[PATCH v2 0/2] LKDTM powerpc enhancements - Part2

[PATCH v2 0/2] LKDTM powerpc enhancements - Part2

[Sayali Patil]

Hi all,

This series adds a new LKDTM trigger PPC_RADIX_TLBIEL, to validate
machine check handling on radix MMU systems and improves reliability of
the PPC_SLB_MULTIHIT test by adding isync instructions after slbmte
operations.

Please review the patches and provide any feedback or suggestions
for improvement.

Thanks,
Sayali

---

v1->v2
 - Split the patch series into two parts.
 - Updated "lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE
   validation" as per review comments:
   Wrapped Hash-MMU specific functions with #ifdef CONFIG_PPC_64S_HASH_MMU.
   Guarded powerpc_crashtypes registration with #ifdef CONFIG_PPC_BOOK3S_64
   Updated comment explaining the MCE trigger condition for radix MMU.

v1: https://lore.kernel.org/all/cover.1778057685.git.sayalip@linux.ibm.com/
---

Sayali Patil (2):
  lkdtm/powerpc: add isync after slbmte to enforce SLB update ordering
  lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE validation

 drivers/misc/lkdtm/Makefile             |  2 +-
 drivers/misc/lkdtm/core.c               |  2 +-
 drivers/misc/lkdtm/powerpc.c            | 49 +++++++++++++++++++++++++
 tools/testing/selftests/lkdtm/tests.txt |  1 +
 4 files changed, 52 insertions(+), 2 deletions(-)

-- 
2.52.0

[PATCH v2 1/2] lkdtm/powerpc: add isync after slbmte to enforce SLB update ordering

[Sayali Patil]

The slbmte instruction modifies the Segment Lookaside Buffer, but without
a context synchronizing operation the CPU is not guaranteed to observe
the updated SLB state for subsequent instructions. This can result in
use of stale translation state when memory is accessed immediately after
SLB modifications.

Add isync after each slbmte in the PPC_SLB_MULTIHIT test to ensure proper
ordering of SLB updates before subsequent memory accesses.

This aligns with Power ISA context synchronization requirements for changes
in address translation state and improves the reliability of SLB multihit
injection tests in hash MMU mode.

Suggested-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Sayali Patil <sayalip@linux.ibm.com>
---
 drivers/misc/lkdtm/powerpc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/misc/lkdtm/powerpc.c b/drivers/misc/lkdtm/powerpc.c
index be385449911a..ef07e5201edf 100644
--- a/drivers/misc/lkdtm/powerpc.c
+++ b/drivers/misc/lkdtm/powerpc.c
@@ -17,11 +17,14 @@ static void insert_slb_entry(unsigned long p, int ssize, int page_size)
 		     : "r" (mk_vsid_data(p, ssize, flags)),
 		       "r" (mk_esid_data(p, ssize, SLB_NUM_BOLTED))
 		     : "memory");
+	isync();
 
 	asm volatile("slbmte %0,%1" :
 			: "r" (mk_vsid_data(p, ssize, flags)),
 			  "r" (mk_esid_data(p, ssize, SLB_NUM_BOLTED + 1))
 			: "memory");
+	isync();
+
 	preempt_enable();
 }
 
@@ -84,6 +87,7 @@ static void insert_dup_slb_entry_0(void)
 			: "r" (vsid),
 			  "r" (esid | SLB_NUM_BOLTED)
 			: "memory");
+	isync();
 
 	asm volatile("slbmfee  %0,%1" : "=r" (esid) : "r" (i));
 	asm volatile("slbmfev  %0,%1" : "=r" (vsid) : "r" (i));
@@ -93,6 +97,7 @@ static void insert_dup_slb_entry_0(void)
 			: "r" (vsid),
 			  "r" (esid | (SLB_NUM_BOLTED + 1))
 			: "memory");
+	isync();
 
 	pr_info("%s accessing test address 0x%lx: 0x%lx\n",
 		__func__, test_address, *test_ptr);
-- 
2.52.0

Re: [PATCH v2 1/2] lkdtm/powerpc: add isync after slbmte to enforce SLB update ordering

[Ritesh Harjani]

Sayali Patil <sayalip@linux.ibm.com> writes:

> The slbmte instruction modifies the Segment Lookaside Buffer, but without
> a context synchronizing operation the CPU is not guaranteed to observe
> the updated SLB state for subsequent instructions. This can result in
> use of stale translation state when memory is accessed immediately after
> SLB modifications.
>
> Add isync after each slbmte in the PPC_SLB_MULTIHIT test to ensure proper
> ordering of SLB updates before subsequent memory accesses.
>
> This aligns with Power ISA context synchronization requirements for changes
> in address translation state and improves the reliability of SLB multihit
> injection tests in hash MMU mode.
>

Yup, CSI is required for before & after a slbmte. Given we are trying to
add duplicate slb entries, I think the isync()s added in this patch is
sufficient.

