From 9f726f3d948ebb5f2e3e4702067ea2d510b2621d Mon Sep 17 00:00:00 2001 From: Frederic Weisbecker Date: Nov 03 2022 10:51:11 +0000 Subject: Merge 'SLE12-SP5' (f9e77058c25) into 'SLE12-SP5-RT' - No -rt specific changes this merge. --- diff --git a/blacklist.conf b/blacklist.conf index 8cd28cf..0a535ce 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -2269,3 +2269,5 @@ c57094a6e1ed5dd2d6401f79b8e6da34dd28f959 # Doesn't apply, not needed. Fixes a m 81fb55e500a82a070da20f02b2e252d6a09a34c3 # rejected for complexity: drm/vc4: hdmi: Add a spinlock to protect register access 82cb88af12d29eaa5350d9ba83f9c376f65b7fec # rejected for complexity: drm/vc4: hdmi: Use a mutex to prevent concurrent framework access 633be8c3c0c5e0cf176ce904083a4728ae8e4025 # rejected for complexity: drm/vc4: hdmi: Prevent access to crtc->state outside of KMS +b06ca3d5a43ca2dd806f7688a17e8e7e0619a80a # doesn't apply +8ffe20d08f2c95d702c453020d03a4c568a988f0 # duplicate of b4a64ed6e7b857317070fcb9d87ff5d4a73be3e8 diff --git a/patches.kabi/fix-kABI-after-KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged b/patches.kabi/fix-kABI-after-KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged new file mode 100644 index 0000000..43643b4 --- /dev/null +++ b/patches.kabi/fix-kABI-after-KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged @@ -0,0 +1,47 @@ +From: Dario Faggioli +Date: Thu Oct 13 18:19:43 2022 +Subject: kABI: fix kABI after "KVM: Add infrastructure and macro to mark VM as bugged" +Patch-mainline: never, SUSE kABI +References: bsc#1200788 CVE-2022-2153 + +Patch "KVM: Add infrastructure and macro to mark VM as bugged" +breaks kABI. The kvm struct has several holes, e.g.: + + /* --- cacheline 37 boundary (2368 bytes) --- */ + atomic_t online_vcpus; /* 2368 4 */ + int created_vcpus; /* 2372 4 */ + int last_boosted_vcpu; /* 2376 4 */ + + /* XXX 4 bytes hole, try to pack */ + + struct list_head vm_list; /* 2384 16 */ + struct mutex lock; /* 2400 32 */ + /* --- cacheline 38 boundary (2432 bytes) --- */ + +Move the new member there as a workaround. + +Signed-off-by: Dario Faggioli +--- + include/linux/kvm_host.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -405,6 +405,9 @@ + atomic_t online_vcpus; + int created_vcpus; + int last_boosted_vcpu; ++#ifndef __GENKSYMS__ ++ bool vm_bugged; ++#endif + struct list_head vm_list; + struct mutex lock; + struct kvm_io_bus __rcu *buses[KVM_NR_BUSES]; +@@ -449,7 +452,6 @@ + struct srcu_struct srcu; + struct srcu_struct irq_srcu; + pid_t userspace_pid; +- bool vm_bugged; + }; + + #define kvm_err(fmt, ...) \ diff --git a/patches.kabi/kABI-Fix-after-adding-trace_iterator.wait_index.patch b/patches.kabi/kABI-Fix-after-adding-trace_iterator.wait_index.patch new file mode 100644 index 0000000..cc51b3e --- /dev/null +++ b/patches.kabi/kABI-Fix-after-adding-trace_iterator.wait_index.patch @@ -0,0 +1,36 @@ +From: Petr Pavlu +Date: Sun, 30 Oct 2022 14:09:24 +0100 +Subject: kABI: Fix after adding trace_iterator.wait_index +Patch-mainline: Never, kABI fix +References: git-fixes + +Change type of the new field trace_iterator.wait_index from long to int +so it fits in a 4-byte hole after cpu_file. The smaller size is +sufficient. + +Signed-off-by: Petr Pavlu +--- + include/linux/trace_events.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h +index 05a6a0f..ad78336 100644 +--- a/include/linux/trace_events.h ++++ b/include/linux/trace_events.h +@@ -77,10 +77,12 @@ struct trace_iterator { + struct trace_buffer *trace_buffer; + void *private; + int cpu_file; ++#ifndef __GENKSYMS__ ++ int wait_index; ++#endif + struct mutex mutex; + struct ring_buffer_iter **buffer_iter; + unsigned long iter_flags; +- long wait_index; + + /* trace_seq for __print_flags() and __print_symbolic() etc. */ + struct trace_seq tmp_seq; +-- +2.35.3 + diff --git a/patches.suse/Input-gscps2-check-return-value-of-ioremap-in-gscps2.patch b/patches.suse/Input-gscps2-check-return-value-of-ioremap-in-gscps2.patch new file mode 100644 index 0000000..fe742e0 --- /dev/null +++ b/patches.suse/Input-gscps2-check-return-value-of-ioremap-in-gscps2.patch @@ -0,0 +1,35 @@ +From e61b3125a4f036b3c6b87ffd656fc1ab00440ae9 Mon Sep 17 00:00:00 2001 +From: Xie Shaowen +Date: Tue, 2 Aug 2022 15:20:33 +0800 +Subject: [PATCH] Input: gscps2 - check return value of ioremap() in + gscps2_probe() +Git-commit: e61b3125a4f036b3c6b87ffd656fc1ab00440ae9 +References: git-fixes +Patch-mainline: v6.0-rc1 + +The function ioremap() in gscps2_probe() can fail, so +its return value should be checked. + +Fixes: 4bdc0d676a643 ("remove ioremap_nocache and devm_ioremap_nocache") +Cc: # v5.6+ +Reported-by: Hacash Robot +Signed-off-by: Xie Shaowen +Signed-off-by: Helge Deller +Signed-off-by: Oliver Neukum +--- + drivers/input/serio/gscps2.