From 883f3483e08e6dbe7f9a83c2008c6ec609275c09 Mon Sep 17 00:00:00 2001 From: Kernel Build Daemon Date: Jul 11 2023 06:06:48 +0000 Subject: Merge branch 'SLE15-SP5' into SLE15-SP5-AZURE --- diff --git a/blacklist.conf b/blacklist.conf index ac5012c..e20f32b 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -701,3 +701,12 @@ a3a9d63dcd15535e7fdf4c7c1b32bfaed762973a # we don't ship bogus nvme id check 5dbc4cb4667457b0c53bcd7bff11500b3c362975 # cleanup commit 63678eecec57fc51b778be3da35a397931287170 # gcc 12 issue c58e28afb11f5cd3c7f8a27b3abb045d848467ac # auth patch refresh already contains this fix +3bbef91bdd2180c67407285ba160b023eb4d5306 # Just unused variable warning fix +1e9d62d252812575ded7c620d8fc67c32ff06c16 # Small performance improvement for xattr inodes +01e4ca29451760b9ac10b4cdc231c52150842643 # Theoretical issue with unused flag +5354b2af34064a4579be8bc0e2f15a7b70f14b5f # Handles situation when bdev is corrupted while being mounted +463808f237cf73e98a1a45ff7460c2406a150a0b # Handles situation when bdev is corrupted while being mounted +4f04351888a83e595571de672e0a4a8b74f4fb31 # Handles situation when bdev is corrupted while being mounted +2220eaf90992c11d888fe771055d4de330385f01 # Handles situation when bdev is corrupted while being mounted +dea9d8f7643fab07bf89a1155f1f94f37d096a5e # The problem is real, we don't want to just silence the warning +e730558adffb88a52e562db089e969ee9510184a # Subtle changes in fanotify behavior diff --git a/patches.suse/0001-nvme-introduce-nvme_start_request.patch b/patches.suse/0001-nvme-introduce-nvme_start_request.patch new file mode 100644 index 0000000..b13ee1c --- /dev/null +++ b/patches.suse/0001-nvme-introduce-nvme_start_request.patch @@ -0,0 +1,95 @@ +From 6887fc6495f2dfd55e088c982e983815278ee453 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Mon, 3 Oct 2022 12:43:43 +0300 +Git-commit: 6887fc6495f2dfd55e088c982e983815278ee453 +Patch-mainline: v6.2-rc1 +References: bsc#1210565 +Subject: [PATCH] nvme: introduce nvme_start_request + +In preparation for nvme-multipath IO stats accounting, we want the +accounting to happen in a centralized place. The request completion +is already centralized, but we need a common helper to request I/O +start. + +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Hannes Reinecke +--- + drivers/nvme/host/fc.c | 2 +- + drivers/nvme/host/nvme.h | 5 +++++ + drivers/nvme/host/pci.c | 2 +- + drivers/nvme/host/rdma.c | 2 +- + drivers/nvme/host/tcp.c | 2 +- + drivers/nvme/target/loop.c | 2 +- + 6 files changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2746,7 +2746,7 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl + atomic_set(&op->state, FCPOP_STATE_ACTIVE); + + if (!(op->flags & FCOP_FLAGS_AEN)) +- blk_mq_start_request(op->rq); ++ nvme_start_request(op->rq); + + cmdiu->csn = cpu_to_be32(atomic_inc_return(&queue->csn)); + ret = ctrl->lport->ops->fcp_io(&ctrl->lport->localport, +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -1005,6 +1005,11 @@ static inline void nvme_hwmon_exit(struc + } + #endif + ++static inline void nvme_start_request(struct request *rq) ++{ ++ blk_mq_start_request(rq); ++} ++ + static inline bool nvme_ctrl_sgl_supported(struct nvme_ctrl *ctrl) + { + return ctrl->sgls & ((1 << 0) | (1 << 1)); +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -918,7 +918,7 @@ static blk_status_t nvme_prep_rq(struct + goto out_unmap_data; + } + +- blk_mq_start_request(req); ++ nvme_start_request(req); + return BLK_STS_OK; + out_unmap_data: + nvme_unmap_data(dev, req); +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -2106,7 +2106,7 @@ static blk_status_t nvme_rdma_queue_rq(s + if (ret) + goto unmap_qe; + +- blk_mq_start_request(rq); ++ nvme_start_request(rq); + + if (IS_ENABLED(CONFIG_BLK_DEV_INTEGRITY) && + queue->pi_support && +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -2487,7 +2487,7 @@ static blk_status_t nvme_tcp_queue_rq(st + if (unlikely(ret)) + return ret; + +- blk_mq_start_request(rq); ++ nvme_start_request(rq); + + nvme_tcp_queue_request(req, true, bd->last); + +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -145,7 +145,7 @@ static blk_status_t nvme_loop_queue_rq(s + if (ret) + return ret; + +- blk_mq_start_request(req); ++ nvme_start_request(req); + iod->cmd.common.flags |= NVME_CMD_SGL_METABUF; + iod->req.port = queue->ctrl->port; + if (!nvmet_req_init(&iod->req, &queue->nvme_cq, diff --git a/patches.suse/0001-ubi-Fix-failure-attaching-when-vid_hdr-offset-equals.patch b/patches.suse/0001-ubi-Fix-failure-attaching-when-vid_hdr-offset-equals.patch new file mode 100644 index 0000000..faae2af --- /dev/null +++ b/patches.suse/0001-ubi-Fix-failure-attaching-when-vid_hdr-offset-equals.patch @@ -0,0 +1,78 @@ +From 1e020e1b96afdecd20680b5b5be2a6ffc3d27628 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Mon, 6 Mar 2023 09:33:08 +0800 +Subject: [PATCH] ubi: Fix failure attaching when vid_hdr offset equals to + (sub)page size +Git-commit: 1e020e1b96afdecd20680b5b5be2a6ffc3d27628 +Patch-mainline: v6.3-rc7 +References: bsc#1210584 + +Following process will make ubi attaching failed since commit +1b42b1a36fc946 ("ubi: ensure that VID header offset ... size"): + +ID="0xec,0xa1,0x00,0x15" # 128M 128KB 2KB +modprobe nandsim id_bytes=$ID +flash_eraseall /dev/mtd0 +modprobe ubi mtd="0,2048" # set vid_hdr offset as 2048 (one page) +(dmesg): ubi0 error: ubi_attach_mtd_dev [ubi]: VID header offset 2048 too large. + UBI error: cannot attach mtd0 + UBI error: cannot initialize UBI, error -22 + +Rework original solution, the key point is making sure +'vid_hdr_shift + UBI_VID_HDR_SIZE < ubi->vid_hdr_alsize', +so we should check vid_hdr_shift rather not vid_hdr_offset. +Then, ubi still support (sub)page aligined VID header offset. + +Fixes: 1b42b1a36fc946 ("ubi: ensure that VID header offset ... size") +Signed-off-by: Zhihao Cheng +Tested-by: Nicolas Schichan +Tested-by: Miquel Raynal # v5.10, v4.19 +Signed-off-by: Richard Weinberger +Signed-off-by: Michal Hocko + +--- + drivers/mtd/ubi/build.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c +index 0904eb40c95f..ad025b2ee417 100644 +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -666,12 +666,6 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024) + ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size); + ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size); + +- if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) > +- ubi->vid_hdr_alsize)) { +- ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset); +- return -EINVAL; +- } +- + dbg_gen("min_io_size %d", ubi->min_io_size); + dbg_gen("max_write_size %d", ubi->max_write_size); + dbg_gen("hdrs_min_io_size %d", ubi->hdrs_min_io_size); +@@ -689,6 +683,21 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024) + ubi->vid_hdr_aloffset; + } + ++ /* ++ * Memory allocation for VID header is ubi->vid_hdr_alsize ++ * which is described in comments in io.c. ++ * Make sure VID header shift + UBI_VID_HDR_SIZE not exceeds ++ * ubi->vid_hdr_alsize, so that all vid header operations ++ * won't access memory out of bounds. ++ */ ++ if ((ubi->vid_hdr_shift + UBI_VID_HDR_SIZE) > ubi->vid_hdr_alsize) { ++ ubi_err(ubi, "Invalid VID header offset %d, VID header shift(%d)" ++ " + VID header size(%zu) > VID header aligned size(%d).", ++ ubi->vid_hdr_offset, ubi->vid_hdr_shift, ++ UBI_VID_HDR_SIZE, ubi->vid_hdr_alsize); ++ return -EINVAL; ++ } ++ + /* Similar for the data offset */ + ubi->leb_start = ubi->vid_hdr_offset + UBI_VID_HDR_SIZE; + ubi->leb_start = ALIGN(ubi->leb_start, ubi->min_io_size); +-- +2.35.3 + diff --git a/patches.suse/0001-ubi-ensure-that-VID-header-offset-VID-header-size-al.patch b/patches.suse/0001-ubi-ensure-that-VID-header-offset-VID-header-size-al.patch new file mode 100644 index 0000000..c2ce5f2 --- /dev/null +++ b/patches.suse/0001-ubi-ensure-that-VID-header-offset-VID-header-size-al.patch @@ -0,0 +1,132 @@ +From 1b42b1a36fc946f0d7088425b90d491b4257ca3e Mon Sep 17 00:00:00 2001 +From: George Kennedy +Date: Tue, 15 Nov 2022 10:14:44 -0500 +Subject: [PATCH] ubi: ensure that VID header offset + VID header size <= + alloc, size +Git-commit: 1b42b1a36fc946f0d7088425b90d491b4257ca3e +Patch-mainline: v6.3-rc1 +References: bsc#1210584 + +Ensure that the VID header offset + VID header size does not exceed +the allocated area to avoid slab OOB. + +Bug: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline] +Bug: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline] +Bug: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197 +Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555 + +Cpu: 2 PID: 1555 Comm: syz-executor136 Tainted: G W +6.0.0-1868 #1 +Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29 +04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x85/0xad lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:317 [inline] + print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433 + kasan_report+0xa7/0x11b mm/kasan/report.c:495 + crc32_body lib/crc32.c:111 [inline] + crc32_le_generic lib/crc32.c:179 [inline] + crc32_le_base+0x58c/0x626 lib/crc32.c:197 + ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067 + create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317 + create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline] + ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812 + ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601 + ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965 + ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0x0 +Rip: 0033:0x7f96d5cf753d +Code: +Rsp: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +Rax: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d +Rdx: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003 +Rbp: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0 +R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 1555: + kasan_save_stack+0x20/0x3d mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:45 [inline] + set_alloc_info mm/kasan/common.c:437 [inline] + ____kasan_kmalloc mm/kasan/common.c:516 [inline] + __kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525 + kasan_kmalloc include/linux/kasan.h:234 [inline] + __kmalloc+0x138/0x257 mm/slub.c:4429 + kmalloc include/linux/slab.h:605 [inline] + ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline] + create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295 + create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline] + ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812 + ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601 + ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965 + ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0x0 + +The buggy address belongs to the object at ffff88802bb36e00 + which belongs to the cache kmalloc-256 of size 256 +The buggy address is located 0 bytes to the right of + 256-byte region [ffff88802bb36e00, ffff88802bb36f00) + +The buggy address belongs to the physical page: +page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000 +index:0x0 pfn:0x2bb36 +head:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0 +Flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +Raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40 +Raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88802bb36e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88802bb36e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff88802bb36f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88802bb36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88802bb37000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Fixes: 801c135ce73d ("UBI: Unsorted Block Images") +Reported-by: syzkaller +Signed-off-by: George Kennedy +Signed-off-by: Richard Weinberger +Signed-off-by: Michal Hocko + +--- + drivers/mtd/ubi/build.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c +index a901f8edfa41..2178eb4115b3 100644 +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -663,6 +663,12 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024) + ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size); + ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size); + ++ if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) > ++ ubi->vid_hdr_alsize)) { ++ ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset); ++ return -EINVAL; ++ } ++ + dbg_gen("min_io_size %d", ubi->min_io_size); + dbg_gen("max_write_size %d", ubi->max_write_size); + dbg_gen("hdrs_min_io_size %d", ubi->hdrs_min_io_size); +-- +2.35.3 + diff --git a/patches.suse/0002-nvme-multipath-support-io-stats-on-the-mpath-device.patch b/patches.suse/0002-nvme-multipath-support-io-stats-on-the-mpath-device.patch new file mode 100644 index 0000000..b6cf266 --- /dev/null +++ b/patches.suse/0002-nvme-multipath-support-io-stats-on-the-mpath-device.patch @@ -0,0 +1,137 @@ +From d4d957b53d91eebc8c681c480edfdc697e55231e Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Tue, 29 Nov 2022 15:43:19 +0100 +Git-commit: d4d957b53d91eebc8c681c480edfdc697e55231e +Patch-mainline: v6.2-rc1 +References: bsc#1210565 +Subject: [PATCH] nvme-multipath: support io stats on the mpath device + +Our mpath stack device is just a shim that selects a bottom namespace +and submits the bio to it without any fancy splitting. This also means +that we don't clone the bio or have any context to the bio beyond +submission. However it really sucks that we don't see the mpath device +io stats. + +Given that the mpath device can't do that without adding some context +to it, we let the bottom device do it on its behalf (somewhat similar +to the approach taken in nvme_trace_bio_complete). + +When the IO starts, we account the request for multipath IO stats using +REQ_NVME_MPATH_IO_STATS nvme_request flag to avoid queue io stats disable +in the middle of the request. + +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Acked-by: Lidong Zhong +[mkoutny: SLE15-SP5: Return bdev_*_io_acct() functions as in mainline] +--- + drivers/nvme/host/core.c | 2 ++ + drivers/nvme/host/multipath.c | 26 ++++++++++++++++++++++++++ + drivers/nvme/host/nvme.h | 14 ++++++++++++++ + 3 files changed, 42 insertions(+) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -384,6 +384,8 @@ static inline void nvme_end_req(struct r + nvme_log_error(req); + nvme_end_req_zoned(req); + nvme_trace_bio_complete(req); ++ if (req->cmd_flags & REQ_NVME_MPATH) ++ nvme_mpath_end_request(req); + blk_mq_end_request(req, status); + } + +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -114,6 +114,31 @@ void nvme_failover_req(struct request *r + kblockd_schedule_work(&ns->head->requeue_work); + } + ++void nvme_mpath_start_request(struct request *rq) ++{ ++ struct nvme_ns *ns = rq->q->queuedata; ++ struct gendisk *disk = ns->head->disk; ++ ++ if (!blk_queue_io_stat(disk->queue) || blk_rq_is_passthrough(rq)) ++ return; ++ ++ nvme_req(rq)->flags |= NVME_MPATH_IO_STATS; ++ nvme_req(rq)->start_time = bdev_start_io_acct(disk->part0, ++ blk_rq_bytes(rq) >> SECTOR_SHIFT, ++ req_op(rq), jiffies); ++} ++EXPORT_SYMBOL_GPL(nvme_mpath_start_request); ++ ++void nvme_mpath_end_request(struct request *rq) ++{ ++ struct nvme_ns *ns = rq->q->queuedata; ++ ++ if (!(nvme_req(rq)->flags & NVME_MPATH_IO_STATS)) ++ return; ++ bdev_end_io_acct(ns->head->disk->part0, req_op(rq), ++ nvme_req(rq)->start_time); ++} ++ + void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl) + { + struct nvme_ns *ns; +@@ -505,6 +530,7 @@ int nvme_mpath_alloc_disk(struct nvme_ct + + blk_queue_flag_set(QUEUE_FLAG_NONROT, head->disk->queue); + blk_queue_flag_set(QUEUE_FLAG_NOWAIT, head->disk->queue); ++ blk_queue_flag_set(QUEUE_FLAG_IO_STAT, head->disk->queue); + /* + * This assumes all controllers that refer to a namespace either + * support poll queues or not. That is not a strict guarantee, +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -162,6 +162,9 @@ struct nvme_request { + u8 retries; + u8 flags; + u16 status; ++#ifdef CONFIG_NVME_MULTIPATH ++ unsigned long start_time; ++#endif + struct nvme_ctrl *ctrl; + }; + +@@ -173,6 +176,7 @@ struct nvme_request { + enum { + NVME_REQ_CANCELLED = (1 << 0), + NVME_REQ_USERCMD = (1 << 1), ++ NVME_MPATH_IO_STATS = (1 << 2), + }; + + static inline struct nvme_request *nvme_req(struct request *req) +@@ -867,6 +871,8 @@ bool nvme_mpath_clear_current_path(struc + void nvme_mpath_revalidate_paths(struct nvme_ns *ns); + void nvme_mpath_clear_ctrl_paths(struct nvme_ctrl *ctrl); + void nvme_mpath_shutdown_disk(struct nvme_ns_head *head); ++void nvme_mpath_start_request(struct request *rq); ++void nvme_mpath_end_request(struct request *rq); + + static inline void nvme_trace_bio_complete(struct request *req) + { +@@ -952,6 +958,12 @@ static inline void nvme_mpath_start_free + static inline void nvme_mpath_default_iopolicy(struct nvme_subsystem *subsys) + { + } ++static inline void nvme_mpath_start_request(struct request *rq) ++{ ++} ++static inline void nvme_mpath_end_request(struct request *rq) ++{ ++} + #endif /* CONFIG_NVME_MULTIPATH */ + + int nvme_revalidate_zones(struct nvme_ns *ns); +@@ -1007,6 +1019,8 @@ static inline void nvme_hwmon_exit(struc + + static inline void nvme_start_request(struct request *rq) + { ++ if (rq->cmd_flags & REQ_NVME_MPATH) ++ nvme_mpath_start_request(rq); + blk_mq_start_request(rq); + } + diff --git a/patches.suse/0389-drm-amdgpu-Set-vmbo-destroy-after-pt-bo-is-created.patch b/patches.suse/0389-drm-amdgpu-Set-vmbo-destroy-after-pt-bo-is-created.patch deleted file mode 100644 index 91f201e..0000000 --- a/patches.suse/0389-drm-amdgpu-Set-vmbo-destroy-after-pt-bo-is-created.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 0f03f5ee01731f415d341b6608ed2d39428c887a Mon Sep 17 00:00:00 2001 -From: Philip Yang -Date: Mon, 3 Oct 2022 13:03:26 -0400 -Subject: drm/amdgpu: Set vmbo destroy after pt bo is created -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Git-commit: 9a3c6067bd2ee2ca2652fbb0679f422f3c9109f9 -Patch-mainline: v6.1-rc1 -References: jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 jsc#PED-2849 - -Under VRAM usage pression, map to GPU may fail to create pt bo and -vmbo->shadow_list is not initialized, then ttm_bo_release calling -amdgpu_bo_vm_destroy to access vmbo->shadow_list generates below -dmesg and NULL pointer access backtrace: - -Set vmbo destroy callback to amdgpu_bo_vm_destroy only after creating pt -bo successfully, otherwise use default callback amdgpu_bo_destroy. - -amdgpu: amdgpu_vm_bo_update failed -amdgpu: update_gpuvm_pte() failed -amdgpu: Failed to map bo to gpuvm -amdgpu 0000:43:00.0: amdgpu: Failed to map peer:0000:43:00.0 mem_domain:2 -BUG: kernel NULL pointer dereference, address: - RIP: 0010:amdgpu_bo_vm_destroy+0x4d/0x80 [amdgpu] - Call Trace: - - ttm_bo_release+0x207/0x320 [amdttm] - amdttm_bo_init_reserved+0x1d6/0x210 [amdttm] - amdgpu_bo_create+0x1ba/0x520 [amdgpu] - amdgpu_bo_create_vm+0x3a/0x80 [amdgpu] - amdgpu_vm_pt_create+0xde/0x270 [amdgpu] - amdgpu_vm_ptes_update+0x63b/0x710 [amdgpu] - amdgpu_vm_update_range+0x2e7/0x6e0 [amdgpu] - amdgpu_vm_bo_update+0x2bd/0x600 [amdgpu] - update_gpuvm_pte+0x160/0x420 [amdgpu] - amdgpu_amdkfd_gpuvm_map_memory_to_gpu+0x313/0x1130 [amdgpu] - kfd_ioctl_map_memory_to_gpu+0x115/0x390 [amdgpu] - kfd_ioctl+0x24a/0x5b0 [amdgpu] - -Signed-off-by: Philip Yang -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Acked-by: Patrik Jakobsson ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c -index e6a9b9fc9e0b..2e8f6cd7a729 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c -@@ -688,13 +688,16 @@ int amdgpu_bo_create_vm(struct amdgpu_device *adev, - * num of amdgpu_vm_pt entries. - */ - BUG_ON(bp->bo_ptr_size < sizeof(struct amdgpu_bo_vm)); -- bp->destroy = &amdgpu_bo_vm_destroy; - r = amdgpu_bo_create(adev, bp, &bo_ptr); - if (r) - return r; - - *vmbo_ptr = to_amdgpu_bo_vm(bo_ptr); - INIT_LIST_HEAD(&(*vmbo_ptr)->shadow_list); -+ /* Set destroy callback to amdgpu_bo_vm_destroy after vmbo->shadow_list -+ * is initialized. -+ */ -+ bo_ptr->tbo.destroy = &amdgpu_bo_vm_destroy; - return r; - } - --- -2.38.1 - diff --git a/patches.suse/0850-drm-i915-gem-Use-to_gt-helper-for-GGTT-accesses.patch b/patches.suse/0850-drm-i915-gem-Use-to_gt-helper-for-GGTT-accesses.patch index 69c7356..22a9606 100644 --- a/patches.suse/0850-drm-i915-gem-Use-to_gt-helper-for-GGTT-accesses.patch +++ b/patches.suse/0850-drm-i915-gem-Use-to_gt-helper-for-GGTT-accesses.patch @@ -123,7 +123,7 @@ index e42b2e921721..3cfb89caf2df 100644 if (HAS_LMEM(to_i915(dev))) mmap_type = I915_MMAP_TYPE_FIXED; - else if (pat_enabled()) + else if (boot_cpu_has(X86_FEATURE_PAT)) mmap_type = I915_MMAP_TYPE_WC; - else if (!i915_ggtt_has_aperture(&to_i915(dev)->ggtt)) + else if (!i915_ggtt_has_aperture(to_gt(i915)->ggtt)) diff --git a/patches.suse/ALSA-fireface-make-read-only-const-array-for-model-n.patch b/patches.suse/ALSA-fireface-make-read-only-const-array-for-model-n.patch new file mode 100644 index 0000000..ca022db --- /dev/null +++ b/patches.suse/ALSA-fireface-make-read-only-const-array-for-model-n.patch @@ -0,0 +1,35 @@ +From a64db0b9dfac2011e14e88faf59847baac1dad5a Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Wed, 28 Jun 2023 08:54:06 +0900 +Subject: [PATCH] ALSA: fireface: make read-only const array for model names static +Git-commit: a64db0b9dfac2011e14e88faf59847baac1dad5a +Patch-mainline: v6.5-rc1 +References: git-fixes + +It is preferable not to populate the constant array for constant strings +on the stack. + +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20230627235406.289970-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai + +--- + sound/firewire/fireface/ff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/fireface/ff.c b/sound/firewire/fireface/ff.c +index 82241058ea14..6e84e4787259 100644 +--- a/sound/firewire/fireface/ff.c ++++ b/sound/firewire/fireface/ff.c +@@ -16,7 +16,7 @@ MODULE_LICENSE("GPL"); + static void name_card(struct snd_ff *ff) + { + struct fw_device *fw_dev = fw_parent_device(ff->unit); +- const char *const names[] = { ++ static const char *const names[] = { + [SND_FF_UNIT_VERSION_FF800] = "Fireface800", + [SND_FF_UNIT_VERSION_FF400] = "Fireface400", + [SND_FF_UNIT_VERSION_UFX] = "FirefaceUFX", +-- +2.35.3 + diff --git a/patches.suse/ALSA-hda-fix-a-possible-null-pointer-dereference-due.patch b/patches.suse/ALSA-hda-fix-a-possible-null-pointer-dereference-due.patch new file mode 100644 index 0000000..f15a442 --- /dev/null +++ b/patches.suse/ALSA-hda-fix-a-possible-null-pointer-dereference-due.patch @@ -0,0 +1,60 @@ +From 1f4a08fed450db87fbb5ff5105354158bdbe1a22 Mon Sep 17 00:00:00 2001 +From: Tuo Li +Date: Mon, 3 Jul 2023 11:10:16 +0800 +Subject: [PATCH] ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() +Git-commit: 1f4a08fed450db87fbb5ff5105354158bdbe1a22 +Patch-mainline: v6.5-rc1 +References: git-fixes + +The variable codec->regmap is often protected by the lock +codec->regmap_lock when is accessed. However, it is accessed without +holding the lock when is accessed in snd_hdac_regmap_sync(): + + if (codec->regmap) + +In my opinion, this may be a harmful race, because if codec->regmap is +set to NULL right after the condition is checked, a null-pointer +dereference can occur in the called function regcache_sync(): + + map->lock(map->lock_arg); --> Line 360 in drivers/base/regmap/regcache.c + +To fix this possible null-pointer dereference caused by data race, the +mutex_lock coverage is extended to protect the if statement as well as the +function call to regcache_sync(). + +[ Note: the lack of the regmap_lock itself is harmless for the current + codec driver implementations, as snd_hdac_regmap_sync() is only for + PM runtime resume that is prohibited during the codec probe. + But the change makes the whole code more consistent, so it's merged + as is -- tiwai ] + +Reported-by: BassCheck +Signed-off-by: Tuo Li +Link: https://lore.kernel.org/r/20230703031016.1184711-1-islituo@gmail.com +Signed-off-by: Takashi Iwai + +--- + sound/hda/hdac_regmap.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/hda/hdac_regmap.c b/sound/hda/hdac_regmap.c +index f258cb3a6895..9b1bcabd8414 100644 +--- a/sound/hda/hdac_regmap.c ++++ b/sound/hda/hdac_regmap.c +@@ -596,10 +596,9 @@ EXPORT_SYMBOL_GPL(snd_hdac_regmap_update_raw_once); + */ + void snd_hdac_regmap_sync(struct hdac_device *codec) + { +- if (codec->regmap) { +- mutex_lock(&codec->regmap_lock); ++ mutex_lock(&codec->regmap_lock); ++ if (codec->regmap) + regcache_sync(codec->regmap); +- mutex_unlock(&codec->regmap_lock); +- } ++ mutex_unlock(&codec->regmap_lock); + } + EXPORT_SYMBOL_GPL(snd_hdac_regmap_sync); +-- +2.35.3 + diff --git a/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-G614Jx.patch b/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-G614Jx.patch new file mode 100644 index 0000000..e8bff34 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-G614Jx.patch @@ -0,0 +1,37 @@ +From 33d7c9c3bf70ed91191a2bedbbc03783b824b5de Mon Sep 17 00:00:00 2001 +From: "Luke D. Jones" +Date: Tue, 4 Jul 2023 16:46:18 +1200 +Subject: [PATCH] ALSA: hda/realtek: Add quirk for ASUS ROG G614Jx +Git-commit: 33d7c9c3bf70ed91191a2bedbbc03783b824b5de +Patch-mainline: v6.5-rc1 +References: git-fixes + +Adds the required quirk to enable the Cirrus amp and correct pins +on the ASUS ROG G614J series which uses an SPI connected Cirrus amp. + +While this works if the related _DSD properties are made available, these +aren't included in the ACPI of these laptops (yet). + +Signed-off-by: Luke D. Jones +Link: https://lore.kernel.org/r/20230704044619.19343-5-luke@ljones.dev +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index a9c563cbea63..7910af756c9b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9632,6 +9632,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS), ++ SND_PCI_QUIRK(0x1043, 0x1c9f, "ASUS G614JI", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1caf, "ASUS G634JYR/JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401), +-- +2.35.3 + diff --git a/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GA402X.patch b/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GA402X.patch new file mode 100644 index 0000000..918ad63 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GA402X.patch @@ -0,0 +1,37 @@ +From 9abc77fb144fe916fd2f592dc4b8c7bade02e58a Mon Sep 17 00:00:00 2001 +From: "Luke D. Jones" +Date: Tue, 4 Jul 2023 16:46:16 +1200 +Subject: [PATCH] ALSA: hda/realtek: Add quirk for ASUS ROG GA402X +Git-commit: 9abc77fb144fe916fd2f592dc4b8c7bade02e58a +Patch-mainline: v6.5-rc1 +References: git-fixes + +Adds the required quirk to enable the Cirrus amp and correct pins +on the ASUS ROG GA402X series which uses an I2C connected Cirrus amp. + +While this works if the related _DSD properties are made available, these +aren't included in the ACPI of these laptops (yet). + +Signed-off-by: Luke D. Jones +Link: https://lore.kernel.org/r/20230704044619.19343-3-luke@ljones.dev +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 4a8e7b1a9f01..d5f1c217e500 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9592,6 +9592,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x13b0, "ASUS Z550SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK), + SND_PCI_QUIRK(0x1043, 0x1433, "ASUS GX650P", ALC285_FIXUP_ASUS_I2C_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1043, 0x1463, "Asus GA402X", ALC285_FIXUP_ASUS_I2C_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1473, "ASUS GU604V", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1483, "ASUS GU603V", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1493, "ASUS GV601V", ALC285_FIXUP_ASUS_HEADSET_MIC), +-- +2.35.3 + diff --git a/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GX650P.patch b/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GX650P.patch new file mode 100644 index 0000000..0fed7b3 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GX650P.patch @@ -0,0 +1,69 @@ +From 8cc87c055d28320e5fa5457922f43bc07dec58bd Mon Sep 17 00:00:00 2001 +From: "Luke D. Jones" +Date: Tue, 4 Jul 2023 16:46:15 +1200 +Subject: [PATCH] ALSA: hda/realtek: Add quirk for ASUS ROG GX650P +Git-commit: 8cc87c055d28320e5fa5457922f43bc07dec58bd +Patch-mainline: v6.5-rc1 +References: git-fixes + +Adds the required quirk to enable the Cirrus amp and correct pins +on the ASUS ROG GV601V series which uses an I2C connected Cirrus amp. + +While this works if the related _DSD properties are made available, these +aren't included in the ACPI of these laptops (yet). + +Signed-off-by: Luke D. Jones +Link: https://lore.kernel.org/r/20230704044619.19343-2-luke@ljones.dev +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 110d23c27602..4a8e7b1a9f01 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7068,6 +7068,8 @@ enum { + ALC285_FIXUP_SPEAKER2_TO_DAC1, + ALC285_FIXUP_ASUS_SPEAKER2_TO_DAC1, + ALC285_FIXUP_ASUS_HEADSET_MIC, ++ ALC285_FIXUP_ASUS_I2C_SPEAKER2_TO_DAC1, ++ ALC285_FIXUP_ASUS_I2C_HEADSET_MIC, + ALC280_FIXUP_HP_HEADSET_MIC, + ALC221_FIXUP_HP_FRONT_MIC, + ALC292_FIXUP_TPT460, +@@ -8058,6 +8060,22 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC285_FIXUP_ASUS_SPEAKER2_TO_DAC1 + }, ++ [ALC285_FIXUP_ASUS_I2C_SPEAKER2_TO_DAC1] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_speaker2_to_dac1, ++ .chained = true, ++ .chain_id = ALC287_FIXUP_CS35L41_I2C_2 ++ }, ++ [ALC285_FIXUP_ASUS_I2C_HEADSET_MIC] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x19, 0x03a11050 }, ++ { 0x1b, 0x03a11c30 }, ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC285_FIXUP_ASUS_I2C_SPEAKER2_TO_DAC1 ++ }, + [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -9573,6 +9591,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1313, "Asus K42JZ", ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x13b0, "ASUS Z550SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK), ++ SND_PCI_QUIRK(0x1043, 0x1433, "ASUS GX650P", ALC285_FIXUP_ASUS_I2C_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1473, "ASUS GU604V", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1483, "ASUS GU603V", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1493, "ASUS GV601V", ALC285_FIXUP_ASUS_HEADSET_MIC), +-- +2.35.3 + diff --git a/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GZ301V.patch b/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GZ301V.patch new file mode 100644 index 0000000..4217aca --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GZ301V.patch @@ -0,0 +1,37 @@ +From 5251605f4d297a0eb5d3b7f39f9dcee9e4d0115a Mon Sep 17 00:00:00 2001 +From: "Luke D. Jones" +Date: Fri, 7 Jul 2023 10:33:23 +1200 +Subject: [PATCH] ALSA: hda/realtek: Add quirk for ASUS ROG GZ301V +Git-commit: 5251605f4d297a0eb5d3b7f39f9dcee9e4d0115a +Patch-mainline: v6.5-rc1 +References: git-fixes + +Adds the required quirk to enable the Cirrus amp and correct pins +on the ASUS ROG GZ301V series which uses an SPI connected Cirrus amp. + +While this works if the related _DSD properties are made available, these +aren't included in the ACPI of these laptops (yet). + +Signed-off-by: Luke D. Jones +Link: https://lore.kernel.org/r/20230706223323.30871-2-luke@ljones.dev +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index e847ba373adc..e2f8b608de82 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9607,6 +9607,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1483, "ASUS GU603V", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1493, "ASUS GV601V", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), ++ SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301V", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1662, "ASUS GV301QH", ALC294_FIXUP_ASUS_DUAL_SPK), + SND_PCI_QUIRK(0x1043, 0x1683, "ASUS UM3402YAR", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x16b2, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), +-- +2.35.3 + diff --git a/patches.suse/ALSA-hda-realtek-Add-quirk-for-Clevo-NPx0SNx.patch b/patches.suse/ALSA-hda-realtek-Add-quirk-for-Clevo-NPx0SNx.patch new file mode 100644 index 0000000..4215fc0 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Add-quirk-for-Clevo-NPx0SNx.patch @@ -0,0 +1,35 @@ +From 22065e4214c1196b54fc164892c2e193a743caf3 Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Wed, 28 Jun 2023 17:54:34 +0200 +Subject: [PATCH] ALSA: hda/realtek: Add quirk for Clevo NPx0SNx +Git-commit: 22065e4214c1196b54fc164892c2e193a743caf3 +Patch-mainline: v6.5-rc1 +References: git-fixes + +This applies a SND_PCI_QUIRK(...) to the Clevo NPx0SNx barebones fixing the +microphone not being detected on the headset combo port. + +Signed-off-by: Werner Sembach +Cc: +Link: https://lore.kernel.org/r/20230628155434.584159-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index afe8253f9a4f..ece650261543 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9731,6 +9731,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1558, 0x971d, "Clevo N970T[CDF]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa500, "Clevo NL5[03]RU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa600, "Clevo NL50NU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0xa650, "Clevo NP[567]0SN[CD]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa671, "Clevo NP70SN[CDE]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xb018, "Clevo NP50D[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xb019, "Clevo NH77D[BE]Q", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), +-- +2.35.3 + diff --git a/patches.suse/ALSA-hda-realtek-Add-quirks-for-Unis-H3C-Desktop-B76.patch b/patches.suse/ALSA-hda-realtek-Add-quirks-for-Unis-H3C-Desktop-B76.patch new file mode 100644 index 0000000..eb9cbcd --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Add-quirks-for-Unis-H3C-Desktop-B76.patch @@ -0,0 +1,58 @@ +From 73f1c75d5e6bd8ce2a887ef493a66ad1b16ed704 Mon Sep 17 00:00:00 2001 +From: dengxiang +Date: Mon, 3 Jul 2023 10:17:51 +0800 +Subject: [PATCH] ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760 +Git-commit: 73f1c75d5e6bd8ce2a887ef493a66ad1b16ed704 +Patch-mainline: v6.5-rc1 +References: git-fixes + +These models use NSIWAY amplifiers for internal speaker, but cannot put +sound outside from these amplifiers. So eapd verbs are needed to initialize +the amplifiers. They can be added during boot to get working sound out +of internal speaker. + +Signed-off-by: dengxiang +Link: https://lore.kernel.org/r/20230703021751.2945750-1-dengxiang@nfschina.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index ece650261543..110d23c27602 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11287,6 +11287,7 @@ enum { + ALC897_FIXUP_HP_HSMIC_VERB, + ALC897_FIXUP_LENOVO_HEADSET_MODE, + ALC897_FIXUP_HEADSET_MIC_PIN2, ++ ALC897_FIXUP_UNIS_H3C_X500S, + }; + + static const struct hda_fixup alc662_fixups[] = { +@@ -11726,6 +11727,13 @@ static const struct hda_fixup alc662_fixups[] = { + .chained = true, + .chain_id = ALC897_FIXUP_LENOVO_HEADSET_MODE + }, ++ [ALC897_FIXUP_UNIS_H3C_X500S] = { ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ { 0x14, AC_VERB_SET_EAPD_BTLENABLE, 0 }, ++ {} ++ }, ++ }, + }; + + static const struct snd_pci_quirk alc662_fixup_tbl[] = { +@@ -11887,6 +11895,7 @@ static const struct hda_model_fixup alc662_fixup_models[] = { + {.id = ALC662_FIXUP_USI_HEADSET_MODE, .name = "usi-headset"}, + {.id = ALC662_FIXUP_LENOVO_MULTI_CODECS, .name = "dual-codecs"}, + {.id = ALC669_FIXUP_ACER_ASPIRE_ETHOS, .name = "aspire-ethos"}, ++ {.id = ALC897_FIXUP_UNIS_H3C_X500S, .name = "unis-h3c-x500s"}, + {} + }; + +-- +2.35.3 + diff --git a/patches.suse/ALSA-hda-realtek-Amend-G634-quirk-to-enable-rear-spe.patch b/patches.suse/ALSA-hda-realtek-Amend-G634-quirk-to-enable-rear-spe.patch new file mode 100644 index 0000000..7fc7c68 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Amend-G634-quirk-to-enable-rear-spe.patch @@ -0,0 +1,59 @@ +From b759a5f097cd42c666f1ebca8da50ff507435fbe Mon Sep 17 00:00:00 2001 +From: "Luke D. Jones" +Date: Tue, 4 Jul 2023 16:46:17 +1200 +Subject: [PATCH] ALSA: hda/realtek: Amend G634 quirk to enable rear speakers +Git-commit: b759a5f097cd42c666f1ebca8da50ff507435fbe +Patch-mainline: v6.5-rc1 +References: git-fixes + +Amends the last quirk for the G634 with 0x1caf subsys to enable the rear +speakers via pincfg. + +Signed-off-by: Luke D. Jones +Link: https://lore.kernel.org/r/20230704044619.19343-4-luke@ljones.dev +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index d5f1c217e500..a9c563cbea63 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7068,6 +7068,7 @@ enum { + ALC285_FIXUP_SPEAKER2_TO_DAC1, + ALC285_FIXUP_ASUS_SPEAKER2_TO_DAC1, + ALC285_FIXUP_ASUS_HEADSET_MIC, ++ ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS, + ALC285_FIXUP_ASUS_I2C_SPEAKER2_TO_DAC1, + ALC285_FIXUP_ASUS_I2C_HEADSET_MIC, + ALC280_FIXUP_HP_HEADSET_MIC, +@@ -8060,6 +8061,15 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC285_FIXUP_ASUS_SPEAKER2_TO_DAC1 + }, ++ [ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x14, 0x90170120 }, ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC285_FIXUP_ASUS_HEADSET_MIC ++ }, + [ALC285_FIXUP_ASUS_I2C_SPEAKER2_TO_DAC1] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_speaker2_to_dac1, +@@ -9622,7 +9632,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS), +- SND_PCI_QUIRK(0x1043, 0x1caf, "ASUS G634JYR/JZR", ALC285_FIXUP_ASUS_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1043, 0x1caf, "ASUS G634JYR/JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1d4e, "ASUS TM420", ALC256_FIXUP_ASUS_HPE), +-- +2.35.3 + diff --git a/patches.suse/ALSA-hda-realtek-Whitespace-fix.patch b/patches.suse/ALSA-hda-realtek-Whitespace-fix.patch new file mode 100644 index 0000000..621bc99 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Whitespace-fix.patch @@ -0,0 +1,35 @@ +From 72cea3a3175b50a4875b3c112fb13df20c6218a5 Mon Sep 17 00:00:00 2001 +From: "Luke D. Jones" +Date: Tue, 4 Jul 2023 16:46:19 +1200 +Subject: [PATCH] ALSA: hda/realtek: Whitespace fix +Git-commit: 72cea3a3175b50a4875b3c112fb13df20c6218a5 +Patch-mainline: v6.5-rc1 +References: git-fixes + +Remove an erroneous whitespace. + +Fixes: 31278997add6 ("ALSA: hda/realtek - Add headset quirk for Dell DT") +Signed-off-by: Luke D. Jones +Link: https://lore.kernel.org/r/20230704044619.19343-6-luke@ljones.dev +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 7910af756c9b..e847ba373adc 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5883,7 +5883,7 @@ static void alc_fixup_headset_mode_alc255_no_hp_mic(struct hda_codec *codec, + struct alc_spec *spec = codec->spec; + spec->parse_flags |= HDA_PINCFG_HEADSET_MIC; + alc255_set_default_jack_type(codec); +- } ++ } + else + alc_fixup_headset_mode(codec, fix, action); + } +-- +2.35.3 + diff --git a/patches.suse/ALSA-jack-Fix-mutex-call-in-snd_jack_report.patch b/patches.suse/ALSA-jack-Fix-mutex-call-in-snd_jack_report.patch new file mode 100644 index 0000000..b91f0ce --- /dev/null +++ b/patches.suse/ALSA-jack-Fix-mutex-call-in-snd_jack_report.patch @@ -0,0 +1,91 @@ +From 89dbb335cb6a627a4067bc42caa09c8bc3326d40 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 6 Jul 2023 17:53:57 +0200 +Subject: [PATCH] ALSA: jack: Fix mutex call in snd_jack_report() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 89dbb335cb6a627a4067bc42caa09c8bc3326d40 +Patch-mainline: v6.5-rc1 +References: git-fixes + +snd_jack_report() is supposed to be callable from an IRQ context, too, +and it's indeed used in that way from virtsnd driver. The fix for +input_dev race in commit 1b6a6fc5280e ("ALSA: jack: Access input_dev +under mutex"), however, introduced a mutex lock in snd_jack_report(), +and this resulted in a potential sleep-in-atomic. + +For addressing that problem, this patch changes the relevant code to +use the object get/put and removes the mutex usage. That is, +snd_jack_report(), it takes input_get_device() and leaves with +input_put_device() for assuring the input_dev being assigned. + +Although the whole mutex could be reduced, we keep it because it can +be still a protection for potential races between creation and +deletion. + +Fixes: 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/cf95f7fe-a748-4990-8378-000491b40329@moroto.mountain +Tested-by: Amadeusz Sławiński +Cc: +Link: https://lore.kernel.org/r/20230706155357.3470-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/core/jack.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/sound/core/jack.c b/sound/core/jack.c +index 88493cc31914..03d155ed362b 100644 +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -654,6 +654,7 @@ void snd_jack_report(struct snd_jack *jack, int status) + struct snd_jack_kctl *jack_kctl; + unsigned int mask_bits = 0; + #ifdef CONFIG_SND_JACK_INPUT_DEV ++ struct input_dev *idev; + int i; + #endif + +@@ -670,17 +671,15 @@ void snd_jack_report(struct snd_jack *jack, int status) + status & jack_kctl->mask_bits); + + #ifdef CONFIG_SND_JACK_INPUT_DEV +- mutex_lock(&jack->input_dev_lock); +- if (!jack->input_dev) { +- mutex_unlock(&jack->input_dev_lock); ++ idev = input_get_device(jack->input_dev); ++ if (!idev) + return; +- } + + for (i = 0; i < ARRAY_SIZE(jack->key); i++) { + int testbit = ((SND_JACK_BTN_0 >> i) & ~mask_bits); + + if (jack->type & testbit) +- input_report_key(jack->input_dev, jack->key[i], ++ input_report_key(idev, jack->key[i], + status & testbit); + } + +@@ -688,13 +687,13 @@ void snd_jack_report(struct snd_jack *jack, int status) + int testbit = ((1 << i) & ~mask_bits); + + if (jack->type & testbit) +- input_report_switch(jack->input_dev, ++ input_report_switch(idev, + jack_switch_types[i], + status & testbit); + } + +- input_sync(jack->input_dev); +- mutex_unlock(&jack->input_dev_lock); ++ input_sync(idev); ++ input_put_device(idev); + #endif /* CONFIG_SND_JACK_INPUT_DEV */ + } + EXPORT_SYMBOL(snd_jack_report); +-- +2.35.3 + diff --git a/patches.suse/ALSA-oxfw-make-read-only-const-array-models-static.patch b/patches.suse/ALSA-oxfw-make-read-only-const-array-models-static.patch new file mode 100644 index 0000000..fc88861 --- /dev/null +++ b/patches.suse/ALSA-oxfw-make-read-only-const-array-models-static.patch @@ -0,0 +1,35 @@ +From d17f0ce9a9ee1372b9c71b4dc9bd6c8fbe73790f Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 27 Jun 2023 12:32:53 +0100 +Subject: [PATCH] ALSA: oxfw: make read-only const array models static +Git-commit: d17f0ce9a9ee1372b9c71b4dc9bd6c8fbe73790f +Patch-mainline: v6.5-rc1 +References: git-fixes + +Don't populate the const array on the stack, instead make it static. + +Signed-off-by: Colin Ian King +Reviewed-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20230627113253.700065-1-colin.i.king@gmail.com +Signed-off-by: Takashi Iwai + +--- + sound/firewire/oxfw/oxfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/oxfw/oxfw.c b/sound/firewire/oxfw/oxfw.c +index 9523479fa94a..63d40f1a914f 100644 +--- a/sound/firewire/oxfw/oxfw.c ++++ b/sound/firewire/oxfw/oxfw.c +@@ -44,7 +44,7 @@ struct compat_info { + + static bool detect_loud_models(struct fw_unit *unit) + { +- const char *const models[] = { ++ static const char *const models[] = { + "Onyxi", + "Onyx-i", + "Onyx 1640i", +-- +2.35.3 + diff --git a/patches.suse/ALSA-pcm-Fix-potential-data-race-at-PCM-memory-alloc.patch b/patches.suse/ALSA-pcm-Fix-potential-data-race-at-PCM-memory-alloc.patch new file mode 100644 index 0000000..23cfa34 --- /dev/null +++ b/patches.suse/ALSA-pcm-Fix-potential-data-race-at-PCM-memory-alloc.patch @@ -0,0 +1,115 @@ +From bd55842ed998a622ba6611fe59b3358c9f76773d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 3 Jul 2023 13:24:30 +0200 +Subject: [PATCH] ALSA: pcm: Fix potential data race at PCM memory allocation helpers +Git-commit: bd55842ed998a622ba6611fe59b3358c9f76773d +Patch-mainline: v6.5-rc1 +References: git-fixes + +The PCM memory allocation helpers have a sanity check against too many +buffer allocations. However, the check is performed without a proper +lock and the allocation isn't serialized; this allows user to allocate +more memories than predefined max size. + +Practically seen, this isn't really a big problem, as it's more or +less some "soft limit" as a sanity check, and it's not possible to +allocate unlimitedly. But it's still better to address this for more +consistent behavior. + +The patch covers the size check in do_alloc_pages() with the +card->memory_mutex, and increases the allocated size there for +preventing the further overflow. When the actual allocation fails, +the size is decreased accordingly. + +Reported-by: BassCheck +Reported-by: Tuo Li +Link: https://lore.kernel.org/r/CADm8Tek6t0WedK+3Y6rbE5YEt19tML8BUL45N2ji4ZAz1KcN_A@mail.gmail.com +Reviewed-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/20230703112430.30634-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/core/pcm_memory.c | 44 +++++++++++++++++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 8 deletions(-) + +diff --git a/sound/core/pcm_memory.c b/sound/core/pcm_memory.c +index 7bde7fb64011..a0b951471699 100644 +--- a/sound/core/pcm_memory.c ++++ b/sound/core/pcm_memory.c +@@ -31,15 +31,41 @@ static unsigned long max_alloc_per_card = 32UL * 1024UL * 1024UL; + module_param(max_alloc_per_card, ulong, 0644); + MODULE_PARM_DESC(max_alloc_per_card, "Max total allocation bytes per card."); + ++static void __update_allocated_size(struct snd_card *card, ssize_t bytes) ++{ ++ card->total_pcm_alloc_bytes += bytes; ++} ++ ++static void update_allocated_size(struct snd_card *card, ssize_t bytes) ++{ ++ mutex_lock(&card->memory_mutex); ++ __update_allocated_size(card, bytes); ++ mutex_unlock(&card->memory_mutex); ++} ++ ++static void decrease_allocated_size(struct snd_card *card, size_t bytes) ++{ ++ mutex_lock(&card->memory_mutex); ++ WARN_ON(card->total_pcm_alloc_bytes < bytes); ++ __update_allocated_size(card, -(ssize_t)bytes); ++ mutex_unlock(&card->memory_mutex); ++} ++ + static int do_alloc_pages(struct snd_card *card, int type, struct device *dev, + int str, size_t size, struct snd_dma_buffer *dmab) + { + enum dma_data_direction dir; + int err; + ++ /* check and reserve the requested size */ ++ mutex_lock(&card->memory_mutex); + if (max_alloc_per_card && +- card->total_pcm_alloc_bytes + size > max_alloc_per_card) ++ card->total_pcm_alloc_bytes + size > max_alloc_per_card) { ++ mutex_unlock(&card->memory_mutex); + return -ENOMEM; ++ } ++ __update_allocated_size(card, size); ++ mutex_unlock(&card->memory_mutex); + + if (str == SNDRV_PCM_STREAM_PLAYBACK) + dir = DMA_TO_DEVICE; +@@ -47,9 +73,14 @@ static int do_alloc_pages(struct snd_card *card, int type, struct device *dev, + dir = DMA_FROM_DEVICE; + err = snd_dma_alloc_dir_pages(type, dev, dir, size, dmab); + if (!err) { +- mutex_lock(&card->memory_mutex); +- card->total_pcm_alloc_bytes += dmab->bytes; +- mutex_unlock(&card->memory_mutex); ++ /* the actual allocation size might be bigger than requested, ++ * and we need to correct the account ++ */ ++ if (dmab->bytes != size) ++ update_allocated_size(card, dmab->bytes - size); ++ } else { ++ /* take back on allocation failure */ ++ decrease_allocated_size(card, size); + } + return err; + } +@@ -58,10 +89,7 @@ static void do_free_pages(struct snd_card *card, struct snd_dma_buffer *dmab) + { + if (!dmab->area) + return; +- mutex_lock(&card->memory_mutex); +- WARN_ON(card->total_pcm_alloc_bytes < dmab->bytes); +- card->total_pcm_alloc_bytes -= dmab->bytes; +- mutex_unlock(&card->memory_mutex); ++ decrease_allocated_size(card, dmab->bytes); + snd_dma_free_pages(dmab); + dmab->area = NULL; + } +-- +2.35.3 + diff --git a/patches.suse/Add-MODULE_FIRMWARE-for-FIRMWARE_TG357766.patch b/patches.suse/Add-MODULE_FIRMWARE-for-FIRMWARE_TG357766.patch new file mode 100644 index 0000000..edd7999 --- /dev/null +++ b/patches.suse/Add-MODULE_FIRMWARE-for-FIRMWARE_TG357766.patch @@ -0,0 +1,37 @@ +From 046f753da6143ee16452966915087ec8b0de3c70 Mon Sep 17 00:00:00 2001 +From: Tobias Heider +Date: Wed, 28 Jun 2023 02:13:32 +0200 +Subject: [PATCH] Add MODULE_FIRMWARE() for FIRMWARE_TG357766. +Git-commit: 046f753da6143ee16452966915087ec8b0de3c70 +Patch-mainline: v6.5-rc1 +References: git-fixes + +Fixes a bug where on the M1 mac mini initramfs-tools fails to +include the necessary firmware into the initrd. + +Fixes: c4dab50697ff ("tg3: Download 57766 EEE service patch firmware") +Signed-off-by: Tobias Heider +Reviewed-by: Michael Chan +Link: https://lore.kernel.org/r/ZJt7LKzjdz8+dClx@tobhe.de +Signed-off-by: Jakub Kicinski +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/broadcom/tg3.