--- /dev/null
+From 96f1b00138cb8f04c742c82d0a7c460b2202e887 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Tue, 8 Jun 2021 19:39:25 -0700
+Subject: ARCv2: save ABI registers across signal handling
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 96f1b00138cb8f04c742c82d0a7c460b2202e887 upstream.
+
+ARCv2 has some configuration dependent registers (r30, r58, r59) which
+could be targetted by the compiler. To keep the ABI stable, these were
+unconditionally part of the glibc ABI
+(sysdeps/unix/sysv/linux/arc/sys/ucontext.h:mcontext_t) however we
+missed populating them (by saving/restoring them across signal
+handling).
+
+This patch fixes the issue by
+ - adding arcv2 ABI regs to kernel struct sigcontext
+ - populating them during signal handling
+
+Change to struct sigcontext might seem like a glibc ABI change (although
+it primarily uses ucontext_t:mcontext_t) but the fact is
+ - it has only been extended (existing fields are not touched)
+ - the old sigcontext was ABI incomplete to begin with anyways
+
+Fixes: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/53
+Cc: <stable@vger.kernel.org>
+Tested-by: kernel test robot <lkp@intel.com>
+Reported-by: Vladimir Isaev <isaev@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/include/uapi/asm/sigcontext.h | 1
+ arch/arc/kernel/signal.c | 43 +++++++++++++++++++++++++++++++++
+ 2 files changed, 44 insertions(+)
+
+--- a/arch/arc/include/uapi/asm/sigcontext.h
++++ b/arch/arc/include/uapi/asm/sigcontext.h
+@@ -17,6 +17,7 @@
+ */
+ struct sigcontext {
+ struct user_regs_struct regs;
++ struct user_regs_arcv2 v2abi;
+ };
+
+ #endif /* _ASM_ARC_SIGCONTEXT_H */
+--- a/arch/arc/kernel/signal.c
++++ b/arch/arc/kernel/signal.c
+@@ -62,6 +62,41 @@ struct rt_sigframe {
+ unsigned int sigret_magic;
+ };
+
++static int save_arcv2_regs(struct sigcontext *mctx, struct pt_regs *regs)
++{
++ int err = 0;
++#ifndef CONFIG_ISA_ARCOMPACT
++ struct user_regs_arcv2 v2abi;
++
++ v2abi.r30 = regs->r30;
++#ifdef CONFIG_ARC_HAS_ACCL_REGS
++ v2abi.r58 = regs->r58;
++ v2abi.r59 = regs->r59;
++#else
++ v2abi.r58 = v2abi.r59 = 0;
++#endif
++ err = __copy_to_user(&mctx->v2abi, &v2abi, sizeof(v2abi));
++#endif
++ return err;
++}
++
++static int restore_arcv2_regs(struct sigcontext *mctx, struct pt_regs *regs)
++{
++ int err = 0;
++#ifndef CONFIG_ISA_ARCOMPACT
++ struct user_regs_arcv2 v2abi;
++
++ err = __copy_from_user(&v2abi, &mctx->v2abi, sizeof(v2abi));
++
++ regs->r30 = v2abi.r30;
++#ifdef CONFIG_ARC_HAS_ACCL_REGS
++ regs->r58 = v2abi.r58;
++ regs->r59 = v2abi.r59;
++#endif
++#endif
++ return err;
++}
++
+ static int
+ stash_usr_regs(struct rt_sigframe __user *sf, struct pt_regs *regs,
+ sigset_t *set)
+@@ -95,6 +130,10 @@ stash_usr_regs(struct rt_sigframe __user
+
+ err = __copy_to_user(&(sf->uc.uc_mcontext.regs.scratch), &uregs.scratch,
+ sizeof(sf->uc.uc_mcontext.regs.scratch));
++
++ if (is_isa_arcv2())
++ err |= save_arcv2_regs(&(sf->uc.uc_mcontext), regs);
++
+ err |= __copy_to_user(&sf->uc.uc_sigmask, set, sizeof(sigset_t));
+
+ return err ? -EFAULT : 0;
+@@ -110,6 +149,10 @@ static int restore_usr_regs(struct pt_re
+ err |= __copy_from_user(&uregs.scratch,
+ &(sf->uc.uc_mcontext.regs.scratch),
+ sizeof(sf->uc.uc_mcontext.regs.scratch));
++
++ if (is_isa_arcv2())
++ err |= restore_arcv2_regs(&(sf->uc.uc_mcontext), regs);
++
+ if (err)
+ return -EFAULT;
+
--- /dev/null
+From 5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc Mon Sep 17 00:00:00 2001
+From: Norbert Slusarek <nslusarek@gmx.net>
+Date: Sat, 12 Jun 2021 22:18:54 +0200
+Subject: can: bcm: fix infoleak in struct bcm_msg_head
+
+From: Norbert Slusarek <nslusarek@gmx.net>
+
+commit 5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc upstream.
+
+On 64-bit systems, struct bcm_msg_head has an added padding of 4 bytes between
+struct members count and ival1. Even though all struct members are initialized,
+the 4-byte hole will contain data from the kernel stack. This patch zeroes out
+struct bcm_msg_head before usage, preventing infoleaks to userspace.
