diff options
15 files changed, 1636 insertions, 0 deletions
diff --git a/queue-5.10/arm64-bpf-add-bhb-mitigation-to-the-epilogue-for-cbpf-programs.patch b/queue-5.10/arm64-bpf-add-bhb-mitigation-to-the-epilogue-for-cbpf-programs.patch new file mode 100644 index 0000000000..2c5d36ae0b --- /dev/null +++ b/queue-5.10/arm64-bpf-add-bhb-mitigation-to-the-epilogue-for-cbpf-programs.patch @@ -0,0 +1,155 @@ +From stable+bounces-151844-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:20 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:19 +0000 +Subject: arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-13-pulehui@huaweicloud.com> + +From: James Morse <james.morse@arm.com> + +[ Upstream commit 0dfefc2ea2f29ced2416017d7e5b1253a54c2735 ] + +A malicious BPF program may manipulate the branch history to influence +what the hardware speculates will happen next. + +On exit from a BPF program, emit the BHB mititgation sequence. + +This is only applied for 'classic' cBPF programs that are loaded by +seccomp. + +Signed-off-by: James Morse <james.morse@arm.com> +Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> +Acked-by: Daniel Borkmann <daniel@iogearbox.net> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/include/asm/spectre.h | 1 + arch/arm64/kernel/proton-pack.c | 2 - + arch/arm64/net/bpf_jit_comp.c | 55 ++++++++++++++++++++++++++++++++++++--- + 3 files changed, 53 insertions(+), 5 deletions(-) + +--- a/arch/arm64/include/asm/spectre.h ++++ b/arch/arm64/include/asm/spectre.h +@@ -32,6 +32,7 @@ void spectre_v4_enable_task_mitigation(s + + enum mitigation_state arm64_get_spectre_bhb_state(void); + bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope); ++extern bool __nospectre_bhb; + u8 get_spectre_bhb_loop_value(void); + bool is_spectre_bhb_fw_mitigated(void); + void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused); +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -1088,7 +1088,7 @@ static void kvm_setup_bhb_slot(const cha + #endif /* CONFIG_KVM */ + + static bool spectre_bhb_fw_mitigated; +-static bool __read_mostly __nospectre_bhb; ++bool __read_mostly __nospectre_bhb; + static int __init parse_spectre_bhb_param(char *str) + { + __nospectre_bhb = true; +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -7,14 +7,17 @@ + + #define pr_fmt(fmt) "bpf_jit: " fmt + ++#include <linux/arm-smccc.h> + #include <linux/bitfield.h> + #include <linux/bpf.h> ++#include <linux/cpu.h> + #include <linux/filter.h> + #include <linux/printk.h> + #include <linux/slab.h> + + #include <asm/byteorder.h> + #include <asm/cacheflush.h> ++#include <asm/cpufeature.h> + #include <asm/debug-monitors.h> + #include <asm/set_memory.h> + +@@ -328,7 +331,48 @@ static int emit_bpf_tail_call(struct jit + #undef jmp_offset + } + +-static void build_epilogue(struct jit_ctx *ctx) ++/* Clobbers BPF registers 1-4, aka x0-x3 */ ++static void __maybe_unused build_bhb_mitigation(struct jit_ctx *ctx) ++{ ++ const u8 r1 = bpf2a64[BPF_REG_1]; /* aka x0 */ ++ u8 k = get_spectre_bhb_loop_value(); ++ ++ if (!IS_ENABLED(CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY) || ++ cpu_mitigations_off() || __nospectre_bhb || ++ arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE) ++ return; ++ ++ if (supports_clearbhb(SCOPE_SYSTEM)) { ++ emit(aarch64_insn_gen_hint(AARCH64_INSN_HINT_CLEARBHB), ctx); ++ return; ++ } ++ ++ if (k) { ++ emit_a64_mov_i64(r1, k, ctx); ++ emit(A64_B(1), ctx); ++ emit(A64_SUBS_I(true, r1, r1, 1), ctx); ++ emit(A64_B_(A64_COND_NE, -2), ctx); ++ emit(aarch64_insn_gen_dsb(AARCH64_INSN_MB_ISH), ctx); ++ emit(aarch64_insn_get_isb_value(), ctx); ++ } ++ ++ if (is_spectre_bhb_fw_mitigated()) { ++ emit(A64_ORR_I(false, r1, AARCH64_INSN_REG_ZR, ++ ARM_SMCCC_ARCH_WORKAROUND_3), ctx); ++ switch (arm_smccc_1_1_get_conduit()) { ++ case SMCCC_CONDUIT_HVC: ++ emit(aarch64_insn_get_hvc_value(), ctx); ++ break; ++ case SMCCC_CONDUIT_SMC: ++ emit(aarch64_insn_get_smc_value(), ctx); ++ break; ++ default: ++ pr_err_once("Firmware mitigation enabled with unknown conduit\n"); ++ } ++ } ++} ++ ++static void build_epilogue(struct jit_ctx *ctx, bool was_classic) + { + const u8 r0 = bpf2a64[BPF_REG_0]; + const u8 r6 = bpf2a64[BPF_REG_6]; +@@ -347,10 +391,13 @@ static void build_epilogue(struct jit_ct + emit(A64_POP(r8, r9, A64_SP), ctx); + emit(A64_POP(r6, r7, A64_SP), ctx); + ++ if (was_classic) ++ build_bhb_mitigation(ctx); ++ + /* Restore FP/LR registers */ + emit(A64_POP(A64_FP, A64_LR, A64_SP), ctx); + +- /* Set return value */ ++ /* Move the return value from bpf:r0 (aka x7) to x0 */ + emit(A64_MOV(1, A64_R(0), r0), ctx); + + emit(A64_RET(A64_LR), ctx); +@@ -1057,7 +1104,7 @@ struct bpf_prog *bpf_int_jit_compile(str + } + + ctx.epilogue_offset = ctx.idx; +- build_epilogue(&ctx); ++ build_epilogue(&ctx, was_classic); + + extable_size = prog->aux->num_exentries * + sizeof(struct exception_table_entry); +@@ -1089,7 +1136,7 @@ skip_init_ctx: + goto out_off; + } + +- build_epilogue(&ctx); ++ build_epilogue(&ctx, was_classic); + + /* 3. Extra pass to validate JITed code. */ + if (validate_code(&ctx)) { diff --git a/queue-5.10/arm64-bpf-only-mitigate-cbpf-programs-loaded-by-unprivileged-users.patch b/queue-5.10/arm64-bpf-only-mitigate-cbpf-programs-loaded-by-unprivileged-users.patch new file mode 100644 index 0000000000..49fe94f523 --- /dev/null +++ b/queue-5.10/arm64-bpf-only-mitigate-cbpf-programs-loaded-by-unprivileged-users.patch @@ -0,0 +1,40 @@ +From stable+bounces-151859-greg=kroah.com@vger.kernel.org Sat Jun 7 17:41:37 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:20 +0000 +Subject: arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-14-pulehui@huaweicloud.com> + +From: James Morse <james.morse@arm.com> + +[ Upstream commit f300769ead032513a68e4a02e806393402e626f8 ] + +Support for eBPF programs loaded by unprivileged users is typically +disabled. This means only cBPF programs need to be mitigated for BHB. + +In addition, only mitigate cBPF programs that were loaded by an +unprivileged user. Privileged users can also load the same program +via eBPF, making the mitigation pointless. + +Signed-off-by: James Morse <james.morse@arm.com> +Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> +Acked-by: Daniel Borkmann <daniel@iogearbox.net> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/net/bpf_jit_comp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -342,6 +342,9 @@ static void __maybe_unused build_bhb_mit + arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE) + return; + ++ if (capable(CAP_SYS_ADMIN)) ++ return; ++ + if (supports_clearbhb(SCOPE_SYSTEM)) { + emit(aarch64_insn_gen_hint(AARCH64_INSN_HINT_CLEARBHB), ctx); + return; diff --git a/queue-5.10/arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch b/queue-5.10/arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch new file mode 100644 index 0000000000..aaae9c6fe5 --- /dev/null +++ b/queue-5.10/arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch @@ -0,0 +1,41 @@ +From stable+bounces-151860-greg=kroah.com@vger.kernel.org Sat Jun 7 17:41:38 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:14 +0000 +Subject: arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-8-pulehui@huaweicloud.com> + +From: Douglas Anderson <dianders@chromium.org> + +[ Upstream commit 0c9fc6e652cd5aed48c5f700c32b7642bea7f453 ] + +Qualcomm has confirmed that, much like Cortex A53 and A55, KRYO +2XX/3XX/4XX silver cores are unaffected by Spectre BHB. Add them to +the safe list. + +Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels") +Cc: stable@vger.kernel.org +Cc: Scott Bauer <sbauer@quicinc.com> +Signed-off-by: Douglas Anderson <dianders@chromium.org> +Acked-by: Trilok Soni <quic_tsoni@quicinc.com> +Link: https://lore.kernel.org/r/20250107120555.v4.3.Iab8dbfb5c9b1e143e7a29f410bce5f9525a0ba32@changeid +Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/kernel/proton-pack.