On Sun, Feb 09, 2020 at 06:17:47PM -0800, Anthony Steinhauser wrote:
> In the current implementation of the TAA mitigation if the cpuid_level
> is 6 and it's an Intel CPU, the sefflags_edx variable is used without
> being initialized. If the SEFF0EDX_ARCH_CAP bit is accidentally flipped
> in it, the rdmsr on the unimplemented MSR_ARCH_CAPABILITIES index leads
> to a #GP fault.
>
> This change initializes the sefflags_edx variable to 0 which is
> consistent with the MSR_ARCH_CAPABILITIES being unavailable.
> ---
> sys/arch/amd64/amd64/cpu.c | 2 +-
> sys/arch/i386/i386/cpu.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sys/arch/amd64/amd64/cpu.c b/sys/arch/amd64/amd64/cpu.c
> index 48ab6b5e7f3..f9beff0d5e3 100644
> --- a/sys/arch/amd64/amd64/cpu.c
> +++ b/sys/arch/amd64/amd64/cpu.c
> @@ -1164,7 +1164,7 @@ void
> cpu_tsx_disable(struct cpu_info *ci)
> {
> uint64_t msr;
> - uint32_t dummy, sefflags_edx;
> + uint32_t dummy, sefflags_edx = 0;
>
> /* this runs before identifycpu() populates ci_feature_sefflags_edx */
> if (cpuid_level >= 0x07)
> diff --git a/sys/arch/i386/i386/cpu.c b/sys/arch/i386/i386/cpu.c
> index b31a431c594..76f1b65bede 100644
> --- a/sys/arch/i386/i386/cpu.c
> +++ b/sys/arch/i386/i386/cpu.c
> @@ -473,7 +473,7 @@ void
> cpu_tsx_disable(struct cpu_info *ci)
> {
> uint64_t msr;
> - uint32_t dummy, sefflags_edx;
> + uint32_t dummy, sefflags_edx = 0;
>
> /* this runs before identifycpu() populates ci_feature_sefflags_edx */
> if (cpuid_level >= 0x07)
> --
> 2.25.0.341.g760bfbb309-goog
>
Probably safer to use rdmsr_safe for this sort of thing also.
-ml
