- 13 Apr, 2023 8 commits
-
-
Heiko Carstens authored
Given that set_memory_rox() and set_memory_rwnx() exist, it is possible to get rid of all open coded __set_memory() usages and replace them with proper helper calls everywhere. Reviewed-by:
Alexander Gordeev <agordeev@linux.ibm.com> Signed-off-by:
Heiko Carstens <hca@linux.ibm.com> Signed-off-by:
Vasily Gorbik <gor@linux.ibm.com>
-
Heiko Carstens authored
Given that set_memory_rox() is implemented, provide also set_memory_rwnx(). This allows to get rid of all open coded __set_memory() usages in s390 architecture code. Reviewed-by:
-
Heiko Carstens authored
Provide the s390 specific native set_memory_rox() implementation to avoid frequent set_memory_ro(); set_memory_x() call pairs. This is the s390 variant of commit 60463628 ("x86/mm: Implement native set_memory_rox()"). Reviewed-by:
-
Nico Boehr authored
Diag 308 subcodes expect a physical address as their parameter. This currently is not a bug, but in the future physical and virtual addresses might differ. Fix the confusion by doing a virtual-to-physical conversion in the exported diag308() and leave the assembly wrapper __diag308() alone. Note that several callers pass NULL as addr, so check for the case when NULL is passed and pass 0 to hardware since virt_to_phys(0) might be nonzero. Suggested-by:
Marc Hartmayer <mhartmay@linux.ibm.com> Signed-off-by:
Nico Boehr <nrb@linux.ibm.com> Signed-off-by:
-
Heiko Carstens authored
Randomize the load address of modules in the kernel to make KASLR effective for modules. This is the s390 variant of commit e2b32e67 ("x86, kaslr: randomize module base load address"). Reviewed-by:
-
Heiko Carstens authored
Just like other architectures provide a kaslr_enabled() function, instead of directly accessing a global variable. Also pass the renamed __kaslr_enabled variable from the decompressor to the kernel, so that kalsr_enabled() is available there too. This will be used by a subsequent patch which randomizes the module base load address. Reviewed-by:
-
Heiko Carstens authored
Signed-off-by:
-
Heiko Carstens authored
Commit dfe843dc ("s390/checksum: support GENERIC_CSUM, enable it for KASAN") switched s390 to use the generic checksum functions, so that KASAN instrumentation also works checksum functions by avoiding architecture specific inline assemblies. There is however the problem that the generic csum_partial() function returns a 32 bit value with a 16 bit folded checksum, while the original s390 variant does not fold to 16 bit. This in turn causes that the ipib_checksum in lowcore contains different values depending on kernel config options. The ipib_checksum is used by system dumpers to verify if pointers in lowcore point to valid data. Verification is done by comparing checksum values. The system dumpers still use 32 bit checksum values which are not folded, and therefore the checksum verification fails (incorrectly). Symptom is that reboot after dump does not work anymore when a KASAN instrumented kernel is dumped. Fix this by not using the generic checksum implementation. Instead add an explicit kasan_check_read() so that KASAN knows about the read access from within the inline assembly. Reported-by:
Alexander Egorenkov <egorenar@linux.ibm.com> Fixes: dfe843dc ("s390/checksum: support GENERIC_CSUM, enable it for KASAN") Tested-by:
-
- 04 Apr, 2023 20 commits
-
-
Heiko Carstens authored
Add support for the stackleak feature. Whenever the kernel returns to user space the kernel stack is filled with a poison value. Enabling this feature is quite expensive: e.g. after instrumenting the getpid() system call function to have a 4kb stack the result is an increased runtime of the system call by a factor of 3. Reviewed-by:
-
Heiko Carstens authored
As preparation for the stackleak feature move on_thread_stack() to processor.h like x86. Also make it __always_inline, and slightly optimize it by reading current task's kernel stack pointer from lowcore. Reviewed-by:
-
Heiko Carstens authored
Allocate early async stack like other early stacks and get rid of arch_early_irq_init(). This way the async stack is allocated earlier, and handled like all other stacks. Reviewed-by:
-
Heiko Carstens authored
There is no user left of call_on_stack_noreturn() - remove it. Reviewed-by:
-
Heiko Carstens authored
