From: Lecopzer Chen
To: ,
CC: , , , , , , Lecopzer Chen , Sebastian Andrzej Siewior , YJ Chiang
Subject: [PATCH] ARM: mm: harden branch predictor before opening interrupts during fault
Date: Thu, 3 Dec 2020 17:27:38 +0800
Message-ID: <20201203092738.11866-1-lecopzer.chen@mediatek.com>
X-Mailer: git-send-email 2.18.0
MIME-Version: 1.0
Content-Type: text/plain
X-MTK: N
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

This patch was sent by "Sebastian Andrzej Siewior" in [1] and rebased on v5.10-rc6.

The original commit message:

> On non-LPAE systems a write to 0xbffffff0 (modules area) from userland
> results in:
> | BUG: using smp_processor_id() in preemptible [00000000] code: mem-tc/521
> | caller is __do_user_fault.constprop.2+0x4c/0x74
> | CPU: 1 PID: 521 Comm: mem-tc Not tainted 5.1.0-rc1 #4
> | [] (debug_smp_processor_id) from [] (__do_user_fault.constprop.2+0x4c/0x74)
> | [] (__do_user_fault.constprop.2) from [] (do_page_fault+0x278/0x37c)
> | [] (do_page_fault) from [] (do_DataAbort+0x3c/0xa8)
> | [] (do_DataAbort) from [] (__dabt_usr+0x3c/0x40)
>
> Move harden_branch_predictor() from __do_user_fault() to both its
> callers (do_bad_area() and do_page_fault()). The invocation in
> do_page_fault() is added before interrupts are enabled. The invocation
> in do_bad_area() is added just before __do_user_fault() is invoked.

The BUG still exists in v5.10-rc, and the previous discussion was [2].

This issue can be easily reproduced in ARM with CONFIG_DEBUG_PREEMPT and
CONFIG_HARDEN_BRANCH_PREDICTOR by the following userspace program:

    int *p = 0xffff3ff4;
    *p = 123;

[1]: https://patchwork.kernel.org/project/linux-arm-kernel/patch/20190319203239.gl46fxnfz6gzeeic@linutronix.de/
[2]: https://lkml.org/lkml/2019/6/3/426

Fixes: f5fe12b1eaee2 ("ARM: spectre-v2: harden user aborts in kernel space")
Reported-by: Bernd Edlinger
Signed-off-by: Sebastian Andrzej Siewior
Signed-off-by: Lecopzer Chen Cc: YJ Chiang --- arch/arm/mm/fault.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c index efa402025031..f1b57b7d5a0c 100644 --- a/arch/arm/mm/fault.c +++ b/arch/arm/mm/fault.c @@ -138,9 +138,6 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig, { struct task_struct *tsk = current; - if (addr > TASK_SIZE) - harden_branch_predictor(); - #ifdef CONFIG_DEBUG_USER if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) || ((user_debug & UDBG_BUS) && (sig == SIGBUS))) { @@ -173,8 +170,11 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs) * If we are in kernel mode at this point, we * have no context to handle this fault with. */ - if (user_mode(regs)) + if (user_mode(regs)) { + if (addr > TASK_SIZE) + harden_branch_predictor(); __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs); + } else __do_kernel_fault(mm, addr, fsr, regs); } @@ -251,6 +251,9 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) tsk = current; mm = tsk->mm; + if (addr > TASK_SIZE && user_mode(regs)) + harden_branch_predictor(); + /* Enable interrupts if they were enabled in the parent context. */ if (interrupts_enabled(regs)) local_irq_enable(); -- 2.18.0
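Review bot: in the first hunk (@@ -138,9 +138,6 @@ __do_user_fault), dropping `if (addr > TASK_SIZE) harden_branch_predictor();` silently moves the obligation onto every caller, and nothing left in the function records that; add a comment above __do_user_fault() stating that callers must run harden_branch_predictor() themselves, while interrupts and preemption are still disabled, before calling it, so a caller added later without the check is caught in review rather than by the smp_processor_id() BUG quoted in the commit message.

Review bot: in the second hunk (@@ -173,8 +170,11 @@ do_bad_area), the rewritten statement now has a braced `if (user_mode(regs)) {` arm and an unbraced `else` arm calling __do_kernel_fault(); kernel coding style (and checkpatch) wants braces on both arms once either needs them, so wrap the else body as well. Since the same `addr > TASK_SIZE` plus user-mode condition is repeated in do_page_fault() in the next hunk, a small static helper (a hypothetical `harden_user_fault(addr, regs)`, name is a suggestion) would keep the two call sites from drifting apart.

Review bot: in the third hunk (@@ -251,6 +251,9 @@ do_page_fault), `if (addr > TASK_SIZE && user_mode(regs)) harden_branch_predictor();` is correctly placed before `local_irq_enable()`, but that ordering is the entire point of the fix and is not documented; add a comment such as `/* Must run before interrupts (and thus preemption) are enabled. */` so a later cleanup cannot move the call below the irq enable and reintroduce the "using smp_processor_id() in preemptible code" warning from the commit message.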