From: Lecopzer Chen
CC: Lecopzer Chen, Sebastian Andrzej Siewior, YJ Chiang
Subject: [PATCH] ARM: mm: harden branch predictor before opening interrupts during fault
Date: Thu, 3 Dec 2020 17:27:38 +0800
Message-ID: <20201203092738.11866-1-lecopzer.chen@mediatek.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch was sent by "Sebastian Andrzej Siewior" in [1] and rebased on
v5.10-rc6.

The original commit message:

> On non-LPAE systems a write to 0xbffffff0 (modules area) from userland
> results in:
> | BUG: using smp_processor_id() in preemptible [00000000] code: mem-tc/521
> | caller is __do_user_fault.constprop.2+0x4c/0x74
> | CPU: 1 PID: 521 Comm: mem-tc Not tainted 5.1.0-rc1 #4
> | [] (debug_smp_processor_id) from [] (__do_user_fault.constprop.2+0x4c/0x74)
> | [] (__do_user_fault.constprop.2) from [] (do_page_fault+0x278/0x37c)
> | [] (do_page_fault) from [] (do_DataAbort+0x3c/0xa8)
> | [] (do_DataAbort) from [] (__dabt_usr+0x3c/0x40)
>
> Move harden_branch_predictor() from __do_user_fault() to both of its
> callers (do_bad_area() and do_page_fault()). The invocation in
> do_page_fault() is added before interrupts are enabled. The invocation
> in do_bad_area() is added just before __do_user_fault() is invoked.

The BUG still exists in v5.10-rc, and the previous discussion was [2].
This issue can be easily reproduced on ARM with CONFIG_DEBUG_PREEMPT and
CONFIG_HARDEN_BRANCH_PREDICTOR by the following userspace program:

    /* write to an address above TASK_SIZE from user space */
    int *p = (int *)0xffff3ff4;
    *p = 123;

[1]: https://patchwork.kernel.org/project/linux-arm-kernel/patch/20190319203239.gl46fxnfz6gzeeic@linutronix.de/
[2]: https://lkml.org/lkml/2019/6/3/426

Fixes: f5fe12b1eaee2 ("ARM: spectre-v2: harden user aborts in kernel space")
Reported-by: Bernd Edlinger
Signed-off-by: Sebastian Andrzej Siewior
Signed-off-by: Lecopzer Chen Cc: YJ Chiang --- arch/arm/mm/fault.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c index efa402025031..f1b57b7d5a0c 100644 --- a/arch/arm/mm/fault.c +++ b/arch/arm/mm/fault.c @@ -138,9 +138,6 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig, { struct task_struct *tsk = current; - if (addr > TASK_SIZE) - harden_branch_predictor(); - #ifdef CONFIG_DEBUG_USER if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) || ((user_debug & UDBG_BUS) && (sig == SIGBUS))) { @@ -173,8 +170,11 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs) * If we are in kernel mode at this point, we * have no context to handle this fault with. */ - if (user_mode(regs)) + if (user_mode(regs)) { + if (addr > TASK_SIZE) + harden_branch_predictor(); __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs); + } else __do_kernel_fault(mm, addr, fsr, regs); } 
@@ -251,6 +251,9 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) tsk = current; mm = tsk->mm; + if (addr > TASK_SIZE && user_mode(regs)) + harden_branch_predictor(); + /* Enable interrupts if they were enabled in the parent context. */ if (interrupts_enabled(regs)) local_irq_enable(); -- 2.18.0
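Review bot: in the __do_user_fault() hunk, the harden_branch_predictor() call is removed with nothing left behind to say that callers now own it. A short comment above __do_user_fault() stating that callers must invoke harden_branch_predictor() for addr > TASK_SIZE while the context is still non-preemptible would keep a later caller from silently skipping the hardening that f5fe12b1eaee2 ("ARM: spectre-v2: harden user aborts in kernel space") introduced.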
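Review bot: in the do_bad_area() hunk, nothing in the diff or the commit message shows that this path is non-preemptible when harden_branch_predictor() runs; the message only states the ordering against interrupt enabling for do_page_fault(). Please say in the commit message which context do_bad_area() is entered in, since the reported BUG is exactly smp_processor_id() being used in preemptible code. On style, the if branch now has braces while the else branch does not; kernel coding style wants "} else {" with braces on both branches.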
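Review bot: in the do_page_fault() hunk, the new call is only correct because it sits above local_irq_enable(), and no comment records that ordering requirement. A one-line comment above "if (addr > TASK_SIZE && user_mode(regs))" saying it must run before interrupts are enabled would keep a later reshuffle from reintroducing the BUG. Separately, "addr > TASK_SIZE" is carried over from the removed code and leaves addr == TASK_SIZE unhardened; please confirm whether ">=" is intended.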