From 989ee67852e431d7ea5a5dd590907fa0e0d5bb82 Mon Sep 17 00:00:00 2001 From: Davidlohr Bueso Date: Apr 13 2021 22:26:23 +0000 Subject: Merge branch 'SLE12-SP5' (8fc5925247b4) into 'SLE12-SP5-RT' No -rt specific changes this merge. --- diff --git a/blacklist.conf b/blacklist.conf index 881b2da..ad527ba 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -1543,7 +1543,6 @@ c7fc46fd1410a7452db29ee8cd1f85c233000ec9 # kABI, the point is removing a global 526f3d96b8f83b1b13d73bd0b5c79cc2c487ec8e # it's more cleanup than fixup 9a7f12edf8848a9b355a86fc0183d7be932ef11e # cleanup a6aacb2b26e85aa619cf0c6f98d0ca77314cd2a1 # no changes: drm/amdgpu: force fbdev into vram -f058599e22d59e594e5aae1dc10560568d8f4a8b # depends on 0aaba41b58bc5f3074c0c0a6136b9500b5e29e19, which cannot be backported 34b13cb3eaa5ad205f4497da6420262da4940b9e # wrong fixes tag 9d82973e032e246ff5663c9805fbb5407ae932e3 # gcc10 warning fix, likely breaks kABI 73aca179d78eaa11604ba0783a6d8b2125fbc332 # not changing vermagic in released product @@ -1813,3 +1812,7 @@ a983b5ebee57209c99f68c8327072f25e0e6e3da # performance optimization, kABI change c9019e9bf42e66d028d70d2da6206cad4dd9250d # prereq for a983b5ebee57209c99f68c8327072f25e0e6e3da 60fc35f327e0a9e60b955c0f3c3ed623608d1baa # unavoidably breaks kABI c915ef890d5dc79f483e1ca3b3a5b5f1a170690c # Affected code does not exist: drm/amdgpu: Prevent shift wrapping in amdgpu_read_mask() +4d8654e81db7346f915eca9f1aff18f385cab621 # breaks existing setups by changing driver +bbda4b6c7d7c7f79da71f95c92a5d76be22c3efd # depends on 4.14 sstep.c rewrite +04b38d012556199ba4c31195940160e0c44c64f0 # touches ifdeffed out code, all configs have CONFIG_SECCOMP_FILTER=y +3c4fa46b30c551b1df2fb1574a684f68bc22067c # unlikely to be used on SLE kernels diff --git a/patches.suse/USB-replace-hardcode-maximum-usb-string-length-by-de.patch b/patches.suse/USB-replace-hardcode-maximum-usb-string-length-by-de.patch new file mode 100644 index 0000000..9cb0e5e --- /dev/null +++ b/patches.suse/USB-replace-hardcode-maximum-usb-string-length-by-de.patch @@ -0,0 +1,91 @@ +From 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 Mon Sep 17 00:00:00 2001 +From: Macpaul Lin +Date: Thu, 18 Jun 2020 17:13:38 +0800 +Subject: [PATCH] USB: replace hardcode maximum usb string length by definition +Git-commit: 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 +References: git-fixes +Patch-mainline: v5.9-rc1 + +Replace hardcoded maximum USB string length (126 bytes) by definition +"USB_MAX_STRING_LEN". + +Signed-off-by: Macpaul Lin +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/1592471618-29428-1-git-send-email-macpaul.lin@mediatek.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/gadget/composite.c | 4 ++-- + drivers/usb/gadget/configfs.c | 2 +- + drivers/usb/gadget/usbstring.c | 4 ++-- + include/uapi/linux/usb/ch9.h | 3 +++ + 4 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 5c1eb96a5c57..8fbf73467fef 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1085,7 +1085,7 @@ static void collect_langs(struct usb_gadget_strings **sp, __le16 *buf) + while (*sp) { + s = *sp; + language = cpu_to_le16(s->language); +- for (tmp = buf; *tmp && tmp < &buf[126]; tmp++) { ++ for (tmp = buf; *tmp && tmp < &buf[USB_MAX_STRING_LEN]; tmp++) { + if (*tmp == language) + goto repeat; + } +@@ -1160,7 +1160,7 @@ static int get_string(struct usb_composite_dev *cdev, + collect_langs(sp, s->wData); + } + +- for (len = 0; len <= 126 && s->wData[len]; len++) ++ for (len = 0; len <= USB_MAX_STRING_LEN && s->wData[len]; len++) + continue; + if (!len) + return -EINVAL; +diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c +index 9dc06a4e1b30..56051bb97349 100644 +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -103,7 +103,7 @@ static int usb_string_copy(const char *s, char **s_copy) + char *str; + char *copy = *s_copy; + ret = strlen(s); +- if (ret > 126) ++ if (ret > USB_MAX_STRING_LEN) + return -EOVERFLOW; + + str = kstrdup(s, GFP_KERNEL); +diff --git a/drivers/usb/gadget/usbstring.c b/drivers/usb/gadget/usbstring.c +index 58a4d3325090..30f889ad3ad2 100644 +--- a/drivers/usb/gadget/usbstring.c ++++ b/drivers/usb/gadget/usbstring.c +@@ -55,9 +55,9 @@ usb_gadget_get_string (const struct usb_gadget_strings *table, int id, u8 *buf) + return -EINVAL; + + /* string descriptors have length, tag, then UTF16-LE text */ +- len = min ((size_t) 126, strlen (s->s)); ++ len = min((size_t)USB_MAX_STRING_LEN, strlen(s->s)); + len = utf8s_to_utf16s(s->s, len, UTF16_LITTLE_ENDIAN, +- (wchar_t *) &buf[2], 126); ++ (wchar_t *) &buf[2], USB_MAX_STRING_LEN); + if (len < 0) + return -EINVAL; + buf [0] = (len + 1) * 2; +diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h +index 456ab0c2b586..b1ed2ccfe9cf 100644 +--- a/include/uapi/linux/usb/ch9.h ++++ b/include/uapi/linux/usb/ch9.h +@@ -368,6 +368,9 @@ struct usb_config_descriptor { + + /*-------------------------------------------------------------------------*/ + ++/* USB String descriptors can contain at most 126 characters. */ ++#define USB_MAX_STRING_LEN 126 ++ + /* USB_DT_STRING: String descriptor */ + struct usb_string_descriptor { + __u8 bLength; +-- +2.26.2 + diff --git a/patches.suse/bpf-Fix-32-bit-src-register-truncation-on-div-mod.patch b/patches.suse/bpf-Fix-32-bit-src-register-truncation-on-div-mod.patch index 29f451a..15ec2e2 100644 --- a/patches.suse/bpf-Fix-32-bit-src-register-truncation-on-div-mod.patch +++ b/patches.suse/bpf-Fix-32-bit-src-register-truncation-on-div-mod.patch @@ -76,22 +76,21 @@ Acked-by: Alexei Starovoitov Acked-by: Gary Lin NOTE from Gary: - * 'BPF_JMP32' in the original commit is removed since the instruction is - not defined in this branch. - * 'is64' is removed since there is no user of the variable after removing - the diff for 'BPF_JMP32'. + * 'BPF_JMP32' is not defined in this branch. To emulate the instruction, + before 'BPF_JNE', 'src_reg' is copied to BPF_REG_AX with BPF_MOV32 to + make sure 'BPF_JNE' really compare the lower 32bit of 'src_reg'. + (Thanks for the suggestion from Nicolai Stange) --- - kernel/bpf/verifier.c | 29 +++++++++++++---------------- - 1 file changed, 13 insertions(+), 16 deletions(-) + kernel/bpf/verifier.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c -@@ -4628,31 +4628,28 @@ static int fixup_bpf_calls(struct bpf_ve - insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) || +@@ -4629,30 +4629,32 @@ static int fixup_bpf_calls(struct bpf_ve insn->code == (BPF_ALU | BPF_MOD | BPF_X) || insn->code == (BPF_ALU | BPF_DIV | BPF_X)) { -- bool is64 = BPF_CLASS(insn->code) == BPF_ALU64; + bool is64 = BPF_CLASS(insn->code) == BPF_ALU64; - struct bpf_insn mask_and_div[] = { - BPF_MOV32_REG(insn->src_reg, insn->src_reg), + bool isdiv = BPF_OP(insn->code) == BPF_DIV; @@ -99,9 +98,11 @@ NOTE from Gary: + struct bpf_insn chk_and_div[] = { /* Rx div 0 -> 0 */ - BPF_JMP_IMM(BPF_JNE, insn->src_reg, 0, 2), -+ BPF_RAW_INSN(BPF_JMP | -+ BPF_JNE | BPF_K, insn->src_reg, -+ 0, 2, 0), ++ BPF_RAW_INSN((is64 ? BPF_ALU64 : BPF_ALU) | ++ BPF_MOV | BPF_X, ++ BPF_REG_AX, insn->src_reg, ++ 0, 0), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_AX, 0, 2), BPF_ALU32_REG(BPF_XOR, insn->dst_reg, insn->dst_reg), BPF_JMP_IMM(BPF_JA, 0, 0, 1), *insn, @@ -111,9 +112,11 @@ NOTE from Gary: + struct bpf_insn chk_and_mod[] = { /* Rx mod 0 -> Rx */ - BPF_JMP_IMM(BPF_JEQ, insn->src_reg, 0, 1), -+ BPF_RAW_INSN(BPF_JMP | -+ BPF_JEQ | BPF_K, insn->src_reg, -+ 0, 1, 0), ++ BPF_RAW_INSN((is64 ? BPF_ALU64 : BPF_ALU) | ++ BPF_MOV | BPF_X, ++ BPF_REG_AX, insn->src_reg, ++ 0, 0), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_AX, 0, 1), *insn, }; - struct bpf_insn *patchlet; diff --git a/patches.suse/bpf-Fix-truncation-handling-for-mod32-dst-reg-wrt-ze.patch b/patches.suse/bpf-Fix-truncation-handling-for-mod32-dst-reg-wrt-ze.patch index 74dafc5..66a6a48 100644 --- a/patches.suse/bpf-Fix-truncation-handling-for-mod32-dst-reg-wrt-ze.patch +++ b/patches.suse/bpf-Fix-truncation-handling-for-mod32-dst-reg-wrt-ze.patch @@ -81,7 +81,7 @@ Acked-by: Alexei Starovoitov Acked-by: Gary Lin NOTE from Gary: - * 'is64' is added back since this commit really needs it. + - Modified the BPF_JNE diff to fit the code --- kernel/bpf/verifier.c | 11 +++++++---- @@ -89,29 +89,28 @@ NOTE from Gary: --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c -@@ -4628,10 +4628,11 @@ static int fixup_bpf_calls(struct bpf_ve - insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) || - insn->code == (BPF_ALU | BPF_MOD | BPF_X) || - insn->code == (BPF_ALU | BPF_DIV | BPF_X)) { -+ bool is64 = BPF_CLASS(insn->code) == BPF_ALU64; +@@ -4632,7 +4632,7 @@ static int fixup_bpf_calls(struct bpf_ve bool isdiv = BPF_OP(insn->code) == BPF_DIV; struct bpf_insn *patchlet; struct bpf_insn chk_and_div[] = { - /* Rx div 0 -> 0 */ + /* [R,W]x div 0 -> 0 */ - BPF_RAW_INSN(BPF_JMP | - BPF_JNE | BPF_K, insn->src_reg, - 0, 2, 0), -@@ -4640,16 +4641,18 @@ static int fixup_bpf_calls(struct bpf_ve + BPF_RAW_INSN((is64 ? BPF_ALU64 : BPF_ALU) | + BPF_MOV | BPF_X, + BPF_REG_AX, insn->src_reg, +@@ -4643,18 +4643,21 @@ static int fixup_bpf_calls(struct bpf_ve *insn, }; struct bpf_insn chk_and_mod[] = { - /* Rx mod 0 -> Rx */ + /* [R,W]x mod 0 -> [R,W]x */ - BPF_RAW_INSN(BPF_JMP | - BPF_JEQ | BPF_K, insn->src_reg, -- 0, 1, 0), -+ 0, 1 + (is64 ? 0 : 1), 0), + BPF_RAW_INSN((is64 ? BPF_ALU64 : BPF_ALU) | + BPF_MOV | BPF_X, + BPF_REG_AX, insn->src_reg, + 0, 0), +- BPF_JMP_IMM(BPF_JNE, BPF_REG_AX, 0, 1), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_AX, 0, ++ 1 + (is64 ? 0 : 1)), *insn, + BPF_JMP_IMM(BPF_JA, 0, 0, 1), + BPF_MOV32_REG(insn->dst_reg, insn->dst_reg), diff --git a/patches.suse/bpf-x86-Validate-computation-of-branch-displacements.patch b/patches.suse/bpf-x86-Validate-computation-of-branch-displacements.patch new file mode 100644 index 0000000..6e231fc --- /dev/null +++ b/patches.suse/bpf-x86-Validate-computation-of-branch-displacements.patch @@ -0,0 +1,63 @@ +From: Piotr Krysiuk +Date: Mon, 5 Apr 2021 22:52:15 +0100 +Subject: bpf, x86: Validate computation of branch displacements for x86-64 +Patch-mainline: v5.12-rc7 +Git-commit: e4d4d456436bfb2fe412ee2cd489f7658449b098 +References: bsc#1184391 CVE-2021-29154 + +The branch displacement logic in the BPF JIT compilers for x86 assumes +that, for any generated branch instruction, the distance cannot +increase between optimization passes. + +But this assumption can be violated due to how the distances are +computed. Specifically, whenever a backward branch is processed in +do_jit(), the distance is computed by subtracting the positions in the +machine code from different optimization passes. This is because part +of addrs[] is already updated for the current optimization pass, before +the branch instruction is visited. + +And so the optimizer can expand blocks of machine code in some cases. + +This can confuse the optimizer logic, where it assumes that a fixed +point has been reached for all machine code blocks once the total +program size stops changing. And then the JIT compiler can output +abnormal machine code containing incorrect branch displacements. + +To mitigate this issue, we assert that a fixed point is reached while +populating the output image. This rejects any problematic programs. +The issue affects both x86-32 and x86-64. We mitigate separately to +ease backporting. + +Signed-off-by: Piotr Krysiuk +Reviewed-by: Daniel Borkmann +Signed-off-by: Daniel Borkmann +Acked-by: Gary Lin + +NOTE from Gary: + * x86-64 and x86-32 use the same jit code in this branch, so there is no + need the backport the x86-32 fix (26f55a59dc65ff77cd1c4b37991e26497fc68049). + +--- + arch/x86/net/bpf_jit_comp.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -1060,7 +1060,16 @@ common_load: + } + + if (image) { +- if (unlikely(proglen + ilen > oldproglen)) { ++ /* ++ * When populating the image, assert that: ++ * ++ * i) We do not write beyond the allocated space, and ++ * ii) addrs[i] did not change from the prior run, in order ++ * to validate assumptions made for computing branch ++ * displacements. ++ */ ++ if (unlikely(proglen + ilen > oldproglen || ++ proglen + ilen != addrs[i])) { + pr_err("bpf_jit: fatal error\n"); + return -EFAULT; + } diff --git a/patches.suse/cifs-New-optype-for-session-operations-.patch b/patches.suse/cifs-New-optype-for-session-operations-.patch new file mode 100644 index 0000000..b778831 --- /dev/null +++ b/patches.suse/cifs-New-optype-for-session-operations-.patch @@ -0,0 +1,80 @@ +From: Shyam Prasad N +Date: Wed, 3 Feb 2021 22:49:52 -0800 +Subject: [PATCH] cifs: New optype for session operations. +Git-commit: 0f56db831456cb4bf85a15c7a900b7138d89b6eb +References: bsc#1181507 +Patch-mainline: v5.12-rc1 + +We used to share the CIFS_NEG_OP flag between negotiate and +session authentication. There was an assumption in the code that +CIFS_NEG_OP is used by negotiate only. So introcuded CIFS_SESS_OP +and used it for session setup optypes. + +Signed-off-by: Shyam Prasad N +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +Acked-by: Aurelien Aptel +--- + fs/cifs/cifsglob.h | 4 +++- + fs/cifs/smb2ops.c | 4 +++- + fs/cifs/smb2pdu.c | 2 +- + fs/cifs/transport.c | 4 ++-- + 4 files changed, 9 insertions(+), 5 deletions(-) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1734,7 +1734,9 @@ static inline bool is_retryable_error(in + #define CIFS_ECHO_OP 0x080 /* echo request */ + #define CIFS_OBREAK_OP 0x0100 /* oplock break request */ + #define CIFS_NEG_OP 0x0200 /* negotiate request */ +-#define CIFS_OP_MASK 0x0380 /* mask request type */ ++/* Lower bitmask values are reserved by others below. */ ++#define CIFS_SESS_OP 0x2000 /* session setup request */ ++#define CIFS_OP_MASK 0x2380 /* mask request type */ + + #define CIFS_HAS_CREDITS 0x0400 /* already has credits */ + #define CIFS_TRANSFORM_REQ 0x0800 /* transform request before sending */ +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -81,7 +81,9 @@ smb2_add_credits(struct TCP_Server_Info + printk_once(KERN_WARNING "server overflowed SMB3 credits\n"); + } + server->in_flight--; +- if (server->in_flight == 0 && (optype & CIFS_OP_MASK) != CIFS_NEG_OP) ++ if (server->in_flight == 0 && ++ ((optype & CIFS_OP_MASK) != CIFS_NEG_OP) && ++ ((optype & CIFS_OP_MASK) != CIFS_SESS_OP)) + rc = change_conf(server); + /* + * Sometimes server returns 0 credits on oplock break ack - we need to +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1189,7 +1189,7 @@ SMB2_sess_sendreceive(struct SMB2_sess_d + rc = cifs_send_recv(sess_data->xid, sess_data->ses, + &rqst, + &sess_data->buf0_type, +- CIFS_LOG_ERROR | CIFS_NEG_OP, &rsp_iov); ++ CIFS_LOG_ERROR | CIFS_SESS_OP, &rsp_iov); + cifs_small_buf_release(sess_data->iov[0].iov_base); + memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec)); + +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -1153,7 +1153,7 @@ compound_send_recv(const unsigned int xi + /* + * Compounding is never used during session establish. + */ +- if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP)) ++ if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP) || (optype & CIFS_SESS_OP)) + smb311_update_preauth_hash(ses, rqst[0].rq_iov, + rqst[0].rq_nvec); + +@@ -1218,7 +1218,7 @@ compound_send_recv(const unsigned int xi + /* + * Compounding