1 From 124370babf0428ec8db2d0ba314105cd9e6ea2c7 Mon Sep 17 00:00:00 2001
2 From: Claggy3 <stephen.maclagan@hotmail.com>
3 Date: Sat, 11 Feb 2017 14:00:30 +0000
4 Subject: [PATCH] Update vfpmodule.c
6 Christopher Alexander Tobias Schulze - May 2, 2015, 11:57 a.m.
7 This patch fixes a problem with VFP state save and restore related
8 to exception handling (panic with message "BUG: unsupported FP
9 instruction in kernel mode") present on VFP11 floating point units
10 (as used with ARM1176JZF-S CPUs, e.g. on first generation Raspberry
11 Pi boards). This patch was developed and discussed on
13 https://github.com/raspberrypi/linux/issues/859
15 A precondition to see the crashes is that floating point exception
16 traps are enabled. In this case, the VFP11 might determine that a FPU
17 operation needs to trap at a point in time when it is not possible to
18 signal this to the ARM11 core any more. The VFP11 will then set the
19 FPEXC.EX bit and store the trapped opcode in FPINST. (In some cases,
20 a second opcode might have been accepted by the VFP11 before the
21 exception was detected and could be reported to the ARM11 - in this
22 case, the VFP11 also sets FPEXC.FP2V and stores the second opcode in
25 If FPEXC.EX is set, the VFP11 will "bounce" the next FPU opcode issued
26 by the ARM11 CPU, which will be seen by the ARM11 as an undefined opcode
27 trap. The VFP support code examines the FPEXC.EX and FPEXC.FP2V bits
28 to decide what actions to take, i.e., whether to emulate the opcodes
29 found in FPINST and FPINST2, and whether to retry the bounced instruction.
31 If a user space application has left the VFP11 in this "pending trap"
32 state, the next FPU opcode issued to the VFP11 might actually be the
33 VSTMIA operation vfp_save_state() uses to store the FPU registers
34 to memory (in our test cases, when building the signal stack frame).
35 In this case, the kernel crashes as described above.
37 This patch fixes the problem by making sure that vfp_save_state() is
38 always entered with FPEXC.EX cleared. (The current value of FPEXC has
39 already been saved, so this does not corrupt the context. Clearing
40 FPEXC.EX has no effects on FPINST or FPINST2. Also note that many
41 callers already modify FPEXC by setting FPEXC.EN before invoking
44 This patch also addresses a second problem related to FPEXC.EX: After
45 returning from signal handling, the kernel reloads the VFP context
46 from the user mode stack. However, the current code explicitly clears
47 both FPEXC.EX and FPEXC.FP2V during reload. As VFP11 requires these
48 bits to be preserved, this patch disables clearing them for VFP
49 implementations belonging to architecture 1. There should be no
50 negative side effects: the user can set both bits by executing FPU
51 opcodes anyway, and while user code may now place arbitrary values
52 into FPINST and FPINST2 (e.g., non-VFP ARM opcodes) the VFP support
53 code knows which instructions can be emulated, and rejects other
54 opcodes with "unhandled bounce" messages, so there should be no
55 security impact from allowing reloading FPEXC.EX and FPEXC.FP2V.
57 Signed-off-by: Christopher Alexander Tobias Schulze <cat.schulze@alice-dsl.net>
59 arch/arm/vfp/vfpmodule.c | 27 ++++++++++++++++++++-------
60 1 file changed, 20 insertions(+), 7 deletions(-)
62 diff --git a/arch/arm/vfp/vfpmodule.c b/arch/arm/vfp/vfpmodule.c
63 index 2a61e4b..7675518 100644
64 --- a/arch/arm/vfp/vfpmodule.c
65 +++ b/arch/arm/vfp/vfpmodule.c
66 @@ -183,8 +183,11 @@ static int vfp_notifier(struct notifier_block *self, unsigned long cmd, void *v)
67 * case the thread migrates to a different CPU. The
68 * restoring is done lazily.
70 - if ((fpexc & FPEXC_EN) && vfp_current_hw_state[cpu])
71 - vfp_save_state(vfp_current_hw_state[cpu], fpexc);
72 + if ((fpexc & FPEXC_EN) && vfp_current_hw_state[cpu]) {
73 + /* vfp_save_state oopses on VFP11 if EX bit set */
74 + fmxr(FPEXC, fpexc & ~FPEXC_EX);
75 + vfp_save_state(vfp_current_hw_state[cpu], fpexc);
80 @@ -467,13 +470,16 @@ static int vfp_pm_suspend(void)
81 /* if vfp is on, then save state for resumption */
82 if (fpexc & FPEXC_EN) {
83 pr_debug("%s: saving vfp state\n", __func__);
84 + /* vfp_save_state oopses on VFP11 if EX bit set */
85 + fmxr(FPEXC, fpexc & ~FPEXC_EX);
86 vfp_save_state(&ti->vfpstate, fpexc);
88 /* disable, just in case */
89 fmxr(FPEXC, fmrx(FPEXC) & ~FPEXC_EN);
90 } else if (vfp_current_hw_state[ti->cpu]) {
92 - fmxr(FPEXC, fpexc | FPEXC_EN);
93 + /* vfp_save_state oopses on VFP11 if EX bit set */
94 + fmxr(FPEXC, (fpexc & ~FPEXC_EX) | FPEXC_EN);
95 vfp_save_state(vfp_current_hw_state[ti->cpu], fpexc);
98 @@ -536,7 +542,8 @@ void vfp_sync_hwstate(struct thread_info *thread)
100 * Save the last VFP state on this CPU.
102 - fmxr(FPEXC, fpexc | FPEXC_EN);
103 + /* vfp_save_state oopses on VFP11 if EX bit set */
104 + fmxr(FPEXC, (fpexc & ~FPEXC_EX) | FPEXC_EN);
105 vfp_save_state(&thread->vfpstate, fpexc | FPEXC_EN);
108 @@ -608,6 +615,7 @@ int vfp_restore_user_hwstate(struct user_vfp __user *ufp,
109 struct vfp_hard_struct *hwstate = &thread->vfpstate.hard;
112 + u32 fpsid = fmrx(FPSID);
114 /* Disable VFP to avoid corrupting the new thread state. */
115 vfp_flush_hwstate(thread);
116 @@ -631,8 +639,12 @@ int vfp_restore_user_hwstate(struct user_vfp __user *ufp,
117 /* Ensure the VFP is enabled. */
120 - /* Ensure FPINST2 is invalid and the exception flag is cleared. */
121 - fpexc &= ~(FPEXC_EX | FPEXC_FP2V);
122 + /* Mask FPXEC_EX and FPEXC_FP2V if not required by VFP arch */
123 + if ((fpsid & FPSID_ARCH_MASK) != (1 << FPSID_ARCH_BIT)) {
124 + /* Ensure FPINST2 is invalid and the exception flag is cleared. */
125 + fpexc &= ~(FPEXC_EX | FPEXC_FP2V);
128 hwstate->fpexc = fpexc;
130 __get_user_error(hwstate->fpinst, &ufp_exc->fpinst, err);
131 @@ -702,7 +714,8 @@ void kernel_neon_begin(void)
134 fpexc = fmrx(FPEXC) | FPEXC_EN;
135 - fmxr(FPEXC, fpexc);
136 + /* vfp_save_state oopses on VFP11 if EX bit set */
137 + fmxr(FPEXC, fpexc & ~FPEXC_EX);
140 * Save the userland NEON/VFP state. Under UP,
projects / openwrt / openwrt.git / blob