From 77d9d029a74ee9420c049d288edefb55d5295469 Mon Sep 17 00:00:00 2001 From: Denis Kirjanov Date: Feb 07 2022 14:40:20 +0000 Subject: Merge branch 'SLE15-SP3' into SLE15-SP3_EMBARGO Conflicts: series.conf --- diff --git a/blacklist.conf b/blacklist.conf index b9b9f04..771e7be 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -1452,3 +1452,5 @@ a2308836880bf1501ff9373c611dc2970247d42b # not applicable 6ba34d3c73674e46d9e126e4f0cee79e5ef2481c # too intrusive, improbable (v2 only, unclear race) 7ee285395b211cad474b2b989db52666e0430daf # result is warning+nop only, can't happen with systemd distro e1fbbd073137a9d63279f6bf363151a938347640 # CRIU stuff, see bsc#1195335 +ee12595147ac1fbfb5bcb23837e26dd58d94b15d # We do not have commit 5e469c830fdb ("fanotify: copy event fid info to user") which is also necessary for the problem to be present +4013d47a5307fdb5c13370b5392498b00fedd274 # Only lockdep fixup diff --git a/config/arm64/default b/config/arm64/default index 8b6aec9..87cdc56 100644 --- a/config/arm64/default +++ b/config/arm64/default @@ -7943,6 +7943,7 @@ CONFIG_INFINIBAND_USER_MEM=y CONFIG_INFINIBAND_ON_DEMAND_PAGING=y CONFIG_INFINIBAND_ADDR_TRANS=y CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y +CONFIG_INFINIBAND_VIRT_DMA=y CONFIG_INFINIBAND_MTHCA=m CONFIG_INFINIBAND_MTHCA_DEBUG=y CONFIG_INFINIBAND_CXGB3=m diff --git a/config/ppc64le/default b/config/ppc64le/default index 22276fa..ab21647 100644 --- a/config/ppc64le/default +++ b/config/ppc64le/default @@ -4787,6 +4787,7 @@ CONFIG_INFINIBAND_USER_MEM=y CONFIG_INFINIBAND_ON_DEMAND_PAGING=y CONFIG_INFINIBAND_ADDR_TRANS=y CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y +CONFIG_INFINIBAND_VIRT_DMA=y CONFIG_INFINIBAND_MTHCA=m CONFIG_INFINIBAND_MTHCA_DEBUG=y CONFIG_INFINIBAND_CXGB3=m diff --git a/config/s390x/default b/config/s390x/default index 8569ef2..fdecdfe 100644 --- a/config/s390x/default +++ b/config/s390x/default @@ -2829,6 +2829,7 @@ CONFIG_INFINIBAND_USER_MEM=y CONFIG_INFINIBAND_ON_DEMAND_PAGING=y CONFIG_INFINIBAND_ADDR_TRANS=y CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y +CONFIG_INFINIBAND_VIRT_DMA=y # CONFIG_INFINIBAND_MTHCA is not set CONFIG_MLX4_INFINIBAND=m CONFIG_MLX5_INFINIBAND=m diff --git a/config/x86_64/default b/config/x86_64/default index 0ebfb7c..131c50f 100644 --- a/config/x86_64/default +++ b/config/x86_64/default @@ -7361,6 +7361,7 @@ CONFIG_INFINIBAND_USER_MEM=y CONFIG_INFINIBAND_ON_DEMAND_PAGING=y CONFIG_INFINIBAND_ADDR_TRANS=y CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y +CONFIG_INFINIBAND_VIRT_DMA=y CONFIG_INFINIBAND_MTHCA=m CONFIG_INFINIBAND_MTHCA_DEBUG=y CONFIG_INFINIBAND_QIB=m diff --git a/patches.suse/ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch b/patches.suse/ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch index 1e9440a..dd06314 100644 --- a/patches.suse/ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch +++ b/patches.suse/ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch @@ -3,7 +3,7 @@ From: Takashi Iwai Date: Fri, 24 Apr 2020 21:38:43 +0200 Subject: [PATCH] ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (for 5.7) Git-commit: ac957e8c54115c1ed32e41e0072af3a63576cda6 -No-fix: No-fix: 4285de0725b1bf73608abbcd35ad7fd3ddc0b61e +No-fix: 4285de0725b1bf73608abbcd35ad7fd3ddc0b61e Patch-mainline: v5.7-rc4 References: jsc#SLE-16518 diff --git a/patches.suse/ALSA-usb-audio-Correct-quirk-for-VF0770.patch b/patches.suse/ALSA-usb-audio-Correct-quirk-for-VF0770.patch new file mode 100644 index 0000000..a25059d --- /dev/null +++ b/patches.suse/ALSA-usb-audio-Correct-quirk-for-VF0770.patch @@ -0,0 +1,48 @@ +From 4ee02e20893d2f9e951c7888f2284fa608ddaa35 Mon Sep 17 00:00:00 2001 +From: Jonas Hahnfeld +Date: Mon, 31 Jan 2022 19:35:16 +0100 +Subject: [PATCH] ALSA: usb-audio: Correct quirk for VF0770 +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 4ee02e20893d2f9e951c7888f2284fa608ddaa35 +Patch-mainline: v5.17-rc3 +References: git-fixes + +This device provides both audio and video. The original quirk added in +commit 48827e1d6af5 ("ALSA: usb-audio: Add quirk for VF0770") used +USB_DEVICE to match the vendor and product ID. Depending on module order, +if snd-usb-audio was asked first, it would match the entire device and +uvcvideo wouldn't get to see it. Change the matching to USB_AUDIO_DEVICE +to restore uvcvideo matching in all cases. + +Fixes: 48827e1d6af5 ("ALSA: usb-audio: Add quirk for VF0770") +Reported-by: Jukka Heikintalo +Tested-by: Jukka Heikintalo +Reported-by: Paweł Susicki +Tested-by: Paweł Susicki +Cc: # 5.4, 5.10, 5.14, 5.15 +Signed-off-by: Jonas Hahnfeld +Link: https://lore.kernel.org/r/20220131183516.61191-1-hahnjo@hahnjo.de +Signed-off-by: Takashi Iwai + +--- + sound/usb/quirks-table.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index b1522e43173e..0ea39565e623 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -84,7 +84,7 @@ + * combination. + */ + { +- USB_DEVICE(0x041e, 0x4095), ++ USB_AUDIO_DEVICE(0x041e, 0x4095), + .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { + .ifnum = QUIRK_ANY_INTERFACE, + .type = QUIRK_COMPOSITE, +-- +2.31.1 + diff --git a/patches.suse/ALSA-usb-audio-initialize-variables-that-could-ignor.patch b/patches.suse/ALSA-usb-audio-initialize-variables-that-could-ignor.patch new file mode 100644 index 0000000..10c6837 --- /dev/null +++ b/patches.suse/ALSA-usb-audio-initialize-variables-that-could-ignor.patch @@ -0,0 +1,44 @@ +From 3da4b7403db87d39bc2613cfd790de1de99a70ab Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Wed, 26 Jan 2022 10:21:42 -0800 +Subject: [PATCH] ALSA: usb-audio: initialize variables that could ignore errors +Git-commit: 3da4b7403db87d39bc2613cfd790de1de99a70ab +Patch-mainline: v5.17-rc3 +References: git-fixes + +clang static analysis reports this representative issue +mixer.c:1548:35: warning: Assigned value is garbage or undefined + ucontrol->value.integer.value[0] = val; + ^ ~~~ + +The filter_error() macro allows errors to be ignored. +If errors can be ignored, initialize variables +so garbage will not be used. + +Fixes: 48cc42973509 ("ALSA: usb-audio: Filter error from connector kctl ops, too") +Signed-off-by: Tom Rix +Link: https://lore.kernel.org/r/20220126182142.1184819-1-trix@redhat.com +Signed-off-by: Takashi Iwai + +--- + sound/usb/mixer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index e8f3f8d622ec..630766ba259f 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1527,6 +1527,10 @@ static int get_connector_value(struct usb_mixer_elem_info *cval, + usb_audio_err(chip, + "cannot get connectors status: req = %#x, wValue = %#x, wIndex = %#x, type = %d\n", + UAC_GET_CUR, validx, idx, cval->val_type); ++ ++ if (val) ++ *val = 0; ++ + return filter_error(cval, ret); + } + +-- +2.31.1 + diff --git a/patches.suse/ASoC-cpcap-Check-for-NULL-pointer-after-calling-of_g.patch b/patches.suse/ASoC-cpcap-Check-for-NULL-pointer-after-calling-of_g.patch new file mode 100644 index 0000000..6536c5e --- /dev/null +++ b/patches.suse/ASoC-cpcap-Check-for-NULL-pointer-after-calling-of_g.patch @@ -0,0 +1,41 @@ +From f7a6021aaf02088870559f82fc13c58cda7fea1a Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Tue, 11 Jan 2022 10:50:48 +0800 +Subject: [PATCH] ASoC: cpcap: Check for NULL pointer after calling of_get_child_by_name +Git-commit: f7a6021aaf02088870559f82fc13c58cda7fea1a +Patch-mainline: v5.17-rc3 +References: git-fixes + +If the device does not exist, of_get_child_by_name() will return NULL +pointer. +And devm_snd_soc_register_component() does not check it. +Also, I have noticed that cpcap_codec_driver has not been used yet. +Therefore, it should be better to check it in order to avoid the future +dereference of the NULL pointer. + +Fixes: f6cdf2d3445d ("ASoC: cpcap: new codec") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220111025048.524134-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/codecs/cpcap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/cpcap.c b/sound/soc/codecs/cpcap.c +index 598e09024e23..ffdf8b615efa 100644 +--- a/sound/soc/codecs/cpcap.c ++++ b/sound/soc/codecs/cpcap.c +@@ -1667,6 +1667,8 @@ static int cpcap_codec_probe(struct platform_device *pdev) + { + struct device_node *codec_node = + of_get_child_by_name(pdev->dev.parent->of_node, "audio-codec"); ++ if (!codec_node) ++ return -ENODEV; + + pdev->dev.of_node = codec_node; + +-- +2.31.1 + diff --git a/patches.suse/ASoC-fsl-Add-missing-error-handling-in-pcm030_fabric.patch b/patches.suse/ASoC-fsl-Add-missing-error-handling-in-pcm030_fabric.patch new file mode 100644 index 0000000..1f408b6 --- /dev/null +++ b/patches.suse/ASoC-fsl-Add-missing-error-handling-in-pcm030_fabric.patch @@ -0,0 +1,53 @@ +From fb25621da5702c104ce0a48de5b174ced09e5b4e Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 27 Jan 2022 13:13:34 +0000 +Subject: [PATCH] ASoC: fsl: Add missing error handling in pcm030_fabric_probe +Git-commit: fb25621da5702c104ce0a48de5b174ced09e5b4e +Patch-mainline: v5.17-rc3 +References: git-fixes + +Add the missing platform_device_put() and platform_device_del() +before return from pcm030_fabric_probe in the error handling case. + +Fixes: c912fa913446 ("ASoC: fsl: register the wm9712-codec") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220127131336.30214-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/fsl/pcm030-audio-fabric.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/fsl/pcm030-audio-fabric.c b/sound/soc/fsl/pcm030-audio-fabric.c +index af3c3b90c0ac..83b4a22bf15a 100644 +--- a/sound/soc/fsl/pcm030-audio-fabric.c ++++ b/sound/soc/fsl/pcm030-audio-fabric.c +@@ -93,16 +93,21 @@ static int pcm030_fabric_probe(struct platform_device *op) + dev_err(&op->dev, "platform_device_alloc() failed\n"); + + ret = platform_device_add(pdata->codec_device); +- if (ret) ++ if (ret) { + dev_err(&op->dev, "platform_device_add() failed: %d\n", ret); ++ platform_device_put(pdata->codec_device); ++ } + + ret = snd_soc_register_card(card); +- if (ret) ++ if (ret) { + dev_err(&op->dev, "snd_soc_register_card() failed: %d\n", ret); ++ platform_device_del(pdata->codec_device); ++ platform_device_put(pdata->codec_device); ++ } + + platform_set_drvdata(op, pdata); +- + return ret; ++ + } + + static int pcm030_fabric_remove(struct platform_device *op) +-- +2.31.1 + diff --git a/patches.suse/ASoC-max9759-fix-underflow-in-speaker_gain_control_p.patch b/patches.suse/ASoC-max9759-fix-underflow-in-speaker_gain_control_p.patch new file mode 100644 index 0000000..096ce81 --- /dev/null +++ b/patches.suse/ASoC-max9759-fix-underflow-in-speaker_gain_control_p.patch @@ -0,0 +1,41 @@ +From 4c907bcd9dcd233da6707059d777ab389dcbd964 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 19 Jan 2022 15:31:01 +0300 +Subject: [PATCH] ASoC: max9759: fix underflow in speaker_gain_control_put() +Git-commit: 4c907bcd9dcd233da6707059d777ab389dcbd964 +Patch-mainline: v5.17-rc3 +References: git-fixes + +Check for negative values of "priv->gain" to prevent an out of bounds +access. The concern is that these might come from the user via: + -> snd_ctl_elem_write_user() + -> snd_ctl_elem_write() + -> kctl->put() + +Fixes: fa8d915172b8 ("ASoC: max9759: Add Amplifier Driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20220119123101.GA9509@kili +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/codecs/max9759.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/max9759.c b/sound/soc/codecs/max9759.c +index d75fd61b9032..bc57d7687f16 100644 +--- a/sound/soc/codecs/max9759.c ++++ b/sound/soc/codecs/max9759.c +@@ -64,7 +64,8 @@ static int speaker_gain_control_put(struct snd_kcontrol *kcontrol, + struct snd_soc_component *c = snd_soc_kcontrol_component(kcontrol); + struct max9759 *priv = snd_soc_component_get_drvdata(c); + +- if (ucontrol->value.integer.value[0] > 3) ++ if (ucontrol->value.integer.value[0] < 0 || ++ ucontrol->value.integer.value[0] > 3) + return -EINVAL; + + priv->gain = ucontrol->value.integer.value[0]; +-- +2.31.1 + diff --git a/patches.suse/ASoC-xilinx-xlnx_formatter_pcm-Make-buffer-bytes-mul.patch b/patches.suse/ASoC-xilinx-xlnx_formatter_pcm-Make-buffer-bytes-mul.patch new file mode 100644 index 0000000..de678da --- /dev/null +++ b/patches.suse/ASoC-xilinx-xlnx_formatter_pcm-Make-buffer-bytes-mul.patch @@ -0,0 +1,95 @@ +From e958b5884725dac86d36c1e7afe5a55f31feb0b2 Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Fri, 7 Jan 2022 15:47:06 -0600 +Subject: [PATCH] ASoC: xilinx: xlnx_formatter_pcm: Make buffer bytes multiple of period bytes +Git-commit: e958b5884725dac86d36c1e7afe5a55f31feb0b2 +Patch-mainline: v5.17-rc3 +References: git-fixes + +This patch is based on one in the Xilinx kernel tree, "ASoc: xlnx: Make +buffer bytes multiple of period bytes" by Devarsh Thakkar. The same +issue exists in the mainline version of the driver. The original +patch description is as follows: + +"The Xilinx Audio Formatter IP has a constraint on period +bytes to be multiple of 64. This leads to driver changing +the period size to suitable frames such that period bytes +are multiple of 64. + +Now since period bytes and period size are updated but not +the buffer bytes, this may make the buffer bytes unaligned +and not multiple of period bytes. + +When this happens we hear popping noise as while DMA is being +done the buffer bytes are not enough to complete DMA access +for last period of frame within the application buffer boundary. + +To avoid this, align buffer bytes too as multiple of 64, and +set another constraint to always enforce number of periods as +integer. Now since, there is already a rule in alsa core +to enforce Buffer size = Number of Periods * Period Size +this automatically aligns buffer bytes as multiple of period +bytes." + +Fixes: 6f6c3c36f091 ("ASoC: xlnx: add pcm formatter platform driver") +Cc: Devarsh Thakkar +Signed-off-by: Robert Hancock +Link: https://lore.kernel.org/r/20220107214711.1100162-2-robert.hancock@calian.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/xilinx/xlnx_formatter_pcm.c | 27 ++++++++++++++++++++++++--- + 1 file changed, 24 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/xilinx/xlnx_formatter_pcm.c b/sound/soc/xilinx/xlnx_formatter_pcm.c +index 91afea9d5de6..ce19a6058b27 100644 +--- a/sound/soc/xilinx/xlnx_formatter_pcm.c ++++ b/sound/soc/xilinx/xlnx_formatter_pcm.c +@@ -37,6 +37,7 @@ + #define XLNX_AUD_XFER_COUNT 0x28 + #define XLNX_AUD_CH_STS_START 0x2C + #define XLNX_BYTES_PER_CH 0x44 ++#define XLNX_AUD_ALIGN_BYTES 64 + + #define AUD_STS_IOC_IRQ_MASK BIT(31) + #define AUD_STS_CH_STS_MASK BIT(29) +@@ -368,12 +369,32 @@ static int xlnx_formatter_pcm_open(struct snd_soc_component *component, + snd_soc_set_runtime_hwparams(substream, &xlnx_pcm_hardware); + runtime->private_data = stream_data; + +- /* Resize the period size divisible by 64 */ ++ /* Resize the period bytes as divisible by 64 */ + err = snd_pcm_hw_constraint_step(runtime, 0, +- SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 64); ++ SNDRV_PCM_HW_PARAM_PERIOD_BYTES, ++ XLNX_AUD_ALIGN_BYTES); + if (err) { + dev_err(component->dev, +- "unable to set constraint on period bytes\n"); ++ "Unable to set constraint on period bytes\n"); ++ return err; ++ } ++ ++ /* Resize the buffer bytes as divisible by 64 */ ++ err = snd_pcm_hw_constraint_step(runtime, 0, ++ SNDRV_PCM_HW_PARAM_BUFFER_BYTES, ++ XLNX_AUD_ALIGN_BYTES); ++ if (err) { ++ dev_err(component->dev, ++ "Unable to set constraint on buffer bytes\n"); ++ return err; ++ } ++ ++ /* Set periods as integer multiple */ ++ err = snd_pcm_hw_constraint_integer(runtime, ++ SNDRV_PCM_HW_PARAM_PERIODS); ++ if (err < 0) { ++ dev_err(component->dev, ++ "Unable to set constraint on periods to be integer\n"); + return err; + } + +-- +2.31.1 + diff --git a/patches.suse/Bluetooth-refactor-malicious-adv-data-check.patch b/patches.suse/Bluetooth-refactor-malicious-adv-data-check.patch new file mode 100644 index 0000000..94b6642 --- /dev/null +++ b/patches.suse/Bluetooth-refactor-malicious-adv-data-check.patch @@ -0,0 +1,52 @@ +From 899663be5e75dc0174dc8bda0b5e6826edf0b29a Mon Sep 17 00:00:00 2001 +From: Brian Gix +Date: Wed, 24 Nov 2021 12:16:28 -0800 +Subject: [PATCH] Bluetooth: refactor malicious adv data check +Git-commit: 899663be5e75dc0174dc8bda0b5e6826edf0b29a +Patch-mainline: v5.17-rc1 +References: git-fixes + +Check for out-of-bound read was being performed at the end of while +num_reports loop, and would fill journal with false positives. Added +check to beginning of loop processing so that it doesn't get checked +after ptr has been advanced. + +Signed-off-by: Brian Gix +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + net/bluetooth/hci_event.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index efc5458b1345..dee4ef22fc88 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5920,6 +5920,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + struct hci_ev_le_advertising_info *ev = ptr; + s8 rssi; + ++ if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) { ++ bt_dev_err(hdev, "Malicious advertising data."); ++ break; ++ } ++ + if (ev->length <= HCI_MAX_AD_LENGTH && + ev->data + ev->length <= skb_tail_pointer(skb)) { + rssi = ev->data[ev->length]; +@@ -5931,11 +5936,6 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + } + + ptr += sizeof(*ev) + ev->length + 1; +- +- if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { +- bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); +- break; +- } + } + + hci_dev_unlock(hdev); +-- +2.31.1 + diff --git a/patches.suse/IB-cm-Avoid-a-loop-when-device-has-255-ports.patch b/patches.suse/IB-cm-Avoid-a-loop-when-device-has-255-ports.patch new file mode 100644 index 0000000..48fd679 --- /dev/null +++ b/patches.suse/IB-cm-Avoid-a-loop-when-device-has-255-ports.patch @@ -0,0 +1,66 @@ +From 131be26750379592f0dd6244b2a90bbb504a10bb Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Wed, 27 Jan 2021 17:00:08 +0200 +Subject: [PATCH 1/1] IB/cm: Avoid a loop when device has 255 ports +Git-commit: 131be26750379592f0dd6244b2a90bbb504a10bb +Patch-mainline: v5.12 +References: git-fixes + +When RDMA device has 255 ports, loop iterator i overflows. Due to which +cm_add_one() port iterator loops infinitely. Use core provided port +iterator to avoid the infinite loop. + +Fixes: a977049dacde ("[PATCH] IB: Add the kernel CM implementation") +Link: https://lore.kernel.org/r/20210127150010.1876121-9-leon@kernel.org +Signed-off-by: Mark Bloch +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/cm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c +index 98165589c8ab..be996dba040c 100644 +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -4333,7 +4333,7 @@ static int cm_add_one(struct ib_device *ib_device) + unsigned long flags; + int ret; + int count = 0; +- u8 i; ++ unsigned int i; + + cm_dev = kzalloc(struct_size(cm_dev, port, ib_device->phys_port_cnt), + GFP_KERNEL); +@@ -4345,7 +4345,7 @@ static int cm_add_one(struct ib_device *ib_device) + cm_dev->going_down = 0; + + set_bit(IB_MGMT_METHOD_SEND, reg_req.method_mask); +- for (i = 1; i <= ib_device->phys_port_cnt; i++) { ++ rdma_for_each_port (ib_device, i) { + if (!rdma_cap_ib_cm(ib_device, i)) + continue; + +@@ -4431,7 +4431,7 @@ static void cm_remove_one(struct ib_device *ib_device, void *client_data) + .clr_port_cap_mask = IB_PORT_CM_SUP + }; + unsigned long flags; +- int i; ++ unsigned int i; + + write_lock_irqsave(&cm.device_lock, flags); + list_del(&cm_dev->list); +@@ -4441,7 +4441,7 @@ static void cm_remove_one(struct ib_device *ib_device, void *client_data) + cm_dev->going_down = 1; + spin_unlock_irq(&cm.lock); + +- for (i = 1; i <= ib_device->phys_port_cnt; i++) { ++ rdma_for_each_port (ib_device, i) { + if (!rdma_cap_ib_cm(ib_device, i)) + continue; + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/IB-hfi1-Fix-error-return-code-in-parse_platform_conf.patch b/patches.suse/IB-hfi1-Fix-error-return-code-in-parse_platform_conf.patch new file mode 100644 index 0000000..e74bdb6 --- /dev/null +++ b/patches.suse/IB-hfi1-Fix-error-return-code-in-parse_platform_conf.patch @@ -0,0 +1,36 @@ +From 4c7d9c69adadfc31892c7e8e134deb3546552106 Mon Sep 17 00:00:00 2001 +From: Wang Wensheng +Date: Thu, 8 Apr 2021 11:31:40 +0000 +Subject: [PATCH 1/1] IB/hfi1: Fix error return code in parse_platform_config() +Git-commit: 4c7d9c69adadfc31892c7e8e134deb3546552106 +Patch-mainline: v5.13 +References: git-fixes + +Fix to return a negative error code from the error handling case instead +of 0, as done elsewhere in this function. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Link: https://lore.kernel.org/r/20210408113140.103032-1-wangwensheng4@huawei.com +Reported-by: Hulk Robot +Signed-off-by: Wang Wensheng +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hfi1/firmware.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/hfi1/firmware.c b/drivers/infiniband/hw/hfi1/firmware.c +index 0e83d4b61e46..2cf102b5abd4 100644 +--- a/drivers/infiniband/hw/hfi1/firmware.c ++++ b/drivers/infiniband/hw/hfi1/firmware.c +@@ -1916,6 +1916,7 @@ int parse_platform_config(struct hfi1_devdata *dd) + dd_dev_err(dd, "%s: Failed CRC check at offset %ld\n", + __func__, (ptr - + (u32 *)dd->platform_config.data)); ++ ret = -EINVAL; + goto bail; + } + /* Jump the CRC DWORD */ +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/IB-hfi1-Use-kzalloc-for-mmu_rb_handler-allocation.patch b/patches.suse/IB-hfi1-Use-kzalloc-for-mmu_rb_handler-allocation.patch new file mode 100644 index 0000000..23472a8 --- /dev/null +++ b/patches.suse/IB-hfi1-Use-kzalloc-for-mmu_rb_handler-allocation.patch @@ -0,0 +1,52 @@ +From ca5f72568e034e1295a7ae350b1f786fcbfb2848 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Mon, 29 Mar 2021 09:54:14 -0400 +Subject: [PATCH 1/1] IB/hfi1: Use kzalloc() for mmu_rb_handler allocation +Git-commit: ca5f72568e034e1295a7ae350b1f786fcbfb2848 +Patch-mainline: v5.13 +References: git-fixes + +The code currently assumes that the mmu_notifier struct +embedded in mmu_rb_handler only contains two fields. + +There are now extra fields: + +struct mmu_notifier { + struct hlist_node hlist; + const struct mmu_notifier_ops *ops; + struct mm_struct *mm; + struct rcu_head rcu; + unsigned int users; +}; + +Given that there in no init for the mmu_notifier, a kzalloc() should +be used to insure that any newly added fields are given a predictable +initial value of zero. + +Fixes: 06e0ffa69312 ("IB/hfi1: Re-factor MMU notification code") +Link: https://lore.kernel.org/r/1617026056-50483-9-git-send-email-dennis.dalessandro@cornelisnetworks.com +Reviewed-by: Adam Goldman +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hfi1/mmu_rb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/mmu_rb.c b/drivers/infiniband/hw/hfi1/mmu_rb.c +index f3fb28e3d5d7..d213f65d4cdd 100644 +--- a/drivers/infiniband/hw/hfi1/mmu_rb.c ++++ b/drivers/infiniband/hw/hfi1/mmu_rb.c +@@ -89,7 +89,7 @@ int hfi1_mmu_rb_register(void *ops_arg, + struct mmu_rb_handler *h; + int ret; + +- h = kmalloc(sizeof(*h), GFP_KERNEL); ++ h = kzalloc(sizeof(*h), GFP_KERNEL); + if (!h) + return -ENOMEM; + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/IB-isert-Fix-a-use-after-free-in-isert_connect_reque.patch b/patches.suse/IB-isert-Fix-a-use-after-free-in-isert_connect_reque.patch new file mode 100644 index 0000000..9886185 --- /dev/null +++ b/patches.suse/IB-isert-Fix-a-use-after-free-in-isert_connect_reque.patch @@ -0,0 +1,82 @@ +From adb76a520d068a54ee5ca82e756cf8e5a47363a4 Mon Sep 17 00:00:00 2001 +From: Lv Yunlong +Date: Mon, 22 Mar 2021 09:13:25 -0700 +Subject: [PATCH 1/1] IB/isert: Fix a use after free in isert_connect_request +Git-commit: adb76a520d068a54ee5ca82e756cf8e5a47363a4 +Patch-mainline: v5.13 +References: git-fixes + +The device is got by isert_device_get() with refcount is 1, and is +assigned to isert_conn by + isert_conn->device = device. + +When isert_create_qp() failed, device will be freed with +isert_device_put(). + +Later, the device is used in isert_free_login_buf(isert_conn) by the +isert_conn->device->ib_device statement. + +Free the device in the correct order. + +Fixes: ae9ea9ed38c9 ("iser-target: Split some logic in isert_connect_request to routines") +Link: https://lore.kernel.org/r/20210322161325.7491-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Lv Yunlong +Acked-by: Sagi Grimberg +Reviewed-by: Leon Romanovsky +Reviewed-by: Max Gurtovoy +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/ulp/isert/ib_isert.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index 7305ed8976c2..18266f07c58d 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -438,23 +438,23 @@ isert_connect_request(struct rdma_cm_id *cma_id, struct rdma_cm_event *event) + isert_init_conn(isert_conn); + isert_conn->cm_id = cma_id; + +- ret = isert_alloc_login_buf(isert_conn, cma_id->device); +- if (ret) +- goto out; +- + device = isert_device_get(cma_id); + if (IS_ERR(device)) { + ret = PTR_ERR(device); +- goto out_rsp_dma_map; ++ goto out; + } + isert_conn->device = device; + ++ ret = isert_alloc_login_buf(isert_conn, cma_id->device); ++ if (ret) ++ goto out_conn_dev; ++ + isert_set_nego_params(isert_conn, &event->param.conn); + + isert_conn->qp = isert_create_qp(isert_conn, cma_id); + if (IS_ERR(isert_conn->qp)) { + ret = PTR_ERR(isert_conn->qp); +- goto out_conn_dev; ++ goto out_rsp_dma_map; + } + + ret = isert_login_post_recv(isert_conn); +@@ -473,10 +473,10 @@ isert_connect_request(struct rdma_cm_id *cma_id, struct rdma_cm_event *event) + + out_destroy_qp: + isert_destroy_qp(isert_conn); +-out_conn_dev: +- isert_device_put(device); + out_rsp_dma_map: + isert_free_login_buf(isert_conn); ++out_conn_dev: ++ isert_device_put(device); + out: + kfree(isert_conn); + rdma_reject(cma_id, NULL, 0, IB_CM_REJ_CONSUMER_DEFINED); +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/IB-mlx4-Separate-tunnel-and-wire-bufs-parameters.patch b/patches.suse/IB-mlx4-Separate-tunnel-and-wire-bufs-parameters.patch new file mode 100644 index 0000000..89c13e5 --- /dev/null +++ b/patches.suse/IB-mlx4-Separate-tunnel-and-wire-bufs-parameters.patch @@ -0,0 +1,229 @@ +From 0ae207fb91a897780f0853864d80c48edec7f374 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Mon, 3 Aug 2020 08:19:38 +0200 +Subject: [PATCH 1/1] IB/mlx4: Separate tunnel and wire bufs parameters +Git-commit: 0ae207fb91a897780f0853864d80c48edec7f374 +Patch-mainline: v5.10 +References: git-fixes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Using CX-3 in virtualized mode, MAD packets are proxied through the PF +driver. The feed is N tunnel QPs, and what is received from the VFs is +multiplexed out on the wire QP. Since this is a many-to-one scenario, it +is better to have separate initialization parameters for the two usages. + +The number of wire and tunnel bufs are yanked up to 2K and 512 +respectively. With this set of parameters, a system consisting of eight +physical servers, each with eight VMs and 14 I/O servers (BM), can run +switch fail-over without seeing: + +mlx4_ib_demux_mad: failed sending GSI to slave 3 via tunnel qp (-11) + +or + +mlx4_ib_multiplex_mad: failed sending GSI to wire on behalf of slave 2 (-11) + +Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") +Link: https://lore.kernel.org/r/20200803061941.1139994-4-haakon.bugge@oracle.com +Signed-off-by: Håkon Bugge +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx4/mad.c | 44 +++++++++++++++------------- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 3 +- + 2 files changed, 26 insertions(+), 21 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index 932786b0689e..e1310820352e 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -1391,10 +1391,10 @@ int mlx4_ib_send_to_wire(struct mlx4_ib_dev *dev, int slave, u8 port, + + spin_lock(&sqp->tx_lock); + if (sqp->tx_ix_head - sqp->tx_ix_tail >= +- (MLX4_NUM_TUNNEL_BUFS - 1)) ++ (MLX4_NUM_WIRE_BUFS - 1)) + ret = -EAGAIN; + else +- wire_tx_ix = (++sqp->tx_ix_head) & (MLX4_NUM_TUNNEL_BUFS - 1); ++ wire_tx_ix = (++sqp->tx_ix_head) & (MLX4_NUM_WIRE_BUFS - 1); + spin_unlock(&sqp->tx_lock); + if (ret) + goto out; +@@ -1590,19 +1590,20 @@ static int mlx4_ib_alloc_pv_bufs(struct mlx4_ib_demux_pv_ctx *ctx, + int i; + struct mlx4_ib_demux_pv_qp *tun_qp; + int rx_buf_size, tx_buf_size; ++ const int nmbr_bufs = is_tun ? MLX4_NUM_TUNNEL_BUFS : MLX4_NUM_WIRE_BUFS; + + if (qp_type > IB_QPT_GSI) + return -EINVAL; + + tun_qp = &ctx->qp[qp_type]; + +- tun_qp->ring = kcalloc(MLX4_NUM_TUNNEL_BUFS, ++ tun_qp->ring = kcalloc(nmbr_bufs, + sizeof(struct mlx4_ib_buf), + GFP_KERNEL); + if (!tun_qp->ring) + return -ENOMEM; + +- tun_qp->tx_ring = kcalloc(MLX4_NUM_TUNNEL_BUFS, ++ tun_qp->tx_ring = kcalloc(nmbr_bufs, + sizeof (struct mlx4_ib_tun_tx_buf), + GFP_KERNEL); + if (!tun_qp->tx_ring) { +@@ -1619,7 +1620,7 @@ static int mlx4_ib_alloc_pv_bufs(struct mlx4_ib_demux_pv_ctx *ctx, + tx_buf_size = sizeof (struct mlx4_mad_snd_buf); + } + +- for (i = 0; i < MLX4_NUM_TUNNEL_BUFS; i++) { ++ for (i = 0; i < nmbr_bufs; i++) { + tun_qp->ring[i].addr = kmalloc(rx_buf_size, GFP_KERNEL); + if (!tun_qp->ring[i].addr) + goto err; +@@ -1633,7 +1634,7 @@ static int mlx4_ib_alloc_pv_bufs(struct mlx4_ib_demux_pv_ctx *ctx, + } + } + +- for (i = 0; i < MLX4_NUM_TUNNEL_BUFS; i++) { ++ for (i = 0; i < nmbr_bufs; i++) { + tun_qp->tx_ring[i].buf.addr = + kmalloc(tx_buf_size, GFP_KERNEL); + if (!tun_qp->tx_ring[i].buf.addr) +@@ -1664,7 +1665,7 @@ tx_err: + tx_buf_size, DMA_TO_DEVICE); + kfree(tun_qp->tx_ring[i].buf.addr); + } +- i = MLX4_NUM_TUNNEL_BUFS; ++ i = nmbr_bufs; + err: + while (i > 0) { + --i; +@@ -1685,6 +1686,7 @@ static void mlx4_ib_free_pv_qp_bufs(struct mlx4_ib_demux_pv_ctx *ctx, + int i; + struct mlx4_ib_demux_pv_qp *tun_qp; + int rx_buf_size, tx_buf_size; ++ const int nmbr_bufs = is_tun ? MLX4_NUM_TUNNEL_BUFS : MLX4_NUM_WIRE_BUFS; + + if (qp_type > IB_QPT_GSI) + return; +@@ -1699,13 +1701,13 @@ static void mlx4_ib_free_pv_qp_bufs(struct mlx4_ib_demux_pv_ctx *ctx, + } + + +- for (i = 0; i < MLX4_NUM_TUNNEL_BUFS; i++) { ++ for (i = 0; i < nmbr_bufs; i++) { + ib_dma_unmap_single(ctx->ib_dev, tun_qp->ring[i].map, + rx_buf_size, DMA_FROM_DEVICE); + kfree(tun_qp->ring[i].addr); + } + +- for (i = 0; i < MLX4_NUM_TUNNEL_BUFS; i++) { ++ for (i = 0; i < nmbr_bufs; i++) { + ib_dma_unmap_single(ctx->ib_dev, tun_qp->tx_ring[i].buf.map, + tx_buf_size, DMA_TO_DEVICE); + kfree(tun_qp->tx_ring[i].buf.addr); +@@ -1785,6 +1787,7 @@ static int create_pv_sqp(struct mlx4_ib_demux_pv_ctx *ctx, + struct mlx4_ib_qp_tunnel_init_attr qp_init_attr; + struct ib_qp_attr attr; + int qp_attr_mask_INIT; ++ const int nmbr_bufs = create_tun ? MLX4_NUM_TUNNEL_BUFS : MLX4_NUM_WIRE_BUFS; + + if (qp_type > IB_QPT_GSI) + return -EINVAL; +@@ -1795,8 +1798,8 @@ static int create_pv_sqp(struct mlx4_ib_demux_pv_ctx *ctx, + qp_init_attr.init_attr.send_cq = ctx->cq; + qp_init_attr.init_attr.recv_cq = ctx->cq; + qp_init_attr.init_attr.sq_sig_type = IB_SIGNAL_ALL_WR; +- qp_init_attr.init_attr.cap.max_send_wr = MLX4_NUM_TUNNEL_BUFS; +- qp_init_attr.init_attr.cap.max_recv_wr = MLX4_NUM_TUNNEL_BUFS; ++ qp_init_attr.init_attr.cap.max_send_wr = nmbr_bufs; ++ qp_init_attr.init_attr.cap.max_recv_wr = nmbr_bufs; + qp_init_attr.init_attr.cap.max_send_sge = 1; + qp_init_attr.init_attr.cap.max_recv_sge = 1; + if (create_tun) { +@@ -1858,7 +1861,7 @@ static int create_pv_sqp(struct mlx4_ib_demux_pv_ctx *ctx, + goto err_qp; + } + +- for (i = 0; i < MLX4_NUM_TUNNEL_BUFS; i++) { ++ for (i = 0; i < nmbr_bufs; i++) { + ret = mlx4_ib_post_pv_qp_buf(ctx, tun_qp, i); + if (ret) { + pr_err(" mlx4_ib_post_pv_buf error" +@@ -1894,8 +1897,8 @@ static void mlx4_ib_sqp_comp_worker(struct work_struct *work) + switch (wc.opcode) { + case IB_WC_SEND: + kfree(sqp->tx_ring[wc.wr_id & +- (MLX4_NUM_TUNNEL_BUFS - 1)].ah); +- sqp->tx_ring[wc.wr_id & (MLX4_NUM_TUNNEL_BUFS - 1)].ah ++ (MLX4_NUM_WIRE_BUFS - 1)].ah); ++ sqp->tx_ring[wc.wr_id & (MLX4_NUM_WIRE_BUFS - 1)].ah + = NULL; + spin_lock(&sqp->tx_lock); + sqp->tx_ix_tail++; +@@ -1904,13 +1907,13 @@ static void mlx4_ib_sqp_comp_worker(struct work_struct *work) + case IB_WC_RECV: + mad = (struct ib_mad *) &(((struct mlx4_mad_rcv_buf *) + (sqp->ring[wc.wr_id & +- (MLX4_NUM_TUNNEL_BUFS - 1)].addr))->payload); ++ (MLX4_NUM_WIRE_BUFS - 1)].addr))->payload); + grh = &(((struct mlx4_mad_rcv_buf *) + (sqp->ring[wc.wr_id & +- (MLX4_NUM_TUNNEL_BUFS - 1)].addr))->grh); ++ (MLX4_NUM_WIRE_BUFS - 1)].addr))->grh); + mlx4_ib_demux_mad(ctx->ib_dev, ctx->port, &wc, grh, mad); + if (mlx4_ib_post_pv_qp_buf(ctx, sqp, wc.wr_id & +- (MLX4_NUM_TUNNEL_BUFS - 1))) ++ (MLX4_NUM_WIRE_BUFS - 1))) + pr_err("Failed reposting SQP " + "buf:%lld\n", wc.wr_id); + break; +@@ -1923,8 +1926,8 @@ static void mlx4_ib_sqp_comp_worker(struct work_struct *work) + ctx->slave, wc.status, wc.wr_id); + if (!MLX4_TUN_IS_RECV(wc.wr_id)) { + kfree(sqp->tx_ring[wc.wr_id & +- (MLX4_NUM_TUNNEL_BUFS - 1)].ah); +- sqp->tx_ring[wc.wr_id & (MLX4_NUM_TUNNEL_BUFS - 1)].ah ++ (MLX4_NUM_WIRE_BUFS - 1)].ah); ++ sqp->tx_ring[wc.wr_id & (MLX4_NUM_WIRE_BUFS - 1)].ah + = NULL; + spin_lock(&sqp->tx_lock); + sqp->tx_ix_tail++; +@@ -1964,6 +1967,7 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port, + { + int ret, cq_size; + struct ib_cq_init_attr cq_attr = {}; ++ const int nmbr_bufs = create_tun ? MLX4_NUM_TUNNEL_BUFS : MLX4_NUM_WIRE_BUFS; + + if (ctx->state != DEMUX_PV_STATE_DOWN) + return -EEXIST; +@@ -1988,7 +1992,7 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port, + goto err_out_qp0; + } + +- cq_size = 2 * MLX4_NUM_TUNNEL_BUFS; ++ cq_size = 2 * nmbr_bufs; + if (ctx->has_smi) + cq_size *= 2; + +diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h +index 38e87a700a2a..db3cc61de0db 100644 +--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h ++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h +@@ -233,7 +233,8 @@ enum mlx4_ib_mad_ifc_flags { + }; + + enum { +- MLX4_NUM_TUNNEL_BUFS = 256, ++ MLX4_NUM_TUNNEL_BUFS = 512, ++ MLX4_NUM_WIRE_BUFS = 2048, + }; + + struct mlx4_ib_tunnel_header { +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/IB-mlx5-Add-missing-error-code.patch b/patches.suse/IB-mlx5-Add-missing-error-code.patch new file mode 100644 index 0000000..90aed3e --- /dev/null +++ b/patches.suse/IB-mlx5-Add-missing-error-code.patch @@ -0,0 +1,39 @@ +From 3a9b3d4536e0c25bd3906a28c1f584177e49dd0f Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 22 Feb 2021 20:23:43 +0800 +Subject: [PATCH 1/1] IB/mlx5: Add missing error code +Git-commit: 3a9b3d4536e0c25bd3906a28c1f584177e49dd0f +Patch-mainline: v5.12 +References: git-fixes + +Set err to -ENOMEM if kzalloc fails instead of 0. + +Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX") +Link: https://lore.kernel.org/r/20210222122343.19720-1-yuehaibing@huawei.com +Signed-off-by: YueHaibing +Acked-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/devx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c +index ebc2a4355fa5..de3c2fc6f361 100644 +--- a/drivers/infiniband/hw/mlx5/devx.c ++++ b/drivers/infiniband/hw/mlx5/devx.c +@@ -2073,8 +2073,10 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_DEVX_SUBSCRIBE_EVENT)( + + num_alloc_xa_entries++; + event_sub = kzalloc(sizeof(*event_sub), GFP_KERNEL); +- if (!event_sub) ++ if (!event_sub) { ++ err = -ENOMEM; + goto err; ++ } + + list_add_tail(&event_sub->event_list, &sub_list); + uverbs_uobject_get(&ev_file->uobj); +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/IB-mlx5-Add-mutex-destroy-call-to-cap_mask_mutex-mut.patch b/patches.suse/IB-mlx5-Add-mutex-destroy-call-to-cap_mask_mutex-mut.patch new file mode 100644 index 0000000..aac929c --- /dev/null +++ b/patches.suse/IB-mlx5-Add-mutex-destroy-call-to-cap_mask_mutex-mut.patch @@ -0,0 +1,60 @@ +From ab40530a2e0a7aca9a5187824c4fb072f3916e85 Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Wed, 13 Jan 2021 14:17:01 +0200 +Subject: [PATCH 1/1] IB/mlx5: Add mutex destroy call to cap_mask_mutex mutex +Git-commit: ab40530a2e0a7aca9a5187824c4fb072f3916e85 +Patch-mainline: v5.12 +References: git-fixes + +mutex_destroy() call for device's cap_mask_mutex mutex is missing, let's +add it to annotate destruction. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Link: https://lore.kernel.org/r/20210113121703.559778-4-leon@kernel.org +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/main.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index d26f3f3e0462..4747cc16b391 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -3929,7 +3929,7 @@ static void mlx5_ib_stage_init_cleanup(struct mlx5_ib_dev *dev) + mlx5_ib_cleanup_multiport_master(dev); + WARN_ON(!xa_empty(&dev->odp_mkeys)); + cleanup_srcu_struct(&dev->odp_srcu); +- ++ mutex_destroy(&dev->cap_mask_mutex); + WARN_ON(!xa_empty(&dev->sig_mrs)); + WARN_ON(!bitmap_empty(dev->dm.memic_alloc_pages, MLX5_MAX_MEMIC_PAGES)); + } +@@ -3980,6 +3980,10 @@ static int mlx5_ib_stage_init_init(struct mlx5_ib_dev *dev) + dev->ib_dev.dev.parent = mdev->device; + dev->ib_dev.lag_flags = RDMA_LAG_FLAGS_HASH_ALL_SLAVES; + ++ err = init_srcu_struct(&dev->odp_srcu); ++ if (err) ++ goto err_mp; ++ + mutex_init(&dev->cap_mask_mutex); + INIT_LIST_HEAD(&dev->qp_list); + spin_lock_init(&dev->reset_flow_resource_lock); +@@ -3989,11 +3993,6 @@ static int mlx5_ib_stage_init_init(struct mlx5_ib_dev *dev) + + spin_lock_init(&dev->dm.lock); + dev->dm.dev = mdev; +- +- err = init_srcu_struct(&dev->odp_srcu); +- if (err) +- goto err_mp; +- + return 0; + + err_mp: +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/IB-mlx5-Fix-error-unwinding-when-set_has_smi_cap-fai.patch b/patches.suse/IB-mlx5-Fix-error-unwinding-when-set_has_smi_cap-fai.patch new file mode 100644 index 0000000..8bd09de --- /dev/null +++ b/patches.suse/IB-mlx5-Fix-error-unwinding-when-set_has_smi_cap-fai.patch @@ -0,0 +1,37 @@ +From 2cb091f6293df898b47f4e0f2e54324e2bbaf816 Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Wed, 13 Jan 2021 14:17:00 +0200 +Subject: [PATCH 1/1] IB/mlx5: Fix error unwinding when set_has_smi_cap fails +Git-commit: 2cb091f6293df898b47f4e0f2e54324e2bbaf816 +Patch-mainline: v5.11 +References: git-fixes + +When set_has_smi_cap() fails, multiport master cleanup is missed. Fix it +by doing the correct error unwinding goto. + +Fixes: a989ea01cb10 ("RDMA/mlx5: Move SMI caps logic") +Link: https://lore.kernel.org/r/20210113121703.559778-3-leon@kernel.org +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 3bae9ba0ead8..fbe3b75f866b 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -3956,7 +3956,7 @@ static int mlx5_ib_stage_init_init(struct mlx5_ib_dev *dev) + + err = set_has_smi_cap(dev); + if (err) +- return err; ++ goto err_mp; + + if (!mlx5_core_mp_enabled(mdev)) { + for (i = 1; i <= dev->num_ports; i++) { +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/IB-mlx5-Return-appropriate-error-code-instead-of-ENO.patch b/patches.suse/IB-mlx5-Return-appropriate-error-code-instead-of-ENO.patch new file mode 100644 index 0000000..61f1394 --- /dev/null +++ b/patches.suse/IB-mlx5-Return-appropriate-error-code-instead-of-ENO.patch @@ -0,0 +1,38 @@ +From d286ac1d05210695c312b9018b3aa7c2048e9aca Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Wed, 27 Jan 2021 17:00:07 +0200 +Subject: [PATCH 1/1] IB/mlx5: Return appropriate error code instead of ENOMEM +Git-commit: d286ac1d05210695c312b9018b3aa7c2048e9aca +Patch-mainline: v5.12 +References: git-fixes + +When mlx5_ib_stage_init_init() fails, return the error code related to +failure instead of -ENOMEM. + +Fixes: 16c1975f1032 ("IB/mlx5: Create profile infrastructure to add and remove stages") +Link: https://lore.kernel.org/r/20210127150010.1876121-8-leon@kernel.org +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index ecbb8443b0ec..477c90bc5b0e 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -3998,8 +3998,7 @@ static int mlx5_ib_stage_init_init(struct mlx5_ib_dev *dev) + + err_mp: + mlx5_ib_cleanup_multiport_master(dev); +- +- return -ENOMEM; ++ return err; + } + + static int mlx5_ib_enable_driver(struct ib_device *dev) +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/IB-umad-Return-EIO-in-case-of-when-device-disassocia.patch b/patches.suse/IB-umad-Return-EIO-in-case-of-when-device-disassocia.patch new file mode 100644 index 0000000..f10710b --- /dev/null +++ b/patches.suse/IB-umad-Return-EIO-in-case-of-when-device-disassocia.patch @@ -0,0 +1,53 @@ +From 4fc5461823c9cad547a9bdfbf17d13f0da0d6bb5 Mon Sep 17 00:00:00 2001 +From: Shay Drory +Date: Mon, 25 Jan 2021 14:13:38 +0200 +Subject: [PATCH 1/1] IB/umad: Return EIO in case of when device disassociated +Git-commit: 4fc5461823c9cad547a9bdfbf17d13f0da0d6bb5 +Patch-mainline: v5.12 +References: git-fixes + +MAD message received by the user has EINVAL error in all flows +including when the device is disassociated. That makes it impossible +for the applications to treat such flow differently. + +Change it to return EIO, so the applications will be able to perform +disassociation recovery. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/20210125121339.837518-2-leon@kernel.org +Signed-off-by: Shay Drory +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/user_mad.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index 19104a675691..7ec1918431f7 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -379,6 +379,11 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, + + mutex_lock(&file->mutex); + ++ if (file->agents_dead) { ++ mutex_unlock(&file->mutex); ++ return -EIO; ++ } ++ + while (list_empty(&file->recv_list)) { + mutex_unlock(&file->mutex); + +@@ -524,7 +529,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + + agent = __get_agent(file, packet->mad.hdr.id); + if (!agent) { +- ret = -EINVAL; ++ ret = -EIO; + goto err_up; + } + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/IB-umad-Return-EPOLLERR-in-case-of-when-device-disas.patch b/patches.suse/IB-umad-Return-EPOLLERR-in-case-of-when-device-disas.patch new file mode 100644 index 0000000..e3c6f8a --- /dev/null +++ b/patches.suse/IB-umad-Return-EPOLLERR-in-case-of-when-device-disas.patch @@ -0,0 +1,66 @@ +From def4cd43f522253645b72c97181399c241b54536 Mon Sep 17 00:00:00 2001 +From: Shay Drory +Date: Mon, 25 Jan 2021 14:13:39 +0200 +Subject: [PATCH 1/1] IB/umad: Return EPOLLERR in case of when device +Git-commit: def4cd43f522253645b72c97181399c241b54536 +Patch-mainline: v5.12 +References: git-fixes + disassociated + +Currently, polling a umad device will always works, even if the device was +disassociated. A disassociated device should immediately return EPOLLERR +from poll(). Otherwise userspace is endlessly hung on poll() with no idea +that the device has been removed from the system. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/20210125121339.837518-3-leon@kernel.org +Signed-off-by: Shay Drory +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/user_mad.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index 7ec1918431f7..dd7f3b437c6b 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -397,6 +397,11 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, + mutex_lock(&file->mutex); + } + ++ if (file->agents_dead) { ++ mutex_unlock(&file->mutex); ++ return -EIO; ++ } ++ + packet = list_entry(file->recv_list.next, struct ib_umad_packet, list); + list_del(&packet->list); + +@@ -658,10 +663,14 @@ static __poll_t ib_umad_poll(struct file *filp, struct poll_table_struct *wait) + /* we will always be able to post a MAD send */ + __poll_t mask = EPOLLOUT | EPOLLWRNORM; + ++ mutex_lock(&file->mutex); + poll_wait(filp, &file->recv_wait, wait); + + if (!list_empty(&file->recv_list)) + mask |= EPOLLIN | EPOLLRDNORM; ++ if (file->agents_dead) ++ mask = EPOLLERR; ++ mutex_unlock(&file->mutex); + + return mask; + } +@@ -1341,6 +1350,7 @@ static void ib_umad_kill_port(struct ib_umad_port *port) + list_for_each_entry(file, &port->file_list, port_list) { + mutex_lock(&file->mutex); + file->agents_dead = 1; ++ wake_up_interruptible(&file->recv_wait); + mutex_unlock(&file->mutex); + + for (id = 0; id < IB_UMAD_MAX_AGENTS; ++id) +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/Input-wm97xx-Simplify-resource-management.patch b/patches.suse/Input-wm97xx-Simplify-resource-management.patch new file mode 100644 index 0000000..66f4916 --- /dev/null +++ b/patches.suse/Input-wm97xx-Simplify-resource-management.patch @@ -0,0 +1,65 @@ +From a4f399a1416f645ac701064a55b0cb5203707ac9 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sun, 30 Jan 2022 09:06:36 +0100 +Subject: [PATCH] Input: wm97xx: Simplify resource management +Git-commit: a4f399a1416f645ac701064a55b0cb5203707ac9 +Patch-mainline: v5.17-rc3 +References: git-fixes + +Since the commit in the Fixes tag below, 'wm->input_dev' is a managed +resource that doesn't need to be explicitly unregistered or freed (see +devm_input_allocate_device() documentation) + +So, remove some unless line of code to slightly simplify it. + +Fixes: c72f61e74073 ("Input: wm97xx: split out touchscreen registering") +Signed-off-by: Christophe JAILLET +Acked-by: Charles Keepax +Link: https://lore.kernel.org/r/87dce7e80ea9b191843fa22415ca3aef5f3cc2e6.1643529968.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/input/touchscreen/wm97xx-core.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/input/touchscreen/wm97xx-core.c b/drivers/input/touchscreen/wm97xx-core.c +index 78d2ee99f37a..1b58611c8084 100644 +--- a/drivers/input/touchscreen/wm97xx-core.c ++++ b/drivers/input/touchscreen/wm97xx-core.c +@@ -615,10 +615,9 @@ static int wm97xx_register_touch(struct wm97xx *wm) + * extensions) + */ + wm->touch_dev = platform_device_alloc("wm97xx-touch", -1); +- if (!wm->touch_dev) { +- ret = -ENOMEM; +- goto touch_err; +- } ++ if (!wm->touch_dev) ++ return -ENOMEM; ++ + platform_set_drvdata(wm->touch_dev, wm); + wm->touch_dev->dev.parent = wm->dev; + wm->touch_dev->dev.platform_data = pdata; +@@ -629,9 +628,6 @@ static int wm97xx_register_touch(struct wm97xx *wm) + return 0; + touch_reg_err: + platform_device_put(wm->touch_dev); +-touch_err: +- input_unregister_device(wm->input_dev); +- wm->input_dev = NULL; + + return ret; + } +@@ -639,8 +635,6 @@ static int wm97xx_register_touch(struct wm97xx *wm) + static void wm97xx_unregister_touch(struct wm97xx *wm) + { + platform_device_unregister(wm->touch_dev); +- input_unregister_device(wm->input_dev); +- wm->input_dev = NULL; + } + + static int _wm97xx_probe(struct wm97xx *wm) +-- +2.31.1 + diff --git a/patches.suse/NFS-Ensure-the-server-has-an-up-to-date-ctime-before.patch b/patches.suse/NFS-Ensure-the-server-has-an-up-to-date-ctime-before.patch new file mode 100644 index 0000000..649c575 --- /dev/null +++ b/patches.suse/NFS-Ensure-the-server-has-an-up-to-date-ctime-before.patch @@ -0,0 +1,32 @@ +From: Trond Myklebust +Date: Wed, 15 Dec 2021 16:38:16 -0500 +Subject: [PATCH] NFS: Ensure the server has an up to date ctime before + renaming +Git-commit: 6ff9d99bb88faebf134ca668842349d9718e5464 +Patch-mainline: v5.17 +References: git-fixes + +Renaming a file is required by POSIX to update the file ctime, so +ensure that the file data is synced to disk so that we don't clobber the +updated ctime by writing back after creating the hard link. + +Fixes: f2c2c552f119 ("NFS: Move delegation recall into the NFSv4 callback for rename_setup()") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Acked-by: NeilBrown + +--- + fs/nfs/dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2135,6 +2135,8 @@ int nfs_rename(struct inode *old_dir, st + } + } + ++ if (S_ISREG(old_inode->i_mode)) ++ nfs_sync_inode(old_inode); + task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry, NULL); + if (IS_ERR(task)) { + error = PTR_ERR(task); diff --git a/patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch b/patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch index a87c7dc..7800003 100644 --- a/patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch +++ b/patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch @@ -1,7 +1,8 @@ From: NeilBrown Date: Mon, 27 Sep 2021 14:09:03 +1000 Subject: [PATCH] NFS: don't store 'struct cred *' in struct nfs_access_entry -Patch-mainline: Submitted, 25sep2021 linux-nfs +Patch-mainline: v5.17-rc2 +Git-commit: 6238aec83f3fb12132f964937e5bbcf248fea8f9 References: bsc#1190746 Storing the 'struct cred *' in nfs_access_entry is problematic. diff --git a/patches.suse/NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch b/patches.suse/NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch new file mode 100644 index 0000000..f21923f --- /dev/null +++ b/patches.suse/NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch @@ -0,0 +1,46 @@ +From: Trond Myklebust +Date: Thu, 6 Jan 2022 18:24:02 -0500 +Subject: [PATCH] NFSv4: Handle case where the lookup of a directory fails +Git-commit: ac795161c93699d600db16c1a8cc23a65a1eceaf +Patch-mainline: v5.17 +References: git-fixes + +If the application sets the O_DIRECTORY flag, and tries to open a +regular file, nfs_atomic_open() will punt to doing a regular lookup. +If the server then returns a regular file, we will happily return a +file descriptor with uninitialised open state. + +The fix is to return the expected ENOTDIR error in these cases. + +Reported-by: Lyu Tao +Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Acked-by: NeilBrown + +--- + fs/nfs/dir.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1657,6 +1657,19 @@ out: + + no_open: + res = nfs_lookup(dir, dentry, lookup_flags); ++ if (!res) { ++ inode = d_inode(dentry); ++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode && ++ !S_ISDIR(inode->i_mode)) ++ res = ERR_PTR(-ENOTDIR); ++ } else if (!IS_ERR(res)) { ++ inode = d_inode(res); ++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode && ++ !S_ISDIR(inode->i_mode)) { ++ dput(res); ++ res = ERR_PTR(-ENOTDIR); ++ } ++ } + if (switched) { + d_lookup_done(dentry); + if (!res) diff --git a/patches.suse/NFSv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch b/patches.suse/NFSv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch new file mode 100644 index 0000000..f4d3736 --- /dev/null +++ b/patches.suse/NFSv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch @@ -0,0 +1,40 @@ +From: Trond Myklebust +Date: Thu, 6 Jan 2022 18:24:03 -0500 +Subject: [PATCH] NFSv4: nfs_atomic_open() can race when looking up a + non-regular file +Git-commit: 1751fc1db36f6f411709e143d5393f92d12137a9 +Patch-mainline: v5.17 +References: git-fixes + +If the file type changes back to being a regular file on the server +between the failed OPEN and our LOOKUP, then we need to re-run the OPEN. + +Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Acked-by: NeilBrown + +--- + fs/nfs/dir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1662,12 +1662,17 @@ no_open: + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) + res = ERR_PTR(-ENOTDIR); ++ else if (inode && S_ISREG(inode->i_mode)) ++ res = ERR_PTR(-EOPENSTALE); + } else if (!IS_ERR(res)) { + inode = d_inode(res); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) { + dput(res); + res = ERR_PTR(-ENOTDIR); ++ } else if (inode && S_ISREG(inode->i_mode)) { ++ dput(res); ++ res = ERR_PTR(-EOPENSTALE); + } + } + if (switched) { diff --git a/patches.suse/PM-wakeup-simplify-the-output-logic-of-pm_show_wakel.patch b/patches.suse/PM-wakeup-simplify-the-output-logic-of-pm_show_wakel.patch new file mode 100644 index 0000000..d7ff3ba --- /dev/null +++ b/patches.suse/PM-wakeup-simplify-the-output-logic-of-pm_show_wakel.patch @@ -0,0 +1,57 @@ +From c9d967b2ce40d71e968eb839f36c936b8a9cf1ea Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 13 Jan 2022 19:44:20 +0100 +Subject: [PATCH] PM: wakeup: simplify the output logic of pm_show_wakelocks() +Git-commit: c9d967b2ce40d71e968eb839f36c936b8a9cf1ea +Patch-mainline: v5.17-rc2 +References: git-fixes + +The buffer handling in pm_show_wakelocks() is tricky, and hopefully +correct. Ensure it really is correct by using sysfs_emit_at() which +handles all of the tricky string handling logic in a PAGE_SIZE buffer +for us automatically as this is a sysfs file being read from. + +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Lee Jones +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + kernel/power/wakelock.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c +index 105df4dfc783..52571dcad768 100644 +--- a/kernel/power/wakelock.c ++++ b/kernel/power/wakelock.c +@@ -39,23 +39,20 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active) + { + struct rb_node *node; + struct wakelock *wl; +- char *str = buf; +- char *end = buf + PAGE_SIZE; ++ int len = 0; + + mutex_lock(&wakelocks_lock); + + for (node = rb_first(&wakelocks_tree); node; node = rb_next(node)) { + wl = rb_entry(node, struct wakelock, node); + if (wl->ws->active == show_active) +- str += scnprintf(str, end - str, "%s ", wl->name); ++ len += sysfs_emit_at(buf, len, "%s ", wl->name); + } +- if (str > buf) +- str--; + +- str += scnprintf(str, end - str, "\n"); ++ len += sysfs_emit_at(buf, len, "\n"); + + mutex_unlock(&wakelocks_lock); +- return (str - buf); ++ return len; + } + + #if CONFIG_PM_WAKELOCKS_LIMIT > 0 +-- +2.31.1 + diff --git a/patches.suse/RDMA-addr-Be-strict-with-gid-size.patch b/patches.suse/RDMA-addr-Be-strict-with-gid-size.patch new file mode 100644 index 0000000..81cb412 --- /dev/null +++ b/patches.suse/RDMA-addr-Be-strict-with-gid-size.patch @@ -0,0 +1,40 @@ +From d1c803a9ccd7bd3aff5e989ccfb39ed3b799b975 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Mon, 5 Apr 2021 10:44:34 +0300 +Subject: [PATCH 1/1] RDMA/addr: Be strict with gid size +Git-commit: d1c803a9ccd7bd3aff5e989ccfb39ed3b799b975 +Patch-mainline: v5.12 +References: git-fixes + +The nla_len() is less than or equal to 16. If it's less than 16 then end +of the "gid" buffer is uninitialized. + +Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload") +Link: https://lore.kernel.org/r/20210405074434.264221-1-leon@kernel.org +Reported-by: Dan Carpenter +Signed-off-by: Mark Bloch +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/addr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c +index 0abce004a959..65e3e7df8a4b 100644 +--- a/drivers/infiniband/core/addr.c ++++ b/drivers/infiniband/core/addr.c +@@ -76,7 +76,9 @@ static struct workqueue_struct *addr_wq; + + static const struct nla_policy ib_nl_addr_policy[LS_NLA_TYPE_MAX] = { + [LS_NLA_TYPE_DGID] = {.type = NLA_BINARY, +- .len = sizeof(struct rdma_nla_ls_gid)}, ++ .len = sizeof(struct rdma_nla_ls_gid), ++ .validation_type = NLA_VALIDATE_MIN, ++ .min = sizeof(struct rdma_nla_ls_gid)}, + }; + + static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh) +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-bnxt_re-Fix-a-double-free-in-bnxt_qplib_alloc_r.patch b/patches.suse/RDMA-bnxt_re-Fix-a-double-free-in-bnxt_qplib_alloc_r.patch new file mode 100644 index 0000000..3ca9a25 --- /dev/null +++ b/patches.suse/RDMA-bnxt_re-Fix-a-double-free-in-bnxt_qplib_alloc_r.patch @@ -0,0 +1,44 @@ +From 34b39efa5ae82fc0ad0acc27653c12a56328dbbe Mon Sep 17 00:00:00 2001 +From: Lv Yunlong +Date: Mon, 26 Apr 2021 07:06:14 -0700 +Subject: [PATCH 1/1] RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res +Git-commit: 34b39efa5ae82fc0ad0acc27653c12a56328dbbe +Patch-mainline: v5.13 +References: git-fixes + +In bnxt_qplib_alloc_res, it calls bnxt_qplib_alloc_dpi_tbl(). Inside +bnxt_qplib_alloc_dpi_tbl, dpit->dbr_bar_reg_iomem is freed via +pci_iounmap() in unmap_io error branch. After the callee returns err code, +bnxt_qplib_alloc_res calls +bnxt_qplib_free_res()->bnxt_qplib_free_dpi_tbl() in the fail branch. Then +dpit->dbr_bar_reg_iomem is freed in the second time by pci_iounmap(). + +My patch set dpit->dbr_bar_reg_iomem to NULL after it is freed by +pci_iounmap() in the first time, to avoid the double free. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/20210426140614.6722-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Lv Yunlong +Reviewed-by: Leon Romanovsky +Acked-by: Devesh Sharma +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index fa7878336100..3ca47004b752 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -854,6 +854,7 @@ static int bnxt_qplib_alloc_dpi_tbl(struct bnxt_qplib_res *res, + + unmap_io: + pci_iounmap(res->pdev, dpit->dbr_bar_reg_iomem); ++ dpit->dbr_bar_reg_iomem = NULL; + return -ENOMEM; + } + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-bnxt_re-Fix-error-return-code-in-bnxt_qplib_cq_.patch b/patches.suse/RDMA-bnxt_re-Fix-error-return-code-in-bnxt_qplib_cq_.patch new file mode 100644 index 0000000..f3f3a32 --- /dev/null +++ b/patches.suse/RDMA-bnxt_re-Fix-error-return-code-in-bnxt_qplib_cq_.patch @@ -0,0 +1,37 @@ +From 22efb0a8d130c6379c1eb64cbace1542b27e37ff Mon Sep 17 00:00:00 2001 +From: Wang Wensheng +Date: Thu, 8 Apr 2021 11:31:37 +0000 +Subject: [PATCH 1/1] RDMA/bnxt_re: Fix error return code in +Git-commit: 22efb0a8d130c6379c1eb64cbace1542b27e37ff +Patch-mainline: v5.13 +References: git-fixes + bnxt_qplib_cq_process_terminal() + +Fix to return a negative error code from the error handling case instead +of 0, as done elsewhere in this function. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/20210408113137.97202-1-wangwensheng4@huawei.com +Reported-by: Hulk Robot +Signed-off-by: Wang Wensheng +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index 995d4633b0a1..d4d4959c2434 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -2784,6 +2784,7 @@ do_rq: + dev_err(&cq->hwq.pdev->dev, + "FP: CQ Processed terminal reported rq_cons_idx 0x%x exceeds max 0x%x\n", + cqe_cons, rq->max_wqe); ++ rc = -EINVAL; + goto done; + } + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-bnxt_re-Set-queue-pair-state-when-being-queried.patch b/patches.suse/RDMA-bnxt_re-Set-queue-pair-state-when-being-queried.patch new file mode 100644 index 0000000..a15caac --- /dev/null +++ b/patches.suse/RDMA-bnxt_re-Set-queue-pair-state-when-being-queried.patch @@ -0,0 +1,36 @@ +From 53839b51a7671eeb3fb44d479d541cf3a0f2dd45 Mon Sep 17 00:00:00 2001 +From: Kamal Heib +Date: Wed, 21 Oct 2020 14:49:52 +0300 +Subject: [PATCH 1/1] RDMA/bnxt_re: Set queue pair state when being queried +Git-commit: 53839b51a7671eeb3fb44d479d541cf3a0f2dd45 +Patch-mainline: v5.11 +References: git-fixes + +The API for ib_query_qp requires the driver to set cur_qp_state on return, +add the missing set. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/20201021114952.38876-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Acked-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index cf3db9628397..f9c999d5ba28 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -2078,6 +2078,7 @@ int bnxt_re_query_qp(struct ib_qp *ib_qp, struct ib_qp_attr *qp_attr, + goto out; + } + qp_attr->qp_state = __to_ib_qp_state(qplib_qp->state); ++ qp_attr->cur_qp_state = __to_ib_qp_state(qplib_qp->cur_qp_state); + qp_attr->en_sqd_async_notify = qplib_qp->en_sqd_async_notify ? 1 : 0; + qp_attr->qp_access_flags = __to_ib_access_flags(qplib_qp->access); + qp_attr->pkey_index = qplib_qp->pkey_index; +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-cm-Fix-an-attempt-to-use-non-valid-pointer-when.patch b/patches.suse/RDMA-cm-Fix-an-attempt-to-use-non-valid-pointer-when.patch new file mode 100644 index 0000000..663db16 --- /dev/null +++ b/patches.suse/RDMA-cm-Fix-an-attempt-to-use-non-valid-pointer-when.patch @@ -0,0 +1,74 @@ +From 340b940ea0ed12d9adbb8f72dea17d516b2019e8 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Fri, 4 Dec 2020 08:42:05 +0200 +Subject: [PATCH 1/1] RDMA/cm: Fix an attempt to use non-valid pointer when +Git-commit: 340b940ea0ed12d9adbb8f72dea17d516b2019e8 +Patch-mainline: v5.10 +References: git-fixes + +If cm_create_timewait_info() fails, the timewait_info pointer will contain +an error value and will be used in cm_remove_remote() later. + + general protection fault, probably for non-canonical address 0xdffffc0000000024: 0000 [#1] SMP KASAN PTI + KASAN: null-ptr-deref in range [0×0000000000000120-0×0000000000000127] + CPU: 2 PID: 12446 Comm: syz-executor.3 Not tainted 5.10.0-rc5-5d4c0742a60e #27 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:cm_remove_remote.isra.0+0x24/0×170 drivers/infiniband/core/cm.c:978 + Code: 84 00 00 00 00 00 41 54 55 53 48 89 fb 48 8d ab 2d 01 00 00 e8 7d bf 4b fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 48 89 ea 83 e2 07 38 d0 7f 08 84 c0 0f 85 fc 00 00 00 + RSP: 0018:ffff888013127918 EFLAGS: 00010006 + RAX: dffffc0000000000 RBX: fffffffffffffff4 RCX: ffffc9000a18b000 + RDX: 0000000000000024 RSI: ffffffff82edc573 RDI: fffffffffffffff4 + RBP: 0000000000000121 R08: 0000000000000001 R09: ffffed1002624f1d + R10: 0000000000000003 R11: ffffed1002624f1c R12: ffff888107760c70 + R13: ffff888107760c40 R14: fffffffffffffff4 R15: ffff888107760c9c + FS: 00007fe1ffcc1700(0000) GS:ffff88811a600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000001b2ff21000 CR3: 000000010f504001 CR4: 0000000000370ee0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + cm_destroy_id+0x189/0×15b0 drivers/infiniband/core/cm.c:1155 + cma_connect_ib drivers/infiniband/core/cma.c:4029 [inline] + rdma_connect_locked+0x1100/0×17c0 drivers/infiniband/core/cma.c:4107 + rdma_connect+0x2a/0×40 drivers/infiniband/core/cma.c:4140 + ucma_connect+0x277/0×340 drivers/infiniband/core/ucma.c:1069 + ucma_write+0x236/0×2f0 drivers/infiniband/core/ucma.c:1724 + vfs_write+0x220/0×830 fs/read_write.c:603 + ksys_write+0x1df/0×240 fs/read_write.c:658 + do_syscall_64+0x33/0×40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: a977049dacde ("[PATCH] IB: Add the kernel CM implementation") +Link: https://lore.kernel.org/r/20201204064205.145795-1-leon@kernel.org +Reviewed-by: Maor Gottlieb +Reported-by: Amit Matityahu +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/cm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c +index 012156624b82..5afd142fe8c7 100644 +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -1522,6 +1522,7 @@ int ib_send_cm_req(struct ib_cm_id *cm_id, + id.local_id); + if (IS_ERR(cm_id_priv->timewait_info)) { + ret = PTR_ERR(cm_id_priv->timewait_info); ++ cm_id_priv->timewait_info = NULL; + goto out; + } + +@@ -2114,6 +2115,7 @@ static int cm_req_handler(struct cm_work *work) + id.local_id); + if (IS_ERR(cm_id_priv->timewait_info)) { + ret = PTR_ERR(cm_id_priv->timewait_info); ++ cm_id_priv->timewait_info = NULL; + goto destroy; + } + cm_id_priv->timewait_info->work.remote_id = cm_id_priv->id.remote_id; +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-core-Do-not-indicate-device-ready-when-device-e.patch b/patches.suse/RDMA-core-Do-not-indicate-device-ready-when-device-e.patch new file mode 100644 index 0000000..77916b7 --- /dev/null +++ b/patches.suse/RDMA-core-Do-not-indicate-device-ready-when-device-e.patch @@ -0,0 +1,60 @@ +From 779e0bf47632c609c59f527f9711ecd3214dccb0 Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Tue, 8 Dec 2020 09:35:44 +0200 +Subject: [PATCH 1/1] RDMA/core: Do not indicate device ready when device +Git-commit: 779e0bf47632c609c59f527f9711ecd3214dccb0 +Patch-mainline: v5.11 +References: git-fixes + enablement fails + +In procedure ib_register_device, procedure kobject_uevent is called +(advertising that the device is ready for userspace usage) even when +device_enable_and_get() returned an error. + +As a result, various RDMA modules attempted to register for the device +even while the device driver was preparing to unregister the device. + +Fix this by advertising the device availability only after enabling the +device succeeds. + +Fixes: e7a5b4aafd82 ("RDMA/device: Don't fire uevent before device is fully initialized") +Link: https://lore.kernel.org/r/20201208073545.9723-3-leon@kernel.org +Suggested-by: Leon Romanovsky +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/device.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index 11485b8748a2..e96f979e6d52 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -1397,9 +1397,6 @@ int ib_register_device(struct ib_device *device, const char *name, + } + + ret = enable_device_and_get(device); +- dev_set_uevent_suppress(&device->dev, false); +- /* Mark for userspace that device is ready */ +- kobject_uevent(&device->dev.kobj, KOBJ_ADD); + if (ret) { + void (*dealloc_fn)(struct ib_device *); + +@@ -1419,8 +1416,12 @@ int ib_register_device(struct ib_device *device, const char *name, + ib_device_put(device); + __ib_unregister_device(device); + device->ops.dealloc_driver = dealloc_fn; ++ dev_set_uevent_suppress(&device->dev, false); + return ret; + } ++ dev_set_uevent_suppress(&device->dev, false); ++ /* Mark for userspace that device is ready */ ++ kobject_uevent(&device->dev.kobj, KOBJ_ADD); + ib_device_put(device); + + return 0; +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-core-Don-t-access-cm_id-after-its-destruction.patch b/patches.suse/RDMA-core-Don-t-access-cm_id-after-its-destruction.patch new file mode 100644 index 0000000..9bb1db0 --- /dev/null +++ b/patches.suse/RDMA-core-Don-t-access-cm_id-after-its-destruction.patch @@ -0,0 +1,97 @@ +From 889d916b6f8a48b8c9489fffcad3b78eedd01a51 Mon Sep 17 00:00:00 2001 +From: Shay Drory +Date: Tue, 11 May 2021 08:48:28 +0300 +Subject: [PATCH 1/1] RDMA/core: Don't access cm_id after its destruction +Git-commit: 889d916b6f8a48b8c9489fffcad3b78eedd01a51 +Patch-mainline: v5.13 +References: git-fixes + +restrack should only be attached to a cm_id while the ID has a valid +device pointer. It is set up when the device is first loaded, but not +cleared when the device is removed. There is also two copies of the device +pointer, one private and one in the public API, and these were left out of +sync. + +Make everything go to NULL together and manipulate restrack right around +the device assignments. + +Found by syzcaller: +BUG: KASAN: wild-memory-access in __list_del include/linux/list.h:112 [inline] +BUG: KASAN: wild-memory-access in __list_del_entry include/linux/list.h:135 [inline] +BUG: KASAN: wild-memory-access in list_del include/linux/list.h:146 [inline] +BUG: KASAN: wild-memory-access in cma_cancel_listens drivers/infiniband/core/cma.c:1767 [inline] +BUG: KASAN: wild-memory-access in cma_cancel_operation drivers/infiniband/core/cma.c:1795 [inline] +BUG: KASAN: wild-memory-access in cma_cancel_operation+0x1f4/0x4b0 drivers/infiniband/core/cma.c:1783 +Write of size 8 at addr dead000000000108 by task syz-executor716/334 + +CPU: 0 PID: 334 Comm: syz-executor716 Not tainted 5.11.0+ #271 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0xbe/0xf9 lib/dump_stack.c:120 + __kasan_report mm/kasan/report.c:400 [inline] + kasan_report.cold+0x5f/0xd5 mm/kasan/report.c:413 + __list_del include/linux/list.h:112 [inline] + __list_del_entry include/linux/list.h:135 [inline] + list_del include/linux/list.h:146 [inline] + cma_cancel_listens drivers/infiniband/core/cma.c:1767 [inline] + cma_cancel_operation drivers/infiniband/core/cma.c:1795 [inline] + cma_cancel_operation+0x1f4/0x4b0 drivers/infiniband/core/cma.c:1783 + _destroy_id+0x29/0x460 drivers/infiniband/core/cma.c:1862 + ucma_close_id+0x36/0x50 drivers/infiniband/core/ucma.c:185 + ucma_destroy_private_ctx+0x58d/0x5b0 drivers/infiniband/core/ucma.c:576 + ucma_close+0x91/0xd0 drivers/infiniband/core/ucma.c:1797 + __fput+0x169/0x540 fs/file_table.c:280 + task_work_run+0xb7/0x100 kernel/task_work.c:140 + exit_task_work include/linux/task_work.h:30 [inline] + do_exit+0x7da/0x17f0 kernel/exit.c:825 + do_group_exit+0x9e/0x190 kernel/exit.c:922 + __do_sys_exit_group kernel/exit.c:933 [inline] + __se_sys_exit_group kernel/exit.c:931 [inline] + __x64_sys_exit_group+0x2d/0x30 kernel/exit.c:931 + do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 255d0c14b375 ("RDMA/cma: rdma_bind_addr() leaks a cma_dev reference count") +Link: https://lore.kernel.org/r/3352ee288fe34f2b44220457a29bfc0548686363.1620711734.git.leonro@nvidia.com +Signed-off-by: Shay Drory +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/cma.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 2b9ffc21cbc4..ab148a696c0c 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -473,6 +473,7 @@ static void cma_release_dev(struct rdma_id_private *id_priv) + list_del(&id_priv->list); + cma_dev_put(id_priv->cma_dev); + id_priv->cma_dev = NULL; ++ id_priv->id.device = NULL; + if (id_priv->id.route.addr.dev_addr.sgid_attr) { + rdma_put_gid_attr(id_priv->id.route.addr.dev_addr.sgid_attr); + id_priv->id.route.addr.dev_addr.sgid_attr = NULL; +@@ -1860,6 +1861,7 @@ static void _destroy_id(struct rdma_id_private *id_priv, + iw_destroy_cm_id(id_priv->cm_id.iw); + } + cma_leave_mc_groups(id_priv); ++ rdma_restrack_del(&id_priv->res); + cma_release_dev(id_priv); + } + +@@ -3774,7 +3775,7 @@ int rdma_listen(struct rdma_cm_id *id, int backlog) + } + + id_priv->backlog = backlog; +- if (id->device) { ++ if (id_priv->cma_dev) { + if (rdma_cap_ib_cm(id->device, 1)) { + ret = cma_ib_listen(id_priv); + if (ret) +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-core-Fix-corrupted-SL-on-passive-side.patch b/patches.suse/RDMA-core-Fix-corrupted-SL-on-passive-side.patch new file mode 100644 index 0000000..4c3e712 --- /dev/null +++ b/patches.suse/RDMA-core-Fix-corrupted-SL-on-passive-side.patch @@ -0,0 +1,54 @@ +From 194f64a3cad3ab9e381e996a13089de3215d1887 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Mon, 22 Mar 2021 14:35:32 +0100 +Subject: [PATCH 1/1] RDMA/core: Fix corrupted SL on passive side +Git-commit: 194f64a3cad3ab9e381e996a13089de3215d1887 +Patch-mainline: v5.13 +References: git-fixes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On RoCE systems, a CM REQ contains a Primary Hop Limit > 1 and Primary +Subnet Local is zero. + +In cm_req_handler(), the cm_process_routed_req() function is called. Since +the Primary Subnet Local value is zero in the request, and since this is +RoCE (Primary Local LID is permissive), the following statement will be +executed: + + IBA_SET(CM_REQ_PRIMARY_SL, req_msg, wc->sl); + +This corrupts SL in req_msg if it was different from zero. In other words, +a request to setup a connection using an SL != zero, will not be honored, +and a connection using SL zero will be created instead. + +Fixed by not calling cm_process_routed_req() on RoCE systems, the +cm_process_route_req() is only for IB anyhow. + +Fixes: 3971c9f6dbf2 ("IB/cm: Add interim support for routed paths") +Link: https://lore.kernel.org/r/1616420132-31005-1-git-send-email-haakon.bugge@oracle.com +Signed-off-by: Håkon Bugge +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/cm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c +index 74ca5e67a113..32c836b7ae97 100644 +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -2138,7 +2138,8 @@ static int cm_req_handler(struct cm_work *work) + goto destroy; + } + +- cm_process_routed_req(req_msg, work->mad_recv_wc->wc); ++ if (cm_id_priv->av.ah_attr.type != RDMA_AH_ATTR_TYPE_ROCE) ++ cm_process_routed_req(req_msg, work->mad_recv_wc->wc); + + memset(&work->path[0], 0, sizeof(work->path[0])); + if (cm_req_has_alt_path(req_msg)) +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-core-Unify-RoCE-check-and-re-factor-code.patch b/patches.suse/RDMA-core-Unify-RoCE-check-and-re-factor-code.patch new file mode 100644 index 0000000..7966cae --- /dev/null +++ b/patches.suse/RDMA-core-Unify-RoCE-check-and-re-factor-code.patch @@ -0,0 +1,56 @@ +From 65d4801ae44e842cddca60278cfe299e1c2417c3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Tue, 6 Apr 2021 12:37:03 +0200 +Subject: [PATCH 1/1] RDMA/core: Unify RoCE check and re-factor code +Git-commit: 65d4801ae44e842cddca60278cfe299e1c2417c3 +Patch-mainline: v5.13 +References: git-fixes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In cm_req_handler(), unify the check for RoCE and re-factor to avoid +one test. + +Link: https://lore.kernel.org/r/1617705423-15570-1-git-send-email-haakon.bugge@oracle.com +Suggested-by: Jason Gunthorpe +Fixes: 8f9748602491 ("IB/cm: Reduce dependency on gid attribute ndev check") +Fixes: 194f64a3cad3 ("RDMA/core: Fix corrupted SL on passive side") +Signed-off-by: Håkon Bugge +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/cm.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c +index 1b884c4313f8..0ead0d223154 100644 +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -2138,21 +2138,17 @@ static int cm_req_handler(struct cm_work *work) + goto destroy; + } + +- if (cm_id_priv->av.ah_attr.type != RDMA_AH_ATTR_TYPE_ROCE) +- cm_process_routed_req(req_msg, work->mad_recv_wc->wc); +- + memset(&work->path[0], 0, sizeof(work->path[0])); + if (cm_req_has_alt_path(req_msg)) + memset(&work->path[1], 0, sizeof(work->path[1])); + grh = rdma_ah_read_grh(&cm_id_priv->av.ah_attr); + gid_attr = grh->sgid_attr; + +- if (gid_attr && +- rdma_protocol_roce(work->port->cm_dev->ib_device, +- work->port->port_num)) { ++ if (cm_id_priv->av.ah_attr.type == RDMA_AH_ATTR_TYPE_ROCE) { + work->path[0].rec_type = + sa_conv_gid_to_pathrec_type(gid_attr->gid_type); + } else { ++ cm_process_routed_req(req_msg, work->mad_recv_wc->wc); + cm_path_set_rec_type( + work->port->cm_dev->ib_device, work->port->port_num, + &work->path[0], +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-cxgb4-Fix-adapter-LE-hash-errors-while-destroyi.patch b/patches.suse/RDMA-cxgb4-Fix-adapter-LE-hash-errors-while-destroyi.patch new file mode 100644 index 0000000..70dfb3b --- /dev/null +++ b/patches.suse/RDMA-cxgb4-Fix-adapter-LE-hash-errors-while-destroyi.patch @@ -0,0 +1,47 @@ +From 3408be145a5d6418ff955fe5badde652be90e700 Mon Sep 17 00:00:00 2001 +From: Potnuri Bharat Teja +Date: Thu, 25 Mar 2021 00:34:53 +0530 +Subject: [PATCH 1/1] RDMA/cxgb4: Fix adapter LE hash errors while destroying +Git-commit: 3408be145a5d6418ff955fe5badde652be90e700 +Patch-mainline: v5.12 +References: git-fixes + ipv6 listening server + +Not setting the ipv6 bit while destroying ipv6 listening servers may +result in potential fatal adapter errors due to lookup engine memory hash +errors. Therefore always set ipv6 field while destroying ipv6 listening +servers. + +Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address") +Link: https://lore.kernel.org/r/20210324190453.8171-1-bharat@chelsio.com +Signed-off-by: Potnuri Bharat Teja +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/cxgb4/cm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index 8769e7aa097f..81903749d241 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -3610,13 +3610,13 @@ int c4iw_destroy_listen(struct iw_cm_id *cm_id) + ep->com.local_addr.ss_family == AF_INET) { + err = cxgb4_remove_server_filter( + ep->com.dev->rdev.lldi.ports[0], ep->stid, +- ep->com.dev->rdev.lldi.rxq_ids[0], 0); ++ ep->com.dev->rdev.lldi.rxq_ids[0], false); + } else { + struct sockaddr_in6 *sin6; + c4iw_init_wr_wait(ep->com.wr_waitp); + err = cxgb4_remove_server( + ep->com.dev->rdev.lldi.ports[0], ep->stid, +- ep->com.dev->rdev.lldi.rxq_ids[0], 0); ++ ep->com.dev->rdev.lldi.rxq_ids[0], true); + if (err) + goto done; + err = c4iw_wait_for_reply(&ep->com.dev->rdev, ep->com.wr_waitp, +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-cxgb4-Fix-the-reported-max_recv_sge-value.patch b/patches.suse/RDMA-cxgb4-Fix-the-reported-max_recv_sge-value.patch new file mode 100644 index 0000000..041c235 --- /dev/null +++ b/patches.suse/RDMA-cxgb4-Fix-the-reported-max_recv_sge-value.patch @@ -0,0 +1,38 @@ +From a372173bf314d374da4dd1155549d8ca7fc44709 Mon Sep 17 00:00:00 2001 +From: Kamal Heib +Date: Thu, 14 Jan 2021 21:14:23 +0200 +Subject: [PATCH 1/1] RDMA/cxgb4: Fix the reported max_recv_sge value +Git-commit: a372173bf314d374da4dd1155549d8ca7fc44709 +Patch-mainline: v5.11 +References: git-fixes + +The max_recv_sge value is wrongly reported when calling query_qp, This is +happening due to a typo when assigning the max_recv_sge value, the value +of sq_max_sges was assigned instead of rq_max_sges. + +Fixes: 3e5c02c9ef9a ("iw_cxgb4: Support query_qp() verb") +Link: https://lore.kernel.org/r/20210114191423.423529-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Reviewed-by: Potnuri Bharat Teja +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/cxgb4/qp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c +index a7401398cb34..d109bb3822a5 100644 +--- a/drivers/infiniband/hw/cxgb4/qp.c ++++ b/drivers/infiniband/hw/cxgb4/qp.c +@@ -2474,7 +2474,7 @@ int c4iw_ib_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, + init_attr->cap.max_send_wr = qhp->attr.sq_num_entries; + init_attr->cap.max_recv_wr = qhp->attr.rq_num_entries; + init_attr->cap.max_send_sge = qhp->attr.sq_max_sges; +- init_attr->cap.max_recv_sge = qhp->attr.sq_max_sges; ++ init_attr->cap.max_recv_sge = qhp->attr.rq_max_sges; + init_attr->cap.max_inline_data = T4_MAX_SEND_INLINE; + init_attr->sq_sig_type = qhp->sq_sig_all ? IB_SIGNAL_ALL_WR : 0; + return 0; +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-cxgb4-Validate-the-number-of-CQEs.patch b/patches.suse/RDMA-cxgb4-Validate-the-number-of-CQEs.patch new file mode 100644 index 0000000..847e253 --- /dev/null +++ b/patches.suse/RDMA-cxgb4-Validate-the-number-of-CQEs.patch @@ -0,0 +1,37 @@ +From 6d8285e604e0221b67bd5db736921b7ddce37d00 Mon Sep 17 00:00:00 2001 +From: Kamal Heib +Date: Sun, 8 Nov 2020 15:20:07 +0200 +Subject: [PATCH 1/1] RDMA/cxgb4: Validate the number of CQEs +Git-commit: 6d8285e604e0221b67bd5db736921b7ddce37d00 +Patch-mainline: v5.11 +References: git-fixes + +Before create CQ, make sure that the requested number of CQEs is in the +supported range. + +Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC") +Link: https://lore.kernel.org/r/20201108132007.67537-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/cxgb4/cq.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/cxgb4/cq.c b/drivers/infiniband/hw/cxgb4/cq.c +index 2cb65be24770..44c2416588d4 100644 +--- a/drivers/infiniband/hw/cxgb4/cq.c ++++ b/drivers/infiniband/hw/cxgb4/cq.c +@@ -1008,6 +1008,9 @@ int c4iw_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + if (attr->flags) + return -EINVAL; + ++ if (entries < 1 || entries > ibdev->attrs.max_cqe) ++ return -EINVAL; ++ + if (vector >= rhp->rdev.lldi.nciq) + return -EINVAL; + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-cxgb4-add-missing-qpid-increment.patch b/patches.suse/RDMA-cxgb4-add-missing-qpid-increment.patch new file mode 100644 index 0000000..6140d34 --- /dev/null +++ b/patches.suse/RDMA-cxgb4-add-missing-qpid-increment.patch @@ -0,0 +1,38 @@ +From 3a6684385928d00b29acac7658a5ae1f2a44494c Mon Sep 17 00:00:00 2001 +From: Potnuri Bharat Teja +Date: Thu, 15 Apr 2021 20:44:22 +0530 +Subject: [PATCH 1/1] RDMA/cxgb4: add missing qpid increment +Git-commit: 3a6684385928d00b29acac7658a5ae1f2a44494c +Patch-mainline: v5.13 +References: git-fixes + +missing qpid increment leads to skipping few qpids while allocating QP. +This eventually leads to adapter running out of qpids after establishing +fewer connections than it actually supports. +Current patch increments the qpid correctly. + +Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC") +Link: https://lore.kernel.org/r/20210415151422.9139-1-bharat@chelsio.com +Signed-off-by: Potnuri Bharat Teja +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/cxgb4/resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/cxgb4/resource.c b/drivers/infiniband/hw/cxgb4/resource.c +index 5c95c789f302..e800e8e8bed5 100644 +--- a/drivers/infiniband/hw/cxgb4/resource.c ++++ b/drivers/infiniband/hw/cxgb4/resource.c +@@ -216,7 +216,7 @@ u32 c4iw_get_qpid(struct c4iw_rdev *rdev, struct c4iw_dev_ucontext *uctx) + goto out; + entry->qid = qid; + list_add_tail(&entry->entry, &uctx->cqids); +- for (i = qid; i & rdev->qpmask; i++) { ++ for (i = qid + 1; i & rdev->qpmask; i++) { + entry = kmalloc(sizeof(*entry), GFP_KERNEL); + if (!entry) + goto out; +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-hns-Add-a-check-for-current-state-before-modify.patch b/patches.suse/RDMA-hns-Add-a-check-for-current-state-before-modify.patch new file mode 100644 index 0000000..87ed82c --- /dev/null +++ b/patches.suse/RDMA-hns-Add-a-check-for-current-state-before-modify.patch @@ -0,0 +1,45 @@ +From e0ef0f68c4c0d85b1eb63f38d5d10324361280e8 Mon Sep 17 00:00:00 2001 +From: Lang Cheng +Date: Tue, 25 Aug 2020 19:07:54 +0800 +Subject: [PATCH 1/1] RDMA/hns: Add a check for current state before modifying +Git-commit: e0ef0f68c4c0d85b1eb63f38d5d10324361280e8 +Patch-mainline: v5.10 +References: git-fixes + QP + +It should be considered an illegal operation if the ULP attempts to modify +a QP from another state to the current hardware state. Otherwise, the ULP +can modify some fields of QPC at any time. For example, for a QP in state +of RTS, modify it from RTR to RTS can change the PSN, which is always not +as expected. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Link: https://lore.kernel.org/r/1598353674-24270-1-git-send-email-liweihang@huawei.com +Signed-off-by: Lang Cheng +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hns/hns_roce_qp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c +index e94ca130ff5e..bb87e5fc7e63 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -1162,8 +1162,10 @@ int hns_roce_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, + + mutex_lock(&hr_qp->mutex); + +- cur_state = attr_mask & IB_QP_CUR_STATE ? +- attr->cur_qp_state : (enum ib_qp_state)hr_qp->state; ++ if (attr_mask & IB_QP_CUR_STATE && attr->cur_qp_state != hr_qp->state) ++ goto out; ++ ++ cur_state = hr_qp->state; + new_state = attr_mask & IB_QP_STATE ? attr->qp_state : cur_state; + + if (ibqp->uobject && +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-hns-Remove-the-portn-field-in-UD-SQ-WQE.patch b/patches.suse/RDMA-hns-Remove-the-portn-field-in-UD-SQ-WQE.patch new file mode 100644 index 0000000..b3645ed --- /dev/null +++ b/patches.suse/RDMA-hns-Remove-the-portn-field-in-UD-SQ-WQE.patch @@ -0,0 +1,50 @@ +From 148f904c6f94cbd9067008142268524a95320dde Mon Sep 17 00:00:00 2001 +From: Weihang Li +Date: Mon, 16 Nov 2020 19:33:25 +0800 +Subject: [PATCH 1/1] RDMA/hns: Remove the portn field in UD SQ WQE +Git-commit: 148f904c6f94cbd9067008142268524a95320dde +Patch-mainline: v5.11 +References: git-fixes + +This field in UD WQE in not used by hardware. + +Fixes: 7bdee4158b37 ("RDMA/hns: Fill sq wqe context of ud type in hip08") +Link: https://lore.kernel.org/r/1605526408-6936-5-git-send-email-liweihang@huawei.com +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 -- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 3 --- + 2 files changed, 5 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 438662826e3d..78993fec3fcd 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -491,8 +491,6 @@ static inline int set_ud_wqe(struct hns_roce_qp *qp, + V2_UD_SEND_WQE_BYTE_40_FLOW_LABEL_S, ah->av.flowlabel); + roce_set_field(ud_sq_wqe->byte_40, V2_UD_SEND_WQE_BYTE_40_SL_M, + V2_UD_SEND_WQE_BYTE_40_SL_S, ah->av.sl); +- roce_set_field(ud_sq_wqe->byte_40, V2_UD_SEND_WQE_BYTE_40_PORTN_M, +- V2_UD_SEND_WQE_BYTE_40_PORTN_S, qp->port); + + roce_set_bit(ud_sq_wqe->byte_40, V2_UD_SEND_WQE_BYTE_40_UD_VLAN_EN_S, + ah->av.vlan_en ? 1 : 0); +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index 1409d05a0fc1..146688809f78 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -1121,9 +1121,6 @@ struct hns_roce_v2_ud_send_wqe { + #define V2_UD_SEND_WQE_BYTE_40_SL_S 20 + #define V2_UD_SEND_WQE_BYTE_40_SL_M GENMASK(23, 20) + +-#define V2_UD_SEND_WQE_BYTE_40_PORTN_S 24 +-#define V2_UD_SEND_WQE_BYTE_40_PORTN_M GENMASK(26, 24) +- + #define V2_UD_SEND_WQE_BYTE_40_UD_VLAN_EN_S 30 + + #define V2_UD_SEND_WQE_BYTE_40_LBI_S 31 +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-hns-Remove-unnecessary-access-right-set-during-.patch b/patches.suse/RDMA-hns-Remove-unnecessary-access-right-set-during-.patch new file mode 100644 index 0000000..39cd94c --- /dev/null +++ b/patches.suse/RDMA-hns-Remove-unnecessary-access-right-set-during-.patch @@ -0,0 +1,91 @@ +From 29b52027ac354f2a0e5c4d17ca1b621a1644949d Mon Sep 17 00:00:00 2001 +From: Yixian Liu +Date: Fri, 11 Dec 2020 09:37:32 +0800 +Subject: [PATCH 1/1] RDMA/hns: Remove unnecessary access right set during +Git-commit: 29b52027ac354f2a0e5c4d17ca1b621a1644949d +Patch-mainline: v5.11 +References: git-fixes + INIT2INIT + +As the qp access right is checked and setted in common function +hns_roce_v2_set_opt_fields(), there is no need to set again for a special +case INIT2INIT. + +Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") +Fixes: 7db82697b8bf ("RDMA/hns: Add support for extended atomic in userspace") +Link: https://lore.kernel.org/r/1607650657-35992-7-git-send-email-liweihang@huawei.com +Signed-off-by: Yixian Liu +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 46 ---------------------- + 1 file changed, 46 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index b2b80528c3bb..6d80cda701dd 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -3641,7 +3641,6 @@ static void modify_qp_reset_to_init(struct ib_qp *ibqp, + + roce_set_bit(context->byte_172_sq_psn, V2_QPC_BYTE_172_FRE_S, 1); + +- hr_qp->access_flags = attr->qp_access_flags; + roce_set_field(context->byte_252_err_txcqn, V2_QPC_BYTE_252_TX_CQN_M, + V2_QPC_BYTE_252_TX_CQN_S, to_hr_cq(ibqp->send_cq)->cqn); + } +@@ -3664,51 +3663,6 @@ static void modify_qp_init_to_init(struct ib_qp *ibqp, + roce_set_field(qpc_mask->byte_4_sqpn_tst, V2_QPC_BYTE_4_TST_M, + V2_QPC_BYTE_4_TST_S, 0); + +- if (attr_mask & IB_QP_ACCESS_FLAGS) { +- roce_set_bit(context->byte_76_srqn_op_en, V2_QPC_BYTE_76_RRE_S, +- !!(attr->qp_access_flags & IB_ACCESS_REMOTE_READ)); +- roce_set_bit(qpc_mask->byte_76_srqn_op_en, V2_QPC_BYTE_76_RRE_S, +- 0); +- +- roce_set_bit(context->byte_76_srqn_op_en, V2_QPC_BYTE_76_RWE_S, +- !!(attr->qp_access_flags & +- IB_ACCESS_REMOTE_WRITE)); +- roce_set_bit(qpc_mask->byte_76_srqn_op_en, V2_QPC_BYTE_76_RWE_S, +- 0); +- +- roce_set_bit(context->byte_76_srqn_op_en, V2_QPC_BYTE_76_ATE_S, +- !!(attr->qp_access_flags & +- IB_ACCESS_REMOTE_ATOMIC)); +- roce_set_bit(qpc_mask->byte_76_srqn_op_en, V2_QPC_BYTE_76_ATE_S, +- 0); +- roce_set_bit(context->byte_76_srqn_op_en, +- V2_QPC_BYTE_76_EXT_ATE_S, +- !!(attr->qp_access_flags & +- IB_ACCESS_REMOTE_ATOMIC)); +- roce_set_bit(qpc_mask->byte_76_srqn_op_en, +- V2_QPC_BYTE_76_EXT_ATE_S, 0); +- } else { +- roce_set_bit(context->byte_76_srqn_op_en, V2_QPC_BYTE_76_RRE_S, +- !!(hr_qp->access_flags & IB_ACCESS_REMOTE_READ)); +- roce_set_bit(qpc_mask->byte_76_srqn_op_en, V2_QPC_BYTE_76_RRE_S, +- 0); +- +- roce_set_bit(context->byte_76_srqn_op_en, V2_QPC_BYTE_76_RWE_S, +- !!(hr_qp->access_flags & IB_ACCESS_REMOTE_WRITE)); +- roce_set_bit(qpc_mask->byte_76_srqn_op_en, V2_QPC_BYTE_76_RWE_S, +- 0); +- +- roce_set_bit(context->byte_76_srqn_op_en, V2_QPC_BYTE_76_ATE_S, +- !!(hr_qp->access_flags & IB_ACCESS_REMOTE_ATOMIC)); +- roce_set_bit(qpc_mask->byte_76_srqn_op_en, V2_QPC_BYTE_76_ATE_S, +- 0); +- roce_set_bit(context->byte_76_srqn_op_en, +- V2_QPC_BYTE_76_EXT_ATE_S, +- !!(hr_qp->access_flags & IB_ACCESS_REMOTE_ATOMIC)); +- roce_set_bit(qpc_mask->byte_76_srqn_op_en, +- V2_QPC_BYTE_76_EXT_ATE_S, 0); +- } +- + roce_set_field(context->byte_16_buf_ba_pg_sz, V2_QPC_BYTE_16_PD_M, + V2_QPC_BYTE_16_PD_S, to_hr_pd(ibqp->pd)->pdn); + roce_set_field(qpc_mask->byte_16_buf_ba_pg_sz, V2_QPC_BYTE_16_PD_M, +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-i40iw-Address-an-mmap-handler-exploit-in-i40iw.patch b/patches.suse/RDMA-i40iw-Address-an-mmap-handler-exploit-in-i40iw.patch new file mode 100644 index 0000000..ea642d2 --- /dev/null +++ b/patches.suse/RDMA-i40iw-Address-an-mmap-handler-exploit-in-i40iw.patch @@ -0,0 +1,111 @@ +From 2ed381439e89fa6d1a0839ef45ccd45d99d8e915 Mon Sep 17 00:00:00 2001 +From: Shiraz Saleem +Date: Tue, 24 Nov 2020 18:56:16 -0600 +Subject: [PATCH 1/1] RDMA/i40iw: Address an mmap handler exploit in i40iw +Git-commit: 2ed381439e89fa6d1a0839ef45ccd45d99d8e915 +Patch-mainline: v5.10 +References: git-fixes + +i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap +vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range +without any validation. This is vulnerable to an mmap exploit as described +in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@huawei.com + +The push feature is disabled in the driver currently and therefore no push +mmaps are issued from user-space. The feature does not work as expected in +the x722 product. + +Remove the push module parameter and all VMA attribute manipulations for +this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user +mmapings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound +to a single page. + +Cc: +Fixes: d37498417947 ("i40iw: add files for iwarp interface") +Link: https://lore.kernel.org/r/20201125005616.1800-2-shiraz.saleem@intel.com +Reported-by: Di Zhu +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/i40iw/i40iw_main.c | 5 --- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 37 +++++------------------ + 2 files changed, 7 insertions(+), 35 deletions(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw_main.c b/drivers/infiniband/hw/i40iw/i40iw_main.c +index 2408b279e4c2..584932d3cc44 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_main.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_main.c +@@ -54,10 +54,6 @@ + #define DRV_VERSION __stringify(DRV_VERSION_MAJOR) "." \ + __stringify(DRV_VERSION_MINOR) "." __stringify(DRV_VERSION_BUILD) + +-static int push_mode; +-module_param(push_mode, int, 0644); +-MODULE_PARM_DESC(push_mode, "Low latency mode: 0=disabled (default), 1=enabled)"); +- + static int debug; + module_param(debug, int, 0644); + MODULE_PARM_DESC(debug, "debug flags: 0=disabled (default), 0x7fffffff=all"); +@@ -1580,7 +1576,6 @@ static enum i40iw_status_code i40iw_setup_init_state(struct i40iw_handler *hdl, + if (status) + goto exit; + iwdev->obj_next = iwdev->obj_mem; +- iwdev->push_mode = push_mode; + + init_waitqueue_head(&iwdev->vchnl_waitq); + init_waitqueue_head(&dev->vf_reqs); +diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +index 581ecbadf586..533f3caecb7a 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -167,39 +167,16 @@ static void i40iw_dealloc_ucontext(struct ib_ucontext *context) + */ + static int i40iw_mmap(struct ib_ucontext *context, struct vm_area_struct *vma) + { +- struct i40iw_ucontext *ucontext; +- u64 db_addr_offset, push_offset, pfn; +- +- ucontext = to_ucontext(context); +- if (ucontext->iwdev->sc_dev.is_pf) { +- db_addr_offset = I40IW_DB_ADDR_OFFSET; +- push_offset = I40IW_PUSH_OFFSET; +- if (vma->vm_pgoff) +- vma->vm_pgoff += I40IW_PF_FIRST_PUSH_PAGE_INDEX - 1; +- } else { +- db_addr_offset = I40IW_VF_DB_ADDR_OFFSET; +- push_offset = I40IW_VF_PUSH_OFFSET; +- if (vma->vm_pgoff) +- vma->vm_pgoff += I40IW_VF_FIRST_PUSH_PAGE_INDEX - 1; +- } ++ struct i40iw_ucontext *ucontext = to_ucontext(context); ++ u64 dbaddr; + +- vma->vm_pgoff += db_addr_offset >> PAGE_SHIFT; +- +- if (vma->vm_pgoff == (db_addr_offset >> PAGE_SHIFT)) { +- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); +- } else { +- if ((vma->vm_pgoff - (push_offset >> PAGE_SHIFT)) % 2) +- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); +- else +- vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot); +- } ++ if (vma->vm_pgoff || vma->vm_end - vma->vm_start != PAGE_SIZE) ++ return -EINVAL; + +- pfn = vma->vm_pgoff + +- (pci_resource_start(ucontext->iwdev->ldev->pcidev, 0) >> +- PAGE_SHIFT); ++ dbaddr = I40IW_DB_ADDR_OFFSET + pci_resource_start(ucontext->iwdev->ldev->pcidev, 0); + +- return rdma_user_mmap_io(context, vma, pfn, PAGE_SIZE, +- vma->vm_page_prot, NULL); ++ return rdma_user_mmap_io(context, vma, dbaddr >> PAGE_SHIFT, PAGE_SIZE, ++ pgprot_noncached(vma->vm_page_prot), NULL); + } + + /** +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-i40iw-Fix-error-unwinding-when-i40iw_hmc_sd_one.patch b/patches.suse/RDMA-i40iw-Fix-error-unwinding-when-i40iw_hmc_sd_one.patch new file mode 100644 index 0000000..5ea3043 --- /dev/null +++ b/patches.suse/RDMA-i40iw-Fix-error-unwinding-when-i40iw_hmc_sd_one.patch @@ -0,0 +1,58 @@ +From 783a11bf2400e5d5c42a943c3083dc0330751842 Mon Sep 17 00:00:00 2001 +From: Sindhu Devale +Date: Thu, 15 Apr 2021 19:21:04 -0500 +Subject: [PATCH 1/1] RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one +Git-commit: 783a11bf2400e5d5c42a943c3083dc0330751842 +Patch-mainline: v5.13 +References: git-fixes + fails + +When i40iw_hmc_sd_one fails, chunk is freed without the deletion of chunk +entry in the PBLE info list. + +Fix it by adding the chunk entry to the PBLE info list only after +successful addition of SD in i40iw_hmc_sd_one. + +This fixes a static checker warning reported here: + https://lore.kernel.org/linux-rdma/YHV4CFXzqTm23AOZ@mwanda/ + +Fixes: 9715830157be ("i40iw: add pble resource files") +Link: https://lore.kernel.org/r/20210416002104.323-1-shiraz.saleem@intel.com +Reported-by: Dan Carpenter +Signed-off-by: Sindhu Devale +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/i40iw/i40iw_pble.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw_pble.c b/drivers/infiniband/hw/i40iw/i40iw_pble.c +index 53e5cd1a2bd6..146a4148219b 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_pble.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_pble.c +@@ -393,12 +393,9 @@ static enum i40iw_status_code add_pble_pool(struct i40iw_sc_dev *dev, + i40iw_debug(dev, I40IW_DEBUG_PBLE, "next_fpm_addr = %llx chunk_size[%u] = 0x%x\n", + pble_rsrc->next_fpm_addr, chunk->size, chunk->size); + pble_rsrc->unallocated_pble -= (chunk->size >> 3); +- list_add(&chunk->list, &pble_rsrc->pinfo.clist); + sd_reg_val = (sd_entry_type == I40IW_SD_TYPE_PAGED) ? + sd_entry->u.pd_table.pd_page_addr.pa : sd_entry->u.bp.addr.pa; +- if (sd_entry->valid) +- return 0; +- if (dev->is_pf) { ++ if (dev->is_pf && !sd_entry->valid) { + ret_code = i40iw_hmc_sd_one(dev, hmc_info->hmc_fn_id, + sd_reg_val, idx->sd_idx, + sd_entry->entry_type, true); +@@ -409,6 +406,7 @@ static enum i40iw_status_code add_pble_pool(struct i40iw_sc_dev *dev, + } + + sd_entry->valid = true; ++ list_add(&chunk->list, &pble_rsrc->pinfo.clist); + return 0; + error: + kfree(chunk); +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-mlx5-Fix-corruption-of-reg_pages-in-mlx5_ib_rer.patch b/patches.suse/RDMA-mlx5-Fix-corruption-of-reg_pages-in-mlx5_ib_rer.patch new file mode 100644 index 0000000..f600ec7 --- /dev/null +++ b/patches.suse/RDMA-mlx5-Fix-corruption-of-reg_pages-in-mlx5_ib_rer.patch @@ -0,0 +1,106 @@ +From fc3325701a6353594083f08e297d4c1965c601aa Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Mon, 26 Oct 2020 15:19:31 +0200 +Subject: [PATCH 1/1] RDMA/mlx5: Fix corruption of reg_pages in +Git-commit: fc3325701a6353594083f08e297d4c1965c601aa +Patch-mainline: v5.11 +References: git-fixes + +reg_pages should always contain mr->npage since when the mr is finally +de-reg'd it is always subtracted out. + +If there were any error exits then mlx5_ib_rereg_user_mr() would leave the +reg_pages adjusted and this will cause it to be double subtracted +eventually. + +The manipulation of reg_pages is inherently connected to the umem, so lift +it out of set_mr_fields() and only adjust it around creating/destroying a +umem. + +reg_pages is only used for diagnostics in sysfs. + +Fixes: 7d0cc6edcc70 ("IB/mlx5: Add MR cache for large UMR regions") +Link: https://lore.kernel.org/r/20201026131936.1335664-3-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/mr.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 50bbd07b9747..f3a28119d145 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -1248,10 +1248,8 @@ err_1: + } + + static void set_mr_fields(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr, +- int npages, u64 length, int access_flags) ++ u64 length, int access_flags) + { +- mr->npages = npages; +- atomic_add(npages, &dev->mdev->priv.reg_pages); + mr->ibmr.lkey = mr->mmkey.key; + mr->ibmr.rkey = mr->mmkey.key; + mr->ibmr.length = length; +@@ -1291,8 +1289,7 @@ static struct ib_mr *mlx5_ib_get_dm_mr(struct ib_pd *pd, u64 start_addr, + + kfree(in); + +- mr->umem = NULL; +- set_mr_fields(dev, mr, 0, length, acc); ++ set_mr_fields(dev, mr, length, acc); + + return &mr->ibmr; + +@@ -1420,7 +1417,9 @@ struct ib_mr *mlx5_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + mlx5_ib_dbg(dev, "mkey 0x%x\n", mr->mmkey.key); + + mr->umem = umem; +- set_mr_fields(dev, mr, npages, length, access_flags); ++ mr->npages = npages; ++ atomic_add(mr->npages, &dev->mdev->priv.reg_pages); ++ set_mr_fields(dev, mr, length, access_flags); + + if (use_umr) { + int update_xlt_flags = MLX5_IB_UPD_XLT_ENABLE; +@@ -1524,8 +1523,6 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *ib_mr, int flags, u64 start, + mlx5_ib_dbg(dev, "start 0x%llx, virt_addr 0x%llx, length 0x%llx, access_flags 0x%x\n", + start, virt_addr, length, access_flags); + +- atomic_sub(mr->npages, &dev->mdev->priv.reg_pages); +- + if (!mr->umem) + return -EINVAL; + +@@ -1554,12 +1551,17 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *ib_mr, int flags, u64 start, + * used. + */ + flags |= IB_MR_REREG_TRANS; ++ atomic_sub(mr->npages, &dev->mdev->priv.reg_pages); ++ mr->npages = 0; + ib_umem_release(mr->umem); + mr->umem = NULL; ++ + err = mr_umem_get(dev, addr, len, access_flags, &mr->umem, + &npages, &page_shift, &ncont, &order); + if (err) + goto err; ++ mr->npages = ncont; ++ atomic_add(mr->npages, &dev->mdev->priv.reg_pages); + } + + if (!mlx5_ib_can_use_umr(dev, true, access_flags) || +@@ -1610,7 +1612,7 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *ib_mr, int flags, u64 start, + goto err; + } + +- set_mr_fields(dev, mr, npages, len, access_flags); ++ set_mr_fields(dev, mr, len, access_flags); + + return 0; + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-mlx5-Fix-potential-race-between-destroy-and-CQE.patch b/patches.suse/RDMA-mlx5-Fix-potential-race-between-destroy-and-CQE.patch new file mode 100644 index 0000000..b79a0dc --- /dev/null +++ b/patches.suse/RDMA-mlx5-Fix-potential-race-between-destroy-and-CQE.patch @@ -0,0 +1,47 @@ +From 4b916ed9f9e85f705213ca8d69771d3c1cd6ee5a Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Sun, 30 Aug 2020 11:40:04 +0300 +Subject: [PATCH 1/1] RDMA/mlx5: Fix potential race between destroy and CQE +Git-commit: 4b916ed9f9e85f705213ca8d69771d3c1cd6ee5a +Patch-mainline: v5.10 +References: git-fixes + poll + +The SRQ can be destroyed right before mlx5_cmd_get_srq is called. +In such case the latter will return NULL instead of expected SRQ. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Link: https://lore.kernel.org/r/20200830084010.102381-5-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/cq.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index dceb0eb2bed1..b318bde2e565 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -168,7 +168,7 @@ static void handle_responder(struct ib_wc *wc, struct mlx5_cqe64 *cqe, + { + enum rdma_link_layer ll = rdma_port_get_link_layer(qp->ibqp.device, 1); + struct mlx5_ib_dev *dev = to_mdev(qp->ibqp.device); +- struct mlx5_ib_srq *srq; ++ struct mlx5_ib_srq *srq = NULL; + struct mlx5_ib_wq *wq; + u16 wqe_ctr; + u8 roce_packet_type; +@@ -180,7 +180,8 @@ static void handle_responder(struct ib_wc *wc, struct mlx5_cqe64 *cqe, + + if (qp->ibqp.xrcd) { + msrq = mlx5_cmd_get_srq(dev, be32_to_cpu(cqe->srqn)); +- srq = to_mibsrq(msrq); ++ if (msrq) ++ srq = to_mibsrq(msrq); + } else { + srq = to_msrq(qp->ibqp.srq); + } +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-mlx5-Fix-query-DCT-via-DEVX.patch b/patches.suse/RDMA-mlx5-Fix-query-DCT-via-DEVX.patch new file mode 100644 index 0000000..7bac576 --- /dev/null +++ b/patches.suse/RDMA-mlx5-Fix-query-DCT-via-DEVX.patch @@ -0,0 +1,53 @@ +From cfa3b797118eda7d68f9ede9b1a0279192aca653 Mon Sep 17 00:00:00 2001 +From: Maor Gottlieb +Date: Wed, 19 May 2021 11:41:32 +0300 +Subject: [PATCH 1/1] RDMA/mlx5: Fix query DCT via DEVX +Git-commit: cfa3b797118eda7d68f9ede9b1a0279192aca653 +Patch-mainline: v5.13 +References: git-fixes + +When executing DEVX command to query QP object, we need to take the QP +type from the mlx5_ib_qp struct which hold the driver specific QP types as +well, such as DC. + +Fixes: 34613eb1d2ad ("IB/mlx5: Enable modify and query verbs objects via DEVX") +Link: https://lore.kernel.org/r/6eee15d63f09bb70787488e0cf96216e2957f5aa.1621413654.git.leonro@nvidia.com +Reviewed-by: Yishai Hadas +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/devx.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c +index a0b677accd96..eb9b0a2707f8 100644 +--- a/drivers/infiniband/hw/mlx5/devx.c ++++ b/drivers/infiniband/hw/mlx5/devx.c +@@ -630,9 +630,8 @@ static bool devx_is_valid_obj_id(struct uverbs_attr_bundle *attrs, + case UVERBS_OBJECT_QP: + { + struct mlx5_ib_qp *qp = to_mqp(uobj->object); +- enum ib_qp_type qp_type = qp->ibqp.qp_type; + +- if (qp_type == IB_QPT_RAW_PACKET || ++ if (qp->type == IB_QPT_RAW_PACKET || + (qp->flags & IB_QP_CREATE_SOURCE_QPN)) { + struct mlx5_ib_raw_packet_qp *raw_packet_qp = + &qp->raw_packet_qp; +@@ -649,10 +648,9 @@ static bool devx_is_valid_obj_id(struct uverbs_attr_bundle *attrs, + sq->tisn) == obj_id); + } + +- if (qp_type == MLX5_IB_QPT_DCT) ++ if (qp->type == MLX5_IB_QPT_DCT) + return get_enc_obj_id(MLX5_CMD_OP_CREATE_DCT, + qp->dct.mdct.mqp.qpn) == obj_id; +- + return get_enc_obj_id(MLX5_CMD_OP_CREATE_QP, + qp->ibqp.qp_num) == obj_id; + } +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-mlx5-Fix-type-warning-of-sizeof-in-__mlx5_ib_al.patch b/patches.suse/RDMA-mlx5-Fix-type-warning-of-sizeof-in-__mlx5_ib_al.patch new file mode 100644 index 0000000..9f8e665 --- /dev/null +++ b/patches.suse/RDMA-mlx5-Fix-type-warning-of-sizeof-in-__mlx5_ib_al.patch @@ -0,0 +1,43 @@ +From b942fc0319a72b83146b79619eb578e989062911 Mon Sep 17 00:00:00 2001 +From: Liu Shixin +Date: Thu, 17 Sep 2020 16:13:54 +0800 +Subject: [PATCH 1/1] RDMA/mlx5: Fix type warning of sizeof in +Git-commit: b942fc0319a72b83146b79619eb578e989062911 +Patch-mainline: v5.10 +References: git-fixes + +sizeof() when applied to a pointer typed expression should give the size +of the pointed data, even if the data is a pointer. + +Fixes: e1f24a79f424 ("IB/mlx5: Support congestion related counters") +Link: https://lore.kernel.org/r/20200917081354.2083293-1-liushixin2@huawei.com +Signed-off-by: Liu Shixin +Acked-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/counters.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c +index 8d77fea0eb48..70c8fd67ee2f 100644 +--- a/drivers/infiniband/hw/mlx5/counters.c ++++ b/drivers/infiniband/hw/mlx5/counters.c +@@ -457,12 +457,12 @@ static int __mlx5_ib_alloc_counters(struct mlx5_ib_dev *dev, + cnts->num_ext_ppcnt_counters = ARRAY_SIZE(ext_ppcnt_cnts); + num_counters += ARRAY_SIZE(ext_ppcnt_cnts); + } +- cnts->names = kcalloc(num_counters, sizeof(cnts->names), GFP_KERNEL); ++ cnts->names = kcalloc(num_counters, sizeof(*cnts->names), GFP_KERNEL); + if (!cnts->names) + return -ENOMEM; + + cnts->offsets = kcalloc(num_counters, +- sizeof(cnts->offsets), GFP_KERNEL); ++ sizeof(*cnts->offsets), GFP_KERNEL); + if (!cnts->offsets) + goto err_names; + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-mlx5-Fix-wrong-free-of-blue-flame-register-on-e.patch b/patches.suse/RDMA-mlx5-Fix-wrong-free-of-blue-flame-register-on-e.patch new file mode 100644 index 0000000..a43c5e4 --- /dev/null +++ b/patches.suse/RDMA-mlx5-Fix-wrong-free-of-blue-flame-register-on-e.patch @@ -0,0 +1,39 @@ +From 1c3aa6bd0b823105c2030af85d92d158e815d669 Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Wed, 13 Jan 2021 14:17:03 +0200 +Subject: [PATCH 1/1] RDMA/mlx5: Fix wrong free of blue flame register on error +Git-commit: 1c3aa6bd0b823105c2030af85d92d158e815d669 +Patch-mainline: v5.11 +References: git-fixes + +If the allocation of the fast path blue flame register fails, the driver +should free the regular blue flame register allocated a statement above, +not the one that it just failed to allocate. + +Fixes: 16c1975f1032 ("IB/mlx5: Create profile infrastructure to add and remove stages") +Link: https://lore.kernel.org/r/20210113121703.559778-6-leon@kernel.org +Reported-by: Hans Petter Selasky +Signed-off-by: Mark Bloch +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index fbe3b75f866b..d26f3f3e0462 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -4319,7 +4319,7 @@ static int mlx5_ib_stage_bfrag_init(struct mlx5_ib_dev *dev) + + err = mlx5_alloc_bfreg(dev->mdev, &dev->fp_bfreg, false, true); + if (err) +- mlx5_free_bfreg(dev->mdev, &dev->fp_bfreg); ++ mlx5_free_bfreg(dev->mdev, &dev->bfreg); + + return err; + } +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-mlx5-Issue-FW-command-to-destroy-SRQ-on-reentry.patch b/patches.suse/RDMA-mlx5-Issue-FW-command-to-destroy-SRQ-on-reentry.patch new file mode 100644 index 0000000..c9ef824 --- /dev/null +++ b/patches.suse/RDMA-mlx5-Issue-FW-command-to-destroy-SRQ-on-reentry.patch @@ -0,0 +1,57 @@ +From fd89099d635e67f22c3eda263bef1f27f9d5dcb5 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Mon, 7 Sep 2020 15:09:15 +0300 +Subject: [PATCH 1/1] RDMA/mlx5: Issue FW command to destroy SRQ on reentry +Git-commit: fd89099d635e67f22c3eda263bef1f27f9d5dcb5 +Patch-mainline: v5.10 +References: git-fixes + +The HW release can fail and leave the system in limbo state, where SRQ is +removed from the table, but can't be destroyed later. In every reentry, +the initial xa_erase_irq() check will fail. + +Rewrite the erase logic to keep index, but don't store the entry +itself. By doing it, we can safely reinsert entry back in the case of +destroy failure. + +Link: https://lore.kernel.org/r/20200907120921.476363-4-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/srq_cmd.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/srq_cmd.c b/drivers/infiniband/hw/mlx5/srq_cmd.c +index 37aaacebd3f2..c53acbc63d0b 100644 +--- a/drivers/infiniband/hw/mlx5/srq_cmd.c ++++ b/drivers/infiniband/hw/mlx5/srq_cmd.c +@@ -596,13 +596,22 @@ void mlx5_cmd_destroy_srq(struct mlx5_ib_dev *dev, struct mlx5_core_srq *srq) + struct mlx5_core_srq *tmp; + int err; + +- tmp = xa_erase_irq(&table->array, srq->srqn); +- if (!tmp || tmp != srq) ++ /* Delete entry, but leave index occupied */ ++ tmp = xa_cmpxchg_irq(&table->array, srq->srqn, srq, XA_ZERO_ENTRY, 0); ++ if (WARN_ON(tmp != srq)) + return; + + err = destroy_srq_split(dev, srq); +- if (err) ++ if (err) { ++ /* ++ * We don't need to check returned result for an error, ++ * because we are storing in pre-allocated space xarray ++ * entry and it can't fail at this stage. ++ */ ++ xa_cmpxchg_irq(&table->array, srq->srqn, XA_ZERO_ENTRY, srq, 0); + return; ++ } ++ xa_erase_irq(&table->array, srq->srqn); + + mlx5_core_res_put(&srq->common); + wait_for_completion(&srq->common.free); +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-mlx5-Recover-from-fatal-event-in-dual-port-mode.patch b/patches.suse/RDMA-mlx5-Recover-from-fatal-event-in-dual-port-mode.patch new file mode 100644 index 0000000..7079cb4 --- /dev/null +++ b/patches.suse/RDMA-mlx5-Recover-from-fatal-event-in-dual-port-mode.patch @@ -0,0 +1,37 @@ +From 97f30d324ce6645a4de4ffb71e4ae9b8ca36ff04 Mon Sep 17 00:00:00 2001 +From: Maor Gottlieb +Date: Tue, 11 May 2021 08:48:29 +0300 +Subject: [PATCH 1/1] RDMA/mlx5: Recover from fatal event in dual port mode +Git-commit: 97f30d324ce6645a4de4ffb71e4ae9b8ca36ff04 +Patch-mainline: v5.13 +References: git-fixes + +When there is fatal event on the slave port, the device is marked as not +active. We need to mark it as active again when the slave is recovered to +regain full functionality. + +Fixes: d69a24e03659 ("IB/mlx5: Move IB event processing onto a workqueue") +Link: https://lore.kernel.org/r/8906754455bb23019ef223c725d2c0d38acfb80b.1620711734.git.leonro@nvidia.com +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 6d1dd09a4388..644d5d0ac544 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -4419,6 +4419,7 @@ static int mlx5r_mp_probe(struct auxiliary_device *adev, + + if (bound) { + rdma_roce_rescan_device(&dev->ib_dev); ++ mpi->ibdev->ib_active = true; + break; + } + } +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-mlx5-Use-the-correct-obj_id-upon-DEVX-TIR-creat.patch b/patches.suse/RDMA-mlx5-Use-the-correct-obj_id-upon-DEVX-TIR-creat.patch new file mode 100644 index 0000000..3a46171 --- /dev/null +++ b/patches.suse/RDMA-mlx5-Use-the-correct-obj_id-upon-DEVX-TIR-creat.patch @@ -0,0 +1,39 @@ +From 8798e4ad0abe0ba1221928a46561981c510be0c6 Mon Sep 17 00:00:00 2001 +From: Yishai Hadas +Date: Wed, 30 Dec 2020 15:01:19 +0200 +Subject: [PATCH 1/1] RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation +Git-commit: 8798e4ad0abe0ba1221928a46561981c510be0c6 +Patch-mainline: v5.12 +References: git-fixes + +Use the correct obj_id upon DEVX TIR creation by strictly taking the tirn +24 bits and not the general obj_id which is 32 bits. + +Fixes: 7efce3691d33 ("IB/mlx5: Add obj create and destroy functionality") +Link: https://lore.kernel.org/r/20201230130121.180350-2-leon@kernel.org +Signed-off-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/devx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c +index 819c142857d6..ff8e17d7f7ca 100644 +--- a/drivers/infiniband/hw/mlx5/devx.c ++++ b/drivers/infiniband/hw/mlx5/devx.c +@@ -1064,7 +1064,9 @@ static void devx_obj_build_destroy_cmd(void *in, void *out, void *din, + MLX5_SET(general_obj_in_cmd_hdr, din, opcode, MLX5_CMD_OP_DESTROY_RQT); + break; + case MLX5_CMD_OP_CREATE_TIR: +- MLX5_SET(general_obj_in_cmd_hdr, din, opcode, MLX5_CMD_OP_DESTROY_TIR); ++ *obj_id = MLX5_GET(create_tir_out, out, tirn); ++ MLX5_SET(destroy_tir_in, din, opcode, MLX5_CMD_OP_DESTROY_TIR); ++ MLX5_SET(destroy_tir_in, din, tirn, *obj_id); + break; + case MLX5_CMD_OP_CREATE_TIS: + MLX5_SET(general_obj_in_cmd_hdr, din, opcode, MLX5_CMD_OP_DESTROY_TIS); +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-ocrdma-Fix-use-after-free-in-ocrdma_dealloc_uco.patch b/patches.suse/RDMA-ocrdma-Fix-use-after-free-in-ocrdma_dealloc_uco.patch new file mode 100644 index 0000000..83d7915 --- /dev/null +++ b/patches.suse/RDMA-ocrdma-Fix-use-after-free-in-ocrdma_dealloc_uco.patch @@ -0,0 +1,45 @@ +From f2bc3af6353cb2a33dfa9d270d999d839eef54cb Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Tue, 29 Dec 2020 18:46:53 -0800 +Subject: [PATCH 1/1] RDMA/ocrdma: Fix use after free in +Git-commit: f2bc3af6353cb2a33dfa9d270d999d839eef54cb +Patch-mainline: v5.11 +References: git-fixes + ocrdma_dealloc_ucontext_pd() + +In ocrdma_dealloc_ucontext_pd() uctx->cntxt_pd is assigned to the variable +pd and then after uctx->cntxt_pd is freed, the variable pd is passed to +function _ocrdma_dealloc_pd() which dereferences pd directly or through +its call to ocrdma_mbx_dealloc_pd(). + +Reorder the free using the variable pd. + +Cc: stable@vger.kernel.org +Fixes: 21a428a019c9 ("RDMA: Handle PD allocations by IB/core") +Link: https://lore.kernel.org/r/20201230024653.1516495-1-trix@redhat.com +Signed-off-by: Tom Rix +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +index bc98bd950d99..3acb5c10b155 100644 +--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c ++++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +@@ -434,9 +434,9 @@ static void ocrdma_dealloc_ucontext_pd(struct ocrdma_ucontext *uctx) + pr_err("%s(%d) Freeing in use pdid=0x%x.\n", + __func__, dev->id, pd->id); + } +- kfree(uctx->cntxt_pd); + uctx->cntxt_pd = NULL; + _ocrdma_dealloc_pd(dev, pd); ++ kfree(pd); + } + + static struct ocrdma_pd *ocrdma_get_ucontext_pd(struct ocrdma_ucontext *uctx) +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-rxe-Clear-all-QP-fields-if-creation-failed.patch b/patches.suse/RDMA-rxe-Clear-all-QP-fields-if-creation-failed.patch new file mode 100644 index 0000000..8e2282a --- /dev/null +++ b/patches.suse/RDMA-rxe-Clear-all-QP-fields-if-creation-failed.patch @@ -0,0 +1,116 @@ +From 67f29896fdc83298eed5a6576ff8f9873f709228 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 11 May 2021 10:26:03 +0300 +Subject: [PATCH 1/1] RDMA/rxe: Clear all QP fields if creation failed +Git-commit: 67f29896fdc83298eed5a6576ff8f9873f709228 +Patch-mainline: v5.13 +References: git-fixes + +rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly +created ones, but in case rxe_qp_from_init() failed it was filled with +garbage and caused tot the following error. + + refcount_t: underflow; use-after-free. + WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 + Modules linked in: + CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 + Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55 + RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 + RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67 + RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 + R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800 + R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000 + FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + __refcount_sub_and_test include/linux/refcount.h:283 [inline] + __refcount_dec_and_test include/linux/refcount.h:315 [inline] + refcount_dec_and_test include/linux/refcount.h:333 [inline] + kref_put include/linux/kref.h:64 [inline] + rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805 + execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327 + rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391 + kref_put include/linux/kref.h:65 [inline] + rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425 + _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline] + ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231 + ib_create_qp include/rdma/ib_verbs.h:3644 [inline] + create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920 + ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline] + ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092 + add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717 + enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331 + ib_register_device drivers/infiniband/core/device.c:1413 [inline] + ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365 + rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147 + rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247 + rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503 + rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline] + rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250 + nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555 + rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195 + rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] + rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:674 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 + do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/7bf8d548764d406dbbbaf4b574960ebfd5af8387.1620717918.git.leonro@nvidia.com +Reported-by: syzbot+36a7f280de4e11c6f04e@syzkaller.appspotmail.com +Signed-off-by: Leon Romanovsky +Reviewed-by: Zhu Yanjun +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index 34ae957a315c..b0f350d674fd 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -242,6 +242,7 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, + if (err) { + vfree(qp->sq.queue->buf); + kfree(qp->sq.queue); ++ qp->sq.queue = NULL; + return err; + } + +@@ -295,6 +296,7 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, + if (err) { + vfree(qp->rq.queue->buf); + kfree(qp->rq.queue); ++ qp->rq.queue = NULL; + return err; + } + } +@@ -355,6 +357,11 @@ int rxe_qp_from_init(struct rxe_dev *rxe, struct rxe_qp *qp, struct rxe_pd *pd, + err2: + rxe_queue_cleanup(qp->sq.queue); + err1: ++ qp->pd = NULL; ++ qp->rcq = NULL; ++ qp->scq = NULL; ++ qp->srq = NULL; ++ + if (srq) + rxe_drop_ref(srq); + rxe_drop_ref(scq); +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-rxe-Compute-PSN-windows-correctly.patch b/patches.suse/RDMA-rxe-Compute-PSN-windows-correctly.patch new file mode 100644 index 0000000..429a76f --- /dev/null +++ b/patches.suse/RDMA-rxe-Compute-PSN-windows-correctly.patch @@ -0,0 +1,42 @@ +From bb3ab2979fd69db23328691cb10067861df89037 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Tue, 13 Oct 2020 12:07:42 -0500 +Subject: [PATCH 1/1] RDMA/rxe: Compute PSN windows correctly +Git-commit: bb3ab2979fd69db23328691cb10067861df89037 +Patch-mainline: v5.11 +References: git-fixes + +The code which limited the number of unacknowledged PSNs was incorrect. +The PSNs are limited to 24 bits and wrap back to zero from 0x00ffffff. +The test was computing a 32 bit value which wraps at 32 bits so that +qp->req.psn can appear smaller than the limit when it is actually larger. + +Replace '>' test with psn_compare which is used for other PSN comparisons +and correctly handles the 24 bit size. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20201013170741.3590-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_req.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c +index af3923bf0a36..d4917646641a 100644 +--- a/drivers/infiniband/sw/rxe/rxe_req.c ++++ b/drivers/infiniband/sw/rxe/rxe_req.c +@@ -634,7 +634,8 @@ next_wqe: + } + + if (unlikely(qp_type(qp) == IB_QPT_RC && +- qp->req.psn > (qp->comp.psn + RXE_MAX_UNACKED_PSNS))) { ++ psn_compare(qp->req.psn, (qp->comp.psn + ++ RXE_MAX_UNACKED_PSNS)) > 0)) { + qp->req.wait_psn = 1; + goto exit; + } +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-rxe-Correct-skb-on-loopback-path.patch b/patches.suse/RDMA-rxe-Correct-skb-on-loopback-path.patch new file mode 100644 index 0000000..ccb68c9 --- /dev/null +++ b/patches.suse/RDMA-rxe-Correct-skb-on-loopback-path.patch @@ -0,0 +1,42 @@ +From 5120bf0a5fc15dec210a0fe0f39e4a256bb6e349 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Thu, 28 Jan 2021 12:23:02 -0600 +Subject: [PATCH 1/1] RDMA/rxe: Correct skb on loopback path +Git-commit: 5120bf0a5fc15dec210a0fe0f39e4a256bb6e349 +Patch-mainline: v5.12 +References: git-fixes + +rxe_net.c sends packets at the IP layer with skb->data pointing at the IP +header but receives packets from a UDP tunnel with skb->data pointing at +the UDP header. On the loopback path this was not correctly accounted +for. This patch corrects for this by using sbk_pull() to strip the IP +header from the skb on received packets. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20210128182301.16859-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_net.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c +index c4b06ced30a7..0d4125b867b7 100644 +--- a/drivers/infiniband/sw/rxe/rxe_net.c ++++ b/drivers/infiniband/sw/rxe/rxe_net.c +@@ -408,6 +408,11 @@ int rxe_send(struct rxe_pkt_info *pkt, struct sk_buff *skb) + + void rxe_loopback(struct sk_buff *skb) + { ++ if (skb->protocol == htons(ETH_P_IP)) ++ skb_pull(skb, sizeof(struct iphdr)); ++ else ++ skb_pull(skb, sizeof(struct ipv6hdr)); ++ + rxe_rcv(skb); + } + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_rcv_mcast_pkt.patch b/patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_rcv_mcast_pkt.patch new file mode 100644 index 0000000..1a931fd --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_rcv_mcast_pkt.patch @@ -0,0 +1,74 @@ +From 8fc1b7027fc162738d5a85c82410e501a371a404 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Thu, 28 Jan 2021 11:47:53 -0600 +Subject: [PATCH 1/1] RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt +Git-commit: 8fc1b7027fc162738d5a85c82410e501a371a404 +Patch-mainline: v5.12 +References: git-fixes + +rxe_rcv_mcast_pkt() in rxe_recv.c can leak SKBs in error path code. The +loop over the QPs attached to a multicast group creates new cloned SKBs +for all but the last QP in the list and passes the SKB and its clones to +rxe_rcv_pkt() for further processing. Any QPs that do not pass some checks +are skipped. If the last QP in the list fails the tests the SKB is +leaked. This patch checks if the SKB for the last QP was used and if not +frees it. Also removes a redundant loop invariant assignment. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Fixes: 71abf20b28ff ("RDMA/rxe: Handle skb_clone() failure in rxe_recv.c") +Link: https://lore.kernel.org/r/20210128174752.16128-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index 0dd163b745fe..2bbcea61b780 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -256,7 +256,6 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + + list_for_each_entry(mce, &mcg->qp_list, qp_list) { + qp = mce->qp; +- pkt = SKB_TO_PKT(skb); + + /* validate qp for incoming packet */ + err = check_type_state(rxe, pkt, qp); +@@ -268,12 +267,18 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + continue; + + /* for all but the last qp create a new clone of the +- * skb and pass to the qp. ++ * skb and pass to the qp. If an error occurs in the ++ * checks for the last qp in the list we need to ++ * free the skb since it hasn't been passed on to ++ * rxe_rcv_pkt() which would free it later. + */ +- if (mce->qp_list.next != &mcg->qp_list) ++ if (mce->qp_list.next != &mcg->qp_list) { + per_qp_skb = skb_clone(skb, GFP_ATOMIC); +- else ++ } else { + per_qp_skb = skb; ++ /* show we have consumed the skb */ ++ skb = NULL; ++ } + + if (unlikely(!per_qp_skb)) + continue; +@@ -288,9 +293,8 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + + rxe_drop_ref(mcg); /* drop ref from rxe_pool_get_key. */ + +- return; +- + err1: ++ /* free skb if not consumed */ + kfree_skb(skb); + } + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_recv.c.patch b/patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_recv.c.patch new file mode 100644 index 0000000..ada9c3f --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_recv.c.patch @@ -0,0 +1,66 @@ +From 7d9ae80e31df57dd3253e1ec514f0000aa588a81 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Wed, 27 Jan 2021 15:45:01 -0600 +Subject: [PATCH 1/1] RDMA/rxe: Fix coding error in rxe_recv.c +Git-commit: 7d9ae80e31df57dd3253e1ec514f0000aa588a81 +Patch-mainline: v5.12 +References: git-fixes + +check_type_state() in rxe_recv.c is written as if the type bits in the +packet opcode were a bit mask which is not correct. This patch corrects +this code to compare all 3 type bits to the required type. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20210127214500.3707-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index c9984a28eecc..db0ee5c3962e 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -9,21 +9,26 @@ + #include "rxe.h" + #include "rxe_loc.h" + ++/* check that QP matches packet opcode type and is in a valid state */ + static int check_type_state(struct rxe_dev *rxe, struct rxe_pkt_info *pkt, + struct rxe_qp *qp) + { ++ unsigned int pkt_type; ++ + if (unlikely(!qp->valid)) + goto err1; + ++ pkt_type = pkt->opcode & 0xe0; ++ + switch (qp_type(qp)) { + case IB_QPT_RC: +- if (unlikely((pkt->opcode & IB_OPCODE_RC) != 0)) { ++ if (unlikely(pkt_type != IB_OPCODE_RC)) { + pr_warn_ratelimited("bad qp type\n"); + goto err1; + } + break; + case IB_QPT_UC: +- if (unlikely(!(pkt->opcode & IB_OPCODE_UC))) { ++ if (unlikely(pkt_type != IB_OPCODE_UC)) { + pr_warn_ratelimited("bad qp type\n"); + goto err1; + } +@@ -31,7 +36,7 @@ static int check_type_state(struct rxe_dev *rxe, struct rxe_pkt_info *pkt, + case IB_QPT_UD: + case IB_QPT_SMI: + case IB_QPT_GSI: +- if (unlikely(!(pkt->opcode & IB_OPCODE_UD))) { ++ if (unlikely(pkt_type != IB_OPCODE_UD)) { + pr_warn_ratelimited("bad qp type\n"); + goto err1; + } +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-rxe-Fix-missing-kconfig-dependency-on-CRYPTO.patch b/patches.suse/RDMA-rxe-Fix-missing-kconfig-dependency-on-CRYPTO.patch new file mode 100644 index 0000000..dce5994 --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-missing-kconfig-dependency-on-CRYPTO.patch @@ -0,0 +1,43 @@ +From 475f23b8c66d2892ad6acbf90ed757cafab13de7 Mon Sep 17 00:00:00 2001 +From: Julian Braha +Date: Fri, 19 Feb 2021 18:32:26 -0500 +Subject: [PATCH 1/1] RDMA/rxe: Fix missing kconfig dependency on CRYPTO +Git-commit: 475f23b8c66d2892ad6acbf90ed757cafab13de7 +Patch-mainline: v5.12 +References: git-fixes + +When RDMA_RXE is enabled and CRYPTO is disabled, Kbuild gives the +following warning: + + WARNING: unmet direct dependencies detected for CRYPTO_CRC32 + Depends on [n]: CRYPTO [=n] + Selected by [y]: + - RDMA_RXE [=y] && (INFINIBAND_USER_ACCESS [=y] || !INFINIBAND_USER_ACCESS [=y]) && INET [=y] && PCI [=y] && INFINIBAND [=y] && INFINIBAND_VIRT_DMA [=y] + +This is because RDMA_RXE selects CRYPTO_CRC32, without depending on or +selecting CRYPTO, despite that config option being subordinate to CRYPTO. + +Fixes: cee2688e3cd6 ("IB/rxe: Offload CRC calculation when possible") +Signed-off-by: Julian Braha +Link: https://lore.kernel.org/r/21525878.NYvzQUHefP@ubuntu-mate-laptop +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/sw/rxe/Kconfig b/drivers/infiniband/sw/rxe/Kconfig +index 452149066792..06b8dc5093f7 100644 +--- a/drivers/infiniband/sw/rxe/Kconfig ++++ b/drivers/infiniband/sw/rxe/Kconfig +@@ -4,6 +4,7 @@ config RDMA_RXE + depends on INET && PCI && INFINIBAND + depends on INFINIBAND_VIRT_DMA + select NET_UDP_TUNNEL ++ select CRYPTO + select CRYPTO_CRC32 + select DMA_VIRT_OPS + ---help--- +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-rxe-Remove-useless-code-in-rxe_recv.c.patch b/patches.suse/RDMA-rxe-Remove-useless-code-in-rxe_recv.c.patch new file mode 100644 index 0000000..08d8656 --- /dev/null +++ b/patches.suse/RDMA-rxe-Remove-useless-code-in-rxe_recv.c.patch @@ -0,0 +1,45 @@ +From e328197423e09094aff48619ebef6671ff64d3b2 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Wed, 27 Jan 2021 16:42:04 -0600 +Subject: [PATCH 1/1] RDMA/rxe: Remove useless code in rxe_recv.c +Git-commit: e328197423e09094aff48619ebef6671ff64d3b2 +Patch-mainline: v5.12 +References: git-fixes + +In check_keys() in rxe_recv.c + + if ((...) && pkt->mask) { + ... + } + +always has pkt->mask non zero since in rxe_udp_encap_recv() pkt->mask is +always set to RXE_GRH_MASK (!= 0). There is no obvious reason for this +additional test and the original intent is lost. This patch simplifies the +expression. + +Fixes: 8b7b59d030cc ("IB/rxe: remove redudant qpn check") +Link: https://lore.kernel.org/r/20210127224203.2812-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index db0ee5c3962e..0dd163b745fe 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -90,8 +90,7 @@ static int check_keys(struct rxe_dev *rxe, struct rxe_pkt_info *pkt, + goto err1; + } + +- if ((qp_type(qp) == IB_QPT_UD || qp_type(qp) == IB_QPT_GSI) && +- pkt->mask) { ++ if (qp_type(qp) == IB_QPT_UD || qp_type(qp) == IB_QPT_GSI) { + u32 qkey = (qpn == 1) ? GSI_QKEY : qp->attr.qkey; + + if (unlikely(deth_qkey(pkt) != qkey)) { +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-siw-Fix-a-use-after-free-in-siw_alloc_mr.patch b/patches.suse/RDMA-siw-Fix-a-use-after-free-in-siw_alloc_mr.patch new file mode 100644 index 0000000..5805368 --- /dev/null +++ b/patches.suse/RDMA-siw-Fix-a-use-after-free-in-siw_alloc_mr.patch @@ -0,0 +1,54 @@ +From 3093ee182f01689b89e9f8797b321603e5de4f63 Mon Sep 17 00:00:00 2001 +From: Lv Yunlong +Date: Sun, 25 Apr 2021 18:16:47 -0700 +Subject: [PATCH 1/1] RDMA/siw: Fix a use after free in siw_alloc_mr +Git-commit: 3093ee182f01689b89e9f8797b321603e5de4f63 +Patch-mainline: v5.13 +References: git-fixes + +Our code analyzer reported a UAF. + +In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of +siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via +kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a +freed object. After, the execution continue up to the err_out branch of +siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr). + +My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {} +section, to avoid the uaf. + +Fixes: 2251334dcac9 ("rdma/siw: application buffer management") +Link: https://lore.kernel.org/r/20210426011647.3561-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Lv Yunlong +Reviewed-by: Bernard Metzler +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/siw/siw_mem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_mem.c b/drivers/infiniband/sw/siw/siw_mem.c +index 34a910cf0edb..61c17db70d65 100644 +--- a/drivers/infiniband/sw/siw/siw_mem.c ++++ b/drivers/infiniband/sw/siw/siw_mem.c +@@ -106,8 +106,6 @@ int siw_mr_add_mem(struct siw_mr *mr, struct ib_pd *pd, void *mem_obj, + mem->perms = rights & IWARP_ACCESS_MASK; + kref_init(&mem->ref); + +- mr->mem = mem; +- + get_random_bytes(&next, 4); + next &= 0x00ffffff; + +@@ -116,6 +114,8 @@ int siw_mr_add_mem(struct siw_mr *mr, struct ib_pd *pd, void *mem_obj, + kfree(mem); + return -ENOMEM; + } ++ ++ mr->mem = mem; + /* Set the STag index part */ + mem->stag = id << 8; + mr->base_mr.lkey = mr->base_mr.rkey = mem->stag; +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-siw-Fix-calculation-of-tx_valid_cpus-size.patch b/patches.suse/RDMA-siw-Fix-calculation-of-tx_valid_cpus-size.patch new file mode 100644 index 0000000..887e06c --- /dev/null +++ b/patches.suse/RDMA-siw-Fix-calculation-of-tx_valid_cpus-size.patch @@ -0,0 +1,74 @@ +From 429fa9698957d1a910535ce5e33aedf5adfdabc1 Mon Sep 17 00:00:00 2001 +From: Kamal Heib +Date: Mon, 1 Feb 2021 13:29:22 +0200 +Subject: [PATCH 1/1] RDMA/siw: Fix calculation of tx_valid_cpus size +Git-commit: 429fa9698957d1a910535ce5e33aedf5adfdabc1 +Patch-mainline: v5.12 +References: git-fixes + +The size of tx_valid_cpus was calculated under the assumption that the +numa nodes identifiers are continuous, which is not the case in all archs +as this could lead to the following panic when trying to access an invalid +tx_valid_cpus index, avoid the following panic by using nr_node_ids +instead of num_online_nodes() to allocate the tx_valid_cpus size. + + Kernel attempted to read user page (8) - exploit attempt? (uid: 0) + BUG: Kernel NULL pointer dereference on read at 0x00000008 + Faulting instruction address: 0xc0080000081b4a90 + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV + Modules linked in: siw(+) rfkill rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm sunrpc ib_umad rdma_cm ib_cm iw_cm i40iw ib_uverbs ib_core i40e ses enclosure scsi_transport_sas ipmi_powernv ibmpowernv at24 ofpart ipmi_devintf regmap_i2c ipmi_msghandler powernv_flash uio_pdrv_genirq uio mtd opal_prd zram ip_tables xfs libcrc32c sd_mod t10_pi ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm vmx_crypto aacraid drm_panel_orientation_quirks dm_mod + CPU: 40 PID: 3279 Comm: modprobe Tainted: G W X --------- --- 5.11.0-0.rc4.129.eln108.ppc64le #2 + NIP: c0080000081b4a90 LR: c0080000081b4a2c CTR: c0000000007ce1c0 + REGS: c000000027fa77b0 TRAP: 0300 Tainted: G W X --------- --- (5.11.0-0.rc4.129.eln108.ppc64le) + MSR: 9000000002009033 CR: 44224882 XER: 00000000 + CFAR: c0000000007ce200 DAR: 0000000000000008 DSISR: 40000000 IRQMASK: 0 + GPR00: c0080000081b4a2c c000000027fa7a50 c0080000081c3900 0000000000000040 + GPR04: c000000002023080 c000000012e1c300 000020072ad70000 0000000000000001 + GPR08: c000000001726068 0000000000000008 0000000000000008 c0080000081b5758 + GPR12: c0000000007ce1c0 c0000007fffc3000 00000001590b1e40 0000000000000000 + GPR16: 0000000000000000 0000000000000001 000000011ad68fc8 00007fffcc09c5c8 + GPR20: 0000000000000008 0000000000000000 00000001590b2850 00000001590b1d30 + GPR24: 0000000000043d68 000000011ad67a80 000000011ad67a80 0000000000100000 + GPR28: c000000012e1c300 c0000000020271c8 0000000000000001 c0080000081bf608 + NIP [c0080000081b4a90] siw_init_cpulist+0x194/0x214 [siw] + LR [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] + Call Trace: + [c000000027fa7a50] [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] (unreliable) + [c000000027fa7a90] [c0080000081b4e68] siw_init_module+0x40/0x2a0 [siw] + [c000000027fa7b30] [c0000000000124f4] do_one_initcall+0x84/0x2e0 + [c000000027fa7c00] [c000000000267ffc] do_init_module+0x7c/0x350 + [c000000027fa7c90] [c00000000026a180] __do_sys_init_module+0x210/0x250 + [c000000027fa7db0] [c0000000000387e4] system_call_exception+0x134/0x230 + [c000000027fa7e10] [c00000000000d660] system_call_common+0xf0/0x27c + Instruction dump: + 40810044 3d420000 e8bf0000 e88a82d0 3d420000 e90a82c8 792a1f24 7cc4302a + 7d2642aa 79291f24 7d25482a 7d295214 <7d4048a8> 7d4a3b78 7d4049ad 40c2fff4 + +Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface") +Link: https://lore.kernel.org/r/20210201112922.141085-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Reviewed-by: Bernard Metzler +Tested-by: Yi Zhang +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/siw/siw_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/siw/siw_main.c b/drivers/infiniband/sw/siw/siw_main.c +index 81a294269592..cf55326f2ab4 100644 +--- a/drivers/infiniband/sw/siw/siw_main.c ++++ b/drivers/infiniband/sw/siw/siw_main.c +@@ -135,7 +135,7 @@ static struct { + + static int siw_init_cpulist(void) + { +- int i, num_nodes = num_possible_nodes(); ++ int i, num_nodes = nr_node_ids; + + memset(siw_tx_thread, 0, sizeof(siw_tx_thread)); + +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-siw-Fix-handling-of-zero-sized-Read-and-Receive.patch b/patches.suse/RDMA-siw-Fix-handling-of-zero-sized-Read-and-Receive.patch new file mode 100644 index 0000000..3f0f60f --- /dev/null +++ b/patches.suse/RDMA-siw-Fix-handling-of-zero-sized-Read-and-Receive.patch @@ -0,0 +1,574 @@ +From 661f385961f06f36da24cf408d461f988d0c39ad Mon Sep 17 00:00:00 2001 +From: Bernard Metzler +Date: Fri, 8 Jan 2021 13:58:45 +0100 +Subject: [PATCH 1/1] RDMA/siw: Fix handling of zero-sized Read and Receive +Git-commit: 661f385961f06f36da24cf408d461f988d0c39ad +Patch-mainline: v5.12 +References: git-fixes + Queues. + +During connection setup, the application may choose to zero-size inbound +and outbound READ queues, as well as the Receive queue. This patch fixes +handling of zero-sized queues, but not prevents it. + +Kamal Heib says in an initial error report: + + When running the blktests over siw the following shift-out-of-bounds is + reported, this is happening because the passed IRD or ORD from the ulp + could be zero which will lead to unexpected behavior when calling + roundup_pow_of_two(), fix that by blocking zero values of ORD or IRD. + + UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 + shift exponent 64 is too large for 64-bit type 'long unsigned int' + CPU: 20 PID: 3957 Comm: kworker/u64:13 Tainted: G S 5.10.0-rc6 #2 + Hardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.5 04/11/2016 + Workqueue: iw_cm_wq cm_work_handler [iw_cm] + Call Trace: + dump_stack+0x99/0xcb + ubsan_epilogue+0x5/0x40 + __ubsan_handle_shift_out_of_bounds.cold.11+0xb4/0xf3 + ? down_write+0x183/0x3d0 + siw_qp_modify.cold.8+0x2d/0x32 [siw] + ? __local_bh_enable_ip+0xa5/0xf0 + siw_accept+0x906/0x1b60 [siw] + ? xa_load+0x147/0x1f0 + ? siw_connect+0x17a0/0x17a0 [siw] + ? lock_downgrade+0x700/0x700 + ? siw_get_base_qp+0x1c2/0x340 [siw] + ? _raw_spin_unlock_irqrestore+0x39/0x40 + iw_cm_accept+0x1f4/0x430 [iw_cm] + rdma_accept+0x3fa/0xb10 [rdma_cm] + ? check_flush_dependency+0x410/0x410 + ? cma_rep_recv+0x570/0x570 [rdma_cm] + nvmet_rdma_queue_connect+0x1a62/0x2680 [nvmet_rdma] + ? nvmet_rdma_alloc_cmds+0xce0/0xce0 [nvmet_rdma] + ? lock_release+0x56e/0xcc0 + ? lock_downgrade+0x700/0x700 + ? lock_downgrade+0x700/0x700 + ? __xa_alloc_cyclic+0xef/0x350 + ? __xa_alloc+0x2d0/0x2d0 + ? rdma_restrack_add+0xbe/0x2c0 [ib_core] + ? __ww_mutex_die+0x190/0x190 + cma_cm_event_handler+0xf2/0x500 [rdma_cm] + iw_conn_req_handler+0x910/0xcb0 [rdma_cm] + ? _raw_spin_unlock_irqrestore+0x39/0x40 + ? trace_hardirqs_on+0x1c/0x150 + ? cma_ib_handler+0x8a0/0x8a0 [rdma_cm] + ? __kasan_kmalloc.constprop.7+0xc1/0xd0 + cm_work_handler+0x121c/0x17a0 [iw_cm] + ? iw_cm_reject+0x190/0x190 [iw_cm] + ? trace_hardirqs_on+0x1c/0x150 + process_one_work+0x8fb/0x16c0 + ? pwq_dec_nr_in_flight+0x320/0x320 + worker_thread+0x87/0xb40 + ? __kthread_parkme+0xd1/0x1a0 + ? process_one_work+0x16c0/0x16c0 + kthread+0x35f/0x430 + ? kthread_mod_delayed_work+0x180/0x180 + ret_from_fork+0x22/0x30 + +Fixes: a531975279f3 ("rdma/siw: main include file") +Fixes: f29dd55b0236 ("rdma/siw: queue pair methods") +Fixes: 8b6a361b8c48 ("rdma/siw: receive path") +Fixes: b9be6f18cf9e ("rdma/siw: transmit path") +Fixes: 303ae1cdfdf7 ("rdma/siw: application interface") +Link: https://lore.kernel.org/r/20210108125845.1803-1-bmt@zurich.ibm.com +Reported-by: Kamal Heib +Reported-by: Yi Zhang +Reported-by: kernel test robot +Signed-off-by: Bernard Metzler +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/siw/siw.h | 2 +- + drivers/infiniband/sw/siw/siw_qp.c | 271 ++++++++++++++------------ + drivers/infiniband/sw/siw/siw_qp_rx.c | 26 ++- + drivers/infiniband/sw/siw/siw_qp_tx.c | 4 +- + drivers/infiniband/sw/siw/siw_verbs.c | 20 +- + 5 files changed, 177 insertions(+), 146 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw.h b/drivers/infiniband/sw/siw/siw.h +index adda78996219..368959ae9a8c 100644 +--- a/drivers/infiniband/sw/siw/siw.h ++++ b/drivers/infiniband/sw/siw/siw.h +@@ -653,7 +653,7 @@ static inline struct siw_sqe *orq_get_free(struct siw_qp *qp) + { + struct siw_sqe *orq_e = orq_get_tail(qp); + +- if (orq_e && READ_ONCE(orq_e->flags) == 0) ++ if (READ_ONCE(orq_e->flags) == 0) + return orq_e; + + return NULL; +diff --git a/drivers/infiniband/sw/siw/siw_qp.c b/drivers/infiniband/sw/siw/siw_qp.c +index 875d36d4b1c6..ddb2e66f9f13 100644 +--- a/drivers/infiniband/sw/siw/siw_qp.c ++++ b/drivers/infiniband/sw/siw/siw_qp.c +@@ -199,26 +199,26 @@ void siw_qp_llp_write_space(struct sock *sk) + + static int siw_qp_readq_init(struct siw_qp *qp, int irq_size, int orq_size) + { +- irq_size = roundup_pow_of_two(irq_size); +- orq_size = roundup_pow_of_two(orq_size); +- +- qp->attrs.irq_size = irq_size; +- qp->attrs.orq_size = orq_size; +- +- qp->irq = vzalloc(irq_size * sizeof(struct siw_sqe)); +- if (!qp->irq) { +- siw_dbg_qp(qp, "irq malloc for %d failed\n", irq_size); +- qp->attrs.irq_size = 0; +- return -ENOMEM; ++ if (irq_size) { ++ irq_size = roundup_pow_of_two(irq_size); ++ qp->irq = vzalloc(irq_size * sizeof(struct siw_sqe)); ++ if (!qp->irq) { ++ qp->attrs.irq_size = 0; ++ return -ENOMEM; ++ } + } +- qp->orq = vzalloc(orq_size * sizeof(struct siw_sqe)); +- if (!qp->orq) { +- siw_dbg_qp(qp, "orq malloc for %d failed\n", orq_size); +- qp->attrs.orq_size = 0; +- qp->attrs.irq_size = 0; +- vfree(qp->irq); +- return -ENOMEM; ++ if (orq_size) { ++ orq_size = roundup_pow_of_two(orq_size); ++ qp->orq = vzalloc(orq_size * sizeof(struct siw_sqe)); ++ if (!qp->orq) { ++ qp->attrs.orq_size = 0; ++ qp->attrs.irq_size = 0; ++ vfree(qp->irq); ++ return -ENOMEM; ++ } + } ++ qp->attrs.irq_size = irq_size; ++ qp->attrs.orq_size = orq_size; + siw_dbg_qp(qp, "ORD %d, IRD %d\n", orq_size, irq_size); + return 0; + } +@@ -288,13 +288,14 @@ int siw_qp_mpa_rts(struct siw_qp *qp, enum mpa_v2_ctrl ctrl) + if (ctrl & MPA_V2_RDMA_WRITE_RTR) + wqe->sqe.opcode = SIW_OP_WRITE; + else if (ctrl & MPA_V2_RDMA_READ_RTR) { +- struct siw_sqe *rreq; ++ struct siw_sqe *rreq = NULL; + + wqe->sqe.opcode = SIW_OP_READ; + + spin_lock(&qp->orq_lock); + +- rreq = orq_get_free(qp); ++ if (qp->attrs.orq_size) ++ rreq = orq_get_free(qp); + if (rreq) { + siw_read_to_orq(rreq, &wqe->sqe); + qp->orq_put++; +@@ -877,135 +878,88 @@ void siw_read_to_orq(struct siw_sqe *rreq, struct siw_sqe *sqe) + rreq->num_sge = 1; + } + +-/* +- * Must be called with SQ locked. +- * To avoid complete SQ starvation by constant inbound READ requests, +- * the active IRQ will not be served after qp->irq_burst, if the +- * SQ has pending work. +- */ +-int siw_activate_tx(struct siw_qp *qp) ++static int siw_activate_tx_from_sq(struct siw_qp *qp) + { +- struct siw_sqe *irqe, *sqe; ++ struct siw_sqe *sqe; + struct siw_wqe *wqe = tx_wqe(qp); + int rv = 1; + +- irqe = &qp->irq[qp->irq_get % qp->attrs.irq_size]; +- +- if (irqe->flags & SIW_WQE_VALID) { +- sqe = sq_get_next(qp); +- +- /* +- * Avoid local WQE processing starvation in case +- * of constant inbound READ request stream +- */ +- if (sqe && ++qp->irq_burst >= SIW_IRQ_MAXBURST_SQ_ACTIVE) { +- qp->irq_burst = 0; +- goto skip_irq; +- } +- memset(wqe->mem, 0, sizeof(*wqe->mem) * SIW_MAX_SGE); +- wqe->wr_status = SIW_WR_QUEUED; +- +- /* start READ RESPONSE */ +- wqe->sqe.opcode = SIW_OP_READ_RESPONSE; +- wqe->sqe.flags = 0; +- if (irqe->num_sge) { +- wqe->sqe.num_sge = 1; +- wqe->sqe.sge[0].length = irqe->sge[0].length; +- wqe->sqe.sge[0].laddr = irqe->sge[0].laddr; +- wqe->sqe.sge[0].lkey = irqe->sge[0].lkey; +- } else { +- wqe->sqe.num_sge = 0; +- } +- +- /* Retain original RREQ's message sequence number for +- * potential error reporting cases. +- */ +- wqe->sqe.sge[1].length = irqe->sge[1].length; +- +- wqe->sqe.rkey = irqe->rkey; +- wqe->sqe.raddr = irqe->raddr; ++ sqe = sq_get_next(qp); ++ if (!sqe) ++ return 0; + +- wqe->processed = 0; +- qp->irq_get++; ++ memset(wqe->mem, 0, sizeof(*wqe->mem) * SIW_MAX_SGE); ++ wqe->wr_status = SIW_WR_QUEUED; + +- /* mark current IRQ entry free */ +- smp_store_mb(irqe->flags, 0); ++ /* First copy SQE to kernel private memory */ ++ memcpy(&wqe->sqe, sqe, sizeof(*sqe)); + ++ if (wqe->sqe.opcode >= SIW_NUM_OPCODES) { ++ rv = -EINVAL; + goto out; + } +- sqe = sq_get_next(qp); +- if (sqe) { +-skip_irq: +- memset(wqe->mem, 0, sizeof(*wqe->mem) * SIW_MAX_SGE); +- wqe->wr_status = SIW_WR_QUEUED; +- +- /* First copy SQE to kernel private memory */ +- memcpy(&wqe->sqe, sqe, sizeof(*sqe)); +- +- if (wqe->sqe.opcode >= SIW_NUM_OPCODES) { ++ if (wqe->sqe.flags & SIW_WQE_INLINE) { ++ if (wqe->sqe.opcode != SIW_OP_SEND && ++ wqe->sqe.opcode != SIW_OP_WRITE) { + rv = -EINVAL; + goto out; + } +- if (wqe->sqe.flags & SIW_WQE_INLINE) { +- if (wqe->sqe.opcode != SIW_OP_SEND && +- wqe->sqe.opcode != SIW_OP_WRITE) { +- rv = -EINVAL; +- goto out; +- } +- if (wqe->sqe.sge[0].length > SIW_MAX_INLINE) { +- rv = -EINVAL; +- goto out; +- } +- wqe->sqe.sge[0].laddr = (uintptr_t)&wqe->sqe.sge[1]; +- wqe->sqe.sge[0].lkey = 0; +- wqe->sqe.num_sge = 1; ++ if (wqe->sqe.sge[0].length > SIW_MAX_INLINE) { ++ rv = -EINVAL; ++ goto out; + } +- if (wqe->sqe.flags & SIW_WQE_READ_FENCE) { +- /* A READ cannot be fenced */ +- if (unlikely(wqe->sqe.opcode == SIW_OP_READ || +- wqe->sqe.opcode == +- SIW_OP_READ_LOCAL_INV)) { +- siw_dbg_qp(qp, "cannot fence read\n"); +- rv = -EINVAL; +- goto out; +- } +- spin_lock(&qp->orq_lock); ++ wqe->sqe.sge[0].laddr = (uintptr_t)&wqe->sqe.sge[1]; ++ wqe->sqe.sge[0].lkey = 0; ++ wqe->sqe.num_sge = 1; ++ } ++ if (wqe->sqe.flags & SIW_WQE_READ_FENCE) { ++ /* A READ cannot be fenced */ ++ if (unlikely(wqe->sqe.opcode == SIW_OP_READ || ++ wqe->sqe.opcode == ++ SIW_OP_READ_LOCAL_INV)) { ++ siw_dbg_qp(qp, "cannot fence read\n"); ++ rv = -EINVAL; ++ goto out; ++ } ++ spin_lock(&qp->orq_lock); + +- if (!siw_orq_empty(qp)) { +- qp->tx_ctx.orq_fence = 1; +- rv = 0; +- } +- spin_unlock(&qp->orq_lock); ++ if (qp->attrs.orq_size && !siw_orq_empty(qp)) { ++ qp->tx_ctx.orq_fence = 1; ++ rv = 0; ++ } ++ spin_unlock(&qp->orq_lock); + +- } else if (wqe->sqe.opcode == SIW_OP_READ || +- wqe->sqe.opcode == SIW_OP_READ_LOCAL_INV) { +- struct siw_sqe *rreq; ++ } else if (wqe->sqe.opcode == SIW_OP_READ || ++ wqe->sqe.opcode == SIW_OP_READ_LOCAL_INV) { ++ struct siw_sqe *rreq; + +- wqe->sqe.num_sge = 1; ++ if (unlikely(!qp->attrs.orq_size)) { ++ /* We negotiated not to send READ req's */ ++ rv = -EINVAL; ++ goto out; ++ } ++ wqe->sqe.num_sge = 1; + +- spin_lock(&qp->orq_lock); ++ spin_lock(&qp->orq_lock); + +- rreq = orq_get_free(qp); +- if (rreq) { +- /* +- * Make an immediate copy in ORQ to be ready +- * to process loopback READ reply +- */ +- siw_read_to_orq(rreq, &wqe->sqe); +- qp->orq_put++; +- } else { +- qp->tx_ctx.orq_fence = 1; +- rv = 0; +- } +- spin_unlock(&qp->orq_lock); ++ rreq = orq_get_free(qp); ++ if (rreq) { ++ /* ++ * Make an immediate copy in ORQ to be ready ++ * to process loopback READ reply ++ */ ++ siw_read_to_orq(rreq, &wqe->sqe); ++ qp->orq_put++; ++ } else { ++ qp->tx_ctx.orq_fence = 1; ++ rv = 0; + } +- +- /* Clear SQE, can be re-used by application */ +- smp_store_mb(sqe->flags, 0); +- qp->sq_get++; +- } else { +- rv = 0; ++ spin_unlock(&qp->orq_lock); + } ++ ++ /* Clear SQE, can be re-used by application */ ++ smp_store_mb(sqe->flags, 0); ++ qp->sq_get++; + out: + if (unlikely(rv < 0)) { + siw_dbg_qp(qp, "error %d\n", rv); +@@ -1014,6 +968,65 @@ out: + return rv; + } + ++/* ++ * Must be called with SQ locked. ++ * To avoid complete SQ starvation by constant inbound READ requests, ++ * the active IRQ will not be served after qp->irq_burst, if the ++ * SQ has pending work. ++ */ ++int siw_activate_tx(struct siw_qp *qp) ++{ ++ struct siw_sqe *irqe; ++ struct siw_wqe *wqe = tx_wqe(qp); ++ ++ if (!qp->attrs.irq_size) ++ return siw_activate_tx_from_sq(qp); ++ ++ irqe = &qp->irq[qp->irq_get % qp->attrs.irq_size]; ++ ++ if (!(irqe->flags & SIW_WQE_VALID)) ++ return siw_activate_tx_from_sq(qp); ++ ++ /* ++ * Avoid local WQE processing starvation in case ++ * of constant inbound READ request stream ++ */ ++ if (sq_get_next(qp) && ++qp->irq_burst >= SIW_IRQ_MAXBURST_SQ_ACTIVE) { ++ qp->irq_burst = 0; ++ return siw_activate_tx_from_sq(qp); ++ } ++ memset(wqe->mem, 0, sizeof(*wqe->mem) * SIW_MAX_SGE); ++ wqe->wr_status = SIW_WR_QUEUED; ++ ++ /* start READ RESPONSE */ ++ wqe->sqe.opcode = SIW_OP_READ_RESPONSE; ++ wqe->sqe.flags = 0; ++ if (irqe->num_sge) { ++ wqe->sqe.num_sge = 1; ++ wqe->sqe.sge[0].length = irqe->sge[0].length; ++ wqe->sqe.sge[0].laddr = irqe->sge[0].laddr; ++ wqe->sqe.sge[0].lkey = irqe->sge[0].lkey; ++ } else { ++ wqe->sqe.num_sge = 0; ++ } ++ ++ /* Retain original RREQ's message sequence number for ++ * potential error reporting cases. ++ */ ++ wqe->sqe.sge[1].length = irqe->sge[1].length; ++ ++ wqe->sqe.rkey = irqe->rkey; ++ wqe->sqe.raddr = irqe->raddr; ++ ++ wqe->processed = 0; ++ qp->irq_get++; ++ ++ /* mark current IRQ entry free */ ++ smp_store_mb(irqe->flags, 0); ++ ++ return 1; ++} ++ + /* + * Check if current CQ state qualifies for calling CQ completion + * handler. Must be called with CQ lock held. +diff --git a/drivers/infiniband/sw/siw/siw_qp_rx.c b/drivers/infiniband/sw/siw/siw_qp_rx.c +index 4bd1f1f84057..60116f20653c 100644 +--- a/drivers/infiniband/sw/siw/siw_qp_rx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_rx.c +@@ -680,6 +680,10 @@ static int siw_init_rresp(struct siw_qp *qp, struct siw_rx_stream *srx) + } + spin_lock_irqsave(&qp->sq_lock, flags); + ++ if (unlikely(!qp->attrs.irq_size)) { ++ run_sq = 0; ++ goto error_irq; ++ } + if (tx_work->wr_status == SIW_WR_IDLE) { + /* + * immediately schedule READ response w/o +@@ -712,8 +716,9 @@ static int siw_init_rresp(struct siw_qp *qp, struct siw_rx_stream *srx) + /* RRESP now valid as current TX wqe or placed into IRQ */ + smp_store_mb(resp->flags, SIW_WQE_VALID); + } else { +- pr_warn("siw: [QP %u]: irq %d exceeded %d\n", qp_id(qp), +- qp->irq_put % qp->attrs.irq_size, qp->attrs.irq_size); ++error_irq: ++ pr_warn("siw: [QP %u]: IRQ exceeded or null, size %d\n", ++ qp_id(qp), qp->attrs.irq_size); + + siw_init_terminate(qp, TERM_ERROR_LAYER_RDMAP, + RDMAP_ETYPE_REMOTE_OPERATION, +@@ -740,6 +745,9 @@ static int siw_orqe_start_rx(struct siw_qp *qp) + struct siw_sqe *orqe; + struct siw_wqe *wqe = NULL; + ++ if (unlikely(!qp->attrs.orq_size)) ++ return -EPROTO; ++ + /* make sure ORQ indices are current */ + smp_mb(); + +@@ -796,8 +804,8 @@ int siw_proc_rresp(struct siw_qp *qp) + */ + rv = siw_orqe_start_rx(qp); + if (rv) { +- pr_warn("siw: [QP %u]: ORQ empty at idx %d\n", +- qp_id(qp), qp->orq_get % qp->attrs.orq_size); ++ pr_warn("siw: [QP %u]: ORQ empty, size %d\n", ++ qp_id(qp), qp->attrs.orq_size); + goto error_term; + } + rv = siw_rresp_check_ntoh(srx, frx); +@@ -1290,11 +1298,13 @@ static int siw_rdmap_complete(struct siw_qp *qp, int error) + wc_status); + siw_wqe_put_mem(wqe, SIW_OP_READ); + +- if (!error) ++ if (!error) { + rv = siw_check_tx_fence(qp); +- else +- /* Disable current ORQ eleement */ +- WRITE_ONCE(orq_get_current(qp)->flags, 0); ++ } else { ++ /* Disable current ORQ element */ ++ if (qp->attrs.orq_size) ++ WRITE_ONCE(orq_get_current(qp)->flags, 0); ++ } + break; + + case RDMAP_RDMA_READ_REQ: +diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/siw/siw_qp_tx.c +index d19d8325588b..7989c4043db4 100644 +--- a/drivers/infiniband/sw/siw/siw_qp_tx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c +@@ -1107,8 +1107,8 @@ next_wqe: + /* + * RREQ may have already been completed by inbound RRESP! + */ +- if (tx_type == SIW_OP_READ || +- tx_type == SIW_OP_READ_LOCAL_INV) { ++ if ((tx_type == SIW_OP_READ || ++ tx_type == SIW_OP_READ_LOCAL_INV) && qp->attrs.orq_size) { + /* Cleanup pending entry in ORQ */ + qp->orq_put--; + qp->orq[qp->orq_put % qp->attrs.orq_size].flags = 0; +diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c +index 68fd053fc774..e389d44e5591 100644 +--- a/drivers/infiniband/sw/siw/siw_verbs.c ++++ b/drivers/infiniband/sw/siw/siw_verbs.c +@@ -365,13 +365,23 @@ struct ib_qp *siw_create_qp(struct ib_pd *pd, + if (rv) + goto err_out; + ++ num_sqe = attrs->cap.max_send_wr; ++ num_rqe = attrs->cap.max_recv_wr; ++ + /* All queue indices are derived from modulo operations + * on a free running 'get' (consumer) and 'put' (producer) + * unsigned counter. Having queue sizes at power of two + * avoids handling counter wrap around. + */ +- num_sqe = roundup_pow_of_two(attrs->cap.max_send_wr); +- num_rqe = roundup_pow_of_two(attrs->cap.max_recv_wr); ++ if (num_sqe) ++ num_sqe = roundup_pow_of_two(num_sqe); ++ else { ++ /* Zero sized SQ is not supported */ ++ rv = -EINVAL; ++ goto err_out; ++ } ++ if (num_rqe) ++ num_rqe = roundup_pow_of_two(num_rqe); + + if (udata) + qp->sendq = vmalloc_user(num_sqe * sizeof(struct siw_sqe)); +@@ -379,7 +389,6 @@ struct ib_qp *siw_create_qp(struct ib_pd *pd, + qp->sendq = vzalloc(num_sqe * sizeof(struct siw_sqe)); + + if (qp->sendq == NULL) { +- siw_dbg(base_dev, "SQ size %d alloc failed\n", num_sqe); + rv = -ENOMEM; + goto err_out_xa; + } +@@ -413,7 +422,6 @@ struct ib_qp *siw_create_qp(struct ib_pd *pd, + qp->recvq = vzalloc(num_rqe * sizeof(struct siw_rqe)); + + if (qp->recvq == NULL) { +- siw_dbg(base_dev, "RQ size %d alloc failed\n", num_rqe); + rv = -ENOMEM; + goto err_out_xa; + } +@@ -966,9 +974,9 @@ int siw_post_receive(struct ib_qp *base_qp, const struct ib_recv_wr *wr, + unsigned long flags; + int rv = 0; + +- if (qp->srq) { ++ if (qp->srq || qp->attrs.rq_size == 0) { + *bad_wr = wr; +- return -EOPNOTSUPP; /* what else from errno.h? */ ++ return -EINVAL; + } + if (!rdma_is_kernel_res(&qp->base_qp.res)) { + siw_dbg_qp(qp, "no kernel post_recv for user mapped rq\n"); +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-siw-Properly-check-send-and-receive-CQ-pointers.patch b/patches.suse/RDMA-siw-Properly-check-send-and-receive-CQ-pointers.patch new file mode 100644 index 0000000..aba3667 --- /dev/null +++ b/patches.suse/RDMA-siw-Properly-check-send-and-receive-CQ-pointers.patch @@ -0,0 +1,61 @@ +From a568814a55a0e82bbc7c7b51333d0c38e8fb5520 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Sun, 9 May 2021 14:39:21 +0300 +Subject: [PATCH 1/1] RDMA/siw: Properly check send and receive CQ pointers +Git-commit: a568814a55a0e82bbc7c7b51333d0c38e8fb5520 +Patch-mainline: v5.13 +References: git-fixes + +The check for the NULL of pointer received from container_of() is +incorrect by definition as it points to some offset from NULL. + +Change such check with proper NULL check of SIW QP attributes. + +Fixes: 303ae1cdfdf7 ("rdma/siw: application interface") +Link: https://lore.kernel.org/r/a7535a82925f6f4c1f062abaa294f3ae6e54bdd2.1620560310.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Reviewed-by: Bernard Metzler +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/siw/siw_verbs.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c +index d2313efb26db..917c8a919f38 100644 +--- a/drivers/infiniband/sw/siw/siw_verbs.c ++++ b/drivers/infiniband/sw/siw/siw_verbs.c +@@ -300,7 +300,6 @@ struct ib_qp *siw_create_qp(struct ib_pd *pd, + struct siw_ucontext *uctx = + rdma_udata_to_drv_context(udata, struct siw_ucontext, + base_ucontext); +- struct siw_cq *scq = NULL, *rcq = NULL; + unsigned long flags; + int num_sqe, num_rqe, rv = 0; + size_t length; +@@ -343,10 +342,8 @@ struct ib_qp *siw_create_qp(struct ib_pd *pd, + rv = -EINVAL; + goto err_out; + } +- scq = to_siw_cq(attrs->send_cq); +- rcq = to_siw_cq(attrs->recv_cq); + +- if (!scq || (!rcq && !attrs->srq)) { ++ if (!attrs->send_cq || (!attrs->recv_cq && !attrs->srq)) { + siw_dbg(base_dev, "send CQ or receive CQ invalid\n"); + rv = -EINVAL; + goto err_out; +@@ -401,8 +398,8 @@ struct ib_qp *siw_create_qp(struct ib_pd *pd, + } + } + qp->pd = pd; +- qp->scq = scq; +- qp->rcq = rcq; ++ qp->scq = to_siw_cq(attrs->send_cq); ++ qp->rcq = to_siw_cq(attrs->recv_cq); + + if (attrs->srq) { + /* +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-usnic-Fix-memleak-in-find_free_vf_and_create_qp.patch b/patches.suse/RDMA-usnic-Fix-memleak-in-find_free_vf_and_create_qp.patch new file mode 100644 index 0000000..149a4f1 --- /dev/null +++ b/patches.suse/RDMA-usnic-Fix-memleak-in-find_free_vf_and_create_qp.patch @@ -0,0 +1,45 @@ +From a306aba9c8d869b1fdfc8ad9237f1ed718ea55e6 Mon Sep 17 00:00:00 2001 +From: Dinghao Liu +Date: Sat, 26 Dec 2020 15:42:48 +0800 +Subject: [PATCH 1/1] RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp +Git-commit: a306aba9c8d869b1fdfc8ad9237f1ed718ea55e6 +Patch-mainline: v5.11 +References: git-fixes + +If usnic_ib_qp_grp_create() fails at the first call, dev_list +will not be freed on error, which leads to memleak. + +Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver") +Link: https://lore.kernel.org/r/20201226074248.2893-1-dinghao.liu@zju.edu.cn +Signed-off-by: Dinghao Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +index 38a37770c016..3705c6b8b223 100644 +--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c ++++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +@@ -214,6 +214,7 @@ find_free_vf_and_create_qp_grp(struct usnic_ib_dev *us_ibdev, + + } + usnic_uiom_free_dev_list(dev_list); ++ dev_list = NULL; + } + + /* Try to find resources on an unused vf */ +@@ -239,6 +240,8 @@ find_free_vf_and_create_qp_grp(struct usnic_ib_dev *us_ibdev, + qp_grp_check: + if (IS_ERR_OR_NULL(qp_grp)) { + usnic_err("Failed to allocate qp_grp\n"); ++ if (usnic_ib_share_vf) ++ usnic_uiom_free_dev_list(dev_list); + return ERR_PTR(qp_grp ? PTR_ERR(qp_grp) : -ENOMEM); + } + return qp_grp; +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-uverbs-Fix-a-NULL-vs-IS_ERR-bug.patch b/patches.suse/RDMA-uverbs-Fix-a-NULL-vs-IS_ERR-bug.patch new file mode 100644 index 0000000..b3aa4dc --- /dev/null +++ b/patches.suse/RDMA-uverbs-Fix-a-NULL-vs-IS_ERR-bug.patch @@ -0,0 +1,39 @@ +From 463a3f66473b58d71428a1c3ce69ea52c05440e5 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 14 May 2021 17:18:10 +0300 +Subject: [PATCH 1/1] RDMA/uverbs: Fix a NULL vs IS_ERR() bug +Git-commit: 463a3f66473b58d71428a1c3ce69ea52c05440e5 +Patch-mainline: v5.13 +References: git-fixes + +The uapi_get_object() function returns error pointers, it never returns +NULL. + +Fixes: 149d3845f4a5 ("RDMA/uverbs: Add a method to introspect handles in a context") +Link: https://lore.kernel.org/r/YJ6Got+U7lz+3n9a@mwanda +Signed-off-by: Dan Carpenter +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/uverbs_std_types_device.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/uverbs_std_types_device.c b/drivers/infiniband/core/uverbs_std_types_device.c +index a03021d94e11..049684880ae0 100644 +--- a/drivers/infiniband/core/uverbs_std_types_device.c ++++ b/drivers/infiniband/core/uverbs_std_types_device.c +@@ -117,8 +117,8 @@ static int UVERBS_HANDLER(UVERBS_METHOD_INFO_HANDLES)( + return ret; + + uapi_object = uapi_get_object(attrs->ufile->device->uapi, object_id); +- if (!uapi_object) +- return -EINVAL; ++ if (IS_ERR(uapi_object)) ++ return PTR_ERR(uapi_object); + + handles = gather_objects_handle(attrs->ufile, uapi_object, attrs, + out_len, &total); +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RDMA-uverbs-Tidy-input-validation-of-ib_uverbs_rereg.patch b/patches.suse/RDMA-uverbs-Tidy-input-validation-of-ib_uverbs_rereg.patch new file mode 100644 index 0000000..0707869 --- /dev/null +++ b/patches.suse/RDMA-uverbs-Tidy-input-validation-of-ib_uverbs_rereg.patch @@ -0,0 +1,51 @@ +From b9653b31d7767b7dccc8b24b660301be90449036 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Mon, 30 Nov 2020 09:58:35 +0200 +Subject: [PATCH 1/1] RDMA/uverbs: Tidy input validation of +Git-commit: b9653b31d7767b7dccc8b24b660301be90449036 +Patch-mainline: v5.11 +References: git-fixes + ib_uverbs_rereg_mr() + +Unknown flags should be EOPNOTSUPP, only zero flags is EINVAL. Flags is +actually the rereg action to perform. + +The checking of the start/hca_va/etc is also redundant and ib_umem_get() +does these checks and returns proper error codes. + +Fixes: 7e6edb9b2e0b ("IB/core: Add user MR re-registration support") +Link: https://lore.kernel.org/r/20201130075839.278575-2-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/uverbs_cmd.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c +index 402d0b8bf58e..143a0e33fe52 100644 +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -783,13 +783,15 @@ static int ib_uverbs_rereg_mr(struct uverbs_attr_bundle *attrs) + if (ret) + return ret; + +- if (cmd.flags & ~IB_MR_REREG_SUPPORTED || !cmd.flags) ++ if (!cmd.flags) + return -EINVAL; + ++ if (cmd.flags & ~IB_MR_REREG_SUPPORTED) ++ return -EOPNOTSUPP; ++ + if ((cmd.flags & IB_MR_REREG_TRANS) && +- (!cmd.start || !cmd.hca_va || 0 >= cmd.length || +- (cmd.start & ~PAGE_MASK) != (cmd.hca_va & ~PAGE_MASK))) +- return -EINVAL; ++ (cmd.start & ~PAGE_MASK) != (cmd.hca_va & ~PAGE_MASK)) ++ return -EINVAL; + + uobj = uobj_get_write(UVERBS_OBJECT_MR, cmd.mr_handle, attrs); + if (IS_ERR(uobj)) +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/RMDA-sw-Don-t-allow-drivers-using-dma_virt_ops-on-hi.patch b/patches.suse/RMDA-sw-Don-t-allow-drivers-using-dma_virt_ops-on-hi.patch new file mode 100644 index 0000000..f1236e8 --- /dev/null +++ b/patches.suse/RMDA-sw-Don-t-allow-drivers-using-dma_virt_ops-on-hi.patch @@ -0,0 +1,84 @@ +From b1e678bf290db5a76f1b6a9f7c381310e03440d6 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 6 Nov 2020 19:19:32 +0100 +Subject: [PATCH 1/1] RMDA/sw: Don't allow drivers using dma_virt_ops on +Git-commit: b1e678bf290db5a76f1b6a9f7c381310e03440d6 +Patch-mainline: v5.10 +References: git-fixes + +dma_virt_ops requires that all pages have a kernel virtual address. +Introduce a INFINIBAND_VIRT_DMA Kconfig symbol that depends on !HIGHMEM +and make all three drivers depend on the new symbol. + +Also remove the ARCH_DMA_ADDR_T_64BIT dependency, which has been obsolete +since commit 4965a68780c5 ("arch: define the ARCH_DMA_ADDR_T_64BIT config +symbol in lib/Kconfig") + +Fixes: 551199aca1c3 ("lib/dma-virt: Add dma_virt_ops") +Link: https://lore.kernel.org/r/20201106181941.1878556-2-hch@lst.de +Signed-off-by: Christoph Hellwig +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/Kconfig | 3 +++ + drivers/infiniband/sw/rdmavt/Kconfig | 3 ++- + drivers/infiniband/sw/rxe/Kconfig | 2 +- + drivers/infiniband/sw/siw/Kconfig | 1 + + 4 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/Kconfig b/drivers/infiniband/Kconfig +index 32a51432ec4f..9325e189a215 100644 +--- a/drivers/infiniband/Kconfig ++++ b/drivers/infiniband/Kconfig +@@ -73,6 +73,9 @@ config INFINIBAND_ADDR_TRANS_CONFIGFS + This allows the user to config the default GID type that the CM + uses for each device, when initiaing new connections. + ++config INFINIBAND_VIRT_DMA ++ def_bool !HIGHMEM ++ + if INFINIBAND_USER_ACCESS || !INFINIBAND_USER_ACCESS + source "drivers/infiniband/hw/mthca/Kconfig" + source "drivers/infiniband/hw/qib/Kconfig" +diff --git a/drivers/infiniband/sw/rdmavt/Kconfig b/drivers/infiniband/sw/rdmavt/Kconfig +index 9ef5f5ce1ff6..c8e268082952 100644 +--- a/drivers/infiniband/sw/rdmavt/Kconfig ++++ b/drivers/infiniband/sw/rdmavt/Kconfig +@@ -1,7 +1,8 @@ + # SPDX-License-Identifier: GPL-2.0-only + config INFINIBAND_RDMAVT + tristate "RDMA verbs transport library" +- depends on X86_64 && ARCH_DMA_ADDR_T_64BIT ++ depends on INFINIBAND_VIRT_DMA ++ depends on X86_64 + depends on PCI + select DMA_VIRT_OPS + ---help--- +diff --git a/drivers/infiniband/sw/rxe/Kconfig b/drivers/infiniband/sw/rxe/Kconfig +index a0c6c7dfc181..8810bfa68049 100644 +--- a/drivers/infiniband/sw/rxe/Kconfig ++++ b/drivers/infiniband/sw/rxe/Kconfig +@@ -2,7 +2,7 @@ + config RDMA_RXE + tristate "Software RDMA over Ethernet (RoCE) driver" + depends on INET && PCI && INFINIBAND +- depends on !64BIT || ARCH_DMA_ADDR_T_64BIT ++ depends on INFINIBAND_VIRT_DMA + select NET_UDP_TUNNEL + select CRYPTO_CRC32 + select DMA_VIRT_OPS +diff --git a/drivers/infiniband/sw/siw/Kconfig b/drivers/infiniband/sw/siw/Kconfig +index b622fc62f2cd..3450ba5081df 100644 +--- a/drivers/infiniband/sw/siw/Kconfig ++++ b/drivers/infiniband/sw/siw/Kconfig +@@ -1,6 +1,7 @@ + config RDMA_SIW + tristate "Software RDMA over TCP/IP (iWARP) driver" + depends on INET && INFINIBAND && LIBCRC32C ++ depends on INFINIBAND_VIRT_DMA + select DMA_VIRT_OPS + help + This driver implements the iWARP RDMA transport over +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/USB-core-Fix-hang-in-usb_kill_urb-by-adding-memory-b.patch b/patches.suse/USB-core-Fix-hang-in-usb_kill_urb-by-adding-memory-b.patch new file mode 100644 index 0000000..77eba33 --- /dev/null +++ b/patches.suse/USB-core-Fix-hang-in-usb_kill_urb-by-adding-memory-b.patch @@ -0,0 +1,137 @@ +From 26fbe9772b8c459687930511444ce443011f86bf Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 24 Jan 2022 15:23:45 -0500 +Subject: [PATCH] USB: core: Fix hang in usb_kill_urb by adding memory barriers +Git-commit: 26fbe9772b8c459687930511444ce443011f86bf +Patch-mainline: v5.17-rc2 +References: git-fixes + +The syzbot fuzzer has identified a bug in which processes hang waiting +for usb_kill_urb() to return. It turns out the issue is not unlinking +the URB; that works just fine. Rather, the problem arises when the +wakeup notification that the URB has completed is not received. + +The reason is memory-access ordering on SMP systems. In outline form, +usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on +different CPUs perform the following actions: + +CPU 0 CPU 1 + +Acked-by: Takashi Iwai + +---------------------------- --------------------------------- +usb_kill_urb(): __usb_hcd_giveback_urb(): + ... ... + atomic_inc(&urb->reject); atomic_dec(&urb->use_count); + ... ... + wait_event(usb_kill_urb_queue, + atomic_read(&urb->use_count) == 0); + if (atomic_read(&urb->reject)) + wake_up(&usb_kill_urb_queue); + +Confining your attention to urb->reject and urb->use_count, you can +see that the overall pattern of accesses on CPU 0 is: + + write urb->reject, then read urb->use_count; + +whereas the overall pattern of accesses on CPU 1 is: + + write urb->use_count, then read urb->reject. + +This pattern is referred to in memory-model circles as SB (for "Store +Buffering"), and it is well known that without suitable enforcement of +the desired order of accesses -- in the form of memory barriers -- it +is entirely possible for one or both CPUs to execute their reads ahead +of their writes. The end result will be that sometimes CPU 0 sees the +old un-decremented value of urb->use_count while CPU 1 sees the old +un-incremented value of urb->reject. Consequently CPU 0 ends up on +the wait queue and never gets woken up, leading to the observed hang +in usb_kill_urb(). + +The same pattern of accesses occurs in usb_poison_urb() and the +failure pathway of usb_hcd_submit_urb(). + +The problem is fixed by adding suitable memory barriers. To provide +proper memory-access ordering in the SB pattern, a full barrier is +required on both CPUs. The atomic_inc() and atomic_dec() accesses +themselves don't provide any memory ordering, but since they are +present, we can use the optimized smp_mb__after_atomic() memory +barrier in the various routines to obtain the desired effect. + +This patch adds the necessary memory barriers. + +CC: +Reported-and-tested-by: syzbot+76629376e06e2c2ad626@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/Ye8K0QYee0Q0Nna2@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hcd.c | 14 ++++++++++++++ + drivers/usb/core/urb.c | 12 ++++++++++++ + 2 files changed, 26 insertions(+) + +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 3e01dd6e509b..d9712c2602af 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -1563,6 +1563,13 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) + urb->hcpriv = NULL; + INIT_LIST_HEAD(&urb->urb_list); + atomic_dec(&urb->use_count); ++ /* ++ * Order the write of urb->use_count above before the read ++ * of urb->reject below. Pairs with the memory barriers in ++ * usb_kill_urb() and usb_poison_urb(). ++ */ ++ smp_mb__after_atomic(); ++ + atomic_dec(&urb->dev->urbnum); + if (atomic_read(&urb->reject)) + wake_up(&usb_kill_urb_queue); +@@ -1665,6 +1672,13 @@ static void __usb_hcd_giveback_urb(struct urb *urb) + + usb_anchor_resume_wakeups(anchor); + atomic_dec(&urb->use_count); ++ /* ++ * Order the write of urb->use_count above before the read ++ * of urb->reject below. Pairs with the memory barriers in ++ * usb_kill_urb() and usb_poison_urb(). ++ */ ++ smp_mb__after_atomic(); ++ + if (unlikely(atomic_read(&urb->reject))) + wake_up(&usb_kill_urb_queue); + usb_put_urb(urb); +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c +index 30727729a44c..33d62d7e3929 100644 +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -715,6 +715,12 @@ void usb_kill_urb(struct urb *urb) + if (!(urb && urb->dev && urb->ep)) + return; + atomic_inc(&urb->reject); ++ /* ++ * Order the write of urb->reject above before the read ++ * of urb->use_count below. Pairs with the barriers in ++ * __usb_hcd_giveback_urb() and usb_hcd_submit_urb(). ++ */ ++ smp_mb__after_atomic(); + + usb_hcd_unlink_urb(urb, -ENOENT); + wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); +@@ -756,6 +762,12 @@ void usb_poison_urb(struct urb *urb) + if (!urb) + return; + atomic_inc(&urb->reject); ++ /* ++ * Order the write of urb->reject above before the read ++ * of urb->use_count below. Pairs with the barriers in ++ * __usb_hcd_giveback_urb() and usb_hcd_submit_urb(). ++ */ ++ smp_mb__after_atomic(); + + if (!urb->dev || !urb->ep) + return; +-- +2.31.1 + diff --git a/patches.suse/USB-serial-mos7840-fix-probe-error-handling.patch b/patches.suse/USB-serial-mos7840-fix-probe-error-handling.patch new file mode 100644 index 0000000..d52075f --- /dev/null +++ b/patches.suse/USB-serial-mos7840-fix-probe-error-handling.patch @@ -0,0 +1,167 @@ +From 960fbd1ca584a5b4cd818255769769d42bfc6dbe Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 7 Nov 2019 14:28:56 +0100 +Subject: [PATCH] USB: serial: mos7840: fix probe error handling +Git-commit: 960fbd1ca584a5b4cd818255769769d42bfc6dbe +References: git-fixes +Patch-mainline: v5.5-rc1 + +The driver would return success and leave the port structures +half-initialised if any of the register accesses during probe fails. + +This would specifically leave the port control urb unallocated, +something which could trigger a NULL pointer dereference on interrupt +events. + +Fortunately the interrupt implementation is completely broken and has +never even been enabled... + +Note that the zero-length-enable register write used to set the zle-flag +for all ports is moved to attach. + +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/mos7840.c | 48 +++++++++++++++++++++--------------- + 1 file changed, 28 insertions(+), 20 deletions(-) + +diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c +index 6de41a3c2dab..ddd8db3be110 100644 +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -2066,6 +2066,23 @@ static int mos7840_calc_num_ports(struct usb_serial *serial, + return num_ports; + } + ++static int mos7840_attach(struct usb_serial *serial) ++{ ++ struct device *dev = &serial->interface->dev; ++ int status; ++ u16 val; ++ ++ /* Zero Length flag enable */ ++ val = 0x0f; ++ status = mos7840_set_reg_sync(serial->port[0], ZLP_REG5, val); ++ if (status < 0) ++ dev_dbg(dev, "Writing ZLP_REG5 failed status-0x%x\n", status); ++ else ++ dev_dbg(dev, "ZLP_REG5 Writing success status%d\n", status); ++ ++ return status; ++} ++ + static int mos7840_port_probe(struct usb_serial_port *port) + { + struct usb_serial *serial = port->serial; +@@ -2123,7 +2140,7 @@ static int mos7840_port_probe(struct usb_serial_port *port) + mos7840_port->ControlRegOffset, &Data); + if (status < 0) { + dev_dbg(&port->dev, "Reading ControlReg failed status-0x%x\n", status); +- goto out; ++ goto error; + } else + dev_dbg(&port->dev, "ControlReg Reading success val is %x, status%d\n", Data, status); + Data |= 0x08; /* setting driver done bit */ +@@ -2135,7 +2152,7 @@ static int mos7840_port_probe(struct usb_serial_port *port) + mos7840_port->ControlRegOffset, Data); + if (status < 0) { + dev_dbg(&port->dev, "Writing ControlReg failed(rx_disable) status-0x%x\n", status); +- goto out; ++ goto error; + } else + dev_dbg(&port->dev, "ControlReg Writing success(rx_disable) status%d\n", status); + +@@ -2146,7 +2163,7 @@ static int mos7840_port_probe(struct usb_serial_port *port) + (__u16) (mos7840_port->DcrRegOffset + 0), Data); + if (status < 0) { + dev_dbg(&port->dev, "Writing DCR0 failed status-0x%x\n", status); +- goto out; ++ goto error; + } else + dev_dbg(&port->dev, "DCR0 Writing success status%d\n", status); + +@@ -2155,7 +2172,7 @@ static int mos7840_port_probe(struct usb_serial_port *port) + (__u16) (mos7840_port->DcrRegOffset + 1), Data); + if (status < 0) { + dev_dbg(&port->dev, "Writing DCR1 failed status-0x%x\n", status); +- goto out; ++ goto error; + } else + dev_dbg(&port->dev, "DCR1 Writing success status%d\n", status); + +@@ -2164,7 +2181,7 @@ static int mos7840_port_probe(struct usb_serial_port *port) + (__u16) (mos7840_port->DcrRegOffset + 2), Data); + if (status < 0) { + dev_dbg(&port->dev, "Writing DCR2 failed status-0x%x\n", status); +- goto out; ++ goto error; + } else + dev_dbg(&port->dev, "DCR2 Writing success status%d\n", status); + +@@ -2173,7 +2190,7 @@ static int mos7840_port_probe(struct usb_serial_port *port) + status = mos7840_set_reg_sync(port, CLK_START_VALUE_REGISTER, Data); + if (status < 0) { + dev_dbg(&port->dev, "Writing CLK_START_VALUE_REGISTER failed status-0x%x\n", status); +- goto out; ++ goto error; + } else + dev_dbg(&port->dev, "CLK_START_VALUE_REGISTER Writing success status%d\n", status); + +@@ -2190,7 +2207,7 @@ static int mos7840_port_probe(struct usb_serial_port *port) + status = mos7840_set_uart_reg(port, SCRATCH_PAD_REGISTER, Data); + if (status < 0) { + dev_dbg(&port->dev, "Writing SCRATCH_PAD_REGISTER failed status-0x%x\n", status); +- goto out; ++ goto error; + } else + dev_dbg(&port->dev, "SCRATCH_PAD_REGISTER Writing success status%d\n", status); + +@@ -2204,7 +2221,7 @@ static int mos7840_port_probe(struct usb_serial_port *port) + (__u16)(ZLP_REG1 + ((__u16) mos7840_port->port_num))); + if (status < 0) { + dev_dbg(&port->dev, "Writing ZLP_REG%d failed status-0x%x\n", pnum + 2, status); +- goto out; ++ goto error; + } else + dev_dbg(&port->dev, "ZLP_REG%d Writing success status%d\n", pnum + 2, status); + } else { +@@ -2216,7 +2233,7 @@ static int mos7840_port_probe(struct usb_serial_port *port) + (__u16)(ZLP_REG1 + ((__u16) mos7840_port->port_num) - 0x1)); + if (status < 0) { + dev_dbg(&port->dev, "Writing ZLP_REG%d failed status-0x%x\n", pnum + 1, status); +- goto out; ++ goto error; + } else + dev_dbg(&port->dev, "ZLP_REG%d Writing success status%d\n", pnum + 1, status); + +@@ -2254,17 +2271,7 @@ static int mos7840_port_probe(struct usb_serial_port *port) + /* Turn off LED */ + mos7840_set_led_sync(port, MODEM_CONTROL_REGISTER, 0x0300); + } +-out: +- if (pnum == serial->num_ports - 1) { +- /* Zero Length flag enable */ +- Data = 0x0f; +- status = mos7840_set_reg_sync(serial->port[0], ZLP_REG5, Data); +- if (status < 0) { +- dev_dbg(&port->dev, "Writing ZLP_REG5 failed status-0x%x\n", status); +- goto error; +- } else +- dev_dbg(&port->dev, "ZLP_REG5 Writing success status%d\n", status); +- } ++ + return 0; + error: + kfree(mos7840_port->led_dr); +@@ -2320,6 +2327,7 @@ static struct usb_serial_driver moschip7840_4port_device = { + .unthrottle = mos7840_unthrottle, + .calc_num_ports = mos7840_calc_num_ports, + .probe = mos7840_probe, ++ .attach = mos7840_attach, + .ioctl = mos7840_ioctl, + .get_serial = mos7840_get_serial_info, + .set_termios = mos7840_set_termios, +-- +2.34.1 + diff --git a/patches.suse/blk-cgroup-fix-missing-put-device-in-error-path-from.patch b/patches.suse/blk-cgroup-fix-missing-put-device-in-error-path-from.patch new file mode 100644 index 0000000..889398a --- /dev/null +++ b/patches.suse/blk-cgroup-fix-missing-put-device-in-error-path-from.patch @@ -0,0 +1,54 @@ +From 15c30104965101b8e76b24d27035569d6613a7d6 Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Tue, 2 Nov 2021 10:07:05 +0800 +Subject: [PATCH] blk-cgroup: fix missing put device in error path from + blkg_conf_pref() +Git-commit: 15c30104965101b8e76b24d27035569d6613a7d6 +Patch-mainline: v5.16-rc2 +References: bsc#1195481 + +If blk_queue_enter() failed due to queue is dying, the +blkdev_put_no_open() is needed because blkcg_conf_open_bdev() succeeded. + +Fixes: 0c9d338c8443 ("blk-cgroup: synchronize blkg creation against policy deactivation") +Signed-off-by: Yu Kuai +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20211102020705.2321858-1-yukuai3@huawei.com +Signed-off-by: Jens Axboe +Acked-by: Jan Kara + +--- + block/blk-cgroup.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -617,7 +617,7 @@ int blkg_conf_prep(struct blkcg *blkcg, + */ + ret = blk_queue_enter(q, 0); + if (ret) +- return ret; ++ goto fail; + + rcu_read_lock(); + spin_lock_irq(&q->queue_lock); +@@ -653,7 +653,7 @@ int blkg_conf_prep(struct blkcg *blkcg, + new_blkg = blkg_alloc(pos, q, GFP_KERNEL); + if (unlikely(!new_blkg)) { + ret = -ENOMEM; +- goto fail; ++ goto fail_exit_queue; + } + + rcu_read_lock(); +@@ -688,8 +688,9 @@ success: + fail_unlock: + spin_unlock_irq(&q->queue_lock); + rcu_read_unlock(); +-fail: ++fail_exit_queue: + blk_queue_exit(q); ++fail: + put_disk_and_module(disk); + /* + * If queue was bypassing, we should retry. Do so after a diff --git a/patches.suse/blk-mq-introduce-blk_mq_set_request_complete.patch b/patches.suse/blk-mq-introduce-blk_mq_set_request_complete.patch new file mode 100644 index 0000000..54ed326 --- /dev/null +++ b/patches.suse/blk-mq-introduce-blk_mq_set_request_complete.patch @@ -0,0 +1,44 @@ +From: Chao Leng +Date: Mon, 1 Feb 2021 11:49:38 +0800 +Subject: [PATCH] blk-mq: introduce blk_mq_set_request_complete +Git-commit: 83fba8c8114748a18e20391565cfdfdf8466075c +Patch-mainline: v5.12-rc1 +References: git-fixes + +nvme drivers need to set the state of request to MQ_RQ_COMPLETE when +directly complete request in queue_rq. +So add blk_mq_set_request_complete. + +Signed-off-by: Chao Leng +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + include/linux/blk-mq.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h +index aabbf6830ffc..2c473c9b8990 100644 +--- a/include/linux/blk-mq.h ++++ b/include/linux/blk-mq.h +@@ -490,6 +490,18 @@ static inline int blk_mq_request_completed(struct request *rq) + return blk_mq_rq_state(rq) == MQ_RQ_COMPLETE; + } + ++/* ++ * ++ * Set the state to complete when completing a request from inside ->queue_rq. ++ * This is used by drivers that want to ensure special complete actions that ++ * need access to the request are called on failure, e.g. by nvme for ++ * multipathing. ++ */ ++static inline void blk_mq_set_request_complete(struct request *rq) ++{ ++ WRITE_ONCE(rq->state, MQ_RQ_COMPLETE); ++} ++ + void blk_mq_start_request(struct request *rq); + void blk_mq_end_request(struct request *rq, blk_status_t error); + void __blk_mq_end_request(struct request *rq, blk_status_t error); +-- +2.29.2 + diff --git a/patches.suse/dma-buf-heaps-Fix-potential-spectre-v1-gadget.patch b/patches.suse/dma-buf-heaps-Fix-potential-spectre-v1-gadget.patch new file mode 100644 index 0000000..c3cb4ef --- /dev/null +++ b/patches.suse/dma-buf-heaps-Fix-potential-spectre-v1-gadget.patch @@ -0,0 +1,48 @@ +From 92c4cfaee6872038563c5b6f2e8e613f9d84d47d Mon Sep 17 00:00:00 2001 +From: Jordy Zomer +Date: Sat, 29 Jan 2022 16:06:04 +0100 +Subject: [PATCH] dma-buf: heaps: Fix potential spectre v1 gadget +Git-commit: 92c4cfaee6872038563c5b6f2e8e613f9d84d47d +Patch-mainline: v5.17-rc3 +References: git-fixes + +It appears like nr could be a Spectre v1 gadget as it's supplied by a +user and used as an array index. Prevent the contents +of kernel memory from being leaked to userspace via speculative +execution by using array_index_nospec. + +Signed-off-by: Jordy Zomer +Fixes: c02a81fba74f ("dma-buf: Add dma-buf heaps framework") +Cc: # v5.6+ +Acked-by: John Stultz +Signed-off-by: Sumit Semwal [sumits: added fixes and cc: stable tags] +Link: https://patchwork.freedesktop.org/patch/msgid/20220129150604.3461652-1-jordy@pwning.systems +Acked-by: Takashi Iwai + +--- + drivers/dma-buf/dma-heap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/dma-buf/dma-heap.c b/drivers/dma-buf/dma-heap.c +index 56bf5ad01ad5..8f5848aa144f 100644 +--- a/drivers/dma-buf/dma-heap.c ++++ b/drivers/dma-buf/dma-heap.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -135,6 +136,7 @@ static long dma_heap_ioctl(struct file *file, unsigned int ucmd, + if (nr >= ARRAY_SIZE(dma_heap_ioctl_cmds)) + return -EINVAL; + ++ nr = array_index_nospec(nr, ARRAY_SIZE(dma_heap_ioctl_cmds)); + /* Get the kernel ioctl cmd that matches */ + kcmd = dma_heap_ioctl_cmds[nr]; + +-- +2.31.1 + diff --git a/patches.suse/drm-i915-overlay-Prevent-divide-by-zero-bugs-in-scal.patch b/patches.suse/drm-i915-overlay-Prevent-divide-by-zero-bugs-in-scal.patch new file mode 100644 index 0000000..059a2e0 --- /dev/null +++ b/patches.suse/drm-i915-overlay-Prevent-divide-by-zero-bugs-in-scal.patch @@ -0,0 +1,51 @@ +From 90a3d22ff02b196d5884e111f39271a1d4ee8e3e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 24 Jan 2022 15:24:09 +0300 +Subject: [PATCH] drm/i915/overlay: Prevent divide by zero bugs in scaling +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 90a3d22ff02b196d5884e111f39271a1d4ee8e3e +Patch-mainline: v5.17-rc3 +Alt-commit: cf5b64f7f10b28bebb9b7c9d25e7aee5cbe43918 +References: git-fixes + +Smatch detected a divide by zero bug in check_overlay_scaling(). + + drivers/gpu/drm/i915/display/intel_overlay.c:976 check_overlay_scaling() + error: potential divide by zero bug '/ rec->dst_height'. + drivers/gpu/drm/i915/display/intel_overlay.c:980 check_overlay_scaling() + error: potential divide by zero bug '/ rec->dst_width'. + +Prevent this by ensuring that the dst height and width are non-zero. + +Fixes: 02e792fbaadb ("drm/i915: implement drmmode overlay support v4") +Signed-off-by: Dan Carpenter +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220124122409.GA31673@kili +(cherry picked from commit cf5b64f7f10b28bebb9b7c9d25e7aee5cbe43918) + +Signed-off-by: Tvrtko Ursulin +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/display/intel_overlay.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/i915/display/intel_overlay.c b/drivers/gpu/drm/i915/display/intel_overlay.c +index 1a376e9a1ff3..d610e48cab94 100644 +--- a/drivers/gpu/drm/i915/display/intel_overlay.c ++++ b/drivers/gpu/drm/i915/display/intel_overlay.c +@@ -959,6 +959,9 @@ static int check_overlay_dst(struct intel_overlay *overlay, + const struct intel_crtc_state *pipe_config = + overlay->crtc->config; + ++ if (rec->dst_height == 0 || rec->dst_width == 0) ++ return -EINVAL; ++ + if (rec->dst_x < pipe_config->pipe_src_w && + rec->dst_x + rec->dst_width <= pipe_config->pipe_src_w && + rec->dst_y < pipe_config->pipe_src_h && +-- +2.31.1 + diff --git a/patches.suse/drm-msm-dsi-Fix-missing-put_device-call-in-dsi_get_p.patch b/patches.suse/drm-msm-dsi-Fix-missing-put_device-call-in-dsi_get_p.patch new file mode 100644 index 0000000..928d0fb --- /dev/null +++ b/patches.suse/drm-msm-dsi-Fix-missing-put_device-call-in-dsi_get_p.patch @@ -0,0 +1,44 @@ +From c04c3148ca12227d92f91b355b4538cc333c9922 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 30 Dec 2021 07:09:40 +0000 +Subject: [PATCH] drm/msm/dsi: Fix missing put_device() call in dsi_get_phy +Git-commit: c04c3148ca12227d92f91b355b4538cc333c9922 +Patch-mainline: v5.17-rc2 +References: git-fixes + +If of_find_device_by_node() succeeds, dsi_get_phy() doesn't +a corresponding put_device(). Thus add put_device() to fix the exception +handling. + +Fixes: ec31abf ("drm/msm/dsi: Separate PHY to another platform device") +Signed-off-by: Miaoqian Lin +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20211230070943.18116-1-linmq006@gmail.com +Signed-off-by: Dmitry Baryshkov +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/msm/dsi/dsi.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi.c b/drivers/gpu/drm/msm/dsi/dsi.c +index 052548883d27..0fe02529b5e7 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi.c ++++ b/drivers/gpu/drm/msm/dsi/dsi.c +@@ -40,7 +40,12 @@ static int dsi_get_phy(struct msm_dsi *msm_dsi) + + of_node_put(phy_node); + +- if (!phy_pdev || !msm_dsi->phy) { ++ if (!phy_pdev) { ++ DRM_DEV_ERROR(&pdev->dev, "%s: phy driver is not ready\n", __func__); ++ return -EPROBE_DEFER; ++ } ++ if (!msm_dsi->phy) { ++ put_device(&phy_pdev->dev); + DRM_DEV_ERROR(&pdev->dev, "%s: phy driver is not ready\n", __func__); + return -EPROBE_DEFER; + } +-- +2.31.1 + diff --git a/patches.suse/drm-nouveau-fix-off-by-one-in-BIOS-boundary-checking.patch b/patches.suse/drm-nouveau-fix-off-by-one-in-BIOS-boundary-checking.patch new file mode 100644 index 0000000..2f9047c --- /dev/null +++ b/patches.suse/drm-nouveau-fix-off-by-one-in-BIOS-boundary-checking.patch @@ -0,0 +1,47 @@ +From 1b777d4d9e383d2744fc9b3a09af6ec1893c8b1a Mon Sep 17 00:00:00 2001 +From: Nick Lopez +Date: Sat, 22 Jan 2022 01:19:06 -0700 +Subject: [PATCH] drm/nouveau: fix off by one in BIOS boundary checking +Git-commit: 1b777d4d9e383d2744fc9b3a09af6ec1893c8b1a +Patch-mainline: v5.17-rc3 +References: git-fixes + +Bounds checking when parsing init scripts embedded in the BIOS reject +access to the last byte. This causes driver initialization to fail on +Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working +console. + +This is probably only seen on OpenFirmware machines like PowerPC Macs +because the BIOS image provided by OF is only the used parts of the ROM, +not a power-of-two blocks read from PCI directly so PCs always have +empty bytes at the end that are never accessed. + +Signed-off-by: Nick Lopez +Fixes: 4d4e9907ff572 ("drm/nouveau/bios: guard against out-of-bounds accesses to image") +Cc: # v4.10+ +Reviewed-by: Ilia Mirkin +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20220122081906.2633061-1-github@glowingmonkey.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c +index d0f52d59fc2f..64e423dddd9e 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c +@@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size) + *addr += bios->imaged_addr; + } + +- if (unlikely(*addr + size >= bios->size)) { ++ if (unlikely(*addr + size > bios->size)) { + nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr); + return false; + } +-- +2.31.1 + diff --git a/patches.suse/drm-radeon-fix-error-handling-in-radeon_driver_open_.patch b/patches.suse/drm-radeon-fix-error-handling-in-radeon_driver_open_.patch index 16b7e43..120809a 100644 --- a/patches.suse/drm-radeon-fix-error-handling-in-radeon_driver_open_.patch +++ b/patches.suse/drm-radeon-fix-error-handling-in-radeon_driver_open_.patch @@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: 4722f463896cc0ef1a6f1c3cb2e171e949831249 Patch-mainline: v5.17-rc1 -References: git-fixes +References: bsc#1195142 git-fixes The return value was never initialized so the cleanup code executed when it isn't even necessary. diff --git a/patches.suse/ext4-fix-an-use-after-free-issue-about-data-journal-.patch b/patches.suse/ext4-fix-an-use-after-free-issue-about-data-journal-.patch new file mode 100644 index 0000000..b870f65 --- /dev/null +++ b/patches.suse/ext4-fix-an-use-after-free-issue-about-data-journal-.patch @@ -0,0 +1,128 @@ +From 5c48a7df91499e371ef725895b2e2d21a126e227 Mon Sep 17 00:00:00 2001 +From: Zhang Yi +Date: Sat, 25 Dec 2021 17:09:37 +0800 +Subject: [PATCH] ext4: fix an use-after-free issue about data=journal + writeback mode +Git-commit: 5c48a7df91499e371ef725895b2e2d21a126e227 +Patch-mainline: v5.17-rc1 +References: bsc#1195482 + +Our syzkaller report an use-after-free issue that accessing the freed +buffer_head on the writeback page in __ext4_journalled_writepage(). The +problem is that if there was a truncate racing with the data=journalled +writeback procedure, the writeback length could become zero and +bget_one() refuse to get buffer_head's refcount, then the truncate +procedure release buffer once we drop page lock, finally, the last +ext4_walk_page_buffers() trigger the use-after-free problem. + +sync truncate +ext4_sync_file() + file_write_and_wait_range() + ext4_setattr(0) + inode->i_size = 0 + ext4_writepage() + len = 0 + __ext4_journalled_writepage() + page_bufs = page_buffers(page) + ext4_walk_page_buffers(bget_one) <- does not get refcount + do_invalidatepage() + free_buffer_head() + ext4_walk_page_buffers(page_bufs) <- trigger use-after-free + +After commit bdf96838aea6 ("ext4: fix race between truncate and +__ext4_journalled_writepage()"), we have already handled the racing +case, so the bget_one() and bput_one() are not needed. So this patch +simply remove these hunk, and recheck the i_size to make it safe. + +Fixes: bdf96838aea6 ("ext4: fix race between truncate and __ext4_journalled_writepage()") +Signed-off-by: Zhang Yi +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211225090937.712867-1-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/inode.c | 35 ++++++++++------------------------- + 1 file changed, 10 insertions(+), 25 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2041,28 +2041,16 @@ int ext4_da_get_block_prep(struct inode + return 0; + } + +-static int bget_one(handle_t *handle, struct buffer_head *bh) +-{ +- get_bh(bh); +- return 0; +-} +- +-static int bput_one(handle_t *handle, struct buffer_head *bh) +-{ +- put_bh(bh); +- return 0; +-} +- + static int __ext4_journalled_writepage(struct page *page, + unsigned int len) + { + struct address_space *mapping = page->mapping; + struct inode *inode = mapping->host; +- struct buffer_head *page_bufs = NULL; + handle_t *handle = NULL; + int ret = 0, err = 0; + int inline_data = ext4_has_inline_data(inode); + struct buffer_head *inode_bh = NULL; ++ loff_t size; + + ClearPageChecked(page); + +@@ -2072,14 +2060,6 @@ static int __ext4_journalled_writepage(s + inode_bh = ext4_journalled_write_inline_data(inode, len, page); + if (inode_bh == NULL) + goto out; +- } else { +- page_bufs = page_buffers(page); +- if (!page_bufs) { +- BUG(); +- goto out; +- } +- ext4_walk_page_buffers(handle, page_bufs, 0, len, +- NULL, bget_one); + } + /* + * We need to release the page lock before we start the +@@ -2100,7 +2080,8 @@ static int __ext4_journalled_writepage(s + + lock_page(page); + put_page(page); +- if (page->mapping != mapping) { ++ size = i_size_read(inode); ++ if (page->mapping != mapping || page_offset(page) > size) { + /* The page got truncated from under us */ + ext4_journal_stop(handle); + ret = 0; +@@ -2110,6 +2091,13 @@ static int __ext4_journalled_writepage(s + if (inline_data) { + ret = ext4_mark_inode_dirty(handle, inode); + } else { ++ struct buffer_head *page_bufs = page_buffers(page); ++ ++ if (page->index == size >> PAGE_SHIFT) ++ len = size & ~PAGE_MASK; ++ else ++ len = PAGE_SIZE; ++ + ret = ext4_walk_page_buffers(handle, page_bufs, 0, len, NULL, + do_journal_get_write_access); + +@@ -2123,9 +2111,6 @@ static int __ext4_journalled_writepage(s + if (!ret) + ret = err; + +- if (!ext4_has_inline_data(inode)) +- ext4_walk_page_buffers(NULL, page_bufs, 0, len, +- NULL, bput_one); + ext4_set_inode_state(inode, EXT4_STATE_JDATA); + out: + unlock_page(page); diff --git a/patches.suse/ext4-make-sure-quota-gets-properly-shutdown-on-error.patch b/patches.suse/ext4-make-sure-quota-gets-properly-shutdown-on-error.patch new file mode 100644 index 0000000..3d15103 --- /dev/null +++ b/patches.suse/ext4-make-sure-quota-gets-properly-shutdown-on-error.patch @@ -0,0 +1,56 @@ +From 15fc69bbbbbc8c72e5f6cc4e1be0f51283c5448e Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 7 Oct 2021 17:53:35 +0200 +Subject: [PATCH] ext4: make sure quota gets properly shutdown on error +Git-commit: 15fc69bbbbbc8c72e5f6cc4e1be0f51283c5448e +Patch-mainline: v5.17-rc1 +References: bsc#1195480 + +When we hit an error when enabling quotas and setting inode flags, we do +not properly shutdown quota subsystem despite returning error from +Q_QUOTAON quotactl. This can lead to some odd situations like kernel +using quota file while it is still writeable for userspace. Make sure we +properly cleanup the quota subsystem in case of error. + +Signed-off-by: Jan Kara +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20211007155336.12493-2-jack@suse.cz +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/super.