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/input/serio/gscps2.c ++++ b/drivers/input/serio/gscps2.c +@@ -351,6 +351,10 @@ static int gscps2_probe(struct parisc_de + ps2port->port = serio; + ps2port->padev = dev; + ps2port->addr = ioremap_nocache(hpa, GSC_STATUS + 4); ++ if (!ps2port->addr) { ++ ret = -ENOMEM; ++ goto fail_nomem; ++ } + spin_lock_init(&ps2port->lock); + + gscps2_reset(ps2port); diff --git a/patches.suse/Input-xpad-add-supported-devices-as-contributed-on-g.patch b/patches.suse/Input-xpad-add-supported-devices-as-contributed-on-g.patch new file mode 100644 index 0000000..e8dc31c --- /dev/null +++ b/patches.suse/Input-xpad-add-supported-devices-as-contributed-on-g.patch @@ -0,0 +1,103 @@ +From b382c5e37344883dc97525d05f1f6b788f549985 Mon Sep 17 00:00:00 2001 +From: Pavel Rojtberg +Date: Thu, 18 Aug 2022 17:44:08 +0200 +Subject: [PATCH] Input: xpad - add supported devices as contributed on github +Git-commit: b382c5e37344883dc97525d05f1f6b788f549985 +References: git-fixes +Patch-mainline: v6.1-rc1 + +This is based on multiple commits at https://github.com/paroj/xpad + +Cc: stable@vger.kernel.org +Signed-off-by: Jasper Poppe +Signed-off-by: Jeremy Palmer +Signed-off-by: Ruineka +Signed-off-by: Cleber de Mattos Casali +Signed-off-by: Kyle Gospodnetich +Signed-off-by: Pavel Rojtberg +Link: https://lore.kernel.org/r/20220818154411.510308-2-rojtberg@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Oliver Neukum +--- + drivers/input/joystick/xpad.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -129,6 +129,8 @@ static const struct xpad_device { + u8 xtype; + } xpad_device[] = { + { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 }, ++ { 0x03eb, 0xff01, "Wooting One (Legacy)", 0, XTYPE_XBOX360 }, ++ { 0x03eb, 0xff02, "Wooting Two (Legacy)", 0, XTYPE_XBOX360 }, + { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX }, + { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX }, + { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX }, +@@ -259,6 +261,7 @@ static const struct xpad_device { + { 0x0f0d, 0x0063, "Hori Real Arcade Pro Hayabusa (USA) Xbox One", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, + { 0x0f0d, 0x0067, "HORIPAD ONE", 0, XTYPE_XBOXONE }, + { 0x0f0d, 0x0078, "Hori Real Arcade Pro V Kai Xbox One", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, ++ { 0x0f0d, 0x00c5, "Hori Fighting Commander ONE", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, + { 0x0f30, 0x010b, "Philips Recoil", 0, XTYPE_XBOX }, + { 0x0f30, 0x0202, "Joytech Advanced Controller", 0, XTYPE_XBOX }, + { 0x0f30, 0x8888, "BigBen XBMiniPad Controller", 0, XTYPE_XBOX }, +@@ -275,6 +278,7 @@ static const struct xpad_device { + { 0x1430, 0x8888, "TX6500+ Dance Pad (first generation)", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX }, + { 0x1430, 0xf801, "RedOctane Controller", 0, XTYPE_XBOX360 }, + { 0x146b, 0x0601, "BigBen Interactive XBOX 360 Controller", 0, XTYPE_XBOX360 }, ++ { 0x146b, 0x0604, "Bigben Interactive DAIJA Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x1532, 0x0037, "Razer Sabertooth", 0, XTYPE_XBOX360 }, + { 0x1532, 0x0a00, "Razer Atrox Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, + { 0x1532, 0x0a03, "Razer Wildcat", 0, XTYPE_XBOXONE }, +@@ -339,6 +343,7 @@ static const struct xpad_device { + { 0x24c6, 0x5502, "Hori Fighting Stick VX Alt", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x24c6, 0x5503, "Hori Fighting Edge", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x24c6, 0x5506, "Hori SOULCALIBUR V Stick", 0, XTYPE_XBOX360 }, ++ { 0x24c6, 0x5510, "Hori Fighting Commander ONE (Xbox 360/PC Mode)", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x24c6, 0x550d, "Hori GEM Xbox controller", 0, XTYPE_XBOX360 }, + { 0x24c6, 0x550e, "Hori Real Arcade Pro V Kai 360", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x24c6, 0x551a, "PowerA FUSION Pro Controller", 0, XTYPE_XBOXONE }, +@@ -348,6 +353,14 @@ static const struct xpad_device { + { 0x24c6, 0x5b03, "Thrustmaster Ferrari 458 Racing Wheel", 0, XTYPE_XBOX360 }, + { 0x24c6, 0x5d04, "Razer Sabertooth", 0, XTYPE_XBOX360 }, + { 0x24c6, 0xfafe, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 }, ++ { 0x2563, 0x058d, "OneXPlayer Gamepad", 0, XTYPE_XBOX360 }, ++ { 0x2dc8, 0x2000, "8BitDo Pro 2 Wired Controller fox Xbox", 