commit 44caf8b34625267f5b7227391551a4064e5fa0f7
Author: Greg Kroah-Hartman
Date:   Fri Nov 23 08:20:39 2018 +0100

    Linux 4.9.139

commit 861f5387585e2dcf7e2e611e62751dd3fe1abecb
Author: Russell King
Date:   Wed Nov 7 11:44:02 2018 -0500

    ARM: spectre-v1: mitigate user accesses

    Commit a3c0f84765bb429ba0fd23de1c57b5e1591c9389 upstream.

    Spectre variant 1 attacks are about this sequence of pseudo-code:

        index = load(user-manipulated pointer);
        access(base + index * stride);

    In order for the cache side-channel to work, the access() must be made
    to memory which userspace can detect whether cache lines have been
    loaded. On 32-bit ARM, this must be either user accessible memory, or
    a kernel mapping of that same user accessible memory.

    The problem occurs when the load() speculatively loads privileged data,
    and the subsequent access() is made to user accessible memory.

    Any load() which makes use of a user-manipulated pointer is a potential
    problem if the data it has loaded is used in a subsequent access. This
    also applies for the access() if the data loaded by that access is used
    by a subsequent access.

    Harden the get_user() accessors against Spectre attacks by forcing out
    of bounds addresses to a NULL pointer. This prevents get_user() being
    used as the load() step above. As a side effect, put_user() will also
    be affected even though it isn't implicated.

    Also harden copy_from_user() by redoing the bounds check within the
    arm_copy_from_user() code, and NULLing the pointer if out of bounds.

    Acked-by: Mark Rutland
    Signed-off-by: Russell King
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit f4438f29bfbd105a4208cf194cd7f1f3e01fd666
Author: Russell King
Date:   Wed Nov 7 11:44:01 2018 -0500

    ARM: spectre-v1: use get_user() for __get_user()

    Commit b1cd0a14806321721aae45f5446ed83a3647c914 upstream.

    Fixing __get_user() for spectre variant 1 is not sane: we would have to
    add address space bounds checking in order to validate that the location
    should be accessed, and then zero the address if found to be invalid.
    Since __get_user() is supposed to avoid the bounds check, and this is
    exactly what get_user() does, there's no point having two different
    implementations that are doing the same thing.

    So, when the Spectre workarounds are required, make __get_user() an
    alias of get_user().

    Acked-by: Mark Rutland
    Signed-off-by: Russell King
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit bdf0f17e4e1103af74239cfea553b8ab3c4fd29f
Author: Russell King
Date:   Wed Nov 7 11:44:00 2018 -0500

    ARM: use __inttype() in get_user()

    Commit d09fbb327d670737ab40fd8bbb0765ae06b8b739 upstream.

    Borrow the x86 implementation of __inttype() to use in get_user() to
    select an integer type suitable to temporarily hold the result value.
    This is necessary to avoid propagating the volatile nature of the
    result argument, which can cause the following warning:

    lib/iov_iter.c:413:5: warning: optimization may eliminate reads and/or writes to register variables [-Wvolatile-register-var]

    Acked-by: Mark Rutland
    Signed-off-by: Russell King
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit d609e4aa5086e2c20a7767f70401af0e2400989a
Author: Russell King
Date:   Wed Nov 7 11:43:59 2018 -0500

    ARM: oabi-compat: copy semops using __copy_from_user()

    Commit 8c8484a1c18e3231648f5ba7cc5ffb7fd70b3ca4 upstream.

    __get_user_error() is used as a fast accessor to make copying structure
    members as efficient as possible. However, with software PAN and the
    recent Spectre variant 1, the efficiency is reduced as these are no
    longer fast accessors.

    In the case of software PAN, it has to switch the domain register
    around each access, and with Spectre variant 1, it would have to repeat
    the access_ok() check for each access.

    Rather than using __get_user_error() to copy each semops element
    member, copy each semops element in full using __copy_from_user().

    Acked-by: Mark Rutland
    Signed-off-by: Russell King
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 9c91b9687904d28ad29974ce9028bb6a6088527f
Author: Russell King
Date:   Wed Nov 7 11:43:58 2018 -0500

    ARM: vfp: use __copy_from_user() when restoring VFP state

    Commit 42019fc50dfadb219f9e6ddf4c354f3837057d80 upstream.

    __get_user_error() is used as a fast accessor to make copying structure
    members in the signal handling path as efficient as possible. However,
    with software PAN and the recent Spectre variant 1, the efficiency is
    reduced as these are no longer fast accessors.

    In the case of software PAN, it has to switch the domain register
    around each access, and with Spectre variant 1, it would have to repeat
    the access_ok() check for each access.

    Use __copy_from_user() rather than __get_user_err() for individual
    members when restoring VFP state.

    Acked-by: Mark Rutland
    Signed-off-by: Russell King
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 50f032cc506a0f8c5a44c2f19950ae0f287b43db
Author: Russell King
Date:   Wed Nov 7 11:43:57 2018 -0500

    ARM: signal: copy registers using __copy_from_user()

    Commit c32cd419d6650e42b9cdebb83c672ec945e6bd7e upstream.

    __get_user_error() is used as a fast accessor to make copying structure
    members in the signal handling path as efficient as possible. However,
    with software PAN and the recent Spectre variant 1, the efficiency is
    reduced as these are no longer fast accessors.

    In the case of software PAN, it has to switch the domain register
    around each access, and with Spectre variant 1, it would have to repeat
    the access_ok() check for each access.

    It becomes much more efficient to use __copy_from_user() instead, so
    let's use this for the ARM integer registers.

    Acked-by: Mark Rutland
    Signed-off-by: Russell King
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 49b853905b9afc4a6898ce37f4be8721273badc3
Author: Russell King
Date:   Wed Nov 7 11:43:56 2018 -0500

    ARM: spectre-v1: fix syscall entry

    Commit 10573ae547c85b2c61417ff1a106cffbfceada35 upstream.

    Prevent speculation at the syscall table decoding by clamping the index
    used to zero on invalid system call numbers, and using the csdb
    speculative barrier.

    Signed-off-by: Russell King
    Acked-by: Mark Rutland
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 8a4ae2876f6c03e3def6fb1d438cc5f01932cdc1
Author: Russell King
Date:   Wed Nov 7 11:43:55 2018 -0500

    ARM: spectre-v1: add array_index_mask_nospec() implementation

    Commit 1d4238c56f9816ce0f9c8dbe42d7f2ad81cb6613 upstream.

    Add an implementation of the array_index_mask_nospec() function for
    mitigating Spectre variant 1 throughout the kernel.

    Signed-off-by: Russell King
    Acked-by: Mark Rutland
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit abdeed7e61be1b3a92c7dc02762b36f49d14d7fa
Author: Russell King
Date:   Wed Nov 7 11:43:54 2018 -0500

    ARM: spectre-v1: add speculation barrier (csdb) macros

    Commit a78d156587931a2c3b354534aa772febf6c9e855 upstream.

    Add assembly and C macros for the new CSDB instruction.

    Signed-off-by: Russell King
    Acked-by: Mark Rutland
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 3aa01740a26ec5b568f6b22a6fbced76cbf1db0f
Author: Russell King
Date:   Wed Nov 7 11:43:53 2018 -0500

    ARM: KVM: report support for SMCCC_ARCH_WORKAROUND_1

    Commit add5609877c6785cc002c6ed7e008b1d61064439 upstream.

    Report support for SMCCC_ARCH_WORKAROUND_1 to KVM guests for affected
    CPUs.

    Signed-off-by: Russell King
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Reviewed-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit b8940544118bdcab5da92ca76f527784cab882ce
Author: Russell King
Date:   Wed Nov 7 11:43:52 2018 -0500

    ARM: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling

    Commit b800acfc70d9fb81fbd6df70f2cf5e20f70023d0 upstream.

    We want SMCCC_ARCH_WORKAROUND_1 to be fast. As fast as possible. So
    let's intercept it as early as we can by testing for the function call
    number as soon as we've identified a HVC call coming from the guest.

    Signed-off-by: Russell King
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Reviewed-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 10c7b397cf5d35bdaf8a99a0e0dc4f02fdd05118
Author: Russell King
Date:   Wed Nov 7 11:43:51 2018 -0500

    ARM: spectre-v2: KVM: invalidate icache on guest exit for Brahma B15

    Commit 3c908e16396d130608e831b7fac4b167a2ede6ba upstream.

    Include Brahma B15 in the Spectre v2 KVM workarounds.

    Signed-off-by: Russell King
    Acked-by: Florian Fainelli
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Acked-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit b7888c6a365aae8e7ac9974f514a776ef60c372d
Author: Marc Zyngier
Date:   Wed Nov 7 11:43:50 2018 -0500

    ARM: KVM: invalidate icache on guest exit for Cortex-A15

    Commit 0c47ac8cd157727e7a532d665d6fb1b5fd333977 upstream.

    In order to avoid aliasing attacks against the branch predictor on
    Cortex-A15, let's invalidate the BTB on guest exit, which can only be
    done by invalidating the icache (with ACTLR[0] being set).

    We use the same hack as for A12/A17 to perform the vector decoding.

    Signed-off-by: Marc Zyngier
    Signed-off-by: Russell King
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 51836963fa6f41d12a5baff7a01faea2a0ce7d90
Author: Marc Zyngier
Date:   Wed Nov 7 11:43:49 2018 -0500

    ARM: KVM: invalidate BTB on guest exit for Cortex-A12/A17

    Commit 3f7e8e2e1ebda787f156ce46e3f0a9ce2833fa4f upstream.

    In order to avoid aliasing attacks against the branch predictor, let's
    invalidate the BTB on guest exit. This is made complicated by the fact
    that we cannot take a branch before invalidating the BTB.

    We only apply this to A12 and A17, which are the only two ARM cores on
    which this is useful.

    Signed-off-by: Marc Zyngier
    Signed-off-by: Russell King
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 47571a90791114c429eb71d070b168f6bdaf32b6
Author: Russell King
Date:   Wed Nov 7 11:43:48 2018 -0500

    ARM: spectre-v2: warn about incorrect context switching functions

    Commit c44f366ea7c85e1be27d08f2f0880f4120698125 upstream.

    Warn at error level if the context switching function is not what we
    are expecting. This can happen with big.Little systems, which we
    currently do not support.

    Signed-off-by: Russell King
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Acked-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit bf92464b7ede0ed578349137996506a39b79796b
Author: Russell King
Date:   Wed Nov 7 11:43:47 2018 -0500

    ARM: spectre-v2: add firmware based hardening

    Commit 10115105cb3aa17b5da1cb726ae8dd5f6854bd93 upstream.
    Commit 6282e916f774e37845c65d1eae9f8c649004f033 upstream.

    Add firmware based hardening for cores that require more complex
    handling in firmware.

    Signed-off-by: Russell King
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Reviewed-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 26892e74dfd9acba30b24dbf31e2f64fd5ae3b83
Author: Russell King
Date:   Wed Nov 7 11:43:46 2018 -0500

    ARM: spectre-v2: harden user aborts in kernel space

    Commit f5fe12b1eaee220ce62ff9afb8b90929c396595f upstream.

    In order to prevent aliasing attacks on the branch predictor,
    invalidate the BTB or instruction cache on CPUs that are known to be
    affected when taking an abort on an address that is outside of a user
    task limit:

    Cortex A8, A9, A12, A17, A73, A75: flush BTB.
    Cortex A15, Brahma B15: invalidate icache.

    If the IBE bit is not set, then there is little point to enabling the
    workaround.

    Signed-off-by: Russell King
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 9bc1ec1beb8c4e27c63485430f038d2584d45556
Author: Russell King
Date:   Wed Nov 7 11:43:45 2018 -0500

    ARM: spectre-v2: add Cortex A8 and A15 validation of the IBE bit

    Commit e388b80288aade31135aca23d32eee93dd106795 upstream.

    When the branch predictor hardening is enabled, firmware must have set
    the IBE bit in the auxiliary control register. If this bit has not
    been set, the Spectre workarounds will not be functional.

    Add validation that this bit is set, and print a warning at alert
    level if this is not the case.

    Signed-off-by: Russell King
    Reviewed-by: Florian Fainelli
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 33efd46a0c02047678dde378a756695003975905
Author: Russell King
Date:   Wed Nov 7 11:43:44 2018 -0500

    ARM: spectre-v2: harden branch predictor on context switches

    Commit 06c23f5ffe7ad45b908d0fff604dae08a7e334b9 upstream.

    Required manual merge of arch/arm/mm/proc-v7.S.

    Harden the branch predictor against Spectre v2 attacks on context
    switches for ARMv7 and later CPUs. We do this by:

    Cortex A9, A12, A17, A73, A75: invalidating the BTB.
    Cortex A15, Brahma B15: invalidating the instruction cache.

    Cortex A57 and Cortex A72 are not addressed in this patch.

    Cortex R7 and Cortex R8 are also not addressed as we do not enforce
    memory protection on these cores.

    Signed-off-by: Russell King
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Acked-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit eed96a3ce0a3b9de900f4cfb8f3519c429ba8b28
Author: Russell King
Date:   Wed Nov 7 11:43:43 2018 -0500

    ARM: spectre: add Kconfig symbol for CPUs vulnerable to Spectre

    Commit c58d237d0852a57fde9bc2c310972e8f4e3d155d upstream.

    Add a Kconfig symbol for CPUs which are vulnerable to the Spectre
    attacks.

    Signed-off-by: Russell King
    Reviewed-by: Florian Fainelli
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Acked-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 901e325f772f5e4cf9afc314f4bf70b8c9a97594
Author: Russell King
Date:   Wed Nov 7 11:43:42 2018 -0500

    ARM: bugs: add support for per-processor bug checking

    Commit 9d3a04925deeabb97c8e26d940b501a2873e8af3 upstream.

    Add support for per-processor bug checking - each processor function
    descriptor gains a function pointer for this check, which must not be
    an __init function. If non-NULL, this will be called whenever a CPU
    enters the kernel via whichever path (boot CPU, secondary CPU startup,
    CPU resuming, etc.)

    This allows processor specific bug checks to validate that workaround
    bits are properly enabled by firmware via all entry paths to the
    kernel.

    Signed-off-by: Russell King
    Reviewed-by: Florian Fainelli
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Acked-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 35293cc54366e4a9e3c1c5186541383dd4bcc2ff
Author: Russell King
Date:   Wed Nov 7 11:43:41 2018 -0500

    ARM: bugs: hook processor bug checking into SMP and suspend paths

    Commit 26602161b5ba795928a5a719fe1d5d9f2ab5c3ef upstream.

    Check for CPU bugs when secondary processors are being brought online,
    and also when CPUs are resuming from a low power mode. This gives an
    opportunity to check that processor specific bug workarounds are
    correctly enabled for all paths that a CPU re-enters the kernel.

    Signed-off-by: Russell King
    Reviewed-by: Florian Fainelli
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Acked-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit b26c3c4bcdadc709bd5161c553f590633ff972b7
Author: Russell King
Date:   Wed Nov 7 11:43:40 2018 -0500

    ARM: bugs: prepare processor bug infrastructure

    Commit a5b9177f69329314721aa7022b7e69dab23fa1f0 upstream.

    Prepare the processor bug infrastructure so that it can be expanded to
    check for per-processor bugs.

    Signed-off-by: Russell King
    Reviewed-by: Florian Fainelli
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Acked-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 183a0d21e436d37184196b7c6e144aa56f9b3f23
Author: Russell King
Date:   Wed Nov 7 11:43:39 2018 -0500

    ARM: add more CPU part numbers for Cortex and Brahma B15 CPUs

    Commit f5683e76f35b4ec5891031b6a29036efe0a1ff84 upstream.

    Add CPU part numbers for Cortex A53, A57, A72, A73, A75 and the
    Broadcom Brahma B15 CPU.

    Signed-off-by: Russell King
    Acked-by: Florian Fainelli
    Boot-tested-by: Tony Lindgren
    Reviewed-by: Tony Lindgren
    Acked-by: Marc Zyngier
    Signed-off-by: David A. Long
    Signed-off-by: Greg Kroah-Hartman

commit 134db5b955b8dfef54a9d319706f04093289d1e0
Author: Mark Rutland
Date:   Wed May 3 16:09:38 2017 +0100

    arm64: uaccess: suppress spurious clang warning

    commit d135b8b5060ea91dd751ff172d179eb4eab1e966 upstream.

    Clang tries to warn when there's a mismatch between an operand's size,
    and the size of the register it is held in, as this may indicate a
    bug. Specifically, clang warns when the operand's type is less than 64
    bits wide, and the register is used unqualified (i.e. %N rather than
    %xN or %wN).

    Unfortunately clang can generate these warnings for unreachable code.
    For example, for code like:

    do {                                            \
        typeof(*(ptr)) __v = (v);                   \
        switch(sizeof(*(ptr))) {                    \
        case 1:                                     \
            // assume __v is 1 byte wide            \
            asm ("{op}b %w0" : : "r" (v));          \
            break;                                  \
        case 8:                                     \
            // assume __v is 8 bytes wide           \
            asm ("{op} %0" : : "r" (v));            \
            break;                                  \
        }                                           \
    while (0)

    ... if op() were passed a char value and pointer to char, clang may
    produce a warning for the unreachable case where sizeof(*(ptr)) is 8.

    For the same reasons, clang produces warnings when __put_user_err() is
    used for types that are less than 64 bits wide.

    We could avoid this with a cast to a fixed-width type in each of the
    cases. However, GCC will then warn that pointer types are being cast
    to mismatched integer sizes (in unreachable paths).

    Another option would be to use the same union trickery as we do for
    __smp_store_release() and __smp_load_acquire(), but this is fairly
    invasive.

    Instead, this patch suppresses the clang warning by using an x modifier
    in the assembly for the 8 byte case of __put_user_err(). No additional
    work is necessary as the value has been cast to typeof(*(ptr)), so the
    compiler will have performed any necessary extension for the reachable
    case.

    For consistency, __get_user_err() is also updated to use the x modifier
    for its 8 byte case.

    Acked-by: Will Deacon
    Signed-off-by: Mark Rutland
    Reported-by: Matthias Kaehlcke
    Signed-off-by: Catalin Marinas
    Signed-off-by: Nick Desaulniers
    Signed-off-by: Greg Kroah-Hartman

commit 86e514306bfb147287ea7e597a0ef9d7039e8b5b
Author: Arnd Bergmann
Date:   Wed Jul 26 15:36:23 2017 +0200

    Kbuild: use -fshort-wchar globally

    commit 8c97023cf0518f172b8cb7a9fffc28b89401abbf upstream.

    Commit 971a69db7dc0 ("Xen: don't warn about 2-byte wchar_t in efi")
    added the --no-wchar-size-warning to the Makefile to avoid this
    harmless warning:

    arm-linux-gnueabi-ld: warning: drivers/xen/efi.o uses 2-byte wchar_t yet the output is to use 4-byte wchar_t; use of wchar_t values across objects may fail

    Changing kbuild to use thin archives instead of recursive linking
    unfortunately brings the same warning back during the final link.

    The kernel does not use wchar_t string literals at this point, and xen
    does not use wchar_t at all (only efi_char16_t), so the flag has no
    effect, but as pointed out by Jan Beulich, adding a wchar_t string
    literal would be bad here.

    Since wchar_t is always defined as u16, independent of the toolchain
    default, always passing -fshort-wchar is correct and lets us remove
    the Xen specific hack along with fixing the warning.

    Link: https://patchwork.kernel.org/patch/9275217/
    Fixes: 971a69db7dc0 ("Xen: don't warn about 2-byte wchar_t in efi")
    Signed-off-by: Arnd Bergmann
    Acked-by: David Vrabel
    Signed-off-by: Masahiro Yamada
    Signed-off-by: Nick Desaulniers
    Signed-off-by: Greg Kroah-Hartman

commit 52c3adecfb2f5cf6e94b9bbe689fab20cae64d79
Author: Matthias Kaehlcke
Date:   Thu Aug 17 11:20:47 2017 -0700

    x86/build: Use cc-option to validate stack alignment parameter

    commit 9e8730b178a2472fca3123e909d6e69cc8127778 upstream.

    With the following commit:

      8f91869766c0 ("x86/build: Fix stack alignment for CLang")

    cc-option is only used to determine the name of the stack alignment
    option supported by the compiler, but not to verify that the actual
    parameter
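The spectre-v1 commits earlier in this log describe two mitigations in prose: masking an array index to zero when it is out of range (array_index_mask_nospec() and the syscall table clamp) and forcing an out-of-range user pointer to NULL in get_user(). The following is an added example that models both in portable user-space C; it is not the kernel's own code and not the arm32 assembly those commits add. It uses the same arithmetic as the kernel's generic array_index_mask_nospec(), but omits the csdb barrier (plain C has no such instruction), and the call_table, ENOSYS_RET and DEMO_TASK_SIZE values are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Stop the compiler from reasoning about the value: it cannot see the
 * speculative path, so the mask must always be computed and applied.
 * Same trick as the kernel's OPTIMIZER_HIDE_VAR(). */
#define OPTIMIZER_HIDE_VAR(var) __asm__("" : "=r"(var) : "0"(var))

/*
 * Branch-free mask: all ones when index < size, zero otherwise.
 * When index < size, both index and (size - 1 - index) are non-negative,
 * so their OR has the sign bit clear; ~ sets it and the arithmetic right
 * shift smears it into every bit.  When index >= size the subtraction
 * wraps negative, the sign bit is set, and the result is zero.
 * Assumes size <= LONG_MAX, as the kernel's generic version does.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
						    unsigned long size)
{
	OPTIMIZER_HIDE_VAR(index);
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp an out-of-range index to zero without a branch. */
static inline unsigned long array_index_nospec(unsigned long index,
					       unsigned long size)
{
	return index & array_index_mask_nospec(index, size);
}

/* ---- a syscall-table-shaped dispatch, unsafe beside clamped ---- */

#define NR_CALLS 4			/* constructed for the demo */
#define ENOSYS_RET (-38L)		/* stand-in for -ENOSYS */

static long call_a(void) { return 0xA; }
static long call_b(void) { return 0xB; }
static long call_c(void) { return 0xC; }
static long call_d(void) { return 0xD; }
static long (*const call_table[NR_CALLS])(void) = { call_a, call_b, call_c, call_d };

/*
 * Architecturally correct, but the load of call_table[nr] can be issued
 * speculatively with an attacker-chosen nr before the compare resolves:
 * this is the "index = load(...); access(base + index * stride)" gadget
 * from the spectre-v1 commit messages.
 */
static long dispatch_unsafe(unsigned long nr)
{
	if (nr >= NR_CALLS)
		return ENOSYS_RET;
	return call_table[nr]();
}

/*
 * Hardened: the index fed to the table load is masked to zero for any
 * out-of-range nr, so even a mispredicted path reads entry 0, never
 * memory past the table.  The arm32 kernel additionally emits csdb
 * after the mask; that barrier has no portable C equivalent and is
 * omitted here.
 */
static long dispatch_nospec(unsigned long nr)
{
	if (nr >= NR_CALLS)
		return ENOSYS_RET;
	nr = array_index_nospec(nr, NR_CALLS);
	return call_table[nr]();
}

/* ---- the get_user() pointer-NULLing idea, modelled in user space ---- */

#define DEMO_TASK_SIZE 0x40000000UL	/* hypothetical task limit (assumption) */

/*
 * Force an address at or above the limit to NULL with the same mask, so
 * a later dereference faults instead of acting as the load() step of a
 * Spectre v1 gadget.  Addresses below the limit pass through unchanged.
 */
static const void *mask_user_ptr(const void *ptr)
{
	uintptr_t addr = (uintptr_t)ptr;
	return (const void *)(addr & array_index_mask_nospec(addr, DEMO_TASK_SIZE));
}

int main(void)
{
	printf("mask(3,4)=%lx mask(4,4)=%lx\n",
	       array_index_mask_nospec(3, 4), array_index_mask_nospec(4, 4));
	printf("dispatch_nospec(2)=%lx dispatch_nospec(9)=%ld\n",
	       dispatch_nospec(2), dispatch_nospec(9));
	printf("mask_user_ptr(0x1000)=%p mask_user_ptr(limit)=%p\n",
	       mask_user_ptr((const void *)0x1000),
	       mask_user_ptr((const void *)DEMO_TASK_SIZE));
	return 0;
}
```

Both dispatch functions return the same values architecturally; the difference is only visible to a speculative out-of-bounds load, which is why the mask must be computed unconditionally rather than left to a branch the CPU may predict past. The pointer mask is the same primitive applied to an address range instead of an array bound, which is what lets one helper serve both mitigations.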