Received: by 10.192.165.156 with SMTP id m28csp246683imm;
        Tue, 17 Apr 2018 09:27:21 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+Ek+rl8wf5V4jJDbaxgcl8r5JjWlASWk+L7P4IUQkyVHBHY4NPKljF/h+/TJrC+qd5UEDl
X-Received: by 2002:a17:902:7405:: with SMTP id g5-v6mr2712227pll.4.1523982441273;
        Tue, 17 Apr 2018 09:27:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523982441; cv=none;
        d=google.com; s=arc-20160816;
        b=eEWMhtHIg3MMvWnVjgGmHLbNZpdPvvukzAeRhdN9ynUbOdBNlzLJ1+J0uN2BSGwu50
         SG6aqB8IXiy4M0s6ozGT6nkUf4MmNxv3xd9AieCUxgKWr/MUutynQMH0NRAJaZDZJIZ/
         kX4W4NS031m/Q1aaXFPScetbmARQVkLyYwVaSfgkw+C4IDumbEMgVn6wVZuaYiyybWWf
         LK6nYY4QFu377ees9yK1Sb10KlmqN2ScYHBGMe0mwRzblmJN6b+0Xu2zR0kfR+ET0Hd3
         vJrXawzePTakM2VOVBvsSDxA3jZDUpT0D6f2WbN5245DWzJINGRm36RiwXecYq5rSd1+
         0FCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=beb4xM8hnIH6wkwkxgTZ17oRM05hctvHBDVFUkGbl34=;
        b=ZYtoCWrZmqJ25lickvFqcrvdeFZDV7gLZAUIm8bnKlmbtPpB409igjOSlWXaTOFCpm
         KZaLdy+6704587erALA05xu+1sWKVrSqNt3FR+m4M4V1ooTVm4avVzaU0MqNk/R/4NKP
         cYnDaQWgnf3rG59zDzPQwpDuq7vTB+5ZHf8GugQu7MvV+FLLhzuLtgzvmY9r4sFGJH2v
         +WatxMOEZJFK/0eDi6GQxLnkUmAqVFjzvC/kKxjhi/InfQsuOFekfZc6jja5eM2PpiJI
         7DRsNrPKXWv513CvYZyDoyudEO5AEAtYe3Fs4kiA6XbkObn83on+0WLK8ITOWy6THOn3
         VEvA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c184si12944209pfc.367.2018.04.17.09.27.06;
        Tue, 17 Apr 2018 09:27:21 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755731AbeDQQZG (ORCPT <rfc822;charleyewang@gmail.com>
        + 99 others); Tue, 17 Apr 2018 12:25:06 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:35656 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932077AbeDQQJG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Apr 2018 12:09:06 -0400
Received: from localhost (unknown [46.44.180.42])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id D645EC98;
        Tue, 17 Apr 2018 16:09:05 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Dan Hettena <dhettena@nvidia.com>,
        Marc Zyngier <marc.zyngier@arm.com>,
        Will Deacon <will.deacon@arm.com>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Greg Hackmann <ghackmann@google.com>,
        Mark Rutland <mark.rutland@arm.com>
Subject: [PATCH 4.9 30/66] arm64: entry: Apply BP hardening for suspicious interrupts from EL0
Date:   Tue, 17 Apr 2018 17:59:03 +0200
Message-Id: <20180417155647.179857158@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180417155645.868055442@linuxfoundation.org>
References: <20180417155645.868055442@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>


From: Will Deacon <will.deacon@arm.com>

commit 30d88c0e3ace625a92eead9ca0ad94093a8f59fe upstream.

It is possible to take an IRQ from EL0 following a branch to a kernel
address in such a way that the IRQ is prioritised over the instruction
abort. Whilst an attacker would need to get the stars to align here,
it might be sufficient with enough calibration so perform BP hardening
in the rare case that we see a kernel address in the ELR when handling
an IRQ from EL0.

Reported-by: Dan Hettena <dhettena@nvidia.com>
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/entry.S |    5 +++++
 arch/arm64/mm/fault.c     |    6 ++++++
 2 files changed, 11 insertions(+)

--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -686,6 +686,11 @@ el0_irq_naked:
 #endif
 
 	ct_user_exit
+#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
+	tbz	x22, #55, 1f
+	bl	do_el0_irq_bp_hardening
+1:
+#endif
 	irq_handler
 
 #ifdef CONFIG_TRACE_IRQFLAGS
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -590,6 +590,12 @@ asmlinkage void __exception do_mem_abort
 	arm64_notify_die("", regs, &info, esr);
 }
 
+asmlinkage void __exception do_el0_irq_bp_hardening(void)
+{
+	/* PC has already been checked in entry.S */
+	arm64_apply_bp_hardening();
+}
+
 asmlinkage void __exception do_el0_ia_bp_hardening(unsigned long addr,
 						   unsigned int esr,
 						   struct pt_regs *regs)