Signed-off-by: Paolo Pisati <email address hidden>
9f7e20a...
by
Jayachandran C <email address hidden>
arm64: Branch predictor hardening for Cavium ThunderX2
Use PSCI based mitigation for speculative execution attacks targeting
the branch predictor. The approach is similar to the one used for
Cortex-A CPUs, but in case of ThunderX2 we add another SMC call to
test if the firmware supports the capability.
If the secure firmware has been updated with the mitigation code to
invalidate the branch target buffer, we use the PSCI version call to
invoke it.
Signed-off-by: Jayachandran C <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Under speculation, CPUs may mis-predict branches in bounds checks. Thus,
memory accesses under a bounds check may be speculated even if the
bounds check fails, providing a primitive for building a side channel.
The EBPF map code has a number of such bounds-checks accesses in
map_lookup_elem implementations. This patch modifies these to use the
nospec helpers to inhibit such side channels.
The JITted lookup_elem implementations remain potentially vulnerable,
and are disabled (with JITted code falling back to the C
implementations).
Signed-off-by: Mark Rutland <email address hidden>
Signed-off-by: Will Deacon <email address hidden>
(cherry picked from commit 553d407e0f2cf89b69f883ad28a6f0f13e1bed62)
Signed-off-by: Paolo Pisati <email address hidden>
bpf: do not test for PCPU_MIN_UNIT_SIZE before percpu allocations
PCPU_MIN_UNIT_SIZE is an implementation detail of the percpu
allocator. Given we support __GFP_NOWARN now, lets just let
the allocation request fail naturally instead. The two call
sites from BPF mistakenly assumed __GFP_NOWARN would work, so
no changes needed to their actual __alloc_percpu_gfp() calls
which use the flag already.
Signed-off-by: Daniel Borkmann <email address hidden>
Acked-by: Alexei Starovoitov <email address hidden>
Acked-by: John Fastabend <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit bc6d5031b43a2291de638ab9304320b4cae61689)
Signed-off-by: Paolo Pisati <email address hidden>
e14e15f...
by
Yonghong Song <email address hidden>
bpf: perf event change needed for subsequent bpf helpers
This patch does not impact existing functionalities.
It contains the changes in perf event area needed for
subsequent bpf_perf_event_read_value and
bpf_perf_prog_read_value helpers.
Signed-off-by: Yonghong Song <email address hidden>
Acked-by: Peter Zijlstra (Intel) <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit 97562633bcbac4a07d605ae628d7655fa71caaf5)
Signed-off-by: Paolo Pisati <email address hidden>
bpf: inline map in map lookup functions for array and htab
Avoid two successive functions calls for the map in map lookup, first
is the bpf_map_lookup_elem() helper call, and second the callback via
map->ops->map_lookup_elem() to get to the map in map implementation.
Implementation inlines array and htab flavor for map in map lookups.
Signed-off-by: Daniel Borkmann <email address hidden>
Acked-by: Alexei Starovoitov <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit 7b0c2a0508b90fce79d3782b2e55d0e8bf6a283e)
Signed-off-by: Paolo Pisati <email address hidden>
This patch implements nospec_load() and nospec_ptr() for arm64,
following the recommended architectural sequence.
Signed-off-by: Mark Rutland <email address hidden>
Signed-off-by: Will Deacon <email address hidden>
(cherry picked from commit 7f51e49b766a995f9c7f4a52d031cecd263940ec)
Signed-off-by: Paolo Pisati <email address hidden>
Document the rationale and usage of the new nospec*() helpers.
Signed-off-by: Mark Rutland <email address hidden>
Signed-off-by: Will Deacon <email address hidden>
(cherry picked from commit f6f421101a401739854a59404300103d52392075)
Signed-off-by: Paolo Pisati <email address hidden>
Under speculation, CPUs may mis-predict branches in bounds checks. Thus,
memory accesses under a bounds check may be speculated even if the
bounds check fails, providing a primitive for building a side channel.
This patch adds helpers which can be used to inhibit the use of
out-of-bounds pointers and/or valeus read from these under speculation.
A generic implementation is provided for compatibility, but does not
guarantee safety under speculation. Architectures are expected to
override these helpers as necessary.
Signed-off-by: Mark Rutland <email address hidden>
Signed-off-by: Will Deacon <email address hidden>
(cherry picked from commit d58cfcacce8dbb666064430fe3c60cb598b56ac1)
Signed-off-by: Paolo Pisati <email address hidden>