Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
From:   Sasha Levin <Alexander.Levin@microsoft.com>
To:     "stable@vger.kernel.org" <stable@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
CC:     David Hildenbrand <david@redhat.com>,
        Christian Borntraeger <borntraeger@de.ibm.com>,
        Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 4.14 069/161] KVM: s390: vsie: use READ_ONCE to
 access some SCB fields
Thread-Topic: [PATCH AUTOSEL for 4.14 069/161] KVM: s390: vsie: use READ_ONCE
 to access some SCB fields
Thread-Index: AQHTz5iYElVPrhnqi0OQxZqYJt5WjQ==
Date:   Mon, 9 Apr 2018 00:20:42 +0000
Message-ID: <20180409001936.162706-69-alexander.levin@microsoft.com>
References: <20180409001936.162706-1-alexander.levin@microsoft.com>
In-Reply-To: <20180409001936.162706-1-alexander.levin@microsoft.com>
Accept-Language: en-US
Content-Language: en-US
received-spf: None (protection.outlook.com: microsoft.com does not designate
 permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 6b113038-4229-4e6e-ab91-08d59db027dd
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Apr 2018 00:20:42.4566
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR2101MB1080
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Hildenbrand <david@redhat.com>

[ Upstream commit b3ecd4aa8632a86428605ab73393d14779019d82 ]

Another VCPU might try to modify the SCB while we are creating the
shadow SCB. In general this is no problem - unless the compiler decides
to not load values once, but e.g. twice.

For us, this is only relevant when checking/working with such values.
E.g. the prefix value, the mso, state of transactional execution and
addresses of satellite blocks.

E.g. if we blindly forward values (e.g. general purpose registers or
execution controls after masking), we don't care.

Leaving unpin_blocks() untouched for now, will handle it separately.

The worst thing right now that I can see would be a missed prefix
un/remap (mso, prefix, tx) or using wrong guest addresses. Nothing
critical, but let's try to avoid unpredictable behavior.

Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20180116171526.12343-2-david@redhat.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Acked-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 arch/s390/kvm/vsie.c | 50 +++++++++++++++++++++++++++++++-----------------=
--
 1 file changed, 31 insertions(+), 19 deletions(-)

diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c
index b18b5652e5c5..a74204db759b 100644
--- a/arch/s390/kvm/vsie.c
+++ b/arch/s390/kvm/vsie.c
@@ -31,7 +31,11 @@ struct vsie_page {
 	 * the same offset as that in struct sie_page!
 	 */
 	struct mcck_volatile_info mcck_info;    /* 0x0200 */
-	/* the pinned originial scb */
+	/*
+	 * The pinned original scb. Be aware that other VCPUs can modify
+	 * it while we read from it. Values that are used for conditions or
+	 * are reused conditionally, should be accessed via READ_ONCE.
+	 */
 	struct kvm_s390_sie_block *scb_o;	/* 0x0218 */
 	/* the shadow gmap in use by the vsie_page */
 	struct gmap *gmap;			/* 0x0220 */
@@ -143,12 +147,13 @@ static int shadow_crycb(struct kvm_vcpu *vcpu, struct=
 vsie_page *vsie_page)
 {
 	struct kvm_s390_sie_block *scb_s =3D &vsie_page->scb_s;
 	struct kvm_s390_sie_block *scb_o =3D vsie_page->scb_o;
-	u32 crycb_addr =3D scb_o->crycbd & 0x7ffffff8U;
+	const uint32_t crycbd_o =3D READ_ONCE(scb_o->crycbd);
+	const u32 crycb_addr =3D crycbd_o & 0x7ffffff8U;
 	unsigned long *b1, *b2;
 	u8 ecb3_flags;
=20
 	scb_s->crycbd =3D 0;
-	if (!(scb_o->crycbd & vcpu->arch.sie_block->crycbd & CRYCB_FORMAT1))
+	if (!(crycbd_o & vcpu->arch.sie_block->crycbd & CRYCB_FORMAT1))
 		return 0;
 	/* format-1 is supported with message-security-assist extension 3 */
 	if (!test_kvm_facility(vcpu->kvm, 76))
@@ -186,12 +191,15 @@ static void prepare_ibc(struct kvm_vcpu *vcpu, struct=
 vsie_page *vsie_page)
 {
 	struct kvm_s390_sie_block *scb_s =3D &vsie_page->scb_s;
 	struct kvm_s390_sie_block *scb_o =3D vsie_page->scb_o;
+	/* READ_ONCE does not work on bitfields - use a temporary variable */
+	const uint32_t __new_ibc =3D scb_o->ibc;
+	const uint32_t new_ibc =3D READ_ONCE(__new_ibc) & 0x0fffU;
 	__u64 min_ibc =3D (sclp.ibc >> 16) & 0x0fffU;
=20
 	scb_s->ibc =3D 0;
 	/* ibc installed in g2 and requested for g3 */
-	if (vcpu->kvm->arch.model.ibc && (scb_o->ibc & 0x0fffU)) {
-		scb_s->ibc =3D scb_o->ibc & 0x0fffU;
+	if (vcpu->kvm->arch.model.ibc && new_ibc) {
+		scb_s->ibc =3D new_ibc;
 		/* takte care of the minimum ibc level of the machine */
 		if (scb_s->ibc < min_ibc)
 			scb_s->ibc =3D min_ibc;
@@ -256,6 +264,10 @@ static int shadow_scb(struct kvm_vcpu *vcpu, struct vs=
ie_page *vsie_page)
 {
 	struct kvm_s390_sie_block *scb_o =3D vsie_page->scb_o;
 	struct kvm_s390_sie_block *scb_s =3D &vsie_page->scb_s;
+	/* READ_ONCE does not work on bitfields - use a temporary variable */
+	const uint32_t __new_prefix =3D scb_o->prefix;
+	const uint32_t new_prefix =3D READ_ONCE(__new_prefix);
+	const bool wants_tx =3D READ_ONCE(scb_o->ecb) & ECB_TE;
 	bool had_tx =3D scb_s->ecb & ECB_TE;
 	unsigned long new_mso =3D 0;
 	int rc;
@@ -302,14 +314,14 @@ static int shadow_scb(struct kvm_vcpu *vcpu, struct v=
sie_page *vsie_page)
 	scb_s->icpua =3D scb_o->icpua;
=20
 	if (!(atomic_read(&scb_s->cpuflags) & CPUSTAT_SM))
-		new_mso =3D scb_o->mso & 0xfffffffffff00000UL;
+		new_mso =3D READ_ONCE(scb_o->mso) & 0xfffffffffff00000UL;
 	/* if the hva of the prefix changes, we have to remap the prefix */
-	if (scb_s->mso !=3D new_mso || scb_s->prefix !=3D scb_o->prefix)
+	if (scb_s->mso !=3D new_mso || scb_s->prefix !=3D new_prefix)
 		prefix_unmapped(vsie_page);