is never used during session establish. + */ +- if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP)) { ++ if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP) || (optype & CIFS_SESS_OP)) { + struct kvec iov = { + .iov_base = resp_iov[0].iov_base, + .iov_len = resp_iov[0].iov_len diff --git a/patches.suse/cifs-Tracepoints-and-logs-for-tracing-credit-changes-.patch b/patches.suse/cifs-Tracepoints-and-logs-for-tracing-credit-changes-.patch new file mode 100644 index 0000000..159e2ef --- /dev/null +++ b/patches.suse/cifs-Tracepoints-and-logs-for-tracing-credit-changes-.patch @@ -0,0 +1,256 @@ +From: Shyam Prasad N +Date: Thu, 12 Nov 2020 08:56:49 -0800 +Subject: [PATCH] cifs: Tracepoints and logs for tracing credit changes. +Git-commit: cd7b699b0198a7fc24f6dc79985f6151f589518c +References: bsc#1181507 +Patch-mainline: v5.11-rc1 + +There is at least one suspected bug in crediting changes in cifs.ko +which has come up a few times in the discussions and in a customer +case. + +This change adds tracepoints to the code which modifies the server +credit values in any way. The goal is to be able to track the changes +to the credit values of the session to be able to catch when there is +a crediting bug. + +Signed-off-by: Shyam Prasad N +Signed-off-by: Steve French +Acked-by: Aurelien Aptel +--- + fs/cifs/connect.c | 8 ++++++++ + fs/cifs/smb2ops.c | 41 +++++++++++++++++++++++++++++++++++++---- + fs/cifs/trace.h | 4 ++++ + fs/cifs/transport.c | 15 +++++++++++++++ + 4 files changed, 64 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 64a41b32fbb1..509a41ff56b8 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -845,6 +845,7 @@ static void + smb2_add_credits_from_hdr(char *buffer, struct TCP_Server_Info *server) + { + struct smb2_sync_hdr *shdr = (struct smb2_sync_hdr *)buffer; ++ int scredits = server->credits; + + /* + * SMB1 does not use credits. +@@ -857,6 +858,13 @@ smb2_add_credits_from_hdr(char *buffer, struct TCP_Server_Info *server) + server->credits += le16_to_cpu(shdr->CreditRequest); + spin_unlock(&server->req_lock); + wake_up(&server->request_q); ++ ++ trace_smb3_add_credits(server->CurrentMid, ++ server->hostname, scredits, ++ le16_to_cpu(shdr->CreditRequest)); ++ cifs_server_dbg(FYI, "%s: added %u credits total=%d\n", ++ __func__, le16_to_cpu(shdr->CreditRequest), ++ scredits); + } + } + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index a505cc3e58da..949cd1177147 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -100,9 +100,10 @@ smb2_add_credits(struct TCP_Server_Info *server, + spin_unlock(&server->req_lock); + wake_up(&server->request_q); + +- if (reconnect_detected) ++ if (reconnect_detected) { + cifs_dbg(FYI, "trying to put %d credits from the old server instance %d\n", + add, instance); ++ } + + if (server->tcpStatus == CifsNeedReconnect + || server->tcpStatus == CifsExiting) +@@ -124,7 +125,7 @@ smb2_add_credits(struct TCP_Server_Info *server, + default: + trace_smb3_add_credits(server->CurrentMid, + server->hostname, rc, add); +- cifs_dbg(FYI, "add %u credits total=%d\n", add, rc); ++ cifs_dbg(FYI, "%s: added %u credits total=%d\n", __func__, add, rc); + } + } + +@@ -136,6 +137,11 @@ smb2_set_credits(struct TCP_Server_Info *server, const int val) + if (val == 1) + server->reconnect_instance++; + spin_unlock(&server->req_lock); ++ ++ trace_smb3_set_credits(server->CurrentMid, ++ server->hostname, val, val); ++ cifs_dbg(FYI, "%s: set %u credits\n", __func__, val); ++ + /* don't log while holding the lock */ + if (val == 1) + cifs_dbg(FYI, "set credits to 1 due to smb2 reconnect\n"); +@@ -202,6 +208,7 @@ smb2_wait_mtu_credits(struct TCP_Server_Info *server, unsigned int size, + DIV_ROUND_UP(*num, SMB2_MAX_BUFFER_SIZE); + credits->instance = server->reconnect_instance; + server->credits -= credits->value; ++ scredits = server->credits; + server->in_flight++; + if (server->in_flight > server->max_in_flight) + server->max_in_flight = server->in_flight; +@@ -209,6 +216,12 @@ smb2_wait_mtu_credits(struct TCP_Server_Info *server, unsigned int size, + } + } + spin_unlock(&server->req_lock); ++ ++ trace_smb3_add_credits(server->CurrentMid, ++ server->hostname, scredits, -(credits->value)); ++ cifs_dbg(FYI, "%s: removed %u credits total=%d\n", ++ __func__, credits->value, scredits); ++ + return rc; + } + +@@ -218,13 +231,17 @@ smb2_adjust_credits(struct TCP_Server_Info *server, + const unsigned int payload_size) + { + int new_val = DIV_ROUND_UP(payload_size, SMB2_MAX_BUFFER_SIZE); ++ int scredits; + + if (!credits->value || credits->value == new_val) + return 0; + + if (credits->value < new_val) { +- WARN_ONCE(1, "request has less credits (%d) than required (%d)", +- credits->value, new_val); ++ trace_smb3_too_many_credits(server->CurrentMid, ++ server->hostname, 0, credits->value - new_val); ++ cifs_server_dbg(VFS, "request has less credits (%d) than required (%d)", ++ credits->value, new_val); ++ + return -ENOTSUPP; + } + +@@ -232,15 +249,24 @@ smb2_adjust_credits(struct TCP_Server_Info *server, + + if (server->reconnect_instance != credits->instance) { + spin_unlock(&server->req_lock); ++ trace_smb3_reconnect_detected(server->CurrentMid, ++ server->hostname, 0, 0); + cifs_server_dbg(VFS, "trying to return %d credits to old session\n", + credits->value - new_val); + return -EAGAIN; + } + + server->credits += credits->value - new_val; ++ scredits = server->credits; + spin_unlock(&server->req_lock); + wake_up(&server->request_q); + credits->value = new_val; ++ ++ trace_smb3_add_credits(server->CurrentMid, ++ server->hostname, scredits, credits->value - new_val); ++ cifs_dbg(FYI, "%s: adjust added %u credits total=%d\n", ++ __func__, credits->value - new_val, scredits); ++ + return 0; + } + +@@ -2343,6 +2369,7 @@ static bool + smb2_is_status_pending(char *buf, struct TCP_Server_Info *server) + { + struct smb2_sync_hdr *shdr = (struct smb2_sync_hdr *)buf; ++ int scredits; + + if (shdr->Status != STATUS_PENDING) + return false; +@@ -2350,8 +2377,14 @@ smb2_is_status_pending(char *buf, struct TCP_Server_Info *server) + if (shdr->CreditRequest) { + spin_lock(&server->req_lock); + server->credits += le16_to_cpu(shdr->CreditRequest); ++ scredits = server->credits; + spin_unlock(&server->req_lock); + wake_up(&server->request_q); ++ ++ trace_smb3_add_credits(server->CurrentMid, ++ server->hostname, scredits, le16_to_cpu(shdr->CreditRequest)); ++ cifs_dbg(FYI, "%s: status pending add %u credits total=%d\n", ++ __func__, le16_to_cpu(shdr->CreditRequest), scredits); + } + + return true; +diff --git a/fs/cifs/trace.h b/fs/cifs/trace.h +index 90e0fab69bb8..c3d1a584f251 100644 +--- a/fs/cifs/trace.h ++++ b/fs/cifs/trace.h +@@ -909,8 +909,12 @@ DEFINE_EVENT(smb3_credit_class, smb3_##name, \ + TP_ARGS(currmid, hostname, credits, credits_to_add)) + + DEFINE_SMB3_CREDIT_EVENT(reconnect_with_invalid_credits); ++DEFINE_SMB3_CREDIT_EVENT(reconnect_detected); + DEFINE_SMB3_CREDIT_EVENT(credit_timeout); ++DEFINE_SMB3_CREDIT_EVENT(insufficient_credits); ++DEFINE_SMB3_CREDIT_EVENT(too_many_credits); + DEFINE_SMB3_CREDIT_EVENT(add_credits); ++DEFINE_SMB3_CREDIT_EVENT(set_credits); + + #endif /* _CIFS_TRACE_H */ + +diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c +index 36b2ece43403..e9abb41aa89b 100644 +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -527,6 +527,7 @@ wait_for_free_credits(struct TCP_Server_Info *server, const int num_credits, + int *credits; + int optype; + long int t; ++ int scredits = server->credits; + + if (timeout < 0) + t = MAX_JIFFY_OFFSET; +@@ -624,12 +625,18 @@ wait_for_free_credits(struct TCP_Server_Info *server, const int num_credits, + /* update # of requests on the wire to server */ + if ((flags & CIFS_TIMEOUT_MASK) != CIFS_BLOCKING_OP) { + *credits -= num_credits; ++ scredits = *credits; + server->in_flight += num_credits; + if (server->in_flight > server->max_in_flight) + server->max_in_flight = server->in_flight; + *instance = server->reconnect_instance; + } + spin_unlock(&server->req_lock); ++ ++ trace_smb3_add_credits(server->CurrentMid, ++ server->hostname, scredits, -(num_credits)); ++ cifs_dbg(FYI, "%s: remove %u credits total=%d\n", ++ __func__, num_credits, scredits); + break; + } + } +@@ -649,10 +656,14 @@ wait_for_compound_request(struct TCP_Server_Info *server, int num, + const int flags, unsigned int *instance) + { + int *credits; ++ int scredits, sin_flight; + + credits = server->ops->get_credits_field(server, flags & CIFS_OP_MASK); + + spin_lock(&server->req_lock); ++ scredits = *credits; ++ sin_flight = server->in_flight; ++ + if (*credits < num) { + /* + * Return immediately if not too many requests in flight since +@@ -660,6 +671,10 @@ wait_for_compound_request(struct TCP_Server_Info *server, int num, + */ + if (server->in_flight < num - *credits) { + spin_unlock(&server->req_lock); ++ trace_smb3_insufficient_credits(server->CurrentMid, ++ server->hostname, scredits, sin_flight); ++ cifs_dbg(FYI, "%s: %d requests in flight, needed %d total=%d\n", ++ __func__, sin_flight, num, scredits); + return -ENOTSUPP; + } + } +-- +2.30.0 + + diff --git a/patches.suse/cifs-change-noisy-error-message-to-FYI.patch b/patches.suse/cifs-change-noisy-error-message-to-FYI.patch new file mode 100644 index 0000000..af83900 --- /dev/null +++ b/patches.suse/cifs-change-noisy-error-message-to-FYI.patch @@ -0,0 +1,46 @@ +From: Paulo Alcantara +Date: Mon, 8 Mar 2021 12:00:48 -0300 +Subject: [PATCH] cifs: change noisy error message to FYI +Git-commit: e3d100eae44b42f309c1366efb8397368f1cf8ed +References: bsc#1181507 +Patch-mainline: v5.12-rc3 + +A customer has reported that their dmesg were being flooded by + + CIFS: VFS: \\server Cancelling wait for mid xxx cmd: a + CIFS: VFS: \\server Cancelling wait for mid yyy cmd: b + CIFS: VFS: \\server Cancelling wait for mid zzz cmd: c + +because some processes that were performing statfs(2) on the share had +been interrupted due to their automount setup when certain users +logged in and out. + +Change it to FYI as they should be mostly informative rather than +error messages. + +Signed-off-by: Paulo Alcantara (SUSE) +Reviewed-by: Aurelien Aptel +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Acked-by: Aurelien Aptel +--- + fs/cifs/transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c +index e90a1d1380b0..15b72d2e8713 100644 +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -1207,7 +1207,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses, + } + if (rc != 0) { + for (; i < num_rqst; i++) { +- cifs_server_dbg(VFS, "Cancelling wait for mid %llu cmd: %d\n", ++ cifs_server_dbg(FYI, "Cancelling wait for mid %llu cmd: %d\n", + midQ[i]->mid, le16_to_cpu(midQ[i]->command)); + send_cancel(server, &rqst[i], midQ[i]); + spin_lock(&GlobalMid_Lock); +-- +2.30.0 + + diff --git a/patches.suse/cifs-do-not-send-close-in-compound-create-close-requests.patch b/patches.suse/cifs-do-not-send-close-in-compound-create-close-requests.patch new file mode 100644 index 0000000..54006ca --- /dev/null +++ b/patches.suse/cifs-do-not-send-close-in-compound-create-close-requests.patch @@ -0,0 +1,180 @@ +From: Paulo Alcantara +Date: Mon, 8 Mar 2021 12:00:50 -0300 +Subject: [PATCH] cifs: do not send close in compound create+close requests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 04ad69c342fc4de5bd23be9ef15ea7574fb1a87e +References: bsc#1181507 +Patch-mainline: v5.12-rc3 + +In case of interrupted syscalls, prevent sending CLOSE commands for +compound CREATE+CLOSE requests by introducing an +CIFS_CP_CREATE_CLOSE_OP flag to indicate lower layers that it should +not send a CLOSE command to the MIDs corresponding the compound +CREATE+CLOSE request. + +A simple reproducer: + + #!/bin/bash + + mount //server/share /mnt -o username=foo,password=*** + tc qdisc add dev eth0 root netem delay 450ms + stat -f /mnt &>/dev/null & pid=$! + sleep 0.01 + kill $pid + tc qdisc del dev eth0 root + umount /mnt + +Before patch: + + ... + 6 0.256893470 192.168.122.2 → 192.168.122.15 SMB2 402 Create Request File: ;GetInfo Request FS_INFO/FileFsFullSizeInformation;Close Request + 7 0.257144491 192.168.122.15 → 192.168.122.2 SMB2 498 Create Response File: ;GetInfo Response;Close Response + 9 0.260798209 192.168.122.2 → 192.168.122.15 SMB2 146 Close Request File: + 10 0.260841089 192.168.122.15 → 192.168.122.2 SMB2 130 Close Response, Error: STATUS_FILE_CLOSED + +Signed-off-by: Paulo Alcantara (SUSE) +Reviewed-by: Ronnie Sahlberg +Reviewed-by: Aurelien Aptel +CC: +Signed-off-by: Steve French +Acked-by: Aurelien Aptel +--- + fs/cifs/cifsglob.h | 19 ++++++++++--------- + fs/cifs/smb2inode.c | 1 + + fs/cifs/smb2misc.c | 8 ++++---- + fs/cifs/smb2ops.c | 8 ++++---- + fs/cifs/smb2proto.h | 3 +-- + fs/cifs/transport.c | 2 +- + 6 files changed, 21 insertions(+), 20 deletions(-) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -267,7 +267,7 @@ struct smb_version_operations { + /* verify the message */ + int (*check_message)(char *, unsigned int, struct TCP_Server_Info *); + bool (*is_oplock_break)(char *, struct TCP_Server_Info *); +- int (*handle_cancelled_mid)(char *, struct TCP_Server_Info *); ++ int (*handle_cancelled_mid)(struct mid_q_entry *, struct TCP_Server_Info *); + void (*downgrade_oplock)(struct TCP_Server_Info *server, + struct cifsInodeInfo *cinode, __u32 oplock, + unsigned int epoch, bool *purge_cache); +@@ -1731,16 +1731,17 @@ static inline bool is_retryable_error(in + #define CIFS_NO_RSP_BUF 0x040 /* no response buffer required */ + + /* Type of request operation */ +-#define CIFS_ECHO_OP 0x080 /* echo request */ +-#define CIFS_OBREAK_OP 0x0100 /* oplock break request */ +-#define CIFS_NEG_OP 0x0200 /* negotiate request */ ++#define CIFS_ECHO_OP 0x080 /* echo request */ ++#define CIFS_OBREAK_OP 0x0100 /* oplock break request */ ++#define CIFS_NEG_OP 0x0200 /* negotiate request */ ++#define CIFS_CP_CREATE_CLOSE_OP 0x0400 /* compound create+close request */ + /* Lower bitmask values are reserved by others below. */ +-#define CIFS_SESS_OP 0x2000 /* session setup request */ +-#define CIFS_OP_MASK 0x2380 /* mask request type */ ++#define CIFS_SESS_OP 0x2000 /* session setup request */ ++#define CIFS_OP_MASK 0x2780 /* mask request type */ + +-#define CIFS_HAS_CREDITS 0x0400 /* already has credits */ +-#define CIFS_TRANSFORM_REQ 0x0800 /* transform request before sending */ +-#define CIFS_NO_SRV_RSP 0x1000 /* there is no server response */ ++#define CIFS_HAS_CREDITS 0x0400 /* already has credits */ ++#define CIFS_TRANSFORM_REQ 0x0800 /* transform request before sending */ ++#define CIFS_NO_SRV_RSP 0x1000 /* there is no server response */ + + /* Security Flags: indicate type of session setup needed */ + #define CIFSSEC_MAY_SIGN 0x00001 +--- a/fs/cifs/smb2inode.c ++++ b/fs/cifs/smb2inode.c +@@ -308,6 +308,7 @@ smb2_compound_op(const unsigned int xid, + if (cfile) + goto after_close; + /* Close */ ++ flags |= CIFS_CP_CREATE_CLOSE_OP; + memset(&close_iov, 0, sizeof(close_iov)); + rqst[num_rqst].rq_iov = close_iov; + rqst[num_rqst].rq_nvec = 1; +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -822,14 +822,14 @@ smb2_handle_cancelled_close(struct cifs_ + } + + int +-smb2_handle_cancelled_mid(char *buffer, struct TCP_Server_Info *server) ++smb2_handle_cancelled_mid(struct mid_q_entry *mid, struct