+
+Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
+Link: https://lore.kernel.org/r/trinity-7c1b2e82-e34f-4885-8060-2cd7a13769ce-1623532166177@3c-app-gmx-bs52
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/bcm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -392,6 +392,7 @@ static void bcm_tx_timeout_tsklet(unsign
+ if (!op->count && (op->flags & TX_COUNTEVT)) {
+
+ /* create notification to user */
++ memset(&msg_head, 0, sizeof(msg_head));
+ msg_head.opcode = TX_EXPIRED;
+ msg_head.flags = op->flags;
+ msg_head.count = op->count;
+@@ -439,6 +440,7 @@ static void bcm_rx_changed(struct bcm_op
+ /* this element is not throttled anymore */
+ data->can_dlc &= (BCM_CAN_DLC_MASK|RX_RECV);
+
++ memset(&head, 0, sizeof(head));
+ head.opcode = RX_CHANGED;
+ head.flags = op->flags;
+ head.count = op->count;
+@@ -550,6 +552,7 @@ static void bcm_rx_timeout_tsklet(unsign
+ struct bcm_msg_head msg_head;
+
+ /* create notification to user */
++ memset(&msg_head, 0, sizeof(msg_head));
+ msg_head.opcode = RX_TIMEOUT;
+ msg_head.flags = op->flags;
+ msg_head.count = op->count;
--- /dev/null
+From 4c207e7121fa92b66bf1896bf8ccb9edfb0f9731 Mon Sep 17 00:00:00 2001
+From: Shanker Donthineni <sdonthineni@nvidia.com>
+Date: Tue, 8 Jun 2021 11:18:56 +0530
+Subject: PCI: Mark some NVIDIA GPUs to avoid bus reset
+
+From: Shanker Donthineni <sdonthineni@nvidia.com>
+
+commit 4c207e7121fa92b66bf1896bf8ccb9edfb0f9731 upstream.
+
+Some NVIDIA GPU devices do not work with SBR. Triggering SBR leaves the
+device inoperable for the current system boot. It requires a system
+hard-reboot to get the GPU device back to normal operating condition
+post-SBR. For the affected devices, enable NO_BUS_RESET quirk to avoid the
+issue.
+
+This issue will be fixed in the next generation of hardware.
+
+Link: https://lore.kernel.org/r/20210608054857.18963-8-ameynarkhede03@gmail.com
+Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Sinan Kaya <okaya@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/quirks.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3145,6 +3145,18 @@ static void quirk_no_bus_reset(struct pc
+ }
+
+ /*
++ * Some NVIDIA GPU devices do not work with bus reset, SBR needs to be
++ * prevented for those affected devices.
++ */
++static void quirk_nvidia_no_bus_reset(struct pci_dev *dev)
++{
++ if ((dev->device & 0xffc0) == 0x2340)
++ quirk_no_bus_reset(dev);
++}
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID,
++ quirk_nvidia_no_bus_reset);
++
++/*
+ * Some Atheros AR9xxx and QCA988x chips do not behave after a bus reset.
+ * The device will throw a Link Down error on AER-capable systems and
+ * regardless of AER, config space of the device is never accessible again
--- /dev/null
+From b5cf198e74a91073d12839a3e2db99994a39995d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antti=20J=C3=A4rvinen?= <antti.jarvinen@gmail.com>
+Date: Mon, 15 Mar 2021 10:26:06 +0000
+Subject: PCI: Mark TI C667X to avoid bus reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Antti Järvinen <antti.jarvinen@gmail.com>
+
+commit b5cf198e74a91073d12839a3e2db99994a39995d upstream.
+
+Some TI KeyStone C667X devices do not support bus/hot reset. The PCIESS
+automatically disables LTSSM when Secondary Bus Reset is received and
+device stops working. Prevent bus reset for these devices. With this
+change, the device can be assigned to VMs with VFIO, but it will leak state
+between VMs.
+
+Reference: https://e2e.ti.com/support/processors/f/791/t/954382
+Link: https://lore.kernel.org/r/20210315102606.17153-1-antti.jarvinen@gmail.com
+Signed-off-by: Antti Järvinen <antti.jarvinen@gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Kishon Vijay Abraham I <kishon@ti.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/quirks.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3157,6 +3157,16 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset);
+
++/*
++ * Some TI KeyStone C667X devices do not support bus/hot reset. The PCIESS
++ * automatically disables LTSSM when Secondary Bus Reset is received and
++ * the device stops working. Prevent bus reset for these devices. With
++ * this change, the device can be assigned to VMs with VFIO, but it will
++ * leak state between VMs. Reference
++ * https://e2e.ti.com/support/processors/f/791/t/954382
++ */
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TI, 0xb005, quirk_no_bus_reset);
++
+ static void quirk_no_pm_reset(struct pci_dev *dev)
+ {
+ /*
net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch
scsi-core-put-.shost_dev-in-failure-path-if-host-sta.patch
radeon-use-memcpy_to-fromio-for-uvd-fw-upload.patch
+can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch
+tracing-do-no-increment-trace_clock_global-by-one.patch
+pci-mark-ti-c667x-to-avoid-bus-reset.patch
+pci-mark-some-nvidia-gpus-to-avoid-bus-reset.patch
+arcv2-save-abi-registers-across-signal-handling.patch
--- /dev/null
+From 89529d8b8f8daf92d9979382b8d2eb39966846ea Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 17 Jun 2021 17:12:35 -0400
+Subject: tracing: Do no increment trace_clock_global() by one
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 89529d8b8f8daf92d9979382b8d2eb39966846ea upstream.
