Re: [PATCH v6 2/2] arm64: Add workaround for Arm Cortex-A77 erratum 1508412

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Sep 24, 2020 at 8:48 AM Rob Herring <robh@xxxxxxxxxx> wrote:
>
> On Cortex-A77 r0p0 and r1p0, a sequence of a non-cacheable or device load
> and a store exclusive or PAR_EL1 read can cause a deadlock.
>
> The workaround requires a DMB SY before and after a PAR_EL1 register
> read. In addition, it's possible an interrupt (doing a device read) or
> KVM guest exit could be taken between the DMB and PAR read, so we
> also need a DMB before returning from interrupt and before returning to
> a guest.
>
> A deadlock is still possible with the workaround as KVM guests must also
> have the workaround. IOW, a malicious guest can deadlock an affected
> systems.
>
> This workaround also depends on a firmware counterpart to enable the h/w
> to insert DMB SY after load and store exclusive instructions. See the
> errata document SDEN-1152370 v10 [1] for more information.
>
> [1] https://static.docs.arm.com/101992/0010/Arm_Cortex_A77_MP074_Software_Developer_Errata_Notice_v10.pdf
>
> Cc: Catalin Marinas <catalin.marinas@xxxxxxx>
> Cc: James Morse <james.morse@xxxxxxx>
> Cc: Suzuki K Poulose <suzuki.poulose@xxxxxxx>
> Cc: Will Deacon <will@xxxxxxxxxx>
> Cc: Marc Zyngier <maz@xxxxxxxxxx>
> Cc: Julien Thierry <julien.thierry.kdev@xxxxxxxxx>
> Cc: kvmarm@xxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Rob Herring <robh@xxxxxxxxxx>
> ---
> v6:
> - Do dmb on kernel_exit rather than disabling interrupts around PAR read
> v5:
> - Rebase on v5.9-rc3
> - Disable interrupts around PAR reads
> - Add DMB on return to guest
>
> v4:
> - Move read_sysreg_par out of KVM code to sysreg.h to share
> - Also use read_sysreg_par in fault.c and kvm/sys_regs.c
> - Use alternative f/w for dmbs around PAR read
> - Use cpus_have_final_cap instead of cpus_have_const_cap
> - Add note about speculation of PAR read
>
> v3:
> - Add dmbs around PAR reads in KVM code
> - Clean-up 'work-around' and 'errata'
>
> v2:
> - Don't disable KVM, just print warning
> ---
>  Documentation/arm64/silicon-errata.rst     |  2 ++
>  arch/arm64/Kconfig                         | 20 ++++++++++++++++++++
>  arch/arm64/include/asm/cpucaps.h           |  3 ++-
>  arch/arm64/include/asm/sysreg.h            |  9 +++++++++
>  arch/arm64/kernel/cpu_errata.c             | 10 ++++++++++
>  arch/arm64/kernel/entry.S                  |  3 +++
>  arch/arm64/kvm/arm.c                       |  3 ++-
>  arch/arm64/kvm/hyp/include/hyp/switch.h    | 21 +++++++++++++--------
>  arch/arm64/kvm/hyp/include/hyp/sysreg-sr.h |  2 +-
>  arch/arm64/kvm/hyp/nvhe/switch.c           |  2 +-
>  arch/arm64/kvm/hyp/vhe/switch.c            |  2 +-
>  arch/arm64/kvm/sys_regs.c                  |  2 +-
>  arch/arm64/mm/fault.c                      |  2 +-
>  13 files changed, 66 insertions(+), 15 deletions(-)

Marc, Can I get an ack for KVM on this? Will is waiting for one before applying.

Rob

>
> diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst
> index d3587805de64..719510247292 100644
> --- a/Documentation/arm64/silicon-errata.rst
> +++ b/Documentation/arm64/silicon-errata.rst
> @@ -90,6 +90,8 @@ stable kernels.
>  +----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A76      | #1463225        | ARM64_ERRATUM_1463225       |
>  +----------------+-----------------+-----------------+-----------------------------+
> +| ARM            | Cortex-A77      | #1508412        | ARM64_ERRATUM_1508412       |
> ++----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Neoverse-N1     | #1188873,1418040| ARM64_ERRATUM_1418040       |
>  +----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Neoverse-N1     | #1349291        | N/A                         |
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 6d232837cbee..9ba14ff06cd6 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -626,6 +626,26 @@ config ARM64_ERRATUM_1542419
>
>           If unsure, say Y.
