[SRU][Bionic][v3 5/6] s390: fix br_r1_trampoline for machines without exrl
Khalid Elmously
khalid.elmously at canonical.com
Wed Sep 5 16:54:13 UTC 2018
From: Martin Schwidefsky <schwidefsky at de.ibm.com>
CVE-2017-5715 (Spectre v2 s390x)
For machines without the exrl instruction the BPF JIT generates
code that uses a "br %r1" instruction located in the lowcore page.
Unfortunately there is a cut & paste error that puts an additional
"larl %r1,.+14" instruction in the code that clobbers the branch
target address in %r1. Remove the larl instruction.
Cc: <stable at vger.kernel.org> # v4.17+
Fixes: de5cb6eb51 ("s390: use expoline thunks in the BPF JIT")
Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
(cherry picked from commit 26f843848bae973817b3587780ce6b7b0200d3e4)
Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>
---
arch/s390/net/bpf_jit_comp.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index f5ad92d09006..6b84bdc94055 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -518,8 +518,6 @@ static void bpf_jit_epilogue(struct bpf_jit *jit, u32 stack_depth)
/* br %r1 */
_EMIT2(0x07f1);
} else {
- /* larl %r1,.+14 */
- EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14);
/* ex 0,S390_lowcore.br_r1_tampoline */
EMIT4_DISP(0x44000000, REG_0, REG_0,
offsetof(struct lowcore, br_r1_trampoline));
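Review bot: the context comment in the else branch, "/* ex 0,S390_lowcore.br_r1_tampoline */", misspells the field that the offsetof() just below it names br_r1_trampoline; correcting it in a follow-up would let a grep for the field name find this site. With the larl removed, nothing in this branch records that %r1 must already hold the branch target when the ex executes the "br %r1" from lowcore, so a one-line comment stating that precondition would help keep the same cut & paste error from returning.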
--
2.17.1