From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=4tZY=PN=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-9.4 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id CCB81C43387
	for <stable@archiver.kernel.org>; Sat,  5 Jan 2019 15:29:55 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 8C145206B6
	for <stable@archiver.kernel.org>; Sat,  5 Jan 2019 15:29:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=default; t=1546702195;
	bh=MrMdrkWpqh1DwouxbNc/JX9c9E3Ms89Rs/pAltBd+q0=;
	h=Subject:To:Cc:From:Date:List-ID:From;
	b=Xgj0JbItYEhMwf8vxNryrfXmx6jfnNfJNQq7FBt0AtyPRYyGbWaiGhmBTLSApQj/i
	 lSM2Z17OGIyfvL3kMNi+nUAS1m0s8qziiIpw3Nswf+kP9BDGN9q8cp2kkoNqP4l911
	 2Cpqye4/05QT8GoOZST6wZb8BReuMZ3G5HdI6GBU=
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726200AbfAEP3z (ORCPT <rfc822;stable@archiver.kernel.org>);
        Sat, 5 Jan 2019 10:29:55 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:48265 "EHLO
        out1-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726276AbfAEP3y (ORCPT
        <rfc822;stable@vger.kernel.org>); Sat, 5 Jan 2019 10:29:54 -0500
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46])
        by mailout.nyi.internal (Postfix) with ESMTP id ADCD522070;
        Sat,  5 Jan 2019 10:29:53 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
  by compute6.internal (MEProxy); Sat, 05 Jan 2019 10:29:53 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
        messagingengine.com; h=cc:content-transfer-encoding:content-type
        :date:from:message-id:mime-version:subject:to:x-me-proxy
        :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=t8YiU8
        03qfJf34KrNmOV8mKSuV00apKjSKKprjh17oo=; b=ihzwjp68To7j+WidiTpTwy
        ML/OfcHmVdX4Mhqh6y+UaF5fWUzmAg6dSJiUzh65a5Bp3m/jktZpzpp23DF1wGWT
        XLzWUT0HI2Scym+9joipPNkyctDQftRu+9f+Im+kcTjiHmDQ3rUjKrwp7fGxAlbf
        2r3/QEEQK+rhyFx5EixGkhY9d8SoQZ+eqfBtWM4rQpQngvN3kOu0apc/hicchprf
        LlRyP5/BjHPBboqsjf/FzHAFkUadONLx6slhewh1OuRiiMmyNcMUXDC0LiIYynW8
        w8H+ktLmGXArDpHCS26ntNnhDamedOOPOaOw5MGTUJxsSK+u/mZ83bU6c0M41MNg
        ==
X-ME-Sender: <xms:cc0wXIH3o7czlcMx5dcqEKBp95NSJ0iSt21TTIbxW8T89iswrWmQDg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledrvdefgdejkeculddtuddrgedtkedrtddtmd
    cutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfhuthen
    uceurghilhhouhhtmecufedttdenucenucfjughrpefuvffhfffkgggtgfesthekredttd
    dtlfenucfhrhhomhepoehgrhgvghhkhheslhhinhhugihfohhunhgurghtihhonhdrohhr
    gheqnecukfhppedukeekrdekledrudefhedrkeejnecurfgrrhgrmhepmhgrihhlfhhroh
    hmpehgrhgvgheskhhrohgrhhdrtghomhenucevlhhushhtvghrufhiiigvpedu
X-ME-Proxy: <xmx:cc0wXIlR-aH6Uq2xWMDkIXVhR28xVRwz1qy69gK21ehpHJQzU56Iuw>
    <xmx:cc0wXG1MvMTH3LvGAGgI7pZhUv04VO_hfXUw9Bu70voanmMkSMBeUA>
    <xmx:cc0wXGxYrpQGbfw5wwavA49IPMR8KWM7CLRql6k0225zqtL4SoR2eQ>
    <xmx:cc0wXDvO8TsefLZvSIZQUe2CHjPOrHD7sDOLclYPDErqsokzFNLaWg>
Received: from localhost (unknown [188.89.135.87])
        by mail.messagingengine.com (Postfix) with ESMTPA id E59EE10087;
        Sat,  5 Jan 2019 10:29:52 -0500 (EST)
Subject: FAILED: patch "[PATCH] KVM: PPC: Book3S HV: Fix race between kvm_unmap_hva_range and" failed to apply to 4.19-stable tree
To:     paulus@ozlabs.org
Cc:     <stable@vger.kernel.org>
From:   <gregkh@linuxfoundation.org>
Date:   Sat, 05 Jan 2019 16:29:51 +0100
Message-ID: <1546702191223101@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org