LGTM. Feel free to add:
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>


As Mpe added - This needs to be cc'd to Kees.

-> ./scripts/get_maintainer.pl -f drivers/misc/lkdtm/powerpc.c
Kees Cook <kees@kernel.org> (maintainer:LINUX KERNEL DUMP TEST MODULE (LKDTM))
Arnd Bergmann <arnd@arndb.de> (maintainer:CHAR and MISC DRIVERS)
Greg Kroah-Hartman <gregkh@linuxfoundation.org> (maintainer:CHAR and MISC DRIVERS)
linux-kernel@vger.kernel.org (open list)
CHAR and MISC DRIVERS status: Supported

-ritesh

[PATCH v2 2/2] lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE validation

[Sayali Patil]

Add a new LKDTM trigger (PPC_RADIX_TLBIEL) that executes a process-scoped
radix TLBIEL instruction to exercise the radix MMU behaviour and
associated machine check exception (MCE) handling paths.

This provides a way to validate MCE handling in radix mode. Currently,
there is no dedicated LKDTM test that exercises this path or allows
triggering radix-specific machine check behaviour for validation.

The test is only enabled on ppc64 systems with radix MMU
support and If radix is not active, the trigger is skipped and reported as
XFAIL.

Co-developed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Sayali Patil <sayalip@linux.ibm.com>
---
 drivers/misc/lkdtm/Makefile             |  2 +-
 drivers/misc/lkdtm/core.c               |  2 +-
 drivers/misc/lkdtm/powerpc.c            | 44 +++++++++++++++++++++++++
 tools/testing/selftests/lkdtm/tests.txt |  1 +
 4 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
index 03ebe33185f9..4e58d16fc01e 100644
--- a/drivers/misc/lkdtm/Makefile
+++ b/drivers/misc/lkdtm/Makefile
@@ -11,7 +11,7 @@ lkdtm-$(CONFIG_LKDTM)		+= usercopy.o
 lkdtm-$(CONFIG_LKDTM)		+= kstack_erase.o
 lkdtm-$(CONFIG_LKDTM)		+= cfi.o
 lkdtm-$(CONFIG_LKDTM)		+= fortify.o
-lkdtm-$(CONFIG_PPC_64S_HASH_MMU)	+= powerpc.o
+lkdtm-$(CONFIG_PPC_BOOK3S_64)	+= powerpc.o
 
 KASAN_SANITIZE_stackleak.o	:= n
 
diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 5732fd59a227..ededa32d6744 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -96,7 +96,7 @@ static const struct crashtype_category *crashtype_categories[] = {
 	&stackleak_crashtypes,
 	&cfi_crashtypes,
 	&fortify_crashtypes,
-#ifdef CONFIG_PPC_64S_HASH_MMU
+#ifdef CONFIG_PPC_BOOK3S_64
 	&powerpc_crashtypes,
 #endif
 };
diff --git a/drivers/misc/lkdtm/powerpc.c b/drivers/misc/lkdtm/powerpc.c
index ef07e5201edf..6eaac79ea26b 100644
--- a/drivers/misc/lkdtm/powerpc.c
+++ b/drivers/misc/lkdtm/powerpc.c
@@ -5,6 +5,7 @@
 #include <linux/vmalloc.h>
 #include <asm/mmu.h>
 
