From patchwork Tue Mar 19 20:32:39 2019
X-Patchwork-Submitter: Sebastian Andrzej Siewior
X-Patchwork-Id: 10860325
Date: Tue, 19 Mar 2019 21:32:39 +0100
From: Sebastian Andrzej Siewior
To: linux-arm-kernel@lists.infradead.org
Cc: Thomas Gleixner, Bernd Edlinger, Russell King, Arnd Bergmann
Subject: [PATCH] ARM: mm: harden branch predictor before opening interrupts during fault
Message-ID: <20190319203239.gl46fxnfz6gzeeic@linutronix.de>

On non-LPAE systems a write to 0xbffffff0 (modules area) from userland
results in:

| BUG: using smp_processor_id() in preemptible [00000000] code: mem-tc/521
| caller is __do_user_fault.constprop.2+0x4c/0x74
| CPU: 1 PID: 521 Comm: mem-tc Not tainted 5.1.0-rc1 #4
| [] (debug_smp_processor_id) from [] (__do_user_fault.constprop.2+0x4c/0x74)
| [] (__do_user_fault.constprop.2) from [] (do_page_fault+0x278/0x37c)
| [] (do_page_fault) from [] (do_DataAbort+0x3c/0xa8)
| [] (do_DataAbort) from [] (__dabt_usr+0x3c/0x40)

Move harden_branch_predictor() from __do_user_fault() to both of its
callers (do_bad_area() and do_page_fault()). The invocation in
do_page_fault() is added before interrupts are enabled. The invocation
in do_bad_area() is added just before __do_user_fault() is invoked.

Fixes: f5fe12b1eaee2 ("ARM: spectre-v2: harden user aborts in kernel space")
Reported-by: Bernd Edlinger
Signed-off-by: Sebastian Andrzej Siewior
---
 arch/arm/mm/fault.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 58f69fa07df95..7adff8eb8f3d2 100644
--- a/arch/arm/mm/fault.c +++ b/arch/arm/mm/fault.c @@ -161,9 +161,6 @@ __do_user_fault(struct task_struct *tsk, unsigned long addr, unsigned int fsr, unsigned int sig, int code, struct pt_regs *regs) { - if (addr > TASK_SIZE) - harden_branch_predictor(); - #ifdef CONFIG_DEBUG_USER if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) || ((user_debug & UDBG_BUS) && (sig == SIGBUS))) { @@ -195,10 +192,13 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs) * If we are in kernel mode at this point, we * have no context to handle this fault with. */ - if (user_mode(regs)) + if (user_mode(regs)) { + if (addr > TASK_SIZE) + harden_branch_predictor(); __do_user_fault(tsk, addr, fsr, SIGSEGV, SEGV_MAPERR, regs); - else + } else { __do_kernel_fault(mm, addr, fsr, regs); + } } #ifdef CONFIG_MMU @@ -272,6 +272,8 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) tsk = current; mm = tsk->mm; + if (addr > TASK_SIZE && user_mode(regs)) + harden_branch_predictor(); /* Enable interrupts if they were enabled in the parent context. */ if (interrupts_enabled(regs)) local_irq_enable();
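Review bot: In the __do_user_fault() hunk, removing the "if (addr > TASK_SIZE) harden_branch_predictor();" pair leaves the function with an undocumented precondition: every caller now has to perform the hardening itself, and has to do so while still non-preemptible. Nothing at the function says so, and a later caller could silently drop the Spectre-v2 mitigation. Please add a short comment above __do_user_fault() stating that callers are responsible for calling harden_branch_predictor() for addr > TASK_SIZE before interrupts are enabled.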
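Review bot: In the do_bad_area() hunk, the new harden_branch_predictor() call is only safe if do_bad_area() is always entered with preemption disabled, and the commit message does not establish that. It says only that the call is added just before __do_user_fault(), while the reported trace goes through do_page_fault(). Please state in the changelog (or in a comment at the call) why this path cannot trigger the same smp_processor_id() warning. The "addr > TASK_SIZE" test is also now open-coded here and in do_page_fault() in two slightly different forms; a small helper taking addr and regs would keep the two sites from drifting apart.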
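Review bot: In the do_page_fault() hunk, the ordering of the new call against local_irq_enable() is the whole point of the fix, but nothing in the code records it. The new "if (addr > TASK_SIZE && user_mode(regs))" block sits directly on top of the existing "Enable interrupts" comment, with no blank line and no comment of its own. Please separate the two and add a comment saying that the hardening must run before interrupts are enabled because it relies on smp_processor_id(), so a later cleanup does not move it back below local_irq_enable(). Separately, the condition keeps the strict ">" from the removed code, so a fault at exactly TASK_SIZE is not hardened; please confirm that this boundary is intended rather than ">=".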