release/5.2.22/powerpc-powernv-ioda-Fix-race-in-TCE-level-allocatio.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From c0c3818ebf87e115fab1d3c32d56ecd1068e8c8b Mon Sep 17 00:00:00 2001
 From: Alexey Kardashevskiy <aik@ozlabs.ru>
 Date: Thu, 18 Jul 2019 15:11:36 +1000
 Subject: [PATCH] powerpc/powernv/ioda: Fix race in TCE level allocation

 commit 56090a3902c80c296e822d11acdb6a101b322c52 upstream.

 pnv_tce() returns a pointer to a TCE entry and originally a TCE table
 would be pre-allocated. For the default case of 2GB window the table
 needs only a single level and that is fine. However if more levels are
 requested, it is possible to get a race when 2 threads want a pointer
 to a TCE entry from the same page of TCEs.

 This adds cmpxchg to handle the race. Note that once TCE is non-zero,
 it cannot become zero again.

 Fixes: a68bd1267b72 ("powerpc/powernv/ioda: Allocate indirect TCE levels on demand")
 CC: stable@vger.kernel.org # v4.19+
 Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
 Link: https://lore.kernel.org/r/20190718051139.74787-2-aik@ozlabs.ru
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/arch/powerpc/platforms/powernv/pci-ioda-tce.c b/arch/powerpc/platforms/powernv/pci-ioda-tce.c
 index c75ec37bf0cd..a0b9c0c23ed2 100644
 --- a/arch/powerpc/platforms/powernv/pci-ioda-tce.c
 +++ b/arch/powerpc/platforms/powernv/pci-ioda-tce.c
 @@ -49,6 +49,9 @@ static __be64 *pnv_alloc_tce_level(int nid, unsigned int shift)
  	return addr;
  }

 +static void pnv_pci_ioda2_table_do_free_pages(__be64 *addr,
 +		unsigned long size, unsigned int levels);
 +
  static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc)
  {
  	__be64 *tmp = user ? tbl->it_userspace : (__be64 *) tbl->it_base;
 @@ -58,9 +61,9 @@ static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc)

  	while (level) {
  		int n = (idx & mask) >> (level * shift);
 -		unsigned long tce;
 +		unsigned long oldtce, tce = be64_to_cpu(READ_ONCE(tmp[n]));

 -		if (tmp[n] == 0) {
 +		if (!tce) {
  			__be64 *tmp2;

  			if (!alloc)
 @@ -71,10 +74,15 @@ static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc)
  			if (!tmp2)
  				return NULL;

 -			tmp[n] = cpu_to_be64(__pa(tmp2) |
 -					TCE_PCI_READ | TCE_PCI_WRITE);
 +			tce = __pa(tmp2) | TCE_PCI_READ | TCE_PCI_WRITE;
 +			oldtce = be64_to_cpu(cmpxchg(&tmp[n], 0,
 +					cpu_to_be64(tce)));
 +			if (oldtce) {
 +				pnv_pci_ioda2_table_do_free_pages(tmp2,
 +					ilog2(tbl->it_level_size) + 3, 1);
 +				tce = oldtce;
 +			}
  		}
 -		tce = be64_to_cpu(tmp[n]);

  		tmp = __va(tce & ~(TCE_PCI_READ | TCE_PCI_WRITE));
  		idx &= ~mask;
 --
 2.7.4
	From c0c3818ebf87e115fab1d3c32d56ecd1068e8c8b Mon Sep 17 00:00:00 2001
	From: Alexey Kardashevskiy <aik@ozlabs.ru>
	Date: Thu, 18 Jul 2019 15:11:36 +1000
	Subject: [PATCH] powerpc/powernv/ioda: Fix race in TCE level allocation

	commit 56090a3902c80c296e822d11acdb6a101b322c52 upstream.

	pnv_tce() returns a pointer to a TCE entry and originally a TCE table
	would be pre-allocated. For the default case of 2GB window the table
	needs only a single level and that is fine. However if more levels are
	requested, it is possible to get a race when 2 threads want a pointer
	to a TCE entry from the same page of TCEs.

	This adds cmpxchg to handle the race. Note that once TCE is non-zero,
	it cannot become zero again.

	Fixes: a68bd1267b72 ("powerpc/powernv/ioda: Allocate indirect TCE levels on demand")
	CC: stable@vger.kernel.org # v4.19+
	Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
	Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
	Link: https://lore.kernel.org/r/20190718051139.74787-2-aik@ozlabs.ru
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/arch/powerpc/platforms/powernv/pci-ioda-tce.c b/arch/powerpc/platforms/powernv/pci-ioda-tce.c
	index c75ec37bf0cd..a0b9c0c23ed2 100644
	--- a/arch/powerpc/platforms/powernv/pci-ioda-tce.c
	+++ b/arch/powerpc/platforms/powernv/pci-ioda-tce.c
	@@ -49,6 +49,9 @@ static __be64 *pnv_alloc_tce_level(int nid, unsigned int shift)
	return addr;
	}

	+static void pnv_pci_ioda2_table_do_free_pages(__be64 *addr,
	+ unsigned long size, unsigned int levels);
	+
	static __be64 pnv_tce(struct iommu_table tbl, bool user, long idx, bool alloc)
	{
	__be64 tmp = user ? tbl->it_userspace : (__be64 ) tbl->it_base;
	@@ -58,9 +61,9 @@ static __be64 pnv_tce(struct iommu_table tbl, bool user, long idx, bool alloc)

	while (level) {
	int n = (idx & mask) >> (level * shift);
	- unsigned long tce;
	+ unsigned long oldtce, tce = be64_to_cpu(READ_ONCE(tmp[n]));

	- if (tmp[n] == 0) {
	+ if (!tce) {
	__be64 *tmp2;

	if (!alloc)
	@@ -71,10 +74,15 @@ static __be64 pnv_tce(struct iommu_table tbl, bool user, long idx, bool alloc)
	if (!tmp2)
	return NULL;

	- tmp[n] = cpu_to_be64(__pa(tmp2) \|
	- TCE_PCI_READ \| TCE_PCI_WRITE);
	+ tce = __pa(tmp2) \| TCE_PCI_READ \| TCE_PCI_WRITE;
	+ oldtce = be64_to_cpu(cmpxchg(&tmp[n], 0,
	+ cpu_to_be64(tce)));
	+ if (oldtce) {
	+ pnv_pci_ioda2_table_do_free_pages(tmp2,
	+ ilog2(tbl->it_level_size) + 3, 1);
	+ tce = oldtce;
	+ }
	}
	- tce = be64_to_cpu(tmp[n]);

	tmp = __va(tce & ~(TCE_PCI_READ \| TCE_PCI_WRITE));
	idx &= ~mask;
	--
	2.7.4