Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[PATCH 6/6] arm64: trap userspace "dc cvau" cache operation on errata-affected core
87 views
Skip to first unread message
Andre Przywara
May 9, 2016, 12:50:06 PM5/9/16
to
The ARM errata 819472, 826319, 827319 and 824069 for affected
Cortex-A53 cores demand to promote "dc cvau" instructions to
"dc civac". Since we allow userspace to also emit those instructions,
we should make sure that "dc cvau" gets promoted there too.
So lets grasp the nettle here and actually trap every userland cache
maintenance instruction once we detect at least one affected core in
the system.
We then emulate the instruction by executing it on behalf of userland,
promoting "dc cvau" to "dc civac" on the way and injecting access
fault back into userspace.
Signed-off-by: Andre Przywara <andre.p...@arm.com>
---
arch/arm64/include/asm/processor.h | 1 +
arch/arm64/include/asm/sysreg.h | 2 +-
arch/arm64/kernel/cpu_errata.c | 2 ++
arch/arm64/kernel/entry.S | 12 ++++++-
arch/arm64/kernel/traps.c | 71 ++++++++++++++++++++++++++++++++++++++
5 files changed, 86 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
index cef1cf3..ace0a96 100644
--- a/arch/arm64/include/asm/processor.h
+++ b/arch/arm64/include/asm/processor.h
@@ -192,5 +192,6 @@ static inline void spin_lock_prefetch(const void *ptr)
void cpu_enable_pan(void *__unused);
void cpu_enable_uao(void *__unused);
+void cpu_enable_cache_maint_trap(void *__unused);
#endif /* __ASM_PROCESSOR_H */
diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
index 1287416..7e0b097 100644
--- a/arch/arm64/include/asm/sysreg.h
+++ b/arch/arm64/include/asm/sysreg.h
@@ -90,7 +90,7 @@
#define SCTLR_EL1_CP15BEN (0x1 << 5)
#define SCTLR_EL1_SED (0x1 << 8)
#define SCTLR_EL1_SPAN (0x1 << 23)
-
+#define SCTLR_EL1_UCI (0x1 << 26)
/* id_aa64isar0 */
#define ID_AA64ISAR0_RDM_SHIFT 28
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index 64cb71d..3f54d23 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -44,6 +44,7 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
.desc = "ARM errata 826319, 827319, 824069",
.capability = ARM64_WORKAROUND_CLEAN_CACHE,
MIDR_RANGE(MIDR_CORTEX_A53, 0x00, 0x02),
+ .enable = cpu_enable_cache_maint_trap,
},
#endif
#ifdef CONFIG_ARM64_ERRATUM_819472
@@ -52,6 +53,7 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
.desc = "ARM errata 819472",
.capability = ARM64_WORKAROUND_CLEAN_CACHE,
MIDR_RANGE(MIDR_CORTEX_A53, 0x00, 0x01),
+ .enable = cpu_enable_cache_maint_trap,
},
#endif
#ifdef CONFIG_ARM64_ERRATUM_832075
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 12e8d2b..86480b4 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -451,7 +451,7 @@ el0_sync:
cmp x24, #ESR_ELx_EC_FP_EXC64 // FP/ASIMD exception
b.eq el0_fpsimd_exc
cmp x24, #ESR_ELx_EC_SYS64 // configurable trap
- b.eq el0_undef
+ b.eq el0_sys
cmp x24, #ESR_ELx_EC_SP_ALIGN // stack alignment exception
b.eq el0_sp_pc
cmp x24, #ESR_ELx_EC_PC_ALIGN // pc alignment exception
@@ -579,6 +579,16 @@ el0_undef:
mov x0, sp
bl do_undefinstr
b ret_to_user
+el0_sys:
+ /*
+ * System instructions, for trapped cache maintenance instructions
+ */
+ enable_dbg_and_irq
+ ct_user_exit
+ mov x0, x25
+ mov x1, sp
+ bl do_sysinstr
+ b ret_to_user
el0_dbg:
/*
* Debug exception handling
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index 03755a4..c2a158e 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -41,6 +41,7 @@
#include <asm/stacktrace.h>
#include <asm/exception.h>
#include <asm/system_misc.h>
+#include <asm/sysreg.h>
static const char *handler[]= {
"Synchronous Abort",
@@ -419,6 +420,76 @@ asmlinkage void __exception do_undefinstr(struct pt_regs *regs)
force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
}
+void cpu_enable_cache_maint_trap(void *__unused)
+{
+ config_sctlr_el1(SCTLR_EL1_UCI, 0);
+}
+
+#define __user_cache_maint(insn, address, res) \
+ asm volatile ( \
+ "1: " insn ", %1\n" \
+ " mov %w0, #0\n" \
+ "2:\n" \
+ " .pushsection .fixup,\"ax\"\n" \
+ " .align 2\n" \
+ "3: mov %w0, %w2\n" \
+ " b 2b\n" \
+ " .popsection\n" \
+ _ASM_EXTABLE(1b, 3b) \
+ : "=r" (res) \
+ : "r" (address), "i" (-EFAULT) \
+ : "memory")
+
+asmlinkage void __exception do_sysinstr(unsigned int esr, struct pt_regs *regs)
+{
+ unsigned long address;
+ int ret;
+
+ /* if this is a write with: Op0=1, Op2=1, Op1=3, CRn=7 */
+ if ((esr & 0x01fffc01) == 0x0012dc00) {
+ int rt = (esr >> 5) & 0x1f;
+ int crm = (esr >> 1) & 0x0f;
+
+ address = regs->regs[rt];
+
+ switch (crm) {
+ case 11: /* DC CVAU, gets promoted */
+ __user_cache_maint("dc civac", address, ret);
+ break;
+ case 10: /* DC CVAC, gets promoted */
+ __user_cache_maint("dc civac", address, ret);
+ break;
+ case 14: /* DC CIVAC */
+ __user_cache_maint("dc civac", address, ret);
+ break;
+ case 5: /* IC IVAU */
+ __user_cache_maint("ic ivau", address, ret);
+ break;
+ default:
+ force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
+ return;
+ }
+ } else {
+ force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
+ return;
+ }
+
+ if (ret) {
+ int sig_code;
+
+ down_read(¤t->mm->mmap_sem);
+ if (find_vma(current->mm, address) == NULL)
+ sig_code = SEGV_MAPERR;
+ else
+ sig_code = SEGV_ACCERR;
+ up_read(¤t->mm->mmap_sem);
+
+ force_signal_inject(SIGSEGV, sig_code, regs, address);
+ } else {
+ regs->pc += 4;
+ }
+}
+
long compat_arm_syscall(struct pt_regs *regs);
asmlinkage long do_ni_syscall(struct pt_regs *regs)
--
2.7.3
Cortex-A53 cores demand to promote "dc cvau" instructions to
"dc civac". Since we allow userspace to also emit those instructions,
we should make sure that "dc cvau" gets promoted there too.
So lets grasp the nettle here and actually trap every userland cache
maintenance instruction once we detect at least one affected core in
the system.
We then emulate the instruction by executing it on behalf of userland,
promoting "dc cvau" to "dc civac" on the way and injecting access
fault back into userspace.
