bpf: prevent speculative execution in eBPF interpreter

CVE-2017-5753
CVE-2017-5715

This adds a generic memory barrier before LD_IMM_DW and
LDX_MEM_B/H/W/DW eBPF instructions during eBPF program
execution in order to prevent speculative execution on out
of bound BFP_MAP array indexes. This way an arbitary kernel
memory is not exposed through side channel attacks.

For more details, please see this Google Project Zero report: tbd
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
(cherry picked from commit 69cfcc33d4ec282f14e47f1705bf45117e557b69)
Signed-off-by: Andy Whitcroft <apw@canonical.com>

kernel/bpf/core.c

@@ -29,6 +29,7 @@
 #include <linux/bpf.h>
 
 #include <asm/unaligned.h>
+#include <asm/barrier.h>
 
 /* Registers */
 #define BPF_R0	regs[BPF_REG_0]
@@ -630,6 +631,7 @@ static unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn)
 		DST = IMM;
 		CONT;
 	LD_IMM_DW:
+		gmb();
 		DST = (u64) (u32) insn[0].imm | ((u64) (u32) insn[1].imm) << 32;
 		insn++;
 		CONT;
@@ -844,6 +846,7 @@ static unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn)
 		*(SIZE *)(unsigned long) (DST + insn->off) = IMM;	\
 		CONT;							\
 	LDX_MEM_##SIZEOP:						\
+		gmb();							\
 		DST = *(SIZE *)(unsigned long) (SRC + insn->off);	\
 		CONT;