€•c>Œsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œ translations”Œ LanguagesNode”“”)”}”(hhh]”(hŒ pending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ8/translations/zh_CN/admin-guide/hw-vuln/cross-thread-rsb”Œmodname”NŒ classname”NŒ refexplicit”ˆuŒtagname”hhh ubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ8/translations/zh_TW/admin-guide/hw-vuln/cross-thread-rsb”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ8/translations/it_IT/admin-guide/hw-vuln/cross-thread-rsb”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ8/translations/ja_JP/admin-guide/hw-vuln/cross-thread-rsb”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ8/translations/ko_KR/admin-guide/hw-vuln/cross-thread-rsb”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ8/translations/pt_BR/admin-guide/hw-vuln/cross-thread-rsb”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ8/translations/sp_SP/admin-guide/hw-vuln/cross-thread-rsb”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh·sbah}”(h]”h ]”h"]”h$]”h&]”Œ xml:space”Œpreserve”uh1hµhhh²hh³ŒR/var/lib/git/docbuild/linux/Documentation/admin-guide/hw-vuln/cross-thread-rsb.rst”h´KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ'Cross-Thread Return Address Predictions”h]”hŒ'Cross-Thread Return Address Predictions”…””}”(hhÏh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhÊh²hh³hÇh´KubhŒ paragraph”“”)”}”(hX'Certain AMD and Hygon processors are subject to a cross-thread return address predictions vulnerability. When running in SMT mode and one sibling thread transitions out of C0 state, the other sibling thread could use return target predictions from the sibling thread that transitioned out of C0.”h]”hX'Certain AMD and Hygon processors are subject to a cross-thread return address predictions vulnerability. When running in SMT mode and one sibling thread transitions out of C0 state, the other sibling thread could use return target predictions from the sibling thread that transitioned out of C0.”…””}”(hhßh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhÊh²hubhÞ)”}”(hXYThe Spectre v2 mitigations protect the Linux kernel, as it fills the return address prediction entries with safe targets when context switching to the idle thread. However, KVM does allow a VMM to prevent exiting guest mode when transitioning out of C0. This could result in a guest-controlled return target being consumed by the sibling thread.”h]”hXYThe Spectre v2 mitigations protect the Linux kernel, as it fills the return address prediction entries with safe targets when context switching to the idle thread. However, KVM does allow a VMM to prevent exiting guest mode when transitioning out of C0. This could result in a guest-controlled return target being consumed by the sibling thread.”…””}”(hhíh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K hhÊh²hubhÉ)”}”(hhh]”(hÎ)”}”(hŒAffected processors”h]”hŒAffected processors”…””}”(hhþh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhûh²hh³hÇh´KubhÞ)”}”(hŒ"The following CPUs are vulnerable:”h]”hŒ"The following CPUs are vulnerable:”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khhûh²hubhŒ block_quote”“”)”}”(hŒ:- AMD Family 17h processors - Hygon Family 18h processors ”h]”hŒ bullet_list”“”)”}”(hhh]”(hŒ list_item”“”)”}”(hŒAMD Family 17h processors”h]”hÞ)”}”(hj)h]”hŒAMD Family 17h processors”…””}”(hj+h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khj'ubah}”(h]”h ]”h"]”h$]”h&]”uh1j%hj"ubj&)”}”(hŒHygon Family 18h processors ”h]”hÞ)”}”(hŒHygon Family 18h processors”h]”hŒHygon Family 18h processors”…””}”(hjBh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khj>ubah}”(h]”h ]”h"]”h$]”h&]”uh1j%hj"ubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1j h³hÇh´Khjubah}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÇh´Khhûh²hubeh}”(h]”Œaffected-processors”ah ]”h"]”Œaffected processors”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KubhÉ)”}”(hhh]”(hÎ)”}”(hŒ Related CVEs”h]”hŒ Related CVEs”…””}”(hjoh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjlh²hh³hÇh´KubhÞ)”}”(hŒ1The following CVE entry is related to this issue:”h]”hŒ1The following CVE entry is related to this issue:”…””}”(hj}h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khjlh²hubj)”}”(hŒ¨============== ======================================= CVE-2022-27672 Cross-Thread Return Address Predictions ============== ======================================= ”h]”hŒtable”“”)”}”(hhh]”hŒtgroup”“”)”}”(hhh]”(hŒcolspec”“”)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j™hj–ubjš)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K'uh1j™hj–ubhŒtbody”“”)”}”(hhh]”hŒrow”“”)”}”(hhh]”(hŒentry”“”)”}”(hhh]”hÞ)”}”(hŒCVE-2022-27672”h]”hŒCVE-2022-27672”…””}”(hj¾h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K hj»ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¹hj¶ubjº)”}”(hhh]”hÞ)”}”(hŒ'Cross-Thread Return Address Predictions”h]”hŒ'Cross-Thread Return Address Predictions”…””}”(hjÕh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K hjÒubah}”(h]”h ]”h"]”h$]”h&]”uh1j¹hj¶ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j´hj±ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¯hj–ubeh}”(h]”h ]”h"]”h$]”h&]”Œcols”Kuh1j”hj‘ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj‹ubah}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÇh´Khjlh²hubeh}”(h]”Œ related-cves”ah ]”h"]”Œ related cves”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KubhÉ)”}”(hhh]”(hÎ)”}”(hŒProblem”h]”hŒProblem”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjh²hh³hÇh´K$ubhÞ)”}”(hXùAffected SMT-capable processors support 1T and 2T modes of execution when SMT is enabled. In 2T mode, both threads in a core are executing code. For the processor core to enter 1T mode, it is required that one of the threads requests to transition out of the C0 state. This can be communicated with the HLT instruction or with an MWAIT instruction that requests non-C0. When the thread re-enters the C0 state, the processor transitions back to 2T mode, assuming the other thread is also still in C0 state.”h]”hXùAffected SMT-capable processors support 1T and 2T modes of execution when SMT is enabled. In 2T mode, both threads in a core are executing code. For the processor core to enter 1T mode, it is required that one of the threads requests to transition out of the C0 state. This can be communicated with the HLT instruction or with an MWAIT instruction that requests non-C0. When the thread re-enters the C0 state, the processor transitions back to 2T mode, assuming the other thread is also still in C0 state.”…””}”(hj!h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K&hjh²hubhÞ)”}”(hXIn affected processors, the return address predictor (RAP) is partitioned depending on the SMT mode. For instance, in 2T mode each thread uses a private 16-entry RAP, but in 1T mode, the active thread uses a 32-entry RAP. Upon transition between 1T/2T mode, the RAP contents are not modified but the RAP pointers (which control the next return target to use for predictions) may change. This behavior may result in return targets from one SMT thread being used by RET predictions in the sibling thread following a 1T/2T switch. In particular, a RET instruction executed immediately after a transition to 1T may use a return target from the thread that just became idle. In theory, this could lead to information disclosure if the return targets used do not come from trustworthy code.”h]”hXIn affected processors, the return address predictor (RAP) is partitioned depending on the SMT mode. For instance, in 2T mode each thread uses a private 16-entry RAP, but in 1T mode, the active thread uses a 32-entry RAP. Upon transition between 1T/2T mode, the RAP contents are not modified but the RAP pointers (which control the next return target to use for predictions) may change. This behavior may result in return targets from one SMT thread being used by RET predictions in the sibling thread following a 1T/2T switch. In particular, a RET instruction executed immediately after a transition to 1T may use a return target from the thread that just became idle. In theory, this could lead to information disclosure if the return targets used do not come from trustworthy code.”…””}”(hj/h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K.hjh²hubeh}”(h]”Œproblem”ah ]”h"]”Œproblem”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K$ubhÉ)”}”(hhh]”(hÎ)”}”(hŒAttack scenarios”h]”hŒAttack scenarios”…””}”(hjHh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjEh²hh³hÇh´K;ubhÞ)”}”(hŒ¢An attack can be mounted on affected processors by performing a series of CALL instructions with targeted return locations and then transitioning out of C0 state.”h]”hŒ¢An attack can be mounted on affected processors by performing a series of CALL instructions with targeted return locations and then transitioning out of C0 state.”