From: Catalin Marinas <catalin.marinas@arm.com>
To: linux-arm-kernel@lists.infradead.org
Cc: Will Deacon <will@kernel.org>, James Morse <james.morse@arm.com>,
    Mark Rutland <mark.rutland@arm.com>,
    Mark Brown <broonie@kernel.org>
Subject: [PATCH v5 0/4] arm64: Work around C1-Pro erratum 4193714 (CVE-2026-0995)
Date: Tue, 7 Apr 2026 11:28:40 +0100
Message-ID: <20260407102848.2266988-1-catalin.marinas@arm.com>

That's version 5 of the C1-Pro workaround. Version 3 here:

https://lore.kernel.org/r/20260402101246.3870036-1-catalin.marinas@arm.com

Changes since v4:

- Static sme_dvmsync_cpus mask to avoid allocating under stop_machine().
  Sashiko was right, even GFP_ATOMIC won't work under a raw_spin_lock()

- batch->cpumask allocated lazily on arch_tlbbatch_add_pending() only to
  avoid a potential leak in case of task cloning failure. That's mostly
  theoretical as the (mobile) systems affected are expected to be built
  with CPUMASK_OFFSTACK=n (the GKI kernel defaults to NR_CPUS=32)

The other Sashiko report about the DSB in arch_tlbbatch_add_pending() is
correct but there's not much we can do about it. I don't expect this to be
noticeable at all on systems with a small number of CPUs.

As with v4, there's no longer a global sme_active_cpus mask, reducing
the risk of DoS from a malicious app using SME.

Erratum description:

Arm C1-Pro prior to r1p3 has an erratum (4193714) where a TLBI+DSB
sequence might fail to ensure the completion of all outstanding SME
(Scalable Matrix Extension) memory accesses. The DVMSync message is
acknowledged before the SME accesses have fully completed, potentially
allowing pages to be reused before all in-flight accesses are done.

The workaround consists of executing a DSB locally (via IPI)
on all affected CPUs running with SME enabled, after the TLB
invalidation. This ensures the SME accesses have completed before the
IPI is acknowledged.

This has been assigned CVE-2026-0995:

https://developer.arm.com/documentation/111823/latest/

Catalin Marinas (4):
  arm64: tlb: Introduce __tlbi_sync_s1ish_{kernel,batch}() for TLB
    maintenance
  arm64: tlb: Pass the corresponding mm to __tlbi_sync_s1ish()
  arm64: cputype: Add C1-Pro definitions
  arm64: errata: Work around early CME DVMSync acknowledgement

 Documentation/arch/arm64/silicon-errata.rst |  2 +
 arch/arm64/Kconfig                          | 12 +++
 arch/arm64/include/asm/cpucaps.h            |  2 +
 arch/arm64/include/asm/cputype.h            |  2 +
 arch/arm64/include/asm/fpsimd.h             | 21 +++++
 arch/arm64/include/asm/tlbbatch.h           | 10 ++-
 arch/arm64/include/asm/tlbflush.h           | 96 +++++++++++++++++++--
 arch/arm64/kernel/cpu_errata.c              | 30 +++++++
 arch/arm64/kernel/entry-common.c            |  3 +
 arch/arm64/kernel/fpsimd.c                  | 79 +++++++++++++++++
 arch/arm64/kernel/process.c                 | 36 ++++++++
 arch/arm64/kernel/sys_compat.c              |  2 +-
 arch/arm64/tools/cpucaps                    |  1 +
 13 files changed, 285 insertions(+), 11 deletions(-)