2 files changed, 814 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc b/meta/recipes-devtools/gcc/gcc-8.3.inc
index 7925337fea..dce85a2943 100644
--- a/meta/recipes-devtools/gcc/gcc-8.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.3.inc
@@ -73,6 +73,7 @@ SRC_URI = "\
           file://0040-powerpc-powerpc64-Add-support-for-musl-ldso.patch \
           file://0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch \
           file://0042-PR-debug-86964.patch \
+           file://0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch \
 "
 SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896"
 SRC_URI[sha256sum] = "64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c"
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch b/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch
new file mode 100644
index 0000000000..f15207f581
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch
@@ -0,0 +1,813 @@
+From f98495d90ba66f67fe922a4b9229ea787041c418 Mon Sep 17 00:00:00 2001
+From: thopre01 <thopre01@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 22 Nov 2018 14:46:17 +0000
+Subject: [PATCH] PR85434: Prevent spilling of stack protector guard's address
+ on ARM
+In case of high register pressure in PIC mode, address of the stack
+protector's guard can be spilled on ARM targets as shown in PR85434,
+thus allowing an attacker to control what the canary would be compared
+against. ARM does lack stack_protect_set and stack_protect_test insn
+patterns, defining them does not help as the address is expanded
+regularly and the patterns only deal with the copy and test of the
+guard with the canary.
+This problem does not occur for x86 targets because the PIC access and
+the test can be done in the same instruction. Aarch64 is exempt too
+because PIC access insn pattern are mov of UNSPEC which prevents it from
+the second access in the epilogue being CSEd in cse_local pass with the
+first access in the prologue.
+The approach followed here is to create new "combined" set and test
+standard pattern names that take the unexpanded guard and do the set or
+test. This allows the target to use an opaque pattern (eg. using UNSPEC)
+to hide the individual instructions being generated to the compiler and
+split the pattern into generic load, compare and branch instruction
+after register allocator, therefore avoiding any spilling. This is here
+implemented for the ARM targets. For targets not implementing these new
+standard pattern names, the existing stack_protect_set and
+stack_protect_test pattern names are used.
+To be able to split PIC access after register allocation, the functions
+had to be augmented to force a new PIC register load and to control
+which register it loads into. This is because sharing the PIC register
+between prologue and epilogue could lead to spilling due to CSE again
+which an attacker could use to control what the canary gets compared
+against.
+2018-11-22  Thomas Preud'homme  <thomas.preudhomme@linaro.org>
+    gcc/
+    PR target/85434
+    * target-insns.def (stack_protect_combined_set): Define new standard
+    pattern name.
+    (stack_protect_combined_test): Likewise.
+    * cfgexpand.c (stack_protect_prologue): Try new
+    stack_protect_combined_set pattern first.
+    * function.c (stack_protect_epilogue): Try new
+    stack_protect_combined_test pattern first.
+    * config/arm/arm.c (require_pic_register): Add pic_reg and compute_now
+    parameters to control which register to use as PIC register and force
+    reloading PIC register respectively.  Insert in the stream of insns if
+    possible.
+    (legitimize_pic_address): Expose above new parameters in prototype and
+    adapt recursive calls accordingly.  Use pic_reg if non null instead of
+    cached one.
+    (arm_load_pic_register): Add pic_reg parameter and use it if non null.
+    (arm_legitimize_address): Adapt to new legitimize_pic_address
+    prototype.
+    (thumb_legitimize_address): Likewise.
+    (arm_emit_call_insn): Adapt to require_pic_register prototype change.
+    (arm_expand_prologue): Adapt to arm_load_pic_register prototype change.
+    (thumb1_expand_prologue): Likewise.
+    * config/arm/arm-protos.h (legitimize_pic_address): Adapt to prototype
+    change.
+    (arm_load_pic_register): Likewise.
+    * config/arm/predicated.md (guard_addr_operand): New predicate.
+    (guard_operand): New predicate.
+    * config/arm/arm.md (movsi expander): Adapt to legitimize_pic_address
+    prototype change.
+    (builtin_setjmp_receiver expander): Adapt to thumb1_expand_prologue
+    prototype change.
+    (stack_protect_combined_set): New expander..
+    (stack_protect_combined_set_insn): New insn_and_split pattern.
+    (stack_protect_set_insn): New insn pattern.
+    (stack_protect_combined_test): New expander.
+    (stack_protect_combined_test_insn): New insn_and_split pattern.
+    (arm_stack_protect_test_insn): New insn pattern.
+    * config/arm/thumb1.md (thumb1_stack_protect_test_insn): New insn pattern.
+    * config/arm/unspecs.md (UNSPEC_SP_SET): New unspec.
+    (UNSPEC_SP_TEST): Likewise.
+    * doc/md.texi (stack_protect_combined_set): Document new standard
+    pattern name.
+    (stack_protect_set): Clarify that the operand for guard's address is
+    legal.