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 5e68a6a4b2af..5ef073a79ce9 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -225,6 +225,7 @@ MODULE_AUTHOR("David S. Miller (davem@redhat.com) and Jeff Garzik (jgarzik@pobox + MODULE_DESCRIPTION("Broadcom Tigon3 ethernet driver"); + MODULE_LICENSE("GPL"); + MODULE_FIRMWARE(FIRMWARE_TG3); ++MODULE_FIRMWARE(FIRMWARE_TG357766); + MODULE_FIRMWARE(FIRMWARE_TG3TSO); + MODULE_FIRMWARE(FIRMWARE_TG3TSO5); + +-- +2.35.3 + diff --git a/patches.suse/Documentation-ABI-sysfs-class-net-qmi-pass_through-c.patch b/patches.suse/Documentation-ABI-sysfs-class-net-qmi-pass_through-c.patch new file mode 100644 index 0000000..c471a7b --- /dev/null +++ b/patches.suse/Documentation-ABI-sysfs-class-net-qmi-pass_through-c.patch @@ -0,0 +1,35 @@ +From acd9755894c96c27078b52e0bfd894e48b0b1508 Mon Sep 17 00:00:00 2001 +From: Subash Abhinov Kasiviswanathan +Date: Fri, 30 Jun 2023 01:20:20 -0600 +Subject: [PATCH] Documentation: ABI: sysfs-class-net-qmi: pass_through contact update +Git-commit: acd9755894c96c27078b52e0bfd894e48b0b1508 +Patch-mainline: v6.5-rc1 +References: git-fixes + +Switch to the quicinc.com id. + +Fixes: bd1af6b5fffd ("Documentation: ABI: sysfs-class-net-qmi: document pass-through file") +Signed-off-by: Subash Abhinov Kasiviswanathan +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + Documentation/ABI/testing/sysfs-class-net-qmi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/ABI/testing/sysfs-class-net-qmi b/Documentation/ABI/testing/sysfs-class-net-qmi +index 47e6b9732337..b028f5bc86db 100644 +--- a/Documentation/ABI/testing/sysfs-class-net-qmi ++++ b/Documentation/ABI/testing/sysfs-class-net-qmi +@@ -62,7 +62,7 @@ Description: + What: /sys/class/net//qmi/pass_through + Date: January 2021 + KernelVersion: 5.12 +-Contact: Subash Abhinov Kasiviswanathan ++Contact: Subash Abhinov Kasiviswanathan + Description: + Boolean. Default: 'N' + +-- +2.35.3 + diff --git a/patches.suse/Documentation-bonding-fix-the-doc-of-peer_notif_dela.patch b/patches.suse/Documentation-bonding-fix-the-doc-of-peer_notif_dela.patch new file mode 100644 index 0000000..5aa2513 --- /dev/null +++ b/patches.suse/Documentation-bonding-fix-the-doc-of-peer_notif_dela.patch @@ -0,0 +1,37 @@ +From 84df83e0ecd3beba62c3d06b43ab51cc47efaca0 Mon Sep 17 00:00:00 2001 +From: Hangbin Liu +Date: Tue, 9 May 2023 11:11:58 +0800 +Subject: [PATCH] Documentation: bonding: fix the doc of peer_notif_delay +Git-commit: 84df83e0ecd3beba62c3d06b43ab51cc47efaca0 +Patch-mainline: v6.4-rc2 +References: git-fixes + +Bonding only supports setting peer_notif_delay with miimon set. + +Fixes: 0307d589c4d6 ("bonding: add documentation for peer_notif_delay") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + Documentation/networking/bonding.rst | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/Documentation/networking/bonding.rst ++++ b/Documentation/networking/bonding.rst +@@ -742,10 +742,11 @@ peer_notif_delay + Specify the delay, in milliseconds, between each peer + notification (gratuitous ARP and unsolicited IPv6 Neighbor + Advertisement) when they are issued after a failover event. +- This delay should be a multiple of the link monitor interval +- (arp_interval or miimon, whichever is active). The default +- value is 0 which means to match the value of the link monitor +- interval. ++ This delay should be a multiple of the MII link monitor interval ++ (miimon). ++ ++ The valid range is 0 - 300000. The default value is 0, which means ++ to match the value of the MII link monitor interval. + + primary + diff --git a/patches.suse/Documentation-timers-hrtimers-Make-hybrid-union-hist.patch b/patches.suse/Documentation-timers-hrtimers-Make-hybrid-union-hist.patch new file mode 100644 index 0000000..beb2812 --- /dev/null +++ b/patches.suse/Documentation-timers-hrtimers-Make-hybrid-union-hist.patch @@ -0,0 +1,68 @@ +From 4c093cbb89f32762555f624882f1d31a79237eaf Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Tue, 2 May 2023 12:05:10 +0200 +Subject: [PATCH] Documentation: timers: hrtimers: Make hybrid union historical +Git-commit: 4c093cbb89f32762555f624882f1d31a79237eaf +Patch-mainline: v6.4-rc1 +References: git-fixes + +Non-scalar time was removed from the ktime hybrid union in v3.17, and +the union itself followed suit in v4.10. + +Make it clear that ktime_t is always a 64bit scalar type, to avoid +confusing the casual reader. + +While at it, fix a spelling mistake. + +Fixes: 24e4a8c3e8868874 ("ktime: Kill non-scalar ktime_t implementation for 2038") +Fixes: 2456e855354415bf ("ktime: Get rid of the union") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Thomas Gleixner +Link: https://lore.kernel.org/r/59250a3d1c2c827b5c1833169a6e652ca6a784e6.1683021785.git.geert+renesas@glider.be +Signed-off-by: Jonathan Corbet +Acked-by: Takashi Iwai + +--- + Documentation/timers/hrtimers.rst | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/Documentation/timers/hrtimers.rst b/Documentation/timers/hrtimers.rst +index 7ac448908d1f..f88ff8bae89c 100644 +--- a/Documentation/timers/hrtimers.rst ++++ b/Documentation/timers/hrtimers.rst +@@ -123,17 +123,12 @@ equivalent to timer_delete() and timer_delete_sync()] - so there's no direct + potential for code sharing either. + + Basic data types: every time value, absolute or relative, is in a +-special nanosecond-resolution type: ktime_t. The kernel-internal +-representation of ktime_t values and operations is implemented via +-macros and inline functions, and can be switched between a "hybrid +-union" type and a plain "scalar" 64bit nanoseconds representation (at +-compile time). The hybrid union type optimizes time conversions on 32bit +-CPUs. This build-time-selectable ktime_t storage format was implemented +-to avoid the performance impact of 64-bit multiplications and divisions +-on 32bit CPUs. Such operations are frequently necessary to convert +-between the storage formats provided by kernel and userspace interfaces +-and the internal time format. (See include/linux/ktime.h for further +-details.) ++special nanosecond-resolution 64bit type: ktime_t. ++(Originally, the kernel-internal representation of ktime_t values and ++operations was implemented via macros and inline functions, and could be ++switched between a "hybrid union" type and a plain "scalar" 64bit ++nanoseconds representation (at compile time). This was abandoned in the ++context of the Y2038 work.) + + hrtimers - rounding of timer values + ----------------------------------- +@@ -148,7 +143,7 @@ a given clock has - be it low-res, high-res, or artificially-low-res. + hrtimers - testing and verification + ----------------------------------- + +-We used the high-resolution clock subsystem ontop of hrtimers to verify ++We used the high-resolution clock subsystem on top of hrtimers to verify + the hrtimer implementation details in praxis, and we also ran the posix + timer tests in order to ensure specification compliance. We also ran + tests on low-resolution clocks. +-- +2.35.3 + diff --git a/patches.suse/Fix-documentation-of-panic_on_warn.patch b/patches.suse/Fix-documentation-of-panic_on_warn.patch new file mode 100644 index 0000000..8f5c889 --- /dev/null +++ b/patches.suse/Fix-documentation-of-panic_on_warn.patch @@ -0,0 +1,44 @@ +From 57ada2358fae8c3df0f810c3a7196f074da01c98 Mon Sep 17 00:00:00 2001 +From: Olaf Hering +Date: Fri, 30 Jun 2023 16:53:02 +0200 +Subject: [PATCH] Fix documentation of panic_on_warn +Git-commit: 57ada2358fae8c3df0f810c3a7196f074da01c98 +Patch-mainline: v6.5-rc1 +References: git-fixes + +The kernel cmdline option panic_on_warn expects an integer, it is not a +plain option as documented. A number of uses in the tree figured this +already, and use panic_on_warn=1 for their purpose. + +Adjust a comment which otherwise may mislead people in the future. + +Fixes: 9e3961a09798 ("kernel: add panic_on_warn") +Signed-off-by: Olaf Hering +Reviewed-by: Randy Dunlap +Signed-off-by: Jonathan Corbet +Acked-by: Takashi Iwai + +--- + Documentation/admin-guide/kernel-parameters.txt | 2 +- + tools/testing/selftests/rcutorture/bin/kvm.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -3706,7 +3706,7 @@ + extra details on the taint flags that users can pick + to compose the bitmask to assign to panic_on_taint. + +- panic_on_warn panic() instead of WARN(). Useful to cause kdump ++ panic_on_warn=1 panic() instead of WARN(). Useful to cause kdump + on a WARN(). + + crash_kexec_post_notifiers +--- a/tools/testing/selftests/rcutorture/bin/kvm.sh ++++ b/tools/testing/selftests/rcutorture/bin/kvm.sh +@@ -634,4 +634,4 @@ fi + # Control buffer size: --bootargs trace_buf_size=3k + # Get trace-buffer dumps on all oopses: --bootargs ftrace_dump_on_oops + # Ditto, but dump only the oopsing CPU: --bootargs ftrace_dump_on_oops=orig_cpu +-# Heavy-handed way to also dump on warnings: --bootargs panic_on_warn ++# Heavy-handed way to also dump on warnings: --bootargs panic_on_warn=1 diff --git a/patches.suse/KVM-x86-fix-sending-PV-IPI.patch b/patches.suse/KVM-x86-fix-sending-PV-IPI.patch index b8c3cc5..61c08cb 100644 --- a/patches.suse/KVM-x86-fix-sending-PV-IPI.patch +++ b/patches.suse/KVM-x86-fix-sending-PV-IPI.patch @@ -3,7 +3,7 @@ Date: Wed, 9 Mar 2022 16:35:44 +0800 Subject: KVM: x86: fix sending PV IPI Git-commit: c15e0ae42c8e5a61e9aca8aac920517cf7b3e94e Patch-mainline: 5.18-rc1 -References: git-fixes +References: git-fixes, bsc#1210853 If apic_id is less than min, and (max - apic_id) is greater than KVM_IPI_CLUSTER_SIZE, then the third check condition is satisfied but diff --git a/patches.suse/NTB-amd-Fix-error-handling-in-amd_ntb_pci_driver_ini.patch b/patches.suse/NTB-amd-Fix-error-handling-in-amd_ntb_pci_driver_ini.patch new file mode 100644 index 0000000..dccb539 --- /dev/null +++ b/patches.suse/NTB-amd-Fix-error-handling-in-amd_ntb_pci_driver_ini.patch @@ -0,0 +1,64 @@ +From 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 Mon Sep 17 00:00:00 2001 +From: Yuan Can +Date: Sat, 5 Nov 2022 09:43:09 +0000 +Subject: [PATCH] NTB: amd: Fix error handling in amd_ntb_pci_driver_init() +Git-commit: 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 +Patch-mainline: v6.5-rc1 +References: git-fixes + +A problem about ntb_hw_amd create debugfs failed is triggered with the +following log given: + + [ 618.431232] AMD(R) PCI-E Non-Transparent Bridge Driver 1.0 + [ 618.433284] debugfs: Directory 'ntb_hw_amd' with parent '/' already present! + +The reason is that amd_ntb_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_amd can never be created later. + + amd_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. + +Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Acked-by: Takashi Iwai + +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index 04550b1f984c..730f2103b91d 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1338,12 +1338,17 @@ static struct pci_driver amd_ntb_pci_driver = { + + static int __init amd_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&amd_ntb_pci_driver); ++ ret = pci_register_driver(&amd_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(amd_ntb_pci_driver_init); + +-- +2.35.3 + diff --git a/patches.suse/NTB-ntb_tool-Add-check-for-devm_kcalloc.patch b/patches.suse/NTB-ntb_tool-Add-check-for-devm_kcalloc.patch new file mode 100644 index 0000000..8feda8f --- /dev/null +++ b/patches.suse/NTB-ntb_tool-Add-check-for-devm_kcalloc.patch @@ -0,0 +1,39 @@ +From 2790143f09938776a3b4f69685b380bae8fd06c7 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Tue, 22 Nov 2022 11:32:44 +0800 +Subject: [PATCH] NTB: ntb_tool: Add check for devm_kcalloc +Git-commit: 2790143f09938776a3b4f69685b380bae8fd06c7 +Patch-mainline: v6.5-rc1 +References: git-fixes + +As the devm_kcalloc may return NULL pointer, +it should be better to add check for the return +value, as same as the others. + +Fixes: 7f46c8b3a552 ("NTB: ntb_tool: Add full multi-port NTB API support") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Serge Semin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Acked-by: Takashi Iwai + +--- + drivers/ntb/test/ntb_tool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c +index 5ee0afa621a9..eeeb4b1c97d2 100644 +--- a/drivers/ntb/test/ntb_tool.c ++++ b/drivers/ntb/test/ntb_tool.c +@@ -998,6 +998,8 @@ static int tool_init_mws(struct tool_ctx *tc) + tc->peers[pidx].outmws = + devm_kcalloc(&tc->ntb->dev, tc->peers[pidx].outmw_cnt, + sizeof(*tc->peers[pidx].outmws), GFP_KERNEL); ++ if (tc->peers[pidx].outmws == NULL) ++ return -ENOMEM; + + for (widx = 0; widx < tc->peers[pidx].outmw_cnt; widx++) { + tc->peers[pidx].outmws[widx].pidx = pidx; +-- +2.35.3 + diff --git a/patches.suse/NTB-ntb_transport-fix-possible-memory-leak-while-dev.patch b/patches.suse/NTB-ntb_transport-fix-possible-memory-leak-while-dev.patch new file mode 100644 index 0000000..c659723 --- /dev/null +++ b/patches.suse/NTB-ntb_transport-fix-possible-memory-leak-while-dev.patch @@ -0,0 +1,41 @@ +From 8623ccbfc55d962e19a3537652803676ad7acb90 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Thu, 10 Nov 2022 23:19:17 +0800 +Subject: [PATCH] NTB: ntb_transport: fix possible memory leak while device_register() fails +Git-commit: 8623ccbfc55d962e19a3537652803676ad7acb90 +Patch-mainline: v6.5-rc1 +References: git-fixes + +If device_register() returns error, the name allocated by +dev_set_name() need be freed. As comment of device_register() +says, it should use put_device() to give up the reference in +the error path. So fix this by calling put_device(), then the +name can be freed in kobject_cleanup(), and client_dev is freed +in ntb_transport_client_release(). + +Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support") +Signed-off-by: Yang Yingliang +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Acked-by: Takashi Iwai + +--- + drivers/ntb/ntb_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c +index a9b97ebc71ac..2abd2235bbca 100644 +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -410,7 +410,7 @@ int ntb_transport_register_client_dev(char *device_name) + + rc = device_register(dev); + if (rc) { +- kfree(client_dev); ++ put_device(dev); + goto err; + } + +-- +2.35.3 + diff --git a/patches.suse/RDMA-rxe-Fix-access-checks-in-rxe_check_bind_mw.patch b/patches.suse/RDMA-rxe-Fix-access-checks-in-rxe_check_bind_mw.patch new file mode 100644 index 0000000..775c631 --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-access-checks-in-rxe_check_bind_mw.patch @@ -0,0 +1,96 @@ +From 425e1c9018fdf25cb4531606cc92d9d01a55534f Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Tue, 30 May 2023 17:13:32 -0500 +Subject: [PATCH 1/1] RDMA/rxe: Fix access checks in rxe_check_bind_mw +Git-commit: 425e1c9018fdf25cb4531606cc92d9d01a55534f +Patch-mainline: v6.5-rc1 +References: git-fixes + +The subroutine rxe_check_bind_mw() in rxe_mw.c performs checks on the mw +access flags before they are set so they always succeed. This patch +instead checks the access flags passed in the send wqe. + +Fixes: 32a577b4c3a9 ("RDMA/rxe: Add support for bind MW work requests") +Link: https://lore.kernel.org/r/20230530221334.89432-4-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey +--- + drivers/infiniband/sw/rxe/rxe_mw.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/drivers/infiniband/sw/rxe/rxe_mw.c ++++ b/drivers/infiniband/sw/rxe/rxe_mw.c +@@ -48,7 +48,7 @@ int rxe_dealloc_mw(struct ib_mw *ibmw) + } + + static int rxe_check_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe, +- struct rxe_mw *mw, struct rxe_mr *mr) ++ struct rxe_mw *mw, struct rxe_mr *mr, int access) + { + if (mw->ibmw.type == IB_MW_TYPE_1) { + if (unlikely(mw->state != RXE_MW_STATE_VALID)) { +@@ -58,7 +58,7 @@ static int rxe_check_bind_mw(struct rxe_ + } + + /* o10-36.2.2 */ +- if (unlikely((mw->access & IB_ZERO_BASED))) { ++ if (unlikely((access & IB_ZERO_BASED))) { + pr_err_once("attempt to bind a zero based type 1 MW\n"); + return -EINVAL; + } +@@ -104,7 +104,7 @@ static int rxe_check_bind_mw(struct rxe_ + } + + /* C10-74 */ +- if (unlikely((mw->access & ++ if (unlikely((access & + (IB_ACCESS_REMOTE_WRITE | IB_ACCESS_REMOTE_ATOMIC)) && + !(mr->access & IB_ACCESS_LOCAL_WRITE))) { + pr_err_once( +@@ -113,7 +113,7 @@ static int rxe_check_bind_mw(struct rxe_ + } + + /* C10-75 */ +- if (mw->access & IB_ZERO_BASED) { ++ if (access & IB_ZERO_BASED) { + if (unlikely(wqe->wr.wr.mw.length > mr->ibmr.length)) { + pr_err_once( + "attempt to bind a ZB MW outside of the MR\n"); +@@ -133,12 +133,12 @@ static int rxe_check_bind_mw(struct rxe_ + } + + static void rxe_do_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe, +- struct rxe_mw *mw, struct rxe_mr *mr) ++ struct rxe_mw *mw, struct rxe_mr *mr, int access) + { + u32 key = wqe->wr.wr.mw.rkey & 0xff; + + mw->rkey = (mw->rkey & ~0xff) | key; +- mw->access = wqe->wr.wr.mw.access; ++ mw->access = access; + mw->state = RXE_MW_STATE_VALID; + mw->addr = wqe->wr.wr.mw.addr; + mw->length = wqe->wr.wr.mw.length; +@@ -169,6 +169,7 @@ int rxe_bind_mw(struct rxe_qp *qp, struc + struct rxe_dev *rxe = to_rdev(qp->ibqp.device); + u32 mw_rkey = wqe->wr.wr.mw.mw_rkey; + u32 mr_lkey = wqe->wr.wr.mw.mr_lkey; ++ int access = wqe->wr.wr.mw.access; + + mw = rxe_pool_get_index(&rxe->mw_pool, mw_rkey >> 8); + if (unlikely(!mw)) { +@@ -198,11 +199,11 @@ int rxe_bind_mw(struct rxe_qp *qp, struc + + spin_lock_bh(&mw->lock); + +- ret = rxe_check_bind_mw(qp, wqe, mw, mr); ++ ret = rxe_check_bind_mw(qp, wqe, mw, mr, access); + if (ret) + goto err_unlock; + +- rxe_do_bind_mw(qp, wqe, mw, mr); ++ rxe_do_bind_mw(qp, wqe, mw, mr, access); + err_unlock: + spin_unlock_bh(&mw->lock); + err_drop_mr: diff --git a/patches.suse/Revert-drm-amd-display-edp-do-not-add-non-edid-timin.patch b/patches.suse/Revert-drm-amd-display-edp-do-not-add-non-edid-timin.patch new file mode 100644 index 0000000..23a3eb2 --- /dev/null +++ b/patches.suse/Revert-drm-amd-display-edp-do-not-add-non-edid-timin.patch @@ -0,0 +1,43 @@ +From d6149086b45e150c170beaa4546495fd1880724c Mon Sep 17 00:00:00 2001 +From: Hersen Wu +Date: Mon, 26 Jun 2023 13:40:58 -0400 +Subject: [PATCH] Revert "drm/amd/display: edp do not add non-edid timings" +Git-commit: d6149086b45e150c170beaa4546495fd1880724c +Patch-mainline: v6.5-rc1 +References: git-fixes + +This change causes regression when eDP and external display in mirror +mode. When external display supports low resolution than eDP, use eDP +timing to driver external display may cause corruption on external +display. + +This reverts commit e749dd10e5f292061ad63d2b030194bf7d7d452c. + +Cc: stable@vger.kernel.org +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2655 +Signed-off-by: Hersen Wu +Reviewed-by: Mario Limonciello +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -7853,13 +7853,7 @@ static int amdgpu_dm_connector_get_modes + drm_add_modes_noedid(connector, 640, 480); + } else { + amdgpu_dm_connector_ddc_get_modes(connector, edid); +- /* most eDP supports only timings from its edid, +- * usually only detailed timings are available +- * from eDP edid. timings which are not from edid +- * may damage eDP +- */ +- if (connector->connector_type != DRM_MODE_CONNECTOR_eDP) +- amdgpu_dm_connector_add_common_modes(encoder, connector); ++ amdgpu_dm_connector_add_common_modes(encoder, connector); + amdgpu_dm_connector_add_freesync_modes(connector, edid); + } + amdgpu_dm_fbc_init(connector); diff --git a/patches.suse/apparmor-fix-missing-error-check-for-rhashtable_inse.patch b/patches.suse/apparmor-fix-missing-error-check-for-rhashtable_inse.patch new file mode 100644 index 0000000..54f827d --- /dev/null +++ b/patches.suse/apparmor-fix-missing-error-check-for-rhashtable_inse.patch @@ -0,0 +1,42 @@ +From 000518bc5aef25d3f703592a0296d578c98b1517 Mon Sep 17 00:00:00 2001 +From: Danila Chernetsov +Date: Tue, 4 Apr 2023 19:05:49 +0000 +Subject: [PATCH] apparmor: fix missing error check for rhashtable_insert_fast +Git-commit: 000518bc5aef25d3f703592a0296d578c98b1517 +Patch-mainline: v6.5-rc1 +References: git-fixes + + rhashtable_insert_fast() could return err value when memory allocation is + failed. but unpack_profile() do not check values and this always returns + success value. This patch just adds error check code. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: e025be0f26d5 ("apparmor: support querying extended trusted helper extra data") + +Signed-off-by: Danila Chernetsov +Signed-off-by: John Johansen +Acked-by: Takashi Iwai + +--- + security/apparmor/policy_unpack.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/security/apparmor/policy_unpack.c ++++ b/security/apparmor/policy_unpack.c +@@ -909,8 +909,13 @@ static struct aa_profile *unpack_profile + goto fail; + } + +- rhashtable_insert_fast(profile->data, &data->head, +- profile->data->p); ++ if (rhashtable_insert_fast(profile->data, &data->head, ++ profile->data->p)) { ++ kfree_sensitive(data->key); ++ kfree_sensitive(data); ++ info = "failed to insert data to table"; ++ goto fail; ++ } + } + + if (!unpack_nameX(e, AA_STRUCTEND, NULL)) { diff --git a/patches.suse/clk-qcom-camcc-sc7180-Add-parent-dependency-to-all-c.patch b/patches.suse/clk-qcom-camcc-sc7180-Add-parent-dependency-to-all-c.patch new file mode 100644 index 0000000..ce35b7c --- /dev/null +++ b/patches.suse/clk-qcom-camcc-sc7180-Add-parent-dependency-to-all-c.patch @@ -0,0 +1,88 @@ +From 3e4d179532423f299554cd0dedabdd9d2fdd238d Mon Sep 17 00:00:00 2001 +From: Taniya Das +Date: Mon, 1 May 2023 19:59:32 +0530 +Subject: [PATCH] clk: qcom: camcc-sc7180: Add parent dependency to all camera GDSCs +Git-commit: 3e4d179532423f299554cd0dedabdd9d2fdd238d +Patch-mainline: v6.5-rc1 +References: git-fixes + +Camera titan top GDSC is a parent supply to all other camera GDSCs. Titan +top GDSC is required to be enabled before enabling any other camera GDSCs +and it should be disabled only after all other camera GDSCs are disabled. +Ensure this behavior by marking titan top GDSC as parent of all other +camera GDSCs. + +Fixes: 15d09e830bbc ("clk: qcom: camcc: Add camera clock controller driver for SC7180") +Signed-off-by: Taniya Das +Acked-by: Stephen Boyd +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230501142932.13049-1-quic_tdas@quicinc.com +Acked-by: Takashi Iwai + +--- + drivers/clk/qcom/camcc-sc7180.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/clk/qcom/camcc-sc7180.c b/drivers/clk/qcom/camcc-sc7180.c +index e2b4804695f3..8a4ba7a19ed1 100644 +--- a/drivers/clk/qcom/camcc-sc7180.c ++++ b/drivers/clk/qcom/camcc-sc7180.c +@@ -1480,12 +1480,21 @@ static struct clk_branch cam_cc_sys_tmr_clk = { + }, + }; + ++static struct gdsc titan_top_gdsc = { ++ .gdscr = 0xb134, ++ .pd = { ++ .name = "titan_top_gdsc", ++ }, ++ .pwrsts = PWRSTS_OFF_ON, ++}; ++ + static struct gdsc bps_gdsc = { + .gdscr = 0x6004, + .pd = { + .name = "bps_gdsc", + }, + .pwrsts = PWRSTS_OFF_ON, ++ .parent = &titan_top_gdsc.pd, + .flags = HW_CTRL, + }; + +@@ -1495,6 +1504,7 @@ static struct gdsc ife_0_gdsc = { + .name = "ife_0_gdsc", + }, + .pwrsts = PWRSTS_OFF_ON, ++ .parent = &titan_top_gdsc.pd, + }; + + static struct gdsc ife_1_gdsc = { +@@ -1503,6 +1513,7 @@ static struct gdsc ife_1_gdsc = { + .name = "ife_1_gdsc", + }, + .pwrsts = PWRSTS_OFF_ON, ++ .parent = &titan_top_gdsc.pd, + }; + + static struct gdsc ipe_0_gdsc = { +@@ -1512,15 +1523,9 @@ static struct gdsc ipe_0_gdsc = { + }, + .pwrsts = PWRSTS_OFF_ON, + .flags = HW_CTRL, ++ .parent = &titan_top_gdsc.pd, + }; + +-static struct gdsc titan_top_gdsc = { +- .gdscr = 0xb134, +- .pd = { +- .name = "titan_top_gdsc", +- }, +- .pwrsts = PWRSTS_OFF_ON, +-}; + + static struct clk_hw *cam_cc_sc7180_hws[] = { + [CAM_CC_PLL2_OUT_EARLY] = &cam_cc_pll2_out_early.hw, +-- +2.35.3 + diff --git a/patches.suse/clk-qcom-gcc-ipq6018-Use-floor-ops-for-sdcc-clocks.patch b/patches.suse/clk-qcom-gcc-ipq6018-Use-floor-ops-for-sdcc-clocks.patch new file mode 100644 index 0000000..f34d6ec --- /dev/null +++ b/patches.suse/clk-qcom-gcc-ipq6018-Use-floor-ops-for-sdcc-clocks.patch @@ -0,0 +1,37 @@ +From 56e5ae0116aef87273cf1812d608645b076e4f02 Mon Sep 17 00:00:00 2001 +From: Mantas Pucka +Date: Tue, 25 Apr 2023 12:11:49 +0300 +Subject: [PATCH] clk: qcom: gcc-ipq6018: Use floor ops for sdcc clocks +Git-commit: 56e5ae0116aef87273cf1812d608645b076e4f02 +Patch-mainline: v6.5-rc1 +References: git-fixes + +SDCC clocks must be rounded down to avoid overclocking the controller. + +Fixes: d9db07f088af ("clk: qcom: Add ipq6018 Global Clock Controller support") +Signed-off-by: Mantas Pucka +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/1682413909-24927-1-git-send-email-mantas@8devices.com +Acked-by: Takashi Iwai + +--- + drivers/clk/qcom/gcc-ipq6018.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/gcc-ipq6018.c b/drivers/clk/qcom/gcc-ipq6018.c +index 3f9c2f61a5d9..5c5d1b04ea7a 100644 +--- a/drivers/clk/qcom/gcc-ipq6018.c ++++ b/drivers/clk/qcom/gcc-ipq6018.c +@@ -1654,7 +1654,7 @@ static struct clk_rcg2 sdcc1_apps_clk_src = { + .name = "sdcc1_apps_clk_src", + .parent_data = gcc_xo_gpll0_gpll2_gpll0_out_main_div2, + .num_parents = 4, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_rcg2_floor_ops, + }, + }; + +-- +2.35.3 + diff --git a/patches.suse/docs-networking-Update-codeaurora-references-for-rmn.patch b/patches.suse/docs-networking-Update-codeaurora-references-for-rmn.patch new file mode 100644 index 0000000..e37e402 --- /dev/null +++ b/patches.suse/docs-networking-Update-codeaurora-references-for-rmn.patch @@ -0,0 +1,42 @@ +From 26b32974ad2e82811706fd19c33c4ad6b9953663 Mon Sep 17 00:00:00 2001 +From: Subash Abhinov Kasiviswanathan +Date: Fri, 30 Jun 2023 10:26:17 -0600 +Subject: [PATCH] docs: networking: Update codeaurora references for rmnet +Git-commit: 26b32974ad2e82811706fd19c33c4ad6b9953663 +Patch-mainline: v6.5-rc1 +References: git-fixes + +source.codeaurora.org is no longer accessible and so the reference link +in the documentation is not useful. Use iproute2 instead as it has a +rmnet module for configuration. + +Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation") +Signed-off-by: Sean Tranchetti +Signed-off-by: Subash Abhinov Kasiviswanathan +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + .../networking/device_drivers/cellular/qualcomm/rmnet.rst | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/Documentation/networking/device_drivers/cellular/qualcomm/rmnet.rst b/Documentation/networking/device_drivers/cellular/qualcomm/rmnet.rst +index 4118384cf8eb..289c146a8291 100644 +--- a/Documentation/networking/device_drivers/cellular/qualcomm/rmnet.rst ++++ b/Documentation/networking/device_drivers/cellular/qualcomm/rmnet.rst +@@ -190,8 +190,7 @@ MAP header|IP Packet|Optional padding|MAP header|Command Packet|Optional pad... + 3. Userspace configuration + ========================== + +-rmnet userspace configuration is done through netlink library librmnetctl +-and command line utility rmnetcli. Utility is hosted in codeaurora forum git. +-The driver uses rtnl_link_ops for communication. ++rmnet userspace configuration is done through netlink using iproute2 ++https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/ + +-https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/dataservices/tree/rmnetctl ++The driver uses rtnl_link_ops for communication. +-- +2.35.3 + diff --git a/patches.suse/drm-amd-Disable-PSR-SU-on-Parade-0803-TCON.patch b/patches.suse/drm-amd-Disable-PSR-SU-on-Parade-0803-TCON.patch new file mode 100644 index 0000000..286c566 --- /dev/null +++ b/patches.suse/drm-amd-Disable-PSR-SU-on-Parade-0803-TCON.patch @@ -0,0 +1,47 @@ +From 9d5137e01cb8c67e30e30865fd5b0abe71fa3372 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 19 Jun 2023 15:04:24 -0500 +Subject: [PATCH] drm/amd: Disable PSR-SU on Parade 0803 TCON +References: bsc#1212848, bsc#1212961 +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: https://gitlab.freedesktop.org/agd5f/linux.git +Git-commit: 9d5137e01cb8c67e30e30865fd5b0abe71fa3372 + +A number of users have reported that there are random hangs occurring +caused by PSR-SU specifically on panels that contain the parade 0803 +TCON. Users have been able to work around the issue by disabling PSR +entirely. + +To avoid these hangs, disable PSR-SU when this TCON is found. + +Cc: stable@vger.kernel.org +Cc: Sean Wang +Cc: Marc Rossi +Cc: Hamza Mahfooz +Suggested-by: Tsung-hua (Ryan) Lin +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2443 +Signed-off-by: Mario Limonciello +Reviewed-by: Hamza Mahfooz +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/display/modules/power/power_helpers.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/modules/power/power_helpers.c b/drivers/gpu/drm/amd/display/modules/power/power_helpers.c +index 51e76bce92ea..70b3ed98b254 100644 +--- a/drivers/gpu/drm/amd/display/modules/power/power_helpers.c ++++ b/drivers/gpu/drm/amd/display/modules/power/power_helpers.c +@@ -818,6 +818,8 @@ bool is_psr_su_specific_panel(struct dc_link *link) + ((dpcd_caps->sink_dev_id_str[1] == 0x08 && dpcd_caps->sink_dev_id_str[0] == 0x08) || + (dpcd_caps->sink_dev_id_str[1] == 0x08 && dpcd_caps->sink_dev_id_str[0] == 0x07))) + isPSRSUSupported = false; ++ else if (dpcd_caps->sink_dev_id_str[1] == 0x08 && dpcd_caps->sink_dev_id_str[0] == 0x03) ++ isPSRSUSupported = false; + else if (dpcd_caps->psr_info.force_psrsu_cap == 0x1) + isPSRSUSupported = true; + } +-- +2.35.3 + diff --git a/patches.suse/drm-amd-Don-t-try-to-enable-secure-display-TA-multip.patch b/patches.suse/drm-amd-Don-t-try-to-enable-secure-display-TA-multip.patch new file mode 100644 index 0000000..cb40584 --- /dev/null +++ b/patches.suse/drm-amd-Don-t-try-to-enable-secure-display-TA-multip.patch @@ -0,0 +1,42 @@ +From 134ea95255cf359a2e6d70308c15243c3fdf8eaf Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Thu, 22 Jun 2023 22:18:39 -0500 +Subject: [PATCH] drm/amd: Don't try to enable secure display TA multiple times +References: bsc#1212848, bsc#1212961 +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: https://gitlab.freedesktop.org/agd5f/linux.git +Git-commit: 134ea95255cf359a2e6d70308c15243c3fdf8eaf + +If the securedisplay TA failed to load the first time, it's unlikely +to work again after a suspend/resume cycle or reset cycle and it appears +to be causing problems in futher attempts. + +Fixes: e42dfa66d592 ("drm/amdgpu: Add secure display TA load for Renoir") +Reported-by: Filip Hejsek +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2633 +Signed-off-by: Mario Limonciello +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +index a150b7a4b4aa..e4757a2807d9 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +@@ -1947,6 +1947,8 @@ static int psp_securedisplay_initialize(struct psp_context *psp) + psp_securedisplay_parse_resp_status(psp, securedisplay_cmd->status); + dev_err(psp->adev->dev, "SECUREDISPLAY: query securedisplay TA failed. ret 0x%x\n", + securedisplay_cmd->securedisplay_out_message.query_ta.query_cmd_ret); ++ /* don't try again */ ++ psp->securedisplay_context.context.bin_desc.size_bytes = 0; + } + + return 0; +-- +2.35.3 + diff --git a/patches.suse/drm-amd-display-add-a-NULL-pointer-check.patch b/patches.suse/drm-amd-display-add-a-NULL-pointer-check.patch new file mode 100644 index 0000000..584a0c0 --- /dev/null +++ b/patches.suse/drm-amd-display-add-a-NULL-pointer-check.patch @@ -0,0 +1,50 @@ +From b8a3031ce20fc83e339c2967be6665f8418e8097 Mon Sep 17 00:00:00 2001 +From: Sung-huai Wang +Date: Tue, 6 Jun 2023 14:28:38 +0800 +Subject: [PATCH] drm/amd/display: add a NULL pointer check +References: bsc#1212848, bsc#1212961 +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: https://gitlab.freedesktop.org/agd5f/linux.git +Git-commit: b8a3031ce20fc83e339c2967be6665f8418e8097 + +[Why & How] + +We have to check if stream is properly initialized before calling +find_matching_pll(), otherwise we might end up trying to deferecence a +NULL pointer. + +Cc: stable@vger.kernel.org # 6.1+ +Reviewed-by: Nicholas Kazlauskas +Acked-by: Hamza Mahfooz +Signed-off-by: Sung-huai Wang +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + .../gpu/drm/amd/display/dc/dce112/dce112_resource.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c b/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c +index e179e80667d1..19d7cfa53211 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c +@@ -970,10 +970,12 @@ enum dc_status resource_map_phy_clock_resources( + || dc_is_virtual_signal(pipe_ctx->stream->signal)) + pipe_ctx->clock_source = + dc->res_pool->dp_clock_source; +- else +- pipe_ctx->clock_source = find_matching_pll( +- &context->res_ctx, dc->res_pool, +- stream); ++ else { ++ if (stream && stream->link && stream->link->link_enc) ++ pipe_ctx->clock_source = find_matching_pll( ++ &context->res_ctx, dc->res_pool, ++ stream); ++ } + + if (pipe_ctx->clock_source == NULL) + return DC_NO_CLOCK_SOURCE_RESOURCE; +-- +2.35.3 + diff --git a/patches.suse/drm-amd-display-disable-seamless-boot-if-force_odm_c.patch b/patches.suse/drm-amd-display-disable-seamless-boot-if-force_odm_c.patch new file mode 100644 index 0000000..a20140c --- /dev/null +++ b/patches.suse/drm-amd-display-disable-seamless-boot-if-force_odm_c.patch @@ -0,0 +1,41 @@ +From 47cfea157cafcc7411ff6e97daf5d8d7426d9493 Mon Sep 17 00:00:00 2001 +From: Leo Chen +Date: Thu, 8 Jun 2023 16:37:38 -0400 +Subject: [PATCH] drm/amd/display: disable seamless boot if force_odm_combine is enabled +References: bsc#1212848, bsc#1212961 +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: https://gitlab.freedesktop.org/agd5f/linux.git +Git-commit: 47cfea157cafcc7411ff6e97daf5d8d7426d9493 + +[Why & How] +Having seamless boot on while forcing debug option ODM combine 2 to 1 +will cause some corruptions because of some missing programmings. + +Cc: stable@vger.kernel.org # 6.1+ +Reviewed-by: Nicholas Kazlauskas +Acked-by: Hamza Mahfooz +Signed-off-by: Leo Chen +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 7cde67b7f0c3..393bae3ce7bd 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1602,6 +1602,9 @@ bool dc_validate_boot_timing(const struct dc *dc, + return false; + } + ++ if (dc->debug.force_odm_combine) ++ return false; ++ + /* Check for enabled DIG to identify enabled display */ + if (!link->link_enc->funcs->is_dig_enabled(link->link_enc)) + return false; +-- +2.35.3 + diff --git a/patches.suse/drm-amd-pm-revise-the-ASPM-settings-for-thunderbolt-.patch b/patches.suse/drm-amd-pm-revise-the-ASPM-settings-for-thunderbolt-.patch new file mode 100644 index 0000000..521e862 --- /dev/null +++ b/patches.suse/drm-amd-pm-revise-the-ASPM-settings-for-thunderbolt-.patch @@ -0,0 +1,54 @@ +From d9b64859512ccd79a0d3387e29e4503999301a1e Mon Sep 17 00:00:00 2001 +From: Evan Quan +Date: Thu, 15 Jun 2023 10:56:55 +0800 +Subject: [PATCH] drm/amd/pm: revise the ASPM settings for thunderbolt attached scenario +References: bsc#1212848, bsc#1212961 +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: https://gitlab.freedesktop.org/agd5f/linux.git +Git-commit: d9b64859512ccd79a0d3387e29e4503999301a1e + +Also, correct the comment for NAVI10_PCIE__LC_L1_INACTIVITY_TBT_DEFAULT +as 0x0000000E stands for 400ms instead of 4ms. + +Signed-off-by: Evan Quan +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c b/drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c +index aa761ff3a5fa..7ba47fc1917b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c ++++ b/drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c +@@ -346,7 +346,7 @@ static void nbio_v2_3_init_registers(struct amdgpu_device *adev) + + #define NAVI10_PCIE__LC_L0S_INACTIVITY_DEFAULT 0x00000000 // off by default, no gains over L1 + #define NAVI10_PCIE__LC_L1_INACTIVITY_DEFAULT 0x00000009 // 1=1us, 9=1ms +-#define NAVI10_PCIE__LC_L1_INACTIVITY_TBT_DEFAULT 0x0000000E // 4ms ++#define NAVI10_PCIE__LC_L1_INACTIVITY_TBT_DEFAULT 0x0000000E // 400ms + + static void nbio_v2_3_enable_aspm(struct amdgpu_device *adev, + bool enable) +@@ -479,9 +479,12 @@ static void nbio_v2_3_program_aspm(struct amdgpu_device *adev) + WREG32_SOC15(NBIO, 0, mmRCC_BIF_STRAP5, data); + + def = data = RREG32_PCIE(smnPCIE_LC_CNTL); +- data &= ~PCIE_LC_CNTL__LC_L0S_INACTIVITY_MASK; +- data |= 0x9 << PCIE_LC_CNTL__LC_L1_INACTIVITY__SHIFT; +- data |= 0x1 << PCIE_LC_CNTL__LC_PMI_TO_L1_DIS__SHIFT; ++ data |= NAVI10_PCIE__LC_L0S_INACTIVITY_DEFAULT << PCIE_LC_CNTL__LC_L0S_INACTIVITY__SHIFT; ++ if (pci_is_thunderbolt_attached(adev->pdev)) ++ data |= NAVI10_PCIE__LC_L1_INACTIVITY_TBT_DEFAULT << PCIE_LC_CNTL__LC_L1_INACTIVITY__SHIFT; ++ else ++ data |= NAVI10_PCIE__LC_L1_INACTIVITY_DEFAULT << PCIE_LC_CNTL__LC_L1_INACTIVITY__SHIFT; ++ data &= ~PCIE_LC_CNTL__LC_PMI_TO_L1_DIS_MASK; + if (def != data) + WREG32_PCIE(smnPCIE_LC_CNTL, data); + +-- +2.35.3 + diff --git a/patches.suse/drm-amd-pm-update-the-LC_L1_INACTIVITY-setting-to-ad.patch b/patches.suse/drm-amd-pm-update-the-LC_L1_INACTIVITY-setting-to-ad.patch new file mode 100644 index 0000000..1ab3461 --- /dev/null +++ b/patches.suse/drm-amd-pm-update-the-LC_L1_INACTIVITY-setting-to-ad.patch @@ -0,0 +1,39 @@ +From 34a0773fbb922931a696fc8cfdf292a7a9338534 Mon Sep 17 00:00:00 2001 +From: Evan Quan +Date: Thu, 15 Jun 2023 11:03:49 +0800 +Subject: [PATCH] drm/amd/pm: update the LC_L1_INACTIVITY setting to address possible noise issue +References: bsc#1212848, bsc#1212961 +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: https://gitlab.freedesktop.org/agd5f/linux.git +Git-commit: 34a0773fbb922931a696fc8cfdf292a7a9338534 + +It is proved that insufficient LC_L1_INACTIVITY setting can cause audio +noise on some platform. With the LC_L1_INACTIVITY increased to 4ms, the +issue can be resolved. + +Signed-off-by: Evan Quan +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c b/drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c +index 7ba47fc1917b..4038455d7998 100644 +--- a/drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c ++++ b/drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c +@@ -345,7 +345,7 @@ static void nbio_v2_3_init_registers(struct amdgpu_device *adev) + } + + #define NAVI10_PCIE__LC_L0S_INACTIVITY_DEFAULT 0x00000000 // off by default, no gains over L1 +-#define NAVI10_PCIE__LC_L1_INACTIVITY_DEFAULT 0x00000009 // 1=1us, 9=1ms ++#define NAVI10_PCIE__LC_L1_INACTIVITY_DEFAULT 0x0000000A // 1=1us, 9=1ms, 10=4ms + #define NAVI10_PCIE__LC_L1_INACTIVITY_TBT_DEFAULT 0x0000000E // 400ms + + static void nbio_v2_3_enable_aspm(struct amdgpu_device *adev, +-- +2.35.3 + diff --git a/patches.suse/drm-amdgpu-Set-vmbo-destroy-after-pt-bo-is-created.patch b/patches.suse/drm-amdgpu-Set-vmbo-destroy-after-pt-bo-is-created.patch new file mode 100644 index 0000000..91f201e --- /dev/null +++ b/patches.suse/drm-amdgpu-Set-vmbo-destroy-after-pt-bo-is-created.patch @@ -0,0 +1,73 @@ +From 0f03f5ee01731f415d341b6608ed2d39428c887a Mon Sep 17 00:00:00 2001 +From: Philip Yang +Date: Mon, 3 Oct 2022 13:03:26 -0400 +Subject: drm/amdgpu: Set vmbo destroy after pt bo is created +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 9a3c6067bd2ee2ca2652fbb0679f422f3c9109f9 +Patch-mainline: v6.1-rc1 +References: jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 jsc#PED-2849 + +Under VRAM usage pression, map to GPU may fail to create pt bo and +vmbo->shadow_list is not initialized, then ttm_bo_release calling +amdgpu_bo_vm_destroy to access vmbo->shadow_list generates below +dmesg and NULL pointer access backtrace: + +Set vmbo destroy callback to amdgpu_bo_vm_destroy only after creating pt +bo successfully, otherwise use default callback amdgpu_bo_destroy. + +amdgpu: amdgpu_vm_bo_update failed +amdgpu: update_gpuvm_pte() failed +amdgpu: Failed to map bo to gpuvm +amdgpu 0000:43:00.0: amdgpu: Failed to map peer:0000:43:00.0 mem_domain:2 +BUG: kernel NULL pointer dereference, address: + RIP: 0010:amdgpu_bo_vm_destroy+0x4d/0x80 [amdgpu] + Call Trace: + + ttm_bo_release+0x207/0x320 [amdttm] + amdttm_bo_init_reserved+0x1d6/0x210 [amdttm] + amdgpu_bo_create+0x1ba/0x520 [amdgpu] + amdgpu_bo_create_vm+0x3a/0x80 [amdgpu] + amdgpu_vm_pt_create+0xde/0x270 [amdgpu] + amdgpu_vm_ptes_update+0x63b/0x710 [amdgpu] + amdgpu_vm_update_range+0x2e7/0x6e0 [amdgpu] + amdgpu_vm_bo_update+0x2bd/0x600 [amdgpu] + update_gpuvm_pte+0x160/0x420 [amdgpu] + amdgpu_amdkfd_gpuvm_map_memory_to_gpu+0x313/0x1130 [amdgpu] + kfd_ioctl_map_memory_to_gpu+0x115/0x390 [amdgpu] + kfd_ioctl+0x24a/0x5b0 [amdgpu] + +Signed-off-by: Philip Yang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Acked-by: Patrik Jakobsson +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c +index e6a9b9fc9e0b..2e8f6cd7a729 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c +@@ -688,13 +688,16 @@ int amdgpu_bo_create_vm(struct amdgpu_device *adev, + * num of amdgpu_vm_pt entries. + */ + BUG_ON(bp->bo_ptr_size < sizeof(struct amdgpu_bo_vm)); +- bp->destroy = &amdgpu_bo_vm_destroy; + r = amdgpu_bo_create(adev, bp, &bo_ptr); + if (r) + return r; + + *vmbo_ptr = to_amdgpu_bo_vm(bo_ptr); + INIT_LIST_HEAD(&(*vmbo_ptr)->shadow_list); ++ /* Set destroy callback to amdgpu_bo_vm_destroy after vmbo->shadow_list ++ * is initialized. ++ */ ++ bo_ptr->tbo.destroy = &amdgpu_bo_vm_destroy; + return r; + } + +-- +2.38.1 + diff --git a/patches.suse/drm-amdgpu-Validate-VM-ioctl-flags.patch b/patches.suse/drm-amdgpu-Validate-VM-ioctl-flags.patch new file mode 100644 index 0000000..79296fd --- /dev/null +++ b/patches.suse/drm-amdgpu-Validate-VM-ioctl-flags.patch @@ -0,0 +1,33 @@ +From a2b308044dcaca8d3e580959a4f867a1d5c37fac Mon Sep 17 00:00:00 2001 +From: Bas Nieuwenhuizen +Date: Sat, 13 May 2023 14:51:00 +0200 +Subject: [PATCH] drm/amdgpu: Validate VM ioctl flags. +Git-commit: a2b308044dcaca8d3e580959a4f867a1d5c37fac +Patch-mainline: v6.5-rc1 +References: git-fixes + +None have been defined yet, so reject anybody setting any. Mesa sets +it to 0 anyway. + +Signed-off-by: Bas Nieuwenhuizen +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -3305,6 +3305,10 @@ int amdgpu_vm_ioctl(struct drm_device *d + long timeout = msecs_to_jiffies(2000); + int r; + ++ /* No valid flags defined yet */ ++ if (args->in.flags) ++ return -EINVAL; ++ + switch (args->in.op) { + case AMDGPU_VM_OP_RESERVE_VMID: + /* We only have requirement to reserve vmid from gfxhub */ diff --git a/patches.suse/drm-amdgpu-fix-clearing-mappings-for-BOs-that-are-al.patch b/patches.suse/drm-amdgpu-fix-clearing-mappings-for-BOs-that-are-al.patch new file mode 100644 index 0000000..2c0f5b7 --- /dev/null +++ b/patches.suse/drm-amdgpu-fix-clearing-mappings-for-BOs-that-are-al.patch @@ -0,0 +1,68 @@ +From dd885821b0397e60a58cf074ffe11b59bf400e45 Mon Sep 17 00:00:00 2001 +From: Samuel Pitoiset +Date: Fri, 16 Jun 2023 15:14:07 +0200 +Subject: [PATCH] drm/amdgpu: fix clearing mappings for BOs that are always valid in VM +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +References: bsc#1212848, bsc#1212961 +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: https://gitlab.freedesktop.org/agd5f/linux.git +Git-commit: dd885821b0397e60a58cf074ffe11b59bf400e45 + +Per VM BOs must be marked as moved or otherwise their ranges are not +updated on use which might be necessary when the replace operation +splits mappings. + +This fixes random GPU hangs when replacing sparse mappings from the +userspace, while OP_MAP/OP_UNMAP works fine because always valid BOs +are correctly handled there. + +Cc: stable@vger.kernel.org +Signed-off-by: Samuel Pitoiset +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +index 2c8cafec48a4..58e328f7c1ff 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -1683,18 +1683,30 @@ int amdgpu_vm_bo_clear_mappings(struct amdgpu_device *adev, + + /* Insert partial mapping before the range */ + if (!list_empty(&before->list)) { ++ struct amdgpu_bo *bo = before->bo_va->base.bo; ++ + amdgpu_vm_it_insert(before, &vm->va); + if (before->flags & AMDGPU_PTE_PRT) + amdgpu_vm_prt_get(adev); ++ ++ if (bo && bo->tbo.base.resv == vm->root.bo->tbo.base.resv && ++ !before->bo_va->base.moved) ++ amdgpu_vm_bo_moved(&before->bo_va->base); + } else { + kfree(before); + } + + /* Insert partial mapping after the range */ + if (!list_empty(&after->list)) { ++ struct amdgpu_bo *bo = after->bo_va->base.bo; ++ + amdgpu_vm_it_insert(after, &vm->va); + if (after->flags & AMDGPU_PTE_PRT) + amdgpu_vm_prt_get(adev); ++ ++ if (bo && bo->tbo.base.resv == vm->root.bo->tbo.base.resv && ++ !after->bo_va->base.moved) ++ amdgpu_vm_bo_moved(&after->bo_va->base); + } else { + kfree(after); + } +-- +2.35.3 + diff --git a/patches.suse/drm-amdgpu-fix-number-of-fence-calculations.patch b/patches.suse/drm-amdgpu-fix-number-of-fence-calculations.patch new file mode 100644 index 0000000..24e592b --- /dev/null +++ b/patches.suse/drm-amdgpu-fix-number-of-fence-calculations.patch @@ -0,0 +1,65 @@ +From 7e473000653172c5eec8898e313b5c343fadd2fc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Tue, 20 Jun 2023 13:18:13 +0200 +Subject: [PATCH] drm/amdgpu: fix number of fence calculations +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +References: bsc#1212848, bsc#1212961 +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: https://gitlab.freedesktop.org/agd5f/linux.git +Git-commit: 7e473000653172c5eec8898e313b5c343fadd2fc + +Since adding gang submit we need to take the gang size into account +while reserving fences. + +Signed-off-by: Christian König +Fixes: 4624459c84d7 ("drm/amdgpu: add gang submit frontend v6") +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +index 2eb2c66843a8..5612caf77dd6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +@@ -133,9 +133,6 @@ static int amdgpu_cs_p1_user_fence(struct amdgpu_cs_parser *p, + bo = amdgpu_bo_ref(gem_to_amdgpu_bo(gobj)); + p->uf_entry.priority = 0; + p->uf_entry.tv.bo = &bo->tbo; +- /* One for TTM and two for the CS job */ +- p->uf_entry.tv.num_shared = 3; +- + drm_gem_object_put(gobj); + + size = amdgpu_bo_size(bo); +@@ -882,15 +879,19 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p, + + mutex_lock(&p->bo_list->bo_list_mutex); + +- /* One for TTM and one for the CS job */ ++ /* One for TTM and one for each CS job */ + amdgpu_bo_list_for_each_entry(e, p->bo_list) +- e->tv.num_shared = 2; ++ e->tv.num_shared = 1 + p->gang_size; ++ p->uf_entry.tv.num_shared = 1 + p->gang_size; + + amdgpu_bo_list_get_list(p->bo_list, &p->validated); + + INIT_LIST_HEAD(&duplicates); + amdgpu_vm_get_pd_bo(&fpriv->vm, &p->validated, &p->vm_pd); + ++ /* Two for VM updates, one for TTM and one for each CS job */ ++ p->vm_pd.tv.num_shared = 3 + p->gang_size; ++ + if (p->uf_entry.tv.bo && !ttm_to_amdgpu_bo(p->uf_entry.tv.bo)->parent) + list_add(&p->uf_entry.tv.head, &p->validated); + +-- +2.35.3 + diff --git a/patches.suse/drm-i915-psr-Use-hw.adjusted-mode-when-calculating-i.patch b/patches.suse/drm-i915-psr-Use-hw.adjusted-mode-when-calculating-i.patch new file mode 100644 index 0000000..bddb078 --- /dev/null +++ b/patches.suse/drm-i915-psr-Use-hw.adjusted-mode-when-calculating-i.patch @@ -0,0 +1,53 @@ +From 5311892a0ad1d301aafd53ca0154091b3eb407ea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jouni=20H=C3=B6gander?