0, XTYPE_XBOXONE }, ++ { 0x31e3, 0x1100, "Wooting One", 0, XTYPE_XBOX360 }, ++ { 0x31e3, 0x1200, "Wooting Two", 0, XTYPE_XBOX360 }, ++ { 0x31e3, 0x1210, "Wooting Lekker", 0, XTYPE_XBOX360 }, ++ { 0x31e3, 0x1220, "Wooting Two HE", 0, XTYPE_XBOX360 }, ++ { 0x31e3, 0x1300, "Wooting 60HE (AVR)", 0, XTYPE_XBOX360 }, ++ { 0x31e3, 0x1310, "Wooting 60HE (ARM)", 0, XTYPE_XBOX360 }, + { 0x3285, 0x0607, "Nacon GC-100", 0, XTYPE_XBOX360 }, + { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX }, + { 0xffff, 0xffff, "Chinese-made Xbox Controller", 0, XTYPE_XBOX }, +@@ -433,6 +446,7 @@ static const signed short xpad_abs_trigg + static struct usb_device_id xpad_table[] = { + { USB_INTERFACE_INFO('X', 'B', 0) }, /* X-Box USB-IF not approved class */ + XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 Controller */ ++ XPAD_XBOX360_VENDOR(0x03eb), /* Wooting Keyboards (Legacy) */ + XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster X-Box 360 controllers */ + XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */ + XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */ +@@ -443,6 +457,7 @@ static struct usb_device_id xpad_table[] + { USB_DEVICE(0x0738, 0x4540) }, /* Mad Catz Beat Pad */ + XPAD_XBOXONE_VENDOR(0x0738), /* Mad Catz FightStick TE 2 */ + XPAD_XBOX360_VENDOR(0x07ff), /* Mad Catz GamePad */ ++ XPAD_XBOX360_VENDOR(0x0c12), /* Zeroplus X-Box 360 controllers */ + XPAD_XBOX360_VENDOR(0x0e6f), /* 0x0e6f X-Box 360 controllers */ + XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f X-Box One controllers */ + XPAD_XBOX360_VENDOR(0x0f0d), /* Hori Controllers */ +@@ -463,8 +478,12 @@ static struct usb_device_id xpad_table[] + XPAD_XBOXONE_VENDOR(0x20d6), /* PowerA Controllers */ + XPAD_XBOX360_VENDOR(0x24c6), /* PowerA Controllers */ + XPAD_XBOXONE_VENDOR(0x24c6), /* PowerA Controllers */ ++ XPAD_XBOX360_VENDOR(0x2563), /* OneXPlayer Gamepad */ ++ XPAD_XBOX360_VENDOR(0x260d), /* Dareu H101 */ ++ XPAD_XBOXONE_VENDOR(0x2dc8), /* 8BitDo Pro 2 Wired Controller for Xbox */ + XPAD_XBOXONE_VENDOR(0x2e24), /* Hyperkin Duke X-Box One pad */ + XPAD_XBOX360_VENDOR(0x2f24), /* GameSir Controllers */ ++ XPAD_XBOX360_VENDOR(0x31e3), /* Wooting Keyboards */ + XPAD_XBOX360_VENDOR(0x3285), /* Nacon GC-100 */ + { } + }; diff --git a/patches.suse/KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged b/patches.suse/KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged new file mode 100644 index 0000000..8b263f5 --- /dev/null +++ b/patches.suse/KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged @@ -0,0 +1,123 @@ +From: Sean Christopherson +Date: Fri, 2 Jul 2021 15:04:23 -0700 +Subject: KVM: Add infrastructure and macro to mark VM as bugged +Git-commit: 0b8f11737cffc1a406d1134b58687abc29d76b52 +Patch-mainline: v5.15-rc1 +References: bsc#1200788 CVE-2022-2153 + +Signed-off-by: Sean Christopherson +Signed-off-by: Isaku Yamahata +Reviewed-by: Paolo Bonzini +Message-Id: <3a0998645c328bf0895f1290e61821b70f048549.1625186503.git.isaku.yamahata@intel.com> +Signed-off-by: Paolo Bonzini +Acked-by: Dario Faggioli +--- + include/linux/kvm_host.h | 28 +++++++++++++++++++++++++++- + virt/kvm/kvm_main.c | 10 +++++----- + 2 files changed, 32 insertions(+), 6 deletions(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -128,6 +128,7 @@ + #define KVM_REQ_MMU_RELOAD (1 | KVM_REQUEST_WAIT | KVM_REQUEST_NO_WAKEUP) + #define KVM_REQ_PENDING_TIMER 2 + #define KVM_REQ_UNHALT 3 ++#define KVM_REQ_VM_BUGGED (4 | KVM_REQUEST_WAIT | KVM_REQUEST_NO_WAKEUP) + #define KVM_REQUEST_ARCH_BASE 8 + + #define KVM_ARCH_REQ_FLAGS(nr, flags) ({ \ +@@ -448,6 +449,7 @@ + struct srcu_struct srcu; + struct srcu_struct irq_srcu; + pid_t userspace_pid; ++ bool vm_bugged; + }; + + #define kvm_err(fmt, ...) \ +@@ -476,6 +478,31 @@ + #define vcpu_err(vcpu, fmt, ...) \ + kvm_err("vcpu%i " fmt, (vcpu)->vcpu_id, ## __VA_ARGS__) + ++bool kvm_make_all_cpus_request(struct kvm *kvm, unsigned int req); ++static inline void kvm_vm_bugged(struct kvm *kvm) ++{ ++ kvm->vm_bugged = true; ++ kvm_make_all_cpus_request(kvm, KVM_REQ_VM_BUGGED); ++} ++ ++#define KVM_BUG(cond, kvm, fmt...) \ ++({ \ ++ int __ret = (cond); \ ++ \ ++ if (WARN_ONCE(__ret && !(kvm)->vm_bugged, fmt)) \ ++ kvm_vm_bugged(kvm); \ ++ unlikely(__ret); \ ++}) ++ ++#define KVM_BUG_ON(cond, kvm) \ ++({ \ ++ int __ret = (cond); \ ++ \ ++ if (WARN_ON_ONCE(__ret && !