From 342554a7b70d582e4fedc9f5fb2d6aa5f0fbbaf5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 30 Apr 2019 12:40:29 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
powerpc-fsl-emulate-sprn_bucsr-register.patch
powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch
powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch
powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch
powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch
powerpc-fsl-sanitize-the-syscall-table-for-nxp-powerpc-32-bit-platforms.patch
---
 ...erpc-fsl-emulate-sprn_bucsr-register.patch | 42 ++++++++++
 ...ing-if-nospectre_v2-boot-arg-is-used.patch | 43 ++++++++++
 ...ing-orphan-section-__btb_flush_fixup.patch | 65 +++++++++++++++
 ...h-branch-predictor-when-entering-kvm.patch | 36 +++++++++
 ...redictor-at-each-kernel-entry-32-bit.patch | 81 +++++++++++++++++++
 ...ble-for-nxp-powerpc-32-bit-platforms.patch | 47 +++++++++++
 queue-4.4/series | 6 ++
 7 files changed, 320 insertions(+)
 create mode 100644 queue-4.4/powerpc-fsl-emulate-sprn_bucsr-register.patch
 create mode 100644 queue-4.4/powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch
 create mode 100644 queue-4.4/powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch
 create mode 100644 queue-4.4/powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch
 create mode 100644 queue-4.4/powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch
 create mode 100644 queue-4.4/powerpc-fsl-sanitize-the-syscall-table-for-nxp-powerpc-32-bit-platforms.patch

diff --git a/queue-4.4/powerpc-fsl-emulate-sprn_bucsr-register.patch b/queue-4.4/powerpc-fsl-emulate-sprn_bucsr-register.patch
new file mode 100644
index 00000000000..e4a0e1603a6
--- /dev/null
+++ b/queue-4.4/powerpc-fsl-emulate-sprn_bucsr-register.patch
@@ -0,0 +1,42 @@
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun
+Date: Mon, 29 Apr 2019 18:49:03 +0300
+Subject: powerpc/fsl: Emulate SPRN_BUCSR register
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun
+Message-ID: <1556552948-24957-4-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun
+
+commit 98518c4d8728656db349f875fcbbc7c126d4c973 upstream.
+
+In order to flush the branch predictor the guest kernel performs
+writes to the BUCSR register which is hypervisor privilleged. However,
+the branch predictor is flushed at each KVM entry, so the branch
+predictor has been already flushed, so just return as soon as possible
+to guest.
+
+Signed-off-by: Diana Craciun
+[mpe: Tweak comment formatting]
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kvm/e500_emulate.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/powerpc/kvm/e500_emulate.c
++++ b/arch/powerpc/kvm/e500_emulate.c
+@@ -277,6 +277,13 @@ int kvmppc_core_emulate_mtspr_e500(struc
+ vcpu->arch.pwrmgtcr0 = spr_val;
+ break;
+ 
++ case SPRN_BUCSR:
++ /*
++ * If we are here, it means that we have already flushed the
++ * branch predictor, so just return to guest.
++ */
++ break;
++
+ /* extra exceptions */
+ #ifdef CONFIG_SPE_POSSIBLE
+ case SPRN_IVOR32:
diff --git a/queue-4.4/powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch b/queue-4.4/powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch
new file mode 100644
index 00000000000..d378cd0e75f
--- /dev/null
+++ b/queue-4.4/powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch
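Review bot: The new `case SPRN_BUCSR:` in kvmppc_core_emulate_mtspr_e500() swallows every guest write to the register regardless of the value in spr_val, while the comment only explains the flush-request case; a guest writing BUCSR for any other purpose gets the same silent no-op, and the comment should state that this is deliberate, e.g. `/* All guest writes to BUCSR are ignored, not only flush requests: the host already flushes the branch predictor on every KVM entry. */`. The justification only holds when the flush-on-KVM-entry patch is applied as well; the series file in this commit does queue that patch ahead of this one. The enclosing switch and function start and end outside the hunk.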
@@ -0,0 +1,43 @@
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun
+Date: Mon, 29 Apr 2019 18:49:01 +0300
+Subject: powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun
+Message-ID: <1556552948-24957-2-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun
+
+commit 3bc8ea8603ae4c1e09aca8de229ad38b8091fcb3 upstream.
+
+If the user choses not to use the mitigations, replace
+the code sequence with nops.
+
+Signed-off-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/setup_32.c | 1 +
+ arch/powerpc/kernel/setup_64.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/powerpc/kernel/setup_32.c
++++ b/arch/powerpc/kernel/setup_32.c
+@@ -323,6 +323,7 @@ void __init setup_arch(char **cmdline_p)
+ if ( ppc_md.progress ) ppc_md.progress("arch: exit", 0x3eab);
+ 
+ setup_barrier_nospec();
++ setup_spectre_v2();
+ 
+ paging_init();
+ 
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -737,6 +737,7 @@ void __init setup_arch(char **cmdline_p)
+ ppc_md.setup_arch();
+ 
+ setup_barrier_nospec();
++ setup_spectre_v2();
+ 
+ paging_init();
+ 
diff --git a/queue-4.4/powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch b/queue-4.4/powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch
new file mode 100644
index 00000000000..725b4d122db
--- /dev/null
+++ b/queue-4.4/powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch
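Review bot: `setup_spectre_v2()` is called unconditionally from both setup_arch() variants with no #ifdef around it, so this backport assumes the function and a declaration visible to both setup_32.c and setup_64.c already exist in the 4.4 tree; neither is part of this commit, so that prerequisite should be confirmed before the patch is queued, since a miss breaks the build on both 32- and 64-bit rather than merely leaving the mitigation off. Both setup_arch() bodies start and end outside their hunks.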
@@ -0,0 +1,65 @@
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun
+Date: Mon, 29 Apr 2019 18:49:06 +0300
+Subject: powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup'
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun
+Message-ID: <1556552948-24957-7-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun
+
+commit 039daac5526932ec731e4499613018d263af8b3e upstream.
+
+Fixed the following build warning:
+powerpc-linux-gnu-ld: warning: orphan section `__btb_flush_fixup' from
+`arch/powerpc/kernel/head_44x.o' being placed in section
+`__btb_flush_fixup'.
+
+Signed-off-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/head_booke.h | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/kernel/head_booke.h
++++ b/arch/powerpc/kernel/head_booke.h
+@@ -31,6 +31,16 @@
+ */
+ #define THREAD_NORMSAVE(offset) (THREAD_NORMSAVES + (offset * 4))
+ 
++#ifdef CONFIG_PPC_FSL_BOOK3E
++#define BOOKE_CLEAR_BTB(reg) \
++START_BTB_FLUSH_SECTION \
++ BTB_FLUSH(reg) \
++END_BTB_FLUSH_SECTION
++#else
++#define BOOKE_CLEAR_BTB(reg)
++#endif
++
++
+ #define NORMAL_EXCEPTION_PROLOG(intno) \
+ mtspr SPRN_SPRG_WSCRATCH0, r10; /* save one register */ \
+ mfspr r10, SPRN_SPRG_THREAD; \
+@@ -42,9 +52,7 @@
+ andi. 
r11, r11, MSR_PR; /* check whether user or kernel */\
+ mr r11, r1; \
+ beq 1f; \
+-START_BTB_FLUSH_SECTION \
+- BTB_FLUSH(r11) \
+-END_BTB_FLUSH_SECTION \
++ BOOKE_CLEAR_BTB(r11) \
+ /* if from user, start at top of this thread's kernel stack */ \
+ lwz r11, THREAD_INFO-THREAD(r10); \
+ ALLOC_STACK_FRAME(r11, THREAD_SIZE); \
+@@ -130,9 +138,7 @@ END_BTB_FLUSH_SECTION \
+ stw r9,_CCR(r8); /* save CR on stack */\
+ mfspr r11,exc_level_srr1; /* check whether user or kernel */\
+ DO_KVM BOOKE_INTERRUPT_##intno exc_level_srr1; \
+-START_BTB_FLUSH_SECTION \
+- BTB_FLUSH(r10) \
+-END_BTB_FLUSH_SECTION \
++ BOOKE_CLEAR_BTB(r10) \
+ andi. r11,r11,MSR_PR; \
+ mfspr r11,SPRN_SPRG_THREAD; /* if from user, start at top of */\
+ lwz r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\
diff --git a/queue-4.4/powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch b/queue-4.4/powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch
new file mode 100644
index 00000000000..e592c367ed7
--- /dev/null
+++ b/queue-4.4/powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch
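Review bot: The new BOOKE_CLEAR_BTB(reg) wrapper in head_booke.h carries no comment, so a reader of the header cannot tell why the flush is gated on CONFIG_PPC_FSL_BOOK3E; the commit message gives the reason (the fixup section became an orphan in head_44x.o) and, if that is the whole story, it belongs next to the macro, e.g. `/* Only FSL Book3E places __btb_flush_fixup in its linker script; on other BookE parts (e.g. 44x) expand to nothing so no orphan section is emitted. */`. The empty `#else` definition keeps the trailing `\` continuations at both replacement sites valid, which is what the two prolog hunks rely on. Both replacement sites sit inside exception-prolog macros whose bodies extend outside the hunk.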
@@ -0,0 +1,36 @@
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun
+Date: Mon, 29 Apr 2019 18:49:02 +0300
+Subject: powerpc/fsl: Flush branch predictor when entering KVM
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun
+Message-ID: <1556552948-24957-3-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun
+
+commit e7aa61f47b23afbec41031bc47ca8d6cb6516abc upstream.
+
+Switching from the guest to host is another place
+where the speculative accesses can be exploited.
+Flush the branch predictor when entering KVM.
+
+Signed-off-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kvm/bookehv_interrupts.S | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/kvm/bookehv_interrupts.S
++++ b/arch/powerpc/kvm/bookehv_interrupts.S
+@@ -75,6 +75,10 @@
+ PPC_LL r1, VCPU_HOST_STACK(r4)
+ PPC_LL r2, HOST_R2(r1)
+ 
++START_BTB_FLUSH_SECTION
++ BTB_FLUSH(r10)
++END_BTB_FLUSH_SECTION
++
+ mfspr r10, SPRN_PID
+ lwz r8, VCPU_HOST_PID(r4)
+ PPC_LL r11, VCPU_SHARED(r4)
diff --git a/queue-4.4/powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch b/queue-4.4/powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch
new file mode 100644
index 00000000000..4858b07a3cc
--- /dev/null
+++ b/queue-4.4/powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch
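Review bot: The flush block added to bookehv_interrupts.S carries no comment, so the reason for flushing on this path (the guest-to-host transition, per the commit message) is recoverable only from git history; a one-liner above the section such as `/* Guest-to-host transition: flush the branch predictor before any host indirect branch runs */` would keep that visible in the code. Using r10 as the scratch register is safe here because `mfspr r10, SPRN_PID` reloads it immediately after the section. The surrounding handler starts and ends outside the hunk.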
@@ -0,0 +1,81 @@
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun
+Date: Mon, 29 Apr 2019 18:49:04 +0300
+Subject: powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit)
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun
+Message-ID: <1556552948-24957-5-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun
+
+commit 7fef436295bf6c05effe682c8797dfcb0deb112a upstream.
+
+In order to protect against speculation attacks on
+indirect branches, the branch predictor is flushed at
+kernel entry to protect for the following situations:
+- userspace process attacking another userspace process
+- userspace process attacking the kernel
+Basically when the privillege level change (i.e.the kernel
+is entered), the branch predictor state is flushed.
+
+Signed-off-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/head_booke.h | 6 ++++++
+ arch/powerpc/kernel/head_fsl_booke.S | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+--- a/arch/powerpc/kernel/head_booke.h
++++ b/arch/powerpc/kernel/head_booke.h
+@@ -42,6 +42,9 @@
+ andi. r11, r11, MSR_PR; /* check whether user or kernel */\
+ mr r11, r1; \
+ beq 1f; \
++START_BTB_FLUSH_SECTION \
++ BTB_FLUSH(r11) \
++END_BTB_FLUSH_SECTION \
+ /* if from user, start at top of this thread's kernel stack */ \
+ lwz r11, THREAD_INFO-THREAD(r10); \
+ ALLOC_STACK_FRAME(r11, THREAD_SIZE); \
+@@ -127,6 +130,9 @@
+ stw r9,_CCR(r8); /* save CR on stack */\
+ mfspr r11,exc_level_srr1; /* check whether user or kernel */\
+ DO_KVM BOOKE_INTERRUPT_##intno exc_level_srr1; \
++START_BTB_FLUSH_SECTION \
++ BTB_FLUSH(r10) \
++END_BTB_FLUSH_SECTION \
+ andi. 
r11,r11,MSR_PR; \
+ mfspr r11,SPRN_SPRG_THREAD; /* if from user, start at top of */\
+ lwz r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\
+--- a/arch/powerpc/kernel/head_fsl_booke.S
++++ b/arch/powerpc/kernel/head_fsl_booke.S
+@@ -451,6 +451,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
+ mfcr r13
+ stw r13, THREAD_NORMSAVE(3)(r10)
+ DO_KVM BOOKE_INTERRUPT_DTLB_MISS SPRN_SRR1
++START_BTB_FLUSH_SECTION
++ mfspr r11, SPRN_SRR1
++ andi. r10,r11,MSR_PR
++ beq 1f
++ BTB_FLUSH(r10)
++1:
++END_BTB_FLUSH_SECTION
+ mfspr r10, SPRN_DEAR /* Get faulting address */
+ 
+ /* If we are faulting a kernel address, we have to use the
+@@ -545,6 +552,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
+ mfcr r13
+ stw r13, THREAD_NORMSAVE(3)(r10)
+ DO_KVM BOOKE_INTERRUPT_ITLB_MISS SPRN_SRR1
++START_BTB_FLUSH_SECTION
++ mfspr r11, SPRN_SRR1
++ andi. r10,r11,MSR_PR
++ beq 1f
++ BTB_FLUSH(r10)
++1:
++END_BTB_FLUSH_SECTION
++
+ mfspr r10, SPRN_SRR0 /* Get faulting address */
+ 
+ /* If we are faulting a kernel address, we have to use the
diff --git a/queue-4.4/powerpc-fsl-sanitize-the-syscall-table-for-nxp-powerpc-32-bit-platforms.patch b/queue-4.4/powerpc-fsl-sanitize-the-syscall-table-for-nxp-powerpc-32-bit-platforms.patch
new file mode 100644
index 00000000000..6798320a4a7
--- /dev/null
+++ b/queue-4.4/powerpc-fsl-sanitize-the-syscall-table-for-nxp-powerpc-32-bit-platforms.patch
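Review bot: The flush inserted in the second head_booke.h hunk (the exc_level_srr1 prolog) runs before `andi. r11,r11,MSR_PR`, so it executes for kernel-originated exceptions on that path too, whereas the NORMAL prolog (flush after `beq 1f`) and both TLB-miss handlers in head_fsl_booke.S (`andi. r10,r11,MSR_PR` then `beq 1f`) flush only on entry from user mode; if the unconditional flush there is intended, a comment saying why would stop the next reader from "fixing" it into the gated form. In the DTLB and ITLB hunks the `andi.` clobbers CR0 only after `mfcr r13` / `stw r13, THREAD_NORMSAVE(3)(r10)` have saved CR, and r10 and r11 are overwritten after r10's last use as the thread pointer, with `mfspr r10, SPRN_DEAR` / `mfspr r10, SPRN_SRR0` reloading r10 right after the section, so the register usage looks consistent as far as the hunks show. The prolog macros and both TLB handlers start and end outside the hunks.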
@@ -0,0 +1,47 @@
+From foo@baz Tue 30 Apr 2019 12:38:50 PM CEST
+From: Diana Craciun
+Date: Mon, 29 Apr 2019 18:49:05 +0300
+Subject: powerpc/fsl: Sanitize the syscall table for NXP PowerPC 32 bit platforms
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: linuxppc-dev@ozlabs.org, mpe@ellerman.id.au, Diana Craciun
+Message-ID: <1556552948-24957-6-git-send-email-diana.craciun@nxp.com>
+
+From: Diana Craciun
+
+commit c28218d4abbf4f2035495334d8bfcba64bda4787 upstream.
+
+Used barrier_nospec to sanitize the syscall table.
+
+Signed-off-by: Diana Craciun
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/entry_32.S | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/kernel/entry_32.S
++++ b/arch/powerpc/kernel/entry_32.S
+@@ -33,6 +33,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ /*
+ * MSR_KERNEL is > 0x10000 on 4xx/Book-E since it include MSR_CE.
+@@ -340,6 +341,15 @@ syscall_dotrace_cont:
+ ori r10,r10,sys_call_table@l
+ slwi r0,r0,2
+ bge- 66f
++
++ barrier_nospec_asm
++ /*
++ * Prevent the load of the handler below (based on the user-passed
++ * system call number) being speculatively executed until the test
++ * against NR_syscalls and branch to .66f above has
++ * committed.
++ */
++
+ lwzx r10,r10,r0 /* Fetch system call handler [ptr] */
+ mtlr r10
+ addi r9,r1,STACK_FRAME_OVERHEAD
diff --git a/queue-4.4/series b/queue-4.4/series
index ac528bdd529..b6cb5667233 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
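Review bot: The explanatory comment in the entry_32.S hunk is placed after `barrier_nospec_asm` rather than above the instruction it explains, and it refers to the label as `.66f` while the branch it describes is `bge- 66f`; moving the comment block above the barrier and writing `66f` keeps it attached to the right instruction and the right label. The added `#include` line shows no header name in this rendering, as do the three context includes above it, which looks like an extraction artefact rather than a defect in the queued patch, but the file should be checked against the upstream commit named in the patch header before it is queued. `syscall_dotrace_cont:` continues outside the hunk.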
@@ -76,3 +76,9 @@ ipv4-add-sanity-checks-in-ipv4_link_failure.patch
 team-fix-possible-recursive-locking-when-add-slaves.patch
 net-stmmac-move-stmmac_check_ether_addr-to-driver-probe.patch
 ipv4-set-the-tcp_min_rtt_wlen-range-from-0-to-one-day.patch
+powerpc-fsl-enable-runtime-patching-if-nospectre_v2-boot-arg-is-used.patch
+powerpc-fsl-flush-branch-predictor-when-entering-kvm.patch
+powerpc-fsl-emulate-sprn_bucsr-register.patch
+powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-32-bit.patch
+powerpc-fsl-sanitize-the-syscall-table-for-nxp-powerpc-32-bit-platforms.patch
+powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch
-- 
2.47.2