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -862,6 +862,9 @@ static bool is_spectre_bhb_safe(int scop + MIDR_ALL_VERSIONS(MIDR_CORTEX_A510), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A520), + MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53), ++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_2XX_SILVER), ++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_3XX_SILVER), ++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_SILVER), + {}, + }; + static bool all_safe = true; diff --git a/queue-5.10/arm64-errata-add-missing-sentinels-to-spectre-bhb-midr-arrays.patch b/queue-5.10/arm64-errata-add-missing-sentinels-to-spectre-bhb-midr-arrays.patch new file mode 100644 index 0000000000..2a333a22e6 --- /dev/null +++ b/queue-5.10/arm64-errata-add-missing-sentinels-to-spectre-bhb-midr-arrays.patch @@ -0,0 +1,77 @@ +From stable+bounces-151846-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:23 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:16 +0000 +Subject: arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-10-pulehui@huaweicloud.com> + +From: Will Deacon <will@kernel.org> + +[ Upstream commit fee4d171451c1ad9e8aaf65fc0ab7d143a33bd72 ] + +Commit a5951389e58d ("arm64: errata: Add newer ARM cores to the +spectre_bhb_loop_affected() lists") added some additional CPUs to the +Spectre-BHB workaround, including some new arrays for designs that +require new 'k' values for the workaround to be effective. + +Unfortunately, the new arrays omitted the sentinel entry and so +is_midr_in_range_list() will walk off the end when it doesn't find a +match. With UBSAN enabled, this leads to a crash during boot when +is_midr_in_range_list() is inlined (which was more common prior to +c8c2647e69be ("arm64: Make _midr_in_range_list() an exported +function")): + + | Internal error: aarch64 BRK: 00000000f2000001 [#1] PREEMPT SMP + | pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + | pc : spectre_bhb_loop_affected+0x28/0x30 + | lr : is_spectre_bhb_affected+0x170/0x190 + | [...] + | Call trace: + | spectre_bhb_loop_affected+0x28/0x30 + | update_cpu_capabilities+0xc0/0x184 + | init_cpu_features+0x188/0x1a4 + | cpuinfo_store_boot_cpu+0x4c/0x60 + | smp_prepare_boot_cpu+0x38/0x54 + | start_kernel+0x8c/0x478 + | __primary_switched+0xc8/0xd4 + | Code: 6b09011f 54000061 52801080 d65f03c0 (d4200020) + | ---[ end trace 0000000000000000 ]--- + | Kernel panic - not syncing: aarch64 BRK: Fatal exception + +Add the missing sentinel entries. + +Cc: Lee Jones <lee@kernel.org> +Cc: James Morse <james.morse@arm.com> +Cc: Doug Anderson <dianders@chromium.org> +Cc: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com> +Cc: <stable@vger.kernel.org> +Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Fixes: a5951389e58d ("arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists") +Signed-off-by: Will Deacon <will@kernel.org> +Reviewed-by: Lee Jones <lee@kernel.org> +Reviewed-by: Douglas Anderson <dianders@chromium.org> +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Link: https://lore.kernel.org/r/20250501104747.28431-1-will@kernel.org +Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/kernel/proton-pack.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -887,10 +887,12 @@ static u8 spectre_bhb_loop_affected(void + static const struct midr_range spectre_bhb_k132_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), ++ {}, + }; + static const struct midr_range spectre_bhb_k38_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A715), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A720), ++ {}, + }; + static const struct midr_range spectre_bhb_k32_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), diff --git a/queue-5.10/arm64-errata-add-newer-arm-cores-to-the-spectre_bhb_loop_affected-lists.patch b/queue-5.10/arm64-errata-add-newer-arm-cores-to-the-spectre_bhb_loop_affected-lists.patch new file mode 100644 index 0000000000..24625a8753 --- /dev/null +++ b/queue-5.10/arm64-errata-add-newer-arm-cores-to-the-spectre_bhb_loop_affected-lists.patch @@ -0,0 +1,72 @@ +From stable+bounces-151843-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:18 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:15 +0000 +Subject: arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-9-pulehui@huaweicloud.com> + +From: Douglas Anderson <dianders@chromium.org> + +[ Upstream commit a5951389e58d2e816eed3dbec5877de9327fd881 ] + +When comparing to the ARM list [1], it appears that several ARM cores +were missing from the lists in spectre_bhb_loop_affected(). Add them. + +NOTE: for some of these cores it may not matter since other ways of +clearing the BHB may be used (like the CLRBHB instruction or ECBHB), +but it still seems good to have all the info from ARM's whitepaper +included. + +[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB + +Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels") +Cc: stable@vger.kernel.org +Signed-off-by: Douglas Anderson <dianders@chromium.org> +Reviewed-by: James Morse <james.morse@arm.com> +Link: https://lore.kernel.org/r/20250107120555.v4.5.I4a9a527e03f663040721c5401c41de587d015c82@changeid +Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/kernel/proton-pack.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -884,6 +884,14 @@ static u8 spectre_bhb_loop_affected(void + { + u8 k = 0; + ++ static const struct midr_range spectre_bhb_k132_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), ++ }; ++ static const struct midr_range spectre_bhb_k38_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A715), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A720), ++ }; + static const struct midr_range spectre_bhb_k32_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), +@@ -897,6 +905,7 @@ static u8 spectre_bhb_loop_affected(void + }; + static const struct midr_range spectre_bhb_k24_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD), +@@ -912,7 +921,11 @@ static u8 spectre_bhb_loop_affected(void + {}, + }; + +- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list)) ++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k132_list)) ++ k = 132; ++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k38_list)) ++ k = 38; ++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list)) + k = 32; + else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list)) + k = 24; diff --git a/queue-5.10/arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch b/queue-5.10/arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch new file mode 100644 index 0000000000..23e6f187d4 --- /dev/null +++ b/queue-5.10/arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch @@ -0,0 +1,307 @@ +From stable+bounces-151845-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:23 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:13 +0000 +Subject: arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-7-pulehui@huaweicloud.com> + +From: Douglas Anderson <dianders@chromium.org> + +[ Upstream commit e403e8538359d8580cbee1976ff71813e947101e ] + +The code for detecting CPUs that are vulnerable to Spectre BHB was +based on a hardcoded list of CPU IDs that were known to be affected. +Unfortunately, the list mostly only contained the IDs of standard ARM +cores. The IDs for many cores that are minor variants of the standard +ARM cores (like many Qualcomm Kyro CPUs) weren't listed. This led the +code to assume that those variants were not affected. + +Flip the code on its head and instead assume that a core is vulnerable +if it doesn't have CSV2_3 but is unrecognized as being safe. This +involves creating a "Spectre BHB safe" list. + +As of right now, the only CPU IDs added to the "Spectre BHB safe" list +are ARM Cortex A35, A53, A55, A510, and A520. This list was created by +looking for cores that weren't listed in ARM's list [1] as per review +feedback on v2 of this patch [2]. Additionally Brahma A53 is added as +per mailing list feedback [3]. + +NOTE: this patch will not actually _mitigate_ anyone, it will simply +cause them to report themselves as vulnerable. If any cores in the +system are reported as vulnerable but not mitigated then the whole +system will be reported as vulnerable though the system will attempt +to mitigate with the information it has about the known cores. + +[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB +[2] https://lore.kernel.org/r/20241219175128.GA25477@willie-the-truck +[3] https://lore.kernel.org/r/18dbd7d1-a46c-4112-a425-320c99f67a8d@broadcom.com + +Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels") +Cc: stable@vger.kernel.org +Reviewed-by: Julius Werner <jwerner@chromium.org> +Signed-off-by: Douglas Anderson <dianders@chromium.org> +Link: https://lore.kernel.org/r/20250107120555.v4.2.I2040fa004dafe196243f67ebcc647cbedbb516e6@changeid +Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> +[The conflicts were mainly due to LTS commit e192c8baa69a +differ from mainline commit 558c303c9734] +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/include/asm/spectre.h | 1 + arch/arm64/kernel/proton-pack.c | 167 +++++++++++++++++++-------------------- + 2 files changed, 84 insertions(+), 84 deletions(-) + +--- a/arch/arm64/include/asm/spectre.h ++++ b/arch/arm64/include/asm/spectre.h +@@ -33,7 +33,6 @@ void spectre_v4_enable_task_mitigation(s + enum mitigation_state arm64_get_spectre_bhb_state(void); + bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope); + bool is_spectre_bhb_fw_mitigated(void); +-u8 spectre_bhb_loop_affected(int scope); + void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused); + bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr); + #endif /* __ASM_SPECTRE_H */ +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -853,53 +853,70 @@ enum mitigation_state arm64_get_spectre_ + * This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any + * SCOPE_SYSTEM call will give the right answer. + */ +-u8 spectre_bhb_loop_affected(int scope) ++static bool is_spectre_bhb_safe(int scope) ++{ ++ static const struct midr_range spectre_bhb_safe_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A35), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A53), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A55), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520), ++ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53), ++ {}, ++ }; ++ static bool all_safe = true; ++ ++ if (scope != SCOPE_LOCAL_CPU) ++ return all_safe; ++ ++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_safe_list)) ++ return true; ++ ++ all_safe = false; ++ ++ return false; ++} ++ ++static u8 spectre_bhb_loop_affected(void) + { + u8 k = 0; +- static u8 max_bhb_k; + +- if (scope == SCOPE_LOCAL_CPU) { +- static const struct midr_range spectre_bhb_k32_list[] = { +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), +- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), +- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), +- {}, +- }; +- static const struct midr_range spectre_bhb_k24_list[] = { +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), +- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), +- MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD), +- {}, +- }; +- static const struct midr_range spectre_bhb_k11_list[] = { +- MIDR_ALL_VERSIONS(MIDR_AMPERE1), +- {}, +- }; +- static const struct midr_range spectre_bhb_k8_list[] = { +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A72), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A57), +- {}, +- }; +- +- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list)) +- k = 32; +- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list)) +- k = 24; +- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list)) +- k = 11; +- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list)) +- k = 8; +- +- max_bhb_k = max(max_bhb_k, k); +- } else { +- k = max_bhb_k; +- } ++ static const struct midr_range spectre_bhb_k32_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), ++ {}, ++ }; ++ static const struct midr_range spectre_bhb_k24_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), ++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD), ++ {}, ++ }; ++ static const struct midr_range spectre_bhb_k11_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_AMPERE1), ++ {}, ++ }; ++ static const struct midr_range spectre_bhb_k8_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A72), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A57), ++ {}, ++ }; ++ ++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list)) ++ k = 32; ++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list)) ++ k = 24; ++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list)) ++ k = 11; ++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list)) ++ k = 8; + + return k; + } +@@ -925,29 +942,13 @@ static enum mitigation_state spectre_bhb + } + } + +-static bool is_spectre_bhb_fw_affected(int scope) ++static bool has_spectre_bhb_fw_mitigation(void) + { +- static bool system_affected; + enum mitigation_state fw_state; + bool has_smccc = arm_smccc_1_1_get_conduit() != SMCCC_CONDUIT_NONE; +- static const struct midr_range spectre_bhb_firmware_mitigated_list[] = { +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A73), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A75), +- {}, +- }; +- bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(), +- spectre_bhb_firmware_mitigated_list); +- +- if (scope != SCOPE_LOCAL_CPU) +- return system_affected; + + fw_state = spectre_bhb_get_cpu_fw_mitigation_state(); +- if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) { +- system_affected = true; +- return true; +- } +- +- return false; ++ return has_smccc && fw_state == SPECTRE_MITIGATED; + } + + static bool supports_ecbhb(int scope) +@@ -963,6 +964,8 @@ static bool supports_ecbhb(int scope) + ID_AA64MMFR1_ECBHB_SHIFT); + } + ++static