From 44308a6ad508a7580086055f1e1362d6ebe9b717 Mon Sep 17 00:00:00 2001 From: Michal Kubecek Date: Jul 15 2021 10:17:58 +0000 Subject: Merge branch 'SLE15-SP2' into SLE15-SP2_EMBARGO --- diff --git a/patches.suse/ACPI-EC-Make-more-Asus-laptops-use-ECDT-_GPE.patch b/patches.suse/ACPI-EC-Make-more-Asus-laptops-use-ECDT-_GPE.patch new file mode 100644 index 0000000..88796dc --- /dev/null +++ b/patches.suse/ACPI-EC-Make-more-Asus-laptops-use-ECDT-_GPE.patch @@ -0,0 +1,54 @@ +From 6306f0431914beaf220634ad36c08234006571d5 Mon Sep 17 00:00:00 2001 +From: Chris Chiu +Date: Thu, 20 May 2021 11:09:50 +0800 +Subject: [PATCH] ACPI: EC: Make more Asus laptops use ECDT _GPE +Git-commit: 6306f0431914beaf220634ad36c08234006571d5 +Patch-mainline: v5.14-rc1 +References: git-fixes + +More ASUS laptops have the _GPE define in the DSDT table with a +different value than the _GPE number in the ECDT. + +This is causing media keys not working on ASUS X505BA/BP, X542BA/BP + +Add model info to the quirks list. + +Signed-off-by: Chris Chiu +Signed-off-by: Jian-Hong Pan +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/ec.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 13565629ce0a..e8c5da2b964a 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1846,6 +1846,22 @@ static const struct dmi_system_id ec_dmi_table[] __initconst = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_PRODUCT_NAME, "GL702VMK"),}, NULL}, + { ++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X505BA", { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X505BA"),}, NULL}, ++ { ++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X505BP", { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X505BP"),}, NULL}, ++ { ++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X542BA", { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X542BA"),}, NULL}, ++ { ++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X542BP", { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X542BP"),}, NULL}, ++ { + ec_honor_ecdt_gpe, "ASUS X550VXK", { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_PRODUCT_NAME, "X550VXK"),}, NULL}, +-- +2.26.2 + diff --git a/patches.suse/ACPI-bus-Call-kobject_put-in-acpi_init-error-path.patch b/patches.suse/ACPI-bus-Call-kobject_put-in-acpi_init-error-path.patch new file mode 100644 index 0000000..6279e43 --- /dev/null +++ b/patches.suse/ACPI-bus-Call-kobject_put-in-acpi_init-error-path.patch @@ -0,0 +1,37 @@ +From 4ac7a817f1992103d4e68e9837304f860b5e7300 Mon Sep 17 00:00:00 2001 +From: Hanjun Guo +Date: Wed, 2 Jun 2021 17:36:50 +0800 +Subject: [PATCH] ACPI: bus: Call kobject_put() in acpi_init() error path +Git-commit: 4ac7a817f1992103d4e68e9837304f860b5e7300 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Although the system will not be in a good condition or it will not +boot if acpi_bus_init() fails, it is still necessary to put the +kobject in the error path before returning to avoid leaking memory. + +Signed-off-by: Hanjun Guo +[ rjw: Subject and changelog edits ] + +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/bus.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index a2e814a9ad99..c69470ec16b2 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -1330,6 +1330,7 @@ static int __init acpi_init(void) + + result = acpi_bus_init(); + if (result) { ++ kobject_put(acpi_kobj); + disable_acpi(); + return result; + } +-- +2.26.2 + diff --git a/patches.suse/ACPI-processor-idle-Fix-up-C-state-latency-if-not-or.patch b/patches.suse/ACPI-processor-idle-Fix-up-C-state-latency-if-not-or.patch new file mode 100644 index 0000000..44a18b3 --- /dev/null +++ b/patches.suse/ACPI-processor-idle-Fix-up-C-state-latency-if-not-or.patch @@ -0,0 +1,114 @@ +From 65ea8f2c6e230bdf71fed0137cf9e9d1b307db32 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 12 May 2021 17:15:14 -0500 +Subject: [PATCH] ACPI: processor idle: Fix up C-state latency if not ordered +Git-commit: 65ea8f2c6e230bdf71fed0137cf9e9d1b307db32 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Generally, the C-state latency is provided by the _CST method or +FADT, but some OEM platforms using AMD Picasso, Renoir, Van Gogh, +and Cezanne set the C2 latency greater than C3's which causes the +C2 state to be skipped. + +That will block the core entering PC6, which prevents S0ix working +properly on Linux systems. + +In other operating systems, the latency values are not validated and +this does not cause problems by skipping states. + +To avoid this issue on Linux, detect when latencies are not an +arithmetic progression and sort them. + +Link: https://gitlab.freedesktop.org/agd5f/linux/-/commit/026d186e4592c1ee9c1cb44295912d0294508725 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1230#note_712174 +Suggested-by: Prike Liang +Suggested-by: Alex Deucher +Signed-off-by: Mario Limonciello +[ rjw: Subject and changelog edits ] + +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/processor_idle.c | 40 +++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index 45a019619e4a..095c8aca141e 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -16,6 +16,7 @@ + #include + #include + #include /* need_resched() */ ++#include + #include + #include + #include +@@ -384,10 +385,37 @@ static void acpi_processor_power_verify_c3(struct acpi_processor *pr, + return; + } + ++static int acpi_cst_latency_cmp(const void *a, const void *b) ++{ ++ const struct acpi_processor_cx *x = a, *y = b; ++ ++ if (!(x->valid && y->valid)) ++ return 0; ++ if (x->latency > y->latency) ++ return 1; ++ if (x->latency < y->latency) ++ return -1; ++ return 0; ++} ++static void acpi_cst_latency_swap(void *a, void *b, int n) ++{ ++ struct acpi_processor_cx *x = a, *y = b; ++ u32 tmp; ++ ++ if (!(x->valid && y->valid)) ++ return; ++ tmp = x->latency; ++ x->latency = y->latency; ++ y->latency = tmp; ++} ++ + static int acpi_processor_power_verify(struct acpi_processor *pr) + { + unsigned int i; + unsigned int working = 0; ++ unsigned int last_latency = 0; ++ unsigned int last_type = 0; ++ bool buggy_latency = false; + + pr->power.timer_broadcast_on_state = INT_MAX; + +@@ -411,12 +439,24 @@ static int acpi_processor_power_verify(struct acpi_processor *pr) + } + if (!cx->valid) + continue; ++ if (cx->type >= last_type && cx->latency < last_latency) ++ buggy_latency = true; ++ last_latency = cx->latency; ++ last_type = cx->type; + + lapic_timer_check_state(i, pr, cx); + tsc_check_state(cx->type); + working++; + } + ++ if (buggy_latency) { ++ pr_notice("FW issue: working around C-state latencies out of order\n"); ++ sort(&pr->power.states[1], max_cstate, ++ sizeof(struct acpi_processor_cx), ++ acpi_cst_latency_cmp, ++ acpi_cst_latency_swap); ++ } ++ + lapic_timer_propagate_broadcast(pr); + + return (working); +-- +2.26.2 + diff --git a/patches.suse/ACPI-resources-Add-checks-for-ACPI-IRQ-override.patch b/patches.suse/ACPI-resources-Add-checks-for-ACPI-IRQ-override.patch new file mode 100644 index 0000000..bcfdf52 --- /dev/null +++ b/patches.suse/ACPI-resources-Add-checks-for-ACPI-IRQ-override.patch @@ -0,0 +1,83 @@ +From 0ec4e55e9f571f08970ed115ec0addc691eda613 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Wed, 9 Jun 2021 10:14:42 +0800 +Subject: [PATCH] ACPI: resources: Add checks for ACPI IRQ override +Git-commit: 0ec4e55e9f571f08970ed115ec0addc691eda613 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The laptop keyboard doesn't work on many MEDION notebooks, but the +keyboard works well under Windows and Unix. + +Through debugging, we found this log in the dmesg: + + ACPI: IRQ 1 override to edge, high + pnp 00:03: Plug and Play ACPI device, IDs PNP0303 (active) + + And we checked the IRQ definition in the DSDT, it is: + + IRQ (Level, ActiveLow, Exclusive, ) + {1} + +So the BIOS defines the keyboard IRQ to Level_Low, but the Linux +kernel override it to Edge_High. If the Linux kernel is modified +to skip the IRQ override, the keyboard will work normally. + +From the existing comment in acpi_dev_get_irqresource(), the override +function only needs to be called when IRQ() or IRQNoFlags() is used +to populate the resource descriptor, and according to Section 6.4.2.1 +of ACPI 6.4 [1], if IRQ() is empty or IRQNoFlags() is used, the IRQ +is High true, edge sensitive and non-shareable. ACPICA also assumes +that to be the case (see acpi_rs_set_irq[] in rsirq.c). + +In accordance with the above, check 3 additional conditions +(EdgeSensitive, ActiveHigh and Exclusive) when deciding whether or +not to treat an ACPI_RESOURCE_TYPE_IRQ resource as "legacy", in which +case the IRQ override is applicable to it. + +Link: https://uefi.org/specs/ACPI/6.4/06_Device_Configuration/Device_Configuration.html#irq-descriptor # [1] +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=213031 +Buglink: http://bugs.launchpad.net/bugs/1909814 +Suggested-by: Rafael J. Wysocki +Reported-by: Manuel Krause +Tested-by: Manuel Krause +Signed-off-by: Hui Wang +[ rjw: Subject rewrite, changelog edits ] + +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/resource.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index ee78a210c606..dc01fb550b28 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -423,6 +423,13 @@ static void acpi_dev_get_irqresource(struct resource *res, u32 gsi, + } + } + ++static bool irq_is_legacy(struct acpi_resource_irq *irq) ++{ ++ return irq->triggering == ACPI_EDGE_SENSITIVE && ++ irq->polarity == ACPI_ACTIVE_HIGH && ++ irq->shareable == ACPI_EXCLUSIVE; ++} ++ + /** + * acpi_dev_resource_interrupt - Extract ACPI interrupt resource information. + * @ares: Input ACPI resource object. +@@ -461,7 +468,7 @@ bool acpi_dev_resource_interrupt(struct acpi_resource *ares, int index, + } + acpi_dev_get_irqresource(res, irq->interrupts[index], + irq->triggering, irq->polarity, +- irq->shareable, true); ++ irq->shareable, irq_is_legacy(irq)); + break; + case ACPI_RESOURCE_TYPE_EXTENDED_IRQ: + ext_irq = &ares->data.extended_irq; +-- +2.26.2 + diff --git a/patches.suse/ACPICA-Fix-memory-leak-caused-by-_CID-repair-functio.patch b/patches.suse/ACPICA-Fix-memory-leak-caused-by-_CID-repair-functio.patch new file mode 100644 index 0000000..a3b50b6 --- /dev/null +++ b/patches.suse/ACPICA-Fix-memory-leak-caused-by-_CID-repair-functio.patch @@ -0,0 +1,55 @@ +From c27bac0314131b11bccd735f7e8415ac6444b667 Mon Sep 17 00:00:00 2001 +From: Erik Kaneda +Date: Fri, 4 Jun 2021 14:25:57 -0700 +Subject: [PATCH] ACPICA: Fix memory leak caused by _CID repair function +Git-commit: c27bac0314131b11bccd735f7e8415ac6444b667 +Patch-mainline: v5.14-rc1 +References: git-fixes + +ACPICA commit 180cb53963aa876c782a6f52cc155d951b26051a + +According to the ACPI spec, _CID returns a package containing +hardware ID's. Each element of an ASL package contains a reference +count from the parent package as well as the element itself. + +Name (TEST, Package() { + "String object" // this package element has a reference count of 2 +}) + +A memory leak was caused in the _CID repair function because it did +not decrement the reference count created by the package. Fix the +memory leak by calling acpi_ut_remove_reference on _CID package elements +that represent a hardware ID (_HID). + +Link: https://github.com/acpica/acpica/commit/180cb539 +Tested-by: Shawn Guo +Signed-off-by: Erik Kaneda +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/acpica/nsrepair2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/acpi/acpica/nsrepair2.c b/drivers/acpi/acpica/nsrepair2.c +index 14b71b41e845..38e10ab976e6 100644 +--- a/drivers/acpi/acpica/nsrepair2.c ++++ b/drivers/acpi/acpica/nsrepair2.c +@@ -379,6 +379,13 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info, + + (*element_ptr)->common.reference_count = + original_ref_count; ++ ++ /* ++ * The original_element holds a reference from the package object ++ * that represents _HID. Since a new element was created by _HID, ++ * remove the reference from the _CID package. ++ */ ++ acpi_ut_remove_reference(original_element); + } + + element_ptr++; +-- +2.26.2 + diff --git a/patches.suse/ALSA-hda-realtek-Add-another-ALC236-variant-support.patch b/patches.suse/ALSA-hda-realtek-Add-another-ALC236-variant-support.patch new file mode 100644 index 0000000..cbddb57 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Add-another-ALC236-variant-support.patch @@ -0,0 +1,126 @@ +From 1948fc065a89f18d057b8ffaef6d7242ad99edb8 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 18 Jun 2021 18:17:20 +0200 +Subject: [PATCH] ALSA: hda/realtek: Add another ALC236 variant support +Git-commit: 1948fc065a89f18d057b8ffaef6d7242ad99edb8 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The codec chip 10ec:0230 is another variant of ALC236, combined with a +card reader. Apply the equivalent setup as 10ec:0236. + +Buglink: https://bugzilla.suse.com/show_bug.cgi?id=1184869 +Cc: +Link: https://lore.kernel.org/r/20210618161720.28694-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -377,6 +377,7 @@ static void alc_fill_eapd_coef(struct hd + alc_update_coef_idx(codec, 0x67, 0xf000, 0x3000); + /* fallthrough */ + case 0x10ec0215: ++ case 0x10ec0230: + case 0x10ec0233: + case 0x10ec0235: + case 0x10ec0236: +@@ -3145,6 +3146,7 @@ static void alc_disable_headset_jack_key + alc_update_coef_idx(codec, 0x49, 0x0045, 0x0); + alc_update_coef_idx(codec, 0x44, 0x0045 << 8, 0x0); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_write_coef_idx(codec, 0x48, 0x0); +@@ -3172,6 +3174,7 @@ static void alc_enable_headset_jack_key( + alc_update_coef_idx(codec, 0x49, 0x007f, 0x0045); + alc_update_coef_idx(codec, 0x44, 0x007f << 8, 0x0045 << 8); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_write_coef_idx(codec, 0x48, 0xd011); +@@ -4673,6 +4676,7 @@ static void alc_headset_mode_unplugged(s + case 0x10ec0255: + alc_process_coef_fw(codec, coef0255); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_process_coef_fw(codec, coef0256); +@@ -4787,6 +4791,7 @@ static void alc_headset_mode_mic_in(stru + alc_process_coef_fw(codec, coef0255); + snd_hda_set_pin_ctl_cache(codec, mic_pin, PIN_VREF50); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_write_coef_idx(codec, 0x45, 0xc489); +@@ -4936,6 +4941,7 @@ static void alc_headset_mode_default(str + case 0x10ec0255: + alc_process_coef_fw(codec, coef0255); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_write_coef_idx(codec, 0x1b, 0x0e4b); +@@ -5034,6 +5040,7 @@ static void alc_headset_mode_ctia(struct + case 0x10ec0255: + alc_process_coef_fw(codec, coef0255); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_process_coef_fw(codec, coef0256); +@@ -5147,6 +5154,7 @@ static void alc_headset_mode_omtp(struct + case 0x10ec0255: + alc_process_coef_fw(codec, coef0255); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_process_coef_fw(codec, coef0256); +@@ -5247,6 +5255,7 @@ static void alc_determine_headset_type(s + val = alc_read_coef_idx(codec, 0x46); + is_ctia = (val & 0x0070) == 0x0070; + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_write_coef_idx(codec, 0x1b, 0x0e4b); +@@ -5540,6 +5549,7 @@ static void alc255_set_default_jack_type + case 0x10ec0255: + alc_process_coef_fw(codec, alc255fw); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_process_coef_fw(codec, alc256fw); +@@ -6128,6 +6138,7 @@ static void alc_combo_jack_hp_jd_restart + alc_update_coef_idx(codec, 0x4a, 0x8000, 1 << 15); /* Reset HP JD */ + alc_update_coef_idx(codec, 0x4a, 0x8000, 0 << 15); + break; ++ case 0x10ec0230: + case 0x10ec0235: + case 0x10ec0236: + case 0x10ec0255: +@@ -9133,6 +9144,7 @@ static int patch_alc269(struct hda_codec + spec->shutup = alc256_shutup; + spec->init_hook = alc256_init; + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + spec->codec_variant = ALC269_TYPE_ALC256; +@@ -10424,6 +10436,7 @@ static const struct hda_device_id snd_hd + HDA_CODEC_ENTRY(0x10ec0221, "ALC221", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0222, "ALC222", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0225, "ALC225", patch_alc269), ++ HDA_CODEC_ENTRY(0x10ec0230, "ALC236", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0231, "ALC231", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0233, "ALC233", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0234, "ALC234", patch_alc269), diff --git a/patches.suse/ALSA-hda-realtek-Fix-bass-speaker-DAC-mapping-for-As.patch b/patches.suse/ALSA-hda-realtek-Fix-bass-speaker-DAC-mapping-for-As.patch new file mode 100644 index 0000000..4345108 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Fix-bass-speaker-DAC-mapping-for-As.patch @@ -0,0 +1,45 @@ +From f8fbcdfb0665de60997d9746809e1704ed782bbc Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 20 Jun 2021 08:59:52 +0200 +Subject: [PATCH] ALSA: hda/realtek: Fix bass speaker DAC mapping for Asus UM431D +Git-commit: f8fbcdfb0665de60997d9746809e1704ed782bbc +Patch-mainline: v5.14-rc1 +References: git-fixes + +Asus Zenbook 14 UM431D has two speaker pins and a headphone pin, and +the auto-parser ends up assigning the bass to the third DAC 0x06. +Although the tone comes out, it's inconvenient because this DAC has no +volume control unlike two other DACs. + +For obtaining the volume control for the bass speaker, this patch +enforces the mapping to let both front and bass speaker pins sharing +the same DAC. It's not ideal but a little bit of improvement. + +Since we've already applied the same workaround for another ASUS +machine, we just need to hook the chain to the existing quirk. + +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=212547 +Cc: +Link: https://lore.kernel.org/r/20210620065952.18948-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 07eabcf22b5f..49f4cac8b05e 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7839,6 +7839,8 @@ static const struct hda_fixup alc269_fixups[] = { + { 0x20, AC_VERB_SET_PROC_COEF, 0x4e4b }, + { } + }, ++ .chained = true, ++ .chain_id = ALC289_FIXUP_ASUS_GA401, + }, + [ALC285_FIXUP_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, +-- +2.26.2 + diff --git a/patches.suse/ALSA-usb-audio-fix-rate-on-Ozone-Z90-USB-headset.patch b/patches.suse/ALSA-usb-audio-fix-rate-on-Ozone-Z90-USB-headset.patch new file mode 100644 index 0000000..9be93a4 --- /dev/null +++ b/patches.suse/ALSA-usb-audio-fix-rate-on-Ozone-Z90-USB-headset.patch @@ -0,0 +1,38 @@ +From aecc19ec404bdc745c781058ac97a373731c3089 Mon Sep 17 00:00:00 2001 +From: Daehwan Jung +Date: Wed, 16 Jun 2021 18:34:55 +0900 +Subject: [PATCH] ALSA: usb-audio: fix rate on Ozone Z90 USB headset +Git-commit: aecc19ec404bdc745c781058ac97a373731c3089 +Patch-mainline: v5.14-rc1 +References: git-fixes + +It mislabels its 96 kHz altsetting and that's why it causes some noise + +Signed-off-by: Daehwan Jung +Cc: +Link: https://lore.kernel.org/r/1623836097-61918-1-git-send-email-dh10.jung@samsung.com +Signed-off-by: Takashi Iwai + +--- + sound/usb/format.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/format.c b/sound/usb/format.c +index 2287f8c65315..eb216fef4ba7 100644 +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -223,9 +223,11 @@ static int parse_audio_format_rates_v1(struct snd_usb_audio *chip, struct audiof + continue; + /* C-Media CM6501 mislabels its 96 kHz altsetting */ + /* Terratec Aureon 7.1 USB C-Media 6206, too */ ++ /* Ozone Z90 USB C-Media, too */ + if (rate == 48000 && nr_rates == 1 && + (chip->usb_id == USB_ID(0x0d8c, 0x0201) || + chip->usb_id == USB_ID(0x0d8c, 0x0102) || ++ chip->usb_id == USB_ID(0x0d8c, 0x0078) || + chip->usb_id == USB_ID(0x0ccd, 0x00b1)) && + fp->altsetting == 5 && fp->maxpacksize == 392) + rate = 96000; +-- +2.26.2 + diff --git a/patches.suse/ALSA-usb-audio-scarlett2-Fix-wrong-resume-call.patch b/patches.suse/ALSA-usb-audio-scarlett2-Fix-wrong-resume-call.patch new file mode 100644 index 0000000..14e386f --- /dev/null +++ b/patches.suse/ALSA-usb-audio-scarlett2-Fix-wrong-resume-call.patch @@ -0,0 +1,83 @@ +From 785b6f29a795f109685f286b91e0250c206fbffb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 23 Jun 2021 02:30:49 +0930 +Subject: [PATCH] ALSA: usb-audio: scarlett2: Fix wrong resume call +Git-commit: 785b6f29a795f109685f286b91e0250c206fbffb +Patch-mainline: v5.14-rc1 +References: git-fixes + +The current way of the scarlett2 mixer code managing the +usb_mixer_elem_info object is wrong in two ways: it passes its +internal index to the head.id field, and the val_type field is +uninitialized. This ended up with the wrong execution at the resume +because a bogus unit id is passed wrongly. Also, in the later code +extensions, we'll have more mixer elements, and passing the index will +overflow the unit id size (of 256). + +This patch corrects those issues. It introduces a new value type, +USB_MIXER_BESPOKEN, which indicates a non-standard mixer element, and +use this type for all scarlett2 mixer elements, as well as +initializing the fixed unit id 0 for avoiding the overflow. + +Tested-by: Geoffrey D. Bennett +Signed-off-by: Geoffrey D. Bennett +Cc: +Link: https://lore.kernel.org/r/49721219f45b7e175e729b0d9d9c142fd8f4342a.1624379707.git.g@b4.vu +Signed-off-by: Takashi Iwai + +--- + sound/usb/mixer.c | 3 +++ + sound/usb/mixer.h | 1 + + sound/usb/mixer_scarlett_gen2.c | 7 ++++++- + 3 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 4ea4875abdf8..30b3e128e28d 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -3606,6 +3606,9 @@ static int restore_mixer_value(struct usb_mixer_elem_list *list) + struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list); + int c, err, idx; + ++ if (cval->val_type == USB_MIXER_BESPOKEN) ++ return 0; ++ + if (cval->cmask) { + idx = 0; + for (c = 0; c < MAX_CHANNELS; c++) { +diff --git a/sound/usb/mixer.h b/sound/usb/mixer.h +index e5a01f17bf3c..ea41e7a1f7bf 100644 +--- a/sound/usb/mixer.h ++++ b/sound/usb/mixer.h +@@ -55,6 +55,7 @@ enum { + USB_MIXER_U16, + USB_MIXER_S32, + USB_MIXER_U32, ++ USB_MIXER_BESPOKEN, /* non-standard type */ + }; + + typedef void (*usb_mixer_elem_dump_func_t)(struct snd_info_buffer *buffer, +diff --git a/sound/usb/mixer_scarlett_gen2.c b/sound/usb/mixer_scarlett_gen2.c +index dde008ea21d7..c4689c401d6e 100644 +--- a/sound/usb/mixer_scarlett_gen2.c ++++ b/sound/usb/mixer_scarlett_gen2.c +@@ -1136,10 +1136,15 @@ static int scarlett2_add_new_ctl(struct usb_mixer_interface *mixer, + if (!elem) + return -ENOMEM; + ++ /* We set USB_MIXER_BESPOKEN type, so that the core USB mixer code ++ * ignores them for resume and other operations. ++ * Also, the head.id field is set to 0, as we don't use this field. ++ */ + elem->head.mixer = mixer; + elem->control = index; +- elem->head.id = index; ++ elem->head.id = 0; + elem->channels = channels; ++ elem->val_type = USB_MIXER_BESPOKEN; + + kctl = snd_ctl_new1(ncontrol, elem); + if (!kctl) { +-- +2.26.2 + diff --git a/patches.suse/ASoC-Intel-bytcr_rt5640-Fix-HP-Pavilion-x2-10-p0XX-O.patch b/patches.suse/ASoC-Intel-bytcr_rt5640-Fix-HP-Pavilion-x2-10-p0XX-O.patch index 608ea73..a1c88fd 100644 --- a/patches.suse/ASoC-Intel-bytcr_rt5640-Fix-HP-Pavilion-x2-10-p0XX-O.patch +++ b/patches.suse/ASoC-Intel-bytcr_rt5640-Fix-HP-Pavilion-x2-10-p0XX-O.patch @@ -3,6 +3,7 @@ From: Hans de Goede Date: Wed, 24 Feb 2021 11:50:52 +0100 Subject: [PATCH] ASoC: Intel: bytcr_rt5640: Fix HP Pavilion x2 10-p0XX OVCD current threshold Git-commit: ca08ddfd961d2a17208d9182e0ee5791b39bd8bf +No-fix: 1045a5c04e16716870cc953872e703258e7896de Patch-mainline: v5.12-rc4 References: git-fixes diff --git a/patches.suse/ASoC-ak4458-Add-MODULE_DEVICE_TABLE.patch b/patches.suse/ASoC-ak4458-Add-MODULE_DEVICE_TABLE.patch index 33dd1ba..436db65 100644 --- a/patches.suse/ASoC-ak4458-Add-MODULE_DEVICE_TABLE.patch +++ b/patches.suse/ASoC-ak4458-Add-MODULE_DEVICE_TABLE.patch @@ -3,6 +3,7 @@ From: Shengjiu Wang Date: Wed, 24 Feb 2021 14:57:51 +0800 Subject: [PATCH] ASoC: ak4458: Add MODULE_DEVICE_TABLE Git-commit: 4ec5b96775a88dd9b1c3ba1d23c43c478cab95a2 +No-fix: f84b4524005238fc9fd5cf615bb426fa40a99494 Patch-mainline: v5.12-rc4 References: git-fixes diff --git a/patches.suse/ASoC-ak5558-Add-MODULE_DEVICE_TABLE.patch b/patches.suse/ASoC-ak5558-Add-MODULE_DEVICE_TABLE.patch index 45c4f17..a115708 100644 --- a/patches.suse/ASoC-ak5558-Add-MODULE_DEVICE_TABLE.patch +++ b/patches.suse/ASoC-ak5558-Add-MODULE_DEVICE_TABLE.patch @@ -3,6 +3,7 @@ From: Shengjiu Wang Date: Wed, 24 Feb 2021 14:57:52 +0800 Subject: [PATCH] ASoC: ak5558: Add MODULE_DEVICE_TABLE Git-commit: 80cffd2468ddb850e678f17841fc356930b2304a +No-fix: 741c8397e5d0b339fb3e614a9ff5cb4bf7ae1a65 Patch-mainline: v5.12-rc4 References: git-fixes diff --git a/patches.suse/HID-do-not-use-down_interruptible-when-unbinding-dev.patch b/patches.suse/HID-do-not-use-down_interruptible-when-unbinding-dev.patch new file mode 100644 index 0000000..ecf2687 --- /dev/null +++ b/patches.suse/HID-do-not-use-down_interruptible-when-unbinding-dev.patch @@ -0,0 +1,53 @@ +From f2145f8dc566c4f3b5a8deb58dcd12bed4e20194 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 19 Mar 2021 17:27:16 -0700 +Subject: [PATCH] HID: do not use down_interruptible() when unbinding devices +Git-commit: f2145f8dc566c4f3b5a8deb58dcd12bed4e20194 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Action of unbinding driver from a device is not cancellable and should not +fail, and driver core does not pay attention to the result of "remove" +method, therefore using down_interruptible() in hid_device_remove() does +not make sense. + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-core.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 0ae9f6df59d1..ff695ec520f8 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -2303,12 +2303,8 @@ static int hid_device_remove(struct device *dev) + { + struct hid_device *hdev = to_hid_device(dev); + struct hid_driver *hdrv; +- int ret = 0; + +- if (down_interruptible(&hdev->driver_input_lock)) { +- ret = -EINTR; +- goto end; +- } ++ down(&hdev->driver_input_lock); + hdev->io_started = false; + + hdrv = hdev->driver; +@@ -2323,8 +2319,8 @@ static int hid_device_remove(struct device *dev) + + if (!hdev->io_started) + up(&hdev->driver_input_lock); +-end: +- return ret; ++ ++ return 0; + } + + static ssize_t modalias_show(struct device *dev, struct device_attribute *a, +-- +2.26.2 + diff --git a/patches.suse/HID-wacom-Correct-base-usage-for-capacitive-ExpressK.patch b/patches.suse/HID-wacom-Correct-base-usage-for-capacitive-ExpressK.patch new file mode 100644 index 0000000..14444f6 --- /dev/null +++ b/patches.suse/HID-wacom-Correct-base-usage-for-capacitive-ExpressK.patch @@ -0,0 +1,35 @@ +From 424d8237945c6c448c8b3f23885d464fb5685c97 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Wed, 23 Jun 2021 09:58:09 -0700 +Subject: [PATCH] HID: wacom: Correct base usage for capacitive ExpressKey status bits +Git-commit: 424d8237945c6c448c8b3f23885d464fb5685c97 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The capacitive status of ExpressKeys is reported with usages beginning +at 0x940, not 0x950. Bring our driver into alignment with reality. + +Signed-off-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/wacom_wac.