(kvm)->vm_bugged)) \ ++ kvm_vm_bugged(kvm); \ ++ unlikely(__ret); \ ++}) ++ + static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx) + { + return srcu_dereference_check(kvm->buses[idx], &kvm->srcu, +@@ -732,7 +732,6 @@ void kvm_reload_remote_mmus(struct kvm * + + bool kvm_make_vcpus_request_mask(struct kvm *kvm, unsigned int req, + unsigned long *vcpu_bitmap, cpumask_var_t tmp); +-bool kvm_make_all_cpus_request(struct kvm *kvm, unsigned int req); + + long kvm_arch_dev_ioctl(struct file *filp, + unsigned int ioctl, unsigned long arg); +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2673,7 +2673,7 @@ + struct kvm_fpu *fpu = NULL; + struct kvm_sregs *kvm_sregs = NULL; + +- if (vcpu->kvm->mm != current->mm) ++ if (vcpu->kvm->mm != current->mm || vcpu->kvm->vm_bugged) + return -EIO; + + if (unlikely(_IOC_TYPE(ioctl) != KVMIO)) +@@ -2877,7 +2877,7 @@ + void __user *argp = compat_ptr(arg); + int r; + +- if (vcpu->kvm->mm != current->mm) ++ if (vcpu->kvm->mm != current->mm || vcpu->kvm->vm_bugged) + return -EIO; + + switch (ioctl) { +@@ -2935,7 +2935,7 @@ + { + struct kvm_device *dev = filp->private_data; + +- if (dev->kvm->mm != current->mm) ++ if (dev->kvm->mm != current->mm || dev->kvm->vm_bugged) + return -EIO; + + switch (ioctl) { +@@ -3100,7 +3100,7 @@ + void __user *argp = (void __user *)arg; + int r; + +- if (kvm->mm != current->mm) ++ if (kvm->mm != current->mm || kvm->vm_bugged) + return -EIO; + switch (ioctl) { + case KVM_CREATE_VCPU: +@@ -3277,7 +3277,7 @@ + struct kvm *kvm = filp->private_data; + int r; + +- if (kvm->mm != current->mm) ++ if (kvm->mm != current->mm || kvm->vm_bugged) + return -EIO; + switch (ioctl) { + case KVM_GET_DIRTY_LOG: { diff --git a/patches.suse/KVM-x86-Avoid-theoretical-NULL-pointer-dereference-in-kvm_irq_de b/patches.suse/KVM-x86-Avoid-theoretical-NULL-pointer-dereference-in-kvm_irq_de new file mode 100644 index 0000000..2480820 --- /dev/null +++ b/patches.suse/KVM-x86-Avoid-theoretical-NULL-pointer-dereference-in-kvm_irq_de @@ -0,0 +1,37 @@ +From: Vitaly Kuznetsov +Date: Fri, 25 Mar 2022 14:21:39 +0100 +Subject: KVM: x86: Avoid theoretical NULL pointer dereference in + kvm_irq_delivery_to_apic_fast() +Git-commit: 00b5f37189d24ac3ed46cb7f11742094778c46ce +Patch-mainline: v5.18-rc1 +References: bsc#1200788 CVE-2022-2153 + +When kvm_irq_delivery_to_apic_fast() is called with APIC_DEST_SELF +shorthand, 'src' must not be NULL. Crash the VM with KVM_BUG_ON() +instead of crashing the host. + +Signed-off-by: Vitaly Kuznetsov +Message-Id: <20220325132140.25650-3-vkuznets@redhat.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Acked-by: Dario Faggioli +--- + arch/x86/kvm/lapic.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 80a2020c4db4..66b0eb0bda94 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1024,6 +1024,10 @@ bool kvm_irq_delivery_to_apic_fast(struct kvm *kvm, struct kvm_lapic *src, + *r = -1; + + if (irq->shorthand == APIC_DEST_SELF) { ++ if (KVM_BUG_ON(!src, kvm)) { ++ *r = 0; ++ return true; ++ } + *r = kvm_apic_set_irq(src->vcpu, irq, dest_map); + return true; + } + diff --git a/patches.suse/KVM-x86-Check-lapic_in_kernel-before-attempting-to-set-a-SynIC-i b/patches.suse/KVM-x86-Check-lapic_in_kernel-before-attempting-to-set-a-SynIC-i new file mode 100644 index 0000000..2f055f0 --- /dev/null +++ b/patches.suse/KVM-x86-Check-lapic_in_kernel-before-attempting-to-set-a-SynIC-i @@ -0,0 +1,41 @@ +From: Vitaly Kuznetsov +Date: Fri, 25 Mar 2022 14:21:38 +0100 +Subject: KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC + irq +Git-commit: 7ec37d1cbe17d8189d9562178d8b29167fe1c31a +Patch-mainline: v5.18-rc1 +References: bsc#1200788 CVE-2022-2153 + +When KVM_CAP_HYPERV_SYNIC{,2} is activated, KVM already checks for +irqchip_in_kernel() so normally SynIC irqs should never be set. It is, +however, possible for a misbehaving VMM to write to SYNIC/STIMER MSRs +causing erroneous behavior. + +The immediate issue being fixed is that kvm_irq_delivery_to_apic() +(kvm_irq_delivery_to_apic_fast()) crashes when called with +'irq.shorthand = APIC_DEST_SELF' and 'src == NULL'. + +Signed-off-by: Vitaly Kuznetsov +Message-Id: <20220325132140.25650-2-vkuznets@redhat.