+    (stack_protect_combined_test): Document new standard pattern name.
+    (stack_protect_test): Clarify that the operand for guard's address is
+    legal.
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@266379 138bc75d-0d04-0410-961f-82ee72b054a4
+Upstream-Status: Backport
+CVE: CVE-2018-12886
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ gcc/ChangeLog                          |  49 ++++++
+ gcc/cfgexpand.c                        |  17 +++
+ gcc/config/arm/arm-protos.h            |   4 +-
+ gcc/config/arm/arm.c                   |  87 ++++++++---
+ gcc/config/arm/arm.md                  | 163 +++++++++++++++++++-
+ gcc/config/arm/predicates.md           |  17 +++
+ gcc/config/arm/thumb1.md               |  13 ++
+ gcc/config/arm/unspecs.md              |   3 +
+ gcc/doc/md.texi                        |  55 ++++++-
+ gcc/function.c                         |  32 +++-
+ gcc/target-insns.def                   |   2 +
+ 11 files changed, 399 insertions(+), 43 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.target/arm/pr85434.c
+diff --git a/gcc/ChangeLog b/gcc/ChangeLog
+index e2ebfd34214..fa41e7112e0 100644
+--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
+@@ -1537,6 +1537,55 @@
+        * config/arm/neon.md (movv4hf, movv8hf): Refactored to..
+        (mov<mov>): ..this and enable unconditionally.
+ 
+2018-11-22  Thomas Preud'homme  <thomas.preudhomme@linaro.org>
+
+       * target-insns.def (stack_protect_combined_set): Define new standard
+       pattern name.
+       (stack_protect_combined_test): Likewise.
+       * cfgexpand.c (stack_protect_prologue): Try new
+       stack_protect_combined_set pattern first.
+       * function.c (stack_protect_epilogue): Try new
+       stack_protect_combined_test pattern first.
+       * config/arm/arm.c (require_pic_register): Add pic_reg and compute_now
+       parameters to control which register to use as PIC register and force
+       reloading PIC register respectively.  Insert in the stream of insns if
+       possible.
+       (legitimize_pic_address): Expose above new parameters in prototype and
+       adapt recursive calls accordingly.  Use pic_reg if non null instead of
+       cached one.
+       (arm_load_pic_register): Add pic_reg parameter and use it if non null.
+       (arm_legitimize_address): Adapt to new legitimize_pic_address
+       prototype.
+       (thumb_legitimize_address): Likewise.
+       (arm_emit_call_insn): Adapt to require_pic_register prototype change.
+       (arm_expand_prologue): Adapt to arm_load_pic_register prototype change.
+       (thumb1_expand_prologue): Likewise.
+       * config/arm/arm-protos.h (legitimize_pic_address): Adapt to prototype
+       change.
+       (arm_load_pic_register): Likewise.
+       * config/arm/predicated.md (guard_addr_operand): New predicate.
+       (guard_operand): New predicate.
+       * config/arm/arm.md (movsi expander): Adapt to legitimize_pic_address
+       prototype change.
+       (builtin_setjmp_receiver expander): Adapt to thumb1_expand_prologue
+       prototype change.
+       (stack_protect_combined_set): New expander..
+       (stack_protect_combined_set_insn): New insn_and_split pattern.
+       (stack_protect_set_insn): New insn pattern.
+       (stack_protect_combined_test): New expander.
+       (stack_protect_combined_test_insn): New insn_and_split pattern.
+       (arm_stack_protect_test_insn): New insn pattern.
+       * config/arm/thumb1.md (thumb1_stack_protect_test_insn): New insn pattern.
+       * config/arm/unspecs.md (UNSPEC_SP_SET): New unspec.
+       (UNSPEC_SP_TEST): Likewise.
+       * doc/md.texi (stack_protect_combined_set): Document new standard
+       pattern name.
+       (stack_protect_set): Clarify that the operand for guard's address is
+       legal.
+       (stack_protect_combined_test): Document new standard pattern name.
+       (stack_protect_test): Clarify that the operand for guard's address is
+       legal.