>
> +config ARM64_ERRATUM_1508412
> +       bool "Cortex-A77: 1508412: workaround deadlock on sequence of NC/Device load and store exclusive or PAR read"
> +       default y
> +       help
> +         This option adds a workaround for Arm Cortex-A77 erratum 1508412.
> +
> +         Affected Cortex-A77 cores (r0p0, r1p0) could deadlock on a sequence
> +         of a store-exclusive or read of PAR_EL1 and a load with device or
> +         non-cacheable memory attributes. The workaround depends on a firmware
> +         counterpart.
> +
> +         KVM guests must also have the workaround implemented or they can
> +         deadlock the system.
> +
> +         Work around the issue by inserting DMB SY barriers around PAR_EL1
> +         register reads and warning KVM users. The DMB barrier is sufficient
> +         to prevent a speculative PAR_EL1 read.
> +
> +         If unsure, say Y.
> +
>  config CAVIUM_ERRATUM_22375
>         bool "Cavium erratum 22375, 24313"
>         default y
> diff --git a/arch/arm64/include/asm/cpucaps.h b/arch/arm64/include/asm/cpucaps.h
> index 07b643a70710..f184142b6e5a 100644
> --- a/arch/arm64/include/asm/cpucaps.h
> +++ b/arch/arm64/include/asm/cpucaps.h
> @@ -64,7 +64,8 @@
>  #define ARM64_BTI                              54
>  #define ARM64_HAS_ARMv8_4_TTL                  55
>  #define ARM64_HAS_TLB_RANGE                    56
> +#define ARM64_WORKAROUND_1508412               57
>
> -#define ARM64_NCAPS                            57
> +#define ARM64_NCAPS                            58
>
>  #endif /* __ASM_CPUCAPS_H */
> diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
> index 554a7e8ecb07..d8a48d572c68 100644
> --- a/arch/arm64/include/asm/sysreg.h
> +++ b/arch/arm64/include/asm/sysreg.h
> @@ -943,6 +943,7 @@
>
>  #include <linux/build_bug.h>
>  #include <linux/types.h>
> +#include <asm/alternative.h>
>
>  #define __DEFINE_MRS_MSR_S_REGNUM                              \
>  "      .irp    num,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30\n" \
> @@ -1024,6 +1025,14 @@
>                 write_sysreg(__scs_new, sysreg);                        \
>  } while (0)
>
> +#define read_sysreg_par() ({                                           \
> +       u64 par;                                                        \
> +       asm(ALTERNATIVE("nop", "dmb sy", ARM64_WORKAROUND_1508412));    \
> +       par = read_sysreg(par_el1);                                     \
> +       asm(ALTERNATIVE("nop", "dmb sy", ARM64_WORKAROUND_1508412));    \
> +       par;                                                            \
> +})
> +
>  #endif
>
>  #endif /* __ASM_SYSREG_H */
> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
> index c332d49780dc..b8ac7d1b2182 100644
> --- a/arch/arm64/kernel/cpu_errata.c
> +++ b/arch/arm64/kernel/cpu_errata.c
> @@ -952,6 +952,16 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
>                 .matches = has_neoverse_n1_erratum_1542419,
>                 .cpu_enable = cpu_enable_trap_ctr_access,
>         },
> +#endif
> +#ifdef CONFIG_ARM64_ERRATUM_1508412
> +       {
> +               /* we depend on the firmware portion for correctness */
> +               .desc = "ARM erratum 1508412 (kernel portion)",
> +               .capability = ARM64_WORKAROUND_1508412,
> +               ERRATA_MIDR_RANGE(MIDR_CORTEX_A77,
> +                                 0, 0,
> +                                 1, 0),
> +       },
>  #endif
>         {
>         }
> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> index 55af8b504b65..52232ee40634 100644
> --- a/arch/arm64/kernel/entry.S
> +++ b/arch/arm64/kernel/entry.S