Signed-off-by: Andre Przywara <andre.p...@arm.com>
---
arch/arm64/include/asm/processor.h | 1 +
arch/arm64/include/asm/sysreg.h | 2 +-
arch/arm64/kernel/cpu_errata.c | 2 ++
arch/arm64/kernel/entry.S | 12 ++++++-
arch/arm64/kernel/traps.c | 71 ++++++++++++++++++++++++++++++++++++++
5 files changed, 86 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
index cef1cf3..ace0a96 100644
--- a/arch/arm64/include/asm/processor.h
+++ b/arch/arm64/include/asm/processor.h
@@ -192,5 +192,6 @@ static inline void spin_lock_prefetch(const void *ptr)
void cpu_enable_pan(void *__unused);
void cpu_enable_uao(void *__unused);
+void cpu_enable_cache_maint_trap(void *__unused);
#endif /* __ASM_PROCESSOR_H */
diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
index 1287416..7e0b097 100644
--- a/arch/arm64/include/asm/sysreg.h
+++ b/arch/arm64/include/asm/sysreg.h
@@ -90,7 +90,7 @@
#define SCTLR_EL1_CP15BEN (0x1 << 5)
#define SCTLR_EL1_SED (0x1 << 8)
#define SCTLR_EL1_SPAN (0x1 << 23)
-
+#define SCTLR_EL1_UCI (0x1 << 26)
/* id_aa64isar0 */
#define ID_AA64ISAR0_RDM_SHIFT 28
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index 64cb71d..3f54d23 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -44,6 +44,7 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
.desc = "ARM errata 826319, 827319, 824069",
.capability = ARM64_WORKAROUND_CLEAN_CACHE,
MIDR_RANGE(MIDR_CORTEX_A53, 0x00, 0x02),
+ .enable = cpu_enable_cache_maint_trap,
},
#endif
#ifdef CONFIG_ARM64_ERRATUM_819472
@@ -52,6 +53,7 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
.desc = "ARM errata 819472",
.capability = ARM64_WORKAROUND_CLEAN_CACHE,
MIDR_RANGE(MIDR_CORTEX_A53, 0x00, 0x01),
+ .enable = cpu_enable_cache_maint_trap,
},
#endif
#ifdef CONFIG_ARM64_ERRATUM_832075
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 12e8d2b..86480b4 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -451,7 +451,7 @@ el0_sync:
cmp x24, #ESR_ELx_EC_FP_EXC64 // FP/ASIMD exception
b.eq el0_fpsimd_exc
cmp x24, #ESR_ELx_EC_SYS64 // configurable trap
- b.eq el0_undef
+ b.eq el0_sys
cmp x24, #ESR_ELx_EC_SP_ALIGN // stack alignment exception
b.eq el0_sp_pc
cmp x24, #ESR_ELx_EC_PC_ALIGN // pc alignment exception
@@ -579,6 +579,16 @@ el0_undef:
mov x0, sp
bl do_undefinstr
b ret_to_user
+el0_sys:
+ /*
+ * System instructions, for trapped cache maintenance instructions
+ */
+ enable_dbg_and_irq
+ ct_user_exit
+ mov x0, x25
+ mov x1, sp
+ bl do_sysinstr
+ b ret_to_user
el0_dbg:
/*
* Debug exception handling
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index 03755a4..c2a158e 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -41,6 +41,7 @@
#include <asm/stacktrace.h>
#include <asm/exception.h>
#include <asm/system_misc.h>
+#include <asm/sysreg.h>
static const char *handler[]= {
"Synchronous Abort",
@@ -419,6 +420,76 @@ asmlinkage void __exception do_undefinstr(struct pt_regs *regs)
force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
}
+void cpu_enable_cache_maint_trap(void *__unused)
+{
+ config_sctlr_el1(SCTLR_EL1_UCI, 0);
+}
+
+#define __user_cache_maint(insn, address, res) \
+ asm volatile ( \
+ "1: " insn ", %1\n" \
+ " mov %w0, #0\n" \
+ "2:\n" \
+ " .pushsection .fixup,\"ax\"\n" \
+ " .align 2\n" \
+ "3: mov %w0, %w2\n" \
+ " b 2b\n" \
+ " .popsection\n" \
+ _ASM_EXTABLE(1b, 3b) \
+ : "=r" (res) \
+ : "r" (address), "i" (-EFAULT) \
+ : "memory")
+
+asmlinkage void __exception do_sysinstr(unsigned int esr, struct pt_regs *regs)
+{
+ unsigned long address;
+ int ret;
+
+ /* if this is a write with: Op0=1, Op2=1, Op1=3, CRn=7 */
+ if ((esr & 0x01fffc01) == 0x0012dc00) {
+ int rt = (esr >> 5) & 0x1f;
+ int crm = (esr >> 1) & 0x0f;
+
+ address = regs->regs[rt];
+
+ switch (crm) {
+ case 11: /* DC CVAU, gets promoted */
+ __user_cache_maint("dc civac", address, ret);
+ break;
+ case 10: /* DC CVAC, gets promoted */
+ __user_cache_maint("dc civac", address, ret);
+ break;
+ case 14: /* DC CIVAC */
+ __user_cache_maint("dc civac", address, ret);
+ break;
+ case 5: /* IC IVAU */
+ __user_cache_maint("ic ivau", address, ret);
+ break;
+ default:
+ force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
+ return;
+ }
+ } else {
+ force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
+ return;
+ }
+
+ if (ret) {
+ int sig_code;
+
+ down_read(¤t->mm->mmap_sem);
+ if (find_vma(current->mm, address) == NULL)
+ sig_code = SEGV_MAPERR;
+ else
+ sig_code = SEGV_ACCERR;
+ up_read(¤t->mm->mmap_sem);
+
+ force_signal_inject(SIGSEGV, sig_code, regs, address);
+ } else {
+ regs->pc += 4;
+ }
+}
+
long compat_arm_syscall(struct pt_regs *regs);
asmlinkage long do_ni_syscall(struct pt_regs *regs)
--
2.7.3
Suzuki K Poulose
Jun 14, 2016, 12:20:06 PM6/14/16
to
On 09/05/16 17:49, Andre Przywara wrote:
> The ARM errata 819472, 826319, 827319 and 824069 for affected
> Cortex-A53 cores demand to promote "dc cvau" instructions to
> "dc civac". Since we allow userspace to also emit those instructions,
> we should make sure that "dc cvau" gets promoted there too.