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Acked-by: Dario Faggioli +--- + arch/x86/kvm/hyperv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c +index a32f54ab84a2..f715b5a2b0e4 100644 +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -449,6 +449,9 @@ static int synic_set_irq(struct kvm_vcpu_hv_synic *synic, u32 sint) + struct kvm_lapic_irq irq; + int ret, vector; + ++ if (KVM_BUG_ON(!lapic_in_kernel(vcpu), vcpu->kvm)) ++ return -EINVAL; ++ + if (sint >= ARRAY_SIZE(synic->sint)) + return -EINVAL; + + diff --git a/patches.suse/KVM-x86-Forbid-VMM-to-set-SYNIC-STIMER-MSRs-when-SynIC-wasn-t-ac b/patches.suse/KVM-x86-Forbid-VMM-to-set-SYNIC-STIMER-MSRs-when-SynIC-wasn-t-ac new file mode 100644 index 0000000..cb46b51 --- /dev/null +++ b/patches.suse/KVM-x86-Forbid-VMM-to-set-SYNIC-STIMER-MSRs-when-SynIC-wasn-t-ac @@ -0,0 +1,65 @@ +From: Vitaly Kuznetsov +Date: Fri, 25 Mar 2022 14:21:40 +0100 +Subject: KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't + activated +Git-commit: b1e34d325397a33d97d845e312d7cf2a8b646b44 +Patch-mainline: v5.18-rc1 +References: bsc#1200788 CVE-2022-2153 + +Setting non-zero values to SYNIC/STIMER MSRs activates certain features, +this should not happen when KVM_CAP_HYPERV_SYNIC{,2} was not activated. + +Note, it would've been better to forbid writing anything to SYNIC/STIMER +MSRs, including zeroes, however, at least QEMU tries clearing +HV_X64_MSR_STIMER0_CONFIG without SynIC. HV_X64_MSR_EOM MSR is somewhat +'special' as writing zero there triggers an action, this also should not +happen when SynIC wasn't activated. + +Signed-off-by: Vitaly Kuznetsov +Message-Id: <20220325132140.25650-4-vkuznets@redhat.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Acked-by: Dario Faggioli +--- + arch/x86/kvm/hyperv.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -214,7 +214,7 @@ + struct kvm_vcpu *vcpu = synic_to_vcpu(synic); + int ret; + +- if (!synic->active && !host) ++ if (!synic->active && (!host || data)) + return 1; + + trace_kvm_hv_synic_set_msr(vcpu->vcpu_id, msr, data, host); +@@ -260,6 +260,9 @@ + case HV_X64_MSR_EOM: { + int i; + ++ if (!synic->active) ++ break; ++ + for (i = 0; i < ARRAY_SIZE(synic->sint); i++) + kvm_hv_notify_acked_sint(vcpu, i); + break; +@@ -526,7 +529,7 @@ + struct kvm_vcpu *vcpu = stimer_to_vcpu(stimer); + struct kvm_vcpu_hv_synic *synic = vcpu_to_synic(vcpu); + +- if (!synic->active && !host) ++ if (!synic->active && (!host || config)) + return 1; + + trace_kvm_hv_stimer_set_config(stimer_to_vcpu(stimer)->vcpu_id, +@@ -549,7 +552,7 @@ + struct kvm_vcpu *vcpu = stimer_to_vcpu(stimer); + struct kvm_vcpu_hv_synic *synic = vcpu_to_synic(vcpu); + +- if (!synic->active && !host) ++ if (!synic->active && (!host || count)) + return 1; + + trace_kvm_hv_stimer_set_count(stimer_to_vcpu(stimer)->vcpu_id, diff --git a/patches.suse/KVM-x86-hyper-v-disallow-configuring-SynIC-timers-with-no-SynIC b/patches.suse/KVM-x86-hyper-v-disallow-configuring-SynIC-timers-with-no-SynIC new file mode 100644 index 0000000..37bc647 --- /dev/null +++ b/patches.suse/KVM-x86-hyper-v-disallow-configuring-SynIC-timers-with-no-SynIC @@ -0,0 +1,46 @@ +From: Vitaly Kuznetsov +Date: Thu, 24 Sep 2020 16:57:52 +0200 +Subject: KVM: x86: hyper-v: disallow configuring SynIC timers with no SynIC +Git-commit: dbcf3f96fa662bd5e1f93ea7c10a8dd0dce180ae +Patch-mainline: v5.10-rc1 +References: bsc#1200788 CVE-2022-2153 + +Hyper-V Synthetic timers require SynIC but we don't seem to check that +upon HV_X64_MSR_STIMER[X]_CONFIG/HV_X64_MSR_STIMER0_COUNT writes. Make +the behavior match synic_set_msr(). + +Signed-off-by: Vitaly Kuznetsov +Message-Id: <20200924145757.1035782-3-vkuznets@redhat.com> +Signed-off-by: Paolo Bonzini +Acked-by: Dario Faggioli +--- + arch/x86/kvm/hyperv.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -516,6 +516,11 @@ static int stimer_set_config(struct kvm_ + { + union hv_stimer_config new_config = {.as_uint64 = config}, + old_config = {.as_uint64 = stimer->config.as_uint64}; ++ struct kvm_vcpu *vcpu = stimer_to_vcpu(stimer); ++ struct kvm_vcpu_hv_synic *synic = vcpu_to_synic(vcpu); ++ ++ if (!synic->active && !host) ++ return 1; + + trace_kvm_hv_stimer_set_config(stimer_to_vcpu(stimer)->vcpu_id, + stimer->index, config, host); +@@ -537,6 +543,12 @@ + static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count, + bool host) + { ++ struct kvm_vcpu *vcpu = stimer_to_vcpu(stimer); ++ struct kvm_vcpu_hv_synic *synic = vcpu_to_synic(vcpu); ++ ++ if (!synic->active && !host) ++ return 1; ++ + trace_kvm_hv_stimer_set_count(stimer_to_vcpu(stimer)->vcpu_id, + stimer->index, count, host); + diff --git a/patches.suse/Revert-USB-serial-ch341-add-new-Product-ID-for-CH341.patch b/patches.suse/Revert-USB-serial-ch341-add-new-Product-ID-for-CH341.patch index a838b63..3207252 100644 --- a/patches.suse/Revert-USB-serial-ch341-add-new-Product-ID-for-CH341.patch +++ b/patches.suse/Revert-USB-serial-ch341-add-new-Product-ID-for-CH341.patch @@ -26,8 +26,8 @@ Signed-off-by: Oliver Neukum --- a/drivers/usb/serial/ch341.c +++ b/drivers/usb/serial/ch341.c -@@ -83,7 +83,6 @@ - #define