| From 784edf6bc8b9169450287c033592f1748c512e3a Mon Sep 17 00:00:00 2001 |
| From: Heiko Carstens <heiko.carstens@de.ibm.com> |
| Date: Mon, 18 Nov 2019 13:09:52 +0100 |
| Subject: [PATCH] s390/smp,vdso: fix ASCE handling |
| |
| commit a2308c11ecbc3471ebb7435ee8075815b1502ef0 upstream. |
| |
| When a secondary CPU is brought up it must initialize its control |
| registers. CPU A which triggers that a secondary CPU B is brought up |
| stores its control register contents into the lowcore of new CPU B, |
| which then loads these values on startup. |
| |
| This is problematic in various ways: the control register which |
| contains the home space ASCE will correctly contain the kernel ASCE; |
| however control registers for primary and secondary ASCEs are |
| initialized with whatever values were present in CPU A. |
| |
| Typically: |
| - the primary ASCE will contain the user process ASCE of the process |
| that triggered onlining of CPU B. |
| - the secondary ASCE will contain the percpu VDSO ASCE of CPU A. |
| |
| Due to lazy ASCE handling we may also end up with other combinations. |
| |
| When CPU B then switches to a different process (!= idle) it will |
| fixup the primary ASCE. However the problem is that the (wrong) ASCE |
| from CPU A was loaded into control register 1: as soon as an ASCE is |
| attached (aka loaded) a CPU is free to generate TLB entries using that |
| address space. |
| Even though it is very unlikely that CPU B will actually generate such |
| entries, this could result in TLB entries of the address space of the |
| process that ran on CPU A. These entries shouldn't exist at all and |
| could cause problems later on. |
| |
| Furthermore the secondary ASCE of CPU B will not be updated correctly. |
| This means that processes may see wrong results or even crash if they |
| access VDSO data on CPU B. The correct VDSO ASCE will eventually be |
| loaded on return to user space as soon as the kernel executed a call |
| to strnlen_user or an atomic futex operation on CPU B. |
| |
| Fix both issues by initializing the to-be-loaded control register |
| contents with the correct ASCEs and also enforce (re-)loading of the |
| ASCEs upon first context switch and return to user space. |
| |
| Fixes: 0aaba41b58bc ("s390: remove all code using the access register mode") |
| Cc: stable@vger.kernel.org # v4.15+ |
| Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> |
| Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c |
| index 35fafa2b91a8..fd742511985a 100644 |
| --- a/arch/s390/kernel/smp.c |
| +++ b/arch/s390/kernel/smp.c |
| @@ -266,10 +266,13 @@ static void pcpu_prepare_secondary(struct pcpu *pcpu, int cpu) |
| lc->spinlock_index = 0; |
| lc->percpu_offset = __per_cpu_offset[cpu]; |
| lc->kernel_asce = S390_lowcore.kernel_asce; |
| + lc->user_asce = S390_lowcore.kernel_asce; |
| lc->machine_flags = S390_lowcore.machine_flags; |
| lc->user_timer = lc->system_timer = |
| lc->steal_timer = lc->avg_steal_timer = 0; |
| __ctl_store(lc->cregs_save_area, 0, 15); |
| + lc->cregs_save_area[1] = lc->kernel_asce; |
| + lc->cregs_save_area[7] = lc->vdso_asce; |
| save_access_regs((unsigned int *) lc->access_regs_save_area); |
| memcpy(lc->stfle_fac_list, S390_lowcore.stfle_fac_list, |
| sizeof(lc->stfle_fac_list)); |
| @@ -820,6 +823,8 @@ static void smp_init_secondary(void) |
| |
| S390_lowcore.last_update_clock = get_tod_clock(); |
| restore_access_regs(S390_lowcore.access_regs_save_area); |
| + set_cpu_flag(CIF_ASCE_PRIMARY); |
| + set_cpu_flag(CIF_ASCE_SECONDARY); |
| cpu_init(); |
| preempt_disable(); |
| init_cpu_timer(); |
| -- |
| 2.7.4 |
| |