Google Git
Sign in
kernel / pub / scm / linux / kernel / git / ardb / linux / refs/heads/arm-fdt-mapping-mt
commitff2fe1cb852c4bed35737ace5f04d035e962b462[log] [tgz]
authorArd Biesheuvel <ardb@kernel.org>Mon Jun 06 17:27:44 2022 +0200
committerArd Biesheuvel <ardb@kernel.org>Mon Aug 01 16:50:46 2022 +0200
tree5b2dcdc1ee0a8663bff033c28bce5168e4cb82d0
parent3d7cb6b04c3f3115719235cc6866b10326de34cd [diff]
ARM: mm: shrink permanent FDT mapping to avoid mismatched attributes

Zhen Lei writes in commit 598f0a99fa8a ("ARM: 9210/1: Mark the FDT_FIXED
sections as shareable"):

  Commit 7a1be318f579 ("ARM: 9012/1: move device tree mapping out of
  linear region") uses FDT_FIXED_BASE to map the whole FDT_FIXED_SIZE
  memory area which contains fdt. But it only reserves the exact physical
  memory that fdt occupied. Unfortunately, this mapping is non-shareable.
  An illegal or speculative read access can bring the RAM content from
  non-fdt zone into cache, PIPT makes it to be hit by subsequently read
  access through shareable mapping (such as linear mapping), and the
  cache consistency between cores is lost due to non-shareable property.

  |<---------FDT_FIXED_SIZE------>|
  |                               |
   -------------------------------
  | <non-fdt> | <fdt> | <non-fdt> |
   -------------------------------

  1. CoreA read <non-fdt> through MT_ROM mapping, the old data is loaded
     into the cache.
  2. CoreB write <non-fdt> to update data through linear mapping. CoreA
     received the notification to invalid the corresponding cachelines,
     but the property non-shareable makes it to be ignored.
  3. CoreA read <non-fdt> through linear mapping, cache hit, the old data
     is read.

However, the resulting fix is incomplete, as mismatched shareability
attributes are not the only potential problem vector here: the non-fdt
regions might also be covered by a no-map memory reservation, or be
mapped with non-cacheable attributes for, e.g., firmware calls or
non-coherent DMA. This means, in order to eliminate any potential
mismatched attribute mappings, we must reduce the size of the FDT
mapping to match its memblock reservation, and eliminate the non-fdt
regions altogether.

The permanent FDT region will no longer cover the ATAGS when booting a
non-DT system, but this mapping was never used or exposed after boot
anyway. (The ATAGS are copied into a separate buffer by the early ATAGS
processing code)

Reported-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
3 files changed
tree: 5b2dcdc1ee0a8663bff033c28bce5168e4cb82d0
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. LICENSES/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .clang-format
  24. .cocciconfig
  25. .get_maintainer.ignore
  26. .gitattributes
  27. .gitignore
  28. .mailmap
  29. COPYING
  30. CREDITS
  31. Kbuild
  32. Kconfig
  33. MAINTAINERS
  34. Makefile
  35. README