= +Date: Tue, 20 Jun 2023 14:17:45 +0300 +Subject: [PATCH] drm/i915/psr: Use hw.adjusted mode when calculating io/fast wake times +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5311892a0ad1d301aafd53ca0154091b3eb407ea +Patch-mainline: v6.5-rc1 +Alt-commit: ef0af9db2a21257885116949f471fe5565b2f0ab +References: git-fixes + +Encoder compute config is changing hw.adjusted mode. Uapi.adjusted mode +doesn't get updated before psr compute config gets called. This causes io +and fast wake line calculation using adjusted mode containing values before +encoder adjustments. Fix this by using hw.adjusted mode instead of +uapi.adjusted mode. + +Cc: Stanislav Lisovskiy + +Signed-off-by: Jouni Högander +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8475 +Fixes: cb42e8ede5b4 ("drm/i915/psr: Use calculated io and fast wake lines") +Reviewed-by: Mika Kahola +Link: https://patchwork.freedesktop.org/patch/msgid/20230620111745.2870706-1-jouni.hogander@intel.com +(cherry picked from commit ef0af9db2a21257885116949f471fe5565b2f0ab) + +Signed-off-by: Tvrtko Ursulin +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/display/intel_psr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index d58ed9b62e67..56c17283ba2d 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -933,9 +933,9 @@ static bool _compute_psr2_wake_times(struct intel_dp *intel_dp, + } + + io_wake_lines = intel_usecs_to_scanlines( +- &crtc_state->uapi.adjusted_mode, io_wake_time); ++ &crtc_state->hw.adjusted_mode, io_wake_time); + fast_wake_lines = intel_usecs_to_scanlines( +- &crtc_state->uapi.adjusted_mode, fast_wake_time); ++ &crtc_state->hw.adjusted_mode, fast_wake_time); + + if (io_wake_lines > max_wake_lines || + fast_wake_lines > max_wake_lines) +-- +2.35.3 + diff --git a/patches.suse/dt-bindings-phy-brcm-brcmstb-usb-phy-Fix-error-in-co.patch b/patches.suse/dt-bindings-phy-brcm-brcmstb-usb-phy-Fix-error-in-co.patch new file mode 100644 index 0000000..a52e07c --- /dev/null +++ b/patches.suse/dt-bindings-phy-brcm-brcmstb-usb-phy-Fix-error-in-co.patch @@ -0,0 +1,43 @@ +From a454850a815e62fa5d7c1eded0e8d56742613b94 Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Wed, 21 Jun 2023 17:09:58 -0600 +Subject: [PATCH] dt-bindings: phy: brcm,brcmstb-usb-phy: Fix error in "compatible" conditional schema +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: a454850a815e62fa5d7c1eded0e8d56742613b94 +Patch-mainline: v6.5-rc1 +References: git-fixes + +The conditional if/then schema has an error as the "enum" values have +"const" in them. Drop the "const". + +Signed-off-by: Rob Herring +Fixes: 46b616c1574d ("dt-bindings: phy: brcm, brcmstb-usb-phy: add BCM4908 binding") +Acked-by: Rafał Miłecki +Message-id: <20230621230958.3815818-1-robh@kernel.org> +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + .../devicetree/bindings/phy/brcm,brcmstb-usb-phy.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/devicetree/bindings/phy/brcm,brcmstb-usb-phy.yaml b/Documentation/devicetree/bindings/phy/brcm,brcmstb-usb-phy.yaml +index 43a4b880534c..580fbe37b37f 100644 +--- a/Documentation/devicetree/bindings/phy/brcm,brcmstb-usb-phy.yaml ++++ b/Documentation/devicetree/bindings/phy/brcm,brcmstb-usb-phy.yaml +@@ -115,8 +115,8 @@ allOf: + compatible: + contains: + enum: +- - const: brcm,bcm4908-usb-phy +- - const: brcm,brcmstb-usb-phy ++ - brcm,bcm4908-usb-phy ++ - brcm,brcmstb-usb-phy + then: + properties: + reg: +-- +2.35.3 + diff --git a/patches.suse/ext4-Fix-reusing-stale-buffer-heads-from-last-failed.patch b/patches.suse/ext4-Fix-reusing-stale-buffer-heads-from-last-failed.patch new file mode 100644 index 0000000..cadfcfd --- /dev/null +++ b/patches.suse/ext4-Fix-reusing-stale-buffer-heads-from-last-failed.patch @@ -0,0 +1,122 @@ +From 26fb5290240dc31cae99b8b4dd2af7f46dfcba6b Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Wed, 15 Mar 2023 09:31:23 +0800 +Subject: [PATCH] ext4: Fix reusing stale buffer heads from last failed + mounting +Git-commit: 26fb5290240dc31cae99b8b4dd2af7f46dfcba6b +Patch-mainline: v6.5-rc1 +References: bsc#1213020 + +Following process makes ext4 load stale buffer heads from last failed +mounting in a new mounting operation: +mount_bdev + ext4_fill_super + | ext4_load_and_init_journal + | ext4_load_journal + | jbd2_journal_load + | load_superblock + | journal_get_superblock + | set_buffer_verified(bh) // buffer head is verified + | jbd2_journal_recover // failed caused by EIO + | goto failed_mount3a // skip 'sb->s_root' initialization + deactivate_locked_super + kill_block_super + generic_shutdown_super + if (sb->s_root) + // false, skip ext4_put_super->invalidate_bdev-> + // invalidate_mapping_pages->mapping_evict_folio-> + // filemap_release_folio->try_to_free_buffers, which + // cannot drop buffer head. + blkdev_put + blkdev_put_whole + if (atomic_dec_and_test(&bdev->bd_openers)) + // false, systemd-udev happens to open the device. Then + // blkdev_flush_mapping->kill_bdev->truncate_inode_pages-> + // truncate_inode_folio->truncate_cleanup_folio-> + // folio_invalidate->block_invalidate_folio-> + // filemap_release_folio->try_to_free_buffers will be skipped, + // dropping buffer head is missed again. + +Second mount: +ext4_fill_super + ext4_load_and_init_journal + ext4_load_journal + ext4_get_journal + jbd2_journal_init_inode + journal_init_common + bh = getblk_unmovable + bh = __find_get_block // Found stale bh in last failed mounting + journal->j_sb_buffer = bh + jbd2_journal_load + load_superblock + journal_get_superblock + if (buffer_verified(bh)) + // true, skip journal->j_format_version = 2, value is 0 + jbd2_journal_recover + do_one_pass + next_log_block += count_tags(journal, bh) + // According to journal_tag_bytes(), 'tag_bytes' calculating is + // affected by jbd2_has_feature_csum3(), jbd2_has_feature_csum3() + // returns false because 'j->j_format_version >= 2' is not true, + // then we get wrong next_log_block. The do_one_pass may exit + // early whenoccuring non JBD2_MAGIC_NUMBER in 'next_log_block'. + +The filesystem is corrupted here, journal is partially replayed, and +new journal sequence number actually is already used by last mounting. + +The invalidate_bdev() can drop all buffer heads even racing with bare +reading block device(eg. systemd-udev), so we can fix it by invalidating +bdev in error handling path in __ext4_fill_super(). + +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217171 +Fixes: 25ed6e8a54df ("jbd2: enable journal clients to enable v2 checksumming") +Cc: stable@vger.kernel.org # v3.5 +Signed-off-by: Zhihao Cheng +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230315013128.3911115-2-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/super.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1096,6 +1096,12 @@ static void ext4_blkdev_remove(struct ex + struct block_device *bdev; + bdev = sbi->s_journal_bdev; + if (bdev) { ++ /* ++ * Invalidate the journal device's buffers. We don't want them ++ * floating about in memory - the physical journal device may ++ * hotswapped, and it breaks the `ro-after' testing code. ++ */ ++ invalidate_bdev(bdev); + ext4_blkdev_put(bdev); + sbi->s_journal_bdev = NULL; + } +@@ -1233,13 +1239,7 @@ static void ext4_put_super(struct super_ + sync_blockdev(sb->s_bdev); + invalidate_bdev(sb->s_bdev); + if (sbi->s_journal_bdev && sbi->s_journal_bdev != sb->s_bdev) { +- /* +- * Invalidate the journal device's buffers. We don't want them +- * floating about in memory - the physical journal device may +- * hotswapped, and it breaks the `ro-after' testing code. +- */ + sync_blockdev(sbi->s_journal_bdev); +- invalidate_bdev(sbi->s_journal_bdev); + ext4_blkdev_remove(sbi); + } + +@@ -5256,6 +5256,7 @@ failed_mount: + brelse(bh); + ext4_blkdev_remove(sbi); + out_fail: ++ invalidate_bdev(sb->s_bdev); + sb->s_fs_info = NULL; + kfree(sbi->s_blockgroup_lock); + out_free_base: diff --git a/patches.suse/ext4-add-EA_INODE-checking-to-ext4_iget.patch b/patches.suse/ext4-add-EA_INODE-checking-to-ext4_iget.patch new file mode 100644 index 0000000..c24ffc4 --- /dev/null +++ b/patches.suse/ext4-add-EA_INODE-checking-to-ext4_iget.patch @@ -0,0 +1,179 @@ +From b3e6bcb94590dea45396b9481e47b809b1be4afa Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 23 May 2023 23:49:48 -0400 +Subject: [PATCH] ext4: add EA_INODE checking to ext4_iget() +Git-commit: b3e6bcb94590dea45396b9481e47b809b1be4afa +Patch-mainline: v6.4-rc5 +References: bsc#1213106 + +Add a new flag, EXT4_IGET_EA_INODE which indicates whether the inode +is expected to have the EA_INODE flag or not. If the flag is not +set/clear as expected, then fail the iget() operation and mark the +file system as corrupted. + +This commit also makes the ext4_iget() always perform the +is_bad_inode() check even when the inode is already inode cache. This +allows us to remove the is_bad_inode() check from the callers of +ext4_iget() in the ea_inode code. + +Reported-by: syzbot+cbb68193bdb95af4340a@syzkaller.appspotmail.com +Reported-by: syzbot+62120febbd1ee3c3c860@syzkaller.appspotmail.com +Reported-by: syzbot+edce54daffee36421b4c@syzkaller.appspotmail.com +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20230524034951.779531-2-tytso@mit.edu +Acked-by: Jan Kara + +--- + fs/ext4/ext4.h | 3 ++- + fs/ext4/inode.c | 31 ++++++++++++++++++++++++++----- + fs/ext4/xattr.c | 36 +++++++----------------------------- + 3 files changed, 35 insertions(+), 35 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2976,7 +2976,8 @@ typedef enum { + EXT4_IGET_NORMAL = 0, + EXT4_IGET_SPECIAL = 0x0001, /* OK to iget a system inode */ + EXT4_IGET_HANDLE = 0x0002, /* Inode # is from a handle */ +- EXT4_IGET_BAD = 0x0004 /* Allow to iget a bad inode */ ++ EXT4_IGET_BAD = 0x0004, /* Allow to iget a bad inode */ ++ EXT4_IGET_EA_INODE = 0x0008 /* Inode should contain an EA value */ + } ext4_iget_flags; + + extern struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4635,6 +4635,21 @@ static inline u64 ext4_inode_peek_iversi + return inode_peek_iversion(inode); + } + ++static const char *check_igot_inode(struct inode *inode, ext4_iget_flags flags) ++ ++{ ++ if (flags & EXT4_IGET_EA_INODE) { ++ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) ++ return "missing EA_INODE flag"; ++ } else { ++ if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) ++ return "unexpected EA_INODE flag"; ++ } ++ if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) ++ return "unexpected bad inode w/o EXT4_IGET_BAD"; ++ return NULL; ++} ++ + struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + ext4_iget_flags flags, const char *function, + unsigned int line) +@@ -4643,6 +4658,7 @@ struct inode *__ext4_iget(struct super_b + struct ext4_inode *raw_inode; + struct ext4_inode_info *ei; + struct inode *inode; ++ const char *err_str; + journal_t *journal = EXT4_SB(sb)->s_journal; + long ret; + loff_t size; +@@ -4666,8 +4682,14 @@ struct inode *__ext4_iget(struct super_b + inode = iget_locked(sb, ino); + if (!inode) + return ERR_PTR(-ENOMEM); +- if (!(inode->i_state & I_NEW)) ++ if (!(inode->i_state & I_NEW)) { ++ if ((err_str = check_igot_inode(inode, flags)) != NULL) { ++ ext4_error_inode(inode, function, line, 0, err_str); ++ iput(inode); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + return inode; ++ } + + ei = EXT4_I(inode); + iloc.bh = NULL; +@@ -4936,10 +4958,9 @@ struct inode *__ext4_iget(struct super_b + if (IS_CASEFOLDED(inode) && !ext4_has_feature_casefold(inode->i_sb)) + ext4_error_inode(inode, function, line, 0, + "casefold flag without casefold feature"); +- if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) { +- ext4_error_inode(inode, function, line, 0, +- "bad inode without EXT4_IGET_BAD flag"); +- ret = -EUCLEAN; ++ if ((err_str = check_igot_inode(inode, flags)) != NULL) { ++ ext4_error_inode(inode, function, line, 0, err_str); ++ ret = -EFSCORRUPTED; + goto bad_inode; + } + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -397,7 +397,7 @@ static int ext4_xattr_inode_iget(struct + return -EFSCORRUPTED; + } + +- inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_NORMAL); ++ inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_EA_INODE); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); + ext4_error(parent->i_sb, +@@ -405,23 +405,6 @@ static int ext4_xattr_inode_iget(struct + err); + return err; + } +- +- if (is_bad_inode(inode)) { +- ext4_error(parent->i_sb, +- "error while reading EA inode %lu is_bad_inode", +- ea_ino); +- err = -EIO; +- goto error; +- } +- +- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) { +- ext4_error(parent->i_sb, +- "EA inode %lu does not have EXT4_EA_INODE_FL flag", +- ea_ino); +- err = -EINVAL; +- goto error; +- } +- + ext4_xattr_inode_set_class(inode); + + /* +@@ -442,9 +425,6 @@ static int ext4_xattr_inode_iget(struct + + *ea_inode = inode; + return 0; +-error: +- iput(inode); +- return err; + } + + /* Remove entry from mbcache when EA inode is getting evicted */ +@@ -1507,11 +1487,10 @@ ext4_xattr_inode_cache_find(struct inode + + while (ce) { + ea_inode = ext4_iget(inode->i_sb, ce->e_value, +- EXT4_IGET_NORMAL); +- if (!IS_ERR(ea_inode) && +- !is_bad_inode(ea_inode) && +- (EXT4_I(ea_inode)->i_flags & EXT4_EA_INODE_FL) && +- i_size_read(ea_inode) == value_len && ++ EXT4_IGET_EA_INODE); ++ if (IS_ERR(ea_inode)) ++ goto next_entry; ++ if (i_size_read(ea_inode) == value_len && + !ext4_xattr_inode_read(ea_inode, ea_data, value_len) && + !ext4_xattr_inode_verify_hashes(ea_inode, NULL, ea_data, + value_len) && +@@ -1521,9 +1500,8 @@ ext4_xattr_inode_cache_find(struct inode + kvfree(ea_data); + return ea_inode; + } +- +- if (!IS_ERR(ea_inode)) +- iput(ea_inode); ++ iput(ea_inode); ++ next_entry: + ce = mb_cache_entry_find_next(ea_inode_cache, ce); + } + kvfree(ea_data); diff --git a/patches.suse/ext4-add-ext4_sb_block_valid-refactored-out-of-ext4_.patch b/patches.suse/ext4-add-ext4_sb_block_valid-refactored-out-of-ext4_.patch new file mode 100644 index 0000000..0ca192a --- /dev/null +++ b/patches.suse/ext4-add-ext4_sb_block_valid-refactored-out-of-ext4_.patch @@ -0,0 +1,92 @@ +From 6bc6c2bdf1baca6522b8d9ba976257d722423085 Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Wed, 16 Feb 2022 12:32:49 +0530 +Subject: [PATCH] ext4: add ext4_sb_block_valid() refactored out of + ext4_inode_block_valid() +Git-commit: 6bc6c2bdf1baca6522b8d9ba976257d722423085 +Patch-mainline: v5.18-rc1 +References: bsc#1213088 + +This API will be needed at places where we don't have an inode +for e.g. while freeing blocks in ext4_group_add_blocks() + +Suggested-by: Jan Kara +Signed-off-by: Ritesh Harjani +Link: https://lore.kernel.org/r/dd34a236543ad5ae7123eeebe0cb69e6bdd44f34.1644992610.git.riteshh@linux.ibm.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/block_validity.c | 26 +++++++++++++++++--------- + fs/ext4/ext4.h | 3 +++ + 2 files changed, 20 insertions(+), 9 deletions(-) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index 4666b55b736e..5504f72bbbbe 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -292,15 +292,10 @@ void ext4_release_system_zone(struct super_block *sb) + call_rcu(&system_blks->rcu, ext4_destroy_system_zone); + } + +-/* +- * Returns 1 if the passed-in block region (start_blk, +- * start_blk+count) is valid; 0 if some part of the block region +- * overlaps with some other filesystem metadata blocks. +- */ +-int ext4_inode_block_valid(struct inode *inode, ext4_fsblk_t start_blk, +- unsigned int count) ++int ext4_sb_block_valid(struct super_block *sb, struct inode *inode, ++ ext4_fsblk_t start_blk, unsigned int count) + { +- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + struct ext4_system_blocks *system_blks; + struct ext4_system_zone *entry; + struct rb_node *n; +@@ -329,7 +324,9 @@ int ext4_inode_block_valid(struct inode *inode, ext4_fsblk_t start_blk, + else if (start_blk >= (entry->start_blk + entry->count)) + n = n->rb_right; + else { +- ret = (entry->ino == inode->i_ino); ++ ret = 0; ++ if (inode) ++ ret = (entry->ino == inode->i_ino); + break; + } + } +@@ -338,6 +335,17 @@ int ext4_inode_block_valid(struct inode *inode, ext4_fsblk_t start_blk, + return ret; + } + ++/* ++ * Returns 1 if the passed-in block region (start_blk, ++ * start_blk+count) is valid; 0 if some part of the block region ++ * overlaps with some other filesystem metadata blocks. ++ */ ++int ext4_inode_block_valid(struct inode *inode, ext4_fsblk_t start_blk, ++ unsigned int count) ++{ ++ return ext4_sb_block_valid(inode->i_sb, inode, start_blk, count); ++} ++ + int ext4_check_blockref(const char *function, unsigned int line, + struct inode *inode, __le32 *p, unsigned int max) + { +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 97c85ae185a9..0d4f284c0514 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -3707,6 +3707,9 @@ extern int ext4_inode_block_valid(struct inode *inode, + unsigned int count); + extern int ext4_check_blockref(const char *, unsigned int, + struct inode *, __le32 *, unsigned int); ++extern int ext4_sb_block_valid(struct super_block *sb, struct inode *inode, ++ ext4_fsblk_t start_blk, unsigned int count); ++ + + /* extents.c */ + struct ext4_ext_path; +-- +2.35.3 + diff --git a/patches.suse/ext4-add-lockdep-annotations-for-i_data_sem-for-ea_i.patch b/patches.suse/ext4-add-lockdep-annotations-for-i_data_sem-for-ea_i.patch new file mode 100644 index 0000000..7cf6d0a --- /dev/null +++ b/patches.suse/ext4-add-lockdep-annotations-for-i_data_sem-for-ea_i.patch @@ -0,0 +1,63 @@ +From aff3bea95388299eec63440389b4545c8041b357 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 23 May 2023 23:49:51 -0400 +Subject: [PATCH] ext4: add lockdep annotations for i_data_sem for ea_inode's +Git-commit: aff3bea95388299eec63440389b4545c8041b357 +Patch-mainline: v6.4-rc5 +References: bsc#1213109 + +Treat i_data_sem for ea_inodes as being in their own lockdep class to +avoid lockdep complaints about ext4_setattr's use of inode_lock() on +normal inodes potentially causing lock ordering with i_data_sem on +ea_inodes in ext4_xattr_inode_write(). However, ea_inodes will be +operated on by ext4_setattr(), so this isn't a problem. + +Cc: stable@kernel.org +Link: https://syzkaller.appspot.com/bug?extid=298c5d8fb4a128bc27b0 +Reported-by: syzbot+298c5d8fb4a128bc27b0@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20230524034951.779531-5-tytso@mit.edu +Acked-by: Jan Kara + +--- + fs/ext4/ext4.h | 2 ++ + fs/ext4/xattr.c | 4 ++++ + 2 files changed, 6 insertions(+) + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 9525c52b78dc..8104a21b001a 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -918,11 +918,13 @@ do { \ + * where the second inode has larger inode number + * than the first + * I_DATA_SEM_QUOTA - Used for quota inodes only ++ * I_DATA_SEM_EA - Used for ea_inodes only + */ + enum { + I_DATA_SEM_NORMAL = 0, + I_DATA_SEM_OTHER, + I_DATA_SEM_QUOTA, ++ I_DATA_SEM_EA + }; + + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index ff7ab63c5b4f..13d7f17a9c8c 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -121,7 +121,11 @@ ext4_expand_inode_array(struct ext4_xattr_inode_array **ea_inode_array, + #ifdef CONFIG_LOCKDEP + void ext4_xattr_inode_set_class(struct inode *ea_inode) + { ++ struct ext4_inode_info *ei = EXT4_I(ea_inode); ++ + lockdep_set_subclass(&ea_inode->i_rwsem, 1); ++ (void) ei; /* shut up clang warning if !CONFIG_LOCKDEP */ ++ lockdep_set_subclass(&ei->i_data_sem, I_DATA_SEM_EA); + } + #endif + +-- +2.35.3 + diff --git a/patches.suse/ext4-add-strict-range-checks-while-freeing-blocks.patch b/patches.suse/ext4-add-strict-range-checks-while-freeing-blocks.patch new file mode 100644 index 0000000..177d0f9 --- /dev/null +++ b/patches.suse/ext4-add-strict-range-checks-while-freeing-blocks.patch @@ -0,0 +1,70 @@ +From a00b482b82fb098956a5bed22bd7873e56f152f1 Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Wed, 16 Feb 2022 12:32:50 +0530 +Subject: [PATCH] ext4: add strict range checks while freeing blocks +Git-commit: a00b482b82fb098956a5bed22bd7873e56f152f1 +Patch-mainline: v5.18-rc1 +References: bsc#1213089 + +Currently ext4_mb_clear_bb() & ext4_group_add_blocks() only checks +whether the given block ranges (which is to be freed) belongs to any FS +metadata blocks or not, of the block's respective block group. +But to detect any FS error early, it is better to add more strict +checkings in those functions which checks whether the given blocks +belongs to any critical FS metadata or not within system-zone. + +Suggested-by: Jan Kara +Signed-off-by: Ritesh Harjani +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/ddd9143d064774e32d6364a99667817c6e8bfdc0.1644992610.git.riteshh@linux.ibm.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/mballoc.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index bb3cfcd545ce..0a95bdb1e07b 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5930,13 +5930,7 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode, + goto error_return; + } + +- if (in_range(ext4_block_bitmap(sb, gdp), block, count) || +- in_range(ext4_inode_bitmap(sb, gdp), block, count) || +- in_range(block, ext4_inode_table(sb, gdp), +- sbi->s_itb_per_group) || +- in_range(block + count - 1, ext4_inode_table(sb, gdp), +- sbi->s_itb_per_group)) { +- ++ if (!ext4_inode_block_valid(inode, block, count)) { + ext4_error(sb, "Freeing blocks in system zone - " + "Block = %llu, count = %lu", block, count); + /* err = 0. ext4_std_error should be a no op */ +@@ -6007,7 +6001,7 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode, + NULL); + if (err && err != -EOPNOTSUPP) + ext4_msg(sb, KERN_WARNING, "discard request in" +- " group:%d block:%d count:%lu failed" ++ " group:%u block:%d count:%lu failed" + " with %d", block_group, bit, count, + err); + } else +@@ -6220,11 +6214,7 @@ int ext4_group_add_blocks(handle_t *handle, struct super_block *sb, + goto error_return; + } + +- if (in_range(ext4_block_bitmap(sb, desc), block, count) || +- in_range(ext4_inode_bitmap(sb, desc), block, count) || +- in_range(block, ext4_inode_table(sb, desc), sbi->s_itb_per_group) || +- in_range(block + count - 1, ext4_inode_table(sb, desc), +- sbi->s_itb_per_group)) { ++ if (!ext4_sb_block_valid(sb, NULL, block, count)) { + ext4_error(sb, "Adding blocks in system zones - " + "Block = %llu, count = %lu", + block, count); +-- +2.35.3 + diff --git a/patches.suse/ext4-avoid-deadlock-in-fs-reclaim-with-page-writebac.patch b/patches.suse/ext4-avoid-deadlock-in-fs-reclaim-with-page-writebac.patch new file mode 100644 index 0000000..ed74204 --- /dev/null +++ b/patches.suse/ext4-avoid-deadlock-in-fs-reclaim-with-page-writebac.patch @@ -0,0 +1,232 @@ +From 00d873c17e29cc32d90ca852b82685f1673acaa5 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 4 May 2023 14:47:23 +0200 +Subject: [PATCH] ext4: avoid deadlock in fs reclaim with page writeback +Git-commit: 00d873c17e29cc32d90ca852b82685f1673acaa5 +Patch-mainline: v6.4-rc2 +References: bsc#1213016 + +Ext4 has a filesystem wide lock protecting ext4_writepages() calls to +avoid races with switching of journalled data flag or inode format. This +lock can however cause a deadlock like: + +CPU0 CPU1 + +ext4_writepages() + percpu_down_read(sbi->s_writepages_rwsem); + ext4_change_inode_journal_flag() + percpu_down_write(sbi->s_writepages_rwsem); + - blocks, all readers block from now on + ext4_do_writepages() + ext4_init_io_end() + kmem_cache_zalloc(io_end_cachep, GFP_KERNEL) + fs_reclaim frees dentry... + dentry_unlink_inode() + iput() - last ref => + iput_final() - inode dirty => + write_inode_now()... + ext4_writepages() tries to acquire sbi->s_writepages_rwsem + and blocks forever + +Make sure we cannot recurse into filesystem reclaim from writeback code +to avoid the deadlock. + +Reported-by: syzbot+6898da502aef574c5f8a@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/0000000000004c66b405fa108e27@google.com +Fixes: c8585c6fcaf2 ("ext4: fix races between changing inode journal mode and ext4_writepages") +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20230504124723.20205-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/ext4.h | 25 +++++++++++++++++++++++++ + fs/ext4/inode.c | 18 ++++++++++-------- + fs/ext4/migrate.c | 11 ++++++----- + 3 files changed, 41 insertions(+), 13 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + #ifdef __KERNEL__ + #include + #endif +@@ -1720,6 +1721,30 @@ static inline struct ext4_inode_info *EX + return container_of(inode, struct ext4_inode_info, vfs_inode); + } + ++static inline int ext4_writepages_down_read(struct super_block *sb) ++{ ++ percpu_down_read(&EXT4_SB(sb)->s_writepages_rwsem); ++ return memalloc_nofs_save(); ++} ++ ++static inline void ext4_writepages_up_read(struct super_block *sb, int ctx) ++{ ++ memalloc_nofs_restore(ctx); ++ percpu_up_read(&EXT4_SB(sb)->s_writepages_rwsem); ++} ++ ++static inline int ext4_writepages_down_write(struct super_block *sb) ++{ ++ percpu_down_write(&EXT4_SB(sb)->s_writepages_rwsem); ++ return memalloc_nofs_save(); ++} ++ ++static inline void ext4_writepages_up_write(struct super_block *sb, int ctx) ++{ ++ memalloc_nofs_restore(ctx); ++ percpu_up_write(&EXT4_SB(sb)->s_writepages_rwsem); ++} ++ + static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) + { + return ino == EXT4_ROOT_INO || +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2668,11 +2668,12 @@ static int ext4_writepages(struct addres + struct ext4_sb_info *sbi = EXT4_SB(mapping->host->i_sb); + struct blk_plug plug; + bool give_up_on_write = false; ++ int alloc_ctx; + + if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb)))) + return -EIO; + +- percpu_down_read(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_read(inode->i_sb); + trace_ext4_writepages(inode, wbc); + + /* +@@ -2882,7 +2883,7 @@ unplug: + out_writepages: + trace_ext4_writepages_result(inode, wbc, ret, + nr_to_write - wbc->nr_to_write); +- percpu_up_read(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_read(inode->i_sb, alloc_ctx); + return ret; + } + +@@ -2893,17 +2894,18 @@ static int ext4_dax_writepages(struct ad + long nr_to_write = wbc->nr_to_write; + struct inode *inode = mapping->host; + struct ext4_sb_info *sbi = EXT4_SB(mapping->host->i_sb); ++ int alloc_ctx; + + if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb)))) + return -EIO; + +- percpu_down_read(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_read(inode->i_sb); + trace_ext4_writepages(inode, wbc); + + ret = dax_writeback_mapping_range(mapping, sbi->s_daxdev, wbc); + trace_ext4_writepages_result(inode, wbc, ret, + nr_to_write - wbc->nr_to_write); +- percpu_up_read(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_read(inode->i_sb, alloc_ctx); + return ret; + } + +@@ -6008,7 +6010,7 @@ int ext4_change_inode_journal_flag(struc + journal_t *journal; + handle_t *handle; + int err; +- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); ++ int alloc_ctx; + + /* + * We have to be very careful here: changing a data block's +@@ -6046,7 +6048,7 @@ int ext4_change_inode_journal_flag(struc + } + } + +- percpu_down_write(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_write(inode->i_sb); + jbd2_journal_lock_updates(journal); + + /* +@@ -6063,7 +6065,7 @@ int ext4_change_inode_journal_flag(struc + err = jbd2_journal_flush(journal, 0); + if (err < 0) { + jbd2_journal_unlock_updates(journal); +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + return err; + } + ext4_clear_inode_flag(inode, EXT4_INODE_JOURNAL_DATA); +@@ -6071,7 +6073,7 @@ int ext4_change_inode_journal_flag(struc + ext4_set_aops(inode); + + jbd2_journal_unlock_updates(journal); +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + + if (val) + filemap_invalidate_unlock(inode->i_mapping); +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -409,7 +409,6 @@ static int free_ext_block(handle_t *hand + + int ext4_ext_migrate(struct inode *inode) + { +- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + handle_t *handle; + int retval = 0, i; + __le32 *i_data; +@@ -419,6 +418,7 @@ int ext4_ext_migrate(struct inode *inode + unsigned long max_entries; + __u32 goal, tmp_csum_seed; + uid_t owner[2]; ++ int alloc_ctx; + + /* + * If the filesystem does not support extents, or the inode +@@ -435,7 +435,7 @@ int ext4_ext_migrate(struct inode *inode + */ + return retval; + +- percpu_down_write(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_write(inode->i_sb); + + /* + * Worst case we can touch the allocation bitmaps and a block +@@ -587,7 +587,7 @@ out_tmp_inode: + unlock_new_inode(tmp_inode); + iput(tmp_inode); + out_unlock: +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + return retval; + } + +@@ -606,6 +606,7 @@ int ext4_ind_migrate(struct inode *inode + ext4_fsblk_t blk; + handle_t *handle; + int ret, ret2 = 0; ++ int alloc_ctx; + + if (!ext4_has_feature_extents(inode->i_sb) || + (!ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) +@@ -622,7 +623,7 @@ int ext4_ind_migrate(struct inode *inode + if (test_opt(inode->i_sb, DELALLOC)) + ext4_alloc_da_blocks(inode); + +- percpu_down_write(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_write(inode->i_sb); + + handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, 1); + if (IS_ERR(handle)) { +@@ -666,6 +667,6 @@ errout: + ext4_journal_stop(handle); + up_write(&EXT4_I(inode)->i_data_sem); + out_unlock: +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + return ret; + } diff --git a/patches.suse/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-.patch b/patches.suse/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-.patch new file mode 100644 index 0000000..5f38515 --- /dev/null +++ b/patches.suse/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-.patch @@ -0,0 +1,36 @@ +From 2a534e1d0d1591e951f9ece2fb460b2ff92edabd Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 12 May 2023 15:16:27 -0400 +Subject: [PATCH] ext4: bail out of ext4_xattr_ibody_get() fails for any reason +Git-commit: 2a534e1d0d1591e951f9ece2fb460b2ff92edabd +Patch-mainline: v6.4-rc2 +References: bsc#1213018 + +In ext4_update_inline_data(), if ext4_xattr_ibody_get() fails for any +reason, it's best if we just fail as opposed to stumbling on, +especially if the failure is EFSCORRUPTED. + +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index f47adb284e90..5854bd5a3352 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -360,7 +360,7 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode, + + error = ext4_xattr_ibody_get(inode, i.name_index, i.name, + value, len); +- if (error == -ENODATA) ++ if (error < 0) + goto out; + + BUFFER_TRACE(is.iloc.bh, "get_write_access"); +-- +2.35.3 + diff --git a/patches.suse/ext4-block-range-must-be-validated-before-use-in-ext.patch b/patches.suse/ext4-block-range-must-be-validated-before-use-in-ext.patch new file mode 100644 index 0000000..23ff1ab --- /dev/null +++ b/patches.suse/ext4-block-range-must-be-validated-before-use-in-ext.patch @@ -0,0 +1,148 @@ +From 1e1c2b86ef86a8477fd9b9a4f48a6bfe235606f6 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Thu, 14 Jul 2022 18:59:03 +0200 +Subject: [PATCH] ext4: block range must be validated before use in + ext4_mb_clear_bb() +Git-commit: 1e1c2b86ef86a8477fd9b9a4f48a6bfe235606f6 +Patch-mainline: v6.0-rc1 +References: bsc#1213090 + +Block range to free is validated in ext4_free_blocks() using +ext4_inode_block_valid() and then it's passed to ext4_mb_clear_bb(). +However in some situations on bigalloc file system the range might be +adjusted after the validation in ext4_free_blocks() which can lead to +troubles on corrupted file systems such as one found by syzkaller that +resulted in the following BUG + +kernel BUG at fs/ext4/ext4.h:3319! +PREEMPT SMP NOPTI +Cpu: 28 PID: 4243 Comm: repro Kdump: loaded Not tainted 5.19.0-rc6+ #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1.fc35 04/01/2014 +Rip: 0010:ext4_free_blocks+0x95e/0xa90 +Call Trace: + + ? lock_timer_base+0x61/0x80 + ? __es_remove_extent+0x5a/0x760 + ? __mod_timer+0x256/0x380 + ? ext4_ind_truncate_ensure_credits+0x90/0x220 + ext4_clear_blocks+0x107/0x1b0 + ext4_free_data+0x15b/0x170 + ext4_ind_truncate+0x214/0x2c0 + ? _raw_spin_unlock+0x15/0x30 + ? ext4_discard_preallocations+0x15a/0x410 + ? ext4_journal_check_start+0xe/0x90 + ? __ext4_journal_start_sb+0x2f/0x110 + ext4_truncate+0x1b5/0x460 + ? __ext4_journal_start_sb+0x2f/0x110 + ext4_evict_inode+0x2b4/0x6f0 + evict+0xd0/0x1d0 + ext4_enable_quotas+0x11f/0x1f0 + ext4_orphan_cleanup+0x3de/0x430 + ? proc_create_seq_private+0x43/0x50 + ext4_fill_super+0x295f/0x3ae0 + ? snprintf+0x39/0x40 + ? sget_fc+0x19c/0x330 + ? ext4_reconfigure+0x850/0x850 + get_tree_bdev+0x16d/0x260 + vfs_get_tree+0x25/0xb0 + path_mount+0x431/0xa70 + __x64_sys_mount+0xe2/0x120 + do_syscall_64+0x5b/0x80 + ? do_user_addr_fault+0x1e2/0x670 + ? exc_page_fault+0x70/0x170 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 +Rip: 0033:0x7fdf4e512ace + +Fix it by making sure that the block range is properly validated before +used every time it changes in ext4_free_blocks() or ext4_mb_clear_bb(). + +Link: https://syzkaller.appspot.com/bug?id=5266d464285a03cee9dbfda7d2452a72c3c2ae7c +Reported-by: syzbot+15cd994e273307bf5cfa@syzkaller.appspotmail.com +Signed-off-by: Lukas Czerner +Cc: Tadeusz Struk +Tested-by: Tadeusz Struk +Link: https://lore.kernel.org/r/20220714165903.58260-1-lczerner@redhat.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/mballoc.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index b02f71f07289..bd8f8b5c3d30 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5934,6 +5934,15 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode, + + sbi = EXT4_SB(sb); + ++ if (!(flags & EXT4_FREE_BLOCKS_VALIDATED) && ++ !ext4_inode_block_valid(inode, block, count)) { ++ ext4_error(sb, "Freeing blocks in system zone - " ++ "Block = %llu, count = %lu", block, count); ++ /* err = 0. ext4_std_error should be a no op */ ++ goto error_return; ++ } ++ flags |= EXT4_FREE_BLOCKS_VALIDATED; ++ + do_more: + overflow = 0; + ext4_get_group_no_and_offset(sb, block, &block_group, &bit); +@@ -5950,6 +5959,8 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode, + overflow = EXT4_C2B(sbi, bit) + count - + EXT4_BLOCKS_PER_GROUP(sb); + count -= overflow; ++ /* The range changed so it's no longer validated */ ++ flags &= ~EXT4_FREE_BLOCKS_VALIDATED; + } + count_clusters = EXT4_NUM_B2C(sbi, count); + bitmap_bh = ext4_read_block_bitmap(sb, block_group); +@@ -5964,7 +5975,8 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode, + goto error_return; + } + +- if (!ext4_inode_block_valid(inode, block, count)) { ++ if (!(flags & EXT4_FREE_BLOCKS_VALIDATED) && ++ !ext4_inode_block_valid(inode, block, count)) { + ext4_error(sb, "Freeing blocks in system zone - " + "Block = %llu, count = %lu", block, count); + /* err = 0. ext4_std_error should be a no op */ +@@ -6087,6 +6099,8 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode, + block += count; + count = overflow; + put_bh(bitmap_bh); ++ /* The range changed so it's no longer validated */ ++ flags &= ~EXT4_FREE_BLOCKS_VALIDATED; + goto do_more; + } + error_return: +@@ -6133,6 +6147,7 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode, + "block = %llu, count = %lu", block, count); + return; + } ++ flags |= EXT4_FREE_BLOCKS_VALIDATED; + + ext4_debug("freeing block %llu\n", block); + trace_ext4_free_blocks(inode, block, count, flags); +@@ -6164,6 +6179,8 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode, + block -= overflow; + count += overflow; + } ++ /* The range changed so it's no longer validated */ ++ flags &= ~EXT4_FREE_BLOCKS_VALIDATED; + } + overflow = EXT4_LBLK_COFF(sbi, count); + if (overflow) { +@@ -6174,6 +6191,8 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode, + return; + } else + count += sbi->s_cluster_ratio - overflow; ++ /* The range changed so it's no longer validated */ ++ flags &= ~EXT4_FREE_BLOCKS_VALIDATED; + } + + if (!bh && (flags & EXT4_FREE_BLOCKS_FORGET)) { +-- +2.35.3 + diff --git a/patches.suse/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-.patch b/patches.suse/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-.patch new file mode 100644 index 0000000..46b3009 --- /dev/null +++ b/patches.suse/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-.patch @@ -0,0 +1,45 @@ +From fa83c34e3e56b3c672af38059e066242655271b1 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Fri, 5 May 2023 21:24:29 +0800 +Subject: [PATCH] ext4: check iomap type only if ext4_iomap_begin() does not + fail +Git-commit: fa83c34e3e56b3c672af38059e066242655271b1 +Patch-mainline: v6.4-rc2 +References: bsc#1213103 + +When ext4_iomap_overwrite_begin() calls ext4_iomap_begin() map blocks may +fail for some reason (e.g. memory allocation failure, bare disk write), and +later because "iomap->type ! = IOMAP_MAPPED" triggers WARN_ON(). When ext4 +iomap_begin() returns an error, it is normal that the type of iomap->type +may not match the expectation. Therefore, we only determine if iomap->type +is as expected when ext4_iomap_begin() is executed successfully. + +Cc: stable@kernel.org +Reported-by: syzbot+08106c4b7d60702dbc14@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/00000000000015760b05f9b4eee9@google.com +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230505132429.714648-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 3cb774d9e3f1..ce5f21b6c2b3 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3377,7 +3377,7 @@ static int ext4_iomap_overwrite_begin(struct inode *inode, loff_t offset, + */ + flags &= ~IOMAP_WRITE; + ret = ext4_iomap_begin(inode, offset, length, flags, iomap, srcmap); +- WARN_ON_ONCE(iomap->type != IOMAP_MAPPED); ++ WARN_ON_ONCE(!ret && iomap->type != IOMAP_MAPPED); + return ret; + } + +-- +2.35.3 + diff --git a/patches.suse/ext4-disallow-ea_inodes-with-extended-attributes.patch b/patches.suse/ext4-disallow-ea_inodes-with-extended-attributes.patch new file mode 100644 index 0000000..6bdcc7e --- /dev/null +++ b/patches.suse/ext4-disallow-ea_inodes-with-extended-attributes.patch @@ -0,0 +1,39 @@ +From 2bc7e7c1a3bc9bd0cbf0f71006f6fe7ef24a00c2 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 23 May 2023 23:49:50 -0400 +Subject: [PATCH] ext4: disallow ea_inodes with extended attributes +Git-commit: 2bc7e7c1a3bc9bd0cbf0f71006f6fe7ef24a00c2 +Patch-mainline: v6.4-rc5 +References: bsc#1213108 + +An ea_inode stores the value of an extended attribute; it can not have +extended attributes itself, or this will cause recursive nightmares. +Add a check in ext4_iget() to make sure this is the case. + +Cc: stable@kernel.org +Reported-by: syzbot+e44749b6ba4d0434cd47@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20230524034951.779531-4-tytso@mit.edu +Acked-by: Jan Kara + +--- + fs/ext4/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 258f3cbed347..02de439bf1f0 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4647,6 +4647,9 @@ static const char *check_igot_inode(struct inode *inode, ext4_iget_flags flags) + if (flags & EXT4_IGET_EA_INODE) { + if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) + return "missing EA_INODE flag"; ++ if (ext4_test_inode_state(inode, EXT4_STATE_XATTR) || ++ EXT4_I(inode)->i_file_acl) ++ return "ea_inode with extended attributes"; + } else { + if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) + return "unexpected EA_INODE flag"; +-- +2.35.3 + diff --git a/patches.suse/ext4-fail-ext4_iget-if-special-inode-unallocated.patch b/patches.suse/ext4-fail-ext4_iget-if-special-inode-unallocated.patch new file mode 100644 index 0000000..687f288 --- /dev/null +++ b/patches.suse/ext4-fail-ext4_iget-if-special-inode-unallocated.patch @@ -0,0 +1,76 @@ +From 5cd740287ae5e3f9d1c46f5bfe8778972fd6d3fe Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Sat, 7 Jan 2023 11:21:25 +0800 +Subject: [PATCH] ext4: fail ext4_iget if special inode unallocated +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5cd740287ae5e3f9d1c46f5bfe8778972fd6d3fe +Patch-mainline: v6.3-rc1 +References: bsc#1213010 + +In ext4_fill_super(), EXT4_ORPHAN_FS flag is cleared after +ext4_orphan_cleanup() is executed. Therefore, when __ext4_iget() is +called to get an inode whose i_nlink is 0 when the flag exists, no error +is returned. If the inode is a special inode, a null pointer dereference +may occur. If the value of i_nlink is 0 for any inodes (except boot loader +inodes) got by using the EXT4_IGET_SPECIAL flag, the current file system +is corrupted. Therefore, make the ext4_iget() function return an error if +it gets such an abnormal special inode. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199179 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216541 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216539 +Reported-by: Luís Henriques +Suggested-by: Theodore Ts'o +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230107032126.4165860-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/inode.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 9df913bdb416..b65dadfe3b45 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4872,13 +4872,6 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + goto bad_inode; + raw_inode = ext4_raw_inode(&iloc); + +- if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { +- ext4_error_inode(inode, function, line, 0, +- "iget: root inode unallocated"); +- ret = -EFSCORRUPTED; +- goto bad_inode; +- } +- + if ((flags & EXT4_IGET_HANDLE) && + (raw_inode->i_links_count == 0) && (raw_inode->i_mode == 0)) { + ret = -ESTALE; +@@ -4951,11 +4944,16 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + * NeilBrown 1999oct15 + */ + if (inode->i_nlink == 0) { +- if ((inode->i_mode == 0 || ++ if ((inode->i_mode == 0 || flags & EXT4_IGET_SPECIAL || + !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS)) && + ino != EXT4_BOOT_LOADER_INO) { +- /* this inode is deleted */ +- ret = -ESTALE; ++ /* this inode is deleted or unallocated */ ++ if (flags & EXT4_IGET_SPECIAL) { ++ ext4_error_inode(inode, function, line, 0, ++ "iget: special inode unallocated"); ++ ret = -EFSCORRUPTED; ++ } else ++ ret = -ESTALE; + goto bad_inode; + } + /* The only unlinked inodes we let through here have +-- +2.35.3 + diff --git a/patches.suse/ext4-fix-WARNING-in-ext4_update_inline_data.patch b/patches.suse/ext4-fix-WARNING-in-ext4_update_inline_data.patch new file mode 100644 index 0000000..937b357 --- /dev/null +++ b/patches.suse/ext4-fix-WARNING-in-ext4_update_inline_data.patch @@ -0,0 +1,114 @@ +From 2b96b4a5d9443ca4cad58b0040be455803c05a42 Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Tue, 7 Mar 2023 09:52:53 +0800 +Subject: [PATCH] ext4: fix WARNING in ext4_update_inline_data +Git-commit: 2b96b4a5d9443ca4cad58b0040be455803c05a42 +Patch-mainline: v6.3-rc2 +References: bsc#1213012 + +Syzbot found the following issue: +EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none. + +Fscrypt: AES-256-CTS-CBC using implementation "cts-cbc-aes-aesni" +Fscrypt: AES-256-XTS using implementation "xts-aes-aesni" +Acked-by: Jan Kara + +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 5071 at mm/page_alloc.c:5525 __alloc_pages+0x30a/0x560 mm/page_alloc.c:5525 +Modules linked in: +CPU: 1 PID: 5071 Comm: syz-executor263 Not tainted 6.2.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +RIP: 0010:__alloc_pages+0x30a/0x560 mm/page_alloc.c:5525 +RSP: 0018:ffffc90003c2f1c0 EFLAGS: 00010246 +RAX: ffffc90003c2f220 RBX: 0000000000000014 RCX: 0000000000000000 +RDX: 0000000000000028 RSI: 0000000000000000 RDI: ffffc90003c2f248 +RBP: ffffc90003c2f2d8 R08: dffffc0000000000 R09: ffffc90003c2f220 +R10: fffff52000785e49 R11: 1ffff92000785e44 R12: 0000000000040d40 +R13: 1ffff92000785e40 R14: dffffc0000000000 R15: 1ffff92000785e3c +FS: 0000555556c0d300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f95d5e04138 CR3: 00000000793aa000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __alloc_pages_node include/linux/gfp.h:237 [inline] + alloc_pages_node include/linux/gfp.h:260 [inline] + __kmalloc_large_node+0x95/0x1e0 mm/slab_common.c:1113 + __do_kmalloc_node mm/slab_common.c:956 [inline] + __kmalloc+0xfe/0x190 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + kzalloc include/linux/slab.h:720 [inline] + ext4_update_inline_data+0x236/0x6b0 fs/ext4/inline.c:346 + ext4_update_inline_dir fs/ext4/inline.c:1115 [inline] + ext4_try_add_inline_entry+0x328/0x990 fs/ext4/inline.c:1307 + ext4_add_entry+0x5a4/0xeb0 fs/ext4/namei.c:2385 + ext4_add_nondir+0x96/0x260 fs/ext4/namei.c:2772 + ext4_create+0x36c/0x560 fs/ext4/namei.c:2817 + lookup_open fs/namei.c:3413 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x12ac/0x2dd0 fs/namei.c:3711 + do_filp_open+0x264/0x4f0 fs/namei.c:3741 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_openat fs/open.c:1342 [inline] + __se_sys_openat fs/open.c:1337 [inline] + __x64_sys_openat+0x243/0x290 fs/open.c:1337 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Above issue happens as follows: +ext4_iget + ext4_find_inline_data_nolock ->i_inline_off=164 i_inline_size=60 +ext4_try_add_inline_entry + __ext4_mark_inode_dirty + ext4_expand_extra_isize_ea ->i_extra_isize=32 s_want_extra_isize=44 + ext4_xattr_shift_entries + ->after shift i_inline_off is incorrect, actually is change to 176 +ext4_try_add_inline_entry + ext4_update_inline_dir + get_max_inline_xattr_value_size + if (EXT4_I(inode)->i_inline_off) + entry = (struct ext4_xattr_entry *)((void *)raw_inode + + EXT4_I(inode)->i_inline_off); + free += EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)); + ->As entry is incorrect, then 'free' may be negative + ext4_update_inline_data + value = kzalloc(len, GFP_NOFS); + -> len is unsigned int, maybe very large, then trigger warning when + 'kzalloc()' + +To resolve the above issue we need to update 'i_inline_off' after +'ext4_xattr_shift_entries()'. We do not need to set +EXT4_STATE_MAY_INLINE_DATA flag here, since ext4_mark_inode_dirty() +already sets this flag if needed. Setting EXT4_STATE_MAY_INLINE_DATA +when it is needed may trigger a BUG_ON in ext4_writepages(). + +Reported-by: syzbot+d30838395804afc2fa6f@syzkaller.appspotmail.com +Cc: stable@kernel.org +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230307015253.2232062-3-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o +--- + fs/ext4/xattr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 863c15388848..2a006e4db467 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2851,6 +2851,9 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize, + (void *)header, total_ino); + EXT4_I(inode)->i_extra_isize = new_extra_isize; + ++ if (ext4_has_inline_data(inode)) ++ error = ext4_find_inline_data_nolock(inode); ++ + cleanup: + if (error && (mnt_count != le16_to_cpu(sbi->s_es->s_mnt_count))) { + ext4_warning(inode->i_sb, "Unable to expand inode %lu. Delete some EAs or run e2fsck.", +-- +2.35.3 + diff --git a/patches.suse/ext4-fix-WARNING-in-mb_find_extent.patch b/patches.suse/ext4-fix-WARNING-in-mb_find_extent.patch new file mode 100644 index 0000000..cf63d78 --- /dev/null +++ b/patches.suse/ext4-fix-WARNING-in-mb_find_extent.patch @@ -0,0 +1,135 @@ +From fa08a7b61dff8a4df11ff1e84abfc214b487caf7 Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Mon, 16 Jan 2023 10:00:15 +0800 +Subject: [PATCH] ext4: fix WARNING in mb_find_extent +Git-commit: fa08a7b61dff8a4df11ff1e84abfc214b487caf7 +Patch-mainline: v6.4-rc2 +References: bsc#1213099 + +Syzbot found the following issue: + +Ext4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support! +EXT4-fs (loop0): orphan cleanup on readonly fs + +Acked-by: Jan Kara + +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 5067 at fs/ext4/mballoc.c:1869 mb_find_extent+0x8a1/0xe30 +Modules linked in: +CPU: 1 PID: 5067 Comm: syz-executor307 Not tainted 6.2.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +RIP: 0010:mb_find_extent+0x8a1/0xe30 fs/ext4/mballoc.c:1869 +RSP: 0018:ffffc90003c9e098 EFLAGS: 00010293 +RAX: ffffffff82405731 RBX: 0000000000000041 RCX: ffff8880783457c0 +RDX: 0000000000000000 RSI: 0000000000000041 RDI: 0000000000000040 +RBP: 0000000000000040 R08: ffffffff82405723 R09: ffffed10053c9402 +R10: ffffed10053c9402 R11: 1ffff110053c9401 R12: 0000000000000000 +R13: ffffc90003c9e538 R14: dffffc0000000000 R15: ffffc90003c9e2cc +FS: 0000555556665300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000056312f6796f8 CR3: 0000000022437000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ext4_mb_complex_scan_group+0x353/0x1100 fs/ext4/mballoc.c:2307 + ext4_mb_regular_allocator+0x1533/0x3860 fs/ext4/mballoc.c:2735 + ext4_mb_new_blocks+0xddf/0x3db0 fs/ext4/mballoc.c:5605 + ext4_ext_map_blocks+0x1868/0x6880 fs/ext4/extents.c:4286 + ext4_map_blocks+0xa49/0x1cc0 fs/ext4/inode.c:651 + ext4_getblk+0x1b9/0x770 fs/ext4/inode.c:864 + ext4_bread+0x2a/0x170 fs/ext4/inode.c:920 + ext4_quota_write+0x225/0x570 fs/ext4/super.c:7105 + write_blk fs/quota/quota_tree.c:64 [inline] + get_free_dqblk+0x34a/0x6d0 fs/quota/quota_tree.c:130 + do_insert_tree+0x26b/0x1aa0 fs/quota/quota_tree.c:340 + do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375 + do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375 + do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375 + dq_insert_tree fs/quota/quota_tree.c:401 [inline] + qtree_write_dquot+0x3b6/0x530 fs/quota/quota_tree.c:420 + v2_write_dquot+0x11b/0x190 fs/quota/quota_v2.c:358 + dquot_acquire+0x348/0x670 fs/quota/dquot.c:444 + ext4_acquire_dquot+0x2dc/0x400 fs/ext4/super.c:6740 + dqget+0x999/0xdc0 fs/quota/dquot.c:914 + __dquot_initialize+0x3d0/0xcf0 fs/quota/dquot.c:1492 + ext4_process_orphan+0x57/0x2d0 fs/ext4/orphan.c:329 + ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474 + __ext4_fill_super fs/ext4/super.c:5516 [inline] + ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644 + get_tree_bdev+0x400/0x620 fs/super.c:1282 + vfs_get_tree+0x88/0x270 fs/super.c:1489 + do_new_mount+0x289/0xad0 fs/namespace.c:3145 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Add some debug information: +mb_find_extent: mb_find_extent block=41, order=0 needed=64 next=0 ex=0/41/1@3735929054 64 64 7 +block_bitmap: ff 3f 0c 00 fc 01 00 00 d2 3d 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Acctually, blocks per group is 64, but block bitmap indicate at least has +128 blocks. Now, ext4_validate_block_bitmap() didn't check invalid block's +bitmap if set. +To resolve above issue, add check like fsck "Padding at end of block bitmap is +not set". + +Cc: stable@kernel.org +Reported-by: syzbot+68223fe9f6c95ad43bed@syzkaller.appspotmail.com +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230116020015.1506120-1-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o +--- + fs/ext4/balloc.