From: Greg Kroah-Hartman Date: Fri, 29 Mar 2019 15:07:53 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v3.18.138~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3140e7c0b32ea09706028c6d31ad9841521a48ca;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: powerpc-fsl-add-infrastructure-to-fixup-branch-predictor-flush.patch powerpc-fsl-add-macro-to-flush-the-branch-predictor.patch powerpc-fsl-add-nospectre_v2-command-line-argument.patch powerpc-fsl-emulate-sprn_bucsr-register.patch powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch powerpc-fsl-fix-the-flush-of-branch-predictor.patch powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-64bit.patch powerpc-fsl-update-spectre-v2-reporting.patch powerpc-security-fix-spectre_v2-reporting.patch
---
diff --git a/queue-4.19/powerpc-fsl-add-infrastructure-to-fixup-branch-predictor-flush.patch b/queue-4.19/powerpc-fsl-add-infrastructure-to-fixup-branch-predictor-flush.patch
new file mode 100644
index 00000000000..6a9b19bba5b
--- /dev/null
+++ b/queue-4.19/powerpc-fsl-add-infrastructure-to-fixup-branch-predictor-flush.patch
@@ -0,0 +1,118 @@ +From foo@baz Fri Mar 29 16:04:51 CET 2019 +From: Michael Ellerman +Date: Fri, 29 Mar 2019 22:26:08 +1100 +Subject: powerpc/fsl: Add infrastructure to fixup branch predictor flush +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr +Message-ID: <20190329112620.14489-21-mpe@ellerman.id.au> + +From: Diana Craciun + +commit 76a5eaa38b15dda92cd6964248c39b5a6f3a4e9d upstream. + +In order to protect against speculation attacks (Spectre +variant 2) on NXP PowerPC platforms, the branch predictor +should be flushed when the privillege level is changed. +This patch is adding the infrastructure to fixup at runtime +the code sections that are performing the branch predictor flush +depending on a boot arg parameter which is added later in a +separate patch. + +Signed-off-by: Diana Craciun +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/feature-fixups.h | 12 ++++++++++++ + arch/powerpc/include/asm/setup.h | 2 ++ + arch/powerpc/kernel/vmlinux.lds.S | 8 ++++++++ + arch/powerpc/lib/feature-fixups.c | 23 +++++++++++++++++++++++ + 4 files changed, 45 insertions(+) + +--- a/arch/powerpc/include/asm/feature-fixups.h ++++ b/arch/powerpc/include/asm/feature-fixups.h +@@ -221,6 +221,17 @@ label##3: \ + FTR_ENTRY_OFFSET 953b-954b; \ + .popsection; + ++#define START_BTB_FLUSH_SECTION \ ++955: \ ++ ++#define END_BTB_FLUSH_SECTION \ ++956: \ ++ .pushsection __btb_flush_fixup,"a"; \ ++ .align 2; \ ++957: \ ++ FTR_ENTRY_OFFSET 955b-957b; \ ++ FTR_ENTRY_OFFSET 956b-957b; \ ++ .popsection; + + #ifndef __ASSEMBLY__ + #include +@@ -230,6 +241,7 @@ extern long __start___stf_entry_barrier_ + extern long __start___stf_exit_barrier_fixup, __stop___stf_exit_barrier_fixup; + extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup; + extern long __start___barrier_nospec_fixup, __stop___barrier_nospec_fixup; ++extern long 
__start__btb_flush_fixup, __stop__btb_flush_fixup; + + void apply_feature_fixups(void); + void setup_feature_keys(void); +--- a/arch/powerpc/include/asm/setup.h ++++ b/arch/powerpc/include/asm/setup.h +@@ -67,6 +67,8 @@ void do_barrier_nospec_fixups_range(bool + static inline void do_barrier_nospec_fixups_range(bool enable, void *start, void *end) { }; + #endif + ++void do_btb_flush_fixups(void); ++ + #endif /* !__ASSEMBLY__ */ + + #endif /* _ASM_POWERPC_SETUP_H */ +--- a/arch/powerpc/kernel/vmlinux.lds.S ++++ b/arch/powerpc/kernel/vmlinux.lds.S +@@ -164,6 +164,14 @@ SECTIONS + } + #endif /* CONFIG_PPC_BARRIER_NOSPEC */ + ++#ifdef CONFIG_PPC_FSL_BOOK3E ++ . = ALIGN(8); ++ __spec_btb_flush_fixup : AT(ADDR(__spec_btb_flush_fixup) - LOAD_OFFSET) { ++ __start__btb_flush_fixup = .; ++ *(__btb_flush_fixup) ++ __stop__btb_flush_fixup = .; ++ } ++#endif + EXCEPTION_TABLE(0) + + NOTES :kernel :notes +--- a/arch/powerpc/lib/feature-fixups.c ++++ b/arch/powerpc/lib/feature-fixups.c +@@ -347,6 +347,29 @@ void do_barrier_nospec_fixups_range(bool + + printk(KERN_DEBUG "barrier-nospec: patched %d locations\n", i); + } ++ ++static void patch_btb_flush_section(long *curr) ++{ ++ unsigned int *start, *end; ++ ++ start = (void *)curr + *curr; ++ end = (void *)curr + *(curr + 1); ++ for (; start < end; start++) { ++ pr_devel("patching dest %lx\n", (unsigned long)start); ++ patch_instruction(start, PPC_INST_NOP); ++ } ++} ++ ++void do_btb_flush_fixups(void) ++{ ++ long *start, *end; ++ ++ start = PTRRELOC(&__start__btb_flush_fixup); ++ end = PTRRELOC(&__stop__btb_flush_fixup); ++ ++ for (; start < end; start += 2) ++ patch_btb_flush_section(start); ++} + #endif /* CONFIG_PPC_FSL_BOOK3E */ + + void do_lwsync_fixups(unsigned long value, void *fixup_start, void *fixup_end) diff --git a/queue-4.19/powerpc-fsl-add-macro-to-flush-the-branch-predictor.patch b/queue-4.19/powerpc-fsl-add-macro-to-flush-the-branch-predictor.patch new file mode 100644 index 00000000000..6e468ebbfde --- /dev/null 
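Review bot: In `patch_btb_flush_section()` the result of `patch_instruction(start, PPC_INST_NOP)` is discarded, so a failed write could leave a flush sequence only partly replaced by nops with nothing reporting it. `do_btb_flush_fixups()` also prints no summary, whereas the `do_barrier_nospec_fixups_range()` context just above it ends with `printk(KERN_DEBUG "barrier-nospec: patched %d locations\n", i);`. I would check the call and count the sections, e.g. `if (patch_instruction(start, PPC_INST_NOP)) pr_warn("btb-flush: failed to patch %lx\n", (unsigned long)start);`, assuming patch_instruction() returns non-zero on error in this tree. Both functions sit in an `#ifdef CONFIG_PPC_FSL_BOOK3E` block that opens outside the hunk, while the `do_btb_flush_fixups()` prototype added to setup.h is unconditional.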
+++ b/queue-4.19/powerpc-fsl-add-macro-to-flush-the-branch-predictor.patch
@@ -0,0 +1,39 @@
+From foo@baz Fri Mar 29 16:04:51 CET 2019
+From: Michael Ellerman
+Date: Fri, 29 Mar 2019 22:26:09 +1100
+Subject: powerpc/fsl: Add macro to flush the branch predictor
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr
+Message-ID: <20190329112620.14489-22-mpe@ellerman.id.au>
+
+From: Diana Craciun
+
+commit 1cbf8990d79ff69da8ad09e8a3df014e1494462b upstream.
+
+The BUCSR register can be used to invalidate the entries in the
+branch prediction mechanisms.
+
+Signed-off-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/include/asm/ppc_asm.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/include/asm/ppc_asm.h
++++ b/arch/powerpc/include/asm/ppc_asm.h
+@@ -821,4 +821,14 @@ END_FTR_SECTION_IFCLR(CPU_FTR_601)
+ stringify_in_c(.long (_target) - . ;) \
+ stringify_in_c(.previous)
+
++#ifdef CONFIG_PPC_FSL_BOOK3E
++#define BTB_FLUSH(reg) \
++ lis reg,BUCSR_INIT@h; \
++ ori reg,reg,BUCSR_INIT@l; \
++ mtspr SPRN_BUCSR,reg; \
++ isync;
++#else
++#define BTB_FLUSH(reg)
++#endif /* CONFIG_PPC_FSL_BOOK3E */
++
+ #endif /* _ASM_POWERPC_PPC_ASM_H */
diff --git a/queue-4.19/powerpc-fsl-add-nospectre_v2-command-line-argument.patch b/queue-4.19/powerpc-fsl-add-nospectre_v2-command-line-argument.patch
new file mode 100644
index 00000000000..adfc3ee196c
--- /dev/null
+++ b/queue-4.19/powerpc-fsl-add-nospectre_v2-command-line-argument.patch
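Review bot: `BTB_FLUSH(reg)` carries no comment, so a caller cannot tell from the macro that `reg` is overwritten with `BUCSR_INIT` before the `mtspr`. A one-line header such as `/* Invalidate branch predictor entries via BUCSR; clobbers reg. */` above the `#define` would cover it. `BUCSR_INIT` and `SPRN_BUCSR` are defined outside this hunk, so the exact bits written cannot be confirmed from here.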
@@ -0,0 +1,74 @@ +From foo@baz Fri Mar 29 16:04:51 CET 2019 +From: Michael Ellerman +Date: Fri, 29 Mar 2019 22:26:12 +1100 +Subject: powerpc/fsl: Add nospectre_v2 command line argument +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr +Message-ID: <20190329112620.14489-25-mpe@ellerman.id.au> + +From: Diana Craciun + +commit f633a8ad636efb5d4bba1a047d4a0f1ef719aa06 upstream. + +When the command line argument is present, the Spectre variant 2 +mitigations are disabled. + +Signed-off-by: Diana Craciun +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/setup.h | 5 +++++ + arch/powerpc/kernel/security.c | 21 +++++++++++++++++++++ + 2 files changed, 26 insertions(+) + +--- a/arch/powerpc/include/asm/setup.h ++++ b/arch/powerpc/include/asm/setup.h +@@ -67,6 +67,11 @@ void do_barrier_nospec_fixups_range(bool + static inline void do_barrier_nospec_fixups_range(bool enable, void *start, void *end) { }; + #endif + ++#ifdef CONFIG_PPC_FSL_BOOK3E ++void setup_spectre_v2(void); ++#else ++static inline void setup_spectre_v2(void) {}; ++#endif + void do_btb_flush_fixups(void); + + #endif /* !__ASSEMBLY__ */ +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -26,6 +26,10 @@ static enum count_cache_flush_type count + + bool barrier_nospec_enabled; + static bool no_nospec; ++static bool btb_flush_enabled; ++#ifdef CONFIG_PPC_FSL_BOOK3E ++static bool no_spectrev2; ++#endif + + static void enable_barrier_nospec(bool enable) + { +@@ -101,6 +105,23 @@ static __init int barrier_nospec_debugfs + device_initcall(barrier_nospec_debugfs_init); + #endif /* CONFIG_DEBUG_FS */ + ++#ifdef CONFIG_PPC_FSL_BOOK3E ++static int __init handle_nospectre_v2(char *p) ++{ ++ no_spectrev2 = true; ++ ++ return 0; ++} ++early_param("nospectre_v2", handle_nospectre_v2); ++void setup_spectre_v2(void) ++{ ++ if (no_spectrev2) ++ 
do_btb_flush_fixups(); ++ else ++ btb_flush_enabled = true; ++} ++#endif /* CONFIG_PPC_FSL_BOOK3E */ ++ + #ifdef CONFIG_PPC_BOOK3S_64 + ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) + { diff --git a/queue-4.19/powerpc-fsl-emulate-sprn_bucsr-register.patch b/queue-4.19/powerpc-fsl-emulate-sprn_bucsr-register.patch new file mode 100644 index 00000000000..bacd8f1e434 --- /dev/null +++ b/queue-4.19/powerpc-fsl-emulate-sprn_bucsr-register.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Mar 29 16:04:51 CET 2019 +From: Michael Ellerman +Date: Fri, 29 Mar 2019 22:26:11 +1100 +Subject: powerpc/fsl: Emulate SPRN_BUCSR register +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr +Message-ID: <20190329112620.14489-24-mpe@ellerman.id.au> + +From: Diana Craciun + +commit 98518c4d8728656db349f875fcbbc7c126d4c973 upstream. + +In order to flush the branch predictor the guest kernel performs +writes to the BUCSR register which is hypervisor privilleged. However, +the branch predictor is flushed at each KVM entry, so the branch +predictor has been already flushed, so just return as soon as possible +to guest. + +Signed-off-by: Diana Craciun +[mpe: Tweak comment formatting] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/e500_emulate.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/powerpc/kvm/e500_emulate.c ++++ b/arch/powerpc/kvm/e500_emulate.c +@@ -277,6 +277,13 @@ int kvmppc_core_emulate_mtspr_e500(struc + vcpu->arch.pwrmgtcr0 = spr_val; + break; + ++ case SPRN_BUCSR: ++ /* ++ * If we are here, it means that we have already flushed the ++ * branch predictor, so just return to guest. ++ */ ++ break; ++ + /* extra exceptions */ + #ifdef CONFIG_SPE_POSSIBLE + case SPRN_IVOR32: 
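Review bot: Booting with `nospectre_v2` turns the Spectre v2 mitigation off without leaving any trace in the kernel log: `handle_nospectre_v2()` only sets `no_spectrev2`, and `setup_spectre_v2()` then calls `do_btb_flush_fixups()` silently. A line such as `pr_info("spectre_v2: branch predictor flush disabled on command line\n");` in the `if (no_spectrev2)` branch would let an operator confirm the state from dmesg. The diffstat touches only setup.h and security.c, so the new parameter is also undocumented in this patch. Separately, `setup_spectre_v2()` could be `__init` like `handle_nospectre_v2()` if `setup_arch()` is its only caller, and a blank line is missing between the `early_param()` line and the function.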
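Review bot: The comment in the new `case SPRN_BUCSR:` says the branch predictor has already been flushed, but elsewhere in this series that flush is wrapped in `START_BTB_FLUSH_SECTION`/`END_BTB_FLUSH_SECTION` in bookehv_interrupts.S and is replaced by nops when the host boots with `nospectre_v2`. In that configuration the guest's `mtspr` to BUCSR is dropped and no flush has happened, so a guest that keeps its own mitigation enabled gets none. At minimum the comment should say so, e.g. `/* Flushed on KVM entry unless the host runs with nospectre_v2; the guest write is then ignored. */`; whether the write should be performed on the guest's behalf in that case is a question for the maintainers. The switch statement starts and ends outside the hunk.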
diff --git a/queue-4.19/powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch b/queue-4.19/powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch
new file mode 100644
index 00000000000..2c208b251e3
--- /dev/null
+++ b/queue-4.19/powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch
@@ -0,0 +1,32 @@
+From foo@baz Fri Mar 29 16:04:51 CET 2019
+From: Michael Ellerman
+Date: Fri, 29 Mar 2019 22:26:16 +1100
+Subject: powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr
+Message-ID: <20190329112620.14489-29-mpe@ellerman.id.au>
+
+From: Diana Craciun
+
+commit 3bc8ea8603ae4c1e09aca8de229ad38b8091fcb3 upstream.
+
+If the user choses not to use the mitigations, replace
+the code sequence with nops.
+
+Signed-off-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/setup-common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/setup-common.c
++++ b/arch/powerpc/kernel/setup-common.c
+@@ -973,6 +973,7 @@ void __init setup_arch(char **cmdline_p)
+ ppc_md.setup_arch();
+
+ setup_barrier_nospec();
++ setup_spectre_v2();
+
+ paging_init();
+
diff --git a/queue-4.19/powerpc-fsl-fix-the-flush-of-branch-predictor.patch b/queue-4.19/powerpc-fsl-fix-the-flush-of-branch-predictor.patch
new file mode 100644
index 00000000000..8bfa1dd8db8
--- /dev/null
+++ b/queue-4.19/powerpc-fsl-fix-the-flush-of-branch-predictor.patch
@@ -0,0 +1,45 @@
+From foo@baz Fri Mar 29 16:04:51 CET 2019
+From: Michael Ellerman
+Date: Fri, 29 Mar 2019 22:26:19 +1100
+Subject: powerpc/fsl: Fix the flush of branch predictor.
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr
+Message-ID: <20190329112620.14489-32-mpe@ellerman.id.au>
+
+From: Christophe Leroy
+
+commit 27da80719ef132cf8c80eb406d5aeb37dddf78cc upstream.
+
+The commit identified below adds MC_BTB_FLUSH macro only when
+CONFIG_PPC_FSL_BOOK3E is defined. This results in the following error
+on some configs (seen several times with kisskb randconfig_defconfig)
+
+arch/powerpc/kernel/exceptions-64e.S:576: Error: Unrecognized opcode: `mc_btb_flush'
+make[3]: *** [scripts/Makefile.build:367: arch/powerpc/kernel/exceptions-64e.o] Error 1
+make[2]: *** [scripts/Makefile.build:492: arch/powerpc/kernel] Error 2
+make[1]: *** [Makefile:1043: arch/powerpc] Error 2
+make: *** [Makefile:152: sub-make] Error 2
+
+This patch adds a blank definition of MC_BTB_FLUSH for other cases.
+
+Fixes: 10c5e83afd4a ("powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)")
+Cc: Diana Craciun
+Signed-off-by: Christophe Leroy
+Reviewed-by: Daniel Axtens
+Reviewed-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/exceptions-64e.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/exceptions-64e.S
++++ b/arch/powerpc/kernel/exceptions-64e.S
+@@ -349,6 +349,7 @@ ret_from_mc_except:
+ #define GEN_BTB_FLUSH
+ #define CRIT_BTB_FLUSH
+ #define DBG_BTB_FLUSH
++#define MC_BTB_FLUSH
+ #define GDBELL_BTB_FLUSH
+ #endif
+
diff --git a/queue-4.19/powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch b/queue-4.19/powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch
new file mode 100644
index 00000000000..6d951a7524c
--- /dev/null
+++ b/queue-4.19/powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch 
@@ -0,0 +1,65 @@ +From foo@baz Fri Mar 29 16:04:51 CET 2019 +From: Michael Ellerman +Date: Fri, 29 Mar 2019 22:26:18 +1100 +Subject: powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup' +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr +Message-ID: <20190329112620.14489-31-mpe@ellerman.id.au> + +From: Diana Craciun + +commit 039daac5526932ec731e4499613018d263af8b3e upstream. + +Fixed the following build warning: +powerpc-linux-gnu-ld: warning: orphan section `__btb_flush_fixup' from +`arch/powerpc/kernel/head_44x.o' being placed in section +`__btb_flush_fixup'. + +Signed-off-by: Diana Craciun +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/head_booke.h | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/kernel/head_booke.h ++++ b/arch/powerpc/kernel/head_booke.h +@@ -32,6 +32,16 @@ + */ + #define THREAD_NORMSAVE(offset) (THREAD_NORMSAVES + (offset * 4)) + ++#ifdef CONFIG_PPC_FSL_BOOK3E ++#define BOOKE_CLEAR_BTB(reg) \ ++START_BTB_FLUSH_SECTION \ ++ BTB_FLUSH(reg) \ ++END_BTB_FLUSH_SECTION ++#else ++#define BOOKE_CLEAR_BTB(reg) ++#endif ++ ++ + #define NORMAL_EXCEPTION_PROLOG(intno) \ + mtspr SPRN_SPRG_WSCRATCH0, r10; /* save one register */ \ + mfspr r10, SPRN_SPRG_THREAD; \ +@@ -43,9 +53,7 @@ + andi. 
r11, r11, MSR_PR; /* check whether user or kernel */\ + mr r11, r1; \ + beq 1f; \ +-START_BTB_FLUSH_SECTION \ +- BTB_FLUSH(r11) \ +-END_BTB_FLUSH_SECTION \ ++ BOOKE_CLEAR_BTB(r11) \ + /* if from user, start at top of this thread's kernel stack */ \ + lwz r11, THREAD_INFO-THREAD(r10); \ + ALLOC_STACK_FRAME(r11, THREAD_SIZE); \ +@@ -131,9 +139,7 @@ END_BTB_FLUSH_SECTION \ + stw r9,_CCR(r8); /* save CR on stack */\ + mfspr r11,exc_level_srr1; /* check whether user or kernel */\ + DO_KVM BOOKE_INTERRUPT_##intno exc_level_srr1; \ +-START_BTB_FLUSH_SECTION \ +- BTB_FLUSH(r10) \ +-END_BTB_FLUSH_SECTION \ ++ BOOKE_CLEAR_BTB(r10) \ + andi. r11,r11,MSR_PR; \ + mfspr r11,SPRN_SPRG_THREAD; /* if from user, start at top of */\ + lwz r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\ diff --git a/queue-4.19/powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch b/queue-4.19/powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch new file mode 100644 index 00000000000..74e9e14a52a --- /dev/null +++ b/queue-4.19/powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch 
@@ -0,0 +1,36 @@
+From foo@baz Fri Mar 29 16:04:51 CET 2019
+From: Michael Ellerman
+Date: Fri, 29 Mar 2019 22:26:15 +1100
+Subject: powerpc/fsl: Flush branch predictor when entering KVM
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr
+Message-ID: <20190329112620.14489-28-mpe@ellerman.id.au>
+
+From: Diana Craciun
+
+commit e7aa61f47b23afbec41031bc47ca8d6cb6516abc upstream.
+
+Switching from the guest to host is another place
+where the speculative accesses can be exploited.
+Flush the branch predictor when entering KVM.
+
+Signed-off-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kvm/bookehv_interrupts.S | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/kvm/bookehv_interrupts.S
++++ b/arch/powerpc/kvm/bookehv_interrupts.S
+@@ -75,6 +75,10 @@
+ PPC_LL r1, VCPU_HOST_STACK(r4)
+ PPC_LL r2, HOST_R2(r1)
+
++START_BTB_FLUSH_SECTION
++ BTB_FLUSH(r10)
++END_BTB_FLUSH_SECTION
++
+ mfspr r10, SPRN_PID
+ lwz r8, VCPU_HOST_PID(r4)
+ PPC_LL r11, VCPU_SHARED(r4)
diff --git a/queue-4.19/powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch b/queue-4.19/powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch
new file mode 100644
index 00000000000..5979f0dbd84
--- /dev/null
+++ b/queue-4.19/powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch
@@ -0,0 +1,81 @@ +From foo@baz Fri Mar 29 16:04:51 CET 2019 +From: Michael Ellerman +Date: Fri, 29 Mar 2019 22:26:14 +1100 +Subject: powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr +Message-ID: <20190329112620.14489-27-mpe@ellerman.id.au> + +From: Diana Craciun + +commit 7fef436295bf6c05effe682c8797dfcb0deb112a upstream. + +In order to protect against speculation attacks on +indirect branches, the branch predictor is flushed at +kernel entry to protect for the following situations: +- userspace process attacking another userspace process +- userspace process attacking the kernel +Basically when the privillege level change (i.e.the kernel +is entered), the branch predictor state is flushed. + +Signed-off-by: Diana Craciun +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/head_booke.h | 6 ++++++ + arch/powerpc/kernel/head_fsl_booke.S | 15 +++++++++++++++ + 2 files changed, 21 insertions(+) + +--- a/arch/powerpc/kernel/head_booke.h ++++ b/arch/powerpc/kernel/head_booke.h +@@ -43,6 +43,9 @@ + andi. r11, r11, MSR_PR; /* check whether user or kernel */\ + mr r11, r1; \ + beq 1f; \ ++START_BTB_FLUSH_SECTION \ ++ BTB_FLUSH(r11) \ ++END_BTB_FLUSH_SECTION \ + /* if from user, start at top of this thread's kernel stack */ \ + lwz r11, THREAD_INFO-THREAD(r10); \ + ALLOC_STACK_FRAME(r11, THREAD_SIZE); \ +@@ -128,6 +131,9 @@ + stw r9,_CCR(r8); /* save CR on stack */\ + mfspr r11,exc_level_srr1; /* check whether user or kernel */\ + DO_KVM BOOKE_INTERRUPT_##intno exc_level_srr1; \ ++START_BTB_FLUSH_SECTION \ ++ BTB_FLUSH(r10) \ ++END_BTB_FLUSH_SECTION \ + andi. 
r11,r11,MSR_PR; \ + mfspr r11,SPRN_SPRG_THREAD; /* if from user, start at top of */\ + lwz r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\ +--- a/arch/powerpc/kernel/head_fsl_booke.S ++++ b/arch/powerpc/kernel/head_fsl_booke.S +@@ -453,6 +453,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV) + mfcr r13 + stw r13, THREAD_NORMSAVE(3)(r10) + DO_KVM BOOKE_INTERRUPT_DTLB_MISS SPRN_SRR1 ++START_BTB_FLUSH_SECTION ++ mfspr r11, SPRN_SRR1 ++ andi. r10,r11,MSR_PR ++ beq 1f ++ BTB_FLUSH(r10) ++1: ++END_BTB_FLUSH_SECTION + mfspr r10, SPRN_DEAR /* Get faulting address */ + + /* If we are faulting a kernel address, we have to use the +@@ -547,6 +554,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV) + mfcr r13 + stw r13, THREAD_NORMSAVE(3)(r10) + DO_KVM BOOKE_INTERRUPT_ITLB_MISS SPRN_SRR1 ++START_BTB_FLUSH_SECTION ++ mfspr r11, SPRN_SRR1 ++ andi. r10,r11,MSR_PR ++ beq 1f ++ BTB_FLUSH(r10) ++1: ++END_BTB_FLUSH_SECTION ++ + mfspr r10, SPRN_SRR0 /* Get faulting address */ + + /* If we are faulting a kernel address, we have to use the diff --git a/queue-4.19/powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-64bit.patch b/queue-4.19/powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-64bit.patch new file mode 100644 index 00000000000..153aced2300 --- /dev/null +++ b/queue-4.19/powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-64bit.patch 
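Review bot: The two prologs in head_booke.h flush under different conditions and nothing explains why: in `NORMAL_EXCEPTION_PROLOG` the `BTB_FLUSH(r11)` follows `beq 1f` and so runs only when coming from user mode, while in the prolog that reads `exc_level_srr1` the `BTB_FLUSH(r10)` sits before the `andi. r11,r11,MSR_PR` test and runs on every entry. If the unconditional flush is intended, a comment such as `/* flush on every entry, not only from user */` would record it. In head_fsl_booke.S the added `mfspr r11, SPRN_SRR1` / `andi. r10,r11,MSR_PR` pair overwrites r10, r11 and CR0; the context shows CR saved through `mfcr r13`, but the save of r11 is outside the hunk and should be checked. The same flush-if-user sequence is repeated in tlb_low_64e.S in the 64-bit patch.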
@@ -0,0 +1,101 @@ +From foo@baz Fri Mar 29 16:04:51 CET 2019 +From: Michael Ellerman +Date: Fri, 29 Mar 2019 22:26:13 +1100 +Subject: powerpc/fsl: Flush the branch predictor at each kernel entry (64bit) +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr +Message-ID: <20190329112620.14489-26-mpe@ellerman.id.au> + +From: Diana Craciun + +commit 10c5e83afd4a3f01712d97d3bb1ae34d5b74a185 upstream. + +In order to protect against speculation attacks on +indirect branches, the branch predictor is flushed at +kernel entry to protect for the following situations: +- userspace process attacking another userspace process +- userspace process attacking the kernel +Basically when the privillege level change (i.e. the +kernel is entered), the branch predictor state is flushed. + +Signed-off-by: Diana Craciun +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/entry_64.S | 5 +++++ + arch/powerpc/kernel/exceptions-64e.S | 26 +++++++++++++++++++++++++- + arch/powerpc/mm/tlb_low_64e.S | 7 +++++++ + 3 files changed, 37 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -80,6 +80,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_TM) + std r0,GPR0(r1) + std r10,GPR1(r1) + beq 2f /* if from kernel mode */ ++#ifdef CONFIG_PPC_FSL_BOOK3E ++START_BTB_FLUSH_SECTION ++ BTB_FLUSH(r10) ++END_BTB_FLUSH_SECTION ++#endif + ACCOUNT_CPU_USER_ENTRY(r13, r10, r11) + 2: std r2,GPR2(r1) + std r3,GPR3(r1) +--- a/arch/powerpc/kernel/exceptions-64e.S ++++ b/arch/powerpc/kernel/exceptions-64e.S +@@ -296,7 +296,8 @@ ret_from_mc_except: + andi. 
r10,r11,MSR_PR; /* save stack pointer */ \ + beq 1f; /* branch around if supervisor */ \ + ld r1,PACAKSAVE(r13); /* get kernel stack coming from usr */\ +-1: cmpdi cr1,r1,0; /* check if SP makes sense */ \ ++1: type##_BTB_FLUSH \ ++ cmpdi cr1,r1,0; /* check if SP makes sense */ \ + bge- cr1,exc_##n##_bad_stack;/* bad stack (TODO: out of line) */ \ + mfspr r10,SPRN_##type##_SRR0; /* read SRR0 before touching stack */ + +@@ -328,6 +329,29 @@ ret_from_mc_except: + #define SPRN_MC_SRR0 SPRN_MCSRR0 + #define SPRN_MC_SRR1 SPRN_MCSRR1 + ++#ifdef CONFIG_PPC_FSL_BOOK3E ++#define GEN_BTB_FLUSH \ ++ START_BTB_FLUSH_SECTION \ ++ beq 1f; \ ++ BTB_FLUSH(r10) \ ++ 1: \ ++ END_BTB_FLUSH_SECTION ++ ++#define CRIT_BTB_FLUSH \ ++ START_BTB_FLUSH_SECTION \ ++ BTB_FLUSH(r10) \ ++ END_BTB_FLUSH_SECTION ++ ++#define DBG_BTB_FLUSH CRIT_BTB_FLUSH ++#define MC_BTB_FLUSH CRIT_BTB_FLUSH ++#define GDBELL_BTB_FLUSH GEN_BTB_FLUSH ++#else ++#define GEN_BTB_FLUSH ++#define CRIT_BTB_FLUSH ++#define DBG_BTB_FLUSH ++#define GDBELL_BTB_FLUSH ++#endif ++ + #define NORMAL_EXCEPTION_PROLOG(n, intnum, addition) \ + EXCEPTION_PROLOG(n, intnum, GEN, addition##_GEN(n)) + +--- a/arch/powerpc/mm/tlb_low_64e.S ++++ b/arch/powerpc/mm/tlb_low_64e.S +@@ -70,6 +70,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV) + std r15,EX_TLB_R15(r12) + std r10,EX_TLB_CR(r12) + #ifdef CONFIG_PPC_FSL_BOOK3E ++START_BTB_FLUSH_SECTION ++ mfspr r11, SPRN_SRR1 ++ andi. r10,r11,MSR_PR ++ beq 1f ++ BTB_FLUSH(r10) ++1: ++END_BTB_FLUSH_SECTION + std r7,EX_TLB_R7(r12) + #endif + TLB_MISS_PROLOG_STATS diff --git a/queue-4.19/powerpc-fsl-update-spectre-v2-reporting.patch b/queue-4.19/powerpc-fsl-update-spectre-v2-reporting.patch new file mode 100644 index 00000000000..11d3ff7498c --- /dev/null +++ b/queue-4.19/powerpc-fsl-update-spectre-v2-reporting.patch 
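Review bot: `GEN_BTB_FLUSH` begins with `beq 1f`, which only works because CR0 still holds the result of the `andi. r10,r11,MSR_PR` issued earlier in the prolog and the intervening `ld r1,PACAKSAVE(r13)` leaves CR0 alone; that dependency is not written down anywhere. A comment on the macro, e.g. `/* relies on CR0 from the MSR_PR test in the prolog; clobbers r10 */`, would keep a later edit to the prolog from silently changing when the flush runs. `CRIT_BTB_FLUSH` (also used for DBG and MC) flushes unconditionally, which deserves the same one-line explanation. The prolog macro itself starts outside the hunk.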
@@ -0,0 +1,37 @@
+From foo@baz Fri Mar 29 16:04:51 CET 2019
+From: Michael Ellerman
+Date: Fri, 29 Mar 2019 22:26:17 +1100
+Subject: powerpc/fsl: Update Spectre v2 reporting
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr
+Message-ID: <20190329112620.14489-30-mpe@ellerman.id.au>
+
+From: Diana Craciun
+
+commit dfa88658fb0583abb92e062c7a9cd5a5b94f2a46 upstream.
+
+Report branch predictor state flush as a mitigation for
+Spectre variant 2.
+
+Signed-off-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/security.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -212,8 +212,11 @@ ssize_t cpu_show_spectre_v2(struct devic
+
+ if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW)
+ seq_buf_printf(&s, "(hardware accelerated)");
+- } else
++ } else if (btb_flush_enabled) {
++ seq_buf_printf(&s, "Mitigation: Branch predictor state flush");
++ } else {
+ seq_buf_printf(&s, "Vulnerable");
++ }
+
+ seq_buf_printf(&s, "\n");
+
diff --git a/queue-4.19/powerpc-security-fix-spectre_v2-reporting.patch b/queue-4.19/powerpc-security-fix-spectre_v2-reporting.patch
new file mode 100644
index 00000000000..570cd73841b
--- /dev/null
+++ b/queue-4.19/powerpc-security-fix-spectre_v2-reporting.patch
@@ -0,0 +1,89 @@
+From foo@baz Fri Mar 29 16:04:51 CET 2019
+From: Michael Ellerman
+Date: Fri, 29 Mar 2019 22:26:20 +1100
+Subject: powerpc/security: Fix spectre_v2 reporting
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr
+Message-ID: <20190329112620.14489-33-mpe@ellerman.id.au>
+
+From: Michael Ellerman
+
+commit 92edf8df0ff2ae86cc632eeca0e651fd8431d40d upstream.
+
+When I updated the spectre_v2 reporting to handle software count cache
+flush I got the logic wrong when there's no software count cache
+enabled at all.
+
+The result is that on systems with the software count cache flush
+disabled we print:
+
+ Mitigation: Indirect branch cache disabled, Software count cache flush
+
+Which correctly indicates that the count cache is disabled, but
+incorrectly says the software count cache flush is enabled.
+
+The root of the problem is that we are trying to handle all
+combinations of options. But we know now that we only expect to see
+the software count cache flush enabled if the other options are false.
+
+So split the two cases, which simplifies the logic and fixes the bug.
+We were also missing a space before "(hardware accelerated)".
+
+The result is we see one of:
+
+ Mitigation: Indirect branch serialisation (kernel only)
+ Mitigation: Indirect branch cache disabled
+ Mitigation: Software count cache flush
+ Mitigation: Software count cache flush (hardware accelerated)
+
+Fixes: ee13cb249fab ("powerpc/64s: Add support for software count cache flush")
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Michael Ellerman
+Reviewed-by: Michael Neuling
+Reviewed-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/security.c | 23 ++++++++---------------
+ 1 file changed, 8 insertions(+), 15 deletions(-)
+
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -189,29 +189,22 @@ ssize_t cpu_show_spectre_v2(struct devic
+ bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
+ ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
+
+- if (bcs || ccd || count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) {
+- bool comma = false;
++ if (bcs || ccd) {
+ seq_buf_printf(&s, "Mitigation: ");
+
+- if (bcs) {
++ if (bcs)
+ seq_buf_printf(&s, "Indirect branch serialisation (kernel only)");
+- comma = true;
+- }
+
+- if (ccd) {
+- if (comma)
+- seq_buf_printf(&s, ", ");
+- seq_buf_printf(&s, "Indirect branch cache disabled");
+- comma = true;
+- }
+-
+- if (comma)
++ if (bcs && ccd)
+ seq_buf_printf(&s, ", ");
+
+- seq_buf_printf(&s, "Software count cache flush");
++ if (ccd)
++ seq_buf_printf(&s, "Indirect branch cache disabled");
++ } else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) {
++ seq_buf_printf(&s, "Mitigation: Software count cache flush");
+
+ if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW)
+- seq_buf_printf(&s, "(hardware accelerated)");
++ seq_buf_printf(&s, " (hardware accelerated)");
+ } else if (btb_flush_enabled) {
+ seq_buf_printf(&s, "Mitigation: Branch predictor state flush");
+ } else {
diff --git a/queue-4.19/series b/queue-4.19/series
index 2a3d0008ba8..b196e12b4c1 100644
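Review bot: After this change the `if (bcs || ccd)` branch never mentions the software count cache flush, so the sysfs text depends on an assumption stated only in the commit message, namely that the flush is enabled solely when both flags are false. Tools that read this file to audit mitigation state would under-report if that ever stops holding. I would record the assumption next to the `else if`, e.g. `/* count cache flush is only expected when !bcs && !ccd */`. The function body starts and ends outside the hunk.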
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -30,3 +30,15 @@ net-sched-fix-cleanup-null-pointer-exception-in-act_mirr.patch
 thunderx-enable-page-recycling-for-non-xdp-case.patch
 thunderx-eliminate-extra-calls-to-put_page-for-pages-held-for-recycling.patch
 tun-add-a-missing-rcu_read_unlock-in-error-path.patch
+powerpc-fsl-add-infrastructure-to-fixup-branch-predictor-flush.patch
+powerpc-fsl-add-macro-to-flush-the-branch-predictor.patch
+powerpc-fsl-emulate-sprn_bucsr-register.patch
+powerpc-fsl-add-nospectre_v2-command-line-argument.patch
+powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-64bit.patch
+powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch
+powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch
+powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch
+powerpc-fsl-update-spectre-v2-reporting.patch
+powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch
+powerpc-fsl-fix-the-flush-of-branch-predictor.patch
+powerpc-security-fix-spectre_v2-reporting.patch