From 9b5c31876c5ad1f72d25896d902664beba18e032 Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon
Date: Dec 10 2022 08:24:18 +0000
Subject: Merge branch 'SLE15-SP4' into SLE15-SP4-AZURE
---
diff --git a/blacklist.conf b/blacklist.conf
index 3620426..4f5ccae 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -496,4 +496,5 @@ bc369921d6708542eb93da33478762f1162a5805 # Incorrect fixes tag. SP4 doesn't car
 89d43d0551a848e70e63d9ba11534aaeabc82443 # N/A as e1a4541ec0b9 ("ceph: flush the mdlog before waiting on unsafe reqs") isn't backported
 aa1d627207cace003163dee24d1c06fa4e910c6b # N/A as 89d43d0551a8 ("ceph: put the requests/sessions when it fails to alloc memory") isn't backported
 5bd76b8de5b74fa941a6eafee87728a0fe072267 # N/A as 89d43d0551a8 ("ceph: put the requests/sessions when it fails to alloc memory") isn't backported
-1b2ba3c5616e17ff951359e25c658a1c3f146f1e # flush mdlog not available in this kernel
\ No newline at end of file
+1b2ba3c5616e17ff951359e25c658a1c3f146f1e # flush mdlog not available in this kernel
+80019f1138324b6f35ae728b4f25eeb08899b452 # N/A as 5d5b74aa9c76 ("fuse: allow sharing existing sb") isn't backported
\ No newline at end of file
diff --git a/patches.suse/ACPI-HMAT-Fix-initiator-registration-for-single-init.patch b/patches.suse/ACPI-HMAT-Fix-initiator-registration-for-single-init.patch
new file mode 100644
index 0000000..6f748e9
--- /dev/null
+++ b/patches.suse/ACPI-HMAT-Fix-initiator-registration-for-single-init.patch
@@ -0,0 +1,111 @@ +From 48d4180939e12c4bd2846f984436d895bb9699ed Mon Sep 17 00:00:00 2001 +From: Vishal Verma +Date: Wed, 16 Nov 2022 16:37:37 -0700 +Subject: [PATCH] ACPI: HMAT: Fix initiator registration for single-initiator systems +Git-commit: 48d4180939e12c4bd2846f984436d895bb9699ed +Patch-mainline: v6.1-rc8 +References: git-fixes + +In a system with a single initiator node, and one or more memory-only +'target' nodes, the memory-only node(s) would fail to register their +initiator node correctly. i.e. in sysfs: + + # ls /sys/devices/system/node/node0/access0/targets/ + node0 + +Where as the correct behavior should be: + + # ls /sys/devices/system/node/node0/access0/targets/ + node0 node1 + +This happened because hmat_register_target_initiators() uses list_sort() +to sort the initiator list, but the sort comparision function +(initiator_cmp()) is overloaded to also set the node mask's bits. + +In a system with a single initiator, the list is singular, and list_sort +elides the comparision helper call. Thus the node mask never gets set, +and the subsequent search for the best initiator comes up empty. + +Add a new helper to consume the sorted initiator list, and generate the +nodemask, decoupling it from the overloaded initiator_cmp() comparision +callback. This prevents the singular list corner case naturally, and +makes the code easier to follow as well. + +Cc: +Cc: Rafael J. Wysocki +Cc: Liu Shixin +Cc: Dan Williams +Cc: Kirill A. Shutemov +Reported-by: Chris Piper +Signed-off-by: Vishal Verma +Acked-by: Rafael J. Wysocki +Acked-by: Kirill A. 
Shutemov +Link: https://lore.kernel.org/r/20221116-acpi_hmat_fix-v2-2-3712569be691@intel.com +Signed-off-by: Dan Williams +Acked-by: Takashi Iwai + +--- + drivers/acpi/numa/hmat.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 144a84f429ed..6cceca64a6bc 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -562,17 +562,26 @@ static int initiator_cmp(void *priv, const struct list_head *a, + { + struct memory_initiator *ia; + struct memory_initiator *ib; +- unsigned long *p_nodes = priv; + + ia = list_entry(a, struct memory_initiator, node); + ib = list_entry(b, struct memory_initiator, node); + +- set_bit(ia->processor_pxm, p_nodes); +- set_bit(ib->processor_pxm, p_nodes); +- + return ia->processor_pxm - ib->processor_pxm; + } + ++static int initiators_to_nodemask(unsigned long *p_nodes) ++{ ++ struct memory_initiator *initiator; ++ ++ if (list_empty(&initiators)) ++ return -ENXIO; ++ ++ list_for_each_entry(initiator, &initiators, node) ++ set_bit(initiator->processor_pxm, p_nodes); ++ ++ return 0; ++} ++ + static void hmat_register_target_initiators(struct memory_target *target) + { + static DECLARE_BITMAP(p_nodes, MAX_NUMNODES); +@@ -609,7 +618,10 @@ static void hmat_register_target_initiators(struct memory_target *target) + * initiators. 
+ */ + bitmap_zero(p_nodes, MAX_NUMNODES); +- list_sort(p_nodes, &initiators, initiator_cmp); ++ list_sort(NULL, &initiators, initiator_cmp); ++ if (initiators_to_nodemask(p_nodes) < 0) ++ return; ++ + if (!access0done) { + for (i = WRITE_LATENCY; i <= READ_BANDWIDTH; i++) { + loc = localities_types[i]; +@@ -643,7 +655,9 @@ static void hmat_register_target_initiators(struct memory_target *target) + + /* Access 1 ignores Generic Initiators */ + bitmap_zero(p_nodes, MAX_NUMNODES); +- list_sort(p_nodes, &initiators, initiator_cmp); ++ if (initiators_to_nodemask(p_nodes) < 0) ++ return; ++ + for (i = WRITE_LATENCY; i <= READ_BANDWIDTH; i++) { + loc = localities_types[i]; + if (!loc) +-- +2.35.3 + diff --git a/patches.suse/ACPI-HMAT-remove-unnecessary-variable-initialization.patch b/patches.suse/ACPI-HMAT-remove-unnecessary-variable-initialization.patch new file mode 100644 index 0000000..a4d31e1 --- /dev/null +++ b/patches.suse/ACPI-HMAT-remove-unnecessary-variable-initialization.patch 
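Review bot: In the new `initiators_to_nodemask()`, `set_bit(initiator->processor_pxm, p_nodes)` indexes a bitmap the caller declares with `MAX_NUMNODES` bits, and nothing in this hunk bounds `processor_pxm`. The value may already be range-checked where initiators are added to the list, but that code is outside the hunk, so the helper should either guard the write, `if (initiator->processor_pxm >= MAX_NUMNODES) continue;`, or carry a comment naming the place that enforces the bound. Separately, the `< 0` check at the "Access 1" call site looks unreachable once the first call has succeeded, unless the initiator list can change in between; a one-line comment there would settle it. hmat_register_target_initiators() starts and ends outside the hunk.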
@@ -0,0 +1,41 @@ +From 14f16d47561ba9249efc6c2db9d47ed56841f070 Mon Sep 17 00:00:00 2001 +From: Vishal Verma +Date: Wed, 16 Nov 2022 16:37:36 -0700 +Subject: [PATCH] ACPI: HMAT: remove unnecessary variable initialization +Git-commit: 14f16d47561ba9249efc6c2db9d47ed56841f070 +Patch-mainline: v6.1-rc8 +References: git-fixes + +In hmat_register_target_initiators(), the variable 'best' gets +initialized in the outer per-locality-type for loop. The initialization +just before setting up 'Access 1' targets was unnecessary. Remove it. + +Cc: Rafael J. Wysocki +Cc: Liu Shixin +Cc: Dan Williams +Acked-by: Kirill A. Shutemov +Acked-by: Rafael J. Wysocki +Signed-off-by: Vishal Verma +Link: https://lore.kernel.org/r/20221116-acpi_hmat_fix-v2-1-3712569be691@intel.com +Signed-off-by: Dan Williams +Acked-by: Takashi Iwai + +--- + drivers/acpi/numa/hmat.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 23f49a2f4d14..144a84f429ed 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -644,7 +644,6 @@ static void hmat_register_target_initiators(struct memory_target *target) + /* Access 1 ignores Generic Initiators */ + bitmap_zero(p_nodes, MAX_NUMNODES); + list_sort(p_nodes, &initiators, initiator_cmp); +- best = 0; + for (i = WRITE_LATENCY; i <= READ_BANDWIDTH; i++) { + loc = localities_types[i]; + if (!loc) +-- +2.35.3 + diff --git a/patches.suse/Bluetooth-6LoWPAN-add-missing-hci_dev_put-in-get_l2c.patch b/patches.suse/Bluetooth-6LoWPAN-add-missing-hci_dev_put-in-get_l2c.patch new file mode 100644 index 0000000..248644e --- /dev/null +++ b/patches.suse/Bluetooth-6LoWPAN-add-missing-hci_dev_put-in-get_l2c.patch 
@@ -0,0 +1,35 @@ +From 747da1308bdd5021409974f9180f0d8ece53d142 Mon Sep 17 00:00:00 2001 +From: Wang ShaoBo +Date: Wed, 9 Nov 2022 17:37:26 +0800 +Subject: [PATCH] Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() +Git-commit: 747da1308bdd5021409974f9180f0d8ece53d142 +Patch-mainline: v6.1 +References: git-fixes + +hci_get_route() takes reference, we should use hci_dev_put() to release +it when not need anymore. + +Fixes: 6b8d4a6a0314 ("Bluetooth: 6LoWPAN: Use connected oriented channel instead of fixed one") +Signed-off-by: Wang ShaoBo +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + net/bluetooth/6lowpan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c +index 215af9b3b589..c57d643afb10 100644 +--- a/net/bluetooth/6lowpan.c ++++ b/net/bluetooth/6lowpan.c +@@ -972,6 +972,7 @@ static int get_l2cap_conn(char *buf, bdaddr_t *addr, u8 *addr_type, + hci_dev_lock(hdev); + hcon = hci_conn_hash_lookup_le(hdev, addr, *addr_type); + hci_dev_unlock(hdev); ++ hci_dev_put(hdev); + + if (!hcon) + return -ENOENT; +-- +2.35.3 + diff --git a/patches.suse/Bluetooth-Fix-not-cleanup-led-when-bt_init-fails.patch b/patches.suse/Bluetooth-Fix-not-cleanup-led-when-bt_init-fails.patch new file mode 100644 index 0000000..37bb6ff --- /dev/null +++ b/patches.suse/Bluetooth-Fix-not-cleanup-led-when-bt_init-fails.patch 
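Review bot: `hcon` outlives both `hci_dev_unlock(hdev)` and the added `hci_dev_put(hdev)`, and the hunk shows no reference being taken on the connection itself before the lock is dropped. If `hci_conn_hash_lookup_le()` returns a borrowed pointer (likely, but not visible here), the connection can be torn down while get_l2cap_conn() is still using it after the `if (!hcon)` test. Consider pinning it while the lock is held, `if (hcon) hci_conn_get(hcon);`, with a matching `hci_conn_put()` at the consumer, or at least moving `hci_dev_put(hdev)` after the last use of `hcon`. The function continues past the end of the hunk, so the remaining uses of `hcon` need checking there.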
@@ -0,0 +1,51 @@ +From 2f3957c7eb4e07df944169a3e50a4d6790e1c744 Mon Sep 17 00:00:00 2001 +From: Chen Zhongjin +Date: Tue, 29 Nov 2022 17:25:56 +0800 +Subject: [PATCH] Bluetooth: Fix not cleanup led when bt_init fails +Git-commit: 2f3957c7eb4e07df944169a3e50a4d6790e1c744 +Patch-mainline: v6.1 +References: git-fixes + +bt_init() calls bt_leds_init() to register led, but if it fails later, +bt_leds_cleanup() is not called to unregister it. + +This can cause panic if the argument "bluetooth-power" in text is freed +and then another led_trigger_register() tries to access it: + +Bug: unable to handle page fault for address: ffffffffc06d3bc0 +Rip: 0010:strcmp+0xc/0x30 Call Trace: led_trigger_register+0x10d/0x4f0 led_trigger_register_simple+0x7d/0x100 bt_init+0x39/0xf7 [bluetooth] do_one_initcall+0xd0/0x4e0 + +Fixes: e64c97b53bc6 ("Bluetooth: Add combined LED trigger for controller power") +Signed-off-by: Chen Zhongjin +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + net/bluetooth/af_bluetooth.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c +index dc65974f5adb..1c3c7ff5c3c6 100644 +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -737,7 +737,7 @@ static int __init bt_init(void) + + err = bt_sysfs_init(); + if (err < 0) +- return err; ++ goto cleanup_led; + + err = sock_register(&bt_sock_family_ops); + if (err) +@@ -773,6 +773,8 @@ static int __init bt_init(void) + sock_unregister(PF_BLUETOOTH); + cleanup_sysfs: + bt_sysfs_cleanup(); ++cleanup_led: ++ bt_leds_cleanup(); + return err; + } + +-- +2.35.3 + diff --git a/patches.suse/HID-core-fix-shift-out-of-bounds-in-hid_report_raw_e.patch b/patches.suse/HID-core-fix-shift-out-of-bounds-in-hid_report_raw_e.patch new file mode 100644 index 0000000..8a406d3 --- /dev/null +++ b/patches.suse/HID-core-fix-shift-out-of-bounds-in-hid_report_raw_e.patch 
@@ -0,0 +1,77 @@ +From ec61b41918587be530398b0d1c9a0d16619397e5 Mon Sep 17 00:00:00 2001 +From: ZhangPeng +Date: Wed, 16 Nov 2022 07:14:28 +0000 +Subject: [PATCH] HID: core: fix shift-out-of-bounds in hid_report_raw_event +Git-commit: ec61b41918587be530398b0d1c9a0d16619397e5 +Patch-mainline: v6.1 +References: git-fixes + +Syzbot reported shift-out-of-bounds in hid_report_raw_event. + +microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > +32! (swapper/0) +====================================================================== +Ubsan: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20 +shift exponent 127 is too large for 32-bit type 'int' +Cpu: 0 PID: 0 Comm: swapper/0 Not tainted +6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0 +Hardware name: Google Compute Engine/Google Compute Engine, BIOS +Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:151 [inline] + __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322 + snto32 drivers/hid/hid-core.c:1323 [inline] + hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline] + hid_process_report drivers/hid/hid-core.c:1665 [inline] + hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998 + hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066 + hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284 + __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671 + dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988 + call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474 + expire_timers kernel/time/timer.c:1519 [inline] + __run_timers+0x76a/0x980 kernel/time/timer.c:1790 + run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803 + __do_softirq+0x277/0x75b kernel/softirq.c:571 + __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650 + irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 + sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107 
+====================================================================== + +If the size of the integer (unsigned n) is bigger than 32 in snto32(), +shift exponent will be too large for 32-bit type 'int', resulting in a +shift-out-of-bounds bug. +Fix this by adding a check on the size of the integer (unsigned n) in +snto32(). To add support for n greater than 32 bits, set n to 32, if n +is greater than 32. + +Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com +Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") +Signed-off-by: ZhangPeng +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 9c1d31f63f85..bd47628da6be 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1315,6 +1315,9 @@ static s32 snto32(__u32 value, unsigned n) + if (!value || !n) + return 0; + ++ if (n > 32) ++ n = 32; ++ + switch (n) { + case 8: return ((__s8)value); + case 16: return ((__s16)value); +-- +2.35.3 + diff --git a/patches.suse/HID-hid-lg4ff-Add-check-for-empty-lbuf.patch b/patches.suse/HID-hid-lg4ff-Add-check-for-empty-lbuf.patch new file mode 100644 index 0000000..c33470d --- /dev/null +++ b/patches.suse/HID-hid-lg4ff-Add-check-for-empty-lbuf.patch 
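Review bot: The added clamp `if (n > 32) n = 32;` silently reinterprets an oversized field instead of rejecting it, and `n` is device-controlled: the quoted syzbot log shows a width of 128 arriving from a report. The clamp removes the out-of-range shift, but the value is then sign-extended from bit 31 even though the field was declared wider, so the truncation should be stated at the check, e.g. `/* n comes from the device's report descriptor; widths above 32 bits are truncated to 32 */`. Rejecting such field sizes where the descriptor is parsed would be the stricter fix if no supported device relies on them; that code is outside this hunk. snto32() continues past the end of the hunk.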
@@ -0,0 +1,42 @@ +From d180b6496143cd360c5d5f58ae4b9a8229c1f344 Mon Sep 17 00:00:00 2001 +From: Anastasia Belova +Date: Fri, 11 Nov 2022 15:55:11 +0300 +Subject: [PATCH] HID: hid-lg4ff: Add check for empty lbuf +Git-commit: d180b6496143cd360c5d5f58ae4b9a8229c1f344 +Patch-mainline: v6.1 +References: git-fixes + +If an empty buf is received, lbuf is also empty. So lbuf is +accessed by index -1. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes") +Signed-off-by: Anastasia Belova +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-lg4ff.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c +index 5e6a0cef2a06..e3fcf1353fb3 100644 +--- a/drivers/hid/hid-lg4ff.c ++++ b/drivers/hid/hid-lg4ff.c +@@ -872,6 +872,12 @@ static ssize_t lg4ff_alternate_modes_store(struct device *dev, struct device_att + return -ENOMEM; + + i = strlen(lbuf); ++ ++ if (i == 0) { ++ kfree(lbuf); ++ return -EINVAL; ++ } ++ + if (lbuf[i-1] == '\n') { + if (i == 1) { + kfree(lbuf); +-- +2.35.3 + diff --git a/patches.suse/NFC-nci-Bounds-check-struct-nfc_target-arrays.patch b/patches.suse/NFC-nci-Bounds-check-struct-nfc_target-arrays.patch new file mode 100644 index 0000000..2e9b1d5 --- /dev/null +++ b/patches.suse/NFC-nci-Bounds-check-struct-nfc_target-arrays.patch 
@@ -0,0 +1,62 @@ +From e329e71013c9b5a4535b099208493c7826ee4a64 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 2 Dec 2022 13:44:14 -0800 +Subject: [PATCH] NFC: nci: Bounds check struct nfc_target arrays +Git-commit: e329e71013c9b5a4535b099208493c7826ee4a64 +Patch-mainline: v6.1 +References: git-fixes + +While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported: + + memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18) + +This appears to be a legitimate lack of bounds checking in +nci_add_new_protocol(). Add the missing checks. + +Reported-by: syzbot+210e196cef4711b65139@syzkaller.appspotmail.com +Link: https://lore.kernel.org/lkml/0000000000001c590f05ee7b3ff4@google.com +Fixes: 019c4fbaa790 ("NFC: Add NCI multiple targets support") +Signed-off-by: Kees Cook +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20221202214410.never.693-kees@kernel.org +Signed-off-by: Jakub Kicinski +Acked-by: Takashi Iwai + +--- + net/nfc/nci/ntf.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c +index 282c51051dcc..994a0a1efb58 100644 +--- a/net/nfc/nci/ntf.c ++++ b/net/nfc/nci/ntf.c +@@ -240,6 +240,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev, + target->sens_res = nfca_poll->sens_res; + target->sel_res = nfca_poll->sel_res; + target->nfcid1_len = nfca_poll->nfcid1_len; ++ if (target->nfcid1_len > ARRAY_SIZE(target->nfcid1)) ++ return -EPROTO; + if (target->nfcid1_len > 0) { + memcpy(target->nfcid1, nfca_poll->nfcid1, + target->nfcid1_len); +@@ -248,6 +250,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev, + nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params; + + target->sensb_res_len = nfcb_poll->sensb_res_len; ++ if (target->sensb_res_len > ARRAY_SIZE(target->sensb_res)) ++ return -EPROTO; + if (target->sensb_res_len > 0) { + memcpy(target->sensb_res, nfcb_poll->sensb_res, + target->sensb_res_len); +@@ 
-256,6 +260,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev, + nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params; + + target->sensf_res_len = nfcf_poll->sensf_res_len; ++ if (target->sensf_res_len > ARRAY_SIZE(target->sensf_res)) ++ return -EPROTO; + if (target->sensf_res_len > 0) { + memcpy(target->sensf_res, nfcf_poll->sensf_res, + target->sensf_res_len); +-- +2.35.3 + diff --git a/patches.suse/ca8210-Fix-crash-by-zero-initializing-data.patch b/patches.suse/ca8210-Fix-crash-by-zero-initializing-data.patch new file mode 100644 index 0000000..ce20831 --- /dev/null +++ b/patches.suse/ca8210-Fix-crash-by-zero-initializing-data.patch 
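Review bot: Each new bounds check runs after the unvalidated length has already been stored: `target->nfcid1_len = nfca_poll->nfcid1_len;` precedes `if (target->nfcid1_len > ARRAY_SIZE(target->nfcid1)) return -EPROTO;`, and the NFC-B and NFC-F branches follow the same pattern with `sensb_res_len` and `sensf_res_len`. On the error path `*target` therefore keeps an out-of-range length (plus the freshly written `sens_res`/`sel_res` in the NFC-A branch). Whether callers discard the target on failure is not visible here; if any later reader trusts the stored length, the overflow only moves. Validating the source before the assignments avoids that, `if (nfca_poll->nfcid1_len > ARRAY_SIZE(target->nfcid1)) return -EPROTO;`, and likewise for the other two. nci_add_new_protocol() starts and ends outside the hunk.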
@@ -0,0 +1,40 @@ +From 1e24c54da257ab93cff5826be8a793b014a5dc9c Mon Sep 17 00:00:00 2001 +From: Hauke Mehrtens +Date: Mon, 21 Nov 2022 01:22:01 +0100 +Subject: [PATCH] ca8210: Fix crash by zero initializing data +Git-commit: 1e24c54da257ab93cff5826be8a793b014a5dc9c +Patch-mainline: v6.1 +References: git-fixes + +The struct cas_control embeds multiple generic SPI structures and we +have to make sure these structures are initialized to default values. +This driver does not set all attributes. When using kmalloc before some +attributes were not initialized and contained random data which caused +random crashes at bootup. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Hauke Mehrtens +Link: https://lore.kernel.org/r/20221121002201.1339636-1-hauke@hauke-m.de +Signed-off-by: Stefan Schmidt +Acked-by: Takashi Iwai + +--- + drivers/net/ieee802154/ca8210.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index 450b16ad40a4..e1a569b99e4a 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -885,7 +885,7 @@ static int ca8210_spi_transfer( + + dev_dbg(&spi->dev, "%s called\n", __func__); + +- cas_ctl = kmalloc(sizeof(*cas_ctl), GFP_ATOMIC); ++ cas_ctl = kzalloc(sizeof(*cas_ctl), GFP_ATOMIC); + if (!cas_ctl) + return -ENOMEM; + +-- +2.35.3 + diff --git a/patches.suse/drm-vc4-hvs-Reset-muxes-at-probe-time.patch b/patches.suse/drm-vc4-hvs-Reset-muxes-at-probe-time.patch deleted file mode 100644 index 0cee627..0000000 --- a/patches.suse/drm-vc4-hvs-Reset-muxes-at-probe-time.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 8514e6b1f40319e31ac4aa3fbf606796786366c9 Mon Sep 17 00:00:00 2001 -From: Maxime Ripard -Date: Mon, 28 Mar 2022 17:36:54 +0200 -Subject: [PATCH] drm/vc4: hvs: Reset muxes at probe time -Git-commit: 8514e6b1f40319e31ac4aa3fbf606796786366c9 -Patch-mainline: v5.19-rc1 -References: git-fixes - -By default, the HVS driver will force the HVS output 3 to be muxed to -the HVS channel 2. However, the Transposer can only be assigned to the -HVS channel 2, so whenever we try to use the writeback connector, we'll -mux its associated output (Output 2) to the channel 2. - -This leads to both the output 2 and 3 feeding from the same channel, -which is explicitly discouraged in the documentation. - -In order to avoid this, let's reset all the output muxes to their reset -value. - -Fixes: 87ebcd42fb7b ("drm/vc4: crtc: Assign output to channel automatically") -Signed-off-by: Maxime Ripard -Acked-by: Thomas Zimmermann -Link: https://lore.kernel.org/r/20220328153659.2382206-2-maxime@cerno.tech -Acked-by: Takashi Iwai - ---- - drivers/gpu/drm/vc4/vc4_hvs.c | 26 +++++++++++++++++++++----- - 1 file changed, 21 insertions(+), 5 deletions(-) - -diff --git a/drivers/gpu/drm/vc4/vc4_hvs.c b/drivers/gpu/drm/vc4/vc4_hvs.c -index 9194cb52e706..2a58fc421cf6 100644 ---- a/drivers/gpu/drm/vc4/vc4_hvs.c -+++ b/drivers/gpu/drm/vc4/vc4_hvs.c -@@ -611,6 +611,7 @@ static int vc4_hvs_bind(struct device *dev, struct device *master, void *data) - struct vc4_hvs *hvs = NULL; - int ret; - u32 dispctrl; -+ u32 reg; - - hvs = devm_kzalloc(&pdev->dev, sizeof(*hvs), GFP_KERNEL); - if (!hvs) -@@ -682,6 +683,26 @@ static int vc4_hvs_bind(struct device *dev, struct device *master, void *data) - - vc4->hvs = hvs; - -+ reg = HVS_READ(SCALER_DISPECTRL); -+ reg &= ~SCALER_DISPECTRL_DSP2_MUX_MASK; -+ HVS_WRITE(SCALER_DISPECTRL, -+ reg | VC4_SET_FIELD(0, SCALER_DISPECTRL_DSP2_MUX)); -+ -+ reg = HVS_READ(SCALER_DISPCTRL); -+ reg &= ~SCALER_DISPCTRL_DSP3_MUX_MASK; -+ HVS_WRITE(SCALER_DISPCTRL, -+ reg 
| VC4_SET_FIELD(3, SCALER_DISPCTRL_DSP3_MUX)); -+ -+ reg = HVS_READ(SCALER_DISPEOLN); -+ reg &= ~SCALER_DISPEOLN_DSP4_MUX_MASK; -+ HVS_WRITE(SCALER_DISPEOLN, -+ reg | VC4_SET_FIELD(3, SCALER_DISPEOLN_DSP4_MUX)); -+ -+ reg = HVS_READ(SCALER_DISPDITHER); -+ reg &= ~SCALER_DISPDITHER_DSP5_MUX_MASK; -+ HVS_WRITE(SCALER_DISPDITHER, -+ reg | VC4_SET_FIELD(3, SCALER_DISPDITHER_DSP5_MUX)); -+ - dispctrl = HVS_READ(SCALER_DISPCTRL); - - dispctrl |= SCALER_DISPCTRL_ENABLE; -@@ -689,10 +710,6 @@ static int vc4_hvs_bind(struct device *dev, struct device *master, void *data) - SCALER_DISPCTRL_DISPEIRQ(1) | - SCALER_DISPCTRL_DISPEIRQ(2); - -- /* Set DSP3 (PV1) to use HVS channel 2, which would otherwise -- * be unused. -- */ -- dispctrl &= ~SCALER_DISPCTRL_DSP3_MUX_MASK; - dispctrl &= ~(SCALER_DISPCTRL_DMAEIRQ | - SCALER_DISPCTRL_SLVWREIRQ | - SCALER_DISPCTRL_SLVRDEIRQ | -@@ -706,7 +723,6 @@ static int vc4_hvs_bind(struct device *dev, struct device *master, void *data) - SCALER_DISPCTRL_DSPEISLUR(1) | - SCALER_DISPCTRL_DSPEISLUR(2) | - SCALER_DISPCTRL_SCLEIRQ); -- dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_DSP3_MUX); - - HVS_WRITE(SCALER_DISPCTRL, dispctrl); - --- -2.35.3 - diff --git a/patches.suse/e1000e-Fix-TX-dispatch-condition.patch b/patches.suse/e1000e-Fix-TX-dispatch-condition.patch new file mode 100644 index 0000000..1bb968e --- /dev/null +++ b/patches.suse/e1000e-Fix-TX-dispatch-condition.patch 
@@ -0,0 +1,67 @@ +From eed913f6919e253f35d454b2f115f2a4db2b741a Mon Sep 17 00:00:00 2001 +From: Akihiko Odaki +Date: Fri, 28 Oct 2022 22:00:00 +0900 +Subject: [PATCH] e1000e: Fix TX dispatch condition +Git-commit: eed913f6919e253f35d454b2f115f2a4db2b741a +Patch-mainline: v6.1 +References: git-fixes + +e1000_xmit_frame is expected to stop the queue and dispatch frames to +hardware if there is not sufficient space for the next frame in the +buffer, but sometimes it failed to do so because the estimated maximum +size of frame was wrong. As the consequence, the later invocation of +e1000_xmit_frame failed with NETDEV_TX_BUSY, and the frame in the buffer +remained forever, resulting in a watchdog failure. + +This change fixes the estimated size by making it match with the +condition for NETDEV_TX_BUSY. Apparently, the old estimation failed to +account for the following lines which determines the space requirement +for not causing NETDEV_TX_BUSY: + ``` + /* reserve a descriptor for the offload context */ + if ((mss) || (skb->ip_summed == CHECKSUM_PARTIAL)) + count++; + count++; + + count += DIV_ROUND_UP(len, adapter->tx_fifo_limit); + ``` + +This issue was found when running http-stress02 test included in Linux +Test Project 20220930 on QEMU with the following commandline: +``` +qemu-system-x86_64 -M q35,accel=kvm -m 8G -smp 8 + -drive if=virtio,format=raw,file=root.img,file.locking=on + -device e1000e,netdev=netdev + -netdev tap,script=ifup,downscript=no,id=netdev +``` + +Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") +Signed-off-by: Akihiko Odaki +Tested-by: Gurucharan G (A Contingent worker at Intel) +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 49e926959ad3..55cf2f62bb30 
100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5936,9 +5936,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb, + e1000_tx_queue(tx_ring, tx_flags, count); + /* Make sure there is space in the ring for the next send. */ + e1000_maybe_stop_tx(tx_ring, +- (MAX_SKB_FRAGS * ++ ((MAX_SKB_FRAGS + 1) * + DIV_ROUND_UP(PAGE_SIZE, +- adapter->tx_fifo_limit) + 2)); ++ adapter->tx_fifo_limit) + 4)); + + if (!netdev_xmit_more() || + netif_xmit_stopped(netdev_get_tx_queue(netdev, 0))) { +-- +2.35.3 + diff --git a/patches.suse/fbdev-smscufx-Fix-several-use-after-free-bugs.patch b/patches.suse/fbdev-smscufx-Fix-several-use-after-free-bugs.patch new file mode 100644 index 0000000..58c2d80 --- /dev/null +++ b/patches.suse/fbdev-smscufx-Fix-several-use-after-free-bugs.patch 
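Review bot: The new bound `((MAX_SKB_FRAGS + 1) * DIV_ROUND_UP(PAGE_SIZE, adapter->tx_fifo_limit) + 4)` is a hand-copied estimate of the descriptor count that e1000_xmit_frame() computes for the NETDEV_TX_BUSY decision, and nothing at the call site says so. According to the commit message, the previous estimate drifting away from that computation is exactly what caused the stalled queue and watchdog failure. A comment tying the two together would help keep them aligned, e.g. `/* Worst case for the next frame; keep in sync with the descriptor count that yields NETDEV_TX_BUSY above. */`. The function body starts and ends outside the hunk.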
@@ -0,0 +1,173 @@ +From cc67482c9e5f2c80d62f623bcc347c29f9f648e1 Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Thu, 20 Oct 2022 18:15:44 -0700 +Subject: [PATCH] fbdev: smscufx: Fix several use-after-free bugs +Git-commit: cc67482c9e5f2c80d62f623bcc347c29f9f648e1 +Patch-mainline: v6.1-rc3 +References: git-fixes + +Several types of UAFs can occur when physically removing a USB device. + +Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and +in this function, there is kref_put() that finally calls ufx_free(). + +This fix prevents multiple UAFs. + +Signed-off-by: Hyunwoo Kim +Link: https://lore.kernel.org/linux-fbdev/20221011153436.GA4446@ubuntu/ +Cc: +Signed-off-by: Helge Deller +Acked-by: Takashi Iwai + +--- + drivers/video/fbdev/smscufx.c | 55 +++++++++++++++++++---------------- + 1 file changed, 30 insertions(+), 25 deletions(-) + +diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c +index e65bdc499c23..9343b7a4ac89 100644 +--- a/drivers/video/fbdev/smscufx.c ++++ b/drivers/video/fbdev/smscufx.c +@@ -97,7 +97,6 @@ struct ufx_data { + struct kref kref; + int fb_count; + bool virtualized; /* true when physical usb device not present */ +- struct delayed_work free_framebuffer_work; + atomic_t usb_active; /* 0 = update virtual buffer, but no usb traffic */ + atomic_t lost_pixels; /* 1 = a render op failed. 
Need screen refresh */ + u8 *edid; /* null until we read edid from hw or get from sysfs */ +@@ -1117,15 +1116,24 @@ static void ufx_free(struct kref *kref) + { + struct ufx_data *dev = container_of(kref, struct ufx_data, kref); + +- /* this function will wait for all in-flight urbs to complete */ +- if (dev->urbs.count > 0) +- ufx_free_urb_list(dev); ++ kfree(dev); ++} + +- pr_debug("freeing ufx_data %p", dev); ++static void ufx_ops_destory(struct fb_info *info) ++{ ++ struct ufx_data *dev = info->par; ++ int node = info->node; + +- kfree(dev); ++ /* Assume info structure is freed after this point */ ++ framebuffer_release(info); ++ ++ pr_debug("fb_info for /dev/fb%d has been freed", node); ++ ++ /* release reference taken by kref_init in probe() */ ++ kref_put(&dev->kref, ufx_free); + } + ++ + static void ufx_release_urb_work(struct work_struct *work) + { + struct urb_node *unode = container_of(work, struct urb_node, +@@ -1134,14 +1142,9 @@ static void ufx_release_urb_work(struct work_struct *work) + up(&unode->dev->urbs.limit_sem); + } + +-static void ufx_free_framebuffer_work(struct work_struct *work) ++static void ufx_free_framebuffer(struct ufx_data *dev) + { +- struct ufx_data *dev = container_of(work, struct ufx_data, +- free_framebuffer_work.work); + struct fb_info *info = dev->info; +- int node = info->node; +- +- unregister_framebuffer(info); + + if (info->cmap.len != 0) + fb_dealloc_cmap(&info->cmap); +@@ -1153,11 +1156,6 @@ static void ufx_free_framebuffer_work(struct work_struct *work) + + dev->info = NULL; + +- /* Assume info structure is freed after this point */ +- framebuffer_release(info); +- +- pr_debug("fb_info for /dev/fb%d has been freed", node); +- + /* ref taken in probe() as part of registering framebfufer */ + kref_put(&dev->kref, ufx_free); + } +@@ -1169,11 +1167,13 @@ static int ufx_ops_release(struct fb_info *info, int user) + { + struct ufx_data *dev = info->par; + ++ mutex_lock(&disconnect_mutex); ++ + dev->fb_count--; + + /* We can't 
free fb_info here - fbmem will touch it when we return */ + if (dev->virtualized && (dev->fb_count == 0)) +- schedule_delayed_work(&dev->free_framebuffer_work, HZ); ++ ufx_free_framebuffer(dev); + + if ((dev->fb_count == 0) && (info->fbdefio)) { + fb_deferred_io_cleanup(info); +@@ -1186,6 +1186,8 @@ static int ufx_ops_release(struct fb_info *info, int user) + + kref_put(&dev->kref, ufx_free); + ++ mutex_unlock(&disconnect_mutex); ++ + return 0; + } + +@@ -1292,6 +1294,7 @@ static const struct fb_ops ufx_ops = { + .fb_blank = ufx_ops_blank, + .fb_check_var = ufx_ops_check_var, + .fb_set_par = ufx_ops_set_par, ++ .fb_destroy = ufx_ops_destory, + }; + + /* Assumes &info->lock held by caller +@@ -1673,9 +1676,6 @@ static int ufx_usb_probe(struct usb_interface *interface, + goto destroy_modedb; + } + +- INIT_DELAYED_WORK(&dev->free_framebuffer_work, +- ufx_free_framebuffer_work); +- + retval = ufx_reg_read(dev, 0x3000, &id_rev); + check_warn_goto_error(retval, "error %d reading 0x3000 register from device", retval); + dev_dbg(dev->gdev, "ID_REV register value 0x%08x", id_rev); +@@ -1748,10 +1748,12 @@ static int ufx_usb_probe(struct usb_interface *interface, + static void ufx_usb_disconnect(struct usb_interface *interface) + { + struct ufx_data *dev; ++ struct fb_info *info; + + mutex_lock(&disconnect_mutex); + + dev = usb_get_intfdata(interface); ++ info = dev->info; + + pr_debug("USB disconnect starting\n"); + +@@ -1765,12 +1767,15 @@ static void ufx_usb_disconnect(struct usb_interface *interface) + + /* if clients still have us open, will be freed on last close */ + if (dev->fb_count == 0) +- schedule_delayed_work(&dev->free_framebuffer_work, 0); ++ ufx_free_framebuffer(dev); + +- /* release reference taken by kref_init in probe() */ +- kref_put(&dev->kref, ufx_free); ++ /* this function will wait for all in-flight urbs to complete */ ++ if (dev->urbs.count > 0) ++ ufx_free_urb_list(dev); + +- /* consider ufx_data freed */ ++ pr_debug("freeing ufx_data %p", dev); ++ 
++ unregister_framebuffer(info); + + mutex_unlock(&disconnect_mutex); + } +-- +2.35.3 + diff --git a/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch b/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch index 05ee5f0..7b1cf9f 100644 --- a/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch +++ b/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch @@ -1,9 +1,9 @@ -From 6a7bca685c93fd18133d313716e141faac3bddc3 Mon Sep 17 00:00:00 2001 +From 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c Mon Sep 17 00:00:00 2001 From: Hyunwoo Kim Date: Sun, 25 Sep 2022 06:32:43 -0700 Subject: [PATCH] fbdev: smscufx: Fix use-after-free in ufx_ops_open() -Git-commit: cc67482c9e5f2c80d62f623bcc347c29f9f648e1 -Patch-mainline: v6.1-rc3 +Git-commit: 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c +Patch-mainline: v6.1-rc1 References: CVE-2022-41849 bsc#1203992 A race condition may occur if the user physically removes the diff --git a/patches.suse/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch b/patches.suse/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch new file mode 100644 index 0000000..6450d1f --- /dev/null +++ b/patches.suse/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch 
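Review bot: `ufx_usb_disconnect()` now logs `pr_debug("freeing ufx_data %p", dev);` although `dev` is no longer freed there: `ufx_free()` is reduced to `kfree(dev)` and the reference from `kref_init` is dropped in the new `.fb_destroy` callback. In teardown code whose purpose is to close use-after-free windows, a log line announcing a free that has not happened will mislead whoever debugs the next lifetime bug; move it into `ufx_free()` or reword it. The callback is also spelled `ufx_ops_destory`, where `ufx_ops_destroy` would match the commit message and the `.fb_destroy` field. A short comment at `ufx_free_framebuffer()` stating which reference each `kref_put()` releases, and why `unregister_framebuffer(info)` is called last in disconnect, would make the new ordering reviewable.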
@@ -0,0 +1,89 @@
+From: Miklos Szeredi
+Date: Wed, 23 Nov 2022 09:10:42 +0100
+Subject: fuse: lock inode unconditionally in fuse_fallocate()
+Git-commit: 44361e8cf9ddb23f17bdcc40ca944abf32e83e79
+Patch-mainline: v6.1-rc8
+References: bsc#1206273
+
+file_modified() must be called with inode lock held. fuse_fallocate()
+didn't lock the inode in case of just FALLOC_KEEP_SIZE flags value, which
+resulted in a kernel Warning in notify_change().
+
+Lock the inode unconditionally, like all other fallocate implementations
+do.
+
+Reported-by: Pengfei Xu
+Reported-and-tested-by: syzbot+462da39f0667b357c4b6@syzkaller.appspotmail.com
+Fixes: 4a6f278d4827 ("fuse: add file_modified() to fallocate")
+Signed-off-by: Miklos Szeredi
+Acked-by: Luis Henriques
+
+---
+ fs/fuse/file.c | 37 ++++++++++++++++---------------------
+ 1 file changed, 16 insertions(+), 21 deletions(-)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 71bfb663aac5..89f4741728ba 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -2963,11 +2963,9 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset,
+ .mode = mode
+ };
+ int err;
+- bool lock_inode = !(mode & FALLOC_FL_KEEP_SIZE) ||
+- (mode & (FALLOC_FL_PUNCH_HOLE |
+- FALLOC_FL_ZERO_RANGE));
+-
+- bool block_faults = FUSE_IS_DAX(inode) && lock_inode;
++ bool block_faults = FUSE_IS_DAX(inode) &&
++ (!(mode & FALLOC_FL_KEEP_SIZE) ||
++ (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)));
+
+ if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE |
+ FALLOC_FL_ZERO_RANGE))
+@@ -2976,22 +2974,20 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset,
+ if (fm->fc->no_fallocate)
+ return -EOPNOTSUPP;
+
+- if (lock_inode) {
+- inode_lock(inode);
+- if (block_faults) {
+- filemap_invalidate_lock(inode->i_mapping);
+- err = fuse_dax_break_layouts(inode, 0, 0);
+- if (err)
+- goto out;
+- }
++ inode_lock(inode);
++ if (block_faults) {
++ filemap_invalidate_lock(inode->i_mapping);
++ err =
fuse_dax_break_layouts(inode, 0, 0);
++ if (err)
++ goto out;
++ }
+
+- if (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)) {
+- loff_t endbyte = offset + length - 1;
++ if (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)) {
++ loff_t endbyte = offset + length - 1;
+
+- err = fuse_writeback_range(inode, offset, endbyte);
+- if (err)
+- goto out;
+- }
++ err = fuse_writeback_range(inode, offset, endbyte);
++ if (err)
++ goto out;
+ }
+
+ if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+@@ -3039,8 +3035,7 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset,
+ if (block_faults)
+ filemap_invalidate_unlock(inode->i_mapping);
+
+- if (lock_inode)
+- inode_unlock(inode);
++ inode_unlock(inode);
+
+ fuse_flush_time_update(inode);
+
+
diff --git a/patches.suse/gpio-amd8111-Fix-PCI-device-reference-count-leak.patch b/patches.suse/gpio-amd8111-Fix-PCI-device-reference-count-leak.patch
new file mode 100644
index 0000000..2a20817
--- /dev/null
+++ b/patches.suse/gpio-amd8111-Fix-PCI-device-reference-count-leak.patch
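Review bot: In fuse_file_fallocate() the `block_faults` initialiser now spells out inline the mode test that used to be named `lock_inode`, so nothing in the function says why DAX fault blocking stays conditional once `inode_lock()` is taken unconditionally. A one-line comment above it would keep a later cleanup from merging or dropping the two conditions, e.g. `/* inode lock is always taken; faults are blocked only for DAX when the mode can change size or layout */` (wording inferred from the flags tested, to be confirmed by someone who knows the DAX path). The function body starts and ends outside the visible hunks.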
@@ -0,0 +1,54 @@
+From 45fecdb9f658d9c82960c98240bc0770ade19aca Mon Sep 17 00:00:00 2001
+From: Xiongfeng Wang
+Date: Tue, 22 Nov 2022 20:35:08 +0800
+Subject: [PATCH] gpio: amd8111: Fix PCI device reference count leak
+Git-commit: 45fecdb9f658d9c82960c98240bc0770ade19aca
+Patch-mainline: v6.1
+References: git-fixes
+
+for_each_pci_dev() is implemented by pci_get_device(). The comment of
+pci_get_device() says that it will increase the reference count for the
+returned pci_dev and also decrease the reference count for the input
+pci_dev @from if it is not NULL.
+
+If we break for_each_pci_dev() loop with pdev not NULL, we need to call
+pci_dev_put() to decrease the reference count. Add the missing
+pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL
+input parameter, there is no problem for the 'Device not found' branch.
+For the normal path, add pci_dev_put() in amd_gpio_exit().
+
+Fixes: f942a7de047d ("gpio: add a driver for GPIO pins found on AMD-8111 south bridge chips")
+Signed-off-by: Xiongfeng Wang
+Signed-off-by: Bartosz Golaszewski
+Acked-by: Takashi Iwai
+
+---
+ drivers/gpio/gpio-amd8111.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpio/gpio-amd8111.c b/drivers/gpio/gpio-amd8111.c
+index 14e6b3e64add..6f3ded619c8b 100644
+--- a/drivers/gpio/gpio-amd8111.c
++++ b/drivers/gpio/gpio-amd8111.c
+@@ -226,7 +226,10 @@ static int __init amd_gpio_init(void)
+ ioport_unmap(gp.pm);
+ goto out;
+ }
++ return 0;
++
+ out:
++ pci_dev_put(pdev);
+ return err;
+ }
+
+@@ -234,6 +237,7 @@ static void __exit amd_gpio_exit(void)
+ {
+ gpiochip_remove(&gp.chip);
+ ioport_unmap(gp.pm);
++ pci_dev_put(gp.pdev);
+ }
+
+ module_init(amd_gpio_init);
+--
+2.35.3
+
diff --git a/patches.suse/ieee802154-cc2520-Fix-error-return-code-in-cc2520_hw.patch b/patches.suse/ieee802154-cc2520-Fix-error-return-code-in-cc2520_hw.patch
new file mode 100644
index 0000000..47f3e3a
--- /dev/null
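Review bot: The new `return 0;` in amd_gpio_init() leaves the reference obtained in the device loop held on success, and the only thing that balances it is the `pci_dev_put(gp.pdev)` added to amd_gpio_exit(); the assignment of `gp.pdev` is outside both hunks, so that pairing cannot be checked from here. A comment at the return would make the ownership explicit: `/* success: keep the pdev reference, dropped in amd_gpio_exit() */`. It is also worth confirming that `gp.pdev` is set on every path that reaches `return 0;`, since amd_gpio_exit() now relies on it.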
+++ b/patches.suse/ieee802154-cc2520-Fix-error-return-code-in-cc2520_hw.patch
@@ -0,0 +1,37 @@
+From 4d002d6a2a00ac1c433899bd7625c6400a74cfba Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan
+Date: Sun, 20 Nov 2022 15:50:46 +0800
+Subject: [PATCH] ieee802154: cc2520: Fix error return code in cc2520_hw_init()
+Git-commit: 4d002d6a2a00ac1c433899bd7625c6400a74cfba
+Patch-mainline: v6.1
+References: git-fixes
+
+In cc2520_hw_init(), if oscillator start failed, the error code
+should be returned.
+
+Fixes: 0da6bc8cc341 ("ieee802154: cc2520: adds driver for TI CC2520 radio")
+Signed-off-by: Ziyang Xuan
+Link: https://lore.kernel.org/r/20221120075046.2213633-1-william.xuanziyang@huawei.com
+Signed-off-by: Stefan Schmidt
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/ieee802154/cc2520.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c
+index c69b87d3837d..edc769daad07 100644
+--- a/drivers/net/ieee802154/cc2520.c
++++ b/drivers/net/ieee802154/cc2520.c
+@@ -970,7 +970,7 @@ static int cc2520_hw_init(struct cc2520_private *priv)
+
+ if (timeout-- <= 0) {
+ dev_err(&priv->spi->dev, "oscillator start failed!\n");
+- return ret;
++ return -ETIMEDOUT;
+ }
+ udelay(1);
+ } while (!(status & CC2520_STATUS_XOSC32M_STABLE));
+--
+2.35.3
+
diff --git a/patches.suse/mac802154-fix-missing-INIT_LIST_HEAD-in-ieee802154_i.patch b/patches.suse/mac802154-fix-missing-INIT_LIST_HEAD-in-ieee802154_i.patch
new file mode 100644
index 0000000..5e059d2
--- /dev/null
+++ b/patches.suse/mac802154-fix-missing-INIT_LIST_HEAD-in-ieee802154_i.patch
@@ -0,0 +1,56 @@
+From b3d72d3135d2ef68296c1ee174436efd65386f04 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Wed, 30 Nov 2022 09:17:05 +0000
+Subject: [PATCH] mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
+Git-commit: b3d72d3135d2ef68296c1ee174436efd65386f04
+Patch-mainline: v6.1
+References: git-fixes
+
+Kernel fault injection test reports null-ptr-deref as follows:
+
+Bug: kernel NULL pointer dereference, address: 0000000000000008
+Rip: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
+Call Trace:
+
+ raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
+ call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
+ unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
+ unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
+ register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
+ ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
+ ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
+ mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316
+
+ieee802154_if_add() allocates wpan_dev as netdev's private data, but not
+init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage
+the list when device register/unregister, and may lead to null-ptr-deref.
+
+Use INIT_LIST_HEAD() on it to initialize it correctly.
+
+Fixes: fcf39e6e88e9 ("ieee802154: add wpan_dev_list")
+Signed-off-by: Wei Yongjun
+Acked-by: Alexander Aring
+
+Link: https://lore.kernel.org/r/20221130091705.1831140-1-weiyongjun@huaweicloud.com
+Signed-off-by: Stefan Schmidt
+Acked-by: Takashi Iwai
+
+---
+ net/mac802154/iface.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
+index 500ed1b81250..7e2065e72915 100644
+--- a/net/mac802154/iface.c
++++ b/net/mac802154/iface.c
+@@ -662,6 +662,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
+ sdata->dev = ndev;
+ sdata->wpan_dev.wpan_phy = local->hw.phy;
+ sdata->local = local;
++ INIT_LIST_HEAD(&sdata->wpan_dev.list);
+
+ /* setup type-dependent data */
+ ret = ieee802154_setup_sdata(sdata, type);
+--
+2.35.3
+
diff --git a/patches.suse/macsec-add-missing-attribute-validation-for-offload.patch b/patches.suse/macsec-add-missing-attribute-validation-for-offload.patch
new file mode 100644
index 0000000..bf0887b
--- /dev/null
+++ b/patches.suse/macsec-add-missing-attribute-validation-for-offload.patch
@@ -0,0 +1,38 @@
+From 38099024e51ee37dee5f0f577ca37175c932e3f7 Mon Sep 17 00:00:00 2001
+From: Emeel Hakim
+Date: Wed, 7 Dec 2022 12:16:18 +0200
+Subject: [PATCH] macsec: add missing attribute validation for offload
+Git-commit: 38099024e51ee37dee5f0f577ca37175c932e3f7
+Patch-mainline: v6.1
+References: git-fixes
+
+Add missing attribute validation for IFLA_MACSEC_OFFLOAD
+to the netlink policy.
+
+Fixes: 791bb3fcafce ("net: macsec: add support for specifying offload upon link creation")
+Signed-off-by: Emeel Hakim
+Reviewed-by: Jiri Pirko
+Reviewed-by: Sabrina Dubroca
+Link: https://lore.kernel.org/r/20221207101618.989-1-ehakim@nvidia.com
+Signed-off-by: Jakub Kicinski
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index f41f67b583db..2fbac51b9b19 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3698,6 +3698,7 @@ static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
+ [IFLA_MACSEC_SCB] = { .type = NLA_U8 },
+ [IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 },
+ [IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 },
++ [IFLA_MACSEC_OFFLOAD] = { .type = NLA_U8 },
+ };
+
+ static void macsec_free_netdev(struct net_device *dev)
+--
+2.35.3
+
diff --git a/patches.suse/net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch b/patches.suse/net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch
new file mode 100644
index 0000000..9a09230
--- /dev/null
+++ b/patches.suse/net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch
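Review bot: The new `[IFLA_MACSEC_OFFLOAD] = { .type = NLA_U8 }` entry in macsec_rtnl_policy only checks the attribute's length, so any value from 0 to 255 still passes policy validation. If the offload value is not range-checked later (not visible in this hunk), the policy itself can reject out-of-range input at parse time with `[IFLA_MACSEC_OFFLOAD] = NLA_POLICY_MAX(NLA_U8, MACSEC_OFFLOAD_MAX),`. The neighbouring entries use the same plain form, so the same question applies to them wherever their valid range is narrower than a u8.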
@@ -0,0 +1,77 @@
+From cb37617687f2bfa5b675df7779f869147c9002bd Mon Sep 17 00:00:00 2001
+From: Zeng Heng
+Date: Sat, 3 Dec 2022 15:34:41 +0800
+Subject: [PATCH] net: mdio: fix unbalanced fwnode reference count in mdio_device_release()
+Git-commit: cb37617687f2bfa5b675df7779f869147c9002bd
+Patch-mainline: v6.1
+References: git-fixes
+
+There is warning report about of_node refcount leak
+while probing mdio device:
+
+Of: ERROR: memory leak, expected refcount 1 instead of 2,
+of_node_get()/of_node_put() unbalanced - destroy cset entry:
+attach overlay node /spi/soc@0/mdio@710700c0/ethernet@4
+
+In of_mdiobus_register_device(), we increase fwnode refcount
+by fwnode_handle_get() before associating the of_node with
+mdio device, but it has never been decreased in normal path.
+Since that, in mdio_device_release(), it needs to call
+fwnode_handle_put() in addition instead of calling kfree()
+directly.
+
+After above, just calling mdio_device_free() in the error handle
+path of of_mdiobus_register_device() is enough to keep the
+refcount balanced.
+
+Fixes: a9049e0c513c ("mdio: Add support for mdio drivers.")
+Signed-off-by: Zeng Heng
+Reviewed-by: Yang Yingliang
+Reviewed-by: Russell King (Oracle)
+Link: https://lore.kernel.org/r/20221203073441.3885317-1-zengheng4@huawei.com
+Signed-off-by: Paolo Abeni
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/mdio/of_mdio.c | 3 ++-
+ drivers/net/phy/mdio_device.c | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/mdio/of_mdio.c b/drivers/net/mdio/of_mdio.c
+index 796e9c7857d0..510822d6d0d9 100644
+--- a/drivers/net/mdio/of_mdio.c
++++ b/drivers/net/mdio/of_mdio.c
+@@ -68,8 +68,9 @@ static int of_mdiobus_register_device(struct mii_bus *mdio,
+ /* All data is now stored in the mdiodev struct; register it.
*/
+ rc = mdio_device_register(mdiodev);
+ if (rc) {
++ device_set_node(&mdiodev->dev, NULL);
++ fwnode_handle_put(fwnode);
+ mdio_device_free(mdiodev);
+- of_node_put(child);
+ return rc;
+ }
+
+diff --git a/drivers/net/phy/mdio_device.c b/drivers/net/phy/mdio_device.c
+index 250742ffdfd9..044828d081d2 100644
+--- a/drivers/net/phy/mdio_device.c
++++ b/drivers/net/phy/mdio_device.c
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++#include
+
+ void mdio_device_free(struct mdio_device *mdiodev)
+ {
+@@ -30,6 +31,7 @@ EXPORT_SYMBOL(mdio_device_free);
+
+ static void mdio_device_release(struct device *dev)
+ {
++ fwnode_handle_put(dev->fwnode);
+ kfree(to_mdio_device(dev));
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/net-thunderbolt-fix-memory-leak-in-tbnet_open.patch b/patches.suse/net-thunderbolt-fix-memory-leak-in-tbnet_open.patch
new file mode 100644
index 0000000..bb40c68
--- /dev/null
+++ b/patches.suse/net-thunderbolt-fix-memory-leak-in-tbnet_open.patch
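Review bot: mdio_device_release() now drops `dev->fwnode` unconditionally, which turns "whoever attaches a fwnode to the device must hold a reference" into a rule for every creator of an mdio_device, and nothing in the new code states it. The error path in of_mdiobus_register_device() depends on the same rule from the other side: it calls `device_set_node(&mdiodev->dev, NULL)` before `fwnode_handle_put(fwnode)` so that the release callback does not put the node a second time. A comment on the release function such as `/* drops the fwnode reference taken when the node was attached */`, and one in the error path saying why the node is cleared first, would document that. Callers outside these hunks that attach a fwnode without taking a reference would need checking, since they would now see an extra put.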
@@ -0,0 +1,34 @@
+From ed14e5903638f6eb868e3e2b4e610985e6a6c876 Mon Sep 17 00:00:00 2001
+From: Zhengchao Shao
+Date: Wed, 7 Dec 2022 09:50:01 +0800
+Subject: [PATCH] net: thunderbolt: fix memory leak in tbnet_open()
+Git-commit: ed14e5903638f6eb868e3e2b4e610985e6a6c876
+Patch-mainline: v6.1
+References: git-fixes
+
+When tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in
+tb_xdomain_alloc_out_hopid() is not released. Add
+tb_xdomain_release_out_hopid() to the error path to release ida.
+
+Fixes: 180b0689425c ("thunderbolt: Allow multiple DMA tunnels over a single XDomain connection")
+Signed-off-by: Zhengchao Shao
+Acked-by: Mika Westerberg
+Reviewed-by: Jiri Pirko
+Link: https://lore.kernel.org/r/20221207015001.1755826-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/thunderbolt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/thunderbolt.c
++++ b/drivers/net/thunderbolt.c
+@@ -902,6 +902,7 @@ static int tbnet_open(struct net_device
+ tbnet_start_poll, net);
+ if (!ring) {
+ netdev_err(dev, "failed to allocate Rx ring\n");
++ tb_xdomain_release_out_hopid(xd, hopid);
+ tb_ring_free(net->tx_ring.ring);
+ net->tx_ring.ring = NULL;
+ return -ENOMEM;
diff --git a/patches.suse/nilfs2-fix-NULL-pointer-dereference-in-nilfs_palloc_.patch b/patches.suse/nilfs2-fix-NULL-pointer-dereference-in-nilfs_palloc_.patch
new file mode 100644
index 0000000..e77f900
--- /dev/null
+++ b/patches.suse/nilfs2-fix-NULL-pointer-dereference-in-nilfs_palloc_.patch
@@ -0,0 +1,112 @@
+From f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4 Mon Sep 17 00:00:00 2001
+From: ZhangPeng
+Date: Sat, 19 Nov 2022 21:05:42 +0900
+Subject: [PATCH] nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()
+Git-commit: f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4
+Patch-mainline: v6.1-rc8
+References: git-fixes
+
+Syzbot reported a null-ptr-deref bug:
+
+ NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP
+ frequency < 30 seconds
+ general protection fault, probably for non-canonical address
+ 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ CPU: 1 PID: 3603 Comm: segctord Not tainted
+ 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
+ Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google
+ 10/11/2022
+ RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0
+ fs/nilfs2/alloc.c:608
+ Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00
+ 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02
+ 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7
+ RSP: 0018:ffffc90003dff830 EFLAGS: 00010212
+ RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d
+ RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010
+ RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f
+ R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158
+ R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004
+ FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000)
+ knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0
+ Call Trace:
+
+ nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]
+ nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193
+ nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236
+ nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940
+ nilfs_btree_commit_propagate_v
fs/nilfs2/btree.c:2016 [inline]
+ nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]
+ nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088
+ nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337
+ nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568
+ nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018
+ nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067
+ nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
+ nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]
+ nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045
+ nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379
+ nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]
+ nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570
+ kthread+0x2e4/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+
+ ...
+
+If DAT metadata file is corrupted on disk, there is a case where
+req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during
+a b-tree operation that cascadingly updates ancestor nodes of the b-tree,
+because nilfs_dat_commit_alloc() for a lower level block can initialize
+the blocknr on the same DAT entry between nilfs_dat_prepare_end() and
+nilfs_dat_commit_end().
+
+If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free()
+without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and
+causes the NULL pointer dereference above in
+nilfs_palloc_commit_free_entry() function, which leads to a crash.
+
+Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh
+before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().
+
+This also calls nilfs_error() in that case to notify that there is a fatal
+flaw in the filesystem metadata and prevent further operations.
+
+Link: https://lkml.kernel.org/r/00000000000097c20205ebaea3d6@google.com
+Link: https://lkml.kernel.org/r/20221114040441.1649940-1-zhangpeng362@huawei.com
+Link: https://lkml.kernel.org/r/20221119120542.17204-1-konishi.ryusuke@gmail.com
+Signed-off-by: ZhangPeng
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+ebe05ee8e98f755f61d0@syzkaller.appspotmail.com
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Acked-by: Takashi Iwai
+
+---
+ fs/nilfs2/dat.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/nilfs2/dat.c b/fs/nilfs2/dat.c
+index 3b55e239705f..9930fa901039 100644
+--- a/fs/nilfs2/dat.c
++++ b/fs/nilfs2/dat.c
+@@ -111,6 +111,13 @@ static void nilfs_dat_commit_free(struct inode *dat,
+ kunmap_atomic(kaddr);
+
+ nilfs_dat_commit_entry(dat, req);
++
++ if (unlikely(req->pr_desc_bh == NULL || req->pr_bitmap_bh == NULL)) {
++ nilfs_error(dat->i_sb,
++ "state inconsistency probably due to duplicate use of vblocknr = %llu",
++ (unsigned long long)req->pr_entry_nr);
++ return;
++ }
+ nilfs_palloc_commit_free_entry(dat, req);
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/pinctrl-intel-Save-and-restore-pins-in-direct-IRQ-mo.patch b/patches.suse/pinctrl-intel-Save-and-restore-pins-in-direct-IRQ-mo.patch
new file mode 100644
index 0000000..a0fe6a9
--- /dev/null
+++ b/patches.suse/pinctrl-intel-Save-and-restore-pins-in-direct-IRQ-mo.patch
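Review bot: The NULL test added to nilfs_dat_commit_free() sits after `nilfs_dat_commit_entry(dat, req)` has already run, and the code does not say why `req->pr_desc_bh` or `req->pr_bitmap_bh` can be NULL at this point. The commit message explains it (corrupted DAT metadata letting the same entry be reused between prepare and commit), and that reason belongs next to the check, for instance `/* buffer heads are missing when on-disk DAT metadata is corrupted */`. As a style point the condition reads more idiomatically as `if (unlikely(!req->pr_desc_bh || !req->pr_bitmap_bh)) {`. The start of the function is outside the hunk.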
@@ -0,0 +1,90 @@
+From 6989ea4881c8944fbf04378418bb1af63d875ef8 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Fri, 25 Nov 2022 00:29:26 +0200
+Subject: [PATCH] pinctrl: intel: Save and restore pins in "direct IRQ" mode
+Git-commit: 6989ea4881c8944fbf04378418bb1af63d875ef8
+Patch-mainline: v6.1-rc8
+References: git-fixes
+
+The firmware on some systems may configure GPIO pins to be
+an interrupt source in so called "direct IRQ" mode. In such
+cases the GPIO controller driver has no idea if those pins
+are being used or not. At the same time, there is a known bug
+in the firmwares that don't restore the pin settings correctly
+after suspend, i.e. by an unknown reason the Rx value becomes
+inverted.
+
+Hence, let's save and restore the pins that are configured
+as GPIOs in the input mode with GPIROUTIOXAPIC bit set.
+
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: Dale Smith
+Reported-and-tested-by: John Harris
+Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=214749
+Signed-off-by: Andy Shevchenko
+Acked-by: Mika Westerberg
+Link: https://lore.kernel.org/r/20221124222926.72326-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Linus Walleij
+Acked-by: Takashi Iwai
+
+---
+ drivers/pinctrl/intel/pinctrl-intel.c | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
+index 52ecd66ce357..047a8374b4fd 100644
+--- a/drivers/pinctrl/intel/pinctrl-intel.c
++++ b/drivers/pinctrl/intel/pinctrl-intel.c
+@@ -436,9 +436,14 @@ static void __intel_gpio_set_direction(void __iomem *padcfg0, bool input)
+ writel(value, padcfg0);
+ }
+
++static int __intel_gpio_get_gpio_mode(u32 value)
++{
++ return (value & PADCFG0_PMODE_MASK) >> PADCFG0_PMODE_SHIFT;
++}
++
+ static int intel_gpio_get_gpio_mode(void __iomem *padcfg0)
+ {
+- return (readl(padcfg0) & PADCFG0_PMODE_MASK) >> PADCFG0_PMODE_SHIFT;
++ return __intel_gpio_get_gpio_mode(readl(padcfg0));
+ }
+
+ static void intel_gpio_set_gpio_mode(void __iomem *padcfg0)
+@@ -1674,6 +1679,7 @@ EXPORT_SYMBOL_GPL(intel_pinctrl_get_soc_data);
+ static bool intel_pinctrl_should_save(struct intel_pinctrl *pctrl, unsigned int pin)
+ {
+ const struct pin_desc *pd = pin_desc_get(pctrl->pctldev, pin);
++ u32 value;
+
+ if (!pd || !intel_pad_usable(pctrl, pin))
+ return false;
+@@ -1688,6 +1694,25 @@ static bool intel_pinctrl_should_save(struct intel_pinctrl *pctrl, unsigned int
+ gpiochip_line_is_irq(&pctrl->chip, intel_pin_to_gpio(pctrl, pin)))
+ return true;
+
++ /*
++ * The firmware on some systems may configure GPIO pins to be
++ * an interrupt source in so called "direct IRQ" mode. In such
++ * cases the GPIO controller driver has no idea if those pins
++ * are being used or not. At the same time, there is a known bug
++ * in the firmwares that don't restore the pin settings correctly
++ * after suspend, i.e. by an unknown reason the Rx value becomes
++ * inverted.
++ *
++ * Hence, let's save and restore the pins that are configured
++ * as GPIOs in the input mode with GPIROUTIOXAPIC bit set.
++ *
++ * See https://bugzilla.kernel.org/show_bug.cgi?id=214749.
++ */
++ value = readl(intel_get_padcfg(pctrl, pin, PADCFG0));
++ if ((value & PADCFG0_GPIROUTIOXAPIC) && (value & PADCFG0_GPIOTXDIS) &&
++ (__intel_gpio_get_gpio_mode(value) == PADCFG0_PMODE_GPIO))
++ return true;
++
+ return false;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch b/patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch
new file mode 100644
index 0000000..948a3f1
--- /dev/null
+++ b/patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch
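Review bot: In intel_pinctrl_should_save() the pointer returned by `intel_get_padcfg(pctrl, pin, PADCFG0)` goes straight into `readl()` with no NULL test. The `!pd || !intel_pad_usable(pctrl, pin)` guard at the top of the function presumably guarantees that the pad has a mapped PADCFG0, but neither helper is visible in these hunks, so this is worth confirming and stating in the new comment block, e.g. `* intel_pad_usable() above guarantees a valid PADCFG0 mapping.` The added comment otherwise repeats the commit message word for word; what a maintainer needs in the code is the last paragraph and the bugzilla link.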
@@ -0,0 +1,45 @@
+From e6cfaf34be9fcd1a8285a294e18986bfc41a409c Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 5 Dec 2022 11:33:40 -0800
+Subject: [PATCH] proc: avoid integer type confusion in get_proc_long
+Git-commit: e6cfaf34be9fcd1a8285a294e18986bfc41a409c
+Patch-mainline: v6.1
+References: CVE-2022-4378 bsc#1206207
+
+proc_get_long() is passed a size_t, but then assigns it to an 'int'
+variable for the length. Let's not do that, even if our IO paths are
+limited to MAX_RW_COUNT (exactly because of these kinds of type errors).
+
+So do the proper test in the rigth type.
+
+Reported-by: Kyle Zeng
+Signed-off-by: Linus Torvalds
+Acked-by: Takashi Iwai
+
+---
+ kernel/sysctl.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 188c305aeb8b..8898ddeaaf75 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -342,13 +342,12 @@ static int proc_get_long(char **buf, size_t *size,
+ unsigned long *val, bool *neg,
+ const char *perm_tr, unsigned perm_tr_len, char *tr)
+ {
+- int len;
+ char *p, tmp[TMPBUFLEN];
++ ssize_t len = *size;
+
+- if (!*size)
++ if (len <= 0)
+ return -EINVAL;
+
+- len = *size;
+ if (len > TMPBUFLEN - 1)
+ len = TMPBUFLEN - 1;
+
+--
+2.35.3
+
diff --git a/patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch b/patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch
new file mode 100644
index 0000000..028cd7d
--- /dev/null
+++ b/patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch
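Review bot: With `ssize_t len = *size;` a `*size` above SSIZE_MAX converts to a negative `len` and takes the `if (len <= 0) return -EINVAL;` path, while smaller oversized values are clamped to `TMPBUFLEN - 1` on the following lines; the one check now covers both empty input and out-of-range input, and nothing says so. A comment would make that intentional: `/* also rejects sizes that do not fit in ssize_t */`. Keeping the length in `size_t` and testing `!*size` before the clamp would avoid the signed conversion altogether, but the rest of proc_get_long() is outside the hunk, so whether later uses of `len` need a signed type cannot be judged from here.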
@@ -0,0 +1,111 @@
+From bce9332220bd677d83b19d21502776ad555a0e73 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 5 Dec 2022 12:09:06 -0800
+Subject: [PATCH] proc: proc_skip_spaces() shouldn't think it is working on C strings
+Git-commit: bce9332220bd677d83b19d21502776ad555a0e73
+Patch-mainline: v6.1
+References: CVE-2022-4378 bsc#1206207
+
+proc_skip_spaces() seems to think it is working on C strings, and ends
+up being just a wrapper around skip_spaces() with a really odd calling
+convention.
+
+Instead of basing it on skip_spaces(), it should have looked more like
+proc_skip_char(), which really is the exact same function (except it
+skips a particular character, rather than whitespace). So use that as
+inspiration, odd coding and all.
+
+Now the calling convention actually makes sense and works for the
+intended purpose.
+
+Reported-and-tested-by: Kyle Zeng
+Acked-by: Eric Dumazet
+Signed-off-by: Linus Torvalds
+Acked-by: Takashi Iwai
+
+---
+ kernel/sysctl.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 8898ddeaaf75..c6d9dec11b74 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -267,13 +267,14 @@ int proc_dostring(struct ctl_table *table, int write,
+ ppos);
+ }
+
+-static size_t proc_skip_spaces(char **buf)
++static void proc_skip_spaces(char **buf, size_t *size)
+ {
+- size_t ret;
+- char *tmp = skip_spaces(*buf);
+- ret = tmp - *buf;
+- *buf = tmp;
+- return ret;
++ while (*size) {
++ if (!isspace(**buf))
++ break;
++ (*size)--;
++ (*buf)++;
++ }
+ }
+
+ static void proc_skip_char(char **buf, size_t *size, const char v)
+@@ -520,7 +521,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
+ bool neg;
+
+ if (write) {
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+
+ if (!left)
+ break;
+@@ -547,7 +548,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
+ if (!write && !first && left
&& !err)
+ proc_put_char(&buffer, &left, '\n');
+ if (write && !err && left)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (write && first)
+ return err ? : -EINVAL;
+ *lenp -= left;
+@@ -589,7 +590,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data,
+ if (left > PAGE_SIZE - 1)
+ left = PAGE_SIZE - 1;
+
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (!left) {
+ err = -EINVAL;
+ goto out_free;
+@@ -609,7 +610,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data,
+ }
+
+ if (!err && left)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+
+ out_free:
+ if (err)
+@@ -1074,7 +1075,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table,
+ if (write) {
+ bool neg;
+
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (!left)
+ break;
+
+@@ -1103,7 +1104,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table,
+ if (!write && !first && left && !err)
+ proc_put_char(&buffer, &left, '\n');
+ if (write && !err)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (write && first)
+ return err ? : -EINVAL;
+ *lenp -= left;
+--
+2.35.3
+
diff --git a/patches.suse/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch b/patches.suse/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch
new file mode 100644
index 0000000..6c0fcba
--- /dev/null
+++ b/patches.suse/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch
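Review bot: The rewritten proc_skip_spaces() carries no comment saying that `*buf` is a length-bounded buffer rather than a NUL-terminated string, which is exactly the assumption the old version got wrong. Something like `/* skip leading whitespace in a buffer of *size bytes (not NUL-terminated); advances *buf and decrements *size */` above the function would keep a later cleanup from reintroducing a string helper here. The call sites are also inconsistent: __do_proc_dointvec() and do_proc_douintvec_w() guard the trailing call with `left`, while __do_proc_doulongvec_minmax() calls it under `write && !err` only. That is harmless now that the helper tests `*size` itself, so the `left` guards could be dropped for uniformity.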
@@ -0,0 +1,40 @@
+From 85a0506c073332a3057f5a9635fa0d4db5a8e03b Mon Sep 17 00:00:00 2001
+From: Zhengchao Shao
+Date: Thu, 1 Dec 2022 16:22:46 +0800
+Subject: [PATCH] selftests: rtnetlink: correct xfrm policy rule in kci_test_ipsec_offload
+Git-commit: 85a0506c073332a3057f5a9635fa0d4db5a8e03b
+Patch-mainline: v6.1
+References: git-fixes
+
+When testing in kci_test_ipsec_offload, srcip is configured as $dstip,
+it should add xfrm policy rule in instead of out.
+The test result of this patch is as follows:
+Pass: ipsec_offload
+
+Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test")
+Signed-off-by: Zhengchao Shao
+Acked-by: Hangbin Liu
+Link: https://lore.kernel.org/r/20221201082246.14131-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski
+Acked-by: Takashi Iwai
+
+---
+ tools/testing/selftests/net/rtnetlink.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index 0900c5438fbb..275491be3da2 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -782,7 +782,7 @@ kci_test_ipsec_offload()
+ tmpl proto esp src $srcip dst $dstip spi 9 \
+ mode transport reqid 42
+ check_err $?
+- ip x p add dir out src $dstip/24 dst $srcip/24 \
++ ip x p add dir in src $dstip/24 dst $srcip/24 \
+ tmpl proto esp src $dstip dst $srcip spi 9 \
+ mode transport reqid 42
+ check_err $?
+--
+2.35.3
+
diff --git a/patches.suse/vmxnet3-correctly-report-encapsulated-LRO-packet.patch b/patches.suse/vmxnet3-correctly-report-encapsulated-LRO-packet.patch
new file mode 100644
index 0000000..5bebfdd
--- /dev/null
+++ b/patches.suse/vmxnet3-correctly-report-encapsulated-LRO-packet.patch
@@ -0,0 +1,86 @@
+From 40b8c2a1af03ba3e8da55a4490d646bfa845e71a Mon Sep 17 00:00:00 2001
+From: Ronak Doshi
+Date: Wed, 30 Nov 2022 00:21:46 -0800
+Subject: [PATCH] vmxnet3: correctly report encapsulated LRO packet
+Git-commit: 40b8c2a1af03ba3e8da55a4490d646bfa845e71a
+Patch-mainline: v6.1
+References: git-fixes
+
+Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload
+support") added support for encapsulation offload. However, the
+pathc did not report correctly the encapsulated packet which is
+LRO'ed by the hypervisor.
+
+This patch fixes this issue by using correct callback for the LRO'ed
+encapsulated packet.
+
+Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
+Signed-off-by: Ronak Doshi
+Acked-by: Guolin Yang
+Signed-off-by: David S. Miller
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index d3e7b27eb933..3111a8a6b26a 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -1396,6 +1396,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ };
+ u32 num_pkts = 0;
+ bool skip_page_frags = false;
++ bool encap_lro = false;
+ struct Vmxnet3_RxCompDesc *rcd;
+ struct vmxnet3_rx_ctx *ctx = &rq->rx_ctx;
+ u16 segCnt = 0, mss = 0;
+@@ -1556,13 +1557,18 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ if (VMXNET3_VERSION_GE_2(adapter) &&
+ rcd->type == VMXNET3_CDTYPE_RXCOMP_LRO) {
+ struct Vmxnet3_RxCompDescExt *rcdlro;
++ union Vmxnet3_GenericDesc *gdesc;
++
+ rcdlro = (struct Vmxnet3_RxCompDescExt *)rcd;
++ gdesc = (union Vmxnet3_GenericDesc *)rcd;
+
+ segCnt = rcdlro->segCnt;
+ WARN_ON_ONCE(segCnt == 0);
+ mss = rcdlro->mss;
+ if (unlikely(segCnt <= 1))
+ segCnt = 0;
++ encap_lro = (le32_to_cpu(gdesc->dword[0]) &
++ (1UL << VMXNET3_RCD_HDR_INNER_SHIFT));
+ } else {
+ segCnt = 0;
+ }
+@@ -1630,7 +1636,7
@@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq, + vmxnet3_rx_csum(adapter, skb, + (union Vmxnet3_GenericDesc *)rcd); + skb->protocol = eth_type_trans(skb, adapter->netdev); +- if (!rcd->tcp || ++ if ((!rcd->tcp && !encap_lro) || + !(adapter->netdev->features & NETIF_F_LRO)) + goto not_lro; + +@@ -1639,7 +1645,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq, + SKB_GSO_TCPV4 : SKB_GSO_TCPV6; + skb_shinfo(skb)->gso_size = mss; + skb_shinfo(skb)->gso_segs = segCnt; +- } else if (segCnt != 0 || skb->len > mtu) { ++ } else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) { + u32 hlen; + + hlen = vmxnet3_get_hdr_len(adapter, skb, +@@ -1668,6 +1674,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq, + napi_gro_receive(&rq->napi, skb); + + ctx->skb = NULL; ++ encap_lro = false; + num_pkts++; + } + +-- +2.35.3 + diff --git a/patches.suse/vmxnet3-use-correct-intrConf-reference-when-using-ex.patch b/patches.suse/vmxnet3-use-correct-intrConf-reference-when-using-ex.patch new file mode 100644 index 0000000..35efc7c --- /dev/null +++ b/patches.suse/vmxnet3-use-correct-intrConf-reference-when-using-ex.patch 
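Review bot: In the vmxnet3_drv.c change carried by vmxnet3-correctly-report-encapsulated-LRO-packet.patch, the `} else { segCnt = 0; }` branch of the second inner hunk clears `segCnt` for a non-LRO descriptor but leaves `encap_lro` untouched, so the flag is cleared only by the `encap_lro = false;` added next to `ctx->skb = NULL;`. `encap_lro` is read from a bit of the completion descriptor, which the device side fills in, and it then decides whether the `!rcd->tcp` test and the `vmxnet3_get_hdr_len()` fallback are bypassed. If any path abandons a packet before reaching that reset (the rest of `vmxnet3_rq_rx_complete()` lies outside these hunks, so this is not confirmed), the stale value would be applied to the next packet. Adding `encap_lro = false;` beside `segCnt = 0;` in the else branch would tie the flag to the descriptor it was read from.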
@@ -0,0 +1,63 @@
+From 409e8ec8c5825591895937b8499b54aa2476fae7 Mon Sep 17 00:00:00 2001
+From: Ronak Doshi
+Date: Wed, 30 Nov 2022 00:21:47 -0800
+Subject: [PATCH] vmxnet3: use correct intrConf reference when using extended queues
+Git-commit: 409e8ec8c5825591895937b8499b54aa2476fae7
+Patch-mainline: v6.1
+References: git-fixes
+
+Commit 39f9895a00f4 ("vmxnet3: add support for 32 Tx/Rx queues")
+added support for 32Tx/Rx queues. As a part of this patch, intrConf
+structure was extended to incorporate increased queues.
+
+This patch fixes the issue where incorrect reference is being used.
+
+Fixes: 39f9895a00f4 ("vmxnet3: add support for 32 Tx/Rx queues")
+Signed-off-by: Ronak Doshi
+Acked-by: Guolin Yang
+Signed-off-by: David S. Miller
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index 3111a8a6b26a..6f1e560fb15c 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -75,8 +75,14 @@ vmxnet3_enable_all_intrs(struct vmxnet3_adapter *adapter)
+
+ for (i = 0; i < adapter->intr.num_intrs; i++)
+ vmxnet3_enable_intr(adapter, i);
+- adapter->shared->devRead.intrConf.intrCtrl &=
++ if (!VMXNET3_VERSION_GE_6(adapter) ||
++ !adapter->queuesExtEnabled) {
++ adapter->shared->devRead.intrConf.intrCtrl &=
+ cpu_to_le32(~VMXNET3_IC_DISABLE_ALL);
++ } else {
++ adapter->shared->devReadExt.intrConfExt.intrCtrl &=
++ cpu_to_le32(~VMXNET3_IC_DISABLE_ALL);
++ }
+ }
+
+
+@@ -85,8 +91,14 @@ vmxnet3_disable_all_intrs(struct vmxnet3_adapter *adapter)
+ {
+ int i;
+
+- adapter->shared->devRead.intrConf.intrCtrl |=
++ if (!VMXNET3_VERSION_GE_6(adapter) ||
++ !adapter->queuesExtEnabled) {
++ adapter->shared->devRead.intrConf.intrCtrl |=
+ cpu_to_le32(VMXNET3_IC_DISABLE_ALL);
++ } else {
++ adapter->shared->devReadExt.intrConfExt.intrCtrl |=
++ cpu_to_le32(VMXNET3_IC_DISABLE_ALL);
++ }
+ for (i = 0; i < adapter->intr.num_intrs; i++)
+ vmxnet3_disable_intr(adapter, i);
+ }
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 35e07d1..02da8a2 100644
--- a/series.conf
+++ b/series.conf
@@ -12733,7 +12733,6 @@
 patches.suse/0005-stm-ltdc-fix-two-incorrect-NULL-checks-on-list-itera.patch
 patches.suse/drm-sti-don-t-use-kernel-doc-markers.patch
 patches.suse/fbcon-Consistently-protect-deferred_takeover-with-co.patch
- patches.suse/drm-vc4-hvs-Reset-muxes-at-probe-time.patch
 patches.suse/drm-vc4-txp-Don-t-set-TXP_VSTART_AT_EOF.patch
 patches.suse/drm-vc4-txp-Force-alpha-to-be-0xff-if-it-s-disabled.patch
 patches.suse/drm-komeda-Fix-an-undefined-behavior-bug-in-komeda_p.patch
@@ -15831,6 +15830,7 @@
 patches.suse/smb3-rename-encryption-decryption-TFMs.patch
 patches.suse/cifs-secmech-use-shash_desc-directly-remove-sdesc.patch
 patches.suse/smb3-fix-oops-in-calculating-shash_setkey.patch
+ patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch
 patches.suse/Input-xpad-add-supported-devices-as-contributed-on-g.patch
 patches.suse/Input-xpad-fix-wireless-360-controller-breaking-afte.patch
 patches.suse/Input-synaptics-rmi4-fix-firmware-update-operations-.patch
@@ -16064,7 +16064,7 @@
 patches.suse/iio-adxl372-Fix-unsafe-buffer-attributes.patch
 patches.suse/iio-bmc150-accel-core-Fix-unsafe-buffer-attributes.patch
 patches.suse/fbdev-da8xx-fb-Fix-error-handling-in-.remove.patch
- patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch
+ patches.suse/fbdev-smscufx-Fix-several-use-after-free-bugs.patch
 patches.suse/fbdev-cyber2000fb-fix-missing-pci_disable_device.patch
 patches.suse/capabilities-fix-potential-memleak-on-error-path-fro.patch
 patches.suse/btrfs-send-fix-send-failure-of-a-subcase-of-orphan-i.patch
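Review bot: In vmxnet3-use-correct-intrConf-reference-when-using-ex.patch, the test `!VMXNET3_VERSION_GE_6(adapter) || !adapter->queuesExtEnabled` and the choice between `devRead.intrConf.intrCtrl` and `devReadExt.intrConfExt.intrCtrl` are written out twice, once in `vmxnet3_enable_all_intrs()` and once in `vmxnet3_disable_all_intrs()`. The bug being fixed was a write to the wrong one of these two shared-memory structures, so a single helper returning the address of the active `intrCtrl` word would keep the two functions from diverging again. It would also give any other `intrConf` user (none is visible in these hunks) one place to call. The sketch assumes the field is `__le32`, inferred from the `cpu_to_le32()` operands, and the helper name is only a suggestion.

```c
/* Returns the intrCtrl word in use: the extended config when extended
 * queues are enabled on a v6+ device, otherwise the legacy one. */
static __le32 *
vmxnet3_intr_ctrl(struct vmxnet3_adapter *adapter)
{
	if (VMXNET3_VERSION_GE_6(adapter) && adapter->queuesExtEnabled)
		return &adapter->shared->devReadExt.intrConfExt.intrCtrl;
	return &adapter->shared->devRead.intrConf.intrCtrl;
}

/* … unchanged: vmxnet3_enable_all_intrs() per-vector enable loop … */
	*vmxnet3_intr_ctrl(adapter) &= cpu_to_le32(~VMXNET3_IC_DISABLE_ALL);

/* … in vmxnet3_disable_all_intrs(), before the per-vector disable loop … */
	*vmxnet3_intr_ctrl(adapter) |= cpu_to_le32(VMXNET3_IC_DISABLE_ALL);
```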
@@ -16381,6 +16381,7 @@
 patches.suse/usb-dwc3-exynos-Fix-remove-function.patch
 patches.suse/usb-dwc3-gadget-Clear-ep-descriptor-last.patch
 patches.suse/usb-cdnsp-fix-issue-with-ZLP-added-TD_SIZE-1.patch
+ patches.suse/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch
 patches.suse/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch
 patches.suse/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch
 patches.suse/can-etas_es58x-es58x_init_netdev-free-netdev-when-re.patch
@@ -16410,6 +16411,7 @@
 patches.suse/hwmon-ibmpex-Fix-possible-UAF-when-ibmpex_register_b.patch
 patches.suse/hwmon-coretemp-Check-for-null-before-removing-sysfs-.patch
 patches.suse/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch
+ patches.suse/nilfs2-fix-NULL-pointer-dereference-in-nilfs_palloc_.patch
 patches.suse/ALSA-dice-fix-regression-for-Lexicon-I-ONIX-FW810S.patch
 patches.suse/ASoC-ops-Fix-bounds-check-for-_sx-controls.patch
 patches.suse/x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch
@@ -16418,12 +16420,33 @@
 patches.suse/mmc-mmc_test-Fix-removal-of-debugfs-file.patch
 patches.suse/mmc-sdhci-sprd-Fix-no-reset-data-and-command-after-v.patch
 patches.suse/pinctrl-single-Fix-potential-division-by-zero.patch
+ patches.suse/pinctrl-intel-Save-and-restore-pins-in-direct-IRQ-mo.patch
+ patches.suse/ACPI-HMAT-remove-unnecessary-variable-initialization.patch
+ patches.suse/ACPI-HMAT-Fix-initiator-registration-for-single-init.patch
 patches.suse/i2c-npcm7xx-Fix-error-handling-in-npcm_i2c_init.patch
 patches.suse/i2c-imx-Only-DMA-messages-with-I2C_M_DMA_SAFE-flag-s.patch
 patches.suse/Input-raydium_ts_i2c-fix-memory-leak-in-raydium_i2c_.patch
 patches.suse/char-tpm-Protect-tpm_pm_suspend-with-locks.patch
+ patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch
+ patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch
 patches.suse/xen-netback-Ensure-protocol-headers-don-t-fall-in-th.patch
 patches.suse/xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch
+ patches.suse/gpio-amd8111-Fix-PCI-device-reference-count-leak.patch
+ patches.suse/HID-hid-lg4ff-Add-check-for-empty-lbuf.patch
+ patches.suse/HID-core-fix-shift-out-of-bounds-in-hid_report_raw_e.patch
+ patches.suse/e1000e-Fix-TX-dispatch-condition.patch
+ patches.suse/vmxnet3-correctly-report-encapsulated-LRO-packet.patch
+ patches.suse/vmxnet3-use-correct-intrConf-reference-when-using-ex.patch
+ patches.suse/Bluetooth-6LoWPAN-add-missing-hci_dev_put-in-get_l2c.patch
+ patches.suse/Bluetooth-Fix-not-cleanup-led-when-bt_init-fails.patch
+ patches.suse/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch
+ patches.suse/NFC-nci-Bounds-check-struct-nfc_target-arrays.patch
+ patches.suse/net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch
+ patches.suse/ieee802154-cc2520-Fix-error-return-code-in-cc2520_hw.patch
+ patches.suse/ca8210-Fix-crash-by-zero-initializing-data.patch
+ patches.suse/mac802154-fix-missing-INIT_LIST_HEAD-in-ieee802154_i.patch
+ patches.suse/net-thunderbolt-fix-memory-leak-in-tbnet_open.patch
+ patches.suse/macsec-add-missing-attribute-validation-for-offload.patch
 
 # jejb/scsi for-next
 patches.suse/scsi-lpfc-Set-sli4_param-s-cmf-option-to-zero-when-C.patch