+
+ 2018-11-22  Uros Bizjak  <ubizjak@gmail.com>
+ 
+        Backport from mainline
+diff --git a/gcc/cfgexpand.c b/gcc/cfgexpand.c
+index 8fa392fcd8a..21bdcdaeaa3 100644
+--- a/gcc/cfgexpand.c
+++ b/gcc/cfgexpand.c
+@@ -6185,6 +6185,23 @@ stack_protect_prologue (void)
+   rtx x, y;
+ 
+   x = expand_normal (crtl->stack_protect_guard);
+
+  if (targetm.have_stack_protect_combined_set () && guard_decl)
+    {
+      gcc_assert (DECL_P (guard_decl));
+      y = DECL_RTL (guard_decl);
+
+      /* Allow the target to compute address of Y and copy it to X without
+        leaking Y into a register.  This combined address + copy pattern
+        allows the target to prevent spilling of any intermediate results by
+        splitting it after register allocator.  */
+      if (rtx_insn *insn = targetm.gen_stack_protect_combined_set (x, y))
+       {
+         emit_insn (insn);
+         return;
+       }
+    }
+
+   if (guard_decl)
+     y = expand_normal (guard_decl);
+   else
+diff --git a/gcc/config/arm/arm-protos.h b/gcc/config/arm/arm-protos.h
+index 8d6d2395b84..00f5f16ed02 100644
+--- a/gcc/config/arm/arm-protos.h
+++ b/gcc/config/arm/arm-protos.h
+@@ -28,7 +28,7 @@ extern enum unwind_info_type arm_except_unwind_info (struct gcc_options *);
+ extern int use_return_insn (int, rtx);
+ extern bool use_simple_return_p (void);
+ extern enum reg_class arm_regno_class (int);
+-extern void arm_load_pic_register (unsigned long);
+extern void arm_load_pic_register (unsigned long, rtx);
+ extern int arm_volatile_func (void);
+ extern void arm_expand_prologue (void);
+ extern void arm_expand_epilogue (bool);
+@@ -69,7 +69,7 @@ extern int const_ok_for_dimode_op (HOST_WIDE_INT, enum rtx_code);
+ extern int arm_split_constant (RTX_CODE, machine_mode, rtx,
+                               HOST_WIDE_INT, rtx, rtx, int);
+ extern int legitimate_pic_operand_p (rtx);
+-extern rtx legitimize_pic_address (rtx, machine_mode, rtx);
+extern rtx legitimize_pic_address (rtx, machine_mode, rtx, rtx, bool);
+ extern rtx legitimize_tls_address (rtx, rtx);
+ extern bool arm_legitimate_address_p (machine_mode, rtx, bool);
+ extern int arm_legitimate_address_outer_p (machine_mode, rtx, RTX_CODE, int);
+diff --git a/gcc/config/arm/arm.c b/gcc/config/arm/arm.c
+index 8393f0b87f3..12417de5102 100644
+--- a/gcc/config/arm/arm.c
+++ b/gcc/config/arm/arm.c
+@@ -7379,21 +7379,34 @@ legitimate_pic_operand_p (rtx x)
+   return 1;
+ }
+ 
+-/* Record that the current function needs a PIC register.  Initialize
+-   cfun->machine->pic_reg if we have not already done so.  */
+/* Record that the current function needs a PIC register.  If PIC_REG is null,
+   a new pseudo is allocated as PIC register, otherwise PIC_REG is used.  In
+   both case cfun->machine->pic_reg is initialized if we have not already done
+   so.  COMPUTE_NOW decide whether and where to set the PIC register.  If true,
+   PIC register is reloaded in the current position of the instruction stream
+   irregardless of whether it was loaded before.  Otherwise, it is only loaded
+   if not already done so (crtl->uses_pic_offset_table is null).  Note that
+   nonnull PIC_REG is only supported iff COMPUTE_NOW is true and null PIC_REG
+   is only supported iff COMPUTE_NOW is false.  */
+ 
+ static void
+-require_pic_register (void)
+require_pic_register (rtx pic_reg, bool compute_now)
+ {
+  gcc_assert (compute_now == (pic_reg != NULL_RTX));
+
+   /* A lot of the logic here is made obscure by the fact that this
+      routine gets called as part of the rtx cost estimation process.
+      We don't want those calls to affect any assumptions about the real
+      function; and further, we can't call entry_of_function() until we
+      start the real expansion process.  */
+-  if (!crtl->uses_pic_offset_table)
+  if (!crtl->uses_pic_offset_table || compute_now)
+     {
+-      gcc_assert (can_create_pseudo_p ());
+      gcc_assert (can_create_pseudo_p ()
+                 || (pic_reg != NULL_RTX
+                     && REG_P (pic_reg)
+                     && GET_MODE (pic_reg) == Pmode));
+       if (arm_pic_register != INVALID_REGNUM
+         && !compute_now
+          && !(TARGET_THUMB1 && arm_pic_register > LAST_LO_REGNUM))
+        {
