\
 ENTRY(name)				\
 	RING0_INT_FRAME;		\
+	ASM_CLAC;			\
 	pushl_cfi $~(nr);		\
 	SAVE_ALL;			\
 	TRACE_IRQS_OFF			\
@@ -857,6 +864,7 @@
  
 ENTRY(coprocessor_error)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $0
 	pushl_cfi $do_coprocessor_error
 	jmp error_code
@@ -865,6 +873,7 @@
  
 ENTRY(simd_coprocessor_error)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $0
 #ifdef CONFIG_X86_INVD_BUG
 	/* AMD 486 bug: invd from userspace calls exception 19 instead of #GP */
@@ -886,6 +895,7 @@
  
 ENTRY(device_not_available)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $-1			# mark this as an int
 	pushl_cfi $do_device_not_available
 	jmp error_code
@@ -906,6 +916,7 @@
  
 ENTRY(overflow)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $0
 	pushl_cfi $do_overflow
 	jmp error_code
@@ -914,6 +925,7 @@
  
 ENTRY(bounds)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $0
 	pushl_cfi $do_bounds
 	jmp error_code
@@ -922,6 +934,7 @@
  
 ENTRY(invalid_op)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $0
 	pushl_cfi $do_invalid_op
 	jmp error_code
@@ -930,6 +943,7 @@
  
 ENTRY(coprocessor_segment_overrun)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $0
 	pushl_cfi $do_coprocessor_segment_overrun
 	jmp error_code
@@ -938,6 +952,7 @@
  
 ENTRY(invalid_TSS)
 	RING0_EC_FRAME
+	ASM_CLAC
 	pushl_cfi $do_invalid_TSS
 	jmp error_code
 	CFI_ENDPROC
@@ -945,6 +960,7 @@
  
 ENTRY(segment_not_present)
 	RING0_EC_FRAME
+	ASM_CLAC
 	pushl_cfi $do_segment_not_present
 	jmp error_code
 	CFI_ENDPROC
@@ -952,6 +968,7 @@
  
 ENTRY(stack_segment)
 	RING0_EC_FRAME
+	ASM_CLAC
 	pushl_cfi $do_stack_segment
 	jmp error_code
 	CFI_ENDPROC
@@ -959,6 +976,7 @@
  
 ENTRY(alignment_check)
 	RING0_EC_FRAME
+	ASM_CLAC
 	pushl_cfi $do_alignment_check
 	jmp error_code
 	CFI_ENDPROC
@@ -966,6 +984,7 @@
  
 ENTRY(divide_error)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $0			# no error code
 	pushl_cfi $do_divide_error
 	jmp error_code
@@ -975,6 +994,7 @@
 #ifdef CONFIG_X86_MCE
 ENTRY(machine_check)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $0
 	pushl_cfi machine_check_vector
 	jmp error_code
@@ -984,6 +1004,7 @@
  
 ENTRY(spurious_interrupt_bug)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $0
 	pushl_cfi $do_spurious_interrupt_bug
 	jmp error_code
@@ -1273,6 +1294,7 @@
  
 ENTRY(page_fault)
 	RING0_EC_FRAME
+	ASM_CLAC
 	pushl_cfi $do_page_fault
 	ALIGN
 error_code:
@@ -1345,6 +1367,7 @@
  
 ENTRY(debug)
 	RING0_INT_FRAME
+	ASM_CLAC
 	cmpl $ia32_sysenter_target,(%esp)
 	jne debug_stack_correct
 	FIX_STACK 12, debug_stack_correct, debug_esp_fix_insn
@@ -1369,6 +1392,7 @@
  */
 ENTRY(nmi)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi %eax
 	movl %ss, %eax
 	cmpw $__ESPFIX_SS, %ax
@@ -1439,6 +1463,7 @@
  
 ENTRY(int3)
 	RING0_INT_FRAME
+	ASM_CLAC
 	pushl_cfi $-1			# mark this as an int
 	SAVE_ALL
 	TRACE_IRQS_OFF
@@ -1459,6 +1484,7 @@
 #ifdef CONFIG_KVM_GUEST
 ENTRY(async_page_fault)
 	RING0_EC_FRAME
+	ASM_CLAC
 	pushl_cfi $do_async_page_fault
 	jmp error_code
 	CFI_ENDPROC
@@ -57,6 +57,7 @@
 #include <asm/percpu.h>
 #include <asm/asm.h>
 #include <asm/rcu.h>
+#include <asm/smap.h>
 #include <linux/err.h>
  
 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
@@ -568,7 +569,8 @@
  * System call entry. Up to 6 arguments in registers are supported.
  *
  * SYSCALL does not save anything on the stack and does not change the
- * stack pointer.
+ * stack pointer.  However, it does mask the flags register for us, so
+ * CLD and CLAC are not needed.
  */
  
 /*
@@ -987,6 +989,7 @@
 	 */
 	.p2align CONFIG_X86_L1_CACHE_SHIFT
 common_interrupt:
+	ASM_CLAC
 	XCPT_FRAME
 	addq $-0x80,(%rsp)		/* Adjust vector to [-256,-1] range */
 	interrupt do_IRQ
@@ -1126,6 +1129,7 @@
  */
 .macro apicinterrupt num sym do_sym
 ENTRY(\sym)
+	ASM_CLAC
 	INTR_FRAME
 	pushq_cfi $~(\num)
 .Lcommon_\sym:
@@ -1180,6 +1184,7 @@
  */
 .macro zeroentry sym do_sym
 ENTRY(\sym)
+	ASM_CLAC
 	INTR_FRAME
 	PARAVIRT_ADJUST_EXCEPTION_FRAME
 	pushq_cfi $-1		/* ORIG_RAX: no syscall to restart */
@@ -1197,6 +1202,7 @@
  
