1. 12 11月, 2018 5 次提交
  2. 06 11月, 2018 1 次提交
    • A
      ARM: 8809/1: proc-v7: fix Thumb annotation of cpu_v7_hvc_switch_mm · 6282e916
      Ard Biesheuvel 提交于
      Due to what appears to be a copy/paste error, the opening ENTRY()
      of cpu_v7_hvc_switch_mm() lacks a matching ENDPROC(), and instead,
      the one for cpu_v7_smc_switch_mm() is duplicated.
      
      Given that it is ENDPROC() that emits the Thumb annotation, the
      cpu_v7_hvc_switch_mm() routine will be called in ARM mode on a
      Thumb2 kernel, resulting in the following splat:
      
        Internal error: Oops - undefined instruction: 0 [#1] SMP THUMB2
        Modules linked in:
        CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.18.0-rc1-00030-g4d28ad89189d-dirty #488
        Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
        PC is at cpu_v7_hvc_switch_mm+0x12/0x18
        LR is at flush_old_exec+0x31b/0x570
        pc : [<c0316efe>]    lr : [<c04117c7>]    psr: 00000013
        sp : ee899e50  ip : 00000000  fp : 00000001
        r10: eda28f34  r9 : eda31800  r8 : c12470e0
        r7 : eda1fc00  r6 : eda53000  r5 : 00000000  r4 : ee88c000
        r3 : c0316eec  r2 : 00000001  r1 : eda53000  r0 : 6da6c000
        Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      
      Note the 'ISA ARM' in the last line.
      
      Fix this by using the correct name in ENDPROC().
      
      Cc: <stable@vger.kernel.org>
      Fixes: 10115105 ("ARM: spectre-v2: add firmware based hardening")
      Reviewed-by: NDave Martin <Dave.Martin@arm.com>
      Acked-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      6282e916
  3. 05 10月, 2018 9 次提交
  4. 03 8月, 2018 5 次提交
    • R
      ARM: spectre-v1: mitigate user accesses · a3c0f847
      Russell King 提交于
      Spectre variant 1 attacks are about this sequence of pseudo-code:
      
      	index = load(user-manipulated pointer);
      	access(base + index * stride);
      
      In order for the cache side-channel to work, the access() must me made
      to memory which userspace can detect whether cache lines have been
      loaded.  On 32-bit ARM, this must be either user accessible memory, or
      a kernel mapping of that same user accessible memory.
      
      The problem occurs when the load() speculatively loads privileged data,
      and the subsequent access() is made to user accessible memory.
      
      Any load() which makes use of a user-maniplated pointer is a potential
      problem if the data it has loaded is used in a subsequent access.  This
      also applies for the access() if the data loaded by that access is used
      by a subsequent access.
      
      Harden the get_user() accessors against Spectre attacks by forcing out
      of bounds addresses to a NULL pointer.  This prevents get_user() being
      used as the load() step above.  As a side effect, put_user() will also
      be affected even though it isn't implicated.
      
      Also harden copy_from_user() by redoing the bounds check within the
      arm_copy_from_user() code, and NULLing the pointer if out of bounds.
      Acked-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      a3c0f847
    • R
      ARM: spectre-v1: use get_user() for __get_user() · b1cd0a14
      Russell King 提交于
      Fixing __get_user() for spectre variant 1 is not sane: we would have to
      add address space bounds checking in order to validate that the location
      should be accessed, and then zero the address if found to be invalid.
      
      Since __get_user() is supposed to avoid the bounds check, and this is
      exactly what get_user() does, there's no point having two different
      implementations that are doing the same thing.  So, when the Spectre
      workarounds are required, make __get_user() an alias of get_user().
      Acked-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      b1cd0a14
    • R
      ARM: use __inttype() in get_user() · d09fbb32
      Russell King 提交于
      Borrow the x86 implementation of __inttype() to use in get_user() to
      select an integer type suitable to temporarily hold the result value.
      This is necessary to avoid propagating the volatile nature of the
      result argument, which can cause the following warning:
      
      lib/iov_iter.c:413:5: warning: optimization may eliminate reads and/or writes to register variables [-Wvolatile-register-var]
      Acked-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      d09fbb32
    • R
      ARM: oabi-compat: copy semops using __copy_from_user() · 8c8484a1
      Russell King 提交于
      __get_user_error() is used as a fast accessor to make copying structure
      members as efficient as possible.  However, with software PAN and the
      recent Spectre variant 1, the efficiency is reduced as these are no
      longer fast accessors.
      
      In the case of software PAN, it has to switch the domain register around
      each access, and with Spectre variant 1, it would have to repeat the
      access_ok() check for each access.
      
      Rather than using __get_user_error() to copy each semops element member,
      copy each semops element in full using __copy_from_user().
      Acked-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      8c8484a1
    • R
      ARM: vfp: use __copy_from_user() when restoring VFP state · 42019fc5
      Russell King 提交于
      __get_user_error() is used as a fast accessor to make copying structure
      members in the signal handling path as efficient as possible.  However,
      with software PAN and the recent Spectre variant 1, the efficiency is
      reduced as these are no longer fast accessors.
      
      In the case of software PAN, it has to switch the domain register around
      each access, and with Spectre variant 1, it would have to repeat the
      access_ok() check for each access.
      
      Use __copy_from_user() rather than __get_user_err() for individual
      members when restoring VFP state.
      Acked-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      42019fc5
  5. 27 7月, 2018 1 次提交
    • R
      ARM: signal: copy registers using __copy_from_user() · c32cd419
      Russell King 提交于
      __get_user_error() is used as a fast accessor to make copying structure
      members in the signal handling path as efficient as possible.  However,
      with software PAN and the recent Spectre variant 1, the efficiency is
      reduced as these are no longer fast accessors.
      
      In the case of software PAN, it has to switch the domain register around
      each access, and with Spectre variant 1, it would have to repeat the
      access_ok() check for each access.
      
      It becomes much more efficient to use __copy_from_user() instead, so
      let's use this for the ARM integer registers.
      Acked-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      c32cd419
  6. 01 6月, 2018 3 次提交
  7. 31 5月, 2018 15 次提交
  8. 02 4月, 2018 1 次提交