| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 Aug 2018 15:54:33 -0400 (EDT)
From: Mikulas Patocka <mpatocka@...hat.com>
To: Ard Biesheuvel <ard.biesheuvel@...aro.org>
cc: Robin Murphy <robin.murphy@....com>,
Thomas Petazzoni <thomas.petazzoni@...e-electrons.com>,
Joao Pinto <Joao.Pinto@...opsys.com>,
linux-pci <linux-pci@...r.kernel.org>,
Jingoo Han <jingoohan1@...il.com>,
Will Deacon <will.deacon@....com>,
Russell King <linux@...linux.org.uk>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Matt Sealey <neko@...uhatsu.net>,
Catalin Marinas <catalin.marinas@....com>,
linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>
Subject: Re: framebuffer corruption due to overlapping stp instructions on
arm64
On Mon, 6 Aug 2018, Ard Biesheuvel wrote:
> On 6 August 2018 at 19:09, Mikulas Patocka <mpatocka@...hat.com> wrote:
> >
> >
> > On Mon, 6 Aug 2018, Ard Biesheuvel wrote:
> >
> >> On 6 August 2018 at 14:42, Robin Murphy <robin.murphy@....com> wrote:
> >> > On 06/08/18 11:25, Mikulas Patocka wrote:
> >> > [...]
> >> >>>
> >> >>> None of this explains why some transactions fail to make it across
> >> >>> entirely. The overlapping writes in question write the same data to
> >> >>> the memory locations that are covered by both, and so the ordering in
> >> >>> which the transactions are received should not affect the outcome.
> >> >>
> >> >>
> >> >> You're right that the corruption couldn't be explained just by reordering
> >> >> writes. My hypothesis is that the PCIe controller tries to disambiguate
> >> >> the overlapping writes, but the disambiguation logic was not tested and it
> >> >> is buggy. If there's a barrier between the overlapping writes, the PCIe
> >> >> controller won't see any overlapping writes, so it won't trigger the
> >> >> faulty disambiguation logic and it works.
> >> >>
> >> >> Could the ARM engineers look if there's some chicken bit in Cortex-A72
> >> >> that could insert barriers between non-cached writes automatically?
> >> >
> >> >
> >> > I don't think there is, and even if there was I imagine it would have a
> >> > pretty hideous effect on non-coherent DMA buffers and the various other
> >> > places in which we have Normal-NC mappings of actual system RAM.
> >> >
> >>
> >> Looking at the A72 manual, there is one chicken bit that looks like it
> >> may be related:
> >>
> >> CPUACTLR_EL1 bit #50:
> >>
> >> 0 Enables store streaming on NC/GRE memory type. This is the reset value.
> >> 1 Disables store streaming on NC/GRE memory type.
> >>
> >> so putting something like
> >>
> >> mrs x0, S3_1_C15_C2_0
> >> orr x0, x0, #(1 << 50)
> >> msr S3_1_C15_C2_0, x0
> >>
> >> in __cpu_setup() would be worth a try.
> >
> > It won't boot.
> >
> > But if i write the same value that was read, it also won't boot.
> >
> > I created a simple kernel module that reads this register and it has bit
> > 32 set, all other bits clear. But when I write the same value into it, the
> > core that does the write is stuck in infinite loop.
> >
> > So, it seems that we are writing this register from a wrong place.
> >
>
> Ah, my bad. I didn't look closely enough at the description:
>
> """
> The accessibility to the CPUACTLR_EL1 by Exception level is:
>
> EL0 -
> EL1(NS) RW (a)
> EL1(S) RW (a)
> EL2 RW (b)
> EL3(SCR.NS = 1) RW
> EL3(SCR.NS = 0) RW
>
> (a) Write access if ACTLR_EL3.CPUACTLR is 1 and ACTLR_EL2.CPUACTLR is
> 1, or ACTLR_EL3.CPUACTLR is 1 and SCR.NS is 0.
> """
>
> so you'll have to do this from ARM Trusted Firmware. If you're
> comfortable rebuilding that:
>
> diff --git a/include/lib/cpus/aarch64/cortex_a72.h
> b/include/lib/cpus/aarch64/cortex_a72.h
> index bfd64918625b..a7b8cf4be0c6 100644
> --- a/include/lib/cpus/aarch64/cortex_a72.h
> +++ b/include/lib/cpus/aarch64/cortex_a72.h
> @@ -31,6 +31,7 @@
> #define CORTEX_A72_ACTLR_EL1 S3_1_C15_C2_0
>
> #define CORTEX_A72_ACTLR_DISABLE_L1_DCACHE_HW_PFTCH (1 << 56)
> +#define CORTEX_A72_ACTLR_DIS_NC_GRE_STORE_STREAMING (1 << 50)
> #define CORTEX_A72_ACTLR_NO_ALLOC_WBWA (1 << 49)
> #define CORTEX_A72_ACTLR_DCC_AS_DCCI (1 << 44)
> #define CORTEX_A72_ACTLR_EL1_DIS_INSTR_PREFETCH (1 << 32)
> diff --git a/lib/cpus/aarch64/cortex_a72.S b/lib/cpus/aarch64/cortex_a72.S
> index 55e508678284..5914d6ee3ba6 100644
> --- a/lib/cpus/aarch64/cortex_a72.S
> +++ b/lib/cpus/aarch64/cortex_a72.S
> @@ -133,6 +133,15 @@ func cortex_a72_reset_func
> orr x0, x0, #CORTEX_A72_ECTLR_SMP_BIT
> msr CORTEX_A72_ECTLR_EL1, x0
> isb
> +
> + /* ---------------------------------------------
> + * Disables store streaming on NC/GRE memory type.
> + * ---------------------------------------------
> + */
> + mrs x0, CORTEX_A72_ACTLR_EL1
> + orr x0, x0, #CORTEX_A72_ACTLR_DIS_NC_GRE_STORE_STREAMING
> + msr CORTEX_A72_ACTLR_EL1, x0
> + isb
> ret x19
> endfunc cortex_a72_reset_func
Unfortunatelly, it doesn't work. I verified that the bit is set after
booting Linux, but the memcpy corruption was still present.
I also tried the other chicken bits, it slowed down the system noticeably,
but had no effect on the memcpy corruption.
Mikulas
Powered by blists - more mailing lists