> So lets grasp the nettle here and actually trap every userland cache
> maintenance instruction once we detect at least one affected core in
> the system.
> We then emulate the instruction by executing it on behalf of userland,
> promoting "dc cvau" to "dc civac" on the way and injecting access
> fault back into userspace.
>
> Signed-off-by: Andre Przywara <andre.p...@arm.com>
> The ARM errata 819472, 826319, 827319 and 824069 for affected
> Cortex-A53 cores demand to promote "dc cvau" instructions to
> "dc civac". Since we allow userspace to also emit those instructions,
> we should make sure that "dc cvau" gets promoted there too.
> So lets grasp the nettle here and actually trap every userland cache
> maintenance instruction once we detect at least one affected core in
> the system.
> We then emulate the instruction by executing it on behalf of userland,
> promoting "dc cvau" to "dc civac" on the way and injecting access
> fault back into userspace.
>
> Signed-off-by: Andre Przywara <andre.p...@arm.com>
Thats the only EL0 accessible instruction we don't handle above.
Suzuki
Suzuki K Poulose
Jun 17, 2016, 1:30:04 PM6/17/16
to
On 17/06/16 18:20, Andre Przywara wrote:
> Hi Suzuki,
>
> thanks for having a look!
> 1) DC ZVA is not trapped by setting SCTLR.UCI - instead it has its own
> bit (SCTLR.DZE).
You are right. I was thinking that UCI traps all DC operations. It only
traps DC CVAU, DC CIVAC, DC CVAC, and IC IVAU.
Cheers
Suzuki
> Hi Suzuki,
>
> thanks for having a look!
>
> On 14/06/16 17:16, Suzuki K Poulose wrote:
>> On 09/05/16 17:49, Andre Przywara wrote:
>>> The ARM errata 819472, 826319, 827319 and 824069 for affected
>>> Cortex-A53 cores demand to promote "dc cvau" instructions to
>>> "dc civac". Since we allow userspace to also emit those instructions,
>>> we should make sure that "dc cvau" gets promoted there too.
>>> So lets grasp the nettle here and actually trap every userland cache
>>> maintenance instruction once we detect at least one affected core in
>>> the system.
> On 14/06/16 17:16, Suzuki K Poulose wrote:
>> On 09/05/16 17:49, Andre Przywara wrote:
>>> The ARM errata 819472, 826319, 827319 and 824069 for affected
>>> Cortex-A53 cores demand to promote "dc cvau" instructions to
>>> "dc civac". Since we allow userspace to also emit those instructions,
>>> we should make sure that "dc cvau" gets promoted there too.
>>> So lets grasp the nettle here and actually trap every userland cache
>>> maintenance instruction once we detect at least one affected core in
>>> the system.
__user_cache_maint("dc civac", address, ret);
>>> + break;
>>> + case 10: /* DC CVAC, gets promoted */
>>> + __user_cache_maint("dc civac", address, ret);
>>> + break;
>>> + case 14: /* DC CIVAC */
>>> + __user_cache_maint("dc civac", address, ret);
>>> + break;
>>> + case 5: /* IC IVAU */
>>> + __user_cache_maint("ic ivau", address, ret);
>>> + break;
>>> + default:
>>> + force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
>>> + return;
>>> + }
>>> + } else {
>>> + force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
>>> + return;
>>
>> Correct me if I am wrong, I think we should handle DC ZVA and emulate
>> the same ?