> @@ -332,6 +332,9 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
>         br      x30
>  #endif
>         .else
> +       /* Ensure any device/NC reads complete */
> +       alternative_insn nop, "dmb sy", ARM64_WORKAROUND_1508412
> +
>         eret
>         .endif
>         sb
> diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
> index 46dc3d75cf13..79ead5c510ab 100644
> --- a/arch/arm64/kvm/arm.c
> +++ b/arch/arm64/kvm/arm.c
> @@ -1640,7 +1640,8 @@ int kvm_arch_init(void *opaque)
>                 return -ENODEV;
>         }
>
> -       if (cpus_have_final_cap(ARM64_WORKAROUND_DEVICE_LOAD_ACQUIRE))
> +       if (cpus_have_final_cap(ARM64_WORKAROUND_DEVICE_LOAD_ACQUIRE) ||
> +           cpus_have_final_cap(ARM64_WORKAROUND_1508412))
>                 kvm_info("Guests without required CPU erratum workarounds can deadlock system!\n" \
>                          "Only trusted guests should be used on this system.\n");
>
> diff --git a/arch/arm64/kvm/hyp/include/hyp/switch.h b/arch/arm64/kvm/hyp/include/hyp/switch.h
> index 5b6b8fa00f0a..c48f4c59e933 100644
> --- a/arch/arm64/kvm/hyp/include/hyp/switch.h
> +++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
> @@ -145,9 +145,9 @@ static inline bool __translate_far_to_hpfar(u64 far, u64 *hpfar)
>          * We do need to save/restore PAR_EL1 though, as we haven't
>          * saved the guest context yet, and we may return early...
>          */
> -       par = read_sysreg(par_el1);
> +       par = read_sysreg_par();
>         if (!__kvm_at("s1e1r", far))
> -               tmp = read_sysreg(par_el1);
> +               tmp = read_sysreg_par();
>         else
>                 tmp = SYS_PAR_EL1_F; /* back to the guest */
>         write_sysreg(par, par_el1);
> @@ -424,7 +424,7 @@ static inline bool fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code)
>         if (cpus_have_final_cap(ARM64_WORKAROUND_CAVIUM_TX2_219_TVM) &&
>             kvm_vcpu_trap_get_class(vcpu) == ESR_ELx_EC_SYS64 &&
>             handle_tx2_tvm(vcpu))
> -               return true;
> +               goto guest;
>
>         /*
>          * We trap the first access to the FP/SIMD to save the host context
> @@ -434,13 +434,13 @@ static inline bool fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code)
>          * Similarly for trapped SVE accesses.
>          */
>         if (__hyp_handle_fpsimd(vcpu))
> -               return true;
> +               goto guest;
>
>         if (__hyp_handle_ptrauth(vcpu))
> -               return true;
> +               goto guest;
>
>         if (!__populate_fault_info(vcpu))
> -               return true;
> +               goto guest;
>
>         if (static_branch_unlikely(&vgic_v2_cpuif_trap)) {
>                 bool valid;
> @@ -455,7 +455,7 @@ static inline bool fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code)
>                         int ret = __vgic_v2_perform_cpuif_access(vcpu);
>
>                         if (ret == 1)
> -                               return true;
> +                               goto guest;
>
>                         /* Promote an illegal access to an SError.*/
>                         if (ret == -1)
> @@ -471,12 +471,17 @@ static inline bool fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code)
>                 int ret = __vgic_v3_perform_cpuif_access(vcpu);
>
>                 if (ret == 1)
> -                       return true;
> +                       goto guest;
>         }
>
>  exit:
>         /* Return to the host kernel and handle the exit */
>         return false;
> +
> +guest:
> +       /* Re-enter the guest */
> +       asm(ALTERNATIVE("nop", "dmb sy", ARM64_WORKAROUND_1508412));
