arm64 fixes:

- Report correct timer frequency to userspace when trapping CNTFRQ_EL0 - Fix race with hardware page table updates when updating access flags - Silence clang overflow warning in VA_START and PAGE_OFFSET calculations -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAABCgAGBQJZhIc7AAoJELescNyEwWM0EaUH/0f1/MnKwZHAUoSOWrZynKna 0y59hNvlr47FCGxaMVSVWq/+mtSqxsQTPyLkLSULh8PR7OEwjq5qLxLMhFWF/7B4 /nmAGhFOYHDR95/0Mo0cMOMyamIvGPIqd304yld0P13S5z26UdRCoTrWgeKFJ2sm wcKCJeAK+U4NZbASNthDKH7Mo0lM25oLIJ8gqj4o0NrxyZr86mXVTypV/nM82qdm WRMFqGh5iRrmnGSCajgcTjqnYkFOYwHirKvdrV68+GFOYqVIS+9+RdwSnRNOZ9hl MsIOUDRn3doHDe4tK9NcQlLoaRIqA9fM4+94XGJu+8uUNfDRYMueO6XUvGmnmOQ= =FER5 -----END PGP SIGNATURE----- Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Will Deacon: "Here are some more arm64 fixes for 4.13. The main one is the PTE race with the hardware walker, but there are a couple of other things too. - Report correct timer frequency to userspace when trapping CNTFRQ_EL0 - Fix race with hardware page table updates when updating access flags - Silence clang overflow warning in VA_START and PAGE_OFFSET calculations" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: avoid overflow in VA_START and PAGE_OFFSET arm64: Fix potential race with hardware DBM in ptep_set_access_flags() arm64: Use arch_timer_get_rate when trapping CNTFRQ_EL0
2026-05-30 18:13:41 +02:00 · 2017-08-04 12:11:48 -07:00 · 2017-08-04 12:11:48 -07:00 · b3c6858fb1
commit b3c6858fb1
parent 0a23ea65ce 82cd588052
3 changed files with 13 additions and 10 deletions
--- a/arch/arm64/include/asm/memory.h
+++ b/arch/arm64/include/asm/memory.h
@ -64,8 +64,10 @@
 * TASK_UNMAPPED_BASE - the lower boundary of the mmap VM area.
 */
 #define VA_BITS			(CONFIG_ARM64_VA_BITS)
-#define VA_START		(UL(0xffffffffffffffff) << VA_BITS)
-#define PAGE_OFFSET		(UL(0xffffffffffffffff) << (VA_BITS - 1))
+#define VA_START		(UL(0xffffffffffffffff) - \
+	(UL(1) << VA_BITS) + 1)
+#define PAGE_OFFSET		(UL(0xffffffffffffffff) - \
+	(UL(1) << (VA_BITS - 1)) + 1)
 #define KIMAGE_VADDR		(MODULES_END)
 #define MODULES_END		(MODULES_VADDR + MODULES_VSIZE)
 #define MODULES_VADDR		(VA_START + KASAN_SHADOW_SIZE)
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@ -523,7 +523,7 @@ static void cntfrq_read_handler(unsigned int esr, struct pt_regs *regs)
 {
 	int rt = (esr & ESR_ELx_SYS64_ISS_RT_MASK) >> ESR_ELx_SYS64_ISS_RT_SHIFT;

-	pt_regs_write_reg(regs, rt, read_sysreg(cntfrq_el0));
+	pt_regs_write_reg(regs, rt, arch_timer_get_rate());
 	regs->pc += 4;
 }

--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@ -163,26 +163,27 @@ int ptep_set_access_flags(struct vm_area_struct *vma,
 	/* only preserve the access flags and write permission */
 	pte_val(entry) &= PTE_AF | PTE_WRITE | PTE_DIRTY;

-	/*
-	 * PTE_RDONLY is cleared by default in the asm below, so set it in
-	 * back if necessary (read-only or clean PTE).
-	 */
+	/* set PTE_RDONLY if actual read-only or clean PTE */
 	if (!pte_write(entry) || !pte_sw_dirty(entry))
 		pte_val(entry) |= PTE_RDONLY;

 	/*
 	 * Setting the flags must be done atomically to avoid racing with the
-	 * hardware update of the access/dirty state.
+	 * hardware update of the access/dirty state. The PTE_RDONLY bit must
+	 * be set to the most permissive (lowest value) of *ptep and entry
+	 * (calculated as: a & b == ~(~a | ~b)).
 	 */
+	pte_val(entry) ^= PTE_RDONLY;
 	asm volatile("//	ptep_set_access_flags\n"
 	"	prfm	pstl1strm, %2\n"
 	"1:	ldxr	%0, %2\n"
-	"	and	%0, %0, %3		// clear PTE_RDONLY\n"
+	"	eor	%0, %0, %3		// negate PTE_RDONLY in *ptep\n"
 	"	orr	%0, %0, %4		// set flags\n"
+	"	eor	%0, %0, %3		// negate final PTE_RDONLY\n"
 	"	stxr	%w1, %0, %2\n"
 	"	cbnz	%w1, 1b\n"
 	: "=&r" (old_pteval), "=&r" (tmp), "+Q" (pte_val(*ptep))
-	: "L" (~PTE_RDONLY), "r" (pte_val(entry)));
+	: "L" (PTE_RDONLY), "r" (pte_val(entry)));

 	flush_tlb_fix_spurious_fault(vma, address);
 	return 1;