The patch below does not apply to the 4.19-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From 234ff0b729ad882d20f7996591a964965647addf Mon Sep 17 00:00:00 2001
From: Paul Mackerras <paulus@ozlabs.org>
Date: Fri, 16 Nov 2018 21:28:18 +1100
Subject: [PATCH] KVM: PPC: Book3S HV: Fix race between kvm_unmap_hva_range and
 MMU mode switch

Testing has revealed an occasional crash which appears to be caused
by a race between kvmppc_switch_mmu_to_hpt and kvm_unmap_hva_range_hv.
The symptom is a NULL pointer dereference in __find_linux_pte() called
from kvm_unmap_radix() with kvm->arch.pgtable == NULL.

Looking at kvmppc_switch_mmu_to_hpt(), it does indeed clear
kvm->arch.pgtable (via kvmppc_free_radix()) before setting
kvm->arch.radix to NULL, and there is nothing to prevent
kvm_unmap_hva_range_hv() or the other MMU callback functions from
being called concurrently with kvmppc_switch_mmu_to_hpt() or
kvmppc_switch_mmu_to_radix().

This patch therefore adds calls to spin_lock/unlock on the kvm->mmu_lock
around the assignments to kvm->arch.radix, and makes sure that the
partition-scoped radix tree or HPT is only freed after changing
kvm->arch.radix.

This also takes the kvm->mmu_lock in kvmppc_rmap_reset() to make sure
that the clearing of each rmap array (one per memslot) doesn't happen
concurrently with use of the array in the kvm_unmap_hva_range_hv()
or the other MMU callbacks.

Fixes: 18c3640cefc7 ("KVM: PPC: Book3S HV: Add infrastructure for running HPT guests on radix host")
Cc: stable@vger.kernel.org # v4.15+
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>

diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c
index c615617e78ac..a18afda3d0f0 100644
--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c
+++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c
@@ -743,12 +743,15 @@ void kvmppc_rmap_reset(struct kvm *kvm)
 	srcu_idx = srcu_read_lock(&kvm->srcu);
 	slots = kvm_memslots(kvm);
 	kvm_for_each_memslot(memslot, slots) {
+		/* Mutual exclusion with kvm_unmap_hva_range etc. */
+		spin_lock(&kvm->mmu_lock);
 		/*
 		 * This assumes it is acceptable to lose reference and
 		 * change bits across a reset.
 		 */
 		memset(memslot->arch.rmap, 0,
 		       memslot->npages * sizeof(*memslot->arch.rmap));
+		spin_unlock(&kvm->mmu_lock);
 	}
 	srcu_read_unlock(&kvm->srcu, srcu_idx);
 }
diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index a56f8413758a..ab43306c4ea1 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -4532,12 +4532,15 @@ int kvmppc_switch_mmu_to_hpt(struct kvm *kvm)
 {
 	if (nesting_enabled(kvm))
 		kvmhv_release_all_nested(kvm);
+	kvmppc_rmap_reset(kvm);
+	kvm->arch.process_table = 0;
+	/* Mutual exclusion with kvm_unmap_hva_range etc. */
+	spin_lock(&kvm->mmu_lock);
+	kvm->arch.radix = 0;
+	spin_unlock(&kvm->mmu_lock);
 	kvmppc_free_radix(kvm);
 	kvmppc_update_lpcr(kvm, LPCR_VPM1,
 			   LPCR_VPM1 | LPCR_UPRT | LPCR_GTSE | LPCR_HR);
-	kvmppc_rmap_reset(kvm);
-	kvm->arch.radix = 0;
-	kvm->arch.process_table = 0;
 	return 0;
 }
 
@@ -4549,12 +4552,14 @@ int kvmppc_switch_mmu_to_radix(struct kvm *kvm)
 	err = kvmppc_init_vm_radix(kvm);
 	if (err)
 		return err;
-
+	kvmppc_rmap_reset(kvm);
+	/* Mutual exclusion with kvm_unmap_hva_range etc. */
+	spin_lock(&kvm->mmu_lock);
+	kvm->arch.radix = 1;
+	spin_unlock(&kvm->mmu_lock);
 	kvmppc_free_hpt(&kvm->arch.hpt);
 	kvmppc_update_lpcr(kvm, LPCR_UPRT | LPCR_GTSE | LPCR_HR,
 			   LPCR_VPM1 | LPCR_UPRT | LPCR_GTSE | LPCR_HR);
-	kvmppc_rmap_reset(kvm);
-	kvm->arch.radix = 1;
 	return 0;
 }