From: James Morse <james.morse@xxxxxxx>
commit b28a8eebe81c186fdb1a0078263b30576c8e1f42 upstream.
The trampoline code needs to use the address of symbols in the wider kernel, e.g. vectors. PC-relative addressing wouldn't work as the trampoline code doesn't run at the address the linker expected. tramp_ventry uses a literal pool, unless CONFIG_RANDOMIZE_BASE is set, in which case it uses the data page as a literal pool because the data page can be unmapped when running in user-space, which is required for CPUs vulnerable to meltdown. Pull this logic out as a macro, instead of adding a third copy of it.
Reviewed-by: Catalin Marinas <catalin.marinas@xxxxxxx>
Signed-off-by: James Morse <james.morse@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/arm64/kernel/entry.S | 37 ++++++++++++++++---------------------
 1 file changed, 16 insertions(+), 21 deletions(-)
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -646,6 +646,15 @@ alternative_else_nop_endif
 sub \dst, \dst, PAGE_SIZE
 .endm
+ .macro tramp_data_read_var dst, var
+#ifdef CONFIG_RANDOMIZE_BASE
+ tramp_data_page \dst
+ add \dst, \dst, #:lo12:__entry_tramp_data_\var
+ ldr \dst, [\dst]
+#else
+ ldr \dst, =\var
+#endif
+ .endm
 #define BHB_MITIGATION_NONE 0
 #define BHB_MITIGATION_LOOP 1
@@ -676,13 +685,8 @@ alternative_else_nop_endif
 b .
 2:
 tramp_map_kernel x30
-#ifdef CONFIG_RANDOMIZE_BASE
- tramp_data_page x30
 alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
- ldr x30, [x30]
-#else
- ldr x30, =vectors
-#endif
+ tramp_data_read_var x30, vectors
 alternative_if_not ARM64_WORKAROUND_CAVIUM_TX2_219_PRFM
 prfm plil1strm, [x30, #(1b - \vector_start)]
 alternative_else_nop_endif
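Review bot: The new `tramp_data_read_var` macro in the first hunk has no header comment, and its CONFIG_RANDOMIZE_BASE branch depends on two things a caller cannot see at the call site. `#:lo12:__entry_tramp_data_\var` is added to the base that `tramp_data_page` returns, so the load is only correct while every `__entry_tramp_data_*` slot lies in that single page-aligned data page. A `\var` with no matching slot fails only in KASLR builds, because the `#else` branch never references the slot name. I would add above `.macro` a comment such as `/* \dst = address of \var; with KASLR it is read from slot __entry_tramp_data_\var, which must exist in the trampoline data page */`.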
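Review bot: In the `tramp_ventry` hunk the line `alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003` used to sit inside `#ifdef CONFIG_RANDOMIZE_BASE`, between `tramp_data_page x30` and `ldr x30, [x30]`; it is now unconditional and precedes the whole `tramp_data_read_var x30, vectors` expansion, which the commit message does not mention. The slot still comes before the load, so the ordering it presumably enforces after `tramp_map_kernel` looks preserved. Non-KASLR builds do gain this instruction slot, though, and KASLR builds gain the macro's `add` in every vector entry. A one-line comment would record the intent, e.g. `/* keep the isb/nop slot between tramp_map_kernel and the load of the vectors address */`. The macro body continues outside the hunk, so whether each entry still fits its vector slot needs checking against the full file.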
@@ -765,7 +769,12 @@ SYM_CODE_END(tramp_exit_compat)
 .pushsection ".rodata", "a"
 .align PAGE_SHIFT
 SYM_DATA_START(__entry_tramp_data_start)
+__entry_tramp_data_vectors:
 .quad vectors
+#ifdef CONFIG_ARM_SDE_INTERFACE
+__entry_tramp_data___sdei_asm_handler:
+ .quad __sdei_asm_handler
+#endif /* CONFIG_ARM_SDE_INTERFACE */
 SYM_DATA_END(__entry_tramp_data_start)
 .popsection // .rodata
 #endif /* CONFIG_RANDOMIZE_BASE */
@@ -932,14 +941,7 @@ SYM_CODE_START(__sdei_asm_entry_trampoli
 * Remember whether to unmap the kernel on exit.
 */
 1: str x4, [x1, #(SDEI_EVENT_INTREGS + S_SDEI_TTBR1)]
-
-#ifdef CONFIG_RANDOMIZE_BASE
- tramp_data_page x4
- add x4, x4, #:lo12:__sdei_asm_trampoline_next_handler
- ldr x4, [x4]
-#else
- ldr x4, =__sdei_asm_handler
-#endif
+ tramp_data_read_var x4, __sdei_asm_handler
 br x4
 SYM_CODE_END(__sdei_asm_entry_trampoline)
 NOKPROBE(__sdei_asm_entry_trampoline)
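Review bot: The slot labels added inside `__entry_tramp_data_start` are tied to `tramp_data_read_var` by name only. The macro pastes its `var` argument onto `__entry_tramp_data_`, which is why the SDEI slot is spelled `__entry_tramp_data___sdei_asm_handler` with three underscores. Nothing at the table records this, so a later rename of `vectors` or `__sdei_asm_handler`, or a slot added under a different prefix, would break only CONFIG_RANDOMIZE_BASE builds. I would add above `__entry_tramp_data_vectors:` the comment `/* One .quad per symbol read via tramp_data_read_var; the label must be __entry_tramp_data_<symbol>. */`. The SDEI slot is guarded by CONFIG_ARM_SDE_INTERFACE, while its user `tramp_data_read_var x4, __sdei_asm_handler` in the next hunk sits in code whose guard begins outside the hunk, so confirm the two guards match.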
@@ -962,13 +964,6 @@ SYM_CODE_END(__sdei_asm_exit_trampoline)
 NOKPROBE(__sdei_asm_exit_trampoline)
 .ltorg
 .popsection // .entry.tramp.text
-#ifdef CONFIG_RANDOMIZE_BASE
-.pushsection ".rodata", "a"
-SYM_DATA_START(__sdei_asm_trampoline_next_handler)
- .quad __sdei_asm_handler
-SYM_DATA_END(__sdei_asm_trampoline_next_handler)
-.popsection // .rodata
-#endif /* CONFIG_RANDOMIZE_BASE */
 #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
 /*
Patches currently in stable-queue which might be from james.morse@xxxxxxx are queue-5.16/arm64-entry-add-macro-for-reading-symbol-addresses-from-the-trampoline.patch queue-5.16/arm64-use-the-clearbhb-instruction-in-mitigations.patch queue-5.16/arm64-add-percpu-vectors-for-el1.patch queue-5.16/arm64-entry-free-up-another-register-on-kpti-s-tramp_exit-path.patch queue-5.16/arm64-entry-don-t-assume-tramp_vectors-is-the-start-of-the-vectors.patch queue-5.16/arm64-entry-make-the-trampoline-cleanup-optional.patch queue-5.16/arm64-proton-pack-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch queue-5.16/arm64-entry-add-non-kpti-__bp_harden_el1_vectors-for-mitigations.patch queue-5.16/arm64-add-id_aa64isar2_el1-sys-register.patch queue-5.16/kvm-arm64-allow-smccc_arch_workaround_3-to-be-discovered-and-migrated.patch queue-5.16/arm64-spectre-rename-spectre_v4_patch_fw_mitigation_conduit.patch queue-5.16/arm64-entry-move-trampoline-macros-out-of-ifdef-d-section.patch queue-5.16/arm64-entry-allow-tramp_alias-to-access-symbols-after-the-4k-boundary.patch queue-5.16/arm64-entry-move-the-trampoline-data-page-before-the-text-page.patch queue-5.16/arm64-entry.s-add-ventry-overflow-sanity-checks.patch queue-5.16/arm64-entry-add-vectors-that-have-the-bhb-mitigation-sequences.patch queue-5.16/arm64-mitigate-spectre-style-branch-history-side-channels.patch queue-5.16/arm64-entry-allow-the-trampoline-text-to-occupy-multiple-pages.patch queue-5.16/arm64-proton-pack-report-spectre-bhb-vulnerabilities-as-part-of-spectre-v2.patch
queue-5.16/kvm-arm64-allow-indirect-vectors-to-be-used-without-spectre_v3a.patch queue-5.16/arm64-entry-make-the-kpti-trampoline-s-kpti-sequence-optional.patch