From 8a66d15b8fdc4347aa6ae0a715b2feabda3f9899 Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon
Date: Mar 15 2023 07:00:12 +0000
Subject: Merge branch 'SLE15-SP5-GA' into SLE15-SP5-AZURE
---
diff --git a/patches.kabi/fb_deferred_io-kABI-workaround.patch b/patches.kabi/fb_deferred_io-kABI-workaround.patch
new file mode 100644
index 0000000..99fda19
--- /dev/null
+++ b/patches.kabi/fb_deferred_io-kABI-workaround.patch
@@ -0,0 +1,28 @@
+From: Takashi Iwai
+Subject: kABI workaround for struct fb_deferred_io changes
+Patch-mainline: Never, kABI workaround
+References: bsc#1208266
+
+A new field was added to struct fb_deferred_io that broke kABI.
+For keeping kABI compatibility, change it for short to fit into the
+existing hole (3 bytes for armv7hl), and wrap with __GENKSYMS__.
+
+Signed-off-by: Takashi Iwai
+
+---
+ include/linux/fb.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/linux/fb.h
++++ b/include/linux/fb.h
+@@ -212,7 +212,9 @@ struct fb_deferred_io {
+ /* delay between mkwrite and deferred handler */
+ unsigned long delay;
+ bool sort_pagereflist; /* sort pagelist by offset */
+- int open_count; /* number of opened files; protected by fb_info lock */
++#ifndef __GENKSYMS__
++ short open_count; /* number of opened files; protected by fb_info lock */
++#endif
+ struct mutex lock; /* mutex that protects the pageref list */
+ struct list_head pagereflist; /* list of pagerefs for touched pages */
+ /* callback */
diff --git a/patches.suse/drivers-net-qlcnic-Fix-potential-memory-leak-in-qlcn.patch b/patches.suse/drivers-net-qlcnic-Fix-potential-memory-leak-in-qlcn.patch
new file mode 100644
index 0000000..391948c
--- /dev/null
+++ b/patches.suse/drivers-net-qlcnic-Fix-potential-memory-leak-in-qlcn.patch
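Review bot: Narrowing `open_count` from `int` to `short` in struct fb_deferred_io leaves the counter with a 16-bit range, and nothing in this hunk bounds it. The fbdev patch added in the same merge increments the field on every open and runs the last-close cleanup when the decrement reaches zero, so if more than SHRT_MAX files can hold the device open at once the count would wrap and the cleanup could run while mappings are still in use, or never run; whether that many concurrent opens are reachable is not visible here. I would at least state the limit in the field comment, e.g. `short open_count; /* number of opened files, 16-bit for kABI; protected by fb_info lock */`, and consider a `WARN_ON_ONCE(fbdefio->open_count == SHRT_MAX)` guard where it is incremented. The struct definition starts and ends outside the hunk.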
@@ -0,0 +1,37 @@
+From b9b6752e5fd333fb88023cb5de4c1e6c0ce9d4e2 Mon Sep 17 00:00:00 2001
+From: Yuan Can
+Date: Wed, 7 Dec 2022 08:54:10 +0000
+Subject: [PATCH 1/3] drivers: net: qlcnic: Fix potential memory leak in
+ qlcnic_sriov_init()
+Patch-mainline: v6.2-rc1
+Git-commit: 01de1123322e4fe1bbd0fcdf0982511b55519c03
+References: jsc#PED-1523
+
+If vp alloc failed in qlcnic_sriov_init(), all previously allocated vp
+needs to be freed.
+
+Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation")
+Signed-off-by: Yuan Can
+Reviewed-by: Leon Romanovsky
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+index 9282321c2e7f..f9dd50152b1e 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+@@ -221,6 +221,8 @@ int qlcnic_sriov_init(struct qlcnic_adapter *adapter, int num_vfs)
+ return 0;
+
+ qlcnic_destroy_async_wq:
++ while (i--)
++ kfree(sriov->vf_info[i].vp);
+ destroy_workqueue(bc->bc_async_wq);
+
+ qlcnic_destroy_trans_wq:
+--
+2.16.4
+
diff --git a/patches.suse/fbdev-Fix-incorrect-page-mapping-clearance-at-fb_def.patch b/patches.suse/fbdev-Fix-incorrect-page-mapping-clearance-at-fb_def.patch
new file mode 100644
index 0000000..caa13a6
--- /dev/null
+++ b/patches.suse/fbdev-Fix-incorrect-page-mapping-clearance-at-fb_def.patch
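Review bot: The new `while (i--)` loop under `qlcnic_destroy_async_wq:` is only correct if `i` holds the index of the VF whose vp allocation failed every time that label is reached, and the hunk does not show the jumps into it. If any `goto qlcnic_destroy_async_wq` can run before the allocation loop has set `i`, the loop would walk `vf_info` with an index that does not describe what was allocated; please confirm the label is entered only from inside that loop. A short comment would make the contract explicit, for example `/* i = index of the VF whose vp allocation failed; free vf_info[0..i-1].vp */`. The body of qlcnic_sriov_init() starts and ends outside the hunk.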
@@ -0,0 +1,92 @@
+From: Takashi Iwai
+Date: Wed, 8 Mar 2023 11:50:12 +0100
+Subject: [PATCH] fbdev: Fix incorrect page mapping clearance at fb_deferred_io_release()
+Message-Id: <20230308105012.1845-1-tiwai@suse.de>
+Patch-mainline: Submitted, linux-fbdev ML
+References: bsc#1208266
+
+The recent fix for the deferred I/O by the commit
+ 3efc61d95259 ("fbdev: Fix invalid page access after closing deferred I/O devices")
+caused a regression when the same fb device is opened/closed while
+it's being used. It resulted in a frozen screen even if something
+is redrawn there after the close. The breakage is because the patch
+was made under a wrong assumption of a single open; in the current
+code, fb_deferred_io_release() cleans up the page mapping of the
+pageref list and it calls cancel_delayed_work_sync() unconditionally,
+where both are no correct behavior for multiple opens.
+
+This patch adds a refcount for the opens of the device, and applies
+the cleanup only when all files get closed.
+
+As both fb_deferred_io_open() and _close() are called always in the
+fb_info lock (mutex), it's safe to use the normal int for the
+refcounting.
+
+Also, a useless BUG_ON() is dropped.
+
+Fixes: 3efc61d95259 ("fbdev: Fix invalid page access after closing deferred I/O devices")
+Cc:
+Signed-off-by: Takashi Iwai
+
+---
+ drivers/video/fbdev/core/fb_defio.c | 17 +++++++++++++----
+ include/linux/fb.h | 1 +
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/fb_defio.c
++++ b/drivers/video/fbdev/core/fb_defio.c
+@@ -316,17 +316,18 @@ void fb_deferred_io_open(struct fb_info
+ struct inode *inode,
+ struct file *file)
+ {
++ struct fb_deferred_io *fbdefio = info->fbdefio;
++
+ file->f_mapping->a_ops = &fb_deferred_io_aops;
++ fbdefio->open_count++;
+ }
+ EXPORT_SYMBOL_GPL(fb_deferred_io_open);
+
+-void fb_deferred_io_release(struct fb_info *info)
++static void fb_deferred_io_lastclose(struct fb_info *info)
+ {
+- struct fb_deferred_io *fbdefio = info->fbdefio;
+ struct page *page;
+ int i;
+
+- BUG_ON(!fbdefio);
+ cancel_delayed_work_sync(&info->deferred_work);
+
+ /* clear out the mapping that we setup */
+@@ -335,13 +336,21 @@ void fb_deferred_io_release(struct fb_in
+ page->mapping = NULL;
+ }
+ }
++
++void fb_deferred_io_release(struct fb_info *info)
++{
++ struct fb_deferred_io *fbdefio = info->fbdefio;
++
++ if (!--fbdefio->open_count)
++ fb_deferred_io_lastclose(info);
++}
+ EXPORT_SYMBOL_GPL(fb_deferred_io_release);
+
+ void fb_deferred_io_cleanup(struct fb_info *info)
+ {
+ struct fb_deferred_io *fbdefio = info->fbdefio;
+
+- fb_deferred_io_release(info);
++ fb_deferred_io_lastclose(info);
+
+ kvfree(info->pagerefs);
+ mutex_destroy(&fbdefio->lock);
+--- a/include/linux/fb.h
++++ b/include/linux/fb.h
+@@ -212,6 +212,7 @@ struct fb_deferred_io {
+ /* delay between mkwrite and deferred handler */
+ unsigned long delay;
+ bool sort_pagereflist; /* sort pagelist by offset */
++ int open_count; /* number of opened files; protected by fb_info lock */
+ struct mutex lock; /* mutex that protects the pageref list */
+ struct list_head pagereflist; /* list of pagerefs for touched pages */
+ /* callback */
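Review bot: `if (!--fbdefio->open_count)` in the new fb_deferred_io_release() has no floor, so a single unbalanced release drives the count negative and fb_deferred_io_lastclose() is then skipped on every later close, leaving the page mappings and the delayed work in the state the earlier fix was meant to clear. fb_deferred_io_cleanup() also calls fb_deferred_io_lastclose() without resetting `open_count`; whether a release can still arrive after cleanup is not visible here, but if it can, it would decrement a stale count. The commit message relies on open and release always being paired under the fb_info lock, and a guard such as `if (WARN_ON_ONCE(fbdefio->open_count <= 0)) return;` ahead of the decrement would make a violation of that assumption visible instead of silent. With the BUG_ON() removed, both functions dereference `info->fbdefio` unchecked, so the callers outside this patch must keep testing it for NULL.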
diff --git a/patches.suse/fbdev-Fix-invalid-page-access-after-closing-deferred.patch b/patches.suse/fbdev-Fix-invalid-page-access-after-closing-deferred.patch
index 015988d..4708e35 100644
--- a/patches.suse/fbdev-Fix-invalid-page-access-after-closing-deferred.patch
+++ b/patches.suse/fbdev-Fix-invalid-page-access-after-closing-deferred.patch
@@ -2,8 +2,8 @@ From: Takashi Iwai Date: Sun, 29 Jan 2023 09:28:56 +0100 Subject: [PATCH] fbdev: Fix invalid page access after closing deferred I/O devices -Message-Id: <20230129082856.22113-1-tiwai@suse.de> -Patch-mainline: Submitted, linux-fbdev ML +Git-commit: 3efc61d95259956db25347e2a9562c3e54546e20 +Patch-mainline: v6.2 References: bsc#1207284 When a fbdev with deferred I/O is once opened and closed, the dirty
diff --git a/patches.suse/qlcnic-Clean-up-some-inconsistent-indenting.patch b/patches.suse/qlcnic-Clean-up-some-inconsistent-indenting.patch
new file mode 100644
index 0000000..714f9f6
--- /dev/null
+++ b/patches.suse/qlcnic-Clean-up-some-inconsistent-indenting.patch
@@ -0,0 +1,38 @@
+From 9b9727caf629320b93afefc019ccfd644b609a81 Mon Sep 17 00:00:00 2001
+From: Jiapeng Chong
+Date: Mon, 12 Dec 2022 13:58:13 +0800
+Subject: [PATCH 2/3] qlcnic: Clean up some inconsistent indenting
+Patch-mainline: v6.2-rc1
+Git-commit: 02abf84aa52da86586ec6323969afa158ec6e4aa
+References: jsc#PED-1523
+
+No functional modification involved.
+
+drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c:714 qlcnic_validate_ring_count() warn: inconsistent indenting.
+
+Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3419
+Reported-by: Abaci Robot
+Signed-off-by: Jiapeng Chong
+Link: https://lore.kernel.org/r/20221212055813.91154-1-jiapeng.chong@linux.alibaba.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
+index 1ee491f78c6b..c1436e1554de 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
+@@ -711,7 +711,7 @@ static int qlcnic_validate_ring_count(struct qlcnic_adapter *adapter,
+ }
+ }
+
+- if (tx_ring != 0) {
++ if (tx_ring != 0) {
+ if (tx_ring > adapter->max_tx_rings) {
+ netdev_err(adapter->netdev,
+ "Invalid ring count, Tx ring count %d should not be greater than max %d driver Tx rings.\n",
+--
+2.16.4
+
diff --git a/patches.suse/qlcnic-prevent-dcb-use-after-free-on-qlcnic_dcb_enab.patch b/patches.suse/qlcnic-prevent-dcb-use-after-free-on-qlcnic_dcb_enab.patch
new file mode 100644
index 0000000..efed019
--- /dev/null
+++ b/patches.suse/qlcnic-prevent-dcb-use-after-free-on-qlcnic_dcb_enab.patch
@@ -0,0 +1,103 @@
+From 6766b4ae84648a778c2c3f8b2e0c4561eb1ba37c Mon Sep 17 00:00:00 2001
+From: Daniil Tatianin
+Date: Thu, 22 Dec 2022 14:52:28 +0300
+Subject: [PATCH 3/3] qlcnic: prevent ->dcb use-after-free on
+ qlcnic_dcb_enable() failure
+Patch-mainline: v6.2-rc3
+Git-commit: 13a7c8964afcd8ca43c0b6001ebb0127baa95362
+References: jsc#PED-1523
+
+adapter->dcb would get silently freed inside qlcnic_dcb_enable() in
+case qlcnic_dcb_attach() would return an error, which always happens
+under OOM conditions. This would lead to use-after-free because both
+of the existing callers invoke qlcnic_dcb_get_info() on the obtained
+pointer, which is potentially freed at that point.
+
+Propagate errors from qlcnic_dcb_enable(), and instead free the dcb
+pointer at callsite using qlcnic_dcb_free(). This also removes the now
+unused qlcnic_clear_dcb_ops() helper, which was a simple wrapper around
+kfree() also causing memory leaks for partially initialized dcb.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Fixes: 3c44bba1d270 ("qlcnic: Disable DCB operations from SR-IOV VFs")
+Reviewed-by: Michal Swiatkowski
+Signed-off-by: Daniil Tatianin
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 8 +++++++-
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h | 10 ++--------
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 8 +++++++-
+ 3 files changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+index dbb800769cb6..c95d56e56c59 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+@@ -2505,7 +2505,13 @@ int qlcnic_83xx_init(struct qlcnic_adapter *adapter)
+ goto disable_mbx_intr;
+
+ qlcnic_83xx_clear_function_resources(adapter);
+- qlcnic_dcb_enable(adapter->dcb);
++
++ err = qlcnic_dcb_enable(adapter->dcb);
++ if (err) {
++ qlcnic_dcb_free(adapter->dcb);
++ goto disable_mbx_intr;
++ }
++
+ qlcnic_83xx_initialize_nic(adapter, 1);
+ qlcnic_dcb_get_info(adapter->dcb);
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h
+index 7519773eaca6..22afa2be85fd 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h
+@@ -41,11 +41,6 @@ struct qlcnic_dcb {
+ unsigned long state;
+ };
+
+-static inline void qlcnic_clear_dcb_ops(struct qlcnic_dcb *dcb)
+-{
+- kfree(dcb);
+-}
+-
+ static inline int qlcnic_dcb_get_hw_capability(struct qlcnic_dcb *dcb)
+ {
+ if (dcb && dcb->ops->get_hw_capability)
+@@ -112,9 +107,8 @@ static inline void qlcnic_dcb_init_dcbnl_ops(struct qlcnic_dcb *dcb)
+ dcb->ops->init_dcbnl_ops(dcb);
+ }
+
+-static inline void qlcnic_dcb_enable(struct qlcnic_dcb *dcb)
++static inline int qlcnic_dcb_enable(struct qlcnic_dcb *dcb)
+ {
+- if (dcb && qlcnic_dcb_attach(dcb))
+- qlcnic_clear_dcb_ops(dcb);
++ return dcb ? qlcnic_dcb_attach(dcb) : 0;
+ }
+ #endif
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+index 28476b982bab..44dac3c0908e 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+@@ -2599,7 +2599,13 @@ qlcnic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ "Device does not support MSI interrupts\n");
+
+ if (qlcnic_82xx_check(adapter)) {
+- qlcnic_dcb_enable(adapter->dcb);
++ err = qlcnic_dcb_enable(adapter->dcb);
++ if (err) {
++ qlcnic_dcb_free(adapter->dcb);
++ dev_err(&pdev->dev, "Failed to enable DCB\n");
++ goto err_out_free_hw;
++ }
++
+ qlcnic_dcb_get_info(adapter->dcb);
+ err = qlcnic_setup_intr(adapter);
+
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 0aa9a6c..2208bc5 100644
--- a/series.conf
+++ b/series.conf
@@ -36414,6 +36414,8 @@
 patches.suse/Bluetooth-hci_bcsp-don-t-call-kfree_skb-under-spin_l.patch
 patches.suse/Bluetooth-hci_core-don-t-call-kfree_skb-under-spin_l.patch
 patches.suse/Bluetooth-RFCOMM-don-t-call-kfree_skb-under-spin_loc.patch
+ patches.suse/qlcnic-Clean-up-some-inconsistent-indenting.patch
+ patches.suse/drivers-net-qlcnic-Fix-potential-memory-leak-in-qlcn.patch
 patches.suse/hamradio-don-t-call-dev_kfree_skb-under-spin_lock_ir.patch
 patches.suse/af_unix-call-proto_unregister-in-the-error-path-in-a.patch
 patches.suse/ipvs-fix-type-warning-in-do_div-on-32-bit.patch
@@ -36710,6 +36712,7 @@
 patches.suse/gpio-sifive-Fix-refcount-leak-in-sifive_gpio_probe.patch
 patches.suse/vmxnet3-correctly-report-csum_level-for-encapsulated.patch
 patches.suse/net-sched-fix-memory-leak-in-tcindex_set_parms.patch
+ patches.suse/qlcnic-prevent-dcb-use-after-free-on-qlcnic_dcb_enab.patch
 patches.suse/nfc-Fix-potential-resource-leaks.patch
 patches.suse/net-phy-xgmiitorgmii-Fix-refcount-leak-in-xgmiitorgm.patch
 patches.suse/dt-bindings-net-sun8i-emac-Add-phy-supply-property.patch
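Review bot: Both new error branches call `qlcnic_dcb_free(adapter->dcb)` and then jump to the unwind label, and nothing in the visible lines resets `adapter->dcb` afterwards. Whether qlcnic_dcb_free() clears the adapter's pointer itself is not shown in this patch; if it does not, the teardown after `disable_mbx_intr` in qlcnic_83xx_init() and after `err_out_free_hw` in qlcnic_probe() would still see the freed pointer, which is the same class of bug this commit fixes. If the helper leaves it set, add `adapter->dcb = NULL;` after the free in both places. The qlcnic_83xx_init() branch also fails silently while the qlcnic_probe() one logs `"Failed to enable DCB\n"`, so a matching `dev_err()` would keep the two paths consistent. Both functions start and end outside their hunks.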
@@ -36872,6 +36875,7 @@
 patches.suse/VMCI-Use-threaded-irqs-instead-of-tasklets.patch
 patches.suse/module-Don-t-wait-for-GOING-modules.patch
 patches.suse/Fix-page-corruption-caused-by-racy-check-in-__free_pages.patch
+ patches.suse/fbdev-Fix-invalid-page-access-after-closing-deferred.patch
 patches.suse/ibmvnic-Toggle-between-queue-types-in-affinity-mappi.patch
 patches.suse/ipmi-ssif-resend_msg-cannot-fail.patch
 patches.suse/ipmi_ssif-Rename-idle-state-and-check.patch
@@ -37192,7 +37196,7 @@ ######################################################## patches.suse/0001-firmware-sysfb-Add-parameter-to-enable-sysfb-support.patch patches.suse/0001-drm-i915-gvt-fix-double-free-bug-in-split_2MB_gtt_en.patch - patches.suse/fbdev-Fix-invalid-page-access-after-closing-deferred.patch + patches.suse/fbdev-Fix-incorrect-page-mapping-clearance-at-fb_def.patch ######################################################## # Storage
@@ -37383,6 +37387,7 @@ # kABI consistency patches ######################################################## patches.rpmify/BTF-Don-t-break-ABI-when-debuginfo-is-disabled.patch + patches.kabi/fb_deferred_io-kABI-workaround.patch ######################################################## # SLE15-SP3 OOT performance patches evaluated but left