 .macro paranoidzeroentry sym do_sym
 ENTRY(\sym)
+	ASM_CLAC
 	INTR_FRAME
 	PARAVIRT_ADJUST_EXCEPTION_FRAME
 	pushq_cfi $-1		/* ORIG_RAX: no syscall to restart */
@@ -1215,6 +1221,7 @@
 #define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
 .macro paranoidzeroentry_ist sym do_sym ist
 ENTRY(\sym)
+	ASM_CLAC
 	INTR_FRAME
 	PARAVIRT_ADJUST_EXCEPTION_FRAME
 	pushq_cfi $-1		/* ORIG_RAX: no syscall to restart */
@@ -1234,6 +1241,7 @@
  
 .macro errorentry sym do_sym
 ENTRY(\sym)
+	ASM_CLAC
 	XCPT_FRAME
 	PARAVIRT_ADJUST_EXCEPTION_FRAME
 	subq $ORIG_RAX-R15, %rsp
@@ -1252,6 +1260,7 @@
 	/* error code is on the stack already */
 .macro paranoiderrorentry sym do_sym
 ENTRY(\sym)
+	ASM_CLAC
 	XCPT_FRAME
 	PARAVIRT_ADJUST_EXCEPTION_FRAME
 	subq $ORIG_RAX-R15, %rsp
@@ -287,27 +287,28 @@
 	leal -__PAGE_OFFSET(%ecx),%esp
  
 default_entry:
-
 /*
  *	New page tables may be in 4Mbyte page mode and may
  *	be using the global pages. 
  *
  *	NOTE! If we are on a 486 we may have no cr4 at all!
- *	So we do not try to touch it unless we really have
- *	some bits in it to set.  This won't work if the BSP
- *	implements cr4 but this AP does not -- very unlikely
- *	but be warned!  The same applies to the pse feature
- *	if not equally supported. --macro
- *
- *	NOTE! We have to correct for the fact that we're
- *	not yet offset PAGE_OFFSET..
+ *	Specifically, cr4 exists if and only if CPUID exists,
+ *	which in turn exists if and only if EFLAGS.ID exists.
  */
-#define cr4_bits pa(mmu_cr4_features)
-	movl cr4_bits,%edx
-	andl %edx,%edx
-	jz 6f
-	movl %cr4,%eax		# Turn on paging options (PSE,PAE,..)
-	orl %edx,%eax
+	movl $X86_EFLAGS_ID,%ecx
+	pushl %ecx
+	popfl
+	pushfl
+	popl %eax
+	pushl $0
+	popfl
+	pushfl
+	popl %edx
+	xorl %edx,%eax
+	testl %ecx,%eax
+	jz 6f			# No ID flag = no CPUID = no CR4
+
+	movl pa(mmu_cr4_features),%eax
 	movl %eax,%cr4
  
 	testb $X86_CR4_PAE, %al		# check if PAE is enabled
@@ -114,11 +114,12 @@
 		regs->orig_ax = -1;		/* disable syscall checks */
  
 		get_user_ex(buf, &sc->fpstate);
-		err |= restore_xstate_sig(buf, config_enabled(CONFIG_X86_32));
  
 		get_user_ex(*pax, &sc->ax);
 	} get_user_catch(err);
  
+	err |= restore_xstate_sig(buf, config_enabled(CONFIG_X86_32));
+
 	return err;
 }
  
@@ -355,7 +356,6 @@
 		put_user_ex(sig, &frame->sig);
 		put_user_ex(&frame->info, &frame->pinfo);
 		put_user_ex(&frame->uc, &frame->puc);
-		err |= copy_siginfo_to_user(&frame->info, info);
  
 		/* Create the ucontext.  */
 		if (cpu_has_xsave)
@@ -367,9 +367,6 @@
 		put_user_ex(sas_ss_flags(regs->sp),
 			    &frame->uc.uc_stack.ss_flags);
 		put_user_ex(current->sas_ss_size, &frame->uc.uc_stack.ss_size);
-		err |= setup_sigcontext(&frame->uc.uc_mcontext, fpstate,
-					regs, set->sig[0]);
-		err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
  
 		/* Set up to return from userspace.  */
 		restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
@@ -386,6 +383,11 @@
 		 */
 		put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
 	} put_user_catch(err);
+	
+	err |= copy_siginfo_to_user(&frame->info, info);
+	err |= setup_sigcontext(&frame->uc.uc_mcontext, fpstate,
+				regs, set->sig[0]);
+	err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
  
 	if (err)
 		return -EFAULT;
@@ -434,8 +436,6 @@
 		put_user_ex(sas_ss_flags(regs->sp),
 			    &frame->uc.uc_stack.ss_flags);
 		put_user_ex(me->sas_ss_size, &frame->uc.uc_stack.ss_size);
-		err |= setup_sigcontext(&frame->uc.uc_mcontext, fp, regs, set->sig[0]);
-		err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
  
 		/* Set up to return from userspace.  If provided, use a stub
 		   already in userspace.  */
@@ -448,6 +448,9 @@
 		}
 	} put_user_catch(err);
  
+	err |= setup_sigcontext(&frame->uc.uc_mcontext, fp, regs, set->sig[0]);
+	err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
+
 	if (err)
 		return -EFAULT;
  