+          if (!cfun->machine->pic_reg)
+@@ -7409,8 +7422,10 @@ require_pic_register (void)
+        {
+          rtx_insn *seq, *insn;
+ 
+         if (pic_reg == NULL_RTX)
+           pic_reg = gen_reg_rtx (Pmode);
+          if (!cfun->machine->pic_reg)
+-           cfun->machine->pic_reg = gen_reg_rtx (Pmode);
+           cfun->machine->pic_reg = pic_reg;
+ 
+          /* Play games to avoid marking the function as needing pic
+             if we are being called as part of the cost-estimation
+@@ -7421,11 +7436,12 @@ require_pic_register (void)
+              start_sequence ();
+ 
+              if (TARGET_THUMB1 && arm_pic_register != INVALID_REGNUM
+-                 && arm_pic_register > LAST_LO_REGNUM)
+                 && arm_pic_register > LAST_LO_REGNUM
+                 && !compute_now)
+                emit_move_insn (cfun->machine->pic_reg,
+                                gen_rtx_REG (Pmode, arm_pic_register));
+              else
+-               arm_load_pic_register (0UL);
+               arm_load_pic_register (0UL, pic_reg);
+ 
+              seq = get_insns ();
+              end_sequence ();
+@@ -7438,16 +7454,33 @@ require_pic_register (void)
+                 we can't yet emit instructions directly in the final
+                 insn stream.  Queue the insns on the entry edge, they will
+                 be committed after everything else is expanded.  */
+-             insert_insn_on_edge (seq,
+-                                  single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun)));
+             if (currently_expanding_to_rtl)
+               insert_insn_on_edge (seq,
+                                    single_succ_edge
+                                    (ENTRY_BLOCK_PTR_FOR_FN (cfun)));
+             else
+               emit_insn (seq);
+            }
+        }
+     }
+ }
+ 
+/* Legitimize PIC load to ORIG into REG.  If REG is NULL, a new pseudo is
+   created to hold the result of the load.  If not NULL, PIC_REG indicates
+   which register to use as PIC register, otherwise it is decided by register
+   allocator.  COMPUTE_NOW forces the PIC register to be loaded at the current
+   location in the instruction stream, irregardless of whether it was loaded
+   previously.  Note that nonnull PIC_REG is only supported iff COMPUTE_NOW is
+   true and null PIC_REG is only supported iff COMPUTE_NOW is false.
+
+   Returns the register REG into which the PIC load is performed.  */
+
+ rtx
+-legitimize_pic_address (rtx orig, machine_mode mode, rtx reg)
+legitimize_pic_address (rtx orig, machine_mode mode, rtx reg, rtx pic_reg,
+                       bool compute_now)
+ {
+  gcc_assert (compute_now == (pic_reg != NULL_RTX));
+
+   if (GET_CODE (orig) == SYMBOL_REF
+       || GET_CODE (orig) == LABEL_REF)
+     {
+@@ -7480,9 +7513,12 @@ legitimize_pic_address (rtx orig, machine_mode mode, rtx reg)
+          rtx mem;
+ 
+          /* If this function doesn't have a pic register, create one now.  */
+-         require_pic_register ();
+         require_pic_register (pic_reg, compute_now);
+
+         if (pic_reg == NULL_RTX)
+           pic_reg = cfun->machine->pic_reg;
+ 
+-         pat = gen_calculate_pic_address (reg, cfun->machine->pic_reg, orig);
+         pat = gen_calculate_pic_address (reg, pic_reg, orig);
+ 
+          /* Make the MEM as close to a constant as possible.  */
+          mem = SET_SRC (pat);
+@@ -7531,9 +7567,11 @@ legitimize_pic_address (rtx orig, machine_mode mode, rtx reg)
+ 
+       gcc_assert (GET_CODE (XEXP (orig, 0)) == PLUS);
+ 
+-      base = legitimize_pic_address (XEXP (XEXP (orig, 0), 0), Pmode, reg);
+      base = legitimize_pic_address (XEXP (XEXP (orig, 0), 0), Pmode, reg,
+                                    pic_reg, compute_now);
+       offset = legitimize_pic_address (XEXP (XEXP (orig, 0), 1), Pmode,
+-                                      base == reg ? 0 : reg);
+                                      base == reg ? 0 : reg, pic_reg,
+                                      compute_now);
+ 
+       if (CONST_INT_P (offset))
+        {
+@@ -7633,16 +7671,17 @@ static GTY(()) int pic_labelno;
+    low register.  */
+ 
+ void
+-arm_load_pic_register (unsigned long saved_regs ATTRIBUTE_UNUSED)
