amd64: prevents speculations over swapgs reload of %gs base.
Such speculations could use user-controlled %gs base, esp. since
FreeBSD supports WRGSBASE instructions.
Place LFENCEs on entry for each basic block after the test for
previous kernel/user mode on the kernel entry, which prevents the
speculation. Code accesses %gs-based PCPU before any serialization
instructions are executed, like %cr3 reload for KPTI.
With pti disabled, on haswell i7-4770S machine, "syscall_timings getppid"
shows when no lfence is added to syscall path:
test     loop  time         iterations  periteration
getppid  0     1.040918865  4643611     0.000000224
getppid  1     1.004985962  4481816     0.000000224
getppid  2     1.005196483  4482363     0.000000224
with lfence:
getppid  0     1.043701091  4554779     0.000000229
getppid  1     1.016930328  4438094     0.000000229
getppid  2     1.023223117  4466640     0.000000229
and ministat reports 'No difference proven at 95.0% confidence.'
Security: CVE-2019-1125
Sponsored by: The FreeBSD Foundation
MFC after: 1 week