--- /dev/null
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun <diana.craciun@nxp.com>
+Date: Mon, 29 Apr 2019 18:49:03 +0300
+Subject: powerpc/fsl: Emulate SPRN_BUCSR register
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun <diana.craciun@nxp.com>
+Message-ID: <1556552948-24957-4-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun <diana.craciun@nxp.com>
+
+commit 98518c4d8728656db349f875fcbbc7c126d4c973 upstream.
+
+In order to flush the branch predictor the guest kernel performs
+writes to the BUCSR register which is hypervisor privilleged. However,
+the branch predictor is flushed at each KVM entry, so the branch
+predictor has been already flushed, so just return as soon as possible
+to guest.
+
+Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
+[mpe: Tweak comment formatting]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/e500_emulate.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/powerpc/kvm/e500_emulate.c
++++ b/arch/powerpc/kvm/e500_emulate.c
+@@ -277,6 +277,13 @@ int kvmppc_core_emulate_mtspr_e500(struc
+ vcpu->arch.pwrmgtcr0 = spr_val;
+ break;
+
++ case SPRN_BUCSR:
++ /*
++ * If we are here, it means that we have already flushed the
++ * branch predictor, so just return to guest.
++ */
++ break;
++
+ /* extra exceptions */
+ #ifdef CONFIG_SPE_POSSIBLE
+ case SPRN_IVOR32:
--- /dev/null
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun <diana.craciun@nxp.com>
+Date: Mon, 29 Apr 2019 18:49:01 +0300
+Subject: powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun <diana.craciun@nxp.com>
+Message-ID: <1556552948-24957-2-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun <diana.craciun@nxp.com>
+
+commit 3bc8ea8603ae4c1e09aca8de229ad38b8091fcb3 upstream.
+
+If the user choses not to use the mitigations, replace
+the code sequence with nops.
+
+Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/setup_32.c | 1 +
+ arch/powerpc/kernel/setup_64.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/powerpc/kernel/setup_32.c
++++ b/arch/powerpc/kernel/setup_32.c
+@@ -323,6 +323,7 @@ void __init setup_arch(char **cmdline_p)
+ if ( ppc_md.progress ) ppc_md.progress("arch: exit", 0x3eab);
+
+ setup_barrier_nospec();
++ setup_spectre_v2();
+
+ paging_init();
+
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -737,6 +737,7 @@ void __init setup_arch(char **cmdline_p)
+ ppc_md.setup_arch();
+
+ setup_barrier_nospec();
++ setup_spectre_v2();
+
+ paging_init();
+
--- /dev/null
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun <diana.craciun@nxp.com>
+Date: Mon, 29 Apr 2019 18:49:06 +0300
+Subject: powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup'
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun <diana.craciun@nxp.com>
+Message-ID: <1556552948-24957-7-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun <diana.craciun@nxp.com>
+
+commit 039daac5526932ec731e4499613018d263af8b3e upstream.
+
+Fixed the following build warning:
+powerpc-linux-gnu-ld: warning: orphan section `__btb_flush_fixup' from
+`arch/powerpc/kernel/head_44x.o' being placed in section
+`__btb_flush_fixup'.
