Commit 10573ae5 authored by Russell King's avatar Russell King

ARM: spectre-v1: fix syscall entry

Prevent speculation at the syscall table decoding by clamping the index
used to zero on invalid system call numbers, and using the csdb
speculative barrier.
Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
Boot-tested-by: default avatarTony Lindgren <tony@atomide.com>
Reviewed-by: default avatarTony Lindgren <tony@atomide.com>
parent 1d4238c5
...@@ -242,9 +242,7 @@ local_restart: ...@@ -242,9 +242,7 @@ local_restart:
tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls? tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
bne __sys_trace bne __sys_trace
cmp scno, #NR_syscalls @ check upper syscall limit invoke_syscall tbl, scno, r10, ret_fast_syscall
badr lr, ret_fast_syscall @ return address
ldrcc pc, [tbl, scno, lsl #2] @ call sys_* routine
add r1, sp, #S_OFF add r1, sp, #S_OFF
2: cmp scno, #(__ARM_NR_BASE - __NR_SYSCALL_BASE) 2: cmp scno, #(__ARM_NR_BASE - __NR_SYSCALL_BASE)
...@@ -278,14 +276,8 @@ __sys_trace: ...@@ -278,14 +276,8 @@ __sys_trace:
mov r1, scno mov r1, scno
add r0, sp, #S_OFF add r0, sp, #S_OFF
bl syscall_trace_enter bl syscall_trace_enter
mov scno, r0
badr lr, __sys_trace_return @ return address invoke_syscall tbl, scno, r10, __sys_trace_return, reload=1
mov scno, r0 @ syscall number (possibly new)
add r1, sp, #S_R0 + S_OFF @ pointer to regs
cmp scno, #NR_syscalls @ check upper syscall limit
ldmccia r1, {r0 - r6} @ have to reload r0 - r6
stmccia sp, {r4, r5} @ and update the stack args
ldrcc pc, [tbl, scno, lsl #2] @ call sys_* routine
cmp scno, #-1 @ skip the syscall? cmp scno, #-1 @ skip the syscall?
bne 2b bne 2b
add sp, sp, #S_OFF @ restore stack add sp, sp, #S_OFF @ restore stack
...@@ -363,6 +355,10 @@ sys_syscall: ...@@ -363,6 +355,10 @@ sys_syscall:
bic scno, r0, #__NR_OABI_SYSCALL_BASE bic scno, r0, #__NR_OABI_SYSCALL_BASE
cmp scno, #__NR_syscall - __NR_SYSCALL_BASE cmp scno, #__NR_syscall - __NR_SYSCALL_BASE
cmpne scno, #NR_syscalls @ check range cmpne scno, #NR_syscalls @ check range
#ifdef CONFIG_CPU_SPECTRE
movhs scno, #0
csdb
#endif
stmloia sp, {r5, r6} @ shuffle args stmloia sp, {r5, r6} @ shuffle args
movlo r0, r1 movlo r0, r1
movlo r1, r2 movlo r1, r2
......
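Review bot: The added clamp in sys_syscall (`movhs scno, #0` followed by `csdb`) carries no comment, and two properties it depends on are easy to break in a later edit. It relies on the flags from the `cmp`/`cmpne` pair surviving to the `lo`-conditional instructions below, so nothing flag-setting may be inserted in between; `hs` is also true when scno equals `__NR_syscall - __NR_SYSCALL_BASE`, because `cmpne` is then skipped, so that case is clamped too. Unlike invoke_syscall, which clamps a scratch register, this path overwrites scno itself, which is safe only if nothing on the out-of-range path reads scno afterwards; the rest of sys_syscall is outside the hunk, so that should be confirmed. I would add `@ clamp index under speculation; flags must stay live for the lo ops below` on the `movhs` line.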
...@@ -378,6 +378,31 @@ ...@@ -378,6 +378,31 @@
#endif #endif
.endm .endm
.macro invoke_syscall, table, nr, tmp, ret, reload=0
#ifdef CONFIG_CPU_SPECTRE
mov \tmp, \nr
cmp \tmp, #NR_syscalls @ check upper syscall limit
movcs \tmp, #0
csdb
badr lr, \ret @ return address
.if \reload
add r1, sp, #S_R0 + S_OFF @ pointer to regs
ldmccia r1, {r0 - r6} @ reload r0-r6
stmccia sp, {r4, r5} @ update stack arguments
.endif
ldrcc pc, [\table, \tmp, lsl #2] @ call sys_* routine
#else
cmp \nr, #NR_syscalls @ check upper syscall limit
badr lr, \ret @ return address
.if \reload
add r1, sp, #S_R0 + S_OFF @ pointer to regs
ldmccia r1, {r0 - r6} @ reload r0-r6
stmccia sp, {r4, r5} @ update stack arguments
.endif
ldrcc pc, [\table, \nr, lsl #2] @ call sys_* routine
#endif
.endm
/* /*
* These are the registers used in the syscall handler, and allow us to * These are the registers used in the syscall handler, and allow us to
* have in theory up to 7 arguments to a function - r0 to r6. * have in theory up to 7 arguments to a function - r0 to r6.
......
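Review bot: invoke_syscall has no header comment, and its register contract differs between the two `#ifdef` branches: with CONFIG_CPU_SPECTRE it overwrites `\tmp`, without it `\tmp` is left untouched. Both call sites on this page pass r10, which the fast path has just tested against `_TIF_SYSCALL_WORK`, so the macro should state that `\tmp` must be dead at the call site. A block comment above `.macro` should also say that lr is set to `\ret`, that with `reload=1` r1 is always overwritten while r0-r6 are reloaded only for an in-range number, and that the macro falls through with carry set and `\nr` unmodified when the number is out of range. Because `movcs`, `csdb`, `badr` and `add` sit between the `cmp` and the `cc`-conditional instructions, it is worth noting there that nothing flag-setting may be added in that window. The two branches also duplicate the reload and dispatch sequence apart from the index register; `@ keep in sync with the CONFIG_CPU_SPECTRE branch` on the `#else` side would guard against them drifting apart.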