+arm_load_pic_register (unsigned long saved_regs ATTRIBUTE_UNUSED, rtx pic_reg)
+ {
+-  rtx l1, labelno, pic_tmp, pic_rtx, pic_reg;
+  rtx l1, labelno, pic_tmp, pic_rtx;
+ 
+   if (crtl->uses_pic_offset_table == 0 || TARGET_SINGLE_PIC_BASE)
+     return;
+ 
+   gcc_assert (flag_pic);
+ 
+-  pic_reg = cfun->machine->pic_reg;
+  if (pic_reg == NULL_RTX)
+    pic_reg = cfun->machine->pic_reg;
+   if (TARGET_VXWORKS_RTP)
+     {
+       pic_rtx = gen_rtx_SYMBOL_REF (Pmode, VXWORKS_GOTT_BASE);
+@@ -8718,7 +8757,8 @@ arm_legitimize_address (rtx x, rtx orig_x, machine_mode mode)
+     {
+       /* We need to find and carefully transform any SYMBOL and LABEL
+         references; so go back to the original address expression.  */
+-      rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX);
+      rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX, NULL_RTX,
+                                         false /*compute_now*/);
+ 
+       if (new_x != orig_x)
+        x = new_x;
+@@ -8786,7 +8826,8 @@ thumb_legitimize_address (rtx x, rtx orig_x, machine_mode mode)
+     {
+       /* We need to find and carefully transform any SYMBOL and LABEL
+         references; so go back to the original address expression.  */
+-      rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX);
+      rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX, NULL_RTX,
+                                         false /*compute_now*/);
+ 
+       if (new_x != orig_x)
+        x = new_x;
+@@ -18074,7 +18115,7 @@ arm_emit_call_insn (rtx pat, rtx addr, bool sibcall)
+          ? !targetm.binds_local_p (SYMBOL_REF_DECL (addr))
+          : !SYMBOL_REF_LOCAL_P (addr)))
+     {
+-      require_pic_register ();
+      require_pic_register (NULL_RTX, false /*compute_now*/);
+       use_reg (&CALL_INSN_FUNCTION_USAGE (insn), cfun->machine->pic_reg);
+     }
+ 
+@@ -22006,7 +22047,7 @@ arm_expand_prologue (void)
+       mask &= THUMB2_WORK_REGS;
+       if (!IS_NESTED (func_type))
+        mask |= (1 << IP_REGNUM);
+-      arm_load_pic_register (mask);
+      arm_load_pic_register (mask, NULL_RTX);
+     }
+ 
+   /* If we are profiling, make sure no instructions are scheduled before
+@@ -25237,7 +25278,7 @@ thumb1_expand_prologue (void)
+   /* Load the pic register before setting the frame pointer,
+      so we can use r7 as a temporary work register.  */
+   if (flag_pic && arm_pic_register != INVALID_REGNUM)
+-    arm_load_pic_register (live_regs_mask);
+    arm_load_pic_register (live_regs_mask, NULL_RTX);
+ 
+   if (!frame_pointer_needed && CALLER_INTERWORKING_SLOT_SIZE > 0)
+     emit_move_insn (gen_rtx_REG (Pmode, ARM_HARD_FRAME_POINTER_REGNUM),
+diff --git a/gcc/config/arm/arm.md b/gcc/config/arm/arm.md
+index c8dc9474b1b..f6196e93168 100644
+--- a/gcc/config/arm/arm.md
+++ b/gcc/config/arm/arm.md
+@@ -6021,7 +6021,8 @@
+       operands[1] = legitimize_pic_address (operands[1], SImode,
+                                            (!can_create_pseudo_p ()
+                                             ? operands[0]
+-                                            : 0));
+                                            : NULL_RTX), NULL_RTX,
+                                           false /*compute_now*/);
+   }
+   "
+ )
+@@ -6309,7 +6310,7 @@
+   /* r3 is clobbered by set/longjmp, so we can use it as a scratch
+      register.  */
+   if (arm_pic_register != INVALID_REGNUM)
+-    arm_load_pic_register (1UL << 3);
+    arm_load_pic_register (1UL << 3, NULL_RTX);
+   DONE;
+ }")
+ 
+@@ -8634,6 +8635,164 @@
+    (set_attr "conds" "clob")]
+ )
+ 
+;; Named patterns for stack smashing protection.
+(define_expand "stack_protect_combined_set"
+  [(parallel
+     [(set (match_operand:SI 0 "memory_operand" "")
+          (unspec:SI [(match_operand:SI 1 "guard_operand" "")]
+                     UNSPEC_SP_SET))
+      (clobber (match_scratch:SI 2 ""))
+      (clobber (match_scratch:SI 3 ""))])]
+  ""
+  ""
+)
+
+;; Use a separate insn from the above expand to be able to have the mem outside
+;; the operand #1 when register allocation comes. This is needed to avoid LRA
+;; try to reload the guard since we need to control how PIC access is done in
+;; the -fpic/-fPIC case (see COMPUTE_NOW parameter when calling
+;; legitimize_pic_address ()).
