Received: by 10.223.185.116 with SMTP id b49csp534760wrg; Fri, 16 Feb 2018 03:09:18 -0800 (PST) X-Google-Smtp-Source: AH8x227R7W1ettUy/RrnOtDnMmS6Uwd53fvgzPbWclPCMwz0LEg8s2UKvSfnhs4oAiTo9GqajJtM X-Received: by 2002:a17:902:567:: with SMTP id 94-v6mr1133055plf.66.1518779358327; Fri, 16 Feb 2018 03:09:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518779358; cv=none; d=google.com; s=arc-20160816; b=pFmb8YlVmCmd5wGZ2Gi1R2akhj6ctTE3MDMIdgr5wUjlrTMZ2Hl2Pf9/s7M6p928h0 qAfk/Uxy96t8A9qm8sim16fZ3QMlaXamUhcSEqg09f5FeY9tT60piEU8TSCIv30wfj12 jpM3/COnwNYxCVPKaI9y1t6SEgWJH0B0EUlfsA3W9c5Q3fiMhavj7dl4UqzFYRzKe9JZ QpM11dnj7rZl6gQAIbWqHiSPXlQ8nTiC9rB3WTlYUPjDmqe4CF1he4t0LNe9imYENDRO FHWuHCZ7UMy9CrLkrq1ODiFaISKbP/bMsgf4zk/S/EB0fPDVAhw51sNcocN/Q1hgsQ85 lDng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=+fm0dQdB5EhReBNDdrUCHiMKjd2C4m+l5zPvxCtfc2U=; b=upJYih6siTt5QN7R+BlTEjRU6Qrzn049QY1Fo3Rj0QKKmet9mK3eAdgwidCQX2ix4A VZ9nhxWMsZBQHMWf4FhCm5MOZ15t65xTEueqfbfWroL2pOYdsKlocbKApcksoTFhCdIi JisGKM+yVzUxewbXxlGXFB8zk4X8PApXsXE21dwKHQM6FzZzzUaVoNL+lSGxABTtD4z3 W+VIItFY1LA6MLR1g8+vr6FB7Iap3dtCLX1/64Pbb5PC2xh1bW7Y0MUVwxuNlruNj2Kf WzPB4dnUgP0ddvtLfeI1eLKurasujcc/43Km1O5HTe5VXdgDQmPDvQg+TOq9SE8GUejQ AjTQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d2-v6si12047507plh.27.2018.02.16.03.09.03; Fri, 16 Feb 2018 03:09:18 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1427451AbeBORja (ORCPT + 99 others); Thu, 15 Feb 2018 12:39:30 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:56548 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1164711AbeBOPcu (ORCPT ); Thu, 15 Feb 2018 10:32:50 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 6C300FE0; Thu, 15 Feb 2018 15:32:49 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Hettena , Marc Zyngier , Will Deacon , Catalin Marinas , Ard Biesheuvel Subject: [PATCH 4.14 074/195] [Variant 2/Spectre-v2] arm64: entry: Apply BP hardening for suspicious interrupts from EL0 Date: Thu, 15 Feb 2018 16:16:05 +0100 Message-Id: <20180215151709.395680184@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180215151705.738773577@linuxfoundation.org> References: <20180215151705.738773577@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Will Deacon Commit 30d88c0e3ace upstream. It is possible to take an IRQ from EL0 following a branch to a kernel address in such a way that the IRQ is prioritised over the instruction abort. Whilst an attacker would need to get the stars to align here, it might be sufficient with enough calibration so perform BP hardening in the rare case that we see a kernel address in the ELR when handling an IRQ from EL0. Reported-by: Dan Hettena Reviewed-by: Marc Zyngier Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman --- arch/arm64/kernel/entry.S | 5 +++++ arch/arm64/mm/fault.c | 6 ++++++ 2 files changed, 11 insertions(+) --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -821,6 +821,11 @@ el0_irq_naked: #endif ct_user_exit +#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR + tbz x22, #55, 1f + bl do_el0_irq_bp_hardening +1: +#endif irq_handler #ifdef CONFIG_TRACE_IRQFLAGS --- a/arch/arm64/mm/fault.c +++ b/arch/arm64/mm/fault.c @@ -751,6 +751,12 @@ asmlinkage void __exception do_mem_abort arm64_notify_die("", regs, &info, esr); } +asmlinkage void __exception do_el0_irq_bp_hardening(void) +{ + /* PC has already been checked in entry.S */ + arm64_apply_bp_hardening(); +} + asmlinkage void __exception do_el0_ia_bp_hardening(unsigned long addr, unsigned int esr, struct pt_regs *regs)