@@ -504,9 +507,6 @@
 			    &frame->uc.uc_stack.ss_flags);
 		put_user_ex(current->sas_ss_size, &frame->uc.uc_stack.ss_size);
 		put_user_ex(0, &frame->uc.uc__pad0);
-		err |= setup_sigcontext(&frame->uc.uc_mcontext, fpstate,
-					regs, set->sig[0]);
-		err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
  
 		if (ka->sa.sa_flags & SA_RESTORER) {
 			restorer = ka->sa.sa_restorer;
@@ -517,6 +517,10 @@
 		}
 		put_user_ex(restorer, &frame->pretcode);
 	} put_user_catch(err);
+
+	err |= setup_sigcontext(&frame->uc.uc_mcontext, fpstate,
+				regs, set->sig[0]);
+	err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
  
 	if (err)
 		return -EFAULT;
@@ -315,7 +315,7 @@
 		if ((unsigned long)buf % 64 || fx_only) {
 			u64 init_bv = pcntxt_mask & ~XSTATE_FPSSE;
 			xrstor_state(init_xstate_buf, init_bv);
-			return fxrstor_checking((__force void *) buf);
+			return fxrstor_user(buf);
 		} else {
 			u64 init_bv = pcntxt_mask & ~xbv;
 			if (unlikely(init_bv))
  
@@ -323,9 +323,9 @@
 			return xrestore_user(buf, xbv);
 		}
 	} else if (use_fxsr()) {
-		return fxrstor_checking((__force void *) buf);
+		return fxrstor_user(buf);
 	} else
-		return frstor_checking((__force void *) buf);
+		return frstor_user(buf);
 }
  
 int __restore_xstate_sig(void __user *buf, void __user *buf_fx, int size)
@@ -17,6 +17,7 @@
 #include <asm/cpufeature.h>
 #include <asm/alternative-asm.h>
 #include <asm/asm.h>
+#include <asm/smap.h>
  
 /*
  * By placing feature2 after feature1 in altinstructions section, we logically
@@ -130,6 +131,7 @@
  */
 ENTRY(copy_user_generic_unrolled)
 	CFI_STARTPROC
+	ASM_STAC
 	cmpl $8,%edx
 	jb 20f		/* less then 8 bytes, go to byte copy loop */
 	ALIGN_DESTINATION
@@ -177,6 +179,7 @@
 	decl %ecx
 	jnz 21b
 23:	xor %eax,%eax
+	ASM_CLAC
 	ret
  
 	.section .fixup,"ax"
@@ -232,6 +235,7 @@
  */
 ENTRY(copy_user_generic_string)
 	CFI_STARTPROC
+	ASM_STAC
 	andl %edx,%edx
 	jz 4f
 	cmpl $8,%edx
@@ -246,6 +250,7 @@
 3:	rep
 	movsb
 4:	xorl %eax,%eax
+	ASM_CLAC
 	ret
  
 	.section .fixup,"ax"
  
@@ -273,12 +278,14 @@
  */
 ENTRY(copy_user_enhanced_fast_string)
 	CFI_STARTPROC
+	ASM_STAC
 	andl %edx,%edx
 	jz 2f
 	movl %edx,%ecx
 1:	rep
 	movsb
 2:	xorl %eax,%eax
+	ASM_CLAC
 	ret
  
 	.section .fixup,"ax"
@@ -15,6 +15,7 @@
 #include <asm/asm-offsets.h>
 #include <asm/thread_info.h>
 #include <asm/asm.h>
+#include <asm/smap.h>
  
 	.macro ALIGN_DESTINATION
 #ifdef FIX_ALIGNMENT
@@ -48,6 +49,7 @@
  */
 ENTRY(__copy_user_nocache)
 	CFI_STARTPROC
+	ASM_STAC
 	cmpl $8,%edx
 	jb 20f		/* less then 8 bytes, go to byte copy loop */
 	ALIGN_DESTINATION
@@ -95,6 +97,7 @@
 	decl %ecx
 	jnz 21b
 23:	xorl %eax,%eax
+	ASM_CLAC
 	sfence
 	ret
  
@@ -33,6 +33,7 @@
 #include <asm/asm-offsets.h>
 #include <asm/thread_info.h>
 #include <asm/asm.h>
+#include <asm/smap.h>
  
 	.text
 ENTRY(__get_user_1)
  
@@ -40,8 +41,10 @@
 	GET_THREAD_INFO(%_ASM_DX)
 	cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
 	jae bad_get_user
+	ASM_STAC
 1:	movzb (%_ASM_AX),%edx
 	xor %eax,%eax
+	ASM_CLAC
 	ret
 	CFI_ENDPROC
 ENDPROC(__get_user_1)
  
@@ -53,8 +56,10 @@
 	GET_THREAD_INFO(%_ASM_DX)
 	cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
 	jae bad_get_user
+	ASM_STAC
 2:	movzwl -1(%_ASM_AX),%edx
 	xor %eax,%eax
+	ASM_CLAC
 	ret
 	CFI_ENDPROC
 ENDPROC(__get_user_2)
  
@@ -66,8 +71,10 @@
 	GET_THREAD_INFO(%_ASM_DX)
 	cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
 	jae bad_get_user
+	ASM_STAC
 3:	mov -3(%_ASM_AX),%edx
 	xor %eax,%eax
+	ASM_CLAC
 	ret
 	CFI_ENDPROC
 ENDPROC(__get_user_4)
  
@@ -80,8 +87,10 @@
 	GET_THREAD_INFO(%_ASM_DX)
 	cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
 	jae	bad_get_user
+	ASM_STAC
 4:	movq -7(%_ASM_AX),%_ASM_DX
 	xor %eax,%eax
+	ASM_CLAC
 	ret
 	CFI_ENDPROC
 ENDPROC(__get_user_8)
@@ -91,6 +100,7 @@
 	CFI_STARTPROC
 	xor %edx,%edx
 	mov $(-EFAULT),%_ASM_AX
+	ASM_CLAC
 	ret
 	CFI_ENDPROC
 END(bad_get_user)
@@ -15,6 +15,7 @@
 #include <asm/thread_info.h>
 #include <asm/errno.h>
 #include <asm/asm.h>
+#include <asm/smap.h>
  
