+12

arch/arm/kernel/module-plts.c

reviewed

··· 225 225 mod->arch.init.plt = s; 226 226 else if (s->sh_type == SHT_SYMTAB) 227 227 syms = (Elf32_Sym *)s->sh_addr; 228 228 + #if defined(CONFIG_ARM_UNWIND) && !defined(CONFIG_VMSPLIT_3G) 229 229 + else if (s->sh_type == ELF_SECTION_UNWIND || 230 230 + (strncmp(".ARM.extab", secstrings + s->sh_name, 10) == 0)) { 231 231 + /* 232 232 + * To avoid the possible relocation out of range issue for 233 233 + * R_ARM_PREL31, mark unwind section .ARM.extab and .ARM.exidx as 234 234 + * executable so they will be allocated along with .text section to 235 235 + * meet +/-1GB range requirement of the R_ARM_PREL31 relocation 236 236 + */ 237 237 + s->sh_flags |= SHF_EXECINSTR; 238 238 + } 239 239 + #endif 228 240 } 229 241 230 242 if (!mod->arch.core.plt || !mod->arch.init.plt) {

+73 -85

arch/arm/mm/fault.c

reviewed

··· 115 115 return (fsr & FSR_WRITE) && !(fsr & FSR_CM); 116 116 } 117 117 118 118 - static inline bool is_translation_fault(unsigned int fsr) 119 119 - { 120 120 - int fs = fsr_fs(fsr); 121 121 - #ifdef CONFIG_ARM_LPAE 122 122 - if ((fs & FS_MMU_NOLL_MASK) == FS_TRANS_NOLL) 123 123 - return true; 124 124 - #else 125 125 - if (fs == FS_L1_TRANS || fs == FS_L2_TRANS) 126 126 - return true; 127 127 - #endif 128 128 - return false; 129 129 - } 130 130 - 131 131 - static inline bool is_permission_fault(unsigned int fsr) 132 132 - { 133 133 - int fs = fsr_fs(fsr); 134 134 - #ifdef CONFIG_ARM_LPAE 135 135 - if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL) 136 136 - return true; 137 137 - #else 138 138 - if (fs == FS_L1_PERM || fs == FS_L2_PERM) 139 139 - return true; 140 140 - #endif 141 141 - return false; 142 142 - } 143 143 - 144 118 static void die_kernel_fault(const char *msg, struct mm_struct *mm, 145 119 unsigned long addr, unsigned int fsr, 146 120 struct pt_regs *regs) ··· 164 190 165 191 /* 166 192 * Something tried to access memory that isn't in our memory map.. 167 167 - * User mode accesses just cause a SIGSEGV 193 193 + * User mode accesses just cause a SIGSEGV. Ensure interrupts are enabled 194 194 + * for preempt RT. 168 195 */ 169 196 static void 170 197 __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig, 171 198 int code, struct pt_regs *regs) 172 199 { 173 200 struct task_struct *tsk = current; 201 201 + 202 202 + local_irq_enable(); 174 203 175 204 #ifdef CONFIG_DEBUG_USER 176 205 if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) || ··· 235 258 } 236 259 #endif 237 260 261 261 + /* 262 262 + * Handle a vmalloc fault, copying the non-leaf page table entries from 263 263 + * init_mm.pgd. Any kernel context can trigger this, so we must not sleep 264 264 + * or enable interrupts. Having two CPUs execute this for the same page is 265 265 + * no problem, we'll just copy the same data twice. 266 266 + * 267 267 + * Returns false on failure. 268 268 + */ 269 269 + static bool __kprobes __maybe_unused vmalloc_fault(unsigned long addr) 270 270 + { 271 271 + unsigned int index; 272 272 + pgd_t *pgd, *pgd_k; 273 273 + p4d_t *p4d, *p4d_k; 274 274 + pud_t *pud, *pud_k; 275 275 + pmd_t *pmd, *pmd_k; 276 276 + 277 277 + index = pgd_index(addr); 278 278 + 279 279 + pgd = cpu_get_pgd() + index; 280 280 + pgd_k = init_mm.pgd + index; 281 281 + 282 282 + p4d = p4d_offset(pgd, addr); 283 283 + p4d_k = p4d_offset(pgd_k, addr); 284 284 + 285 285 + if (p4d_none(*p4d_k)) 286 286 + return false; 287 287 + if (!p4d_present(*p4d)) 288 288 + set_p4d(p4d, *p4d_k); 289 289 + 290 290 + pud = pud_offset(p4d, addr); 291 291 + pud_k = pud_offset(p4d_k, addr); 292 292 + 293 293 + if (pud_none(*pud_k)) 294 294 + return false; 295 295 + if (!pud_present(*pud)) 296 296 + set_pud(pud, *pud_k); 297 297 + 298 298 + pmd = pmd_offset(pud, addr); 299 299 + pmd_k = pmd_offset(pud_k, addr); 300 300 + 301 301 + #ifdef CONFIG_ARM_LPAE 302 302 + /* 303 303 + * Only one hardware entry per PMD with LPAE. 304 304 + */ 