Received: by 10.223.185.116 with SMTP id b49csp99266wrg;
        Thu, 15 Feb 2018 17:27:52 -0800 (PST)
X-Google-Smtp-Source: AH8x227ZbCqbm1vY0sA5rni95h1SKdpAGHzOMlZ4SsJQDbAEIrBHLrIBYKM1bew37vpym4h2PF92
X-Received: by 10.99.125.19 with SMTP id y19mr306334pgc.285.1518744472840;
        Thu, 15 Feb 2018 17:27:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518744472; cv=none;
        d=google.com; s=arc-20160816;
        b=zpvCs8qwzGB4VYrePH8JgYNIX7uZDEF17Bis0ijPRLUmkPCNiiJyKYo7pfGKX5Pcyi
         3vLt/WvAOUgY5KdPjopXSoscjVSl416jpcCINj8Wk9M3kTvKqKw3Xjbl20t7D8PCCk9x
         hhuwBNsMxn8X4vGR4ABG2dnqUk0o7e4uovv9scsnOt0j+pwecmAZKdO/sEV5iCL7DBOX
         NKVD2Mcxl1Q8k5Eab0rTf62vhOrdAnv8YNJQodk1OOxuoxYhDlRuSaPMbZnc4xrAN63c
         rJGQwBCr0pw4/yFb6nbkIuAshgO5rR5j8dJte1ZT3ig/JrWSrof9QJFFb9C8Ng4WDead
         LdZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=XBlDDc/VHMoOUiO92bYLatONXnoNgzLm5aZCq0XH6Wg=;
        b=UxexMZsMPaTJNv59HV/WIsOipJinrtgMIYnAh2uLWxcXvEpGnAC787i97tdS+/hQmb
         VAMw5EF0BApvfNVmryyIC3eBIB1lVV1sYjTqQoI1xk7Y7ppJQpAVscW1JxqwXoXlLfWE
         4w4p4RAtHStvCv+dWU1195LYtBtprAiNJlYGwsn9b8UnYN7A0fp6Xnhxgi0PgZhwO2TV
         CHFADn6oAxPuqQKTZrR8zlU0EBak3ePSGHRyKITz31MPRTOGnYcCXe6uTrldij46Unx4
         luWUF6V0+H3t07Oc31KcBzAW74yQ4RcRS7HI0NYIJr6nX4HEnj+mey9hQvb1BQRdD9Zj
         ROHQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z9si427107pgp.675.2018.02.15.17.27.38;
        Thu, 15 Feb 2018 17:27:52 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1423993AbeBOPlj (ORCPT <rfc822;kkdevenda@gmail.com> + 99 others);
        Thu, 15 Feb 2018 10:41:39 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:60942 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1423981AbeBOPlg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Feb 2018 10:41:36 -0500
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id E3B84DD6;
        Thu, 15 Feb 2018 15:41:35 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Dan Hettena <dhettena@nvidia.com>,
        Marc Zyngier <marc.zyngier@arm.com>,
        Will Deacon <will.deacon@arm.com>,
        Catalin Marinas <catalin.marinas@arm.com>
Subject: [PATCH 4.15 067/202] [Variant 2/Spectre-v2] arm64: entry: Apply BP hardening for suspicious interrupts from EL0
Date:   Thu, 15 Feb 2018 16:16:07 +0100
Message-Id: <20180215151716.998604993@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180215151712.768794354@linuxfoundation.org>
References: <20180215151712.768794354@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>


Commit 30d88c0e3ace upstream.

It is possible to take an IRQ from EL0 following a branch to a kernel
address in such a way that the IRQ is prioritised over the instruction
abort. Whilst an attacker would need to get the stars to align here,
it might be sufficient with enough calibration so perform BP hardening
in the rare case that we see a kernel address in the ELR when handling
an IRQ from EL0.

Reported-by: Dan Hettena <dhettena@nvidia.com>
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/entry.S |    5 +++++
 arch/arm64/mm/fault.c     |    6 ++++++
 2 files changed, 11 insertions(+)

--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -828,6 +828,11 @@ el0_irq_naked:
 #endif
 
 	ct_user_exit
+#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
+	tbz	x22, #55, 1f
+	bl	do_el0_irq_bp_hardening
+1:
+#endif
 	irq_handler
 
 #ifdef CONFIG_TRACE_IRQFLAGS
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -707,6 +707,12 @@ asmlinkage void __exception do_mem_abort
 	arm64_notify_die("", regs, &info, esr);
 }
 
+asmlinkage void __exception do_el0_irq_bp_hardening(void)
+{
+	/* PC has already been checked in entry.S */
+	arm64_apply_bp_hardening();
+}
+
 asmlinkage void __exception do_el0_ia_bp_hardening(unsigned long addr,
 						   unsigned int esr,
 						   struct pt_regs *regs)