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index b72f8f6084e4..863a3eae505a 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6749,10 +6749,7 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, + + lockdep_set_quota_inode(path->dentry->d_inode, I_DATA_SEM_QUOTA); + err = dquot_quota_on(sb, type, format_id, path); +- if (err) { +- lockdep_set_quota_inode(path->dentry->d_inode, +- I_DATA_SEM_NORMAL); +- } else { ++ if (!err) { + struct inode *inode = d_inode(path->dentry); + handle_t *handle; + +@@ -6772,7 +6769,12 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, + ext4_journal_stop(handle); + unlock_inode: + inode_unlock(inode); ++ if (err) ++ dquot_quota_off(sb, type); + } ++ if (err) ++ lockdep_set_quota_inode(path->dentry->d_inode, ++ I_DATA_SEM_NORMAL); + return err; + } + +-- +2.31.1 + diff --git a/patches.suse/fsnotify-fix-fsnotify-hooks-in-pseudo-filesystems.patch b/patches.suse/fsnotify-fix-fsnotify-hooks-in-pseudo-filesystems.patch new file mode 100644 index 0000000..2811717 --- /dev/null +++ b/patches.suse/fsnotify-fix-fsnotify-hooks-in-pseudo-filesystems.patch @@ -0,0 +1,135 @@ +From 29044dae2e746949ad4b9cbdbfb248994d1dcdb4 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Thu, 20 Jan 2022 23:53:05 +0200 +Subject: [PATCH] fsnotify: fix fsnotify hooks in pseudo filesystems +Git-commit: 29044dae2e746949ad4b9cbdbfb248994d1dcdb4 +Patch-mainline: v5.17-rc2 +References: bsc#1195479 + +Commit 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of +d_delete()") moved the fsnotify delete hook before d_delete() so fsnotify +will have access to a positive dentry. + +This allowed a race where opening the deleted file via cached dentry +is now possible after receiving the IN_DELETE event. + +To fix the regression in pseudo filesystems, convert d_delete() calls +to d_drop() (see commit 46c46f8df9aa ("devpts_pty_kill(): don't bother +with d_delete()") and move the fsnotify hook after d_drop(). + +Add a missing fsnotify_unlink() hook in nfsdfs that was found during +the audit of fsnotify hooks in pseudo filesystems. + +Note that the fsnotify hooks in simple_recursive_removal() follow +d_invalidate(), so they require no change. + +Link: https://lore.kernel.org/r/20220120215305.282577-2-amir73il@gmail.com +Reported-by: Ivan Delalande +Link: https://lore.kernel.org/linux-fsdevel/YeNyzoDM5hP5LtGW@visor/ +Fixes: 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of d_delete()") +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/configfs/dir.c | 6 +++--- + fs/devpts/inode.c | 2 +- + fs/nfsd/nfsctl.c | 5 +++-- + net/sunrpc/rpc_pipe.c | 4 ++-- + 4 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c +index 1466b5d01cbb..d3cd2a94d1e8 100644 +--- a/fs/configfs/dir.c ++++ b/fs/configfs/dir.c +@@ -1780,8 +1780,8 @@ void configfs_unregister_group(struct config_group *group) + configfs_detach_group(&group->cg_item); + d_inode(dentry)->i_flags |= S_DEAD; + dont_mount(dentry); ++ d_drop(dentry); + fsnotify_rmdir(d_inode(parent), dentry); +- d_delete(dentry); + inode_unlock(d_inode(parent)); + + dput(dentry); +@@ -1922,10 +1922,10 @@ void configfs_unregister_subsystem(struct configfs_subsystem *subsys) + configfs_detach_group(&group->cg_item); + d_inode(dentry)->i_flags |= S_DEAD; + dont_mount(dentry); +- fsnotify_rmdir(d_inode(root), dentry); + inode_unlock(d_inode(dentry)); + +- d_delete(dentry); ++ d_drop(dentry); ++ fsnotify_rmdir(d_inode(root), dentry); + + inode_unlock(d_inode(root)); + +diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c +index 42e5a766d33c..4f25015aa534 100644 +--- a/fs/devpts/inode.c ++++ b/fs/devpts/inode.c +@@ -621,8 +621,8 @@ void devpts_pty_kill(struct dentry *dentry) + + dentry->d_fsdata = NULL; + drop_nlink(dentry->d_inode); +- fsnotify_unlink(d_inode(dentry->d_parent), dentry); + d_drop(dentry); ++ fsnotify_unlink(d_inode(dentry->d_parent), dentry); + dput(dentry); /* d_alloc_name() in devpts_pty_new() */ + } + +diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c +index b9f27fbcd768..68b020f2002b 100644 +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1247,7 +1247,8 @@ static void nfsdfs_remove_file(struct inode *dir, struct dentry *dentry) + clear_ncl(d_inode(dentry)); + dget(dentry); + ret = simple_unlink(dir, dentry); +- d_delete(dentry); ++ d_drop(dentry); ++ fsnotify_unlink(dir, dentry); + dput(dentry); + WARN_ON_ONCE(ret); + } +@@ -1338,8 +1339,8 @@ void nfsd_client_rmdir(struct dentry *dentry) + dget(dentry); + ret = simple_rmdir(dir, dentry); + WARN_ON_ONCE(ret); ++ d_drop(dentry); + fsnotify_rmdir(dir, dentry); +- d_delete(dentry); + dput(dentry); + inode_unlock(dir); + } +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c +index ee5336d73fdd..35588f0afa86 100644 +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c +@@ -600,9 +600,9 @@ static int __rpc_rmdir(struct inode *dir, struct dentry *dentry) + + dget(dentry); + ret = simple_rmdir(dir, dentry); ++ d_drop(dentry); + if (!ret) + fsnotify_rmdir(dir, dentry); +- d_delete(dentry); + dput(dentry); + return ret; + } +@@ -613,9 +613,9 @@ static int __rpc_unlink(struct inode *dir, struct dentry *dentry) + + dget(dentry); + ret = simple_unlink(dir, dentry); ++ d_drop(dentry); + if (!ret) + fsnotify_unlink(dir, dentry); +- d_delete(dentry); + dput(dentry); + return ret; + } +-- +2.31.1 + diff --git a/patches.suse/fsnotify-invalidate-dcache-before-IN_DELETE-event.patch b/patches.suse/fsnotify-invalidate-dcache-before-IN_DELETE-event.patch new file mode 100644 index 0000000..28397ff --- /dev/null +++ b/patches.suse/fsnotify-invalidate-dcache-before-IN_DELETE-event.patch @@ -0,0 +1,173 @@ +From a37d9a17f099072fe4d3a9048b0321978707a918 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Thu, 20 Jan 2022 23:53:04 +0200 +Subject: [PATCH] fsnotify: invalidate dcache before IN_DELETE event +Git-commit: a37d9a17f099072fe4d3a9048b0321978707a918 +Patch-mainline: v5.17-rc2 +References: bsc#1195478 + +Apparently, there are some applications that use IN_DELETE event as an +invalidation mechanism and expect that if they try to open a file with +the name reported with the delete event, that it should not contain the +content of the deleted file. + +Commit 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of +d_delete()") moved the fsnotify delete hook before d_delete() so fsnotify +will have access to a positive dentry. + +This allowed a race where opening the deleted file via cached dentry +is now possible after receiving the IN_DELETE event. + +To fix the regression, create a new hook fsnotify_delete() that takes +the unlinked inode as an argument and use a helper d_delete_notify() to +pin the inode, so we can pass it to fsnotify_delete() after d_delete(). + +Backporting hint: this regression is from v5.3. Although patch will +apply with only trivial conflicts to v5.4 and v5.10, it won't build, +because fsnotify_delete() implementation is different in each of those +versions (see fsnotify_link()). + +A follow up patch will fix the fsnotify_unlink/rmdir() calls in pseudo +filesystem that do not need to call d_delete(). + +Link: https://lore.kernel.org/r/20220120215305.282577-1-amir73il@gmail.com +Reported-by: Ivan Delalande +Link: https://lore.kernel.org/linux-fsdevel/YeNyzoDM5hP5LtGW@visor/ +Fixes: 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of d_delete()") +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/btrfs/ioctl.c | 6 +---- + fs/namei.c | 10 ++++----- + include/linux/fsnotify.h | 48 +++++++++++++++++++++++++++++++++++++++++------ + 3 files changed, 49 insertions(+), 15 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -2956,10 +2956,8 @@ static noinline int btrfs_ioctl_snap_des + inode_lock(inode); + err = btrfs_delete_subvolume(dir, dentry); + inode_unlock(inode); +- if (!err) { +- fsnotify_rmdir(dir, dentry); +- d_delete(dentry); +- } ++ if (!err) ++ d_delete_notify(dir, dentry); + + out_dput: + dput(dentry); +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3895,13 +3895,12 @@ int vfs_rmdir(struct inode *dir, struct + dentry->d_inode->i_flags |= S_DEAD; + dont_mount(dentry); + detach_mounts(dentry); +- fsnotify_rmdir(dir, dentry); + + out: + inode_unlock(dentry->d_inode); + dput(dentry); + if (!error) +- d_delete(dentry); ++ d_delete_notify(dir, dentry); + return error; + } + EXPORT_SYMBOL(vfs_rmdir); +@@ -4014,7 +4013,6 @@ int vfs_unlink(struct inode *dir, struct + if (!error) { + dont_mount(dentry); + detach_mounts(dentry); +- fsnotify_unlink(dir, dentry); + } + } + } +@@ -4022,9 +4020,11 @@ out: + inode_unlock(target); + + /* We don't d_delete() NFS sillyrenamed files--they still exist. */ +- if (!error && !(dentry->d_flags & DCACHE_NFSFS_RENAMED)) { ++ if (!error && dentry->d_flags & DCACHE_NFSFS_RENAMED) { ++ fsnotify_unlink(dir, dentry); ++ } else if (!error) { + fsnotify_link_count(target); +- d_delete(dentry); ++ d_delete_notify(dir, dentry); + } + + return error; +--- a/include/linux/fsnotify.h ++++ b/include/linux/fsnotify.h +@@ -192,16 +192,52 @@ static inline void fsnotify_link(struct + } + + /* ++ * fsnotify_delete - @dentry was unlinked and unhashed ++ * ++ * Caller must make sure that dentry->d_name is stable. ++ * ++ * Note: unlike fsnotify_unlink(), we have to pass also the unlinked inode ++ * as this may be called after d_delete() and old_dentry may be negative. ++ */ ++static inline void fsnotify_delete(struct inode *dir, struct inode *inode, ++ struct dentry *dentry) ++{ ++ __u32 mask = FS_DELETE; ++ ++ if (S_ISDIR(inode->i_mode)) ++ mask |= FS_ISDIR; ++ ++ fsnotify(dir, mask, inode, FSNOTIFY_EVENT_INODE, &dentry->d_name, 0); ++} ++ ++/** ++ * d_delete_notify - delete a dentry and call fsnotify_delete() ++ * @dentry: The dentry to delete ++ * ++ * This helper is used to guaranty that the unlinked inode cannot be found ++ * by lookup of this name after fsnotify_delete() event has been delivered. ++ */ ++static inline void d_delete_notify(struct inode *dir, struct dentry *dentry) ++{ ++ struct inode *inode = d_inode(dentry); ++ ++ ihold(inode); ++ d_delete(dentry); ++ fsnotify_delete(dir, inode, dentry); ++ iput(inode); ++} ++ ++/* + * fsnotify_unlink - 'name' was unlinked + * + * Caller must make sure that dentry->d_name is stable. + */ + static inline void fsnotify_unlink(struct inode *dir, struct dentry *dentry) + { +- /* Expected to be called before d_delete() */ +- WARN_ON_ONCE(d_is_negative(dentry)); ++ if (WARN_ON_ONCE(d_is_negative(dentry))) ++ return; + +- fsnotify_dirent(dir, dentry, FS_DELETE); ++ fsnotify_delete(dir, d_inode(dentry), dentry); + } + + /* +@@ -221,10 +257,10 @@ static inline void fsnotify_mkdir(struct + */ + static inline void fsnotify_rmdir(struct inode *dir, struct dentry *dentry) + { +- /* Expected to be called before d_delete() */ +- WARN_ON_ONCE(d_is_negative(dentry)); ++ if (WARN_ON_ONCE(d_is_negative(dentry))) ++ return; + +- fsnotify_dirent(dir, dentry, FS_DELETE | FS_ISDIR); ++ fsnotify_delete(dir, d_inode(dentry), dentry); + } + + /* diff --git a/patches.suse/i40iw-Add-support-to-make-destroy-QP-synchronous.patch b/patches.suse/i40iw-Add-support-to-make-destroy-QP-synchronous.patch new file mode 100644 index 0000000..c570d7d --- /dev/null +++ b/patches.suse/i40iw-Add-support-to-make-destroy-QP-synchronous.patch @@ -0,0 +1,407 @@ +From f2334964e969762e266a616acf9377f6046470a2 Mon Sep 17 00:00:00 2001 +From: "Sindhu, Devale" +Date: Wed, 16 Sep 2020 08:18:12 -0500 +Subject: [PATCH 1/1] i40iw: Add support to make destroy QP synchronous +Git-commit: f2334964e969762e266a616acf9377f6046470a2 +Patch-mainline: v5.10 +References: git-fixes + +Occasionally ib_write_bw crash is seen due to access of a pd object in +i40iw_sc_qp_destroy after it is freed. Destroy qp is not synchronous in +i40iw and thus the iwqp object could be referencing a pd object that is +freed by ib core as a result of successful return from i40iw_destroy_qp. + +Wait in i40iw_destroy_qp till all QP references are released and destroy +the QP and its associated resources before returning. Switch to use the +refcount API vs atomic API for lifetime management of the qp. + + RIP: 0010:i40iw_sc_qp_destroy+0x4b/0x120 [i40iw] + [...] + RSP: 0018:ffffb4a7042e3ba8 EFLAGS: 00010002 + RAX: 0000000000000000 RBX: 0000000000000001 RCX: dead000000000122 + RDX: ffffb4a7042e3bac RSI: ffff8b7ef9b1e940 RDI: ffff8b7efbf09080 + RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 + R10: 8080808080808080 R11: 0000000000000010 R12: ffff8b7efbf08050 + R13: 0000000000000001 R14: ffff8b7f15042928 R15: ffff8b7ef9b1e940 + FS: 0000000000000000(0000) GS:ffff8b7f2fa00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000400 CR3: 000000020d60a006 CR4: 00000000001606e0 + Call Trace: + i40iw_exec_cqp_cmd+0x4d3/0x5c0 [i40iw] + ? try_to_wake_up+0x1ea/0x5d0 + ? __switch_to_asm+0x40/0x70 + i40iw_process_cqp_cmd+0x95/0xa0 [i40iw] + i40iw_handle_cqp_op+0x42/0x1a0 [i40iw] + ? cm_event_handler+0x13c/0x1f0 [iw_cm] + i40iw_rem_ref+0xa0/0xf0 [i40iw] + cm_work_handler+0x99c/0xd10 [iw_cm] + process_one_work+0x1a1/0x360 + worker_thread+0x30/0x380 + ? process_one_work+0x360/0x360 + kthread+0x10c/0x130 + ? kthread_park+0x80/0x80 + ret_from_fork+0x35/0x40 + +Fixes: d37498417947 ("i40iw: add files for iwarp interface") +Link: https://lore.kernel.org/r/20200916131811.2077-1-shiraz.saleem@intel.com +Reported-by: Kamal Heib +Signed-off-by: Sindhu, Devale +Signed-off-by: Shiraz, Saleem +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/i40iw/i40iw.h | 9 ++-- + drivers/infiniband/hw/i40iw/i40iw_cm.c | 10 ++-- + drivers/infiniband/hw/i40iw/i40iw_hw.c | 4 +- + drivers/infiniband/hw/i40iw/i40iw_utils.c | 59 ++++------------------- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 31 ++++++++---- + drivers/infiniband/hw/i40iw/i40iw_verbs.h | 3 +- + 6 files changed, 45 insertions(+), 71 deletions(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw.h b/drivers/infiniband/hw/i40iw/i40iw.h +index 25747b85a79c..832b80de004f 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw.h ++++ b/drivers/infiniband/hw/i40iw/i40iw.h +@@ -409,8 +409,8 @@ static inline struct i40iw_qp *to_iwqp(struct ib_qp *ibqp) + } + + /* i40iw.c */ +-void i40iw_add_ref(struct ib_qp *); +-void i40iw_rem_ref(struct ib_qp *); ++void i40iw_qp_add_ref(struct ib_qp *ibqp); ++void i40iw_qp_rem_ref(struct ib_qp *ibqp); + struct ib_qp *i40iw_get_qp(struct ib_device *, int); + + void i40iw_flush_wqes(struct i40iw_device *iwdev, +@@ -554,9 +554,8 @@ enum i40iw_status_code i40iw_manage_qhash(struct i40iw_device *iwdev, + bool wait); + void i40iw_receive_ilq(struct i40iw_sc_vsi *vsi, struct i40iw_puda_buf *rbuf); + void i40iw_free_sqbuf(struct i40iw_sc_vsi *vsi, void *bufp); +-void i40iw_free_qp_resources(struct i40iw_device *iwdev, +- struct i40iw_qp *iwqp, +- u32 qp_num); ++void i40iw_free_qp_resources(struct i40iw_qp *iwqp); ++ + enum i40iw_status_code i40iw_obj_aligned_mem(struct i40iw_device *iwdev, + struct i40iw_dma_mem *memptr, + u32 size, u32 mask); +diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c +index a3b95805c154..3053c345a5a3 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c +@@ -2322,7 +2322,7 @@ static void i40iw_rem_ref_cm_node(struct i40iw_cm_node *cm_node) + iwqp = cm_node->iwqp; + if (iwqp) { + iwqp->cm_node = NULL; +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + cm_node->iwqp = NULL; + } else if (cm_node->qhash_set) { + i40iw_get_addr_info(cm_node, &nfo); +@@ -3452,7 +3452,7 @@ void i40iw_cm_disconn(struct i40iw_qp *iwqp) + kfree(work); + return; + } +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); + + work->iwqp = iwqp; +@@ -3623,7 +3623,7 @@ static void i40iw_disconnect_worker(struct work_struct *work) + + kfree(dwork); + i40iw_cm_disconn_true(iwqp); +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } + + /** +@@ -3745,7 +3745,7 @@ int i40iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + cm_node->lsmm_size = accept.size + conn_param->private_data_len; + i40iw_cm_init_tsa_conn(iwqp, cm_node); + cm_id->add_ref(cm_id); +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + + attr.qp_state = IB_QPS_RTS; + cm_node->qhash_set = false; +@@ -3908,7 +3908,7 @@ int i40iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + iwqp->cm_node = cm_node; + cm_node->iwqp = iwqp; + iwqp->cm_id = cm_id; +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + + if (cm_node->state != I40IW_CM_STATE_OFFLOADED) { + cm_node->state = I40IW_CM_STATE_SYN_SENT; +diff --git a/drivers/infiniband/hw/i40iw/i40iw_hw.c b/drivers/infiniband/hw/i40iw/i40iw_hw.c +index e1085634b8d9..56fdc161f6f8 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_hw.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c +@@ -313,7 +313,7 @@ void i40iw_process_aeq(struct i40iw_device *iwdev) + __func__, info->qp_cq_id); + continue; + } +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); + qp = &iwqp->sc_qp; + spin_lock_irqsave(&iwqp->lock, flags); +@@ -426,7 +426,7 @@ void i40iw_process_aeq(struct i40iw_device *iwdev) + break; + } + if (info->qp) +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } while (1); + + if (aeqcnt) +diff --git a/drivers/infiniband/hw/i40iw/i40iw_utils.c b/drivers/infiniband/hw/i40iw/i40iw_utils.c +index 4ab8e0dcfd4c..644f8c641aa0 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_utils.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_utils.c +@@ -477,25 +477,6 @@ void i40iw_cleanup_pending_cqp_op(struct i40iw_device *iwdev) + } + } + +-/** +- * i40iw_free_qp - callback after destroy cqp completes +- * @cqp_request: cqp request for destroy qp +- * @num: not used +- */ +-static void i40iw_free_qp(struct i40iw_cqp_request *cqp_request, u32 num) +-{ +- struct i40iw_sc_qp *qp = (struct i40iw_sc_qp *)cqp_request->param; +- struct i40iw_qp *iwqp = (struct i40iw_qp *)qp->back_qp; +- struct i40iw_device *iwdev; +- u32 qp_num = iwqp->ibqp.qp_num; +- +- iwdev = iwqp->iwdev; +- +- i40iw_rem_pdusecount(iwqp->iwpd, iwdev); +- i40iw_free_qp_resources(iwdev, iwqp, qp_num); +- i40iw_rem_devusecount(iwdev); +-} +- + /** + * i40iw_wait_event - wait for completion + * @iwdev: iwarp device +@@ -616,26 +597,23 @@ void i40iw_rem_pdusecount(struct i40iw_pd *iwpd, struct i40iw_device *iwdev) + } + + /** +- * i40iw_add_ref - add refcount for qp ++ * i40iw_qp_add_ref - add refcount for qp + * @ibqp: iqarp qp + */ +-void i40iw_add_ref(struct ib_qp *ibqp) ++void i40iw_qp_add_ref(struct ib_qp *ibqp) + { + struct i40iw_qp *iwqp = (struct i40iw_qp *)ibqp; + +- atomic_inc(&iwqp->refcount); ++ refcount_inc(&iwqp->refcount); + } + + /** +- * i40iw_rem_ref - rem refcount for qp and free if 0 ++ * i40iw_qp_rem_ref - rem refcount for qp and free if 0 + * @ibqp: iqarp qp + */ +-void i40iw_rem_ref(struct ib_qp *ibqp) ++void i40iw_qp_rem_ref(struct ib_qp *ibqp) + { + struct i40iw_qp *iwqp; +- enum i40iw_status_code status; +- struct i40iw_cqp_request *cqp_request; +- struct cqp_commands_info *cqp_info; + struct i40iw_device *iwdev; + u32 qp_num; + unsigned long flags; +@@ -643,7 +621,7 @@ void i40iw_rem_ref(struct ib_qp *ibqp) + iwqp = to_iwqp(ibqp); + iwdev = iwqp->iwdev; + spin_lock_irqsave(&iwdev->qptable_lock, flags); +- if (!atomic_dec_and_test(&iwqp->refcount)) { ++ if (!refcount_dec_and_test(&iwqp->refcount)) { + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); + return; + } +@@ -651,25 +629,8 @@ void i40iw_rem_ref(struct ib_qp *ibqp) + qp_num = iwqp->ibqp.qp_num; + iwdev->qp_table[qp_num] = NULL; + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); +- cqp_request = i40iw_get_cqp_request(&iwdev->cqp, false); +- if (!cqp_request) +- return; +- +- cqp_request->callback_fcn = i40iw_free_qp; +- cqp_request->param = (void *)&iwqp->sc_qp; +- cqp_info = &cqp_request->info; +- cqp_info->cqp_cmd = OP_QP_DESTROY; +- cqp_info->post_sq = 1; +- cqp_info->in.u.qp_destroy.qp = &iwqp->sc_qp; +- cqp_info->in.u.qp_destroy.scratch = (uintptr_t)cqp_request; +- cqp_info->in.u.qp_destroy.remove_hash_idx = true; +- status = i40iw_handle_cqp_op(iwdev, cqp_request); +- if (!status) +- return; ++ complete(&iwqp->free_qp); + +- i40iw_rem_pdusecount(iwqp->iwpd, iwdev); +- i40iw_free_qp_resources(iwdev, iwqp, qp_num); +- i40iw_rem_devusecount(iwdev); + } + + /** +@@ -936,7 +897,7 @@ static void i40iw_terminate_timeout(struct timer_list *t) + struct i40iw_sc_qp *qp = (struct i40iw_sc_qp *)&iwqp->sc_qp; + + i40iw_terminate_done(qp, 1); +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } + + /** +@@ -948,7 +909,7 @@ void i40iw_terminate_start_timer(struct i40iw_sc_qp *qp) + struct i40iw_qp *iwqp; + + iwqp = (struct i40iw_qp *)qp->back_qp; +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + timer_setup(&iwqp->terminate_timer, i40iw_terminate_timeout, 0); + iwqp->terminate_timer.expires = jiffies + HZ; + add_timer(&iwqp->terminate_timer); +@@ -964,7 +925,7 @@ void i40iw_terminate_del_timer(struct i40iw_sc_qp *qp) + + iwqp = (struct i40iw_qp *)qp->back_qp; + if (del_timer(&iwqp->terminate_timer)) +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } + + /** +diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +index 7d5ad586ce01..ffb692d619b2 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -364,11 +364,11 @@ static struct i40iw_pbl *i40iw_get_pbl(unsigned long va, + * @iwqp: qp ptr (user or kernel) + * @qp_num: qp number assigned + */ +-void i40iw_free_qp_resources(struct i40iw_device *iwdev, +- struct i40iw_qp *iwqp, +- u32 qp_num) ++void i40iw_free_qp_resources(struct i40iw_qp *iwqp) + { + struct i40iw_pbl *iwpbl = &iwqp->iwpbl; ++ struct i40iw_device *iwdev = iwqp->iwdev; ++ u32 qp_num = iwqp->ibqp.qp_num; + + i40iw_ieq_cleanup_qp(iwdev->vsi.ieq, &iwqp->sc_qp); + i40iw_dealloc_push_page(iwdev, &iwqp->sc_qp); +@@ -402,6 +402,10 @@ static void i40iw_clean_cqes(struct i40iw_qp *iwqp, struct i40iw_cq *iwcq) + static int i40iw_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + { + struct i40iw_qp *iwqp = to_iwqp(ibqp); ++ struct ib_qp_attr attr; ++ struct i40iw_device *iwdev = iwqp->iwdev; ++ ++ memset(&attr, 0, sizeof(attr)); + + iwqp->destroyed = 1; + +@@ -416,7 +420,15 @@ static int i40iw_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + } + } + +- i40iw_rem_ref(&iwqp->ibqp); ++ attr.qp_state = IB_QPS_ERR; ++ i40iw_modify_qp(&iwqp->ibqp, &attr, IB_QP_STATE, NULL); ++ i40iw_qp_rem_ref(&iwqp->ibqp); ++ wait_for_completion(&iwqp->free_qp); ++ i40iw_cqp_qp_destroy_cmd(&iwdev->sc_dev, &iwqp->sc_qp); ++ i40iw_rem_pdusecount(iwqp->iwpd, iwdev); ++ i40iw_free_qp_resources(iwqp); ++ i40iw_rem_devusecount(iwdev); ++ + return 0; + } + +@@ -577,6 +589,7 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + qp->back_qp = (void *)iwqp; + qp->push_idx = I40IW_INVALID_PUSH_PAGE_INDEX; + ++ iwqp->iwdev = iwdev; + iwqp->ctx_info.iwarp_info = &iwqp->iwarp_info; + + if (i40iw_allocate_dma_mem(dev->hw, +@@ -601,7 +614,6 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + goto error; + } + +- iwqp->iwdev = iwdev; + iwqp->iwpd = iwpd; + iwqp->ibqp.qp_num = qp_num; + qp = &iwqp->sc_qp; +@@ -715,7 +727,7 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + goto error; + } + +- i40iw_add_ref(&iwqp->ibqp); ++ refcount_set(&iwqp->refcount, 1); + spin_lock_init(&iwqp->lock); + iwqp->sig_all = (init_attr->sq_sig_type == IB_SIGNAL_ALL_WR) ? 1 : 0; + iwdev->qp_table[qp_num] = iwqp; +@@ -737,10 +749,11 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + } + init_completion(&iwqp->sq_drained); + init_completion(&iwqp->rq_drained); ++ init_completion(&iwqp->free_qp); + + return &iwqp->ibqp; + error: +- i40iw_free_qp_resources(iwdev, iwqp, qp_num); ++ i40iw_free_qp_resources(iwqp); + return ERR_PTR(err_code); + } + +@@ -2629,13 +2642,13 @@ static const struct ib_device_ops i40iw_dev_ops = { + .get_hw_stats = i40iw_get_hw_stats, + .get_port_immutable = i40iw_port_immutable, + .iw_accept = i40iw_accept, +- .iw_add_ref = i40iw_add_ref, ++ .iw_add_ref = i40iw_qp_add_ref, + .iw_connect = i40iw_connect, + .iw_create_listen = i40iw_create_listen, + .iw_destroy_listen = i40iw_destroy_listen, + .iw_get_qp = i40iw_get_qp, + .iw_reject = i40iw_reject, +- .iw_rem_ref = i40iw_rem_ref, ++ .iw_rem_ref = i40iw_qp_rem_ref, + .map_mr_sg = i40iw_map_mr_sg, + .mmap = i40iw_mmap, + .modify_qp = i40iw_modify_qp, +diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.h b/drivers/infiniband/hw/i40iw/i40iw_verbs.h +index 331bc21cbcc7..bab71f3e5637 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.h ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.h +@@ -139,7 +139,7 @@ struct i40iw_qp { + struct i40iw_qp_host_ctx_info ctx_info; + struct i40iwarp_offload_info iwarp_info; + void *allocated_buffer; +- atomic_t refcount; ++ refcount_t refcount; + struct iw_cm_id *cm_id; + void *cm_node; + struct ib_mr *lsmm_mr; +@@ -174,5 +174,6 @@ struct i40iw_qp { + struct i40iw_dma_mem ietf_mem; + struct completion sq_drained; + struct completion rq_drained; ++ struct completion free_qp; + }; + #endif +-- +2.31.1.5.g533053588dc3 + diff --git a/patches.suse/nvme-core-use-list_add_tail_rcu-instead-of-list_add_.patch b/patches.suse/nvme-core-use-list_add_tail_rcu-instead-of-list_add_.patch new file mode 100644 index 0000000..6e3a3d9 --- /dev/null +++ b/patches.suse/nvme-core-use-list_add_tail_rcu-instead-of-list_add_.patch @@ -0,0 +1,35 @@ +From: Chao Leng +Date: Thu, 28 Jan 2021 11:33:51 +0800 +Subject: [PATCH] nvme-core: use list_add_tail_rcu instead of list_add_tail for + nvme_init_ns_head +Git-commit: 772ea326a4a00b6b4b2c8f3606ad10c31f46c511 +Patch-mainline: v5.11-rc1 +References: git-fixes + +The "list" of nvme_ns_head is used as rcu list, now in nvme_init_ns_head +list_add_tail is used to add ns->siblings to the rcu list. It is not safe. +Should use list_add_tail_rcu instead of list_add_tail. + +Signed-off-by: Chao Leng +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 8caf9b34734d..f13eb4ded95f 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3829,7 +3829,7 @@ static int nvme_init_ns_head(struct nvme_ns *ns, unsigned nsid, + } + } + +- list_add_tail(&ns->siblings, &head->list); ++ list_add_tail_rcu(&ns->siblings, &head->list); + ns->head = head; + mutex_unlock(&ctrl->subsys->lock); + return 0; +-- +2.29.2 + diff --git a/patches.suse/nvme-fabrics-avoid-double-completions-in-nvmf_fail_n.patch b/patches.suse/nvme-fabrics-avoid-double-completions-in-nvmf_fail_n.patch new file mode 100644 index 0000000..3de4252 --- /dev/null +++ b/patches.suse/nvme-fabrics-avoid-double-completions-in-nvmf_fail_n.patch @@ -0,0 +1,46 @@ +From: Chao Leng +Date: Mon, 1 Feb 2021 11:49:39 +0800 +Subject: [PATCH] nvme-fabrics: avoid double completions in + nvmf_fail_nonready_command +Git-commit: ea5e5f42cd2c80d19862dd63a2f3a4e7a99c6a20 +Patch-mainline: v5.12-rc1 +References: git-fixes + +When reconnecting, the request may be completed with +NVME_SC_HOST_PATH_ERROR in nvmf_fail_nonready_command, which currently +set the state of the request to MQ_RQ_IN_FLIGHT before calling +nvme_complete_rq. When this happens for a request that is freed by +the caller, such as nvme_submit_user_cmd, in the worst case the request +could be completed again in tear down process. + +Instead of calling blk_mq_start_request from nvmf_fail_nonready_command, +just use the new nvme_host_path_error helper to complete the command +without starting it. + +Signed-off-by: Chao Leng +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/fabrics.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index 72ac00173500..5dfd806fc2d2 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -552,11 +552,7 @@ blk_status_t nvmf_fail_nonready_command(struct nvme_ctrl *ctrl, + !test_bit(NVME_CTRL_FAILFAST_EXPIRED, &ctrl->flags) && + !blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH)) + return BLK_STS_RESOURCE; +- +- nvme_req(rq)->status = NVME_SC_HOST_PATH_ERROR; +- blk_mq_start_request(rq); +- nvme_complete_rq(rq); +- return BLK_STS_OK; ++ return nvme_host_path_error(rq); + } + EXPORT_SYMBOL_GPL(nvmf_fail_nonready_command); + +-- +2.29.2 + diff --git a/patches.suse/nvme-fabrics-ignore-invalid-fast_io_fail_tmo-values.patch b/patches.suse/nvme-fabrics-ignore-invalid-fast_io_fail_tmo-values.patch new file mode 100644 index 0000000..36dd746 --- /dev/null +++ b/patches.suse/nvme-fabrics-ignore-invalid-fast_io_fail_tmo-values.patch @@ -0,0 +1,36 @@ +From: Maurizio Lombardi +Date: Fri, 12 Nov 2021 15:16:12 +0100 +Subject: [PATCH] nvme-fabrics: ignore invalid fast_io_fail_tmo values +Git-commit: 8e8aaf512a91ae44d40647a88b51326c7b0a70a8 +Patch-mainline: v5.16-rc1 +References: git-fixes + +Valid fast_io_fail_tmo values are integers >= 0 or -1 (disabled). +Prevent userspace from setting arbitrary negative values. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/fabrics.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index c5a2b71c5268..282d54117e0a 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -698,6 +698,9 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + if (token >= 0) + pr_warn("I/O fail on reconnect controller after %d sec\n", + token); ++ else ++ token = -1; ++ + opts->fast_io_fail_tmo = token; + break; + case NVMF_OPT_HOSTNQN: +-- +2.29.2 + diff --git a/patches.suse/nvme-fabrics-remove-superfluous-nvmf_host_put-in-nvm.patch b/patches.suse/nvme-fabrics-remove-superfluous-nvmf_host_put-in-nvm.patch new file mode 100644 index 0000000..b7bf3de --- /dev/null +++ b/patches.suse/nvme-fabrics-remove-superfluous-nvmf_host_put-in-nvm.patch @@ -0,0 +1,34 @@ +From: Hou Pu +Date: Fri, 9 Jul 2021 10:32:47 +0800 +Subject: [PATCH] nvme-fabrics: remove superfluous nvmf_host_put in + nvmf_parse_options +Git-commit: e23439e977ed2b247912c2b5c6945ef1bc380100 +Patch-mainline: v5.15-rc1 +References: git-fixes + +Opts->host is NULL there. It is checked just before. So remove +nvmf_host_put. It is introduced by commit 59a2f3f00fd7 ("nvme: fix +potential memory leak in option parsing"). + +Signed-off-by: Hou Pu +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/fabrics.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index a5469fd9d4c3..668c6bb7a567 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -719,7 +719,6 @@ static int nvmf_parse_options(struct nvmf_ctrl_options *opts, + ret = -EINVAL; + goto out; + } +- nvmf_host_put(opts->host); + opts->host = nvmf_host_add(p); + kfree(p); + if (!opts->host) { +-- +2.29.2 + diff --git a/patches.suse/nvme-fix-use-after-free-when-disconnecting-a-reconne.patch b/patches.suse/nvme-fix-use-after-free-when-disconnecting-a-reconne.patch new file mode 100644 index 0000000..2f397fd --- /dev/null +++ b/patches.suse/nvme-fix-use-after-free-when-disconnecting-a-reconne.patch @@ -0,0 +1,49 @@ +From: Ruozhu Li +Date: Thu, 4 Nov 2021 15:13:32 +0800 +Subject: [PATCH] nvme: fix use after free when disconnecting a reconnecting + ctrl +Git-commit: 8b77fa6fdce0fc7147bab91b1011048758290ca4 +Patch-mainline: v5.16-rc1 +References: git-fixes + +A crash happens when trying to disconnect a reconnecting ctrl: + + 1) The network was cut off when the connection was just established, + scan work hang there waiting for some IOs complete. Those I/Os were + retried because we return BLK_STS_RESOURCE to blk in reconnecting. + 2) After a while, I tried to disconnect this connection. This + procedure also hangs because it tried to obtain ctrl->scan_lock. + It should be noted that now we have switched the controller state + to NVME_CTRL_DELETING. + 3) In nvme_check_ready(), we always return true when ctrl->state is + NVME_CTRL_DELETING, so those retrying I/Os were issued to the bottom + device which was already freed. + +To fix this, when ctrl->state is NVME_CTRL_DELETING, issue cmd to bottom +device only when queue state is live. If not, return host path error to +the block layer + +[hare: ported to SLE15 SP3] + +Signed-off-by: Ruozhu Li +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/fabrics.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c +index 31bfd509585c..13308c1992d2 100644 +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -551,6 +551,7 @@ blk_status_t nvmf_fail_nonready_command(struct nvme_ctrl *ctrl, + struct request *rq) + { + if (ctrl->state != NVME_CTRL_DELETING_NOIO && ++ ctrl->state != NVME_CTRL_DELETING && + ctrl->state != NVME_CTRL_DEAD && + !test_bit(NVME_CTRL_FAILFAST_EXPIRED, &ctrl->flags) && + !blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH)) +-- +2.29.2 diff --git a/patches.suse/nvme-introduce-a-nvme_host_path_error-helper.patch b/patches.suse/nvme-introduce-a-nvme_host_path_error-helper.patch new file mode 100644 index 0000000..42d36c3 --- /dev/null +++ b/patches.suse/nvme-introduce-a-nvme_host_path_error-helper.patch @@ -0,0 +1,64 @@ +From: Chao Leng +Date: Thu, 4 Feb 2021 08:55:11 +0100 +Subject: [PATCH] nvme: introduce a nvme_host_path_error helper +Git-commit: dda3248e7fc306e0ce3612ae96bdd9a36e2ab04f +Patch-mainline: v5.12-rc1 +References: git-fixes + +When using nvme native multipathing, if a path related error occurs +during ->queue_rq, the request needs to be completed with +NVME_SC_HOST_PATH_ERROR so that the request can be failed over. + +Introduce a helper to complete the command from ->queue_rq in a wait +that invokes nvme_complete_rq. + +Signed-off-by: Chao Leng +[hch: renamed, added a return value to clean up the callers a bit] +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/core.c | 15 +++++++++++++++ + drivers/nvme/host/nvme.h | 1 + + 2 files changed, 16 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 0befaad788a0..02579f4f776c 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -355,6 +355,21 @@ void nvme_complete_rq(struct request *req) + } + EXPORT_SYMBOL_GPL(nvme_complete_rq); + ++/* ++ * Called to unwind from ->queue_rq on a failed command submission so that the ++ * multipathing code gets called to potentially failover to another path. ++ * The caller needs to unwind all transport specific resource allocations and ++ * must return propagate the return value. ++ */ ++blk_status_t nvme_host_path_error(struct request *req) ++{ ++ nvme_req(req)->status = NVME_SC_HOST_PATH_ERROR; ++ blk_mq_set_request_complete(req); ++ nvme_complete_rq(req); ++ return BLK_STS_OK; ++} ++EXPORT_SYMBOL_GPL(nvme_host_path_error); ++ + bool nvme_cancel_request(struct request *req, void *data, bool reserved) + { + dev_dbg_ratelimited(((struct nvme_ctrl *) data)->device, +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index a72f07181091..5819f0381041 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -575,6 +575,7 @@ static inline bool nvme_is_aen_req(u16 qid, __u16 command_id) + } + + void nvme_complete_rq(struct request *req); ++blk_status_t nvme_host_path_error(struct request *req); + bool nvme_cancel_request(struct request *req, void *data, bool reserved); + void nvme_cancel_tagset(struct nvme_ctrl *ctrl); + void nvme_cancel_admin_tagset(struct nvme_ctrl *ctrl); +-- +2.29.2 + diff --git a/patches.suse/nvme-multipath-fix-ANA-state-updates-when-a-namespac.patch b/patches.suse/nvme-multipath-fix-ANA-state-updates-when-a-namespac.patch new file mode 100644 index 0000000..4a9b405 --- /dev/null +++ b/patches.suse/nvme-multipath-fix-ANA-state-updates-when-a-namespac.patch @@ -0,0 +1,60 @@ +From: Anton Eidelman +Date: Sun, 12 Sep 2021 12:54:57 -0600 +Subject: [PATCH] nvme-multipath: fix ANA state updates when a namespace is not + present +Git-commit: 79f528afa93918519574773ea49a444c104bc1bd +Patch-mainline: v5.15-rc1 +References: git-fixes + +nvme_update_ana_state() has a deficiency that results in a failure to +properly update the ana state for a namespace in the following case: + + NSIDs in ctrl->namespaces: 1, 3, 4 + NSIDs in desc->nsids: 1, 2, 3, 4 + +Loop iteration 0: + ns index = 0, n = 0, ns->head->ns_id = 1, nsid = 1, MATCH. +Loop iteration 1: + ns index = 1, n = 1, ns->head->ns_id = 3, nsid = 2, NO MATCH. +Loop iteration 2: + ns index = 2, n = 2, ns->head->ns_id = 4, nsid = 4, MATCH. + +Where the update to the ANA state of NSID 3 is missed. To fix this +increment n and retry the update with the same ns when ns->head->ns_id is +higher than nsid, + +Signed-off-by: Anton Eidelman +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/multipath.