[SRU,Bionic,v4,6/6] UBUNTU: SAUCE: bpf, s390x: remove ld_abs/ld_ind

Message ID 20180905163621.16452-7-khalid.elmously@canonical.com
State New
Series Follow-up fixes for CVE-2017-5715 (Spectre v2) for s390x

Commit Message

Khalid Elmously Sept. 5, 2018, 4:36 p.m. UTC
CVE-2017-5715 (Spectre v2 s390x)

removed the code that generated the indirect branch "basr %b5,%w1"
from the BPF JIT. Older versions of the BPF which still have support
for LD_ABS/LD_IND need a patch to add the execute trampoline for
this branch instruction.

Original author: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---
 arch/s390/net/bpf_jit_comp.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Comments

Kamal Mostafa Sept. 5, 2018, 4:53 p.m. UTC | #1
This patch should just be set as

    From: Martin Schwidefsky <schwidefsky@de.ibm.com>

(and drop the "Original author" line).

 -Kamal

On Wed, Sep 05, 2018 at 12:36:21PM -0400, Khalid Elmously wrote:
> CVE-2017-5715 (Spectre v2 s390x)
> 
> removed the code that generated the indirect branch "basr %b5,%w1"
> from the BPF JIT. Older versions of the BPF which still have support
> for LD_ABS/LD_IND need a patch to add the execute trampoline for
> this branch instruction.
> 
> Original author: Martin Schwidefsky <schwidefsky@de.ibm.com>
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
>  arch/s390/net/bpf_jit_comp.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
> index 6b84bdc94055..e3a4b98f8b47 100644
> --- a/arch/s390/net/bpf_jit_comp.c
> +++ b/arch/s390/net/bpf_jit_comp.c
> @@ -1302,8 +1302,13 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
>  			/* lg %skb_data,data_off(%b6) */
>  			EMIT6_DISP_LH(0xe3000000, 0x0004, REG_SKB_DATA, REG_0,
>  				      BPF_REG_6, offsetof(struct sk_buff, data));
> -		/* basr %b5,%w1 (%b5 is call saved) */
> -		EMIT2(0x0d00, BPF_REG_5, REG_W1);
> +		if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) {
> +			/* brasl %r5,__s390_indirect_jump_r1 */
> +			EMIT6_PCREL_RILB(0xc0050000, BPF_REG_5, jit->r1_thunk_ip);
> +		} else {
> +			/* basr %b5,%w1 (%b5 is call saved) */
> +			EMIT2(0x0d00, BPF_REG_5, REG_W1);
> +		}
>  
>  		/*
>  		 * Note: For fast access we jump directly after the
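Review bot: The comment on the added brasl line names the link register as %r5, while the operand actually passed to EMIT6_PCREL_RILB is BPF_REG_5, which the else branch's comment writes as %b5 for the same operand. Suggest "/* brasl %b5,__s390_indirect_jump_r1 */" so both branches use the same register notation and a reader does not mistake the BPF register for hardware register 5.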
> -- 
> 2.17.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch

diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index 6b84bdc94055..e3a4b98f8b47 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -1302,8 +1302,13 @@  static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
 			/* lg %skb_data,data_off(%b6) */
 			EMIT6_DISP_LH(0xe3000000, 0x0004, REG_SKB_DATA, REG_0,
 				      BPF_REG_6, offsetof(struct sk_buff, data));
-		/* basr %b5,%w1 (%b5 is call saved) */
-		EMIT2(0x0d00, BPF_REG_5, REG_W1);
+		if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) {
+			/* brasl %r5,__s390_indirect_jump_r1 */
+			EMIT6_PCREL_RILB(0xc0050000, BPF_REG_5, jit->r1_thunk_ip);
+		} else {
+			/* basr %b5,%w1 (%b5 is call saved) */
+			EMIT2(0x0d00, BPF_REG_5, REG_W1);
+		}
 
 		/*
 		 * Note: For fast access we jump directly after the
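Review bot: The condition and the emit in the added if branch rely on nospec_disable and jit->r1_thunk_ip, neither of which is defined by this patch (the diffstat shows this single hunk as the whole change), and the commit message does not say which earlier patch provides them. As this is 6/6 of the series, name the prerequisite in the commit message so the change is not picked on its own. The message's first sentence also begins at "removed the code" without identifying the commit that did the removal, which is worth restoring for the same reason.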