[5.10,026/306] arm64: mm: Fix TLBI vs ASID rollover

Message ID	20210916155754.836388244@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Marc Zyngier <maz@kernel.org>, Jade Alglave <jade.alglave@arm.com>, Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>, Will Deacon <will@kernel.org>, Catalin Marinas <catalin.marinas@arm.com> Subject: [PATCH 5.10 026/306] arm64: mm: Fix TLBI vs ASID rollover Date: Thu, 16 Sep 2021 17:56:11 +0200 Message-Id: <20210916155754.836388244@linuxfoundation.org> In-Reply-To: <20210916155753.903069397@linuxfoundation.org> References: <20210916155753.903069397@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.10,002/306] io_uring: limit fixed table size by RLIMIT_NOFILE [5.10,004/306] io_uring: add ->splice_fd_in checks [5.10,005/306] io_uring: fail links of cancelled timeouts [5.10,008/306] btrfs: reset replace target device to allocation state on close [5.10,010/306] blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN [5.10,012/306] powerpc/perf/hv-gpci: Fix counter value parsing [5.10,014/306] 9p/xen: Fix end of loop tests for list_for_each_entry [5.10,015/306] ceph: fix dereference of null pointer cf [5.10,017/306] tools/thermal/tmon: Add cross compiling support [5.10,020/306] clk: socfpga: agilex: add the bypass register for s2f_usr0 clock [5.10,022/306] pinctrl: ingenic: Fix incorrect pull up/down info [5.10,023/306] soc: qcom: aoss: Fix the out of bound usage of cooling_devs [5.10,026/306] arm64: mm: Fix TLBI vs ASID rollover [5.10,027/306] arm64: head: avoid over-mapping in map_memory [5.10,029/306] wcn36xx: Ensure finish scan is not requested before start scan [5.10,031/306] block: bfq: fix bfq_set_next_ioprio_data() [5.10,033/306] cpufreq: schedutil: Use kobject release() method to free sugov_tunables [5.10,035/306] crypto: ccp - shutdown SEV firmware on kexec [5.10,039/306] s390/qdio: fix roll-back after timeout on ESTABLISH ccw [5.10,041/306] Revert "dmaengine: imx-sdma: refine to load context only once" [5.10,042/306] dmaengine: imx-sdma: remove duplicated sdma_load_context [5.10,044/306] ARM: 9105/1: atags_to_fdt: dont warn about stack size [5.10,046/306] PCI/portdrv: Enable Bandwidth Notification only if port supports it [5.10,048/306] PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure [5.10,051/306] PCI: Export pci_pio_to_address() for module use [5.10,052/306] PCI: aardvark: Fix checking for PIO status [5.10,053/306] PCI: aardvark: Fix masking and unmasking legacy INTx interrupts [5.10,055/306] f2fs: quota: fix potential deadlock [5.10,057/306] pinctrl: armada-37xx: Correct PWM pins definitions [5.10,060/306] IB/hfi1: Adjust pkey entry in index 0 [5.10,063/306] scsi: BusLogic: Use %X for u32 sized integer rather than %lX [5.10,065/306] vfio: Use config not menuconfig for VFIO_NOIOMMU [5.10,066/306] scsi: ufs: Fix memory corruption by ufshcd_read_desc_param() [5.10,067/306] cpuidle: pseries: Fixup CEDE0 latency only for POWER10 onwards [5.10,068/306] powerpc/stacktrace: Include linux/delay.h [5.10,069/306] RDMA/efa: Remove double QP type assignment [5.10,071/306] cpuidle: pseries: Mark pseries_idle_proble() as __init [5.10,072/306] f2fs: reduce the scope of setting fsck tag when de->name_len is zero [5.10,074/306] dma-debug: fix debugfs initialization order [5.10,076/306] NFSv4/pNFS: Always allow update of a zero valued layout barrier [5.10,079/306] SUNRPC/xprtrdma: Fix reconnection locking [5.10,081/306] sunrpc: Fix return value of get_srcport() [5.10,083/306] pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() [5.10,086/306] scsi: qedi: Fix error codes in qedi_alloc_global_queues() [5.10,087/306] scsi: qedf: Fix error codes in qedf_alloc_global_queues() [5.10,088/306] powerpc/config: Renable MTD_PHYSMAP_OF [5.10,089/306] iommu/vt-d: Update the virtual command related registers [5.10,092/306] KVM: PPC: Book3S HV: Fix copy_tofrom_guest routines [5.10,095/306] platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from