From 8638283570e3409279f443994b03e923dffe0dc7 Mon Sep 17 00:00:00 2001 From: Kernel Build Daemon Date: Feb 28 2020 06:18:33 +0000 Subject: Merge branch 'SLE12-SP5' into SLE12-SP5-AZURE
---
diff --git a/blacklist.conf b/blacklist.conf
index 684b2a1..62f0347 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1462,3 +1462,5 @@ b527b638fd63ba791dc90a0a6e9a3035b10df52b # many prerequisities, not worth it
 bd0abfa8ca1dab85e9cedbf1988e5b4e53c67584 # Documentation only
 fd933c00ebe220060e66fb136a7050a242456566 # Documentation only
 39323c64b8a95d10ddc66dc815dd14efdddf6777 # Documentation only
+84029fd04c201a4c7e0b07ba262664900f47c6f5 # changes limit semantics, fixes noncritical case, see bsc#1164094
+6df19872d881641e6394f93ef2938cffcbdae5bb # arm 32bit only
diff --git a/config/arm64/default b/config/arm64/default
index d523966..79bc627 100644
--- a/config/arm64/default
+++ b/config/arm64/default
@@ -2089,7 +2089,7 @@ CONFIG_BLK_DEV_SD=y
 CONFIG_CHR_DEV_ST=m
 CONFIG_CHR_DEV_OSST=m
 CONFIG_BLK_DEV_SR=m
-# CONFIG_BLK_DEV_SR_VENDOR is not set
+CONFIG_BLK_DEV_SR_VENDOR=y
 CONFIG_CHR_DEV_SG=m
 CONFIG_CHR_DEV_SCH=m
 CONFIG_SCSI_ENCLOSURE=m
diff --git a/config/s390x/default b/config/s390x/default
index 10b132b..a121c92 100644
--- a/config/s390x/default
+++ b/config/s390x/default
@@ -1519,7 +1519,7 @@ CONFIG_BLK_DEV_SD=m
 CONFIG_CHR_DEV_ST=m
 CONFIG_CHR_DEV_OSST=m
 CONFIG_BLK_DEV_SR=m
-# CONFIG_BLK_DEV_SR_VENDOR is not set
+CONFIG_BLK_DEV_SR_VENDOR=y
 CONFIG_CHR_DEV_SG=m
 CONFIG_CHR_DEV_SCH=m
 CONFIG_SCSI_CONSTANTS=y
diff --git a/config/x86_64/default b/config/x86_64/default
index 63c541a..dd424fb 100644
--- a/config/x86_64/default
+++ b/config/x86_64/default
@@ -2243,7 +2243,7 @@ CONFIG_BLK_DEV_SD=m
 CONFIG_CHR_DEV_ST=m
 CONFIG_CHR_DEV_OSST=m
 CONFIG_BLK_DEV_SR=m
-# CONFIG_BLK_DEV_SR_VENDOR is not set
+CONFIG_BLK_DEV_SR_VENDOR=y
 CONFIG_CHR_DEV_SG=m
 CONFIG_CHR_DEV_SCH=m
 CONFIG_SCSI_ENCLOSURE=m
diff --git a/patches.suse/0001-ALSA-hda-realtek-Fix-silent-output-on-MSI-GL73.patch b/patches.suse/0001-ALSA-hda-realtek-Fix-silent-output-on-MSI-GL73.patch new file mode 100644 index 0000000..1facfbe --- /dev/null +++ b/patches.suse/0001-ALSA-hda-realtek-Fix-silent-output-on-MSI-GL73.patch @@ -0,0 +1,36 @@ +From 7dafba3762d6c0083ded00a48f8c1a158bc86717 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 12 Feb 2020 09:10:47 +0100 +Subject: [PATCH] ALSA: hda/realtek - Fix silent output on MSI-GL73 +Git-commit: 7dafba3762d6c0083ded00a48f8c1a158bc86717 +References: git-fixes +Patch-mainline: v5.6-rc2 + +MSI-GL73 laptop with ALC1220 codec requires a similar workaround for +Clevo laptops to enforce the DAC/mixer connection path. Set up a +quirk entry for that. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204159 +Cc: +Link: https://lore.kernel.org/r/20200212081047.27727-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Oliver Neukum +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 3ee88adf57e7..6c8cb4ce517e 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2447,6 +2447,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { + SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD), + SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE), + SND_PCI_QUIRK(0x1458, 0xa0b8, "Gigabyte AZ370-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), ++ SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD), + SND_PCI_QUIRK(0x1462, 0xda57, "MSI Z270-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), + SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3), +-- +2.16.4 + 
diff --git a/patches.suse/0001-ALSA-usb-audio-Apply-sample-rate-quirk-for-Audioengi.patch b/patches.suse/0001-ALSA-usb-audio-Apply-sample-rate-quirk-for-Audioengi.patch new file mode 100644 index 0000000..1e0cef5 --- /dev/null +++ b/patches.suse/0001-ALSA-usb-audio-Apply-sample-rate-quirk-for-Audioengi.patch 
@@ -0,0 +1,45 @@ +From 93f9d1a4ac5930654c17412e3911b46ece73755a Mon Sep 17 00:00:00 2001 +From: Arvind Sankar +Date: Tue, 11 Feb 2020 11:22:35 -0500 +Subject: [PATCH] ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 +Git-commit: 93f9d1a4ac5930654c17412e3911b46ece73755a +References: git-fixes +Patch-mainline: v5.6-rc2 + +The Audioengine D1 (0x2912:0x30c8) does support reading the sample rate, +but it returns the rate in byte-reversed order. + +When setting sampling rate, the driver produces these warning messages: +[168840.944226] usb 3-2.2: current rate 4500480 is different from the runtime rate 44100 +[168854.930414] usb 3-2.2: current rate 8436480 is different from the runtime rate 48000 +[168905.185825] usb 3-2.1.2: current rate 30465 is different from the runtime rate 96000 + +As can be seen from the hexadecimal conversion, the current rate read +back is byte-reversed from the rate that was set. + +44100 == 0x00ac44, 4500480 == 0x44ac00 +48000 == 0x00bb80, 8436480 == 0x80bb00 +96000 == 0x017700, 30465 == 0x007701 + +Rather than implementing a new quirk to reverse the order, just skip +checking the rate to avoid spamming the log. + +Signed-off-by: Arvind Sankar +Cc: +Link: https://lore.kernel.org/r/20200211162235.1639889-1-nivedita@alum.mit.edu +Signed-off-by: Takashi Iwai +Signed-off-by: Oliver Neukum +--- + sound/usb/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1281,6 +1281,7 @@ bool snd_usb_get_sample_rate_quirk(struc + case USB_ID(0x1395, 0x740a): /* Sennheiser DECT */ + case USB_ID(0x1901, 0x0191): /* GE B850V3 CP2114 audio interface */ + case USB_ID(0x21B4, 0x0081): /* AudioQuest DragonFly */ ++ case USB_ID(0x2912, 0x30c8): /* Audioengine D1 */ + return true; + } + diff --git a/patches.suse/0001-KVM-fix-spectrev1-gadgets.patch b/patches.suse/0001-KVM-fix-spectrev1-gadgets.patch new file mode 100644 index 0000000..ae7515a --- /dev/null 
+++ b/patches.suse/0001-KVM-fix-spectrev1-gadgets.patch 
@@ -0,0 +1,133 @@ +Patch-mainline: v5.1-rc6 +Git-commit: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c +From: Paolo Bonzini +Date: Thu, 11 Apr 2019 11:16:47 +0200 +Subject: [PATCH] KVM: fix spectrev1 gadgets +References: bsc#1164705 + +These were found with smatch, and then generalized when applicable. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/lapic.c | 4 +++- + include/linux/kvm_host.h | 10 ++++++---- + virt/kvm/irqchip.c | 5 +++-- + virt/kvm/kvm_main.c | 6 ++++-- + 4 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 991fdf7fc17f..9bf70cf84564 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -133,6 +133,7 @@ static inline bool kvm_apic_map_get_logical_dest(struct kvm_apic_map *map, + if (offset <= max_apic_id) { + u8 cluster_size = min(max_apic_id - offset + 1, 16U); + ++ offset = array_index_nospec(offset, map->max_apic_id + 1); + *cluster = &map->phys_map[offset]; + *mask = dest_id & (0xffff >> (16 - cluster_size)); + } else { +@@ -838,7 +839,8 @@ static inline bool kvm_apic_map_get_dest_lapic(struct kvm *kvm, + if (irq->dest_id > map->max_apic_id) { + *bitmap = 0; + } else { +- *dst = &map->phys_map[irq->dest_id]; ++ u32 dest_id = array_index_nospec(irq->dest_id, map->max_apic_id + 1); ++ *dst = &map->phys_map[dest_id]; + *bitmap = 1; + } + return true; +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index 9d55c63db09b..640a03642766 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -484,10 +485,10 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx) + + static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) + { +- /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu, in case +- * the caller has read kvm->online_vcpus before (as is the case +- * for kvm_for_each_vcpu, for 
example). +- */ ++ int num_vcpus = atomic_read(&kvm->online_vcpus); ++ i = array_index_nospec(i, num_vcpus); ++ ++ /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */ + smp_rmb(); + return kvm->vcpus[i]; + } +@@ -571,6 +572,7 @@ void kvm_put_kvm(struct kvm *kvm); + + static inline struct kvm_memslots *__kvm_memslots(struct kvm *kvm, int as_id) + { ++ as_id = array_index_nospec(as_id, KVM_ADDRESS_SPACE_NUM); + return srcu_dereference_check(kvm->memslots[as_id], &kvm->srcu, + lockdep_is_held(&kvm->slots_lock) || + !refcount_read(&kvm->users_count)); +diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c +index 3547b0d8c91e..79e59e4fa3dc 100644 +--- a/virt/kvm/irqchip.c ++++ b/virt/kvm/irqchip.c +@@ -144,18 +144,19 @@ static int setup_routing_entry(struct kvm *kvm, + { + struct kvm_kernel_irq_routing_entry *ei; + int r; ++ u32 gsi = array_index_nospec(ue->gsi, KVM_MAX_IRQ_ROUTES); + + /* + * Do not allow GSI to be mapped to the same irqchip more than once. + * Allow only one to one mapping between GSI and non-irqchip routing. 
+ */ +- hlist_for_each_entry(ei, &rt->map[ue->gsi], link) ++ hlist_for_each_entry(ei, &rt->map[gsi], link) + if (ei->type != KVM_IRQ_ROUTING_IRQCHIP || + ue->type != KVM_IRQ_ROUTING_IRQCHIP || + ue->u.irqchip.irqchip == ei->irqchip.irqchip) + return -EINVAL; + +- e->gsi = ue->gsi; ++ e->gsi = gsi; + e->type = ue->type; + r = kvm_set_routing_entry(kvm, e, ue); + if (r) +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 55fe8e20d8fd..dc8edc97ba85 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2982,12 +2982,14 @@ static int kvm_ioctl_create_device(struct kvm *kvm, + struct kvm_device_ops *ops = NULL; + struct kvm_device *dev; + bool test = cd->flags & KVM_CREATE_DEVICE_TEST; ++ int type; + int ret; + + if (cd->type >= ARRAY_SIZE(kvm_device_ops_table)) + return -ENODEV; + +- ops = kvm_device_ops_table[cd->type]; ++ type = array_index_nospec(cd->type, ARRAY_SIZE(kvm_device_ops_table)); ++ ops = kvm_device_ops_table[type]; + if (ops == NULL) + return -ENODEV; + +@@ -3002,7 +3004,7 @@ static int kvm_ioctl_create_device(struct kvm *kvm, + dev->kvm = kvm; + + mutex_lock(&kvm->lock); +- ret = ops->create(dev, cd->type); ++ ret = ops->create(dev, type); + if (ret < 0) { + mutex_unlock(&kvm->lock); + kfree(dev); +-- +2.16.4 + diff --git a/patches.suse/0001-Revert-locking-pvqspinlock-Don-t-wait-if-vCPU-is-pre.patch b/patches.suse/0001-Revert-locking-pvqspinlock-Don-t-wait-if-vCPU-is-pre.patch new file mode 100644 index 0000000..f5fac12 --- /dev/null +++ b/patches.suse/0001-Revert-locking-pvqspinlock-Don-t-wait-if-vCPU-is-pre.patch 
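Review bot: In `kvm_get_vcpu()` the added `i = array_index_nospec(i, num_vcpus);` turns any out-of-range `i` into 0, so the function then returns `kvm->vcpus[0]` on the normal (non-speculative) path too, and no range check on `i` is visible before it. A caller that passes an index at or past `online_vcpus` and expects NULL would silently get vCPU 0 instead; an explicit guard ahead of the clamp, `if (i < 0 || i >= num_vcpus) return NULL;`, would keep the invalid case distinct, provided callers tolerate NULL. `__kvm_memslots()` and `setup_routing_entry()` have the same shape: the clamped `as_id` and `gsi` are used (and `e->gsi = gsi` is stored) without a visible rejection of out-of-range input, and the allocated length of `rt->map` is outside the hunk, so it should be confirmed that it is not shorter than `KVM_MAX_IRQ_ROUTES`. The rewritten comment in `kvm_get_vcpu()` also drops the explanation of when the `smp_rmb()` matters, which is worth keeping.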
@@ -0,0 +1,69 @@ +From 89340d0935c9296c7b8222b6eab30e67cb57ab82 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Mon, 9 Sep 2019 09:40:28 +0800 +Subject: [PATCH] Revert "locking/pvqspinlock: Don't wait if vCPU is preempted" +Git-commit: 89340d0935c9296c7b8222b6eab30e67cb57ab82 +Patch-mainline: v5.4-rc1 +References: bsc#1050549 + +This patch reverts commit 75437bb304b20 (locking/pvqspinlock: Don't +wait if vCPU is preempted). A large performance regression was caused +by this commit. on over-subscription scenarios. + +The test was run on a Xeon Skylake box, 2 sockets, 40 cores, 80 threads, +with three VMs of 80 vCPUs each. The score of ebizzy -M is reduced from +13000-14000 records/s to 1700-1800 records/s: + + Host Guest score + +vanilla w/o kvm optimizations upstream 1700-1800 records/s +vanilla w/o kvm optimizations revert 13000-14000 records/s +vanilla w/ kvm optimizations upstream 4500-5000 records/s +vanilla w/ kvm optimizations revert 14000-15500 records/s + +Exit from aggressive wait-early mechanism can result in premature yield +and extra scheduling latency. + +Actually, only 6% of wait_early events are caused by vcpu_is_preempted() +being true. However, when one vCPU voluntarily releases its vCPU, all +the subsequently waiters in the queue will do the same and the cascading +effect leads to bad performance. 
+ +kvm optimizations: +[1] commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts) +[2] commit 266e85a5ec9 (KVM: X86: Boost queue head vCPU to mitigate lock waiter preemption) + +Tested-by: loobinliu@tencent.com +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Waiman Long +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: loobinliu@tencent.com +Cc: stable@vger.kernel.org +Fixes: 75437bb304b20 (locking/pvqspinlock: Don't wait if vCPU is preempted) +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Davidlohr Bueso + +--- + kernel/locking/qspinlock_paravirt.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/locking/qspinlock_paravirt.h b/kernel/locking/qspinlock_paravirt.h +index 89bab079e7a4..e84d21aa0722 100644 +--- a/kernel/locking/qspinlock_paravirt.h ++++ b/kernel/locking/qspinlock_paravirt.h +@@ -269,7 +269,7 @@ pv_wait_early(struct pv_node *prev, int loop) + if ((loop & PV_PREV_CHECK_MASK) != 0) + return false; + +- return READ_ONCE(prev->state) != vcpu_running || vcpu_is_preempted(prev->cpu); ++ return READ_ONCE(prev->state) != vcpu_running; + } + + /* +-- +2.16.4 + diff --git a/patches.suse/0001-lcoking-rwsem-Add-missing-ACQUIRE-to-read_slowpath-s.patch b/patches.suse/0001-lcoking-rwsem-Add-missing-ACQUIRE-to-read_slowpath-s.patch new file mode 100644 index 0000000..6d6e2af --- /dev/null +++ b/patches.suse/0001-lcoking-rwsem-Add-missing-ACQUIRE-to-read_slowpath-s.patch 
@@ -0,0 +1,70 @@ +From 99143f82a255e7f054bead8443462fae76dd829e Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 18 Jul 2019 14:56:17 +0200 +Subject: [PATCH] lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep + loop +Git-commit: 99143f82a255e7f054bead8443462fae76dd829e +Patch-mainline: v5.3-rc1 +References: bsc#1050549 + +While reviewing another read_slowpath patch, both Will and I noticed +another missing ACQUIRE, namely: + + X = 0; + + CPU0 CPU1 + + rwsem_down_read() + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + + X = 1; + rwsem_up_write(); + rwsem_mark_wake() + atomic_long_add(adjustment, &sem->count); + smp_store_release(&waiter->task, NULL); + + if (!waiter.task) + break; + + ... + } + + r = X; + +Allows 'r == 0'. + +Reported-by: Peter Zijlstra (Intel) +Reported-by: Will Deacon +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Will Deacon +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Ingo Molnar +Signed-off-by: Davidlohr Bueso + +--- + kernel/locking/rwsem-xadd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c +index 7d29e15d8f44..cca18df9925d 100644 +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -277,8 +277,10 @@ __rwsem_down_read_failed_common(struct rw_semaphore *sem, int state) + /* wait to be given the lock */ + while (true) { + set_current_state(state); +- if (!waiter.task) ++ if (!smp_load_acquire(&waiter.task)) { ++ /* Orders against rwsem_mark_wake()'s smp_store_release() */ + break; ++ } + if (signal_pending_state(state, current)) { + raw_spin_lock_irq(&sem->wait_lock); + if (waiter.task) +-- +2.16.4 + diff --git a/patches.suse/0001-locking-rwsem-Prevent-decrement-of-reader-count-befo.patch b/patches.suse/0001-locking-rwsem-Prevent-decrement-of-reader-count-befo.patch new file mode 100644 index 0000000..2869544 --- /dev/null 
+++ b/patches.suse/0001-locking-rwsem-Prevent-decrement-of-reader-count-befo.patch 
@@ -0,0 +1,131 @@ +From a9e9bcb45b1525ba7aea26ed9441e8632aeeda58 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Sun, 28 Apr 2019 17:25:38 -0400 +Subject: [PATCH] locking/rwsem: Prevent decrement of reader count before increment +Git-commit: a9e9bcb45b1525ba7aea26ed9441e8632aeeda58 +Patch-mainline: v5.2-rc1 +References: bsc#1050549 + +During my rwsem testing, it was found that after a down_read(), the +reader count may occasionally become 0 or even negative. Consequently, +a writer may steal the lock at that time and execute with the reader +in parallel thus breaking the mutual exclusion guarantee of the write +lock. In other words, both readers and writer can become rwsem owners +simultaneously. + +The current reader wakeup code does it in one pass to clear waiter->task +and put them into wake_q before fully incrementing the reader count. +Once waiter->task is cleared, the corresponding reader may see it, +finish the critical section and do unlock to decrement the count before +the count is incremented. This is not a problem if there is only one +reader to wake up as the count has been pre-incremented by 1. It is +a problem if there are more than one readers to be woken up and writer +can steal the lock. + +The wakeup was actually done in 2 passes before the following v4.9 commit: + + 70800c3c0cc5 ("locking/rwsem: Scan the wait_list for readers only once") + +To fix this problem, the wakeup is now done in two passes +again. In the first pass, we collect the readers and count them. +The reader count is then fully incremented. In the second pass, the +waiter->task is then cleared and they are put into wake_q to be woken +up later. 
+ +Signed-off-by: Waiman Long +Acked-by: Linus Torvalds +Cc: Borislav Petkov +Cc: Davidlohr Bueso +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Tim Chen +Cc: Will Deacon +Cc: huang ying +Fixes: 70800c3c0cc5 ("locking/rwsem: Scan the wait_list for readers only once") +Link: http://lkml.kernel.org/r/20190428212557.13482-2-longman@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Davidlohr Bueso + +--- + kernel/locking/rwsem-xadd.c | 44 ++++++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 14 deletions(-) + +diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c +index 34c70a985ca9..7d29e15d8f44 100644 +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -129,6 +129,7 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, + { + struct rwsem_waiter *waiter, *tmp; + long oldcount, woken = 0, adjustment = 0; ++ struct list_head wlist; + + /* + * Take a peek at the queue head waiter such that we can determine +@@ -187,18 +188,42 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, + * of the queue. We know that woken will be at least 1 as we accounted + * for above. Note we increment the 'active part' of the count by the + * number of readers before waking any processes up. ++ * ++ * We have to do wakeup in 2 passes to prevent the possibility that ++ * the reader count may be decremented before it is incremented. It ++ * is because the to-be-woken waiter may not have slept yet. So it ++ * may see waiter->task got cleared, finish its critical section and ++ * do an unlock before the reader count increment. ++ * ++ * 1) Collect the read-waiters in a separate list, count them and ++ * fully increment the reader count in rwsem. ++ * 2) For each waiters in the new list, clear waiter->task and ++ * put them into wake_q to be woken up later. 
+ */ +- list_for_each_entry_safe(waiter, tmp, &sem->wait_list, list) { +- struct task_struct *tsk; +- ++ list_for_each_entry(waiter, &sem->wait_list, list) { + if (waiter->type == RWSEM_WAITING_FOR_WRITE) + break; + + woken++; +- tsk = waiter->task; ++ } ++ list_cut_before(&wlist, &sem->wait_list, &waiter->list); ++ ++ adjustment = woken * RWSEM_ACTIVE_READ_BIAS - adjustment; ++ if (list_empty(&sem->wait_list)) { ++ /* hit end of list above */ ++ adjustment -= RWSEM_WAITING_BIAS; ++ } ++ ++ if (adjustment) ++ atomic_long_add(adjustment, &sem->count); ++ ++ /* 2nd pass */ ++ list_for_each_entry_safe(waiter, tmp, &wlist, list) { ++ struct task_struct *tsk; + ++ tsk = waiter->task; + get_task_struct(tsk); +- list_del(&waiter->list); ++ + /* + * Ensure calling get_task_struct() before setting the reader + * waiter to nil such that rwsem_down_read_failed() cannot +@@ -212,15 +237,6 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, + */ + wake_q_add_safe(wake_q, tsk); + } +- +- adjustment = woken * RWSEM_ACTIVE_READ_BIAS - adjustment; +- if (list_empty(&sem->wait_list)) { +- /* hit end of list above */ +- adjustment -= RWSEM_WAITING_BIAS; +- } +- +- if (adjustment) +- atomic_long_add(adjustment, &sem->count); + } + + /* +-- +2.16.4 + diff --git a/patches.suse/0001-rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch b/patches.suse/0001-rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch new file mode 100644 index 0000000..ca445c1 --- /dev/null +++ b/patches.suse/0001-rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch 
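Review bot: The first pass in `__rwsem_mark_wake()` depends on a property of `list_for_each_entry()` that the code never states: if the loop runs off the end without meeting a writer, `&waiter->list` is `&sem->wait_list` itself, and `list_cut_before()` is then expected to move the entire queue into `wlist`. A one-line comment ahead of the cut would make that explicit, for example `/* waiter is the first writer, or the list head if only readers were queued */`. `wlist` is also declared without an initialiser and is only valid because `list_cut_before()` sets it up; that helper is not defined in this patch, so the backport appears to depend on it already being present in this tree.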
@@ -0,0 +1,50 @@ +From f06eb3f9c03eda3bf7e40b49f5a4b032752bb176 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Fri, 29 Sep 2017 14:47:51 -0500 +Subject: [PATCH] rtlwifi: Fix MAX MPDU of VHT capability +Git-commit: f06eb3f9c03eda3bf7e40b49f5a4b032752bb176 +References: FATE#326906, git-fixes +Patch-mainline: v4.15 + +We must choose only one of VHT_CAP among +IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895, +IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 and +IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454. + +Signed-off-by: Ping-Ke Shih +Signed-off-by: Larry Finger +Cc: Yan-Hsuan Chuang +Cc: Birming Chiu +Cc: Shaofu +Cc: Steven Ting +Signed-off-by: Kalle Valo +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/realtek/rtlwifi/base.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c +index ea18aa7afecb..fcf6e31d0fb9 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/base.c ++++ b/drivers/net/wireless/realtek/rtlwifi/base.c +@@ -249,8 +249,6 @@ static void _rtl_init_hw_vht_capab(struct ieee80211_hw *hw, + + vht_cap->vht_supported = true; + vht_cap->cap = +- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895 | +- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 | + IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 | + IEEE80211_VHT_CAP_SHORT_GI_80 | + IEEE80211_VHT_CAP_TXSTBC | +@@ -283,8 +281,6 @@ static void _rtl_init_hw_vht_capab(struct ieee80211_hw *hw, + + vht_cap->vht_supported = true; + vht_cap->cap = +- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895 | +- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 | + IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 | + IEEE80211_VHT_CAP_SHORT_GI_80 | + IEEE80211_VHT_CAP_TXSTBC | +-- +2.16.4 + diff --git a/patches.suse/0001-rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch b/patches.suse/0001-rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch new file mode 100644 index 0000000..1711abf --- /dev/null +++ b/patches.suse/0001-rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch 
@@ -0,0 +1,53 @@ +From ecf4000e0d925c6ba074d11801df4a4cdd8d5324 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Fri, 29 Sep 2017 14:47:52 -0500 +Subject: [PATCH] rtlwifi: Remove redundant semicolon in wifi.h. +Git-commit: ecf4000e0d925c6ba074d11801df4a4cdd8d5324 +References: FATE#326906, git-fixes +Patch-mainline: v4.15 + +The semicolon can cause compiler error, if it exists in if...else +statement. + +Signed-off-by: Ping-Ke Shih +Signed-off-by: Larry Finger +Cc: Yan-Hsuan Chuang +Cc: Birming Chiu +Cc: Shaofu +Cc: Steven Ting +Signed-off-by: Kalle Valo +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/realtek/rtlwifi/wifi.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h +index 1ab1024330fb..90e875beff66 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h ++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h +@@ -2857,19 +2857,19 @@ value to host byte ordering.*/ + cpu_to_le32( \ + LE_BITS_CLEARED_TO_4BYTE(__pstart, __bitoffset, __bitlen) | \ + ((((u32)__val) & BIT_LEN_MASK_32(__bitlen)) << (__bitoffset)) \ +- ); ++ ) + #define SET_BITS_TO_LE_2BYTE(__pstart, __bitoffset, __bitlen, __val) \ + *((__le16 *)(__pstart)) = \ + cpu_to_le16( \ + LE_BITS_CLEARED_TO_2BYTE(__pstart, __bitoffset, __bitlen) | \ + ((((u16)__val) & BIT_LEN_MASK_16(__bitlen)) << (__bitoffset)) \ +- ); ++ ) + #define SET_BITS_TO_LE_1BYTE(__pstart, __bitoffset, __bitlen, __val) \ + *((u8 *)(__pstart)) = EF1BYTE \ + ( \ + LE_BITS_CLEARED_TO_1BYTE(__pstart, __bitoffset, __bitlen) | \ + ((((u8)__val) & BIT_LEN_MASK_8(__bitlen)) << (__bitoffset)) \ +- ); ++ ) + + #define N_BYTE_ALIGMENT(__value, __aligment) ((__aligment == 1) ? \ + (__value) : (((__value + __aligment - 1) / __aligment) * __aligment)) +-- +2.16.4 + 
diff --git a/patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch b/patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch index 5d4bd93..aee178c 100644 --- a/patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch +++ b/patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch @@ -2,7 +2,8 @@ From e4ea643b871f05658438d5db6752c839db61ee28 Mon Sep 17 00:00:00 2001 From: Davidlohr Bueso Date: Tue, 26 Feb 2019 08:08:35 -0800 Subject: [PATCH] sched/wake_q: Reduce reference counting for special users -Patch-mainline: Not yet, queued via tip for v5.1. +Git-commit: 07879c6a3740fbbf3c8891a0ab484c20a12794d8 +Patch-mainline: v5.1-rc1 References: bsc#1050549 Some users, specifically futexes and rwsems, required fixes diff --git a/patches.suse/0001-xen-Enable-interrupts-when-calling-_cond_resched.patch b/patches.suse/0001-xen-Enable-interrupts-when-calling-_cond_resched.patch new file mode 100644 index 0000000..759fc4e --- /dev/null +++ b/patches.suse/0001-xen-Enable-interrupts-when-calling-_cond_resched.patch 
@@ -0,0 +1,44 @@ +Patch-mainline: v5.6-rc3 +Git-commit: 8645e56a4ad6dcbf504872db7f14a2f67db88ef2 +References: bsc#1065600 +From: Thomas Gleixner +Date: Wed, 19 Feb 2020 18:30:26 +0100 +Subject: [PATCH] xen: Enable interrupts when calling _cond_resched() + +xen_maybe_preempt_hcall() is called from the exception entry point +xen_do_hypervisor_callback with interrupts disabled. + +_cond_resched() evades the might_sleep() check in cond_resched() which +would have caught that and schedule_debug() unfortunately lacks a check +for irqs_disabled(). + +Enable interrupts around the call and use cond_resched() to catch future +issues. + +Fixes: fdfd811ddde3 ("x86/xen: allow privcmd hypercalls to be preempted") +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/878skypjrh.fsf@nanos.tec.linutronix.de +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +--- + drivers/xen/preempt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/xen/preempt.c b/drivers/xen/preempt.c +index 8b9919c26095..456a164364a2 100644 +--- a/drivers/xen/preempt.c ++++ b/drivers/xen/preempt.c +@@ -33,7 +33,9 @@ asmlinkage __visible void xen_maybe_preempt_hcall(void) + * cpu. + */ + __this_cpu_write(xen_in_preemptible_hcall, false); +- _cond_resched(); ++ local_irq_enable(); ++ cond_resched(); ++ local_irq_disable(); + __this_cpu_write(xen_in_preemptible_hcall, true); + } + } +-- +2.16.4 + diff --git a/patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch b/patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch new file mode 100644 index 0000000..032f55a --- /dev/null +++ b/patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch 
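Review bot: The new `local_irq_enable()` / `local_irq_disable()` pair in `xen_maybe_preempt_hcall()` carries no comment explaining why interrupts are toggled at this point; the reason lives only in the commit message. A short comment above the pair would keep it with the code, for example `/* Entered with IRQs off from the hypervisor callback; cond_resched() must run with them on. */`. The function body starts outside the hunk, so whether the existing block comment already covers the calling context cannot be seen from here.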
@@ -0,0 +1,58 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:41 -0800 +Subject: [PATCH] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks +References: bsc#1164705 + +This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn(). +kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported +symbol, so KVM should treat it conservatively from a security perspective. + +Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/emulate.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index e9833e345a5c..2d4faefe8dd4 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -24,6 +24,7 @@ + #include "kvm_cache_regs.h" + #include + #include ++#include + #include + #include + +@@ -5200,10 +5201,15 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len) + } + break; + case Escape: +- if (ctxt->modrm > 0xbf) +- opcode = opcode.u.esc->high[ctxt->modrm - 0xc0]; +- else ++ if (ctxt->modrm > 0xbf) { ++ size_t size = ARRAY_SIZE(opcode.u.esc->high); ++ u32 index = array_index_nospec( ++ ctxt->modrm - 0xc0, size); ++ ++ opcode = opcode.u.esc->high[index]; ++ } else { + opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7]; ++ } + break; + case InstrDual: + if ((ctxt->modrm >> 6) == 3) +-- +2.16.4 + diff --git a/patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch b/patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch new file mode 100644 index 0000000..6518be2 --- /dev/null +++ b/patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch 
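Review bot: In the `Escape` case the architectural guard and the speculative clamp are expressed against different bounds: the branch tests `ctxt->modrm > 0xbf` and subtracts `0xc0`, while `array_index_nospec()` is bounded by `ARRAY_SIZE(opcode.u.esc->high)`. The two agree only if `high` has at least 0x40 entries (assuming `modrm` is a single byte); if it were shorter, an in-range `modrm` would be silently clamped to entry 0 rather than rejected. The declaration of `high` is outside the hunk, so a compile-time check beside the lookup would pin the assumption, e.g. `BUILD_BUG_ON(ARRAY_SIZE(opcode.u.esc->high) < 0x40);`.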
@@ -0,0 +1,62 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 8618793750071d66028584a83ed0b4fa7eb4f607 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:42 -0800 +Subject: [PATCH] KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from + Spectre-v1/L1TF attacks +References: bsc#1164712 + +This fixes Spectre-v1/L1TF vulnerabilities in kvm_hv_msr_get_crash_data() +and kvm_hv_msr_set_crash_data(). +These functions contain index computations that use the +(attacker-controlled) MSR number. + +Fixes: e7d9513b60e8 ("kvm/x86: added hyper-v crash msrs into kvm hyperv context") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/hyperv.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c +index b255b9e865e5..4df1c965bf1a 100644 +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -753,11 +753,12 @@ static int kvm_hv_msr_get_crash_data(struct kvm_vcpu *vcpu, + u32 index, u64 *pdata) + { + struct kvm_hv *hv = &vcpu->kvm->arch.hyperv; ++ size_t size = ARRAY_SIZE(hv->hv_crash_param); + +- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param))) ++ if (WARN_ON_ONCE(index >= size)) + return -EINVAL; + +- *pdata = hv->hv_crash_param[index]; ++ *pdata = hv->hv_crash_param[array_index_nospec(index, size)]; + return 0; + } + +@@ -796,11 +797,12 @@ static int kvm_hv_msr_set_crash_data(struct kvm_vcpu *vcpu, + u32 index, u64 data) + { + struct kvm_hv *hv = &vcpu->kvm->arch.hyperv; ++ size_t size = ARRAY_SIZE(hv->hv_crash_param); + +- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param))) ++ if (WARN_ON_ONCE(index >= size)) + return -EINVAL; + +- hv->hv_crash_param[index] = data; ++ hv->hv_crash_param[array_index_nospec(index, size)] = data; + return 0; + } + +-- +2.16.4 + 
diff --git a/patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch b/patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch new file mode 100644 index 0000000..fbfaf8f --- /dev/null +++ b/patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch @@ -0,0 +1,48 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 14e32321f3606e4b0970200b6e5e47ee6f1e6410 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:43 -0800 +Subject: [PATCH] KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF + attacks +References: bsc#1164727 + +This fixes a Spectre-v1/L1TF vulnerability in picdev_write(). +It replaces index computations based on the (attacked-controlled) port +number with constants through a minor refactoring. + +Fixes: 85f455f7ddbe ("KVM: Add support for in-kernel PIC emulation") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/i8259.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/i8259.c b/arch/x86/kvm/i8259.c +index 8b38bb4868a6..629a09ca9860 100644 +--- a/arch/x86/kvm/i8259.c ++++ b/arch/x86/kvm/i8259.c +@@ -460,10 +460,14 @@ static int picdev_write(struct kvm_pic *s, + switch (addr) { + case 0x20: + case 0x21: ++ pic_lock(s); ++ pic_ioport_write(&s->pics[0], addr, data); ++ pic_unlock(s); ++ break; + case 0xa0: + case 0xa1: + pic_lock(s); +- pic_ioport_write(&s->pics[addr >> 7], addr, data); ++ pic_ioport_write(&s->pics[1], addr, data); + pic_unlock(s); + break; + case 0x4d0: +-- +2.16.4 + diff --git a/patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch b/patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch new file mode 100644 index 0000000..67fe331 --- /dev/null +++ b/patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch 
@@ -0,0 +1,61 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 8c86405f606ca8508b8d9280680166ca26723695 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:44 -0800 +Subject: [PATCH] KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF + attacks +References: bsc#1164728 + +This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect(). +This function contains index computations based on the +(attacker-controlled) IOREGSEL register. + +Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/ioapic.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c +index 7312aab33298..c5776febb517 100644 +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -73,13 +74,14 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, + default: + { + u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; +- u64 redir_content; ++ u64 redir_content = ~0ULL; + +- if (redir_index < IOAPIC_NUM_PINS) +- redir_content = +- ioapic->redirtbl[redir_index].bits; +- else +- redir_content = ~0ULL; ++ if (redir_index < IOAPIC_NUM_PINS) { ++ u32 index = array_index_nospec( ++ redir_index, IOAPIC_NUM_PINS); ++ ++ redir_content = ioapic->redirtbl[index].bits; ++ } + + result = (ioapic->ioregsel & 0x1) ? + (redir_content >> 32) & 0xffffffff : +-- +2.16.4 + diff --git a/patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch b/patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch new file mode 100644 index 0000000..bbdb310 --- /dev/null 
+++ b/patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch @@ -0,0 +1,43 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 670564559ca35b439c8d8861fc399451ddf95137 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:45 -0800 +Subject: [PATCH] KVM: x86: Protect ioapic_write_indirect() from + Spectre-v1/L1TF attacks +References: bsc#1164729 + +This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect(). +This function contains index computations based on the +(attacker-controlled) IOREGSEL register. + +This patch depends on patch +"KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks". + +Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/ioapic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c +index c5776febb517..26aa22cb9b29 100644 +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -299,6 +299,7 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val) + ioapic_debug("change redir index %x val %x\n", index, val); + if (index >= IOAPIC_NUM_PINS) + return; ++ index = array_index_nospec(index, IOAPIC_NUM_PINS); + e = &ioapic->redirtbl[index]; + mask_before = e->fields.mask; + /* Preserve read-only fields */ +-- +2.16.4 + diff --git a/patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch b/patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch new file mode 100644 index 0000000..d11a2bb --- /dev/null +++ b/patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch 
@@ -0,0 +1,57 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 4bf79cb089f6b1c6c632492c0271054ce52ad766 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:46 -0800 +Subject: [PATCH] KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF + attacks +References: bsc#1164730 + +This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write(). +This function contains index computations based on the +(attacker-controlled) MSR number. + +Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/lapic.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 88c3c0c6d1e3..865edce27a6a 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1791,15 +1791,20 @@ int kvm_lapic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val) + case APIC_LVTTHMR: + case APIC_LVTPC: + case APIC_LVT1: +- case APIC_LVTERR: ++ case APIC_LVTERR: { + /* TODO: Check vector */ ++ size_t size; ++ u32 index; ++ + if (!kvm_apic_sw_enabled(apic)) + val |= APIC_LVT_MASKED; +- +- val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4]; ++ size = ARRAY_SIZE(apic_lvt_mask); ++ index = array_index_nospec( ++ (reg - APIC_LVTT) >> 4, size); ++ val &= apic_lvt_mask[index]; + kvm_lapic_set_reg(apic, reg, val); +- + break; ++ } + + case APIC_LVTT: + if (!kvm_apic_sw_enabled(apic)) +-- +2.16.4 + diff --git a/patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch b/patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch new file mode 100644 index 0000000..129a207 --- /dev/null +++ b/patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch 
@@ -0,0 +1,50 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 25a5edea71b7c154b6a0b8cec14c711cafa31d26 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:47 -0800 +Subject: [PATCH] KVM: x86: Protect MSR-based index computations in + fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks +References: bsc#1164731 + +This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit(). +This function contains index computations based on the +(attacker-controlled) MSR number. + +Fixes: de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/mtrr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c +index 25ce3edd1872..7f0059aa30e1 100644 +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -202,11 +202,15 @@ static bool fixed_msr_to_seg_unit(u32 msr, int *seg, int *unit) + break; + case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000: + *seg = 1; +- *unit = msr - MSR_MTRRfix16K_80000; ++ *unit = array_index_nospec( ++ msr - MSR_MTRRfix16K_80000, ++ MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1); + break; + case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000: + *seg = 2; +- *unit = msr - MSR_MTRRfix4K_C0000; ++ *unit = array_index_nospec( ++ msr - MSR_MTRRfix4K_C0000, ++ MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1); + break; + default: + return false; +-- +2.16.4 + diff --git a/patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch b/patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch new file mode 100644 index 0000000..72ba054 --- /dev/null +++ b/patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch 
@@ -0,0 +1,72 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 13c5183a4e643cc2b03a22d0e582c8e17bb7457d +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:48 -0800 +Subject: [PATCH] KVM: x86: Protect MSR-based index computations in pmu.h from + Spectre-v1/L1TF attacks +References: bsc#1164732 + +This fixes a Spectre-v1/L1TF vulnerability in the get_gp_pmc() and +get_fixed_pmc() functions. +They both contain index computations based on the (attacker-controlled) +MSR number. + +Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/pmu.h | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/pmu.h b/arch/x86/kvm/pmu.h +index 7ebb62326c14..13332984b6d5 100644 +--- a/arch/x86/kvm/pmu.h ++++ b/arch/x86/kvm/pmu.h +@@ -1,6 +1,8 @@ + #ifndef __KVM_X86_PMU_H + #define __KVM_X86_PMU_H + ++#include ++ + #define vcpu_to_pmu(vcpu) (&(vcpu)->arch.pmu) + #define pmu_to_vcpu(pmu) (container_of((pmu), struct kvm_vcpu, arch.pmu)) + #define pmc_to_pmu(pmc) (&(pmc)->vcpu->arch.pmu) +@@ -80,8 +82,12 @@ static inline bool kvm_valid_perf_global_ctrl(struct kvm_pmu *pmu, + static inline struct kvm_pmc *get_gp_pmc(struct kvm_pmu *pmu, u32 msr, + u32 base) + { +- if (msr >= base && msr < base + pmu->nr_arch_gp_counters) +- return &pmu->gp_counters[msr - base]; ++ if (msr >= base && msr < base + pmu->nr_arch_gp_counters) { ++ u32 index = array_index_nospec(msr - base, ++ pmu->nr_arch_gp_counters); ++ ++ return &pmu->gp_counters[index]; ++ } + + return NULL; + } +@@ -91,8 +97,12 @@ static inline struct kvm_pmc *get_fixed_pmc(struct kvm_pmu *pmu, u32 msr) + { + int base = MSR_CORE_PERF_FIXED_CTR0; + +- if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) +- return &pmu->fixed_counters[msr - 
base]; ++ if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) { ++ u32 index = array_index_nospec(msr - base, ++ pmu->nr_arch_fixed_counters); ++ ++ return &pmu->fixed_counters[index]; ++ } + + return NULL; + } +-- +2.16.4 + diff --git a/patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch b/patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch new file mode 100644 index 0000000..8aa91b3 --- /dev/null +++ b/patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch 
@@ -0,0 +1,57 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 6ec4c5eee1750d5d17951c4e1960d953376a0dda +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:49 -0800 +Subject: [PATCH] KVM: x86: Protect MSR-based index computations from + Spectre-v1/L1TF attacks in x86.c +References: bsc#1164733 + +This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and +get_msr_mce(). +Both functions contain index computations based on the +(attacker-controlled) MSR number. + +Fixes: 890ca9aefa78 ("KVM: Add MCE support") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/x86.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 985066e1bda5..913e55f6dca3 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2138,7 +2138,10 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + default: + if (msr >= MSR_IA32_MC0_CTL && + msr < MSR_IA32_MCx_CTL(bank_num)) { +- u32 offset = msr - MSR_IA32_MC0_CTL; ++ u32 offset = array_index_nospec( ++ msr - MSR_IA32_MC0_CTL, ++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); ++ + /* only 0 or all 1s can be written to IA32_MCi_CTL + * some Linux kernels though clear bit 10 in bank 4 to + * workaround a BIOS/GART TBL issue on AMD K8s, ignore +@@ -2526,7 +2529,10 @@ static int get_msr_mce(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host) + default: + if (msr >= MSR_IA32_MC0_CTL && + msr < MSR_IA32_MCx_CTL(bank_num)) { +- u32 offset = msr - MSR_IA32_MC0_CTL; ++ u32 offset = array_index_nospec( ++ msr - MSR_IA32_MC0_CTL, ++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); ++ + data = vcpu->arch.mce_banks[offset]; + break; + } +-- +2.16.4 + 
diff --git a/patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch b/patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch new file mode 100644 index 0000000..07d4f50 --- /dev/null +++ b/patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch 
@@ -0,0 +1,60 @@ +Patch-mainline: v5.6-rc1 +Git-commit: ea740059ecb37807ba47b84b33d1447435a8d868 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:52 -0800 +Subject: [PATCH] KVM: x86: Protect DR-based index computations from + Spectre-v1/L1TF attacks +References: bsc#1164734 + +This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and +kvm_get_dr(). +Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are +exported symbols so KVM should tream them conservatively from a security +perspective. + +Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/x86.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 913e55f6dca3..780224e76723 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -917,9 +917,11 @@ static u64 kvm_dr6_fixed(struct kvm_vcpu *vcpu) + + static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val) + { ++ size_t size = ARRAY_SIZE(vcpu->arch.db); ++ + switch (dr) { + case 0 ... 3: +- vcpu->arch.db[dr] = val; ++ vcpu->arch.db[array_index_nospec(dr, size)] = val; + if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)) + vcpu->arch.eff_db[dr] = val; + break; +@@ -956,9 +958,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr); + + int kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val) + { ++ size_t size = ARRAY_SIZE(vcpu->arch.db); ++ + switch (dr) { + case 0 ... 3: +- *val = vcpu->arch.db[dr]; ++ *val = vcpu->arch.db[array_index_nospec(dr, size)]; + break; + case 4: + /* fall through */ +-- +2.16.4 + 
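Review bot: In the `case 0 ... 3:` arm of __kvm_set_dr() only the `vcpu->arch.db[]` store is clamped; the `vcpu->arch.eff_db[dr] = val;` store two lines below still uses the raw `dr`. Clamping once and reusing the result covers both accesses: make `dr = array_index_nospec(dr, size);` the first statement of the case, then use `vcpu->arch.db[dr] = val;`. This assumes eff_db has at least as many entries as db, which is not visible here. The remaining cases of the switch are outside the hunk.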
diff --git a/patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch b/patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch new file mode 100644 index 0000000..0b2dbb4 --- /dev/null +++ b/patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch 
@@ -0,0 +1,77 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 66061740f1a487f4ed54fde75e724709f805da53 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:53 -0800 +Subject: [PATCH] KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks +References: bsc#1164735 + +This fixes Spectre-v1/L1TF vulnerabilities in intel_find_fixed_event() +and intel_rdpmc_ecx_to_pmc(). +kvm_rdpmc() (ancestor of intel_find_fixed_event()) and +reprogram_fixed_counter() (ancestor of intel_rdpmc_ecx_to_pmc()) are +exported symbols so KVM should treat them conservatively from a security +perspective. + +Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/pmu_intel.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kvm/pmu_intel.c b/arch/x86/kvm/pmu_intel.c +index 7023138b1cb0..34a3a17bb6d7 100644 +--- a/arch/x86/kvm/pmu_intel.c ++++ b/arch/x86/kvm/pmu_intel.c +@@ -87,10 +87,14 @@ static unsigned intel_find_arch_event(struct kvm_pmu *pmu, + + static unsigned intel_find_fixed_event(int idx) + { +- if (idx >= ARRAY_SIZE(fixed_pmc_events)) ++ u32 event; ++ size_t size = ARRAY_SIZE(fixed_pmc_events); ++ ++ if (idx >= size) + return PERF_COUNT_HW_MAX; + +- return intel_arch_events[fixed_pmc_events[idx]].event_type; ++ event = fixed_pmc_events[array_index_nospec(idx, size)]; ++ return intel_arch_events[event].event_type; + } + + /* check if a PMC is enabled by comparing it with globl_ctrl bits. 
*/ +@@ -131,15 +135,19 @@ static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu *vcpu, + struct kvm_pmu *pmu = vcpu_to_pmu(vcpu); + bool fixed = idx & (1u << 30); + struct kvm_pmc *counters; ++ unsigned int num_counters; + + idx &= ~(3u << 30); +- if (!fixed && idx >= pmu->nr_arch_gp_counters) +- return NULL; +- if (fixed && idx >= pmu->nr_arch_fixed_counters) ++ if (fixed) { ++ counters = pmu->fixed_counters; ++ num_counters = pmu->nr_arch_fixed_counters; ++ } else { ++ counters = pmu->gp_counters; ++ num_counters = pmu->nr_arch_gp_counters; ++ } ++ if (idx >= num_counters) + return NULL; +- counters = fixed ? pmu->fixed_counters : pmu->gp_counters; +- +- return &counters[idx]; ++ return &counters[array_index_nospec(idx, num_counters)]; + } + + static bool intel_is_valid_msr(struct kvm_vcpu *vcpu, u32 msr) +-- +2.16.4 + diff --git a/patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch b/patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch new file mode 100644 index 0000000..90606c9 --- /dev/null +++ b/patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch 
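Review bot: In intel_find_fixed_event() the check `if (idx >= size)` compares the signed `int idx` with a `size_t`, so a negative idx is rejected only through the implicit conversion to unsigned. That is the behaviour wanted ahead of the `array_index_nospec(idx, size)` call, but it would break silently if the type of `size` changed. A short comment such as `/* idx is converted to unsigned here, so negative values also fail the check */`, or an explicit `idx < 0 ||`, would make it deliberate.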
@@ -0,0 +1,31 @@ +From: Navid Emamdoost +Date: Mon, 25 Nov 2019 13:52:52 -0600 +Subject: PCI/IOV: Fix memory leak in pci_iov_add_virtfn() +Git-commit: 8c386cc817878588195dde38e919aa6ba9409d58 +Patch-mainline: 5.6-rc1 +References: git-fixes + +In the implementation of pci_iov_add_virtfn() the allocated virtfn is +leaked if pci_setup_device() fails. The error handling is not calling +pci_stop_and_remove_bus_device(). Change the goto label to failed2. + +Fixes: 156c55325d30 ("PCI: Check for pci_setup_device() failure in pci_iov_add_virtfn()") +Link: https://lore.kernel.org/r/20191125195255.23740-1-navid.emamdoost@gmail.com +Signed-off-by: Navid Emamdoost +Signed-off-by: Bjorn Helgaas +Signed-off-by: Jiri Slaby +--- + drivers/pci/iov.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -137,7 +137,7 @@ int pci_iov_add_virtfn(struct pci_dev *d + pci_read_config_word(dev, iov->pos + PCI_SRIOV_VF_DID, &virtfn->device); + rc = pci_setup_device(virtfn); + if (rc) +- goto failed0; ++ goto failed1; + + virtfn->dev.parent = dev->dev.parent; + virtfn->physfn = pci_dev_get(dev); diff --git a/patches.suse/ata-ahci-Add-shutdown-to-freeze-hardware-resources-o.patch b/patches.suse/ata-ahci-Add-shutdown-to-freeze-hardware-resources-o.patch new file mode 100644 index 0000000..0b9c38a --- /dev/null +++ b/patches.suse/ata-ahci-Add-shutdown-to-freeze-hardware-resources-o.patch 
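Review bot: The description says the label is changed to `failed2`, but the hunk changes `goto failed0;` to `goto failed1;`. Presumably the labels are numbered differently in this tree. The cleanup code is outside the hunk, though, so the diff cannot confirm that `failed1` releases the allocated virtfn as the description intends. A bracketed backport remark in the patch header, naming the cleanup that `failed1` performs in this tree, would let the next reviewer verify the leak fix without opening iov.c.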
@@ -0,0 +1,111 @@ +From: Prabhakar Kushwaha +Date: Sat, 25 Jan 2020 03:37:29 +0000 +Subject: ata: ahci: Add shutdown to freeze hardware resources of ahci +Git-commit: 10a663a1b15134a5a714aa515e11425a44d4fdf7 +Patch-mainline: v5.6-rc1 +References: bsc#1164388 + +device_shutdown() called from reboot or power_shutdown expect +all devices to be shutdown. Same is true for even ahci pci driver. +As no ahci shutdown function is implemented, the ata subsystem +always remains alive with DMA & interrupt support. File system +related calls should not be honored after device_shutdown(). + +So defining ahci pci driver shutdown to freeze hardware (mask +interrupt, stop DMA engine and free DMA resources). + +Signed-off-by: Prabhakar Kushwaha +Signed-off-by: Jens Axboe +Signed-off-by: Matthias Brugger +--- + drivers/ata/ahci.c | 7 +++++++ + drivers/ata/libata-core.c | 21 +++++++++++++++++++++ + include/linux/libata.h | 1 + + 3 files changed, 29 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 4bfd1b14b390..11ea1aff40db 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -81,6 +81,7 @@ enum board_ids { + + static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent); + static void ahci_remove_one(struct pci_dev *dev); ++static void ahci_shutdown_one(struct pci_dev *dev); + static int ahci_vt8251_hardreset(struct ata_link *link, unsigned int *class, + unsigned long deadline); + static int ahci_avn_hardreset(struct ata_link *link, unsigned int *class, +@@ -606,6 +607,7 @@ static struct pci_driver ahci_pci_driver = { + .id_table = ahci_pci_tbl, + .probe = ahci_init_one, + .remove = ahci_remove_one, ++ .shutdown = ahci_shutdown_one, + .driver = { + .pm = &ahci_pci_pm_ops, + }, +@@ -1877,6 +1879,11 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + return 0; + } + ++static void ahci_shutdown_one(struct pci_dev *pdev) ++{ ++ ata_pci_shutdown_one(pdev); ++} ++ + static void ahci_remove_one(struct 
pci_dev *pdev) + { + pm_runtime_get_noresume(&pdev->dev); +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 6f4ab5c5b52d..42c8728f6117 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -6767,6 +6767,26 @@ void ata_pci_remove_one(struct pci_dev *pdev) + ata_host_detach(host); + } + ++void ata_pci_shutdown_one(struct pci_dev *pdev) ++{ ++ struct ata_host *host = pci_get_drvdata(pdev); ++ int i; ++ ++ for (i = 0; i < host->n_ports; i++) { ++ struct ata_port *ap = host->ports[i]; ++ ++ ap->pflags |= ATA_PFLAG_FROZEN; ++ ++ /* Disable port interrupts */ ++ if (ap->ops->freeze) ++ ap->ops->freeze(ap); ++ ++ /* Stop the port DMA engines */ ++ if (ap->ops->port_stop) ++ ap->ops->port_stop(ap); ++ } ++} ++ + /* move to PCI subsystem */ + int pci_test_config_bits(struct pci_dev *pdev, const struct pci_bits *bits) + { +@@ -7387,6 +7407,7 @@ EXPORT_SYMBOL_GPL(ata_timing_cycle2mode); + + #ifdef CONFIG_PCI + EXPORT_SYMBOL_GPL(pci_test_config_bits); ++EXPORT_SYMBOL_GPL(ata_pci_shutdown_one); + EXPORT_SYMBOL_GPL(ata_pci_remove_one); + #ifdef CONFIG_PM + EXPORT_SYMBOL_GPL(ata_pci_device_do_suspend); +diff --git a/include/linux/libata.h b/include/linux/libata.h +index 2dbde119721d..bff539918d82 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -1221,6 +1221,7 @@ struct pci_bits { + }; + + extern int pci_test_config_bits(struct pci_dev *pdev, const struct pci_bits *bits); ++extern void ata_pci_shutdown_one(struct pci_dev *pdev); + extern void ata_pci_remove_one(struct pci_dev *pdev); + + #ifdef CONFIG_PM +-- +2.25.0 + diff --git a/patches.suse/cdrom-respect-device-capabilities-during-opening-act.patch b/patches.suse/cdrom-respect-device-capabilities-during-opening-act.patch new file mode 100644 index 0000000..539dcbc --- /dev/null +++ b/patches.suse/cdrom-respect-device-capabilities-during-opening-act.patch 
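Review bot: ata_pci_shutdown_one() is added as an exported symbol with no kernel-doc. It sets `ap->pflags |= ATA_PFLAG_FROZEN` and calls `port_stop` without taking any lock and without stating the context it may run in. A header comment should state the contract: it freezes every port and stops its DMA engine, is meant only for the PCI `.shutdown` path, and leaves the host unusable afterwards. If other writers of `ap->pflags` in libata hold the port lock (not visible in this diff), the flag update here should do the same. Separately, `ahci_shutdown_one()` only forwards to the helper, so `.shutdown = ata_pci_shutdown_one` would suffice unless more AHCI-specific work is planned.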
@@ -0,0 +1,69 @@ +From 366ba7c71ef77c08d06b18ad61b26e2df7352338 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?= +Date: Tue, 19 Nov 2019 21:37:08 +0000 +Subject: [PATCH] cdrom: respect device capabilities during opening action +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +References: boo#1164632 +Patch-mainline: v5.5-rc1 +Git-commit: 366ba7c71ef77c08d06b18ad61b26e2df7352338 + +Reading the TOC only works if the device can play audio, otherwise +these commands fail (and possibly bring the device to an unhealthy +state.) + +Similarly, cdrom_mmc3_profile() should only be called if the device +supports generic packet commands. + +To: Jens Axboe +Cc: linux-kernel@vger.kernel.org +Cc: linux-scsi@vger.kernel.org +Signed-off-by: Diego Elio Pettenò +Signed-off-by: Jens Axboe +Acked-by: Michal Suchanek +--- + drivers/cdrom/cdrom.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index ac42ae4651ce..eebdcbef0578 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -996,6 +996,12 @@ static void cdrom_count_tracks(struct cdrom_device_info *cdi, tracktype *tracks) + tracks->xa = 0; + tracks->error = 0; + cd_dbg(CD_COUNT_TRACKS, "entering cdrom_count_tracks\n"); ++ ++ if (!CDROM_CAN(CDC_PLAY_AUDIO)) { ++ tracks->error = CDS_NO_INFO; ++ return; ++ } ++ + /* Grab the TOC header so we can see how many tracks there are */ + ret = cdi->ops->audio_ioctl(cdi, CDROMREADTOCHDR, &header); + if (ret) { +@@ -1162,7 +1168,8 @@ int cdrom_open(struct cdrom_device_info *cdi, struct block_device *bdev, + ret = open_for_data(cdi); + if (ret) + goto err; +- cdrom_mmc3_profile(cdi); ++ if (CDROM_CAN(CDC_GENERIC_PACKET)) ++ cdrom_mmc3_profile(cdi); + if (mode & FMODE_WRITE) { + ret = -EROFS; + if (cdrom_open_write(cdi)) +@@ -2882,6 +2889,9 @@ int cdrom_get_last_written(struct cdrom_device_info *cdi, long *last_written) + it doesn't 
give enough information or fails. then we return + the toc contents. */ + use_toc: ++ if (!CDROM_CAN(CDC_PLAY_AUDIO)) ++ return -ENOSYS; ++ + toc.cdte_format = CDROM_MSF; + toc.cdte_track = CDROM_LEADOUT; + if ((ret = cdi->ops->audio_ioctl(cdi, CDROMREADTOCENTRY, &toc))) +-- +2.23.0 + diff --git a/patches.suse/iommu-io-pgtable-arm-Add-support-for-non-strict-mode.patch b/patches.suse/iommu-io-pgtable-arm-Add-support-for-non-strict-mode.patch index 99c5229..8882a64 100644 --- a/patches.suse/iommu-io-pgtable-arm-Add-support-for-non-strict-mode.patch +++ b/patches.suse/iommu-io-pgtable-arm-Add-support-for-non-strict-mode.patch @@ -31,12 +31,12 @@ Signed-off-by: Matthias Brugger --- a/drivers/iommu/io-pgtable-arm.c +++ b/drivers/iommu/io-pgtable-arm.c @@ -549,6 +549,7 @@ static int arm_lpae_split_blk_unmap(stru - return __arm_lpae_unmap(data, iova, size, lvl, tablep); - - io_pgtable_tlb_add_flush(&data->iop, iova, size, size, true); -+ io_pgtable_tlb_sync(&data->iop); - return size; - } + tablep = iopte_deref(pte, data); + } else if (unmap_idx >= 0) { + io_pgtable_tlb_add_flush(&data->iop, iova, size, size, true); ++ io_pgtable_tlb_sync(&data->iop); + return size; + } @@ -579,6 +580,13 @@ static int __arm_lpae_unmap(struct arm_l io_pgtable_tlb_sync(iop); diff --git a/patches.suse/iommu-io-pgtable-arm-Fix-race-handling-in-split_blk_.patch b/patches.suse/iommu-io-pgtable-arm-Fix-race-handling-in-split_blk_.patch new file mode 100644 index 0000000..12298bd --- /dev/null +++ b/patches.suse/iommu-io-pgtable-arm-Fix-race-handling-in-split_blk_.patch 
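Review bot: The three added capability checks have no comments, and the reason for each is given only in the commit message, not at the call site. In cdrom_count_tracks() and at `use_toc:` a line such as `/* Without CDC_PLAY_AUDIO the TOC ioctls below fail, so do not issue them */` would record why the early return exists. In cdrom_open() `/* cdrom_mmc3_profile() needs generic packet support */` would do the same for the new `if`. cdrom_open() and cdrom_get_last_written() both continue outside their hunks.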
@@ -0,0 +1,51 @@ +From: Robin Murphy +Date: Thu, 6 Sep 2018 17:59:50 +0100 +Subject: iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() +Git-commit: 85c7a0f1ef624ef58173ef52ea77780257bdfe04 +Patch-mainline: v4.20-rc1 +References: bsc#1164115 + +In removing the pagetable-wide lock, we gained the possibility of the +vanishingly unlikely case where we have a race between two concurrent +unmappers splitting the same block entry. The logic to handle this is +fairly straightforward - whoever loses the race frees their partial +next-level table and instead dereferences the winner's newly-installed +entry in order to fall back to a regular unmap, which intentionally +echoes the pre-existing case of recursively splitting a 1GB block down +to 4KB pages by installing a full table of 2MB blocks first. + +Unfortunately, the chump who implemented that logic failed to update the +condition check for that fallback, meaning that if said race occurs at +the last level (where the loser's unmap_idx is valid) then the unmap +won't actually happen. Fix that to properly account for both the race +and recursive cases. 
+ +Fixes: 2c3d273eabe8 ("iommu/io-pgtable-arm: Support lockless operation") +Signed-off-by: Robin Murphy +[will: re-jig control flow to avoid duplicate cmpxchg test] +Signed-off-by: Will Deacon +Signed-off-by: Matthias Brugger +--- + drivers/iommu/io-pgtable-arm.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/iommu/io-pgtable-arm.c ++++ b/drivers/iommu/io-pgtable-arm.c +@@ -543,13 +543,12 @@ static int arm_lpae_split_blk_unmap(stru + return 0; + + tablep = iopte_deref(pte, data); ++ } else if (unmap_idx >= 0) { ++ io_pgtable_tlb_add_flush(&data->iop, iova, size, size, true); ++ return size; + } + +- if (unmap_idx < 0) +- return __arm_lpae_unmap(data, iova, size, lvl, tablep); +- +- io_pgtable_tlb_add_flush(&data->iop, iova, size, size, true); +- return size; ++ return __arm_lpae_unmap(data, iova, size, lvl, tablep); + } + + static int __arm_lpae_unmap(struct arm_lpae_io_pgtable *data, diff --git a/patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions b/patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions new file mode 100644 index 0000000..6993706 --- /dev/null +++ b/patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions 
@@ -0,0 +1,87 @@ +From: Oliver Upton +Date: Tue, 4 Feb 2020 15:26:31 -0800 +Subject: KVM: nVMX: Check IO instruction VM-exit conditions +Git-commit: 35a571346a94fb93b5b3b6a599675ef3384bc75c +References: CVE-2020-2732 bsc#1163971 +Patch-mainline: v5.6-rc4 + +Consult the 'unconditional IO exiting' and 'use IO bitmaps' VM-execution +controls when checking instruction interception. If the 'use IO bitmaps' +VM-execution control is 1, check the instruction access against the IO +bitmaps to determine if the instruction causes a VM-exit. + +Signed-off-by: Oliver Upton +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/vmx/nested.c | 2 +- + arch/x86/kvm/vmx/vmx.c | 57 ++++++++++++++++++++++++++++++++++++++++++----- + 2 files changed, 52 insertions(+), 7 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8570,7 +8570,7 @@ static bool nested_vmx_exit_handled_io(s + struct vmcs12 *vmcs12) + { + unsigned long exit_qualification; +- unsigned int port; ++ unsigned short port; + int size; + + if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) +@@ -12386,10 +12386,55 @@ static void nested_vmx_entry_failure(str + to_vmx(vcpu)->nested.sync_shadow_vmcs = true; + } + ++static int vmx_check_intercept_io(struct kvm_vcpu *vcpu, ++ struct x86_instruction_info *info) ++{ ++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu); ++ unsigned short port; ++ bool intercept; ++ int size; ++ ++ if (info->intercept == x86_intercept_in || ++ info->intercept == x86_intercept_ins) { ++ port = info->src_val; ++ size = info->dst_bytes; ++ } else { ++ port = info->dst_val; ++ size = info->src_bytes; ++ } ++ ++ /* ++ * If the 'use IO bitmaps' VM-execution control is 0, IO instruction ++ * VM-exits depend on the 'unconditional IO exiting' VM-execution ++ * control. ++ * ++ * Otherwise, IO instruction VM-exits are controlled by the IO bitmaps. 
++ */ ++ if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) ++ intercept = nested_cpu_has(vmcs12, ++ CPU_BASED_UNCOND_IO_EXITING); ++ else ++ intercept = nested_vmx_check_io_bitmaps(vcpu, port, size); ++ ++ return intercept ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; ++} ++ + static int vmx_check_intercept(struct kvm_vcpu *vcpu, + struct x86_instruction_info *info, + enum x86_intercept_stage stage) + { ++ switch (info->intercept) { ++ case x86_intercept_in: ++ case x86_intercept_ins: ++ case x86_intercept_out: ++ case x86_intercept_outs: ++ return vmx_check_intercept_io(vcpu, info); ++ ++ /* TODO: check more intercepts... */ ++ default: ++ break; ++ } ++ + return X86EMUL_UNHANDLEABLE; + } + diff --git a/patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode b/patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode new file mode 100644 index 0000000..dc989c6 --- /dev/null +++ b/patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode @@ -0,0 +1,31 @@ +From: Paolo Bonzini +Date: Tue, 4 Feb 2020 15:26:29 -0800 +Subject: KVM: nVMX: Don't emulate instructions in guest mode +Git-commit: 07721feee46b4b248402133228235318199b05ec +References: CVE-2020-2732 bsc#1163971 +Patch-mainline: v5.6-rc4 + +vmx_check_intercept is not yet fully implemented. To avoid emulating +instructions disallowed by the L1 hypervisor, refuse to emulate +instructions by default. + +Cc: stable@vger.kernel.org +[Made commit, added commit msg - Oliver] +Signed-off-by: Oliver Upton +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/vmx/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -12378,7 +12378,7 @@ static int vmx_check_intercept(struct kv + struct x86_instruction_info *info, + enum x86_intercept_stage stage) + { +- return X86EMUL_CONTINUE; ++ return X86EMUL_UNHANDLEABLE; + } + + #ifdef CONFIG_X86_64 
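Review bot: In vmx_check_intercept() every intercept the new switch does not handle reaches the trailing `return X86EMUL_UNHANDLEABLE;` via `default: break;`, and nothing in the function says this refusal is the intended default. The companion patch in this merge changes that return from `X86EMUL_CONTINUE` precisely so that unchecked instructions are not emulated. A comment on the return would keep it from being relaxed later, e.g. `/* Not checked above: refuse to emulate rather than bypass an L1 intercept */`. Separately, `port` in vmx_check_intercept_io() is `unsigned short`, so `info->src_val` and `info->dst_val` are truncated implicitly on assignment; an explicit cast or a short comment would show that the narrowing is intended.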
diff --git a/patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function b/patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function new file mode 100644 index 0000000..f67b2f3 --- /dev/null +++ b/patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function 
@@ -0,0 +1,78 @@ +From: Oliver Upton +Date: Tue, 4 Feb 2020 15:26:30 -0800 +Subject: KVM: nVMX: Refactor IO bitmap checks into helper function +Git-commit: e71237d3ff1abf9f3388337cfebf53b96df2020d +References: CVE-2020-2732 bsc#1163971 +Patch-mainline: v5.6-rc4 + +Checks against the IO bitmap are useful for both instruction emulation +and VM-exit reflection. Refactor the IO bitmap checks into a helper +function. + +Signed-off-by: Oliver Upton +Reviewed-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/vmx/nested.c | 39 +++++++++++++++++++++++++-------------- + arch/x86/kvm/vmx/nested.h | 2 ++ + 2 files changed, 27 insertions(+), 14 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8529,23 +8529,17 @@ static int (*const kvm_vmx_exit_handlers + static const int kvm_vmx_max_exit_handlers = + ARRAY_SIZE(kvm_vmx_exit_handlers); + +-static bool nested_vmx_exit_handled_io(struct kvm_vcpu *vcpu, +- struct vmcs12 *vmcs12) ++/* ++ * Return true if an IO instruction with the specified port and size should cause ++ * a VM-exit into L1. 
++ */ ++static bool nested_vmx_check_io_bitmaps(struct kvm_vcpu *vcpu, unsigned int port, ++ int size) + { +- unsigned long exit_qualification; ++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu); + gpa_t bitmap, last_bitmap; +- unsigned int port; +- int size; + u8 b; + +- if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) +- return nested_cpu_has(vmcs12, CPU_BASED_UNCOND_IO_EXITING); +- +- exit_qualification = vmcs_readl(EXIT_QUALIFICATION); +- +- port = exit_qualification >> 16; +- size = (exit_qualification & 7) + 1; +- + last_bitmap = (gpa_t)-1; + b = -1; + +@@ -8572,6 +8566,24 @@ static bool nested_vmx_exit_handled_io(s + return false; + } + ++static bool nested_vmx_exit_handled_io(struct kvm_vcpu *vcpu, ++ struct vmcs12 *vmcs12) ++{ ++ unsigned long exit_qualification; ++ unsigned int port; ++ int size; ++ ++ if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) ++ return nested_cpu_has(vmcs12, CPU_BASED_UNCOND_IO_EXITING); ++ ++ exit_qualification = vmcs_readl(EXIT_QUALIFICATION); ++ ++ port = exit_qualification >> 16; ++ size = (exit_qualification & 7) + 1; ++ ++ return nested_vmx_check_io_bitmaps(vcpu, port, size); ++} ++ + /* + * Return 1 if we should exit from L2 to L1 to handle an MSR access access, + * rather than handle it ourselves in L0. I.e., check whether L1 expressed diff --git a/patches.suse/md-raid0-fix-buffer-overflow-at-debug-print.patch b/patches.suse/md-raid0-fix-buffer-overflow-at-debug-print.patch new file mode 100644 index 0000000..f77ac05 --- /dev/null +++ b/patches.suse/md-raid0-fix-buffer-overflow-at-debug-print.patch 
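Review bot: The comment added on `nested_vmx_check_io_bitmaps()` says it returns whether an I/O access should exit to L1, but the `CPU_BASED_USE_IO_BITMAPS` / `CPU_BASED_UNCOND_IO_EXITING` decision was moved out of it and now lives only in `nested_vmx_exit_handled_io()`. A caller that skips that check would get an answer that ignores unconditional I/O exiting, so the contract should be written down: add `* Callers must handle the !CPU_BASED_USE_IO_BITMAPS case themselves; only the I/O bitmaps are consulted here.` to the comment block. The helper also re-reads `vmcs12` through `get_vmcs12(vcpu)` although the caller already holds it, which looks harmless but deserves a word in the comment. The middle of the helper's body lies outside the hunk.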
@@ -0,0 +1,39 @@
+From f68334a85ee9120678c06a8da4a1711be7be86a2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 18 Feb 2020 09:22:08 +0100
+Subject: [PATCH] md/raid0: Fix buffer overflow at debug print
+Patch-mainline: Not yet, waiting for patch author posting upstream
+References: bsc#1164051
+
+The debug print text in dump_zones() is formatted via a loop of
+snprintf(). Since snprintf() returns the number of would-be-printed
+characters, not the actually output, the length calculation in the
+loop overflows the actual buffer size, which leads to a WARNING in
+vsnprintf().
+
+Replace snprintf() with scnprintf() to calculate properly with the
+actual output size.
+
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Coly Li
+---
+ drivers/md/raid0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c
+index 322386ff5d22..3e16be05b98f 100644
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -63,7 +63,7 @@ static void dump_zones(struct mddev *mddev)
+ int len = 0;
+
+ for (k = 0; k < conf->strip_zone[j].nb_dev; k++)
+- len += snprintf(line+len, 200-len, "%s%s", k?"/":"",
++ len += scnprintf(line+len, 200-len, "%s%s", k?"/":"",
+ bdevname(conf->devlist[j*raid_disks
+ + k]->bdev, b));
+ pr_debug("md: zone%d=[%s]\n", j, line);
+--
+2.16.4
+
diff --git a/patches.suse/msft-hv-1986-hv_netvsc-Fix-offset-usage-in-netvsc_send_table.patch b/patches.suse/msft-hv-1986-hv_netvsc-Fix-offset-usage-in-netvsc_send_table.patch
new file mode 100644
index 0000000..f9a8e42
--- /dev/null
+++ b/patches.suse/msft-hv-1986-hv_netvsc-Fix-offset-usage-in-netvsc_send_table.patch
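Review bot: The bound `200-len` in the new `scnprintf()` call repeats the buffer size as a literal, so the overflow this patch fixes can come back if the size of `line` is ever changed without touching this call. If `line` is a local array (its declaration is outside the hunk), `len += scnprintf(line+len, sizeof(line)-len, "%s%s", k?"/":"",` ties the limit to the buffer itself. The loop sits inside `dump_zones()`, whose start and end are outside the hunk.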
@@ -0,0 +1,109 @@ +From: Haiyang Zhang +Date: Thu, 21 Nov 2019 13:33:40 -0800 +Patch-mainline: v5.4 +Subject: hv_netvsc: Fix offset usage in netvsc_send_table() +Git-commit: 71f21959dd5516031db4f011e15e9a9508b93a7d +References: bsc#1164598 + +To reach the data region, the existing code adds offset in struct +nvsp_5_send_indirect_table on the beginning of this struct. But the +offset should be based on the beginning of its container, +struct nvsp_message. This bug causes the first table entry missing, +and adds an extra zero from the zero pad after the data region. +This can put extra burden on the channel 0. + +So, correct the offset usage. Also add a boundary check to ensure +not reading beyond data region. + +Fixes: 5b54dac856cb ("hyperv: Add support for virtual Receive Side Scaling (vRSS)") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/hyperv/hyperv_net.h | 3 ++- + drivers/net/hyperv/netvsc.c | 26 ++++++++++++++++++-------- + 2 files changed, 20 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -609,7 +609,8 @@ struct nvsp_5_send_indirect_table { + /* The number of entries in the send indirection table */ + u32 count; + +- /* The offset of the send indirection table from top of this struct. ++ /* The offset of the send indirection table from the beginning of ++ * struct nvsp_message. + * The send indirection table tells which channel to put the send + * traffic on. Each entry is a channel number. 
+ */ +diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -1178,20 +1178,28 @@ static int netvsc_receive(struct net_device *ndev, + } + + static void netvsc_send_table(struct net_device *ndev, +- const struct nvsp_message *nvmsg) ++ const struct nvsp_message *nvmsg, ++ u32 msglen) + { + struct net_device_context *net_device_ctx = netdev_priv(ndev); +- u32 count, *tab; ++ u32 count, offset, *tab; + int i; + + count = nvmsg->msg.v5_msg.send_table.count; ++ offset = nvmsg->msg.v5_msg.send_table.offset; ++ + if (count != VRSS_SEND_TAB_SIZE) { + netdev_err(ndev, "Received wrong send-table size:%u\n", count); + return; + } + +- tab = (u32 *)((unsigned long)&nvmsg->msg.v5_msg.send_table + +- nvmsg->msg.v5_msg.send_table.offset); ++ if (offset > msglen - count * sizeof(u32)) { ++ netdev_err(ndev, "Received send-table offset too big:%u\n", ++ offset); ++ return; ++ } ++ ++ tab = (void *)nvmsg + offset; + + for (i = 0; i < count; i++) + net_device_ctx->tx_table[i] = tab[i]; +@@ -1209,12 +1217,13 @@ static void netvsc_send_vf(struct net_device *ndev, + net_device_ctx->vf_alloc ? 
"added" : "removed"); + } + +-static void netvsc_receive_inband(struct net_device *ndev, +- const struct nvsp_message *nvmsg) ++static void netvsc_receive_inband(struct net_device *ndev, ++ const struct nvsp_message *nvmsg, ++ u32 msglen) + { + switch (nvmsg->hdr.msg_type) { + case NVSP_MSG5_TYPE_SEND_INDIRECTION_TABLE: +- netvsc_send_table(ndev, nvmsg); ++ netvsc_send_table(ndev, nvmsg, msglen); + break; + + case NVSP_MSG4_TYPE_SEND_VF_ASSOCIATION: +@@ -1232,6 +1241,7 @@ static int netvsc_process_raw_pkt(struct hv_device *device, + { + struct vmbus_channel *channel = nvchan->channel; + const struct nvsp_message *nvmsg = hv_pkt_data(desc); ++ u32 msglen = hv_pkt_datalen(desc); + + trace_nvsp_recv(ndev, channel, nvmsg); + +@@ -1247,7 +1257,7 @@ static int netvsc_process_raw_pkt(struct hv_device *device, + break; + + case VM_PKT_DATA_INBAND: +- netvsc_receive_inband(ndev, nvmsg); ++ netvsc_receive_inband(ndev, nvmsg, msglen); + break; + + default: diff --git a/patches.suse/msft-hv-1987-hv_netvsc-Fix-send_table-offset-in-case-of-a-host-bu.patch b/patches.suse/msft-hv-1987-hv_netvsc-Fix-send_table-offset-in-case-of-a-host-bu.patch new file mode 100644 index 0000000..638e770 --- /dev/null +++ b/patches.suse/msft-hv-1987-hv_netvsc-Fix-send_table-offset-in-case-of-a-host-bu.patch 
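Review bot: The new bounds check in `netvsc_send_table()`, `if (offset > msglen - count * sizeof(u32))`, is evaluated in unsigned arithmetic, so when `msglen` is smaller than `count * sizeof(u32)` the subtraction wraps to a very large value and the check passes for any host-supplied `offset`; the copy loop then reads beyond the packet. Guard the subtraction first: `if (msglen < count * sizeof(u32) || offset > msglen - count * sizeof(u32)) {`. `count` and `offset` are also read from `nvmsg` before anything confirms that `msglen` covers the `send_table` fields, so a minimum-length check ahead of those reads is worth adding as well. The same comparison is carried unchanged as context in the following patch, msft-hv-1987.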
@@ -0,0 +1,77 @@ +From: Haiyang Zhang +Date: Thu, 21 Nov 2019 13:33:41 -0800 +Patch-mainline: v5.4 +Subject: hv_netvsc: Fix send_table offset in case of a host bug +Git-commit: 171c1fd98df3d5948d9a9eb755274850fa5e59c6 +References: bsc#1164598 + +If negotiated NVSP version <= NVSP_PROTOCOL_VERSION_6, the offset may +be wrong (too small) due to a host bug. This can cause missing the +end of the send indirection table, and add multiple zero entries from +leading zeros before the data region. This bug adds extra burden on +channel 0. + +So fix the offset by computing it from the data structure sizes. This +will ensure netvsc driver runs normally on unfixed hosts, and future +fixed hosts. + +Fixes: 5b54dac856cb ("hyperv: Add support for virtual Receive Side Scaling (vRSS)") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/hyperv/netvsc.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -1178,6 +1178,7 @@ static int netvsc_receive(struct net_device *ndev, + } + + static void netvsc_send_table(struct net_device *ndev, ++ struct netvsc_device *nvscdev, + const struct nvsp_message *nvmsg, + u32 msglen) + { +@@ -1193,6 +1194,16 @@ static void netvsc_send_table(struct net_device *ndev, + return; + } + ++ /* If negotiated version <= NVSP_PROTOCOL_VERSION_6, the offset may be ++ * wrong due to a host bug. So fix the offset here. 
++ */ ++ if (nvscdev->nvsp_version <= NVSP_PROTOCOL_VERSION_6 && ++ msglen >= sizeof(struct nvsp_message_header) + ++ sizeof(union nvsp_6_message_uber) + count * sizeof(u32)) ++ offset = sizeof(struct nvsp_message_header) + ++ sizeof(union nvsp_6_message_uber); ++ ++ /* Boundary check for all versions */ + if (offset > msglen - count * sizeof(u32)) { + netdev_err(ndev, "Received send-table offset too big:%u\n", + offset); +@@ -1218,12 +1229,13 @@ static void netvsc_send_vf(struct net_device *ndev, + } + + static void netvsc_receive_inband(struct net_device *ndev, ++ struct netvsc_device *nvscdev, + const struct nvsp_message *nvmsg, + u32 msglen) + { + switch (nvmsg->hdr.msg_type) { + case NVSP_MSG5_TYPE_SEND_INDIRECTION_TABLE: +- netvsc_send_table(ndev, nvmsg, msglen); ++ netvsc_send_table(ndev, nvscdev, nvmsg, msglen); + break; + + case NVSP_MSG4_TYPE_SEND_VF_ASSOCIATION: +@@ -1257,7 +1269,7 @@ static int netvsc_process_raw_pkt(struct hv_device *device, + break; + + case VM_PKT_DATA_INBAND: +- netvsc_receive_inband(ndev, nvmsg, msglen); ++ netvsc_receive_inband(ndev, net_device, nvmsg, msglen); + break; + + default: diff --git a/patches.suse/msft-hv-1997-hv_netvsc-Fix-tx_table-init-in-rndis_set_subchannel.patch b/patches.suse/msft-hv-1997-hv_netvsc-Fix-tx_table-init-in-rndis_set_subchannel.patch new file mode 100644 index 0000000..3f230f3 --- /dev/null +++ b/patches.suse/msft-hv-1997-hv_netvsc-Fix-tx_table-init-in-rndis_set_subchannel.patch 
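Review bot: The expression `sizeof(struct nvsp_message_header) + sizeof(union nvsp_6_message_uber)` is written out twice in the added block of `netvsc_send_table()`, once in the length test and once in the assignment, and the two copies must stay identical for the workaround to be safe. A local such as `const u32 v6_off = sizeof(struct nvsp_message_header) + sizeof(union nvsp_6_message_uber);`, used as `msglen >= v6_off + count * sizeof(u32)` and `offset = v6_off;`, makes that visible. When the length test fails the host-provided `offset` is kept, so the later boundary check is the only thing between that value and the table copy and has to be sound on its own. The function's body starts and ends outside the hunk.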
@@ -0,0 +1,46 @@
+From: Haiyang Zhang
+Date: Wed, 11 Dec 2019 14:26:27 -0800
+Patch-mainline: v5.5-rc3
+Subject: hv_netvsc: Fix tx_table init in rndis_set_subchannel()
+Git-commit: c39ea5cba5a2e97fc01b78c85208bf31383b399c
+References: bsc#1164598
+
+Host can provide send indirection table messages anytime after RSS is
+enabled by calling rndis_filter_set_rss_param(). So the host provided
+table values may be overwritten by the initialization in
+rndis_set_subchannel().
+
+To prevent this problem, move the tx_table initialization before calling
+rndis_filter_set_rss_param().
+
+Fixes: a6fb6aa3cfa9 ("hv_netvsc: Set tx_table to equal weight after subchannels open")
+Signed-off-by: Haiyang Zhang
+Signed-off-by: Jakub Kicinski
+Acked-by: Olaf Hering
+---
+ drivers/net/hyperv/rndis_filter.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -1171,6 +1171,9 @@ int rndis_set_subchannel(struct net_device *ndev,
+ wait_event(nvdev->subchan_open,
+ atomic_read(&nvdev->open_chn) == nvdev->num_chn);
+
++ for (i = 0; i < VRSS_SEND_TAB_SIZE; i++)
++ ndev_ctx->tx_table[i] = i % nvdev->num_chn;
++
+ /* ignore failures from setting rss parameters, still have channels */
+ if (dev_info)
+ rndis_filter_set_rss_param(rdev, dev_info->rss_key);
+@@ -1180,9 +1183,6 @@ int rndis_set_subchannel(struct net_device *ndev,
+ netif_set_real_num_tx_queues(ndev, nvdev->num_chn);
+ netif_set_real_num_rx_queues(ndev, nvdev->num_chn);
+
+- for (i = 0; i < VRSS_SEND_TAB_SIZE; i++)
+- ndev_ctx->tx_table[i] = i % nvdev->num_chn;
+-
+ return 0;
+ }
+
diff --git a/patches.suse/msft-hv-1998-hv_netvsc-Fix-unwanted-rx_table-reset.patch b/patches.suse/msft-hv-1998-hv_netvsc-Fix-unwanted-rx_table-reset.patch
new file mode 100644
index 0000000..9801432
--- /dev/null
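Review bot: The tx_table initialisation in `rndis_set_subchannel()` now has to run before `rndis_filter_set_rss_param()`, but nothing in the code says so, and the moved loop reads like something that could sit anywhere in the function. Add a comment above it, for example `/* Set defaults before RSS is enabled: the host may send its own table right after, and it must not be overwritten. */`. The function starts outside the hunk.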
+++ b/patches.suse/msft-hv-1998-hv_netvsc-Fix-unwanted-rx_table-reset.patch 
@@ -0,0 +1,108 @@ +From: Haiyang Zhang +Date: Thu, 19 Dec 2019 18:28:10 -0800 +Patch-mainline: v5.5-rc3 +Subject: hv_netvsc: Fix unwanted rx_table reset +Git-commit: b0689faa8efc5a3391402d7ae93bd373b7248e51 +References: bsc#1164598 + +In existing code, the receive indirection table, rx_table, is in +struct rndis_device, which will be reset when changing MTU, ringparam, +etc. User configured receive indirection table values will be lost. + +To fix this, move rx_table to struct net_device_context, and check +netif_is_rxfh_configured(), so rx_table will be set to default only +if no user configured value. + +Fixes: ff4a44199012 ("netvsc: allow get/set of RSS indirection table") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/hyperv/hyperv_net.h | 3 ++- + drivers/net/hyperv/netvsc_drv.c | 4 ++-- + drivers/net/hyperv/rndis_filter.c | 10 +++++++--- + 3 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -169,7 +169,6 @@ struct rndis_device { + + u8 hw_mac_adr[ETH_ALEN]; + u8 rss_key[NETVSC_HASH_KEYLEN]; +- u16 rx_table[ITAB_NUM]; + }; + + +@@ -940,6 +939,8 @@ struct net_device_context { + + u32 tx_table[VRSS_SEND_TAB_SIZE]; + ++ u16 rx_table[ITAB_NUM]; ++ + /* Ethtool settings */ + u8 duplex; + u32 speed; +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -1662,7 +1662,7 @@ static int netvsc_get_rxfh(struct net_device *dev, u32 *indir, u8 *key, + rndis_dev = ndev->extension; + if (indir) { + for (i = 0; i < ITAB_NUM; i++) +- indir[i] = rndis_dev->rx_table[i]; ++ indir[i] = ndc->rx_table[i]; + } + + if (key) +@@ -1692,7 +1692,7 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir, + return -EINVAL; + + for (i = 0; i < ITAB_NUM; i++) 
+- rndis_dev->rx_table[i] = indir[i]; ++ ndc->rx_table[i] = indir[i]; + } + + if (!key) { +diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -773,6 +773,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev, + const u8 *rss_key, u16 flag) + { + struct net_device *ndev = rdev->ndev; ++ struct net_device_context *ndc = netdev_priv(ndev); + struct rndis_request *request; + struct rndis_set_request *set; + struct rndis_set_complete *set_complete; +@@ -812,7 +813,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev, + /* Set indirection table entries */ + itab = (u32 *)(rssp + 1); + for (i = 0; i < ITAB_NUM; i++) +- itab[i] = rdev->rx_table[i]; ++ itab[i] = ndc->rx_table[i]; + + /* Set hask key values */ + keyp = (u8 *)((unsigned long)rssp + rssp->hashkey_offset); +@@ -1312,6 +1313,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev, + struct netvsc_device_info *device_info) + { + struct net_device *net = hv_get_drvdata(dev); ++ struct net_device_context *ndc = netdev_priv(net); + struct netvsc_device *net_device; + struct rndis_device *rndis_device; + struct ndis_recv_scale_cap rsscap; +@@ -1398,9 +1400,11 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev, + /* We will use the given number of channels if available. */ + net_device->num_chn = min(net_device->max_chn, device_info->num_chn); + +- for (i = 0; i < ITAB_NUM; i++) +- rndis_device->rx_table[i] = ethtool_rxfh_indir_default( ++ if (!netif_is_rxfh_configured(net)) { ++ for (i = 0; i < ITAB_NUM; i++) ++ ndc->rx_table[i] = ethtool_rxfh_indir_default( + i, net_device->num_chn); ++ } + + atomic_set(&net_device->open_chn, 1); + vmbus_set_sc_create_callback(dev->channel, netvsc_sc_open); 
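Review bot: In `rndis_filter_device_add()` the new `if (!netif_is_rxfh_configured(net))` keeps a user-configured `ndc->rx_table` across device re-adds without re-checking its entries against the freshly computed `net_device->num_chn`. If the channel count can come out smaller than it was when the table was set (not visible in this hunk), kept entries could name a channel that no longer exists. It is worth confirming that a caller prevents this, or falling back to `ethtool_rxfh_indir_default()` when any entry is `>= net_device->num_chn`. A short comment on the `if` stating that the user's table is deliberately preserved would help as well. The function's body extends beyond the hunk on both sides.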
diff --git a/patches.suse/net-add-sendmsg_locked-and-sendpage_locked-to-af_ine.patch b/patches.suse/net-add-sendmsg_locked-and-sendpage_locked-to-af_ine.patch
new file mode 100644
index 0000000..2532163
--- /dev/null
+++ b/patches.suse/net-add-sendmsg_locked-and-sendpage_locked-to-af_ine.patch
@@ -0,0 +1,29 @@
+From: John Fastabend
+Date: Tue, 15 Aug 2017 22:31:10 -0700
+Subject: net: add sendmsg_locked and sendpage_locked to af_inet6
+Patch-mainline: v4.14-rc1
+Git-commit: 45f91bdcd5c5ba559a4bb7c3a0e0709476cf570f
+References: bsc#1144162
+
+To complete the sendmsg_locked and sendpage_locked implementation add
+the hooks for af_inet6 as well.
+
+Signed-off-by: John Fastabend
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/ipv6/af_inet6.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -596,6 +596,8 @@ const struct proto_ops inet6_stream_ops = {
+ .recvmsg = inet_recvmsg, /* ok */
+ .mmap = sock_no_mmap,
+ .sendpage = inet_sendpage,
++ .sendmsg_locked = tcp_sendmsg_locked,
++ .sendpage_locked = tcp_sendpage_locked,
+ .splice_read = tcp_splice_read,
+ .read_sock = tcp_read_sock,
+ .peek_len = tcp_peek_len,
diff --git a/patches.suse/net-sched-correct-flower-port-blocking.patch b/patches.suse/net-sched-correct-flower-port-blocking.patch
new file mode 100644
index 0000000..375a785
--- /dev/null
+++ b/patches.suse/net-sched-correct-flower-port-blocking.patch
@@ -0,0 +1,65 @@ +From: Jason Baron +Date: Mon, 17 Feb 2020 15:38:09 -0500 +Subject: net: sched: correct flower port blocking +Git-commit: 8a9093c79863b58cc2f9874d7ae788f0d622a596 +Patch-mainline: 5.6-rc3 +References: git-fixes + +tc flower rules that are based on src or dst port blocking are sometimes +ineffective due to uninitialized stack data. __skb_flow_dissect() extracts +ports from the skb for tc flower to match against. However, the port +dissection is not done when when the FLOW_DIS_IS_FRAGMENT bit is set in +key_control->flags. All callers of __skb_flow_dissect(), zero-out the +key_control field except for fl_classify() as used by the flower +classifier. Thus, the FLOW_DIS_IS_FRAGMENT may be set on entry to +__skb_flow_dissect(), since key_control is allocated on the stack +and may not be initialized. + +Since key_basic and key_control are present for all flow keys, let's +make sure they are initialized. + +Fixes: 62230715fd24 ("flow_dissector: do not dissect l4 ports for fragments") +Co-developed-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Acked-by: Cong Wang +Signed-off-by: Jason Baron +Signed-off-by: David S. 
Miller +Signed-off-by: Jiri Slaby +--- + include/net/flow_dissector.h | 9 +++++++++ + net/sched/cls_flower.c | 1 + + 2 files changed, 10 insertions(+) + +--- a/include/net/flow_dissector.h ++++ b/include/net/flow_dissector.h +@@ -3,6 +3,7 @@ + + #include + #include ++#include + #include + + /** +@@ -272,4 +273,12 @@ static inline void *skb_flow_dissector_t + return ((char *)target_container) + flow_dissector->offset[key_id]; + } + ++static inline void ++flow_dissector_init_keys(struct flow_dissector_key_control *key_control, ++ struct flow_dissector_key_basic *key_basic) ++{ ++ memset(key_control, 0, sizeof(*key_control)); ++ memset(key_basic, 0, sizeof(*key_basic)); ++} ++ + #endif +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -157,6 +157,7 @@ static int fl_classify(struct sk_buff *s + struct fl_flow_key skb_mkey; + + list_for_each_entry_rcu(mask, &head->masks, list) { ++ flow_dissector_init_keys(&skb_key.control, &skb_key.basic); + fl_clear_masked_range(&skb_key, mask); + + skb_key.indev_ifindex = skb->skb_iif; diff --git a/patches.suse/powerpc-tm-Fix-clearing-MSR-TS-in-current-when-recla.patch b/patches.suse/powerpc-tm-Fix-clearing-MSR-TS-in-current-when-recla.patch new file mode 100644 index 0000000..e44a127 --- /dev/null +++ b/patches.suse/powerpc-tm-Fix-clearing-MSR-TS-in-current-when-recla.patch 
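Review bot: `flow_dissector_init_keys()` is added to `include/net/flow_dissector.h` without a comment, although the reason it exists cannot be read off two `memset()` calls. A one-line comment such as `/* Zero the always-present keys: stale stack bytes in key_control->flags can look like FLOW_DIS_IS_FRAGMENT and suppress port dissection. */` records why `fl_classify()` must call it before dissecting, which is what keeps port-based filter rules effective. In `fl_classify()` the call sits inside the `list_for_each_entry_rcu()` loop, whose body continues outside the hunk.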
@@ -0,0 +1,291 @@ +From 2464cc4c345699adea52c7aef75707207cb8a2f6 Mon Sep 17 00:00:00 2001 +From: Gustavo Luiz Duarte +Date: Tue, 11 Feb 2020 00:38:29 -0300 +Subject: [PATCH] powerpc/tm: Fix clearing MSR[TS] in current when reclaiming + on signal delivery + +References: bsc#1118338 ltc#173734 +Patch-mainline: v5.6-rc3 +Git-commit: 2464cc4c345699adea52c7aef75707207cb8a2f6 + +After a treclaim, we expect to be in non-transactional state. If we +don't clear the current thread's MSR[TS] before we get preempted, then +tm_recheckpoint_new_task() will recheckpoint and we get rescheduled in +suspended transaction state. + +When handling a signal caught in transactional state, +handle_rt_signal64() calls get_tm_stackpointer() that treclaims the +transaction using tm_reclaim_current() but without clearing the +thread's MSR[TS]. This can cause the TM Bad Thing exception below if +later we pagefault and get preempted trying to access the user's +sigframe, using __put_user(). Afterwards, when we are rescheduled back +into do_page_fault() (but now in suspended state since the thread's +MSR[TS] was not cleared), upon executing 'rfid' after completion of +the page fault handling, the exception is raised because a transition +from suspended to non-transactional state is invalid. 
+ + Unexpected TM Bad Thing exception at c00000000000de44 (msr 0x8000000302a03031) tm_scratch=800000010280b033 + Oops: Unrecoverable exception, sig: 6 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + CPU: 25 PID: 15547 Comm: a.out Not tainted 5.4.0-rc2 #32 + NIP: c00000000000de44 LR: c000000000034728 CTR: 0000000000000000 + REGS: c00000003fe7bd70 TRAP: 0700 Not tainted (5.4.0-rc2) + MSR: 8000000302a03031 CR: 44000884 XER: 00000000 + CFAR: c00000000000dda4 IRQMASK: 0 + PACATMSCRATCH: 800000010280b033 + GPR00: c000000000034728 c000000f65a17c80 c000000001662800 00007fffacf3fd78 + GPR04: 0000000000001000 0000000000001000 0000000000000000 c000000f611f8af0 + GPR08: 0000000000000000 0000000078006001 0000000000000000 000c000000000000 + GPR12: c000000f611f84b0 c00000003ffcb200 0000000000000000 0000000000000000 + GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000f611f8140 + GPR24: 0000000000000000 00007fffacf3fd68 c000000f65a17d90 c000000f611f7800 + GPR28: c000000f65a17e90 c000000f65a17e90 c000000001685e18 00007fffacf3f000 + NIP [c00000000000de44] fast_exception_return+0xf4/0x1b0 + LR [c000000000034728] handle_rt_signal64+0x78/0xc50 + Call Trace: + [c000000f65a17c80] [c000000000034710] handle_rt_signal64+0x60/0xc50 (unreliable) + [c000000f65a17d30] [c000000000023640] do_notify_resume+0x330/0x460 + [c000000f65a17e20] [c00000000000dcc4] ret_from_except_lite+0x70/0x74 + Instruction dump: + 7c4ff120 e8410170 7c5a03a6 38400000 f8410060 e8010070 e8410080 e8610088 + 60000000 60000000 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed0989 + ---[ end trace 93094aa44b442f87 ]--- + +The simplified sequence of events that triggers the above exception is: + + ... 
# userspace in NON-TRANSACTIONAL state + tbegin # userspace in TRANSACTIONAL state + signal delivery # kernelspace in SUSPENDED state + handle_rt_signal64() + get_tm_stackpointer() + treclaim # kernelspace in NON-TRANSACTIONAL state + __put_user() + page fault happens. We will never get back here because of the TM Bad Thing exception. + + page fault handling kicks in and we voluntarily preempt ourselves + do_page_fault() + __schedule() + __switch_to(other_task) + + our task is rescheduled and we recheckpoint because the thread's MSR[TS] was not cleared + __switch_to(our_task) + switch_to_tm() + tm_recheckpoint_new_task() + trechkpt # kernelspace in SUSPENDED state + + The page fault handling resumes, but now we are in suspended transaction state + do_page_fault() completes + rfid <----- trying to get back where the page fault happened (we were non-transactional back then) + TM Bad Thing # illegal transition from suspended to non-transactional + +This patch fixes that issue by clearing the current thread's MSR[TS] +just after treclaim in get_tm_stackpointer() so that we stay in +non-transactional state in case we are preempted. In order to make +treclaim and clearing the thread's MSR[TS] atomic from a preemption +perspective when CONFIG_PREEMPT is set, preempt_disable/enable() is +used. It's also necessary to save the previous value of the thread's +MSR before get_tm_stackpointer() is called so that it can be exposed +to the signal handler later in setup_tm_sigcontexts() to inform the +userspace MSR at the moment of the signal delivery. + +Found with tm-signal-context-force-tm kernel selftest. 
+ +Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context") +Cc: stable@vger.kernel.org # v3.9 +Signed-off-by: Gustavo Luiz Duarte +Acked-by: Michael Neuling +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200211033831.11165-1-gustavold@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/signal.c | 17 +++++++++++++++-- + arch/powerpc/kernel/signal_32.c | 28 ++++++++++++++-------------- + arch/powerpc/kernel/signal_64.c | 22 ++++++++++------------ + 3 files changed, 39 insertions(+), 28 deletions(-) + +diff --git a/arch/powerpc/kernel/signal.c b/arch/powerpc/kernel/signal.c +index e6c30cee6abf..d215f9554553 100644 +--- a/arch/powerpc/kernel/signal.c ++++ b/arch/powerpc/kernel/signal.c +@@ -200,14 +200,27 @@ unsigned long get_tm_stackpointer(struct task_struct *tsk) + * normal/non-checkpointed stack pointer. + */ + ++ unsigned long ret = tsk->thread.regs->gpr[1]; ++ + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + BUG_ON(tsk != current); + + if (MSR_TM_ACTIVE(tsk->thread.regs->msr)) { ++ preempt_disable(); + tm_reclaim_current(TM_CAUSE_SIGNAL); + if (MSR_TM_TRANSACTIONAL(tsk->thread.regs->msr)) +- return tsk->thread.ckpt_regs.gpr[1]; ++ ret = tsk->thread.ckpt_regs.gpr[1]; ++ ++ /* ++ * If we treclaim, we must clear the current thread's TM bits ++ * before re-enabling preemption. Otherwise we might be ++ * preempted and have the live MSR[TS] changed behind our back ++ * (tm_recheckpoint_new_task() would recheckpoint). Besides, we ++ * enter the signal handler in non-transactional state. 
++ */ ++ tsk->thread.regs->msr &= ~MSR_TS_MASK; ++ preempt_enable(); + } + #endif +- return tsk->thread.regs->gpr[1]; ++ return ret; + } +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c +index 98600b276f76..1b090a76b444 100644 +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -489,19 +489,11 @@ static int save_user_regs(struct pt_regs *regs, struct mcontext __user *frame, + */ + static int save_tm_user_regs(struct pt_regs *regs, + struct mcontext __user *frame, +- struct mcontext __user *tm_frame, int sigret) ++ struct mcontext __user *tm_frame, int sigret, ++ unsigned long msr) + { +- unsigned long msr = regs->msr; +- + WARN_ON(tm_suspend_disabled); + +- /* Remove TM bits from thread's MSR. The MSR in the sigcontext +- * just indicates to userland that we were doing a transaction, but we +- * don't want to return in transactional state. This also ensures +- * that flush_fp_to_thread won't set TIF_RESTORE_TM again. +- */ +- regs->msr &= ~MSR_TS_MASK; +- + /* Save both sets of general registers */ + if (save_general_regs(¤t->thread.ckpt_regs, frame) + || save_general_regs(regs, tm_frame)) +@@ -912,6 +904,10 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset, + int sigret; + unsigned long tramp; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -944,13 +940,13 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset, + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + tm_frame = &rt_sf->uc_transact.uc_mcontext; +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + if (__put_user((unsigned long)&rt_sf->uc_transact, + &rt_sf->uc.uc_link) || + __put_user((unsigned long)tm_frame, + &rt_sf->uc_transact.uc_regs)) + goto badframe; +- if (save_tm_user_regs(regs, frame, tm_frame, sigret)) ++ if 
(save_tm_user_regs(regs, frame, tm_frame, sigret, msr)) + goto badframe; + } + else +@@ -1369,6 +1365,10 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset, + int sigret; + unsigned long tramp; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -1402,9 +1402,9 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset, + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + tm_mctx = &frame->mctx_transact; +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + if (save_tm_user_regs(regs, &frame->mctx, &frame->mctx_transact, +- sigret)) ++ sigret, msr)) + goto badframe; + } + else +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c +index 117515564ec7..84ed2e77ef9c 100644 +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -192,7 +192,8 @@ static long setup_sigcontext(struct sigcontext __user *sc, + static long setup_tm_sigcontexts(struct sigcontext __user *sc, + struct sigcontext __user *tm_sc, + struct task_struct *tsk, +- int signr, sigset_t *set, unsigned long handler) ++ int signr, sigset_t *set, unsigned long handler, ++ unsigned long msr) + { + /* When CONFIG_ALTIVEC is set, we _always_ setup v_regs even if the + * process never used altivec yet (MSR_VEC is zero in pt_regs of +@@ -207,12 +208,11 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc, + elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc); + #endif + struct pt_regs *regs = tsk->thread.regs; +- unsigned long msr = tsk->thread.regs->msr; + long err = 0; + + BUG_ON(tsk != current); + +- BUG_ON(!MSR_TM_ACTIVE(regs->msr)); ++ BUG_ON(!MSR_TM_ACTIVE(msr)); + + WARN_ON(tm_suspend_disabled); + +@@ -222,13 +222,6 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc, + */ + msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | 
MSR_VSX); + +- /* Remove TM bits from thread's MSR. The MSR in the sigcontext +- * just indicates to userland that we were doing a transaction, but we +- * don't want to return in transactional state. This also ensures +- * that flush_fp_to_thread won't set TIF_RESTORE_TM again. +- */ +- regs->msr &= ~MSR_TS_MASK; +- + #ifdef CONFIG_ALTIVEC + err |= __put_user(v_regs, &sc->v_regs); + err |= __put_user(tm_v_regs, &tm_sc->v_regs); +@@ -824,6 +817,10 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, + unsigned long newsp = 0; + long err = 0; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -841,7 +838,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, + err |= __put_user(0, &frame->uc.uc_flags); + err |= __save_altstack(&frame->uc.uc_stack, regs->gpr[1]); + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + /* The ucontext_t passed to userland points to the second + * ucontext_t (for transactional state) with its uc_link ptr. + */ +@@ -849,7 +846,8 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, + err |= setup_tm_sigcontexts(&frame->uc.uc_mcontext, + &frame->uc_transact.uc_mcontext, + tsk, ksig->sig, NULL, +- (unsigned long)ksig->ka.sa.sa_handler); ++ (unsigned long)ksig->ka.sa.sa_handler, ++ msr); + } else + #endif + { +-- +2.23.0 + diff --git a/patches.suse/rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch b/patches.suse/rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch deleted file mode 100644 index 74c989a..0000000 --- a/patches.suse/rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch +++ /dev/null 
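Review bot: `get_tm_stackpointer()` now does more than its name says: in the `MSR_TM_ACTIVE` branch it clears `MSR_TS_MASK` in `tsk->thread.regs->msr`, so every caller that needs the MSR as it was at signal delivery has to read it beforehand, as the three handlers changed here do. The function's header comment starts outside the hunk and, as far as it is visible, does not mention this; I would add `* Side effect: clears MSR[TS] in tsk->thread.regs->msr after reclaiming; read regs->msr first if the pre-signal value is needed.`. Any caller not touched by this patch should be checked for a later `MSR_TM_ACTIVE(regs->msr)` test, which would then be false after the call.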
@@ -1,51 +0,0 @@ -From f06eb3f9c03eda3bf7e40b49f5a4b032752bb176 Mon Sep 17 00:00:00 2001 -From: Ping-Ke Shih -Date: Fri, 29 Sep 2017 14:47:51 -0500 -Subject: [PATCH] rtlwifi: Fix MAX MPDU of VHT capability -Git-commit: f06eb3f9c03eda3bf7e40b49f5a4b032752bb176 -Patch-mainline: v4.15-rc1 -References: FATE#326906 - -We must choose only one of VHT_CAP among -IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895, -IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 and -IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454. - -Signed-off-by: Ping-Ke Shih -Signed-off-by: Larry Finger -Cc: Yan-Hsuan Chuang -Cc: Birming Chiu -Cc: Shaofu -Cc: Steven Ting -Signed-off-by: Kalle Valo -Acked-by: Takashi Iwai - ---- - drivers/net/wireless/realtek/rtlwifi/base.c | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c -index ea18aa7afecb..fcf6e31d0fb9 100644 ---- a/drivers/net/wireless/realtek/rtlwifi/base.c -+++ b/drivers/net/wireless/realtek/rtlwifi/base.c -@@ -249,8 +249,6 @@ static void _rtl_init_hw_vht_capab(struct ieee80211_hw *hw, - - vht_cap->vht_supported = true; - vht_cap->cap = -- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895 | -- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 | - IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 | - IEEE80211_VHT_CAP_SHORT_GI_80 | - IEEE80211_VHT_CAP_TXSTBC | -@@ -283,8 +281,6 @@ static void _rtl_init_hw_vht_capab(struct ieee80211_hw *hw, - - vht_cap->vht_supported = true; - vht_cap->cap = -- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895 | -- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 | - IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 | - IEEE80211_VHT_CAP_SHORT_GI_80 | - IEEE80211_VHT_CAP_TXSTBC | --- -2.19.2 - diff --git a/patches.suse/rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch b/patches.suse/rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch deleted file mode 100644 index 52d51e2..0000000 --- a/patches.suse/rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From ecf4000e0d925c6ba074d11801df4a4cdd8d5324 Mon Sep 17 00:00:00 2001 -From: Ping-Ke Shih -Date: Fri, 29 Sep 2017 14:47:52 -0500 -Subject: [PATCH] rtlwifi: Remove redundant semicolon in wifi.h. -Git-commit: ecf4000e0d925c6ba074d11801df4a4cdd8d5324 -Patch-mainline: v4.15-rc1 -References: FATE#326906 - -The semicolon can cause compiler error, if it exists in if...else -statement. - -Signed-off-by: Ping-Ke Shih -Signed-off-by: Larry Finger -Cc: Yan-Hsuan Chuang -Cc: Birming Chiu -Cc: Shaofu -Cc: Steven Ting -Signed-off-by: Kalle Valo -Acked-by: Takashi Iwai - ---- - drivers/net/wireless/realtek/rtlwifi/wifi.h | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h -index 1ab1024330fb..90e875beff66 100644 ---- a/drivers/net/wireless/realtek/rtlwifi/wifi.h -+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h -@@ -2857,19 +2857,19 @@ value to host byte ordering.*/ - cpu_to_le32( \ - LE_BITS_CLEARED_TO_4BYTE(__pstart, __bitoffset, __bitlen) | \ - ((((u32)__val) & BIT_LEN_MASK_32(__bitlen)) << (__bitoffset)) \ -- ); -+ ) - #define SET_BITS_TO_LE_2BYTE(__pstart, __bitoffset, __bitlen, __val) \ - *((__le16 *)(__pstart)) = \ - cpu_to_le16( \ - LE_BITS_CLEARED_TO_2BYTE(__pstart, __bitoffset, __bitlen) | \ - ((((u16)__val) & BIT_LEN_MASK_16(__bitlen)) << (__bitoffset)) \ -- ); -+ ) - #define SET_BITS_TO_LE_1BYTE(__pstart, __bitoffset, __bitlen, __val) \ - *((u8 *)(__pstart)) = EF1BYTE \ - ( \ - LE_BITS_CLEARED_TO_1BYTE(__pstart, __bitoffset, __bitlen) | \ - ((((u8)__val) & BIT_LEN_MASK_8(__bitlen)) << (__bitoffset)) \ -- ); -+ ) - - #define N_BYTE_ALIGMENT(__value, __aligment) ((__aligment == 1) ? \ - (__value) : (((__value + __aligment - 1) / __aligment) * __aligment)) --- -2.19.2 - 
diff --git a/patches.suse/sr_vendor-support-Beurer-GL50-evo-CD-on-a-chip-devic.patch b/patches.suse/sr_vendor-support-Beurer-GL50-evo-CD-on-a-chip-devic.patch
new file mode 100644
index 0000000..2849d84
--- /dev/null
+++ b/patches.suse/sr_vendor-support-Beurer-GL50-evo-CD-on-a-chip-devic.patch
@@ -0,0 +1,68 @@ +From 396bbe1427828be1025fb052b7e04b42f421352d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?= +Date: Tue, 19 Nov 2019 21:37:09 +0000 +Subject: [PATCH] sr_vendor: support Beurer GL50 evo CD-on-a-chip devices. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +References: boo#1164632 +Patch-mainline: v5.5-rc1 +Git-commit: 396bbe1427828be1025fb052b7e04b42f421352d + +The Beurer GL50 evo uses a Cygnal-manufactured CD-on-a-chip that only +accepts a subset of SCSI commands, and supports neither audio commands +nor generic packet commands. + +Actually sending those commands bring the device to an unrecoverable +state that causes the device to hang and reset. + +To: Jens Axboe +Cc: linux-kernel@vger.kernel.org +Cc: linux-scsi@vger.kernel.org +Signed-off-by: Diego Elio Pettenò +Signed-off-by: Jens Axboe +Acked-by: Michal Suchanek +--- + drivers/scsi/sr_vendor.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/scsi/sr_vendor.c b/drivers/scsi/sr_vendor.c +index e3b0ce25162b..17a56c87d383 100644 +--- a/drivers/scsi/sr_vendor.c ++++ b/drivers/scsi/sr_vendor.c +@@ -61,6 +61,7 @@ + #define VENDOR_NEC 2 + #define VENDOR_TOSHIBA 3 + #define VENDOR_WRITER 4 /* pre-scsi3 writers */ ++#define VENDOR_CYGNAL_85ED 5 /* CD-on-a-chip */ + + #define VENDOR_TIMEOUT 30*HZ + +@@ -99,6 +100,23 @@ void sr_vendor_init(Scsi_CD *cd) + } else if (!strncmp(vendor, "TOSHIBA", 7)) { + cd->vendor = VENDOR_TOSHIBA; + ++ } else if (!strncmp(vendor, "Beurer", 6) && ++ !strncmp(model, "Gluco Memory", 12)) { ++ /* The Beurer GL50 evo uses a Cygnal-manufactured CD-on-a-chip ++ that only accepts a subset of SCSI commands. Most of the ++ not-implemented commands are fine to fail, but a few, ++ particularly around the MMC or Audio commands, will put the ++ device into an unrecoverable state, so they need to be ++ avoided at all costs. 
++ */ ++ cd->vendor = VENDOR_CYGNAL_85ED; ++ cd->cdi.mask |= ( ++ CDC_MULTI_SESSION | ++ CDC_CLOSE_TRAY | CDC_OPEN_TRAY | ++ CDC_LOCK | ++ CDC_GENERIC_PACKET | ++ CDC_PLAY_AUDIO ++ ); + } + #endif + } +-- +2.23.0 + diff --git a/series.conf b/series.conf index a67f5fa..a03672d 100644 --- a/series.conf +++ b/series.conf @@ -8770,6 +8770,7 @@ patches.suse/virtio-put-paren-around-sizeof.patch patches.suse/mlx4-sizeof-style-usage.patch patches.suse/liquidio-update-VF-s-netdev-max_mtu-if-there-s-a-cha.patch + patches.suse/net-add-sendmsg_locked-and-sendpage_locked-to-af_ine.patch patches.suse/net-fixes-for-skb_send_sock.patch patches.suse/bpf-introduce-new-program-type-for-skbs-on-sockets.patch patches.suse/bpf-export-bpf_prog_inc_not_zero.patch @@ -13749,8 +13750,8 @@ patches.suse/mwifiex-minor-cleanups-w-sta_list_spinlock-in-cfg802.patch patches.suse/mwifiex-double-the-size-of-chan_stats-array-in-adapt.patch patches.suse/mwifiex-Use-put_unaligned_le32.patch - patches.suse/rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch - patches.suse/rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch + patches.suse/0001-rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch + patches.suse/0001-rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch patches.suse/rtlwifi-rtl8192ee-Make-driver-support-64bits-DMA.patch patches.suse/rtlwifi-Implement-rtl_get_tx_hw_rate-to-yield-correc.patch patches.suse/rtlwifi-Add-rtl_get_hal_edca_param-to-generate-regis.patch @@ -42710,6 +42711,7 @@ patches.suse/mei-samples-fix-a-signedness-bug-in-amt_host_if_call.patch patches.suse/gsmi-Fix-bug-in-append_to_eventlog-sysfs-handler.patch patches.suse/msft-hv-1784-hv_balloon-Replace-spin_is_locked-with-lockdep.patch + patches.suse/iommu-io-pgtable-arm-Fix-race-handling-in-split_blk_.patch patches.suse/iommu-arm-smmu-v3-Fix-unexpected-CMD_SYNC-timeout.patch patches.suse/iommu-arm-smmu-v3-Avoid-back-to-back-CMD_SYNC-operat.patch patches.suse/iommu-arm-smmu-v3-Implement-flush_iotlb_all-hook.patch 
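Review bot: In the sr_vendor_init() hunk of the added sr_vendor patch, the new Beurer branch sits directly above the `#endif`, so the capability mask that keeps the hang-inducing commands away from the device is presumably compiled only when the vendor-quirk option is enabled (the opening `#ifdef` is outside the hunk, as is the start of the function). This merge sets `CONFIG_BLK_DEV_SR_VENDOR=y` in the arm64, s390x and x86_64 default configs; any other flavor built from this tree would not get the mask, so it is worth confirming that every shipped config is covered. I would also record the dependency in the block comment itself, e.g. `Only effective when CONFIG_BLK_DEV_SR_VENDOR is set.`, so the protection is not lost silently if the option is turned off again.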
@@ -46592,6 +46594,7 @@
 patches.suse/clocksource-drivers-exynos_mct-Fix-error-path-in-tim.patch
 patches.suse/irqchip-gic-v3-its-Avoid-parsing-_indirect_-twice-fo.patch
 patches.suse/efi-memattr-Don-t-bail-on-zero-VA-if-it-equals-the-r.patch
+ patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch
 patches.suse/perf-core-add-function-to-test-for-event-exclusion-flags.patch
 patches.suse/perf-core-add-perf_pmu_cap_no_exclude-for-exclusion-incapable-pmus.patch
 patches.suse/x86-cpu-amd-set-the-cpb-bit-unconditionally-on-f17h.patch
@@ -47740,6 +47743,7 @@
 patches.suse/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep
 patches.suse/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu
 patches.suse/kvm-x86-always-use-32-bit-smram-save-state-for-32-bit-kernels
+ patches.suse/0001-KVM-fix-spectrev1-gadgets.patch
 patches.suse/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
 patches.suse/cfg80211-Handle-WMM-rules-in-regulatory-domain-inter.patch
 patches.suse/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch
@@ -49057,6 +49061,7 @@
 patches.suse/soc-mediatek-pwrap-Zero-initialize-rdata-in-pwrap_in.patch
 patches.suse/soc-rockchip-Set-the-proper-PWM-for-rk3288.patch
 patches.suse/objtool-fix-function-fallthrough-detection.patch
+ patches.suse/0001-locking-rwsem-Prevent-decrement-of-reader-count-befo.patch
 patches.suse/0001-ntp-Allow-TAI-UTC-offset-to-be-set-to-zero.patch
 patches.suse/x86-speculation-mds-revert-cpu-buffer-clear-on-double-fault-exit.patch
 patches.suse/configfs-fix-possible-use-after-free-in-configfs_reg.patch
@@ -50372,6 +50377,7 @@
 patches.suse/vfio-ccw-set-pa_nr-to-0-if-memory-allocation-fails-for-pa_iova_pfn
 patches.suse/s390-dma-provide-proper-ARCH_ZONE_DMA_BITS
 patches.suse/virtio-s390-fix-race-on-airq_areas
+ patches.suse/0001-lcoking-rwsem-Add-missing-ACQUIRE-to-read_slowpath-s.patch
 patches.suse/tty-ldsem-locking-rwsem-Add-missing-ACQUIRE-to-read_.patch
 patches.suse/sched-fair-Don-t-free-p-numa_faults-with-concurrent-.patch
 patches.suse/sched-fair-Use-RCU-accessors-consistently-for-numa_g.patch
@@ -51215,6 +51221,7 @@
 patches.suse/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_se.patch
 patches.suse/thermal_hwmon-Sanitize-thermal_zone-type.patch
 patches.suse/thermal-Fix-use-after-free-when-unregistering-therma.patch
+ patches.suse/0001-Revert-locking-pvqspinlock-Don-t-wait-if-vCPU-is-pre.patch
 patches.suse/9p-avoid-attaching-writeback_fid-on-mmap-with-type-P.patch
 patches.suse/nfsd-handle-drc-over-allocation-gracefully.patch
 patches.suse/nfsd-degraded-slot-count-more-gracefully-as-allocati.patch
@@ -51655,6 +51662,8 @@
 patches.suse/net-mlx5-Update-the-list-of-the-PCI-supported-device-b7eca940.patch
 patches.suse/0001-nfc-port100-handle-command-failure-cleanly.patch
 patches.suse/sfc-Only-cancel-the-PPS-workqueue-if-it-exists.patch
+ patches.suse/msft-hv-1986-hv_netvsc-Fix-offset-usage-in-netvsc_send_table.patch
+ patches.suse/msft-hv-1987-hv_netvsc-Fix-send_table-offset-in-case-of-a-host-bu.patch
 patches.suse/net-rtnetlink-prevent-underflows-in-do_setvfinfo.patch
 patches.suse/0001-virtio_ring-fix-return-code-on-DMA-mapping-fails.patch
 patches.suse/virtio_console-allocate-inbufs-in-add_port-only-if-i.patch
@@ -51945,6 +51954,8 @@
 patches.suse/gpio-mpc8xxx-Don-t-overwrite-default-irq_set_type-ca.patch
 patches.suse/platform-x86-hp-wmi-Fix-ACPI-errors-caused-by-too-sm.patch
 patches.suse/platform-x86-hp-wmi-Fix-ACPI-errors-caused-by-passin.patch
+ patches.suse/cdrom-respect-device-capabilities-during-opening-act.patch
+ patches.suse/sr_vendor-support-Beurer-GL50-evo-CD-on-a-chip-devic.patch
 patches.suse/libnvdimm-namespace-Differentiate-between-probe-mapp.patch
 patches.suse/libnvdimm-export-the-target_node-attribute-for-regions-and-namespaces.patch
 patches.suse/Input-synaptics-rmi4-simplify-data-read-in-rmi_f54_w.patch
@@ -52221,6 +52232,7 @@
 patches.suse/net-ibmvnic-Fix-typo-in-retry-check.patch
 patches.suse/6pack-mkiss-fix-possible-deadlock.patch
 patches.suse/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch
+ patches.suse/msft-hv-1997-hv_netvsc-Fix-tx_table-init-in-rndis_set_subchannel.patch
 patches.suse/bonding-fix-active-backup-transition-after-link-fail.patch
 patches.suse/gtp-do-not-allow-adding-duplicate-tid-and-ms_addr-pd.patch
 patches.suse/gtp-fix-wrong-condition-in-gtp_genl_dump_pdp.patch
@@ -52234,6 +52246,7 @@
 patches.suse/net-hisilicon-Fix-a-BUG-trigered-by-wrong-bytes_comp.patch
 patches.suse/qede-Disable-hardware-gro-when-xdp-prog-is-installed.patch
 patches.suse/mod_devicetable-fix-PHY-module-format.patch
+ patches.suse/msft-hv-1998-hv_netvsc-Fix-unwanted-rx_table-reset.patch
 patches.suse/net-dst-Force-4-byte-alignment-of-dst_metrics.patch
 patches.suse/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-feature-spec_ctrl_ssbd
 patches.suse/ext4-check-for-directory-entries-too-close-to-block-.patch
@@ -52488,6 +52501,17 @@
 patches.suse/kvm-svm-override-default-mmio-mask-if-memory-encryption-is-enabled
 patches.suse/KVM-PPC-Book3S-HV-Uninit-vCPU-if-vcore-creation-fail.patch
 patches.suse/KVM-PPC-Book3S-PR-Free-shared-page-if-mmu-initializa.patch
+ patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch
+ patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch
+ patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch
+ patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch
+ patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch
+ patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch
+ patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch
+ patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch
+ patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch
+ patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch
+ patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch
 patches.suse/KVM-Clean-up-__kvm_gfn_to_hva_cache_init-and-its-cal.patch
 patches.suse/KVM-PPC-Book3S-PR-Fix-Werror-return-type-build-failu.patch
 patches.suse/x86-resctrl-fix-use-after-free-when-deleting-resource-groups.patch
@@ -52505,6 +52529,7 @@
 patches.suse/media-uvcvideo-Avoid-cyclic-entity-chains-due-to-mal.patch
 patches.suse/PCI-Don-t-disable-bridge-BARs-when-assigning-bus-res.patch
 patches.suse/PCI-switchtec-Fix-vep_vector_number-ioread-width.patch
+ patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch
 patches.suse/vfs-fix-do_last-regression.patch
 patches.suse/mfd-dln2-More-sanity-checking-for-endpoints.patch
 patches.suse/mfd-da9062-Fix-watchdog-compatible-string.patch
@@ -52527,6 +52552,7 @@ patches.suse/iommu-arm-smmu-v3-populate-vmid-field-for-cmdq_op_tlbi_nh_va patches.suse/pwm-omap-dmtimer-Remove-PWM-chip-in-.remove-before-m.patch patches.suse/pwm-Remove-set-but-not-set-variable-pwm.patch + patches.suse/ata-ahci-Add-shutdown-to-freeze-hardware-resources-o.patch patches.suse/0022-bcache-fix-memory-corruption-in-bch_cache_accounting.patch patches.suse/0023-bcache-explicity-type-cast-in-bset_bkey_last.patch patches.suse/0024-bcache-add-readahead-cache-policy-options-via-sysfs-.patch @@ -52553,6 +52579,8 @@ patches.suse/iwlwifi-don-t-throw-error-when-trying-to-remove-IGTK.patch patches.suse/clocksource-Prevent-double-add_timer_on-for-watchdog.patch patches.suse/kconfig-fix-broken-dependency-in-randconfig-generate.patch + patches.suse/0001-ALSA-usb-audio-Apply-sample-rate-quirk-for-Audioengi.patch + patches.suse/0001-ALSA-hda-realtek-Fix-silent-output-on-MSI-GL73.patch patches.suse/0001-enic-prevent-waking-up-stopped-tx-queues-over-watchd.patch patches.suse/perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload patches.suse/hwmon-pmbus-ltc2978-Fix-PMBus-polling-of-MFR_COMMON-.patch @@ -52570,7 +52598,13 @@ patches.suse/ALSA-seq-Fix-concurrent-access-to-queue-current-tick.patch patches.suse/ALSA-hda-Use-scnprintf-for-printing-texts-for-sysfs-.patch patches.suse/ASoC-sun8i-codec-Fix-setting-DAI-data-format.patch + patches.suse/net-sched-correct-flower-port-blocking.patch + patches.suse/powerpc-tm-Fix-clearing-MSR-TS-in-current-when-recla.patch + patches.suse/0001-xen-Enable-interrupts-when-calling-_cond_resched.patch patches.suse/0001-ext4-fix-mount-failure-with-quota-configured-as-modu.patch + patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode + patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function + patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch 
@@ -52694,7 +52728,6 @@ # locking/core ######################################################## patches.suse/sched-optimize-latency-defaults.patch - patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch # that benefits. If unsure, mail performance@suse.de # not enable without a specific example of a workload and machine @@ -52996,6 +53029,7 @@ patches.suse/scsi-retry-alua-transition-in-progress patches.suse/megaraid-mbox-fix-SG_IO patches.suse/fcoe-reduce-max_sectors + patches.suse/md-raid0-fix-buffer-overflow-at-debug-print.patch # bsc#1048585 bsc#1080813 patches.suse/delay-add-poll_event_interruptible.patch