+#ifdef CONFIG_PPC_64S_HASH_MMU
 /* Inserts new slb entries */
 static void insert_slb_entry(unsigned long p, int ssize, int page_size)
 {
@@ -104,9 +105,35 @@ static void insert_dup_slb_entry_0(void)
 
 	preempt_enable();
 }
+#endif /* CONFIG_PPC_64S_HASH_MMU */
+
+static __always_inline void tlbiel_va(unsigned long va,
+				      unsigned long pid,
+				      unsigned long ap,
+				      unsigned long ric)
+{
+	unsigned long rb, rs, prs, r;
+
+	rb = va & ~(PPC_BITMASK(52, 63));
+	rb |= ap << PPC_BITLSHIFT(58);
+	rs = pid << PPC_BITLSHIFT(31);
+
+	prs = 1; /* process scoped */
+	r = 1;   /* radix format */
+
+	/*
+	 * Trigger an MCE by issuing radix tlbiel with an invalid operand combination.
+	 * The combination of RIC = 2 with IS = 0 (Invalidation selector specified
+	 * in the RB register) is invalid.
+	 * This invalid combination causes hardware to raise a machine check.
+	 */
+	asm volatile(PPC_TLBIEL(%0, %4, %3, %2, %1)
+			: : "r"(rb), "i"(r), "i"(prs), "i"(ric), "r"(rs) : "memory");
+}
 
 static void lkdtm_PPC_SLB_MULTIHIT(void)
 {
+#ifdef CONFIG_PPC_64S_HASH_MMU
 	if (!radix_enabled()) {
 		pr_info("Injecting SLB multihit errors\n");
 		/*
@@ -122,10 +149,27 @@ static void lkdtm_PPC_SLB_MULTIHIT(void)
 	} else {
 		pr_err("XFAIL: This test is for ppc64 and with hash mode MMU only\n");
 	}
+#else
+	pr_err("XFAIL: This test requires CONFIG_PPC_64S_HASH_MMU\n");
+#endif
+}
+
+static void lkdtm_PPC_RADIX_TLBIEL(void)
+{
+	unsigned long addr = PAGE_OFFSET;
+
+	if (radix_enabled()) {
+		pr_info("Injecting Radix TLB invalidation MCE\n");
+		tlbiel_va(addr, 0, 0, RIC_FLUSH_ALL);
+		pr_info("Recovered from radix tlbiel attempt\n");
+	} else {
+		pr_err("XFAIL: This test is for ppc64 and with radix mode MMU only\n");
+	}
 }
 
 static struct crashtype crashtypes[] = {
 	CRASHTYPE(PPC_SLB_MULTIHIT),
+	CRASHTYPE(PPC_RADIX_TLBIEL),
 };
 
 struct crashtype_category powerpc_crashtypes = {
diff --git a/tools/testing/selftests/lkdtm/tests.txt b/tools/testing/selftests/lkdtm/tests.txt
index 3245032db34d..d8180bbe31e8 100644
--- a/tools/testing/selftests/lkdtm/tests.txt
+++ b/tools/testing/selftests/lkdtm/tests.txt
@@ -86,3 +86,4 @@ FORTIFY_STR_MEMBER detected buffer overflow
 FORTIFY_MEM_OBJECT detected buffer overflow
 FORTIFY_MEM_MEMBER detected field-spanning write
 PPC_SLB_MULTIHIT Recovered
+#PPC_RADIX_TLBIEL Triggers unrecoverable MCE
-- 
2.52.0

Re: [PATCH v2 2/2] lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE validation

[Ritesh Harjani]

Sayali Patil <sayalip@linux.ibm.com> writes:

> Add a new LKDTM trigger (PPC_RADIX_TLBIEL) that executes a process-scoped
> radix TLBIEL instruction to exercise the radix MMU behaviour and
> associated machine check exception (MCE) handling paths.
>
> This provides a way to validate MCE handling in radix mode. Currently,
> there is no dedicated LKDTM test that exercises this path or allows
> triggering radix-specific machine check behaviour for validation.
>
> The test is only enabled on ppc64 systems with radix MMU
> support and If radix is not active, the trigger is skipped and reported as
> XFAIL.
>

yes, ISA states that RIC=2 and IS=0 is an invalid form of tlbiel causing
machine check.

It's good to have this test case which can test MCE handling while in
radix mmu mode for an invalid TLBIE[L] encoding.

Looks good to me. Feel free to add:
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>

Re: [PATCH v2 0/2] LKDTM powerpc enhancements - Part2

[Michael Ellerman]

