From 97f1040982d7935716e9a45a26ccd5cc8fe92f8c Mon Sep 17 00:00:00 2001
From: Russell King
Date: Sun, 29 Jan 2012 14:55:21 +0000
Subject: Revert "ARM: 7304/1: ioremap: fix boundary check when reusing static
 mapping"

This reverts commit 3c424f359898aff48c3d5bed608ac706f8a528c3.

Joachim Eastwood reports:

| "ARM: 7304/1: ioremap: fix boundary check when reusing static mapping"
| Commit: 3c424f359898aff48c3d5bed608ac706f8a528c3 in Linus master
|
| Breaks booting on my custom AT91RM9200 board.
| There isn't any error messages or anything that indicates what goes
| wrong it just stops after; Uncompressing Linux... done, booting the
| kernel.
|
| Reverting it makes my board boot again.

and further debugging reveals:

ioremap: pfn=fffff phys=fffff000 offset=400 size=1000
ioremap: area c3ffdfc0: phys_addr=200000 pfn=200 size=4000
ioremap: found: addr fef74000 => fed73000 => fed73400

Clearly, an area for pfn 0x200, 16K can't ever satisfy a request for
pfn 0xfffff.  This happens because the changed if statement becomes:

  if (0x00200 > 0xfffff ||
      0xfffff000 + 0x400 + 0x1000-1 > 0x00200000 + 0x4000-1)

and therefore:

  if (0x00200 > 0xfffff || 0x000003ff > 0x00203fff)

The if condition fails, and so we _believe_ that the SRAM mapping fits
our request.  Clearly that's totally bogus.

Moreover, the original premise of the 'fix' patch was wrong:

| The condition checking boundaries of the requested and existing
| mappings didn't take in-page offset into consideration though,
| which lead to obscure and hard to debug problems when requested
| mapping crossed end of the static one.

as the code immediately above this loop does:

	size = PAGE_ALIGN(offset + size);

so 'size' already contains the requested offset into the page.

So, revert the broken 'fix'.

Acked-by: Nicolas Pitre
---
 arch/arm/mm/ioremap.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
index ba159370fa5..80632e8d753 100644
--- a/arch/arm/mm/ioremap.c
+++ b/arch/arm/mm/ioremap.c
@@ -225,8 +225,7 @@ void __iomem * __arm_ioremap_pfn_caller(unsigned long pfn,
 		if ((area->flags & VM_ARM_MTYPE_MASK) != VM_ARM_MTYPE(mtype))
 			continue;
 		if (__phys_to_pfn(area->phys_addr) > pfn ||
-		    __pfn_to_phys(pfn) + offset + size-1 >
-		    area->phys_addr + area->size-1)
+		    __pfn_to_phys(pfn) + size-1 > area->phys_addr + area->size-1)
 			continue;
 		/* we can drop the lock here as we know *area is static */
 		read_unlock(&vmlist_lock);
--
cgit v1.2.3
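
To make the overflow concrete: the following standalone C sketch (user-space
only, with the constants taken from the debug output quoted above; not kernel
code) evaluates both forms of the boundary check in 32-bit arithmetic. The
double-counted offset pushes the end address past 2^32, so it wraps to 0x3ff
and the bogus area is accepted; dropping the offset, as the revert does, keeps
the comparison sane:

	#include <stdint.h>
	#include <stdio.h>

	int main(void)
	{
		uint32_t phys = 0xfffff000, offset = 0x400, size = 0x1000;
		uint32_t area_phys = 0x00200000, area_size = 0x4000;
		uint32_t area_end = area_phys + area_size - 1;	/* 0x00203fff */

		/* Reverted check: offset added on top of a size that already
		 * includes it, so the sum wraps around 32 bits to 0x000003ff
		 * and the area is wrongly accepted (rejected=0). */
		uint32_t bad_end = phys + offset + size - 1;
		printf("broken:  end=0x%08x rejected=%d\n",
		       (unsigned)bad_end, bad_end > area_end);

		/* Restored check: 'size' already contains the in-page offset,
		 * the end stays at 0xffffffff and the area is rejected. */
		uint32_t good_end = phys + size - 1;
		printf("correct: end=0x%08x rejected=%d\n",
		       (unsigned)good_end, good_end > area_end);
		return 0;
	}
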
From 2af276dfb1722e97b190bd2e646b079a2aa674db Mon Sep 17 00:00:00 2001
From: Will Deacon
Date: Mon, 30 Jan 2012 20:21:42 +0100
Subject: ARM: 7306/1: vfp: flush thread hwstate before restoring context from
 sigframe

Following execution of a signal handler, we currently restore the VFP
context from the ucontext in the signal frame. This involves copying
from the user stack into the current thread's vfp_hard_struct and then
flushing the new data out to the hardware registers.

This is problematic when using a preemptible kernel because we could be
context switched whilst updating the vfp_hard_struct. If the current
thread has made use of VFP since the last context switch, the VFP
notifier will copy from the hardware registers into the vfp_hard_struct,
overwriting any data that had been partially copied by the signal code.

Disabling preemption across copy_from_user calls is a terrible idea, so
instead we move the VFP thread flush *before* we update the
vfp_hard_struct. Since the flushing is performed lazily, this has the
effect of disabling VFP and clearing the CPU's VFP state pointer,
therefore preventing the thread from being updated with stale data on
the next context switch.

Cc: stable
Tested-by: Peter Maydell
Signed-off-by: Will Deacon
Signed-off-by: Russell King
---
 arch/arm/kernel/signal.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index 0340224cf73..9e617bd4a14 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -227,6 +227,8 @@ static int restore_vfp_context(struct vfp_sigframe __user *frame)
 	if (magic != VFP_MAGIC || size != VFP_STORAGE_SIZE)
 		return -EINVAL;
 
+	vfp_flush_hwstate(thread);
+
 	/*
 	 * Copy the floating point registers. There can be unused
 	 * registers see asm/hwcap.h for details.
@@ -251,9 +253,6 @@ static int restore_vfp_context(struct vfp_sigframe __user *frame)
 	__get_user_error(h->fpinst, &frame->ufp_exc.fpinst, err);
 	__get_user_error(h->fpinst2, &frame->ufp_exc.fpinst2, err);
 
-	if (!err)
-		vfp_flush_hwstate(thread);
-
 	return err ? -EFAULT : 0;
 }
--
cgit v1.2.3
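
The race is easy to model outside the kernel. In this toy user-space
simulation (all names hypothetical; the scheduler's lazy save-back is reduced
to a single function call), flushing the hardware state first makes the
preemption in the middle of the copy harmless. Comment out the flush and the
first half of the copy is clobbered by the stale "hardware" values:

	#include <stdio.h>

	/* Toy model: four "VFP registers", one owning thread. */
	struct vfp_state { int regs[4]; };

	static struct vfp_state thread_state;			/* thread->vfpstate */
	static struct vfp_state hw_regs = { { 9, 9, 9, 9 } };	/* live VFP regs    */
	static int cpu_owns_state = 1;				/* lazy save armed  */

	/* What a context switch does with lazy VFP save: write the hardware
	 * registers back into the owning thread's state. */
	static void context_switch(void)
	{
		if (cpu_owns_state)
			thread_state = hw_regs;
	}

	/* Analogue of vfp_flush_hwstate(): disable VFP for the thread and
	 * clear the CPU's state pointer, detaching the hardware state. */
	static void flush_hwstate(void)
	{
		cpu_owns_state = 0;
	}

	int main(void)
	{
		struct vfp_state frame = { { 1, 2, 3, 4 } };	/* from sigframe */
		int i;

		flush_hwstate();	/* the fix: flush *before* copying */

		for (i = 0; i < 4; i++) {
			thread_state.regs[i] = frame.regs[i];
			if (i == 1)
				context_switch();	/* preempted mid-copy */
		}

		/* Prints "1 2 3 4"; without the early flush: "9 9 3 4". */
		for (i = 0; i < 4; i++)
			printf("%d ", thread_state.regs[i]);
		printf("\n");
		return 0;
	}

The same detach-first discipline shows up again in the two ptrace fixes
below.
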
From 247f4993a5974e6759606c4d380748eecfd273ff Mon Sep 17 00:00:00 2001
From: Dave Martin
Date: Mon, 30 Jan 2012 20:22:28 +0100
Subject: ARM: 7307/1: vfp: fix ptrace regset modification race

In a preemptible kernel, vfp_set() can be preempted, causing the
hardware VFP context to be switched while the thread vfp state is
being read and modified.  This leads to a race condition which can
cause the thread vfp state to become corrupted if lazy VFP context
save occurs due to preemption in between the time thread->vfpstate is
read and the time the modified state is written back.

This may occur if preemption occurs during the execution of a ptrace()
call which modifies the VFP register state of a thread.  Such instances
should be very rare in most realistic scenarios -- none has been
reported, so far as I am aware.  Only uniprocessor systems should be
affected, since VFP context save is not currently lazy in SMP kernels.

The problem was introduced by my earlier patch migrating to use regsets
to implement ptrace.

This patch does a vfp_sync_hwstate() before reading thread->vfpstate,
to make sure that the thread's VFP state is not live in the hardware
registers while the registers are modified.

Thanks to Will Deacon for spotting this.

Cc: stable
Signed-off-by: Dave Martin
Signed-off-by: Will Deacon
Signed-off-by: Russell King
---
 arch/arm/kernel/ptrace.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index e1d5e1929fb..d001be4e0ce 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -699,10 +699,13 @@ static int vfp_set(struct task_struct *target,
 {
 	int ret;
 	struct thread_info *thread = task_thread_info(target);
-	struct vfp_hard_struct new_vfp = thread->vfpstate.hard;
+	struct vfp_hard_struct new_vfp;
 	const size_t user_fpregs_offset = offsetof(struct user_vfp, fpregs);
 	const size_t user_fpscr_offset = offsetof(struct user_vfp, fpscr);
 
+	vfp_sync_hwstate(thread);
+	new_vfp = thread->vfpstate.hard;
+
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
 				  &new_vfp.fpregs,
 				  user_fpregs_offset,
@@ -723,7 +726,6 @@ static int vfp_set(struct task_struct *target,
 	if (ret)
 		return ret;
 
-	vfp_sync_hwstate(thread);
 	thread->vfpstate.hard = new_vfp;
 	vfp_flush_hwstate(thread);
--
cgit v1.2.3

From 8130b9d7b9d858aa04ce67805e8951e3cb6e9b2f Mon Sep 17 00:00:00 2001
From: Will Deacon
Date: Mon, 30 Jan 2012 20:23:29 +0100
Subject: ARM: 7308/1: vfp: flush thread hwstate before copying ptrace
 registers

If we are context switched whilst copying into a thread's
vfp_hard_struct then the partial copy may be corrupted by the VFP
context switching code (see "ARM: vfp: flush thread hwstate before
restoring context from sigframe").

This patch updates the ptrace VFP set code so that the thread state is
flushed before the copy, therefore disabling VFP and preventing
corruption from occurring.

Cc: stable
Signed-off-by: Will Deacon
Signed-off-by: Russell King
---
 arch/arm/kernel/ptrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index d001be4e0ce..e33870ff0ac 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -726,8 +726,8 @@ static int vfp_set(struct task_struct *target,
 	if (ret)
 		return ret;
 
-	thread->vfpstate.hard = new_vfp;
 	vfp_flush_hwstate(thread);
+	thread->vfpstate.hard = new_vfp;
 
 	return 0;
 }
--
cgit v1.2.3
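
Taken together, 7307/1 and 7308/1 leave vfp_set() with a single safe
read-modify-write discipline around lazily saved hardware state: synchronise
before reading the thread copy, detach the hardware before writing it back. A
condensed standalone sketch of that final shape (stub functions stand in for
the real vfp_sync_hwstate()/vfp_flush_hwstate(); illustrative only):

	#include <stdio.h>

	struct state { int fpscr; };
	static struct state thread_state;	/* thread->vfpstate.hard */

	/* Stubs for the two kernel primitives the pattern relies on. */
	static void sync_hwstate(void)  { /* hw regs -> thread_state if live */ }
	static void flush_hwstate(void) { /* detach hw; no further save-back */ }

	static void set_state(int new_fpscr)
	{
		struct state tmp;

		sync_hwstate();		/* 1. make thread_state current (7307/1) */
		tmp = thread_state;	/* 2. snapshot only after the sync        */
		tmp.fpscr = new_fpscr;	/* 3. modify the snapshot                 */
		flush_hwstate();	/* 4. detach hw before commit (7308/1)    */
		thread_state = tmp;	/* 5. commit                              */
	}

	int main(void)
	{
		set_state(0x03000000);
		printf("fpscr=0x%08x\n", thread_state.fpscr);
		return 0;
	}

Step 1 guarantees the snapshot is current; step 4 guarantees no lazy
save-back can overwrite the committed state.
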
Signed-off-by: Will Deacon
Signed-off-by: Russell King
---
 arch/arm/kernel/perf_event_v7.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/arch/arm/kernel/perf_event_v7.c b/arch/arm/kernel/perf_event_v7.c
index 460bbbb6b88..6933244c68f 100644
--- a/arch/arm/kernel/perf_event_v7.c
+++ b/arch/arm/kernel/perf_event_v7.c
@@ -469,6 +469,20 @@ static const unsigned armv7_a5_perf_cache_map[PERF_COUNT_HW_CACHE_MAX]
 			[C(RESULT_MISS)]	= CACHE_OP_UNSUPPORTED,
 		},
 	},
+	[C(NODE)] = {
+		[C(OP_READ)] = {
+			[C(RESULT_ACCESS)]	= CACHE_OP_UNSUPPORTED,
+			[C(RESULT_MISS)]	= CACHE_OP_UNSUPPORTED,
+		},
+		[C(OP_WRITE)] = {
+			[C(RESULT_ACCESS)]	= CACHE_OP_UNSUPPORTED,
+			[C(RESULT_MISS)]	= CACHE_OP_UNSUPPORTED,
+		},
+		[C(OP_PREFETCH)] = {
+			[C(RESULT_ACCESS)]	= CACHE_OP_UNSUPPORTED,
+			[C(RESULT_MISS)]	= CACHE_OP_UNSUPPORTED,
+		},
+	},
 };
 
 /*
@@ -579,6 +593,20 @@ static const unsigned armv7_a15_perf_cache_map[PERF_COUNT_HW_CACHE_MAX]
 			[C(RESULT_MISS)]	= CACHE_OP_UNSUPPORTED,
 		},
 	},
+	[C(NODE)] = {
+		[C(OP_READ)] = {
+			[C(RESULT_ACCESS)]	= CACHE_OP_UNSUPPORTED,
+			[C(RESULT_MISS)]	= CACHE_OP_UNSUPPORTED,
+		},
+		[C(OP_WRITE)] = {
+			[C(RESULT_ACCESS)]	= CACHE_OP_UNSUPPORTED,
+			[C(RESULT_MISS)]	= CACHE_OP_UNSUPPORTED,
+		},
+		[C(OP_PREFETCH)] = {
+			[C(RESULT_ACCESS)]	= CACHE_OP_UNSUPPORTED,
+			[C(RESULT_MISS)]	= CACHE_OP_UNSUPPORTED,
+		},
+	},
 };
 
 /*
--
cgit v1.2.3

From 6d3ec1ae6cdcda185bd9452b2daed5145e2493a5 Mon Sep 17 00:00:00 2001
From: Catalin Marinas
Date: Wed, 25 Jan 2012 11:54:22 +0100
Subject: ARM: 7302/1: Add TLB flushing for both entries in a PMD

Linux uses two PMD entries for a PTE with the classic page table
format, covering a 2MB range. However, the __pte_free_tlb() function
only adds a single TLB flush corresponding to the 1MB range covering
'addr'. On Cortex-A15, level 1 entries can be cached by the TLB
independently of the level 2 entries and without additional flushing a
PMD entry would be left pointing at the wrong PTE. The patch limits the
TLB flushing range to two 4KB pages around the 1MB boundary within the
PMD.

Signed-off-by: Catalin Marinas
Signed-off-by: Russell King
---
 arch/arm/include/asm/tlb.h | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/arm/include/asm/tlb.h b/arch/arm/include/asm/tlb.h
index 5d3ed7e3856..314d4664eae 100644
--- a/arch/arm/include/asm/tlb.h
+++ b/arch/arm/include/asm/tlb.h
@@ -198,7 +198,15 @@ static inline void
 __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte, unsigned long addr)
 {
 	pgtable_page_dtor(pte);
-	tlb_add_flush(tlb, addr);
+
+	/*
+	 * With the classic ARM MMU, a pte page has two corresponding pmd
+	 * entries, each covering 1MB.
+	 */
+	addr &= PMD_MASK;
+	tlb_add_flush(tlb, addr + SZ_1M - PAGE_SIZE);
+	tlb_add_flush(tlb, addr + SZ_1M);
+
 	tlb_remove_page(tlb, pte);
 }
--
cgit v1.2.3
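
The flush addresses are pure arithmetic on the PMD geometry. This standalone
sketch (assuming 4K pages and 2MB per Linux PMD in the classic format; the
input address is hypothetical) prints the two pages the patch flushes, one on
each side of the 1MB boundary, which covers both hardware level 1 entries:

	#include <stdio.h>

	#define PAGE_SIZE	0x1000UL		/* 4K pages           */
	#define SZ_1M		0x100000UL
	#define PMD_SIZE	(2 * SZ_1M)		/* classic ARM format */
	#define PMD_MASK	(~(PMD_SIZE - 1))

	int main(void)
	{
		unsigned long addr = 0x40123000UL;	/* hypothetical */

		addr &= PMD_MASK;			/* 0x40000000 */

		/* Last page of the first 1MB entry and first page of the
		 * second: one TLB flush either side of the 1MB boundary. */
		printf("flush 0x%08lx and 0x%08lx\n",
		       addr + SZ_1M - PAGE_SIZE, addr + SZ_1M);
		return 0;
	}
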
From 5a97d0ae5b5d78727b87965cba84194a9f1e06ce Mon Sep 17 00:00:00 2001
From: Will Deacon
Date: Fri, 3 Feb 2012 11:08:05 +0100
Subject: ARM: 7314/1: kuser: consistently use usr_ret for returning from
 helpers

__kuser_cmpxchg64 has a return path using bx lr to get back to the
caller. This is actually ok since the code in question is predicated on
CONFIG_CPU_32v6K, but for the sake of consistency using the usr_ret
macro is probably better.

Acked-by: Dave Martin
Acked-by: Nicolas Pitre
Signed-off-by: Will Deacon
Signed-off-by: Russell King
---
 arch/arm/kernel/entry-armv.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index 3a456c6c700..be16a48007b 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -790,7 +790,7 @@ __kuser_cmpxchg64:				@ 0xffff0f60
 	smp_dmb	arm
 	rsbs	r0, r3, #0			@ set returned val and C flag
 	ldmfd	sp!, {r4, r5, r6, r7}
-	bx	lr
+	usr_ret	lr
 
 #elif !defined(CONFIG_SMP)
--
cgit v1.2.3