…””}”(hjVh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K=hjEh²hubeh}”(h]”Œattack-scenarios”ah ]”h"]”Œattack scenarios”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K;ubhÉ)”}”(hhh]”(hÎ)”}”(hŒMitigation mechanism”h]”hŒMitigation mechanism”…””}”(hjoh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjlh²hh³hÇh´KBubhÞ)”}”(hŒ×Before entering idle state, the kernel context switches to the idle thread. The context switch fills the RAP entries (referred to as the RSB in Linux) with safe targets by performing a sequence of CALL instructions.”h]”hŒ×Before entering idle state, the kernel context switches to the idle thread. The context switch fills the RAP entries (referred to as the RSB in Linux) with safe targets by performing a sequence of CALL instructions.”…””}”(hj}h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KDhjlh²hubhÞ)”}”(hŒuPrevent a guest VM from directly putting the processor into an idle state by intercepting HLT and MWAIT instructions.”h]”hŒuPrevent a guest VM from directly putting the processor into an idle state by intercepting HLT and MWAIT instructions.”…””}”(hj‹h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KHhjlh²hubhÞ)”}”(hŒ:Both mitigations are required to fully address this issue.”h]”hŒ:Both mitigations are required to fully address this issue.”…””}”(hj™h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KKhjlh²hubeh}”(h]”Œmitigation-mechanism”ah ]”h"]”Œmitigation mechanism”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KBubhÉ)”}”(hhh]”(hÎ)”}”(hŒ-Mitigation control on the kernel command line”h]”hŒ-Mitigation control on the kernel command line”…””}”(hj²h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj¯h²hh³hÇh´KNubhÞ)”}”(hŒMUse existing Spectre v2 mitigations that will fill the RSB on context switch.”h]”hŒMUse existing Spectre v2 mitigations that will fill the RSB on context switch.”…””}”(hjÀh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KPhj¯h²hubeh}”(h]”Œ-mitigation-control-on-the-kernel-command-line”ah ]”h"]”Œ-mitigation control on the kernel command line”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KNubhÉ)”}”(hhh]”(hÎ)”}”(hŒ-Mitigation control for KVM - module parameter”h]”hŒ-Mitigation control for KVM - module parameter”…””}”(hjÙh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjÖh²hh³hÇh´KSubhÞ)”}”(hX!By default, the KVM hypervisor mitigates this issue by intercepting guest attempts to transition out of C0. A VMM can use the KVM_CAP_X86_DISABLE_EXITS capability to override those interceptions, but since this is not common, the mitigation that covers this path is not enabled by default.”h]”hX!By default, the KVM hypervisor mitigates this issue by intercepting guest attempts to transition out of C0. A VMM can use the KVM_CAP_X86_DISABLE_EXITS capability to override those interceptions, but since this is not common, the mitigation that covers this path is not enabled by default.”…””}”(hjçh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KUhjÖh²hubhÞ)”}”(hŒ¢The mitigation for the KVM_CAP_X86_DISABLE_EXITS capability can be turned on using the boolean module parameter mitigate_smt_rsb, e.g. ``kvm.mitigate_smt_rsb=1``.”h]”(hŒ‡The mitigation for the KVM_CAP_X86_DISABLE_EXITS capability can be turned on using the boolean module parameter mitigate_smt_rsb, e.g. ”…””}”(hjõh²hh³Nh´NubhŒliteral”“”)”}”(hŒ``kvm.mitigate_smt_rsb=1``”h]”hŒkvm.mitigate_smt_rsb=1”…””}”(hjÿh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jýhjõubhŒ.”…””}”(hjõh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KZhjÖh²hubeh}”(h]”Œ+mitigation-control-for-kvm-module-parameter”ah ]”h"]”Œ-mitigation control for kvm - module parameter”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KSubeh}”(h]”Œ'cross-thread-return-address-predictions”ah ]”h"]”Œ'cross-thread return address predictions”ah$]”h&]”uh1hÈhhh²hh³hÇh´Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÇuh1hŒcurrent_source”NŒ current_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÍNŒ generator”NŒ datestamp”NŒ source_link”NŒ source_url”NŒ toc_backlinks”j¹Œfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒ report_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jIŒerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÇŒ _destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒ raw_enabled”KŒline_length_limit”M'Œpep_references”NŒ pep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒ rfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œ smart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(j$j!jijfj j jBj?jijfj¬j©jÓjÐjjuŒ nametypes”}”(j$‰ji‰j ‰jB‰ji‰j¬‰jÓ‰j‰uh}”(j!hÊjfhûj jlj?jjfjEj©jljÐj¯jjÖuŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œ collections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œ transformer”NŒ include_log”]”Œ decoration”Nh²hub.