+(define_insn_and_split "*stack_protect_combined_set_insn"
+  [(set (match_operand:SI 0 "memory_operand" "=m,m")
+       (unspec:SI [(mem:SI (match_operand:SI 1 "guard_addr_operand" "X,X"))]
+                  UNSPEC_SP_SET))
+   (clobber (match_scratch:SI 2 "=&l,&r"))
+   (clobber (match_scratch:SI 3 "=&l,&r"))]
+  ""
+  "#"
+  "reload_completed"
+  [(parallel [(set (match_dup 0) (unspec:SI [(mem:SI (match_dup 2))]
+                                           UNSPEC_SP_SET))
+             (clobber (match_dup 2))])]
+  "
+{
+  if (flag_pic)
+    {
+      /* Forces recomputing of GOT base now.  */
+      legitimize_pic_address (operands[1], SImode, operands[2], operands[3],
+                             true /*compute_now*/);
+    }
+  else
+    {
+      if (address_operand (operands[1], SImode))
+       operands[2] = operands[1];
+      else
+       {
+         rtx mem = XEXP (force_const_mem (SImode, operands[1]), 0);
+         emit_move_insn (operands[2], mem);
+       }
+    }
+}"
+  [(set_attr "arch" "t1,32")]
+)
+
+(define_insn "*stack_protect_set_insn"
+  [(set (match_operand:SI 0 "memory_operand" "=m,m")
+       (unspec:SI [(mem:SI (match_operand:SI 1 "register_operand" "+&l,&r"))]
+        UNSPEC_SP_SET))
+   (clobber (match_dup 1))]
+  ""
+  "@
+   ldr\\t%1, [%1]\;str\\t%1, %0\;movs\t%1,#0
+   ldr\\t%1, [%1]\;str\\t%1, %0\;mov\t%1,#0"
+  [(set_attr "length" "8,12")
+   (set_attr "conds" "clob,nocond")
+   (set_attr "type" "multiple")
+   (set_attr "arch" "t1,32")]
+)
+
+(define_expand "stack_protect_combined_test"
+  [(parallel
+     [(set (pc)
+          (if_then_else
+               (eq (match_operand:SI 0 "memory_operand" "")
+                   (unspec:SI [(match_operand:SI 1 "guard_operand" "")]
+                              UNSPEC_SP_TEST))
+               (label_ref (match_operand 2))
+               (pc)))
+      (clobber (match_scratch:SI 3 ""))
+      (clobber (match_scratch:SI 4 ""))
+      (clobber (reg:CC CC_REGNUM))])]
+  ""
+  ""
+)
+
+;; Use a separate insn from the above expand to be able to have the mem outside
+;; the operand #1 when register allocation comes. This is needed to avoid LRA
+;; try to reload the guard since we need to control how PIC access is done in
+;; the -fpic/-fPIC case (see COMPUTE_NOW parameter when calling
+;; legitimize_pic_address ()).
+(define_insn_and_split "*stack_protect_combined_test_insn"
+  [(set (pc)
+       (if_then_else
+               (eq (match_operand:SI 0 "memory_operand" "m,m")
+                   (unspec:SI [(mem:SI (match_operand:SI 1 "guard_addr_operand" "X,X"))]
+                              UNSPEC_SP_TEST))
+               (label_ref (match_operand 2))
+               (pc)))
+   (clobber (match_scratch:SI 3 "=&l,&r"))
+   (clobber (match_scratch:SI 4 "=&l,&r"))
+   (clobber (reg:CC CC_REGNUM))]
+  ""
+  "#"
+  "reload_completed"
+  [(const_int 0)]
+{
+  rtx eq;
+
+  if (flag_pic)
+    {
+      /* Forces recomputing of GOT base now.  */
+      legitimize_pic_address (operands[1], SImode, operands[3], operands[4],
+                             true /*compute_now*/);
+    }
+  else
+    {
+      if (address_operand (operands[1], SImode))
+       operands[3] = operands[1];
+      else
+       {
+         rtx mem = XEXP (force_const_mem (SImode, operands[1]), 0);
+         emit_move_insn (operands[3], mem);
+       }
+    }
+  if (TARGET_32BIT)
+    {
+      emit_insn (gen_arm_stack_protect_test_insn (operands[4], operands[0],
+                                                 operands[3]));
+      rtx cc_reg = gen_rtx_REG (CC_Zmode, CC_REGNUM);
+      eq = gen_rtx_EQ (CC_Zmode, cc_reg, const0_rtx);
+      emit_jump_insn (gen_arm_cond_branch (operands[2], eq, cc_reg));
+    }
+  else
+    {
+      emit_insn (gen_thumb1_stack_protect_test_insn (operands[4], operands[0],
+                                                    operands[3]));
+      eq = gen_rtx_EQ (VOIDmode, operands[4], const0_rtx);
+      emit_jump_insn (gen_cbranchsi4 (eq, operands[4], const0_rtx,
+                                     operands[2]));
+    }
+  DONE;
+}
+  [(set_attr "arch" "t1,32")]
+)
+
+(define_insn "arm_stack_protect_test_insn"
+  [(set (reg:CC_Z CC_REGNUM)
+       (compare:CC_Z (unspec:SI [(match_operand:SI 1 "memory_operand" "m,m")
+                                 (mem:SI (match_operand:SI 2 "register_operand" "+l,r"))]
+                                UNSPEC_SP_TEST)
+                     (const_int 0)))
+   (clobber (match_operand:SI 0 "register_operand" "=&l,&r"))