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h +index 71c886245dbf..8f16654eca09 100644 +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -122,7 +122,7 @@ + #define WACOM_HID_WD_TOUCHONOFF (WACOM_HID_UP_WACOMDIGITIZER | 0x0454) + #define WACOM_HID_WD_BATTERY_LEVEL (WACOM_HID_UP_WACOMDIGITIZER | 0x043b) + #define WACOM_HID_WD_EXPRESSKEY00 (WACOM_HID_UP_WACOMDIGITIZER | 0x0910) +-#define WACOM_HID_WD_EXPRESSKEYCAP00 (WACOM_HID_UP_WACOMDIGITIZER | 0x0950) ++#define WACOM_HID_WD_EXPRESSKEYCAP00 (WACOM_HID_UP_WACOMDIGITIZER | 0x0940) + #define WACOM_HID_WD_MODE_CHANGE (WACOM_HID_UP_WACOMDIGITIZER | 0x0980) + #define WACOM_HID_WD_MUTE_DEVICE (WACOM_HID_UP_WACOMDIGITIZER | 0x0981) + #define WACOM_HID_WD_CONTROLPANEL (WACOM_HID_UP_WACOMDIGITIZER | 0x0982) +-- +2.26.2 + diff --git a/patches.suse/USB-cdc-acm-blacklist-Heimann-USB-Appset-device.patch b/patches.suse/USB-cdc-acm-blacklist-Heimann-USB-Appset-device.patch new file mode 100644 index 0000000..0813c19 --- /dev/null +++ b/patches.suse/USB-cdc-acm-blacklist-Heimann-USB-Appset-device.patch @@ -0,0 +1,48 @@ +From 4897807753e078655a78de39ed76044d784f3e63 Mon Sep 17 00:00:00 2001 +From: Hannu Hartikainen +Date: Tue, 22 Jun 2021 17:14:54 +0300 +Subject: [PATCH] USB: cdc-acm: blacklist Heimann USB Appset device +Git-commit: 4897807753e078655a78de39ed76044d784f3e63 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The device (32a7:0000 Heimann Sensor GmbH USB appset demo) claims to be +a CDC-ACM device in its descriptors but in fact is not. If it is run +with echo disabled it returns garbled data, probably due to something +that happens in the TTY layer. And when run with echo enabled (the +default), it will mess up the calibration data of the sensor the first +time any data is sent to the device. + +In short, I had a bad time after connecting the sensor and trying to get +it to work. I hope blacklisting it in the cdc-acm driver will save +someone else a bit of trouble. + +Signed-off-by: Hannu Hartikainen +Cc: stable +Link: https://lore.kernel.org/r/20210622141454.337948-1-hannu@hrtk.in +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/class/cdc-acm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index ca7a61190dd9..d50b606d09aa 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1959,6 +1959,11 @@ static const struct usb_device_id acm_ids[] = { + .driver_info = IGNORE_DEVICE, + }, + ++ /* Exclude Heimann Sensor GmbH USB appset demo */ ++ { USB_DEVICE(0x32a7, 0x0000), ++ .driver_info = IGNORE_DEVICE, ++ }, ++ + /* control interfaces without any protocol set */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM, + USB_CDC_PROTO_NONE) }, +-- +2.26.2 + diff --git a/patches.suse/ath9k-Fix-kernel-NULL-pointer-dereference-during-ath.patch b/patches.suse/ath9k-Fix-kernel-NULL-pointer-dereference-during-ath.patch new file mode 100644 index 0000000..5fc180c --- /dev/null +++ b/patches.suse/ath9k-Fix-kernel-NULL-pointer-dereference-during-ath.patch @@ -0,0 +1,121 @@ +From fb312ac5ccb007e843f982b38d4d6886ba4b32f2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Mon, 31 May 2021 17:41:27 +0300 +Subject: [PATCH] ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: fb312ac5ccb007e843f982b38d4d6886ba4b32f2 +Patch-mainline: v5.14-rc1 +References: git-fixes + +I got this crash more times during debugging of PCIe controller and crash +happens somehow at the time when PCIe kernel code started link retraining (as +part of ASPM code) when at the same time PCIe link went down and ath9k probably +executed hw reset procedure. + +Currently I'm not able to reproduce this issue as it looks like to be +some race condition between link training, ASPM, link down and reset +path. And as always, race conditions which depends on more input +parameters are hard to reproduce as it depends on precise timings. + +But it is clear that pointers are zero in this case and should be +properly filled as same code pattern is used in ath9k_stop() function. +Anyway I was able to reproduce this crash by manually triggering ath +reset worker prior putting card up. I created simple patch to export +reset functionality via debugfs and use it to "simulate" of triggering +reset. s proved that NULL-pointer dereference issue is there. + +Function ath9k_hw_reset() is dereferencing chan structure pointer, so it +needs to be non-NULL pointer. + +Function ath9k_stop() already contains code which sets ah->curchan to valid +non-NULL pointer prior calling ath9k_hw_reset() function. + +Add same code pattern also into ath_reset_internal() function to prevent +kernel NULL pointer dereference in ath9k_hw_reset() function. + +This change fixes kernel NULL pointer dereference in ath9k_hw_reset() which +is caused by calling ath9k_hw_reset() from ath_reset_internal() with NULL +chan structure. + + [ 45.334305] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 + [ 45.344417] Mem abort info: + [ 45.347301] ESR = 0x96000005 + [ 45.350448] EC = 0x25: DABT (current EL), IL = 32 bits + [ 45.356166] SET = 0, FnV = 0 + [ 45.359350] EA = 0, S1PTW = 0 + [ 45.362596] Data abort info: + [ 45.365756] ISV = 0, ISS = 0x00000005 + [ 45.369735] CM = 0, WnR = 0 + [ 45.372814] user pgtable: 4k pages, 39-bit VAs, pgdp=000000000685d000 + [ 45.379663] [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 + [ 45.388856] Internal error: Oops: 96000005 [#1] SMP + [ 45.393897] Modules linked in: ath9k ath9k_common ath9k_hw + [ 45.399574] CPU: 1 PID: 309 Comm: kworker/u4:2 Not tainted 5.12.0-rc2-dirty #785 + [ 45.414746] Workqueue: phy0 ath_reset_work [ath9k] + [ 45.419713] pstate: 40000005 (nZcv daif -PAN -UAO -TCO BTYPE=--) + [ 45.425910] pc : ath9k_hw_reset+0xc4/0x1c48 [ath9k_hw] + [ 45.431234] lr : ath9k_hw_reset+0xc0/0x1c48 [ath9k_hw] + [ 45.436548] sp : ffffffc0118dbca0 + [ 45.439961] x29: ffffffc0118dbca0 x28: 0000000000000000 + [ 45.445442] x27: ffffff800dee4080 x26: 0000000000000000 + [ 45.450923] x25: ffffff800df9b9d8 x24: 0000000000000000 + [ 45.456404] x23: ffffffc0115f6000 x22: ffffffc008d0d408 + [ 45.461885] x21: ffffff800dee5080 x20: ffffff800df9b9d8 + [ 45.467366] x19: 0000000000000000 x18: 0000000000000000 + [ 45.472846] x17: 0000000000000000 x16: 0000000000000000 + [ 45.478326] x15: 0000000000000010 x14: ffffffffffffffff + [ 45.483807] x13: ffffffc0918db94f x12: ffffffc011498720 + [ 45.489289] x11: 0000000000000003 x10: ffffffc0114806e0 + [ 45.494770] x9 : ffffffc01014b2ec x8 : 0000000000017fe8 + [ 45.500251] x7 : c0000000ffffefff x6 : 0000000000000001 + [ 45.505733] x5 : 0000000000000000 x4 : 0000000000000000 + [ 45.511213] x3 : 0000000000000000 x2 : ffffff801fece870 + [ 45.516693] x1 : ffffffc00eded000 x0 : 000000000000003f + [ 45.522174] Call trace: + [ 45.524695] ath9k_hw_reset+0xc4/0x1c48 [ath9k_hw] + [ 45.529653] ath_reset_internal+0x1a8/0x2b8 [ath9k] + [ 45.534696] ath_reset_work+0x2c/0x40 [ath9k] + [ 45.539198] process_one_work+0x210/0x480 + [ 45.543339] worker_thread+0x5c/0x510 + [ 45.547115] kthread+0x12c/0x130 + [ 45.550445] ret_from_fork+0x10/0x1c + [ 45.554138] Code: 910922c2 9117e021 95ff0398 b4000294 (b9400a61) + [ 45.560430] ---[ end trace 566410ba90b50e8b ]--- + [ 45.565193] Kernel panic - not syncing: Oops: Fatal exception in interrupt + [ 45.572282] SMP: stopping secondary CPUs + [ 45.576331] Kernel Offset: disabled + [ 45.579924] CPU features: 0x00040002,0000200c + [ 45.584416] Memory Limit: none + [ 45.587564] Rebooting in 3 seconds.. + +Signed-off-by: Pali Rohár +Cc: stable@vger.kernel.org +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210402122653.24014-1-pali@kernel.org +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ath9k/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index 45f6402478b5..97c3a53f9cef 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -307,6 +307,11 @@ static int ath_reset_internal(struct ath_softc *sc, struct ath9k_channel *hchan) + hchan = ah->curchan; + } + ++ if (!hchan) { ++ fastcc = false; ++ hchan = ath9k_cmn_get_channel(sc->hw, ah, &sc->cur_chan->chandef); ++ } ++ + if (!ath_prepare_reset(sc)) + fastcc = false; + +-- +2.26.2 + diff --git a/patches.suse/clocksource-Retry-clock-read-if-long-delays-detected.patch b/patches.suse/clocksource-Retry-clock-read-if-long-delays-detected.patch new file mode 100644 index 0000000..c1097d0 --- /dev/null +++ b/patches.suse/clocksource-Retry-clock-read-if-long-delays-detected.patch @@ -0,0 +1,144 @@ +From db3a34e17433de2390eb80d436970edcebd0ca3e Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Thu, 27 May 2021 12:01:19 -0700 +Subject: [PATCH] clocksource: Retry clock read if long delays detected +Git-commit: db3a34e17433de2390eb80d436970edcebd0ca3e +Patch-mainline: v5.14-rc1 +References: git-fixes + +When the clocksource watchdog marks a clock as unstable, this might be due +to that clock being unstable or it might be due to delays that happen to +occur between the reads of the two clocks. Yes, interrupts are disabled +across those two reads, but there are no shortage of things that can delay +interrupts-disabled regions of code ranging from SMI handlers to vCPU +preemption. It would be good to have some indication as to why the clock +was marked unstable. + +Therefore, re-read the watchdog clock on either side of the read from the +clock under test. If the watchdog clock shows an excessive time delta +between its pair of reads, the reads are retried. + +The maximum number of retries is specified by a new kernel boot parameter +clocksource.max_cswd_read_retries, which defaults to three, that is, up to +four reads, one initial and up to three retries. If more than one retry +was required, a message is printed on the console (the occasional single +retry is expected behavior, especially in guest OSes). If the maximum +number of retries is exceeded, the clock under test will be marked +unstable. However, the probability of this happening due to various sorts +of delays is quite small. In addition, the reason (clock-read delays) for +the unstable marking will be apparent. + +Reported-by: Chris Mason +Signed-off-by: Paul E. McKenney +Signed-off-by: Thomas Gleixner +Acked-by: Feng Tang +Link: https://lore.kernel.org/r/20210527190124.440372-1-paulmck@kernel.org +Acked-by: Takashi Iwai + +--- + .../admin-guide/kernel-parameters.txt | 6 +++ + kernel/time/clocksource.c | 53 ++++++++++++++++--- + 2 files changed, 53 insertions(+), 6 deletions(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index cb89dbdedc46..995deccc28bc 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -581,6 +581,12 @@ + loops can be debugged more effectively on production + systems. + ++ clocksource.max_cswd_read_retries= [KNL] ++ Number of clocksource_watchdog() retries due to ++ external delays before the clock will be marked ++ unstable. Defaults to three retries, that is, ++ four attempts to read the clock under test. ++ + clearcpuid=BITNUM[,BITNUM...] [X86] + Disable CPUID feature X for the kernel. See + arch/x86/include/asm/cpufeatures.h for the valid bit +diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c +index 2cd902592fc1..43243f2be98e 100644 +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -124,6 +124,13 @@ static void __clocksource_change_rating(struct clocksource *cs, int rating); + #define WATCHDOG_INTERVAL (HZ >> 1) + #define WATCHDOG_THRESHOLD (NSEC_PER_SEC >> 4) + ++/* ++ * Maximum permissible delay between two readouts of the watchdog ++ * clocksource surrounding a read of the clocksource being validated. ++ * This delay could be due to SMIs, NMIs, or to VCPU preemptions. ++ */ ++#define WATCHDOG_MAX_SKEW (100 * NSEC_PER_USEC) ++ + static void clocksource_watchdog_work(struct work_struct *work) + { + /* +@@ -184,12 +191,45 @@ void clocksource_mark_unstable(struct clocksource *cs) + spin_unlock_irqrestore(&watchdog_lock, flags); + } + ++static ulong max_cswd_read_retries = 3; ++module_param(max_cswd_read_retries, ulong, 0644); ++ ++static bool cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow) ++{ ++ unsigned int nretries; ++ u64 wd_end, wd_delta; ++ int64_t wd_delay; ++ ++ for (nretries = 0; nretries <= max_cswd_read_retries; nretries++) { ++ local_irq_disable(); ++ *wdnow = watchdog->read(watchdog); ++ *csnow = cs->read(cs); ++ wd_end = watchdog->read(watchdog); ++ local_irq_enable(); ++ ++ wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask); ++ wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult, ++ watchdog->shift); ++ if (wd_delay <= WATCHDOG_MAX_SKEW) { ++ if (nretries > 1 || nretries >= max_cswd_read_retries) { ++ pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n", ++ smp_processor_id(), watchdog->name, nretries); ++ } ++ return true; ++ } ++ } ++ ++ pr_warn("timekeeping watchdog on CPU%d: %s read-back delay of %lldns, attempt %d, marking unstable\n", ++ smp_processor_id(), watchdog->name, wd_delay, nretries); ++ return false; ++} ++ + static void clocksource_watchdog(struct timer_list *unused) + { +- struct clocksource *cs; + u64 csnow, wdnow, cslast, wdlast, delta; +- int64_t wd_nsec, cs_nsec; + int next_cpu, reset_pending; ++ int64_t wd_nsec, cs_nsec; ++ struct clocksource *cs; + + spin_lock(&watchdog_lock); + if (!watchdog_running) +@@ -206,10 +246,11 @@ static void clocksource_watchdog(struct timer_list *unused) + continue; + } + +- local_irq_disable(); +- csnow = cs->read(cs); +- wdnow = watchdog->read(watchdog); +- local_irq_enable(); ++ if (!cs_watchdog_read(cs, &csnow, &wdnow)) { ++ /* Clock readout unreliable, so give it up. */ ++ __clocksource_unstable(cs); ++ continue; ++ } + + /* Clocksource initialized ? */ + if (!(cs->flags & CLOCK_SOURCE_WATCHDOG) || +-- +2.26.2 + diff --git a/patches.suse/crypto-ccp-Fix-a-resource-leak-in-an-error-handling-.patch b/patches.suse/crypto-ccp-Fix-a-resource-leak-in-an-error-handling-.patch new file mode 100644 index 0000000..8db9694 --- /dev/null +++ b/patches.suse/crypto-ccp-Fix-a-resource-leak-in-an-error-handling-.patch @@ -0,0 +1,51 @@ +From a6f8e68e238a15bb15f1726b35c695136c64eaba Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sun, 16 May 2021 08:58:04 +0200 +Subject: [PATCH] crypto: ccp - Fix a resource leak in an error handling path +Git-commit: a6f8e68e238a15bb15f1726b35c695136c64eaba +Patch-mainline: v5.14-rc1 +References: git-fixes + +If an error occurs after calling 'sp_get_irqs()', 'sp_free_irqs()' must be +called as already done in the error handling path. + +Fixes: f4d18d656f88 ("crypto: ccp - Abstract interrupt registeration") +Signed-off-by: Christophe JAILLET +Acked-by: John Allen +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/ccp/sp-pci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c +index f468594ef8af..6fb6ba35f89d 100644 +--- a/drivers/crypto/ccp/sp-pci.c ++++ b/drivers/crypto/ccp/sp-pci.c +@@ -222,7 +222,7 @@ static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + if (ret) { + dev_err(dev, "dma_set_mask_and_coherent failed (%d)\n", + ret); +- goto e_err; ++ goto free_irqs; + } + } + +@@ -230,10 +230,12 @@ static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + + ret = sp_init(sp); + if (ret) +- goto e_err; ++ goto free_irqs; + + return 0; + ++free_irqs: ++ sp_free_irqs(sp); + e_err: + dev_notice(dev, "initialization failed\n"); + return ret; +-- +2.26.2 + diff --git a/patches.suse/crypto-ixp4xx-dma_unmap-the-correct-address.patch b/patches.suse/crypto-ixp4xx-dma_unmap-the-correct-address.patch new file mode 100644 index 0000000..19c917e --- /dev/null +++ b/patches.suse/crypto-ixp4xx-dma_unmap-the-correct-address.patch @@ -0,0 +1,38 @@ +From 9395c58fdddd79cdd3882132cdd04e8ac7ad525f Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Wed, 5 May 2021 20:26:08 +0000 +Subject: [PATCH] crypto: ixp4xx - dma_unmap the correct address +Git-commit: 9395c58fdddd79cdd3882132cdd04e8ac7ad525f +Patch-mainline: v5.14-rc1 +References: git-fixes + +Testing ixp4xx_crypto with CONFIG_DMA_API_DEBUG lead to the following error: +Dma-api: platform ixp4xx_crypto.0: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=24 bytes] + +This is due to dma_unmap using the wrong address. + +Fixes: 0d44dc59b2b4 ("crypto: ixp4xx - Fix handling of chained sg buffers") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/ixp4xx_crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c +index 0616e369522e..ed3deaa5ed2b 100644 +--- a/drivers/crypto/ixp4xx_crypto.c ++++ b/drivers/crypto/ixp4xx_crypto.c +@@ -330,7 +330,7 @@ static void free_buf_chain(struct device *dev, struct buffer_desc *buf, + + buf1 = buf->next; + phys1 = buf->phys_next; +- dma_unmap_single(dev, buf->phys_next, buf->buf_len, buf->dir); ++ dma_unmap_single(dev, buf->phys_addr, buf->buf_len, buf->dir); + dma_pool_free(buffer_pool, buf, phys); + buf = buf1; + phys = phys1; +-- +2.26.2 + diff --git a/patches.suse/crypto-nitrox-fix-unchecked-variable-in-nitrox_regis.patch b/patches.suse/crypto-nitrox-fix-unchecked-variable-in-nitrox_regis.patch new file mode 100644 index 0000000..b70046d --- /dev/null +++ b/patches.suse/crypto-nitrox-fix-unchecked-variable-in-nitrox_regis.patch @@ -0,0 +1,38 @@ +From 57c126661f50b884d3812e7db6e00f2e778eccfb Mon Sep 17 00:00:00 2001 +From: Tong Tiangen +Date: Tue, 1 Jun 2021 18:01:55 +0800 +Subject: [PATCH] crypto: nitrox - fix unchecked variable in nitrox_register_interrupts +Git-commit: 57c126661f50b884d3812e7db6e00f2e778eccfb +Patch-mainline: v5.14-rc1 +References: git-fixes + +Function nitrox_register_interrupts leaves variable 'nr_vecs' unchecked, which +would be use as kcalloc parameter later. + +Fixes: 5155e118dda9 ("crypto: cavium/nitrox - use pci_alloc_irq_vectors() while enabling MSI-X.") +Signed-off-by: Tong Tiangen +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/cavium/nitrox/nitrox_isr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/crypto/cavium/nitrox/nitrox_isr.c b/drivers/crypto/cavium/nitrox/nitrox_isr.c +index c288c4b51783..f19e520da6d0 100644 +--- a/drivers/crypto/cavium/nitrox/nitrox_isr.c ++++ b/drivers/crypto/cavium/nitrox/nitrox_isr.c +@@ -307,6 +307,10 @@ int nitrox_register_interrupts(struct nitrox_device *ndev) + * Entry 192: NPS_CORE_INT_ACTIVE + */ + nr_vecs = pci_msix_vec_count(pdev); ++ if (nr_vecs < 0) { ++ dev_err(DEV(ndev), "Error in getting vec count %d\n", nr_vecs); ++ return nr_vecs; ++ } + + /* Enable MSI-X */ + ret = pci_alloc_irq_vectors(pdev, nr_vecs, nr_vecs, PCI_IRQ_MSIX); +-- +2.26.2 + diff --git a/patches.suse/crypto-nx-add-missing-MODULE_DEVICE_TABLE.patch b/patches.suse/crypto-nx-add-missing-MODULE_DEVICE_TABLE.patch new file mode 100644 index 0000000..428878c --- /dev/null +++ b/patches.suse/crypto-nx-add-missing-MODULE_DEVICE_TABLE.patch @@ -0,0 +1,36 @@ +From 06676aa1f455c74e3ad1624cea3acb9ed2ef71ae Mon Sep 17 00:00:00 2001 +From: Bixuan Cui +Date: Sat, 8 May 2021 11:14:55 +0800 +Subject: [PATCH] crypto: nx - add missing MODULE_DEVICE_TABLE +Git-commit: 06676aa1f455c74e3ad1624cea3acb9ed2ef71ae +Patch-mainline: v5.14-rc1 +References: git-fixes + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Bixuan Cui +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/nx/nx-842-pseries.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c +index cc8dd3072b8b..8ee547ee378e 100644 +--- a/drivers/crypto/nx/nx-842-pseries.c ++++ b/drivers/crypto/nx/nx-842-pseries.c +@@ -1069,6 +1069,7 @@ static const struct vio_device_id nx842_vio_driver_ids[] = { + {"ibm,compression-v1", "ibm,compression"}, + {"", ""}, + }; ++MODULE_DEVICE_TABLE(vio, nx842_vio_driver_ids); + + static struct vio_driver nx842_vio_driver = { + .name = KBUILD_MODNAME, +-- +2.26.2 + diff --git a/patches.suse/crypto-omap-sham-Fix-PM-reference-leak-in-omap-sham-.patch b/patches.suse/crypto-omap-sham-Fix-PM-reference-leak-in-omap-sham-.patch new file mode 100644 index 0000000..2fe893a --- /dev/null +++ b/patches.suse/crypto-omap-sham-Fix-PM-reference-leak-in-omap-sham-.patch @@ -0,0 +1,48 @@ +From ca323b2c61ec321eb9f2179a405b9c34cdb4f553 Mon Sep 17 00:00:00 2001 +From: Zhang Qilong +Date: Tue, 1 Jun 2021 22:51:18 +0800 +Subject: [PATCH] crypto: omap-sham - Fix PM reference leak in omap sham ops +Git-commit: ca323b2c61ec321eb9f2179a405b9c34cdb4f553 +Patch-mainline: v5.14-rc1 +References: git-fixes + +pm_runtime_get_sync will increment pm usage counter +even it failed. Forgetting to putting operation will +result in reference leak here. We fix it by replacing +it with pm_runtime_resume_and_get to keep usage counter +balanced. + +Fixes: 604c31039dae4 ("crypto: omap-sham - Check for return value from pm_runtime_get_sync") +Signed-off-by: Zhang Qilong +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/omap-sham.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c +index ae0d320d3c60..dd53ad9987b0 100644 +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -372,7 +372,7 @@ static int omap_sham_hw_init(struct omap_sham_dev *dd) + { + int err; + +- err = pm_runtime_get_sync(dd->dev); ++ err = pm_runtime_resume_and_get(dd->dev); + if (err < 0) { + dev_err(dd->dev, "failed to get sync: %d\n", err); + return err; +@@ -2244,7 +2244,7 @@ static int omap_sham_suspend(struct device *dev) + + static int omap_sham_resume(struct device *dev) + { +- int err = pm_runtime_get_sync(dev); ++ int err = pm_runtime_resume_and_get(dev); + if (err < 0) { + dev_err(dev, "failed to get sync: %d\n", err); + return err; +-- +2.26.2 + diff --git a/patches.suse/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch b/patches.suse/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch new file mode 100644 index 0000000..08e7b8c --- /dev/null +++ b/patches.suse/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch @@ -0,0 +1,47 @@ +From 96b57229209490c8bca4335b01a426a96173dc56 Mon Sep 17 00:00:00 2001 +From: Jack Xu +Date: Mon, 17 May 2021 05:13:15 -0400 +Subject: [PATCH] crypto: qat - check return code of qat_hal_rd_rel_reg() +Git-commit: 96b57229209490c8bca4335b01a426a96173dc56 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Check the return code of the function qat_hal_rd_rel_reg() and return it +to the caller. + +This is to fix the following warning when compiling the driver with +clang scan-build: + + drivers/crypto/qat/qat_common/qat_hal.c:1436:2: warning: 6th function call argument is an uninitialized value + +Signed-off-by: Jack Xu +Co-developed-by: Zhehui Xiang +Signed-off-by: Zhehui Xiang +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/qat/qat_common/qat_hal.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/qat/qat_common/qat_hal.c b/drivers/crypto/qat/qat_common/qat_hal.c +index ed9b81347144..12ca6b8764aa 100644 +--- a/drivers/crypto/qat/qat_common/qat_hal.c ++++ b/drivers/crypto/qat/qat_common/qat_hal.c +@@ -1417,7 +1417,11 @@ static int qat_hal_put_rel_wr_xfer(struct icp_qat_fw_loader_handle *handle, + pr_err("QAT: bad xfrAddr=0x%x\n", xfr_addr); + return -EINVAL; + } +- qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval); ++ status = qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval); ++ if (status) { ++ pr_err("QAT: failed to read register"); ++ return status; ++ } + gpr_addr = qat_hal_get_reg_addr(ICP_GPB_REL, gprnum); + data16low = 0xffff & data; + data16hi = 0xffff & (data >> 0x10); +-- +2.26.2 + diff --git a/patches.suse/crypto-qat-remove-unused-macro-in-FW-loader.patch b/patches.suse/crypto-qat-remove-unused-macro-in-FW-loader.patch new file mode 100644 index 0000000..0b98c66 --- /dev/null +++ b/patches.suse/crypto-qat-remove-unused-macro-in-FW-loader.patch @@ -0,0 +1,42 @@ +From 9afe77cf25d9670e61b489fd52cc6f75fd7f6803 Mon Sep 17 00:00:00 2001 +From: Jack Xu +Date: Mon, 17 May 2021 05:13:16 -0400 +Subject: [PATCH] crypto: qat - remove unused macro in FW loader +Git-commit: 9afe77cf25d9670e61b489fd52cc6f75fd7f6803 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Remove the unused macro ICP_DH895XCC_PESRAM_BAR_SIZE in the firmware +loader. + +This is to fix the following warning when compiling the driver using the +clang compiler with CC=clang W=2: + + drivers/crypto/qat/qat_common/qat_uclo.c:345:9: warning: macro is not used [-Wunused-macros] + +Signed-off-by: Jack Xu +Co-developed-by: Zhehui Xiang +Signed-off-by: Zhehui Xiang +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/qat/qat_common/qat_uclo.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/crypto/qat/qat_common/qat_uclo.c b/drivers/crypto/qat/qat_common/qat_uclo.c +index ed1343bb36ac..2026cc6be8f0 100644 +--- a/drivers/crypto/qat/qat_common/qat_uclo.c ++++ b/drivers/crypto/qat/qat_common/qat_uclo.c +@@ -342,7 +342,6 @@ static int qat_uclo_init_umem_seg(struct icp_qat_fw_loader_handle *handle, + return 0; + } + +-#define ICP_DH895XCC_PESRAM_BAR_SIZE 0x80000 + static int qat_uclo_init_ae_memory(struct icp_qat_fw_loader_handle *handle, + struct icp_qat_uof_initmem *init_mem) + { +-- +2.26.2 + diff --git a/patches.suse/crypto-ux500-Fix-error-return-code-in-hash_hw_final.patch b/patches.suse/crypto-ux500-Fix-error-return-code-in-hash_hw_final.patch new file mode 100644 index 0000000..fb6ff58 --- /dev/null +++ b/patches.suse/crypto-ux500-Fix-error-return-code-in-hash_hw_final.patch @@ -0,0 +1,37 @@ +From b01360384009ab066940b45f34880991ea7ccbfb Mon Sep 17 00:00:00 2001 +From: Zhen Lei +Date: Sat, 8 May 2021 15:00:49 +0800 +Subject: [PATCH] crypto: ux500 - Fix error return code in hash_hw_final() +Git-commit: b01360384009ab066940b45f34880991ea7ccbfb +Patch-mainline: v5.14-rc1 +References: git-fixes + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 8a63b1994c50 ("crypto: ux500 - Add driver for HASH hardware") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Reviewed-by: Linus Walleij +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/ux500/hash/hash_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c +index ecb7412e84e3..51a6e1a42434 100644 +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -1011,6 +1011,7 @@ static int hash_hw_final(struct ahash_request *req) + goto out; + } + } else if (req->nbytes == 0 && ctx->keylen > 0) { ++ ret = -EPERM; + dev_err(device_data->dev, "%s: Empty message with keylength > 0, NOT supported\n", + __func__); + goto out; +-- +2.26.2 + diff --git a/patches.suse/fm10k-Fix-an-error-handling-path-in-fm10k_probe.patch b/patches.suse/fm10k-Fix-an-error-handling-path-in-fm10k_probe.patch new file mode 100644 index 0000000..68ca10b --- /dev/null +++ b/patches.suse/fm10k-Fix-an-error-handling-path-in-fm10k_probe.patch @@ -0,0 +1,36 @@ +From e85e14d68f517ef12a5fb8123fff65526b35b6cd Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Wed, 16 Jun 2021 07:00:36 +0200 +Subject: [PATCH] fm10k: Fix an error handling path in 'fm10k_probe()' +Git-commit: e85e14d68f517ef12a5fb8123fff65526b35b6cd +Patch-mainline: v5.14-rc2 +References: git-fixes + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 19ae1b3fb99c ("fm10k: Add support for PCI power management and error handling") +Signed-off-by: Christophe JAILLET +Signed-off-by: Tony Nguyen +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/intel/fm10k/fm10k_pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c +index dbcae92bb18d..adfa2768f024 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c +@@ -2227,6 +2227,7 @@ static int fm10k_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + err_ioremap: + free_netdev(netdev); + err_alloc_netdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.26.2 + diff --git a/patches.suse/gve-Fix-an-error-handling-path-in-gve_probe.patch b/patches.suse/gve-Fix-an-error-handling-path-in-gve_probe.patch new file mode 100644 index 0000000..6c8035a --- /dev/null +++ b/patches.suse/gve-Fix-an-error-handling-path-in-gve_probe.patch @@ -0,0 +1,45 @@ +From 2342ae10d1272d411a468a85a67647dd115b344f Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Thu, 1 Jul 2021 22:18:24 +0200 +Subject: [PATCH] gve: Fix an error handling path in 'gve_probe()' +Git-commit: 2342ae10d1272d411a468a85a67647dd115b344f +Patch-mainline: v5.14-rc2 +References: git-fixes + +If the 'register_netdev() call fails, we must release the resources +allocated by the previous 'gve_init_priv()' call, as already done in the +remove function. + +Add a new label and the missing 'gve_teardown_priv_resources()' in the +error handling path. + +Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC") +Signed-off-by: Christophe JAILLET +Reviewed-by: Catherine Sullivan +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/google/gve/gve_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -1170,13 +1170,16 @@ static int gve_probe(struct pci_dev *pde + + err = register_netdev(dev); + if (err) +- goto abort_with_wq; ++ goto abort_with_gve_init; + + dev_info(&pdev->dev, "GVE version %s\n", gve_version_str); + gve_clear_probe_in_progress(priv); + queue_work(priv->gve_wq, &priv->service_task); + return 0; + ++abort_with_gve_init: ++ gve_teardown_priv_resources(priv); ++ + abort_with_wq: + destroy_workqueue(priv->gve_wq); + diff --git a/patches.suse/hwmon-max31790-Fix-pwmX_enable-attributes.patch b/patches.suse/hwmon-max31790-Fix-pwmX_enable-attributes.patch new file mode 100644 index 0000000..97ae365 --- /dev/null +++ b/patches.suse/hwmon-max31790-Fix-pwmX_enable-attributes.patch @@ -0,0 +1,137 @@ +From 148c847c9e5a54b99850617bf9c143af9a344f92 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 26 May 2021 08:40:18 -0700 +Subject: [PATCH] hwmon: (max31790) Fix pwmX_enable attributes +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 148c847c9e5a54b99850617bf9c143af9a344f92 +Patch-mainline: v5.14-rc1 +References: git-fixes + +pwmX_enable supports three possible values: + +0: Fan control disabled. Duty cycle is fixed to 0% +1: Fan control enabled, pwm mode. Duty cycle is determined by values written into Target Duty Cycle registers. +2: Fan control enabled, rpm mode Duty cycle is adjusted such that fan speed matches the values in Target Count registers + +The current code does not do this; instead, it mixes pwm control +configuration with fan speed monitoring configuration. Worse, it +reports that pwm control would be disabled (pwmX_enable==0) when +it is in fact enabled in pwm mode. Part of the problem may be that +the chip sets the "TACH input enable" bit on its own whenever the +mode bit is set to RPM mode, but that doesn't mean that "TACH input +enable" accurately reflects the pwm mode. + +Fix it up and only handle pwm control with the pwmX_enable attributes. +In the documentation, clarify that disabling pwm control (pwmX_enable=0) +sets the pwm duty cycle to 0%. In the code, explain why TACH_INPUT_EN +is set together with RPM_MODE. + +While at it, only update the configuration register if the configuration +has changed, and only update the cached configuration if updating the +chip configuration was successful. + +Cc: Jan Kundrát +Cc: Václav Kubernát +Signed-off-by: Guenter Roeck +Tested-by: Václav Kubernát +Reviewed-by: Jan Kundrát +Link: https://lore.kernel.org/r/20210526154022.3223012-4-linux@roeck-us.net +Acked-by: Takashi Iwai + +--- + Documentation/hwmon/max31790.rst | 2 +- + drivers/hwmon/max31790.c | 41 ++++++++++++++++++++------------ + 2 files changed, 27 insertions(+), 16 deletions(-) + +diff --git a/Documentation/hwmon/max31790.rst b/Documentation/hwmon/max31790.rst +index 54ff0f49e28f..7b097c3b9b90 100644 +--- a/Documentation/hwmon/max31790.rst ++++ b/Documentation/hwmon/max31790.rst +@@ -38,7 +38,7 @@ Sysfs entries + fan[1-12]_input RO fan tachometer speed in RPM + fan[1-12]_fault RO fan experienced fault + fan[1-6]_target RW desired fan speed in RPM +-pwm[1-6]_enable RW regulator mode, 0=disabled, 1=manual mode, 2=rpm mode ++pwm[1-6]_enable RW regulator mode, 0=disabled (duty cycle=0%), 1=manual mode, 2=rpm mode + pwm[1-6] RW read: current pwm duty cycle, + write: target pwm duty cycle (0-255) + ================== === ======================================================= +diff --git a/drivers/hwmon/max31790.c b/drivers/hwmon/max31790.c +index 693497e09ac0..67677c437768 100644 +--- a/drivers/hwmon/max31790.c ++++ b/drivers/hwmon/max31790.c +@@ -27,6 +27,7 @@ + + /* Fan Config register bits */ + #define MAX31790_FAN_CFG_RPM_MODE 0x80 ++#define MAX31790_FAN_CFG_CTRL_MON 0x10 + #define MAX31790_FAN_CFG_TACH_INPUT_EN 0x08 + #define MAX31790_FAN_CFG_TACH_INPUT 0x01 + +@@ -271,12 +272,12 @@ static int max31790_read_pwm(struct device *dev, u32 attr, int channel, + *val = data->pwm[channel] >> 8; + return 0; + case hwmon_pwm_enable: +- if (fan_config & MAX31790_FAN_CFG_RPM_MODE) ++ if (fan_config & MAX31790_FAN_CFG_CTRL_MON) ++ *val = 0; ++ else if (fan_config & MAX31790_FAN_CFG_RPM_MODE) + *val = 2; +- else if (fan_config & MAX31790_FAN_CFG_TACH_INPUT_EN) +- *val = 1; + else +- *val = 0; ++ *val = 1; + return 0; + default: + return -EOPNOTSUPP; +@@ -307,23 +308,33 @@ static int max31790_write_pwm(struct device *dev, u32 attr, int channel, + case hwmon_pwm_enable: + fan_config = data->fan_config[channel]; + if (val == 0) { +- fan_config &= ~(MAX31790_FAN_CFG_TACH_INPUT_EN | +- MAX31790_FAN_CFG_RPM_MODE); ++ fan_config |= MAX31790_FAN_CFG_CTRL_MON; ++ /* ++ * Disable RPM mode; otherwise disabling fan speed ++ * monitoring is not possible. ++ */ ++ fan_config &= ~MAX31790_FAN_CFG_RPM_MODE; + } else if (val == 1) { +- fan_config = (fan_config | +- MAX31790_FAN_CFG_TACH_INPUT_EN) & +- ~MAX31790_FAN_CFG_RPM_MODE; ++ fan_config &= ~(MAX31790_FAN_CFG_CTRL_MON | MAX31790_FAN_CFG_RPM_MODE); + } else if (val == 2) { +- fan_config |= MAX31790_FAN_CFG_TACH_INPUT_EN | +- MAX31790_FAN_CFG_RPM_MODE; ++ fan_config &= ~MAX31790_FAN_CFG_CTRL_MON; ++ /* ++ * The chip sets MAX31790_FAN_CFG_TACH_INPUT_EN on its ++ * own if MAX31790_FAN_CFG_RPM_MODE is set. ++ * Do it here as well to reflect the actual register ++ * value in the cache. ++ */ ++ fan_config |= (MAX31790_FAN_CFG_RPM_MODE | MAX31790_FAN_CFG_TACH_INPUT_EN); + } else { + err = -EINVAL; + break; + } +- data->fan_config[channel] = fan_config; +- err = i2c_smbus_write_byte_data(client, +- MAX31790_REG_FAN_CONFIG(channel), +- fan_config); ++ if (fan_config != data->fan_config[channel]) { ++ err = i2c_smbus_write_byte_data(client, MAX31790_REG_FAN_CONFIG(channel), ++ fan_config); ++ if (!err) ++ data->fan_config[channel] = fan_config; ++ } + break; + default: + err = -EOPNOTSUPP; +-- +2.26.2 + diff --git a/patches.suse/hwmon-max31790-Report-correct-current-pwm-duty-cycle.patch b/patches.suse/hwmon-max31790-Report-correct-current-pwm-duty-cycle.patch new file mode 100644 index 0000000..e612567 --- /dev/null +++ b/patches.suse/hwmon-max31790-Report-correct-current-pwm-duty-cycle.patch @@ -0,0 +1,76 @@ +From 897f6339893b741a5d68ae8e2475df65946041c2 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 26 May 2021 08:40:17 -0700 +Subject: [PATCH] hwmon: (max31790) Report correct current pwm duty cycles +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 897f6339893b741a5d68ae8e2475df65946041c2 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The MAX31790 has two sets of registers for pwm duty cycles, one to request +a duty cycle and one to read the actual current duty cycle. Both do not +have to be the same. + +When reporting the pwm duty cycle to the user, the actual pwm duty cycle +from pwm duty cycle registers needs to be reported. When setting it, the +pwm target duty cycle needs to be written. Since we don't know the actual +pwm duty cycle after a target pwm duty cycle has been written, set the +valid flag to false to indicate that actual pwm duty cycle should be read +from the chip instead of using cached values. + +Cc: Jan Kundrát +Cc: Václav Kubernát +Signed-off-by: Guenter Roeck +Tested-by: Václav Kubernát +Reviewed-by: Jan Kundrát +Link: https://lore.kernel.org/r/20210526154022.3223012-3-linux@roeck-us.net +Acked-by: Takashi Iwai + +--- + Documentation/hwmon/max31790.rst | 3 ++- + drivers/hwmon/max31790.c | 6 +++--- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/Documentation/hwmon/max31790.rst b/Documentation/hwmon/max31790.rst +index f301385d8cef..54ff0f49e28f 100644 +--- a/Documentation/hwmon/max31790.rst ++++ b/Documentation/hwmon/max31790.rst +@@ -39,5 +39,6 @@ fan[1-12]_input RO fan tachometer speed in RPM + fan[1-12]_fault RO fan experienced fault + fan[1-6]_target RW desired fan speed in RPM + pwm[1-6]_enable RW regulator mode, 0=disabled, 1=manual mode, 2=rpm mode +-pwm[1-6] RW fan target duty cycle (0-255) ++pwm[1-6] RW read: current pwm duty cycle, ++ write: target pwm duty cycle (0-255) + ================== === ======================================================= +diff --git a/drivers/hwmon/max31790.c b/drivers/hwmon/max31790.c +index f6d4fc0a2f13..693497e09ac0 100644 +--- a/drivers/hwmon/max31790.c ++++ b/drivers/hwmon/max31790.c +@@ -104,7 +104,7 @@ static struct max31790_data *max31790_update_device(struct device *dev) + data->tach[NR_CHANNEL + i] = rv; + } else { + rv = i2c_smbus_read_word_swapped(client, +- MAX31790_REG_PWMOUT(i)); ++ MAX31790_REG_PWM_DUTY_CYCLE(i)); + if (rv < 0) + goto abort; + data->pwm[i] = rv; +@@ -299,10 +299,10 @@ static int max31790_write_pwm(struct device *dev, u32 attr, int channel, + err = -EINVAL; + break; + } +- data->pwm[channel] = val << 8; ++ data->valid = false; + err = i2c_smbus_write_word_swapped(client, + MAX31790_REG_PWMOUT(channel), +- data->pwm[channel]); ++ val << 8); + break; + case hwmon_pwm_enable: + fan_config = data->fan_config[channel]; +-- +2.26.2 + diff --git a/patches.suse/hwrng-exynos-Fix-runtime-PM-imbalance-on-error.patch b/patches.suse/hwrng-exynos-Fix-runtime-PM-imbalance-on-error.patch new file mode 100644 index 0000000..fa807cb --- /dev/null +++ b/patches.suse/hwrng-exynos-Fix-runtime-PM-imbalance-on-error.patch @@ -0,0 +1,49 @@ +From 0cdbabf8bb7a6147f5adf37dbc251e92a1bbc2c7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Stelmach?