 	 /* SIE will do mso/msl validity and exception checks for us */
 	scb_s->msl =3D scb_o->msl & 0xfffffffffff00000UL;
 	scb_s->mso =3D new_mso;
-	scb_s->prefix =3D scb_o->prefix;
+	scb_s->prefix =3D new_prefix;
=20
 	/* We have to definetly flush the tlb if this scb never ran */
 	if (scb_s->ihcpu !=3D 0xffffU)
@@ -321,11 +333,11 @@ static int shadow_scb(struct kvm_vcpu *vcpu, struct v=
sie_page *vsie_page)
 	if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_ESOP))
 		scb_s->ecb |=3D scb_o->ecb & ECB_HOSTPROTINT;
 	/* transactional execution */
-	if (test_kvm_facility(vcpu->kvm, 73)) {
+	if (test_kvm_facility(vcpu->kvm, 73) && wants_tx) {
 		/* remap the prefix is tx is toggled on */
-		if ((scb_o->ecb & ECB_TE) && !had_tx)
+		if (!had_tx)
 			prefix_unmapped(vsie_page);
-		scb_s->ecb |=3D scb_o->ecb & ECB_TE;
+		scb_s->ecb |=3D ECB_TE;
 	}
 	/* SIMD */
 	if (test_kvm_facility(vcpu->kvm, 129)) {
@@ -544,9 +556,9 @@ static int pin_blocks(struct kvm_vcpu *vcpu, struct vsi=
e_page *vsie_page)
 	gpa_t gpa;
 	int rc =3D 0;
=20
-	gpa =3D scb_o->scaol & ~0xfUL;
+	gpa =3D READ_ONCE(scb_o->scaol) & ~0xfUL;
 	if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_64BSCAO))
-		gpa |=3D (u64) scb_o->scaoh << 32;
+		gpa |=3D (u64) READ_ONCE(scb_o->scaoh) << 32;
 	if (gpa) {
 		if (!(gpa & ~0x1fffUL))
 			rc =3D set_validity_icpt(scb_s, 0x0038U);
@@ -566,7 +578,7 @@ static int pin_blocks(struct kvm_vcpu *vcpu, struct vsi=
e_page *vsie_page)
 		scb_s->scaol =3D (u32)(u64)hpa;
 	}
=20
-	gpa =3D scb_o->itdba & ~0xffUL;
+	gpa =3D READ_ONCE(scb_o->itdba) & ~0xffUL;
 	if (gpa && (scb_s->ecb & ECB_TE)) {
 		if (!(gpa & ~0x1fffU)) {
 			rc =3D set_validity_icpt(scb_s, 0x0080U);
@@ -581,7 +593,7 @@ static int pin_blocks(struct kvm_vcpu *vcpu, struct vsi=
e_page *vsie_page)
 		scb_s->itdba =3D hpa;
 	}
=20
-	gpa =3D scb_o->gvrd & ~0x1ffUL;
+	gpa =3D READ_ONCE(scb_o->gvrd) & ~0x1ffUL;
 	if (gpa && (scb_s->eca & ECA_VX) && !(scb_s->ecd & ECD_HOSTREGMGMT)) {
 		if (!(gpa & ~0x1fffUL)) {
 			rc =3D set_validity_icpt(scb_s, 0x1310U);
@@ -599,7 +611,7 @@ static int pin_blocks(struct kvm_vcpu *vcpu, struct vsi=
e_page *vsie_page)
 		scb_s->gvrd =3D hpa;
 	}
=20
-	gpa =3D scb_o->riccbd & ~0x3fUL;
+	gpa =3D READ_ONCE(scb_o->riccbd) & ~0x3fUL;
 	if (gpa && (scb_s->ecb3 & ECB3_RI)) {
 		if (!(gpa & ~0x1fffUL)) {
 			rc =3D set_validity_icpt(scb_s, 0x0043U);
@@ -617,8 +629,8 @@ static int pin_blocks(struct kvm_vcpu *vcpu, struct vsi=
e_page *vsie_page)
 	if ((scb_s->ecb & ECB_GS) && !(scb_s->ecd & ECD_HOSTREGMGMT)) {
 		unsigned long sdnxc;
=20
-		gpa =3D scb_o->sdnxo & ~0xfUL;
-		sdnxc =3D scb_o->sdnxo & 0xfUL;
+		gpa =3D READ_ONCE(scb_o->sdnxo) & ~0xfUL;
+		sdnxc =3D READ_ONCE(scb_o->sdnxo) & 0xfUL;
 		if (!gpa || !(gpa & ~0x1fffUL)) {
 			rc =3D set_validity_icpt(scb_s, 0x10b0U);
 			goto unpin;
@@ -785,7 +797,7 @@ static void retry_vsie_icpt(struct vsie_page *vsie_page=
)
 static int handle_stfle(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page=
)
 {
 	struct kvm_s390_sie_block *scb_s =3D &vsie_page->scb_s;
-	__u32 fac =3D vsie_page->scb_o->fac & 0x7ffffff8U;
+	__u32 fac =3D READ_ONCE(vsie_page->scb_o->fac) & 0x7ffffff8U;
=20
 	if (fac && test_kvm_facility(vcpu->kvm, 7)) {
 		retry_vsie_icpt(vsie_page);
--=20
2.15.1