From: Marc Zyngier <maz@kernel.org>
To: "Pierre-Clément Tosi" <ptosi@google.com>
Cc: u-boot@lists.denx.de, Fabio Estevam <festevam@gmail.com>,
Tom Rini <trini@konsulko.com>
Subject: Re: [PATCH] arm64: Fix map_range() not splitting mapped blocks
Date: Tue, 19 Mar 2024 09:43:03 +0000 [thread overview]
Message-ID: <86o7bazheg.wl-maz@kernel.org> (raw)
In-Reply-To: <43haokus4jdxguk4arig5tsqcgq2wbezwpbj7oti6pdkvrfual@wa7vz2iypcv5>
On Mon, 18 Mar 2024 19:35:49 +0000,
Pierre-Clément Tosi <ptosi@google.com> wrote:
>
> The implementation of map_range() creates the requested mapping by
> walking the page tables, iterating over multiple PTEs and/or descending
> into existing table mappings as needed. When doing so, it assumes any
> pre-existing valid PTE to be a table mapping. This assumption is wrong
> if the platform code attempts to successively map two overlapping ranges
> where the latter intersects a block mapping created for the former.
>
> As a result, map_range() treats the existing block mapping as a table
> mapping and descends into it i.e. starts interpreting the
> previously-mapped range as an array of PTEs, writing to them and
> potentially even descending further (extra fun with MMIO ranges!).
>
> Instead, pass any valid non-table mapping to split_block(), which
> ensures that it actually was a block mapping (calls panic() otherwise)
> before splitting it.
>
> Fixes: 41e2787f5ec4 ("arm64: Reduce add_map() complexity")
> Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
> ---
> arch/arm/cpu/armv8/cache_v8.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/arm/cpu/armv8/cache_v8.c b/arch/arm/cpu/armv8/cache_v8.c
> index 697334086f..57d06f0575 100644
> --- a/arch/arm/cpu/armv8/cache_v8.c
> +++ b/arch/arm/cpu/armv8/cache_v8.c
> @@ -326,6 +326,8 @@ static void map_range(u64 virt, u64 phys, u64 size, int level,
> /* Going one level down */
> if (pte_type(&table[i]) == PTE_TYPE_FAULT)
> set_pte_table(&table[i], create_table());
> + else if (pte_type(&table[i]) != PTE_TYPE_TABLE)
> + split_block(&table[i], level);
>
> next_table = (u64 *)(table[i] & GENMASK_ULL(47, PAGE_SHIFT));
> next_size = min(map_size - (virt & (map_size - 1)), size);
This seems pretty reasonable, thanks for looking into this. However, I
can't help but notice that this is done without any BBM, and no TLBI
either.
Are we guaranteed that the updated page tables are not live at the
point of update?
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2024-03-19 9:43 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-18 19:35 [PATCH] arm64: Fix map_range() not splitting mapped blocks Pierre-Clément Tosi
2024-03-18 19:46 ` Fabio Estevam
2024-03-19 9:43 ` Marc Zyngier [this message]
2024-03-19 11:39 ` Pierre-Clément Tosi
2024-03-19 12:13 ` Fabio Estevam
2024-03-19 12:39 ` Pierre-Clément Tosi
2024-03-22 19:31 ` Fabio Estevam
2024-03-22 19:33 ` Fabio Estevam
2024-03-23 14:34 ` Tom Rini
2024-03-25 20:37 ` Hiago De Franco
2024-03-30 20:03 ` Fabio Estevam
2024-04-10 13:31 ` Fabio Estevam
2024-03-26 9:21 ` Marc Zyngier
2024-04-10 17:43 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86o7bazheg.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=festevam@gmail.com \
--cc=ptosi@google.com \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox