From patchwork Wed Oct 31 14:04:35 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Long <dave.long@linaro.org>
X-Patchwork-Id: 149836
Delivered-To: patches@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp6836538ljp;
 Wed, 31 Oct 2018 07:05:07 -0700 (PDT)
X-Received: by 2002:a67:44dc:: with SMTP id y89mr1322273vsf.4.1540994707805; 
 Wed, 31 Oct 2018 07:05:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540994707; cv=none;
 d=google.com; s=arc-20160816;
 b=BSodtkg608Gy4gXv0f2CXPfDrjubSJuqqOjmGJGPLlF2HtLJQgpAEUdiu7Gi4NbnTy
 5fjED+ibOUCXh3JL0dtepMGoL9nZGr69FUSwTLcOm0lYeaH9oZq44C6xNayUapFniMQD
 upxnR05V6++xGg0gxBkcc+Gi9oRIsyR2kakTp+zu+rZSStaYYsrzscojqQhIR04+wVfB
 VEMyFvLEBC+oeg90l2ixBjkOZGjUyYzcNQFEBng6kBc12etuHhzxAsVig/tXuTwEwLP3
 sv+CrgIowcYEYApgDuEmXrmRas0/eQolxDX04Aa2QUoqRfCcjSRafSGt5eQeEl/8RQIB
 c4dg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=references:in-reply-to:message-id:date:subject:cc:to:from
 :dkim-signature;
 bh=dKp7WarRb5ZEErL7wz6fxfKxyloFGIJqsAGrNR1dgaM=;
 b=tHd/N6QGVF/G/2xCXpmU2Bf6M50uR9fo0BrdJgDHq45V6j8Rcqynj08B4xxc2MaFM0
 f3v+07iB21LCcZLw8bkFvMebg3sf5GQI9h4doPUCQV1wdK4RmXMsaizocGtDDLXISeMn
 aGzUlDUi6Rel9Wh9KHPnngFReoXJLU8WizbJOhKfG+PtcuOrh3apA4DPz7dBazuF0UUl
 0KBTdyKxcFpQPHRDTpZ1wwG9Mqw9RlSO5l3z+OdN6pmpbKucRmmgVVcQkNtc/ofzKZ2c
 qzyaHvJoFWDBtiqfykwkI4Gy6TY9bSXugLPtXFphQCf47y6UAg5YJeeK5oaZ/lG4p4iO
 WVxQ==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=ZP2kkHNK;
 spf=pass (google.com: domain of dave.long@linaro.org designates
 209.85.220.65 as permitted sender)
 smtp.mailfrom=dave.long@linaro.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <dave.long@linaro.org>
Received: from mail-sor-f65.google.com (mail-sor-f65.google.com.
 [209.85.220.65])
 by mx.google.com with SMTPS id 62sor9184433vku.41.2018.10.31.07.05.07
 for <patches@linaro.org> (Google Transport Security);
 Wed, 31 Oct 2018 07:05:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of dave.long@linaro.org designates
 209.85.220.65 as permitted sender) client-ip=209.85.220.65; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=ZP2kkHNK;
 spf=pass (google.com: domain of dave.long@linaro.org designates
 209.85.220.65 as permitted sender)
 smtp.mailfrom=dave.long@linaro.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=dKp7WarRb5ZEErL7wz6fxfKxyloFGIJqsAGrNR1dgaM=;
 b=ZP2kkHNKUMA391jKIVFWRizRA60UjjCfYKn4LSUQvEzhPvyK+n03rQCVVF1bU5oOEE
 UCFEk5eg8T4kU/2mEluXSwcIfXF2J0aWPQCMWJjF43P2S/9jkBGQz7LernZ7GuFDdcmx
 3XH8iVvde2h83GZPGI9LdJfyfoN6kFMkFjzSk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=dKp7WarRb5ZEErL7wz6fxfKxyloFGIJqsAGrNR1dgaM=;
 b=e8kYwrM1Sl8oJtemeq0KWDkRg+5rydrn7Xpa5MLNPrQ520qyIbDaTunPXHoNkl9JPo
 QRH7hncOP6B/RWVFR5MDHdDsQ4vdSqCIdkjQqiUgbNiFw+mHbv8AT87AfuNcil62Ok0S
 +xkbS4cbP2o/3fd+SkSHFhMj+ut9QrkdJ1vCBN/CH76e09AZb9H5tKHFpHCMVSxmpuwB
 BKH/1Zixe6VqTCzrOEHctJDUo7c8q4UOkaX9flU2YyduvBic4nxKEEqAMNQKa+ucOWya
 q+gjodurp6d70kNrUNtc9HL+g17UGDv5NJVh+zoyDGqmZRr6+2QxNDl+8WEHKvJEJTqo
 aARQ==
X-Gm-Message-State: AGRZ1gI/tYVy1a03vvz6VJJ1JGN2xe483Vkfs3Scac+vbv/2CkP29k5O
 DfJGbOMo9xipxtossSKNkRae3/L8
X-Google-Smtp-Source: AJdET5c4oC2f7HqU6BzdjhYvVS39zq8XDR05LPbXVbCX40Z3Owupe5r8HBWAA3pSgn7Pc9g84PHnKg==
X-Received: by 2002:a1f:a60f:: with SMTP id p15mr1321853vke.76.1540994707024; 
 Wed, 31 Oct 2018 07:05:07 -0700 (PDT)
Return-Path: <dave.long@linaro.org>
Received: from dave-Dell-System-XPS-L502X.hsd1.nh.comcast.net
 ([2603:3005:3403:7100:2c71:8680:34e1:a6aa])
 by smtp.googlemail.com with ESMTPSA id
 6sm6795632vsy.25.2018.10.31.07.05.04
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 31 Oct 2018 07:05:05 -0700 (PDT)
From: David Long <dave.long@linaro.org>
To: stable@vger.kernel.org, Russell King - ARM Linux <linux@armlinux.org.uk>, 
 Florian Fainelli <f.fainelli@gmail.com>,
 Tony Lindgren <tony@atomide.com>, Marc Zyngier <marc.zyngier@arm.com>,
 Mark Rutland <mark.rutland@arm.com>
Cc: Greg KH <gregkh@linuxfoundation.org>,
	Mark Brown <broonie@kernel.org>
Subject: [PATCH 4.4 17/18] ARM: spectre-v1: use get_user() for __get_user()
Date: Wed, 31 Oct 2018 10:04:35 -0400
Message-Id: <20181031140436.2964-18-dave.long@linaro.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181031140436.2964-1-dave.long@linaro.org>
References: <20181031140436.2964-1-dave.long@linaro.org>

From: Russell King <rmk+kernel@armlinux.org.uk>

Commit b1cd0a14806321721aae45f5446ed83a3647c914 upstream.

Fixing __get_user() for spectre variant 1 is not sane: we would have to
add address space bounds checking in order to validate that the location
should be accessed, and then zero the address if found to be invalid.

Since __get_user() is supposed to avoid the bounds check, and this is
exactly what get_user() does, there's no point having two different
implementations that are doing the same thing.  So, when the Spectre
workarounds are required, make __get_user() an alias of get_user().

Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: David A. Long <dave.long@linaro.org>
---
 arch/arm/include/asm/uaccess.h | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

-- 
2.17.1

diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
index 968b50063431..ecd159b45f12 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -314,6 +314,15 @@ static inline void set_fs(mm_segment_t fs)
 #define user_addr_max() \
 	(segment_eq(get_fs(), KERNEL_DS) ? ~0UL : get_fs())
 
+#ifdef CONFIG_CPU_SPECTRE
+/*
+ * When mitigating Spectre variant 1, it is not worth fixing the non-
+ * verifying accessors, because we need to add verification of the
+ * address space there.  Force these to use the standard get_user()
+ * version instead.
+ */
+#define __get_user(x, ptr) get_user(x, ptr)
+#else
 /*
  * The "__xxx" versions of the user access functions do not verify the
  * address space - it must have been done previously with a separate
@@ -330,12 +339,6 @@ static inline void set_fs(mm_segment_t fs)
 	__gu_err;							\
 })
 
-#define __get_user_error(x, ptr, err)					\
-({									\
-	__get_user_err((x), (ptr), err);				\
-	(void) 0;							\
-})
-
 #define __get_user_err(x, ptr, err)					\
 do {									\
 	unsigned long __gu_addr = (unsigned long)(ptr);			\
@@ -395,6 +398,7 @@ do {									\
 
 #define __get_user_asm_word(x, addr, err)			\
 	__get_user_asm(x, addr, err, ldr)
+#endif
 
 #define __put_user(x, ptr)						\
 ({									\