arm64: mm: Move ASID from TTBR0 to TTBR1

Commit 7655abb95386 upstream.

In preparation for mapping kernelspace and userspace with different
ASIDs, move the ASID to TTBR1 and update switch_mm to context-switch
TTBR0 via an invalid mapping (the zero page).

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d26f0a5dc6a6d8237b024a150de6be30fce7b467)

CVE-2017-5753
CVE-2017-5715
CVE-2017-5754

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/arch/arm64/include/asm/mmu_context.h b/arch/arm64/include/asm/mmu_context.h
index 9d155fa9a50791af293916cfdc1ede087f850c6d..aa39c126c0d08a312e8233013177399e29d958a8 100644 (file)
--- a/arch/arm64/include/asm/mmu_context.h
+++ b/arch/arm64/include/asm/mmu_context.h
@@ -57,6 +57,13 @@ static inline void cpu_set_reserved_ttbr0(void)
        isb();
 }
 
+static inline void cpu_switch_mm(pgd_t *pgd, struct mm_struct *mm)
+{
+       BUG_ON(pgd == swapper_pg_dir);
+       cpu_set_reserved_ttbr0();
+       cpu_do_switch_mm(virt_to_phys(pgd),mm);
+}
+
 /*
  * TCR.T0SZ value to use when the ID map is active. Usually equals
  * TCR_T0SZ(VA_BITS), unless system RAM is positioned very high in

diff --git a/arch/arm64/include/asm/pgtable-hwdef.h b/arch/arm64/include/asm/pgtable-hwdef.h
index eb0c2bd90de903469790a66c6d7f528af64c9d76..8df4cb6ac6f71e963031268e3c30246f04bf0914 100644 (file)
--- a/arch/arm64/include/asm/pgtable-hwdef.h
+++ b/arch/arm64/include/asm/pgtable-hwdef.h
@@ -272,6 +272,7 @@
 #define TCR_TG1_4K             (UL(2) << TCR_TG1_SHIFT)
 #define TCR_TG1_64K            (UL(3) << TCR_TG1_SHIFT)
 
+#define TCR_A1                 (UL(1) << 22)
 #define TCR_ASID16             (UL(1) << 36)
 #define TCR_TBI0               (UL(1) << 37)
 #define TCR_HA                 (UL(1) << 39)

diff --git a/arch/arm64/include/asm/proc-fns.h b/arch/arm64/include/asm/proc-fns.h
index 14ad6e4e87d11477ca350b7dbf6ff7e6017a7cc4..16cef2e8449ec1c178bcf863d32168680122e779 100644 (file)
--- a/arch/arm64/include/asm/proc-fns.h
+++ b/arch/arm64/include/asm/proc-fns.h
@@ -35,12 +35,6 @@ extern u64 cpu_do_resume(phys_addr_t ptr, u64 idmap_ttbr);
 
 #include <asm/memory.h>
 
-#define cpu_switch_mm(pgd,mm)                          \
-do {                                                   \
-       BUG_ON(pgd == swapper_pg_dir);                  \
-       cpu_do_switch_mm(virt_to_phys(pgd),mm);         \
-} while (0)
-
 #endif /* __ASSEMBLY__ */
 #endif /* __KERNEL__ */
 #endif /* __ASM_PROCFNS_H */

diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S
index 877d42fb0df655c77a8fe3f0f7f517d9aa7c9247..0bd7550b72301d4bb6d4ba071bd5ab899c0f7baa 100644 (file)
--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
@@ -139,9 +139,12 @@ ENDPROC(cpu_do_resume)
  */
 ENTRY(cpu_do_switch_mm)
        pre_ttbr0_update_workaround x0, x2, x3
+       mrs     x2, ttbr1_el1
        mmid    x1, x1                          // get mm->context.id
-       bfi     x0, x1, #48, #16                // set the ASID
-       msr     ttbr0_el1, x0                   // set TTBR0
+       bfi     x2, x1, #48, #16                // set the ASID
+       msr     ttbr1_el1, x2                   // in TTBR1 (since TCR.A1 is set)
+       isb
+       msr     ttbr0_el1, x0                   // now update TTBR0
        isb
        post_ttbr0_update_workaround
        ret
@@ -225,7 +228,7 @@ ENTRY(__cpu_setup)
         * both user and kernel.
         */
        ldr     x10, =TCR_TxSZ(VA_BITS) | TCR_CACHE_FLAGS | TCR_SMP_FLAGS | \
-                       TCR_TG_FLAGS | TCR_ASID16 | TCR_TBI0
+                       TCR_TG_FLAGS | TCR_ASID16 | TCR_TBI0 | TCR_A1
        tcr_set_idmap_t0sz      x10, x9
 
        /*