2019-06-03 13:44:50 +08:00
/* SPDX-License-Identifier: GPL-2.0-only */
2012-03-05 19:49:27 +08:00
/*
 * Copyright (C) 2012 ARM Ltd.
 */
#ifndef __ASM_MMU_H
#define __ASM_MMU_H

2019-01-09 00:19:01 +08:00
#include <asm/cputype.h>

2017-08-20 18:20:47 +08:00
#define MMCF_AARCH32	0x1	/* mm context flag for AArch32 executables */
2018-01-08 23:38:18 +08:00
#define USER_ASID_BIT	48
#define USER_ASID_FLAG	(UL(1) << USER_ASID_BIT)
2017-12-02 01:33:48 +08:00
#define TTBR_ASID_MASK	(UL(0xffff) << 48)
2017-08-20 18:20:47 +08:00

2017-11-14 21:58:08 +08:00
#ifndef __ASSEMBLY__

arm64: mm: Pin down ASIDs for sharing mm with devices
To enable address space sharing with the IOMMU, introduce
arm64_mm_context_get() and arm64_mm_context_put(), that pin down a
context and ensure that it will keep its ASID after a rollover. Export
the symbols to let the modular SMMUv3 driver use them.
Pinning is necessary because a device constantly needs a valid ASID,
unlike tasks that only require one when running. Without pinning, we would
need to notify the IOMMU when we're about to use a new ASID for a task,
and it would get complicated when a new task is assigned a shared ASID.
Consider the following scenario with no ASID pinned:
1. Task t1 is running on CPUx with shared ASID (gen=1, asid=1)
2. Task t2 is scheduled on CPUx, gets ASID (1, 2)
3. Task tn is scheduled on CPUy, a rollover occurs, tn gets ASID (2, 1)
We would now have to immediately generate a new ASID for t1, notify
the IOMMU, and finally enable task tn. We are holding the lock during
all that time, since we can't afford having another CPU trigger a
rollover. The IOMMU issues invalidation commands that can take tens of
milliseconds.
It gets needlessly complicated. All we wanted to do was schedule task tn,
that has no business with the IOMMU. By letting the IOMMU pin tasks when
needed, we avoid stalling the slow path, and let the pinning fail when
we're out of shareable ASIDs.
After a rollover, the allocator expects at least one ASID to be available
in addition to the reserved ones (one per CPU). So (NR_ASIDS - NR_CPUS -
1) is the maximum number of ASIDs that can be shared with the IOMMU.
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Link: https://lore.kernel.org/r/20200918101852.582559-5-jean-philippe@linaro.org
Signed-off-by: Will Deacon <will@kernel.org>
2020-09-18 18:18:44 +08:00
#include <linux/refcount.h>
2021-12-03 01:10:46 +08:00
#include <asm/cpufeature.h>
2020-09-18 18:18:44 +08:00

2012-03-05 19:49:27 +08:00
typedef struct {
2015-10-07 01:46:24 +08:00
	atomic64_t	id;
2020-06-22 19:35:41 +08:00
#ifdef CONFIG_COMPAT
	void		*sigpage;
#endif
2020-09-18 18:18:44 +08:00
	refcount_t	pinned;
2015-10-07 01:46:24 +08:00
	void		*vdso;
2016-11-02 17:10:45 +08:00
	unsigned long	flags;
2012-03-05 19:49:27 +08:00
} mm_context_t;

2015-10-07 01:46:24 +08:00
/*
2021-08-06 19:31:04 +08:00
 * We use atomic64_read() here because the ASID for an 'mm_struct' can
 * be reallocated when scheduling one of its threads following a
 * rollover event (see new_context() and flush_context()). In this case,
 * a concurrent TLBI (e.g. via try_to_unmap_one() and ptep_clear_flush())
 * may use a stale ASID. This is fine in principle as the new ASID is
 * guaranteed to be clean in the TLB, but the TLBI routines have to take
 * care to handle the following race:
 *
 *    CPU 0                    CPU 1                          CPU 2
 *
 *    // ptep_clear_flush(mm)
 *    xchg_relaxed(pte, 0)
 *    DSB ISHST
 *    old = ASID(mm)
 *         |                                                  <rollover>
 *         |                                                  new = new_context(mm)
 *         \-----------------> atomic_set(mm->context.id, new)
 *                             cpu_switch_mm(mm)
 *                             // Hardware walk of pte using new ASID
 *    TLBI(old)
 *
 * In this scenario, the barrier on CPU 0 and the dependency on CPU 1
 * ensure that the page-table walker on CPU 1 *must* see the invalid PTE
 * written by CPU 0.
2015-10-07 01:46:24 +08:00
 */
2021-08-06 19:31:04 +08:00
#define ASID(mm)	(atomic64_read(&(mm)->context.id) & 0xffff)
2012-03-05 19:49:27 +08:00

2019-12-10 02:12:17 +08:00
static inline bool arm64_kernel_unmapped_at_el0(void)
2019-12-10 02:12:15 +08:00
{
2020-03-19 04:38:29 +08:00
	return cpus_have_const_cap(ARM64_UNMAP_KERNEL_AT_EL0);
2019-01-09 00:19:01 +08:00
}

2019-01-14 22:22:24 +08:00
extern void arm64_memblock_init(void);
2012-03-05 19:49:27 +08:00
extern void paging_init(void);
2016-04-09 06:50:26 +08:00
extern void bootmem_init(void);
2012-10-23 21:55:08 +08:00
extern void __iomem *early_io_map(phys_addr_t phys, unsigned long virt);
2023-04-06 23:27:58 +08:00
extern void create_mapping_noalloc(phys_addr_t phys, unsigned long virt,
				   phys_addr_t size, pgprot_t prot);
2014-10-20 21:42:07 +08:00
extern void create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys,
			       unsigned long virt, phys_addr_t size,
2016-10-21 19:22:57 +08:00
			       pgprot_t prot, bool page_mappings_only);
2019-08-23 14:24:50 +08:00
extern void *fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot);
2017-03-10 04:52:01 +08:00
extern void mark_linear_text_alias_ro(void);
2019-12-10 02:12:17 +08:00
extern bool kaslr_requires_kpti(void);
2012-03-05 19:49:27 +08:00

arm64/mm: Separate boot-time page tables from swapper_pg_dir
Since the address of swapper_pg_dir is fixed for a given kernel image,
it is an attractive target for manipulation via an arbitrary write. To
mitigate this we'd like to make it read-only by moving it into the
rodata section.
We require that swapper_pg_dir is at a fixed offset from tramp_pg_dir
and reserved_ttbr0, so these will also need to move into rodata.
However, swapper_pg_dir is allocated along with some transient page
tables used for boot which we do not want to move into rodata.
As a step towards this, this patch separates the boot-time page tables
into a new init_pg_dir, and reduces swapper_pg_dir to the single page it
needs to be. This allows us to retain the relationship between
swapper_pg_dir, tramp_pg_dir, and swapper_pg_dir, while cleanly
separating these from the boot-time page tables.
The init_pg_dir holds all of the pgd/pud/pmd/pte levels needed during
boot, and all of these levels will be freed when we switch to the
swapper_pg_dir, which is initialized by the existing code in
paging_init(). Since we start off on the init_pg_dir, we no longer need
to allocate a transient page table in paging_init() in order to ensure
that swapper_pg_dir isn't live while we initialize it.
There should be no functional change as a result of this patch.
Signed-off-by: Jun Yao <yaojun8558363@gmail.com>
Reviewed-by: James Morse <james.morse@arm.com>
[Mark: place init_pg_dir after BSS, fold mm changes, commit message]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2018-09-24 22:47:49 +08:00
#define INIT_MM_CONTEXT(name)	\
	.pgd = init_pg_dir,

2017-11-14 21:58:08 +08:00
#endif	/* !__ASSEMBLY__ */
2012-03-05 19:49:27 +08:00
#endif
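
The rollover scenario from the "Pin down ASIDs" commit message above, as an added example (a user-space C model written for this page, not kernel code and not part of the commit): a generation-based ASID allocator in which a pinned context keeps its ASID across a rollover and pinning fails once the shareable limit is reached. The names `struct mm`, `context_get()` and `rollover_reuses_t1_asid()`, the 2-bit ASID space and the single-CPU limit are assumptions of the model, which leaves out locking and the per-CPU reserved ASIDs; with three usable ASIDs the rollover is triggered by the fourth task.

```c
#define ASID_BITS   2                         /* tiny on purpose: ASIDs 1..3 usable */
#define NR_ASIDS    (1u << ASID_BITS)
#define NR_CPUS     1                         /* assumed CPU count */
#define MAX_PINNED  (NR_ASIDS - NR_CPUS - 1)  /* limit given in the commit message */
#define ASID_OF(id) ((unsigned)((id) & (NR_ASIDS - 1)))
struct mm { unsigned long id; unsigned pinned; };  /* stand-in for mm_context_t */
static unsigned long generation = 1, asid_map = 1, pinned_map, nr_pinned; /* bit 0: ASID 0 reserved */

/* Return an id valid in the current generation, rolling over when the map is full. */
static unsigned long new_context(struct mm *mm)
{
	unsigned asid = ASID_OF(mm->id);
	if (asid && ((mm->id >> ASID_BITS) == generation || mm->pinned))
		goto found;                   /* still valid, or pinned: keep the same ASID */
	for (;;) {
		for (asid = 1; asid < NR_ASIDS; asid++)
			if (!(asid_map & (1u << asid)))
				goto found;
		generation++;                 /* rollover: only pinned ASIDs stay allocated */
		asid_map = pinned_map | 1;
	}
found:
	asid_map |= 1u << asid;
	return mm->id = (generation << ASID_BITS) | asid;
}

/* Model of arm64_mm_context_get(): the pinned ASID, or 0 when none can be shared. */
static unsigned context_get(struct mm *mm)
{
	if (!mm->pinned) {
		if (nr_pinned >= MAX_PINNED)
			return 0;                 /* out of shareable ASIDs: pinning fails */
		pinned_map |= 1u << ASID_OF(new_context(mm));
		nr_pinned++;
	}
	mm->pinned++;
	return ASID_OF(mm->id);
}

/* Commit-message scenario: after the rollover, does tn get the ASID t1 was using? */
static int rollover_reuses_t1_asid(int pin_t1)
{
	struct mm t[4] = {{0}};                   /* t1, t2, t3, tn (constructed tasks) */
	generation = 1; asid_map = 1; pinned_map = nr_pinned = 0;
	if (pin_t1)
		context_get(&t[0]);
	for (int i = 0; i < 4; i++)
		new_context(&t[i]);
	return ASID_OF(t[3].id) == ASID_OF(t[0].id);
}
```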