= +Date: Wed, 5 May 2021 20:29:14 +0200 +Subject: [PATCH] hwrng: exynos - Fix runtime PM imbalance on error +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 0cdbabf8bb7a6147f5adf37dbc251e92a1bbc2c7 +Patch-mainline: v5.14-rc1 +References: git-fixes + +pm_runtime_resume_and_get() wraps around pm_runtime_get_sync() and +decrements the runtime PM usage counter in case the latter function +fails and keeps the counter balanced. + +Signed-off-by: Łukasz Stelmach +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/char/hw_random/exynos-trng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/hw_random/exynos-trng.c b/drivers/char/hw_random/exynos-trng.c +index 8e1fe3f8dd2d..c8db62bc5ff7 100644 +--- a/drivers/char/hw_random/exynos-trng.c ++++ b/drivers/char/hw_random/exynos-trng.c +@@ -132,7 +132,7 @@ static int exynos_trng_probe(struct platform_device *pdev) + return PTR_ERR(trng->mem); + + pm_runtime_enable(&pdev->dev); +- ret = pm_runtime_get_sync(&pdev->dev); ++ ret = pm_runtime_resume_and_get(&pdev->dev); + if (ret < 0) { + dev_err(&pdev->dev, "Could not get runtime PM.\n"); + goto err_pm_get; +@@ -165,7 +165,7 @@ static int exynos_trng_probe(struct platform_device *pdev) + clk_disable_unprepare(trng->clk); + + err_clock: +- pm_runtime_put_sync(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); + + err_pm_get: + pm_runtime_disable(&pdev->dev); +-- +2.26.2 + diff --git a/patches.suse/iio-accel-mxc4005-Drop-unnecessary-explicit-casts-in.patch b/patches.suse/iio-accel-mxc4005-Drop-unnecessary-explicit-casts-in.patch new file mode 100644 index 0000000..81fbeb4 --- /dev/null +++ b/patches.suse/iio-accel-mxc4005-Drop-unnecessary-explicit-casts-in.patch @@ -0,0 +1,46 @@ +From b01401a228bc4997b0d4bcb669fced448f7a15ca Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 5 Apr 2020 19:03:16 +0100 +Subject: [PATCH] iio:accel:mxc4005: Drop unnecessary explicit casts in regmap_bulk_read calls +Git-commit: b01401a228bc4997b0d4bcb669fced448f7a15ca +Patch-mainline: v5.8-rc1 +References: git-fixes + +regmap_bulk_read takes a void * for its val parameter. It certainly +makes no sense to cast to a (u8 *) + no need to explicitly cast +at all when converting another pointer type to void *. + +Signed-off-by: Jonathan Cameron +Reviewed-by: Alexandru Ardelean +Reviewed-by: Andy Shevchenko +Acked-by: Takashi Iwai + +--- + drivers/iio/accel/mxc4005.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/accel/mxc4005.c b/drivers/iio/accel/mxc4005.c +index 3d5bea651923..9d07642c0de1 100644 +--- a/drivers/iio/accel/mxc4005.c ++++ b/drivers/iio/accel/mxc4005.c +@@ -135,7 +135,7 @@ static int mxc4005_read_xyz(struct mxc4005_data *data) + int ret; + + ret = regmap_bulk_read(data->regmap, MXC4005_REG_XOUT_UPPER, +- (u8 *) data->buffer, sizeof(data->buffer)); ++ data->buffer, sizeof(data->buffer)); + if (ret < 0) { + dev_err(data->dev, "failed to read axes\n"); + return ret; +@@ -150,7 +150,7 @@ static int mxc4005_read_axis(struct mxc4005_data *data, + __be16 reg; + int ret; + +- ret = regmap_bulk_read(data->regmap, addr, (u8 *) ®, sizeof(reg)); ++ ret = regmap_bulk_read(data->regmap, addr, ®, sizeof(reg)); + if (ret < 0) { + dev_err(data->dev, "failed to read reg %02x\n", addr); + return ret; +-- +2.26.2 + diff --git a/patches.suse/iio-accel-mxc4005-Fix-overread-of-data-and-alignment.patch b/patches.suse/iio-accel-mxc4005-Fix-overread-of-data-and-alignment.patch new file mode 100644 index 0000000..df1a6f7 --- /dev/null +++ b/patches.suse/iio-accel-mxc4005-Fix-overread-of-data-and-alignment.patch @@ -0,0 +1,63 @@ +From f65802284a3a337510d7f8f916c97d66c74f2e71 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sat, 1 May 2021 18:01:07 +0100 +Subject: [PATCH] iio: accel: mxc4005: Fix overread of data and alignment issue. +Git-commit: f65802284a3a337510d7f8f916c97d66c74f2e71 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The bulk read size is based on the size of an array that also has +space for the timestamp alongside the channels. +Fix that and also fix alignment of the buffer passed +to iio_push_to_buffers_with_timestamp. + +Found during an audit of all calls to this function. + +Fixes: 1ce0eda0f757 ("iio: mxc4005: add triggered buffer mode for mxc4005") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-6-jic23@kernel.org +Acked-by: Takashi Iwai + +--- + drivers/iio/accel/mxc4005.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/accel/mxc4005.c b/drivers/iio/accel/mxc4005.c +index 98c7f5f59011..b3afbf064915 100644 +--- a/drivers/iio/accel/mxc4005.c ++++ b/drivers/iio/accel/mxc4005.c +@@ -56,7 +56,11 @@ struct mxc4005_data { + struct mutex mutex; + struct regmap *regmap; + struct iio_trigger *dready_trig; +- __be16 buffer[8]; ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ __be16 chans[3]; ++ s64 timestamp __aligned(8); ++ } scan; + bool trigger_enabled; + }; + +@@ -135,7 +139,7 @@ static int mxc4005_read_xyz(struct mxc4005_data *data) + int ret; + + ret = regmap_bulk_read(data->regmap, MXC4005_REG_XOUT_UPPER, +- data->buffer, sizeof(data->buffer)); ++ data->scan.chans, sizeof(data->scan.chans)); + if (ret < 0) { + dev_err(data->dev, "failed to read axes\n"); + return ret; +@@ -301,7 +305,7 @@ static irqreturn_t mxc4005_trigger_handler(int irq, void *private) + if (ret < 0) + goto err; + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + pf->timestamp); + + err: +-- +2.26.2 + diff --git a/patches.suse/iio-adc-at91-sama5d2-Fix-buffer-alignment-in-iio_pus.patch b/patches.suse/iio-adc-at91-sama5d2-Fix-buffer-alignment-in-iio_pus.patch new file mode 100644 index 0000000..1ff9573 --- /dev/null +++ b/patches.suse/iio-adc-at91-sama5d2-Fix-buffer-alignment-in-iio_pus.patch @@ -0,0 +1,44 @@ +From 8f884758966259fa8c50c137ac6d4ce9bb7859db Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 13 Jun 2021 16:22:54 +0100 +Subject: [PATCH] iio: adc: at91-sama5d2: Fix buffer alignment in iio_push_to_buffers_with_timestamp() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 8f884758966259fa8c50c137ac6d4ce9bb7859db +Patch-mainline: v5.14-rc1 +References: git-fixes + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: 5e1a1da0f8c9 ("iio: adc: at91-sama5d2_adc: add hw trigger and buffer support") +Signed-off-by: Jonathan Cameron +Cc: Eugen Hristev +Reviewed-by: Nuno Sá +Link: https://lore.kernel.org/r/20210613152301.571002-2-jic23@kernel.org +Acked-by: Takashi Iwai + +--- + drivers/iio/adc/at91-sama5d2_adc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c +index 6e8c28675947..ea5ca163d879 100644 +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -403,7 +403,8 @@ struct at91_adc_state { + struct at91_adc_dma dma_st; + struct at91_adc_touch touch_st; + struct iio_dev *indio_dev; +- u16 buffer[AT91_BUFFER_MAX_HWORDS]; ++ /* Ensure naturally aligned timestamp */ ++ u16 buffer[AT91_BUFFER_MAX_HWORDS] __aligned(8); + /* + * lock to prevent concurrent 'single conversion' requests through + * sysfs. +-- +2.26.2 + diff --git a/patches.suse/iio-at91-sama5d2_adc-remove-usage-of-iio_priv_to_dev.patch b/patches.suse/iio-at91-sama5d2_adc-remove-usage-of-iio_priv_to_dev.patch new file mode 100644 index 0000000..68b22b6 --- /dev/null +++ b/patches.suse/iio-at91-sama5d2_adc-remove-usage-of-iio_priv_to_dev.patch @@ -0,0 +1,169 @@ +From ebf35aad0baa05823df31fda42df4b67f72e6e72 Mon Sep 17 00:00:00 2001 +From: Alexandru Ardelean +Date: Mon, 25 May 2020 13:53:41 +0300 +Subject: [PATCH] iio: at91-sama5d2_adc: remove usage of iio_priv_to_dev() helper +Git-commit: ebf35aad0baa05823df31fda42df4b67f72e6e72 +Patch-mainline: v5.9-rc1 +References: git-fixes + +We may want to get rid of the iio_priv_to_dev() helper. The reason is that +we will hide some of the members of the iio_dev structure (to prevent +drivers from accessing them directly), and that will also mean hiding the +implementation of the iio_priv_to_dev() helper inside the IIO core. + +Hiding the implementation of iio_priv_to_dev() implies that some fast-paths +may not be fast anymore, so a general idea is to try to get rid of the +iio_priv_to_dev() altogether. +The iio_priv() helper won't be affected by the rework, as the iio_dev +struct will keep a reference to the private information. + +For this driver, not using iio_priv_to_dev(), means reworking some paths to +pass the iio device and using iio_priv() to access the private information, +and also keeping a reference to the iio device for some quirky paths. + +One [quirky] path is the at91_adc_workq_handler() which requires the IIO +device & the state struct to push to buffers. +Since this requires the back-ref to the IIO device, the +at91_adc_touch_pos() also uses it. This simplifies the patch a bit. The +information required in this function is mostly for debugging purposes. +Replacing it with a reference to the IIO device would have been a slightly +bigger change, which may not be worth it (for just the debugging purpose +and given that we need the back-ref to the IIO device anyway). + +Signed-off-by: Alexandru Ardelean +Signed-off-by: Jonathan Cameron +Acked-by: Takashi Iwai + +--- + drivers/iio/adc/at91-sama5d2_adc.c | 30 +++++++++++++++++------------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c +index 6cc06f1566eb..3d9b75eaf6dd 100644 +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -402,6 +402,7 @@ struct at91_adc_state { + wait_queue_head_t wq_data_available; + struct at91_adc_dma dma_st; + struct at91_adc_touch touch_st; ++ struct iio_dev *indio_dev; + u16 buffer[AT91_BUFFER_MAX_HWORDS]; + /* + * lock to prevent concurrent 'single conversion' requests through +@@ -642,13 +643,13 @@ static u16 at91_adc_touch_pos(struct at91_adc_state *st, int reg) + /* first half of register is the x or y, second half is the scale */ + val = at91_adc_readl(st, reg); + if (!val) +- dev_dbg(&iio_priv_to_dev(st)->dev, "pos is 0\n"); ++ dev_dbg(&st->indio_dev->dev, "pos is 0\n"); + + pos = val & AT91_SAMA5D2_XYZ_MASK; + result = (pos << AT91_SAMA5D2_MAX_POS_BITS) - pos; + scale = (val >> 16) & AT91_SAMA5D2_XYZ_MASK; + if (scale == 0) { +- dev_err(&iio_priv_to_dev(st)->dev, "scale is 0\n"); ++ dev_err(&st->indio_dev->dev, "scale is 0\n"); + return 0; + } + result /= scale; +@@ -1186,9 +1187,9 @@ static unsigned at91_adc_startup_time(unsigned startup_time_min, + return i; + } + +-static void at91_adc_setup_samp_freq(struct at91_adc_state *st, unsigned freq) ++static void at91_adc_setup_samp_freq(struct iio_dev *indio_dev, unsigned freq) + { +- struct iio_dev *indio_dev = iio_priv_to_dev(st); ++ struct at91_adc_state *st = iio_priv(indio_dev); + unsigned f_per, prescal, startup, mr; + + f_per = clk_get_rate(st->per_clk); +@@ -1257,9 +1258,9 @@ static void at91_adc_pen_detect_interrupt(struct at91_adc_state *st) + st->touch_st.touching = true; + } + +-static void at91_adc_no_pen_detect_interrupt(struct at91_adc_state *st) ++static void at91_adc_no_pen_detect_interrupt(struct iio_dev *indio_dev) + { +- struct iio_dev *indio_dev = iio_priv_to_dev(st); ++ struct at91_adc_state *st = iio_priv(indio_dev); + + at91_adc_writel(st, AT91_SAMA5D2_TRGR, + AT91_SAMA5D2_TRGR_TRGMOD_NO_TRIGGER); +@@ -1279,7 +1280,7 @@ static void at91_adc_workq_handler(struct work_struct *workq) + struct at91_adc_touch, workq); + struct at91_adc_state *st = container_of(touch_st, + struct at91_adc_state, touch_st); +- struct iio_dev *indio_dev = iio_priv_to_dev(st); ++ struct iio_dev *indio_dev = st->indio_dev; + + iio_push_to_buffers(indio_dev, st->buffer); + } +@@ -1300,7 +1301,7 @@ static irqreturn_t at91_adc_interrupt(int irq, void *private) + at91_adc_pen_detect_interrupt(st); + } else if ((status & AT91_SAMA5D2_IER_NOPEN)) { + /* nopen detected IRQ */ +- at91_adc_no_pen_detect_interrupt(st); ++ at91_adc_no_pen_detect_interrupt(indio); + } else if ((status & AT91_SAMA5D2_ISR_PENS) && + ((status & rdy_mask) == rdy_mask)) { + /* periodic trigger IRQ - during pen sense */ +@@ -1468,7 +1469,7 @@ static int at91_adc_write_raw(struct iio_dev *indio_dev, + val > st->soc_info.max_sample_rate) + return -EINVAL; + +- at91_adc_setup_samp_freq(st, val); ++ at91_adc_setup_samp_freq(indio_dev, val); + return 0; + default: + return -EINVAL; +@@ -1606,8 +1607,10 @@ static int at91_adc_update_scan_mode(struct iio_dev *indio_dev, + return 0; + } + +-static void at91_adc_hw_init(struct at91_adc_state *st) ++static void at91_adc_hw_init(struct iio_dev *indio_dev) + { ++ struct at91_adc_state *st = iio_priv(indio_dev); ++ + at91_adc_writel(st, AT91_SAMA5D2_CR, AT91_SAMA5D2_CR_SWRST); + at91_adc_writel(st, AT91_SAMA5D2_IDR, 0xffffffff); + /* +@@ -1617,7 +1620,7 @@ static void at91_adc_hw_init(struct at91_adc_state *st) + at91_adc_writel(st, AT91_SAMA5D2_MR, + AT91_SAMA5D2_MR_TRANSFER(2) | AT91_SAMA5D2_MR_ANACH); + +- at91_adc_setup_samp_freq(st, st->soc_info.min_sample_rate); ++ at91_adc_setup_samp_freq(indio_dev, st->soc_info.min_sample_rate); + + /* configure extended mode register */ + at91_adc_config_emr(st); +@@ -1699,6 +1702,7 @@ static int at91_adc_probe(struct platform_device *pdev) + indio_dev->num_channels = ARRAY_SIZE(at91_adc_channels); + + st = iio_priv(indio_dev); ++ st->indio_dev = indio_dev; + + bitmap_set(&st->touch_st.channels_bitmask, + AT91_SAMA5D2_TOUCH_X_CHAN_IDX, 1); +@@ -1810,7 +1814,7 @@ static int at91_adc_probe(struct platform_device *pdev) + goto vref_disable; + } + +- at91_adc_hw_init(st); ++ at91_adc_hw_init(indio_dev); + + ret = clk_prepare_enable(st->per_clk); + if (ret) +@@ -1926,7 +1930,7 @@ static __maybe_unused int at91_adc_resume(struct device *dev) + if (ret) + goto vref_disable_resume; + +- at91_adc_hw_init(st); ++ at91_adc_hw_init(indio_dev); + + /* reconfiguring trigger hardware state */ + if (!iio_buffer_enabled(indio_dev)) +-- +2.26.2 + diff --git a/patches.suse/lib-vsprintf-Fix-handling-of-number-field-widths-in-.patch b/patches.suse/lib-vsprintf-Fix-handling-of-number-field-widths-in-.patch new file mode 100644 index 0000000..23a4299 --- /dev/null +++ b/patches.suse/lib-vsprintf-Fix-handling-of-number-field-widths-in-.patch @@ -0,0 +1,233 @@ +From 900fdc4573766dd43b847b4f54bd4a1ee2bc7360 Mon Sep 17 00:00:00 2001 +From: Richard Fitzgerald +Date: Fri, 14 May 2021 17:12:04 +0100 +Subject: [PATCH] lib: vsprintf: Fix handling of number field widths in vsscanf +Git-commit: 900fdc4573766dd43b847b4f54bd4a1ee2bc7360 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The existing code attempted to handle numbers by doing a strto[u]l(), +ignoring the field width, and then repeatedly dividing to extract the +field out of the full converted value. If the string contains a run of +valid digits longer than will fit in a long or long long, this would +overflow and no amount of dividing can recover the correct value. + +This patch fixes vsscanf() to obey number field widths when parsing +the number. + +A new _parse_integer_limit() is added that takes a limit for the number +of characters to parse. The number field conversion in vsscanf is changed +to use this new function. + +If a number starts with a radix prefix, the field width must be long +enough for at last one digit after the prefix. If not, it will be handled +like this: + + sscanf("0x4", "%1i", &i): i=0, scanning continues with the 'x' + sscanf("0x4", "%2i", &i): i=0, scanning continues with the '4' + +This is consistent with the observed behaviour of userland sscanf. + +Note that this patch does NOT fix the problem of a single field value +overflowing the target type. So for example: + + sscanf("123456789abcdef", "%x", &i); + +Will not produce the correct result because the value obviously overflows +INT_MAX. But sscanf will report a successful conversion. + +Note that where a very large number is used to mean "unlimited", the value +INT_MAX is used for consistency with the behaviour of vsnprintf(). + +Signed-off-by: Richard Fitzgerald +Reviewed-by: Petr Mladek +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20210514161206.30821-2-rf@opensource.cirrus.com +Acked-by: Takashi Iwai + +--- + lib/kstrtox.c | 13 ++++++-- + lib/kstrtox.h | 2 ++ + lib/vsprintf.c | 82 +++++++++++++++++++++++++++++--------------------- + 3 files changed, 60 insertions(+), 37 deletions(-) + +diff --git a/lib/kstrtox.c b/lib/kstrtox.c +index a118b0b1e9b2..0b5fe8b41173 100644 +--- a/lib/kstrtox.c ++++ b/lib/kstrtox.c +@@ -39,20 +39,22 @@ const char *_parse_integer_fixup_radix(const char *s, unsigned int *base) + + /* + * Convert non-negative integer string representation in explicitly given radix +- * to an integer. ++ * to an integer. A maximum of max_chars characters will be converted. ++ * + * Return number of characters consumed maybe or-ed with overflow bit. + * If overflow occurs, result integer (incorrect) is still returned. + * + * Don't you dare use this function. + */ +-unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *p) ++unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *p, ++ size_t max_chars) + { + unsigned long long res; + unsigned int rv; + + res = 0; + rv = 0; +- while (1) { ++ while (max_chars--) { + unsigned int c = *s; + unsigned int lc = c | 0x20; /* don't tolower() this line */ + unsigned int val; +@@ -82,6 +84,11 @@ unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long + return rv; + } + ++unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *p) ++{ ++ return _parse_integer_limit(s, base, p, INT_MAX); ++} ++ + static int _kstrtoull(const char *s, unsigned int base, unsigned long long *res) + { + unsigned long long _res; +diff --git a/lib/kstrtox.h b/lib/kstrtox.h +index 3b4637bcd254..158c400ca865 100644 +--- a/lib/kstrtox.h ++++ b/lib/kstrtox.h +@@ -4,6 +4,8 @@ + + #define KSTRTOX_OVERFLOW (1U << 31) + const char *_parse_integer_fixup_radix(const char *s, unsigned int *base); ++unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *res, ++ size_t max_chars); + unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *res); + + #endif +diff --git a/lib/vsprintf.c b/lib/vsprintf.c +index af307588ad8b..3290eca46e47 100644 +--- a/lib/vsprintf.c ++++ b/lib/vsprintf.c +@@ -53,6 +53,31 @@ + #include + #include "kstrtox.h" + ++static unsigned long long simple_strntoull(const char *startp, size_t max_chars, ++ char **endp, unsigned int base) ++{ ++ const char *cp; ++ unsigned long long result = 0ULL; ++ size_t prefix_chars; ++ unsigned int rv; ++ ++ cp = _parse_integer_fixup_radix(startp, &base); ++ prefix_chars = cp - startp; ++ if (prefix_chars < max_chars) { ++ rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars); ++ /* FIXME */ ++ cp += (rv & ~KSTRTOX_OVERFLOW); ++ } else { ++ /* Field too short for prefix + digit, skip over without converting */ ++ cp = startp + max_chars; ++ } ++ ++ if (endp) ++ *endp = (char *)cp; ++ ++ return result; ++} ++ + /** + * simple_strtoull - convert a string to an unsigned long long + * @cp: The start of the string +@@ -63,18 +88,7 @@ + */ + unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base) + { +- unsigned long long result; +- unsigned int rv; +- +- cp = _parse_integer_fixup_radix(cp, &base); +- rv = _parse_integer(cp, base, &result); +- /* FIXME */ +- cp += (rv & ~KSTRTOX_OVERFLOW); +- +- if (endp) +- *endp = (char *)cp; +- +- return result; ++ return simple_strntoull(cp, INT_MAX, endp, base); + } + EXPORT_SYMBOL(simple_strtoull); + +@@ -109,6 +123,21 @@ long simple_strtol(const char *cp, char **endp, unsigned int base) + } + EXPORT_SYMBOL(simple_strtol); + ++static long long simple_strntoll(const char *cp, size_t max_chars, char **endp, ++ unsigned int base) ++{ ++ /* ++ * simple_strntoull() safely handles receiving max_chars==0 in the ++ * case cp[0] == '-' && max_chars == 1. ++ * If max_chars == 0 we can drop through and pass it to simple_strntoull() ++ * and the content of *cp is irrelevant. ++ */ ++ if (*cp == '-' && max_chars > 0) ++ return -simple_strntoull(cp + 1, max_chars - 1, endp, base); ++ ++ return simple_strntoull(cp, max_chars, endp, base); ++} ++ + /** + * simple_strtoll - convert a string to a signed long long + * @cp: The start of the string +@@ -119,10 +148,7 @@ EXPORT_SYMBOL(simple_strtol); + */ + long long simple_strtoll(const char *cp, char **endp, unsigned int base) + { +- if (*cp == '-') +- return -simple_strtoull(cp + 1, endp, base); +- +- return simple_strtoull(cp, endp, base); ++ return simple_strntoll(cp, INT_MAX, endp, base); + } + EXPORT_SYMBOL(simple_strtoll); + +@@ -3541,25 +3567,13 @@ int vsscanf(const char *buf, const char *fmt, va_list args) + break; + + if (is_sign) +- val.s = qualifier != 'L' ? +- simple_strtol(str, &next, base) : +- simple_strtoll(str, &next, base); ++ val.s = simple_strntoll(str, ++ field_width >= 0 ? field_width : INT_MAX, ++ &next, base); + else +- val.u = qualifier != 'L' ? +- simple_strtoul(str, &next, base) : +- simple_strtoull(str, &next, base); +- +- if (field_width > 0 && next - str > field_width) { +- if (base == 0) +- _parse_integer_fixup_radix(str, &base); +- while (next - str > field_width) { +- if (is_sign) +- val.s = div_s64(val.s, base); +- else +- val.u = div_u64(val.u, base); +- --next; +- } +- } ++ val.u = simple_strntoull(str, ++ field_width >= 0 ? field_width : INT_MAX, ++ &next, base); + + switch (qualifier) { + case 'H': /* that's 'hh' in format */ +-- +2.26.2 + diff --git a/patches.suse/media-Fix-Media-Controller-API-config-checks.patch b/patches.suse/media-Fix-Media-Controller-API-config-checks.patch new file mode 100644 index 0000000..862a64c --- /dev/null +++ b/patches.suse/media-Fix-Media-Controller-API-config-checks.patch @@ -0,0 +1,88 @@ +From 50e7a31d30e8221632675abed3be306382324ca2 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Wed, 16 Jun 2021 17:19:06 +0200 +Subject: [PATCH] media: Fix Media Controller API config checks +Git-commit: 50e7a31d30e8221632675abed3be306382324ca2 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Smatch static checker warns that "mdev" can be null: + +sound/usb/media.c:287 snd_media_device_create() + warn: 'mdev' can also be NULL + +If CONFIG_MEDIA_CONTROLLER is disabled, this file should not be included +in the build. + +The below conditions in the sound/usb/Makefile are in place to ensure that +media.c isn't included in the build. + +Sound/usb/makefile: +snd-usb-audio-$(CONFIG_SND_USB_AUDIO_USE_MEDIA_CONTROLLER) += media.o + +select SND_USB_AUDIO_USE_MEDIA_CONTROLLER if MEDIA_CONTROLLER && + (MEDIA_SUPPORT=y || MEDIA_SUPPORT=SND_USB_AUDIO) + +The following config check in include/media/media-dev-allocator.h is +in place to enable the API only when CONFIG_MEDIA_CONTROLLER and +CONFIG_USB are enabled. + + #if defined(CONFIG_MEDIA_CONTROLLER) && defined(CONFIG_USB) + +This check doesn't work as intended when CONFIG_USB=m. When CONFIG_USB=m, +CONFIG_USB_MODULE is defined and CONFIG_USB is not. The above config check +doesn't catch that CONFIG_USB is defined as a module and disables the API. +This results in sound/usb enabling Media Controller specific ALSA driver +code, while Media disables the Media Controller API. + +Fix the problem requires two changes: + +1. Change the check to use IS_ENABLED to detect when CONFIG_USB is enabled + as a module or static. Since CONFIG_MEDIA_CONTROLLER is a bool, leave + the check unchanged to be consistent with drivers/media/Makefile. + +2. Change the drivers/media/mc/Makefile to include mc-dev-allocator.o + in mc-objs when CONFIG_USB is enabled. + +Link: https://lore.kernel.org/alsa-devel/YLeAvT+R22FQ%2FEyw@mwanda/ + +Reported-by: Dan Carpenter +Signed-off-by: Shuah Khan +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/mc/Makefile | 2 +- + include/media/media-dev-allocator.