> +       return true;
>  }
>
>  static inline bool __needs_ssbd_off(struct kvm_vcpu *vcpu)
> diff --git a/arch/arm64/kvm/hyp/include/hyp/sysreg-sr.h b/arch/arm64/kvm/hyp/include/hyp/sysreg-sr.h
> index 7a986030145f..cce43bfe158f 100644
> --- a/arch/arm64/kvm/hyp/include/hyp/sysreg-sr.h
> +++ b/arch/arm64/kvm/hyp/include/hyp/sysreg-sr.h
> @@ -43,7 +43,7 @@ static inline void __sysreg_save_el1_state(struct kvm_cpu_context *ctxt)
>         ctxt_sys_reg(ctxt, CONTEXTIDR_EL1) = read_sysreg_el1(SYS_CONTEXTIDR);
>         ctxt_sys_reg(ctxt, AMAIR_EL1)   = read_sysreg_el1(SYS_AMAIR);
>         ctxt_sys_reg(ctxt, CNTKCTL_EL1) = read_sysreg_el1(SYS_CNTKCTL);
> -       ctxt_sys_reg(ctxt, PAR_EL1)     = read_sysreg(par_el1);
> +       ctxt_sys_reg(ctxt, PAR_EL1)     = read_sysreg_par();
>         ctxt_sys_reg(ctxt, TPIDR_EL1)   = read_sysreg(tpidr_el1);
>
>         ctxt_sys_reg(ctxt, SP_EL1)      = read_sysreg(sp_el1);
> diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c
> index 0970442d2dbc..f4233cccf60b 100644
> --- a/arch/arm64/kvm/hyp/nvhe/switch.c
> +++ b/arch/arm64/kvm/hyp/nvhe/switch.c
> @@ -246,7 +246,7 @@ void __noreturn hyp_panic(struct kvm_cpu_context *host_ctxt)
>  {
>         u64 spsr = read_sysreg_el2(SYS_SPSR);
>         u64 elr = read_sysreg_el2(SYS_ELR);
> -       u64 par = read_sysreg(par_el1);
> +       u64 par = read_sysreg_par();
>         struct kvm_vcpu *vcpu = host_ctxt->__hyp_running_vcpu;
>         unsigned long str_va;
>
> diff --git a/arch/arm64/kvm/hyp/vhe/switch.c b/arch/arm64/kvm/hyp/vhe/switch.c
> index c1da4f86ccac..c2cb27e57318 100644
> --- a/arch/arm64/kvm/hyp/vhe/switch.c
> +++ b/arch/arm64/kvm/hyp/vhe/switch.c
> @@ -212,7 +212,7 @@ void __noreturn hyp_panic(struct kvm_cpu_context *host_ctxt)
>  {
>         u64 spsr = read_sysreg_el2(SYS_SPSR);
>         u64 elr = read_sysreg_el2(SYS_ELR);
> -       u64 par = read_sysreg(par_el1);
> +       u64 par = read_sysreg_par();
>
>         __hyp_call_panic(spsr, elr, par, host_ctxt);
>         unreachable();
> diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
> index 077293b5115f..8d8d77794cc4 100644
> --- a/arch/arm64/kvm/sys_regs.c
> +++ b/arch/arm64/kvm/sys_regs.c
> @@ -95,7 +95,7 @@ static bool __vcpu_read_sys_reg_from_cpu(int reg, u64 *val)
>         case AMAIR_EL1:         *val = read_sysreg_s(SYS_AMAIR_EL12);   break;
>         case CNTKCTL_EL1:       *val = read_sysreg_s(SYS_CNTKCTL_EL12); break;
>         case ELR_EL1:           *val = read_sysreg_s(SYS_ELR_EL12);     break;
> -       case PAR_EL1:           *val = read_sysreg_s(SYS_PAR_EL1);      break;
> +       case PAR_EL1:           *val = read_sysreg_par();               break;
>         case DACR32_EL2:        *val = read_sysreg_s(SYS_DACR32_EL2);   break;
>         case IFSR32_EL2:        *val = read_sysreg_s(SYS_IFSR32_EL2);   break;
>         case DBGVCR32_EL2:      *val = read_sysreg_s(SYS_DBGVCR32_EL2); break;
> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
> index f07333e86c2f..2dbd1d9aa3c7 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
> @@ -260,7 +260,7 @@ static bool __kprobes is_spurious_el1_translation_fault(unsigned long addr,
>         local_irq_save(flags);
>         asm volatile("at s1e1r, %0" :: "r" (addr));
>         isb();
> -       par = read_sysreg(par_el1);
> +       par = read_sysreg_par();
>         local_irq_restore(flags);
>
>         /*
> --
> 2.25.1
>
_______________________________________________
kvmarm mailing list
kvmarm@xxxxxxxxxxxxxxxxxxxxx
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm



[Index of Archives]     [Linux KVM]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux