From: <gregkh@linuxfoundation.org>
To: davem@davemloft.net, gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Subject: Patch "sparc64: Fix illegal relative branches in hypervisor patched TLB code." has been added to the 4.8-stable tree
Date: Sat, 19 Nov 2016 09:53:59 +0100	[thread overview]
Message-ID: <147954563922855@kroah.com> (raw)


This is a note to let you know that I've just added the patch titled

    sparc64: Fix illegal relative branches in hypervisor patched TLB code.

to the 4.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     sparc64-fix-illegal-relative-branches-in-hypervisor-patched-tlb-code.patch
and it can be found in the queue-4.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Sat Nov 19 09:52:59 CET 2016
From: "David S. Miller" <davem@davemloft.net>
Date: Tue, 25 Oct 2016 16:23:26 -0700
Subject: sparc64: Fix illegal relative branches in hypervisor patched TLB code.

From: "David S. Miller" <davem@davemloft.net>


[ Upstream commit b429ae4d5b565a71dfffd759dfcd4f6c093ced94 ]

When we copy code over to patch another piece of code, we can only use
PC-relative branches that target code within that piece of code.

Such PC-relative branches cannot be made to external symbols because
the patch moves the location of the code and thus modifies the
relative address of external symbols.

Use an absolute jmpl to fix this problem.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/mm/ultra.S |   65 +++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 51 insertions(+), 14 deletions(-)

--- a/arch/sparc/mm/ultra.S
+++ b/arch/sparc/mm/ultra.S
@@ -30,7 +30,7 @@
 	.text
 	.align		32
 	.globl		__flush_tlb_mm
-__flush_tlb_mm:		/* 18 insns */
+__flush_tlb_mm:		/* 19 insns */
 	/* %o0=(ctx & TAG_CONTEXT_BITS), %o1=SECONDARY_CONTEXT */
 	ldxa		[%o1] ASI_DMMU, %g2
 	cmp		%g2, %o0
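Review bot: The instruction count on `__flush_tlb_mm` goes from 18 to 19 without any instruction being added in this hunk, and `__flush_tlb_pending` (26 to 27) is bumped the same way. By contrast, `__flush_tlb_kernel_range` gets three explicit `nop`s for its 16 to 19 change. The ends of both functions lie outside the hunks, so it cannot be confirmed from here that each already has the room. If the extra slot is only the `.align 32` padding before the next routine, the 19- and 27-instruction copies made through `tlb_patch_one` rely on that padding staying in place. Either add the matching `nop` to each routine or state the dependency in the comment, e.g. `/* 18 insns, patched with 19: last slot is .align 32 padding */`.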
@@ -81,7 +81,7 @@ __flush_tlb_page:	/* 22 insns */
 
 	.align		32
 	.globl		__flush_tlb_pending
-__flush_tlb_pending:	/* 26 insns */
+__flush_tlb_pending:	/* 27 insns */
 	/* %o0 = context, %o1 = nr, %o2 = vaddrs[] */
 	rdpr		%pstate, %g7
 	sllx		%o1, 3, %o1
@@ -113,7 +113,7 @@ __flush_tlb_pending:	/* 26 insns */
 
 	.align		32
 	.globl		__flush_tlb_kernel_range
-__flush_tlb_kernel_range:	/* 16 insns */
+__flush_tlb_kernel_range:	/* 19 insns */
 	/* %o0=start, %o1=end */
 	cmp		%o0, %o1
 	be,pn		%xcc, 2f
@@ -131,6 +131,9 @@ __flush_tlb_kernel_range:	/* 16 insns */
 	retl
 	 nop
 	nop
+	nop
+	nop
+	nop
 
 __spitfire_flush_tlb_mm_slow:
 	rdpr		%pstate, %g1
@@ -309,19 +312,28 @@ __hypervisor_tlb_tl0_error:
 	ret
 	 restore
 
-__hypervisor_flush_tlb_mm: /* 10 insns */
+__hypervisor_flush_tlb_mm: /* 19 insns */
 	mov		%o0, %o2	/* ARG2: mmu context */
 	mov		0, %o0		/* ARG0: CPU lists unimplemented */
 	mov		0, %o1		/* ARG1: CPU lists unimplemented */
 	mov		HV_MMU_ALL, %o3	/* ARG3: flags */
 	mov		HV_FAST_MMU_DEMAP_CTX, %o5
 	ta		HV_FAST_TRAP
-	brnz,pn		%o0, __hypervisor_tlb_tl0_error
+	brnz,pn		%o0, 1f
 	 mov		HV_FAST_MMU_DEMAP_CTX, %o1
 	retl
 	 nop
+1:	sethi		%hi(__hypervisor_tlb_tl0_error), %o5
+	jmpl		%o5 + %lo(__hypervisor_tlb_tl0_error), %g0
+	 nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
 
-__hypervisor_flush_tlb_page: /* 11 insns */
+__hypervisor_flush_tlb_page: /* 22 insns */
 	/* %o0 = context, %o1 = vaddr */
 	mov		%o0, %g2
 	mov		%o1, %o0              /* ARG0: vaddr + IMMU-bit */
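Review bot: The new `1:` error path carries no comment saying why it uses `sethi`/`jmpl` rather than a branch, and the same is true of the identical sequences added to `__hypervisor_flush_tlb_page`, `__hypervisor_flush_tlb_pending` and `__hypervisor_flush_tlb_kernel_range`. Without it, a later cleanup could fold the sequence back into `brnz,pn %o0, __hypervisor_tlb_tl0_error`, which is the form that breaks once the routine is copied to another address. A one-line comment above the label would do: `/* Copied by tlb_patch_one: only absolute jumps may leave this block. */`. It is also worth noting there that the trailing `nop`s pad the routine to the patched length of 19 instructions.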
@@ -330,10 +342,21 @@ __hypervisor_flush_tlb_page: /* 11 insns
 	srlx		%o0, PAGE_SHIFT, %o0
 	sllx		%o0, PAGE_SHIFT, %o0
 	ta		HV_MMU_UNMAP_ADDR_TRAP
-	brnz,pn		%o0, __hypervisor_tlb_tl0_error
+	brnz,pn		%o0, 1f
 	 mov		HV_MMU_UNMAP_ADDR_TRAP, %o1
 	retl
 	 nop
+1:	sethi		%hi(__hypervisor_tlb_tl0_error), %o2
+	jmpl		%o2 + %lo(__hypervisor_tlb_tl0_error), %g0
+	 nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
 
 __hypervisor_flush_tlb_pending: /* 16 insns */
 	/* %o0 = context, %o1 = nr, %o2 = vaddrs[] */
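Review bot: The context line for `__hypervisor_flush_tlb_pending` at the end of this hunk still reads `/* 16 insns */`, although the commit grows that routine by eleven instructions and `hypervisor_patch_cachetlbops` now copies 27. The other three hypervisor routines had their counts updated (19, 22, 19), so this one looks missed. Change it to `__hypervisor_flush_tlb_pending: /* 27 insns */` so the comment matches the length passed to `tlb_patch_one`.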
@@ -347,14 +370,25 @@ __hypervisor_flush_tlb_pending: /* 16 in
 	srlx		%o0, PAGE_SHIFT, %o0
 	sllx		%o0, PAGE_SHIFT, %o0
 	ta		HV_MMU_UNMAP_ADDR_TRAP
-	brnz,pn		%o0, __hypervisor_tlb_tl0_error
+	brnz,pn		%o0, 1f
 	 mov		HV_MMU_UNMAP_ADDR_TRAP, %o1
 	brnz,pt		%g1, 1b
 	 nop
 	retl
 	 nop
+1:	sethi		%hi(__hypervisor_tlb_tl0_error), %o2
+	jmpl		%o2 + %lo(__hypervisor_tlb_tl0_error), %g0
+	 nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
 
-__hypervisor_flush_tlb_kernel_range: /* 16 insns */
+__hypervisor_flush_tlb_kernel_range: /* 19 insns */
 	/* %o0=start, %o1=end */
 	cmp		%o0, %o1
 	be,pn		%xcc, 2f
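Review bot: In `__hypervisor_flush_tlb_pending` the added error label reuses the number `1`, so `brnz,pn %o0, 1f` and `brnz,pt %g1, 1b`, two lines apart, refer to different places. The assembler resolves this correctly, since `1b` binds to the nearest earlier `1:` (presumably the loop head, which is above the hunk), but it is easy to misread during review. `__hypervisor_flush_tlb_kernel_range` uses a distinct `3:` for the same purpose. Doing likewise here, `brnz,pn %o0, 2f` with `2: sethi %hi(__hypervisor_tlb_tl0_error), %o2`, keeps the loop and error targets apart.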
@@ -366,12 +400,15 @@ __hypervisor_flush_tlb_kernel_range: /*
 	mov		0, %o1		/* ARG1: mmu context */
 	mov		HV_MMU_ALL, %o2	/* ARG2: flags */
 	ta		HV_MMU_UNMAP_ADDR_TRAP
-	brnz,pn		%o0, __hypervisor_tlb_tl0_error
+	brnz,pn		%o0, 3f
 	 mov		HV_MMU_UNMAP_ADDR_TRAP, %o1
 	brnz,pt		%g2, 1b
 	 sub		%g2, %g3, %g2
 2:	retl
 	 nop
+3:	sethi		%hi(__hypervisor_tlb_tl0_error), %o2
+	jmpl		%o2 + %lo(__hypervisor_tlb_tl0_error), %g0
+	 nop
 
 #ifdef DCACHE_ALIASING_POSSIBLE
 	/* XXX Niagara and friends have an 8K cache, so no aliasing is
@@ -819,28 +856,28 @@ hypervisor_patch_cachetlbops:
 	sethi		%hi(__hypervisor_flush_tlb_mm), %o1
 	or		%o1, %lo(__hypervisor_flush_tlb_mm), %o1
 	call		tlb_patch_one
-	 mov		10, %o2
+	 mov		19, %o2
 
 	sethi		%hi(__flush_tlb_page), %o0
 	or		%o0, %lo(__flush_tlb_page), %o0
 	sethi		%hi(__hypervisor_flush_tlb_page), %o1
 	or		%o1, %lo(__hypervisor_flush_tlb_page), %o1
 	call		tlb_patch_one
-	 mov		11, %o2
+	 mov		22, %o2
 
 	sethi		%hi(__flush_tlb_pending), %o0
 	or		%o0, %lo(__flush_tlb_pending), %o0
 	sethi		%hi(__hypervisor_flush_tlb_pending), %o1
 	or		%o1, %lo(__hypervisor_flush_tlb_pending), %o1
 	call		tlb_patch_one
-	 mov		16, %o2
+	 mov		27, %o2
 
 	sethi		%hi(__flush_tlb_kernel_range), %o0
 	or		%o0, %lo(__flush_tlb_kernel_range), %o0
 	sethi		%hi(__hypervisor_flush_tlb_kernel_range), %o1
 	or		%o1, %lo(__hypervisor_flush_tlb_kernel_range), %o1
 	call		tlb_patch_one
-	 mov		16, %o2
+	 mov		19, %o2
 
 #ifdef DCACHE_ALIASING_POSSIBLE
 	sethi		%hi(__flush_dcache_page), %o0
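Review bot: The four copy lengths passed to `tlb_patch_one` (`mov 19, %o2`, `mov 22, %o2`, `mov 27, %o2`, `mov 19, %o2`) are bare literals that must agree with hand-counted comments on both the source and destination routines. A count that is too small would leave the trailing `jmpl` sequence uncopied, and one that is too large would presumably write past the destination routine; nothing at build time catches either. Since the file is preprocessed, a shared define per routine would tie the numbers together, e.g. `#define HV_FLUSH_TLB_MM_INSNS 19` (the name is only a suggestion), used as `mov HV_FLUSH_TLB_MM_INSNS, %o2` and referenced in the label comments. The enclosing `hypervisor_patch_cachetlbops` starts and ends outside the hunk.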


Patches currently in stable-queue which might be from davem@davemloft.net are

queue-4.8/sparc64-delete-now-unused-user-copy-fixup-functions.patch
queue-4.8/net-__skb_flow_dissect-must-cap-its-return-value.patch
queue-4.8/tcp-take-care-of-truncations-done-by-sk_filter.patch
queue-4.8/net-clear-sk_err_soft-in-sk_clone_lock.patch
queue-4.8/dccp-do-not-release-listeners-too-soon.patch
queue-4.8/sparc64-convert-copy_in_user-to-accurate-exception-reporting.patch
queue-4.8/net-stmmac-fix-lack-of-link-transition-for-fixed-phys.patch
queue-4.8/sparc64-handle-extremely-large-kernel-tlb-range-flushes-more-gracefully.patch
queue-4.8/sparc-handle-negative-offsets-in-arch_jump_label_transform.patch
queue-4.8/sparc64-delete-__ret_efault.patch
queue-4.8/dctcp-avoid-bogus-doubling-of-cwnd-after-loss.patch
queue-4.8/sparc64-delete-now-unused-user-copy-assembler-helpers.patch
queue-4.8/revert-bnx2-reset-device-during-driver-initialization.patch
queue-4.8/net-mangle-zero-checksum-in-skb_checksum_help.patch
queue-4.8/revert-include-uapi-linux-atm_zatm.h-include-linux-time.h.patch
queue-4.8/ipv4-allow-local-fragmentation-in-ip_finish_output_gso.patch
queue-4.8/tcp-fix-return-value-for-partial-writes.patch
queue-4.8/ip6_tunnel-clear-ip6cb-in-ip6tunnel_xmit.patch
queue-4.8/sctp-assign-assoc_id-earlier-in-__sctp_connect.patch
queue-4.8/sparc64-convert-ng4copy_-from-to-_user-to-accurate-exception-reporting.patch
queue-4.8/bpf-fix-htab-map-destruction-when-extra-reserve-is-in-use.patch
queue-4.8/ipv6-dccp-fix-out-of-bound-access-in-dccp_v6_err.patch
queue-4.8/sparc64-convert-u3copy_-from-to-_user-to-accurate-exception-reporting.patch
queue-4.8/sparc64-convert-ng2copy_-from-to-_user-to-accurate-exception-reporting.patch
queue-4.8/sparc64-fix-illegal-relative-branches-in-hypervisor-patched-tlb-code.patch
queue-4.8/sparc64-convert-gencopy_-from-to-_user-to-accurate-exception-reporting.patch
queue-4.8/sparc64-convert-u1copy_-from-to-_user-to-accurate-exception-reporting.patch
queue-4.8/sctp-change-sk-state-only-when-it-has-assocs-in-sctp_shutdown.patch
queue-4.8/sparc64-prepare-to-move-to-more-saner-user-copy-exception-handling.patch
queue-4.8/bnx2-wait-for-in-flight-dma-to-complete-at-probe-stage.patch
queue-4.8/bgmac-stop-clearing-dma-receive-control-register-right-after-it-is-set.patch
queue-4.8/ipv6-dccp-add-missing-bind_conflict-to-dccp_ipv6_mapped.patch
queue-4.8/tcp-fix-potential-memory-corruption.patch
queue-4.8/sparc64-convert-ngcopy_-from-to-_user-to-accurate-exception-reporting.patch
queue-4.8/fib_trie-correct-proc-net-route-off-by-one-error.patch
queue-4.8/mlxsw-spectrum_router-correctly-dump-neighbour-activity.patch
queue-4.8/sparc64-fix-illegal-relative-branches-in-hypervisor-patched-tlb-cross-call-code.patch
queue-4.8/mlxsw-spectrum-fix-refcount-bug-on-span-entries.patch
queue-4.8/sparc64-handle-extremely-large-kernel-tsb-range-flushes-sanely.patch
queue-4.8/sparc64-fix-instruction-count-in-comment-for-__hypervisor_flush_tlb_pending.patch
queue-4.8/dccp-do-not-send-reset-to-already-closed-sockets.patch
queue-4.8/ipv4-use-new_gw-for-redirect-neigh-lookup.patch
queue-4.8/net-icmp6_send-should-use-dst-dev-to-determine-l3-domain.patch
queue-4.8/dccp-fix-out-of-bound-access-in-dccp_v4_err.patch
queue-4.8/net-icmp_route_lookup-should-use-rt-dev-to-determine-l3-domain.patch
queue-4.8/sock-fix-sendmmsg-for-partial-sendmsg.patch
