From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Murilo Opsfelder Araujo, "Aneesh Kumar K.V", Michael Ellerman, Sasha Levin
Subject: [PATCH 5.11 128/152] powerpc/mm/book3s64: Use the correct storage key value when calling H_PROTECT
Date: Mon, 5 Apr 2021 10:54:37 +0200
Message-Id: <20210405085038.386202343@linuxfoundation.org>
In-Reply-To: <20210405085034.233917714@linuxfoundation.org>
References: <20210405085034.233917714@linuxfoundation.org>

From: Aneesh Kumar K.V

[ Upstream commit 53f1d31708f6240e4615b0927df31f182e389e2f ]

H_PROTECT expects the flag value to include flags:
  AVPN, pp0, pp1, pp2, key0-key4, Noexec, CMO Option flags

This patch updates hpte_updatepp() to fetch the storage key value from
the linux page table and use the same in H_PROTECT hcall.

native_hpte_updatepp() is not updated because the kernel doesn't clear
the existing storage key value there. The kernel also doesn't use
hpte_updatepp() callback for updating storage keys.

This fixes the below kernel crash observed with KUAP enabled.

  BUG: Unable to handle kernel data access on write at 0xc009fffffc440000
  Faulting instruction address: 0xc0000000000b7030
  Key fault AMR: 0xfcffffffffffffff IAMR: 0xc0000077bc498100
  Found HPTE: v = 0x40070adbb6fffc05 r = 0x1ffffffffff1194
  Oops: Kernel access of bad area, sig: 11 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
  ...
  CFAR: c000000000010100 DAR: c009fffffc440000 DSISR: 02200000 IRQMASK: 0
  ...
  NIP memset+0x68/0x104
  LR pcpu_alloc+0x54c/0xb50
  Call Trace:
    pcpu_alloc+0x55c/0xb50 (unreliable)
    blk_stat_alloc_callback+0x94/0x150
    blk_mq_init_allocated_queue+0x64/0x560
    blk_mq_init_queue+0x54/0xb0
    scsi_mq_alloc_queue+0x30/0xa0
    scsi_alloc_sdev+0x1cc/0x300
    scsi_probe_and_add_lun+0xb50/0x1020
    __scsi_scan_target+0x17c/0x790
    scsi_scan_channel+0x90/0xe0
    scsi_scan_host_selected+0x148/0x1f0
    do_scan_async+0x2c/0x2a0
    async_run_entry_fn+0x78/0x220
    process_one_work+0x264/0x540
    worker_thread+0xa8/0x600
    kthread+0x190/0x1a0
    ret_from_kernel_thread+0x5c/0x6c

With KUAP enabled the kernel uses storage key 3 for all its
translations. But as shown by the debug print, in this specific case we
have the hash page table entry created with key value 0.

  Found HPTE: v = 0x40070adbb6fffc05 r = 0x1ffffffffff1194

and DSISR indicates a key fault.

This can happen due to parallel fault on the same EA by different CPUs:

  CPU 0                         CPU 1
  fault on X

  H_PAGE_BUSY set
                                fault on X

  finish fault handling and
  clear H_PAGE_BUSY
                                check for H_PAGE_BUSY
                                continue with fault handling.

This implies CPU1 will end up calling hpte_updatepp for address X
and the kernel updated the hash pte entry with key 0

Fixes: d94b827e89dc ("powerpc/book3s64/kuap: Use Key 3 for kernel mapping with hash translation")
Reported-by: Murilo Opsfelder Araujo
Signed-off-by: Aneesh Kumar K.V
Debugged-by: Michael Ellerman
Signed-off-by: Michael Ellerman
Link: https://lore.kernel.org/r/20210326070755.304625-1-aneesh.kumar@linux.ibm.com
Signed-off-by: Sasha Levin
--- arch/powerpc/platforms/pseries/lpar.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c index 764170fdb0f7..3805519a6469 100644 --- a/arch/powerpc/platforms/pseries/lpar.c +++ b/arch/powerpc/platforms/pseries/lpar.c @@ -887,7 +887,8 @@ static long pSeries_lpar_hpte_updatepp(unsigned long slot, want_v = hpte_encode_avpn(vpn, psize, ssize); - flags = (newpp & 7) | H_AVPN; + flags = (newpp & (HPTE_R_PP | HPTE_R_N | HPTE_R_KEY_LO)) | H_AVPN; + flags |= (newpp & HPTE_R_KEY_HI) >> 48; if (mmu_has_feature(MMU_FTR_KERNEL_RO)) /* Move pp0 into bit 8 (IBM 55) */ flags |= (newpp & HPTE_R_PP0) >> 55; -- 2.30.2
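
Review bot: the added line "flags |= (newpp & HPTE_R_KEY_HI) >> 48;" in pSeries_lpar_hpte_updatepp() uses a bare shift count with no comment, while the pp0 line directly below it documents its shift as "Move pp0 into bit 8 (IBM 55)". A matching one-line comment naming the H_PROTECT flag bits that the high key bits are moved into, or a named shift constant, would let a reader check the mapping against the flag list in the commit message (AVPN, pp0, pp1, pp2, key0-key4, Noexec, CMO Option flags). The widened mask on the preceding line has the same gap: it passes HPTE_R_PP, HPTE_R_N and HPTE_R_KEY_LO through unshifted, which assumes those bits already sit where the hcall expects them, and a short comment saying so would make that assumption explicit next to the code that depends on it.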