From: catalin.marinas@arm.com (Catalin Marinas)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 2/3] arm64: Work around Falkor erratum 1003
Date: Thu, 8 Dec 2016 10:31:16 +0000
Message-ID: <20161208103115.GF33075@MBP.local>
In-Reply-To: <20161207200028.4420-2-cov@codeaurora.org>

On Wed, Dec 07, 2016 at 03:00:26PM -0500, Christopher Covington wrote:
> From: Shanker Donthineni <shankerd@codeaurora.org>
>
> On the Qualcomm Datacenter Technologies Falkor v1 CPU, memory accesses may
> allocate TLB entries using an incorrect ASID when TTBRx_EL1 is being
> updated. Changing the TTBRx_EL1[ASID] and TTBRx_EL1[BADDR] fields
> separately using a reserved ASID will ensure that there are no TLB entries
> with incorrect ASID after changing the ASID.
>
> Pseudo code:
> write TTBRx_EL1[ASID] to a reserved value
> ISB
> write TTBRx_EL1[BADDR] to a desired value
> ISB
> write TTBRx_EL1[ASID] to a desired value
> ISB

While the new ASID probably won't have incorrect TLB entries, the
reserved ASID will have random entries from all over the place. That's
because in step 1 you change the ASID to the reserved one while leaving
the old BADDR in place. There is a brief time before changing the ASID
when speculative page table walks will populate the TLB with entries
tagged with the reserved ASID. Such entries are never removed during TLB
shoot-down for the real ASID, so, depending on how this CPU implements
the walk cache, you could end up with intermediate level entries still
active and pointing to freed/reused pages. It will eventually hit an
entry that looks global with weird consequences.

We've been bitten by this in the past on arm32: 52af9c6cd863 ("ARM:
6943/1: mm: use TTBR1 instead of reserved context ID").

--
Catalin
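
A toy model of the concern raised in the reply above, added here as an illustration; it is not code from the message, the patch, or the kernel. The TLB is modelled as a flat array of (ASID, table base) tags, and all names, the `RESERVED_ASID` value and the sample ASIDs and table addresses are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define TLB_SIZE      8
#define RESERVED_ASID 0   /* assumption: the value chosen as the reserved ASID */

/* Toy model: each cached walk is tagged with the ASID in TTBR at walk time. */
struct tlb_entry { int valid; uint16_t asid; uint64_t table; };
struct cpu { uint16_t asid; uint64_t baddr; int n; struct tlb_entry tlb[TLB_SIZE]; };

/* A speculative walk caches the current BADDR under the current ASID. */
static void speculative_walk(struct cpu *c)
{
    if (c->n < TLB_SIZE)
        c->tlb[c->n++] = (struct tlb_entry){ 1, c->asid, c->baddr };
}

/* TLB shoot-down by ASID: only entries carrying that tag are invalidated. */
static void flush_asid(struct cpu *c, uint16_t asid)
{
    for (int i = 0; i < c->n; i++)
        if (c->tlb[i].asid == asid)
            c->tlb[i].valid = 0;
}

/* Run the quoted three-step switch with a speculative walk allowed after each
 * step, shoot down old_asid (its tables are then freed), and return how many
 * valid entries still reference old_tbl. */
static int stale_after_switch(uint16_t old_asid, uint64_t old_tbl,
                              uint16_t new_asid, uint64_t new_tbl,
                              int also_flush_reserved)
{
    struct cpu c = { .asid = old_asid, .baddr = old_tbl };
    int stale = 0;

    speculative_walk(&c);                          /* before the switch */
    c.asid = RESERVED_ASID; speculative_walk(&c);  /* step 1: old BADDR still live */
    c.baddr = new_tbl;      speculative_walk(&c);  /* step 2 */
    c.asid = new_asid;      speculative_walk(&c);  /* step 3 */
    flush_asid(&c, old_asid);
    if (also_flush_reserved)
        flush_asid(&c, RESERVED_ASID);
    for (int i = 0; i < c.n; i++)
        stale += c.tlb[i].valid && c.tlb[i].table == old_tbl;
    return stale;
}

int main(void)
{
    printf("stale: %d\n", stale_after_switch(5, 0x1000, 6, 0x2000, 0));
    return 0;
}
```

In this model the entry that survives is the one created after step 1, tagged with the reserved ASID but pointing at the old table; it disappears only when the reserved ASID is flushed as well.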