From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756659AbaIIMij (ORCPT ); Tue, 9 Sep 2014 08:38:39 -0400 Received: from cam-admin0.cambridge.arm.com ([217.140.96.50]:42289 "EHLO cam-admin0.cambridge.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752908AbaIIMih (ORCPT ); Tue, 9 Sep 2014 08:38:37 -0400 Date: Tue, 9 Sep 2014 13:38:29 +0100 From: Will Deacon To: Kees Cook Cc: Rabin Vincent , "linux-kernel@vger.kernel.org" , Laura Abbott , Rob Herring , Leif Lindholm , "msalter@redhat.com" , Liu hua , Nikolay Borisov , Nicolas Pitre , Doug Anderson , Jason Wessel , Catalin Marinas , Russell King - ARM Linux , "linux-arm-kernel@lists.infradead.org" Subject: Re: [PATCH v5 3/8] arm: fixmap: implement __set_fixmap() Message-ID: <20140909123829.GK1754@arm.com> References: <1409781429-27593-1-git-send-email-keescook@chromium.org> <1409781429-27593-4-git-send-email-keescook@chromium.org> <20140904170349.GL7156@arm.com> <20140904172748.GO7156@arm.com> <20140908191634.GV5598@outflux.net> <20140908215506.GA4759@dator> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Sep 08, 2014 at 11:40:43PM +0100, Kees Cook wrote: > On Mon, Sep 8, 2014 at 2:55 PM, Rabin Vincent wrote: > > On Mon, Sep 08, 2014 at 12:16:34PM -0700, Kees Cook wrote: > >> On Thu, Sep 04, 2014 at 06:27:48PM +0100, Will Deacon wrote: > >> > On Thu, Sep 04, 2014 at 06:23:42PM +0100, Kees Cook wrote: > >> > > Ah! If this is the case, perhaps we can get away with > >> > > local_flush_tlb_kernel_range() then? > >> > > >> > That's a bit tricky, since you need to ensure that preemption is disabled > >> > until the mapping is put back like it was. > >> > >> Okay, under both real hardware with the errata, and under QEMU, things seem > >> to work with this change to the series. What do you think? > > > > Preemption is already disabled until the mapping is put back in this > > patch.c code because interrupts are disabled from before the time > > set_fixmap() is called until after clear_fixmap() is called. > > Should I drop the preempt_disable/enable(), and just add a comment to > set_fixmap()? > > > I'd guess that Will meant other (future) callers of set_fixmap() would > > have to ensure similar behaviour with set_fixmap() / clear_fixmap(). > > > > Unless I'm missing something set/clear_fixmap() seem to be quite arch > > specific and only really used on x86, so we could ensure that future > > users on ARM perform the correct tlb flush: the first user on ARM with > > a non-atomic context (or you) could implement a set_fixmap() which does > > the global flush and have this patch.c (and any other atomic context > > callers) call __set_fixmap() directly. > > > > The change to local_flush_tlb_kernel_range() in __set_fixmap() would of > > course be needed in that case, and IIRC that was what my original patch > > had (via set_top_pte()). > > Ah, so it was, yes! Will, which version of this logic would you prefer? I still don't think we're solving the general problem here -- we're actually just making the ftrace case work. It is perfectly possible for another CPU to undergo a TLB miss and refill whilst the page table is being modified by the CPU with preemption disabled. In this case, a local tlb flush won't invalidate that entry on the other core, and we have no way of knowing when the original permissions are actually observed across the system. So I think we need to figure out a way to invalidate the TLB properly. What do architectures that use IPIs for TLB broadcasting do (x86, some powerpc, mips, ...)? They must have exactly the same problem. Will