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c +index 094269488183..c49e612e3975 100644 +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -305,6 +305,22 @@ struct ext4_group_desc * ext4_get_group_desc(struct super_block *sb, + return desc; + } + ++static ext4_fsblk_t ext4_valid_block_bitmap_padding(struct super_block *sb, ++ ext4_group_t block_group, ++ struct buffer_head *bh) ++{ ++ ext4_grpblk_t next_zero_bit; ++ unsigned long bitmap_size = sb->s_blocksize * 8; ++ unsigned int offset = num_clusters_in_group(sb, block_group); ++ ++ if (bitmap_size <= offset) ++ return 0; ++ ++ next_zero_bit = ext4_find_next_zero_bit(bh->b_data, bitmap_size, offset); ++ ++ return (next_zero_bit < bitmap_size ? next_zero_bit : 0); ++} ++ + /* + * Return the block number which was discovered to be invalid, or 0 if + * the block bitmap is valid. +@@ -402,6 +418,15 @@ static int ext4_validate_block_bitmap(struct super_block *sb, + EXT4_GROUP_INFO_BBITMAP_CORRUPT); + return -EFSCORRUPTED; + } ++ blk = ext4_valid_block_bitmap_padding(sb, block_group, bh); ++ if (unlikely(blk != 0)) { ++ ext4_unlock_group(sb, block_group); ++ ext4_error(sb, "bg %u: block %llu: padding at end of block bitmap is not set", ++ block_group, blk); ++ ext4_mark_group_bitmap_corrupted(sb, block_group, ++ EXT4_GROUP_INFO_BBITMAP_CORRUPT); ++ return -EFSCORRUPTED; ++ } + set_buffer_verified(bh); + verified: + ext4_unlock_group(sb, block_group); +-- +2.35.3 + diff --git a/patches.suse/ext4-fix-bug_on-in-__es_tree_search-caused-by-bad-qu.patch b/patches.suse/ext4-fix-bug_on-in-__es_tree_search-caused-by-bad-qu.patch new file mode 100644 index 0000000..b8d2460 --- /dev/null +++ b/patches.suse/ext4-fix-bug_on-in-__es_tree_search-caused-by-bad-qu.patch @@ -0,0 +1,116 @@ +From d323877484765aaacbb2769b06e355c2041ed115 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Wed, 26 Oct 2022 12:23:07 +0800 +Subject: [PATCH] ext4: fix bug_on in __es_tree_search caused by bad quota + inode +Git-commit: d323877484765aaacbb2769b06e355c2041ed115 +Patch-mainline: v6.2-rc1 +References: bsc#1213111 + +We got a issue as fllows: +================================================================== + kernel BUG at fs/ext4/extents_status.c:202! + invalid opcode: 0000 [#1] PREEMPT SMP + CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352 + RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0 + RSP: 0018:ffffc90001227900 EFLAGS: 00010202 + RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000 + RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8 + RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001 + R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10 + R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000 + FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + ext4_es_cache_extent+0xe2/0x210 + ext4_cache_extents+0xd2/0x110 + ext4_find_extent+0x5d5/0x8c0 + ext4_ext_map_blocks+0x9c/0x1d30 + ext4_map_blocks+0x431/0xa50 + ext4_getblk+0x82/0x340 + ext4_bread+0x14/0x110 + ext4_quota_read+0xf0/0x180 + v2_read_header+0x24/0x90 + v2_check_quota_file+0x2f/0xa0 + dquot_load_quota_sb+0x26c/0x760 + dquot_load_quota_inode+0xa5/0x190 + ext4_enable_quotas+0x14c/0x300 + __ext4_fill_super+0x31cc/0x32c0 + ext4_fill_super+0x115/0x2d0 + get_tree_bdev+0x1d2/0x360 + ext4_get_tree+0x19/0x30 + vfs_get_tree+0x26/0xe0 + path_mount+0x81d/0xfc0 + do_mount+0x8d/0xc0 + __x64_sys_mount+0xc0/0x160 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +================================================================== + +Above issue may happen as follows: + +Acked-by: Jan Kara + +------------------------------------- +ext4_fill_super + ext4_orphan_cleanup + ext4_enable_quotas + ext4_quota_enable + ext4_iget --> get error inode <5> + ext4_ext_check_inode --> Wrong imode makes it escape inspection + make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode + dquot_load_quota_inode + vfs_setup_quota_inode --> check pass + dquot_load_quota_sb + v2_check_quota_file + v2_read_header + ext4_quota_read + ext4_bread + ext4_getblk + ext4_map_blocks + ext4_ext_map_blocks + ext4_find_extent + ext4_cache_extents + ext4_es_cache_extent + __es_tree_search.isra.0 + ext4_es_end --> Wrong extents trigger BUG_ON + +In the above issue, s_usr_quota_inum is set to 5, but inode<5> contains +incorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO, +the ext4_ext_check_inode check in the ext4_iget function can be bypassed, +finally, the extents that are not checked trigger the BUG_ON in the +__es_tree_search function. To solve this issue, check whether the inode is +bad_inode in vfs_setup_quota_inode(). + +Signed-off-by: Baokun Li +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Jason Yan +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20221026042310.3839669-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +--- + fs/quota/dquot.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 0427b44bfee5..f27faf5db554 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2324,6 +2324,8 @@ static int vfs_setup_quota_inode(struct inode *inode, int type) + struct super_block *sb = inode->i_sb; + struct quota_info *dqopt = sb_dqopt(sb); + ++ if (is_bad_inode(inode)) ++ return -EUCLEAN; + if (!S_ISREG(inode->i_mode)) + return -EACCES; + if (IS_RDONLY(inode)) +-- +2.35.3 + diff --git a/patches.suse/ext4-fix-data-races-when-using-cached-status-extents.patch b/patches.suse/ext4-fix-data-races-when-using-cached-status-extents.patch new file mode 100644 index 0000000..000ed75 --- /dev/null +++ b/patches.suse/ext4-fix-data-races-when-using-cached-status-extents.patch @@ -0,0 +1,86 @@ +From 492888df0c7b42fc0843631168b0021bc4caee84 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 4 May 2023 14:55:24 +0200 +Subject: [PATCH] ext4: fix data races when using cached status extents +Git-commit: 492888df0c7b42fc0843631168b0021bc4caee84 +Patch-mainline: v6.4-rc2 +References: bsc#1213102 + +When using cached extent stored in extent status tree in tree->cache_es +another process holding ei->i_es_lock for reading can be racing with us +setting new value of tree->cache_es. If the compiler would decide to +refetch tree->cache_es at an unfortunate moment, it could result in a +bogus in_range() check. Fix the possible race by using READ_ONCE() when +using tree->cache_es only under ei->i_es_lock for reading. + +Cc: stable@kernel.org +Reported-by: syzbot+4a03518df1e31b537066@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000d3b33905fa0fd4a6@google.com +Suggested-by: Dmitry Vyukov +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20230504125524.10802-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/extents_status.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 7bc221038c6c..595abb9e7d74 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -267,14 +267,12 @@ static void __es_find_extent_range(struct inode *inode, + + /* see if the extent has been cached */ + es->es_lblk = es->es_len = es->es_pblk = 0; +- if (tree->cache_es) { +- es1 = tree->cache_es; +- if (in_range(lblk, es1->es_lblk, es1->es_len)) { +- es_debug("%u cached by [%u/%u) %llu %x\n", +- lblk, es1->es_lblk, es1->es_len, +- ext4_es_pblock(es1), ext4_es_status(es1)); +- goto out; +- } ++ es1 = READ_ONCE(tree->cache_es); ++ if (es1 && in_range(lblk, es1->es_lblk, es1->es_len)) { ++ es_debug("%u cached by [%u/%u) %llu %x\n", ++ lblk, es1->es_lblk, es1->es_len, ++ ext4_es_pblock(es1), ext4_es_status(es1)); ++ goto out; + } + + es1 = __es_tree_search(&tree->root, lblk); +@@ -293,7 +291,7 @@ static void __es_find_extent_range(struct inode *inode, + } + + if (es1 && matching_fn(es1)) { +- tree->cache_es = es1; ++ WRITE_ONCE(tree->cache_es, es1); + es->es_lblk = es1->es_lblk; + es->es_len = es1->es_len; + es->es_pblk = es1->es_pblk; +@@ -931,14 +929,12 @@ int ext4_es_lookup_extent(struct inode *inode, ext4_lblk_t lblk, + + /* find extent in cache firstly */ + es->es_lblk = es->es_len = es->es_pblk = 0; +- if (tree->cache_es) { +- es1 = tree->cache_es; +- if (in_range(lblk, es1->es_lblk, es1->es_len)) { +- es_debug("%u cached by [%u/%u)\n", +- lblk, es1->es_lblk, es1->es_len); +- found = 1; +- goto out; +- } ++ es1 = READ_ONCE(tree->cache_es); ++ if (es1 && in_range(lblk, es1->es_lblk, es1->es_len)) { ++ es_debug("%u cached by [%u/%u)\n", ++ lblk, es1->es_lblk, es1->es_len); ++ found = 1; ++ goto out; + } + + node = tree->root.rb_node; +-- +2.35.3 + diff --git a/patches.suse/ext4-fix-deadlock-when-converting-an-inline-director.patch b/patches.suse/ext4-fix-deadlock-when-converting-an-inline-director.patch new file mode 100644 index 0000000..4fc187a --- /dev/null +++ b/patches.suse/ext4-fix-deadlock-when-converting-an-inline-director.patch @@ -0,0 +1,69 @@ +From f4ce24f54d9cca4f09a395f3eecce20d6bec4663 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 6 May 2023 21:04:01 -0400 +Subject: [PATCH] ext4: fix deadlock when converting an inline directory in + nojournal mode +Git-commit: f4ce24f54d9cca4f09a395f3eecce20d6bec4663 +Patch-mainline: v6.4-rc2 +References: bsc#1213105 + +In no journal mode, ext4_finish_convert_inline_dir() can self-deadlock +by calling ext4_handle_dirty_dirblock() when it already has taken the +directory lock. There is a similar self-deadlock in +ext4_incvert_inline_data_nolock() for data files which we'll fix at +the same time. + +A simple reproducer demonstrating the problem: + + mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc 64 + mount -t ext4 -o dirsync /dev/vdc /vdc + cd /vdc + mkdir file0 + cd file0 + touch file0 + touch file1 + attr -s BurnSpaceInEA -V abcde . + touch supercalifragilisticexpialidocious + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230507021608.1290720-1-tytso@mit.edu +Reported-by: syzbot+91dccab7c64e2850a4e5@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=ba84cc80a9491d65416bc7877e1650c87530fe8a +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/inline.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 859bc4e2c9b0..d3dfc51a43c5 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1175,6 +1175,7 @@ static int ext4_finish_convert_inline_dir(handle_t *handle, + ext4_initialize_dirent_tail(dir_block, + inode->i_sb->s_blocksize); + set_buffer_uptodate(dir_block); ++ unlock_buffer(dir_block); + err = ext4_handle_dirty_dirblock(handle, inode, dir_block); + if (err) + return err; +@@ -1249,6 +1250,7 @@ static int ext4_convert_inline_data_nolock(handle_t *handle, + if (!S_ISDIR(inode->i_mode)) { + memcpy(data_bh->b_data, buf, inline_size); + set_buffer_uptodate(data_bh); ++ unlock_buffer(data_bh); + error = ext4_handle_dirty_metadata(handle, + inode, data_bh); + } else { +@@ -1256,7 +1258,6 @@ static int ext4_convert_inline_data_nolock(handle_t *handle, + buf, inline_size); + } + +- unlock_buffer(data_bh); + out_restore: + if (error) + ext4_restore_inline_data(handle, inode, iloc, buf, inline_size); +-- +2.35.3 + diff --git a/patches.suse/ext4-fix-i_disksize-exceeding-i_size-problem-in-pari.patch b/patches.suse/ext4-fix-i_disksize-exceeding-i_size-problem-in-pari.patch new file mode 100644 index 0000000..33bbea6 --- /dev/null +++ b/patches.suse/ext4-fix-i_disksize-exceeding-i_size-problem-in-pari.patch @@ -0,0 +1,75 @@ +From 1dedde690303c05ef732b7c5c8356fdf60a4ade3 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Tue, 21 Mar 2023 09:37:21 +0800 +Subject: [PATCH] ext4: fix i_disksize exceeding i_size problem in paritally + written case +Git-commit: 1dedde690303c05ef732b7c5c8356fdf60a4ade3 +Patch-mainline: v6.4-rc1 +References: bsc#1213015 + +It is possible for i_disksize can exceed i_size, triggering a warning. + +generic_perform_write + copied = iov_iter_copy_from_user_atomic(len) // copied < len + ext4_da_write_end + | ext4_update_i_disksize + | new_i_size = pos + copied; + | WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize + | generic_write_end + | copied = block_write_end(copied, len) // copied = 0 + | if (unlikely(copied < len)) + | if (!PageUptodate(page)) + | copied = 0; + | if (pos + copied > inode->i_size) // return false + if (unlikely(copied == 0)) + goto again; + if (unlikely(iov_iter_fault_in_readable(i, bytes))) { + status = -EFAULT; + break; + } + +We get i_disksize greater than i_size here, which could trigger WARNING +check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio: + +ext4_dio_write_iter + iomap_dio_rw + __iomap_dio_rw // return err, length is not aligned to 512 + ext4_handle_inode_extension + WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops + + WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319 + CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2 + RIP: 0010:ext4_file_write_iter+0xbc7 + Call Trace: + vfs_write+0x3b1 + ksys_write+0x77 + do_syscall_64+0x39 + +Fix it by updating 'copied' value before updating i_disksize just like +ext4_write_inline_data_end() does. + +A reproducer can be found in the buganizer link below. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217209 +Fixes: 64769240bd07 ("ext4: Add delayed allocation support in data=writeback mode") +Signed-off-by: Zhihao Cheng +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230321013721.89818-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3095,6 +3095,8 @@ static int ext4_da_write_end(struct file + len, copied, page, fsdata); + + trace_ext4_da_write_end(inode, pos, len, copied); ++ if (unlikely(copied < len) && !PageUptodate(page)) ++ copied = 0; + start = pos & (PAGE_SIZE - 1); + end = start + copied - 1; + diff --git a/patches.suse/ext4-fix-lockdep-warning-when-enabling-MMP.patch b/patches.suse/ext4-fix-lockdep-warning-when-enabling-MMP.patch new file mode 100644 index 0000000..4376cd3 --- /dev/null +++ b/patches.suse/ext4-fix-lockdep-warning-when-enabling-MMP.patch @@ -0,0 +1,89 @@ +From 949f95ff39bf188e594e7ecd8e29b82eb108f5bf Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 11 Apr 2023 14:10:19 +0200 +Subject: [PATCH] ext4: fix lockdep warning when enabling MMP +Git-commit: 949f95ff39bf188e594e7ecd8e29b82eb108f5bf +Patch-mainline: v6.4-rc2 +References: bsc#1213100 + +When we enable MMP in ext4_multi_mount_protect() during mount or +remount, we end up calling sb_start_write() from write_mmp_block(). This +triggers lockdep warning because freeze protection ranks above s_umount +semaphore we are holding during mount / remount. The problem is harmless +because we are guaranteed the filesystem is not frozen during mount / +remount but still let's fix the warning by not grabbing freeze +protection from ext4_multi_mount_protect(). + +Cc: stable@kernel.org +Reported-by: syzbot+6b7df7d5506b32467149@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=ab7e5b6f400b7778d46f01841422e5718fb81843 +Signed-off-by: Jan Kara +Reviewed-by: Christian Brauner +Link: https://lore.kernel.org/r/20230411121019.21940-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/mmp.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- a/fs/ext4/mmp.c ++++ b/fs/ext4/mmp.c +@@ -39,28 +39,36 @@ static void ext4_mmp_csum_set(struct sup + * Write the MMP block using REQ_SYNC to try to get the block on-disk + * faster. + */ +-static int write_mmp_block(struct super_block *sb, struct buffer_head *bh) ++static int write_mmp_block_thawed(struct super_block *sb, ++ struct buffer_head *bh) + { + struct mmp_struct *mmp = (struct mmp_struct *)(bh->b_data); + +- /* +- * We protect against freezing so that we don't create dirty buffers +- * on frozen filesystem. +- */ +- sb_start_write(sb); + ext4_mmp_csum_set(sb, mmp); + lock_buffer(bh); + bh->b_end_io = end_buffer_write_sync; + get_bh(bh); + submit_bh(REQ_OP_WRITE, REQ_SYNC | REQ_META | REQ_PRIO, bh); + wait_on_buffer(bh); +- sb_end_write(sb); + if (unlikely(!buffer_uptodate(bh))) + return -EIO; +- + return 0; + } + ++static int write_mmp_block(struct super_block *sb, struct buffer_head *bh) ++{ ++ int err; ++ ++ /* ++ * We protect against freezing so that we don't create dirty buffers ++ * on frozen filesystem. ++ */ ++ sb_start_write(sb); ++ err = write_mmp_block_thawed(sb, bh); ++ sb_end_write(sb); ++ return err; ++} ++ + /* + * Read the MMP block. It _must_ be read from disk and hence we clear the + * uptodate flag on the buffer. +@@ -348,7 +356,11 @@ skip: + seq = mmp_new_seq(); + mmp->mmp_seq = cpu_to_le32(seq); + +- retval = write_mmp_block(sb, bh); ++ /* ++ * On mount / remount we are protected against fs freezing (by s_umount ++ * semaphore) and grabbing freeze protection upsets lockdep ++ */ ++ retval = write_mmp_block_thawed(sb, bh); + if (retval) + goto failed; + diff --git a/patches.suse/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch b/patches.suse/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch new file mode 100644 index 0000000..4ff5e54 --- /dev/null +++ b/patches.suse/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch @@ -0,0 +1,97 @@ +From 0f7bfd6f8164be32dbbdf36aa1e5d00485c53cd7 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Tue, 10 Jan 2023 21:34:36 +0800 +Subject: [PATCH] ext4: fix task hung in ext4_xattr_delete_inode +Git-commit: 0f7bfd6f8164be32dbbdf36aa1e5d00485c53cd7 +Patch-mainline: v6.3-rc1 +References: bsc#1213096 + +Syzbot reported a hung task problem: +================================================================== +Info: task syz-executor232:5073 blocked for more than 143 seconds. + Not tainted 6.2.0-rc2-syzkaller-00024-g512dee0c00ad #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:syz-exec232 state:D stack:21024 pid:5073 ppid:5072 flags:0x00004004 +Call Trace: + + context_switch kernel/sched/core.c:5244 [inline] + __schedule+0x995/0xe20 kernel/sched/core.c:6555 + schedule+0xcb/0x190 kernel/sched/core.c:6631 + __wait_on_freeing_inode fs/inode.c:2196 [inline] + find_inode_fast+0x35a/0x4c0 fs/inode.c:950 + iget_locked+0xb1/0x830 fs/inode.c:1273 + __ext4_iget+0x22e/0x3ed0 fs/ext4/inode.c:4861 + ext4_xattr_inode_iget+0x68/0x4e0 fs/ext4/xattr.c:389 + ext4_xattr_inode_dec_ref_all+0x1a7/0xe50 fs/ext4/xattr.c:1148 + ext4_xattr_delete_inode+0xb04/0xcd0 fs/ext4/xattr.c:2880 + ext4_evict_inode+0xd7c/0x10b0 fs/ext4/inode.c:296 + evict+0x2a4/0x620 fs/inode.c:664 + ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474 + __ext4_fill_super fs/ext4/super.c:5516 [inline] + ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644 + get_tree_bdev+0x400/0x620 fs/super.c:1282 + vfs_get_tree+0x88/0x270 fs/super.c:1489 + do_new_mount+0x289/0xad0 fs/namespace.c:3145 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7fa5406fd5ea +Rsp: 002b:00007ffc7232f968 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +Rax: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa5406fd5ea +Rdx: 0000000020000440 RSI: 0000000020000000 RDI: 00007ffc7232f970 +Rbp: 00007ffc7232f970 R08: 00007ffc7232f9b0 R09: 0000000000000432 +R10: 0000000000804a03 R11: 0000000000000202 R12: 0000000000000004 +R13: 0000555556a7a2c0 R14: 00007ffc7232f9b0 R15: 0000000000000000 + +================================================================== + +The problem is that the inode contains an xattr entry with ea_inum of 15 +when cleaning up an orphan inode <15>. When evict inode <15>, the reference +counting of the corresponding EA inode is decreased. When EA inode <15> is +found by find_inode_fast() in __ext4_iget(), it is found that the EA inode +holds the I_FREEING flag and waits for the EA inode to complete deletion. +As a result, when inode <15> is being deleted, we wait for inode <15> to +complete the deletion, resulting in an infinite loop and triggering Hung +Task. To solve this problem, we only need to check whether the ino of EA +inode and parent is the same before getting EA inode. + +Link: https://syzkaller.appspot.com/bug?extid=77d6fcc37bbb92f26048 +Reported-by: syzbot+77d6fcc37bbb92f26048@syzkaller.appspotmail.com +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230110133436.996350-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/xattr.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index d8fef540ca9b..863c15388848 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -422,6 +422,17 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino, + struct inode *inode; + int err; + ++ /* ++ * We have to check for this corruption early as otherwise ++ * iget_locked() could wait indefinitely for the state of our ++ * parent inode. ++ */ ++ if (parent->i_ino == ea_ino) { ++ ext4_error(parent->i_sb, ++ "Parent and EA inode have the same ino %lu", ea_ino); ++ return -EFSCORRUPTED; ++ } ++ + inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_NORMAL); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); +-- +2.35.3 + diff --git a/patches.suse/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext.patch b/patches.suse/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext.patch new file mode 100644 index 0000000..d85a841 --- /dev/null +++ b/patches.suse/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext.patch @@ -0,0 +1,49 @@ +From c4d13222afd8a64bf11bc7ec68645496ee8b54b9 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 6 Jun 2023 15:32:03 +0800 +Subject: [PATCH] ext4: fix to check return value of freeze_bdev() in + ext4_shutdown() +Git-commit: c4d13222afd8a64bf11bc7ec68645496ee8b54b9 +Patch-mainline: v6.5-rc1 +References: bsc#1213021 + +freeze_bdev() can fail due to a lot of reasons, it needs to check its +reason before later process. + +Fixes: 783d94854499 ("ext4: add EXT4_IOC_GOINGDOWN ioctl") +Cc: stable@kernel.org +Signed-off-by: Chao Yu +Link: https://lore.kernel.org/r/20230606073203.1310389-1-chao@kernel.org +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/ioctl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index f9a430152063..55be1b8a6360 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -797,6 +797,7 @@ static int ext4_shutdown(struct super_block *sb, unsigned long arg) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + __u32 flags; ++ int ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +@@ -815,7 +816,9 @@ static int ext4_shutdown(struct super_block *sb, unsigned long arg) + + switch (flags) { + case EXT4_GOING_FLAGS_DEFAULT: +- freeze_bdev(sb->s_bdev); ++ ret = freeze_bdev(sb->s_bdev); ++ if (ret) ++ return ret; + set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags); + thaw_bdev(sb->s_bdev); + break; +-- +2.35.3 + diff --git a/patches.suse/ext4-fix-use-after-free-read-in-ext4_find_extent-for.patch b/patches.suse/ext4-fix-use-after-free-read-in-ext4_find_extent-for.patch new file mode 100644 index 0000000..026f8d4 --- /dev/null +++ b/patches.suse/ext4-fix-use-after-free-read-in-ext4_find_extent-for.patch @@ -0,0 +1,94 @@ +From 835659598c67907b98cd2aa57bb951dfaf675c69 Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Thu, 6 Apr 2023 11:16:27 +0000 +Subject: [PATCH] ext4: fix use-after-free read in ext4_find_extent for + bigalloc + inline +Git-commit: 835659598c67907b98cd2aa57bb951dfaf675c69 +Patch-mainline: v6.4-rc1 +References: bsc#1213098 + +Syzbot found the following issue: +Loop0: detected capacity change from 0 to 2048 +EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none. +================================================================== +Bug: KASAN: use-after-free in ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline] +Bug: KASAN: use-after-free in ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931 +Read of size 4 at addr ffff888073644750 by task syz-executor420/5067 + +Cpu: 0 PID: 5067 Comm: syz-executor420 Not tainted 6.2.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:306 + print_report+0x107/0x1f0 mm/kasan/report.c:417 + kasan_report+0xcd/0x100 mm/kasan/report.c:517 + ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline] + ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931 + ext4_clu_mapped+0x117/0x970 fs/ext4/extents.c:5809 + ext4_insert_delayed_block fs/ext4/inode.c:1696 [inline] + ext4_da_map_blocks fs/ext4/inode.c:1806 [inline] + ext4_da_get_block_prep+0x9e8/0x13c0 fs/ext4/inode.c:1870 + ext4_block_write_begin+0x6a8/0x2290 fs/ext4/inode.c:1098 + ext4_da_write_begin+0x539/0x760 fs/ext4/inode.c:3082 + generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772 + ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:285 + ext4_file_write_iter+0x1d0/0x18f0 + call_write_iter include/linux/fs.h:2186 [inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x7dc/0xc50 fs/read_write.c:584 + ksys_write+0x177/0x2a0 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7f4b7a9737b9 +Rsp: 002b:00007ffc5cac3668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +Rax: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4b7a9737b9 +Rdx: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004 +Rbp: 00007f4b7a933050 R08: 0000000000000000 R09: 0000000000000000 +R10: 000000000000079f R11: 0000000000000246 R12: 00007f4b7a9330e0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +Above issue is happens when enable bigalloc and inline data feature. As +commit 131294c35ed6 fixed delayed allocation bug in ext4_clu_mapped for +bigalloc + inline. But it only resolved issue when has inline data, if +inline data has been converted to extent(ext4_da_convert_inline_data_to_extent) +before writepages, there is no EXT4_STATE_MAY_INLINE_DATA flag. However +i_data is still store inline data in this scene. Then will trigger UAF +when find extent. +To resolve above issue, there is need to add judge "ext4_has_inline_data(inode)" +in ext4_clu_mapped(). + +Fixes: 131294c35ed6 ("ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline") +Reported-by: syzbot+bf4bb7731ef73b83a3b4@syzkaller.appspotmail.com +Reviewed-by: Jan Kara +Reviewed-by: Ye Bin +Reviewed-by: Tudor Ambarus +Tested-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20230406111627.1916759-1-tudor.ambarus@linaro.org +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/extents.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index e79c767cc5e0..35703dce23a3 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5795,7 +5795,8 @@ int ext4_clu_mapped(struct inode *inode, ext4_lblk_t lclu) + * mapped - no physical clusters have been allocated, and the + * file has no extents + */ +- if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) ++ if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA) || ++ ext4_has_inline_data(inode)) + return 0; + + /* search for the extent closest to the first block in the cluster */ +-- +2.35.3 + diff --git a/patches.suse/ext4-improve-error-handling-from-ext4_dirhash.patch b/patches.suse/ext4-improve-error-handling-from-ext4_dirhash.patch new file mode 100644 index 0000000..1869e21 --- /dev/null +++ b/patches.suse/ext4-improve-error-handling-from-ext4_dirhash.patch @@ -0,0 +1,163 @@ +From 4b3cb1d108bfc2aebb0d7c8a52261a53cf7f5786 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 6 May 2023 11:59:13 -0400 +Subject: [PATCH] ext4: improve error handling from ext4_dirhash() +Git-commit: 4b3cb1d108bfc2aebb0d7c8a52261a53cf7f5786 +Patch-mainline: v6.4-rc2 +References: bsc#1213104 + +The ext4_dirhash() will *almost* never fail, especially when the hash +tree feature was first introduced. However, with the addition of +support of encrypted, casefolded file names, that function can most +certainly fail today. + +So make sure the callers of ext4_dirhash() properly check for +failures, and reflect the errors back up to their callers. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230506142419.984260-1-tytso@mit.edu +Reported-by: syzbot+394aa8a792cb99dbc837@syzkaller.appspotmail.com +Reported-by: syzbot+344aaa8697ebd232bfc8@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=db56459ea4ac4a676ae4b4678f633e55da005a9b +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/hash.c | 6 +++++- + fs/ext4/namei.c | 53 ++++++++++++++++++++++++++++++++++--------------- + 2 files changed, 42 insertions(+), 17 deletions(-) + +diff --git a/fs/ext4/hash.c b/fs/ext4/hash.c +index 147b5241dd94..46c3423ddfa1 100644 +--- a/fs/ext4/hash.c ++++ b/fs/ext4/hash.c +@@ -277,7 +277,11 @@ static int __ext4fs_dirhash(const struct inode *dir, const char *name, int len, + } + default: + hinfo->hash = 0; +- return -1; ++ hinfo->minor_hash = 0; ++ ext4_warning(dir->i_sb, ++ "invalid/unsupported hash tree version %u", ++ hinfo->hash_version); ++ return -EINVAL; + } + hash = hash & ~1; + if (hash == (EXT4_HTREE_EOF_32BIT << 1)) +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index a5010b5b8a8c..45b579805c95 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -674,7 +674,7 @@ static struct stats dx_show_leaf(struct inode *dir, + len = de->name_len; + if (!IS_ENCRYPTED(dir)) { + /* Directory is not encrypted */ +- ext4fs_dirhash(dir, de->name, ++ (void) ext4fs_dirhash(dir, de->name, + de->name_len, &h); + printk("%*.s:(U)%x.%u ", len, + name, h.hash, +@@ -709,8 +709,9 @@ static struct stats dx_show_leaf(struct inode *dir, + if (IS_CASEFOLDED(dir)) + h.hash = EXT4_DIRENT_HASH(de); + else +- ext4fs_dirhash(dir, de->name, +- de->name_len, &h); ++ (void) ext4fs_dirhash(dir, ++ de->name, ++ de->name_len, &h); + printk("%*.s:(E)%x.%u ", len, name, + h.hash, (unsigned) ((char *) de + - base)); +@@ -720,7 +721,8 @@ static struct stats dx_show_leaf(struct inode *dir, + #else + int len = de->name_len; + char *name = de->name; +- ext4fs_dirhash(dir, de->name, de->name_len, &h); ++ (void) ext4fs_dirhash(dir, de->name, ++ de->name_len, &h); + printk("%*.s:%x.%u ", len, name, h.hash, + (unsigned) ((char *) de - base)); + #endif +@@ -849,8 +851,14 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, + hinfo->seed = EXT4_SB(dir->i_sb)->s_hash_seed; + /* hash is already computed for encrypted casefolded directory */ + if (fname && fname_name(fname) && +- !(IS_ENCRYPTED(dir) && IS_CASEFOLDED(dir))) +- ext4fs_dirhash(dir, fname_name(fname), fname_len(fname), hinfo); ++ !(IS_ENCRYPTED(dir) && IS_CASEFOLDED(dir))) { ++ int ret = ext4fs_dirhash(dir, fname_name(fname), ++ fname_len(fname), hinfo); ++ if (ret < 0) { ++ ret_err = ERR_PTR(ret); ++ goto fail; ++ } ++ } + hash = hinfo->hash; + + if (root->info.unused_flags & 1) { +@@ -1111,7 +1119,12 @@ static int htree_dirblock_to_tree(struct file *dir_file, + hinfo->minor_hash = 0; + } + } else { +- ext4fs_dirhash(dir, de->name, de->name_len, hinfo); ++ err = ext4fs_dirhash(dir, de->name, ++ de->name_len, hinfo); ++ if (err < 0) { ++ count = err; ++ goto errout; ++ } + } + if ((hinfo->hash < start_hash) || + ((hinfo->hash == start_hash) && +@@ -1313,8 +1326,12 @@ static int dx_make_map(struct inode *dir, struct buffer_head *bh, + if (de->name_len && de->inode) { + if (ext4_hash_in_dirent(dir)) + h.hash = EXT4_DIRENT_HASH(de); +- else +- ext4fs_dirhash(dir, de->name, de->name_len, &h); ++ else { ++ int err = ext4fs_dirhash(dir, de->name, ++ de->name_len, &h); ++ if (err < 0) ++ return err; ++ } + map_tail--; + map_tail->hash = h.hash; + map_tail->offs = ((char *) de - base)>>2; +@@ -1452,10 +1469,9 @@ int ext4_fname_setup_ci_filename(struct inode *dir, const struct qstr *iname, + hinfo->hash_version = DX_HASH_SIPHASH; + hinfo->seed = NULL; + if (cf_name->name) +- ext4fs_dirhash(dir, cf_name->name, cf_name->len, hinfo); ++ return ext4fs_dirhash(dir, cf_name->name, cf_name->len, hinfo); + else +- ext4fs_dirhash(dir, iname->name, iname->len, hinfo); +- return 0; ++ return ext4fs_dirhash(dir, iname->name, iname->len, hinfo); + } + #endif + +@@ -2298,10 +2314,15 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, + fname->hinfo.seed = EXT4_SB(dir->i_sb)->s_hash_seed; + + /* casefolded encrypted hashes are computed on fname setup */ +- if (!ext4_hash_in_dirent(dir)) +- ext4fs_dirhash(dir, fname_name(fname), +- fname_len(fname), &fname->hinfo); +- ++ if (!ext4_hash_in_dirent(dir)) { ++ int err = ext4fs_dirhash(dir, fname_name(fname), ++ fname_len(fname), &fname->hinfo); ++ if (err < 0) { ++ brelse(bh2); ++ brelse(bh); ++ return err; ++ } ++ } + memset(frames, 0, sizeof(frames)); + frame = frames; + frame->entries = entries; +-- +2.35.3 + diff --git a/patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch b/patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch new file mode 100644 index 0000000..d96d7fc --- /dev/null +++ b/patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch @@ -0,0 +1,67 @@ +From 4c0b4818b1f636bc96359f7817a2d8bab6370162 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 5 May 2023 22:20:29 -0400 +Subject: [PATCH] ext4: improve error recovery code paths in __ext4_remount() +Git-commit: 4c0b4818b1f636bc96359f7817a2d8bab6370162 +Patch-mainline: v6.4-rc2 +References: bsc#1213017 + +If there are failures while changing the mount options in +__ext4_remount(), we need to restore the old mount options. + +This commit fixes two problem. The first is there is a chance that we +will free the old quota file names before a potential failure leading +to a use-after-free. The second problem addressed in this commit is +if there is a failed read/write to read-only transition, if the quota +has already been suspended, we need to renable quota handling. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230506142419.984260-2-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/super.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index c7bc4a2709cc..bc0b4a98b337 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6617,9 +6617,6 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + } + + #ifdef CONFIG_QUOTA +- /* Release old quota file names */ +- for (i = 0; i < EXT4_MAXQUOTAS; i++) +- kfree(old_opts.s_qf_names[i]); + if (enable_quota) { + if (sb_any_quota_suspended(sb)) + dquot_resume(sb, -1); +@@ -6629,6 +6626,9 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + goto restore_opts; + } + } ++ /* Release old quota file names */ ++ for (i = 0; i < EXT4_MAXQUOTAS; i++) ++ kfree(old_opts.s_qf_names[i]); + #endif + if (!test_opt(sb, BLOCK_VALIDITY) && sbi->s_system_blks) + ext4_release_system_zone(sb); +@@ -6642,6 +6642,13 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + return 0; + + restore_opts: ++ /* ++ * If there was a failing r/w to ro transition, we may need to ++ * re-enable quota ++ */ ++ if ((sb->s_flags & SB_RDONLY) && !(old_sb_flags & SB_RDONLY) && ++ sb_any_quota_suspended(sb)) ++ dquot_resume(sb, -1); + sb->s_flags = old_sb_flags; + sbi->s_mount_opt = old_opts.s_mount_opt; + sbi->s_mount_opt2 = old_opts.s_mount_opt2; +-- +2.35.3 + diff --git a/patches.suse/ext4-move-where-set-the-MAY_INLINE_DATA-flag-is-set.patch b/patches.suse/ext4-move-where-set-the-MAY_INLINE_DATA-flag-is-set.patch new file mode 100644 index 0000000..cd0b5aa --- /dev/null +++ b/patches.suse/ext4-move-where-set-the-MAY_INLINE_DATA-flag-is-set.patch @@ -0,0 +1,61 @@ +From 1dcdce5919115a471bf4921a57f20050c545a236 Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Tue, 7 Mar 2023 09:52:52 +0800 +Subject: [PATCH] ext4: move where set the MAY_INLINE_DATA flag is set +Git-commit: 1dcdce5919115a471bf4921a57f20050c545a236 +Patch-mainline: v6.3-rc2 +References: bsc#1213011 + +The only caller of ext4_find_inline_data_nolock() that needs setting of +EXT4_STATE_MAY_INLINE_DATA flag is ext4_iget_extra_inode(). In +ext4_write_inline_data_end() we just need to update inode->i_inline_off. +Since we are going to add one more caller that does not need to set +EXT4_STATE_MAY_INLINE_DATA, just move setting of EXT4_STATE_MAY_INLINE_DATA +out to ext4_iget_extra_inode(). + +Signed-off-by: Ye Bin +Cc: stable@kernel.org +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230307015253.2232062-2-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/inline.c | 1 - + fs/ext4/inode.c | 7 ++++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 2b42ececa46d..1602d74b5eeb 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -159,7 +159,6 @@ int ext4_find_inline_data_nolock(struct inode *inode) + (void *)ext4_raw_inode(&is.iloc)); + EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE + + le32_to_cpu(is.s.here->e_value_size); +- ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); + } + out: + brelse(is.iloc.bh); +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index b65dadfe3b45..530e420ae0e8 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4797,8 +4797,13 @@ static inline int ext4_iget_extra_inode(struct inode *inode, + + if (EXT4_INODE_HAS_XATTR_SPACE(inode) && + *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { ++ int err; ++ + ext4_set_inode_state(inode, EXT4_STATE_XATTR); +- return ext4_find_inline_data_nolock(inode); ++ err = ext4_find_inline_data_nolock(inode); ++ if (!err && ext4_has_inline_data(inode)) ++ ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); ++ return err; + } else + EXT4_I(inode)->i_inline_off = 0; + return 0; +-- +2.35.3 + diff --git a/patches.suse/ext4-only-update-i_reserved_data_blocks-on-successfu.patch b/patches.suse/ext4-only-update-i_reserved_data_blocks-on-successfu.patch new file mode 100644 index 0000000..b0c8354 --- /dev/null +++ b/patches.suse/ext4-only-update-i_reserved_data_blocks-on-successfu.patch @@ -0,0 +1,100 @@ +From de25d6e9610a8b30cce9bbb19b50615d02ebca02 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 24 Apr 2023 11:38:35 +0800 +Subject: [PATCH] ext4: only update i_reserved_data_blocks on successful block + allocation +Git-commit: de25d6e9610a8b30cce9bbb19b50615d02ebca02 +Patch-mainline: v6.5-rc1 +References: bsc#1213019 + +In our fault injection test, we create an ext4 file, migrate it to +non-extent based file, then punch a hole and finally trigger a WARN_ON +in the ext4_da_update_reserve_space(): + +EXT4-fs warning (device sda): ext4_da_update_reserve_space:369: +ino 14, used 11 with only 10 reserved data blocks + +When writing back a non-extent based file, if we enable delalloc, the +number of reserved blocks will be subtracted from the number of blocks +mapped by ext4_ind_map_blocks(), and the extent status tree will be +updated. We update the extent status tree by first removing the old +extent_status and then inserting the new extent_status. If the block range +we remove happens to be in an extent, then we need to allocate another +extent_status with ext4_es_alloc_extent(). + + use old to remove to add new + |----------|------------|------------| + old extent_status + +The problem is that the allocation of a new extent_status failed due to a +fault injection, and __es_shrink() did not get free memory, resulting in +a return of -ENOMEM. Then do_writepages() retries after receiving -ENOMEM, +we map to the same extent again, and the number of reserved blocks is again +subtracted from the number of blocks in that extent. Since the blocks in +the same extent are subtracted twice, we end up triggering WARN_ON at +ext4_da_update_reserve_space() because used > ei->i_reserved_data_blocks. + +For non-extent based file, we update the number of reserved blocks after +ext4_ind_map_blocks() is executed, which causes a problem that when we call +ext4_ind_map_blocks() to create a block, it doesn't always create a block, +but we always reduce the number of reserved blocks. So we move the logic +for updating reserved blocks to ext4_ind_map_blocks() to ensure that the +number of reserved blocks is updated only after we do succeed in allocating +some new blocks. + +Fixes: 5f634d064c70 ("ext4: Fix quota accounting error with fallocate") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/indirect.c | 8 ++++++++ + fs/ext4/inode.c | 10 ---------- + 2 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c +index c68bebe7ff4b..a9f3716119d3 100644 +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -651,6 +651,14 @@ int ext4_ind_map_blocks(handle_t *handle, struct inode *inode, + + ext4_update_inode_fsync_trans(handle, inode, 1); + count = ar.len; ++ ++ /* ++ * Update reserved blocks/metadata blocks after successful block ++ * allocation which had been deferred till now. ++ */ ++ if (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) ++ ext4_da_update_reserve_space(inode, count, 1); ++ + got_it: + map->m_flags |= EXT4_MAP_MAPPED; + map->m_pblk = le32_to_cpu(chain[depth-1].key); +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index c2868282ad81..ef7ec2690b84 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -632,16 +632,6 @@ int ext4_map_blocks(handle_t *handle, struct inode *inode, + */ + ext4_clear_inode_state(inode, EXT4_STATE_EXT_MIGRATE); + } +- +- /* +- * Update reserved blocks/metadata blocks after successful +- * block allocation which had been deferred till now. We don't +- * support fallocate for non extent files. So we can update +- * reserve space here. +- */ +- if ((retval > 0) && +- (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE)) +- ext4_da_update_reserve_space(inode, retval, 1); + } + + if (retval > 0) { +-- +2.35.3 + diff --git a/patches.suse/ext4-refactor-ext4_free_blocks-to-pull-out-ext4_mb_c.patch b/patches.suse/ext4-refactor-ext4_free_blocks-to-pull-out-ext4_mb_c.patch new file mode 100644 index 0000000..894efb4 --- /dev/null +++ b/patches.suse/ext4-refactor-ext4_free_blocks-to-pull-out-ext4_mb_c.patch @@ -0,0 +1,240 @@ +From 8ac3939db99f99667b8eb670cf4baf292896e72d Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Wed, 16 Feb 2022 12:32:45 +0530 +Subject: [PATCH] ext4: refactor ext4_free_blocks() to pull out + ext4_mb_clear_bb() +Git-commit: 8ac3939db99f99667b8eb670cf4baf292896e72d +Patch-mainline: v5.18-rc1 +References: bsc#1213087 + +ext4_free_blocks() function became too long and confusing, this patch +just pulls out the ext4_mb_clear_bb() function logic from it +which clears the block bitmap and frees it. + +No functionality change in this patch + +Signed-off-by: Ritesh Harjani +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/22c30fbb26ba409cf8aa5f0c7912970272c459e8.1644992610.git.riteshh@linux.ibm.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/mballoc.c | 180 ++++++++++++++++++++++++++-------------------- + 1 file changed, 102 insertions(+), 78 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 816322eddd2b..7b80c5dd9f40 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5872,7 +5872,8 @@ static void ext4_free_blocks_simple(struct inode *inode, ext4_fsblk_t block, + } + + /** +- * ext4_free_blocks() -- Free given blocks and update quota ++ * ext4_mb_clear_bb() -- helper function for freeing blocks. ++ * Used by ext4_free_blocks() + * @handle: handle for this transaction + * @inode: inode + * @bh: optional buffer of the block to be freed +@@ -5880,9 +5881,9 @@ static void ext4_free_blocks_simple(struct inode *inode, ext4_fsblk_t block, + * @count: number of blocks to be freed + * @flags: flags used by ext4_free_blocks + */ +-void ext4_free_blocks(handle_t *handle, struct inode *inode, +- struct buffer_head *bh, ext4_fsblk_t block, +- unsigned long count, int flags) ++static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode, ++ ext4_fsblk_t block, unsigned long count, ++ int flags) + { + struct buffer_head *bitmap_bh = NULL; + struct super_block *sb = inode->i_sb; +@@ -5899,80 +5900,6 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode, + + sbi = EXT4_SB(sb); + +- if (sbi->s_mount_state & EXT4_FC_REPLAY) { +- ext4_free_blocks_simple(inode, block, count); +- return; +- } +- +- might_sleep(); +- if (bh) { +- if (block) +- BUG_ON(block != bh->b_blocknr); +- else +- block = bh->b_blocknr; +- } +- +- if (!(flags & EXT4_FREE_BLOCKS_VALIDATED) && +- !ext4_inode_block_valid(inode, block, count)) { +- ext4_error(sb, "Freeing blocks not in datazone - " +- "block = %llu, count = %lu", block, count); +- goto error_return; +- } +- +- ext4_debug("freeing block %llu\n", block); +- trace_ext4_free_blocks(inode, block, count, flags); +- +- if (bh && (flags & EXT4_FREE_BLOCKS_FORGET)) { +- BUG_ON(count > 1); +- +- ext4_forget(handle, flags & EXT4_FREE_BLOCKS_METADATA, +- inode, bh, block); +- } +- +- /* +- * If the extent to be freed does not begin on a cluster +- * boundary, we need to deal with partial clusters at the +- * beginning and end of the extent. Normally we will free +- * blocks at the beginning or the end unless we are explicitly +- * requested to avoid doing so. +- */ +- overflow = EXT4_PBLK_COFF(sbi, block); +- if (overflow) { +- if (flags & EXT4_FREE_BLOCKS_NOFREE_FIRST_CLUSTER) { +- overflow = sbi->s_cluster_ratio - overflow; +- block += overflow; +- if (count > overflow) +- count -= overflow; +- else +- return; +- } else { +- block -= overflow; +- count += overflow; +- } +- } +- overflow = EXT4_LBLK_COFF(sbi, count); +- if (overflow) { +- if (flags & EXT4_FREE_BLOCKS_NOFREE_LAST_CLUSTER) { +- if (count > overflow) +- count -= overflow; +- else +- return; +- } else +- count += sbi->s_cluster_ratio - overflow; +- } +- +- if (!bh && (flags & EXT4_FREE_BLOCKS_FORGET)) { +- int i; +- int is_metadata = flags & EXT4_FREE_BLOCKS_METADATA; +- +- for (i = 0; i < count; i++) { +- cond_resched(); +- if (is_metadata) +- bh = sb_find_get_block(inode->i_sb, block + i); +- ext4_forget(handle, is_metadata, inode, bh, block + i); +- } +- } +- + do_more: + overflow = 0; + ext4_get_group_no_and_offset(sb, block, &block_group, &bit); +@@ -6140,6 +6067,103 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode, + return; + } + ++/** ++ * ext4_free_blocks() -- Free given blocks and update quota ++ * @handle: handle for this transaction ++ * @inode: inode ++ * @bh: optional buffer of the block to be freed ++ * @block: starting physical block to be freed ++ * @count: number of blocks to be freed ++ * @flags: flags used by ext4_free_blocks ++ */ ++void ext4_free_blocks(handle_t *handle, struct inode *inode, ++ struct buffer_head *bh, ext4_fsblk_t block, ++ unsigned long count, int flags) ++{ ++ struct super_block *sb = inode->i_sb; ++ unsigned int overflow; ++ struct ext4_sb_info *sbi; ++ ++ sbi = EXT4_SB(sb); ++ ++ if (sbi->s_mount_state & EXT4_FC_REPLAY) { ++ ext4_free_blocks_simple(inode, block, count); ++ return; ++ } ++ ++ might_sleep(); ++ if (bh) { ++ if (block) ++ BUG_ON(block != bh->b_blocknr); ++ else ++ block = bh->b_blocknr; ++ } ++ ++ if (!