Patch "[Variant 3/Meltdown] arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN" has been added to the 4.15-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    [Variant 3/Meltdown] arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN

to the 4.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     arm64-mm-fix-and-re-enable-arm64_sw_ttbr0_pan.patch
and it can be found in the queue-4.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Tue Feb 13 17:25:10 CET 2018
From: Will Deacon <will.deacon@arm.com>
Date: Thu, 10 Aug 2017 13:58:16 +0100
Subject: [Variant 3/Meltdown] arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN

From: Will Deacon <will.deacon@arm.com>


Commit 27a921e75711 upstream.

With the ASID now installed in TTBR1, we can re-enable ARM64_SW_TTBR0_PAN
by ensuring that we switch to a reserved ASID of zero when disabling
user access and restore the active user ASID on the uaccess enable path.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/Kconfig                   |    1 -
 arch/arm64/include/asm/asm-uaccess.h |   25 +++++++++++++++++--------
 arch/arm64/include/asm/uaccess.h     |   21 +++++++++++++++++----
 arch/arm64/kernel/entry.S            |    4 ++--
 arch/arm64/lib/clear_user.S          |    2 +-
 arch/arm64/lib/copy_from_user.S      |    2 +-
 arch/arm64/lib/copy_in_user.S        |    2 +-
 arch/arm64/lib/copy_to_user.S        |    2 +-
 arch/arm64/mm/cache.S                |    2 +-
 arch/arm64/xen/hypercall.S           |    2 +-
 10 files changed, 42 insertions(+), 21 deletions(-)

--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -920,7 +920,6 @@ endif
 
 config ARM64_SW_TTBR0_PAN
 	bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
-	depends on BROKEN       # Temporary while switch_mm is reworked
 	help
 	  Enabling this option prevents the kernel from accessing
 	  user-space memory directly by pointing TTBR0_EL1 to a reserved
--- a/arch/arm64/include/asm/asm-uaccess.h
+++ b/arch/arm64/include/asm/asm-uaccess.h
@@ -16,11 +16,20 @@
 	add	\tmp1, \tmp1, #SWAPPER_DIR_SIZE	// reserved_ttbr0 at the end of swapper_pg_dir
 	msr	ttbr0_el1, \tmp1		// set reserved TTBR0_EL1
 	isb
+	sub	\tmp1, \tmp1, #SWAPPER_DIR_SIZE
+	bic	\tmp1, \tmp1, #(0xffff << 48)
+	msr	ttbr1_el1, \tmp1		// set reserved ASID
+	isb
 	.endm
 
-	.macro	__uaccess_ttbr0_enable, tmp1
+	.macro	__uaccess_ttbr0_enable, tmp1, tmp2
 	get_thread_info \tmp1
 	ldr	\tmp1, [\tmp1, #TSK_TI_TTBR0]	// load saved TTBR0_EL1
+	mrs	\tmp2, ttbr1_el1
+	extr    \tmp2, \tmp2, \tmp1, #48
+	ror     \tmp2, \tmp2, #16
+	msr	ttbr1_el1, \tmp2		// set the active ASID
+	isb
 	msr	ttbr0_el1, \tmp1		// set the non-PAN TTBR0_EL1
 	isb
 	.endm
@@ -31,18 +40,18 @@ alternative_if_not ARM64_HAS_PAN
 alternative_else_nop_endif
 	.endm
 
-	.macro	uaccess_ttbr0_enable, tmp1, tmp2
+	.macro	uaccess_ttbr0_enable, tmp1, tmp2, tmp3
 alternative_if_not ARM64_HAS_PAN
-	save_and_disable_irq \tmp2		// avoid preemption
-	__uaccess_ttbr0_enable \tmp1
-	restore_irq \tmp2
+	save_and_disable_irq \tmp3		// avoid preemption
+	__uaccess_ttbr0_enable \tmp1, \tmp2
+	restore_irq \tmp3
 alternative_else_nop_endif
 	.endm
 #else
 	.macro	uaccess_ttbr0_disable, tmp1
 	.endm
 
-	.macro	uaccess_ttbr0_enable, tmp1, tmp2
+	.macro	uaccess_ttbr0_enable, tmp1, tmp2, tmp3
 	.endm
 #endif
 
@@ -56,8 +65,8 @@ alternative_if ARM64_ALT_PAN_NOT_UAO
 alternative_else_nop_endif
 	.endm
 
