From 13e17846476d564aa5409c4f96584e02547e4a3e Mon Sep 17 00:00:00 2001 From: Frederic Weisbecker Date: May 30 2023 09:02:16 +0000 Subject: Merge 'SLE12-SP5' (3a17d97bdbd) into 'SLE12-SP5-RT' - Refresh: patches.rt/0251-workqueue-Use-normal-rcu.patch patches.rt/0252-workqueue-Use-local-irq-lock-instead-of-irq-disable-regions.patch --- diff --git a/blacklist.conf b/blacklist.conf index 3efde30..a106670 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -198,6 +198,7 @@ drivers/net/ethernet/natsemi/sonic.c #m68k Apple Macintosh drivers/net/ethernet/natsemi/sonic.h drivers/net/ethernet/pasemi/ # PA Semi network device drivers/net/ethernet/renesas/ # SuperH +drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c # DWMAC_SOCFPGA is not enabled drivers/net/hamradio/ # config not enabled drivers/pci/dwc/pci-dra7xx.c # config not enabled drivers/staging/android # we do not build android stuff 
@@ -577,6 +578,7 @@ b60706644282af04e4aa57da5af57470d453cd1f # vsprintf: cosmetic 1cf12e08bc4d50a76b80c42a3109c53d8794a0c9 # sched/hotplug: added here just to make sure that it will not be backported without followup fixes, e.g. ac687e6e8c26181a33 ac687e6e8c26181a33270efd1a2e2241377924b0 # kthread: not needed; part of a regression fix for the commit 1cf12e08bc4d ("sched/hotplug: Consolidate task migration on CPU unplug"); the regression commit is blacklisted as well 01341fbd0d8d4e717fc1231cdffe00343088ce0b # workqueue: Non-trivial reasoning why the change is correct. Fixing a corner case. Workqueues are typically allocated only once during boot so that the problem should not happen at runtime. +342ed2400b78072cc01c0130ce41240dec60d56d # workqueue: Cosmetic change. Not worth backporting. bsc#1211275 4950276672fce5c241857540f8561c440663673d # kmemcheck removal; not for released products d8be75663cec0069b85f80191abd2682ce4a512f # related to kmemcheck removal; not for released products a6da0024ffc19e0d47712bb5ca4fd083f76b07df # blktrace: fix unlocked registration of tracepoints; racy for ages; found by syzcaller; not worth it 
@@ -2798,3 +2800,51 @@ a157802359f7451ed8046b2b6dbaca187797e062 # build cleanup b648ab487f31bc4c38941bc770ea97fe394304bb # we don't have the original commit, nor do we care for 32bit a1ae8d4d9be0178132df7c4931a1ba77d0e76039 # no nvme core/fabric fixes to missing infrastructure 2a587b9ad052e7e92e508aea90c1e2ae433c1908 # ARCH_ASPEED=n +5d3d01ae15d2f37ed0325c99ab47ef0ae5d05f3c # a change of a name must break kABI +ea401499e943c307e6d44af6c2b4e068643e7884 # unavoidable kABI brekage of struct pcie_port_service_driver +f192970de860d3ab90aa9e2a22853201a57bde78 # not needed +4966babd904d7f8e9e20735f3637a98fd7ca538c # CONFIG_ROSE is not set +de526f401284e1638d4c97cb5a4c292ac3f37655 # not needed +0e5a82efda872c2469c210957d7d4161ef8f4391 # not needed +4ba0b8187d98cb4c5e33c0e98895ac5dcb86af83 # depends on dd123e62bdedcd3a486e48e883ec63138ec2c14c, which introduces a new driver +4b9880dbf3bdba3a7c56445137c3d0e30aaa0a40 # not needed with downstream version of patch +07b050f9290ee012a407a0f64151db902a1520f5 # not needed with downstream version of patch +a494398bde273143c2352dd373cad8211f7d94b2 # not needed with downstream version of patch +8c43bd1706885ba1acfa88da02bc60a2ec16f68c # not needed +3c91b0c1de8d013490bbc41ce9ee8810ea5baddd # not needed +64d7839af8c8f67daaf9bf387135052c55d85f90 # already applied +7856e8616273098dc6c09a6e084afd98a283ff0d # already applied +633e2b2ded739a34bd0fb1d8b5b871f7e489ea29 # breaks existing user space +3670de80678961eda7fa2220883fc77c16868951 # potential of breaking API +98a65439172dc69cb16834e62e852afc2adb83ed # driver not enabled: video: fbdev: kyro: fix a DoS bug by restricting user input +b36b242d4b8ea178f7fd038965e3cac7f30c3f09 # driver not enabled: video: fbdev: asiliantfb: Error out if 'pixclock' equals zero +1520b4b7ba964f8eec2e7dd14c571d50de3e5191 # driver not enabled: video: fbdev: kyro: Error out if 'pixclock' equals zero +f92763cb0feba247e0939ed137b495601fd072a5 # driver not enabled: video: fbdev: riva: Error out if 'pixclock' equals 
zero +37a1a2e6eeeb101285cd34e12e48a881524701aa # driver not enabled: video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow +8738ddcac644964ae128ccd3d80d48773c8d528e # driver not enabled: video: fbdev: w100fb: Reset global state +5c6f402bdcf9e7239c6bc7087eda71ac99b31379 # driver not enabled: video: fbdev: cirrusfb: check pixclock to avoid divide by zero +24565bc4115961db7ee64fcc7ad2a7437c0d0a49 # driver not enabled: video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit +f63658a59c3d439c8ad7b290f8ec270980e0f384 # driver not enabled: video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf() +c07a039cbb96748f54c02995bae8131cc9a73b0a # driver not enabled: video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf() +4f01d09b2bbfbcb47b3eb305560a7f4857a32260 # driver not enabled: video: fbdev: sm712fb: Fix crash in smtcfb_write() +d87ad457f7e1b8d2492ca5b1531eb35030a1cc8f # driver not enabled: video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove() +a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 # driver not enabled: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write +40bf722f8064f50200b8c4f8946cd625b441dda9 # driver not enabled: video: fbdev: i740fb: Check the argument of i740_calc_vclk() +07c55c9803dea748d17a054000cbf1913ce06399 # driver not enabled: fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() +5610bcfe8693c02e2e4c8b31427f1bdbdecc839c # driver not enabled: fbdev: smscufx: Fix use-after-free in ufx_ops_open() +aca7c13d3bee81a968337a5515411409ae9d095d # driver not enabled: parisc: fbdev/stifb: Align graphics memory size to 4MB +cc67482c9e5f2c80d62f623bcc347c29f9f648e1 # driver not enabled: fbdev: smscufx: Fix several use-after-free bugs +3c6bf6bddc84888c0ce163b09dee0ddd23b5172a # driver not enabled: fbdev: cyber2000fb: fix missing pci_disable_device() +025e3b507a3a8e1ee96a3112bb67495c77d6cdb6 # driver not enabled: fbdev: ssd1307fb: Drop optional 
dependency +ed359a464846b48f76ea6cc5cd8257e545ac97f4 # driver not enabled: fbdev: pm2fb: fix missing pci_disable_device() +5886b130de953cfb8826f7771ec8640a79934a7f # driver not enabled: fbdev: via: Fix error in via_core_init() +001f2cdb952a9566c77fb4b5470cc361db5601bb # driver not enabled: fbdev: vermilion: decrease reference count in error path +7f501aa71da9dc2eaae2b0118a151cad018d33b0 # driver not enabled: fbdev: omapfb: cleanup inconsistent indentation +f90bd245de82c095187d8c2cabb8b488a39eaecc # driver not enabled: fbdev: tgafb: Fix potential divide by zero +203873a535d627c668f293be0cb73e26c30f9cc7 # driver not enabled: fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks +92e2a00f2987483e1f9253625828622edd442e61 # driver not enabled: fbdev: nvidia: Fix potential divide by zero +d823685486a3446d061fed7c7d2f80af984f119a # driver not enabled: fbdev: intelfb: Fix potential divide by zero +61ac4b86a4c047c20d5cb423ddd87496f14d9868 # driver not enabled: fbdev: lxfb: Fix potential divide by zero +44a3b36b42acfc433aaaf526191dd12fbb919fdb # driver not enabled: fbdev: au1200fb: Fix potential divide by zero +5a6bef734247c7a8c19511664ff77634ab86f45b # driver not enabled: fbdev: arcfb: Fix error handling in arcfb_probe() +ed9de4ed39875706607fb08118a58344ae6c5f42 # driver not enabled: fbdev: udlfb: Fix endpoint check diff --git a/patches.kabi/media-dvb_frontend-kabi-workaround.patch b/patches.kabi/media-dvb_frontend-kabi-workaround.patch new file mode 100644 index 0000000..8be10ad --- /dev/null +++ b/patches.kabi/media-dvb_frontend-kabi-workaround.patch 
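Review bot: The fbdev entries added at the end of this hunk skip memory-safety fixes (for example `5610bcfe8693... fbdev: smscufx: Fix use-after-free in ufx_ops_open()` and `a09d2d00af53... pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write`) with only `driver not enabled` as the reason, which cannot be re-checked without knowing which option is meant. Naming the config symbol, as the `4966babd904d... # CONFIG_ROSE is not set` entry in the same hunk does, would let a later config change be matched against the blacklist. The bare `# not needed` entries give no reason at all, and `brekage` in the `ea401499e943` comment should read `breakage`.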
@@ -0,0 +1,133 @@ +From: Takashi Iwai +Subject: media: dvb_frontend: kABI workaround +Patch-mainline: Never, kABI workaround +References: CVE-2022-45885 bsc#1205758 + +For keeping the kABI workaround, the newly introduced remove_mutex +of dvb_frontend to be a global one. It's not urgent for performance, +so we can live with that. + +Signed-off-by: Takashi Iwai + +--- + drivers/media/dvb-core/dvb_frontend.c | 23 ++++++++++++----------- + drivers/media/dvb-core/dvb_frontend.h | 4 ---- + 2 files changed, 12 insertions(+), 15 deletions(-) + +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -100,6 +100,8 @@ MODULE_PARM_DESC(dvb_mfe_wait_time, "Wai + + static DEFINE_MUTEX(frontend_mutex); + ++static DEFINE_MUTEX(remove_mutex); ++ + struct dvb_frontend_private { + /* thread/frontend values */ + struct dvb_device *dvbdev; +@@ -816,20 +818,20 @@ static void dvb_frontend_stop(struct dvb + + dev_dbg(fe->dvb->device, "%s:\n", __func__); + +- mutex_lock(&fe->remove_mutex); ++ mutex_lock(&remove_mutex); + + if (fe->exit != DVB_FE_DEVICE_REMOVED) + fe->exit = DVB_FE_NORMAL_EXIT; + mb(); + + if (!fepriv->thread) { +- mutex_unlock(&fe->remove_mutex); ++ mutex_unlock(&remove_mutex); + return; + } + + kthread_stop(fepriv->thread); + +- mutex_unlock(&fe->remove_mutex); ++ mutex_unlock(&remove_mutex); + + if (fepriv->dvbdev->users < -1) { + wait_event(fepriv->dvbdev->wait_queue, +@@ -2507,7 +2509,7 @@ static int dvb_frontend_open(struct inod + struct dvb_adapter *adapter = fe->dvb; + int ret; + +- mutex_lock(&fe->remove_mutex); ++ mutex_lock(&remove_mutex); + + dev_dbg(fe->dvb->device, "%s:\n", __func__); + if (fe->exit == DVB_FE_DEVICE_REMOVED) { +@@ -2607,7 +2609,7 @@ static int dvb_frontend_open(struct inod + if (adapter->mfe_shared) + mutex_unlock (&adapter->mfe_lock); + +- mutex_unlock(&fe->remove_mutex); ++ mutex_unlock(&remove_mutex); + return ret; + + err3: +@@ -2629,7 +2631,7 @@ err0: + mutex_unlock (&adapter->mfe_lock); + + 
err_remove_mutex: +- mutex_unlock(&fe->remove_mutex); ++ mutex_unlock(&remove_mutex); + return ret; + } + +@@ -2640,7 +2642,7 @@ static int dvb_frontend_release(struct i + struct dvb_frontend_private *fepriv = fe->frontend_priv; + int ret; + +- mutex_lock(&fe->remove_mutex); ++ mutex_lock(&remove_mutex); + + dev_dbg(fe->dvb->device, "%s:\n", __func__); + +@@ -2665,14 +2667,14 @@ static int dvb_frontend_release(struct i + fe->ops.ts_bus_ctrl(fe, 0); + + if (fe->exit != DVB_FE_NO_EXIT) { +- mutex_unlock(&fe->remove_mutex); ++ mutex_unlock(&remove_mutex); + wake_up(&dvbdev->wait_queue); + } else { +- mutex_unlock(&fe->remove_mutex); ++ mutex_unlock(&remove_mutex); + } + + } else { +- mutex_unlock(&fe->remove_mutex); ++ mutex_unlock(&remove_mutex); + } + + dvb_frontend_put(fe); +@@ -2766,7 +2768,6 @@ int dvb_register_frontend(struct dvb_ada + fepriv = fe->frontend_priv; + + kref_init(&fe->refcount); +- mutex_init(&fe->remove_mutex); + + /* + * After initialization, there need to be two references: one +--- a/drivers/media/dvb-core/dvb_frontend.h ++++ b/drivers/media/dvb-core/dvb_frontend.h +@@ -659,9 +659,6 @@ struct dtv_frontend_properties { + * @exit: Used to inform the DVB core that the frontend + * thread should exit (usually, means that the hardware + * got disconnected). +- * @remove_mutex: mutex that avoids a race condition between a callback +- * called when the hardware is disconnected and the +- * file_operations of dvb_frontend. + */ + + struct dvb_frontend { +@@ -679,7 +676,6 @@ struct dvb_frontend { + int (*callback)(void *adapter_priv, int component, int cmd, int arg); + int id; + unsigned int exit; +- struct mutex remove_mutex; + }; + + /** diff --git a/patches.kabi/media-dvb_net-kabi-workaround.patch b/patches.kabi/media-dvb_net-kabi-workaround.patch new file mode 100644 index 0000000..ecbdae1 --- /dev/null +++ b/patches.kabi/media-dvb_net-kabi-workaround.patch 
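Review bot: `static DEFINE_MUTEX(remove_mutex);` in dvb_frontend.c makes one lock cover every frontend in the system, and `dvb_frontend_stop()` still calls `kthread_stop(fepriv->thread)` with it held, so open and release on unrelated frontends now wait for another device's thread to exit. `dvb_frontend_open()` also holds it across the whole call; if the `mfe_shared` path there sleeps waiting for the other frontend to be released (that code lies outside the hunks shown), the release it waits for would block on this same mutex, which is worth confirming because it is a correctness question rather than the performance one the description dismisses. The same per-object-to-global substitution is made for `dvbnet->remove_mutex` in the dvb_net kABI patch that follows. I would add a comment above the definition, e.g. `/* kABI: replaces per-frontend fe->remove_mutex; shared by ALL frontends, never wait on another frontend while holding it */`.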
@@ -0,0 +1,97 @@ +From: Takashi Iwai +Subject: media: dvb_net: kABI workaround +Patch-mainline: Never, kABI workaround +References: CVE-2022-45886 bsc#1205760 + +For keeping the kABI workaround, the newly introduced remove_mutex +of dvb_net to be a global one. It's not urgent for performance, +so we can live with that. + +Signed-off-by: Takashi Iwai + +--- + drivers/media/dvb-core/dvb_net.c | 19 ++++++++++--------- + drivers/media/dvb-core/dvb_net.h | 1 - + 2 files changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -67,6 +67,8 @@ + #include "dvb_demux.h" + #include "dvb_net.h" + ++static DEFINE_MUTEX(remove_mutex); ++ + static inline __u32 iov_crc32( __u32 c, struct kvec *iov, unsigned int cnt ) + { + unsigned int j; +@@ -1574,17 +1576,17 @@ static int locked_dvb_net_open(struct in + struct dvb_net *dvbnet = dvbdev->priv; + int ret; + +- if (mutex_lock_interruptible(&dvbnet->remove_mutex)) ++ if (mutex_lock_interruptible(&remove_mutex)) + return -ERESTARTSYS; + + if (dvbnet->exit) { +- mutex_unlock(&dvbnet->remove_mutex); ++ mutex_unlock(&remove_mutex); + return -ENODEV; + } + + ret = dvb_generic_open(inode, file); + +- mutex_unlock(&dvbnet->remove_mutex); ++ mutex_unlock(&remove_mutex); + + return ret; + } +@@ -1594,15 +1596,15 @@ static int dvb_net_close(struct inode *i + struct dvb_device *dvbdev = file->private_data; + struct dvb_net *dvbnet = dvbdev->priv; + +- mutex_lock(&dvbnet->remove_mutex); ++ mutex_lock(&remove_mutex); + + dvb_generic_release(inode, file); + + if (dvbdev->users == 1 && dvbnet->exit == 1) { +- mutex_unlock(&dvbnet->remove_mutex); ++ mutex_unlock(&remove_mutex); + wake_up(&dvbdev->wait_queue); + } else { +- mutex_unlock(&dvbnet->remove_mutex); ++ mutex_unlock(&remove_mutex); + } + + return 0; +@@ -1631,9 +1633,9 @@ void dvb_net_release (struct dvb_net *dv + { + int i; + +- mutex_lock(&dvbnet->remove_mutex); ++ mutex_lock(&remove_mutex); + dvbnet->exit = 1; +- 
mutex_unlock(&dvbnet->remove_mutex); ++ mutex_unlock(&remove_mutex); + + if (dvbnet->dvbdev->users < 1) + wait_event(dvbnet->dvbdev->wait_queue, +@@ -1656,7 +1658,6 @@ int dvb_net_init (struct dvb_adapter *ad + int i; + + mutex_init(&dvbnet->ioctl_mutex); +- mutex_init(&dvbnet->remove_mutex); + dvbnet->demux = dmx; + + for (i=0; i --- a/kernel/workqueue.c +++ b/kernel/workqueue.c -@@ -127,7 +127,7 @@ enum { +@@ -129,7 +129,7 @@ enum { * * PL: wq_pool_mutex protected. * @@ -28,7 +28,7 @@ Signed-off-by: Mike Galbraith * * PW: wq_pool_mutex and wq->mutex protected for writes. Either for reads. * -@@ -136,7 +136,7 @@ enum { +@@ -138,7 +138,7 @@ enum { * * WQ: wq->mutex protected. * @@ -36,8 +36,8 @@ Signed-off-by: Mike Galbraith + * WR: wq->mutex protected for writes. RCU protected for reads. * * MD: wq_mayday_lock protected. - */ -@@ -186,7 +186,7 @@ struct worker_pool { + * +@@ -191,7 +191,7 @@ struct worker_pool { atomic_t nr_running ____cacheline_aligned_in_smp; /* @@ -46,7 +46,7 @@ Signed-off-by: Mike Galbraith * from get_work_pool(). */ struct rcu_head rcu; -@@ -215,7 +215,7 @@ struct pool_workqueue { +@@ -220,7 +220,7 @@ struct pool_workqueue { /* * Release of unbound pwq is punted to system_wq. See put_pwq() * and pwq_unbound_release_workfn() for details. pool_workqueue @@ -55,7 +55,7 @@ Signed-off-by: Mike Galbraith * determined without grabbing wq->mutex. */ struct work_struct unbound_release_work; -@@ -359,20 +359,20 @@ static void workqueue_sysfs_unregister(s +@@ -364,20 +364,20 @@ static void workqueue_sysfs_unregister(s #include #define assert_rcu_or_pool_mutex() \ @@ -82,7 +82,7 @@ Signed-off-by: Mike Galbraith #define for_each_cpu_worker_pool(pool, cpu) \ for ((pool) = &per_cpu(cpu_worker_pools, cpu)[0]; \ -@@ -384,7 +384,7 @@ static void workqueue_sysfs_unregister(s +@@ -389,7 +389,7 @@ static void workqueue_sysfs_unregister(s * @pool: iteration cursor * @pi: integer used for iteration * @@ -91,7 +91,7 @@ 
Signed-off-by: Mike Galbraith * locked. If the pool needs to be used beyond the locking in effect, the * caller is responsible for guaranteeing that the pool stays online. * -@@ -416,7 +416,7 @@ static void workqueue_sysfs_unregister(s +@@ -421,7 +421,7 @@ static void workqueue_sysfs_unregister(s * @pwq: iteration cursor * @wq: the target workqueue * @@ -100,7 +100,7 @@ Signed-off-by: Mike Galbraith * If the pwq needs to be used beyond the locking in effect, the caller is * responsible for guaranteeing that the pwq stays online. * -@@ -552,7 +552,7 @@ static int worker_pool_assign_id(struct +@@ -557,7 +557,7 @@ static int worker_pool_assign_id(struct * @wq: the target workqueue * @node: the node ID * @@ -109,7 +109,7 @@ Signed-off-by: Mike Galbraith * read locked. * If the pwq needs to be used beyond the locking in effect, the caller is * responsible for guaranteeing that the pwq stays online. -@@ -696,8 +696,8 @@ static struct pool_workqueue *get_work_p +@@ -701,8 +701,8 @@ static struct pool_workqueue *get_work_p * @work: the work item of interest * * Pools are created and destroyed under wq_pool_mutex, and allows read @@ -120,7 +120,7 @@ Signed-off-by: Mike Galbraith * * All fields of the returned pool are accessible as long as the above * mentioned locking is in effect. If the returned pool needs to be used -@@ -1102,7 +1102,7 @@ static void put_pwq_unlocked(struct pool +@@ -1107,7 +1107,7 @@ static void put_pwq_unlocked(struct pool { if (pwq) { /* @@ -129,7 +129,7 @@ Signed-off-by: Mike Galbraith * following lock operations are safe. */ spin_lock_irq(&pwq->pool->lock); -@@ -1230,6 +1230,7 @@ static int try_to_grab_pending(struct wo +@@ -1235,6 +1235,7 @@ static int try_to_grab_pending(struct wo if (!test_and_set_bit(WORK_STRUCT_PENDING_BIT, work_data_bits(work))) return 0; @@ -137,7 +137,7 @@ 
Signed-off-by: Mike Galbraith /* * The queueing is in progress, or it is already queued. Try to * steal it from ->worklist without clearing WORK_STRUCT_PENDING. -@@ -1268,10 +1269,12 @@ static int try_to_grab_pending(struct wo +@@ -1273,10 +1274,12 @@ static int try_to_grab_pending(struct wo set_work_pool_and_keep_pending(work, pool->id); spin_unlock(&pool->lock); @@ -150,7 +150,7 @@ Signed-off-by: Mike Galbraith local_irq_restore(*flags); if (work_is_canceling(work)) return -ENOENT; -@@ -1385,6 +1388,7 @@ static void __queue_work(int cpu, struct +@@ -1390,6 +1393,7 @@ static void __queue_work(int cpu, struct if (unlikely(wq->flags & __WQ_DRAINING) && WARN_ON_ONCE(!is_chained_work(wq))) return; @@ -158,7 +158,7 @@ Signed-off-by: Mike Galbraith retry: /* pwq which will be used unless @work is executing elsewhere */ if (wq->flags & WQ_UNBOUND) { -@@ -1443,10 +1447,8 @@ retry: +@@ -1448,10 +1452,8 @@ retry: /* pwq determined, queue */ trace_workqueue_queue_work(req_cpu, pwq, work); @@ -171,7 +171,7 @@ Signed-off-by: Mike Galbraith pwq->nr_in_flight[pwq->work_color]++; work_flags = work_color_to_flags(pwq->work_color); -@@ -1464,7 +1466,9 @@ retry: +@@ -1469,7 +1471,9 @@ retry: insert_work(pwq, work, worklist, work_flags); @@ -181,7 +181,7 @@ Signed-off-by: Mike Galbraith } /** -@@ -2826,14 +2830,14 @@ static bool start_flush_work(struct work +@@ -2843,14 +2847,14 @@ static bool start_flush_work(struct work might_sleep(); @@ -199,7 +199,7 @@ Signed-off-by: Mike Galbraith /* see the comment in try_to_grab_pending() with the same code */ pwq = get_work_pwq(work); if (pwq) { -@@ -2862,10 +2866,11 @@ static bool start_flush_work(struct work +@@ -2879,10 +2883,11 @@ static bool start_flush_work(struct work else lock_map_acquire_read(&pwq->wq->lockdep_map); lock_map_release(&pwq->wq->lockdep_map); @@ -212,7 +212,7 @@ 
Signed-off-by: Mike Galbraith return false; } -@@ -3313,7 +3318,7 @@ static void rcu_free_pool(struct rcu_hea +@@ -3330,7 +3335,7 @@ static void rcu_free_pool(struct rcu_hea * put_unbound_pool - put a worker_pool * @pool: worker_pool to put * @@ -221,7 +221,7 @@ Signed-off-by: Mike Galbraith * safe manner. get_unbound_pool() calls this function on its failure path * and this function should be able to release pools which went through, * successfully or not, init_worker_pool(). -@@ -3367,8 +3372,8 @@ static void put_unbound_pool(struct work +@@ -3384,8 +3389,8 @@ static void put_unbound_pool(struct work del_timer_sync(&pool->idle_timer); del_timer_sync(&pool->mayday_timer); @@ -232,7 +232,7 @@ Signed-off-by: Mike Galbraith } /** -@@ -3475,14 +3480,14 @@ static void pwq_unbound_release_workfn(s +@@ -3498,14 +3503,14 @@ static void pwq_unbound_release_workfn(s put_unbound_pool(pool); mutex_unlock(&wq_pool_mutex); @@ -249,7 +249,7 @@ Signed-off-by: Mike Galbraith } /** -@@ -4157,7 +4162,7 @@ void destroy_workqueue(struct workqueue_ +@@ -4200,7 +4205,7 @@ void destroy_workqueue(struct workqueue_ * The base ref is never dropped on per-cpu pwqs. Directly * schedule RCU free. */ @@ -258,7 +258,7 @@ Signed-off-by: Mike Galbraith } else { /* * We're the sole accessor of @wq at this point. Directly -@@ -4267,7 +4272,8 @@ bool workqueue_congested(int cpu, struct +@@ -4310,7 +4315,8 @@ bool workqueue_congested(int cpu, struct struct pool_workqueue *pwq; bool ret; @@ -268,7 +268,7 @@ Signed-off-by: Mike Galbraith if (cpu == WORK_CPU_UNBOUND) cpu = smp_processor_id(); -@@ -4278,7 +4284,8 @@ bool workqueue_congested(int cpu, struct +@@ -4321,7 +4327,8 @@ bool workqueue_congested(int cpu, struct pwq = unbound_pwq_by_node(wq, cpu_to_node(cpu)); ret = !list_empty(&pwq->delayed_works); @@ -278,7 +278,7 @@ 
Signed-off-by: Mike Galbraith return ret; } -@@ -4304,15 +4311,15 @@ unsigned int work_busy(struct work_struc +@@ -4347,15 +4354,15 @@ unsigned int work_busy(struct work_struc if (work_pending(work)) ret |= WORK_BUSY_PENDING; @@ -298,7 +298,7 @@ Signed-off-by: Mike Galbraith return ret; } -@@ -4502,7 +4509,7 @@ void show_workqueue_state(void) +@@ -4545,7 +4552,7 @@ void show_workqueue_state(void) unsigned long flags; int pi; @@ -307,7 +307,7 @@ Signed-off-by: Mike Galbraith pr_info("Showing busy workqueues and worker pools:\n"); -@@ -4567,7 +4574,7 @@ void show_workqueue_state(void) +@@ -4613,7 +4620,7 @@ void show_workqueue_state(void) touch_nmi_watchdog(); } @@ -316,7 +316,7 @@ Signed-off-by: Mike Galbraith } /* -@@ -4928,16 +4935,16 @@ bool freeze_workqueues_busy(void) +@@ -4974,16 +4981,16 @@ bool freeze_workqueues_busy(void) * nr_active is monotonically decreasing. It's safe * to peek without lock. */ @@ -336,7 +336,7 @@ Signed-off-by: Mike Galbraith } out_unlock: mutex_unlock(&wq_pool_mutex); -@@ -5127,7 +5134,8 @@ static ssize_t wq_pool_ids_show(struct d +@@ -5173,7 +5180,8 @@ static ssize_t wq_pool_ids_show(struct d const char *delim = ""; int node, written = 0; @@ -346,7 +346,7 @@ Signed-off-by: Mike Galbraith for_each_node(node) { written += scnprintf(buf + written, PAGE_SIZE - written, "%s%d:%d", delim, node, -@@ -5135,7 +5143,8 @@ static ssize_t wq_pool_ids_show(struct d +@@ -5181,7 +5189,8 @@ static ssize_t wq_pool_ids_show(struct d delim = " "; } written += scnprintf(buf + written, PAGE_SIZE - written, "\n"); diff --git a/patches.rt/0252-workqueue-Use-local-irq-lock-instead-of-irq-disable-regions.patch b/patches.rt/0252-workqueue-Use-local-irq-lock-instead-of-irq-disable-regions.patch index 867c4a2..0e47b4e 100644 --- a/patches.rt/0252-workqueue-Use-local-irq-lock-instead-of-irq-disable-regions.patch +++ b/patches.rt/0252-workqueue-Use-local-irq-lock-instead-of-irq-disable-regions.patch @@ -17,15 +17,15 @@ Signed-off-by: Mike Galbraith 
--- a/kernel/workqueue.c +++ b/kernel/workqueue.c -@@ -50,6 +50,7 @@ - #include +@@ -51,6 +51,7 @@ + #include #include #include +#include #include "workqueue_internal.h" -@@ -353,6 +354,8 @@ EXPORT_SYMBOL_GPL(system_power_efficient +@@ -357,6 +358,8 @@ EXPORT_SYMBOL_GPL(system_power_efficient struct workqueue_struct *system_freezable_power_efficient_wq __read_mostly; EXPORT_SYMBOL_GPL(system_freezable_power_efficient_wq); @@ -34,7 +34,7 @@ Signed-off-by: Mike Galbraith static int worker_thread(void *__worker); static void workqueue_sysfs_unregister(struct workqueue_struct *wq); -@@ -1106,9 +1109,11 @@ static void put_pwq_unlocked(struct pool +@@ -1110,9 +1113,11 @@ static void put_pwq_unlocked(struct pool * As both pwqs and pools are RCU protected, the * following lock operations are safe. */ @@ -48,7 +48,7 @@ Signed-off-by: Mike Galbraith } } -@@ -1212,7 +1217,7 @@ static int try_to_grab_pending(struct wo +@@ -1216,7 +1221,7 @@ static int try_to_grab_pending(struct wo struct worker_pool *pool; struct pool_workqueue *pwq; @@ -57,7 +57,7 @@ Signed-off-by: Mike Galbraith /* try to steal the timer if it exists */ if (is_dwork) { -@@ -1276,7 +1281,7 @@ static int try_to_grab_pending(struct wo +@@ -1280,7 +1285,7 @@ static int try_to_grab_pending(struct wo spin_unlock(&pool->lock); fail: rcu_read_unlock(); @@ -66,7 +66,7 @@ Signed-off-by: Mike Galbraith if (work_is_canceling(work)) return -ENOENT; cpu_relax(); -@@ -1381,7 +1386,7 @@ static void __queue_work(int cpu, struct +@@ -1385,7 +1390,7 @@ static void __queue_work(int cpu, struct * queued or lose PENDING. Grabbing PENDING and queueing should * happen with IRQ disabled. */ @@ -75,7 +75,7 @@ Signed-off-by: Mike Galbraith debug_work_activate(work); -@@ -1489,14 +1494,14 @@ bool queue_work_on(int cpu, struct workq +@@ -1493,14 +1498,14 @@ bool queue_work_on(int cpu, struct workq bool ret = false; unsigned long flags; @@ -92,7 +92,7 @@ 
Signed-off-by: Mike Galbraith return ret; } EXPORT_SYMBOL(queue_work_on); -@@ -1505,8 +1510,11 @@ void delayed_work_timer_fn(unsigned long +@@ -1509,8 +1514,11 @@ void delayed_work_timer_fn(unsigned long { struct delayed_work *dwork = (struct delayed_work *)__data; @@ -104,7 +104,7 @@ Signed-off-by: Mike Galbraith } EXPORT_SYMBOL(delayed_work_timer_fn); -@@ -1562,14 +1570,14 @@ bool queue_delayed_work_on(int cpu, stru +@@ -1566,14 +1574,14 @@ bool queue_delayed_work_on(int cpu, stru unsigned long flags; /* read the comment in __queue_work() */ @@ -121,7 +121,7 @@ Signed-off-by: Mike Galbraith return ret; } EXPORT_SYMBOL(queue_delayed_work_on); -@@ -1604,7 +1612,7 @@ bool mod_delayed_work_on(int cpu, struct +@@ -1608,7 +1616,7 @@ bool mod_delayed_work_on(int cpu, struct if (likely(ret >= 0)) { __queue_delayed_work(cpu, wq, dwork, delay); @@ -130,7 +130,7 @@ Signed-off-by: Mike Galbraith } /* -ENOENT from try_to_grab_pending() becomes %true */ -@@ -2961,7 +2969,7 @@ static bool __cancel_work_timer(struct w +@@ -2977,7 +2985,7 @@ static bool __cancel_work_timer(struct w /* tell other tasks trying to grab @work to back off */ mark_work_canceling(work); @@ -139,7 +139,7 @@ Signed-off-by: Mike Galbraith /* * This allows canceling during early boot. We know that @work -@@ -3022,10 +3030,10 @@ EXPORT_SYMBOL_GPL(cancel_work_sync); +@@ -3038,10 +3046,10 @@ EXPORT_SYMBOL_GPL(cancel_work_sync); */ bool flush_delayed_work(struct delayed_work *dwork) { @@ -152,7 +152,7 @@ Signed-off-by: Mike Galbraith return flush_work(&dwork->work); } EXPORT_SYMBOL(flush_delayed_work); -@@ -3063,7 +3071,7 @@ static bool __cancel_work(struct work_st +@@ -3079,7 +3087,7 @@ static bool __cancel_work(struct work_st return false; set_work_pool_and_clear_pending(work, get_work_pool_id(work)); 
diff --git a/patches.suse/0001-net-tls-fix-possible-race-condition-between-do_tls_g.patch b/patches.suse/0001-net-tls-fix-possible-race-condition-between-do_tls_g.patch new file mode 100644 index 0000000..b6a585a --- /dev/null +++ b/patches.suse/0001-net-tls-fix-possible-race-condition-between-do_tls_g.patch 
@@ -0,0 +1,66 @@ +From 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 Mon Sep 17 00:00:00 2001 +From: Hangyu Hua +Date: Fri, 12 May 2023 18:14:32 +0200 +Subject: [PATCH] net: tls: fix possible race condition between + do_tls_getsockopt_conf() and do_tls_setsockopt_conf() +Git-commit: 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 +Patch-mainline: v6.3-rc2 +References: bsc#1209366 CVE-2023-28466 + +ctx->crypto_send.info is not protected by lock_sock in +do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf() +and error paths of do_tls_setsockopt_conf() may lead to a use-after-free +or null-deref. + +More discussion: https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/ + +Fixes: 3c4d7559159b ("tls: kernel TLS support") +Signed-off-by: Hangyu Hua +Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com +Signed-off-by: Jakub Kicinski +Acked-by: Vasant Karasulli + +--- + net/tls/tls_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index f88878b9a..3ff2d03f1 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -364,13 +364,11 @@ static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval, + rc = -EINVAL; + goto out; + } +- lock_sock(sk); + memcpy(crypto_info_aes_gcm_128->iv, + ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, + TLS_CIPHER_AES_GCM_128_IV_SIZE); + memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); +- release_sock(sk); + if (copy_to_user(optval, + crypto_info_aes_gcm_128, + sizeof(*crypto_info_aes_gcm_128))) +@@ -390,6 +388,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname, + { + int rc = 0; + ++ lock_sock(sk); ++ + switch (optname) { + case TLS_TX: + rc = do_tls_getsockopt_tx(sk, optval, optlen); +@@ -398,6 +398,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname, + rc = -ENOPROTOOPT; + break; + } ++ ++ release_sock(sk); ++ + return rc; + } + +-- +2.34.1 + 
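Review bot: The patch header keeps the upstream text about `do_tls_getsockopt_conf()` and `ctx->crypto_send.info`, while the hunks change `do_tls_getsockopt_tx()` and `do_tls_getsockopt()` and the data read is `ctx->tx.iv` / `ctx->tx.rec_seq`, so the CVE-2023-28466 reference cannot be matched to the code by name. A short backport note in the header, such as `[ backport: this tree has do_tls_getsockopt_tx() instead of do_tls_getsockopt_conf(); lock moved to do_tls_getsockopt() ]`, would make the adaptation explicit. With `lock_sock(sk)` moved to the caller, `copy_to_user()` in `do_tls_getsockopt_tx()` now runs under the socket lock. The race is closed only if the setsockopt error paths in this tree run under the same lock, which is not visible here.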
diff --git a/patches.suse/0001-netrom-Fix-use-after-free-caused-by-accept-on-alread.patch b/patches.suse/0001-netrom-Fix-use-after-free-caused-by-accept-on-alread.patch new file mode 100644 index 0000000..c23c763 --- /dev/null +++ b/patches.suse/0001-netrom-Fix-use-after-free-caused-by-accept-on-alread.patch 
@@ -0,0 +1,211 @@ +From 611792920925fb088ddccbe2783c7f92fdfb6b64 Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Thu, 26 Jan 2023 18:32:50 -0800 +Subject: [PATCH] netrom: Fix use-after-free caused by accept on already + connected socket +Git-commit: 611792920925fb088ddccbe2783c7f92fdfb6b64 +Patch-mainline: v6.2-rc7 +References: bsc#1211186 CVE-2023-32269 + +If you call listen() and accept() on an already connect()ed +AF_NETROM socket, accept() can successfully connect. +This is because when the peer socket sends data to sendmsg, +the skb with its own sk stored in the connected socket's +sk->sk_receive_queue is connected, and nr_accept() dequeues +the skb waiting in the sk->sk_receive_queue. + +As a result, nr_accept() allocates and returns a sock with +the sk of the parent AF_NETROM socket. + +And here use-after-free can happen through complex race conditions: +``` + cpu0 cpu1 + 1. socket_2 = socket(AF_NETROM) + . + . + listen(socket_2) + accepted_socket = accept(socket_2) + 2. socket_1 = socket(AF_NETROM) + nr_create() // sk refcount : 1 + connect(socket_1) + 3. write(accepted_socket) + nr_sendmsg() + nr_output() + nr_kick() + nr_send_iframe() + nr_transmit_buffer() + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() + nr_process_rx_frame(sk, skb); // sk : socket_1's sk + nr_state3_machine() + nr_queue_rx_frame() + sock_queue_rcv_skb() + sock_queue_rcv_skb_reason() + __sock_queue_rcv_skb() + __skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue + 4. listen(socket_1) + nr_listen() + uaf_socket = accept(socket_1) + nr_accept() + skb_dequeue(&sk->sk_receive_queue); + 5. close(accepted_socket) + nr_release() + nr_write_internal(sk, NR_DISCREQ) + nr_transmit_buffer() // NR_DISCREQ + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() // sk : socket_1's sk + nr_process_rx_frame() // NR_STATE_3 + nr_state3_machine() // NR_DISCREQ + nr_disconnect() + nr_sk(sk)->state = NR_STATE_0; + 6. 
close(socket_1) // sk refcount : 3 + nr_release() // NR_STATE_0 + sock_put(sk); // sk refcount : 0 + sk_free(sk); + close(uaf_socket) + nr_release() + sock_hold(sk); // UAF +``` + +KASAN report by syzbot: +``` +Bug: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520 +Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:306 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:417 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 + instrument_atomic_read_write include/linux/instrumented.h:102 [inline] + atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline] + __refcount_add include/linux/refcount.h:193 [inline] + __refcount_inc include/linux/refcount.h:250 [inline] + refcount_inc include/linux/refcount.h:267 [inline] + sock_hold include/net/sock.h:775 [inline] + nr_release+0x66/0x460 net/netrom/af_netrom.c:520 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7f6c19e3c9b9 +Code: Unable to access opcode 
bytes at 0x7f6c19e3c98f. +Rsp: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +Rax: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9 +Rdx: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006 +Rbp: 0000000000000003 R08: 000000000000000d R09: 000000000000000d +R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0 +R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + ____kasan_kmalloc mm/kasan/common.c:330 [inline] + __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:968 [inline] + __kmalloc+0x5a/0xd0 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 + sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 + nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 + __sock_create+0x359/0x790 net/socket.c:1515 + sock_create net/socket.c:1566 [inline] + __sys_socket_create net/socket.c:1603 [inline] + __sys_socket_create net/socket.c:1588 [inline] + __sys_socket+0x133/0x250 net/socket.c:1636 + __do_sys_socket net/socket.c:1649 [inline] + __se_sys_socket net/socket.c:1647 [inline] + __x64_sys_socket+0x73/0xb0 net/socket.c:1647 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + __cache_free mm/slab.c:3394 [inline] + __do_kmem_cache_free mm/slab.c:3580 [inline] + 
__kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 + sk_prot_free net/core/sock.c:2074 [inline] + __sk_destruct+0x5df/0x750 net/core/sock.c:2166 + sk_destruct net/core/sock.c:2181 [inline] + __sk_free+0x175/0x460 net/core/sock.c:2192 + sk_free+0x7c/0xa0 net/core/sock.c:2203 + sock_put include/net/sock.h:1991 [inline] + nr_release+0x39e/0x460 net/netrom/af_netrom.c:554 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +``` + +To fix this issue, nr_listen() returns -EINVAL for sockets that +successfully nr_connect(). + +Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. 
Miller +Acked-by: Vasant Karasulli + +--- + net/netrom/af_netrom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index 6f7f4392cffb..5a4cb796150f 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -400,6 +400,11 @@ static int nr_listen(struct socket *sock, int backlog) + struct sock *sk = sock->sk; + + lock_sock(sk); ++ if (sock->state != SS_UNCONNECTED) { ++ release_sock(sk); ++ return -EINVAL; ++ } ++ + if (sk->sk_state != TCP_LISTEN) { + memset(&nr_sk(sk)->user_addr, 0, AX25_ADDR_LEN); + sk->sk_max_ack_backlog = backlog; +-- +2.34.1 + diff --git a/patches.suse/0001-wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch b/patches.suse/0001-wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch new file mode 100644 index 0000000..581c0de --- /dev/null +++ b/patches.suse/0001-wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch 
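Review bot: The new `sock->state != SS_UNCONNECTED` test in nr_listen() has no comment, and the reason a connected socket must not listen is not visible in the code itself. The patch description gives it: a connected socket's sk_receive_queue holds data skbs, and nr_accept() would dequeue one and hand back a sock that shares the parent's sk. I would put that above the check, e.g. `/* A connected socket queues data skbs on sk_receive_queue; nr_accept() would take them for new connections. */`. The early exit repeats `release_sock(sk)`; the rest of nr_listen() is outside the hunk, so I cannot tell whether a shared unlock path already exists that this branch could jump to.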
@@ -0,0 +1,174 @@ +From 0da40e018fd034d87c9460123fa7f897b69fdee7 Mon Sep 17 00:00:00 2001 +From: Jisoo Jang +Date: Thu, 9 Mar 2023 19:44:57 +0900 +Subject: [PATCH] wifi: brcmfmac: slab-out-of-bounds read in + brcmf_get_assoc_ies() +Git-commit: 0da40e018fd034d87c9460123fa7f897b69fdee7 +Patch-mainline: v6.4 or v6.4-rc1 (next release) +References: bsc#1209287 CVE-2023-1380 + +Fix a slab-out-of-bounds read that occurs in kmemdup() called from +brcmf_get_assoc_ies(). +The bug could occur when assoc_info->req_len, data from a URB provided +by a USB device, is bigger than the size of buffer which is defined as +WL_EXTRA_BUF_MAX. + +Add the size check for req_len/resp_len of assoc_info. + +Found by a modified version of syzkaller. + +[ 46.592467][ T7] ================================================================== +[ 46.594687][ T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50 +[ 46.596572][ T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7 +[ 46.598575][ T7] +[ 46.599157][ T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #145 +[ 46.601333][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +[ 46.604360][ T7] Workqueue: events brcmf_fweh_event_worker +[ 46.605943][ T7] Call Trace: +[ 46.606584][ T7] dump_stack_lvl+0x8e/0xd1 +[ 46.607446][ T7] print_address_description.constprop.0.cold+0x93/0x334 +[ 46.608610][ T7] ? kmemdup+0x3e/0x50 +[ 46.609341][ T7] kasan_report.cold+0x79/0xd5 +[ 46.610151][ T7] ? kmemdup+0x3e/0x50 +[ 46.610796][ T7] kasan_check_range+0x14e/0x1b0 +[ 46.611691][ T7] memcpy+0x20/0x60 +[ 46.612323][ T7] kmemdup+0x3e/0x50 +[ 46.612987][ T7] brcmf_get_assoc_ies+0x967/0xf60 +[ 46.613904][ T7] ? brcmf_notify_vif_event+0x3d0/0x3d0 +[ 46.614831][ T7] ? lock_chain_count+0x20/0x20 +[ 46.615683][ T7] ? mark_lock.part.0+0xfc/0x2770 +[ 46.616552][ T7] ? lock_chain_count+0x20/0x20 +[ 46.617409][ T7] ? mark_lock.part.0+0xfc/0x2770 +[ 46.618244][ T7] ? 
lock_chain_count+0x20/0x20 +[ 46.619024][ T7] brcmf_bss_connect_done.constprop.0+0x241/0x2e0 +[ 46.620019][ T7] ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0 +[ 46.620818][ T7] ? __lock_acquire+0x181f/0x5790 +[ 46.621462][ T7] brcmf_notify_connect_status+0x448/0x1950 +[ 46.622134][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 46.622736][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0 +[ 46.623390][ T7] ? find_held_lock+0x2d/0x110 +[ 46.623962][ T7] ? brcmf_fweh_event_worker+0x19f/0xc60 +[ 46.624603][ T7] ? mark_held_locks+0x9f/0xe0 +[ 46.625145][ T7] ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0 +[ 46.625871][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0 +[ 46.626545][ T7] brcmf_fweh_call_event_handler.isra.0+0x90/0x100 +[ 46.627338][ T7] brcmf_fweh_event_worker+0x557/0xc60 +[ 46.627962][ T7] ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 +[ 46.628736][ T7] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 46.629396][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 46.629970][ T7] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 46.630649][ T7] process_one_work+0x92b/0x1460 +[ 46.631205][ T7] ? pwq_dec_nr_in_flight+0x330/0x330 +[ 46.631821][ T7] ? rwlock_bug.part.0+0x90/0x90 +[ 46.632347][ T7] worker_thread+0x95/0xe00 +[ 46.632832][ T7] ? __kthread_parkme+0x115/0x1e0 +[ 46.633393][ T7] ? process_one_work+0x1460/0x1460 +[ 46.633957][ T7] kthread+0x3a1/0x480 +[ 46.634369][ T7] ? 
set_kthread_struct+0x120/0x120 +[ 46.634933][ T7] ret_from_fork+0x1f/0x30 +[ 46.635431][ T7] +[ 46.635687][ T7] Allocated by task 7: +[ 46.636151][ T7] kasan_save_stack+0x1b/0x40 +[ 46.636628][ T7] __kasan_kmalloc+0x7c/0x90 +[ 46.637108][ T7] kmem_cache_alloc_trace+0x19e/0x330 +[ 46.637696][ T7] brcmf_cfg80211_attach+0x4a0/0x4040 +[ 46.638275][ T7] brcmf_attach+0x389/0xd40 +[ 46.638739][ T7] brcmf_usb_probe+0x12de/0x1690 +[ 46.639279][ T7] usb_probe_interface+0x2aa/0x760 +[ 46.639820][ T7] really_probe+0x205/0xb70 +[ 46.640342][ T7] __driver_probe_device+0x311/0x4b0 +[ 46.640876][ T7] driver_probe_device+0x4e/0x150 +[ 46.641445][ T7] __device_attach_driver+0x1cc/0x2a0 +[ 46.642000][ T7] bus_for_each_drv+0x156/0x1d0 +[ 46.642543][ T7] __device_attach+0x23f/0x3a0 +[ 46.643065][ T7] bus_probe_device+0x1da/0x290 +[ 46.643644][ T7] device_add+0xb7b/0x1eb0 +[ 46.644130][ T7] usb_set_configuration+0xf59/0x16f0 +[ 46.644720][ T7] usb_generic_driver_probe+0x82/0xa0 +[ 46.645295][ T7] usb_probe_device+0xbb/0x250 +[ 46.645786][ T7] really_probe+0x205/0xb70 +[ 46.646258][ T7] __driver_probe_device+0x311/0x4b0 +[ 46.646804][ T7] driver_probe_device+0x4e/0x150 +[ 46.647387][ T7] __device_attach_driver+0x1cc/0x2a0 +[ 46.647926][ T7] bus_for_each_drv+0x156/0x1d0 +[ 46.648454][ T7] __device_attach+0x23f/0x3a0 +[ 46.648939][ T7] bus_probe_device+0x1da/0x290 +[ 46.649478][ T7] device_add+0xb7b/0x1eb0 +[ 46.649936][ T7] usb_new_device.cold+0x49c/0x1029 +[ 46.650526][ T7] hub_event+0x1c98/0x3950 +[ 46.650975][ T7] process_one_work+0x92b/0x1460 +[ 46.651535][ T7] worker_thread+0x95/0xe00 +[ 46.651991][ T7] kthread+0x3a1/0x480 +[ 46.652413][ T7] ret_from_fork+0x1f/0x30 +[ 46.652885][ T7] +[ 46.653131][ T7] The buggy address belongs to the object at ffff888019442000 +[ 46.653131][ T7] which belongs to the cache kmalloc-2k of size 2048 +[ 46.654669][ T7] The buggy address is located 0 bytes inside of +[ 46.654669][ T7] 2048-byte region [ffff888019442000, ffff888019442800) +[ 46.656137][ 
T7] The buggy address belongs to the page: +[ 46.656720][ T7] page:ffffea0000651000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19440 +[ 46.657792][ T7] head:ffffea0000651000 order:3 compound_mapcount:0 compound_pincount:0 +[ 46.658673][ T7] flags: 0x100000000010200(slab|head|node=0|zone=1) +[ 46.659422][ T7] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888100042000 +[ 46.660363][ T7] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 +[ 46.661236][ T7] page dumped because: kasan: bad access detected +[ 46.661956][ T7] page_owner tracks the page as allocated +[ 46.662588][ T7] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 7, ts 31136961085, free_ts 0 +[ 46.664271][ T7] prep_new_page+0x1aa/0x240 +[ 46.664763][ T7] get_page_from_freelist+0x159a/0x27c0 +[ 46.665340][ T7] __alloc_pages+0x2da/0x6a0 +[ 46.665847][ T7] alloc_pages+0xec/0x1e0 +[ 46.666308][ T7] allocate_slab+0x380/0x4e0 +[ 46.666770][ T7] ___slab_alloc+0x5bc/0x940 +[ 46.667264][ T7] __slab_alloc+0x6d/0x80 +[ 46.667712][ T7] kmem_cache_alloc_trace+0x30a/0x330 +[ 46.668299][ T7] brcmf_usbdev_qinit.constprop.0+0x50/0x470 +[ 46.668885][ T7] brcmf_usb_probe+0xc97/0x1690 +[ 46.669438][ T7] usb_probe_interface+0x2aa/0x760 +[ 46.669988][ T7] really_probe+0x205/0xb70 +[ 46.670487][ T7] __driver_probe_device+0x311/0x4b0 +[ 46.671031][ T7] driver_probe_device+0x4e/0x150 +[ 46.671604][ T7] __device_attach_driver+0x1cc/0x2a0 +[ 46.672192][ T7] bus_for_each_drv+0x156/0x1d0 +[ 46.672739][ T7] page_owner free stack trace missing +[ 46.673335][ T7] +[ 46.673620][ T7] Memory state around the buggy address: +[ 46.674213][ T7] ffff888019442700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 46.675083][ T7] ffff888019442780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 46.675994][ T7] >ffff888019442800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 46.676875][ T7] ^ +[ 
46.677323][ T7] ffff888019442880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 46.678190][ T7] ffff888019442900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 46.679052][ T7] ================================================================== +[ 46.679945][ T7] Disabling lock debugging due to kernel taint +[ 46.680725][ T7] Kernel panic - not syncing: + +Reviewed-by: Arend van Spriel +Signed-off-by: Jisoo Jang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr +Acked-by: Vasant Karasulli + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index 548799fefb4b..de8a2e27f49c 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -6280,6 +6280,11 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg, + (struct brcmf_cfg80211_assoc_ielen_le *)cfg->extra_buf; + req_len = le32_to_cpu(assoc_info->req_len); + resp_len = le32_to_cpu(assoc_info->resp_len); ++ if (req_len > WL_EXTRA_BUF_MAX || resp_len > WL_EXTRA_BUF_MAX) { ++ brcmf_err("invalid lengths in assoc info: req %u resp %u\n", ++ req_len, resp_len); ++ return -EINVAL; ++ } + if (req_len) { + err = brcmf_fil_iovar_data_get(ifp, "assoc_req_ies", + cfg->extra_buf, +-- +2.34.1 + diff --git a/patches.suse/ACPI-processor-Fix-evaluating-_PDC-method-when-runni.patch b/patches.suse/ACPI-processor-Fix-evaluating-_PDC-method-when-runni.patch new file mode 100644 index 0000000..5f87fa1 --- /dev/null +++ b/patches.suse/ACPI-processor-Fix-evaluating-_PDC-method-when-runni.patch 
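Review bot: The bound added after the two `le32_to_cpu()` reads in brcmf_get_assoc_ies() does not say where the limit comes from, and a later change to the buffer would not obviously lead anyone back to this check. A comment such as `/* lengths are device-supplied; the IEs are read back into cfg->extra_buf, which holds WL_EXTRA_BUF_MAX bytes */` would tie the two together. The hunk shows only the request path using `cfg->extra_buf`, so the response path is presumably the same but should be confirmed. The `brcmf_err()` call prints values chosen by the device each time the check fails; whether that macro is rate limited in this tree is not visible here. How the callers treat the new `-EINVAL` is also outside the hunk.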
@@ -0,0 +1,145 @@ +Patch-mainline: v6.4-rc1 +Git-commit: 073828e954459b883f23e53999d31e4c55ab9654 +References: git-fixes +From: Roger Pau Monne +Date: Wed, 22 Mar 2023 12:13:29 +0100 +Subject: [PATCH] ACPI: processor: Fix evaluating _PDC method when running as + Xen dom0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In ACPI systems, the OS can direct power management, as opposed to the +firmware. This OS-directed Power Management is called OSPM. Part of +telling the firmware that the OS going to direct power management is +making ACPI "_PDC" (Processor Driver Capabilities) calls. These _PDC +methods must be evaluated for every processor object. If these _PDC +calls are not completed for every processor it can lead to +inconsistency and later failures in things like the CPU frequency +driver. + +In a Xen system, the dom0 kernel is responsible for system-wide power +management. The dom0 kernel is in charge of OSPM. However, the +number of CPUs available to dom0 can be different than the number of +CPUs physically present on the system. + +This leads to a problem: the dom0 kernel needs to evaluate _PDC for +all the processors, but it can't always see them. + +In dom0 kernels, ignore the existing ACPI method for determining if a +processor is physically present because it might not be accurate. +Instead, ask the hypervisor for this information. + +Fix this by introducing a custom function to use when running as Xen +dom0 in order to check whether a processor object matches a CPU that's +online. Such checking is done using the existing information fetched +by the Xen pCPU subsystem, extending it to also store the ACPI ID. + +This ensures that _PDC method gets evaluated for all physically online +CPUs, regardless of the number of CPUs made available to dom0. 
+ +Fixes: 5d554a7bb064 ("ACPI: processor: add internal processor_physically_present()") +Signed-off-by: Roger Pau Monné +Reviewed-by: Juergen Gross +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Juergen Gross +--- + drivers/acpi/processor_pdc.c | 11 +++++++++++ + drivers/xen/pcpu.c | 20 ++++++++++++++++++++ + include/xen/xen.h | 11 +++++++++++ + 3 files changed, 42 insertions(+) + +diff --git a/drivers/acpi/processor_pdc.c b/drivers/acpi/processor_pdc.c +index 8c3f82c9fff3..18fb04523f93 100644 +--- a/drivers/acpi/processor_pdc.c ++++ b/drivers/acpi/processor_pdc.c +@@ -14,6 +14,8 @@ + #include + #include + ++#include ++ + #include "internal.h" + + #define _COMPONENT ACPI_PROCESSOR_COMPONENT +@@ -47,6 +49,15 @@ static bool __init processor_physically_present(acpi_handle handle) + return false; + } + ++ if (xen_initial_domain()) ++ /* ++ * When running as a Xen dom0 the number of processors Linux ++ * sees can be different from the real number of processors on ++ * the system, and we still need to execute _PDC for all of ++ * them. ++ */ ++ return xen_processor_present(acpi_id); ++ + type = (acpi_type == ACPI_TYPE_DEVICE) ? 
1 : 0; + cpuid = acpi_get_cpuid(handle, type, acpi_id); + +diff --git a/drivers/xen/pcpu.c b/drivers/xen/pcpu.c +index fd3a644b0855..b3e3d1bb37f3 100644 +--- a/drivers/xen/pcpu.c ++++ b/drivers/xen/pcpu.c +@@ -58,6 +58,7 @@ struct pcpu { + struct list_head list; + struct device dev; + uint32_t cpu_id; ++ uint32_t acpi_id; + uint32_t flags; + }; + +@@ -249,6 +250,7 @@ static struct pcpu *create_and_register_pcpu(struct xenpf_pcpuinfo *info) + + INIT_LIST_HEAD(&pcpu->list); + pcpu->cpu_id = info->xen_cpuid; ++ pcpu->acpi_id = info->acpi_id; + pcpu->flags = info->flags; + + /* Need hold on xen_pcpu_lock before pcpu list manipulations */ +@@ -381,3 +383,21 @@ static int __init xen_pcpu_init(void) + return ret; + } + arch_initcall(xen_pcpu_init); ++ ++#ifdef CONFIG_ACPI ++bool __init xen_processor_present(uint32_t acpi_id) ++{ ++ const struct pcpu *pcpu; ++ bool online = false; ++ ++ mutex_lock(&xen_pcpu_lock); ++ list_for_each_entry(pcpu, &xen_pcpus, list) ++ if (pcpu->acpi_id == acpi_id) { ++ online = pcpu->flags & XEN_PCPU_FLAGS_ONLINE; ++ break; ++ } ++ mutex_unlock(&xen_pcpu_lock); ++ ++ return online; ++} ++#endif +diff --git a/include/xen/xen.h b/include/xen/xen.h +index 7adf59837c25..0efeb652f9b8 100644 +--- a/include/xen/xen.h ++++ b/include/xen/xen.h +@@ -71,4 +71,15 @@ static inline void xen_free_unpopulated_pages(unsigned int nr_pages, + bool xen_biovec_phys_mergeable(const struct bio_vec *vec1, + const struct bio_vec *vec2); + ++#if defined(CONFIG_XEN_DOM0) && defined(CONFIG_ACPI) && defined(CONFIG_X86) ++bool __init xen_processor_present(uint32_t acpi_id); ++#else ++#include ++static inline bool xen_processor_present(uint32_t acpi_id) ++{ ++ BUG(); ++ return false; ++} ++#endif ++ + #endif /* _XEN_XEN_H */ +-- +2.35.3 + diff --git a/patches.suse/Documentation-Document-sysfs-interfaces-purr-spurr-i.patch b/patches.suse/Documentation-Document-sysfs-interfaces-purr-spurr-i.patch new file mode 100644 index 0000000..6b589bd --- /dev/null 
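Review bot: The prototype and the definition of xen_processor_present() are guarded by different conditions. include/xen/xen.h declares it only under `CONFIG_XEN_DOM0 && CONFIG_ACPI && CONFIG_X86` and otherwise supplies a static inline stub, while drivers/xen/pcpu.c defines it under `#ifdef CONFIG_ACPI` alone. If pcpu.c can be built in a configuration where the header selects the stub, the non-static definition would conflict with it; the Makefile is not part of this patch, so this cannot be ruled out from here. Using the same condition in pcpu.c removes the doubt. The stub's `BUG()` would also benefit from a comment saying why it is expected to be unreachable, presumably because the only caller tests `xen_initial_domain()` first.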
+++ b/patches.suse/Documentation-Document-sysfs-interfaces-purr-spurr-i.patch 
@@ -0,0 +1,70 @@ +From bde752c3d6dbe9f6ca346560198e66bc3d7d7238 Mon Sep 17 00:00:00 2001 +From: "Gautham R. Shenoy" +Date: Tue, 7 Apr 2020 14:17:43 +0530 +Subject: [PATCH] Documentation: Document sysfs interfaces purr, spurr, + idle_purr, idle_spurr + +References: PED-3947 bsc#1210544 ltc#202303 +Patch-mainline: v5.8-rc1 +Git-commit: bde752c3d6dbe9f6ca346560198e66bc3d7d7238 + +Add documentation for the following sysfs interfaces: +/sys/devices/system/cpu/cpuX/purr +/sys/devices/system/cpu/cpuX/spurr +/sys/devices/system/cpu/cpuX/idle_purr +/sys/devices/system/cpu/cpuX/idle_spurr + +Signed-off-by: Gautham R. Shenoy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1586249263-14048-6-git-send-email-ego@linux.vnet.ibm.com +Acked-by: Michal Suchanek +--- + .../ABI/testing/sysfs-devices-system-cpu | 39 +++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu +--- a/Documentation/ABI/testing/sysfs-devices-system-cpu ++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu +@@ -439,3 +439,42 @@ Description: Umwait control + or C0.2 state. The time is an unsigned 32-bit number. + Note that a value of zero means there is no limit. + Low order two bits must be zero. ++ ++What: /sys/devices/system/cpu/cpuX/purr ++Date: Apr 2005 ++Contact: Linux for PowerPC mailing list ++Description: PURR ticks for this CPU since the system boot. ++ ++ The Processor Utilization Resources Register (PURR) is ++ a 64-bit counter which provides an estimate of the ++ resources used by the CPU thread. The contents of this ++ register increases monotonically. This sysfs interface ++ exposes the number of PURR ticks for cpuX. ++ ++What: /sys/devices/system/cpu/cpuX/spurr ++Date: Dec 2006 ++Contact: Linux for PowerPC mailing list ++Description: SPURR ticks for this CPU since the system boot. 
++ ++ The Scaled Processor Utilization Resources Register ++ (SPURR) is a 64-bit counter that provides a frequency ++ invariant estimate of the resources used by the CPU ++ thread. The contents of this register increases ++ monotonically. This sysfs interface exposes the number ++ of SPURR ticks for cpuX. ++ ++What: /sys/devices/system/cpu/cpuX/idle_purr ++Date: Apr 2020 ++Contact: Linux for PowerPC mailing list ++Description: PURR ticks for cpuX when it was idle. ++ ++ This sysfs interface exposes the number of PURR ticks ++ for cpuX when it was idle. ++ ++What: /sys/devices/system/cpu/cpuX/idle_spurr ++Date: Apr 2020 ++Contact: Linux for PowerPC mailing list ++Description: SPURR ticks for cpuX when it was idle. ++ ++ This sysfs interface exposes the number of SPURR ticks ++ for cpuX when it was idle. diff --git a/patches.suse/KVM-nSVM-clear-events-pending-from-svm_complete_inte.patch b/patches.suse/KVM-nSVM-clear-events-pending-from-svm_complete_inte.patch new file mode 100644 index 0000000..1ec3019 --- /dev/null +++ b/patches.suse/KVM-nSVM-clear-events-pending-from-svm_complete_inte.patch 
@@ -0,0 +1,47 @@
+Patch-mainline: v5.0-rc4
+Git-commit: 619ad846fc3452adaf71ca246c5aa711e2055398
+References: git-fixes
+From: Vitaly Kuznetsov
+Date: Mon, 7 Jan 2019 19:44:51 +0100
+Subject: [PATCH] KVM: nSVM: clear events pending from
+ svm_complete_interrupts() when exiting to L1
+
+kvm-unit-tests' eventinj "NMI failing on IDT" test results in NMI being
+delivered to the host (L1) when it's running nested. The problem seems to
+be: svm_complete_interrupts() raises 'nmi_injected' flag but later we
+decide to reflect EXIT_NPF to L1. The flag remains pending and we do NMI
+injection upon entry so it got delivered to L1 instead of L2.
+
+It seems that VMX code solves the same issue in prepare_vmcs12(), this was
+introduced with code refactoring in commit 5f3d5799974b ("KVM: nVMX: Rework
+event injection and recovery").
+
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/svm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 8a0c9a1f6ac8..9caf1252c64a 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3414,6 +3414,14 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
+ kvm_mmu_reset_context(&svm->vcpu);
+ kvm_mmu_load(&svm->vcpu);
+
++ /*
++ * Drop what we picked up for L2 via svm_complete_interrupts() so it
++ * doesn't end up in L1.
++ */
++ svm->vcpu.arch.nmi_injected = false;
++ kvm_clear_exception_queue(&svm->vcpu);
++ kvm_clear_interrupt_queue(&svm->vcpu);
++
+ return 0;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-Update-the-exit_qualification-access-bits-wh.patch b/patches.suse/KVM-x86-Update-the-exit_qualification-access-bits-wh.patch
new file mode 100644
index 0000000..76b2bd1
--- /dev/null
+++ b/patches.suse/KVM-x86-Update-the-exit_qualification-access-bits-wh.patch
@@ -0,0 +1,109 @@ +Patch-mainline: v4.17-rc1 +Git-commit: ddd6f0e94d3153951580d5b88b9d97c7e26a0e00 +References: git-fixes +From: KarimAllah Ahmed +Date: Wed, 28 Feb 2018 19:06:48 +0100 +Subject: [PATCH] KVM: x86: Update the exit_qualification access bits while + walking an address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... to avoid having a stale value when handling an EPT misconfig for MMIO +regions. + +MMIO regions that are not passed-through to the guest are handled through +EPT misconfigs. The first time a certain MMIO page is touched it causes an +EPT violation, then KVM marks the EPT entry to cause an EPT misconfig +instead. Any subsequent accesses to the entry will generate an EPT +misconfig. + +Things gets slightly complicated with nested guest handling for MMIO +regions that are not passed through from L0 (i.e. emulated by L0 +user-space). + +An EPT violation for one of these MMIO regions from L2, exits to L0 +hypervisor. L0 would then look at the EPT12 mapping for L1 hypervisor and +realize it is not present (or not sufficient to serve the request). Then L0 +injects an EPT violation to L1. L1 would then update its EPT mappings. The +EXIT_QUALIFICATION value for L1 would come from exit_qualification variable +in "struct vcpu". The problem is that this variable is only updated on EPT +violation and not on EPT misconfig. So if an EPT violation because of a +read happened first, then an EPT misconfig because of a write happened +afterwards. The L0 hypervisor will still contain exit_qualification value +from the previous read instead of the write and end up injecting an EPT +violation to the L1 hypervisor with an out of date EXIT_QUALIFICATION. + +The EPT violation that is injected from L0 to L1 needs to have the correct +EXIT_QUALIFICATION specially for the access bits because the individual +access bits for MMIO EPTs are updated only on actual access of this +specific type. 
So for the example above, the L1 hypervisor will keep +updating only the read bit in the EPT then resume the L2 guest. The L2 +guest would end up causing another exit where the L0 *again* will inject +another EPT violation to L1 hypervisor with *again* an out of date +exit_qualification which indicates a read and not a write. Then this +ping-pong just keeps happening without making any forward progress. + +The behavior of mapping MMIO regions changed in: + + commit a340b3e229b24 ("kvm: Map PFN-type memory regions as writable (if possible)") + +... where an EPT violation for a read would also fixup the write bits to +avoid another EPT violation which by acciddent would fix the bug mentioned +above. + +This commit fixes this situation and ensures that the access bits for the +exit_qualifcation is up to date. That ensures that even L1 hypervisor +running with a KVM version before the commit mentioned above would still +work. + +( The description above assumes EPT to be available and used by L1 + hypervisor + the L1 hypervisor is passing through the MMIO region to the L2 + guest while this MMIO region is emulated by the L0 user-space ). + +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: H. Peter Anvin +Cc: x86@kernel.org +Cc: kvm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: KarimAllah Ahmed +Signed-off-by: Radim Krčmář +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/paging_tmpl.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h +index 5abae72266b7..6288e9d7068e 100644 +--- a/arch/x86/kvm/paging_tmpl.h ++++ b/arch/x86/kvm/paging_tmpl.h +@@ -452,14 +452,21 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker, + * done by is_rsvd_bits_set() above. 
+ * + * We set up the value of exit_qualification to inject: +- * [2:0] - Derive from [2:0] of real exit_qualification at EPT violation ++ * [2:0] - Derive from the access bits. The exit_qualification might be ++ * out of date if it is serving an EPT misconfiguration. + * [5:3] - Calculated by the page walk of the guest EPT page tables + * [7:8] - Derived from [7:8] of real exit_qualification + * + * The other bits are set to 0. + */ + if (!(errcode & PFERR_RSVD_MASK)) { +- vcpu->arch.exit_qualification &= 0x187; ++ vcpu->arch.exit_qualification &= 0x180; ++ if (write_fault) ++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_WRITE; ++ if (user_fault) ++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_READ; ++ if (fetch_fault) ++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_INSTR; + vcpu->arch.exit_qualification |= (pte_access & 0x7) << 3; + } + #endif +-- +2.35.3 + diff --git a/patches.suse/KVM-x86-avoid-misreporting-level-triggered-irqs-as-e.patch b/patches.suse/KVM-x86-avoid-misreporting-level-triggered-irqs-as-e.patch new file mode 100644 index 0000000..22ab451 --- /dev/null +++ b/patches.suse/KVM-x86-avoid-misreporting-level-triggered-irqs-as-e.patch 
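Review bot: In the rewritten block in walk_addr_generic, `user_fault` sets `EPT_VIOLATION_ACC_READ`, which reads like a mistake unless one already knows how a read access is represented in this page walk. A one-line comment would stop a well-meant "correction", for example `/* in an EPT walk a read access is reported through user_fault */`; that is my reading of the intent and should be confirmed where the fault flags are built, which is outside the hunk. The bare mask `0x180` keeps bits 7 and 8 according to the comment above it, and a named constant next to the `EPT_VIOLATION_ACC_*` names would make the three lines easier to audit. The comment also writes that range as `[7:8]` while the other two ranges are high:low.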
@@ -0,0 +1,51 @@
+Patch-mainline: v5.1-rc6
+Git-commit: 7a223e06b1a411cef6c4cd7a9b9a33c8d225b10e
+References: git-fixes
+From: Vitaly Kuznetsov
+Date: Wed, 27 Mar 2019 15:12:20 +0100
+Subject: [PATCH] KVM: x86: avoid misreporting level-triggered irqs as
+ edge-triggered in tracing
+
+In __apic_accept_irq() interface trig_mode is int and actually on some code
+paths it is set above u8:
+
+kvm_apic_set_irq() extracts it from 'struct kvm_lapic_irq' where trig_mode
+is u16. This is done on purpose as e.g. kvm_set_msi_irq() sets it to
+(1 << 15) & e->msi.data
+
+kvm_apic_local_deliver sets it to reg & (1 << 15).
+
+Fix the immediate issue by making 'tm' into u16. We may also want to adjust
+__apic_accept_irq() interface and use proper sizes for vector, level,
+trig_mode but this is not urgent.
+
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/trace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
+index 6432d08c7de7..4d47a2631d1f 100644
+--- a/arch/x86/kvm/trace.h
++++ b/arch/x86/kvm/trace.h
+@@ -438,13 +438,13 @@ TRACE_EVENT(kvm_apic_ipi,
+ );
+
+ TRACE_EVENT(kvm_apic_accept_irq,
+- TP_PROTO(__u32 apicid, __u16 dm, __u8 tm, __u8 vec),
++ TP_PROTO(__u32 apicid, __u16 dm, __u16 tm, __u8 vec),
+ TP_ARGS(apicid, dm, tm, vec),
+
+ TP_STRUCT__entry(
+ __field( __u32, apicid )
+ __field( __u16, dm )
+- __field( __u8, tm )
++ __field( __u16, tm )
+ __field( __u8, vec )
+ ),
+
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-emulator-em_sysexit-should-update-ctxt-mode.patch b/patches.suse/KVM-x86-emulator-em_sysexit-should-update-ctxt-mode.patch
new file mode 100644
index 0000000..8eebcb5
--- /dev/null
+++ b/patches.suse/KVM-x86-emulator-em_sysexit-should-update-ctxt-mode.patch
@@ -0,0 +1,39 @@
+Patch-mainline: v6.1-rc4
+Git-commit: 5015bb89b58225f97df6ac44383e7e8c8662c8c9
+References: git-fixes
+From: Maxim Levitsky
+Date: Tue, 25 Oct 2022 15:47:28 +0300
+Subject: [PATCH] KVM: x86: emulator: em_sysexit should update ctxt->mode
+
+SYSEXIT is one of the instructions that can change the
+processor mode, thus ctxt->mode should be updated after it.
+
+Note that this is likely a benign bug, because the only problematic
+mode change is from 32 bit to 64 bit which can lead to truncation of RIP,
+and it is not possible to do with sysexit,
+since sysexit running in 32 bit mode will be limited to 32 bit version.
+
+Signed-off-by: Maxim Levitsky
+Message-Id: <20221025124741.228045-11-mlevitsk@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/emulate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 3b27622d4642..261732957431 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2876,6 +2876,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+ ctxt->_eip = rdx;
++ ctxt->mode = usermode;
+ *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
+
+ return X86EMUL_CONTINUE;
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-emulator-introduce-emulator_recalc_and_set_m.patch b/patches.suse/KVM-x86-emulator-introduce-emulator_recalc_and_set_m.patch
new file mode 100644
index 0000000..3eff6de
--- /dev/null
+++ b/patches.suse/KVM-x86-emulator-introduce-emulator_recalc_and_set_m.patch
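Review bot: The added `ctxt->mode = usermode;` in em_sysexit() has no comment saying why the emulator's mode has to follow the instruction, although the commit message ties a stale mode to RIP truncation. I would put `/* SYSEXIT can change the CPU mode; keep ctxt->mode in step with the segments just loaded */` above it. `usermode` is assigned earlier in em_sysexit(), outside this hunk, so whether it is set on every path that reaches this line cannot be checked from here.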
@@ -0,0 +1,166 @@ +Patch-mainline: v6.1-rc4 +Git-commit: d087e0f79fa0dd336a9a6b2f79ec23120f5eff73 +References: git-fixes +From: Maxim Levitsky +Date: Tue, 25 Oct 2022 15:47:29 +0300 +Subject: [PATCH] KVM: x86: emulator: introduce emulator_recalc_and_set_mode + +Some instructions update the cpu execution mode, which needs to update the +emulation mode. + +Extract this code, and make assign_eip_far use it. + +assign_eip_far now reads CS, instead of getting it via a parameter, +which is ok, because callers always assign CS to the same value +before calling this function. + +No functional change is intended. + +Signed-off-by: Maxim Levitsky +Message-Id: <20221025124741.228045-12-mlevitsk@redhat.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/emulate.c | 85 ++++++++++++++++++++++++++++-------------- + 1 file changed, 57 insertions(+), 28 deletions(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 261732957431..e5522a23d985 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -791,8 +791,7 @@ static int linearize(struct x86_emulate_ctxt *ctxt, + ctxt->mode, linear); + } + +-static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst, +- enum x86emul_mode mode) ++static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst) + { + ulong linear; + int rc; +@@ -802,41 +801,71 @@ static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst, + + if (ctxt->op_bytes != sizeof(unsigned long)) + addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1); +- rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear); ++ rc = __linearize(ctxt, addr, &max_size, 1, false, true, ctxt->mode, &linear); + if (rc == X86EMUL_CONTINUE) + ctxt->_eip = addr.ea; + return rc; + } + ++static inline int emulator_recalc_and_set_mode(struct x86_emulate_ctxt *ctxt) ++{ ++ u64 efer; ++ struct desc_struct cs; ++ u16 selector; ++ u32 base3; ++ ++ 
ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); ++ ++ if (!(ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PE)) { ++ /* Real mode. cpu must not have long mode active */ ++ if (efer & EFER_LMA) ++ return X86EMUL_UNHANDLEABLE; ++ ctxt->mode = X86EMUL_MODE_REAL; ++ return X86EMUL_CONTINUE; ++ } ++ ++ if (ctxt->eflags & X86_EFLAGS_VM) { ++ /* Protected/VM86 mode. cpu must not have long mode active */ ++ if (efer & EFER_LMA) ++ return X86EMUL_UNHANDLEABLE; ++ ctxt->mode = X86EMUL_MODE_VM86; ++ return X86EMUL_CONTINUE; ++ } ++ ++ if (!ctxt->ops->get_segment(ctxt, &selector, &cs, &base3, VCPU_SREG_CS)) ++ return X86EMUL_UNHANDLEABLE; ++ ++ if (efer & EFER_LMA) { ++ if (cs.l) { ++ /* Proper long mode */ ++ ctxt->mode = X86EMUL_MODE_PROT64; ++ } else if (cs.d) { ++ /* 32 bit compatibility mode*/ ++ ctxt->mode = X86EMUL_MODE_PROT32; ++ } else { ++ ctxt->mode = X86EMUL_MODE_PROT16; ++ } ++ } else { ++ /* Legacy 32 bit / 16 bit mode */ ++ ctxt->mode = cs.d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16; ++ } ++ ++ return X86EMUL_CONTINUE; ++} ++ + static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) + { +- return assign_eip(ctxt, dst, ctxt->mode); ++ return assign_eip(ctxt, dst); + } + +-static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst, +- const struct desc_struct *cs_desc) ++static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst) + { +- enum x86emul_mode mode = ctxt->mode; +- int rc; ++ int rc = emulator_recalc_and_set_mode(ctxt); + +-#ifdef CONFIG_X86_64 +- if (ctxt->mode >= X86EMUL_MODE_PROT16) { +- if (cs_desc->l) { +- u64 efer = 0; ++ if (rc != X86EMUL_CONTINUE) ++ return rc; + +- ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); +- if (efer & EFER_LMA) +- mode = X86EMUL_MODE_PROT64; +- } else +- mode = X86EMUL_MODE_PROT32; /* temporary value */ +- } +-#endif +- if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32) +- mode = cs_desc->d ? 
X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16; +- rc = assign_eip(ctxt, dst, mode); +- if (rc == X86EMUL_CONTINUE) +- ctxt->mode = mode; +- return rc; ++ return assign_eip(ctxt, dst); + } + + static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) +@@ -2172,7 +2201,7 @@ static int em_jmp_far(struct x86_emulate_ctxt *ctxt) + if (rc != X86EMUL_CONTINUE) + return rc; + +- rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc); ++ rc = assign_eip_far(ctxt, ctxt->src.val); + /* Error handling is not implemented. */ + if (rc != X86EMUL_CONTINUE) + return X86EMUL_UNHANDLEABLE; +@@ -2250,7 +2279,7 @@ static int em_ret_far(struct x86_emulate_ctxt *ctxt) + &new_desc); + if (rc != X86EMUL_CONTINUE) + return rc; +- rc = assign_eip_far(ctxt, eip, &new_desc); ++ rc = assign_eip_far(ctxt, eip); + /* Error handling is not implemented. */ + if (rc != X86EMUL_CONTINUE) + return X86EMUL_UNHANDLEABLE; +@@ -3470,7 +3499,7 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt) + if (rc != X86EMUL_CONTINUE) + return rc; + +- rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc); ++ rc = assign_eip_far(ctxt, ctxt->src.val); + if (rc != X86EMUL_CONTINUE) + goto fail; + +-- +2.35.3 + diff --git a/patches.suse/KVM-x86-emulator-update-the-emulation-mode-after-CR0.patch b/patches.suse/KVM-x86-emulator-update-the-emulation-mode-after-CR0.patch new file mode 100644 index 0000000..151a14d --- /dev/null +++ b/patches.suse/KVM-x86-emulator-update-the-emulation-mode-after-CR0.patch 
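Review bot: `emulator_recalc_and_set_mode()` declares `u64 efer;` without an initializer and ignores the result of `ctxt->ops->get_msr()`, so if that callback ever fails the `efer & EFER_LMA` tests read an indeterminate stack value; the code removed from assign_eip_far() used `u64 efer = 0;`. Keeping `u64 efer = 0;` preserves the old fallback at no cost. Separately, assign_eip_far() now stores the recalculated `ctxt->mode` before `assign_eip()` runs, whereas the removed code committed the mode only when `assign_eip()` returned X86EMUL_CONTINUE, so a failed far transfer appears to leave the new mode in place. If that is intended it deserves a comment, since the description says no functional change is intended.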
@@ -0,0 +1,58 @@
+Patch-mainline: v6.1-rc4
+Git-commit: ad8f9e69942c7db90758d9d774157e53bce94840
+References: git-fixes
+From: Maxim Levitsky
+Date: Tue, 25 Oct 2022 15:47:31 +0300
+Subject: [PATCH] KVM: x86: emulator: update the emulation mode after CR0 write
+
+Update the emulation mode when handling writes to CR0, because
+toggling CR0.PE switches between Real and Protected Mode, and toggling
+CR0.PG when EFER.LME=1 switches between Long and Protected Mode.
+
+This is likely a benign bug because there is no writeback of state,
+other than the RIP increment, and when toggling CR0.PE, the CPU has
+to execute code from a very low memory address.
+
+Signed-off-by: Maxim Levitsky
+Message-Id: <20221025124741.228045-14-mlevitsk@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/emulate.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 33385ebae100..2954c046740b 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -3641,11 +3641,25 @@ static int em_movbe(struct x86_emulate_ctxt *ctxt)
+
+ static int em_cr_write(struct x86_emulate_ctxt *ctxt)
+ {
+- if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
++ int cr_num = ctxt->modrm_reg;
++ int r;
++
++ if (ctxt->ops->set_cr(ctxt, cr_num, ctxt->src.val))
+ return emulate_gp(ctxt, 0);
+
+ /* Disable writeback. */
+ ctxt->dst.type = OP_NONE;
++
++ if (cr_num == 0) {
++ /*
++ * CR0 write might have updated CR0.PE and/or CR0.PG
++ * which can affect the cpu's execution mode.
++ */
++ r = emulator_recalc_and_set_mode(ctxt);
++ if (r != X86EMUL_CONTINUE)
++ return r;
++ }
++
+ return X86EMUL_CONTINUE;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-fix-empty-body-warnings.patch b/patches.suse/KVM-x86-fix-empty-body-warnings.patch
new file mode 100644
index 0000000..b32cb68
--- /dev/null
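Review bot: When `emulator_recalc_and_set_mode()` fails in em_cr_write(), `set_cr()` has already succeeded, so `return r;` reports the instruction as unhandled after the guest's CR0 has been changed. Judging by the helper introduced in the preceding patch, that happens when EFER.LMA is still set with CR0.PE clear or EFLAGS.VM set, or when reading CS fails. If leaving the write in place is the intended policy, a comment at the `return r;` such as `/* CR0 is already written; the failure is not rolled back */` would stop a later reader from assuming emulator state is untouched on error.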
+++ b/patches.suse/KVM-x86-fix-empty-body-warnings.patch
@@ -0,0 +1,43 @@
+Patch-mainline: v4.20-rc5
+Git-commit: 354cb410d87314e2eda344feea84809e4261570a
+References: git-fixes
+From: Yi Wang
+Date: Thu, 8 Nov 2018 16:48:36 +0800
+Subject: [PATCH] KVM: x86: fix empty-body warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We get the following warnings about empty statements when building
+with 'W=1':
+
+arch/x86/kvm/lapic.c:632:53: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1907:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1936:65: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1975:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+
+Rework the debug helper macro to get rid of these warnings.
+
+Signed-off-by: Yi Wang
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/lapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 02f2291dcf7e..c4533d05c214 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -55,7 +55,7 @@
+ #define PRIo64 "o"
+
+ /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
+-#define apic_debug(fmt, arg...)
++#define apic_debug(fmt, arg...) do {} while (0)
+
+ /* 14 is the version for Xeon and Pentium 8.4.8*/
+ #define APIC_VERSION (0x14UL | ((KVM_APIC_LVT_NUM - 1) << 16))
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-fix-incorrect-comparison-in-trace-event.patch b/patches.suse/KVM-x86-fix-incorrect-comparison-in-trace-event.patch
new file mode 100644
index 0000000..b301526
--- /dev/null
+++ b/patches.suse/KVM-x86-fix-incorrect-comparison-in-trace-event.patch
@@ -0,0 +1,32 @@
+Patch-mainline: v5.6-rc4
+Git-commit: 147f1a1fe5d7e6b01b8df4d0cbd6f9eaf6b6c73b
+References: git-fixes
+From: Paolo Bonzini
+Date: Thu, 13 Feb 2020 18:24:48 +0100
+Subject: [PATCH] KVM: x86: fix incorrect comparison in trace event
+
+The "u" field in the event has three states, -1/0/1. Using u8 however means that
+comparison with -1 will always fail, so change to signed char.
+
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/mmutrace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/mmutrace.h b/arch/x86/kvm/mmutrace.h
+index 3c6522b84ff1..ffcd96fc02d0 100644
+--- a/arch/x86/kvm/mmutrace.h
++++ b/arch/x86/kvm/mmutrace.h
+@@ -339,7 +339,7 @@ TRACE_EVENT(
+ /* These depend on page entry type, so compute them now. */
+ __field(bool, r)
+ __field(bool, x)
+- __field(u8, u)
++ __field(signed char, u)
+ ),
+
+ TP_fast_assign(
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-unsupport.patch b/patches.suse/KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-unsupport.patch
new file mode 100644
index 0000000..a64cf7a
--- /dev/null
+++ b/patches.suse/KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-unsupport.patch
@@ -0,0 +1,45 @@
+Patch-mainline: v5.0-rc1
+Git-commit: e87555e550cef4941579cd879759a7c0dee24e68
+References: git-fixes
+From: Vitaly Kuznetsov
+Date: Wed, 19 Dec 2018 12:06:13 +0100
+Subject: [PATCH] KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AMD doesn't seem to implement MSR_IA32_MCG_EXT_CTL and svm code in kvm
+knows nothing about it, however, this MSR is among emulated_msrs and
+thus returned with KVM_GET_MSR_INDEX_LIST. The consequent KVM_GET_MSRS,
+of course, fails.
+
+Report the MSR as unsupported to not confuse userspace.
+
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: Radim Krčmář
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/svm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index e4f18a305ef6..c4377f02a33b 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -5840,6 +5840,13 @@ static bool svm_cpu_has_accelerated_tpr(void)
+
+ static bool svm_has_emulated_msr(int index)
+ {
++ switch (index) {
++ case MSR_IA32_MCG_EXT_CTL:
++ return false;
++ default:
++ break;
++ }
++
+ return true;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/PCI-Add-ACS-quirks-for-Cavium-multi-function-devices.patch b/patches.suse/PCI-Add-ACS-quirks-for-Cavium-multi-function-devices.patch
new file mode 100644
index 0000000..3bbb34b
--- /dev/null
+++ b/patches.suse/PCI-Add-ACS-quirks-for-Cavium-multi-function-devices.patch
@@ -0,0 +1,37 @@
+From: George Cherian
+Date: Tue, 10 Aug 2021 17:54:25 +0530
+Subject: PCI: Add ACS quirks for Cavium multi-function devices
+Git-commit: 32837d8a8f63eb95dcb9cd005524a27f06478832
+Patch-mainline: 5.15-rc1
+References: git-fixes
+
+Some Cavium endpoints are implemented as multi-function devices without ACS
+capability, but they actually don't support peer-to-peer transactions.
+
+Add ACS quirks to declare DMA isolation for the following devices:
+
+ - BGX device found on Octeon-TX (8xxx)
+ - CGX device found on Octeon-TX2 (9xxx)
+ - RPM device found on Octeon-TX3 (10xxx)
+
+Link: https://lore.kernel.org/r/20210810122425.1115156-1-george.cherian@marvell.com
+Signed-off-by: George Cherian
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Jiri Slaby
+---
+ drivers/pci/quirks.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4910,6 +4910,10 @@ static const struct pci_dev_acs_enabled
+ { 0x10df, 0x720, pci_quirk_mf_endpoint_acs }, /* Emulex Skyhawk-R */
+ /* Cavium ThunderX */
+ { PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
++ /* Cavium multi-function devices */
++ { PCI_VENDOR_ID_CAVIUM, 0xA026, pci_quirk_mf_endpoint_acs },
++ { PCI_VENDOR_ID_CAVIUM, 0xA059, pci_quirk_mf_endpoint_acs },
++ { PCI_VENDOR_ID_CAVIUM, 0xA060, pci_quirk_mf_endpoint_acs },
+ /* APM X-Gene */
+ { PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
+ /* Ampere Computing */
diff --git a/patches.suse/PCI-Call-Max-Payload-Size-related-fixup-quirks-early.patch b/patches.suse/PCI-Call-Max-Payload-Size-related-fixup-quirks-early.patch
new file mode 100644
index 0000000..b5e5965
--- /dev/null
+++ b/patches.suse/PCI-Call-Max-Payload-Size-related-fixup-quirks-early.patch
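Review bot: The three device-specific Cavium entries sit after `{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs }`, which already matches every Cavium device, so they take effect only if the table walker moves on when that callback declines a device. The lookup code is outside the hunk, so this cannot be confirmed here. Because these entries declare DMA isolation for endpoints that lack an ACS capability, the ordering dependency is worth stating in the table, e.g. `/* reached only when pci_quirk_cavium_acs() does not claim the device */`. The array body starts and ends outside the hunk.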
@@ -0,0 +1,47 @@
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Thu, 24 Jun 2021 19:14:17 +0200
+Subject: PCI: Call Max Payload Size-related fixup quirks early
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: b8da302e2955fe4d41eb9d48199242674d77dbe0
+Patch-mainline: 5.15-rc1
+References: git-fixes
+
+pci_device_add() calls HEADER fixups after pci_configure_device(), which
+configures Max Payload Size.
+
+Convert MPS-related fixups to EARLY fixups so pci_configure_mps() takes
+them into account.
+
+Fixes: 27d868b5e6cfa ("PCI: Set MPS to match upstream bridge")
+Link: https://lore.kernel.org/r/20210624171418.27194-1-kabel@kernel.org
+Signed-off-by: Marek Behún
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Slaby
+---
+ drivers/pci/quirks.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3061,12 +3061,12 @@ static void fixup_mpss_256(struct pci_de
+ {
+ dev->pcie_mpss = 1; /* 256 bytes */
+ }
+-DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_SOLARFLARE,
+- PCI_DEVICE_ID_SOLARFLARE_SFC4000A_0, fixup_mpss_256);
+-DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_SOLARFLARE,
+- PCI_DEVICE_ID_SOLARFLARE_SFC4000A_1, fixup_mpss_256);
+-DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_SOLARFLARE,
+- PCI_DEVICE_ID_SOLARFLARE_SFC4000B, fixup_mpss_256);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SOLARFLARE,
++ PCI_DEVICE_ID_SOLARFLARE_SFC4000A_0, fixup_mpss_256);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SOLARFLARE,
++ PCI_DEVICE_ID_SOLARFLARE_SFC4000A_1, fixup_mpss_256);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SOLARFLARE,
++ PCI_DEVICE_ID_SOLARFLARE_SFC4000B, fixup_mpss_256);
+
+ /* Intel 5000 and 5100 Memory controllers have an errata with read completion
+ * coalescing (which is enabled by default on some BIOSes) and MPS of 256B.
diff --git a/patches.suse/PCI-Mark-Atheros-QCA6174-to-avoid-bus-reset.patch b/patches.suse/PCI-Mark-Atheros-QCA6174-to-avoid-bus-reset.patch
new file mode 100644
index 0000000..61c2ded
--- /dev/null
+++ b/patches.suse/PCI-Mark-Atheros-QCA6174-to-avoid-bus-reset.patch
@@ -0,0 +1,36 @@
+From: Ingmar Klein
+Date: Fri, 9 Apr 2021 11:26:33 +0200
+Subject: PCI: Mark Atheros QCA6174 to avoid bus reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: e3f4bd3462f6f796594ecc0dda7144ed2d1e5a26
+Patch-mainline: 5.16-rc1
+References: git-fixes
+
+When passing the Atheros QCA6174 through to a virtual machine, the VM hangs
+at the point where the ath10k driver loads.
+
+Add a quirk to avoid bus resets on this device, which avoids the hang.
+
+[bhelgaas: commit log]
+Link: https://lore.kernel.org/r/08982e05-b6e8-5a8d-24ab-da1488ee50a8@web.de
+Signed-off-by: Ingmar Klein
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Pali Rohár
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Slaby
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3443,6 +3443,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003e, quirk_no_bus_reset);
+
+ /*
+ * Root port on some Cavium CN8xxx chips do not successfully complete a bus
diff --git a/patches.suse/PCI-Restrict-ASMedia-ASM1062-SATA-Max-Payload-Size-S.patch b/patches.suse/PCI-Restrict-ASMedia-ASM1062-SATA-Max-Payload-Size-S.patch
new file mode 100644
index 0000000..4d61112
--- /dev/null
+++ b/patches.suse/PCI-Restrict-ASMedia-ASM1062-SATA-Max-Payload-Size-S.patch
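Review bot: The new `quirk_no_bus_reset` entry for device 0x003e is identified only by its raw ID, and nothing at the line records that it exists for the VM passthrough hang described in the commit message. With bus reset disabled, which reset method is still available for this device cannot be seen from the hunk; if none is, device state would carry over between guest assignments, so this is worth confirming before relying on it for passthrough. A trailing comment such as `/* QCA6174: bus reset hangs the guest when ath10k loads */` would document both the device and the reason.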
@@ -0,0 +1,50 @@
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Thu, 24 Jun 2021 19:14:18 +0200
+Subject: PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: b12d93e9958e028856cbcb061b6e64728ca07755
+Patch-mainline: 5.15-rc1
+References: git-fixes
+
+The ASMedia ASM1062 SATA controller advertises Max_Payload_Size_Supported
+of 512, but in fact it cannot handle incoming TLPs with payload size of
+512.
+
+We discovered this issue on PCIe controllers capable of MPS = 512 (Aardvark
+and DesignWare), where the issue presents itself as an External Abort.
+Bjorn Helgaas says:
+
+ Probably ASM1062 reports a Malformed TLP error when it receives a data
+ payload of 512 bytes, and Aardvark, DesignWare, etc convert this to an
+ arm64 External Abort. [1]
+
+To avoid this problem, limit the ASM1062 Max Payload Size Supported to 256
+bytes, so we set the Max Payload Size of devices that may send TLPs to the
+ASM1062 to 256 or less.
+
+[1] https://lore.kernel.org/linux-pci/20210601170907.GA1949035@bjorn-Precision-5520/
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212695
+Link: https://lore.kernel.org/r/20210624171418.27194-2-kabel@kernel.org
+Reported-by: Rötti
+Signed-off-by: Marek Behún
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Krzysztof Wilczyński
+Reviewed-by: Pali Rohár
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Slaby
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3067,6 +3067,7 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SO
+ PCI_DEVICE_ID_SOLARFLARE_SFC4000A_1, fixup_mpss_256);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SOLARFLARE,
+ PCI_DEVICE_ID_SOLARFLARE_SFC4000B, fixup_mpss_256);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_ASMEDIA, 0x0612, fixup_mpss_256);
+
+ /* Intel 5000 and 5100 Memory controllers have an errata with read completion
+ * coalescing (which is enabled by default on some BIOSes) and MPS of 256B.
diff --git a/patches.suse/PCI-Return-0-data-on-pciconfig_read-CAP_SYS_ADMIN-fa.patch b/patches.suse/PCI-Return-0-data-on-pciconfig_read-CAP_SYS_ADMIN-fa.patch
new file mode 100644
index 0000000..2a6b811
--- /dev/null
+++ b/patches.suse/PCI-Return-0-data-on-pciconfig_read-CAP_SYS_ADMIN-fa.patch
@@ -0,0 +1,54 @@
+From: =?UTF-8?q?Krzysztof=20Wilczy=C5=84ski?=
+Date: Thu, 29 Jul 2021 23:37:54 +0000
+Subject: PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: a8bd29bd49c4156ea0ec5a97812333e2aeef44e7
+Patch-mainline: 5.15-rc1
+References: git-fixes
+
+The pciconfig_read() syscall reads PCI configuration space using
+hardware-dependent config accessors.
+
+If the read fails on PCI, most accessors don't return an error; they
+pretend the read was successful and got ~0 data from the device, so the
+syscall returns success with ~0 data in the buffer.
+
+When the accessor does return an error, pciconfig_read() normally fills the
+user's buffer with ~0 and returns an error in errno. But after
+e4585da22ad0 ("pci syscall.c: Switch to refcounting API"), we don't fill
+the buffer with ~0 for the EPERM "user lacks CAP_SYS_ADMIN" error.
+
+Userspace may rely on the ~0 data to detect errors, but after e4585da22ad0,
+that would not detect CAP_SYS_ADMIN errors.
+
+Restore the original behaviour of filling the buffer with ~0 when the
+CAP_SYS_ADMIN check fails.
+
+[bhelgaas: commit log, fold in Nathan's fix
+https://lore.kernel.org/r/20210803200836.500658-1-nathan@kernel.org]
+Fixes: e4585da22ad0 ("pci syscall.c: Switch to refcounting API")
+Link: https://lore.kernel.org/r/20210729233755.1509616-1-kw@linux.com
+Signed-off-by: Krzysztof Wilczyński
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Slaby
+---
+ drivers/pci/syscall.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/syscall.c
++++ b/drivers/pci/syscall.c
+@@ -23,8 +23,10 @@ SYSCALL_DEFINE5(pciconfig_read, unsigned
+ long err;
+ int cfg_ret;
+
++ err = -EPERM;
++ dev = NULL;
+ if (!capable(CAP_SYS_ADMIN))
+- return -EPERM;
++ goto error;
+
+ err = -ENODEV;
+ dev = pci_get_bus_and_slot(bus, dfn);
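Review bot: The `goto error;` taken when `capable(CAP_SYS_ADMIN)` fails sends unprivileged callers through the shared error path, which lies outside this hunk and therefore has to cope with `dev == NULL` and with `len` and `buf` arguments that nothing has validated at that point. The explicit `dev = NULL;` suggests the label releases `dev`, but that is inferred rather than visible. A short comment would make the dependency explicit, e.g. `/* the error path drops dev and fills the user buffer with ~0; dev must be NULL until a device is looked up */`. SYSCALL_DEFINE5(pciconfig_read) begins before and continues after the hunk, so the label itself should be read against this new ordering.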
diff --git a/patches.suse/PCI-aardvark-Configure-PCIe-resources-from-ranges-DT.patch b/patches.suse/PCI-aardvark-Configure-PCIe-resources-from-ranges-DT.patch
new file mode 100644
index 0000000..b8358c9
--- /dev/null
+++ b/patches.suse/PCI-aardvark-Configure-PCIe-resources-from-ranges-DT.patch
@@ -0,0 +1,297 @@ +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 24 Jun 2021 23:55:45 +0200 +Subject: PCI: aardvark: Configure PCIe resources from 'ranges' DT property +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 64f160e19e9264a7f6d89c516baae1473b6f8359 +Patch-mainline: 5.15-rc1 +References: git-fixes + +In commit 6df6ba974a55 ("PCI: aardvark: Remove PCIe outbound window +configuration") was removed aardvark PCIe outbound window configuration and +commit description said that was recommended solution by HW designers. + +But that commit completely removed support for configuring PCIe IO +resources without removing PCIe IO 'ranges' from DTS files. After that +commit PCIe IO space started to be treated as PCIe MEM space and accessing +it just caused kernel crash. + +Moreover implementation of PCIe outbound windows prior that commit was +incorrect. It completely ignored offset between CPU address and PCIe bus +address and expected that in DTS is CPU address always same as PCIe bus +address without doing any checks. Also it completely ignored size of every +PCIe resource specified in 'ranges' DTS property and expected that every +PCIe resource has size 128 MB (also for PCIe IO range). Again without any +check. Apparently none of PCIe resource has in DTS specified size of 128 +MB. So it was completely broken and thanks to how aardvark mask works, +configuration was completely ignored. + +This patch reverts back support for PCIe outbound window configuration but +implementation is a new without issues mentioned above. PCIe outbound +window is required when DTS specify in 'ranges' property non-zero offset +between CPU and PCIe address space. To address recommendation by HW +designers as specified in commit description of 6df6ba974a55, set default +outbound parameters as PCIe MEM access without translation and therefore +for this PCIe 'ranges' it is not needed to configure PCIe outbound window. 
+For PCIe IO space is needed to configure aardvark PCIe outbound window. + +This patch fixes kernel crash when trying to access PCIe IO space. + +[js] no .remove + +Link: https://lore.kernel.org/r/20210624215546.4015-2-pali@kernel.org +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org # 6df6ba974a55 ("PCI: aardvark: Remove PCIe outbound window configuration") +Signed-off-by: Jiri Slaby +--- + drivers/pci/host/pci-aardvark.c | 190 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 189 insertions(+), 1 deletion(-) + +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -114,6 +114,46 @@ + #define PCIE_MSI_MASK_REG (CONTROL_BASE_ADDR + 0x5C) + #define PCIE_MSI_PAYLOAD_REG (CONTROL_BASE_ADDR + 0x9C) + ++/* PCIe window configuration */ ++#define OB_WIN_BASE_ADDR 0x4c00 ++#define OB_WIN_BLOCK_SIZE 0x20 ++#define OB_WIN_COUNT 8 ++#define OB_WIN_REG_ADDR(win, offset) (OB_WIN_BASE_ADDR + \ ++ OB_WIN_BLOCK_SIZE * (win) + \ ++ (offset)) ++#define OB_WIN_MATCH_LS(win) OB_WIN_REG_ADDR(win, 0x00) ++#define OB_WIN_ENABLE BIT(0) ++#define OB_WIN_MATCH_MS(win) OB_WIN_REG_ADDR(win, 0x04) ++#define OB_WIN_REMAP_LS(win) OB_WIN_REG_ADDR(win, 0x08) ++#define OB_WIN_REMAP_MS(win) OB_WIN_REG_ADDR(win, 0x0c) ++#define OB_WIN_MASK_LS(win) OB_WIN_REG_ADDR(win, 0x10) ++#define OB_WIN_MASK_MS(win) OB_WIN_REG_ADDR(win, 0x14) ++#define OB_WIN_ACTIONS(win) OB_WIN_REG_ADDR(win, 0x18) ++#define OB_WIN_DEFAULT_ACTIONS (OB_WIN_ACTIONS(OB_WIN_COUNT-1) + 0x4) ++#define OB_WIN_FUNC_NUM_MASK GENMASK(31, 24) ++#define OB_WIN_FUNC_NUM_SHIFT 24 ++#define OB_WIN_FUNC_NUM_ENABLE BIT(23) ++#define OB_WIN_BUS_NUM_BITS_MASK GENMASK(22, 20) ++#define OB_WIN_BUS_NUM_BITS_SHIFT 20 ++#define OB_WIN_MSG_CODE_ENABLE BIT(22) ++#define OB_WIN_MSG_CODE_MASK GENMASK(21, 14) ++#define OB_WIN_MSG_CODE_SHIFT 14 ++#define OB_WIN_MSG_PAYLOAD_LEN BIT(12) ++#define OB_WIN_ATTR_ENABLE BIT(11) ++#define OB_WIN_ATTR_TC_MASK GENMASK(10, 8) ++#define 
OB_WIN_ATTR_TC_SHIFT 8 ++#define OB_WIN_ATTR_RELAXED BIT(7) ++#define OB_WIN_ATTR_NOSNOOP BIT(6) ++#define OB_WIN_ATTR_POISON BIT(5) ++#define OB_WIN_ATTR_IDO BIT(4) ++#define OB_WIN_TYPE_MASK GENMASK(3, 0) ++#define OB_WIN_TYPE_SHIFT 0 ++#define OB_WIN_TYPE_MEM 0x0 ++#define OB_WIN_TYPE_IO 0x4 ++#define OB_WIN_TYPE_CONFIG_TYPE0 0x8 ++#define OB_WIN_TYPE_CONFIG_TYPE1 0x9 ++#define OB_WIN_TYPE_MSG 0xc ++ + /* LMI registers base address and register offsets */ + #define LMI_BASE_ADDR 0x6000 + #define CFG_REG (LMI_BASE_ADDR + 0x0) +@@ -182,6 +222,13 @@ struct advk_pcie { + struct platform_device *pdev; + void __iomem *base; + struct list_head resources; ++ struct { ++ phys_addr_t match; ++ phys_addr_t remap; ++ phys_addr_t mask; ++ u32 actions; ++ } wins[OB_WIN_COUNT]; ++ u8 wins_count; + struct irq_domain *irq_domain; + struct irq_chip irq_chip; + struct irq_domain *msi_domain; +@@ -309,9 +356,39 @@ err: + dev_err(dev, "link never came up\n"); + } + ++/* ++ * Set PCIe address window register which could be used for memory ++ * mapping. 
++ */ ++static void advk_pcie_set_ob_win(struct advk_pcie *pcie, u8 win_num, ++ phys_addr_t match, phys_addr_t remap, ++ phys_addr_t mask, u32 actions) ++{ ++ advk_writel(pcie, OB_WIN_ENABLE | ++ lower_32_bits(match), OB_WIN_MATCH_LS(win_num)); ++ advk_writel(pcie, upper_32_bits(match), OB_WIN_MATCH_MS(win_num)); ++ advk_writel(pcie, lower_32_bits(remap), OB_WIN_REMAP_LS(win_num)); ++ advk_writel(pcie, upper_32_bits(remap), OB_WIN_REMAP_MS(win_num)); ++ advk_writel(pcie, lower_32_bits(mask), OB_WIN_MASK_LS(win_num)); ++ advk_writel(pcie, upper_32_bits(mask), OB_WIN_MASK_MS(win_num)); ++ advk_writel(pcie, actions, OB_WIN_ACTIONS(win_num)); ++} ++ ++static void advk_pcie_disable_ob_win(struct advk_pcie *pcie, u8 win_num) ++{ ++ advk_writel(pcie, 0, OB_WIN_MATCH_LS(win_num)); ++ advk_writel(pcie, 0, OB_WIN_MATCH_MS(win_num)); ++ advk_writel(pcie, 0, OB_WIN_REMAP_LS(win_num)); ++ advk_writel(pcie, 0, OB_WIN_REMAP_MS(win_num)); ++ advk_writel(pcie, 0, OB_WIN_MASK_LS(win_num)); ++ advk_writel(pcie, 0, OB_WIN_MASK_MS(win_num)); ++ advk_writel(pcie, 0, OB_WIN_ACTIONS(win_num)); ++} ++ + static void advk_pcie_setup_hw(struct advk_pcie *pcie) + { + u32 reg; ++ int i; + + /* Set to Direct mode */ + reg = advk_readl(pcie, CTRL_CONFIG_REG); +@@ -374,16 +451,52 @@ static void advk_pcie_setup_hw(struct ad + reg = PCIE_IRQ_ALL_MASK & (~PCIE_IRQ_ENABLE_INTS_MASK); + advk_writel(pcie, reg, HOST_CTRL_INT_MASK_REG); + ++ /* ++ * Enable AXI address window location generation: ++ * When it is enabled, the default outbound window ++ * configurations (Default User Field: 0xD0074CFC) ++ * are used to transparent address translation for ++ * the outbound transactions. Thus, PCIe address ++ * windows are not required for transparent memory ++ * access when default outbound window configuration ++ * is set for memory access. 
++ */ + reg = advk_readl(pcie, PCIE_CORE_CTRL2_REG); + reg |= PCIE_CORE_CTRL2_OB_WIN_ENABLE; + advk_writel(pcie, reg, PCIE_CORE_CTRL2_REG); + +- /* Bypass the address window mapping for PIO */ ++ /* ++ * Set memory access in Default User Field so it ++ * is not required to configure PCIe address for ++ * transparent memory access. ++ */ ++ advk_writel(pcie, OB_WIN_TYPE_MEM, OB_WIN_DEFAULT_ACTIONS); ++ ++ /* ++ * Bypass the address window mapping for PIO: ++ * Since PIO access already contains all required ++ * info over AXI interface by PIO registers, the ++ * address window is not required. ++ */ + reg = advk_readl(pcie, PIO_CTRL); + reg |= PIO_CTRL_ADDR_WIN_DISABLE; + advk_writel(pcie, reg, PIO_CTRL); + + /* ++ * Configure PCIe address windows for non-memory or ++ * non-transparent access as by default PCIe uses ++ * transparent memory access. ++ */ ++ for (i = 0; i < pcie->wins_count; i++) ++ advk_pcie_set_ob_win(pcie, i, ++ pcie->wins[i].match, pcie->wins[i].remap, ++ pcie->wins[i].mask, pcie->wins[i].actions); ++ ++ /* Disable remaining PCIe outbound windows */ ++ for (i = pcie->wins_count; i < OB_WIN_COUNT; i++) ++ advk_pcie_disable_ob_win(pcie, i); ++ ++ /* + * PERST# signal could have been asserted by pinctrl subsystem before + * probe() callback has been called, making the endpoint going into + * fundamental reset. 
As required by PCI Express spec a delay for at +@@ -1000,6 +1113,7 @@ static int advk_pcie_probe(struct platfo + struct resource *res; + struct pci_bus *bus, *child; + struct pci_host_bridge *bridge; ++ struct resource_entry *entry; + int ret, irq; + + bridge = devm_pci_alloc_host_bridge(dev, sizeof(struct advk_pcie)); +@@ -1009,6 +1123,80 @@ static int advk_pcie_probe(struct platfo + pcie = pci_host_bridge_priv(bridge); + pcie->pdev = pdev; + ++ resource_list_for_each_entry(entry, &bridge->windows) { ++ resource_size_t start = entry->res->start; ++ resource_size_t size = resource_size(entry->res); ++ unsigned long type = resource_type(entry->res); ++ u64 win_size; ++ ++ /* ++ * Aardvark hardware allows to configure also PCIe window ++ * for config type 0 and type 1 mapping, but driver uses ++ * only PIO for issuing configuration transfers which does ++ * not use PCIe window configuration. ++ */ ++ if (type != IORESOURCE_MEM && type != IORESOURCE_MEM_64 && ++ type != IORESOURCE_IO) ++ continue; ++ ++ /* ++ * Skip transparent memory resources. Default outbound access ++ * configuration is set to transparent memory access so it ++ * does not need window configuration. ++ */ ++ if ((type == IORESOURCE_MEM || type == IORESOURCE_MEM_64) && ++ entry->offset == 0) ++ continue; ++ ++ /* ++ * The n-th PCIe window is configured by tuple (match, remap, mask) ++ * and an access to address A uses this window if A matches the ++ * match with given mask. ++ * So every PCIe window size must be a power of two and every start ++ * address must be aligned to window size. Minimal size is 64 KiB ++ * because lower 16 bits of mask must be zero. Remapped address ++ * may have set only bits from the mask. ++ */ ++ while (pcie->wins_count < OB_WIN_COUNT && size > 0) { ++ /* Calculate the largest aligned window size */ ++ win_size = (1ULL << (fls64(size)-1)) | ++ (start ? 
(1ULL << __ffs64(start)) : 0); ++ win_size = 1ULL << __ffs64(win_size); ++ if (win_size < 0x10000) ++ break; ++ ++ dev_dbg(dev, ++ "Configuring PCIe window %d: [0x%llx-0x%llx] as %lu\n", ++ pcie->wins_count, (unsigned long long)start, ++ (unsigned long long)start + win_size, type); ++ ++ if (type == IORESOURCE_IO) { ++ pcie->wins[pcie->wins_count].actions = OB_WIN_TYPE_IO; ++ pcie->wins[pcie->wins_count].match = pci_pio_to_address(start); ++ } else { ++ pcie->wins[pcie->wins_count].actions = OB_WIN_TYPE_MEM; ++ pcie->wins[pcie->wins_count].match = start; ++ } ++ pcie->wins[pcie->wins_count].remap = start - entry->offset; ++ pcie->wins[pcie->wins_count].mask = ~(win_size - 1); ++ ++ if (pcie->wins[pcie->wins_count].remap & (win_size - 1)) ++ break; ++ ++ start += win_size; ++ size -= win_size; ++ pcie->wins_count++; ++ } ++ ++ if (size > 0) { ++ dev_err(&pcie->pdev->dev, ++ "Invalid PCIe region [0x%llx-0x%llx]\n", ++ (unsigned long long)entry->res->start, ++ (unsigned long long)entry->res->end + 1); ++ return -EINVAL; ++ } ++ } ++ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + pcie->base = devm_ioremap_resource(dev, res); + if (IS_ERR(pcie->base)) diff --git a/patches.suse/PCI-aardvark-Fix-PCIe-Max-Payload-Size-setting.patch b/patches.suse/PCI-aardvark-Fix-PCIe-Max-Payload-Size-setting.patch new file mode 100644 index 0000000..ab9c299 --- /dev/null +++ b/patches.suse/PCI-aardvark-Fix-PCIe-Max-Payload-Size-setting.patch 
@@ -0,0 +1,48 @@
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?=
+Date: Tue, 5 Oct 2021 20:09:41 +0200
+Subject: PCI: aardvark: Fix PCIe Max Payload Size setting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: a4e17d65dafdd3513042d8f00404c9b6068a825c
+Patch-mainline: 5.16-rc1
+References: git-fixes
+
+Change PCIe Max Payload Size setting in PCIe Device Control register to 512
+bytes to align with PCIe Link Initialization sequence as defined in Marvell
+Armada 3700 Functional Specification. According to the specification,
+maximal Max Payload Size supported by this device is 512 bytes.
+
+Without this kernel prints suspicious line:
+
+ pci 0000:01:00.0: Upstream bridge's Max Payload Size set to 256 (was 16384, max 512)
+
+With this change it changes to:
+
+ pci 0000:01:00.0: Upstream bridge's Max Payload Size set to 256 (was 512, max 512)
+
+[js] 4.12 uses old macros, so use 2 instead of 7 (0xe0 -> 0x40)
+
+Link: https://lore.kernel.org/r/20211005180952.6812-3-kabel@kernel.org
+Fixes: 8c39d710363c ("PCI: aardvark: Add Aardvark PCI host controller driver")
+Signed-off-by: Pali Rohár
+Signed-off-by: Marek Behún
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Marek Behún
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Slaby
+---
+ drivers/pci/host/pci-aardvark.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/host/pci-aardvark.c
++++ b/drivers/pci/host/pci-aardvark.c
+@@ -411,7 +411,7 @@ static void advk_pcie_setup_hw(struct ad
+
+ /* Set PCIe Device Control and Status 1 PF0 register */
+ reg = PCIE_CORE_DEV_CTRL_STATS_RELAX_ORDER_DISABLE |
+- (7 << PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT) |
++ (2 << PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT) |
+ PCIE_CORE_DEV_CTRL_STATS_SNOOP_DISABLE |
+ (PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SZ <<
+ PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SIZE_SHIFT);
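Review bot: The literal `2` in `(2 << PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT)` is an unexplained field encoding; only the `[js]` line in the description records why it differs from the upstream value. A trailing comment on that line, for example `/* MPS encoding 2 = 512 bytes */`, would let a reader check the register value against the 512-byte limit the description cites without leaving the file. advk_pcie_setup_hw() starts and ends outside the hunk.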
diff --git a/patches.suse/PCI-aardvark-Fix-checking-for-PIO-status.patch b/patches.suse/PCI-aardvark-Fix-checking-for-PIO-status.patch
new file mode 100644
index 0000000..a727028
--- /dev/null
+++ b/patches.suse/PCI-aardvark-Fix-checking-for-PIO-status.patch
@@ -0,0 +1,160 @@ +From: Evan Wang +Date: Thu, 22 Jul 2021 16:40:38 +0200 +Subject: PCI: aardvark: Fix checking for PIO status +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: fcb461e2bc8b83b7eaca20cb2221e8b940f2189c +Patch-mainline: 5.15-rc1 +References: git-fixes + +There is an issue that when PCIe switch is connected to an Armada 3700 +board, there will be lots of warnings about PIO errors when reading the +config space. According to Aardvark PIO read and write sequence in HW +specification, the current way to check PIO status has the following +issues: + +1) For PIO read operation, it reports the error message, which should be + avoided according to HW specification. + +2) For PIO read and write operations, it only checks PIO operation complete + status, which is not enough, and error status should also be checked. + +This patch aligns the code with Aardvark PIO read and write sequence in HW +specification on PIO status check and fix the warnings when reading config +space. 
+ +[pali: Fix CRS handling when CRSSVE is not enabled] + +Link: https://lore.kernel.org/r/20210722144041.12661-2-pali@kernel.org +Tested-by: Victor Gu +Signed-off-by: Evan Wang +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Victor Gu +Reviewed-by: Marek Behún +Cc: stable@vger.kernel.org # b1bd5714472c ("PCI: aardvark: Indicate error in 'val' when config read fails") +Signed-off-by: Jiri Slaby +--- + drivers/pci/host/pci-aardvark.c | 62 ++++++++++++++++++++++++++++++++++------ + 1 file changed, 54 insertions(+), 8 deletions(-) + +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -57,6 +57,7 @@ + #define PIO_COMPLETION_STATUS_CRS 2 + #define PIO_COMPLETION_STATUS_CA 4 + #define PIO_NON_POSTED_REQ BIT(10) ++#define PIO_ERR_STATUS BIT(11) + #define PIO_ADDR_LS (PIO_BASE_ADDR + 0x8) + #define PIO_ADDR_MS (PIO_BASE_ADDR + 0xc) + #define PIO_WR_DATA (PIO_BASE_ADDR + 0x10) +@@ -399,7 +400,7 @@ static void advk_pcie_setup_hw(struct ad + advk_writel(pcie, reg, PCIE_CORE_CMD_STATUS_REG); + } + +-static void advk_pcie_check_pio_status(struct advk_pcie *pcie) ++static int advk_pcie_check_pio_status(struct advk_pcie *pcie, u32 *val) + { + struct device *dev = &pcie->pdev->dev; + u32 reg; +@@ -410,14 +411,49 @@ static void advk_pcie_check_pio_status(s + status = (reg & PIO_COMPLETION_STATUS_MASK) >> + PIO_COMPLETION_STATUS_SHIFT; + +- if (!status) +- return; +- ++ /* ++ * According to HW spec, the PIO status check sequence as below: ++ * 1) even if COMPLETION_STATUS(bit9:7) indicates successful, ++ * it still needs to check Error Status(bit11), only when this bit ++ * indicates no error happen, the operation is successful. ++ * 2) value Unsupported Request(1) of COMPLETION_STATUS(bit9:7) only ++ * means a PIO write error, and for PIO read it is successful with ++ * a read value of 0xFFFFFFFF. 
++ * 3) value Completion Retry Status(CRS) of COMPLETION_STATUS(bit9:7) ++ * only means a PIO write error, and for PIO read it is successful ++ * with a read value of 0xFFFF0001. ++ * 4) value Completer Abort (CA) of COMPLETION_STATUS(bit9:7) means ++ * error for both PIO read and PIO write operation. ++ * 5) other errors are indicated as 'unknown'. ++ */ + switch (status) { ++ case PIO_COMPLETION_STATUS_OK: ++ if (reg & PIO_ERR_STATUS) { ++ strcomp_status = "COMP_ERR"; ++ break; ++ } ++ /* Get the read result */ ++ if (val) ++ *val = advk_readl(pcie, PIO_RD_DATA); ++ /* No error */ ++ strcomp_status = NULL; ++ break; + case PIO_COMPLETION_STATUS_UR: + strcomp_status = "UR"; + break; + case PIO_COMPLETION_STATUS_CRS: ++ /* PCIe r4.0, sec 2.3.2, says: ++ * If CRS Software Visibility is not enabled, the Root Complex ++ * must re-issue the Configuration Request as a new Request. ++ * A Root Complex implementation may choose to limit the number ++ * of Configuration Request/CRS Completion Status loops before ++ * determining that something is wrong with the target of the ++ * Request and taking appropriate action, e.g., complete the ++ * Request to the host as a failed transaction. ++ * ++ * To simplify implementation do not re-issue the Configuration ++ * Request and complete the Request as a failed transaction. 
++ */ + strcomp_status = "CRS"; + break; + case PIO_COMPLETION_STATUS_CA: +@@ -428,6 +464,9 @@ static void advk_pcie_check_pio_status(s + break; + } + ++ if (!strcomp_status) ++ return 0; ++ + if (reg & PIO_NON_POSTED_REQ) + str_posted = "Non-posted"; + else +@@ -435,6 +474,8 @@ static void advk_pcie_check_pio_status(s + + dev_err(dev, "%s PIO Response Status: %s, %#x @ %#x\n", + str_posted, strcomp_status, reg, advk_readl(pcie, PIO_ADDR_LS)); ++ ++ return -EFAULT; + } + + static int advk_pcie_wait_pio(struct advk_pcie *pcie) +@@ -545,10 +586,13 @@ static int advk_pcie_rd_conf(struct pci_ + return PCIBIOS_SET_FAILED; + } + +- advk_pcie_check_pio_status(pcie); ++ /* Check PIO status and get the read result */ ++ ret = advk_pcie_check_pio_status(pcie, val); ++ if (ret < 0) { ++ *val = 0xffffffff; ++ return PCIBIOS_SET_FAILED; ++ } + +- /* Get the read result */ +- *val = advk_readl(pcie, PIO_RD_DATA); + if (size == 1) + *val = (*val >> (8 * (where & 3))) & 0xff; + else if (size == 2) +@@ -608,7 +652,9 @@ static int advk_pcie_wr_conf(struct pci_ + if (ret < 0) + return PCIBIOS_SET_FAILED; + +- advk_pcie_check_pio_status(pcie); ++ ret = advk_pcie_check_pio_status(pcie, NULL); ++ if (ret < 0) ++ return PCIBIOS_SET_FAILED; + + return PCIBIOS_SUCCESSFUL; + } diff --git a/patches.suse/PCI-aardvark-Fix-masking-and-unmasking-legacy-INTx-i.patch b/patches.suse/PCI-aardvark-Fix-masking-and-unmasking-legacy-INTx-i.patch new file mode 100644 index 0000000..c2e8993 --- /dev/null +++ b/patches.suse/PCI-aardvark-Fix-masking-and-unmasking-legacy-INTx-i.patch 
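Review bot: Items 2) and 3) of the new block comment in advk_pcie_check_pio_status() describe Unsupported Request and CRS as successful for a PIO read, but the `case PIO_COMPLETION_STATUS_UR:` and `case PIO_COMPLETION_STATUS_CRS:` arms set `strcomp_status` for reads and writes alike, so a read also reaches `dev_err()` and `return -EFAULT`. The comment should describe what the code does, e.g. `2) Unsupported Request(1) is treated as a failure for both PIO read and write; the read caller then stores 0xFFFFFFFF.`, with the matching rewording for item 3). If config reads of absent functions complete with UR during bus scanning, which the description's mention of "lots of warnings" suggests, each one would still log an error line; `dev_err_ratelimited()` or a debug-level message would keep real faults visible in dmesg. The function's declarations and the `default:` arm are outside the hunks.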
@@ -0,0 +1,73 @@ +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Fri, 20 Aug 2021 17:50:20 +0200 +Subject: PCI: aardvark: Fix masking and unmasking legacy INTx interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: d212dcee27c1f89517181047e5485fcbba4a25c2 +Patch-mainline: 5.15-rc1 +References: git-fixes + +irq_mask and irq_unmask callbacks need to be properly guarded by raw spin +locks as masking/unmasking procedure needs atomic read-modify-write +operation on hardware register. + +Link: https://lore.kernel.org/r/20210820155020.3000-1-pali@kernel.org +Reported-by: Marc Zyngier +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Acked-by: Marc Zyngier +Cc: stable@vger.kernel.org +Signed-off-by: Jiri Slaby +--- + drivers/pci/host/pci-aardvark.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -231,6 +231,7 @@ struct advk_pcie { + u8 wins_count; + struct irq_domain *irq_domain; + struct irq_chip irq_chip; ++ raw_spinlock_t irq_lock; + struct irq_domain *msi_domain; + struct irq_domain *msi_inner_domain; + struct irq_chip msi_bottom_irq_chip; +@@ -841,22 +842,28 @@ static void advk_pcie_irq_mask(struct ir + { + struct advk_pcie *pcie = d->domain->host_data; + irq_hw_number_t hwirq = irqd_to_hwirq(d); ++ unsigned long flags; + u32 mask; + ++ raw_spin_lock_irqsave(&pcie->irq_lock, flags); + mask = advk_readl(pcie, PCIE_ISR1_MASK_REG); + mask |= PCIE_ISR1_INTX_ASSERT(hwirq); + advk_writel(pcie, mask, PCIE_ISR1_MASK_REG); ++ raw_spin_unlock_irqrestore(&pcie->irq_lock, flags); + } + + static void advk_pcie_irq_unmask(struct irq_data *d) + { + struct advk_pcie *pcie = d->domain->host_data; + irq_hw_number_t hwirq = irqd_to_hwirq(d); ++ unsigned long flags; + u32 mask; + ++ raw_spin_lock_irqsave(&pcie->irq_lock, flags); + mask = advk_readl(pcie, PCIE_ISR1_MASK_REG); + mask &= ~PCIE_ISR1_INTX_ASSERT(hwirq); + advk_writel(pcie, 
mask, PCIE_ISR1_MASK_REG); ++ raw_spin_unlock_irqrestore(&pcie->irq_lock, flags); + } + + static int advk_pcie_irq_map(struct irq_domain *h, +@@ -940,6 +947,8 @@ static int advk_pcie_init_irq_domain(str + struct irq_chip *irq_chip; + int ret = 0; + ++ raw_spin_lock_init(&pcie->irq_lock); ++ + pcie_intc_node = of_get_next_child(node, NULL); + if (!pcie_intc_node) { + dev_err(dev, "No PCIe Intc node found\n"); diff --git a/patches.suse/PCI-aardvark-Increase-polling-delay-to-1.5s-while-wa.patch b/patches.suse/PCI-aardvark-Increase-polling-delay-to-1.5s-while-wa.patch new file mode 100644 index 0000000..5c99f31 --- /dev/null +++ b/patches.suse/PCI-aardvark-Increase-polling-delay-to-1.5s-while-wa.patch 
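Review bot: The new `raw_spinlock_t irq_lock;` member of struct advk_pcie carries no comment saying what it protects. From advk_pcie_irq_mask() and advk_pcie_irq_unmask() it serialises the read-modify-write of PCIE_ISR1_MASK_REG, so `raw_spinlock_t irq_lock; /* serialises RMW of PCIE_ISR1_MASK_REG */` would make that explicit. Any other read-modify-write of that register elsewhere in the driver would need the same lock for the fix to be complete; that cannot be checked from these hunks.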
@@ -0,0 +1,54 @@ +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 22 Jul 2021 16:40:39 +0200 +Subject: PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO + response +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 02bcec3ea5591720114f586960490b04b093a09e +Patch-mainline: 5.15-rc1 +References: git-fixes + +Measurements in different conditions showed that aardvark hardware PIO +response can take up to 1.44s. Increase wait timeout from 1ms to 1.5s to +ensure that we do not miss responses from hardware. After 1.44s hardware +returns errors (e.g. Completer abort). + +The previous two patches fixed checking for PIO status, so now we can use +it to also catch errors which are reported by hardware after 1.44s. + +After applying this patch, kernel can detect and print PIO errors to dmesg: + + [ 6.879999] advk-pcie d0070000.pcie: Non-posted PIO Response Status: CA, 0xe00 @ 0x100004 + [ 6.896436] advk-pcie d0070000.pcie: Posted PIO Response Status: COMP_ERR, 0x804 @ 0x100004 + [ 6.913049] advk-pcie d0070000.pcie: Posted PIO Response Status: COMP_ERR, 0x804 @ 0x100010 + [ 6.929663] advk-pcie d0070000.pcie: Non-posted PIO Response Status: CA, 0xe00 @ 0x100010 + [ 6.953558] advk-pcie d0070000.pcie: Posted PIO Response Status: COMP_ERR, 0x804 @ 0x100014 + [ 6.970170] advk-pcie d0070000.pcie: Non-posted PIO Response Status: CA, 0xe00 @ 0x100014 + [ 6.994328] advk-pcie d0070000.pcie: Posted PIO Response Status: COMP_ERR, 0x804 @ 0x100004 + +Without this patch kernel prints only a generic error to dmesg: + + [ 5.246847] advk-pcie d0070000.pcie: config read/write timed out + +Link: https://lore.kernel.org/r/20210722144041.12661-3-pali@kernel.org +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Marek Behún +Cc: stable@vger.kernel.org # 7fbcb5da811b ("PCI: aardvark: Don't rely on jiffies while holding spinlock") +Signed-off-by: Jiri Slaby +--- + drivers/pci/host/pci-aardvark.c | 2 +- + 1 
file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -169,7 +169,7 @@ + (PCIE_CONF_BUS(bus) | PCIE_CONF_DEV(PCI_SLOT(devfn)) | \ + PCIE_CONF_FUNC(PCI_FUNC(devfn)) | PCIE_CONF_REG(where)) + +-#define PIO_RETRY_CNT 500 ++#define PIO_RETRY_CNT 750000 /* 1.5 s */ + #define PIO_RETRY_DELAY 2 /* 2 us*/ + + #define LINK_WAIT_MAX_RETRIES 10 diff --git a/patches.suse/PCI-xilinx-nwl-Enable-the-clock-through-CCF.patch b/patches.suse/PCI-xilinx-nwl-Enable-the-clock-through-CCF.patch new file mode 100644 index 0000000..24c4771 --- /dev/null +++ b/patches.suse/PCI-xilinx-nwl-Enable-the-clock-through-CCF.patch 
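Review bot: `#define PIO_RETRY_CNT 750000 /* 1.5 s */` is only 1.5 s while PIO_RETRY_DELAY stays at 2, so the count and its comment can drift apart if the delay is ever tuned. Deriving one from the other, `#define PIO_RETRY_CNT (1500000 / PIO_RETRY_DELAY) /* 1.5 s */`, keeps them in step. The wait loop is outside the hunk; if it busy-waits with a spinlock held, as the commit named in the Cc trailer suggests, the worst case per config access grows from 1 ms to 1.5 s on one CPU, and that bound is worth stating in the comment next to the macro.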
@@ -0,0 +1,60 @@
+From: Hyun Kwon
+Date: Fri, 25 Jun 2021 12:48:23 +0200
+Subject: PCI: xilinx-nwl: Enable the clock through CCF
+Git-commit: de0a01f5296651d3a539f2d23d0db8f359483696
+Patch-mainline: 5.15-rc1
+References: git-fixes
+
+Enable PCIe reference clock. There is no remove function that's why
+this should be enough for simple operation.
+Normally this clock is enabled by default by firmware but there are
+usecases where this clock should be enabled by driver itself.
+It is also good that PCIe clock is recorded in a clock framework.
+
+Link: https://lore.kernel.org/r/ee6997a08fab582b1c6de05f8be184f3fe8d5357.1624618100.git.michal.simek@xilinx.com
+Fixes: ab597d35ef11 ("PCI: xilinx-nwl: Add support for Xilinx NWL PCIe Host Controller")
+Signed-off-by: Hyun Kwon
+Signed-off-by: Bharat Kumar Gogada
+Signed-off-by: Michal Simek
+Signed-off-by: Lorenzo Pieralisi
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Slaby
+---
+ drivers/pci/host/pcie-xilinx-nwl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/pci/host/pcie-xilinx-nwl.c
++++ b/drivers/pci/host/pcie-xilinx-nwl.c
+@@ -10,6 +10,7 @@
+ * (at your option) any later version.
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -171,6 +172,7 @@ struct nwl_pcie {
+ u8 root_busno;
+ struct nwl_msi msi;
+ struct irq_domain *legacy_irq_domain;
++ struct clk *clk;
+ };
+
+ static inline u32 nwl_bridge_readl(struct nwl_pcie *pcie, u32 off)
+@@ -808,6 +810,16 @@ static int nwl_pcie_probe(struct platfor
+ return err;
+ }
+
++ pcie->clk = devm_clk_get(dev, NULL);
++ if (IS_ERR(pcie->clk))
++ return PTR_ERR(pcie->clk);
++
++ err = clk_prepare_enable(pcie->clk);
++ if (err) {
++ dev_err(dev, "can't enable PCIe ref clock\n");
++ return err;
++ }
++
+ err = nwl_pcie_bridge_init(pcie);
+ if (err) {
+ dev_err(dev, "HW Initialization failed\n");
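Review bot: Once `clk_prepare_enable(pcie->clk)` has succeeded, the `nwl_pcie_bridge_init()` failure branch that follows in the same hunk has no matching `clk_disable_unprepare()`, so a failed probe would leave the reference clock enabled. The branch's return is cut off by the hunk, so this is inferred from the `return err` pattern just above it. `devm_clk_get()` only drops the clock reference on detach, not the prepare/enable count. Adding `clk_disable_unprepare(pcie->clk);` before each later error return in nwl_pcie_probe(), or registering it once through `devm_add_action_or_reset()` right after the enable, would balance it.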
diff --git a/patches.suse/adm8211-fix-error-return-code-in-adm8211_probe.patch b/patches.suse/adm8211-fix-error-return-code-in-adm8211_probe.patch
new file mode 100644
index 0000000..9a7115f
--- /dev/null
+++ b/patches.suse/adm8211-fix-error-return-code-in-adm8211_probe.patch
@@ -0,0 +1,48 @@
+From 05c2a61d69ea306e891884a86486e1ef37c4b78d Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong
+Date: Fri, 4 Dec 2020 16:47:17 +0800
+Subject: [PATCH] adm8211: fix error return code in adm8211_probe()
+Git-commit: 05c2a61d69ea306e891884a86486e1ef37c4b78d
+References: git-fixes
+Patch-mainline: v5.11-rc1
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: cc0b88cf5ecf ("[PATCH] Add adm8211 802.11b wireless driver")
+Reported-by: Hulk Robot
+Signed-off-by: Zhang Changzhong
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1607071638-33619-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/admtek/adm8211.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/admtek/adm8211.c
++++ b/drivers/net/wireless/admtek/adm8211.c
+@@ -1805,6 +1805,7 @@ static int adm8211_probe(struct pci_dev
+ if (io_len < 256 || mem_len < 1024) {
+ printk(KERN_ERR "%s (adm8211): Too short PCI resources\n",
+ pci_name(pdev));
++ err = -ENOMEM;
+ goto err_disable_pdev;
+ }
+
+@@ -1814,6 +1815,7 @@ static int adm8211_probe(struct pci_dev
+ if (reg != ADM8211_SIG1 && reg != ADM8211_SIG2) {
+ printk(KERN_ERR "%s (adm8211): Invalid signature (0x%x)\n",
+ pci_name(pdev), reg);
++ err = -EINVAL;
+ goto err_disable_pdev;
+ }
+
+@@ -1821,7 +1823,7 @@ static int adm8211_probe(struct pci_dev
+ if (err) {
+ printk(KERN_ERR "%s (adm8211): Cannot obtain PCI resources\n",
+ pci_name(pdev));
+- return err; /* someone else grabbed it? don't disable it */
++ goto err_disable_pdev;
+ }
+
+ if (pci_set_dma_mask(pdev, DMA_BIT_MASK(32)) ||
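Review bot: The third inner hunk replaces `return err; /* someone else grabbed it? don't disable it */` with `goto err_disable_pdev;`, which changes the cleanup path rather than a return code, and the description does not mention it. The removed comment recorded a deliberate choice not to disable the device when the PCI resources cannot be obtained; if the new path is correct because the enable is reference counted, a comment above the `goto` such as `/* balance our own pci_enable_device() */` would say so. The `err_disable_pdev` label and the rest of adm8211_probe() are outside the hunks, so what the label undoes is presumed from its name.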
diff --git a/patches.suse/arm64-Discard-.note.GNU-stack-section.patch b/patches.suse/arm64-Discard-.note.GNU-stack-section.patch index d51fdec..3812125 100644 --- a/patches.suse/arm64-Discard-.note.GNU-stack-section.patch +++ b/patches.suse/arm64-Discard-.note.GNU-stack-section.patch @@ -7,6 +7,14 @@ Git-commit: 99cb0d917ffa1ab628bb67364ca9b162c07699b1 (partial - arm64 only) Patch-mainline: v6.2-rc2 References: bsc#1203693 bsc#1209798 +Note: the more general upstream solution requires at least + +4b9880dbf3bd powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT +07b050f9290e powerpc/vmlinux.lds: Don't discard .rela* for relocatable builds +a494398bde27 s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36 + +which are not applicable to the 4.12 kernel + Commit "Makefile: link with -z noexecstack --no-warn-rwx-segments: ddbd47d2219a" creates a new section .note.GNU-stack, which is not discarded by arm64. This changes the ELF layout and causes the build to fail on arm64. diff --git a/patches.suse/cpuidle-powernv-Fix-promotion-from-snooze-if-next-st.patch b/patches.suse/cpuidle-powernv-Fix-promotion-from-snooze-if-next-st.patch index c25bdc9..e9c0d11 100644 --- a/patches.suse/cpuidle-powernv-Fix-promotion-from-snooze-if-next-st.patch +++ b/patches.suse/cpuidle-powernv-Fix-promotion-from-snooze-if-next-st.patch @@ -1,9 +1,12 @@ +From 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 Mon Sep 17 00:00:00 2001 From: "Gautham R. Shenoy" Date: Thu, 31 May 2018 17:45:09 +0530 -Subject: cpuidle: powernv: Fix promotion from snooze if next state disabled +Subject: [PATCH] cpuidle: powernv: Fix promotion from snooze if next state + disabled + +References: bsc#1100884 Patch-mainline: v4.18-rc1 Git-commit: 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 -References: bsc#1100884 The commit 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of snooze to deeper idle state") introduced a timeout for the snooze idle @@ -80,18 +83,20 @@ Reviewed-by: Balbir Singh 
Signed-off-by: Michael Ellerman Acked-by: Giovanni Gherdovich --- - drivers/cpuidle/cpuidle-powernv.c | 32 ++++++++++++++++++++++++++------ + drivers/cpuidle/cpuidle-powernv.c | 32 +++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) +diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c +index 1a8234e706bc..d29e4f041efe 100644 --- a/drivers/cpuidle/cpuidle-powernv.c +++ b/drivers/cpuidle/cpuidle-powernv.c -@@ -42,9 +42,31 @@ struct stop_psscr_table { +@@ -43,9 +43,31 @@ struct stop_psscr_table { - static struct stop_psscr_table stop_psscr_table[CPUIDLE_STATE_MAX]; + static struct stop_psscr_table stop_psscr_table[CPUIDLE_STATE_MAX] __read_mostly; --static u64 snooze_timeout; -+static u64 default_snooze_timeout; - static bool snooze_timeout_en; +-static u64 snooze_timeout __read_mostly; ++static u64 default_snooze_timeout __read_mostly; + static bool snooze_timeout_en __read_mostly; +static u64 get_snooze_timeout(struct cpuidle_device *dev, + struct cpuidle_driver *drv, @@ -118,16 +123,16 @@ Acked-by: Giovanni Gherdovich static int snooze_loop(struct cpuidle_device *dev, struct cpuidle_driver *drv, int index) -@@ -54,7 +76,7 @@ static int snooze_loop(struct cpuidle_de +@@ -56,7 +78,7 @@ static int snooze_loop(struct cpuidle_device *dev, + local_irq_enable(); - set_thread_flag(TIF_POLLING_NRFLAG); - snooze_exit_time = get_tb() + snooze_timeout; + snooze_exit_time = get_tb() + get_snooze_timeout(dev, drv, index); ppc64_runlatch_off(); HMT_very_low(); while (!need_resched()) { -@@ -453,11 +475,9 @@ static int powernv_idle_probe(void) +@@ -465,11 +487,9 @@ static int powernv_idle_probe(void) cpuidle_state_table = powernv_states; /* Device tree can indicate more idle states */ max_idle_state = powernv_add_idle_states(); @@ -141,3 +146,6 @@ Acked-by: Giovanni Gherdovich } else return -ENODEV; +-- +2.40.0 + 
diff --git a/patches.suse/cpuidle-powernv-avoid-double-irq-enable-coming-out-o.patch b/patches.suse/cpuidle-powernv-avoid-double-irq-enable-coming-out-o.patch new file mode 100644 index 0000000..9f854b6 --- /dev/null +++ b/patches.suse/cpuidle-powernv-avoid-double-irq-enable-coming-out-o.patch 
@@ -0,0 +1,63 @@
+From ced54c08d8e4060d59c10629ea5a4ccdaed6898e Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Fri, 17 Nov 2017 02:00:52 +1000
+Subject: [PATCH] cpuidle/powernv: avoid double irq enable coming out of idle
+
+References: PED-3947 bsc#1210544 ltc#202303
+Patch-mainline: v4.16-rc1
+Git-commit: ced54c08d8e4060d59c10629ea5a4ccdaed6898e
+
+Since e1689795a7 ("cpuidle: Add common time keeping and irq enabling"),
+cpuidle drivers are expected to return from ->enter with irqs disabled.
+
+Update the cpuidle-powernv snooze and cede loops to disable irqs before
+returning.
+
+Signed-off-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Acked-by: Michal Suchanek
+---
+ drivers/cpuidle/cpuidle-pseries.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpuidle/cpuidle-pseries.c b/drivers/cpuidle/cpuidle-pseries.c
+index a187a39fb866..0f2b697cbb27 100644
+--- a/drivers/cpuidle/cpuidle-pseries.c
++++ b/drivers/cpuidle/cpuidle-pseries.c
+@@ -51,8 +51,6 @@ static inline void idle_loop_epilog(unsigned long in_purr)
+ get_lppaca()->wait_state_cycles = cpu_to_be64(wait_cycles);
+ get_lppaca()->idle = 0;
+
+- if (irqs_disabled())
+- local_irq_enable();
+ ppc64_runlatch_on();
+ }
+
+@@ -87,6 +85,8 @@ static int snooze_loop(struct cpuidle_device *dev,
+ HMT_medium();
+ clear_thread_flag(TIF_POLLING_NRFLAG);
+
++ local_irq_disable();
++
+ idle_loop_epilog(in_purr);
+
+ return index;
+@@ -121,6 +121,7 @@ static int dedicated_cede_loop(struct cpuidle_device *dev,
+ HMT_medium();
+ check_and_cede_processor();
+
++ local_irq_disable();
+ get_lppaca()->donate_dedicated_cpu = 0;
+
+ idle_loop_epilog(in_purr);
+@@ -145,6 +146,7 @@ static int shared_cede_loop(struct cpuidle_device *dev,
+ */
+ check_and_cede_processor();
+
++ local_irq_disable();
+ idle_loop_epilog(in_purr);
+
+ return index;
+--
+2.40.0
+
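Review bot: idle_loop_epilog() no longer touches the interrupt state, so it now depends on each of its three callers having called `local_irq_disable()` first, and nothing at the function says so. A one-line comment above it, `/* Callers must have irqs disabled; ->enter returns with irqs off. */`, would protect a future caller from reintroducing the imbalance. The subject and description name cpuidle-powernv while the diffstat lists only cpuidle-pseries.c, so it is worth confirming separately that the powernv snooze loop also returns with interrupts disabled on this branch. All four function bodies start or end outside the hunks.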
diff --git a/patches.suse/cpuidle-powerpc-cpuidle-set-polling-before-enabling-.patch b/patches.suse/cpuidle-powerpc-cpuidle-set-polling-before-enabling-.patch new file mode 100644 index 0000000..5af7736 --- /dev/null +++ b/patches.suse/cpuidle-powerpc-cpuidle-set-polling-before-enabling-.patch 
@@ -0,0 +1,68 @@ +From 3fc5ee927ff4ffed6aa2fcd44d2fbf07ac893cdc Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Wed, 14 Jun 2017 23:02:39 +1000 +Subject: [PATCH] cpuidle: powerpc: cpuidle set polling before enabling irqs + +References: PED-3947 bsc#1210544 ltc#202303 +Patch-mainline: v4.13-rc1 +Git-commit: 3fc5ee927ff4ffed6aa2fcd44d2fbf07ac893cdc + +local_irq_enable can cause interrupts to be taken which could +take significant amount of processing time. The idle process +should set its polling flag before this, so another process that +wakes it during this time will not have to send an IPI. + +Expand the TIF_POLLING_NRFLAG coverage to as large as possible. + +Reviewed-by: Gautham R. Shenoy +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Acked-by: Michal Suchanek +--- + drivers/cpuidle/cpuidle-powernv.c | 4 +++- + drivers/cpuidle/cpuidle-pseries.c | 3 ++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c +index 79152676f62b..50b3c2e0306f 100644 +--- a/drivers/cpuidle/cpuidle-powernv.c ++++ b/drivers/cpuidle/cpuidle-powernv.c +@@ -51,9 +51,10 @@ static int snooze_loop(struct cpuidle_device *dev, + { + u64 snooze_exit_time; + +- local_irq_enable(); + set_thread_flag(TIF_POLLING_NRFLAG); + ++ local_irq_enable(); ++ + snooze_exit_time = get_tb() + snooze_timeout; + ppc64_runlatch_off(); + HMT_very_low(); +@@ -66,6 +67,7 @@ static int snooze_loop(struct cpuidle_device *dev, + ppc64_runlatch_on(); + clear_thread_flag(TIF_POLLING_NRFLAG); + smp_mb(); ++ + return index; + } + +diff --git a/drivers/cpuidle/cpuidle-pseries.c b/drivers/cpuidle/cpuidle-pseries.c +index 166ccd711ec9..7b12bb2ea70f 100644 +--- a/drivers/cpuidle/cpuidle-pseries.c ++++ b/drivers/cpuidle/cpuidle-pseries.c +@@ -62,9 +62,10 @@ static int snooze_loop(struct cpuidle_device *dev, + unsigned long in_purr; + u64 snooze_exit_time; + ++ set_thread_flag(TIF_POLLING_NRFLAG); ++ + 
idle_loop_prolog(&in_purr); + local_irq_enable(); +- set_thread_flag(TIF_POLLING_NRFLAG); + snooze_exit_time = get_tb() + snooze_timeout; + + while (!need_resched()) { +-- +2.40.0 + diff --git a/patches.suse/cpuidle-powerpc-no-memory-barrier-after-break-from-i.patch b/patches.suse/cpuidle-powerpc-no-memory-barrier-after-break-from-i.patch new file mode 100644 index 0000000..36e6a00 --- /dev/null +++ b/patches.suse/cpuidle-powerpc-no-memory-barrier-after-break-from-i.patch 
@@ -0,0 +1,81 @@
+From 7ded429152e84831f6696585755f318fb351e67f Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Wed, 14 Jun 2017 23:02:41 +1000
+Subject: [PATCH] cpuidle: powerpc: no memory barrier after break from idle
+
+References: PED-3947 bsc#1210544 ltc#202303
+Patch-mainline: v4.13-rc1
+Git-commit: 7ded429152e84831f6696585755f318fb351e67f
+
+A memory barrier is not required after the task wakes up,
+only if we clear the polling flag before waking. The case
+where we have work to do is the important one, so optimise
+for it.
+
+Reviewed-by: Vaidyanathan Srinivasan
+Signed-off-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Acked-by: Michal Suchanek
+---
+ drivers/cpuidle/cpuidle-powernv.c | 11 +++++++++--
+ drivers/cpuidle/cpuidle-pseries.c | 11 +++++++++--
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c
+index 9d03326ac05e..37b0698b7193 100644
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -59,14 +59,21 @@ static int snooze_loop(struct cpuidle_device *dev,
+ ppc64_runlatch_off();
+ HMT_very_low();
+ while (!need_resched()) {
+- if (likely(snooze_timeout_en) && get_tb() > snooze_exit_time)
++ if (likely(snooze_timeout_en) && get_tb() > snooze_exit_time) {
++ /*
++ * Task has not woken up but we are exiting the polling
++ * loop anyway. Require a barrier after polling is
++ * cleared to order subsequent test of need_resched().
++ */
++ clear_thread_flag(TIF_POLLING_NRFLAG);
++ smp_mb();
+ break;
++ }
+ }
+
+ HMT_medium();
+ ppc64_runlatch_on();
+ clear_thread_flag(TIF_POLLING_NRFLAG);
+- smp_mb();
+
+ return index;
+ }
+diff --git a/drivers/cpuidle/cpuidle-pseries.c b/drivers/cpuidle/cpuidle-pseries.c
+index a404f352d284..e9b3853d93ea 100644
+--- a/drivers/cpuidle/cpuidle-pseries.c
++++ b/drivers/cpuidle/cpuidle-pseries.c
+@@ -71,13 +71,20 @@ static int snooze_loop(struct cpuidle_device *dev,
+ while (!need_resched()) {
+ HMT_low();
+ HMT_very_low();
+- if (snooze_timeout_en && get_tb() > snooze_exit_time)
++ if (likely(snooze_timeout_en) && get_tb() > snooze_exit_time) {
++ /*
++ * Task has not woken up but we are exiting the polling
++ * loop anyway. Require a barrier after polling is
++ * cleared to order subsequent test of need_resched().
++ */
++ clear_thread_flag(TIF_POLLING_NRFLAG);
++ smp_mb();
+ break;
++ }
+ }
+
+ HMT_medium();
+ clear_thread_flag(TIF_POLLING_NRFLAG);
+- smp_mb();
+
+ idle_loop_epilog(in_purr);
+
+--
+2.40.0
+
diff --git a/patches.suse/cpuidle-powerpc-read-mostly-for-common-globals.patch b/patches.suse/cpuidle-powerpc-read-mostly-for-common-globals.patch
new file mode 100644
index 0000000..1608463
--- /dev/null
+++ b/patches.suse/cpuidle-powerpc-read-mostly-for-common-globals.patch
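Review bot: The timeout branch now clears TIF_POLLING_NRFLAG and issues `smp_mb()` itself, yet the unconditional `clear_thread_flag(TIF_POLLING_NRFLAG);` after the loop still runs on that path, so the flag is cleared twice there and the second call only matters for the need_resched() exit. That is harmless, but the post-loop clear has lost its barrier without a word of explanation; a comment such as `/* woken via need_resched(): no barrier needed after clearing polling */` would stop someone re-adding it. The pseries copy also changes `snooze_timeout_en` to `likely(snooze_timeout_en)`, which the description does not mention. Both snooze_loop() bodies start outside their hunks, and the pseries one also ends outside.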
@@ -0,0 +1,71 @@
+From 624e46d03576dd4d5667bad9d2ef814135d0075c Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Wed, 14 Jun 2017 23:02:40 +1000
+Subject: [PATCH] cpuidle: powerpc: read mostly for common globals
+
+References: PED-3947 bsc#1210544 ltc#202303
+Patch-mainline: v4.13-rc1
+Git-commit: 624e46d03576dd4d5667bad9d2ef814135d0075c
+
+Ensure these don't get put into bouncing cachelines.
+
+Reviewed-by: Vaidyanathan Srinivasan
+Reviewed-by: Gautham R. Shenoy
+Signed-off-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Acked-by: Michal Suchanek
+---
+ drivers/cpuidle/cpuidle-powernv.c | 10 +++++-----
+ drivers/cpuidle/cpuidle-pseries.c | 8 ++++----
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c
+index 50b3c2e0306f..9d03326ac05e 100644
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -32,18 +32,18 @@ static struct cpuidle_driver powernv_idle_driver = {
+ .owner = THIS_MODULE,
+ };
+
+-static int max_idle_state;
+-static struct cpuidle_state *cpuidle_state_table;
++static int max_idle_state __read_mostly;
++static struct cpuidle_state *cpuidle_state_table __read_mostly;
+
+ struct stop_psscr_table {
+ u64 val;
+ u64 mask;
+ };
+
+-static struct stop_psscr_table stop_psscr_table[CPUIDLE_STATE_MAX];
++static struct stop_psscr_table stop_psscr_table[CPUIDLE_STATE_MAX] __read_mostly;
+
+-static u64 snooze_timeout;
+-static bool snooze_timeout_en;
++static u64 snooze_timeout __read_mostly;
++static bool snooze_timeout_en __read_mostly;
+
+ static int snooze_loop(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv,
+diff --git a/drivers/cpuidle/cpuidle-pseries.c b/drivers/cpuidle/cpuidle-pseries.c
+index 7b12bb2ea70f..a404f352d284 100644
+--- a/drivers/cpuidle/cpuidle-pseries.c
++++ b/drivers/cpuidle/cpuidle-pseries.c
+@@ -25,10 +25,10 @@ struct cpuidle_driver pseries_idle_driver = {
+ .owner = THIS_MODULE,
+ };
+
+-static int max_idle_state;
+-static struct cpuidle_state *cpuidle_state_table;
+-static u64 snooze_timeout;
+-static bool snooze_timeout_en;
++static int max_idle_state __read_mostly;
++static struct cpuidle_state *cpuidle_state_table __read_mostly;
++static u64 snooze_timeout __read_mostly;
++static bool snooze_timeout_en __read_mostly;
+
+ static inline void idle_loop_prolog(unsigned long *in_purr)
+ {
+--
+2.40.0
+
diff --git a/patches.suse/ext4-fix-use-after-free-in-ext4_xattr_set_entry.patch b/patches.suse/ext4-fix-use-after-free-in-ext4_xattr_set_entry.patch
index 2bd4782..406c0f1 100644
--- a/patches.suse/ext4-fix-use-after-free-in-ext4_xattr_set_entry.patch
+++ b/patches.suse/ext4-fix-use-after-free-in-ext4_xattr_set_entry.patch
@@ -4,7 +4,7 @@ Date: Thu, 16 Jun 2022 10:13:56 +0800
 Subject: [PATCH] ext4: fix use-after-free in ext4_xattr_set_entry
 Git-commit: 67d7d8ad99beccd9fe92d585b87f1760dc9018e3
 Patch-mainline: v6.0-rc1
-References: bsc#1206878
+References: bsc#1206878 bsc#1211105 CVE-2023-2513
 
 Hulk Robot reported a issue:
 ==================================================================
diff --git a/patches.suse/f2fs-Fix-f2fs_truncate_partial_nodes-ftrace-event.patch b/patches.suse/f2fs-Fix-f2fs_truncate_partial_nodes-ftrace-event.patch
new file mode 100644
index 0000000..811a135
--- /dev/null
+++ b/patches.suse/f2fs-Fix-f2fs_truncate_partial_nodes-ftrace-event.patch
@@ -0,0 +1,43 @@
+From: Douglas Raillard
+Date: Mon, 6 Mar 2023 12:25:49 +0000
+Subject: f2fs: Fix f2fs_truncate_partial_nodes ftrace event
+Git-commit: 0b04d4c0542e8573a837b1d81b94209e48723b25
+Patch-mainline: v6.3-rc5
+References: git-fixes
+
+Fix the nid_t field so that its size is correctly reported in the text
+format embedded in trace.dat files. As it stands, it is reported as
+being of size 4:
+
+ field:nid_t nid[3]; offset:24; size:4; signed:0;
+
+Instead of 12:
+
+ field:nid_t nid[3]; offset:24; size:12; signed:0;
+
+This also fixes the reported offset of subsequent fields so that they
+match with the actual struct layout.
+
+Signed-off-by: Douglas Raillard
+Reviewed-by: Mukesh Ojha
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Acked-by: Petr Pavlu
+---
+ include/trace/events/f2fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index 1322d34a5dfc..99cbc5949e3c 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -512,7 +512,7 @@ TRACE_EVENT(f2fs_truncate_partial_nodes,
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __field(ino_t, ino)
+- __field(nid_t, nid[3])
++ __array(nid_t, nid, 3)
+ __field(int, depth)
+ __field(int, err)
+ ),
+
diff --git a/patches.suse/fotg210-udc-Add-missing-completion-handler.patch b/patches.suse/fotg210-udc-Add-missing-completion-handler.patch
new file mode 100644
index 0000000..891e90a
--- /dev/null
+++ b/patches.suse/fotg210-udc-Add-missing-completion-handler.patch
@@ -0,0 +1,58 @@
+From e55f67391fa986f7357edba0ca59e668d99c3a5f Mon Sep 17 00:00:00 2001
+From: Fabian Vogt
+Date: Mon, 23 Jan 2023 08:35:06 +0100
+Subject: [PATCH] fotg210-udc: Add missing completion handler
+Git-commit: e55f67391fa986f7357edba0ca59e668d99c3a5f
+References: git-fixes
+Patch-mainline: v6.3-rc1
+
+This is used when responding to GET_STATUS requests. Without this, it
+crashes on completion.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt
+Signed-off-by: Linus Walleij
+Link: https://lore.kernel.org/r/20230123073508.2350402-2-linus.walleij@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Oliver Neukum
+---
+ drivers/usb/fotg210/fotg210-udc.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/usb/fotg210/fotg210-udc.c b/drivers/usb/fotg210/fotg210-udc.c
+index 4334504fccc8..53b7d078a54d 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -709,6 +709,20 @@ static int fotg210_is_epnstall(struct fotg210_ep *ep)
+ return value & INOUTEPMPSR_STL_EP ? 1 : 0;
+ }
+
++/* For EP0 requests triggered by this driver (currently GET_STATUS response) */
++static void fotg210_ep0_complete(struct usb_ep *_ep, struct usb_request *req)
++{
++ struct fotg210_ep *ep;
++ struct fotg210_udc *fotg210;
++
++ ep = container_of(_ep, struct fotg210_ep, ep);
++ fotg210 = ep->fotg210;
++
++ if (req->status || req->actual != req->length) {
++ dev_warn(&fotg210->gadget.dev, "EP0 request failed: %d\n", req->status);
++ }
++}
++
+ static void fotg210_get_status(struct fotg210_udc *fotg210,
+ struct usb_ctrlrequest *ctrl)
+ {
+@@ -1253,6 +1267,8 @@ int fotg210_udc_probe(struct platform_device *pdev, struct fotg210 *fotg)
+ if (fotg210->ep0_req == NULL)
+ goto err_map;
+
++ fotg210->ep0_req->complete = fotg210_ep0_complete;
++
+ fotg210_init(fotg210);
+
+ fotg210_disable_unplug(fotg210);
+--
+2.40.1
+
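Review bot: The warning in fotg210_ep0_complete() prints only `req->status`, so a short transfer with status 0 (the `req->actual != req->length` half of the condition) is logged as "EP0 request failed: 0" and the log does not say what went wrong. Printing the byte counts as well would make it diagnosable: `dev_warn(&fotg210->gadget.dev, "EP0 request failed: status %d, %u/%u bytes\n", req->status, req->actual, req->length);`. The braces around the single statement can go, and the two locals can be initialised where they are declared. The inner `diff --git` line names drivers/usb/fotg210/ while the `---`/`+++` lines name drivers/usb/gadget/udc/, so it is worth confirming the refreshed header is intentional.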
diff --git a/patches.suse/i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch b/patches.suse/i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
new file mode 100644
index 0000000..2fee903
--- /dev/null
+++ b/patches.suse/i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
@@ -0,0 +1,35 @@
+From: Wei Chen
+Date: Tue, 14 Mar 2023 16:54:21 +0000
+Subject: i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
+Patch-mainline: v6.3-rc4
+Git-commit: 92fbb6d1296f81f41f65effd7f5f8c0f74943d15
+References: bsc#1210715 CVE-2023-2194
+
+The data->block[0] variable comes from user and is a number between
+0-255. Without proper check, the variable may be very large to cause
+an out-of-bounds when performing memcpy in slimpro_i2c_blkwr.
+
+Fix this bug by checking the value of writelen.
+
+Fixes: f6505fbabc42 ("i2c: add SLIMpro I2C device driver on APM X-Gene platform")
+Signed-off-by: Wei Chen
+Cc: stable@vger.kernel.org
+Reviewed-by: Andi Shyti
+Signed-off-by: Wolfram Sang
+Acked-by: Lee, Chun-Yi
+---
+ drivers/i2c/busses/i2c-xgene-slimpro.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-xgene-slimpro.c
++++ b/drivers/i2c/busses/i2c-xgene-slimpro.c
+@@ -316,6 +316,9 @@ static int slimpro_i2c_blkwr(struct slim
+ u32 msg[3];
+ int rc;
+
++ if (writelen > I2C_SMBUS_BLOCK_MAX)
++ return -EINVAL;
++
+ memcpy(ctx->dma_buffer, data, writelen);
+ paddr = dma_map_single(ctx->dev, ctx->dma_buffer, writelen,
+ DMA_TO_DEVICE);
diff --git a/patches.suse/ipv4-ipv4_default_advmss-should-use-route-mtu.patch b/patches.suse/ipv4-ipv4_default_advmss-should-use-route-mtu.patch
new file mode 100644
index 0000000..354a5f1
--- /dev/null
+++ b/patches.suse/ipv4-ipv4_default_advmss-should-use-route-mtu.patch
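Review bot: The new guard compares `writelen` with I2C_SMBUS_BLOCK_MAX, but the object the `memcpy()` on the next line writes is `ctx->dma_buffer`, whose size is not visible in this hunk. If dma_buffer is a fixed array in the context struct, bounding against it directly keeps the check correct should its size ever differ from the SMBus constant: `if (writelen > sizeof(ctx->dma_buffer)) return -EINVAL;`. The description says the length derives from user-controlled `data->block[0]`, so a short comment above the check would help, e.g. `/* writelen comes from user-supplied data->block[0] */`. slimpro_i2c_blkwr() starts and ends outside the hunk.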
@@ -0,0 +1,35 @@
+From ce720f2e5375229e2bdcb44424b185f30dae25b6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 18 Oct 2017 17:02:03 -0700
+Subject: [PATCH 2/7] ipv4: ipv4_default_advmss() should use route mtu
+Git-commit: 164a5e7ad531e181334a3d3f03d0d5ad20d6faea
+Patch-mainline: 4.15-rc1
+References: git-fixes
+
+ipv4_default_advmss() incorrectly uses the device MTU instead
+of the route provided one. IPv6 has the proper behavior,
+lets harmonize the two protocols.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index e55ec9708d88..87671aa02fd5 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1319,7 +1319,7 @@ static void set_class_tag(struct rtable *rt, u32 tag)
+ static unsigned int ipv4_default_advmss(const struct dst_entry *dst)
+ {
+ unsigned int header_size = sizeof(struct tcphdr) + sizeof(struct iphdr);
+- unsigned int advmss = max_t(unsigned int, dst->dev->mtu - header_size,
++ unsigned int advmss = max_t(unsigned int, ipv4_mtu(dst) - header_size,
+ ip_rt_min_advmss);
+
+ return min(advmss, IPV4_MAX_PMTU - header_size);
+--
+2.16.4
+
diff --git a/patches.suse/ipv6-Reinject-IPv6-packets-if-IPsec-policy-matches-a.patch b/patches.suse/ipv6-Reinject-IPv6-packets-if-IPsec-policy-matches-a.patch
new file mode 100644
index 0000000..240e366
--- /dev/null
+++ b/patches.suse/ipv6-Reinject-IPv6-packets-if-IPsec-policy-matches-a.patch
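Review bot: `ipv4_mtu(dst) - header_size` is an unsigned subtraction, so a route MTU smaller than `header_size` would wrap and `max_t()` would keep the wrapped value, leaving only the final `min()` to clamp it to `IPV4_MAX_PMTU - header_size`. The old `dst->dev->mtu` expression had the same shape, but a route MTU comes from a different source than a device MTU, so the lower bound this relies on is presumably enforced where the route MTU is set. A one-line comment such as `/* ipv4_mtu() is assumed to be >= header_size */` would record that assumption next to the arithmetic.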
@@ -0,0 +1,44 @@
+From 7c90b6940754463f9245305e7864a129a0a500d6 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Thu, 21 Dec 2017 17:32:24 +0100
+Subject: [PATCH 6/7] ipv6: Reinject IPv6 packets if IPsec policy matches after
+ SNAT
+Git-commit: 09ee9dba9611cd382fd360a99ad1c2fa23bfdca8
+Patch-mainline: 4.16-rc1
+References: git-fixes
+
+If SNAT modifies the source address the resulting packet might match
+an IPsec policy, reinject the packet if that's the case.
+
+The exact same thing is already done for IPv4.
+
+Signed-off-by: Tobias Brunner
+Acked-by: Steffen Klassert
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/ipv6/ip6_output.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 50fed3140aa1..4657b1f76b2b 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -141,6 +141,14 @@ static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *s
+ return ret;
+ }
+
++#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
++ /* Policy lookup after SNAT yielded a new policy */
++ if (skb_dst(skb)->xfrm) {
++ IPCB(skb)->flags |= IPSKB_REROUTED;
++ return dst_output(net, sk, skb);
++ }
++#endif
++
+ if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
+ dst_allfrag(skb_dst(skb)) ||
+ (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))
+--
+2.16.4
+
diff --git a/patches.suse/ipv6-icmp6-Allow-icmp-messages-to-be-looped-back.patch b/patches.suse/ipv6-icmp6-Allow-icmp-messages-to-be-looped-back.patch
new file mode 100644
index 0000000..17534f0
--- /dev/null
+++ b/patches.suse/ipv6-icmp6-Allow-icmp-messages-to-be-looped-back.patch
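Review bot: The added block sets the flag through the IPv4 control-block accessor, `IPCB(skb)->flags |= IPSKB_REROUTED;`, inside ip6_finish_output(), while the context a few lines below reads the same skb through `IP6CB(skb)`. The two macros overlay different structures on skb->cb, so this write most likely lands on whatever IPv6 control-block field shares that offset, and the IPv6 rerouted state is not what gets marked. The IPv6 form would be `IP6CB(skb)->flags |= IP6SKB_REROUTED;`. If the series does not already carry a follow-up that makes this change, it should be checked before the backport is relied on. The function body ends outside the hunk.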
@@ -0,0 +1,46 @@
+From 55f8e57a05126a75c87b1386e1cf85c496ff2996 Mon Sep 17 00:00:00 2001
+From: Brendan McGrath
+Date: Wed, 13 Dec 2017 22:14:57 +1100
+Subject: [PATCH 3/7] ipv6: icmp6: Allow icmp messages to be looped back
+Git-commit: 588753f1eb18978512b1c9b85fddb457d46f9033
+Patch-mainline: 4.15-rc5
+References: git-fixes
+
+One example of when an ICMPv6 packet is required to be looped back is
+when a host acts as both a Multicast Listener and a Multicast Router.
+
+A Multicast Router will listen on address ff02::16 for MLDv2 messages.
+
+Currently, MLDv2 messages originating from a Multicast Listener running
+on the same host as the Multicast Router are not being delivered to the
+Multicast Router. This is due to dst.input being assigned the default
+value of dst_discard.
+
+This results in the packet being looped back but discarded before being
+delivered to the Multicast Router.
+
+This patch sets dst.input to ip6_input to ensure a looped back packet
+is delivered to the Multicast Router.
+
+Signed-off-by: Brendan McGrath
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/ipv6/route.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index ff1c0fbc4a5e..2990fcf19878 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1682,6 +1682,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
+ }
+
+ rt->dst.flags |= DST_HOST;
++ rt->dst.input = ip6_input;
+ rt->dst.output = ip6_output;
+ rt->rt6i_gateway = fl6->daddr;
+ rt->rt6i_dst.addr = fl6->daddr;
+--
+2.16.4
+
diff --git a/patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch b/patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
new file mode 100644
index 0000000..869f8db
--- /dev/null
+++ b/patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
@@ -0,0 +1,77 @@
+From 4388f1ebeee9ba362b6b94ea587e1006a8721a15 Mon Sep 17 00:00:00 2001
+From: David Lebrun
+Date: Fri, 2 Sep 2022 10:45:06 +0100
+Subject: [PATCH] ipv6: sr: fix out-of-bounds read when setting HMAC data.
+Git-commit: 84a53580c5d2138c7361c7c3eea5b31827e63b35
+Patch-mainline: v6.0-rc5
+References: bsc#1211592
+
+The SRv6 layer allows defining HMAC data that can later be used to sign IPv6
+Segment Routing Headers. This configuration is realised via netlink through
+four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
+SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual
+length of the SECRET attribute, it is possible to provide invalid combinations
+(e.g., secret = "", secretlen = 64). This case is not checked in the code and
+with an appropriately crafted netlink message, an out-of-bounds read of up
+to 64 bytes (max secret length) can occur past the skb end pointer and into
+skb_shared_info:
+
+Breakpoint 1, seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208
+208 memcpy(hinfo->secret, secret, slen);
+(gdb) bt
+ #0 seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208
+ #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,
+ extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=,
+ family=) at net/netlink/genetlink.c:731
+ #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,
+ family=0xffffffff82fef6c0 ) at net/netlink/genetlink.c:775
+ #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792
+ #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 )
+ at net/netlink/af_netlink.c:2501
+ #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803
+ #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)
+ at net/netlink/af_netlink.c:1319
+ #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=)
+ at net/netlink/af_netlink.c:1345
+ #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=, msg=0xffffc90000ba7e48, len=) at net/netlink/af_netlink.c:1921
+...
+(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
+$1 = 0xffff88800b1b76c0
+(gdb) p/x secret
+$2 = 0xffff88800b1b76c0
+(gdb) p slen
+$3 = 64 '@'
+
+The OOB data can then be read back from userspace by dumping HMAC state. This
+commit fixes this by ensuring SECRETLEN cannot exceed the actual length of
+SECRET.
+
+Reported-by: Lucas Leong
+Tested: verified that EINVAL is correctly returned when secretlen > len(secret)
+Fixes: 4f4853dc1c9c1 ("ipv6: sr: implement API to control SR HMAC structure")
+Signed-off-by: David Lebrun
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/ipv6/seg6.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
+index 4458e46977fe..c7f5e76d1544 100644
+--- a/net/ipv6/seg6.c
++++ b/net/ipv6/seg6.c
+@@ -129,6 +129,11 @@ static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info)
+ goto out_unlock;
+ }
+
++ if (slen > nla_len(info->attrs[SEG6_ATTR_SECRET])) {
++ err = -EINVAL;
++ goto out_unlock;
++ }
++
+ if (hinfo) {
+ err = seg6_hmac_info_del(net, hmackeyid);
+ if (err)
+--
+2.16.4
+
diff --git a/patches.suse/kvm-mmu-Don-t-read-PDPTEs-when-paging-is-not-enabled.patch b/patches.suse/kvm-mmu-Don-t-read-PDPTEs-when-paging-is-not-enabled.patch
new file mode 100644
index 0000000..36fb92e
--- /dev/null
+++ b/patches.suse/kvm-mmu-Don-t-read-PDPTEs-when-paging-is-not-enabled.patch
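Review bot: The new check passes `info->attrs[SEG6_ATTR_SECRET]` straight to `nla_len()`, and the hunk does not show where that attribute is verified to be present; the `goto out_unlock` block just above is presumably that check, but it is cut off by the hunk boundary. Assuming it is, a comment on the new test would make the dependency explicit, e.g. `/* SECRETLEN is supplied separately from SECRET; never copy more than the attribute holds */`. seg6_genl_sethmac() starts and ends outside the hunk.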
@@ -0,0 +1,42 @@
+Patch-mainline: v4.19-rc5
+Git-commit: d35b34a9a70edae7ef923f100e51b8b5ae9fe899
+References: git-fixes
+From: Junaid Shahid
+Date: Wed, 8 Aug 2018 17:45:24 -0700
+Subject: [PATCH] kvm: mmu: Don't read PDPTEs when paging is not enabled
+
+kvm should not attempt to read guest PDPTEs when CR0.PG = 0 and
+CR4.PAE = 1.
+
+Signed-off-by: Junaid Shahid
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/x86.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 542f6315444d..5c870203737f 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -628,7 +628,7 @@ bool pdptrs_changed(struct kvm_vcpu *vcpu)
+ gfn_t gfn;
+ int r;
+
+- if (is_long_mode(vcpu) || !is_pae(vcpu))
++ if (is_long_mode(vcpu) || !is_pae(vcpu) || !is_paging(vcpu))
+ return false;
+
+ if (!test_bit(VCPU_EXREG_PDPTR,
+@@ -8177,7 +8177,7 @@ static int __set_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
+ kvm_update_cpuid(vcpu);
+
+ idx = srcu_read_lock(&vcpu->kvm->srcu);
+- if (!is_long_mode(vcpu) && is_pae(vcpu)) {
++ if (!is_long_mode(vcpu) && is_pae(vcpu) && is_paging(vcpu)) {
+ load_pdptrs(vcpu, vcpu->arch.walk_mmu, kvm_read_cr3(vcpu));
+ mmu_reset_needed = 1;
+ }
+--
+2.35.3
+
diff --git a/patches.suse/libata-add-horkage-for-ASMedia-1092.patch b/patches.suse/libata-add-horkage-for-ASMedia-1092.patch
new file mode 100644
index 0000000..d46b13d
--- /dev/null
+++ b/patches.suse/libata-add-horkage-for-ASMedia-1092.patch
@@ -0,0 +1,38 @@
+From a66307d473077b7aeba74e9b09c841ab3d399c2d Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke
+Date: Wed, 8 Dec 2021 07:58:53 +0100
+Subject: [PATCH] libata: add horkage for ASMedia 1092
+Git-commit: a66307d473077b7aeba74e9b09c841ab3d399c2d
+Patch-mainline: v5.16-rc5
+References: bsc#1118212 git-fixes
+
+The ASMedia 1092 has a configuration mode which will present a
+dummy device; sadly the implementation falsely claims to provide
+a device with 100M which doesn't actually exist.
+So disable this device to avoid errors during boot.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hannes Reinecke
+Signed-off-by: Damien Le Moal
+Acked-by: Takashi Iwai
+
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 59ad8c979cb3..aba0c67d1bd6 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3920,6 +3920,8 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
+ { "VRFDFC22048UCHC-TE*", NULL, ATA_HORKAGE_NODMA },
+ /* Odd clown on sil3726/4726 PMPs */
+ { "Config Disk", NULL, ATA_HORKAGE_DISABLE },
++ /* Similar story with ASMedia 1092 */
++ { "ASMT109x- Config", NULL, ATA_HORKAGE_DISABLE },
+
+ /* Weird ATAPI devices */
+ { "TORiSAN DVD-ROM DRD-N216", NULL, ATA_HORKAGE_MAX_SEC_128 },
+--
+2.31.1
+
diff --git a/patches.suse/media-dvb-core-Fix-kernel-WARNING-for-blocking-opera.patch b/patches.suse/media-dvb-core-Fix-kernel-WARNING-for-blocking-opera.patch
new file mode 100644
index 0000000..6725ab1
--- /dev/null
+++ b/patches.suse/media-dvb-core-Fix-kernel-WARNING-for-blocking-opera.patch
@@ -0,0 +1,60 @@
+From b8c75e4a1b325ea0a9433fa8834be97b5836b946 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 12 May 2023 16:18:00 +0100
+Subject: [PATCH] media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
+Git-commit: b8c75e4a1b325ea0a9433fa8834be97b5836b946
+Patch-mainline: v6.4-rc3
+References: CVE-2023-31084 bsc#1210783
+
+Using a semaphore in the wait_event*() condition is no good idea.
+It hits a kernel WARN_ON() at prepare_to_wait_event() like:
+ do not call blocking ops when !TASK_RUNNING; state=1 set at
+ prepare_to_wait_event+0x6d/0x690
+
+For avoiding the potential deadlock, rewrite to an open-coded loop
+instead. Unlike the loop in wait_event*(), this uses wait_woken()
+after the condition check, hence the task state stays consistent.
+
+CVE-2023-31084 was assigned to this bug.
+
+Link: https://lore.kernel.org/r/CA+UBctCu7fXn4q41O_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com/
+
+Link: https://lore.kernel.org/linux-media/20230512151800.1874-1-tiwai@suse.de
+Reported-by: Yu Hao
+Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-31084
+Signed-off-by: Takashi Iwai
+Signed-off-by: Mauro Carvalho Chehab
+
+---
+ drivers/media/dvb-core/dvb_frontend.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -293,14 +293,22 @@ static int dvb_frontend_get_event(struct
+ }
+
+ if (events->eventw == events->eventr) {
+- int ret;
++ struct wait_queue_entry wait;
++ int ret = 0;
+
+ if (flags & O_NONBLOCK)
+ return -EWOULDBLOCK;
+
+- ret = wait_event_interruptible(events->wait_queue,
+- dvb_frontend_test_event(fepriv, events));
+-
++ init_waitqueue_entry(&wait, current);
++ add_wait_queue(&events->wait_queue, &wait);
++ while (!dvb_frontend_test_event(fepriv, events)) {
++ wait_woken(&wait, TASK_INTERRUPTIBLE, 0);
++ if (signal_pending(current)) {
++ ret = -ERESTARTSYS;
++ break;
++ }
++ }
++ remove_wait_queue(&events->wait_queue, &wait);
+ if (ret < 0)
+ return ret;
+ }
diff --git a/patches.suse/media-dvb-core-Fix-use-after-free-due-on-race-condit.patch b/patches.suse/media-dvb-core-Fix-use-after-free-due-on-race-condit.patch
new file mode 100644
index 0000000..ca00c47
--- /dev/null
+++ b/patches.suse/media-dvb-core-Fix-use-after-free-due-on-race-condit.patch
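Review bot: The open-coded loop sets up its entry with `init_waitqueue_entry(&wait, current)` and then sleeps with `wait_woken(&wait, TASK_INTERRUPTIBLE, 0)`, which does not look like the pairing wait_woken() expects. As far as I can tell, wait_woken() depends on the entry's wake function setting WQ_FLAG_WOKEN, which `DEFINE_WAIT_FUNC(wait, woken_wake_function);` provides and the default wake function does not, and a timeout of 0 lets each sleep expire almost at once, so the loop would re-run dvb_frontend_test_event() and its semaphore about once per tick instead of waiting for an event. If an indefinite sleep is intended, `wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);` on a woken_wake_function entry matches the usual pattern. dvb_frontend_get_event() starts and ends outside the hunk.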
@@ -0,0 +1,121 @@ +From 4172385b0c9ac366dcab78eda48c26814b87ed1a Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Thu, 17 Nov 2022 04:59:23 +0000 +Subject: [PATCH] media: dvb-core: Fix use-after-free due on race condition at dvb_net +Git-commit: 4172385b0c9ac366dcab78eda48c26814b87ed1a +Patch-mainline: v6.4-rc3 +References: CVE-2022-45886 bsc#1205760 + +A race condition may occur between the .disconnect function, which +is called when the device is disconnected, and the dvb_device_open() +function, which is called when the device node is open()ed. +This results in several types of UAFs. + +The root cause of this is that you use the dvb_device_open() function, +which does not implement a conditional statement +that checks 'dvbnet->exit'. + +So, add 'remove_mutex` to protect 'dvbnet->exit' and use +locked_dvb_net_open() function to check 'dvbnet->exit'. + +[mchehab: fix a checkpatch warning] + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-3-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/dvb-core/dvb_net.c | 38 +++++++++++++++++++++++++++++++++++--- + drivers/media/dvb-core/dvb_net.h | 1 + + 2 files changed, 36 insertions(+), 3 deletions(-) + +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -1568,15 +1568,43 @@ static long dvb_net_ioctl(struct file *f + return dvb_usercopy(file, cmd, arg, dvb_net_do_ioctl); + } + ++static int locked_dvb_net_open(struct inode *inode, struct file *file) ++{ ++ struct dvb_device *dvbdev = file->private_data; ++ struct dvb_net *dvbnet = dvbdev->priv; ++ int ret; ++ ++ if (mutex_lock_interruptible(&dvbnet->remove_mutex)) ++ return -ERESTARTSYS; ++ ++ if (dvbnet->exit) { ++ mutex_unlock(&dvbnet->remove_mutex); ++ return -ENODEV; ++ } ++ ++ ret = dvb_generic_open(inode, file); ++ ++ mutex_unlock(&dvbnet->remove_mutex); ++ ++ return ret; ++} ++ + static int dvb_net_close(struct inode *inode, struct file 
*file) + { + struct dvb_device *dvbdev = file->private_data; + struct dvb_net *dvbnet = dvbdev->priv; + ++ mutex_lock(&dvbnet->remove_mutex); ++ + dvb_generic_release(inode, file); + +- if(dvbdev->users == 1 && dvbnet->exit == 1) ++ if (dvbdev->users == 1 && dvbnet->exit == 1) { ++ mutex_unlock(&dvbnet->remove_mutex); + wake_up(&dvbdev->wait_queue); ++ } else { ++ mutex_unlock(&dvbnet->remove_mutex); ++ } ++ + return 0; + } + +@@ -1584,7 +1612,7 @@ static int dvb_net_close(struct inode *i + static const struct file_operations dvb_net_fops = { + .owner = THIS_MODULE, + .unlocked_ioctl = dvb_net_ioctl, +- .open = dvb_generic_open, ++ .open = locked_dvb_net_open, + .release = dvb_net_close, + .llseek = noop_llseek, + }; +@@ -1603,10 +1631,13 @@ void dvb_net_release (struct dvb_net *dv + { + int i; + ++ mutex_lock(&dvbnet->remove_mutex); + dvbnet->exit = 1; ++ mutex_unlock(&dvbnet->remove_mutex); ++ + if (dvbnet->dvbdev->users < 1) + wait_event(dvbnet->dvbdev->wait_queue, +- dvbnet->dvbdev->users==1); ++ dvbnet->dvbdev->users == 1); + + dvb_unregister_device(dvbnet->dvbdev); + +@@ -1625,6 +1656,7 @@ int dvb_net_init (struct dvb_adapter *ad + int i; + + mutex_init(&dvbnet->ioctl_mutex); ++ mutex_init(&dvbnet->remove_mutex); + dvbnet->demux = dmx; + + for (i=0; i +Date: Thu, 17 Nov 2022 04:59:24 +0000 +Subject: [PATCH] media: dvb-core: Fix use-after-free due to race at dvb_register_device() +Git-commit: 627bb528b086b4136315c25d6a447a98ea9448d3 +Patch-mainline: v6.4-rc3 +References: CVE-2022-45884 bsc#1205756 + +dvb_register_device() dynamically allocates fops with kmemdup() +to set the fops->owner. +And these fops are registered in 'file->f_ops' using replace_fops() +in the dvb_device_open() process, and kfree()d in dvb_free_device(). + +However, it is not common to use dynamically allocated fops instead +of 'static const' fops as an argument of replace_fops(), +and UAF may occur. 
+These UAFs can occur on any dvb type using dvb_register_device(), +such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc. + +So, instead of kfree() the fops dynamically allocated in +dvb_register_device() in dvb_free_device() called during the +.disconnect() process, kfree() it collectively in exit_dvbdev() +called when the dvbdev.c module is removed. + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/dvb-core/dvbdev.c | 84 ++++++++++++++++++++++++++++++---------- + drivers/media/dvb-core/dvbdev.h | 15 +++++++ + 2 files changed, 78 insertions(+), 21 deletions(-) + +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -36,6 +36,7 @@ + #include + + static DEFINE_MUTEX(dvbdev_mutex); ++static LIST_HEAD(dvbdevfops_list); + static int dvbdev_debug; + + module_param(dvbdev_debug, int, 0644); +@@ -432,14 +433,15 @@ int dvb_register_device(struct dvb_adapt + int demux_sink_pads) + { + struct dvb_device *dvbdev; +- struct file_operations *dvbdevfops; ++ struct file_operations *dvbdevfops = NULL; ++ struct dvbdevfops_node *node = NULL, *new_node = NULL; + struct device *clsdev; + int minor; + int id, ret; + + mutex_lock(&dvbdev_register_lock); + +- if ((id = dvbdev_get_free_id (adap, type)) < 0){ ++ if ((id = dvbdev_get_free_id (adap, type)) < 0) { + mutex_unlock(&dvbdev_register_lock); + *pdvbdev = NULL; + pr_err("%s: couldn't find free device id\n", __func__); +@@ -447,18 +449,45 @@ int dvb_register_device(struct dvb_adapt + } + + *pdvbdev = dvbdev = kzalloc(sizeof(*dvbdev), GFP_KERNEL); +- + if (!dvbdev){ + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } + +- dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); ++ /* ++ * When a device of the same type is probe()d more than once, ++ * the first allocated fops 
are used. This prevents memory leaks ++ * that can occur when the same device is probe()d repeatedly. ++ */ ++ list_for_each_entry(node, &dvbdevfops_list, list_head) { ++ if (node->fops->owner == adap->module && ++ node->type == type && ++ node->template == template) { ++ dvbdevfops = node->fops; ++ break; ++ } ++ } + +- if (!dvbdevfops){ +- kfree (dvbdev); +- mutex_unlock(&dvbdev_register_lock); +- return -ENOMEM; ++ if (dvbdevfops == NULL) { ++ dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); ++ if (!dvbdevfops) { ++ kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); ++ return -ENOMEM; ++ } ++ ++ new_node = kzalloc(sizeof(struct dvbdevfops_node), GFP_KERNEL); ++ if (!new_node) { ++ kfree(dvbdevfops); ++ kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); ++ return -ENOMEM; ++ } ++ ++ new_node->fops = dvbdevfops; ++ new_node->type = type; ++ new_node->template = template; ++ list_add_tail (&new_node->list_head, &dvbdevfops_list); + } + + memcpy(dvbdev, template, sizeof(struct dvb_device)); +@@ -468,20 +497,20 @@ int dvb_register_device(struct dvb_adapt + dvbdev->priv = priv; + dvbdev->fops = dvbdevfops; + init_waitqueue_head (&dvbdev->wait_queue); +- + dvbdevfops->owner = adap->module; +- + list_add_tail (&dvbdev->list_head, &adap->device_list); +- + down_write(&minor_rwsem); + #ifdef CONFIG_DVB_DYNAMIC_MINORS + for (minor = 0; minor < MAX_DVB_MINORS; minor++) + if (dvb_minors[minor] == NULL) + break; +- + if (minor == MAX_DVB_MINORS) { ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); + up_write(&minor_rwsem); + mutex_unlock(&dvbdev_register_lock); +@@ -490,42 +519,48 @@ int dvb_register_device(struct dvb_adapt + #else + minor = nums2minor(adap->num, type, id); + #endif +- + dvbdev->minor = minor; + dvb_minors[minor] = dvbdev; + up_write(&minor_rwsem); +- + ret = dvb_register_media_device(dvbdev, type, minor, 
demux_sink_pads); + if (ret) { + pr_err("%s: dvb_register_media_device failed to create the mediagraph\n", + __func__); +- ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); + up_write(&minor_rwsem); + mutex_unlock(&dvbdev_register_lock); + return ret; + } + +- mutex_unlock(&dvbdev_register_lock); +- + clsdev = device_create(dvb_class, adap->device, + MKDEV(DVB_MAJOR, minor), + dvbdev, "dvb%d.%s%d", adap->num, dnames[type], id); + if (IS_ERR(clsdev)) { + pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n", + __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); + return PTR_ERR(clsdev); + } ++ + dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n", + adap->num, dnames[type], id, minor, minor); + ++ mutex_unlock(&dvbdev_register_lock); + return 0; + } + EXPORT_SYMBOL(dvb_register_device); +@@ -554,7 +589,6 @@ void dvb_free_device(struct dvb_device * + if (!dvbdev) + return; + +- kfree (dvbdev->fops); + kfree (dvbdev); + } + EXPORT_SYMBOL(dvb_free_device); +@@ -979,9 +1013,17 @@ error: + + static void __exit exit_dvbdev(void) + { ++ struct dvbdevfops_node *node, *next; ++ + class_destroy(dvb_class); + cdev_del(&dvb_device_cdev); + unregister_chrdev_region(MKDEV(DVB_MAJOR, 0), MAX_DVB_MINORS); ++ ++ list_for_each_entry_safe(node, next, &dvbdevfops_list, list_head) { ++ list_del (&node->list_head); ++ kfree(node->fops); ++ kfree(node); ++ } + } + + subsys_initcall(init_dvbdev); +--- a/drivers/media/dvb-core/dvbdev.h ++++ b/drivers/media/dvb-core/dvbdev.h +@@ -165,6 +165,21 @@ struct dvb_device { + }; + + /** ++ * struct dvbdevfops_node - fops nodes 
registered in dvbdevfops_list ++ * ++ * @fops: Dynamically allocated fops for ->owner registration ++ * @type: type of dvb_device ++ * @template: dvb_device used for registration ++ * @list_head: list_head for dvbdevfops_list ++ */ ++struct dvbdevfops_node { ++ struct file_operations *fops; ++ int type; ++ const struct dvb_device *template; ++ struct list_head list_head; ++}; ++ ++/** + * dvb_register_adapter - Registers a new DVB adapter + * + * @adap: pointer to struct dvb_adapter diff --git a/patches.suse/media-dvb-core-Fix-use-after-free-due-to-race-condit.patch b/patches.suse/media-dvb-core-Fix-use-after-free-due-to-race-condit.patch new file mode 100644 index 0000000..d7a4989 --- /dev/null +++ b/patches.suse/media-dvb-core-Fix-use-after-free-due-to-race-condit.patch 
@@ -0,0 +1,128 @@ +From 280a8ab81733da8bc442253c700a52c4c0886ffd Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Mon, 21 Nov 2022 06:33:08 +0000 +Subject: [PATCH] media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221 +Git-commit: 280a8ab81733da8bc442253c700a52c4c0886ffd +Patch-mainline: v6.4-rc3 +References: CVE-2022-45919 bsc#1205803 + +If the device node of dvb_ca_en50221 is open() and the +device is disconnected, a UAF may occur when calling +close() on the device node. + +The root cause is that wake_up() and wait_event() for +dvbdev->wait_queue are not implemented. + +So implement wait_event() function in dvb_ca_en50221_release() +and add 'remove_mutex' which prevents race condition +for 'ca->exit'. + +[mchehab: fix a checkpatch warning] + +Link: https://lore.kernel.org/linux-media/20221121063308.GA33821@ubuntu +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/dvb-core/dvb_ca_en50221.c | 37 ++++++++++++++++++++++++- + 1 file changed, 36 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c +index b6ca29dfb184..baf64540dc00 100644 +--- a/drivers/media/dvb-core/dvb_ca_en50221.c ++++ b/drivers/media/dvb-core/dvb_ca_en50221.c +@@ -151,6 +151,12 @@ struct dvb_ca_private { + + /* mutex serializing ioctls */ + struct mutex ioctl_mutex; ++ ++ /* A mutex used when a device is disconnected */ ++ struct mutex remove_mutex; ++ ++ /* Whether the device is disconnected */ ++ int exit; + }; + + static void dvb_ca_private_free(struct dvb_ca_private *ca) +@@ -1711,12 +1717,22 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file) + + dprintk("%s\n", __func__); + +- if (!try_module_get(ca->pub->owner)) ++ mutex_lock(&ca->remove_mutex); ++ ++ if (ca->exit) { ++ mutex_unlock(&ca->remove_mutex); ++ return -ENODEV; ++ } ++ ++ if (!try_module_get(ca->pub->owner)) { ++ mutex_unlock(&ca->remove_mutex); + 
return -EIO; ++ } + + err = dvb_generic_open(inode, file); + if (err < 0) { + module_put(ca->pub->owner); ++ mutex_unlock(&ca->remove_mutex); + return err; + } + +@@ -1741,6 +1757,7 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file) + + dvb_ca_private_get(ca); + ++ mutex_unlock(&ca->remove_mutex); + return 0; + } + +@@ -1760,6 +1777,8 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file) + + dprintk("%s\n", __func__); + ++ mutex_lock(&ca->remove_mutex); ++ + /* mark the CA device as closed */ + ca->open = 0; + dvb_ca_en50221_thread_update_delay(ca); +@@ -1770,6 +1789,13 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file) + + dvb_ca_private_put(ca); + ++ if (dvbdev->users == 1 && ca->exit == 1) { ++ mutex_unlock(&ca->remove_mutex); ++ wake_up(&dvbdev->wait_queue); ++ } else { ++ mutex_unlock(&ca->remove_mutex); ++ } ++ + return err; + } + +@@ -1893,6 +1919,7 @@ int dvb_ca_en50221_init(struct dvb_adapter *dvb_adapter, + } + + mutex_init(&ca->ioctl_mutex); ++ mutex_init(&ca->remove_mutex); + + if (signal_pending(current)) { + ret = -EINTR; +@@ -1935,6 +1962,14 @@ void dvb_ca_en50221_release(struct dvb_ca_en50221 *pubca) + + dprintk("%s\n", __func__); + ++ mutex_lock(&ca->remove_mutex); ++ ca->exit = 1; ++ mutex_unlock(&ca->remove_mutex); ++ ++ if (ca->dvbdev->users < 1) ++ wait_event(ca->dvbdev->wait_queue, ++ ca->dvbdev->users == 1); ++ + /* shutdown the thread if there was one */ + kthread_stop(ca->thread); + +-- +2.35.3 + diff --git a/patches.suse/media-dvb-core-Fix-use-after-free-on-race-condition-.patch b/patches.suse/media-dvb-core-Fix-use-after-free-on-race-condition-.patch new file mode 100644 index 0000000..e5d425d --- /dev/null +++ b/patches.suse/media-dvb-core-Fix-use-after-free-on-race-condition-.patch 
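Review bot: In `dvb_ca_en50221_io_release()` the new tail reads `ca->exit` and unlocks `ca->remove_mutex` after `dvb_ca_private_put(ca)` has already run, so if that put can drop the last reference, the flag and the mutex are touched in memory that may already be freed. The disconnect side in `dvb_ca_en50221_release()` does not take `remove_mutex` again once `users == 1` holds, so nothing visible here orders the two. The frontend patch on this page unlocks before `dvb_frontend_put(fe)`; moving `dvb_ca_private_put(ca);` below the `mutex_unlock(&ca->remove_mutex)` / `wake_up(&dvbdev->wait_queue)` block would give the same ordering. Both function bodies continue outside the hunks shown, so the reference counting should be confirmed against the full file.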
@@ -0,0 +1,179 @@ +From 6769a0b7ee0c3b31e1b22c3fadff2bfb642de23f Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Thu, 17 Nov 2022 04:59:22 +0000 +Subject: [PATCH] media: dvb-core: Fix use-after-free on race condition at dvb_frontend +Git-commit: 6769a0b7ee0c3b31e1b22c3fadff2bfb642de23f +Patch-mainline: v6.4-rc3 +References: CVE-2022-45885 bsc#1205758 + +If the device node of dvb_frontend is open() and the device is +disconnected, many kinds of UAFs may occur when calling close() +on the device node. + +The root cause of this is that wake_up() for dvbdev->wait_queue +is implemented in the dvb_frontend_release() function, but +wait_event() is not implemented in the dvb_frontend_stop() function. + +So, implement wait_event() function in dvb_frontend_stop() and +add 'remove_mutex' which prevents race condition for 'fe->exit'. + +[mchehab: fix a couple of checkpatch warnings and some mistakes at the error handling logic] + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-2-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/dvb-core/dvb_frontend.c | 50 ++++++++++++++++++++++++++++------ + drivers/media/dvb-core/dvb_frontend.h | 6 +++- + 2 files changed, 47 insertions(+), 9 deletions(-) + +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -808,15 +808,26 @@ static void dvb_frontend_stop(struct dvb + + dev_dbg(fe->dvb->device, "%s:\n", __func__); + ++ mutex_lock(&fe->remove_mutex); ++ + if (fe->exit != DVB_FE_DEVICE_REMOVED) + fe->exit = DVB_FE_NORMAL_EXIT; + mb(); + +- if (!fepriv->thread) ++ if (!fepriv->thread) { ++ mutex_unlock(&fe->remove_mutex); + return; ++ } + + kthread_stop(fepriv->thread); + ++ mutex_unlock(&fe->remove_mutex); ++ ++ if (fepriv->dvbdev->users < -1) { ++ wait_event(fepriv->dvbdev->wait_queue, ++ fepriv->dvbdev->users == -1); ++ } ++ + sema_init(&fepriv->sem, 1); + fepriv->state = FESTATE_IDLE; + +@@ -2488,9 
+2499,13 @@ static int dvb_frontend_open(struct inod + struct dvb_adapter *adapter = fe->dvb; + int ret; + ++ mutex_lock(&fe->remove_mutex); ++ + dev_dbg(fe->dvb->device, "%s:\n", __func__); +- if (fe->exit == DVB_FE_DEVICE_REMOVED) +- return -ENODEV; ++ if (fe->exit == DVB_FE_DEVICE_REMOVED) { ++ ret = -ENODEV; ++ goto err_remove_mutex; ++ } + + if (adapter->mfe_shared) { + mutex_lock (&adapter->mfe_lock); +@@ -2511,8 +2526,10 @@ static int dvb_frontend_open(struct inod + while (mferetry-- && (mfedev->users != -1 || + mfepriv->thread != NULL)) { + if(msleep_interruptible(500)) { +- if(signal_pending(current)) +- return -EINTR; ++ if(signal_pending(current)) { ++ ret = -EINTR; ++ goto err_remove_mutex; ++ } + } + } + +@@ -2524,7 +2541,8 @@ static int dvb_frontend_open(struct inod + if (mfedev->users != -1 || + mfepriv->thread != NULL) { + mutex_unlock (&adapter->mfe_lock); +- return -EBUSY; ++ ret = -EBUSY; ++ goto err_remove_mutex; + } + adapter->mfe_dvbdev = dvbdev; + } +@@ -2580,6 +2598,8 @@ static int dvb_frontend_open(struct inod + + if (adapter->mfe_shared) + mutex_unlock (&adapter->mfe_lock); ++ ++ mutex_unlock(&fe->remove_mutex); + return ret; + + err3: +@@ -2599,6 +2619,9 @@ err1: + err0: + if (adapter->mfe_shared) + mutex_unlock (&adapter->mfe_lock); ++ ++err_remove_mutex: ++ mutex_unlock(&fe->remove_mutex); + return ret; + } + +@@ -2609,6 +2632,8 @@ static int dvb_frontend_release(struct i + struct dvb_frontend_private *fepriv = fe->frontend_priv; + int ret; + ++ mutex_lock(&fe->remove_mutex); ++ + dev_dbg(fe->dvb->device, "%s:\n", __func__); + + if ((file->f_flags & O_ACCMODE) != O_RDONLY) { +@@ -2628,10 +2653,18 @@ static int dvb_frontend_release(struct i + mutex_unlock(&fe->dvb->mdev->graph_mutex); + } + #endif +- if (fe->exit != DVB_FE_NO_EXIT) +- wake_up(&dvbdev->wait_queue); + if (fe->ops.ts_bus_ctrl) + fe->ops.ts_bus_ctrl(fe, 0); ++ ++ if (fe->exit != DVB_FE_NO_EXIT) { ++ mutex_unlock(&fe->remove_mutex); ++ wake_up(&dvbdev->wait_queue); ++ } else 
{ ++ mutex_unlock(&fe->remove_mutex); ++ } ++ ++ } else { ++ mutex_unlock(&fe->remove_mutex); + } + + dvb_frontend_put(fe); +@@ -2725,6 +2758,7 @@ int dvb_register_frontend(struct dvb_ada + fepriv = fe->frontend_priv; + + kref_init(&fe->refcount); ++ mutex_init(&fe->remove_mutex); + + /* + * After initialization, there need to be two references: one +--- a/drivers/media/dvb-core/dvb_frontend.h ++++ b/drivers/media/dvb-core/dvb_frontend.h +@@ -658,7 +658,10 @@ struct dtv_frontend_properties { + * @id: Frontend ID + * @exit: Used to inform the DVB core that the frontend + * thread should exit (usually, means that the hardware +- * got disconnected. ++ * got disconnected). ++ * @remove_mutex: mutex that avoids a race condition between a callback ++ * called when the hardware is disconnected and the ++ * file_operations of dvb_frontend. + */ + + struct dvb_frontend { +@@ -676,6 +679,7 @@ struct dvb_frontend { + int (*callback)(void *adapter_priv, int component, int cmd, int arg); + int id; + unsigned int exit; ++ struct mutex remove_mutex; + }; + + /** diff --git a/patches.suse/media-dvbdev-Fix-memleak-in-dvb_register_device.patch b/patches.suse/media-dvbdev-Fix-memleak-in-dvb_register_device.patch new file mode 100644 index 0000000..a6798b5 --- /dev/null +++ b/patches.suse/media-dvbdev-Fix-memleak-in-dvb_register_device.patch 
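Review bot: `dvb_frontend_open()` now takes `fe->remove_mutex` before the shared-frontend retry loop, so the lock stays held across every `msleep_interruptible(500)` iteration in the `@@ -2511,8 +2526,10 @@` hunk. `dvb_frontend_stop()` and `dvb_frontend_release()` take the same mutex and would be blocked for the whole retry period, which delays disconnect handling for that frontend. Consider dropping the mutex around the sleep and re-checking `fe->exit == DVB_FE_DEVICE_REMOVED` after re-acquiring it. The `users < -1` / `users == -1` test in `dvb_frontend_stop()` would also be easier to audit with a comment such as `/* users is -1 when no file handle is open */`, assuming that is the convention in dvbdev.c.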
@@ -0,0 +1,37 @@
+From 167faadfcf9339088910e9e85a1b711fcbbef8e9 Mon Sep 17 00:00:00 2001
+From: Dinghao Liu
+Date: Mon, 24 Aug 2020 14:27:46 +0200
+Subject: [PATCH] media: dvbdev: Fix memleak in dvb_register_device
+Git-commit: 167faadfcf9339088910e9e85a1b711fcbbef8e9
+Patch-mainline: v5.11-rc1
+References: CVE-2022-45884 bsc#1205756
+
+When device_create() fails, dvbdev and dvbdevfops should
+be freed just like when dvb_register_media_device() fails.
+
+Signed-off-by: Dinghao Liu
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Acked-by: Takashi Iwai
+
+---
+ drivers/media/dvb-core/dvbdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
+index 959fa2820259..5ff7bedee247 100644
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -539,6 +539,9 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ if (IS_ERR(clsdev)) {
+ pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n",
+ __func__, adap->num, dnames[type], id, PTR_ERR(clsdev));
++ dvb_media_device_free(dvbdev);
++ kfree(dvbdevfops);
++ kfree(dvbdev);
+ return PTR_ERR(clsdev);
+ }
+ dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n",
+--
+2.35.3
+
diff --git a/patches.suse/media-dvbdev-fix-error-logic-at-dvb_register_device.patch b/patches.suse/media-dvbdev-fix-error-logic-at-dvb_register_device.patch
new file mode 100644
index 0000000..deff76c
--- /dev/null
+++ b/patches.suse/media-dvbdev-fix-error-logic-at-dvb_register_device.patch
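Review bot: The added `device_create()` failure branch frees `dvbdev` but leaves other references to it in place. Context elsewhere on this page shows `dvb_minors[minor] = dvbdev;` and `*pdvbdev = dvbdev` being set earlier in `dvb_register_device()`, and neither is reset here. The adapter list entry is handled by the follow-up patch in this series, but the minor table slot and the caller's pointer still appear to dangle after `kfree(dvbdev);`. Clearing them before the free, `dvb_minors[minor] = NULL;` under `minor_rwsem` and `*pdvbdev = NULL;`, would close that gap. The function body extends beyond the hunk, so this should be confirmed against the full file.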
@@ -0,0 +1,50 @@
+From 1fec2ecc252301110e4149e6183fa70460d29674 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Wed, 9 Jun 2021 14:32:29 +0200
+Subject: [PATCH] media: dvbdev: fix error logic at dvb_register_device()
+Git-commit: 1fec2ecc252301110e4149e6183fa70460d29674
+Patch-mainline: v5.14-rc1
+References: CVE-2022-45884 bsc#1205756
+
+As reported by smatch:
+
+ drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:510 dvb_register_device() warn: '&dvbdev->list_head' not removed from list
+ drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:530 dvb_register_device() warn: '&dvbdev->list_head' not removed from list
+ drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:545 dvb_register_device() warn: '&dvbdev->list_head' not removed from list
+
+The error logic inside dvb_register_device() doesn't remove
+devices from the dvb_adapter_list in case of errors.
+
+Signed-off-by: Mauro Carvalho Chehab
+Acked-by: Takashi Iwai
+
+---
+ drivers/media/dvb-core/dvbdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -481,6 +481,7 @@ int dvb_register_device(struct dvb_adapt
+ break;
+
+ if (minor == MAX_DVB_MINORS) {
++ list_del (&dvbdev->list_head);
+ kfree(dvbdevfops);
+ kfree(dvbdev);
+ up_write(&minor_rwsem);
+@@ -501,6 +502,7 @@ int dvb_register_device(struct dvb_adapt
+ __func__);
+
+ dvb_media_device_free(dvbdev);
++ list_del (&dvbdev->list_head);
+ kfree(dvbdevfops);
+ kfree(dvbdev);
+ up_write(&minor_rwsem);
+@@ -517,6 +519,7 @@ int dvb_register_device(struct dvb_adapt
+ pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n",
+ __func__, adap->num, dnames[type], id, PTR_ERR(clsdev));
+ dvb_media_device_free(dvbdev);
++ list_del (&dvbdev->list_head);
+ kfree(dvbdevfops);
+ kfree(dvbdev);
+ return PTR_ERR(clsdev);
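Review bot: The second touched error path (`@@ -501,6 +502,7 @@`, failure of `dvb_register_media_device()`) ends with `up_write(&minor_rwsem);`, yet the larger dvbdev.c hunk on this page shows `up_write(&minor_rwsem);` already executed right after `dvb_minors[minor] = dvbdev;` and before that call. If the tree this applies to has the same ordering, the semaphore is released twice on this path, and the `up_write(&minor_rwsem);` line in the error branch should be dropped. Only part of `dvb_register_device()` is visible in these hunks, so the lock state at that point needs checking in the full function.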
diff --git a/patches.suse/media-media-dvb-Use-kmemdup-rather-than-duplicating-.patch b/patches.suse/media-media-dvb-Use-kmemdup-rather-than-duplicating-.patch
new file mode 100644
index 0000000..09ce1f5
--- /dev/null
+++ b/patches.suse/media-media-dvb-Use-kmemdup-rather-than-duplicating-.patch
@@ -0,0 +1,71 @@ +From f6af820ef1be58c2e4b81aa479b9f109eb6344ce Mon Sep 17 00:00:00 2001 +From: Fuqian Huang +Date: Wed, 3 Jul 2019 13:28:37 -0300 +Subject: [PATCH] media: media/dvb: Use kmemdup rather than duplicating its implementation +Git-commit: f6af820ef1be58c2e4b81aa479b9f109eb6344ce +Patch-mainline: v5.4-rc1 +References: CVE-2022-45884 bsc#1205756 + +kmemdup is introduced to duplicate a region of memory in a neat way. +Rather than kmalloc/kzalloc + memcpy, which the programmer needs to +write the size twice (sometimes lead to mistakes), kmemdup improves +readability, leads to smaller code and also reduce the chances of mistakes. +Suggestion to use kmemdup rather than using kmalloc/kzalloc + memcpy. + +Signed-off-by: Fuqian Huang +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/dvb-core/dvbdev.c | 3 +-- + drivers/media/dvb-frontends/drx39xyj/drxj.c | 5 ++--- + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index a3393cd4e584..d7532f5a352a 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -476,7 +476,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + return -ENOMEM; + } + +- dvbdevfops = kzalloc(sizeof(struct file_operations), GFP_KERNEL); ++ dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); + + if (!dvbdevfops){ + kfree (dvbdev); +@@ -492,7 +492,6 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvbdev->fops = dvbdevfops; + init_waitqueue_head (&dvbdev->wait_queue); + +- memcpy(dvbdevfops, template->fops, sizeof(struct file_operations)); + dvbdevfops->owner = adap->module; + + list_add_tail (&dvbdev->list_head, &adap->device_list); +diff --git a/drivers/media/dvb-frontends/drx39xyj/drxj.c b/drivers/media/dvb-frontends/drx39xyj/drxj.c +index a6876fa48753..2f5af4813a74 100644 +--- 
a/drivers/media/dvb-frontends/drx39xyj/drxj.c ++++ b/drivers/media/dvb-frontends/drx39xyj/drxj.c +@@ -12287,7 +12287,8 @@ struct dvb_frontend *drx39xxj_attach(struct i2c_adapter *i2c) + if (state == NULL) + goto error; + +- demod = kmalloc(sizeof(struct drx_demod_instance), GFP_KERNEL); ++ demod = kmemdup(&drxj_default_demod_g, ++ sizeof(struct drx_demod_instance), GFP_KERNEL); + if (demod == NULL) + goto error; + +@@ -12311,8 +12312,6 @@ struct dvb_frontend *drx39xxj_attach(struct i2c_adapter *i2c) + state->demod = demod; + + /* setup the demod data */ +- memcpy(demod, &drxj_default_demod_g, sizeof(struct drx_demod_instance)); +- + demod->my_i2c_dev_addr = demod_addr; + demod->my_common_attr = demod_comm_attr; + demod->my_i2c_dev_addr->user_data = state; +-- +2.35.3 + diff --git a/patches.suse/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch b/patches.suse/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch new file mode 100644 index 0000000..572cc45 --- /dev/null +++ b/patches.suse/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch 
@@ -0,0 +1,43 @@ +From 517a281338322ff8293f988771c98aaa7205e457 Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Thu, 17 Nov 2022 04:59:25 +0000 +Subject: [PATCH] media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb() +Git-commit: 517a281338322ff8293f988771c98aaa7205e457 +Patch-mainline: v6.4-rc3 +References: CVE-2022-45887 bsc#1205762 + +Since dvb_frontend_detach() is not called in ttusb_dec_exit_dvb(), +which is called when the device is disconnected, dvb_frontend_free() +is not finally called. + +This causes a memory leak just by repeatedly plugging and +unplugging the device. + +Fix this issue by adding dvb_frontend_detach() to ttusb_dec_exit_dvb(). + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-5-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/ttusb-dec/ttusb_dec.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c +index 38822cedd93a..c4474d4c44e2 100644 +--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c ++++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c +@@ -1544,8 +1544,7 @@ static void ttusb_dec_exit_dvb(struct ttusb_dec *dec) + dvb_dmx_release(&dec->demux); + if (dec->fe) { + dvb_unregister_frontend(dec->fe); +- if (dec->fe->ops.release) +- dec->fe->ops.release(dec->fe); ++ dvb_frontend_detach(dec->fe); + } + dvb_unregister_adapter(&dec->adapter); + } +-- +2.35.3 + diff --git a/patches.suse/mwl8k-Fix-a-double-Free-in-mwl8k_probe_hw.patch b/patches.suse/mwl8k-Fix-a-double-Free-in-mwl8k_probe_hw.patch new file mode 100644 index 0000000..6f8055c --- /dev/null +++ b/patches.suse/mwl8k-Fix-a-double-Free-in-mwl8k_probe_hw.patch 
@@ -0,0 +1,37 @@
+From a8e083ee8e2a6c94c29733835adae8bf5b832748 Mon Sep 17 00:00:00 2001
+From: Lv Yunlong
+Date: Fri, 2 Apr 2021 11:26:27 -0700
+Subject: [PATCH] mwl8k: Fix a double Free in mwl8k_probe_hw
+Git-commit: a8e083ee8e2a6c94c29733835adae8bf5b832748
+References: git-fixes
+Patch-mainline: v5.13-rc1
+
+In mwl8k_probe_hw, hw->priv->txq is freed at the first time by
+dma_free_coherent() in the call chain:
+if(!priv->ap_fw)->mwl8k_init_txqs(hw)->mwl8k_txq_init(hw, i).
+
+Then in err_free_queues of mwl8k_probe_hw, hw->priv->txq is freed
+at the second time by mwl8k_txq_deinit(hw, i)->dma_free_coherent().
+
+My patch set txq->txd to NULL after the first free to avoid the
+double free.
+
+Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver")
+Signed-off-by: Lv Yunlong
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210402182627.4256-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/marvell/mwl8k.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -1469,6 +1469,7 @@ static int mwl8k_txq_init(struct ieee802
+ txq->skb = kcalloc(MWL8K_TX_DESCS, sizeof(*txq->skb), GFP_KERNEL);
+ if (txq->skb == NULL) {
+ pci_free_consistent(priv->pdev, size, txq->txd, txq->txd_dma);
++ txq->txd = NULL;
+ return -ENOMEM;
+ }
+
diff --git a/patches.suse/net-Extra-_get-in-declaration-of-arch_get_platform_m.patch b/patches.suse/net-Extra-_get-in-declaration-of-arch_get_platform_m.patch
new file mode 100644
index 0000000..8358596
--- /dev/null
+++ b/patches.suse/net-Extra-_get-in-declaration-of-arch_get_platform_m.patch
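Review bot: Setting `txq->txd = NULL` only prevents the second free if the teardown path tests that pointer, and that test is not visible in this hunk. A one-line comment at the assignment, for example `/* mwl8k_txq_deinit() must see NULL here and skip the free */`, would record the dependency for later maintainers. Please confirm that `mwl8k_txq_deinit()` returns early on a NULL `txd`. `txq->txd_dma` keeps its stale value, which looks harmless if nothing reads it without `txd`, but that also cannot be confirmed from the lines shown.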
@@ -0,0 +1,47 @@ +From 7cc263efedd57ce0dcbf2017802a281aaed6506b Mon Sep 17 00:00:00 2001 +From: Mathieu Malaterre +Date: Wed, 7 Feb 2018 20:35:00 +0100 +Subject: [PATCH 3/8] net: Extra '_get' in declaration of + arch_get_platform_mac_address +References: git-fixes +Patch-mainline: v4.16-rc1 +Git-commit: e728789c52afccc1275cba1dd812f03abe16ea3c + +In commit c7f5d105495a ("net: Add eth_platform_get_mac_address() helper."), +two declarations were added: + + int eth_platform_get_mac_address(struct device *dev, u8 *mac_addr); + unsigned char *arch_get_platform_get_mac_address(void); + +An extra '_get' was introduced in arch_get_platform_get_mac_address, remove +it. Fix compile warning using W=1: + + CC net/ethernet/eth.o +net/ethernet/eth.c:523:24: warning: no previous prototype for ‘arch_get_platform_mac_address’ [-Wmissing-prototypes] + unsigned char * __weak arch_get_platform_mac_address(void) + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + AR net/ethernet/built-in.o + +Signed-off-by: Mathieu Malaterre +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + include/linux/etherdevice.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h +index 43c37093823e..d7a8b407207d 100644 +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -31,7 +31,7 @@ + #ifdef __KERNEL__ + struct device; + int eth_platform_get_mac_address(struct device *dev, u8 *mac_addr); +-unsigned char *arch_get_platform_get_mac_address(void); ++unsigned char *arch_get_platform_mac_address(void); + u32 eth_get_headlen(void *data, unsigned int max_len); + __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev); + extern const struct header_ops eth_header_ops; +-- +2.16.4 + diff --git a/patches.suse/net-arc_emac-fix-arc_emac_rx-error-paths.patch b/patches.suse/net-arc_emac-fix-arc_emac_rx-error-paths.patch new file mode 100644 index 0000000..9ca58d6 --- /dev/null 
+++ b/patches.suse/net-arc_emac-fix-arc_emac_rx-error-paths.patch 
@@ -0,0 +1,102 @@ +From 3d6a68ea0b0106046832083c9496f62c416695d0 Mon Sep 17 00:00:00 2001 +From: Alexander Kochetkov +Date: Fri, 15 Dec 2017 20:20:06 +0300 +Subject: [PATCH 2/8] net: arc_emac: fix arc_emac_rx() error paths +References: git-fixes +Patch-mainline: v4.15-rc5 +Git-commit: e688822d035b494071ecbadcccbd6f3325fb0f59 + +arc_emac_rx() has some issues found by code review. + +In case netdev_alloc_skb_ip_align() or dma_map_single() failure +rx fifo entry will not be returned to EMAC. + +In case dma_map_single() failure previously allocated skb became +lost to driver. At the same time address of newly allocated skb +will not be provided to EMAC. + +Signed-off-by: Alexander Kochetkov +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/arc/emac_main.c | 53 +++++++++++++++++++++--------------- + 1 file changed, 31 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/arc/emac_main.c b/drivers/net/ethernet/arc/emac_main.c +index 68de2f2652f2..f7e3073c4c3b 100644 +--- a/drivers/net/ethernet/arc/emac_main.c ++++ b/drivers/net/ethernet/arc/emac_main.c +@@ -210,39 +210,48 @@ static int arc_emac_rx(struct net_device *ndev, int budget) + continue; + } + +- pktlen = info & LEN_MASK; +- stats->rx_packets++; +- stats->rx_bytes += pktlen; +- skb = rx_buff->skb; +- skb_put(skb, pktlen); +- skb->dev = ndev; +- skb->protocol = eth_type_trans(skb, ndev); +- +- dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr), +- dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE); +- +- /* Prepare the BD for next cycle */ +- rx_buff->skb = netdev_alloc_skb_ip_align(ndev, +- EMAC_BUFFER_SIZE); +- if (unlikely(!rx_buff->skb)) { ++ /* Prepare the BD for next cycle. netif_receive_skb() ++ * only if new skb was allocated and mapped to avoid holes ++ * in the RX fifo. 
++ */ ++ skb = netdev_alloc_skb_ip_align(ndev, EMAC_BUFFER_SIZE); ++ if (unlikely(!skb)) { ++ if (net_ratelimit()) ++ netdev_err(ndev, "cannot allocate skb\n"); ++ /* Return ownership to EMAC */ ++ rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE); + stats->rx_errors++; +- /* Because receive_skb is below, increment rx_dropped */ + stats->rx_dropped++; + continue; + } + +- /* receive_skb only if new skb was allocated to avoid holes */ +- netif_receive_skb(skb); +- +- addr = dma_map_single(&ndev->dev, (void *)rx_buff->skb->data, ++ addr = dma_map_single(&ndev->dev, (void *)skb->data, + EMAC_BUFFER_SIZE, DMA_FROM_DEVICE); + if (dma_mapping_error(&ndev->dev, addr)) { + if (net_ratelimit()) +- netdev_err(ndev, "cannot dma map\n"); +- dev_kfree_skb(rx_buff->skb); ++ netdev_err(ndev, "cannot map dma buffer\n"); ++ dev_kfree_skb(skb); ++ /* Return ownership to EMAC */ ++ rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE); + stats->rx_errors++; ++ stats->rx_dropped++; + continue; + } ++ ++ /* unmap previosly mapped skb */ ++ dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr), ++ dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE); ++ ++ pktlen = info & LEN_MASK; ++ stats->rx_packets++; ++ stats->rx_bytes += pktlen; ++ skb_put(rx_buff->skb, pktlen); ++ rx_buff->skb->dev = ndev; ++ rx_buff->skb->protocol = eth_type_trans(rx_buff->skb, ndev); ++ ++ netif_receive_skb(rx_buff->skb); ++ ++ rx_buff->skb = skb; + dma_unmap_addr_set(rx_buff, addr, addr); + dma_unmap_len_set(rx_buff, len, EMAC_BUFFER_SIZE); + +-- +2.16.4 + diff --git a/patches.suse/net-davinci_emac-match-the-mdio-device-against-its-c.patch b/patches.suse/net-davinci_emac-match-the-mdio-device-against-its-c.patch new file mode 100644 index 0000000..4674081 --- /dev/null +++ b/patches.suse/net-davinci_emac-match-the-mdio-device-against-its-c.patch 
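Review bot: `pktlen = info & LEN_MASK` is taken from the receive descriptor and passed straight to `skb_put(rx_buff->skb, pktlen)` with no comparison against `EMAC_BUFFER_SIZE`, the size the buffer was allocated and DMA-mapped with. If `LEN_MASK` admits values larger than the buffer (its definition is outside the hunk), a bad length reported by the device would trip the skb overrun check instead of being counted as a receive error. A guard before the unmap, `if (unlikely(pktlen > EMAC_BUFFER_SIZE))`, that bumps `stats->rx_length_errors`, returns the descriptor to the EMAC and continues would handle that case. The new comment also has a typo: `previosly` should be `previously`. The loop body of `arc_emac_rx()` starts and ends outside the hunk.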
@@ -0,0 +1,38 @@ +From 10e6479325ce46aa3f670bad4a127b194dcd60c2 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Wed, 20 Jun 2018 10:03:56 +0200 +Subject: [PATCH 4/7] net: davinci_emac: match the mdio device against its + compatible if possible +References: git-fixes +Patch-mainline: v4.18-rc3 +Git-commit: ea0820bb771175c7d4192fc6f5b5c56b3c6d5239 + +Device tree based systems without of_dev_auxdata will have the mdio +device named differently than "davinci_mdio(.0)". In this case use the +device's parent's compatible string for matching + +Signed-off-by: Bartosz Golaszewski +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/ti/davinci_emac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index ab2c7bad7089..0fc5a15f2b8a 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -1387,6 +1387,10 @@ static int emac_devioctl(struct net_device *ndev, struct ifreq *ifrq, int cmd) + + static int match_first_device(struct device *dev, void *data) + { ++ if (dev->parent && dev->parent->of_node) ++ return of_device_is_compatible(dev->parent->of_node, ++ "ti,davinci_mdio"); ++ + return !strncmp(dev_name(dev), "davinci_mdio", 12); + } + +-- +2.16.4 + diff --git a/patches.suse/net-dsa-b53-Add-BCM5389-support.patch b/patches.suse/net-dsa-b53-Add-BCM5389-support.patch new file mode 100644 index 0000000..1562139 --- /dev/null +++ b/patches.suse/net-dsa-b53-Add-BCM5389-support.patch 
@@ -0,0 +1,109 @@ +From b1f31bcb8ab3a3324405568dccde455d96587e22 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Damien=20Th=C3=A9bault?= +Date: Thu, 31 May 2018 07:04:01 +0000 +Subject: [PATCH 8/8] net: dsa: b53: Add BCM5389 support +References: git-fixes +Patch-mainline: v4.17 +Git-commit: a95691bc54af1ac4b12c354f91e9cabf1cb068df + +This patch adds support for the BCM5389 switch connected through MDIO. + +Signed-off-by: Damien Thébault +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + Documentation/devicetree/bindings/net/dsa/b53.txt | 1 + + drivers/net/dsa/b53/b53_common.c | 13 +++++++++++++ + drivers/net/dsa/b53/b53_mdio.c | 5 ++++- + drivers/net/dsa/b53/b53_priv.h | 1 + + 4 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/net/dsa/b53.txt b/Documentation/devicetree/bindings/net/dsa/b53.txt +index 8ec2ca21adeb..dbf3024239f9 100644 +--- a/Documentation/devicetree/bindings/net/dsa/b53.txt ++++ b/Documentation/devicetree/bindings/net/dsa/b53.txt +@@ -10,6 +10,7 @@ Required properties: + "brcm,bcm53128" + "brcm,bcm5365" + "brcm,bcm5395" ++ "brcm,bcm5389" + "brcm,bcm5397" + "brcm,bcm5398" + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 8d00d27c53bb..9cecb3237867 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1702,6 +1702,18 @@ static const struct b53_chip_data b53_switch_chips[] = { + .cpu_port = B53_CPU_PORT_25, + .duplex_reg = B53_DUPLEX_STAT_FE, + }, ++ { ++ .chip_id = BCM5389_DEVICE_ID, ++ .dev_name = "BCM5389", ++ .vlans = 4096, ++ .enabled_ports = 0x1f, ++ .arl_entries = 4, ++ .cpu_port = B53_CPU_PORT, ++ .vta_regs = B53_VTA_REGS, ++ .duplex_reg = B53_DUPLEX_STAT_GE, ++ .jumbo_pm_reg = B53_JUMBO_PORT_MASK, ++ .jumbo_size_reg = B53_JUMBO_MAX_SIZE, ++ }, + { + .chip_id = BCM5395_DEVICE_ID, + .dev_name = "BCM5395", +@@ -2031,6 +2043,7 @@ int b53_switch_detect(struct b53_device *dev) + 
else + dev->chip_id = BCM5365_DEVICE_ID; + break; ++ case BCM5389_DEVICE_ID: + case BCM5395_DEVICE_ID: + case BCM5397_DEVICE_ID: + case BCM5398_DEVICE_ID: +diff --git a/drivers/net/dsa/b53/b53_mdio.c b/drivers/net/dsa/b53/b53_mdio.c +index fa7556f5d4fb..a533a90e3904 100644 +--- a/drivers/net/dsa/b53/b53_mdio.c ++++ b/drivers/net/dsa/b53/b53_mdio.c +@@ -285,6 +285,7 @@ static const struct b53_io_ops b53_mdio_ops = { + #define B53_BRCM_OUI_1 0x0143bc00 + #define B53_BRCM_OUI_2 0x03625c00 + #define B53_BRCM_OUI_3 0x00406000 ++#define B53_BRCM_OUI_4 0x01410c00 + + static int b53_mdio_probe(struct mdio_device *mdiodev) + { +@@ -311,7 +312,8 @@ static int b53_mdio_probe(struct mdio_device *mdiodev) + */ + if ((phy_id & 0xfffffc00) != B53_BRCM_OUI_1 && + (phy_id & 0xfffffc00) != B53_BRCM_OUI_2 && +- (phy_id & 0xfffffc00) != B53_BRCM_OUI_3) { ++ (phy_id & 0xfffffc00) != B53_BRCM_OUI_3 && ++ (phy_id & 0xfffffc00) != B53_BRCM_OUI_4) { + dev_err(&mdiodev->dev, "Unsupported device: 0x%08x\n", phy_id); + return -ENODEV; + } +@@ -360,6 +362,7 @@ static const struct of_device_id b53_of_match[] = { + { .compatible = "brcm,bcm53125" }, + { .compatible = "brcm,bcm53128" }, + { .compatible = "brcm,bcm5365" }, ++ { .compatible = "brcm,bcm5389" }, + { .compatible = "brcm,bcm5395" }, + { .compatible = "brcm,bcm5397" }, + { .compatible = "brcm,bcm5398" }, +diff --git a/drivers/net/dsa/b53/b53_priv.h b/drivers/net/dsa/b53/b53_priv.h +index fa05db0870d6..154f1a8e8546 100644 +--- a/drivers/net/dsa/b53/b53_priv.h ++++ b/drivers/net/dsa/b53/b53_priv.h +@@ -48,6 +48,7 @@ struct b53_io_ops { + enum { + BCM5325_DEVICE_ID = 0x25, + BCM5365_DEVICE_ID = 0x65, ++ BCM5389_DEVICE_ID = 0x89, + BCM5395_DEVICE_ID = 0x95, + BCM5397_DEVICE_ID = 0x97, + BCM5398_DEVICE_ID = 0x98, +-- +2.16.4 + diff --git a/patches.suse/net-dsa-mt7530-fix-module-autoloading-for-OF-platfor.patch b/patches.suse/net-dsa-mt7530-fix-module-autoloading-for-OF-platfor.patch new file mode 100644 index 0000000..dcbaca4 --- /dev/null 
+++ b/patches.suse/net-dsa-mt7530-fix-module-autoloading-for-OF-platfor.patch @@ -0,0 +1,35 @@ +From 1426a112eb5e4754c772a8b19a9c411018cc7045 Mon Sep 17 00:00:00 2001 +From: Sean Wang +Date: Mon, 26 Mar 2018 18:07:10 +0800 +Subject: [PATCH 6/8] net: dsa: mt7530: fix module autoloading for OF platform + drivers +References: git-fixes +Patch-mainline: v4.16 +Git-commit: 3c82b372a9f44aa224b8d5106ff6f1ad516fa8a8 + +It's required to create a modules.alias via MODULE_DEVICE_TABLE helper +for the OF platform driver. Otherwise, module autoloading cannot work. + +Signed-off-by: Sean Wang +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/dsa/mt7530.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index 10bc0f3082a7..9592d5b4046d 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -1104,6 +1104,7 @@ static const struct of_device_id mt7530_of_match[] = { + { .compatible = "mediatek,mt7530" }, + { /* sentinel */ }, + }; ++MODULE_DEVICE_TABLE(of, mt7530_of_match); + + static struct mdio_driver mt7530_mdio_driver = { + .probe = mt7530_probe, +-- +2.16.4 + diff --git a/patches.suse/net-dsa-qca8k-Add-support-for-QCA8334-switch.patch b/patches.suse/net-dsa-qca8k-Add-support-for-QCA8334-switch.patch new file mode 100644 index 0000000..c601cdf --- /dev/null +++ b/patches.suse/net-dsa-qca8k-Add-support-for-QCA8334-switch.patch 
@@ -0,0 +1,34 @@
+From 54954337995f25829e861e19e837b2feaa22780c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Vok=C3=A1=C4=8D?=
+Date: Wed, 23 May 2018 08:20:19 +0200
+Subject: [PATCH 2/7] net: dsa: qca8k: Add support for QCA8334 switch
+References: git-fixes
+Patch-mainline: v4.18-rc1
+Git-commit: 64cf81675a1f64c1b311e4611dd3b6a961607612
+
+Add support for the four-port variant of the Qualcomm QCA833x switch.
+
+Signed-off-by: Michal Vokáč
+Reviewed-by: Andrew Lunn
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/dsa/qca8k.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/dsa/qca8k.c b/drivers/net/dsa/qca8k.c
+index e9f5013558c8..62dac168321e 100644
+--- a/drivers/net/dsa/qca8k.c
++++ b/drivers/net/dsa/qca8k.c
+@@ -1042,6 +1042,7 @@ static SIMPLE_DEV_PM_OPS(qca8k_pm_ops,
+ qca8k_suspend, qca8k_resume);
+
+ static const struct of_device_id qca8k_of_match[] = {
++ { .compatible = "qca,qca8334" },
+ { .compatible = "qca,qca8337" },
+ { /* sentinel */ },
+ };
+--
+2.16.4
+
diff --git a/patches.suse/net-emac-fix-fixed-link-setup-for-the-RTL8363SB-swit.patch b/patches.suse/net-emac-fix-fixed-link-setup-for-the-RTL8363SB-swit.patch
new file mode 100644
index 0000000..19b937d
--- /dev/null
+++ b/patches.suse/net-emac-fix-fixed-link-setup-for-the-RTL8363SB-swit.patch
@@ -0,0 +1,57 @@
+From 4516a76b0ee26777ae8e8c8e787817ebb24a93e8 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter
+Date: Mon, 17 Sep 2018 17:22:40 +0200
+Subject: [PATCH 7/7] net: emac: fix fixed-link setup for the RTL8363SB switch
+References: git-fixes
+Patch-mainline: v4.19-rc6
+Git-commit: 08e39982ef64f800fd1f9b9b92968d14d5fafa82
+
+On the Netgear WNDAP620, the emac ethernet isn't receiving nor
+xmitting any frames from/to the RTL8363SB (identifies itself
+as a RTL8367RB).
+
+This is caused by the emac hardware not knowing the forced link
+parameters for speed, duplex, pause, etc.
+
+This begs the question, how this was working on the original
+driver code, when it was necessary to set the phy_address and
+phy_map to 0xffffffff. But I guess without access to the old
+PPC405/440/460 hardware, it's not possible to know.
+
+Signed-off-by: Christian Lamparter
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/ibm/emac/core.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/emac/core.c b/drivers/net/ethernet/ibm/emac/core.c
+index d28e5a9a1363..b7d65158e498 100644
+--- a/drivers/net/ethernet/ibm/emac/core.c
++++ b/drivers/net/ethernet/ibm/emac/core.c
+@@ -2673,12 +2673,17 @@ static int emac_init_phy(struct emac_instance *dev)
+ if (of_phy_is_fixed_link(np)) {
+ int res = emac_dt_mdio_probe(dev);
+
+- if (!res) {
+- res = of_phy_register_fixed_link(np);
+- if (res)
+- mdiobus_unregister(dev->mii_bus);
++ if (res)
++ return res;
++
++ res = of_phy_register_fixed_link(np);
++ dev->phy_dev = of_phy_find_device(np);
++ if (res || !dev->phy_dev) {
++ mdiobus_unregister(dev->mii_bus);
++ return res ? res : -EINVAL;
+ }
+- return res;
++ emac_adjust_link(dev->ndev);
++ put_device(&dev->phy_dev->mdio.dev);
+ }
+ return 0;
+ }
+--
+2.16.4
+
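Review bot: In the fixed-link branch of emac_init_phy(), `put_device(&dev->phy_dev->mdio.dev)` releases the reference obtained by `of_phy_find_device()` while `dev->phy_dev` stays set, so later users of `dev->phy_dev` hold an unreferenced pointer unless something outside this hunk keeps the PHY alive. The error path is also incomplete: when `of_phy_register_fixed_link()` succeeds but the lookup returns NULL, the fixed link stays registered after `mdiobus_unregister()`. Checking `res` before the lookup and calling `of_phy_deregister_fixed_link(np)` on the NULL path would make the unwind symmetric. Whether the reference should instead be kept until teardown depends on code outside the hunk, since emac_init_phy() starts before it.

```c
		res = of_phy_register_fixed_link(np);
		if (res) {
			mdiobus_unregister(dev->mii_bus);
			return res;
		}

		dev->phy_dev = of_phy_find_device(np);
		if (!dev->phy_dev) {
			of_phy_deregister_fixed_link(np);
			mdiobus_unregister(dev->mii_bus);
			return -EINVAL;
		}
		/* ... unchanged: emac_adjust_link() and put_device() ... */
```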
diff --git a/patches.suse/net-ethernet-ti-cpsw-phy-sel-check-bus_find_device-r.patch b/patches.suse/net-ethernet-ti-cpsw-phy-sel-check-bus_find_device-r.patch
new file mode 100644
index 0000000..1c2d3a5
--- /dev/null
+++ b/patches.suse/net-ethernet-ti-cpsw-phy-sel-check-bus_find_device-r.patch
@@ -0,0 +1,55 @@
+From b625efefa055fff63b604f36284e5f11549bf49d Mon Sep 17 00:00:00 2001
+From: Grygorii Strashko
+Date: Tue, 15 May 2018 18:37:25 -0500
+Subject: [PATCH 1/7] net: ethernet: ti: cpsw-phy-sel: check bus_find_device()
+ ret value
+References: git-fixes
+Patch-mainline: v4.18-rc1
+Git-commit: c6213eb1aee308e67377fd1890d84f7284caf531
+
+This fixes klockworks warnings: Pointer 'dev' returned from call to
+function 'bus_find_device' at line 179 may be NULL and will be dereferenced
+at line 181.
+
+ cpsw-phy-sel.c:179: 'dev' is assigned the return value from function 'bus_find_device'.
+ bus.c:342: 'bus_find_device' explicitly returns a NULL value.
+ cpsw-phy-sel.c:181: 'dev' is dereferenced by passing argument 1 to function 'dev_get_drvdata'.
+ device.h:1024: 'dev' is passed to function 'dev_get_drvdata'.
+ device.h:1026: 'dev' is explicitly dereferenced.
+
+Signed-off-by: Grygorii Strashko
+[nsekhar@ti.com: add an error message, fix return path]
+Signed-off-by: Sekhar Nori
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/ti/cpsw-phy-sel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/cpsw-phy-sel.c b/drivers/net/ethernet/ti/cpsw-phy-sel.c
+index 18013645e76c..0c1adad7415d 100644
+--- a/drivers/net/ethernet/ti/cpsw-phy-sel.c
++++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c
+@@ -177,12 +177,18 @@ void cpsw_phy_sel(struct device *dev, phy_interface_t phy_mode, int slave)
+ }
+
+ dev = bus_find_device(&platform_bus_type, NULL, node, match);
+- of_node_put(node);
++ if (!dev) {
++ dev_err(dev, "unable to find platform device for %pOF\n", node);
++ goto out;
++ }
++
+ priv = dev_get_drvdata(dev);
+
+ priv->cpsw_phy_sel(priv, phy_mode, slave);
+
+ put_device(dev);
++out:
++ of_node_put(node);
+ }
+ EXPORT_SYMBOL_GPL(cpsw_phy_sel);
+
+--
+2.16.4
+
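Review bot: The new `if (!dev)` branch in cpsw_phy_sel() passes the pointer it has just found to be NULL to `dev_err()`, because `dev` was overwritten by the `bus_find_device()` result, so the message is emitted without any device context. Either keep the caller's device in a separate local for logging, or log without a device: `pr_err("cpsw-phy-sel: unable to find platform device for %pOF\n", node);`. Moving `of_node_put(node)` behind the `out:` label is consistent with this, since `node` is still read by the message. The function starts before the hunk, so how `dev` is used earlier is not visible here.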
diff --git a/patches.suse/net-ipv6-send-NS-for-DAD-when-link-operationally-up.patch b/patches.suse/net-ipv6-send-NS-for-DAD-when-link-operationally-up.patch
new file mode 100644
index 0000000..245820a
--- /dev/null
+++ b/patches.suse/net-ipv6-send-NS-for-DAD-when-link-operationally-up.patch
@@ -0,0 +1,75 @@
+From 1ade0662e2dc7c31c701e384a0d6da0971e235a8 Mon Sep 17 00:00:00 2001
+From: Mike Manning
+Date: Mon, 25 Sep 2017 22:01:36 +0100
+Subject: [PATCH 1/7] net: ipv6: send NS for DAD when link operationally up
+Git-commit: 1f372c7bfb23286d2bf4ce0423ab488e86b74bb2
+Patch-mainline: 4.15-rc1
+References: git-fixes
+
+The NS for DAD are sent on admin up as long as a valid qdisc is found.
+A race condition exists by which these packets will not egress the
+interface if the operational state of the lower device is not yet up.
+The solution is to delay DAD until the link is operationally up
+according to RFC2863. Rather than only doing this, follow the existing
+code checks by deferring IPv6 device initialization altogether. The fix
+allows DAD on devices like tunnels that are controlled by userspace
+control plane. The fix has no impact on regular deployments, but means
+that there is no IPv6 connectivity until the port has been opened in
+the case of port-based network access control, which should be
+desirable.
+
+Signed-off-by: Mike Manning
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/ipv6/addrconf.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index fc7dae23c492..67ddc0d22609 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -304,10 +304,10 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
+ .disable_policy = 0,
+ };
+
+-/* Check if a valid qdisc is available */
+-static inline bool addrconf_qdisc_ok(const struct net_device *dev)
++/* Check if link is ready: is it up and is a valid qdisc available */
++static inline bool addrconf_link_ready(const struct net_device *dev)
+ {
+- return !qdisc_tx_is_noop(dev);
++ return netif_oper_up(dev) && !qdisc_tx_is_noop(dev);
+ }
+
+ static void addrconf_del_rs_timer(struct inet6_dev *idev)
+@@ -450,7 +450,7 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
+
+ ndev->token = in6addr_any;
+
+- if (netif_running(dev) && addrconf_qdisc_ok(dev))
++ if (netif_running(dev) && addrconf_link_ready(dev))
+ ndev->if_flags |= IF_READY;
+
+ ipv6_mc_init_dev(ndev);
+@@ -3482,7 +3482,7 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
+ /* restore routes for permanent addresses */
+ addrconf_permanent_addr(dev);
+
+- if (!addrconf_qdisc_ok(dev)) {
++ if (!addrconf_link_ready(dev)) {
+ /* device is not ready yet. */
+ pr_info("ADDRCONF(NETDEV_UP): %s: link is not ready\n",
+ dev->name);
+@@ -3497,7 +3497,7 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
+ run_pending = 1;
+ }
+ } else if (event == NETDEV_CHANGE) {
+- if (!addrconf_qdisc_ok(dev)) {
++ if (!addrconf_link_ready(dev)) {
+ /* device is still not ready. */
+ break;
+ }
+--
+2.16.4
+
diff --git a/patches.suse/net-iucv-Fix-size-of-interrupt-data.patch b/patches.suse/net-iucv-Fix-size-of-interrupt-data.patch
new file mode 100644
index 0000000..52c9bec
--- /dev/null
+++ b/patches.suse/net-iucv-Fix-size-of-interrupt-data.patch
@@ -0,0 +1,104 @@
+From e745c3035e841a1600ccf9231db5109689bccebb Mon Sep 17 00:00:00 2001
+From: Alexandra Winter
+Date: Wed, 15 Mar 2023 14:14:35 +0100
+Subject: [PATCH] net/iucv: Fix size of interrupt data
+References: bsc#1211466
+Patch-mainline: v6.3-rc3
+Git-commit: 3d87debb8ed2649608ff432699e7c961c0c6f03b
+
+iucv_irq_data needs to be 4 bytes larger.
+These bytes are not used by the iucv module, but written by
+the z/VM hypervisor in case a CPU is deconfigured.
+
+Reported as:
+BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten
+-----------------------------------------------------------------------------
+0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc
+Allocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1
+__kmem_cache_alloc_node+0x166/0x450
+kmalloc_node_trace+0x3a/0x70
+iucv_cpu_prepare+0x44/0xd0
+cpuhp_invoke_callback+0x156/0x2f0
+cpuhp_issue_call+0xf0/0x298
+__cpuhp_setup_state_cpuslocked+0x136/0x338
+__cpuhp_setup_state+0xf4/0x288
+iucv_init+0xf4/0x280
+do_one_initcall+0x78/0x390
+do_initcalls+0x11a/0x140
+kernel_init_freeable+0x25e/0x2a0
+kernel_init+0x2e/0x170
+__ret_from_fork+0x3c/0x58
+ret_from_fork+0xa/0x40
+Freed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1
+__kmem_cache_free+0x308/0x358
+iucv_init+0x92/0x280
+do_one_initcall+0x78/0x390
+do_initcalls+0x11a/0x140
+kernel_init_freeable+0x25e/0x2a0
+kernel_init+0x2e/0x170
+__ret_from_fork+0x3c/0x58
+ret_from_fork+0xa/0x40
+Slab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab|head|node=0|zone=0|
+Object 0x0000000000400540 @offset=1344 fp=0x0000000000000000
+Redzone 0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Object 0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object 0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 f0 f0 f2 ................
+Object 0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc ................
+Object 0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400580: cc cc cc cc cc cc cc cc ........
+Padding 00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
+Padding 00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
+Padding 00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
+CPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1
+Hardware name: IBM 3931 A01 704 (z/VM 7.3.0)
+Call Trace:
+[<000000032aa034ec>] dump_stack_lvl+0xac/0x100
+[<0000000329f5a6cc>] check_bytes_and_report+0x104/0x140
+[<0000000329f5aa78>] check_object+0x370/0x3c0
+[<0000000329f5ede6>] free_debug_processing+0x15e/0x348
+[<0000000329f5f06a>] free_to_partial_list+0x9a/0x2f0
+[<0000000329f5f4a4>] __slab_free+0x1e4/0x3a8
+[<0000000329f61768>] __kmem_cache_free+0x308/0x358
+[<000000032a91465c>] iucv_cpu_dead+0x6c/0x88
+[<0000000329c2fc66>] cpuhp_invoke_callback+0x156/0x2f0
+[<000000032aa062da>] _cpu_down.constprop.0+0x22a/0x5e0
+[<0000000329c3243e>] cpu_device_down+0x4e/0x78
+[<000000032a61dee0>] device_offline+0xc8/0x118
+[<000000032a61e048>] online_store+0x60/0xe0
+[<000000032a08b6b0>] kernfs_fop_write_iter+0x150/0x1e8
+[<0000000329fab65c>] vfs_write+0x174/0x360
+[<0000000329fab9fc>] ksys_write+0x74/0x100
+[<000000032aa03a5a>] __do_syscall+0x1da/0x208
+[<000000032aa177b2>] system_call+0x82/0xb0
+INFO: lockdep is turned off.
+FIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc
+FIX dma-kmalloc-64: Object at 0x0000000000400540 not freed
+
+Fixes: 2356f4cb1911 ("[S390]: Rewrite of the IUCV base code, part 2")
+Signed-off-by: Alexandra Winter
+Link: https://lore.kernel.org/r/20230315131435.4113889-1-wintera@linux.ibm.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Denis Kirjanov
+---
+ net/iucv/iucv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
+index 8f7ef167c45a..255a716fa395 100644
+--- a/net/iucv/iucv.c
++++ b/net/iucv/iucv.c
+@@ -119,7 +119,7 @@ struct iucv_irq_data {
+ u16 ippathid;
+ u8 ipflags1;
+ u8 iptype;
+- u32 res2[8];
++ u32 res2[9];
+ };
+
+ struct iucv_irq_list {
+--
+2.16.4
+
diff --git a/patches.suse/net-mediatek-setup-proper-state-for-disabled-GMAC-on.patch b/patches.suse/net-mediatek-setup-proper-state-for-disabled-GMAC-on.patch
new file mode 100644
index 0000000..9b01e22
--- /dev/null
+++ b/patches.suse/net-mediatek-setup-proper-state-for-disabled-GMAC-on.patch
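Review bot: The new `u32 res2[9];` in struct iucv_irq_data carries no comment, so the reason for the ninth word lives only in the commit message and a later cleanup could shrink the array again and bring back the redzone overwrite shown in the report. Add a comment on the field, for example `/* one word more than the driver reads: z/VM writes it when a CPU is deconfigured */`. Because the size is dictated by what the hypervisor writes into the buffer, a compile-time check on `sizeof(struct iucv_irq_data)` next to the struct would catch an accidental change. From the fields visible in the hunk the size looks like 40 bytes after the change, but the struct's opening line is outside the hunk, so that value needs confirming.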
@@ -0,0 +1,49 @@
+From fbd281229913d52b2d58703af4cf85e5f41da508 Mon Sep 17 00:00:00 2001
+From: Sean Wang
+Date: Mon, 18 Dec 2017 17:00:17 +0800
+Subject: [PATCH 1/8] net: mediatek: setup proper state for disabled GMAC on
+ the default
+References: git-fixes
+Patch-mainline: v4.15-rc5
+Git-commit: 7352e252b5bf40d59342494a70354a2d436fd0cd
+
+The current solution would setup fixed and force link of 1Gbps to the both
+GMAC on the default. However, The GMAC should always be put to link down
+state when the GMAC is disabled on certain target boards. Otherwise,
+the driver possibly receives unexpected data from the floating hardware
+connection through the unused GMAC. Although the driver had been added
+certain protection in RX path to get rid of such kind of unexpected data
+sent to the upper stack.
+
+Signed-off-by: Sean Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 5f15eb86ff00..29142c793c58 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1850,11 +1850,12 @@ static int mtk_hw_init(struct mtk_eth *eth)
+ /* set GE2 TUNE */
+ regmap_write(eth->pctl, GPIO_BIAS_CTRL, 0x0);
+
+- /* GE1, Force 1000M/FD, FC ON */
+- mtk_w32(eth, MAC_MCR_FIXED_LINK, MTK_MAC_MCR(0));
+-
+- /* GE2, Force 1000M/FD, FC ON */
+- mtk_w32(eth, MAC_MCR_FIXED_LINK, MTK_MAC_MCR(1));
++ /* Set linkdown as the default for each GMAC. Its own MCR would be set
++ * up with the more appropriate value when mtk_phy_link_adjust call is
++ * being invoked.
++ */
++ for (i = 0; i < MTK_MAC_COUNT; i++)
++ mtk_w32(eth, 0, MTK_MAC_MCR(i));
+
+ /* Indicates CDM to parse the MTK special tag from CPU
+ * which also is working out for untag packets.
+--
+2.16.4
+
diff --git a/patches.suse/net-mvneta-fix-enable-of-all-initialized-RXQs.patch b/patches.suse/net-mvneta-fix-enable-of-all-initialized-RXQs.patch
new file mode 100644
index 0000000..6cf5845
--- /dev/null
+++ b/patches.suse/net-mvneta-fix-enable-of-all-initialized-RXQs.patch
@@ -0,0 +1,37 @@
+From 0d47970302527780636045ea55ce905abdb44efe Mon Sep 17 00:00:00 2001
+From: Yelena Krivosheev
+Date: Fri, 30 Mar 2018 12:05:31 +0200
+Subject: [PATCH 7/8] net: mvneta: fix enable of all initialized RXQs
+References: git-fixes
+Patch-mainline: v4.16
+Git-commit: e81b5e01c14add8395dfba7130f8829206bb507d
+
+In mvneta_port_up() we enable relevant RX and TX port queues by write
+queues bit map to an appropriate register.
+
+q_map must be ZERO in the beginning of this process.
+
+Signed-off-by: Yelena Krivosheev
+Signed-off-by: Gregory CLEMENT
+Acked-by: Thomas Petazzoni
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/marvell/mvneta.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 10fbd54eafbb..30e5f6a8bb34 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -1137,6 +1137,7 @@ static void mvneta_port_up(struct mvneta_port *pp)
+ }
+ mvreg_write(pp, MVNETA_TXQ_CMD, q_map);
+
++ q_map = 0;
+ /* Enable all initialized RXQs. */
+ for (queue = 0; queue < rxq_number; queue++) {
+ struct mvneta_rx_queue *rxq = &pp->rxqs[queue];
+--
+2.16.4
+
diff --git a/patches.suse/net-propagate-dev_get_valid_name-return-code.patch b/patches.suse/net-propagate-dev_get_valid_name-return-code.patch
new file mode 100644
index 0000000..c4ec564
--- /dev/null
+++ b/patches.suse/net-propagate-dev_get_valid_name-return-code.patch
@@ -0,0 +1,45 @@
+From b5f0e7a99cce7c47ff6ebb3035192b173d361ffd Mon Sep 17 00:00:00 2001
+From: Li RongQing
+Date: Tue, 19 Jun 2018 17:23:17 +0800
+Subject: [PATCH 1/2] net: propagate dev_get_valid_name return code
+References: git-fixes
+Patch-mainline: v4.18-rc2
+Git-commit: 7892bd081045222b9e4027fec279a28d6fe7aa66
+
+if dev_get_valid_name failed, propagate its return code
+
+and remove the setting err to ENODEV, it will be set to
+0 again before dev_change_net_namespace exits.
+
+Signed-off-by: Li RongQing
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/core/dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 1213a4ac3a49..721f0abf1741 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -9153,7 +9153,8 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
+ /* We get here if we can't use the current device name */
+ if (!pat)
+ goto out;
+- if (dev_get_valid_name(net, dev, pat) < 0)
++ err = dev_get_valid_name(net, dev, pat);
++ if (err < 0)
+ goto out;
+ }
+
+@@ -9165,7 +9166,6 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
+ dev_close(dev);
+
+ /* And unlink it from device chain */
+- err = -ENODEV;
+ unlist_netdevice(dev);
+
+ synchronize_net();
+--
+2.16.4
+
diff --git a/patches.suse/net-qca_spi-Fix-log-level-if-probe-fails.patch b/patches.suse/net-qca_spi-Fix-log-level-if-probe-fails.patch
new file mode 100644
index 0000000..0bb89fe
--- /dev/null
+++ b/patches.suse/net-qca_spi-Fix-log-level-if-probe-fails.patch
@@ -0,0 +1,65 @@
+From 49c4929a47698a03bec523f3008083343250c71e Mon Sep 17 00:00:00 2001
+From: Stefan Wahren
+Date: Wed, 18 Jul 2018 08:31:45 +0200
+Subject: [PATCH 5/7] net: qca_spi: Fix log level if probe fails
+References: git-fixes
+Patch-mainline: v4.18-rc6
+Git-commit: 50973993260a6934f0a00da53d9b746cfbea89ab
+
+In cases the probing fails the log level of the messages should
+be an error.
+
+Signed-off-by: Stefan Wahren
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/qualcomm/qca_spi.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
+index 5fda7e033a22..332d9802799a 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -859,22 +859,22 @@ qca_spi_probe(struct spi_device *spi)
+
+ if ((qcaspi_clkspeed < QCASPI_CLK_SPEED_MIN) ||
+ (qcaspi_clkspeed > QCASPI_CLK_SPEED_MAX)) {
+- dev_info(&spi->dev, "Invalid clkspeed: %d\n",
+- qcaspi_clkspeed);
++ dev_err(&spi->dev, "Invalid clkspeed: %d\n",
++ qcaspi_clkspeed);
+ return -EINVAL;
+ }
+
+ if ((qcaspi_burst_len < QCASPI_BURST_LEN_MIN) ||
+ (qcaspi_burst_len > QCASPI_BURST_LEN_MAX)) {
+- dev_info(&spi->dev, "Invalid burst len: %d\n",
+- qcaspi_burst_len);
++ dev_err(&spi->dev, "Invalid burst len: %d\n",
++ qcaspi_burst_len);
+ return -EINVAL;
+ }
+
+ if ((qcaspi_pluggable < QCASPI_PLUGGABLE_MIN) ||
+ (qcaspi_pluggable > QCASPI_PLUGGABLE_MAX)) {
+- dev_info(&spi->dev, "Invalid pluggable: %d\n",
+- qcaspi_pluggable);
++ dev_err(&spi->dev, "Invalid pluggable: %d\n",
++ qcaspi_pluggable);
+ return -EINVAL;
+ }
+
+@@ -935,8 +935,8 @@ qca_spi_probe(struct spi_device *spi)
+ }
+
+ if (register_netdev(qcaspi_devs)) {
+- dev_info(&spi->dev, "Unable to register net device %s\n",
+- qcaspi_devs->name);
++ dev_err(&spi->dev, "Unable to register net device %s\n",
++ qcaspi_devs->name);
+ free_netdev(qcaspi_devs);
+ return -EFAULT;
+ }
+--
+2.16.4
+
diff --git a/patches.suse/net-qcom-emac-Use-proper-free-methods-during-TX.patch b/patches.suse/net-qcom-emac-Use-proper-free-methods-during-TX.patch
new file mode 100644
index 0000000..07d0b2b
--- /dev/null
+++ b/patches.suse/net-qcom-emac-Use-proper-free-methods-during-TX.patch
@@ -0,0 +1,73 @@
+From 388c93a3a44a236da79ea39029a8a7e41e4f35f1 Mon Sep 17 00:00:00 2001
+From: Hemanth Puranik
+Date: Tue, 6 Mar 2018 08:18:06 +0530
+Subject: [PATCH 4/8] net: qcom/emac: Use proper free methods during TX
+References: git-fixes
+Patch-mainline: v4.16-rc7
+Git-commit: cc5db3150e87fe7f7e947bf333b6c1c97f848ecb
+
+This patch fixes the warning messages/call traces seen if DMA debug is
+enabled, In case of fragmented skb's memory was allocated using
+dma_map_page but freed using dma_unmap_single. This patch modifies buffer
+allocations in TX path to use dma_map_page in all the places and
+dma_unmap_page while freeing the buffers.
+
+Signed-off-by: Hemanth Puranik
+Acked-by: Timur Tabi
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/qualcomm/emac/emac-mac.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/emac/emac-mac.c b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
+index 7715a0d4b28b..af197513d75a 100644
+--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
+@@ -1182,9 +1182,9 @@ void emac_mac_tx_process(struct emac_adapter *adpt, struct emac_tx_queue *tx_q)
+ while (tx_q->tpd.consume_idx != hw_consume_idx) {
+ tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.consume_idx);
+ if (tpbuf->dma_addr) {
+- dma_unmap_single(adpt->netdev->dev.parent,
+- tpbuf->dma_addr, tpbuf->length,
+- DMA_TO_DEVICE);
++ dma_unmap_page(adpt->netdev->dev.parent,
++ tpbuf->dma_addr, tpbuf->length,
++ DMA_TO_DEVICE);
+ tpbuf->dma_addr = 0;
+ }
+
+@@ -1341,9 +1341,11 @@ static void emac_tx_fill_tpd(struct emac_adapter *adpt,
+
+ tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.produce_idx);
+ tpbuf->length = mapped_len;
+- tpbuf->dma_addr = dma_map_single(adpt->netdev->dev.parent,
+- skb->data, tpbuf->length,
+- DMA_TO_DEVICE);
++ tpbuf->dma_addr = dma_map_page(adpt->netdev->dev.parent,
++ virt_to_page(skb->data),
++ offset_in_page(skb->data),
++ tpbuf->length,
++ DMA_TO_DEVICE);
+ ret = dma_mapping_error(adpt->netdev->dev.parent,
+ tpbuf->dma_addr);
+ if (ret)
+@@ -1359,9 +1361,12 @@ static void emac_tx_fill_tpd(struct emac_adapter *adpt,
+ if (mapped_len < len) {
+ tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.produce_idx);
+ tpbuf->length = len - mapped_len;
+- tpbuf->dma_addr = dma_map_single(adpt->netdev->dev.parent,
+- skb->data + mapped_len,
+- tpbuf->length, DMA_TO_DEVICE);
++ tpbuf->dma_addr = dma_map_page(adpt->netdev->dev.parent,
++ virt_to_page(skb->data +
++ mapped_len),
++ offset_in_page(skb->data +
++ mapped_len),
++ tpbuf->length, DMA_TO_DEVICE);
+ ret = dma_mapping_error(adpt->netdev->dev.parent,
+ tpbuf->dma_addr);
+ if (ret)
+--
+2.16.4
+
diff --git a/patches.suse/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch b/patches.suse/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch
new file mode 100644
index 0000000..2a3c1ea
--- /dev/null
+++ b/patches.suse/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch
@@ -0,0 +1,134 @@ +From 00a67b7f270eace6e88037f39d01271e7282fe3c Mon Sep 17 00:00:00 2001 +From: Gwangun Jung +Date: Thu, 13 Apr 2023 19:35:54 +0900 +Subject: [PATCH] net: sched: sch_qfq: prevent slab-out-of-bounds in + qfq_activate_agg +Git-commit: 3037933448f60f9acb705997eae62013ecb81e0d +Patch-mainline: v6.3 +References: bsc#1210940 CVE-2023-31436 + +If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device. +The MTU of the loopback device can be set up to 2^31-1. +As a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX. + +Due to the invalid lmax value, an index is generated that exceeds the QFQ_MAX_INDEX(=24) value, causing out-of-bounds read/write errors. + +The following reports a oob access: + +[ 84.582666] BUG: KASAN: slab-out-of-bounds in qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313) +[ 84.583267] Read of size 4 at addr ffff88810f676948 by task ping/301 +[ 84.583686] +[ 84.583797] CPU: 3 PID: 301 Comm: ping Not tainted 6.3.0-rc5 #1 +[ 84.584164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +[ 84.584644] Call Trace: +[ 84.584787] +[ 84.584906] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) +[ 84.585108] print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) +[ 84.585570] kasan_report (mm/kasan/report.c:538) +[ 84.585988] qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313) +[ 84.586599] qfq_enqueue (net/sched/sch_qfq.c:1255) +[ 84.587607] dev_qdisc_enqueue (net/core/dev.c:3776) +[ 84.587749] __dev_queue_xmit (./include/net/sch_generic.h:186 net/core/dev.c:3865 net/core/dev.c:4212) +[ 84.588763] ip_finish_output2 (./include/net/neighbour.h:546 net/ipv4/ip_output.c:228) +[ 84.589460] ip_output (net/ipv4/ip_output.c:430) +[ 84.590132] ip_push_pending_frames (./include/net/dst.h:444 net/ipv4/ip_output.c:126 
net/ipv4/ip_output.c:1586 net/ipv4/ip_output.c:1606) +[ 84.590285] raw_sendmsg (net/ipv4/raw.c:649) +[ 84.591960] sock_sendmsg (net/socket.c:724 net/socket.c:747) +[ 84.592084] __sys_sendto (net/socket.c:2142) +[ 84.593306] __x64_sys_sendto (net/socket.c:2150) +[ 84.593779] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +[ 84.593902] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +[ 84.594070] RIP: 0033:0x7fe568032066 +[ 84.594192] Code: 0e 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c09[ 84.594796] RSP: 002b:00007ffce388b4e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + +Code starting with the faulting instruction +=========================================== +[ 84.595047] RAX: ffffffffffffffda RBX: 00007ffce388cc70 RCX: 00007fe568032066 +[ 84.595281] RDX: 0000000000000040 RSI: 00005605fdad6d10 RDI: 0000000000000003 +[ 84.595515] RBP: 00005605fdad6d10 R08: 00007ffce388eeec R09: 0000000000000010 +[ 84.595749] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 +[ 84.595984] R13: 00007ffce388cc30 R14: 00007ffce388b4f0 R15: 0000001d00000001 +[ 84.596218] +[ 84.596295] +[ 84.596351] Allocated by task 291: +[ 84.596467] kasan_save_stack (mm/kasan/common.c:46) +[ 84.596597] kasan_set_track (mm/kasan/common.c:52) +[ 84.596725] __kasan_kmalloc (mm/kasan/common.c:384) +[ 84.596852] __kmalloc_node (./include/linux/kasan.h:196 mm/slab_common.c:967 mm/slab_common.c:974) +[ 84.596979] qdisc_alloc (./include/linux/slab.h:610 ./include/linux/slab.h:731 net/sched/sch_generic.c:938) +[ 84.597100] qdisc_create (net/sched/sch_api.c:1244) +[ 84.597222] tc_modify_qdisc (net/sched/sch_api.c:1680) +[ 84.597357] rtnetlink_rcv_msg (net/core/rtnetlink.c:6174) +[ 84.597495] netlink_rcv_skb (net/netlink/af_netlink.c:2574) +[ 84.597627] netlink_unicast (net/netlink/af_netlink.c:1340 net/netlink/af_netlink.c:1365) +[ 84.597759] netlink_sendmsg (net/netlink/af_netlink.c:1942) +[ 84.597891] 
sock_sendmsg (net/socket.c:724 net/socket.c:747) +[ 84.598016] ____sys_sendmsg (net/socket.c:2501) +[ 84.598147] ___sys_sendmsg (net/socket.c:2557) +[ 84.598275] __sys_sendmsg (./include/linux/file.h:31 net/socket.c:2586) +[ 84.598399] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +[ 84.598520] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +[ 84.598688] +[ 84.598744] The buggy address belongs to the object at ffff88810f674000 +[ 84.598744] which belongs to the cache kmalloc-8k of size 8192 +[ 84.599135] The buggy address is located 2664 bytes to the right of +[ 84.599135] allocated 7904-byte region [ffff88810f674000, ffff88810f675ee0) +[ 84.599544] +[ 84.599598] The buggy address belongs to the physical page: +[ 84.599777] page:00000000e638567f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f670 +[ 84.600074] head:00000000e638567f order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +[ 84.600330] flags: 0x200000000010200(slab|head|node=0|zone=2) +[ 84.600517] raw: 0200000000010200 ffff888100043180 dead000000000122 0000000000000000 +[ 84.600764] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 +[ 84.601009] page dumped because: kasan: bad access detected +[ 84.601187] +[ 84.601241] Memory state around the buggy address: +[ 84.601396] ffff88810f676800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.601620] ffff88810f676880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.601845] >ffff88810f676900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.602069] ^ +[ 84.602243] ffff88810f676980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.602468] ffff88810f676a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 84.602693] ================================================================== +[ 84.602924] Disabling lock debugging due to kernel taint + +Fixes: 3015f3d2a3cd ("pkt_sched: enable QFQ to support TSO/GSO") +Reported-by: Gwangun Jung +Signed-off-by: Gwangun 
Jung
+Acked-by: Jamal Hadi Salim
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/sched/sch_qfq.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 0b05ac7c848e..05451c33634d 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -421,15 +421,16 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ } else
+ weight = 1;
+
+- if (tb[TCA_QFQ_LMAX]) {
++ if (tb[TCA_QFQ_LMAX])
+ lmax = nla_get_u32(tb[TCA_QFQ_LMAX]);
+- if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
+- pr_notice("qfq: invalid max length %u\n", lmax);
+- return -EINVAL;
+- }
+- } else
++ else
+ lmax = psched_mtu(qdisc_dev(sch));
+
++ if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
++ pr_notice("qfq: invalid max length %u\n", lmax);
++ return -EINVAL;
++ }
++
+ inv_w = ONE_FP / weight;
+ weight = ONE_FP / inv_w;
+
+--
+2.16.4
+
diff --git a/patches.suse/platform-x86-alienware-wmi-Adjust-instance-of-wmi_ev.patch b/patches.suse/platform-x86-alienware-wmi-Adjust-instance-of-wmi_ev.patch
new file mode 100644
index 0000000..6669fb5
--- /dev/null
+++ b/patches.suse/platform-x86-alienware-wmi-Adjust-instance-of-wmi_ev.patch
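Review bot: The range check in qfq_change_class() now also rejects the value derived from `psched_mtu(qdisc_dev(sch))`, but `pr_notice("qfq: invalid max length %u\n", lmax)` does not say where the value came from, so a request that never set TCA_QFQ_LMAX fails with -EINVAL and a message that reads as if it had. A short comment above the check would record why the default is validated as well, e.g. `/* lmax may come from the device MTU, which QFQ does not bound */`. The notice is printed for every rejected request, so `pr_notice_ratelimited()` would keep repeated netlink requests from flooding the log. The function starts and ends outside the hunk, so other writers of `lmax` cannot be checked from here.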
@@ -0,0 +1,59 @@ +From c0e4aa78716401e8d7d5434b69bbf6596b55a936 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 21 Jun 2017 17:01:35 -0500 +Subject: [PATCH] platform/x86: alienware-wmi: Adjust instance of + wmi_evaluate_method calls to 0 +Git-commit: c0e4aa78716401e8d7d5434b69bbf6596b55a936 +References: git-fixes +Patch-mainline: v4.13-rc1 + +Pali recently noticed that WMI instances are zero indexed. + +The only reason that these calls all worked properly is because the ASL +didn't verify the instance number. + +Signed-off-by: Mario Limonciello +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Oliver Neukum +--- + drivers/platform/x86/alienware-wmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c +index d6b34923fb4e..9866fec78c1c 100644 +--- a/drivers/platform/x86/alienware-wmi.c ++++ b/drivers/platform/x86/alienware-wmi.c +@@ -303,7 +303,7 @@ static int alienware_update_led(struct platform_zone *zone) + } + pr_debug("alienware-wmi: guid %s method %d\n", guid, method_id); + +- status = wmi_evaluate_method(guid, 1, method_id, &input, NULL); ++ status = wmi_evaluate_method(guid, 0, method_id, &input, NULL); + if (ACPI_FAILURE(status)) + pr_err("alienware-wmi: zone set failure: %u\n", status); + return ACPI_FAILURE(status); +@@ -352,7 +352,7 @@ static int wmax_brightness(int brightness) + }; + input.length = (acpi_size) sizeof(args); + input.pointer = &args; +- status = wmi_evaluate_method(WMAX_CONTROL_GUID, 1, ++ status = wmi_evaluate_method(WMAX_CONTROL_GUID, 0, + WMAX_METHOD_BRIGHTNESS, &input, NULL); + if (ACPI_FAILURE(status)) + pr_err("alienware-wmi: brightness set failure: %u\n", status); +@@ -506,10 +506,10 @@ static acpi_status alienware_wmax_command(struct wmax_basic_args *in_args, + if (out_data != NULL) { + output.length = ACPI_ALLOCATE_BUFFER; + output.pointer = NULL; +- status = wmi_evaluate_method(WMAX_CONTROL_GUID, 1, ++ status = 
wmi_evaluate_method(WMAX_CONTROL_GUID, 0, + command, &input, &output); + } else +- status = wmi_evaluate_method(WMAX_CONTROL_GUID, 1, ++ status = wmi_evaluate_method(WMAX_CONTROL_GUID, 0, + command, &input, NULL); + + if (ACPI_SUCCESS(status) && out_data != NULL) { +-- +2.40.1 + diff --git a/patches.suse/platform-x86-alienware-wmi-constify-attribute_group-.patch b/patches.suse/platform-x86-alienware-wmi-constify-attribute_group-.patch new file mode 100644 index 0000000..6f87c0f --- /dev/null +++ b/patches.suse/platform-x86-alienware-wmi-constify-attribute_group-.patch 
@@ -0,0 +1,62 @@
+From 4b7942d8d1ced3c82495953cb0bb90e7de6dbba6 Mon Sep 17 00:00:00 2001
+From: Arvind Yadav
+Date: Tue, 11 Jul 2017 16:18:17 +0530
+Subject: [PATCH] platform/x86: alienware-wmi: constify attribute_group
+ structures.
+Git-commit: 4b7942d8d1ced3c82495953cb0bb90e7de6dbba6
+References: git-fixes
+Patch-mainline: v4.13-rc1
+
+attribute_groups are not supposed to change at runtime. All functions
+working with attribute_groups provided by work
+with const attribute_group. So mark the non-const structs as const.
+
+File size before:
+ text data bss dec hex filename
+ 6932 1016 48 7996 1f3c drivers/platform/x86/alienware-wmi.o
+
+File size After adding 'const':
+ text data bss dec hex filename
+ 7060 888 48 7996 1f64 drivers/platform/x86/alienware-wmi.o
+
+Signed-off-by: Arvind Yadav
+Signed-off-by: Darren Hart (VMware)
+Signed-off-by: Oliver Neukum
+---
+ drivers/platform/x86/alienware-wmi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c
+index 9866fec78c1c..0831b428c217 100644
+--- a/drivers/platform/x86/alienware-wmi.c
++++ b/drivers/platform/x86/alienware-wmi.c
+@@ -604,7 +604,7 @@ static struct attribute *hdmi_attrs[] = {
+ NULL,
+ };
+
+-static struct attribute_group hdmi_attribute_group = {
++static const struct attribute_group hdmi_attribute_group = {
+ .name = "hdmi",
+ .attrs = hdmi_attrs,
+ };
+@@ -660,7 +660,7 @@ static struct attribute *amplifier_attrs[] = {
+ NULL,
+ };
+
+-static struct attribute_group amplifier_attribute_group = {
++static const struct attribute_group amplifier_attribute_group = {
+ .name = "amplifier",
+ .attrs = amplifier_attrs,
+ };
+@@ -741,7 +741,7 @@ static struct attribute *deepsleep_attrs[] = {
+ NULL,
+ };
+
+-static struct attribute_group deepsleep_attribute_group = {
++static const struct attribute_group deepsleep_attribute_group = {
+ .name = "deepsleep",
+ .attrs = deepsleep_attrs,
+ };
+--
+2.40.1
+
diff --git a/patches.suse/platform-x86-alienware-wmi-fix-format-string-overflo.patch b/patches.suse/platform-x86-alienware-wmi-fix-format-string-overflo.patch
new file mode 100644
index 0000000..f769bf1
--- /dev/null
+++ b/patches.suse/platform-x86-alienware-wmi-fix-format-string-overflo.patch
@@ -0,0 +1,122 @@ +From 22ff1a362df262dcc56ce282d9d658350c1fc036 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 20 Jul 2017 18:00:51 +0200 +Subject: [PATCH] platform/x86: alienware-wmi: fix format string overflow + warning +Git-commit: 22ff1a362df262dcc56ce282d9d658350c1fc036 +References: git-fixes +Patch-mainline: v4.14-rc1 + +gcc points out a possible format string overflow for a large value of 'zone': + +drivers/platform/x86/alienware-wmi.c: In function 'alienware_wmi_init': +drivers/platform/x86/alienware-wmi.c:461:24: error: '%02X' directive writing between 2 and 8 bytes into a region of size 6 [-Werror=format-overflow=] + sprintf(buffer, "zone%02X", i); + ^~~~ +drivers/platform/x86/alienware-wmi.c:461:19: note: directive argument in the range [0, 2147483646] + sprintf(buffer, "zone%02X", i); + ^~~~~~~~~~ +drivers/platform/x86/alienware-wmi.c:461:3: note: 'sprintf' output between 7 and 13 bytes into a destination of size 10 + +This replaces the 'int' variable with an 'u8' to make sure +it always fits, renaming the variable to 'zone' for clarity. + +Unfortunately, gcc-7.1.1 still warns about it with that change, which +seems to be unintended by the gcc developers. I have opened a bug +against gcc with a reduced test case. As a workaround, I also +change the format string to use "%02hhX", which shuts up the +warning in that version. 
+ +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81483 +Link: https://patchwork.ozlabs.org/patch/788415/ +Suggested-by: Andy Shevchenko +Signed-off-by: Arnd Bergmann +[andy: added empty lines after u8 zone; definitions] +Signed-off-by: Andy Shevchenko +Signed-off-by: Oliver Neukum +--- + drivers/platform/x86/alienware-wmi.c | 40 +++++++++++++++------------- + 1 file changed, 21 insertions(+), 19 deletions(-) + +diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c +index 0831b428c217..4eb8e1a472b2 100644 +--- a/drivers/platform/x86/alienware-wmi.c ++++ b/drivers/platform/x86/alienware-wmi.c +@@ -255,12 +255,13 @@ static int parse_rgb(const char *buf, struct platform_zone *zone) + + static struct platform_zone *match_zone(struct device_attribute *attr) + { +- int i; +- for (i = 0; i < quirks->num_zones; i++) { +- if ((struct device_attribute *)zone_data[i].attr == attr) { ++ u8 zone; ++ ++ for (zone = 0; zone < quirks->num_zones; zone++) { ++ if ((struct device_attribute *)zone_data[zone].attr == attr) { + pr_debug("alienware-wmi: matched zone location: %d\n", +- zone_data[i].location); +- return &zone_data[i]; ++ zone_data[zone].location); ++ return &zone_data[zone]; + } + } + return NULL; +@@ -420,7 +421,7 @@ static DEVICE_ATTR(lighting_control_state, 0644, show_control_state, + + static int alienware_zone_init(struct platform_device *dev) + { +- int i; ++ u8 zone; + char buffer[10]; + char *name; + +@@ -457,19 +458,19 @@ static int alienware_zone_init(struct platform_device *dev) + if (!zone_data) + return -ENOMEM; + +- for (i = 0; i < quirks->num_zones; i++) { +- sprintf(buffer, "zone%02X", i); ++ for (zone = 0; zone < quirks->num_zones; zone++) { ++ sprintf(buffer, "zone%02hhX", zone); + name = kstrdup(buffer, GFP_KERNEL); + if (name == NULL) + return 1; +- sysfs_attr_init(&zone_dev_attrs[i].attr); +- zone_dev_attrs[i].attr.name = name; +- zone_dev_attrs[i].attr.mode = 0644; +- zone_dev_attrs[i].show = zone_show; +- 
zone_dev_attrs[i].store = zone_set; +- zone_data[i].location = i; +- zone_attrs[i] = &zone_dev_attrs[i].attr; +- zone_data[i].attr = &zone_dev_attrs[i]; ++ sysfs_attr_init(&zone_dev_attrs[zone].attr); ++ zone_dev_attrs[zone].attr.name = name; ++ zone_dev_attrs[zone].attr.mode = 0644; ++ zone_dev_attrs[zone].show = zone_show; ++ zone_dev_attrs[zone].store = zone_set; ++ zone_data[zone].location = zone; ++ zone_attrs[zone] = &zone_dev_attrs[zone].attr; ++ zone_data[zone].attr = &zone_dev_attrs[zone]; + } + zone_attrs[quirks->num_zones] = &dev_attr_lighting_control_state.attr; + zone_attribute_group.attrs = zone_attrs; +@@ -481,12 +482,13 @@ static int alienware_zone_init(struct platform_device *dev) + + static void alienware_zone_exit(struct platform_device *dev) + { ++ u8 zone; ++ + sysfs_remove_group(&dev->dev.kobj, &zone_attribute_group); + led_classdev_unregister(&global_led); + if (zone_dev_attrs) { +- int i; +- for (i = 0; i < quirks->num_zones; i++) +- kfree(zone_dev_attrs[i].attr.name); ++ for (zone = 0; zone < quirks->num_zones; zone++) ++ kfree(zone_dev_attrs[zone].attr.name); + } + kfree(zone_dev_attrs); + kfree(zone_data); +-- +2.40.1 + diff --git a/patches.suse/platform-x86-alienware-wmi-fix-kfree-on-potentially-.patch b/patches.suse/platform-x86-alienware-wmi-fix-kfree-on-potentially-.patch new file mode 100644 index 0000000..6c52479 --- /dev/null +++ b/patches.suse/platform-x86-alienware-wmi-fix-kfree-on-potentially-.patch 
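Review bot: In alienware_zone_init the name is still built with an unbounded `sprintf(buffer, "zone%02hhX", zone);` into `char buffer[10]`, so the bound rests on the `u8` type and the `hh` modifier rather than on the buffer size; `snprintf(buffer, sizeof(buffer), "zone%02hhX", zone);` would bound the write directly. The loops in match_zone, alienware_zone_init and alienware_zone_exit now compare a `u8` counter against `quirks->num_zones`, whose type is declared outside these hunks. If that field can ever exceed 255 the counter wraps and the loops would not terminate, so a range check on num_zones or a comment stating its maximum would help. The function bodies continue outside the hunks.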
@@ -0,0 +1,64 @@ +From 98e2630284ab741804bd0713e932e725466f2f84 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Sat, 30 Mar 2019 00:17:12 +0000 +Subject: [PATCH] platform/x86: alienware-wmi: fix kfree on potentially + uninitialized pointer +Git-commit: 98e2630284ab741804bd0713e932e725466f2f84 +References: git-fixes +Patch-mainline: v5.2-rc1 + +Currently the kfree of output.pointer can be potentially freeing +an uninitalized pointer in the case where out_data is NULL. Fix this +by reworking the case where out_data is not-null to perform the +ACPI status check and also the kfree of outpoint.pointer in one block +and hence ensuring the pointer is only freed when it has been used. + +Also replace the if (ptr != NULL) idiom with just if (ptr). + +Fixes: ff0e9f26288d ("platform/x86: alienware-wmi: Correct a memory leak") +Signed-off-by: Colin Ian King +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Oliver Neukum +--- + drivers/platform/x86/alienware-wmi.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c +index f10af5c383c5..c0d1555735cd 100644 +--- a/drivers/platform/x86/alienware-wmi.c ++++ b/drivers/platform/x86/alienware-wmi.c +@@ -522,23 +522,22 @@ static acpi_status alienware_wmax_command(struct wmax_basic_args *in_args, + + input.length = (acpi_size) sizeof(*in_args); + input.pointer = in_args; +- if (out_data != NULL) { ++ if (out_data) { + output.length = ACPI_ALLOCATE_BUFFER; + output.pointer = NULL; + status = wmi_evaluate_method(WMAX_CONTROL_GUID, 0, + command, &input, &output); +- } else ++ if (ACPI_SUCCESS(status)) { ++ obj = (union acpi_object *)output.pointer; ++ if (obj && obj->type == ACPI_TYPE_INTEGER) ++ *out_data = (u32)obj->integer.value; ++ } ++ kfree(output.pointer); ++ } else { + status = wmi_evaluate_method(WMAX_CONTROL_GUID, 0, + command, &input, NULL); +- +- if (ACPI_SUCCESS(status) && out_data != NULL) { +- obj = 
(union acpi_object *)output.pointer; +- if (obj && obj->type == ACPI_TYPE_INTEGER) +- *out_data = (u32) obj->integer.value; + } +- kfree(output.pointer); + return status; +- + } + + /* +-- +2.40.1 + diff --git a/patches.suse/platform-x86-dell-laptop-fix-rfkill-functionality.patch b/patches.suse/platform-x86-dell-laptop-fix-rfkill-functionality.patch new file mode 100644 index 0000000..68d5d45 --- /dev/null +++ b/patches.suse/platform-x86-dell-laptop-fix-rfkill-functionality.patch 
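Review bot: In alienware_wmax_command the `out_data` branch still returns a success status when the call succeeds but `obj` is NULL or not `ACPI_TYPE_INTEGER`, leaving `*out_data` unwritten. A caller that does not pre-initialise its variable would then act on whatever value it held before; the callers are outside this hunk, so this needs confirming. Consider reporting the mismatch, for example `else status = AE_TYPE;` after the integer check, or adding a comment that callers must initialise `*out_data` themselves.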
@@ -0,0 +1,60 @@
+From 6cc13c28da5beee0f706db6450e190709700b34a Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Wed, 27 Mar 2019 09:25:34 -0500
+Subject: [PATCH] platform/x86: dell-laptop: fix rfkill functionality
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 6cc13c28da5beee0f706db6450e190709700b34a
+REferences: git-fixes
+Patch-mainline: v5.2-rc1
+
+When converting the driver two arguments were transposed leading
+to rfkill not working.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=201427
+Reported-by: Pepijn de Vos
+Fixes: 549b49 ("platform/x86: dell-smbios: Introduce dispatcher for SMM calls")
+Signed-off-by: Mario Limonciello
+Acked-by: Pali Rohár
+Cc: # 4.14.x
+Signed-off-by: Darren Hart (VMware)
+Signed-off-by: Oliver Neukum
+---
+ drivers/platform/x86/dell-laptop.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c
+index 95e6ca116e00..a561f653cf13 100644
+--- a/drivers/platform/x86/dell-laptop.c
++++ b/drivers/platform/x86/dell-laptop.c
+@@ -531,7 +531,7 @@ static void dell_rfkill_query(struct rfkill *rfkill, void *data)
+ return;
+ }
+
+- dell_fill_request(&buffer, 0, 0x2, 0, 0);
++ dell_fill_request(&buffer, 0x2, 0, 0, 0);
+ ret = dell_send_request(&buffer, CLASS_INFO, SELECT_RFKILL);
+ hwswitch = buffer.output[1];
+
+@@ -562,7 +562,7 @@ static int dell_debugfs_show(struct seq_file *s, void *data)
+ return ret;
+ status = buffer.output[1];
+
+- dell_fill_request(&buffer, 0, 0x2, 0, 0);
++ dell_fill_request(&buffer, 0x2, 0, 0, 0);
+ hwswitch_ret = dell_send_request(&buffer, CLASS_INFO, SELECT_RFKILL);
+ if (hwswitch_ret)
+ return hwswitch_ret;
+@@ -647,7 +647,7 @@ static void dell_update_rfkill(struct work_struct *ignored)
+ if (ret != 0)
+ return;
+
+- dell_fill_request(&buffer, 0, 0x2, 0, 0);
++ dell_fill_request(&buffer, 0x2, 0, 0, 0);
+ ret = dell_send_request(&buffer,
CLASS_INFO, SELECT_RFKILL);
+
+ if (ret == 0 && (status & BIT(0)))
+--
+2.40.1
+
diff --git a/patches.suse/platform-x86-dell-smbios-wmi-Add-missing-kfree-in-er.patch b/patches.suse/platform-x86-dell-smbios-wmi-Add-missing-kfree-in-er.patch
new file mode 100644
index 0000000..849bb7d
--- /dev/null
+++ b/patches.suse/platform-x86-dell-smbios-wmi-Add-missing-kfree-in-er.patch
@@ -0,0 +1,32 @@
+From 0487d4fc42d7f31a56cfd9e2237f9ebd889e6112 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Thu, 26 Aug 2021 16:08:22 +0200
+Subject: [PATCH] platform/x86: dell-smbios-wmi: Add missing kfree in
+ error-exit from run_smbios_call
+Git-commit: 0487d4fc42d7f31a56cfd9e2237f9ebd889e6112
+References: git-fixes
+Patch-mainline: v5.15-rc1
+
+As pointed out be Kees Cook if we return -EIO because the
+obj->type != ACPI_TYPE_BUFFER, then we must kfree the
+output buffer before the return.
+
+Fixes: 1a258e670434 ("platform/x86: dell-smbios-wmi: Add new WMI dispatcher driver")
+Reported-by: Kees Cook
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20210826140822.71198-1-hdegoede@redhat.com
+Signed-off-by: Oliver Neukum
+---
+ drivers/platform/x86/dell-smbios-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/dell-smbios-wmi.c
++++ b/drivers/platform/x86/dell-smbios-wmi.c
+@@ -72,6 +72,7 @@ static int run_smbios_call(struct wmi_de
+ if (obj->type == ACPI_TYPE_INTEGER)
+ dev_dbg(&wdev->dev, "SMBIOS call failed: %llu\n",
+ obj->integer.value);
++ kfree(output.pointer);
+ return -EIO;
+ }
+ memcpy(&priv->buf->std, obj->buffer.pointer, obj->buffer.length);
diff --git a/patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch b/patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch
new file mode 100644
index 0000000..4475e25
--- /dev/null
+++ b/patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch
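Review bot: The patch header for the dell-laptop rfkill fix spells its tag `REferences: git-fixes`, while the other patches on this page use `References:`; if the series tooling matches tag names case-sensitively (not visible here) the reference would be missed, so it should read `References: git-fixes`. The `Fixes: 549b49` tag also carries only six hex digits, which is short enough to become ambiguous over time. On the code side, the positional call `dell_fill_request(&buffer, 0x2, 0, 0, 0);` is repeated in three functions, and a short comment naming what the `0x2` argument selects would make a future transposition easier to spot.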
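Review bot: In run_smbios_call the line right after the corrected error path, `memcpy(&priv->buf->std, obj->buffer.pointer, obj->buffer.length);`, copies a length taken from the ACPI object returned by firmware, and no bound against the destination is visible in this hunk. If that check is not done earlier in the function, which starts outside the hunk, the copy should be limited to the destination's capacity. An oversized reply would then be rejected with `-EIO` after `kfree(output.pointer)`, matching the error path this patch fixes.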
@@ -0,0 +1,47 @@
+From 3a53587423d25c87af4b4126a806a0575104b45e Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Tue, 18 May 2021 14:50:27 +0200
+Subject: [PATCH] platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios
+Git-commit: 3a53587423d25c87af4b4126a806a0575104b45e
+References: git-fixes
+Patch-mainline: v5.13-rc3
+
+init_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems
+where the Dell WMI interface is supported. While exit_dell_smbios_wmi()
+unregisters it unconditionally, this leads to the following oops:
+
+[ 175.722921] ------------[ cut here ]------------
+[ 175.722925] Unexpected driver unregister!
+[ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40
+...
+[ 175.723089] Call Trace:
+[ 175.723094] cleanup_module+0x5/0xedd [dell_smbios]
+...
+[ 175.723148] ---[ end trace 064c34e1ad49509d ]---
+
+Make the unregister happen on the same condition the register happens
+to fix this.
+
+Cc: Mario Limonciello
+Fixes: 1a258e670434 ("platform/x86: dell-smbios-wmi: Add new WMI dispatcher driver")
+Signed-off-by: Hans de Goede
+Reviewed-by: Mario Limonciello
+Reviewed-by: Mark Gross
+Link: https://lore.kernel.org/r/20210518125027.21824-1-hdegoede@redhat.com
+Signed-off-by: Oliver Neukum
+---
+ drivers/platform/x86/dell-smbios-wmi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/dell-smbios-wmi.c
++++ b/drivers/platform/x86/dell-smbios-wmi.c
+@@ -274,7 +274,8 @@ int init_dell_smbios_wmi(void)
+
+ void exit_dell_smbios_wmi(void)
+ {
+- wmi_driver_unregister(&dell_smbios_wmi_driver);
++ if (wmi_supported)
++ wmi_driver_unregister(&dell_smbios_wmi_driver);
+ }
+
+ MODULE_ALIAS("wmi:" DELL_WMI_SMBIOS_GUID);
diff --git a/patches.suse/powerpc-Don-t-try-to-copy-PPR-for-task-with-NULL-pt_.patch b/patches.suse/powerpc-Don-t-try-to-copy-PPR-for-task-with-NULL-pt_.patch
new file mode 100644
index 0000000..8f9534e
--- /dev/null
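Review bot: exit_dell_smbios_wmi() now keys the unregister on `wmi_supported`, which by the description records that the interface was detected rather than that `wmi_driver_register()` succeeded. If registration in init_dell_smbios_wmi() can fail after the flag is set (the body of init is outside this hunk), exit would still unregister a driver that was never registered and hit the same warning. Clearing `wmi_supported` on a failed register, or tracking the registration result separately, would make the two paths symmetric. At minimum a comment such as `/* driver is only registered when the Dell WMI interface was found */` above the new check would record the intent.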
+++ b/patches.suse/powerpc-Don-t-try-to-copy-PPR-for-task-with-NULL-pt_.patch 
@@ -0,0 +1,85 @@
+From fd7276189450110ed835eb0a334e62d2f1c4e3be Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Sun, 26 Mar 2023 16:15:57 -0600
+Subject: [PATCH] powerpc: Don't try to copy PPR for task with NULL pt_regs
+
+References: bsc#1065729
+Patch-mainline: v6.3-rc5
+Git-commit: fd7276189450110ed835eb0a334e62d2f1c4e3be
+
+powerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which
+from my (arguably very short) checking is not commonly done for other
+archs. This is fine, except when PF_IO_WORKER's have been created and
+the task does something that causes a coredump to be generated. Then we
+get this crash:
+
+ Kernel attempted to read user page (160) - exploit attempt? (uid: 1000)
+ BUG: Kernel NULL pointer dereference on read at 0x00000160
+ Faulting instruction address: 0xc0000000000c3a60
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries
+ Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod
+ CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88
+ Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries
+ NIP: c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0
+ REGS: c0000000041833b0 TRAP: 0300 Not tainted (6.3.0-rc2+)
+ MSR: 800000000280b033 CR: 88082828 XER: 200400f8
+ ...
+ NIP memcpy_power7+0x200/0x7d0
+ LR ppr_get+0x64/0xb0
+ Call Trace:
+ ppr_get+0x40/0xb0 (unreliable)
+ __regset_get+0x180/0x1f0
+ regset_get_alloc+0x64/0x90
+ elf_core_dump+0xb98/0x1b60
+ do_coredump+0x1c34/0x24a0
+ get_signal+0x71c/0x1410
+ do_notify_resume+0x140/0x6f0
+ interrupt_exit_user_prepare_main+0x29c/0x320
+ interrupt_exit_user_prepare+0x6c/0xa0
+ interrupt_return_srr_user+0x8/0x138
+
+Because ppr_get() is trying to copy from a PF_IO_WORKER with a NULL
+pt_regs.
+
+Check for a valid pt_regs in both ppc_get/ppr_set, and return an error
+if not set. The actual error value doesn't seem to be important here, so
+just pick -EINVAL.
+
+Fixes: fa439810cc1b ("powerpc/ptrace: Enable support for NT_PPPC_TAR, NT_PPC_PPR, NT_PPC_DSCR")
+Cc: stable@vger.kernel.org # v4.8+
+Signed-off-by: Jens Axboe
+[mpe: Trim oops in change log, add Fixes & Cc stable]
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/d9f63344-fe7c-56ae-b420-4a1a04a2ae4c@kernel.dk
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/kernel/ptrace.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -290,6 +290,9 @@ static int gpr_set(struct task_struct *target, const struct user_regset *regset,
+ unsigned int pos, unsigned int count,
+ void *kbuf, void __user *ubuf)
+ {
++ if (!target->thread.regs)
++ return -EINVAL;
++
+ return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
+ &target->thread.ppr, 0, sizeof(u64));
+ }
+@@ -297,6 +300,9 @@ static int ppr_set(struct task_struct *target, const struct user_regset *regset,
+ unsigned int pos, unsigned int count,
+ const void *kbuf, const void __user *ubuf)
+ {
++ if (!target->thread.regs)
++ return -EINVAL;
++
+ return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+ &target->thread.ppr, 0, sizeof(u64));
+ }
+--
+2.40.0
+
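Review bot: The added `if (!target->thread.regs) return -EINVAL;` guards a pointer that neither visible call dereferences: both hunks copy from `&target->thread.ppr`, a field of the thread struct, whereas the oops in the description comes from a copy that faulted on a NULL pt_regs. In this tree the check therefore appears only to make the PPR regset fail for tasks without pt_regs, which changes what a core dump or ptrace reader gets for those threads; please confirm that is intended and state it in the patch header. The first hunk's context names `gpr_set` although the call shown is `user_regset_copyout`, and the description says `ppc_get`, so it is worth double-checking that the hunks land in ppr_get and ppr_set. Both function signatures start outside the hunks.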
diff --git a/patches.suse/powerpc-Move-idle_loop_prolog-epilog-functions-to-he.patch b/patches.suse/powerpc-Move-idle_loop_prolog-epilog-functions-to-he.patch
new file mode 100644
index 0000000..63b3ae5
--- /dev/null
+++ b/patches.suse/powerpc-Move-idle_loop_prolog-epilog-functions-to-he.patch
@@ -0,0 +1,210 @@ +From e4a884cc28fa3f5d8b81de46998ffe29b4ad169e Mon Sep 17 00:00:00 2001 +From: "Gautham R. Shenoy" +Date: Tue, 7 Apr 2020 14:17:39 +0530 +Subject: [PATCH] powerpc: Move idle_loop_prolog()/epilog() functions to header + file + +References: PED-3947 bsc#1210544 ltc#202303 +Patch-mainline: v5.8-rc1 +Git-commit: e4a884cc28fa3f5d8b81de46998ffe29b4ad169e + +Currently prior to entering an idle state on a Linux Guest, the +pseries cpuidle driver implement an idle_loop_prolog() and +idle_loop_epilog() functions which ensure that idle_purr is correctly +computed, and the hypervisor is informed that the CPU cycles have been +donated. + +These prolog and epilog functions are also required in the default +idle call, i.e pseries_lpar_idle(). Hence move these accessor +functions to a common header file and call them from +pseries_lpar_idle(). Since the existing header files such as +asm/processor.h have enough clutter, create a new header file +asm/idle.h. Finally rename idle_loop_prolog() and idle_loop_epilog() +to pseries_idle_prolog() and pseries_idle_epilog() as they are only +relavent for on pseries guests. + +Signed-off-by: Gautham R. 
Shenoy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1586249263-14048-2-git-send-email-ego@linux.vnet.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/idle.h | 31 ++++++++++++++++++++++ + arch/powerpc/platforms/pseries/setup.c | 7 +++-- + drivers/cpuidle/cpuidle-pseries.c | 36 +++++--------------------- + 3 files changed, 43 insertions(+), 31 deletions(-) + create mode 100644 arch/powerpc/include/asm/idle.h + +diff --git a/arch/powerpc/include/asm/idle.h b/arch/powerpc/include/asm/idle.h +new file mode 100644 +index 000000000000..32064a4c0dd7 +--- /dev/null ++++ b/arch/powerpc/include/asm/idle.h +@@ -0,0 +1,31 @@ ++/* SPDX-License-Identifier: GPL-2.0-or-later */ ++#ifndef _ASM_POWERPC_IDLE_H ++#define _ASM_POWERPC_IDLE_H ++#include ++#include ++ ++#ifdef CONFIG_PPC_PSERIES ++static inline void pseries_idle_prolog(unsigned long *in_purr) ++{ ++ ppc64_runlatch_off(); ++ *in_purr = mfspr(SPRN_PURR); ++ /* ++ * Indicate to the HV that we are idle. Now would be ++ * a good time to find other work to dispatch. 
++ */ ++ get_lppaca()->idle = 1; ++} ++ ++static inline void pseries_idle_epilog(unsigned long in_purr) ++{ ++ u64 wait_cycles; ++ ++ wait_cycles = be64_to_cpu(get_lppaca()->wait_state_cycles); ++ wait_cycles += mfspr(SPRN_PURR) - in_purr; ++ get_lppaca()->wait_state_cycles = cpu_to_be64(wait_cycles); ++ get_lppaca()->idle = 0; ++ ++ ppc64_runlatch_on(); ++} ++#endif /* CONFIG_PPC_PSERIES */ ++#endif +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -68,6 +68,7 @@ + #include + #include + #include ++#include + + #include "pseries.h" + #include "../../../../drivers/pci/pci.h" +@@ -319,6 +320,8 @@ machine_early_initcall(pseries, alloc_dispatch_log_kmem_cache); + + static void pseries_lpar_idle(void) + { ++ unsigned long in_purr; ++ + /* + * Default handler to go into low thread priority and possibly + * low power mode by ceding processor to hypervisor +@@ -328,7 +331,7 @@ static void pseries_lpar_idle(void) + return; + + /* Indicate to hypervisor that we are idle. */ +- get_lppaca()->idle = 1; ++ pseries_idle_prolog(&in_purr); + + /* + * Yield the processor to the hypervisor. 
We return if +@@ -339,7 +342,7 @@ static void pseries_lpar_idle(void) + */ + cede_processor(); + +- get_lppaca()->idle = 0; ++ pseries_idle_epilog(in_purr); + } + + /* +diff --git a/drivers/cpuidle/cpuidle-pseries.c b/drivers/cpuidle/cpuidle-pseries.c +index 74c247972bb3..46d5e05fcf97 100644 +--- a/drivers/cpuidle/cpuidle-pseries.c ++++ b/drivers/cpuidle/cpuidle-pseries.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + + struct cpuidle_driver pseries_idle_driver = { +@@ -31,29 +32,6 @@ static struct cpuidle_state *cpuidle_state_table __read_mostly; + static u64 snooze_timeout __read_mostly; + static bool snooze_timeout_en __read_mostly; + +-static inline void idle_loop_prolog(unsigned long *in_purr) +-{ +- ppc64_runlatch_off(); +- *in_purr = mfspr(SPRN_PURR); +- /* +- * Indicate to the HV that we are idle. Now would be +- * a good time to find other work to dispatch. +- */ +- get_lppaca()->idle = 1; +-} +- +-static inline void idle_loop_epilog(unsigned long in_purr) +-{ +- u64 wait_cycles; +- +- wait_cycles = be64_to_cpu(get_lppaca()->wait_state_cycles); +- wait_cycles += mfspr(SPRN_PURR) - in_purr; +- get_lppaca()->wait_state_cycles = cpu_to_be64(wait_cycles); +- get_lppaca()->idle = 0; +- +- ppc64_runlatch_on(); +-} +- + static int snooze_loop(struct cpuidle_device *dev, + struct cpuidle_driver *drv, + int index) +@@ -63,7 +41,7 @@ static int snooze_loop(struct cpuidle_device *dev, + + set_thread_flag(TIF_POLLING_NRFLAG); + +- idle_loop_prolog(&in_purr); ++ pseries_idle_prolog(&in_purr); + local_irq_enable(); + snooze_exit_time = get_tb() + snooze_timeout; + +@@ -87,7 +65,7 @@ static int snooze_loop(struct cpuidle_device *dev, + + local_irq_disable(); + +- idle_loop_epilog(in_purr); ++ pseries_idle_epilog(in_purr); + + return index; + } +@@ -115,7 +93,7 @@ static int dedicated_cede_loop(struct cpuidle_device *dev, + { + unsigned long in_purr; + +- idle_loop_prolog(&in_purr); ++ pseries_idle_prolog(&in_purr); + 
get_lppaca()->donate_dedicated_cpu = 1; + + HMT_medium(); +@@ -124,7 +102,7 @@ static int dedicated_cede_loop(struct cpuidle_device *dev, + local_irq_disable(); + get_lppaca()->donate_dedicated_cpu = 0; + +- idle_loop_epilog(in_purr); ++ pseries_idle_epilog(in_purr); + + return index; + } +@@ -135,7 +113,7 @@ static int shared_cede_loop(struct cpuidle_device *dev, + { + unsigned long in_purr; + +- idle_loop_prolog(&in_purr); ++ pseries_idle_prolog(&in_purr); + + /* + * Yield the processor to the hypervisor. We return if +@@ -147,7 +125,7 @@ static int shared_cede_loop(struct cpuidle_device *dev, + check_and_cede_processor(); + + local_irq_disable(); +- idle_loop_epilog(in_purr); ++ pseries_idle_epilog(in_purr); + + return index; + } +-- +2.40.0 + diff --git a/patches.suse/powerpc-Squash-lines-for-simple-wrapper-functions.patch b/patches.suse/powerpc-Squash-lines-for-simple-wrapper-functions.patch new file mode 100644 index 0000000..6427185 --- /dev/null +++ b/patches.suse/powerpc-Squash-lines-for-simple-wrapper-functions.patch 
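Review bot: pseries_idle_prolog() and pseries_idle_epilog() become a shared interface in the new `asm/idle.h` without any comment stating their contract. The epilog adds `mfspr(SPRN_PURR) - in_purr` to `wait_state_cycles`, so it is only meaningful when paired with a prolog whose snapshot was presumably taken on the same CPU. pseries_lpar_idle() also picks up the runlatch toggling and PURR accounting, which its old `get_lppaca()->idle = 1` / `= 0` lines did not do. A comment on the helpers such as `/* Must be paired with pseries_idle_epilog() on the same CPU, passing the value stored in *in_purr. */` would make the pairing explicit for new callers.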
@@ -0,0 +1,148 @@ +From 7f2462acb6a995f2b0005192c0ba8eb2bce08da4 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Tue, 6 Sep 2016 20:21:50 +0900 +Subject: [PATCH] powerpc: Squash lines for simple wrapper functions + +References: bsc#1065729 +Patch-mainline: v4.14-rc1 +Git-commit: 7f2462acb6a995f2b0005192c0ba8eb2bce08da4 + +Remove unneeded variables and assignments. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Michael Ellerman +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/ptrace.c | 42 +++++++------------------ + arch/powerpc/platforms/ps3/repository.c | 22 +++---------- + 2 files changed, 17 insertions(+), 47 deletions(-) + +diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c +index 660ed39e9c9a..07cd22e35405 100644 +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -1594,11 +1594,8 @@ static int ppr_get(struct task_struct *target, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) + { +- int ret; +- +- ret = user_regset_copyout(&pos, &count, &kbuf, &ubuf, +- &target->thread.ppr, 0, sizeof(u64)); +- return ret; ++ return user_regset_copyout(&pos, &count, &kbuf, &ubuf, ++ &target->thread.ppr, 0, sizeof(u64)); + } + + static int ppr_set(struct task_struct *target, +@@ -1606,11 +1603,8 @@ static int ppr_set(struct task_struct *target, + unsigned int pos, unsigned int count, + const void *kbuf, const void __user *ubuf) + { +- int ret; +- +- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, +- &target->thread.ppr, 0, sizeof(u64)); +- return ret; ++ return user_regset_copyin(&pos, &count, &kbuf, &ubuf, ++ &target->thread.ppr, 0, sizeof(u64)); + } + + static int dscr_get(struct task_struct *target, +@@ -1618,22 +1612,16 @@ static int dscr_get(struct task_struct *target, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) + { +- int ret; +- +- ret = user_regset_copyout(&pos, &count, &kbuf, &ubuf, +- &target->thread.dscr, 0, sizeof(u64)); +- return ret; ++ return 
user_regset_copyout(&pos, &count, &kbuf, &ubuf, ++ &target->thread.dscr, 0, sizeof(u64)); + } + static int dscr_set(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + const void *kbuf, const void __user *ubuf) + { +- int ret; +- +- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, +- &target->thread.dscr, 0, sizeof(u64)); +- return ret; ++ return user_regset_copyin(&pos, &count, &kbuf, &ubuf, ++ &target->thread.dscr, 0, sizeof(u64)); + } + #endif + #ifdef CONFIG_PPC_BOOK3S_64 +@@ -1642,22 +1630,16 @@ static int tar_get(struct task_struct *target, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) + { +- int ret; +- +- ret = user_regset_copyout(&pos, &count, &kbuf, &ubuf, +- &target->thread.tar, 0, sizeof(u64)); +- return ret; ++ return user_regset_copyout(&pos, &count, &kbuf, &ubuf, ++ &target->thread.tar, 0, sizeof(u64)); + } + static int tar_set(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + const void *kbuf, const void __user *ubuf) + { +- int ret; +- +- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, +- &target->thread.tar, 0, sizeof(u64)); +- return ret; ++ return user_regset_copyin(&pos, &count, &kbuf, &ubuf, ++ &target->thread.tar, 0, sizeof(u64)); + } + + static int ebb_active(struct task_struct *target, +diff --git a/arch/powerpc/platforms/ps3/repository.c b/arch/powerpc/platforms/ps3/repository.c +index 814a7eaa7769..50dbaf24b1ee 100644 +--- a/arch/powerpc/platforms/ps3/repository.c ++++ b/arch/powerpc/platforms/ps3/repository.c +@@ -170,14 +170,8 @@ int ps3_repository_read_bus_str(unsigned int bus_index, const char *bus_str, + + int ps3_repository_read_bus_id(unsigned int bus_index, u64 *bus_id) + { +- int result; +- +- result = read_node(PS3_LPAR_ID_PME, +- make_first_field("bus", bus_index), +- make_field("id", 0), +- 0, 0, +- bus_id, NULL); +- return result; ++ return read_node(PS3_LPAR_ID_PME, 
make_first_field("bus", bus_index), ++ make_field("id", 0), 0, 0, bus_id, NULL); + } + + int ps3_repository_read_bus_type(unsigned int bus_index, +@@ -224,15 +218,9 @@ int ps3_repository_read_dev_str(unsigned int bus_index, + int ps3_repository_read_dev_id(unsigned int bus_index, unsigned int dev_index, + u64 *dev_id) + { +- int result; +- +- result = read_node(PS3_LPAR_ID_PME, +- make_first_field("bus", bus_index), +- make_field("dev", dev_index), +- make_field("id", 0), +- 0, +- dev_id, NULL); +- return result; ++ return read_node(PS3_LPAR_ID_PME, make_first_field("bus", bus_index), ++ make_field("dev", dev_index), make_field("id", 0), 0, ++ dev_id, NULL); + } + + int ps3_repository_read_dev_type(unsigned int bus_index, +-- +2.40.0 + diff --git a/patches.suse/powerpc-idle-Store-PURR-snapshot-in-a-per-cpu-global.patch b/patches.suse/powerpc-idle-Store-PURR-snapshot-in-a-per-cpu-global.patch new file mode 100644 index 0000000..df381f2 --- /dev/null +++ b/patches.suse/powerpc-idle-Store-PURR-snapshot-in-a-per-cpu-global.patch 
@@ -0,0 +1,196 @@
+From c4019198cfa81224d32846915cd401e981f81b81 Mon Sep 17 00:00:00 2001
+From: "Gautham R. Shenoy"
+Date: Tue, 7 Apr 2020 14:17:40 +0530
+Subject: [PATCH] powerpc/idle: Store PURR snapshot in a per-cpu global
+ variable
+
+References: PED-3947 bsc#1210544 ltc#202303
+Patch-mainline: v5.8-rc1
+Git-commit: c4019198cfa81224d32846915cd401e981f81b81
+
+Currently when CPU goes idle, we take a snapshot of PURR via
+pseries_idle_prolog() which is used at the CPU idle exit to compute
+the idle PURR cycles via the function pseries_idle_epilog(). Thus,
+the value of idle PURR cycle thus read before pseries_idle_prolog() and
+after pseries_idle_epilog() is always correct.
+
+However, if we were to read the idle PURR cycles from an interrupt
+context between pseries_idle_prolog() and pseries_idle_epilog() (this
+will be done in a future patch), then, the value of the idle PURR thus
+read will not include the cycles spent in the most recent idle period.
+Thus, in that interrupt context, we will need access to the snapshot
+of the PURR before going idle, in order to compute the idle PURR
+cycles for the latest idle duration.
+
+In this patch, we save the snapshot of PURR in pseries_idle_prolog()
+in a per-cpu variable, instead of on the stack, so that it can be
+accessed from an interrupt context.
+
+Signed-off-by: Gautham R.
Shenoy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/1586249263-14048-3-git-send-email-ego@linux.vnet.ibm.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/include/asm/idle.h | 31 ++++++++++++++++++--------
+ arch/powerpc/platforms/pseries/setup.c | 7 +++---
+ drivers/cpuidle/cpuidle-pseries.c | 15 +++++--------
+ 3 files changed, 31 insertions(+), 22 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/idle.h b/arch/powerpc/include/asm/idle.h
+index 32064a4c0dd7..b90d75aa1f9e 100644
+--- a/arch/powerpc/include/asm/idle.h
++++ b/arch/powerpc/include/asm/idle.h
+@@ -5,10 +5,27 @@
+ #include
+
+ #ifdef CONFIG_PPC_PSERIES
+-static inline void pseries_idle_prolog(unsigned long *in_purr)
++DECLARE_PER_CPU(u64, idle_entry_purr_snap);
++
++static inline void snapshot_purr_idle_entry(void)
++{
++ *this_cpu_ptr(&idle_entry_purr_snap) = mfspr(SPRN_PURR);
++}
++
++static inline void update_idle_purr_accounting(void)
++{
++ u64 wait_cycles;
++ u64 in_purr = *this_cpu_ptr(&idle_entry_purr_snap);
++
++ wait_cycles = be64_to_cpu(get_lppaca()->wait_state_cycles);
++ wait_cycles += mfspr(SPRN_PURR) - in_purr;
++ get_lppaca()->wait_state_cycles = cpu_to_be64(wait_cycles);
++}
++
++static inline void pseries_idle_prolog(void)
+ {
+ ppc64_runlatch_off();
+- *in_purr = mfspr(SPRN_PURR);
++ snapshot_purr_idle_entry();
+ /*
+ * Indicate to the HV that we are idle. Now would be
+ * a good time to find other work to dispatch.
+@@ -16,16 +33,12 @@ static inline void pseries_idle_prolog(unsigned long *in_purr)
+ get_lppaca()->idle = 1;
+ }
+
+-static inline void pseries_idle_epilog(unsigned long in_purr)
++static inline void pseries_idle_epilog(void)
+ {
+- u64 wait_cycles;
+-
+- wait_cycles = be64_to_cpu(get_lppaca()->wait_state_cycles);
+- wait_cycles += mfspr(SPRN_PURR) - in_purr;
+- get_lppaca()->wait_state_cycles = cpu_to_be64(wait_cycles);
++ update_idle_purr_accounting();
+ get_lppaca()->idle = 0;
+-
+ ppc64_runlatch_on();
+ }
++
+ #endif /* CONFIG_PPC_PSERIES */
+ #endif
+diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
+index 2f53e6b031a7..4905c965e111 100644
+--- a/arch/powerpc/platforms/pseries/setup.c
++++ b/arch/powerpc/platforms/pseries/setup.c
+@@ -318,10 +318,9 @@ static int alloc_dispatch_log_kmem_cache(void)
+ }
+ machine_early_initcall(pseries, alloc_dispatch_log_kmem_cache);
+
++DEFINE_PER_CPU(u64, idle_entry_purr_snap);
+ static void pseries_lpar_idle(void)
+ {
+- unsigned long in_purr;
+-
+ /*
+ * Default handler to go into low thread priority and possibly
+ * low power mode by ceding processor to hypervisor
+@@ -331,7 +330,7 @@ static void pseries_lpar_idle(void)
+ return;
+
+ /* Indicate to hypervisor that we are idle. */
+- pseries_idle_prolog(&in_purr);
++ pseries_idle_prolog();
+
+ /*
+ * Yield the processor to the hypervisor.
We return if
+@@ -342,7 +341,7 @@ static void pseries_lpar_idle(void)
+ */
+ cede_processor();
+
+- pseries_idle_epilog(in_purr);
++ pseries_idle_epilog();
+ }
+
+ /*
+diff --git a/drivers/cpuidle/cpuidle-pseries.c b/drivers/cpuidle/cpuidle-pseries.c
+index 46d5e05fcf97..6513ef2af66a 100644
+--- a/drivers/cpuidle/cpuidle-pseries.c
++++ b/drivers/cpuidle/cpuidle-pseries.c
+@@ -36,12 +36,11 @@ static int snooze_loop(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv,
+ int index)
+ {
+- unsigned long in_purr;
+ u64 snooze_exit_time;
+
+ set_thread_flag(TIF_POLLING_NRFLAG);
+
+- pseries_idle_prolog(&in_purr);
++ pseries_idle_prolog();
+ local_irq_enable();
+ snooze_exit_time = get_tb() + snooze_timeout;
+
+@@ -65,7 +64,7 @@ static int snooze_loop(struct cpuidle_device *dev,
+
+ local_irq_disable();
+
+- pseries_idle_epilog(in_purr);
++ pseries_idle_epilog();
+
+ return index;
+ }
+@@ -91,9 +90,8 @@ static int dedicated_cede_loop(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv,
+ int index)
+ {
+- unsigned long in_purr;
+
+- pseries_idle_prolog(&in_purr);
++ pseries_idle_prolog();
+ get_lppaca()->donate_dedicated_cpu = 1;
+
+ HMT_medium();
+@@ -102,7 +100,7 @@ static int dedicated_cede_loop(struct cpuidle_device *dev,
+ local_irq_disable();
+ get_lppaca()->donate_dedicated_cpu = 0;
+
+- pseries_idle_epilog(in_purr);
++ pseries_idle_epilog();
+
+ return index;
+ }
+@@ -111,9 +109,8 @@ static int shared_cede_loop(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv,
+ int index)
+ {
+- unsigned long in_purr;
+
+- pseries_idle_prolog(&in_purr);
++ pseries_idle_prolog();
+
+ /*
+ * Yield the processor to the hypervisor. We return if
+@@ -125,7 +122,7 @@ static int shared_cede_loop(struct cpuidle_device *dev,
+ check_and_cede_processor();
+
+ local_irq_disable();
+- pseries_idle_epilog(in_purr);
++ pseries_idle_epilog();
+
+ return index;
+ }
+--
+2.40.0
+
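Review bot: The new helpers `snapshot_purr_idle_entry()` and `update_idle_purr_accounting()` in asm/idle.h carry no comment on the context they require, although both use `this_cpu_ptr()` and the latter does an unlocked read-modify-write of `wait_state_cycles`. The commit message says a later patch will read the idle PURR from interrupt context, and in `pseries_lpar_idle()` this patch shows `pseries_idle_epilog()` called straight after `cede_processor()` without the `local_irq_disable()` that the cpuidle loops have, so an interrupt-context reader could interleave with the update there and skew the idle count; whether interrupts are really enabled at that point depends on lines outside the hunk. I would add above `update_idle_purr_accounting()` a comment such as `/* Runs on the local CPU; callers must keep interrupts off so an interrupt-context reader cannot interleave with this update. */` and confirm that the `pseries_lpar_idle()` path meets it. The SPURR helpers added by the next patch in this series have the same shape.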
diff --git a/patches.suse/powerpc-pseries-Account-for-SPURR-ticks-on-idle-CPUs.patch b/patches.suse/powerpc-pseries-Account-for-SPURR-ticks-on-idle-CPUs.patch
new file mode 100644
index 0000000..3d6bf29
--- /dev/null
+++ b/patches.suse/powerpc-pseries-Account-for-SPURR-ticks-on-idle-CPUs.patch
@@ -0,0 +1,95 @@
+From dc8afce5f45b099e3ea52a16b2f90e92f90f3af0 Mon Sep 17 00:00:00 2001
+From: "Gautham R. Shenoy"
+Date: Tue, 7 Apr 2020 14:17:41 +0530
+Subject: [PATCH] powerpc/pseries: Account for SPURR ticks on idle CPUs
+
+References: PED-3947 bsc#1210544 ltc#202303
+Patch-mainline: v5.8-rc1
+Git-commit: dc8afce5f45b099e3ea52a16b2f90e92f90f3af0
+
+On Pseries LPARs, to calculate utilization, we need to know the
+[S]PURR ticks when the CPUs were busy or idle.
+
+Via pseries_idle_prolog(), pseries_idle_epilog(), we track the idle
+PURR ticks in the VPA variable "wait_state_cycles". This patch extends
+the support to account for the idle SPURR ticks.
+
+Signed-off-by: Gautham R. Shenoy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/1586249263-14048-4-git-send-email-ego@linux.vnet.ibm.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/include/asm/idle.h | 17 +++++++++++++++++
+ arch/powerpc/platforms/pseries/setup.c | 2 ++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/arch/powerpc/include/asm/idle.h b/arch/powerpc/include/asm/idle.h
+index b90d75aa1f9e..0efb25071d87 100644
+--- a/arch/powerpc/include/asm/idle.h
++++ b/arch/powerpc/include/asm/idle.h
+@@ -5,13 +5,20 @@
+ #include
+
+ #ifdef CONFIG_PPC_PSERIES
++DECLARE_PER_CPU(u64, idle_spurr_cycles);
+ DECLARE_PER_CPU(u64, idle_entry_purr_snap);
++DECLARE_PER_CPU(u64, idle_entry_spurr_snap);
+
+ static inline void snapshot_purr_idle_entry(void)
+ {
+ *this_cpu_ptr(&idle_entry_purr_snap) = mfspr(SPRN_PURR);
+ }
+
++static inline void snapshot_spurr_idle_entry(void)
++{
++ *this_cpu_ptr(&idle_entry_spurr_snap) = mfspr(SPRN_SPURR);
++}
++
+ static inline void update_idle_purr_accounting(void)
+ {
+ u64 wait_cycles;
+@@ -22,10 +29,19 @@ static inline void update_idle_purr_accounting(void)
+ get_lppaca()->wait_state_cycles = cpu_to_be64(wait_cycles);
+ }
+
++static inline void update_idle_spurr_accounting(void)
++{
++ u64 *idle_spurr_cycles_ptr = this_cpu_ptr(&idle_spurr_cycles);
++ u64
in_spurr = *this_cpu_ptr(&idle_entry_spurr_snap);
++
++ *idle_spurr_cycles_ptr += mfspr(SPRN_SPURR) - in_spurr;
++}
++
+ static inline void pseries_idle_prolog(void)
+ {
+ ppc64_runlatch_off();
+ snapshot_purr_idle_entry();
++ snapshot_spurr_idle_entry();
+ /*
+ * Indicate to the HV that we are idle. Now would be
+ * a good time to find other work to dispatch.
+@@ -36,6 +52,7 @@ static inline void pseries_idle_prolog(void)
+ static inline void pseries_idle_epilog(void)
+ {
+ update_idle_purr_accounting();
++ update_idle_spurr_accounting();
+ get_lppaca()->idle = 0;
+ ppc64_runlatch_on();
+ }
+diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
+index 4905c965e111..1b55e804927d 100644
+--- a/arch/powerpc/platforms/pseries/setup.c
++++ b/arch/powerpc/platforms/pseries/setup.c
+@@ -318,7 +318,9 @@ static int alloc_dispatch_log_kmem_cache(void)
+ }
+ machine_early_initcall(pseries, alloc_dispatch_log_kmem_cache);
+
++DEFINE_PER_CPU(u64, idle_spurr_cycles);
+ DEFINE_PER_CPU(u64, idle_entry_purr_snap);
++DEFINE_PER_CPU(u64, idle_entry_spurr_snap);
+ static void pseries_lpar_idle(void)
+ {
+ /*
+--
+2.40.0
+
diff --git a/patches.suse/powerpc-rtas-use-memmove-for-potentially-overlapping.patch b/patches.suse/powerpc-rtas-use-memmove-for-potentially-overlapping.patch
new file mode 100644
index 0000000..e3ab7e5
--- /dev/null
+++ b/patches.suse/powerpc-rtas-use-memmove-for-potentially-overlapping.patch
@@ -0,0 +1,57 @@
+From 271208ee5e335cb1ad280d22784940daf7ddf820 Mon Sep 17 00:00:00 2001
+From: Nathan Lynch
+Date: Mon, 6 Mar 2023 15:33:41 -0600
+Subject: [PATCH] powerpc/rtas: use memmove for potentially overlapping buffer
+ copy
+
+References: bsc#1065729
+Patch-mainline: v6.4-rc1
+Git-commit: 271208ee5e335cb1ad280d22784940daf7ddf820
+
+Using memcpy() isn't safe when buf is identical to rtas_err_buf, which
+can happen during boot before slab is up. Full context which may not
+be obvious from the diff:
+
+ if (altbuf) {
+ buf = altbuf;
+ } else {
+ buf = rtas_err_buf;
+ if (slab_is_available())
+ buf = kmalloc(RTAS_ERROR_LOG_MAX, GFP_ATOMIC);
+ }
+ if (buf)
+ memcpy(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
+
+This was found by inspection and I'm not aware of it causing problems
+in practice. It appears to have been introduced by commit
+033ef338b6e0 ("powerpc: Merge rtas.c into arch/powerpc/kernel"); the
+old ppc64 version of this code did not have this problem.
+
+Use memmove() instead.
+
+Fixes: 033ef338b6e0 ("powerpc: Merge rtas.c into arch/powerpc/kernel")
+Signed-off-by: Nathan Lynch
+Reviewed-by: Andrew Donnellan
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230220-rtas-queue-for-6-4-v1-2-010e4416f13f@linux.ibm.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/kernel/rtas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
+index 31175b34856a..9256cfaa8b6f 100644
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -981,7 +981,7 @@ static char *__fetch_rtas_last_error(char *altbuf)
+ buf = kmalloc(RTAS_ERROR_LOG_MAX, GFP_ATOMIC);
+ }
+ if (buf)
+- memcpy(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
++ memmove(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
+ }
+
+ return buf;
+--
+2.40.0
+
diff --git a/patches.suse/powerpc-sysfs-Show-idle_purr-and-idle_spurr-for-ever.patch b/patches.suse/powerpc-sysfs-Show-idle_purr-and-idle_spurr-for-ever.patch
new file mode 100644
index 0000000..a3cf68b
--- /dev/null
+++ b/patches.suse/powerpc-sysfs-Show-idle_purr-and-idle_spurr-for-ever.patch
@@ -0,0 +1,197 @@
+From 6909f179ca7a73f243dca7c829facca1cc1d4ff5 Mon Sep 17 00:00:00 2001
+From: "Gautham R. Shenoy"
+Date: Tue, 7 Apr 2020 14:17:42 +0530
+Subject: [PATCH] powerpc/sysfs: Show idle_purr and idle_spurr for every CPU
+
+References: PED-3947 bsc#1210544 ltc#202303
+Patch-mainline: v5.8-rc1
+Git-commit: 6909f179ca7a73f243dca7c829facca1cc1d4ff5
+
+On Pseries LPARs, to calculate utilization, we need to know the
+[S]PURR ticks when the CPUs were busy or idle.
+
+The total PURR and SPURR ticks are already exposed via the per-cpu
+sysfs files "purr" and "spurr". This patch adds support for exposing
+the idle PURR and SPURR ticks via new per-cpu sysfs files named
+"idle_purr" and "idle_spurr".
+
+This patch also adds helper functions to accurately read the values of
+idle_purr and idle_spurr especially from an interrupt context between
+when the interrupt has occurred between the pseries_idle_prolog() and
+pseries_idle_epilog(). This will ensure that the idle purr/spurr
+values corresponding to the latest idle period is accounted for before
+these values are read.
+
+Signed-off-by: Gautham R. Shenoy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/1586249263-14048-5-git-send-email-ego@linux.vnet.ibm.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/include/asm/idle.h | 32 +++++++++++++
+ arch/powerpc/kernel/sysfs.c | 82 +++++++++++++++++++++++++++++++--
+ 2 files changed, 111 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/idle.h b/arch/powerpc/include/asm/idle.h
+index 0efb25071d87..accd1f50085a 100644
+--- a/arch/powerpc/include/asm/idle.h
++++ b/arch/powerpc/include/asm/idle.h
+@@ -57,5 +57,37 @@ static inline void pseries_idle_epilog(void)
+ ppc64_runlatch_on();
+ }
+
++static inline u64 read_this_idle_purr(void)
++{
++ /*
++ * If we are reading from an idle context, update the
++ * idle-purr cycles corresponding to the last idle period.
++ * Since the idle context is not yet over, take a fresh
++ * snapshot of the idle-purr.
++ */
++ if (unlikely(get_lppaca()->idle == 1)) {
++ update_idle_purr_accounting();
++ snapshot_purr_idle_entry();
++ }
++
++ return be64_to_cpu(get_lppaca()->wait_state_cycles);
++}
++
++static inline u64 read_this_idle_spurr(void)
++{
++ /*
++ * If we are reading from an idle context, update the
++ * idle-spurr cycles corresponding to the last idle period.
++ * Since the idle context is not yet over, take a fresh
++ * snapshot of the idle-spurr.
++ */
++ if (get_lppaca()->idle == 1) {
++ update_idle_spurr_accounting();
++ snapshot_spurr_idle_entry();
++ }
++
++ return *this_cpu_ptr(&idle_spurr_cycles);
++}
++
+ #endif /* CONFIG_PPC_PSERIES */
+ #endif
+diff --git a/arch/powerpc/kernel/sysfs.c b/arch/powerpc/kernel/sysfs.c
+--- a/arch/powerpc/kernel/sysfs.c
++++ b/arch/powerpc/kernel/sysfs.c
+@@ -19,6 +19,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "cacheinfo.h"
+
+@@ -760,6 +761,74 @@ static void create_svm_file(void)
+ #endif /* HAS_PPC_PMC_PA6T */
+ #endif /* HAS_PPC_PMC_CLASSIC */
+
++#ifdef CONFIG_PPC_PSERIES
++static void read_idle_purr(void *val)
++{
++ u64 *ret = val;
++
++ *ret = read_this_idle_purr();
++}
++
++static ssize_t idle_purr_show(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ struct cpu *cpu = container_of(dev, struct cpu, dev);
++ u64 val;
++
++ smp_call_function_single(cpu->dev.id, read_idle_purr, &val, 1);
++ return sprintf(buf, "%llx\n", val);
++}
++static DEVICE_ATTR(idle_purr, 0400, idle_purr_show, NULL);
++
++static void create_idle_purr_file(struct device *s)
++{
++ if (firmware_has_feature(FW_FEATURE_LPAR))
++ device_create_file(s, &dev_attr_idle_purr);
++}
++
++static void remove_idle_purr_file(struct device *s)
++{
++ if (firmware_has_feature(FW_FEATURE_LPAR))
++ device_remove_file(s, &dev_attr_idle_purr);
++}
++
++static void read_idle_spurr(void *val)
++{
++ u64 *ret = val;
++
++ *ret =
read_this_idle_spurr();
++}
++
++static ssize_t idle_spurr_show(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ struct cpu *cpu = container_of(dev, struct cpu, dev);
++ u64 val;
++
++ smp_call_function_single(cpu->dev.id, read_idle_spurr, &val, 1);
++ return sprintf(buf, "%llx\n", val);
++}
++static DEVICE_ATTR(idle_spurr, 0400, idle_spurr_show, NULL);
++
++static void create_idle_spurr_file(struct device *s)
++{
++ if (firmware_has_feature(FW_FEATURE_LPAR))
++ device_create_file(s, &dev_attr_idle_spurr);
++}
++
++static void remove_idle_spurr_file(struct device *s)
++{
++ if (firmware_has_feature(FW_FEATURE_LPAR))
++ device_remove_file(s, &dev_attr_idle_spurr);
++}
++
++#else /* CONFIG_PPC_PSERIES */
++#define create_idle_purr_file(s)
++#define remove_idle_purr_file(s)
++#define create_idle_spurr_file(s)
++#define remove_idle_spurr_file(s)
++#endif /* CONFIG_PPC_PSERIES */
++
+ static int register_cpu_online(unsigned int cpu)
+ {
+ struct cpu *c = &per_cpu(cpu_devices, cpu);
+@@ -823,10 +892,13 @@ static int register_cpu_online(unsigned int cpu)
+ if (!firmware_has_feature(FW_FEATURE_LPAR))
+ add_write_permission_dev_attr(&dev_attr_purr);
+ device_create_file(s, &dev_attr_purr);
++ create_idle_purr_file(s);
+ }
+
+- if (cpu_has_feature(CPU_FTR_SPURR))
++ if (cpu_has_feature(CPU_FTR_SPURR)) {
+ device_create_file(s, &dev_attr_spurr);
++ create_idle_spurr_file(s);
++ }
+
+ if (cpu_has_feature(CPU_FTR_DSCR))
+ device_create_file(s, &dev_attr_dscr);
+@@ -910,11 +982,15 @@ static int unregister_cpu_online(unsigned int cpu)
+ if (cpu_has_feature(CPU_FTR_MMCRA))
+ device_remove_file(s, &dev_attr_mmcra);
+
+- if (cpu_has_feature(CPU_FTR_PURR))
++ if (cpu_has_feature(CPU_FTR_PURR)) {
+ device_remove_file(s, &dev_attr_purr);
++ remove_idle_purr_file(s);
++ }
+
+- if (cpu_has_feature(CPU_FTR_SPURR))
++ if (cpu_has_feature(CPU_FTR_SPURR)) {
+ device_remove_file(s, &dev_attr_spurr);
++ remove_idle_spurr_file(s);
++ }
+
+ if
(cpu_has_feature(CPU_FTR_DSCR))
+ device_remove_file(s, &dev_attr_dscr);
+--
+2.40.0
+
diff --git a/patches.suse/ring-buffer-Ensure-proper-resetting-of-atomic-variables-in-ring_buffer_reset_online_cpus.patch b/patches.suse/ring-buffer-Ensure-proper-resetting-of-atomic-variables-in-ring_buffer_reset_online_cpus.patch
new file mode 100644
index 0000000..02a52dc
--- /dev/null
+++ b/patches.suse/ring-buffer-Ensure-proper-resetting-of-atomic-variables-in-ring_buffer_reset_online_cpus.patch
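Review bot: `idle_purr_show()` and `idle_spurr_show()` in arch/powerpc/kernel/sysfs.c (the powerpc-sysfs patch that ends just above the ring-buffer file header) format `val` without initialising it and without checking the return value of `smp_call_function_single()`. If that call fails, for example because the target CPU is no longer online, the callback never writes `val` and whatever was on the kernel stack is printed into the sysfs buffer. Declare it as `u64 val = 0;` and return the error when the call fails, e.g. `ret = smp_call_function_single(cpu->dev.id, read_idle_purr, &val, 1);` followed by `if (ret) return ret;`. The files are mode 0400, which limits who can read the value but does not remove the leak.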
@@ -0,0 +1,83 @@
+From: Tze-nan Wu
+Date: Wed, 26 Apr 2023 14:20:23 +0800
+Subject: ring-buffer: Ensure proper resetting of atomic variables in
+ ring_buffer_reset_online_cpus
+Git-commit: 7c339fb4d8577792378136c15fde773cfb863cb8
+Patch-mainline: v6.4-rc1
+References: git-fixes
+
+In ring_buffer_reset_online_cpus, the buffer_size_kb write operation
+may permanently fail if the cpu_online_mask changes between two
+for_each_online_buffer_cpu loops. The number of increases and decreases
+on both cpu_buffer->resize_disabled and cpu_buffer->record_disabled may be
+inconsistent, causing some CPUs to have non-zero values for these atomic
+variables after the function returns.
+
+This issue can be reproduced by "echo 0 > trace" while hotplugging cpu.
+After reproducing success, we can find out buffer_size_kb will not be
+functional anymore.
+
+To prevent leaving 'resize_disabled' and 'record_disabled' non-zero after
+ring_buffer_reset_online_cpus returns, we ensure that each atomic variable
+has been set up before atomic_sub() to it.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230426062027.17451-1-Tze-nan.Wu@mediatek.com
+
+Cc: stable@vger.kernel.org
+Cc:
+Cc: npiggin@gmail.com
+Fixes: b23d7a5f4a07 ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
+Reviewed-by: Cheng-Jui Wang
+Signed-off-by: Tze-nan Wu
+Signed-off-by: Steven Rostedt (Google)
+Acked-by: Petr Pavlu
+---
+ kernel/trace/ring_buffer.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index 58be5b409f72..9a0cb94c3972 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -5326,6 +5326,9 @@ void ring_buffer_reset_cpu(struct trace_buffer *buffer, int cpu)
+ }
+ EXPORT_SYMBOL_GPL(ring_buffer_reset_cpu);
+
++/* Flag to ensure proper resetting of atomic variables */
++#define RESET_BIT (1 << 30)
++
+ /**
+ * ring_buffer_reset_cpu - reset a ring buffer per CPU buffer
+ * @buffer: The ring buffer to reset a per cpu buffer of
+@@ -5342,20 +5345,27 @@ void ring_buffer_reset_online_cpus(struct trace_buffer *buffer)
+ for_each_online_buffer_cpu(buffer, cpu) {
+ cpu_buffer = buffer->buffers[cpu];
+
+- atomic_inc(&cpu_buffer->resize_disabled);
++ atomic_add(RESET_BIT, &cpu_buffer->resize_disabled);
+ atomic_inc(&cpu_buffer->record_disabled);
+ }
+
+ /* Make sure all commits have finished */
+ synchronize_rcu();
+
+- for_each_online_buffer_cpu(buffer, cpu) {
++ for_each_buffer_cpu(buffer, cpu) {
+ cpu_buffer = buffer->buffers[cpu];
+
++ /*
++ * If a CPU came online during the synchronize_rcu(), then
++ * ignore it.
++ */
++ if (!(atomic_read(&cpu_buffer->resize_disabled) & RESET_BIT))
++ continue;
++
+ reset_disabled_cpu_buffer(cpu_buffer);
+
+ atomic_dec(&cpu_buffer->record_disabled);
+- atomic_dec(&cpu_buffer->resize_disabled);
++ atomic_sub(RESET_BIT, &cpu_buffer->resize_disabled);
+ }
+
+ mutex_unlock(&buffer->mutex);
+
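Review bot: The comment on `RESET_BIT` in kernel/trace/ring_buffer.c ("Flag to ensure proper resetting of atomic variables") does not say which variable carries the bit or why. The removed `atomic_inc(&cpu_buffer->resize_disabled)` shows that field was incremented as a count, and the second loop now relies on bit 30 of it to recognise the CPUs the first loop disabled, so a reader should be told that the marker shares the field with that count. I would word it as `/* Marker added to cpu_buffer->resize_disabled by ring_buffer_reset_online_cpus() so its second pass only undoes CPUs it disabled itself */`. The kernel-doc block just below the define still names `ring_buffer_reset_cpu` although it sits above `ring_buffer_reset_online_cpus()`; that line is context rather than part of this change, but it is worth correcting in the same place.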
diff --git a/patches.suse/ring-buffer-Sync-IRQ-works-before-buffer-destruction.patch b/patches.suse/ring-buffer-Sync-IRQ-works-before-buffer-destruction.patch
new file mode 100644
index 0000000..94b11dd
--- /dev/null
+++ b/patches.suse/ring-buffer-Sync-IRQ-works-before-buffer-destruction.patch
@@ -0,0 +1,95 @@
+From: Johannes Berg
+Date: Thu, 27 Apr 2023 17:59:20 +0200
+Subject: ring-buffer: Sync IRQ works before buffer destruction
+Git-commit: 675751bb20634f981498c7d66161584080cc061e
+Patch-mainline: v6.4-rc1
+References: git-fixes
+
+If something was written to the buffer just before destruction,
+it may be possible (maybe not in a real system, but it did
+happen in ARCH=um with time-travel) to destroy the ringbuffer
+before the IRQ work ran, leading this KASAN report (or a crash
+without KASAN):
+
+ BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a
+ Read of size 8 at addr 000000006d640a48 by task swapper/0
+
+ CPU: 0 PID: 0 Comm: swapper Tainted: G W O 6.3.0-rc1 #7
+ Stack:
+ 60c4f20f 0c203d48 41b58ab3 60f224fc
+ 600477fa 60f35687 60c4f20f 601273dd
+ 00000008 6101eb00 6101eab0 615be548
+ Call Trace:
+ [<60047a58>] show_stack+0x25e/0x282
+ [<60c609e0>] dump_stack_lvl+0x96/0xfd
+ [<60c50d4c>] print_report+0x1a7/0x5a8
+ [<603078d3>] kasan_report+0xc1/0xe9
+ [<60308950>] __asan_report_load8_noabort+0x1b/0x1d
+ [<60232844>] irq_work_run_list+0x11a/0x13a
+ [<602328b4>] irq_work_tick+0x24/0x34
+ [<6017f9dc>] update_process_times+0x162/0x196
+ [<6019f335>] tick_sched_handle+0x1a4/0x1c3
+ [<6019fd9e>] tick_sched_timer+0x79/0x10c
+ [<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695
+ [<60182913>] hrtimer_interrupt+0x16c/0x2c4
+ [<600486a3>] um_timer+0x164/0x183
+ [...]
+
+ Allocated by task 411:
+ save_stack_trace+0x99/0xb5
+ stack_trace_save+0x81/0x9b
+ kasan_save_stack+0x2d/0x54
+ kasan_set_track+0x34/0x3e
+ kasan_save_alloc_info+0x25/0x28
+ ____kasan_kmalloc+0x8b/0x97
+ __kasan_kmalloc+0x10/0x12
+ __kmalloc+0xb2/0xe8
+ load_elf_phdrs+0xee/0x182
+ [...]
+
+ The buggy address belongs to the object at 000000006d640800
+ which belongs to the cache kmalloc-1k of size 1024
+ The buggy address is located 584 bytes inside of
+ freed 1024-byte region [000000006d640800, 000000006d640c00)
+
+Add the appropriate irq_work_sync() so the work finishes before
+the buffers are destroyed.
+
+Prior to the commit in the Fixes tag below, there was only a
+single global IRQ work, so this issue didn't exist.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230427175920.a76159263122.I8295e405c44362a86c995e9c2c37e3e03810aa56@changeid
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu
+Fixes: 15693458c4bc ("tracing/ring-buffer: Move poll wake ups into ring buffer code")
+Signed-off-by: Johannes Berg
+Signed-off-by: Steven Rostedt (Google)
+Acked-by: Petr Pavlu
+---
+ kernel/trace/ring_buffer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index 9a0cb94c3972..0d748f1f79ff 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -1767,6 +1767,8 @@ static void rb_free_cpu_buffer(struct ring_buffer_per_cpu *cpu_buffer)
+ struct list_head *head = cpu_buffer->pages;
+ struct buffer_page *bpage, *tmp;
+
++ irq_work_sync(&cpu_buffer->irq_work.work);
++
+ free_buffer_page(cpu_buffer->reader_page);
+
+ if (head) {
+@@ -1873,6 +1875,8 @@ ring_buffer_free(struct trace_buffer *buffer)
+
+ cpuhp_state_remove_instance(CPUHP_TRACE_RB_PREPARE, &buffer->node);
+
++ irq_work_sync(&buffer->irq_work.work);
++
+ for_each_buffer_cpu(buffer, cpu)
+ rb_free_cpu_buffer(buffer->buffers[cpu]);
+
+
diff --git a/patches.suse/s390-ctcm-fix-ctcm_new_device-error-return-code.patch b/patches.suse/s390-ctcm-fix-ctcm_new_device-error-return-code.patch
new file mode 100644
index 0000000..db30e9c
--- /dev/null
+++ b/patches.suse/s390-ctcm-fix-ctcm_new_device-error-return-code.patch
@@ -0,0 +1,51 @@
+From: Arnd Bergmann
+Date: Wed, 17 Apr 2019 18:29:13 +0200
+Subject: s390: ctcm: fix ctcm_new_device error return code
+Git-commit: 27b141fc234a3670d21bd742c35d7205d03cbb3a
+Patch-mainline: v5.1-rc7
+References: git-fixes bsc#1211361
+
+clang points out that the return code from this function is
+undefined for one of the error paths:
+
+../drivers/s390/net/ctcm_main.c:1595:7: warning: variable 'result' is used uninitialized whenever 'if' condition is true
+ [-Wsometimes-uninitialized]
+ if (priv->channel[direction] == NULL) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../drivers/s390/net/ctcm_main.c:1638:9: note: uninitialized use occurs here
+ return result;
+ ^~~~~~
+../drivers/s390/net/ctcm_main.c:1595:3: note: remove the 'if' if its condition is always false
+ if (priv->channel[direction] == NULL) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../drivers/s390/net/ctcm_main.c:1539:12: note: initialize the variable 'result' to silence this warning
+ int result;
+ ^
+
+Make it return -ENODEV here, as in the related failure cases.
+gcc has a known bug in underreporting some of these warnings
+when it has already eliminated the assignment of the return code
+based on some earlier optimization step.
+
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Julian Wiedmann
+Signed-off-by: David S. Miller
+Acked-by: Miroslav Franc
+---
+ drivers/s390/net/ctcm_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
+index 7617d21cb296..f63c5c871d3d 100644
+--- a/drivers/s390/net/ctcm_main.c
++++ b/drivers/s390/net/ctcm_main.c
+@@ -1595,6 +1595,7 @@ static int ctcm_new_device(struct ccwgroup_device *cgdev)
+ if (priv->channel[direction] == NULL) {
+ if (direction == CTCM_WRITE)
+ channel_free(priv->channel[CTCM_READ]);
++ result = -ENODEV;
+ goto out_dev;
+ }
+ priv->channel[direction]->netdev = dev;
+
diff --git a/patches.suse/s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch b/patches.suse/s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch
new file mode 100644
index 0000000..b2a9756
--- /dev/null
+++ b/patches.suse/s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch
@@ -0,0 +1,32 @@
+From: Vasily Gorbik
+Date: Sun, 24 Jun 2018 09:21:59 +0200
+Subject: s390/dasd: correct numa_node in dasd_alloc_queue
+Git-commit: b17e3abb0af404cb62ad4ef1a5962f58b06e2b78
+Patch-mainline: v4.19-rc1
+References: git-fixes bsc#1211362
+
+The numa_node field of the tag_set struct has to be explicitly
+initialized, otherwise it stays as 0, which is a valid numa node id and
+cause memory allocation failure if node 0 is offline.
+
+Acked-by: Stefan Haberland
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Martin Schwidefsky
+Acked-by: Miroslav Franc
+---
+ drivers/s390/block/dasd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/block/dasd.c b/drivers/s390/block/dasd.c
+index d3a38c421503..7c3dddeb781c 100644
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -3120,6 +3120,7 @@ static int dasd_alloc_queue(struct dasd_block *block)
+ block->tag_set.nr_hw_queues = nr_hw_queues;
+ block->tag_set.queue_depth = queue_depth;
+ block->tag_set.flags = BLK_MQ_F_SHOULD_MERGE;
++ block->tag_set.numa_node = NUMA_NO_NODE;
+
+ rc = blk_mq_alloc_tag_set(&block->tag_set);
+ if (rc)
+
diff --git a/patches.suse/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch b/patches.suse/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch
new file mode 100644
index 0000000..eb7a665
--- /dev/null
+++ b/patches.suse/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch
@@ -0,0 +1,52 @@
+From: Vasily Gorbik
+Date: Sun, 17 Jun 2018 00:30:43 +0200
+Subject: s390/extmem: fix gcc 8 stringop-overflow warning
+Git-commit: 6b2ddf33baec23dace85bd647e3fc4ac070963e8
+Patch-mainline: v4.19-rc1
+References: git-fixes bsc#1211363
+
+arch/s390/mm/extmem.c: In function '__segment_load':
+arch/s390/mm/extmem.c:436:2: warning: 'strncat' specified bound 7 equals
+source length [-Wstringop-overflow=]
+ strncat(seg->res_name, " (DCSS)", 7);
+
+What gcc complains about here is the misuse of strncat function, which
+in this case does not limit a number of bytes taken from "src", so it is
+in the end the same as strcat(seg->res_name, " (DCSS)");
+
+Keeping in mind that a res_name is 15 bytes, strncat in this case
+would overflow the buffer and write 0 into alignment byte between the
+fields in the struct. To avoid that increasing res_name size to 16,
+and reusing strlcat.
+
+Reviewed-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Martin Schwidefsky
+Acked-by: Miroslav Franc
+---
+ arch/s390/mm/extmem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/mm/extmem.c b/arch/s390/mm/extmem.c
+index 6ad15d3fab81..84111a43ea29 100644
+--- a/arch/s390/mm/extmem.c
++++ b/arch/s390/mm/extmem.c
+@@ -80,7 +80,7 @@ struct qin64 {
+ struct dcss_segment {
+ struct list_head list;
+ char dcss_name[8];
+- char res_name[15];
++ char res_name[16];
+ unsigned long start_addr;
+ unsigned long end;
+ atomic_t ref_count;
+@@ -433,7 +433,7 @@ __segment_load (char *name, int do_nonshared, unsigned long *addr, unsigned long
+ memcpy(&seg->res_name, seg->dcss_name, 8);
+ EBCASC(seg->res_name, 8);
+ seg->res_name[8] = '\0';
+- strncat(seg->res_name, " (DCSS)", 7);
++ strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name));
+ seg->res->name = seg->res_name;
+ rc = seg->vm_segtype;
+ if (rc == SEG_TYPE_SC ||
+
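Review bot: The new size in `char res_name[16];` is exactly the 8-byte segment name plus the 7-byte `" (DCSS)"` suffix plus the terminator, but nothing in arch/s390/mm/extmem.c records that. `strlcat()` bounds the write, yet it truncates silently, so a longer suffix or name later would shorten the resource name without any warning. A field comment such as `/* dcss_name (8) + " (DCSS)" (7) + NUL */` would make the coupling visible. `__segment_load()` continues outside the hunk.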
diff --git a/patches.suse/s390-kasan-fix-early-pgm-check-handler-execution.patch b/patches.suse/s390-kasan-fix-early-pgm-check-handler-execution.patch
new file mode 100644
index 0000000..fa90017
--- /dev/null
+++ b/patches.suse/s390-kasan-fix-early-pgm-check-handler-execution.patch
@@ -0,0 +1,38 @@
+From: Vasily Gorbik
+Date: Wed, 17 Jun 2020 15:05:49 +0200
+Subject: s390/kasan: fix early pgm check handler execution
+Git-commit: 998f5bbe3dbdab81c1cfb1aef7c3892f5d24f6c7
+Patch-mainline: v5.8-rc3
+References: git-fixes bsc#1211360
+
+Currently if early_pgm_check_handler is called it ends up in pgm check
+loop. The problem is that early_pgm_check_handler is instrumented by
+KASAN but executed without DAT flag enabled which leads to addressing
+exception when KASAN checks try to access shadow memory.
+
+Fix that by executing early handlers with DAT flag on under KASAN as
+expected.
+
+Reported-and-tested-by: Alexander Egorenkov
+Reviewed-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Heiko Carstens
+Acked-by: Miroslav Franc
+---
+ arch/s390/kernel/early.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
+index cd241ee66eff..078277231858 100644
+--- a/arch/s390/kernel/early.c
++++ b/arch/s390/kernel/early.c
+@@ -170,6 +170,8 @@ static noinline __init void setup_lowcore_early(void)
+ psw_t psw;
+
+ psw.mask = PSW_MASK_BASE | PSW_DEFAULT_KEY | PSW_MASK_EA | PSW_MASK_BA;
++ if (IS_ENABLED(CONFIG_KASAN))
++ psw.mask |= PSW_MASK_DAT;
+ psw.addr = (unsigned long) s390_base_ext_handler;
+ S390_lowcore.external_new_psw = psw;
+ psw.addr = (unsigned long) s390_base_pgm_handler;
+
diff --git a/patches.suse/s390-pci-fix-sleeping-in-atomic-during-hotplug.patch b/patches.suse/s390-pci-fix-sleeping-in-atomic-during-hotplug.patch
new file mode 100644
index 0000000..27288e0
--- /dev/null
+++ b/patches.suse/s390-pci-fix-sleeping-in-atomic-during-hotplug.patch
@@ -0,0 +1,39 @@
+From: Sebastian Ott
+Date: Thu, 18 Oct 2018 11:11:08 +0200
+Subject: s390/pci: fix sleeping in atomic during hotplug
+Git-commit: 98dfd32620e970eb576ebce5ea39d905cb005e72
+Patch-mainline: v5.0-rc1
+References: git-fixes bsc#1211364
+
+When triggered by pci hotplug (PEC 0x306) clp_get_state is called
+with spinlocks held resulting in the following warning:
+
+zpci: n/a: Event 0x306 reconfigured PCI function 0x0
+BUG: sleeping function called from invalid context at mm/page_alloc.c:4324
+in_atomic(): 1, irqs_disabled(): 0, pid: 98, name: kmcheck
+2 locks held by kmcheck/98:
+
+Change the allocation to use GFP_ATOMIC.
+
+Cc: stable@vger.kernel.org # 4.13+
+Signed-off-by: Sebastian Ott
+Signed-off-by: Martin Schwidefsky
+Acked-by: Miroslav Franc
+---
+ arch/s390/pci/pci_clp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/pci/pci_clp.c b/arch/s390/pci/pci_clp.c
+index 19b2d2a9b43d..eeb7450db18c 100644
+--- a/arch/s390/pci/pci_clp.c
++++ b/arch/s390/pci/pci_clp.c
+@@ -436,7 +436,7 @@ int clp_get_state(u32 fid, enum zpci_state *state)
+ struct clp_state_data sd = {fid, ZPCI_FN_STATE_RESERVED};
+ int rc;
+
+- rrb = clp_alloc_block(GFP_KERNEL);
++ rrb = clp_alloc_block(GFP_ATOMIC);
+ if (!rrb)
+ return -ENOMEM;
+
+
diff --git a/patches.suse/s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch b/patches.suse/s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch
new file mode 100644
index 0000000..fd25c97
--- /dev/null
+++ b/patches.suse/s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch
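Review bot: `clp_alloc_block(GFP_ATOMIC)` in clp_get_state now applies to every caller of the function, not only the hotplug path that holds spinlocks. Atomic allocations cannot wait for reclaim and fail more readily under memory pressure, so the `-ENOMEM` return becomes a more likely outcome; the callers are outside this hunk and should be checked to handle it. A comment above the call, `/* may be called with spinlocks held from hotplug event handling */`, would explain why GFP_KERNEL must not come back. The rest of clp_get_state is not visible here.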
@@ -0,0 +1,32 @@
+From: Vasily Gorbik
+Date: Mon, 25 Jun 2018 14:30:42 +0200
+Subject: s390/scm_blk: correct numa_node in scm_blk_dev_setup
+Git-commit: d642d6262f4fcfa5d200ec6e218c17f0c15b3390
+Patch-mainline: v4.19-rc1
+References: git-fixes bsc#1211365
+
+The numa_node field of the tag_set struct has to be explicitly
+initialized, otherwise it stays as 0, which is a valid numa node id and
+cause memory allocation failure if node 0 is offline.
+
+Acked-by: Sebastian Ott
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Martin Schwidefsky
+Acked-by: Miroslav Franc
+---
+ drivers/s390/block/scm_blk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/block/scm_blk.c b/drivers/s390/block/scm_blk.c
+index b1fcb76dd272..98f66b7b6794 100644
+--- a/drivers/s390/block/scm_blk.c
++++ b/drivers/s390/block/scm_blk.c
+@@ -455,6 +455,7 @@ int scm_blk_dev_setup(struct scm_blk_dev *bdev, struct scm_device *scmdev)
+ bdev->tag_set.nr_hw_queues = nr_requests;
+ bdev->tag_set.queue_depth = nr_requests_per_io * nr_requests;
+ bdev->tag_set.flags = BLK_MQ_F_SHOULD_MERGE;
++ bdev->tag_set.numa_node = NUMA_NO_NODE;
+
+ ret = blk_mq_alloc_tag_set(&bdev->tag_set);
+ if (ret)
+
diff --git a/patches.suse/s390-sysinfo-add-missing-ifdef-CONFIG_PROC_FS.patch b/patches.suse/s390-sysinfo-add-missing-ifdef-CONFIG_PROC_FS.patch
new file mode 100644
index 0000000..45b3d09
--- /dev/null
+++ b/patches.suse/s390-sysinfo-add-missing-ifdef-CONFIG_PROC_FS.patch
@@ -0,0 +1,43 @@
+From: Heiko Carstens
+Date: Mon, 2 Jul 2018 10:54:02 +0200
+Subject: s390/sysinfo: add missing #ifdef CONFIG_PROC_FS
+Git-commit: 9f35b818a2f90fb6cb291aa0c9f835d4f0974a9a
+Patch-mainline: v4.19-rc1
+References: git-fixes bsc#1211366
+
+Get rid of this compile warning for !PROC_FS:
+
+ CC arch/s390/kernel/sysinfo.o
+arch/s390/kernel/sysinfo.c:275:12: warning: 'sysinfo_show' defined but not used [-Wunused-function]
+ static int sysinfo_show(struct seq_file *m, void *v)
+
+Signed-off-by: Heiko Carstens
+Signed-off-by: Martin Schwidefsky
+Acked-by: Miroslav Franc
+---
+ arch/s390/kernel/sysinfo.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/s390/kernel/sysinfo.c b/arch/s390/kernel/sysinfo.c
+index 54f5496913fa..12f80d1f0415 100644
+--- a/arch/s390/kernel/sysinfo.c
++++ b/arch/s390/kernel/sysinfo.c
+@@ -59,6 +59,8 @@ int stsi(void *sysinfo, int fc, int sel1, int sel2)
+ }
+ EXPORT_SYMBOL(stsi);
+
++#ifdef CONFIG_PROC_FS
++
+ static bool convert_ext_name(unsigned char encoding, char *name, size_t len)
+ {
+ switch (encoding) {
+@@ -301,6 +303,8 @@ static int __init sysinfo_create_proc(void)
+ }
+ device_initcall(sysinfo_create_proc);
+
++#endif /* CONFIG_PROC_FS */
++
+ /*
+ * Service levels interface.
+ */
+
diff --git a/patches.suse/sctp-fix-erroneous-inc-of-snmp-SctpFragUsrMsgs.patch b/patches.suse/sctp-fix-erroneous-inc-of-snmp-SctpFragUsrMsgs.patch
new file mode 100644
index 0000000..b95b414
--- /dev/null
+++ b/patches.suse/sctp-fix-erroneous-inc-of-snmp-SctpFragUsrMsgs.patch
@@ -0,0 +1,41 @@
+From 483a69f6fad664c76148afbd0c454cd03c813abb Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner
+Date: Wed, 20 Jun 2018 12:47:52 -0300
+Subject: [PATCH 2/2] sctp: fix erroneous inc of snmp SctpFragUsrMsgs
+References: git-fixes
+Patch-mainline: v4.18-rc3
+Git-commit: fedb1bd3d274b33c432cb83c80c6b3cf54d509c8
+
+Currently it is incrementing SctpFragUsrMsgs when the user message size
+is of the exactly same size as the maximum fragment size, which is wrong.
+
+The fix is to increment it only when user message is bigger than the
+maximum fragment size.
+
+Fixes: bfd2e4b8734d ("sctp: refactor sctp_datamsg_from_user")
+Signed-off-by: Marcelo Ricardo Leitner
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/sctp/chunk.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
+index 697721a7a3f1..f9d93f9b6814 100644
+--- a/net/sctp/chunk.c
++++ b/net/sctp/chunk.c
+@@ -230,7 +230,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+ /* Account for a different sized first fragment */
+ if (msg_len >= first_len) {
+ msg->can_delay = 0;
+- SCTP_INC_STATS(sock_net(asoc->base.sk), SCTP_MIB_FRAGUSRMSGS);
++ if (msg_len > first_len)
++ SCTP_INC_STATS(sock_net(asoc->base.sk),
++ SCTP_MIB_FRAGUSRMSGS);
+ } else {
+ /* Which may be the only one... */
+ first_len = msg_len;
+--
+2.16.4
+
diff --git a/patches.suse/sctp-make-use-of-pre-calculated-len.patch b/patches.suse/sctp-make-use-of-pre-calculated-len.patch
new file mode 100644
index 0000000..1fa20c0
--- /dev/null
+++ b/patches.suse/sctp-make-use-of-pre-calculated-len.patch
@@ -0,0 +1,96 @@
+From b1eef66295a6c4f4f42b235592b339a8fa0d067c Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner
+Date: Mon, 8 Jan 2018 19:02:29 -0200
+Subject: [PATCH 5/7] sctp: make use of pre-calculated len
+Git-commit: c76f97c99ae6d26d14c7f0e50e074382bfbc9f98
+Patch-mainline: 4.15-rc8
+References: git-fixes
+
+Some sockopt handling functions were calculating the length of the
+buffer to be written to userspace and then calculating it again when
+actually writing the buffer, which could lead to some write not using
+an up-to-date length.
+
+This patch updates such places to just make use of the len variable.
+
+Also, replace some sizeof(type) to sizeof(var).
+
+Signed-off-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ net/sctp/socket.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 4713dd8f5ecf..7e2914216f0f 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4983,7 +4983,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+ len = sizeof(int);
+ if (put_user(len, optlen))
+ return -EFAULT;
+- if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int)))
++ if (copy_to_user(optval, &sctp_sk(sk)->autoclose, len))
+ return -EFAULT;
+ return 0;
+ }
+@@ -5560,6 +5560,9 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len,
+ err = -EFAULT;
+ goto out;
+ }
++ /* XXX: We should have accounted for sizeof(struct sctp_getaddrs) too,
++ * but we can't change it anymore.
++ */
+ if (put_user(bytes_copied, optlen))
+ err = -EFAULT;
+ out:
+@@ -5996,7 +5999,7 @@ static int sctp_getsockopt_maxseg(struct sock *sk, int len,
+ params.assoc_id = 0;
+ } else if (len >= sizeof(struct sctp_assoc_value)) {
+ len = sizeof(struct sctp_assoc_value);
+- if (copy_from_user(¶ms, optval, sizeof(params)))
++ if (copy_from_user(¶ms, optval, len))
+ return -EFAULT;
+ } else
+ return -EINVAL;
+@@ -6165,7 +6168,9 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
+
+ if (len < sizeof(struct sctp_authkeyid))
+ return -EINVAL;
+- if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
++
++ len = sizeof(struct sctp_authkeyid);
++ if (copy_from_user(&val, optval, len))
+ return -EFAULT;
+
+ asoc = sctp_id2assoc(sk, val.scact_assoc_id);
+@@ -6177,7 +6182,6 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
+ else
+ val.scact_keynumber = ep->active_key_id;
+
+- len = sizeof(struct sctp_authkeyid);
+ if (put_user(len, optlen))
+ return -EFAULT;
+ if (copy_to_user(optval, &val, len))
+@@ -6203,7 +6207,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
+ if (len < sizeof(struct sctp_authchunks))
+ return -EINVAL;
+
+- if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
++ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
+ to = p->gauth_chunks;
+@@ -6248,7 +6252,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
+ if (len < sizeof(struct sctp_authchunks))
+ return -EINVAL;
+
+- if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
++ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
+ to = p->gauth_chunks;
+--
+2.16.4
+
diff --git a/patches.suse/stmmac-fix-valid-numbers-of-unicast-filter-entries.patch b/patches.suse/stmmac-fix-valid-numbers-of-unicast-filter-entries.patch
new file mode 100644
index 0000000..defdc0d
--- /dev/null
+++ b/patches.suse/stmmac-fix-valid-numbers-of-unicast-filter-entries.patch
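Review bot: In sctp_getsockopt_maxseg and sctp_getsockopt_active_key the `copy_from_user()` into a fixed-size stack object is now bounded by `len`, an `int` parameter that is only safe because it was overwritten with the struct size a line or two earlier. Bounding the copy by the destination, `if (copy_from_user(&params, optval, sizeof(params)))` and `if (copy_from_user(&val, optval, sizeof(val)))`, keeps the size tied to the buffer even if that assignment is later moved, and matches what this patch itself does in the two auth_chunks hunks. Using `len` for the `copy_to_user()` calls, where it is also the value reported through `optlen`, is the part that removes the double calculation. The enclosing functions continue outside the hunks.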
@@ -0,0 +1,46 @@
+From afd6dcd40dc44dd22a6f2d58b2dd0ffd0751e9c0 Mon Sep 17 00:00:00 2001
+From: Jongsung Kim
+Date: Thu, 13 Sep 2018 18:32:21 +0900
+Subject: [PATCH 6/7] stmmac: fix valid numbers of unicast filter entries
+References: git-fixes
+Patch-mainline: v4.19-rc5
+Git-commit: edf2ef7242805e53ec2e0841db26e06d8bc7da70
+
+Synopsys DWC Ethernet MAC can be configured to have 1..32, 64, or
+128 unicast filter entries. (Table 7-8 MAC Address Registers from
+databook) Fix dwmac1000_validate_ucast_entries() to accept values
+between 1 and 32 in addition.
+
+Signed-off-by: Jongsung Kim
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index eb11dcccf529..10ce06dcb780 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -67,7 +67,7 @@ static int dwmac1000_validate_mcast_bins(int mcast_bins)
+ * Description:
+ * This function validates the number of Unicast address entries supported
+ * by a particular Synopsys 10/100/1000 controller. The Synopsys controller
+- * supports 1, 32, 64, or 128 Unicast filter entries for it's Unicast filter
++ * supports 1..32, 64, or 128 Unicast filter entries for it's Unicast filter
+ * logic. This function validates a valid, supported configuration is
+ * selected, and defaults to 1 Unicast address if an unsupported
+ * configuration is selected.
+@@ -77,8 +77,7 @@ static int dwmac1000_validate_ucast_entries(int ucast_entries)
+ int x = ucast_entries;
+
+ switch (x) {
+- case 1:
+- case 32:
++ case 1 ... 32:
+ case 64:
+ case 128:
+ break;
+--
+2.16.4
+
diff --git a/patches.suse/sunvnet-does-not-support-GSO-for-sctp.patch b/patches.suse/sunvnet-does-not-support-GSO-for-sctp.patch
new file mode 100644
index 0000000..401fd8e
--- /dev/null
+++ b/patches.suse/sunvnet-does-not-support-GSO-for-sctp.patch
@@ -0,0 +1,37 @@
+From 15f8e04409aedb5e33e6e662b128b9643d17a7f3 Mon Sep 17 00:00:00 2001
+From: Cathy Zhou
+Date: Wed, 14 Mar 2018 10:56:07 -0700
+Subject: [PATCH 5/8] sunvnet: does not support GSO for sctp
+References: git-fixes
+Patch-mainline: v4.16-rc7
+Git-commit: cf55612a945039476abfd73e39064b2e721c3272
+
+The NETIF_F_GSO_SOFTWARE implies support for GSO on SCTP, but the
+sunvnet driver does not support GSO for sctp. Here we remove the
+NETIF_F_GSO_SOFTWARE feature flag and only report NETIF_F_ALL_TSO
+instead.
+
+Signed-off-by: Cathy Zhou
+Signed-off-by: Shannon Nelson
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/sun/sunvnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c
+index e9e4b582082b..6e0947d69048 100644
+--- a/drivers/net/ethernet/sun/sunvnet.c
++++ b/drivers/net/ethernet/sun/sunvnet.c
+@@ -312,7 +312,7 @@ static struct vnet *vnet_new(const u64 *local_mac,
+ dev->ethtool_ops = &vnet_ethtool_ops;
+ dev->watchdog_timeo = VNET_TX_TIMEOUT;
+
+- dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_GSO_SOFTWARE |
++ dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_ALL_TSO |
+ NETIF_F_HW_CSUM | NETIF_F_SG;
+ dev->features = dev->hw_features;
+
+--
+2.16.4
+
diff --git a/patches.suse/usb-dwc3-Fix-race-between-dwc3_set_mode-and-__dwc3_s.patch b/patches.suse/usb-dwc3-Fix-race-between-dwc3_set_mode-and-__dwc3_s.patch
new file mode 100644
index 0000000..3d99ec9
--- /dev/null
+++ b/patches.suse/usb-dwc3-Fix-race-between-dwc3_set_mode-and-__dwc3_s.patch
@@ -0,0 +1,103 @@
+From 62c73bfea048e66168df09da6d3e4510ecda40bb Mon Sep 17 00:00:00 2001
+From: Sven Peter
+Date: Mon, 28 Nov 2022 17:15:26 +0100
+Subject: [PATCH] usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode
+Git-commit: 62c73bfea048e66168df09da6d3e4510ecda40bb
+References: git-fixes
+Patch-mainline: v6.2-rc1
+
+dwc->desired_dr_role is changed by dwc3_set_mode inside a spinlock but
+then read by __dwc3_set_mode outside of that lock. This can lead to a
+race condition when very quick successive role switch events happen:
+
+CPU A
+ dwc3_set_mode(DWC3_GCTL_PRTCAP_HOST) // first role switch event
+ spin_lock_irqsave(&dwc->lock, flags);
+ dwc->desired_dr_role = mode; // DWC3_GCTL_PRTCAP_HOST
+ spin_unlock_irqrestore(&dwc->lock, flags);
+ queue_work(system_freezable_wq, &dwc->drd_work);
+
+CPU B
+ __dwc3_set_mode
+ // ....
+ spin_lock_irqsave(&dwc->lock, flags);
+ // desired_dr_role is DWC3_GCTL_PRTCAP_HOST
+ dwc3_set_prtcap(dwc, dwc->desired_dr_role);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
+CPU A
+ dwc3_set_mode(DWC3_GCTL_PRTCAP_DEVICE) // second event
+ spin_lock_irqsave(&dwc->lock, flags);
+ dwc->desired_dr_role = mode; // DWC3_GCTL_PRTCAP_DEVICE
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
+CPU B (continues running __dwc3_set_mode)
+ switch (dwc->desired_dr_role) { // DWC3_GCTL_PRTCAP_DEVICE
+ // ....
+ case DWC3_GCTL_PRTCAP_DEVICE:
+ // ....
+ ret = dwc3_gadget_init(dwc);
+
+We then have DWC3_GCTL.DWC3_GCTL_PRTCAPDIR = DWC3_GCTL_PRTCAP_HOST and
+dwc->current_dr_role = DWC3_GCTL_PRTCAP_HOST but initialized the
+controller in device mode. It's also possible to get into a state
+where both host and device are intialized at the same time.
+Fix this race by creating a local copy of desired_dr_role inside
+__dwc3_set_mode while holding dwc->lock.
+
+Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly")
+Cc: stable
+Acked-by: Thinh Nguyen
+Signed-off-by: Sven Peter
+Link: https://lore.kernel.org/r/20221128161526.79730-1-sven@svenpeter.dev
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Oliver Neukum
+---
+ drivers/usb/dwc3/core.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -118,17 +118,22 @@ static void __dwc3_set_mode(struct work_
+ struct dwc3 *dwc = work_to_dwc(work);
+ unsigned long flags;
+ int ret;
++ u32 desired_dr_role;
+
+- if (!dwc->desired_dr_role)
++ spin_lock_irqsave(&dwc->lock, flags);
++ desired_dr_role = dwc->desired_dr_role;
++ spin_unlock_irqrestore(&dwc->lock, flags);
++
++ if (!desired_dr_role)
+ return;
+
+- if (dwc->desired_dr_role == dwc->current_dr_role)
++ if (desired_dr_role == dwc->current_dr_role)
+ return;
+
+ if (dwc->dr_mode != USB_DR_MODE_OTG)
+ return;
+
+- if (dwc->desired_dr_role == DWC3_GCTL_PRTCAP_OTG)
++ if (desired_dr_role == DWC3_GCTL_PRTCAP_OTG)
+ return;
+
+ switch (dwc->current_dr_role) {
+@@ -145,13 +150,13 @@ static void __dwc3_set_mode(struct work_
+
+ spin_lock_irqsave(&dwc->lock, flags);
+
+- dwc3_set_prtcap(dwc, dwc->desired_dr_role);
++ dwc3_set_prtcap(dwc, desired_dr_role);
+
+- dwc->current_dr_role = dwc->desired_dr_role;
++ dwc->current_dr_role = desired_dr_role;
+
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
+- switch (dwc->desired_dr_role) {
++ switch (desired_dr_role) {
+ case DWC3_GCTL_PRTCAP_HOST:
+ ret = dwc3_host_init(dwc);
+ if (ret)
diff --git a/patches.suse/usb-early-xhci-dbc-Fix-a-potential-out-of-bound-memo.patch b/patches.suse/usb-early-xhci-dbc-Fix-a-potential-out-of-bound-memo.patch
new file mode 100644
index 0000000..c6d02e7
--- /dev/null
+++ b/patches.suse/usb-early-xhci-dbc-Fix-a-potential-out-of-bound-memo.patch
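Review bot: `dwc->current_dr_role` is still read without `dwc->lock` in `if (desired_dr_role == dwc->current_dr_role)` and in `switch (dwc->current_dr_role)`, while the same function writes it under the lock further down. That is safe only if this work item is the field's sole writer, which cannot be confirmed from the hunks. If it is, a comment next to the snapshot such as `/* current_dr_role is only written by this work item, so it is read unlocked */` would record the assumption; otherwise read it in the same locked section as `desired_dr_role`. The function body continues past the end of the second hunk.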
@@ -0,0 +1,41 @@
+From a4a97ab3db5c081eb6e7dba91306adefb461e0bd Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sun, 29 Jan 2023 19:23:08 +0100
+Subject: [PATCH] usb: early: xhci-dbc: Fix a potential out-of-bound memory
+ access
+Git-commit: a4a97ab3db5c081eb6e7dba91306adefb461e0bd
+References: git-fixes
+Patch-mainline: v6.3-rc1
+
+If xdbc_bulk_write() fails, the values in 'buf' can be anything. So the
+string is not guaranteed to be NULL terminated when xdbc_trace() is called.
+
+Reserve an extra byte, which will be zeroed automatically because 'buf' is
+a static variable, in order to avoid troubles, should it happen.
+
+Fixes: aeb9dd1de98c ("usb/early: Add driver for xhci debug capability")
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/d6a7562c5e839a195cee85db6dc81817f9372cb1.1675016180.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Oliver Neukum
+---
+ drivers/usb/early/xhci-dbc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c
+index 797047154820..f3e23be227d4 100644
+--- a/drivers/usb/early/xhci-dbc.c
++++ b/drivers/usb/early/xhci-dbc.c
+@@ -874,7 +874,8 @@ static int xdbc_bulk_write(const char *bytes, int size)
+
+ static void early_xdbc_write(struct console *con, const char *str, u32 n)
+ {
+- static char buf[XDBC_MAX_PACKET];
++ /* static variables are zeroed, so buf is always NULL terminated */
++ static char buf[XDBC_MAX_PACKET + 1];
+ int chunk, ret;
+ int use_cr = 0;
+
+--
+2.40.1
+
diff --git a/patches.suse/wcn36xx-Add-ability-for-wcn36xx_smd_dump_cmd_req-to-.patch b/patches.suse/wcn36xx-Add-ability-for-wcn36xx_smd_dump_cmd_req-to-.patch
new file mode 100644
index 0000000..82a9c6f
--- /dev/null
+++ b/patches.suse/wcn36xx-Add-ability-for-wcn36xx_smd_dump_cmd_req-to-.patch
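Review bot: The terminator in `static char buf[XDBC_MAX_PACKET + 1];` holds only as long as nothing ever stores to `buf[XDBC_MAX_PACKET]`, and the loop that fills `buf` in early_xdbc_write is outside this hunk. If that loop bounds itself with `sizeof(buf)` anywhere, the guarantee is lost, so it is worth confirming it uses `XDBC_MAX_PACKET`. Assuming `chunk` holds the number of bytes filled, writing `buf[chunk] = '\0';` before the trace call would make termination explicit and would also stop a short chunk from being printed with leftover bytes of an earlier, longer one. The added comment should read NUL-terminated rather than NULL terminated.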
@@ -0,0 +1,48 @@
+From c0c2eb20c79e10e7c828e8a1be1efd346d568d5f Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue
+Date: Thu, 9 Sep 2021 15:44:28 +0100
+Subject: [PATCH] wcn36xx: Add ability for wcn36xx_smd_dump_cmd_req to pass
+ two's complement
+Git-commit: c0c2eb20c79e10e7c828e8a1be1efd346d568d5f
+References: git-fixes
+Patch-mainline: v5.16-rc1
+
+Qcom documents suggest passing of negative values to the dump command,
+however currently we convert from string to u32 not s32, so we cannot pass
+a two's complement value to the firmware in this way.
+
+There is in fact only one parameter which takes a two's complement value
+ in the antenna diversity switch command.
+
+Downstream:
+iwpriv wlan0 dump 71 3
+
+Upstream:
+echo "71 3 " > /sys/kernel/debug/ieee80211/phy0/wcn36xx/dump
+
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
+Signed-off-by: Bryan O'Donoghue
+Reviewed-by: Loic Poulain
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210909144428.2564650-3-bryan.odonoghue@linaro.org
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/wcn36xx/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/debug.c b/drivers/net/wireless/ath/wcn36xx/debug.c
+index 389b5e7129a6..6af306ae41ad 100644
+--- a/drivers/net/wireless/ath/wcn36xx/debug.c
++++ b/drivers/net/wireless/ath/wcn36xx/debug.c
+@@ -120,7 +120,7 @@ static ssize_t write_file_dump(struct file *file,
+ if (begin == NULL)
+ break;
+
+- if (kstrtou32(begin, 0, &arg[i]) != 0)
++ if (kstrtos32(begin, 0, &arg[i]) != 0)
+ break;
+ }
+
+--
+2.40.1
+
diff --git a/patches.suse/wcn36xx-Add-ieee80211-rx-status-rate-information.patch b/patches.suse/wcn36xx-Add-ieee80211-rx-status-rate-information.patch
new file mode 100644
index 0000000..4307fb7
--- /dev/null
+++ b/patches.suse/wcn36xx-Add-ieee80211-rx-status-rate-information.patch
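Review bot: `kstrtos32(begin, 0, &arg[i])` expects an `s32 *`, and the declaration of `arg` is outside this hunk; if it is still an array of `u32`, the call passes a pointer of the wrong signedness. Parsing into a local and storing it makes the conversion explicit: `s32 val;`, then `if (kstrtos32(begin, 0, &val) != 0) break;` and `arg[i] = val;`. The loop and the rest of write_file_dump are not visible here.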
@@ -0,0 +1,159 @@ +From 0aa90483f23e792f6cf571e8b396eef746194438 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Mon, 15 Jun 2020 20:29:06 +0300 +Subject: [PATCH] wcn36xx: Add ieee80211 rx status rate information +Git-commit: 0aa90483f23e792f6cf571e8b396eef746194438 +References: git-fixes +Patch-mainline: v5.10-rc1 + +Packet encoding, bandwidth and bitrate can be derived from the +wcn36xx rate_idx, part of the buffer descriptor. + +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1591961254-10243-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/txrx.c | 109 +++++++++++++++++++++++- + 1 file changed, 108 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c +index a6902371e89c..dda6d8946aef 100644 +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -23,9 +23,104 @@ static inline int get_rssi0(struct wcn36xx_rx_bd *bd) + return 100 - ((bd->phy_stat0 >> 24) & 0xff); + } + ++struct wcn36xx_rate { ++ u16 bitrate; ++ u16 mcs_or_legacy_index; ++ enum mac80211_rx_encoding encoding; ++ enum mac80211_rx_encoding_flags encoding_flags; ++ enum rate_info_bw bw; ++}; ++ ++static const struct wcn36xx_rate wcn36xx_rate_table[] = { ++ /* 11b rates */ ++ { 10, 0, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ { 20, 1, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ { 55, 2, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ { 110, 3, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ ++ /* 11b SP (short preamble) */ ++ { 10, 0, RX_ENC_LEGACY, RX_ENC_FLAG_SHORTPRE, RATE_INFO_BW_20 }, ++ { 20, 1, RX_ENC_LEGACY, RX_ENC_FLAG_SHORTPRE, RATE_INFO_BW_20 }, ++ { 55, 2, RX_ENC_LEGACY, RX_ENC_FLAG_SHORTPRE, RATE_INFO_BW_20 }, ++ { 110, 3, RX_ENC_LEGACY, RX_ENC_FLAG_SHORTPRE, RATE_INFO_BW_20 }, ++ ++ /* 11ag */ ++ { 60, 4, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ { 90, 5, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ 
{ 120, 6, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ { 180, 7, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ { 240, 8, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ { 360, 9, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ { 480, 10, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ { 540, 11, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, ++ ++ /* 11n */ ++ { 65, 0, RX_ENC_HT, 0, RATE_INFO_BW_20 }, ++ { 130, 1, RX_ENC_HT, 0, RATE_INFO_BW_20 }, ++ { 195, 2, RX_ENC_HT, 0, RATE_INFO_BW_20 }, ++ { 260, 3, RX_ENC_HT, 0, RATE_INFO_BW_20 }, ++ { 390, 4, RX_ENC_HT, 0, RATE_INFO_BW_20 }, ++ { 520, 5, RX_ENC_HT, 0, RATE_INFO_BW_20 }, ++ { 585, 6, RX_ENC_HT, 0, RATE_INFO_BW_20 }, ++ { 650, 7, RX_ENC_HT, 0, RATE_INFO_BW_20 }, ++ ++ /* 11n SGI */ ++ { 72, 0, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_20 }, ++ { 144, 1, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_20 }, ++ { 217, 2, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_20 }, ++ { 289, 3, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_20 }, ++ { 434, 4, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_20 }, ++ { 578, 5, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_20 }, ++ { 650, 6, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_20 }, ++ { 722, 7, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_20 }, ++ ++ /* 11n GF (greenfield) */ ++ { 65, 0, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_20 }, ++ { 130, 1, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_20 }, ++ { 195, 2, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_20 }, ++ { 260, 3, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_20 }, ++ { 390, 4, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_20 }, ++ { 520, 5, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_20 }, ++ { 585, 6, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_20 }, ++ { 650, 7, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_20 }, ++ ++ /* 11n CB (channel bonding) */ ++ { 135, 0, RX_ENC_HT, 0, RATE_INFO_BW_40 }, ++ { 270, 1, RX_ENC_HT, 0, RATE_INFO_BW_40 }, ++ { 405, 2, RX_ENC_HT, 0, RATE_INFO_BW_40 }, ++ { 540, 3, RX_ENC_HT, 0, RATE_INFO_BW_40 }, ++ { 810, 4, RX_ENC_HT, 0, 
RATE_INFO_BW_40 }, ++ { 1080, 5, RX_ENC_HT, 0, RATE_INFO_BW_40 }, ++ { 1215, 6, RX_ENC_HT, 0, RATE_INFO_BW_40 }, ++ { 1350, 7, RX_ENC_HT, 0, RATE_INFO_BW_40 }, ++ ++ /* 11n CB + SGI */ ++ { 150, 0, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_40 }, ++ { 300, 1, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_40 }, ++ { 450, 2, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_40 }, ++ { 600, 3, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_40 }, ++ { 900, 4, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_40 }, ++ { 1200, 5, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_40 }, ++ { 1350, 6, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_40 }, ++ { 1500, 7, RX_ENC_HT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_40 }, ++ ++ /* 11n GF + CB */ ++ { 135, 0, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_40 }, ++ { 270, 1, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_40 }, ++ { 405, 2, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_40 }, ++ { 540, 3, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_40 }, ++ { 810, 4, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_40 }, ++ { 1080, 5, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_40 }, ++ { 1215, 6, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_40 }, ++ { 1350, 7, RX_ENC_HT, RX_ENC_FLAG_HT_GF, RATE_INFO_BW_40 }, ++ ++ /* TODO: AC rates */ ++}; ++ + int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + { + struct ieee80211_rx_status status; ++ const struct wcn36xx_rate *rate; + struct ieee80211_hdr *hdr; + struct wcn36xx_rx_bd *bd; + u16 fc, sn; +@@ -61,7 +156,6 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + status.mactime = 10; + status.signal = -get_rssi0(bd); + status.antenna = 1; +- status.rate_idx = 1; + status.flag = 0; + status.rx_flags = 0; + status.flag |= RX_FLAG_IV_STRIPPED | +@@ -70,6 +164,19 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + + wcn36xx_dbg(WCN36XX_DBG_RX, "status.flags=%x\n", status.flag); + ++ if (bd->rate_id < ARRAY_SIZE(wcn36xx_rate_table)) { ++ rate = &wcn36xx_rate_table[bd->rate_id]; ++ 
status.encoding = rate->encoding; ++ status.enc_flags = rate->encoding_flags; ++ status.bw = rate->bw; ++ status.rate_idx = rate->mcs_or_legacy_index; ++ } else { ++ status.encoding = 0; ++ status.bw = 0; ++ status.enc_flags = 0; ++ status.rate_idx = 0; ++ } ++ + memcpy(IEEE80211_SKB_RXCB(skb), &status, sizeof(status)); + + if (ieee80211_is_beacon(hdr->frame_control)) { +-- +2.40.1 + diff --git a/patches.suse/wcn36xx-Channel-list-update-before-hardware-scan.patch b/patches.suse/wcn36xx-Channel-list-update-before-hardware-scan.patch new file mode 100644 index 0000000..c89caf9 --- /dev/null +++ b/patches.suse/wcn36xx-Channel-list-update-before-hardware-scan.patch 
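Review bot: `status.rate_idx = rate->mcs_or_legacy_index` gives the 11ag entries of wcn36xx_rate_table the indices 4 to 11, which presumes a legacy bitrate table that starts with the four 11b rates. For RX_ENC_LEGACY frames the index is interpreted against the bitrate table of the band in `status.band`, and a 5 GHz table normally has no 11b entries, so a 6 Mbps frame would need index 0 there. The band tables and the code that sets `status.band` are outside this hunk, so this needs checking; if it applies, an adjustment after the lookup such as `if (status.band == NL80211_BAND_5GHZ && status.encoding == RX_ENC_LEGACY && status.rate_idx >= 4) status.rate_idx -= 4;` would correct it. The `bd->rate_id < ARRAY_SIZE(wcn36xx_rate_table)` guard on the descriptor-supplied index should stay as it is.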
@@ -0,0 +1,200 @@ +From d707f812bb0513ea0030d0c9fe2a456bae5a4583 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Mon, 25 Oct 2021 17:22:08 +0200 +Subject: [PATCH] wcn36xx: Channel list update before hardware scan +Git-commit: d707f812bb0513ea0030d0c9fe2a456bae5a4583 +References: git-fixes +Patch-mainline: v5.16-rc1 + +The channel scan list must be updated before triggering a hardware scan +so that firmware takes into account the regulatory info for each single +channel such as active/passive config, power, DFS, etc... Without this +the firmware uses its own internal default channel configuration, which +is not aligned with mac80211 regulatory rules, and misses several +channels (e.g. 144). + +Fixes: 2f3bef4b247e ("wcn36xx: Add hardware scan offload support") +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1635175328-25642-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/hal.h | 32 ++++++++++++ + drivers/net/wireless/ath/wcn36xx/main.c | 1 + drivers/net/wireless/ath/wcn36xx/smd.c | 82 ++++++++++++++++++++++++++++++++ + drivers/net/wireless/ath/wcn36xx/smd.h | 1 + 4 files changed, 116 insertions(+) + +--- a/drivers/net/wireless/ath/wcn36xx/hal.h ++++ b/drivers/net/wireless/ath/wcn36xx/hal.h +@@ -359,6 +359,8 @@ enum wcn36xx_hal_host_msg_type { + WCN36XX_HAL_START_SCAN_OFFLOAD_RSP = 205, + WCN36XX_HAL_STOP_SCAN_OFFLOAD_REQ = 206, + WCN36XX_HAL_STOP_SCAN_OFFLOAD_RSP = 207, ++ WCN36XX_HAL_UPDATE_CHANNEL_LIST_REQ = 208, ++ WCN36XX_HAL_UPDATE_CHANNEL_LIST_RSP = 209, + WCN36XX_HAL_SCAN_OFFLOAD_IND = 210, + + WCN36XX_HAL_AVOID_FREQ_RANGE_IND = 233, +@@ -1223,6 +1225,36 @@ struct wcn36xx_hal_stop_scan_offload_rsp + u32 status; + } __packed; + ++#define WCN36XX_HAL_CHAN_REG1_MIN_PWR_MASK 0x000000ff ++#define WCN36XX_HAL_CHAN_REG1_MAX_PWR_MASK 0x0000ff00 ++#define WCN36XX_HAL_CHAN_REG1_REG_PWR_MASK 0x00ff0000 ++#define WCN36XX_HAL_CHAN_REG1_CLASS_ID_MASK 0xff000000 
++#define WCN36XX_HAL_CHAN_REG2_ANT_GAIN_MASK 0x000000ff ++#define WCN36XX_HAL_CHAN_INFO_FLAG_PASSIVE BIT(7) ++#define WCN36XX_HAL_CHAN_INFO_FLAG_DFS BIT(10) ++#define WCN36XX_HAL_CHAN_INFO_FLAG_HT BIT(11) ++#define WCN36XX_HAL_CHAN_INFO_FLAG_VHT BIT(12) ++#define WCN36XX_HAL_CHAN_INFO_PHY_11A 0 ++#define WCN36XX_HAL_CHAN_INFO_PHY_11BG 1 ++#define WCN36XX_HAL_DEFAULT_ANT_GAIN 6 ++#define WCN36XX_HAL_DEFAULT_MIN_POWER 6 ++ ++struct wcn36xx_hal_channel_param { ++ u32 mhz; ++ u32 band_center_freq1; ++ u32 band_center_freq2; ++ u32 channel_info; ++ u32 reg_info_1; ++ u32 reg_info_2; ++} __packed; ++ ++struct wcn36xx_hal_update_channel_list_req_msg { ++ struct wcn36xx_hal_msg_header header; ++ ++ u8 num_channel; ++ struct wcn36xx_hal_channel_param channels[80]; ++} __packed; ++ + enum wcn36xx_hal_rate_index { + HW_RATE_INDEX_1MBPS = 0x82, + HW_RATE_INDEX_2MBPS = 0x84, +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -664,6 +664,7 @@ static int wcn36xx_hw_scan(struct ieee80 + + mutex_unlock(&wcn->scan_lock); + ++ wcn36xx_smd_update_channel_list(wcn, &hw_req->req); + return wcn36xx_smd_start_hw_scan(wcn, vif, &hw_req->req); + } + +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -16,6 +16,7 @@ + + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + ++#include + #include + #include + #include +@@ -755,6 +756,86 @@ out: + return ret; + } + ++int wcn36xx_smd_update_channel_list(struct wcn36xx *wcn, struct cfg80211_scan_request *req) ++{ ++ struct wcn36xx_hal_update_channel_list_req_msg *msg_body; ++ int ret, i; ++ ++ msg_body = kzalloc(sizeof(*msg_body), GFP_KERNEL); ++ if (!msg_body) ++ return -ENOMEM; ++ ++ INIT_HAL_MSG((*msg_body), WCN36XX_HAL_UPDATE_CHANNEL_LIST_REQ); ++ ++ msg_body->num_channel = min_t(u8, req->n_channels, sizeof(msg_body->channels)); ++ for (i = 0; i < msg_body->num_channel; i++) { ++ struct wcn36xx_hal_channel_param *param = &msg_body->channels[i]; ++ u32 
min_power = WCN36XX_HAL_DEFAULT_MIN_POWER; ++ u32 ant_gain = WCN36XX_HAL_DEFAULT_ANT_GAIN; ++ ++ param->mhz = req->channels[i]->center_freq; ++ param->band_center_freq1 = req->channels[i]->center_freq; ++ param->band_center_freq2 = 0; ++ ++ if (req->channels[i]->flags & IEEE80211_CHAN_NO_IR) ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_FLAG_PASSIVE; ++ ++ if (req->channels[i]->flags & IEEE80211_CHAN_RADAR) ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_FLAG_DFS; ++ ++ if (req->channels[i]->band == NL80211_BAND_5GHZ) { ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_FLAG_HT; ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_FLAG_VHT; ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_PHY_11A; ++ } else { ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_PHY_11BG; ++ } ++ ++ if (min_power > req->channels[i]->max_power) ++ min_power = req->channels[i]->max_power; ++ ++ if (req->channels[i]->max_antenna_gain) ++ ant_gain = req->channels[i]->max_antenna_gain; ++ ++ u32p_replace_bits(¶m->reg_info_1, min_power, ++ WCN36XX_HAL_CHAN_REG1_MIN_PWR_MASK); ++ u32p_replace_bits(¶m->reg_info_1, req->channels[i]->max_power, ++ WCN36XX_HAL_CHAN_REG1_MAX_PWR_MASK); ++ u32p_replace_bits(¶m->reg_info_1, req->channels[i]->max_reg_power, ++ WCN36XX_HAL_CHAN_REG1_REG_PWR_MASK); ++ u32p_replace_bits(¶m->reg_info_1, 0, ++ WCN36XX_HAL_CHAN_REG1_CLASS_ID_MASK); ++ u32p_replace_bits(¶m->reg_info_2, ant_gain, ++ WCN36XX_HAL_CHAN_REG2_ANT_GAIN_MASK); ++ ++ wcn36xx_dbg(WCN36XX_DBG_HAL, ++ "%s: freq=%u, channel_info=%08x, reg_info1=%08x, reg_info2=%08x\n", ++ __func__, param->mhz, param->channel_info, param->reg_info_1, ++ param->reg_info_2); ++ } ++ ++ mutex_lock(&wcn->hal_mutex); ++ ++ PREPARE_HAL_BUF(wcn->hal_buf, (*msg_body)); ++ ++ ret = wcn36xx_smd_send_and_wait(wcn, msg_body->header.len); ++ if (ret) { ++ wcn36xx_err("Sending hal_update_channel_list failed\n"); ++ goto out; ++ } ++ ++ ret = wcn36xx_smd_rsp_status_check(wcn->hal_buf, wcn->hal_rsp_len); ++ if (ret) { ++ 
wcn36xx_err("hal_update_channel_list response failed err=%d\n", ret); ++ goto out; ++ } ++ ++out: ++ kfree(msg_body); ++ mutex_unlock(&wcn->hal_mutex); ++ return ret; ++} ++ + static int wcn36xx_smd_switch_channel_rsp(void *buf, size_t len) + { + struct wcn36xx_hal_switch_channel_rsp_msg *rsp; +@@ -2550,6 +2631,7 @@ int wcn36xx_smd_rsp_process(struct rpmsg + case WCN36XX_HAL_8023_MULTICAST_LIST_RSP: + case WCN36XX_HAL_START_SCAN_OFFLOAD_RSP: + case WCN36XX_HAL_STOP_SCAN_OFFLOAD_RSP: ++ case WCN36XX_HAL_UPDATE_CHANNEL_LIST_RSP: + memcpy(wcn->hal_buf, buf, len); + wcn->hal_rsp_len = len; + complete(&wcn->hal_rsp_compl); +--- a/drivers/net/wireless/ath/wcn36xx/smd.h ++++ b/drivers/net/wireless/ath/wcn36xx/smd.h +@@ -70,6 +70,7 @@ int wcn36xx_smd_update_scan_params(struc + int wcn36xx_smd_start_hw_scan(struct wcn36xx *wcn, struct ieee80211_vif *vif, + struct cfg80211_scan_request *req); + int wcn36xx_smd_stop_hw_scan(struct wcn36xx *wcn); ++int wcn36xx_smd_update_channel_list(struct wcn36xx *wcn, struct cfg80211_scan_request *req); + int wcn36xx_smd_add_sta_self(struct wcn36xx *wcn, struct ieee80211_vif *vif); + int wcn36xx_smd_delete_sta_self(struct wcn36xx *wcn, u8 *addr); + int wcn36xx_smd_delete_sta(struct wcn36xx *wcn, u8 sta_index); diff --git a/patches.suse/wcn36xx-Disable-bmps-when-encryption-is-disabled.patch b/patches.suse/wcn36xx-Disable-bmps-when-encryption-is-disabled.patch new file mode 100644 index 0000000..d2abcb9 --- /dev/null +++ b/patches.suse/wcn36xx-Disable-bmps-when-encryption-is-disabled.patch 
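Review bot: `min_t(u8, req->n_channels, sizeof(msg_body->channels))` in wcn36xx_smd_update_channel_list clamps against the byte size of the array, not its element count. `channels` is 80 packed entries of six u32, 1920 bytes, which becomes 128 after the u8 cast, so a scan request with more than 80 channels makes the loop write past `channels[79]` and beyond the kzalloc'd message. The cast also truncates `n_channels` before the comparison. Clamp in a wider type against the element count: `msg_body->num_channel = min_t(size_t, req->n_channels, ARRAY_SIZE(msg_body->channels));`. Separately, wcn36xx_hw_scan drops the return value of the new call; if that is deliberate best effort, a comment there should say so.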
@@ -0,0 +1,94 @@ +From c6522a5076e1a65877c51cfee313a74ef61cabf8 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Tue, 25 Aug 2020 15:45:27 +0200 +Subject: [PATCH] wcn36xx: Disable bmps when encryption is disabled +Git-commit: c6522a5076e1a65877c51cfee313a74ef61cabf8 +References: git-fixes +Patch-mainline: v5.10-rc1 + +For whatever reason, when connected to an open/no-security BSS, +the wcn36xx controller in bmps mode does not forward 'wake-up' +beacons despite AP sends DTIM with station AID. + +Meaning that AP is not able to wakeup the station and needs to wait +for the station to wakeup by its own (TX data, keep alive pkt...), +causing serious latency issues and unexpected deauth. + +When connected to AP with encryption enabled, this issue does not occur. +So a simple workaround is to only enable bmps support in that case. + +Ideally, it should be propertly fixed to allow bmps support with open +BSS, whatever the issue is at driver or firmware level. + +Tested on wcn3620 and wcn3680. + +Signed-off-by: Loic Poulain +Tested-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1598363127-26066-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/main.c | 10 ++++++++++ + drivers/net/wireless/ath/wcn36xx/pmc.c | 5 ++++- + drivers/net/wireless/ath/wcn36xx/wcn36xx.h | 1 + + 3 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index 2c3e68646fe4..8becd667fe7b 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -610,6 +610,15 @@ static int wcn36xx_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + } + } + } ++ /* FIXME: Only enable bmps support when encryption is enabled. 
++ * For any reasons, when connected to open/no-security BSS, ++ * the wcn36xx controller in bmps mode does not forward ++ * 'wake-up' beacons despite AP sends DTIM with station AID. ++ * It could be due to a firmware issue or to the way driver ++ * configure the station. ++ */ ++ if (vif->type == NL80211_IFTYPE_STATION) ++ vif_priv->allow_bmps = true; + break; + case DISABLE_KEY: + if (!(IEEE80211_KEY_FLAG_PAIRWISE & key_conf->flags)) { +@@ -891,6 +900,7 @@ static void wcn36xx_bss_info_changed(struct ieee80211_hw *hw, + vif->addr, + bss_conf->aid); + vif_priv->sta_assoc = false; ++ vif_priv->allow_bmps = false; + wcn36xx_smd_set_link_st(wcn, + bss_conf->bssid, + vif->addr, +diff --git a/drivers/net/wireless/ath/wcn36xx/pmc.c b/drivers/net/wireless/ath/wcn36xx/pmc.c +index 1976b80c235f..8441031b667c 100644 +--- a/drivers/net/wireless/ath/wcn36xx/pmc.c ++++ b/drivers/net/wireless/ath/wcn36xx/pmc.c +@@ -23,7 +23,10 @@ int wcn36xx_pmc_enter_bmps_state(struct wcn36xx *wcn, + { + int ret = 0; + struct wcn36xx_vif *vif_priv = wcn36xx_vif_to_priv(vif); +- /* TODO: Make sure the TX chain clean */ ++ ++ if (!vif_priv->allow_bmps) ++ return -ENOTSUPP; ++ + ret = wcn36xx_smd_enter_bmps(wcn, vif); + if (!ret) { + wcn36xx_dbg(WCN36XX_DBG_PMC, "Entered BMPS\n"); +diff --git a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h +index 3221fed15620..719a6daf9298 100644 +--- a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h ++++ b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h +@@ -122,6 +122,7 @@ struct wcn36xx_vif { + enum wcn36xx_hal_bss_type bss_type; + + /* Power management */ ++ bool allow_bmps; + enum wcn36xx_power_state pw_state; + + u8 bss_index; +-- +2.40.1 + diff --git a/patches.suse/wcn36xx-Ensure-finish-scan-is-not-requested-before-s.patch b/patches.suse/wcn36xx-Ensure-finish-scan-is-not-requested-before-s.patch new file mode 100644 index 0000000..4b257ba --- /dev/null 
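Review bot: In the pmc.c part, the new early exit in `wcn36xx_pmc_enter_bmps_state` returns `-ENOTSUPP`, which is a kernel-internal code rather than a standard errno; `return -EOPNOTSUPP;` is the usual choice if the value can ever travel beyond the driver. The same hunk removes the `/* TODO: Make sure the TX chain clean */` comment, which is unrelated to the BMPS gating and is not mentioned in the description. In main.c, `allow_bmps` is set at the end of the SET_KEY case and cleared only on the disassociation path of `wcn36xx_bss_info_changed`; the visible DISABLE_KEY lines do not clear it. If that is intended, a comment such as `/* cleared on disassoc only; key removal leaves BMPS allowed */` next to the field would say so. All three functions continue outside the quoted context.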
+++ b/patches.suse/wcn36xx-Ensure-finish-scan-is-not-requested-before-s.patch 
@@ -0,0 +1,78 @@ +From d195d7aac09bddabc2c8326fb02fcec2b0a2de02 Mon Sep 17 00:00:00 2001 +From: Joseph Gates +Date: Wed, 18 Aug 2021 13:31:43 +0200 +Subject: [PATCH] wcn36xx: Ensure finish scan is not requested before start + scan +Git-commit: d195d7aac09bddabc2c8326fb02fcec2b0a2de02 +References: git-fixes +Patch-mainline: v5.15-rc1 + +If the operating channel is the first in the scan list, it was seen that +a finish scan request would be sent before a start scan request was +sent, causing the firmware to fail all future scans. Track the current +channel being scanned to avoid requesting the scan finish before it +starts. + +Cc: +Fixes: 5973a2947430 ("wcn36xx: Fix software-driven scan") +Signed-off-by: Joseph Gates +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1629286303-13179-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/main.c | 5 ++++- + drivers/net/wireless/ath/wcn36xx/wcn36xx.h | 1 + + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index d202f2128df2..67f4db662402 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -408,13 +408,14 @@ static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed) + wcn36xx_dbg(WCN36XX_DBG_MAC, "wcn36xx_config channel switch=%d\n", + ch); + +- if (wcn->sw_scan_opchannel == ch) { ++ if (wcn->sw_scan_opchannel == ch && wcn->sw_scan_channel) { + /* If channel is the initial operating channel, we may + * want to receive/transmit regular data packets, then + * simply stop the scan session and exit PS mode. + */ + wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, + wcn->sw_scan_vif); ++ wcn->sw_scan_channel = 0; + } else if (wcn->sw_scan) { + /* A scan is ongoing, do not change the operating + * channel, but start a scan session on the channel. 
+@@ -422,6 +423,7 @@ static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed) + wcn36xx_smd_init_scan(wcn, HAL_SYS_MODE_SCAN, + wcn->sw_scan_vif); + wcn36xx_smd_start_scan(wcn, ch); ++ wcn->sw_scan_channel = ch; + } else { + wcn36xx_change_opchannel(wcn, ch); + } +@@ -702,6 +704,7 @@ static void wcn36xx_sw_scan_start(struct ieee80211_hw *hw, + + wcn->sw_scan = true; + wcn->sw_scan_vif = vif; ++ wcn->sw_scan_channel = 0; + if (vif_priv->sta_assoc) + wcn->sw_scan_opchannel = WCN36XX_HW_CHANNEL(wcn); + else +diff --git a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h +index 6121d8a5641a..0feb235b5a42 100644 +--- a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h ++++ b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h +@@ -246,6 +246,7 @@ struct wcn36xx { + struct cfg80211_scan_request *scan_req; + bool sw_scan; + u8 sw_scan_opchannel; ++ u8 sw_scan_channel; + struct ieee80211_vif *sw_scan_vif; + struct mutex scan_lock; + bool scan_aborted; +-- +2.40.1 + diff --git a/patches.suse/wcn36xx-Fix-TX-data-path.patch b/patches.suse/wcn36xx-Fix-TX-data-path.patch new file mode 100644 index 0000000..da90a67 --- /dev/null +++ b/patches.suse/wcn36xx-Fix-TX-data-path.patch 
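Review bot: `sw_scan_channel` is consulted only in `wcn36xx_config`; `wcn36xx_sw_scan_complete`, added by the commit named in the Fixes tag and not touched here, still calls `wcn36xx_smd_finish_scan` unconditionally in the version shown elsewhere on this page. A finish request can therefore presumably still be sent without a matching start, for example a second time after the operating-channel branch has already closed the session. Unless another patch in the series covers it, guarding that call with `if (wcn->sw_scan_channel)` and resetting `wcn->sw_scan_channel = 0;` there would complete the tracking. The results of `wcn36xx_smd_init_scan` and `wcn36xx_smd_start_scan` are also ignored before `wcn->sw_scan_channel = ch;` is recorded, so a failed start is tracked as a running session. `wcn36xx_config` begins and ends outside the hunks.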
@@ -0,0 +1,80 @@ +From 512b191d965237249999b3c58600fe50356ab323 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Fri, 24 Jul 2020 12:20:50 +0200 +Subject: [PATCH] wcn36xx: Fix TX data path +Git-commit: 512b191d965237249999b3c58600fe50356ab323 +References: git-fixes +Patch-mainline: v5.10-rc1 + +This patch contains the following fixes: + +- Use correct queue for submitting QoS packet. The queue id to use +is a one-to-one mapping with the TID. + +- Don't encrypt a frame with IEEE80211_TX_INTFL_DONT_ENCRYPT flag. + +- Use the 'special queue' for null packets, preventing the firmware +to submit it as AMPDU. + +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1595586052-16081-5-git-send-email-loic.poulain@linaro.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/txrx.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -267,9 +267,11 @@ static void wcn36xx_set_tx_data(struct w + bool bcast) + { + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; ++ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + struct ieee80211_vif *vif = NULL; + struct wcn36xx_vif *__vif_priv = NULL; +- bool is_data_qos; ++ bool is_data_qos = ieee80211_is_data_qos(hdr->frame_control); ++ u16 tid = 0; + + bd->bd_rate = WCN36XX_BD_RATE_DATA; + +@@ -297,10 +299,21 @@ static void wcn36xx_set_tx_data(struct w + bd->dpu_desc_idx = __vif_priv->self_dpu_desc_index; + bd->dpu_sign = __vif_priv->self_ucast_dpu_sign; + } ++ if (is_data_qos) { ++ tid = ieee80211_get_tid(hdr); ++ /* TID->QID is one-to-one mapping */ ++ bd->queue_id = tid; ++ } + +- if (ieee80211_is_nullfunc(hdr->frame_control) || +- (sta_priv && !sta_priv->is_data_encrypted)) ++ if (info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT || ++ (sta_priv && !sta_priv->is_data_encrypted)) { + bd->dpu_ne = 1; ++ } ++ ++ if 
(ieee80211_is_any_nullfunc(hdr->frame_control)) { ++ /* Don't use a regular queue for null packet (no ampdu) */ ++ bd->queue_id = WCN36XX_TX_U_WQ_ID; ++ } + + if (bcast) { + bd->ub = 1; +@@ -308,13 +321,11 @@ static void wcn36xx_set_tx_data(struct w + } + *vif_priv = __vif_priv; + +- is_data_qos = ieee80211_is_data_qos(hdr->frame_control); +- + wcn36xx_set_tx_pdu(bd, + is_data_qos ? + sizeof(struct ieee80211_qos_hdr) : + sizeof(struct ieee80211_hdr_3addr), +- skb->len, sta_priv ? sta_priv->tid : 0); ++ skb->len, tid); + + if (sta_priv && is_data_qos) + wcn36xx_tx_start_ampdu(wcn, sta_priv, skb); diff --git a/patches.suse/wcn36xx-Fix-multiple-AMPDU-sessions-support.patch b/patches.suse/wcn36xx-Fix-multiple-AMPDU-sessions-support.patch new file mode 100644 index 0000000..4fb0011 --- /dev/null +++ b/patches.suse/wcn36xx-Fix-multiple-AMPDU-sessions-support.patch 
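Review bot: The rewritten `bd->dpu_ne` condition no longer covers null-function frames, which the removed `ieee80211_is_nullfunc(hdr->frame_control)` test did, and the description lists only the `IEEE80211_TX_INTFL_DONT_ENCRYPT` addition. Since `dpu_ne` appears to decide whether a frame bypasses hardware encryption, a comment above the test such as `/* dpu_ne: skip encryption only when mac80211 asks for it or the station is unencrypted */` would record that the change is deliberate. The flag test would also read more safely as `if ((info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT) ||`. `bd->queue_id = tid;` assumes every TID value is a valid queue id, which cannot be confirmed from these lines; `wcn36xx_set_tx_data` starts and ends outside the hunks.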
@@ -0,0 +1,169 @@ +From ffe835aa5bdb33572fceb0b14cba6a44c3371bdd Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Fri, 24 Jul 2020 12:20:47 +0200 +Subject: [PATCH] wcn36xx: Fix multiple AMPDU sessions support +Git-commit: ffe835aa5bdb33572fceb0b14cba6a44c3371bdd +References: git-fixes +Patch-mainline: v5.10-rc1 + +Several AMPDU sessions can be started, e.g. for different TIDs. +Currently the driver does not take care of the session ID when +requesting block-ack (statically set to 0), which leads to never +block-acked packet with sessions other than 0. + +Fix this by saving the session id when creating the ba session and +use it in subsequent ba operations. + +This issue can be reproduced with iperf in two steps (tid 0 strem +then tid 6 stream). + +1.0 iperf -s # wcn36xx side +1.1 iperf -c ${IP_ADDR} # host side + +Then + +2.0 iperf -s -u -S 0xC0 # wcn36xx side +2.1 iperf -c ${IP_ADDR} -u -S 0xC0 -l 2000 # host side + +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1595586052-16081-2-git-send-email-loic.poulain@linaro.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/main.c | 10 ++++++---- + drivers/net/wireless/ath/wcn36xx/smd.c | 32 ++++++++++++++++++++++++++------ + drivers/net/wireless/ath/wcn36xx/smd.h | 4 ++-- + 3 files changed, 34 insertions(+), 12 deletions(-) + +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -1082,6 +1082,7 @@ static int wcn36xx_ampdu_action(struct i + enum ieee80211_ampdu_mlme_action action = params->action; + u16 tid = params->tid; + u16 *ssn = ¶ms->ssn; ++ u8 session; + + wcn36xx_dbg(WCN36XX_DBG_MAC, "mac ampdu action action %d tid %d\n", + action, tid); +@@ -1091,10 +1092,11 @@ static int wcn36xx_ampdu_action(struct i + switch (action) { + case IEEE80211_AMPDU_RX_START: + sta_priv->tid = tid; +- wcn36xx_smd_add_ba_session(wcn, sta, tid, ssn, 0, +- get_sta_index(vif, sta_priv)); +- wcn36xx_smd_add_ba(wcn); +- 
wcn36xx_smd_trigger_ba(wcn, get_sta_index(vif, sta_priv)); ++ session = wcn36xx_smd_add_ba_session(wcn, sta, tid, ssn, 0, ++ get_sta_index(vif, sta_priv)); ++ wcn36xx_smd_add_ba(wcn, session); ++ wcn36xx_smd_trigger_ba(wcn, get_sta_index(vif, sta_priv), tid, ++ session); + break; + case IEEE80211_AMPDU_RX_STOP: + wcn36xx_smd_del_ba(wcn, tid, get_sta_index(vif, sta_priv)); +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -2102,6 +2102,22 @@ out: + return ret; + } + ++static int wcn36xx_smd_add_ba_session_rsp(void *buf, int len, u8 *session) ++{ ++ struct wcn36xx_hal_add_ba_session_rsp_msg *rsp; ++ ++ if (len < sizeof(*rsp)) ++ return -EINVAL; ++ ++ rsp = (struct wcn36xx_hal_add_ba_session_rsp_msg *)buf; ++ if (rsp->status != WCN36XX_FW_MSG_RESULT_SUCCESS) ++ return rsp->status; ++ ++ *session = rsp->ba_session_id; ++ ++ return 0; ++} ++ + int wcn36xx_smd_add_ba_session(struct wcn36xx *wcn, + struct ieee80211_sta *sta, + u16 tid, +@@ -2110,6 +2126,7 @@ int wcn36xx_smd_add_ba_session(struct wc + u8 sta_index) + { + struct wcn36xx_hal_add_ba_session_req_msg msg_body; ++ u8 session_id; + int ret; + + mutex_lock(&wcn->hal_mutex); +@@ -2135,17 +2152,20 @@ int wcn36xx_smd_add_ba_session(struct wc + wcn36xx_err("Sending hal_add_ba_session failed\n"); + goto out; + } +- ret = wcn36xx_smd_rsp_status_check(wcn->hal_buf, wcn->hal_rsp_len); ++ ret = wcn36xx_smd_add_ba_session_rsp(wcn->hal_buf, wcn->hal_rsp_len, ++ &session_id); + if (ret) { + wcn36xx_err("hal_add_ba_session response failed err=%d\n", ret); + goto out; + } ++ ++ ret = session_id; + out: + mutex_unlock(&wcn->hal_mutex); + return ret; + } + +-int wcn36xx_smd_add_ba(struct wcn36xx *wcn) ++int wcn36xx_smd_add_ba(struct wcn36xx *wcn, u8 session_id) + { + struct wcn36xx_hal_add_ba_req_msg msg_body; + int ret; +@@ -2153,7 +2173,7 @@ int wcn36xx_smd_add_ba(struct wcn36xx *w + mutex_lock(&wcn->hal_mutex); + INIT_HAL_MSG(msg_body, WCN36XX_HAL_ADD_BA_REQ); + +- 
msg_body.session_id = 0; ++ msg_body.session_id = session_id; + msg_body.win_size = WCN36XX_AGGR_BUFFER_SIZE; + + PREPARE_HAL_BUF(wcn->hal_buf, msg_body); +@@ -2212,7 +2232,7 @@ static int wcn36xx_smd_trigger_ba_rsp(vo + return rsp->status; + } + +-int wcn36xx_smd_trigger_ba(struct wcn36xx *wcn, u8 sta_index) ++int wcn36xx_smd_trigger_ba(struct wcn36xx *wcn, u8 sta_index, u16 tid, u8 session_id) + { + struct wcn36xx_hal_trigger_ba_req_msg msg_body; + struct wcn36xx_hal_trigger_ba_req_candidate *candidate; +@@ -2221,7 +2241,7 @@ int wcn36xx_smd_trigger_ba(struct wcn36x + mutex_lock(&wcn->hal_mutex); + INIT_HAL_MSG(msg_body, WCN36XX_HAL_TRIGGER_BA_REQ); + +- msg_body.session_id = 0; ++ msg_body.session_id = session_id; + msg_body.candidate_cnt = 1; + msg_body.header.len += sizeof(*candidate); + PREPARE_HAL_BUF(wcn->hal_buf, msg_body); +@@ -2229,7 +2249,7 @@ int wcn36xx_smd_trigger_ba(struct wcn36x + candidate = (struct wcn36xx_hal_trigger_ba_req_candidate *) + (wcn->hal_buf + sizeof(msg_body)); + candidate->sta_index = sta_index; +- candidate->tid_bitmap = 1; ++ candidate->tid_bitmap = 1 << tid; + + ret = wcn36xx_smd_send_and_wait(wcn, msg_body.header.len); + if (ret) { +--- a/drivers/net/wireless/ath/wcn36xx/smd.h ++++ b/drivers/net/wireless/ath/wcn36xx/smd.h +@@ -132,9 +132,9 @@ int wcn36xx_smd_add_ba_session(struct wc + u16 *ssn, + u8 direction, + u8 sta_index); +-int wcn36xx_smd_add_ba(struct wcn36xx *wcn); ++int wcn36xx_smd_add_ba(struct wcn36xx *wcn, u8 session_id); + int wcn36xx_smd_del_ba(struct wcn36xx *wcn, u16 tid, u8 sta_index); +-int wcn36xx_smd_trigger_ba(struct wcn36xx *wcn, u8 sta_index); ++int wcn36xx_smd_trigger_ba(struct wcn36xx *wcn, u8 sta_index, u16 tid, u8 session_id); + + int wcn36xx_smd_update_cfg(struct wcn36xx *wcn, u32 cfg_id, u32 value); + diff --git a/patches.suse/wcn36xx-Fix-software-driven-scan.patch b/patches.suse/wcn36xx-Fix-software-driven-scan.patch new file mode 100644 index 0000000..b543e19 --- /dev/null 
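Review bot: In `wcn36xx_ampdu_action` the result of `wcn36xx_smd_add_ba_session` is stored in `u8 session`, yet that function still returns an error code when the send fails and `rsp->status` when the firmware rejects the request. The error is therefore truncated to a byte and passed to `wcn36xx_smd_add_ba` and `wcn36xx_smd_trigger_ba` as if it were a session id. Declaring `int session;` and adding `if (session < 0) break;` after the call would stop that, provided `wcn36xx_smd_add_ba_session_rsp` also maps a non-success firmware status to a negative code (for example `return -EIO;`) so it cannot collide with a valid id. Separately, `candidate->tid_bitmap = 1 << tid;` should be checked against the width of `tid_bitmap`, whose declaration is not visible here. The bodies of these functions extend beyond the quoted context.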
+++ b/patches.suse/wcn36xx-Fix-software-driven-scan.patch 
@@ -0,0 +1,393 @@ +From 5973a2947430a297e3442c28114822a90dff362c Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Mon, 24 Aug 2020 18:53:55 +0200 +Subject: [PATCH] wcn36xx: Fix software-driven scan +Git-commit: 5973a2947430a297e3442c28114822a90dff362c +References: git-fix +Patch-mainline: v5.10-rc1 + +For software-driven scan, rely on mac80211 software scan instead +of internal driver implementation. The internal implementation +cause connection trouble since it keep the antenna busy during +the entire scan duration, moreover it's only a passive scanning +(no probe request). Therefore, let mac80211 manages sw scan. + +Note: we fallback to software scan if firmware does not report +scan offload support or if we need to scan the 5Ghz band (currently +not supported by the offload scan...). + +Signed-off-by: Loic Poulain +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1598288035-19790-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/main.c | 164 +++++++++++---------- + drivers/net/wireless/ath/wcn36xx/smd.c | 23 ++- + drivers/net/wireless/ath/wcn36xx/smd.h | 8 +- + drivers/net/wireless/ath/wcn36xx/txrx.c | 11 +- + drivers/net/wireless/ath/wcn36xx/wcn36xx.h | 6 +- + 5 files changed, 119 insertions(+), 93 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index 868de9d4a14a..2c3e68646fe4 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -354,8 +354,6 @@ static void wcn36xx_stop(struct ieee80211_hw *hw) + + wcn36xx_dbg(WCN36XX_DBG_MAC, "mac stop\n"); + +- cancel_work_sync(&wcn->scan_work); +- + mutex_lock(&wcn->scan_lock); + if (wcn->scan_req) { + struct cfg80211_scan_info scan_info = { +@@ -378,12 +376,37 @@ static void wcn36xx_stop(struct ieee80211_hw *hw) + kfree(wcn->hal_buf); + } + +-static int wcn36xx_config(struct ieee80211_hw *hw, u32 
changed) ++static void wcn36xx_change_ps(struct wcn36xx *wcn, bool enable) ++{ ++ struct ieee80211_vif *vif = NULL; ++ struct wcn36xx_vif *tmp; ++ ++ list_for_each_entry(tmp, &wcn->vif_list, list) { ++ vif = wcn36xx_priv_to_vif(tmp); ++ if (enable && !wcn->sw_scan) { ++ if (vif->bss_conf.ps) /* ps allowed ? */ ++ wcn36xx_pmc_enter_bmps_state(wcn, vif); ++ } else { ++ wcn36xx_pmc_exit_bmps_state(wcn, vif); ++ } ++ } ++} ++ ++static void wcn36xx_change_opchannel(struct wcn36xx *wcn, int ch) + { +- struct wcn36xx *wcn = hw->priv; + struct ieee80211_vif *vif = NULL; + struct wcn36xx_vif *tmp; + ++ list_for_each_entry(tmp, &wcn->vif_list, list) { ++ vif = wcn36xx_priv_to_vif(tmp); ++ wcn36xx_smd_switch_channel(wcn, vif, ch); ++ } ++} ++ ++static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed) ++{ ++ struct wcn36xx *wcn = hw->priv; ++ + wcn36xx_dbg(WCN36XX_DBG_MAC, "mac config changed 0x%08x\n", changed); + + mutex_lock(&wcn->conf_mutex); +@@ -392,24 +415,29 @@ static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed) + int ch = WCN36XX_HW_CHANNEL(wcn); + wcn36xx_dbg(WCN36XX_DBG_MAC, "wcn36xx_config channel switch=%d\n", + ch); +- list_for_each_entry(tmp, &wcn->vif_list, list) { +- vif = wcn36xx_priv_to_vif(tmp); +- wcn36xx_smd_switch_channel(wcn, vif, ch); +- } +- } + +- if (changed & IEEE80211_CONF_CHANGE_PS) { +- list_for_each_entry(tmp, &wcn->vif_list, list) { +- vif = wcn36xx_priv_to_vif(tmp); +- if (hw->conf.flags & IEEE80211_CONF_PS) { +- if (vif->bss_conf.ps) /* ps allowed ? */ +- wcn36xx_pmc_enter_bmps_state(wcn, vif); +- } else { +- wcn36xx_pmc_exit_bmps_state(wcn, vif); +- } ++ if (wcn->sw_scan_opchannel == ch) { ++ /* If channel is the initial operating channel, we may ++ * want to receive/transmit regular data packets, then ++ * simply stop the scan session and exit PS mode. 
++ */ ++ wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, ++ wcn->sw_scan_vif); ++ } else if (wcn->sw_scan) { ++ /* A scan is ongoing, do not change the operating ++ * channel, but start a scan session on the channel. ++ */ ++ wcn36xx_smd_init_scan(wcn, HAL_SYS_MODE_SCAN, ++ wcn->sw_scan_vif); ++ wcn36xx_smd_start_scan(wcn, ch); ++ } else { ++ wcn36xx_change_opchannel(wcn, ch); + } + } + ++ if (changed & IEEE80211_CONF_CHANGE_PS) ++ wcn36xx_change_ps(wcn, hw->conf.flags & IEEE80211_CONF_PS); ++ + mutex_unlock(&wcn->conf_mutex); + + return 0; +@@ -614,55 +642,26 @@ static int wcn36xx_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + return ret; + } + +-static void wcn36xx_hw_scan_worker(struct work_struct *work) ++static int wcn36xx_hw_scan(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ struct ieee80211_scan_request *hw_req) + { +- struct wcn36xx *wcn = container_of(work, struct wcn36xx, scan_work); +- struct cfg80211_scan_request *req = wcn->scan_req; +- u8 channels[WCN36XX_HAL_PNO_MAX_NETW_CHANNELS_EX]; +- struct cfg80211_scan_info scan_info = {}; +- bool aborted = false; ++ struct wcn36xx *wcn = hw->priv; + int i; + +- wcn36xx_dbg(WCN36XX_DBG_MAC, "mac80211 scan %d channels worker\n", req->n_channels); +- +- for (i = 0; i < req->n_channels; i++) +- channels[i] = req->channels[i]->hw_value; +- +- wcn36xx_smd_update_scan_params(wcn, channels, req->n_channels); +- +- wcn36xx_smd_init_scan(wcn, HAL_SYS_MODE_SCAN); +- for (i = 0; i < req->n_channels; i++) { +- mutex_lock(&wcn->scan_lock); +- aborted = wcn->scan_aborted; +- mutex_unlock(&wcn->scan_lock); +- +- if (aborted) +- break; +- +- wcn->scan_freq = req->channels[i]->center_freq; +- wcn->scan_band = req->channels[i]->band; +- +- wcn36xx_smd_start_scan(wcn, req->channels[i]->hw_value); +- msleep(30); +- wcn36xx_smd_end_scan(wcn, req->channels[i]->hw_value); +- +- wcn->scan_freq = 0; ++ if (!get_feat_caps(wcn->fw_feat_caps, SCAN_OFFLOAD)) { ++ /* fallback to mac80211 software scan */ ++ return 1; + 
} +- wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN); +- +- scan_info.aborted = aborted; +- ieee80211_scan_completed(wcn->hw, &scan_info); + +- mutex_lock(&wcn->scan_lock); +- wcn->scan_req = NULL; +- mutex_unlock(&wcn->scan_lock); +-} ++ /* For unknown reason, the hardware offloaded scan only works with ++ * 2.4Ghz channels, fallback to software scan in other cases. ++ */ ++ for (i = 0; i < hw_req->req.n_channels; i++) { ++ if (hw_req->req.channels[i]->band != NL80211_BAND_2GHZ) ++ return 1; ++ } + +-static int wcn36xx_hw_scan(struct ieee80211_hw *hw, +- struct ieee80211_vif *vif, +- struct ieee80211_scan_request *hw_req) +-{ +- struct wcn36xx *wcn = hw->priv; + mutex_lock(&wcn->scan_lock); + if (wcn->scan_req) { + mutex_unlock(&wcn->scan_lock); +@@ -674,12 +673,6 @@ static int wcn36xx_hw_scan(struct ieee80211_hw *hw, + + mutex_unlock(&wcn->scan_lock); + +- if (!get_feat_caps(wcn->fw_feat_caps, SCAN_OFFLOAD)) { +- /* legacy manual/sw scan */ +- schedule_work(&wcn->scan_work); +- return 0; +- } +- + return wcn36xx_smd_start_hw_scan(wcn, vif, &hw_req->req); + } + +@@ -696,16 +689,35 @@ static void wcn36xx_cancel_hw_scan(struct ieee80211_hw *hw, + /* ieee80211_scan_completed will be called on FW scan + * indication */ + wcn36xx_smd_stop_hw_scan(wcn); +- } else { +- struct cfg80211_scan_info scan_info = { +- .aborted = true, +- }; +- +- cancel_work_sync(&wcn->scan_work); +- ieee80211_scan_completed(wcn->hw, &scan_info); + } + } + ++static void wcn36xx_sw_scan_start(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ const u8 *mac_addr) ++{ ++ struct wcn36xx *wcn = hw->priv; ++ struct wcn36xx_vif *vif_priv = wcn36xx_vif_to_priv(vif); ++ ++ wcn->sw_scan = true; ++ wcn->sw_scan_vif = vif; ++ if (vif_priv->sta_assoc) ++ wcn->sw_scan_opchannel = WCN36XX_HW_CHANNEL(wcn); ++ else ++ wcn->sw_scan_opchannel = 0; ++} ++ ++static void wcn36xx_sw_scan_complete(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif) ++{ ++ struct wcn36xx *wcn = hw->priv; ++ ++ /* ensure that 
any scan session is finished */ ++ wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, wcn->sw_scan_vif); ++ wcn->sw_scan = false; ++ wcn->sw_scan_opchannel = 0; ++} ++ + static void wcn36xx_update_allowed_rates(struct ieee80211_sta *sta, + enum nl80211_band band) + { +@@ -1151,6 +1163,8 @@ static const struct ieee80211_ops wcn36xx_ops = { + .set_key = wcn36xx_set_key, + .hw_scan = wcn36xx_hw_scan, + .cancel_hw_scan = wcn36xx_cancel_hw_scan, ++ .sw_scan_start = wcn36xx_sw_scan_start, ++ .sw_scan_complete = wcn36xx_sw_scan_complete, + .bss_info_changed = wcn36xx_bss_info_changed, + .set_rts_threshold = wcn36xx_set_rts_threshold, + .sta_add = wcn36xx_sta_add, +@@ -1329,8 +1343,6 @@ static int wcn36xx_probe(struct platform_device *pdev) + goto out_wq; + } + +- INIT_WORK(&wcn->scan_work, wcn36xx_hw_scan_worker); +- + wcn->smd_channel = qcom_wcnss_open_channel(wcnss, "WLAN_CTRL", wcn36xx_smd_rsp_process, hw); + if (IS_ERR(wcn->smd_channel)) { + wcn36xx_err("failed to open WLAN_CTRL channel\n"); +diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c +index 908cc6cf7b1a..5a565f119e5d 100644 +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -517,8 +517,10 @@ int wcn36xx_smd_stop(struct wcn36xx *wcn) + return ret; + } + +-int wcn36xx_smd_init_scan(struct wcn36xx *wcn, enum wcn36xx_hal_sys_mode mode) ++int wcn36xx_smd_init_scan(struct wcn36xx *wcn, enum wcn36xx_hal_sys_mode mode, ++ struct ieee80211_vif *vif) + { ++ struct wcn36xx_vif *vif_priv = wcn36xx_vif_to_priv(vif); + struct wcn36xx_hal_init_scan_req_msg msg_body; + int ret; + +@@ -526,6 +528,13 @@ int wcn36xx_smd_init_scan(struct wcn36xx *wcn, enum wcn36xx_hal_sys_mode mode) + INIT_HAL_MSG(msg_body, WCN36XX_HAL_INIT_SCAN_REQ); + + msg_body.mode = mode; ++ if (vif_priv->bss_index != WCN36XX_HAL_BSS_INVALID_IDX) { ++ /* Notify BSSID with null DATA packet */ ++ msg_body.frame_type = 2; ++ msg_body.notify = 1; ++ 
msg_body.scan_entry.bss_index[0] = vif_priv->bss_index; ++ msg_body.scan_entry.active_bss_count = 1; ++ } + + PREPARE_HAL_BUF(wcn->hal_buf, msg_body); + +@@ -607,8 +616,10 @@ int wcn36xx_smd_end_scan(struct wcn36xx *wcn, u8 scan_channel) + } + + int wcn36xx_smd_finish_scan(struct wcn36xx *wcn, +- enum wcn36xx_hal_sys_mode mode) ++ enum wcn36xx_hal_sys_mode mode, ++ struct ieee80211_vif *vif) + { ++ struct wcn36xx_vif *vif_priv = wcn36xx_vif_to_priv(vif); + struct wcn36xx_hal_finish_scan_req_msg msg_body; + int ret; + +@@ -616,6 +627,14 @@ int wcn36xx_smd_finish_scan(struct wcn36xx *wcn, + INIT_HAL_MSG(msg_body, WCN36XX_HAL_FINISH_SCAN_REQ); + + msg_body.mode = mode; ++ msg_body.oper_channel = WCN36XX_HW_CHANNEL(wcn); ++ if (vif_priv->bss_index != WCN36XX_HAL_BSS_INVALID_IDX) { ++ /* Notify BSSID with null data packet */ ++ msg_body.notify = 1; ++ msg_body.frame_type = 2; ++ msg_body.scan_entry.bss_index[0] = vif_priv->bss_index; ++ msg_body.scan_entry.active_bss_count = 1; ++ } + + PREPARE_HAL_BUF(wcn->hal_buf, msg_body); + +diff --git a/drivers/net/wireless/ath/wcn36xx/smd.h b/drivers/net/wireless/ath/wcn36xx/smd.h +index 68c59df7a0ad..b1d8083d9d9d 100644 +--- a/drivers/net/wireless/ath/wcn36xx/smd.h ++++ b/drivers/net/wireless/ath/wcn36xx/smd.h +@@ -59,11 +59,13 @@ void wcn36xx_smd_close(struct wcn36xx *wcn); + int wcn36xx_smd_load_nv(struct wcn36xx *wcn); + int wcn36xx_smd_start(struct wcn36xx *wcn); + int wcn36xx_smd_stop(struct wcn36xx *wcn); +-int wcn36xx_smd_init_scan(struct wcn36xx *wcn, enum wcn36xx_hal_sys_mode mode); + int wcn36xx_smd_start_scan(struct wcn36xx *wcn, u8 scan_channel); + int wcn36xx_smd_end_scan(struct wcn36xx *wcn, u8 scan_channel); +-int wcn36xx_smd_finish_scan(struct wcn36xx *wcn, +- enum wcn36xx_hal_sys_mode mode); ++int wcn36xx_smd_finish_scan(struct wcn36xx *wcn, enum wcn36xx_hal_sys_mode mode, ++ struct ieee80211_vif *vif); ++int wcn36xx_smd_init_scan(struct wcn36xx *wcn, enum wcn36xx_hal_sys_mode mode, ++ struct ieee80211_vif 
*vif); ++ + int wcn36xx_smd_update_scan_params(struct wcn36xx *wcn, u8 *channels, size_t channel_count); + int wcn36xx_smd_start_hw_scan(struct wcn36xx *wcn, struct ieee80211_vif *vif, + struct cfg80211_scan_request *req); +diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c +index f5872e7dfb51..820505619f66 100644 +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -144,15 +144,8 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + fc = __le16_to_cpu(hdr->frame_control); + sn = IEEE80211_SEQ_TO_SN(__le16_to_cpu(hdr->seq_ctrl)); + +- /* When scanning associate beacons to this */ +- if (ieee80211_is_beacon(hdr->frame_control) && wcn->scan_freq) { +- status.freq = wcn->scan_freq; +- status.band = wcn->scan_band; +- } else { +- status.freq = WCN36XX_CENTER_FREQ(wcn); +- status.band = WCN36XX_BAND(wcn); +- } +- ++ status.freq = WCN36XX_CENTER_FREQ(wcn); ++ status.band = WCN36XX_BAND(wcn); + status.mactime = 10; + status.signal = -get_rssi0(bd); + status.antenna = 1; +diff --git a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h +index 2d89849c630b..3221fed15620 100644 +--- a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h ++++ b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h +@@ -223,10 +223,10 @@ struct wcn36xx { + spinlock_t hal_ind_lock; + struct list_head hal_ind_queue; + +- struct work_struct scan_work; + struct cfg80211_scan_request *scan_req; +- int scan_freq; +- int scan_band; ++ bool sw_scan; ++ u8 sw_scan_opchannel; ++ struct ieee80211_vif *sw_scan_vif; + struct mutex scan_lock; + bool scan_aborted; + +-- +2.40.1 + diff --git a/patches.suse/wcn36xx-Fix-warning-due-to-bad-rate_idx.patch b/patches.suse/wcn36xx-Fix-warning-due-to-bad-rate_idx.patch new file mode 100644 index 0000000..4206838 --- /dev/null +++ b/patches.suse/wcn36xx-Fix-warning-due-to-bad-rate_idx.patch 
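Review bot: `wcn36xx_sw_scan_start` and `wcn36xx_sw_scan_complete` write `wcn->sw_scan`, `wcn->sw_scan_vif` and `wcn->sw_scan_opchannel` without taking `wcn->conf_mutex`, while `wcn36xx_config` (and `wcn36xx_change_ps`, called from it) reads them with that mutex held. If mac80211 already serialises these callbacks, a comment stating so would do, e.g. `/* sw_scan* fields: serialised by mac80211, read under conf_mutex in wcn36xx_config */`; otherwise the assignments should sit between `mutex_lock(&wcn->conf_mutex);` and `mutex_unlock(&wcn->conf_mutex);`. The literal in `msg_body.frame_type = 2;` appears in both `wcn36xx_smd_init_scan` and `wcn36xx_smd_finish_scan` and would read better as a named constant. The patch header carries `References: git-fix`, whereas the neighbouring patches use `git-fixes`; that is worth checking against what the series tooling expects.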
@@ -0,0 +1,54 @@ +From 6ea131acea98026f144f64fb2d8ea7dbb95d3049 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Sat, 29 Aug 2020 04:38:41 +0100 +Subject: [PATCH] wcn36xx: Fix warning due to bad rate_idx +Git-commit: 6ea131acea98026f144f64fb2d8ea7dbb95d3049 +References: git-fixes +Patch-mainline: v5.10-rc1 + +The rate_idx is the index of the bitrate in the supported rate table. +However the 5Ghz band has a smaller legacy bitrate table than 2.4Ghz +since it does not have the DSSS bitrates (1, 2, 5.5, 11). + +So in 5Ghz band the index should adjusted accrodingly (-4). + +Signed-off-by: Loic Poulain +[bod: Made sure fix is only applied if the rate_idx > n_bitrates] +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200829033846.2167619-6-bryan.odonoghue@linaro.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/txrx.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c +index 90924f6106ee..19f5e306848b 100644 +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -230,6 +230,7 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + const struct wcn36xx_rate *rate; + struct ieee80211_hdr *hdr; + struct wcn36xx_rx_bd *bd; ++ struct ieee80211_supported_band *sband; + u16 fc, sn; + + /* +@@ -270,6 +271,14 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + status.enc_flags = rate->encoding_flags; + status.bw = rate->bw; + status.rate_idx = rate->mcs_or_legacy_index; ++ sband = wcn->hw->wiphy->bands[status.band]; ++ ++ if (status.band == NL80211_BAND_5GHZ && ++ status.encoding == RX_ENC_LEGACY && ++ status.rate_idx >= sband->n_bitrates) { ++ /* no dsss rates in 5Ghz rates table */ ++ status.rate_idx -= 4; ++ } + } else { + status.encoding = 0; + status.bw = 0; +-- +2.40.1 + 
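Review bot: After `status.rate_idx -= 4;` the index is not compared with `sband->n_bitrates` again, so a value of `n_bitrates + 4` or more would still be passed on out of range; where `rate` comes from is outside the hunk, so whether such a value can occur cannot be judged from here. `sband` is taken from `wcn->hw->wiphy->bands[status.band]` and dereferenced without a NULL check, which presumably relies on the 5 GHz band always being registered when `status.band == NL80211_BAND_5GHZ`; a short comment saying so would help. The literal `4` stands for the DSSS entries missing from the 5 GHz table and would be clearer as a named constant. `wcn36xx_rx_skb` begins and ends outside the hunks.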
diff --git a/patches.suse/wcn36xx-Increase-number-of-TX-retries.patch b/patches.suse/wcn36xx-Increase-number-of-TX-retries.patch new file mode 100644 index 0000000..e55d51b --- /dev/null +++ b/patches.suse/wcn36xx-Increase-number-of-TX-retries.patch @@ -0,0 +1,39 @@ +From 1c20560607e6e142af76b9bd57e275b9053958a1 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Fri, 24 Jul 2020 12:20:49 +0200 +Subject: [PATCH] wcn36xx: Increase number of TX retries +Git-commit: 1c20560607e6e142af76b9bd57e275b9053958a1 +References: git-fixes +Patch-mainline: v5.10-rc1 + +Increase the short/long retry limit to 15 in order to impove TX +robustness in noisy/busy environment. 15 is the default value +defined in the downstream driver. Observed number of ack timeout +is reduced with this change. + +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1595586052-16081-4-git-send-email-loic.poulain@linaro.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/smd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c +index 59f9f53fc788..908cc6cf7b1a 100644 +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -45,8 +45,8 @@ static struct wcn36xx_cfg_val wcn36xx_cfg_vals[] = { + WCN36XX_CFG_VAL(MAX_MEDIUM_TIME, 6000), + WCN36XX_CFG_VAL(MAX_MPDUS_IN_AMPDU, 64), + WCN36XX_CFG_VAL(RTS_THRESHOLD, 2347), +- WCN36XX_CFG_VAL(SHORT_RETRY_LIMIT, 6), +- WCN36XX_CFG_VAL(LONG_RETRY_LIMIT, 6), ++ WCN36XX_CFG_VAL(SHORT_RETRY_LIMIT, 15), ++ WCN36XX_CFG_VAL(LONG_RETRY_LIMIT, 15), + WCN36XX_CFG_VAL(FRAGMENTATION_THRESHOLD, 8000), + WCN36XX_CFG_VAL(DYNAMIC_THRESHOLD_ZERO, 5), + WCN36XX_CFG_VAL(DYNAMIC_THRESHOLD_ONE, 10), +-- +2.40.1 + 
diff --git a/patches.suse/wcn36xx-Move-hal_buf-allocation-to-devm_kmalloc-in-p.patch b/patches.suse/wcn36xx-Move-hal_buf-allocation-to-devm_kmalloc-in-p.patch index d2b86a8..fa08012 100644 --- a/patches.suse/wcn36xx-Move-hal_buf-allocation-to-devm_kmalloc-in-p.patch +++ b/patches.suse/wcn36xx-Move-hal_buf-allocation-to-devm_kmalloc-in-p.patch @@ -63,7 +63,7 @@ Acked-by: Takashi Iwai out_free_dxe_ctl: wcn36xx_dxe_free_ctl_blks(wcn); out_free_dxe_pool: -@@ -374,8 +365,6 @@ static void wcn36xx_stop(struct ieee8021 +@@ -372,8 +363,6 @@ static void wcn36xx_stop(struct ieee8021 wcn36xx_dxe_free_mem_pools(wcn); wcn36xx_dxe_free_ctl_blks(wcn); @@ -71,8 +71,8 @@ Acked-by: Takashi Iwai - kfree(wcn->hal_buf); } - static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed) -@@ -1322,6 +1311,12 @@ static int wcn36xx_probe(struct platform + static void wcn36xx_change_ps(struct wcn36xx *wcn, bool enable) +@@ -1335,6 +1324,12 @@ static int wcn36xx_probe(struct platform mutex_init(&wcn->hal_mutex); mutex_init(&wcn->scan_lock); diff --git a/patches.suse/wcn36xx-Specify-ieee80211_rx_status.nss.patch b/patches.suse/wcn36xx-Specify-ieee80211_rx_status.nss.patch new file mode 100644 index 0000000..0ce20ac --- /dev/null +++ b/patches.suse/wcn36xx-Specify-ieee80211_rx_status.nss.patch 
@@ -0,0 +1,38 @@
+From 1af05d43b9bef43ef71387b0d467c6c7aa6641a0 Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue
+Date: Sat, 29 Aug 2020 04:38:42 +0100
+Subject: [PATCH] wcn36xx: Specify ieee80211_rx_status.nss
+Git-commit: 1af05d43b9bef43ef71387b0d467c6c7aa6641a0
+References: git-fixes
+Patch-mainline: v5.10-rc1
+
+Specify the number of spatial streams in ieee80211_rx_status. For non VHT
+data-rates the wireless core doesn't care about this field, however for VHT
+data-rates it does.
+
+Every version of wcn36xx has one spatial stream, so specify nss for
+wcn3620, wcn3660 and wcn3680 now.
+
+Signed-off-by: Bryan O'Donoghue
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200829033846.2167619-7-bryan.odonoghue@linaro.org
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/wcn36xx/txrx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c
+index 19f5e306848b..1b831157ede1 100644
+--- a/drivers/net/wireless/ath/wcn36xx/txrx.c
++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c
+@@ -272,6 +272,7 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
+ status.bw = rate->bw;
+ status.rate_idx = rate->mcs_or_legacy_index;
+ sband = wcn->hw->wiphy->bands[status.band];
++ status.nss = 1;
+
+ if (status.band == NL80211_BAND_5GHZ &&
+ status.encoding == RX_ENC_LEGACY &&
+--
+2.40.1
+
diff --git a/patches.suse/wcn36xx-Use-kmemdup-instead-of-duplicating-it-in-wcn.patch b/patches.suse/wcn36xx-Use-kmemdup-instead-of-duplicating-it-in-wcn.patch
new file mode 100644
index 0000000..a37b9e1
--- /dev/null
+++ b/patches.suse/wcn36xx-Use-kmemdup-instead-of-duplicating-it-in-wcn.patch
@@ -0,0 +1,39 @@
+From 3f96556f639e6cc507cc682406e83671f8e7c1ea Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Mon, 6 Aug 2018 12:39:07 +0300
+Subject: [PATCH] wcn36xx: Use kmemdup instead of duplicating it in
+ wcn36xx_smd_process_ptt_msg_rsp
+Git-commit: 3f96556f639e6cc507cc682406e83671f8e7c1ea
+References: git-fixes
+Patch-mainline: v4.20-rc1
+
+Replace calls to kmalloc followed by a memcpy with a direct call to
+kmemdup.
+
+Signed-off-by: YueHaibing
+Signed-off-by: Kalle Valo
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/wcn36xx/smd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
+index 00098f24116d..1d2d698fb779 100644
+--- a/drivers/net/wireless/ath/wcn36xx/smd.c
++++ b/drivers/net/wireless/ath/wcn36xx/smd.c
+@@ -792,10 +792,10 @@ static int wcn36xx_smd_process_ptt_msg_rsp(void *buf, size_t len,
+ rsp->header.len - sizeof(rsp->ptt_msg_resp_status));
+
+ if (rsp->header.len > 0) {
+- *p_ptt_rsp_msg = kmalloc(rsp->header.len, GFP_ATOMIC);
++ *p_ptt_rsp_msg = kmemdup(rsp->ptt_msg, rsp->header.len,
++ GFP_ATOMIC);
+ if (!*p_ptt_rsp_msg)
+ return -ENOMEM;
+- memcpy(*p_ptt_rsp_msg, rsp->ptt_msg, rsp->header.len);
+ }
+ return ret;
+ }
+--
+2.40.1
+
diff --git a/patches.suse/wcn36xx-Use-sequence-number-allocated-by-mac80211.patch b/patches.suse/wcn36xx-Use-sequence-number-allocated-by-mac80211.patch
new file mode 100644
index 0000000..af87726
--- /dev/null
+++ b/patches.suse/wcn36xx-Use-sequence-number-allocated-by-mac80211.patch
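Review bot: The length handed to `kmemdup()` in wcn36xx_smd_process_ptt_msg_rsp() is `rsp->header.len`, a field read from the response buffer itself, and nothing in the visible lines compares it with the `len` argument that says how many bytes `buf` really holds. If the reported header length is larger than the received message, the copy reads past the end of it; the kmalloc/memcpy pair being replaced had the same exposure, so the patch preserves the gap rather than creating it. A guard ahead of the copy, `if (rsp->header.len > len) return -EINVAL;`, would bound it, assuming no earlier check already does so. The function body starts outside the hunk, so that assumption needs confirming against the full source.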
@@ -0,0 +1,38 @@
+From 84aff52e4f57ed4702ec328b839941cd29551d49 Mon Sep 17 00:00:00 2001
+From: Loic Poulain
+Date: Fri, 24 Jul 2020 12:20:52 +0200
+Subject: [PATCH] wcn36xx: Use sequence number allocated by mac80211
+Git-commit: 84aff52e4f57ed4702ec328b839941cd29551d49
+References: git-fixes
+Patch-mainline: v5.10-rc1
+
+Instead of using the firmware generated sequence number, use the one
+already allocated by the mac80211 layer. This allows better control
+of the sequence numbers and avoid to rely on same sequence for Data,
+QOS Data and QOS Null Data packets.
+
+Signed-off-by: Loic Poulain
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1595586052-16081-7-git-send-email-loic.poulain@linaro.org
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/wcn36xx/txrx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c
+index 52aff4c63587..f5872e7dfb51 100644
+--- a/drivers/net/wireless/ath/wcn36xx/txrx.c
++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c
+@@ -207,7 +207,8 @@ static void wcn36xx_set_tx_pdu(struct wcn36xx_tx_bd *bd,
+ bd->pdu.mpdu_header_off;
+ bd->pdu.mpdu_len = len;
+ bd->pdu.tid = tid;
+- bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_DPU_QOS;
++ /* Use seq number generated by mac80211 */
++ bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_HOST;
+ }
+
+ static inline struct wcn36xx_vif *get_vif_by_addr(struct wcn36xx *wcn,
+--
+2.40.1
+
diff --git a/patches.suse/wcn36xx-disable-HW_CONNECTION_MONITOR.patch b/patches.suse/wcn36xx-disable-HW_CONNECTION_MONITOR.patch
new file mode 100644
index 0000000..d3d7d13
--- /dev/null
+++ b/patches.suse/wcn36xx-disable-HW_CONNECTION_MONITOR.patch
@@ -0,0 +1,38 @@
+From f998f9fcf9033b1e7f76bf4c17969b74be664dce Mon Sep 17 00:00:00 2001
+From: Eduardo Abinader
+Date: Tue, 17 Dec 2019 15:12:47 +0100
+Subject: [PATCH] wcn36xx: disable HW_CONNECTION_MONITOR
+Git-commit: f998f9fcf9033b1e7f76bf4c17969b74be664dce
+References: git-fixes
+Patch-mainline: v5.10-rc1
+
+Whenever the signal stregth decays smoothly and physical connnection
+is already gone and no deauth has arrived, the qcom soc is not
+able to indicate neither WCN36XX_HAL_MISSED_BEACON_IND nor
+WCN36XX_HAL_MISSED_BEACON_IND. It was noticed that such situation gets
+even more reproducible, when the driver fails to enter bmps mode - which is
+highly likely to occur. Thus, in order to provide proper disconnection
+of the connected STA, let mac80211 handle it, instead of wcn3xx driver.
+
+Signed-off-by: Eduardo Abinader
+Signed-off-by: Kalle Valo
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index c30fdd0cbf1e..e49c306e0eef 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -1169,7 +1169,6 @@ static int wcn36xx_init_ieee80211(struct wcn36xx *wcn)
+
+ ieee80211_hw_set(wcn->hw, TIMING_BEACON_ONLY);
+ ieee80211_hw_set(wcn->hw, AMPDU_AGGREGATION);
+- ieee80211_hw_set(wcn->hw, CONNECTION_MONITOR);
+ ieee80211_hw_set(wcn->hw, SUPPORTS_PS);
+ ieee80211_hw_set(wcn->hw, SIGNAL_DBM);
+ ieee80211_hw_set(wcn->hw, HAS_RATE_CONTROL);
+--
+2.40.1
+
diff --git a/patches.suse/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch b/patches.suse/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch
new file mode 100644
index 0000000..6ca63f3
--- /dev/null
+++ b/patches.suse/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch
@@ -0,0 +1,191 @@ +From 8f1ba8b0ee2679f0b3d22d2a5c1bc70c436fd872 Mon Sep 17 00:00:00 2001 +From: Benjamin Li +Date: Wed, 27 Oct 2021 10:03:05 -0700 +Subject: [PATCH] wcn36xx: ensure pairing of init_scan/finish_scan and + start_scan/end_scan +Git-commit: 8f1ba8b0ee2679f0b3d22d2a5c1bc70c436fd872 +References: git-fixes +Patch-mainline: v5.17-rc1 + +An SMD capture from the downstream prima driver on WCN3680B shows the +following command sequence for connected scans: + +- init_scan_req + - start_scan_req, channel 1 + - end_scan_req, channel 1 + - start_scan_req, channel 2 + - ... + - end_scan_req, channel 3 +- finish_scan_req +- init_scan_req + - start_scan_req, channel 4 + - ... + - end_scan_req, channel 6 +- finish_scan_req +- ... + - end_scan_req, channel 165 +- finish_scan_req + +Upstream currently never calls wcn36xx_smd_end_scan, and in some cases[1] +still sends finish_scan_req twice in a row or before init_scan_req. A +typical connected scan looks like this: + +- init_scan_req + - start_scan_req, channel 1 +- finish_scan_req +- init_scan_req + - start_scan_req, channel 2 +- ... + - start_scan_req, channel 165 +- finish_scan_req +- finish_scan_req + +This patch cleans up scanning so that init/finish and start/end are always +paired together and correctly nested. + +- init_scan_req + - start_scan_req, channel 1 + - end_scan_req, channel 1 +- finish_scan_req +- init_scan_req + - start_scan_req, channel 2 + - end_scan_req, channel 2 +- ... + - start_scan_req, channel 165 + - end_scan_req, channel 165 +- finish_scan_req + +Note that upstream will not do batching of 3 active-probe scans before +returning to the operating channel, and this patch does not change that. +To match downstream in this aspect, adjust IEEE80211_PROBE_DELAY and/or +the 125ms max off-channel time in ieee80211_scan_state_decision. 
+ +[1]: commit d195d7aac09b ("wcn36xx: Ensure finish scan is not requested +before start scan") addressed one case of finish_scan_req being sent +without a preceding init_scan_req (the case of the operating channel +coinciding with the first scan channel); two other cases are: +1) if SW scan is started and aborted immediately, without scanning any + channels, we send a finish_scan_req without ever sending init_scan_req, + and +2) as SW scan logic always returns us to the operating channel before + calling wcn36xx_sw_scan_complete, finish_scan_req is always sent twice + at the end of a SW scan + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Benjamin Li +Tested-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211027170306.555535-4-benl@squareup.com +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/main.c | 34 +++++++++++++++++++++++------ + drivers/net/wireless/ath/wcn36xx/smd.c | 4 +++ + drivers/net/wireless/ath/wcn36xx/wcn36xx.h | 1 + 3 files changed, 32 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -397,6 +397,7 @@ static void wcn36xx_change_opchannel(str + static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed) + { + struct wcn36xx *wcn = hw->priv; ++ int ret; + + wcn36xx_dbg(WCN36XX_DBG_MAC, "mac config changed 0x%08x\n", changed); + +@@ -412,17 +413,31 @@ static int wcn36xx_config(struct ieee802 + * want to receive/transmit regular data packets, then + * simply stop the scan session and exit PS mode. 
+ */ +- wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, +- wcn->sw_scan_vif); +- wcn->sw_scan_channel = 0; ++ if (wcn->sw_scan_channel) ++ wcn36xx_smd_end_scan(wcn, wcn->sw_scan_channel); ++ if (wcn->sw_scan_init) { ++ wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, ++ wcn->sw_scan_vif); ++ } + } else if (wcn->sw_scan) { + /* A scan is ongoing, do not change the operating + * channel, but start a scan session on the channel. + */ +- wcn36xx_smd_init_scan(wcn, HAL_SYS_MODE_SCAN, +- wcn->sw_scan_vif); ++ if (wcn->sw_scan_channel) ++ wcn36xx_smd_end_scan(wcn, wcn->sw_scan_channel); ++ if (!wcn->sw_scan_init) { ++ /* This can fail if we are unable to notify the ++ * operating channel. ++ */ ++ ret = wcn36xx_smd_init_scan(wcn, ++ HAL_SYS_MODE_SCAN, ++ wcn->sw_scan_vif); ++ if (ret) { ++ mutex_unlock(&wcn->conf_mutex); ++ return -EIO; ++ } ++ } + wcn36xx_smd_start_scan(wcn, ch); +- wcn->sw_scan_channel = ch; + } else { + wcn36xx_change_opchannel(wcn, ch); + } +@@ -717,7 +732,12 @@ static void wcn36xx_sw_scan_complete(str + struct wcn36xx *wcn = hw->priv; + + /* ensure that any scan session is finished */ +- wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, wcn->sw_scan_vif); ++ if (wcn->sw_scan_channel) ++ wcn36xx_smd_end_scan(wcn, wcn->sw_scan_channel); ++ if (wcn->sw_scan_init) { ++ wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, ++ wcn->sw_scan_vif); ++ } + wcn->sw_scan = false; + wcn->sw_scan_opchannel = 0; + } +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -551,6 +551,7 @@ int wcn36xx_smd_init_scan(struct wcn36xx + wcn36xx_err("hal_init_scan response failed err=%d\n", ret); + goto out; + } ++ wcn->sw_scan_init = true; + out: + mutex_unlock(&wcn->hal_mutex); + return ret; +@@ -581,6 +582,7 @@ int wcn36xx_smd_start_scan(struct wcn36x + wcn36xx_err("hal_start_scan response failed err=%d\n", ret); + goto out; + } ++ wcn->sw_scan_channel = scan_channel; + out: + mutex_unlock(&wcn->hal_mutex); + return ret; +@@ -611,6 +613,7 
@@ int wcn36xx_smd_end_scan(struct wcn36xx + wcn36xx_err("hal_end_scan response failed err=%d\n", ret); + goto out; + } ++ wcn->sw_scan_channel = 0; + out: + mutex_unlock(&wcn->hal_mutex); + return ret; +@@ -652,6 +655,7 @@ int wcn36xx_smd_finish_scan(struct wcn36 + wcn36xx_err("hal_finish_scan response failed err=%d\n", ret); + goto out; + } ++ wcn->sw_scan_init = false; + out: + mutex_unlock(&wcn->hal_mutex); + return ret; +--- a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h ++++ b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h +@@ -227,6 +227,7 @@ struct wcn36xx { + struct cfg80211_scan_request *scan_req; + bool sw_scan; + u8 sw_scan_opchannel; ++ bool sw_scan_init; + u8 sw_scan_channel; + struct ieee80211_vif *sw_scan_vif; + struct mutex scan_lock; diff --git a/patches.suse/wcn36xx-fix-spelling-mistake-to-too.patch b/patches.suse/wcn36xx-fix-spelling-mistake-to-too.patch new file mode 100644 index 0000000..2261be1 --- /dev/null +++ b/patches.suse/wcn36xx-fix-spelling-mistake-to-too.patch 
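Review bot: In wcn36xx_config() and wcn36xx_sw_scan_complete() only the result of `wcn36xx_smd_init_scan()` is checked; the return values of `wcn36xx_smd_end_scan()`, `wcn36xx_smd_start_scan()` and `wcn36xx_smd_finish_scan()` are discarded. Because the smd.c hunks update `sw_scan_channel` and `sw_scan_init` only on success, a failed end or finish request leaves the field set while wcn36xx_sw_scan_complete() still clears `sw_scan`, so the next scan would begin from stale state and send an end_scan for a channel that is no longer being scanned. Logging the failure and resetting both fields at the end of wcn36xx_sw_scan_complete(), `wcn->sw_scan_channel = 0; wcn->sw_scan_init = false;`, would keep the pairing this patch is meant to guarantee. The fields are written under `hal_mutex` in smd.c and read in main.c outside it; whether `conf_mutex` covers every reader cannot be seen from these hunks, and the functions involved start and end outside them.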
@@ -0,0 +1,33 @@
+From d7809bd9eae67b4252cbc4672431610227cbb729 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Thu, 23 Jan 2020 00:51:17 +0000
+Subject: [PATCH] wcn36xx: fix spelling mistake "to" -> "too"
+Git-commit: d7809bd9eae67b4252cbc4672431610227cbb729
+References: git-fixes
+Patch-mainline: v5.10-rc1
+
+There is a spelling mistake in a wcn36xx_err message. Fix it.
+
+Signed-off-by: Colin Ian King
+Signed-off-by: Kalle Valo
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/wcn36xx/smd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
+index 523550f94a3f..77269ac7f352 100644
+--- a/drivers/net/wireless/ath/wcn36xx/smd.c
++++ b/drivers/net/wireless/ath/wcn36xx/smd.c
+@@ -1620,7 +1620,7 @@ int wcn36xx_smd_send_beacon(struct wcn36xx *wcn, struct ieee80211_vif *vif,
+ msg_body.beacon_length6 = msg_body.beacon_length + 6;
+
+ if (msg_body.beacon_length > BEACON_TEMPLATE_SIZE) {
+- wcn36xx_err("Beacon is to big: beacon size=%d\n",
++ wcn36xx_err("Beacon is too big: beacon size=%d\n",
+ msg_body.beacon_length);
+ ret = -ENOMEM;
+ goto out;
+--
+2.40.1
+
diff --git a/patches.suse/wcn36xx-fix-typo.patch b/patches.suse/wcn36xx-fix-typo.patch
new file mode 100644
index 0000000..8b29a51
--- /dev/null
+++ b/patches.suse/wcn36xx-fix-typo.patch
@@ -0,0 +1,31 @@
+From 3c33a11a291303db4b96b5e39dfd54831937bfa5 Mon Sep 17 00:00:00 2001
+From: Eduardo Abinader
+Date: Fri, 8 Nov 2019 11:10:46 +0200
+Subject: [PATCH] wcn36xx: fix typo
+Git-commit: 3c33a11a291303db4b96b5e39dfd54831937bfa5
+References: git-fixes
+Patch-mainline: v5.10-rc1
+
+Signed-off-by: Eduardo Abinader
+Signed-off-by: Kalle Valo
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/wcn36xx/hal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/hal.h b/drivers/net/wireless/ath/wcn36xx/hal.h
+index 8abda2760e04..6ba0fd57c951 100644
+--- a/drivers/net/wireless/ath/wcn36xx/hal.h
++++ b/drivers/net/wireless/ath/wcn36xx/hal.h
+@@ -2091,7 +2091,7 @@ struct wcn36xx_hal_set_bss_key_rsp_msg {
+ /*
+ * This is used configure the key information on a given station.
+ * When the sec_type is WEP40 or WEP104, the def_wep_idx is used to locate
+- * a preconfigured key from a BSS the station assoicated with; otherwise
++ * a preconfigured key from a BSS the station associated with; otherwise
+ * a new key descriptor is created based on the key field.
+ */
+ struct wcn36xx_hal_set_sta_key_req_msg {
+--
+2.40.1
+
diff --git a/patches.suse/wcn36xx-remove-unecessary-return.patch b/patches.suse/wcn36xx-remove-unecessary-return.patch
new file mode 100644
index 0000000..49b18eb
--- /dev/null
+++ b/patches.suse/wcn36xx-remove-unecessary-return.patch
@@ -0,0 +1,31 @@
+From 6dea30b4fd548dd68e6a98da01ffeb50e7f99150 Mon Sep 17 00:00:00 2001
+From: Eduardo Abinader
+Date: Wed, 30 Oct 2019 09:41:41 +0100
+Subject: [PATCH] wcn36xx: remove unecessary return
+Git-commit: 6dea30b4fd548dd68e6a98da01ffeb50e7f99150
+References: git-fixes
+Patch-mainline: v5.10-rc1
+
+Signed-off-by: Eduardo Abinader
+Signed-off-by: Kalle Valo
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index 79998a3ddb7a..dcae79c576bf 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -935,8 +935,6 @@ static void wcn36xx_bss_info_changed(struct ieee80211_hw *hw,
+ out:
+
+ mutex_unlock(&wcn->conf_mutex);
+-
+- return;
+ }
+
+ /* this is required when using IEEE80211_HW_HAS_RATE_CONTROL */
+--
+2.40.1
+
diff --git a/patches.suse/wcn36xx-use-dma_zalloc_coherent-instead-of-allocator.patch b/patches.suse/wcn36xx-use-dma_zalloc_coherent-instead-of-allocator.patch
new file mode 100644
index 0000000..1a69079
--- /dev/null
+++ b/patches.suse/wcn36xx-use-dma_zalloc_coherent-instead-of-allocator.patch
@@ -0,0 +1,76 @@ +From d410e28f3ae476e1572b8893c646ef44fae7bbbd Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 6 Aug 2018 12:39:16 +0300 +Subject: [PATCH] wcn36xx: use dma_zalloc_coherent instead of allocator/memset +Git-commit: d410e28f3ae476e1572b8893c646ef44fae7bbbd +References: git-fixes +Patch-mainline: v4.20-rc1 + +Use dma_zalloc_coherent instead of dma_alloc_coherent +followed by memset 0. + +Signed-off-by: YueHaibing +Signed-off-by: Kalle Valo +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/wcn36xx/dxe.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c +index 06cfe8d311f3..5ab3e31c9ffa 100644 +--- a/drivers/net/wireless/ath/wcn36xx/dxe.c ++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c +@@ -174,13 +174,12 @@ static int wcn36xx_dxe_init_descs(struct device *dev, struct wcn36xx_dxe_ch *wcn + int i; + + size = wcn_ch->desc_num * sizeof(struct wcn36xx_dxe_desc); +- wcn_ch->cpu_addr = dma_alloc_coherent(dev, size, &wcn_ch->dma_addr, +- GFP_KERNEL); ++ wcn_ch->cpu_addr = dma_zalloc_coherent(dev, size, ++ &wcn_ch->dma_addr, ++ GFP_KERNEL); + if (!wcn_ch->cpu_addr) + return -ENOMEM; + +- memset(wcn_ch->cpu_addr, 0, size); +- + cur_dxe = (struct wcn36xx_dxe_desc *)wcn_ch->cpu_addr; + cur_ctl = wcn_ch->head_blk_ctl; + +@@ -628,13 +627,13 @@ int wcn36xx_dxe_allocate_mem_pools(struct wcn36xx *wcn) + 16 - (WCN36XX_BD_CHUNK_SIZE % 8); + + s = wcn->mgmt_mem_pool.chunk_size * WCN36XX_DXE_CH_DESC_NUMB_TX_H; +- cpu_addr = dma_alloc_coherent(wcn->dev, s, &wcn->mgmt_mem_pool.phy_addr, +- GFP_KERNEL); ++ cpu_addr = dma_zalloc_coherent(wcn->dev, s, ++ &wcn->mgmt_mem_pool.phy_addr, ++ GFP_KERNEL); + if (!cpu_addr) + goto out_err; + + wcn->mgmt_mem_pool.virt_addr = cpu_addr; +- memset(cpu_addr, 0, s); + + /* Allocate BD headers for DATA frames */ + +@@ -643,13 +642,13 @@ int wcn36xx_dxe_allocate_mem_pools(struct wcn36xx *wcn) + 16 - 
(WCN36XX_BD_CHUNK_SIZE % 8); + + s = wcn->data_mem_pool.chunk_size * WCN36XX_DXE_CH_DESC_NUMB_TX_L; +- cpu_addr = dma_alloc_coherent(wcn->dev, s, &wcn->data_mem_pool.phy_addr, +- GFP_KERNEL); ++ cpu_addr = dma_zalloc_coherent(wcn->dev, s, ++ &wcn->data_mem_pool.phy_addr, ++ GFP_KERNEL); + if (!cpu_addr) + goto out_err; + + wcn->data_mem_pool.virt_addr = cpu_addr; +- memset(cpu_addr, 0, s); + + return 0; + +-- +2.40.1 + diff --git a/patches.suse/workqueue-Fix-hung-time-report-of-worker-pools.patch b/patches.suse/workqueue-Fix-hung-time-report-of-worker-pools.patch new file mode 100644 index 0000000..af14bb1 --- /dev/null +++ b/patches.suse/workqueue-Fix-hung-time-report-of-worker-pools.patch 
@@ -0,0 +1,60 @@ +From 335a42ebb0ca8ee9997a1731aaaae6dcd704c113 Mon Sep 17 00:00:00 2001 +From: Petr Mladek +Date: Tue, 7 Mar 2023 13:53:31 +0100 +Subject: [PATCH] workqueue: Fix hung time report of worker pools +Git-commit: 335a42ebb0ca8ee9997a1731aaaae6dcd704c113 +Patch-mainline: v6.4-rc1 +References: bsc#1211044 + +The workqueue watchdog prints a warning when there is no progress in +a worker pool. Where the progress means that the pool started processing +a pending work item. + +Note that it is perfectly fine to process work items much longer. +The progress should be guaranteed by waking up or creating idle +workers. + +show_one_worker_pool() prints state of non-idle worker pool. It shows +a delay since the last pool->watchdog_ts. + +The timestamp is updated when a first pending work is queued in +__queue_work(). Also it is updated when a work is dequeued for +processing in worker_thread() and rescuer_thread(). + +The delay is misleading when there is no pending work item. In this +case it shows how long the last work item is being proceed. Show +zero instead. There is no stall if there is no pending work. + +Fixes: 82607adcf9cdf40fb7b ("workqueue: implement lockup detector") +Signed-off-by: Petr Mladek +Signed-off-by: Tejun Heo + +--- + kernel/workqueue.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -4879,16 +4879,19 @@ void show_workqueue_state(void) + for_each_pool(pool, pi) { + struct worker *worker; + bool first = true; ++ unsigned long hung = 0; + + spin_lock_irqsave(&pool->lock, flags); + if (pool->nr_workers == pool->nr_idle) + goto next_pool; + ++ /* How long the first pending work is waiting for a worker. 
*/ ++ if (!list_empty(&pool->worklist)) ++ hung = jiffies_to_msecs(jiffies - pool->watchdog_ts) / 1000; ++ + pr_info("pool %d:", pool->id); + pr_cont_pool_info(pool); +- pr_cont(" hung=%us workers=%d", +- jiffies_to_msecs(jiffies - pool->watchdog_ts) / 1000, +- pool->nr_workers); ++ pr_cont(" hung=%lus workers=%d", hung, pool->nr_workers); + if (pool->manager) + pr_cont(" manager: %d", + task_pid_nr(pool->manager->task)); diff --git a/patches.suse/workqueue-Interrupted-create_worker-is-not-a-repeate.patch b/patches.suse/workqueue-Interrupted-create_worker-is-not-a-repeate.patch new file mode 100644 index 0000000..074efe2 --- /dev/null +++ b/patches.suse/workqueue-Interrupted-create_worker-is-not-a-repeate.patch 
@@ -0,0 +1,48 @@
+From 60f540389a5d2df25ddc7ad511b4fa2880dea521 Mon Sep 17 00:00:00 2001
+From: Petr Mladek
+Date: Tue, 7 Mar 2023 13:53:33 +0100
+Subject: [PATCH] workqueue: Interrupted create_worker() is not a repeated
+ event
+Git-commit: 60f540389a5d2df25ddc7ad511b4fa2880dea521
+Patch-mainline: v6.4-rc1
+References: bsc#1211044
+
+kthread_create_on_node() might get interrupted(). It is rare but realistic.
+For example, when an unbound workqueue is allocated in module_init()
+callback. It is done in the context of the "modprobe" process. And,
+for example, systemd might kill pending processes when switching root
+from initrd to the booted system.
+
+The interrupt is a one-off event and the race might be hard to reproduce.
+It is always worth printing.
+
+Signed-off-by: Petr Mladek
+Signed-off-by: Tejun Heo
+
+---
+ kernel/workqueue.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 9760f0fca82d..5f0ecaaaf997 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -1959,8 +1959,13 @@ static struct worker *create_worker(struct worker_pool *pool)
+ worker->task = kthread_create_on_node(worker_thread, worker, pool->node,
+ "kworker/%s", id_buf);
+ if (IS_ERR(worker->task)) {
+- pr_err_once("workqueue: Failed to create a worker thread: %ld",
+- PTR_ERR(worker->task));
++ if (PTR_ERR(worker->task) == -EINTR) {
++ pr_err("workqueue: Interrupted when creating a worker thread \"kworker/%s\"\n",
++ id_buf);
++ } else {
++ pr_err_once("workqueue: Failed to create a worker thread: %ld",
++ PTR_ERR(worker->task));
++ }
+ goto fail;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/workqueue-Print-backtraces-from-CPUs-with-hung-CPU-b.patch b/patches.suse/workqueue-Print-backtraces-from-CPUs-with-hung-CPU-b.patch
new file mode 100644
index 0000000..7d72e05
--- /dev/null
+++ b/patches.suse/workqueue-Print-backtraces-from-CPUs-with-hung-CPU-b.patch
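Review bot: The `pr_err_once("workqueue: Failed to create a worker thread: %ld", ...)` kept in the new else branch of create_worker() has no trailing `\n`, unlike the "Interrupted when creating a worker thread" message added just above it. Without the newline the record is left open until the next printk arrives, so this diagnostic can show up late or run together with unrelated output at exactly the moment someone is debugging a stalled pool. The format should end in a newline: `pr_err_once("workqueue: Failed to create a worker thread: %ld\n",`. The same applies where the message is first introduced in workqueue-Warn-when-a-new-worker-could-not-be-create.patch, and to the "Failed to create a rescuer kthread" `pr_err()` in workqueue-Warn-when-a-rescuer-could-not-be-created.patch. create_worker() starts and ends outside the hunk.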
@@ -0,0 +1,165 @@ +From cd2440d66fec7d1bdb4f605b64c27c63c9141989 Mon Sep 17 00:00:00 2001 +From: Petr Mladek +Date: Tue, 7 Mar 2023 13:53:35 +0100 +Subject: [PATCH] workqueue: Print backtraces from CPUs with hung CPU bound + workqueues +Git-commit: cd2440d66fec7d1bdb4f605b64c27c63c9141989 +Patch-mainline: v6.4-rc1 +References: bsc#1211044 + +The workqueue watchdog reports a lockup when there was not any progress +in the worker pool for a long time. The progress means that a pending +work item starts being proceed. + +Worker pools for unbound workqueues always wake up an idle worker and +try to process the work immediately. The last idle worker has to create +new worker first. The stall might happen only when a new worker could +not be created in which case an error should get printed. Another problem +might be too high load. In this case, workers are victims of a global +system problem. + +Worker pools for CPU bound workqueues are designed for lightweight +work items that do not need much CPU time. They are proceed one by +one on a single worker. New worker is used only when a work is sleeping. +It creates one additional scenario. The stall might happen when +the CPU-bound workqueue is used for CPU-intensive work. + +More precisely, the stall is detected when a CPU-bound worker is in +the TASK_RUNNING state for too long. In this case, it might be useful +to see the backtrace from the problematic worker. + +The information how long a worker is in the running state is not available. +But the CPU-bound worker pools do not have many workers in the running +state by definition. And only few pools are typically blocked. + +It should be acceptable to print backtraces from all workers in +TASK_RUNNING state in the stalled worker pools. The number of false +positives should be very low. 
+ +Signed-off-by: Petr Mladek +Signed-off-by: Tejun Heo + +--- + kernel/workqueue.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 57 insertions(+) + +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -48,6 +48,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -140,6 +141,8 @@ enum { + * WR: wq->mutex protected for writes. Sched-RCU protected for reads. + * + * MD: wq_mayday_lock protected. ++ * ++ * WD: Used internally by the watchdog. + */ + + /* struct worker is defined in workqueue_internal.h */ +@@ -152,6 +155,7 @@ struct worker_pool { + unsigned int flags; /* X: flags */ + + unsigned long watchdog_ts; /* L: watchdog timestamp */ ++ bool cpu_stall; /* WD: stalled cpu bound pool */ + + struct list_head worklist; /* L: list of pending works */ + int nr_workers; /* L: total number of workers */ +@@ -5493,6 +5497,48 @@ static struct timer_list wq_watchdog_tim + static unsigned long wq_watchdog_touched = INITIAL_JIFFIES; + static DEFINE_PER_CPU(unsigned long, wq_watchdog_touched_cpu) = INITIAL_JIFFIES; + ++/* ++ * Show workers that might prevent the processing of pending work items. ++ * The only candidates are CPU-bound workers in the running state. ++ * Pending work items should be handled by another idle worker ++ * in all other situations. 
++ */ ++static void show_cpu_pool_hog(struct worker_pool *pool) ++{ ++ struct worker *worker; ++ unsigned long flags; ++ int bkt; ++ ++ spin_lock_irqsave(&pool->lock, flags); ++ ++ hash_for_each(pool->busy_hash, bkt, worker, hentry) { ++ if (worker->task->state == TASK_RUNNING) { ++ pr_info("pool %d:\n", pool->id); ++ sched_show_task(worker->task); ++ } ++ } ++ ++ spin_unlock_irqrestore(&pool->lock, flags); ++} ++ ++static void show_cpu_pools_hogs(void) ++{ ++ struct worker_pool *pool; ++ int pi; ++ ++ pr_info("Showing backtraces of running workers in stalled CPU-bound worker pools:\n"); ++ ++ rcu_read_lock(); ++ ++ for_each_pool(pool, pi) { ++ if (pool->cpu_stall) ++ show_cpu_pool_hog(pool); ++ ++ } ++ ++ rcu_read_unlock(); ++} ++ + static void wq_watchdog_reset_touched(void) + { + int cpu; +@@ -5506,6 +5552,7 @@ static void wq_watchdog_timer_fn(unsigne + { + unsigned long thresh = READ_ONCE(wq_watchdog_thresh) * HZ; + bool lockup_detected = false; ++ bool cpu_pool_stall = false; + unsigned long now = jiffies; + struct worker_pool *pool; + int pi; +@@ -5518,6 +5565,7 @@ static void wq_watchdog_timer_fn(unsigne + for_each_pool(pool, pi) { + unsigned long pool_ts, touched, ts; + ++ pool->cpu_stall = false; + if (list_empty(&pool->worklist)) + continue; + +@@ -5547,11 +5595,17 @@ static void wq_watchdog_timer_fn(unsigne + /* did we stall? */ + if (time_after(now, ts + thresh)) { + lockup_detected = true; ++ if (pool->cpu >= 0) { ++ pool->cpu_stall = true; ++ cpu_pool_stall = true; ++ } + pr_emerg("BUG: workqueue lockup - pool"); + pr_cont_pool_info(pool); + pr_cont(" stuck for %us!\n", + jiffies_to_msecs(now - pool_ts) / 1000); + } ++ ++ + } + + rcu_read_unlock(); +@@ -5559,6 +5613,9 @@ static void wq_watchdog_timer_fn(unsigne + if (lockup_detected) + show_workqueue_state(); + ++ if (cpu_pool_stall) ++ show_cpu_pools_hogs(); ++ + wq_watchdog_reset_touched(); + mod_timer(&wq_watchdog_timer, jiffies + thresh); + } 
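Review bot: show_cpu_pool_hog() calls `pr_info()` and `sched_show_task()` for every running worker while holding `pool->lock` with interrupts disabled, so a potentially long backtrace dump runs inside an irq-off critical section. If any console path reached from printk queues work on the same pool, it would contend for the lock already held here; that part is an inference, since the hunk does not show the console side. A comment above the `spin_lock_irqsave()` stating why printing under the lock is acceptable in this tree would make the constraint explicit, for example `/* pool->lock keeps busy_hash stable; output happens under the lock */`. Separately, the hunk adds two empty lines before the closing brace of the `for_each_pool` loop in wq_watchdog_timer_fn() and one after `show_cpu_pool_hog(pool);`, which can be dropped.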
diff --git a/patches.suse/workqueue-Warn-when-a-new-worker-could-not-be-create.patch b/patches.suse/workqueue-Warn-when-a-new-worker-could-not-be-create.patch
new file mode 100644
index 0000000..548c900
--- /dev/null
+++ b/patches.suse/workqueue-Warn-when-a-new-worker-could-not-be-create.patch
@@ -0,0 +1,98 @@
+From 3f0ea0b864562c6bd1cee892026067eaea7be242 Mon Sep 17 00:00:00 2001
+From: Petr Mladek
+Date: Tue, 7 Mar 2023 13:53:32 +0100
+Subject: [PATCH] workqueue: Warn when a new worker could not be created
+Git-commit: 3f0ea0b864562c6bd1cee892026067eaea7be242
+Patch-mainline: v6.4-rc1
+References: bsc#1211044
+
+The workqueue watchdog reports a lockup when there was not any progress
+in the worker pool for a long time. The progress means that a pending
+work item starts being proceed.
+
+The progress is guaranteed by using idle workers or creating new workers
+for pending work items.
+
+There are several reasons why a new worker could not be created:
+
+ + there is not enough memory
+
+ + there is no free pool ID (IDR API)
+
+ + the system reached PID limit
+
+ + the process creating the new worker was interrupted
+
+ + the last idle worker (manager) has not been scheduled for a long
+ time. It was not able to even start creating the kthread.
+
+None of these failures is reported at the moment. The only clue is that
+show_one_worker_pool() prints that there is a manager. It is the last
+idle worker that is responsible for creating a new one. But it is not
+clear if create_worker() is failing and why.
+
+Make the debugging easier by printing errors in create_worker().
+
+The error code is important, especially from kthread_create_on_node().
+It helps to distinguish the various reasons. For example, reaching
+memory limit (-ENOMEM), other system limits (-EAGAIN), or process
+interrupted (-EINTR).
+
+Use pr_once() to avoid repeating the same error every CREATE_COOLDOWN
+for each stuck worker pool.
+
+Ratelimited printk() might be better. It would help to know if the problem
+remains. It would be more clear if the create_worker() errors and workqueue
+stalls are related. Also old messages might get lost when the internal log
+buffer is full. The problem is that printk() might touch the watchdog.
+For example, see touch_nmi_watchdog() in serial8250_console_write().
+It would require synchronization of the begin and length of the ratelimit
+interval with the workqueue watchdog. Otherwise, the error messages
+might break the watchdog. This does not look worth the complexity.
+
+Signed-off-by: Petr Mladek
+Signed-off-by: Tejun Heo
+
+---
+ kernel/workqueue.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 8c0ec21a86a2..9760f0fca82d 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -1936,12 +1936,16 @@ static struct worker *create_worker(struct worker_pool *pool)
+
+ /* ID is needed to determine kthread name */
+ id = ida_simple_get(&pool->worker_ida, 0, 0, GFP_KERNEL);
+- if (id < 0)
++ if (id < 0) {
++ pr_err_once("workqueue: Failed to allocate a worker ID: %d\n", id);
+ goto fail;
++ }
+
+ worker = alloc_worker(pool->node);
+- if (!worker)
++ if (!worker) {
++ pr_err_once("workqueue: Failed to allocate a worker\n");
+ goto fail;
++ }
+
+ worker->pool = pool;
+ worker->id = id;
+@@ -1953,8 +1958,11 @@ static struct worker *create_worker(struct worker_pool *pool)
+
+ worker->task = kthread_create_on_node(worker_thread, worker, pool->node,
+ "kworker/%s", id_buf);
+- if (IS_ERR(worker->task))
++ if (IS_ERR(worker->task)) {
++ pr_err_once("workqueue: Failed to create a worker thread: %ld",
++ PTR_ERR(worker->task));
+ goto fail;
++ }
+
+ set_user_nice(worker->task, pool->attrs->nice);
+ kthread_bind_mask(worker->task, pool->attrs->cpumask);
+--
+2.35.3
+
diff --git a/patches.suse/workqueue-Warn-when-a-rescuer-could-not-be-created.patch b/patches.suse/workqueue-Warn-when-a-rescuer-could-not-be-created.patch
new file mode 100644
index 0000000..86e7e53
--- /dev/null
+++ b/patches.suse/workqueue-Warn-when-a-rescuer-could-not-be-created.patch
@@ -0,0 +1,48 @@
+From 4c0736a76a186e5df2cd2afda3e7a04d2a427d1b Mon Sep 17 00:00:00 2001
+From: Petr Mladek
+Date: Tue, 7 Mar 2023 13:53:34 +0100
+Subject: [PATCH] workqueue: Warn when a rescuer could not be created
+Git-commit: 4c0736a76a186e5df2cd2afda3e7a04d2a427d1b
+Patch-mainline: v6.4-rc1
+References: bsc#1211044
+
+Rescuers are created when a workqueue with WQ_MEM_RECLAIM is allocated.
+It typically happens during the system boot.
+
+systemd switches the root filesystem from initrd to the booted system
+during boot. It kills processes that block the switch for too long.
+One of the process might be modprobe that tries to create a workqueue.
+
+These problems are hard to reproduce. Also alloc_workqueue() does not
+pass the error code. Make the debugging easier by printing an error,
+similar to create_worker().
+
+Signed-off-by: Petr Mladek
+Signed-off-by: Tejun Heo
+
+---
+ kernel/workqueue.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -4074,13 +4074,18 @@ struct workqueue_struct *__alloc_workque
+ struct worker *rescuer;
+ 
+ rescuer = alloc_worker(NUMA_NO_NODE);
+- if (!rescuer)
++ if (!rescuer) {
++ pr_err("workqueue: Failed to allocate a rescuer for wq \"%s\"\n",
++ wq->name);
+ goto err_destroy;
++ }
+ 
+ rescuer->rescue_wq = wq;
+ rescuer->task = kthread_create(rescuer_thread, rescuer, "%s",
+ wq->name);
+ if (IS_ERR(rescuer->task)) {
++ pr_err("workqueue: Failed to create a rescuer kthread for wq \"%s\": %ld",
++ wq->name, PTR_ERR(rescuer->task));
+ kfree(rescuer);
+ goto err_destroy;
+ }
diff --git a/patches.suse/x86-kvm-Don-t-call-kvm_spurious_fault-from-.fixup.patch b/patches.suse/x86-kvm-Don-t-call-kvm_spurious_fault-from-.fixup.patch
new file mode 100644
index 0000000..7f9b4a4
--- /dev/null
+++ b/patches.suse/x86-kvm-Don-t-call-kvm_spurious_fault-from-.fixup.patch
@@ -0,0 +1,122 @@
+Patch-mainline: v5.3-rc1
+Git-commit: 3901336ed9887b075531bffaeef7742ba614058b
+References: git-fixes
+From: Josh Poimboeuf
+Date: Wed, 17 Jul 2019 20:36:39 -0500
+Subject: [PATCH] x86/kvm: Don't call kvm_spurious_fault() from .fixup
+
+After making a change to improve objtool's sibling call detection, it
+started showing the following warning:
+
+ arch/x86/kvm/vmx/nested.o: warning: objtool: .fixup+0x15: sibling call from callable instruction with modified stack frame
+
+The problem is the ____kvm_handle_fault_on_reboot() macro. It does a
+fake call by pushing a fake RIP and doing a jump. That tricks the
+unwinder into printing the function which triggered the exception,
+rather than the .fixup code.
+
+Instead of the hack to make it look like the original function made the
+call, just change the macro so that the original function actually does
+make the call. This allows removal of the hack, and also makes objtool
+happy.
+
+I triggered a vmx instruction exception and verified that the stack
+trace is still sane:
+
+ kernel BUG at arch/x86/kvm/x86.c:358!
+ invalid opcode: 0000 [#1] SMP PTI
+ CPU: 28 PID: 4096 Comm: qemu-kvm Not tainted 5.2.0+ #16
+ Hardware name: Lenovo THINKSYSTEM SD530 -[7X2106Z000]-/-[7X2106Z000]-, BIOS -[TEE113Z-1.00]- 07/17/2017
+ RIP: 0010:kvm_spurious_fault+0x5/0x10
+ Code: 00 00 00 00 00 8b 44 24 10 89 d2 45 89 c9 48 89 44 24 10 8b 44 24 08 48 89 44 24 08 e9 d4 40 22 00 0f 1f 40 00 0f 1f 44 00 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41
+ RSP: 0018:ffffbf91c683bd00 EFLAGS: 00010246
+ RAX: 000061f040000000 RBX: ffff9e159c77bba0 RCX: ffff9e15a5c87000
+ RDX: 0000000665c87000 RSI: ffff9e15a5c87000 RDI: ffff9e159c77bba0
+ RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9e15a5c87000
+ R10: 0000000000000000 R11: fffff8f2d99721c0 R12: ffff9e159c77bba0
+ R13: ffffbf91c671d960 R14: ffff9e159c778000 R15: 0000000000000000
+ FS: 00007fa341cbe700(0000) GS:ffff9e15b7400000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fdd38356804 CR3: 00000006759de003 CR4: 00000000007606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ loaded_vmcs_init+0x4f/0xe0
+ alloc_loaded_vmcs+0x38/0xd0
+ vmx_create_vcpu+0xf7/0x600
+ kvm_vm_ioctl+0x5e9/0x980
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? free_one_page+0x13f/0x4e0
+ do_vfs_ioctl+0xa4/0x630
+ ksys_ioctl+0x60/0x90
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x55/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7fa349b1ee5b
+
+Signed-off-by: Josh Poimboeuf
+Signed-off-by: Thomas Gleixner
+Acked-by: Paolo Bonzini
+Acked-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/64a9b64d127e87b6920a97afde8e96ea76f6524e.1563413318.git.jpoimboe@redhat.com
+Signed-off-by: Juergen Gross
+---
+ arch/x86/include/asm/kvm_host.h | 34 ++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 0cc5b611a113..8282b8d41209 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1496,25 +1496,29 @@ enum {
+ #define kvm_arch_vcpu_memslots_id(vcpu) ((vcpu)->arch.hflags & HF_SMM_MASK ? 1 : 0)
+ #define kvm_memslots_for_spte_role(kvm, role) __kvm_memslots(kvm, (role).smm)
+ 
++asmlinkage void __noreturn kvm_spurious_fault(void);
++
+ /*
+ * Hardware virtualization extension instructions may fault if a
+ * reboot turns off virtualization while processes are running.
+- * Trap the fault and ignore the instruction if that happens.
++ * Usually after catching the fault we just panic; during reboot
++ * instead the instruction is ignored.
+ */
+-asmlinkage void kvm_spurious_fault(void);
+-
+-#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
+- "666: " insn "\n\t" \
+- "668: \n\t" \
+- ".pushsection .fixup, \"ax\" \n" \
+- "667: \n\t" \
+- cleanup_insn "\n\t" \
+- "cmpb $0, kvm_rebooting \n\t" \
+- "jne 668b \n\t" \
+- __ASM_SIZE(push) " $666b \n\t" \
+- "jmp kvm_spurious_fault \n\t" \
+- ".popsection \n\t" \
+- _ASM_EXTABLE(666b, 667b)
++#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
++ "666: \n\t" \
++ insn "\n\t" \
++ "jmp 668f \n\t" \
++ "667: \n\t" \
++ "call kvm_spurious_fault \n\t" \
++ "668: \n\t" \
++ ".pushsection .fixup, \"ax\" \n\t" \
++ "700: \n\t" \
++ cleanup_insn "\n\t" \
++ "cmpb $0, kvm_rebooting\n\t" \
++ "je 667b \n\t" \
++ "jmp 668b \n\t" \
++ ".popsection \n\t" \
++ _ASM_EXTABLE(666b, 700b)
+ 
+ #define __kvm_handle_fault_on_reboot(insn) \
+ ____kvm_handle_fault_on_reboot(insn, "")
+-- 
+2.35.3
+
diff --git a/patches.suse/x86-kvm-avoid-constant-conversion-warning.patch b/patches.suse/x86-kvm-avoid-constant-conversion-warning.patch
new file mode 100644
index 0000000..32cce23
--- /dev/null
+++ b/patches.suse/x86-kvm-avoid-constant-conversion-warning.patch
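Review bot: The rewritten `____kvm_handle_fault_on_reboot()` has no comment saying what its four numeric labels stand for, although control now passes between the inline code and `.fixup` in both directions. I would extend the comment block above the macro with `666: the wrapped insn; 667: fault while not rebooting, call kvm_spurious_fault(); 668: continue` and `700: fixup entry: run cleanup_insn, then go to 667 or 668 depending on kvm_rebooting`. It is also worth recording there that 667 falls through into 668 and that this is only harmless because kvm_spurious_fault() is declared `__noreturn` in the line added above.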
@@ -0,0 +1,53 @@
+Patch-mainline: v5.3-rc1
+Git-commit: a6a6d3b1f867d34ba5bd61aa7bb056b48ca67cff
+References: git-fixes
+From: Arnd Bergmann
+Date: Fri, 12 Jul 2019 11:12:30 +0200
+Subject: [PATCH] x86: kvm: avoid constant-conversion warning
+
+clang finds a contruct suspicious that converts an unsigned
+character to a signed integer and back, causing an overflow:
+
+arch/x86/kvm/mmu.c:4605:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -205 to 51 [-Werror,-Wconstant-conversion]
+ u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0;
+ ~~ ^~
+arch/x86/kvm/mmu.c:4607:38: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -241 to 15 [-Werror,-Wconstant-conversion]
+ u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0;
+ ~~ ^~
+arch/x86/kvm/mmu.c:4609:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -171 to 85 [-Werror,-Wconstant-conversion]
+ u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0;
+ ~~ ^~
+
+Add an explicit cast to tell clang that everything works as
+intended here.
+
+Signed-off-by: Arnd Bergmann
+Link: https://github.com/ClangBuiltLinux/linux/issues/95
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/mmu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
+index 9a5814d8d194..8f72526e2f68 100644
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4597,11 +4597,11 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
+ */
+ 
+ /* Faults from writes to non-writable pages */
+- u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0;
++ u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0;
+ /* Faults from user mode accesses to supervisor pages */
+- u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0;
++ u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0;
+ /* Faults from fetches of non-executable pages*/
+- u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0;
++ u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0;
+ /* Faults from kernel mode fetches of user pages */
+ u8 smepf = 0;
+ /* Faults from kernel mode accesses of user pages */
+-- 
+2.35.3
+
diff --git a/patches.suse/x86-kvm-vmx-fix-old-style-function-declaration.patch b/patches.suse/x86-kvm-vmx-fix-old-style-function-declaration.patch
new file mode 100644
index 0000000..b58310a
--- /dev/null
+++ b/patches.suse/x86-kvm-vmx-fix-old-style-function-declaration.patch
@@ -0,0 +1,68 @@
+Patch-mainline: v4.20-rc5
+Git-commit: 1e4329ee2c52692ea42cc677fb2133519718b34a
+References: git-fixes
+From: Yi Wang
+Date: Thu, 8 Nov 2018 11:22:21 +0800
+Subject: [PATCH] x86/kvm/vmx: fix old-style function declaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The inline keyword which is not at the beginning of the function
+declaration may trigger the following build warnings, so let's fix it:
+
+arch/x86/kvm/vmx.c:1309:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:5947:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:5985:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:6023:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+
+Signed-off-by: Yi Wang
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/vmx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index d09d67310012..5f43fcfc225b 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1308,7 +1308,7 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked);
+ static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12,
+ u16 error_code);
+ static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu);
+-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type);
+ 
+ static DEFINE_PER_CPU(struct vmcs *, vmxarea);
+@@ -5956,7 +5956,7 @@ static void free_vpid(int vpid)
+ spin_unlock(&vmx_vpid_lock);
+ }
+ 
+-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type)
+ {
+ int f = sizeof(unsigned long);
+@@ -5994,7 +5994,7 @@ static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bit
+ }
+ }
+ 
+-static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type)
+ {
+ int f = sizeof(unsigned long);
+@@ -6032,7 +6032,7 @@ static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitm
+ }
+ }
+ 
+-static void __always_inline vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type, bool value)
+ {
+ if (value)
+-- 
+2.35.3
+
diff --git a/patches.suse/xen-netback-don-t-do-grant-copy-across-page-boundary.patch b/patches.suse/xen-netback-don-t-do-grant-copy-across-page-boundary.patch
new file mode 100644
index 0000000..d1a29aa
--- /dev/null
+++ b/patches.suse/xen-netback-don-t-do-grant-copy-across-page-boundary.patch
@@ -0,0 +1,122 @@
+Patch-mainline: v6.3-rc5
+Git-commit: 05310f31ca74673a96567fb14637b7d5d6c82ea5
+References: git-fixes
+From: Juergen Gross
+Date: Mon, 27 Mar 2023 10:36:45 +0200
+Subject: [PATCH] xen/netback: don't do grant copy across page boundary
+
+Fix xenvif_get_requests() not to do grant copy operations across local
+page boundaries. This requires to double the maximum number of copy
+operations per queue, as each copy could now be split into 2.
+
+Make sure that struct xenvif_tx_cb doesn't grow too large.
+
+Cc: stable@vger.kernel.org
+Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
+Signed-off-by: Juergen Gross
+Reviewed-by: Paul Durrant
+Signed-off-by: Paolo Abeni
+---
+ drivers/net/xen-netback/common.h | 2 +-
+ drivers/net/xen-netback/netback.c | 25 +++++++++++++++++++++++--
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h
+index 3dbfc8a6924e..1fcbd83f7ff2 100644
+--- a/drivers/net/xen-netback/common.h
++++ b/drivers/net/xen-netback/common.h
+@@ -166,7 +166,7 @@ struct xenvif_queue { /* Per-queue data for xenvif */
+ struct pending_tx_info pending_tx_info[MAX_PENDING_REQS];
+ grant_handle_t grant_tx_handle[MAX_PENDING_REQS];
+ 
+- struct gnttab_copy tx_copy_ops[MAX_PENDING_REQS];
++ struct gnttab_copy tx_copy_ops[2 * MAX_PENDING_REQS];
+ struct gnttab_map_grant_ref tx_map_ops[MAX_PENDING_REQS];
+ struct gnttab_unmap_grant_ref tx_unmap_ops[MAX_PENDING_REQS];
+ /* passed to gnttab_[un]map_refs with pages under (un)mapping */
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 1b42676ca141..111c179f161b 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -334,6 +334,7 @@ static int xenvif_count_requests(struct xenvif_queue *queue,
+ struct xenvif_tx_cb {
+ u16 copy_pending_idx[XEN_NETBK_LEGACY_SLOTS_MAX + 1];
+ u8 copy_count;
++ u32 split_mask;
+ };
+ 
+ #define XENVIF_TX_CB(skb) ((struct xenvif_tx_cb *)(skb)->cb)
+@@ -361,6 +362,8 @@ static inline struct sk_buff *xenvif_alloc_skb(unsigned int size)
+ struct sk_buff *skb =
+ alloc_skb(size + NET_SKB_PAD + NET_IP_ALIGN,
+ GFP_ATOMIC | __GFP_NOWARN);
++
++ BUILD_BUG_ON(sizeof(*XENVIF_TX_CB(skb)) > sizeof(skb->cb));
+ if (unlikely(skb == NULL))
+ return NULL;
+ 
+@@ -396,11 +399,13 @@ static void xenvif_get_requests(struct xenvif_queue *queue,
+ nr_slots = shinfo->nr_frags + 1;
+ 
+ copy_count(skb) = 0;
++ XENVIF_TX_CB(skb)->split_mask = 0;
+ 
+ /* Create copy ops for exactly data_len bytes into the skb head. */
+ __skb_put(skb, data_len);
+ while (data_len > 0) {
+ int amount = data_len > txp->size ? txp->size : data_len;
++ bool split = false;
+ 
+ cop->source.u.ref = txp->gref;
+ cop->source.domid = queue->vif->domid;
+@@ -413,6 +418,13 @@ static void xenvif_get_requests(struct xenvif_queue *queue,
+ cop->dest.u.gmfn = virt_to_gfn(skb->data + skb_headlen(skb)
+ - data_len);
+ 
++ /* Don't cross local page boundary! */
++ if (cop->dest.offset + amount > XEN_PAGE_SIZE) {
++ amount = XEN_PAGE_SIZE - cop->dest.offset;
++ XENVIF_TX_CB(skb)->split_mask |= 1U << copy_count(skb);
++ split = true;
++ }
++
+ cop->len = amount;
+ cop->flags = GNTCOPY_source_gref;
+ 
+@@ -420,7 +432,8 @@ static void xenvif_get_requests(struct xenvif_queue *queue,
+ pending_idx = queue->pending_ring[index];
+ callback_param(queue, pending_idx).ctx = NULL;
+ copy_pending_idx(skb, copy_count(skb)) = pending_idx;
+- copy_count(skb)++;
++ if (!split)
++ copy_count(skb)++;
+ 
+ cop++;
+ data_len -= amount;
+@@ -441,7 +454,8 @@ static void xenvif_get_requests(struct xenvif_queue *queue,
+ nr_slots--;
+ } else {
+ /* The copy op partially covered the tx_request.
+- * The remainder will be mapped.
++ * The remainder will be mapped or copied in the next
++ * iteration.
+ */
+ txp->offset += amount;
+ txp->size -= amount;
+@@ -539,6 +553,13 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue,
+ pending_idx = copy_pending_idx(skb, i);
+ 
+ newerr = (*gopp_copy)->status;
++
++ /* Split copies need to be handled together. */
++ if (XENVIF_TX_CB(skb)->split_mask & (1U << i)) {
++ (*gopp_copy)++;
++ if (!newerr)
++ newerr = (*gopp_copy)->status;
++ }
+ if (likely(!newerr)) {
+ /* The first frag might still have this slot mapped */
+ if (i < copy_count(skb) - 1 || !sharedslot)
+-- 
+2.35.3
+
diff --git a/patches.suse/xen-netback-use-same-error-messages-for-same-errors.patch b/patches.suse/xen-netback-use-same-error-messages-for-same-errors.patch
new file mode 100644
index 0000000..f057fa2
--- /dev/null
+++ b/patches.suse/xen-netback-use-same-error-messages-for-same-errors.patch
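Review bot: `split_mask` is a `u32` indexed by `copy_count(skb)` in `1U << copy_count(skb)` and by `i` in `1U << i`, but nothing ties its width to the `XEN_NETBK_LEGACY_SLOTS_MAX + 1` entries of `copy_pending_idx[]`; a shift by 32 or more would be undefined. The patch already adds a `BUILD_BUG_ON` for the control-block size in xenvif_alloc_skb(), so the mask width could be asserted next to it: `BUILD_BUG_ON(ARRAY_SIZE(XENVIF_TX_CB(skb)->copy_pending_idx) > BITS_PER_BYTE * sizeof(XENVIF_TX_CB(skb)->split_mask));`. The value of XEN_NETBK_LEGACY_SLOTS_MAX is not visible in these hunks, so this is a guard against a later change of the constant rather than a claim that the shift overflows today. xenvif_get_requests() and xenvif_tx_check_gop() both continue outside the hunks.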
@@ -0,0 +1,39 @@
+Patch-mainline: v6.3-rc5
+Git-commit: 2eca98e5b24d01c02b46c67be05a5f98cc9789b1
+References: git-fixes
+From: Juergen Gross
+Date: Wed, 29 Mar 2023 10:02:59 +0200
+Subject: [PATCH] xen/netback: use same error messages for same errors
+
+Issue the same error message in case an illegal page boundary crossing
+has been detected in both cases where this is tested.
+
+Suggested-by: Jan Beulich
+Signed-off-by: Juergen Gross
+Reviewed-by: Jan Beulich
+Link: https://lore.kernel.org/r/20230329080259.14823-1-jgross@suse.com
+Signed-off-by: Paolo Abeni
+---
+ drivers/net/xen-netback/netback.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 4943be4fd99d..c1501f41e2d8 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -994,10 +994,8 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue,
+ 
+ /* No crossing a page as the payload mustn't fragment. */
+ if (unlikely((txreq.offset + txreq.size) > XEN_PAGE_SIZE)) {
+- netdev_err(queue->vif->dev,
+- "txreq.offset: %u, size: %u, end: %lu\n",
+- txreq.offset, txreq.size,
+- (unsigned long)(txreq.offset&~XEN_PAGE_MASK) + txreq.size);
++ netdev_err(queue->vif->dev, "Cross page boundary, txreq.offset: %u, size: %u\n",
++ txreq.offset, txreq.size);
+ xenvif_fatal_tx_err(queue->vif);
+ break;
+ }
+-- 
+2.35.3
+
diff --git a/series.conf b/series.conf
index 21081a7..06ab0b8 100644
--- a/series.conf
+++ b/series.conf
@@ -3540,6 +3540,7 @@
 patches.suse/platform-x86-ideapad-laptop-Add-Y520-15IKBN-to-no_hw
 patches.suse/platform-x86-ideapad-laptop-Add-Y720-15IKBN-to-no_hw
 patches.suse/platform-x86-dell-laptop-Fix-bogus-keyboard-backligh.patch
+ patches.suse/platform-x86-alienware-wmi-Adjust-instance-of-wmi_ev.patch
 patches.suse/platform-x86-dell-wmi-led-Adjust-instance-of-wmi_eva.patch
 patches.suse/KVM-Tidy-the-whitespace-in-nested_svm_check_permissi.patch
 patches.suse/KVM-white-space-cleanup-in-nested_vmx_setup_ctls_msr.patch
@@ -3848,6 +3849,9 @@
 patches.suse/powerpc-fadump-avoid-holes-in-boot-memory-area-when-fadump-is-registered.patch
 patches.suse/powerpc-fadump-provide-a-helpful-error-message.patch
 patches.suse/powerpc-fadump-add-reschedule-point-while-releasing-memory.patch
+ patches.suse/cpuidle-powerpc-cpuidle-set-polling-before-enabling-.patch
+ patches.suse/cpuidle-powerpc-read-mostly-for-common-globals.patch
+ patches.suse/cpuidle-powerpc-no-memory-barrier-after-break-from-i.patch
 patches.suse/powerpc-powernv-idle-Clear-r12-on-wakeup-from-stop-lite.patch
 patches.suse/0001-spin-loop-primitives-for-busy-waiting.patch
 patches.suse/0001-powerpc-use-spin-loop-primitives-in-some-functions.patch
@@ -5503,6 +5507,7 @@
 patches.suse/0017-rtc-Remove-wrong-deprecation-comment.patch
 patches.suse/platform-x86-ideapad-laptop-Add-IdeaPad-V510-15IKB-t
 patches.suse/platform-x86-ideapad-laptop-Add-several-models-to-no
+ patches.suse/platform-x86-alienware-wmi-constify-attribute_group-.patch
 patches.suse/platform-x86-asus-wmi-constify-attribute_group-struc.patch
 patches.suse/include-linux-dcache.h-use-unsigned-chars-in-struct-.patch
 patches.suse/kernel.h-handle-pointers-to-arrays-better-in-contain.patch
@@ -9525,6 +9530,7 @@
 patches.suse/powerpc-xmon-Fix-display-of-SPRs.patch
 patches.suse/powerpc-kernel-Change-retrieval-of-pci_dn.patch
 patches.suse/powerpc-mm-radix-Prettify-mapped-memory-range-print-.patch
+ patches.suse/powerpc-Squash-lines-for-simple-wrapper-functions.patch
 patches.suse/powerpc-xmon-Add-ISA-v3.0-SPRs-to-SPR-dump.patch
 patches.suse/powerpc-conditionally-compile-platform-specific-serial-drivers.patch
 patches.suse/cxl-Fix-driver-use-count.patch
@@ -10222,6 +10228,7 @@
 patches.suse/pci-mark-amd-stoney-gpu-ats-as-broken
 patches.suse/PCI-Add-ACS-quirk-for-APM-X-Gene-devices.patch
 patches.suse/pci-disable-vf-decoding-before-pcibios_sriov_disable-updates-resources
+ patches.suse/platform-x86-alienware-wmi-fix-format-string-overflo.patch
 patches.suse/platform-x86-dell-wmi-Fix-driver-interface-version-q.patch
 patches.suse/platform-x86-asus-wmi-Evaluate-wmi-method-with-insta.patch
 patches.suse/platform-x86-intel_pmc_core-Make-the-driver-PCH-fami.patch
@@ -13436,6 +13443,7 @@
 patches.suse/bpf-libbpf-Provide-basic-API-support-to-specify-BPF-.patch
 patches.suse/bpf-Swap-the-order-of-checking-prog_info-and-map_inf.patch
 patches.suse/bpf-Test-new-fields-in-bpf_attr-and-bpf_-prog-map-_i.patch
+ patches.suse/net-ipv6-send-NS-for-DAD-when-link-operationally-up.patch
 patches.suse/i40e-i40evf-rename-bytes_per_int-to-bytes_per_usec.patch
 patches.suse/i40e-Fix-unqualified-module-message-while-bringing-l.patch
 patches.suse/i40e-Fix-link-down-message-when-interface-is-brought.patch
@@ -13958,6 +13966,7 @@
 patches.suse/bpf-Add-file-mode-configuration-into-bpf-maps.patch
 patches.suse/bpf-Add-tests-for-eBPF-file-mode.patch
 patches.suse/spectrum-Convert-fib-event-handlers-to-use-container.patch
+ patches.suse/ipv4-ipv4_default_advmss-should-use-route-mtu.patch
 patches.suse/Bluetooth-btqcomsmd-Add-support-for-BD-address-setup
 patches.suse/ieee802154-fix-gcc-4.9-warnings
 patches.suse/Bluetooth-hci_uart_set_flow_control-Fix-NULL-deref-w
@@ -18855,6 +18864,7 @@
 patches.suse/block-fix-blk_rq_append_bio.patch
 patches.suse/block-throttle-avoid-double-charge.patch
 patches.suse/0001-block-unalign-call_single_data-in-struct-request.patch
+ patches.suse/ipv6-icmp6-Allow-icmp-messages-to-be-looped-back.patch
 patches.suse/xdp-linearize-skb-in-netif_receive_generic_xdp.patch
 patches.suse/bpf-s390x-do-not-reload-skb-pointers-in-non-skb-cont.patch
 patches.suse/bpf-ppc64-do-not-reload-skb-pointers-in-non-skb-cont.patch
@@ -18870,6 +18880,8 @@
 patches.suse/mac80211_hwsim-Fix-a-possible-sleep-in-atomic-bug-in
 patches.suse/tg3-Fix-rx-hang-on-MTU-change-with-5717-5719.patch
 patches.suse/mlxsw-spectrum_router-Remove-batch-neighbour-deletio.patch
+ patches.suse/net-mediatek-setup-proper-state-for-disabled-GMAC-on.patch
+ patches.suse/net-arc_emac-fix-arc_emac_rx-error-paths.patch
 patches.suse/vxlan-update-skb-dst-pmtu-on-tx-path.patch
 patches.suse/ip_gre-remove-the-incorrect-mtu-limit-for-ipgre-tap.patch
 patches.suse/ip6_gre-remove-the-incorrect-mtu-limit-for-ipgre-tap.patch
@@ -19257,6 +19269,7 @@
 patches.suse/bpf-avoid-false-sharing-of-map-refcount-with-max_ent.patch
 patches.suse/bpf-introduce-BPF_JIT_ALWAYS_ON-config.patch
 patches.suse/sctp-add-a-ceiling-to-optlen-in-some-sockopts.patch
+ patches.suse/sctp-make-use-of-pre-calculated-len.patch
 patches.suse/0001-net-gianfar_ptp-move-set_fipers-to-spinlock-protecti.patch
 patches.suse/0001-iwlwifi-pcie-fix-DMA-memory-mapping-unmapping.patch
 patches.suse/wcn36xx-Fix-dynamic-power-saving
@@ -21316,6 +21329,7 @@
 patches.suse/sfc-expose-FEC-stats-on-Medford2.patch
 patches.suse/sfc-expose-CTPIO-stats-on-NICs-that-support-them.patch
 patches.suse/enic-add-wq-clean-up-budget.patch
+ patches.suse/ipv6-Reinject-IPv6-packets-if-IPsec-policy-matches-a.patch
 patches.suse/net-hns3-add-support-to-query-tqps-number.patch
 patches.suse/net-hns3-add-support-to-modify-tqps-number.patch
 patches.suse/net-hns3-change-the-returned-tqp-number-by-ethtool-x.patch
@@ -23792,6 +23806,7 @@
 patches.suse/powerpc-pseries-radix-is-not-subject-to-RMA-limit-re.patch
 patches.suse/powerpc-pseries-lift-RTAS-limit-for-radix.patch
 patches.suse/powerpc-64s-Relax-PACA-address-limitations.patch
+ patches.suse/cpuidle-powernv-avoid-double-irq-enable-coming-out-o.patch
 patches.suse/powerpc-pseries-cpuidle-add-polling-idle-for-shared-.patch
 patches.suse/powerpc-initial-pkey-plumbing.patch
 patches.suse/powerpc-track-allocation-status-of-all-pkeys.patch
@@ -24446,6 +24461,7 @@
 patches.suse/nfp-populate-MODULE_VERSION.patch
 patches.suse/netlink-ensure-to-loop-over-all-netns-in-genlmsg_mul.patch
 patches.suse/ibmvnic-queue-reset-when-CRQ-gets-closed-during-rese.patch
+ patches.suse/net-Extra-_get-in-declaration-of-arch_get_platform_m.patch
 patches.suse/net-sched-cls_u32-fix-cls_u32-on-filter-replace.patch
 patches.suse/rtlwifi-rtl8821ae-Fix-connection-lost-problem-correc
 patches.suse/ath10k-correct-the-length-of-DRAM-dump-for-QCA6174-h.patch
@@ -25494,6 +25510,7 @@
 patches.suse/e1000e-Fix-check_for_link-return-value-with-autoneg-.patch
 patches.suse/e1000e-allocate-ring-descriptors-with-dma_zalloc_coh.patch
 patches.suse/qed-Free-RoCE-ILT-Memory-on-rmmod-qedr.patch
+ patches.suse/net-qcom-emac-Use-proper-free-methods-during-TX.patch
 patches.suse/net-smsc911x-Fix-unload-crash-when-link-is-up.patch
 patches.suse/net-Fix-hlist-corruptions-in-inet_evict_bucket.patch
 patches.suse/l2tp-do-not-accept-arbitrary-sockets.patch
@@ -25569,6 +25586,7 @@
 patches.suse/tg3-prevent-scheduling-while-atomic-splat.patch
 patches.suse/can-cc770-Fix-stalls-on-rt-linux-remove-redundant-IR
 patches.suse/can-cc770-Fix-queue-stall-dropped-RTR-reply
+ patches.suse/sunvnet-does-not-support-GSO-for-sctp.patch
 patches.suse/s390-sles15sp1-00-11-062-net-smc-simplify-wait-when-closing-listen-socket.patch
 patches.suse/net-sched-actions-return-explicit-error-when-tunnel_.patch
 patches.suse/0010-net-Fix-vlan-untag-for-bridge-and-vlan_dev-with-reor.patch
@@ -25782,6 +25800,7 @@
 patches.suse/team-move-dev_mc_sync-after-master_upper_dev_link-in.patch
 patches.suse/0001-net-usb-qmi_wwan.c-Add-USB-id-for-lt4120-modem.patch
 patches.suse/vhost_net-add-missing-lock-nesting-notation.patch
+ patches.suse/net-dsa-mt7530-fix-module-autoloading-for-OF-platfor.patch
 patches.suse/batman-adv-fix-multicast-via-unicast-transmission-wi.patch
 patches.suse/batman-adv-fix-packet-loss-for-broadcasted-DHCP-pack.patch
 patches.suse/0001-net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d.patch
@@ -25820,6 +25839,7 @@
 patches.suse/ipv6-sr-fix-seg6-encap-performances-with-TSO-enabled.patch
 patches.suse/vrf-Fix-use-after-free-and-double-free-in-vrf_finish.patch
 patches.suse/net-ipv6-Fix-route-leaking-between-VRFs.patch
+ patches.suse/net-mvneta-fix-enable-of-all-initialized-RXQs.patch
 patches.suse/x86-alternatives-fixup-alternative_call_2
 patches.suse/x86-platform-uv-fix-critical-uv-mmr-address-error
 patches.suse/perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus
@@ -29616,6 +29636,7 @@
 patches.suse/msft-hv-1607-kvm-x86-factor-out-kvm.arch.hyperv-de-init.patch
 patches.suse/msft-hv-1608-kvm-x86-hyperv-guest-host-event-signaling-via-eventf.patch
 patches.suse/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use
+ patches.suse/KVM-x86-Update-the-exit_qualification-access-bits-wh.patch
 patches.suse/msft-hv-1631-x86-kvm-hyper-v-add-reenlightenment-MSRs-support.patch
 patches.suse/msft-hv-1632-x86-kvm-hyper-v-remove-stale-entries-from-vec_bitmap.patch
 patches.suse/msft-hv-1633-x86-kvm-hyper-v-inject-GP-only-when-invalid-SINTx-ve.patch
@@ -31118,6 +31139,7 @@
 patches.suse/ixgbe-fix-parsing-of-TC-actions-for-HW-offload.patch
 patches.suse/net-sysfs-Fix-memory-leak-in-XPS-configuration.patch
 patches.suse/kcm-Fix-use-after-free-caused-by-clonned-sockets.patch
+ patches.suse/net-dsa-b53-Add-BCM5389-support.patch
 patches.suse/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch
 patches.suse/ip_tunnel-restore-binding-to-ifaces-with-a-large-mtu.patch
 patches.suse/ip6_tunnel-remove-magic-mtu-value-0xFFF8.patch
@@ -33388,6 +33410,7 @@
 patches.suse/s390-sles15sp1-00-11-093-net-smc-drop-messages-when-link-state-is-inactive.patch
 patches.suse/s390-sles15sp1-00-11-094-net-smc-check-for-pending-termination.patch
 patches.suse/sched-manipulate-__QDISC_STATE_RUNNING-in-qdisc_run_.patch
+ patches.suse/net-ethernet-ti-cpsw-phy-sel-check-bus_find_device-r.patch
 patches.suse/qed-Fix-possibility-of-list-corruption-during-rmmod-.patch
 patches.suse/qed-Fix-LL2-race-during-connection-terminate.patch
 patches.suse/cxgb4-update-LE-TCAM-collection-for-T6.patch
@@ -33650,6 +33673,7 @@
 patches.suse/msft-hv-1690-hv_netvsc-Add-handlers-for-ethtool-get-set-msg-level.patch
 patches.suse/cxgb4-Add-new-T6-device-ids.patch
 patches.suse/net-dsa-qca8k-add-qca8334-binding-documentation.patch
+ patches.suse/net-dsa-qca8k-Add-support-for-QCA8334-switch.patch
 patches.suse/0006-net-dsa-qca8k-Enable-RXMAC-when-bringing-up-a-port.patch
 patches.suse/0007-net-dsa-qca8k-Force-CPU-port-to-its-highest-bandwidt.patch
 patches.suse/0008-net-dsa-qca8k-Allow-overwriting-CPU-port-setting.patch
@@ -35269,6 +35293,7 @@
 patches.suse/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch
 patches.suse/net-net_failover-fix-typo-in-net_failover_slave_regi.patch
 patches.suse/enic-do-not-overwrite-error-code.patch
+ patches.suse/net-propagate-dev_get_valid_name-return-code.patch
 patches.suse/net-sched-act_ife-fix-recursive-lock-and-idr-leak.patch
 patches.suse/net-sched-act_ife-preserve-the-action-control-in-cas.patch
 patches.suse/net-sungem-fix-rx-checksum-support.patch
@@ -35367,7 +35392,9 @@
 patches.suse/x86-microcode-intel-fix-memleak-in-save_microcode_patch
 patches.suse/x86-cpu-amd-fix-llc-id-bit-shift-calculation
 patches.suse/uprobes-x86-Remove-incorrect-WARN_ON-in-uprobe_init_.patch
+ patches.suse/net-davinci_emac-match-the-mdio-device-against-its-c.patch
 patches.suse/bpf-enforce-correct-alignment-for-instructions.patch
+ patches.suse/sctp-fix-erroneous-inc-of-snmp-SctpFragUsrMsgs.patch
 patches.suse/ipvlan-fix-IFLA_MTU-ignored-on-NEWLINK.patch
 patches.suse/net-packet-fix-use-after-free.patch
 patches.suse/cls_flower-fix-use-after-free-in-flower-S-W-path.patch
@@ -35811,6 +35838,7 @@
 patches.suse/ipv6-fix-useless-rol32-call-on-hash.patch
 patches.suse/0009-net-qca_spi-Avoid-packet-drop-during-initial-sync.patch
 patches.suse/0010-net-qca_spi-Make-sure-the-QCA7000-reset-is-triggered.patch
+ patches.suse/net-qca_spi-Fix-log-level-if-probe-fails.patch
 patches.suse/msft-hv-1734-hv_netvsc-Fix-napi-reschedule-while-receive-completi.patch
 patches.suse/ptp-fix-missing-break-in-switch.patch
 patches.suse/crypto-af_alg-Initialize-sg_num_bytes-in-error-code-.patch
@@ -36236,7 +36264,11 @@
 patches.suse/s390-sles15sp1-00-03-04-zcrypt-Review-inline-assembler-constraints.patch
 patches.suse/s390-sles15sp1-00-03-05-zcrypt-Show-load-of-cards-and-queues-in-sysfs.patch
 patches.suse/s390-sles15sp1-00-03-06-zcrypt-Integrate-ap_asm.h-into-include-asm-ap.h.patch
+ patches.suse/s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch
+ patches.suse/s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch
+ patches.suse/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch
 patches.suse/s390-sles15sp1-00-03-07-zcrypt-add-copy_from_user-length-plausibility-c.patch
+ patches.suse/s390-sysinfo-add-missing-ifdef-CONFIG_PROC_FS.patch
 patches.suse/0085-RAID-s390-Remove-VLA-usage.patch
 patches.suse/s390-mm-correct-allocate_pgste-proc_handler-callback.patch
 patches.suse/s390-sles15-16-01-kvm-fix-deadlock-when-killed-by-oom.patch
@@ -40978,6 +41010,7 @@
 patches.suse/tls-clear-key-material-from-kernel-memory-when-do_tl.patch
 patches.suse/gso_segment-Reset-skb-mac_len-after-modifying-networ.patch
 patches.suse/net-sched-act_sample-fix-NULL-dereference-in-the-dat.patch
+ patches.suse/stmmac-fix-valid-numbers-of-unicast-filter-entries.patch
 patches.suse/udp4-fix-IP_CMSG_CHECKSUM-for-connected-sockets.patch
 patches.suse/udp6-add-missing-checks-on-edumux-packet-processing.patch
 patches.suse/veth-Orphan-skb-before-GRO.patch
@@ -41054,6 +41087,7 @@
 patches.suse/s390-sles15sp1-00-04-19-KVM-s390-Make-huge-pages-unavailable-in-ucontrol-VMs.patch
 patches.suse/KVM-PPC-Avoid-marking-DMA-mapped-pages-dirty-in-real.patch
 patches.suse/KVM-PPC-Book3S-HV-Don-t-use-compound_order-to-determ.patch
+ patches.suse/kvm-mmu-Don-t-read-PDPTEs-when-paging-is-not-enabled.patch
 patches.suse/msft-hv-1758-x86-hyper-v-rename-ipi_arg_-ex-non_ex-structures.patch
 patches.suse/pinctrl-cannonlake-Fix-gpio-base-for-GPP-E.patch
 patches.suse/pinctrl-intel-Do-pin-translation-in-other-GPIO-opera.patch
@@ -41075,6 +41109,7 @@
 patches.suse/media-af9035-prevent-buffer-overflow-on-write.patch
 patches.suse/net-stmmac-Fixup-the-tail-addr-setting-in-xmit-path.patch
 patches.suse/NFC-Fix-possible-memory-corruption-when-handling-SHD.patch
+ patches.suse/net-emac-fix-fixed-link-setup-for-the-RTL8363SB-swit.patch
 patches.suse/net-mlx5-Fix-read-from-coherent-memory.patch
 patches.suse/net-mlx5-Check-for-SQ-and-not-RQ-state-when-modifyin.patch
 patches.suse/net-mlx5e-TLS-Read-capabilities-only-when-it-is-safe.patch
@@ -42203,6 +42238,8 @@
 patches.suse/ice-Add-support-for-dynamic-interrupt-moderation.patch
 patches.suse/ice-Fix-error-on-driver-remove.patch
 patches.suse/ath10k-fix-kernel-panic-by-moving-pci-flush-after-na.patch
+ patches.suse/wcn36xx-Use-kmemdup-instead-of-duplicating-it-in-wcn.patch
+ patches.suse/wcn36xx-use-dma_zalloc_coherent-instead-of-allocator.patch
 patches.suse/ath10k-skip-resetting-rx-filter-for-WCN3990.patch
 patches.suse/ath10k-schedule-hardware-restart-if-WMI-command-time.patch
 patches.suse/ath9k-fix-tx99-with-monitor-mode-interface.patch
@@ -44442,6 +44479,8 @@
 patches.suse/kvm-x86-fix-scan-ioapic-use-before-initialization
 patches.suse/svm-add-mutex_lock-to-protect-apic_access_page_done-on-amd-systems
 patches.suse/kvm-x86-fix-kernel-info-leak-in-kvm_hc_clock_pairing-hypercall
+ patches.suse/KVM-x86-fix-empty-body-warnings.patch
+ patches.suse/x86-kvm-vmx-fix-old-style-function-declaration.patch
 patches.suse/kvm-mmu-fix-race-in-emulated-page-table-writes
 patches.suse/kvm-svm-ensure-an-ibpb-on-all-affected-cpus-when-freeing-a-vmcb.patch
 patches.suse/spi-mediatek-use-correct-mata-xfer_len-when-in-fifo-.patch
@@ -45326,6 +45365,7 @@
 patches.suse/kvm-s390-fix-kmsg-component-kvm-s390.patch
 patches.suse/KVM-PPC-Book3S-HV-Fix-race-between-kvm_unmap_hva_ran.patch
 patches.suse/KVM-PPC-Book3S-PR-Set-hflag-to-indicate-that-POWER9-.patch
+ patches.suse/KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-unsupport.patch
 patches.suse/kvm-Disallow-wraparound-in-kvm_gfn_to_hva_cache_init.patch
 patches.suse/kvm-Change-offset-in-kvm_write_guest_offset_cached-t.patch
 patches.suse/kvm-nvmx-nmi-window-and-interrupt-window-exiting-should-wake-l2-from-hlt
@@ -46335,6 +46375,7 @@
 patches.suse/cred-allow-get_cred-and-put_cred-to-be-given-NULL.patch
 patches.suse/NFS-nfs_compare_mount_options-always-compare-auth-fl.patch
 patches.suse/sunrpc-handle-ENOMEM-in-rpcb_getport_async.patch
+ patches.suse/s390-pci-fix-sleeping-in-atomic-during-hotplug.patch
 patches.suse/clk-imx8qxp-make-the-name-of-clock-id-generic.patch
 patches.suse/drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch
 patches.suse/drbd-ignore-all-zero-peer-volume-sizes-in-handshake.patch
@@ -46758,6 +46799,7 @@
 patches.suse/kvm-x86-fix-single-step-debugging
 patches.suse/svm-add-warning-message-for-avic-ipi-invalid-target
 patches.suse/svm-fix-avic-incomplete-ipi-emulation
+ patches.suse/KVM-nSVM-clear-events-pending-from-svm_complete_inte.patch
 patches.suse/irqchip-gic-v3-its-Align-PCI-Multi-MSI-allocation-on.patch
 patches.suse/sched-wait-Fix-rcuwait_wake_up-ordering.patch
 patches.suse/0001-sched-wake_q-Document-wake_q_add.patch
@@ -48813,6 +48855,7 @@
 patches.suse/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu
 patches.suse/kvm-x86-always-use-32-bit-smram-save-state-for-32-bit-kernels
 patches.suse/0001-KVM-fix-spectrev1-gadgets.patch
+ patches.suse/KVM-x86-avoid-misreporting-level-triggered-irqs-as-e.patch
 patches.suse/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
 patches.suse/cfg80211-Handle-WMM-rules-in-regulatory-domain-inter.patch
 patches.suse/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch
@@ -48921,6 +48964,7 @@
 patches.suse/sunrpc-don-t-mark-uninitialised-items-as-VALID.patch
 patches.suse/nfsd-Don-t-release-the-callback-slot-unless-it-was-a.patch
 patches.suse/ipv4-set-the-tcp_min_rtt_wlen-range-from-0-to-one-da.patch
+ patches.suse/s390-ctcm-fix-ctcm_new_device-error-return-code.patch
 patches.suse/mlxsw-spectrum-Put-MC-TCs-into-DWRR-mode.patch
 patches.suse/mlxsw-pci-Reincrease-PCI-reset-timeout.patch
 patches.suse/mlxsw-spectrum-Fix-autoneg-status-in-ethtool.patch
@@ -50141,6 +50185,8 @@
 patches.suse/platform-x86-dell-rbtn-Add-missing-include.patch
 patches.suse/platform-x86-intel_pmc_ipc-adding-error-handling.patch
 patches.suse/platform-x86-intel_pmc_core-Mark-local-function-stat.patch
+ patches.suse/platform-x86-dell-laptop-fix-rfkill-functionality.patch
+ patches.suse/platform-x86-alienware-wmi-fix-kfree-on-potentially-.patch
 patches.suse/platform-x86-intel_punit_ipc-Revert-Fix-resource-ior.patch
 patches.suse/platform-mellanox-Add-TmFifo-driver-for-Mellanox-Blu.patch
 patches.suse/platform-x86-mlx-platform-Add-support-for-tachometer.patch
@@ -51779,6 +51825,7 @@
 patches.suse/scsi-libfc-fix-null-pointer-dereference-on-a-null-lport
 patches.suse/scsi-sd_zbc-Fix-compilation-warning.patch
 patches.suse/scsi-core-fix-race-on-creating-sense-cache
+ patches.suse/x86-kvm-avoid-constant-conversion-warning.patch
 patches.suse/kvm-svm-fix-detection-of-amd-errata-1096
 patches.suse/kvm-x86-vpmu-refine-kvm_pmu-err-msg-when-event-creation-failed
 patches.suse/kvm-nvmx-do-not-use-dangling-shadow-vmcs-after-guest-reset
@@ -51786,6 +51833,7 @@
 patches.suse/objtool-Rename-elf_open-to-prevent-conflict-with-libelf-from-elftoolchain.patch
 patches.suse/stacktrace-force-user_ds-for-stack_trace_save_user.patch
 patches.suse/x86-paravirt-Fix-callee-saved-function-ELF-sizes.patch
+ patches.suse/x86-kvm-Don-t-call-kvm_spurious_fault-from-.fixup.patch
 patches.suse/objtool-Track-original-function-across-branches.patch
 patches.suse/objtool-Convert-insn-type-to-enum.patch
 patches.suse/objtool-Support-conditional-retpolines.patch
@@ -52469,6 +52517,7 @@
 patches.suse/media-hdpvr-Add-device-num-check-and-handling.patch
 patches.suse/media-iguanair-add-sanity-checks.patch
 patches.suse/media-fdp1-Reduce-FCP-not-found-message-level-to-deb.patch
+ patches.suse/media-media-dvb-Use-kmemdup-rather-than-duplicating-.patch
 patches.suse/media-tm6000-double-free-if-usb-disconnect-while-str.patch
 patches.suse/media-omap3isp-Set-device-on-omap3isp-subdevs.patch
 patches.suse/media-omap3isp-Don-t-set-streaming-state-on-random-s.patch
@@ -53801,6 +53850,7 @@
 patches.suse/ath10k-fix-memory-leak-for-tpc_stats_final.patch
 patches.suse/ath10k-Correct-error-handling-of-dma_map_single.patch
 patches.suse/net-ath10k-Fix-a-NULL-ptr-deref-bug.patch
+ patches.suse/wcn36xx-remove-unecessary-return.patch
 patches.suse/0001-rt2800-remove-errornous-duplicate-condition.patch
 patches.suse/rtlwifi-fix-memory-leak-in-rtl92c_set_fw_rsvdpagepkt.patch
 patches.suse/rtlwifi-rtl8192de-Fix-missing-code-to-retrieve-RX-bu.patch
@@ -53808,6 +53858,7 @@
 patches.suse/rtlwifi-rtl8192de-Fix-missing-enable-interrupt-flag.patch
 patches.suse/iwlwifi-mvm-fix-unaligned-read-of-rx_pkt_status.patch
 patches.suse/ath10k-fix-get-invalid-tx-rate-for-Mesh-metric.patch
+ patches.suse/wcn36xx-fix-typo.patch
 patches.suse/s390-bpf-Wrap-JIT-macro-parameter-usages-in-parentheses.patch
 patches.suse/bpf-skmsg-fix-potential-psock-NULL-pointer-dereferen.patch
 patches.suse/mac80211-consider-QoS-Null-frames-for-STA_NULLFUNC_A.patch
@@ -54892,6 +54943,7 @@
 patches.suse/brcmfmac-Fix-memory-leak-in-brcmf_usbdev_qinit.patch
 patches.suse/orinoco-avoid-assertion-in-case-of-NULL-pointer.patch
 patches.suse/ath9k-fix-storage-endpoint-lookup.patch
+ patches.suse/wcn36xx-disable-HW_CONNECTION_MONITOR.patch
 patches.suse/net-ena-remove-set-but-not-used-variable-rx_ring.patch
 patches.suse/gianfar-Fix-TX-timestamping-with-a-stacked-DSA-drive.patch
 patches.suse/vmxnet3-Remove-always-false-conditional-statement.patch
@@ -54909,6 +54961,7 @@
 patches.suse/Revert-ath10k-fix-DMA-related-firmware-crashes-on-mu.patch
 patches.suse/ath10k-Correct-the-DMA-direction-for-management-tx-b.patch
 patches.suse/ar5523-Add-USB-ID-of-SMCWUSBT-G2-wireless-adapter.patch
+ patches.suse/wcn36xx-fix-spelling-mistake-to-too.patch
 patches.suse/bnxt_en-Remove-the-setting-of-dev_port.patch
 patches.suse/ALSA-control-remove-useless-assignment-in-.info-call.patch
 patches.suse/ALSA-usx2y-Adjust-indentation-in-snd_usX2Y_hwdep_dsp.patch
@@ -55409,6 +55462,7 @@
 patches.suse/0001-ext4-fix-mount-failure-with-quota-configured-as-modu.patch
 patches.suse/0002-Btrfs-fix-btrfs_wait_ordered_range-so-that-it-waits-.patch
 patches.suse/floppy-check-FDC-index-for-errors-before-assigning-i.patch
+ patches.suse/KVM-x86-fix-incorrect-comparison-in-trace-event.patch
 patches.suse/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init
 patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode
 patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function
@@ -56761,6 +56815,11 @@
 patches.suse/firmware-imx-scu-fix-corruption-of-header.patch
 patches.suse/firmware-imx-scu-Fix-possible-memory-leak-in-imx_scu.patch
 patches.suse/drivers-soc-ti-knav_qmss_queue-Make-knav_gp_range_op.patch
+ patches.suse/powerpc-Move-idle_loop_prolog-epilog-functions-to-he.patch
+ patches.suse/powerpc-idle-Store-PURR-snapshot-in-a-per-cpu-global.patch
+ patches.suse/powerpc-pseries-Account-for-SPURR-ticks-on-idle-CPUs.patch
+ patches.suse/powerpc-sysfs-Show-idle_purr-and-idle_spurr-for-ever.patch
+ patches.suse/Documentation-Document-sysfs-interfaces-purr-spurr-i.patch
 patches.suse/powerpc-eeh-Fix-pseries_eeh_configure_bridge.patch
 patches.suse/powerpc-pseries-ras-Avoid-calling-rtas_token-in-NMI-.patch
 patches.suse/powerpc-pseries-ras-Fix-FWNMI_VALID-off-by-one.patch
@@ -57048,6 +57107,7 @@
 patches.suse/0010-ALSA-usb-audio-Add-registration-quirk-for-Kingston-H.patch
 patches.suse/ALSA-usb-audio-add-quirk-for-Samsung-USBC-Headset-AK.patch
 patches.suse/ALSA-usb-audio-Fix-OOB-access-of-mixer-element-list.patch
+ patches.suse/s390-kasan-fix-early-pgm-check-handler-execution.patch
 patches.suse/RDMA-efa-Set-maximum-pkeys-device-attribute.patch
 patches.suse/RDMA-qedr-Fix-KASAN-use-after-free-in-ucma_event_han.patch
 patches.suse/RDMA-cma-Protect-bind_list-and-listen_list-while-fin.patch
@@ -58478,7 +58538,12 @@
 patches.suse/brcmfmac-check-ndev-pointer.patch
 patches.suse/mwifiex-Do-not-use-GFP_KERNEL-in-atomic-context.patch
 patches.suse/ath10k-provide-survey-info-as-accumulated-data.patch
+ patches.suse/wcn36xx-Add-ieee80211-rx-status-rate-information.patch
 patches.suse/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch
+ patches.suse/wcn36xx-Fix-multiple-AMPDU-sessions-support.patch
+ patches.suse/wcn36xx-Increase-number-of-TX-retries.patch
+ patches.suse/wcn36xx-Fix-TX-data-path.patch
+ patches.suse/wcn36xx-Use-sequence-number-allocated-by-mac80211.patch
 patches.suse/ath10k-start-recovery-process-when-payload-length-ex.patch
 patches.suse/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch
 patches.suse/ath9k_htc-Use-appropriate-rs_datalen-type.patch
@@ -58492,6 +58557,10 @@
 patches.suse/rtl8xxxu-prevent-potential-memory-leak.patch
 patches.suse/mwifiex-remove-function-pointer-check.patch
 patches.suse/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch
+ patches.suse/wcn36xx-Fix-software-driven-scan.patch
+ patches.suse/wcn36xx-Disable-bmps-when-encryption-is-disabled.patch
+ patches.suse/wcn36xx-Fix-warning-due-to-bad-rate_idx.patch
+ patches.suse/wcn36xx-Specify-ieee80211_rx_status.nss.patch
 patches.suse/gve-Get-and-set-Rx-copybreak-via-ethtool.patch
 patches.suse/gve-Add-stats-for-gve.patch
 patches.suse/gve-Use-dev_info-err-instead-of-netif_info-err.patch
@@ -59072,6 +59141,7 @@
 patches.suse/media-mtk-vcodec-add-missing-put_device-call-in-mtk_.patch
 patches.suse/media-v4l2-async-Fix-trivial-documentation-typo.patch
 patches.suse/media-platform-add-missing-put_device-call-in-mtk_jp.patch
+ patches.suse/media-dvbdev-Fix-memleak-in-dvb_register_device.patch
 patches.suse/media-solo6x10-fix-missing-snd_card_free-in-error-ha.patch
 patches.suse/media-sunxi-cir-ensure-IR-is-handled-when-it-is-cont.patch
 patches.suse/media-siano-fix-memory-leak-of-debugfs-members-in-sm.patch
@@ -59128,6 +59198,7 @@
 patches.suse/net-ena-use-xdp_return_frame-to-free-xdp-frames.patch
 patches.suse/net-ena-introduce-ndo_xdp_xmit-function-for-XDP_REDI.patch
 patches.suse/mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch
+ patches.suse/adm8211-fix-error-return-code-in-adm8211_probe.patch
 patches.suse/mwifiex-Fix-possible-buffer-overflows-in-mwifiex_2.patch
 patches.suse/nfc-s3fwrn5-Release-the-nfc-firmware.patch
 patches.suse/ALSA-hda-Fix-regressions-on-clear-and-reconfig-sysfs.patch
@@ -60455,6 +60526,7 @@
 patches.suse/ibmvnic-queue-reset-work-in-system_long_wq.patch
 patches.suse/rtlwifi-8821ae-upgrade-PHY-and-RF-parameters.patch
 patches.suse/ipw2x00-potential-buffer-overflow-in-libipw_wx_set_e.patch
+ patches.suse/mwl8k-Fix-a-double-Free-in-mwl8k_probe_hw.patch
 patches.suse/msft-hv-2332-net-mana-Add-a-driver-for-Microsoft-Azure-Network-Ad.patch
 patches.suse/mac80211-clear-the-beacon-s-CRC-after-channel-switch.patch
 patches.suse/mac80211-bail-out-if-cipher-schemes-are-invalid.patch
@@ -60641,6 +60713,7 @@
 patches.suse/msft-hv-2317-uio_hv_generic-Fix-another-memory-leak-in-error-hand.patch
 patches.suse/platform-mellanox-mlxbf-tmfifo-Fix-a-memory-barrier-.patch
 patches.suse/platform-x86-hp-wireless-add-AMD-s-hardware-id-to-th.patch
+ patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch
 patches.suse/platform-x86-intel_punit_ipc-Append-MODULE_DEVICE_TA.patch
 patches.suse/ALSA-hda-realtek-reset-eapd-coeff-to-default-value-f.patch
 patches.suse/ALSA-bebob-oxfw-fix-Kconfig-entry-for-Mackie-d.2-Pro.patch
@@ -60855,6 +60928,7 @@
 patches.suse/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch
 patches.suse/media-uvcvideo-Fix-pixel-format-change-for-Elgato-Ca.patch
 patches.suse/media-dvb_net-avoid-speculation-from-net-slot.patch
+ patches.suse/media-dvbdev-fix-error-logic-at-dvb_register_device.patch
 patches.suse/media-siano-fix-device-register-error-path.patch
 patches.suse/media-s5p-g2d-Fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch
 patches.suse/crypto-ccp-annotate-sev-firmware-file-names
@@ -61416,6 +61490,7 @@
 patches.suse/msft-hv-2430-net-mana-Move-NAPI-from-EQ-to-CQ.patch
 patches.suse/msft-hv-2431-net-mana-Add-support-for-EQ-sharing.patch
 patches.suse/msft-hv-2432-net-mana-Add-WARN_ON_ONCE-in-case-of-CQE-read-overfl.patch
+ patches.suse/wcn36xx-Ensure-finish-scan-is-not-requested-before-s.patch
 patches.suse/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch
 patches.suse/bcma-Fix-memory-leak-for-internally-handled-cores.patch
 patches.suse/ipv4-make-exception-cache-less-predictible.patch
@@ -61445,6 +61520,7 @@
 patches.suse/xen-blkfront-read-response-from-backend-only-once.patch
 patches.suse/xen-blkfront-don-t-take-local-copy-of-a-request-from.patch
 patches.suse/xen-blkfront-don-t-trust-the-backend-response-data-b.patch
+ patches.suse/platform-x86-dell-smbios-wmi-Add-missing-kfree-in-er.patch
 patches.suse/mailbox-sti-quieten-kernel-doc-warnings.patch
 patches.suse/clk-at91-clk-generated-Limit-the-requested-rate-to-o.patch
 patches.suse/clk-kirkwood-Fix-a-clocking-boot-regression.patch
@@ -61581,7 +61657,16 @@
 patches.suse/net-usb-cdc_mbim-avoid-altsetting-toggling-for-Telit.patch
 patches.suse/net-usb-qmi_wwan-add-Telit-0x1060-composition.patch
 patches.suse/qlcnic-Remove-redundant-unlock-in-qlcnic_pinit_from_.patch
+ patches.suse/PCI-Call-Max-Payload-Size-related-fixup-quirks-early.patch
+ patches.suse/PCI-Restrict-ASMedia-ASM1062-SATA-Max-Payload-Size-S.patch
+ patches.suse/PCI-Return-0-data-on-pciconfig_read-CAP_SYS_ADMIN-fa.patch
+ patches.suse/PCI-Add-ACS-quirks-for-Cavium-multi-function-devices.patch
+ patches.suse/PCI-aardvark-Fix-checking-for-PIO-status.patch
+ patches.suse/PCI-aardvark-Increase-polling-delay-to-1.5s-while-wa.patch
+ patches.suse/PCI-aardvark-Configure-PCIe-resources-from-ranges-DT.patch
+ patches.suse/PCI-aardvark-Fix-masking-and-unmasking-legacy-INTx-i.patch
 patches.suse/msft-hv-2426-PCI-hv-Support-for-create-interrupt-v3.patch
+ patches.suse/PCI-xilinx-nwl-Enable-the-clock-through-CCF.patch
 patches.suse/profiling-fix-shift-out-of-bounds-bugs.patch
 patches.suse/prctl-allow-to-setup-brk-for-et_dyn-executables.patch
 patches.suse/ceph-lockdep-annotations-for-try_nonblocking_invalidate.patch
@@ -61767,6 +61852,7 @@
 patches.suse/gve-DQO-avoid-unused-variable-warnings.patch
 patches.suse/gve-Use-kvcalloc-instead-of-kvzalloc.patch
 patches.suse/Bluetooth-sco-Fix-lock_sock-blockage-by-memcpy_from_.patch
+ patches.suse/wcn36xx-Add-ability-for-wcn36xx_smd_dump_cmd_req-to-.patch
 patches.suse/ath10k-Fix-missing-frame-timestamp-for-beacon-probe-.patch
 patches.suse/msft-hv-2449-net-mana-Use-kcalloc-instead-of-kzalloc.patch
 patches.suse/msft-hv-2451-hv_netvsc-use-netif_is_bond_master-instead-of-open-c.patch
@@ -61790,6 +61876,7 @@
 patches.suse/libertas-Fix-possible-memory-leak-in-probe-and-disco.patch
 patches.suse/wcn36xx-Fix-HT40-capability-for-2Ghz-band.patch
 patches.suse/wcn36xx-add-proper-DMA-memory-barriers-in-rx-path.patch
+ patches.suse/wcn36xx-Channel-list-update-before-hardware-scan.patch
 patches.suse/ath10k-fix-control-message-timeout.patch
 patches.suse/ath6kl-fix-control-message-timeout.patch
 patches.suse/ath10k-fix-division-by-zero-in-send-path.patch
@@ -61868,7 +61955,9 @@
 patches.suse/ocfs2-do-not-zero-pages-beyond-i_size.patch
 patches.suse/0001-memcg-kmem-further-deprecate-kmem.limit_in_bytes.patch
 patches.suse/0002-PCI-Do-not-enable-AtomicOps-on-VFs.patch
+ patches.suse/PCI-Mark-Atheros-QCA6174-to-avoid-bus-reset.patch
 patches.suse/msft-hv-2452-PCI-hv-Remove-unnecessary-use-of-hx.patch
+ patches.suse/PCI-aardvark-Fix-PCIe-Max-Payload-Size-setting.patch
 patches.suse/s390-cio-make-ccw_device_dma_-more-robust
 patches.suse/s390-pci-add-s390_iommu_aperture-kernel-parameter
 patches.suse/quota-check-block-number-when-reading-the-block-in-q.patch
@@ -61992,6 +62081,7 @@
 patches.suse/IB-hfi1-Correct-guard-on-eager-buffer-deallocation.patch
 patches.suse/IB-hfi1-Insure-use-of-smp_processor_id-is-preempt-di.patch
 patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch
+ patches.suse/libata-add-horkage-for-ASMedia-1092.patch
 patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
 patches.suse/cifs-fix-ntlmssp-auth-when-there-is-no-key-exchange.patch
 patches.suse/mm-bdi-initialize-bdi_min_ratio-when-bdi-is-unregist.patch
@@ -62066,6 +62156,7 @@
 patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch
 patches.suse/Bluetooth-bfusb-fix-division-by-zero-in-send-path.patch
 patches.suse/msft-hv-2486-net-mana-Add-XDP-support.patch
+ patches.suse/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch
 patches.suse/ibmvnic-Update-driver-return-codes.patch
 patches.suse/gve-Correct-order-of-processing-device-options.patch
 patches.suse/gve-Move-the-irq-db-indexes-out-of-the-ntfy-block-st.patch
@@ -62951,6 +63042,7 @@
 patches.suse/sch_sfb-Don-t-assume-the-skb-is-still-around-after-e.patch
 patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch
 patches.suse/i40e-Fix-kernel-crash-during-module-removal.patch
+ patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
 patches.suse/net-usb-qmi_wwan-add-Quectel-RM520N.patch
 patches.suse/sch_sfb-Also-store-skb-len-before-calling-child-enqu.patch
 patches.suse/ALSA-pcm-oss-Fix-race-at-SNDCTL_DSP_SYNC.patch
@@ -63055,6 +63147,9 @@
 patches.suse/scsi-qla2xxx-Use-transport-defined-speed-mask-for-su.patch
 patches.suse/usb-dwc3-gadget-Stop-processing-more-requests-on-IMI.patch
 patches.suse/usb-dwc3-gadget-Don-t-set-IMI-for-no_interrupt.patch
+ patches.suse/KVM-x86-emulator-em_sysexit-should-update-ctxt-mode.patch
+ patches.suse/KVM-x86-emulator-introduce-emulator_recalc_and_set_m.patch
+ patches.suse/KVM-x86-emulator-update-the-emulation-mode-after-CR0.patch
 patches.suse/NFSv4.1-Handle-RECLAIM_COMPLETE-trunking-errors.patch
 patches.suse/NFSv4.1-We-must-always-send-RECLAIM_COMPLETE-after-a.patch
 patches.suse/NFSv4.2-Fixup-CLONE-dest-file-size-for-zero-length-c.patch
@@ -63149,6 +63244,7 @@
 patches.suse/crypto-arm64-Fix-unused-variable-compilation-warnings-of-cpu_feature.patch
 patches.suse/tracing-Fix-infinite-loop-in-tracing_read_pipe-on-overflowed-print_trace_line.patch
 patches.suse/usb-typec-Check-for-ops-exit-instead-of-ops-enter-in.patch
+ patches.suse/usb-dwc3-Fix-race-between-dwc3_set_mode-and-__dwc3_s.patch
 patches.suse/usb-storage-Add-check-for-kcalloc.patch
 patches.suse/x86-mm-Randomize-per-cpu-entry-area.patch
 patches.suse/powerpc-xive-add-missing-iounmap-in-error-path-in-xi.patch
@@ -63186,6 +63282,7 @@
 patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch
 patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch
 patches.suse/tracing-Make-sure-trace_printk-can-output-as-soon-as-it-can-be-used.patch
+ patches.suse/0001-netrom-Fix-use-after-free-caused-by-accept-on-alread.patch
 patches.suse/net-USB-Fix-wrong-direction-WARNING-in-plusb.c.patch
 patches.suse/usb-typec-altmodes-displayport-Fix-probe-pin-assign-.patch
 patches.suse/net-sched-tcindex-update-imperfect-hash-filters-resp.patch
@@ -63228,6 +63325,8 @@
 patches.suse/scsi-qla2xxx-remove-the-unused-variable-wwn.patch
 patches.suse/nfsd-fix-race-to-check-ls_layouts.patch
 patches.suse/tracing-Add-NULL-checks-for-buffer-in-ring_buffer_free_read_page.patch
+ patches.suse/fotg210-udc-Add-missing-completion-handler.patch
+ patches.suse/usb-early-xhci-dbc-Fix-a-potential-out-of-bound-memo.patch
 patches.suse/applicom-Fix-PCI-device-refcount-leak-in-applicom_in.patch
 patches.suse/powerpc-powernv-ioda-Skip-unallocated-resources-when.patch
 patches.suse/powerpc-pseries-lpar-add-missing-RTAS-retry-status-h.patch
@@ -63237,6 +63336,7 @@
 patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch
 patches.suse/watchdog-pcwd_usb-Fix-attempting-to-access-uninitial.patch
 patches.suse/x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch
+ patches.suse/0001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
 patches.suse/net-usb-qmi_wwan-add-Telit-0x1080-composition.patch
 patches.suse/SUNRPC-Fix-a-server-shutdown-leak.patch
 patches.suse/scsi-qla2xxx-Add-option-to-disable-FC2-Target-suppor.patch
@@ -63244,6 +63344,7 @@
 patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch
 patches.suse/net-usb-smsc75xx-Limit-packet-length-to-skb-len.patch
 patches.suse/net-usb-smsc75xx-Move-packet-length-check-to-prevent.patch
+ patches.suse/net-iucv-Fix-size-of-interrupt-data.patch
 patches.suse/hwmon-xgene-Fix-use-after-free-bug-in-xgene_hwmon_remove-d.patch
 patches.suse/ring-buffer-remove-obsolete-comment-for-free_buffer_page.patch
 patches.suse/tracing-hwlat-Replace-sched_setaffinity-with-set_cpus_allowed_ptr.patch
@@ -63254,10 +63355,15 @@
 patches.suse/net-qcom-emac-Fix-use-after-free-bug-in-emac_remove-.patch
 patches.suse/net-usb-lan78xx-Limit-packet-length-to-skb-len.patch
 patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
+ patches.suse/i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
 patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch
 patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch
 patches.suse/s390-vfio-ap-fix-memory-leak-in-vfio_ap-device-drive.patch
+ patches.suse/f2fs-Fix-f2fs_truncate_partial_nodes-ftrace-event.patch
+ patches.suse/xen-netback-don-t-do-grant-copy-across-page-boundary.patch
+ patches.suse/xen-netback-use-same-error-messages-for-same-errors.patch
 patches.suse/NFSv4-Fix-hangs-when-recovering-open-state-after-a-s.patch
+ patches.suse/powerpc-Don-t-try-to-copy-PPR-for-task-with-NULL-pt_.patch
 patches.suse/ring-buffer-Fix-race-while-reader-and-writer-are-on-the-same-page.patch
 patches.suse/ftrace-Mark-get_lock_parent_ip-__always_inline.patch
 patches.suse/scsi-qla2xxx-Fix-memory-leak-in-qla2x00_probe_one.patch
@@ -63265,12 +63371,29 @@ patches.suse/cgroup-cpuset-Wake-up-cpuset_attach_wq-tasks-in-cpuset_cancel_attach.patch patches.suse/cifs-fix-negotiate-context-parsing.patch patches.suse/powerpc-papr_scm-Update-the-NUMA-distance-table-for-.patch + patches.suse/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch + patches.suse/ACPI-processor-Fix-evaluating-_PDC-method-when-runni.patch + patches.suse/0001-wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch patches.suse/ipmi-fix-SSIF-not-responding-under-certain-cond.patch patches.suse/USB-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch patches.suse/USB-dwc3-fix-runtime-pm-imbalance-on-unbind.patch patches.suse/usb-chipidea-fix-missing-goto-in-ci_hdrc_probe.patch + patches.suse/ring-buffer-Ensure-proper-resetting-of-atomic-variables-in-ring_buffer_reset_online_cpus.patch + patches.suse/ring-buffer-Sync-IRQ-works-before-buffer-destruction.patch + patches.suse/powerpc-rtas-use-memmove-for-potentially-overlapping.patch + patches.suse/workqueue-Fix-hung-time-report-of-worker-pools.patch + patches.suse/workqueue-Warn-when-a-new-worker-could-not-be-create.patch + patches.suse/workqueue-Interrupted-create_worker-is-not-a-repeate.patch + patches.suse/workqueue-Warn-when-a-rescuer-could-not-be-created.patch + patches.suse/workqueue-Print-backtraces-from-CPUs-with-hung-CPU-b.patch patches.suse/xfs-verify-buffer-contents-when-we-skip-log-replay.patch + patches.suse/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch + patches.suse/media-dvb-core-Fix-use-after-free-on-race-condition-.patch + patches.suse/media-dvb-core-Fix-use-after-free-due-on-race-condit.patch + patches.suse/media-dvb-core-Fix-use-after-free-due-to-race-at-dvb.patch + patches.suse/media-dvb-core-Fix-kernel-WARNING-for-blocking-opera.patch + patches.suse/media-dvb-core-Fix-use-after-free-due-to-race-condit.patch # dhowells/linux-fs keys-uefi 
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -64320,6 +64443,8 @@ patches.kabi/struct-wmi_svc_avail_ev_arg-new-member-to-end.patch patches.kabi/struct-ci_hdrc-hide-new-member-at-end.patch patches.kabi/xhci-hide-include-of-iommu.h.patch + patches.kabi/media-dvb_frontend-kabi-workaround.patch + patches.kabi/media-dvb_net-kabi-workaround.patch ######################################################## # You'd better have a good reason for adding a patch