On 18/5/2026 16:56, Sayali Patil wrote:
> Hi all,
> 
> This series adds a new LKDTM trigger PPC_RADIX_TLBIEL, to validate
> machine check handling on radix MMU systems and improves reliability of
> the PPC_SLB_MULTIHIT test by adding isync instructions after slbmte
> operations.
> 
> Please review the patches and provide any feedback or suggestions
> for improvement.
> 
> Thanks,
> Sayali
> 
> ---
> 
> v1->v2
>   - Split the patch series into two parts.
>   - Updated "lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE
>     validation" as per review comments:
>     Wrapped Hash-MMU specific functions with #ifdef CONFIG_PPC_64S_HASH_MMU.
>     Guarded powerpc_crashtypes registration with #ifdef CONFIG_PPC_BOOK3S_64
>     Updated comment explaining the MCE trigger condition for radix MMU.
> 
> v1: https://lore.kernel.org/all/cover.1778057685.git.sayalip@linux.ibm.com/
> ---
> 
> Sayali Patil (2):
>    lkdtm/powerpc: add isync after slbmte to enforce SLB update ordering
>    lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE validation
> 
>   drivers/misc/lkdtm/Makefile             |  2 +-
>   drivers/misc/lkdtm/core.c               |  2 +-
>   drivers/misc/lkdtm/powerpc.c            | 49 +++++++++++++++++++++++++
>   tools/testing/selftests/lkdtm/tests.txt |  1 +
>   4 files changed, 52 insertions(+), 2 deletions(-)

Both changes look good to me.

You should send them to Kees, who maintains lkdtm. I've added him to Cc, 
but that may not be sufficient to get his attention.

Reviewed-by: Michael Ellerman <mpe@kernel.org>

cheers

Re: [PATCH v2 0/2] LKDTM powerpc enhancements - Part2

[Sayali Patil]

On 18/05/26 17:28, Michael Ellerman wrote:
> On 18/5/2026 16:56, Sayali Patil wrote:
>> Hi all,
>>
>> This series adds a new LKDTM trigger PPC_RADIX_TLBIEL, to validate
>> machine check handling on radix MMU systems and improves reliability of
>> the PPC_SLB_MULTIHIT test by adding isync instructions after slbmte
>> operations.
>>
>> Please review the patches and provide any feedback or suggestions
>> for improvement.
>>
>> Thanks,
>> Sayali
>>
>> ---
>>
>> v1->v2
>>   - Split the patch series into two parts.
>>   - Updated "lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE
>>     validation" as per review comments:
>>     Wrapped Hash-MMU specific functions with #ifdef 
>> CONFIG_PPC_64S_HASH_MMU.
>>     Guarded powerpc_crashtypes registration with #ifdef 
>> CONFIG_PPC_BOOK3S_64
>>     Updated comment explaining the MCE trigger condition for radix MMU.
>>
>> v1: https://lore.kernel.org/all/ 
>> cover.1778057685.git.sayalip@linux.ibm.com/
>> ---
>>
>> Sayali Patil (2):
>>    lkdtm/powerpc: add isync after slbmte to enforce SLB update ordering
>>    lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE validation
>>
>>   drivers/misc/lkdtm/Makefile             |  2 +-
>>   drivers/misc/lkdtm/core.c               |  2 +-
>>   drivers/misc/lkdtm/powerpc.c            | 49 +++++++++++++++++++++++++
>>   tools/testing/selftests/lkdtm/tests.txt |  1 +
>>   4 files changed, 52 insertions(+), 2 deletions(-)
> 
> Both changes look good to me.
> 
> You should send them to Kees, who maintains lkdtm. I've added him to Cc, 
> but that may not be sufficient to get his attention.
> 
> Reviewed-by: Michael Ellerman <mpe@kernel.org>
> 
> cheers
> 
Thanks for the review, Michael!

Hi Kees,

Could you please review these patches and let me know if you have any 
comments?

Thanks,
Sayali

Re: [PATCH v2 0/2] LKDTM powerpc enhancements - Part2

[Kees Cook]

On Mon, 18 May 2026 12:26:03 +0530, Sayali Patil wrote:
> This series adds a new LKDTM trigger PPC_RADIX_TLBIEL, to validate
> machine check handling on radix MMU systems and improves reliability of
> the PPC_SLB_MULTIHIT test by adding isync instructions after slbmte
> operations.
> 
> Please review the patches and provide any feedback or suggestions
> for improvement.
> 
> [...]

Thanks for the CC! Yeah, with everyone's Acks this is fine by me.

Applied to for-next/hardening, thanks!

[1/2] lkdtm/powerpc: add isync after slbmte to enforce SLB update ordering
      https://git.kernel.org/kees/c/3f21a4426e6f
[2/2] lkdtm/powerpc: add PPC_RADIX_TLBIEL test for radix MCE validation
      https://git.kernel.org/kees/c/122b52f0bab0

Take care,

-- 
Kees Cook