[PATCH] ARM: mm: fix kexec and hibernation with CONFIG_CPU_TTBR0_PAN

Florian Fainelli florian.fainelli at broadcom.com
Mon May 25 11:15:20 PDT 2026 


On 5/25/2026 6:35 AM, Linus Walleij wrote:
> Hi Florian,
> 
> thanks for digging in and finding this!
> 
> On Sat, May 23, 2026 at 2:08 AM Florian Fainelli
> <florian.fainelli at broadcom.com> wrote:
> 
>> Commit 7af5b901e847 ("ARM: 9358/2: Implement PAN for LPAE by TTBR0
>> page table walks disablement") implemented PAN for LPAE kernels by
>> setting TTBCR.EPD0 on every kernel entry, disabling TTBR0 page-table
>> walks while running in kernel mode. The commit correctly updated
>> cpu_suspend() in arch/arm/kernel/suspend.c, but missed two other code
>> paths that switch the CPU to the identity mapping before jumping to
>> low-PA (TTBR0-range) physical addresses:
>>
>> 1. setup_mm_for_reboot() in arch/arm/mm/idmap.c, used by the kexec
>>     reboot path. With TTBCR.EPD0 still set, the subsequent branch to
>>     the identity-mapped cpu_v7_reset causes a PrefetchAbort because the
>>     TTBR0 page-table walk needed to resolve the identity-mapped address
>>     is disabled. This manifests as a hard hang or "bad PC value" panic
>>     on LPAE kernels booted on CPUs that strictly enforce EPD0 for
>>     instruction fetch (e.g. Cortex-A53 in AArch32 mode) while the same
>>     image may accidentally work on Cortex-A15 due to microarchitectural
>>     differences in EPD0 enforcement.
>>
>> 2. arch_restore_image() in arch/arm/kernel/hibernate.c, which calls
>>     cpu_switch_mm(idmap_pgd, &init_mm) directly without going through
>>     setup_mm_for_reboot(), leaving TTBCR.EPD0 set while the identity
>>     mapping is active.
>>
>> Fix both sites by calling uaccess_save_and_enable() before switching
>> to the identity mapping, mirroring what the original commit did for
>> cpu_suspend().
>>
>> Fixes: 7af5b901e847 ("ARM: 9358/2: Implement PAN for LPAE by TTBR0 page table walks disablement")
>> Cc: Catalin Marinas <catalin.marinas at arm.com>
>> Cc: Linus Walleij <linus.walleij at linaro.org>
>> Assisted-by: Cursor:claude-sonnet-4.6
>> Signed-off-by: Florian Fainelli <florian.fainelli at broadcom.com>
> 
> Reviewed-by: Linus Walleij <linusw at kernel.org>
> 
> Please put this patch into Russell's patch tracker.

Thank you, now done:

https://www.armlinux.org.uk/developer/patches/viewpatch.php?id=9476/1
-- 
Florian

More information about the linux-arm-kernel mailing list