Merge tag 'v4.2-rc7' into drm-next

Linux 4.2-rc7

Backmerge master for i915 fixes

1 files changed, 25 insertions, 0 deletions

diff --git a/arch/mips/include/asm/stackframe.h b/arch/mips/include/asm/stackframe.h
index 28d6d9364bd1..a71da576883c 100644
--- a/arch/mips/include/asm/stackframe.h
+++ b/arch/mips/include/asm/stackframe.h
@@ -152,6 +152,31 @@
                 .set    noreorder
                 bltz    k0, 8f
                  move   k1, sp
+#ifdef CONFIG_EVA
+                /*
+                 * Flush interAptiv's Return Prediction Stack (RPS) by writing
+                 * EntryHi. Toggling Config7.RPS is slower and less portable.
+                 *
+                 * The RPS isn't automatically flushed when exceptions are
+                 * taken, which can result in kernel mode speculative accesses
+                 * to user addresses if the RPS mispredicts. That's harmless
+                 * when user and kernel share the same address space, but with
+                 * EVA the same user segments may be unmapped to kernel mode,
+                 * even containing sensitive MMIO regions or invalid memory.
+                 *
+                 * This can happen when the kernel sets the return address to
+                 * ret_from_* and jr's to the exception handler, which looks
+                 * more like a tail call than a function call. If nested calls
+                 * don't evict the last user address in the RPS, it will
+                 * mispredict the return and fetch from a user controlled
+                 * address into the icache.
+                 *
+                 * More recent EVA-capable cores with MAAR to restrict
+                 * speculative accesses aren't affected.
+                 */
+                MFC0    k0, CP0_ENTRYHI
+                MTC0    k0, CP0_ENTRYHI
+#endif
                 .set    reorder
                 /* Called from user mode, new stack. */
                 get_saved_sp