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/mc/Makefile b/drivers/media/mc/Makefile +index 119037f0e686..2b7af42ba59c 100644 +--- a/drivers/media/mc/Makefile ++++ b/drivers/media/mc/Makefile +@@ -3,7 +3,7 @@ + mc-objs := mc-device.o mc-devnode.o mc-entity.o \ + mc-request.o + +-ifeq ($(CONFIG_USB),y) ++ifneq ($(CONFIG_USB),) + mc-objs += mc-dev-allocator.o + endif + +diff --git a/include/media/media-dev-allocator.h b/include/media/media-dev-allocator.h +index b35ea6062596..2ab54d426c64 100644 +--- a/include/media/media-dev-allocator.h ++++ b/include/media/media-dev-allocator.h +@@ -19,7 +19,7 @@ + + struct usb_device; + +-#if defined(CONFIG_MEDIA_CONTROLLER) && defined(CONFIG_USB) ++#if defined(CONFIG_MEDIA_CONTROLLER) && IS_ENABLED(CONFIG_USB) + /** + * media_device_usb_allocate() - Allocate and return struct &media device + * +-- +2.26.2 + diff --git a/patches.suse/media-bt8xx-Fix-a-missing-check-bug-in-bt878_probe.patch b/patches.suse/media-bt8xx-Fix-a-missing-check-bug-in-bt878_probe.patch new file mode 100644 index 0000000..5164ad0 --- /dev/null +++ b/patches.suse/media-bt8xx-Fix-a-missing-check-bug-in-bt878_probe.patch @@ -0,0 +1,121 @@ +From 1a4520090681853e6b850cbe54b27247a013e0e5 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Wed, 12 May 2021 17:18:36 +0200 +Subject: [PATCH] media: bt8xx: Fix a missing check bug in bt878_probe +Git-commit: 1a4520090681853e6b850cbe54b27247a013e0e5 +Patch-mainline: v5.14-rc1 +References: git-fixes + +In 'bt878_irq', the driver calls 'tasklet_schedule', but this tasklet is +set in 'dvb_bt8xx_load_card' of another driver 'dvb-bt8xx'. +However, this two drivers are separate. The user may not load the +'dvb-bt8xx' driver when loading the 'bt8xx' driver, that is, the tasklet +has not been initialized when 'tasklet_schedule' is called, so it is +necessary to check whether the tasklet is initialized in 'bt878_probe'. + +Fix this by adding a check at the end of bt878_probe. + +The KASAN's report reveals it: + +Bug: unable to handle kernel NULL pointer dereference at 0000000000000000 +PGD 800000006aab2067 P4D 800000006aab2067 PUD 6b2ea067 PMD 0 +Oops: 0010 [#1] PREEMPT SMP KASAN PTI +Cpu: 2 PID: 8724 Comm: syz-executor.0 Not tainted 4.19.177- +gdba4159c14ef-dirty #40 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59- +gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +Rip: 0010: (null) +Code: Bad RIP value. +Rsp: 0018:ffff88806c287ea0 EFLAGS: 00010246 +Rax: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000 +Rdx: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000 +Rbp: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774 +R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000 +R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90 +Fs: 00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS: +0000000000000000 +Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Cr2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0 +Dr0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +Dr3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + tasklet_action_common.isra.17+0x141/0x420 kernel/softirq.c:522 + tasklet_action+0x50/0x70 kernel/softirq.c:540 + __do_softirq+0x224/0x92c kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:372 [inline] + irq_exit+0x15a/0x180 kernel/softirq.c:412 + exiting_irq arch/x86/include/asm/apic.h:535 [inline] + do_IRQ+0x123/0x1e0 arch/x86/kernel/irq.c:260 + common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 + +Rip: 0010:__do_sys_interrupt kernel/sys.c:2593 [inline] +Rip: 0010:__se_sys_interrupt kernel/sys.c:2584 [inline] +Rip: 0010:__x64_sys_interrupt+0x5b/0x80 kernel/sys.c:2584 +Code: ba 00 04 00 00 48 c7 c7 c0 99 31 8c e8 ae 76 5e 01 48 85 c0 75 21 e8 +14 ae 24 00 48 c7 c3 c0 99 31 8c b8 0c 00 00 00 0f 01 c1 <31> db e8 fe ad +24 00 48 89 d8 5b 5d c3 48 c7 c3 ea ff ff ff eb ec +Rsp: 0018:ffff888054167f10 EFLAGS: 00000212 ORIG_RAX: ffffffffffffffde +Rax: 000000000000000c RBX: ffffffff8c3199c0 RCX: ffffc90001ca6000 +Rdx: 000000000000001a RSI: ffffffff813478fc RDI: ffffffff8c319dc0 +Rbp: ffff888054167f18 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000080 R11: fffffbfff18633b7 R12: ffff888054167f58 +R13: ffff88805f638000 R14: 0000000000000000 R15: 0000000000000000 do_syscall_64+0xb0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe +Rip: 0033:0x4692a9 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 +48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff +ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +Rsp: 002b:00007f6b550e5c48 EFLAGS: 00000246 ORIG_RAX: 000000000000014f +Rax: ffffffffffffffda RBX: 000000000077bf60 RCX: 00000000004692a9 +Rdx: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140 +Rbp: 00000000004cf7eb R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf60 +R13: 0000000000000000 R14: 000000000077bf60 R15: 00007fff55a1dca0 +Modules linked in: +Dumping ftrace buffer: + (ftrace buffer empty) + +Cr2: 0000000000000000 +Acked-by: Takashi Iwai + +---[ end trace 68e5849c3f77cbb6 ]--- +RIP: 0010: (null) +Code: Bad RIP value. +RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246 +RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000 +RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774 +R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000 +R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90 +FS: 00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS: +0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Reported-by: Zheyu Ma +Signed-off-by: Zheyu Ma +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/pci/bt8xx/bt878.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c +index 7ca309121fb5..90972d6952f1 100644 +--- a/drivers/media/pci/bt8xx/bt878.c ++++ b/drivers/media/pci/bt8xx/bt878.c +@@ -478,6 +478,9 @@ static int bt878_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + btwrite(0, BT878_AINT_MASK); + bt878_num++; + ++ if (!bt->tasklet.func) ++ tasklet_disable(&bt->tasklet); ++ + return 0; + + fail2: +-- +2.26.2 + diff --git a/patches.suse/media-cobalt-fix-race-condition-in-setting-HPD.patch b/patches.suse/media-cobalt-fix-race-condition-in-setting-HPD.patch new file mode 100644 index 0000000..c978740 --- /dev/null +++ b/patches.suse/media-cobalt-fix-race-condition-in-setting-HPD.patch @@ -0,0 +1,70 @@ +From 3d37ef41bed0854805ab9af22c422267510e1344 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Fri, 23 Apr 2021 10:00:49 +0200 +Subject: [PATCH] media: cobalt: fix race condition in setting HPD +Git-commit: 3d37ef41bed0854805ab9af22c422267510e1344 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The cobalt_s_bit_sysctrl reads the old register value over PCI, +then changes a bit and sets writes the new value to the register. + +This is used among other things for setting the HPD output pin. + +But if the HPD is changed for multiple inputs at the same time, +then this causes a race condition where a stale value is read. + +Serialize this function with a mutex. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/pci/cobalt/cobalt-driver.c | 1 + + drivers/media/pci/cobalt/cobalt-driver.h | 7 ++++++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/cobalt/cobalt-driver.c b/drivers/media/pci/cobalt/cobalt-driver.c +index 839503e654f4..16af58f2f93c 100644 +--- a/drivers/media/pci/cobalt/cobalt-driver.c ++++ b/drivers/media/pci/cobalt/cobalt-driver.c +@@ -667,6 +667,7 @@ static int cobalt_probe(struct pci_dev *pci_dev, + return -ENOMEM; + cobalt->pci_dev = pci_dev; + cobalt->instance = i; ++ mutex_init(&cobalt->pci_lock); + + retval = v4l2_device_register(&pci_dev->dev, &cobalt->v4l2_dev); + if (retval) { +diff --git a/drivers/media/pci/cobalt/cobalt-driver.h b/drivers/media/pci/cobalt/cobalt-driver.h +index bca68572b324..12c33e035904 100644 +--- a/drivers/media/pci/cobalt/cobalt-driver.h ++++ b/drivers/media/pci/cobalt/cobalt-driver.h +@@ -251,6 +251,8 @@ struct cobalt { + int instance; + struct pci_dev *pci_dev; + struct v4l2_device v4l2_dev; ++ /* serialize PCI access in cobalt_s_bit_sysctrl() */ ++ struct mutex pci_lock; + + void __iomem *bar0, *bar1; + +@@ -320,10 +322,13 @@ static inline u32 cobalt_g_sysctrl(struct cobalt *cobalt) + static inline void cobalt_s_bit_sysctrl(struct cobalt *cobalt, + int bit, int val) + { +- u32 ctrl = cobalt_read_bar1(cobalt, COBALT_SYS_CTRL_BASE); ++ u32 ctrl; + ++ mutex_lock(&cobalt->pci_lock); ++ ctrl = cobalt_read_bar1(cobalt, COBALT_SYS_CTRL_BASE); + cobalt_write_bar1(cobalt, COBALT_SYS_CTRL_BASE, + (ctrl & ~(1UL << bit)) | (val << bit)); ++ mutex_unlock(&cobalt->pci_lock); + } + + static inline u32 cobalt_g_sysstat(struct cobalt *cobalt) +-- +2.26.2 + diff --git a/patches.suse/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch b/patches.suse/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch new file mode 100644 index 0000000..4a16b6b --- /dev/null +++ b/patches.suse/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch @@ -0,0 +1,104 @@ +From be8656e62e9e791837b606a027802b504a945c97 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Wed, 21 Apr 2021 21:43:45 +0200 +Subject: [PATCH] media: cpia2: fix memory leak in cpia2_usb_probe +Git-commit: be8656e62e9e791837b606a027802b504a945c97 +Patch-mainline: v5.14-rc1 +References: git-fixes + +syzbot reported leak in cpia2 usb driver. The problem was +in invalid error handling. + +v4l2_device_register() is called in cpia2_init_camera_struct(), but +all error cases after cpia2_init_camera_struct() did not call the +v4l2_device_unregister() + +Reported-by: syzbot+d1e69c888f0d3866ead4@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/cpia2/cpia2.h | 1 + + drivers/media/usb/cpia2/cpia2_core.c | 12 ++++++++++++ + drivers/media/usb/cpia2/cpia2_usb.c | 13 +++++++------ + 3 files changed, 20 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/usb/cpia2/cpia2.h b/drivers/media/usb/cpia2/cpia2.h +index 50835f5f7512..57b7f1ea68da 100644 +--- a/drivers/media/usb/cpia2/cpia2.h ++++ b/drivers/media/usb/cpia2/cpia2.h +@@ -429,6 +429,7 @@ int cpia2_send_command(struct camera_data *cam, struct cpia2_command *cmd); + int cpia2_do_command(struct camera_data *cam, + unsigned int command, + unsigned char direction, unsigned char param); ++void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf); + struct camera_data *cpia2_init_camera_struct(struct usb_interface *intf); + int cpia2_init_camera(struct camera_data *cam); + int cpia2_allocate_buffers(struct camera_data *cam); +diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c +index e747548ab286..b5a2d06fb356 100644 +--- a/drivers/media/usb/cpia2/cpia2_core.c ++++ b/drivers/media/usb/cpia2/cpia2_core.c +@@ -2163,6 +2163,18 @@ static void reset_camera_struct(struct camera_data *cam) + cam->height = cam->params.roi.height; + } + ++/****************************************************************************** ++ * ++ * cpia2_init_camera_struct ++ * ++ * Deinitialize camera struct ++ *****************************************************************************/ ++void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf) ++{ ++ v4l2_device_unregister(&cam->v4l2_dev); ++ kfree(cam); ++} ++ + /****************************************************************************** + * + * cpia2_init_camera_struct +diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c +index 3ab80a7b4498..76aac06f9fb8 100644 +--- a/drivers/media/usb/cpia2/cpia2_usb.c ++++ b/drivers/media/usb/cpia2/cpia2_usb.c +@@ -844,15 +844,13 @@ static int cpia2_usb_probe(struct usb_interface *intf, + ret = set_alternate(cam, USBIF_CMDONLY); + if (ret < 0) { + ERR("%s: usb_set_interface error (ret = %d)\n", __func__, ret); +- kfree(cam); +- return ret; ++ goto alt_err; + } + + + if((ret = cpia2_init_camera(cam)) < 0) { + ERR("%s: failed to initialize cpia2 camera (ret = %d)\n", __func__, ret); +- kfree(cam); +- return ret; ++ goto alt_err; + } + LOG(" CPiA Version: %d.%02d (%d.%d)\n", + cam->params.version.firmware_revision_hi, +@@ -872,11 +870,14 @@ static int cpia2_usb_probe(struct usb_interface *intf, + ret = cpia2_register_camera(cam); + if (ret < 0) { + ERR("%s: Failed to register cpia2 camera (ret = %d)\n", __func__, ret); +- kfree(cam); +- return ret; ++ goto alt_err; + } + + return 0; ++ ++alt_err: ++ cpia2_deinit_camera_struct(cam, intf); ++ return ret; + } + + /****************************************************************************** +-- +2.26.2 + diff --git a/patches.suse/media-dvb_net-avoid-speculation-from-net-slot.patch b/patches.suse/media-dvb_net-avoid-speculation-from-net-slot.patch new file mode 100644 index 0000000..5c74f5a --- /dev/null +++ b/patches.suse/media-dvb_net-avoid-speculation-from-net-slot.patch @@ -0,0 +1,89 @@ +From abc0226df64dc137b48b911c1fe4319aec5891bb Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Wed, 16 Jun 2021 13:13:54 +0200 +Subject: [PATCH] media: dvb_net: avoid speculation from net slot +Git-commit: abc0226df64dc137b48b911c1fe4319aec5891bb +Patch-mainline: v5.14-rc1 +References: git-fixes + +The risk of especulation is actually almost-non-existing here, +as there are very few users of TCP/IP using the DVB stack, +as, this is mainly used with DVB-S/S2 cards, and only by people +that receives TCP/IP from satellite connections, which limits +a lot the number of users of such feature(*). + +(*) In thesis, DVB-C cards could also benefit from it, but I'm +yet to see a hardware that supports it. + +Yet, fixing it is trivial. + +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/dvb-core/dvb_net.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c +index 89620da983ba..dddebea644bb 100644 +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1462,14 +1463,20 @@ static int dvb_net_do_ioctl(struct file *file, + struct net_device *netdev; + struct dvb_net_priv *priv_data; + struct dvb_net_if *dvbnetif = parg; ++ int if_num = dvbnetif->if_num; + +- if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX || +- !dvbnet->state[dvbnetif->if_num]) { ++ if (if_num >= DVB_NET_DEVICES_MAX) { + ret = -EINVAL; + goto ioctl_error; + } ++ if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX); + +- netdev = dvbnet->device[dvbnetif->if_num]; ++ if (!dvbnet->state[if_num]) { ++ ret = -EINVAL; ++ goto ioctl_error; ++ } ++ ++ netdev = dvbnet->device[if_num]; + + priv_data = netdev_priv(netdev); + dvbnetif->pid=priv_data->pid; +@@ -1522,14 +1529,20 @@ static int dvb_net_do_ioctl(struct file *file, + struct net_device *netdev; + struct dvb_net_priv *priv_data; + struct __dvb_net_if_old *dvbnetif = parg; ++ int if_num = dvbnetif->if_num; ++ ++ if (if_num >= DVB_NET_DEVICES_MAX) { ++ ret = -EINVAL; ++ goto ioctl_error; ++ } ++ if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX); + +- if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX || +- !dvbnet->state[dvbnetif->if_num]) { ++ if (!dvbnet->state[if_num]) { + ret = -EINVAL; + goto ioctl_error; + } + +- netdev = dvbnet->device[dvbnetif->if_num]; ++ netdev = dvbnet->device[if_num]; + + priv_data = netdev_priv(netdev); + dvbnetif->pid=priv_data->pid; +-- +2.26.2 + diff --git a/patches.suse/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch b/patches.suse/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch new file mode 100644 index 0000000..2a009f9 --- /dev/null +++ b/patches.suse/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch @@ -0,0 +1,44 @@ +From 9ad1efee086e0e913914fa2b2173efb830bad68c Mon Sep 17 00:00:00 2001 +From: Dongliang Mu +Date: Tue, 25 May 2021 15:06:52 +0200 +Subject: [PATCH] media: dvd_usb: memory leak in cinergyt2_fe_attach +Git-commit: 9ad1efee086e0e913914fa2b2173efb830bad68c +Patch-mainline: v5.14-rc1 +References: git-fixes + +When the driver fails to talk with the hardware with dvb_usb_generic_rw, +it will return an error to dvb_usb_adapter_frontend_init. However, the +driver forgets to free the resource (e.g., struct cinergyt2_fe_state), +which leads to a memory leak. + +Fix this by freeing struct cinergyt2_fe_state when dvb_usb_generic_rw +fails in cinergyt2_frontend_attach. + +Backtrace: [<0000000056e17b1a>] kmalloc include/linux/slab.h:552 [inline] [<0000000056e17b1a>] kzalloc include/linux/slab.h:682 [inline] [<0000000056e17b1a>] cinergyt2_fe_attach+0x21/0x80 drivers/media/usb/dvb-usb/cinergyT2-fe.c:271 [<00000000ae0b1711>] cinergyt2_frontend_attach+0x21/0x70 drivers/media/usb/dvb-usb/cinergyT2-core.c:74 [<00000000d0254861>] dvb_usb_adapter_frontend_init+0x11b/0x1b0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290 [<0000000002e08ac6>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:84 [inline] [<0000000002e08ac6>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:173 [inline] [<0000000002e08ac6>] dvb_usb_device_init.cold+0x4d0/0x6ae drivers/media/usb/dvb-usb/dvb-usb-init.c:287 + +Reported-by: syzbot+e1de8986786b3722050e@syzkaller.appspotmail.com +Signed-off-by: Dongliang Mu +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/dvb-usb/cinergyT2-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c b/drivers/media/usb/dvb-usb/cinergyT2-core.c +index 969a7ec71dff..4116ba5c45fc 100644 +--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c ++++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c +@@ -78,6 +78,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap) + + ret = dvb_usb_generic_rw(d, st->data, 1, st->data, 3, 0); + if (ret < 0) { ++ if (adap->fe_adap[0].fe) ++ adap->fe_adap[0].fe->ops.release(adap->fe_adap[0].fe); + deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep state info\n"); + } + mutex_unlock(&d->data_mutex); +-- +2.26.2 + diff --git a/patches.suse/media-em28xx-Fix-possible-memory-leak-of-em28xx-stru.patch b/patches.suse/media-em28xx-Fix-possible-memory-leak-of-em28xx-stru.patch new file mode 100644 index 0000000..f31d0c9 --- /dev/null +++ b/patches.suse/media-em28xx-Fix-possible-memory-leak-of-em28xx-stru.patch @@ -0,0 +1,58 @@ +From ac5688637144644f06ed1f3c6d4dd8bb7db96020 Mon Sep 17 00:00:00 2001 +From: Igor Matheus Andrade Torrente +Date: Tue, 4 May 2021 20:32:49 +0200 +Subject: [PATCH] media: em28xx: Fix possible memory leak of em28xx struct +Git-commit: ac5688637144644f06ed1f3c6d4dd8bb7db96020 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The em28xx struct kref isn't being decreased after an error in the +em28xx_ir_init, leading to a possible memory leak. + +A kref_put and em28xx_shutdown_buttons is added to the error handler code. + +Signed-off-by: Igor Matheus Andrade Torrente +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/em28xx/em28xx-input.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c +index 5aa15a7a49de..59529cbf9cd0 100644 +--- a/drivers/media/usb/em28xx/em28xx-input.c ++++ b/drivers/media/usb/em28xx/em28xx-input.c +@@ -720,7 +720,8 @@ static int em28xx_ir_init(struct em28xx *dev) + dev->board.has_ir_i2c = 0; + dev_warn(&dev->intf->dev, + "No i2c IR remote control device found.\n"); +- return -ENODEV; ++ err = -ENODEV; ++ goto ref_put; + } + } + +@@ -735,7 +736,7 @@ static int em28xx_ir_init(struct em28xx *dev) + + ir = kzalloc(sizeof(*ir), GFP_KERNEL); + if (!ir) +- return -ENOMEM; ++ goto ref_put; + rc = rc_allocate_device(RC_DRIVER_SCANCODE); + if (!rc) + goto error; +@@ -839,6 +840,9 @@ static int em28xx_ir_init(struct em28xx *dev) + dev->ir = NULL; + rc_free_device(rc); + kfree(ir); ++ref_put: ++ em28xx_shutdown_buttons(dev); ++ kref_put(&dev->ref, em28xx_free_device); + return err; + } + +-- +2.26.2 + diff --git a/patches.suse/media-exynos-gsc-fix-pm_runtime_get_sync-usage-count.patch b/patches.suse/media-exynos-gsc-fix-pm_runtime_get_sync-usage-count.patch new file mode 100644 index 0000000..7d26119 --- /dev/null +++ b/patches.suse/media-exynos-gsc-fix-pm_runtime_get_sync-usage-count.patch @@ -0,0 +1,46 @@ +From 59087b66ea6730c130c57d23bd9fd139b78c1ba5 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 23 Apr 2021 17:19:18 +0200 +Subject: [PATCH] media: exynos-gsc: fix pm_runtime_get_sync() usage count +Git-commit: 59087b66ea6730c130c57d23bd9fd139b78c1ba5 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The pm_runtime_get_sync() internally increments the +dev->power.usage_count without decrementing it, even on errors. +Replace it by the new pm_runtime_resume_and_get(), introduced by: +commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter") +in order to properly decrement the usage counter, avoiding +a potential PM usage counter leak. + +As a bonus, as pm_runtime_get_sync() always return 0 on +success, the logic can be simplified. + +Reviewed-by: Jonathan Cameron +Reviewed-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/exynos-gsc/gsc-m2m.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/media/platform/exynos-gsc/gsc-m2m.c b/drivers/media/platform/exynos-gsc/gsc-m2m.c +index 27a3c92c73bc..f1cf847d1cc2 100644 +--- a/drivers/media/platform/exynos-gsc/gsc-m2m.c ++++ b/drivers/media/platform/exynos-gsc/gsc-m2m.c +@@ -56,10 +56,8 @@ static void __gsc_m2m_job_abort(struct gsc_ctx *ctx) + static int gsc_m2m_start_streaming(struct vb2_queue *q, unsigned int count) + { + struct gsc_ctx *ctx = q->drv_priv; +- int ret; + +- ret = pm_runtime_get_sync(&ctx->gsc_dev->pdev->dev); +- return ret > 0 ? 0 : ret; ++ return pm_runtime_resume_and_get(&ctx->gsc_dev->pdev->dev); + } + + static void __gsc_m2m_cleanup_queue(struct gsc_ctx *ctx) +-- +2.26.2 + diff --git a/patches.suse/media-imx-csi-Skip-first-few-frames-from-a-BT.656-so.patch b/patches.suse/media-imx-csi-Skip-first-few-frames-from-a-BT.656-so.patch new file mode 100644 index 0000000..26c7be7 --- /dev/null +++ b/patches.suse/media-imx-csi-Skip-first-few-frames-from-a-BT.656-so.patch @@ -0,0 +1,63 @@ +From e198be37e52551bb863d07d2edc535d0932a3c4f Mon Sep 17 00:00:00 2001 +From: Steve Longerbeam +Date: Mon, 17 May 2021 16:29:23 +0200 +Subject: [PATCH] media: imx-csi: Skip first few frames from a BT.656 source +Git-commit: e198be37e52551bb863d07d2edc535d0932a3c4f +Patch-mainline: v5.14-rc1 +References: git-fixes + +Some BT.656 sensors (e.g. ADV718x) transmit frames with unstable BT.656 +sync codes after initial power on. This confuses the imx CSI,resulting +in vertical and/or horizontal sync issues. Skip the first 20 frames +to avoid the unstable sync codes. + +[fabio: fixed checkpatch warning and increased the frame skipping to 20] + +Signed-off-by: Steve Longerbeam +Signed-off-by: Fabio Estevam +Reviewed-by: Tim Harvey +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/staging/media/imx/imx-media-csi.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/imx/imx-media-csi.c b/drivers/staging/media/imx/imx-media-csi.c +index d2f1d40b2d5a..bb1305c9daaf 100644 +--- a/drivers/staging/media/imx/imx-media-csi.c ++++ b/drivers/staging/media/imx/imx-media-csi.c +@@ -750,9 +750,10 @@ static int csi_setup(struct csi_priv *priv) + + static int csi_start(struct csi_priv *priv) + { +- struct v4l2_fract *output_fi; ++ struct v4l2_fract *input_fi, *output_fi; + int ret; + ++ input_fi = &priv->frame_interval[CSI_SINK_PAD]; + output_fi = &priv->frame_interval[priv->active_output_pad]; + + /* start upstream */ +@@ -761,6 +762,17 @@ static int csi_start(struct csi_priv *priv) + if (ret) + return ret; + ++ /* Skip first few frames from a BT.656 source */ ++ if (priv->upstream_ep.bus_type == V4L2_MBUS_BT656) { ++ u32 delay_usec, bad_frames = 20; ++ ++ delay_usec = DIV_ROUND_UP_ULL((u64)USEC_PER_SEC * ++ input_fi->numerator * bad_frames, ++ input_fi->denominator); ++ ++ usleep_range(delay_usec, delay_usec + 1000); ++ } ++ + if (priv->dest == IPU_CSI_DEST_IDMAC) { + ret = csi_idmac_start(priv); + if (ret) +-- +2.26.2 + diff --git a/patches.suse/media-imx-imx7_mipi_csis-Fix-logging-of-only-error-e.patch b/patches.suse/media-imx-imx7_mipi_csis-Fix-logging-of-only-error-e.patch new file mode 100644 index 0000000..4b2475e --- /dev/null +++ b/patches.suse/media-imx-imx7_mipi_csis-Fix-logging-of-only-error-e.patch @@ -0,0 +1,48 @@ +From d2fcc9c2de1191ea80366e3658711753738dd10a Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Tue, 13 Apr 2021 04:29:52 +0200 +Subject: [PATCH] media: imx: imx7_mipi_csis: Fix logging of only error event counters +Git-commit: d2fcc9c2de1191ea80366e3658711753738dd10a +Patch-mainline: v5.14-rc1 +References: git-fixes + +The mipi_csis_events array ends with 6 non-error events, not 4. Update +mipi_csis_log_counters() accordingly. While at it, log event counters in +forward order, as there's no reason to log them backward. + +Signed-off-by: Laurent Pinchart +Acked-by: Rui Miguel Silva +Reviewed-by: Frieder Schrempf +Tested-by: Frieder Schrempf +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/staging/media/imx/imx7-mipi-csis.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/media/imx/imx7-mipi-csis.c b/drivers/staging/media/imx/imx7-mipi-csis.c +index 1dc680d94a46..47e3175729c0 100644 +--- a/drivers/staging/media/imx/imx7-mipi-csis.c ++++ b/drivers/staging/media/imx/imx7-mipi-csis.c +@@ -666,13 +666,15 @@ static void mipi_csis_clear_counters(struct csi_state *state) + + static void mipi_csis_log_counters(struct csi_state *state, bool non_errors) + { +- int i = non_errors ? MIPI_CSIS_NUM_EVENTS : MIPI_CSIS_NUM_EVENTS - 4; ++ unsigned int num_events = non_errors ? MIPI_CSIS_NUM_EVENTS ++ : MIPI_CSIS_NUM_EVENTS - 6; + struct device *dev = &state->pdev->dev; + unsigned long flags; ++ unsigned int i; + + spin_lock_irqsave(&state->slock, flags); + +- for (i--; i >= 0; i--) { ++ for (i = 0; i < num_events; ++i) { + if (state->events[i].counter > 0 || state->debug) + dev_info(dev, "%s events: %d\n", state->events[i].name, + state->events[i].counter); +-- +2.26.2 + diff --git a/patches.suse/media-mdk-mdp-fix-pm_runtime_get_sync-usage-count.patch b/patches.suse/media-mdk-mdp-fix-pm_runtime_get_sync-usage-count.patch new file mode 100644 index 0000000..4bfbd59 --- /dev/null +++ b/patches.suse/media-mdk-mdp-fix-pm_runtime_get_sync-usage-count.patch @@ -0,0 +1,50 @@ +From d07bb9702cf5f5ccf3fb661e6cab54bbc33cd23f Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 23 Apr 2021 16:57:16 +0200 +Subject: [PATCH] media: mdk-mdp: fix pm_runtime_get_sync() usage count +Git-commit: d07bb9702cf5f5ccf3fb661e6cab54bbc33cd23f +Patch-mainline: v5.14-rc1 +References: git-fixes + +The pm_runtime_get_sync() internally increments the +dev->power.usage_count without decrementing it, even on errors. +Replace it by the new pm_runtime_resume_and_get(), introduced by: +commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter") +in order to properly decrement the usage counter, avoiding +a potential PM usage counter leak. + +While here, fix the return contition of mtk_mdp_m2m_start_streaming(), +as it doesn't make any sense to return 0 if the PM runtime failed +to resume. + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c b/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c +index ace4528cdc5e..f14779e7596e 100644 +--- a/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c ++++ b/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c +@@ -391,12 +391,12 @@ static int mtk_mdp_m2m_start_streaming(struct vb2_queue *q, unsigned int count) + struct mtk_mdp_ctx *ctx = q->drv_priv; + int ret; + +- ret = pm_runtime_get_sync(&ctx->mdp_dev->pdev->dev); ++ ret = pm_runtime_resume_and_get(&ctx->mdp_dev->pdev->dev); + if (ret < 0) +- mtk_mdp_dbg(1, "[%d] pm_runtime_get_sync failed:%d", ++ mtk_mdp_dbg(1, "[%d] pm_runtime_resume_and_get failed:%d", + ctx->id, ret); + +- return 0; ++ return ret; + } + + static void *mtk_mdp_m2m_buf_remove(struct mtk_mdp_ctx *ctx, +-- +2.26.2 + diff --git a/patches.suse/media-mtk-vcodec-fix-PM-runtime-get-logic.patch b/patches.suse/media-mtk-vcodec-fix-PM-runtime-get-logic.patch new file mode 100644 index 0000000..f2d68e3 --- /dev/null +++ b/patches.suse/media-mtk-vcodec-fix-PM-runtime-get-logic.patch @@ -0,0 +1,77 @@ +From 908711f542c17fe61e5d653da1beb8e5ab5c7b50 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 23 Apr 2021 17:19:09 +0200 +Subject: [PATCH] media: mtk-vcodec: fix PM runtime get logic +Git-commit: 908711f542c17fe61e5d653da1beb8e5ab5c7b50 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Currently, the driver just assumes that PM runtime logic +succeded resuming the device. + +That may not be the case, as pm_runtime_get_sync() +can fail (but keeping the usage count incremented). + +Replace the code to use pm_runtime_resume_and_get(), +and letting it return the error code. + +This way, if mtk_vcodec_dec_pw_on() fails, the logic +under fops_vcodec_open() will do the right thing and +return an error, instead of just assuming that the +device is ready to be used. + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c | 4 +++- + drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c | 8 +++++--- + drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h | 2 +- + 3 files changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c ++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c +@@ -142,7 +142,9 @@ static int fops_vcodec_open(struct file + mtk_vcodec_dec_set_default_params(ctx); + + if (v4l2_fh_is_singular(&ctx->fh)) { +- mtk_vcodec_dec_pw_on(&dev->pm); ++ ret = mtk_vcodec_dec_pw_on(&dev->pm); ++ if (ret < 0) ++ goto err_load_fw; + /* + * vpu_load_firmware checks if it was loaded already and + * does nothing in that case +--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c ++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c +@@ -89,13 +89,15 @@ void mtk_vcodec_release_dec_pm(struct mt + put_device(dev->pm.larbvdec); + } + +-void mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm) ++int mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm) + { + int ret; + +- ret = pm_runtime_get_sync(pm->dev); ++ ret = pm_runtime_resume_and_get(pm->dev); + if (ret) +- mtk_v4l2_err("pm_runtime_get_sync fail %d", ret); ++ mtk_v4l2_err("pm_runtime_resume_and_get fail %d", ret); ++ ++ return ret; + } + + void mtk_vcodec_dec_pw_off(struct mtk_vcodec_pm *pm) +--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h ++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h +@@ -12,7 +12,7 @@ + int mtk_vcodec_init_dec_pm(struct mtk_vcodec_dev *dev); + void mtk_vcodec_release_dec_pm(struct mtk_vcodec_dev *dev); + +-void mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm); ++int mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm); + void mtk_vcodec_dec_pw_off(struct mtk_vcodec_pm *pm); + void mtk_vcodec_dec_clock_on(struct mtk_vcodec_pm *pm); + void mtk_vcodec_dec_clock_off(struct mtk_vcodec_pm *pm); diff --git a/patches.suse/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch b/patches.suse/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch new file mode 100644 index 0000000..b8b251b --- /dev/null +++ b/patches.suse/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch @@ -0,0 +1,60 @@ +From f8194e5e63fdcb349e8da9eef9e574d5b1d687cb Mon Sep 17 00:00:00 2001 +From: Anirudh Rayabharam +Date: Tue, 4 May 2021 19:08:58 +0200 +Subject: [PATCH] media: pvrusb2: fix warning in pvr2_i2c_core_done +Git-commit: f8194e5e63fdcb349e8da9eef9e574d5b1d687cb +Patch-mainline: v5.14-rc1 +References: git-fixes + +syzbot has reported the following warning in pvr2_i2c_done: + + sysfs group 'power' not found for kobject '1-0043' + +When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is +not unregistered along with the USB and v4l2 teardown. As part of the USB +device disconnect, the sysfs files of the subdevices are also deleted. +So, by the time pvr_i2c_core_done is called by pvr_context_destroy, the +sysfs files have been deleted. + +To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make +the device deregistration code shared by calling pvr_hdw_disconnect from +pvr2_hdw_destroy. + +Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com +Tested-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Anirudh Rayabharam +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +index f4a727918e35..d38dee1792e4 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -2676,9 +2676,8 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw) + pvr2_stream_destroy(hdw->vid_stream); + hdw->vid_stream = NULL; + } +- pvr2_i2c_core_done(hdw); + v4l2_device_unregister(&hdw->v4l2_dev); +- pvr2_hdw_remove_usb_stuff(hdw); ++ pvr2_hdw_disconnect(hdw); + mutex_lock(&pvr2_unit_mtx); + do { + if ((hdw->unit_number >= 0) && +@@ -2705,6 +2704,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw) + { + pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw); + LOCK_TAKE(hdw->big_lock); ++ pvr2_i2c_core_done(hdw); + LOCK_TAKE(hdw->ctl_lock); + pvr2_hdw_remove_usb_stuff(hdw); + LOCK_GIVE(hdw->ctl_lock); +-- +2.26.2 + diff --git a/patches.suse/media-s5p-jpeg-fix-pm_runtime_get_sync-usage-count.patch b/patches.suse/media-s5p-jpeg-fix-pm_runtime_get_sync-usage-count.patch new file mode 100644 index 0000000..c8cf323 --- /dev/null +++ b/patches.suse/media-s5p-jpeg-fix-pm_runtime_get_sync-usage-count.patch @@ -0,0 +1,49 @@ +From 10343de268d10cf07b092b8b525e12ad558ead77 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 23 Apr 2021 17:19:10 +0200 +Subject: [PATCH] media: s5p-jpeg: fix pm_runtime_get_sync() usage count +Git-commit: 10343de268d10cf07b092b8b525e12ad558ead77 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The pm_runtime_get_sync() internally increments the +dev->power.usage_count without decrementing it, even on errors. +Replace it by the new pm_runtime_resume_and_get(), introduced by: +commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter") +in order to properly decrement the usage counter, avoiding +a potential PM usage counter leak. + +As a plus, pm_runtime_resume_and_get() doesn't return +positive numbers, so the return code validation can +be removed. + +Reviewed-by: Jonathan Cameron +Reviewed-by: Sylwester Nawrocki +Acked-by: Andrzej Pietrasiewicz +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/s5p-jpeg/jpeg-core.