From 24b0ee2be7ef453f8b8d43d01f39777ee886cf50 Mon Sep 17 00:00:00 2001
From: Pgowda <pgowda.cve@gmail.com>
Date: Mon, 15 Nov 2021 04:14:40 -0800
Subject: gcc: Fix CVE-2021-35465

source : https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102035

Upstream-Status: Backport[https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=3929bca9ca95de9d35e82ae8828b188029e3eb70]
Upstream-Status: Backport[https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=574e7950bd6b34e9e2cacce18c802b45505d1d0a]
Upstream-Status: Backport[https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=30461cf8dba3d3adb15a125e4da48800eb2b9b8f]
Upstream-Status: Backport[https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=809330ab8450261e05919b472783bf15e4b000f7]

(From OE-Core rev: 2dae3da5dbb0c8293927f0676fff08437f75d0d2)

Signed-off-by: Pgowda <pgowda.cve@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../gcc/gcc/0003-CVE-2021-35465.patch              | 103 +++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 meta/recipes-devtools/gcc/gcc/0003-CVE-2021-35465.patch

(limited to 'meta/recipes-devtools/gcc/gcc/0003-CVE-2021-35465.patch')

diff --git a/meta/recipes-devtools/gcc/gcc/0003-CVE-2021-35465.patch b/meta/recipes-devtools/gcc/gcc/0003-CVE-2021-35465.patch
new file mode 100644
index 0000000000..d87be19866
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc/0003-CVE-2021-35465.patch
@@ -0,0 +1,103 @@
+From 30461cf8dba3d3adb15a125e4da48800eb2b9b8f Mon Sep 17 00:00:00 2001
+From: Richard Earnshaw <rearnsha@arm.com>
+Date: Fri, 18 Jun 2021 17:18:37 +0100
+Subject: [PATCH] arm: fix vlldm erratum for Armv8.1-m [PR102035]
+
+For Armv8.1-m we generate code that emits VLLDM directly and do not
+rely on support code in the library, so emit the mitigation directly
+as well, when required.  In this case, we can use the compiler options
+to determine when to apply the fix and when it is safe to omit it.
+
+gcc:
+	PR target/102035
+	* config/arm/arm.md (attribute arch): Add fix_vlldm.
+	(arch_enabled): Use it.
+	* config/arm/vfp.md (lazy_store_multiple_insn): Add alternative to
+	use when erratum mitigation is needed.
+
+CVE: CVE-2021-35465
+Upstream-Status: Backport[https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=30461cf8dba3d3adb15a125e4da48800eb2b9b8f]
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+
+---
+ gcc/config/arm/arm.md | 11 +++++++++--
+ gcc/config/arm/vfp.md | 10 +++++++---
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
+diff -upr a/gcc/config/arm/arm.md b/gcc/config/arm/arm.md
+--- a/gcc/config/arm/arm.md	2020-07-22 23:35:17.344384552 -0700
++++ b/gcc/config/arm/arm.md	2021-11-11 20:33:58.431543947 -0800
+@@ -132,9 +132,12 @@
+ ; TARGET_32BIT, "t1" or "t2" to specify a specific Thumb mode.  "v6"
+ ; for ARM or Thumb-2 with arm_arch6, and nov6 for ARM without
+ ; arm_arch6.  "v6t2" for Thumb-2 with arm_arch6 and "v8mb" for ARMv8-M
+-; Baseline.  This attribute is used to compute attribute "enabled",
++; Baseline.  "fix_vlldm" is for fixing the v8-m/v8.1-m VLLDM erratum.
++; This attribute is used to compute attribute "enabled",
+ ; use type "any" to enable an alternative in all cases.
+-(define_attr "arch" "any,a,t,32,t1,t2,v6,nov6,v6t2,v8mb,iwmmxt,iwmmxt2,armv6_or_vfpv3,neon,mve"
++(define_attr "arch" "any, a, t, 32, t1, t2, v6,nov6, v6t2, \
++		     v8mb, fix_vlldm, iwmmxt, iwmmxt2, armv6_or_vfpv3, \
++		     neon, mve"
+   (const_string "any"))
+ 
+ (define_attr "arch_enabled" "no,yes"
+@@ -177,6 +180,10 @@
+ 	      (match_test "TARGET_THUMB1 && arm_arch8"))
+ 	 (const_string "yes")
+ 
++	 (and (eq_attr "arch" "fix_vlldm")
++	      (match_test "fix_vlldm"))
++	 (const_string "yes")
++
+ 	 (and (eq_attr "arch" "iwmmxt2")
+ 	      (match_test "TARGET_REALLY_IWMMXT2"))
+ 	 (const_string "yes")
+diff -upr a/gcc/config/arm/vfp.md b/gcc/config/arm/vfp.md
+--- a/gcc/config/arm/vfp.md	2020-07-22 23:35:17.356384684 -0700
++++ b/gcc/config/arm/vfp.md	2021-11-11 20:33:58.431543947 -0800
+@@ -1703,12 +1703,15 @@
+    (set_attr "type" "mov_reg")]
+ )
+ 
++;; Both this and the next instruction are treated by GCC in the same
++;; way as a blockage pattern.  That's perhaps stronger than it needs
++;; to be, but we do not want accesses to the VFP register bank to be
++;; moved across either instruction.
++
+ (define_insn "lazy_store_multiple_insn"
+-  [(set (match_operand:SI 0 "s_register_operand" "+&rk")
+-	(post_dec:SI (match_dup 0)))
+-   (unspec_volatile [(const_int 0)
+-		     (mem:SI (post_dec:SI (match_dup 0)))]
+-		    VUNSPEC_VLSTM)]
++  [(unspec_volatile
++    [(mem:BLK (match_operand:SI 0 "s_register_operand" "rk"))]
++    VUNSPEC_VLSTM)]
+   "use_cmse && reload_completed"
+   "vlstm%?\\t%0"
+   [(set_attr "predicable" "yes")
+@@ -1716,14 +1719,16 @@
+ )
+ 
+ (define_insn "lazy_load_multiple_insn"
+-  [(set (match_operand:SI 0 "s_register_operand" "+&rk")
+-	(post_inc:SI (match_dup 0)))
+-   (unspec_volatile:SI [(const_int 0)
+-			(mem:SI (match_dup 0))]
+-		       VUNSPEC_VLLDM)]
++  [(unspec_volatile
++    [(mem:BLK (match_operand:SI 0 "s_register_operand" "rk,rk"))]
++    VUNSPEC_VLLDM)]
+   "use_cmse && reload_completed"
+-  "vlldm%?\\t%0"
+-  [(set_attr "predicable" "yes")
++  "@
++   vscclrm\\t{vpr}\;vlldm\\t%0
++   vlldm\\t%0"
++  [(set_attr "arch" "fix_vlldm,*")
++   (set_attr "predicable" "no")
++   (set_attr "length" "8,4")
+    (set_attr "type" "load_4")]
+ )
+ 
-- 
cgit v1.2.3-54-g00ecf