TCP_Server_Info *server) + { +- struct smb2_sync_hdr *sync_hdr = (struct smb2_sync_hdr *)buffer; +- struct smb2_create_rsp *rsp = (struct smb2_create_rsp *)buffer; ++ struct smb2_sync_hdr *sync_hdr = mid->resp_buf; ++ struct smb2_create_rsp *rsp = mid->resp_buf; + struct cifs_tcon *tcon; + int rc; + +- if (sync_hdr->Command != SMB2_CREATE || ++ if ((mid->optype & CIFS_CP_CREATE_CLOSE_OP) || sync_hdr->Command != SMB2_CREATE || + sync_hdr->Status != STATUS_SUCCESS) + return 0; + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1123,7 +1123,7 @@ smb2_set_ea(const unsigned int xid, stru + struct cifs_ses *ses = tcon->ses; + __le16 *utf16_path = NULL; + int ea_name_len = strlen(ea_name); +- int flags = 0; ++ int flags = CIFS_CP_CREATE_CLOSE_OP; + int len; + struct smb_rqst rqst[3]; + int resp_buftype[3]; +@@ -1483,7 +1483,7 @@ smb2_ioctl_query_info(const unsigned int + struct smb_query_info qi; + struct smb_query_info __user *pqi; + int rc = 0; +- int flags = 0; ++ int flags = CIFS_CP_CREATE_CLOSE_OP; + struct smb2_query_info_rsp *qi_rsp = NULL; + struct smb2_ioctl_rsp *io_rsp = NULL; + void *buffer = NULL; +@@ -2435,7 +2435,7 @@ smb2_query_info_compound(const unsigned + struct cifs_sb_info *cifs_sb) + { + struct cifs_ses *ses = tcon->ses; +- int flags = 0; ++ int flags = CIFS_CP_CREATE_CLOSE_OP; + struct smb_rqst rqst[3]; + int resp_buftype[3]; + struct kvec rsp_iov[3]; +@@ -2828,7 +2828,7 @@ smb2_query_symlink(const unsigned int xi + unsigned int sub_offset; + unsigned int print_len; + unsigned int print_offset; +- int flags = 0; ++ int flags = CIFS_CP_CREATE_CLOSE_OP; + struct smb_rqst rqst[3]; + int resp_buftype[3]; + struct kvec rsp_iov[3]; +--- a/fs/cifs/smb2proto.h ++++ b/fs/cifs/smb2proto.h +@@ -226,8 +226,7 @@ extern int SMB2_oplock_break(const unsig + extern int smb2_handle_cancelled_close(struct cifs_tcon *tcon, + __u64 persistent_fid, + __u64 volatile_fid); +-extern int smb2_handle_cancelled_mid(char *buffer, +- struct TCP_Server_Info *server); ++extern int smb2_handle_cancelled_mid(struct mid_q_entry *mid, struct TCP_Server_Info *server); + void smb2_cancelled_close_fid(struct work_struct *work); + extern int SMB2_QFS_info(const unsigned int xid, struct cifs_tcon *tcon, + u64 persistent_file_id, u64 volatile_file_id, +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -101,7 +101,7 @@ static void _cifs_mid_q_entry_release(st + if (midEntry->resp_buf && (midEntry->mid_flags & MID_WAIT_CANCELLED) && + midEntry->mid_state == MID_RESPONSE_RECEIVED && + server->ops->handle_cancelled_mid) +- server->ops->handle_cancelled_mid(midEntry->resp_buf, server); ++ server->ops->handle_cancelled_mid(midEntry, server); + + midEntry->mid_state = MID_FREE; + atomic_dec(&midCount); diff --git a/patches.suse/cifs-print-MIDs-in-decimal-notation.patch b/patches.suse/cifs-print-MIDs-in-decimal-notation.patch new file mode 100644 index 0000000..f0e6b7a --- /dev/null +++ b/patches.suse/cifs-print-MIDs-in-decimal-notation.patch @@ -0,0 +1,72 @@ +From: Paulo Alcantara +Date: Mon, 8 Mar 2021 12:00:47 -0300 +Subject: [PATCH] cifs: print MIDs in decimal notation +Git-commit: bf1bc694b6b0cf49756cb06f8f38501b9b2c5527 +References: bsc#1181507 +Patch-mainline: v5.12-rc3 + +The MIDs are mostly printed as decimal, so let's make it consistent. + +Signed-off-by: Paulo Alcantara (SUSE) +Reviewed-by: Aurelien Aptel +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Acked-by: Aurelien Aptel +--- + fs/cifs/cifs_debug.c | 2 +- + fs/cifs/connect.c | 4 ++-- + fs/cifs/smb2misc.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c +index 3aedc484e440..88a7958170ee 100644 +--- a/fs/cifs/cifs_debug.c ++++ b/fs/cifs/cifs_debug.c +@@ -207,7 +207,7 @@ static int cifs_debug_files_proc_show(struct seq_file *m, void *v) + from_kuid(&init_user_ns, cfile->uid), + cfile->dentry); + #ifdef CONFIG_CIFS_DEBUG2 +- seq_printf(m, " 0x%llx\n", cfile->fid.mid); ++ seq_printf(m, " %llu\n", cfile->fid.mid); + #else + seq_printf(m, "\n"); + #endif /* CIFS_DEBUG2 */ +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 68642e3d4270..eec8a2052da2 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -741,7 +741,7 @@ static void clean_demultiplex_info(struct TCP_Server_Info *server) + spin_lock(&GlobalMid_Lock); + list_for_each_safe(tmp, tmp2, &server->pending_mid_q) { + mid_entry = list_entry(tmp, struct mid_q_entry, qhead); +- cifs_dbg(FYI, "Clearing mid 0x%llx\n", mid_entry->mid); ++ cifs_dbg(FYI, "Clearing mid %llu\n", mid_entry->mid); + kref_get(&mid_entry->refcount); + mid_entry->mid_state = MID_SHUTDOWN; + list_move(&mid_entry->qhead, &dispose_list); +@@ -752,7 +752,7 @@ static void clean_demultiplex_info(struct TCP_Server_Info *server) + /* now walk dispose list and issue callbacks */ + list_for_each_safe(tmp, tmp2, &dispose_list) { + mid_entry = list_entry(tmp, struct mid_q_entry, qhead); +- cifs_dbg(FYI, "Callback mid 0x%llx\n", mid_entry->mid); ++ cifs_dbg(FYI, "Callback mid %llu\n", mid_entry->mid); + list_del_init(&mid_entry->qhead); + mid_entry->callback(mid_entry); + cifs_mid_q_entry_release(mid_entry); +diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c +index 60d4bd1eae2b..6e0ea19e710b 100644 +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -767,7 +767,7 @@ smb2_cancelled_close_fid(struct work_struct *work) + int rc; + + if (cancelled->mid) +- cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llx\n", ++ cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llu\n", + cancelled->mid); + else + cifs_tcon_dbg(VFS, "Close interrupted close\n"); +-- +2.30.0 + + diff --git a/patches.suse/cifs-return-proper-error-code-in-statfs-2-.patch b/patches.suse/cifs-return-proper-error-code-in-statfs-2-.patch new file mode 100644 index 0000000..285ba4c --- /dev/null +++ b/patches.suse/cifs-return-proper-error-code-in-statfs-2-.patch @@ -0,0 +1,39 @@ +From: Paulo Alcantara +Date: Mon, 8 Mar 2021 12:00:49 -0300 +Subject: [PATCH] cifs: return proper error code in statfs(2) +Git-commit: 14302ee3301b3a77b331cc14efb95bf7184c73cc +References: bsc#1181507 +Patch-mainline: v5.12-rc3 + +In cifs_statfs(), if server->ops->queryfs is not NULL, then we should +use its return value rather than always returning 0. Instead, use rc +variable as it is properly set to 0 in case there is no +server->ops->queryfs. + +Signed-off-by: Paulo Alcantara (SUSE) +Reviewed-by: Aurelien Aptel +Reviewed-by: Ronnie Sahlberg +CC: +Signed-off-by: Steve French +Acked-by: Aurelien Aptel +--- + fs/cifs/cifsfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c +index d43e935d2df4..099ad9f3660b 100644 +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -290,7 +290,7 @@ cifs_statfs(struct dentry *dentry, struct kstatfs *buf) + rc = server->ops->queryfs(xid, tcon, cifs_sb, buf); + + free_xid(xid); +- return 0; ++ return rc; + } + + static long cifs_fallocate(struct file *file, int mode, loff_t off, loff_t len) +-- +2.30.0 + + diff --git a/patches.suse/cifs_debug-use-pd-instead-of-messing-with-d_name.patch b/patches.suse/cifs_debug-use-pd-instead-of-messing-with-d_name.patch new file mode 100644 index 0000000..758bccb --- /dev/null +++ b/patches.suse/cifs_debug-use-pd-instead-of-messing-with-d_name.patch @@ -0,0 +1,38 @@ +From: Al Viro +Date: Wed, 6 Jan 2021 21:53:52 -0500 +Subject: [PATCH] cifs_debug: use %pd instead of messing with ->d_name +Git-commit: b9e4666fc1c8f0e259c961cafca81046addb7dfe +References: bsc#1181507 +Patch-mainline: v5.11-rc3 + +Signed-off-by: Al Viro +Acked-by: Aurelien Aptel +--- + fs/cifs/cifs_debug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c +index b231dcf1d1f9..aa697ccfa9dc 100644 +--- a/fs/cifs/cifs_debug.c ++++ b/fs/cifs/cifs_debug.c +@@ -197,14 +197,14 @@ static int cifs_debug_files_proc_show(struct seq_file *m, void *v) + cfile = list_entry(tmp2, struct cifsFileInfo, + tlist); + seq_printf(m, +- "0x%x 0x%llx 0x%x %d %d %d %s", ++ "0x%x 0x%llx 0x%x %d %d %d %pd", + tcon->tid, + cfile->fid.persistent_fid, + cfile->f_flags, + cfile->count, + cfile->pid, + from_kuid(&init_user_ns, cfile->uid), +- cfile->dentry->d_name.name); ++ cfile->dentry); + #ifdef CONFIG_CIFS_DEBUG2 + seq_printf(m, " 0x%llx\n", cfile->fid.mid); + #else +-- +2.30.0 + + diff --git a/patches.suse/firewire-nosy-Fix-a-use-after-free-bug-in-nosy_ioctl.patch b/patches.suse/firewire-nosy-Fix-a-use-after-free-bug-in-nosy_ioctl.patch new file mode 100644 index 0000000..b6e2e4a --- /dev/null +++ b/patches.suse/firewire-nosy-Fix-a-use-after-free-bug-in-nosy_ioctl.patch @@ -0,0 +1,119 @@ +From 829933ef05a951c8ff140e814656d73e74915faf Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Sat, 3 Apr 2021 06:58:36 +0000 +Subject: [PATCH] firewire: nosy: Fix a use-after-free bug in nosy_ioctl() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 829933ef05a951c8ff140e814656d73e74915faf +Patch-mainline: v5.12-rc6 +References: CVE-2021-3483 bsc#1184393 + +For each device, the nosy driver allocates a pcilynx structure. +A use-after-free might happen in the following scenario: + + 1. Open nosy device for the first time and call ioctl with command + NOSY_IOC_START, then a new client A will be malloced and added to + doubly linked list. + 2. Open nosy device for the second time and call ioctl with command + NOSY_IOC_START, then a new client B will be malloced and added to + doubly linked list. + 3. Call ioctl with command NOSY_IOC_START for client A, then client A + will be readded to the doubly linked list. Now the doubly linked + list is messed up. + 4. Close the first nosy device and nosy_release will be called. In + nosy_release, client A will be unlinked and freed. + 5. Close the second nosy device, and client A will be referenced, + resulting in UAF. + +The root cause of this bug is that the element in the doubly linked list +is reentered into the list. + +Fix this bug by adding a check before inserting a client. If a client +is already in the linked list, don't insert it. + +The following KASAN report reveals it: + + BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210 + Write of size 8 at addr ffff888102ad7360 by task poc + CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 + Call Trace: + nosy_release+0x1ea/0x210 + __fput+0x1e2/0x840 + task_work_run+0xe8/0x180 + exit_to_user_mode_prepare+0x114/0x120 + syscall_exit_to_user_mode+0x1d/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + Allocated by task 337: + nosy_open+0x154/0x4d0 + misc_open+0x2ec/0x410 + chrdev_open+0x20d/0x5a0 + do_dentry_open+0x40f/0xe80 + path_openat+0x1cf9/0x37b0 + do_filp_open+0x16d/0x390 + do_sys_openat2+0x11d/0x360 + __x64_sys_open+0xfd/0x1a0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + Freed by task 337: + kfree+0x8f/0x210 + nosy_release+0x158/0x210 + __fput+0x1e2/0x840 + task_work_run+0xe8/0x180 + exit_to_user_mode_prepare+0x114/0x120 + syscall_exit_to_user_mode+0x1d/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128 + The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380) + +[ Modified to use 'list_empty()' inside proper lock - Linus ] + +Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/ +Reported-and-tested-by: 马哲宇 (Zheyu Ma) +Signed-off-by: Zheyu Ma +Cc: Greg Kroah-Hartman +Cc: Stefan Richter +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + drivers/firewire/nosy.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c +index 5fd6a60b6741..88ed971e32c0 100644 +--- a/drivers/firewire/nosy.c ++++ b/drivers/firewire/nosy.c +@@ -346,6 +346,7 @@ nosy_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + struct client *client = file->private_data; + spinlock_t *client_list_lock = &client->lynx->client_list_lock; + struct nosy_stats stats; ++ int ret; + + switch (cmd) { + case NOSY_IOC_GET_STATS: +@@ -360,11 +361,15 @@ nosy_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + return 0; + + case NOSY_IOC_START: ++ ret = -EBUSY; + spin_lock_irq(client_list_lock); +- list_add_tail(&client->link, &client->lynx->client_list); ++ if (list_empty(&client->link)) { ++ list_add_tail(&client->link, &client->lynx->client_list); ++ ret = 0; ++ } + spin_unlock_irq(client_list_lock); + +- return 0; ++ return ret; + + case NOSY_IOC_STOP: + spin_lock_irq(client_list_lock); +-- +2.26.2 + diff --git a/patches.suse/ibmvnic-Use-skb_frag_address-instead-of-hand-coding-.patch b/patches.suse/ibmvnic-Use-skb_frag_address-instead-of-hand-coding-.patch new file mode 100644 index 0000000..e6e7474 --- /dev/null +++ b/patches.suse/ibmvnic-Use-skb_frag_address-instead-of-hand-coding-.patch @@ -0,0 +1,38 @@ +From c3105f8485775943b2ccde09c7163510c161c965 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sun, 4 Apr 2021 10:54:37 +0200 +Subject: [PATCH] ibmvnic: Use 'skb_frag_address()' instead of hand coding it + +References: bsc#1184114 ltc#192237 +Patch-mainline: queued +Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git +Git-commit: c3105f8485775943b2ccde09c7163510c161c965 + +'page_address(skb_frag_page()) + skb_frag_off()' can be replaced by an +equivalent 'skb_frag_address()' which is less verbose. + +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Acked-by: Michal Suchanek +--- + drivers/net/ethernet/ibm/ibmvnic.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1678,9 +1678,8 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) + for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { + const skb_frag_t *frag = &skb_shinfo(skb)->frags[i]; + +- memcpy(dst + cur, +- page_address(skb_frag_page(frag)) + +- frag->page_offset, skb_frag_size(frag)); ++ memcpy(dst + cur, skb_frag_address(frag), ++ skb_frag_size(frag)); + cur += skb_frag_size(frag); + } + } else { +-- +2.26.2 + diff --git a/patches.suse/kvm-svm-periodically-schedule-when-unregistering-regions-on-destroy.patch b/patches.suse/kvm-svm-periodically-schedule-when-unregistering-regions-on-destroy.patch new file mode 100644 index 0000000..6311c95 --- /dev/null +++ b/patches.suse/kvm-svm-periodically-schedule-when-unregistering-regions-on-destroy.patch @@ -0,0 +1,54 @@ +From: David Rientjes +Date: Tue, 25 Aug 2020 12:56:28 -0700 +Subject: KVM: SVM: Periodically schedule when unregistering regions on destroy +Git-commit: 7be74942f184fdfba34ddd19a0d995deb34d4a03 +Patch-mainline: v5.9-rc5 +References: bsc#1184511 CVE-2020-36311 + +There may be many encrypted regions that need to be unregistered when a +SEV VM is destroyed. This can lead to soft lockups. For example, on a +host running 4.15: + +watchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348] +CPU: 206 PID: 194348 Comm: t_virtual_machi +RIP: 0010:free_unref_page_list+0x105/0x170 +... +Call Trace: + [<0>] release_pages+0x159/0x3d0 + [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd] + [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd] + [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd] + [<0>] kvm_arch_destroy_vm+0x47/0x200 + [<0>] kvm_put_kvm+0x1a8/0x2f0 + [<0>] kvm_vm_release+0x25/0x30 + [<0>] do_exit+0x335/0xc10 + [<0>] do_group_exit+0x3f/0xa0 + [<0>] get_signal+0x1bc/0x670 + [<0>] do_signal+0x31/0x130 + +Although the CLFLUSH is no longer issued on every encrypted region to be +unregistered, there are no other changes that can prevent soft lockups for +very large SEV VMs in the latest kernel. + +Periodically schedule if necessary. This still holds kvm->lock across the +resched, but since this only happens when the VM is destroyed this is +assumed to be acceptable. + +Signed-off-by: David Rientjes +Message-Id: +Signed-off-by: Paolo Bonzini +Acked-by: Borislav Petkov +--- + arch/x86/kvm/svm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1854,6 +1854,7 @@ static void sev_vm_destroy(struct kvm *k + list_for_each_safe(pos, q, head) { + __unregister_enc_region_locked(kvm, + list_entry(pos, struct enc_region, list)); ++ cond_resched(); + } + } + diff --git a/patches.suse/locking-mutex-Fix-non-debug-version-of-mutex_lock_io.patch b/patches.suse/locking-mutex-Fix-non-debug-version-of-mutex_lock_io.patch new file mode 100644 index 0000000..a36e85f --- /dev/null +++ b/patches.suse/locking-mutex-Fix-non-debug-version-of-mutex_lock_io.patch @@ -0,0 +1,42 @@ +From 291da9d4a9eb3a1cb0610b7f4480f5b52b1825e7 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Mon, 22 Mar 2021 09:46:13 +0100 +Subject: [PATCH] locking/mutex: Fix non debug version of mutex_lock_io_nested() +Git-commit: 291da9d4a9eb3a1cb0610b7f4480f5b52b1825e7 +Patch-mainline: v5.12-rc5 +References: git-fixes + +If CONFIG_DEBUG_LOCK_ALLOC=n then mutex_lock_io_nested() maps to +mutex_lock() which is clearly wrong because mutex_lock() lacks the +io_schedule_prepare()/finish() invocations. + +Map it to mutex_lock_io(). + +Fixes: f21860bac05b ("locking/mutex, sched/wait: Fix the mutex_lock_io_nested() define") +Signed-off-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/878s6fshii.fsf@nanos.tec.linutronix.de +Signed-off-by: Davidlohr Bueso + +--- + include/linux/mutex.