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c +index 026111505f5a..d402e456f27d 100644 +--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c ++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c +@@ -2566,11 +2566,8 @@ static void s5p_jpeg_buf_queue(struct vb2_buffer *vb) + static int s5p_jpeg_start_streaming(struct vb2_queue *q, unsigned int count) + { + struct s5p_jpeg_ctx *ctx = vb2_get_drv_priv(q); +- int ret; +- +- ret = pm_runtime_get_sync(ctx->jpeg->dev); + +- return ret > 0 ? 0 : ret; ++ return pm_runtime_resume_and_get(ctx->jpeg->dev); + } + + static void s5p_jpeg_stop_streaming(struct vb2_queue *q) +-- +2.26.2 + diff --git a/patches.suse/media-sh_vou-fix-pm_runtime_get_sync-usage-count.patch b/patches.suse/media-sh_vou-fix-pm_runtime_get_sync-usage-count.patch new file mode 100644 index 0000000..81402c5 --- /dev/null +++ b/patches.suse/media-sh_vou-fix-pm_runtime_get_sync-usage-count.patch @@ -0,0 +1,45 @@ +From 6e8b1526db164c9d4b9dacfb9bc48e365d7c4860 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 23 Apr 2021 17:07:41 +0200 +Subject: [PATCH] media: sh_vou: fix pm_runtime_get_sync() usage count +Git-commit: 6e8b1526db164c9d4b9dacfb9bc48e365d7c4860 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The pm_runtime_get_sync() internally increments the +dev->power.usage_count without decrementing it, even on errors. +Replace it by the new pm_runtime_resume_and_get(), introduced by: +commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter") +in order to properly decrement the usage counter, avoiding +a potential PM usage counter leak. + +While here, check if the PM runtime error was caught at open time. + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/sh_vou.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/sh_vou.c b/drivers/media/platform/sh_vou.c +index 4ac48441f22c..ca4310e26c49 100644 +--- a/drivers/media/platform/sh_vou.c ++++ b/drivers/media/platform/sh_vou.c +@@ -1133,7 +1133,11 @@ static int sh_vou_open(struct file *file) + if (v4l2_fh_is_singular_file(file) && + vou_dev->status == SH_VOU_INITIALISING) { + /* First open */ +- pm_runtime_get_sync(vou_dev->v4l2_dev.dev); ++ err = pm_runtime_resume_and_get(vou_dev->v4l2_dev.dev); ++ if (err < 0) { ++ v4l2_fh_release(file); ++ goto done_open; ++ } + err = sh_vou_hw_init(vou_dev); + if (err < 0) { + pm_runtime_put(vou_dev->v4l2_dev.dev); +-- +2.26.2 + diff --git a/patches.suse/media-siano-fix-device-register-error-path.patch b/patches.suse/media-siano-fix-device-register-error-path.patch new file mode 100644 index 0000000..0f31279 --- /dev/null +++ b/patches.suse/media-siano-fix-device-register-error-path.patch @@ -0,0 +1,39 @@ +From 5368b1ee2939961a16e74972b69088433fc52195 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Thu, 10 Jun 2021 08:57:02 +0200 +Subject: [PATCH] media: siano: fix device register error path +Git-commit: 5368b1ee2939961a16e74972b69088433fc52195 +Patch-mainline: v5.14-rc1 +References: git-fixes + +As reported by smatch: + drivers/media/common/siano/smsdvb-main.c:1231 smsdvb_hotplug() warn: '&client->entry' not removed from list + +If an error occur at the end of the registration logic, it won't +drop the device from the list. + +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/common/siano/smsdvb-main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/common/siano/smsdvb-main.c b/drivers/media/common/siano/smsdvb-main.c +index b8a163a47d09..f80caaa333da 100644 +--- a/drivers/media/common/siano/smsdvb-main.c ++++ b/drivers/media/common/siano/smsdvb-main.c +@@ -1212,6 +1212,10 @@ static int smsdvb_hotplug(struct smscore_device_t *coredev, + return 0; + + media_graph_error: ++ mutex_lock(&g_smsdvb_clientslock); ++ list_del(&client->entry); ++ mutex_unlock(&g_smsdvb_clientslock); ++ + smsdvb_debugfs_release(client); + + client_error: +-- +2.26.2 + diff --git a/patches.suse/media-st-hva-Fix-potential-NULL-pointer-dereferences.patch b/patches.suse/media-st-hva-Fix-potential-NULL-pointer-dereferences.patch new file mode 100644 index 0000000..d1bc12a --- /dev/null +++ b/patches.suse/media-st-hva-Fix-potential-NULL-pointer-dereferences.patch @@ -0,0 +1,40 @@ +From b7fdd208687ba59ebfb09b2199596471c63b69e3 Mon Sep 17 00:00:00 2001 +From: Evgeny Novikov +Date: Wed, 19 May 2021 14:04:49 +0200 +Subject: [PATCH] media: st-hva: Fix potential NULL pointer dereferences +Git-commit: b7fdd208687ba59ebfb09b2199596471c63b69e3 +Patch-mainline: v5.14-rc1 +References: git-fixes + +When ctx_id >= HVA_MAX_INSTANCES in hva_hw_its_irq_thread() it tries to +access fields of ctx that is NULL at that point. The patch gets rid of +these accesses. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/sti/hva/hva-hw.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c +index 77b8bfa5e0c5..30fb1aa4a351 100644 +--- a/drivers/media/platform/sti/hva/hva-hw.c ++++ b/drivers/media/platform/sti/hva/hva-hw.c +@@ -130,8 +130,7 @@ static irqreturn_t hva_hw_its_irq_thread(int irq, void *arg) + ctx_id = (hva->sts_reg & 0xFF00) >> 8; + if (ctx_id >= HVA_MAX_INSTANCES) { + dev_err(dev, "%s %s: bad context identifier: %d\n", +- ctx->name, __func__, ctx_id); +- ctx->hw_err = true; ++ HVA_PREFIX, __func__, ctx_id); + goto out; + } + +-- +2.26.2 + diff --git a/patches.suse/media-sti-bdisp-fix-pm_runtime_get_sync-usage-count.patch b/patches.suse/media-sti-bdisp-fix-pm_runtime_get_sync-usage-count.patch new file mode 100644 index 0000000..6b6ac07 --- /dev/null +++ b/patches.suse/media-sti-bdisp-fix-pm_runtime_get_sync-usage-count.patch @@ -0,0 +1,62 @@ +From c44eac5b72e23c31eefc0e10a71d9650036b8341 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 23 Apr 2021 17:19:21 +0200 +Subject: [PATCH] media: sti/bdisp: fix pm_runtime_get_sync() usage count +Git-commit: c44eac5b72e23c31eefc0e10a71d9650036b8341 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The pm_runtime_get_sync() internally increments the +dev->power.usage_count without decrementing it, even on errors. + +The bdisp_start_streaming() doesn't take it into account, which +would unbalance PM usage counter at bdisp_stop_streaming(). + +The logic at bdisp_probe() is correct, but the best is to use +the same call along the driver. + +So, replace it by the new pm_runtime_resume_and_get(), introduced by: +commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter") +in order to properly decrement the usage counter, avoiding +a potential PM usage counter leak. + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +@@ -499,7 +499,7 @@ static int bdisp_start_streaming(struct + { + struct bdisp_ctx *ctx = q->drv_priv; + struct vb2_v4l2_buffer *buf; +- int ret = pm_runtime_get_sync(ctx->bdisp_dev->dev); ++ int ret = pm_runtime_resume_and_get(ctx->bdisp_dev->dev); + + if (ret < 0) { + dev_err(ctx->bdisp_dev->dev, "failed to set runtime PM\n"); +@@ -1368,10 +1368,10 @@ static int bdisp_probe(struct platform_d + + /* Power management */ + pm_runtime_enable(dev); +- ret = pm_runtime_get_sync(dev); ++ ret = pm_runtime_resume_and_get(dev); + if (ret < 0) { + dev_err(dev, "failed to set PM\n"); +- goto err_pm; ++ goto err_remove; + } + + /* Filters */ +@@ -1399,6 +1399,7 @@ err_filter: + bdisp_hw_free_filters(bdisp->dev); + err_pm: + pm_runtime_put(dev); ++err_remove: + bdisp_debugfs_remove(bdisp); + err_v4l2: + v4l2_device_unregister(&bdisp->v4l2_dev); diff --git a/patches.suse/media-sti-fix-obj-config-targets.patch b/patches.suse/media-sti-fix-obj-config-targets.patch new file mode 100644 index 0000000..769f8c9 --- /dev/null +++ b/patches.suse/media-sti-fix-obj-config-targets.patch @@ -0,0 +1,58 @@ +From 56c1f0876293888f686e31278d183d4af2cac3c3 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 18 May 2021 11:26:31 +0200 +Subject: [PATCH] media: sti: fix obj-$(config) targets +Git-commit: 56c1f0876293888f686e31278d183d4af2cac3c3 +Patch-mainline: v5.14-rc1 +References: git-fixes + +The right thing to do is to add a new object to the building +system when a certain config option is selected, and *not* +override them. + +So, fix obj-$(config) logic at sti makefiles, using "+=", +instead of ":=". + +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/sti/bdisp/Makefile | 2 +- + drivers/media/platform/sti/delta/Makefile | 2 +- + drivers/media/platform/sti/hva/Makefile | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/sti/bdisp/Makefile b/drivers/media/platform/sti/bdisp/Makefile +index caf7ccd193ea..39ade0a34723 100644 +--- a/drivers/media/platform/sti/bdisp/Makefile ++++ b/drivers/media/platform/sti/bdisp/Makefile +@@ -1,4 +1,4 @@ + # SPDX-License-Identifier: GPL-2.0-only +-obj-$(CONFIG_VIDEO_STI_BDISP) := bdisp.o ++obj-$(CONFIG_VIDEO_STI_BDISP) += bdisp.o + + bdisp-objs := bdisp-v4l2.o bdisp-hw.o bdisp-debug.o +diff --git a/drivers/media/platform/sti/delta/Makefile b/drivers/media/platform/sti/delta/Makefile +index 92b37e216f00..32412fa4c632 100644 +--- a/drivers/media/platform/sti/delta/Makefile ++++ b/drivers/media/platform/sti/delta/Makefile +@@ -1,5 +1,5 @@ + # SPDX-License-Identifier: GPL-2.0-only +-obj-$(CONFIG_VIDEO_STI_DELTA_DRIVER) := st-delta.o ++obj-$(CONFIG_VIDEO_STI_DELTA_DRIVER) += st-delta.o + st-delta-y := delta-v4l2.o delta-mem.o delta-ipc.o delta-debug.o + + # MJPEG support +diff --git a/drivers/media/platform/sti/hva/Makefile b/drivers/media/platform/sti/hva/Makefile +index 74b41ec52f97..b5a5478bdd01 100644 +--- a/drivers/media/platform/sti/hva/Makefile ++++ b/drivers/media/platform/sti/hva/Makefile +@@ -1,4 +1,4 @@ + # SPDX-License-Identifier: GPL-2.0-only +-obj-$(CONFIG_VIDEO_STI_HVA) := st-hva.o ++obj-$(CONFIG_VIDEO_STI_HVA) += st-hva.o + st-hva-y := hva-v4l2.o hva-hw.o hva-mem.o hva-h264.o + st-hva-$(CONFIG_VIDEO_STI_HVA_DEBUGFS) += hva-debugfs.o +-- +2.26.2 + diff --git a/patches.suse/media-v4l2-core-Avoid-the-dangling-pointer-in-v4l2_f.patch b/patches.suse/media-v4l2-core-Avoid-the-dangling-pointer-in-v4l2_f.patch new file mode 100644 index 0000000..f84cd59 --- /dev/null +++ b/patches.suse/media-v4l2-core-Avoid-the-dangling-pointer-in-v4l2_f.patch @@ -0,0 +1,39 @@ +From 7dd0c9e547b6924e18712b6b51aa3cba1896ee2c Mon Sep 17 00:00:00 2001 +From: Lv Yunlong +Date: Sun, 9 May 2021 10:24:02 +0200 +Subject: [PATCH] media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release +Git-commit: 7dd0c9e547b6924e18712b6b51aa3cba1896ee2c +Patch-mainline: v5.14-rc1 +References: git-fixes + +A use after free bug caused by the dangling pointer +filp->privitate_data in v4l2_fh_release. +See https://lore.kernel.org/patchwork/patch/1419058/. + +My patch sets the dangling pointer to NULL to provide +robust. + +Signed-off-by: Lv Yunlong +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/v4l2-core/v4l2-fh.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/v4l2-core/v4l2-fh.c b/drivers/media/v4l2-core/v4l2-fh.c +index 684574f58e82..90eec79ee995 100644 +--- a/drivers/media/v4l2-core/v4l2-fh.c ++++ b/drivers/media/v4l2-core/v4l2-fh.c +@@ -96,6 +96,7 @@ int v4l2_fh_release(struct file *filp) + v4l2_fh_del(fh); + v4l2_fh_exit(fh); + kfree(fh); ++ filp->private_data = NULL; + } + return 0; + } +-- +2.26.2 + diff --git a/patches.suse/memstick-rtsx_usb_ms-fix-UAF.patch b/patches.suse/memstick-rtsx_usb_ms-fix-UAF.patch new file mode 100644 index 0000000..2c4f06a --- /dev/null +++ b/patches.suse/memstick-rtsx_usb_ms-fix-UAF.patch @@ -0,0 +1,89 @@ +From 42933c8aa14be1caa9eda41f65cde8a3a95d3e39 Mon Sep 17 00:00:00 2001 +From: Tong Zhang +Date: Tue, 11 May 2021 12:39:45 -0400 +Subject: [PATCH] memstick: rtsx_usb_ms: fix UAF +Git-commit: 42933c8aa14be1caa9eda41f65cde8a3a95d3e39 +Patch-mainline: v5.14-rc1 +References: git-fixes + +This patch fixes the following issues: +1. memstick_free_host() will free the host, so the use of ms_dev(host) after +it will be a problem. To fix this, move memstick_free_host() after when we +are done with ms_dev(host). +2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove +and free host otherwise memstick_check will be called and UAF will +happen. + +[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms] +[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms] +[ 11.357376] platform_remove+0x2a/0x50 +[ 11.367531] Freed by task 298: +[ 11.368537] kfree+0xa4/0x2a0 +[ 11.368711] device_release+0x51/0xe0 +[ 11.368905] kobject_put+0xa2/0x120 +[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms] +[ 11.369386] platform_remove+0x2a/0x50 + +[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0 +[ 12.045432] mutex_lock+0xc9/0xd0 +[ 12.046080] memstick_check+0x6a/0x578 [memstick] +[ 12.046509] process_one_work+0x46d/0x750 +[ 12.052107] Freed by task 297: +[ 12.053115] kfree+0xa4/0x2a0 +[ 12.053272] device_release+0x51/0xe0 +[ 12.053463] kobject_put+0xa2/0x120 +[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms] +[ 12.053939] platform_remove+0x2a/0x50 + +Signed-off-by: Tong Zhang +Co-developed-by: Ulf Hansson +Link: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/memstick/host/rtsx_usb_ms.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/memstick/host/rtsx_usb_ms.c b/drivers/memstick/host/rtsx_usb_ms.c +index 102dbb8080da..29271ad4728a 100644 +--- a/drivers/memstick/host/rtsx_usb_ms.c ++++ b/drivers/memstick/host/rtsx_usb_ms.c +@@ -799,9 +799,9 @@ static int rtsx_usb_ms_drv_probe(struct platform_device *pdev) + + return 0; + err_out: +- memstick_free_host(msh); + pm_runtime_disable(ms_dev(host)); + pm_runtime_put_noidle(ms_dev(host)); ++ memstick_free_host(msh); + return err; + } + +@@ -828,9 +828,6 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev) + } + mutex_unlock(&host->host_mutex); + +- memstick_remove_host(msh); +- memstick_free_host(msh); +- + /* Balance possible unbalanced usage count + * e.g. unconditional module removal + */ +@@ -838,10 +835,11 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev) + pm_runtime_put(ms_dev(host)); + + pm_runtime_disable(ms_dev(host)); +- platform_set_drvdata(pdev, NULL); +- ++ memstick_remove_host(msh); + dev_dbg(ms_dev(host), + ": Realtek USB Memstick controller has been removed\n"); ++ memstick_free_host(msh); ++ platform_set_drvdata(pdev, NULL); + + return 0; + } +-- +2.26.2 + diff --git a/patches.suse/mm-futex-fix-shared-futex-pgoff-on-shmem-huge-page.patch b/patches.suse/mm-futex-fix-shared-futex-pgoff-on-shmem-huge-page.patch new file mode 100644 index 0000000..c453cca --- /dev/null +++ b/patches.suse/mm-futex-fix-shared-futex-pgoff-on-shmem-huge-page.patch @@ -0,0 +1,165 @@ +From 2a5d66e6b8f012e3c7bbf6d3b285427fb2f8b31b Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Thu, 24 Jun 2021 18:39:52 -0700 +Subject: [PATCH] mm, futex: fix shared futex pgoff on shmem huge page + +References: git fixes (kernel/futex) +Patch-mainline: v5.13 +Git-commit: fe19bd3dae3d15d2fbfdb3de8839a6ea0fe94264 + +If more than one futex is placed on a shmem huge page, it can happen +that waking the second wakes the first instead, and leaves the second +waiting: the key's shared.pgoff is wrong. + +When 3.11 commit 13d60f4b6ab5 ("futex: Take hugepages into account when +generating futex_key"), the only shared huge pages came from hugetlbfs, +and the code added to deal with its exceptional page->index was put into +hugetlb source. Then that was missed when 4.8 added shmem huge pages. + +page_to_pgoff() is what others use for this nowadays: except that, as +currently written, it gives the right answer on hugetlbfs head, but +nonsense on hugetlbfs tails. Fix that by calling hugetlbfs-specific +hugetlb_basepage_index() on PageHuge tails as well as on head. + +Yes, it's unconventional to declare hugetlb_basepage_index() there in +pagemap.h, rather than in hugetlb.h; but I do not expect anything but +page_to_pgoff() ever to need it. + +[akpm@linux-foundation.org: give hugetlb_basepage_index() prototype the correct scope] + +Link: https://lkml.kernel.org/r/b17d946b-d09-326e-b42a-52884c36df32@google.com +Fixes: 800d8c63b2e9 ("shmem: add huge pages support") +Reported-by: Neel Natu +Signed-off-by: Hugh Dickins +Reviewed-by: Matthew Wilcox (Oracle) +Acked-by: Thomas Gleixner +Cc: "Kirill A. Shutemov" +Cc: Zhang Yi +Cc: Mel Gorman +Cc: Mike Kravetz +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: Darren Hart +Cc: Davidlohr Bueso +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Mel Gorman +--- + include/linux/hugetlb.h | 16 ---------------- + include/linux/pagemap.h | 13 +++++++------ + kernel/futex.c | 3 +-- + mm/hugetlb.c | 5 +---- + 4 files changed, 9 insertions(+), 28 deletions(-) + +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h +index 6f9b773eddfc..be0727b09dd2 100644 +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -467,17 +467,6 @@ static inline int hstate_index(struct hstate *h) + return h - hstates; + } + +-pgoff_t __basepage_index(struct page *page); +- +-/* Return page->index in PAGE_SIZE units */ +-static inline pgoff_t basepage_index(struct page *page) +-{ +- if (!PageCompound(page)) +- return page->index; +- +- return __basepage_index(page); +-} +- + extern int dissolve_free_huge_page(struct page *page); + extern int dissolve_free_huge_pages(unsigned long start_pfn, + unsigned long end_pfn); +@@ -698,11 +687,6 @@ static inline int hstate_index(struct hstate *h) + return 0; + } + +-static inline pgoff_t basepage_index(struct page *page) +-{ +- return page->index; +-} +- + static inline int dissolve_free_huge_page(struct page *page) + { + return 0; +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h +index c597023de4aa..f0ab42ce4f03 100644 +--- a/include/linux/pagemap.h ++++ b/include/linux/pagemap.h +@@ -385,7 +385,7 @@ static inline struct page *read_mapping_page(struct address_space *mapping, + } + + /* +- * Get index of the page with in radix-tree ++ * Get index of the page within radix-tree (but not for hugetlb pages). + * (TODO: remove once hugetlb pages will have ->index in PAGE_SIZE) + */ + static inline pgoff_t page_to_index(struct page *page) +@@ -404,15 +404,16 @@ static inline pgoff_t page_to_index(struct page *page) + return pgoff; + } + ++extern pgoff_t hugetlb_basepage_index(struct page *page); ++ + /* +- * Get the offset in PAGE_SIZE. +- * (TODO: hugepage should have ->index in PAGE_SIZE) ++ * Get the offset in PAGE_SIZE (even for hugetlb pages). ++ * (TODO: hugetlb pages should have ->index in PAGE_SIZE) + */ + static inline pgoff_t page_to_pgoff(struct page *page) + { +- if (unlikely(PageHeadHuge(page))) +- return page->index << compound_order(page); +- ++ if (unlikely(PageHuge(page))) ++ return hugetlb_basepage_index(page); + return page_to_index(page); + } + +diff --git a/kernel/futex.c b/kernel/futex.c +index 9523e0127113..05912a31f209 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -35,7 +35,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -647,7 +646,7 @@ static int get_futex_key(u32 __user *uaddr, bool fshared, union futex_key *key, + + key->both.offset |= FUT_OFF_INODE; /* inode-based key */ + key->shared.i_seq = get_inode_sequence_number(inode); +- key->shared.pgoff = basepage_index(tail); ++ key->shared.pgoff = page_to_pgoff(tail); + rcu_read_unlock(); + } + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 57eea8860bd7..440ff06a4ab8 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -1340,15 +1340,12 @@ int PageHeadHuge(struct page *page_head) + return get_compound_page_dtor(page_head) == free_huge_page; + } + +-pgoff_t __basepage_index(struct page *page) ++pgoff_t hugetlb_basepage_index(struct page *page) + { + struct page *page_head = compound_head(page); + pgoff_t index = page_index(page_head); + unsigned long compound_idx; + +- if (!PageHuge(page_head)) +- return page_index(page); +- + if (compound_order(page_head) >= MAX_ORDER) + compound_idx = page_to_pfn(page) - page_to_pfn(page_head); + else diff --git a/patches.suse/mmc-sdhci-sprd-use-sdhci_sprd_writew.patch b/patches.suse/mmc-sdhci-sprd-use-sdhci_sprd_writew.patch new file mode 100644 index 0000000..5d65734 --- /dev/null +++ b/patches.suse/mmc-sdhci-sprd-use-sdhci_sprd_writew.patch @@ -0,0 +1,37 @@ +From 961470820021e6f9d74db4837bd6831a1a30341b Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 1 Jun 2021 11:54:03 +0200 +Subject: [PATCH] mmc: sdhci-sprd: use sdhci_sprd_writew +Git-commit: 961470820021e6f9d74db4837bd6831a1a30341b +Patch-mainline: v5.14-rc1 +References: git-fixes + +The sdhci_sprd_writew() was defined by never used in sdhci_ops: + + drivers/mmc/host/sdhci-sprd.c:134:20: warning: unused function 'sdhci_sprd_writew' + +Reported-by: kernel test robot +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20210601095403.236007-2-krzysztof.kozlowski@canonical.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/sdhci-sprd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/sdhci-sprd.c b/drivers/mmc/host/sdhci-sprd.c +index 5dc36efff47f..11e375579cfb 100644 +--- a/drivers/mmc/host/sdhci-sprd.c ++++ b/drivers/mmc/host/sdhci-sprd.c +@@ -393,6 +393,7 @@ static void sdhci_sprd_request_done(struct sdhci_host *host, + static struct sdhci_ops sdhci_sprd_ops = { + .read_l = sdhci_sprd_readl, + .write_l = sdhci_sprd_writel, ++ .write_w = sdhci_sprd_writew, + .write_b = sdhci_sprd_writeb, + .set_clock = sdhci_sprd_set_clock, + .get_max_clock = sdhci_sprd_get_max_clock, +-- +2.26.2 + diff --git a/patches.suse/mmc-via-sdmmc-add-a-check-against-NULL-pointer-deref.patch b/patches.suse/mmc-via-sdmmc-add-a-check-against-NULL-pointer-deref.patch new file mode 100644 index 0000000..bb37e17 --- /dev/null +++ b/patches.suse/mmc-via-sdmmc-add-a-check-against-NULL-pointer-deref.patch @@ -0,0 +1,130 @@ +From 45c8ddd06c4b729c56a6083ab311bfbd9643f4a6 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Thu, 3 Jun 2021 13:33:20 +0000 +Subject: [PATCH] mmc: via-sdmmc: add a check against NULL pointer dereference +Git-commit: 45c8ddd06c4b729c56a6083ab311bfbd9643f4a6 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Before referencing 'host->data', the driver needs to check whether it is +null pointer, otherwise it will cause a null pointer reference. + +This log reveals it: + +[ 29.355199] BUG: kernel NULL pointer dereference, address: +0000000000000014 +[ 29.357323] #PF: supervisor write access in kernel mode +[ 29.357706] #PF: error_code(0x0002) - not-present page +[ 29.358088] PGD 0 P4D 0 +[ 29.358280] Oops: 0002 [#1] PREEMPT SMP PTI +[ 29.358595] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4- +g70e7f0549188-dirty #102 +[ 29.359164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), +BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 29.359978] RIP: 0010:via_sdc_isr+0x21f/0x410 +[ 29.360314] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00 +10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43 +18 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77 +[ 29.361661] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046 +[ 29.362042] RAX: 0000000000000000 RBX: ffff888107d77880 +Rcx: 0000000000000000 +[ 29.362564] RDX: 0000000000000000 RSI: ffffffff835d20bb +Rdi: 00000000ffffffff +[ 29.363085] RBP: ffffc90000118ed8 R08: 0000000000000001 +R09: 0000000000000001 +[ 29.363604] R10: 0000000000000000 R11: 0000000000000001 +R12: 0000000000008600 +[ 29.364128] R13: ffff888107d779c8 R14: ffffc90009c00200 +R15: 0000000000008000 +[ 29.364651] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) +knlGS:0000000000000000 +[ 29.365235] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 29.365655] CR2: 0000000000000014 CR3: 0000000005a2e000 +Cr4: 00000000000006e0 +[ 29.366170] DR0: 0000000000000000 DR1: 0000000000000000 +Dr2: 0000000000000000 +[ 29.366683] DR3: 0000000000000000 DR6: 00000000fffe0ff0 +Dr7: 0000000000000400 +[ 29.367197] Call Trace: +[ 29.367381] +[ 29.367537] __handle_irq_event_percpu+0x53/0x3e0 +[ 29.367916] handle_irq_event_percpu+0x35/0x90 +[ 29.368247] handle_irq_event+0x39/0x60 +[ 29.368632] handle_fasteoi_irq+0xc2/0x1d0 +[ 29.368950] __common_interrupt+0x7f/0x150 +[ 29.369254] common_interrupt+0xb4/0xd0 +[ 29.369547] +[ 29.369708] asm_common_interrupt+0x1e/0x40 +[ 29.370016] RIP: 0010:native_safe_halt+0x17/0x20 +[ 29.370360] Code: 07 0f 00 2d db 80 43 00 f4 5d c3 0f 1f 84 00 00 00 +00 00 8b 05 c2 37 e5 01 55 48 89 e5 85 c0 7e 07 0f 00 2d bb 80 43 00 fb +f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d f9 91 +[ 29.371696] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246 +[ 29.372079] RAX: 0000000000000000 RBX: 0000000000000002 +[ 29.372595] RDX: 0000000000000000 RSI: ffffffff854f67a4 +Rdi: ffffffff85403406 +[ 29.373122] RBP: ffffc9000008fe90 R08: 0000000000000001 +[ 29.373646] R10: 0000000000000000 R11: 0000000000000001 +R12: ffffffff86009188 +[ 29.374160] R13: 0000000000000000 R14: 0000000000000000 +R15: ffff888100258000 +[ 29.374690] default_idle+0x9/0x10 +[ 29.374944] arch_cpu_idle+0xa/0x10 +[ 29.375198] default_idle_call+0x6e/0x250 +[ 29.375491] do_idle+0x1f0/0x2d0 +[ 29.375740] cpu_startup_entry+0x18/0x20 +[ 29.376034] start_secondary+0x11f/0x160 +[ 29.376328] secondary_startup_64_no_verify+0xb0/0xbb +[ 29.376705] Modules linked in: +[ 29.376939] Dumping ftrace buffer: +[ 29.377187] (ftrace buffer empty) +[ 29.377460] CR2: 0000000000000014 +[ 29.377712] ---[ end trace 51a473dffb618c47 ]--- +[ 29.378056] RIP: 0010:via_sdc_isr+0x21f/0x410 +[ 29.378380] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00 +10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43 +18 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77 +[ 29.379714] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046 +[ 29.380098] RAX: 0000000000000000 RBX: ffff888107d77880 +[ 29.380614] RDX: 0000000000000000 RSI: ffffffff835d20bb +[ 29.381134] RBP: ffffc90000118ed8 R08: 0000000000000001 +[ 29.381653] R10: 0000000000000000 R11: 0000000000000001 +[ 29.382176] R13: ffff888107d779c8 R14: ffffc90009c00200 +[ 29.382697] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) +knlGS:0000000000000000 +[ 29.383277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 29.383697] CR2: 0000000000000014 CR3: 0000000005a2e000 +[ 29.384223] DR0: 0000000000000000 DR1: 0000000000000000 +[ 29.384736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 +[ 29.385260] Kernel panic - not syncing: Fatal exception in interrupt +[ 29.385882] Dumping ftrace buffer: +[ 29.386135] (ftrace buffer empty) +[ 29.386401] Kernel Offset: disabled +[ 29.386656] Rebooting in 1 seconds.. + +Signed-off-by: Zheyu Ma +Link: https://lore.kernel.org/r/1622727200-15808-1-git-send-email-zheyuma97@gmail.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/via-sdmmc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c +index a1d098560099..c32df5530b94 100644 +--- a/drivers/mmc/host/via-sdmmc.c ++++ b/drivers/mmc/host/via-sdmmc.c +@@ -857,6 +857,9 @@ static void via_sdc_data_isr(struct via_crdr_mmc_host *host, u16 intmask) + { + BUG_ON(intmask == 0); + ++ if (!host->data) ++ return; ++ + if (intmask & VIA_CRDR_SDSTS_DT) + host->data->error = -ETIMEDOUT; + else if (intmask & (VIA_CRDR_SDSTS_RC | VIA_CRDR_SDSTS_WC)) +-- +2.26.2 + diff --git a/patches.suse/netfilter-x_tables-fix-compat-match-target-pad-out-o.patch b/patches.suse/netfilter-x_tables-fix-compat-match-target-pad-out-o.patch new file mode 100644 index 0000000..7cdf257 --- /dev/null +++ b/patches.suse/netfilter-x_tables-fix-compat-match-target-pad-out-o.patch @@ -0,0 +1,99 @@ +From: Florian Westphal +Date: Wed, 7 Apr 2021 21:38:57 +0200 +Subject: netfilter: x_tables: fix compat match/target pad out-of-bound write +Patch-mainline: v5.12-rc8 +Git-commit: b29c457a6511435960115c0f548c4360d5f4801d +References: CVE-2021-22555 bsc#1188116 + +xt_compat_match/target_from_user doesn't check that zeroing the area +to start of next rule won't write past end of allocated ruleset blob. + +Remove this code and zero the entire blob beforehand. + +Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com +Reported-by: Andy Nguyen +Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Acked-by: Michal Kubecek + +--- + net/ipv4/netfilter/arp_tables.c | 2 ++ + net/ipv4/netfilter/ip_tables.c | 2 ++ + net/ipv6/netfilter/ip6_tables.c | 2 ++ + net/netfilter/x_tables.c | 10 ++-------- + 4 files changed, 8 insertions(+), 8 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1196,6 +1196,8 @@ static int translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_ARP_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1430,6 +1430,8 @@ translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1445,6 +1445,8 @@ translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -731,7 +731,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + { + const struct xt_match *match = m->u.kernel.match; + struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; +- int pad, off = xt_compat_match_offset(match); ++ int off = xt_compat_match_offset(match); + u_int16_t msize = cm->u.user.match_size; + char name[sizeof(m->u.user.name)]; + +@@ -741,9 +741,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + match->compat_from_user(m->data, cm->data); + else + memcpy(m->data, cm->data, msize - sizeof(*cm)); +- pad = XT_ALIGN(match->matchsize) - match->matchsize; +- if (pad > 0) +- memset(m->data + match->matchsize, 0, pad); + + msize += off; + m->u.user.match_size = msize; +@@ -1114,7 +1111,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + { + const struct xt_target *target = t->u.kernel.target; + struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; +- int pad, off = xt_compat_target_offset(target); ++ int off = xt_compat_target_offset(target); + u_int16_t tsize = ct->u.user.target_size; + char name[sizeof(t->u.user.name)]; + +@@ -1124,9 +1121,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + target->compat_from_user(t->data, ct->data); + else + memcpy(t->data, ct->data, tsize - sizeof(*ct)); +- pad = XT_ALIGN(target->targetsize) - target->targetsize; +- if (pad > 0) +- memset(t->data + target->targetsize, 0, pad); + + tsize += off; + t->u.user.target_size = tsize; diff --git a/patches.suse/platform-x86-toshiba_acpi-Fix-missing-error-code-in-.patch b/patches.suse/platform-x86-toshiba_acpi-Fix-missing-error-code-in-.patch new file mode 100644 index 0000000..c6532b8 --- /dev/null +++ b/patches.suse/platform-x86-toshiba_acpi-Fix-missing-error-code-in-.patch @@ -0,0 +1,41 @@ +From 28e367127718a9cb85d615a71e152f7acee41bfc Mon Sep 17 00:00:00 2001 +From: Jiapeng Chong +Date: Wed, 2 Jun 2021 18:05:48 +0800 +Subject: [PATCH] platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard() +Git-commit: 28e367127718a9cb85d615a71e152f7acee41bfc +Patch-mainline: v5.14-rc1 +References: git-fixes + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'error'. + +Eliminate the follow smatch warning: + +drivers/platform/x86/toshiba_acpi.c:2834 toshiba_acpi_setup_keyboard() +Warn: missing error code 'error'. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Link: https://lore.kernel.org/r/1622628348-87035-1-git-send-email-jiapeng.chong@linux.alibaba.com +Signed-off-by: Hans de Goede +Acked-by: Takashi Iwai + +--- + drivers/platform/x86/toshiba_acpi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c +index fa7232ad8c39..352508d30467 100644 +--- a/drivers/platform/x86/toshiba_acpi.c ++++ b/drivers/platform/x86/toshiba_acpi.c +@@ -2831,6 +2831,7 @@ static int toshiba_acpi_setup_keyboard(struct toshiba_acpi_dev *dev) + + if (!dev->info_supported && !dev->system_event_supported) { + pr_warn("No hotkey query interface found\n"); ++ error = -EINVAL; + goto err_remove_filter; + } + +-- +2.26.2 + diff --git a/patches.suse/random32-Fix-implicit-truncation-warning-in-prandom_.patch b/patches.suse/random32-Fix-implicit-truncation-warning-in-prandom_.patch new file mode 100644 index 0000000..2083b0d --- /dev/null +++ b/patches.suse/random32-Fix-implicit-truncation-warning-in-prandom_.patch @@ -0,0 +1,48 @@ +From d327ea15a305024ef0085252fa3657bbb1ce25f5 Mon Sep 17 00:00:00 2001 +From: Richard Fitzgerald +Date: Tue, 25 May 2021 13:20:12 +0100 +Subject: [PATCH] random32: Fix implicit truncation warning in prandom_seed_state() +Git-commit: d327ea15a305024ef0085252fa3657bbb1ce25f5 +Patch-mainline: v5.14-rc1 +References: git-fixes + +sparse generates the following warning: + + include/linux/prandom.h:114:45: sparse: sparse: cast truncates bits from + constant value + +This is because the 64-bit seed value is manipulated and then placed in a +u32, causing an implicit cast and truncation. A forced cast to u32 doesn't +prevent this warning, which is reasonable because a typecast doesn't prove +that truncation was expected. + +Logical-AND the value with 0xffffffff to make explicit that truncation to +32-bit is intended. + +Reported-by: kernel test robot +Signed-off-by: Richard Fitzgerald +Reviewed-by: Petr Mladek +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20210525122012.6336-3-rf@opensource.cirrus.com +Acked-by: Takashi Iwai + +--- + include/linux/prandom.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/prandom.h b/include/linux/prandom.h +index bbf4b4ad61df..056d31317e49 100644 +--- a/include/linux/prandom.h ++++ b/include/linux/prandom.h +@@ -111,7 +111,7 @@ static inline u32 __seed(u32 x, u32 m) + */ + static inline void prandom_seed_state(struct rnd_state *state, u64 seed) + { +- u32 i = (seed >> 32) ^ (seed << 10) ^ seed; ++ u32 i = ((seed >> 32) ^ (seed << 10) ^ seed) & 0xffffffffUL; + + state->s1 = __seed(i, 2U); + state->s2 = __seed(i, 8U); +-- +2.26.2 + diff --git a/patches.suse/regulator-da9052-Ensure-enough-delay-time-for-.set_v.patch b/patches.suse/regulator-da9052-Ensure-enough-delay-time-for-.set_v.patch new file mode 100644 index 0000000..c4bc00b --- /dev/null +++ b/patches.suse/regulator-da9052-Ensure-enough-delay-time-for-.set_v.patch @@ -0,0 +1,39 @@ +From a336dc8f683e5be794186b5643cd34cb28dd2c53 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Fri, 18 Jun 2021 22:14:11 +0800 +Subject: [PATCH] regulator: da9052: Ensure enough delay time for .set_voltage_time_sel +Git-commit: a336dc8f683e5be794186b5643cd34cb28dd2c53 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Use DIV_ROUND_UP to prevent truncation by integer division issue. +This ensures we return enough delay time. + +Also fix returning negative value when new_sel < old_sel. + +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210618141412.4014912-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/regulator/da9052-regulator.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/da9052-regulator.c b/drivers/regulator/da9052-regulator.c +index e18d291c7f21..23fa429ebe76 100644 +--- a/drivers/regulator/da9052-regulator.c ++++ b/drivers/regulator/da9052-regulator.c +@@ -250,7 +250,8 @@ static int da9052_regulator_set_voltage_time_sel(struct regulator_dev *rdev, + case DA9052_ID_BUCK3: + case DA9052_ID_LDO2: + case DA9052_ID_LDO3: +- ret = (new_sel - old_sel) * info->step_uV / 6250; ++ ret = DIV_ROUND_UP(abs(new_sel - old_sel) * info->step_uV, ++ 6250); + break; + } + +-- +2.26.2 + diff --git a/patches.suse/regulator-uniphier-Add-missing-MODULE_DEVICE_TABLE.patch b/patches.suse/regulator-uniphier-Add-missing-MODULE_DEVICE_TABLE.patch new file mode 100644 index 0000000..d1ab145 --- /dev/null +++ b/patches.suse/regulator-uniphier-Add-missing-MODULE_DEVICE_TABLE.patch @@ -0,0 +1,37 @@ +From d019f38a1af3c6015cde6a47951a3ec43beeed80 Mon Sep 17 00:00:00 2001 +From: Zou Wei +Date: Tue, 11 May 2021 11:53:18 +0800 +Subject: [PATCH] regulator: uniphier: Add missing MODULE_DEVICE_TABLE +Git-commit: d019f38a1af3c6015cde6a47951a3ec43beeed80 +Patch-mainline: v5.14-rc1 +References: git-fixes + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Link: https://lore.kernel.org/r/1620705198-104566-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/regulator/uniphier-regulator.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/uniphier-regulator.c b/drivers/regulator/uniphier-regulator.c +index 2e02e26b516c..e75b0973e325 100644 +--- a/drivers/regulator/uniphier-regulator.c ++++ b/drivers/regulator/uniphier-regulator.c +@@ -201,6 +201,7 @@ static const struct of_device_id uniphier_regulator_match[] = { + }, + { /* Sentinel */ }, + }; ++MODULE_DEVICE_TABLE(of, uniphier_regulator_match); + + static struct platform_driver uniphier_regulator_driver = { + .probe = uniphier_regulator_probe, +-- +2.26.2 + diff --git a/patches.suse/serial_cs-Add-Option-International-GSM-Ready-56K-ISD.patch b/patches.suse/serial_cs-Add-Option-International-GSM-Ready-56K-ISD.patch new file mode 100644 index 0000000..dd9cf91 --- /dev/null +++ b/patches.suse/serial_cs-Add-Option-International-GSM-Ready-56K-ISD.patch @@ -0,0 +1,36 @@ +From d495dd743d5ecd47288156e25c4d9163294a0992 Mon Sep 17 00:00:00 2001 +From: Ondrej Zary +Date: Fri, 11 Jun 2021 22:19:40 +0200 +Subject: [PATCH] serial_cs: Add Option International GSM-Ready 56K/ISDN modem +Git-commit: d495dd743d5ecd47288156e25c4d9163294a0992 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Add support for Option International GSM-Ready 56K/ISDN PCMCIA modem +card. + +Signed-off-by: Ondrej Zary +Cc: stable +Link: https://lore.kernel.org/r/20210611201940.23898-2-linux@zary.sk +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/8250/serial_cs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/8250/serial_cs.c b/drivers/tty/serial/8250/serial_cs.c +index 2f1d33ea26e1..dc2ef05a10eb 100644 +--- a/drivers/tty/serial/8250/serial_cs.c ++++ b/drivers/tty/serial/8250/serial_cs.c +@@ -786,6 +786,7 @@ static const struct pcmcia_device_id serial_ids[] = { + PCMCIA_DEVICE_PROD_ID12("Multi-Tech", "MT2834LT", 0x5f73be51, 0x4cd7c09e), + PCMCIA_DEVICE_PROD_ID12("OEM ", "C288MX ", 0xb572d360, 0xd2385b7a), + PCMCIA_DEVICE_PROD_ID12("Option International", "V34bis GSM/PSTN Data/Fax Modem", 0x9d7cd6f5, 0x5cb8bf41), ++ PCMCIA_DEVICE_PROD_ID12("Option International", "GSM-Ready 56K/ISDN", 0x9d7cd6f5, 0xb23844aa), + PCMCIA_DEVICE_PROD_ID12("PCMCIA ", "C336MX ", 0x99bcafe9, 0xaa25bcab), + PCMCIA_DEVICE_PROD_ID12("Quatech Inc", "PCMCIA Dual RS-232 Serial Port Card", 0xc4420b35, 0x92abc92f), + PCMCIA_DEVICE_PROD_ID12("Quatech Inc", "Dual RS-232 Serial Port PC Card", 0xc4420b35, 0x031a380d), +-- +2.26.2 + diff --git a/patches.suse/serial_cs-remove-wrong-GLOBETROTTER.cis-entry.patch b/patches.suse/serial_cs-remove-wrong-GLOBETROTTER.cis-entry.patch new file mode 100644 index 0000000..bd5894e --- /dev/null +++ b/patches.suse/serial_cs-remove-wrong-GLOBETROTTER.cis-entry.patch @@ -0,0 +1,56 @@ +From 11b1d881a90fc184cc7d06e9804eb288c24a2a0d Mon Sep 17 00:00:00 2001 +From: Ondrej Zary +Date: Fri, 11 Jun 2021 22:19:39 +0200 +Subject: [PATCH] serial_cs: remove wrong GLOBETROTTER.cis entry +Git-commit: 11b1d881a90fc184cc7d06e9804eb288c24a2a0d +Patch-mainline: v5.14-rc1 +References: git-fixes + +The GLOBETROTTER.cis entry in serial_cs matches more devices than +intended and breaks them. Remove it. + +Example: # pccardctl info +PRODID_1="Option International +" +PRODID_2="GSM-Ready 56K/ISDN +" +PRODID_3="021 +" +PRODID_4="A +" +MANFID=0013,0000 +FUNCID=0 + +Result: +pcmcia 0.0: Direct firmware load for cis/GLOBETROTTER.cis failed with error -2 + +The GLOBETROTTER.cis is nowhere to be found. There's GLOBETROTTER.cis.ihex at +https://netdev.vger.kernel.narkive.com/h4inqdxM/patch-axnet-cs-fix-phy-id-detection-for-bogus-asix-chip#post41 +It's from completely diffetent card: +vers_1 4.1, "Option International", "GSM/GPRS GlobeTrotter", "001", "A" + +Signed-off-by: Ondrej Zary +Cc: stable +Link: https://lore.kernel.org/r/20210611201940.23898-1-linux@zary.sk +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/8250/serial_cs.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/serial_cs.c b/drivers/tty/serial/8250/serial_cs.c +index 3708114343b0..2f1d33ea26e1 100644 +--- a/drivers/tty/serial/8250/serial_cs.c ++++ b/drivers/tty/serial/8250/serial_cs.c +@@ -813,7 +813,6 @@ static const struct pcmcia_device_id serial_ids[] = { + PCMCIA_DEVICE_CIS_PROD_ID12("ADVANTECH", "COMpad-32/85B-4", 0x96913a85, 0xcec8f102, "cis/COMpad4.cis"), + PCMCIA_DEVICE_CIS_PROD_ID123("ADVANTECH", "COMpad-32/85", "1.0", 0x96913a85, 0x8fbe92ae, 0x0877b627, "cis/COMpad2.cis"), + PCMCIA_DEVICE_CIS_PROD_ID2("RS-COM 2P", 0xad20b156, "cis/RS-COM-2P.cis"), +- PCMCIA_DEVICE_CIS_MANF_CARD(0x0013, 0x0000, "cis/GLOBETROTTER.cis"), + PCMCIA_DEVICE_PROD_ID12("ELAN DIGITAL SYSTEMS LTD, c1997.", "SERIAL CARD: SL100 1.00.", 0x19ca78af, 0xf964f42b), + PCMCIA_DEVICE_PROD_ID12("ELAN DIGITAL SYSTEMS LTD, c1997.", "SERIAL CARD: SL100", 0x19ca78af, 0x71d98e83), + PCMCIA_DEVICE_PROD_ID12("ELAN DIGITAL SYSTEMS LTD, c1997.", "SERIAL CARD: SL232 1.00.", 0x19ca78af, 0x69fb7490), +-- +2.26.2 + diff --git a/patches.suse/spi-Make-of_register_spi_device-also-set-the-fwnode.patch b/patches.suse/spi-Make-of_register_spi_device-also-set-the-fwnode.patch new file mode 100644 index 0000000..7bd0731 --- /dev/null +++ b/patches.suse/spi-Make-of_register_spi_device-also-set-the-fwnode.patch @@ -0,0 +1,62 @@ +From 0e793ba77c18382f08e440260fe72bc6fce2a3cb Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Wed, 21 Apr 2021 11:14:02 +0100 +Subject: [PATCH] spi: Make of_register_spi_device also set the fwnode +Git-commit: 0e793ba77c18382f08e440260fe72bc6fce2a3cb +Patch-mainline: v5.14-rc1 +References: git-fixes + +Currently, the SPI core doesn't set the struct device fwnode pointer +when it creates a new SPI device. This means when the device is +registered the fwnode is NULL and the check in device_add which sets +the fwnode->dev pointer is skipped. This wasn't previously an issue, +however these two patches: + +commit 4731210c09f5 ("gpiolib: Bind gpio_device to a driver to enable +fw_devlink=on by default") +commit ced2af419528 ("gpiolib: Don't probe gpio_device if it's not the +primary device") + +Added some code to the GPIO core which relies on using that +fwnode->dev pointer to determine if a driver is bound to the fwnode +and if not bind a stub GPIO driver. This means the GPIO providers +behind SPI will get both the expected driver and this stub driver +causing the stub driver to fail if it attempts to request any pin +configuration. For example on my system: + +madera-pinctrl madera-pinctrl: pin gpio5 already requested by madera-pinctrl; cannot claim for gpiochip3 +madera-pinctrl madera-pinctrl: pin-4 (gpiochip3) status -22 +madera-pinctrl madera-pinctrl: could not request pin 4 (gpio5) from group aif1 on device madera-pinctrl +gpio_stub_drv gpiochip3: Error applying setting, reverse things back +Gpio_stub_drv: probe of gpiochip3 failed with error -22 + +The firmware node on the device created by the GPIO framework is set +through the of_node pointer hence things generally actually work, +however that fwnode->dev is never set, as the check was skipped at +device_add time. This fix appears to match how the I2C subsystem +handles the same situation. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20210421101402.8468-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 904a353798b6..862a9bb69129 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -2047,6 +2047,7 @@ of_register_spi_device(struct spi_controller *ctlr, struct device_node *nc) + /* Store a pointer to the node in the device structure */ + of_node_get(nc); + spi->dev.of_node = nc; ++ spi->dev.fwnode = of_fwnode_handle(nc); + + /* Register the new device */ + rc = spi_add_device(spi); +-- +2.26.2 + diff --git a/patches.suse/spi-omap-100k-Fix-the-length-judgment-problem.patch b/patches.suse/spi-omap-100k-Fix-the-length-judgment-problem.patch new file mode 100644 index 0000000..bddae3b --- /dev/null +++ b/patches.suse/spi-omap-100k-Fix-the-length-judgment-problem.patch @@ -0,0 +1,36 @@ +From e7a1a3abea373e41ba7dfe0fbc93cb79b6a3a529 Mon Sep 17 00:00:00 2001 +From: Tian Tao +Date: Thu, 29 Apr 2021 19:20:48 +0800 +Subject: [PATCH] spi: omap-100k: Fix the length judgment problem +Git-commit: e7a1a3abea373e41ba7dfe0fbc93cb79b6a3a529 +Patch-mainline: v5.14-rc1 +References: git-fixes + +word_len should be checked in the omap1_spi100k_setup_transfer +function to see if it exceeds 32. + +Signed-off-by: Tian Tao +Link: https://lore.kernel.org/r/1619695248-39045-1-git-send-email-tiantao6@hisilicon.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-omap-100k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c +index 7062f2902253..f104470605b3 100644 +--- a/drivers/spi/spi-omap-100k.c ++++ b/drivers/spi/spi-omap-100k.c +@@ -241,7 +241,7 @@ static int omap1_spi100k_setup_transfer(struct spi_device *spi, + else + word_len = spi->bits_per_word; + +- if (spi->bits_per_word > 32) ++ if (word_len > 32) + return -EINVAL; + cs->word_len = word_len; + +-- +2.26.2 + diff --git a/patches.suse/spi-spi-loopback-test-Fix-tx_buf-might-be-rx_buf.patch b/patches.suse/spi-spi-loopback-test-Fix-tx_buf-might-be-rx_buf.patch new file mode 100644 index 0000000..a9f1214 --- /dev/null +++ b/patches.suse/spi-spi-loopback-test-Fix-tx_buf-might-be-rx_buf.patch @@ -0,0 +1,35 @@ +From 9e37a3ab0627011fb63875e9a93094b6fc8ddf48 Mon Sep 17 00:00:00 2001 +From: Jay Fang +Date: Mon, 10 May 2021 14:58:23 +0800 +Subject: [PATCH] spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf' +Git-commit: 9e37a3ab0627011fb63875e9a93094b6fc8ddf48 +Patch-mainline: v5.14-rc1 +References: git-fixes + +In function 'spi_test_run_iter': Value 'tx_buf' might be 'rx_buf'. + +Signed-off-by: Jay Fang +Link: https://lore.kernel.org/r/1620629903-15493-5-git-send-email-f.fangjian@huawei.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-loopback-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c +index f1cf2232f0b5..4d4f77a186a9 100644 +--- a/drivers/spi/spi-loopback-test.c ++++ b/drivers/spi/spi-loopback-test.c +@@ -875,7 +875,7 @@ static int spi_test_run_iter(struct spi_device *spi, + test.transfers[i].len = len; + if (test.transfers[i].tx_buf) + test.transfers[i].tx_buf += tx_off; +- if (test.transfers[i].tx_buf) ++ if (test.transfers[i].rx_buf) + test.transfers[i].rx_buf += rx_off; + } + +-- +2.26.2 + diff --git a/patches.suse/spi-spi-topcliff-pch-Fix-potential-double-free-in-pc.patch b/patches.suse/spi-spi-topcliff-pch-Fix-potential-double-free-in-pc.patch new file mode 100644 index 0000000..a0e757d --- /dev/null +++ b/patches.suse/spi-spi-topcliff-pch-Fix-potential-double-free-in-pc.patch @@ -0,0 +1,41 @@ +From 026a1dc1af52742c5897e64a3431445371a71871 Mon Sep 17 00:00:00 2001 +From: Jay Fang +Date: Thu, 6 May 2021 15:08:08 +0800 +Subject: [PATCH] spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages() +Git-commit: 026a1dc1af52742c5897e64a3431445371a71871 +Patch-mainline: v5.14-rc1 +References: git-fixes + +pch_spi_set_tx() frees data->pkt_tx_buff on failure of kzalloc() for +data->pkt_rx_buff, but its caller, pch_spi_process_messages(), will +free data->pkt_tx_buff again. Set data->pkt_tx_buff to NULL after +kfree() to avoid double free. + +Signed-off-by: Jay Fang +Link: https://lore.kernel.org/r/1620284888-65215-1-git-send-email-f.fangjian@huawei.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-topcliff-pch.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c +index b8870784fc6e..8c4615b76339 100644 +--- a/drivers/spi/spi-topcliff-pch.c ++++ b/drivers/spi/spi-topcliff-pch.c +@@ -580,8 +580,10 @@ static void pch_spi_set_tx(struct pch_spi_data *data, int *bpw) + data->pkt_tx_buff = kzalloc(size, GFP_KERNEL); + if (data->pkt_tx_buff != NULL) { + data->pkt_rx_buff = kzalloc(size, GFP_KERNEL); +- if (!data->pkt_rx_buff) ++ if (!data->pkt_rx_buff) { + kfree(data->pkt_tx_buff); ++ data->pkt_tx_buff = NULL; ++ } + } + + if (!data->pkt_rx_buff) { +-- +2.26.2 + diff --git a/patches.suse/ssb-sdio-Don-t-overwrite-const-buffer-if-block_write.patch b/patches.suse/ssb-sdio-Don-t-overwrite-const-buffer-if-block_write.patch new file mode 100644 index 0000000..a193eb9 --- /dev/null +++ b/patches.suse/ssb-sdio-Don-t-overwrite-const-buffer-if-block_write.patch @@ -0,0 +1,41 @@ +From 47ec636f7a25aa2549e198c48ecb6b1c25d05456 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michael=20B=C3=BCsch?= +Date: Sat, 15 May 2021 21:02:52 +0200 +Subject: [PATCH] ssb: sdio: Don't overwrite const buffer if block_write fails +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 47ec636f7a25aa2549e198c48ecb6b1c25d05456 +Patch-mainline: v5.14-rc1 +References: git-fixes + +It doesn't make sense to clobber the const driver-side buffer, if a +write-to-device attempt failed. All other SSB variants (PCI, PCMCIA and SoC) +also don't corrupt the buffer on any failure in block_write. +Therefore, remove this memset from the SDIO variant. + +Signed-off-by: Michael Büsch +Cc: stable@vger.kernel.org +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210515210252.318be2ba@wiggum +Acked-by: Takashi Iwai + +--- + drivers/ssb/sdio.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/ssb/sdio.c b/drivers/ssb/sdio.c +index 7fe0afb42234..66c5c2169704 100644 +--- a/drivers/ssb/sdio.c ++++ b/drivers/ssb/sdio.c +@@ -411,7 +411,6 @@ static void ssb_sdio_block_write(struct ssb_device *dev, const void *buffer, + sdio_claim_host(bus->host_sdio); + if (unlikely(ssb_sdio_switch_core(bus, dev))) { + error = -EIO; +- memset((void *)buffer, 0xff, count); + goto err_out; + } + offset |= bus->sdio_sbaddr & 0xffff; +-- +2.26.2 + diff --git a/patches.suse/staging-rtl8712-remove-redundant-check-in-r871xu_drv.patch b/patches.suse/staging-rtl8712-remove-redundant-check-in-r871xu_drv.patch new file mode 100644 index 0000000..d2dbfff --- /dev/null +++ b/patches.suse/staging-rtl8712-remove-redundant-check-in-r871xu_drv.patch @@ -0,0 +1,41 @@ +From 69d998f1e552f6e2e7b55f5058ce1ac7a72903f9 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Mon, 14 Jun 2021 01:00:07 +0300 +Subject: [PATCH] staging: rtl8712: remove redundant check in r871xu_drv_init +Git-commit: 69d998f1e552f6e2e7b55f5058ce1ac7a72903f9 +Patch-mainline: v5.14-rc1 +References: git-fixes + +padapter->dvobj_init is initialized rigth before +initialization check. There is no need for any +branching here. + +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/d367e5f39f22af44c545f8710cc18fb00f10e66c.1623620630.git.paskripkin@gmail.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/rtl8712/usb_intf.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -380,13 +380,11 @@ static int r871xu_drv_init(struct usb_in + /* step 3. + * initialize the dvobj_priv + */ +- if (!padapter->dvobj_init) { ++ ++ status = padapter->dvobj_init(padapter); ++ if (status != _SUCCESS) + goto error; +- } else { +- status = padapter->dvobj_init(padapter); +- if (status != _SUCCESS) +- goto error; +- } ++ + /* step 4. */ + status = r8712_init_drv_sw(padapter); + if (status == _FAIL) diff --git a/patches.suse/tpm-tpm_tis-Decorate-tpm_get_timeouts-with-request_l.patch b/patches.suse/tpm-tpm_tis-Decorate-tpm_get_timeouts-with-request_l.patch new file mode 100644 index 0000000..996f29f --- /dev/null +++ b/patches.suse/tpm-tpm_tis-Decorate-tpm_get_timeouts-with-request_l.patch @@ -0,0 +1,72 @@ +From a5665ec2affdba21bff3b0d4d3aed83b3951e8ff Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Sat, 20 Feb 2021 00:55:59 +0200 +Subject: [PATCH] tpm, tpm_tis: Decorate tpm_get_timeouts() with + request_locality() + +References: bsc#1188036 +Patch-mainline: v5.12-rc2 +Git-commit: a5665ec2affdba21bff3b0d4d3aed83b3951e8ff + +This is shown with Samsung Chromebook Pro (Caroline) with TPM 1.2 +(SLB 9670): + +[ 4.324298] TPM returned invalid status +[ 4.324806] WARNING: CPU: 2 PID: 1 at drivers/char/tpm/tpm_tis_core.c:275 tpm_tis_status+0x86/0x8f + +Background +========== + +TCG PC Client Platform TPM Profile (PTP) Specification, paragraph 6.1 FIFO +Interface Locality Usage per Register, Table 39 Register Behavior Based on +Locality Setting for FIFO - a read attempt to TPM_STS_x Registers returns +0xFF in case of lack of locality. + +The fix +======= + +Decorate tpm_get_timeouts() with request_locality() and release_locality(). + +Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()") +Cc: James Bottomley +Cc: Guenter Roeck +Cc: Laurent Bigonville +Cc: stable@vger.kernel.org +Reported-by: Lukasz Majczak +Signed-off-by: Jarkko Sakkinen +Acked-by: Michal Suchanek +--- + drivers/char/tpm/tpm_tis_core.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c +index 431919d5f48a..30843954aa36 100644 +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -1019,11 +1019,21 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, + init_waitqueue_head(&priv->read_queue); + init_waitqueue_head(&priv->int_queue); + if (irq != -1) { +- /* Before doing irq testing issue a command to the TPM in polling mode ++ /* ++ * Before doing irq testing issue a command to the TPM in polling mode + * to make sure it works. May as well use that command to set the + * proper timeouts for the driver. + */ +- if (tpm_get_timeouts(chip)) { ++ ++ rc = request_locality(chip, 0); ++ if (rc < 0) ++ goto out_err; ++ ++ rc = tpm_get_timeouts(chip); ++ ++ release_locality(chip, 0); ++ ++ if (rc) { + dev_err(dev, "Could not get TPM timeouts and durations\n"); + rc = -ENODEV; + goto out_err; +-- +2.26.2 + diff --git a/patches.suse/tpm-tpm_tis-Decorate-tpm_tis_gen_interrupt-with-requ.patch b/patches.suse/tpm-tpm_tis-Decorate-tpm_tis_gen_interrupt-with-requ.patch new file mode 100644 index 0000000..a0bccfd --- /dev/null +++ b/patches.suse/tpm-tpm_tis-Decorate-tpm_tis_gen_interrupt-with-requ.patch @@ -0,0 +1,75 @@ +From d53a6adfb553969809eb2b736a976ebb5146cd95 Mon Sep 17 00:00:00 2001 +From: Lukasz Majczak +Date: Tue, 16 Feb 2021 10:17:49 +0200 +Subject: [PATCH] tpm, tpm_tis: Decorate tpm_tis_gen_interrupt() with + request_locality() + +References: bsc#1188036 +Patch-mainline: v5.12-rc2 +Git-commit: d53a6adfb553969809eb2b736a976ebb5146cd95 + +This is shown with Samsung Chromebook Pro (Caroline) with TPM 1.2 +(SLB 9670): + +[ 4.324298] TPM returned invalid status +[ 4.324806] WARNING: CPU: 2 PID: 1 at drivers/char/tpm/tpm_tis_core.c:275 tpm_tis_status+0x86/0x8f + +Background +========== + +TCG PC Client Platform TPM Profile (PTP) Specification, paragraph 6.1 FIFO +Interface Locality Usage per Register, Table 39 Register Behavior Based on +Locality Setting for FIFO - a read attempt to TPM_STS_x Registers returns +0xFF in case of lack of locality. + +The fix +======= + +Decorate tpm_tis_gen_interrupt() with request_locality() and +release_locality(). + +Cc: Laurent Bigonville +Cc: James Bottomley +Cc: Guenter Roeck +Cc: stable@vger.kernel.org +Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()") +Signed-off-by: Lukasz Majczak +Signed-off-by: Jarkko Sakkinen +Acked-by: Michal Suchanek +--- + drivers/char/tpm/tpm_tis_core.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c +index 30843954aa36..a2e0395cbe61 100644 +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -707,12 +707,22 @@ static int tpm_tis_gen_interrupt(struct tpm_chip *chip) + const char *desc = "attempting to generate an interrupt"; + u32 cap2; + cap_t cap; ++ int ret; + ++ /* TPM 2.0 */ + if (chip->flags & TPM_CHIP_FLAG_TPM2) + return tpm2_get_tpm_pt(chip, 0x100, &cap2, desc); +- else +- return tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, +- 0); ++ ++ /* TPM 1.2 */ ++ ret = request_locality(chip, 0); ++ if (ret < 0) ++ return ret; ++ ++ ret = tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, 0); ++ ++ release_locality(chip, 0); ++ ++ return ret; + } + + /* Register the IRQ and issue a command that will cause an interrupt. If an +-- +2.26.2 + diff --git a/patches.suse/tpm-tpm_tis-Extend-locality-handling-to-TPM2-in-tpm_.patch b/patches.suse/tpm-tpm_tis-Extend-locality-handling-to-TPM2-in-tpm_.patch new file mode 100644 index 0000000..0702f5e --- /dev/null +++ b/patches.suse/tpm-tpm_tis-Extend-locality-handling-to-TPM2-in-tpm_.patch @@ -0,0 +1,55 @@ +From e630af7dfb450d1c00c30077314acf33032ff9e4 Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Mon, 10 May 2021 15:28:30 +0300 +Subject: [PATCH] tpm, tpm_tis: Extend locality handling to TPM2 in + tpm_tis_gen_interrupt() + +References: bsc#1188036 +Patch-mainline: v5.13-rc2 +Git-commit: e630af7dfb450d1c00c30077314acf33032ff9e4 + +The earlier fix (linked) only partially fixed the locality handling bug +in tpm_tis_gen_interrupt(), i.e. only for TPM 1.x. + +Extend the locality handling to cover TPM2. + +Cc: Hans de Goede +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/linux-integrity/20210220125534.20707-1-jarkko@kernel.org/ +Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()") +Reported-by: Lino Sanfilippo +Signed-off-by: Jarkko Sakkinen +Tested-by: Lino Sanfilippo +Acked-by: Michal Suchanek +--- + drivers/char/tpm/tpm_tis_core.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c +index a2e0395cbe61..6fa150a3b75e 100644 +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -709,16 +709,14 @@ static int tpm_tis_gen_interrupt(struct tpm_chip *chip) + cap_t cap; + int ret; + +- /* TPM 2.0 */ +- if (chip->flags & TPM_CHIP_FLAG_TPM2) +- return tpm2_get_tpm_pt(chip, 0x100, &cap2, desc); +- +- /* TPM 1.2 */ + ret = request_locality(chip, 0); + if (ret < 0) + return ret; + +- ret = tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, 0); ++ if (chip->flags & TPM_CHIP_FLAG_TPM2) ++ ret = tpm2_get_tpm_pt(chip, 0x100, &cap2, desc); ++ else ++ ret = tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, 0); + + release_locality(chip, 0); + +-- +2.26.2 + diff --git a/patches.suse/tpm-tpm_tis-Reserve-locality-in-tpm_tis_resume.patch b/patches.suse/tpm-tpm_tis-Reserve-locality-in-tpm_tis_resume.patch new file mode 100644 index 0000000..6dfce15 --- /dev/null +++ b/patches.suse/tpm-tpm_tis-Reserve-locality-in-tpm_tis_resume.patch @@ -0,0 +1,52 @@ +From 8a2d296aaebadd68d9c1f6908667df1d1c84c051 Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Mon, 10 May 2021 15:28:31 +0300 +Subject: [PATCH] tpm, tpm_tis: Reserve locality in tpm_tis_resume() + +References: bsc#1188036 +Patch-mainline: v5.13-rc2 +Git-commit: 8a2d296aaebadd68d9c1f6908667df1d1c84c051 + +Reserve locality in tpm_tis_resume(), as it could be unsert after waking +up from a sleep state. + +Cc: stable@vger.kernel.org +Cc: Lino Sanfilippo +Reported-by: Hans de Goede +Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()") +Signed-off-by: Jarkko Sakkinen +Acked-by: Michal Suchanek +--- + drivers/char/tpm/tpm_tis_core.