From: David Long <dave.long@linaro.org>
To: stable@vger.kernel.org,
Russell King - ARM Linux <linux@armlinux.org.uk>,
Florian Fainelli <f.fainelli@gmail.com>,
Tony Lindgren <tony@atomide.com>,
Marc Zyngier <marc.zyngier@arm.com>,
Mark Rutland <mark.rutland@arm.com>
Cc: Greg KH <gregkh@linuxfoundation.org>, Mark Brown <broonie@kernel.org>
Subject: [PATCH 4.9 V2 18/24] ARM: spectre-v1: fix syscall entry
Date: Wed, 7 Nov 2018 11:43:56 -0500 [thread overview]
Message-ID: <20181107164402.9380-19-dave.long@linaro.org> (raw)
In-Reply-To: <20181107164402.9380-1-dave.long@linaro.org>
From: Russell King <rmk+kernel@armlinux.org.uk>
Commit 10573ae547c85b2c61417ff1a106cffbfceada35 upstream.
Prevent speculation at the syscall table decoding by clamping the index
used to zero on invalid system call numbers, and using the csdb
speculative barrier.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Boot-tested-by: Tony Lindgren <tony@atomide.com>
Reviewed-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: David A. Long <dave.long@linaro.org>
---
arch/arm/kernel/entry-common.S | 18 +++++++-----------
| 25 +++++++++++++++++++++++++
2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index 10c3283d6c19..56be67ecf0fa 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -223,9 +223,7 @@ local_restart:
tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
bne __sys_trace
- cmp scno, #NR_syscalls @ check upper syscall limit
- badr lr, ret_fast_syscall @ return address
- ldrcc pc, [tbl, scno, lsl #2] @ call sys_* routine
+ invoke_syscall tbl, scno, r10, ret_fast_syscall
add r1, sp, #S_OFF
2: cmp scno, #(__ARM_NR_BASE - __NR_SYSCALL_BASE)
@@ -258,14 +256,8 @@ __sys_trace:
mov r1, scno
add r0, sp, #S_OFF
bl syscall_trace_enter
-
- badr lr, __sys_trace_return @ return address
- mov scno, r0 @ syscall number (possibly new)
- add r1, sp, #S_R0 + S_OFF @ pointer to regs
- cmp scno, #NR_syscalls @ check upper syscall limit
- ldmccia r1, {r0 - r6} @ have to reload r0 - r6
- stmccia sp, {r4, r5} @ and update the stack args
- ldrcc pc, [tbl, scno, lsl #2] @ call sys_* routine
+ mov scno, r0
+ invoke_syscall tbl, scno, r10, __sys_trace_return, reload=1
cmp scno, #-1 @ skip the syscall?
bne 2b
add sp, sp, #S_OFF @ restore stack
@@ -317,6 +309,10 @@ sys_syscall:
bic scno, r0, #__NR_OABI_SYSCALL_BASE
cmp scno, #__NR_syscall - __NR_SYSCALL_BASE
cmpne scno, #NR_syscalls @ check range
+#ifdef CONFIG_CPU_SPECTRE
+ movhs scno, #0
+ csdb
+#endif
stmloia sp, {r5, r6} @ shuffle args
movlo r0, r1
movlo r1, r2
--git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S
index e056c9a9aa9d..fa7c6e5c17e7 100644
--- a/arch/arm/kernel/entry-header.S
+++ b/arch/arm/kernel/entry-header.S
@@ -377,6 +377,31 @@
#endif
.endm
+ .macro invoke_syscall, table, nr, tmp, ret, reload=0
+#ifdef CONFIG_CPU_SPECTRE
+ mov \tmp, \nr
+ cmp \tmp, #NR_syscalls @ check upper syscall limit
+ movcs \tmp, #0
+ csdb
+ badr lr, \ret @ return address
+ .if \reload
+ add r1, sp, #S_R0 + S_OFF @ pointer to regs
+ ldmccia r1, {r0 - r6} @ reload r0-r6
+ stmccia sp, {r4, r5} @ update stack arguments
+ .endif
+ ldrcc pc, [\table, \tmp, lsl #2] @ call sys_* routine
+#else
+ cmp \nr, #NR_syscalls @ check upper syscall limit
+ badr lr, \ret @ return address
+ .if \reload
+ add r1, sp, #S_R0 + S_OFF @ pointer to regs
+ ldmccia r1, {r0 - r6} @ reload r0-r6
+ stmccia sp, {r4, r5} @ update stack arguments
+ .endif
+ ldrcc pc, [\table, \nr, lsl #2] @ call sys_* routine
+#endif
+ .endm
+
/*
* These are the registers used in the syscall handler, and allow us to
* have in theory up to 7 arguments to a function - r0 to r6.