(flags & EXT4_FREE_BLOCKS_VALIDATED) && ++ !ext4_inode_block_valid(inode, block, count)) { ++ ext4_error(sb, "Freeing blocks not in datazone - " ++ "block = %llu, count = %lu", block, count); ++ return; ++ } ++ ++ ext4_debug("freeing block %llu\n", block); ++ trace_ext4_free_blocks(inode, block, count, flags); ++ ++ if (bh && (flags & EXT4_FREE_BLOCKS_FORGET)) { ++ BUG_ON(count > 1); ++ ++ ext4_forget(handle, flags & EXT4_FREE_BLOCKS_METADATA, ++ inode, bh, block); ++ } ++ ++ /* ++ * If the extent to be freed does not begin on a cluster ++ * boundary, we need to deal with partial clusters at the ++ * beginning and end of the extent. Normally we will free ++ * blocks at the beginning or the end unless we are explicitly ++ * requested to avoid doing so. ++ */ ++ overflow = EXT4_PBLK_COFF(sbi, block); ++ if (overflow) { ++ if (flags & EXT4_FREE_BLOCKS_NOFREE_FIRST_CLUSTER) { ++ overflow = sbi->s_cluster_ratio - overflow; ++ block += overflow; ++ if (count > overflow) ++ count -= overflow; ++ else ++ return; ++ } else { ++ block -= overflow; ++ count += overflow; ++ } ++ } ++ overflow = EXT4_LBLK_COFF(sbi, count); ++ if (overflow) { ++ if (flags & EXT4_FREE_BLOCKS_NOFREE_LAST_CLUSTER) { ++ if (count > overflow) ++ count -= overflow; ++ else ++ return; ++ } else ++ count += sbi->s_cluster_ratio - overflow; ++ } ++ ++ if (!bh && (flags & EXT4_FREE_BLOCKS_FORGET)) { ++ int i; ++ int is_metadata = flags & EXT4_FREE_BLOCKS_METADATA; ++ ++ for (i = 0; i < count; i++) { ++ cond_resched(); ++ if (is_metadata) ++ bh = sb_find_get_block(inode->i_sb, block + i); ++ ext4_forget(handle, is_metadata, inode, bh, block + i); ++ } ++ } ++ ++ ext4_mb_clear_bb(handle, inode, block, count, flags); ++ return; ++} ++ + /** + * ext4_group_add_blocks() -- Add given blocks to an existing group + * @handle: handle to this transaction +-- +2.35.3 + diff --git a/patches.suse/ext4-refuse-to-create-ea-block-when-umounted.patch b/patches.suse/ext4-refuse-to-create-ea-block-when-umounted.patch new file mode 100644 index 0000000..b58ff7d --- /dev/null +++ b/patches.suse/ext4-refuse-to-create-ea-block-when-umounted.patch @@ -0,0 +1,45 @@ +From f31173c19901a96bb2ebf6bcfec8a08df7095c91 Mon Sep 17 00:00:00 2001 +From: Jun Nie +Date: Tue, 3 Jan 2023 09:45:17 +0800 +Subject: [PATCH] ext4: refuse to create ea block when umounted +Git-commit: f31173c19901a96bb2ebf6bcfec8a08df7095c91 +Patch-mainline: v6.3-rc1 +References: bsc#1213093 + +The ea block expansion need to access s_root while it is +already set as NULL when umount is triggered. Refuse this +request to avoid panic. + +Reported-by: syzbot+2dacb8f015bf1420155f@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=3613786cb88c93aa1c6a279b1df6a7b201347d08 +Link: https://lore.kernel.org/r/20230103014517.495275-3-jun.nie@linaro.org +Cc: stable@kernel.org +Signed-off-by: Jun Nie +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/xattr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 38e08b438ccb..d8fef540ca9b 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1471,6 +1471,13 @@ static struct inode *ext4_xattr_inode_create(handle_t *handle, + uid_t owner[2] = { i_uid_read(inode), i_gid_read(inode) }; + int err; + ++ if (inode->i_sb->s_root == NULL) { ++ ext4_warning(inode->i_sb, ++ "refuse to create EA inode when umounting"); ++ WARN_ON(1); ++ return ERR_PTR(-EINVAL); ++ } ++ + /* + * Let the next inode be the goal, so we try and allocate the EA inode + * in the same group, or nearby one. +-- +2.35.3 + diff --git a/patches.suse/ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_x.patch b/patches.suse/ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_x.patch new file mode 100644 index 0000000..58b379b --- /dev/null +++ b/patches.suse/ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_x.patch @@ -0,0 +1,39 @@ +From b928dfdcb27d8fa59917b794cfba53052a2f050f Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 23 May 2023 23:49:49 -0400 +Subject: [PATCH] ext4: set lockdep subclass for the ea_inode in + ext4_xattr_inode_cache_find() +Git-commit: b928dfdcb27d8fa59917b794cfba53052a2f050f +Patch-mainline: v6.4-rc5 +References: bsc#1213107 + +If the ea_inode has been pushed out of the inode cache while there is +still a reference in the mb_cache, the lockdep subclass will not be +set on the inode, which can lead to some lockdep false positives. + +Fixes: 33d201e0277b ("ext4: fix lockdep warning about recursive inode locking") +Cc: stable@kernel.org +Reported-by: syzbot+d4b971e744b1f5439336@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20230524034951.779531-3-tytso@mit.edu +Acked-by: Jan Kara + +--- + fs/ext4/xattr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index a27208129a80..ff7ab63c5b4f 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1539,6 +1539,7 @@ ext4_xattr_inode_cache_find(struct inode *inode, const void *value, + EXT4_IGET_EA_INODE); + if (IS_ERR(ea_inode)) + goto next_entry; ++ ext4_xattr_inode_set_class(ea_inode); + if (i_size_read(ea_inode) == value_len && + !ext4_xattr_inode_read(ea_inode, ea_data, value_len) && + !ext4_xattr_inode_verify_hashes(ea_inode, NULL, ea_data, +-- +2.35.3 + diff --git a/patches.suse/ext4-turn-quotas-off-if-mount-failed-after-enabling-.patch b/patches.suse/ext4-turn-quotas-off-if-mount-failed-after-enabling-.patch new file mode 100644 index 0000000..1e6fc79 --- /dev/null +++ b/patches.suse/ext4-turn-quotas-off-if-mount-failed-after-enabling-.patch @@ -0,0 +1,76 @@ +From d13f99632748462c32fc95d729f5e754bab06064 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 27 Mar 2023 22:16:29 +0800 +Subject: [PATCH] ext4: turn quotas off if mount failed after enabling quotas +Git-commit: d13f99632748462c32fc95d729f5e754bab06064 +Patch-mainline: v6.5-rc1 +References: bsc#1213110 + +Yi found during a review of the patch "ext4: don't BUG on inconsistent +journal feature" that when ext4_mark_recovery_complete() returns an error +value, the error handling path does not turn off the enabled quotas, +which triggers the following kmemleak: + +================================================================ +unreferenced object 0xffff8cf68678e7c0 (size 64): +comm "mount", pid 746, jiffies 4294871231 (age 11.540s) +hex dump (first 32 bytes): +00 90 ef 82 f6 8c ff ff 00 00 00 00 41 01 00 00 ............A... +c7 00 00 00 bd 00 00 00 0a 00 00 00 48 00 00 00 ............H... +Backtrace: +[<00000000c561ef24>] __kmem_cache_alloc_node+0x4d4/0x880 +[<00000000d4e621d7>] kmalloc_trace+0x39/0x140 +[<00000000837eee74>] v2_read_file_info+0x18a/0x3a0 +[<0000000088f6c877>] dquot_load_quota_sb+0x2ed/0x770 +[<00000000340a4782>] dquot_load_quota_inode+0xc6/0x1c0 +[<0000000089a18bd5>] ext4_enable_quotas+0x17e/0x3a0 [ext4] +[<000000003a0268fa>] __ext4_fill_super+0x3448/0x3910 [ext4] +[<00000000b0f2a8a8>] ext4_fill_super+0x13d/0x340 [ext4] +[<000000004a9489c4>] get_tree_bdev+0x1dc/0x370 +[<000000006e723bf1>] ext4_get_tree+0x1d/0x30 [ext4] +[<00000000c7cb663d>] vfs_get_tree+0x31/0x160 +[<00000000320e1bed>] do_new_mount+0x1d5/0x480 +[<00000000c074654c>] path_mount+0x22e/0xbe0 +[<0000000003e97a8e>] do_mount+0x95/0xc0 +[<000000002f3d3736>] __x64_sys_mount+0xc4/0x160 +[<0000000027d2140c>] do_syscall_64+0x3f/0x90 +================================================================ + +To solve this problem, we add a "failed_mount10" tag, and call +ext4_quota_off_umount() in this tag to release the enabled qoutas. + +Fixes: 11215630aada ("ext4: don't BUG on inconsistent journal feature") +Cc: stable@kernel.org +Signed-off-by: Zhang Yi +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230327141630.156875-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/super.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5135,7 +5135,7 @@ no_journal: + ext4_msg(sb, KERN_INFO, "recovery complete"); + err = ext4_mark_recovery_complete(sb, es); + if (err) +- goto failed_mount8; ++ goto failed_mount9; + } + if (EXT4_SB(sb)->s_journal) { + if (test_opt(sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA) +@@ -5181,7 +5181,9 @@ cantfind_ext4: + ext4_msg(sb, KERN_ERR, "VFS: Can't find ext4 filesystem"); + goto failed_mount; + +-failed_mount8: ++failed_mount9: ++ ext4_quota_off_umount(sb); ++failed_mount8: __maybe_unused + ext4_unregister_sysfs(sb); + kobject_put(&sbi->s_kobj); + failed_mount7: diff --git a/patches.suse/ext4-update-s_journal_inum-if-it-changes-after-journ.patch b/patches.suse/ext4-update-s_journal_inum-if-it-changes-after-journ.patch new file mode 100644 index 0000000..21ab0aa --- /dev/null +++ b/patches.suse/ext4-update-s_journal_inum-if-it-changes-after-journ.patch @@ -0,0 +1,53 @@ +From 3039d8b8692408438a618fac2776b629852663c3 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Sat, 7 Jan 2023 11:21:26 +0800 +Subject: [PATCH] ext4: update s_journal_inum if it changes after journal + replay +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 3039d8b8692408438a618fac2776b629852663c3 +Patch-mainline: v6.3-rc1 +References: bsc#1213094 + +When mounting a crafted ext4 image, s_journal_inum may change after journal +replay, which is obviously unreasonable because we have successfully loaded +and replayed the journal through the old s_journal_inum. And the new +s_journal_inum bypasses some of the checks in ext4_get_journal(), which +may trigger a null pointer dereference problem. So if s_journal_inum +changes after the journal replay, we ignore the change, and rewrite the +current journal_inum to the superblock. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216541 +Reported-by: Luís Henriques +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230107032126.4165860-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/super.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 3b9e30e1afd9..45bcfd35e559 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5953,8 +5953,11 @@ static int ext4_load_journal(struct super_block *sb, + if (!really_read_only && journal_devnum && + journal_devnum != le32_to_cpu(es->s_journal_dev)) { + es->s_journal_dev = cpu_to_le32(journal_devnum); +- +- /* Make sure we flush the recovery flag to disk. */ ++ ext4_commit_super(sb); ++ } ++ if (!really_read_only && journal_inum && ++ journal_inum != le32_to_cpu(es->s_journal_inum)) { ++ es->s_journal_inum = cpu_to_le32(journal_inum); + ext4_commit_super(sb); + } + +-- +2.35.3 + diff --git a/patches.suse/ext4-use-ext4_fc_tl_mem-in-fast-commit-replay-path.patch b/patches.suse/ext4-use-ext4_fc_tl_mem-in-fast-commit-replay-path.patch new file mode 100644 index 0000000..60e4790 --- /dev/null +++ b/patches.suse/ext4-use-ext4_fc_tl_mem-in-fast-commit-replay-path.patch @@ -0,0 +1,143 @@ +From 11768cfd98136dd8399480c60b7a5d3d3c7b109b Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 16 Dec 2022 21:02:12 -0800 +Subject: [PATCH] ext4: use ext4_fc_tl_mem in fast-commit replay path +Git-commit: 11768cfd98136dd8399480c60b7a5d3d3c7b109b +Patch-mainline: v6.3-rc1 +References: bsc#1213092 + +To avoid 'sparse' warnings about missing endianness conversions, don't +store native endianness values into struct ext4_fc_tl. Instead, use a +separate struct type, ext4_fc_tl_mem. + +Fixes: dcc5827484d6 ("ext4: factor out ext4_fc_get_tl()") +Cc: Ye Bin +Signed-off-by: Eric Biggers +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20221217050212.150665-1-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/fast_commit.c | 44 +++++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 18 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 4594b62f147b..b06de728b3b6 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1332,8 +1332,14 @@ struct dentry_info_args { + char *dname; + }; + ++/* Same as struct ext4_fc_tl, but uses native endianness fields */ ++struct ext4_fc_tl_mem { ++ u16 fc_tag; ++ u16 fc_len; ++}; ++ + static inline void tl_to_darg(struct dentry_info_args *darg, +- struct ext4_fc_tl *tl, u8 *val) ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct ext4_fc_dentry_info fcd; + +@@ -1345,16 +1351,18 @@ static inline void tl_to_darg(struct dentry_info_args *darg, + darg->dname_len = tl->fc_len - sizeof(struct ext4_fc_dentry_info); + } + +-static inline void ext4_fc_get_tl(struct ext4_fc_tl *tl, u8 *val) ++static inline void ext4_fc_get_tl(struct ext4_fc_tl_mem *tl, u8 *val) + { +- memcpy(tl, val, EXT4_FC_TAG_BASE_LEN); +- tl->fc_len = le16_to_cpu(tl->fc_len); +- tl->fc_tag = le16_to_cpu(tl->fc_tag); ++ struct ext4_fc_tl tl_disk; ++ ++ memcpy(&tl_disk, val, EXT4_FC_TAG_BASE_LEN); ++ tl->fc_len = le16_to_cpu(tl_disk.fc_len); ++ tl->fc_tag = le16_to_cpu(tl_disk.fc_tag); + } + + /* Unlink replay function */ +-static int ext4_fc_replay_unlink(struct super_block *sb, struct ext4_fc_tl *tl, +- u8 *val) ++static int ext4_fc_replay_unlink(struct super_block *sb, ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct inode *inode, *old_parent; + struct qstr entry; +@@ -1451,8 +1459,8 @@ static int ext4_fc_replay_link_internal(struct super_block *sb, + } + + /* Link replay function */ +-static int ext4_fc_replay_link(struct super_block *sb, struct ext4_fc_tl *tl, +- u8 *val) ++static int ext4_fc_replay_link(struct super_block *sb, ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct inode *inode; + struct dentry_info_args darg; +@@ -1506,8 +1514,8 @@ static int ext4_fc_record_modified_inode(struct super_block *sb, int ino) + /* + * Inode replay function + */ +-static int ext4_fc_replay_inode(struct super_block *sb, struct ext4_fc_tl *tl, +- u8 *val) ++static int ext4_fc_replay_inode(struct super_block *sb, ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct ext4_fc_inode fc_inode; + struct ext4_inode *raw_inode; +@@ -1609,8 +1617,8 @@ static int ext4_fc_replay_inode(struct super_block *sb, struct ext4_fc_tl *tl, + * inode for which we are trying to create a dentry here, should already have + * been replayed before we start here. + */ +-static int ext4_fc_replay_create(struct super_block *sb, struct ext4_fc_tl *tl, +- u8 *val) ++static int ext4_fc_replay_create(struct super_block *sb, ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + int ret = 0; + struct inode *inode = NULL; +@@ -1708,7 +1716,7 @@ int ext4_fc_record_regions(struct super_block *sb, int ino, + + /* Replay add range tag */ + static int ext4_fc_replay_add_range(struct super_block *sb, +- struct ext4_fc_tl *tl, u8 *val) ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct ext4_fc_add_range fc_add_ex; + struct ext4_extent newex, *ex; +@@ -1828,8 +1836,8 @@ static int ext4_fc_replay_add_range(struct super_block *sb, + + /* Replay DEL_RANGE tag */ + static int +-ext4_fc_replay_del_range(struct super_block *sb, struct ext4_fc_tl *tl, +- u8 *val) ++ext4_fc_replay_del_range(struct super_block *sb, ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct inode *inode; + struct ext4_fc_del_range lrange; +@@ -2025,7 +2033,7 @@ static int ext4_fc_replay_scan(journal_t *journal, + struct ext4_fc_replay_state *state; + int ret = JBD2_FC_REPLAY_CONTINUE; + struct ext4_fc_add_range ext; +- struct ext4_fc_tl tl; ++ struct ext4_fc_tl_mem tl; + struct ext4_fc_tail tail; + __u8 *start, *end, *cur, *val; + struct ext4_fc_head head; +@@ -2144,7 +2152,7 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh, + { + struct super_block *sb = journal->j_private; + struct ext4_sb_info *sbi = EXT4_SB(sb); +- struct ext4_fc_tl tl; ++ struct ext4_fc_tl_mem tl; + __u8 *start, *end, *cur, *val; + int ret = JBD2_FC_REPLAY_CONTINUE; + struct ext4_fc_replay_state *state = &sbi->s_fc_replay_state; +-- +2.35.3 + diff --git a/patches.suse/ext4-zero-i_disksize-when-initializing-the-bootloade.patch b/patches.suse/ext4-zero-i_disksize-when-initializing-the-bootloade.patch new file mode 100644 index 0000000..7d7b615 --- /dev/null +++ b/patches.suse/ext4-zero-i_disksize-when-initializing-the-bootloade.patch @@ -0,0 +1,65 @@ +From f5361da1e60d54ec81346aee8e3d8baf1be0b762 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Wed, 8 Mar 2023 11:26:43 +0800 +Subject: [PATCH] ext4: zero i_disksize when initializing the bootloader inode +Git-commit: f5361da1e60d54ec81346aee8e3d8baf1be0b762 +Patch-mainline: v6.3-rc2 +References: bsc#1213013 + +If the boot loader inode has never been used before, the +EXT4_IOC_SWAP_BOOT inode will initialize it, including setting the +i_size to 0. However, if the "never before used" boot loader has a +non-zero i_size, then i_disksize will be non-zero, and the +inconsistency between i_size and i_disksize can trigger a kernel +Warning: + + WARNING: CPU: 0 PID: 2580 at fs/ext4/file.c:319 + CPU: 0 PID: 2580 Comm: bb Not tainted 6.3.0-rc1-00004-g703695902cfa + RIP: 0010:ext4_file_write_iter+0xbc7/0xd10 + Call Trace: + vfs_write+0x3b1/0x5c0 + ksys_write+0x77/0x160 + __x64_sys_write+0x22/0x30 + do_syscall_64+0x39/0x80 + +Reproducer: 1. create corrupted image and mount it: + mke2fs -t ext4 /tmp/foo.img 200 + debugfs -wR "sif <5> size 25700" /tmp/foo.img + mount -t ext4 /tmp/foo.img /mnt + cd /mnt + echo 123 > file + 2. Run the reproducer program: + posix_memalign(&buf, 1024, 1024) + fd = open("file", O_RDWR | O_DIRECT); + ioctl(fd, EXT4_IOC_SWAP_BOOT); + write(fd, buf, 1024); + +Fix this by setting i_disksize as well as i_size to zero when +initiaizing the boot loader inode. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217159 +Cc: stable@kernel.org +Signed-off-by: Zhihao Cheng +Link: https://lore.kernel.org/r/20230308032643.641113-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/ioctl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index 2e8c34036313..cc17205f7f49 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -431,6 +431,7 @@ static long swap_inode_boot_loader(struct super_block *sb, + ei_bl->i_flags = 0; + inode_set_iversion(inode_bl, 1); + i_size_write(inode_bl, 0); ++ EXT4_I(inode_bl)->i_disksize = inode_bl->i_size; + inode_bl->i_mode = S_IFREG; + if (ext4_has_feature_extents(sb)) { + ext4_set_inode_flag(inode_bl, EXT4_INODE_EXTENTS); +-- +2.35.3 + diff --git a/patches.suse/hvcs-Fix-hvcs-port-reference-counting.patch b/patches.suse/hvcs-Fix-hvcs-port-reference-counting.patch new file mode 100644 index 0000000..e6191e5 --- /dev/null +++ b/patches.suse/hvcs-Fix-hvcs-port-reference-counting.patch @@ -0,0 +1,64 @@ +From 6a9a733edd46732e906d976dc21a42dd361e53cc Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Wed, 1 Feb 2023 13:57:38 -0600 +Subject: [PATCH] hvcs: Fix hvcs port reference counting + +References: bsc#1213134 ltc#202861 +Patch-mainline: v6.3-rc1 +Git-commit: 6a9a733edd46732e906d976dc21a42dd361e53cc + +The hvcs driver only ever gets two references to the port. One +at initialization time, and one at install time. Remove the code +that was trying to do multiple port puts for each open, which +would result in more puts than gets. + +Signed-off-by: Brian King +Link: https://lore.kernel.org/r/20230201195743.303163-2-brking@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Michal Suchanek +--- + drivers/tty/hvc/hvcs.c | 18 ------------------ + 1 file changed, 18 deletions(-) + +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index 4ba24963685e..faf5ccfc561e 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -1215,12 +1215,9 @@ static void hvcs_hangup(struct tty_struct * tty) + { + struct hvcs_struct *hvcsd = tty->driver_data; + unsigned long flags; +- int temp_open_count; + int irq; + + spin_lock_irqsave(&hvcsd->lock, flags); +- /* Preserve this so that we know how many kref refs to put */ +- temp_open_count = hvcsd->port.count; + + /* + * Don't kref put inside the spinlock because the destruction +@@ -1247,21 +1244,6 @@ static void hvcs_hangup(struct tty_struct * tty) + spin_unlock_irqrestore(&hvcsd->lock, flags); + + free_irq(irq, hvcsd); +- +- /* +- * We need to kref_put() for every open_count we have since the +- * tty_hangup() function doesn't invoke a close per open connection on a +- * non-console device. +- */ +- while(temp_open_count) { +- --temp_open_count; +- /* +- * The final put will trigger destruction of the hvcs_struct. +- * NOTE: If this hangup was signaled from user space then the +- * final put will never happen. +- */ +- tty_port_put(&hvcsd->port); +- } + } + + /* +-- +2.41.0 + diff --git a/patches.suse/hvcs-Get-reference-to-tty-in-remove.patch b/patches.suse/hvcs-Get-reference-to-tty-in-remove.patch new file mode 100644 index 0000000..3bda96a --- /dev/null +++ b/patches.suse/hvcs-Get-reference-to-tty-in-remove.patch @@ -0,0 +1,48 @@ +From 3a8d3b366ce47024bf274eac783f8af5df2780f5 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 3 Feb 2023 09:58:00 -0600 +Subject: [PATCH] hvcs: Get reference to tty in remove + +References: bsc#1213134 ltc#202861 +Patch-mainline: v6.3-rc1 +Git-commit: 3a8d3b366ce47024bf274eac783f8af5df2780f5 + +Grab a reference to the tty when removing the hvcs to ensure +it does not get freed unexpectedly. + +Signed-off-by: Brian King +Link: https://lore.kernel.org/r/20230203155802.404324-4-brking@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Michal Suchanek +--- + drivers/tty/hvc/hvcs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index 522910716025..8d40b20de277 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -799,7 +799,7 @@ static void hvcs_remove(struct vio_dev *dev) + + spin_lock_irqsave(&hvcsd->lock, flags); + +- tty = hvcsd->port.tty; ++ tty = tty_port_tty_get(&hvcsd->port); + + spin_unlock_irqrestore(&hvcsd->lock, flags); + +@@ -814,8 +814,10 @@ static void hvcs_remove(struct vio_dev *dev) + * hvcs_hangup. The tty should always be valid at this time unless a + * simultaneous tty close already cleaned up the hvcs_struct. + */ +- if (tty) ++ if (tty) { + tty_hangup(tty); ++ tty_kref_put(tty); ++ } + + printk(KERN_INFO "HVCS: vty-server@%X removed from the" + " vio bus.\n", dev->unit_address); +-- +2.41.0 + diff --git a/patches.suse/hvcs-Synchronize-hotplug-remove-with-port-free.patch b/patches.suse/hvcs-Synchronize-hotplug-remove-with-port-free.patch new file mode 100644 index 0000000..2401d29 --- /dev/null +++ b/patches.suse/hvcs-Synchronize-hotplug-remove-with-port-free.patch @@ -0,0 +1,134 @@ +From 28d49f8cbe9c7966f91ee1b5ec2f997f6e55bf9f Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 3 Feb 2023 09:58:02 -0600 +Subject: [PATCH] hvcs: Synchronize hotplug remove with port free + +References: bsc#1213134 ltc#202861 +Patch-mainline: v6.3-rc1 +Git-commit: 28d49f8cbe9c7966f91ee1b5ec2f997f6e55bf9f + +Synchronizes hotplug remove with the freeing of the port. +This ensures we have freed all the memory associated with +this port and are not leaking memory. + +Signed-off-by: Brian King +Link: https://lore.kernel.org/r/20230203155802.404324-6-brking@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Michal Suchanek +--- + drivers/tty/hvc/hvcs.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index ecf24195b1e9..1de1a09bf82d 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -52,6 +52,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -285,6 +286,7 @@ struct hvcs_struct { + char p_location_code[HVCS_CLC_LENGTH + 1]; /* CLC + Null Term */ + struct list_head next; /* list management */ + struct vio_dev *vdev; ++ struct completion *destroyed; + }; + + static LIST_HEAD(hvcs_structs); +@@ -663,11 +665,13 @@ static void hvcs_destruct_port(struct tty_port *p) + { + struct hvcs_struct *hvcsd = container_of(p, struct hvcs_struct, port); + struct vio_dev *vdev; ++ struct completion *comp; + unsigned long flags; + + spin_lock(&hvcs_structs_lock); + spin_lock_irqsave(&hvcsd->lock, flags); + ++ comp = hvcsd->destroyed; + /* the list_del poisons the pointers */ + list_del(&(hvcsd->next)); + +@@ -687,6 +691,7 @@ static void hvcs_destruct_port(struct tty_port *p) + + hvcsd->p_unit_address = 0; + hvcsd->p_partition_ID = 0; ++ hvcsd->destroyed = NULL; + hvcs_return_index(hvcsd->index); + memset(&hvcsd->p_location_code[0], 0x00, HVCS_CLC_LENGTH + 1); + +@@ -694,6 +699,8 @@ static void hvcs_destruct_port(struct tty_port *p) + spin_unlock(&hvcs_structs_lock); + + kfree(hvcsd); ++ if (comp) ++ complete(comp); + } + + static const struct tty_port_operations hvcs_port_ops = { +@@ -792,6 +799,7 @@ static int hvcs_probe( + static void hvcs_remove(struct vio_dev *dev) + { + struct hvcs_struct *hvcsd = dev_get_drvdata(&dev->dev); ++ DECLARE_COMPLETION_ONSTACK(comp); + unsigned long flags; + struct tty_struct *tty; + +@@ -799,16 +807,11 @@ static void hvcs_remove(struct vio_dev *dev) + + spin_lock_irqsave(&hvcsd->lock, flags); + ++ hvcsd->destroyed = ∁ + tty = tty_port_tty_get(&hvcsd->port); + + spin_unlock_irqrestore(&hvcsd->lock, flags); + +- /* +- * Let the last holder of this object cause it to be removed, which +- * would probably be tty_hangup below. +- */ +- tty_port_put(&hvcsd->port); +- + /* + * The tty should always be valid at this time unless a + * simultaneous tty close already cleaned up the hvcs_struct. +@@ -818,6 +821,8 @@ static void hvcs_remove(struct vio_dev *dev) + tty_kref_put(tty); + } + ++ tty_port_put(&hvcsd->port); ++ wait_for_completion(&comp); + printk(KERN_INFO "HVCS: vty-server@%X removed from the" + " vio bus.\n", dev->unit_address); + }; +@@ -1171,7 +1176,10 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp) + hvcsd = tty->driver_data; + + spin_lock_irqsave(&hvcsd->lock, flags); +- if (--hvcsd->port.count == 0) { ++ if (hvcsd->port.count == 0) { ++ spin_unlock_irqrestore(&hvcsd->lock, flags); ++ return; ++ } else if (--hvcsd->port.count == 0) { + + vio_disable_interrupts(hvcsd->vdev); + +@@ -1227,11 +1235,7 @@ static void hvcs_hangup(struct tty_struct * tty) + vio_disable_interrupts(hvcsd->vdev); + + hvcsd->todo_mask = 0; +- +- /* I don't think the tty needs the hvcs_struct pointer after a hangup */ +- tty->driver_data = NULL; + hvcsd->port.tty = NULL; +- + hvcsd->port.count = 0; + + /* This will drop any buffered data on the floor which is OK in a hangup +-- +2.41.0 + diff --git a/patches.suse/hvcs-Use-dev_groups-to-manage-hvcs-device-attributes.patch b/patches.suse/hvcs-Use-dev_groups-to-manage-hvcs-device-attributes.patch new file mode 100644 index 0000000..31b398f --- /dev/null +++ b/patches.suse/hvcs-Use-dev_groups-to-manage-hvcs-device-attributes.patch @@ -0,0 +1,90 @@ +From 760aa5e81f33e0da82512c4288489739a6d1c556 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 3 Feb 2023 09:57:58 -0600 +Subject: [PATCH] hvcs: Use dev_groups to manage hvcs device attributes + +References: bsc#1213134 ltc#202861 +Patch-mainline: v6.3-rc1 +Git-commit: 760aa5e81f33e0da82512c4288489739a6d1c556 + +Use the dev_groups functionality to manage the attribute groups +for hvcs devices. This simplifies the code and also eliminates +errors coming from kernfs when attempting to remove a console +device that is in use. + +Signed-off-by: Brian King +Link: https://lore.kernel.org/r/20230203155802.404324-2-brking@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Michal Suchanek +--- + drivers/tty/hvc/hvcs.c | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index faf5ccfc561e..0416601357e1 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -432,7 +432,7 @@ static ssize_t hvcs_index_show(struct device *dev, struct device_attribute *attr + + static DEVICE_ATTR(index, S_IRUGO, hvcs_index_show, NULL); + +-static struct attribute *hvcs_attrs[] = { ++static struct attribute *hvcs_dev_attrs[] = { + &dev_attr_partner_vtys.attr, + &dev_attr_partner_clcs.attr, + &dev_attr_current_vty.attr, +@@ -441,9 +441,7 @@ static struct attribute *hvcs_attrs[] = { + NULL, + }; + +-static struct attribute_group hvcs_attr_group = { +- .attrs = hvcs_attrs, +-}; ++ATTRIBUTE_GROUPS(hvcs_dev); + + static ssize_t rescan_show(struct device_driver *ddp, char *buf) + { +@@ -688,8 +686,6 @@ static void hvcs_destruct_port(struct tty_port *p) + spin_unlock_irqrestore(&hvcsd->lock, flags); + spin_unlock(&hvcs_structs_lock); + +- sysfs_remove_group(&vdev->dev.kobj, &hvcs_attr_group); +- + kfree(hvcsd); + } + +@@ -721,7 +717,6 @@ static int hvcs_probe( + { + struct hvcs_struct *hvcsd; + int index, rc; +- int retval; + + if (!dev || !id) { + printk(KERN_ERR "HVCS: probed with invalid parameter.\n"); +@@ -778,13 +773,6 @@ static int hvcs_probe( + list_add_tail(&(hvcsd->next), &hvcs_structs); + spin_unlock(&hvcs_structs_lock); + +- retval = sysfs_create_group(&dev->dev.kobj, &hvcs_attr_group); +- if (retval) { +- printk(KERN_ERR "HVCS: Can't create sysfs attrs for vty-server@%X\n", +- hvcsd->vdev->unit_address); +- return retval; +- } +- + printk(KERN_INFO "HVCS: vty-server@%X added to the vio bus.\n", dev->unit_address); + + /* +@@ -831,6 +819,9 @@ static struct vio_driver hvcs_vio_driver = { + .probe = hvcs_probe, + .remove = hvcs_remove, + .name = hvcs_driver_name, ++ .driver = { ++ .dev_groups = hvcs_dev_groups, ++ }, + }; + + /* Only called from hvcs_get_pi please */ +-- +2.41.0 + diff --git a/patches.suse/hvcs-Use-driver-groups-to-manage-driver-attributes.patch b/patches.suse/hvcs-Use-driver-groups-to-manage-driver-attributes.patch new file mode 100644 index 0000000..7e43d51 --- /dev/null +++ b/patches.suse/hvcs-Use-driver-groups-to-manage-driver-attributes.patch @@ -0,0 +1,74 @@ +From 503a90dd619d52dcac2cc68bd742aa914c7cd47a Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 3 Feb 2023 09:57:59 -0600 +Subject: [PATCH] hvcs: Use driver groups to manage driver attributes + +References: bsc#1213134 ltc#202861 +Patch-mainline: v6.3-rc1 +Git-commit: 503a90dd619d52dcac2cc68bd742aa914c7cd47a + +Rather than manually creating attributes for the hvcs driver, +let the driver core do this for us. This also fixes some hotplug +remove issues and ensures that cleanup of these attributes +is done in the right order. + +Signed-off-by: Brian King +Link: https://lore.kernel.org/r/20230203155802.404324-3-brking@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Michal Suchanek +--- + drivers/tty/hvc/hvcs.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index 0416601357e1..522910716025 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -466,6 +466,13 @@ static ssize_t rescan_store(struct device_driver *ddp, const char * buf, + + static DRIVER_ATTR_RW(rescan); + ++static struct attribute *hvcs_attrs[] = { ++ &driver_attr_rescan.attr, ++ NULL, ++}; ++ ++ATTRIBUTE_GROUPS(hvcs); ++ + static void hvcs_kick(void) + { + hvcs_kicked = 1; +@@ -820,6 +827,7 @@ static struct vio_driver hvcs_vio_driver = { + .remove = hvcs_remove, + .name = hvcs_driver_name, + .driver = { ++ .groups = hvcs_groups, + .dev_groups = hvcs_dev_groups, + }, + }; +@@ -1498,13 +1506,6 @@ static int __init hvcs_module_init(void) + + pr_info("HVCS: Driver registered.\n"); + +- /* This needs to be done AFTER the vio_register_driver() call or else +- * the kobjects won't be initialized properly. +- */ +- rc = driver_create_file(&(hvcs_vio_driver.driver), &driver_attr_rescan); +- if (rc) +- pr_warn("HVCS: Failed to create rescan file (err %d)\n", rc); +- + return 0; + } + +@@ -1529,8 +1530,6 @@ static void __exit hvcs_module_exit(void) + hvcs_pi_buff = NULL; + spin_unlock(&hvcs_pi_lock); + +- driver_remove_file(&hvcs_vio_driver.driver, &driver_attr_rescan); +- + tty_unregister_driver(hvcs_tty_driver); + + hvcs_free_index_list(); +-- +2.41.0 + diff --git a/patches.suse/hvcs-Use-vhangup-in-hotplug-remove.patch b/patches.suse/hvcs-Use-vhangup-in-hotplug-remove.patch new file mode 100644 index 0000000..ec8609a --- /dev/null +++ b/patches.suse/hvcs-Use-vhangup-in-hotplug-remove.patch @@ -0,0 +1,45 @@ +From d432228bc7b1b3f0ed06510278ff5a77b3749fe6 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 3 Feb 2023 09:58:01 -0600 +Subject: [PATCH] hvcs: Use vhangup in hotplug remove + +References: bsc#1213134 ltc#202861 +Patch-mainline: v6.3-rc1 +Git-commit: d432228bc7b1b3f0ed06510278ff5a77b3749fe6 + +When hotplug removing an hvcs device, we need to ensure the +hangup processing is done prior to exiting the remove function, +so use tty_vhangup to do the hangup processing directly +rather than using tty_hangup which simply schedules the hangup +work for later execution. + +Signed-off-by: Brian King +Link: https://lore.kernel.org/r/20230203155802.404324-5-brking@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Michal Suchanek +--- + drivers/tty/hvc/hvcs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index 8d40b20de277..ecf24195b1e9 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -810,12 +810,11 @@ static void hvcs_remove(struct vio_dev *dev) + tty_port_put(&hvcsd->port); + + /* +- * The hangup is a scheduled function which will auto chain call +- * hvcs_hangup. The tty should always be valid at this time unless a ++ * The tty should always be valid at this time unless a + * simultaneous tty close already cleaned up the hvcs_struct. + */ + if (tty) { +- tty_hangup(tty); ++ tty_vhangup(tty); + tty_kref_put(tty); + } + +-- +2.41.0 + diff --git a/patches.suse/inotify-Avoid-reporting-event-with-invalid-wd.patch b/patches.suse/inotify-Avoid-reporting-event-with-invalid-wd.patch new file mode 100644 index 0000000..8030d6a --- /dev/null +++ b/patches.suse/inotify-Avoid-reporting-event-with-invalid-wd.patch @@ -0,0 +1,66 @@ +From c915d8f5918bea7c3962b09b8884ca128bfd9b0c Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 24 Apr 2023 18:32:19 +0200 +Subject: [PATCH] inotify: Avoid reporting event with invalid wd +Git-commit: c915d8f5918bea7c3962b09b8884ca128bfd9b0c +Patch-mainline: v6.4-rc2 +References: bsc#1213025 + +When inotify_freeing_mark() races with inotify_handle_inode_event() it +can happen that inotify_handle_inode_event() sees that i_mark->wd got +already reset to -1 and reports this value to userspace which can +confuse the inotify listener. Avoid the problem by validating that wd is +sensible (and pretend the mark got removed before the event got +generated otherwise). + +Cc: stable@vger.kernel.org +Fixes: 7e790dd5fc93 ("inotify: fix error paths in inotify_update_watch") +Message-id: <20230424163219.9250-1-jack@suse.cz> +Reported-by: syzbot+4a06d4373fd52f0b2f9c@syzkaller.appspotmail.com +Reviewed-by: Amir Goldstein +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/notify/inotify/inotify_fsnotify.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c +index 49cfe2ae6d23..993375f0db67 100644 +--- a/fs/notify/inotify/inotify_fsnotify.c ++++ b/fs/notify/inotify/inotify_fsnotify.c +@@ -65,7 +65,7 @@ int inotify_handle_inode_event(struct fsnotify_mark *inode_mark, u32 mask, + struct fsnotify_event *fsn_event; + struct fsnotify_group *group = inode_mark->group; + int ret; +- int len = 0; ++ int len = 0, wd; + int alloc_len = sizeof(struct inotify_event_info); + struct mem_cgroup *old_memcg; + +@@ -80,6 +80,13 @@ int inotify_handle_inode_event(struct fsnotify_mark *inode_mark, u32 mask, + i_mark = container_of(inode_mark, struct inotify_inode_mark, + fsn_mark); + ++ /* ++ * We can be racing with mark being detached. Don't report event with ++ * invalid wd. ++ */ ++ wd = READ_ONCE(i_mark->wd); ++ if (wd == -1) ++ return 0; + /* + * Whoever is interested in the event, pays for the allocation. Do not + * trigger OOM killer in the target monitoring memcg as it may have +@@ -110,7 +117,7 @@ int inotify_handle_inode_event(struct fsnotify_mark *inode_mark, u32 mask, + fsn_event = &event->fse; + fsnotify_init_event(fsn_event); + event->mask = mask; +- event->wd = i_mark->wd; ++ event->wd = wd; + event->sync_cookie = cookie; + event->name_len = len; + if (len) +-- +2.35.3 + diff --git a/patches.suse/io_uring-don-t-expose-io_fill_cqe_aux.patch b/patches.suse/io_uring-don-t-expose-io_fill_cqe_aux.patch new file mode 100644 index 0000000..541a1fd --- /dev/null +++ b/patches.suse/io_uring-don-t-expose-io_fill_cqe_aux.patch @@ -0,0 +1,152 @@ +From d245bca6375bccfd589a6a7d5007df28575bb626 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Fri, 17 Jun 2022 09:48:00 +0100 +Subject: [PATCH] io_uring: don't expose io_fill_cqe_aux() +Git-commit: d245bca6375bccfd589a6a7d5007df28575bb626 +Patch-mainline: v6.0-rc1 +References: bsc#1211014 CVE-2023-2430 + +Deduplicate some code and add a helper for filling an aux CQE, locking +and notification. + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/b7c6557c8f9dc5c4cfb01292116c682a0ff61081.1655455613.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Gabriel Krisman Bertazi +--- + fs/io_uring.c | 77 +++++++++++++++++++++++----------------------------------- + 1 file changed, 31 insertions(+), 46 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2440,8 +2440,8 @@ static inline bool __io_fill_cqe_req(str + } + } + +-static noinline bool io_fill_cqe_aux(struct io_ring_ctx *ctx, u64 user_data, +- s32 res, u32 cflags) ++static bool io_fill_cqe_aux(struct io_ring_ctx *ctx, u64 user_data, ++ s32 res, u32 cflags) + { + struct io_uring_cqe *cqe; + +@@ -2468,6 +2468,20 @@ static noinline bool io_fill_cqe_aux(str + return io_cqring_event_overflow(ctx, user_data, res, cflags, 0, 0); + } + ++static bool io_post_aux_cqe(struct io_ring_ctx *ctx, ++ u64 user_data, s32 res, u32 cflags) ++{ ++ bool filled; ++ ++ spin_lock(&ctx->completion_lock); ++ filled = io_fill_cqe_aux(ctx, user_data, res, cflags); ++ io_commit_cqring(ctx); ++ spin_unlock(&ctx->completion_lock); ++ if (filled) ++ io_cqring_ev_posted(ctx); ++ return filled; ++} ++ + static void __io_req_complete_put(struct io_kiocb *req) + { + /* +@@ -4942,7 +4956,6 @@ static int io_msg_ring(struct io_kiocb * + { + struct io_ring_ctx *target_ctx; + struct io_msg *msg = &req->msg; +- bool filled; + int ret; + + ret = -EBADFD; +@@ -4952,15 +4965,8 @@ static int io_msg_ring(struct io_kiocb * + ret = -EOVERFLOW; + target_ctx = req->file->private_data; + +- spin_lock(&target_ctx->completion_lock); +- filled = io_fill_cqe_aux(target_ctx, msg->user_data, msg->len, 0); +- io_commit_cqring(target_ctx); +- spin_unlock(&target_ctx->completion_lock); +- +- if (filled) { +- io_cqring_ev_posted(target_ctx); ++ if (io_post_aux_cqe(target_ctx, msg->user_data, msg->len, 0)) + ret = 0; +- } + + done: + if (ret < 0) +@@ -6271,22 +6277,12 @@ retry: + __io_req_complete(req, issue_flags, ret, 0); + return 0; + } +- if (ret >= 0) { +- bool filled; +- +- spin_lock(&ctx->completion_lock); +- filled = io_fill_cqe_aux(ctx, req->cqe.user_data, ret, +- IORING_CQE_F_MORE); +- io_commit_cqring(ctx); +- spin_unlock(&ctx->completion_lock); +- if (filled) { +- io_cqring_ev_posted(ctx); +- goto retry; +- } +- ret = -ECANCELED; +- } ++ if (ret < 0) ++ return ret; + +- return ret; ++ if (io_post_aux_cqe(ctx, req->cqe.user_data, ret, IORING_CQE_F_MORE)) ++ goto retry; ++ return -ECANCELED; + } + + static int io_connect_prep_async(struct io_kiocb *req) +@@ -6525,18 +6521,11 @@ static int io_poll_check_events(struct i + if (!(req->flags & REQ_F_APOLL_MULTISHOT)) { + __poll_t mask = mangle_poll(req->cqe.res & + req->apoll_events); +- bool filled; + +- spin_lock(&ctx->completion_lock); +- filled = io_fill_cqe_aux(ctx, req->cqe.user_data, +- mask, IORING_CQE_F_MORE); +- io_commit_cqring(ctx); +- spin_unlock(&ctx->completion_lock); +- if (filled) { +- io_cqring_ev_posted(ctx); +- continue; +- } +- return -ECANCELED; ++ if (!io_post_aux_cqe(ctx, req->cqe.user_data, ++ mask, IORING_CQE_F_MORE)) ++ return -ECANCELED; ++ continue; + } + + io_tw_lock(req->ctx, locked); +@@ -9598,17 +9587,13 @@ static void __io_rsrc_put_work(struct io + list_del(&prsrc->list); + + if (prsrc->tag) { +- if (ctx->flags & IORING_SETUP_IOPOLL) ++ if (ctx->flags & IORING_SETUP_IOPOLL) { + mutex_lock(&ctx->uring_lock); +- +- spin_lock(&ctx->completion_lock); +- io_fill_cqe_aux(ctx, prsrc->tag, 0, 0); +- io_commit_cqring(ctx); +- spin_unlock(&ctx->completion_lock); +- io_cqring_ev_posted(ctx); +- +- if (ctx->flags & IORING_SETUP_IOPOLL) ++ io_post_aux_cqe(ctx, prsrc->tag, 0, 0); + mutex_unlock(&ctx->uring_lock); ++ } else { ++ io_post_aux_cqe(ctx, prsrc->tag, 0, 0); ++ } + } + + rsrc_data->do_put(ctx, prsrc); diff --git a/patches.suse/io_uring-msg_ring-fix-missing-lock-on-overflow-for-I.patch b/patches.suse/io_uring-msg_ring-fix-missing-lock-on-overflow-for-I.patch new file mode 100644 index 0000000..6e8741e --- /dev/null +++ b/patches.suse/io_uring-msg_ring-fix-missing-lock-on-overflow-for-I.patch @@ -0,0 +1,72 @@ +From e12d7a46f65ae4b7d58a5e0c1cbfa825cf8d830d Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 19 Jan 2023 09:04:40 -0700 +Subject: [PATCH] io_uring/msg_ring: fix missing lock on overflow for IOPOLL +Git-commit: e12d7a46f65ae4b7d58a5e0c1cbfa825cf8d830d +Patch-mainline: v6.2-rc5 +References: bsc#1211014 CVE-2023-2430 + +If the target ring is configured with IOPOLL, then we always need to hold +the target ring uring_lock before posting CQEs. We could just grab it +unconditionally, but since we don't expect many target rings to be of this +type, make grabbing the uring_lock conditional on the ring type. + +Link: https://lore.kernel.org/io-uring/Y8krlYa52%2F0YGqkg@ip-172-31-85-199.ec2.internal/ +Reported-by: Xingyuan Mo +Signed-off-by: Jens Axboe +[backport: Partial backport, since we don't carry the TW support or FD passing.] +Signed-off-by: Gabriel Krisman Bertazi +--- + fs/io_uring.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4957,6 +4957,28 @@ static int io_nop(struct io_kiocb *req, + return 0; + } + ++static void io_double_unlock_ctx(struct io_ring_ctx *octx) ++{ ++ mutex_unlock(&octx->uring_lock); ++} ++ ++static int io_double_lock_ctx(struct io_ring_ctx *octx, ++ unsigned int issue_flags) ++{ ++ /* ++ * To ensure proper ordering between the two ctxs, we can only ++ * attempt a trylock on the target. If that fails and we already have ++ * the source ctx lock, punt to io-wq. ++ */ ++ if (!(issue_flags & IO_URING_F_UNLOCKED)) { ++ if (!mutex_trylock(&octx->uring_lock)) ++ return -EAGAIN; ++ return 0; ++ } ++ mutex_lock(&octx->uring_lock); ++ return 0; ++} ++ + static int io_msg_ring_prep(struct io_kiocb *req, + const struct io_uring_sqe *sqe) + { +@@ -4982,8 +5004,16 @@ static int io_msg_ring(struct io_kiocb * + ret = -EOVERFLOW; + target_ctx = req->file->private_data; + +- if (io_post_aux_cqe(target_ctx, msg->user_data, msg->len, 0)) +- ret = 0; ++ if (target_ctx->flags & IORING_SETUP_IOPOLL) { ++ if (unlikely(io_double_lock_ctx(target_ctx, issue_flags))) ++ return -EAGAIN; ++ if (io_post_aux_cqe(target_ctx, msg->user_data, msg->len, 0)) ++ ret = 0; ++ io_double_unlock_ctx(target_ctx); ++ } else { ++ if (io_post_aux_cqe(target_ctx, msg->user_data, msg->len, 0)) ++ ret = 0; ++ } + + done: + if (ret < 0) diff --git a/patches.suse/jbd2-fix-data-missing-when-reusing-bh-which-is-ready.patch b/patches.suse/jbd2-fix-data-missing-when-reusing-bh-which-is-ready.patch new file mode 100644 index 0000000..7ad906e --- /dev/null +++ b/patches.suse/jbd2-fix-data-missing-when-reusing-bh-which-is-ready.patch @@ -0,0 +1,151 @@ +From e6b9bd7290d334451ce054e98e752abc055e0034 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Tue, 10 Jan 2023 09:53:27 +0800 +Subject: [PATCH] jbd2: fix data missing when reusing bh which is ready to be + checkpointed +Git-commit: e6b9bd7290d334451ce054e98e752abc055e0034 +Patch-mainline: v6.3-rc1 +References: bsc#1213095 + +Following process will make data lost and could lead to a filesystem +corrupted problem: + +1. jh(bh) is inserted into T1->t_checkpoint_list, bh is dirty, and + jh->b_transaction = NULL +2. T1 is added into journal->j_checkpoint_transactions. +3. Get bh prepare to write while doing checkpoing: + PA PB + do_get_write_access jbd2_log_do_checkpoint + spin_lock(&jh->b_state_lock) + if (buffer_dirty(bh)) + clear_buffer_dirty(bh) // clear buffer dirty + set_buffer_jbddirty(bh) + transaction = + journal->j_checkpoint_transactions + jh = transaction->t_checkpoint_list + if (!buffer_dirty(bh)) + __jbd2_journal_remove_checkpoint(jh) + // bh won't be flushed + jbd2_cleanup_journal_tail + __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved) +4. Aborting journal/Power-cut before writing latest bh on journal area. + +In this way we get a corrupted filesystem with bh's data lost. + +Fix it by moving the clearing of buffer_dirty bit just before the call +to __jbd2_journal_file_buffer(), both bit clearing and jh->b_transaction +assignment are under journal->j_list_lock locked, so that +jbd2_log_do_checkpoint() will wait until jh's new transaction fininshed +even bh is currently not dirty. And journal_shrink_one_cp_list() won't +remove jh from checkpoint list if the buffer head is reused in +do_get_write_access(). + +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216898 +Cc: +Signed-off-by: Zhihao Cheng +Signed-off-by: zhanchengbin +Suggested-by: Jan Kara +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230110015327.1181863-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/jbd2/transaction.c | 50 +++++++++++++++++++++++++------------------ + 1 file changed, 29 insertions(+), 21 deletions(-) + +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index 6a404ac1c178..15de1385012e 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1010,36 +1010,28 @@ do_get_write_access(handle_t *handle, struct journal_head *jh, + * ie. locked but not dirty) or tune2fs (which may actually have + * the buffer dirtied, ugh.) */ + +- if (buffer_dirty(bh)) { ++ if (buffer_dirty(bh) && jh->b_transaction) { ++ warn_dirty_buffer(bh); + /* +- * First question: is this buffer already part of the current +- * transaction or the existing committing transaction? +- */ +- if (jh->b_transaction) { +- J_ASSERT_JH(jh, +- jh->b_transaction == transaction || +- jh->b_transaction == +- journal->j_committing_transaction); +- if (jh->b_next_transaction) +- J_ASSERT_JH(jh, jh->b_next_transaction == +- transaction); +- warn_dirty_buffer(bh); +- } +- /* +- * In any case we need to clean the dirty flag and we must +- * do it under the buffer lock to be sure we don't race +- * with running write-out. ++ * We need to clean the dirty flag and we must do it under the ++ * buffer lock to be sure we don't race with running write-out. + */ + JBUFFER_TRACE(jh, "Journalling dirty buffer"); + clear_buffer_dirty(bh); ++ /* ++ * The buffer is going to be added to BJ_Reserved list now and ++ * nothing guarantees jbd2_journal_dirty_metadata() will be ++ * ever called for it. So we need to set jbddirty bit here to ++ * make sure the buffer is dirtied and written out when the ++ * journaling machinery is done with it. ++ */ + set_buffer_jbddirty(bh); + } + +- unlock_buffer(bh); +- + error = -EROFS; + if (is_handle_aborted(handle)) { + spin_unlock(&jh->b_state_lock); ++ unlock_buffer(bh); + goto out; + } + error = 0; +@@ -1049,8 +1041,10 @@ do_get_write_access(handle_t *handle, struct journal_head *jh, + * b_next_transaction points to it + */ + if (jh->b_transaction == transaction || +- jh->b_next_transaction == transaction) ++ jh->b_next_transaction == transaction) { ++ unlock_buffer(bh); + goto done; ++ } + + /* + * this is the first time this transaction is touching this buffer, +@@ -1074,10 +1068,24 @@ do_get_write_access(handle_t *handle, struct journal_head *jh, + */ + smp_wmb(); + spin_lock(&journal->j_list_lock); ++ if (test_clear_buffer_dirty(bh)) { ++ /* ++ * Execute buffer dirty clearing and jh->b_transaction ++ * assignment under journal->j_list_lock locked to ++ * prevent bh being removed from checkpoint list if ++ * the buffer is in an intermediate state (not dirty ++ * and jh->b_transaction is NULL). ++ */ ++ JBUFFER_TRACE(jh, "Journalling dirty buffer"); ++ set_buffer_jbddirty(bh); ++ } + __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved); + spin_unlock(&journal->j_list_lock); ++ unlock_buffer(bh); + goto done; + } ++ unlock_buffer(bh); ++ + /* + * If there is already a copy-out version of this buffer, then we don't + * need to make another one +-- +2.35.3 + diff --git a/patches.suse/jdb2-Don-t-refuse-invalidation-of-already-invalidate.patch b/patches.suse/jdb2-Don-t-refuse-invalidation-of-already-invalidate.patch new file mode 100644 index 0000000..848f359 --- /dev/null +++ b/patches.suse/jdb2-Don-t-refuse-invalidation-of-already-invalidate.patch @@ -0,0 +1,45 @@ +From bd159398a2d2234de07d310132865706964aaaa7 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 29 Mar 2023 17:49:32 +0200 +Subject: [PATCH] jdb2: Don't refuse invalidation of already invalidated + buffers +Git-commit: bd159398a2d2234de07d310132865706964aaaa7 +Patch-mainline: v6.4-rc1 +References: bsc#1213014 + +When invalidating buffers under the partial tail page, +jbd2_journal_invalidate_folio() returns -EBUSY if the buffer is part of +the committing transaction as we cannot safely modify buffer state. +However if the buffer is already invalidated (due to previous +invalidation attempts from ext4_wait_for_tail_page_commit()), there's +nothing to do and there's no point in returning -EBUSY. This fixes +occasional warnings from ext4_journalled_invalidate_folio() triggered by +generic/051 fstest when blocksize < pagesize. + +Fixes: 53e872681fed ("ext4: fix deadlock in journal_unmap_buffer()") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20230329154950.19720-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/jbd2/transaction.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index 15de1385012e..18611241f451 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -2387,6 +2387,9 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh, + spin_unlock(&jh->b_state_lock); + write_unlock(&journal->j_state_lock); + jbd2_journal_put_journal_head(jh); ++ /* Already zapped buffer? Nothing to do... */ ++ if (!bh->b_bdev) ++ return 0; + return -EBUSY; + } + /* +-- +2.35.3 + diff --git a/patches.suse/media-atomisp-gmin_platform-fix-out_len-in-gmin_get_.patch b/patches.suse/media-atomisp-gmin_platform-fix-out_len-in-gmin_get_.patch new file mode 100644 index 0000000..75b3f81 --- /dev/null +++ b/patches.suse/media-atomisp-gmin_platform-fix-out_len-in-gmin_get_.patch @@ -0,0 +1,41 @@ +From 1657f2934daf89e8d9fa4b2697008909eb22c73e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 26 May 2023 12:53:23 +0100 +Subject: [PATCH] media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var() +Git-commit: 1657f2934daf89e8d9fa4b2697008909eb22c73e +Patch-mainline: v6.5-rc1 +References: git-fixes + +Ideally, strlen(cur->string.pointer) and strlen(out) would be the same. +But this code is using strscpy() to avoid a potential buffer overflow. +So in the same way we should take the strlen() of the smaller string to +avoid a buffer overflow in the caller, gmin_get_var_int(). + +Link: https://lore.kernel.org/r/26124bcd-8132-4483-9d67-225c87d424e8@kili.mountain + +Fixes: 387041cda44e ("media: atomisp: improve sensor detection code to use _DSM table") +Signed-off-by: Dan Carpenter +Signed-off-by: Hans de Goede +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c +index bc2dd96176d0..93bfb3fadcf7 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c +@@ -1359,7 +1359,7 @@ static int gmin_get_config_dsm_var(struct device *dev, + dev_info(dev, "found _DSM entry for '%s': %s\n", var, + cur->string.pointer); + strscpy(out, cur->string.pointer, *out_len); +- *out_len = strlen(cur->string.pointer); ++ *out_len = strlen(out); + + ACPI_FREE(obj); + return 0; +-- +2.35.3 + diff --git a/patches.suse/media-cec-i2c-ch7322-also-select-REGMAP.patch b/patches.suse/media-cec-i2c-ch7322-also-select-REGMAP.patch new file mode 100644 index 0000000..810d9af --- /dev/null +++ b/patches.suse/media-cec-i2c-ch7322-also-select-REGMAP.patch @@ -0,0 +1,69 @@ +From 29f96ac23648b2259f42d40703c47dd18fd172ca Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Thu, 8 Jun 2023 04:54:35 +0200 +Subject: [PATCH] media: cec: i2c: ch7322: also select REGMAP +Git-commit: 29f96ac23648b2259f42d40703c47dd18fd172ca +Patch-mainline: v6.5-rc1 +References: git-fixes + +Selecting only REGMAP_I2C can leave REGMAP unset, causing build errors, +so also select REGMAP to prevent the build errors. + +../drivers/media/cec/i2c/ch7322.c:158:21: error: variable 'ch7322_regmap' has initializer but incomplete type + 158 | static const struct regmap_config ch7322_regmap = { +../drivers/media/cec/i2c/ch7322.c:159:10: error: 'const struct regmap_config' has no member named 'reg_bits' + 159 | .reg_bits = 8, +../drivers/media/cec/i2c/ch7322.c:159:21: warning: excess elements in struct initializer + 159 | .reg_bits = 8, +../drivers/media/cec/i2c/ch7322.c:160:10: error: 'const struct regmap_config' has no member named 'val_bits' + 160 | .val_bits = 8, +../drivers/media/cec/i2c/ch7322.c:160:21: warning: excess elements in struct initializer + 160 | .val_bits = 8, +../drivers/media/cec/i2c/ch7322.c:161:10: error: 'const struct regmap_config' has no member named 'max_register' + 161 | .max_register = 0x7f, +../drivers/media/cec/i2c/ch7322.c:161:25: warning: excess elements in struct initializer + 161 | .max_register = 0x7f, +../drivers/media/cec/i2c/ch7322.c:162:10: error: 'const struct regmap_config' has no member named 'disable_locking' + 162 | .disable_locking = true, +../drivers/media/cec/i2c/ch7322.c:162:28: warning: excess elements in struct initializer + 162 | .disable_locking = true, +../drivers/media/cec/i2c/ch7322.c: In function 'ch7322_probe': +../drivers/media/cec/i2c/ch7322.c:468:26: error: implicit declaration of function 'devm_regmap_init_i2c' [-Werror=implicit-function-declaration] + 468 | ch7322->regmap = devm_regmap_init_i2c(client, &ch7322_regmap); +../drivers/media/cec/i2c/ch7322.c:468:24: warning: assignment to 'struct regmap *' from 'int' makes pointer from integer without a cast [-Wint-conversion] + 468 | ch7322->regmap = devm_regmap_init_i2c(client, &ch7322_regmap); +../drivers/media/cec/i2c/ch7322.c: At top level: +../drivers/media/cec/i2c/ch7322.c:158:35: error: storage size of 'ch7322_regmap' isn't known + 158 | static const struct regmap_config ch7322_regmap = { + +Link: https://lore.kernel.org/linux-media/20230608025435.29249-1-rdunlap@infradead.org +Fixes: 21b9a47e0ec7 ("media: cec: i2c: ch7322: Add ch7322 CEC controller driver") +Signed-off-by: Randy Dunlap +Cc: Jeff Chase +Cc: Hans Verkuil +Cc: Joe Tessler +Cc: Arnd Bergmann +Cc: Mark Brown +Cc: Masahiro Yamada +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/cec/i2c/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/cec/i2c/Kconfig b/drivers/media/cec/i2c/Kconfig +index 70432a1d6918..d912d143fb31 100644 +--- a/drivers/media/cec/i2c/Kconfig ++++ b/drivers/media/cec/i2c/Kconfig +@@ -5,6 +5,7 @@ + config CEC_CH7322 + tristate "Chrontel CH7322 CEC controller" + depends on I2C ++ select REGMAP + select REGMAP_I2C + select CEC_CORE + help +-- +2.35.3 + diff --git a/patches.suse/media-i2c-Correct-format-propagation-for-st-mipid02.patch b/patches.suse/media-i2c-Correct-format-propagation-for-st-mipid02.patch new file mode 100644 index 0000000..15cb143 --- /dev/null +++ b/patches.suse/media-i2c-Correct-format-propagation-for-st-mipid02.patch @@ -0,0 +1,47 @@ +From 306c3190b30d4d6a098888b9d7d4cefaa0ddcb91 Mon Sep 17 00:00:00 2001 +From: Daniel Scally +Date: Tue, 2 May 2023 11:35:46 +0100 +Subject: [PATCH] media: i2c: Correct format propagation for st-mipid02 +Git-commit: 306c3190b30d4d6a098888b9d7d4cefaa0ddcb91 +Patch-mainline: v6.5-rc1 +References: git-fixes + +Format propagation in the st-mipid02 driver is incorrect in that when +setting format for V4L2_SUBDEV_FORMAT_TRY on the source pad, the +_active_ rather than _try_ format from the sink pad is propagated. +This causes problems with format negotiation - update the function to +propagate the correct format. + +Fixes: 642bb5e88fed ("media: st-mipid02: MIPID02 CSI-2 to PARALLEL bridge driver") +Signed-off-by: Daniel Scally +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Acked-by: Takashi Iwai + +--- + drivers/media/i2c/st-mipid02.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/st-mipid02.c b/drivers/media/i2c/st-mipid02.c +index 19efefe38727..dcd3ff2bbde9 100644 +--- a/drivers/media/i2c/st-mipid02.c ++++ b/drivers/media/i2c/st-mipid02.c +@@ -736,8 +736,13 @@ static void mipid02_set_fmt_source(struct v4l2_subdev *sd, + { + struct mipid02_dev *bridge = to_mipid02_dev(sd); + +- /* source pad mirror active sink pad */ +- format->format = bridge->fmt; ++ /* source pad mirror sink pad */ ++ if (format->which == V4L2_SUBDEV_FORMAT_ACTIVE) ++ format->format = bridge->fmt; ++ else ++ format->format = *v4l2_subdev_get_try_format(sd, sd_state, ++ MIPID02_SINK_0); ++ + /* but code may need to be converted */ + format->format.code = serial_to_parallel_code(format->format.code); + +-- +2.35.3 + diff --git a/patches.suse/media-usb-Check-az6007_read-return-value.patch b/patches.suse/media-usb-Check-az6007_read-return-value.patch new file mode 100644 index 0000000..9f69213 --- /dev/null +++ b/patches.suse/media-usb-Check-az6007_read-return-value.patch @@ -0,0 +1,38 @@ +From fdaca63186f59fc664b346c45b76576624b48e57 Mon Sep 17 00:00:00 2001 +From: Daniil Dulov +Date: Tue, 14 Mar 2023 10:04:49 -0700 +Subject: [PATCH] media: usb: Check az6007_read() return value +Git-commit: fdaca63186f59fc664b346c45b76576624b48e57 +Patch-mainline: v6.5-rc1 +References: git-fixes + +If az6007_read() returns error, there is no sence to continue. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 3af2f4f15a61 ("[media] az6007: Change the az6007 read/write routine parameter") +Signed-off-by: Daniil Dulov +Signed-off-by: Hans Verkuil +Acked-by: Takashi Iwai + +--- + drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c +index 62ee09f28a0b..7524c90f5da6 100644 +--- a/drivers/media/usb/dvb-usb-v2/az6007.c ++++ b/drivers/media/usb/dvb-usb-v2/az6007.c +@@ -202,7 +202,8 @@ static int az6007_rc_query(struct dvb_usb_device *d) + unsigned code; + enum rc_proto proto; + +- az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10); ++ if (az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10) < 0) ++ return -EIO; + + if (st->data[1] == 0x44) + return 0; +-- +2.35.3 + diff --git a/patches.suse/media-usb-siano-Fix-warning-due-to-null-work_func_t-.patch b/patches.suse/media-usb-siano-Fix-warning-due-to-null-work_func_t-.patch new file mode 100644 index 0000000..57e5893 --- /dev/null +++ b/patches.suse/media-usb-siano-Fix-warning-due-to-null-work_func_t-.patch @@ -0,0 +1,82 @@ +From 6f489a966fbeb0da63d45c2c66a8957eab604bf6 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 23 May 2023 07:59:32 +0800 +Subject: [PATCH] media: usb: siano: Fix warning due to null work_func_t function pointer +Git-commit: 6f489a966fbeb0da63d45c2c66a8957eab604bf6 +Patch-mainline: v6.5-rc1 +References: git-fixes + +The previous commit ebad8e731c1c ("media: usb: siano: Fix use after +free bugs caused by do_submit_urb") adds cancel_work_sync() in +smsusb_stop_streaming(). But smsusb_stop_streaming() may be called, +even if the work_struct surb->wq has not been initialized. As a result, +the warning will occur. One of the processes that could lead to warning +is shown below: + +smsusb_probe() + smsusb_init_device() + if (!dev->in_ep || !dev->out_ep || align < 0) { + smsusb_term_device(intf); + smsusb_stop_streaming() + cancel_work_sync(&dev->surbs[i].wq); + __cancel_work_timer() + __flush_work() + if (WARN_ON(!work->func)) // work->func is null + +The log reported by syzbot is shown below: + +Warning: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063 +Modules linked in: +Cpu: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0 +Rip: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066 +... +Rsp: 0018:ffffc9000464ebf8 EFLAGS: 00010246 +Rax: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e +Rdx: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8 +Rbp: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f +R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8 +R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001 +Fs: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 +Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Cr2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0 +Dr0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +Dr3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160 + smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline] + smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344 + smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419 + smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567 +... + +This patch adds check before cancel_work_sync(). If surb->wq has not +been initialized, the cancel_work_sync() will not be executed. + +Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com +Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Acked-by: Takashi Iwai + +--- + drivers/media/usb/siano/smsusb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index 6f443c542c6d..640737d3b8ae 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -179,7 +179,8 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev) + + for (i = 0; i < MAX_URBS; i++) { + usb_kill_urb(&dev->surbs[i].urb); +- cancel_work_sync(&dev->surbs[i].wq); ++ if (dev->surbs[i].wq.func) ++ cancel_work_sync(&dev->surbs[i].wq); + + if (dev->surbs[i].cb) { + smscore_putbuffer(dev->coredev, dev->surbs[i].cb); +-- +2.35.3 + diff --git a/patches.suse/media-venus-helpers-Fix-ALIGN-of-non-power-of-two.patch b/patches.suse/media-venus-helpers-Fix-ALIGN-of-non-power-of-two.patch new file mode 100644 index 0000000..31d6d70 --- /dev/null +++ b/patches.suse/media-venus-helpers-Fix-ALIGN-of-non-power-of-two.patch @@ -0,0 +1,51 @@ +From 927e78ac8bc58155316cf6f46026e1912bbbbcfc Mon Sep 17 00:00:00 2001 +From: Rikard Falkeborn +Date: Sat, 12 Sep 2020 20:03:01 +0100 +Subject: [PATCH] media: venus: helpers: Fix ALIGN() of non power of two +Git-commit: 927e78ac8bc58155316cf6f46026e1912bbbbcfc +Patch-mainline: v6.5-rc1 +References: git-fixes + +ALIGN() expects its second argument to be a power of 2, otherwise +incorrect results are produced for some inputs. The output can be +both larger or smaller than what is expected. + +For example, ALIGN(304, 192) equals 320 instead of 384, and +ALIGN(65, 192) equals 256 instead of 192. + +However, nestling two ALIGN() as is done in this case seem to only +produce results equal to or bigger than the expected result if ALIGN() +had handled non powers of two, and that in turn results in framesizes +that are either the correct size or too large. + +Fortunately, since 192 * 4 / 3 equals 256, it turns out that one ALIGN() +is sufficient. + +Fixes: ab1eda449c6e ("media: venus: vdec: handle 10bit bitstreams") +Signed-off-by: Rikard Falkeborn +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/qcom/venus/helpers.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/helpers.c b/drivers/media/platform/qcom/venus/helpers.c +index 3267a4ebe4af..7281bc6cdb39 100644 +--- a/drivers/media/platform/qcom/venus/helpers.c ++++ b/drivers/media/platform/qcom/venus/helpers.c +@@ -1031,8 +1031,8 @@ static u32 get_framesize_raw_yuv420_tp10_ubwc(u32 width, u32 height) + u32 extradata = SZ_16K; + u32 size; + +- y_stride = ALIGN(ALIGN(width, 192) * 4 / 3, 256); +- uv_stride = ALIGN(ALIGN(width, 192) * 4 / 3, 256); ++ y_stride = ALIGN(width * 4 / 3, 256); ++ uv_stride = ALIGN(width * 4 / 3, 256); + y_sclines = ALIGN(height, 16); + uv_sclines = ALIGN((height + 1) >> 1, 16); + +-- +2.35.3 + diff --git a/patches.suse/media-videodev2.h-Fix-struct-v4l2_input-tuner-index-.patch b/patches.suse/media-videodev2.h-Fix-struct-v4l2_input-tuner-index-.patch new file mode 100644 index 0000000..1d7d19c --- /dev/null +++ b/patches.suse/media-videodev2.h-Fix-struct-v4l2_input-tuner-index-.patch @@ -0,0 +1,62 @@ +From 26ae58f65e64fa7ba61d64bae752e59e08380c6a Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Thu, 18 May 2023 15:36:49 +0200 +Subject: [PATCH] media: videodev2.h: Fix struct v4l2_input tuner index comment +Git-commit: 26ae58f65e64fa7ba61d64bae752e59e08380c6a +Patch-mainline: v6.5-rc1 +References: git-fixes + +VIDIOC_ENUMINPUT documentation describes the tuner field of +struct v4l2_input as index: + +Documentation/userspace-api/media/v4l/vidioc-enuminput.rst +" +* - __u32 + - ``tuner`` + - Capture devices can have zero or more tuners (RF demodulators). + When the ``type`` is set to ``V4L2_INPUT_TYPE_TUNER`` this is an + RF connector and this field identifies the tuner. It corresponds + to struct :c:type:`v4l2_tuner` field ``index``. For + details on tuners see :ref:`tuner`. +" + +Drivers I could find also use the 'tuner' field as an index, e.g.: +drivers/media/pci/bt8xx/bttv-driver.c bttv_enum_input() +drivers/media/usb/go7007/go7007-v4l2.c vidioc_enum_input() + +However, the UAPI comment claims this field is 'enum v4l2_tuner_type': +include/uapi/linux/videodev2.h + +This field being 'enum v4l2_tuner_type' is unlikely as it seems to be +never used that way in drivers, and documentation confirms it. It seem +this comment got in accidentally in the commit which this patch fixes. +Fix the UAPI comment to stop confusion. + +This was pointed out by Dmitry while reviewing VIDIOC_ENUMINPUT +support for strace. + +Fixes: 6016af82eafc ("[media] v4l2: use __u32 rather than enums in ioctl() structs") +Signed-off-by: Marek Vasut +Signed-off-by: Hans Verkuil +Acked-by: Takashi Iwai + +--- + include/uapi/linux/videodev2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h +index 9e7cf1d36945..5d8bd754c69f 100644 +--- a/include/uapi/linux/videodev2.h ++++ b/include/uapi/linux/videodev2.h +@@ -1720,7 +1720,7 @@ struct v4l2_input { + __u8 name[32]; /* Label */ + __u32 type; /* Type of input */ + __u32 audioset; /* Associated audios (bitfield) */ +- __u32 tuner; /* enum v4l2_tuner_type */ ++ __u32 tuner; /* Tuner index */ + v4l2_std_id std; + __u32 status; + __u32 capabilities; +-- +2.35.3 + diff --git a/patches.suse/msft-hv-2815-PCI-hv-Fix-a-race-condition-bug-in-hv_pci_query_rela.patch b/patches.suse/msft-hv-2815-PCI-hv-Fix-a-race-condition-bug-in-hv_pci_query_rela.patch new file mode 100644 index 0000000..bc0fabe --- /dev/null +++ b/patches.suse/msft-hv-2815-PCI-hv-Fix-a-race-condition-bug-in-hv_pci_query_rela.patch @@ -0,0 +1,56 @@ +From: Dexuan Cui +Date: Wed, 14 Jun 2023 21:44:47 -0700 +Patch-mainline: v6.4 +Subject: PCI: hv: Fix a race condition bug in hv_pci_query_relations() +Git-commit: 440b5e3663271b0ffbd4908115044a6a51fb938b +References: bsc#1207185 + +Since day 1 of the driver, there has been a race between +hv_pci_query_relations() and survey_child_resources(): during fast +device hotplug, hv_pci_query_relations() may error out due to +device-remove and the stack variable 'comp' is no longer valid; +however, pci_devices_present_work() -> survey_child_resources() -> +complete() may be running on another CPU and accessing the no-longer-valid +'comp'. Fix the race by flushing the workqueue before we exit from +hv_pci_query_relations(). + +Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs") +Signed-off-by: Dexuan Cui +Reviewed-by: Michael Kelley +Acked-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230615044451.5580-2-decui@microsoft.com +Signed-off-by: Wei Liu +Acked-by: Olaf Hering +--- + drivers/pci/controller/pci-hyperv.c | 18 +++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -3401,6 +3401,24 @@ static int hv_pci_query_relations(struct hv_device *hdev) + if (!ret) + ret = wait_for_response(hdev, &comp); + ++ /* ++ * In the case of fast device addition/removal, it's possible that ++ * vmbus_sendpacket() or wait_for_response() returns -ENODEV but we ++ * already got a PCI_BUS_RELATIONS* message from the host and the ++ * channel callback already scheduled a work to hbus->wq, which can be ++ * running pci_devices_present_work() -> survey_child_resources() -> ++ * complete(&hbus->survey_event), even after hv_pci_query_relations() ++ * exits and the stack variable 'comp' is no longer valid; as a result, ++ * a hang or a page fault may happen when the complete() calls ++ * raw_spin_lock_irqsave(). Flush hbus->wq before we exit from ++ * hv_pci_query_relations() to avoid the issues. Note: if 'ret' is ++ * -ENODEV, there can't be any more work item scheduled to hbus->wq ++ * after the flush_workqueue(): see vmbus_onoffer_rescind() -> ++ * vmbus_reset_channel_cb(), vmbus_rescind_cleanup() -> ++ * channel->rescind = true. ++ */ ++ flush_workqueue(hbus->wq); ++ + return ret; + } + diff --git a/patches.suse/msft-hv-2816-PCI-hv-Fix-a-race-condition-in-hv_irq_unmask-that-ca.patch b/patches.suse/msft-hv-2816-PCI-hv-Fix-a-race-condition-in-hv_irq_unmask-that-ca.patch new file mode 100644 index 0000000..77c8934 --- /dev/null +++ b/patches.suse/msft-hv-2816-PCI-hv-Fix-a-race-condition-in-hv_irq_unmask-that-ca.patch @@ -0,0 +1,72 @@ +From: Dexuan Cui +Date: Wed, 14 Jun 2023 21:44:48 -0700 +Patch-mainline: v6.4 +Subject: PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic +Git-commit: 2738d5ab7929a845b654cd171a1e275c37eb428e +References: bsc#1207185 + +When the host tries to remove a PCI device, the host first sends a +PCI_EJECT message to the guest, and the guest is supposed to gracefully +remove the PCI device and send a PCI_EJECTION_COMPLETE message to the host; +the host then sends a VMBus message CHANNELMSG_RESCIND_CHANNELOFFER to +the guest (when the guest receives this message, the device is already +unassigned from the guest) and the guest can do some final cleanup work; +if the guest fails to respond to the PCI_EJECT message within one minute, +the host sends the VMBus message CHANNELMSG_RESCIND_CHANNELOFFER and +removes the PCI device forcibly. + +In the case of fast device addition/removal, it's possible that the PCI +device driver is still configuring MSI-X interrupts when the guest receives +the PCI_EJECT message; the channel callback calls hv_pci_eject_device(), +which sets hpdev->state to hv_pcichild_ejecting, and schedules a work +hv_eject_device_work(); if the PCI device driver is calling +pci_alloc_irq_vectors() -> ... -> hv_compose_msi_msg(), we can break the +while loop in hv_compose_msi_msg() due to the updated hpdev->state, and +leave data->chip_data with its default value of NULL; later, when the PCI +device driver calls request_irq() -> ... -> hv_irq_unmask(), the guest +crashes in hv_arch_irq_unmask() due to data->chip_data being NULL. + +Fix the issue by not testing hpdev->state in the while loop: when the +guest receives PCI_EJECT, the device is still assigned to the guest, and +the guest has one minute to finish the device removal gracefully. We don't +really need to (and we should not) test hpdev->state in the loop. + +Fixes: de0aa7b2f97d ("PCI: hv: Fix 2 hang issues in hv_compose_msi_msg()") +Signed-off-by: Dexuan Cui +Reviewed-by: Michael Kelley +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230615044451.5580-3-decui@microsoft.com +Signed-off-by: Wei Liu +Acked-by: Olaf Hering +--- + drivers/pci/controller/pci-hyperv.c | 11 ++++----- + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -635,6 +635,11 @@ static void hv_arch_irq_unmask(struct irq_data *data) + pbus = pdev->bus; + hbus = container_of(pbus->sysdata, struct hv_pcibus_device, sysdata); + int_desc = data->chip_data; ++ if (!int_desc) { ++ dev_warn(&hbus->hdev->device, "%s() can not unmask irq %u\n", ++ __func__, data->irq); ++ return; ++ } + + spin_lock_irqsave(&hbus->retarget_msi_interrupt_lock, flags); + +@@ -2004,12 +2009,6 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) + hv_pci_onchannelcallback(hbus); + spin_unlock_irqrestore(&channel->sched_lock, flags); + +- if (hpdev->state == hv_pcichild_ejecting) { +- dev_err_once(&hbus->hdev->device, +- "the device is being ejected\n"); +- goto enable_tasklet; +- } +- + udelay(100); + } + diff --git a/patches.suse/msft-hv-2817-PCI-hv-Remove-the-useless-hv_pcichild_state-from-str.patch b/patches.suse/msft-hv-2817-PCI-hv-Remove-the-useless-hv_pcichild_state-from-str.patch new file mode 100644 index 0000000..49cc74d --- /dev/null +++ b/patches.suse/msft-hv-2817-PCI-hv-Remove-the-useless-hv_pcichild_state-from-str.patch @@ -0,0 +1,61 @@ +From: Dexuan Cui +Date: Wed, 14 Jun 2023 21:44:49 -0700 +Patch-mainline: v6.4 +Subject: PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev +Git-commit: add9195e69c94b32e96f78c2f9cea68f0e850b3f +References: bsc#1207185 + +The hpdev->state is never really useful. The only use in +hv_pci_eject_device() and hv_eject_device_work() is not really necessary. + +Signed-off-by: Dexuan Cui +Reviewed-by: Michael Kelley +Acked-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230615044451.5580-4-decui@microsoft.com +Signed-off-by: Wei Liu +Acked-by: Olaf Hering +--- + drivers/pci/controller/pci-hyperv.c | 12 --------- + 1 file changed, 12 deletions(-) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -545,19 +545,10 @@ struct hv_dr_state { + struct hv_pcidev_description func[]; + }; + +-enum hv_pcichild_state { +- hv_pcichild_init = 0, +- hv_pcichild_requirements, +- hv_pcichild_resourced, +- hv_pcichild_ejecting, +- hv_pcichild_maximum +-}; +- + struct hv_pci_dev { + /* List protected by pci_rescan_remove_lock */ + struct list_head list_entry; + refcount_t refs; +- enum hv_pcichild_state state; + struct pci_slot *pci_slot; + struct hv_pcidev_description desc; + bool reported_missing; +@@ -2843,8 +2834,6 @@ static void hv_eject_device_work(struct work_struct *work) + hpdev = container_of(work, struct hv_pci_dev, wrk); + hbus = hpdev->hbus; + +- WARN_ON(hpdev->state != hv_pcichild_ejecting); +- + /* + * Ejection can come before or after the PCI bus has been set up, so + * attempt to find it and tear down the bus state, if it exists. This +@@ -2901,7 +2890,6 @@ static void hv_pci_eject_device(struct hv_pci_dev *hpdev) + return; + } + +- hpdev->state = hv_pcichild_ejecting; + get_pcichild(hpdev); + INIT_WORK(&hpdev->wrk, hv_eject_device_work); + queue_work(hbus->wq, &hpdev->wrk); diff --git a/patches.suse/msft-hv-2818-Revert-PCI-hv-Fix-a-timing-issue-which-causes-kdump-.patch b/patches.suse/msft-hv-2818-Revert-PCI-hv-Fix-a-timing-issue-which-causes-kdump-.patch new file mode 100644 index 0000000..f9bcb24 --- /dev/null +++ b/patches.suse/msft-hv-2818-Revert-PCI-hv-Fix-a-timing-issue-which-causes-kdump-.patch @@ -0,0 +1,143 @@ +From: Dexuan Cui +Date: Wed, 14 Jun 2023 21:44:50 -0700 +Patch-mainline: v6.4 +Subject: Revert "PCI: hv: Fix a timing issue which causes kdump to fail occasionally" +Git-commit: a847234e24d03d01a9566d1d9dcce018cc018d67 +References: bsc#1207185 + +This reverts commit d6af2ed29c7c1c311b96dac989dcb991e90ee195. + +The statement "the hv_pci_bus_exit() call releases structures of all its +child devices" in commit d6af2ed29c7c is not true: in the path +hv_pci_probe() -> hv_pci_enter_d0() -> hv_pci_bus_exit(hdev, true): the +parameter "keep_devs" is true, so hv_pci_bus_exit() does *not* release the +child "struct hv_pci_dev *hpdev" that is created earlier in +pci_devices_present_work() -> new_pcichild_device(). + +The commit d6af2ed29c7c was originally made in July 2020 for RHEL 7.7, +where the old version of hv_pci_bus_exit() was used; when the commit was +rebased and merged into the upstream, people didn't notice that it's +not really necessary. The commit itself doesn't cause any issue, but it +makes hv_pci_probe() more complicated. Revert it to facilitate some +upcoming changes to hv_pci_probe(). + +Signed-off-by: Dexuan Cui +Reviewed-by: Michael Kelley +Acked-by: Wei Hu +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230615044451.5580-5-decui@microsoft.com +Signed-off-by: Wei Liu +Acked-by: Olaf Hering +--- + drivers/pci/controller/pci-hyperv.c | 71 ++++----- + 1 file changed, 34 insertions(+), 37 deletions(-) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -3318,8 +3318,10 @@ static int hv_pci_enter_d0(struct hv_device *hdev) + struct pci_bus_d0_entry *d0_entry; + struct hv_pci_compl comp_pkt; + struct pci_packet *pkt; ++ bool retry = true; + int ret; + ++enter_d0_retry: + /* + * Tell the host that the bus is ready to use, and moved into the + * powered-on state. This includes telling the host which region +@@ -3346,6 +3348,38 @@ static int hv_pci_enter_d0(struct hv_device *hdev) + if (ret) + goto exit; + ++ /* ++ * In certain case (Kdump) the pci device of interest was ++ * not cleanly shut down and resource is still held on host ++ * side, the host could return invalid device status. ++ * We need to explicitly request host to release the resource ++ * and try to enter D0 again. ++ */ ++ if (comp_pkt.completion_status < 0 && retry) { ++ retry = false; ++ ++ dev_err(&hdev->device, "Retrying D0 Entry\n"); ++ ++ /* ++ * Hv_pci_bus_exit() calls hv_send_resource_released() ++ * to free up resources of its child devices. ++ * In the kdump kernel we need to set the ++ * wslot_res_allocated to 255 so it scans all child ++ * devices to release resources allocated in the ++ * normal kernel before panic happened. ++ */ ++ hbus->wslot_res_allocated = 255; ++ ++ ret = hv_pci_bus_exit(hdev, true); ++ ++ if (ret == 0) { ++ kfree(pkt); ++ goto enter_d0_retry; ++ } ++ dev_err(&hdev->device, ++ "Retrying D0 failed with ret %d\n", ret); ++ } ++ + if (comp_pkt.completion_status < 0) { + dev_err(&hdev->device, + "PCI Pass-through VSP failed D0 Entry with status %x\n", +@@ -3591,7 +3625,6 @@ static int hv_pci_probe(struct hv_device *hdev, + struct hv_pcibus_device *hbus; + u16 dom_req, dom; + char *name; +- bool enter_d0_retry = true; + int ret; + + /* +@@ -3708,47 +3741,11 @@ static int hv_pci_probe(struct hv_device *hdev, + if (ret) + goto free_fwnode; + +-retry: + ret = hv_pci_query_relations(hdev); + if (ret) + goto free_irq_domain; + + ret = hv_pci_enter_d0(hdev); +- /* +- * In certain case (Kdump) the pci device of interest was +- * not cleanly shut down and resource is still held on host +- * side, the host could return invalid device status. +- * We need to explicitly request host to release the resource +- * and try to enter D0 again. +- * Since the hv_pci_bus_exit() call releases structures +- * of all its child devices, we need to start the retry from +- * hv_pci_query_relations() call, requesting host to send +- * the synchronous child device relations message before this +- * information is needed in hv_send_resources_allocated() +- * call later. +- */ +- if (ret == -EPROTO && enter_d0_retry) { +- enter_d0_retry = false; +- +- dev_err(&hdev->device, "Retrying D0 Entry\n"); +- +- /* +- * Hv_pci_bus_exit() calls hv_send_resources_released() +- * to free up resources of its child devices. +- * In the kdump kernel we need to set the +- * wslot_res_allocated to 255 so it scans all child +- * devices to release resources allocated in the +- * normal kernel before panic happened. +- */ +- hbus->wslot_res_allocated = 255; +- ret = hv_pci_bus_exit(hdev, true); +- +- if (ret == 0) +- goto retry; +- +- dev_err(&hdev->device, +- "Retrying D0 failed with ret %d\n", ret); +- } + if (ret) + goto free_irq_domain; + diff --git a/patches.suse/msft-hv-2819-PCI-hv-Add-a-per-bus-mutex-state_lock.patch b/patches.suse/msft-hv-2819-PCI-hv-Add-a-per-bus-mutex-state_lock.patch new file mode 100644 index 0000000..f5ca496 --- /dev/null +++ b/patches.suse/msft-hv-2819-PCI-hv-Add-a-per-bus-mutex-state_lock.patch @@ -0,0 +1,162 @@ +From: Dexuan Cui +Date: Wed, 14 Jun 2023 21:44:51 -0700 +Patch-mainline: v6.4 +Subject: PCI: hv: Add a per-bus mutex state_lock +Git-commit: 067d6ec7ed5b49380688e06c1e5f883a71bef4fe +References: bsc#1207185 + +In the case of fast device addition/removal, it's possible that +hv_eject_device_work() can start to run before create_root_hv_pci_bus() +starts to run; as a result, the pci_get_domain_bus_and_slot() in +hv_eject_device_work() can return a 'pdev' of NULL, and +hv_eject_device_work() can remove the 'hpdev', and immediately send a +message PCI_EJECTION_COMPLETE to the host, and the host immediately +unassigns the PCI device from the guest; meanwhile, +create_root_hv_pci_bus() and the PCI device driver can be probing the +dead PCI device and reporting timeout errors. + +Fix the issue by adding a per-bus mutex 'state_lock' and grabbing the +mutex before powering on the PCI bus in hv_pci_enter_d0(): when +hv_eject_device_work() starts to run, it's able to find the 'pdev' and call +pci_stop_and_remove_bus_device(pdev): if the PCI device driver has +loaded, the PCI device driver's probe() function is already called in +create_root_hv_pci_bus() -> pci_bus_add_devices(), and now +hv_eject_device_work() -> pci_stop_and_remove_bus_device() is able +to call the PCI device driver's remove() function and remove the device +reliably; if the PCI device driver hasn't loaded yet, the function call +hv_eject_device_work() -> pci_stop_and_remove_bus_device() is able to +remove the PCI device reliably and the PCI device driver's probe() +function won't be called; if the PCI device driver's probe() is already +running (e.g., systemd-udev is loading the PCI device driver), it must +be holding the per-device lock, and after the probe() finishes and releases +the lock, hv_eject_device_work() -> pci_stop_and_remove_bus_device() is +able to proceed to remove the device reliably. + +Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs") +Signed-off-by: Dexuan Cui +Reviewed-by: Michael Kelley +Acked-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230615044451.5580-6-decui@microsoft.com +Signed-off-by: Wei Liu +Acked-by: Olaf Hering +--- + drivers/pci/controller/pci-hyperv.c | 29 ++++++++- + 1 file changed, 26 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -489,7 +489,10 @@ struct hv_pcibus_device { + struct fwnode_handle *fwnode; + /* Protocol version negotiated with the host */ + enum pci_protocol_version_t protocol_version; ++ ++ struct mutex state_lock; + enum hv_pcibus_state state; ++ + struct hv_device *hdev; + resource_size_t low_mmio_space; + resource_size_t high_mmio_space; +@@ -2605,6 +2608,8 @@ static void pci_devices_present_work(struct work_struct *work) + if (!dr) + return; + ++ mutex_lock(&hbus->state_lock); ++ + /* First, mark all existing children as reported missing. */ + spin_lock_irqsave(&hbus->device_list_lock, flags); + list_for_each_entry(hpdev, &hbus->children, list_entry) { +@@ -2686,6 +2691,8 @@ static void pci_devices_present_work(struct work_struct *work) + break; + } + ++ mutex_unlock(&hbus->state_lock); ++ + kfree(dr); + } + +@@ -2834,6 +2841,8 @@ static void hv_eject_device_work(struct work_struct *work) + hpdev = container_of(work, struct hv_pci_dev, wrk); + hbus = hpdev->hbus; + ++ mutex_lock(&hbus->state_lock); ++ + /* + * Ejection can come before or after the PCI bus has been set up, so + * attempt to find it and tear down the bus state, if it exists. This +@@ -2870,6 +2879,8 @@ static void hv_eject_device_work(struct work_struct *work) + put_pcichild(hpdev); + put_pcichild(hpdev); + /* hpdev has been freed. Do not use it any more. */ ++ ++ mutex_unlock(&hbus->state_lock); + } + + /** +@@ -3636,6 +3647,7 @@ static int hv_pci_probe(struct hv_device *hdev, + return -ENOMEM; + + hbus->bridge = bridge; ++ mutex_init(&hbus->state_lock); + hbus->state = hv_pcibus_init; + hbus->wslot_res_allocated = -1; + +@@ -3745,9 +3757,11 @@ static int hv_pci_probe(struct hv_device *hdev, + if (ret) + goto free_irq_domain; + ++ mutex_lock(&hbus->state_lock); ++ + ret = hv_pci_enter_d0(hdev); + if (ret) +- goto free_irq_domain; ++ goto release_state_lock; + + ret = hv_pci_allocate_bridge_windows(hbus); + if (ret) +@@ -3765,12 +3779,15 @@ static int hv_pci_probe(struct hv_device *hdev, + if (ret) + goto free_windows; + ++ mutex_unlock(&hbus->state_lock); + return 0; + + free_windows: + hv_pci_free_bridge_windows(hbus); + exit_d0: + (void) hv_pci_bus_exit(hdev, true); ++release_state_lock: ++ mutex_unlock(&hbus->state_lock); + free_irq_domain: + irq_domain_remove(hbus->irq_domain); + free_fwnode: +@@ -4020,20 +4037,26 @@ static int hv_pci_resume(struct hv_device *hdev) + if (ret) + goto out; + ++ mutex_lock(&hbus->state_lock); ++ + ret = hv_pci_enter_d0(hdev); + if (ret) +- goto out; ++ goto release_state_lock; + + ret = hv_send_resources_allocated(hdev); + if (ret) +- goto out; ++ goto release_state_lock; + + prepopulate_bars(hbus); + + hv_pci_restore_msi_state(hbus); + + hbus->state = hv_pcibus_installed; ++ mutex_unlock(&hbus->state_lock); + return 0; ++ ++release_state_lock: ++ mutex_unlock(&hbus->state_lock); + out: + vmbus_close(hdev->channel); + return ret; diff --git a/patches.suse/ntb-idt-Fix-error-handling-in-idt_pci_driver_init.patch b/patches.suse/ntb-idt-Fix-error-handling-in-idt_pci_driver_init.patch new file mode 100644 index 0000000..9036603 --- /dev/null +++ b/patches.suse/ntb-idt-Fix-error-handling-in-idt_pci_driver_init.patch @@ -0,0 +1,66 @@ +From c012968259b451dc4db407f2310fe131eaefd800 Mon Sep 17 00:00:00 2001 +From: Yuan Can +Date: Sat, 5 Nov 2022 09:43:01 +0000 +Subject: [PATCH] ntb: idt: Fix error handling in idt_pci_driver_init() +Git-commit: c012968259b451dc4db407f2310fe131eaefd800 +Patch-mainline: v6.5-rc1 +References: git-fixes + +A problem about ntb_hw_idt create debugfs failed is triggered with the +following log given: + + [ 1236.637636] IDT PCI-E Non-Transparent Bridge Driver 2.0 + [ 1236.639292] debugfs: Directory 'ntb_hw_idt' with parent '/' already present! + +The reason is that idt_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_idt can never be created later. + + idt_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. + +Fixes: bf2a952d31d2 ("NTB: Add IDT 89HPESxNTx PCIe-switches support") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Acked-by: Takashi Iwai + +--- + drivers/ntb/hw/idt/ntb_hw_idt.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c +index 0ed6f809ff2e..51799fccf840 100644 +--- a/drivers/ntb/hw/idt/ntb_hw_idt.c ++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c +@@ -2891,6 +2891,7 @@ static struct pci_driver idt_pci_driver = { + + static int __init idt_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + /* Create the top DebugFS directory if the FS is initialized */ +@@ -2898,7 +2899,11 @@ static int __init idt_pci_driver_init(void) + dbgfs_topdir = debugfs_create_dir(KBUILD_MODNAME, NULL); + + /* Register the NTB hardware driver to handle the PCI device */ +- return pci_register_driver(&idt_pci_driver); ++ ret = pci_register_driver(&idt_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(dbgfs_topdir); ++ ++ return ret; + } + module_init(idt_pci_driver_init); + +-- +2.35.3 + diff --git a/patches.suse/ntb-intel-Fix-error-handling-in-intel_ntb_pci_driver.patch b/patches.suse/ntb-intel-Fix-error-handling-in-intel_ntb_pci_driver.patch new file mode 100644 index 0000000..098cccf --- /dev/null +++ b/patches.suse/ntb-intel-Fix-error-handling-in-intel_ntb_pci_driver.patch @@ -0,0 +1,65 @@ +From 4c3c796aca02883ad35bb117468938cc4022ca41 Mon Sep 17 00:00:00 2001 +From: Yuan Can +Date: Sat, 5 Nov 2022 09:43:22 +0000 +Subject: [PATCH] ntb: intel: Fix error handling in intel_ntb_pci_driver_init() +Git-commit: 4c3c796aca02883ad35bb117468938cc4022ca41 +Patch-mainline: v6.5-rc1 +References: git-fixes + +A problem about ntb_hw_intel create debugfs failed is triggered with the +following log given: + + [ 273.112733] Intel(R) PCI-E Non-Transparent Bridge Driver 2.0 + [ 273.115342] debugfs: Directory 'ntb_hw_intel' with parent '/' already present! + +The reason is that intel_ntb_pci_driver_init() returns +pci_register_driver() directly without checking its return value, if +pci_register_driver() failed, it returns without destroy the newly created +debugfs, resulting the debugfs of ntb_hw_intel can never be created later. + + intel_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. + +Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") +Signed-off-by: Yuan Can +Acked-by: Dave Jiang +Signed-off-by: Jon Mason +Acked-by: Takashi Iwai + +--- + drivers/ntb/hw/intel/ntb_hw_gen1.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c +index 84772013812b..60a4ebc7bf35 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c +@@ -2064,12 +2064,17 @@ static struct pci_driver intel_ntb_pci_driver = { + + static int __init intel_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&intel_ntb_pci_driver); ++ ret = pci_register_driver(&intel_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(intel_ntb_pci_driver_init); + +-- +2.35.3 + diff --git a/patches.suse/opp-Fix-use-after-free-in-lazy_opp_tables-after-prob.patch b/patches.suse/opp-Fix-use-after-free-in-lazy_opp_tables-after-prob.patch new file mode 100644 index 0000000..3050b49 --- /dev/null +++ b/patches.suse/opp-Fix-use-after-free-in-lazy_opp_tables-after-prob.patch @@ -0,0 +1,59 @@ +From b2a2ab039bd58f51355e33d7d3fc64605d7f870d Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Tue, 30 May 2023 17:54:46 +0200 +Subject: [PATCH] opp: Fix use-after-free in lazy_opp_tables after probe deferral +Git-commit: b2a2ab039bd58f51355e33d7d3fc64605d7f870d +Patch-mainline: v6.5-rc1 +References: git-fixes + +When dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns +-EPROBE_DEFER, the opp_table is freed again, to wait until all the +interconnect paths are available. + +However, if the OPP table is using required-opps then it may already +have been added to the global lazy_opp_tables list. The error path +does not remove the opp_table from the list again. + +This can cause crashes later when the provider of the required-opps +is added, since we will iterate over OPP tables that have already been +freed. E.g.: + + Unable to handle kernel NULL pointer dereference when read + CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3 + PC is at _of_add_opp_table_v2 (include/linux/of.h:949 + drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404 + drivers/opp/of.c:1032) -> lazy_link_required_opp_table() + +Fix this by calling _of_clear_opp_table() to remove the opp_table from +the list and clear other allocated resources. While at it, also add the +missing mutex_destroy() calls in the error path. + +Cc: stable@vger.kernel.org +Suggested-by: Viresh Kumar +Fixes: 7eba0c7641b0 ("opp: Allow lazy-linking of required-opps") +Signed-off-by: Stephan Gerhold +Signed-off-by: Viresh Kumar +Acked-by: Takashi Iwai + +--- + drivers/opp/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/opp/core.c b/drivers/opp/core.c +index 85cbc8de407c..7046487dc6f4 100644 +--- a/drivers/opp/core.c ++++ b/drivers/opp/core.c +@@ -1358,7 +1358,10 @@ static struct opp_table *_allocate_opp_table(struct device *dev, int index) + return opp_table; + + remove_opp_dev: ++ _of_clear_opp_table(opp_table); + _remove_opp_dev(opp_dev, opp_table); ++ mutex_destroy(&opp_table->genpd_virt_dev_lock); ++ mutex_destroy(&opp_table->lock); + err: + kfree(opp_table); + return ERR_PTR(ret); +-- +2.35.3 + diff --git a/patches.suse/phy-Revert-phy-Remove-SOC_EXYNOS4212-dep.-from-PHY_E.patch b/patches.suse/phy-Revert-phy-Remove-SOC_EXYNOS4212-dep.-from-PHY_E.patch new file mode 100644 index 0000000..dfd1a8b --- /dev/null +++ b/patches.suse/phy-Revert-phy-Remove-SOC_EXYNOS4212-dep.-from-PHY_E.patch @@ -0,0 +1,40 @@ +From f64df08226038ba472a5f124e28ebc3b75e3b3ae Mon Sep 17 00:00:00 2001 +From: Artur Weber +Date: Mon, 1 May 2023 21:55:20 +0200 +Subject: [PATCH] phy: Revert "phy: Remove SOC_EXYNOS4212 dep. from PHY_EXYNOS4X12_USB" +Git-commit: f64df08226038ba472a5f124e28ebc3b75e3b3ae +Patch-mainline: v6.5-rc1 +References: git-fixes + +Support for the Exynos4212 SoC was originally dropped as there were +no boards using it. We will be adding a device that uses it, so add +it back. + +This reverts commit fee7e1d50c6e6da1d99035181ba5a5c88f5bb526. + +Signed-off-by: Artur Weber +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230501195525.6268-9-aweber.kernel@gmail.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/phy/samsung/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/samsung/Kconfig b/drivers/phy/samsung/Kconfig +index 3ccaabf2850a..f10afa3d7ff5 100644 +--- a/drivers/phy/samsung/Kconfig ++++ b/drivers/phy/samsung/Kconfig +@@ -59,7 +59,7 @@ config PHY_EXYNOS4210_USB2 + config PHY_EXYNOS4X12_USB2 + bool + depends on PHY_SAMSUNG_USB2 +- default SOC_EXYNOS3250 || SOC_EXYNOS4412 ++ default SOC_EXYNOS3250 || SOC_EXYNOS4212 || SOC_EXYNOS4412 + + config PHY_EXYNOS5250_USB2 + bool +-- +2.35.3 + diff --git a/patches.suse/phy-tegra-xusb-Clear-the-driver-reference-in-usb-phy.patch b/patches.suse/phy-tegra-xusb-Clear-the-driver-reference-in-usb-phy.patch new file mode 100644 index 0000000..043324e --- /dev/null +++ b/patches.suse/phy-tegra-xusb-Clear-the-driver-reference-in-usb-phy.patch @@ -0,0 +1,45 @@ +From c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d Mon Sep 17 00:00:00 2001 +From: EJ Hsu +Date: Fri, 9 Jun 2023 14:29:32 +0800 +Subject: [PATCH] phy: tegra: xusb: Clear the driver reference in usb-phy dev +Git-commit: c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d +Patch-mainline: v6.5-rc1 +References: git-fixes + +For the dual-role port, it will assign the phy dev to usb-phy dev and +use the port dev driver as the dev driver of usb-phy. + +When we try to destroy the port dev, it will destroy its dev driver +as well. But we did not remove the reference from usb-phy dev. This +might cause the use-after-free issue in KASAN. + +Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support") +Cc: stable@vger.kernel.org + +Signed-off-by: EJ Hsu +Signed-off-by: Haotien Hsu +Acked-by: Thierry Reding +Acked-by: Jon Hunter +Link: https://lore.kernel.org/r/20230609062932.3276509-1-haotienh@nvidia.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/phy/tegra/xusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c +index b55d4e9f42b5..b5bad46a04a3 100644 +--- a/drivers/phy/tegra/xusb.c ++++ b/drivers/phy/tegra/xusb.c +@@ -568,6 +568,7 @@ static void tegra_xusb_port_unregister(struct tegra_xusb_port *port) + usb_role_switch_unregister(port->usb_role_sw); + cancel_work_sync(&port->usb_phy_work); + usb_remove_phy(&port->usb_phy); ++ port->usb_phy.dev->driver = NULL; + } + + if (port->ops->remove) +-- +2.35.3 + diff --git a/patches.suse/phy-tegra-xusb-check-return-value-of-devm_kzalloc.patch b/patches.suse/phy-tegra-xusb-check-return-value-of-devm_kzalloc.patch new file mode 100644 index 0000000..1901799 --- /dev/null +++ b/patches.suse/phy-tegra-xusb-check-return-value-of-devm_kzalloc.patch @@ -0,0 +1,40 @@ +From 44faada0f38fc333d392af04c343b0e23f8f5d81 Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Wed, 31 May 2023 10:39:50 +0300 +Subject: [PATCH] phy: tegra: xusb: check return value of devm_kzalloc() +Git-commit: 44faada0f38fc333d392af04c343b0e23f8f5d81 +Patch-mainline: v6.5-rc1 +References: git-fixes + +devm_kzalloc() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: f67213cee2b3 ("phy: tegra: xusb: Add usb-role-switch support") +Signed-off-by: Claudiu Beznea +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20230531073950.145339-1-claudiu.beznea@microchip.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/phy/tegra/xusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c +index b5bad46a04a3..a296b87dced1 100644 +--- a/drivers/phy/tegra/xusb.c ++++ b/drivers/phy/tegra/xusb.c +@@ -676,6 +676,9 @@ static int tegra_xusb_setup_usb_role_switch(struct tegra_xusb_port *port) + port->dev.driver = devm_kzalloc(&port->dev, + sizeof(struct device_driver), + GFP_KERNEL); ++ if (!port->dev.driver) ++ return -ENOMEM; ++ + port->dev.driver->owner = THIS_MODULE; + + port->usb_role_sw = usb_role_switch_register(&port->dev, +-- +2.35.3 + diff --git a/patches.suse/pwm-ab8500-Fix-error-code-in-probe.patch b/patches.suse/pwm-ab8500-Fix-error-code-in-probe.patch new file mode 100644 index 0000000..fd0f1b0 --- /dev/null +++ b/patches.suse/pwm-ab8500-Fix-error-code-in-probe.patch @@ -0,0 +1,41 @@ +From cdcffafc4d845cc0c6392cba168c7a942734cce7 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 22 May 2023 14:07:42 +0300 +Subject: [PATCH] pwm: ab8500: Fix error code in probe() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: cdcffafc4d845cc0c6392cba168c7a942734cce7 +Patch-mainline: v6.5-rc1 +References: git-fixes + +This code accidentally return positive EINVAL instead of negative +-EINVAL. + +Fixes: eb41f334589d ("pwm: ab8500: Fix register offset calculation to not depend on probe order") +Signed-off-by: Dan Carpenter +Reviewed-by: Uwe Kleine-König +Reviewed-by: Linus Walleij +Signed-off-by: Thierry Reding +Acked-by: Takashi Iwai + +--- + drivers/pwm/pwm-ab8500.