s390 is the only architecture which switches from the initial stack to a later on allocated different stack for the first process. This is (at least) problematic for the stackleak feature, which instruments functions to save the current stackpointer within the task structure of the running process. The stackleak code compares stack pointers of the current process - and doesn't expect that the kernel stack of a task can change. Even though the stackleak feature itself will not cause any harm, the assumption about kernel stacks being consistent is there, and only s390 doesn't follow that. Therefore switch back to use init_thread_union, just like all other architectures. Reviewed-by:
-
Heiko Carstens authored
Make sure the lowcore kernel stack pointer reflects the kernel stack of the current task as early as possible, instead of having a NULL pointer there. Reviewed-by:
-
Heiko Carstens authored
Make STACK_INIT_OFFSET also available for assembler code, and use it everywhere instead of open-coding it at several places. Reviewed-by:
-
Heiko Carstens authored
The pattern for all in_<type>_stack() functions is the same; especially also the size of all stacks is the same. Simplify the code by passing only the stack address to the generic in_stack() helper, which then can assume a THREAD_SIZE sized stack. Reviewed-by:
-
Harald Freudenberger authored
The preparation of the key data struct for a CCA RSA ME operation had some improvement to skip leading zeros in the key's exponent. However, all supported CCA cards nowadays support leading zeros in key tokens. So for simplifying the CCA key preparing code, this patch simply removes this optimization code. Signed-off-by:
Harald Freudenberger <freude@linux.ibm.com> Reviewed-by:
Juergen Christ <jchrist@linux.ibm.com> Reviewed-by:
Holger Dengler <dengler@linux.ibm.com> Signed-off-by:
-
Harald Freudenberger authored
There was some ancient code which padded the results of a clear key ME or CRT operation with some PKCS 1.2 header. According to the comment this was only needed by crypto cards older than the CEX2. These cards are not supported any more and so this patch removes this obscure result padding code. Signed-off-by:
-
Vasily Gorbik authored
Currently, exception tables are marked as ro_after_init. However, since they are sorted during compile time using scripts/sorttable, they can be moved to RO_DATA using the RO_EXCEPTION_TABLE_ALIGN macro, which is specifically designed for this purpose. Suggested-by:
-
Vasily Gorbik authored
Since commit 4efd417f ("s390: raise minimum supported machine generation to z10"), the long-displacement facility is assumed and required for the kernel. Clean up a couple of places in the entry code, where long-displacement could be used directly instead of using a base register. However, there are still a few other places where a base register has to be used to extend short-displacement for the second lowcore page access. Notably, boot/head.S still has to be built for z900, and in mcck_int_handler, spt and lbear, which don't have long-displacements, but need to access save areas at the second lowcore page. Reviewed-by:
-
Vasily Gorbik authored
Heiko Carstens says: =================== There are a couple of oddities within the s390 uaccess library functions. Therefore cleanup the whole uaccess.c file. There is no functional change, only improved readability. The output of "objdump -Dr" was always compared before/after each patch to make sure that the generated object file is identical, if that could be expected. Therefore the series also includes more patches than really required to cleanup the code. Furthermore the kunit usercopy tests also still pass. =================== Signed-off-by: -
Heiko Carstens authored
In order to get uaccess.c (nearly) checkpatch warning free remove an extra blank line: CHECK: Blank lines aren't necessary before a close brace '}' + +} Reviewed-by:
Gerald Schaefer <gerald.schaefer@linux.ibm.com> Signed-off-by:
-
Heiko Carstens authored
Get rid of the not needed val local variable and pass the constant value directly as operand value. In addition this turns the val operand into an input operand, since it is not changed within the inline assemblies. This in turn requires also to add the earlyclobber contraint modifier to all output operands, since the (former) val operand is used after all output variants have been modified. The usercopy kunit tests still pass after this change. Reviewed-by:
-
Heiko Carstens authored
Rename tmp1 and tmp2 variables to more meaningful val (for value) and rem (for remainder). Except for debug sections the output of "objdump -Dr" of the uaccess object file is identical before/after this change. Reviewed-by:
-
Heiko Carstens authored