  
 /*
@@ -31,7 +32,8 @@
  
 #define ENTER	CFI_STARTPROC ; \
 		GET_THREAD_INFO(%_ASM_BX)
-#define EXIT	ret ; \
+#define EXIT	ASM_CLAC ;	\
+		ret ;		\
 		CFI_ENDPROC
  
 .text
@@ -39,6 +41,7 @@
 	ENTER
 	cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
 	jae bad_put_user
+	ASM_STAC
 1:	movb %al,(%_ASM_CX)
 	xor %eax,%eax
 	EXIT
@@ -50,6 +53,7 @@
 	sub $1,%_ASM_BX
 	cmp %_ASM_BX,%_ASM_CX
 	jae bad_put_user
+	ASM_STAC
 2:	movw %ax,(%_ASM_CX)
 	xor %eax,%eax
 	EXIT
@@ -61,6 +65,7 @@
 	sub $3,%_ASM_BX
 	cmp %_ASM_BX,%_ASM_CX
 	jae bad_put_user
+	ASM_STAC
 3:	movl %eax,(%_ASM_CX)
 	xor %eax,%eax
 	EXIT
@@ -72,6 +77,7 @@
 	sub $7,%_ASM_BX
 	cmp %_ASM_BX,%_ASM_CX
 	jae bad_put_user
+	ASM_STAC
 4:	mov %_ASM_AX,(%_ASM_CX)
 #ifdef CONFIG_X86_32
 5:	movl %edx,4(%_ASM_CX)
@@ -42,10 +42,11 @@
 	int __d0;							\
 	might_fault();							\
 	__asm__ __volatile__(						\
+		ASM_STAC "\n"						\
 		"0:	rep; stosl\n"					\
 		"	movl %2,%0\n"					\
 		"1:	rep; stosb\n"					\
-		"2:\n"							\
+		"2: " ASM_CLAC "\n"					\
 		".section .fixup,\"ax\"\n"				\
 		"3:	lea 0(%2,%0,4),%0\n"				\
 		"	jmp 2b\n"					\
  
@@ -626,10 +627,12 @@
 		return n;
 	}
 #endif
+	stac();
 	if (movsl_is_ok(to, from, n))
 		__copy_user(to, from, n);
 	else
 		n = __copy_user_intel(to, from, n);
+	clac();
 	return n;
 }
 EXPORT_SYMBOL(__copy_to_user_ll);
  
@@ -637,10 +640,12 @@
 unsigned long __copy_from_user_ll(void *to, const void __user *from,
 					unsigned long n)
 {
+	stac();
 	if (movsl_is_ok(to, from, n))
 		__copy_user_zeroing(to, from, n);
 	else
 		n = __copy_user_zeroing_intel(to, from, n);
+	clac();
 	return n;
 }
 EXPORT_SYMBOL(__copy_from_user_ll);
  
@@ -648,11 +653,13 @@
 unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
 					 unsigned long n)
 {
+	stac();
 	if (movsl_is_ok(to, from, n))
 		__copy_user(to, from, n);
 	else
 		n = __copy_user_intel((void __user *)to,
 				      (const void *)from, n);
+	clac();
 	return n;
 }
 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
@@ -660,6 +667,7 @@
 unsigned long __copy_from_user_ll_nocache(void *to, const void __user *from,
 					unsigned long n)
 {
+	stac();
 #ifdef CONFIG_X86_INTEL_USERCOPY
 	if (n > 64 && cpu_has_xmm2)
 		n = __copy_user_zeroing_intel_nocache(to, from, n);
@@ -668,6 +676,7 @@
 #else
 	__copy_user_zeroing(to, from, n);
 #endif
+	clac();
 	return n;
 }
 EXPORT_SYMBOL(__copy_from_user_ll_nocache);
@@ -675,6 +684,7 @@
 unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *from,
 					unsigned long n)
 {
+	stac();
 #ifdef CONFIG_X86_INTEL_USERCOPY
 	if (n > 64 && cpu_has_xmm2)
 		n = __copy_user_intel_nocache(to, from, n);
@@ -683,6 +693,7 @@
 #else
 	__copy_user(to, from, n);
 #endif
+	clac();
 	return n;
 }
 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
@@ -18,6 +18,7 @@
 	might_fault();
 	/* no memory constraint because it doesn't change any memory gcc knows
 	   about */
+	stac();
 	asm volatile(
 		"	testq  %[size8],%[size8]\n"
 		"	jz     4f\n"
@@ -40,6 +41,7 @@
 		: [size8] "=&c"(size), [dst] "=&D" (__d0)
 		: [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr),
 		  [zero] "r" (0UL), [eight] "r" (8UL));
+	clac();
 	return size;
 }
 EXPORT_SYMBOL(__clear_user);
@@ -82,6 +84,7 @@
 	for (c = 0, zero_len = len; zerorest && zero_len; --zero_len)
 		if (__put_user_nocheck(c, to++, sizeof(char)))
 			break;
+	clac();
 	return len;
 }
@@ -996,6 +996,17 @@
 	return address >= TASK_SIZE_MAX;
 }
  
+static inline bool smap_violation(int error_code, struct pt_regs *regs)
+{
+	if (error_code & PF_USER)
+		return false;
+
+	if (!user_mode_vm(regs) && (regs->flags & X86_EFLAGS_AC))
+		return false;
+
+	return true;
+}
+
 /*
  * This routine handles page faults.  It determines the address,
  * and the problem, and then passes it off to one of the appropriate
@@ -1088,6 +1099,13 @@
  
 	if (unlikely(error_code & PF_RSVD))
 		pgtable_bad(regs, error_code, address);
+
+	if (static_cpu_has(X86_FEATURE_SMAP)) {
+		if (unlikely(smap_violation(error_code, regs))) {
+			bad_area_nosemaphore(regs, error_code, address);
+			return;
+		}
+	}
  
 	perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
  
@@ -709,7 +709,7 @@
   "Checking if this processor honours the WP bit even in supervisor mode...");
  
