11859 need swapgs mitigation
Reviewed by: Robert Mustacchi <rm@fingolfin.org>
Reviewed by: Dan McDonald <danmcd@joyent.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Robert Mustacchi <rm@fingolfin.org>

@@ -18,11 +18,11 @@
  *
  * CDDL HEADER END
  */
 /*
  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Joyent, Inc.
+ * Copyright 2019 Joyent, Inc.
  */
 
 /*      Copyright (c) 1990, 1991 UNIX System Laboratories, Inc. */
 /*      Copyright (c) 1984, 1986, 1987, 1988, 1989, 1990 AT&T   */
 /*      All Rights Reserved   */

@@ -549,20 +549,23 @@
                  * we'll be taking a trap but with the original %gs and %gsbase
                  * undamaged (i.e. pointing at curcpu).
                  *
                  * We've just mucked up the kernel's gsbase.  Oops.  In
                  * particular we can't take any traps at all.  Make the newly
-                 * computed gsbase be the hidden gs via __swapgs, and fix
+                 * computed gsbase be the hidden gs via swapgs, and fix
                  * the kernel's gsbase back again. Later, when we return to
                  * userland we'll swapgs again restoring gsbase just loaded
                  * above.
                  */
-                __swapgs();
+                __asm__ __volatile__("mfence; swapgs");
+
                 rp->r_gs = pcb->pcb_gs;
 
                 /*
-                 * restore kernel's gsbase
+                 * Restore kernel's gsbase. Note that this also serializes any
+                 * attempted speculation from loading the user-controlled
+                 * %gsbase.
                  */
                 wrmsr(MSR_AMD_GSBASE, kgsbase);
 
 #endif  /* __xpv */