From 319a83b4d05d6aa25546e4fb96982d84597b4a84 Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon
Date: Oct 05 2022 05:31:04 +0000
Subject: Merge branch 'SLE12-SP5' into SLE12-SP5-AZURE
---
diff --git a/blacklist.conf b/blacklist.conf
index 66b348c..7528c6c 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -2258,3 +2258,5 @@ e7f7c99ba911f56bc338845c1cd72954ba591707 # not a real bug, sensitive path, bsc#1
 1bf4580e00a248a2c86269125390eb3648e1877c # not needed, bsc#1203910
 a3f2fd22743fc56dd5e3896a3fbddd276df1577f # irrelevant in our configurations
 9ef165406308515dcf2e3f6e97b39a1c56d86db5 # irrelevant in our configurations
+26c6c2f8a907c9e3a2f24990552a4d77235791e6 # breaks kABI for an issue relevant only in a minor HC
+41a91c606e7d2b74358a944525267cc451c271e8 # no gadget mode in SLE12
diff --git a/patches.suse/Input-melfas_mip4-fix-return-value-check-in-mip4_pro.patch b/patches.suse/Input-melfas_mip4-fix-return-value-check-in-mip4_pro.patch
new file mode 100644
index 0000000..1041201
--- /dev/null
+++ b/patches.suse/Input-melfas_mip4-fix-return-value-check-in-mip4_pro.patch
@@ -0,0 +1,36 @@
+From a54dc27bd25f20ee3ea2009584b3166d25178243 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Sat, 24 Sep 2022 11:07:15 +0800
+Subject: [PATCH] Input: melfas_mip4 - fix return value check in mip4_probe()
+Git-commit: a54dc27bd25f20ee3ea2009584b3166d25178243
+References: git-fixes
+Patch-mainline: v6.0
+
+devm_gpiod_get_optional() may return ERR_PTR(-EPROBE_DEFER),
+add a minus sign to fix it.
+
+Fixes: 6ccb1d8f78bd ("Input: add MELFAS MIP4 Touchscreen driver")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20220924030715.1653538-1-yangyingliang@huawei.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Oliver Neukum
+---
+ drivers/input/touchscreen/melfas_mip4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/touchscreen/melfas_mip4.c b/drivers/input/touchscreen/melfas_mip4.c
+index 2745bf1aee38..83f4be05e27b 100644
+--- a/drivers/input/touchscreen/melfas_mip4.c
++++ b/drivers/input/touchscreen/melfas_mip4.c
+@@ -1453,7 +1453,7 @@ static int mip4_probe(struct i2c_client *client, const struct i2c_device_id *id)
+ "ce", GPIOD_OUT_LOW);
+ if (IS_ERR(ts->gpio_ce)) {
+ error = PTR_ERR(ts->gpio_ce);
+- if (error != EPROBE_DEFER)
++ if (error != -EPROBE_DEFER)
+ dev_err(&client->dev,
+ "Failed to get gpio: %d\n", error);
+ return error;
+--
+2.35.3
+
diff --git a/patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch b/patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch
new file mode 100644
index 0000000..03ac77e
--- /dev/null
+++ b/patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch
@@ -0,0 +1,134 @@
+From: Hyunwoo Kim
+Date: Sun, 18 Sep 2022 21:02:51 -0700
+Subject: [PATCH] char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops
+Message-ID: <20220919040251.GA302541@ubuntu>
+Patch-mainline: Submitted, LKML
+References: CVE-2022-41848 bsc#1203987
+
+A race condition may occur if the user physically removes
+the pcmcia device while calling ioctl() for this tty device node.
+
+This is a race condition between the mgslpc_ioctl() function and
+the mgslpc_detach() function, which may eventually result in UAF.
+
+So, add a refcount check to mgslpc_detach() to free the structure
+after the tty device node is close()d.
+
+Signed-off-by: Hyunwoo Kim
+Signed-off-by: Takashi Iwai
+
+---
+ drivers/char/pcmcia/synclink_cs.c | 35 +++++++++++++++++++++++++------
+ 1 file changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c
+index 8fc49b038372..0dfba8833a67 100644
+--- a/drivers/char/pcmcia/synclink_cs.c
++++ b/drivers/char/pcmcia/synclink_cs.c
+@@ -216,7 +216,8 @@ typedef struct _mgslpc_info {
+
+ /* PCMCIA support */
+ struct pcmcia_device *p_dev;
+- int stop;
++ int stop;
++ struct kref refcnt;
+
+ /* SPPP/Cisco HDLC device parts */
+ int netcount;
+@@ -228,6 +229,8 @@ typedef struct _mgslpc_info {
+
+ } MGSLPC_INFO;
+
++static DEFINE_MUTEX(remove_mutex);
++
+ #define MGSLPC_MAGIC 0x5402
+
+ /*
+@@ -468,10 +471,21 @@ static void mgslpc_wait_until_sent(struct tty_struct *tty, int timeout);
+
+ /* PCMCIA prototypes */
+
++static void mgslpc_delete(struct kref *kref);
+ static int mgslpc_config(struct pcmcia_device *link);
+ static void mgslpc_release(u_long arg);
+ static void mgslpc_detach(struct pcmcia_device *p_dev);
+
++static void mgslpc_delete(struct kref *kref)
++{
++ MGSLPC_INFO *info = container_of(kref, MGSLPC_INFO, refcnt);
++ struct pcmcia_device *link = info->p_dev;
++
++ mgslpc_release((u_long)link);
++
++ mgslpc_remove_device(info);
++}
++
+ /*
+ * 1st function defined in .text section. Calling this function in
+ * init_module() followed by a breakpoint allows a remote debugger
+@@ -534,6 +548,7 @@ static int mgslpc_probe(struct pcmcia_device *link)
+ init_waitqueue_head(&info->event_wait_q);
+ spin_lock_init(&info->lock);
+ spin_lock_init(&info->netlock);
++ kref_init(&info->refcnt);
+ memcpy(&info->params,&default_params,sizeof(MGSL_PARAMS));
+ info->idle_mode = HDLC_TXIDLE_FLAGS;
+ info->imra_value = 0xffff;
+@@ -620,13 +635,15 @@ static void mgslpc_release(u_long arg)
+
+ static void mgslpc_detach(struct pcmcia_device *link)
+ {
++ MGSLPC_INFO *info = link->priv;
++
++ mutex_lock(&remove_mutex);
+ if (debug_level >= DEBUG_LEVEL_INFO)
+ printk("mgslpc_detach(0x%p)\n", link);
+
+- ((MGSLPC_INFO *)link->priv)->stop = 1;
+- mgslpc_release((u_long)link);
+-
+- mgslpc_remove_device((MGSLPC_INFO *)link->priv);
++ info->stop = 1;
++ kref_put(&info->refcnt, mgslpc_delete);
++ mutex_unlock(&remove_mutex);
+ }
+
+ static int mgslpc_suspend(struct pcmcia_device *link)
+@@ -2341,10 +2358,13 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp)
+
+ tty_port_close_end(port, tty);
+ tty_port_tty_set(port, NULL);
++
+ cleanup:
+ if (debug_level >= DEBUG_LEVEL_INFO)
+ printk("%s(%d):mgslpc_close(%s) exit, count=%d\n", __FILE__, __LINE__,
+ tty->driver->name, port->count);
++
++ kref_put(&info->refcnt, mgslpc_delete);
+ }
+
+ /* Wait until the transmitter is empty.
+@@ -2465,6 +2485,8 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp)
+ int retval, line;
+ unsigned long flags;
+
++ mutex_lock(&remove_mutex);
++
+ /* verify range of specified line number */
+ line = tty->index;
+ if (line >= mgslpc_device_count) {
+@@ -2517,9 +2539,10 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp)
+ if (debug_level >= DEBUG_LEVEL_INFO)
+ printk("%s(%d):mgslpc_open(%s) success\n",
+ __FILE__, __LINE__, info->device_name);
+- retval = 0;
+
++ kref_get(&info->refcnt);
+ cleanup:
++ mutex_unlock(&remove_mutex);
+ return retval;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/msft-hv-2644-net-mana-Add-rmb-after-checking-owner-bits.patch b/patches.suse/msft-hv-2644-net-mana-Add-rmb-after-checking-owner-bits.patch
new file mode 100644
index 0000000..2afa7cd
--- /dev/null
+++ b/patches.suse/msft-hv-2644-net-mana-Add-rmb-after-checking-owner-bits.patch
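Review bot: In the synclink_cs.c patch, `mgslpc_open()` now takes `remove_mutex` on entry but releases it only at the `cleanup:` label, so any path that returns directly leaves the mutex held and the next open or detach blocks. The body of the `if (line >= mgslpc_device_count)` range check is outside the hunk; if it, or any later check before `cleanup:`, ends in a bare `return -ENODEV;`, it should become `retval = -ENODEV; goto cleanup;`. The reference count looks unbalanced in the other direction: `kref_get(&info->refcnt)` runs only on the success path of open, while `kref_put(&info->refcnt, mgslpc_delete)` sits after `cleanup:` in `mgslpc_close()` and so runs on every path through that label. If close can be reached after a failed open, that put would drop the reference taken by `kref_init()` in probe and free `info` while the device is still attached. Both functions start and end outside the hunks shown, so these paths need checking against the full file.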
@@ -0,0 +1,51 @@
+From: Haiyang Zhang
+Date: Sun, 11 Sep 2022 13:40:05 -0700
+Patch-mainline: v6.0-rc7
+Subject: net: mana: Add rmb after checking owner bits
+Git-commit: 6fd2c68da55c552f86e401ebe40c4a619025ef69
+References: git-fixes
+
+Per GDMA spec, rmb is necessary after checking owner_bits, before
+reading EQ or CQ entries.
+
+Add rmb in these two places to comply with the specs.
+
+Cc: stable@vger.kernel.org
+Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
+Reported-by: Sinan Kaya
+Signed-off-by: Haiyang Zhang
+Reviewed-by: Dexuan Cui
+Link: https://lore.kernel.org/r/1662928805-15861-1-git-send-email-haiyangz@microsoft.com
+Signed-off-by: Jakub Kicinski
+Acked-by: Olaf Hering
+---
+ drivers/net/ethernet/microsoft/mana/gdma_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
+--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
+@@ -397,6 +397,11 @@ static void mana_gd_process_eq_events(void *arg)
+ break;
+ }
+
++ /* Per GDMA spec, rmb is necessary after checking owner_bits, before
++ * reading eqe.
++ */
++ rmb();
++
+ mana_gd_process_eqe(eq);
+
+ eq->head++;
+@@ -1134,6 +1139,11 @@ static int mana_gd_read_cqe(struct gdma_queue *cq, struct gdma_comp *comp)
+ if (WARN_ON_ONCE(owner_bits != new_bits))
+ return -1;
+
++ /* Per GDMA spec, rmb is necessary after checking owner_bits, before
++ * reading completion info
++ */
++ rmb();
++
+ comp->wq_num = cqe->cqe_info.wq_num;
+ comp->is_sq = cqe->cqe_info.is_sq;
+ memcpy(comp->cqe_data, cqe->cqe_data, GDMA_COMP_DATA_SIZE);
diff --git a/patches.suse/usbnet-Fix-memory-leak-in-usbnet_disconnect.patch b/patches.suse/usbnet-Fix-memory-leak-in-usbnet_disconnect.patch
new file mode 100644
index 0000000..59cf865
--- /dev/null
+++ b/patches.suse/usbnet-Fix-memory-leak-in-usbnet_disconnect.patch
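Review bot: In the gdma_main.c patch, the two new comments in `mana_gd_process_eq_events()` and `mana_gd_read_cqe()` cite the GDMA spec but do not say which accesses the barrier orders, so a later reader cannot tell whether moving a load across it is safe. Naming the ordering would fix that, for example `/* Order the owner_bits load before the loads of the entry body below. */`. The second comment also lacks the closing period the first one has. The owner_bits reads are outside both hunks, so whether each entry's owner field is read exactly once before the barrier is not visible here and should be checked in the full file.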
@@ -0,0 +1,50 @@
+From a43206156263fbaf1f2b7f96257441f331e91bb7 Mon Sep 17 00:00:00 2001
+From: Peilin Ye
+Date: Thu, 22 Sep 2022 21:25:51 -0700
+Subject: [PATCH] usbnet: Fix memory leak in usbnet_disconnect()
+Git-commit: a43206156263fbaf1f2b7f96257441f331e91bb7
+References: git-fixes
+Patch-mainline: v6.0
+
+Currently usbnet_disconnect() unanchors and frees all deferred URBs
+using usb_scuttle_anchored_urbs(), which does not free urb->context,
+causing a memory leak as reported by syzbot.
+
+Use a usb_get_from_anchor() while loop instead, similar to what we did
+in commit 19cfe912c37b ("Bluetooth: btusb: Fix memory leak in
+play_deferred"). Also free urb->sg.
+
+Reported-and-tested-by: syzbot+dcd3e13cf4472f2e0ba1@syzkaller.appspotmail.com
+Fixes: 69ee472f2706 ("usbnet & cdc-ether: Autosuspend for online devices")
+Fixes: 638c5115a794 ("USBNET: support DMA SG")
+Signed-off-by: Peilin Ye
+Link: https://lore.kernel.org/r/20220923042551.2745-1-yepeilin.cs@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/usb/usbnet.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1594,6 +1594,7 @@ void usbnet_disconnect (struct usb_inter
+ struct usbnet *dev;
+ struct usb_device *xdev;
+ struct net_device *net;
++ struct urb *urb;
+
+ dev = usb_get_intfdata(intf);
+ usb_set_intfdata(intf, NULL);
+@@ -1610,7 +1611,11 @@ void usbnet_disconnect (struct usb_inter
+ net = dev->net;
+ unregister_netdev (net);
+
+- usb_scuttle_anchored_urbs(&dev->deferred);
++ while ((urb = usb_get_from_anchor(&dev->deferred))) {
++ dev_kfree_skb(urb->context);
++ kfree(urb->sg);
++ usb_free_urb(urb);
++ }
+
+ if (dev->driver_info->unbind)
+ dev->driver_info->unbind (dev, intf);
diff --git a/patches.suse/xhci-bail-out-early-if-driver-can-t-accress-host-in-.patch b/patches.suse/xhci-bail-out-early-if-driver-can-t-accress-host-in-.patch
new file mode 100644
index 0000000..5d9afd1
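Review bot: In the usbnet.c patch, the new drain loop in `usbnet_disconnect()` passes `urb->context` to `dev_kfree_skb()` for every URB taken off `dev->deferred`, which is only correct while every URB queued on that anchor carries an skb in `context`. The code that queues them is outside the hunk, so that contract cannot be confirmed here. A short comment above the loop would record it and explain why the helper was dropped: `/* deferred URBs own their skb and sg list; usb_scuttle_anchored_urbs() frees neither */`. The function begins and ends outside the hunks shown.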
--- /dev/null
+++ b/patches.suse/xhci-bail-out-early-if-driver-can-t-accress-host-in-.patch
@@ -0,0 +1,44 @@
+From 72ae194704da212e2ec312ab182a96799d070755 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Thu, 12 Mar 2020 16:45:09 +0200
+Subject: [PATCH] xhci: bail out early if driver can't accress host in resume
+Git-commit: 72ae194704da212e2ec312ab182a96799d070755
+References: git-fixes
+Patch-mainline: v5.7-rc1
+
+Bail out early if the xHC host needs to be reset at resume
+but driver can't access xHC PCI registers.
+
+If xhci driver already fails to reset the controller then there
+is no point in attempting to free, re-initialize, re-allocate and
+re-start the host. If failure to access the host is detected later,
+failing the resume, xhci interrupts will be double freed
+when remove is called.
+
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20200312144517.1593-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Oliver Neukum
+---
+ drivers/usb/host/xhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index dbac0fa9748d..fe38275363e0 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1157,8 +1157,10 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ xhci_dbg(xhci, "Stop HCD\n");
+ xhci_halt(xhci);
+ xhci_zero_64b_regs(xhci);
+- xhci_reset(xhci);
++ retval = xhci_reset(xhci);
+ spin_unlock_irq(&xhci->lock);
++ if (retval)
++ return retval;
+ xhci_cleanup_msix(xhci);
+
+ xhci_dbg(xhci, "// Disabling event ring interrupts\n");
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index a0efd95..7a7ec6c 100644
--- a/series.conf
+++ b/series.conf
@@ -55243,6 +55243,7 @@ patches.suse/0001-media-ov519-add-missing-endpoint-sanity-checks.patch patches.suse/0001-media-stv06xx-add-missing-descriptor-sanity-checks.patch patches.suse/media-xirlink_cit-add-missing-descriptor-sanity-chec.patch + patches.suse/xhci-bail-out-early-if-driver-can-t-accress-host-in-.patch patches.suse/0001-usb-gadget-composite-Inform-controller-driver-of-sel.patch patches.suse/usb-musb-fix-crash-with-highmen-PIO-and-usbmon.patch patches.suse/USB-serial-digi_acceleport-remove-redundant-assignme.patch @@ -61893,7 +61894,10 @@ patches.suse/ALSA-pcm-oss-Fix-race-at-SNDCTL_DSP_SYNC.patch patches.suse/scsi-lpfc-Add-missing-destroy_workqueue-in-error-path.patch patches.suse/scsi-mpt3sas-Fix-use-after-free-warning.patch + patches.suse/msft-hv-2644-net-mana-Add-rmb-after-checking-owner-bits.patch patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch + patches.suse/Input-melfas_mip4-fix-return-value-check-in-mip4_pro.patch + patches.suse/usbnet-Fix-memory-leak-in-usbnet_disconnect.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -62518,6 +62522,7 @@ patches.suse/mpt3sas-fix-spectre-issues.patch patches.suse/osst-fix-spectre-issue-in-osst_verify_frame.patch patches.suse/media-dvb-core-Fix-UAF-due-to-refcount-races-at-rele.patch + patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch ######################################################## # Other drivers we have added to the tree