 	/* Any page-aligned address will do, the test is non-destructive */
-	__set_fixmap(FIX_WP_TEST, __pa(&swapper_pg_dir), PAGE_READONLY);
+	__set_fixmap(FIX_WP_TEST, __pa(&swapper_pg_dir), PAGE_KERNEL_RO);
 	boot_cpu_data.wp_works_ok = do_test_wp_bit();
 	clear_fixmap(FIX_WP_TEST);
  
@@ -36,6 +36,8 @@
  
 /* Wakeup behavior bits */
 #define WAKEUP_BEHAVIOR_RESTORE_MISC_ENABLE     0
+#define WAKEUP_BEHAVIOR_RESTORE_CR4		1
+#define WAKEUP_BEHAVIOR_RESTORE_EFER		2
  
 #endif /* ARCH_X86_KERNEL_ACPI_RM_WAKEUP_H */
@@ -74,9 +74,18 @@
  
 	lidtl	wakeup_idt
  
-	/* Clear the EFLAGS */
-	pushl	$0
+	/* Clear the EFLAGS but remember if we have EFLAGS.ID */
+	movl $X86_EFLAGS_ID, %ecx
+	pushl %ecx
 	popfl
+	pushfl
+	popl %edi
+	pushl $0
+	popfl
+	pushfl
+	popl %edx
+	xorl %edx, %edi
+	andl %ecx, %edi		/* %edi is zero iff CPUID & %cr4 are missing */
  
 	/* Check header signature... */
 	movl	signature, %eax
@@ -93,8 +102,8 @@
  
 	/* Restore MISC_ENABLE before entering protected mode, in case
 	   BIOS decided to clear XD_DISABLE during S3. */
-	movl	pmode_behavior, %eax
-	btl	$WAKEUP_BEHAVIOR_RESTORE_MISC_ENABLE, %eax
+	movl	pmode_behavior, %edi
+	btl	$WAKEUP_BEHAVIOR_RESTORE_MISC_ENABLE, %edi
 	jnc	1f
  