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 5d7bc58a27bd..e8ccdd398f78 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -600,14 +600,17 @@ static int nvme_update_ana_state(struct nvme_ctrl *ctrl, + + down_read(&ctrl->namespaces_rwsem); + list_for_each_entry(ns, &ctrl->namespaces, list) { +- unsigned nsid = le32_to_cpu(desc->nsids[n]); +- ++ unsigned nsid; ++again: ++ nsid = le32_to_cpu(desc->nsids[n]); + if (ns->head->ns_id < nsid) + continue; + if (ns->head->ns_id == nsid) + nvme_update_ns_ana_state(desc, ns); + if (++n == nr_nsids) + break; ++ if (ns->head->ns_id > nsid) ++ goto again; + } + up_read(&ctrl->namespaces_rwsem); + return 0; +-- +2.29.2 + diff --git a/patches.suse/nvme-refactor-ns-ctrl-by-request.patch b/patches.suse/nvme-refactor-ns-ctrl-by-request.patch new file mode 100644 index 0000000..3ba2581 --- /dev/null +++ b/patches.suse/nvme-refactor-ns-ctrl-by-request.patch @@ -0,0 +1,48 @@ +From: Minwoo Im +Date: Wed, 13 Jan 2021 23:36:27 +0900 +Subject: [PATCH] nvme: refactor ns->ctrl by request +Git-commit: fc97e942d90c2103755f2fcd9a068a4ee7dfc1bf +Patch-mainline: v5.12-rc1 +References: git-fixes + +Just for current code in nvme_cleanup_cmd(), we don't have to get +namespace instance, but we need controller instance. + +Controller instance can be retrieved by namespace instance, but it can +be directly accessed by nvme_request instance from request. + + ctrl = nvme_req(req)->ctrl; + +We don't have to go around namespace instance from request instance +through gendisk. + +Signed-off-by: Minwoo Im +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 636a88c93194..009830d247f8 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -841,11 +841,11 @@ static inline blk_status_t nvme_setup_rw(struct nvme_ns *ns, + void nvme_cleanup_cmd(struct request *req) + { + if (req->rq_flags & RQF_SPECIAL_PAYLOAD) { +- struct nvme_ns *ns = req->rq_disk->private_data; ++ struct nvme_ctrl *ctrl = nvme_req(req)->ctrl; + struct page *page = req->special_vec.bv_page; + +- if (page == ns->ctrl->discard_page) +- clear_bit_unlock(0, &ns->ctrl->discard_page_busy); ++ if (page == ctrl->discard_page) ++ clear_bit_unlock(0, &ctrl->discard_page_busy); + else + kfree(page_address(page) + req->special_vec.bv_offset); + } +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-data-digest-pointer-calculation.patch b/patches.suse/nvme-tcp-fix-data-digest-pointer-calculation.patch new file mode 100644 index 0000000..256202c --- /dev/null +++ b/patches.suse/nvme-tcp-fix-data-digest-pointer-calculation.patch @@ -0,0 +1,36 @@ +From: Varun Prakash +Date: Mon, 25 Oct 2021 22:47:30 +0530 +Subject: [PATCH] nvme-tcp: fix data digest pointer calculation +Git-commit: d89b9f3bbb58e9e378881209756b0723694f22ff +Patch-mainline: v5.15-rc1 +References: git-fixes + +ddgst is of type __le32, &req->ddgst + req->offset +increases &req->ddgst by 4 * req->offset, fix this by +type casting &req->ddgst to u8 *. + +Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") +Signed-off-by: Varun Prakash +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 1a209f0d7181..4ae562d30d2b 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1054,7 +1054,7 @@ static int nvme_tcp_try_send_ddgst(struct nvme_tcp_request *req) + int ret; + struct msghdr msg = { .msg_flags = MSG_DONTWAIT }; + struct kvec iov = { +- .iov_base = &req->ddgst + req->offset, ++ .iov_base = (u8 *)&req->ddgst + req->offset, + .iov_len = NVME_TCP_DIGEST_LENGTH - req->offset + }; + +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch b/patches.suse/nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch new file mode 100644 index 0000000..b54f08c --- /dev/null +++ b/patches.suse/nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch @@ -0,0 +1,73 @@ +From: Sagi Grimberg +Date: Tue, 14 Sep 2021 18:38:55 +0300 +Subject: [PATCH] nvme-tcp: fix incorrect h2cdata pdu offset accounting +Git-commit: e371af033c560b9dd1e861f8f0b503142bf0a06c +Patch-mainline: v5.15-rc1 +References: git-fixes + +When the controller sends us multiple r2t PDUs in a single +request we need to account for it correctly as our send/recv +context run concurrently (i.e. we get a new r2t with r2t_offset +before we updated our iterator and req->data_sent marker). This +can cause wrong offsets to be sent to the controller. + +To fix that, we will first know that this may happen only in +the send sequence of the last page, hence we will take +the r2t_offset to the h2c PDU data_offset, and in +nvme_tcp_try_send_data loop, we make sure to increment +the request markers also when we completed a PDU but +we are expecting more r2t PDUs as we still did not send +the entire data of the request. + +Fixes: 825619b09ad3 ("nvme-tcp: fix possible use-after-completion") +Reported-by: Nowak, Lukasz +Tested-by: Nowak, Lukasz +Signed-off-by: Sagi Grimberg +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index e4249b7dc056..3c1c29dd3020 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -620,7 +620,7 @@ static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, + cpu_to_le32(data->hdr.hlen + hdgst + req->pdu_len + ddgst); + data->ttag = pdu->ttag; + data->command_id = nvme_cid(rq); +- data->data_offset = cpu_to_le32(req->data_sent); ++ data->data_offset = pdu->r2t_offset; + data->data_length = cpu_to_le32(req->pdu_len); + return 0; + } +@@ -953,7 +953,15 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + nvme_tcp_ddgst_update(queue->snd_hash, page, + offset, ret); + +- /* fully successful last write*/ ++ /* ++ * update the request iterator except for the last payload send ++ * in the request where we don't want to modify it as we may ++ * compete with the RX path completing the request. ++ */ ++ if (req->data_sent + ret < req->data_len) ++ nvme_tcp_advance_req(req, ret); ++ ++ /* fully successful last send in current PDU */ + if (last && ret == len) { + if (queue->data_digest) { + nvme_tcp_ddgst_final(queue->snd_hash, +@@ -965,7 +973,6 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + } + return 1; + } +- nvme_tcp_advance_req(req, ret); + } + return -EAGAIN; + } +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-memory-leak-when-freeing-a-queue.patch b/patches.suse/nvme-tcp-fix-memory-leak-when-freeing-a-queue.patch new file mode 100644 index 0000000..d579512 --- /dev/null +++ b/patches.suse/nvme-tcp-fix-memory-leak-when-freeing-a-queue.patch @@ -0,0 +1,45 @@ +From: Maurizio Lombardi +Date: Wed, 3 Nov 2021 09:18:17 +0100 +Subject: [PATCH] nvme-tcp: fix memory leak when freeing a queue +Git-commit: a5053c92b3db71c3f7f9f13934ca620632828d06 +Patch-mainline: v5.16-rc1 +References: git-fixes + +Release the page frag cache when tearing down the io queues + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Reviewed-by: John Meneghini +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 5f8ad4d4ac8c..4ceb28675fdf 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1225,6 +1225,7 @@ static int nvme_tcp_alloc_async_req(struct nvme_tcp_ctrl *ctrl) + + static void nvme_tcp_free_queue(struct nvme_ctrl *nctrl, int qid) + { ++ struct page *page; + struct nvme_tcp_ctrl *ctrl = to_tcp_ctrl(nctrl); + struct nvme_tcp_queue *queue = &ctrl->queues[qid]; + +@@ -1234,6 +1235,11 @@ static void nvme_tcp_free_queue(struct nvme_ctrl *nctrl, int qid) + if (queue->hdr_digest || queue->data_digest) + nvme_tcp_free_crypto(queue); + ++ if (queue->pf_cache.va) { ++ page = virt_to_head_page(queue->pf_cache.va); ++ __page_frag_cache_drain(page, queue->pf_cache.pagecnt_bias); ++ queue->pf_cache.va = NULL; ++ } + sock_release(queue->sock); + kfree(queue->pdu); + mutex_destroy(&queue->send_mutex); +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-fix-possible-use-after-completion.patch b/patches.suse/nvme-tcp-fix-possible-use-after-completion.patch new file mode 100644 index 0000000..b926962 --- /dev/null +++ b/patches.suse/nvme-tcp-fix-possible-use-after-completion.patch @@ -0,0 +1,82 @@ +From: Sagi Grimberg +Date: Mon, 17 May 2021 14:07:45 -0700 +Subject: [PATCH] nvme-tcp: fix possible use-after-completion +Git-commit: 825619b09ad351894d2c6fb6705f5b3711d145c7 +Patch-mainline: v5.13-rc1 +References: git-fixes + +Commit db5ad6b7f8cd ("nvme-tcp: try to send request in queue_rq +context") added a second context that may perform a network send. +This means that now RX and TX are not serialized in nvme_tcp_io_work +and can run concurrently. + +While there is correct mutual exclusion in the TX path (where +the send_mutex protect the queue socket send activity) RX activity, +and more specifically request completion may run concurrently. + +This means we must guarantee that any mutation of the request state +related to its lifetime, bytes sent must not be accessed when a completion +may have possibly arrived back (and processed). + +The race may trigger when a request completion arrives, processed +_and_ reused as a fresh new request, exactly in the (relatively short) +window between the last data payload sent and before the request iov_iter +is advanced. + +Consider the following race: +1. 16K write request is queued +2. The nvme command and the data is sent to the controller (in-capsule + or solicited by r2t) +3. After the last payload is sent but before the req.iter is advanced, + the controller sends back a completion. +4. The completion is processed, the request is completed, and reused + to transfer a new request (write or read) +5. The new request is queued, and the driver reset the request parameters + (nvme_tcp_setup_cmd_pdu). +6. Now context in (2) resumes execution and advances the req.iter + +==> use-after-completion as this is already a new request. + +Fix this by making sure the request is not advanced after the last +data payload send, knowing that a completion may have arrived already. + +An alternative solution would have been to delay the request completion +or state change waiting for reference counting on the TX path, but besides +adding atomic operations to the hot-path, it may present challenges in +multi-stage R2T scenarios where a r2t handler needs to be deferred to +an async execution. + +Reported-by: Narayan Ayalasomayajula +Tested-by: Anil Mishra +Reviewed-by: Keith Busch +Cc: stable@vger.kernel.org # v5.8+ +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 0222e23f5936..b97d2732a80f 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -943,7 +943,6 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + if (ret <= 0) + return ret; + +- nvme_tcp_advance_req(req, ret); + if (queue->data_digest) + nvme_tcp_ddgst_update(queue->snd_hash, page, + offset, ret); +@@ -960,6 +959,7 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + } + return 1; + } ++ nvme_tcp_advance_req(req, ret); + } + return -EAGAIN; + } +-- +2.29.2 + diff --git a/patches.suse/nvme-tcp-validate-R2T-PDU-in-nvme_tcp_handle_r2t.patch b/patches.suse/nvme-tcp-validate-R2T-PDU-in-nvme_tcp_handle_r2t.patch new file mode 100644 index 0000000..9899703 --- /dev/null +++ b/patches.suse/nvme-tcp-validate-R2T-PDU-in-nvme_tcp_handle_r2t.patch @@ -0,0 +1,124 @@ +From: Varun Prakash +Date: Tue, 23 Nov 2021 16:28:56 +0530 +Subject: [PATCH] nvme-tcp: validate R2T PDU in nvme_tcp_handle_r2t() +Git-commit: 1d3ef9c3a39e04be31155c27ebf80342350c3abf +Patch-mainline: v5.16-rc1 +References: git-fixes + +If maxh2cdata < r2t_length then driver will form multiple +H2CData PDUs, validate R2T PDU in nvme_tcp_handle_r2t() to +reuse nvme_tcp_setup_h2c_data_pdu(). + +Also set req->state to NVME_TCP_SEND_H2C_PDU in +nvme_tcp_setup_h2c_data_pdu(). + +Signed-off-by: Varun Prakash +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Acked-by: Hannes Reinecke +--- + drivers/nvme/host/tcp.c | 55 ++++++++++++++++++----------------------- + 1 file changed, 24 insertions(+), 31 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 33bc83d8d992..5f8ad4d4ac8c 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -572,7 +572,7 @@ static int nvme_tcp_handle_comp(struct nvme_tcp_queue *queue, + return ret; + } + +-static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, ++static void nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, + struct nvme_tcp_r2t_pdu *pdu) + { + struct nvme_tcp_data_pdu *data = req->pdu; +@@ -581,32 +581,11 @@ static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, + u8 hdgst = nvme_tcp_hdgst_len(queue); + u8 ddgst = nvme_tcp_ddgst_len(queue); + ++ req->state = NVME_TCP_SEND_H2C_PDU; ++ req->offset = 0; + req->pdu_len = le32_to_cpu(pdu->r2t_length); + req->pdu_sent = 0; + +- if (unlikely(!req->pdu_len)) { +- dev_err(queue->ctrl->ctrl.device, +- "req %d r2t len is %u, probably a bug...\n", +- rq->tag, req->pdu_len); +- return -EPROTO; +- } +- +- if (unlikely(req->data_sent + req->pdu_len > req->data_len)) { +- dev_err(queue->ctrl->ctrl.device, +- "req %d r2t len %u exceeded data len %u (%zu sent)\n", +- rq->tag, req->pdu_len, req->data_len, +- req->data_sent); +- return -EPROTO; +- } +- +- if (unlikely(le32_to_cpu(pdu->r2t_offset) < req->data_sent)) { +- dev_err(queue->ctrl->ctrl.device, +- "req %d unexpected r2t offset %u (expected %zu)\n", +- rq->tag, le32_to_cpu(pdu->r2t_offset), +- req->data_sent); +- return -EPROTO; +- } +- + memset(data, 0, sizeof(*data)); + data->hdr.type = nvme_tcp_h2c_data; + data->hdr.flags = NVME_TCP_F_DATA_LAST; +@@ -622,7 +601,6 @@ static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, + data->command_id = nvme_cid(rq); + data->data_offset = pdu->r2t_offset; + data->data_length = cpu_to_le32(req->pdu_len); +- return 0; + } + + static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue, +@@ -630,7 +608,7 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue, + { + struct nvme_tcp_request *req; + struct request *rq; +- int ret; ++ u32 r2t_length = le32_to_cpu(pdu->r2t_length); + + rq = nvme_find_rq(nvme_tcp_tagset(queue), pdu->command_id); + if (!rq) { +@@ -641,13 +619,28 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue, + } + req = blk_mq_rq_to_pdu(rq); + +- ret = nvme_tcp_setup_h2c_data_pdu(req, pdu); +- if (unlikely(ret)) +- return ret; ++ if (unlikely(!r2t_length)) { ++ dev_err(queue->ctrl->ctrl.device, ++ "req %d r2t len is %u, probably a bug...\n", ++ rq->tag, r2t_length); ++ return -EPROTO; ++ } + +- req->state = NVME_TCP_SEND_H2C_PDU; +- req->offset = 0; ++ if (unlikely(req->data_sent + r2t_length > req->data_len)) { ++ dev_err(queue->ctrl->ctrl.device, ++ "req %d r2t len %u exceeded data len %u (%zu sent)\n", ++ rq->tag, r2t_length, req->data_len, req->data_sent); ++ return -EPROTO; ++ } ++ ++ if (unlikely(le32_to_cpu(pdu->r2t_offset) < req->data_sent)) { ++ dev_err(queue->ctrl->ctrl.device, ++ "req %d unexpected r2t offset %u (expected %zu)\n", ++ rq->tag, le32_to_cpu(pdu->r2t_offset), req->data_sent); ++ return -EPROTO; ++ } + ++ nvme_tcp_setup_h2c_data_pdu(req, pdu); + nvme_tcp_queue_request(req, false, true); + + return 0; +-- +2.29.2 + diff --git a/patches.suse/pinctrl-intel-Fix-a-glitch-when-updating-IRQ-flags-o.patch b/patches.suse/pinctrl-intel-Fix-a-glitch-when-updating-IRQ-flags-o.patch new file mode 100644 index 0000000..6dd1426 --- /dev/null +++ b/patches.suse/pinctrl-intel-Fix-a-glitch-when-updating-IRQ-flags-o.patch @@ -0,0 +1,74 @@ +From e12963c453263d5321a2c610e98cbc731233b685 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Wed, 19 Jan 2022 20:19:15 +0200 +Subject: [PATCH] pinctrl: intel: Fix a glitch when updating IRQ flags on a preconfigured line +Git-commit: e12963c453263d5321a2c610e98cbc731233b685 +Patch-mainline: v5.17-rc3 +References: git-fixes + +The commit af7e3eeb84e2 ("pinctrl: intel: Disable input and output buffer +when switching to GPIO") hadn't taken into account an update of the IRQ +flags scenario. + +When updating the IRQ flags on the preconfigured line the ->irq_set_type() +is called again. In such case the sequential Rx buffer configuration +changes may trigger a falling or rising edge interrupt that may lead, +on some platforms, to an undesired event. + +This may happen because each of intel_gpio_set_gpio_mode() and +__intel_gpio_set_direction() updates the pad configuration with a different +value of the GPIORXDIS bit. Notable, that the intel_gpio_set_gpio_mode() is +called only for the pads that are configured as an input. Due to this fact, +integrate the logic of __intel_gpio_set_direction() call into the +intel_gpio_set_gpio_mode() so that the Rx buffer won't be disabled and +immediately re-enabled. + +Fixes: af7e3eeb84e2 ("pinctrl: intel: Disable input and output buffer when switching to GPIO") +Reported-by: Kane Chen +Signed-off-by: Andy Shevchenko +Acked-by: Mika Westerberg +Tested-by: Grace Kao +Acked-by: Takashi Iwai + +--- + drivers/pinctrl/intel/pinctrl-intel.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c +index e9bb98cb9112..826d494f3cc6 100644 +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -451,8 +451,8 @@ static void intel_gpio_set_gpio_mode(void __iomem *padcfg0) + value &= ~PADCFG0_PMODE_MASK; + value |= PADCFG0_PMODE_GPIO; + +- /* Disable input and output buffers */ +- value |= PADCFG0_GPIORXDIS; ++ /* Disable TX buffer and enable RX (this will be input) */ ++ value &= ~PADCFG0_GPIORXDIS; + value |= PADCFG0_GPIOTXDIS; + + /* Disable SCI/SMI/NMI generation */ +@@ -497,9 +497,6 @@ static int intel_gpio_request_enable(struct pinctrl_dev *pctldev, + + intel_gpio_set_gpio_mode(padcfg0); + +- /* Disable TX buffer and enable RX (this will be input) */ +- __intel_gpio_set_direction(padcfg0, true); +- + raw_spin_unlock_irqrestore(&pctrl->lock, flags); + + return 0; +@@ -1115,9 +1112,6 @@ static int intel_gpio_irq_type(struct irq_data *d, unsigned int type) + + intel_gpio_set_gpio_mode(reg); + +- /* Disable TX buffer and enable RX (this will be input) */ +- __intel_gpio_set_direction(reg, true); +- + value = readl(reg); + + value &= ~(PADCFG0_RXEVCFG_MASK | PADCFG0_RXINV); +-- +2.31.1 + diff --git a/patches.suse/pinctrl-intel-fix-unexpected-interrupt.patch b/patches.suse/pinctrl-intel-fix-unexpected-interrupt.patch new file mode 100644 index 0000000..7fa6584 --- /dev/null +++ b/patches.suse/pinctrl-intel-fix-unexpected-interrupt.patch @@ -0,0 +1,127 @@ +From e986f0e602f19ecb7880b04dd1db415ed9bca3f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Bartosik?= +Date: Mon, 24 Jan 2022 13:55:29 +0100 +Subject: [PATCH] pinctrl: intel: fix unexpected interrupt +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: e986f0e602f19ecb7880b04dd1db415ed9bca3f6 +Patch-mainline: v5.17-rc3 +References: git-fixes + +ASUS Chromebook C223 with Celeron N3350 crashes sometimes during +cold booot. Inspection of the kernel log showed that it gets into +an inifite loop logging the following message: + +->handle_irq(): 000000009cdb51e8, handle_bad_irq+0x0/0x251 +->irq_data.chip(): 000000005ec212a7, 0xffffa043009d8e7 +->action(): 00000 IRQ_NOPROBE set +unexpected IRQ trap at vector 7c + +The issue happens during cold boot but only if cold boot happens +at most several dozen seconds after Chromebook is powered off. For +longer intervals between power off and power on (cold boot) the issue +does not reproduce. The unexpected interrupt is sourced from INT3452 +GPIO pin which is used for SD card detect. Investigation relevealed +that when the interval between power off and power on (cold boot) +is less than several dozen seconds then values of INT3452 GPIO interrupt +enable and interrupt pending registers survive power off and power +on sequence and interrupt for SD card detect pin is enabled and pending +during probe of SD controller which causes the unexpected IRQ message. +"Intel Pentium and Celeron Processor N- and J- Series" volume 3 doc +mentions that GPIO interrupt enable and status registers default +value is 0x0. +The fix clears INT3452 GPIO interrupt enabled and interrupt pending +registers in its probe function. + +Fixes: 7981c0015af2 ("pinctrl: intel: Add Intel Sunrisepoint pin controller and GPIO support") +Signed-off-by: Łukasz Bartosik +Signed-off-by: Andy Shevchenko +Acked-by: Takashi Iwai + +--- + drivers/pinctrl/intel/pinctrl-intel.c | 54 +++++++++++++++++---------- + 1 file changed, 34 insertions(+), 20 deletions(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c +index 85750974d182..e9bb98cb9112 100644 +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -1216,6 +1216,39 @@ static irqreturn_t intel_gpio_irq(int irq, void *data) + return IRQ_RETVAL(ret); + } + ++static void intel_gpio_irq_init(struct intel_pinctrl *pctrl) ++{ ++ int i; ++ ++ for (i = 0; i < pctrl->ncommunities; i++) { ++ const struct intel_community *community; ++ void __iomem *base; ++ unsigned int gpp; ++ ++ community = &pctrl->communities[i]; ++ base = community->regs; ++ ++ for (gpp = 0; gpp < community->ngpps; gpp++) { ++ /* Mask and clear all interrupts */ ++ writel(0, base + community->ie_offset + gpp * 4); ++ writel(0xffff, base + community->is_offset + gpp * 4); ++ } ++ } ++} ++ ++static int intel_gpio_irq_init_hw(struct gpio_chip *gc) ++{ ++ struct intel_pinctrl *pctrl = gpiochip_get_data(gc); ++ ++ /* ++ * Make sure the interrupt lines are in a proper state before ++ * further configuration. ++ */ ++ intel_gpio_irq_init(pctrl); ++ ++ return 0; ++} ++ + static int intel_gpio_add_community_ranges(struct intel_pinctrl *pctrl, + const struct intel_community *community) + { +@@ -1320,6 +1353,7 @@ static int intel_gpio_probe(struct intel_pinctrl *pctrl, int irq) + girq->num_parents = 0; + girq->default_type = IRQ_TYPE_NONE; + girq->handler = handle_bad_irq; ++ girq->init_hw = intel_gpio_irq_init_hw; + + ret = devm_gpiochip_add_data(pctrl->dev, &pctrl->chip, pctrl); + if (ret) { +@@ -1695,26 +1729,6 @@ int intel_pinctrl_suspend_noirq(struct device *dev) + } + EXPORT_SYMBOL_GPL(intel_pinctrl_suspend_noirq); + +-static void intel_gpio_irq_init(struct intel_pinctrl *pctrl) +-{ +- size_t i; +- +- for (i = 0; i < pctrl->ncommunities; i++) { +- const struct intel_community *community; +- void __iomem *base; +- unsigned int gpp; +- +- community = &pctrl->communities[i]; +- base = community->regs; +- +- for (gpp = 0; gpp < community->ngpps; gpp++) { +- /* Mask and clear all interrupts */ +- writel(0, base + community->ie_offset + gpp * 4); +- writel(0xffff, base + community->is_offset + gpp * 4); +- } +- } +-} +- + static bool intel_gpio_update_reg(void __iomem *reg, u32 mask, u32 value) + { + u32 curr, updated; +-- +2.31.1 + diff --git a/patches.suse/powerpc-perf-Fix-power_pmu_disable-to-call-clear_pmi.patch b/patches.suse/powerpc-perf-Fix-power_pmu_disable-to-call-clear_pmi.patch new file mode 100644 index 0000000..4e9c7e3 --- /dev/null +++ b/patches.suse/powerpc-perf-Fix-power_pmu_disable-to-call-clear_pmi.patch @@ -0,0 +1,95 @@ +From fb6433b48a178d4672cb26632454ee0b21056eaa Mon Sep 17 00:00:00 2001 +From: Athira Rajeev +Date: Sat, 22 Jan 2022 09:04:29 +0530 +Subject: [PATCH] powerpc/perf: Fix power_pmu_disable to call + clear_pmi_irq_pending only if PMI is pending + +References: bsc#1156395 +Patch-mainline: v5.17-rc2 +Git-commit: fb6433b48a178d4672cb26632454ee0b21056eaa + +Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel +triggered below warning: + +[ 172.851380] ------------[ cut here ]------------ +[ 172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280 +[ 172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse +[ 172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2 +[ 172.851451] NIP: c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180 +[ 172.851458] REGS: c000000017687860 TRAP: 0700 Not tainted (5.16.0-rc5-03218-g798527287598) +[ 172.851465] MSR: 8000000000029033 CR: 48004884 XER: 20040000 +[ 172.851482] CFAR: c00000000013d5b4 IRQMASK: 1 +[ 172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004 +[ 172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000 +[ 172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68 +[ 172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000 +[ 172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0 +[ 172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003 +[ 172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600 +[ 172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8 +[ 172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280 +[ 172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280 +[ 172.851565] Call Trace: +[ 172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable) +[ 172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60 +[ 172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660 +[ 172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0 +[ 172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140 +[ 172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40 +[ 172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380 +[ 172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268 + +The warning indicates that MSR_EE being set(interrupt enabled) when +there was an overflown PMC detected. This could happen in +power_pmu_disable since it runs under interrupt soft disable +condition ( local_irq_save ) and not with interrupts hard disabled. +commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear +pending PMI before resetting an overflown PMC") intended to clear +PMI pending bit in Paca when disabling the PMU. It could happen +that PMC gets overflown while code is in power_pmu_disable +callback function. Hence add a check to see if PMI pending bit +is set in Paca before clearing it via clear_pmi_pending. + +Fixes: 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") +Reported-by: Sachin Sant +Signed-off-by: Athira Rajeev +Tested-by: Sachin Sant +Reviewed-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220122033429.25395-1-atrajeev@linux.vnet.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/perf/core-book3s.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +index 32b98b7a1f86..b5b42cf0a703 100644 +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -1355,9 +1355,20 @@ static void power_pmu_disable(struct pmu *pmu) + * Otherwise provide a warning if there is PMI pending, but + * no counter is found overflown. + */ +- if (any_pmc_overflown(cpuhw)) +- clear_pmi_irq_pending(); +- else ++ if (any_pmc_overflown(cpuhw)) { ++ /* ++ * Since power_pmu_disable runs under local_irq_save, it ++ * could happen that code hits a PMC overflow without PMI ++ * pending in paca. Hence only clear PMI pending if it was ++ * set. ++ * ++ * If a PMI is pending, then MSR[EE] must be disabled (because ++ * the masked PMI handler disabling EE). So it is safe to ++ * call clear_pmi_irq_pending(). ++ */ ++ if (pmi_irq_pending()) ++ clear_pmi_irq_pending(); ++ } else + WARN_ON(pmi_irq_pending()); + + val = mmcra = cpuhw->mmcr.mmcra; +-- +2.31.1 + diff --git a/patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ctr.patch b/patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ctr.patch new file mode 100644 index 0000000..c8f38cd --- /dev/null +++ b/patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ctr.patch @@ -0,0 +1,117 @@ +From b7fb2dad571d1e21173c06cef0bced77b323990a Mon Sep 17 00:00:00 2001 +From: Sujit Kautkar +Date: Mon, 10 Jan 2022 10:47:36 -0800 +Subject: [PATCH] rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev +Git-commit: b7fb2dad571d1e21173c06cef0bced77b323990a +Patch-mainline: v5.17-rc2 +References: git-fixes + +struct rpmsg_ctrldev contains a struct cdev. The current code frees +the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the +cdev is a managed object, therefore its release is not predictable +and the rpmsg_ctrldev could be freed before the cdev is entirely +released, as in the backtrace below. + +[ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c +[ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0 +[ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v +[ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26 +[ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT) +[ 93.730055] Workqueue: events kobject_delayed_cleanup +[ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO) +[ 93.740216] pc : debug_print_object+0x13c/0x1b0 +[ 93.744890] lr : debug_print_object+0x13c/0x1b0 +[ 93.749555] sp : ffffffacf5bc7940 +[ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000 +[ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000 +[ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000 +[ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0 +[ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0 +[ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0 +[ 93.785814] x17: 0000000000000000 x16: dfffffd000000000 +[ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c +[ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000 +[ 93.802244] x11: 0000000000000001 x10: 0000000000000000 +[ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900 +[ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000 +[ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000 +[ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001 +[ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061 +[ 93.835104] Call trace: +[ 93.837644] debug_print_object+0x13c/0x1b0 +[ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0 +[ 93.846987] debug_check_no_obj_freed+0x18/0x20 +[ 93.851669] slab_free_freelist_hook+0xbc/0x1e4 +[ 93.856346] kfree+0xfc/0x2f4 +[ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8 +[ 93.864445] device_release+0x84/0x168 +[ 93.868310] kobject_cleanup+0x12c/0x298 +[ 93.872356] kobject_delayed_cleanup+0x10/0x18 +[ 93.876948] process_one_work+0x578/0x92c +[ 93.881086] worker_thread+0x804/0xcf8 +[ 93.884963] kthread+0x2a8/0x314 +[ 93.888303] ret_from_fork+0x10/0x18 + +The cdev_device_add/del() API was created to address this issue (see +commit '233ed09d7fda ("chardev: add helper function to register char +devs with a struct device")'), use it instead of cdev add/del(). + +Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface") +Signed-off-by: Sujit Kautkar +Signed-off-by: Matthias Kaehlcke +Reviewed-by: Mathieu Poirier +Reviewed-by: Bjorn Andersson +Reviewed-by: Stephen Boyd +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220110104706.v6.1.Iaac908f3e3149a89190ce006ba166e2d3fd247a3@changeid +Acked-by: Takashi Iwai + +--- + drivers/rpmsg/rpmsg_char.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c +index d6214cb66026..8d3c2ca7081b 100644 +--- a/drivers/rpmsg/rpmsg_char.c ++++ b/drivers/rpmsg/rpmsg_char.c +@@ -462,7 +462,6 @@ static void rpmsg_ctrldev_release_device(struct device *dev) + + ida_simple_remove(&rpmsg_ctrl_ida, dev->id); + ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt)); +- cdev_del(&ctrldev->cdev); + kfree(ctrldev); + } + +@@ -497,19 +496,13 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev) + dev->id = ret; + dev_set_name(&ctrldev->dev, "rpmsg_ctrl%d", ret); + +- ret = cdev_add(&ctrldev->cdev, dev->devt, 1); ++ ret = cdev_device_add(&ctrldev->cdev, &ctrldev->dev); + if (ret) + goto free_ctrl_ida; + + /* We can now rely on the release function for cleanup */ + dev->release = rpmsg_ctrldev_release_device; + +- ret = device_add(dev); +- if (ret) { +- dev_err(&rpdev->dev, "device_add failed: %d\n", ret); +- put_device(dev); +- } +- + dev_set_drvdata(&rpdev->dev, ctrldev); + + return ret; +@@ -535,7 +528,7 @@ static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev) + if (ret) + dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret); + +- device_del(&ctrldev->dev); ++ cdev_device_del(&ctrldev->cdev, &ctrldev->dev); + put_device(&ctrldev->dev); + } + +-- +2.31.1 + diff --git a/patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ept.patch b/patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ept.patch new file mode 100644 index 0000000..6eb0f3d --- /dev/null +++ b/patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ept.patch @@ -0,0 +1,76 @@ +From 7a534ae89e34e9b51acb5a63dd0f88308178b46a Mon Sep 17 00:00:00 2001 +From: Matthias Kaehlcke +Date: Mon, 10 Jan 2022 10:47:37 -0800 +Subject: [PATCH] rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev +Git-commit: 7a534ae89e34e9b51acb5a63dd0f88308178b46a +Patch-mainline: v5.17-rc2 +References: git-fixes + +struct rpmsg_eptdev contains a struct cdev. The current code frees +the rpmsg_eptdev struct in rpmsg_eptdev_destroy(), but the cdev is +a managed object, therefore its release is not predictable and the +rpmsg_eptdev could be freed before the cdev is entirely released. + +The cdev_device_add/del() API was created to address this issue +(see commit '233ed09d7fda ("chardev: add helper function to register +char devs with a struct device")'), use it instead of cdev add/del(). + +Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface") +Suggested-by: Bjorn Andersson +Signed-off-by: Matthias Kaehlcke +Reviewed-by: Mathieu Poirier +Reviewed-by: Stephen Boyd +Reviewed-by: Bjorn Andersson +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220110104706.v6.2.Idde68b05b88d4a2e6e54766c653f3a6d9e419ce6@changeid +Acked-by: Takashi Iwai + +--- + drivers/rpmsg/rpmsg_char.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c +index 8d3c2ca7081b..5663cf799c95 100644 +--- a/drivers/rpmsg/rpmsg_char.c ++++ b/drivers/rpmsg/rpmsg_char.c +@@ -93,7 +93,7 @@ static int rpmsg_eptdev_destroy(struct device *dev, void *data) + /* wake up any blocked readers */ + wake_up_interruptible(&eptdev->readq); + +- device_del(&eptdev->dev); ++ cdev_device_del(&eptdev->cdev, &eptdev->dev); + put_device(&eptdev->dev); + + return 0; +@@ -336,7 +336,6 @@ static void rpmsg_eptdev_release_device(struct device *dev) + + ida_simple_remove(&rpmsg_ept_ida, dev->id); + ida_simple_remove(&rpmsg_minor_ida, MINOR(eptdev->dev.devt)); +- cdev_del(&eptdev->cdev); + kfree(eptdev); + } + +@@ -381,19 +380,13 @@ static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev, + dev->id = ret; + dev_set_name(dev, "rpmsg%d", ret); + +- ret = cdev_add(&eptdev->cdev, dev->devt, 1); ++ ret = cdev_device_add(&eptdev->cdev, &eptdev->dev); + if (ret) + goto free_ept_ida; + + /* We can now rely on the release function for cleanup */ + dev->release = rpmsg_eptdev_release_device; + +- ret = device_add(dev); +- if (ret) { +- dev_err(dev, "device_add failed: %d\n", ret); +- put_device(dev); +- } +- + return ret; + + free_ept_ida: +-- +2.31.1 + diff --git a/patches.suse/scripts-dtc-only-append-to-HOST_EXTRACFLAGS-instead-.patch b/patches.suse/scripts-dtc-only-append-to-HOST_EXTRACFLAGS-instead-.patch new file mode 100644 index 0000000..c52968b --- /dev/null +++ b/patches.suse/scripts-dtc-only-append-to-HOST_EXTRACFLAGS-instead-.patch @@ -0,0 +1,39 @@ +From efe84d408bf41975db8506d3a1cc02e794e2309c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Sat, 19 Sep 2020 16:39:22 +0200 +Subject: [PATCH] scripts/dtc: only append to HOST_EXTRACFLAGS instead of + overwriting +Patch-mainline: v5.9-rc8 +Git-commit: efe84d408bf41975db8506d3a1cc02e794e2309c +References: git-fixes + + +When building with + + $ HOST_EXTRACFLAGS=-g make + +the expectation is that host tools are built with debug informations. +This however doesn't happen if the Makefile assigns a new value to the +HOST_EXTRACFLAGS instead of appending to it. So use += instead of := for +the first assignment. + +Fixes: e3fd9b5384f3 ("scripts/dtc: consolidate include path options in Makefile") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Rob Herring +Acked-by: Dirk Mueller + +--- + scripts/dtc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/dtc/Makefile ++++ b/scripts/dtc/Makefile +@@ -9,7 +9,7 @@ dtc-objs := dtc.o flattree.o fstree.o da + dtc-objs += dtc-lexer.lex.o dtc-parser.tab.o + + # Source files need to get at the userspace version of libfdt_env.h to compile +-HOST_EXTRACFLAGS := -I $(srctree)/$(src)/libfdt ++HOST_EXTRACFLAGS += -I $(srctree)/$(src)/libfdt + + ifeq ($(wildcard /usr/include/yaml.h),) + ifneq ($(CHECK_DTBS),) diff --git a/patches.suse/spi-bcm-qspi-check-for-valid-cs-before-applying-chip.patch b/patches.suse/spi-bcm-qspi-check-for-valid-cs-before-applying-chip.patch new file mode 100644 index 0000000..52cebe6 --- /dev/null +++ b/patches.suse/spi-bcm-qspi-check-for-valid-cs-before-applying-chip.patch @@ -0,0 +1,41 @@ +From 2cbd27267ffe020af1442b95ec57f59a157ba85c Mon Sep 17 00:00:00 2001 +From: Kamal Dasu +Date: Thu, 27 Jan 2022 13:53:59 -0500 +Subject: [PATCH] spi: bcm-qspi: check for valid cs before applying chip select +Git-commit: 2cbd27267ffe020af1442b95ec57f59a157ba85c +Patch-mainline: v5.17-rc3 +References: git-fixes + +Apply only valid chip select value. This change fixes case where chip +select is set to initial value of '-1' during probe and PM supend and +subsequent resume can try to use the value with undefined behaviour. +Also in case where gpio based chip select, the check in +bcm_qspi_chip_select() shall prevent undefined behaviour on resume. + +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Kamal Dasu +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220127185359.27322-1-kdasu.kdev@gmail.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-bcm-qspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c +index c9a769b8594b..86c76211b3d3 100644 +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -585,7 +585,7 @@ static void bcm_qspi_chip_select(struct bcm_qspi *qspi, int cs) + u32 rd = 0; + u32 wr = 0; + +- if (qspi->base[CHIP_SELECT]) { ++ if (cs >= 0 && qspi->base[CHIP_SELECT]) { + rd = bcm_qspi_read(qspi, CHIP_SELECT, 0); + wr = (rd & ~0xff) | (1 << cs); + if (rd == wr) +-- +2.31.1 + diff --git a/patches.suse/spi-mediatek-Avoid-NULL-pointer-crash-in-interrupt.patch b/patches.suse/spi-mediatek-Avoid-NULL-pointer-crash-in-interrupt.patch new file mode 100644 index 0000000..3d63f28 --- /dev/null +++ b/patches.suse/spi-mediatek-Avoid-NULL-pointer-crash-in-interrupt.patch @@ -0,0 +1,39 @@ +From f83a96e5f033fbbd21764705cb9c04234b96218e Mon Sep 17 00:00:00 2001 +From: Benjamin Gaignard +Date: Mon, 31 Jan 2022 15:17:08 +0100 +Subject: [PATCH] spi: mediatek: Avoid NULL pointer crash in interrupt +Git-commit: f83a96e5f033fbbd21764705cb9c04234b96218e +Patch-mainline: v5.17-rc3 +References: git-fixes + +In some case, like after a transfer timeout, master->cur_msg pointer +is NULL which led to a kernel crash when trying to use master->cur_msg->spi. +mtk_spi_can_dma(), pointed by master->can_dma, doesn't use this parameter +avoid the problem by setting NULL as second parameter. + +Fixes: a568231f46322 ("spi: mediatek: Add spi bus for Mediatek MT8173") +Signed-off-by: Benjamin Gaignard +Link: https://lore.kernel.org/r/20220131141708.888710-1-benjamin.gaignard@collabora.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-mt65xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c +index a15de10ee286..753bd313e6fd 100644 +--- a/drivers/spi/spi-mt65xx.c ++++ b/drivers/spi/spi-mt65xx.c +@@ -624,7 +624,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) + else + mdata->state = MTK_SPI_IDLE; + +- if (!master->can_dma(master, master->cur_msg->spi, trans)) { ++ if (!master->can_dma(master, NULL, trans)) { + if (trans->rx_buf) { + cnt = mdata->xfer_len / 4; + ioread32_rep(mdata->base + SPI_RX_DATA_REG, +-- +2.31.1 + diff --git a/patches.suse/spi-meson-spicc-add-IRQ-check-in-meson_spicc_probe.patch b/patches.suse/spi-meson-spicc-add-IRQ-check-in-meson_spicc_probe.patch new file mode 100644 index 0000000..31ba72f --- /dev/null +++ b/patches.suse/spi-meson-spicc-add-IRQ-check-in-meson_spicc_probe.patch @@ -0,0 +1,42 @@ +From e937440f7fc444a3e3f1fb75ea65292d6f433a44 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Wed, 26 Jan 2022 11:04:47 +0000 +Subject: [PATCH] spi: meson-spicc: add IRQ check in meson_spicc_probe +Git-commit: e937440f7fc444a3e3f1fb75ea65292d6f433a44 +Patch-mainline: v5.17-rc3 +References: git-fixes + +This check misses checking for platform_get_irq()'s call and may passes +the negative error codes to devm_request_irq(), which takes unsigned IRQ #, +causing it to fail with -EINVAL, overriding an original error code. +Stop calling devm_request_irq() with invalid IRQ #s. + +Fixes: 454fa271bc4e ("spi: Add Meson SPICC driver") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220126110447.24549-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-meson-spicc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c +index c208efeadd18..0bc7daa7afc8 100644 +--- a/drivers/spi/spi-meson-spicc.c ++++ b/drivers/spi/spi-meson-spicc.c +@@ -693,6 +693,11 @@ static int meson_spicc_probe(struct platform_device *pdev) + writel_relaxed(0, spicc->base + SPICC_INTREG); + + irq = platform_get_irq(pdev, 0); ++ if (irq < 0) { ++ ret = irq; ++ goto out_master; ++ } ++ + ret = devm_request_irq(&pdev->dev, irq, meson_spicc_irq, + 0, NULL, spicc); + if (ret) { +-- +2.31.1 + diff --git a/patches.suse/tty-Add-support-for-Brainboxes-UC-cards.patch b/patches.suse/tty-Add-support-for-Brainboxes-UC-cards.patch new file mode 100644 index 0000000..b9da496 --- /dev/null +++ b/patches.suse/tty-Add-support-for-Brainboxes-UC-cards.patch @@ -0,0 +1,145 @@ +From 152d1afa834c84530828ee031cf07a00e0fc0b8c Mon Sep 17 00:00:00 2001 +From: Cameron Williams +Date: Mon, 24 Jan 2022 09:42:23 +0000 +Subject: [PATCH] tty: Add support for Brainboxes UC cards. +Git-commit: 152d1afa834c84530828ee031cf07a00e0fc0b8c +Patch-mainline: v5.17-rc2 +References: git-fixes + +This commit adds support for the some of the Brainboxes PCI range of +cards, including the UC-101, UC-235/246, UC-257, UC-268, UC-275/279, +UC-302, UC-310, UC-313, UC-320/324, UC-346, UC-357, UC-368 +and UC-420/431. + +Signed-off-by: Cameron Williams +Cc: stable +Link: https://lore.kernel.org/r/AM5PR0202MB2564688493F7DD9B9C610827C45E9@AM5PR0202MB2564.eurprd02.