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c +index 6fa150a3b75e..55b9d3965ae1 100644 +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -1125,12 +1125,20 @@ int tpm_tis_resume(struct device *dev) + if (ret) + return ret; + +- /* TPM 1.2 requires self-test on resume. This function actually returns ++ /* ++ * TPM 1.2 requires self-test on resume. This function actually returns + * an error code but for unknown reason it isn't handled. + */ +- if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) ++ if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) { ++ ret = request_locality(chip, 0); ++ if (ret < 0) ++ return ret; ++ + tpm1_do_selftest(chip); + ++ release_locality(chip, 0); ++ } ++ + return 0; + } + EXPORT_SYMBOL_GPL(tpm_tis_resume); +-- +2.26.2 + diff --git a/patches.suse/usb-gadget-eem-fix-echo-command-packet-response-issu.patch b/patches.suse/usb-gadget-eem-fix-echo-command-packet-response-issu.patch new file mode 100644 index 0000000..8e63c72 --- /dev/null +++ b/patches.suse/usb-gadget-eem-fix-echo-command-packet-response-issu.patch @@ -0,0 +1,116 @@ +From 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Mon Sep 17 00:00:00 2001 +From: Linyu Yuan +Date: Wed, 16 Jun 2021 19:51:42 +0800 +Subject: [PATCH] usb: gadget: eem: fix echo command packet response issue +Git-commit: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 +Patch-mainline: v5.14-rc1 +References: git-fixes + +when receive eem echo command, it will send a response, +but queue this response to the usb request which allocate +from gadget device endpoint zero, +and transmit the request to IN endpoint of eem interface. + +on dwc3 gadget, it will trigger following warning in function +__dwc3_gadget_ep_queue(), + + if (WARN(req->dep != dep, "request %pK belongs to '%s'\n", + &req->request, req->dep->name)) + return -EINVAL; + +fix it by allocating a usb request from IN endpoint of eem interface, +and transmit the usb request to same IN endpoint of eem interface. + +Signed-off-by: Linyu Yuan +Cc: stable +Link: https://lore.kernel.org/r/20210616115142.34075-1-linyyuan@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/gadget/function/f_eem.c | 43 ++++++++++++++++++++++++++--- + 1 file changed, 39 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_eem.c b/drivers/usb/gadget/function/f_eem.c +index 2cd9942707b4..5d38f29bda72 100644 +--- a/drivers/usb/gadget/function/f_eem.c ++++ b/drivers/usb/gadget/function/f_eem.c +@@ -30,6 +30,11 @@ struct f_eem { + u8 ctrl_id; + }; + ++struct in_context { ++ struct sk_buff *skb; ++ struct usb_ep *ep; ++}; ++ + static inline struct f_eem *func_to_eem(struct usb_function *f) + { + return container_of(f, struct f_eem, port.func); +@@ -320,9 +325,12 @@ static int eem_bind(struct usb_configuration *c, struct usb_function *f) + + static void eem_cmd_complete(struct usb_ep *ep, struct usb_request *req) + { +- struct sk_buff *skb = (struct sk_buff *)req->context; ++ struct in_context *ctx = req->context; + +- dev_kfree_skb_any(skb); ++ dev_kfree_skb_any(ctx->skb); ++ kfree(req->buf); ++ usb_ep_free_request(ctx->ep, req); ++ kfree(ctx); + } + + /* +@@ -410,7 +418,9 @@ static int eem_unwrap(struct gether *port, + * b15: bmType (0 == data, 1 == command) + */ + if (header & BIT(15)) { +- struct usb_request *req = cdev->req; ++ struct usb_request *req; ++ struct in_context *ctx; ++ struct usb_ep *ep; + u16 bmEEMCmd; + + /* EEM command packet format: +@@ -439,11 +449,36 @@ static int eem_unwrap(struct gether *port, + skb_trim(skb2, len); + put_unaligned_le16(BIT(15) | BIT(11) | len, + skb_push(skb2, 2)); ++ ++ ep = port->in_ep; ++ req = usb_ep_alloc_request(ep, GFP_ATOMIC); ++ if (!req) { ++ dev_kfree_skb_any(skb2); ++ goto next; ++ } ++ ++ req->buf = kmalloc(skb2->len, GFP_KERNEL); ++ if (!req->buf) { ++ usb_ep_free_request(ep, req); ++ dev_kfree_skb_any(skb2); ++ goto next; ++ } ++ ++ ctx = kmalloc(sizeof(*ctx), GFP_KERNEL); ++ if (!ctx) { ++ kfree(req->buf); ++ usb_ep_free_request(ep, req); ++ dev_kfree_skb_any(skb2); ++ goto next; ++ } ++ ctx->skb = skb2; ++ ctx->ep = ep; ++ + skb_copy_bits(skb2, 0, req->buf, skb2->len); + req->length = skb2->len; + req->complete = eem_cmd_complete; + req->zero = 1; +- req->context = skb2; ++ req->context = ctx; + if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC)) + DBG(cdev, "echo response queue fail\n"); + break; +-- +2.26.2 + diff --git a/patches.suse/usb-gadget-f_fs-Fix-setting-of-device-and-driver-dat.patch b/patches.suse/usb-gadget-f_fs-Fix-setting-of-device-and-driver-dat.patch new file mode 100644 index 0000000..81271ec --- /dev/null +++ b/patches.suse/usb-gadget-f_fs-Fix-setting-of-device-and-driver-dat.patch @@ -0,0 +1,566 @@ +From ecfbd7b9054bddb12cea07fda41bb3a79a7b0149 Mon Sep 17 00:00:00 2001 +From: Andrew Gabbasov +Date: Thu, 3 Jun 2021 12:15:07 -0500 +Subject: [PATCH] usb: gadget: f_fs: Fix setting of device and driver data + cross-references +Git-commit: ecfbd7b9054bddb12cea07fda41bb3a79a7b0149 +References: git-fixes +Patch-mainline: v5.14-rc1 + +FunctionFS device structure 'struct ffs_dev' and driver data structure +'struct ffs_data' are bound to each other with cross-reference pointers +'ffs_data->private_data' and 'ffs_dev->ffs_data'. While the first one +is supposed to be valid through the whole life of 'struct ffs_data' +(and while 'struct ffs_dev' exists non-freed), the second one is cleared +in 'ffs_closed()' (called from 'ffs_data_reset()' or the last +'ffs_data_put()'). This can be called several times, alternating in +different order with 'ffs_free_inst()', that, if possible, clears +the other cross-reference. + +As a result, different cases of these calls order may leave stale +cross-reference pointers, used when the pointed structure is already +freed. Even if it occasionally doesn't cause kernel crash, this error +is reported by KASAN-enabled kernel configuration. + +For example, the case [last 'ffs_data_put()' - 'ffs_free_inst()'] was +fixed by commit cdafb6d8b8da ("usb: gadget: f_fs: Fix use-after-free in +ffs_free_inst"). + +The other case ['ffs_data_reset()' - 'ffs_free_inst()' - 'ffs_data_put()'] +now causes KASAN reported error [1], when 'ffs_data_reset()' clears +'ffs_dev->ffs_data', then 'ffs_free_inst()' frees the 'struct ffs_dev', +but can't clear 'ffs_data->private_data', which is then accessed +in 'ffs_closed()' called from 'ffs_data_put()'. This happens since +'ffs_dev->ffs_data' reference is cleared too early. + +Moreover, one more use case, when 'ffs_free_inst()' is called immediately +after mounting FunctionFS device (that is before the descriptors are +written and 'ffs_ready()' is called), and then 'ffs_data_reset()' +or 'ffs_data_put()' is called from accessing "ep0" file or unmounting +the device. This causes KASAN error report like [2], since +'ffs_dev->ffs_data' is not yet set when 'ffs_free_inst()' can't properly +clear 'ffs_data->private_data', that is later accessed to freed structure. + +Fix these (and may be other) cases of stale pointers access by moving +setting and clearing of the mentioned cross-references to the single +places, setting both of them when 'struct ffs_data' is created and +bound to 'struct ffs_dev', and clearing both of them when one of the +structures is destroyed. It seems convenient to make this pointer +initialization and structures binding in 'ffs_acquire_dev()' and +make pointers clearing in 'ffs_release_dev()'. This required some +changes in these functions parameters and return types. + +Also, 'ffs_release_dev()' calling requires some cleanup, fixing minor +issues, like (1) 'ffs_release_dev()' is not called if 'ffs_free_inst()' +is called without unmounting the device, and "release_dev" callback +is not called at all, or (2) "release_dev" callback is called before +"ffs_closed" callback on unmounting, which seems to be not correctly +nested with "acquire_dev" and "ffs_ready" callbacks. +Make this cleanup togther with other mentioned 'ffs_release_dev()' changes. + +[1] +================================================================== +root@rcar-gen3:~# mkdir /dev/cfs +root@rcar-gen3:~# mkdir /dev/ffs +root@rcar-gen3:~# modprobe libcomposite +root@rcar-gen3:~# mount -t configfs none /dev/cfs +root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1 +root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs +[ 64.340664] file system registered +root@rcar-gen3:~# mount -t functionfs ffs /dev/ffs +root@rcar-gen3:~# cd /dev/ffs +root@rcar-gen3:/dev/ffs# /home/root/ffs-test +ffs-test: info: ep0: writing descriptors (in v2 format) +[ 83.181442] read descriptors +[ 83.186085] read strings +ffs-test: info: ep0: writing strings +ffs-test: dbg: ep1: starting +ffs-test: dbg: ep2: starting +ffs-test: info: ep1: starts +ffs-test: info: ep2: starts +ffs-test: info: ep0: starts + +^C +root@rcar-gen3:/dev/ffs# cd /home/root/ +root@rcar-gen3:~# rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs +[ 98.935061] unloading +root@rcar-gen3:~# umount /dev/ffs +[ 102.734301] ================================================================== +[ 102.742059] BUG: KASAN: use-after-free in ffs_release_dev+0x64/0xa8 [usb_f_fs] +[ 102.749683] Write of size 1 at addr ffff0004d46ff549 by task umount/2997 +[ 102.756709] +[ 102.758311] CPU: 0 PID: 2997 Comm: umount Not tainted 5.13.0-rc4+ #8 +[ 102.764971] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) +[ 102.772179] Call trace: +[ 102.774779] dump_backtrace+0x0/0x330 +[ 102.778653] show_stack+0x20/0x2c +[ 102.782152] dump_stack+0x11c/0x1ac +[ 102.785833] print_address_description.constprop.0+0x30/0x274 +[ 102.791862] kasan_report+0x14c/0x1c8 +[ 102.795719] __asan_report_store1_noabort+0x34/0x58 +[ 102.800840] ffs_release_dev+0x64/0xa8 [usb_f_fs] +[ 102.805801] ffs_fs_kill_sb+0x50/0x84 [usb_f_fs] +[ 102.810663] deactivate_locked_super+0xa0/0xf0 +[ 102.815339] deactivate_super+0x98/0xac +[ 102.819378] cleanup_mnt+0xd0/0x1b0 +[ 102.823057] __cleanup_mnt+0x1c/0x28 +[ 102.826823] task_work_run+0x104/0x180 +[ 102.830774] do_notify_resume+0x458/0x14e0 +[ 102.835083] work_pending+0xc/0x5f8 +[ 102.838762] +[ 102.840357] Allocated by task 2988: +[ 102.844032] kasan_save_stack+0x28/0x58 +[ 102.848071] kasan_set_track+0x28/0x3c +[ 102.852016] ____kasan_kmalloc+0x84/0x9c +[ 102.856142] __kasan_kmalloc+0x10/0x1c +[ 102.860088] __kmalloc+0x214/0x2f8 +[ 102.863678] kzalloc.constprop.0+0x14/0x20 [usb_f_fs] +[ 102.868990] ffs_alloc_inst+0x8c/0x208 [usb_f_fs] +[ 102.873942] try_get_usb_function_instance+0xf0/0x164 [libcomposite] +[ 102.880629] usb_get_function_instance+0x64/0x68 [libcomposite] +[ 102.886858] function_make+0x128/0x1ec [libcomposite] +[ 102.892185] configfs_mkdir+0x330/0x590 [configfs] +[ 102.897245] vfs_mkdir+0x12c/0x1bc +[ 102.900835] do_mkdirat+0x180/0x1d0 +[ 102.904513] __arm64_sys_mkdirat+0x80/0x94 +[ 102.908822] invoke_syscall+0xf8/0x25c +[ 102.912772] el0_svc_common.constprop.0+0x150/0x1a0 +[ 102.917891] do_el0_svc+0xa0/0xd4 +[ 102.921386] el0_svc+0x24/0x34 +[ 102.924613] el0_sync_handler+0xcc/0x154 +[ 102.928743] el0_sync+0x198/0x1c0 +[ 102.932238] +[ 102.933832] Freed by task 2996: +[ 102.937144] kasan_save_stack+0x28/0x58 +[ 102.941181] kasan_set_track+0x28/0x3c +[ 102.945128] kasan_set_free_info+0x28/0x4c +[ 102.949435] ____kasan_slab_free+0x104/0x118 +[ 102.953921] __kasan_slab_free+0x18/0x24 +[ 102.958047] slab_free_freelist_hook+0x148/0x1f0 +[ 102.962897] kfree+0x318/0x440 +[ 102.966123] ffs_free_inst+0x164/0x2d8 [usb_f_fs] +[ 102.971075] usb_put_function_instance+0x84/0xa4 [libcomposite] +[ 102.977302] ffs_attr_release+0x18/0x24 [usb_f_fs] +[ 102.982344] config_item_put+0x140/0x1a4 [configfs] +[ 102.987486] configfs_rmdir+0x3fc/0x518 [configfs] +[ 102.992535] vfs_rmdir+0x114/0x234 +[ 102.996122] do_rmdir+0x274/0x2b0 +[ 102.999617] __arm64_sys_unlinkat+0x94/0xc8 +[ 103.004015] invoke_syscall+0xf8/0x25c +[ 103.007961] el0_svc_common.constprop.0+0x150/0x1a0 +[ 103.013080] do_el0_svc+0xa0/0xd4 +[ 103.016575] el0_svc+0x24/0x34 +[ 103.019801] el0_sync_handler+0xcc/0x154 +[ 103.023930] el0_sync+0x198/0x1c0 +[ 103.027426] +[ 103.029020] The buggy address belongs to the object at ffff0004d46ff500 +[ 103.029020] which belongs to the cache kmalloc-128 of size 128 +[ 103.042079] The buggy address is located 73 bytes inside of +[ 103.042079] 128-byte region [ffff0004d46ff500, ffff0004d46ff580) +[ 103.054236] The buggy address belongs to the page: +[ 103.059262] page:0000000021aa849b refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0004d46fee00 pfn:0x5146fe +[ 103.070437] head:0000000021aa849b order:1 compound_mapcount:0 +[ 103.076456] flags: 0x8000000000010200(slab|head|zone=2) +[ 103.081948] raw: 8000000000010200 fffffc0013521a80 0000000d0000000d ffff0004c0002300 +[ 103.090052] raw: ffff0004d46fee00 000000008020001e 00000001ffffffff 0000000000000000 +[ 103.098150] page dumped because: kasan: bad access detected +[ 103.103985] +[ 103.105578] Memory state around the buggy address: +[ 103.110602] ffff0004d46ff400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 103.118161] ffff0004d46ff480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 103.125726] >ffff0004d46ff500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 103.133284] ^ +[ 103.139120] ffff0004d46ff580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 103.146679] ffff0004d46ff600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 103.154238] ================================================================== +[ 103.161792] Disabling lock debugging due to kernel taint +[ 103.167319] Unable to handle kernel paging request at virtual address 0037801d6000018e +[ 103.175406] Mem abort info: +[ 103.178457] ESR = 0x96000004 +[ 103.181609] EC = 0x25: DABT (current EL), IL = 32 bits +[ 103.187020] SET = 0, FnV = 0 +[ 103.190185] EA = 0, S1PTW = 0 +[ 103.193417] Data abort info: +[ 103.196385] ISV = 0, ISS = 0x00000004 +[ 103.200315] CM = 0, WnR = 0 +[ 103.203366] [0037801d6000018e] address between user and kernel address ranges +[ 103.210611] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 103.216231] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk sata_rc4 +[ 103.259233] CPU: 0 PID: 2997 Comm: umount Tainted: G B 5.13.0-rc4+ #8 +[ 103.267031] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) +[ 103.273951] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--) +[ 103.280001] pc : ffs_data_clear+0x138/0x370 [usb_f_fs] +[ 103.285197] lr : ffs_data_clear+0x124/0x370 [usb_f_fs] +[ 103.290385] sp : ffff800014777a80 +[ 103.293725] x29: ffff800014777a80 x28: ffff0004d7649c80 x27: 0000000000000000 +[ 103.300931] x26: ffff800014777fb0 x25: ffff60009aec9394 x24: ffff0004d7649ca4 +[ 103.308136] x23: 1fffe0009a3d063a x22: dfff800000000000 x21: ffff0004d1e831d0 +[ 103.315340] x20: e1c000eb00000bb4 x19: ffff0004d1e83000 x18: 0000000000000000 +[ 103.322545] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +[ 103.329748] x14: 0720072007200720 x13: 0720072007200720 x12: 1ffff000012ef658 +[ 103.336952] x11: ffff7000012ef658 x10: 0720072007200720 x9 : ffff800011322648 +[ 103.344157] x8 : ffff800014777818 x7 : ffff80000977b2c7 x6 : 0000000000000000 +[ 103.351359] x5 : 0000000000000001 x4 : ffff7000012ef659 x3 : 0000000000000001 +[ 103.358562] x2 : 0000000000000000 x1 : 1c38001d6000018e x0 : e1c000eb00000c70 +[ 103.365766] Call trace: +[ 103.368235] ffs_data_clear+0x138/0x370 [usb_f_fs] +[ 103.373076] ffs_data_reset+0x20/0x304 [usb_f_fs] +[ 103.377829] ffs_data_closed+0x1ec/0x244 [usb_f_fs] +[ 103.382755] ffs_fs_kill_sb+0x70/0x84 [usb_f_fs] +[ 103.387420] deactivate_locked_super+0xa0/0xf0 +[ 103.391905] deactivate_super+0x98/0xac +[ 103.395776] cleanup_mnt+0xd0/0x1b0 +[ 103.399299] __cleanup_mnt+0x1c/0x28 +[ 103.402906] task_work_run+0x104/0x180 +[ 103.406691] do_notify_resume+0x458/0x14e0 +[ 103.410823] work_pending+0xc/0x5f8 +[ 103.414351] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821) +[ 103.420490] ---[ end trace 57b43a50e8244f57 ]--- +Segmentation fault +root@rcar-gen3:~# +================================================================== + +[2] +================================================================== +root@rcar-gen3:~# mkdir /dev/ffs +root@rcar-gen3:~# modprobe libcomposite +root@rcar-gen3:~# +root@rcar-gen3:~# mount -t configfs none /dev/cfs +root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1 +root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs +[ 54.766480] file system registered +root@rcar-gen3:~# mount -t functionfs ffs /dev/ffs +root@rcar-gen3:~# rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs +[ 63.197597] unloading +root@rcar-gen3:~# cat /dev/ffs/ep0 +cat: read error:[ 67.213506] ================================================================== +[ 67.222095] BUG: KASAN: use-after-free in ffs_data_clear+0x70/0x370 [usb_f_fs] +[ 67.229699] Write of size 1 at addr ffff0004c26e974a by task cat/2994 +[ 67.236446] +[ 67.238045] CPU: 0 PID: 2994 Comm: cat Not tainted 5.13.0-rc4+ #8 +[ 67.244431] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) +[ 67.251624] Call trace: +[ 67.254212] dump_backtrace+0x0/0x330 +[ 67.258081] show_stack+0x20/0x2c +[ 67.261579] dump_stack+0x11c/0x1ac +[ 67.265260] print_address_description.constprop.0+0x30/0x274 +[ 67.271286] kasan_report+0x14c/0x1c8 +[ 67.275143] __asan_report_store1_noabort+0x34/0x58 +[ 67.280265] ffs_data_clear+0x70/0x370 [usb_f_fs] +[ 67.285220] ffs_data_reset+0x20/0x304 [usb_f_fs] +[ 67.290172] ffs_data_closed+0x240/0x244 [usb_f_fs] +[ 67.295305] ffs_ep0_release+0x40/0x54 [usb_f_fs] +[ 67.300256] __fput+0x304/0x580 +[ 67.303576] ____fput+0x18/0x24 +[ 67.306893] task_work_run+0x104/0x180 +[ 67.310846] do_notify_resume+0x458/0x14e0 +[ 67.315154] work_pending+0xc/0x5f8 +[ 67.318834] +[ 67.320429] Allocated by task 2988: +[ 67.324105] kasan_save_stack+0x28/0x58 +[ 67.328144] kasan_set_track+0x28/0x3c +[ 67.332090] ____kasan_kmalloc+0x84/0x9c +[ 67.336217] __kasan_kmalloc+0x10/0x1c +[ 67.340163] __kmalloc+0x214/0x2f8 +[ 67.343754] kzalloc.constprop.0+0x14/0x20 [usb_f_fs] +[ 67.349066] ffs_alloc_inst+0x8c/0x208 [usb_f_fs] +[ 67.354017] try_get_usb_function_instance+0xf0/0x164 [libcomposite] +[ 67.360705] usb_get_function_instance+0x64/0x68 [libcomposite] +[ 67.366934] function_make+0x128/0x1ec [libcomposite] +[ 67.372260] configfs_mkdir+0x330/0x590 [configfs] +[ 67.377320] vfs_mkdir+0x12c/0x1bc +[ 67.380911] do_mkdirat+0x180/0x1d0 +[ 67.384589] __arm64_sys_mkdirat+0x80/0x94 +[ 67.388899] invoke_syscall+0xf8/0x25c +[ 67.392850] el0_svc_common.constprop.0+0x150/0x1a0 +[ 67.397969] do_el0_svc+0xa0/0xd4 +[ 67.401464] el0_svc+0x24/0x34 +[ 67.404691] el0_sync_handler+0xcc/0x154 +[ 67.408819] el0_sync+0x198/0x1c0 +[ 67.412315] +[ 67.413909] Freed by task 2993: +[ 67.417220] kasan_save_stack+0x28/0x58 +[ 67.421257] kasan_set_track+0x28/0x3c +[ 67.425204] kasan_set_free_info+0x28/0x4c +[ 67.429513] ____kasan_slab_free+0x104/0x118 +[ 67.434001] __kasan_slab_free+0x18/0x24 +[ 67.438128] slab_free_freelist_hook+0x148/0x1f0 +[ 67.442978] kfree+0x318/0x440 +[ 67.446205] ffs_free_inst+0x164/0x2d8 [usb_f_fs] +[ 67.451156] usb_put_function_instance+0x84/0xa4 [libcomposite] +[ 67.457385] ffs_attr_release+0x18/0x24 [usb_f_fs] +[ 67.462428] config_item_put+0x140/0x1a4 [configfs] +[ 67.467570] configfs_rmdir+0x3fc/0x518 [configfs] +[ 67.472626] vfs_rmdir+0x114/0x234 +[ 67.476215] do_rmdir+0x274/0x2b0 +[ 67.479710] __arm64_sys_unlinkat+0x94/0xc8 +[ 67.484108] invoke_syscall+0xf8/0x25c +[ 67.488055] el0_svc_common.constprop.0+0x150/0x1a0 +[ 67.493175] do_el0_svc+0xa0/0xd4 +[ 67.496671] el0_svc+0x24/0x34 +[ 67.499896] el0_sync_handler+0xcc/0x154 +[ 67.504024] el0_sync+0x198/0x1c0 +[ 67.507520] +[ 67.509114] The buggy address belongs to the object at ffff0004c26e9700 +[ 67.509114] which belongs to the cache kmalloc-128 of size 128 +[ 67.522171] The buggy address is located 74 bytes inside of +[ 67.522171] 128-byte region [ffff0004c26e9700, ffff0004c26e9780) +[ 67.534328] The buggy address belongs to the page: +[ 67.539355] page:000000003177a217 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5026e8 +[ 67.549175] head:000000003177a217 order:1 compound_mapcount:0 +[ 67.555195] flags: 0x8000000000010200(slab|head|zone=2) +[ 67.560687] raw: 8000000000010200 fffffc0013037100 0000000c00000002 ffff0004c0002300 +[ 67.568791] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 +[ 67.576890] page dumped because: kasan: bad access detected +[ 67.582725] +[ 67.584318] Memory state around the buggy address: +[ 67.589343] ffff0004c26e9600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 67.596903] ffff0004c26e9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 67.604463] >ffff0004c26e9700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 67.612022] ^ +[ 67.617860] ffff0004c26e9780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 67.625421] ffff0004c26e9800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.632981] ================================================================== +[ 67.640535] Disabling lock debugging due to kernel taint + File descriptor[ 67.646100] Unable to handle kernel paging request at virtual address fabb801d4000018d + in bad state +[ 67.655456] Mem abort info: +[ 67.659619] ESR = 0x96000004 +[ 67.662801] EC = 0x25: DABT (current EL), IL = 32 bits +[ 67.668225] SET = 0, FnV = 0 +[ 67.671375] EA = 0, S1PTW = 0 +[ 67.674613] Data abort info: +[ 67.677587] ISV = 0, ISS = 0x00000004 +[ 67.681522] CM = 0, WnR = 0 +[ 67.684588] [fabb801d4000018d] address between user and kernel address ranges +[ 67.691849] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 67.697470] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce gf128mul sha2_ce sha1_ce evdev sata_rcar libata xhci_plat_hcd scsi_mod xhci_hcd rene4 +[ 67.740467] CPU: 0 PID: 2994 Comm: cat Tainted: G B 5.13.0-rc4+ #8 +[ 67.748005] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) +[ 67.754924] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--) +[ 67.760974] pc : ffs_data_clear+0x138/0x370 [usb_f_fs] +[ 67.766178] lr : ffs_data_clear+0x124/0x370 [usb_f_fs] +[ 67.771365] sp : ffff800014767ad0 +[ 67.774706] x29: ffff800014767ad0 x28: ffff800009cf91c0 x27: ffff0004c54861a0 +[ 67.781913] x26: ffff0004dc90b288 x25: 1fffe00099ec10f5 x24: 00000000000a801d +[ 67.789118] x23: 1fffe00099f6953a x22: dfff800000000000 x21: ffff0004cfb4a9d0 +[ 67.796322] x20: d5e000ea00000bb1 x19: ffff0004cfb4a800 x18: 0000000000000000 +[ 67.803526] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +[ 67.810730] x14: 0720072007200720 x13: 0720072007200720 x12: 1ffff000028ecefa +[ 67.817934] x11: ffff7000028ecefa x10: 0720072007200720 x9 : ffff80001132c014 +[ 67.825137] x8 : ffff8000147677d8 x7 : ffff8000147677d7 x6 : 0000000000000000 +[ 67.832341] x5 : 0000000000000001 x4 : ffff7000028ecefb x3 : 0000000000000001 +[ 67.839544] x2 : 0000000000000005 x1 : 1abc001d4000018d x0 : d5e000ea00000c6d +[ 67.846748] Call trace: +[ 67.849218] ffs_data_clear+0x138/0x370 [usb_f_fs] +[ 67.854058] ffs_data_reset+0x20/0x304 [usb_f_fs] +[ 67.858810] ffs_data_closed+0x240/0x244 [usb_f_fs] +[ 67.863736] ffs_ep0_release+0x40/0x54 [usb_f_fs] +[ 67.868488] __fput+0x304/0x580 +[ 67.871665] ____fput+0x18/0x24 +[ 67.874837] task_work_run+0x104/0x180 +[ 67.878622] do_notify_resume+0x458/0x14e0 +[ 67.882754] work_pending+0xc/0x5f8 +[ 67.886282] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821) +[ 67.892422] ---[ end trace 6d7cedf53d7abbea ]--- +Segmentation fault +root@rcar-gen3:~# +================================================================== + +Fixes: 4b187fceec3c ("usb: gadget: FunctionFS: add devices management code") +Fixes: 3262ad824307 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference") +Fixes: cdafb6d8b8da ("usb: gadget: f_fs: Fix use-after-free in ffs_free_inst") +Reported-by: Bhuvanesh Surachari +Tested-by: Eugeniu Rosca +Reviewed-by: Eugeniu Rosca +Signed-off-by: Andrew Gabbasov +Link: https://lore.kernel.org/r/20210603171507.22514-1-andrew_gabbasov@mentor.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/gadget/function/f_fs.c | 65 ++++++++++++++++++------------------- + 1 file changed, 32 insertions(+), 33 deletions(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -250,8 +250,8 @@ EXPORT_SYMBOL_GPL(ffs_lock); + static struct ffs_dev *_ffs_find_dev(const char *name); + static struct ffs_dev *_ffs_alloc_dev(void); + static void _ffs_free_dev(struct ffs_dev *dev); +-static void *ffs_acquire_dev(const char *dev_name); +-static void ffs_release_dev(struct ffs_data *ffs_data); ++static int ffs_acquire_dev(const char *dev_name, struct ffs_data *ffs_data); ++static void ffs_release_dev(struct ffs_dev *ffs_dev); + static int ffs_ready(struct ffs_data *ffs); + static void ffs_closed(struct ffs_data *ffs); + +@@ -1572,8 +1572,8 @@ unmapped_value: + static int ffs_fs_get_tree(struct fs_context *fc) + { + struct ffs_sb_fill_data *ctx = fc->fs_private; +- void *ffs_dev; + struct ffs_data *ffs; ++ int ret; + + ENTER(); + +@@ -1592,13 +1592,12 @@ static int ffs_fs_get_tree(struct fs_con + return -ENOMEM; + } + +- ffs_dev = ffs_acquire_dev(ffs->dev_name); +- if (IS_ERR(ffs_dev)) { ++ ret = ffs_acquire_dev(ffs->dev_name, ffs); ++ if (ret) { + ffs_data_put(ffs); +- return PTR_ERR(ffs_dev); ++ return ret; + } + +- ffs->private_data = ffs_dev; + ctx->ffs_data = ffs; + return get_tree_nodev(fc, ffs_sb_fill); + } +@@ -1609,7 +1608,6 @@ static void ffs_fs_free_fc(struct fs_con + + if (ctx) { + if (ctx->ffs_data) { +- ffs_release_dev(ctx->ffs_data); + ffs_data_put(ctx->ffs_data); + } + +@@ -1648,10 +1646,8 @@ ffs_fs_kill_sb(struct super_block *sb) + ENTER(); + + kill_litter_super(sb); +- if (sb->s_fs_info) { +- ffs_release_dev(sb->s_fs_info); ++ if (sb->s_fs_info) + ffs_data_closed(sb->s_fs_info); +- } + } + + static struct file_system_type ffs_fs_type = { +@@ -1721,6 +1717,7 @@ static void ffs_data_put(struct ffs_data + if (unlikely(refcount_dec_and_test(&ffs->ref))) { + pr_info("%s(): freeing\n", __func__); + ffs_data_clear(ffs); ++ ffs_release_dev(ffs->private_data); + BUG_ON(waitqueue_active(&ffs->ev.waitq) || + waitqueue_active(&ffs->ep0req_completion.wait) || + waitqueue_active(&ffs->wait)); +@@ -3050,6 +3047,7 @@ static inline struct f_fs_opts *ffs_do_f + struct ffs_function *func = ffs_func_from_usb(f); + struct f_fs_opts *ffs_opts = + container_of(f->fi, struct f_fs_opts, func_inst); ++ struct ffs_data *ffs_data; + int ret; + + ENTER(); +@@ -3064,12 +3062,13 @@ static inline struct f_fs_opts *ffs_do_f + if (!ffs_opts->no_configfs) + ffs_dev_lock(); + ret = ffs_opts->dev->desc_ready ? 0 : -ENODEV; +- func->ffs = ffs_opts->dev->ffs_data; ++ ffs_data = ffs_opts->dev->ffs_data; + if (!ffs_opts->no_configfs) + ffs_dev_unlock(); + if (ret) + return ERR_PTR(ret); + ++ func->ffs = ffs_data; + func->conf = c; + func->gadget = c->cdev->gadget; + +@@ -3524,6 +3523,7 @@ static void ffs_free_inst(struct usb_fun + struct f_fs_opts *opts; + + opts = to_f_fs_opts(f); ++ ffs_release_dev(opts->dev); + ffs_dev_lock(); + _ffs_free_dev(opts->dev); + ffs_dev_unlock(); +@@ -3711,47 +3711,48 @@ static void _ffs_free_dev(struct ffs_dev + { + list_del(&dev->entry); + +- /* Clear the private_data pointer to stop incorrect dev access */ +- if (dev->ffs_data) +- dev->ffs_data->private_data = NULL; +- + kfree(dev); + if (list_empty(&ffs_devices)) + functionfs_cleanup(); + } + +-static void *ffs_acquire_dev(const char *dev_name) ++static int ffs_acquire_dev(const char *dev_name, struct ffs_data *ffs_data) + { ++ int ret = 0; + struct ffs_dev *ffs_dev; + + ENTER(); + ffs_dev_lock(); + + ffs_dev = _ffs_find_dev(dev_name); +- if (!ffs_dev) +- ffs_dev = ERR_PTR(-ENOENT); +- else if (ffs_dev->mounted) +- ffs_dev = ERR_PTR(-EBUSY); +- else if (ffs_dev->ffs_acquire_dev_callback && +- ffs_dev->ffs_acquire_dev_callback(ffs_dev)) +- ffs_dev = ERR_PTR(-ENOENT); +- else ++ if (!ffs_dev) { ++ ret = -ENOENT; ++ } else if (ffs_dev->mounted) { ++ ret = -EBUSY; ++ } else if (ffs_dev->ffs_acquire_dev_callback && ++ ffs_dev->ffs_acquire_dev_callback(ffs_dev)) { ++ ret = -ENOENT; ++ } else { + ffs_dev->mounted = true; ++ ffs_dev->ffs_data = ffs_data; ++ ffs_data->private_data = ffs_dev; ++ } + + ffs_dev_unlock(); +- return ffs_dev; ++ return ret; + } + +-static void ffs_release_dev(struct ffs_data *ffs_data) ++static void ffs_release_dev(struct ffs_dev *ffs_dev) + { +- struct ffs_dev *ffs_dev; +- + ENTER(); + ffs_dev_lock(); + +- ffs_dev = ffs_data->private_data; +- if (ffs_dev) { ++ if (ffs_dev && ffs_dev->mounted) { + ffs_dev->mounted = false; ++ if (ffs_dev->ffs_data) { ++ ffs_dev->ffs_data->private_data = NULL; ++ ffs_dev->ffs_data = NULL; ++ } + + if (ffs_dev->ffs_release_dev_callback) + ffs_dev->ffs_release_dev_callback(ffs_dev); +@@ -3779,7 +3780,6 @@ static int ffs_ready(struct ffs_data *ff + } + + ffs_obj->desc_ready = true; +- ffs_obj->ffs_data = ffs; + + if (ffs_obj->ffs_ready_callback) { + ret = ffs_obj->ffs_ready_callback(ffs); +@@ -3807,7 +3807,6 @@ static void ffs_closed(struct ffs_data * + goto done; + + ffs_obj->desc_ready = false; +- ffs_obj->ffs_data = NULL; + + if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) && + ffs_obj->ffs_closed_callback) diff --git a/patches.suse/vfio-pci-Handle-concurrent-vma-faults.patch b/patches.suse/vfio-pci-Handle-concurrent-vma-faults.patch new file mode 100644 index 0000000..1d3830b --- /dev/null +++ b/patches.suse/vfio-pci-Handle-concurrent-vma-faults.patch @@ -0,0 +1,124 @@ +From 6a45ece4c9af473555f01f0f8b97eba56e3c7d0d Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Mon, 28 Jun 2021 14:08:12 -0600 +Subject: [PATCH] vfio/pci: Handle concurrent vma faults +Git-commit: 6a45ece4c9af473555f01f0f8b97eba56e3c7d0d +Patch-mainline: v5.14-rc1 +References: git-fixes + +io_remap_pfn_range() will trigger a BUG_ON if it encounters a +populated pte within the mapping range. This can occur because we map +the entire vma on fault and multiple faults can be blocked behind the +vma_lock. This leads to traces like the one reported below. + +We can use our vma_list to test whether a given vma is mapped to avoid +this issue. + +[ 1591.733256] kernel BUG at mm/memory.c:2177! +[ 1591.739515] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +[ 1591.747381] Modules linked in: vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) +[ 1591.760536] CPU: 2 PID: 227 Comm: lcore-worker-2 Tainted: G O 5.11.0-rc3+ #1 +[ 1591.770735] Hardware name: , BIOS HixxxxFPGA 1P B600 V121-1 +[ 1591.778872] pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--) +[ 1591.786134] pc : remap_pfn_range+0x214/0x340 +[ 1591.793564] lr : remap_pfn_range+0x1b8/0x340 +[ 1591.799117] sp : ffff80001068bbd0 +[ 1591.803476] x29: ffff80001068bbd0 x28: 0000042eff6f0000 +[ 1591.810404] x27: 0000001100910000 x26: 0000001300910000 +[ 1591.817457] x25: 0068000000000fd3 x24: ffffa92f1338e358 +[ 1591.825144] x23: 0000001140000000 x22: 0000000000000041 +[ 1591.832506] x21: 0000001300910000 x20: ffffa92f141a4000 +[ 1591.839520] x19: 0000001100a00000 x18: 0000000000000000 +[ 1591.846108] x17: 0000000000000000 x16: ffffa92f11844540 +[ 1591.853570] x15: 0000000000000000 x14: 0000000000000000 +[ 1591.860768] x13: fffffc0000000000 x12: 0000000000000880 +[ 1591.868053] x11: ffff0821bf3d01d0 x10: ffff5ef2abd89000 +[ 1591.875932] x9 : ffffa92f12ab0064 x8 : ffffa92f136471c0 +[ 1591.883208] x7 : 0000001140910000 x6 : 0000000200000000 +[ 1591.890177] x5 : 0000000000000001 x4 : 0000000000000001 +[ 1591.896656] x3 : 0000000000000000 x2 : 0168044000000fd3 +[ 1591.903215] x1 : ffff082126261880 x0 : fffffc2084989868 +[ 1591.910234] Call trace: +[ 1591.914837] remap_pfn_range+0x214/0x340 +[ 1591.921765] vfio_pci_mmap_fault+0xac/0x130 [vfio_pci] +[ 1591.931200] __do_fault+0x44/0x12c +[ 1591.937031] handle_mm_fault+0xcc8/0x1230 +[ 1591.942475] do_page_fault+0x16c/0x484 +[ 1591.948635] do_translation_fault+0xbc/0xd8 +[ 1591.954171] do_mem_abort+0x4c/0xc0 +[ 1591.960316] el0_da+0x40/0x80 +[ 1591.965585] el0_sync_handler+0x168/0x1b0 +[ 1591.971608] el0_sync+0x174/0x180 +[ 1591.978312] Code: eb1b027f 540000c0 f9400022 b4fffe02 (d4210000) + +Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking") +Reported-by: Zeng Tao +Suggested-by: Zeng Tao +Link: https://lore.kernel.org/r/162497742783.3883260.3282953006487785034.stgit@omen +Signed-off-by: Alex Williamson +Acked-by: Takashi Iwai + +--- + drivers/vfio/pci/vfio_pci.