[SRU][Bionic][v4 0/6] Follow-up fixes for CVE-2017-5715 (Spectre v2) for s390x


[SRU][Bionic][v4 0/6] Follow-up fixes for CVE-2017-5715 (Spectre v2) for s390x

Khalid Elmously
Patches requested by IBM for Spectre v2.

Build-tested for s390x


Christian Borntraeger (2):
  KVM: s390: implement CPU model only facilities
  KVM: s390: add etoken support for guests

Martin Schwidefsky (4):
  s390: detect etoken facility
  s390/lib: use expoline for all bcr instructions
  s390: fix br_r1_trampoline for machines without exrl
  UBUNTU: SAUCE: bpf, s390x: remove ld_abs/ld_ind

 arch/s390/include/asm/kvm_host.h |  1 +
 arch/s390/include/uapi/asm/kvm.h |  5 ++-
 arch/s390/kernel/nospec-branch.c | 12 ++++++-
 arch/s390/kernel/nospec-sysfs.c  |  2 ++
 arch/s390/kvm/kvm-s390.c         | 61 +++++++++++++++++++++-----------
 arch/s390/kvm/kvm-s390.h         |  2 --
 arch/s390/kvm/vsie.c             |  9 +++--
 arch/s390/lib/mem.S              | 16 +++++----
 arch/s390/net/bpf_jit_comp.c     | 11 +++---
 arch/s390/tools/gen_facilities.c | 23 +++++++++++-
 10 files changed, 104 insertions(+), 38 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][Bionic][v3 1/6] KVM: s390: implement CPU model only facilities

Khalid Elmously
From: Christian Borntraeger <[hidden email]>

CVE-2017-5715 (Spectre v2 s390x)

Some facilities should only be provided to the guest, if they are
enabled by a CPU model. This allows us to avoid capabilities and
to simply fall back to the cpumodel for deciding about a facility
without enabling it for older QEMUs or QEMUs without a CPU
model.

Reviewed-by: David Hildenbrand <[hidden email]>
Reviewed-by: Cornelia Huck <[hidden email]>
Signed-off-by: Christian Borntraeger <[hidden email]>
(cherry picked from commit c3b9e3e1ea1c1d1524b56b6734711db2a6fc2163)
Signed-off-by: Khalid Elmously <[hidden email]>
---
 arch/s390/kvm/kvm-s390.c         | 53 ++++++++++++++++++++------------
 arch/s390/kvm/kvm-s390.h         |  2 --
 arch/s390/tools/gen_facilities.c | 20 ++++++++++++
 3 files changed, 54 insertions(+), 21 deletions(-)

diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index 656a3c8dfb50..9629be612304 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -151,13 +151,33 @@ static int nested;
 module_param(nested, int, S_IRUGO);
 MODULE_PARM_DESC(nested, "Nested virtualization support");
 
-/* upper facilities limit for kvm */
-unsigned long kvm_s390_fac_list_mask[16] = { FACILITIES_KVM };
 
-unsigned long kvm_s390_fac_list_mask_size(void)
+/*
+ * For now we handle at most 16 double words as this is what the s390 base
+ * kernel handles and stores in the prefix page. If we ever need to go beyond
+ * this, this requires changes to code, but the external uapi can stay.
+ */
+#define SIZE_INTERNAL 16
+
+/*
+ * Base feature mask that defines default mask for facilities. Consists of the
+ * defines in FACILITIES_KVM and the non-hypervisor managed bits.
+ */
+static unsigned long kvm_s390_fac_base[SIZE_INTERNAL] = { FACILITIES_KVM };
+/*
+ * Extended feature mask. Consists of the defines in FACILITIES_KVM_CPUMODEL
+ * and defines the facilities that can be enabled via a cpu model.
+ */
+static unsigned long kvm_s390_fac_ext[SIZE_INTERNAL] = { FACILITIES_KVM_CPUMODEL };
+
+static unsigned long kvm_s390_fac_size(void)
 {
- BUILD_BUG_ON(ARRAY_SIZE(kvm_s390_fac_list_mask) > S390_ARCH_FAC_MASK_SIZE_U64);
- return ARRAY_SIZE(kvm_s390_fac_list_mask);
+ BUILD_BUG_ON(SIZE_INTERNAL > S390_ARCH_FAC_MASK_SIZE_U64);
+ BUILD_BUG_ON(SIZE_INTERNAL > S390_ARCH_FAC_LIST_SIZE_U64);
+ BUILD_BUG_ON(SIZE_INTERNAL * sizeof(unsigned long) >
+ sizeof(S390_lowcore.stfle_fac_list));
+
+ return SIZE_INTERNAL;
 }
 
 /* available cpu features supported by kvm */
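Review bot: kvm_s390_fac_ext is introduced as a mutable `static unsigned long` array but nothing in the visible hunks ever writes to it, unlike kvm_s390_fac_base which kvm_s390_init ORs the non-hypervisor bits into; declaring it `static const unsigned long kvm_s390_fac_ext[SIZE_INTERNAL] = { FACILITIES_KVM_CPUMODEL };` would make the set of CPU-model-enableable facilities read-only and catch an accidental widening at compile time. If some code outside this page does modify it, ignore this. The BUILD_BUG_ON checks in kvm_s390_fac_size() are a good addition since they only hold while the function is actually referenced, which kvm_arch_init_vm now does.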
@@ -1953,20 +1973,15 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
  if (!kvm->arch.sie_page2)
  goto out_err;
 
- /* Populate the facility mask initially. */
- memcpy(kvm->arch.model.fac_mask, S390_lowcore.stfle_fac_list,
-       sizeof(S390_lowcore.stfle_fac_list));
- for (i = 0; i < S390_ARCH_FAC_LIST_SIZE_U64; i++) {
- if (i < kvm_s390_fac_list_mask_size())
- kvm->arch.model.fac_mask[i] &= kvm_s390_fac_list_mask[i];
- else
- kvm->arch.model.fac_mask[i] = 0UL;
- }
-
- /* Populate the facility list initially. */
  kvm->arch.model.fac_list = kvm->arch.sie_page2->fac_list;
- memcpy(kvm->arch.model.fac_list, kvm->arch.model.fac_mask,
-       S390_ARCH_FAC_LIST_SIZE_BYTE);
+
+ for (i = 0; i < kvm_s390_fac_size(); i++) {
+ kvm->arch.model.fac_mask[i] = S390_lowcore.stfle_fac_list[i] &
+      (kvm_s390_fac_base[i] |
+       kvm_s390_fac_ext[i]);
+ kvm->arch.model.fac_list[i] = S390_lowcore.stfle_fac_list[i] &
+      kvm_s390_fac_base[i];
+ }
 
  /* we are always in czam mode - even on pre z14 machines */
  set_kvm_facility(kvm->arch.model.fac_mask, 138);
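Review bot: The new loop fills only the first kvm_s390_fac_size() double words of fac_mask and fac_list, whereas the removed code explicitly zeroed fac_mask up to S390_ARCH_FAC_LIST_SIZE_U64 and copied that whole range into fac_list; words from index 16 onward are now left at whatever the allocation gave them. That is presumably fine because sie_page2 and the kvm structure are zero-allocated, but nothing in the hunk shows it, so add a comment above the loop such as `/* words >= kvm_s390_fac_size() stay zero from the zeroed allocation */` or keep an explicit clear. The security property worth stating in the same comment is that fac_list (what a guest sees without a CPU model) only takes FACILITIES_KVM bits, while fac_mask additionally admits FACILITIES_KVM_CPUMODEL bits, so those facilities only reach a guest when userspace enables them through a CPU model. kvm_arch_init_vm starts and ends outside the hunk.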
@@ -3965,7 +3980,7 @@ static int __init kvm_s390_init(void)
  }
 
  for (i = 0; i < 16; i++)
- kvm_s390_fac_list_mask[i] |=
+ kvm_s390_fac_base[i] |=
  S390_lowcore.stfle_fac_list[i] & nonhyp_mask(i);
 
  return kvm_init(NULL, sizeof(struct kvm_vcpu), 0, THIS_MODULE);
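Review bot: The loop bound is still the literal `16` while the rest of this file now expresses the same limit as SIZE_INTERNAL / kvm_s390_fac_size(); `for (i = 0; i < kvm_s390_fac_size(); i++)` keeps the BUILD_BUG_ON checks in force for this loop too and avoids a silent mismatch if SIZE_INTERNAL ever changes. kvm_s390_init starts and ends outside the hunk.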
diff --git a/arch/s390/kvm/kvm-s390.h b/arch/s390/kvm/kvm-s390.h
index efa186f065fb..0f08873937d4 100644
--- a/arch/s390/kvm/kvm-s390.h
+++ b/arch/s390/kvm/kvm-s390.h
@@ -281,8 +281,6 @@ void exit_sie(struct kvm_vcpu *vcpu);
 void kvm_s390_sync_request(int req, struct kvm_vcpu *vcpu);
 int kvm_s390_vcpu_setup_cmma(struct kvm_vcpu *vcpu);
 void kvm_s390_vcpu_unsetup_cmma(struct kvm_vcpu *vcpu);
-unsigned long kvm_s390_fac_list_mask_size(void);
-extern unsigned long kvm_s390_fac_list_mask[];
 void kvm_s390_set_cpu_timer(struct kvm_vcpu *vcpu, __u64 cputm);
 __u64 kvm_s390_get_cpu_timer(struct kvm_vcpu *vcpu);
 
diff --git a/arch/s390/tools/gen_facilities.c b/arch/s390/tools/gen_facilities.c
index 0373801d9860..78b7192fc070 100644
--- a/arch/s390/tools/gen_facilities.c
+++ b/arch/s390/tools/gen_facilities.c
@@ -62,6 +62,13 @@ static struct facility_def facility_defs[] = {
  }
  },
  {
+ /*
+ * FACILITIES_KVM contains the list of facilities that are part
+ * of the default facility mask and list that are passed to the
+ * initial CPU model. If no CPU model is used, this, together
+ * with the non-hypervisor managed bits, is the maximum list of
+ * guest facilities supported by KVM.
+ */
  .name = "FACILITIES_KVM",
  .bits = (int[]){
  0,  /* N3 instructions */
@@ -89,6 +96,19 @@ static struct facility_def facility_defs[] = {
  -1  /* END */
  }
  },
+ {
+ /*
+ * FACILITIES_KVM_CPUMODEL contains the list of facilities
+ * that can be enabled by CPU model code if the host supports
+ * it. These facilities are not passed to the guest without
+ * CPU model support.
+ */
+
+ .name = "FACILITIES_KVM_CPUMODEL",
+ .bits = (int[]){
+ -1  /* END */
+ }
+ },
 };
 
 static void print_facility_list(struct facility_def *def)
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][Bionic][v3 2/6] s390: detect etoken facility

Khalid Elmously
From: Martin Schwidefsky <[hidden email]>

CVE-2017-5715 (Spectre v2 s390x)

Detect and report the etoken facility. With spectre_v2=auto or
CONFIG_EXPOLINE_AUTO=y automatically disable expolines and use
the full branch prediction mode for the kernel.

Signed-off-by: Martin Schwidefsky <[hidden email]>
(cherry picked from commit aeaf7002a76c8da60c0f503badcbddc07650678c)
Signed-off-by: Khalid Elmously <[hidden email]>
---
 arch/s390/kernel/nospec-branch.c | 12 +++++++++++-
 arch/s390/kernel/nospec-sysfs.c  |  2 ++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c
index 8ad6a7128b3a..555da6e05d7b 100644
--- a/arch/s390/kernel/nospec-branch.c
+++ b/arch/s390/kernel/nospec-branch.c
@@ -35,6 +35,8 @@ early_param("nospec", nospec_setup_early);
 
 static int __init nospec_report(void)
 {
+ if (test_facility(156))
+ pr_info("Spectre V2 mitigation: etokens\n");
  if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable)
  pr_info("Spectre V2 mitigation: execute trampolines.\n");
  if (__test_facility(82, S390_lowcore.alt_stfle_fac_list))
@@ -56,7 +58,15 @@ early_param("nospectre_v2", nospectre_v2_setup_early);
 
 void __init nospec_auto_detect(void)
 {
- if (IS_ENABLED(CC_USING_EXPOLINE)) {
+ if (test_facility(156)) {
+ /*
+ * The machine supports etokens.
+ * Disable expolines and disable nobp.
+ */
+ if (IS_ENABLED(CC_USING_EXPOLINE))
+ nospec_disable = 1;
+ __clear_facility(82, S390_lowcore.alt_stfle_fac_list);
+ } else if (IS_ENABLED(CC_USING_EXPOLINE)) {
  /*
  * The kernel has been compiled with expolines.
  * Keep expolines enabled and disable nobp.
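Review bot: The new etoken branch switches off both software mitigations (expolines via nospec_disable and nobp via clearing facility 82) without saying why that is safe; a comment such as `/* facility 156 (etoken): hardware-side branch prediction isolation makes expolines and nobp redundant */` would spare the next reader a trip to the architecture documentation, though the exact guarantee the facility gives is not visible here and should be confirmed before it is written down. Per the description this only happens on the auto path (spectre_v2=auto or CONFIG_EXPOLINE_AUTO=y), so an explicit spectre_v2=on presumably still keeps expolines even on etoken machines; that is the conservative choice and is worth noting in the comment as well. nospec_auto_detect continues past the hunk.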
diff --git a/arch/s390/kernel/nospec-sysfs.c b/arch/s390/kernel/nospec-sysfs.c
index 8affad5f18cb..e30e580ae362 100644
--- a/arch/s390/kernel/nospec-sysfs.c
+++ b/arch/s390/kernel/nospec-sysfs.c
@@ -13,6 +13,8 @@ ssize_t cpu_show_spectre_v1(struct device *dev,
 ssize_t cpu_show_spectre_v2(struct device *dev,
     struct device_attribute *attr, char *buf)
 {
+ if (test_facility(156))
+ return sprintf(buf, "Mitigation: etokens\n");
  if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable)
  return sprintf(buf, "Mitigation: execute trampolines\n");
  if (__test_facility(82, S390_lowcore.alt_stfle_fac_list))
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][Bionic][v3 3/6] KVM: s390: add etoken support for guests

Khalid Elmously
From: Christian Borntraeger <[hidden email]>

CVE-2017-5715 (Spectre v2 s390x)

We want to provide facility 156 (etoken facility) to our
guests. This includes migration support (via sync regs) and
VSIE changes. The tokens are being reset on clear reset. This
has to be implemented by userspace (via sync regs).

Signed-off-by: Christian Borntraeger <[hidden email]>
Reviewed-by: David Hildenbrand <[hidden email]>
Acked-by: Cornelia Huck <[hidden email]>
(backported from commit a3da7b4a3be51f37f434f14e11e60491f098b6ea)
[kmously: Minor context adjustment for whitespace]
Signed-off-by: Khalid Elmously <[hidden email]>
---
 arch/s390/include/asm/kvm_host.h | 1 +
 arch/s390/include/uapi/asm/kvm.h | 5 ++++-
 arch/s390/kvm/kvm-s390.c         | 8 ++++++--
 arch/s390/kvm/vsie.c             | 9 +++++++--
 arch/s390/tools/gen_facilities.c | 3 ++-
 5 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
index cd7ed86c571e..3ad7ccde93af 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -266,6 +266,7 @@ struct kvm_s390_sie_block {
  __u8 reserved1c0[8]; /* 0x01c0 */
 #define ECD_HOSTREGMGMT 0x20000000
 #define ECD_MEF 0x08000000
+#define ECD_ETOKENF 0x02000000
  __u32 ecd; /* 0x01c8 */
  __u8 reserved1cc[18]; /* 0x01cc */
  __u64 pp; /* 0x01de */
diff --git a/arch/s390/include/uapi/asm/kvm.h b/arch/s390/include/uapi/asm/kvm.h
index 4cdaa55fabfe..9a50f02b9894 100644
--- a/arch/s390/include/uapi/asm/kvm.h
+++ b/arch/s390/include/uapi/asm/kvm.h
@@ -4,7 +4,7 @@
 /*
  * KVM s390 specific structures and definitions
  *
- * Copyright IBM Corp. 2008
+ * Copyright IBM Corp. 2008, 2018
  *
  *    Author(s): Carsten Otte <[hidden email]>
  *               Christian Borntraeger <[hidden email]>
@@ -225,6 +225,7 @@ struct kvm_guest_debug_arch {
 #define KVM_SYNC_FPRS   (1UL << 8)
 #define KVM_SYNC_GSCB   (1UL << 9)
 #define KVM_SYNC_BPBC   (1UL << 10)
+#define KVM_SYNC_ETOKEN (1UL << 11)
 /* length and alignment of the sdnx as a power of two */
 #define SDNXC 8
 #define SDNXL (1UL << SDNXC)
@@ -258,6 +259,8 @@ struct kvm_sync_regs {
  struct {
  __u64 reserved1[2];
  __u64 gscb[4];
+ __u64 etoken;
+ __u64 etoken_extension;
  };
  };
 };
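Review bot: Appending `etoken` and `etoken_extension` after gscb[4] changes a uapi structure, so it must not move or grow anything userspace already relies on; the anonymous struct sits inside a union whose other member is outside the hunk, so confirm the 64 bytes it now occupies still fit inside the existing SDNX-sized member and that sizeof(struct kvm_sync_regs) is unchanged. A short comment on the two fields, e.g. `/* valid when KVM_SYNC_ETOKEN is set; lives in the SDNX and is loaded/stored by SIE directly */`, would tie them to the new flag and to the "SIE will load etoken directly from SDNX" comments in kvm-s390.c. The struct definition starts outside the hunk.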
diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index 9629be612304..bc637fd34ec0 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -2262,6 +2262,8 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
  vcpu->run->kvm_valid_regs |= KVM_SYNC_BPBC;
  if (test_kvm_facility(vcpu->kvm, 133))
  vcpu->run->kvm_valid_regs |= KVM_SYNC_GSCB;
+ if (test_kvm_facility(vcpu->kvm, 156))
+ vcpu->run->kvm_valid_regs |= KVM_SYNC_ETOKEN;
  /* fprs can be synchronized via vrs, even if the guest has no vx. With
  * MACHINE_HAS_VX, (load|store)_fpu_regs() will work with vrs format.
  */
@@ -2509,7 +2511,8 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
  }
  if (test_kvm_facility(vcpu->kvm, 139))
  vcpu->arch.sie_block->ecd |= ECD_MEF;
-
+ if (test_kvm_facility(vcpu->kvm, 156))
+ vcpu->arch.sie_block->ecd |= ECD_ETOKENF;
  vcpu->arch.sie_block->sdnxo = ((unsigned long) &vcpu->run->s.regs.sdnx)
  | SDNXC;
  vcpu->arch.sie_block->riccbd = (unsigned long) &vcpu->run->s.regs.riccb;
@@ -3381,6 +3384,7 @@ static void sync_regs(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
  }
  preempt_enable();
  }
+ /* SIE will load etoken directly from SDNX and therefore kvm_run */
 
  kvm_run->kvm_dirty_regs = 0;
 }
@@ -3420,7 +3424,7 @@ static void store_regs(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
  __ctl_clear_bit(2, 4);
  vcpu->arch.host_gscb = NULL;
  }
-
+ /* SIE will save etoken directly into SDNX and therefore kvm_run */
 }
 
 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c
index eb3043a7fff5..1f5989422df6 100644
--- a/arch/s390/kvm/vsie.c
+++ b/arch/s390/kvm/vsie.c
@@ -2,7 +2,7 @@
 /*
  * kvm nested virtualization support for s390x
  *
- * Copyright IBM Corp. 2016
+ * Copyright IBM Corp. 2016, 2018
  *
  *    Author(s): David Hildenbrand <[hidden email]>
  */
@@ -372,6 +372,10 @@ static int shadow_scb(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page)
  if (test_kvm_facility(vcpu->kvm, 139))
  scb_s->ecd |= scb_o->ecd & ECD_MEF;
 
+ /* etoken */
+ if (test_kvm_facility(vcpu->kvm, 156))
+ scb_s->ecd |= scb_o->ecd & ECD_ETOKENF;
+
  prepare_ibc(vcpu, vsie_page);
  rc = shadow_crycb(vcpu, vsie_page);
 out:
@@ -621,7 +625,8 @@ static int pin_blocks(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page)
  /* Validity 0x0044 will be checked by SIE */
  scb_s->riccbd = hpa;
  }
- if ((scb_s->ecb & ECB_GS) && !(scb_s->ecd & ECD_HOSTREGMGMT)) {
+ if (((scb_s->ecb & ECB_GS) && !(scb_s->ecd & ECD_HOSTREGMGMT)) ||
+    (scb_s->ecd & ECD_ETOKENF)) {
  unsigned long sdnxc;
 
  gpa = READ_ONCE(scb_o->sdnxo) & ~0xfUL;
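Review bot: The widened condition now pins the SDNX whenever ECD_ETOKENF is set, but the comment above it only explains the guarded-storage case; a one-line note such as `/* etoken is loaded/stored by SIE from the SDNX, so it must be pinned as well */` would explain the second operand. Since scb_s->ecd only receives ECD_ETOKENF in shadow_scb when test_kvm_facility(vcpu->kvm, 156) holds, a nested guest cannot force this pin on hosts that did not enable the facility, which is the intended gating and is worth stating. pin_blocks starts and ends outside the hunk; the sdnxo alignment and size validation that presumably follows is not visible.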
diff --git a/arch/s390/tools/gen_facilities.c b/arch/s390/tools/gen_facilities.c
index 78b7192fc070..c3582a42b598 100644
--- a/arch/s390/tools/gen_facilities.c
+++ b/arch/s390/tools/gen_facilities.c
@@ -4,7 +4,7 @@
  * numbering scheme from the Princples of Operations: most significant bit
  * has bit number 0.
  *
- *    Copyright IBM Corp. 2015
+ *    Copyright IBM Corp. 2015, 2018
  *
  */
 
@@ -106,6 +106,7 @@ static struct facility_def facility_defs[] = {
 
  .name = "FACILITIES_KVM_CPUMODEL",
  .bits = (int[]){
+ 156, /* etoken facility */
  -1  /* END */
  }
  },
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][Bionic][v3 4/6] s390/lib: use expoline for all bcr instructions

Khalid Elmously
From: Martin Schwidefsky <[hidden email]>

CVE-2017-5715 (Spectre v2 s390x)

The memmove, memset, memcpy, __memset16, __memset32 and __memset64
functions have an additional indirect return branch in the form of a
"bzr" instruction. These need to use expolines as well.

Cc: <[hidden email]> # v4.17+
Fixes: 97489e0663 ("s390/lib: use expoline for indirect branches")
Reviewed-by: Heiko Carstens <[hidden email]>
Signed-off-by: Martin Schwidefsky <[hidden email]>
(cherry picked from commit 5eda25b10297684c1f46a14199ec00210f3c346e)
Signed-off-by: Khalid Elmously <[hidden email]>
---
 arch/s390/lib/mem.S | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S
index 2311f15be9cf..40c4d59c926e 100644
--- a/arch/s390/lib/mem.S
+++ b/arch/s390/lib/mem.S
@@ -17,7 +17,7 @@
 ENTRY(memmove)
  ltgr %r4,%r4
  lgr %r1,%r2
- bzr %r14
+ jz .Lmemmove_exit
  aghi %r4,-1
  clgr %r2,%r3
  jnh .Lmemmove_forward
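Review bot: Worth a short comment at each ENTRY that the early exit now goes through the shared BR_EX label, e.g. `# every return goes through BR_EX; do not add a bare bcr/bzr %r14`, because a future contributor adding another early return could otherwise reintroduce an unprotected indirect branch that this series is removing. The change itself is right: `jz` is a relative branch and needs no expoline, and `.Lmemmove_exit` lands on the existing BR_EX %r14 in the next hunk. memmove's body continues past the hunk.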
@@ -36,6 +36,7 @@ ENTRY(memmove)
 .Lmemmove_forward_remainder:
  larl %r5,.Lmemmove_mvc
  ex %r4,0(%r5)
+.Lmemmove_exit:
  BR_EX %r14
 .Lmemmove_reverse:
  ic %r0,0(%r4,%r3)
@@ -65,7 +66,7 @@ EXPORT_SYMBOL(memmove)
  */
 ENTRY(memset)
  ltgr %r4,%r4
- bzr %r14
+ jz .Lmemset_exit
  ltgr %r3,%r3
  jnz .Lmemset_fill
  aghi %r4,-1
@@ -80,6 +81,7 @@ ENTRY(memset)
 .Lmemset_clear_remainder:
  larl %r3,.Lmemset_xc
  ex %r4,0(%r3)
+.Lmemset_exit:
  BR_EX %r14
 .Lmemset_fill:
  cghi %r4,1
@@ -115,7 +117,7 @@ EXPORT_SYMBOL(memset)
  */
 ENTRY(memcpy)
  ltgr %r4,%r4
- bzr %r14
+ jz .Lmemcpy_exit
  aghi %r4,-1
  srlg %r5,%r4,8
  ltgr %r5,%r5
@@ -124,6 +126,7 @@ ENTRY(memcpy)
 .Lmemcpy_remainder:
  larl %r5,.Lmemcpy_mvc
  ex %r4,0(%r5)
+.Lmemcpy_exit:
  BR_EX %r14
 .Lmemcpy_loop:
  mvc 0(256,%r1),0(%r3)
@@ -145,9 +148,9 @@ EXPORT_SYMBOL(memcpy)
 .macro __MEMSET bits,bytes,insn
 ENTRY(__memset\bits)
  ltgr %r4,%r4
- bzr %r14
+ jz .L__memset_exit\bits
  cghi %r4,\bytes
- je .L__memset_exit\bits
+ je .L__memset_store\bits
  aghi %r4,-(\bytes+1)
  srlg %r5,%r4,8
  ltgr %r5,%r5
@@ -163,8 +166,9 @@ ENTRY(__memset\bits)
  larl %r5,.L__memset_mvc\bits
  ex %r4,0(%r5)
  BR_EX %r14
-.L__memset_exit\bits:
+.L__memset_store\bits:
  \insn %r3,0(%r2)
+.L__memset_exit\bits:
  BR_EX %r14
 .L__memset_mvc\bits:
  mvc \bytes(1,%r1),0(%r1)
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][Bionic][v3 5/6] s390: fix br_r1_trampoline for machines without exrl

Khalid Elmously
From: Martin Schwidefsky <[hidden email]>

CVE-2017-5715 (Spectre v2 s390x)

For machines without the exrl instruction the BPF JIT generates
code that uses a "br %r1" instruction located in the lowcore page.
Unfortunately there is a cut & paste error that puts an additional
"larl %r1,.+14" instruction in the code that clobbers the branch
target address in %r1. Remove the larl instruction.

Cc: <[hidden email]> # v4.17+
Fixes: de5cb6eb51 ("s390: use expoline thunks in the BPF JIT")
Signed-off-by: Martin Schwidefsky <[hidden email]>
(cherry picked from commit 26f843848bae973817b3587780ce6b7b0200d3e4)
Signed-off-by: Khalid Elmously <[hidden email]>
---
 arch/s390/net/bpf_jit_comp.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index f5ad92d09006..6b84bdc94055 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -518,8 +518,6 @@ static void bpf_jit_epilogue(struct bpf_jit *jit, u32 stack_depth)
  /* br %r1 */
  _EMIT2(0x07f1);
  } else {
- /* larl %r1,.+14 */
- EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14);
  /* ex 0,S390_lowcore.br_r1_tampoline */
  EMIT4_DISP(0x44000000, REG_0, REG_0,
    offsetof(struct lowcore, br_r1_trampoline));
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][Bionic][v3 6/6] UBUNTU: SAUCE: bpf, s390x: remove ld_abs/ld_ind

Khalid Elmously
From: Martin Schwidefsky <[hidden email]>

CVE-2017-5715 (Spectre v2 s390x)

The code that generated the indirect branch "basr %b5,%w1" has been
removed from the upstream BPF JIT. Older versions of the BPF JIT which
still have support for LD_ABS/LD_IND need a patch to route this branch
instruction through the execute trampoline instead.

Signed-off-by: Khalid Elmously <[hidden email]>
---
 arch/s390/net/bpf_jit_comp.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index 6b84bdc94055..e3a4b98f8b47 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -1302,8 +1302,13 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
  /* lg %skb_data,data_off(%b6) */
  EMIT6_DISP_LH(0xe3000000, 0x0004, REG_SKB_DATA, REG_0,
       BPF_REG_6, offsetof(struct sk_buff, data));
- /* basr %b5,%w1 (%b5 is call saved) */
- EMIT2(0x0d00, BPF_REG_5, REG_W1);
+ if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) {
+ /* brasl %r5,__s390_indirect_jump_r1 */
+ EMIT6_PCREL_RILB(0xc0050000, BPF_REG_5, jit->r1_thunk_ip);
+ } else {
+ /* basr %b5,%w1 (%b5 is call saved) */
+ EMIT2(0x0d00, BPF_REG_5, REG_W1);
+ }
 
  /*
  * Note: For fast access we jump directly after the
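Review bot: The new comment `/* brasl %r5,__s390_indirect_jump_r1 */` names hardware register %r5, but the operand passed to EMIT6_PCREL_RILB is BPF_REG_5, a JIT register alias that the original comment on the same operand spelled `%b5`; write `/* brasl %b5,__s390_indirect_jump_r1 */` so the comment does not misstate which register receives the return address. The `IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable` gate and `jit->r1_thunk_ip` presumably mirror the existing expoline thunk support in this JIT; that code is outside the hunk, so confirm the r1 thunk is emitted before this path can be reached, otherwise the brasl targets a stale or zero address. bpf_jit_insn starts and ends outside the hunk.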
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

ACK: [SRU][Bionic][v4 0/6] Follow-up fixes for CVE-2017-5715 (Spectre v2) for s390x

Kamal Mostafa-2

Acked-by: Kamal Mostafa <[hidden email]>

On Wed, Sep 05, 2018 at 12:54:08PM -0400, Khalid Elmously wrote:

> Patches requested by IBM for Spectre v2.
>
> Build-tested for s390x
>
>
> Christian Borntraeger (2):
>   KVM: s390: implement CPU model only facilities
>   KVM: s390: add etoken support for guests
>
> Martin Schwidefsky (4):
>   s390: detect etoken facility
>   s390/lib: use expoline for all bcr instructions
>   s390: fix br_r1_trampoline for machines without exrl
>   UBUNTU: SAUCE: bpf, s390x: remove ld_abs/ld_ind
>
>  arch/s390/include/asm/kvm_host.h |  1 +
>  arch/s390/include/uapi/asm/kvm.h |  5 ++-
>  arch/s390/kernel/nospec-branch.c | 12 ++++++-
>  arch/s390/kernel/nospec-sysfs.c  |  2 ++
>  arch/s390/kvm/kvm-s390.c         | 61 +++++++++++++++++++++-----------
>  arch/s390/kvm/kvm-s390.h         |  2 --
>  arch/s390/kvm/vsie.c             |  9 +++--
>  arch/s390/lib/mem.S              | 16 +++++----
>  arch/s390/net/bpf_jit_comp.c     | 11 +++---
>  arch/s390/tools/gen_facilities.c | 23 +++++++++++-
>  10 files changed, 104 insertions(+), 38 deletions(-)
>
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

ACK: [SRU][Bionic][v4 0/6] Follow-up fixes for CVE-2017-5715 (Spectre v2) for s390x

Stefan Bader-2
On 05.09.2018 18:54, Khalid Elmously wrote:

> Patches requested by IBM for Spectre v2.
>
> Build-tested for s390x
>
>
> Christian Borntraeger (2):
>   KVM: s390: implement CPU model only facilities
>   KVM: s390: add etoken support for guests
>
> Martin Schwidefsky (4):
>   s390: detect etoken facility
>   s390/lib: use expoline for all bcr instructions
>   s390: fix br_r1_trampoline for machines without exrl
>   UBUNTU: SAUCE: bpf, s390x: remove ld_abs/ld_ind
>
>  arch/s390/include/asm/kvm_host.h |  1 +
>  arch/s390/include/uapi/asm/kvm.h |  5 ++-
>  arch/s390/kernel/nospec-branch.c | 12 ++++++-
>  arch/s390/kernel/nospec-sysfs.c  |  2 ++
>  arch/s390/kvm/kvm-s390.c         | 61 +++++++++++++++++++++-----------
>  arch/s390/kvm/kvm-s390.h         |  2 --
>  arch/s390/kvm/vsie.c             |  9 +++--
>  arch/s390/lib/mem.S              | 16 +++++----
>  arch/s390/net/bpf_jit_comp.c     | 11 +++---
>  arch/s390/tools/gen_facilities.c | 23 +++++++++++-
>  10 files changed, 104 insertions(+), 38 deletions(-)
>
Acked-by: Stefan Bader <[hidden email]>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team


APPLIED: [SRU][Bionic][v4 0/6] Follow-up fixes for CVE-2017-5715 (Spectre v2) for s390x

Kleber Souza
On 09/05/18 18:54, Khalid Elmously wrote:

> Patches requested by IBM for Spectre v2.
>
> Build-tested for s390x
>
>
> Christian Borntraeger (2):
>   KVM: s390: implement CPU model only facilities
>   KVM: s390: add etoken support for guests
>
> Martin Schwidefsky (4):
>   s390: detect etoken facility
>   s390/lib: use expoline for all bcr instructions
>   s390: fix br_r1_trampoline for machines without exrl
>   UBUNTU: SAUCE: bpf, s390x: remove ld_abs/ld_ind
>
>  arch/s390/include/asm/kvm_host.h |  1 +
>  arch/s390/include/uapi/asm/kvm.h |  5 ++-
>  arch/s390/kernel/nospec-branch.c | 12 ++++++-
>  arch/s390/kernel/nospec-sysfs.c  |  2 ++
>  arch/s390/kvm/kvm-s390.c         | 61 +++++++++++++++++++++-----------
>  arch/s390/kvm/kvm-s390.h         |  2 --
>  arch/s390/kvm/vsie.c             |  9 +++--
>  arch/s390/lib/mem.S              | 16 +++++----
>  arch/s390/net/bpf_jit_comp.c     | 11 +++---
>  arch/s390/tools/gen_facilities.c | 23 +++++++++++-
>  10 files changed, 104 insertions(+), 38 deletions(-)
>

Applied to bionic/master-next branch.

Thanks,
Kleber

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team