[thirdparty/kernel/stable-queue.git] / queue-4.9 / powerpc-fsl-flush-the-branch-predictor-at-each-kerne.patch

From dacb2a9aa38fd5f0e5facd87c6f58e3c550732c2 Mon Sep 17 00:00:00 2001
From: Diana Craciun <diana.craciun@nxp.com>
Date: Thu, 11 Apr 2019 21:46:23 +1000
Subject: powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)

commit 10c5e83afd4a3f01712d97d3bb1ae34d5b74a185 upstream.

In order to protect against speculation attacks on
indirect branches, the branch predictor is flushed at
kernel entry to protect for the following situations:
- userspace process attacking another userspace process
- userspace process attacking the kernel
Basically when the privillege level change (i.e. the
kernel is entered), the branch predictor state is flushed.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kernel/entry_64.S       |  5 +++++
 arch/powerpc/kernel/exceptions-64e.S | 26 +++++++++++++++++++++++++-
 arch/powerpc/mm/tlb_low_64e.S        |  7 +++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
index 6625cec9e7c0..390ebf4ef384 100644
--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -80,6 +80,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_TM)
 	std	r0,GPR0(r1)
 	std	r10,GPR1(r1)
 	beq	2f			/* if from kernel mode */
+#ifdef CONFIG_PPC_FSL_BOOK3E
+START_BTB_FLUSH_SECTION
+	BTB_FLUSH(r10)
+END_BTB_FLUSH_SECTION
+#endif
 	ACCOUNT_CPU_USER_ENTRY(r13, r10, r11)
 2:	std	r2,GPR2(r1)
 	std	r3,GPR3(r1)
diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S
index ca03eb229a9a..79c6fee6368d 100644
--- a/arch/powerpc/kernel/exceptions-64e.S
+++ b/arch/powerpc/kernel/exceptions-64e.S
@@ -295,7 +295,8 @@ ret_from_mc_except:
 	andi.	r10,r11,MSR_PR;		/* save stack pointer */	    \
 	beq	1f;			/* branch around if supervisor */   \
 	ld	r1,PACAKSAVE(r13);	/* get kernel stack coming from usr */\
-1:	cmpdi	cr1,r1,0;		/* check if SP makes sense */	    \
+1:	type##_BTB_FLUSH		\
+	cmpdi	cr1,r1,0;		/* check if SP makes sense */	    \
 	bge-	cr1,exc_##n##_bad_stack;/* bad stack (TODO: out of line) */ \
 	mfspr	r10,SPRN_##type##_SRR0;	/* read SRR0 before touching stack */
 
@@ -327,6 +328,29 @@ ret_from_mc_except:
 #define SPRN_MC_SRR0	SPRN_MCSRR0
 #define SPRN_MC_SRR1	SPRN_MCSRR1
 
+#ifdef CONFIG_PPC_FSL_BOOK3E
+#define GEN_BTB_FLUSH			\
+	START_BTB_FLUSH_SECTION		\
+		beq 1f;			\
+		BTB_FLUSH(r10)			\
+		1:		\
+	END_BTB_FLUSH_SECTION
+
+#define CRIT_BTB_FLUSH			\
+	START_BTB_FLUSH_SECTION		\
+		BTB_FLUSH(r10)		\
+	END_BTB_FLUSH_SECTION
+
+#define DBG_BTB_FLUSH CRIT_BTB_FLUSH
+#define MC_BTB_FLUSH CRIT_BTB_FLUSH
+#define GDBELL_BTB_FLUSH GEN_BTB_FLUSH
+#else
+#define GEN_BTB_FLUSH
+#define CRIT_BTB_FLUSH
+#define DBG_BTB_FLUSH
+#define GDBELL_BTB_FLUSH
+#endif
+
 #define NORMAL_EXCEPTION_PROLOG(n, intnum, addition)			    \
 	EXCEPTION_PROLOG(n, intnum, GEN, addition##_GEN(n))
 
