On 24 February 2018 at 08:34, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Feb 23, 2018 at 06:29:02PM +0000, Ard Biesheuvel wrote:
>> Stable backport commit 173358a49173 ("arm64: kpti: Add ->enable callback
>> to remap swapper using nG mappings") of upstream commit f992b4dfd58b did
>> not survive the backporting process unscathed, and ends up writing garbage
>> into the TTBR1_EL1 register, rather than pointing it to the zero page to
>> disable translations. Fix that.
>>
>> Cc: <stable@xxxxxxxxxxxxxxx> #v4.14
>> Reported-by: Nicolas Dechesne <nicolas.dechesne@xxxxxxxxxx>
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
>> ---
>> arch/arm64/mm/proc.S | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Any reason why you didn't cc: the stable list, as this is a patch that
> is not needed in mainline, right?
>

Indeed, apologies. I added the Cc: tag but it appears not to have been
picked up by git send-email. Also, I suppose it is unclear from the
tag that this should be applied to both v4.15 and v4.14.

>> diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S
>> index 08572f95bd8a..2b473ddeb7a3 100644
>> --- a/arch/arm64/mm/proc.S
>> +++ b/arch/arm64/mm/proc.S
>> @@ -155,7 +155,7 @@ ENDPROC(cpu_do_switch_mm)
>>
>> .macro __idmap_cpu_set_reserved_ttbr1, tmp1, tmp2
>> adrp \tmp1, empty_zero_page
>> - msr ttbr1_el1, \tmp2
>> + msr ttbr1_el1, \tmp1
>
> I don't understand why this isn't also needed in Linus's tree. What
> commit there prevents this from being required?
>

Linus's tree has

+.macro __idmap_cpu_set_reserved_ttbr1, tmp1, tmp2
+ adrp \tmp1, empty_zero_page
+ phys_to_ttbr \tmp1, \tmp2
+ msr ttbr1_el1, \tmp2
+ isb
+ tlbi vmalle1
+ dsb nsh
+ isb
+.endm

but phys_to_ttbr does not exist in the v4.15 and earlier trees (it is
related to 52-bit physical address support which landed in v4.16), so
it was removed for the backport. However, that means tmp2 is never
assigned, and whatever was there is poked into the translation table
base register.

But let's wait for team-ARM to ack this in any case.

Thanks,
Ard.
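
Review bot: on the `.macro __idmap_cpu_set_reserved_ttbr1, tmp1, tmp2` context line, `tmp2` stays in the parameter list although, with `msr ttbr1_el1, \tmp1`, none of the lines shown uses it any more. Consider a one-line comment saying the parameter is kept only to match the upstream macro signature, and naming the cause in the commit message (the backport dropped `phys_to_ttbr \tmp1, \tmp2`, which left `\tmp2` unassigned), so a later backport that touches this macro does not reintroduce the same mismatch.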