Subject: Re: arm64 spectre-bhb backports break boot on stable kernels <= v5.4
To: Will Deacon
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 gregkh@linuxfoundation.org, maz@kernel.org, catalin.marinas@arm.com,
 mark.rutland@arm.com
References: <20220408120041.GB27685@willie-the-truck>
 <1a44f42c-0391-7428-ac85-1e27aaf0be14@arm.com>
 <20220408162139.GB28108@willie-the-truck>
From: James Morse
Message-ID:
Date: Fri, 8 Apr 2022 17:38:13 +0100
In-Reply-To: <20220408162139.GB28108@willie-the-truck>
List-ID: <linux-kernel.vger.kernel.org>

Hi Will,

On 08/04/2022 17:21, Will Deacon wrote:
> On Fri, Apr 08, 2022 at 05:08:00PM +0100, James Morse wrote:
>> On 08/04/2022 13:00, Will Deacon wrote:
>>> Booting stable kernels <= v5.4 on arm64 with CONFIG_HARDEN_BRANCH_PREDICTOR=n
>>> results in a NULL pointer dereference during boot due to kvm_get_hyp_vector()
>>> dereferencing a NULL pointer from arm64_get_bp_hardening_data():
>>>
>>> [    2.384444] Internal error: Oops: 96000004 [#1] PREEMPT SMP
>>> [    2.384461] pstate: 20400085 (nzCv daIf +PAN -UAO)
>>> [    2.384472] pc : cpu_hyp_reinit+0x114/0x30c
>>> [    2.384476] lr : cpu_hyp_reinit+0x80/0x30c
>>> [    2.385171] Kernel panic - not syncing: Fatal exception in interrupt
>>
>> Yikes!
>>
>> Interesting to know that stuff behind CONFIG_EXPERT has someone who cares about it.
>> (I was going to propose dropping the Kconfig option after a while).
>
> Yup! FWIW, the hardening options are enabled in Android (GKI), but this was
> reported to us externally by somebody using a custom config.
>
>>> I can bodge this as below (untested), but it's pretty grotty.
>>
>> I wanted to keep the detection code even if the feature is disabled so the sysfs reporting
>> is always correct.
>
> Makes sense.
>
> Another option is to check for ARM64_HARDEN_BRANCH_PREDICTOR in
> spectre_bhb_enable_mitigation(), but then I think the KVM code would need
> to query the mitigation state rather than just the cap.

It already does, but as you say KVM is only using the cap here.

>>> Please can you take a look?
>>
>> Ugh, arm64_get_bp_hardening_data() returns NULL with that Kconfig setup.
>>
>>
>> For v5.4, this fixes it for me:
>> --------------------%<--------------------
>> diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h
>> index 78d110667c0c..ffe0aad96b17 100644
>> --- a/arch/arm64/include/asm/kvm_mmu.h
>> +++ b/arch/arm64/include/asm/kvm_mmu.h
>> @@ -479,7 +479,8 @@ static inline void *kvm_get_hyp_vector(void)
>>  	int slot = -1;
>>  
>>  	if ((cpus_have_const_cap(ARM64_HARDEN_BRANCH_PREDICTOR) ||
>> -	     cpus_have_const_cap(ARM64_SPECTRE_BHB)) && data->template_start) {
>> +	     cpus_have_const_cap(ARM64_SPECTRE_BHB)) &&
>> +	     data && data->template_start) {
>>  		vect = kern_hyp_va(kvm_ksym_ref(__bp_harden_hyp_vecs_start));
>>  		slot = data->hyp_vectors_slot;
>>  	}
>
> That'll work, but will sysfs report that BHB is mitigated even if
> !ARM64_HARDEN_BRANCH_PREDICTOR?

The (!IS_ENABLED(CONFIG_HARDEN_BRANCH_PREDICTOR)) in check_branch_predictor() will set
__hardenbp_enab to false, which get_spectre_v2_workaround_state() picks up and causes
spectre_bhb_enable_mitigation() to skip all the mitigations, leaving state = SPECTRE_VULNERABLE.

(The interactions with the other Spectre mitigations across the stable kernels
were/continue-to-be a pain in the neck)

>> --------------------%<--------------------
>>
>> I'll check the other versions and post patches to the stable list. Earlier stable
>> backports grew a dependency between these features as it wasn't possible to unpick the
>> dependencies.
>
> Cheers. I know 4.19 is busted too, but I didn't check 4.14.

Yup, I've just reproduced that one. I suspect v4.14 is where I added the Kconfig dependency.


Thanks,

James
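Review bot: the new `data && data->template_start` guard in the kvm_get_hyp_vector() hunk has no comment saying why data can be NULL, and when it is NULL while ARM64_HARDEN_BRANCH_PREDICTOR or ARM64_SPECTRE_BHB is set the function silently falls through with slot = -1 and the unhardened vector instead of failing loudly. The reply explains that this is the intended outcome for CONFIG_HARDEN_BRANCH_PREDICTOR=n (spectre_bhb_enable_mitigation() leaves the state SPECTRE_VULNERABLE, so sysfs agrees), but a reader of kvm_mmu.h alone cannot tell that from the cap checks, since the caps stay set while the hardening data is absent. Suggest a one-line comment above the condition, for example `/* data is NULL when CONFIG_HARDEN_BRANCH_PREDICTOR=n: use the plain vectors */`, or, as Will proposed, having KVM query the mitigation state rather than the cap so the cap/state mismatch is not encoded in a NULL check.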