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/mutex.h b/include/linux/mutex.h +index 0cd631a19727..515cff77a4f4 100644 +--- a/include/linux/mutex.h ++++ b/include/linux/mutex.h +@@ -185,7 +185,7 @@ extern void mutex_lock_io(struct mutex *lock); + # define mutex_lock_interruptible_nested(lock, subclass) mutex_lock_interruptible(lock) + # define mutex_lock_killable_nested(lock, subclass) mutex_lock_killable(lock) + # define mutex_lock_nest_lock(lock, nest_lock) mutex_lock(lock) +-# define mutex_lock_io_nested(lock, subclass) mutex_lock(lock) ++# define mutex_lock_io_nested(lock, subclass) mutex_lock_io(lock) + #endif + + /* +-- +2.26.2 + diff --git a/patches.suse/media-v4l-ioctl-Fix-memory-leak-in-video_usercopy.patch b/patches.suse/media-v4l-ioctl-Fix-memory-leak-in-video_usercopy.patch new file mode 100644 index 0000000..225f217 --- /dev/null +++ b/patches.suse/media-v4l-ioctl-Fix-memory-leak-in-video_usercopy.patch @@ -0,0 +1,83 @@ +From fb18802a338b36f675a388fc03d2aa504a0d0899 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Sat, 19 Dec 2020 23:29:58 +0100 +Subject: [PATCH] media: v4l: ioctl: Fix memory leak in video_usercopy +Git-commit: fb18802a338b36f675a388fc03d2aa504a0d0899 +Patch-mainline: v5.12-rc1 +References: bsc#1184120 CVE-2021-30002 + +When an IOCTL with argument size larger than 128 that also used array +arguments were handled, two memory allocations were made but alas, only +the latter one of them was released. This happened because there was only +a single local variable to hold such a temporary allocation. + +Fix this by adding separate variables to hold the pointers to the +temporary allocations. + +Reported-by: Arnd Bergmann +Reported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com +Fixes: d14e6d76ebf7 ("[media] v4l: Add multi-planar ioctl handling code") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Acked-by: Arnd Bergmann +Acked-by: Hans Verkuil +Reviewed-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/v4l2-core/v4l2-ioctl.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -2782,7 +2782,7 @@ video_usercopy(struct file *file, unsign + v4l2_kioctl func) + { + char sbuf[128]; +- void *mbuf = NULL; ++ void *mbuf = NULL, *array_buf = NULL; + void *parg = (void *)arg; + long err = -EINVAL; + bool has_array_args; +@@ -2837,20 +2837,14 @@ video_usercopy(struct file *file, unsign + has_array_args = err; + + if (has_array_args) { +- /* +- * When adding new types of array args, make sure that the +- * parent argument to ioctl (which contains the pointer to the +- * array) fits into sbuf (so that mbuf will still remain +- * unused up to here). +- */ +- mbuf = kmalloc(array_size, GFP_KERNEL); ++ array_buf = kmalloc(array_size, GFP_KERNEL); + err = -ENOMEM; +- if (NULL == mbuf) ++ if (array_buf == NULL) + goto out_array_args; + err = -EFAULT; +- if (copy_from_user(mbuf, user_ptr, array_size)) ++ if (copy_from_user(array_buf, user_ptr, array_size)) + goto out_array_args; +- *kernel_ptr = mbuf; ++ *kernel_ptr = array_buf; + } + + /* Handles IOCTL */ +@@ -2869,7 +2863,7 @@ video_usercopy(struct file *file, unsign + + if (has_array_args) { + *kernel_ptr = (void __force *)user_ptr; +- if (copy_to_user(user_ptr, mbuf, array_size)) ++ if (copy_to_user(user_ptr, array_buf, array_size)) + err = -EFAULT; + goto out_array_args; + } +@@ -2889,6 +2883,7 @@ out_array_args: + } + + out: ++ kfree(array_buf); + kfree(mbuf); + return err; + } diff --git a/patches.suse/n_tty-Fix-stall-at-n_tty_receive_char_special b/patches.suse/n_tty-Fix-stall-at-n_tty_receive_char_special index 56d4c96..6e3bfc5 100644 --- a/patches.suse/n_tty-Fix-stall-at-n_tty_receive_char_special +++ b/patches.suse/n_tty-Fix-stall-at-n_tty_receive_char_special @@ -4,7 +4,7 @@ Date: Sat, 26 May 2018 09:53:13 +0900 Subject: [PATCH] n_tty: Fix stall at n_tty_receive_char_special(). Git-commit: 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 Patch-mainline: v4.18-rc3 -References: bsc#1051510 +References: bsc#1051510 CVE-2021-20219 bsc#1184397 syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is because comparison is not working as expected since ldata->read_head can diff --git a/patches.suse/net-sched-disable-nolock-pfifo-fast.patch b/patches.suse/net-sched-disable-nolock-pfifo-fast.patch new file mode 100644 index 0000000..6583799 --- /dev/null +++ b/patches.suse/net-sched-disable-nolock-pfifo-fast.patch @@ -0,0 +1,35 @@ +From: Jiri Kosina +Date: Sat, 03 Apr 2021 15:00:00 +0200 +Subject: [PATCH] net: sched: disable TCQ_F_NOLOCK for pfifo_fast +Patch-mainline: never, proper fix in progress +References: bsc#1183405 + +The patch disables NOLOCK functionality for pfifo_fast and thus closes the following +race condition: + +- thread A holds seqlock on the qdisc and has finished processing / dequeuing packets + (has dequeued last packet) +- thread A iterates through the qdisc->dequeue() pfifo_fast's callback again and + determines that the queue is indeed empty +- thread B enqueues a packet. Since seqlock is still being held by thread A, it + assumes the packet will eventually be dequeued by the current lock holder +- thread A unlocks seqlock +- there is nobody to check for enqueued packets, until new packet is enqueued + +Fixes: c5ad119fb6c0 ("net: sched: pfifo_fast use skb_array") +Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking") +Signed-off-by: Jiri Kosina + +--- + +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -806,7 +806,7 @@ + .dump = pfifo_fast_dump, + .change_tx_queue_len = pfifo_fast_change_tx_queue_len, + .owner = THIS_MODULE, +- .static_flags = TCQ_F_NOLOCK | TCQ_F_CPUSTATS, ++ .static_flags = TCQ_F_CPUSTATS, + }; + EXPORT_SYMBOL(pfifo_fast_ops); + diff --git a/patches.suse/nfc-Avoid-endless-loops-caused-by-repeated-llcp_sock.patch b/patches.suse/nfc-Avoid-endless-loops-caused-by-repeated-llcp_sock.patch new file mode 100644 index 0000000..01b58c7 --- /dev/null +++ b/patches.suse/nfc-Avoid-endless-loops-caused-by-repeated-llcp_sock.patch @@ -0,0 +1,49 @@ +From 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 Mon Sep 17 00:00:00 2001 +From: Xiaoming Ni +Date: Thu, 25 Mar 2021 11:51:13 +0800 +Subject: [PATCH] nfc: Avoid endless loops caused by repeated llcp_sock_connect() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 +Patch-mainline: v5.12-rc7 +References: CVE-2020-25673 bsc#1178181 + +When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is + LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, + nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. + sk->sk_node->next will point to itself, that will make an endless loop + and hang-up the system. +To fix it, check whether sk->sk_state is LLCP_CONNECTING in + llcp_sock_connect() to avoid repeated invoking. + +Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections") +Reported-by: "kiyin(尹亮)" +Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 +Cc: #v3.11 +Signed-off-by: Xiaoming Ni +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + net/nfc/llcp_sock.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index 59172614b249..a3b46f888803 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + ret = -EISCONN; + goto error; + } ++ if (sk->sk_state == LLCP_CONNECTING) { ++ ret = -EINPROGRESS; ++ goto error; ++ } + + dev = nfc_get_device(addr->dev_idx); + if (dev == NULL) { +-- +2.26.2 + diff --git a/patches.suse/nfc-fix-memory-leak-in-llcp_sock_connect.patch b/patches.suse/nfc-fix-memory-leak-in-llcp_sock_connect.patch new file mode 100644 index 0000000..09c9beb --- /dev/null +++ b/patches.suse/nfc-fix-memory-leak-in-llcp_sock_connect.patch @@ -0,0 +1,44 @@ +From 7574fcdbdcb335763b6b322f6928dc0fd5730451 Mon Sep 17 00:00:00 2001 +From: Xiaoming Ni +Date: Thu, 25 Mar 2021 11:51:12 +0800 +Subject: [PATCH] nfc: fix memory leak in llcp_sock_connect() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 7574fcdbdcb335763b6b322f6928dc0fd5730451 +Patch-mainline: v5.12-rc7 +References: CVE-2020-25672 bsc#1178181 + +[ backport note: adjusted to the old error path -- tiwai ] + +In llcp_sock_connect(), use kmemdup to allocate memory for + "llcp_sock->service_name". The memory is not released in the sock_unlink +label of the subsequent failure branch. +As a result, memory leakage occurs. + +fix CVE-2020-25672 + +Fixes: d646960f7986 ("NFC: Initial LLCP support") +Reported-by: "kiyin(尹亮)" +Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 +Cc: #v3.3 +Signed-off-by: Xiaoming Ni +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + net/nfc/llcp_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -757,6 +757,9 @@ sock_unlink: + nfc_llcp_put_ssap(local, llcp_sock->ssap); + + nfc_llcp_sock_unlink(&local->connecting_sockets, sk); ++ kfree(llcp_sock->service_name); ++ llcp_sock->service_name = NULL; ++ + nfc_llcp_local_put(llcp_sock->local); + + put_dev: diff --git a/patches.suse/nfc-fix-refcount-leak-in-llcp_sock_bind.patch b/patches.suse/nfc-fix-refcount-leak-in-llcp_sock_bind.patch new file mode 100644 index 0000000..d48a166 --- /dev/null +++ b/patches.suse/nfc-fix-refcount-leak-in-llcp_sock_bind.patch @@ -0,0 +1,51 @@ +From c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d Mon Sep 17 00:00:00 2001 +From: Xiaoming Ni +Date: Thu, 25 Mar 2021 11:51:10 +0800 +Subject: [PATCH] nfc: fix refcount leak in llcp_sock_bind() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d +Patch-mainline: v5.12-rc7 +References: CVE-2020-25670 bsc#1178181 + +nfc_llcp_local_get() is invoked in llcp_sock_bind(), +but nfc_llcp_local_put() is not invoked in subsequent failure branches. +As a result, refcount leakage occurs. +To fix it, add calling nfc_llcp_local_put(). + +fix CVE-2020-25670 + +Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket") +Reported-by: "kiyin(尹亮)" +Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 +Cc: #v3.6 +Signed-off-by: Xiaoming Ni +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + net/nfc/llcp_sock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index d257ed3b732a..68832ee4b9f8 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) + llcp_sock->service_name_len, + GFP_KERNEL); + if (!llcp_sock->service_name) { ++ nfc_llcp_local_put(llcp_sock->local); + ret = -ENOMEM; + goto put_dev; + } + llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); + if (llcp_sock->ssap == LLCP_SAP_MAX) { ++ nfc_llcp_local_put(llcp_sock->local); + kfree(llcp_sock->service_name); + llcp_sock->service_name = NULL; + ret = -EADDRINUSE; +-- +2.26.2 + diff --git a/patches.suse/nfc-fix-refcount-leak-in-llcp_sock_connect.patch b/patches.suse/nfc-fix-refcount-leak-in-llcp_sock_connect.patch new file mode 100644 index 0000000..722bef0 --- /dev/null +++ b/patches.suse/nfc-fix-refcount-leak-in-llcp_sock_connect.patch @@ -0,0 +1,50 @@ +From 8a4cd82d62b5ec7e5482333a72b58a4eea4979f0 Mon Sep 17 00:00:00 2001 +From: Xiaoming Ni +Date: Thu, 25 Mar 2021 11:51:11 +0800 +Subject: [PATCH] nfc: fix refcount leak in llcp_sock_connect() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 8a4cd82d62b5ec7e5482333a72b58a4eea4979f0 +Patch-mainline: v5.12-rc7 +References: CVE-2020-25671 bsc#1178181 + +[ backport note: adjusted to the old error path -- tiwai ] + +nfc_llcp_local_get() is invoked in llcp_sock_connect(), +but nfc_llcp_local_put() is not invoked in subsequent failure branches. +As a result, refcount leakage occurs. +To fix it, add calling nfc_llcp_local_put(). + +fix CVE-2020-25671 + +Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket") +Reported-by: "kiyin(尹亮)" +Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 +Cc: #v3.6 +Signed-off-by: Xiaoming Ni +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + net/nfc/llcp_sock.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -717,6 +717,7 @@ static int llcp_sock_connect(struct sock + llcp_sock->local = nfc_llcp_local_get(local); + llcp_sock->ssap = nfc_llcp_get_local_ssap(local); + if (llcp_sock->ssap == LLCP_SAP_MAX) { ++ nfc_llcp_local_put(llcp_sock->local); + ret = -ENOMEM; + goto put_dev; + } +@@ -756,6 +757,7 @@ sock_unlink: + nfc_llcp_put_ssap(local, llcp_sock->ssap); + + nfc_llcp_sock_unlink(&local->connecting_sockets, sk); ++ nfc_llcp_local_put(llcp_sock->local); + + put_dev: + nfc_put_device(dev); diff --git a/patches.suse/powerpc-64s-Fix-instruction-encoding-for-lis-in-ppc_.patch b/patches.suse/powerpc-64s-Fix-instruction-encoding-for-lis-in-ppc_.patch new file mode 100644 index 0000000..2094ee9 --- /dev/null +++ b/patches.suse/powerpc-64s-Fix-instruction-encoding-for-lis-in-ppc_.patch @@ -0,0 +1,42 @@ +From cea15316ceee2d4a51dfdecd79e08a438135416c Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 4 Mar 2021 07:34:11 +0530 +Subject: [PATCH] powerpc/64s: Fix instruction encoding for lis in + ppc_function_entry() + +References: bsc#1065729 +Patch-mainline: v5.12-rc3 +Git-commit: cea15316ceee2d4a51dfdecd79e08a438135416c + +'lis r2,N' is 'addis r2,0,N' and the instruction encoding in the macro +LIS_R2 is incorrect (it currently maps to 'addis r0,r2,N'). Fix the +same. + +Fixes: c71b7eff426f ("powerpc: Add ABIv2 support to ppc_function_entry") +Cc: stable@vger.kernel.org # v3.16+ +Reported-by: Jiri Olsa +Signed-off-by: Naveen N. Rao +Acked-by: Segher Boessenkool +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210304020411.16796-1-naveen.n.rao@linux.vnet.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/code-patching.