From: Greg Kroah-Hartman Date: Fri, 4 Sep 2020 11:38:16 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.63~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e810d773a17112d73ab14cc59cec5af7b7e5b4d0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: dt-bindings-mmc-tegra-add-tmclk-for-tegra210-and-later.patch kvm-arm64-add-kvm_extable-for-vaxorcism-code.patch kvm-arm64-set-hcr_el2.ptw-to-prevent-at-taking-synchronous-exception.patch kvm-arm64-survive-synchronous-exceptions-caused-by-at-instructions.patch --- diff --git a/queue-5.4/dt-bindings-mmc-tegra-add-tmclk-for-tegra210-and-later.patch b/queue-5.4/dt-bindings-mmc-tegra-add-tmclk-for-tegra210-and-later.patch new file mode 100644 index 00000000000..52ac85f7a73 --- /dev/null +++ b/queue-5.4/dt-bindings-mmc-tegra-add-tmclk-for-tegra210-and-later.patch @@ -0,0 +1,84 @@ +From f7f86e8ac0ad7cd6792a80137f5a550924966916 Mon Sep 17 00:00:00 2001 +From: Sowjanya Komatineni +Date: Thu, 27 Aug 2020 10:20:57 -0700 +Subject: dt-bindings: mmc: tegra: Add tmclk for Tegra210 and later + +From: Sowjanya Komatineni + +commit f7f86e8ac0ad7cd6792a80137f5a550924966916 upstream. + +commit b5a84ecf025a ("mmc: tegra: Add Tegra210 support") + +Tegra210 and later uses separate SDMMC_LEGACY_TM clock for data +timeout. + +So, this patch adds "tmclk" to Tegra sdhci clock property in the +device tree binding. + +Fixes: b5a84ecf025a ("mmc: tegra: Add Tegra210 support") +Cc: stable # 5.4 +Reviewed-by: Jon Hunter +Signed-off-by: Sowjanya Komatineni +Link: https://lore.kernel.org/r/1598548861-32373-4-git-send-email-skomatineni@nvidia.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/mmc/nvidia,tegra20-sdhci.txt | 32 +++++++++- + 1 file changed, 29 insertions(+), 3 deletions(-) + +--- a/Documentation/devicetree/bindings/mmc/nvidia,tegra20-sdhci.txt ++++ b/Documentation/devicetree/bindings/mmc/nvidia,tegra20-sdhci.txt +@@ -15,8 +15,15 @@ Required properties: + - "nvidia,tegra210-sdhci": for Tegra210 + - "nvidia,tegra186-sdhci": for Tegra186 + - "nvidia,tegra194-sdhci": for Tegra194 +-- clocks : Must contain one entry, for the module clock. +- See ../clocks/clock-bindings.txt for details. ++- clocks: For Tegra210, Tegra186 and Tegra194 must contain two entries. ++ One for the module clock and one for the timeout clock. ++ For all other Tegra devices, must contain a single entry for ++ the module clock. See ../clocks/clock-bindings.txt for details. ++- clock-names: For Tegra210, Tegra186 and Tegra194 must contain the ++ strings 'sdhci' and 'tmclk' to represent the module and ++ the timeout clocks, respectively. ++ For all other Tegra devices must contain the string 'sdhci' ++ to represent the module clock. + - resets : Must contain an entry for each entry in reset-names. + See ../reset/reset.txt for details. + - reset-names : Must include the following entries: +@@ -99,7 +106,7 @@ Optional properties for Tegra210, Tegra1 + + Example: + sdhci@700b0000 { +- compatible = "nvidia,tegra210-sdhci", "nvidia,tegra124-sdhci"; ++ compatible = "nvidia,tegra124-sdhci"; + reg = <0x0 0x700b0000 0x0 0x200>; + interrupts = ; + clocks = <&tegra_car TEGRA210_CLK_SDMMC1>; +@@ -107,6 +114,25 @@ sdhci@700b0000 { + resets = <&tegra_car 14>; + reset-names = "sdhci"; + pinctrl-names = "sdmmc-3v3", "sdmmc-1v8"; ++ pinctrl-0 = <&sdmmc1_3v3>; ++ pinctrl-1 = <&sdmmc1_1v8>; ++ nvidia,pad-autocal-pull-up-offset-3v3 = <0x00>; ++ nvidia,pad-autocal-pull-down-offset-3v3 = <0x7d>; ++ nvidia,pad-autocal-pull-up-offset-1v8 = <0x7b>; ++ nvidia,pad-autocal-pull-down-offset-1v8 = <0x7b>; ++ status = "disabled"; ++}; ++ ++sdhci@700b0000 { ++ compatible = "nvidia,tegra210-sdhci"; ++ reg = <0x0 0x700b0000 0x0 0x200>; ++ interrupts = ; ++ clocks = <&tegra_car TEGRA210_CLK_SDMMC1>, ++ <&tegra_car TEGRA210_CLK_SDMMC_LEGACY>; ++ clock-names = "sdhci", "tmclk"; ++ resets = <&tegra_car 14>; ++ reset-names = "sdhci"; ++ pinctrl-names = "sdmmc-3v3", "sdmmc-1v8"; + pinctrl-0 = <&sdmmc1_3v3>; + pinctrl-1 = <&sdmmc1_1v8>; + nvidia,pad-autocal-pull-up-offset-3v3 = <0x00>; diff --git a/queue-5.4/kvm-arm64-add-kvm_extable-for-vaxorcism-code.patch b/queue-5.4/kvm-arm64-add-kvm_extable-for-vaxorcism-code.patch new file mode 100644 index 00000000000..890f883b5cc --- /dev/null +++ b/queue-5.4/kvm-arm64-add-kvm_extable-for-vaxorcism-code.patch @@ -0,0 +1,237 @@ +From e9ee186bb735bfc17fa81dbc9aebf268aee5b41e Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Fri, 21 Aug 2020 15:07:05 +0100 +Subject: KVM: arm64: Add kvm_extable for vaxorcism code + +From: James Morse + +commit e9ee186bb735bfc17fa81dbc9aebf268aee5b41e upstream. + +KVM has a one instruction window where it will allow an SError exception +to be consumed by the hypervisor without treating it as a hypervisor bug. +This is used to consume asynchronous external abort that were caused by +the guest. + +As we are about to add another location that survives unexpected exceptions, +generalise this code to make it behave like the host's extable. + +KVM's version has to be mapped to EL2 to be accessible on nVHE systems. + +The SError vaxorcism code is a one instruction window, so has two entries +in the extable. Because the KVM code is copied for VHE and nVHE, we end up +with four entries, half of which correspond with code that isn't mapped. + +Cc: # 5.4.x +Signed-off-by: James Morse +Reviewed-by: Marc Zyngier +Signed-off-by: Catalin Marinas +Signed-off-by: Andre Przywara +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/kvm_asm.h | 15 +++++++++++ + arch/arm64/kernel/vmlinux.lds.S | 8 ++++++ + arch/arm64/kvm/hyp/entry.S | 15 ++++++----- + arch/arm64/kvm/hyp/hyp-entry.S | 51 +++++++++++++++++++++++---------------- + arch/arm64/kvm/hyp/switch.c | 31 +++++++++++++++++++++++ + 5 files changed, 94 insertions(+), 26 deletions(-) + +--- a/arch/arm64/include/asm/kvm_asm.h ++++ b/arch/arm64/include/asm/kvm_asm.h +@@ -113,6 +113,21 @@ extern u32 __kvm_get_mdcr_el2(void); + kern_hyp_va \vcpu + .endm + ++/* ++ * KVM extable for unexpected exceptions. ++ * In the same format _asm_extable, but output to a different section so that ++ * it can be mapped to EL2. The KVM version is not sorted. The caller must ++ * ensure: ++ * x18 has the hypervisor value to allow any Shadow-Call-Stack instrumented ++ * code to write to it, and that SPSR_EL2 and ELR_EL2 are restored by the fixup. ++ */ ++.macro _kvm_extable, from, to ++ .pushsection __kvm_ex_table, "a" ++ .align 3 ++ .long (\from - .), (\to - .) ++ .popsection ++.endm ++ + #endif + + #endif /* __ARM_KVM_ASM_H__ */ +--- a/arch/arm64/kernel/vmlinux.lds.S ++++ b/arch/arm64/kernel/vmlinux.lds.S +@@ -24,6 +24,13 @@ ENTRY(_text) + + jiffies = jiffies_64; + ++ ++#define HYPERVISOR_EXTABLE \ ++ . = ALIGN(SZ_8); \ ++ __start___kvm_ex_table = .; \ ++ *(__kvm_ex_table) \ ++ __stop___kvm_ex_table = .; ++ + #define HYPERVISOR_TEXT \ + /* \ + * Align to 4 KB so that \ +@@ -39,6 +46,7 @@ jiffies = jiffies_64; + __hyp_idmap_text_end = .; \ + __hyp_text_start = .; \ + *(.hyp.text) \ ++ HYPERVISOR_EXTABLE \ + __hyp_text_end = .; + + #define IDMAP_TEXT \ +--- a/arch/arm64/kvm/hyp/entry.S ++++ b/arch/arm64/kvm/hyp/entry.S +@@ -173,20 +173,23 @@ alternative_endif + // This is our single instruction exception window. A pending + // SError is guaranteed to occur at the earliest when we unmask + // it, and at the latest just after the ISB. +- .global abort_guest_exit_start + abort_guest_exit_start: + + isb + +- .global abort_guest_exit_end + abort_guest_exit_end: + + msr daifset, #4 // Mask aborts ++ ret + +- // If the exception took place, restore the EL1 exception +- // context so that we can report some information. +- // Merge the exception code with the SError pending bit. +- tbz x0, #ARM_EXIT_WITH_SERROR_BIT, 1f ++ _kvm_extable abort_guest_exit_start, 9997f ++ _kvm_extable abort_guest_exit_end, 9997f ++9997: ++ msr daifset, #4 // Mask aborts ++ mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT) ++ ++ // restore the EL1 exception context so that we can report some ++ // information. Merge the exception code with the SError pending bit. + msr elr_el2, x2 + msr esr_el2, x3 + msr spsr_el2, x4 +--- a/arch/arm64/kvm/hyp/hyp-entry.S ++++ b/arch/arm64/kvm/hyp/hyp-entry.S +@@ -15,6 +15,30 @@ + #include + #include + ++.macro save_caller_saved_regs_vect ++ /* x0 and x1 were saved in the vector entry */ ++ stp x2, x3, [sp, #-16]! ++ stp x4, x5, [sp, #-16]! ++ stp x6, x7, [sp, #-16]! ++ stp x8, x9, [sp, #-16]! ++ stp x10, x11, [sp, #-16]! ++ stp x12, x13, [sp, #-16]! ++ stp x14, x15, [sp, #-16]! ++ stp x16, x17, [sp, #-16]! ++.endm ++ ++.macro restore_caller_saved_regs_vect ++ ldp x16, x17, [sp], #16 ++ ldp x14, x15, [sp], #16 ++ ldp x12, x13, [sp], #16 ++ ldp x10, x11, [sp], #16 ++ ldp x8, x9, [sp], #16 ++ ldp x6, x7, [sp], #16 ++ ldp x4, x5, [sp], #16 ++ ldp x2, x3, [sp], #16 ++ ldp x0, x1, [sp], #16 ++.endm ++ + .text + .pushsection .hyp.text, "ax" + +@@ -156,27 +180,14 @@ el2_sync: + + + el2_error: +- ldp x0, x1, [sp], #16 ++ save_caller_saved_regs_vect ++ stp x29, x30, [sp, #-16]! ++ ++ bl kvm_unexpected_el2_exception ++ ++ ldp x29, x30, [sp], #16 ++ restore_caller_saved_regs_vect + +- /* +- * Only two possibilities: +- * 1) Either we come from the exit path, having just unmasked +- * PSTATE.A: change the return code to an EL2 fault, and +- * carry on, as we're already in a sane state to handle it. +- * 2) Or we come from anywhere else, and that's a bug: we panic. +- * +- * For (1), x0 contains the original return code and x1 doesn't +- * contain anything meaningful at that