Reviewed-by:
-
Heiko Carstens authored
Rename and sort labels in uaccess inline assemblies to increase readability. In addition have only one EX_TABLE entry per line - also to increase readability. Except for debug sections the output of "objdump -Dr" of the uaccess object file is identical before/after this change. Reviewed-by:
-
Heiko Carstens authored
Remove an unused label in all three uaccess inline assemblies. Reviewed-by:
-
Heiko Carstens authored
Improve readability of the uaccess inline assemblies by using symbolic names for all input and output operands. Except for debug sections the output of "objdump -Dr" of the uaccess object file is identical before/after this change. Reviewed-by:
-
- 27 Mar, 2023 4 commits
-
-
Heiko Carstens authored
Add missing earlyclobber annotation to size, to, and tmp2 operands of the __clear_user() inline assembly since they are modified or written to before the last usage of all input operands. This can lead to incorrect register allocation for the inline assembly. Fixes: 6c2a9e6d ("[S390] Use alternative user-copy operations for new hardware.") Reported-by:
Mark Rutland <mark.rutland@arm.com> Link: https://lore.kernel.org/all/20230321122514.1743889-3-mark.rutland@arm.com/ Cc: stable@vger.kernel.org Reviewed-by:
-
Lizhe authored
If there is no driver match function, the driver core assumes that each candidate pair (driver, device) matches, see driver_match_device(). Drop the matrix bus's match function that always returned 1 and so implements the same behaviour as when there is no match function Signed-off-by:
Lizhe <sensor1010@163.com> Reviewed-by:
Tony Krowiak <akrowiak@linux.ibm.com> Link: https://lore.kernel.org/r/20230319041941.259830-1-sensor1010@163.comSigned-off-by:
-
Heiko Carstens authored
s390 trivially supports the ARCH_HAS_MEMBARRIER_SYNC_CORE requirements since the used lpswe(y) instruction to return from any kernel context to user space performs CPU serialization. This is very similar to arm, arm64 and powerpc. See commit 70216e18 ("membarrier: Provide core serializing command, *_SYNC_CORE") for further details. Signed-off-by:
-
Thomas Richter authored
This flag is used to process only fully populated sampling buffers when an sampling event is stopped on a CPU. By default the last sampling buffer is also scanned for samples even if the sampling block full indicator is not set in the trailer entry of a sampling buffer page. This flag can be set via perf_event_attr::config1 field. It was never used and never documented. It is useless now. With PERF_CPUM_SF_FULL_BLOCKS: When a process is scheduled off the CPU, the sampling is stopped and the samples are copied to the perf ring buffer and marked invalid. When stopped at the last full sample buffer page (which is achieved with the PERF_CPUM_SF_FULL_BLOCKS options), the hardware sampling will resume at the first free sample entry in the current, partially filled sample buffer. Without PERF_CPUM_SF_FULL_BLOCKS (default behavior): The partially filled last sample buffer is scanned and valid samples are saved to the perf ring buffer. The valid samples are marked invalid. The sampling is resumed when the process is scheduled on this CPU. Again the hardware sampling will resume at the first free sample entry in the current, partially filled sample buffer. Now the next interrupt handler invocation scans the full sample block and saves the valid samples to the ring buffer. It omits the invalid samples at the top of the buffer. The default behavior is fully sufficient, therefore remove this feature. Signed-off-by:
Thomas Richter <tmricht@linux.ibm.com> Acked-by:
Hendrik Brueckner <brueckner@linux.ibm.com> Acked-by:
Sumanth Korikkar <sumanthk@linux.ibm.com> Signed-off-by:
-
- 20 Mar, 2023 8 commits
-
-
Heiko Carstens authored
Make use of atomic_fetch_xor() instead of an atomic_cmpxchg() loop to implement atomic_xor_bits() (aka atomic_xor_return()). This makes the C code more readable and in addition generates better code, since for z196 and newer a single lax instruction is generated instead of a cmpxchg() loop. Signed-off-by: -
Harald Freudenberger authored
