From a19b12d0145ad9fe23ad895a26647d37493bd556 Mon Sep 17 00:00:00 2001
From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Date: Tue, 16 Jan 2018 23:00:17 +0530
Subject: [PATCH 25/26] UBUNTU: SAUCE: rfi-flush: Fix for kernel crash.

CVE-2017-5754

Fix the kernel crash at boot time in rfi_flush_fallback.

GPR00: 0000000000000000 00003fffe9d8cf10 0000000000000000 0000000000000000
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000060000000
GPR12: 00003fff97d019e0 c000000007e01400 0000000000000000 0000000000000000
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR24: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR28: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[    0.735817] NIP [c000000000001ecc] rfi_flush_fallback+0x34/0x74
[    0.735871] LR [0000000000000000]           (null)
[    0.735905] Call Trace:
[    0.735922] Instruction dump:
[    0.735945] 7db142a6 f92d0380 f94d0388 f96d0390 7d2902a6 e94d03e8 e96d03f0 796bb282
[    0.736034] 7d6903a6 3d606000 7d405a2c 7c0004ac <e96a0000> e96a0088 e96a0110 e96a0198
[    0.736127] ---[ end trace 488a656297f03279 ]---

Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/powerpc/kernel/asm-offsets.c    | 1 -
 arch/powerpc/kernel/exceptions-64s.S | 2 +-
 arch/powerpc/kernel/setup_64.c       | 3 ++-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
index bc24a0d..885cd28 100644
--- a/arch/powerpc/kernel/asm-offsets.c
+++ b/arch/powerpc/kernel/asm-offsets.c
@@ -238,7 +238,6 @@ int main(void)
 	OFFSET(PACA_RFI_FLUSH_FALLBACK_AREA, paca_struct, rfi_flush_fallback_area);
 	OFFSET(PACA_EXRFI, paca_struct, exrfi);
 	OFFSET(PACA_L1D_FLUSH_SIZE, paca_struct, l1d_flush_size);
-	OFFSET(PACA_L1D_FLUSH_SETS, paca_struct, l1d_flush_size);
 #endif
 	DEFINE(PACAHWCPUID, offsetof(struct paca_struct, hw_cpu_id));
 	DEFINE(PACAKEXECSTATE, offsetof(struct paca_struct, kexec_state));
diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index 5efa935..8b0394c 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -703,7 +703,7 @@ hrfi_flush_fallback:
 	mfctr	r9
 	ld	r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13)
 	ld	r11,PACA_L1D_FLUSH_SIZE(r13)
-	srdi	r11,r11,11	/* 128 byte lines, unrolled 8x */
+	srdi	r11,r11,(7 + 3)	/* 128 byte lines, unrolled 8x */
 	mtctr	r11
 	DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */
 
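Review bot: The new shift amount `(7 + 3)` is correct for the comment's arithmetic (128-byte lines are 2^7, the 8x unroll is 2^3, so l1d_flush_size >> 10 iterations), which means the old `11` halved the iteration count and left half of the L1D unflushed; the comment should state that derivation so the constant is not "fixed" back, e.g. `/* iterations = l1d_size / (128 byte lines * 8x unroll) = size >> (7 + 3) */`. This hunk touches only hrfi_flush_fallback, while the crash quoted in the description is in rfi_flush_fallback; if that routine carries the same `srdi r11,r11,11`, it presumably needs the identical change, which cannot be confirmed from this patch. The body of hrfi_flush_fallback continues past the end of the hunk.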
diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
index 8a72b21..8ae5c14 100644
--- a/arch/powerpc/kernel/setup_64.c
+++ b/arch/powerpc/kernel/setup_64.c
@@ -730,7 +730,7 @@ EXPORT_SYMBOL(ppc_pci_io);
 #ifdef CONFIG_PPC_BOOK3S_64
 static enum l1d_flush_type enabled_flush_types;
 #define MAX_L1D_SIZE (64 * 1024)
-//static char l1d_flush_fallback_area[2 * MAX_L1D_SIZE] __page_aligned_bss;
+static char l1d_flush_fallback_area[2 * MAX_L1D_SIZE] __page_aligned_bss;
 static bool no_rfi_flush;
 bool rfi_flush;
 
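Review bot: The re-enabled array is sized `2 * MAX_L1D_SIZE` with no comment explaining the factor of two, and every CPU's paca is pointed at this single buffer later in the patch. A one-line comment would keep the sizing from being "tidied" later, e.g. `/* shared by all CPUs; 2x because the fallback loop's loads run past l1d_size — confirm against hrfi_flush_fallback */`, with the reason hedged since the loop body is not visible here.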
@@ -804,6 +804,7 @@ static bool init_fallback_flush(void)
 	WARN_ON(l1d_size > MAX_L1D_SIZE);
 
 	for_each_possible_cpu(cpu) {
+		paca[cpu].rfi_flush_fallback_area = l1d_flush_fallback_area;
 		paca[cpu].l1d_flush_size = l1d_size;
 	}
 
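Review bot: The added assignment points every paca at a fixed 2 * MAX_L1D_SIZE static buffer, but the only guard against a larger reported L1D size is the `WARN_ON(l1d_size > MAX_L1D_SIZE)` just above it, which warns and continues; the fallback loop would then walk past the end of l1d_flush_fallback_area. Since WARN_ON returns its condition in Linux, the check can become `if (WARN_ON(l1d_size > MAX_L1D_SIZE)) return false;` so the fallback is not enabled with an undersized area, assuming the callers of init_fallback_flush treat a false return as "fallback unavailable" (the callers are outside this hunk). Clamping l1d_size instead would silently leave part of the cache unflushed, which is worse for a flush whose purpose is CVE-2017-5754 mitigation. The rest of init_fallback_flush lies outside the hunk.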
-- 
2.7.4