--
2.17.1
next prev parent reply other threads:[~2018-11-08 2:15 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-07 16:43 [PATCH 4.9 V2 00/24] V4.9 backport of 32-bit arm spectre patches David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 01/24] ARM: add more CPU part numbers for Cortex and Brahma B15 CPUs David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 02/24] ARM: bugs: prepare processor bug infrastructure David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 03/24] ARM: bugs: hook processor bug checking into SMP and suspend paths David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 04/24] ARM: bugs: add support for per-processor bug checking David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 05/24] ARM: spectre: add Kconfig symbol for CPUs vulnerable to Spectre David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 06/24] ARM: spectre-v2: harden branch predictor on context switches David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 07/24] ARM: spectre-v2: add Cortex A8 and A15 validation of the IBE bit David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 08/24] ARM: spectre-v2: harden user aborts in kernel space David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 09/24] ARM: spectre-v2: add firmware based hardening David Long
2018-11-12 16:54 ` Russell King - ARM Linux
2018-11-13 14:23 ` Marc Zyngier
2018-11-13 15:16 ` David Long
2018-11-13 17:36 ` Marc Zyngier
2018-11-13 17:54 ` Russell King - ARM Linux
2018-11-13 16:43 ` Tony Lindgren
2018-11-13 18:08 ` Florian Fainelli
2018-11-20 10:59 ` Russell King - ARM Linux
2018-11-20 11:15 ` Greg KH
2018-11-20 15:30 ` David Long
2018-11-20 16:42 ` Marc Zyngier
2018-11-20 16:24 ` David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 10/24] ARM: spectre-v2: warn about incorrect context switching functions David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 11/24] ARM: KVM: invalidate BTB on guest exit for Cortex-A12/A17 David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 12/24] ARM: KVM: invalidate icache on guest exit for Cortex-A15 David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 13/24] ARM: spectre-v2: KVM: invalidate icache on guest exit for Brahma B15 David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 14/24] ARM: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 15/24] ARM: KVM: report support for SMCCC_ARCH_WORKAROUND_1 David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 16/24] ARM: spectre-v1: add speculation barrier (csdb) macros David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 17/24] ARM: spectre-v1: add array_index_mask_nospec() implementation David Long
2018-11-07 16:43 ` David Long [this message]
2018-11-07 16:43 ` [PATCH 4.9 V2 19/24] ARM: signal: copy registers using __copy_from_user() David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 20/24] ARM: vfp: use __copy_from_user() when restoring VFP state David Long
2018-11-07 16:43 ` [PATCH 4.9 V2 21/24] ARM: oabi-compat: copy semops using __copy_from_user() David Long
2018-11-07 16:44 ` [PATCH 4.9 V2 22/24] ARM: use __inttype() in get_user() David Long
2018-11-07 16:44 ` [PATCH 4.9 V2 23/24] ARM: spectre-v1: use get_user() for __get_user() David Long
2018-11-07 16:44 ` [PATCH 4.9 V2 24/24] ARM: spectre-v1: mitigate user accesses David Long
2018-11-12 15:27 ` [PATCH 4.9 V2 00/24] V4.9 backport of 32-bit arm spectre patches Russell King - ARM Linux
2018-11-21 18:27 ` Greg KH
2018-11-21 19:13 ` David Long
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181107164402.9380-19-dave.long@linaro.org \
--to=dave.long@linaro.org \
--cc=broonie@kernel.org \
--cc=f.fainelli@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux@armlinux.org.uk \
--cc=marc.zyngier@arm.com \
--cc=mark.rutland@arm.com \
--cc=stable@vger.kernel.org \
--cc=tony@atomide.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).