This is a note to let you know that I've just added the patch titled
sparc64: Fix corrupted thread fault code.
to the 3.16-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
sparc64-fix-corrupted-thread-fault-code.patch
and it can be found in the queue-3.16 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Tue Oct 28 11:19:22 CST 2014
From: "David S. Miller" <davem@xxxxxxxxxxxxx>
Date: Sat, 18 Oct 2014 23:03:09 -0400
Subject: sparc64: Fix corrupted thread fault code.
From: "David S. Miller" <davem@xxxxxxxxxxxxx>
[ Upstream commit 84bd6d8b9c0f06b3f188efb479c77e20f05e9a8a ]
Every path that ends up at do_sparc64_fault() must install a valid
FAULT_CODE_* bitmask in the per-thread fault code byte.
Two paths leading to the label winfix_trampoline (which expects the
FAULT_CODE_* mask in register %g4) were not doing so:
1) For pre-hypervisor TLB protection violation traps, if we took
the 'winfix_trampoline' path we wouldn't have %g4 initialized
with the FAULT_CODE_* value yet. Resulting in using the
TLB_TAG_ACCESS register address value instead.
2) In the TSB miss path, when we notice that we are going to use a
hugepage mapping, but we haven't allocated the hugepage TSB yet, we
still have to take the window fixup case into consideration and
in that particular path we leave %g4 not setup properly.
Errors on this sort were largely invisible previously, but after
commit 4ccb9272892c33ef1c19a783cfa87103b30c2784 ("sparc64: sun4v TLB
error power off events") we now have a fault_code mask bit
(FAULT_CODE_BAD_RA) that triggers due to this bug.
FAULT_CODE_BAD_RA triggers because this bit is set in TLB_TAG_ACCESS
(see #1 above) and thus we get seemingly random bus errors triggered
for user processes.
Fixes: 4ccb9272892c ("sparc64: sun4v TLB error power off events")
Reported-by: Meelis Roos <mroos@xxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
arch/sparc/kernel/dtlb_prot.S | 6 +++---
arch/sparc/kernel/tsb.S | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
--- a/arch/sparc/kernel/dtlb_prot.S
+++ b/arch/sparc/kernel/dtlb_prot.S
@@ -24,11 +24,11 @@
mov TLB_TAG_ACCESS, %g4 ! For reload of vaddr
/* PROT ** ICACHE line 2: More real fault processing */
+ ldxa [%g4] ASI_DMMU, %g5 ! Put tagaccess in %g5
bgu,pn %xcc, winfix_trampoline ! Yes, perform winfixup
- ldxa [%g4] ASI_DMMU, %g5 ! Put tagaccess in %g5
- ba,pt %xcc, sparc64_realfault_common ! Nope, normal fault
mov FAULT_CODE_DTLB | FAULT_CODE_WRITE, %g4
- nop
+ ba,pt %xcc, sparc64_realfault_common ! Nope, normal fault
+ nop
nop
nop
nop
--- a/arch/sparc/kernel/tsb.S
+++ b/arch/sparc/kernel/tsb.S
@@ -162,10 +162,10 @@ tsb_miss_page_table_walk_sun4v_fastpath:
nop
.previous
- rdpr %tl, %g3
- cmp %g3, 1
+ rdpr %tl, %g7
+ cmp %g7, 1
bne,pn %xcc, winfix_trampoline
- nop
+ mov %g3, %g4
ba,pt %xcc, etrap
rd %pc, %g7
call hugetlb_setup
Patches currently in stable-queue which might be from davem@xxxxxxxxxxxxx are
queue-3.16/sparc64-adjust-vmalloc-region-size-based-upon-available-virtual-address-bits.patch
queue-3.16/sparc64-fix-fpu-register-corruption-with-aes-crypto-offload.patch
queue-3.16/sparc64-move-request_irq-from-ldc_bind-to-ldc_alloc.patch
queue-3.16/sparc32-dma_alloc_coherent-must-honour-gfp-flags.patch
queue-3.16/sparc64-kill-unnecessary-tables-and-increase-max_banks.patch
queue-3.16/sparc-let-memset-return-the-address-argument.patch
queue-3.16/sparc64-use-kernel-page-tables-for-vmemmap.patch
queue-3.16/sparc64-sparse-irq.patch
queue-3.16/sparc64-fix-physical-memory-management-regressions-with-large-max_phys_bits.patch
queue-3.16/sparc64-fix-lockdep-warnings-on-reboot-on-ultra-5.patch
queue-3.16/sparc64-switch-to-4-level-page-tables.patch
queue-3.16/sparc64-sun4v-tlb-error-power-off-events.patch
queue-3.16/sparc-bpf_jit-fix-support-for-ldx-stx-mem-and-skf_ad_vlan_tag.patch
queue-3.16/sparc64-increase-size-of-boot-string-to-1024-bytes.patch
queue-3.16/sparc64-find_node-adjustment.patch
queue-3.16/sparc64-fix-reversed-start-end-in-flush_tlb_kernel_range.patch
queue-3.16/sparc64-increase-max_phys_address_bits-to-53.patch
queue-3.16/sparc64-define-va-hole-at-run-time-rather-than-at-compile-time.patch
queue-3.16/sparc64-fix-register-corruption-in-top-most-kernel-stack-frame-during-boot.patch
queue-3.16/sparc64-do-not-disable-interrupts-in-nmi_cpu_busy.patch
queue-3.16/sparc64-support-m6-and-m7-for-building-cpu-distribution-map.patch
queue-3.16/sparc64-cpu-hardware-caps-support-for-sparc-m6-and-m7.patch
queue-3.16/sparc64-do-not-define-thread-fpregs-save-area-as-zero-length-array.patch
queue-3.16/sparc-bpf_jit-fix-loads-from-negative-offsets.patch
queue-3.16/sparc64-t5-pmu.patch
queue-3.16/sparc64-adjust-ktsb-assembler-to-support-larger-physical-addresses.patch
queue-3.16/sparc64-implement-__get_user_pages_fast.patch
queue-3.16/sparc64-fix-corrupted-thread-fault-code.patch
queue-3.16/sparc64-fix-hibernation-code-refrence-to-page_offset.patch
queue-3.16/sparc64-correctly-recognise-m6-and-m7-cpu-type.patch
queue-3.16/sparc64-fix-pcr_ops-initialization-and-usage-bugs.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html