From a79647d6e52cd6a945444ceea1cf05b51428bd3d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 21 Jun 2021 12:48:43 +0200 Subject: [PATCH] 4.9-stable patches added patches: arcv2-save-abi-registers-across-signal-handling.patch can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch pci-mark-some-nvidia-gpus-to-avoid-bus-reset.patch pci-mark-ti-c667x-to-avoid-bus-reset.patch tracing-do-no-increment-trace_clock_global-by-one.patch --- ...abi-registers-across-signal-handling.patch | 112 +++++++++++++++ ...-fix-infoleak-in-struct-bcm_msg_head.patch | 51 +++++++ ...-some-nvidia-gpus-to-avoid-bus-reset.patch | 48 +++++++ ...pci-mark-ti-c667x-to-avoid-bus-reset.patch | 48 +++++++ queue-4.9/series | 5 + ...-increment-trace_clock_global-by-one.patch | 131 ++++++++++++++++++ 6 files changed, 395 insertions(+) create mode 100644 queue-4.9/arcv2-save-abi-registers-across-signal-handling.patch create mode 100644 queue-4.9/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch create mode 100644 queue-4.9/pci-mark-some-nvidia-gpus-to-avoid-bus-reset.patch create mode 100644 queue-4.9/pci-mark-ti-c667x-to-avoid-bus-reset.patch create mode 100644 queue-4.9/tracing-do-no-increment-trace_clock_global-by-one.patch diff --git a/queue-4.9/arcv2-save-abi-registers-across-signal-handling.patch b/queue-4.9/arcv2-save-abi-registers-across-signal-handling.patch new file mode 100644 index 00000000000..0f0adb53413 --- /dev/null +++ b/queue-4.9/arcv2-save-abi-registers-across-signal-handling.patch @@ -0,0 +1,112 @@ +From 96f1b00138cb8f04c742c82d0a7c460b2202e887 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Tue, 8 Jun 2021 19:39:25 -0700 +Subject: ARCv2: save ABI registers across signal handling + +From: Vineet Gupta + +commit 96f1b00138cb8f04c742c82d0a7c460b2202e887 upstream. + +ARCv2 has some configuration dependent registers (r30, r58, r59) which +could be targetted by the compiler. To keep the ABI stable, these were +unconditionally part of the glibc ABI +(sysdeps/unix/sysv/linux/arc/sys/ucontext.h:mcontext_t) however we +missed populating them (by saving/restoring them across signal +handling). + +This patch fixes the issue by + - adding arcv2 ABI regs to kernel struct sigcontext + - populating them during signal handling + +Change to struct sigcontext might seem like a glibc ABI change (although +it primarily uses ucontext_t:mcontext_t) but the fact is + - it has only been extended (existing fields are not touched) + - the old sigcontext was ABI incomplete to begin with anyways + +Fixes: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/53 +Cc: +Tested-by: kernel test robot +Reported-by: Vladimir Isaev +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/include/uapi/asm/sigcontext.h | 1 + arch/arc/kernel/signal.c | 43 +++++++++++++++++++++++++++++++++ + 2 files changed, 44 insertions(+) + +--- a/arch/arc/include/uapi/asm/sigcontext.h ++++ b/arch/arc/include/uapi/asm/sigcontext.h +@@ -17,6 +17,7 @@ + */ + struct sigcontext { + struct user_regs_struct regs; ++ struct user_regs_arcv2 v2abi; + }; + + #endif /* _ASM_ARC_SIGCONTEXT_H */ +--- a/arch/arc/kernel/signal.c ++++ b/arch/arc/kernel/signal.c +@@ -62,6 +62,41 @@ struct rt_sigframe { + unsigned int sigret_magic; + }; + ++static int save_arcv2_regs(struct sigcontext *mctx, struct pt_regs *regs) ++{ ++ int err = 0; ++#ifndef CONFIG_ISA_ARCOMPACT ++ struct user_regs_arcv2 v2abi; ++ ++ v2abi.r30 = regs->r30; ++#ifdef CONFIG_ARC_HAS_ACCL_REGS ++ v2abi.r58 = regs->r58; ++ v2abi.r59 = regs->r59; ++#else ++ v2abi.r58 = v2abi.r59 = 0; ++#endif ++ err = __copy_to_user(&mctx->v2abi, &v2abi, sizeof(v2abi)); ++#endif ++ return err; ++} ++ ++static int restore_arcv2_regs(struct sigcontext *mctx, struct pt_regs *regs) ++{ ++ int err = 0; ++#ifndef CONFIG_ISA_ARCOMPACT ++ struct user_regs_arcv2 v2abi; ++ ++ err = __copy_from_user(&v2abi, &mctx->v2abi, sizeof(v2abi)); ++ ++ regs->r30 = v2abi.r30; ++#ifdef