Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp190175imu; Wed, 21 Nov 2018 17:56:04 -0800 (PST) X-Google-Smtp-Source: AJdET5dlL9q6U6UFGRIhdGlftA7Cy43lM5dtVReeCbr/0rdZ4iQU4bYuM886TBHG/T8cdgXKtbr5 X-Received: by 2002:a62:5c06:: with SMTP id q6-v6mr9519184pfb.171.1542851763948; Wed, 21 Nov 2018 17:56:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542851763; cv=none; d=google.com; s=arc-20160816; b=TgjkReTvv0oXtn0JsR3PlEFXgO8fvzEoPFvg80b0AVdRFsW6h4jTofog/0T//Q6nbn 2k7nSW6o7IryYOx0XTYJXyZSJO4MtLrrjVg8X4QlVA0J0fORI7y6Nq35NPnYbveKUFDK 0jF6P5ECbmI+ub9eLyxjNGE9JC06GvRYvlrYkASwLBAIS7tXO1U47HqoYqH0Bp7BgqUT tyA3qGb6Dsh/EeZ90B33/4P4OEqp6H1mcBikAzQ18rRxMPRr+NAZ1jyeKzAmElcYMMnv Nhqwc68VH4n0xc6f23/5BLC3iZZMBDUY+IqipYHcmMChMp6QNyJx/LYtZllnEqi+xtH8 zJnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=JJdez0tjmLSLYx3t9vM7l6J/1ybk7TiinunILnZFUCQ=; b=UVxT2pvTHkQEBTk/+5AtGe4+P6QN+E0BMIyeJho/l5wVhOfEjFymQXP9YQuYnVhFMh CLi+pEQZ1Ec7A5e/hshPp4ZkVolzb4I5OU30TOaKUAJlzwVs7/n9URxAV+X17dyt89A4 i8qJKh8jhpVOnxaCyAVeZSCUnCsCaocgaUJFrTxUg/LktUmv1PxqDKjyD/Aqn2NoiN8/ V+2rcC+uH0SPZRM0xUyhPju7CtVDACVvWjuruSJCD3tUu2/LR6n4zmCe3ghQGhqw8aCW 4dWRnDqrJ0TrL80QH+jx3UPDtl+4fuBwQ6JxrFcwIjPnEtvklDwYFZ+FWyT/2QdrpzZ9 5Orw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="ZzxxW/HZ"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
[209.132.180.67]) by mx.google.com with ESMTP id w14-v6si46562941plq.327.2018.11.21.17.55.48; Wed, 21 Nov 2018 17:56:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="ZzxxW/HZ"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732410AbeKVFrI (ORCPT + 99 others); Thu, 22 Nov 2018 00:47:08 -0500 Received: from mail.kernel.org ([198.145.29.99]:42536 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729280AbeKVFrH (ORCPT ); Thu, 22 Nov 2018 00:47:07 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7EBAB214D9; Wed, 21 Nov 2018 19:11:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1542827494; bh=YhxH9ScPviRRfT6QthgYOj5OmkOey74PjdJDU7eM1ck=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZzxxW/HZLGlfonLxmmUZh45vJYTt/Ib3V6gEkiPES4YW7KgoTrT9k0wFF587+8ZVn eQtw/shPZU0Ek0xToDvKtcJgHg2M/vJKHbFnYP83vLgv+avB2QBOL3gwVTpyyW58e1 qvYX3axP1yrLPj2/8iiMzdvxVjNJjlSEz2qvbeoI= 
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Russell King , Mark Rutland , Tony Lindgren , "David A. Long" Subject: [PATCH 4.9 53/59] ARM: spectre-v1: fix syscall entry Date: Wed, 21 Nov 2018 20:07:08 +0100 Message-Id: <20181121183510.386462727@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181121183508.262873520@linuxfoundation.org> References: <20181121183508.262873520@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Russell King Commit 10573ae547c85b2c61417ff1a106cffbfceada35 upstream. Prevent speculation at the syscall table decoding by clamping the index used to zero on invalid system call numbers, and using the csdb speculative barrier. Signed-off-by: Russell King Acked-by: Mark Rutland Boot-tested-by: Tony Lindgren Reviewed-by: Tony Lindgren Signed-off-by: David A. Long Signed-off-by: Greg Kroah-Hartman
---
 arch/arm/kernel/entry-common.S | 18 +++++++-----------
 arch/arm/kernel/entry-header.S | 25 +++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 11 deletions(-)
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -223,9 +223,7 @@ local_restart:
 tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
 bne __sys_trace
- cmp scno, #NR_syscalls @ check upper syscall limit
- badr lr, ret_fast_syscall @ return address
- ldrcc pc, [tbl, scno, lsl #2] @ call sys_* routine
+ invoke_syscall tbl, scno, r10, ret_fast_syscall
 add r1, sp, #S_OFF
 2: cmp scno, #(__ARM_NR_BASE - __NR_SYSCALL_BASE)
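Review bot: In the `local_restart` hunk the new `invoke_syscall tbl, scno, r10, ret_fast_syscall` hands r10 to the macro as its scratch register, yet r10 still holds the thread flags tested by `tst r10, #_TIF_SYSCALL_WORK` two lines earlier, and nothing at the call site says it is overwritten. With CONFIG_CPU_SPECTRE the macro copies the clamped syscall number into it, while without that option r10 is left alone, so its contents after this line depend on the configuration. A trailing comment such as `@ r10 = scratch, thread flags dead from here` would make that explicit; the same applies to the `invoke_syscall ... reload=1` call in the `__sys_trace` hunk. The code after the `2:` label lies outside the hunk, so whether anything later reads r10 cannot be confirmed from here.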
@@ -258,14 +256,8 @@ __sys_trace:
 mov r1, scno
 add r0, sp, #S_OFF
 bl syscall_trace_enter
-
- badr lr, __sys_trace_return @ return address
- mov scno, r0 @ syscall number (possibly new)
- add r1, sp, #S_R0 + S_OFF @ pointer to regs
- cmp scno, #NR_syscalls @ check upper syscall limit
- ldmccia r1, {r0 - r6} @ have to reload r0 - r6
- stmccia sp, {r4, r5} @ and update the stack args
- ldrcc pc, [tbl, scno, lsl #2] @ call sys_* routine
+ mov scno, r0
+ invoke_syscall tbl, scno, r10, __sys_trace_return, reload=1
 cmp scno, #-1 @ skip the syscall?
 bne 2b
 add sp, sp, #S_OFF @ restore stack
@@ -317,6 +309,10 @@ sys_syscall:
 bic scno, r0, #__NR_OABI_SYSCALL_BASE
 cmp scno, #__NR_syscall - __NR_SYSCALL_BASE
 cmpne scno, #NR_syscalls @ check range
+#ifdef CONFIG_CPU_SPECTRE
+ movhs scno, #0
+ csdb
+#endif
 stmloia sp, {r5, r6} @ shuffle args
 movlo r0, r1
 movlo r1, r2
--- a/arch/arm/kernel/entry-header.S
+++ b/arch/arm/kernel/entry-header.S
@@ -377,6 +377,31 @@
 #endif
 .endm
+ .macro invoke_syscall, table, nr, tmp, ret, reload=0
+#ifdef CONFIG_CPU_SPECTRE
+ mov \tmp, \nr
+ cmp \tmp, #NR_syscalls @ check upper syscall limit
+ movcs \tmp, #0
+ csdb
+ badr lr, \ret @ return address
+ .if \reload
+ add r1, sp, #S_R0 + S_OFF @ pointer to regs
+ ldmccia r1, {r0 - r6} @ reload r0-r6
+ stmccia sp, {r4, r5} @ update stack arguments
+ .endif
+ ldrcc pc, [\table, \tmp, lsl #2] @ call sys_* routine
+#else
+ cmp \nr, #NR_syscalls @ check upper syscall limit
+ badr lr, \ret @ return address
+ .if \reload
+ add r1, sp, #S_R0 + S_OFF @ pointer to regs
+ ldmccia r1, {r0 - r6} @ reload r0-r6
+ stmccia sp, {r4, r5} @ update stack arguments
+ .endif
+ ldrcc pc, [\table, \nr, lsl #2] @ call sys_* routine
+#endif
+ .endm
+
 /*
 * These are the registers used in the syscall handler, and allow us to
 * have in theory up to 7 arguments to a function - r0 to r6.
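Review bot: In the `__sys_trace` hunk the replacement line `mov scno, r0` drops the old comment, which was the only hint that syscall_trace_enter may hand back a different syscall number; I would keep it as `mov scno, r0 @ syscall number (possibly new)`. It is also worth a comment at the call that the macro clamps its scratch register rather than scno, because the `cmp scno, #-1 @ skip the syscall?` directly after it needs the unclamped value that syscall_trace_enter returned.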
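Review bot: In the `sys_syscall` hunk `movhs scno, #0` clamps scno itself instead of a scratch copy, so on the out-of-range path the original number is gone from this point on, unlike the invoke_syscall macro, which clamps a temporary. The remainder of sys_syscall is outside the hunk; if anything on the hs path still reads scno it now sees 0, and that should be confirmed. A comment on the new lines, for example `@ clamp index so a mis-speculated lo path stays inside the table`, would also explain why the pair sits ahead of the conditional `stmloia`/`movlo` sequence.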
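Review bot: The new `invoke_syscall` macro in entry-header.S has no header comment, and its contract is not obvious from the body: it always overwrites lr, overwrites `\tmp` only when CONFIG_CPU_SPECTRE is set, and with `reload=1` rewrites r1 and, for in-range numbers, reloads r0-r6 and stores r4 and r5 to the stack. I would add a block comment above `.macro` listing those clobbers and stating that an out-of-range `\nr` falls through to the instruction after the macro with `\nr` unchanged. The same comment should note that the flags set by `cmp` must stay live until `ldrcc`, so no flag-setting instruction may be inserted between them in either `#ifdef` arm.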