+   (clobber (match_dup 2))]
+  "TARGET_32BIT"
+  "ldr\t%0, [%2]\;ldr\t%2, %1\;eors\t%0, %2, %0"
+  [(set_attr "length" "8,12")
+   (set_attr "conds" "set")
+   (set_attr "type" "multiple")
+   (set_attr "arch" "t,32")]
+)
+
+ (define_expand "casesi"
+   [(match_operand:SI 0 "s_register_operand" "")        ; index to jump on
+    (match_operand:SI 1 "const_int_operand" "") ; lower bound
+diff --git a/gcc/config/arm/predicates.md b/gcc/config/arm/predicates.md
+index 7e198f9bce4..69718ee9c7a 100644
+--- a/gcc/config/arm/predicates.md
+++ b/gcc/config/arm/predicates.md
+@@ -31,6 +31,23 @@
+              || REGNO_REG_CLASS (REGNO (op)) != NO_REGS));
+ })
+ 
+; Predicate for stack protector guard's address in
+; stack_protect_combined_set_insn and stack_protect_combined_test_insn patterns
+(define_predicate "guard_addr_operand"
+  (match_test "true")
+{
+  return (CONSTANT_ADDRESS_P (op)
+         || !targetm.cannot_force_const_mem (mode, op));
+})
+
+; Predicate for stack protector guard in stack_protect_combined_set and
+; stack_protect_combined_test patterns
+(define_predicate "guard_operand"
+  (match_code "mem")
+{
+  return guard_addr_operand (XEXP (op, 0), mode);
+})
+
+ (define_predicate "imm_for_neon_inv_logic_operand"
+   (match_code "const_vector")
+ {
+diff --git a/gcc/config/arm/thumb1.md b/gcc/config/arm/thumb1.md
+index 19dcdbcdd73..cd199c9c529 100644
+--- a/gcc/config/arm/thumb1.md
+++ b/gcc/config/arm/thumb1.md
+@@ -1962,4 +1962,17 @@
+   }"
+   [(set_attr "type" "mov_reg")]
+ )
+
+(define_insn "thumb1_stack_protect_test_insn"
+  [(set (match_operand:SI 0 "register_operand" "=&l")
+       (unspec:SI [(match_operand:SI 1 "memory_operand" "m")
+                   (mem:SI (match_operand:SI 2 "register_operand" "+l"))]
+        UNSPEC_SP_TEST))
+   (clobber (match_dup 2))]
+  "TARGET_THUMB1"
+  "ldr\t%0, [%2]\;ldr\t%2, %1\;eors\t%0, %2, %0"
+  [(set_attr "length" "8")
+   (set_attr "conds" "set")
+   (set_attr "type" "multiple")]
+)
+ 
+diff --git a/gcc/config/arm/unspecs.md b/gcc/config/arm/unspecs.md
+index 19416736ef9..8f9dbcb08dc 100644
+--- a/gcc/config/arm/unspecs.md
+++ b/gcc/config/arm/unspecs.md
+@@ -86,6 +86,9 @@
+   UNSPEC_PROBE_STACK    ; Probe stack memory reference
+   UNSPEC_NONSECURE_MEM ; Represent non-secure memory in ARMv8-M with
+                        ; security extension
+  UNSPEC_SP_SET                ; Represent the setting of stack protector's canary
+  UNSPEC_SP_TEST       ; Represent the testing of stack protector's canary
+                       ; against the guard.
+ ])
+ 
+ (define_c_enum "unspec" [
+diff --git a/gcc/doc/md.texi b/gcc/doc/md.texi
+index 295fc1f1143..895309b2f3c 100644
+--- a/gcc/doc/md.texi
+++ b/gcc/doc/md.texi
+@@ -7450,22 +7450,61 @@ builtins.
+ The get/set patterns have a single output/input operand respectively,
+ with @var{mode} intended to be @code{Pmode}.
+ 
+@cindex @code{stack_protect_combined_set} instruction pattern
+@item @samp{stack_protect_combined_set}
+This pattern, if defined, moves a @code{ptr_mode} value from an address
+whose declaration RTX is given in operand 1 to the memory in operand 0
+without leaving the value in a register afterward.  If several
+instructions are needed by the target to perform the operation (eg. to
+load the address from a GOT entry then load the @code{ptr_mode} value
+and finally store it), it is the backend's responsibility to ensure no
+intermediate result gets spilled.  This is to avoid leaking the value
+some place that an attacker might use to rewrite the stack guard slot
+after having clobbered it.
+
+If this pattern is not defined, then the address declaration is
+expanded first in the standard way and a @code{stack_protect_set}
+pattern is then generated to move the value from that address to the
+address in operand 0.
+
+ @cindex @code{stack_protect_set} instruction pattern
+ @item @samp{stack_protect_set}
+-This pattern, if defined, moves a @code{ptr_mode} value from the memory
+-in operand 1 to the memory in operand 0 without leaving the value in
+-a register afterward.  This is to avoid leaking the value some place
+-that an attacker might use to rewrite the stack guard slot after
+-having clobbered it.
+This pattern, if defined, moves a @code{ptr_mode} value from the valid
+memory location in operand 1 to the memory in operand 0 without leaving
+the value in a register afterward.  This is to avoid leaking the value
+some place that an attacker might use to rewrite the stack guard slot
+after having clobbered it.