 	movl	pmode_misc_en, %eax
  
  
@@ -110,15 +119,15 @@
 	movl	pmode_cr3, %eax
 	movl	%eax, %cr3
  
-	movl	pmode_cr4, %ecx
-	jecxz	1f
-	movl	%ecx, %cr4
+	btl	$WAKEUP_BEHAVIOR_RESTORE_CR4, %edi
+	jz	1f
+	movl	pmode_cr4, %eax
+	movl	%eax, %cr4
 1:
+	btl	$WAKEUP_BEHAVIOR_RESTORE_EFER, %edi
+	jz	1f
 	movl	pmode_efer, %eax
 	movl	pmode_efer + 4, %edx
-	movl	%eax, %ecx
-	orl	%edx, %ecx
-	jz	1f
 	movl	$MSR_EFER, %ecx
 	wrmsr
 1:
...	...	@@ -1812,8 +1812,12 @@
1812	1812	noexec=on: enable non-executable mappings (default)
1813	1813	noexec=off: disable non-executable mappings
1814	1814
	1815	+ nosmap [X86]
	1816	+ Disable SMAP (Supervisor Mode Access Prevention)
	1817	+ even if it is supported by processor.
	1818	+
1815	1819	nosmep [X86]
1816		- Disable SMEP (Supervisor Mode Execution Protection)
	1820	+ Disable SMEP (Supervisor Mode Execution Prevention)
1817	1821	even if it is supported by processor.
1818	1822
1819	1823	noexec32 [X86-64]
...	...	@@ -1493,6 +1493,17 @@
1493	1493	If supported, this is a high bandwidth, cryptographically
1494	1494	secure hardware random number generator.
1495	1495
	1496	+config X86_SMAP
	1497	+ def_bool y
	1498	+ prompt "Supervisor Mode Access Prevention" if EXPERT
	1499	+ ---help---
	1500	+ Supervisor Mode Access Prevention (SMAP) is a security
	1501	+ feature in newer Intel processors. There is a small
	1502	+ performance cost if this enabled and turned on; there is
	1503	+ also a small increase in the kernel size if this is enabled.
	1504	+
	1505	+ If unsure, say Y.
	1506	+
1496	1507	config EFI
1497	1508	bool "EFI runtime service support"
1498	1509	depends on ACPI
...	...	@@ -32,6 +32,7 @@
32	32	#include <asm/sigframe.h>
33	33	#include <asm/sighandling.h>
34	34	#include <asm/sys_ia32.h>
	35	+#include <asm/smap.h>
35	36
36	37	#define FIX_EFLAGS __FIX_EFLAGS
37	38
38	39
...	...	@@ -251,11 +252,12 @@
251	252
252	253	get_user_ex(tmp, &sc->fpstate);
253	254	buf = compat_ptr(tmp);
254		- err \|= restore_xstate_sig(buf, 1);
255	255
256	256	get_user_ex(*pax, &sc->ax);
257	257	} get_user_catch(err);
258	258
	259	+ err \|= restore_xstate_sig(buf, 1);
	260	+
259	261	return err;
260	262	}
261	263
...	...	@@ -506,7 +508,6 @@
506	508	put_user_ex(sig, &frame->sig);
507	509	put_user_ex(ptr_to_compat(&frame->info), &frame->pinfo);
508	510	put_user_ex(ptr_to_compat(&frame->uc), &frame->puc);
509		- err \|= copy_siginfo_to_user32(&frame->info, info);
510	511
511	512	/* Create the ucontext. */
512	513	if (cpu_has_xsave)
...	...	@@ -518,9 +519,6 @@
518	519	put_user_ex(sas_ss_flags(regs->sp),
519	520	&frame->uc.uc_stack.ss_flags);
520	521	put_user_ex(current->sas_ss_size, &frame->uc.uc_stack.ss_size);
521		- err \|= ia32_setup_sigcontext(&frame->uc.uc_mcontext, fpstate,
522		- regs, set->sig[0]);
523		- err \|= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
524	522
525	523	if (ka->sa.sa_flags & SA_RESTORER)
526	524	restorer = ka->sa.sa_restorer;
...	...	@@ -535,6 +533,11 @@
535	533	*/
536	534	put_user_ex(((u64 )&code), (u64 __user *)frame->retcode);
537	535	} put_user_catch(err);
	536	+
	537	+ err \|= copy_siginfo_to_user32(&frame->info, info);
	538	+ err \|= ia32_setup_sigcontext(&frame->uc.uc_mcontext, fpstate,
	539	+ regs, set->sig[0]);
	540	+ err \|= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
538	541
539	542	if (err)
540	543	return -EFAULT;
...	...	@@ -14,6 +14,7 @@
14	14	#include <asm/segment.h>
15	15	#include <asm/irqflags.h>
16	16	#include <asm/asm.h>
	17	+#include <asm/smap.h>
17	18	#include <linux/linkage.h>
18	19	#include <linux/err.h>
19	20
20	21
...	...	@@ -146,8 +147,10 @@
146	147	SAVE_ARGS 0,1,0
147	148	/* no need to do an access_ok check here because rbp has been
148	149	32bit zero extended */
	150	+ ASM_STAC
149	151	1: movl (%rbp),%ebp
150	152	_ASM_EXTABLE(1b,ia32_badarg)
	153	+ ASM_CLAC
151	154	orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
152	155	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
153	156	CFI_REMEMBER_STATE
154	157
...	...	@@ -301,8 +304,10 @@
301	304	/* no need to do an access_ok check here because r8 has been
302	305	32bit zero extended */
303	306	/* hardware stack frame is complete now */
	307	+ ASM_STAC
304	308	1: movl (%r8),%r9d
305	309	_ASM_EXTABLE(1b,ia32_badarg)
	310	+ ASM_CLAC
306	311	orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
307	312	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
308	313	CFI_REMEMBER_STATE
...	...	@@ -365,6 +370,7 @@
365	370	END(ia32_cstar_target)
366	371
367	372	ia32_badarg:
	373	+ ASM_CLAC
368	374	movq $-EFAULT,%rax
369	375	jmp ia32_sysret
370	376	CFI_ENDPROC
	1	+#ifndef _ASM_X86_ALTERNATIVE_ASM_H
	2	+#define _ASM_X86_ALTERNATIVE_ASM_H
	3	+
1	4	#ifdef __ASSEMBLY__
2	5
3	6	#include <asm/asm.h>
4	7
...	...	@@ -5,10 +8,10 @@
5	8	#ifdef CONFIG_SMP
6	9	.macro LOCK_PREFIX