run_smbios_call [5.10,096/306] powerpc/smp: Update cpu_core_map on all PowerPc systems [5.10,098/306] fscache: Fix cookie key hashing [5.10,101/306] soc: mediatek: cmdq: add address shift in jump [5.10,103/306] f2fs: fix unexpected ENOENT comes from f2fs_map_blocks() [5.10,104/306] f2fs: fix to unmap pages from userspace process in punch_hole() [5.10,105/306] f2fs: deallocate compressed pages when error happens [5.10,106/306] f2fs: should put a page beyond EOF when preparing a write [5.10,108/306] kbuild: Fix no symbols warning when CONFIG_TRIM_UNUSD_KSYMS=y [5.10,109/306] userfaultfd: prevent concurrent API initialization [5.10,111/306] drm/amdgpu: Fix amdgpu_ras_eeprom_init() [5.10,114/306] libbpf: Fix reuse of pinned map on older kernel [5.10,116/306] crypto: mxs-dcp - Use sg_mapping_iter to copy data [5.10,118/306] tipc: keep the skb in rcv queue until the whole data is read [5.10,120/306] iio: dac: ad5624r: Fix incorrect handling of an optional regulator. [5.10,123/306] ARM: dts: qcom: apq8064: correct clock names [5.10,126/306] Smack: Fix wrong semantics in smk_access_entry() [5.10,127/306] drm: avoid blocking in drm_clients_infos rcu section [5.10,131/306] igc: Check if num of q_vectors is smaller than max before array access [5.10,134/306] usb: gadget: u_ether: fix a potential null pointer dereference [5.10,135/306] USB: EHCI: ehci-mv: improve error handling in mv_ehci_enable() [5.10,138/306] tty: serial: jsm: hold port lock when reporting modem line changes [5.10,141/306] drm/amd/display: Fix timer_per_pixel unit error [5.10,143/306] media: platform: stm32: unprepare clocks at handling errors in probe [5.10,144/306] media: atomisp: Fix runtime PM imbalance in atomisp_pci_probe [5.10,146/306] nfp: fix return statement in nfp_net_parse_meta() [5.10,147/306] ethtool: improve compat ioctl handling [5.10,148/306] drm/amdgpu: Fix a printing message [5.10,149/306] drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex [5.10,151/306] bpf/tests: Do not PASS tests without actually testing the result [5.10,153/306] arm64: dts: allwinner: h6: tanix-tx6: Fix regulator node names [5.10,156/306] video: fbdev: riva: Error out if pixclock equals zero [5.10,158/306] flow_dissector: Fix out-of-bounds warnings [5.10,161/306] serial: 8250: Define RX trigger levels for OxSemi 950 devices [5.10,162/306] xtensa: ISS: dont panic in rs_init [5.10,164/306] serial: 8250_pci: make setup_port() parameters explicitly unsigned [5.10,165/306] staging: ks7010: Fix the initialization of the sleep_status structure [5.10,168/306] ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init() [5.10,169/306] Bluetooth: skip invalid hci_sync_conn_complete_evt [5.10,170/306] workqueue: Fix possible memory leaks in wq_numa_init() [5.10,171/306] ARM: dts: stm32: Set {bitclock,frame}-master phandles on DHCOM SoM [5.10,175/306] ARM: dts: at91: use the right property for shutdown controller [5.10,176/306] arm64: tegra: Fix Tegra194 PCIe EP compatible string [5.10,181/306] media: v4l2-dv-timings.c: fix wrong condition in two for-loops [5.10,182/306] media: TDA1997x: fix tda1997x_query_dv_timings() return value [5.10,184/306] gfs2: Fix glock recursion in freeze_go_xmote_bh [5.10,185/306] arm64: dts: qcom: sdm630: Rewrite memory map [5.10,187/306] serial: 8250_omap: Handle optional overrun-throttle-ms property [5.10,189/306] arm64: dts: qcom: ipq8074: fix pci node reg property [5.10,190/306] arm64: dts: qcom: sdm660: use reg value for memory node [5.10,191/306] arm64: dts: qcom: ipq6018: drop 0x from unit address [5.10,192/306] arm64: dts: qcom: sdm630: dont use underscore in node name [5.10,193/306] arm64: dts: qcom: msm8994: dont use underscore in node name [5.10,194/306] arm64: dts: qcom: msm8996: dont use underscore in node name [5.10,196/306] nvmem: qfprom: Fix up qfprom_disable_fuse_blowing() ordering [5.10,198/306] drm/msm: mdp4: drop vblank get/put from prepare/complete_commit [5.10,201/306] drm: xlnx: zynqmp: release reset to DP controller before accessing DP registers [5.10,202/306] thunderbolt: Fix port linking by checking all adapters [5.10,204/306] drm/amd/display: fix incorrect CM/TF programming sequence in dwb [5.10,205/306] selftests/bpf: Fix xdp_tx.c prog section name [5.10,206/306] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c [5.10,208/306] Bluetooth: avoid circular locks in sco_sock_connect [5.10,209/306] drm/msm/dp: return correct edid checksum after corrupted edid checksum read [5.10,210/306] net/mlx5: Fix variable type to match 64bit [5.10,211/306] gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in a... [5.10,214/306] ARM: tegra: acer-a500: Remove bogus USB VBUS regulators [5.10,215/306] ARM: tegra: tamonten: Fix UART pad setting [5.10,217/306] arm64: dts: ls1046a: fix eeprom entries [5.10,219/306] nvme: code command_id with a genctr for use-after-free validation [5.10,221/306] opp: Dont print an error if required-opps is missing [5.10,223/306] iomap: pass writeback errors to the mapping [5.10,225/306] rpc: fix gss_svc_init cleanup on failure [5.10,226/306] selftests/bpf: Fix flaky send_signal test [5.10,229/306] net: Fix offloading indirect devices dependency on qdisc order creation [5.10,230/306] kselftest/arm64: mte: Fix misleading output when skipping tests [5.10,231/306] kselftest/arm64: pac: Fix skipping of tests on systems without PAC [5.10,235/306] drm/exynos: Always initialize mapping in exynos_drm_register_dma() [5.10,236/306] rtl8xxxu: Fix the handling of TX A-MPDU aggregation [5.10,239/306] rtw88: wow: fix size access error of probe request [5.10,240/306] octeontx2-pf: Fix NIX1_RX interface backpressure [5.10,241/306] m68knommu: only set CONFIG_ISA_DMA_API for ColdFire sub-arch [5.10,244/306] ASoC: Intel: Skylake: Fix module configuration for KPB and MIXER [5.10,246/306] of: Dont allow __of_attached_node_sysfs() without CONFIG_SYSFS [5.10,247/306] mmc: sdhci-of-arasan: Modified SD default speed to 19MHz for ZynqMP [5.10,248/306] mmc: sdhci-of-arasan: Check return value of non-void funtions [5.10,249/306] mmc: rtsx_pci: Fix long reads when clock is prescaled [5.10,251/306] mmc: core: Return correct emmc response in case of ioctl error [5.10,253/306] Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set" [5.10,254/306] usb: musb: musb_dsps: request_irq() after initializing musb [5.10,256/306] usbip:vhci_hcd USB port can get stuck in the disabled state [5.10,257/306] ASoC: rockchip: i2s: Fix regmap_ops hang [5.10,260/306] nfsd: fix crash on LOCKT on reexported NFSv3 [5.10,261/306] iwlwifi: pcie: free RBs during configure [5.10,264/306] iwlwifi: mvm: fix access to BSS elements [5.10,266/306] iwlwifi: mvm: Fix scan channel flags settings [5.10,269/306] parport: remove non-zero check on count [5.10,271/306] wcn36xx: Fix missing frame timestamp for beacon/probe-resp [5.10,273/306] ath9k: fix sleeping in atomic context [5.10,275/306] fix array-index-out-of-bounds in taprio_change [5.10,278/306] fs/io_uring Dont use the return value from import_iovec(). [5.10,279/306] io_uring: remove duplicated io_size from rw [5.10,283/306] scsi: qla2xxx: Changes to support kdump kernel [5.10,285/306] cpufreq: powernv: Fix init_chip_info initialization in numa=off [5.10,288/306] mm/hmm: bypass devmap pte when all pfn requested flags are fulfilled [5.10,290/306] mm,vmscan: fix divide by zero in get_scan_count [5.10,293/306] platform/chrome: cros_ec_proto: Send command again when timeout occurs [5.10,294/306] lib/test_stackinit: Fix static initializer test [5.10,297/306] drm/msi/mdp4: populate priv->kms in mdp4_kms_init [5.10,299/306] drm/panfrost: Make sure MMU context lifetime is not bound to panfrost_priv [5.10,300/306] drm/amdgpu: Fix BUG_ON assert [5.10,303/306] drm/panfrost: Simplify lock_region calculation [5.10,304/306] drm/panfrost: Use u64 for size in lock_region [5.10,306/306] fanotify: limit number of event merge attempts