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/code-patching.h b/arch/powerpc/include/asm/code-patching.h +index eacc9102c251..d5b3c3bb95b4 100644 +--- a/arch/powerpc/include/asm/code-patching.h ++++ b/arch/powerpc/include/asm/code-patching.h +@@ -73,7 +73,7 @@ void __patch_exception(int exc, unsigned long addr); + #endif + + #define OP_RT_RA_MASK 0xffff0000UL +-#define LIS_R2 0x3c020000UL ++#define LIS_R2 0x3c400000UL + #define ADDIS_R2_R12 0x3c4c0000UL + #define ADDI_R2_R2 0x38420000UL + +-- +2.26.2 + diff --git a/patches.suse/powerpc-pmem-Include-pmem-prototypes.patch b/patches.suse/powerpc-pmem-Include-pmem-prototypes.patch new file mode 100644 index 0000000..c2ba34d --- /dev/null +++ b/patches.suse/powerpc-pmem-Include-pmem-prototypes.patch @@ -0,0 +1,45 @@ +From d03f210e6ed8f5d64b00f0f07b03db74aa5b95a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= +Date: Mon, 4 Jan 2021 15:31:48 +0100 +Subject: [PATCH] powerpc/pmem: Include pmem prototypes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +References: bsc#1113295 git-fixes +Patch-mainline: v5.12-rc1 +Git-commit: d03f210e6ed8f5d64b00f0f07b03db74aa5b95a1 + +It fixes this W=1 compile error : + +../arch/powerpc/lib/pmem.c:51:6: error: no previous prototype for ‘arch_wb_cache_pmem’ [-Werror=missing-prototypes] + 51 | void arch_wb_cache_pmem(void *addr, size_t size) + | ^~~~~~~~~~~~~~~~~~ +../arch/powerpc/lib/pmem.c:58:6: error: no previous prototype for ‘arch_invalidate_pmem’ [-Werror=missing-prototypes] + 58 | void arch_invalidate_pmem(void *addr, size_t size) + | ^~~~~~~~~~~~~~~~~~~~ + +Fixes: 32ce3862af3c ("powerpc/lib: Implement PMEM API") +Signed-off-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210104143206.695198-6-clg@kaod.org +Acked-by: Michal Suchanek +--- + arch/powerpc/lib/pmem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/lib/pmem.c b/arch/powerpc/lib/pmem.c +index 1550e0d2513a..eb2919ddf9b9 100644 +--- a/arch/powerpc/lib/pmem.c ++++ b/arch/powerpc/lib/pmem.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + + #include + +-- +2.26.2 + diff --git a/patches.suse/powerpc-pseries-mobility-handle-premature-return-fro.patch b/patches.suse/powerpc-pseries-mobility-handle-premature-return-fro.patch new file mode 100644 index 0000000..891354d --- /dev/null +++ b/patches.suse/powerpc-pseries-mobility-handle-premature-return-fro.patch @@ -0,0 +1,103 @@ +From 274cb1ca2e7ce02cab56f5f4c61a74aeb566f931 Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Mon, 15 Mar 2021 03:00:45 -0500 +Subject: [PATCH] powerpc/pseries/mobility: handle premature return from H_JOIN + +References: bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922 +Patch-mainline: v5.12 or v5.12-rc6 (next release) +Git-commit: 274cb1ca2e7ce02cab56f5f4c61a74aeb566f931 + +The pseries join/suspend sequence in its current form was written with +the assumption that it was the only user of H_PROD and that it needn't +handle spurious successful returns from H_JOIN. That's wrong; +powerpc's paravirt spinlock code uses H_PROD, and CPUs entering +do_join() can be woken prematurely from H_JOIN with a status of +H_SUCCESS as a result. This causes all CPUs to exit the sequence +early, preventing suspend from occurring at all. + +Add a 'done' boolean flag to the pseries_suspend_info struct, and have +the waking thread set it before waking the other threads. Threads +which receive H_SUCCESS from H_JOIN retry if the 'done' flag is still +unset. + +Fixes: 9327dc0aeef3 ("powerpc/pseries/mobility: use stop_machine for join/suspend") +Signed-off-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210315080045.460331-3-nathanl@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/mobility.c | 26 ++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c +index a6739ce9feac..e83e0891272d 100644 +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -458,9 +458,12 @@ static int do_suspend(void) + * or if an error is received from H_JOIN. The thread which performs + * the first increment (i.e. sets it to 1) is responsible for + * waking the other threads. ++ * @done: False if join/suspend is in progress. True if the operation is ++ * complete (successful or not). + */ + struct pseries_suspend_info { + atomic_t counter; ++ bool done; + }; + + static int do_join(void *arg) +@@ -470,6 +473,7 @@ static int do_join(void *arg) + long hvrc; + int ret; + ++retry: + /* Must ensure MSR.EE off for H_JOIN. */ + hard_irq_disable(); + hvrc = plpar_hcall_norets(H_JOIN); +@@ -485,8 +489,20 @@ static int do_join(void *arg) + case H_SUCCESS: + /* + * The suspend is complete and this cpu has received a +- * prod. ++ * prod, or we've received a stray prod from unrelated ++ * code (e.g. paravirt spinlocks) and we need to join ++ * again. ++ * ++ * This barrier orders the return from H_JOIN above vs ++ * the load of info->done. It pairs with the barrier ++ * in the wakeup/prod path below. + */ ++ smp_mb(); ++ if (READ_ONCE(info->done) == false) { ++ pr_info_ratelimited("premature return from H_JOIN on CPU %i, retrying", ++ smp_processor_id()); ++ goto retry; ++ } + ret = 0; + break; + case H_BAD_MODE: +@@ -500,6 +516,13 @@ static int do_join(void *arg) + + if (atomic_inc_return(counter) == 1) { + pr_info("CPU %u waking all threads\n", smp_processor_id()); ++ WRITE_ONCE(info->done, true); ++ /* ++ * This barrier orders the store to info->done vs subsequent ++ * H_PRODs to wake the other CPUs. It pairs with the barrier ++ * in the H_SUCCESS case above. ++ */ ++ smp_mb(); + prod_others(); + } + /* +@@ -553,6 +576,7 @@ static int pseries_suspend(u64 handle) + + info = (struct pseries_suspend_info) { + .counter = ATOMIC_INIT(0), ++ .done = false, + }; + + ret = stop_machine(do_join, &info, cpu_online_mask); +-- +2.26.2 + diff --git a/patches.suse/powerpc-pseries-mobility-use-struct-for-shared-state.patch b/patches.suse/powerpc-pseries-mobility-use-struct-for-shared-state.patch new file mode 100644 index 0000000..1039c24 --- /dev/null +++ b/patches.suse/powerpc-pseries-mobility-use-struct-for-shared-state.patch @@ -0,0 +1,70 @@ +From e834df6cfc71d8e5ce2c27a0184145ea125c3f0f Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Mon, 15 Mar 2021 03:00:44 -0500 +Subject: [PATCH] powerpc/pseries/mobility: use struct for shared state + +References: bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922 +Patch-mainline: v5.12 or v5.12-rc6 (next release) +Git-commit: e834df6cfc71d8e5ce2c27a0184145ea125c3f0f + +The atomic_t counter is the only shared state for the join/suspend +sequence so far, but that will change. Contain it in a +struct (pseries_suspend_info), and document its intended use. No +functional change. + +Signed-off-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210315080045.460331-2-nathanl@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/mobility.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c +index ea4d6a660e0d..a6739ce9feac 100644 +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -452,9 +452,21 @@ static int do_suspend(void) + return ret; + } + ++/** ++ * struct pseries_suspend_info - State shared between CPUs for join/suspend. ++ * @counter: Threads are to increment this upon resuming from suspend ++ * or if an error is received from H_JOIN. The thread which performs ++ * the first increment (i.e. sets it to 1) is responsible for ++ * waking the other threads. ++ */ ++struct pseries_suspend_info { ++ atomic_t counter; ++}; ++ + static int do_join(void *arg) + { +- atomic_t *counter = arg; ++ struct pseries_suspend_info *info = arg; ++ atomic_t *counter = &info->counter; + long hvrc; + int ret; + +@@ -535,11 +547,15 @@ static int pseries_suspend(u64 handle) + int ret; + + while (true) { +- atomic_t counter = ATOMIC_INIT(0); ++ struct pseries_suspend_info info; + unsigned long vasi_state; + int vasi_err; + +- ret = stop_machine(do_join, &counter, cpu_online_mask); ++ info = (struct pseries_suspend_info) { ++ .counter = ATOMIC_INIT(0), ++ }; ++ ++ ret = stop_machine(do_join, &info, cpu_online_mask); + if (ret == 0) + break; + /* +-- +2.26.2 + diff --git a/patches.suse/powerpc-pseries-ras-Remove-unused-variable-status.patch b/patches.suse/powerpc-pseries-ras-Remove-unused-variable-status.patch new file mode 100644 index 0000000..5effbe3 --- /dev/null +++ b/patches.suse/powerpc-pseries-ras-Remove-unused-variable-status.patch @@ -0,0 +1,66 @@ +From aa23ea0c5f7f9a46e6aa3be0a4cfdfb80fabca6d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= +Date: Mon, 4 Jan 2021 15:31:45 +0100 +Subject: [PATCH] powerpc/pseries/ras: Remove unused variable 'status' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +References: bsc#1065729 +Patch-mainline: v5.12-rc1 +Git-commit: aa23ea0c5f7f9a46e6aa3be0a4cfdfb80fabca6d + +The last use of 'status' was removed in 2012. Remove the variable to +fix this W=1 compile error. + +../arch/powerpc/platforms/pseries/ras.c: In function ‘ras_epow_interrupt’: +../arch/powerpc/platforms/pseries/ras.c:318:6: error: variable ‘status’ set but not used [-Werror=unused-but-set-variable] + 318 | int status; + | ^~~~~~ + +Fixes: 55fc0c561742 ("powerpc/pseries: Parse and handle EPOW interrupts") +Signed-off-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210104143206.695198-3-clg@kaod.org +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/ras.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c +index 149cec2212e6..bcb614ffce6a 100644 +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -315,12 +315,10 @@ static irqreturn_t ras_hotplug_interrupt(int irq, void *dev_id) + /* Handle environmental and power warning (EPOW) interrupts. */ + static irqreturn_t ras_epow_interrupt(int irq, void *dev_id) + { +- int status; + int state; + int critical; + +- status = rtas_get_sensor_fast(EPOW_SENSOR_TOKEN, EPOW_SENSOR_INDEX, +- &state); ++ rtas_get_sensor_fast(EPOW_SENSOR_TOKEN, EPOW_SENSOR_INDEX, &state); + + if (state > 3) + critical = 1; /* Time Critical */ +@@ -329,12 +327,9 @@ static irqreturn_t ras_epow_interrupt(int irq, void *dev_id) + + spin_lock(&ras_log_buf_lock); + +- status = rtas_call(ras_check_exception_token, 6, 1, NULL, +- RTAS_VECTOR_EXTERNAL_INTERRUPT, +- virq_to_hw(irq), +- RTAS_EPOW_WARNING, +- critical, __pa(&ras_log_buf), +- rtas_get_error_log_max()); ++ rtas_call(ras_check_exception_token, 6, 1, NULL, RTAS_VECTOR_EXTERNAL_INTERRUPT, ++ virq_to_hw(irq), RTAS_EPOW_WARNING, critical, __pa(&ras_log_buf), ++ rtas_get_error_log_max()); + + log_error(ras_log_buf, ERR_TYPE_RTAS_LOG, 0); + +-- +2.26.2 + diff --git a/patches.suse/s390-pci-Fix-s390_mmio_read-write-with-MIO.patch b/patches.suse/s390-pci-Fix-s390_mmio_read-write-with-MIO.patch new file mode 100644 index 0000000..4753ffb --- /dev/null +++ b/patches.suse/s390-pci-Fix-s390_mmio_read-write-with-MIO.patch @@ -0,0 +1,358 @@ +From: Niklas Schnelle +Subject: s390/pci: Fix s390_mmio_read/write with MIO +Patch-mainline: v5.7-rc7 +Git-commit: f058599e22d59e594e5aae1dc10560568d8f4a8b +References: LTC#192079 bsc#1183755 + +Description: s390/pci: Fix s390_mmio_read/write with MIO +Symptom: When MIO is available and in use the s390_mmio_read/write + syscalls used to access pseudo MMIO memory from userspace cause + a kernel panic. While the syscalls aren't really needed when + using MIO as the new PCI instructions are not privileged, we + still need to support them for compatibility. +Problem: The new PCI instructions work with virtual memory and + automatically do a page table walk just like normal load/store. + When executed in kernel space the virtual memory is setup for + the kernel not userspace and thus does not include the MMIO + memory mapping leading to an illegal access. +Solution: Execute the new PCI instructions as if executed by the userspace + application invoking the syscall. To do that execute them in + secondary address space mode +Reproduction: Try to run an RDMA application from user space, e.g. + ibv_rc_pingpong + + server process: + ibv_rc_pingpong -d mlx5_0 -g 0 & + + client process: + ibv_rc_pingpong -d mlx5_0 -g 0 localhost + +Upstream-Description: + + s390/pci: Fix s390_mmio_read/write with MIO + + The s390_mmio_read/write syscalls are currently broken when running with + MIO. + + The new pcistb_mio/pcstg_mio/pcilg_mio instructions are executed + similiarly to normal load/store instructions and do address translation + in the current address space. That means inside the kernel they are + aware of mappings into kernel address space while outside the kernel + they use user space mappings (usually created through mmap'ing a PCI + device file). + + Now when existing user space applications use the s390_pci_mmio_write + and s390_pci_mmio_read syscalls, they pass I/O addresses that are mapped + into user space so as to be usable with the new instructions without + needing a syscall. Accessing these addresses with the old instructions + as done currently leads to a kernel panic. + + Also, for such a user space mapping there may not exist an equivalent + kernel space mapping which means we can't just use the new instructions + in kernel space. + + Instead of replicating user mappings in the kernel which then might + collide with other mappings, we can conceptually execute the new + instructions as if executed by the user space application using the + secondary address space. This even allows us to directly store to the + user pointer without the need for copy_to/from_user(). + + Cc: stable@vger.kernel.org + Fixes: 71ba41c9b1d9 ("s390/pci: provide support for MIO instructions") + Signed-off-by: Niklas Schnelle + Reviewed-by: Sven Schnelle + Signed-off-by: Vasily Gorbik + + +Signed-off-by: Niklas Schnelle +Acked-by: Petr Tesarik +--- + arch/s390/include/asm/pci_io.h | 10 + + arch/s390/pci/pci_mmio.c | 210 ++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 216 insertions(+), 4 deletions(-) + +--- a/arch/s390/include/asm/pci_io.h ++++ b/arch/s390/include/asm/pci_io.h +@@ -7,6 +7,10 @@ + #include + #include + ++/* I/O size constraints */ ++#define ZPCI_MAX_READ_SIZE 8 ++#define ZPCI_MAX_WRITE_SIZE 128 ++ + /* I/O Map */ + #define ZPCI_IOMAP_SHIFT 48 + #define ZPCI_IOMAP_ADDR_BASE 0x8000000000000000UL +@@ -139,7 +143,8 @@ static inline int zpci_memcpy_fromio(voi + + while (n > 0) { + size = zpci_get_max_write_size((u64 __force) src, +- (u64) dst, n, 8); ++ (u64) dst, n, ++ ZPCI_MAX_READ_SIZE); + rc = zpci_read_single(dst, src, size); + if (rc) + break; +@@ -160,7 +165,8 @@ static inline int zpci_memcpy_toio(volat + + while (n > 0) { + size = zpci_get_max_write_size((u64 __force) dst, +- (u64) src, n, 128); ++ (u64) src, n, ++ ZPCI_MAX_WRITE_SIZE); + if (size > 8) /* main path */ + rc = zpci_write_block(dst, src, size); + else +--- a/arch/s390/pci/pci_mmio.c ++++ b/arch/s390/pci/pci_mmio.c +@@ -10,6 +10,112 @@ + #include + #include + #include ++#include ++#include ++#include ++ ++static inline void zpci_err_mmio(u8 cc, u8 status, u64 offset) ++{ ++ struct { ++ u64 offset; ++ u8 cc; ++ u8 status; ++ } data = {offset, cc, status}; ++ ++ zpci_err_hex(&data, sizeof(data)); ++} ++ ++static inline int __pcistb_mio_inuser( ++ void __iomem *ioaddr, const void __user *src, ++ u64 len, u8 *status) ++{ ++ int cc = -ENXIO; ++ ++ asm volatile ( ++ " sacf 256\n" ++ "0: .insn rsy,0xeb00000000d4,%[len],%[ioaddr],%[src]\n" ++ "1: ipm %[cc]\n" ++ " srl %[cc],28\n" ++ "2: sacf 768\n" ++ EX_TABLE(0b, 2b) EX_TABLE(1b, 2b) ++ : [cc] "+d" (cc), [len] "+d" (len) ++ : [ioaddr] "a" (ioaddr), [src] "Q" (*((u8 __force *)src)) ++ : "cc", "memory"); ++ *status = len >> 24 & 0xff; ++ return cc; ++} ++ ++static inline int __pcistg_mio_inuser( ++ void __iomem *ioaddr, const void __user *src, ++ u64 ulen, u8 *status) ++{ ++ register u64 addr asm("2") = (u64 __force) ioaddr; ++ register u64 len asm("3") = ulen; ++ int cc = -ENXIO; ++ u64 val = 0; ++ u64 cnt = ulen; ++ u8 tmp; ++ ++ /* ++ * copy 0 < @len <= 8 bytes from @src into the right most bytes of ++ * a register, then store it to PCI at @ioaddr while in secondary ++ * address space. pcistg then uses the user mappings. ++ */ ++ asm volatile ( ++ " sacf 256\n" ++ "0: llgc %[tmp],0(%[src])\n" ++ " sllg %[val],%[val],8\n" ++ " aghi %[src],1\n" ++ " ogr %[val],%[tmp]\n" ++ " brctg %[cnt],0b\n" ++ "1: .insn rre,0xb9d40000,%[val],%[ioaddr]\n" ++ "2: ipm %[cc]\n" ++ " srl %[cc],28\n" ++ "3: sacf 768\n" ++ EX_TABLE(0b, 3b) EX_TABLE(1b, 3b) EX_TABLE(2b, 3b) ++ : ++ [src] "+a" (src), [cnt] "+d" (cnt), ++ [val] "+d" (val), [tmp] "=d" (tmp), ++ [len] "+d" (len), [cc] "+d" (cc), ++ [ioaddr] "+a" (addr) ++ :: "cc", "memory"); ++ *status = len >> 24 & 0xff; ++ ++ /* did we read everything from user memory? */ ++ if (!cc && cnt != 0) ++ cc = -EFAULT; ++ ++ return cc; ++} ++ ++static inline int __memcpy_toio_inuser(void __iomem *dst, ++ const void __user *src, size_t n) ++{ ++ int size, rc = 0; ++ u8 status = 0; ++ ++ if (!src) ++ return -EINVAL; ++ ++ load_kernel_asce(); ++ while (n > 0) { ++ size = zpci_get_max_write_size((u64 __force) dst, ++ (u64 __force) src, n, ++ ZPCI_MAX_WRITE_SIZE); ++ if (size > 8) /* main path */ ++ rc = __pcistb_mio_inuser(dst, src, size, &status); ++ else ++ rc = __pcistg_mio_inuser(dst, src, size, &status); ++ if (rc) ++ break; ++ src += size; ++ dst += size; ++ n -= size; ++ } ++ if (rc) ++ zpci_err_mmio(rc, status, (__force u64) dst); ++ return rc; ++} + + static long get_pfn(unsigned long user_addr, unsigned long access, + unsigned long *pfn) +@@ -45,6 +151,20 @@ SYSCALL_DEFINE3(s390_pci_mmio_write, uns + + if (length <= 0 || PAGE_SIZE - (mmio_addr & ~PAGE_MASK) < length) + return -EINVAL; ++ ++ /* ++ * Only support read access to MIO capable devices on a MIO enabled ++ * system. Otherwise we would have to check for every address if it is ++ * a special ZPCI_ADDR and we would have to do a get_pfn() which we ++ * don't need for MIO capable devices. ++ */ ++ if (static_branch_likely(&have_mio)) { ++ ret = __memcpy_toio_inuser((void __iomem *) mmio_addr, ++ user_buffer, ++ length); ++ return ret; ++ } ++ + if (length > 64) { + buf = kmalloc(length, GFP_KERNEL); + if (!buf) +@@ -55,7 +175,8 @@ SYSCALL_DEFINE3(s390_pci_mmio_write, uns + ret = get_pfn(mmio_addr, VM_WRITE, &pfn); + if (ret) + goto out; +- io_addr = (void __iomem *)((pfn << PAGE_SHIFT) | (mmio_addr & ~PAGE_MASK)); ++ io_addr = (void __iomem *)((pfn << PAGE_SHIFT) | ++ (mmio_addr & ~PAGE_MASK)); + + ret = -EFAULT; + if ((unsigned long) io_addr < ZPCI_IOMAP_ADDR_BASE) +@@ -71,6 +192,76 @@ out: + return ret; + } + ++static inline int __pcilg_mio_inuser( ++ void __user *dst, const void __iomem *ioaddr, ++ u64 ulen, u8 *status) ++{ ++ register u64 addr asm("2") = (u64 __force) ioaddr; ++ register u64 len asm("3") = ulen; ++ u64 cnt = ulen; ++ int shift = ulen * 8; ++ int cc = -ENXIO; ++ u64 val, tmp; ++ ++ /* ++ * read 0 < @len <= 8 bytes from the PCI memory mapped at @ioaddr (in ++ * user space) into a register using pcilg then store these bytes at ++ * user address @dst ++ */ ++ asm volatile ( ++ " sacf 256\n" ++ "0: .insn rre,0xb9d60000,%[val],%[ioaddr]\n" ++ "1: ipm %[cc]\n" ++ " srl %[cc],28\n" ++ " ltr %[cc],%[cc]\n" ++ " jne 4f\n" ++ "2: ahi %[shift],-8\n" ++ " srlg %[tmp],%[val],0(%[shift])\n" ++ "3: stc %[tmp],0(%[dst])\n" ++ " aghi %[dst],1\n" ++ " brctg %[cnt],2b\n" ++ "4: sacf 768\n" ++ EX_TABLE(0b, 4b) EX_TABLE(1b, 4b) EX_TABLE(3b, 4b) ++ : ++ [cc] "+d" (cc), [val] "=d" (val), [len] "+d" (len), ++ [dst] "+a" (dst), [cnt] "+d" (cnt), [tmp] "=d" (tmp), ++ [shift] "+d" (shift) ++ : ++ [ioaddr] "a" (addr) ++ : "cc", "memory"); ++ ++ /* did we write everything to the user space buffer? */ ++ if (!cc && cnt != 0) ++ cc = -EFAULT; ++ ++ *status = len >> 24 & 0xff; ++ return cc; ++} ++ ++static inline int __memcpy_fromio_inuser(void __user *dst, ++ const void __iomem *src, ++ unsigned long n) ++{ ++ int size, rc = 0; ++ u8 status; ++ ++ load_kernel_asce(); ++ while (n > 0) { ++ size = zpci_get_max_write_size((u64 __force) src, ++ (u64 __force) dst, n, ++ ZPCI_MAX_READ_SIZE); ++ rc = __pcilg_mio_inuser(dst, src, size, &status); ++ if (rc) ++ break; ++ src += size; ++ dst += size; ++ n -= size; ++ } ++ if (rc) ++ zpci_err_mmio(rc, status, (__force u64) dst); ++ return rc; ++} ++ + SYSCALL_DEFINE3(s390_pci_mmio_read, unsigned long, mmio_addr, + void __user *, user_buffer, size_t, length) + { +@@ -85,12 +276,27 @@ SYSCALL_DEFINE3(s390_pci_mmio_read, unsi + + if (length <= 0 || PAGE_SIZE - (mmio_addr & ~PAGE_MASK) < length) + return -EINVAL; ++ ++ /* ++ * Only support write access to MIO capable devices on a MIO enabled ++ * system. Otherwise we would have to check for every address if it is ++ * a special ZPCI_ADDR and we would have to do a get_pfn() which we ++ * don't need for MIO capable devices. ++ */ ++ if (static_branch_likely(&have_mio)) { ++ ret = __memcpy_fromio_inuser( ++ user_buffer, (const void __iomem *)mmio_addr, ++ length); ++ return ret; ++ } ++ + if (length > 64) { + buf = kmalloc(length, GFP_KERNEL); + if (!buf) + return -ENOMEM; +- } else ++ } else { + buf = local_buf; ++ } + + ret = get_pfn(mmio_addr, VM_READ, &pfn); + if (ret) diff --git a/patches.suse/smb3-add-dynamic-trace-point-to-trace-when-credits-obtained.patch b/patches.suse/smb3-add-dynamic-trace-point-to-trace-when-credits-obtained.patch new file mode 100644 index 0000000..b07e783 --- /dev/null +++ b/patches.suse/smb3-add-dynamic-trace-point-to-trace-when-credits-obtained.patch @@ -0,0 +1,128 @@ +From: Steve French +Date: Mon, 19 Oct 2020 18:18:15 -0500 +Subject: [PATCH] smb3: add dynamic trace point to trace when credits obtained +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 9eec21bfbe9096141f15c624d3d0c2142121f6cb +References: bsc#1181507 +Patch-mainline: v5.10-rc1 + +SMB3 crediting is used for flow control, and it can be useful to +trace for problem determination how many credits were acquired +and for which operation. + +Here is an example ("trace-cmd record -e *add_credits"): +cifsd-9522    [010] ....  5995.202712: smb3_add_credits: + server=localhost current_mid=0x12 credits=373 credits_to_add=10 +cifsd-9522    [010] ....  5995.204040: smb3_add_credits: + server=localhost current_mid=0x15 credits=400 credits_to_add=30 + +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +Acked-by: Aurelien Aptel +--- + fs/cifs/smb2ops.c | 4 +++- + fs/cifs/trace.h | 18 ++++++++++++------ + fs/cifs/transport.c | 5 +++-- + 3 files changed, 18 insertions(+), 9 deletions(-) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 0dfa832a3de0..f085fe32c342 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -72,7 +72,7 @@ smb2_add_credits(struct TCP_Server_Info *server, + /* eg found case where write overlapping reconnect messed up credits */ + if (((optype & CIFS_OP_MASK) == CIFS_NEG_OP) && (*val != 0)) + trace_smb3_reconnect_with_invalid_credits(server->CurrentMid, +- server->hostname, *val); ++ server->hostname, *val, add); + if ((instance == 0) || (instance == server->reconnect_instance)) + *val += add; + else +@@ -121,6 +121,8 @@ smb2_add_credits(struct TCP_Server_Info *server, + cifs_dbg(FYI, "disabling oplocks\n"); + break; + default: ++ trace_smb3_add_credits(server->CurrentMid, ++ server->hostname, rc, add); + cifs_dbg(FYI, "add %u credits total=%d\n", add, rc); + } + } +diff --git a/fs/cifs/trace.h b/fs/cifs/trace.h +index eef4b08c7208..90e0fab69bb8 100644 +--- a/fs/cifs/trace.h ++++ b/fs/cifs/trace.h +@@ -878,33 +878,39 @@ DEFINE_SMB3_RECONNECT_EVENT(partial_send_reconnect); + DECLARE_EVENT_CLASS(smb3_credit_class, + TP_PROTO(__u64 currmid, + char *hostname, +- int credits), +- TP_ARGS(currmid, hostname, credits), ++ int credits, ++ int credits_to_add), ++ TP_ARGS(currmid, hostname, credits, credits_to_add), + TP_STRUCT__entry( + __field(__u64, currmid) + __field(char *, hostname) + __field(int, credits) ++ __field(int, credits_to_add) + ), + TP_fast_assign( + __entry->currmid = currmid; + __entry->hostname = hostname; + __entry->credits = credits; ++ __entry->credits_to_add = credits_to_add; + ), +- TP_printk("server=%s current_mid=0x%llx credits=%d", ++ TP_printk("server=%s current_mid=0x%llx credits=%d credits_to_add=%d", + __entry->hostname, + __entry->currmid, +- __entry->credits) ++ __entry->credits, ++ __entry->credits_to_add) + ) + + #define DEFINE_SMB3_CREDIT_EVENT(name) \ + DEFINE_EVENT(smb3_credit_class, smb3_##name, \ + TP_PROTO(__u64 currmid, \ + char *hostname, \ +- int credits), \ +- TP_ARGS(currmid, hostname, credits)) ++ int credits, \ ++ int credits_to_add), \ ++ TP_ARGS(currmid, hostname, credits, credits_to_add)) + + DEFINE_SMB3_CREDIT_EVENT(reconnect_with_invalid_credits); + DEFINE_SMB3_CREDIT_EVENT(credit_timeout); ++DEFINE_SMB3_CREDIT_EVENT(add_credits); + + #endif /* _CIFS_TRACE_H */ + +diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c +index ac7632482736..e27e255d40dd 100644 +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -563,7 +563,7 @@ wait_for_free_credits(struct TCP_Server_Info *server, const int num_credits, + cifs_num_waiters_dec(server); + if (!rc) { + trace_smb3_credit_timeout(server->CurrentMid, +- server->hostname, num_credits); ++ server->hostname, num_credits, 0); + cifs_server_dbg(VFS, "wait timed out after %d ms\n", + timeout); + return -ENOTSUPP; +@@ -604,7 +604,8 @@ wait_for_free_credits(struct TCP_Server_Info *server, const int num_credits, + if (!rc) { + trace_smb3_credit_timeout( + server->CurrentMid, +- server->hostname, num_credits); ++ server->hostname, num_credits, ++ 0); + cifs_server_dbg(VFS, "wait timed out after %d ms\n", + timeout); + return -ENOTSUPP; +-- +2.30.0 + + diff --git a/patches.suse/smb3-fix-crediting-for-compounding-when-only-one-request-in-flight.patch b/patches.suse/smb3-fix-crediting-for-compounding-when-only-one-request-in-flight.patch new file mode 100644 index 0000000..6ceb3c6 --- /dev/null +++ b/patches.suse/smb3-fix-crediting-for-compounding-when-only-one-request-in-flight.patch @@ -0,0 +1,62 @@ +From: Pavel Shilovsky +Date: Tue, 2 Feb 2021 22:34:32 -0600 +Subject: [PATCH] smb3: fix crediting for compounding when only one request in + flight +Git-commit: 91792bb8089b63b7b780251eb83939348ac58a64 +References: bsc#1181507 +Patch-mainline: v5.11-rc7 + +Currently we try to guess if a compound request is going to +succeed waiting for credits or not based on the number of +requests in flight. This approach doesn't work correctly +all the time because there may be only one request in +flight which is going to bring multiple credits satisfying +the compound request. + +Change the behavior to fail a request only if there are no requests +in flight at all and proceed waiting for credits otherwise. + +Cc: # 5.1+ +Signed-off-by: Pavel Shilovsky +Reviewed-by: Tom Talpey +Reviewed-by: Shyam Prasad N +Signed-off-by: Steve French +Acked-by: Aurelien Aptel +--- + fs/cifs/transport.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c +index 95ef26b555b9..4a2b836eb017 100644 +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -666,10 +666,22 @@ wait_for_compound_request(struct TCP_Server_Info *server, int num, + + if (*credits < num) { + /* +- * Return immediately if not too many requests in flight since +- * we will likely be stuck on waiting for credits. ++ * If the server is tight on resources or just gives us less ++ * credits for other reasons (e.g. requests are coming out of ++ * order and the server delays granting more credits until it ++ * processes a missing mid) and we exhausted most available ++ * credits there may be situations when we try to send ++ * a compound request but we don't have enough credits. At this ++ * point the client needs to decide if it should wait for ++ * additional credits or fail the request. If at least one ++ * request is in flight there is a high probability that the ++ * server will return enough credits to satisfy this compound ++ * request. ++ * ++ * Return immediately if no requests in flight since we will be ++ * stuck on waiting for credits. + */ +- if (server->in_flight < num - *credits) { ++ if (server->in_flight == 0) { + spin_unlock(&server->req_lock); + trace_smb3_insufficient_credits(server->CurrentMid, + server->hostname, scredits, sin_flight); +-- +2.30.0 + + diff --git a/patches.suse/usbip-fix-stub_dev-to-check-for-stream-socket.patch b/patches.suse/usbip-fix-stub_dev-to-check-for-stream-socket.patch new file mode 100644 index 0000000..2019620 --- /dev/null +++ b/patches.suse/usbip-fix-stub_dev-to-check-for-stream-socket.patch @@ -0,0 +1,56 @@ +From 47ccc8fc2c9c94558b27b6f9e2582df32d29e6e8 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Sun, 7 Mar 2021 20:53:26 -0700 +Subject: [PATCH] usbip: fix stub_dev to check for stream socket +Git-commit: 47ccc8fc2c9c94558b27b6f9e2582df32d29e6e8 +References: git-fixes +Patch-mainline: v5.12-rc3 + +Fix usbip_sockfd_store() to validate the passed in file descriptor is +a stream socket. If the file descriptor passed was a SOCK_DGRAM socket, +sock_recvmsg() can't detect end of stream. + +Cc: stable@vger.kernel.org +Suggested-by: Tetsuo Handa +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/e942d2bd03afb8e8552bd2a5d84e18d17670d521.1615171203.git.skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/usbip/stub_dev.