--- /dev/null
+From f14040bca89258b8a1c71e2112e430462172ce93 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Thu, 13 Sep 2018 15:33:47 +1000
+Subject: KVM: PPC: Book3S HV: Fix guest r11 corruption with POWER9 TM workarounds
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit f14040bca89258b8a1c71e2112e430462172ce93 upstream.
+
+When we come into the softpatch handler (0x1500), we use r11 to store
+the HSRR0 for later use by the denorm handler.
+
+We also use the softpatch handler for the TM workarounds for
+POWER9. Unfortunately, in kvmppc_interrupt_hv we later store r11 out
+to the vcpu assuming it's still what we got from userspace.
+
+This causes r11 to be corrupted in the VCPU and hence when we restore
+the guest, we get a corrupted r11. We've seen this when running TM
+tests inside guests on P9.
+
+This fixes the problem by only touching r11 in the denorm case.
+
+Fixes: 4bb3c7a020 ("KVM: PPC: Book3S HV: Work around transactional memory bugs in POWER9")
+Cc: <stable@vger.kernel.org> # 4.17+
+Test-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+Reviewed-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/exceptions-64s.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -1321,9 +1321,7 @@ EXC_REAL_BEGIN(denorm_exception_hv, 0x15
+
+ #ifdef CONFIG_PPC_DENORMALISATION
+ mfspr r10,SPRN_HSRR1
+- mfspr r11,SPRN_HSRR0 /* save HSRR0 */
+ andis. r10,r10,(HSRR1_DENORM)@h /* denorm? */
+- addi r11,r11,-4 /* HSRR0 is next instruction */
+ bne+ denorm_assist
+ #endif
+
+@@ -1389,6 +1387,8 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S)
+ */
+ XVCPSGNDP32(32)
+ denorm_done:
++ mfspr r11,SPRN_HSRR0
++ subi r11,r11,4
+ mtspr SPRN_HSRR0,r11
+ mtcrf 0x80,r9
+ ld r9,PACA_EXGEN+EX_R9(r13)
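Review bot: The two lines added at `denorm_done` carry no comment, and the one that explained the adjustment (`/* HSRR0 is next instruction */`) went away with the lines removed in the first hunk of this file. Since the whole fix is that r11 must keep the guest value on the non-denorm path, I would restore it as `subi r11,r11,4 /* HSRR0 is next instruction */` and add a line above the `mfspr` saying that r11 may only be used as scratch once the denorm case has been taken. The hunk does not show where r11 is saved before `denorm_done` overwrites it or where it is reloaded; presumably the PACA_EXGEN save area covers it as it does r9, and that is worth confirming because a missed restore would bring the corruption back. The handler starts and ends outside the hunk.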
--- /dev/null
+From 51c3c62b58b357e8d35e4cc32f7b4ec907426fe3 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Fri, 14 Sep 2018 11:14:11 +1000
+Subject: powerpc: Avoid code patching freed init sections
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 51c3c62b58b357e8d35e4cc32f7b4ec907426fe3 upstream.
+
+This stops us from doing code patching in init sections after they've
+been freed.
+
+In this chain:
+ kvm_guest_init() ->
+ kvm_use_magic_page() ->
+ fault_in_pages_readable() ->
+ __get_user() ->
+ __get_user_nocheck() ->
+ barrier_nospec();
+
+We have a code patching location at barrier_nospec() and
+kvm_guest_init() is an init function. This whole chain gets inlined,
+so when we free the init section (hence kvm_guest_init()), this code
+goes away and hence should no longer be patched.
+
+We seen this as userspace memory corruption when using a memory
+checker while doing partition migration testing on powervm (this
+starts the code patching post migration via
+/sys/kernel/mobility/migration). In theory, it could also happen when
+using /sys/kernel/debug/powerpc/barrier_nospec.
+
+Cc: stable@vger.kernel.org # 4.13+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/setup.h | 1 +
+ arch/powerpc/lib/code-patching.c | 6 ++++++
+ arch/powerpc/mm/mem.c | 2 ++
+ 3 files changed, 9 insertions(+)
+
+--- a/arch/powerpc/include/asm/setup.h
++++ b/arch/powerpc/include/asm/setup.h
+@@ -9,6 +9,7 @@ extern void ppc_printk_progress(char *s,
+
+ extern unsigned int rtas_data;
+ extern unsigned long long memory_limit;
++extern bool init_mem_is_free;
+ extern unsigned long klimit;
+ extern void *zalloc_maybe_bootmem(size_t size, gfp_t mask);
+
+--- a/arch/powerpc/lib/code-patching.c
++++ b/arch/powerpc/lib/code-patching.c
+@@ -28,6 +28,12 @@ static int __patch_instruction(unsigned
+ {
+ int err;
+
++ /* Make sure we aren't patching a freed init section */
++ if (init_mem_is_free && init_section_contains(exec_addr, 4)) {
++ pr_debug("Skipping init section patching addr: 0x%px\n", exec_addr);
++ return 0;
++ }
++
+ __put_user_size(instr, patch_addr, 4, err);
+ if (err)
+ return err;
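Review bot: The early return in `__patch_instruction()` reports success (`return 0`) for a patch that was not applied, so callers cannot tell a skipped site from a patched one. A short comment saying this is deliberate (the init code is gone, so there is nothing left to patch) would keep it from being turned into an error later. The `pr_debug` uses `%px`, which prints the raw kernel address whenever the message is enabled; unless the unhashed value is really needed, `pr_debug("Skipping init section patching addr: %p\n", exec_addr);` keeps kernel text addresses out of the log. `init_mem_is_free` is read as a plain flag with no ordering visible in the hunk, so the check assumes patching never runs concurrently with `free_initmem()`; that assumption deserves a line in the comment. The function body continues outside the hunk.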
+--- a/arch/powerpc/mm/mem.c
++++ b/arch/powerpc/mm/mem.c
+@@ -63,6 +63,7 @@
+ #endif
+
+ unsigned long long memory_limit;
++bool init_mem_is_free;
+
+ #ifdef CONFIG_HIGHMEM
+ pte_t *kmap_pte;
+@@ -396,6 +397,7 @@ void free_initmem(void)
+ {
+ ppc_md.progress = ppc_printk_progress;
+ mark_initmem_nx();
++ init_mem_is_free = true;
+ free_initmem_default(POISON_FREE_INITMEM);
+ }
+
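Review bot: `init_mem_is_free = true;` is set before `free_initmem_default()` releases the pages, but nothing in `free_initmem()` says that this order matters. That ordering is what keeps the patching code from writing into init text while it is being freed. I would add a comment such as `/* Set before the pages are released so code patching stops touching init text */` so that a later cleanup does not move the assignment below the free. The definition `bool init_mem_is_free;` in the previous hunk of this file would also benefit from a one-line comment naming its reader.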
--- /dev/null
+From 85682a7e3b9c664995ad477520f917039afdc330 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Mon, 10 Sep 2018 06:09:04 +0000
+Subject: powerpc: fix csum_ipv6_magic() on little endian platforms
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 85682a7e3b9c664995ad477520f917039afdc330 upstream.
+
+On little endian platforms, csum_ipv6_magic() keeps len and proto in
+CPU byte order. This generates a bad results leading to ICMPv6 packets
+from other hosts being dropped by powerpc64le platforms.
+
+In order to fix this, len and proto should be converted to network
+byte order ie bigendian byte order. However checksumming 0x12345678
+and 0x56341278 provide the exact same result so it is enough to
+rotate the sum of len and proto by 1 byte.
+
+PPC32 only support bigendian so the fix is needed for PPC64 only
+
+Fixes: e9c4943a107b ("powerpc: Implement csum_ipv6_magic in assembly")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Reported-by: Xin Long <lucien.xin@gmail.com>
+Cc: <stable@vger.kernel.org> # 4.18+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Tested-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/lib/checksum_64.S | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/lib/checksum_64.S
++++ b/arch/powerpc/lib/checksum_64.S
+@@ -443,6 +443,9 @@ _GLOBAL(csum_ipv6_magic)
+ addc r0, r8, r9
+ ld r10, 0(r4)
+ ld r11, 8(r4)
++#ifdef CONFIG_CPU_LITTLE_ENDIAN
++ rotldi r5, r5, 8
++#endif
+ adde r0, r0, r10
+ add r5, r5, r7
+ adde r0, r0, r11
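Review bot: The `rotldi r5, r5, 8` under `CONFIG_CPU_LITTLE_ENDIAN` has no comment, and the reason a one-byte rotate is enough instead of a full byte swap is recorded only in the commit message. A comment such as `/* len + proto are in CPU byte order; a one-byte rotate checksums the same as the network-order value */` belongs next to it, because checksum code like this tends to be copied and simplified. The rotate sits before `add r5, r5, r7`, so it relies on r5 already holding the len/proto sum and on r7 being added unrotated. The instruction that forms that sum is outside the hunk, so the ordering should be checked against the full function. A test comparing the result with the generic C implementation on a little-endian build would catch a regression here.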
--- /dev/null
+From c716a25b9b70084e1144f77423f5aedd772ea478 Mon Sep 17 00:00:00 2001
+From: Thiago Jung Bauermann <bauerman@linux.ibm.com>
+Date: Thu, 20 Sep 2018 01:38:58 -0300
+Subject: powerpc/pkeys: Fix reading of ibm, processor-storage-keys property
+
+From: Thiago Jung Bauermann <bauerman@linux.ibm.com>
+
+commit c716a25b9b70084e1144f77423f5aedd772ea478 upstream.
+
+scan_pkey_feature() uses of_property_read_u32_array() to read the
+ibm,processor-storage-keys property and calls be32_to_cpu() on the
+value it gets. The problem is that of_property_read_u32_array() already
+returns the value converted to the CPU byte order.
+
+The value of pkeys_total ends up more or less sane because there's a min()
+call in pkey_initialize() which reduces pkeys_total to 32. So in practice
+the kernel ignores the fact that the hypervisor reserved one key for
+itself (the device tree advertises 31 keys in my test VM).
+
+This is wrong, but the effect in practice is that when a process tries to
+allocate the 32nd key, it gets an -EINVAL error instead of -ENOSPC which
+would indicate that there aren't any keys available
+
+Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pkeys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/pkeys.c
++++ b/arch/powerpc/mm/pkeys.c
+@@ -44,7 +44,7 @@ static void scan_pkey_feature(void)
+ * Since any pkey can be used for data or execute, we will just treat
+ * all keys as equal and track them as one entity.
+ */
+- pkeys_total = be32_to_cpu(vals[0]);
++ pkeys_total = vals[0];
+ pkeys_devtree_defined = true;
+ }
+
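Review bot: `pkeys_total = vals[0];` now takes the device-tree value as is, and nothing at this line records that `of_property_read_u32_array()` already returns CPU-endian values, which is the fact the original code missed. I would add `/* of_property_read_u32_array() already converted vals[] to CPU byte order */` above the assignment so the `be32_to_cpu()` is not reintroduced. The value comes from a hypervisor-provided property and, per the commit message, is bounded only later by the `min()` in `pkey_initialize()`. A zero or oversized count is not rejected in the visible lines, so that clamp remains the only guard. `scan_pkey_feature()` starts outside the hunk.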
--- /dev/null
+From 8604895a34d92f5e186ceb931b0d1b384030ea3d Mon Sep 17 00:00:00 2001
+From: Michael Bringmann <mwb@linux.vnet.ibm.com>
+Date: Thu, 20 Sep 2018 11:45:13 -0500
+Subject: powerpc/pseries: Fix unitialized timer reset on migration
+
+From: Michael Bringmann <mwb@linux.vnet.ibm.com>
+
+commit 8604895a34d92f5e186ceb931b0d1b384030ea3d upstream.
+
+After migration of a powerpc LPAR, the kernel executes code to
+update the system state to reflect new platform characteristics.
+
+Such changes include modifications to device tree properties provided
+to the system by PHYP. Property notifications received by the
+post_mobility_fixup() code are passed along to the kernel in general
+through a call to of_update_property() which in turn passes such
+events back to all modules through entries like the '.notifier_call'
+function within the NUMA module.
+
+When the NUMA module updates its state, it resets its event timer. If
+this occurs after a previous call to stop_topology_update() or on a
+system without VPHN enabled, the code runs into an unitialized timer
+structure and crashes. This patch adds a safety check along this path
+toward the problem code.
+
+An example crash log is as follows.
+
+ ibmvscsi 30000081: Re-enabling adapter!
+ ------------[ cut here ]------------
+ kernel BUG at kernel/time/timer.c:958!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ LE SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in: nfsv3 nfs_acl nfs tcp_diag udp_diag inet_diag lockd unix_diag af_packet_diag netlink_diag grace fscache sunrpc xts vmx_crypto pseries_rng sg binfmt_misc ip_tables xfs libcrc32c sd_mod ibmvscsi ibmveth scsi_transport_srp dm_mirror dm_region_hash dm_log dm_mod
+ CPU: 11 PID: 3067 Comm: drmgr Not tainted 4.17.0+ #179
+ ...
+ NIP mod_timer+0x4c/0x400
+ LR reset_topology_timer+0x40/0x60
+ Call Trace:
+ 0xc0000003f9407830 (unreliable)
+ reset_topology_timer+0x40/0x60
+ dt_update_callback+0x100/0x120
+ notifier_call_chain+0x90/0x100
+ __blocking_notifier_call_chain+0x60/0x90
+ of_property_notify+0x90/0xd0
+ of_update_property+0x104/0x150
+ update_dt_property+0xdc/0x1f0
+ pseries_devicetree_update+0x2d0/0x510
+ post_mobility_fixup+0x7c/0xf0
+ migration_store+0xa4/0xc0
+ kobj_attr_store+0x30/0x60
+ sysfs_kf_write+0x64/0xa0
+ kernfs_fop_write+0x16c/0x240
+ __vfs_write+0x40/0x200
+ vfs_write+0xc8/0x240
+ ksys_write+0x5c/0x100
+ system_call+0x58/0x6c
+
+Fixes: 5d88aa85c00b ("powerpc/pseries: Update CPU maps when device tree is updated")
+Cc: stable@vger.kernel.org # v3.10+
+Signed-off-by: Michael Bringmann <mwb@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/numa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -1452,7 +1452,8 @@ static struct timer_list topology_timer;
+
+ static void reset_topology_timer(void)
+ {
+- mod_timer(&topology_timer, jiffies + topology_timer_secs * HZ);
++ if (vphn_enabled)
++ mod_timer(&topology_timer, jiffies + topology_timer_secs * HZ);
+ }
+
+ #ifdef CONFIG_SMP
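Review bot: The new `if (vphn_enabled)` guard in `reset_topology_timer()` uses the flag as a stand-in for "topology_timer has been set up", and that link is not stated anywhere in the visible code. A comment such as `/* topology_timer is only initialised when VPHN is enabled; mod_timer() on an uninitialised timer hits BUG() */` would make it explicit. The crash in the commit message is reached from a write to the migration sysfs file, so a privileged process can trigger the path from userspace. The hunk shows no lock around the test, so it is worth confirming in the rest of numa.c whether `stop_topology_update()` can change the timer state between the check and `mod_timer()`.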
i2c-i801-allow-acpi-aml-access-i-o-ports-not-reserved-for-smbus.patch
clk-x86-set-default-parent-to-48mhz.patch
x86-pti-fix-section-mismatch-warning-error.patch
+kvm-ppc-book3s-hv-fix-guest-r11-corruption-with-power9-tm-workarounds.patch
+powerpc-fix-csum_ipv6_magic-on-little-endian-platforms.patch
+powerpc-avoid-code-patching-freed-init-sections.patch
+powerpc-pkeys-fix-reading-of-ibm-processor-storage-keys-property.patch
+powerpc-pseries-fix-unitialized-timer-reset-on-migration.patch