+
+The trace_clock_global() tries to make sure the events between CPUs is
+somewhat in order. A global value is used and updated by the latest read
+of a clock. If one CPU is ahead by a little, and is read by another CPU, a
+lock is taken, and if the timestamp of the other CPU is behind, it will
+simply use the other CPUs timestamp.
+
+The lock is also only taken with a "trylock" due to tracing, and strange
+recursions can happen. The lock is not taken at all in NMI context.
+
+In the case where the lock is not able to be taken, the non synced
+timestamp is returned. But it will not be less than the saved global
+timestamp.
+
+The problem arises because when the time goes "backwards" the time
+returned is the saved timestamp plus 1. If the lock is not taken, and the
+plus one to the timestamp is returned, there's a small race that can cause
+the time to go backwards!
+
+ CPU0 CPU1
+ ---- ----
+ trace_clock_global() {
+ ts = clock() [ 1000 ]
+ trylock(clock_lock) [ success ]
+ global_ts = ts; [ 1000 ]
+
+ <interrupted by NMI>
+ trace_clock_global() {
+ ts = clock() [ 999 ]
+ if (ts < global_ts)
+ ts = global_ts + 1 [ 1001 ]
+
+ trylock(clock_lock) [ fail ]
+
+ return ts [ 1001]
+ }
+ unlock(clock_lock);
+ return ts; [ 1000 ]
+ }
+
+ trace_clock_global() {
+ ts = clock() [ 1000 ]
+ if (ts < global_ts) [ false 1000 == 1000 ]
+
+ trylock(clock_lock) [ success ]
+ global_ts = ts; [ 1000 ]
+ unlock(clock_lock)
+
+ return ts; [ 1000 ]
+ }
+
+The above case shows to reads of trace_clock_global() on the same CPU, but
+the second read returns one less than the first read. That is, time when
+backwards, and this is not what is allowed by trace_clock_global().
+
+This was triggered by heavy tracing and the ring buffer checker that tests
+for the clock going backwards:
+
+ Ring buffer clock went backwards: 20613921464 -> 20613921463
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 0 at kernel/trace/ring_buffer.c:3412 check_buffer+0x1b9/0x1c0
+ Modules linked in:
+ [..]
+ [CPU: 2]TIME DOES NOT MATCH expected:20620711698 actual:20620711697 delta:6790234 before:20613921463 after:20613921463
+ [20613915818] PAGE TIME STAMP
+ [20613915818] delta:0
+ [20613915819] delta:1
+ [20613916035] delta:216
+ [20613916465] delta:430
+ [20613916575] delta:110
+ [20613916749] delta:174
+ [20613917248] delta:499
+ [20613917333] delta:85
+ [20613917775] delta:442
+ [20613917921] delta:146
+ [20613918321] delta:400
+ [20613918568] delta:247
+ [20613918768] delta:200
+ [20613919306] delta:538
+ [20613919353] delta:47
+ [20613919980] delta:627
+ [20613920296] delta:316
+ [20613920571] delta:275
+ [20613920862] delta:291
+ [20613921152] delta:290
+ [20613921464] delta:312
+ [20613921464] delta:0 TIME EXTEND
+ [20613921464] delta:0
+
+This happened more than once, and always for an off by one result. It also
+started happening after commit aafe104aa9096 was added.
+
+Cc: stable@vger.kernel.org
+Fixes: aafe104aa9096 ("tracing: Restructure trace_clock_global() to never block")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_clock.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_clock.c
++++ b/kernel/trace/trace_clock.c
+@@ -113,9 +113,9 @@ u64 notrace trace_clock_global(void)
+ prev_time = READ_ONCE(trace_clock_struct.prev_time);
+ now = sched_clock_cpu(this_cpu);
+
+- /* Make sure that now is always greater than prev_time */
++ /* Make sure that now is always greater than or equal to prev_time */
+ if ((s64)(now - prev_time) < 0)
+- now = prev_time + 1;
++ now = prev_time;
+
+ /*
+ * If in an NMI context then dont risk lockups and simply return
+@@ -129,7 +129,7 @@ u64 notrace trace_clock_global(void)
+ /* Reread prev_time in case it was already updated */
+ prev_time = READ_ONCE(trace_clock_struct.prev_time);
+ if ((s64)(now - prev_time) < 0)
+- now = prev_time + 1;
++ now = prev_time;
+
+ trace_clock_struct.prev_time = now;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