CH341_LCR_CS5 0x00 +@@ -79,7 +79,6 @@ + #define CH341_QUIRK_LIMITED_PRESCALER BIT(0) static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x1a86, 0x5512) }, diff --git a/patches.suse/Revert-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch b/patches.suse/Revert-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch new file mode 100644 index 0000000..1adcb05 --- /dev/null +++ b/patches.suse/Revert-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch @@ -0,0 +1,68 @@ +From b896d6e6e524451d3912eb83c57e1cb952d8f84b Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 3 May 2021 13:56:49 +0200 +Subject: [PATCH 14/19] Revert "niu: fix missing checks of niu_pci_eeprom_read" +Git-commit: 7930742d6a0ff091c85b92ef4e076432d8d8cb79 +Patch-mainline: v5.13-rc3 +References: git-fixes + +This reverts commit 26fd962bde0b15e54234fe762d86bc0349df1de4. + +Because of recent interactions with developers from @umn.edu, all +commits from them have been recently re-reviewed to ensure if they were +correct or not. + +Upon review, this commit was found to be incorrect for the reasons +below, so it must be reverted. It will be fixed up "correctly" in a +later kernel change. + +The change here was incorrect. While it is nice to check if +niu_pci_eeprom_read() succeeded or not when using the data, any error +that might have happened was not propagated upwards properly, causing +the kernel to assume that these reads were successful, which results in +invalid data in the buffer that was to contain the successfully read +data. + +Cc: Kangjie Lu +Cc: Shannon Nelson +Cc: David S. Miller +Fixes: 26fd962bde0b ("niu: fix missing checks of niu_pci_eeprom_read") +Cc: stable +Link: https://lore.kernel.org/r/20210503115736.2104747-23-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/sun/niu.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c +index 3f0e34bdf772..1c0aee4ada92 100644 +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -8119,8 +8119,6 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + start += 3; + + prop_len = niu_pci_eeprom_read(np, start + 4); +- if (prop_len < 0) +- return prop_len; + err = niu_pci_vpd_get_propname(np, start + 5, namebuf, 64); + if (err < 0) + return err; +@@ -8165,12 +8163,8 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + netif_printk(np, probe, KERN_DEBUG, np->dev, + "VPD_SCAN: Reading in property [%s] len[%d]\n", + namebuf, prop_len); +- for (i = 0; i < prop_len; i++) { +- err = niu_pci_eeprom_read(np, off + i); +- if (err >= 0) +- *prop_buf = err; +- ++prop_buf; +- } ++ for (i = 0; i < prop_len; i++) ++ *prop_buf++ = niu_pci_eeprom_read(np, off + i); + } + + start += len; +-- +2.16.4 + diff --git a/patches.suse/USB-serial-ch341-add-basis-for-quirk-detection.patch b/patches.suse/USB-serial-ch341-add-basis-for-quirk-detection.patch new file mode 100644 index 0000000..7994d75 --- /dev/null +++ b/patches.suse/USB-serial-ch341-add-basis-for-quirk-detection.patch @@ -0,0 +1,109 @@ +From c404bf4aa9236cb4d1068e499ae42acf48a6ff97 Mon Sep 17 00:00:00 2001 +From: Michael Hanselmann +Date: Tue, 31 Mar 2020 23:37:18 +0000 +Subject: [PATCH] USB: serial: ch341: add basis for quirk detection +Git-commit: c404bf4aa9236cb4d1068e499ae42acf48a6ff97 +References: git-fixes +Patch-mainline: v5.8-rc1 + +A subset of CH341 devices does not support all features, namely the +prescaler is limited to a reduced precision and there is no support for +sending a RS232 break condition. This patch adds a detection function +which will be extended to set quirk flags as they're implemented. + +The author's affected device has an imprint of "340" on the +turquoise-colored plug, but not all such devices appear to be affected. + +Signed-off-by: Michael Hanselmann +Link: https://lore.kernel.org/r/1e1ae0da6082bb528a44ef323d4e1d3733d38858.1585697281.git.public@hansmi.ch +[ johan: use long type for quirks; rephrase and use port device for + messages; handle short reads; set quirk flags directly in + helper function ] +Cc: stable # 5.5 +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/ch341.c | 53 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 53 insertions(+) + +diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c +index c5ecdcd51ffc..f2b93f4554a7 100644 +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -87,6 +87,7 @@ struct ch341_private { + u8 mcr; + u8 msr; + u8 lcr; ++ unsigned long quirks; + }; + + static void ch341_set_termios(struct tty_struct *tty, +@@ -308,6 +309,53 @@ out: kfree(buffer); + return r; + } + ++static int ch341_detect_quirks(struct