-	.macro	uaccess_enable_not_uao, tmp1, tmp2
-	uaccess_ttbr0_enable \tmp1, \tmp2
+	.macro	uaccess_enable_not_uao, tmp1, tmp2, tmp3
+	uaccess_ttbr0_enable \tmp1, \tmp2, \tmp3
 alternative_if ARM64_ALT_PAN_NOT_UAO
 	SET_PSTATE_PAN(0)
 alternative_else_nop_endif
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -107,15 +107,19 @@ static inline void __uaccess_ttbr0_disab
 {
 	unsigned long ttbr;
 
+	ttbr = read_sysreg(ttbr1_el1);
 	/* reserved_ttbr0 placed at the end of swapper_pg_dir */
-	ttbr = read_sysreg(ttbr1_el1) + SWAPPER_DIR_SIZE;
-	write_sysreg(ttbr, ttbr0_el1);
+	write_sysreg(ttbr + SWAPPER_DIR_SIZE, ttbr0_el1);
+	isb();
+	/* Set reserved ASID */
+	ttbr &= ~(0xffffUL << 48);
+	write_sysreg(ttbr, ttbr1_el1);
 	isb();
 }
 
 static inline void __uaccess_ttbr0_enable(void)
 {
-	unsigned long flags;
+	unsigned long flags, ttbr0, ttbr1;
 
 	/*
 	 * Disable interrupts to avoid preemption between reading the 'ttbr0'
@@ -123,7 +127,16 @@ static inline void __uaccess_ttbr0_enabl
 	 * roll-over and an update of 'ttbr0'.
 	 */
 	local_irq_save(flags);
-	write_sysreg(current_thread_info()->ttbr0, ttbr0_el1);
+	ttbr0 = current_thread_info()->ttbr0;
+
+	/* Restore active ASID */
+	ttbr1 = read_sysreg(ttbr1_el1);
+	ttbr1 |= ttbr0 & (0xffffUL << 48);
+	write_sysreg(ttbr1, ttbr1_el1);
+	isb();
+
+	/* Restore user page table */
+	write_sysreg(ttbr0, ttbr0_el1);
 	isb();
 	local_irq_restore(flags);
 }
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -184,7 +184,7 @@ alternative_if ARM64_HAS_PAN
 alternative_else_nop_endif
 
 	.if	\el != 0
-	mrs	x21, ttbr0_el1
+	mrs	x21, ttbr1_el1
 	tst	x21, #0xffff << 48		// Check for the reserved ASID
 	orr	x23, x23, #PSR_PAN_BIT		// Set the emulated PAN in the saved SPSR
 	b.eq	1f				// TTBR0 access already disabled
@@ -248,7 +248,7 @@ alternative_else_nop_endif
 	tbnz	x22, #22, 1f			// Skip re-enabling TTBR0 access if the PSR_PAN_BIT is set
 	.endif
 
-	__uaccess_ttbr0_enable x0
+	__uaccess_ttbr0_enable x0, x1
 
 	.if	\el == 0
 	/*
--- a/arch/arm64/lib/clear_user.S
+++ b/arch/arm64/lib/clear_user.S
@@ -30,7 +30,7 @@
  * Alignment fixed up by hardware.
  */
 ENTRY(__clear_user)
-	uaccess_enable_not_uao x2, x3
+	uaccess_enable_not_uao x2, x3, x4
 	mov	x2, x1			// save the size for fixup return
 	subs	x1, x1, #8
 	b.mi	2f
--- a/arch/arm64/lib/copy_from_user.S
+++ b/arch/arm64/lib/copy_from_user.S
@@ -64,7 +64,7 @@
 
 end	.req	x5
 ENTRY(__arch_copy_from_user)
-	uaccess_enable_not_uao x3, x4
+	uaccess_enable_not_uao x3, x4, x5
 	add	end, x0, x2
 #include "copy_template.S"
 	uaccess_disable_not_uao x3
--- a/arch/arm64/lib/copy_in_user.S
+++ b/arch/arm64/lib/copy_in_user.S
@@ -65,7 +65,7 @@
 
 end	.req	x5
 ENTRY(raw_copy_in_user)
-	uaccess_enable_not_uao x3, x4
+	uaccess_enable_not_uao x3, x4, x5
 	add	end, x0, x2
 #include "copy_template.S"
 	uaccess_disable_not_uao x3
--- a/arch/arm64/lib/copy_to_user.S
+++ b/arch/arm64/lib/copy_to_user.S
@@ -63,7 +63,7 @@
 
