Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.9.140 2018-11-23T11:57:41Z 2018-11-23T11:57:41Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2018-11-23T11:57:41Z urn:sha1:e186413178a3d6a4d5c92ef5bced2e0b589a4649 2018-11-23T11:57:41Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2018-11-23T11:42:42Z urn:sha1:961323dd94783fd78507ad04eac3a90d95b1fa8f This reverts commit 23e983e27aaff6357bb851d91b593d83a9a6552c which is commit b91d532928dff2141ea9c107c3e73104d9843767 upstream. It breaks the Android networking test suite, which works fine with the backported patch in 4.14. So something must be off for 4.9 for this patch, so just revert it. Cc: Jianlin Shi <jishi@redhat.com> Cc: David Ahern <dsahern@gmail.com> Cc: Xin Long <lucien.xin@gmail.com> Cc: David S. Miller <davem@davemloft.net> Cc: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-11-23T11:57:41Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2018-11-21T18:11:06Z urn:sha1:0afb423b1d3fd4728ab273c208392e61cc06c835 This reverts commit 66fe51cb35d91d75a67ec8a38caf03da95e8c191 which is commit 53c613fe6349994f023245519265999eed75957f upstream. It's not ready for the stable trees as there are major slowdowns involved with this patch. Reported-by: Jiri Kosina <jkosina@suse.cz> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: "WoodhouseDavid" <dwmw@amazon.co.uk> Cc: Andi Kleen <ak@linux.intel.com> Cc: Tim Chen <tim.c.chen@linux.intel.com> Cc: "SchauflerCasey" <casey.schaufler@intel.com> Cc: Rainer Fiebig <jrf@mailbox.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-11-23T07:20:39Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2018-11-23T07:20:39Z urn:sha1:44caf8b34625267f5b7227391551a4064e5fa0f7 2018-11-23T07:20:39Z Russell King rmk+kernel@armlinux.org.uk 2018-11-07T16:44:02Z urn:sha1:861f5387585e2dcf7e2e611e62751dd3fe1abecb Commit a3c0f84765bb429ba0fd23de1c57b5e1591c9389 upstream. Spectre variant 1 attacks are about this sequence of pseudo-code: index = load(user-manipulated pointer); access(base + index * stride); In order for the cache side-channel to work, the access() must me made to memory which userspace can detect whether cache lines have been loaded. On 32-bit ARM, this must be either user accessible memory, or a kernel mapping of that same user accessible memory. The problem occurs when the load() speculatively loads privileged data, and the subsequent access() is made to user accessible memory. Any load() which makes use of a user-maniplated pointer is a potential problem if the data it has loaded is used in a subsequent access. This also applies for the access() if the data loaded by that access is used by a subsequent access. Harden the get_user() accessors against Spectre attacks by forcing out of bounds addresses to a NULL pointer. This prevents get_user() being used as the load() step above. As a side effect, put_user() will also be affected even though it isn't implicated. Also harden copy_from_user() by redoing the bounds check within the arm_copy_from_user() code, and NULLing the pointer if out of bounds. Acked-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: David A. Long <dave.long@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-11-23T07:20:39Z Russell King rmk+kernel@armlinux.org.uk 2018-11-07T16:44:01Z urn:sha1:f4438f29bfbd105a4208cf194cd7f1f3e01fd666 Commit b1cd0a14806321721aae45f5446ed83a3647c914 upstream. Fixing __get_user() for spectre variant 1 is not sane: we would have to add address space bounds checking in order to validate that the location should be accessed, and then zero the address if found to be invalid. Since __get_user() is supposed to avoid the bounds check, and this is exactly what get_user() does, there's no point having two different implementations that are doing the same thing. So, when the Spectre workarounds are required, make __get_user() an alias of get_user(). Acked-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: David A. Long <dave.long@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-11-23T07:20:39Z Russell King rmk+kernel@armlinux.org.uk 2018-11-07T16:44:00Z urn:sha1:bdf0f17e4e1103af74239cfea553b8ab3c4fd29f Commit d09fbb327d670737ab40fd8bbb0765ae06b8b739 upstream. Borrow the x86 implementation of __inttype() to use in get_user() to select an integer type suitable to temporarily hold the result value. This is necessary to avoid propagating the volatile nature of the result argument, which can cause the following warning: lib/iov_iter.c:413:5: warning: optimization may eliminate reads and/or writes to register variables [-Wvolatile-register-var] Acked-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: David A. Long <dave.long@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-11-23T07:20:39Z Russell King rmk+kernel@armlinux.org.uk 2018-11-07T16:43:59Z urn:sha1:d609e4aa5086e2c20a7767f70401af0e2400989a Commit 8c8484a1c18e3231648f5ba7cc5ffb7fd70b3ca4 upstream. __get_user_error() is used as a fast accessor to make copying structure members as efficient as possible. However, with software PAN and the recent Spectre variant 1, the efficiency is reduced as these are no longer fast accessors. In the case of software PAN, it has to switch the domain register around each access, and with Spectre variant 1, it would have to repeat the access_ok() check for each access. Rather than using __get_user_error() to copy each semops element member, copy each semops element in full using __copy_from_user(). Acked-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: David A. Long <dave.long@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-11-23T07:20:39Z Russell King rmk+kernel@armlinux.org.uk 2018-11-07T16:43:58Z urn:sha1:9c91b9687904d28ad29974ce9028bb6a6088527f Commit 42019fc50dfadb219f9e6ddf4c354f3837057d80 upstream. __get_user_error() is used as a fast accessor to make copying structure members in the signal handling path as efficient as possible. However, with software PAN and the recent Spectre variant 1, the efficiency is reduced as these are no longer fast accessors. In the case of software PAN, it has to switch the domain register around each access, and with Spectre variant 1, it would have to repeat the access_ok() check for each access. Use __copy_from_user() rather than __get_user_err() for individual members when restoring VFP state. Acked-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: David A. Long <dave.long@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-11-23T07:20:39Z Russell King rmk+kernel@armlinux.org.uk 2018-11-07T16:43:57Z urn:sha1:50f032cc506a0f8c5a44c2f19950ae0f287b43db Commit c32cd419d6650e42b9cdebb83c672ec945e6bd7e upstream. __get_user_error() is used as a fast accessor to make copying structure members in the signal handling path as efficient as possible. However, with software PAN and the recent Spectre variant 1, the efficiency is reduced as these are no longer fast accessors. In the case of software PAN, it has to switch the domain register around each access, and with Spectre variant 1, it would have to repeat the access_ok() check for each access. It becomes much more efficient to use __copy_from_user() instead, so let's use this for the ARM integer registers. Acked-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: David A. Long <dave.long@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>