CONFIG_ARC_HAS_ACCL_REGS ++ regs->r58 = v2abi.r58; ++ regs->r59 = v2abi.r59; ++#endif ++#endif ++ return err; ++} ++ + static int + stash_usr_regs(struct rt_sigframe __user *sf, struct pt_regs *regs, + sigset_t *set) +@@ -95,6 +130,10 @@ stash_usr_regs(struct rt_sigframe __user + + err = __copy_to_user(&(sf->uc.uc_mcontext.regs.scratch), &uregs.scratch, + sizeof(sf->uc.uc_mcontext.regs.scratch)); ++ ++ if (is_isa_arcv2()) ++ err |= save_arcv2_regs(&(sf->uc.uc_mcontext), regs); ++ + err |= __copy_to_user(&sf->uc.uc_sigmask, set, sizeof(sigset_t)); + + return err ? -EFAULT : 0; +@@ -110,6 +149,10 @@ static int restore_usr_regs(struct pt_re + err |= __copy_from_user(&uregs.scratch, + &(sf->uc.uc_mcontext.regs.scratch), + sizeof(sf->uc.uc_mcontext.regs.scratch)); ++ ++ if (is_isa_arcv2()) ++ err |= restore_arcv2_regs(&(sf->uc.uc_mcontext), regs); ++ + if (err) + return -EFAULT; + diff --git a/queue-4.9/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch b/queue-4.9/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch new file mode 100644 index 00000000000..706c39dd182 --- /dev/null +++ b/queue-4.9/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch @@ -0,0 +1,51 @@ +From 5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc Mon Sep 17 00:00:00 2001 +From: Norbert Slusarek +Date: Sat, 12 Jun 2021 22:18:54 +0200 +Subject: can: bcm: fix infoleak in struct bcm_msg_head + +From: Norbert Slusarek + +commit 5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc upstream. + +On 64-bit systems, struct bcm_msg_head has an added padding of 4 bytes between +struct members count and ival1. Even though all struct members are initialized, +the 4-byte hole will contain data from the kernel stack. This patch zeroes out +struct bcm_msg_head before usage, preventing infoleaks to userspace. + +Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") +Link: https://lore.kernel.org/r/trinity-7c1b2e82-e34f-4885-8060-2cd7a13769ce-1623532166177@3c-app-gmx-bs52 +Cc: linux-stable +Signed-off-by: Norbert Slusarek +Acked-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/bcm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -405,6 +405,7 @@ static void bcm_tx_timeout_tsklet(unsign + if (!op->count && (op->flags & TX_COUNTEVT)) { + + /* create notification to user */ ++ memset(&msg_head, 0, sizeof(msg_head)); + msg_head.opcode = TX_EXPIRED; + msg_head.flags = op->flags; + msg_head.count = op->count; +@@ -452,6 +453,7 @@ static void bcm_rx_changed(struct bcm_op + /* this element is not throttled anymore */ + data->flags &= (BCM_CAN_FLAGS_MASK|RX_RECV); + ++ memset(&head, 0, sizeof(head)); + head.opcode = RX_CHANGED; + head.flags = op->flags; + head.count = op->count; +@@ -566,6 +568,7 @@ static void bcm_rx_timeout_tsklet(unsign + struct bcm_msg_head msg_head; + + /* create notification to user */ ++ memset(&msg_head, 0, sizeof(msg_head)); + msg_head.opcode = RX_TIMEOUT; + msg_head.flags = op->flags; + msg_head.count = op->count; diff --git a/queue-4.9/pci-mark-some-nvidia-gpus-to-avoid-bus-reset.patch b/queue-4.9/pci-mark-some-nvidia-gpus-to-avoid-bus-reset.patch new file mode 100644 index 00000000000..716f3da27c1 --- /dev/null +++ b/queue-4.9/pci-mark-some-nvidia-gpus-to-avoid-bus-reset.patch @@ -0,0 +1,48 @@ +From 4c207e7121fa92b66bf1896bf8ccb9edfb0f9731 Mon Sep 17 00:00:00 2001 +From: Shanker Donthineni +Date: Tue, 8 Jun 2021 11:18:56 +0530 +Subject: PCI: Mark some NVIDIA GPUs to avoid bus reset + +From: Shanker Donthineni + +commit 4c207e7121fa92b66bf1896bf8ccb9edfb0f9731 upstream. + +Some NVIDIA GPU devices do not work with SBR. Triggering SBR leaves the +device inoperable for the current system boot. It requires a system +hard-reboot to get the GPU device back to normal operating condition +post-SBR. For the affected devices, enable NO_BUS_RESET quirk to avoid the +issue. + +This issue will be fixed in the next generation of hardware. + +Link: https://lore.kernel.org/r/20210608054857.18963-8-ameynarkhede03@gmail.com +Signed-off-by: Shanker Donthineni +Signed-off-by: Bjorn Helgaas +Reviewed-by: Sinan Kaya +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3346,6 +3346,18 @@ static void quirk_no_bus_reset(struct pc + } + + /* ++ * Some NVIDIA GPU devices do not work with bus reset, SBR needs to be ++ * prevented for those affected devices. ++ */ ++static void quirk_nvidia_no_bus_reset(struct pci_dev *dev) ++{ ++ if ((dev->device & 0xffc0) == 0x2340) ++ quirk_no_bus_reset(dev); ++} ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID, ++ quirk_nvidia_no_bus_reset); ++ ++/* + * Some Atheros AR9xxx and QCA988x chips do not behave after a bus reset. + * The device will throw a Link Down error on AER-capable systems and + * regardless of AER, config space of the device is never accessible again diff --git a/queue-4.9/pci-mark-ti-c667x-to-avoid-bus-reset.patch b/queue-4.9/pci-mark-ti-c667x-to-avoid-bus-reset.patch new file mode 100644 index 00000000000..aa9f1585d0b --- /dev/null +++ b/queue-4.9/pci-mark-ti-c667x-to-avoid-bus-reset.patch @@ -0,0 +1,48 @@ +From b5cf198e74a91073d12839a3e2db99994a39995d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antti=20J=C3=A4rvinen?= +Date: Mon, 15 Mar 2021 10:26:06 +0000 +Subject: PCI: Mark TI C667X to avoid bus reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Antti Järvinen + +commit b5cf198e74a91073d12839a3e2db99994a39995d upstream. + +Some TI KeyStone C667X devices do not support bus/hot reset. The PCIESS +automatically disables LTSSM when Secondary Bus Reset is received and +device stops working. Prevent bus reset for these devices. With this +change, the device can be assigned to VMs with VFIO, but it will leak state +between VMs. + +Reference: https://e2e.ti.com/support/processors/f/791/t/954382 +Link: https://lore.kernel.org/r/20210315102606.17153-1-antti.jarvinen@gmail.com +Signed-off-by: Antti Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Kishon Vijay Abraham I +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3358,6 +3358,16 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset); + ++/* ++ * Some TI KeyStone C667X devices do not support bus/hot reset. The PCIESS ++ * automatically disables LTSSM when Secondary Bus Reset is received and ++ * the device stops working. Prevent bus reset for these devices. With ++ * this change, the device can be assigned to VMs with VFIO, but it will ++ * leak state between VMs. Reference ++ * https://e2e.ti.com/support/processors/f/791/t/954382 ++ */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TI, 0xb005, quirk_no_bus_reset); ++ + static void quirk_no_pm_reset(struct pci_dev *dev) + { + /* diff --git a/queue-4.9/series b/queue-4.9/series index 421ee21e60a..d8b8431c1ea 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -35,3 +35,8 @@ net-cdc_eem-fix-tx-fixup-skb-leak.patch net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch scsi-core-put-.shost_dev-in-failure-path-if-host-sta.patch radeon-use-memcpy_to-fromio-for-uvd-fw-upload.patch +can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch +tracing-do-no-increment-trace_clock_global-by-one.patch +pci-mark-ti-c667x-to-avoid-bus-reset.patch +pci-mark-some-nvidia-gpus-to-avoid-bus-reset.patch +arcv2-save-abi-registers-across-signal-handling.patch diff --git a/queue-4.9/tracing-do-no-increment-trace_clock_global-by-one.patch b/queue-4.9/tracing-do-no-increment-trace_clock_global-by-one.patch new file mode 100644 index 00000000000..ca1dffe975d --- /dev/null +++ b/queue-4.9/tracing-do-no-increment-trace_clock_global-by-one.patch @@ -0,0 +1,131 @@ +From 89529d8b8f8daf92d9979382b8d2eb39966846ea Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 17 Jun 2021 17:12:35 -0400 +Subject: tracing: Do no increment trace_clock_global() by one + +From: Steven Rostedt (VMware) + +commit 89529d8b8f8daf92d9979382b8d2eb39966846ea