Review and extend the low level AP code to be able to deal with asynchronous reported errors on APQNs. The hypervisor and the SE guest may be confronted with an asynchronously reported error at return of an AP instruction. So all places where AP instructions are called need review and may eventually need extensions. However, not all places need rework. As together with the AP status and the enabled asynch bit there is always a response code set. The asynch error reporting comes with new response codes which may be simple handled in the default case of a switch statement. The idea behind this patch is to report asynch errors as -EPERM (read this as "Operation not permitted") which reflects the fact that only a rapq (with F bit enabled) is a valid AP instruction when an asynch error is flagged. The AP queue state machine functions return AP_SM_WAIT_NONE when a asynch error is detected to reflect the fact, that the state machine can't do anything with such an error as long as the queue is reset. Unfortunately the ap bus scan function needed some update as the ap_queue_info() now needs to return 3 states: 1 if an APQN exists and info is available, -1 if it is assumed an APQN does not exist and the new return value 0 without any info values filled. This 0 returncode is handled as "there is an APQN but we currently don't know any more hw info about this, so please use your previous info and try again later". Signed-off-by:
-
Harald Freudenberger authored
Implementation of the new functions for SE AP support: bind, unbind and associate. There are two new sysfs attributes for this: /sys/devices/ap/cardxx/xx.yyyy/se_bind /sys/devices/ap/cardxx/xx.yyyy/se_associate Writing a 1 into the se_bind attribute triggers the SE AP bind for this AP queue, writing a 0 into does an unbind - that's a reset (RAPQ) with the F bit enabled. The se_associate attribute needs an integer value in range 0...2^16-1 written in. This is the index into a secrets table feed into the ultravisor. For more details please see the Architecture documents. These both new ap queue attributes are only visible inside a SE guest with SB (Secure Binding) available. Signed-off-by:
-
Harald Freudenberger authored
For some events the ap bus needs to poll. For example when an AP queue is reset until the reset is through. Also when no interrupt support is available (e.g. zVM) there is a need to poll until all requests have been processed and all replies have been delivered. Polling is done with a high resolution timer by default run with a rate of 4kHz (LPAR) or 666Hz (zVM guest). For some events (wait for reset complete, wait for irq enabled complete) this is a much too high poll rate which triggers a lot of TAPQ invocations. This patch introduces the possibility for the state machine functions to return a new wait enum AP_SM_WAIT_LOW_TIMEOUT which gives a hint to the ap_wait() function to eventually set up the timer with a more relaxed timeout value of 25Hz. This patch also includes a slight rework of the sysfs functions parsing the timer related stuff: Use of kstrtobool and kstrtoul instead of sscanf. Signed-off-by:
-
Harald Freudenberger authored
Introduce two new low level functions ap_bapq() (calls PQAP(BAPQ)) and ap_aapq (calls PQAP(AAPQ)). Both functions are only meant to be used in SE environment with the SE AP binding facility available. Signed-off-by:
-
Harald Freudenberger authored
Extent the ap inline functions ap_rapq() (calls PQAP(RAPQ)) and ap_zapq() (calls PQAP(ZAPQ)) with a new parameter to enable the new architectured F bit which forces an unassociate and/or unbind on a secure execution associated and/or bound queue. Signed-off-by:
-
Harald Freudenberger authored
With SE SB (Secure Binding) some currently unused and thus always zero bits in the TAPQ GR2 result are now used to show the binding state of a queue. So to check if a card has changed the comparing base is exactly this GR2 value shown as 'ap_function' in sysfs (/sys/devices/ap/cardxx/ap_functions). Now there is some queue specific info in this info and so a new mask TAPQ_CARD_FUNC_CMP_MASK is used to filter out only the relevant bits for card compare. For the same reason now the function bits (including exactly this bind/associate information) need to be exposed to user space now. So tools like lszcrypt can evaluate binding/association state on a queue base. So here comes a new sysfs attribute /sys/devices/ap/cardxx/xx.yyyy/ap_functions This sysfs attribute is similar to the already existing ap_functions attribute at ap card level. It shows the upper 32 bits of GR2 from an invocation of TAPQ for this AP queue. Signed-off-by:
-
Harald Freudenberger authored
This patch introduces a new struct ap_tapq_gr2 which covers the response in GR2 on TAPQ invocation. This makes it much easier and less error-prone for the calling functions to access the right field without shifting and masking. Signed-off-by:
-
