List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Subject: Re: git: f29942229d24 - main - Read the arm64 far early in el0 exceptions
From: Jessica Clarke
Date: Tue, 14 Feb 2023 02:57:53 +0000
To: Andrew Turner
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Message-Id: <1F46E64A-2261-47B1-BA73-3649DB1E08CE@freebsd.org>
In-Reply-To: <0E3AAA1E-0B3E-4C4F-A425-CEE13BAE8723@freebsd.org>
References: <202302021648.312GmSXI049747@gitrepo.freebsd.org> <0E3AAA1E-0B3E-4C4F-A425-CEE13BAE8723@freebsd.org>

On 2 Feb 2023, at 21:00, Jessica Clarke wrote:
>
> On 2 Feb 2023, at 16:48, Andrew Turner wrote:
>>
>> The branch main has been updated by andrew:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=f29942229d24ebb8b98f8c5d02f3c8632648007e
>>
>> commit f29942229d24ebb8b98f8c5d02f3c8632648007e
>> Author: Andrew Turner
>> AuthorDate: 2023-01-25 17:47:39 +0000
>> Commit: Andrew Turner
>> CommitDate: 2023-02-02
16:43:15 +0000
>>
>> Read the arm64 far early in el0 exceptions
>>
>> When handling userspace exceptions on arm64 we need to dereference the
>> current thread pointer. If this is being promoted/demoted there is a
>> small window where it will cause another exception to be hit. As this
>> second exception will set the fault address register we will read the
>> incorrect value in the userspace exception handler.
>>
>> Fix this by always reading the fault address before dereferencing the
>> current thread pointer.
>>
>> Reported by: olivier@
>> Reviewed by: markj
>> Sponsored by: Arm Ltd
>> Differential Revision: https://reviews.freebsd.org/D38196
>> ---
>> sys/arm64/arm64/exception.S | 15 +++++++++++++++
>> sys/arm64/arm64/trap.c | 26 +++++++-------------------
>> 2 files changed, 22 insertions(+), 19 deletions(-)
>>
>> diff --git a/sys/arm64/arm64/exception.S b/sys/arm64/arm64/exception.S
>> index 4a74358afeb9..55bac5e5228a 100644
>> --- a/sys/arm64/arm64/exception.S
>> +++ b/sys/arm64/arm64/exception.S
>> @@ -212,10 +212,25 @@ ENTRY(handle_el1h_irq) >> END(handle_el1h_irq) >>=20 >> ENTRY(handle_el0_sync) >> + /* >> + * Read the fault address early. The current thread structure = may >> + * be transiently unmapped if it is part of a memory range being >> + * promoted or demoted to/from a superpage. As this involves a >> + * break-before-make sequence there is a short period of time = where >> + * an access will raise an exception. If this happens the fault >> + * address will be changed to the kernel address so a later read = of >> + * far_el1 will give the wrong value. >> + * >> + * The earliest memory access that could trigger a fault is in a >> + * function called by the save_registers macro so this is the = latest >> + * we can read the userspace value. >> + */ >> + mrs x19, far_el1 >> save_registers 0 >> ldr x0, [x18, #PC_CURTHREAD] >> mov x1, sp >> str x1, [x0, #TD_FRAME] >> + mov x2, x19 >> bl do_el0_sync >> do_ast >> restore_registers 0 >> diff --git a/sys/arm64/arm64/trap.c b/sys/arm64/arm64/trap.c >> index 4e54a06548cc..1b33d7aa60c4 100644 >> --- a/sys/arm64/arm64/trap.c >> +++ b/sys/arm64/arm64/trap.c >> @@ -76,7 +76,7 @@ __FBSDID("$FreeBSD$"); >>=20 >> /* Called from exception.S */ >> void do_el1h_sync(struct thread *, struct trapframe *);
>
> This did not address my feedback regarding EL1 debug exceptions also
> clobbering FAR.

Ping, now after this has been MFC'ed without so much as a reply to my
feedback here nor on the Phabricator review.

Jess

>> -void do_el0_sync(struct thread *, struct trapframe *); >> +void do_el0_sync(struct thread *, struct trapframe *, uint64_t far); >> void do_el0_error(struct trapframe *); >> void do_serror(struct trapframe *); >> void unhandled_exception(struct trapframe *);
>> @@ -559,11 +559,11 @@ do_el1h_sync(struct thread *td, struct = trapframe *frame) >> } >>=20 >> void >> -do_el0_sync(struct thread *td, struct trapframe *frame) >> +do_el0_sync(struct thread *td, struct trapframe *frame, uint64_t = far) >> { >> pcpu_bp_harden bp_harden; >> uint32_t exception; >> - uint64_t esr, far; >> + uint64_t esr; >> int dfsc; >>=20 >> /* Check we have a sane environment when entering from userland = */ >> @@ -573,27 +573,15 @@ do_el0_sync(struct thread *td, struct trapframe = *frame) >>=20 >> esr =3D frame->tf_esr; >> exception =3D ESR_ELx_EXCEPTION(esr); >> - switch (exception) { >> - case EXCP_INSN_ABORT_L: >> - far =3D READ_SPECIALREG(far_el1); >> - >> + if (exception =3D=3D EXCP_INSN_ABORT_L && far > = VM_MAXUSER_ADDRESS) { >> /* >> * Userspace may be trying to train the branch predictor = to >> * attack the kernel. If we are on a CPU affected by = this >> * call the handler to clear the branch predictor state. >> */ >> - if (far > VM_MAXUSER_ADDRESS) { >> - bp_harden =3D PCPU_GET(bp_harden); >> - if (bp_harden !=3D NULL) >> - bp_harden(); >> - } >> - break; >> - case EXCP_UNKNOWN: >> - case EXCP_DATA_ABORT_L: >> - case EXCP_DATA_ABORT: >> - case EXCP_WATCHPT_EL0: >> - far =3D READ_SPECIALREG(far_el1); >> - break; >> + bp_harden =3D PCPU_GET(bp_harden); >> + if (bp_harden !=3D NULL) >> + bp_harden(); >> } >> intr_enable();
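Review bot: in the exception.S hunk (@@ -212,10 +212,25 @@), `mrs x19, far_el1` runs before `save_registers 0` has stored the interrupted thread's registers, so at that point x19 still belongs to userspace; unless the macro obtains x19 from somewhere other than the register, the trap frame will record the fault address in place of the user's x19 and `restore_registers 0` will return it to userspace corrupted. Either move the far_el1 read into save_registers after x19 has been stored (the new comment already says the first faulting access is inside a function the macro calls, so a read placed just before that call is still early enough), or spill x19 before the `mrs` and say so in the comment. The comment should also note that x19 is chosen because it is callee-saved under AAPCS64, which is the only reason the value survives the `bl` inside the macro until `mov x2, x19`.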
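Review bot: in the trap.c hunk at @@ -76,7 +76,7 @@, the new prototype `void do_el0_sync(struct thread *, struct trapframe *, uint64_t far);` names its third parameter while every neighbouring declaration names none; drop `far` so the block stays consistent with itself and with style(9), which asks for unnamed parameters in prototypes. The same hunk leaves `void do_el1h_sync(struct thread *, struct trapframe *);` untouched, which is the point the reply in this thread is making: the EL1 path presumably still reads far_el1 from C as do_el0_sync did before this change, so an EL1 debug exception taken before that read would overwrite the value. Either extend the early read to handle_el1h_sync or state in the commit message why the EL1 case is out of scope.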
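Review bot: in the hunk at @@ -573,27 +573,15 @@, collapsing the switch into one `if` means `far` now arrives for every exception class, whereas before it was only read for EXCP_INSN_ABORT_L, EXCP_UNKNOWN, EXCP_DATA_ABORT_L, EXCP_DATA_ABORT and EXCP_WATCHPT_EL0. FAR_EL1 is only architecturally defined for classes that report a fault address (aborts, watchpoints and a few others) and is UNKNOWN otherwise, so the visible use `exception == EXCP_INSN_ABORT_L && far > VM_MAXUSER_ADDRESS` is correctly gated, but any consumer of `far` further down in do_el0_sync (outside this hunk) must keep the same per-class gating rather than treat the value as meaningful. A one-line comment on the new parameter saying which exception classes make `far` valid would make that contract explicit for future callers.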