7	10	672: lock
8		- .section .smp_locks,"a"
	11	+ .pushsection .smp_locks,"a"
9	12	.balign 4
10	13	.long 672b - .
11		- .previous
	14	+ .popsection
12	15	.endm
13	16	#else
14	17	.macro LOCK_PREFIX
...	...	@@ -24,4 +27,6 @@
24	27	.endm
25	28
26	29	#endif /* __ASSEMBLY__ */
	30	+
	31	+#endif /* _ASM_X86_ALTERNATIVE_ASM_H */
...	...	@@ -29,10 +29,10 @@
29	29
30	30	#ifdef CONFIG_SMP
31	31	#define LOCK_PREFIX_HERE \
32		- ".section .smp_locks,\"a\"\n" \
33		- ".balign 4\n" \
34		- ".long 671f - .\n" /* offset */ \
35		- ".previous\n" \
	32	+ ".pushsection .smp_locks,\"a\"\n" \
	33	+ ".balign 4\n" \
	34	+ ".long 671f - .\n" /* offset */ \
	35	+ ".popsection\n" \
36	36	"671:"
37	37
38	38	#define LOCK_PREFIX LOCK_PREFIX_HERE "\n\tlock; "
39	39
40	40
41	41
42	42
43	43
44	44
45	45
...	...	@@ -99,30 +99,30 @@
99	99	/* alternative assembly primitive: */
100	100	#define ALTERNATIVE(oldinstr, newinstr, feature) \
101	101	OLDINSTR(oldinstr) \
102		- ".section .altinstructions,\"a\"\n" \
	102	+ ".pushsection .altinstructions,\"a\"\n" \
103	103	ALTINSTR_ENTRY(feature, 1) \
104		- ".previous\n" \
105		- ".section .discard,\"aw\",@progbits\n" \
	104	+ ".popsection\n" \
	105	+ ".pushsection .discard,\"aw\",@progbits\n" \
106	106	DISCARD_ENTRY(1) \
107		- ".previous\n" \
108		- ".section .altinstr_replacement, \"ax\"\n" \
	107	+ ".popsection\n" \
	108	+ ".pushsection .altinstr_replacement, \"ax\"\n" \
109	109	ALTINSTR_REPLACEMENT(newinstr, feature, 1) \
110		- ".previous"
	110	+ ".popsection"
111	111
112	112	#define ALTERNATIVE_2(oldinstr, newinstr1, feature1, newinstr2, feature2)\
113	113	OLDINSTR(oldinstr) \
114		- ".section .altinstructions,\"a\"\n" \
	114	+ ".pushsection .altinstructions,\"a\"\n" \
115	115	ALTINSTR_ENTRY(feature1, 1) \
116	116	ALTINSTR_ENTRY(feature2, 2) \
117		- ".previous\n" \
118		- ".section .discard,\"aw\",@progbits\n" \
	117	+ ".popsection\n" \
	118	+ ".pushsection .discard,\"aw\",@progbits\n" \
119	119	DISCARD_ENTRY(1) \
120	120	DISCARD_ENTRY(2) \
121		- ".previous\n" \
122		- ".section .altinstr_replacement, \"ax\"\n" \
	121	+ ".popsection\n" \
	122	+ ".pushsection .altinstr_replacement, \"ax\"\n" \
123	123	ALTINSTR_REPLACEMENT(newinstr1, feature1, 1) \
124	124	ALTINSTR_REPLACEMENT(newinstr2, feature2, 2) \
125		- ".previous"
	125	+ ".popsection"
126	126
127	127	/*
128	128	* This must be included after the definition of ALTERNATIVE due to
...	...	@@ -21,6 +21,7 @@
21	21	#include <asm/user.h>
22	22	#include <asm/uaccess.h>
23	23	#include <asm/xsave.h>
	24	+#include <asm/smap.h>
24	25
25	26	#ifdef CONFIG_X86_64
26	27	# include <asm/sigcontext32.h>
...	...	@@ -121,6 +122,22 @@
121	122	__sanitize_i387_state(tsk);
122	123	}
123	124
	125	+#define user_insn(insn, output, input...) \
	126	+({ \
	127	+ int err; \
	128	+ asm volatile(ASM_STAC "\n" \
	129	+ "1:" #insn "\n\t" \
	130	+ "2: " ASM_CLAC "\n" \
	131	+ ".section .fixup,\"ax\"\n" \
	132	+ "3: movl $-1,%[err]\n" \
	133	+ " jmp 2b\n" \
	134	+ ".previous\n" \
	135	+ _ASM_EXTABLE(1b, 3b) \
	136	+ : [err] "=r" (err), output \
	137	+ : "0"(0), input); \
	138	+ err; \
	139	+})
	140	+
124	141	#define check_insn(insn, output, input...) \
125	142	({ \
126	143	int err; \
127	144
128	145
129	146
...	...	@@ -138,18 +155,18 @@
138	155
139	156	static inline int fsave_user(struct i387_fsave_struct __user *fx)
140	157	{
141		- return check_insn(fnsave %[fx]; fwait, [fx] "=m" (fx), "m" (fx));
	158	+ return user_insn(fnsave %[fx]; fwait, [fx] "=m" (fx), "m" (fx));
142	159	}
143	160
144	161	static inline int fxsave_user(struct i387_fxsave_struct __user *fx)
145	162	{
146	163	if (config_enabled(CONFIG_X86_32))
147		- return check_insn(fxsave %[fx], [fx] "=m" (fx), "m" (fx));
	164	+ return user_insn(fxsave %[fx], [fx] "=m" (fx), "m" (fx));
148	165	else if (config_enabled(CONFIG_AS_FXSAVEQ))
149		- return check_insn(fxsaveq %[fx], [fx] "=m" (fx), "m" (fx));
	166	+ return user_insn(fxsaveq %[fx], [fx] "=m" (fx), "m" (fx));
150	167
151	168	/* See comment in fpu_fxsave() below. */
152		- return check_insn(rex64/fxsave (%[fx]), "=m" (*fx), [fx] "R" (fx));
	169	+ return user_insn(rex64/fxsave (%[fx]), "=m" (*fx), [fx] "R" (fx));
153	170	}
154	171
155	172	static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
156	173
...	...	@@ -164,9 +181,26 @@
164	181	"m" (*fx));
165	182	}
166	183
	184	+static inline int fxrstor_user(struct i387_fxsave_struct __user *fx)
	185	+{
	186	+ if (config_enabled(CONFIG_X86_32))
	187	+ return user_insn(fxrstor %[fx], "=m" (fx), [fx] "m" (fx));
	188	+ else if (config_enabled(CONFIG_AS_FXSAVEQ))
	189	+ return user_insn(fxrstorq %[fx], "=m" (fx), [fx] "m" (fx));
	190	+
	191	+ /* See comment in fpu_fxsave() below. */
	192	+ return user_insn(rex64/fxrstor (%[fx]), "=m" (*fx), [fx] "R" (fx),
	193	+ "m" (*fx));
	194	+}
	195	+
