From 8509cd2494f410cb7f36c382bc4ac010e44d81ad Mon Sep 17 00:00:00 2001 From: Petr Tesarik Date: Jul 11 2019 12:27:16 +0000 Subject: Merge branch 'SLE15' into SLE15-SP1 - Refresh patches.drivers/nfit-ars-introduce-scrub_flags.patch - Refresh patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch - Refresh patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch - Refresh patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch - Refresh patches.kabi/kabi-handle-addition-of-net-hash_mix.patch - Refresh patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch - Refresh patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch - Restore patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch Conflicts: blacklist.conf patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch rpm/gitlog-excludes series.conf
---
diff --git a/blacklist.conf b/blacklist.conf
index f0224c4..a4f95dc 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1179,3 +1179,15 @@ d5443bbf5fc8f8389cce146b1fc2987cdd229d12 # infrastructure, no bug fix
 064c5d6881e897077639e04973de26440ee205e6 # not needed
 d3669ca9ff33e1dc6414d1e34891d342e4544e71 # not applicable, just changes in comments
 24512228b7a3f412b5a51f189df302616b021c33 # DISCONTIGMEM unsupported
+0c97bf863efce63d6ab7971dad811601e6171d2f # compiler warning, gcc-9
+4a60aa05a0634241ce17f957bf9fb5ac1eed6576 # not needed. We don't build with -ffunction-sections -fdata-sections.
+074376ac0e1d1fcd4fafebca86ee6158e7c20680 # __CHECKER__ only
+fe0640eb30b7da261ae84d252ed9ed3c7e68dfd8 # compiler.h: reverted in below
+c6975e4196549c18c5277a55e30b2d6d1b80abf2 # compiler.h: reverted above in 4.14.x
+149d05f80dc9259ad62f2630935502e4c02b26a7 # nouveau: build fix, not affected
+9ae306d8dbc874de331bb10a4451a5198b660257 # nouveau: build fix, not affected
+6491d698396fd5da4941980a35ca7c162a672016 # nfc: breaks kABI
+65fd4cb65b2dad97feb8330b6690445910b56d6a # Documentation moving only
+9c3e922ba316a5d3d8cbe41e0db97888fca5c359 # too risky because too many dependencies
+8a4db13ccc079b762123d04a7270d6d2cb3398d7 # drm/i915: Already cherry-picked
+600d3712ae122be3ceab0d7ac8246caa3d87dcea # drm/i915: Already cherry-picked
diff --git a/patches.arch/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id b/patches.arch/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id
new file mode 100644
index 0000000..e147510
--- /dev/null
+++ b/patches.arch/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id
@@ -0,0 +1,43 @@
+From: "Suthikulpanit, Suravee"
+Date: Tue, 14 May 2019 15:49:52 +0000
+Subject: kvm: svm/avic: fix off-by-one in checking host APIC ID
+Git-commit: c9bcd3e3335d0a29d89fabd2c385e1b989e6f1b0
+Patch-mainline: v5.2-rc2
+References: bsc#1140971
+
+Current logic does not allow VCPU to be loaded onto CPU with
+APIC ID 255. This should be allowed since the host physical APIC ID
+field in the AVIC Physical APIC table entry is an 8-bit value,
+and APIC ID 255 is valid in system with x2APIC enabled.
+Instead, do not allow VCPU load if the host APIC ID cannot be
+represented by an 8-bit value.
+
+Also, use the more appropriate AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK
+instead of AVIC_MAX_PHYSICAL_ID_COUNT.
+
+Signed-off-by: Suravee Suthikulpanit
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Acked-by: Joerg Roedel
+---
+ arch/x86/kvm/svm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index a849dcb7fbc5..a9e553a1317f 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -2024,7 +2024,11 @@ static void avic_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
+ if (!kvm_vcpu_apicv_active(vcpu))
+ return;
+
+- if (WARN_ON(h_physical_id >= AVIC_MAX_PHYSICAL_ID_COUNT))
++ /*
++ * Since the host physical APIC id is 8 bits,
++ * we can support host APIC ID upto 255.
++ */
++ if (WARN_ON(h_physical_id > AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK))
+ return;
+
+ entry = READ_ONCE(*(svm->avic_physical_id_cache));
+
diff --git a/patches.arch/kvm-x86-fix-return-value-for-reserved-efer b/patches.arch/kvm-x86-fix-return-value-for-reserved-efer
new file mode 100644
index 0000000..5f8ffae
--- /dev/null
+++ b/patches.arch/kvm-x86-fix-return-value-for-reserved-efer
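Review bot: In the avic_vcpu_load hunk of kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id, the new bound compares `h_physical_id` against `AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK`, which reads as a bit mask rather than a limit, and the added comment does not say why that is safe. The comparison is a valid range check only if the mask is contiguous from bit 0, which the patch description implies (8-bit field) but the hunk does not show. I would word the comment as `/* The host physical APIC ID field in the AVIC physical ID table entry is 8 bits wide; the field mask doubles as the largest ID that fits. */`. The declaration of h_physical_id and the later write of the entry are outside the hunk, so its type and any masking done there should be confirmed.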
@@ -0,0 +1,36 @@
+From: Paolo Bonzini
+Date: Fri, 24 May 2019 21:52:46 +0200
+Subject: KVM: x86: fix return value for reserved EFER
+Git-commit: 66f61c92889ff3ca365161fb29dd36d6354682ba
+Patch-mainline: v5.2-rc2
+References: bsc#1140992
+
+Commit 11988499e62b ("KVM: x86: Skip EFER vs. guest CPUID checks for
+host-initiated writes", 2019-04-02) introduced a "return false" in a
+function returning int, and anyway set_efer has a "nonzero on error"
+conventon so it should be returning 1.
+
+Reported-by: Pavel Machek
+Fixes: 11988499e62b ("KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes")
+Cc: Sean Christopherson
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Acked-by: Joerg Roedel
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index e7e57de50a3c..acb179f78fdc 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1298,7 +1298,7 @@ static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ u64 efer = msr_info->data;
+
+ if (efer & efer_reserved_bits)
+- return false;
++ return 1;
+
+ if (!msr_info->host_initiated) {
+ if (!__kvm_valid_efer(vcpu, efer))
+
diff --git a/patches.arch/kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes b/patches.arch/kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes
new file mode 100644
index 0000000..ef1cd7f
--- /dev/null
+++ b/patches.arch/kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes
@@ -0,0 +1,99 @@
+From: Sean Christopherson
+Date: Tue, 2 Apr 2019 08:19:15 -0700
+Subject: KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
+Git-commit: 11988499e62b310f3bf6f6d0a807a06d3f9ccc96
+Patch-mainline: v5.2-rc1
+References: bsc#1140972
+
+KVM allows userspace to violate consistency checks related to the
+guest's CPUID model to some degree. Generally speaking, userspace has
+carte blanche when it comes to guest state so long as jamming invalid
+state won't negatively affect the host.
+
+Currently this is seems to be a non-issue as most of the interesting
+EFER checks are missing, e.g. NX and LME, but those will be added
+shortly. Proactively exempt userspace from the CPUID checks so as not
+to break userspace.
+
+Note, the efer_reserved_bits check still applies to userspace writes as
+that mask reflects the host's capabilities, e.g. KVM shouldn't allow a
+guest to run with NX=1 if it has been disabled in the host.
+
+Fixes: d80174745ba39 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Signed-off-by: Paolo Bonzini
+Acked-by: Joerg Roedel
+---
+ arch/x86/kvm/x86.c | 37 ++++++++++++++++++++++++-------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index a0d1fc80ac5a..5d7dcd06d08a 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1258,31 +1258,42 @@ static int do_get_msr_feature(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
+ return 0;
+ }
+
+-bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
++static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
+ {
+- if (efer & efer_reserved_bits)
+- return false;
+-
+ if (efer & EFER_FFXSR && !guest_cpuid_has(vcpu, X86_FEATURE_FXSR_OPT))
+- return false;
++ return false;
+
+ if (efer & EFER_SVME && !guest_cpuid_has(vcpu, X86_FEATURE_SVM))
+- return false;
++ return false;
+
+ return true;
++
++}
++bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
++{
++ if (efer & efer_reserved_bits)
++ return false;
++
++ return __kvm_valid_efer(vcpu, efer);
+ }
+ EXPORT_SYMBOL_GPL(kvm_valid_efer);
+
+-static int set_efer(struct kvm_vcpu *vcpu, u64 efer)
++static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ {
+ u64 old_efer = vcpu->arch.efer;
++ u64 efer = msr_info->data;
+
+- if (!kvm_valid_efer(vcpu, efer))
+- return 1;
++ if (efer & efer_reserved_bits)
++ return false;
+
+- if (is_paging(vcpu)
+- && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
+- return 1;
++ if (!msr_info->host_initiated) {
++ if (!__kvm_valid_efer(vcpu, efer))
++ return 1;
++
++ if (is_paging(vcpu) &&
++ (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
++ return 1;
++ }
+
+ efer &= ~EFER_LMA;
+ efer |= vcpu->arch.efer & EFER_LMA;
+@@ -2452,7 +2463,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ vcpu->arch.arch_capabilities = data;
+ break;
+ case MSR_EFER:
+- return set_efer(vcpu, data);
++ return set_efer(vcpu, msr_info);
+ case MSR_K7_HWCR:
+ data &= ~(u64)0x40; /* ignore flush filter disable */
+ data &= ~(u64)0x100; /* ignore ignne emulation enable */
+
diff --git a/patches.drivers/ACPI-PM-Allow-transitions-to-D0-to-occur-in-special-.patch b/patches.drivers/ACPI-PM-Allow-transitions-to-D0-to-occur-in-special-.patch
new file mode 100644
index 0000000..7591216
--- /dev/null
+++ b/patches.drivers/ACPI-PM-Allow-transitions-to-D0-to-occur-in-special-.patch
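Review bot: In the set_efer hunk of kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes, the new `if (!msr_info->host_initiated)` block exempts userspace writes from the `is_paging(vcpu)` / EFER_LME consistency check as well as from the guest-CPUID checks, while the patch description only mentions CPUID. A short comment above the block would record that this is intended, for example `/* Host-initiated writes are bound only by efer_reserved_bits; the guest-CPUID and paging/LME checks apply to guest writes. */`. The `return false` on the reserved-bits path here is the line that kvm-x86-fix-return-value-for-reserved-efer changes to `return 1`, so the two files have to be applied in that order; series.conf is not visible here to confirm it. set_efer continues past the end of the hunk.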
@@ -0,0 +1,146 @@
+From f850a48a07996bfd7bd1b2e52f57b5ee55125482 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Tue, 25 Jun 2019 14:06:13 +0200
+Subject: [PATCH] ACPI: PM: Allow transitions to D0 to occur in special cases
+Git-commit: f850a48a07996bfd7bd1b2e52f57b5ee55125482
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+If a device with ACPI PM is left in D0 during a system-wide
+transition to the S3 (suspend-to-RAM) or S4 (hibernation) sleep
+state, the actual state of the device need not be D0 during resume
+from it, although its power.state value will still reflect D0 (that
+is, the power state from before the system-wide transition).
+
+In that case, the acpi_device_set_power() call made to ensure that
+the power state of the device will be D0 going forward has no effect,
+because the new state (D0) is equal to the one reflected by the
+device's power.state value. That does not affect power resources,
+which are taken care of by acpi_resume_power_resources() called from
+acpi_pm_finish() during resume from system-wide sleep states, but it
+still may be necessary to invoke _PS0 for the device on top of that
+in order to finalize its transition to D0.
+
+For this reason, modify acpi_device_set_power() to allow transitions
+to D0 to occur even if D0 is the current power state of the device
+according to its power.state value.
+
+That will not affect power resources, which are assumed to be in
+the right configuration already (as reflected by the current values
+of their reference counters), but it may cause _PS0 to be evaluated
+for the device. However, evaluating _PS0 for a device already in D0
+may lead to confusion in general, so invoke _PSC (if present) to
+check the device's current power state upfront and only evaluate
+_PS0 for it if _PSC has returned a power state different from D0.
+[If _PSC is not present or the evaluation of it fails, the power
+state of the device is assumed to be D0 at this point.]
+
+Fixes: 20dacb71ad28 (ACPI / PM: Rework device power management to follow ACPI 6)
+Signed-off-by: Rafael J. Wysocki
+Reviewed-by: Mika Westerberg
+Acked-by: Takashi Iwai
+
+---
+ drivers/acpi/device_pm.c | 53 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 45 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c
+index 3269a4e8b902..94194c7e8a07 100644
+--- a/drivers/acpi/device_pm.c
++++ b/drivers/acpi/device_pm.c
+@@ -53,6 +53,19 @@ const char *acpi_power_state_string(int state)
+ }
+ }
+
++static int acpi_dev_pm_explicit_get(struct acpi_device *device, int *state)
++{
++ unsigned long long psc;
++ acpi_status status;
++
++ status = acpi_evaluate_integer(device->handle, "_PSC", NULL, &psc);
++ if (ACPI_FAILURE(status))
++ return -ENODEV;
++
++ *state = psc;
++ return 0;
++}
++
+ /**
+ * acpi_device_get_power - Get power state of an ACPI device.
+ * @device: Device to get the power state of.
+@@ -65,6 +78,7 @@ const char *acpi_power_state_string(int state)
+ int acpi_device_get_power(struct acpi_device *device, int *state)
+ {
+ int result = ACPI_STATE_UNKNOWN;
++ int error;
+
+ if (!device || !state)
+ return -EINVAL;
+@@ -81,18 +95,16 @@ int acpi_device_get_power(struct acpi_device *device, int *state)
+ * if available.
+ */
+ if (device->power.flags.power_resources) {
+- int error = acpi_power_get_inferred_state(device, &result);
++ error = acpi_power_get_inferred_state(device, &result);
+ if (error)
+ return error;
+ }
+ if (device->power.flags.explicit_get) {
+- acpi_handle handle = device->handle;
+- unsigned long long psc;
+- acpi_status status;
++ int psc;
+
+- status = acpi_evaluate_integer(handle, "_PSC", NULL, &psc);
+- if (ACPI_FAILURE(status))
+- return -ENODEV;
++ error = acpi_dev_pm_explicit_get(device, &psc);
++ if (error)
++ return error;
+
+ /*
+ * The power resources settings may indicate a power state
+@@ -160,7 +172,8 @@ int acpi_device_set_power(struct acpi_device *device, int state)
+
+ /* Make sure this is a valid target state */
+
+- if (state == device->power.state) {
++ /* There is a special case for D0 addressed below. */
++ if (state > ACPI_STATE_D0 && state == device->power.state) {
+ ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Device [%s] already in %s\n",
+ device->pnp.bus_id,
+ acpi_power_state_string(state)));
+@@ -228,6 +241,30 @@ int acpi_device_set_power(struct acpi_device *device, int state)
+ if (result)
+ goto end;
+ }
++
++ if (device->power.state == ACPI_STATE_D0) {
++ int psc;
++
++ /* Nothing to do here if _PSC is not present. */
++ if (!device->power.flags.explicit_get)
++ return 0;
++
++ /*
++ * The power state of the device was set to D0 last
++ * time, but that might have happened before a
++ * system-wide transition involving the platform
++ * firmware, so it may be necessary to evaluate _PS0
++ * for the device here. However, use extra care here
++ * and evaluate _PSC to check the device's current power
++ * state, and only invoke _PS0 if the evaluation of _PSC
++ * is successful and it returns a power state different
++ * from D0.
++ */
++ result = acpi_dev_pm_explicit_get(device, &psc);
++ if (result || psc == ACPI_STATE_D0)
++ return 0;
++ }
++
+ result = acpi_dev_pm_explicit_set(device, ACPI_STATE_D0);
+ }
+
+--
+2.16.4
+
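Review bot: In the `@@ -228,6 +241,30 @@` hunk of acpi_device_set_power(), the added `if (device->power.state == ACPI_STATE_D0)` test reads power.state after the power-resource step whose tail (`if (result) goto end;`) is the context just above it. If that step already updates device->power.state to the target state (it is outside the hunk, so this needs confirming), a device coming out of a low-power state would look as if it had been in D0 all along, and the `if (!device->power.flags.explicit_get) return 0;` path would then return before `acpi_dev_pm_explicit_set(device, ACPI_STATE_D0)` is reached. Sampling the state before the transition, e.g. `int prev_state = device->power.state;` at the start of the D0 branch and testing `prev_state == ACPI_STATE_D0` here, removes that dependency. Separately, acpi_dev_pm_explicit_get() narrows the firmware-supplied _PSC value from unsigned long long to int with `*state = psc;` and no range check.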
diff --git a/patches.drivers/ACPI-PM-Avoid-evaluating-_PS3-on-transitions-from-D3.patch b/patches.drivers/ACPI-PM-Avoid-evaluating-_PS3-on-transitions-from-D3.patch
new file mode 100644
index 0000000..3ae9bad
--- /dev/null
+++ b/patches.drivers/ACPI-PM-Avoid-evaluating-_PS3-on-transitions-from-D3.patch
@@ -0,0 +1,50 @@
+From 21ba237926227121dacccaf5d7863b0cb50f3eda Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Tue, 25 Jun 2019 14:04:45 +0200
+Subject: [PATCH] ACPI: PM: Avoid evaluating _PS3 on transitions from D3hot to D3cold
+Git-commit: 21ba237926227121dacccaf5d7863b0cb50f3eda
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+If the power state of a device with ACPI PM is changed from D3hot to
+D3cold, it merely is a matter of dropping references to additional
+power resources (specifically, those in the list returned by _PR3),
+and the _PS3 method should not be invoked for the device then (as
+it has already been evaluated during the previous transition to
+D3hot).
+
+Fixes: 20dacb71ad28 (ACPI / PM: Rework device power management to follow ACPI 6)
+Signed-off-by: Rafael J. Wysocki
+Reviewed-by: Mika Westerberg
+Acked-by: Takashi Iwai
+
+---
+ drivers/acpi/device_pm.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c
+index b859d75eaf9f..3269a4e8b902 100644
+--- a/drivers/acpi/device_pm.c
++++ b/drivers/acpi/device_pm.c
+@@ -210,9 +210,15 @@ int acpi_device_set_power(struct acpi_device *device, int state)
+ return -ENODEV;
+ }
+
+- result = acpi_dev_pm_explicit_set(device, state);
+- if (result)
+- goto end;
++ /*
++ * If the device goes from D3hot to D3cold, _PS3 has been
++ * evaluated for it already, so skip it in that case.
++ */
++ if (device->power.state < ACPI_STATE_D3_HOT) {
++ result = acpi_dev_pm_explicit_set(device, state);
++ if (result)
++ goto end;
++ }
+
+ if (device->power.flags.power_resources)
+ result = acpi_power_transition(device, target_state);
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-firewire-lib-fireworks-fix-miss-detection-of-re.patch b/patches.drivers/ALSA-firewire-lib-fireworks-fix-miss-detection-of-re.patch
new file mode 100644
index 0000000..271333c
--- /dev/null
+++ b/patches.drivers/ALSA-firewire-lib-fireworks-fix-miss-detection-of-re.patch 
@@ -0,0 +1,57 @@
+From 7fbd1753b64eafe21cf842348a40a691d0dee440 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto
+Date: Mon, 1 Jul 2019 23:43:53 +0900
+Subject: [PATCH 5/7] ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
+Git-commit: 7fbd1753b64eafe21cf842348a40a691d0dee440
+Patch-mainline: v5.2
+References: bsc#1051510
+
+In IEC 61883-6, 8 MIDI data streams are multiplexed into single
+MIDI conformant data channel. The index of stream is calculated by
+modulo 8 of the value of data block counter.
+
+In fireworks, the value of data block counter in CIP header has a quirk
+with firmware version v5.0.0, v5.7.3 and v5.8.0. This brings ALSA
+IEC 61883-1/6 packet streaming engine to miss detection of MIDI
+messages.
+
+This commit fixes the miss detection to modify the value of data block
+counter for the modulo calculation.
+
+For maintainers, this bug exists since a commit 18f5ed365d3f ("ALSA:
+Fireworks/firewire-lib: add support for recent firmware quirk") in Linux
+kernel v4.2. There're many changes since the commit. This fix can be
+backported to Linux kernel v4.4 or later. I tagged a base commit to the
+backport for your convenience.
+
+Besides, my work for Linux kernel v5.3 brings heavy code refactoring and
+some structure members are renamed in 'sound/firewire/amdtp-stream.h'.
+The content of this patch brings conflict when merging -rc tree with
+this patch and the latest tree. I request maintainers to solve the
+conflict to replace 'tx_first_dbc' with 'ctx_data.tx.first_dbc'.
+
+Fixes: df075feefbd3 ("ALSA: firewire-lib: complete AM824 data block processing layer")
+Cc: # v4.4+
+Signed-off-by: Takashi Sakamoto
+Signed-off-by: Takashi Iwai
+
+---
+ sound/firewire/amdtp-am824.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/firewire/amdtp-am824.c b/sound/firewire/amdtp-am824.c
+index 4210e5c6262e..d09da9dbf235 100644
+--- a/sound/firewire/amdtp-am824.c
++++ b/sound/firewire/amdtp-am824.c
+@@ -321,7 +321,7 @@ static void read_midi_messages(struct amdtp_stream *s,
+ u8 *b;
+
+ for (f = 0; f < frames; f++) {
+- port = (s->data_block_counter + f) % 8;
++ port = (8 - s->tx_first_dbc + s->data_block_counter + f) % 8;
+ b = (u8 *)&buffer[p->midi_position];
+
+ len = b[0] - 0x80;
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-realtek-Add-quirks-for-several-Clevo-notebo.patch b/patches.drivers/ALSA-hda-realtek-Add-quirks-for-several-Clevo-notebo.patch
new file mode 100644
index 0000000..4d50162
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Add-quirks-for-several-Clevo-notebo.patch
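Review bot: The new expression `(8 - s->tx_first_dbc + s->data_block_counter + f) % 8` in read_midi_messages() carries no comment, and `8 - s->tx_first_dbc` looks as if it can go negative or wrap once tx_first_dbc exceeds 8. If both fields are unsigned 32-bit (their declarations are in amdtp-stream.h, not in this hunk), the wrap is harmless because 2^32 is a multiple of 8, and that is worth stating next to the line: `/* Fireworks quirk: port index is relative to the first received dbc; unsigned wrap-around is harmless since 2^32 % 8 == 0. */`. If either field turns out to be signed, the `%` result could be negative and would then reach whatever uses `port` later in the loop, which is outside the hunk.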
@@ -0,0 +1,49 @@
+From 503d90b30602a3295978e46d844ccc8167400fe6 Mon Sep 17 00:00:00 2001
+From: Richard Sailer
+Date: Wed, 19 Jun 2019 13:33:11 +0200
+Subject: [PATCH 1/7] ALSA: hda/realtek: Add quirks for several Clevo notebook barebones
+Git-commit: 503d90b30602a3295978e46d844ccc8167400fe6
+Patch-mainline: v5.2
+References: bsc#1051510
+
+This adds 4 SND_PCI_QUIRK(...) lines for several barebone models of the ODM
+Clevo. The model names are written in regex syntax to describe/match all clevo
+models that are similar enough and use the same PCI SSID that this fixup works
+for them.
+
+Additionally the lines regarding SSID 0x96e1 and 0x97e1 didn't fix audio for the
+all our Clevo notebooks using these SSIDs (models Clevo P960* and P970*) since
+ALC1220_FIXP_CLEVO_PB51ED_PINS swapped pins that are not necesarry to be
+swapped. This patch initiates ALC1220_FIXUP_CLEVO_P950 instead for these model
+and fixes the audio.
+
+Fixes: 80690a276f44 ("ALSA: hda/realtek - Add quirk for Tuxedo XC 1509")
+Signed-off-by: Richard Sailer
+Cc:
+Signed-off-by: Takashi Iwai
+
+---
+ sound/pci/hda/patch_realtek.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 179e4be1f747..35f01f5102da 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2461,9 +2461,10 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1558, 0x9501, "Clevo P950HR", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK(0x1558, 0x95e1, "Clevo P95xER", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK(0x1558, 0x95e2, "Clevo P950ER", ALC1220_FIXUP_CLEVO_P950),
+- SND_PCI_QUIRK(0x1558, 0x96e1, "System76 Oryx Pro (oryp5)", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+- SND_PCI_QUIRK(0x1558, 0x97e1, "System76 Oryx Pro (oryp5)", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+- SND_PCI_QUIRK(0x1558, 0x65d1, "Tuxedo Book XC1509", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
++ SND_PCI_QUIRK(0x1558, 0x96e1, "Clevo P960[ER][CDFN]-K", ALC1220_FIXUP_CLEVO_P950),
++ SND_PCI_QUIRK(0x1558, 0x97e1, "Clevo P970[ER][CDFN]", ALC1220_FIXUP_CLEVO_P950),
++ SND_PCI_QUIRK(0x1558, 0x65d1, "Clevo PB51[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
++ SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK_VENDOR(0x1558, "Clevo laptop", ALC882_FIXUP_EAPD),
+ SND_PCI_QUIRK(0x161f, 0x2054, "Medion laptop", ALC883_FIXUP_EAPD),
+ SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Y530", ALC882_FIXUP_LENOVO_Y530),
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-realtek-Change-front-mic-location-for-Lenov.patch b/patches.drivers/ALSA-hda-realtek-Change-front-mic-location-for-Lenov.patch
new file mode 100644
index 0000000..d9e56de
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Change-front-mic-location-for-Lenov.patch
@@ -0,0 +1,34 @@
+From bef33e19203dde434bcdf21c449e3fb4f06c2618 Mon Sep 17 00:00:00 2001
+From: Dennis Wassenberg
+Date: Fri, 28 Jun 2019 10:54:53 +0200
+Subject: [PATCH 3/7] ALSA: hda/realtek - Change front mic location for Lenovo M710q
+Git-commit: bef33e19203dde434bcdf21c449e3fb4f06c2618
+Patch-mainline: v5.2
+References: bsc#1051510
+
+On M710q Lenovo ThinkCentre machine, there are two front mics,
+we change the location for one of them to avoid conflicts.
+
+Signed-off-by: Dennis Wassenberg
+Cc:
+Signed-off-by: Takashi Iwai
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 35f01f5102da..48f3c5b8d6e9 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7088,6 +7088,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
++ SND_PCI_QUIRK(0x17aa, 0x3111, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x312a, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x312f, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch b/patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch
new file mode 100644
index 0000000..63ae7ad
--- /dev/null
+++ b/patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch
@@ -0,0 +1,44 @@
+From 3450121997ce872eb7f1248417225827ea249710 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 2 Jul 2019 20:07:21 +0200
+Subject: [PATCH 7/7] ALSA: line6: Fix write on zero-sized buffer
+Git-commit: 3450121997ce872eb7f1248417225827ea249710
+Patch-mainline: v5.2
+References: bsc#1051510
+
+LINE6 drivers allocate the buffers based on the value returned from
+usb_maxpacket() calls. The manipulated device may return zero for
+this, and this results in the kmalloc() with zero size (and it may
+succeed) while the other part of the driver code writes the packet
+data with the fixed size -- which eventually overwrites.
+
+This patch adds a simple sanity check for the invalid buffer size for
+avoiding that problem.
+
+Reported-by: syzbot+219f00fb49874dcaea17@syzkaller.appspotmail.com
+Cc:
+Signed-off-by: Takashi Iwai
+
+---
+ sound/usb/line6/pcm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/sound/usb/line6/pcm.c b/sound/usb/line6/pcm.c
+index 72c6f8e82a7e..78c2d6cab3b5 100644
+--- a/sound/usb/line6/pcm.c
++++ b/sound/usb/line6/pcm.c
+@@ -560,6 +560,11 @@ int line6_init_pcm(struct usb_line6 *line6,
+ line6pcm->max_packet_size_out =
+ usb_maxpacket(line6->usbdev,
+ usb_sndisocpipe(line6->usbdev, ep_write), 1);
++ if (!line6pcm->max_packet_size_in || !line6pcm->max_packet_size_out) {
++ dev_err(line6pcm->line6->ifcdev,
++ "cannot get proper max packet size\n");
++ return -EINVAL;
++ }
+
+ spin_lock_init(&line6pcm->out.lock);
+ spin_lock_init(&line6pcm->in.lock);
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-seq-fix-incorrect-order-of-dest_client-dest_por.patch b/patches.drivers/ALSA-seq-fix-incorrect-order-of-dest_client-dest_por.patch
new file mode 100644
index 0000000..2f91a32
--- /dev/null
+++ b/patches.drivers/ALSA-seq-fix-incorrect-order-of-dest_client-dest_por.patch
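Review bot: The added `return -EINVAL;` in line6_init_pcm() exits after `line6pcm` has already been allocated and written to (`line6pcm->max_packet_size_out = ...` is the context just above), and the hunk does not show who owns that allocation at this point. If ownership is handed to the PCM object only further down the function (a private_data / private_free style hook), this early return leaks the structure every time a device reports a zero max packet size. The allocation and the hand-off are both outside the hunk, so this has to be checked against the full function; if the hand-off does come later, add `kfree(line6pcm);` ahead of the `return -EINVAL;`.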
@@ -0,0 +1,51 @@
+From c3ea60c231446663afd6ea1054da6b7f830855ca Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Fri, 28 Jun 2019 10:54:29 +0100
+Subject: [PATCH 4/7] ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
+Git-commit: c3ea60c231446663afd6ea1054da6b7f830855ca
+Patch-mainline: v5.2
+References: bsc#1051510
+
+There are two occurrances of a call to snd_seq_oss_fill_addr where
+the dest_client and dest_port arguments are in the wrong order. Fix
+this by swapping them around.
+
+Addresses-coverity: ("Arguments in wrong order")
+Signed-off-by: Colin Ian King
+Cc:
+Signed-off-by: Takashi Iwai
+
+---
+ sound/core/seq/oss/seq_oss_ioctl.c | 2 +-
+ sound/core/seq/oss/seq_oss_rw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/oss/seq_oss_ioctl.c b/sound/core/seq/oss/seq_oss_ioctl.c
+index 5b8520177b0e..7d72e3d48ad5 100644
+--- a/sound/core/seq/oss/seq_oss_ioctl.c
++++ b/sound/core/seq/oss/seq_oss_ioctl.c
+@@ -62,7 +62,7 @@ static int snd_seq_oss_oob_user(struct seq_oss_devinfo *dp, void __user *arg)
+ if (copy_from_user(ev, arg, 8))
+ return -EFAULT;
+ memset(&tmpev, 0, sizeof(tmpev));
+- snd_seq_oss_fill_addr(dp, &tmpev, dp->addr.port, dp->addr.client);
++ snd_seq_oss_fill_addr(dp, &tmpev, dp->addr.client, dp->addr.port);
+ tmpev.time.tick = 0;
+ if (! snd_seq_oss_process_event(dp, (union evrec *)ev, &tmpev)) {
+ snd_seq_oss_dispatch(dp, &tmpev, 0, 0);
+diff --git a/sound/core/seq/oss/seq_oss_rw.c b/sound/core/seq/oss/seq_oss_rw.c
+index eb1ef12181f3..1063e1b16ea0 100644
+--- a/sound/core/seq/oss/seq_oss_rw.c
++++ b/sound/core/seq/oss/seq_oss_rw.c
+@@ -174,7 +174,7 @@ insert_queue(struct seq_oss_devinfo *dp, union evrec *rec, struct file *opt)
+ memset(&event, 0, sizeof(event));
+ /* set dummy -- to be sure */
+ event.type = SNDRV_SEQ_EVENT_NOTEOFF;
+- snd_seq_oss_fill_addr(dp, &event, dp->addr.port, dp->addr.client);
++ snd_seq_oss_fill_addr(dp, &event, dp->addr.client, dp->addr.port);
+
+ if (snd_seq_oss_process_event(dp, rec, &event))
+ return 0; /* invalid event - no need to insert queue */
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-usb-audio-fix-sign-unintended-sign-extension-on.patch b/patches.drivers/ALSA-usb-audio-fix-sign-unintended-sign-extension-on.patch
new file mode 100644
index 0000000..76c6745
--- /dev/null
+++ b/patches.drivers/ALSA-usb-audio-fix-sign-unintended-sign-extension-on.patch
@@ -0,0 +1,48 @@
+From 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Thu, 27 Jun 2019 17:43:08 +0100
+Subject: [PATCH 2/7] ALSA: usb-audio: fix sign unintended sign extension on left shifts
+Git-commit: 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0
+Patch-mainline: v5.2
+References: bsc#1051510
+
+There are a couple of left shifts of unsigned 8 bit values that
+first get promoted to signed ints and hence get sign extended
+on the shift if the top bit of the 8 bit values are set. Fix
+this by casting the 8 bit values to unsigned ints to stop the
+unintentional sign extension.
+
+Addresses-coverity: ("Unintended sign extension")
+Signed-off-by: Colin Ian King
+Cc:
+Signed-off-by: Takashi Iwai
+
+---
+ sound/usb/mixer_quirks.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
+index a751a18ca4c2..5783329a3237 100644
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -754,7 +754,7 @@ static int snd_ni_control_init_val(struct usb_mixer_interface *mixer,
+ return err;
+ }
+
+- kctl->private_value |= (value << 24);
++ kctl->private_value |= ((unsigned int)value << 24);
+ return 0;
+ }
+
+@@ -915,7 +915,7 @@ static int snd_ftu_eff_switch_init(struct usb_mixer_interface *mixer,
+ if (err < 0)
+ return err;
+
+- kctl->private_value |= value[0] << 24;
++ kctl->private_value |= (unsigned int)value[0] << 24;
+ return 0;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072 b/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
index 2ca1565..f68d63c 100644
--- a/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
+++ b/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
@@ -4,8 +4,7 @@ Date: Tue, 21 May 2019 08:26:53 +0200 Subject: [PATCH] ASoC: Intel: Add machine driver for CX2072X on BYT/CHT platforms Git-commit: 3917da94f787e6c907e440653ead0c666a71379e -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git -Patch-mainline: Queued in subsystem maintainer repository +Patch-mainline: v5.3-rc1 References: bsc#1068546 This is an implementation of a machine driver needed for Conexant diff --git a/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC b/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC index 84a7521..9901b44 100644 --- a/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC +++ b/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC @@ -3,8 +3,7 @@ From: Simon Ho Date: Tue, 21 May 2019 08:26:52 +0200 Subject: [PATCH] ASoC: Add support for Conexant CX2072X CODEC Git-commit: a497a4363706b3eb208c64e66e5b485bb3b186ac -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git -Patch-mainline: Queued in subsystem maintainer repository +Patch-mainline: v5.3-rc1 References: bsc#1068546 Initial commit of the Conexant CX2072X CODEC driver. Some features are diff --git a/patches.drivers/ASoC-cx2072x-fix-integer-overflow-on-unsigned-int-mu.patch b/patches.drivers/ASoC-cx2072x-fix-integer-overflow-on-unsigned-int-mu.patch new file mode 100644 index 0000000..b8ebd28 --- /dev/null +++ b/patches.drivers/ASoC-cx2072x-fix-integer-overflow-on-unsigned-int-mu.patch 
@@ -0,0 +1,41 @@
+From be0461048b60066eaba9046178fb96e78579af21 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Fri, 24 May 2019 23:25:51 +0100
+Subject: [PATCH] ASoC: cx2072x: fix integer overflow on unsigned int multiply
+Git-commit: be0461048b60066eaba9046178fb96e78579af21
+Patch-mainline: v5.3-rc1
+References: bsc#1111666
+
+In the case where frac_div larger than 96 the result of an unsigned
+multiplication overflows an unsigned int. For example, this can
+happen when the sample_rate is 192000 and pll_input is 122. Fix
+this by casing the first term of the mutiply to a u64. Also remove
+the extraneous parentheses around the expression.
+
+Addresses-coverity: ("Unintentional integer overflow")
+Fixes: a497a4363706 ("ASoC: Add support for Conexant CX2072X CODEC")
+Signed-off-by: Colin Ian King
+Reviewed-by: Takashi Iwai
+Signed-off-by: Mark Brown
+Acked-by: Takashi Iwai
+
+---
+ sound/soc/codecs/cx2072x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cx2072x.c b/sound/soc/codecs/cx2072x.c
+index c11a585bbf70..ed762546eaee 100644
+--- a/sound/soc/codecs/cx2072x.c
++++ b/sound/soc/codecs/cx2072x.c
+@@ -627,7 +627,7 @@ static int cx2072x_config_pll(struct cx2072x_priv *cx2072x)
+ if (frac_div) {
+ frac_div *= 1000;
+ frac_div /= pll_input;
+- frac_num = ((4000 + frac_div) * ((1 << 20) - 4));
++ frac_num = (u64)(4000 + frac_div) * ((1 << 20) - 4);
+ do_div(frac_num, 7);
+ frac = ((u32)frac_num + 499) / 1000;
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch b/patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch
new file mode 100644
index 0000000..0569125
--- /dev/null
+++ b/patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch
@@ -0,0 +1,91 @@
+From 57a20248ef3e429dc822f0774bc4e00136c46c83 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Thu, 11 Apr 2019 16:21:53 -0700
+Subject: [PATCH] clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
+Git-commit: 57a20248ef3e429dc822f0774bc4e00136c46c83
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Experimentally it can be seen that going into deep sleep (specifically
+setting PMU_CLR_DMA and PMU_CLR_BUS in RK3288_PMU_PWRMODE_CON1)
+appears to fail unless "aclk_dmac1" is on. The failure is that the
+system never signals that it made it into suspend on the GLOBAL_PWROFF
+pin and it just hangs.
+
+NOTE that it's confirmed that it's the actual suspend that fails, not
+one of the earlier calls to read/write registers. Specifically if you
+comment out the "PMU_GLOBAL_INT_DISABLE" setting in
+rk3288_slp_mode_set() and then comment out the "cpu_do_idle()" call in
+rockchip_lpmode_enter() then you can exercise the whole suspend path
+without any crashing.
+
+This is currently not a problem with suspend upstream because there is
+no current way to exercise the deep suspend code. However, anyone
+trying to make it work will run into this issue.
+
+This was not a problem on shipping rk3288-based Chromebooks because
+those devices all ran on an old kernel based on 3.14. On that kernel
+"aclk_dmac1" appears to be left on all the time.
+
+There are several ways to skin this problem.
+
+A) We could add "aclk_dmac1" to the list of critical clocks and that
+apperas to work, but presumably that wastes power.
+
+B) We could keep a list of "struct clk" objects to enable at suspend
+time in clk-rk3288.c and use the standard clock APIs.
+
+C) We could make the rk3288-pmu driver keep a list of clocks to enable
+at suspend time. Presumably this would require a dts and bindings
+change.
+
+D) We could just whack the clock on in the existing syscore suspend
+function where we whack a bunch of other clocks. This is particularly
+easy because we know for sure that the clock's only parent
+("aclk_cpu") is a critical clock so we don't need to do anything more
+than ungate it.
+
+In this case I have chosen D) because it seemed like the least work,
+but any of the other options would presumably also work fine.
+
+Signed-off-by: Douglas Anderson
+Reviewed-by: Elaine Zhang
+Signed-off-by: Heiko Stuebner
+Acked-by: Takashi Iwai
+
+---
+ drivers/clk/rockchip/clk-rk3288.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c
+index 961d4ee86b75..e8b5a6bfcc8a 100644
+--- a/drivers/clk/rockchip/clk-rk3288.c
++++ b/drivers/clk/rockchip/clk-rk3288.c
+@@ -861,6 +861,9 @@ static const int rk3288_saved_cru_reg_ids[] = {
+ RK3288_CLKSEL_CON(10),
+ RK3288_CLKSEL_CON(33),
+ RK3288_CLKSEL_CON(37),
++
++ /* We turn aclk_dmac1 on for suspend; this will restore it */
++ RK3288_CLKGATE_CON(10),
+ };
+
+ static u32 rk3288_saved_cru_regs[ARRAY_SIZE(rk3288_saved_cru_reg_ids)];
+@@ -876,6 +879,14 @@ static int rk3288_clk_suspend(void)
+ readl_relaxed(rk3288_cru_base + reg_id);
+ }
+
++ /*
++ * Going into deep sleep (specifically setting PMU_CLR_DMA in
++ * RK3288_PMU_PWRMODE_CON1) appears to fail unless
++ * "aclk_dmac1" is on.
++ */
++ writel_relaxed(1 << (12 + 16),
++ rk3288_cru_base + RK3288_CLKGATE_CON(10));
++
+ /*
+ * Switch PLLs other than DPLL (for SDRAM) to slow mode to
+ * avoid crashes on resume. The Mask ROM on the system will
+--
+2.16.4
+
diff --git a/patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch b/patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch
new file mode 100644
index 0000000..0b70c9e
--- /dev/null
+++ b/patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch
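Review bot: The `writel_relaxed(1 << (12 + 16), ...)` added to `rk3288_clk_suspend()` encodes the gate bit as two bare numbers, and the comment above it explains why the clock is needed but not what the value means. As written it looks like a write-enable mask for bit 12 in the upper half-word with a zero in the lower half, which presumably ungates aclk_dmac1; saying so in the comment, e.g. `/* bit 12 gates aclk_dmac1; bit 12 + 16 is its write-enable, writing 0 ungates */`, would let a reader check it against the register description. The save loop shown just above runs before this write, so the new `RK3288_CLKGATE_CON(10)` entry in `rk3288_saved_cru_reg_ids` captures the pre-suspend gate state; the function continues outside the hunk.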
@@ -0,0 +1,43 @@
+From 40db569d6769ffa3864fd1b89616b1a7323568a8 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Fri, 12 Apr 2019 00:48:34 +0300
+Subject: [PATCH] clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
+Git-commit: 40db569d6769ffa3864fd1b89616b1a7323568a8
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+There are wrongly set parenthesis in the code that are resulting in a
+wrong configuration being programmed for PLLM. The original fix was made
+by Danny Huang in the downstream kernel. The patch was tested on Nyan Big
+Tegra124 chromebook, PLLM rate changing works correctly now and system
+doesn't lock up after changing the PLLM rate due to EMC scaling.
+
+Cc:
+Tested-by: Steev Klimaszewski
+Signed-off-by: Dmitry Osipenko
+Acked-by: Peter De Schrijver
+Signed-off-by: Stephen Boyd
+Acked-by: Takashi Iwai
+
+---
+ drivers/clk/tegra/clk-pll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-pll.c b/drivers/clk/tegra/clk-pll.c
+index ebc8481a2122..6b976b2514f7 100644
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -666,8 +666,8 @@ static void _update_pll_mnp(struct tegra_clk_pll *pll,
+ pll_override_writel(val, params->pmc_divp_reg, pll);
+
+ val = pll_override_readl(params->pmc_divnm_reg, pll);
+- val &= ~(divm_mask(pll) << div_nmp->override_divm_shift) |
+- ~(divn_mask(pll) << div_nmp->override_divn_shift);
++ val &= ~((divm_mask(pll) << div_nmp->override_divm_shift) |
++ (divn_mask(pll) << div_nmp->override_divn_shift));
+ val |= (cfg->m << div_nmp->override_divm_shift) |
+ (cfg->n << div_nmp->override_divn_shift);
+ pll_override_writel(val, params->pmc_divnm_reg, pll);
+--
+2.16.4
+
diff --git a/patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch b/patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch
new file mode 100644
index 0000000..a1620a3
--- /dev/null
+++ b/patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch 
@@ -0,0 +1,58 @@
+From 3f93a4f297961c12bb17aa16cb3a4d1291823cae Mon Sep 17 00:00:00 2001
+From: Robin Gong
+Date: Fri, 21 Jun 2019 16:23:06 +0800
+Subject: [PATCH] dmaengine: imx-sdma: remove BD_INTR for channel0
+Git-commit: 3f93a4f297961c12bb17aa16cb3a4d1291823cae
+Patch-mainline: v5.2
+References: bsc#1051510
+
+It is possible for an irq triggered by channel0 to be received later
+after clks are disabled once firmware loaded during sdma probe. If
+that happens then clearing them by writing to SDMA_H_INTR won't work
+and the kernel will hang processing infinite interrupts. Actually,
+don't need interrupt triggered on channel0 since it's pollling
+SDMA_H_STATSTOP to know channel0 done rather than interrupt in
+current code, just clear BD_INTR to disable channel0 interrupt to
+avoid the above case.
+This issue was brought by commit 1d069bfa3c78 ("dmaengine: imx-sdma:
+ack channel 0 IRQ in the interrupt handler") which didn't take care
+the above case.
+
+Fixes: 1d069bfa3c78 ("dmaengine: imx-sdma: ack channel 0 IRQ in the interrupt handler")
+Cc: stable@vger.kernel.org #5.0+
+Signed-off-by: Robin Gong
+Reported-by: Sven Van Asbroeck
+Tested-by: Sven Van Asbroeck
+Reviewed-by: Michael Olbrich
+Signed-off-by: Vinod Koul
+Acked-by: Takashi Iwai
+
+---
+ drivers/dma/imx-sdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
+index ba72fcfbebfe..4ec84a633bd3 100644
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -703,7 +703,7 @@ static int sdma_load_script(struct sdma_engine *sdma, void *buf, int size,
+ spin_lock_irqsave(&sdma->channel_0_lock, flags);
+
+ bd0->mode.command = C0_SETPM;
+- bd0->mode.status = BD_DONE | BD_INTR | BD_WRAP | BD_EXTD;
++ bd0->mode.status = BD_DONE | BD_WRAP | BD_EXTD;
+ bd0->mode.count = size / 2;
+ bd0->buffer_addr = buf_phys;
+ bd0->ext_buffer_addr = address;
+@@ -1025,7 +1025,7 @@ static int sdma_load_context(struct sdma_channel *sdmac)
+ context->gReg[7] = sdmac->watermark_level;
+
+ bd0->mode.command = C0_SETDM;
+- bd0->mode.status = BD_DONE | BD_INTR | BD_WRAP | BD_EXTD;
++ bd0->mode.status = BD_DONE | BD_WRAP | BD_EXTD;
+ bd0->mode.count = sizeof(*context) / 4;
+ bd0->buffer_addr = sdma->context_phys;
+ bd0->ext_buffer_addr = 2048 + (sizeof(*context) / 4) * channel;
+--
+2.16.4
+
diff --git a/patches.drivers/documentation-dma-api-fix-a-function-name-of-max_mapping_size b/patches.drivers/documentation-dma-api-fix-a-function-name-of-max_mapping_size
new file mode 100644
index 0000000..50ef6b8
--- /dev/null
+++ b/patches.drivers/documentation-dma-api-fix-a-function-name-of-max_mapping_size
@@ -0,0 +1,31 @@
+From: Yoshihiro Shimoda
+Date: Fri, 7 Jun 2019 16:47:13 +0900
+Subject: Documentation: DMA-API: fix a function name of max_mapping_size
+Git-commit: 99d2b938672944831035bef50c68a6e948e93abf
+Patch-mainline: v5.3-rc1
+References: bsc#1140954
+
+The exported function name is dma_max_mapping_size(), not
+dma_direct_max_mapping_size() so that this patch fixes
+the function name in the documentation.
+
+Fixes: 133d624b1cee ("dma: Introduce dma_max_mapping_size()")
+Signed-off-by: Yoshihiro Shimoda
+Signed-off-by: Jonathan Corbet
+Acked-by: Joerg Roedel
+---
+ Documentation/DMA-API.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/DMA-API.txt
++++ b/Documentation/DMA-API.txt
+@@ -181,7 +181,7 @@ call to set the mask to the value return
+ ::
+
+ size_t
+- dma_direct_max_mapping_size(struct device *dev);
++ dma_max_mapping_size(struct device *dev);
+
+ Returns the maximum size of a mapping for the device. The size parameter
+ of the mapping functions like dma_map_single(), dma_map_page() and
+
diff --git a/patches.drivers/gpio-omap-fix-lack-of-irqstatus_raw0-for-OMAP4.patch b/patches.drivers/gpio-omap-fix-lack-of-irqstatus_raw0-for-OMAP4.patch
new file mode 100644
index 0000000..0cc1d96
--- /dev/null
+++ b/patches.drivers/gpio-omap-fix-lack-of-irqstatus_raw0-for-OMAP4.patch
@@ -0,0 +1,45 @@
+From 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Mon, 10 Jun 2019 20:10:45 +0300
+Subject: [PATCH] gpio: omap: fix lack of irqstatus_raw0 for OMAP4
+Git-commit: 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Commit 384ebe1c2849 ("gpio/omap: Add DT support to GPIO driver") added
+the register definition tables to the gpio-omap driver. Subsequently to
+that commit, commit 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx()
+checks from *_runtime_resume()") added definitions for irqstatus_raw*
+registers to the legacy OMAP4 definitions, but missed the DT
+definitions.
+
+This causes an unintentional change of behaviour for the 1.101 errata
+workaround on OMAP4 platforms. Fix this oversight.
+
+Fixes: 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() checks from *_runtime_resume()")
+Signed-off-by: Russell King
+Signed-off-by: Grygorii Strashko
+Tested-by: Tony Lindgren
+Signed-off-by: Linus Walleij
+Acked-by: Takashi Iwai
+
+---
+ drivers/gpio/gpio-omap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index 2c6d46396834..44b214e5cefb 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -1457,6 +1457,8 @@ static struct omap_gpio_reg_offs omap4_gpio_regs = {
+ .clr_dataout = OMAP4_GPIO_CLEARDATAOUT,
+ .irqstatus = OMAP4_GPIO_IRQSTATUS0,
+ .irqstatus2 = OMAP4_GPIO_IRQSTATUS1,
++ .irqstatus_raw0 = OMAP4_GPIO_IRQSTATUSRAW0,
++ .irqstatus_raw1 = OMAP4_GPIO_IRQSTATUSRAW1,
+ .irqenable = OMAP4_GPIO_IRQSTATUSSET0,
+ .irqenable2 = OMAP4_GPIO_IRQSTATUSSET1,
+ .set_irqenable = OMAP4_GPIO_IRQSTATUSSET0,
+--
+2.16.4
+
diff --git a/patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch b/patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch
index c5a7b22..9b12047 100644
--- a/patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch +++ b/patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch @@ -4,8 +4,7 @@ Date: Fri, 7 Jun 2019 16:03:53 -0500 Subject: [PATCH] ibmvnic: Do not close unopened driver during reset References: bsc#1137752 -Patch-mainline: queued -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git +Patch-mainline: v5.2-rc6 Git-commit: 1f94608b0ce141be5286dde31270590bdf35b86a Check driver state before halting it during a reset. If the driver is diff --git a/patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch b/patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch index f730273..d4743b1 100644 --- a/patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch +++ b/patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch @@ -4,8 +4,7 @@ Date: Fri, 7 Jun 2019 16:03:55 -0500 Subject: [PATCH] ibmvnic: Fix unchecked return codes of memory allocations References: bsc#1137752 -Patch-mainline: queued -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git +Patch-mainline: v5.2-rc6 Git-commit: 7c940b1a5291e5069d561f5b8f0e51db6b7a259a The return values for these memory allocations are unchecked, diff --git a/patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch b/patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch index 2b6d40e..ee71f4f 100644 --- a/patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch +++ b/patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch 
@@ -4,8 +4,7 @@ Date: Fri, 7 Jun 2019 16:03:54 -0500 Subject: [PATCH] ibmvnic: Refresh device multicast list after reset References: bsc#1137752 -Patch-mainline: queued -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git +Patch-mainline: v5.2-rc6 Git-commit: be32a24372cf162e825332da1a7ccef058d4f20b It was observed that multicast packets were no longer received after diff --git a/patches.drivers/iommu-amd-make-iommu_disable-safer b/patches.drivers/iommu-amd-make-iommu_disable-safer new file mode 100644 index 0000000..9937554 --- /dev/null +++ b/patches.drivers/iommu-amd-make-iommu_disable-safer @@ -0,0 +1,33 @@ +From: Kevin Mitchell +Date: Wed, 12 Jun 2019 14:52:03 -0700 +Subject: iommu/amd: Make iommu_disable safer +Git-commit: 3ddbe913e55516d3e2165d43d4d5570761769878 +Patch-mainline: v5.3-rc1 +References: bsc#1140955 + +Make it safe to call iommu_disable during early init error conditions +before mmio_base is set, but after the struct amd_iommu has been added +to the amd_iommu_list. For example, this happens if firmware fails to +fill in mmio_phys in the ACPI table leading to a NULL pointer +dereference in iommu_feature_disable. + +Fixes: 2c0ae1720c09c ('iommu/amd: Convert iommu initialization to state machine') +Signed-off-by: Kevin Mitchell +Signed-off-by: Joerg Roedel +--- + drivers/iommu/amd_iommu_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -421,6 +421,9 @@ static void iommu_enable(struct amd_iomm + + static void iommu_disable(struct amd_iommu *iommu) + { ++ if (!iommu->mmio_base) ++ return; ++ + /* Disable command buffer */ + iommu_feature_disable(iommu, CONTROL_CMDBUF_EN); + + diff --git a/patches.drivers/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes b/patches.drivers/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes new file mode 100644 index 0000000..b3e9bc2 --- /dev/null +++ b/patches.drivers/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes 
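Review bot: The new `if (!iommu->mmio_base) return;` at the top of `iommu_disable()` has no comment, and the reason a listed IOMMU can have a NULL MMIO base is only in the commit message. I would add `/* mmio_base is still NULL if early init failed before the registers were mapped */` above the check. The guard covers this one function only; other paths that walk amd_iommu_list and touch registers are not visible in the hunk and may deserve the same look. The body of iommu_disable() continues past the hunk.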
@@ -0,0 +1,74 @@
+From: Robin Murphy
+Date: Mon, 3 Jun 2019 14:15:37 +0200
+Subject: iommu/arm-smmu: Avoid constant zero in TLBI writes
+Git-commit: 4e4abae311e4b44aaf61f18a826fd7136037f199
+Patch-mainline: v5.2-rc5
+References: bsc#1140956
+
+Apparently, some Qualcomm arm64 platforms which appear to expose their
+SMMU global register space are still, in fact, using a hypervisor to
+mediate it by trapping and emulating register accesses. Sadly, some
+deployed versions of said trapping code have bugs wherein they go
+horribly wrong for stores using r31 (i.e. XZR/WZR) as the source
+register.
+
+While this can be mitigated for GCC today by tweaking the constraints
+for the implementation of writel_relaxed(), to avoid any potential
+arms race with future compilers more aggressively optimising register
+allocation, the simple way is to just remove all the problematic
+constant zeros. For the write-only TLB operations, the actual value is
+irrelevant anyway and any old nearby variable will provide a suitable
+GPR to encode. The one point at which we really do need a zero to clear
+a context bank happens before any of the TLB maintenance where crashes
+have been reported, so is apparently not a problem... :/
+
+Reported-by: AngeloGioacchino Del Regno
+Tested-by: Marc Gonzalez
+Signed-off-by: Robin Murphy
+Signed-off-by: Marc Gonzalez
+Acked-by: Will Deacon
+Cc: stable@vger.kernel.org
+Signed-off-by: Joerg Roedel
+---
+ drivers/iommu/arm-smmu.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/arm-smmu.c
++++ b/drivers/iommu/arm-smmu.c
+@@ -252,6 +252,15 @@ enum arm_smmu_s2cr_privcfg {
+ #define SCTLR_TRE (1 << 1)
+ #define SCTLR_M (1 << 0)
+
++/*
++ * Apparently, some Qualcomm arm64 platforms which appear to expose their SMMU
++ * global register space are still, in fact, using a hypervisor to mediate it
++ * by trapping and emulating register accesses. Sadly, some deployed versions
++ * of said trapping code have bugs wherein they go horribly wrong for stores
++ * using r31 (i.e. XZR/WZR) as the source register.
++ */
++#define QCOM_DUMMY_VAL -1
++
+ #define ARM_MMU500_ACTLR_CPRE (1 << 1)
+
+ #define ARM_MMU500_ACR_CACHE_LOCK (1 << 26)
+@@ -588,7 +597,7 @@ static void __arm_smmu_tlb_sync(struct a
+ {
+ unsigned int spin_cnt, delay;
+
+- writel_relaxed(0, sync);
++ writel_relaxed(QCOM_DUMMY_VAL, sync);
+ for (delay = 1; delay < TLB_LOOP_TIMEOUT; delay *= 2) {
+ for (spin_cnt = TLB_SPIN_COUNT; spin_cnt > 0; spin_cnt--) {
+ if (!(readl_relaxed(status) & sTLBGSTATUS_GSACTIVE))
+@@ -1787,8 +1796,8 @@ static void arm_smmu_device_reset(struct
+ }
+
+ /* Invalidate the TLB, just in case */
+- writel_relaxed(0, gr0_base + ARM_SMMU_GR0_TLBIALLH);
+- writel_relaxed(0, gr0_base + ARM_SMMU_GR0_TLBIALLNSNH);
++ writel_relaxed(QCOM_DUMMY_VAL, gr0_base + ARM_SMMU_GR0_TLBIALLH);
++ writel_relaxed(QCOM_DUMMY_VAL, gr0_base + ARM_SMMU_GR0_TLBIALLNSNH);
+
+ reg = readl_relaxed(ARM_SMMU_GR0_NS(smmu) + ARM_SMMU_GR0_sCR0);
+
+
diff --git a/patches.drivers/iommu-fix-a-leak-in-iommu_insert_resv_region b/patches.drivers/iommu-fix-a-leak-in-iommu_insert_resv_region
new file mode 100644
index 0000000..33400b8
--- /dev/null
+++ b/patches.drivers/iommu-fix-a-leak-in-iommu_insert_resv_region
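Review bot: `#define QCOM_DUMMY_VAL -1` is an unparenthesised negative constant, so its meaning depends on the expression it is pasted into; `#define QCOM_DUMMY_VAL (-1)` is the safe form. All three uses in this patch pass it directly as the value argument of `writel_relaxed()`, where it is harmless, but nothing keeps later uses that simple. The comment block above the define explains the hypervisor bug but not why -1 was picked; one more sentence saying that the value is irrelevant for these write-only TLB registers, as the commit message states, would close that gap.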
@@ -0,0 +1,55 @@
+From: Eric Auger
+Date: Mon, 3 Jun 2019 08:53:30 +0200
+Subject: iommu: Fix a leak in iommu_insert_resv_region
+Git-commit: ad0834dedaa15c3a176f783c0373f836e44b4700
+Patch-mainline: v5.3-rc1
+References: bsc#1140957
+
+In case we expand an existing region, we unlink
+this latter and insert the larger one. In
+that case we should free the original region after
+the insertion. Also we can immediately return.
+
+Fixes: 6c65fb318e8b ("iommu: iommu_get_group_resv_regions")
+
+Signed-off-by: Eric Auger
+Signed-off-by: Joerg Roedel
+---
+ drivers/iommu/iommu.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -205,18 +205,21 @@ static int iommu_insert_resv_region(stru
+ pos = pos->next;
+ } else if ((start >= a) && (end <= b)) {
+ if (new->type == type)
+- goto done;
++ return 0;
+ else
+ pos = pos->next;
+ } else {
+ if (new->type == type) {
+ phys_addr_t new_start = min(a, start);
+ phys_addr_t new_end = max(b, end);
++ int ret;
+
+ list_del(&entry->list);
+ entry->start = new_start;
+ entry->length = new_end - new_start + 1;
+- iommu_insert_resv_region(entry, regions);
++ ret = iommu_insert_resv_region(entry, regions);
++ kfree(entry);
++ return ret;
+ } else {
+ pos = pos->next;
+ }
+@@ -229,7 +232,6 @@ insert:
+ return -ENOMEM;
+
+ list_add_tail(®ion->list, pos);
+-done:
+ return 0;
+ }
+
+
diff --git a/patches.drivers/iommu-use-right-function-to-get-group-for-device b/patches.drivers/iommu-use-right-function-to-get-group-for-device
new file mode 100644
index 0000000..5ac2b09
--- /dev/null
+++ b/patches.drivers/iommu-use-right-function-to-get-group-for-device
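Review bot: In the expand branch of `iommu_insert_resv_region()`, `entry` is unlinked with `list_del()` before the recursive insert, so when that call returns `-ENOMEM` the `kfree(entry)` drops a range that was on the list on entry and nothing is put back. A reserved range silently missing from the list is worse than a leaked node, so either the caller has to treat any error as invalidating the whole list, or the old entry should be re-linked on failure; which of the two holds is not visible here. The `kfree()` itself appears to rely on the `insert:` path linking a separately allocated region rather than the pointer it was given, which deserves a comment such as `/* the insert path links its own copy, entry is ours to free */`.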
@@ -0,0 +1,35 @@
+From: Lu Baolu
+Date: Tue, 21 May 2019 15:27:35 +0800
+Subject: iommu: Use right function to get group for device
+Git-commit: 57274ea25736496ee019a5c40479855b21888839
+Patch-mainline: v5.3-rc1
+References: bsc#1140958
+
+The iommu_group_get_for_dev() will allocate a group for a
+device if it isn't in any group. This isn't the use case
+in iommu_request_dm_for_dev(). Let's use iommu_group_get()
+instead.
+
+Fixes: d290f1e70d85a ("iommu: Introduce iommu_request_dm_for_dev()")
+Signed-off-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+---
+ drivers/iommu/iommu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -1849,9 +1849,9 @@ int iommu_request_dm_for_dev(struct devi
+ int ret;
+
+ /* Device must already be in a group before calling this function */
+- group = iommu_group_get_for_dev(dev);
+- if (IS_ERR(group))
+- return PTR_ERR(group);
++ group = iommu_group_get(dev);
++ if (!group)
++ return -EINVAL;
+
+ mutex_lock(&group->mutex);
+
+
diff --git a/patches.drivers/iommu-vt-d-duplicate-iommu_resv_region-objects-per-device-list b/patches.drivers/iommu-vt-d-duplicate-iommu_resv_region-objects-per-device-list
new file mode 100644
index 0000000..c7debfe
--- /dev/null
+++ b/patches.drivers/iommu-vt-d-duplicate-iommu_resv_region-objects-per-device-list
@@ -0,0 +1,128 @@
+From: Eric Auger
+Date: Mon, 3 Jun 2019 08:53:31 +0200
+Subject: iommu/vt-d: Duplicate iommu_resv_region objects per device list
+Git-commit: 5f64ce5411b467f1cfea6c63e2494c22b773582b
+Patch-mainline: v5.3-rc1
+References: bsc#1140959
+
+intel_iommu_get_resv_regions() aims to return the list of
+reserved regions accessible by a given @device. However several
+devices can access the same reserved memory region and when
+building the list it is not safe to use a single iommu_resv_region
+object, whose container is the RMRR. This iommu_resv_region must
+be duplicated per device reserved region list.
+
+Let's remove the struct iommu_resv_region from the RMRR unit
+and allocate the iommu_resv_region directly in
+intel_iommu_get_resv_regions(). We hold the dmar_global_lock instead
+of the rcu-lock to allow sleeping.
+
+Fixes: 0659b8dc45a6 ("iommu/vt-d: Implement reserved region get/put callbacks")
+Signed-off-by: Eric Auger
+Reviewed-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+---
+ drivers/iommu/intel-iommu.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -442,7 +442,6 @@ struct dmar_rmrr_unit {
+ u64 end_address; /* reserved end address */
+ struct dmar_dev_scope *devices; /* target devices */
+ int devices_cnt; /* target device count */
+- struct iommu_resv_region *resv; /* reserved region handle */
+ };
+
+ struct dmar_atsr_unit {
+@@ -4281,7 +4280,6 @@ static inline void init_iommu_pm_ops(voi
+ int __init dmar_parse_one_rmrr(struct acpi_dmar_header *header, void *arg)
+ {
+ struct acpi_dmar_reserved_memory *rmrr;
+- int prot = DMA_PTE_READ|DMA_PTE_WRITE;
+ struct dmar_rmrr_unit *rmrru;
+ size_t length;
+
+@@ -4295,22 +4293,16 @@ int __init dmar_parse_one_rmrr(struct ac
+ rmrru->end_address = rmrr->end_address;
+
+ length = rmrr->end_address - rmrr->base_address + 1;
+- rmrru->resv = iommu_alloc_resv_region(rmrr->base_address, length, prot,
+- IOMMU_RESV_DIRECT);
+- if (!rmrru->resv)
+- goto free_rmrru;
+
+ rmrru->devices = dmar_alloc_dev_scope((void *)(rmrr + 1),
+ ((void *)rmrr) + rmrr->header.length,
+ &rmrru->devices_cnt);
+ if (rmrru->devices_cnt && rmrru->devices == NULL)
+- goto free_all;
++ goto free_rmrru;
+
+ list_add(&rmrru->list, &dmar_rmrr_units);
+
+ return 0;
+-free_all:
+- kfree(rmrru->resv);
+ free_rmrru:
+ kfree(rmrru);
+ out:
+@@ -4528,7 +4520,6 @@ static void intel_iommu_free_dmars(void)
+ list_for_each_entry_safe(rmrru, rmrr_n, &dmar_rmrr_units, list) {
+ list_del(&rmrru->list);
+ dmar_free_dev_scope(&rmrru->devices, &rmrru->devices_cnt);
+- kfree(rmrru->resv);
+ kfree(rmrru);
+ }
+
+@@ -5308,22 +5299,33 @@ static void intel_iommu_remove_device(st
+ static void intel_iommu_get_resv_regions(struct device *device,
+ struct list_head *head)
+ {
++ int prot = DMA_PTE_READ | DMA_PTE_WRITE;
+ struct iommu_resv_region *reg;
+ struct dmar_rmrr_unit *rmrr;
+ struct device *i_dev;
+ int i;
+
+- rcu_read_lock();
++ down_read(&dmar_global_lock);
+ for_each_rmrr_units(rmrr) {
+ for_each_active_dev_scope(rmrr->devices, rmrr->devices_cnt,
+ i, i_dev) {
++ struct iommu_resv_region *resv;
++ size_t length;
++
+ if (i_dev != device)
+ continue;
+
+- list_add_tail(&rmrr->resv->list, head);
++ length = rmrr->end_address - rmrr->base_address + 1;
++ resv = iommu_alloc_resv_region(rmrr->base_address,
++ length, prot,
++ IOMMU_RESV_DIRECT);
++ if (!resv)
++ break;
++
++ list_add_tail(&resv->list, head);
+ }
+ }
+- rcu_read_unlock();
++ up_read(&dmar_global_lock);
+
+ reg = iommu_alloc_resv_region(IOAPIC_RANGE_START,
+ IOAPIC_RANGE_END - IOAPIC_RANGE_START + 1,
+@@ -5338,10 +5340,8 @@ static void intel_iommu_put_resv_regions
+ {
+ struct iommu_resv_region *entry, *next;
+
+- list_for_each_entry_safe(entry, next, head, list) {
+- if (entry->type == IOMMU_RESV_MSI)
+- kfree(entry);
+- }
++ list_for_each_entry_safe(entry, next, head, list)
++ kfree(entry);
+ }
+
+ #ifdef CONFIG_INTEL_IOMMU_SVM
+
diff --git a/patches.drivers/iommu-vt-d-handle-pci-bridge-rmrr-device-scopes-in-intel_iommu_get_resv_regions b/patches.drivers/iommu-vt-d-handle-pci-bridge-rmrr-device-scopes-in-intel_iommu_get_resv_regions
new file mode 100644
index 0000000..331e0bb
--- /dev/null
+++ b/patches.drivers/iommu-vt-d-handle-pci-bridge-rmrr-device-scopes-in-intel_iommu_get_resv_regions
@@ -0,0 +1,33 @@
+From: Eric Auger
+Date: Mon, 3 Jun 2019 08:53:34 +0200
+Subject: iommu/vt-d: Handle PCI bridge RMRR device scopes in
+ intel_iommu_get_resv_regions
+Git-commit: 3855ba2d834d8f7727b7f992ff781fa66cc09f96
+Patch-mainline: v5.3-rc1
+References: bsc#1140960
+
+In the case the RMRR device scope is a PCI-PCI bridge, let's check
+the device belongs to the PCI sub-hierarchy.
+
+Fixes: 0659b8dc45a6 ("iommu/vt-d: Implement reserved region get/put callbacks")
+
+Signed-off-by: Eric Auger
+Reviewed-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+---
+ drivers/iommu/intel-iommu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -5313,7 +5313,8 @@ static void intel_iommu_get_resv_regions
+ struct iommu_resv_region *resv;
+ size_t length;
+
+- if (i_dev != device)
++ if (i_dev != device &&
++ !is_downstream_to_pci_bridge(device, i_dev))
+ continue;
+
+ length = rmrr->end_address - rmrr->base_address + 1;
+
diff --git a/patches.drivers/iommu-vt-d-handle-rmrr-with-pci-bridge-device-scopes b/patches.drivers/iommu-vt-d-handle-rmrr-with-pci-bridge-device-scopes
new file mode 100644
index 0000000..4e10bfb
--- /dev/null
+++ b/patches.drivers/iommu-vt-d-handle-rmrr-with-pci-bridge-device-scopes
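Review bot: In `intel_iommu_get_resv_regions()` (the "Duplicate iommu_resv_region objects" patch) the new `if (!resv) break;` leaves only the inner `for_each_active_dev_scope()` loop, so after an allocation failure the outer `for_each_rmrr_units()` walk carries on and the function, which returns void, hands back a list that is missing an RMRR range without any trace. At minimum the failure should be marked, e.g. `if (!resv) break; /* allocation failed: this RMRR is missing from the list */`, and a warning in the log would make a missing reserved range diagnosable. `intel_iommu_put_resv_regions()` now frees every entry on the list, which matches the per-device copies as long as nothing else adds entries it does not own; that cannot be confirmed from the hunk.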
@@ -0,0 +1,36 @@
+From: Eric Auger
+Date: Mon, 3 Jun 2019 08:53:33 +0200
+Subject: iommu/vt-d: Handle RMRR with PCI bridge device scopes
+Git-commit: e143fd4598ddf7401d3699957cd59ceb5426d53d
+Patch-mainline: v5.3-rc1
+References: bsc#1140961
+
+When reading the vtd specification and especially the
+Reserved Memory Region Reporting Structure chapter,
+it is not obvious a device scope element cannot be a
+PCI-PCI bridge, in which case all downstream ports are
+likely to access the reserved memory region. Let's handle
+this case in device_has_rmrr.
+
+Fixes: ea2447f700ca ("intel-iommu: Prevent devices with RMRRs from being placed into SI Domain")
+
+Signed-off-by: Eric Auger
+Reviewed-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+---
+ drivers/iommu/intel-iommu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -2825,7 +2825,8 @@ static bool device_has_rmrr(struct devic
+ */
+ for_each_active_dev_scope(rmrr->devices,
+ rmrr->devices_cnt, i, tmp)
+- if (tmp == dev) {
++ if (tmp == dev ||
++ is_downstream_to_pci_bridge(dev, tmp)) {
+ rcu_read_unlock();
+ return true;
+ }
+
diff --git a/patches.drivers/iommu-vt-d-introduce-is_downstream_to_pci_bridge-helper b/patches.drivers/iommu-vt-d-introduce-is_downstream_to_pci_bridge-helper
new file mode 100644
index 0000000..cd867e1
--- /dev/null
+++ b/patches.drivers/iommu-vt-d-introduce-is_downstream_to_pci_bridge-helper
@@ -0,0 +1,79 @@
+From: Eric Auger
+Date: Mon, 3 Jun 2019 08:53:32 +0200
+Subject: iommu/vt-d: Introduce is_downstream_to_pci_bridge helper
+Git-commit: b9a7f9816483b19360b92e9b8c91bea2f9f30308
+Patch-mainline: v5.3-rc1
+References: bsc#1140962
+
+Several call sites are about to check whether a device belongs
+to the PCI sub-hierarchy of a candidate PCI-PCI bridge.
+Introduce an helper to perform that check.
+
+Signed-off-by: Eric Auger
+Reviewed-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+---
+ drivers/iommu/intel-iommu.c | 37 +++++++++++++++++++++++++++++--------
+ 1 file changed, 29 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index 082fbb1bdeaf..6747fec46cfb 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -729,12 +729,39 @@ static int iommu_dummy(struct device *dev)
+ return dev->archdata.iommu == DUMMY_DEVICE_DOMAIN_INFO;
+ }
+
++/**
++ * is_downstream_to_pci_bridge - test if a device belongs to the PCI
++ * sub-hierarchy of a candidate PCI-PCI bridge
++ * @dev: candidate PCI device belonging to @bridge PCI sub-hierarchy
++ * @bridge: the candidate PCI-PCI bridge
++ *
++ * Return: true if @dev belongs to @bridge PCI sub-hierarchy, else false.
++ */
++static bool
++is_downstream_to_pci_bridge(struct device *dev, struct device *bridge)
++{
++ struct pci_dev *pdev, *pbridge;
++
++ if (!dev_is_pci(dev) || !dev_is_pci(bridge))
++ return false;
++
++ pdev = to_pci_dev(dev);
++ pbridge = to_pci_dev(bridge);
++
++ if (pbridge->subordinate &&
++ pbridge->subordinate->number <= pdev->bus->number &&
++ pbridge->subordinate->busn_res.end >= pdev->bus->number)
++ return true;
++
++ return false;
++}
++
+ static struct intel_iommu *device_to_iommu(struct device *dev, u8 *bus, u8 *devfn)
+ {
+ struct dmar_drhd_unit *drhd = NULL;
+ struct intel_iommu *iommu;
+ struct device *tmp;
+- struct pci_dev *ptmp, *pdev = NULL;
++ struct pci_dev *pdev = NULL;
+ u16 segment = 0;
+ int i;
+
+@@ -780,13 +807,7 @@ static struct intel_iommu *device_to_iommu(struct device *dev, u8 *bus, u8 *devf
+ goto out;
+ }
+
+- if (!pdev || !dev_is_pci(tmp))
+- continue;
+-
+- ptmp = to_pci_dev(tmp);
+- if (ptmp->subordinate &&
+- ptmp->subordinate->number <= pdev->bus->number &&
+- ptmp->subordinate->busn_res.end >= pdev->bus->number)
++ if (is_downstream_to_pci_bridge(dev, tmp))
+ goto got_pdev;
+ }
+
+
diff --git a/patches.drivers/iommu-vt-d-remove-unnecessary-rcu_read_locks b/patches.drivers/iommu-vt-d-remove-unnecessary-rcu_read_locks
new file mode 100644
index 0000000..601dea2
--- /dev/null
+++ b/patches.drivers/iommu-vt-d-remove-unnecessary-rcu_read_locks
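Review bot: `is_downstream_to_pci_bridge()` decides membership from bus numbers alone (`subordinate->number <= pdev->bus->number` and `busn_res.end >= pdev->bus->number`) and never compares the PCI segment of `dev` and `bridge`. Bus numbers repeat across segments, so the result is only meaningful when the caller has already established that both devices share a segment; the call in `device_to_iommu()` may do that outside the hunk, but the helper is introduced for other call sites too. I would state the precondition in the kernel-doc, e.g. ` * Note: @dev and @bridge are assumed to be in the same PCI segment.`, or check it inside the helper.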
@@ -0,0 +1,47 @@
+From: Lukasz Odzioba
+Date: Mon, 20 May 2019 15:41:28 +0200
+Subject: iommu/vt-d: Remove unnecessary rcu_read_locks
+Git-commit: f780a8dc196db1c41b5da21ecfa27e83ee5fb776
+Patch-mainline: v5.3-rc1
+References: bsc#1140964
+
+We use RCU's for rarely updated lists like iommus, rmrr, atsr units.
+
+I'm not sure why domain_remove_dev_info() in domain_exit() was surrounded
+by rcu_read_lock. Lock was present before refactoring in d160aca527,
+but it was related to rcu list, not domain_remove_dev_info function.
+
+dmar_remove_one_dev_info() doesn't touch any of those lists, so it doesn't
+require a lock. In fact it is called 6 times without it anyway.
+
+Fixes: d160aca5276d ("iommu/vt-d: Unify domain->iommu attach/detachment")
+
+Signed-off-by: Lukasz Odzioba
+Signed-off-by: Joerg Roedel
+---
+ drivers/iommu/intel-iommu.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -2013,9 +2013,7 @@ static void domain_exit(struct dmar_doma
+ }
+
+ /* Remove associated devices and clear attached or cached domains */
+- rcu_read_lock();
+ domain_remove_dev_info(domain);
+- rcu_read_unlock();
+
+ /* destroy iovas */
+ put_iova_domain(&domain->iovad);
+@@ -5121,9 +5119,7 @@ static int intel_iommu_attach_device(str
+
+ old_domain = find_domain(dev);
+ if (old_domain) {
+- rcu_read_lock();
+ dmar_remove_one_dev_info(old_domain, dev);
+- rcu_read_unlock();
+
+ if (!domain_type_is_vm_or_si(old_domain) &&
+ list_empty(&old_domain->devices))
+
diff --git a/patches.drivers/mfd-hi655x-Fix-regmap-area-declared-size-for-hi655x.patch b/patches.drivers/mfd-hi655x-Fix-regmap-area-declared-size-for-hi655x.patch
new file mode 100644
index 0000000..3ed2cf6
--- /dev/null
+++ b/patches.drivers/mfd-hi655x-Fix-regmap-area-declared-size-for-hi655x.patch
@@ -0,0 +1,69 @@ +From 6afebb70ee7a4bde106dc1a875e7ac7997248f84 Mon Sep 17 00:00:00 2001 +From: Rafael David Tinoco +Date: Fri, 6 Jul 2018 14:28:33 -0300 +Subject: [PATCH] mfd: hi655x: Fix regmap area declared size for hi655x +Git-commit: 6afebb70ee7a4bde106dc1a875e7ac7997248f84 +Patch-mainline: v4.19-rc1 +References: bsc#1051510 + +Fixes https://bugs.linaro.org/show_bug.cgi?id=3903 + +LTP Functional tests have caused a bad paging request when triggering +the regmap_read_debugfs() logic of the device PMIC Hi6553 (reading +regmap/f8000000.pmic/registers file during read_all test): + +Unable to handle kernel paging request at virtual address ffff0 +[ffff00000984e000] pgd=0000000077ffe803, pud=0000000077ffd803,0 +Internal error: Oops: 96000007 [#1] SMP +... +Hardware name: HiKey Development Board (DT) +... +Call trace: + regmap_mmio_read8+0x24/0x40 + regmap_mmio_read+0x48/0x70 + _regmap_bus_reg_read+0x38/0x48 + _regmap_read+0x68/0x170 + regmap_read+0x50/0x78 + regmap_read_debugfs+0x1a0/0x308 + regmap_map_read_file+0x48/0x58 + full_proxy_read+0x68/0x98 + __vfs_read+0x48/0x80 + vfs_read+0x94/0x150 + SyS_read+0x6c/0xd8 + el0_svc_naked+0x30/0x34 +Code: aa1e03e0 d503201f f9400280 8b334000 (39400000) + +Investigations have showed that, when triggered by debugfs read() +handler, the mmio regmap logic was reading a bigger (16k) register area +than the one mapped by devm_ioremap_resource() during hi655x-pmic probe +time (4k). + +This commit changes hi655x's max register, according to HW specs, to be +the same as the one declared in the pmic device in hi6220's dts, fixing +the issue. 
+ +Cc: #v4.9 #v4.14 #v4.16 #v4.17 +Signed-off-by: Rafael David Tinoco +Signed-off-by: Lee Jones +Acked-by: Takashi Iwai + +--- + drivers/mfd/hi655x-pmic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/hi655x-pmic.c b/drivers/mfd/hi655x-pmic.c +index c37ccbfd52f2..96c07fa1802a 100644 +--- a/drivers/mfd/hi655x-pmic.c ++++ b/drivers/mfd/hi655x-pmic.c +@@ -49,7 +49,7 @@ static struct regmap_config hi655x_regmap_config = { + .reg_bits = 32, + .reg_stride = HI655X_STRIDE, + .val_bits = 8, +- .max_register = HI655X_BUS_ADDR(0xFFF), ++ .max_register = HI655X_BUS_ADDR(0x400) - HI655X_STRIDE, + }; + + static struct resource pwrkey_resources[] = { +-- +2.16.4 + diff --git a/patches.drivers/nfit-ars-avoid-stale-ars-results.patch b/patches.drivers/nfit-ars-avoid-stale-ars-results.patch new file mode 100644 index 0000000..2ec2b41 --- /dev/null +++ b/patches.drivers/nfit-ars-avoid-stale-ars-results.patch 
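Review bot: `.max_register = HI655X_BUS_ADDR(0x400) - HI655X_STRIDE` links the regmap limit to the size of the ioremapped window only through a bare `0x400`, so a later change to the DT resource could silently bring back the out-of-range debugfs read described in the message. A comment on that line would keep the link visible, for example `/* last register inside the 4k region mapped at probe */`; a named constant for the register count would serve the same purpose. The macro definitions are outside the hunk, so the 4k figure is taken from the commit message rather than from the code.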
@@ -0,0 +1,73 @@ +From: Dan Williams +Date: Wed, 13 Feb 2019 09:28:40 -0800 +Subject: [PATCH] nfit/ars: Avoid stale ARS results +Patch-mainline: v5.1-rc1 +Git-commit: 78153dd45e7e0596ba32b15d02bda08e1513111e +References: jsc#SLE-5433 + +Gate ARS result consumption on whether the OS issued start-ARS since the +previous consumption. The BIOS may only clear its result buffers after a +successful start-ARS. + +Fixes: 0caeef63e6d2 ("libnvdimm: Add a poison list and export badblocks") +Cc: +Reported-by: Krzysztof Rusocki +Reported-by: Vishal Verma +Reviewed-by: Toshi Kani +Signed-off-by: Dan Williams +Acked-by: Johannes Thumshirn +--- + drivers/acpi/nfit/core.c | 17 ++++++++++++++++- + drivers/acpi/nfit/nfit.h | 1 + + 2 files changed, 17 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -2529,7 +2529,10 @@ static int ars_start(struct acpi_nfit_de + + if (rc < 0) + return rc; +- return cmd_rc; ++ if (cmd_rc < 0) ++ return cmd_rc; ++ set_bit(ARS_VALID, &acpi_desc->scrub_flags); ++ return 0; + } + + static int ars_continue(struct acpi_nfit_desc *acpi_desc) +@@ -2623,6 +2626,17 @@ static int ars_status_process_records(st + */ + if (ars_status->out_length < 44) + return 0; ++ ++ /* ++ * Ignore potentially stale results that are only refreshed ++ * after a start-ARS event. 
++ */ ++ if (!test_and_clear_bit(ARS_VALID, &acpi_desc->scrub_flags)) { ++ dev_dbg(acpi_desc->dev, "skip %d stale records\n", ++ ars_status->num_records); ++ return 0; ++ } ++ + for (i = 0; i < ars_status->num_records; i++) { + /* only process full records */ + if (ars_status->out_length +@@ -3108,6 +3122,7 @@ static int acpi_nfit_register_regions(st + struct nfit_spa *nfit_spa; + int rc; + ++ set_bit(ARS_VALID, &acpi_desc->scrub_flags); + list_for_each_entry(nfit_spa, &acpi_desc->spas, list) { + switch (nfit_spa_type(nfit_spa->spa)) { + case NFIT_SPA_VOLATILE: +--- a/drivers/acpi/nfit/nfit.h ++++ b/drivers/acpi/nfit/nfit.h +@@ -185,6 +185,7 @@ enum scrub_flags { + ARS_BUSY, + ARS_CANCEL, + ARS_POLL, ++ ARS_VALID, + }; + + struct acpi_nfit_desc { diff --git a/patches.drivers/nfit-ars-introduce-scrub_flags.patch b/patches.drivers/nfit-ars-introduce-scrub_flags.patch new file mode 100644 index 0000000..e97d300 --- /dev/null +++ b/patches.drivers/nfit-ars-introduce-scrub_flags.patch 
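Review bot: The unconditional `set_bit(ARS_VALID, &acpi_desc->scrub_flags)` added at the top of acpi_nfit_register_regions() carries no comment, although it is the one place where results are accepted without a start-ARS issued by the OS. A line such as `/* accept the results already present at registration time */` would record the intent; the exact wording should be confirmed by the author. Separately, the new dev_dbg() prints `ars_status->num_records` with `%d`; if the field is unsigned, as its use as the loop bound suggests, `%u` is the matching specifier. Both functions continue outside the hunks shown.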
@@ -0,0 +1,123 @@ +From: Dan Williams +Date: Wed, 13 Feb 2019 09:57:22 -0800 +Subject: [PATCH] nfit/ars: Introduce scrub_flags +Patch-mainline: v5.1-rc1 +Git-commit: e34b8252a3d2893ca55c82dbfcdaa302fa03d400 +References: jsc#SLE-5433 + +In preparation for introducing new flags to gate whether ARS results are +stale, or poll the completion state, convert the existing flags to an +unsigned long with enumerated values. This conversion allows the flags +to be atomically updated outside of ->init_mutex. + +Reviewed-by: Toshi Kani +Signed-off-by: Dan Williams +Acked-by: Johannes Thumshirn +--- + drivers/acpi/nfit/core.c | 30 +++++++++++++++++------------- + drivers/acpi/nfit/nfit.h | 8 ++++++-- + 2 files changed, 23 insertions(+), 15 deletions(-) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -1299,19 +1299,23 @@ static ssize_t scrub_show(struct device + struct device_attribute *attr, char *buf) + { + struct nvdimm_bus_descriptor *nd_desc; ++ struct acpi_nfit_desc *acpi_desc; + ssize_t rc = -ENXIO; ++ bool busy; + + device_lock(dev); + nd_desc = dev_get_drvdata(dev); +- if (nd_desc) { +- struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc); +- +- mutex_lock(&acpi_desc->init_mutex); +- rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, +- acpi_desc->scrub_busy +- && !acpi_desc->cancel ? "+\n" : "\n"); +- mutex_unlock(&acpi_desc->init_mutex); ++ if (!nd_desc) { ++ device_unlock(dev); ++ return rc; + } ++ acpi_desc = to_acpi_desc(nd_desc); ++ ++ mutex_lock(&acpi_desc->init_mutex); ++ busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags) ++ && !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags); ++ rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? 
"+\n" : "\n"); ++ mutex_unlock(&acpi_desc->init_mutex); + device_unlock(dev); + return rc; + } +@@ -2951,7 +2955,7 @@ static unsigned int __acpi_nfit_scrub(st + + lockdep_assert_held(&acpi_desc->init_mutex); + +- if (acpi_desc->cancel) ++ if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags)) + return 0; + + if (query_rc == -EBUSY) { +@@ -3025,7 +3029,7 @@ static void __sched_ars(struct acpi_nfit + { + lockdep_assert_held(&acpi_desc->init_mutex); + +- acpi_desc->scrub_busy = 1; ++ set_bit(ARS_BUSY, &acpi_desc->scrub_flags); + /* note this should only be set from within the workqueue */ + if (tmo) + acpi_desc->scrub_tmo = tmo; +@@ -3041,7 +3045,7 @@ static void notify_ars_done(struct acpi_ + { + lockdep_assert_held(&acpi_desc->init_mutex); + +- acpi_desc->scrub_busy = 0; ++ clear_bit(ARS_BUSY, &acpi_desc->scrub_flags); + acpi_desc->scrub_count++; + if (acpi_desc->scrub_count_state) + sysfs_notify_dirent(acpi_desc->scrub_count_state); +@@ -3314,7 +3318,7 @@ int acpi_nfit_ars_rescan(struct acpi_nfi + struct nfit_spa *nfit_spa; + + mutex_lock(&acpi_desc->init_mutex); +- if (acpi_desc->cancel) { ++ if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags)) { + mutex_unlock(&acpi_desc->init_mutex); + return 0; + } +@@ -3394,7 +3398,7 @@ void acpi_nfit_shutdown(void *data) + mutex_unlock(&acpi_desc_lock); + + mutex_lock(&acpi_desc->init_mutex); +- acpi_desc->cancel = 1; ++ set_bit(ARS_CANCEL, &acpi_desc->scrub_flags); + cancel_delayed_work_sync(&acpi_desc->dwork); + mutex_unlock(&acpi_desc->init_mutex); + +--- a/drivers/acpi/nfit/nfit.h ++++ b/drivers/acpi/nfit/nfit.h +@@ -181,6 +181,11 @@ struct nfit_mem { + int family; + }; + ++enum scrub_flags { ++ ARS_BUSY, ++ ARS_CANCEL, ++}; ++ + struct acpi_nfit_desc { + struct nvdimm_bus_descriptor nd_desc; + struct acpi_table_header acpi_header; +@@ -203,8 +208,7 @@ struct acpi_nfit_desc { + unsigned int max_ars; + unsigned int scrub_count; + unsigned int scrub_mode; +- unsigned int scrub_busy:1; +- unsigned int cancel:1; ++ unsigned long 
scrub_flags; + unsigned long dimm_cmd_force_en; + unsigned long bus_cmd_force_en; + unsigned long bus_nfit_cmd_force_en; diff --git a/patches.drivers/pwm-stm32-Use-3-cells-of_xlate.patch b/patches.drivers/pwm-stm32-Use-3-cells-of_xlate.patch new file mode 100644 index 0000000..13c6551 --- /dev/null +++ b/patches.drivers/pwm-stm32-Use-3-cells-of_xlate.patch @@ -0,0 +1,37 @@ +From 0b055ed4c9bc16217d5eb4f4e6a5446cd9631b87 Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Wed, 19 Jun 2019 11:52:02 +0200 +Subject: [PATCH] pwm: stm32: Use 3 cells ->of_xlate() +Git-commit: 0b055ed4c9bc16217d5eb4f4e6a5446cd9631b87 +Patch-mainline: v5.3-rc1 +References: bsc#1111666 + +STM32 Timers support generic 3 cells PWM to encode PWM number, period +and polarity. + +Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm") +Signed-off-by: Fabrice Gasnier +Reviewed-by: Benjamin Gaignard +Signed-off-by: Thierry Reding +Acked-by: Takashi Iwai + +--- + drivers/pwm/pwm-stm32.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c +index 4f842550fbd1..740e2dec8313 100644 +--- a/drivers/pwm/pwm-stm32.c ++++ b/drivers/pwm/pwm-stm32.c +@@ -608,6 +608,8 @@ static int stm32_pwm_probe(struct platform_device *pdev) + priv->regmap = ddata->regmap; + priv->clk = ddata->clk; + priv->max_arr = ddata->max_arr; ++ priv->chip.of_xlate = of_pwm_xlate_with_flags; ++ priv->chip.of_pwm_n_cells = 3; + + if (!priv->regmap || !priv->clk) + return -EINVAL; +-- +2.16.4 + diff --git a/patches.drivers/qmi_wwan-Fix-out-of-bounds-read.patch b/patches.drivers/qmi_wwan-Fix-out-of-bounds-read.patch new file mode 100644 index 0000000..77b7e94 --- /dev/null +++ b/patches.drivers/qmi_wwan-Fix-out-of-bounds-read.patch 
@@ -0,0 +1,58 @@ +From 904d88d743b0c94092c5117955eab695df8109e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Mon, 24 Jun 2019 18:45:11 +0200 +Subject: [PATCH] qmi_wwan: Fix out-of-bounds read +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 904d88d743b0c94092c5117955eab695df8109e8 +Patch-mainline: v5.2-rc7 +References: bsc#1111666 + +The syzbot reported + + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xca/0x13e lib/dump_stack.c:113 + print_address_description+0x67/0x231 mm/kasan/report.c:188 + __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317 + kasan_report+0xe/0x20 mm/kasan/common.c:614 + qmi_wwan_probe+0x342/0x360 drivers/net/usb/qmi_wwan.c:1417 + usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361 + really_probe+0x281/0x660 drivers/base/dd.c:509 + driver_probe_device+0x104/0x210 drivers/base/dd.c:670 + __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777 + bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454 + +Caused by too many confusing indirections and casts. +id->driver_info is a pointer stored in a long. We want the +pointer here, not the address of it. + +Thanks-to: Hillf Danton +Reported-by: syzbot+b68605d7fadd21510de1@syzkaller.appspotmail.com +Cc: Kristian Evensen +Fixes: e4bf63482c30 ("qmi_wwan: Add quirk for Quectel dynamic config") +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/usb/qmi_wwan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index d080f8048e52..8b4ad10cf940 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1482,7 +1482,7 @@ static int qmi_wwan_probe(struct usb_interface *intf, + * different. Ignore the current interface if the number of endpoints + * equals the number for the diag interface (two). 
+ */ +- info = (void *)&id->driver_info; ++ info = (void *)id->driver_info; + + if (info->data & QMI_WWAN_QUIRK_QUECTEL_DYNCFG) { + if (desc->bNumEndpoints == 2) +-- +2.16.4 + diff --git a/patches.drivers/regulator-s2mps11-Fix-buck7-and-buck8-wrong-voltages.patch b/patches.drivers/regulator-s2mps11-Fix-buck7-and-buck8-wrong-voltages.patch new file mode 100644 index 0000000..fbc0eb1 --- /dev/null +++ b/patches.drivers/regulator-s2mps11-Fix-buck7-and-buck8-wrong-voltages.patch 
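Review bot: `info = (void *)id->driver_info;` still gives no hint that `driver_info` is an integer field carrying a pointer, which is the confusion that produced the out-of-bounds read in the first place. A one-line comment above the assignment would make that explicit, for example `/* driver_info holds a pointer value stored in an unsigned long */`. Whether the field can be zero for some device-table entry at this point is not visible, because qmi_wwan_probe() begins and ends outside the hunk; if it can, `info->data` needs a guard.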
@@ -0,0 +1,46 @@ +From 16da0eb5ab6ef2dd1d33431199126e63db9997cc Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 29 Jun 2019 13:44:45 +0200 +Subject: [PATCH] regulator: s2mps11: Fix buck7 and buck8 wrong voltages +Git-commit: 16da0eb5ab6ef2dd1d33431199126e63db9997cc +Patch-mainline: v5.3-rc1 +References: bsc#1051510 + +On S2MPS11 device, the buck7 and buck8 regulator voltages start at 750 +mV, not 600 mV. Using wrong minimal value caused shifting of these +regulator values by 150 mV (e.g. buck7 usually configured to v1.35 V was +reported as 1.2 V). + +On most of the boards these regulators are left in default state so this +was only affecting reported voltage. However if any driver wanted to +change them, then effectively it would set voltage 150 mV higher than +intended. + +Cc: +Fixes: cb74685ecb39 ("regulator: s2mps11: Add samsung s2mps11 regulator driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/regulator/s2mps11.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/regulator/s2mps11.c b/drivers/regulator/s2mps11.c +index af9bf10b4c33..7a89030187a4 100644 +--- a/drivers/regulator/s2mps11.c ++++ b/drivers/regulator/s2mps11.c +@@ -372,8 +372,8 @@ static const struct regulator_desc s2mps11_regulators[] = { + regulator_desc_s2mps11_buck1_4(4), + regulator_desc_s2mps11_buck5, + regulator_desc_s2mps11_buck67810(6, MIN_600_MV, STEP_6_25_MV), +- regulator_desc_s2mps11_buck67810(7, MIN_600_MV, STEP_12_5_MV), +- regulator_desc_s2mps11_buck67810(8, MIN_600_MV, STEP_12_5_MV), ++ regulator_desc_s2mps11_buck67810(7, MIN_750_MV, STEP_12_5_MV), ++ regulator_desc_s2mps11_buck67810(8, MIN_750_MV, STEP_12_5_MV), + regulator_desc_s2mps11_buck9, + regulator_desc_s2mps11_buck67810(10, MIN_750_MV, STEP_12_5_MV), + }; +-- +2.16.4 + 
diff --git a/patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch b/patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch new file mode 100644 index 0000000..44724e4 --- /dev/null +++ b/patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch 
@@ -0,0 +1,153 @@ +From bafd9c64056cd034a1174dcadb65cd3b294ff8f6 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 4 Mar 2019 14:33:54 +0000 +Subject: [PATCH] staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest +Git-commit: bafd9c64056cd034a1174dcadb65cd3b294ff8f6 +Patch-mainline: v5.1-rc3 +References: bsc#1051510 + +`ni_cdio_cmdtest()` validates Comedi asynchronous commands for the DIO +subdevice (subdevice 2) of supported National Instruments M-series +cards. It is called when handling the `COMEDI_CMD` and `COMEDI_CMDTEST` +ioctls for this subdevice. There are two causes for a possible +divide-by-zero error when validating that the `stop_arg` member of the +passed-in command is not too large. + +The first cause for the divide-by-zero is that calls to +`comedi_bytes_per_scan()` are only valid once the command has been +copied to `s->async->cmd`, but that copy is only done for the +`COMEDI_CMD` ioctl. For the `COMEDI_CMDTEST` ioctl, it will use +whatever was left there by the previous `COMEDI_CMD` ioctl, if any. +(This is very likely, as it is usual for the application to use +`COMEDI_CMDTEST` before `COMEDI_CMD`.) If there has been no previous, +valid `COMEDI_CMD` for this subdevice, then `comedi_bytes_per_scan()` +will return 0, so the subsequent division in `ni_cdio_cmdtest()` of +`s->async->prealloc_bufsz / comedi_bytes_per_scan(s)` will be a +divide-by-zero error. To fix this error, call a new function +`comedi_bytes_per_scan_cmd(s, cmd)`, based on the existing +`comedi_bytes_per_scan(s)` but using a specified `struct comedi_cmd` for +its calculations. (Also refactor `comedi_bytes_per_scan()` to call the +new function.) + +Once the first cause for the divide-by-zero has been fixed, the second +cause is that `comedi_bytes_per_scan_cmd()` can legitimately return 0 if +the `scan_end_arg` member of the `struct comedi_cmd` being tested is 0. 
+Fix it by only performing the division (and validating that `stop_arg` +is no more than the maximum value) if `comedi_bytes_per_scan_cmd()` +returns a non-zero value. + +The problem was reported on the COMEDI mailing list here: +https://groups.google.com/forum/#!topic/comedi_list/4t9WlHzMhKM + +Reported-by: Ivan Vasilyev +Tested-by: Ivan Vasilyev +Fixes: f164cbf98fa8 ("staging: comedi: ni_mio_common: add finite regeneration to dio output") +Cc: # 4.6+ +Cc: Spencer E. Olson +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/comedi/comedidev.h | 2 + + drivers/staging/comedi/drivers.c | 33 +++++++++++++++++++++---- + drivers/staging/comedi/drivers/ni_mio_common.c | 10 +++++-- + 3 files changed, 38 insertions(+), 7 deletions(-) + +--- a/drivers/staging/comedi/comedidev.h ++++ b/drivers/staging/comedi/comedidev.h +@@ -992,6 +992,8 @@ int comedi_dio_insn_config(struct comedi + unsigned int mask); + unsigned int comedi_dio_update_state(struct comedi_subdevice *s, + unsigned int *data); ++unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s, ++ struct comedi_cmd *cmd); + unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s); + unsigned int comedi_nscans_left(struct comedi_subdevice *s, + unsigned int nscans); +--- a/drivers/staging/comedi/drivers.c ++++ b/drivers/staging/comedi/drivers.c +@@ -390,11 +390,13 @@ unsigned int comedi_dio_update_state(str + EXPORT_SYMBOL_GPL(comedi_dio_update_state); + + /** +- * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes ++ * comedi_bytes_per_scan_cmd() - Get length of asynchronous command "scan" in ++ * bytes + * @s: COMEDI subdevice. ++ * @cmd: COMEDI command. + * + * Determines the overall scan length according to the subdevice type and the +- * number of channels in the scan. ++ * number of channels in the scan for the specified command. 
+ * + * For digital input, output or input/output subdevices, samples for + * multiple channels are assumed to be packed into one or more unsigned +@@ -404,9 +406,9 @@ EXPORT_SYMBOL_GPL(comedi_dio_update_stat + * + * Returns the overall scan length in bytes. + */ +-unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s) ++unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s, ++ struct comedi_cmd *cmd) + { +- struct comedi_cmd *cmd = &s->async->cmd; + unsigned int num_samples; + unsigned int bits_per_sample; + +@@ -423,6 +425,29 @@ unsigned int comedi_bytes_per_scan(struc + } + return comedi_samples_to_bytes(s, num_samples); + } ++EXPORT_SYMBOL_GPL(comedi_bytes_per_scan_cmd); ++ ++/** ++ * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes ++ * @s: COMEDI subdevice. ++ * ++ * Determines the overall scan length according to the subdevice type and the ++ * number of channels in the scan for the current command. ++ * ++ * For digital input, output or input/output subdevices, samples for ++ * multiple channels are assumed to be packed into one or more unsigned ++ * short or unsigned int values according to the subdevice's %SDF_LSAMPL ++ * flag. For other types of subdevice, samples are assumed to occupy a ++ * whole unsigned short or unsigned int according to the %SDF_LSAMPL flag. ++ * ++ * Returns the overall scan length in bytes. 
++ */ ++unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s) ++{ ++ struct comedi_cmd *cmd = &s->async->cmd; ++ ++ return comedi_bytes_per_scan_cmd(s, cmd); ++} + EXPORT_SYMBOL_GPL(comedi_bytes_per_scan); + + static unsigned int __comedi_nscans_left(struct comedi_subdevice *s, +--- a/drivers/staging/comedi/drivers/ni_mio_common.c ++++ b/drivers/staging/comedi/drivers/ni_mio_common.c +@@ -3522,6 +3522,7 @@ static int ni_cdio_check_chanlist(struct + static int ni_cdio_cmdtest(struct comedi_device *dev, + struct comedi_subdevice *s, struct comedi_cmd *cmd) + { ++ unsigned int bytes_per_scan; + int err = 0; + int tmp; + +@@ -3551,9 +3552,12 @@ static int ni_cdio_cmdtest(struct comedi + err |= comedi_check_trigger_arg_is(&cmd->convert_arg, 0); + err |= comedi_check_trigger_arg_is(&cmd->scan_end_arg, + cmd->chanlist_len); +- err |= comedi_check_trigger_arg_max(&cmd->stop_arg, +- s->async->prealloc_bufsz / +- comedi_bytes_per_scan(s)); ++ bytes_per_scan = comedi_bytes_per_scan_cmd(s, cmd); ++ if (bytes_per_scan) { ++ err |= comedi_check_trigger_arg_max(&cmd->stop_arg, ++ s->async->prealloc_bufsz / ++ bytes_per_scan); ++ } + + if (err) + return 3; diff --git a/patches.drivers/staging-iio-ad7150-fix-threshold-mode-config-bit.patch b/patches.drivers/staging-iio-ad7150-fix-threshold-mode-config-bit.patch new file mode 100644 index 0000000..8d06d09 --- /dev/null +++ b/patches.drivers/staging-iio-ad7150-fix-threshold-mode-config-bit.patch 
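Review bot: In ni_cdio_cmdtest() the new `if (bytes_per_scan)` guard leaves `stop_arg` without an upper bound at this step whenever the scan length is zero, and nothing at the call site says why that is acceptable. A short comment would carry the reasoning from the commit message into the code, e.g. `/* 0 when scan_end_arg is 0: skip the limit instead of dividing by zero */`. Any other cmdtest handler that still calls `comedi_bytes_per_scan(s)` would read the stale `s->async->cmd` described in the message; none is visible here, so that needs checking in the tree rather than asserting. ni_cdio_cmdtest() continues outside the hunk.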
@@ -0,0 +1,75 @@ +From df4d737ee4d7205aaa6275158aeebff87fd14488 Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Sat, 18 May 2019 22:04:56 -0300 +Subject: [PATCH] staging:iio:ad7150: fix threshold mode config bit +Git-commit: df4d737ee4d7205aaa6275158aeebff87fd14488 +Patch-mainline: v5.2-rc6 +References: bsc#1051510 + +According to the AD7150 configuration register description, bit 7 assumes +value 1 when the threshold mode is fixed and 0 when it is adaptive, +however, the operation that identifies this mode was considering the +opposite values. + +This patch renames the boolean variable to describe it correctly and +properly replaces it in the places where it is used. + +Fixes: 531efd6aa0991 ("staging:iio:adc:ad7150: chan_spec conv + i2c_smbus commands + drop unused poweroff timeout control.") +Signed-off-by: Melissa Wen +Signed-off-by: Jonathan Cameron +Acked-by: Takashi Iwai + +--- + drivers/staging/iio/cdc/ad7150.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/drivers/staging/iio/cdc/ad7150.c ++++ b/drivers/staging/iio/cdc/ad7150.c +@@ -6,6 +6,7 @@ + * Licensed under the GPL-2 or later. 
+ */ + ++#include + #include + #include + #include +@@ -129,7 +130,7 @@ static int ad7150_read_event_config(stru + { + int ret; + u8 threshtype; +- bool adaptive; ++ bool thrfixed; + struct ad7150_chip_info *chip = iio_priv(indio_dev); + + ret = i2c_smbus_read_byte_data(chip->client, AD7150_CFG); +@@ -137,21 +138,23 @@ static int ad7150_read_event_config(stru + return ret; + + threshtype = (ret >> 5) & 0x03; +- adaptive = !!(ret & 0x80); ++ ++ /*check if threshold mode is fixed or adaptive*/ ++ thrfixed = FIELD_GET(AD7150_CFG_FIX, ret); + + switch (type) { + case IIO_EV_TYPE_MAG_ADAPTIVE: + if (dir == IIO_EV_DIR_RISING) +- return adaptive && (threshtype == 0x1); +- return adaptive && (threshtype == 0x0); ++ return !thrfixed && (threshtype == 0x1); ++ return !thrfixed && (threshtype == 0x0); + case IIO_EV_TYPE_THRESH_ADAPTIVE: + if (dir == IIO_EV_DIR_RISING) +- return adaptive && (threshtype == 0x3); +- return adaptive && (threshtype == 0x2); ++ return !thrfixed && (threshtype == 0x3); ++ return !thrfixed && (threshtype == 0x2); + case IIO_EV_TYPE_THRESH: + if (dir == IIO_EV_DIR_RISING) +- return !adaptive && (threshtype == 0x1); +- return !adaptive && (threshtype == 0x0); ++ return thrfixed && (threshtype == 0x1); ++ return thrfixed && (threshtype == 0x0); + default: + break; + } diff --git a/patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch b/patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch new file mode 100644 index 0000000..6c26dc9 --- /dev/null +++ b/patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch 
@@ -0,0 +1,52 @@ +From 25f09f858835b0e9a06213811031190a17d8ab78 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 1 Jul 2019 08:38:12 -0500 +Subject: [PATCH] drm/amdgpu/gfx9: use reset default for PA_SC_FIFO_SIZE +Git-commit: 25f09f858835b0e9a06213811031190a17d8ab78 +Patch-mainline: v5.2 +References: bsc#1051510 + +Recommended by the hw team. + +Reviewed-and-tested-by: Huang Rui +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 19 ------------------- + 1 file changed, 19 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index b610e3b30d95..2f18c64d531f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -1959,25 +1959,6 @@ static void gfx_v9_0_constants_init(struct amdgpu_device *adev) + mutex_unlock(&adev->srbm_mutex); + + gfx_v9_0_init_compute_vmid(adev); +- +- mutex_lock(&adev->grbm_idx_mutex); +- /* +- * making sure that the following register writes will be broadcasted +- * to all the shaders +- */ +- gfx_v9_0_select_se_sh(adev, 0xffffffff, 0xffffffff, 0xffffffff); +- +- WREG32_SOC15(GC, 0, mmPA_SC_FIFO_SIZE, +- (adev->gfx.config.sc_prim_fifo_size_frontend << +- PA_SC_FIFO_SIZE__SC_FRONTEND_PRIM_FIFO_SIZE__SHIFT) | +- (adev->gfx.config.sc_prim_fifo_size_backend << +- PA_SC_FIFO_SIZE__SC_BACKEND_PRIM_FIFO_SIZE__SHIFT) | +- (adev->gfx.config.sc_hiz_tile_fifo_size << +- PA_SC_FIFO_SIZE__SC_HIZ_TILE_FIFO_SIZE__SHIFT) | +- (adev->gfx.config.sc_earlyz_tile_fifo_size << +- PA_SC_FIFO_SIZE__SC_EARLYZ_TILE_FIFO_SIZE__SHIFT)); +- mutex_unlock(&adev->grbm_idx_mutex); +- + } + + static void gfx_v9_0_wait_for_rlc_serdes(struct amdgpu_device *adev) +-- +2.16.4 + diff --git a/patches.drm/drm-i915-dmc-protect-against-reading-random-memory.patch b/patches.drm/drm-i915-dmc-protect-against-reading-random-memory.patch new file mode 100644 index 0000000..fadbf4f --- /dev/null 
+++ b/patches.drm/drm-i915-dmc-protect-against-reading-random-memory.patch 
@@ -0,0 +1,97 @@ +From 326fb6dd1483c985a6ef47db3fa8788bb99e8b83 Mon Sep 17 00:00:00 2001 +From: Lucas De Marchi +Date: Wed, 5 Jun 2019 16:55:35 -0700 +Subject: [PATCH] drm/i915/dmc: protect against reading random memory +Git-commit: 326fb6dd1483c985a6ef47db3fa8788bb99e8b83 +Patch-mainline: v5.2-rc5 +No-fix: bc7b488b1d1c71dc4c5182206911127bc6c410d6 +References: bsc#1051510 + +While loading the DMC firmware we were double checking the headers made +sense, but in no place we checked that we were actually reading memory +we were supposed to. This could be wrong in case the firmware file is +truncated or malformed. + +Before this patch: + # ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin + -rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin + # truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin + # modprobe i915 + # dmesg| grep -i dmc + [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin + [drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7) + +i.e. it loads random data. Now it fails like below: + [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin + [drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting. + i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management. + i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915 + +Before reading any part of the firmware file, validate the input first. 
+ +Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.") +Cc: stable@vger.kernel.org +Signed-off-by: Lucas De Marchi +Reviewed-by: Rodrigo Vivi +Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com +(cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6) + +Signed-off-by: Jani Nikula +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/intel_csr.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_csr.c ++++ b/drivers/gpu/drm/i915/intel_csr.c +@@ -282,10 +282,17 @@ static uint32_t *parse_csr_fw(struct drm + uint32_t i; + uint32_t *dmc_payload; + uint32_t required_version; ++ size_t fsize; + + if (!fw) + return NULL; + ++ fsize = sizeof(struct intel_css_header) + ++ sizeof(struct intel_package_header) + ++ sizeof(struct intel_dmc_header); ++ if (fsize > fw->size) ++ goto error_truncated; ++ + /* Extract CSS Header information*/ + css_header = (struct intel_css_header *)fw->data; + if (sizeof(struct intel_css_header) != +@@ -357,6 +364,9 @@ static uint32_t *parse_csr_fw(struct drm + return NULL; + } + readcount += dmc_offset; ++ fsize += dmc_offset; ++ if (fsize > fw->size) ++ goto error_truncated; + + /* Extract dmc_header information. */ + dmc_header = (struct intel_dmc_header *)&fw->data[readcount]; +@@ -388,6 +398,10 @@ static uint32_t *parse_csr_fw(struct drm + + /* fw_size is in dwords, so multiplied by 4 to convert into bytes. */ + nbytes = dmc_header->fw_size * 4; ++ fsize += nbytes; ++ if (fsize > fw->size) ++ goto error_truncated; ++ + if (nbytes > CSR_MAX_FW_SIZE) { + DRM_ERROR("DMC firmware too big (%u bytes)\n", nbytes); + return NULL; +@@ -401,6 +415,10 @@ static uint32_t *parse_csr_fw(struct drm + } + + return memcpy(dmc_payload, &fw->data[readcount], nbytes); ++ ++error_truncated: ++ DRM_ERROR("Truncated DMC firmware, rejecting.\n"); ++ return NULL; + } + + static void csr_load_work_fn(struct work_struct *work) 
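Review bot: The truncation checks added to parse_csr_fw() add file-supplied values into `fsize` before comparing, so `fsize += dmc_offset` and `fsize += nbytes` can wrap where size_t is 32 bits, and a wrapped sum may then pass `fsize > fw->size`. The declarations of `dmc_offset` and `nbytes` are outside the hunk, but the `%u` in the "too big" message suggests 32-bit unsigned values taken from the firmware image. Comparing against the remaining length cannot wrap, because the first check already guarantees `fsize <= fw->size`: use `if (dmc_offset > fw->size - fsize) goto error_truncated;` before the addition, and likewise `if (nbytes > fw->size - fsize) goto error_truncated;`. The function begins and ends outside the visible hunks, so how `readcount` tracks these offsets should be confirmed against the full source.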
diff --git a/patches.fixes/0006-irqchip-gic-v3-its-fix-some-definitions-of-inner-cac.patch b/patches.fixes/0006-irqchip-gic-v3-its-fix-some-definitions-of-inner-cac.patch new file mode 100644 index 0000000..813472d --- /dev/null +++ b/patches.fixes/0006-irqchip-gic-v3-its-fix-some-definitions-of-inner-cac.patch 
@@ -0,0 +1,80 @@ +From 0f29456d08042134aff6e562d07a6365c841c4ad Mon Sep 17 00:00:00 2001 +From: Hongbo Yao +Date: Mon, 8 Apr 2019 22:01:03 +0800 +Subject: [PATCH] irqchip/gic-v3-its: fix some definitions of inner cacheability attributes +Git-commit: 0f29456d08042134aff6e562d07a6365c841c4ad +Patch-mainline: v5.2-rc1 +References: bsc#1051510 + +Some definitions of Inner Cacheability attibutes need to be corrected. + +Fixes: 8c828a535e29f ("irqchip/gicv3-its: Restore all cacheability attributes") +Signed-off-by: Hongbo Yao +Signed-off-by: Marc Zyngier +Acked-by: Takashi Iwai + +--- + include/linux/irqchip/arm-gic-v3.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/include/linux/irqchip/arm-gic-v3.h b/include/linux/irqchip/arm-gic-v3.h +index c848a7cc502e..c7e3e39224c6 100644 +--- a/include/linux/irqchip/arm-gic-v3.h ++++ b/include/linux/irqchip/arm-gic-v3.h +@@ -165,7 +165,7 @@ + #define GICR_PROPBASER_nCnB GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, nCnB) + #define GICR_PROPBASER_nC GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, nC) + #define GICR_PROPBASER_RaWt GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, RaWt) +-#define GICR_PROPBASER_RaWb GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, RaWt) ++#define GICR_PROPBASER_RaWb GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, RaWb) + #define GICR_PROPBASER_WaWt GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, WaWt) + #define GICR_PROPBASER_WaWb GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, WaWb) + #define GICR_PROPBASER_RaWaWt GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, RaWaWt) +@@ -192,7 +192,7 @@ + #define GICR_PENDBASER_nCnB GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, nCnB) + #define GICR_PENDBASER_nC GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, nC) + #define GICR_PENDBASER_RaWt GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, RaWt) +-#define GICR_PENDBASER_RaWb GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, RaWt) ++#define GICR_PENDBASER_RaWb GIC_BASER_CACHEABILITY(GICR_PENDBASER, 
INNER, RaWb) + #define GICR_PENDBASER_WaWt GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, WaWt) + #define GICR_PENDBASER_WaWb GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, WaWb) + #define GICR_PENDBASER_RaWaWt GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, RaWaWt) +@@ -251,7 +251,7 @@ + #define GICR_VPROPBASER_nCnB GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, nCnB) + #define GICR_VPROPBASER_nC GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, nC) + #define GICR_VPROPBASER_RaWt GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, RaWt) +-#define GICR_VPROPBASER_RaWb GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, RaWt) ++#define GICR_VPROPBASER_RaWb GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, RaWb) + #define GICR_VPROPBASER_WaWt GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, WaWt) + #define GICR_VPROPBASER_WaWb GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, WaWb) + #define GICR_VPROPBASER_RaWaWt GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, RaWaWt) +@@ -277,7 +277,7 @@ + #define GICR_VPENDBASER_nCnB GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, nCnB) + #define GICR_VPENDBASER_nC GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, nC) + #define GICR_VPENDBASER_RaWt GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, RaWt) +-#define GICR_VPENDBASER_RaWb GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, RaWt) ++#define GICR_VPENDBASER_RaWb GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, RaWb) + #define GICR_VPENDBASER_WaWt GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, WaWt) + #define GICR_VPENDBASER_WaWb GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, WaWb) + #define GICR_VPENDBASER_RaWaWt GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, RaWaWt) +@@ -351,7 +351,7 @@ + #define GITS_CBASER_nCnB GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, nCnB) + #define GITS_CBASER_nC GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, nC) + #define GITS_CBASER_RaWt GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, RaWt) +-#define GITS_CBASER_RaWb GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, RaWt) ++#define GITS_CBASER_RaWb 
GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, RaWb) + #define GITS_CBASER_WaWt GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, WaWt) + #define GITS_CBASER_WaWb GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, WaWb) + #define GITS_CBASER_RaWaWt GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, RaWaWt) +@@ -377,7 +377,7 @@ + #define GITS_BASER_nCnB GIC_BASER_CACHEABILITY(GITS_BASER, INNER, nCnB) + #define GITS_BASER_nC GIC_BASER_CACHEABILITY(GITS_BASER, INNER, nC) + #define GITS_BASER_RaWt GIC_BASER_CACHEABILITY(GITS_BASER, INNER, RaWt) +-#define GITS_BASER_RaWb GIC_BASER_CACHEABILITY(GITS_BASER, INNER, RaWt) ++#define GITS_BASER_RaWb GIC_BASER_CACHEABILITY(GITS_BASER, INNER, RaWb) + #define GITS_BASER_WaWt GIC_BASER_CACHEABILITY(GITS_BASER, INNER, WaWt) + #define GITS_BASER_WaWb GIC_BASER_CACHEABILITY(GITS_BASER, INNER, WaWb) + #define GITS_BASER_RaWaWt GIC_BASER_CACHEABILITY(GITS_BASER, INNER, RaWaWt) +-- +2.16.4 + diff --git a/patches.fixes/Abort-file_remove_privs-for-non-reg.-files.patch b/patches.fixes/Abort-file_remove_privs-for-non-reg.-files.patch new file mode 100644 index 0000000..c28db02 --- /dev/null +++ b/patches.fixes/Abort-file_remove_privs-for-non-reg.-files.patch 
@@ -0,0 +1,54 @@
+From f69e749a49353d96af1a293f56b5b56de59c668a Mon Sep 17 00:00:00 2001
+From: Alexander Lochmann
+Date: Fri, 14 Dec 2018 11:55:52 +0100
+Subject: [PATCH] Abort file_remove_privs() for non-reg. files
+Git-commit: f69e749a49353d96af1a293f56b5b56de59c668a
+Patch-mainline: v5.1
+References: bsc#1140888
+
+file_remove_privs() might be called for non-regular files, e.g.
+blkdev inode. There is no reason to do its job on things
+like blkdev inodes, pipes, or cdevs. Hence, abort if
+file does not refer to a regular inode.
+
+Av: more to the point, for devices there might be any number of
+inodes refering to given device. Which one to strip the permissions
+from, even if that made any sense in the first place? All of them
+will be observed with contents modified, after all.
+
+Found by LockDoc (Alexander Lochmann, Horst Schirmeier and Olaf
+Spinczyk)
+
+Reviewed-by: Jan Kara
+Signed-off-by: Alexander Lochmann
+Signed-off-by: Horst Schirmeier
+Signed-off-by: Al Viro
+Acked-by: Jan Kara
+
+---
+ fs/inode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index e9d97add2b36..9a453f3637f8 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1817,8 +1817,13 @@ int file_remove_privs(struct file *file)
+ int kill;
+ int error = 0;
+
+- /* Fast path for nothing security related */
+- if (IS_NOSEC(inode))
++ /*
++ * Fast path for nothing security related.
++ * As well for non-regular files, e.g. blkdev inodes.
++ * For example, blkdev_write_iter() might get here
++ * trying to remove privs which it is not allowed to.
++ */
++ if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode))
+ return 0;
+
+ kill = dentry_needs_remove_privs(dentry);
+--
+2.16.4
+
diff --git a/patches.fixes/PCI-Do-not-poll-for-PME-if-the-device-is-in-D3cold.patch b/patches.fixes/PCI-Do-not-poll-for-PME-if-the-device-is-in-D3cold.patch
new file mode 100644
index 0000000..d07ef01
--- /dev/null
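Review bot: The new comment above `if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode))` in file_remove_privs() does not say why skipping non-regular files is safe; "trying to remove privs which it is not allowed to" leaves the reason open. The commit message has the real argument (a device may be reached through any number of inodes, so stripping permissions from the one that happens to be written through is not meaningful), and the comment should carry it, for example `/* Fast path: nothing security related, or not a regular file (devices, pipes: the written data is not tied to this inode). */`. The rest of file_remove_privs() lies outside the hunk, so whether any caller depended on the old behaviour for other non-regular inode types cannot be checked from here.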
+++ b/patches.fixes/PCI-Do-not-poll-for-PME-if-the-device-is-in-D3cold.patch 
@@ -0,0 +1,60 @@
+From 000dd5316e1c756a1c028f22e01d06a38249dd4d Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Wed, 12 Jun 2019 13:57:39 +0300
+Subject: [PATCH] PCI: Do not poll for PME if the device is in D3cold
+Git-commit: 000dd5316e1c756a1c028f22e01d06a38249dd4d
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+PME polling does not take into account that a device that is directly
+connected to the host bridge may go into D3cold as well. This leads to a
+situation where the PME poll thread reads from a config space of a
+device that is in D3cold and gets incorrect information because the
+config space is not accessible.
+
+Here is an example from Intel Ice Lake system where two PCIe root ports
+are in D3cold (I've instrumented the kernel to log the PMCSR register
+Contents):
+
+ [ 62.971442] pcieport 0000:00:07.1: Check PME status, PMCSR=0xffff
+ [ 62.971504] pcieport 0000:00:07.0: Check PME status, PMCSR=0xffff
+
+Since 0xffff is interpreted so that PME is pending, the root ports will
+be runtime resumed. This repeats over and over again essentially
+blocking all runtime power management.
+
+Prevent this from happening by checking whether the device is in D3cold
+before its PME status is read.
+
+Fixes: 71a83bd727cc ("PCI/PM: add runtime PM support to PCIe port")
+Signed-off-by: Mika Westerberg
+Reviewed-by: Lukas Wunner
+Cc: 3.6+ # v3.6+
+Signed-off-by: Rafael J. Wysocki
+Acked-by: Takashi Iwai
+
+---
+ drivers/pci/pci.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 9839d6f9bcb5..e34fb2b3c466 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2060,6 +2060,13 @@ static void pci_pme_list_scan(struct work_struct *work)
+ */
+ if (bridge && bridge->current_state != PCI_D0)
+ continue;
++ /*
++ * If the device is in D3cold it should not be
++ * polled either.
++ */
++ if (pme_dev->dev->current_state == PCI_D3cold)
++ continue;
++
+ pci_pme_wakeup(pme_dev->dev, NULL);
+ } else {
+ list_del(&pme_dev->list);
+--
+2.16.4
+
diff --git a/patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch b/patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
new file mode 100644
index 0000000..c5a604e
--- /dev/null
+++ b/patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
@@ -0,0 +1,42 @@
+From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: [PATCH] apparmor: enforce nullbyte at end of tag string
+Git-commit: 8404d7a674c49278607d19726e0acc0cae299357
+Patch-mainline: v5.2-rc6
+References: bsc#1051510
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn
+Signed-off-by: John Johansen
+Acked-by: Takashi Iwai
+
+---
+ security/apparmor/policy_unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 01957ce9252b..005a705346f0 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -272,7 +272,7 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
+ char *tag = NULL;
+ size_t size = unpack_u16_chunk(e, &tag);
+ /* if a name is specified it must match. otherwise skip tag */
+- if (name && (!size || strcmp(name, tag)))
++ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+ goto fail;
+ } else if (name) {
+ /* if a name is specified and there is no name tag fail */
+--
+2.16.4
+
diff --git a/patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch b/patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch
new file mode 100644
index 0000000..e443f25
--- /dev/null
+++ b/patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch
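Review bot: The added `tag[size-1] != '\0'` test in unpack_nameX() is only safe because `!size` is evaluated before it, and nothing in the code records that ordering or why the test exists. The existing comment ("if a name is specified it must match. otherwise skip tag") still describes only the name match; I would extend it with `/* tag points into the packed policy data: require a NUL inside the chunk before strcmp() */`. When `name` is NULL the tag is skipped without the termination check, which is fine as long as nothing later treats `tag` as a C string. The rest of unpack_nameX() is outside the hunk, so that should be confirmed there.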
@@ -0,0 +1,127 @@ +From: Ming Lei +Date: Tue, 30 Apr 2019 09:52:25 +0800 +Subject: blk-mq: free hw queue's resource in hctx's release handler +Patch-mainline: v5.2-rc1 +Git-commit: c7e2d94b3d1634988a95ac4d77a72dc7487ece06 +References: bsc#1140637 + +Once blk_cleanup_queue() returns, tags shouldn't be used any more, +because blk_mq_free_tag_set() may be called. Commit 45a9c9d909b2 +("blk-mq: Fix a use-after-free") fixes this issue exactly. + +However, that commit introduces another issue. Before 45a9c9d909b2, +we are allowed to run queue during cleaning up queue if the queue's +kobj refcount is held. After that commit, queue can't be run during +queue cleaning up, otherwise oops can be triggered easily because +some fields of hctx are freed by blk_mq_free_queue() in blk_cleanup_queue(). + +We have invented ways for addressing this kind of issue before, such as: + + 8dc765d438f1 ("SCSI: fix queue cleanup race before queue initialization is done") + c2856ae2f315 ("blk-mq: quiesce queue before freeing queue") + +But still can't cover all cases, recently James reports another such +kind of issue: + + https://marc.info/?l=linux-scsi&m=155389088124782&w=2 + +This issue can be quite hard to address by previous way, given +scsi_run_queue() may run requeues for other LUNs. + +Fixes the above issue by freeing hctx's resources in its release handler, and this +way is safe becasue tags isn't needed for freeing such hctx resource. + +This approach follows typical design pattern wrt. kobject's release handler. + +Cc: Dongli Zhang +Cc: James Smart +Cc: Bart Van Assche +Cc: linux-scsi@vger.kernel.org, +Cc: Martin K . Petersen , +Cc: Christoph Hellwig , +Cc: James E . J . 
Bottomley , +Reported-by: James Smart +Fixes: 45a9c9d909b2 ("blk-mq: Fix a use-after-free") +Cc: stable@vger.kernel.org +Reviewed-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Tested-by: James Smart +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Acked-by: Johannes Thumshirn +--- + block/blk-core.c | 2 +- + block/blk-mq-sysfs.c | 6 ++++++ + block/blk-mq.c | 8 ++------ + block/blk-mq.h | 2 +- + 4 files changed, 10 insertions(+), 8 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -725,7 +725,7 @@ void blk_cleanup_queue(struct request_qu + blk_exit_queue(q); + + if (q->mq_ops) +- blk_mq_free_queue(q); ++ blk_mq_exit_queue(q); + percpu_ref_exit(&q->q_usage_counter); + + spin_lock_irq(lock); +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -10,6 +10,7 @@ + #include + + #include ++#include "blk.h" + #include "blk-mq.h" + #include "blk-mq-tag.h" + +@@ -21,6 +22,11 @@ static void blk_mq_hw_sysfs_release(stru + { + struct blk_mq_hw_ctx *hctx = container_of(kobj, struct blk_mq_hw_ctx, + kobj); ++ ++ if (hctx->flags & BLK_MQ_F_BLOCKING) ++ cleanup_srcu_struct(hctx->srcu); ++ blk_free_flush_queue(hctx->fq); ++ sbitmap_free(&hctx->ctx_map); + free_cpumask_var(hctx->cpumask); + kfree(hctx->ctxs); + kfree(hctx); +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1993,12 +1993,7 @@ static void blk_mq_exit_hctx(struct requ + if (set->ops->exit_hctx) + set->ops->exit_hctx(hctx, hctx_idx); + +- if (hctx->flags & BLK_MQ_F_BLOCKING) +- cleanup_srcu_struct(hctx->srcu); +- + blk_mq_remove_cpuhp(hctx); +- blk_free_flush_queue(hctx->fq); +- sbitmap_free(&hctx->ctx_map); + } + + static void blk_mq_exit_hw_queues(struct request_queue *q, +@@ -2533,7 +2528,8 @@ err_exit: + } + EXPORT_SYMBOL(blk_mq_init_allocated_queue); + +-void blk_mq_free_queue(struct request_queue *q) ++/* tags can _not_ be used after returning from blk_mq_exit_queue */ ++void blk_mq_exit_queue(struct request_queue *q) + { + struct blk_mq_tag_set *set = q->tag_set; + +--- 
a/block/blk-mq.h ++++ b/block/blk-mq.h +@@ -27,7 +27,7 @@ struct blk_mq_ctx { + } ____cacheline_aligned_in_smp; + + void blk_mq_freeze_queue(struct request_queue *q); +-void blk_mq_free_queue(struct request_queue *q); ++void blk_mq_exit_queue(struct request_queue *q); + int blk_mq_update_nr_requests(struct request_queue *q, unsigned int nr); + void blk_mq_wake_waiters(struct request_queue *q); + bool blk_mq_dispatch_rq_list(struct request_queue *, struct list_head *, bool); diff --git a/patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch b/patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch new file mode 100644 index 0000000..20fed57 --- /dev/null +++ b/patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch 
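Review bot: With `cleanup_srcu_struct()`, `blk_free_flush_queue()` and `sbitmap_free()` moved into blk_mq_hw_sysfs_release(), every path that drops the last reference on the hctx kobject now frees `hctx->srcu`, `hctx->fq` and `hctx->ctx_map`, so each such path must reach the release handler with those fields either fully set up or safe to free. The hctx initialisation and its error unwinding are not in the visible hunks; if any of them frees `fq` or `ctx_map` itself and then puts the kobject, this backport would turn that into a double free, so it is worth checking against the SLE tree. A comment above the three new lines, such as `/* freed here rather than in blk_mq_exit_hctx(): the queue may still be run until the kobject is released */`, would record why the teardown is split.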
@@ -0,0 +1,40 @@
+From 987d1e8dcd370d96029a3d76a0031b043c4a69ae Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose
+Date: Thu, 20 Sep 2018 13:17:46 -0600
+Subject: [PATCH] coresight: etb10: Fix handling of perf mode
+Git-commit: 987d1e8dcd370d96029a3d76a0031b043c4a69ae
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+If the ETB is already enabled in sysfs mode, the ETB reports
+success even if a perf mode is requested. Fix this by checking
+the requested mode.
+
+Cc: Mathieu Poirier
+Signed-off-by: Suzuki K Poulose
+Signed-off-by: Mathieu Poirier
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Takashi Iwai
+
+---
+ drivers/hwtracing/coresight/coresight-etb10.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
+index 306119eaf16a..0dad8626bcfb 100644
+--- a/drivers/hwtracing/coresight/coresight-etb10.c
++++ b/drivers/hwtracing/coresight/coresight-etb10.c
+@@ -147,6 +147,10 @@ static int etb_enable(struct coresight_device *csdev, u32 mode)
+ if (val == CS_MODE_PERF)
+ return -EBUSY;
+
++ /* Don't let perf disturb sysFS sessions */
++ if (val == CS_MODE_SYSFS && mode == CS_MODE_PERF)
++ return -EBUSY;
++
+ /* Nothing to do, the tracer is already enabled. */
+ if (val == CS_MODE_SYSFS)
+ goto out;
+--
+2.16.4
+
diff --git a/patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch b/patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch
new file mode 100644
index 0000000..75c6e9b
--- /dev/null
+++ b/patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch
@@ -0,0 +1,66 @@ +From 5666dfd1d8a45a167f0d8b4ef47ea7f780b1f24a Mon Sep 17 00:00:00 2001 +From: Sai Prakash Ranjan +Date: Mon, 25 Feb 2019 10:54:01 -0700 +Subject: [PATCH] coresight: etm4x: Add support to enable ETMv4.2 +Git-commit: 5666dfd1d8a45a167f0d8b4ef47ea7f780b1f24a +Patch-mainline: v5.1-rc1 +References: bsc#1051510 + +SDM845 has ETMv4.2 and can use the existing etm4x driver. +But the current etm driver checks only for ETMv4.0 and +errors out for other etm4x versions. This patch adds this +missing support to enable SoC's with ETMv4x to use same +driver by checking only the ETM architecture major version +number. + +Without this change, we get below error during etm probe: + +/ # dmesg | grep etm +[ 6.660093] coresight-etm4x: probe of 7040000.etm failed with error -22 +[ 6.666902] coresight-etm4x: probe of 7140000.etm failed with error -22 +[ 6.673708] coresight-etm4x: probe of 7240000.etm failed with error -22 +[ 6.680511] coresight-etm4x: probe of 7340000.etm failed with error -22 +[ 6.687313] coresight-etm4x: probe of 7440000.etm failed with error -22 +[ 6.694113] coresight-etm4x: probe of 7540000.etm failed with error -22 +[ 6.700914] coresight-etm4x: probe of 7640000.etm failed with error -22 +[ 6.707717] coresight-etm4x: probe of 7740000.etm failed with error -22 + +With this change, etm probe is successful: + +/ # dmesg | grep etm +[ 6.659198] coresight-etm4x 7040000.etm: CPU0: ETM v4.2 initialized +[ 6.665848] coresight-etm4x 7140000.etm: CPU1: ETM v4.2 initialized +[ 6.672493] coresight-etm4x 7240000.etm: CPU2: ETM v4.2 initialized +[ 6.679129] coresight-etm4x 7340000.etm: CPU3: ETM v4.2 initialized +[ 6.685770] coresight-etm4x 7440000.etm: CPU4: ETM v4.2 initialized +[ 6.692403] coresight-etm4x 7540000.etm: CPU5: ETM v4.2 initialized +[ 6.699024] coresight-etm4x 7640000.etm: CPU6: ETM v4.2 initialized +[ 6.705646] coresight-etm4x 7740000.etm: CPU7: ETM v4.2 initialized + +Signed-off-by: Sai Prakash Ranjan +Reviewed-by: Suzuki K Poulose 
+Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/hwtracing/coresight/coresight-etm4x.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index 53e2fb6e86f6..fe76b176974a 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -55,7 +55,8 @@ static void etm4_os_unlock(struct etmv4_drvdata *drvdata) + + static bool etm4_arch_supported(u8 arch) + { +- switch (arch) { ++ /* Mask out the minor version number */ ++ switch (arch & 0xf0) { + case ETM_ARCH_V4: + break; + default: +-- +2.16.4 + diff --git a/patches.fixes/crypto-cryptd-Fix-skcipher-instance-memory-leak.patch b/patches.fixes/crypto-cryptd-Fix-skcipher-instance-memory-leak.patch new file mode 100644 index 0000000..33a83a1 --- /dev/null +++ b/patches.fixes/crypto-cryptd-Fix-skcipher-instance-memory-leak.patch 
@@ -0,0 +1,46 @@
+From 1a0fad630e0b7cff38e7691b28b0517cfbb0633f Mon Sep 17 00:00:00 2001
+From: Vincent Whitchurch
+Date: Tue, 2 Jul 2019 09:53:25 +0200
+Subject: [PATCH] crypto: cryptd - Fix skcipher instance memory leak
+Git-commit: 1a0fad630e0b7cff38e7691b28b0517cfbb0633f
+Patch-mainline: v5.2
+References: bsc#1051510
+
+cryptd_skcipher_free() fails to free the struct skcipher_instance
+allocated in cryptd_create_skcipher(), leading to a memory leak. This
+is detected by kmemleak on bootup on ARM64 platforms:
+
+ unreferenced object 0xffff80003377b180 (size 1024):
+ comm "cryptomgr_probe", pid 822, jiffies 4294894830 (age 52.760s)
+ backtrace:
+ kmem_cache_alloc_trace+0x270/0x2d0
+ cryptd_create+0x990/0x124c
+ cryptomgr_probe+0x5c/0x1e8
+ kthread+0x258/0x318
+ ret_from_fork+0x10/0x1c
+
+Fixes: 4e0958d19bd8 ("crypto: cryptd - Add support for skcipher")
+Cc:
+Signed-off-by: Vincent Whitchurch
+Signed-off-by: Herbert Xu
+Acked-by: Takashi Iwai
+
+---
+ crypto/cryptd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/crypto/cryptd.c b/crypto/cryptd.c
+index b3bb99390ae7..c8434042cbc1 100644
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -393,6 +393,7 @@ static void cryptd_skcipher_free(struct skcipher_instance *inst)
+ struct skcipherd_instance_ctx *ctx = skcipher_instance_ctx(inst);
+
+ crypto_drop_skcipher(&ctx->spawn);
++ kfree(inst);
+ }
+
+ static int cryptd_create_skcipher(struct crypto_template *tmpl,
+--
+2.16.4
+
diff --git a/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch b/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
index a629a4c..d60d69b 100644
--- a/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
+++ b/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
@@ -4,8 +4,7 @@ Date: Tue, 2 Jul 2019 14:17:00 -0700 Subject: [PATCH] crypto: user - prevent operating on larval algorithms References: bsc#1133401 -Patch-mainline: queued -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git +Patch-mainline: v5.2 Git-commit: 21d4120ec6f5b5992b01b96ac484701163917b63 Michal Suchanek reported [1] that running the pcrypt_aead01 test from diff --git a/patches.fixes/dax-Fix-xarray-entry-association-for-mixed-mappings.patch b/patches.fixes/dax-Fix-xarray-entry-association-for-mixed-mappings.patch new file mode 100644 index 0000000..39c4262 --- /dev/null +++ b/patches.fixes/dax-Fix-xarray-entry-association-for-mixed-mappings.patch 
@@ -0,0 +1,61 @@ +From 1571c029a2ff289683ddb0a32253850363bcb8a7 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 6 Jun 2019 11:10:28 +0200 +Subject: [PATCH] dax: Fix xarray entry association for mixed mappings +Git-commit: 1571c029a2ff289683ddb0a32253850363bcb8a7 +Patch-mainline: v5.2 +References: bsc#1140893 + +When inserting entry into xarray, we store mapping and index in +corresponding struct pages for memory error handling. When it happened +that one process was mapping file at PMD granularity while another +process at PTE granularity, we could wrongly deassociate PMD range and +then reassociate PTE range leaving the rest of struct pages in PMD range +without mapping information which could later cause missed notifications +about memory errors. Fix the problem by calling the association / +deassociation code if and only if we are really going to update the +xarray (deassociating and associating zero or empty entries is just +no-op so there's no reason to complicate the code with trying to avoid +the calls for these cases). + +Cc: +Fixes: d2c997c0f145 ("fs, dax: use page->mapping to warn if truncate...") +Signed-off-by: Jan Kara +Signed-off-by: Dan Williams +Acked-by: Jan Kara + +--- + fs/dax.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -693,12 +693,14 @@ static void *dax_insert_mapping_entry(st + + spin_lock_irq(&mapping->tree_lock); + new_entry = dax_radix_locked_entry(pfn, flags); +- if (dax_entry_size(entry) != dax_entry_size(new_entry)) { ++ if (dax_is_zero_entry(entry) || dax_is_empty_entry(entry)) { ++ struct radix_tree_node *node; ++ void **slot; ++ void *ret; ++ + dax_disassociate_entry(entry, mapping, false); + dax_associate_entry(new_entry, mapping, vmf->vma, vmf->address); +- } + +- if (dax_is_zero_entry(entry) || dax_is_empty_entry(entry)) { + /* + * Only swap our new entry into the radix tree if the current + * entry is a zero page or an empty entry. 
If a normal PTE or +@@ -707,10 +709,6 @@ static void *dax_insert_mapping_entry(st + * existing entry is a PMD, we will just leave the PMD in the + * tree and dirty it if necessary. + */ +- struct radix_tree_node *node; +- void **slot; +- void *ret; +- + ret = __radix_tree_lookup(page_tree, index, &node, &slot); + WARN_ON_ONCE(ret != entry); + __radix_tree_replace(page_tree, node, slot, diff --git a/patches.fixes/drivers-base-introduce-kill_device.patch b/patches.fixes/drivers-base-introduce-kill_device.patch index f63e79c..de803f6 100644 --- a/patches.fixes/drivers-base-introduce-kill_device.patch +++ b/patches.fixes/drivers-base-introduce-kill_device.patch @@ -2,7 +2,7 @@ From: Dan Williams Date: Mon, 10 Jun 2019 21:03:44 -0700 Subject: drivers/base: Introduce kill_device() Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/djbw/nvdimm.git +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm.git Git-commit: 2fcf7c0b67e03233b118ca29c551c1e66da6c80b References: bsc#1139865 diff --git a/patches.fixes/ext4-do-not-delete-unlinked-inode-from-orphan-list-o.patch b/patches.fixes/ext4-do-not-delete-unlinked-inode-from-orphan-list-o.patch new file mode 100644 index 0000000..c1e5168 --- /dev/null +++ b/patches.fixes/ext4-do-not-delete-unlinked-inode-from-orphan-list-o.patch 
@@ -0,0 +1,42 @@
+From ee0ed02ca93ef1ecf8963ad96638795d55af2c14 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 23 May 2019 23:35:28 -0400
+Subject: [PATCH] ext4: do not delete unlinked inode from orphan list on failed
+ truncate
+Git-commit: ee0ed02ca93ef1ecf8963ad96638795d55af2c14
+Patch-mainline: v5.2-rc2
+References: bsc#1140891
+
+It is possible that unlinked inode enters ext4_setattr() (e.g. if
+somebody calls ftruncate(2) on unlinked but still open file). In such
+case we should not delete the inode from the orphan list if truncate
+fails. Note that this is mostly a theoretical concern as filesystem is
+corrupted if we reach this path anyway but let's be consistent in our
+orphan handling.
+
+Reviewed-by: Ira Weiny
+Signed-off-by: Jan Kara
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+Acked-by: Jan Kara
+
+---
+ fs/ext4/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 9bcb7f2b86dd..c7f77c643008 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5625,7 +5625,7 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr)
+ up_write(&EXT4_I(inode)->i_data_sem);
+ ext4_journal_stop(handle);
+ if (error) {
+- if (orphan)
++ if (orphan && inode->i_nlink)
+ ext4_orphan_del(NULL, inode);
+ goto err_out;
+ }
+--
+2.16.4
+
diff --git a/patches.fixes/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch b/patches.fixes/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
new file mode 100644
index 0000000..3cfaa86
--- /dev/null
+++ b/patches.fixes/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
@@ -0,0 +1,101 @@ +From be99ca2716972a712cde46092c54dee5e6192bf8 Mon Sep 17 00:00:00 2001 +From: Wengang Wang +Date: Thu, 13 Jun 2019 15:56:01 -0700 +Subject: [PATCH] fs/ocfs2: fix race in ocfs2_dentry_attach_lock() +Git-commit: be99ca2716972a712cde46092c54dee5e6192bf8 +Patch-mainline: v5.2-rc5 +References: bsc#1140889 + +ocfs2_dentry_attach_lock() can be executed in parallel threads against the +same dentry. Make that race safe. The race is like this: + + thread A thread B + +(A1) enter ocfs2_dentry_attach_lock, +seeing dentry->d_fsdata is NULL, +and no alias found by +ocfs2_find_local_alias, so kmalloc +a new ocfs2_dentry_lock structure +to local variable "dl", dl1 + + ..... + + (B1) enter ocfs2_dentry_attach_lock, + seeing dentry->d_fsdata is NULL, + and no alias found by + ocfs2_find_local_alias so kmalloc + a new ocfs2_dentry_lock structure + to local variable "dl", dl2. + + ...... + +(A2) set dentry->d_fsdata with dl1, +call ocfs2_dentry_lock() and increase +dl1->dl_lockres.l_ro_holders to 1 on +success. + ...... + + (B2) set dentry->d_fsdata with dl2 + call ocfs2_dentry_lock() and increase + dl2->dl_lockres.l_ro_holders to 1 on + success. + + ...... + +(A3) call ocfs2_dentry_unlock() +and decrease +dl2->dl_lockres.l_ro_holders to 0 +on success. + .... 
+ + (B3) call ocfs2_dentry_unlock(), + decreasing + dl2->dl_lockres.l_ro_holders, but + see it's zero now, panic + +Link: http://lkml.kernel.org/r/20190529174636.22364-1-wen.gang.wang@oracle.com +Signed-off-by: Wengang Wang +Reported-by: Daniel Sobe +Tested-by: Daniel Sobe +Reviewed-by: Changwei Ge +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Jan Kara + +--- + fs/ocfs2/dcache.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/fs/ocfs2/dcache.c b/fs/ocfs2/dcache.c +index 2d016937fdda..42a61eecdacd 100644 +--- a/fs/ocfs2/dcache.c ++++ b/fs/ocfs2/dcache.c +@@ -296,6 +296,18 @@ int ocfs2_dentry_attach_lock(struct dentry *dentry, + + out_attach: + spin_lock(&dentry_attach_lock); ++ if (unlikely(dentry->d_fsdata && !alias)) { ++ /* d_fsdata is set by a racing thread which is doing ++ * the same thing as this thread is doing. Leave the racing ++ * thread going ahead and we return here. ++ */ ++ spin_unlock(&dentry_attach_lock); ++ iput(dl->dl_inode); ++ ocfs2_lock_res_free(&dl->dl_lockres); ++ kfree(dl); ++ return 0; ++ } ++ + dentry->d_fsdata = dl; + dl->dl_count++; + spin_unlock(&dentry_attach_lock); +-- +2.16.4 + diff --git a/patches.fixes/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch b/patches.fixes/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch new file mode 100644 index 0000000..87476c1 --- /dev/null +++ b/patches.fixes/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch 
@@ -0,0 +1,101 @@ +From 89189557b47b35683a27c80ee78aef18248eefb4 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 25 Apr 2019 22:24:05 -0700 +Subject: [PATCH] fs/proc/proc_sysctl.c: Fix a NULL pointer dereference +Git-commit: 89189557b47b35683a27c80ee78aef18248eefb4 +Patch-mainline: v5.1-rc7 +References: bsc#1140887 + +Syzkaller report this: + + sysctl could not get directory: /net//bridge -12 + kasan: CONFIG_KASAN_INLINE enabled + kasan: GPF could be caused by NULL-ptr deref or user memory access + general protection fault: 0000 [#1] SMP KASAN PTI + CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 + RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline] + RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline] + RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline] + RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459 + Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48 + RSP: 0018:ffff8881bb507778 EFLAGS: 00010206 + RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a + RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568 + RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4 + R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + FS: 00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + erase_entry fs/proc/proc_sysctl.c:178 [inline] + 
erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207 + start_unregistering fs/proc/proc_sysctl.c:331 [inline] + drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631 + get_subdir fs/proc/proc_sysctl.c:1022 [inline] + __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335 + br_netfilter_init+0x68/0x1000 [br_netfilter] + do_one_initcall+0xbc/0x47d init/main.c:901 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle + iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel 
ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter] + Dumping ftrace buffer: + (ftrace buffer empty) + ---[ end trace 68741688d5fbfe85 ]--- + +commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer +dereference in put_links") forgot to handle start_unregistering() case, +while header->parent is NULL, it calls erase_header() and as seen in the +above syzkaller call trace, accessing &header->parent->root will trigger +a NULL pointer dereference. + +As that commit explained, there is also no need to call +start_unregistering() if header->parent is NULL. + +Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com +Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links") +Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") +Signed-off-by: YueHaibing +Reported-by: Hulk Robot +Reviewed-by: Kees Cook +Cc: Luis Chamberlain +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Jan Kara + +--- + fs/proc/proc_sysctl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index d65390727541..7325baa8f9d4 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1626,9 +1626,11 @@ static void drop_sysctl_table(struct ctl_table_header *header) + if (--header->nreg) + return; + +- if (parent) ++ if (parent) { + put_links(header); +- start_unregistering(header); ++ start_unregistering(header); ++ } ++ + if (!--header->count) + kfree_rcu(header, rcu); + +-- +2.16.4 + 
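Review bot: The `if (parent) {` block in drop_sysctl_table() carries no comment saying what a NULL parent means, so a reader has to go through two commit messages to learn that it marks a header that get_subdir() created but never inserted. I would add `/* parent is NULL when insert_header() never succeeded: no links to drop, nothing to unregister */` above the test. The start of drop_sysctl_table(), where `parent` is assigned, is outside the hunk. The hunk's context already contains `if (parent)`, so this patch only applies after fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch; the order in series.conf is not visible here and should be checked.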
diff --git a/patches.fixes/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch b/patches.fixes/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch
new file mode 100644
index 0000000..e8cda58
--- /dev/null
+++ b/patches.fixes/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch
@@ -0,0 +1,105 @@ +From 23da9588037ecdd4901db76a5b79a42b529c4ec3 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 28 Mar 2019 20:44:40 -0700 +Subject: [PATCH] fs/proc/proc_sysctl.c: fix NULL pointer dereference in + put_links +Git-commit: 23da9588037ecdd4901db76a5b79a42b529c4ec3 +Patch-mainline: v5.1-rc3 +References: bsc#1140887 + +Syzkaller reports: + +Kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN PTI +Cpu: 1 PID: 5373 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Rip: 0010:put_links+0x101/0x440 fs/proc/proc_sysctl.c:1599 +Code: 00 0f 85 3a 03 00 00 48 8b 43 38 48 89 44 24 20 48 83 c0 38 48 89 c2 48 89 44 24 28 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 fe 02 00 00 48 8b 74 24 20 48 c7 c7 60 2a 9d 91 +Rsp: 0018:ffff8881d828f238 EFLAGS: 00010202 +Rax: dffffc0000000000 RBX: ffff8881e01b1140 RCX: ffffffff8ee98267 +Rdx: 0000000000000007 RSI: ffffc90001479000 RDI: ffff8881e01b1178 +Rbp: dffffc0000000000 R08: ffffed103ee27259 R09: ffffed103ee27259 +R10: 0000000000000001 R11: ffffed103ee27258 R12: fffffffffffffff4 +R13: 0000000000000006 R14: ffff8881f59838c0 R15: dffffc0000000000 +Fs: 00007f072254f700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 +Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Cr2: 00007fff8b286668 CR3: 00000001f0542002 CR4: 00000000007606e0 +Dr0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +Dr3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Pkru: 55555554 +Call Trace: + drop_sysctl_table+0x152/0x9f0 fs/proc/proc_sysctl.c:1629 + get_subdir fs/proc/proc_sysctl.c:1022 [inline] + __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335 + br_netfilter_init+0xbc/0x1000 [br_netfilter] + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + 
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +Rip: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +Rsp: 002b:00007f072254ec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +Rax: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +Rdx: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003 +Rbp: 00007f072254ec70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f072254f6bc +R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004 +Modules linked in: br_netfilter(+) dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb_dw2102 dvb_usb classmate_laptop palmas_regulator cn videobuf2_v4l2 v4l2_common snd_soc_bd28623 mptbase snd_usb_usx2y snd_usbmidi_lib snd_rawmidi wmi libnvdimm lockd sunrpc grace rc_kworld_pc150u rc_core rtc_da9063 sha1_ssse3 i2c_cros_ec_tunnel adxl34x_spi adxl34x nfnetlink lib80211 i5500_temp dvb_as102 dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops udc_core lnbp22 leds_lp3952 hid_roccat_ryos s1d13xxxfb mtd vport_geneve openvswitch nf_conncount nf_nat_ipv6 nsh geneve udp_tunnel ip6_udp_tunnel snd_soc_mt6351 sis_agp phylink snd_soc_adau1761_spi snd_soc_adau1761 snd_soc_adau17x1 snd_soc_core snd_pcm_dmaengine ac97_bus snd_compress snd_soc_adau_utils snd_soc_sigmadsp_regmap snd_soc_sigmadsp raid_class hid_roccat_konepure hid_roccat_common hid_roccat c2port_duramar2150 core mdio_bcm_unimac iptable_security iptable_raw iptable_mangle + iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim devlink vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon 
dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel joydev mousedev ide_pci_generic piix aesni_intel aes_x86_64 ide_core crypto_simd atkbd cryptd glue_helper serio_raw ata_generic pata_acpi i2c_piix4 floppy sch_fq_codel ip_tables x_tables ipv6 [last unloaded: lm73] +Dumping ftrace buffer: + (ftrace buffer empty) + +Acked-by: Jan Kara + +---[ end trace 770020de38961fd0 ]--- + +A new dir entry can be created in get_subdir and its 'header->parent' is +set to NULL. Only after insert_header success, it will be set to 'dir', +otherwise 'header->parent' is set to NULL and drop_sysctl_table is called. +However in err handling path of get_subdir, drop_sysctl_table also be +called on 'new->header' regardless its value of parent pointer. Then +put_links is called, which triggers NULL-ptr deref when access member of +header->parent. + +In fact we have multiple error paths which call drop_sysctl_table() there, +upon failure on insert_links() we also call drop_sysctl_table().And even +in the successful case on __register_sysctl_table() we still always call +drop_sysctl_table().This patch fix it. + +Link: http://lkml.kernel.org/r/20190314085527.13244-1-yuehaibing@huawei.com +Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") +Signed-off-by: YueHaibing +Reported-by: Hulk Robot +Acked-by: Luis Chamberlain +Cc: Kees Cook +Cc: Alexey Dobriyan +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Al Viro +Cc: Eric W. 
Biederman +Cc: [3.4+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + fs/proc/proc_sysctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index 4d598a399bbf..d65390727541 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1626,7 +1626,8 @@ static void drop_sysctl_table(struct ctl_table_header *header) + if (--header->nreg) + return; + +- put_links(header); ++ if (parent) ++ put_links(header); + start_unregistering(header); + if (!--header->count) + kfree_rcu(header, rcu); +-- +2.16.4 + diff --git a/patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch b/patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch new file mode 100644 index 0000000..f44a61d --- /dev/null +++ b/patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch 
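Review bot: The `Acked-by: Jan Kara` tag sits in the middle of the quoted oops, between `(ftrace buffer empty)` and `---[ end trace 770020de38961fd0 ]---`, instead of after `Signed-off-by: Linus Torvalds` with the other tags. Presumably whatever added the tag took the `---[ end trace` line for the `---` separator; the sibling patch Fix-a-NULL-pointer-dereference has the tag in the trailer block, where its trace is indented. Moving the line down to the trailer block keeps the oops intact and lets tag-parsing tools find the ack.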
@@ -0,0 +1,151 @@
+From: Eric Dumazet
+Date: Wed, 27 Mar 2019 12:40:33 -0700
+Subject: inet: switch IP ID generator to siphash
+Patch-mainline: v5.2-rc1
+Git-commit: df453700e8d81b1bdafdf684365ee2b9431fb702
+References: CVE-2019-10638 bsc#1140575
+
+According to Amit Klein and Benny Pinkas, IP ID generation is too weak
+and might be used by attackers.
+
+Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
+having 64bit key and Jenkins hash is risky.
+
+It is time to switch to siphash and its 128bit keys.
+
+Signed-off-by: Eric Dumazet
+Reported-by: Amit Klein
+Reported-by: Benny Pinkas
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ include/linux/siphash.h | 5 +++++
+ include/net/netns/ipv4.h | 2 ++
+ net/ipv4/route.c | 12 +++++++-----
+ net/ipv6/output_core.c | 30 ++++++++++++++++--------------
+ 4 files changed, 30 insertions(+), 19 deletions(-)
+
+--- a/include/linux/siphash.h
++++ b/include/linux/siphash.h
+@@ -21,6 +21,11 @@ typedef struct {
+ u64 key[2];
+ } siphash_key_t;
+
++static inline bool siphash_key_is_zero(const siphash_key_t *key)
++{
++ return !(key->key[0] | key->key[1]);
++}
++
+ u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key);
+ #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key);
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -8,6 +8,7 @@
+ #include
+ #include
+ #include
++#include
+
+ struct tcpm_hash_bucket;
+ struct ctl_table_header;
+@@ -159,5 +160,6 @@ struct netns_ipv4 {
+ unsigned int ipmr_seq; /* protected by rtnl_mutex */
+
+ atomic_t rt_genid;
++ siphash_key_t ip_id_key;
+ };
+ #endif
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -513,15 +513,17 @@ EXPORT_SYMBOL(ip_idents_reserve);
+
+ void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
+ {
+- static u32 ip_idents_hashrnd __read_mostly;
+ u32 hash, id;
+
+- net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
++ /* Note the following code is not safe, but this is okay. */
++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
++ get_random_bytes(&net->ipv4.ip_id_key,
++ sizeof(net->ipv4.ip_id_key));
+
+- hash = jhash_3words((__force u32)iph->daddr,
++ hash = siphash_3u32((__force u32)iph->daddr,
+ (__force u32)iph->saddr,
+- iph->protocol ^ net_hash_mix(net),
+- ip_idents_hashrnd);
++ iph->protocol,
++ &net->ipv4.ip_id_key);
+ id = ip_idents_reserve(hash, segs);
+ iph->id = htons(id);
+ }
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -10,15 +10,25 @@
+ #include
+ #include
+
+-static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
++static u32 __ipv6_select_ident(struct net *net,
+ const struct in6_addr *dst,
+ const struct in6_addr *src)
+ {
++ const struct {
++ struct in6_addr dst;
++ struct in6_addr src;
++ } __aligned(SIPHASH_ALIGNMENT) combined = {
++ .dst = *dst,
++ .src = *src,
++ };
+ u32 hash, id;
+
+- hash = __ipv6_addr_jhash(dst, hashrnd);
+- hash = __ipv6_addr_jhash(src, hash);
+- hash ^= net_hash_mix(net);
++ /* Note the following code is not safe, but this is okay. */
++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
++ get_random_bytes(&net->ipv4.ip_id_key,
++ sizeof(net->ipv4.ip_id_key));
++
++ hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
+
+ /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+ * set the hight order instead thus minimizing possible future
+@@ -41,7 +51,6 @@ static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
+ */
+ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
+ {
+- static u32 ip6_proxy_idents_hashrnd __read_mostly;
+ struct in6_addr buf[2];
+ struct in6_addr *addrs;
+ u32 id;
+@@ -53,11 +62,7 @@ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
+ if (!addrs)
+ return 0;
+
+- net_get_random_once(&ip6_proxy_idents_hashrnd,
+- sizeof(ip6_proxy_idents_hashrnd));
+-
+- id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd,
+- &addrs[1], &addrs[0]);
++ id = __ipv6_select_ident(net, &addrs[1], &addrs[0]);
+ return htonl(id);
+ }
+ EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
+@@ -66,12 +71,9 @@ __be32 ipv6_select_ident(struct net *net,
+ const struct in6_addr *daddr,
+ const struct in6_addr *saddr)
+ {
+- static u32 ip6_idents_hashrnd __read_mostly;
+ u32 id;
+
+- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
+-
+- id = __ipv6_select_ident(net, ip6_idents_hashrnd, daddr, saddr);
++ id = __ipv6_select_ident(net, daddr, saddr);
+ return htonl(id);
+ }
+ EXPORT_SYMBOL(ipv6_select_ident);
diff --git a/patches.fixes/iommu-arm-smmu-Add-support-for-qcom-smmu-v2-variant.patch b/patches.fixes/iommu-arm-smmu-Add-support-for-qcom-smmu-v2-variant.patch
new file mode 100644
index 0000000..9240a94
--- /dev/null
+++ b/patches.fixes/iommu-arm-smmu-Add-support-for-qcom-smmu-v2-variant.patch
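Review bot: The comment `/* Note the following code is not safe, but this is okay. */`, added in both __ip_select_ident() and __ipv6_select_ident(), says neither what is unsafe nor why it is acceptable. The lazy key setup is unsynchronised: two CPUs can each see a zero key and each call get_random_bytes(), and a concurrent reader can pick up a partly written key, so a few early hashes may be computed with different keys. I would spell that out, e.g. `/* Racy lazy init: concurrent callers may each fill ip_id_key, so early packets may hash with different keys; the hash is only passed to ip_idents_reserve(). */`. The IPv6 path also keys off `net->ipv4.ip_id_key`, which appears intentional and deserves a word in the same comment.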
@@ -0,0 +1,52 @@
+From 89cddc563743cb1e0068867ac97013b2a5bf86aa Mon Sep 17 00:00:00 2001
+From: Vivek Gautam
+Date: Tue, 4 Dec 2018 11:52:13 +0530
+Subject: [PATCH] iommu/arm-smmu: Add support for qcom,smmu-v2 variant
+Git-commit: 89cddc563743cb1e0068867ac97013b2a5bf86aa
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+qcom,smmu-v2 is an arm,smmu-v2 implementation with specific
+clock and power requirements.
+On msm8996, multiple cores, viz. mdss, video, etc. use this
+smmu. On sdm845, this smmu is used with gpu.
+Add bindings for the same.
+
+Signed-off-by: Vivek Gautam
+Reviewed-by: Rob Herring
+Reviewed-by: Tomasz Figa
+Tested-by: Srinivas Kandagatla
+Reviewed-by: Robin Murphy
+Signed-off-by: Will Deacon
+Acked-by: Takashi Iwai
+
+---
+ drivers/iommu/arm-smmu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iommu/arm-smmu.c
++++ b/drivers/iommu/arm-smmu.c
+@@ -319,6 +319,7 @@ enum arm_smmu_implementation {
+ GENERIC_SMMU,
+ ARM_MMU500,
+ CAVIUM_SMMUV2,
++ QCOM_SMMUV2,
+ };
+
+ /* Until ACPICA headers cover IORT rev. C */
+@@ -2068,6 +2069,7 @@ ARM_SMMU_MATCH_DATA(smmu_generic_v2, ARM
+ ARM_SMMU_MATCH_DATA(arm_mmu401, ARM_SMMU_V1_64K, GENERIC_SMMU);
+ ARM_SMMU_MATCH_DATA(arm_mmu500, ARM_SMMU_V2, ARM_MMU500);
+ ARM_SMMU_MATCH_DATA(cavium_smmuv2, ARM_SMMU_V2, CAVIUM_SMMUV2);
++ARM_SMMU_MATCH_DATA(qcom_smmuv2, ARM_SMMU_V2, QCOM_SMMUV2);
+
+ static const struct of_device_id arm_smmu_of_match[] = {
+ { .compatible = "arm,smmu-v1", .data = &smmu_generic_v1 },
+@@ -2076,6 +2078,7 @@ static const struct of_device_id arm_smm
+ { .compatible = "arm,mmu-401", .data = &arm_mmu401 },
+ { .compatible = "arm,mmu-500", .data = &arm_mmu500 },
+ { .compatible = "cavium,smmu-v2", .data = &cavium_smmuv2 },
++ { .compatible = "qcom,smmu-v2", .data = &qcom_smmuv2 },
+ { },
+ };
+ MODULE_DEVICE_TABLE(of, arm_smmu_of_match);
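Review bot: QCOM_SMMUV2 is added to the enum and to arm_smmu_of_match, but none of the three inner hunks tests for it, while the commit message describes the variant as having "specific clock and power requirements". If that clock and power handling comes from other upstream commits, binding the driver to `qcom,smmu-v2` without them may leave the device unclocked at probe; this is an inference, since the rest of arm-smmu.c is not in the hunk. It is worth confirming that the prerequisites are in series.conf, or recording in the patch header why they are not needed.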
diff --git a/patches.fixes/iommu-arm-smmu-v3-Use-explicit-mb-when-moving-cons-p.patch b/patches.fixes/iommu-arm-smmu-v3-Use-explicit-mb-when-moving-cons-p.patch
new file mode 100644
index 0000000..97de8c8
--- /dev/null
+++ b/patches.fixes/iommu-arm-smmu-v3-Use-explicit-mb-when-moving-cons-p.patch
@@ -0,0 +1,50 @@
+From a868e8530441286342f90c1fd9c5f24de3aa2880 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Wed, 7 Nov 2018 22:58:24 +0000
+Subject: [PATCH] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer
+Git-commit: a868e8530441286342f90c1fd9c5f24de3aa2880
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+After removing an entry from a queue (e.g. reading an event in
+arm_smmu_evtq_thread()) it is necessary to advance the MMIO consumer
+pointer to free the queue slot back to the SMMU. A memory barrier is
+required here so that all reads targetting the queue entry have
+completed before the consumer pointer is updated.
+
+The implementation of queue_inc_cons() relies on a writel() to complete
+the previous reads, but this is incorrect because writel() is only
+guaranteed to complete prior writes. This patch replaces the call to
+writel() with an mb(); writel_relaxed() sequence, which gives us the
+read->write ordering which we require.
+
+Cc: Robin Murphy
+Signed-off-by: Will Deacon
+Acked-by: Takashi Iwai
+
+---
+ drivers/iommu/arm-smmu-v3.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
+index 62ef4afc9ee5..11f528e727a1 100644
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -679,7 +679,13 @@ static void queue_inc_cons(struct arm_smmu_queue *q)
+ u32 cons = (Q_WRP(q, q->cons) | Q_IDX(q, q->cons)) + 1;
+
+ q->cons = Q_OVF(q, q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons);
+- writel(q->cons, q->cons_reg);
++
++ /*
++ * Ensure that all CPU accesses (reads and writes) to the queue
++ * are complete before we update the cons pointer.
++ */
++ mb();
++ writel_relaxed(q->cons, q->cons_reg);
+ }
+
+ static int queue_sync_prod(struct arm_smmu_queue *q)
+--
+2.16.4
+
diff --git a/patches.fixes/iommu-arm-smmu-v3-sync-the-OVACKFLG-to-PRIQ-consumer.patch b/patches.fixes/iommu-arm-smmu-v3-sync-the-OVACKFLG-to-PRIQ-consumer.patch
new file mode 100644
index 0000000..76c3be3
--- /dev/null
+++ b/patches.fixes/iommu-arm-smmu-v3-sync-the-OVACKFLG-to-PRIQ-consumer.patch
@@ -0,0 +1,37 @@
+From 0d535967ac658966c6ade8f82b5799092f7d5441 Mon Sep 17 00:00:00 2001
+From: Miao Zhong
+Date: Mon, 23 Jul 2018 20:56:58 +0800
+Subject: [PATCH] iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
+Git-commit: 0d535967ac658966c6ade8f82b5799092f7d5441
+Patch-mainline: v4.19-rc1
+References: bsc#1051510
+
+When PRI queue occurs overflow, driver should update the OVACKFLG to
+the PRIQ consumer register, otherwise subsequent PRI requests will not
+be processed.
+
+Cc: Will Deacon
+Cc: Robin Murphy
+Signed-off-by: Miao Zhong
+Signed-off-by: Will Deacon
+Acked-by: Takashi Iwai
+
+---
+ drivers/iommu/arm-smmu-v3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
+index 1d647104bccc..deacc152f09f 100644
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -1301,6 +1301,7 @@ static irqreturn_t arm_smmu_priq_thread(int irq, void *dev)
+
+ /* Sync our overflow flag, as we believe we're up to speed */
+ q->cons = Q_OVF(q, q->prod) | Q_WRP(q, q->cons) | Q_IDX(q, q->cons);
++ writel(q->cons, q->cons_reg);
+ return IRQ_HANDLED;
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/irqchip-mbigen-Don-t-clear-eventid-when-freeing-an-M.patch b/patches.fixes/irqchip-mbigen-Don-t-clear-eventid-when-freeing-an-M.patch
new file mode 100644
index 0000000..f7a0199
--- /dev/null
+++ b/patches.fixes/irqchip-mbigen-Don-t-clear-eventid-when-freeing-an-M.patch
@@ -0,0 +1,50 @@ +From fca269f201a8d9985c0a31fb60b15d4eb57cef80 Mon Sep 17 00:00:00 2001 +From: Jianguo Chen +Date: Wed, 20 Mar 2019 18:54:21 +0000 +Subject: [PATCH] irqchip/mbigen: Don't clear eventid when freeing an MSI +Git-commit: fca269f201a8d9985c0a31fb60b15d4eb57cef80 +Patch-mainline: v5.1-rc2 +References: bsc#1051510 + +mbigen_write_msg clears eventid bits of a mbigen register +when free a interrupt, because msi_domain_deactivate memset +struct msg to zero. Then multiple mbigen pins with zero eventid +will report the same interrupt number. + +The eventid clear call trace: + free_irq + __free_irq + irq_shutdown + irq_domain_deactivate_irq + __irq_domain_deactivate_irq + __irq_domain_deactivate_irq + msi_domain_deactivate + platform_msi_write_msg + mbigen_write_msg + +Signed-off-by: Jianguo Chen +[maz: massaged subject] +Signed-off-by: Marc Zyngier +Acked-by: Takashi Iwai + +--- + drivers/irqchip/irq-mbigen.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/irqchip/irq-mbigen.c b/drivers/irqchip/irq-mbigen.c +index 567b29c47608..98b6e1d4b1a6 100644 +--- a/drivers/irqchip/irq-mbigen.c ++++ b/drivers/irqchip/irq-mbigen.c +@@ -161,6 +161,9 @@ static void mbigen_write_msg(struct msi_desc *desc, struct msi_msg *msg) + void __iomem *base = d->chip_data; + u32 val; + ++ if (!msg->address_lo && !msg->address_hi) ++ return; ++ + base += get_mbigen_vec_reg(d->hwirq); + val = readl_relaxed(base); + +-- +2.16.4 + diff --git a/patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch b/patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch index f2ad11b..bedf626 100644 --- a/patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch +++ b/patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch @@ -2,7 +2,7 @@ 
From: Dan Williams Date: Mon, 10 Jun 2019 21:10:58 -0700 Subject: libnvdimm/bus: Prevent duplicate device_unregister() calls Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/djbw/nvdimm.git +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm.git Git-commit: 4bc5021f8006cfb021e878cb8fb1b0e15a01ff28 References: bsc#1139865 diff --git a/patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch b/patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch new file mode 100644 index 0000000..2c80b0e --- /dev/null +++ b/patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch 
@@ -0,0 +1,39 @@
+From: Wei Yang
+Date: Tue, 22 Jan 2019 10:48:09 +0800
+Subject: libnvdimm, pfn: Fix over-trim in trim_pfn_device()
+Patch-mainline: v5.1-rc1
+Git-commit: f101ada7da6551127d192c2f1742c1e9e0f62799
+References: bsc#1140719
+
+When trying to see whether current nd_region intersects with others,
+trim_pfn_device() has already calculated the *size* to be expanded to
+SECTION size.
+
+Do not double append 'adjust' to 'size' when calculating whether the end
+of a region collides with the next pmem region.
+
+Fixes: ae86cbfef381 "libnvdimm, pfn: Pad pfn namespaces relative to other regions"
+Cc:
+Signed-off-by: Wei Yang
+Signed-off-by: Dan Williams
+Acked-by: Johannes Thumshirn
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvdimm/pfn_devs.c b/drivers/nvdimm/pfn_devs.c
+index 6f22272e8d80..040bbd9c367e 100644
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -678,7 +678,7 @@ static void trim_pfn_device(struct nd_pfn *nd_pfn, u32 *start_pad, u32 *end_trun
+ if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+ IORES_DESC_NONE) == REGION_MIXED
+ || !IS_ALIGNED(end, nd_pfn->align)
+- || nd_region_conflict(nd_region, start, size + adjust))
++ || nd_region_conflict(nd_region, start, size))
+ *end_trunc = end - phys_pmem_align_down(nd_pfn, end);
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch b/patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch
new file mode 100644
index 0000000..dc19653
--- /dev/null
+++ b/patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch
@@ -0,0 +1,46 @@
+From: Eric Dumazet
+Date: Fri, 22 Jun 2018 16:27:47 -0700
+Subject: netns: get more entropy from net_hash_mix()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: v4.19-rc1
+Git-commit: 5424ea27390f1f8903e5de0eaa0c5b561e8e877a
+References: CVE-2019-10638 bsc#1140575
+
+struct net are effectively allocated from order-1 pages on x86,
+with one object per slab, meaning that the 13 low order bits
+of their addresses are zero.
+
+Once shifted by L1_CACHE_SHIFT, this leaves 7 zero-bits,
+meaning that net_hash_mix() does not help spreading
+objects on various hash tables.
+
+For example, TCP listen table has 32 buckets, meaning that
+all netns use the same bucket for port 80 or port 443.
+
+Signed-off-by: Eric Dumazet
+Reported-by: Maciej Żenczykowski
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ include/net/netns/hash.h | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/include/net/netns/hash.h
++++ b/include/net/netns/hash.h
+@@ -8,12 +8,7 @@ struct net;
+ static inline u32 net_hash_mix(const struct net *net)
+ {
+ #ifdef CONFIG_NET_NS
+- /*
+- * shift this right to eliminate bits, that are
+- * always zeroed
+- */
+-
+- return (u32)(((unsigned long)net) >> L1_CACHE_SHIFT);
++ return (u32)(((unsigned long)net) >> ilog2(sizeof(*net)));
+ #else
+ return 0;
+ #endif
diff --git a/patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch b/patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch
new file mode 100644
index 0000000..9556d0a
--- /dev/null
+++ b/patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch
@@ -0,0 +1,73 @@
+From: Eric Dumazet
+Date: Wed, 27 Mar 2019 08:21:30 -0700
+Subject: netns: provide pure entropy for net_hash_mix()
+Patch-mainline: v5.1-rc4
+Git-commit: 355b98553789b646ed97ad801a619ff898471b92
+References: CVE-2019-10639 bsc#1140577
+
+net_hash_mix() currently uses kernel address of a struct net,
+and is used in many places that could be used to reveal this
+address to a patient attacker, thus defeating KASLR, for
+the typical case (initial net namespace, &init_net is
+not dynamically allocated)
+
+I believe the original implementation tried to avoid spending
+too many cycles in this function, but security comes first.
+
+Also provide entropy regardless of CONFIG_NET_NS.
+
+Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes")
+Signed-off-by: Eric Dumazet
+Reported-by: Amit Klein
+Reported-by: Benny Pinkas
+Cc: Pavel Emelyanov
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ include/net/net_namespace.h | 1 +
+ include/net/netns/hash.h | 10 ++--------
+ net/core/net_namespace.c | 1 +
+ 3 files changed, 4 insertions(+), 8 deletions(-)
+
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -54,6 +54,7 @@ struct net {
+ */
+ spinlock_t rules_mod_lock;
+
++ u32 hash_mix;
+ atomic64_t cookie_gen;
+
+ struct list_head list; /* list of network namespaces */
+--- a/include/net/netns/hash.h
++++ b/include/net/netns/hash.h
+@@ -1,16 +1,10 @@
+ #ifndef __NET_NS_HASH_H__
+ #define __NET_NS_HASH_H__
+
+-#include
+-
+-struct net;
++#include
+
+ static inline u32 net_hash_mix(const struct net *net)
+ {
+-#ifdef CONFIG_NET_NS
+- return (u32)(((unsigned long)net) >> ilog2(sizeof(*net)));
+-#else
+- return 0;
+-#endif
++ return net->hash_mix;
+ }
+ #endif
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -285,6 +285,7 @@ static __net_init int setup_net(struct net *net, struct user_namespace *user_ns)
+
+ atomic_set(&net->count, 1);
+ atomic_set(&net->passive, 1);
++ get_random_bytes(&net->hash_mix, sizeof(u32));
+ net->dev_base_seq = 1;
+ net->user_ns = user_ns;
+ idr_init(&net->netns_ids);
diff --git a/patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch b/patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch
new file mode 100644
index 0000000..129a028
--- /dev/null
+++ b/patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch
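Review bot: `get_random_bytes(&net->hash_mix, sizeof(u32));` in setup_net() hard-codes the field's type instead of taking the size from the field. Writing `get_random_bytes(&net->hash_mix, sizeof(net->hash_mix));` keeps the length tied to the member if it is ever widened, and matches the `sizeof(net->ipv4.ip_id_key)` form used by the IP ID patch in this same merge. setup_net() continues outside the hunk.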
@@ -0,0 +1,66 @@ +From: Dan Williams +Date: Wed, 13 Feb 2019 09:04:07 -0800 +Subject: nfit/ars: Allow root to busy-poll the ARS state machine +Patch-mainline: v5.1-rc1 +Git-commit: 5479b2757f26fe9908fc341d105b2097fe820b6f +References: bsc#1140814 + +The ARS implementation implements exponential back-off on the poll +interval to prevent high-frequency access to the DIMM / platform +interface. Depending on when the ARS completes the poll interval may +exceed the completion event by minutes. Allow root to reset the timeout +each time it probes the status. A one-second timeout is still enforced, +but root can otherwise can control the poll interval. + +Fixes: bc6ba8085842 ("nfit, address-range-scrub: rework and simplify ARS...") +Cc: +Reported-by: Erwin Tsaur +Reviewed-by: Toshi Kani +Signed-off-by: Dan Williams +Acked-by: Johannes Thumshirn +--- + drivers/acpi/nfit/core.c | 8 ++++++++ + drivers/acpi/nfit/nfit.h | 1 + + 2 files changed, 9 insertions(+) + +diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c +index 90312892093e..629cf91649d2 100644 +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -1333,6 +1333,13 @@ static ssize_t scrub_show(struct device *dev, + busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags) + && !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags); + rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? 
"+\n" : "\n"); ++ /* Allow an admin to poll the busy state at a higher rate */ ++ if (busy && capable(CAP_SYS_RAWIO) && !test_and_set_bit(ARS_POLL, ++ &acpi_desc->scrub_flags)) { ++ acpi_desc->scrub_tmo = 1; ++ mod_delayed_work(nfit_wq, &acpi_desc->dwork, HZ); ++ } ++ + mutex_unlock(&acpi_desc->init_mutex); + device_unlock(dev); + return rc; +@@ -3187,6 +3194,7 @@ static void acpi_nfit_scrub(struct work_struct *work) + else + notify_ars_done(acpi_desc); + memset(acpi_desc->ars_status, 0, acpi_desc->max_ars); ++ clear_bit(ARS_POLL, &acpi_desc->scrub_flags); + mutex_unlock(&acpi_desc->init_mutex); + } + +diff --git a/drivers/acpi/nfit/nfit.h b/drivers/acpi/nfit/nfit.h +index 897ce10192a0..d14bad687fb8 100644 +--- a/drivers/acpi/nfit/nfit.h ++++ b/drivers/acpi/nfit/nfit.h +@@ -213,6 +213,7 @@ struct nfit_mem { + enum scrub_flags { + ARS_BUSY, + ARS_CANCEL, ++ ARS_POLL, + }; + + struct acpi_nfit_desc { +-- +2.16.4 + diff --git a/patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch b/patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch new file mode 100644 index 0000000..90bd54a --- /dev/null +++ b/patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch 
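Review bot: The `capable(CAP_SYS_RAWIO)` test added to `scrub_show()` makes a sysfs read state-changing: a reader holding that capability sets `ARS_POLL`, forces `scrub_tmo` to 1 and reschedules the work through `mod_delayed_work()`. The check is evaluated against whichever task performs the read, and the description says "root" while the code tests a single capability, so the comment should say exactly who can trigger it, e.g. `/* Read side effect: a CAP_SYS_RAWIO reader resets the poll timeout; ARS_POLL limits this to once per acpi_nfit_scrub() run */`. The once-per-run limit is inferred from the `clear_bit(ARS_POLL, ...)` added in the `acpi_nfit_scrub()` hunk; both functions begin outside their hunks.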
@@ -0,0 +1,39 @@ +From: Laine Walker-Avina +Date: Mon, 20 May 2019 10:13:04 -0700 +Subject: nvme: copy MTFA field from identify controller +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Patch-mainline: v5.2-rc2 +Git-commit: 2d466c7a574d0b893a233735f133c60115013c0e +References: bsc#1140715 + +We use the controller's reported maximum firmware activation time as our +timeout before resetting a controller for a failed activation notice, +but this value was never being read so we could only use the default +timeout. Copy the Identify Controller MTFA field to the corresponding +nvme_ctrl's mtfa field. + +Fixes: b6dccf7fae433 (“nvme: add support for FW activation without reset”). +Reviewed-by: Max Gurtovoy +Reviewed-by: Christoph Hellwig +Reviewed-by: Minwoo Im +Signed-off-by: Laine Walker-Avina +[changelog, fix endian] +Signed-off-by: Keith Busch +Acked-by: Johannes Thumshirn +--- + drivers/nvme/host/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2391,6 +2391,7 @@ int nvme_init_identify(struct nvme_ctrl + + ctrl->oacs = le16_to_cpu(id->oacs); + ctrl->oncs = le16_to_cpup(&id->oncs); ++ ctrl->mtfa = le16_to_cpu(id->mtfa); + ctrl->oaes = le32_to_cpu(id->oaes); + atomic_set(&ctrl->abort_limit, id->acl + 1); + ctrl->vwc = id->vwc; + diff --git a/patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch b/patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch new file mode 100644 index 0000000..390c0b2 --- /dev/null +++ b/patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch 
@@ -0,0 +1,42 @@ +From: Andrea Parri +Date: Mon, 20 May 2019 19:23:57 +0200 +Subject: sbitmap: fix improper use of smp_mb__before_atomic() +Patch-mainline: v5.2-rc2 +Git-commit: a0934fd2b1208458e55fc4b48f55889809fce666 +References: bsc#1140658 + +This barrier only applies to the read-modify-write operations; in +particular, it does not apply to the atomic_set() primitive. + +Replace the barrier with an smp_mb(). + +Fixes: 6c0ca7ae292ad ("sbitmap: fix wakeup hang after sbq resize") +Cc: stable@vger.kernel.org +Reported-by: "Paul E. McKenney" +Reported-by: Peter Zijlstra +Signed-off-by: Andrea Parri +Reviewed-by: Ming Lei +Cc: Jens Axboe +Cc: Omar Sandoval +Cc: Ming Lei +Cc: linux-block@vger.kernel.org +Cc: "Paul E. McKenney" +Cc: Peter Zijlstra +Signed-off-by: Jens Axboe +Acked-by: Johannes Thumshirn +--- + lib/sbitmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/sbitmap.c ++++ b/lib/sbitmap.c +@@ -338,7 +338,7 @@ void sbitmap_queue_resize(struct sbitmap + * to ensure that the batch size is updated before the wait + * counts. + */ +- smp_mb__before_atomic(); ++ smp_mb(); + for (i = 0; i < SBQ_WAIT_QUEUES; i++) + atomic_set(&sbq->ws[i].wait_cnt, 1); + } + diff --git a/patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch b/patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch new file mode 100644 index 0000000..3b5ec18 --- /dev/null +++ b/patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch 
@@ -0,0 +1,42 @@ +From: Bart Van Assche +Date: Wed, 17 Apr 2019 14:44:28 -0700 +Subject: scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending() +Patch-mainline: v5.2-rc1 +Git-commit: e209783d66bca04b5fce4429e59338517ffc1a0b +References: bsc#1140727 + +Implementations of the .write_pending() callback functions must guarantee +that an appropriate LIO core callback function will be called immediately or +at a later time. Make sure that this guarantee is met for aborted SCSI +commands. + +[mkp: typo] + +Cc: Himanshu Madhani +Cc: Giridhar Malavali +Fixes: 694833ee00c4 ("scsi: tcm_qla2xxx: Do not allow aborted cmd to advance.") # v4.13. +Fixes: a07100e00ac4 ("qla2xxx: Fix TMR ABORT interaction issue between qla2xxx and TCM") # v4.5. +Signed-off-by: Bart Van Assche +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Acked-by: Johannes Thumshirn +--- + drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +index b1cf2aa03de7..aa2de81e2dcc 100644 +--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c ++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +@@ -393,6 +393,8 @@ static int tcm_qla2xxx_write_pending(struct se_cmd *se_cmd) + cmd->se_cmd.transport_state, + cmd->se_cmd.t_state, + cmd->se_cmd.se_cmd_flags); ++ transport_generic_request_failure(&cmd->se_cmd, ++ TCM_CHECK_CONDITION_ABORT_CMD); + return 0; + } + cmd->trc_flags |= TRC_XFR_RDY; +-- +2.16.4 + diff --git a/patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch b/patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch new file mode 100644 index 0000000..b6114f0 --- /dev/null +++ b/patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch 
@@ -0,0 +1,48 @@ +From: Andrew Vasquez +Date: Tue, 2 Apr 2019 14:24:25 -0700 +Subject: scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS + routines +Patch-mainline: v5.2-rc1 +Git-commit: 5cbdae10bf11f96e30b4d14de7b08c8b490e903c +References: bsc#1140728 + +Commit e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs +code") incorrectly set 'optrom_region_size' to 'start+size', which can +overflow option-rom boundaries when 'start' is non-zero. Continue setting +optrom_region_size to the proper adjusted value of 'size'. + +Fixes: e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs code") +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Vasquez +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Acked-by: Johannes Thumshirn +--- + drivers/scsi/qla2xxx/qla_attr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index 8687090193dc..93058379d3c8 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -376,7 +376,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + } + + ha->optrom_region_start = start; +- ha->optrom_region_size = start + size; ++ ha->optrom_region_size = size; + + ha->optrom_state = QLA_SREADING; + ha->optrom_buffer = vmalloc(ha->optrom_region_size); +@@ -449,7 +449,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + } + + ha->optrom_region_start = start; +- ha->optrom_region_size = start + size; ++ ha->optrom_region_size = size; + + ha->optrom_state = QLA_SWRITING; + ha->optrom_buffer = vmalloc(ha->optrom_region_size); +-- +2.16.4 + diff --git a/patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch b/patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch index 96bb5c7..af47c29 100644 --- a/patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch 
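Review bot: Both `qla2x00_sysfs_write_optrom_ctl()` hunks store `size` in `ha->optrom_region_size` and pass it straight to `vmalloc()`, but nothing in either hunk shows that `start` and `size` were checked against the option-ROM length first. The regression being fixed came from this field being treated as an end offset rather than a length, so a comment at each assignment would pin the meaning, e.g. `/* length of the region from optrom_region_start, not an end offset */`. The bounds check presumably sits just above each hunk, and the function continues outside both; worth confirming that it limits `size` to the ROM size minus `start`.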
+++ b/patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch @@ -3,7 +3,8 @@ From: Jan Kara Date: Tue, 11 Jun 2019 14:33:38 +0200 Subject: [PATCH] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() References: bsc#1135296 -Patch-mainline: Submitted 18/06/2019 +Patch-mainline: v5.2-rc7 +Git-commit: 240b4cc8fd5db138b675297d4226ec46594d9b3b Once we unlock adapter->hw_lock in pvscsi_queue_lck() nothing prevents just queued scsi_cmnd from completing and freeing the request. Thus cmd->cmnd[0] diff --git a/patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch b/patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch new file mode 100644 index 0000000..1af25b9 --- /dev/null +++ b/patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch 
@@ -0,0 +1,39 @@ +From: Eric Dumazet +Date: Fri, 21 Jun 2019 06:09:55 -0700 +Subject: tcp: refine memory limit test in tcp_fragment() +Patch-mainline: v5.2-rc6 +Git-commit: b6653b3629e5b88202be3c9abc44713973f5c4b4 +References: CVE-2019-11478 bsc#1137586 bsc#1139751 + +tcp_fragment() might be called for skbs in the write queue. + +Memory limits might have been exceeded because tcp_sendmsg() only +checks limits at full skb (64KB) boundaries. + +Therefore, we need to make sure tcp_fragment() wont punish applications +that might have setup very low SO_SNDBUF values. + +Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits") +Signed-off-by: Eric Dumazet +Reported-by: Christoph Paasch +Tested-by: Christoph Paasch +Signed-off-by: David S. Miller +Acked-by: Michal Kubecek + +SLE: version used here comes from stable-4.4.y commit 46c7b5d6f2a5 + +--- + net/ipv4/tcp_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1273,7 +1273,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, + if (nsize < 0) + nsize = 0; + +- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) { ++ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); + return -ENOMEM; + } diff --git a/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch b/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch index 781b664..ed0bff0 100644 --- a/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch +++ b/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch @@ -42,9 +42,9 @@ 
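Review bot: The slack added in `tcp_fragment()`, `sk->sk_sndbuf + 0x20000`, is an unexplained magic number, and it is added to what is presumably a signed socket field, so a very large `sk_sndbuf` could overflow the sum and turn the limit test into a spurious `-ENOMEM`. A named constant with a comment covers the first part, e.g. `#define TCP_FRAGMENT_SLACK 0x20000 /* headroom for write-queue skbs, see tcp_sendmsg() */`. For the second, `(sk->sk_wmem_queued >> 1) - TCP_FRAGMENT_SLACK > sk->sk_sndbuf` keeps the arithmetic off the socket-controlled side. Whether `sk_sndbuf` is already capped low enough is not visible here, and the function continues outside the hunk.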
Signed-off-by: Michal Kubecek if (nsize < 0) nsize = 0; -- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) { +- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) { - NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); -+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) ++ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) return -ENOMEM; - } diff --git a/patches.kabi/kabi-fixup-blk_mq_register_dev.patch b/patches.kabi/kabi-fixup-blk_mq_register_dev.patch new file mode 100644 index 0000000..bdb8409 --- /dev/null +++ b/patches.kabi/kabi-fixup-blk_mq_register_dev.patch @@ -0,0 +1,41 @@ +From: Johannes Thumshirn +Date: Mon 8 Jul 11:05:25 CEST 2019 +Subject: Kabi fixup blk_mq_register_dev() +References: bsc#1140637 +Patch-mainline: Never, KABI consistency + +This is a kabi consistency patch for +patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch. + +patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch +adds "block/blk.h" to block/blk-mq-sysfs.c in order to get the definitions for +blk_free_flush_queue(). + +But adding "block/blk.h" breaks the kABI for blk_mq_register_dev() by making +it more defined. + +Fix this by removing the include and pulling the definition in as an "extern" + +Signed-off-by: Johannes Thumshirn +--- + block/blk-mq-sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -10,7 +10,6 @@ + #include + + #include +-#include "blk.h" + #include "blk-mq.h" + #include "blk-mq-tag.h" + +@@ -20,6 +19,7 @@ static void blk_mq_sysfs_release(struct + + static void blk_mq_hw_sysfs_release(struct kobject *kobj) + { ++ extern void blk_free_flush_queue(struct blk_flush_queue *q); + struct blk_mq_hw_ctx *hctx = container_of(kobj, struct blk_mq_hw_ctx, + kobj); + 
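Review bot: The block-scope `extern void blk_free_flush_queue(struct blk_flush_queue *q);` added to `blk_mq_hw_sysfs_release()` duplicates a prototype that the description says comes from `blk.h`, and with the include removed the compiler can no longer check the two against each other. If the real signature changes in a later backport, this file would still build and call through the stale declaration. A comment on the line would at least flag the coupling, e.g. `/* kABI: copy of the prototype in block/blk.h, keep in sync */`. The function body continues outside the hunk.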
diff --git a/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch b/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch new file mode 100644 index 0000000..5e54d11 --- /dev/null +++ b/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch @@ -0,0 +1,34 @@ +From: Michal Kubecek +Date: Tue, 9 Jul 2019 08:37:40 +0200 +Subject: kabi: handle addition of net::hash_mix +Patch-mainline: Never, kabi workaround +References: CVE-2019-10639 bsc#1140577 + +Backport of mainline commit 355b98553789 ("netns: provide pure entropy for +net_hash_mix()") adds new member hash_mix into kabi-protected struct net. +As struct net is always allocated by in-tree kernel code, we can simply +move hash_mix at the end and hide it from genksyms. + +Signed-off-by: Michal Kubecek +--- + include/net/net_namespace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -54,7 +54,6 @@ struct net { + */ + spinlock_t rules_mod_lock; + +- u32 hash_mix; + atomic64_t cookie_gen; + + struct list_head list; /* list of network namespaces */ +@@ -156,6 +155,7 @@ struct net { + atomic_t fnhe_genid; + #ifndef __GENKSYMS__ + int sysctl_tcp_min_snd_mss; ++ u32 hash_mix; + #endif + }; + diff --git a/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch b/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch new file mode 100644 index 0000000..bd3f155 --- /dev/null +++ b/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch 
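Review bot: Hiding `hash_mix` behind `#ifndef __GENKSYMS__` at the end of `struct net` keeps the symbol checksums stable, but `net_hash_mix()` is a `static inline` in a header, so a module built against the older headers would presumably keep the address-derived value compiled in. Such a module would retain the pointer-based salt that the CVE fix removes and would compute a different salt from the kernel for the same namespace. This is inferred from the inline definition in the backported patch rather than from this hunk, so it is worth recording next to the field, e.g. `u32 hash_mix; /* kABI: appended; modules built before this change still inline the old net_hash_mix() */`.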
@@ -0,0 +1,77 @@ +From: Michal Kubecek +Date: Tue, 9 Jul 2019 08:45:15 +0200 +Subject: kabi: handle addition of netns_ipv4::ip_id_key +Patch-mainline: Never, kabi workaround +References: CVE-2019-10638 bsc#1140575 + +Backport of mainline commit df453700e8d8 ("inet: switch IP ID generator to +siphash") adds new member ip_id_ikey into struct netns_ipv4 which is +embedded into kabi-protected struct net. As struct net is always allocated +by in-tree kernel code and struct netns_ipv4 is not used anywhere else, we +can move ip_id_key out of netns_ipv4 to the end of struct net itself and +hide it from genksyms. + +Signed-off-by: Michal Kubecek +--- + include/net/net_namespace.h | 1 + + include/net/netns/ipv4.h | 1 - + net/ipv4/route.c | 7 +++---- + net/ipv6/output_core.c | 7 +++---- + 4 files changed, 7 insertions(+), 9 deletions(-) + +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -156,6 +156,7 @@ struct net { + #ifndef __GENKSYMS__ + int sysctl_tcp_min_snd_mss; + u32 hash_mix; ++ siphash_key_t ip_id_key; + #endif + }; + +--- a/include/net/netns/ipv4.h ++++ b/include/net/netns/ipv4.h +@@ -160,6 +160,5 @@ struct netns_ipv4 { + unsigned int ipmr_seq; /* protected by rtnl_mutex */ + + atomic_t rt_genid; +- siphash_key_t ip_id_key; + }; + #endif +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -516,14 +516,13 @@ void __ip_select_ident(struct net *net, struct iphdr *iph, int segs) + u32 hash, id; + + /* Note the following code is not safe, but this is okay. 
*/ +- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) +- get_random_bytes(&net->ipv4.ip_id_key, +- sizeof(net->ipv4.ip_id_key)); ++ if (unlikely(siphash_key_is_zero(&net->ip_id_key))) ++ get_random_bytes(&net->ip_id_key, sizeof(net->ip_id_key)); + + hash = siphash_3u32((__force u32)iph->daddr, + (__force u32)iph->saddr, + iph->protocol, +- &net->ipv4.ip_id_key); ++ &net->ip_id_key); + id = ip_idents_reserve(hash, segs); + iph->id = htons(id); + } +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -24,11 +24,10 @@ static u32 __ipv6_select_ident(struct net *net, + u32 hash, id; + + /* Note the following code is not safe, but this is okay. */ +- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) +- get_random_bytes(&net->ipv4.ip_id_key, +- sizeof(net->ipv4.ip_id_key)); ++ if (unlikely(siphash_key_is_zero(&net->ip_id_key))) ++ get_random_bytes(&net->ip_id_key, sizeof(net->ip_id_key)); + +- hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key); ++ hash = siphash(&combined, sizeof(combined), &net->ip_id_key); + + /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve, + * set the hight order instead thus minimizing possible future diff --git a/patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch b/patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch new file mode 100644 index 0000000..2bbba5d --- /dev/null +++ b/patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch 
@@ -0,0 +1,33 @@ +From: Johannes Thumshirn +Date: Tue 22 May 11:58:05 CEST 2018 +Subject: kabi protect struct acpi_nfit_desc +References: bsc#1091424 +Patch-mainline: Never, KABI fixup + +Signed-off-by: Johannes Thumshirn +--- + drivers/acpi/nfit/nfit.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/nfit/nfit.h ++++ b/drivers/acpi/nfit/nfit.h +@@ -239,7 +239,8 @@ struct acpi_nfit_desc { + unsigned int max_ars; + unsigned int scrub_count; + unsigned int scrub_mode; +- unsigned long scrub_flags; ++ unsigned int scrub_busy:1; ++ unsigned int cancel:1; + unsigned long dimm_cmd_force_en; + unsigned long bus_cmd_force_en; + unsigned long bus_nfit_cmd_force_en; +@@ -247,6 +248,9 @@ struct acpi_nfit_desc { + unsigned int scrub_tmo; + int (*blk_do_io)(struct nd_blk_region *ndbr, resource_size_t dpa, + void *iobuf, u64 len, int rw); ++#ifndef __GENKSYMS__ ++ unsigned long scrub_flags; ++#endif + }; + + enum scrub_mode { diff --git a/patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch b/patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch new file mode 100644 index 0000000..7ca190f --- /dev/null +++ b/patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch 
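Review bot: After this hunk `struct acpi_nfit_desc` carries both the old `scrub_busy:1` / `cancel:1` bitfields and the hidden `scrub_flags` word, and nothing marks the bitfields as placeholders. The nfit/ars backport in this same series tests `ARS_BUSY` and `ARS_CANCEL` in `scrub_flags`, so the bitfields are presumably never updated and any code still reading them sees stale state. A comment on the two lines, e.g. `/* kABI placeholder, unused: state lives in scrub_flags */`, would make that explicit. The struct definition starts and ends outside the hunk.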
@@ -0,0 +1,182 @@ +From: Petr Mladek +Date: Thu, 27 Jun 2019 10:13:34 +0200 +Subject: ftrace/x86: Remove possible deadlock between register_kprobe() and + ftrace_run_update_code() +Git-commit: d5b844a2cf507fc7642c9ae80a9d585db3065c28 +Patch-mainline: v5.2 +References: bsc#1071995 fate#323487 + +The commit 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text +permissions race") causes a possible deadlock between register_kprobe() +and ftrace_run_update_code() when ftrace is using stop_machine(). + +The existing dependency chain (in reverse order) is: + +-> #1 (text_mutex){+.+.}: + validate_chain.isra.21+0xb32/0xd70 + __lock_acquire+0x4b8/0x928 + lock_acquire+0x102/0x230 + __mutex_lock+0x88/0x908 + mutex_lock_nested+0x32/0x40 + register_kprobe+0x254/0x658 + init_kprobes+0x11a/0x168 + do_one_initcall+0x70/0x318 + kernel_init_freeable+0x456/0x508 + kernel_init+0x22/0x150 + ret_from_fork+0x30/0x34 + kernel_thread_starter+0x0/0xc + +-> #0 (cpu_hotplug_lock.rw_sem){++++}: + check_prev_add+0x90c/0xde0 + validate_chain.isra.21+0xb32/0xd70 + __lock_acquire+0x4b8/0x928 + lock_acquire+0x102/0x230 + cpus_read_lock+0x62/0xd0 + stop_machine+0x2e/0x60 + arch_ftrace_update_code+0x2e/0x40 + ftrace_run_update_code+0x40/0xa0 + ftrace_startup+0xb2/0x168 + register_ftrace_function+0x64/0x88 + klp_patch_object+0x1a2/0x290 + klp_enable_patch+0x554/0x980 + do_one_initcall+0x70/0x318 + do_init_module+0x6e/0x250 + load_module+0x1782/0x1990 + __s390x_sys_finit_module+0xaa/0xf0 + system_call+0xd8/0x2d0 + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(text_mutex); + lock(cpu_hotplug_lock.rw_sem); + lock(text_mutex); + lock(cpu_hotplug_lock.rw_sem); + +It is similar problem that has been solved by the commit 2d1e38f56622b9b +("kprobes: Cure hotplug lock ordering issues"). Many locks are involved. +To be on the safe side, text_mutex must become a low level lock taken +after cpu_hotplug_lock.rw_sem. + +This can't be achieved easily with the current ftrace design. 
+For example, arm calls set_all_modules_text_rw() already in +ftrace_arch_code_modify_prepare(), see arch/arm/kernel/ftrace.c. +This functions is called: + + + outside stop_machine() from ftrace_run_update_code() + + without stop_machine() from ftrace_module_enable() + +Fortunately, the problematic fix is needed only on x86_64. It is +the only architecture that calls set_all_modules_text_rw() +in ftrace path and supports livepatching at the same time. + +Therefore it is enough to move text_mutex handling from the generic +kernel/trace/ftrace.c into arch/x86/kernel/ftrace.c: + + ftrace_arch_code_modify_prepare() + ftrace_arch_code_modify_post_process() + +This patch basically reverts the ftrace part of the problematic +commit 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module +text permissions race"). And provides x86_64 specific-fix. + +Some refactoring of the ftrace code will be needed when livepatching +is implemented for arm or nds32. These architectures call +set_all_modules_text_rw() and use stop_machine() at the same time. + +Link: http://lkml.kernel.org/r/20190627081334.12793-1-pmladek@suse.com + +Fixes: 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text permissions race") +Acked-by: Thomas Gleixner +Reported-by: Miroslav Benes +Reviewed-by: Miroslav Benes +Reviewed-by: Josh Poimboeuf +Signed-off-by: Petr Mladek +[ + As reviewed by Miroslav Benes , removed return value of + ftrace_run_update_code() as it is a void function. 
+] +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Miroslav Benes +--- + arch/x86/kernel/ftrace.c | 3 +++ + kernel/trace/ftrace.c | 10 +--------- + 2 files changed, 4 insertions(+), 9 deletions(-) + +--- a/arch/x86/kernel/ftrace.c ++++ b/arch/x86/kernel/ftrace.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + #include + +@@ -34,6 +35,7 @@ + + int ftrace_arch_code_modify_prepare(void) + { ++ mutex_lock(&text_mutex); + set_kernel_text_rw(); + set_all_modules_text_rw(); + return 0; +@@ -43,6 +45,7 @@ int ftrace_arch_code_modify_post_process + { + set_all_modules_text_ro(); + set_kernel_text_ro(); ++ mutex_unlock(&text_mutex); + return 0; + } + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -33,7 +33,6 @@ + #include + #include + #include +-#include + + #include + +@@ -2630,12 +2629,10 @@ static void ftrace_run_update_code(int c + { + int ret; + +- mutex_lock(&text_mutex); +- + ret = ftrace_arch_code_modify_prepare(); + FTRACE_WARN_ON(ret); + if (ret) +- goto out_unlock; ++ return; + + /* + * By default we use stop_machine() to modify the code. +@@ -2647,9 +2644,6 @@ static void ftrace_run_update_code(int c + + ret = ftrace_arch_code_modify_post_process(); + FTRACE_WARN_ON(ret); +- +-out_unlock: +- mutex_unlock(&text_mutex); + } + + static void ftrace_run_modify_code(struct ftrace_ops *ops, int command, +@@ -5415,7 +5409,6 @@ void ftrace_module_enable(struct module + struct ftrace_page *pg; + + mutex_lock(&ftrace_lock); +- mutex_lock(&text_mutex); + + if (ftrace_disabled) + goto out_unlock; +@@ -5476,7 +5469,6 @@ void ftrace_module_enable(struct module + ftrace_arch_code_modify_post_process(); + + out_unlock: +- mutex_unlock(&text_mutex); + mutex_unlock(&ftrace_lock); + } + diff --git a/patches.suse/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch b/patches.suse/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch new file mode 100644 index 0000000..d837598 --- /dev/null 
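Review bot: In the `arch/x86/kernel/ftrace.c` hunks `text_mutex` is now taken in `ftrace_arch_code_modify_prepare()` and released in `ftrace_arch_code_modify_post_process()`, and neither function says so. A lock held across two functions is easy to unbalance: `ftrace_run_update_code()` now returns early when prepare reports an error, which is only safe while a failing prepare never leaves the mutex held. A comment at the `mutex_lock()` would record the contract, e.g. `/* held until ftrace_arch_code_modify_post_process(); callers must always pair the two */`.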
+++ b/patches.suse/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch 
@@ -0,0 +1,74 @@ +From 81d3f9de6f4c3abd507aed6840e04d55085d31c2 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Fri, 26 Oct 2018 15:10:58 -0700 +Subject: [PATCH] hugetlbfs: dirty pages as they are added to pagecache + +References: git fixes (mm/hugetlbfs) +Patch-mainline: v4.20 +Git-commit: 22146c3ce98962436e401f7b7016a6f664c9ffb5 + +Some test systems were experiencing negative huge page reserve counts and +incorrect file block counts. This was traced to /proc/sys/vm/drop_caches +removing clean pages from hugetlbfs file pagecaches. When non-hugetlbfs +explicit code removes the pages, the appropriate accounting is not +performed. + +This can be recreated as follows: + fallocate -l 2M /dev/hugepages/foo + echo 1 > /proc/sys/vm/drop_caches + fallocate -l 2M /dev/hugepages/foo + grep -i huge /proc/meminfo + AnonHugePages: 0 kB + ShmemHugePages: 0 kB + HugePages_Total: 2048 + HugePages_Free: 2047 + HugePages_Rsvd: 18446744073709551615 + HugePages_Surp: 0 + Hugepagesize: 2048 kB + Hugetlb: 4194304 kB + ls -lsh /dev/hugepages/foo + 4.0M -rw-r--r--. 1 root root 2.0M Oct 17 20:05 /dev/hugepages/foo + +To address this issue, dirty pages as they are added to pagecache. This +can easily be reproduced with fallocate as shown above. Read faulted +pages will eventually end up being marked dirty. But there is a window +where they are clean and could be impacted by code such as drop_caches. +So, just dirty them all as they are added to the pagecache. + +Link: http://lkml.kernel.org/r/b5be45b8-5afe-56cd-9482-28384699a049@oracle.com +Fixes: 6bda666a03f0 ("hugepages: fold find_or_alloc_pages into huge_no_page()") +Signed-off-by: Mike Kravetz +Acked-by: Mihcla Hocko +Reviewed-by: Khalid Aziz +Cc: Hugh Dickins +Cc: Naoya Horiguchi +Cc: "Aneesh Kumar K . V" +Cc: Andrea Arcangeli +Cc: "Kirill A . 
Shutemov" +Cc: Davidlohr Bueso +Cc: Alexander Viro +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Mel Gorman +--- + mm/hugetlb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 9922e6aa80da..4e0ab342baf8 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3684,6 +3684,12 @@ int huge_add_to_page_cache(struct page *page, struct address_space *mapping, + return err; + ClearPagePrivate(page); + ++ /* ++ * set page dirty so that it will not be removed from cache/file ++ * by non-hugetlbfs specific code paths. ++ */ ++ set_page_dirty(page); ++ + spin_lock(&inode->i_lock); + inode->i_blocks += blocks_per_huge_page(h); + spin_unlock(&inode->i_lock); diff --git a/patches.suse/hugetlbfs-fix-kernel-BUG-at-fs-hugetlbfs-inode.c-444.patch b/patches.suse/hugetlbfs-fix-kernel-BUG-at-fs-hugetlbfs-inode.c-444.patch new file mode 100644 index 0000000..49400aa --- /dev/null +++ b/patches.suse/hugetlbfs-fix-kernel-BUG-at-fs-hugetlbfs-inode.c-444.patch 
@@ -0,0 +1,134 @@ +From ab19c4ea6646929c6239dc43b15c87d4667d93ac Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Fri, 16 Nov 2018 15:08:04 -0800 +Subject: [PATCH] hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! + +References: git fixes (mm/hugetlbfs) +Patch-mainline: v4.20 +Git-commit: 5e41540c8a0f0e98c337dda8b391e5dda0cde7cf + +This bug has been experienced several times by the Oracle DB team. The +BUG is in remove_inode_hugepages() as follows: + + /* + * If page is mapped, it was faulted in after being + * unmapped in caller. Unmap (again) now after taking + * the fault mutex. The mutex will prevent faults + * until we finish removing the page. + * + * This race can only happen in the hole punch case. + * Getting here in a truncate operation is a bug. + */ + if (unlikely(page_mapped(page))) { + BUG_ON(truncate_op); + +In this case, the elevated map count is not the result of a race. +Rather it was incorrectly incremented as the result of a bug in the huge +pmd sharing code. Consider the following: + + - Process A maps a hugetlbfs file of sufficient size and alignment + (PUD_SIZE) that a pmd page could be shared. + + - Process B maps the same hugetlbfs file with the same size and + alignment such that a pmd page is shared. + + - Process B then calls mprotect() to change protections for the mapping + with the shared pmd. As a result, the pmd is 'unshared'. + + - Process B then calls mprotect() again to chage protections for the + mapping back to their original value. pmd remains unshared. + + - Process B then forks and process C is created. During the fork + process, we do dup_mm -> dup_mmap -> copy_page_range to copy page + tables. Copying page tables for hugetlb mappings is done in the + routine copy_hugetlb_page_range. + +In copy_hugetlb_page_range(), the destination pte is obtained by: + + dst_pte = huge_pte_alloc(dst, addr, sz); + +If pmd sharing is possible, the returned pointer will be to a pte in an +existing page table. 
In the situation above, process C could share with +either process A or process B. Since process A is first in the list, +the returned pte is a pointer to a pte in process A's page table. + +However, the check for pmd sharing in copy_hugetlb_page_range is: + + /* If the pagetables are shared don't copy or take references */ + if (dst_pte == src_pte) + continue; + +Since process C is sharing with process A instead of process B, the +above test fails. The code in copy_hugetlb_page_range which follows +assumes dst_pte points to a huge_pte_none pte. It copies the pte entry +from src_pte to dst_pte and increments this map count of the associated +page. This is how we end up with an elevated map count. + +To solve, check the dst_pte entry for huge_pte_none. If !none, this +implies PMD sharing so do not copy. + +Link: http://lkml.kernel.org/r/20181105212315.14125-1-mike.kravetz@oracle.com +Fixes: c5c99429fa57 ("fix hugepages leak due to pagetable page sharing") +Signed-off-by: Mike Kravetz +Reviewed-by: Naoya Horiguchi +Cc: Michal Hocko +Cc: Hugh Dickins +Cc: Andrea Arcangeli +Cc: "Kirill A . 
Shutemov" +Cc: Davidlohr Bueso +Cc: Prakash Sangappa +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Mel Gorman +--- + mm/hugetlb.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 4e0ab342baf8..29314b5b4b8e 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3254,7 +3254,7 @@ static int is_hugetlb_entry_hwpoisoned(pte_t pte) + int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src, + struct vm_area_struct *vma) + { +- pte_t *src_pte, *dst_pte, entry; ++ pte_t *src_pte, *dst_pte, entry, dst_entry; + struct page *ptepage; + unsigned long addr; + int cow; +@@ -3282,15 +3282,30 @@ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src, + break; + } + +- /* If the pagetables are shared don't copy or take references */ +- if (dst_pte == src_pte) ++ /* ++ * If the pagetables are shared don't copy or take references. ++ * dst_pte == src_pte is the common case of src/dest sharing. ++ * ++ * However, src could have 'unshared' and dst shares with ++ * another vma. If dst_pte !none, this implies sharing. ++ * Check here before taking page table lock, and once again ++ * after taking the lock below. ++ */ ++ dst_entry = huge_ptep_get(dst_pte); ++ if ((dst_pte == src_pte) || !huge_pte_none(dst_entry)) + continue; + + dst_ptl = huge_pte_lock(h, dst, dst_pte); + src_ptl = huge_pte_lockptr(h, src, src_pte); + spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING); + entry = huge_ptep_get(src_pte); +- if (huge_pte_none(entry)) { /* skip none entry */ ++ dst_entry = huge_ptep_get(dst_pte); ++ if (huge_pte_none(entry) || !huge_pte_none(dst_entry)) { ++ /* ++ * Skip if src entry none. Also, skip in the ++ * unlikely case dst entry !none as this implies ++ * sharing with another vma. ++ */ + ; + } else if (unlikely(is_hugetlb_entry_migration(entry) || + is_hugetlb_entry_hwpoisoned(entry))) { 
diff --git a/patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch b/patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch
new file mode 100644
index 0000000..19c1799
--- /dev/null
+++ b/patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch
@@ -0,0 +1,106 @@
+From 3f40030f624f6a3532c11dde3cde8433f10fe889 Mon Sep 17 00:00:00 2001
+From: Shakeel Butt
+Date: Thu, 4 Jul 2019 15:14:42 -0700
+Subject: [PATCH] mm/vmscan.c: prevent useless kswapd loops
+
+References: git fixes (mm/vmscan)
+Patch-mainline: v5.2
+Git-commit: dffcac2cb88e4ec5906235d64a83d802580b119e
+
+In production we have noticed hard lockups on large machines running
+large jobs due to kswaps hoarding lru lock within isolate_lru_pages when
+sc->reclaim_idx is 0 which is a small zone. The lru was couple hundred
+GiBs and the condition (page_zonenum(page) > sc->reclaim_idx) in
+isolate_lru_pages() was basically skipping GiBs of pages while holding
+the LRU spinlock with interrupt disabled.
+
+On further inspection, it seems like there are two issues:
+
+(1) If kswapd on the return from balance_pgdat() could not sleep (i.e.
+ node is still unbalanced), the classzone_idx is unintentionally set
+ to 0 and the whole reclaim cycle of kswapd will try to reclaim only
+ the lowest and smallest zone while traversing the whole memory.
+
+(2) Fundamentally isolate_lru_pages() is really bad when the
+ allocation has woken kswapd for a smaller zone on a very large machine
+ running very large jobs. It can hoard the LRU spinlock while skipping
+ over 100s of GiBs of pages.
+
+This patch only fixes (1). (2) needs a more fundamental solution. To
+fix (1), in the kswapd context, if pgdat->kswapd_classzone_idx is
+invalid use the classzone_idx of the previous kswapd loop otherwise use
+the one the waker has requested.
+
+Link: http://lkml.kernel.org/r/20190701201847.251028-1-shakeelb@google.com
+Fixes: e716f2eb24de ("mm, vmscan: prevent kswapd sleeping prematurely due to mismatched classzone_idx")
+Signed-off-by: Shakeel Butt
+Reviewed-by: Yang Shi
+Acked-by: Mel Gorman
+Cc: Johannes Weiner
+Cc: Michal Hocko
+Cc: Vlastimil Babka
+Cc: Hillf Danton
+Cc: Roman Gushchin
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Mel Gorman
+---
+ mm/vmscan.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index 8cf73cb92a13..477fcb98a825 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -3362,19 +3362,18 @@ static int balance_pgdat(pg_data_t *pgdat, int order, int classzone_idx)
+ }
+
+ /*
+- * pgdat->kswapd_classzone_idx is the highest zone index that a recent
+- * allocation request woke kswapd for. When kswapd has not woken recently,
+- * the value is MAX_NR_ZONES which is not a valid index. This compares a
+- * given classzone and returns it or the highest classzone index kswapd
+- * was recently woke for.
++ * The pgdat->kswapd_classzone_idx is used to pass the highest zone index to be
++ * reclaimed by kswapd from the waker. If the value is MAX_NR_ZONES which is not
++ * a valid index then either kswapd runs for first time or kswapd couldn't sleep
++ * after previous reclaim attempt (node is still unbalanced). In that case
++ * return the zone index of the previous kswapd reclaim cycle.
+ */
+ static enum zone_type kswapd_classzone_idx(pg_data_t *pgdat,
+- enum zone_type classzone_idx)
++ enum zone_type prev_classzone_idx)
+ {
+ if (pgdat->kswapd_classzone_idx == MAX_NR_ZONES)
+- return classzone_idx;
+-
+- return max(pgdat->kswapd_classzone_idx, classzone_idx);
++ return prev_classzone_idx;
++ return pgdat->kswapd_classzone_idx;
+ }
+
+ static void kswapd_try_to_sleep(pg_data_t *pgdat, int alloc_order, int reclaim_order,
+@@ -3517,7 +3516,7 @@ static int kswapd(void *p)
+
+ /* Read the new order and classzone_idx */
+ alloc_order = reclaim_order = pgdat->kswapd_order;
+- classzone_idx = kswapd_classzone_idx(pgdat, 0);
++ classzone_idx = kswapd_classzone_idx(pgdat, classzone_idx);
+ pgdat->kswapd_order = 0;
+ pgdat->kswapd_classzone_idx = MAX_NR_ZONES;
+
+@@ -3567,8 +3566,12 @@ void wakeup_kswapd(struct zone *zone, int order, enum zone_type classzone_idx)
+ if (!cpuset_zone_allowed(zone, gfp_flags))
+ return;
+ pgdat = zone->zone_pgdat;
+- pgdat->kswapd_classzone_idx = kswapd_classzone_idx(pgdat,
+- classzone_idx);
++
++ if (pgdat->kswapd_classzone_idx == MAX_NR_ZONES)
++ pgdat->kswapd_classzone_idx = classzone_idx;
++ else
++ pgdat->kswapd_classzone_idx = max(pgdat->kswapd_classzone_idx,
++ classzone_idx);
+ pgdat->kswapd_order = max(pgdat->kswapd_order, order);
+ if (!waitqueue_active(&pgdat->kswapd_wait))
+ return;
diff --git a/patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch b/patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
new file mode 100644
index 0000000..aa85abd
--- /dev/null
+++ b/patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
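Review bot: In the rewritten `kswapd_classzone_idx()` helper of the mm/vmscan.c patch, `pgdat->kswapd_classzone_idx` is read twice, once for the `MAX_NR_ZONES` test and once for the return value, while `wakeup_kswapd()` in the last inner hunk stores to the same field with no lock visible in these hunks. Taking one snapshot guarantees that the value returned is the value that was tested: `enum zone_type idx = READ_ONCE(pgdat->kswapd_classzone_idx);` followed by `return idx == MAX_NR_ZONES ? prev_classzone_idx : idx;`. Whether the accesses are serialised somewhere outside the hunks cannot be told from here, so this is a hardening suggestion rather than a confirmed race. `kswapd()` and `wakeup_kswapd()` both continue outside their hunks.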
@@ -0,0 +1,54 @@
+From: Jann Horn
+Date: Thu, 4 Jul 2019 17:32:23 +0200
+Subject: ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
+Git-commit: 6994eefb0053799d2e07cd140df6c2ea106c41ee
+Patch-mainline: 5.2
+References: git-fixes
+
+Fix two issues:
+
+When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
+reference to the parent's objective credentials, then give that pointer
+to get_cred(). However, the object lifetime rules for things like
+struct cred do not permit unconditionally turning an RCU reference into
+a stable reference.
+
+PTRACE_TRACEME records the parent's credentials as if the parent was
+acting as the subject, but that's not the case. If a malicious
+unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
+at a later point, the parent process becomes attacker-controlled
+(because it drops privileges and calls execve()), the attacker ends up
+with control over two processes with a privileged ptrace relationship,
+which can be abused to ptrace a suid binary and obtain root privileges.
+
+Fix both of these by always recording the credentials of the process
+that is requesting the creation of the ptrace relationship:
+current_cred() can't change under us, and current is the proper subject
+for access control.
+
+This change is theoretically userspace-visible, but I am not aware of
+any code that it will actually break.
+
+Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
+Signed-off-by: Jann Horn
+Acked-by: Oleg Nesterov
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Jiri Slaby
+---
+ kernel/ptrace.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -78,9 +78,7 @@ void __ptrace_link(struct task_struct *c
+ */
+ static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ {
+- rcu_read_lock();
+- __ptrace_link(child, new_parent, __task_cred(new_parent));
+- rcu_read_unlock();
++ __ptrace_link(child, new_parent, current_cred());
+ }
+
+ /**
diff --git a/patches.suse/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch b/patches.suse/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
new file mode 100644
index 0000000..3f793f5
--- /dev/null
+++ b/patches.suse/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
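Review bot: The new one-line body of `ptrace_link()` in the PTRACE_TRACEME patch takes the credentials from `current_cred()` and no longer from `new_parent`, but nothing in the code says why; the reasoning exists only in the patch description. Because the function still receives `new_parent`, a later cleanup could plausibly "restore" `__task_cred(new_parent)` and reopen the privilege problem the description lays out. I would put a comment directly above the call, for example `/* Record current's creds: current requested the link and is the subject; for PTRACE_TRACEME new_parent is not the requester. */`. The function's header comment begins before this hunk, so it should be checked for wording that still implies the parent's credentials are captured.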
@@ -0,0 +1,60 @@
+From: Jann Horn
+Date: Wed, 29 May 2019 13:31:57 +0200
+Subject: ptrace: restore smp_rmb() in __ptrace_may_access()
+Git-commit: f6581f5b55141a95657ef5742cf6a6bfa20a109f
+Patch-mainline: 5.2-rc5
+References: git-fixes
+
+Restore the read memory barrier in __ptrace_may_access() that was deleted
+a couple years ago. Also add comments on this barrier and the one it pairs
+with to explain why they're there (as far as I understand).
+
+Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks")
+Cc: stable@vger.kernel.org
+Acked-by: Kees Cook
+Acked-by: Oleg Nesterov
+Signed-off-by: Jann Horn
+Signed-off-by: Eric W. Biederman
+Signed-off-by: Jiri Slaby
+---
+ kernel/cred.c | 9 +++++++++
+ kernel/ptrace.c | 10 ++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -448,6 +448,15 @@ int commit_creds(struct cred *new)
+ if (task->mm)
+ set_dumpable(task->mm, suid_dumpable);
+ task->pdeath_signal = 0;
++ /*
++ * If a task drops privileges and becomes nondumpable,
++ * the dumpability change must become visible before
++ * the credential change; otherwise, a __ptrace_may_access()
++ * racing with this change may be able to attach to a task it
++ * shouldn't be able to attach to (as if the task had dropped
++ * privileges without becoming nondumpable).
++ * Pairs with a read barrier in __ptrace_may_access().
++ */
+ smp_wmb();
+ }
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -323,6 +323,16 @@ static int __ptrace_may_access(struct ta
+ return -EPERM;
+ ok:
+ rcu_read_unlock();
++ /*
++ * If a task drops privileges and becomes nondumpable (through a syscall
++ * like setresuid()) while we are trying to access it, we must ensure
++ * that the dumpability is read after the credentials; otherwise,
++ * we may be able to attach to a task that we shouldn't be able to
++ * attach to (as if the task had dropped privileges without becoming
++ * nondumpable).
++ * Pairs with a write barrier in commit_creds().
++ */
++ smp_rmb();
+ mm = task->mm;
+ if (mm &&
+ ((get_dumpable(mm) != SUID_DUMP_USER) &&
diff --git a/patches.suse/signal-ptrace-Don-t-leak-unitialized-kernel-memory-w.patch b/patches.suse/signal-ptrace-Don-t-leak-unitialized-kernel-memory-w.patch
new file mode 100644
index 0000000..e9f048e
--- /dev/null
+++ b/patches.suse/signal-ptrace-Don-t-leak-unitialized-kernel-memory-w.patch
@@ -0,0 +1,74 @@ +From: "Eric W. Biederman" +Date: Tue, 28 May 2019 18:46:37 -0500 +Subject: signal/ptrace: Don't leak unitialized kernel memory with + PTRACE_PEEK_SIGINFO +Git-commit: f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 +Patch-mainline: 5.2-rc5 +References: git-fixes + +Recently syzbot in conjunction with KMSAN reported that +ptrace_peek_siginfo can copy an uninitialized siginfo to userspace. +Inspecting ptrace_peek_siginfo confirms this. + +The problem is that off when initialized from args.off can be +initialized to a negaive value. At which point the "if (off >= 0)" +test to see if off became negative fails because off started off +negative. + +Prevent the core problem by adding a variable found that is only true +if a siginfo is found and copied to a temporary in preparation for +being copied to userspace. + +Prevent args.off from being truncated when being assigned to off by +testing that off is <= the maximum possible value of off. Convert off +to an unsigned long so that we should not have to truncate args.off, +we have well defined overflow behavior so if we add another check we +won't risk fighting undefined compiler behavior, and so that we have a +type whose maximum value is easy to test for. + +Cc: Andrei Vagin +Cc: stable@vger.kernel.org +Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com +Fixes: 84c751bd4aeb ("ptrace: add ability to retrieve signals without removing from a queue (v4)") +Signed-off-by: "Eric W. 
Biederman" +Signed-off-by: Jiri Slaby +--- + kernel/ptrace.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -704,6 +704,10 @@ static int ptrace_peek_siginfo(struct ta + if (arg.nr < 0) + return -EINVAL; + ++ /* Ensure arg.off fits in an unsigned long */ ++ if (arg.off > ULONG_MAX) ++ return 0; ++ + if (arg.flags & PTRACE_PEEKSIGINFO_SHARED) + pending = &child->signal->shared_pending; + else +@@ -711,18 +715,20 @@ static int ptrace_peek_siginfo(struct ta + + for (i = 0; i < arg.nr; ) { + siginfo_t info; +- s32 off = arg.off + i; ++ unsigned long off = arg.off + i; ++ bool found = false; + + spin_lock_irq(&child->sighand->siglock); + list_for_each_entry(q, &pending->list, list) { + if (!off--) { ++ found = true; + copy_siginfo(&info, &q->info); + break; + } + } + spin_unlock_irq(&child->sighand->siglock); + +- if (off >= 0) /* beyond the end of the list */ ++ if (!found) /* beyond the end of the list */ + break; + + #ifdef CONFIG_COMPAT diff --git a/patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch b/patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch new file mode 100644 index 0000000..d67ddc4 --- /dev/null +++ b/patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch 
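Review bot: The new guard `if (arg.off > ULONG_MAX) return 0;` in the `ptrace_peek_siginfo()` patch reports success with zero entries instead of an error, and its one-line comment does not say that this is deliberate. A reader who compares it with the `-EINVAL` returned for `arg.nr < 0` two lines earlier may take it for a slip; I would extend the comment to something like `/* Ensure arg.off fits in an unsigned long; a larger offset cannot index any queued signal, so report zero entries */`, assuming that is the intended contract. The declaration `bool found = false;` also deserves a short comment stating that `info` is only written when `found` is set, since, going by the patch description, that flag is what keeps an unwritten `siginfo_t` from being copied out. The copy to userspace and the rest of the function lie outside the hunk.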
@@ -0,0 +1,105 @@ +From: Eiichi Tsukata +Date: Tue, 25 Jun 2019 10:29:10 +0900 +Subject: tracing/snapshot: Resize spare buffer if size changed +Git-commit: 46cc0b44428d0f0e81f11ea98217fc0edfbeab07 +Patch-mainline: v5.2 +References: bsc#1140726 + +Current snapshot implementation swaps two ring_buffers even though their +sizes are different from each other, that can cause an inconsistency +between the contents of buffer_size_kb file and the current buffer size. + +For example: + + # cat buffer_size_kb + 7 (expanded: 1408) + # echo 1 > events/enable + # grep bytes per_cpu/cpu0/stats + bytes: 1441020 + # echo 1 > snapshot // current:1408, spare:1408 + # echo 123 > buffer_size_kb // current:123, spare:1408 + # echo 1 > snapshot // current:1408, spare:123 + # grep bytes per_cpu/cpu0/stats + bytes: 1443700 + # cat buffer_size_kb + 123 // != current:1408 + +And also, a similar per-cpu case hits the following WARNING: + +Reproducer: + + # echo 1 > per_cpu/cpu0/snapshot + # echo 123 > buffer_size_kb + # echo 1 > per_cpu/cpu0/snapshot + +WARNING: + + WARNING: CPU: 0 PID: 1946 at kernel/trace/trace.c:1607 update_max_tr_single.part.0+0x2b8/0x380 + Modules linked in: + CPU: 0 PID: 1946 Comm: bash Not tainted 5.2.0-rc6 #20 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 + RIP: 0010:update_max_tr_single.part.0+0x2b8/0x380 + Code: ff e8 dc da f9 ff 0f 0b e9 88 fe ff ff e8 d0 da f9 ff 44 89 ee bf f5 ff ff ff e8 33 dc f9 ff 41 83 fd f5 74 96 e8 b8 da f9 ff <0f> 0b eb 8d e8 af da f9 ff 0f 0b e9 bf fd ff ff e8 a3 da f9 ff 48 + RSP: 0018:ffff888063e4fca0 EFLAGS: 00010093 + RAX: ffff888066214380 RBX: ffffffff99850fe0 RCX: ffffffff964298a8 + RDX: 0000000000000000 RSI: 00000000fffffff5 RDI: 0000000000000005 + RBP: 1ffff1100c7c9f96 R08: ffff888066214380 R09: ffffed100c7c9f9b + R10: ffffed100c7c9f9a R11: 0000000000000003 R12: 0000000000000000 + R13: 00000000ffffffea R14: ffff888066214380 R15: ffffffff99851060 + FS: 00007f9f8173c700(0000) 
GS:ffff88806d000000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000714dc0 CR3: 0000000066fa6000 CR4: 00000000000006f0 + Call Trace: + ? trace_array_printk_buf+0x140/0x140 + ? __mutex_lock_slowpath+0x10/0x10 + tracing_snapshot_write+0x4c8/0x7f0 + ? trace_printk_init_buffers+0x60/0x60 + ? selinux_file_permission+0x3b/0x540 + ? tracer_preempt_off+0x38/0x506 + ? trace_printk_init_buffers+0x60/0x60 + __vfs_write+0x81/0x100 + vfs_write+0x1e1/0x560 + ksys_write+0x126/0x250 + ? __ia32_sys_read+0xb0/0xb0 + ? do_syscall_64+0x1f/0x390 + do_syscall_64+0xc1/0x390 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +This patch adds resize_buffer_duplicate_size() to check if there is a +difference between current/spare buffer sizes and resize a spare buffer +if necessary. + +Link: http://lkml.kernel.org/r/20190625012910.13109-1-devel@etsukata.com + +Cc: stable@vger.kernel.org +Fixes: ad909e21bbe69 ("tracing: Add internal tracing_snapshot() functions") +Signed-off-by: Eiichi Tsukata +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Miroslav Benes +--- + kernel/trace/trace.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 4122ccde6ec2..c3aabb576fe5 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -6719,11 +6719,13 @@ tracing_snapshot_write(struct file *filp, const char __user *ubuf, size_t cnt, + break; + } + #endif +- if (!tr->allocated_snapshot) { ++ if (tr->allocated_snapshot) ++ ret = resize_buffer_duplicate_size(&tr->max_buffer, ++ &tr->trace_buffer, iter->cpu_file); ++ else + ret = tracing_alloc_snapshot_instance(tr); +- if (ret < 0) +- break; +- } ++ if (ret < 0) ++ break; + local_irq_disable(); + /* Now, we're going to swap */ + if (iter->cpu_file == RING_BUFFER_ALL_CPUS) + diff --git a/rpm/gitlog-excludes b/rpm/gitlog-excludes index 3ebe117..4cc953f 100644 --- a/rpm/gitlog-excludes +++ b/rpm/gitlog-excludes 
@@ -46,3 +46,7 @@ afad726eebefbb4c892476482bf48f4ec8f5e4ad 3970eda87249720404ed2fccd0f5b09281272071 6ee531a251e417d971b85d64ca9be65023b79921 9107bf77b44c09488b7909f35ebd6ff01315e8fa +bac621c6704610562ebd9e74ae5ad85ca8025681 +5568093d5dbacaeb60b6e0f7f4bbe384b586b82a +821419f311f3edd58124e551664a2362b62671d6 +16acab4bfa6b2421267eb4833ae3a6a5a763ff2f diff --git a/rpm/post.sh b/rpm/post.sh index 1569b8b..9929880 100644 --- a/rpm/post.sh +++ b/rpm/post.sh @@ -10,7 +10,7 @@ for x in /boot/@IMAGE@ /boot/initrd; do ln -s ${x##*/}-@KERNELRELEASE@-@FLAVOR@ $x$suffix done -# Add symlinks of compatible modules to /lib/modules/$krel/weak-updates/, +# Add symlinks of compatible modules to /lib/modules/$krel/weak-updates/, # run depmod and mkinitrd wm2=/usr/lib/module-init-tools/weak-modules2 if [ -x $wm2 ]; then @@ -21,7 +21,7 @@ if [ -x $wm2 ]; then rpm -ql $nvr | /bin/bash -${-/e/} $wm2 --add-kernel-modules @KERNELRELEASE@-@FLAVOR@ fi else - echo "$wm does not exist, please run depmod and mkinitrd manually" >&2 + echo "$wm2 does not exist, please run depmod and mkinitrd manually" >&2 fi message_install_bl () { diff --git a/scripts/git_sort/git_sort.py b/scripts/git_sort/git_sort.py index dc9aabb..342c913 100755 --- a/scripts/git_sort/git_sort.py +++ b/scripts/git_sort/git_sort.py @@ -228,6 +228,7 @@ remotes = ( Head(RepoURL("viro/vfs.git"), "fixes"), Head(RepoURL("jeyu/linux.git"), "modules-next"), Head(RepoURL("nvdimm/nvdimm.git"), "libnvdimm-for-next"), + Head(RepoURL("nvdimm/nvdimm.git"), "libnvdimm-fixes"), Head(RepoURL("djbw/nvdimm.git"), "libnvdimm-pending"), Head(RepoURL("git://git.linux-nfs.org/projects/anna/linux-nfs.git"), "linux-next"), Head(RepoURL("acme/linux.git"), "perf/core"), diff --git a/series.conf b/series.conf index e4334f9..72d6715 100644 --- a/series.conf +++ b/series.conf 
@@ -35738,6 +35738,7 @@ patches.fixes/kconfig-fix-the-rule-of-mainmenu_stmt-symbol.patch patches.arch/x86-i8259-add-missing-include-file patches.drivers/net-usb-r8152-use-irqsave-in-USB-s-complete-callback.patch + patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch patches.drivers/net_sched-remove-unused-htb-drop_list.patch patches.drivers/tls-Removed-unused-variable.patch patches.drivers/bnxt-simplify-cls_flower-command-switch-and-handle-d.patch @@ -39133,6 +39134,7 @@ patches.drivers/mfd-intel-lpss-Add-Ice-Lake-PCI-IDs.patch patches.drivers/mfd-arizona-Don-t-use-regmap_read_poll_timeout patches.drivers/mfd-ti_am335x_tscadc-Fix-struct-clk-memory-leak.patch + patches.drivers/mfd-hi655x-Fix-regmap-area-declared-size-for-hi655x.patch patches.drivers/mfd-sm501-Set-coherent_dma_mask-when-creating-subdev patches.drivers/HID-hid-ntrig-add-error-handling-for-sysfs_create_gr.patch patches.drivers/HID-wacom-Replace-touch_max-fixup-code-with-static-t.patch @@ -39370,6 +39372,7 @@ patches.apparmor/apparmor-fix-an-error-code-in-__aa_create_ns.patch patches.apparmor/apparmor-remove-no-op-permission-check-in-policy_unpack.patch patches.drivers/iommu-arm-smmu-error-out-only-if-not-enough-context-interrupts + patches.fixes/iommu-arm-smmu-v3-sync-the-OVACKFLG-to-PRIQ-consumer.patch patches.drivers/iommu-arm-smmu-v3-Prevent-any-devices-access-to-memo.patch patches.drivers/iommu-arm-smmu-v3-Abort-all-transactions-if-SMMU-is-.patch patches.drivers/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed 
@@ -41960,6 +41963,7 @@ patches.suse/msft-hv-1758-uio_hv_generic-drop-ifdef-DEBUG.patch patches.suse/msft-hv-1759-Drivers-hv-vmbus-Fix-synic-per-cpu-context-initializ.patch patches.drivers/uio-ensure-class-is-registered-before-devices.patch + patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch patches.suse/msft-hv-1767-vmbus-pass-channel-to-hv_process_channel_removal.patch patches.suse/msft-hv-1768-vmbus-keep-pointer-to-ring-buffer-page.patch patches.suse/msft-hv-1769-vmbus-split-ring-buffer-allocation-from-open.patch @@ -42092,6 +42096,7 @@ patches.suse/0001-mm-defer-ZONE_DEVICE-page-initialization-to-the-poin.patch patches.suse/mm-split-swp_file-into-swp_activated-and-swp_fs.patch patches.suse/mm-export-add_swap_extent.patch + patches.suse/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch patches.drivers/0432-rtc-ds1307-add-offset-sysfs-for-mt41txx-chips.patch patches.drivers/0433-rtc-ds1307-add-frequency_test_enable-attribute-on-m4.patch patches.drivers/0457-rtc-ds1307-fix-ds1339-wakealarm-support.patch @@ -42685,6 +42690,7 @@ patches.drivers/efi-arm-Defer-persistent-reservations-until-after-pa.patch patches.drivers/efi-Permit-calling-efi_mem_reserve_persistent-from-a.patch patches.arch/perf-x86-intel-uncore-support-coffeelake-8th-cbox.patch + patches.suse/hugetlbfs-fix-kernel-BUG-at-fs-hugetlbfs-inode.c-444.patch patches.fixes/ocfs2-free-up-write-context-when-direct-IO-failed.patch patches.suse/mm-vmstat.c-fix-NUMA-statistics-updates.patch patches.fixes/lib-ubsan.c-don-t-mark-__ubsan_handle_builtin_unreac.patch 
@@ -44388,6 +44394,8 @@ patches.drivers/revert-iommu-io-pgtable-arm-check-for-v7s-incapable-systems patches.fixes/iommu-arm-smmu-v3-Fix-big-endian-CMD_SYNC-writes.patch patches.drivers/iommu-arm-smmu-v3-avoid-memory-corruption-from-hisilicon-msi-payloads + patches.fixes/iommu-arm-smmu-v3-Use-explicit-mb-when-moving-cons-p.patch + patches.fixes/iommu-arm-smmu-Add-support-for-qcom-smmu-v2-variant.patch patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw patches.drivers/iommu-amd-fix-amd_iommu-force_isolation patches.drivers/iommu-dma-use-numa-aware-memory-allocations-in-_iommu_dma_alloc_pages @@ -45468,6 +45476,7 @@ patches.drivers/stm-class-Fix-an-endless-loop-in-channel-allocation.patch patches.drivers/stm-class-Prevent-division-by-zero.patch patches.suse/msft-hv-1845-Drivers-hv-vmbus-Change-server-monitor_pages-index-t.patch + patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch patches.drivers/VMCI-Support-upto-64-bit-PPNs.patch patches.drivers/misc-hpilo-Exclude-unsupported-device-via-blacklist.patch patches.drivers/misc-hpilo-Do-not-claim-unsupported-hardware.patch 
@@ -45922,10 +45931,14 @@ patches.fixes/libnvdimm-label-clear-updating-flag-after-label-set-update.patch patches.fixes/nfit-Fix-nfit_intel_shutdown_status-command-submissi.patch patches.fixes/nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch + patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch patches.fixes/libnvdimm-Fix-altmap-reservation-size-calculation.patch patches.fixes/libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch patches.fixes/nfit-ars-Attempt-a-short-ARS-whenever-the-ARS-state-.patch patches.fixes/nfit-ars-Attempt-short-ARS-even-in-the-no_init_ars-c.patch + patches.drivers/nfit-ars-introduce-scrub_flags.patch + patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch + patches.drivers/nfit-ars-avoid-stale-ars-results.patch patches.fixes/0001-crypto-caam-add-missing-put_device-call.patch patches.drivers/clk-highbank-fix-refcount-leak-in-hb_clk_init.patch patches.drivers/clk-qoriq-fix-refcount-leak-in-clockgen_init.patch @@ -46066,6 +46079,7 @@ patches.drivers/thermal-int340x_thermal-fix-mode-setting.patch patches.arch/thermal-intel_powerclamp-fix-truncated-kthread-name.patch patches.fixes/irqchip-gic-v3-its-Fix-comparison-logic-in-lpi_range.patch + patches.fixes/irqchip-mbigen-Don-t-clear-eventid-when-freeing-an-M.patch patches.fixes/0001-futex-Ensure-that-futex-address-is-aligned-in-handle.patch patches.suse/msft-hv-1856-x86-hyperv-Prevent-potential-NULL-pointer-dereferenc.patch patches.fixes/ext4-fix-NULL-pointer-dereference-while-journal-is-a.patch 
@@ -46151,6 +46165,7 @@ patches.fixes/0001-mm-debug.c-fix-__dump_page-when-mapping-host-is-not-.patch patches.suse/ptrace-take-into-account-saved_sigmask-in-PTRACE-GET.patch patches.fixes/0001-mm-page_isolation.c-fix-a-wrong-flag-in-set_migratet.patch + patches.fixes/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch patches.fixes/ACPI-CPPC-Fix-guaranteed-performance-handling.patch patches.fixes/cpufreq-intel_pstate-Also-use-CPPC-nominal_perf-for-.patch patches.drivers/usb-host-xhci-rcar-Add-XHCI_TRUST_TX_LENGTH-quirk.patch @@ -46178,6 +46193,7 @@ patches.drivers/serial-ar933x_uart-Fix-build-failure-with-disabled-c.patch patches.drivers/serial-sh-sci-Fix-setting-SCSCR_TIE-while-transferri.patch patches.drivers/Disable-kgdboc-failed-by-echo-space-to-sys-module-kg.patch + patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch patches.drivers/staging-rtl8188eu-Fix-potential-NULL-pointer-derefer.patch patches.drivers/staging-rtlwifi-rtl8822b-fix-to-avoid-potential-NULL.patch patches.drivers/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch @@ -46209,6 +46225,7 @@ patches.drivers/ixgbe-fix-mdio-bus-registration.patch patches.drivers/fm10k-Fix-a-potential-NULL-pointer-dereference.patch patches.drivers/qmi_wwan-add-Olicard-600.patch + patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch patches.drivers/nfp-disable-netpoll-on-representors.patch patches.fixes/openvswitch-fix-flow-actions-reallocation.patch patches.fixes/net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch 
@@ -46439,6 +46456,7 @@ patches.suse/tracing-fix-a-memory-leak-by-early-error-exit-in-trace_pid_write.patch patches.suse/mm-page_alloc.c-avoid-potential-NULL-pointer-dereference.patch patches.suse/mm-page_alloc.c-fix-never-set-ALLOC_NOFRAGMENT-flag.patch + patches.fixes/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch patches.drivers/Input-synaptics-rmi4-write-config-register-values-to.patch patches.drivers/dmaengine-sh-rcar-dmac-With-cyclic-DMA-residue-0-is-.patch @@ -46482,6 +46500,7 @@ patches.drivers/i2c-imx-correct-the-method-of-getting-private-data-i.patch patches.drivers/i2c-synquacer-fix-enumeration-of-slave-devices.patch patches.arch/KVM-PPC-Book3S-Protect-memslots-while-validating-use.patch + patches.fixes/Abort-file_remove_privs-for-non-reg.-files.patch patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch patches.arch/x86-mm-mem_encrypt-disable-all-instrumentation-for-early-sme-setup.patch patches.arch/perf-x86-amd-update-generic-hardware-cache-events-for-family-17h.patch @@ -46604,6 +46623,7 @@ patches.suse/block-check_events-don-t-bother-with-events-if-un.patch patches.fixes/block-fix-use-after-free-on-gendisk.patch patches.fixes/nvme-multipath-split-bios-with-the-ns_head-bio_set-b.patch + patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch patches.fixes/audit-fix-a-memleak-caused-by-auditing-load-module.patch patches.fixes/audit-fix-a-memory-leak-bug.patch patches.fixes/ext4-make-sanity-check-in-mballoc-more-strict.patch 
@@ -46685,6 +46705,7 @@ patches.drivers/ice-Update-comment-regarding-the-ITR_GRAN_S.patch patches.drivers/ice-Remove-2-BITS-comment.patch patches.drivers/bnx2x-Utilize-FW-7.13.11.0.patch + patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch patches.fixes/batman-adv-allow-updating-DAT-entry-timeouts-on-inco.patch patches.drivers/cxgb4-Update-1.23.3.0-as-the-latest-firmware-support.patch patches.drivers/cxgb4-cxgb4vf-Display-advertised-FEC-in-ethtool.patch @@ -46952,6 +46973,7 @@ patches.drivers/scsi-qedf-missing-kref_put-in-qedf_xmit.patch patches.drivers/scsi-qedf-fixup-locking-in-qedf_restart_rport.patch patches.drivers/scsi-qedf-fixup-bit-operations.patch + patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch patches.drivers/scsi-qla2xxx-Set-remote-port-devloss-timeout-to-0.patch patches.drivers/scsi-hisi_sas-add-host-reset-interface-for-test patches.drivers/scsi-hisi_sas-remedy-inconsistent-phy-down-state-in-software @@ -46969,6 +46991,7 @@ patches.drivers/scsi-libsas-do-discovery-on-empty-phy-to-update-phy-info patches.drivers/scsi-libsas-print-expander-phy-indexes-in-decimal patches.drivers/scsi-qla2xxx-Fix-read-offset-in-qla24xx_load_risc_fl.patch + patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch patches.drivers/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch patches.drivers/media-saa7146-avoid-high-stack-usage-with-clang.patch 
@@ -47103,6 +47126,8 @@ patches.drivers/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch patches.drivers/clk-rockchip-fix-wrong-clock-definitions-for-rk3328.patch patches.drivers/clk-rockchip-Fix-video-codec-clocks-on-rk3288.patch + patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch + patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch patches.drivers/net-hns3-remove-redundant-assignment-of-l2_hdr-to-it.patch patches.suse/tipc-fix-hanging-clients-using-poll-with-EPOLLOUT-fl.patch patches.fixes/vlan-disable-SIOCSHWTSTAMP-in-container.patch @@ -47236,12 +47261,14 @@ patches.fixes/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch patches.fixes/nvme-fc-use-separate-work-queue-to-avoid-warning.patch patches.fixes/nvme-multipath-avoid-crash-on-invalid-subsystem-cntl.patch + patches.arch/kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes patches.arch/KVM-PPC-Book3S-HV-Avoid-lockdep-debugging-in-TCE-rea.patch patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch + patches.fixes/0006-irqchip-gic-v3-its-fix-some-definitions-of-inner-cac.patch patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch patches.fixes/ext4-fix-data-corruption-caused-by-overlapping-unali.patch patches.fixes/ext4-avoid-panic-during-forced-reboot-due-to-aborted.patch 
@@ -47277,10 +47304,15 @@ patches.drivers/mmc-sdhci-iproc-Set-NO_HISPD-bit-to-fix-HS50-data-ho.patch patches.drivers/platform-x86-pmc_atom-Add-Lex-3I380D-industrial-PC-t.patch patches.drivers/platform-x86-pmc_atom-Add-several-Beckhoff-Automatio.patch + patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch patches.fixes/blk-mq-fix-hang-caused-by-freeze-unfreeze-sequence.patch + patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch patches.fixes/ext4-wait-for-outstanding-dio-during-truncate-in-noj.patch + patches.fixes/ext4-do-not-delete-unlinked-inode-from-orphan-list-o.patch patches.arch/kvm-x86-include-multiple-indices-with-cpuid-leaf-0x8000001d.patch patches.arch/kvm-x86-include-cpuid-leaf-0x8000001e-in-kvm-s-supported-cpuid.patch + patches.arch/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id + patches.arch/kvm-x86-fix-return-value-for-reserved-efer patches.drivers/gpio-fix-gpio-adp5588-build-errors.patch patches.fixes/doc-Cope-with-the-deprecation-of-AutoReporter.patch patches.fixes/0001-docs-Fix-conf.py-for-Sphinx-2.0.patch @@ -47365,6 +47397,8 @@ patches.fixes/0001-test_firmware-Use-correct-snprintf-limit.patch patches.drivers/spi-bitbang-Fix-NULL-pointer-dereference-in-spi_unre.patch patches.drivers/spi-spi-fsl-spi-call-spi_finalize_current_message-at.patch + patches.suse/signal-ptrace-Don-t-leak-unitialized-kernel-memory-w.patch + patches.suse/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch patches.drivers/HID-wacom-Don-t-set-tool-type-until-we-re-in-range.patch patches.drivers/HID-wacom-Don-t-report-anything-prior-to-the-tool-en.patch patches.drivers/HID-wacom-Send-BTN_TOUCH-in-response-to-INTUOSP2_BT-.patch 
@@ -47376,6 +47410,8 @@ patches.drivers/ASoC-fsl_asrc-Fix-the-issue-about-unsupported-rate.patch patches.drivers/ASoC-cs42xx8-Add-regcache-mask-dirty.patch patches.drivers/Revert-ALSA-hda-realtek-Improve-the-headset-mic-for-.patch + patches.drivers/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes + patches.fixes/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch patches.fixes/0001-coredump-fix-race-condition-between-collapse_huge_pa.patch patches.drivers/drivers-base-devres-introduce-devm_release_action.patch patches.drivers/mm-devm_memremap_pages-introduce-devm_memunmap_pages.patch @@ -47388,6 +47424,7 @@ patches.drm/drm-mediatek-call-drm_atomic_helper_shutdown-when-un.patch patches.drm/drm-mediatek-clear-num_pipes-when-unbind-driver.patch patches.drm/drm-mediatek-call-mtk_dsi_stop-after-mtk_drm_crtc_at.patch + patches.drm/drm-i915-dmc-protect-against-reading-random-memory.patch patches.drm/drm-i915-sdvo-Implement-proper-HDMI-audio-support-fo.patch patches.drm/drm-i915-perf-fix-whitelist-on-Gen10.patch patches.drm/drm-panel-orientation-quirks-Add-quirk-for-GPD-pocke.patch @@ -47417,6 +47454,9 @@ patches.fixes/can-purge-socket-error-queue-on-sock-destruct.patch patches.drivers/net-mlx5-Update-pci-error-handler-entries-and-comman.patch patches.drivers/net-mlx5-Avoid-reloading-already-removed-devices.patch + patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch + patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch + patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch patches.drivers/net-tls-correctly-account-for-copied-bytes-with-mult.patch patches.drivers/mlxsw-spectrum_flower-Fix-TOS-matching.patch patches.drivers/net-mvpp2-prs-Fix-parser-range-for-VID-filtering.patch 
@@ -47443,37 +47483,70 @@
 patches.fixes/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
 patches.drivers/Input-uinput-add-compat-ioctl-number-translation-for.patch
 patches.drivers/Input-synaptics-enable-SMBus-on-ThinkPad-E480-and-E5.patch
+ patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
 patches.drivers/PCI-PM-Skip-devices-in-D0-for-suspend-to-idle.patch
 patches.drivers/mmc-core-complete-HS400-before-checking-status.patch
 patches.drivers/mmc-core-Prevent-processing-SDIO-IRQs-when-the-card-.patch
 patches.fixes/0001-usb-chipidea-udc-workaround-for-endpoint-conflict-is.patch
+ patches.drivers/staging-iio-ad7150-fix-threshold-mode-config-bit.patch
 patches.drm/drm-vmwgfx-Use-the-backdoor-port-if-the-HB-port-is-n.patch
 patches.drm/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch
 patches.drm/drm-i915-gvt-ignore-unexpected-pvinfo-write.patch
 patches.drivers/IB-hfi1-Validate-fault-injection-opcode-user-input.patch
 patches.drivers/IB-hfi1-Create-inline-to-get-extended-headers.patch
 patches.drivers/net-udp_gso-Allow-TX-timestamp-with-UDP-GSO.patch
+ patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch
 patches.drivers/Bluetooth-Fix-regression-with-minimum-encryption-key.patch
 patches.arch/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch
 patches.drivers/ppp-mppe-Add-softdep-to-arc4.patch
 patches.drivers/net-sched-cbs-Fix-error-path-of-cbs_module_init.patch
 patches.drivers/net-tls-fix-page-double-free-on-TX-cleanup.patch
+ patches.drivers/qmi_wwan-Fix-out-of-bounds-read.patch
+ patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch
 patches.fixes/mm-soft-offline-return-EBUSY-if-set_hwpoison_free_bu.patch
 patches.fixes/mm-hugetlb-soft-offline-dissolve_free_huge_page-retu.patch
 patches.fixes/Bluetooth-Fix-faulty-expression-for-minimum-encrypti.patch
+ patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
+ patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch
+ patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
+ patches.drivers/ALSA-hda-realtek-Add-quirks-for-several-Clevo-notebo.patch
+ patches.drivers/ALSA-usb-audio-fix-sign-unintended-sign-extension-on.patch
+ patches.drivers/ALSA-hda-realtek-Change-front-mic-location-for-Lenov.patch
+ patches.drivers/ALSA-seq-fix-incorrect-order-of-dest_client-dest_por.patch
+ patches.drivers/ALSA-firewire-lib-fireworks-fix-miss-detection-of-re.patch
+ patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch
+ patches.fixes/dax-Fix-xarray-entry-association-for-mixed-mappings.patch
+ patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch
+ patches.fixes/crypto-cryptd-Fix-skcipher-instance-memory-leak.patch
+ patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
 patches.drm/drm-amd-powerplay-use-hardware-fan-control-if-no-pow.patch
+ patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch
 patches.drm/drm-etnaviv-add-missing-failure-path-to-destroy-suba.patch
 patches.drm/drm-imx-notify-drm-core-before-sending-event-during-.patch
 patches.drm/drm-imx-only-send-event-on-crtc-disable-if-kept-disa.patch
 patches.fixes/scsi-target-iblock-fix-overrun-in-write-same-emulation
+ patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch
+ patches.drivers/pwm-stm32-Use-3-cells-of_xlate.patch
+ patches.drivers/gpio-omap-fix-lack-of-irqstatus_raw0-for-OMAP4.patch
+ patches.drivers/regulator-s2mps11-Fix-buck7-and-buck8-wrong-voltages.patch
+ patches.drivers/iommu-vt-d-remove-unnecessary-rcu_read_locks
+ patches.drivers/iommu-fix-a-leak-in-iommu_insert_resv_region
+ patches.drivers/iommu-vt-d-duplicate-iommu_resv_region-objects-per-device-list
+ patches.drivers/iommu-vt-d-introduce-is_downstream_to_pci_bridge-helper
+ patches.drivers/iommu-vt-d-handle-rmrr-with-pci-bridge-device-scopes
+
patches.drivers/iommu-vt-d-handle-pci-bridge-rmrr-device-scopes-in-intel_iommu_get_resv_regions + patches.drivers/iommu-amd-make-iommu_disable-safer + patches.drivers/iommu-use-right-function-to-get-group-for-device patches.drivers/ALSA-usb-audio-Fix-parse-of-UAC2-Extension-Units.patch + patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC + patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072 + patches.drivers/ASoC-cx2072x-fix-integer-overflow-on-unsigned-int-mu.patch + patches.drivers/ACPI-PM-Avoid-evaluating-_PS3-on-transitions-from-D3.patch + patches.drivers/ACPI-PM-Allow-transitions-to-D0-to-occur-in-special-.patch + patches.fixes/PCI-Do-not-poll-for-PME-if-the-device-is-in-D3cold.patch patches.fixes/PM-ACPI-PCI-Resume-all-devices-during-hibernation.patch patches.drivers/ACPICA-Clear-status-of-GPEs-on-first-direct-enable.patch - - # davem/net - patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch - patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch - patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch + patches.drivers/documentation-dma-api-fix-a-function-name-of-max_mapping_size # davem/net-next patches.drivers/cxgb4-Enable-hash-filter-with-offload.patch @@ -47583,13 +47656,10 @@ patches.drivers/scsi-mpt3sas-Introduce-perf_mode-module-parameter.patch patches.drivers/scsi-mpt3sas-Update-driver-version-to-29.100.00.00.patch - # djbw/nvdimm libnvdimm-pending + # nvdimm/nvdimm libnvdimm-fixes patches.fixes/drivers-base-introduce-kill_device.patch patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch - # herbert/crypto-2.6 - patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch - # out-of-tree patches patches.drivers/firmware-arm_sdei-fix-wrong-of_node_put-in-init-function.patch patches.drivers/net-mvpp2-fix-condition-for-setting-up-link-interrup.patch 
@@ -48012,9 +48082,6 @@ patches.suse/cdrom-turn-off-autoclose-by-default.patch patches.suse/scsi-sr-workaround-VMware-ESXi-cdrom-emulation-bug.patch - # bsc#1136922 - patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch - ######################################################## # DRM/Video ######################################################## @@ -48049,6 +48116,8 @@ patches.suse/ibmveth-Update-ethtool-settings-to-reflect-virtual-p.patch patches.fixes/irda-Fix-memory-leak-caused-by-repeated-binds-of-ird.patch patches.fixes/irda-Only-insert-new-objects-into-the-global-databas.patch + patches.kabi/kabi-handle-addition-of-net-hash_mix.patch + patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch ######################################################## # Netfilter @@ -48068,8 +48137,6 @@ ########################################################## # Sound ########################################################## - patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC - patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072 ######################################################## # printk @@ -48272,6 +48339,7 @@ patches.suse/0008-kabi-arm64-reserve-space-in-cpu_hwcaps-and-cpu_hwcap.patch patches.suse/prepare-arm64-kgraft patches.suse/powerpc-KABI-add-aux_ptr-to-hole-in-paca_struct-to-e.patch + patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch patches.kabi/Fix-struct-page-kABI-after-adding-atomic-for-ppc.patch patches.kabi/kabi-arm64-cpuhotplug-Reuse-other-arch-s-cpuhp_state.patch @@ -48321,6 +48389,8 @@ patches.kabi/x86-topology-Add-CPUID.1F-multi-die-package-support.patch patches.kabi/x86-topology-Define-topology_logical_die_id.patch + patches.kabi/kabi-fixup-blk_mq_register_dev.patch + ######################################################## # You'd better have a good reason for adding a patch # below here.