u8 max_bhb_k; ++ + bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, + int scope) + { +@@ -971,16 +974,18 @@ bool is_spectre_bhb_affected(const struc + if (supports_csv2p3(scope)) + return false; + +- if (supports_clearbhb(scope)) +- return true; +- +- if (spectre_bhb_loop_affected(scope)) +- return true; ++ if (is_spectre_bhb_safe(scope)) ++ return false; + +- if (is_spectre_bhb_fw_affected(scope)) +- return true; ++ /* ++ * At this point the core isn't known to be "safe" so we're going to ++ * assume it's vulnerable. We still need to update `max_bhb_k` though, ++ * but only if we aren't mitigating with clearbhb though. ++ */ ++ if (scope == SCOPE_LOCAL_CPU && !supports_clearbhb(SCOPE_LOCAL_CPU)) ++ max_bhb_k = max(max_bhb_k, spectre_bhb_loop_affected()); + +- return false; ++ return true; + } + + static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot) +@@ -1063,7 +1068,7 @@ static bool spectre_bhb_fw_mitigated; + + void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry) + { +- enum mitigation_state fw_state, state = SPECTRE_VULNERABLE; ++ enum mitigation_state state = SPECTRE_VULNERABLE; + + if (!is_spectre_bhb_affected(entry, SCOPE_LOCAL_CPU)) + return; +@@ -1081,8 +1086,8 @@ void spectre_bhb_enable_mitigation(const + this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN); + + state = SPECTRE_MITIGATED; +- } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) { +- switch (spectre_bhb_loop_affected(SCOPE_SYSTEM)) { ++ } else if (spectre_bhb_loop_affected()) { ++ switch (max_bhb_k) { + case 8: + kvm_setup_bhb_slot(__spectre_bhb_loop_k8); + break; +@@ -1098,15 +1103,12 @@ void spectre_bhb_enable_mitigation(const + this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP); + + state = SPECTRE_MITIGATED; +- } else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) { +- fw_state = spectre_bhb_get_cpu_fw_mitigation_state(); +- if (fw_state == SPECTRE_MITIGATED) { +- kvm_setup_bhb_slot(__smccc_workaround_3_smc); +- this_cpu_set_vectors(EL1_VECTOR_BHB_FW); ++ } else if (has_spectre_bhb_fw_mitigation()) { ++ kvm_setup_bhb_slot(__smccc_workaround_3_smc); ++ this_cpu_set_vectors(EL1_VECTOR_BHB_FW); + +- state = SPECTRE_MITIGATED; +- spectre_bhb_fw_mitigated = true; +- } ++ state = SPECTRE_MITIGATED; ++ spectre_bhb_fw_mitigated = true; + } + + update_mitigation_state(&spectre_bhb_state, state); +@@ -1123,7 +1125,6 @@ void noinstr spectre_bhb_patch_loop_iter + { + u8 rd; + u32 insn; +- u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM); + + BUG_ON(nr_inst != 1); /* MOV -> MOV */ + +@@ -1132,7 +1133,7 @@ void noinstr spectre_bhb_patch_loop_iter + + insn = le32_to_cpu(*origptr); + rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn); +- insn = aarch64_insn_gen_movewide(rd, loop_count, 0, ++ insn = aarch64_insn_gen_movewide(rd, max_bhb_k, 0, + AARCH64_INSN_VARIANT_64BIT, + AARCH64_INSN_MOVEWIDE_ZERO); + *updptr++ = cpu_to_le32(insn); diff --git a/queue-5.10/arm64-insn-add-barrier-encodings.patch b/queue-5.10/arm64-insn-add-barrier-encodings.patch new file mode 100644 index 0000000000..f166f7731d --- /dev/null +++ b/queue-5.10/arm64-insn-add-barrier-encodings.patch @@ -0,0 +1,64 @@ +From stable+bounces-151840-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:16 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:08 +0000 +Subject: arm64: insn: Add barrier encodings +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-2-pulehui@huaweicloud.com> + +From: Julien Thierry <jthierry@redhat.com> + +[ Upstream commit d4b217330d7e0320084ff04c8491964f1f68980a ] + +Create necessary functions to encode/decode aarch64 barrier +instructions. + +DSB needs special case handling as it has multiple encodings. + +Signed-off-by: Julien Thierry <jthierry@redhat.com> +Link: https://lore.kernel.org/r/20210303170536.1838032-7-jthierry@redhat.com +[will: Don't reject DSB #4] +Signed-off-by: Will Deacon <will@kernel.org> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/include/asm/insn.h | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/arch/arm64/include/asm/insn.h ++++ b/arch/arm64/include/asm/insn.h +@@ -370,6 +370,14 @@ __AARCH64_INSN_FUNCS(eret_auth, 0xFFFFFB + __AARCH64_INSN_FUNCS(mrs, 0xFFF00000, 0xD5300000) + __AARCH64_INSN_FUNCS(msr_imm, 0xFFF8F01F, 0xD500401F) + __AARCH64_INSN_FUNCS(msr_reg, 0xFFF00000, 0xD5100000) ++__AARCH64_INSN_FUNCS(dmb, 0xFFFFF0FF, 0xD50330BF) ++__AARCH64_INSN_FUNCS(dsb_base, 0xFFFFF0FF, 0xD503309F) ++__AARCH64_INSN_FUNCS(dsb_nxs, 0xFFFFF3FF, 0xD503323F) ++__AARCH64_INSN_FUNCS(isb, 0xFFFFF0FF, 0xD50330DF) ++__AARCH64_INSN_FUNCS(sb, 0xFFFFFFFF, 0xD50330FF) ++__AARCH64_INSN_FUNCS(clrex, 0xFFFFF0FF, 0xD503305F) ++__AARCH64_INSN_FUNCS(ssbb, 0xFFFFFFFF, 0xD503309F) ++__AARCH64_INSN_FUNCS(pssbb, 0xFFFFFFFF, 0xD503349F) + + #undef __AARCH64_INSN_FUNCS + +@@ -381,6 +389,19 @@ static inline bool aarch64_insn_is_adr_a + return aarch64_insn_is_adr(insn) || aarch64_insn_is_adrp(insn); + } + ++static inline bool aarch64_insn_is_dsb(u32 insn) ++{ ++ return aarch64_insn_is_dsb_base(insn) || aarch64_insn_is_dsb_nxs(insn); ++} ++ ++static inline bool aarch64_insn_is_barrier(u32 insn) ++{ ++ return aarch64_insn_is_dmb(insn) || aarch64_insn_is_dsb(insn) || ++ aarch64_insn_is_isb(insn) || aarch64_insn_is_sb(insn) || ++ aarch64_insn_is_clrex(insn) || aarch64_insn_is_ssbb(insn) || ++ aarch64_insn_is_pssbb(insn); ++} ++ + int aarch64_insn_read(void *addr, u32 *insnp); + int aarch64_insn_write(void *addr, u32 insn); + enum aarch64_insn_encoding_class aarch64_get_insn_class(u32 insn); diff --git a/queue-5.10/arm64-insn-add-encoders-for-atomic-operations.patch b/queue-5.10/arm64-insn-add-encoders-for-atomic-operations.patch new file mode 100644 index 0000000000..6fa140bbbd --- /dev/null +++ b/queue-5.10/arm64-insn-add-encoders-for-atomic-operations.patch @@ -0,0 +1,404 @@ +From stable+bounces-151839-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:13 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:10 +0000 +Subject: arm64: insn: add encoders for atomic operations +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-4-pulehui@huaweicloud.com> + +From: Hou Tao <houtao1@huawei.com> + +[ Upstream commit fa1114d9eba5087ba5e81aab4c56f546995e6cd3 ] + +It is a preparation patch for eBPF atomic supports under arm64. eBPF +needs support atomic[64]_fetch_add, atomic[64]_[fetch_]{and,or,xor} and +atomic[64]_{xchg|cmpxchg}. The ordering semantics of eBPF atomics are +the same with the implementations in linux kernel. + +Add three helpers to support LDCLR/LDEOR/LDSET/SWP, CAS and DMB +instructions. STADD/STCLR/STEOR/STSET are simply encoded as aliases for +LDADD/LDCLR/LDEOR/LDSET with XZR as the destination register, so no extra +helper is added. atomic_fetch_add() and other atomic ops needs support for +STLXR instruction, so extend enum aarch64_insn_ldst_type to do that. + +LDADD/LDEOR/LDSET/SWP and CAS instructions are only available when LSE +atomics is enabled, so just return AARCH64_BREAK_FAULT directly in +these newly-added helpers if CONFIG_ARM64_LSE_ATOMICS is disabled. + +Signed-off-by: Hou Tao <houtao1@huawei.com> +Link: https://lore.kernel.org/r/20220217072232.1186625-3-houtao1@huawei.com +Signed-off-by: Will Deacon <will@kernel.org> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/include/asm/insn.h | 80 ++++++++++++++++-- + arch/arm64/kernel/insn.c | 185 ++++++++++++++++++++++++++++++++++++++---- + arch/arm64/net/bpf_jit.h | 11 ++ + 3 files changed, 253 insertions(+), 23 deletions(-) + +--- a/arch/arm64/include/asm/insn.h ++++ b/arch/arm64/include/asm/insn.h +@@ -218,7 +218,9 @@ enum aarch64_insn_ldst_type { + AARCH64_INSN_LDST_LOAD_PAIR_POST_INDEX, + AARCH64_INSN_LDST_STORE_PAIR_POST_INDEX, + AARCH64_INSN_LDST_LOAD_EX, ++ AARCH64_INSN_LDST_LOAD_ACQ_EX, + AARCH64_INSN_LDST_STORE_EX, ++ AARCH64_INSN_LDST_STORE_REL_EX, + }; + + enum aarch64_insn_adsb_type { +@@ -293,6 +295,36 @@ enum aarch64_insn_adr_type { + AARCH64_INSN_ADR_TYPE_ADR, + }; + ++enum aarch64_insn_mem_atomic_op { ++ AARCH64_INSN_MEM_ATOMIC_ADD, ++ AARCH64_INSN_MEM_ATOMIC_CLR, ++ AARCH64_INSN_MEM_ATOMIC_EOR, ++ AARCH64_INSN_MEM_ATOMIC_SET, ++ AARCH64_INSN_MEM_ATOMIC_SWP, ++}; ++ ++enum aarch64_insn_mem_order_type { ++ AARCH64_INSN_MEM_ORDER_NONE, ++ AARCH64_INSN_MEM_ORDER_ACQ, ++ AARCH64_INSN_MEM_ORDER_REL, ++ AARCH64_INSN_MEM_ORDER_ACQREL, ++}; ++ ++enum aarch64_insn_mb_type { ++ AARCH64_INSN_MB_SY, ++ AARCH64_INSN_MB_ST, ++ AARCH64_INSN_MB_LD, ++ AARCH64_INSN_MB_ISH, ++ AARCH64_INSN_MB_ISHST, ++ AARCH64_INSN_MB_ISHLD, ++ AARCH64_INSN_MB_NSH, ++ AARCH64_INSN_MB_NSHST, ++ AARCH64_INSN_MB_NSHLD, ++ AARCH64_INSN_MB_OSH, ++ AARCH64_INSN_MB_OSHST, ++ AARCH64_INSN_MB_OSHLD, ++}; ++ + #define __AARCH64_INSN_FUNCS(abbr, mask, val) \ + static __always_inline bool aarch64_insn_is_##abbr(u32 code) \ + { \ +@@ -310,6 +342,11 @@ __AARCH64_INSN_FUNCS(prfm, 0x3FC00000, 0 + __AARCH64_INSN_FUNCS(prfm_lit, 0xFF000000, 0xD8000000) + __AARCH64_INSN_FUNCS(str_reg, 0x3FE0EC00, 0x38206800) + __AARCH64_INSN_FUNCS(ldadd, 0x3F20FC00, 0x38200000) ++__AARCH64_INSN_FUNCS(ldclr, 0x3F20FC00, 0x38201000) ++__AARCH64_INSN_FUNCS(ldeor, 0x3F20FC00, 0x38202000) ++__AARCH64_INSN_FUNCS(ldset, 0x3F20FC00, 0x38203000) ++__AARCH64_INSN_FUNCS(swp, 0x3F20FC00, 0x38208000) ++__AARCH64_INSN_FUNCS(cas, 0x3FA07C00, 0x08A07C00) + __AARCH64_INSN_FUNCS(ldr_reg, 0x3FE0EC00, 0x38606800) + __AARCH64_INSN_FUNCS(ldr_lit, 0xBF000000, 0x18000000) + __AARCH64_INSN_FUNCS(ldrsw_lit, 0xFF000000, 0x98000000) +@@ -452,13 +489,6 @@ u32 aarch64_insn_gen_load_store_ex(enum + enum aarch64_insn_register state, + enum aarch64_insn_size_type size, + enum aarch64_insn_ldst_type type); +-u32 aarch64_insn_gen_ldadd(enum aarch64_insn_register result, +- enum aarch64_insn_register address, +- enum aarch64_insn_register value, +- enum aarch64_insn_size_type size); +-u32 aarch64_insn_gen_stadd(enum aarch64_insn_register address, +- enum aarch64_insn_register value, +- enum aarch64_insn_size_type size); + u32 aarch64_insn_gen_add_sub_imm(enum aarch64_insn_register dst, + enum aarch64_insn_register src, + int imm, enum aarch64_insn_variant variant, +@@ -519,6 +549,42 @@ u32 aarch64_insn_gen_prefetch(enum aarch + enum aarch64_insn_prfm_type type, + enum aarch64_insn_prfm_target target, + enum aarch64_insn_prfm_policy policy); ++#ifdef CONFIG_ARM64_LSE_ATOMICS ++u32 aarch64_insn_gen_atomic_ld_op(enum aarch64_insn_register result, ++ enum aarch64_insn_register address, ++ enum aarch64_insn_register value, ++ enum aarch64_insn_size_type size, ++ enum aarch64_insn_mem_atomic_op op, ++ enum aarch64_insn_mem_order_type order); ++u32 aarch64_insn_gen_cas(enum aarch64_insn_register result, ++ enum aarch64_insn_register address, ++ enum aarch64_insn_register value, ++ enum aarch64_insn_size_type size, ++ enum aarch64_insn_mem_order_type order); ++#else ++static inline ++u32 aarch64_insn_gen_atomic_ld_op(enum aarch64_insn_register result, ++ enum aarch64_insn_register address, ++ enum aarch64_insn_register value, ++ enum aarch64_insn_size_type size, ++ enum aarch64_insn_mem_atomic_op op, ++ enum aarch64_insn_mem_order_type order) ++{ ++ return AARCH64_BREAK_FAULT; ++} ++ ++static inline ++u32 aarch64_insn_gen_cas(enum aarch64_insn_register result, ++ enum aarch64_insn_register address, ++ enum aarch64_insn_register value, ++ enum aarch64_insn_size_type size, ++ enum aarch64_insn_mem_order_type order) ++{ ++ return AARCH64_BREAK_FAULT; ++} ++#endif ++u32 aarch64_insn_gen_dmb(enum aarch64_insn_mb_type type); ++ + s32 aarch64_get_branch_offset(u32 insn); + u32 aarch64_set_branch_offset(u32 insn, s32 offset); + +--- a/arch/arm64/kernel/insn.c ++++ b/arch/arm64/kernel/insn.c +@@ -721,10 +721,16 @@ u32 aarch64_insn_gen_load_store_ex(enum + + switch (type) { + case AARCH64_INSN_LDST_LOAD_EX: ++ case AARCH64_INSN_LDST_LOAD_ACQ_EX: + insn = aarch64_insn_get_load_ex_value(); ++ if (type == AARCH64_INSN_LDST_LOAD_ACQ_EX) ++ insn |= BIT(15); + break; + case AARCH64_INSN_LDST_STORE_EX: ++ case AARCH64_INSN_LDST_STORE_REL_EX: + insn = aarch64_insn_get_store_ex_value(); ++ if (type == AARCH64_INSN_LDST_STORE_REL_EX) ++ insn |= BIT(15); + break; + default: + pr_err("%s: unknown load/store exclusive encoding %d\n", __func__, type); +@@ -746,12 +752,65 @@ u32 aarch64_insn_gen_load_store_ex(enum + state); + } + +-u32 aarch64_insn_gen_ldadd(enum aarch64_insn_register result, +- enum aarch64_insn_register address, +- enum aarch64_insn_register value, +- enum aarch64_insn_size_type size) ++#ifdef CONFIG_ARM64_LSE_ATOMICS ++static u32 aarch64_insn_encode_ldst_order(enum aarch64_insn_mem_order_type type, ++ u32 insn) + { +- u32 insn = aarch64_insn_get_ldadd_value(); ++ u32 order; ++ ++ switch (type) { ++ case AARCH64_INSN_MEM_ORDER_NONE: ++ order = 0; ++ break; ++ case AARCH64_INSN_MEM_ORDER_ACQ: ++ order = 2; ++ break; ++ case AARCH64_INSN_MEM_ORDER_REL: ++ order = 1; ++ break; ++ case AARCH64_INSN_MEM_ORDER_ACQREL: ++ order = 3; ++ break; ++ default: ++ pr_err("%s: unknown mem order %d\n", __func__, type); ++ return AARCH64_BREAK_FAULT; ++ } ++ ++ insn &= ~GENMASK(23, 22); ++ insn |= order << 22; ++ ++ return insn; ++} ++ ++u32 aarch64_insn_gen_atomic_ld_op(enum aarch64_insn_register result, ++ enum aarch64_insn_register address, ++ enum aarch64_insn_register value, ++ enum aarch64_insn_size_type size, ++ enum aarch64_insn_mem_atomic_op op, ++ enum aarch64_insn_mem_order_type order) ++{ ++ u32 insn; ++ ++ switch (op) { ++ case AARCH64_INSN_MEM_ATOMIC_ADD: ++ insn = aarch64_insn_get_ldadd_value(); ++ break; ++ case AARCH64_INSN_MEM_ATOMIC_CLR: ++ insn = aarch64_insn_get_ldclr_value(); ++ break; ++ case AARCH64_INSN_MEM_ATOMIC_EOR: ++ insn = aarch64_insn_get_ldeor_value(); ++ break; ++ case AARCH64_INSN_MEM_ATOMIC_SET: ++ insn = aarch64_insn_get_ldset_value(); ++ break; ++ case AARCH64_INSN_MEM_ATOMIC_SWP: ++ insn = aarch64_insn_get_swp_value(); ++ break; ++ default: ++ pr_err("%s: unimplemented mem atomic op %d\n", __func__, op); ++ return AARCH64_BREAK_FAULT; ++ } + + switch (size) { + case AARCH64_INSN_SIZE_32: +@@ -764,6 +823,8 @@ u32 aarch64_insn_gen_ldadd(enum aarch64_ + + insn = aarch64_insn_encode_ldst_size(size, insn); + ++ insn = aarch64_insn_encode_ldst_order(order, insn); ++ + insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RT, insn, + result); + +@@ -774,18 +835,69 @@ u32 aarch64_insn_gen_ldadd(enum aarch64_ + value); + } + +-u32 aarch64_insn_gen_stadd(enum aarch64_insn_register address, +- enum aarch64_insn_register value, +- enum aarch64_insn_size_type size) ++static u32 aarch64_insn_encode_cas_order(enum