From 486a296b54bb4c4af21561fe66c10eecd6003c6b Mon Sep 17 00:00:00 2001
From: Michael Ellerman <mpe@ellerman.id.au>
Date: Tue, 9 Jan 2018 19:11:57 +0530
Subject: [PATCH 07/26] UBUNTU: SAUCE: rfi-flush: Make the fallback robust
 against memory corruption

CVE-2017-5754

The load dependency we add in the fallback flush relies on the value
we loaded from the fallback area being zero. Although that should
always be the case, bugs happen, so make the code robust against any
corruption by xor'ing it with itself.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/powerpc/kernel/exceptions-64s.S | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index 5271bee..96cbba0 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -681,7 +681,8 @@ rfi_flush_fallback:
 	.rept	8 /* 8-way set associative */
 	ldx	r11,r10,r8
 	add	r8,r8,r12
-	add	r8,r8,r11 /* r11 will be 0, but this creates a dependency */
+	xor	r11,r11,r11	// Ensure r11 is 0 even if fallback area is not
+	add	r8,r8,r11	// Add 0, this creates a dependency on the ldx
 	.endr
 	addi	r10,r10,128 /* 128 byte cache line */
 	bdnz	1b
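Review bot: The new comment on `xor r11,r11,r11` in the `.rept` body says what the instruction guarantees, but not why it has to be an xor of the loaded register with itself. A later cleanup to `li r11,0` would also zero r11 but would drop the dependency of the following `add` on the `ldx`, which the commit message says the fallback flush relies on. I would spell that out, for example `/* xor, not li: r11 is 0 whatever was loaded, but still depends on the ldx */`, which also matches the `/* */` style of the neighbouring lines. The comment could also note that this assumes the core does not treat xor-with-self as a dependency-breaking zeroing idiom. The same applies to the identical hunk in hrfi_flush_fallback; both function bodies start and end outside the hunks.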
@@ -723,7 +724,8 @@ hrfi_flush_fallback:
 	.rept	8 /* 8-way set associative */
 	ldx	r11,r10,r8
 	add	r8,r8,r12
-	add	r8,r8,r11 /* r11 will be 0, but this creates a dependency */
+	xor	r11,r11,r11	// Ensure r11 is 0 even if fallback area is not
+	add	r8,r8,r11	// Add 0, this creates a dependency on the ldx
 	.endr
 	addi	r10,r10,128 /* 128 byte cache line */
 	bdnz	1b
-- 
2.7.4