+
+Note: on targets where the addressing modes do not allow to load
+directly from stack guard address, the address is expanded in a standard
+way first which could cause some spills.
+ 
+ If this pattern is not defined, then a plain move pattern is generated.
+ 
+@cindex @code{stack_protect_combined_test} instruction pattern
+@item @samp{stack_protect_combined_test}
+This pattern, if defined, compares a @code{ptr_mode} value from an
+address whose declaration RTX is given in operand 1 with the memory in
+operand 0 without leaving the value in a register afterward and
+branches to operand 2 if the values were equal.  If several
+instructions are needed by the target to perform the operation (eg. to
+load the address from a GOT entry then load the @code{ptr_mode} value
+and finally store it), it is the backend's responsibility to ensure no
+intermediate result gets spilled.  This is to avoid leaking the value
+some place that an attacker might use to rewrite the stack guard slot
+after having clobbered it.
+
+If this pattern is not defined, then the address declaration is
+expanded first in the standard way and a @code{stack_protect_test}
+pattern is then generated to compare the value from that address to the
+value at the memory in operand 0.
+
+ @cindex @code{stack_protect_test} instruction pattern
+ @item @samp{stack_protect_test}
+ This pattern, if defined, compares a @code{ptr_mode} value from the
+-memory in operand 1 with the memory in operand 0 without leaving the
+-value in a register afterward and branches to operand 2 if the values
+-were equal.
+valid memory location in operand 1 with the memory in operand 0 without
+leaving the value in a register afterward and branches to operand 2 if
+the values were equal.
+ 
+ If this pattern is not defined, then a plain compare pattern and
+ conditional branch pattern is used.
+diff --git a/gcc/function.c b/gcc/function.c
+index 85a5d9f43f7..69523c1d723 100644
+--- a/gcc/function.c
+++ b/gcc/function.c
+@@ -4937,18 +4937,34 @@ stack_protect_epilogue (void)
+   tree guard_decl = targetm.stack_protect_guard ();
+   rtx_code_label *label = gen_label_rtx ();
+   rtx x, y;
+-  rtx_insn *seq;
+  rtx_insn *seq = NULL;
+ 
+   x = expand_normal (crtl->stack_protect_guard);
+-  if (guard_decl)
+-    y = expand_normal (guard_decl);
+
+  if (targetm.have_stack_protect_combined_test () && guard_decl)
+    {
+      gcc_assert (DECL_P (guard_decl));
+      y = DECL_RTL (guard_decl);
+      /* Allow the target to compute address of Y and compare it with X without
+        leaking Y into a register.  This combined address + compare pattern
+        allows the target to prevent spilling of any intermediate results by
+        splitting it after register allocator.  */
+      seq = targetm.gen_stack_protect_combined_test (x, y, label);
+    }
+   else
+-    y = const0_rtx;
+    {
+      if (guard_decl)
+       y = expand_normal (guard_decl);
+      else
+       y = const0_rtx;
+
+      /* Allow the target to compare Y with X without leaking either into
+        a register.  */
+      if (targetm.have_stack_protect_test ())
+       seq = targetm.gen_stack_protect_test (x, y, label);
+    }
+ 
+-  /* Allow the target to compare Y with X without leaking either into
+-     a register.  */
+-  if (targetm.have_stack_protect_test ()
+-      && ((seq = targetm.gen_stack_protect_test (x, y, label)) != NULL_RTX))
+  if (seq)
+     emit_insn (seq);
+   else
+     emit_cmp_and_jump_insns (x, y, EQ, NULL_RTX, ptr_mode, 1, label);
+diff --git a/gcc/target-insns.def b/gcc/target-insns.def
+index 9a552c3d11c..d39889b3522 100644
+--- a/gcc/target-insns.def
+++ b/gcc/target-insns.def
+@@ -96,7 +96,9 @@ DEF_TARGET_INSN (sibcall_value, (rtx x0, rtx x1, rtx opt2, rtx opt3,
+ DEF_TARGET_INSN (simple_return, (void))
+ DEF_TARGET_INSN (split_stack_prologue, (void))
+ DEF_TARGET_INSN (split_stack_space_check, (rtx x0, rtx x1))
+DEF_TARGET_INSN (stack_protect_combined_set, (rtx x0, rtx x1))
+ DEF_TARGET_INSN (stack_protect_set, (rtx x0, rtx x1))
+DEF_TARGET_INSN (stack_protect_combined_test, (rtx x0, rtx x1, rtx x2))
+ DEF_TARGET_INSN (stack_protect_test, (rtx x0, rtx x1, rtx x2))
+ DEF_TARGET_INSN (store_multiple, (rtx x0, rtx x1, rtx x2))
+ DEF_TARGET_INSN (tablejump, (rtx x0, rtx x1))
+-- 
+2.21.0