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/8250/8250_pci.c | 100 ++++++++++++++++++++++++++++- + 1 file changed, 98 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index e8b5469e9dfa..e17e97ea86fa 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -4779,8 +4779,30 @@ static const struct pci_device_id serial_pci_tbl[] = { + { PCI_VENDOR_ID_INTASHIELD, PCI_DEVICE_ID_INTASHIELD_IS400, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */ + pbn_b2_4_115200 }, ++ /* Brainboxes Devices */ + /* +- * BrainBoxes UC-260 ++ * Brainboxes UC-101 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0BA1, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_2_115200 }, ++ /* ++ * Brainboxes UC-235/246 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0AA1, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_1_115200 }, ++ /* ++ * Brainboxes UC-257 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0861, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_2_115200 }, ++ /* ++ * Brainboxes UC-260/271/701/756 + */ + { PCI_VENDOR_ID_INTASHIELD, 0x0D21, + PCI_ANY_ID, PCI_ANY_ID, +@@ -4788,7 +4810,81 @@ static const struct pci_device_id serial_pci_tbl[] = { + pbn_b2_4_115200 }, + { PCI_VENDOR_ID_INTASHIELD, 0x0E34, + PCI_ANY_ID, PCI_ANY_ID, +- PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, ++ pbn_b2_4_115200 }, ++ /* ++ * Brainboxes UC-268 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0841, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_4_115200 }, ++ /* ++ * Brainboxes UC-275/279 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0881, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_8_115200 }, ++ /* ++ * Brainboxes UC-302 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x08E1, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_2_115200 }, ++ /* ++ * Brainboxes UC-310 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x08C1, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_2_115200 }, ++ /* ++ * Brainboxes UC-313 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x08A3, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_2_115200 }, ++ /* ++ * Brainboxes UC-320/324 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0A61, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_1_115200 }, ++ /* ++ * Brainboxes UC-346 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0B02, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_4_115200 }, ++ /* ++ * Brainboxes UC-357 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0A81, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_2_115200 }, ++ { PCI_VENDOR_ID_INTASHIELD, 0x0A83, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_2_115200 }, ++ /* ++ * Brainboxes UC-368 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0C41, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, ++ pbn_b2_4_115200 }, ++ /* ++ * Brainboxes UC-420/431 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0921, ++ PCI_ANY_ID, PCI_ANY_ID, ++ 0, 0, + pbn_b2_4_115200 }, + /* + * Perle PCI-RAS cards +-- +2.31.1 + diff --git a/patches.suse/udf-Fix-NULL-ptr-deref-when-converting-from-inline-f.patch b/patches.suse/udf-Fix-NULL-ptr-deref-when-converting-from-inline-f.patch new file mode 100644 index 0000000..45973be --- /dev/null +++ b/patches.suse/udf-Fix-NULL-ptr-deref-when-converting-from-inline-f.patch @@ -0,0 +1,69 @@ +From 7fc3b7c2981bbd1047916ade327beccb90994eee Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 17 Jan 2022 18:22:13 +0100 +Subject: [PATCH] udf: Fix NULL ptr deref when converting from inline format +Git-commit: 7fc3b7c2981bbd1047916ade327beccb90994eee +Patch-mainline: v5.17-rc2 +References: bsc#1195476 + +udf_expand_file_adinicb() calls directly ->writepage to write data +expanded into a page. This however misses to setup inode for writeback +properly and so we can crash on inode->i_wb dereference when submitting +page for IO like: + + BUG: kernel NULL pointer dereference, address: 0000000000000158 + #PF: supervisor read access in kernel mode +... + + __folio_start_writeback+0x2ac/0x350 + __block_write_full_page+0x37d/0x490 + udf_expand_file_adinicb+0x255/0x400 [udf] + udf_file_write_iter+0xbe/0x1b0 [udf] + new_sync_write+0x125/0x1c0 + vfs_write+0x28e/0x400 + +Fix the problem by marking the page dirty and going through the standard +writeback path to write the page. Strictly speaking we would not even +have to write the page but we want to catch e.g. ENOSPC errors early. + +Reported-by: butt3rflyh4ck +Cc: stable@vger.kernel.org +Fixes: 52ebea749aae ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks") +Reviewed-by: Christoph Hellwig +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/inode.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 1d6b7a50736b..d6aa506b6b58 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -258,10 +258,6 @@ int udf_expand_file_adinicb(struct inode *inode) + char *kaddr; + struct udf_inode_info *iinfo = UDF_I(inode); + int err; +- struct writeback_control udf_wbc = { +- .sync_mode = WB_SYNC_NONE, +- .nr_to_write = 1, +- }; + + WARN_ON_ONCE(!inode_is_locked(inode)); + if (!iinfo->i_lenAlloc) { +@@ -305,8 +301,10 @@ int udf_expand_file_adinicb(struct inode *inode) + iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; + /* from now on we have normal address_space methods */ + inode->i_data.a_ops = &udf_aops; ++ set_page_dirty(page); ++ unlock_page(page); + up_write(&iinfo->i_data_sem); +- err = inode->i_data.a_ops->writepage(page, &udf_wbc); ++ err = filemap_fdatawrite(inode->i_mapping); + if (err) { + /* Restore everything back so that we don't lose data... */ + lock_page(page); +-- +2.31.1 + diff --git a/patches.suse/udf-Restore-i_lenAlloc-when-inode-expansion-fails.patch b/patches.suse/udf-Restore-i_lenAlloc-when-inode-expansion-fails.patch new file mode 100644 index 0000000..56bc54d --- /dev/null +++ b/patches.suse/udf-Restore-i_lenAlloc-when-inode-expansion-fails.patch @@ -0,0 +1,39 @@ +From ea8569194b43f0f01f0a84c689388542c7254a1f Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 18 Jan 2022 09:57:25 +0100 +Subject: [PATCH] udf: Restore i_lenAlloc when inode expansion fails +Git-commit: ea8569194b43f0f01f0a84c689388542c7254a1f +Patch-mainline: v5.17-rc2 +References: bsc#1195477 + +When we fail to expand inode from inline format to a normal format, we +restore inode to contain the original inline formatting but we forgot to +set i_lenAlloc back. The mismatch between i_lenAlloc and i_size was then +causing further problems such as warnings and lost data down the line. + +Reported-by: butt3rflyh4ck +Cc: stable@vger.kernel.org +Fixes: 7e49b6f2480c ("udf: Convert UDF to new truncate calling sequence") +Reviewed-by: Christoph Hellwig +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/inode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index d6aa506b6b58..ea8f6cd01f50 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -315,6 +315,7 @@ int udf_expand_file_adinicb(struct inode *inode) + unlock_page(page); + iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB; + inode->i_data.a_ops = &udf_adinicb_aops; ++ iinfo->i_lenAlloc = inode->i_size; + up_write(&iinfo->i_data_sem); + } + put_page(page); +-- +2.31.1 + diff --git a/patches.suse/usb-storage-Add-unusual-devs-entry-for-VL817-USB-SAT.patch b/patches.suse/usb-storage-Add-unusual-devs-entry-for-VL817-USB-SAT.patch new file mode 100644 index 0000000..7d227bd --- /dev/null +++ b/patches.suse/usb-storage-Add-unusual-devs-entry-for-VL817-USB-SAT.patch @@ -0,0 +1,65 @@ +From 5b67b315037250a61861119683e7fcb509deea25 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 24 Jan 2022 15:14:40 -0500 +Subject: [PATCH] usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5b67b315037250a61861119683e7fcb509deea25 +Patch-mainline: v5.17-rc2 +References: git-fixes + +Two people have reported (and mentioned numerous other reports on the +web) that VIA's VL817 USB-SATA bridge does not work with the uas +driver. Typical log messages are: + +[ 3606.232149] sd 14:0:0:0: [sdg] tag#2 uas_zap_pending 0 uas-tag 1 inflight: CMD +[ 3606.232154] sd 14:0:0:0: [sdg] tag#2 CDB: Write(16) 8a 00 00 00 00 00 18 0c c9 80 00 00 00 80 00 00 +[ 3606.306257] usb 4-4.4: reset SuperSpeed Plus Gen 2x1 USB device number 11 using xhci_hcd +[ 3606.328584] scsi host14: uas_eh_device_reset_handler success + +Surprisingly, the devices do seem to work okay for some other people. +The cause of the differing behaviors is not known. + +In the hope of getting the devices to work for the most users, even at +the possible cost of degraded performance for some, this patch adds an +unusual_devs entry for the VL817 to block it from binding to the uas +driver by default. Users will be able to override this entry by means +of a module parameter, if they want. + +Cc: +Reported-by: DocMAX +Reported-and-tested-by: Thomas Weißschuh +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/Ye8IsK2sjlEv1rqU@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/storage/unusual_devs.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index 29191d33c0e3..1a05e3dcfec8 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2301,6 +2301,16 @@ UNUSUAL_DEV( 0x2027, 0xa001, 0x0000, 0x9999, + USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, + US_FL_SCM_MULT_TARG ), + ++/* ++ * Reported by DocMAX ++ * and Thomas Weißschuh ++ */ ++UNUSUAL_DEV( 0x2109, 0x0715, 0x9999, 0x9999, ++ "VIA Labs, Inc.", ++ "VL817 SATA Bridge", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_IGNORE_UAS), ++ + UNUSUAL_DEV( 0x2116, 0x0320, 0x0001, 0x0001, + "ST", + "2A", +-- +2.31.1 + diff --git a/patches.suse/xhci-pci-Allow-host-runtime-PM-as-default-for-Intel.patch b/patches.suse/xhci-pci-Allow-host-runtime-PM-as-default-for-Intel.patch new file mode 100644 index 0000000..692f39a --- /dev/null +++ b/patches.suse/xhci-pci-Allow-host-runtime-PM-as-default-for-Intel.patch @@ -0,0 +1,51 @@ +From c4d1ca05b8e68a4b5a3c4455cb6ec25b3df6d9dd Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 8 Dec 2020 11:29:10 +0200 +Subject: [PATCH] xhci-pci: Allow host runtime PM as default for Intel Alpine + Ridge LP +Git-commit: c4d1ca05b8e68a4b5a3c4455cb6ec25b3df6d9dd +References: git-fixes +Patch-mainline: v5.11-rc1 + +The xHCI controller on Alpine Ridge LP keeps the whole Thunderbolt +controller awake if the host controller is not allowed to sleep. +This is the case even if no USB devices are connected to the host. + +Add the Intel Alpine Ridge LP product-id to the list of product-ids +for which we allow runtime PM by default. + +Fixes: 2815ef7fe4d4 ("xhci-pci: allow host runtime PM as default for Intel Alpine and Titan Ridge") +Cc: +Reviewed-by: Mika Westerberg +Signed-off-by: Hans de Goede +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20201208092912.1773650-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/xhci-pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index bf89172c43ca..5f94d7edeb37 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -47,6 +47,7 @@ + #define PCI_DEVICE_ID_INTEL_DNV_XHCI 0x19d0 + #define PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_2C_XHCI 0x15b5 + #define PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_4C_XHCI 0x15b6 ++#define PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_LP_XHCI 0x15c1 + #define PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_C_2C_XHCI 0x15db + #define PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_C_4C_XHCI 0x15d4 + #define PCI_DEVICE_ID_INTEL_TITAN_RIDGE_2C_XHCI 0x15e9 +@@ -232,6 +233,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + if (pdev->vendor == PCI_VENDOR_ID_INTEL && + (pdev->device == PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_2C_XHCI || + pdev->device == PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_4C_XHCI || ++ pdev->device == PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_LP_XHCI || + pdev->device == PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_C_2C_XHCI || + pdev->device == PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_C_4C_XHCI || + pdev->device == PCI_DEVICE_ID_INTEL_TITAN_RIDGE_2C_XHCI || +-- +2.34.1 + diff --git a/series.conf b/series.conf index 4f40113..663a6a7 100644 --- a/series.conf +++ b/series.conf @@ -11863,6 +11863,7 @@ patches.suse/USB-serial-option-add-support-for-DW5821e-with-eSIM-.patch patches.suse/0001-USB-serial-mos7720-fix-remote-wakeup.patch patches.suse/0001-USB-serial-mos7840-fix-remote-wakeup.patch + patches.suse/USB-serial-mos7840-fix-probe-error-handling.patch patches.suse/USB-serial-option-add-support-for-Foxconn-T77W968-LT.patch patches.suse/USB-serial-ftdi_sio-add-device-IDs-for-U-Blox-C099-F.patch patches.suse/0001-usb-host-xhci-update-event-ring-dequeue-pointer-on-p.patch @@ -43008,6 +43009,7 @@ patches.suse/nfs-Fix-security-label-length-not-being-reset.patch patches.suse/NFSv4.2-fix-client-s-attribute-cache-management-for-.patch patches.suse/pNFS-flexfiles-Ensure-we-initialise-the-mirror-bsize.patch + patches.suse/scripts-dtc-only-append-to-HOST_EXTRACFLAGS-instead-.patch patches.suse/clk-tegra-Always-program-PLL_E-when-enabled.patch patches.suse/clk-tegra-Fix-missing-prototype-for-tegra210_clk_reg.patch patches.suse/clk-samsung-exynos4-mark-chipid-clock-as-CLK_IGNORE_.patch @@ -45131,6 +45133,7 @@ patches.suse/i3c-master-Fix-error-return-in-cdns_i3c_master_probe.patch patches.suse/IB-mlx4-Add-and-improve-logging.patch patches.suse/IB-mlx4-Add-support-for-MRA.patch + patches.suse/IB-mlx4-Separate-tunnel-and-wire-bufs-parameters.patch patches.suse/IB-mlx4-Fix-starvation-in-paravirt-mux-demux.patch patches.suse/IB-mlx4-Adjust-delayed-work-when-a-dup-is-observed.patch patches.suse/RDMA-efa-Remove-redundant-udata-check-from-alloc-uco.patch @@ -45149,8 +45152,11 @@ patches.suse/RDMA-ucma-Narrow-file-mut-in-ucma_event_handler.patch patches.suse/RDMA-ucma-Rework-how-new-connections-are-passed-thro.patch patches.suse/RDMA-ucma-Remove-closing-and-the-close_wq.patch + patches.suse/RDMA-hns-Add-a-check-for-current-state-before-modify.patch patches.suse/RDMA-ucma-Fix-resource-leak-on-error-path.patch + patches.suse/RDMA-mlx5-Fix-potential-race-between-destroy-and-CQE.patch patches.suse/RDMA-rtrs-srv-Incorporate-ib_register_client-into-rt.patch + patches.suse/RDMA-mlx5-Issue-FW-command-to-destroy-SRQ-on-reentry.patch patches.suse/RDMA-Change-XRCD-destroy-return-value.patch patches.suse/RDMA-umem-Fix-ib_umem_find_best_pgsz-for-mappings-th.patch patches.suse/RDMA-umem-Prevent-small-pages-from-being-returned-by.patch @@ -45178,6 +45184,7 @@ patches.suse/RDMA-mlx5-Remove-dead-check-for-EAGAIN-after-alloc_m.patch patches.suse/RDMA-mlx5-Disable-IB_DEVICE_MEM_MGT_EXTENSIONS-if-IB.patch patches.suse/RDMA-ucma-Rework-ucma_migrate_id-to-avoid-races-with.patch + patches.suse/i40iw-Add-support-to-make-destroy-QP-synchronous.patch patches.suse/RDMA-efa-Drop-double-zeroing-for-sg_init_table.patch patches.suse/RDMA-hns-Add-interception-for-resizing-SRQs.patch patches.suse/RDMA-hns-Correct-typo-of-hns_roce_create_cq.patch @@ -45186,6 +45193,7 @@ patches.suse/RDMA-hns-Fix-the-wrong-value-of-rnr_retry-when-query.patch patches.suse/RDMA-hns-Fix-configuration-of-ack_req_freq-in-QPC.patch patches.suse/RDMA-hns-Fix-missing-sq_sig_type-when-querying-QP.patch + patches.suse/RDMA-mlx5-Fix-type-warning-of-sizeof-in-__mlx5_ib_al.patch patches.suse/RDMA-addr-Fix-race-with-netevent_callback-rdma_addr_.patch patches.suse/RDMA-qedr-Endianness-warnings-cleanup.patch patches.suse/overflow-Include-header-file-with-SIZE_MAX-declarati.patch @@ -45938,6 +45946,7 @@ patches.suse/powerpc-64s-rename-pnv-pseries_setup_rfi_flush-to-_s.patch patches.suse/RDMA-cm-Make-the-local_id_table-xarray-non-irq.patch patches.suse/RDMA-pvrdma-Fix-missing-kfree-in-pvrdma_register_dev.patch + patches.suse/RMDA-sw-Don-t-allow-drivers-using-dma_virt_ops-on-hi.patch patches.suse/IB-hfi1-Fix-error-return-code-in-hfi1_init_dd.patch patches.suse/rfkill-Fix-use-after-free-in-rfkill_resume.patch patches.suse/mac80211-minstrel-remove-deferred-sampling-code.patch @@ -46114,6 +46123,7 @@ patches.suse/spi-spi-nxp-fspi-fix-fspi-panic-by-unexpected-interr.patch patches.suse/spi-imx-fix-the-unbalanced-spi-runtime-pm-management.patch patches.suse/IB-mthca-fix-return-value-of-error-branch-in-mthca_i.patch + patches.suse/RDMA-i40iw-Address-an-mmap-handler-exploit-in-i40iw.patch patches.suse/IB-hfi1-Ensure-correct-mm-is-used-at-all-times.patch patches.suse/RDMA-hns-Fix-wrong-field-of-SRQ-number-the-device-su.patch patches.suse/RDMA-hns-Fix-retry_cnt-and-rnr_cnt-when-querying-QP.patch @@ -46295,6 +46305,7 @@ patches.suse/ARM-dts-sun7i-pcduino3-nano-enable-RGMII-RX-TX-delay-on-PHY.patch patches.suse/ARM-dts-imx6qdl-kontron-samx6i-fix-I2C_PM-scl-pin.patch patches.suse/RDMA-efa-Use-the-correct-current-and-new-states-in-m.patch + patches.suse/RDMA-cm-Fix-an-attempt-to-use-non-valid-pointer-when.patch patches.suse/cfg80211-initialize-rekey_data.patch patches.suse/net-sched-fq_pie-initialize-timer-earlier-in-fq_pie_.patch patches.suse/mac80211-mesh-fix-mesh_pathtbl_init-error-path.patch @@ -46888,6 +46899,7 @@ patches.suse/USB-dummy-hcd-Fix-uninitialized-array-use-in-init.patch patches.suse/usb-mtu3-fix-memory-corruption-in-mtu3_debugfs_regse.patch patches.suse/USB-add-RESET_RESUME-quirk-for-Snapscan-1212.patch + patches.suse/xhci-pci-Allow-host-runtime-PM-as-default-for-Intel.patch patches.suse/xhci-Give-USB2-ports-time-to-enter-U3-in-bus-suspend.patch patches.suse/usb-ehci-omap-Fix-PM-disable-depth-umbalance-in-ehci.patch patches.suse/usb-oxu210hp-hcd-Fix-memory-leak-in-oxu_create.patch @@ -47232,8 +47244,10 @@ patches.suse/scsi-qla2xxx-If-fcport-is-undergoing-deletion-comple.patch patches.suse/scsi-qla2xxx-Fix-device-loss-on-4G-and-older-HBAs.patch patches.suse/scsi-qla2xxx-Update-version-to-10.02.00.104-k.patch + patches.suse/RDMA-bnxt_re-Set-queue-pair-state-when-being-queried.patch patches.suse/RDMA-bnxt_re-Fix-entry-size-during-SRQ-create.patch patches.suse/RDMA-core-Fix-error-return-in-_ib_modify_qp.patch + patches.suse/RDMA-rxe-Compute-PSN-windows-correctly.patch patches.suse/IB-isert-add-module-param-to-set-sg_tablesize-for-IO.patch patches.suse/RDMA-rtrs-clt-Remove-destroy_con_cq_qp-in-case-route.patch patches.suse/RDMA-rtrs-clt-Remove-outdated-comment-in-create_con_.patch @@ -47243,11 +47257,17 @@ patches.suse/RDMA-rtrs-srv-Fix-typo.patch patches.suse/RDMA-rtrs-Remove-unnecessary-argument-dir-of-rtrs_iu.patch patches.suse/RDMA-rtrs-Introduce-rtrs_post_send.patch + patches.suse/RDMA-mlx5-Fix-corruption-of-reg_pages-in-mlx5_ib_rer.patch patches.suse/RDMA-cma-Add-missing-error-handling-of-listen_id.patch + patches.suse/RDMA-cxgb4-Validate-the-number-of-CQEs.patch patches.suse/RDMA-cma-Fix-deadlock-on-lock-in-rdma_cma_listen_on_.patch + patches.suse/RDMA-hns-Remove-the-portn-field-in-UD-SQ-WQE.patch patches.suse/RDMA-hns-Bugfix-for-calculation-of-extended-sge.patch + patches.suse/RDMA-uverbs-Tidy-input-validation-of-ib_uverbs_rereg.patch patches.suse/RDMA-bnxt_re-Fix-max_qp_wrs-reported.patch patches.suse/RDMA-core-Clean-up-cq-pool-mechanism.patch + patches.suse/RDMA-core-Do-not-indicate-device-ready-when-device-e.patch + patches.suse/RDMA-hns-Remove-unnecessary-access-right-set-during-.patch patches.suse/RDMA-mlx5-Fix-MR-cache-memory-leak.patch patches.suse/RDMA-cma-Don-t-overwrite-sgid_attr-after-device-is-r.patch patches.suse/x86-swiotlb-adjust-swiotlb-bounce-buffer-size-for-sev-guests.patch @@ -47829,6 +47849,10 @@ patches.suse/ext4-fix-superblock-checksum-failure-when-setting-pa.patch patches.suse/ext4-fix-bug-for-rename-with-RENAME_WHITEOUT.patch patches.suse/RDMA-ucma-Do-not-miss-ctx-destruction-steps-in-some-.patch + patches.suse/RDMA-usnic-Fix-memleak-in-find_free_vf_and_create_qp.patch + patches.suse/RDMA-ocrdma-Fix-use-after-free-in-ocrdma_dealloc_uco.patch + patches.suse/IB-mlx5-Fix-error-unwinding-when-set_has_smi_cap-fai.patch + patches.suse/RDMA-mlx5-Fix-wrong-free-of-blue-flame-register-on-e.patch patches.suse/0015-dm-raid-fix-discard-limits-for-raid1.patch patches.suse/0016-dm-zoned-select-CONFIG_CRC32.patch patches.suse/0003-dm-crypt-do-not-wait-for-backlogged-crypto-request-c.patch @@ -47957,6 +47981,7 @@ patches.suse/media-rc-ensure-that-uevent-can-be-read-directly-aft.patch patches.suse/HID-multitouch-Apply-MT_QUIRK_CONFIDENCE-quirk-for-m.patch patches.suse/HID-wacom-Correct-NULL-dereference-on-AES-pen-proxim.patch + patches.suse/RDMA-cxgb4-Fix-the-reported-max_recv_sge-value.patch patches.suse/Revert-RDMA-mlx5-Fix-devlink-deadlock-on-net-namespa.patch patches.suse/arm-imx-fix-imx8m-dependencies.patch patches.suse/ARM-dts-imx6qdl-kontron-samx6i-fix-i2c_lcd-cam-default-status.patch @@ -48044,6 +48069,7 @@ patches.suse/nbd-freeze-the-queue-while-we-re-adding-connections.patch patches.suse/0027-bcache-only-check-feature-sets-when-sb-version-BCACH.patch patches.suse/nvme-multipath-Early-exit-if-no-path-is-available.patch + patches.suse/nvme-core-use-list_add_tail_rcu-instead-of-list_add_.patch patches.suse/ACPI-IORT-Do-not-blindly-trust-DMA-masks-from-firmwa.patch patches.suse/s390-vfio-ap-clean-up-vfio_ap-resources-when-kvm-pointer-invalidated patches.suse/s390-vfio-ap-no-need-to-disable-irq-after-queue-reset @@ -48362,6 +48388,7 @@ patches.suse/nvme-tcp-fix-wrong-setting-of-request-iov_iter.patch patches.suse/nvme-tcp-get-rid-of-unused-helper-function.patch patches.suse/nvme-tcp-pass-multipage-bvec-to-request-iov_iter.patch + patches.suse/nvme-refactor-ns-ctrl-by-request.patch patches.suse/nvme-core-add-cancel-tagset-helpers.patch patches.suse/nvme-tcp-add-clean-action-for-failed-reconnection.patch patches.suse/nvme-tcp-use-cancel-tagset-helper-for-tear-down.patch @@ -48372,6 +48399,9 @@ patches.suse/0031-bcache-Give-btree_io_wq-correct-semantics-again.patch patches.suse/0032-bcache-Move-journal-work-to-new-flush-wq.patch patches.suse/0033-bcache-Avoid-comma-separated-statements.patch + patches.suse/blk-mq-introduce-blk_mq_set_request_complete.patch + patches.suse/nvme-introduce-a-nvme_host_path_error-helper.patch + patches.suse/nvme-fabrics-avoid-double-completions-in-nvmf_fail_n.patch patches.suse/nvme-hwmon-rework-to-avoid-devm-allocation.patch patches.suse/nvme-tcp-fix-crash-triggered-with-a-dataless-request.patch patches.suse/irqchip-ls-extirq-add-IRQCHIP_SKIP_SET_WAKE-to-the-i.patch @@ -48665,6 +48695,7 @@ patches.suse/scsi-qla2xxx-Fix-some-memory-corruption.patch patches.suse/scsi-lpfc-Fix-ancient-double-free patches.suse/scsi-qla2xxx-Simplify-the-calculation-of-variables.patch + patches.suse/RDMA-siw-Fix-handling-of-zero-sized-Read-and-Receive.patch patches.suse/RDMA-rtrs-Extend-ibtrs_cq_qp_create.patch patches.suse/RDMA-rtrs-srv-Release-lock-before-call-into-close_se.patch patches.suse/RDMA-rtrs-srv-Use-sysfs_remove_file_self-for-disconn.patch @@ -48680,7 +48711,18 @@ patches.suse/RDMA-rtrs-Fix-KASAN-stack-out-of-bounds-bug.patch patches.suse/RDMA-bnxt_re-Code-refactor-while-populating-user-MRs.patch patches.suse/RDMA-bnxt_re-Allow-bigger-MR-creation.patch + patches.suse/RDMA-mlx5-Use-the-correct-obj_id-upon-DEVX-TIR-creat.patch + patches.suse/IB-mlx5-Add-mutex-destroy-call-to-cap_mask_mutex-mut.patch patches.suse/RDMA-mlx5-Allow-creating-all-QPs-even-when-non-RDMA-.patch + patches.suse/IB-umad-Return-EIO-in-case-of-when-device-disassocia.patch + patches.suse/IB-umad-Return-EPOLLERR-in-case-of-when-device-disas.patch + patches.suse/IB-mlx5-Return-appropriate-error-code-instead-of-ENO.patch + patches.suse/IB-cm-Avoid-a-loop-when-device-has-255-ports.patch + patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_recv.c.patch + patches.suse/RDMA-rxe-Remove-useless-code-in-rxe_recv.c.patch + patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_rcv_mcast_pkt.patch + patches.suse/RDMA-rxe-Correct-skb-on-loopback-path.patch + patches.suse/RDMA-siw-Fix-calculation-of-tx_valid_cpus-size.patch patches.suse/RDMA-hns-Fix-type-of-sq_signal_bits.patch patches.suse/RDMA-hns-Disable-RQ-inline-by-default.patch patches.suse/RDMA-ucma-Fix-use-after-free-bug-in-ucma_create_ueve.patch @@ -48917,6 +48959,8 @@ patches.suse/nvme-hwmon-Return-error-code-when-registration-fails.patch patches.suse/nvme-fabrics-fix-kato-initialization.patch patches.suse/RDMA-cm-Fix-IRQ-restore-in-ib_send_cm_sidr_rep.patch + patches.suse/RDMA-rxe-Fix-missing-kconfig-dependency-on-CRYPTO.patch + patches.suse/IB-mlx5-Add-missing-error-code.patch patches.suse/powerpc-pseries-Don-t-enforce-MSI-affinity-with-kdum.patch patches.suse/powerpc-sstep-Fix-VSX-instruction-emulation.patch patches.suse/crypto-mips-poly1305-enable-for-all-MIPS-processors.patch @@ -49250,6 +49294,7 @@ patches.suse/ch_ktls-fix-enum-conversion-warning.patch patches.suse/math-Export-mul_u64_u64_div_u64.patch patches.suse/arm64-kdump-update-ppos-when-reading-elfcorehdr.patch + patches.suse/RDMA-cxgb4-Fix-adapter-LE-hash-errors-while-destroyi.patch patches.suse/0001-squashfs-fix-inode-lookup-sanity-checks.patch patches.suse/0002-squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch patches.suse/btrfs-fix-subvolume-snapshot-deletion-not-triggered-.patch @@ -49346,6 +49391,7 @@ patches.suse/ALSA-hda-realtek-Fix-speaker-amp-setup-on-Acer-Aspir.patch patches.suse/RDMA-rtrs-clt-Close-rtrs-client-conn-before-destroyi.patch patches.suse/IB-hfi1-Fix-probe-time-panic-when-AIP-is-enabled-wit.patch + patches.suse/RDMA-addr-Be-strict-with-gid-size.patch patches.suse/cifs-On-cifs_reconnect-resolve-the-hostname-again-.patch patches.suse/fs-cifs-Remove-unnecessary-struct-declaration.patch patches.suse/cifs-escape-spaces-in-share-names.patch @@ -50250,12 +50296,22 @@ patches.suse/ext4-fix-error-code-in-ext4_commit_super.patch patches.suse/fs-fix-reporting-supported-extra-file-attributes-for.patch patches.suse/RDMA-mlx5-Fix-drop-packet-rule-in-egress-table.patch + patches.suse/IB-isert-Fix-a-use-after-free-in-isert_connect_reque.patch + patches.suse/RDMA-core-Fix-corrupted-SL-on-passive-side.patch + patches.suse/IB-hfi1-Use-kzalloc-for-mmu_rb_handler-allocation.patch patches.suse/RDMA-hns-Delete-redundant-condition-judgment-related.patch patches.suse/RDMA-hns-Delete-redundant-abnormal-interrupt-status.patch patches.suse/RDMA-qedr-Fix-error-return-code-in-qedr_iw_connect.patch + patches.suse/IB-hfi1-Fix-error-return-code-in-parse_platform_conf.patch + patches.suse/RDMA-bnxt_re-Fix-error-return-code-in-bnxt_qplib_cq_.patch patches.suse/RDMA-srpt-Fix-error-return-code-in-srpt_cm_req_recv.patch patches.suse/RDMA-rtrs-clt-destroy-sysfs-after-removing-session-f.patch patches.suse/IB-hfi1-Rework-AIP-and-VNIC-dummy-netdev-usage.patch + patches.suse/RDMA-core-Unify-RoCE-check-and-re-factor-code.patch + patches.suse/RDMA-cxgb4-add-missing-qpid-increment.patch + patches.suse/RDMA-i40iw-Fix-error-unwinding-when-i40iw_hmc_sd_one.patch + patches.suse/RDMA-siw-Fix-a-use-after-free-in-siw_alloc_mr.patch + patches.suse/RDMA-bnxt_re-Fix-a-double-free-in-bnxt_qplib_alloc_r.patch patches.suse/iommu-fix-a-boundary-issue-to-avoid-performance-drop patches.suse/iommu-arm-smmu-v3-add-bit-field-sfm-into-gerror_err_mask patches.suse/iommu-vt-d-reject-unsupported-page-request-modes @@ -50497,6 +50553,12 @@ patches.suse/ALSA-intel8x0-Don-t-update-period-unless-prepared.patch patches.suse/ALSA-dice-fix-stream-format-for-TC-Electronic-Konnek.patch patches.suse/ALSA-line6-Fix-racy-initialization-of-LINE6-MIDI.patch + patches.suse/RDMA-siw-Properly-check-send-and-receive-CQ-pointers.patch + patches.suse/RDMA-rxe-Clear-all-QP-fields-if-creation-failed.patch + patches.suse/RDMA-mlx5-Recover-from-fatal-event-in-dual-port-mode.patch + patches.suse/RDMA-core-Don-t-access-cm_id-after-its-destruction.patch + patches.suse/RDMA-mlx5-Fix-query-DCT-via-DEVX.patch + patches.suse/RDMA-uverbs-Fix-a-NULL-vs-IS_ERR-bug.patch patches.suse/scsi-qedf-Add-pointer-checks-in-qedf_update_link_speed patches.suse/scsi-qla2xxx-Fix-error-return-code-in-qla82xx_write_.patch patches.suse/firmware-arm_scpi-Prevent-the-ternary-sign-expansion.patch @@ -50519,6 +50581,7 @@ patches.suse/x86-Xen-swap-NX-determination-and-GDT-setup-on-BSP.patch patches.suse/xen-pciback-redo-VF-placement-in-the-virtual-topolog.patch patches.suse/xen-pciback-reconfigure-also-from-backend-watch-hand.patch + patches.suse/nvme-tcp-fix-possible-use-after-completion.patch patches.suse/nvme-tcp-rerun-io_work-if-req_list-is-not-empty.patch patches.suse/nvme-fc-clear-q_live-at-beginning-of-association-tea.patch patches.suse/ipc-mqueue-msg-sem-Avoid-relying-on-a-stack-reference.patch @@ -52078,6 +52141,7 @@ patches.suse/nvme-pci-limit-maximum-queue-depth-to-4095.patch patches.suse/nvme-tcp-don-t-check-blk_mq_tag_to_rq-when-receiving.patch patches.suse/nvme-code-command_id-with-a-genctr-for-use-after-fre.patch + patches.suse/nvme-fabrics-remove-superfluous-nvmf_host_put-in-nvm.patch patches.suse/nvme-tcp-pair-send_mutex-init-with-destroy.patch patches.suse/nvme-tcp-don-t-update-queue-count-when-failing-to-se.patch patches.suse/0008-md-raid10-Remove-unnecessary-rcu_dereference-in-raid.patch @@ -52561,6 +52625,7 @@ patches.suse/xen-reset-legacy-rtc-flag-for-PV-domU.patch patches.suse/swiotlb-xen-avoid-double-free.patch patches.suse/nvme-avoid-race-in-shutdown-namespace-removal.patch + patches.suse/nvme-multipath-fix-ANA-state-updates-when-a-namespac.patch patches.suse/nvme-tcp-fix-io_work-priority-inversion.patch patches.suse/PCI-Add-AMD-GPU-multi-function-power-dependencies.patch patches.suse/spi-Fix-tegra20-build-with-CONFIG_PM-n.patch @@ -52614,6 +52679,7 @@ patches.suse/nvme-fc-update-hardware-queues-before-using-them.patch patches.suse/nvme-fc-avoid-race-between-time-out-and-tear-down.patch patches.suse/nvme-fc-remove-freeze-unfreeze-around-update_nr_hw_q.patch + patches.suse/nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch patches.suse/scsi-lpfc-Fix-CPU-to-from-endian-warnings-introduced.patch patches.suse/scsi-lpfc-Fix-compilation-errors-on-kernels-with-no-.patch @@ -52857,6 +52923,7 @@ patches.suse/mmc-dw_mmc-exynos-fix-the-finding-clock-sample-value.patch patches.suse/mmc-vub300-fix-control-message-timeouts.patch patches.suse/nvme-tcp-fix-possible-req-offset-corruption.patch + patches.suse/nvme-tcp-fix-data-digest-pointer-calculation.patch patches.suse/scsi-ibmvfc-Fix-up-duplicate-response-detection.patch patches.suse/tpm-Check-for-integer-overflow-in-tpm2_map_response_.patch patches.suse/blk-cgroup-synchronize-blkg-creation-against-policy-.patch @@ -53315,6 +53382,7 @@ patches.suse/cifs-protect-srv_count-with-cifs_tcp_ses_lock.patch patches.suse/cifs-introduce-cifs_ses_mark_for_reconnect-helper.patch patches.suse/ACPI-Add-stubs-for-wakeup-handler-functions.patch + patches.suse/blk-cgroup-fix-missing-put-device-in-error-path-from.patch patches.suse/hugetlbfs-flush-TLBs-correctly-after-huge_pmd_unshar.patch patches.suse/ALSA-hda-realtek-Add-quirk-for-ASRock-NUC-Box-1100.patch patches.suse/ASoC-DAPM-Cover-regression-by-kctl-change-notificati.patch @@ -53330,7 +53398,10 @@ patches.suse/cifs-populate-server_hostname-for-extra-channels.patch patches.suse/smb2-clarify-rc-initialization-in-smb2_reconnect.patch patches.suse/cifs-update-internal-version-number-0b03fe6d.patch + patches.suse/nvme-tcp-validate-R2T-PDU-in-nvme_tcp_handle_r2t.patch + patches.suse/nvme-tcp-fix-memory-leak-when-freeing-a-queue.patch patches.suse/nvme-pci-add-NO-APST-quirk-for-Kioxia-device.patch + patches.suse/nvme-fabrics-ignore-invalid-fast_io_fail_tmo-values.patch patches.suse/drm-amd-display-Set-plane-update-flags-for-all-plane.patch patches.suse/drm-nouveau-acr-fix-a-couple-NULL-vs-IS_ERR-checks.patch patches.suse/drm-vc4-fix-error-code-in-vc4_create_object.patch @@ -53448,6 +53519,7 @@ patches.suse/libata-add-horkage-for-ASMedia-1092.patch patches.suse/nfsd-Fix-nsfd-startup-race-again.patch patches.suse/clk-qcom-regmap-mux-fix-parent-clock-lookup.patch + patches.suse/nvme-fix-use-after-free-when-disconnecting-a-reconne.patch patches.suse/block-fix-ioprio_get-IOPRIO_WHO_PGRP-vs-setuid-2.patch patches.suse/scsi-pm80xx-Do-not-call-scsi_remove_host-in-pm8001_alloc patches.suse/scsi-qla2xxx-Format-log-strings-only-if-needed.patch @@ -53673,6 +53745,7 @@ patches.suse/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch patches.suse/iwlwifi-mvm-Fix-calculation-of-frame-length.patch patches.suse/ath9k-Fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch + patches.suse/Bluetooth-refactor-malicious-adv-data-check.patch patches.suse/Bluetooth-btmtksdio-fix-resume-failure.patch patches.suse/Bluetooth-L2CAP-Fix-using-wrong-mode.patch patches.suse/Bluetooth-hci_qca-Stop-IBS-timer-during-BT-OFF.patch @@ -53741,6 +53814,8 @@ patches.suse/tpm-add-request_locality-before-write-TPM_INT_ENABLE.patch patches.suse/tpm-fix-potential-NULL-pointer-access-in-tpm_del_cha.patch patches.suse/selinux-fix-potential-memleak-in-selinux_add_opt.patch + patches.suse/ext4-make-sure-quota-gets-properly-shutdown-on-error.patch + patches.suse/ext4-fix-an-use-after-free-issue-about-data-journal-.patch patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch patches.suse/ext4-set-csum-seed-in-tmp-inode-while-migrating-to-extents.patch patches.suse/sched-fair-Fix-detection-of-per-CPU-kthreads-waking-a-task.patch @@ -53866,6 +53941,11 @@ patches.suse/Documentation-fix-firewire.rst-ABI-file-path-error.patch patches.suse/scripts-dtc-dtx_diff-remove-broken-example-from-help.patch patches.suse/drm-i915-Flush-TLBs-before-releasing-backing-store.patch + patches.suse/NFS-Ensure-the-server-has-an-up-to-date-ctime-before.patch + patches.suse/NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch + patches.suse/NFSv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch + patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ctr.patch + patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ept.patch patches.suse/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch patches.suse/phylib-fix-potential-use-after-free.patch patches.suse/ibmvnic-Allow-extra-failures-before-disabling.patch @@ -53874,6 +53954,7 @@ patches.suse/ibmvnic-remove-unused-wait_capability.patch patches.suse/net-bridge-vlan-fix-single-net-device-option-dumping.patch patches.suse/net-bridge-vlan-fix-memory-leak-in-__allowed_ingress.patch + patches.suse/drm-msm-dsi-Fix-missing-put_device-call-in-dsi_get_p.patch patches.suse/drm-msm-hdmi-Fix-missing-put_device-call-in-msm_hdmi.patch patches.suse/drm-msm-dpu-invalid-parameter-check-in-dpu_setup_dsp.patch patches.suse/drm-msm-Fix-wrong-size-calculation.patch @@ -53884,15 +53965,39 @@ patches.suse/hwmon-lm90-Mark-alert-as-broken-for-MAX6680.patch patches.suse/hwmon-lm90-Mark-alert-as-broken-for-MAX6646-6647-664.patch patches.suse/ata-pata_platform-Fix-a-NULL-pointer-dereference-in-.patch + patches.suse/udf-Fix-NULL-ptr-deref-when-converting-from-inline-f.patch + patches.suse/udf-Restore-i_lenAlloc-when-inode-expansion-fails.patch + patches.suse/fsnotify-invalidate-dcache-before-IN_DELETE-event.patch + patches.suse/fsnotify-fix-fsnotify-hooks-in-pseudo-filesystems.patch patches.suse/msft-hv-2513-video-hyperv_fb-Fix-validation-of-screen-resolution.patch + patches.suse/PM-wakeup-simplify-the-output-logic-of-pm_show_wakel.patch + patches.suse/powerpc-perf-Fix-power_pmu_disable-to-call-clear_pmi.patch patches.suse/usb-roles-fix-include-linux-usb-role.h-compile-issue.patch patches.suse/usb-typec-tcpm-Do-not-disconnect-while-receiving-VBU.patch + patches.suse/usb-storage-Add-unusual-devs-entry-for-VL817-USB-SAT.patch + patches.suse/USB-core-Fix-hang-in-usb_kill_urb-by-adding-memory-b.patch patches.suse/ucsi_ccg-Check-DEV_INT-bit-only-when-starting-CCG4.patch patches.suse/usb-gadget-f_sourcesink-Fix-isoc-transfer-for-USB_SP.patch patches.suse/usb-common-ulpi-Fix-crash-in-ulpi_match.patch + patches.suse/tty-Add-support-for-Brainboxes-UC-cards.patch patches.suse/serial-8250-of-Fix-mapped-region-size-when-using-reg.patch patches.suse/tty-n_gsm-fix-SW-flow-control-encoding-handling.patch patches.suse/serial-stm32-fix-software-flow-control-transfer.patch + patches.suse/spi-meson-spicc-add-IRQ-check-in-meson_spicc_probe.patch + patches.suse/spi-bcm-qspi-check-for-valid-cs-before-applying-chip.patch + patches.suse/spi-mediatek-Avoid-NULL-pointer-crash-in-interrupt.patch + patches.suse/pinctrl-intel-fix-unexpected-interrupt.patch + patches.suse/pinctrl-intel-Fix-a-glitch-when-updating-IRQ-flags-o.patch + patches.suse/drm-nouveau-fix-off-by-one-in-BIOS-boundary-checking.patch + patches.suse/dma-buf-heaps-Fix-potential-spectre-v1-gadget.patch + patches.suse/drm-i915-overlay-Prevent-divide-by-zero-bugs-in-scal.patch + patches.suse/ALSA-usb-audio-initialize-variables-that-could-ignor.patch + patches.suse/ALSA-usb-audio-Correct-quirk-for-VF0770.patch + patches.suse/ASoC-xilinx-xlnx_formatter_pcm-Make-buffer-bytes-mul.patch + patches.suse/ASoC-cpcap-Check-for-NULL-pointer-after-calling-of_g.patch + patches.suse/ASoC-max9759-fix-underflow-in-speaker_gain_control_p.patch + patches.suse/ASoC-fsl-Add-missing-error-handling-in-pcm030_fabric.patch + patches.suse/Input-wm97xx-Simplify-resource-management.patch # klassert/ipsec patches.suse/xfrm-fix-mtu-regression.patch