Message ID

20210916155754.836388244@linuxfoundation.org

State

New

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Marc Zyngier <maz@kernel.org>,
	Jade Alglave <jade.alglave@arm.com>,
	Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>,
	Will Deacon <will@kernel.org>, Catalin Marinas <catalin.marinas@arm.com>
Subject: [PATCH 5.10 026/306] arm64: mm: Fix TLBI vs ASID rollover
Date: Thu, 16 Sep 2021 17:56:11 +0200
Message-Id: <20210916155754.836388244@linuxfoundation.org>
In-Reply-To: <20210916155753.903069397@linuxfoundation.org>
References: <20210916155753.903069397@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

None | expand

Commit Message

Greg KH Sept. 16, 2021, 3:56 p.m. UTC

From: Will Deacon <will@kernel.org>

commit 5e10f9887ed85d4f59266d5c60dd09be96b5dbd4 upstream.

When switching to an 'mm_struct' for the first time following an ASID
rollover, a new ASID may be allocated and assigned to 'mm->context.id'.
This reassignment can happen concurrently with other operations on the
mm, such as unmapping pages and subsequently issuing TLB invalidation.

Consequently, we need to ensure that (a) accesses to 'mm->context.id'
are atomic and (b) all page-table updates made prior to a TLBI using the
old ASID are guaranteed to be visible to CPUs running with the new ASID.

This was found by inspection after reviewing the VMID changes from
Shameer but it looks like a real (yet hard to hit) bug.

Cc: <stable@vger.kernel.org>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Jade Alglave <jade.alglave@arm.com>
Cc: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
Signed-off-by: Will Deacon <will@kernel.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20210806113109.2475-2-will@kernel.org
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/mmu.h      |   29 +++++++++++++++++++++++++----
 arch/arm64/include/asm/tlbflush.h |   11 ++++++-----
 2 files changed, 31 insertions(+), 9 deletions(-)

--- a/arch/arm64/include/asm/mmu.h
+++ b/arch/arm64/include/asm/mmu.h
@@ -30,11 +30,32 @@  typedef struct {
 } mm_context_t;
 
 /*
- * This macro is only used by the TLBI and low-level switch_mm() code,
- * neither of which can race with an ASID change. We therefore don't
- * need to reload the counter using atomic64_read().
+ * We use atomic64_read() here because the ASID for an 'mm_struct' can
+ * be reallocated when scheduling one of its threads following a
+ * rollover event (see new_context() and flush_context()). In this case,
+ * a concurrent TLBI (e.g. via try_to_unmap_one() and ptep_clear_flush())
+ * may use a stale ASID. This is fine in principle as the new ASID is
+ * guaranteed to be clean in the TLB, but the TLBI routines have to take
+ * care to handle the following race:
+ *
+ *    CPU 0                    CPU 1                          CPU 2
+ *
+ *    // ptep_clear_flush(mm)
+ *    xchg_relaxed(pte, 0)
+ *    DSB ISHST
+ *    old = ASID(mm)
+ *         |                                                  <rollover>
+ *         |                   new = new_context(mm)
+ *         \-----------------> atomic_set(mm->context.id, new)
+ *                             cpu_switch_mm(mm)
+ *                             // Hardware walk of pte using new ASID
+ *    TLBI(old)
+ *
+ * In this scenario, the barrier on CPU 0 and the dependency on CPU 1
+ * ensure that the page-table walker on CPU 1 *must* see the invalid PTE
+ * written by CPU 0.
  */
-#define ASID(mm)	((mm)->context.id.counter & 0xffff)
+#define ASID(mm)	(atomic64_read(&(mm)->context.id) & 0xffff)
 
 static inline bool arm64_kernel_unmapped_at_el0(void)
 {
--- a/arch/arm64/include/asm/tlbflush.h
+++ b/arch/arm64/include/asm/tlbflush.h
@@ -245,9 +245,10 @@  static inline void flush_tlb_all(void)
 
 static inline void flush_tlb_mm(struct mm_struct *mm)
 {
-	unsigned long asid = __TLBI_VADDR(0, ASID(mm));
+	unsigned long asid;
 
 	dsb(ishst);
+	asid = __TLBI_VADDR(0, ASID(mm));
 	__tlbi(aside1is, asid);
 	__tlbi_user(aside1is, asid);
 	dsb(ish);
@@ -256,9 +257,10 @@  static inline void flush_tlb_mm(struct m
 static inline void flush_tlb_page_nosync(struct vm_area_struct *vma,
 					 unsigned long uaddr)
 {
-	unsigned long addr = __TLBI_VADDR(uaddr, ASID(vma->vm_mm));
+	unsigned long addr;
 
 	dsb(ishst);
+	addr = __TLBI_VADDR(uaddr, ASID(vma->vm_mm));
 	__tlbi(vale1is, addr);
 	__tlbi_user(vale1is, addr);
 }
@@ -283,9 +285,7 @@  static inline void __flush_tlb_range(str
 {
 	int num = 0;
 	int scale = 0;
-	unsigned long asid = ASID(vma->vm_mm);
-	unsigned long addr;
-	unsigned long pages;
+	unsigned long asid, addr, pages;
 
 	start = round_down(start, stride);
 	end = round_up(end, stride);
@@ -305,6 +305,7 @@  static inline void __flush_tlb_range(str
 	}
 
 	dsb(ishst);
+	asid = ASID(vma->vm_mm);
 
 	/*
 	 * When the CPU does not support TLB range operations, flush the TLB

[5.10,026/306] arm64: mm: Fix TLBI vs ASID rollover

Commit Message

Patch