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index 759dfb118712..318864d52837 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -1584,6 +1584,7 @@ static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf) + { + struct vm_area_struct *vma = vmf->vma; + struct vfio_pci_device *vdev = vma->vm_private_data; ++ struct vfio_pci_mmap_vma *mmap_vma; + vm_fault_t ret = VM_FAULT_NOPAGE; + + mutex_lock(&vdev->vma_lock); +@@ -1591,24 +1592,36 @@ static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf) + + if (!__vfio_pci_memory_enabled(vdev)) { + ret = VM_FAULT_SIGBUS; +- mutex_unlock(&vdev->vma_lock); + goto up_out; + } + +- if (__vfio_pci_add_vma(vdev, vma)) { +- ret = VM_FAULT_OOM; +- mutex_unlock(&vdev->vma_lock); +- goto up_out; ++ /* ++ * We populate the whole vma on fault, so we need to test whether ++ * the vma has already been mapped, such as for concurrent faults ++ * to the same vma. io_remap_pfn_range() will trigger a BUG_ON if ++ * we ask it to fill the same range again. ++ */ ++ list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) { ++ if (mmap_vma->vma == vma) ++ goto up_out; + } + +- mutex_unlock(&vdev->vma_lock); +- + if (io_remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, +- vma->vm_end - vma->vm_start, vma->vm_page_prot)) ++ vma->vm_end - vma->vm_start, ++ vma->vm_page_prot)) { + ret = VM_FAULT_SIGBUS; ++ zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start); ++ goto up_out; ++ } ++ ++ if (__vfio_pci_add_vma(vdev, vma)) { ++ ret = VM_FAULT_OOM; ++ zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start); ++ } + + up_out: + up_read(&vdev->memory_lock); ++ mutex_unlock(&vdev->vma_lock); + return ret; + } + +-- +2.26.2 + diff --git a/patches.suse/vfs-Convert-functionfs-to-use-the-new-mount-API.patch b/patches.suse/vfs-Convert-functionfs-to-use-the-new-mount-API.patch new file mode 100644 index 0000000..80444ee --- /dev/null +++ b/patches.suse/vfs-Convert-functionfs-to-use-the-new-mount-API.patch @@ -0,0 +1,325 @@ +From dec90f61f125568088a6ada61832b366c1670e9f Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 20 Mar 2019 23:31:05 +0000 +Subject: [PATCH] vfs: Convert functionfs to use the new mount API +Git-commit: dec90f61f125568088a6ada61832b366c1670e9f +References: git -fixes +Patch-mainline: v5.4-rc1 + +Convert the functionfs filesystem to the new internal mount API as the old +one will be obsoleted and removed. This allows greater flexibility in +communication of mount parameters between userspace, the VFS and the +filesystem. + +See Documentation/filesystems/mount_api.txt for more information. + +Signed-off-by: David Howells +Acked-by: Felipe Balbi +Acked-by: Michal Nazarewicz +cc: linux-usb@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Oliver Neukum +--- + drivers/usb/gadget/function/f_fs.c | 233 +++++++++++++++-------------- + 1 file changed, 120 insertions(+), 113 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 213ff03c8a9f..59d9d512dcda 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1451,9 +1452,9 @@ struct ffs_sb_fill_data { + struct ffs_data *ffs_data; + }; + +-static int ffs_sb_fill(struct super_block *sb, void *_data, int silent) ++static int ffs_sb_fill(struct super_block *sb, struct fs_context *fc) + { +- struct ffs_sb_fill_data *data = _data; ++ struct ffs_sb_fill_data *data = fc->fs_private; + struct inode *inode; + struct ffs_data *ffs = data->ffs_data; + +@@ -1486,147 +1487,152 @@ static int ffs_sb_fill(struct super_block *sb, void *_data, int silent) + return 0; + } + +-static int ffs_fs_parse_opts(struct ffs_sb_fill_data *data, char *opts) +-{ +- ENTER(); ++enum { ++ Opt_no_disconnect, ++ Opt_rmode, ++ Opt_fmode, ++ Opt_mode, ++ Opt_uid, ++ Opt_gid, ++}; + +- if (!opts || !*opts) +- return 0; ++static const struct fs_parameter_spec ffs_fs_param_specs[] = { ++ fsparam_bool ("no_disconnect", Opt_no_disconnect), ++ fsparam_u32 ("rmode", Opt_rmode), ++ fsparam_u32 ("fmode", Opt_fmode), ++ fsparam_u32 ("mode", Opt_mode), ++ fsparam_u32 ("uid", Opt_uid), ++ fsparam_u32 ("gid", Opt_gid), ++ {} ++}; + +- for (;;) { +- unsigned long value; +- char *eq, *comma; +- +- /* Option limit */ +- comma = strchr(opts, ','); +- if (comma) +- *comma = 0; +- +- /* Value limit */ +- eq = strchr(opts, '='); +- if (unlikely(!eq)) { +- pr_err("'=' missing in %s\n", opts); +- return -EINVAL; +- } +- *eq = 0; ++static const struct fs_parameter_description ffs_fs_fs_parameters = { ++ .name = "kAFS", ++ .specs = ffs_fs_param_specs, ++}; + +- /* Parse value */ +- if (kstrtoul(eq + 1, 0, &value)) { +- pr_err("%s: invalid value: %s\n", opts, eq + 1); +- return -EINVAL; +- } ++static int ffs_fs_parse_param(struct fs_context *fc, struct fs_parameter *param) ++{ ++ struct ffs_sb_fill_data *data = fc->fs_private; ++ struct fs_parse_result result; ++ int opt; + +- /* Interpret option */ +- switch (eq - opts) { +- case 13: +- if (!memcmp(opts, "no_disconnect", 13)) +- data->no_disconnect = !!value; +- else +- goto invalid; +- break; +- case 5: +- if (!memcmp(opts, "rmode", 5)) +- data->root_mode = (value & 0555) | S_IFDIR; +- else if (!memcmp(opts, "fmode", 5)) +- data->perms.mode = (value & 0666) | S_IFREG; +- else +- goto invalid; +- break; ++ ENTER(); + +- case 4: +- if (!memcmp(opts, "mode", 4)) { +- data->root_mode = (value & 0555) | S_IFDIR; +- data->perms.mode = (value & 0666) | S_IFREG; +- } else { +- goto invalid; +- } +- break; ++ opt = fs_parse(fc, &ffs_fs_fs_parameters, param, &result); ++ if (opt < 0) ++ return opt; + +- case 3: +- if (!memcmp(opts, "uid", 3)) { +- data->perms.uid = make_kuid(current_user_ns(), value); +- if (!uid_valid(data->perms.uid)) { +- pr_err("%s: unmapped value: %lu\n", opts, value); +- return -EINVAL; +- } +- } else if (!memcmp(opts, "gid", 3)) { +- data->perms.gid = make_kgid(current_user_ns(), value); +- if (!gid_valid(data->perms.gid)) { +- pr_err("%s: unmapped value: %lu\n", opts, value); +- return -EINVAL; +- } +- } else { +- goto invalid; +- } +- break; ++ switch (opt) { ++ case Opt_no_disconnect: ++ data->no_disconnect = result.boolean; ++ break; ++ case Opt_rmode: ++ data->root_mode = (result.uint_32 & 0555) | S_IFDIR; ++ break; ++ case Opt_fmode: ++ data->perms.mode = (result.uint_32 & 0666) | S_IFREG; ++ break; ++ case Opt_mode: ++ data->root_mode = (result.uint_32 & 0555) | S_IFDIR; ++ data->perms.mode = (result.uint_32 & 0666) | S_IFREG; ++ break; + +- default: +-invalid: +- pr_err("%s: invalid option\n", opts); +- return -EINVAL; +- } ++ case Opt_uid: ++ data->perms.uid = make_kuid(current_user_ns(), result.uint_32); ++ if (!uid_valid(data->perms.uid)) ++ goto unmapped_value; ++ break; ++ case Opt_gid: ++ data->perms.gid = make_kgid(current_user_ns(), result.uint_32); ++ if (!gid_valid(data->perms.gid)) ++ goto unmapped_value; ++ break; + +- /* Next iteration */ +- if (!comma) +- break; +- opts = comma + 1; ++ default: ++ return -ENOPARAM; + } + + return 0; +-} + +-/* "mount -t functionfs dev_name /dev/function" ends up here */ ++unmapped_value: ++ return invalf(fc, "%s: unmapped value: %u", param->key, result.uint_32); ++} + +-static struct dentry * +-ffs_fs_mount(struct file_system_type *t, int flags, +- const char *dev_name, void *opts) +-{ +- struct ffs_sb_fill_data data = { +- .perms = { +- .mode = S_IFREG | 0600, +- .uid = GLOBAL_ROOT_UID, +- .gid = GLOBAL_ROOT_GID, +- }, +- .root_mode = S_IFDIR | 0500, +- .no_disconnect = false, +- }; +- struct dentry *rv; +- int ret; ++/* ++ * Set up the superblock for a mount. ++ */ ++static int ffs_fs_get_tree(struct fs_context *fc) ++{ ++ struct ffs_sb_fill_data *ctx = fc->fs_private; + void *ffs_dev; + struct ffs_data *ffs; + + ENTER(); + +- ret = ffs_fs_parse_opts(&data, opts); +- if (unlikely(ret < 0)) +- return ERR_PTR(ret); ++ if (!fc->source) ++ return invalf(fc, "No source specified"); + +- ffs = ffs_data_new(dev_name); ++ ffs = ffs_data_new(fc->source); + if (unlikely(!ffs)) +- return ERR_PTR(-ENOMEM); +- ffs->file_perms = data.perms; +- ffs->no_disconnect = data.no_disconnect; ++ return -ENOMEM; ++ ffs->file_perms = ctx->perms; ++ ffs->no_disconnect = ctx->no_disconnect; + +- ffs->dev_name = kstrdup(dev_name, GFP_KERNEL); ++ ffs->dev_name = kstrdup(fc->source, GFP_KERNEL); + if (unlikely(!ffs->dev_name)) { + ffs_data_put(ffs); +- return ERR_PTR(-ENOMEM); ++ return -ENOMEM; + } + +- ffs_dev = ffs_acquire_dev(dev_name); ++ ffs_dev = ffs_acquire_dev(ffs->dev_name); + if (IS_ERR(ffs_dev)) { + ffs_data_put(ffs); +- return ERR_CAST(ffs_dev); ++ return PTR_ERR(ffs_dev); + } ++ + ffs->private_data = ffs_dev; +- data.ffs_data = ffs; ++ ctx->ffs_data = ffs; ++ return get_tree_nodev(fc, ffs_sb_fill); ++} ++ ++static void ffs_fs_free_fc(struct fs_context *fc) ++{ ++ struct ffs_sb_fill_data *ctx = fc->fs_private; ++ ++ if (ctx) { ++ if (ctx->ffs_data) { ++ ffs_release_dev(ctx->ffs_data); ++ ffs_data_put(ctx->ffs_data); ++ } + +- rv = mount_nodev(t, flags, &data, ffs_sb_fill); +- if (IS_ERR(rv) && data.ffs_data) { +- ffs_release_dev(data.ffs_data); +- ffs_data_put(data.ffs_data); ++ kfree(ctx); + } +- return rv; ++} ++ ++static const struct fs_context_operations ffs_fs_context_ops = { ++ .free = ffs_fs_free_fc, ++ .parse_param = ffs_fs_parse_param, ++ .get_tree = ffs_fs_get_tree, ++}; ++ ++static int ffs_fs_init_fs_context(struct fs_context *fc) ++{ ++ struct ffs_sb_fill_data *ctx; ++ ++ ctx = kzalloc(sizeof(struct ffs_sb_fill_data), GFP_KERNEL); ++ if (!ctx) ++ return -ENOMEM; ++ ++ ctx->perms.mode = S_IFREG | 0600; ++ ctx->perms.uid = GLOBAL_ROOT_UID; ++ ctx->perms.gid = GLOBAL_ROOT_GID; ++ ctx->root_mode = S_IFDIR | 0500; ++ ctx->no_disconnect = false; ++ ++ fc->fs_private = ctx; ++ fc->ops = &ffs_fs_context_ops; ++ return 0; + } + + static void +@@ -1644,7 +1650,8 @@ ffs_fs_kill_sb(struct super_block *sb) + static struct file_system_type ffs_fs_type = { + .owner = THIS_MODULE, + .name = "functionfs", +- .mount = ffs_fs_mount, ++ .init_fs_context = ffs_fs_init_fs_context, ++ .parameters = &ffs_fs_fs_parameters, + .kill_sb = ffs_fs_kill_sb, + }; + MODULE_ALIAS_FS("functionfs"); +-- +2.26.2 + diff --git a/patches.suse/vmxnet3-fix-cksum-offload-issues-for-tunnels-with-no.patch b/patches.suse/vmxnet3-fix-cksum-offload-issues-for-tunnels-with-no.patch new file mode 100644 index 0000000..4d17b6e --- /dev/null +++ b/patches.suse/vmxnet3-fix-cksum-offload-issues-for-tunnels-with-no.patch @@ -0,0 +1,85 @@ +From b22580233d473dbf7bbfa4f6549c09e2c80e9e64 Mon Sep 17 00:00:00 2001 +From: Ronak Doshi +Date: Thu, 1 Jul 2021 23:44:27 -0700 +Subject: [PATCH] vmxnet3: fix cksum offload issues for tunnels with non-default udp ports +Git-commit: b22580233d473dbf7bbfa4f6549c09e2c80e9e64 +Patch-mainline: v5.14-rc2 +References: git-fixes + +Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload +support") added support for encapsulation offload. However, the inner +offload capability is to be restricted to UDP tunnels with default +Vxlan and Geneve ports. + +This patch fixes the issue for tunnels with non-default ports using +features check capability and filtering appropriate features for such +tunnels. + +Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support") +Signed-off-by: Ronak Doshi +Acked-by: Guolin Yang +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/vmxnet3/vmxnet3_ethtool.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/vmxnet3/vmxnet3_ethtool.c b/drivers/net/vmxnet3/vmxnet3_ethtool.c +index c0bd9cbc43b1..1b483cf2b1ca 100644 +--- a/drivers/net/vmxnet3/vmxnet3_ethtool.c ++++ b/drivers/net/vmxnet3/vmxnet3_ethtool.c +@@ -1,7 +1,7 @@ + /* + * Linux driver for VMware's vmxnet3 ethernet NIC. + * +- * Copyright (C) 2008-2020, VMware, Inc. All Rights Reserved. ++ * Copyright (C) 2008-2021, VMware, Inc. All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the +@@ -26,6 +26,10 @@ + + + #include "vmxnet3_int.h" ++#include ++#include ++ ++#define VXLAN_UDP_PORT 8472 + + struct vmxnet3_stat_desc { + char desc[ETH_GSTRING_LEN]; +@@ -262,6 +266,8 @@ netdev_features_t vmxnet3_features_check(struct sk_buff *skb, + if (VMXNET3_VERSION_GE_4(adapter) && + skb->encapsulation && skb->ip_summed == CHECKSUM_PARTIAL) { + u8 l4_proto = 0; ++ u16 port; ++ struct udphdr *udph; + + switch (vlan_get_protocol(skb)) { + case htons(ETH_P_IP): +@@ -274,8 +280,20 @@ netdev_features_t vmxnet3_features_check(struct sk_buff *skb, + return features & ~(NETIF_F_CSUM_MASK | NETIF_F_GSO_MASK); + } + +- if (l4_proto != IPPROTO_UDP) ++ switch (l4_proto) { ++ case IPPROTO_UDP: ++ udph = udp_hdr(skb); ++ port = be16_to_cpu(udph->dest); ++ /* Check if offloaded port is supported */ ++ if (port != GENEVE_UDP_PORT && ++ port != IANA_VXLAN_UDP_PORT && ++ port != VXLAN_UDP_PORT) { ++ return features & ~(NETIF_F_CSUM_MASK | NETIF_F_GSO_MASK); ++ } ++ break; ++ default: + return features & ~(NETIF_F_CSUM_MASK | NETIF_F_GSO_MASK); ++ } + } + return features; + } +-- +2.26.2 + diff --git a/patches.suse/xarray-iov_iter_fault_in_readable-should-do-nothing-.patch b/patches.suse/xarray-iov_iter_fault_in_readable-should-do-nothing-.patch new file mode 100644 index 0000000..b53915a --- /dev/null +++ b/patches.suse/xarray-iov_iter_fault_in_readable-should-do-nothing-.patch @@ -0,0 +1,35 @@ +From 0e8f0d67401589a141950856902c7d0ec8d9c985 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 2 Jun 2021 14:48:21 -0400 +Subject: [PATCH] [xarray] iov_iter_fault_in_readable() should do nothing in xarray case +Git-commit: 0e8f0d67401589a141950856902c7d0ec8d9c985 +Patch-mainline: v5.14-rc1 +References: git-fixes + +... and actually should just check it's given an iovec-backed iterator +in the first place. + +Cc: stable@vger.kernel.org +Signed-off-by: Al Viro +Acked-by: Takashi Iwai + +--- + lib/iov_iter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index c8877cffb7bc..a3aabeda945b 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -476,7 +476,7 @@ int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes) + int err; + struct iovec v; + +- if (!(i->type & (ITER_BVEC|ITER_KVEC))) { ++ if (iter_is_iovec(i)) { + iterate_iovec(i, bytes, v, iov, skip, ({ + err = fault_in_pages_readable(v.iov_base, v.iov_len); + if (unlikely(err)) +-- +2.26.2 + diff --git a/series.conf b/series.conf index 677a2da..ce02f3e 100644 --- a/series.conf +++ b/series.conf @@ -3415,6 +3415,7 @@ patches.suse/mfd-intel-lpss-Remove-D3cold-delay.patch patches.suse/mfd-intel-lpss-Add-Intel-Tiger-Lake-PCI-IDs.patch patches.suse/vfs-Convert-bpf-to-use-the-new-mount-API.patch + patches.suse/vfs-Convert-functionfs-to-use-the-new-mount-API.patch patches.suse/hypfs-Fix-error-number-left-in-struct-pointer-member.patch patches.suse/msft-hv-1907-hv_balloon-Use-a-static-page-for-the-balloon_up-send.patch patches.suse/msft-hv-1908-hv_balloon-Reorganize-the-probe-function.patch @@ -13967,6 +13968,7 @@ patches.suse/vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch patches.suse/iio-buffer-Don-t-allow-buffers-without-any-channels-.patch patches.suse/iio-pressure-bmp280-Tolerate-IRQ-before-registering.patch + patches.suse/iio-accel-mxc4005-Drop-unnecessary-explicit-casts-in.patch patches.suse/staging-r8188eu-avoid-skb_clone-for-amsdu-to-msdu-co.patch patches.suse/staging-sm750fb-add-missing-case-while-setting-FB_VI.patch patches.suse/iio-vcnl4000-Fix-i2c-swapped-word-reading.patch @@ -15260,6 +15262,7 @@ patches.suse/ALSA-pci-delete-repeated-words-in-comments.patch patches.suse/staging-vchiq_arm-Add-a-matching-unregister-call.patch patches.suse/iio-improve-IIO_CONCENTRATION-channel-type-descripti.patch + patches.suse/iio-at91-sama5d2_adc-remove-usage-of-iio_priv_to_dev.patch patches.suse/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch patches.suse/staging-rtl8712-handle-firmware-load-failure.patch patches.suse/iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad55.patch @@ -18740,6 +18743,8 @@ patches.suse/Xen-gnttab-handle-p2m-update-errors-on-a-per-slot-ba.patch patches.suse/xen-netback-respect-gnttab_map_refs-s-return-value.patch patches.suse/kvm-svm-clear-the-cr4-register-on-reset.patch + patches.suse/tpm-tpm_tis-Decorate-tpm_get_timeouts-with-request_l.patch + patches.suse/tpm-tpm_tis-Decorate-tpm_tis_gen_interrupt-with-requ.patch patches.suse/scsi-iscsi-restrict-sessions-and-handles-to-admin-capabilities patches.suse/scsi-iscsi-ensure-sysfs-attributes-are-limited-to-page_size patches.suse/scsi-iscsi-verify-lengths-on-passthrough-pdus @@ -19120,6 +19125,7 @@ patches.suse/gpio-sysfs-Obey-valid_mask.patch patches.suse/libnvdimm-region-Fix-nvdimm_has_flush-to-handle-ND_R.patch patches.suse/net-geneve-check-skb-is-large-enough-for-IPv4-IPv6-h.patch + patches.suse/netfilter-x_tables-fix-compat-match-target-pad-out-o.patch patches.suse/ibmvnic-correctly-use-dev_consume-free_skb_irq.patch patches.suse/ibmvnic-avoid-calling-napi_disable-twice.patch patches.suse/ibmvnic-remove-duplicate-napi_schedule-call-in-do_re.patch @@ -19680,6 +19686,8 @@ patches.suse/x86-kvm-Disable-kvmclock-on-all-CPUs-on-shutdown.patch patches.suse/x86-kvm-Disable-all-PV-features-on-crash.patch patches.suse/x86-kvm-Unify-kvm_pv_guest_cpu_reboot-with-kvm_guest.patch + patches.suse/tpm-tpm_tis-Extend-locality-handling-to-TPM2-in-tpm_.patch + patches.suse/tpm-tpm_tis-Reserve-locality-in-tpm_tis_resume.patch patches.suse/tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch patches.suse/hwmon-occ-Fix-poll-rate-limiting.patch patches.suse/vgacon-Record-video-mode-changes-with-VT_RESIZEX.patch @@ -20010,41 +20018,93 @@ patches.suse/i2c-robotfuzz-osif-fix-control-request-directions.patch patches.suse/kthread_worker-split-code-for-canceling-the-delayed-.patch patches.suse/kthread-prevent-deadlock-when-kthread_mod_delayed_wo.patch + patches.suse/mm-futex-fix-shared-futex-pgoff-on-shmem-huge-page.patch patches.suse/pinctrl-stm32-fix-the-reported-number-of-GPIO-lines-.patch patches.suse/s390-stack-fix-possible-register-corruption-with-stack-switch-helper.patch patches.suse/ata-ahci_sunxi-Disable-DIPM.patch patches.suse/mmc-block-Disable-CMDQ-on-the-ioctl-path.patch patches.suse/mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch + patches.suse/memstick-rtsx_usb_ms-fix-UAF.patch patches.suse/mmc-vub3000-fix-control-request-direction.patch patches.suse/mmc-sdhci-esdhc-imx-remove-unused-is_imx6q_usdhc.patch + patches.suse/mmc-sdhci-sprd-use-sdhci_sprd_writew.patch + patches.suse/mmc-via-sdmmc-add-a-check-against-NULL-pointer-deref.patch patches.suse/regulator-hi655x-Fix-pass-wrong-pointer-to-config.dr.patch + patches.suse/regulator-uniphier-Add-missing-MODULE_DEVICE_TABLE.patch + patches.suse/regulator-da9052-Ensure-enough-delay-time-for-.set_v.patch + patches.suse/spi-Make-of_register_spi_device-also-set-the-fwnode.patch patches.suse/spi-spi-sun6i-Fix-chipselect-clock-bug.patch + patches.suse/spi-spi-topcliff-pch-Fix-potential-double-free-in-pc.patch + patches.suse/spi-omap-100k-Fix-the-length-judgment-problem.patch patches.suse/spi-tegra114-Fix-an-error-message.patch + patches.suse/spi-spi-loopback-test-Fix-tx_buf-might-be-rx_buf.patch patches.suse/spi-stm32-qspi-Remove-unused-qspi-field-of-struct-st.patch patches.suse/hwmon-max31722-Remove-non-standard-ACPI-device-IDs.patch patches.suse/hwmon-max31790-Fix-fan-speed-reporting-for-fan7.12.patch + patches.suse/hwmon-max31790-Report-correct-current-pwm-duty-cycle.patch + patches.suse/hwmon-max31790-Fix-pwmX_enable-attributes.patch + patches.suse/media-mdk-mdp-fix-pm_runtime_get_sync-usage-count.patch + patches.suse/media-sh_vou-fix-pm_runtime_get_sync-usage-count.patch + patches.suse/media-mtk-vcodec-fix-PM-runtime-get-logic.patch + patches.suse/media-s5p-jpeg-fix-pm_runtime_get_sync-usage-count.patch + patches.suse/media-sti-bdisp-fix-pm_runtime_get_sync-usage-count.patch + patches.suse/media-exynos-gsc-fix-pm_runtime_get_sync-usage-count.patch + patches.suse/media-sti-fix-obj-config-targets.patch + patches.suse/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch + patches.suse/media-cobalt-fix-race-condition-in-setting-HPD.patch patches.suse/media-I2C-change-RST-to-RSET-to-fix-multiple-build-e.patch + patches.suse/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch patches.suse/media-rc-i2c-Fix-an-error-message.patch patches.suse/media-dvb-usb-fix-wrong-definition.patch + patches.suse/media-imx-imx7_mipi_csis-Fix-logging-of-only-error-e.patch + patches.suse/media-em28xx-Fix-possible-memory-leak-of-em28xx-stru.patch patches.suse/media-exynos4-is-Fix-a-use-after-free-in-isp_video_r.patch + patches.suse/media-v4l2-core-Avoid-the-dangling-pointer-in-v4l2_f.patch + patches.suse/media-bt8xx-Fix-a-missing-check-bug-in-bt878_probe.patch patches.suse/media-au0828-fix-a-NULL-vs-IS_ERR-check.patch patches.suse/media-tc358743-Fix-error-return-code-in-tc358743_pro.patch patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch + patches.suse/media-st-hva-Fix-potential-NULL-pointer-dereferences.patch patches.suse/media-dtv5100-fix-control-request-directions.patch patches.suse/media-gspca-sq905-fix-control-request-direction.patch patches.suse/media-gspca-gl860-fix-zero-length-control-requests.patch patches.suse/media-gspca-sunplus-fix-zero-length-control-requests.patch patches.suse/media-rtl28xxu-fix-zero-length-control-request.patch + patches.suse/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch + patches.suse/media-dvb_net-avoid-speculation-from-net-slot.patch + patches.suse/media-siano-fix-device-register-error-path.patch + patches.suse/media-imx-csi-Skip-first-few-frames-from-a-BT.656-so.patch patches.suse/media-s5p-g2d-Fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch + patches.suse/media-Fix-Media-Controller-API-config-checks.patch + patches.suse/hwrng-exynos-Fix-runtime-PM-imbalance-on-error.patch + patches.suse/crypto-ixp4xx-dma_unmap-the-correct-address.patch + patches.suse/crypto-nx-add-missing-MODULE_DEVICE_TABLE.patch + patches.suse/crypto-ux500-Fix-error-return-code-in-hash_hw_final.patch + patches.suse/crypto-ccp-Fix-a-resource-leak-in-an-error-handling-.patch + patches.suse/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch + patches.suse/crypto-qat-remove-unused-macro-in-FW-loader.patch + patches.suse/crypto-nitrox-fix-unchecked-variable-in-nitrox_regis.patch + patches.suse/crypto-omap-sham-Fix-PM-reference-leak-in-omap-sham-.patch patches.suse/docs-admin-guide-update-description-for-kernel.hotpl.patch patches.suse/media-siano-Fix-out-of-bounds-warnings-in-smscore_lo.patch + patches.suse/lib-vsprintf-Fix-handling-of-number-field-widths-in-.patch + patches.suse/random32-Fix-implicit-truncation-warning-in-prandom_.patch + patches.suse/clocksource-Retry-clock-read-if-long-delays-detected.patch patches.suse/cpufreq-sc520_freq-add-fallthrough-to-one-case.patch + patches.suse/ACPICA-Fix-memory-leak-caused-by-_CID-repair-functio.patch + patches.suse/ACPI-processor-idle-Fix-up-C-state-latency-if-not-or.patch + patches.suse/ACPI-resources-Add-checks-for-ACPI-IRQ-override.patch patches.suse/ACPI-sysfs-Fix-a-buffer-overrun-problem-with-descrip.patch + patches.suse/ACPI-EC-Make-more-Asus-laptops-use-ECDT-_GPE.patch patches.suse/ACPI-APEI-fix-synchronous-external-aborts-in-user-mo.patch + patches.suse/ACPI-bus-Call-kobject_put-in-acpi_init-error-path.patch patches.suse/ACPI-property-Constify-stubs-for-CONFIG_ACPI-n-case.patch patches.suse/dax-fix-ENOMEM-handling-in-grab_mapping_entry.patch patches.suse/0001-ipmi-watchdog-Stop-watchdog-timer-when-the-current-a.patch + patches.suse/platform-x86-toshiba_acpi-Fix-missing-error-code-in-.patch patches.suse/extcon-extcon-max8997-Fix-IRQ-freeing-at-error-path.patch + patches.suse/HID-wacom-Correct-base-usage-for-capacitive-ExpressK.patch + patches.suse/HID-do-not-use-down_interruptible-when-unbinding-dev.patch patches.suse/block-return-the-correct-bvec-when-checking-for-gaps.patch patches.suse/nvme-verify-MNAN-value-if-ANA-is-enabled.patch patches.suse/ibmvnic-remove-default-label-from-to_string-switch.patch @@ -20056,10 +20116,12 @@ patches.suse/ibmvnic-fix-kernel-build-warnings-in-build_hdr_descs.patch patches.suse/ibmvnic-fix-send_request_map-incompatible-argument.patch patches.suse/ssb-Fix-error-return-code-in-ssb_bus_scan.patch + patches.suse/ssb-sdio-Don-t-overwrite-const-buffer-if-block_write.patch patches.suse/brcmfmac-fix-setting-of-station-info-chains-bitmask.patch patches.suse/brcmfmac-correctly-report-average-RSSI-in-station-in.patch patches.suse/brcmsmac-mac80211_if-Fix-a-resource-leak-in-an-error.patch patches.suse/rsi-Assign-beacon-rate-settings-to-the-correct-rate_.patch + patches.suse/ath9k-Fix-kernel-NULL-pointer-dereference-during-ath.patch patches.suse/ath10k-go-to-path-err_unsupported-when-chip-id-is-no.patch patches.suse/ath10k-add-missing-error-return-code-in-ath10k_pci_p.patch patches.suse/wireless-carl9170-fix-LEDS-build-errors-warnings.patch @@ -20119,6 +20181,10 @@ patches.suse/Revert-ALSA-bebob-oxfw-fix-Kconfig-entry-for-Mackie-.patch patches.suse/ALSA-usb-audio-scarlett2-Read-mixer-volumes-at-init-.patch patches.suse/ALSA-usb-audio-scarlett2-Read-mux-at-init-time.patch + patches.suse/ALSA-usb-audio-fix-rate-on-Ozone-Z90-USB-headset.patch + patches.suse/ALSA-hda-realtek-Add-another-ALC236-variant-support.patch + patches.suse/ALSA-hda-realtek-Fix-bass-speaker-DAC-mapping-for-As.patch + patches.suse/ALSA-usb-audio-scarlett2-Fix-wrong-resume-call.patch patches.suse/ASoC-cs42l42-Correct-definition-of-CS42L42_ADC_PDN_M.patch patches.suse/ASoC-atmel-i2s-Fix-usage-of-capture-and-playback-at-.patch patches.suse/ASoC-hisilicon-fix-missing-clk_disable_unprepare-on-.patch @@ -20127,6 +20193,8 @@ patches.suse/tracepoint-Add-tracepoint_probe_register_may_exist-for-BPF-tracing.patch patches.suse/tracing-Simplify-fix-saved_tgids-logic.patch patches.suse/tracing-Resize-tgid_map-to-pid_max-not-PID_MAX_DEFAULT.patch + patches.suse/xarray-iov_iter_fault_in_readable-should-do-nothing-.patch + patches.suse/vfio-pci-Handle-concurrent-vma-faults.patch patches.suse/leds-lm3532-select-regmap-I2C-API.patch patches.suse/leds-as3645a-Fix-error-return-code-in-as3645a_parse_.patch patches.suse/leds-ktd2692-Fix-an-error-handling-path.patch @@ -20152,6 +20220,7 @@ patches.suse/iio-accel-bma220-Fix-buffer-alignment-in-iio_push_to.patch patches.suse/iio-accel-hid-Fix-buffer-alignment-in-iio_push_to_bu.patch patches.suse/iio-accel-kxcjk-1013-Fix-buffer-alignment-in-iio_pus.patch + patches.suse/iio-accel-mxc4005-Fix-overread-of-data-and-alignment.patch patches.suse/iio-accel-stk8312-Fix-buffer-alignment-in-iio_push_t.patch patches.suse/iio-accel-stk8ba50-Fix-buffer-alignment-in-iio_push_.patch patches.suse/iio-adc-ti-ads1015-Fix-buffer-alignment-in-iio_push_.patch @@ -20169,11 +20238,13 @@ patches.suse/iio-potentiostat-lmp91000-Fix-alignment-of-buffer-in.patch patches.suse/staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch patches.suse/staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch + patches.suse/staging-rtl8712-remove-redundant-check-in-r871xu_drv.patch patches.suse/staging-rtl8712-fix-memory-leak-in-rtl871x_load_fw_c.patch patches.suse/iio-si1133-fix-format-string-warnings.patch patches.suse/iio-ltr501-mark-register-holding-upper-8-bits-of-ALS.patch patches.suse/iio-ltr501-ltr559-fix-initialization-of-LTR501_ALS_C.patch patches.suse/iio-ltr501-ltr501_read_ps-add-missing-endianness-con.patch + patches.suse/iio-adc-at91-sama5d2-Fix-buffer-alignment-in-iio_pus.patch patches.suse/iio-adc-hx711-Fix-buffer-alignment-in-iio_push_to_bu.patch patches.suse/iio-adc-mxs-lradc-Fix-buffer-alignment-in-iio_push_t.patch patches.suse/iio-adc-ti-ads8688-Fix-alignment-of-buffer-in-iio_pu.patch @@ -20185,14 +20256,19 @@ patches.suse/tty-nozomi-Fix-the-error-handling-path-of-nozomi_car.patch patches.suse/serial-tegra-tcu-Reorder-channel-initialization.patch patches.suse/serial-8250-Actually-allow-UPF_MAGIC_MULTIPLIER-baud.patch + patches.suse/serial_cs-remove-wrong-GLOBETROTTER.cis-entry.patch + patches.suse/serial_cs-Add-Option-International-GSM-Ready-56K-ISD.patch patches.suse/serial-mvebu-uart-fix-calculation-of-clock-divisor.patch patches.suse/serial-mvebu-uart-do-not-allow-changing-baudrate-whe.patch patches.suse/serial-mvebu-uart-correctly-calculate-minimal-possib.patch patches.suse/usb-typec-wcove-Fx-wrong-kernel-doc-format.patch + patches.suse/usb-gadget-f_fs-Fix-setting-of-device-and-driver-dat.patch patches.suse/usb-dwc2-Don-t-reset-the-core-after-setting-turnarou.patch patches.suse/usb-typec-Add-the-missed-altmode_id_remove-in-typec_.patch patches.suse/xhci-solve-a-double-free-problem-while-doing-s4.patch + patches.suse/usb-gadget-eem-fix-echo-command-packet-response-issu.patch patches.suse/usb-dwc3-Fix-debugfs-creation-flow.patch + patches.suse/USB-cdc-acm-blacklist-Heimann-USB-Appset-device.patch patches.suse/fuse-ignore-pg_workingset-after-stealing.patch patches.suse/fuse-check-connected-before-queueing-on-fpq-io.patch patches.suse/fuse-reject-internal-errno.patch @@ -20213,6 +20289,9 @@ patches.suse/rtc-fix-snprintf-checking-in-is_rtc_hctosys.patch patches.suse/rtc-stm32-Fix-unbalanced-clk_disable_unprepare-on-pr.patch patches.suse/rtc-pcf2127-handle-timestamp-interrupts.patch + patches.suse/fm10k-Fix-an-error-handling-path-in-fm10k_probe.patch + patches.suse/gve-Fix-an-error-handling-path-in-gve_probe.patch + patches.suse/vmxnet3-fix-cksum-offload-issues-for-tunnels-with-no.patch ######################################################## # end of sorted patches