This is a note to let you know that I've just added the patch titled sparc64: Fix illegal relative branches in hypervisor patched TLB cross-call code. to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: sparc64-fix-illegal-relative-branches-in-hypervisor-patched-tlb-cross-call-code.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Sat Nov 19 09:52:37 CET 2016 From: "David S. Miller" <davem@xxxxxxxxxxxxx> Date: Wed, 26 Oct 2016 10:20:14 -0700 Subject: sparc64: Fix illegal relative branches in hypervisor patched TLB cross-call code. From: "David S. Miller" <davem@xxxxxxxxxxxxx> [ Upstream commit a236441bb69723032db94128761a469030c3fe6d ] Just like the non-cross-call TLB flush handlers, the cross-call ones need to avoid doing PC-relative branches outside of their code blocks. Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- arch/sparc/mm/ultra.S | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) --- a/arch/sparc/mm/ultra.S +++ b/arch/sparc/mm/ultra.S @@ -484,7 +484,7 @@ cheetah_patch_cachetlbops: */ .align 32 .globl xcall_flush_tlb_mm -xcall_flush_tlb_mm: /* 21 insns */ +xcall_flush_tlb_mm: /* 24 insns */ mov PRIMARY_CONTEXT, %g2 ldxa [%g2] ASI_DMMU, %g3 srlx %g3, CTX_PGSZ1_NUC_SHIFT, %g4 @@ -506,9 +506,12 @@ xcall_flush_tlb_mm: /* 21 insns */ nop nop nop + nop + nop + nop .globl xcall_flush_tlb_page -xcall_flush_tlb_page: /* 17 insns */ +xcall_flush_tlb_page: /* 20 insns */ /* %g5=context, %g1=vaddr */ mov PRIMARY_CONTEXT, %g4 ldxa [%g4] ASI_DMMU, %g2 
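Review bot: The count in the relabelled `xcall_flush_tlb_mm: /* 24 insns */` line is only a comment, yet it has to agree with the three `nop` lines of padding added in the next hunk and with the `mov 24, %o2` handed to tlb_patch_one in the hypervisor_patch_cachetlbops hunk at the end of the patch; the same triple exists for xcall_flush_tlb_page (20) and xcall_flush_tlb_kernel_range (28). Nothing checks that the padded target, the `__hypervisor_xcall_*` source block and the count passed to tlb_patch_one are the same length, so a later edit that grows one of the hypervisor bodies without touching the padding or the literal would presumably copy a truncated handler. A shared assembler symbol such as `XCALL_FLUSH_TLB_MM_INSNS = 24`, used as `mov XCALL_FLUSH_TLB_MM_INSNS, %o2` and in a comment on the block, or an assembler-time `.if` / `.error` size check after each block, would keep the three in step. The xcall_flush_tlb_mm block continues past this hunk.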
@@ -527,9 +530,12 @@ xcall_flush_tlb_page: /* 17 insns */ retry nop nop + nop + nop + nop .globl xcall_flush_tlb_kernel_range -xcall_flush_tlb_kernel_range: /* 25 insns */ +xcall_flush_tlb_kernel_range: /* 28 insns */ sethi %hi(PAGE_SIZE - 1), %g2 or %g2, %lo(PAGE_SIZE - 1), %g2 andn %g1, %g2, %g1 @@ -555,6 +561,9 @@ xcall_flush_tlb_kernel_range: /* 25 insn nop nop nop + nop + nop + nop /* This runs in a very controlled environment, so we do * not need to worry about BH races etc. @@ -737,7 +746,7 @@ __hypervisor_tlb_xcall_error: ba,a,pt %xcc, rtrap .globl __hypervisor_xcall_flush_tlb_mm -__hypervisor_xcall_flush_tlb_mm: /* 21 insns */ +__hypervisor_xcall_flush_tlb_mm: /* 24 insns */ /* %g5=ctx, g1,g2,g3,g4,g7=scratch, %g6=unusable */ mov %o0, %g2 mov %o1, %g3 @@ -751,7 +760,7 @@ __hypervisor_xcall_flush_tlb_mm: /* 21 i mov HV_FAST_MMU_DEMAP_CTX, %o5 ta HV_FAST_TRAP mov HV_FAST_MMU_DEMAP_CTX, %g6 - brnz,pn %o0, __hypervisor_tlb_xcall_error + brnz,pn %o0, 1f mov %o0, %g5 mov %g2, %o0 mov %g3, %o1 @@ -760,9 +769,12 @@ __hypervisor_xcall_flush_tlb_mm: /* 21 i mov %g7, %o5 membar #Sync retry +1: sethi %hi(__hypervisor_tlb_xcall_error), %g4 + jmpl %g4 + %lo(__hypervisor_tlb_xcall_error), %g0 + nop .globl __hypervisor_xcall_flush_tlb_page -__hypervisor_xcall_flush_tlb_page: /* 17 insns */ +__hypervisor_xcall_flush_tlb_page: /* 20 insns */ /* %g5=ctx, %g1=vaddr */ mov %o0, %g2 mov %o1, %g3 
@@ -774,16 +786,19 @@ __hypervisor_xcall_flush_tlb_page: /* 17 sllx %o0, PAGE_SHIFT, %o0 ta HV_MMU_UNMAP_ADDR_TRAP mov HV_MMU_UNMAP_ADDR_TRAP, %g6 - brnz,a,pn %o0, __hypervisor_tlb_xcall_error + brnz,a,pn %o0, 1f mov %o0, %g5 mov %g2, %o0 mov %g3, %o1 mov %g4, %o2 membar #Sync retry +1: sethi %hi(__hypervisor_tlb_xcall_error), %g4 + jmpl %g4 + %lo(__hypervisor_tlb_xcall_error), %g0 + nop .globl __hypervisor_xcall_flush_tlb_kernel_range -__hypervisor_xcall_flush_tlb_kernel_range: /* 25 insns */ +__hypervisor_xcall_flush_tlb_kernel_range: /* 28 insns */ /* %g1=start, %g7=end, g2,g3,g4,g5,g6=scratch */ sethi %hi(PAGE_SIZE - 1), %g2 or %g2, %lo(PAGE_SIZE - 1), %g2 @@ -800,7 +815,7 @@ __hypervisor_xcall_flush_tlb_kernel_rang mov HV_MMU_ALL, %o2 /* ARG2: flags */ ta HV_MMU_UNMAP_ADDR_TRAP mov HV_MMU_UNMAP_ADDR_TRAP, %g6 - brnz,pn %o0, __hypervisor_tlb_xcall_error + brnz,pn %o0, 1f mov %o0, %g5 sethi %hi(PAGE_SIZE), %o2 brnz,pt %g3, 1b @@ -810,6 +825,9 @@ __hypervisor_xcall_flush_tlb_kernel_rang mov %g7, %o2 membar #Sync retry +1: sethi %hi(__hypervisor_tlb_xcall_error), %g4 + jmpl %g4 + %lo(__hypervisor_tlb_xcall_error), %g0 + nop /* These just get rescheduled to PIL vectors. */ .globl xcall_call_function 
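Review bot: The new `1:` trampoline writes `%g4` on the way to the error handler, and in `__hypervisor_xcall_flush_tlb_page` `%g4` is not scratch but the saved caller `%o2` (the success path restores it with `mov %g4, %o2`); the same three-line sequence is added in `__hypervisor_xcall_flush_tlb_mm` and `__hypervisor_xcall_flush_tlb_kernel_range`. This looks safe only because `__hypervisor_tlb_xcall_error` ends in `ba,a,pt %xcc, rtrap` (visible as context in the 737 hunk) and so never resumes the register-restore sequence, a dependency that is not recorded anywhere near the trampoline. A comment on the new label, e.g. `/* %g4 is dead here: the error path ends in rtrap and never returns to the restore sequence above */`, would make it explicit, and the `_page` block's header `/* %g5=ctx, %g1=vaddr */` could also list `%g4=saved %o2`. The `__hypervisor_xcall_flush_tlb_mm` block begins in an earlier hunk, and the `_page` block's label and first instructions sit at the tail of the preceding hunk.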
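Review bot: `brnz,pn %o0, 1f` now targets the new error trampoline while `brnz,pt %g3, 1b` two lines below still targets the loop head implied by that backward reference, so the same numeric label `1` serves two unrelated purposes inside one 28-instruction block; GAS resolves each by direction, but a reader scanning for the loop exit will readily pair `1f` with the loop. Renaming the trampoline to `2:` and the branch to `brnz,pn %o0, 2f`, and for consistency doing the same in the `_mm` and `_page` trampolines, costs nothing and removes the ambiguity. The loop head and the end of `__hypervisor_xcall_flush_tlb_kernel_range` lie outside this hunk; the trampoline itself is added in the following hunk.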
@@ -894,21 +912,21 @@ hypervisor_patch_cachetlbops: sethi %hi(__hypervisor_xcall_flush_tlb_mm), %o1 or %o1, %lo(__hypervisor_xcall_flush_tlb_mm), %o1 call tlb_patch_one - mov 21, %o2 + mov 24, %o2 sethi %hi(xcall_flush_tlb_page), %o0 or %o0, %lo(xcall_flush_tlb_page), %o0 sethi %hi(__hypervisor_xcall_flush_tlb_page), %o1 or %o1, %lo(__hypervisor_xcall_flush_tlb_page), %o1 call tlb_patch_one - mov 17, %o2 + mov 20, %o2 sethi %hi(xcall_flush_tlb_kernel_range), %o0 or %o0, %lo(xcall_flush_tlb_kernel_range), %o0 sethi %hi(__hypervisor_xcall_flush_tlb_kernel_range), %o1 or %o1, %lo(__hypervisor_xcall_flush_tlb_kernel_range), %o1 call tlb_patch_one - mov 25, %o2 + mov 28, %o2 #endif /* CONFIG_SMP */ ret Patches currently in stable-queue which might be from davem@xxxxxxxxxxxxx are queue-4.4/sparc64-delete-now-unused-user-copy-fixup-functions.patch queue-4.4/net-__skb_flow_dissect-must-cap-its-return-value.patch queue-4.4/tcp-take-care-of-truncations-done-by-sk_filter.patch queue-4.4/net-clear-sk_err_soft-in-sk_clone_lock.patch queue-4.4/sparc64-convert-copy_in_user-to-accurate-exception-reporting.patch queue-4.4/sparc64-handle-extremely-large-kernel-tlb-range-flushes-more-gracefully.patch queue-4.4/sparc-handle-negative-offsets-in-arch_jump_label_transform.patch queue-4.4/sparc64-delete-__ret_efault.patch queue-4.4/dctcp-avoid-bogus-doubling-of-cwnd-after-loss.patch queue-4.4/sparc64-delete-now-unused-user-copy-assembler-helpers.patch queue-4.4/net-mangle-zero-checksum-in-skb_checksum_help.patch queue-4.4/sparc64-mm-fix-base-tsb-sizing-when-hugetlb-pages-are-used.patch queue-4.4/ip6_tunnel-clear-ip6cb-in-ip6tunnel_xmit.patch queue-4.4/sctp-assign-assoc_id-earlier-in-__sctp_connect.patch queue-4.4/sparc64-convert-ng4copy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/ipv6-dccp-fix-out-of-bound-access-in-dccp_v6_err.patch queue-4.4/sparc64-convert-u3copy_-from-to-_user-to-accurate-exception-reporting.patch 
queue-4.4/sparc64-convert-ng2copy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/sparc64-fix-illegal-relative-branches-in-hypervisor-patched-tlb-code.patch queue-4.4/sparc64-convert-gencopy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/sparc64-convert-u1copy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/sparc-don-t-leak-context-bits-into-thread-fault_address.patch queue-4.4/sparc64-prepare-to-move-to-more-saner-user-copy-exception-handling.patch queue-4.4/bgmac-stop-clearing-dma-receive-control-register-right-after-it-is-set.patch queue-4.4/ipv6-dccp-add-missing-bind_conflict-to-dccp_ipv6_mapped.patch queue-4.4/tcp-fix-potential-memory-corruption.patch queue-4.4/sparc64-convert-ngcopy_-from-to-_user-to-accurate-exception-reporting.patch queue-4.4/fib_trie-correct-proc-net-route-off-by-one-error.patch queue-4.4/sparc64-fix-illegal-relative-branches-in-hypervisor-patched-tlb-cross-call-code.patch queue-4.4/sparc64-handle-extremely-large-kernel-tsb-range-flushes-sanely.patch queue-4.4/sparc64-fix-instruction-count-in-comment-for-__hypervisor_flush_tlb_pending.patch queue-4.4/sparc-serial-sunhv-fix-a-double-lock-bug.patch queue-4.4/dccp-do-not-send-reset-to-already-closed-sockets.patch queue-4.4/ipv4-use-new_gw-for-redirect-neigh-lookup.patch queue-4.4/dccp-fix-out-of-bound-access-in-dccp_v4_err.patch queue-4.4/sock-fix-sendmmsg-for-partial-sendmsg.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html