With KUAP, the TLB miss handler bails out when an access to user memory is performed with a null TID.
But the normal TLB miss routine, which is only used early during boot, does the check regardless for all memory areas, not only user memory.
By chance there is no early IO or vmalloc access, but when KASAN comes we will start having early TLB misses.
Fix it by creating a special branch for user accesses similar to the one in the 'bolted' TLB miss handlers. Unfortunately SPRN_MAS1 is now read too early and there are no registers available to preserve it, so it will be read a second time.
Fixes: 57bc963837f5 ("powerpc/kuap: Wire-up KUAP on book3e/64")
Cc: stable@vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
 arch/powerpc/mm/nohash/tlb_low_64e.S | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/arch/powerpc/mm/nohash/tlb_low_64e.S b/arch/powerpc/mm/nohash/tlb_low_64e.S index 8b97c4acfebf..9e9ab3803fb2 100644 --- a/arch/powerpc/mm/nohash/tlb_low_64e.S +++ b/arch/powerpc/mm/nohash/tlb_low_64e.S @@ -583,7 +583,7 @@ itlb_miss_fault_e6500: */ rlwimi r11,r14,32-19,27,27 rlwimi r11,r14,32-16,19,19 - beq normal_tlb_miss + beq normal_tlb_miss_user /* XXX replace the RMW cycles with immediate loads + writes */ 1: mfspr r10,SPRN_MAS1 cmpldi cr0,r15,8 /* Check for vmalloc region */ @@ -626,7 +626,7 @@ itlb_miss_fault_e6500:
cmpldi cr0,r15,0 /* Check for user region */ std r14,EX_TLB_ESR(r12) /* write crazy -1 to frame */ - beq normal_tlb_miss + beq normal_tlb_miss_user
li r11,_PAGE_PRESENT|_PAGE_BAP_SX /* Base perm */ oris r11,r11,_PAGE_ACCESSED@h @@ -653,6 +653,12 @@ itlb_miss_fault_e6500: * r11 = PTE permission mask * r10 = crap (free to use) */ +normal_tlb_miss_user: +#ifdef CONFIG_PPC_KUAP + mfspr r14,SPRN_MAS1 + rlwinm. r14,r14,0,0x3fff0000 + beq- normal_tlb_miss_access_fault /* KUAP fault */ +#endif normal_tlb_miss: /* So we first construct the page table address. We do that by * shifting the bottom of the address (not the region ID) by @@ -683,11 +689,6 @@ finish_normal_tlb_miss: /* Check if required permissions are met */ andc. r15,r11,r14 bne- normal_tlb_miss_access_fault -#ifdef CONFIG_PPC_KUAP - mfspr r11,SPRN_MAS1 - rlwinm. r10,r11,0,0x3fff0000 - beq- normal_tlb_miss_access_fault /* KUAP fault */ -#endif
/* Now we build the MAS: * @@ -709,9 +710,7 @@ finish_normal_tlb_miss: rldicl r10,r14,64-8,64-8 cmpldi cr0,r10,BOOK3E_PAGESZ_4K beq- 1f -#ifndef CONFIG_PPC_KUAP mfspr r11,SPRN_MAS1 -#endif rlwimi r11,r14,31,21,24 rlwinm r11,r11,0,21,19 mtspr SPRN_MAS1,r11
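Review bot: in the second hunk (the DTLB user-region check), the rerouted branch is guarded by cmpldi cr0,r15,0 /* Check for user region */, so only region 0 reaches normal_tlb_miss_user while the vmalloc compare in the first hunk's context (cmpldi cr0,r15,8) still falls through to normal_tlb_miss with no TID check, which is exactly the behaviour the commit message wants. Because normal_tlb_miss_user is a new entry point with that implicit precondition, please add a one-line comment above the label stating that it must only be entered for user-region (r15 == 0) misses, so a future caller does not reuse it for kernel regions and reintroduce the early-boot fault.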
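Review bot: the new normal_tlb_miss_user prologue in the third hunk clobbers r14 (mfspr r14,SPRN_MAS1 followed by rlwinm. r14,r14,0,0x3fff0000), but the register map comment immediately above it only lists r11 = PTE permission mask and r10 = crap (free to use); r14 should be added to that comment as free on entry. Both visible callers have finished with r14 before they branch (the ITLB path has folded it into r11 via the rlwimi r11,r14,... pair, and the DTLB path has just done std r14,EX_TLB_ESR(r12)), so the clobber looks safe, but the comment is the only contract callers of this label see. The check itself is fine: the record form of rlwinm. sets cr0 from the masked TID field and beq- sends a zero TID to normal_tlb_miss_access_fault before any page table walk, matching the "bails out with a null TID" description.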
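Review bot: the mfspr r11,SPRN_MAS1 that the last hunk makes unconditional sits after beq- 1f on the cmpldi cr0,r10,BOOK3E_PAGESZ_4K compare, so the second MAS1 read the commit message apologises for is only paid on the non-4K path; the 4K case branches around it. Worth stating that in the commit message so the "read a second time" cost is not read as applying to every miss, and consider dropping "unfortunately" since the extra read is confined to the page-size fixup.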
On Tue, 28 Jun 2022 16:48:54 +0200, Christophe Leroy wrote:
> With KUAP, the TLB miss handler bails out when an access to user memory is performed with a null TID.
> But the normal TLB miss routine, which is only used early during boot, does the check regardless for all memory areas, not only user memory.
> By chance there is no early IO or vmalloc access, but when KASAN comes we will start having early TLB misses.
> [...]
Applied to powerpc/next.
[1/6] powerpc/64e: Fix early TLB miss with KUAP
      https://git.kernel.org/powerpc/c/09317643117ade87c03158341e87466413fa8f1a
[2/6] powerpc/64e: Remove MMU_FTR_USE_TLBRSRV and MMU_FTR_USE_PAIRED_MAS
      https://git.kernel.org/powerpc/c/3adfb457b84bd6de4e78a99814038fbd7205f253
[3/6] powerpc/64e: Remove unused REGION related macros
      https://git.kernel.org/powerpc/c/b646c1f7f43c13510d519e3044c87aa32352fc1f
[4/6] powerpc/64e: Move virtual memory closer to linear memory
      https://git.kernel.org/powerpc/c/128c1ea2f838d3031a1c475607860e4271a8e9dc
[5/6] powerpc/64e: Reorganise virtual memory
      https://git.kernel.org/powerpc/c/059c189389ebe9c4909d849d1a5f65c53115ca19
[6/6] powerpc/64e: KASAN Full support for BOOK3E/64
      https://git.kernel.org/powerpc/c/c7b9ed7c34a9f5dbf8222d63e3e313cef9f3150b
cheers
linux-stable-mirror@lists.linaro.org