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c +index 2305d425e6c9..90c105469a07 100644 +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -69,8 +69,16 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a + } + + socket = sockfd_lookup(sockfd, &err); +- if (!socket) ++ if (!socket) { ++ dev_err(dev, "failed to lookup sock"); + goto err; ++ } ++ ++ if (socket->type != SOCK_STREAM) { ++ dev_err(dev, "Expecting SOCK_STREAM - found %d", ++ socket->type); ++ goto sock_err; ++ } + + sdev->ud.tcp_socket = socket; + sdev->ud.sockfd = sockfd; +@@ -100,6 +108,8 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a + + return count; + ++sock_err: ++ sockfd_put(socket); + err: + spin_unlock_irq(&sdev->ud.lock); + return -EINVAL; +-- +2.26.2 + diff --git a/patches.suse/usbip-fix-stub_dev-usbip_sockfd_store-races-leading-.patch b/patches.suse/usbip-fix-stub_dev-usbip_sockfd_store-races-leading-.patch index 9a3eb3d..947e6e4 100644 --- a/patches.suse/usbip-fix-stub_dev-usbip_sockfd_store-races-leading-.patch +++ b/patches.suse/usbip-fix-stub_dev-usbip_sockfd_store-races-leading-.patch @@ -89,9 +89,9 @@ Acked-by: Takashi Iwai if (!sdev) { dev_err(dev, "sdev is null\n"); -@@ -86,20 +88,36 @@ static ssize_t store_sockfd(struct devic - if (!socket) - goto err; +@@ -94,20 +96,36 @@ static ssize_t store_sockfd(struct devic + goto sock_err; + } - sdev->ud.tcp_socket = socket; - sdev->ud.sockfd = sockfd; diff --git a/patches.suse/usbip-fix-vhci_hcd-attach_store-races-leading-to-gpf.patch b/patches.suse/usbip-fix-vhci_hcd-attach_store-races-leading-to-gpf.patch index 6f7b985..736f499 100644 --- a/patches.suse/usbip-fix-vhci_hcd-attach_store-races-leading-to-gpf.patch +++ b/patches.suse/usbip-fix-vhci_hcd-attach_store-races-leading-to-gpf.patch @@ -86,9 +86,9 @@ Acked-by: Takashi Iwai /* * @rhport: port number of vhci_hcd -@@ -313,9 +315,24 @@ static ssize_t store_attach(struct devic - if (!socket) +@@ -321,9 +323,24 @@ static ssize_t store_attach(struct devic return -EINVAL; + } - /* now need lock until setting vdev status as used */ + /* create threads before locking */ @@ -113,7 +113,7 @@ Acked-by: Takashi Iwai spin_lock_irqsave(&vhci->lock, flags); spin_lock(&vdev->ud.lock); -@@ -325,6 +342,8 @@ static ssize_t store_attach(struct devic +@@ -333,6 +350,8 @@ static ssize_t store_attach(struct devic spin_unlock_irqrestore(&vhci->lock, flags); sockfd_put(socket); @@ -122,7 +122,7 @@ Acked-by: Takashi Iwai dev_err(dev, "port %d already used\n", rhport); return -EINVAL; -@@ -339,14 +358,16 @@ static ssize_t store_attach(struct devic +@@ -347,14 +366,16 @@ static ssize_t store_attach(struct devic vdev->speed = speed; vdev->ud.sockfd = sockfd; vdev->ud.tcp_socket = socket; diff --git a/patches.suse/usbip-fix-vhci_hcd-to-check-for-stream-socket.patch b/patches.suse/usbip-fix-vhci_hcd-to-check-for-stream-socket.patch new file mode 100644 index 0000000..6539bca --- /dev/null +++ b/patches.suse/usbip-fix-vhci_hcd-to-check-for-stream-socket.patch @@ -0,0 +1,47 @@ +From f55a0571690c4aae03180e001522538c0927432f Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Sun, 7 Mar 2021 20:53:27 -0700 +Subject: [PATCH] usbip: fix vhci_hcd to check for stream socket +Git-commit: f55a0571690c4aae03180e001522538c0927432f +References: git-fixes +Patch-mainline: v5.12-rc3 + +Fix attach_store() to validate the passed in file descriptor is a +stream socket. If the file descriptor passed was a SOCK_DGRAM socket, +sock_recvmsg() can't detect end of stream. + +Cc: stable@vger.kernel.org +Suggested-by: Tetsuo Handa +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/52712aa308915bda02cece1589e04ee8b401d1f3.1615171203.git.skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/usbip/vhci_sysfs.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c +index 96e5371dc335..1e1ae9bd06ab 100644 +--- a/drivers/usb/usbip/vhci_sysfs.c ++++ b/drivers/usb/usbip/vhci_sysfs.c +@@ -349,8 +349,16 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr, + + /* Extract socket from fd. */ + socket = sockfd_lookup(sockfd, &err); +- if (!socket) ++ if (!socket) { ++ dev_err(dev, "failed to lookup sock"); + return -EINVAL; ++ } ++ if (socket->type != SOCK_STREAM) { ++ dev_err(dev, "Expecting SOCK_STREAM - found %d", ++ socket->type); ++ sockfd_put(socket); ++ return -EINVAL; ++ } + + /* now need lock until setting vdev status as used */ + +-- +2.26.2 + diff --git a/patches.suse/vsprintf-Do-not-have-bprintf-dereference-pointers.patch b/patches.suse/vsprintf-Do-not-have-bprintf-dereference-pointers.patch new file mode 100644 index 0000000..1fef2ec --- /dev/null +++ b/patches.suse/vsprintf-Do-not-have-bprintf-dereference-pointers.patch @@ -0,0 +1,188 @@ +From 841a915d20c7b22fc4f36f12368daf94d9f8cb10 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 28 Dec 2017 20:40:25 -0500 +Subject: [PATCH] vsprintf: Do not have bprintf dereference pointers +Git-commit: 841a915d20c7b22fc4f36f12368daf94d9f8cb10 +Patch-mainline: v4.16-rc1 +References: bsc#1184494 + +When trace_printk() was introduced, it was discussed that making it be as +low overhead as possible, that the processing of the format string should be +delayed until it is read. That is, a "trace_printk()" should not convert +the %d into numbers and so on, but instead, save the fmt string and all the +args in the buffer at the time of recording. When the trace_printk() data is +read, it would then parse the format string and do the conversions of the +saved arguments in the tracing buffer. + +The code to perform this was added to vsprintf where vbin_printf() would +save the arguments of a specified format string in a buffer, then +bstr_printf() could be used to convert the buffer with the same format +string into the final output, as if vsprintf() was called in one go. + +The issue arises when dereferenced pointers are used. The problem is that +something like %*pbl which reads a bitmask, will save the pointer to the +bitmask in the buffer. Then the reading of the buffer via bstr_printf() will +then look at the pointer to process the final output. Obviously the value of +that pointer could have changed since the time it was recorded to the time +the buffer is read. Worse yet, the bitmask could be unmapped, and the +reading of the trace buffer could actually cause a kernel oops. + +Another problem is that user space tools such as perf and trace-cmd do not +have access to the contents of these pointers, and they become useless when +the tracing buffer is extracted. + +Instead of having vbin_printf() simply save the pointer in the buffer for +later processing, have it perform the formatting at the time bin_printf() is +called. This will fix the issue of dereferencing pointers at a later time, +and has the extra benefit of having user space tools understand these +values. + +Since perf and trace-cmd already can handle %p[sSfF] via saving kallsyms, +their pointers are saved and not processed during vbin_printf(). If they +were converted, it would break perf and trace-cmd, as they would not know +how to deal with the conversion. + +Link: http://lkml.kernel.org/r/20171228204025.14a71d8f@gandalf.local.home + +Reported-by: Thomas Gleixner +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Petr Mladek + +--- + lib/vsprintf.c | 82 ++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 69 insertions(+), 13 deletions(-) + +diff --git a/lib/vsprintf.c b/lib/vsprintf.c +index 01c3957b2de6..c0c3542d92fa 100644 +--- a/lib/vsprintf.c ++++ b/lib/vsprintf.c +@@ -2516,29 +2516,34 @@ int vbin_printf(u32 *bin_buf, size_t size, const char *fmt, va_list args) + { + struct printf_spec spec = {0}; + char *str, *end; ++ int width; + + str = (char *)bin_buf; + end = (char *)(bin_buf + size); + + #define save_arg(type) \ +-do { \ ++({ \ ++ unsigned long long value; \ + if (sizeof(type) == 8) { \ +- unsigned long long value; \ ++ unsigned long long val8; \ + str = PTR_ALIGN(str, sizeof(u32)); \ +- value = va_arg(args, unsigned long long); \ ++ val8 = va_arg(args, unsigned long long); \ + if (str + sizeof(type) <= end) { \ +- *(u32 *)str = *(u32 *)&value; \ +- *(u32 *)(str + 4) = *((u32 *)&value + 1); \ ++ *(u32 *)str = *(u32 *)&val8; \ ++ *(u32 *)(str + 4) = *((u32 *)&val8 + 1); \ + } \ ++ value = val8; \ + } else { \ +- unsigned long value; \ ++ unsigned int val4; \ + str = PTR_ALIGN(str, sizeof(type)); \ +- value = va_arg(args, int); \ ++ val4 = va_arg(args, int); \ + if (str + sizeof(type) <= end) \ +- *(typeof(type) *)str = (type)value; \ ++ *(typeof(type) *)str = (type)(long)val4; \ ++ value = (unsigned long long)val4; \ + } \ + str += sizeof(type); \ +-} while (0) ++ value; \ ++}) + + while (*fmt) { + int read = format_decode(fmt, &spec); +@@ -2554,7 +2559,10 @@ do { \ + + case FORMAT_TYPE_WIDTH: + case FORMAT_TYPE_PRECISION: +- save_arg(int); ++ width = (int)save_arg(int); ++ /* Pointers may require the width */ ++ if (*fmt == 'p') ++ set_field_width(&spec, width); + break; + + case FORMAT_TYPE_CHAR: +@@ -2576,7 +2584,27 @@ do { \ + } + + case FORMAT_TYPE_PTR: +- save_arg(void *); ++ /* Dereferenced pointers must be done now */ ++ switch (*fmt) { ++ /* Dereference of functions is still OK */ ++ case 'S': ++ case 's': ++ case 'F': ++ case 'f': ++ save_arg(void *); ++ break; ++ default: ++ if (!isalnum(*fmt)) { ++ save_arg(void *); ++ break; ++ } ++ str = pointer(fmt, str, end, va_arg(args, void *), ++ spec); ++ if (str + 1 < end) ++ *str++ = '\0'; ++ else ++ end[-1] = '\0'; /* Must be nul terminated */ ++ } + /* skip all alphanumeric pointer suffixes */ + while (isalnum(*fmt)) + fmt++; +@@ -2728,11 +2756,39 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) + break; + } + +- case FORMAT_TYPE_PTR: +- str = pointer(fmt, str, end, get_arg(void *), spec); ++ case FORMAT_TYPE_PTR: { ++ bool process = false; ++ int copy, len; ++ /* Non function dereferences were already done */ ++ switch (*fmt) { ++ case 'S': ++ case 's': ++ case 'F': ++ case 'f': ++ process = true; ++ break; ++ default: ++ if (!isalnum(*fmt)) { ++ process = true; ++ break; ++ } ++ /* Pointer dereference was already processed */ ++ if (str < end) { ++ len = copy = strlen(args); ++ if (copy > end - str) ++ copy = end - str; ++ memcpy(str, args, copy); ++ str += len; ++ args += len; ++ } ++ } ++ if (process) ++ str = pointer(fmt, str, end, get_arg(void *), spec); ++ + while (isalnum(*fmt)) + fmt++; + break; ++ } + + case FORMAT_TYPE_PERCENT_CHAR: + if (str < end) +-- +2.26.2 + diff --git a/patches.suse/vsprintf-Do-not-preprocess-non-dereferenced-pointers.patch b/patches.suse/vsprintf-Do-not-preprocess-non-dereferenced-pointers.patch new file mode 100644 index 0000000..b6d76e6 --- /dev/null +++ b/patches.suse/vsprintf-Do-not-preprocess-non-dereferenced-pointers.patch @@ -0,0 +1,50 @@ +From 1e6338cfb50e244c445ad7d891b35385bd0ee757 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Tue, 3 Apr 2018 14:38:53 -0400 +Subject: [PATCH] vsprintf: Do not preprocess non-dereferenced pointers for + bprintf (%px and %pK) +Git-commit: 1e6338cfb50e244c445ad7d891b35385bd0ee757 +Patch-mainline: v4.17-rc1 +References: bsc#1184494 + +Commit 841a915d20c7b2 ("printf: Do not have bprintf dereference pointers") +would preprocess various pointers that are dereferenced in the bprintf() +because the recording and printing are done at two different times. Some +pointers stayed dereferenced in the ring buffer because user space could +handle them (namely "%pS" and friends). Pointers that are not dereferenced +should not be processed immediately but instead just saved directly. + +Cc: stable@vger.kernel.org +Fixes: 841a915d20c7b2 ("printf: Do not have bprintf dereference pointers") +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Petr Mladek + +--- + lib/vsprintf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/vsprintf.c b/lib/vsprintf.c +index d7a708f82559..89f8a4a4b770 100644 +--- a/lib/vsprintf.c ++++ b/lib/vsprintf.c +@@ -2591,6 +2591,8 @@ int vbin_printf(u32 *bin_buf, size_t size, const char *fmt, va_list args) + case 's': + case 'F': + case 'f': ++ case 'x': ++ case 'K': + save_arg(void *); + break; + default: +@@ -2765,6 +2767,8 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) + case 's': + case 'F': + case 'f': ++ case 'x': ++ case 'K': + process = true; + break; + default: +-- +2.26.2 + diff --git a/patches.suse/vsprintf-Fix-off-by-one-bug-in-bstr_printf-processin.patch b/patches.suse/vsprintf-Fix-off-by-one-bug-in-bstr_printf-processin.patch new file mode 100644 index 0000000..961f84b --- /dev/null +++ b/patches.suse/vsprintf-Fix-off-by-one-bug-in-bstr_printf-processin.patch @@ -0,0 +1,58 @@ +From 62165600ae73ebd76e2d9b992b36360408d570d8 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Fri, 5 Oct 2018 10:08:03 -0400 +Subject: [PATCH] vsprintf: Fix off-by-one bug in bstr_printf() processing + dereferenced pointers +Git-commit: 62165600ae73ebd76e2d9b992b36360408d570d8 +Patch-mainline: v4.19-rc8 +References: bsc#1184494 + +The functions vbin_printf() and bstr_printf() are used by trace_printk() to +try to keep the overhead down during printing. trace_printk() uses +vbin_printf() at the time of execution, as it only scans the fmt string to +record the printf values into the buffer, and then uses vbin_printf() to do +the conversions to print the string based on the format and the saved +values in the buffer. + +This is an issue for dereferenced pointers, as before commit 841a915d20c7b, +the processing of the pointer could happen some time after the pointer value +was recorded (reading the trace buffer). This means the processing of the +value at a later time could show different results, or even crash the +system, if the pointer no longer existed. + +Commit 841a915d20c7b addressed this by processing dereferenced pointers at +the time of execution and save the result in the ring buffer as a string. +The bstr_printf() would then treat these pointers as normal strings, and +print the value. But there was an off-by-one bug here, where after +processing the argument, it move the pointer only "strlen(arg)" which made +the arg pointer not point to the next argument in the ring buffer, but +instead point to the nul character of the last argument. This causes any +values after a dereferenced pointer to be corrupted. + +Cc: stable@vger.kernel.org +Fixes: 841a915d20c7b ("vsprintf: Do not have bprintf dereference pointers") +Reported-by: Nikolay Borisov +Tested-by: Nikolay Borisov +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Petr Mladek + +--- + lib/vsprintf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/vsprintf.c b/lib/vsprintf.c +index d5b3a3f95c01..812e59e13fe6 100644 +--- a/lib/vsprintf.c ++++ b/lib/vsprintf.c +@@ -2794,7 +2794,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) + copy = end - str; + memcpy(str, args, copy); + str += len; +- args += len; ++ args += len + 1; + } + } + if (process) +-- +2.26.2 + diff --git a/patches.suse/x86-ioapic-ignore-irq2-again.patch b/patches.suse/x86-ioapic-ignore-irq2-again.patch new file mode 100644 index 0000000..4ae80d1 --- /dev/null +++ b/patches.suse/x86-ioapic-ignore-irq2-again.patch @@ -0,0 +1,71 @@ +From: Thomas Gleixner +Date: Thu, 18 Mar 2021 20:26:47 +0100 +Subject: x86/ioapic: Ignore IRQ2 again +Git-commit: a501b048a95b79e1e34f03cac3c87ff1e9f229ad +Patch-mainline: v5.12-rc4 +References: 12sp5 + +Vitaly ran into an issue with hotplugging CPU0 on an Amazon instance where +the matrix allocator claimed to be out of vectors. He analyzed it down to +the point that IRQ2, the PIC cascade interrupt, which is supposed to be not +ever routed to the IO/APIC ended up having an interrupt vector assigned +which got moved during unplug of CPU0. + +The underlying issue is that IRQ2 for various reasons (see commit +af174783b925 ("x86: I/O APIC: Never configure IRQ2" for details) is treated +as a reserved system vector by the vector core code and is not accounted as +a regular vector. The Amazon BIOS has an routing entry of pin2 to IRQ2 +which causes the IO/APIC setup to claim that interrupt which is granted by +the vector domain because there is no sanity check. As a consequence the +allocation counter of CPU0 underflows which causes a subsequent unplug to +fail with: + + [ ... ] CPU 0 has 4294967295 vectors, 589 available. Cannot disable CPU + +There is another sanity check missing in the matrix allocator, but the +underlying root cause is that the IO/APIC code lost the IRQ2 ignore logic +during the conversion to irqdomains. + +For almost 6 years nobody complained about this wreckage, which might +indicate that this requirement could be lifted, but for any system which +actually has a PIC IRQ2 is unusable by design so any routing entry has no +effect and the interrupt cannot be connected to a device anyway. + +Due to that and due to history biased paranoia reasons restore the IRQ2 +ignore logic and treat it as non existent despite a routing entry claiming +otherwise. + +Fixes: d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces") +Reported-by: Vitaly Kuznetsov +Signed-off-by: Thomas Gleixner +Tested-by: Vitaly Kuznetsov +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210318192819.636943062@linutronix.de + +Acked-by: Borislav Petkov +--- + arch/x86/kernel/apic/io_apic.