authorWill Deacon <will.deacon@arm.com>2015-01-29 10:41:46 -0500
committerRussell King <rmk+kernel@arm.linux.org.uk>2015-02-03 07:57:33 -0500
commit8e64806672466392acf19e14427d1c29df3e58b9 (patch)
tree2c9f1b94c39aed431e310c8a5d188574a5d5653b /arch
parentfba289054f24d2550f47a1413e1ccc24f4165560 (diff)
ARM: 8299/1: mm: ensure local active ASID is marked as allocated on rollover
Commit e1a5848e3398 ("ARM: 7924/1: mm: don't bother with reserved ttbr0 when running with LPAE") removed the use of the reserved TTBR0 value for LPAE systems, since the ASID is held in the TTBR and can be updated atomically with the pgd of the next mm. Unfortunately, this patch forgot to update flush_context, which deliberately avoids marking the local active ASID as allocated, since we used to switch via ASID zero and didn't need to allocate the ASID of the previous mm. The side-effect of this is that we can allocate the same ASID to the next mm and, between flushing the local TLB and updating TTBR0, we can perform speculative TLB fills for userspace nG mappings using the page table of the previous mm. The consequence of this is that the next mm can erroneously hit some mappings of the previous mm. Note that this was made significantly harder to hit by a391263cd84e ("ARM: 8203/1: mm: try to re-use old ASID assignments following a rollover") but is still theoretically possible. This patch fixes the problem by removing the code from flush_context that forces the allocated ASID to zero for the local CPU. Many thanks to the Broadcom guys for tracking this one down. Fixes: e1a5848e3398 ("ARM: 7924/1: mm: don't bother with reserved ttbr0 when running with LPAE") Cc: <stable@vger.kernel.org> # v3.14+ Reported-by: Raymond Ngun <rngun@broadcom.com> Tested-by: Raymond Ngun <rngun@broadcom.com> Reviewed-by: Gregory Fong <gregory.0xf0@gmail.com> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Diffstat (limited to 'arch')
-rw-r--r--arch/arm/mm/context.c26
1 files changed, 11 insertions, 15 deletions
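diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
index 91892569710f..845769e41332 100644
--- a/arch/arm/mm/context.c
+++ b/arch/arm/mm/context.c
@@ -144,21 +144,17 @@ static void flush_context(unsigned int cpu)
 	/* Update the list of reserved ASIDs and the ASID bitmap. */
 	bitmap_clear(asid_map, 0, NUM_USER_ASIDS);
 	for_each_possible_cpu(i) {
-		if (i == cpu) {
-			asid = 0;
-		} else {
-			asid = atomic64_xchg(&per_cpu(active_asids, i), 0);
-			/*
-			 * If this CPU has already been through a
-			 * rollover, but hasn't run another task in
-			 * the meantime, we must preserve its reserved
-			 * ASID, as this is the only trace we have of
-			 * the process it is still running.
-			 */
-			if (asid == 0)
-				asid = per_cpu(reserved_asids, i);
-			__set_bit(asid & ~ASID_MASK, asid_map);
-		}
+		asid = atomic64_xchg(&per_cpu(active_asids, i), 0);
+		/*
+		 * If this CPU has already been through a
+		 * rollover, but hasn't run another task in
+		 * the meantime, we must preserve its reserved
+		 * ASID, as this is the only trace we have of
+		 * the process it is still running.
+		 */
+		if (asid == 0)
+			asid = per_cpu(reserved_asids, i);
+		__set_bit(asid & ~ASID_MASK, asid_map);
 		per_cpu(reserved_asids, i) = asid;
 	}
 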
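Review bot: The removed `i == cpu` special case is the entire fix, but nothing in the new loop body records why the local CPU must now be treated like every other CPU, so a later reader could see the xchg on the current CPU as a needless extra and reintroduce the ASID reuse described in the commit message. I would add a comment above the `asid = atomic64_xchg(...)` line: `/* The local CPU is no longer special-cased: without the reserved TTBR0, its active ASID must be marked allocated here, or the next mm may receive the same ASID while speculative TLB fills can still use the previous page tables. */`. It may also be worth noting that on the local CPU the `asid == 0` fallback to `reserved_asids` is now reachable in the same way as on remote CPUs, which is presumably intended but is not stated anywhere in the hunk. flush_context's body begins and ends outside this hunk, and the `cpu` parameter appears to become unused within the visible lines; whether it is still needed elsewhere in the function cannot be told from here.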