>> Thats the only EL0 accessible instruction we don't handle above.
>
> Mmmh, but why should we care?
>>> + break;
>>> + case 10: /* DC CVAC, gets promoted */
>>> + __user_cache_maint("dc civac", address, ret);
>>> + break;
>>> + case 14: /* DC CIVAC */
>>> + __user_cache_maint("dc civac", address, ret);
>>> + break;
>>> + case 5: /* IC IVAU */
>>> + __user_cache_maint("ic ivau", address, ret);
>>> + break;
>>> + default:
>>> + force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
>>> + return;
>>> + }
>>> + } else {
>>> + force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
>>> + return;
>>
>> Correct me if I am wrong, I think we should handle DC ZVA and emulate
>> the same ?
>> Thats the only EL0 accessible instruction we don't handle above.
>
> 1) DC ZVA is not trapped by setting SCTLR.UCI - instead it has its own
> bit (SCTLR.DZE).
You are right. I was thinking that UCI traps all DC operations. It only
traps DC CVAU, DC CIVAC, DC CVAC, and IC IVAU.
Cheers
Suzuki
Andre Przywara
Jun 17, 2016, 1:30:05 PM6/17/16
to
Hi Suzuki,
thanks for having a look!
On 14/06/16 17:16, Suzuki K Poulose wrote:
thanks for having a look!
On 14/06/16 17:16, Suzuki K Poulose wrote:
Mmmh, but why should we care?
1) DC ZVA is not trapped by setting SCTLR.UCI - instead it has its own
bit (SCTLR.DZE).
2) The SDEN document does not speak about DC ZVA, so it's not affected
1) DC ZVA is not trapped by setting SCTLR.UCI - instead it has its own
bit (SCTLR.DZE).
by that mentioned errata.
3) A fault caused by this instruction will not trigger this SIGILL fault
path, AFAICT. We get a synchronous data abort on a NULL pointer
dereference, for instance, so it's a SIGSEGV.
I tested it with issuing valid and invalid DC ZVA instructions and it
worked fine on both an affected and unaffected system.
I saw SIGSEGVs due to PC=0 with *some* unaligned addresses, though, but
that behaviour was reproducible on a non-affected core without the
patches as well, so I don't think it's related (need to investigate).
Yes, a DC ZVA shares the encoding masking above (Op0=1, Op2=1, Op1=3,
CRn=7), but unless the kernel actually sets SCTLR.DZE, we should be
safe. So is it that potential case that you are after or do I miss
something else here?
Cheers,
Andre.
Catalin Marinas
Jun 24, 2016, 12:30:07 PM6/24/16
to
On Mon, May 09, 2016 at 05:49:50PM +0100, Andre Przywara wrote:
> +#define __user_cache_maint(insn, address, res) \
> + asm volatile ( \
> + "1: " insn ", %1\n" \
> + " mov %w0, #0\n" \
> + "2:\n" \
> + " .pushsection .fixup,\"ax\"\n" \
> + " .align 2\n" \
> + "3: mov %w0, %w2\n" \
> + " b 2b\n" \
> + " .popsection\n" \
> + _ASM_EXTABLE(1b, 3b) \
> + : "=r" (res) \
> + : "r" (address), "i" (-EFAULT) \
> + : "memory")
I don't think we need the "memory" clobber here. It's not really
> +#define __user_cache_maint(insn, address, res) \
> + asm volatile ( \
> + "1: " insn ", %1\n" \
> + " mov %w0, #0\n" \
> + "2:\n" \
> + " .pushsection .fixup,\"ax\"\n" \
> + " .align 2\n" \
> + "3: mov %w0, %w2\n" \
> + " b 2b\n" \
> + " .popsection\n" \
> + _ASM_EXTABLE(1b, 3b) \
> + : "=r" (res) \
> + : "r" (address), "i" (-EFAULT) \
> + : "memory")
accessing memory that the compiler controls.
armv8_deprecated.c, could you make this a common function in trap.c?
--
Catalin
0 new messages