diff --git a/arch/powerpc/mm/tlb_low_64e.S b/arch/powerpc/mm/tlb_low_64e.S
index eb82d787d99a..b7e9c09dfe19 100644
--- a/arch/powerpc/mm/tlb_low_64e.S
+++ b/arch/powerpc/mm/tlb_low_64e.S
@@ -69,6 +69,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
 	std	r15,EX_TLB_R15(r12)
 	std	r10,EX_TLB_CR(r12)
 #ifdef CONFIG_PPC_FSL_BOOK3E
+START_BTB_FLUSH_SECTION
+	mfspr r11, SPRN_SRR1
+	andi. r10,r11,MSR_PR
+	beq 1f
+	BTB_FLUSH(r10)
+1:
+END_BTB_FLUSH_SECTION
 	std	r7,EX_TLB_R7(r12)
 #endif
 	TLB_MISS_PROLOG_STATS
-- 
2.19.1
Commit	Line	Data
45d80ddf SL	1	From dacb2a9aa38fd5f0e5facd87c6f58e3c550732c2 Mon Sep 17 00:00:00 2001
	2	From: Diana Craciun <diana.craciun@nxp.com>
	3	Date: Thu, 11 Apr 2019 21:46:23 +1000
	4	Subject: powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)
	5
	6	commit 10c5e83afd4a3f01712d97d3bb1ae34d5b74a185 upstream.
	7
	8	In order to protect against speculation attacks on
	9	indirect branches, the branch predictor is flushed at
	10	kernel entry to protect for the following situations:
	11	- userspace process attacking another userspace process
	12	- userspace process attacking the kernel
	13	Basically when the privillege level change (i.e. the
	14	kernel is entered), the branch predictor state is flushed.
	15
	16	Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
	17	Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
	18	Signed-off-by: Sasha Levin <sashal@kernel.org>
	19	---
	20	arch/powerpc/kernel/entry_64.S \| 5 +++++
	21	arch/powerpc/kernel/exceptions-64e.S \| 26 +++++++++++++++++++++++++-
	22	arch/powerpc/mm/tlb_low_64e.S \| 7 +++++++
	23	3 files changed, 37 insertions(+), 1 deletion(-)
	24
	25	diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
	26	index 6625cec9e7c0..390ebf4ef384 100644
	27	--- a/arch/powerpc/kernel/entry_64.S
	28	+++ b/arch/powerpc/kernel/entry_64.S
	29	@@ -80,6 +80,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_TM)
	30	std r0,GPR0(r1)
	31	std r10,GPR1(r1)
	32	beq 2f /* if from kernel mode */
	33	+#ifdef CONFIG_PPC_FSL_BOOK3E
	34	+START_BTB_FLUSH_SECTION
	35	+ BTB_FLUSH(r10)
	36	+END_BTB_FLUSH_SECTION
	37	+#endif
	38	ACCOUNT_CPU_USER_ENTRY(r13, r10, r11)
	39	2: std r2,GPR2(r1)
	40	std r3,GPR3(r1)
	41	diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S
	42	index ca03eb229a9a..79c6fee6368d 100644
	43	--- a/arch/powerpc/kernel/exceptions-64e.S
	44	+++ b/arch/powerpc/kernel/exceptions-64e.S
	45	@@ -295,7 +295,8 @@ ret_from_mc_except:
	46	andi. r10,r11,MSR_PR; /* save stack pointer */ \
	47	beq 1f; /* branch around if supervisor */ \
	48	ld r1,PACAKSAVE(r13); /* get kernel stack coming from usr */\
	49	-1: cmpdi cr1,r1,0; /* check if SP makes sense */ \
	50	+1: type##_BTB_FLUSH \
	51	+ cmpdi cr1,r1,0; /* check if SP makes sense */ \
	52	bge- cr1,exc_##n##_bad_stack;/* bad stack (TODO: out of line) */ \
	53	mfspr r10,SPRN_##type##_SRR0; /* read SRR0 before touching stack */
	54
	55	@@ -327,6 +328,29 @@ ret_from_mc_except:
	56	#define SPRN_MC_SRR0 SPRN_MCSRR0
	57	#define SPRN_MC_SRR1 SPRN_MCSRR1
	58
	59	+#ifdef CONFIG_PPC_FSL_BOOK3E
	60	+#define GEN_BTB_FLUSH \
	61	+ START_BTB_FLUSH_SECTION \
	62	+ beq 1f; \
	63	+ BTB_FLUSH(r10) \
	64	+ 1: \
65	+ END_BTB_FLUSH_SECTION
66	+
67	+#define CRIT_BTB_FLUSH \
68	+ START_BTB_FLUSH_SECTION \
69	+ BTB_FLUSH(r10) \
70	+ END_BTB_FLUSH_SECTION
71	+
72	+#define DBG_BTB_FLUSH CRIT_BTB_FLUSH
73	+#define MC_BTB_FLUSH CRIT_BTB_FLUSH
74	+#define GDBELL_BTB_FLUSH GEN_BTB_FLUSH
75	+#else
76	+#define GEN_BTB_FLUSH
77	+#define CRIT_BTB_FLUSH
78	+#define DBG_BTB_FLUSH
79	+#define GDBELL_BTB_FLUSH
80	+#endif
81	+
82	#define NORMAL_EXCEPTION_PROLOG(n, intnum, addition) \
83	EXCEPTION_PROLOG(n, intnum, GEN, addition##_GEN(n))
84
85	diff --git a/arch/powerpc/mm/tlb_low_64e.S b/arch/powerpc/mm/tlb_low_64e.S
86	index eb82d787d99a..b7e9c09dfe19 100644
87	--- a/arch/powerpc/mm/tlb_low_64e.S
88	+++ b/arch/powerpc/mm/tlb_low_64e.S
89	@@ -69,6 +69,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
90	std r15,EX_TLB_R15(r12)
91	std r10,EX_TLB_CR(r12)
92	#ifdef CONFIG_PPC_FSL_BOOK3E
93	+START_BTB_FLUSH_SECTION
94	+ mfspr r11, SPRN_SRR1
95	+ andi. r10,r11,MSR_PR
96	+ beq 1f
97	+ BTB_FLUSH(r10)
98	+1:
99	+END_BTB_FLUSH_SECTION
100	std r7,EX_TLB_R7(r12)
101	#endif
102	TLB_MISS_PROLOG_STATS
103	--
104	2.19.1
105