Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:
 "Here are some more arm64 fixes for 4.13. The main one is the PTE race
  with the hardware walker, but there are a couple of other things too.

   - Report correct timer frequency to userspace when trapping
     CNTFRQ_EL0

   - Fix race with hardware page table updates when updating access
     flags

   - Silence clang overflow warning in VA_START and PAGE_OFFSET
     calculations"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: avoid overflow in VA_START and PAGE_OFFSET
  arm64: Fix potential race with hardware DBM in ptep_set_access_flags()
  arm64: Use arch_timer_get_rate when trapping CNTFRQ_EL0

3 files changed, 13 insertions, 10 deletions

diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h
index 32f82723338a..ef39dcb9ca6a 100644
--- a/arch/arm64/include/asm/memory.h
+++ b/arch/arm64/include/asm/memory.h
@@ -64,8 +64,10 @@
  * TASK_UNMAPPED_BASE - the lower boundary of the mmap VM area.
  */
 #define VA_BITS                 (CONFIG_ARM64_VA_BITS)
-#define VA_START                (UL(0xffffffffffffffff) << VA_BITS)
-#define PAGE_OFFSET             (UL(0xffffffffffffffff) << (VA_BITS - 1))
+#define VA_START                (UL(0xffffffffffffffff) - \
+        (UL(1) << VA_BITS) + 1)
+#define PAGE_OFFSET             (UL(0xffffffffffffffff) - \
+        (UL(1) << (VA_BITS - 1)) + 1)
 #define KIMAGE_VADDR            (MODULES_END)
 #define MODULES_END             (MODULES_VADDR + MODULES_VSIZE)
 #define MODULES_VADDR           (VA_START + KASAN_SHADOW_SIZE)
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index d48f47080213..8a62648848e5 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -523,7 +523,7 @@ static void cntfrq_read_handler(unsigned int esr, struct pt_regs *regs)
 {
         int rt = (esr & ESR_ELx_SYS64_ISS_RT_MASK) >> ESR_ELx_SYS64_ISS_RT_SHIFT;
 
-        pt_regs_write_reg(regs, rt, read_sysreg(cntfrq_el0));
+        pt_regs_write_reg(regs, rt, arch_timer_get_rate());
         regs->pc += 4;
 }
 
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index c7861c9864e6..2509e4fe6992 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -163,26 +163,27 @@ int ptep_set_access_flags(struct vm_area_struct *vma,
         /* only preserve the access flags and write permission */
         pte_val(entry) &= PTE_AF | PTE_WRITE | PTE_DIRTY;
 
-        /*
-         * PTE_RDONLY is cleared by default in the asm below, so set it in
-         * back if necessary (read-only or clean PTE).
-         */
+        /* set PTE_RDONLY if actual read-only or clean PTE */
         if (!pte_write(entry) || !pte_sw_dirty(entry))
                 pte_val(entry) |= PTE_RDONLY;
 
         /*
          * Setting the flags must be done atomically to avoid racing with the
-         * hardware update of the access/dirty state.
+         * hardware update of the access/dirty state. The PTE_RDONLY bit must
+         * be set to the most permissive (lowest value) of *ptep and entry
+         * (calculated as: a & b == ~(~a | ~b)).
          */
+        pte_val(entry) ^= PTE_RDONLY;
         asm volatile("//        ptep_set_access_flags\n"
         "       prfm    pstl1strm, %2\n"
         "1:     ldxr    %0, %2\n"
-        "       and     %0, %0, %3              // clear PTE_RDONLY\n"
+        "       eor     %0, %0, %3              // negate PTE_RDONLY in *ptep\n"
         "       orr     %0, %0, %4              // set flags\n"
+        "       eor     %0, %0, %3              // negate final PTE_RDONLY\n"
         "       stxr    %w1, %0, %2\n"
         "       cbnz    %w1, 1b\n"
         : "=&r" (old_pteval), "=&r" (tmp), "+Q" (pte_val(*ptep))
-        : "L" (~PTE_RDONLY), "r" (pte_val(entry)));
+        : "L" (PTE_RDONLY), "r" (pte_val(entry)));
 
         flush_tlb_fix_spurious_fault(vma, address);
         return 1;