+
+Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/head_booke.h | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/kernel/head_booke.h
++++ b/arch/powerpc/kernel/head_booke.h
+@@ -31,6 +31,16 @@
+ */
+ #define THREAD_NORMSAVE(offset) (THREAD_NORMSAVES + (offset * 4))
+
++#ifdef CONFIG_PPC_FSL_BOOK3E
++#define BOOKE_CLEAR_BTB(reg) \
++START_BTB_FLUSH_SECTION \
++ BTB_FLUSH(reg) \
++END_BTB_FLUSH_SECTION
++#else
++#define BOOKE_CLEAR_BTB(reg)
++#endif
++
++
+ #define NORMAL_EXCEPTION_PROLOG(intno) \
+ mtspr SPRN_SPRG_WSCRATCH0, r10; /* save one register */ \
+ mfspr r10, SPRN_SPRG_THREAD; \
+@@ -42,9 +52,7 @@
+ andi. r11, r11, MSR_PR; /* check whether user or kernel */\
+ mr r11, r1; \
+ beq 1f; \
+-START_BTB_FLUSH_SECTION \
+- BTB_FLUSH(r11) \
+-END_BTB_FLUSH_SECTION \
++ BOOKE_CLEAR_BTB(r11) \
+ /* if from user, start at top of this thread's kernel stack */ \
+ lwz r11, THREAD_INFO-THREAD(r10); \
+ ALLOC_STACK_FRAME(r11, THREAD_SIZE); \
+@@ -130,9 +138,7 @@ END_BTB_FLUSH_SECTION \
+ stw r9,_CCR(r8); /* save CR on stack */\
+ mfspr r11,exc_level_srr1; /* check whether user or kernel */\
+ DO_KVM BOOKE_INTERRUPT_##intno exc_level_srr1; \
+-START_BTB_FLUSH_SECTION \
+- BTB_FLUSH(r10) \
+-END_BTB_FLUSH_SECTION \
++ BOOKE_CLEAR_BTB(r10) \
+ andi. r11,r11,MSR_PR; \
+ mfspr r11,SPRN_SPRG_THREAD; /* if from user, start at top of */\
+ lwz r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\
--- /dev/null
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun <diana.craciun@nxp.com>
+Date: Mon, 29 Apr 2019 18:49:02 +0300
+Subject: powerpc/fsl: Flush branch predictor when entering KVM
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun <diana.craciun@nxp.com>
+Message-ID: <1556552948-24957-3-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun <diana.craciun@nxp.com>
+
+commit e7aa61f47b23afbec41031bc47ca8d6cb6516abc upstream.
+
+Switching from the guest to host is another place
+where the speculative accesses can be exploited.
+Flush the branch predictor when entering KVM.
+
+Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/bookehv_interrupts.S | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/kvm/bookehv_interrupts.S
++++ b/arch/powerpc/kvm/bookehv_interrupts.S
+@@ -75,6 +75,10 @@
+ PPC_LL r1, VCPU_HOST_STACK(r4)
+ PPC_LL r2, HOST_R2(r1)
+
++START_BTB_FLUSH_SECTION
++ BTB_FLUSH(r10)
++END_BTB_FLUSH_SECTION
++
+ mfspr r10, SPRN_PID
+ lwz r8, VCPU_HOST_PID(r4)
+ PPC_LL r11, VCPU_SHARED(r4)
--- /dev/null
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun <diana.craciun@nxp.com>
+Date: Mon, 29 Apr 2019 18:49:04 +0300
+Subject: powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit)
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun <diana.craciun@nxp.com>
+Message-ID: <1556552948-24957-5-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun <diana.craciun@nxp.com>
+
+commit 7fef436295bf6c05effe682c8797dfcb0deb112a upstream.
+
+In order to protect against speculation attacks on
+indirect branches, the branch predictor is flushed at
+kernel entry to protect for the following situations:
+- userspace process attacking another userspace process
+- userspace process attacking the kernel
+Basically when the privillege level change (i.e.the kernel
+is entered), the branch predictor state is flushed.
+
+Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/head_booke.h | 6 ++++++
+ arch/powerpc/kernel/head_fsl_booke.S | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+--- a/arch/powerpc/kernel/head_booke.h
++++ b/arch/powerpc/kernel/head_booke.h
+@@ -42,6 +42,9 @@
+ andi. r11, r11, MSR_PR; /* check whether user or kernel */\
+ mr r11, r1; \
+ beq 1f; \
++START_BTB_FLUSH_SECTION \
++ BTB_FLUSH(r11) \
++END_BTB_FLUSH_SECTION \
+ /* if from user, start at top of this thread's kernel stack */ \
+ lwz r11, THREAD_INFO-THREAD(r10); \
+ ALLOC_STACK_FRAME(r11, THREAD_SIZE); \
+@@ -127,6 +130,9 @@
+ stw r9,_CCR(r8); /* save CR on stack */\
+ mfspr r11,exc_level_srr1; /* check whether user or kernel */\
+ DO_KVM BOOKE_INTERRUPT_##intno exc_level_srr1; \
++START_BTB_FLUSH_SECTION \
++ BTB_FLUSH(r10) \
++END_BTB_FLUSH_SECTION \
+ andi. r11,r11,MSR_PR; \
+ mfspr r11,SPRN_SPRG_THREAD; /* if from user, start at top of */\
+ lwz r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\
+--- a/arch/powerpc/kernel/head_fsl_booke.S
++++ b/arch/powerpc/kernel/head_fsl_booke.S
+@@ -451,6 +451,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
+ mfcr r13
+ stw r13, THREAD_NORMSAVE(3)(r10)
+ DO_KVM BOOKE_INTERRUPT_DTLB_MISS SPRN_SRR1
++START_BTB_FLUSH_SECTION
++ mfspr r11, SPRN_SRR1
++ andi. r10,r11,MSR_PR
++ beq 1f
++ BTB_FLUSH(r10)
++1:
++END_BTB_FLUSH_SECTION
+ mfspr r10, SPRN_DEAR /* Get faulting address */
+
+ /* If we are faulting a kernel address, we have to use the
+@@ -545,6 +552,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
+ mfcr r13
+ stw r13, THREAD_NORMSAVE(3)(r10)
+ DO_KVM BOOKE_INTERRUPT_ITLB_MISS SPRN_SRR1
++START_BTB_FLUSH_SECTION
++ mfspr r11, SPRN_SRR1
++ andi. r10,r11,MSR_PR
++ beq 1f
++ BTB_FLUSH(r10)
++1:
++END_BTB_FLUSH_SECTION
++
+ mfspr r10, SPRN_SRR0 /* Get faulting address */
+
+ /* If we are faulting a kernel address, we have to use the
--- /dev/null
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun <diana.craciun@nxp.com>
+Date: Mon, 29 Apr 2019 18:49:05 +0300
+Subject: powerpc/fsl: Sanitize the syscall table for NXP PowerPC 32 bit platforms
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun <diana.craciun@nxp.com>
+Message-ID: <1556552948-24957-6-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun <diana.craciun@nxp.com>
+
+commit c28218d4abbf4f2035495334d8bfcba64bda4787 upstream.
+
+Used barrier_nospec to sanitize the syscall table.
+
+Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/entry_32.S | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/kernel/entry_32.S
++++ b/arch/powerpc/kernel/entry_32.S
+@@ -33,6 +33,7 @@
+ #include <asm/unistd.h>
+ #include <asm/ftrace.h>
+ #include <asm/ptrace.h>
++#include <asm/barrier.h>
+
+ /*
+ * MSR_KERNEL is > 0x10000 on 4xx/Book-E since it include MSR_CE.
+@@ -340,6 +341,15 @@ syscall_dotrace_cont:
+ ori r10,r10,sys_call_table@l
+ slwi r0,r0,2
+ bge- 66f
++
++ barrier_nospec_asm
++ /*
++ * Prevent the load of the handler below (based on the user-passed
++ * system call number) being speculatively executed until the test
++ * against NR_syscalls and branch to .66f above has
++ * committed.
++ */
++
+ lwzx r10,r10,r0 /* Fetch system call handler [ptr] */
+ mtlr r10
+ addi r9,r1,STACK_FRAME_OVERHEAD
team-fix-possible-recursive-locking-when-add-slaves.patch
net-stmmac-move-stmmac_check_ether_addr-to-driver-probe.patch
ipv4-set-the-tcp_min_rtt_wlen-range-from-0-to-one-day.patch
+powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch
+powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch
+powerpc-fsl-emulate-sprn_bucsr-register.patch
+powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch
+powerpc-fsl-sanitize-the-syscall-table-for-nxp-powerpc-32-bit-platforms.patch
+powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
