projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 3140e7c0 GKH |
1 | From foo@baz Fri Mar 29 16:04:51 CET 2019 |
| 2 | From: Michael Ellerman <mpe@ellerman.id.au> | |
| 3 | Date: Fri, 29 Mar 2019 22:26:14 +1100 | |
| 4 | Subject: powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) | |
| 5 | To: stable@vger.kernel.org, gregkh@linuxfoundation.org | |
| 6 | Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr | |
| 7 | Message-ID: <20190329112620.14489-27-mpe@ellerman.id.au> | |
| 8 | ||
| 9 | From: Diana Craciun <diana.craciun@nxp.com> | |
| 10 | ||
| 11 | commit 7fef436295bf6c05effe682c8797dfcb0deb112a upstream. | |
| 12 | ||
| 13 | In order to protect against speculation attacks on | |
| 14 | indirect branches, the branch predictor is flushed at | |
| 15 | kernel entry to protect for the following situations: | |
| 16 | - userspace process attacking another userspace process | |
| 17 | - userspace process attacking the kernel | |
| 18 | Basically when the privillege level change (i.e.the kernel | |
| 19 | is entered), the branch predictor state is flushed. | |
| 20 | ||
| 21 | Signed-off-by: Diana Craciun <diana.craciun@nxp.com> | |
| 22 | Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> | |
| 23 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 24 | --- | |
| 25 | arch/powerpc/kernel/head_booke.h | 6 ++++++ | |
| 26 | arch/powerpc/kernel/head_fsl_booke.S | 15 +++++++++++++++ | |
| 27 | 2 files changed, 21 insertions(+) | |
| 28 | ||
| 29 | --- a/arch/powerpc/kernel/head_booke.h | |
| 30 | +++ b/arch/powerpc/kernel/head_booke.h | |
| 31 | @@ -43,6 +43,9 @@ | |
| 32 | andi. r11, r11, MSR_PR; /* check whether user or kernel */\ | |
| 33 | mr r11, r1; \ | |
| 34 | beq 1f; \ | |
| 35 | +START_BTB_FLUSH_SECTION \ | |
| 36 | + BTB_FLUSH(r11) \ | |
| 37 | +END_BTB_FLUSH_SECTION \ | |
| 38 | /* if from user, start at top of this thread's kernel stack */ \ | |
| 39 | lwz r11, THREAD_INFO-THREAD(r10); \ | |
| 40 | ALLOC_STACK_FRAME(r11, THREAD_SIZE); \ | |
| 41 | @@ -128,6 +131,9 @@ | |
| 42 | stw r9,_CCR(r8); /* save CR on stack */\ | |
| 43 | mfspr r11,exc_level_srr1; /* check whether user or kernel */\ | |
| 44 | DO_KVM BOOKE_INTERRUPT_##intno exc_level_srr1; \ | |
| 45 | +START_BTB_FLUSH_SECTION \ | |
| 46 | + BTB_FLUSH(r10) \ | |
| 47 | +END_BTB_FLUSH_SECTION \ | |
| 48 | andi. r11,r11,MSR_PR; \ | |
| 49 | mfspr r11,SPRN_SPRG_THREAD; /* if from user, start at top of */\ | |
| 50 | lwz r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\ | |
| 51 | --- a/arch/powerpc/kernel/head_fsl_booke.S | |
| 52 | +++ b/arch/powerpc/kernel/head_fsl_booke.S | |
| 53 | @@ -453,6 +453,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV) | |
| 54 | mfcr r13 | |
| 55 | stw r13, THREAD_NORMSAVE(3)(r10) | |
| 56 | DO_KVM BOOKE_INTERRUPT_DTLB_MISS SPRN_SRR1 | |
| 57 | +START_BTB_FLUSH_SECTION | |
| 58 | + mfspr r11, SPRN_SRR1 | |
| 59 | + andi. r10,r11,MSR_PR | |
| 60 | + beq 1f | |
| 61 | + BTB_FLUSH(r10) | |
| 62 | +1: | |
| 63 | +END_BTB_FLUSH_SECTION | |
| 64 | mfspr r10, SPRN_DEAR /* Get faulting address */ | |
| 65 | ||
| 66 | /* If we are faulting a kernel address, we have to use the | |
| 67 | @@ -547,6 +554,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV) | |
| 68 | mfcr r13 | |
| 69 | stw r13, THREAD_NORMSAVE(3)(r10) | |
| 70 | DO_KVM BOOKE_INTERRUPT_ITLB_MISS SPRN_SRR1 | |
| 71 | +START_BTB_FLUSH_SECTION | |
| 72 | + mfspr r11, SPRN_SRR1 | |
| 73 | + andi. r10,r11,MSR_PR | |
| 74 | + beq 1f | |
| 75 | + BTB_FLUSH(r10) | |
| 76 | +1: | |
| 77 | +END_BTB_FLUSH_SECTION | |
| 78 | + | |
| 79 | mfspr r10, SPRN_SRR0 /* Get faulting address */ | |
| 80 | ||
| 81 | /* If we are faulting a kernel address, we have to use the |