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-ab8500.c b/drivers/pwm/pwm-ab8500.c +index 507ff0d5f7bd..583a7d69c741 100644 +--- a/drivers/pwm/pwm-ab8500.c ++++ b/drivers/pwm/pwm-ab8500.c +@@ -190,7 +190,7 @@ static int ab8500_pwm_probe(struct platform_device *pdev) + int err; + + if (pdev->id < 1 || pdev->id > 31) +- return dev_err_probe(&pdev->dev, EINVAL, "Invalid device id %d\n", pdev->id); ++ return dev_err_probe(&pdev->dev, -EINVAL, "Invalid device id %d\n", pdev->id); + + /* + * Nothing to be done in probe, this is required to get the +-- +2.35.3 + diff --git a/patches.suse/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch b/patches.suse/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch new file mode 100644 index 0000000..b140e89 --- /dev/null +++ b/patches.suse/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch @@ -0,0 +1,48 @@ +From 661dfb7f46298e53f6c3deaa772fa527aae86193 Mon Sep 17 00:00:00 2001 +From: Fancy Fang +Date: Fri, 5 May 2023 14:58:39 +0800 +Subject: [PATCH] pwm: imx-tpm: force 'real_period' to be zero in suspend +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 661dfb7f46298e53f6c3deaa772fa527aae86193 +Patch-mainline: v6.5-rc1 +References: git-fixes + +During suspend, all the tpm registers will lose values. +So the 'real_period' value of struct 'imx_tpm_pwm_chip' +should be forced to be zero to force the period update +code can be executed after system resume back. + +Signed-off-by: Fancy Fang +Signed-off-by: Clark Wang +Acked-by: Uwe Kleine-König +Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support") +Signed-off-by: Thierry Reding +Acked-by: Takashi Iwai + +--- + drivers/pwm/pwm-imx-tpm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/pwm/pwm-imx-tpm.c b/drivers/pwm/pwm-imx-tpm.c +index 5e2b452ee5f2..98ab65c89685 100644 +--- a/drivers/pwm/pwm-imx-tpm.c ++++ b/drivers/pwm/pwm-imx-tpm.c +@@ -397,6 +397,13 @@ static int __maybe_unused pwm_imx_tpm_suspend(struct device *dev) + if (tpm->enable_count > 0) + return -EBUSY; + ++ /* ++ * Force 'real_period' to be zero to force period update code ++ * can be executed after system resume back, since suspend causes ++ * the period related registers to become their reset values. ++ */ ++ tpm->real_period = 0; ++ + clk_disable_unprepare(tpm->clk); + + return 0; +-- +2.35.3 + diff --git a/patches.suse/pwm-sysfs-Do-not-apply-state-to-already-disabled-PWM.patch b/patches.suse/pwm-sysfs-Do-not-apply-state-to-already-disabled-PWM.patch new file mode 100644 index 0000000..e7b59b7 --- /dev/null +++ b/patches.suse/pwm-sysfs-Do-not-apply-state-to-already-disabled-PWM.patch @@ -0,0 +1,90 @@ +From 38ba83598633373f47951384cfc389181c8d1bed Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Fri, 12 May 2023 18:47:36 +0200 +Subject: [PATCH] pwm: sysfs: Do not apply state to already disabled PWMs +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 38ba83598633373f47951384cfc389181c8d1bed +Patch-mainline: v6.5-rc1 +References: git-fixes + +If the PWM is exported but not enabled, do not call pwm_class_apply_state(). +First of all, in this case, period may still be unconfigured and this would +make pwm_class_apply_state() return -EINVAL, and then suspend would fail. +Second, it makes little sense to apply state onto PWM that is not enabled +before suspend. + +Failing case: +" +$ echo 1 > /sys/class/pwm/pwmchip4/export +$ echo mem > /sys/power/state +... +pwm pwmchip4: PM: dpm_run_callback(): pwm_class_suspend+0x1/0xa8 returns -22 +pwm pwmchip4: PM: failed to suspend: error -22 +Pm: Some devices failed to suspend, or early wake event detected +" + +Working case: +" +$ echo 1 > /sys/class/pwm/pwmchip4/export +$ echo 100 > /sys/class/pwm/pwmchip4/pwm1/period +$ echo 10 > /sys/class/pwm/pwmchip4/pwm1/duty_cycle +$ echo mem > /sys/power/state +... +" + +Do not call pwm_class_apply_state() in case the PWM is disabled +to fix this issue. + +Fixes: 7fd4edc57bbae ("pwm: sysfs: Add suspend/resume support") +Signed-off-by: Marek Vasut +Fixes: ef2bf4997f7d ("pwm: Improve args checking in pwm_apply_state()") +Reviewed-by: Brian Norris +Reviewed-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Acked-by: Takashi Iwai + +--- + drivers/pwm/sysfs.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/pwm/sysfs.c b/drivers/pwm/sysfs.c +index 1a106ec32939..8d1254761e4d 100644 +--- a/drivers/pwm/sysfs.c ++++ b/drivers/pwm/sysfs.c +@@ -424,6 +424,13 @@ static int pwm_class_resume_npwm(struct device *parent, unsigned int npwm) + if (!export) + continue; + ++ /* If pwmchip was not enabled before suspend, do nothing. */ ++ if (!export->suspend.enabled) { ++ /* release lock taken in pwm_class_get_state */ ++ mutex_unlock(&export->lock); ++ continue; ++ } ++ + state.enabled = export->suspend.enabled; + ret = pwm_class_apply_state(export, pwm, &state); + if (ret < 0) +@@ -448,7 +455,17 @@ static int pwm_class_suspend(struct device *parent) + if (!export) + continue; + ++ /* ++ * If pwmchip was not enabled before suspend, save ++ * state for resume time and do nothing else. ++ */ + export->suspend = state; ++ if (!state.enabled) { ++ /* release lock taken in pwm_class_get_state */ ++ mutex_unlock(&export->lock); ++ continue; ++ } ++ + state.enabled = false; + ret = pwm_class_apply_state(export, pwm, &state); + if (ret < 0) { +-- +2.35.3 + diff --git a/patches.suse/rtc-efi-Add-wakeup-support.patch b/patches.suse/rtc-efi-Add-wakeup-support.patch new file mode 100644 index 0000000..aa0e665 --- /dev/null +++ b/patches.suse/rtc-efi-Add-wakeup-support.patch @@ -0,0 +1,31 @@ +From eec79501cce6e8965e92174760c6a9e92d78a038 Mon Sep 17 00:00:00 2001 +From: Riwen Lu +Date: Wed, 10 Aug 2022 15:01:09 +0800 +Subject: [PATCH] rtc: efi: Add wakeup support +Git-commit: eec79501cce6e8965e92174760c6a9e92d78a038 +Patch-mainline: v6.2-rc1 +References: bsc#1213116 + +Add wakeup support for rtc-efi, so we can wakeup from S3/S4/S5 through +rtcwake. + +Signed-off-by: Riwen Lu +Link: https://lore.kernel.org/r/TYWP286MB260191455377CEBD2336557EB1659@TYWP286MB2601.JPNP286.PROD.OUTLOOK.COM +Signed-off-by: Alexandre Belloni +Acked-by: Takashi Iwai + +--- + drivers/rtc/rtc-efi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/rtc/rtc-efi.c ++++ b/drivers/rtc/rtc-efi.c +@@ -270,6 +270,8 @@ static int __init efi_rtc_probe(struct p + rtc->ops = &efi_rtc_ops; + rtc->uie_unsupported = 1; + ++ device_init_wakeup(&dev->dev, true); ++ + return devm_rtc_register_device(rtc); + } + diff --git a/patches.suse/rtc-efi-Enable-SET-GET-WAKEUP-services-as-optional.patch b/patches.suse/rtc-efi-Enable-SET-GET-WAKEUP-services-as-optional.patch new file mode 100644 index 0000000..b281e7e --- /dev/null +++ b/patches.suse/rtc-efi-Enable-SET-GET-WAKEUP-services-as-optional.patch @@ -0,0 +1,117 @@ +From 101ca8d05913b7d1e6e8b9dd792193d4082fff86 Mon Sep 17 00:00:00 2001 +From: Shanker Donthineni +Date: Mon, 2 Jan 2023 17:06:30 -0600 +Subject: [PATCH] rtc: efi: Enable SET/GET WAKEUP services as optional +Git-commit: 101ca8d05913b7d1e6e8b9dd792193d4082fff86 +Patch-mainline: v6.2-rc7 +References: bsc#1213116 + +[ backport note: the patch slightly modified, only clearing + RTC_FEATURE_ALARM feature bit, and skip RTC_FEATURE_ALARM_WAKEUP_ONLY + bit, as the latter isn't defined in SLE15-SP5. + Also, rtc->uie_unsupported setup is kept as is. -- tiwai ] + +The current implementation of rtc-efi is expecting all the 4 +time services GET{SET}_TIME{WAKEUP} must be supported by UEFI +firmware. As per the EFI_RT_PROPERTIES_TABLE, the platform +specific implementations can choose to enable selective time +services based on the RTC device capabilities. + +This patch does the following changes to provide GET/SET RTC +services on platforms that do not support the WAKEUP feature. + +1) Relax time services cap check when creating a platform device. +2) Clear RTC_FEATURE_ALARM bit in the absence of WAKEUP services. +3) Conditional alarm entries in '/proc/driver/rtc'. + +Cc: # v6.0+ +Signed-off-by: Shanker Donthineni +Link: https://lore.kernel.org/r/20230102230630.192911-1-sdonthineni@nvidia.com +Signed-off-by: Alexandre Belloni +Acked-by: Takashi Iwai + +--- + drivers/rtc/rtc-efi.c | 45 +++++++++++++++++++++++++-------------------- + include/linux/efi.h | 3 ++- + 2 files changed, 27 insertions(+), 21 deletions(-) + +--- a/drivers/rtc/rtc-efi.c ++++ b/drivers/rtc/rtc-efi.c +@@ -188,9 +188,10 @@ static int efi_set_time(struct device *d + + static int efi_procfs(struct device *dev, struct seq_file *seq) + { +- efi_time_t eft, alm; +- efi_time_cap_t cap; +- efi_bool_t enabled, pending; ++ efi_time_t eft, alm; ++ efi_time_cap_t cap; ++ efi_bool_t enabled, pending; ++ struct rtc_device *rtc = dev_get_drvdata(dev); + + memset(&eft, 0, sizeof(eft)); + memset(&alm, 0, sizeof(alm)); +@@ -213,23 +214,25 @@ static int efi_procfs(struct device *dev + /* XXX fixme: convert to string? */ + seq_printf(seq, "Timezone\t: %u\n", eft.timezone); + +- seq_printf(seq, +- "Alarm Time\t: %u:%u:%u.%09u\n" +- "Alarm Date\t: %u-%u-%u\n" +- "Alarm Daylight\t: %u\n" +- "Enabled\t\t: %s\n" +- "Pending\t\t: %s\n", +- alm.hour, alm.minute, alm.second, alm.nanosecond, +- alm.year, alm.month, alm.day, +- alm.daylight, +- enabled == 1 ? "yes" : "no", +- pending == 1 ? "yes" : "no"); +- +- if (eft.timezone == EFI_UNSPECIFIED_TIMEZONE) +- seq_puts(seq, "Timezone\t: unspecified\n"); +- else +- /* XXX fixme: convert to string? */ +- seq_printf(seq, "Timezone\t: %u\n", alm.timezone); ++ if (test_bit(RTC_FEATURE_ALARM, rtc->features)) { ++ seq_printf(seq, ++ "Alarm Time\t: %u:%u:%u.%09u\n" ++ "Alarm Date\t: %u-%u-%u\n" ++ "Alarm Daylight\t: %u\n" ++ "Enabled\t\t: %s\n" ++ "Pending\t\t: %s\n", ++ alm.hour, alm.minute, alm.second, alm.nanosecond, ++ alm.year, alm.month, alm.day, ++ alm.daylight, ++ enabled == 1 ? "yes" : "no", ++ pending == 1 ? "yes" : "no"); ++ ++ if (eft.timezone == EFI_UNSPECIFIED_TIMEZONE) ++ seq_puts(seq, "Timezone\t: unspecified\n"); ++ else ++ /* XXX fixme: convert to string? */ ++ seq_printf(seq, "Timezone\t: %u\n", alm.timezone); ++ } + + /* + * now prints the capabilities +@@ -269,6 +272,8 @@ static int __init efi_rtc_probe(struct p + + rtc->ops = &efi_rtc_ops; + rtc->uie_unsupported = 1; ++ if (!efi_rt_services_supported(EFI_RT_SUPPORTED_WAKEUP_SERVICES)) ++ clear_bit(RTC_FEATURE_ALARM, rtc->features); + + device_init_wakeup(&dev->dev, true); + +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -651,7 +651,8 @@ extern struct efi { + + #define EFI_RT_SUPPORTED_ALL 0x3fff + +-#define EFI_RT_SUPPORTED_TIME_SERVICES 0x000f ++#define EFI_RT_SUPPORTED_TIME_SERVICES 0x0003 ++#define EFI_RT_SUPPORTED_WAKEUP_SERVICES 0x000c + #define EFI_RT_SUPPORTED_VARIABLE_SERVICES 0x0070 + + extern struct mm_struct efi_mm; diff --git a/patches.suse/rtc-efi-switch-to-devm_rtc_allocate_device.patch b/patches.suse/rtc-efi-switch-to-devm_rtc_allocate_device.patch new file mode 100644 index 0000000..6b4f0a9 --- /dev/null +++ b/patches.suse/rtc-efi-switch-to-devm_rtc_allocate_device.patch @@ -0,0 +1,47 @@ +From 8aa74363969f172c845b270b47a3d22871d7e156 Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Wed, 9 Mar 2022 17:22:54 +0100 +Subject: [PATCH] rtc: efi: switch to devm_rtc_allocate_device +Git-commit: 8aa74363969f172c845b270b47a3d22871d7e156 +Patch-mainline: v5.18-rc1 +References: bsc#1213116 + +Switch to devm_rtc_allocate_device/devm_rtc_register_device, this allows +for further improvement of the driver. + +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20220309162301.61679-23-alexandre.belloni@bootlin.com +Acked-by: Takashi Iwai + +--- + drivers/rtc/rtc-efi.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/rtc/rtc-efi.c b/drivers/rtc/rtc-efi.c +index 138c5e0046c8..0c0e382c22e2 100644 +--- a/drivers/rtc/rtc-efi.c ++++ b/drivers/rtc/rtc-efi.c +@@ -261,15 +261,16 @@ static int __init efi_rtc_probe(struct platform_device *dev) + if (efi.get_time(&eft, &cap) != EFI_SUCCESS) + return -ENODEV; + +- rtc = devm_rtc_device_register(&dev->dev, "rtc-efi", &efi_rtc_ops, +- THIS_MODULE); ++ rtc = devm_rtc_allocate_device(&dev->dev); + if (IS_ERR(rtc)) + return PTR_ERR(rtc); + +- rtc->uie_unsupported = 1; + platform_set_drvdata(dev, rtc); + +- return 0; ++ rtc->ops = &efi_rtc_ops; ++ rtc->uie_unsupported = 1; ++ ++ return devm_rtc_register_device(rtc); + } + + static struct platform_driver efi_rtc_driver = { +-- +2.35.3 + diff --git a/patches.suse/sched-Fix-DEBUG-SCHEDSTATS-warn.patch b/patches.suse/sched-Fix-DEBUG-SCHEDSTATS-warn.patch new file mode 100644 index 0000000..24899f3 --- /dev/null +++ b/patches.suse/sched-Fix-DEBUG-SCHEDSTATS-warn.patch @@ -0,0 +1,45 @@ +From 769fdf83df57b373660343ef4270b3ada91ef434 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 6 Oct 2021 10:12:05 +0200 +Subject: [PATCH] sched: Fix DEBUG && !SCHEDSTATS warn +Git-commit: 769fdf83df57b373660343ef4270b3ada91ef434 +Patch-mainline: v5.16-rc1 +References: git-fixes + +When !SCHEDSTATS schedstat_enabled() is an unconditional 0 and the +whole block doesn't exist, however GCC figures the scoped variable +'stats' is unused and complains about it. + +Upgrade the warning from -Wunused-variable to -Wunused-but-set-variable +by writing it in two statements. This fixes the build because the new +warning is in W=1. + +Given that whole if(0) {} thing, I don't feel motivated to change +things overly much and quite strongly feel this is the compiler being +daft. + +Fixes: cb3e971c435d ("sched: Make struct sched_statistics independent of fair sched class") +Reported-by: Stephen Rothwell +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Frederic Weisbecker +--- + kernel/sched/debug.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c +index 26fac5e28bc0..7dcbaa31c5d9 100644 +--- a/kernel/sched/debug.c ++++ b/kernel/sched/debug.c +@@ -463,7 +463,8 @@ static void print_cfs_group_stats(struct seq_file *m, int cpu, struct task_group + PN(se->sum_exec_runtime); + + if (schedstat_enabled()) { +- struct sched_statistics *stats = __schedstats_from_se(se); ++ struct sched_statistics *stats; ++ stats = __schedstats_from_se(se); + + PN_SCHEDSTAT(wait_start); + PN_SCHEDSTAT(sleep_start); +-- +2.34.1 + diff --git a/patches.suse/sched-debug-fix-dentry-leak-in-update_sched_domain_d.patch b/patches.suse/sched-debug-fix-dentry-leak-in-update_sched_domain_d.patch new file mode 100644 index 0000000..7a0cde3 --- /dev/null +++ b/patches.suse/sched-debug-fix-dentry-leak-in-update_sched_domain_d.patch @@ -0,0 +1,54 @@ +From c2e406596571659451f4b95e37ddfd5a8ef1d0dc Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Fri, 2 Sep 2022 14:31:07 +0200 +Subject: [PATCH] sched/debug: fix dentry leak in update_sched_domain_debugfs +Git-commit: c2e406596571659451f4b95e37ddfd5a8ef1d0dc +Patch-mainline: v6.0-rc5 +References: git-fixes + +Kuyo reports that the pattern of using debugfs_remove(debugfs_lookup()) +leaks a dentry and with a hotplug stress test, the machine eventually +runs out of memory. + +Fix this up by using the newly created debugfs_lookup_and_remove() call +instead which properly handles the dentry reference counting logic. + +Cc: Major Chen +Cc: stable +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: Juri Lelli +Cc: Vincent Guittot +Cc: Dietmar Eggemann +Cc: Steven Rostedt +Cc: Ben Segall +Cc: Mel Gorman +Cc: Daniel Bristot de Oliveira +Cc: Valentin Schneider +Cc: Matthias Brugger +Reported-by: Kuyo Chang +Tested-by: Kuyo Chang +Acked-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20220902123107.109274-2-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Frederic Weisbecker +--- + kernel/sched/debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c +index bb3d63bdf4ae..667876da8382 100644 +--- a/kernel/sched/debug.c ++++ b/kernel/sched/debug.c +@@ -416,7 +416,7 @@ void update_sched_domain_debugfs(void) + char buf[32]; + + snprintf(buf, sizeof(buf), "cpu%d", cpu); +- debugfs_remove(debugfs_lookup(buf, sd_dentry)); ++ debugfs_lookup_and_remove(buf, sd_dentry); + d_cpu = debugfs_create_dir(buf, sd_dentry); + + i = 0; +-- +2.34.1 + diff --git a/patches.suse/selftests-mptcp-depend-on-SYN_COOKIES.patch b/patches.suse/selftests-mptcp-depend-on-SYN_COOKIES.patch new file mode 100644 index 0000000..cd7c317 --- /dev/null +++ b/patches.suse/selftests-mptcp-depend-on-SYN_COOKIES.patch @@ -0,0 +1,45 @@ +From 6c8880fcaa5c45355179b759c1d11737775e31fc Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Tue, 4 Jul 2023 22:44:40 +0200 +Subject: [PATCH] selftests: mptcp: depend on SYN_COOKIES +Git-commit: 6c8880fcaa5c45355179b759c1d11737775e31fc +Patch-mainline: v6.5-rc1 +References: git-fixes + +MPTCP selftests are using TCP SYN Cookies for quite a while now, since +v5.9. + +Some CIs don't have this config option enabled and this is causing +issues in the tests: + + # ns1 MPTCP -> ns1 (10.0.1.1:10000 ) MPTCP (duration 167ms) sysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory + # [ OK ]./mptcp_connect.sh: line 554: [: -eq: unary operator expected + +There is no impact in the results but the test is not doing what it is +supposed to do. + +Fixes: fed61c4b584c ("selftests: mptcp: make 2nd net namespace use tcp syn cookies unconditionally") +Cc: stable@vger.kernel.org +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + tools/testing/selftests/net/mptcp/config | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/mptcp/config b/tools/testing/selftests/net/mptcp/config +index 6032f9b23c4c..e317c2e44dae 100644 +--- a/tools/testing/selftests/net/mptcp/config ++++ b/tools/testing/selftests/net/mptcp/config +@@ -6,6 +6,7 @@ CONFIG_INET_DIAG=m + CONFIG_INET_MPTCP_DIAG=m + CONFIG_VETH=y + CONFIG_NET_SCH_NETEM=m ++CONFIG_SYN_COOKIES=y + CONFIG_NETFILTER=y + CONFIG_NETFILTER_ADVANCED=y + CONFIG_NETFILTER_NETLINK=m +-- +2.35.3 + diff --git a/patches.suse/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch b/patches.suse/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch new file mode 100644 index 0000000..99ad68c --- /dev/null +++ b/patches.suse/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch @@ -0,0 +1,60 @@ +From 9ac4c28eb70cd5ea5472a5e1c495dcdd597d4597 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Tue, 4 Jul 2023 22:44:37 +0200 +Subject: [PATCH] selftests: mptcp: sockopt: return error if wrong mark +Git-commit: 9ac4c28eb70cd5ea5472a5e1c495dcdd597d4597 +Patch-mainline: v6.5-rc1 +References: git-fixes + +When an error was detected when checking the marks, a message was +correctly printed mentioning the error but followed by another one +saying everything was OK and the selftest was not marked as failed as +expected. + +Now the 'ret' variable is directly set to 1 in order to make sure the +exit is done with an error, similar to what is done in other functions. +While at it, the error is correctly propagated to the caller. + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: dc65fe82fb07 ("selftests: mptcp: add packet mark test case") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh +index c21bfd7f0c01..dc8d473fc82c 100755 +--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh +@@ -128,6 +128,7 @@ check_mark() + for v in $values; do + if [ $v -ne 0 ]; then + echo "FAIL: got $tables $values in ns $ns , not 0 - not all expected packets marked" 1>&2 ++ ret=1 + return 1 + fi + done +@@ -227,11 +228,11 @@ do_transfer() + fi + + if [ $local_addr = "::" ];then +- check_mark $listener_ns 6 +- check_mark $connector_ns 6 ++ check_mark $listener_ns 6 || retc=1 ++ check_mark $connector_ns 6 || retc=1 + else +- check_mark $listener_ns 4 +- check_mark $connector_ns 4 ++ check_mark $listener_ns 4 || retc=1 ++ check_mark $connector_ns 4 || retc=1 + fi + + check_transfer $cin $sout "file received by server" +-- +2.35.3 + diff --git a/patches.suse/soundwire-qcom-fix-storing-port-config-out-of-bounds.patch b/patches.suse/soundwire-qcom-fix-storing-port-config-out-of-bounds.patch new file mode 100644 index 0000000..424ac8b --- /dev/null +++ b/patches.suse/soundwire-qcom-fix-storing-port-config-out-of-bounds.patch @@ -0,0 +1,48 @@ +From 490937d479abe5f6584e69b96df066bc87be92e9 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 1 Jun 2023 12:25:25 +0200 +Subject: [PATCH] soundwire: qcom: fix storing port config out-of-bounds +Git-commit: 490937d479abe5f6584e69b96df066bc87be92e9 +Patch-mainline: v6.5-rc1 +References: git-fixes + +The 'qcom_swrm_ctrl->pconfig' has size of QCOM_SDW_MAX_PORTS (14), +however we index it starting from 1, not 0, to match real port numbers. +This can lead to writing port config past 'pconfig' bounds and +overwriting next member of 'qcom_swrm_ctrl' struct. Reported also by +Smatch: + + drivers/soundwire/qcom.c:1269 qcom_swrm_get_port_config() error: buffer overflow 'ctrl->pconfig' 14 <= 14 + +Fixes: 9916c02ccd74 ("soundwire: qcom: cleanup internal port config indexing") +Cc: +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Link: https://lore.kernel.org/r/202305201301.sCJ8UDKV-lkp@intel.com/ +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230601102525.609627-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/soundwire/qcom.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c +index f6adf2c6c1ac..7970fdb27ba0 100644 +--- a/drivers/soundwire/qcom.c ++++ b/drivers/soundwire/qcom.c +@@ -202,7 +202,8 @@ struct qcom_swrm_ctrl { + u32 intr_mask; + u8 rcmd_id; + u8 wcmd_id; +- struct qcom_swrm_port_config pconfig[QCOM_SDW_MAX_PORTS]; ++ /* Port numbers are 1 - 14 */ ++ struct qcom_swrm_port_config pconfig[QCOM_SDW_MAX_PORTS + 1]; + struct sdw_stream_runtime *sruntime[SWRM_MAX_DAIS]; + enum sdw_slave_status status[SDW_MAX_DEVICES + 1]; + int (*reg_read)(struct qcom_swrm_ctrl *ctrl, int reg, u32 *val); +-- +2.35.3 + diff --git a/patches.suse/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch b/patches.suse/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch new file mode 100644 index 0000000..676fb3f --- /dev/null +++ b/patches.suse/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch @@ -0,0 +1,58 @@ +From 7c1f23ad34fcdace50275a6aa1e1969b41c6233f Mon Sep 17 00:00:00 2001 +From: Jonas Gorski +Date: Thu, 29 Jun 2023 15:43:05 +0200 +Subject: [PATCH] spi: bcm-qspi: return error if neither hif_mspi nor mspi is available +Git-commit: 7c1f23ad34fcdace50275a6aa1e1969b41c6233f +Patch-mainline: v6.5-rc1 +References: git-fixes + +If neither a "hif_mspi" nor "mspi" resource is present, the driver will +just early exit in probe but still return success. Apart from not doing +anything meaningful, this would then also lead to a null pointer access +on removal, as platform_get_drvdata() would return NULL, which it would +then try to dereference when trying to unregister the spi master. + +Fix this by unconditionally calling devm_ioremap_resource(), as it can +handle a NULL res and will then return a viable ERR_PTR() if we get one. + +The "return 0;" was previously a "goto qspi_resource_err;" where then +ret was returned, but since ret was still initialized to 0 at this place +this was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fix +use-after-free on unbind"). The issue was not introduced by this commit, +only made more obvious. + +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Jonas Gorski +Reviewed-by: Kamal Dasu +Link: https://lore.kernel.org/r/20230629134306.95823-1-jonas.gorski@gmail.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-bcm-qspi.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c +index 6b46a3b67c41..d91dfbe47aa5 100644 +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -1543,13 +1543,9 @@ int bcm_qspi_probe(struct platform_device *pdev, + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, + "mspi"); + +- if (res) { +- qspi->base[MSPI] = devm_ioremap_resource(dev, res); +- if (IS_ERR(qspi->base[MSPI])) +- return PTR_ERR(qspi->base[MSPI]); +- } else { +- return 0; +- } ++ qspi->base[MSPI] = devm_ioremap_resource(dev, res); ++ if (IS_ERR(qspi->base[MSPI])) ++ return PTR_ERR(qspi->base[MSPI]); + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi"); + if (res) { +-- +2.35.3 + diff --git a/patches.suse/suse-hv-pci-hyperv-Add-a-per-bus-mutex-state_lock.patch b/patches.suse/suse-hv-pci-hyperv-Add-a-per-bus-mutex-state_lock.patch deleted file mode 100644 index e7e121c..0000000 --- a/patches.suse/suse-hv-pci-hyperv-Add-a-per-bus-mutex-state_lock.patch +++ /dev/null @@ -1,151 +0,0 @@ -From: Dexuan Cui -Date: Mon, 27 Mar 2023 21:51:21 -0700 -Patch-mainline: never, testing -Subject: PCI: hv: Add a per-bus mutex state_lock -References: bsc#1207185 - -In the case of fast device addition/removal, it's possible that -hv_eject_device_work() can start to run before create_root_hv_pci_bus() -starts to run; as a result, the pci_get_domain_bus_and_slot() in -hv_eject_device_work() can return a 'pdev' of NULL, and -hv_eject_device_work() can remove the 'hpdev', and immediately send a -message PCI_EJECTION_COMPLETE to the host, and the host immediately -unassigns the PCI device from the guest; meanwhile, -create_root_hv_pci_bus() and the PCI device driver can be probing the -dead PCI device and reporting timeout errors. - -Fix the issue by adding a per-bus mutex 'state_lock' and grabbing the -mutex before powering on the PCI bus in hv_pci_enter_d0(): when -hv_eject_device_work() starts to run, it's able to find the 'pdev' and call -pci_stop_and_remove_bus_device(pdev): if the PCI device driver has -loaded, the PCI device driver's probe() function is already called in -create_root_hv_pci_bus() -> pci_bus_add_devices(), and now -hv_eject_device_work() -> pci_stop_and_remove_bus_device() is able -to call the PCI device driver's remove() function and remove the device -reliably; if the PCI device driver hasn't loaded yet, the function call -hv_eject_device_work() -> pci_stop_and_remove_bus_device() is able to -remove the PCI device reliably and the PCI device driver's probe() -function won't be called; if the PCI device driver's probe() is already -running (e.g., systemd-udev is loading the PCI device driver), it must -be holding the per-device lock, and after the probe() finishes and releases -the lock, hv_eject_device_work() -> pci_stop_and_remove_bus_device() is -able to proceed to remove the device reliably. - -Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs") -Signed-off-by: Dexuan Cui -Acked-by: Olaf Hering ---- a/drivers/pci/controller/pci-hyperv.c -+++ b/drivers/pci/controller/pci-hyperv.c -@@ -489,7 +489,10 @@ struct hv_pcibus_device { - struct fwnode_handle *fwnode; - /* Protocol version negotiated with the host */ - enum pci_protocol_version_t protocol_version; -+ -+ struct mutex state_lock; - enum hv_pcibus_state state; -+ - struct hv_device *hdev; - resource_size_t low_mmio_space; - resource_size_t high_mmio_space; -@@ -2525,6 +2528,8 @@ static void pci_devices_present_work(str - if (!dr) - return; - -+ mutex_lock(&hbus->state_lock); -+ - /* First, mark all existing children as reported missing. */ - spin_lock_irqsave(&hbus->device_list_lock, flags); - list_for_each_entry(hpdev, &hbus->children, list_entry) { -@@ -2606,6 +2611,8 @@ static void pci_devices_present_work(str - break; - } - -+ mutex_unlock(&hbus->state_lock); -+ - kfree(dr); - } - -@@ -2754,6 +2761,8 @@ static void hv_eject_device_work(struct - hpdev = container_of(work, struct hv_pci_dev, wrk); - hbus = hpdev->hbus; - -+ mutex_lock(&hbus->state_lock); -+ - /* - * Ejection can come before or after the PCI bus has been set up, so - * attempt to find it and tear down the bus state, if it exists. This -@@ -2790,6 +2799,8 @@ static void hv_eject_device_work(struct - put_pcichild(hpdev); - put_pcichild(hpdev); - /* hpdev has been freed. Do not use it any more. */ -+ -+ mutex_unlock(&hbus->state_lock); - } - - /** -@@ -3575,6 +3586,7 @@ static int hv_pci_probe(struct hv_device - return -ENOMEM; - - hbus->bridge = bridge; -+ mutex_init(&hbus->state_lock); - hbus->state = hv_pcibus_init; - hbus->wslot_res_allocated = -1; - -@@ -3683,9 +3695,11 @@ static int hv_pci_probe(struct hv_device - if (ret) - goto free_irq_domain; - -+ mutex_lock(&hbus->state_lock); -+ - ret = hv_pci_enter_d0(hdev); - if (ret) -- goto free_irq_domain; -+ goto release_state_lock; - - ret = hv_pci_allocate_bridge_windows(hbus); - if (ret) -@@ -3703,12 +3717,15 @@ static int hv_pci_probe(struct hv_device - if (ret) - goto free_windows; - -+ mutex_unlock(&hbus->state_lock); - return 0; - - free_windows: - hv_pci_free_bridge_windows(hbus); - exit_d0: - (void) hv_pci_bus_exit(hdev, true); -+release_state_lock: -+ mutex_unlock(&hbus->state_lock); - free_irq_domain: - irq_domain_remove(hbus->irq_domain); - free_fwnode: -@@ -3957,20 +3974,26 @@ static int hv_pci_resume(struct hv_devic - if (ret) - goto out; - -+ mutex_lock(&hbus->state_lock); -+ - ret = hv_pci_enter_d0(hdev); - if (ret) -- goto out; -+ goto release_state_lock; - - ret = hv_send_resources_allocated(hdev); - if (ret) -- goto out; -+ goto release_state_lock; - - prepopulate_bars(hbus); - - hv_pci_restore_msi_state(hbus); - - hbus->state = hv_pcibus_installed; -+ mutex_unlock(&hbus->state_lock); - return 0; -+ -+release_state_lock: -+ mutex_unlock(&hbus->state_lock); - out: - vmbus_close(hdev->channel); - return ret; diff --git a/patches.suse/suse-hv-pci-hyperv-Fix-a-race-condition-in-hv_irq_unmask-that-can-cause-panic.patch b/patches.suse/suse-hv-pci-hyperv-Fix-a-race-condition-in-hv_irq_unmask-that-can-cause-panic.patch deleted file mode 100644 index 01a35b1..0000000 --- a/patches.suse/suse-hv-pci-hyperv-Fix-a-race-condition-in-hv_irq_unmask-that-can-cause-panic.patch +++ /dev/null @@ -1,62 +0,0 @@ -From: Dexuan Cui -Date: Mon, 27 Mar 2023 21:51:18 -0700 -Patch-mainline: never, testing -Subject: PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic -References: bsc#1207185 - -When the host tries to remove a PCI device, the host first sends a -PCI_EJECT message to the guest, and the guest is supposed to gracefully -remove the PCI device and send a PCI_EJECTION_COMPLETE message to the host; -the host then sends a VMBus message CHANNELMSG_RESCIND_CHANNELOFFER to -the guest (when the guest receives this message, the device is already -unassigned from the guest) and the guest can do some final cleanup work; -if the guest fails to respond to the PCI_EJECT message within one minute, -the host sends the VMBus message CHANNELMSG_RESCIND_CHANNELOFFER and -removes the PCI device forcibly. - -In the case of fast device addition/removal, it's possible that the PCI -device driver is still configuring MSI-X interrupts when the guest receives -the PCI_EJECT message; the channel callback calls hv_pci_eject_device(), -which sets hpdev->state to hv_pcichild_ejecting, and schedules a work -hv_eject_device_work(); if the PCI device driver is calling -pci_alloc_irq_vectors() -> ... -> hv_compose_msi_msg(), we can break the -while loop in hv_compose_msi_msg() due to the updated hpdev->state, and -leave data->chip_data with its default value of NULL; later, when the PCI -device driver calls request_irq() -> ... -> hv_irq_unmask(), the guest -crashes in hv_arch_irq_unmask() due to data->chip_data being NULL. - -Fix the issue by not testing hpdev->state in the while loop: when the -guest receives PCI_EJECT, the device is still assigned to the guest, and -the guest has one minute to finish the device removal gracefully. We don't -really need to (and we should not) test hpdev->state in the loop. - -Fixes: de0aa7b2f97d ("PCI: hv: Fix 2 hang issues in hv_compose_msi_msg()") -Signed-off-by: Dexuan Cui -Acked-by: Olaf Hering ---- a/drivers/pci/controller/pci-hyperv.c -+++ b/drivers/pci/controller/pci-hyperv.c -@@ -656,6 +656,11 @@ static void hv_arch_irq_unmask(struct ir - pbus = pdev->bus; - hbus = container_of(pbus->sysdata, struct hv_pcibus_device, sysdata); - int_desc = data->chip_data; -+ if (!int_desc) { -+ dev_warn(&hbus->hdev->device, "%s() can not unmask irq %u\n", -+ __func__, data->irq); -+ return; -+ } - - spin_lock_irqsave(&hbus->retarget_msi_interrupt_lock, flags); - -@@ -1924,12 +1929,6 @@ static void hv_compose_msi_msg(struct ir - hv_pci_onchannelcallback(hbus); - spin_unlock_irqrestore(&channel->sched_lock, flags); - -- if (hpdev->state == hv_pcichild_ejecting) { -- dev_err_once(&hbus->hdev->device, -- "the device is being ejected\n"); -- goto enable_tasklet; -- } -- - udelay(100); - } - diff --git a/patches.suse/suse-hv-pci-hyperv-Remove-the-useless-hv_pcichild_state-from-struct-hv_pci_dev.patch b/patches.suse/suse-hv-pci-hyperv-Remove-the-useless-hv_pcichild_state-from-struct-hv_pci_dev.patch deleted file mode 100644 index 8216fe4..0000000 --- a/patches.suse/suse-hv-pci-hyperv-Remove-the-useless-hv_pcichild_state-from-struct-hv_pci_dev.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Dexuan Cui -Date: Mon, 27 Mar 2023 21:51:19 -0700 -Patch-mainline: never, testing -Subject: PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev -References: bsc#1207185 - -The hpdev->state is never really useful. The only use in -hv_pci_eject_device() and hv_eject_device_work() is not really necessary. - -Signed-off-by: Dexuan Cui -Acked-by: Olaf Hering ---- a/drivers/pci/controller/pci-hyperv.c -+++ b/drivers/pci/controller/pci-hyperv.c -@@ -553,19 +553,10 @@ struct hv_dr_state { - struct hv_pcidev_description func[]; - }; - --enum hv_pcichild_state { -- hv_pcichild_init = 0, -- hv_pcichild_requirements, -- hv_pcichild_resourced, -- hv_pcichild_ejecting, -- hv_pcichild_maximum --}; -- - struct hv_pci_dev { - /* List protected by pci_rescan_remove_lock */ - struct list_head list_entry; - refcount_t refs; -- enum hv_pcichild_state state; - struct pci_slot *pci_slot; - struct hv_pcidev_description desc; - bool reported_missing; -@@ -2763,8 +2754,6 @@ static void hv_eject_device_work(struct - hpdev = container_of(work, struct hv_pci_dev, wrk); - hbus = hpdev->hbus; - -- WARN_ON(hpdev->state != hv_pcichild_ejecting); -- - /* - * Ejection can come before or after the PCI bus has been set up, so - * attempt to find it and tear down the bus state, if it exists. This -@@ -2821,7 +2810,6 @@ static void hv_pci_eject_device(struct h - return; - } - -- hpdev->state = hv_pcichild_ejecting; - get_pcichild(hpdev); - INIT_WORK(&hpdev->wrk, hv_eject_device_work); - queue_work(hbus->wq, &hpdev->wrk); diff --git a/patches.suse/suse-hv-pci-hyperv-Revert-PCI-hv-Fix-a-timing-issue-which-causes-kdump-to-fail-occasionally.patch b/patches.suse/suse-hv-pci-hyperv-Revert-PCI-hv-Fix-a-timing-issue-which-causes-kdump-to-fail-occasionally.patch deleted file mode 100644 index 93b8361..0000000 --- a/patches.suse/suse-hv-pci-hyperv-Revert-PCI-hv-Fix-a-timing-issue-which-causes-kdump-to-fail-occasionally.patch +++ /dev/null @@ -1,132 +0,0 @@ -From: Dexuan Cui -Date: Mon, 27 Mar 2023 21:51:20 -0700 -Patch-mainline: never, testing -Subject: Revert "PCI: hv: Fix a timing issue which causes kdump to fail occasionally" -References: bsc#1207185 - -This reverts commit d6af2ed29c7c1c311b96dac989dcb991e90ee195. - -The statement "the hv_pci_bus_exit() call releases structures of all its -child devices" in commit d6af2ed29c7c is not true: in the path -hv_pci_probe() -> hv_pci_enter_d0() -> hv_pci_bus_exit(hdev, true): the -parameter "keep_devs" is true, so hv_pci_bus_exit() does *not* release the -child "struct hv_pci_dev *hpdev" that is created earlier in -pci_devices_present_work() -> new_pcichild_device(). - -The commit d6af2ed29c7c was originally made in July 2020 for RHEL 7.7, -where the old version of hv_pci_bus_exit() was used; when the commit was -rebased and merged into the upstream, people didn't notice that it's -not really necessary. The commit itself doesn't cause any issue, but it -makes hv_pci_probe() more complicated. Revert it to facilitate some -upcoming changes to hv_pci_probe(). - -Signed-off-by: Dexuan Cui -Acked-by: Olaf Hering ---- a/drivers/pci/controller/pci-hyperv.c -+++ b/drivers/pci/controller/pci-hyperv.c -@@ -3238,8 +3238,10 @@ static int hv_pci_enter_d0(struct hv_dev - struct pci_bus_d0_entry *d0_entry; - struct hv_pci_compl comp_pkt; - struct pci_packet *pkt; -+ bool retry = true; - int ret; - -+enter_d0_retry: - /* - * Tell the host that the bus is ready to use, and moved into the - * powered-on state. This includes telling the host which region -@@ -3266,6 +3268,38 @@ static int hv_pci_enter_d0(struct hv_dev - if (ret) - goto exit; - -+ /* -+ * In certain case (Kdump) the pci device of interest was -+ * not cleanly shut down and resource is still held on host -+ * side, the host could return invalid device status. -+ * We need to explicitly request host to release the resource -+ * and try to enter D0 again. -+ */ -+ if (comp_pkt.completion_status < 0 && retry) { -+ retry = false; -+ -+ dev_err(&hdev->device, "Retrying D0 Entry\n"); -+ -+ /* -+ * Hv_pci_bus_exit() calls hv_send_resource_released() -+ * to free up resources of its child devices. -+ * In the kdump kernel we need to set the -+ * wslot_res_allocated to 255 so it scans all child -+ * devices to release resources allocated in the -+ * normal kernel before panic happened. -+ */ -+ hbus->wslot_res_allocated = 255; -+ -+ ret = hv_pci_bus_exit(hdev, true); -+ -+ if (ret == 0) { -+ kfree(pkt); -+ goto enter_d0_retry; -+ } -+ dev_err(&hdev->device, -+ "Retrying D0 failed with ret %d\n", ret); -+ } -+ - if (comp_pkt.completion_status < 0) { - dev_err(&hdev->device, - "PCI Pass-through VSP failed D0 Entry with status %x\n", -@@ -3506,7 +3540,6 @@ static int hv_pci_probe(struct hv_device - struct hv_pcibus_device *hbus; - u16 dom_req, dom; - char *name; -- bool enter_d0_retry = true; - int ret; - - /* -@@ -3646,47 +3679,11 @@ static int hv_pci_probe(struct hv_device - if (ret) - goto free_fwnode; - --retry: - ret = hv_pci_query_relations(hdev); - if (ret) - goto free_irq_domain; - - ret = hv_pci_enter_d0(hdev); -- /* -- * In certain case (Kdump) the pci device of interest was -- * not cleanly shut down and resource is still held on host -- * side, the host could return invalid device status. -- * We need to explicitly request host to release the resource -- * and try to enter D0 again. -- * Since the hv_pci_bus_exit() call releases structures -- * of all its child devices, we need to start the retry from -- * hv_pci_query_relations() call, requesting host to send -- * the synchronous child device relations message before this -- * information is needed in hv_send_resources_allocated() -- * call later. -- */ -- if (ret == -EPROTO && enter_d0_retry) { -- enter_d0_retry = false; -- -- dev_err(&hdev->device, "Retrying D0 Entry\n"); -- -- /* -- * Hv_pci_bus_exit() calls hv_send_resources_released() -- * to free up resources of its child devices. -- * In the kdump kernel we need to set the -- * wslot_res_allocated to 255 so it scans all child -- * devices to release resources allocated in the -- * normal kernel before panic happened. -- */ -- hbus->wslot_res_allocated = 255; -- ret = hv_pci_bus_exit(hdev, true); -- -- if (ret == 0) -- goto retry; -- -- dev_err(&hdev->device, -- "Retrying D0 failed with ret %d\n", ret); -- } - if (ret) - goto free_irq_domain; - diff --git a/patches.suse/suse-hv-pci-hyperv-fix-a-race-condition-bug-in-hv_pci_query_relations.patch b/patches.suse/suse-hv-pci-hyperv-fix-a-race-condition-bug-in-hv_pci_query_relations.patch deleted file mode 100644 index 9fa04f9..0000000 --- a/patches.suse/suse-hv-pci-hyperv-fix-a-race-condition-bug-in-hv_pci_query_relations.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Dexuan Cui -Date: Mon, 27 Mar 2023 21:51:17 -0700 -Patch-mainline: never, testing -Subject: PCI: hv: fix a race condition bug in hv_pci_query_relations() -References: bsc#1207185 - -Fix the longstanding race between hv_pci_query_relations() and -survey_child_resources() by flushing the workqueue before we exit from -hv_pci_query_relations(). - -Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs") -Signed-off-by: Dexuan Cui -Acked-by: Olaf Hering ---- ---- a/drivers/pci/controller/pci-hyperv.c -+++ b/drivers/pci/controller/pci-hyperv.c -@@ -3321,6 +3321,19 @@ static int hv_pci_query_relations(struct - if (!ret) - ret = wait_for_response(hdev, &comp); - -+ /* -+ * In the case of fast device addition/removal, it's possible that -+ * vmbus_sendpacket() or wait_for_response() returns -ENODEV but we -+ * already got a PCI_BUS_RELATIONS* message from the host and the -+ * channel callback already scheduled a work to hbus->wq, which can be -+ * running survey_child_resources() -> complete(&hbus->survey_event), -+ * even after hv_pci_query_relations() exits and the stack variable -+ * 'comp' is no longer valid. This can cause a strange hang issue -+ * or sometimes a page fault. Flush hbus->wq before we exit from -+ * hv_pci_query_relations() to avoid the issues. -+ */ -+ flush_workqueue(hbus->wq); -+ - return ret; - } - diff --git a/patches.suse/udf-Avoid-double-brelse-in-udf_rename.patch b/patches.suse/udf-Avoid-double-brelse-in-udf_rename.patch new file mode 100644 index 0000000..00b145d --- /dev/null +++ b/patches.suse/udf-Avoid-double-brelse-in-udf_rename.patch @@ -0,0 +1,93 @@ +From c791730f2554a9ebb8f18df9368dc27d4ebc38c2 Mon Sep 17 00:00:00 2001 +From: Shigeru Yoshida +Date: Sun, 23 Oct 2022 18:57:41 +0900 +Subject: [PATCH] udf: Avoid double brelse() in udf_rename() +Git-commit: c791730f2554a9ebb8f18df9368dc27d4ebc38c2 +Patch-mainline: v6.2-rc1 +References: bsc#1213032 + +syzbot reported a warning like below [1]: + +Vfs: brelse: Trying to free free buffer +Warning: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0 +... +Call Trace: + + invalidate_bh_lru+0x99/0x150 + smp_call_function_many_cond+0xe2a/0x10c0 + ? generic_remap_file_range_prep+0x50/0x50 + ? __brelse+0xa0/0xa0 + ? __mutex_lock+0x21c/0x12d0 + ? smp_call_on_cpu+0x250/0x250 + ? rcu_read_lock_sched_held+0xb/0x60 + ? lock_release+0x587/0x810 + ? __brelse+0xa0/0xa0 + ? generic_remap_file_range_prep+0x50/0x50 + on_each_cpu_cond_mask+0x3c/0x80 + blkdev_flush_mapping+0x13a/0x2f0 + blkdev_put_whole+0xd3/0xf0 + blkdev_put+0x222/0x760 + deactivate_locked_super+0x96/0x160 + deactivate_super+0xda/0x100 + cleanup_mnt+0x222/0x3d0 + task_work_run+0x149/0x240 + ? task_work_cancel+0x30/0x30 + do_exit+0xb29/0x2a40 + ? reacquire_held_locks+0x4a0/0x4a0 + ? do_raw_spin_lock+0x12a/0x2b0 + ? mm_update_next_owner+0x7c0/0x7c0 + ? rwlock_bug.part.0+0x90/0x90 + ? zap_other_threads+0x234/0x2d0 + do_group_exit+0xd0/0x2a0 + __x64_sys_exit_group+0x3a/0x50 + do_syscall_64+0x34/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The cause of the issue is that brelse() is called on both ofibh.sbh +and ofibh.ebh by udf_find_entry() when it returns NULL. However, +brelse() is called by udf_rename(), too. So, b_count on buffer_head +becomes unbalanced. + +This patch fixes the issue by not calling brelse() by udf_rename() +when udf_find_entry() returns NULL. + +Link: https://syzkaller.appspot.com/bug?id=8297f45698159c6bca8a1f87dc983667c1a1c851 [1] +Reported-by: syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20221023095741.271430-1-syoshida@redhat.com +Acked-by: Jan Kara + +--- + fs/udf/namei.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index fb4c30e05245..d6081538bfc0 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -1091,8 +1091,9 @@ static int udf_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + return -EINVAL; + + ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi); +- if (IS_ERR(ofi)) { +- retval = PTR_ERR(ofi); ++ if (!ofi || IS_ERR(ofi)) { ++ if (IS_ERR(ofi)) ++ retval = PTR_ERR(ofi); + goto end_rename; + } + +@@ -1101,8 +1102,7 @@ static int udf_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + + brelse(ofibh.sbh); + tloc = lelb_to_cpu(ocfi.icb.extLocation); +- if (!ofi || udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) +- != old_inode->i_ino) ++ if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino) + goto end_rename; + + nfi = udf_find_entry(new_dir, &new_dentry->d_name, &nfibh, &ncfi); +-- +2.35.3 + diff --git a/patches.suse/udf-Define-EFSCORRUPTED-error-code.patch b/patches.suse/udf-Define-EFSCORRUPTED-error-code.patch new file mode 100644 index 0000000..d350358 --- /dev/null +++ b/patches.suse/udf-Define-EFSCORRUPTED-error-code.patch @@ -0,0 +1,34 @@ +From 3d2d7e61553dbcc8ba45201d8ae4f383742c8202 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 29 Sep 2022 16:34:45 +0200 +Subject: [PATCH] udf: Define EFSCORRUPTED error code +Git-commit: 3d2d7e61553dbcc8ba45201d8ae4f383742c8202 +Patch-mainline: v6.3-rc1 +References: bsc#1213038 + +Similarly to other filesystems define EFSCORRUPTED error code for +reporting internal filesystem corruption. + +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/udf_sb.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h +index 291b56dd011e..6bccff3c70f5 100644 +--- a/fs/udf/udf_sb.h ++++ b/fs/udf/udf_sb.h +@@ -55,6 +55,8 @@ + #define MF_DUPLICATE_MD 0x01 + #define MF_MIRROR_FE_LOADED 0x02 + ++#define EFSCORRUPTED EUCLEAN ++ + struct udf_meta_data { + __u32 s_meta_file_loc; + __u32 s_mirror_file_loc; +-- +2.35.3 + diff --git a/patches.suse/udf-Detect-system-inodes-linked-into-directory-hiera.patch b/patches.suse/udf-Detect-system-inodes-linked-into-directory-hiera.patch new file mode 100644 index 0000000..04f246c --- /dev/null +++ b/patches.suse/udf-Detect-system-inodes-linked-into-directory-hiera.patch @@ -0,0 +1,45 @@ +From 85a37983ec69cc9fcd188bc37c4de15ee326355a Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 3 Jan 2023 10:03:35 +0100 +Subject: [PATCH] udf: Detect system inodes linked into directory hierarchy +Git-commit: 85a37983ec69cc9fcd188bc37c4de15ee326355a +Patch-mainline: v6.3-rc1 +References: bsc#1213114 + +When UDF filesystem is corrupted, hidden system inodes can be linked +into directory hierarchy which is an avenue for further serious +corruption of the filesystem and kernel confusion as noticed by syzbot +fuzzed images. Refuse to access system inodes linked into directory +hierarchy and vice versa. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+38695a20b8addcbc1084@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/inode.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 9ee269d3d546..96873fa2f683 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1813,8 +1813,13 @@ struct inode *__udf_iget(struct super_block *sb, struct kernel_lb_addr *ino, + if (!inode) + return ERR_PTR(-ENOMEM); + +- if (!(inode->i_state & I_NEW)) ++ if (!(inode->i_state & I_NEW)) { ++ if (UDF_I(inode)->i_hidden != hidden_inode) { ++ iput(inode); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + return inode; ++ } + + memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr)); + err = udf_read_inode(inode, hidden_inode); +-- +2.35.3 + diff --git a/patches.suse/udf-Discard-preallocation-before-extending-file-with.patch b/patches.suse/udf-Discard-preallocation-before-extending-file-with.patch new file mode 100644 index 0000000..3fa26be --- /dev/null +++ b/patches.suse/udf-Discard-preallocation-before-extending-file-with.patch @@ -0,0 +1,136 @@ +From 16d0556568148bdcaa45d077cac9f8f7077cf70a Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 7 Dec 2022 18:17:34 +0100 +Subject: [PATCH] udf: Discard preallocation before extending file with a hole +Git-commit: 16d0556568148bdcaa45d077cac9f8f7077cf70a +Patch-mainline: v6.2-rc1 +References: bsc#1213036 + +When extending file with a hole, we tried to preserve existing +preallocation for the file. However that is not very useful and +complicates code because the previous extent may need to be rounded to +block boundary as well (which we forgot to do thus causing data +corruption for sequence like: + +xfs_io -f -c "pwrite 0x75e63 11008" -c "truncate 0x7b24b" \ + -c "truncate 0xabaa3" -c "pwrite 0xac70b 22954" \ + -c "pwrite 0x93a43 11358" -c "pwrite 0xb8e65 52211" file + +with 512-byte block size. Just discard preallocation before extending +file to simplify things and also fix this data corruption. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/inode.c | 46 ++++++++++++++++++---------------------------- + 1 file changed, 18 insertions(+), 28 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 0246b1b86fb9..44988e4c3fb2 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -434,6 +434,12 @@ static int udf_get_block(struct inode *inode, sector_t block, + iinfo->i_next_alloc_goal++; + } + ++ /* ++ * Block beyond EOF and prealloc extents? Just discard preallocation ++ * as it is not useful and complicates things. ++ */ ++ if (((loff_t)block) << inode->i_blkbits > iinfo->i_lenExtents) ++ udf_discard_prealloc(inode); + udf_clear_extent_cache(inode); + phys = inode_getblk(inode, block, &err, &new); + if (!phys) +@@ -483,8 +489,6 @@ static int udf_do_extend_file(struct inode *inode, + uint32_t add; + int count = 0, fake = !