stage. We can reuse them +- * as temp registers. +- * For (2), who cares? +- */ +- mrs x0, elr_el2 +- adr x1, abort_guest_exit_start +- cmp x0, x1 +- adr x1, abort_guest_exit_end +- ccmp x0, x1, #4, ne +- b.ne __hyp_panic +- mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT) + eret + sb + +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -14,6 +14,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -25,6 +26,9 @@ + #include + #include + ++extern struct exception_table_entry __start___kvm_ex_table; ++extern struct exception_table_entry __stop___kvm_ex_table; ++ + /* Check whether the FP regs were dirtied while in the host-side run loop: */ + static bool __hyp_text update_fp_enabled(struct kvm_vcpu *vcpu) + { +@@ -791,3 +795,30 @@ void __hyp_text __noreturn hyp_panic(str + + unreachable(); + } ++ ++asmlinkage void __hyp_text kvm_unexpected_el2_exception(void) ++{ ++ unsigned long addr, fixup; ++ struct kvm_cpu_context *host_ctxt; ++ struct exception_table_entry *entry, *end; ++ unsigned long elr_el2 = read_sysreg(elr_el2); ++ ++ entry = hyp_symbol_addr(__start___kvm_ex_table); ++ end = hyp_symbol_addr(__stop___kvm_ex_table); ++ host_ctxt = &__hyp_this_cpu_ptr(kvm_host_data)->host_ctxt; ++ ++ while (entry < end) { ++ addr = (unsigned long)&entry->insn + entry->insn; ++ fixup = (unsigned long)&entry->fixup + entry->fixup; ++ ++ if (addr != elr_el2) { ++ entry++; ++ continue; ++ } ++ ++ write_sysreg(fixup, elr_el2); ++ return; ++ } ++ ++ hyp_panic(host_ctxt); ++} diff --git a/queue-5.4/kvm-arm64-set-hcr_el2.ptw-to-prevent-at-taking-synchronous-exception.patch b/queue-5.4/kvm-arm64-set-hcr_el2.ptw-to-prevent-at-taking-synchronous-exception.patch new file mode 100644 index 00000000000..1d366fe8bb9 --- /dev/null +++ b/queue-5.4/kvm-arm64-set-hcr_el2.ptw-to-prevent-at-taking-synchronous-exception.patch @@ -0,0 +1,57 @@ +From 71a7f8cb1ca4ca7214a700b1243626759b6c11d4 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Fri, 21 Aug 2020 15:07:07 +0100 +Subject: KVM: arm64: Set HCR_EL2.PTW to prevent AT taking synchronous exception + +From: James Morse + +commit 71a7f8cb1ca4ca7214a700b1243626759b6c11d4 upstream. + +AT instructions do a translation table walk and return the result, or +the fault in PAR_EL1. KVM uses these to find the IPA when the value is +not provided by the CPU in HPFAR_EL1. + +If a translation table walk causes an external abort it is taken as an +exception, even if it was due to an AT instruction. (DDI0487F.a's D5.2.11 +"Synchronous faults generated by address translation instructions") + +While we previously made KVM resilient to exceptions taken due to AT +instructions, the device access causes mismatched attributes, and may +occur speculatively. Prevent this, by forbidding a walk through memory +described as device at stage2. Now such AT instructions will report a +stage2 fault. + +Such a fault will cause KVM to restart the guest. If the AT instructions +always walk the page tables, but guest execution uses the translation cached +in the TLB, the guest can't make forward progress until the TLB entry is +evicted. This isn't a problem, as since commit 5dcd0fdbb492 ("KVM: arm64: +Defer guest entry when an asynchronous exception is pending"), KVM will +return to the host to process IRQs allowing the rest of the system to keep +running. + +Cc: stable@vger.kernel.org # +Reviewed-by: Marc Zyngier +Signed-off-by: Catalin Marinas +Signed-off-by: Andre Przywara +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kvm_arm.