[PATCH 2/2] arm64: Notify on pte permission upgrades

From: Alistair Popple
Date: Tue May 23 2023 - 21:47:57 EST


ARM64 requires TLB invalidates when upgrading pte permission from
read-only to read-write. However mmu_notifiers assume upgrades do not
need notifications and none are sent. This causes problems when a
secondary TLB such as implemented by an ARM SMMU doesn't support
broadcast TLB maintenance (BTM) and caches a read-only PTE.

As no notification is sent and the SMMU does not snoop TLB invalidates
it will continue to return read-only entries to a device even though
the CPU page table contains a writable entry. This leads to a
continually faulting device and no way of handling the fault.

The ARM SMMU driver already registers for mmu notifier events to keep
any secondary TLB synchronised. Therefore sending a notifier on
permission upgrade fixes the problem.

Rather than adding notifier calls to generic architecture independent
code where it may cause performance regressions on architectures that
don't require it add it to the architecture specific
ptep_set_access_flags() where the CPU TLB is invalidated.

Signed-off-by: Alistair Popple <apopple@xxxxxxxxxx>

---

A version of this fix was previously posted here:

https://lore.kernel.org/linux-mm/ZGxg+I8FWz3YqBMk@xxxxxxxxxxxxx/T/

That fix updated generic architecture independent code by adding a new
mmu notifier range event that would allow filtering by
architectures/drivers that didn't require flushing for upgrades.

This was done because calling notifiers from architecture specific
code requires calling the notifier while holding the ptl. It wasn't
immediately obvious that that was safe, but review comments and git
history suggests it must be hence the updated approach here.
---
arch/arm64/mm/fault.c | 6 +++++-
arch/arm64/mm/hugetlbpage.c | 9 +++++++++
2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index cb21ccd..1ee45a8 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -25,6 +25,7 @@
#include <linux/perf_event.h>
#include <linux/preempt.h>
#include <linux/hugetlb.h>
+#include <linux/mmu_notifier.h>

#include <asm/acpi.h>
#include <asm/bug.h>
@@ -225,8 +226,11 @@ int ptep_set_access_flags(struct vm_area_struct *vma,
} while (pteval != old_pteval);

/* Invalidate a stale read-only entry */
- if (dirty)
+ if (dirty) {
flush_tlb_page(vma, address);
+ mmu_notifier_invalidate_range(vma->vm_mm, address & PAGE_MASK,
+ (address & PAGE_MASK) + PAGE_SIZE);
+ }
return 1;
}

diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c
index 95364e8..677f0d1 100644
--- a/arch/arm64/mm/hugetlbpage.c
+++ b/arch/arm64/mm/hugetlbpage.c
@@ -14,6 +14,7 @@
#include <linux/pagemap.h>
#include <linux/err.h>
#include <linux/sysctl.h>
+#include <linux/mmu_notifier.h>
#include <asm/mman.h>
#include <asm/tlb.h>
#include <asm/tlbflush.h>
@@ -487,6 +488,14 @@ int huge_ptep_set_access_flags(struct vm_area_struct *vma,

orig_pte = get_clear_contig_flush(mm, addr, ptep, pgsize, ncontig);

+ /*
+ * Make sure any cached read-only entries are removed from
+ * secondary TLBs.
+ */
+ if (dirty)
+ mmu_notifier_invalidate_range(mm, addr,
+ addr + (pgsize + ncontig));
+
/* Make sure we don't lose the dirty or young state */
if (pte_dirty(orig_pte))
pte = pte_mkdirty(pte);
--
git-series 0.9.1