arm64: Issue isb when trapping CNTVCT_EL0 access
Greg Hackmann [Wed, 20 Dec 2017 09:36:20 +0000 (14:36 +0530)]
Bug 2031796
CVE-2017-13218

Change-Id: I6005a6e944494257bfc2243fde2f7a09c3fd76c6
Reviewed-on: https://git-master.nvidia.com/r/1623697
(cherry picked from commit e0d40dddcfa7388d2f71a1fe3798eaae0704fd0a)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1648570
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit

arch/arm64/kernel/traps.c

index 3c97aab..02c068f 100644 (file)
@@ -34,6 +34,7 @@
 
 #include <asm/arch_timer.h>
 #include <asm/atomic.h>
+#include <asm/barrier.h>
 #include <asm/debug-monitors.h>
 #include <asm/esr.h>
 #include <asm/traps.h>
@@ -331,6 +332,7 @@ static void cntvct_read_handler(unsigned int esr, struct pt_regs *regs)
 {
        int rt = (esr & ESR_ELx_SYS64_ISS_RT_MASK) >> ESR_ELx_SYS64_ISS_RT_SHIFT;
 
+       isb();
        if (rt != 31)
                regs->regs[rt] = arch_counter_get_cntvct();
        regs->pc += 4;