From: Greg Kroah-Hartman
Date: Tue, 2 Oct 2018 12:20:33 +0000 (-0700)
Subject: 4.18-stable patches
X-Git-Tag: v4.18.12~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=31f06f43246a1cbdca57d15b48e1d2a8538b2e05;p=thirdparty%2Fkernel%2Fstable-queue.git

4.18-stable patches

added patches:
kvm-ppc-book3s-hv-fix-guest-r11-corruption-with-power9-tm-workarounds.patch
powerpc-avoid-code-patching-freed-init-sections.patch
powerpc-fix-csum_ipv6_magic-on-little-endian-platforms.patch
powerpc-pkeys-fix-reading-of-ibm-processor-storage-keys-property.patch
powerpc-pseries-fix-unitialized-timer-reset-on-migration.patch
---
diff --git a/queue-4.18/kvm-ppc-book3s-hv-fix-guest-r11-corruption-with-power9-tm-workarounds.patch b/queue-4.18/kvm-ppc-book3s-hv-fix-guest-r11-corruption-with-power9-tm-workarounds.patch
new file mode 100644
index 00000000000..d3a59bef0e5
--- /dev/null
+++ b/queue-4.18/kvm-ppc-book3s-hv-fix-guest-r11-corruption-with-power9-tm-workarounds.patch
@@ -0,0 +1,55 @@
+From f14040bca89258b8a1c71e2112e430462172ce93 Mon Sep 17 00:00:00 2001
+From: Michael Neuling
+Date: Thu, 13 Sep 2018 15:33:47 +1000
+Subject: KVM: PPC: Book3S HV: Fix guest r11 corruption with POWER9 TM workarounds
+
+From: Michael Neuling
+
+commit f14040bca89258b8a1c71e2112e430462172ce93 upstream.
+
+When we come into the softpatch handler (0x1500), we use r11 to store
+the HSRR0 for later use by the denorm handler.
+
+We also use the softpatch handler for the TM workarounds for
+POWER9. Unfortunately, in kvmppc_interrupt_hv we later store r11 out
+to the vcpu assuming it's still what we got from userspace.
+
+This causes r11 to be corrupted in the VCPU and hence when we restore
+the guest, we get a corrupted r11. We've seen this when running TM
+tests inside guests on P9.
+
+This fixes the problem by only touching r11 in the denorm case.
+
+Fixes: 4bb3c7a020 ("KVM: PPC: Book3S HV: Work around transactional memory bugs in POWER9")
+Cc: # 4.17+
+Test-by: Suraj Jitindar Singh
+Reviewed-by: Paul Mackerras
+Signed-off-by: Michael Neuling
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/exceptions-64s.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -1321,9 +1321,7 @@ EXC_REAL_BEGIN(denorm_exception_hv, 0x15
+ 
+ #ifdef CONFIG_PPC_DENORMALISATION
+ mfspr r10,SPRN_HSRR1
+- mfspr r11,SPRN_HSRR0 /* save HSRR0 */
+ andis. r10,r10,(HSRR1_DENORM)@h /* denorm? */
+- addi r11,r11,-4 /* HSRR0 is next instruction */
+ bne+ denorm_assist
+ #endif
+ 
+@@ -1389,6 +1387,8 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S)
+ */
+ XVCPSGNDP32(32)
+ denorm_done:
++ mfspr r11,SPRN_HSRR0
++ subi r11,r11,4
+ mtspr SPRN_HSRR0,r11
+ mtcrf 0x80,r9
+ ld r9,PACA_EXGEN+EX_R9(r13)
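Review bot: The explanatory comment is lost in the move: the removed `addi r11,r11,-4 /* HSRR0 is next instruction */` comes back at denorm_done as a bare `subi r11,r11,4`, so a reader of the new code no longer sees why 4 is subtracted from HSRR0. Suggest carrying it along, `subi r11,r11,4 /* HSRR0 is next instruction */`, and adding a line on the new `mfspr r11,SPRN_HSRR0` noting that r11 is deliberately touched only on the denorm path because the HV interrupt path later saves r11 into the vcpu (the reason given in the commit message). The denorm_assist body that sits between the two inner hunks and branches to denorm_done is outside the hunk, so whether anything there still expects the old early r11 value cannot be confirmed from here.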
diff --git a/queue-4.18/powerpc-avoid-code-patching-freed-init-sections.patch b/queue-4.18/powerpc-avoid-code-patching-freed-init-sections.patch
new file mode 100644
index 00000000000..e3be35744d2
--- /dev/null
+++ b/queue-4.18/powerpc-avoid-code-patching-freed-init-sections.patch
@@ -0,0 +1,87 @@
+From 51c3c62b58b357e8d35e4cc32f7b4ec907426fe3 Mon Sep 17 00:00:00 2001
+From: Michael Neuling
+Date: Fri, 14 Sep 2018 11:14:11 +1000
+Subject: powerpc: Avoid code patching freed init sections
+
+From: Michael Neuling
+
+commit 51c3c62b58b357e8d35e4cc32f7b4ec907426fe3 upstream.
+
+This stops us from doing code patching in init sections after they've
+been freed.
+
+In this chain:
+ kvm_guest_init() ->
+ kvm_use_magic_page() ->
+ fault_in_pages_readable() ->
+ __get_user() ->
+ __get_user_nocheck() ->
+ barrier_nospec();
+
+We have a code patching location at barrier_nospec() and
+kvm_guest_init() is an init function. This whole chain gets inlined,
+so when we free the init section (hence kvm_guest_init()), this code
+goes away and hence should no longer be patched.
+
+We seen this as userspace memory corruption when using a memory
+checker while doing partition migration testing on powervm (this
+starts the code patching post migration via
+/sys/kernel/mobility/migration). In theory, it could also happen when
+using /sys/kernel/debug/powerpc/barrier_nospec.
+
+Cc: stable@vger.kernel.org # 4.13+
+Signed-off-by: Michael Neuling
+Reviewed-by: Nicholas Piggin
+Reviewed-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/setup.h | 1 +
+ arch/powerpc/lib/code-patching.c | 6 ++++++
+ arch/powerpc/mm/mem.c | 2 ++
+ 3 files changed, 9 insertions(+)
+
+--- a/arch/powerpc/include/asm/setup.h
++++ b/arch/powerpc/include/asm/setup.h
+@@ -9,6 +9,7 @@ extern void ppc_printk_progress(char *s,
+ 
+ extern unsigned int rtas_data;
+ extern unsigned long long memory_limit;
++extern bool init_mem_is_free;
+ extern unsigned long klimit;
+ extern void *zalloc_maybe_bootmem(size_t size, gfp_t mask);
+ 
+--- a/arch/powerpc/lib/code-patching.c
++++ b/arch/powerpc/lib/code-patching.c
+@@ -28,6 +28,12 @@ static int __patch_instruction(unsigned
+ {
+ int err;
+ 
++ /* Make sure we aren't patching a freed init section */
++ if (init_mem_is_free && init_section_contains(exec_addr, 4)) {
++ pr_debug("Skipping init section patching addr: 0x%px\n", exec_addr);
++ return 0;
++ }
++
+ __put_user_size(instr, patch_addr, 4, err);
+ if (err)
+ return err;
+--- a/arch/powerpc/mm/mem.c
++++ b/arch/powerpc/mm/mem.c
+@@ -63,6 +63,7 @@
+ #endif
+ 
+ unsigned long long memory_limit;
++bool init_mem_is_free;
+ 
+ #ifdef CONFIG_HIGHMEM
+ pte_t *kmap_pte;
+@@ -396,6 +397,7 @@ void free_initmem(void)
+ {
+ ppc_md.progress = ppc_printk_progress;
+ mark_initmem_nx();
++ init_mem_is_free = true;
+ free_initmem_default(POISON_FREE_INITMEM);
+ }
+ 
diff --git a/queue-4.18/powerpc-fix-csum_ipv6_magic-on-little-endian-platforms.patch b/queue-4.18/powerpc-fix-csum_ipv6_magic-on-little-endian-platforms.patch
new file mode 100644
index 00000000000..c4b9f870701
--- /dev/null
+++ b/queue-4.18/powerpc-fix-csum_ipv6_magic-on-little-endian-platforms.patch
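Review bot: The instruction width appears twice as a bare `4` in __patch_instruction, once in the new `init_section_contains(exec_addr, 4)` and once in the existing `__put_user_size(instr, patch_addr, 4, err)`; the new check should name the same quantity, e.g. `init_section_contains(exec_addr, sizeof(instr))` if `instr` is the 32-bit instruction word (its declaration is cut off in the hunk header, so confirm). The new flag also deserves a comment at its definition in mem.c: `init_mem_is_free` is a plain bool written once in free_initmem() and read from the patching path on any CPU with no ordering, which is presumably acceptable only because it is set before free_initmem_default() releases the pages, so a reader that still observes false writes to memory that is still mapped, and that reasoning should be on the page rather than reconstructed. The skip path returns 0 with just a pr_debug, so callers cannot tell "patched" from "skipped"; that looks intentional for freed init code but the comment above the check should say so. __patch_instruction continues past the end of the hunk.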
@@ -0,0 +1,45 @@
+From 85682a7e3b9c664995ad477520f917039afdc330 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Mon, 10 Sep 2018 06:09:04 +0000
+Subject: powerpc: fix csum_ipv6_magic() on little endian platforms
+
+From: Christophe Leroy
+
+commit 85682a7e3b9c664995ad477520f917039afdc330 upstream.
+
+On little endian platforms, csum_ipv6_magic() keeps len and proto in
+CPU byte order. This generates a bad results leading to ICMPv6 packets
+from other hosts being dropped by powerpc64le platforms.
+
+In order to fix this, len and proto should be converted to network
+byte order ie bigendian byte order. However checksumming 0x12345678
+and 0x56341278 provide the exact same result so it is enough to
+rotate the sum of len and proto by 1 byte.
+
+PPC32 only support bigendian so the fix is needed for PPC64 only
+
+Fixes: e9c4943a107b ("powerpc: Implement csum_ipv6_magic in assembly")
+Reported-by: Jianlin Shi
+Reported-by: Xin Long
+Cc: # 4.18+
+Signed-off-by: Christophe Leroy
+Tested-by: Xin Long
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/lib/checksum_64.S | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/lib/checksum_64.S
++++ b/arch/powerpc/lib/checksum_64.S
+@@ -443,6 +443,9 @@ _GLOBAL(csum_ipv6_magic)
+ addc r0, r8, r9
+ ld r10, 0(r4)
+ ld r11, 8(r4)
++#ifdef CONFIG_CPU_LITTLE_ENDIAN
++ rotldi r5, r5, 8
++#endif
+ adde r0, r0, r10
+ add r5, r5, r7
+ adde r0, r0, r11
diff --git a/queue-4.18/powerpc-pkeys-fix-reading-of-ibm-processor-storage-keys-property.patch b/queue-4.18/powerpc-pkeys-fix-reading-of-ibm-processor-storage-keys-property.patch
new file mode 100644
index 00000000000..f7d813c5853
--- /dev/null
+++ b/queue-4.18/powerpc-pkeys-fix-reading-of-ibm-processor-storage-keys-property.patch
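Review bot: The new `rotldi r5, r5, 8` carries no comment, and nothing in the visible context says what r5 holds or why an 8-bit rotate is the right fix; that reasoning lives only in the commit message (r5 is the sum of len and proto in CPU byte order, and a byte-rotated value folds to the same 16-bit ones'-complement checksum as its big-endian form). Suggest a comment on the instruction such as `/* r5 = len + proto in CPU order: byte-rotate so the fold sees it as big endian */`. The `add r5, r5, r7` that follows adds a value that is not rotated, presumably the caller's partial sum already in network byte order, and a word on that would stop a reader from "fixing" it by moving the rotate below the add; the instruction that forms len + proto and the fold that consumes r5 are both outside the hunk, so the register roles here are inferred from the message rather than the code.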
@@ -0,0 +1,44 @@
+From c716a25b9b70084e1144f77423f5aedd772ea478 Mon Sep 17 00:00:00 2001
+From: Thiago Jung Bauermann
+Date: Thu, 20 Sep 2018 01:38:58 -0300
+Subject: powerpc/pkeys: Fix reading of ibm, processor-storage-keys property
+
+From: Thiago Jung Bauermann
+
+commit c716a25b9b70084e1144f77423f5aedd772ea478 upstream.
+
+scan_pkey_feature() uses of_property_read_u32_array() to read the
+ibm,processor-storage-keys property and calls be32_to_cpu() on the
+value it gets. The problem is that of_property_read_u32_array() already
+returns the value converted to the CPU byte order.
+
+The value of pkeys_total ends up more or less sane because there's a min()
+call in pkey_initialize() which reduces pkeys_total to 32. So in practice
+the kernel ignores the fact that the hypervisor reserved one key for
+itself (the device tree advertises 31 keys in my test VM).
+
+This is wrong, but the effect in practice is that when a process tries to
+allocate the 32nd key, it gets an -EINVAL error instead of -ENOSPC which
+would indicate that there aren't any keys available
+
+Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Thiago Jung Bauermann
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/mm/pkeys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/pkeys.c
++++ b/arch/powerpc/mm/pkeys.c
+@@ -44,7 +44,7 @@ static void scan_pkey_feature(void)
+ * Since any pkey can be used for data or execute, we will just treat
+ * all keys as equal and track them as one entity.
+ */
+- pkeys_total = be32_to_cpu(vals[0]);
++ pkeys_total = vals[0];
+ pkeys_devtree_defined = true;
+ }
+ 
diff --git a/queue-4.18/powerpc-pseries-fix-unitialized-timer-reset-on-migration.patch b/queue-4.18/powerpc-pseries-fix-unitialized-timer-reset-on-migration.patch
new file mode 100644
index 00000000000..fb0506e36dd
--- /dev/null
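Review bot: The fixed line `pkeys_total = vals[0];` reads as if the byte swap had been forgotten rather than removed on purpose, and the comment just above it talks about treating all keys as one entity, not about byte order, so the next reader may well put `be32_to_cpu()` back; a one-liner would prevent that: `/* of_property_read_u32_array() already converted vals[] to CPU byte order */`. The device-tree count is stored here without range checking; per the commit message the clamp to 32 happens later in pkey_initialize(), outside this hunk, which is fine as long as that clamp stays, and the same comment could say the value is bounded there. scan_pkey_feature() begins before the hunk, so where vals[] is filled is not visible here.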
+++ b/queue-4.18/powerpc-pseries-fix-unitialized-timer-reset-on-migration.patch 
@@ -0,0 +1,79 @@
+From 8604895a34d92f5e186ceb931b0d1b384030ea3d Mon Sep 17 00:00:00 2001
+From: Michael Bringmann
+Date: Thu, 20 Sep 2018 11:45:13 -0500
+Subject: powerpc/pseries: Fix unitialized timer reset on migration
+
+From: Michael Bringmann
+
+commit 8604895a34d92f5e186ceb931b0d1b384030ea3d upstream.
+
+After migration of a powerpc LPAR, the kernel executes code to
+update the system state to reflect new platform characteristics.
+
+Such changes include modifications to device tree properties provided
+to the system by PHYP. Property notifications received by the
+post_mobility_fixup() code are passed along to the kernel in general
+through a call to of_update_property() which in turn passes such
+events back to all modules through entries like the '.notifier_call'
+function within the NUMA module.
+
+When the NUMA module updates its state, it resets its event timer. If
+this occurs after a previous call to stop_topology_update() or on a
+system without VPHN enabled, the code runs into an unitialized timer
+structure and crashes. This patch adds a safety check along this path
+toward the problem code.
+
+An example crash log is as follows.
+
+ ibmvscsi 30000081: Re-enabling adapter!
+ ------------[ cut here ]------------
+ kernel BUG at kernel/time/timer.c:958!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ LE SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in: nfsv3 nfs_acl nfs tcp_diag udp_diag inet_diag lockd unix_diag af_packet_diag netlink_diag grace fscache sunrpc xts vmx_crypto pseries_rng sg binfmt_misc ip_tables xfs libcrc32c sd_mod ibmvscsi ibmveth scsi_transport_srp dm_mirror dm_region_hash dm_log dm_mod
+ CPU: 11 PID: 3067 Comm: drmgr Not tainted 4.17.0+ #179
+ ...
+ NIP mod_timer+0x4c/0x400
+ LR reset_topology_timer+0x40/0x60
+ Call Trace:
+ 0xc0000003f9407830 (unreliable)
+ reset_topology_timer+0x40/0x60
+ dt_update_callback+0x100/0x120
+ notifier_call_chain+0x90/0x100
+ __blocking_notifier_call_chain+0x60/0x90
+ of_property_notify+0x90/0xd0
+ of_update_property+0x104/0x150
+ update_dt_property+0xdc/0x1f0
+ pseries_devicetree_update+0x2d0/0x510
+ post_mobility_fixup+0x7c/0xf0
+ migration_store+0xa4/0xc0
+ kobj_attr_store+0x30/0x60
+ sysfs_kf_write+0x64/0xa0
+ kernfs_fop_write+0x16c/0x240
+ __vfs_write+0x40/0x200
+ vfs_write+0xc8/0x240
+ ksys_write+0x5c/0x100
+ system_call+0x58/0x6c
+
+Fixes: 5d88aa85c00b ("powerpc/pseries: Update CPU maps when device tree is updated")
+Cc: stable@vger.kernel.org # v3.10+
+Signed-off-by: Michael Bringmann
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/mm/numa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -1452,7 +1452,8 @@ static struct timer_list topology_timer;
+ 
+ static void reset_topology_timer(void)
+ {
+- mod_timer(&topology_timer, jiffies + topology_timer_secs * HZ);
++ if (vphn_enabled)
++ mod_timer(&topology_timer, jiffies + topology_timer_secs * HZ);
+ }
+ 
+ #ifdef CONFIG_SMP
diff --git a/queue-4.18/series b/queue-4.18/series
index 5affb43d349..305b4fa7a95 100644
--- a/queue-4.18/series
+++ b/queue-4.18/series
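Review bot: `if (vphn_enabled)` in reset_topology_timer() stands in for "topology_timer has been initialised", which is the actual precondition mod_timer() enforces (the log shows `kernel BUG at kernel/time/timer.c:958`), and nothing at the call site says so; suggest `/* topology_timer is only set up when VPHN is on; mod_timer() on an uninitialised timer hits BUG_ON */` above the check. The test and the re-arm are not atomic: if stop_topology_update() clears vphn_enabled and tears the timer down on another CPU between the two, this path could still re-arm it; the locking around vphn_enabled is outside the hunk, so treat that as a question to confirm rather than a defect. A sturdier shape would initialise the timer unconditionally at boot so mod_timer() is always safe and leave vphn_enabled to decide only whether the callback does any work.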
@@ -222,3 +222,8 @@ arm-arm64-smccc-1.1-handle-function-result-as-parameters.patch
 i2c-i801-allow-acpi-aml-access-i-o-ports-not-reserved-for-smbus.patch
 clk-x86-set-default-parent-to-48mhz.patch
 x86-pti-fix-section-mismatch-warning-error.patch
+kvm-ppc-book3s-hv-fix-guest-r11-corruption-with-power9-tm-workarounds.patch
+powerpc-fix-csum_ipv6_magic-on-little-endian-platforms.patch
+powerpc-avoid-code-patching-freed-init-sections.patch
+powerpc-pkeys-fix-reading-of-ibm-processor-storage-keys-property.patch
+powerpc-pseries-fix-unitialized-timer-reset-on-migration.patch