(last_ext->extLength & UDF_EXTENT_LENGTH_MASK); + struct super_block *sb = inode->i_sb; +- struct kernel_lb_addr prealloc_loc = {}; +- uint32_t prealloc_len = 0; + struct udf_inode_info *iinfo; + int err; + +@@ -505,19 +509,6 @@ static int udf_do_extend_file(struct inode *inode, + ~(sb->s_blocksize - 1); + } + +- /* Last extent are just preallocated blocks? */ +- if ((last_ext->extLength & UDF_EXTENT_FLAG_MASK) == +- EXT_NOT_RECORDED_ALLOCATED) { +- /* Save the extent so that we can reattach it to the end */ +- prealloc_loc = last_ext->extLocation; +- prealloc_len = last_ext->extLength; +- /* Mark the extent as a hole */ +- last_ext->extLength = EXT_NOT_RECORDED_NOT_ALLOCATED | +- (last_ext->extLength & UDF_EXTENT_LENGTH_MASK); +- last_ext->extLocation.logicalBlockNum = 0; +- last_ext->extLocation.partitionReferenceNum = 0; +- } +- + /* Can we merge with the previous extent? */ + if ((last_ext->extLength & UDF_EXTENT_FLAG_MASK) == + EXT_NOT_RECORDED_NOT_ALLOCATED) { +@@ -545,7 +536,7 @@ static int udf_do_extend_file(struct inode *inode, + * more extents, we may need to enter possible following + * empty indirect extent. + */ +- if (new_block_bytes || prealloc_len) ++ if (new_block_bytes) + udf_next_aext(inode, last_pos, &tmploc, &tmplen, 0); + } + +@@ -579,17 +570,6 @@ static int udf_do_extend_file(struct inode *inode, + } + + out: +- /* Do we have some preallocated blocks saved? */ +- if (prealloc_len) { +- err = udf_add_aext(inode, last_pos, &prealloc_loc, +- prealloc_len, 1); +- if (err) +- return err; +- last_ext->extLocation = prealloc_loc; +- last_ext->extLength = prealloc_len; +- count++; +- } +- + /* last_pos should point to the last written extent... */ + if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_SHORT) + last_pos->offset -= sizeof(struct short_ad); +@@ -642,8 +622,17 @@ static int udf_extend_file(struct inode *inode, loff_t newsize) + else + BUG(); + ++ /* ++ * When creating hole in file, just don't bother with preserving ++ * preallocation. It likely won't be very useful anyway. ++ */ ++ udf_discard_prealloc(inode); ++ + etype = inode_bmap(inode, first_block, &epos, &eloc, &elen, &offset); + within_final_block = (etype != -1); ++ /* We don't expect extents past EOF... */ ++ WARN_ON_ONCE(etype != -1 && ++ elen > ((loff_t)offset + 1) << inode->i_blkbits); + + if ((!epos.bh && epos.offset == udf_file_entry_alloc_offset(inode)) || + (epos.bh && epos.offset == sizeof(struct allocExtDesc))) { +@@ -772,10 +761,11 @@ static sector_t inode_getblk(struct inode *inode, sector_t block, + goto out_free; + } + +- /* Are we beyond EOF? */ ++ /* Are we beyond EOF and preallocated extent? */ + if (etype == -1) { + int ret; + loff_t hole_len; ++ + isBeyondEOF = true; + if (count) { + if (c) +-- +2.35.3 + diff --git a/patches.suse/udf-Do-not-bother-looking-for-prealloc-extents-if-i_.patch b/patches.suse/udf-Do-not-bother-looking-for-prealloc-extents-if-i_.patch new file mode 100644 index 0000000..b62a956 --- /dev/null +++ b/patches.suse/udf-Do-not-bother-looking-for-prealloc-extents-if-i_.patch @@ -0,0 +1,40 @@ +From 6ad53f0f71c52871202a7bf096feb2c59db33fc5 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 7 Dec 2022 17:34:33 +0100 +Subject: [PATCH] udf: Do not bother looking for prealloc extents if + i_lenExtents matches i_size +Git-commit: 6ad53f0f71c52871202a7bf096feb2c59db33fc5 +Patch-mainline: v6.2-rc1 +References: bsc#1213035 + +If rounded block-rounded i_lenExtents matches block rounded i_size, +there are no preallocation extents. Do not bother walking extent linked +list. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/truncate.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/udf/truncate.c b/fs/udf/truncate.c +index a9790fb32f5f..036ebd892b85 100644 +--- a/fs/udf/truncate.c ++++ b/fs/udf/truncate.c +@@ -127,9 +127,10 @@ void udf_discard_prealloc(struct inode *inode) + uint64_t lbcount = 0; + int8_t etype = -1, netype; + struct udf_inode_info *iinfo = UDF_I(inode); ++ int bsize = 1 << inode->i_blkbits; + + if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB || +- inode->i_size == iinfo->i_lenExtents) ++ ALIGN(inode->i_size, bsize) == ALIGN(iinfo->i_lenExtents, bsize)) + return; + + epos.block = iinfo->i_location; +-- +2.35.3 + diff --git a/patches.suse/udf-Do-not-bother-merging-very-long-extents.patch b/patches.suse/udf-Do-not-bother-merging-very-long-extents.patch new file mode 100644 index 0000000..bd2ea89 --- /dev/null +++ b/patches.suse/udf-Do-not-bother-merging-very-long-extents.patch @@ -0,0 +1,57 @@ +From 53cafe1d6d8ef9f93318e5bfccc0d24f27d41ced Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 16 Dec 2022 12:37:51 +0100 +Subject: [PATCH] udf: Do not bother merging very long extents +Git-commit: 53cafe1d6d8ef9f93318e5bfccc0d24f27d41ced +Patch-mainline: v6.3-rc1 +References: bsc#1213040 + +When merging very long extents we try to push as much length as possible +to the first extent. However this is unnecessarily complicated and not +really worth the trouble. Furthermore there was a bug in the logic +resulting in corrupting extents in the file as syzbot reproducer shows. +So just don't bother with the merging of extents that are too long +together. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+60f291a24acecb3c2bd5@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/inode.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index e077183e2ee3..5498365669eb 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -997,23 +997,8 @@ static void udf_merge_extents(struct inode *inode, struct kernel_long_ad *laarr, + blocksize - 1) >> blocksize_bits)))) { + + if (((li->extLength & UDF_EXTENT_LENGTH_MASK) + +- (lip1->extLength & UDF_EXTENT_LENGTH_MASK) + +- blocksize - 1) & ~UDF_EXTENT_LENGTH_MASK) { +- lip1->extLength = (lip1->extLength - +- (li->extLength & +- UDF_EXTENT_LENGTH_MASK) + +- UDF_EXTENT_LENGTH_MASK) & +- ~(blocksize - 1); +- li->extLength = (li->extLength & +- UDF_EXTENT_FLAG_MASK) + +- (UDF_EXTENT_LENGTH_MASK + 1) - +- blocksize; +- lip1->extLocation.logicalBlockNum = +- li->extLocation.logicalBlockNum + +- ((li->extLength & +- UDF_EXTENT_LENGTH_MASK) >> +- blocksize_bits); +- } else { ++ (lip1->extLength & UDF_EXTENT_LENGTH_MASK) + ++ blocksize - 1) <= UDF_EXTENT_LENGTH_MASK) { + li->extLength = lip1->extLength + + (((li->extLength & + UDF_EXTENT_LENGTH_MASK) + +-- +2.35.3 + diff --git a/patches.suse/udf-Do-not-update-file-length-for-failed-writes-to-i.patch b/patches.suse/udf-Do-not-update-file-length-for-failed-writes-to-i.patch new file mode 100644 index 0000000..816a78a --- /dev/null +++ b/patches.suse/udf-Do-not-update-file-length-for-failed-writes-to-i.patch @@ -0,0 +1,68 @@ +From 256fe4162f8b5a1625b8603ca5f7ff79725bfb47 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 2 Jan 2023 20:14:47 +0100 +Subject: [PATCH] udf: Do not update file length for failed writes to inline + files +Git-commit: 256fe4162f8b5a1625b8603ca5f7ff79725bfb47 +Patch-mainline: v6.3-rc1 +References: bsc#1213041 + +When write to inline file fails (or happens only partly), we still +updated length of inline data as if the whole write succeeded. Fix the +update of length of inline data to happen only if the write succeeds. + +Reported-by: syzbot+0937935b993956ba28ab@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/file.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/fs/udf/file.c b/fs/udf/file.c +index 5c659e23e578..8be51161f3e5 100644 +--- a/fs/udf/file.c ++++ b/fs/udf/file.c +@@ -149,26 +149,24 @@ static ssize_t udf_file_write_iter(struct kiocb *iocb, struct iov_iter *from) + goto out; + + down_write(&iinfo->i_data_sem); +- if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { +- loff_t end = iocb->ki_pos + iov_iter_count(from); +- +- if (inode->i_sb->s_blocksize < +- (udf_file_entry_alloc_offset(inode) + end)) { +- err = udf_expand_file_adinicb(inode); +- if (err) { +- inode_unlock(inode); +- udf_debug("udf_expand_adinicb: err=%d\n", err); +- return err; +- } +- } else { +- iinfo->i_lenAlloc = max(end, inode->i_size); +- up_write(&iinfo->i_data_sem); ++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB && ++ inode->i_sb->s_blocksize < (udf_file_entry_alloc_offset(inode) + ++ iocb->ki_pos + iov_iter_count(from))) { ++ err = udf_expand_file_adinicb(inode); ++ if (err) { ++ inode_unlock(inode); ++ udf_debug("udf_expand_adinicb: err=%d\n", err); ++ return err; + } + } else + up_write(&iinfo->i_data_sem); + + retval = __generic_file_write_iter(iocb, from); + out: ++ down_write(&iinfo->i_data_sem); ++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB && retval > 0) ++ iinfo->i_lenAlloc = inode->i_size; ++ up_write(&iinfo->i_data_sem); + inode_unlock(inode); + + if (retval > 0) { +-- +2.35.3 + diff --git a/patches.suse/udf-Fix-error-handling-in-udf_new_inode.patch b/patches.suse/udf-Fix-error-handling-in-udf_new_inode.patch new file mode 100644 index 0000000..b6a7e58 --- /dev/null +++ b/patches.suse/udf-Fix-error-handling-in-udf_new_inode.patch @@ -0,0 +1,45 @@ +From f05f2429eec60851b98bdde213de31dab697c01b Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 14 Dec 2021 11:04:29 +0100 +Subject: [PATCH] udf: Fix error handling in udf_new_inode() +Git-commit: f05f2429eec60851b98bdde213de31dab697c01b +Patch-mainline: v5.17-rc1 +References: bsc#1213112 + +When memory allocation of iinfo or block allocation fails, already +allocated struct udf_inode_info gets freed with iput() and +udf_evict_inode() may look at inode fields which are not properly +initialized. Fix it by marking inode bad before dropping reference to it +in udf_new_inode(). + +Reported-by: syzbot+9ca499bb57a2b9e4c652@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/ialloc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/udf/ialloc.c b/fs/udf/ialloc.c +index 2ecf0e87660e..b5d611cee749 100644 +--- a/fs/udf/ialloc.c ++++ b/fs/udf/ialloc.c +@@ -77,6 +77,7 @@ struct inode *udf_new_inode(struct inode *dir, umode_t mode) + GFP_KERNEL); + } + if (!iinfo->i_data) { ++ make_bad_inode(inode); + iput(inode); + return ERR_PTR(-ENOMEM); + } +@@ -86,6 +87,7 @@ struct inode *udf_new_inode(struct inode *dir, umode_t mode) + dinfo->i_location.partitionReferenceNum, + start, &err); + if (err) { ++ make_bad_inode(inode); + iput(inode); + return ERR_PTR(err); + } +-- +2.35.3 + diff --git a/patches.suse/udf-Fix-extending-file-within-last-block.patch b/patches.suse/udf-Fix-extending-file-within-last-block.patch new file mode 100644 index 0000000..a14a7d9 --- /dev/null +++ b/patches.suse/udf-Fix-extending-file-within-last-block.patch @@ -0,0 +1,104 @@ +From 1f3868f06855c97a4954c99b36f3fc9eb8f60326 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 8 Dec 2022 13:03:30 +0100 +Subject: [PATCH] udf: Fix extending file within last block +Git-commit: 1f3868f06855c97a4954c99b36f3fc9eb8f60326 +Patch-mainline: v6.2-rc1 +References: bsc#1213037 + +When extending file within last block it can happen that the extent is +already rounded to the blocksize and thus contains the offset we want to +grow up to. In such case we would mistakenly expand the last extent and +make it one block longer than it should be, exposing unallocated block +in a file and causing data corruption. Fix the problem by properly +detecting this case and bailing out. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/inode.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 44988e4c3fb2..1d7c2a812fc1 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -585,13 +585,17 @@ static int udf_do_extend_file(struct inode *inode, + static void udf_do_extend_final_block(struct inode *inode, + struct extent_position *last_pos, + struct kernel_long_ad *last_ext, +- uint32_t final_block_len) ++ uint32_t new_elen) + { +- struct super_block *sb = inode->i_sb; + uint32_t added_bytes; + +- added_bytes = final_block_len - +- (last_ext->extLength & (sb->s_blocksize - 1)); ++ /* ++ * Extent already large enough? It may be already rounded up to block ++ * size... ++ */ ++ if (new_elen <= (last_ext->extLength & UDF_EXTENT_LENGTH_MASK)) ++ return; ++ added_bytes = (last_ext->extLength & UDF_EXTENT_LENGTH_MASK) - new_elen; + last_ext->extLength += added_bytes; + UDF_I(inode)->i_lenExtents += added_bytes; + +@@ -608,12 +612,12 @@ static int udf_extend_file(struct inode *inode, loff_t newsize) + int8_t etype; + struct super_block *sb = inode->i_sb; + sector_t first_block = newsize >> sb->s_blocksize_bits, offset; +- unsigned long partial_final_block; ++ loff_t new_elen; + int adsize; + struct udf_inode_info *iinfo = UDF_I(inode); + struct kernel_long_ad extent; + int err = 0; +- int within_final_block; ++ bool within_last_ext; + + if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_SHORT) + adsize = sizeof(struct short_ad); +@@ -629,9 +633,9 @@ static int udf_extend_file(struct inode *inode, loff_t newsize) + udf_discard_prealloc(inode); + + etype = inode_bmap(inode, first_block, &epos, &eloc, &elen, &offset); +- within_final_block = (etype != -1); ++ within_last_ext = (etype != -1); + /* We don't expect extents past EOF... */ +- WARN_ON_ONCE(etype != -1 && ++ WARN_ON_ONCE(within_last_ext && + elen > ((loff_t)offset + 1) << inode->i_blkbits); + + if ((!epos.bh && epos.offset == udf_file_entry_alloc_offset(inode)) || +@@ -648,19 +652,17 @@ static int udf_extend_file(struct inode *inode, loff_t newsize) + extent.extLength |= etype << 30; + } + +- partial_final_block = newsize & (sb->s_blocksize - 1); ++ new_elen = ((loff_t)offset << inode->i_blkbits) | ++ (newsize & (sb->s_blocksize - 1)); + + /* File has extent covering the new size (could happen when extending + * inside a block)? + */ +- if (within_final_block) { ++ if (within_last_ext) { + /* Extending file within the last file block */ +- udf_do_extend_final_block(inode, &epos, &extent, +- partial_final_block); ++ udf_do_extend_final_block(inode, &epos, &extent, new_elen); + } else { +- loff_t add = ((loff_t)offset << sb->s_blocksize_bits) | +- partial_final_block; +- err = udf_do_extend_file(inode, &epos, &extent, add); ++ err = udf_do_extend_file(inode, &epos, &extent, new_elen); + } + + if (err < 0) +-- +2.35.3 + diff --git a/patches.suse/udf-Fix-preallocation-discarding-at-indirect-extent-.patch b/patches.suse/udf-Fix-preallocation-discarding-at-indirect-extent-.patch new file mode 100644 index 0000000..289be95 --- /dev/null +++ b/patches.suse/udf-Fix-preallocation-discarding-at-indirect-extent-.patch @@ -0,0 +1,101 @@ +From cfe4c1b25dd6d2f056afc00b7c98bcb3dd0b1fc3 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 7 Dec 2022 17:25:10 +0100 +Subject: [PATCH] udf: Fix preallocation discarding at indirect extent boundary +Git-commit: cfe4c1b25dd6d2f056afc00b7c98bcb3dd0b1fc3 +Patch-mainline: v6.2-rc1 +References: bsc#1213034 + +When preallocation extent is the first one in the extent block, the +code would corrupt extent tree header instead. Fix the problem and use +udf_delete_aext() for deleting extent to avoid some code duplication. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/truncate.c | 45 +++++++++++++-------------------------------- + 1 file changed, 13 insertions(+), 32 deletions(-) + +diff --git a/fs/udf/truncate.c b/fs/udf/truncate.c +index 532cda99644e..a9790fb32f5f 100644 +--- a/fs/udf/truncate.c ++++ b/fs/udf/truncate.c +@@ -120,60 +120,41 @@ void udf_truncate_tail_extent(struct inode *inode) + + void udf_discard_prealloc(struct inode *inode) + { +- struct extent_position epos = { NULL, 0, {0, 0} }; ++ struct extent_position epos = {}; ++ struct extent_position prev_epos = {}; + struct kernel_lb_addr eloc; + uint32_t elen; + uint64_t lbcount = 0; + int8_t etype = -1, netype; +- int adsize; + struct udf_inode_info *iinfo = UDF_I(inode); + + if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB || + inode->i_size == iinfo->i_lenExtents) + return; + +- if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_SHORT) +- adsize = sizeof(struct short_ad); +- else if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_LONG) +- adsize = sizeof(struct long_ad); +- else +- adsize = 0; +- + epos.block = iinfo->i_location; + + /* Find the last extent in the file */ +- while ((netype = udf_next_aext(inode, &epos, &eloc, &elen, 1)) != -1) { +- etype = netype; ++ while ((netype = udf_next_aext(inode, &epos, &eloc, &elen, 0)) != -1) { ++ brelse(prev_epos.bh); ++ prev_epos = epos; ++ if (prev_epos.bh) ++ get_bh(prev_epos.bh); ++ ++ etype = udf_next_aext(inode, &epos, &eloc, &elen, 1); + lbcount += elen; + } + if (etype == (EXT_NOT_RECORDED_ALLOCATED >> 30)) { +- epos.offset -= adsize; + lbcount -= elen; +- extent_trunc(inode, &epos, &eloc, etype, elen, 0); +- if (!epos.bh) { +- iinfo->i_lenAlloc = +- epos.offset - +- udf_file_entry_alloc_offset(inode); +- mark_inode_dirty(inode); +- } else { +- struct allocExtDesc *aed = +- (struct allocExtDesc *)(epos.bh->b_data); +- aed->lengthAllocDescs = +- cpu_to_le32(epos.offset - +- sizeof(struct allocExtDesc)); +- if (!UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_STRICT) || +- UDF_SB(inode->i_sb)->s_udfrev >= 0x0201) +- udf_update_tag(epos.bh->b_data, epos.offset); +- else +- udf_update_tag(epos.bh->b_data, +- sizeof(struct allocExtDesc)); +- mark_buffer_dirty_inode(epos.bh, inode); +- } ++ udf_delete_aext(inode, prev_epos); ++ udf_free_blocks(inode->i_sb, inode, &eloc, 0, ++ DIV_ROUND_UP(elen, 1 << inode->i_blkbits)); + } + /* This inode entry is in-memory only and thus we don't have to mark + * the inode dirty */ + iinfo->i_lenExtents = lbcount; + brelse(epos.bh); ++ brelse(prev_epos.bh); + } + + static void udf_update_alloc_ext_desc(struct inode *inode, +-- +2.35.3 + diff --git a/patches.suse/udf-Preserve-link-count-of-system-files.patch b/patches.suse/udf-Preserve-link-count-of-system-files.patch new file mode 100644 index 0000000..666378e --- /dev/null +++ b/patches.suse/udf-Preserve-link-count-of-system-files.patch @@ -0,0 +1,78 @@ +From fc8033a34a3ca7d23353e645e6dde5d364ac5f12 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 3 Jan 2023 09:56:56 +0100 +Subject: [PATCH] udf: Preserve link count of system files +Git-commit: fc8033a34a3ca7d23353e645e6dde5d364ac5f12 +Patch-mainline: v6.3-rc1 +References: bsc#1213113 + +System files in UDF filesystem have link count 0. To not confuse VFS we +fudge the link count to be 1 when reading such inodes however we forget +to restore the link count of 0 when writing such inodes. Fix that. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/inode.c | 9 +++++++-- + fs/udf/super.c | 1 + + fs/udf/udf_i.h | 3 ++- + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 31965c3798f2..9ee269d3d546 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1301,6 +1301,7 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode) + ret = -EIO; + goto out; + } ++ iinfo->i_hidden = hidden_inode; + iinfo->i_unique = 0; + iinfo->i_lenEAttr = 0; + iinfo->i_lenExtents = 0; +@@ -1636,8 +1637,12 @@ static int udf_update_inode(struct inode *inode, int do_sync) + + if (S_ISDIR(inode->i_mode) && inode->i_nlink > 0) + fe->fileLinkCount = cpu_to_le16(inode->i_nlink - 1); +- else +- fe->fileLinkCount = cpu_to_le16(inode->i_nlink); ++ else { ++ if (iinfo->i_hidden) ++ fe->fileLinkCount = cpu_to_le16(0); ++ else ++ fe->fileLinkCount = cpu_to_le16(inode->i_nlink); ++ } + + fe->informationLength = cpu_to_le64(inode->i_size); + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 06eda8177b5f..241b40e886b3 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -147,6 +147,7 @@ static struct inode *udf_alloc_inode(struct super_block *sb) + ei->i_next_alloc_goal = 0; + ei->i_strat4096 = 0; + ei->i_streamdir = 0; ++ ei->i_hidden = 0; + init_rwsem(&ei->i_data_sem); + ei->cached_extent.lstart = -1; + spin_lock_init(&ei->i_extent_cache_lock); +diff --git a/fs/udf/udf_i.h b/fs/udf/udf_i.h +index 06ff7006b822..312b7c9ef10e 100644 +--- a/fs/udf/udf_i.h ++++ b/fs/udf/udf_i.h +@@ -44,7 +44,8 @@ struct udf_inode_info { + unsigned i_use : 1; /* unallocSpaceEntry */ + unsigned i_strat4096 : 1; + unsigned i_streamdir : 1; +- unsigned reserved : 25; ++ unsigned i_hidden : 1; /* hidden system inode */ ++ unsigned reserved : 24; + __u8 *i_data; + struct kernel_lb_addr i_locStreamdir; + __u64 i_lenStreams; +-- +2.35.3 + diff --git a/patches.suse/udf-Truncate-added-extents-on-failed-expansion.patch b/patches.suse/udf-Truncate-added-extents-on-failed-expansion.patch new file mode 100644 index 0000000..ae54a1a --- /dev/null +++ b/patches.suse/udf-Truncate-added-extents-on-failed-expansion.patch @@ -0,0 +1,70 @@ +From 70bfb3a8d661d4fdc742afc061b88a7f3fc9f500 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 15 Dec 2022 14:24:03 +0100 +Subject: [PATCH] udf: Truncate added extents on failed expansion +Git-commit: 70bfb3a8d661d4fdc742afc061b88a7f3fc9f500 +Patch-mainline: v6.3-rc1 +References: bsc#1213039 + +When a file expansion failed because we didn't have enough space for +indirect extents make sure we truncate extents created so far so that we +don't leave extents beyond EOF. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/udf/inode.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 9655fc014c7a..e077183e2ee3 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -431,8 +431,10 @@ static int udf_do_extend_file(struct inode *inode, + } + + if (fake) { +- udf_add_aext(inode, last_pos, &last_ext->extLocation, +- last_ext->extLength, 1); ++ err = udf_add_aext(inode, last_pos, &last_ext->extLocation, ++ last_ext->extLength, 1); ++ if (err < 0) ++ goto out_err; + count++; + } else { + struct kernel_lb_addr tmploc; +@@ -466,7 +468,7 @@ static int udf_do_extend_file(struct inode *inode, + err = udf_add_aext(inode, last_pos, &last_ext->extLocation, + last_ext->extLength, 1); + if (err) +- return err; ++ goto out_err; + count++; + } + if (new_block_bytes) { +@@ -475,7 +477,7 @@ static int udf_do_extend_file(struct inode *inode, + err = udf_add_aext(inode, last_pos, &last_ext->extLocation, + last_ext->extLength, 1); + if (err) +- return err; ++ goto out_err; + count++; + } + +@@ -489,6 +491,11 @@ static int udf_do_extend_file(struct inode *inode, + return -EIO; + + return count; ++out_err: ++ /* Remove extents we've created so far */ ++ udf_clear_extent_cache(inode); ++ udf_truncate_extents(inode); ++ return err; + } + + /* Extend the final block of the file to final_block_len bytes */ +-- +2.35.3 + diff --git a/patches.suse/writeback-fix-call-of-incorrect-macro.patch b/patches.suse/writeback-fix-call-of-incorrect-macro.patch new file mode 100644 index 0000000..f04411a --- /dev/null +++ b/patches.suse/writeback-fix-call-of-incorrect-macro.patch @@ -0,0 +1,41 @@ +From 3e46c89c74f2c38e5337d2cf44b0b551adff1cb4 Mon Sep 17 00:00:00 2001 +From: Maxim Korotkov +Date: Thu, 19 Jan 2023 13:44:43 +0300 +Subject: [PATCH] writeback: fix call of incorrect macro +Git-commit: 3e46c89c74f2c38e5337d2cf44b0b551adff1cb4 +Patch-mainline: v6.4-rc1 +References: bsc#1213024 + + the variable 'history' is of type u16, it may be an error + that the hweight32 macro was used for it + I guess macro hweight16 should be used + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 2a81490811d0 ("writeback: implement foreign cgroup inode detection") +Signed-off-by: Maxim Korotkov +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230119104443.3002-1-korotkov.maxim.s@gmail.com +Signed-off-by: Jens Axboe +Acked-by: Jan Kara + +--- + fs/fs-writeback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index 195dc23e0d83..6faeb45234ed 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -829,7 +829,7 @@ void wbc_detach_inode(struct writeback_control *wbc) + * is okay. The main goal is avoiding keeping an inode on + * the wrong wb for an extended period of time. + */ +- if (hweight32(history) > WB_FRN_HIST_THR_SLOTS) ++ if (hweight16(history) > WB_FRN_HIST_THR_SLOTS) + inode_switch_wbs(inode, max_id); + } + +-- +2.35.3 + diff --git a/scripts/gitlog2changes b/scripts/gitlog2changes index 15435c5..7992c78 100755 --- a/scripts/gitlog2changes +++ b/scripts/gitlog2changes @@ -70,7 +70,7 @@ sub parse_gitlog { my $expect = $states[$st]; if ($expect eq "blank") { if ($gpgsig > 0) { - if ($line =~ /-----END PGP SIGNATURE-----/) { + if ($line =~ /-----END (SSH|PGP) SIGNATURE-----/) { $gpgsig = 0; } next; diff --git a/series.conf b/series.conf index 928ce5b..689604b 100644 --- a/series.conf +++ b/series.conf @@ -6992,6 +6992,7 @@ patches.suse/sched-Move-kprobes-cleanup-out-of-finish_task_switch.patch patches.suse/sched-Remove-pointless-preemption-disable-in-sched_submit_work.patch patches.suse/sched-fair-Removed-useless-update-of-p-recent_used_cpu.patch + patches.suse/sched-Fix-DEBUG-SCHEDSTATS-warn.patch patches.suse/sched-numa-Replace-hard-coded-number-by-a-define-in-numa_task_group.patch patches.suse/sched-numa-Remove-the-redundant-member-numa_group-fault_cpus.patch patches.suse/sched-numa-Fix-a-few-comments.patch @@ -14236,7 +14237,6 @@ patches.suse/0956-drm-i915-Test-all-device-memory-on-probing.patch patches.suse/0957-drm-i915-ttm-fix-large-buffer-population-trucation.patch patches.suse/0958-drm-i915-debugfs-add-noreclaim-annotations.patch - patches.suse/0959-drm-i915-replace-X86_FEATURE_PAT-with-pat_enabled.patch patches.suse/0960-drm-i915-guc-Remove-racey-GEM_BUG_ON.patch patches.suse/0961-drm-i915-guc-Don-t-hog-IRQs-when-destroying-contexts.patch patches.suse/0962-drm-i915-guc-Add-extra-debug-on-CT-deadlock.patch @@ -16265,6 +16265,7 @@ patches.suse/usb-dwc2-gadget-initialize-max_speed-from-params.patch patches.suse/usb-gadget-u_audio-Subdevice-0-for-capture-ctls.patch patches.suse/filemap-Remove-PageHWPoison-check-from-next_uptodate_page.patch + patches.suse/udf-Fix-error-handling-in-udf_new_inode.patch patches.suse/fuse-Pass-correct-lend-value-to-filemap_write_and_wait_range.patch patches.suse/fscache-cachefiles-Disable-configuration.patch patches.suse/cachefiles-Delete-the-cachefiles-driver-pending-rewrite.patch @@ -19130,6 +19131,9 @@ patches.suse/NFSD-prevent-integer-overflow-on-32-bit-systems.patch patches.suse/ext4-correct-cluster-len-and-clusters-changed-accoun.patch patches.suse/ext4-fix-ext4_mb_mark_bb-with-flex_bg-with-fast_comm.patch + patches.suse/ext4-refactor-ext4_free_blocks-to-pull-out-ext4_mb_c.patch + patches.suse/ext4-add-ext4_sb_block_valid-refactored-out-of-ext4_.patch + patches.suse/ext4-add-strict-range-checks-while-freeing-blocks.patch patches.suse/ext4-fix-fs-corruption-when-tring-to-remove-a-non-em.patch patches.suse/ext4-fix-ext4_fc_stats-trace-point.patch patches.suse/btrfs-remove-write-and-wait-of-struct-walk_control.patch @@ -23502,6 +23506,7 @@ patches.suse/rtc-pl031-fix-rtc-features-null-pointer-dereference.patch patches.suse/rtc-sun6i-Fix-time-overflow-handling.patch patches.suse/rtc-wm8350-Handle-error-for-wm8350_register_irq.patch + patches.suse/rtc-efi-switch-to-devm_rtc_allocate_device.patch patches.suse/rtc-mc146818-lib-Fix-the-AltCentury-for-AMD-platform.patch patches.suse/rtc-check-if-__rtc_read_time-was-successful.patch patches.suse/Input-add-bounds-checking-to-input_set_capability.patch @@ -30246,6 +30251,7 @@ patches.suse/Documentation-PM-Drop-pme_interrupt-reference.patch patches.suse/thermal-tools-tmon-Include-pthread-and-time-headers-.patch patches.suse/thermal-core-Remove-duplicate-information-when-an-er.patch + patches.suse/io_uring-don-t-expose-io_fill_cqe_aux.patch patches.suse/0020-block-fix-infinite-loop-for-invalid-zone-append.patch patches.suse/0021-block-bio-remove-duplicate-append-pages-code.patch patches.suse/0153-block-factor-out-a-chunk_size_left-helper.patch @@ -32734,6 +32740,7 @@ patches.suse/ext4-remove-EA-inode-entry-from-mbcache-on-inode-evi.patch patches.suse/ext4-unindent-codeblock-in-ext4_xattr_block_set.patch patches.suse/ext4-fix-race-when-reusing-xattr-blocks.patch + patches.suse/ext4-block-range-must-be-validated-before-use-in-ext.patch patches.suse/jbd2-fix-assertion-jh-b_frozen_data-NULL-failure-whe.patch patches.suse/ext4-avoid-resizing-to-a-partial-cluster-size.patch patches.suse/xfs-fix-use-after-free-in-xattr-node-block-inactivat.patch @@ -33986,7 +33993,6 @@ patches.suse/perf-x86-intel-ds-Fix-precise-store-latency-handling.patch patches.suse/perf-x86-intel-Fix-pebs-event-constraints-for-ADL.patch patches.suse/perf-x86-intel-uncore-Fix-broken-read_counter-for-SNB-IMC-PMU.patch - patches.suse/x86-PAT-Have-pat_enabled-properly-reflect-state-when.patch patches.suse/x86-bugs-add-unknown-reporting-for-mmio-stale-data.patch patches.suse/x86-nospec-unwreck-the-rsb-stuffing.patch patches.suse/x86-cpu-Add-new-Raptor-Lake-CPU-model-number.patch @@ -34285,6 +34291,7 @@ patches.suse/nvmet-fix-mar-and-mor-off-by-one-errors.patch patches.suse/nvme-requeue-aen-after-firmware-activation.patch patches.suse/debugfs-add-debugfs_lookup_and_remove.patch + patches.suse/sched-debug-fix-dentry-leak-in-update_sched_domain_d.patch patches.suse/scsi-lpfc-Return-DID_TRANSPORT_DISRUPTED-instead-of-.patch patches.suse/scsi-lpfc-Add-missing-destroy_workqueue-in-error-pat.patch patches.suse/scsi-mpt3sas-Fix-use-after-free-warning.patch @@ -36165,7 +36172,7 @@ patches.suse/0386-drm-amd-display-Removed-unused-variable-sdp_stream_e.patch patches.suse/0387-drm-amd-display-Remove-unused-struct-i2c_id_config_a.patch patches.suse/0388-drm-amdgpu-Fix-VRAM-BO-swap-issue.patch - patches.suse/0389-drm-amdgpu-Set-vmbo-destroy-after-pt-bo-is-created.patch + patches.suse/drm-amdgpu-Set-vmbo-destroy-after-pt-bo-is-created.patch patches.suse/0390-drm-amdgpu-Correct-amdgpu_amdkfd_total_mem_size-calc.patch patches.suse/Revert-drm-amdgpu-use-dirty-framebuffer-helper.patch patches.suse/0392-drm-amd-display-explicitly-disable-psr_feature_enabl.patch @@ -37418,6 +37425,7 @@ patches.suse/ext4-silence-the-warning-when-evicting-inode-with-di.patch patches.suse/ext4-add-inode-table-check-in-__ext4_get_inode_loc-t.patch patches.suse/jbd2-use-the-correct-print-format.patch + patches.suse/ext4-fix-bug_on-in-__es_tree_search-caused-by-bad-qu.patch patches.suse/ext4-add-helper-to-check-quota-inums.patch patches.suse/ext4-add-EXT4_IGET_BAD-flag-to-prevent-unexpected-ba.patch patches.suse/ext4-fix-bug_on-in-__es_tree_search-caused-by-bad-bo.patch @@ -37446,6 +37454,11 @@ patches.suse/ext4-fix-inode-leak-in-ext4_xattr_inode_create-on-an.patch patches.suse/ext4-fix-reserved-cluster-accounting-in-__es_remove_.patch patches.suse/fuse-always-revalidate-rename-target-dentry.patch + patches.suse/udf-Avoid-double-brelse-in-udf_rename.patch + patches.suse/udf-Fix-preallocation-discarding-at-indirect-extent-.patch + patches.suse/udf-Do-not-bother-looking-for-prealloc-extents-if-i_.patch + patches.suse/udf-Discard-preallocation-before-extending-file-with.patch + patches.suse/udf-Fix-extending-file-within-last-block.patch patches.suse/fs-jfs-fix-shift-out-of-bounds-in-dbAllocAG.patch patches.suse/jfs-Fix-fortify-moan-in-symlink.patch patches.suse/fs-jfs-fix-shift-out-of-bounds-in-dbDiscardAG.patch @@ -37505,6 +37518,8 @@ patches.suse/nvme-return-err-on-nvme_init_non_mdts_limits-fail.patch patches.suse/block-Do-not-reread-partition-table-on-exclusively-o.patch patches.suse/floppy-Fix-memory-leak-in-do_floppy_init.patch + patches.suse/0001-nvme-introduce-nvme_start_request.patch + patches.suse/0002-nvme-multipath-support-io-stats-on-the-mpath-device.patch patches.suse/0043-blktrace-Fix-output-non-blktrace-event-when-blk_classic-option-enabled.patch patches.suse/ata-libata-fix-NCQ-autosense-logic.patch patches.suse/0044-dm-thin-Fix-UAF-in-run_timer_softirq.patch @@ -38160,6 +38175,7 @@ patches.suse/dmaengine-idxd-Fix-crc_val-field-for-completion-reco.patch patches.suse/rtc-ds1347-fix-value-written-to-century-register.patch patches.suse/rtc-snvs-Allow-a-time-difference-on-clock-register-r.patch + patches.suse/rtc-efi-Add-wakeup-support.patch patches.suse/rtc-pcf85063-Fix-reading-alarm.patch patches.suse/rtc-st-lpc-Add-missing-clk_disable_unprepare-in-st_r.patch patches.suse/rtc-pic32-Move-devm_rtc_allocate_device-earlier-in-p.patch @@ -38608,6 +38624,7 @@ patches.suse/mmc-sunxi-mmc-Fix-clock-refcount-imbalance-during-un.patch patches.suse/ACPI-PRM-Check-whether-EFI-runtime-is-available.patch patches.suse/btrfs-fix-race-between-quota-rescan-and-disable-lead.patch + patches.suse/io_uring-msg_ring-fix-missing-lock-on-overflow-for-I.patch patches.suse/blk-cgroup-fix-missing-pd_online_fn-while-activating-policy-e3ff.patch patches.suse/nvme-pci-fix-timeout-request-state-check.patch patches.suse/RDMA-rxe-Fix-inaccurate-constants-in-rxe_type_info.patch @@ -38788,6 +38805,7 @@ patches.suse/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq-b600.patch patches.suse/nvme-fc-fix-a-missing-queue-put-in-nvmet_fc_ls_creat.patch patches.suse/nvme-auth-use-workqueue-dedicated-to-authentication.patch + patches.suse/rtc-efi-Enable-SET-GET-WAKEUP-services-as-optional.patch patches.suse/powerpc-64s-Fix-local-irq-disable-when-PMIs-are-disa.patch patches.suse/powerpc-kexec_file-Fix-division-by-zero-in-extra-siz.patch patches.suse/powerpc-64s-radix-Fix-crash-with-unaligned-relocated.patch @@ -38931,6 +38949,12 @@ patches.suse/0001-kvm-initialize-all-of-the-kvm_debugregs-structure-be.patch patches.suse/alarmtimer-Prevent-starvation-by-small-intervals-and.patch patches.suse/KEYS-asymmetric-Fix-ECDSA-use-via-keyctl-uapi.patch + patches.suse/udf-Define-EFSCORRUPTED-error-code.patch + patches.suse/udf-Truncate-added-extents-on-failed-expansion.patch + patches.suse/udf-Do-not-bother-merging-very-long-extents.patch + patches.suse/udf-Do-not-update-file-length-for-failed-writes-to-i.patch + patches.suse/udf-Preserve-link-count-of-system-files.patch + patches.suse/udf-Detect-system-inodes-linked-into-directory-hiera.patch patches.suse/udf-Check-consistency-of-Space-Bitmap-Descriptor.patch patches.suse/nvme-auth-don-t-use-NVMe-status-codes.patch patches.suse/s390-dasd-Fix-potential-memleak-in-dasd_eckd_init.patch @@ -39397,8 +39421,14 @@ patches.suse/serial-sc16is7xx-setup-GPIO-controller-later-in-prob.patch patches.suse/serial-tegra-Add-missing-clk_disable_unprepare-in-te.patch patches.suse/tty-serial-fsl_lpuart-Fix-the-wrong-RXWATER-setting-.patch + patches.suse/hvcs-Fix-hvcs-port-reference-counting.patch patches.suse/serial-fsl_lpuart-fix-RS485-RTS-polariy-inverse-issu.patch patches.suse/tty-serial-imx-disable-Ageing-Timer-interrupt-reques.patch + patches.suse/hvcs-Use-dev_groups-to-manage-hvcs-device-attributes.patch + patches.suse/hvcs-Use-driver-groups-to-manage-driver-attributes.patch + patches.suse/hvcs-Get-reference-to-tty-in-remove.patch + patches.suse/hvcs-Use-vhangup-in-hotplug-remove.patch + patches.suse/hvcs-Synchronize-hotplug-remove-with-port-free.patch patches.suse/staging-emxx_udc-Add-checks-for-dma_alloc_coherent.patch patches.suse/Revert-char-pcmcia-cm4000_cs-Replace-mdelay-with-usl.patch patches.suse/comedi-use-menuconfig-for-main-Comedi-menu.patch @@ -39562,10 +39592,17 @@ patches.suse/wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch patches.suse/vc_screen-modify-vcs_size-handling-in-vcs_read.patch patches.suse/vc_screen-don-t-clobber-return-value-in-vcs_read.patch + patches.suse/ext4-use-ext4_fc_tl_mem-in-fast-commit-replay-path.patch + patches.suse/ext4-refuse-to-create-ea-block-when-umounted.patch + patches.suse/ext4-fail-ext4_iget-if-special-inode-unallocated.patch + patches.suse/ext4-update-s_journal_inum-if-it-changes-after-journ.patch + patches.suse/jbd2-fix-data-missing-when-reusing-bh-which-is-ready.patch + patches.suse/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch patches.suse/ext4-Fix-possible-corruption-when-moving-a-directory.patch patches.suse/ext4-fix-incorrect-options-show-of-original-mount_op.patch patches.suse/pwm-stm32-lp-fix-the-check-on-arr-and-cmp-registers-.patch patches.suse/fs-jfs-fix-shift-exponent-db_agl2size-negative.patch + patches.suse/0001-ubi-ensure-that-VID-header-offset-VID-header-size-al.patch patches.suse/regulator-core-Use-ktime_get_boottime-to-determine-h.patch patches.suse/spi-tegra210-quad-Fix-validate-combined-sequence.patch patches.suse/spi-tegra210-quad-Fix-iterator-outside-loop.patch @@ -39677,6 +39714,9 @@ patches.suse/ext4-fix-RENAME_WHITEOUT-handling-for-inline-directo.patch patches.suse/ext4-fix-another-off-by-one-fsmap-error-on-1k-block-.patch patches.suse/ext4-Fix-deadlock-during-directory-rename.patch + patches.suse/ext4-move-where-set-the-MAY_INLINE_DATA-flag-is-set.patch + patches.suse/ext4-fix-WARNING-in-ext4_update_inline_data.patch + patches.suse/ext4-zero-i_disksize-when-initializing-the-bootloade.patch patches.suse/watch_queue-fix-IOC_WATCH_QUEUE_SET_SIZE-alloc-error.patch patches.suse/fork-allow-CLONE_NEWTIME-in-clone3-flags.patch patches.suse/staging-rtl8192e-Remove-function-.dm_check_ac_dc_pow.patch @@ -40108,6 +40148,7 @@ patches.suse/ALSA-hda-hdmi-disable-KAE-for-Intel-DG2.patch patches.suse/scsi-ses-Handle-enclosure-with-just-a-primary-component-gracefully.patch patches.suse/i2c-ocores-generate-stop-condition-after-timeout-in-.patch + patches.suse/0001-ubi-Fix-failure-attaching-when-vid_hdr-offset-equals.patch patches.suse/cifs-fix-negotiate-context-parsing.patch patches.suse/purgatory-fix-disabling-debug-info.patch patches.suse/powerpc-papr_scm-Update-the-NUMA-distance-table-for-.patch @@ -40270,6 +40311,7 @@ patches.suse/crypto-caam-Clear-some-memory-in-instantiate_rng.patch patches.suse/crypto-sa2ul-Select-CRYPTO_DES.patch patches.suse/crypto-drbg-Only-fail-when-jent-is-unavailable-in-FI.patch + patches.suse/jdb2-Don-t-refuse-invalidation-of-already-invalidate.patch patches.suse/s390-dasd-fix-hanging-blockdevice-after-request-requeue.patch patches.suse/nvmet-fix-Identify-Namespace-handling.patch patches.suse/nvmet-fix-Identify-Controller-handling.patch @@ -40472,6 +40514,8 @@ patches.suse/smb3-make-query_on_disk_id-open-context-consistent-and-move-to-comm.patch patches.suse/smb3-move-some-common-open-context-structs-to-smbfs_common.patch patches.suse/cifs-update-internal-module-version-number-for-cifs-ko-9be11a69.patch + patches.suse/ext4-fix-i_disksize-exceeding-i_size-problem-in-pari.patch + patches.suse/ext4-fix-use-after-free-read-in-ext4_find_extent-for.patch patches.suse/rtc-omap-include-header-for-omap_rtc_power_off_progr.patch patches.suse/rtc-meson-vrtc-Use-ktime_get_real_ts64-to-get-the-cu.patch patches.suse/KVM-arm64-Limit-length-in-kvm_vm_ioctl_mte_copy_tags-to-INT_MAX.patch @@ -40519,6 +40563,7 @@ patches.suse/drm-amdgpu-add-a-missing-lock-for-AMDGPU_SCHED.patch patches.suse/drm-i915-dsi-Use-unconditional-msleep-instead-of-int.patch patches.suse/tracing-Fix-permissions-for-the-buffer_percent-file.patch + patches.suse/Documentation-timers-hrtimers-Make-hybrid-union-hist.patch patches.suse/i2c-tegra-Fix-PEC-support-for-SMBUS-block-read.patch patches.suse/i2c-omap-Fix-standard-mode-false-ACK-readings.patch patches.suse/ixgbe-Fix-panic-during-XDP_TX-with-64-CPUs.patch @@ -40539,6 +40584,7 @@ patches.suse/ALSA-caiaq-input-Add-error-handling-for-unsupported-.patch patches.suse/ASoC-Intel-soc-acpi-byt-Fix-WM510205-match-no-longer.patch patches.suse/ALSA-hda-realtek-Fix-mute-and-micmute-LEDs-for-an-HP.patch + patches.suse/writeback-fix-call-of-incorrect-macro.patch patches.suse/scsi-qedi-Fix-use-after-free-bug-in-qedi_remove.patch patches.suse/nilfs2-fix-infinite-loop-in-nilfs_mdt_get_block.patch patches.suse/nilfs2-do-not-write-dirty-data-after-degenerating-to.patch @@ -40556,7 +40602,9 @@ patches.suse/platform-x86-touchscreen_dmi-Add-upside-down-quirk-f.patch patches.suse/platform-x86-touchscreen_dmi-Add-info-for-the-Dexp-U.patch patches.suse/gfs2-Don-t-deref-jdesc-in-evict.patch + patches.suse/inotify-Avoid-reporting-event-with-invalid-wd.patch patches.suse/net-mdio-mvusb-Fix-an-error-handling-path-in-mvusb_m.patch + patches.suse/Documentation-bonding-fix-the-doc-of-peer_notif_dela.patch patches.suse/gve-Remove-the-code-of-clearing-PBA-bit.patch patches.suse/docs-networking-fix-x25-iface.rst-heading-index-orde.patch patches.suse/0001-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch @@ -40582,6 +40630,15 @@ patches.suse/fbdev-imsttfb-Fix-use-after-free-bug-in-imsttfb_prob.patch patches.suse/fbdev-modedb-Add-1920x1080-at-60-Hz-video-mode.patch patches.suse/fbdev-stifb-Fix-info-entry-in-sti_struct-on-error-pa.patch + patches.suse/ext4-fix-WARNING-in-mb_find_extent.patch + patches.suse/ext4-fix-lockdep-warning-when-enabling-MMP.patch + patches.suse/ext4-avoid-deadlock-in-fs-reclaim-with-page-writebac.patch + patches.suse/ext4-fix-data-races-when-using-cached-status-extents.patch + patches.suse/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-.patch + patches.suse/ext4-improve-error-handling-from-ext4_dirhash.patch + patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch + patches.suse/ext4-fix-deadlock-when-converting-an-inline-director.patch + patches.suse/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-.patch patches.suse/locking-rwsem-Add-__always_inline-annotation-to-__do.patch patches.suse/ARM-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch patches.suse/ARM-9296-1-HP-Jornada-7XX-fix-kernel-doc-warnings.patch @@ -40751,6 +40808,10 @@ patches.suse/dmaengine-pl330-rename-_start-to-prevent-build-error.patch patches.suse/tracing-histograms-Allow-variables-to-have-some-modifiers.patch patches.suse/regmap-Account-for-register-length-when-chunking.patch + patches.suse/ext4-add-EA_INODE-checking-to-ext4_iget.patch + patches.suse/ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_x.patch + patches.suse/ext4-disallow-ea_inodes-with-extended-attributes.patch + patches.suse/ext4-add-lockdep-annotations-for-i_data_sem-for-ea_i.patch patches.suse/RDMA-bnxt_re-Fix-the-page_size-used-during-the-MR-cr.patch patches.suse/RDMA-efa-Fix-unsupported-page-sizes-in-device.patch patches.suse/RDMA-hns-Fix-timeout-attr-in-query-qp-for-HIP08.patch @@ -40929,6 +40990,11 @@ patches.suse/USB-dwc3-fix-use-after-free-on-core-driver-unbind.patch patches.suse/usb-typec-ucsi-Fix-command-cancellation.patch patches.suse/staging-octeon-delete-my-name-from-TODO-contact.patch + patches.suse/msft-hv-2815-PCI-hv-Fix-a-race-condition-bug-in-hv_pci_query_rela.patch + patches.suse/msft-hv-2816-PCI-hv-Fix-a-race-condition-in-hv_irq_unmask-that-ca.patch + patches.suse/msft-hv-2817-PCI-hv-Remove-the-useless-hv_pcichild_state-from-str.patch + patches.suse/msft-hv-2818-Revert-PCI-hv-Fix-a-timing-issue-which-causes-kdump-.patch + patches.suse/msft-hv-2819-PCI-hv-Add-a-per-bus-mutex-state_lock.patch patches.suse/ACPI-sleep-Avoid-breaking-S3-wakeup-due-to-might_sle.patch patches.suse/writeback-fix-dereferencing-NULL-mapping-host-on-writeback_page_template.patch patches.suse/mm-vmalloc-do-not-output-a-spurious-warning-when-huge-vmalloc-fails.patch @@ -41056,6 +41122,7 @@ patches.suse/drm-amd-display-Explicitly-specify-update-type-per-p.patch patches.suse/drm-amdkfd-Fix-potential-deallocation-of-previously-.patch patches.suse/drm-amd-display-drop-redundant-memset-in-get_availab.patch + patches.suse/drm-amdgpu-Validate-VM-ioctl-flags.patch patches.suse/drm-amd-display-Fix-artifacting-on-eDP-panels-when-e.patch patches.suse/drm-radeon-fix-possible-division-by-zero-errors.patch patches.suse/amdgpu-validate-offset_in_bo-of-drm_amdgpu_gem_va.patch @@ -41065,6 +41132,10 @@ patches.suse/drm-msm-dpu-do-not-enable-color-management-if-DSPPs-.patch patches.suse/drm-msm-dp-Free-resources-after-unregistering-them.patch patches.suse/drm-msm-dpu-correct-MERGE_3D-length.patch + patches.suse/ext4-only-update-i_reserved_data_blocks-on-successfu.patch + patches.suse/ext4-Fix-reusing-stale-buffer-heads-from-last-failed.patch + patches.suse/ext4-turn-quotas-off-if-mount-failed-after-enabling-.patch + patches.suse/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext.patch patches.suse/soc-samsung-exynos-pmu-Re-introduce-Exynos4212-suppo.patch patches.suse/bus-ti-sysc-Fix-dispc-quirk-masking-bool-variables.patch patches.suse/drivers-meson-secure-pwrc-always-enable-DMA-domain.patch @@ -41082,6 +41153,7 @@ patches.suse/RDMA-rxe-Remove-dangling-declaration-of-rxe_cq_disab.patch patches.suse/IB-hfi1-Fix-wrong-mmu_node-used-for-user-SDMA-packet.patch patches.suse/RDMA-hns-Fix-hns_roce_table_get-return-value.patch + patches.suse/RDMA-rxe-Fix-access-checks-in-rxe_check_bind_mw.patch patches.suse/RDMA-vmw_pvrdma-Remove-unnecessary-check-on-wr-opcod.patch patches.suse/RDMA-bnxt_re-wraparound-mbox-producer-index.patch patches.suse/RDMA-bnxt_re-Avoid-calling-wake_up-threads-from-spin.patch @@ -41175,6 +41247,52 @@ patches.suse/usb-dwc3-qcom-Fix-an-error-handling-path-in-dwc3_qco.patch patches.suse/usb-dwc3-meson-g12a-Fix-an-error-handling-path-in-dw.patch patches.suse/usb-dwc3-gadget-Propagate-core-init-errors-to-UDC-du.patch + patches.suse/clk-qcom-camcc-sc7180-Add-parent-dependency-to-all-c.patch + patches.suse/clk-qcom-gcc-ipq6018-Use-floor-ops-for-sdcc-clocks.patch + patches.suse/opp-Fix-use-after-free-in-lazy_opp_tables-after-prob.patch + patches.suse/media-usb-Check-az6007_read-return-value.patch + patches.suse/media-videodev2.h-Fix-struct-v4l2_input-tuner-index-.patch + patches.suse/media-usb-siano-Fix-warning-due-to-null-work_func_t-.patch + patches.suse/media-i2c-Correct-format-propagation-for-st-mipid02.patch + patches.suse/media-venus-helpers-Fix-ALIGN-of-non-power-of-two.patch + patches.suse/media-atomisp-gmin_platform-fix-out_len-in-gmin_get_.patch + patches.suse/media-cec-i2c-ch7322-also-select-REGMAP.patch + patches.suse/soundwire-qcom-fix-storing-port-config-out-of-bounds.patch + patches.suse/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch + patches.suse/pwm-sysfs-Do-not-apply-state-to-already-disabled-PWM.patch + patches.suse/pwm-ab8500-Fix-error-code-in-probe.patch + patches.suse/Add-MODULE_FIRMWARE-for-FIRMWARE_TG357766.patch + patches.suse/docs-networking-Update-codeaurora-references-for-rmn.patch + patches.suse/Documentation-ABI-sysfs-class-net-qmi-pass_through-c.patch + patches.suse/selftests-mptcp-sockopt-return-error-if-wrong-mark.patch + patches.suse/selftests-mptcp-depend-on-SYN_COOKIES.patch + patches.suse/phy-Revert-phy-Remove-SOC_EXYNOS4212-dep.-from-PHY_E.patch + patches.suse/phy-tegra-xusb-Clear-the-driver-reference-in-usb-phy.patch + patches.suse/phy-tegra-xusb-check-return-value-of-devm_kzalloc.patch + patches.suse/dt-bindings-phy-brcm-brcmstb-usb-phy-Fix-error-in-co.patch + patches.suse/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch + patches.suse/Fix-documentation-of-panic_on_warn.patch + patches.suse/drm-i915-psr-Use-hw.adjusted-mode-when-calculating-i.patch + patches.suse/Revert-drm-amd-display-edp-do-not-add-non-edid-timin.patch + patches.suse/apparmor-fix-missing-error-check-for-rhashtable_inse.patch + patches.suse/ALSA-oxfw-make-read-only-const-array-models-static.patch + patches.suse/ALSA-fireface-make-read-only-const-array-for-model-n.patch + patches.suse/ALSA-hda-realtek-Add-quirk-for-Clevo-NPx0SNx.patch + patches.suse/ALSA-hda-realtek-Add-quirks-for-Unis-H3C-Desktop-B76.patch + patches.suse/ALSA-hda-fix-a-possible-null-pointer-dereference-due.patch + patches.suse/ALSA-pcm-Fix-potential-data-race-at-PCM-memory-alloc.patch + patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GX650P.patch + patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GA402X.patch + patches.suse/ALSA-hda-realtek-Amend-G634-quirk-to-enable-rear-spe.patch + patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-G614Jx.patch + patches.suse/ALSA-hda-realtek-Whitespace-fix.patch + patches.suse/ALSA-jack-Fix-mutex-call-in-snd_jack_report.patch + patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-ROG-GZ301V.patch + patches.suse/ntb-idt-Fix-error-handling-in-idt_pci_driver_init.patch + patches.suse/NTB-amd-Fix-error-handling-in-amd_ntb_pci_driver_ini.patch + patches.suse/ntb-intel-Fix-error-handling-in-intel_ntb_pci_driver.patch + patches.suse/NTB-ntb_transport-fix-possible-memory-leak-while-dev.patch + patches.suse/NTB-ntb_tool-Add-check-for-devm_kcalloc.patch # bpf/bpf patches.suse/ibmvnic-Do-not-reset-dql-stats-on-NON_FATAL-err.patch @@ -41215,6 +41333,15 @@ patches.suse/x86-mem_encrypt-Unbreak-the-AMD_MEM_ENCRYPT-n-build.patch + patches.suse/drm-amdgpu-fix-clearing-mappings-for-BOs-that-are-al.patch + patches.suse/drm-amd-pm-revise-the-ASPM-settings-for-thunderbolt-.patch + patches.suse/drm-amd-display-add-a-NULL-pointer-check.patch + patches.suse/drm-amd-display-disable-seamless-boot-if-force_odm_c.patch + patches.suse/drm-amd-pm-update-the-LC_L1_INACTIVITY-setting-to-ad.patch + patches.suse/drm-amd-Disable-PSR-SU-on-Parade-0803-TCON.patch + patches.suse/drm-amdgpu-fix-number-of-fence-calculations.patch + patches.suse/drm-amd-Don-t-try-to-enable-secure-display-TA-multip.patch + ######################################################## # kbuild/module infrastructure fixes ######################################################## @@ -41483,11 +41610,6 @@ ######################################################## patches.suse/suse-hv-HV_ISOLATION_TYPE_TDX.patch patches.suse/suse-hv-guest-os-id.patch - patches.suse/suse-hv-pci-hyperv-fix-a-race-condition-bug-in-hv_pci_query_relations.patch - patches.suse/suse-hv-pci-hyperv-Fix-a-race-condition-in-hv_irq_unmask-that-can-cause-panic.patch - patches.suse/suse-hv-pci-hyperv-Remove-the-useless-hv_pcichild_state-from-struct-hv_pci_dev.patch - patches.suse/suse-hv-pci-hyperv-Revert-PCI-hv-Fix-a-timing-issue-which-causes-kdump-to-fail-occasionally.patch - patches.suse/suse-hv-pci-hyperv-Add-a-per-bus-mutex-state_lock.patch patches.suse/0001-kvm-Reintroduce-nopvspin-kernel-parameter.patch ######################################################## @@ -41747,6 +41869,8 @@ +mgorman patches.suse/cpuidle-Poll-for-a-minimum-of-30ns-and-poll-for-a-tick-if-lower-c-states-are-disabled.patch +mgorman patches.suse/sched-nohz-Avoid-disabling-the-tick-for-very-short-durations.patch ++bug1212456 patches.suse/0959-drm-i915-replace-X86_FEATURE_PAT-with-pat_enabled.patch ++bug1212456 patches.suse/x86-PAT-Have-pat_enabled-properly-reflect-state-when.patch ######################################################## # You'd better have a good reason for adding a patch # below here.