167	196	static inline int frstor_checking(struct i387_fsave_struct *fx)
168	197	{
169	198	return check_insn(frstor %[fx], "=m" (fx), [fx] "m" (fx));
	199	+}
	200	+
	201	+static inline int frstor_user(struct i387_fsave_struct __user *fx)
	202	+{
	203	+ return user_insn(frstor %[fx], "=m" (fx), [fx] "m" (fx));
170	204	}
171	205
172	206	static inline void fpu_fxsave(struct fpu *fpu)
...	...	@@ -9,10 +9,13 @@
9	9	#include <asm/asm.h>
10	10	#include <asm/errno.h>
11	11	#include <asm/processor.h>
	12	+#include <asm/smap.h>
12	13
13	14	#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
14		- asm volatile("1:\t" insn "\n" \
15		- "2:\t.section .fixup,\"ax\"\n" \
	15	+ asm volatile("\t" ASM_STAC "\n" \
	16	+ "1:\t" insn "\n" \
	17	+ "2:\t" ASM_CLAC "\n" \
	18	+ "\t.section .fixup,\"ax\"\n" \
16	19	"3:\tmov\t%3, %1\n" \
17	20	"\tjmp\t2b\n" \
18	21	"\t.previous\n" \
19	22
...	...	@@ -21,12 +24,14 @@
21	24	: "i" (-EFAULT), "0" (oparg), "1" (0))
22	25
23	26	#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
24		- asm volatile("1:\tmovl %2, %0\n" \
	27	+ asm volatile("\t" ASM_STAC "\n" \
	28	+ "1:\tmovl %2, %0\n" \
25	29	"\tmovl\t%0, %3\n" \
26	30	"\t" insn "\n" \
27	31	"2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" \
28	32	"\tjnz\t1b\n" \
29		- "3:\t.section .fixup,\"ax\"\n" \
	33	+ "3:\t" ASM_CLAC "\n" \
	34	+ "\t.section .fixup,\"ax\"\n" \
30	35	"4:\tmov\t%5, %1\n" \
31	36	"\tjmp\t3b\n" \
32	37	"\t.previous\n" \
...	...	@@ -122,8 +127,10 @@
122	127	if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
123	128	return -EFAULT;
124	129
125		- asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
126		- "2:\t.section .fixup, \"ax\"\n"
	130	+ asm volatile("\t" ASM_STAC "\n"
	131	+ "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
	132	+ "2:\t" ASM_CLAC "\n"
	133	+ "\t.section .fixup, \"ax\"\n"
127	134	"3:\tmov %3, %0\n"
128	135	"\tjmp 2b\n"
129	136	"\t.previous\n"
...	...	@@ -65,6 +65,7 @@
65	65	#define X86_CR4_PCIDE 0x00020000 /* enable PCID support */
66	66	#define X86_CR4_OSXSAVE 0x00040000 /* enable xsave and xrestore */
67	67	#define X86_CR4_SMEP 0x00100000 /* enable SMEP support */
	68	+#define X86_CR4_SMAP 0x00200000 /* enable SMAP support */
68	69
69	70	/*
70	71	* x86-64 Task Priority Register, CR8
	1	+/*
	2	+ * Supervisor Mode Access Prevention support
	3	+ *
	4	+ * Copyright (C) 2012 Intel Corporation
	5	+ * Author: H. Peter Anvin <hpa@linux.intel.com>
	6	+ *
	7	+ * This program is free software; you can redistribute it and/or
	8	+ * modify it under the terms of the GNU General Public License
	9	+ * as published by the Free Software Foundation; version 2
	10	+ * of the License.
	11	+ */
	12	+
	13	+#ifndef _ASM_X86_SMAP_H
	14	+#define _ASM_X86_SMAP_H
	15	+
	16	+#include <linux/stringify.h>
	17	+#include <asm/nops.h>
	18	+#include <asm/cpufeature.h>
	19	+
	20	+/* "Raw" instruction opcodes */
	21	+#define __ASM_CLAC .byte 0x0f,0x01,0xca
	22	+#define __ASM_STAC .byte 0x0f,0x01,0xcb
	23	+
	24	+#ifdef __ASSEMBLY__
	25	+
	26	+#include <asm/alternative-asm.h>
	27	+
	28	+#ifdef CONFIG_X86_SMAP
	29	+
	30	+#define ASM_CLAC \
	31	+ 661: ASM_NOP3 ; \
	32	+ .pushsection .altinstr_replacement, "ax" ; \
	33	+ 662: __ASM_CLAC ; \
	34	+ .popsection ; \
	35	+ .pushsection .altinstructions, "a" ; \
	36	+ altinstruction_entry 661b, 662b, X86_FEATURE_SMAP, 3, 3 ; \
	37	+ .popsection
	38	+
	39	+#define ASM_STAC \
	40	+ 661: ASM_NOP3 ; \
	41	+ .pushsection .altinstr_replacement, "ax" ; \
	42	+ 662: __ASM_STAC ; \
	43	+ .popsection ; \
	44	+ .pushsection .altinstructions, "a" ; \
	45	+ altinstruction_entry 661b, 662b, X86_FEATURE_SMAP, 3, 3 ; \
	46	+ .popsection
	47	+
	48	+#else /* CONFIG_X86_SMAP */
	49	+
	50	+#define ASM_CLAC
	51	+#define ASM_STAC
	52	+
	53	+#endif /* CONFIG_X86_SMAP */
	54	+
	55	+#else /* __ASSEMBLY__ */
	56	+
	57	+#include <asm/alternative.h>
	58	+
	59	+#ifdef CONFIG_X86_SMAP
	60	+
	61	+static __always_inline void clac(void)
	62	+{
	63	+ /* Note: a barrier is implicit in alternative() */
	64	+ alternative(ASM_NOP3, __stringify(__ASM_CLAC), X86_FEATURE_SMAP);
	65	+}
	66	+
	67	+static __always_inline void stac(void)
	68	+{
	69	+ /* Note: a barrier is implicit in alternative() */
	70	+ alternative(ASM_NOP3, __stringify(__ASM_STAC), X86_FEATURE_SMAP);
	71	+}
	72	+
	73	+/* These macros can be used in asm() statements */
	74	+#define ASM_CLAC \
	75	+ ALTERNATIVE(ASM_NOP3, __stringify(__ASM_CLAC), X86_FEATURE_SMAP)
	76	+#define ASM_STAC \
	77	+ ALTERNATIVE(ASM_NOP3, __stringify(__ASM_STAC), X86_FEATURE_SMAP)
	78	+
	79	+#else /* CONFIG_X86_SMAP */
	80	+
	81	+static inline void clac(void) { }
	82	+static inline void stac(void) { }
	83	+
	84	+#define ASM_CLAC
	85	+#define ASM_STAC
	86	+
	87	+#endif /* CONFIG_X86_SMAP */
	88	+
	89	+#endif /* __ASSEMBLY__ */
	90	+
	91	+#endif /* _ASM_X86_SMAP_H */