[PATCH] RISC-V: Fix FIXMAP area corruption on RV32 systems

From: Anup Patel
Date: Fri Aug 16 2019 - 07:49:47 EST

Next message: Wolfram Sang: "Re: [PATCH v3 3/3] i2c/busses/i2c-icy: Add LTC2990 present on 2019 board revision"
Previous message: Jason Gunthorpe: "Re: turn hmm migrate_vma upside down v3"
Next in thread: Alistair Francis: "Re: [PATCH] RISC-V: Fix FIXMAP area corruption on RV32 systems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Currently, the order of various virtual memory areas in increasing
order of virtual addresses is as follows:
1. User space area
2. FIXMAP area
3. VMALLOC area
4. Kernel area

The user space area starts at 0x0 and it's maximum size is represented
by TASK_SIZE.

On RV32 systems, TASK_SIZE is defined as VMALLOC_START which causes the
user space area to overlap the FIXMAP area. This allows user space apps
to potentially corrupt the FIXMAP area and kernel OF APIs will crash
whenever they access corrupted FDT in the FIXMAP area.

On RV64 systems, TASK_SIZE is set to fixed 256GB and no other areas
happen to overlap so we don't see any FIXMAP area corruptions.

This patch fixes FIXMAP area corruption on RV32 systems by setting
TASK_SIZE to FIXADDR_START. We also move FIXADDR_TOP, FIXADDR_SIZE,
and FIXADDR_START defines to asm/pgtable.h so that we can avoid cyclic
header includes.

Signed-off-by: Anup Patel <anup.patel@xxxxxxx>
---
arch/riscv/include/asm/fixmap.h | 4 ----
arch/riscv/include/asm/pgtable.h | 12 ++++++++++--
2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/arch/riscv/include/asm/fixmap.h b/arch/riscv/include/asm/fixmap.h
index 9c66033c3a54..161f28d04a07 100644
--- a/arch/riscv/include/asm/fixmap.h
+++ b/arch/riscv/include/asm/fixmap.h
@@ -30,10 +30,6 @@ enum fixed_addresses {
__end_of_fixed_addresses
};

-#define FIXADDR_SIZE (__end_of_fixed_addresses * PAGE_SIZE)
-#define FIXADDR_TOP (VMALLOC_START)
-#define FIXADDR_START (FIXADDR_TOP - FIXADDR_SIZE)
-
#define FIXMAP_PAGE_IO PAGE_KERNEL

#define __early_set_fixmap __set_fixmap
diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
index a364aba23d55..9dd08a006a28 100644
--- a/arch/riscv/include/asm/pgtable.h
+++ b/arch/riscv/include/asm/pgtable.h
@@ -420,14 +420,22 @@ static inline void pgtable_cache_init(void)
#define VMALLOC_END (PAGE_OFFSET - 1)
#define VMALLOC_START (PAGE_OFFSET - VMALLOC_SIZE)

+#define FIXADDR_TOP (VMALLOC_START)
+#ifdef CONFIG_64BIT
+#define FIXADDR_SIZE PMD_SIZE
+#else
+#define FIXADDR_SIZE PGDIR_SIZE
+#endif
+#define FIXADDR_START (FIXADDR_TOP - FIXADDR_SIZE)
+
/*
- * Task size is 0x4000000000 for RV64 or 0xb800000 for RV32.
+ * Task size is 0x4000000000 for RV64 or 0x9fc00000 for RV32.
* Note that PGDIR_SIZE must evenly divide TASK_SIZE.
*/
#ifdef CONFIG_64BIT
#define TASK_SIZE (PGDIR_SIZE * PTRS_PER_PGD / 2)
#else
-#define TASK_SIZE VMALLOC_START
+#define TASK_SIZE FIXADDR_START
#endif

#include <asm-generic/pgtable.h>
--
2.17.1

Next message: Wolfram Sang: "Re: [PATCH v3 3/3] i2c/busses/i2c-icy: Add LTC2990 present on 2019 board revision"
Previous message: Jason Gunthorpe: "Re: turn hmm migrate_vma upside down v3"
Next in thread: Alistair Francis: "Re: [PATCH] RISC-V: Fix FIXMAP area corruption on RV32 systems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]