    ARM: 8299/1: mm: ensure local active ASID is marked as allocated on rollover · 8e648066
    Will Deacon authored
    Commit e1a5848e ("ARM: 7924/1: mm: don't bother with reserved ttbr0
    when running with LPAE") removed the use of the reserved TTBR0 value
    for LPAE systems, since the ASID is held in the TTBR and can be updated
    atomically with the pgd of the next mm.
    
    Unfortunately, this patch forgot to update flush_context, which
    deliberately avoids marking the local active ASID as allocated, since we
    used to switch via ASID zero and didn't need to allocate the ASID of
    the previous mm. The side-effect of this is that we can allocate the
    same ASID to the next mm and, between flushing the local TLB and updating
    TTBR0, we can perform speculative TLB fills for userspace nG mappings
    using the page table of the previous mm.
    
    The consequence of this is that the next mm can erroneously hit some
    mappings of the previous mm. Note that this was made significantly
    harder to hit by a391263c ("ARM: 8203/1: mm: try to re-use old ASID
    assignments following a rollover") but is still theoretically possible.
    
    This patch fixes the problem by removing the code from flush_context
    that forces the allocated ASID to zero for the local CPU. Many thanks
    to the Broadcom guys for tracking this one down.
    
    Fixes: e1a5848e ("ARM: 7924/1: mm: don't bother with reserved ttbr0 when running with LPAE")
    
    Cc: <stable@vger.kernel.org> # v3.14+
    Reported-by: Raymond Ngun <rngun@broadcom.com>
    Tested-by: Raymond Ngun <rngun@broadcom.com>
    Reviewed-by: Gregory Fong <gregory.0xf0@gmail.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
context.c 7.13 KB
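The bookkeeping error the commit message describes, modelled as an added illustration (this is not the kernel's arch/arm/mm/context.c, and the tiny 8-ASID space, two CPUs and first-fit search are assumptions made so the rollover is easy to trigger): `flush_context` resets the allocation map on rollover and re-marks the ASIDs that other CPUs are still running with, but the old variant forces the local CPU's own active ASID to zero and leaves it unmarked. With a reserved TTBR0 that was harmless; once the ASID is written into TTBR0 together with the pgd, the incoming mm can be handed the very ASID the outgoing mm still occupies, which is the precondition for the speculative-fill hazard described above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of ASID rollover bookkeeping (added illustration, not the
 * kernel's allocator). Sizes are deliberately tiny. */
#define NR_CPUS  2
#define NR_ASIDS 8                    /* ASID 0 is reserved, never handed out */

static uint8_t  asid_map;             /* bit n set => ASID n is allocated */
static unsigned active_asid[NR_CPUS]; /* ASID currently live in TTBR0 per CPU */

/* Rollover: start a fresh allocation map, then re-mark every ASID that a
 * CPU is still running with so the next mm cannot be handed the same one.
 * With mark_local = false the calling CPU's own ASID is forced to zero and
 * left unmarked, which was fine when the switch went through the reserved
 * TTBR0 but not once the ASID is swapped in atomically with the pgd. */
static void flush_context(unsigned cpu, bool mark_local)
{
    asid_map = 1u << 0;                           /* only the reserved ASID */
    for (unsigned i = 0; i < NR_CPUS; i++) {
        unsigned asid = active_asid[i];
        if (i == cpu && !mark_local)
            asid = 0;                 /* old code: "about to switch, nothing to allocate" */
        if (asid)
            asid_map |= (uint8_t)(1u << asid);
    }
}

/* First-fit allocator: hand out the lowest free ASID, rolling over when the
 * space is exhausted. Returns the ASID chosen for the incoming mm. */
static unsigned new_context(unsigned cpu, bool mark_local)
{
    for (int pass = 0; pass < 2; pass++) {
        for (unsigned a = 1; a < NR_ASIDS; a++) {
            if (!(asid_map & (1u << a))) {
                asid_map |= (uint8_t)(1u << a);
                return a;
            }
        }
        flush_context(cpu, mark_local);           /* exhausted: rollover */
    }
    return 0;                 /* unreachable while NR_ASIDS > NR_CPUS + 1 */
}

/* Constructed scenario: every ASID is in use, CPU 0 runs its current mm
 * with ASID 1, CPU 1 with ASID 2, and CPU 0 now switches to a new mm.
 * Returns the ASID the new mm receives on CPU 0. */
static unsigned asid_for_next_mm_on_cpu0(bool mark_local)
{
    asid_map = 0xFF;
    active_asid[0] = 1;
    active_asid[1] = 2;
    return new_context(0, mark_local);
}

/* True when the incoming mm on CPU 0 is given the ASID of the mm it
 * replaces: a speculative TLB fill between the local TLB flush and the
 * TTBR0 update would then be tagged with the ASID the new mm will use. */
static bool next_mm_shares_prev_asid(bool mark_local)
{
    return asid_for_next_mm_on_cpu0(mark_local) == 1;
}

int main(void)
{
    printf("old flush_context:   next mm gets ASID %u (shares previous: %s)\n",
           asid_for_next_mm_on_cpu0(false),
           next_mm_shares_prev_asid(false) ? "yes" : "no");
    printf("fixed flush_context: next mm gets ASID %u (shares previous: %s)\n",
           asid_for_next_mm_on_cpu0(true),
           next_mm_shares_prev_asid(true) ? "yes" : "no");
    return 0;
}
```

Running it shows the old variant handing ASID 1 to the incoming mm on CPU 0 while the outgoing mm still owns it, and the fixed variant skipping to ASID 3 because the local active ASID was marked during rollover. The model stops at the allocator; it does not simulate the TLB or the speculative walk, only the condition that makes them dangerous.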