• Lorenzo Pieralisi's avatar
    arm64: kernel: fix __cpu_suspend mm switch on warm-boot · b3ce059c
    Lorenzo Pieralisi authored
    commit f43c2718 upstream.
    
    On arm64 the TTBR0_EL1 register is set to either the reserved TTBR0
    page tables on boot or to the active_mm mappings belonging to user space
    processes, it must never be set to swapper_pg_dir page tables mappings.
    
    When a CPU is booted its active_mm is set to init_mm even though its
    TTBR0_EL1 points at the reserved TTBR0 page mappings. This implies
    that when __cpu_suspend is triggered the active_mm can point at
    init_mm even if the current TTBR0_EL1 register contains the reserved
    TTBR0_EL1 mappings.
    
    Therefore, the mm save and restore executed in __cpu_suspend might
    turn out to be erroneous in that, if the current->active_mm corresponds
    to init_mm, on resume from low power it ends up restoring in the
    TTBR0_EL1 the init_mm mappings that are global and can cause speculation
    of TLB entries which end up being propagated to user space.
    
    This patch fixes the issue by checking the active_mm pointer before
    restoring the TTBR0 mappings. If the current active_mm == &init_mm,
    the code sets the TTBR0_EL1 to the reserved TTBR0 mapping instead of
    switching back to the active_mm, which is the expected behaviour
    corresponding to the TTBR0_EL1 settings when __cpu_suspend was entered.
    
    Fixes: 95322526 ("arm64: kernel: cpu_{suspend/resume} implementation")
    Cc: Will Deacon <will.deacon@arm.com>
    Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
    b3ce059c
suspend.c 4.61 KB