aarch64_insn_mem_order_type type, ++ u32 insn) + { +- /* +- * STADD is simply encoded as an alias for LDADD with XZR as +- * the destination register. +- */ +- return aarch64_insn_gen_ldadd(AARCH64_INSN_REG_ZR, address, +- value, size); ++ u32 order; ++ ++ switch (type) { ++ case AARCH64_INSN_MEM_ORDER_NONE: ++ order = 0; ++ break; ++ case AARCH64_INSN_MEM_ORDER_ACQ: ++ order = BIT(22); ++ break; ++ case AARCH64_INSN_MEM_ORDER_REL: ++ order = BIT(15); ++ break; ++ case AARCH64_INSN_MEM_ORDER_ACQREL: ++ order = BIT(15) | BIT(22); ++ break; ++ default: ++ pr_err("%s: unknown mem order %d\n", __func__, type); ++ return AARCH64_BREAK_FAULT; ++ } ++ ++ insn &= ~(BIT(15) | BIT(22)); ++ insn |= order; ++ ++ return insn; + } + ++u32 aarch64_insn_gen_cas(enum aarch64_insn_register result, ++ enum aarch64_insn_register address, ++ enum aarch64_insn_register value, ++ enum aarch64_insn_size_type size, ++ enum aarch64_insn_mem_order_type order) ++{ ++ u32 insn; ++ ++ switch (size) { ++ case AARCH64_INSN_SIZE_32: ++ case AARCH64_INSN_SIZE_64: ++ break; ++ default: ++ pr_err("%s: unimplemented size encoding %d\n", __func__, size); ++ return AARCH64_BREAK_FAULT; ++ } ++ ++ insn = aarch64_insn_get_cas_value(); ++ ++ insn = aarch64_insn_encode_ldst_size(size, insn); ++ ++ insn = aarch64_insn_encode_cas_order(order, insn); ++ ++ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RT, insn, ++ result); ++ ++ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RN, insn, ++ address); ++ ++ return aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RS, insn, ++ value); ++} ++#endif ++ + static u32 aarch64_insn_encode_prfm_imm(enum aarch64_insn_prfm_type type, + enum aarch64_insn_prfm_target target, + enum aarch64_insn_prfm_policy policy, +@@ -1697,3 +1809,48 @@ u32 aarch64_insn_gen_extr(enum aarch64_i + insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RN, insn, Rn); + return aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RM, insn, Rm); + } ++ ++u32 aarch64_insn_gen_dmb(enum aarch64_insn_mb_type type) ++{ ++ u32 opt; ++ u32 insn; ++ ++ switch (type) { ++ case AARCH64_INSN_MB_SY: ++ opt = 0xf; ++ break; ++ case AARCH64_INSN_MB_ST: ++ opt = 0xe; ++ break; ++ case AARCH64_INSN_MB_LD: ++ opt = 0xd; ++ break; ++ case AARCH64_INSN_MB_ISH: ++ opt = 0xb; ++ break; ++ case AARCH64_INSN_MB_ISHST: ++ opt = 0xa; ++ break; ++ case AARCH64_INSN_MB_ISHLD: ++ opt = 0x9; ++ break; ++ case AARCH64_INSN_MB_NSH: ++ opt = 0x7; ++ break; ++ case AARCH64_INSN_MB_NSHST: ++ opt = 0x6; ++ break; ++ case AARCH64_INSN_MB_NSHLD: ++ opt = 0x5; ++ break; ++ default: ++ pr_err("%s: unknown dmb type %d\n", __func__, type); ++ return AARCH64_BREAK_FAULT; ++ } ++ ++ insn = aarch64_insn_get_dmb_value(); ++ insn &= ~GENMASK(11, 8); ++ insn |= (opt << 8); ++ ++ return insn; ++} +--- a/arch/arm64/net/bpf_jit.h ++++ b/arch/arm64/net/bpf_jit.h +@@ -89,9 +89,16 @@ + #define A64_STXR(sf, Rt, Rn, Rs) \ + A64_LSX(sf, Rt, Rn, Rs, STORE_EX) + +-/* LSE atomics */ ++/* ++ * LSE atomics ++ * ++ * STADD is simply encoded as an alias for LDADD with XZR as ++ * the destination register. ++ */ + #define A64_STADD(sf, Rn, Rs) \ +- aarch64_insn_gen_stadd(Rn, Rs, A64_SIZE(sf)) ++ aarch64_insn_gen_atomic_ld_op(A64_ZR, Rn, Rs, \ ++ A64_SIZE(sf), AARCH64_INSN_MEM_ATOMIC_ADD, \ ++ AARCH64_INSN_MEM_ORDER_NONE) + + /* Add/subtract (immediate) */ + #define A64_ADDSUB_IMM(sf, Rd, Rn, imm12, type) \ diff --git a/queue-5.10/arm64-insn-add-support-for-encoding-dsb.patch b/queue-5.10/arm64-insn-add-support-for-encoding-dsb.patch new file mode 100644 index 0000000000..68b8985dd6 --- /dev/null +++ b/queue-5.10/arm64-insn-add-support-for-encoding-dsb.patch @@ -0,0 +1,130 @@ +From stable+bounces-151838-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:12 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:11 +0000 +Subject: arm64: insn: Add support for encoding DSB +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-5-pulehui@huaweicloud.com> + +From: James Morse <james.morse@arm.com> + +[ Upstream commit 63de8abd97ddb9b758bd8f915ecbd18e1f1a87a0 ] + +To generate code in the eBPF epilogue that uses the DSB instruction, +insn.c needs a heler to encode the type and domain. + +Re-use the crm encoding logic from the DMB instruction. + +Signed-off-by: James Morse <james.morse@arm.com> +Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/include/asm/insn.h | 1 + arch/arm64/kernel/insn.c | 60 +++++++++++++++++++++++++----------------- + 2 files changed, 38 insertions(+), 23 deletions(-) + +--- a/arch/arm64/include/asm/insn.h ++++ b/arch/arm64/include/asm/insn.h +@@ -584,6 +584,7 @@ u32 aarch64_insn_gen_cas(enum aarch64_in + } + #endif + u32 aarch64_insn_gen_dmb(enum aarch64_insn_mb_type type); ++u32 aarch64_insn_gen_dsb(enum aarch64_insn_mb_type type); + + s32 aarch64_get_branch_offset(u32 insn); + u32 aarch64_set_branch_offset(u32 insn, s32 offset); +--- a/arch/arm64/kernel/insn.c ++++ b/arch/arm64/kernel/insn.c +@@ -5,6 +5,7 @@ + * + * Copyright (C) 2014-2016 Zi Shen Lim <zlim.lnx@gmail.com> + */ ++#include <linux/bitfield.h> + #include <linux/bitops.h> + #include <linux/bug.h> + #include <linux/compiler.h> +@@ -1810,47 +1811,60 @@ u32 aarch64_insn_gen_extr(enum aarch64_i + return aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RM, insn, Rm); + } + +-u32 aarch64_insn_gen_dmb(enum aarch64_insn_mb_type type) ++static u32 __get_barrier_crm_val(enum aarch64_insn_mb_type type) + { +- u32 opt; +- u32 insn; +- + switch (type) { + case AARCH64_INSN_MB_SY: +- opt = 0xf; +- break; ++ return 0xf; + case AARCH64_INSN_MB_ST: +- opt = 0xe; +- break; ++ return 0xe; + case AARCH64_INSN_MB_LD: +- opt = 0xd; +- break; ++ return 0xd; + case AARCH64_INSN_MB_ISH: +- opt = 0xb; +- break; ++ return 0xb; + case AARCH64_INSN_MB_ISHST: +- opt = 0xa; +- break; ++ return 0xa; + case AARCH64_INSN_MB_ISHLD: +- opt = 0x9; +- break; ++ return 0x9; + case AARCH64_INSN_MB_NSH: +- opt = 0x7; +- break; ++ return 0x7; + case AARCH64_INSN_MB_NSHST: +- opt = 0x6; +- break; ++ return 0x6; + case AARCH64_INSN_MB_NSHLD: +- opt = 0x5; +- break; ++ return 0x5; + default: +- pr_err("%s: unknown dmb type %d\n", __func__, type); ++ pr_err("%s: unknown barrier type %d\n", __func__, type); + return AARCH64_BREAK_FAULT; + } ++} ++ ++u32 aarch64_insn_gen_dmb(enum aarch64_insn_mb_type type) ++{ ++ u32 opt; ++ u32 insn; ++ ++ opt = __get_barrier_crm_val(type); ++ if (opt == AARCH64_BREAK_FAULT) ++ return AARCH64_BREAK_FAULT; + + insn = aarch64_insn_get_dmb_value(); + insn &= ~GENMASK(11, 8); + insn |= (opt << 8); + ++ return insn; ++} ++ ++u32 aarch64_insn_gen_dsb(enum aarch64_insn_mb_type type) ++{ ++ u32 opt, insn; ++ ++ opt = __get_barrier_crm_val(type); ++ if (opt == AARCH64_BREAK_FAULT) ++ return AARCH64_BREAK_FAULT; ++ ++ insn = aarch64_insn_get_dsb_base_value(); ++ insn &= ~GENMASK(11, 8); ++ insn |= (opt << 8); ++ + return insn; + } diff --git a/queue-5.10/arm64-move-aarch64_break_fault-into-insn-def.h.patch b/queue-5.10/arm64-move-aarch64_break_fault-into-insn-def.h.patch new file mode 100644 index 0000000000..27b5acf722 --- /dev/null +++ b/queue-5.10/arm64-move-aarch64_break_fault-into-insn-def.h.patch @@ -0,0 +1,74 @@ +From stable+bounces-151841-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:18 