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/kvm_arm.h ++++ b/arch/arm64/include/asm/kvm_arm.h +@@ -72,11 +72,12 @@ + * IMO: Override CPSR.I and enable signaling with VI + * FMO: Override CPSR.F and enable signaling with VF + * SWIO: Turn set/way invalidates into set/way clean+invalidate ++ * PTW: Take a stage2 fault if a stage1 walk steps in device memory + */ + #define HCR_GUEST_FLAGS (HCR_TSC | HCR_TSW | HCR_TWE | HCR_TWI | HCR_VM | \ + HCR_TVM | HCR_BSU_IS | HCR_FB | HCR_TAC | \ + HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW | HCR_TLOR | \ +- HCR_FMO | HCR_IMO) ++ HCR_FMO | HCR_IMO | HCR_PTW ) + #define HCR_VIRT_EXCP_MASK (HCR_VSE | HCR_VI | HCR_VF) + #define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK) + #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H) diff --git a/queue-5.4/kvm-arm64-survive-synchronous-exceptions-caused-by-at-instructions.patch b/queue-5.4/kvm-arm64-survive-synchronous-exceptions-caused-by-at-instructions.patch new file mode 100644 index 00000000000..98db359e23a --- /dev/null +++ b/queue-5.4/kvm-arm64-survive-synchronous-exceptions-caused-by-at-instructions.patch @@ -0,0 +1,129 @@ +From 88a84ccccb3966bcc3f309cdb76092a9892c0260 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Fri, 21 Aug 2020 15:07:06 +0100 +Subject: KVM: arm64: Survive synchronous exceptions caused by AT instructions + +From: James Morse + +commit 88a84ccccb3966bcc3f309cdb76092a9892c0260 upstream. + +KVM doesn't expect any synchronous exceptions when executing, any such +exception leads to a panic(). AT instructions access the guest page +tables, and can cause a synchronous external abort to be taken. + +The arm-arm is unclear on what should happen if the guest has configured +the hardware update of the access-flag, and a memory type in TCR_EL1 that +does not support atomic operations. B2.2.6 "Possible implementation +restrictions on using atomic instructions" from DDI0487F.a lists +synchronous external abort as a possible behaviour of atomic instructions +that target memory that isn't writeback cacheable, but the page table +walker may behave differently. + +Make KVM robust to synchronous exceptions caused by AT instructions. +Add a get_user() style helper for AT instructions that returns -EFAULT +if an exception was generated. + +While KVM's version of the exception table mixes synchronous and +asynchronous exceptions, only one of these can occur at each location. + +Re-enter the guest when the AT instructions take an exception on the +assumption the guest will take the same exception. This isn't guaranteed +to make forward progress, as the AT instructions may always walk the page +tables, but guest execution may use the translation cached in the TLB. + +This isn't a problem, as since commit 5dcd0fdbb492 ("KVM: arm64: Defer guest +entry when an asynchronous