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index c3b60c37c728..73ff4dd426a8 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -1032,6 +1032,16 @@ static int mp_map_pin_to_irq(u32 gsi, int idx, int ioapic, int pin, + if (idx >= 0 && test_bit(mp_irqs[idx].srcbus, mp_bus_not_pci)) { + irq = mp_irqs[idx].srcbusirq; + legacy = mp_is_legacy_irq(irq); ++ /* ++ * IRQ2 is unusable for historical reasons on systems which ++ * have a legacy PIC. See the comment vs. IRQ2 further down. ++ * ++ * If this gets removed at some point then the related code ++ * in lapic_assign_system_vectors() needs to be adjusted as ++ * well. ++ */ ++ if (legacy && irq == PIC_CASCADE_IR) ++ return -EINVAL; + } + + mutex_lock(&ioapic_mutex); + diff --git a/patches.suse/x86-mem_encrypt-correct-physical-address-calculation-in-_set_clr_pte_enc.patch b/patches.suse/x86-mem_encrypt-correct-physical-address-calculation-in-_set_clr_pte_enc.patch new file mode 100644 index 0000000..4ba44d0 --- /dev/null +++ b/patches.suse/x86-mem_encrypt-correct-physical-address-calculation-in-_set_clr_pte_enc.patch @@ -0,0 +1,47 @@ +From: Isaku Yamahata +Date: Thu, 18 Mar 2021 13:26:57 -0700 +Subject: x86/mem_encrypt: Correct physical address calculation in + __set_clr_pte_enc() +Git-commit: 8249d17d3194eac064a8ca5bc5ca0abc86feecde +Patch-mainline: v5.12-rc5 +References: 12sp5 + +The pfn variable contains the page frame number as returned by the +pXX_pfn() functions, shifted to the right by PAGE_SHIFT to remove the +page bits. After page protection computations are done to it, it gets +shifted back to the physical address using page_level_shift(). + +That is wrong, of course, because that function determines the shift +length based on the level of the page in the page table but in all the +cases, it was shifted by PAGE_SHIFT before. + +Therefore, shift it back using PAGE_SHIFT to get the correct physical +address. + + [ bp: Rewrite commit message. ] + +Fixes: dfaaec9033b8 ("x86: Add support for changing memory encryption attribute in early boot") +Signed-off-by: Isaku Yamahata +Signed-off-by: Borislav Petkov +Reviewed-by: Kirill A. Shutemov +Reviewed-by: Tom Lendacky +Cc: +Link: https://lkml.kernel.org/r/81abbae1657053eccc535c16151f63cd049dcb97.1616098294.git.isaku.yamahata@intel.com +--- + arch/x86/mm/mem_encrypt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c +index 4b01f7dbaf30..ae78cef79980 100644 +--- a/arch/x86/mm/mem_encrypt.c ++++ b/arch/x86/mm/mem_encrypt.c +@@ -262,7 +262,7 @@ static void __init __set_clr_pte_enc(pte_t *kpte, int level, bool enc) + if (pgprot_val(old_prot) == pgprot_val(new_prot)) + return; + +- pa = pfn << page_level_shift(level); ++ pa = pfn << PAGE_SHIFT; + size = page_level_size(level); + + /* + diff --git a/patches.suse/xen-events-fix-setting-irq-affinity.patch b/patches.suse/xen-events-fix-setting-irq-affinity.patch new file mode 100644 index 0000000..5b1cf38 --- /dev/null +++ b/patches.suse/xen-events-fix-setting-irq-affinity.patch @@ -0,0 +1,49 @@ +Patch-mainline: Submitted, 2021/04/21 - stable@vger.kernel.org +From: Juergen Gross +Date: Mon, 12 Apr 2021 07:50:03 +0200 +References: bsc#1184583 XSA-332 CVE-2020-27673 +Subject: [PATCH] xen/events: fix setting irq affinity + +The backport of upstream patch 25da4618af240fbec61 ("xen/events: don't +unmask an event channel when an eoi is pending") introduced a +regression for stable kernels 5.10 and older: setting IRQ affinity for +IRQs related to interdomain events would no longer work, as moving the +IRQ to its new cpu was not included in the irq_ack callback for those +events. + +Fix that by adding the needed call. + +Note that kernels 5.11 and later don't need the explicit moving of the +IRQ to the target cpu in the irq_ack callback, due to a rework of the +affinity setting in kernel 5.11. + +Signed-off-by: Juergen Gross +--- + drivers/xen/events/events_base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 7bd03f6e0422..ee5269331406 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -1809,7 +1809,7 @@ static void lateeoi_ack_dynirq(struct irq_data *data) + + if (VALID_EVTCHN(evtchn)) { + do_mask(info, EVT_MASK_REASON_EOI_PENDING); +- event_handler_exit(info); ++ ack_dynirq(data); + } + } + +@@ -1820,7 +1820,7 @@ static void lateeoi_mask_ack_dynirq(struct irq_data *data) + + if (VALID_EVTCHN(evtchn)) { + do_mask(info, EVT_MASK_REASON_EXPLICIT); +- event_handler_exit(info); ++ ack_dynirq(data); + } + } + +-- +2.26.2 + diff --git a/series.conf b/series.conf index 33ae08f..de9409a 100644 --- a/series.conf +++ b/series.conf @@ -22244,6 +22244,7 @@ patches.suse/kconfig-Fix-expr_free-E_NOT-leak patches.suse/kconfig-use-bool-instead-of-boolean-for-type-definit.patch patches.suse/trace_uprobe-display-correct-offset-in-uprobe_events.patch + patches.suse/vsprintf-Do-not-have-bprintf-dereference-pointers.patch patches.suse/3547-vfio-simplify-capability-helper patches.suse/printk-Add-console-owner-and-waiter-logic-to-load-ba.patch patches.suse/printk-Hide-console-waiter-logic-into-helpers.patch @@ -29630,6 +29631,7 @@ patches.suse/fs-dax-use-page-mapping-to-warn-if-truncate-collides.patch patches.suse/dax-introduce-config_dax_driver.patch patches.suse/0041-dax-dm-allow-device-mapper-to-operate-without-dax-su.patch + patches.suse/vsprintf-Do-not-preprocess-non-dereferenced-pointers.patch patches.suse/ring-buffer-Check-if-memory-is-available-before-allo.patch patches.suse/dmaengine-at_xdmac-fix-rare-residue-corruption patches.suse/dmaengine-pl330-fix-a-race-condition-in-case-of-thre @@ -41127,6 +41129,7 @@ patches.suse/mach64-detect-the-dot-clock-divider-correctly-on-spa.patch patches.suse/s390-cio-fix-how-vfio-ccw-checks-pinned-pages patches.suse/of-unittest-Disable-interrupt-node-tests-for-old-wor.patch + patches.suse/vsprintf-Fix-off-by-one-bug-in-bstr_printf-processin.patch patches.suse/0161-dm-cache-destroy-migration_cache-if-cache-target-reg.patch patches.suse/0162-dm-fix-report-zone-remapping-to-account-for-partitio.patch patches.suse/0163-dm-linear-eliminate-linear_end_io-call-if-CONFIG_DM_.patch @@ -55546,6 +55549,7 @@ patches.suse/ALSA-hda-realtek-Add-more-fixup-entries-for-Clevo-ma.patch patches.suse/0002-drm-etnaviv-fix-perfmon-domain-interation.patch patches.suse/scsi-qla2xxx-Do-not-log-message-when-reading-port-sp.patch + patches.suse/s390-pci-Fix-s390_mmio_read-write-with-MIO.patch patches.suse/iio-dac-vf610-Fix-an-error-handling-path-in-vf610_da.patch patches.suse/staging-iio-ad2s1210-Fix-SPI-reading.patch patches.suse/iio-adc-stm32-adc-fix-device-used-to-request-dma.patch @@ -56359,6 +56363,7 @@ patches.suse/md-raid5-Fix-Force-reconstruct-write-io-stuck-in-deg.patch patches.suse/devres-keep-both-device-name-and-resource-name-in-pr.patch patches.suse/driver-core-Avoid-binding-drivers-to-dead-devices.patch + patches.suse/USB-replace-hardcode-maximum-usb-string-length-by-de.patch patches.suse/USB-rename-USB-quirk-to-USB_QUIRK_ENDPOINT_IGNORE.patch patches.suse/usbip-tools-fix-build-error-for-multiple-definition.patch patches.suse/usbip-tools-fix-module-name-in-man-page.patch @@ -56899,6 +56904,7 @@ patches.suse/i2c-algo-pca-Reapply-i2c-bus-settings-after-reset.patch patches.suse/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch patches.suse/btrfs-require-only-sector-size-alignment-for-parent-.patch + patches.suse/kvm-svm-periodically-schedule-when-unregistering-regions-on-destroy.patch patches.suse/video-fbdev-fix-OOB-read-in-vga_8planes_imageblit.patch patches.suse/debugfs-Fix-module-state-check-condition.patch patches.suse/staging-wlan-ng-fix-out-of-bounds-read-in-prism2sta_.patch @@ -57374,6 +57380,7 @@ patches.suse/0001-KVM-SVM-Initialize-prev_ga_tag-before-use.patch patches.suse/Convert-trailing-spaces-and-periods-in-path-components.patch patches.suse/cifs-Return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch + patches.suse/smb3-add-dynamic-trace-point-to-trace-when-credits-obtained.patch patches.suse/cifs-remove-bogus-debug-code.patch patches.suse/icmp-randomize-the-global-rate-limiter.patch patches.suse/nfc-Ensure-presence-of-NFC_ATTR_FIRMWARE_NAME-attrib.patch @@ -57943,6 +57950,7 @@ patches.suse/powerpc-perf-Exclude-kernel-samples-while-counting-e.patch patches.suse/net-core-introduce-__netdev_notify_peers.patch patches.suse/use-__netdev_notify_peers-in-ibmvnic.patch + patches.suse/cifs-Tracepoints-and-logs-for-tracing-credit-changes-.patch patches.suse/pwm-lp3943-Dynamically-allocate-PWM-chip-base.patch patches.suse/HSI-omap_ssi-Don-t-jump-to-free-ID-in-ssi_add_contro.patch patches.suse/power-supply-bq24190_charger-fix-reference-leak.patch @@ -58096,6 +58104,7 @@ patches.suse/USB-serial-cp210x-add-pid-vid-for-WSDA-200-USB.patch patches.suse/USB-serial-option-Adding-support-for-Cinterion-MV31.patch patches.suse/xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch + patches.suse/smb3-fix-crediting-for-compounding-when-only-one-request-in-flight.patch patches.suse/cifs-report-error-instead-of-invalid-when-revalidating-a-dentry-fai.patch patches.suse/x86-apic-add-extra-serialization-for-non-serializing-msrs.patch patches.suse/0001-libnvdimm-dimm-Avoid-race-between-probe-and-availabl.patch @@ -58169,6 +58178,7 @@ patches.suse/0008-xen-scsiback-don-t-handle-error-by-BUG.patch patches.suse/0009-xen-blkback-fix-error-handling-in-xen_blkbk_map.patch patches.suse/msft-hv-2226-Drivers-hv-vmbus-Avoid-use-after-free-in-vmbus_onoff.patch + patches.suse/media-v4l-ioctl-Fix-memory-leak-in-video_usercopy.patch patches.suse/media-vsp1-Fix-an-error-handling-path-in-the-probe-f.patch patches.suse/media-media-pci-Fix-memleak-in-empress_init.patch patches.suse/media-tm6000-Fix-memleak-in-tm6000_start_stream.patch @@ -58217,11 +58227,14 @@ patches.suse/RDMA-rxe-Remove-useless-code-in-rxe_recv.c.patch patches.suse/RDMA-srp-Fix-support-for-unpopulated-and-unbalanced-.patch patches.suse/printk-fix-deadlock-when-kernel-panic.patch + patches.suse/cifs_debug-use-pd-instead-of-messing-with-d_name.patch patches.suse/quota-Fix-memory-leak-when-handling-corrupted-quota-.patch patches.suse/amba-Fix-resource-leak-for-drivers-without-.remove.patch patches.suse/powerpc-perf-hv-24x7-Dont-create-sysfs-event-files-f.patch + patches.suse/powerpc-pseries-ras-Remove-unused-variable-status.patch patches.suse/powerpc-pseries-eeh-Make-pseries_pcibios_bus_add_dev.patch patches.suse/powerpc-pseries-ras-Make-init_ras_hotplug_IRQ-static.patch + patches.suse/powerpc-pmem-Include-pmem-prototypes.patch patches.suse/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch patches.suse/HID-wacom-Ignore-attempts-to-overwrite-the-touch_max.patch patches.suse/HID-core-detect-and-skip-invalid-inputs-to-snto32.patch @@ -58248,6 +58261,7 @@ patches.suse/drm-msm-a5xx-Remove-overwriting-A5XX_PC_DBG_ECO_CNTL.patch patches.suse/0005-drm-msm-dsi-Correct-io_start-for-MSM8994-20nm-PHY.patch patches.suse/pwm-rockchip-rockchip_pwm_probe-Remove-superfluous-c.patch + patches.suse/cifs-New-optype-for-session-operations-.patch patches.suse/cifs-fix-nodfs-mount-option.patch patches.suse/cifs-check-all-path-components-in-resolved-dfs-target.patch patches.suse/cifs-introduce-helper-for-finding-referral-server.patch @@ -58275,6 +58289,10 @@ patches.suse/ibmvnic-remove-excessive-irqsave.patch patches.suse/gianfar-fix-jumbo-packets-napi-rx-overrun-crash.patch patches.suse/ethernet-alx-fix-order-of-calls-on-resume.patch + patches.suse/cifs-print-MIDs-in-decimal-notation.patch + patches.suse/cifs-change-noisy-error-message-to-FYI.patch + patches.suse/cifs-return-proper-error-code-in-statfs-2-.patch + patches.suse/cifs-do-not-send-close-in-compound-create-close-requests.patch patches.suse/s390-cio-return-efault-if-copy_to_user-fails-51c44bab.patch patches.suse/s390-crypto-return-efault-if-copy_to_user-fails.patch patches.suse/s390-cio-return-efault-if-copy_to_user-fails-d9c48a94.patch @@ -58291,6 +58309,8 @@ patches.suse/ALSA-hda-Drop-the-BATCH-workaround-for-AMD-controlle.patch patches.suse/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch patches.suse/usb-gadget-f_uac2-always-increase-endpoint-max_packe.patch + patches.suse/usbip-fix-stub_dev-to-check-for-stream-socket.patch + patches.suse/usbip-fix-vhci_hcd-to-check-for-stream-socket.patch patches.suse/usbip-fix-stub_dev-usbip_sockfd_store-races-leading-.patch patches.suse/usbip-fix-vhci_hcd-attach_store-races-leading-to-gpf.patch patches.suse/USB-serial-io_edgeport-fix-memory-leak-in-edge_start.patch @@ -58307,10 +58327,12 @@ patches.suse/staging-comedi-pcl818-Fix-endian-problem-for-AI-comm.patch patches.suse/staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_s.patch patches.suse/staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_se.patch + patches.suse/powerpc-64s-Fix-instruction-encoding-for-lis-in-ppc_.patch patches.suse/btrfs-fix-race-when-cloning-extent-buffer-during-rew.patch patches.suse/Revert-PM-runtime-Update-device-status-before-lettin.patch patches.suse/s390-vtime-fix-increased-steal-time-accounting.patch patches.suse/PCI-rpadlpar-Fix-potential-drc_name-corruption-in-st.patch + patches.suse/x86-ioapic-ignore-irq2-again.patch patches.suse/firmware-efi-Fix-a-use-after-bug-in-efi_mem_reserve_.patch patches.suse/perf-x86-intel-fix-a-crash-caused-by-zero-pebs-status.patch patches.suse/usb-storage-Add-quirk-to-defeat-Kindle-s-automatic-u.patch @@ -58334,7 +58356,20 @@ patches.suse/can-peak_usb-Revert-can-peak_usb-add-forgotten-suppo.patch patches.suse/drm-msm-fix-shutdown-hook-in-case-GPU-components-fai.patch patches.suse/bus-omap_l3_noc-mark-l3-irqs-as-IRQF_NO_THREAD.patch + patches.suse/locking-mutex-Fix-non-debug-version-of-mutex_lock_io.patch + patches.suse/x86-mem_encrypt-correct-physical-address-calculation-in-_set_clr_pte_enc.patch patches.suse/xen-blkback-don-t-leak-persistent-grants-from-xen_bl.patch + patches.suse/powerpc-pseries-mobility-use-struct-for-shared-state.patch + patches.suse/powerpc-pseries-mobility-handle-premature-return-fro.patch + patches.suse/firewire-nosy-Fix-a-use-after-free-bug-in-nosy_ioctl.patch + patches.suse/nfc-fix-refcount-leak-in-llcp_sock_bind.patch + patches.suse/nfc-fix-refcount-leak-in-llcp_sock_connect.patch + patches.suse/nfc-fix-memory-leak-in-llcp_sock_connect.patch + patches.suse/nfc-Avoid-endless-loops-caused-by-repeated-llcp_sock.patch + patches.suse/bpf-x86-Validate-computation-of-branch-displacements.patch + + # netdev/net-next + patches.suse/ibmvnic-Use-skb_frag_address-instead-of-hand-coding-.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -58887,6 +58922,7 @@ patches.suse/tcp-fix-tcp_rtx_queue_tail-in-case-of-empty-retransm.patch patches.suse/tcp-Don-t-dequeue-SYN-FIN-segments-from-write-queue.patch patches.suse/net-fix-race-condition-in-__inet_lookup_established.patch + patches.suse/net-sched-disable-nolock-pfifo-fast.patch ######################################################## # Netfilter @@ -59124,6 +59160,8 @@ patches.suse/xen-disable_hotplug_cpu.patch patches.suse/0001-xen-don-t-reschedule-in-preemption-off-sections.patch + patches.suse/xen-events-fix-setting-irq-affinity.patch + # XSA-349 cleanup patches patches.suse/0001-xen-revert-Disallow-pending-watch-messages.patch patches.suse/0002-xen-revert-Count-pending-messages-for-each-watch.patch