On Fri, Aug 29, 2025 at 08:49:21AM -0700, Kees Cook wrote:
> Seen during KPTI initialization:
>
> CFI failure at create_kpti_ng_temp_pgd+0x124/0xce8 (target:
> kpti_ng_pgd_alloc+0x0/0x14; expected type: 0xd61b88b6)
>
> The call site is alloc_init_pud() at arch/arm64/mm/mmu.c:
>
> pud_phys = pgtable_alloc(TABLE_PUD);
>
> alloc_init_pud() has the prototype:
>
> static void alloc_init_pud(p4d_t *p4dp, unsigned long addr, unsigned long
> end,
> phys_addr_t phys, pgprot_t prot,
> phys_addr_t (*pgtable_alloc)(enum pgtable_type),
> int flags)
>
> where the pgtable_alloc() prototype is declared.
>
> The target (kpti_ng_pgd_alloc) is used in arch/arm64/kernel/cpufeature.c:
>
> create_kpti_ng_temp_pgd(kpti_ng_temp_pgd, __pa(alloc), KPTI_NG_TEMP_VA,
> PAGE_SIZE, PAGE_KERNEL, kpti_ng_pgd_alloc, 0);
>
> which is an alias for __create_pgd_mapping_locked() with prototype:
>
> extern __alias(__create_pgd_mapping_locked)
> void create_kpti_ng_temp_pgd(pgd_t *pgdir, phys_addr_t phys,
> unsigned long virt,
> phys_addr_t size, pgprot_t prot,
> phys_addr_t (*pgtable_alloc)(enum
> pgtable_type),
> int flags);
>
> __create_pgd_mapping_locked() passes the function pointer down:
>
> __create_pgd_mapping_locked() -> alloc_init_p4d() -> alloc_init_pud()
>
> But the target function (kpti_ng_pgd_alloc) has the wrong signature:
>
> static phys_addr_t __init kpti_ng_pgd_alloc(int shift);
>
> The "int" should be "enum pgtable_type".
>
> To make "enum pgtable_type" available to cpufeature.c, move
> enum pgtable_type definition from arch/arm64/mm/mmu.c to
> arch/arm64/include/asm/mmu.h.
>
> Adjust kpti_ng_pgd_alloc to use "enum pgtable_type" instead of "int".
> The function behavior remains identical (parameter is unused).
>
> Fixes: 47546a1912fc ("arm64: mm: install KPTI nG mappings with MMU enabled")
That doesn't look right; that commit is from June 2022, and we only
introduced enum pgtable_type in May 2025 in commit:
c64f46ee13779616 ("arm64: mm: use enum to identify pgtable level instead of
*_SHIFT")
... which landed in v6.16.
AFAICT, that's the commit which broke things.
The actual fix looks fine, though I suspect we should move more of this
logic into mmu.c.
Mark.
> Signed-off-by: Kees Cook <k...@kernel.org>
> ---
> Cc: Ard Biesheuvel <a...@kernel.org>
> Cc: Catalin Marinas <catalin.mari...@arm.com>
> Cc: Will Deacon <w...@kernel.org>
> Cc: Oliver Upton <oliver.up...@linux.dev>
> Cc: Anshuman Khandual <anshuman.khand...@arm.com>
> Cc: Yue Haibing <yuehaib...@huawei.com>
> Cc: Mark Rutland <mark.rutl...@arm.com>
> Cc: Marc Zyngier <m...@kernel.org>
> Cc: Mark Brown <broo...@kernel.org>
> Cc: <linux-arm-ker...@lists.infradead.org>
> ---
> arch/arm64/include/asm/mmu.h | 7 +++++++
> arch/arm64/kernel/cpufeature.c | 5 +++--
> arch/arm64/mm/mmu.c | 7 -------
> 3 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h
> index 6e8aa8e72601..49f1a810df16 100644
> --- a/arch/arm64/include/asm/mmu.h
> +++ b/arch/arm64/include/asm/mmu.h
> @@ -17,6 +17,13 @@
> #include <linux/refcount.h>
> #include <asm/cpufeature.h>
>
> +enum pgtable_type {
> + TABLE_PTE,
> + TABLE_PMD,
> + TABLE_PUD,
> + TABLE_P4D,
> +};
> +
> typedef struct {
> atomic64_t id;
> #ifdef CONFIG_COMPAT
> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> index 9ad065f15f1d..e49d142a281f 100644
> --- a/arch/arm64/kernel/cpufeature.c
> +++ b/arch/arm64/kernel/cpufeature.c
> @@ -84,6 +84,7 @@
> #include <asm/hwcap.h>
> #include <asm/insn.h>
> #include <asm/kvm_host.h>
> +#include <asm/mmu.h>
> #include <asm/mmu_context.h>
> #include <asm/mte.h>
> #include <asm/hypervisor.h>
> @@ -1945,11 +1946,11 @@ static bool has_pmuv3(const struct
> arm64_cpu_capabilities *entry, int scope)
> extern
> void create_kpti_ng_temp_pgd(pgd_t *pgdir, phys_addr_t phys, unsigned long
> virt,
> phys_addr_t size, pgprot_t prot,
> - phys_addr_t (*pgtable_alloc)(int), int flags);
> + phys_addr_t (*pgtable_alloc)(enum pgtable_type),
> int flags);
>
> static phys_addr_t __initdata kpti_ng_temp_alloc;
>
> -static phys_addr_t __init kpti_ng_pgd_alloc(int shift)
> +static phys_addr_t __init kpti_ng_pgd_alloc(enum pgtable_type type)
> {
> kpti_ng_temp_alloc -= PAGE_SIZE;
> return kpti_ng_temp_alloc;
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index 34e5d78af076..183801520740 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -47,13 +47,6 @@
> #define NO_CONT_MAPPINGS BIT(1)
> #define NO_EXEC_MAPPINGS BIT(2) /* assumes FEAT_HPDS is not used */
>
> -enum pgtable_type {
> - TABLE_PTE,
> - TABLE_PMD,
> - TABLE_PUD,
> - TABLE_P4D,
> -};
> -
> u64 kimage_voffset __ro_after_init;
> EXPORT_SYMBOL(kimage_voffset);
>
> --
> 2.34.1
>
