.. SPDX-License-Identifier: GPL-2.0

Cross-Thread Return Address Predictions
=======================================

Certain AMD and Hygon processors are subject to a cross-thread return
address predictions vulnerability. When running in SMT mode and one
sibling thread transitions out of C0 state, the other sibling thread
could use return target predictions from the sibling thread that
transitioned out of C0.

The Spectre v2 mitigations protect the Linux kernel, as it fills the
return address prediction entries with safe targets when context switching
to the idle thread. However, KVM does allow a VMM to prevent exiting guest
mode when transitioning out of C0. This could result in a guest-controlled
return target being consumed by the sibling thread.

Affected processors
-------------------

The following CPUs are vulnerable:

    - AMD Family 17h processors
    - Hygon Family 18h processors

Related CVEs
------------

The following CVE entry is related to this issue:

   ==============   =======================================
   CVE-2022-27672   Cross-Thread Return Address Predictions
   ==============   =======================================

Problem
-------

Affected SMT-capable processors support 1T and 2T modes of execution when
SMT is enabled. In 2T mode, both threads in a core are executing code. For
the processor core to enter 1T mode, it is required that one of the
threads requests to transition out of the C0 state. This can be
communicated with the HLT instruction or with an MWAIT instruction that
requests non-C0. When the thread re-enters the C0 state, the processor
transitions back to 2T mode, assuming the other thread is also still in
C0 state.

In affected processors, the return address predictor (RAP) is partitioned
depending on the SMT mode. For instance, in 2T mode each thread uses a
private 16-entry RAP, but in 1T mode, the active thread uses a 32-entry RAP.
Upon transition between 1T/2T mode, the RAP contents are not modified but
the RAP pointers (which control the next return target to use for
predictions) may change. This behavior may result in return targets from
one SMT thread being used by RET predictions in the sibling thread
following a 1T/2T switch. In particular, a RET instruction executed
immediately after a transition to 1T may use a return target from the
thread that just became idle. In theory, this could lead to information
disclosure if the return targets used do not come from trustworthy code.

Attack scenarios
----------------

An attack can be mounted on affected processors by performing a series of
CALL instructions with targeted return locations and then transitioning
out of C0 state.

Mitigation mechanism
--------------------

Before entering idle state, the kernel context switches to the idle thread.
The context switch fills the RAP entries (referred to as the RSB in Linux)
with safe targets by performing a sequence of CALL instructions.

Prevent a guest VM from directly putting the processor into an idle state
by intercepting HLT and MWAIT instructions.

Both mitigations are required to fully address this issue.

Mitigation control on the kernel command line
---------------------------------------------

Use existing Spectre v2 mitigations that will fill the RSB on context
switch.

Mitigation control for KVM - module parameter
---------------------------------------------

By default, the KVM hypervisor mitigates this issue by intercepting guest
attempts to transition out of C0. A VMM can use the KVM_CAP_X86_DISABLE_EXITS
capability to override those interceptions, but since this is not common,
the mitigation that covers this path is not enabled by default.

The mitigation for the KVM_CAP_X86_DISABLE_EXITS capability can be turned
on using the boolean module parameter mitigate_smt_rsb, e.g.
``kvm.mitigate_smt_rsb=1``.