| From foo@baz Fri Mar 29 15:53:50 CET 2019 |
| From: Michael Ellerman <mpe@ellerman.id.au> |
| Date: Fri, 29 Mar 2019 22:26:14 +1100 |
| Subject: powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) |
| To: stable@vger.kernel.org, gregkh@linuxfoundation.org |
| Cc: linuxppc-dev@ozlabs.org, diana.craciun@nxp.com, msuchanek@suse.de, christophe.leroy@c-s.fr |
| Message-ID: <20190329112620.14489-27-mpe@ellerman.id.au> |
| |
| From: Diana Craciun <diana.craciun@nxp.com> |
| |
| commit 7fef436295bf6c05effe682c8797dfcb0deb112a upstream. |
| |
| In order to protect against speculation attacks on |
| indirect branches, the branch predictor is flushed at |
| kernel entry to protect for the following situations: |
| - userspace process attacking another userspace process |
| - userspace process attacking the kernel |
| Basically when the privilege level changes (i.e. the kernel |
| is entered), the branch predictor state is flushed. |
| |
| Signed-off-by: Diana Craciun <diana.craciun@nxp.com> |
| Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/powerpc/kernel/head_booke.h | 6 ++++++ |
| arch/powerpc/kernel/head_fsl_booke.S | 15 +++++++++++++++ |
| 2 files changed, 21 insertions(+) |
| |
| --- a/arch/powerpc/kernel/head_booke.h |
| +++ b/arch/powerpc/kernel/head_booke.h |
| @@ -43,6 +43,9 @@ |
| andi. r11, r11, MSR_PR; /* check whether user or kernel */\ |
| mr r11, r1; \ |
| beq 1f; \ |
| +START_BTB_FLUSH_SECTION \ |
| + BTB_FLUSH(r11) \ |
| +END_BTB_FLUSH_SECTION \ |
| /* if from user, start at top of this thread's kernel stack */ \ |
| lwz r11, THREAD_INFO-THREAD(r10); \ |
| ALLOC_STACK_FRAME(r11, THREAD_SIZE); \ |
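Review bot: `BTB_FLUSH(r11)` in this hunk overwrites r11 immediately after `mr r11, r1` copied the stack pointer into it, and nothing in the macro says why that is harmless. From the visible lines it is safe only because the flush sits on the from-user path (the `beq 1f` above skips it for kernel entries) and the next instruction, `lwz r11, THREAD_INFO-THREAD(r10)`, reloads r11. A comment such as `/* from user: r11 is dead until the lwz below, so it serves as BTB_FLUSH scratch */` would stop a later reordering from corrupting r11 or moving the flush off the user-entry path. The macro starts and ends outside this hunk.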
| @@ -128,6 +131,9 @@ |
| stw r9,_CCR(r8); /* save CR on stack */\ |
| mfspr r11,exc_level_srr1; /* check whether user or kernel */\ |
| DO_KVM BOOKE_INTERRUPT_##intno exc_level_srr1; \ |
| +START_BTB_FLUSH_SECTION \ |
| + BTB_FLUSH(r10) \ |
| +END_BTB_FLUSH_SECTION \ |
| andi. r11,r11,MSR_PR; \ |
| mfspr r11,SPRN_SPRG_THREAD; /* if from user, start at top of */\ |
| lwz r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\ |
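Review bot: `BTB_FLUSH(r10)` is placed before `andi. r11,r11,MSR_PR`, so in this prologue the flush runs for every exception, including those taken from kernel mode. The first hunk flushes only after `beq 1f` has skipped the kernel case, and the commit message describes a flush on privilege-level change. Over-flushing is the safe direction for the mitigation, but if it is deliberate it should be stated, e.g. `/* flush unconditionally: MSR_PR is only tested below */`. Otherwise the section belongs after the user/kernel test, which continues outside this hunk. Using r10 as scratch also relies on it having been saved earlier in the macro, which is not visible here.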
| --- a/arch/powerpc/kernel/head_fsl_booke.S |
| +++ b/arch/powerpc/kernel/head_fsl_booke.S |
| @@ -452,6 +452,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV) |
| mfcr r13 |
| stw r13, THREAD_NORMSAVE(3)(r10) |
| DO_KVM BOOKE_INTERRUPT_DTLB_MISS SPRN_SRR1 |
| +START_BTB_FLUSH_SECTION |
| + mfspr r11, SPRN_SRR1 |
| + andi. r10,r11,MSR_PR |
| + beq 1f |
| + BTB_FLUSH(r10) |
| +1: |
| +END_BTB_FLUSH_SECTION |
| mfspr r10, SPRN_DEAR /* Get faulting address */ |
| |
| /* If we are faulting a kernel address, we have to use the |
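Review bot: The flush sequence added to the DTLB-miss handler is repeated verbatim in the ITLB-miss hunk at -546, and in both places it reuses r10 and r11 as scratch and rewrites CR0 with `andi.` without saying why that is safe. The visible lines show CR stored just above (`mfcr r13` / `stw r13, THREAD_NORMSAVE(3)(r10)`) and r10 reloaded by the `mfspr r10, ...` that follows, but r11's save lies outside the hunks. A comment such as `/* r10, r11 and CR0 are free here: saved above, r10 reloaded below */` would record that invariant. The new numeric label `1:` also becomes the nearest target for any `1f` earlier or `1b` later in these handlers, whose bodies continue outside the hunks. Wrapping the sequence in a shared macro with a distinctive label would remove both the duplication and that risk.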
| @@ -546,6 +553,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV) |
| mfcr r13 |
| stw r13, THREAD_NORMSAVE(3)(r10) |
| DO_KVM BOOKE_INTERRUPT_ITLB_MISS SPRN_SRR1 |
| +START_BTB_FLUSH_SECTION |
| + mfspr r11, SPRN_SRR1 |
| + andi. r10,r11,MSR_PR |
| + beq 1f |
| + BTB_FLUSH(r10) |
| +1: |
| +END_BTB_FLUSH_SECTION |
| + |
| mfspr r10, SPRN_SRR0 /* Get faulting address */ |
| |
| /* If we are faulting a kernel address, we have to use the |