[SRU][Xenial][PATCH 0/3] Use upstream Spectre variant 1 BPF mitigations
Tyler Hicks
tyhicks at canonical.com
Tue Sep 11 05:35:01 UTC 2018

This patchset moves the Xenial kernel over to the upstream mitigations
for Spectre variant 1 (CVE-2017-5753). The upstream mitigations were
mostly already in place thanks to the following commits that we picked
up via linux-stable rebases:

  b2157399cc98 ("bpf: prevent out-of-bounds speculation")
  bbeb6e4323da ("bpf, array: fix overflow in max_entries and undefined behavior in index_mask")

However, a fix commit for b2157399cc98 was still missing:

  c93552c443eb ("bpf: properly enforce index mask to prevent out-of-bounds speculation")

I've backported the missing patch and reverted the out-of-tree
mitigations for Spectre variant 1 in the BPF code now that all the
corresponding upstream commits are in place.

I tested these changes using the upstream kernel's test-verifier and
test-verifier-log BPF selftests. While there are many failures due to
the tests from Linus HEAD being used on a 4.4 based kernel, the test
results are the same with and without these patches applied. I ran the
tests as an unprivileged user and as root.

It is also worth mentioning that the backport of c93552c443eb matches
what SUSE has done in their 4.4 kernel:

  https://kernel.opensuse.org/cgit/kernel-source/tree/patches.fixes/bpf-properly-enforce-index-mask-to-prevent-out-of-bo.patch?h=SLE12-SP3

Tyler