305 305 + index = 0; 306 306 + #else 307 307 + /* 308 308 + * On ARM one Linux PGD entry contains two hardware entries (see page 309 309 + * tables layout in pgtable.h). We normally guarantee that we always 310 310 + * fill both L1 entries. But create_mapping() doesn't follow the rule. 311 311 + * It can create inidividual L1 entries, so here we have to call 312 312 + * pmd_none() check for the entry really corresponded to address, not 313 313 + * for the first of pair. 314 314 + */ 315 315 + index = (addr >> SECTION_SHIFT) & 1; 316 316 + #endif 317 317 + if (pmd_none(pmd_k[index])) 318 318 + return false; 319 319 + 320 320 + copy_pmd(pmd, pmd_k); 321 321 + 322 322 + return true; 323 323 + } 324 324 + 238 325 static int __kprobes 239 326 do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr, 240 327 unsigned int fsr, struct pt_regs *regs) ··· 309 268 * should not be faulting in kernel space, which includes the 310 269 * vector/khelper page. Handle the branch predictor hardening 311 270 * while interrupts are still disabled, then send a SIGSEGV. 271 271 + * Note that __do_user_fault() will enable interrupts. 312 272 */ 313 273 harden_branch_predictor(); 314 274 __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs); ··· 534 492 * directly to do_kernel_address_page_fault() to handle. 535 493 * 536 494 * Otherwise, we're probably faulting in the vmalloc() area, so try to fix 537 537 - * that up. Note that we must not take any locks or enable interrupts in 538 538 - * this case. 495 495 + * that up via vmalloc_fault(). 539 496 * 540 540 - * If vmalloc() fixup fails, that means the non-leaf page tables did not 497 497 + * If vmalloc_fault() fails, that means the non-leaf page tables did not 541 498 * contain an entry for this address, so handle this via 542 499 * do_kernel_address_page_fault(). 543 500 */ ··· 545 504 do_translation_fault(unsigned long addr, unsigned int fsr, 546 505 struct pt_regs *regs) 547 506 { 548 548 - unsigned int index; 549 549 - pgd_t *pgd, *pgd_k; 550 550 - p4d_t *p4d, *p4d_k; 551 551 - pud_t *pud, *pud_k; 552 552 - pmd_t *pmd, *pmd_k; 553 553 - 554 507 if (addr < TASK_SIZE) 555 508 return do_page_fault(addr, fsr, regs); 556 509 557 557 - if (user_mode(regs)) 558 558 - goto bad_area; 510 510 + if (!user_mode(regs) && vmalloc_fault(addr)) 511 511 + return 0; 559 512 560 560 - index = pgd_index(addr); 561 561 - 562 562 - pgd = cpu_get_pgd() + index; 563 563 - pgd_k = init_mm.pgd + index; 564 564 - 565 565 - p4d = p4d_offset(pgd, addr); 566 566 - p4d_k = p4d_offset(pgd_k, addr); 567 567 - 568 568 - if (p4d_none(*p4d_k)) 569 569 - goto bad_area; 570 570 - if (!p4d_present(*p4d)) 571 571 - set_p4d(p4d, *p4d_k); 572 572 - 573 573 - pud = pud_offset(p4d, addr); 574 574 - pud_k = pud_offset(p4d_k, addr); 575 575 - 576 576 - if (pud_none(*pud_k)) 577 577 - goto bad_area; 578 578 - if (!pud_present(*pud)) 579 579 - set_pud(pud, *pud_k); 580 580 - 581 581 - pmd = pmd_offset(pud, addr); 582 582 - pmd_k = pmd_offset(pud_k, addr); 583 583 - 584 584 - #ifdef CONFIG_ARM_LPAE 585 585 - /* 586 586 - * Only one hardware entry per PMD with LPAE. 587 587 - */ 588 588 - index = 0; 589 589 - #else 590 590 - /* 591 591 - * On ARM one Linux PGD entry contains two hardware entries (see page 592 592 - * tables layout in pgtable.h). We normally guarantee that we always 593 593 - * fill both L1 entries. But create_mapping() doesn't follow the rule. 594 594 - * It can create inidividual L1 entries, so here we have to call 595 595 - * pmd_none() check for the entry really corresponded to address, not 596 596 - * for the first of pair. 597 597 - */ 598 598 - index = (addr >> SECTION_SHIFT) & 1; 599 599 - #endif 600 600 - if (pmd_none(pmd_k[index])) 601 601 - goto bad_area; 602 602 - 603 603 - copy_pmd(pmd, pmd_k); 604 604 - return 0; 605 605 - 606 606 - bad_area: 607 513 do_kernel_address_page_fault(current->mm, addr, fsr, regs); 608 514 609 515 return 0;

