From: sashiko-bot@kernel.org
To: "Thierry Reding" <thierry.reding@kernel.org>
Cc: devicetree@vger.kernel.org, robh@kernel.org,
"Alexander Gordeev" <agordeev@linux.ibm.com>,
conor+dt@kernel.org, dri-devel@lists.freedesktop.org,
linux-s390@vger.kernel.org, "Vasily Gorbik" <gor@linux.ibm.com>,
"Heiko Carstens" <hca@linux.ibm.com>
Subject: Re: [PATCH v3 04/11] arm64/mm: Add set_memory_device() and set_memory_normal()
Date: Wed, 01 Jul 2026 16:23:14 +0000
Message-ID: <20260701162314.A15631F000E9@smtp.kernel.org>
In-Reply-To: <20260701-tegra-vpr-v3-4-d80f7b871bb4@nvidia.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [Critical] Misuse of aggregate PROT_* macros as masks corrupts memory types, permissions, and page table block structures.
- [High] Modifying live memory attributes (type/cacheability) without a Break-Before-Make (BBM) sequence violates ARM64 architecture invariants.
- [High] Bypasses `can_set_direct_map()`, alignment checks, and boundary validation, leading to crashes on non-splittable linear maps.
--
commit 4153df151684415d2f2a476b7fbb71cc99c64650
Author: Chun Ng <chunn@nvidia.com>
arm64/mm: Add set_memory_device() and set_memory_normal()
Add helpers to swap PROT_NORMAL and PROT_DEVICE_nGnRnE protection bits
on a kernel-linear-map range.
> diff --git a/arch/arm64/mm/pageattr.c b/arch/arm64/mm/pageattr.c
> index bbe98ac9ad8c6..871b59a6c9eaf 100644
> --- a/arch/arm64/mm/pageattr.c
> +++ b/arch/arm64/mm/pageattr.c
> @@ -251,6 +251,22 @@ int set_memory_valid(unsigned long addr, int numpages, int enable)
> __pgprot(PTE_PRESENT_VALID_KERNEL));
> }
>
> +int set_memory_device(unsigned long addr, int numpages)
> +{
[Severity: High]
Does this bypass necessary linear map validation checks?
Unlike other helpers such as set_direct_map_invalid_noflush(), these functions
do not call can_set_direct_map(). If the kernel is booted with configurations
preventing page-level splitting (like rodata=off), the modification could fail
or corrupt perfectly aligned PMD block mappings.
Additionally, should this validate address alignment and check __is_lm_address()
before modifying the memory, similar to change_memory_common()?
> + return __change_memory_common(addr, PAGE_SIZE * numpages,
> + __pgprot(PROT_DEVICE_nGnRnE),
> + __pgprot(PROT_NORMAL));
[Severity: Critical]
Will passing aggregate PROT_* macros as clear_mask and set_mask corrupt memory
types and page table structures?
When __change_memory_common() uses the clear_mask, it clears the bits present in
the mask. PROT_NORMAL contains memory type index 0 (MT_NORMAL). Clearing 0
leaves existing memory type bits intact, meaning the subsequent OR of
PROT_DEVICE_nGnRnE (index 3) will combine with the old bits, potentially
resulting in an invalid memory type index.
Also, both PROT_NORMAL and PROT_DEVICE_nGnRnE include PROT_DEFAULT, which has
PTE_TYPE_PAGE (binary 11). If this is applied to a PMD or PUD block mapping
(which has descriptor type PMD_TYPE_SECT, binary 01), clearing and setting
these bits will mutate a valid block descriptor into a table descriptor, causing
a translation fault. Should this use explicit PTE_ATTRINDX masks instead?
[Severity: High]
Does changing the memory type from Normal to Device require a Break-Before-Make
(BBM) sequence?
The ARM Architecture Reference Manual requires a BBM sequence when updating
a live page table entry to change its memory attributes. __change_memory_common()
modifies PTEs in-place via read-modify-write (update_range_prot) and issues
a TLB invalidation only after the writes complete.
Skipping the intermediate invalidation step (writing an invalid entry, issuing
DSB/TLBI, and a second DSB before writing the new attribute) can cause hardware
coherency issues and TLB Conflict Aborts.
> +}
> +EXPORT_SYMBOL_GPL(set_memory_device);
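Review bot: set_memory_device() takes a signed `int numpages` and feeds it straight into `PAGE_SIZE * numpages` in the __change_memory_common() call, with no visible check that the count is positive, so a zero or negative value from a caller reaches the page-table walker as the range size. Since the function is made available to modules through EXPORT_SYMBOL_GPL, consider rejecting `numpages <= 0` before the multiplication and adding a kernel-doc comment above the function that states the caller contract (which address range is accepted, required alignment, and the return value on failure).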
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-tegra-vpr-v3-0-d80f7b871bb4@nvidia.com?part=4
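
The mask arithmetic behind the [Critical] finding above, as an added example that is not part of the patch, the review or the kernel sources. It models only the descriptor type bits [1:0] and the AttrIndx field [4:2], assumes the clear-then-set update the review describes, and uses hypothetical names (`MODEL_PROT_*`, `apply_masks`, `to_device_*`); the explicit-mask variant is the alternative the review asks about.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an arm64 stage-1 descriptor: only the two fields the
 * review discusses. All other PROT_DEFAULT bits are left out on purpose. */
#define TYPE_MASK      0x3ULL                /* descriptor type, bits [1:0] */
#define TYPE_BLOCK     0x1ULL                /* PMD_TYPE_SECT, binary 01 */
#define TYPE_PAGE      0x3ULL                /* PTE_TYPE_PAGE, binary 11 */
#define ATTRINDX(i)    ((uint64_t)(i) << 2)  /* AttrIndx, bits [4:2] */
#define ATTRINDX_MASK  ATTRINDX(7)
#define IDX_NORMAL     0                     /* MT_NORMAL per the review */
#define IDX_DEVICE     3                     /* MT_DEVICE_nGnRnE per the review */

/* Stand-ins for the aggregate macros (hypothetical names, reduced fields). */
#define MODEL_PROT_NORMAL  (TYPE_PAGE | ATTRINDX(IDX_NORMAL))
#define MODEL_PROT_DEVICE  (TYPE_PAGE | ATTRINDX(IDX_DEVICE))

/* Clear-then-set update, as the review describes the common helper. */
static uint64_t apply_masks(uint64_t desc, uint64_t set, uint64_t clear)
{
    return (desc & ~clear) | set;
}

/* What the hunk does: aggregate macros passed as set and clear masks. */
static uint64_t to_device_aggregate(uint64_t desc)
{
    return apply_masks(desc, MODEL_PROT_DEVICE, MODEL_PROT_NORMAL);
}

/* Explicit field mask: clear all of AttrIndx, leave the type bits alone. */
static uint64_t to_device_explicit(uint64_t desc)
{
    return apply_masks(desc, ATTRINDX(IDX_DEVICE), ATTRINDX_MASK);
}

static unsigned attr_index(uint64_t desc) { return (desc & ATTRINDX_MASK) >> 2; }
static unsigned desc_type(uint64_t desc)  { return desc & TYPE_MASK; }

int main(void)
{
    for (unsigned idx = 0; idx < 8; idx++) {
        uint64_t blk = TYPE_BLOCK | ATTRINDX(idx);  /* constructed input */
        uint64_t a = to_device_aggregate(blk), e = to_device_explicit(blk);
        printf("old idx %u: aggregate -> idx %u type %u | explicit -> idx %u type %u\n",
               idx, attr_index(a), desc_type(a), attr_index(e), desc_type(e));
    }
    return 0;
}
```

With the aggregate masks every block descriptor comes out with type bits 11, and an old index of 4 ends up as 7; the explicit field mask yields index 3 and keeps the block type for every input.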