powerpc/64s/radix: Fix exit lazy tlb mm switch with irqs enabled

Switching mm and tinkering with current->active_mm should be done with
irqs disabled. There is a path where exit_lazy_flush_tlb can be called
with irqs enabled:

    exit_lazy_flush_tlb
    flush_type_needed
    __flush_all_mm
    tlb_finish_mmu
    exit_mmap

Which results in the switching being done with irqs enabled, which is
incorrect.

Fixes: a665eec0a22e ("powerpc/64s/radix: Fix mm_cpumask trimming race vs kthread_use_mm")
Cc: stable@vger.kernel.org # v5.10+
Reported-by: Sachin Sant <sachinp@linux.ibm.com>
Link: https://lore.kernel.org/linuxppc-dev/A9A5D83D-BA70-47A4-BCB4-30C1AE19BC22@linux.ibm.com/
Tested-by: Sachin Sant <sachinp@linux.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20230607005601.583293-1-npiggin@gmail.com

diff --git a/arch/powerpc/mm/book3s64/radix_tlb.c b/arch/powerpc/mm/book3s64/radix_tlb.c
index ce804b7bf84e42c131634e7639c93096f4acfe9d..0bd4866d98241d68546ec7669fc265b93866badb 100644 (file)
--- a/arch/powerpc/mm/book3s64/radix_tlb.c
+++ b/arch/powerpc/mm/book3s64/radix_tlb.c
@@ -795,12 +795,20 @@ void exit_lazy_flush_tlb(struct mm_struct *mm, bool always_flush)
                goto out;
 
        if (current->active_mm == mm) {
+               unsigned long flags;
+
                WARN_ON_ONCE(current->mm != NULL);
-               /* Is a kernel thread and is using mm as the lazy tlb */
+               /*
+                * It is a kernel thread and is using mm as the lazy tlb, so
+                * switch it to init_mm. This is not always called from IPI
+                * (e.g., flush_type_needed), so must disable irqs.
+                */
+               local_irq_save(flags);
                mmgrab_lazy_tlb(&init_mm);
                current->active_mm = &init_mm;
                switch_mm_irqs_off(mm, &init_mm, current);
                mmdrop_lazy_tlb(mm);
+               local_irq_restore(flags);
        }
 
        /*