+36 -6

arch/arm/mm/fault.h

reviewed

··· 5 5 /* 6 6 * Fault status register encodings. We steal bit 31 for our own purposes. 7 7 */ 8 8 - #define FSR_LNX_PF (1 << 31) 9 9 - #define FSR_CM (1 << 13) 10 10 - #define FSR_WRITE (1 << 11) 11 11 - #define FSR_FS4 (1 << 10) 12 12 - #define FSR_FS3_0 (15) 13 13 - #define FSR_FS5_0 (0x3f) 8 8 + #define FSR_LNX_PF BIT(31) 9 9 + #define FSR_CM BIT(13) 10 10 + #define FSR_WRITE BIT(11) 14 11 15 12 #ifdef CONFIG_ARM_LPAE 16 13 #define FSR_FS_AEA 17 ··· 15 18 #define FS_PERM_NOLL 0xC 16 19 #define FS_MMU_NOLL_MASK 0x3C 17 20 21 21 + #define FSR_FS5_0 GENMASK(5, 0) 22 22 + 18 23 static inline int fsr_fs(unsigned int fsr) 19 24 { 20 25 return fsr & FSR_FS5_0; 26 26 + } 27 27 + 28 28 + static inline bool is_translation_fault(unsigned int fsr) 29 29 + { 30 30 + int fs = fsr_fs(fsr); 31 31 + 32 32 + return (fs & FS_MMU_NOLL_MASK) == FS_TRANS_NOLL; 33 33 + } 34 34 + 35 35 + static inline bool is_permission_fault(unsigned int fsr) 36 36 + { 37 37 + int fs = fsr_fs(fsr); 38 38 + 39 39 + return (fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL; 21 40 } 22 41 #else 23 42 #define FSR_FS_AEA 22 ··· 42 29 #define FS_L1_PERM 0xD 43 30 #define FS_L2_PERM 0xF 44 31 32 32 + #define FSR_FS4 BIT(10) 33 33 + #define FSR_FS3_0 GENMASK(3, 0) 34 34 + 45 35 static inline int fsr_fs(unsigned int fsr) 46 36 { 47 37 return (fsr & FSR_FS3_0) | (fsr & FSR_FS4) >> 6; 38 38 + } 39 39 + 40 40 + static inline bool is_translation_fault(unsigned int fsr) 41 41 + { 42 42 + int fs = fsr_fs(fsr); 43 43 + 44 44 + return fs == FS_L1_TRANS || fs == FS_L2_TRANS; 45 45 + } 46 46 + 47 47 + static inline bool is_permission_fault(unsigned int fsr) 48 48 + { 49 49 + int fs = fsr_fs(fsr); 50 50 + 51 51 + return fs == FS_L1_PERM || fs == FS_L2_PERM; 48 52 } 49 53 #endif 50 54

+3 -1

arch/arm/mm/flush.c

reviewed

··· 304 304 else 305 305 mapping = NULL; 306 306 307 307 - if (!test_and_set_bit(PG_dcache_clean, &folio->flags.f)) 307 307 + if (!test_bit(PG_dcache_clean, &folio->flags.f)) { 308 308 __flush_dcache_folio(mapping, folio); 309 309 + set_bit(PG_dcache_clean, &folio->flags.f); 310 310 + } 309 311 310 312 if (pte_exec(pteval)) 311 313 __flush_icache_all();