 end	.req	x5
 ENTRY(__arch_copy_to_user)
-	uaccess_enable_not_uao x3, x4
+	uaccess_enable_not_uao x3, x4, x5
 	add	end, x0, x2
 #include "copy_template.S"
 	uaccess_disable_not_uao x3
--- a/arch/arm64/mm/cache.S
+++ b/arch/arm64/mm/cache.S
@@ -49,7 +49,7 @@ ENTRY(flush_icache_range)
  *	- end     - virtual end address of region
  */
 ENTRY(__flush_cache_user_range)
-	uaccess_ttbr0_enable x2, x3
+	uaccess_ttbr0_enable x2, x3, x4
 	dcache_line_size x2, x3
 	sub	x3, x2, #1
 	bic	x4, x0, x3
--- a/arch/arm64/xen/hypercall.S
+++ b/arch/arm64/xen/hypercall.S
@@ -101,7 +101,7 @@ ENTRY(privcmd_call)
 	 * need the explicit uaccess_enable/disable if the TTBR0 PAN emulation
 	 * is enabled (it implies that hardware UAO and PAN disabled).
 	 */
-	uaccess_ttbr0_enable x6, x7
+	uaccess_ttbr0_enable x6, x7, x8
 	hvc XEN_IMM
 
 	/*


Patches currently in stable-queue which might be from will.deacon@arm.com are

queue-4.15/arm64-make-user_ds-an-inclusive-limit.patch
queue-4.15/arm64-mm-remove-pre_ttbr0_update_workaround-for-falkor-erratum-e1003.patch
queue-4.15/arm64-uaccess-don-t-bother-eliding-access_ok-checks-in-__-get-put-_user.patch
queue-4.15/arm64-cpufeature-pass-capability-structure-to-enable-callback.patch
queue-4.15/arm64-uaccess-mask-__user-pointers-for-__arch_-clear-copy_-_user.patch
queue-4.15/arm64-mm-add-arm64_kernel_unmapped_at_el0-helper.patch
queue-4.15/arm64-entry-reword-comment-about-post_ttbr_update_workaround.patch
queue-4.15/arm64-kaslr-put-kernel-vectors-address-in-separate-data-page.patch
queue-4.15/arm-arm64-smccc-make-function-identifiers-an-unsigned-quantity.patch
queue-4.15/arm64-move-bp-hardening-to-check_and_switch_context.patch
queue-4.15/arm-arm64-kvm-advertise-smccc-v1.1.patch
queue-4.15/arm64-move-post_ttbr_update_workaround-to-c-code.patch
queue-4.15/arm64-turn-on-kpti-only-on-cpus-that-need-it.patch
queue-4.15/firmware-psci-expose-psci-conduit.patch
queue-4.15/arm64-force-kpti-to-be-disabled-on-cavium-thunderx.patch
queue-4.15/arm64-entry-apply-bp-hardening-for-high-priority-synchronous-exceptions.patch
queue-4.15/arm64-kpti-fix-the-interaction-between-asid-switching-and-software-pan.patch
queue-4.15/firmware-psci-expose-smccc-version-through-psci_ops.patch
queue-4.15/arm64-mm-permit-transitioning-from-global-to-non-global-without-bbm.patch
queue-4.15/arm64-mm-allocate-asids-in-pairs.patch
queue-4.15/arm64-tls-avoid-unconditional-zeroing-of-tpidrro_el0-for-native-tasks.patch
queue-4.15/arm64-use-ret-instruction-for-exiting-the-trampoline.patch
queue-4.15/arm64-futex-mask-__user-pointers-prior-to-dereference.patch
queue-4.15/arm64-entry-explicitly-pass-exception-level-to-kernel_ventry-macro.patch
queue-4.15/arm64-implement-branch-predictor-hardening-for-affected-cortex-a-cpus.patch
queue-4.15/arm64-kpti-make-use-of-ng-dependent-on-arm64_kernel_unmapped_at_el0.patch
queue-4.15/arm-arm64-kvm-add-psci_version-helper.patch
queue-4.15/arm64-kill-psci_get_version-as-a-variant-2-workaround.patch
queue-4.15/arm64-entry-ensure-branch-through-syscall-table-is-bounded-under-speculation.patch
queue-4.15/arm64-mm-use-non-global-mappings-for-kernel-space.patch