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:09 +0000 +Subject: arm64: move AARCH64_BREAK_FAULT into insn-def.h +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-3-pulehui@huaweicloud.com> + +From: Hou Tao <houtao1@huawei.com> + +[ Upstream commit 97e58e395e9c074fd096dad13c54e9f4112cf71d ] + +If CONFIG_ARM64_LSE_ATOMICS is off, encoders for LSE-related instructions +can return AARCH64_BREAK_FAULT directly in insn.h. In order to access +AARCH64_BREAK_FAULT in insn.h, we can not include debug-monitors.h in +insn.h, because debug-monitors.h has already depends on insn.h, so just +move AARCH64_BREAK_FAULT into insn-def.h. + +It will be used by the following patch to eliminate unnecessary LSE-related +encoders when CONFIG_ARM64_LSE_ATOMICS is off. + +Signed-off-by: Hou Tao <houtao1@huawei.com> +Link: https://lore.kernel.org/r/20220217072232.1186625-2-houtao1@huawei.com +Signed-off-by: Will Deacon <will@kernel.org> +[not exist insn-def.h file, move to insn.h] +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/include/asm/debug-monitors.h | 12 ------------ + arch/arm64/include/asm/insn.h | 12 ++++++++++++ + 2 files changed, 12 insertions(+), 12 deletions(-) + +--- a/arch/arm64/include/asm/debug-monitors.h ++++ b/arch/arm64/include/asm/debug-monitors.h +@@ -34,18 +34,6 @@ + */ + #define BREAK_INSTR_SIZE AARCH64_INSN_SIZE + +-/* +- * BRK instruction encoding +- * The #imm16 value should be placed at bits[20:5] within BRK ins +- */ +-#define AARCH64_BREAK_MON 0xd4200000 +- +-/* +- * BRK instruction for provoking a fault on purpose +- * Unlike kgdb, #imm16 value with unallocated handler is used for faulting. +- */ +-#define AARCH64_BREAK_FAULT (AARCH64_BREAK_MON | (FAULT_BRK_IMM << 5)) +- + #define AARCH64_BREAK_KGDB_DYN_DBG \ + (AARCH64_BREAK_MON | (KGDB_DYN_DBG_BRK_IMM << 5)) + +--- a/arch/arm64/include/asm/insn.h ++++ b/arch/arm64/include/asm/insn.h +@@ -13,6 +13,18 @@ + /* A64 instructions are always 32 bits. */ + #define AARCH64_INSN_SIZE 4 + ++/* ++ * BRK instruction encoding ++ * The #imm16 value should be placed at bits[20:5] within BRK ins ++ */ ++#define AARCH64_BREAK_MON 0xd4200000 ++ ++/* ++ * BRK instruction for provoking a fault on purpose ++ * Unlike kgdb, #imm16 value with unallocated handler is used for faulting. ++ */ ++#define AARCH64_BREAK_FAULT (AARCH64_BREAK_MON | (FAULT_BRK_IMM << 5)) ++ + #ifndef __ASSEMBLY__ + /* + * ARM Architecture Reference Manual for ARMv8 Profile-A, Issue A.a diff --git a/queue-5.10/arm64-proton-pack-add-new-cpus-k-values-for-branch-mitigation.patch b/queue-5.10/arm64-proton-pack-add-new-cpus-k-values-for-branch-mitigation.patch new file mode 100644 index 0000000000..8e5ab0374f --- /dev/null +++ b/queue-5.10/arm64-proton-pack-add-new-cpus-k-values-for-branch-mitigation.patch @@ -0,0 +1,56 @@ +From stable+bounces-151847-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:25 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:21 +0000 +Subject: arm64: proton-pack: Add new CPUs 'k' values for branch mitigation +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-15-pulehui@huaweicloud.com> + +From: James Morse <james.morse@arm.com> + +[ Upstream commit efe676a1a7554219eae0b0dcfe1e0cdcc9ef9aef ] + +Update the list of 'k' values for the branch mitigation from arm's +website. + +Add the values for Cortex-X1C. The MIDR_EL1 value can be found here: +https://developer.arm.com/documentation/101968/0002/Register-descriptions/AArch> + +Link: https://developer.arm.com/documentation/110280/2-0/?lang=en +Signed-off-by: James Morse <james.morse@arm.com> +Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/include/asm/cputype.h | 2 ++ + arch/arm64/kernel/proton-pack.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -80,6 +80,7 @@ + #define ARM_CPU_PART_CORTEX_A78AE 0xD42 + #define ARM_CPU_PART_CORTEX_X1 0xD44 + #define ARM_CPU_PART_CORTEX_A510 0xD46 ++#define ARM_CPU_PART_CORTEX_X1C 0xD4C + #define ARM_CPU_PART_CORTEX_A520 0xD80 + #define ARM_CPU_PART_CORTEX_A710 0xD47 + #define ARM_CPU_PART_CORTEX_A715 0xD4D +@@ -144,6 +145,7 @@ + #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) + #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) + #define MIDR_CORTEX_A510 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A510) ++#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) + #define MIDR_CORTEX_A520 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A520) + #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) + #define MIDR_CORTEX_A715 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A715) +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -899,6 +899,7 @@ static u8 spectre_bhb_loop_affected(void + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), diff --git a/queue-5.10/arm64-proton-pack-expose-whether-the-branchy-loop-k-value.patch b/queue-5.10/arm64-proton-pack-expose-whether-the-branchy-loop-k-value.patch new file mode 100644 index 0000000000..0a1e244c39 --- /dev/null +++ b/queue-5.10/arm64-proton-pack-expose-whether-the-branchy-loop-k-value.patch @@ -0,0 +1,48 @@ +From stable+bounces-151858-greg=kroah.com@vger.kernel.org Sat Jun 7 17:41:36 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:17 +0000 +Subject: arm64: proton-pack: Expose whether the branchy loop k value +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-11-pulehui@huaweicloud.com> + +From: James Morse <james.morse@arm.com> + +[ Upstream commit a1152be30a043d2d4dcb1683415f328bf3c51978 ] + +Add a helper to expose the k value of the branchy loop. This is needed +by the BPF JIT to generate the mitigation sequence in BPF programs. + +Signed-off-by: James Morse <james.morse@arm.com> +Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/include/asm/spectre.h | 1 + + arch/arm64/kernel/proton-pack.c | 5 +++++ + 2 files changed, 6 insertions(+) + +--- a/arch/arm64/include/asm/spectre.h ++++ b/arch/arm64/include/asm/spectre.h +@@ -32,6 +32,7 @@ void spectre_v4_enable_task_mitigation(s + + enum mitigation_state arm64_get_spectre_bhb_state(void); + bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope); ++u8 get_spectre_bhb_loop_value(void); + bool is_spectre_bhb_fw_mitigated(void); + void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused); + bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr); +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -1006,6 +1006,11 @@ bool is_spectre_bhb_affected(const struc + return true; + } + ++u8 get_spectre_bhb_loop_value(void) ++{ ++ return max_bhb_k; ++} ++ + static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot) + { + const char *v = arm64_get_bp_hardening_vector(slot); diff --git a/queue-5.10/arm64-proton-pack-expose-whether-the-platform-is-mitigated-by-firmware.patch b/queue-5.10/arm64-proton-pack-expose-whether-the-platform-is-mitigated-by-firmware.patch new file mode 100644 index 0000000000..6582074319 --- /dev/null +++ b/queue-5.10/arm64-proton-pack-expose-whether-the-platform-is-mitigated-by-firmware.patch @@ -0,0 +1,78 @@ +From stable+bounces-151842-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:20 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:12 +0000 +Subject: arm64: proton-pack: Expose whether the platform is mitigated by firmware +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-6-pulehui@huaweicloud.com> + +From: James Morse <james.morse@arm.com> + +[ Upstream commit e7956c92f396a44eeeb6eaf7a5b5e1ad24db6748 ] + +is_spectre_bhb_fw_affected() allows the caller to determine if the CPU +is known to need a firmware mitigation. CPUs are either on the list +of CPUs we know about, or firmware has been queried and reported that +the platform is affected - and mitigated by firmware. + +This helper is not useful to determine if the platform is mitigated +by firmware. A CPU could be on the know list, but the firmware may +not be implemented. Its affected but not mitigated. + +spectre_bhb_enable_mitigation() handles this distinction by checking +the firmware state before enabling the mitigation. + +Add a helper to expose this state. This will be used by the BPF JIT +to determine if calling firmware for a mitigation is necessary and +supported. + +Signed-off-by: James Morse <james.morse@arm.com> +Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> +[The conflicts were due to not include bitmap of mitigations] +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/include/asm/spectre.h | 1 + + arch/arm64/kernel/proton-pack.c | 8 ++++++++ + 2 files changed, 9 insertions(+) + +--- a/arch/arm64/include/asm/spectre.h ++++ b/arch/arm64/include/asm/spectre.h +@@ -32,6 +32,7 @@ void spectre_v4_enable_task_mitigation(s + + enum mitigation_state arm64_get_spectre_bhb_state(void); + bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope); ++bool is_spectre_bhb_fw_mitigated(void); + u8 spectre_bhb_loop_affected(int scope); + void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused); + bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr); +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -1059,6 +1059,8 @@ static void kvm_setup_bhb_slot(const cha + static void kvm_setup_bhb_slot(const char *hyp_vecs_start) { } + #endif /* CONFIG_KVM */ + ++static bool spectre_bhb_fw_mitigated; ++ + void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry) + { + enum mitigation_state fw_state, state = SPECTRE_VULNERABLE; +@@ -1103,12 +1105,18 @@ void spectre_bhb_enable_mitigation(const + this_cpu_set_vectors(EL1_VECTOR_BHB_FW); + + state = SPECTRE_MITIGATED; ++ spectre_bhb_fw_mitigated = true; + } + } + + update_mitigation_state(&spectre_bhb_state, state); + } + ++bool is_spectre_bhb_fw_mitigated(void) ++{ ++ return spectre_bhb_fw_mitigated; ++} ++ + /* Patched to correct the immediate */ + void noinstr spectre_bhb_patch_loop_iter(struct alt_instr *alt, + __le32 *origptr, __le32 *updptr, int nr_inst) diff --git a/queue-5.10/arm64-spectre-increase-parameters-that-can-be-used-to-turn-off-bhb-mitigation-individually.patch b/queue-5.10/arm64-spectre-increase-parameters-that-can-be-used-to-turn-off-bhb-mitigation-individually.patch new file mode 100644 index 0000000000..4bf858abd6 --- /dev/null +++ b/queue-5.10/arm64-spectre-increase-parameters-that-can-be-used-to-turn-off-bhb-mitigation-individually.patch @@ -0,0 +1,76 @@ +From stable+bounces-151861-greg=kroah.com@vger.kernel.org Sat Jun 7 17:41:40 2025 +From: Pu Lehui <pulehui@huaweicloud.com> +Date: Sat, 7 Jun 2025 15:25:18 +0000 +Subject: arm64: spectre: increase parameters that can be used to turn off bhb mitigation individually +To: stable@vger.kernel.org +Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com +Message-ID: <20250607152521.2828291-12-pulehui@huaweicloud.com> + +From: Liu Song <liusong@linux.alibaba.com> + +[ Upstream commit 877ace9eab7de032f954533afd5d1ecd0cf62eaf ] + +In our environment, it was found that the mitigation BHB has a great +impact on the benchmark performance. For example, in the lmbench test, +the "process fork && exit" test performance drops by 20%. +So it is necessary to have the ability to turn off the mitigation +individually through cmdline, thus avoiding having to compile the +kernel by adjusting the config. + +Signed-off-by: Liu Song <liusong@linux.alibaba.com> +Acked-by: Catalin Marinas <catalin.marinas@arm.com> +Link: https://lore.kernel.org/r/1661514050-22263-1-git-send-email-liusong@linux.alibaba.com +Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> +Signed-off-by: Pu Lehui <pulehui@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + Documentation/admin-guide/kernel-parameters.txt | 5 +++++ + arch/arm64/kernel/proton-pack.c | 9 ++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2954,6 +2954,7 @@ + spec_store_bypass_disable=off [X86,PPC] + spectre_v2_user=off [X86] + ssbd=force-off [ARM64] ++ nospectre_bhb [ARM64] + tsx_async_abort=off [X86] + + Exceptions: +@@ -3367,6 +3368,10 @@ + vulnerability. System may allow data leaks with this + option. + ++ nospectre_bhb [ARM64] Disable all mitigations for Spectre-BHB (branch ++ history injection) vulnerability. System may allow data leaks ++ with this option. ++ + nospec_store_bypass_disable + [HW] Disable all mitigations for the Speculative Store Bypass vulnerability + +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -1088,6 +1088,13 @@ static void kvm_setup_bhb_slot(const cha + #endif /* CONFIG_KVM */ + + static bool spectre_bhb_fw_mitigated; ++static bool __read_mostly __nospectre_bhb; ++static int __init parse_spectre_bhb_param(char *str) ++{ ++ __nospectre_bhb = true; ++ return 0; ++} ++early_param("nospectre_bhb", parse_spectre_bhb_param); + + void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry) + { +@@ -1100,7 +1107,7 @@ void spectre_bhb_enable_mitigation(const + /* No point mitigating Spectre-BHB alone. */ + } else if (!IS_ENABLED(CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY)) { + pr_info_once("spectre-bhb mitigation disabled by compile time option\n"); +- } else if (cpu_mitigations_off()) { ++ } else if (cpu_mitigations_off() || __nospectre_bhb) { + pr_info_once("spectre-bhb mitigation disabled by command line option\n"); + } else if (supports_ecbhb(SCOPE_LOCAL_CPU)) { + state = SPECTRE_MITIGATED; diff --git a/queue-5.10/series b/queue-5.10/series index 43743d644d..97abd26dc4 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -320,3 +320,17 @@ arm-dts-am335x-bone-common-add-gpio-phy-reset-on-revision-c3-board.patch arm-dts-am335x-bone-common-increase-mdio-reset-deassert-time.patch arm-dts-am335x-bone-common-increase-mdio-reset-deassert-delay-to-50ms.patch serial-sh-sci-increment-the-runtime-usage-counter-for-the-earlycon-device.patch +arm64-insn-add-barrier-encodings.patch +arm64-move-aarch64_break_fault-into-insn-def.h.patch +arm64-insn-add-encoders-for-atomic-operations.patch +arm64-insn-add-support-for-encoding-dsb.patch +arm64-proton-pack-expose-whether-the-platform-is-mitigated-by-firmware.patch +arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch +arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch +arm64-errata-add-newer-arm-cores-to-the-spectre_bhb_loop_affected-lists.patch +arm64-errata-add-missing-sentinels-to-spectre-bhb-midr-arrays.patch +arm64-proton-pack-expose-whether-the-branchy-loop-k-value.patch +arm64-spectre-increase-parameters-that-can-be-used-to-turn-off-bhb-mitigation-individually.patch +arm64-bpf-add-bhb-mitigation-to-the-epilogue-for-cbpf-programs.patch +arm64-bpf-only-mitigate-cbpf-programs-loaded-by-unprivileged-users.patch +arm64-proton-pack-add-new-cpus-k-values-for-branch-mitigation.patch |