upstream. + +The trace_clock_global() tries to make sure the events between CPUs is +somewhat in order. A global value is used and updated by the latest read +of a clock. If one CPU is ahead by a little, and is read by another CPU, a +lock is taken, and if the timestamp of the other CPU is behind, it will +simply use the other CPUs timestamp. + +The lock is also only taken with a "trylock" due to tracing, and strange +recursions can happen. The lock is not taken at all in NMI context. + +In the case where the lock is not able to be taken, the non synced +timestamp is returned. But it will not be less than the saved global +timestamp. + +The problem arises because when the time goes "backwards" the time +returned is the saved timestamp plus 1. If the lock is not taken, and the +plus one to the timestamp is returned, there's a small race that can cause +the time to go backwards! + + CPU0 CPU1 + ---- ---- + trace_clock_global() { + ts = clock() [ 1000 ] + trylock(clock_lock) [ success ] + global_ts = ts; [ 1000 ] + + + trace_clock_global() { + ts = clock() [ 999 ] + if (ts < global_ts) + ts = global_ts + 1 [ 1001 ] + + trylock(clock_lock) [ fail ] + + return ts [ 1001] + } + unlock(clock_lock); + return ts; [ 1000 ] + } + + trace_clock_global() { + ts = clock() [ 1000 ] + if (ts < global_ts) [ false 1000 == 1000 ] + + trylock(clock_lock) [ success ] + global_ts = ts; [ 1000 ] + unlock(clock_lock) + + return ts; [ 1000 ] + } + +The above case shows to reads of trace_clock_global() on the same CPU, but +the second read returns one less than the first read. That is, time when +backwards, and this is not what is allowed by trace_clock_global(). + +This was triggered by heavy tracing and the ring buffer checker that tests +for the clock going backwards: + + Ring buffer clock went backwards: 20613921464 -> 20613921463 + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 0 at kernel/trace/ring_buffer.c:3412 check_buffer+0x1b9/0x1c0 + Modules linked in: + [..] + [CPU: 2]TIME DOES NOT MATCH expected:20620711698 actual:20620711697 delta:6790234 before:20613921463 after:20613921463 + [20613915818] PAGE TIME STAMP + [20613915818] delta:0 + [20613915819] delta:1 + [20613916035] delta:216 + [20613916465] delta:430 + [20613916575] delta:110 + [20613916749] delta:174 + [20613917248] delta:499 + [20613917333] delta:85 + [20613917775] delta:442 + [20613917921] delta:146 + [20613918321] delta:400 + [20613918568] delta:247 + [20613918768] delta:200 + [20613919306] delta:538 + [20613919353] delta:47 + [20613919980] delta:627 + [20613920296] delta:316 + [20613920571] delta:275 + [20613920862] delta:291 + [20613921152] delta:290 + [20613921464] delta:312 + [20613921464] delta:0 TIME EXTEND + [20613921464] delta:0 + +This happened more than once, and always for an off by one result. It also +started happening after commit aafe104aa9096 was added. + +Cc: stable@vger.kernel.org +Fixes: aafe104aa9096 ("tracing: Restructure trace_clock_global() to never block") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_clock.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/trace/trace_clock.c ++++ b/kernel/trace/trace_clock.c +@@ -113,9 +113,9 @@ u64 notrace trace_clock_global(void) + prev_time = READ_ONCE(trace_clock_struct.prev_time); + now = sched_clock_cpu(this_cpu); + +- /* Make sure that now is always greater than prev_time */ ++ /* Make sure that now is always greater than or equal to prev_time */ + if ((s64)(now - prev_time) < 0) +- now = prev_time + 1; ++ now = prev_time; + + /* + * If in an NMI context then dont risk lockups and simply return +@@ -129,7 +129,7 @@ u64 notrace trace_clock_global(void) + /* Reread prev_time in case it was already updated */ + prev_time = READ_ONCE(trace_clock_struct.prev_time); + if ((s64)(now - prev_time) < 0) +- now = prev_time + 1; ++ now = prev_time; + + trace_clock_struct.prev_time = now; + -- 2.47.2