queue-4.15/arm64-entry-apply-bp-hardening-for-suspicious-interrupts-from-el0.patch
queue-4.15/arm64-capabilities-handle-duplicate-entries-for-a-capability.patch
queue-4.15/arm64-entry-hook-up-entry-trampoline-to-exception-vectors.patch
queue-4.15/arm64-branch-predictor-hardening-for-cavium-thunderx2.patch
queue-4.15/arm64-uaccess-prevent-speculative-use-of-the-current-addr_limit.patch
queue-4.15/arm64-use-pointer-masking-to-limit-uaccess-speculation.patch
queue-4.15/arm64-add-arm_smccc_arch_workaround_1-bp-hardening-support.patch
queue-4.15/arm64-erratum-work-around-falkor-erratum-e1003-in-trampoline-code.patch
queue-4.15/arm64-mm-fix-and-re-enable-arm64_sw_ttbr0_pan.patch
queue-4.15/arm64-mm-invalidate-both-kernel-and-user-asids-when-performing-tlbi.patch
queue-4.15/drivers-firmware-expose-psci_get_version-through-psci_ops-structure.patch
queue-4.15/arm64-mm-rename-post_ttbr0_update_workaround.patch
queue-4.15/arm64-mm-map-entry-trampoline-into-trampoline-and-kernel-page-tables.patch
queue-4.15/arm-arm64-kvm-turn-kvm_psci_version-into-a-static-inline.patch
queue-4.15/arm-arm64-kvm-implement-psci-1.0-support.patch
queue-4.15/arm64-kconfig-reword-unmap_kernel_at_el0-kconfig-entry.patch
queue-4.15/arm64-mm-move-asid-from-ttbr0-to-ttbr1.patch
queue-4.15/arm64-mm-introduce-ttbr_asid_mask-for-getting-at-the-asid-in-the-ttbr.patch
queue-4.15/arm64-kvm-add-smccc_arch_workaround_1-fast-handling.patch
queue-4.15/arm64-take-into-account-id_aa64pfr0_el1.csv3.patch
queue-4.15/arm64-cputype-add-missing-midr-values-for-cortex-a72-and-cortex-a75.patch
queue-4.15/arm64-kvm-report-smccc_arch_workaround_1-bp-hardening-support.patch
queue-4.15/arm64-barrier-add-csdb-macros-to-control-data-value-prediction.patch
queue-4.15/arm-arm64-smccc-implement-smccc-v1.1-inline-primitive.patch
queue-4.15/perf-arm_spe-fail-device-probe-when-arm64_kernel_unmapped_at_el0.patch
queue-4.15/arm64-implement-branch-predictor-hardening-for-falkor.patch
queue-4.15/arm64-kconfig-add-config_unmap_kernel_at_el0.patch
queue-4.15/arm64-idmap-use-awx-flags-for-.idmap.text-.pushsection-directives.patch
queue-4.15/arm64-run-enable-method-for-errata-work-arounds-on-late-cpus.patch
queue-4.15/arm64-mm-temporarily-disable-arm64_sw_ttbr0_pan.patch
queue-4.15/arm64-entry-add-exception-trampoline-page-for-exceptions-from-el0.patch
queue-4.15/arm64-kvm-make-psci_version-a-fast-path.patch
queue-4.15/arm64-cpufeature-__this_cpu_has_cap-shouldn-t-stop-early.patch
queue-4.15/arm64-implement-array_index_mask_nospec.patch
queue-4.15/arm64-kpti-add-enable-callback-to-remap-swapper-using-ng-mappings.patch
queue-4.15/arm-arm64-kvm-consolidate-the-psci-include-files.patch
queue-4.15/arm64-add-skeleton-to-harden-the-branch-predictor-against-aliasing-attacks.patch
queue-4.15/arm64-cpu_errata-add-kryo-to-falkor-1003-errata.patch
queue-4.15/arm-arm64-kvm-add-smccc-accessors-to-psci-code.patch
queue-4.15/arm64-entry-add-fake-cpu-feature-for-unmapping-the-kernel-at-el0.patch
queue-4.15/arm64-kvm-use-per-cpu-vector-when-bp-hardening-is-enabled.patch
queue-4.15/arm64-cputype-add-midr-values-for-cavium-thunderx2-cpus.patch
queue-4.15/arm64-kvm-increment-pc-after-handling-an-smc-trap.patch