exception is pending"), KVM will return to the +host to process IRQs allowing the rest of the system to keep running. + +Cc: stable@vger.kernel.org # +Reviewed-by: Marc Zyngier +Signed-off-by: Catalin Marinas +Signed-off-by: Andre Przywara +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kvm_asm.h | 28 ++++++++++++++++++++++++++++ + arch/arm64/kvm/hyp/hyp-entry.S | 14 ++++++++++---- + arch/arm64/kvm/hyp/switch.c | 8 ++++---- + 3 files changed, 42 insertions(+), 8 deletions(-) + +--- a/arch/arm64/include/asm/kvm_asm.h ++++ b/arch/arm64/include/asm/kvm_asm.h +@@ -88,6 +88,34 @@ extern u32 __kvm_get_mdcr_el2(void); + *__hyp_this_cpu_ptr(sym); \ + }) + ++#define __KVM_EXTABLE(from, to) \ ++ " .pushsection __kvm_ex_table, \"a\"\n" \ ++ " .align 3\n" \ ++ " .long (" #from " - .), (" #to " - .)\n" \ ++ " .popsection\n" ++ ++ ++#define __kvm_at(at_op, addr) \ ++( { \ ++ int __kvm_at_err = 0; \ ++ u64 spsr, elr; \ ++ asm volatile( \ ++ " mrs %1, spsr_el2\n" \ ++ " mrs %2, elr_el2\n" \ ++ "1: at "at_op", %3\n" \ ++ " isb\n" \ ++ " b 9f\n" \ ++ "2: msr spsr_el2, %1\n" \ ++ " msr elr_el2, %2\n" \ ++ " mov %w0, %4\n" \ ++ "9:\n" \ ++ __KVM_EXTABLE(1b, 2b) \ ++ : "+r" (__kvm_at_err), "=&r" (spsr), "=&r" (elr) \ ++ : "r" (addr), "i" (-EFAULT)); \ ++ __kvm_at_err; \ ++} ) ++ ++ + #else /* __ASSEMBLY__ */ + + .macro hyp_adr_this_cpu reg, sym, tmp +--- a/arch/arm64/kvm/hyp/hyp-entry.S ++++ b/arch/arm64/kvm/hyp/hyp-entry.S +@@ -166,13 +166,19 @@ el1_error: + b __guest_exit + + el2_sync: +- /* Check for illegal exception return, otherwise panic */ ++ /* Check for illegal exception return */ + mrs x0, spsr_el2 ++ tbnz x0, #20, 1f + +- /* if this was something else, then panic! */ +- tst x0, #PSR_IL_BIT +- b.eq __hyp_panic ++ save_caller_saved_regs_vect ++ stp x29, x30, [sp, #-16]! ++ bl kvm_unexpected_el2_exception ++ ldp x29, x30, [sp], #16 ++ restore_caller_saved_regs_vect + ++ eret ++ ++1: + /* Let's attempt a recovery from the illegal exception return */ + get_vcpu_ptr x1, x0 + mov x0, #ARM_EXCEPTION_IL +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -261,10 +261,10 @@ static bool __hyp_text __translate_far_t + * saved the guest context yet, and we may return early... + */ + par = read_sysreg(par_el1); +- asm volatile("at s1e1r, %0" : : "r" (far)); +- isb(); +- +- tmp = read_sysreg(par_el1); ++ if (!__kvm_at("s1e1r", far)) ++ tmp = read_sysreg(par_el1); ++ else ++ tmp = SYS_PAR_EL1_F; /* back to the guest */ + write_sysreg(par, par_el1); + + if (unlikely(tmp & SYS_PAR_EL1_F)) diff --git a/queue-5.4/series b/queue-5.4/series index f9687fcc266..4780790de01 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -3,3 +3,7 @@ hid-core-sanitize-event-code-and-type-when-mapping-input.patch perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch drm-sched-fix-passing-zero-to-ptr_err-warning-v2.patch drm-etnaviv-fix-ts-cache-flushing-on-gpus-with-blt-engine.patch +kvm-arm64-add-kvm_extable-for-vaxorcism-code.patch +kvm-arm64-survive-synchronous-exceptions-caused-by-at-instructions.patch +kvm-arm64-set-hcr_el2.ptw-to-prevent-at-taking-synchronous-exception.patch +dt-bindings-mmc-tegra-add-tmclk-for-tegra210-and-later.patch