usb_serial_port *port) ++{ ++ struct ch341_private *priv = usb_get_serial_port_data(port); ++ struct usb_device *udev = port->serial->dev; ++ const unsigned int size = 2; ++ unsigned long quirks = 0; ++ char *buffer; ++ int r; ++ ++ buffer = kmalloc(size, GFP_KERNEL); ++ if (!buffer) ++ return -ENOMEM; ++ ++ /* ++ * A subset of CH34x devices does not support all features. The ++ * prescaler is limited and there is no support for sending a RS232 ++ * break condition. A read failure when trying to set up the latter is ++ * used to detect these devices. ++ */ ++ r = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), CH341_REQ_READ_REG, ++ USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, ++ CH341_REG_BREAK, 0, buffer, size, DEFAULT_TIMEOUT); ++ if (r == -EPIPE) { ++ dev_dbg(&port->dev, "break control not supported\n"); ++ r = 0; ++ goto out; ++ } ++ ++ if (r != size) { ++ if (r >= 0) ++ r = -EIO; ++ dev_err(&port->dev, "failed to read break control: %d\n", r); ++ goto out; ++ } ++ ++ r = 0; ++out: ++ kfree(buffer); ++ ++ if (quirks) { ++ dev_dbg(&port->dev, "enabling quirk flags: 0x%02lx\n", quirks); ++ priv->quirks |= quirks; ++ } ++ ++ return r; ++} ++ + static int ch341_port_probe(struct usb_serial_port *port) + { + struct ch341_private *priv; +@@ -330,6 +378,11 @@ static int ch341_port_probe(struct usb_serial_port *port) + goto error; + + usb_set_serial_port_data(port, priv); ++ ++ r = ch341_detect_quirks(port); ++ if (r < 0) ++ goto error; ++ + return 0; + + error: kfree(priv); +-- +2.35.3 + diff --git a/patches.suse/USB-serial-ch341-fix-lockup-of-devices-with-limited-.patch b/patches.suse/USB-serial-ch341-fix-lockup-of-devices-with-limited-.patch new file mode 100644 index 0000000..d3e1d3a --- /dev/null +++ b/patches.suse/USB-serial-ch341-fix-lockup-of-devices-with-limited-.patch @@ -0,0 +1,91 @@ +From c432df155919582a3cefa35a8f86256c830fa9a4 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 14 May 2020 11:36:45 +0200 +Subject: [PATCH] USB: serial: ch341: fix lockup of devices with limited + prescaler +Git-commit: c432df155919582a3cefa35a8f86256c830fa9a4 +References: git-fixes +Patch-mainline: v5.8-rc1 + +Michael Hanselmann reports that + + [a] subset of all CH341 devices stop responding to bulk + transfers, usually after the third byte, when the highest + prescaler bit (0b100) is set. There is one exception, namely a + prescaler of exactly 0b111 (fact=1, ps=3). + +Fix this by forcing a lower base clock (fact = 0) whenever needed. + +This specifically makes the standard rates 110, 134 and 200 bps work +again with these devices. + +Fixes: 35714565089e ("USB: serial: ch341: reimplement line-speed handling") +Cc: stable # 5.5 +Reported-by: Michael Hanselmann +Link: https://lore.kernel.org/r/20200514141743.GE25962@localhost +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/ch341.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c +index f2b93f4554a7..89675ee29645 100644 +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -73,6 +73,8 @@ + #define CH341_LCR_CS6 0x01 + #define CH341_LCR_CS5 0x00 + ++#define CH341_QUIRK_LIMITED_PRESCALER BIT(0) ++ + static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x4348, 0x5523) }, + { USB_DEVICE(0x1a86, 0x7523) }, +@@ -160,9 +162,11 @@ static const speed_t ch341_min_rates[] = { + * 2 <= div <= 256 if fact = 0, or + * 9 <= div <= 256 if fact = 1 + */ +-static int ch341_get_divisor(speed_t speed) ++static int ch341_get_divisor(struct ch341_private *priv) + { + unsigned int fact, div, clk_div; ++ speed_t speed = priv->baud_rate; ++ bool force_fact0 = false; + int ps; + + /* +@@ -188,8 +192,12 @@ static int ch341_get_divisor(speed_t speed) + clk_div = CH341_CLK_DIV(ps, fact); + div = CH341_CLKRATE / (clk_div * speed); + ++ /* Some devices require a lower base clock if ps < 3. */ ++ if (ps < 3 && (priv->quirks & CH341_QUIRK_LIMITED_PRESCALER)) ++ force_fact0 = true; ++ + /* Halve base clock (fact = 0) if required. */ +- if (div < 9 || div > 255) { ++ if (div < 9 || div > 255 || force_fact0) { + div /= 2; + clk_div *= 2; + fact = 0; +@@ -228,7 +236,7 @@ static int ch341_set_baudrate_lcr(struct usb_device *dev, + if (!priv->baud_rate) + return -EINVAL; + +- val = ch341_get_divisor(priv->baud_rate); ++ val = ch341_get_divisor(priv); + if (val < 0) + return -EINVAL; + +@@ -333,6 +341,7 @@ static int ch341_detect_quirks(struct usb_serial_port *port) + CH341_REG_BREAK, 0, buffer, size, DEFAULT_TIMEOUT); + if (r == -EPIPE) { + dev_dbg(&port->dev, "break control not supported\n"); ++ quirks = CH341_QUIRK_LIMITED_PRESCALER; + r = 0; + goto out; + } +-- +2.35.3 + diff --git a/patches.suse/USB-serial-ch341-fix-lost-character-on-LCR-updates.patch b/patches.suse/USB-serial-ch341-fix-lost-character-on-LCR-updates.patch new file mode 100644 index 0000000..62ae47d --- /dev/null +++ b/patches.suse/USB-serial-ch341-fix-lost-character-on-LCR-updates.patch @@ -0,0 +1,59 @@ +From 8e83622ae7ca481c76c8fd9579877f6abae64ca2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 31 Aug 2022 10:15:24 +0200 +Subject: [PATCH] USB: serial: ch341: fix lost character on LCR updates +Git-commit: 8e83622ae7ca481c76c8fd9579877f6abae64ca2 +References: git-fixes +Patch-mainline: v6.0-rc4 + +Disable LCR updates for pre-0x30 devices which use a different (unknown) +protocol for line control and where the current register write causes +the next received character to be lost. + +Note that updating LCR using the INIT command has no effect on these +devices either. + +Reported-by: Jonathan Woithe +Tested-by: Jonathan Woithe +Link: https://lore.kernel.org/r/Ys1iPTfiZRWj2gXs@marvin.atrad.com.au +Fixes: 4e46c410e050 ("USB: serial: ch341: reinitialize chip on reconfiguration") +Fixes: 55fa15b5987d ("USB: serial: ch341: fix baud rate and line-control handling") +Cc: stable@vger.kernel.org # 4.10 +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/ch341.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -96,6 +96,7 @@ struct ch341_private { + u8 msr; + u8 lcr; + unsigned long quirks; ++ u8 version; + }; + + static void ch341_set_termios(struct tty_struct *tty, +@@ -250,6 +251,10 @@ static int ch341_set_baudrate_lcr(struct + * CH341A buffers data until a full endpoint-size packet (32 bytes) + * has been received unless bit 7 is set. + */ ++ ++ if (priv->version < 0x30) ++ return 0; ++ + val |= BIT(7); + + r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, val); +@@ -307,7 +312,9 @@ static int ch341_configure(struct usb_de + r = ch341_control_in(dev, CH341_REQ_READ_VERSION, 0, 0, buffer, size); + if (r < 0) + goto out; +- dev_dbg(&dev->dev, "Chip version: 0x%02x\n", buffer[0]); ++ ++ priv->version = buffer[0]; ++ dev_dbg(&dev->dev, "Chip version: 0x%02x\n", priv->version); + + r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT, 0, 0); + if (r < 0) diff --git a/patches.suse/USB-serial-ch341-fix-receiver-regression.patch b/patches.suse/USB-serial-ch341-fix-receiver-regression.patch new file mode 100644 index 0000000..784bdcc --- /dev/null +++ b/patches.suse/USB-serial-ch341-fix-receiver-regression.patch @@ -0,0 +1,55 @@ +From 7c3d02285ad558691f27fde760bcd841baa27eab Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 6 Feb 2020 12:18:19 +0100 +Subject: [PATCH] USB: serial: ch341: fix receiver regression +Git-commit: 7c3d02285ad558691f27fde760bcd841baa27eab +References: git-fixes +Patch-mainline: v5.6-rc3 + +While assumed not to make a difference, not using the factor-2 prescaler +makes the receiver more susceptible to errors. + +Specifically, there have been reports of problems with devices that +cannot generate a 115200 rate with a smaller error than 2.1% (e.g. +117647 bps). But this can also be reproduced with a low-speed RS232 +tranceiver at 115200 when the input rate matches the nominal rate. + +So whenever possible, enable the factor-2 prescaler and halve the +divisor in order to use settings closer to that of the previous +algorithm. + +Fixes: 35714565089e ("USB: serial: ch341: reimplement line-speed handling") +Cc: stable # 5.5 +Reported-by: Jakub Nantl +Tested-by: Jakub Nantl +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/ch341.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c +index d3f420f3a083..c5ecdcd51ffc 100644 +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -205,6 +205,16 @@ static int ch341_get_divisor(speed_t speed) + 16 * speed - 16 * CH341_CLKRATE / (clk_div * (div + 1))) + div++; + ++ /* ++ * Prefer lower base clock (fact = 0) if even divisor. ++ * ++ * Note that this makes the receiver more tolerant to errors. ++ */ ++ if (fact == 1 && div % 2 == 0) { ++ div /= 2; ++ fact = 0; ++ } ++ + return (0x100 - div) << 8 | fact << 2 | ps; + } + +-- +2.35.3 + diff --git a/patches.suse/USB-serial-ch341-reimplement-line-speed-handling.patch b/patches.suse/USB-serial-ch341-reimplement-line-speed-handling.patch new file mode 100644 index 0000000..d773ad2 --- /dev/null +++ b/patches.suse/USB-serial-ch341-reimplement-line-speed-handling.patch @@ -0,0 +1,193 @@ +From 35714565089e5e8b091c1155517b67e29118f09d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 1 Nov 2019 18:24:10 +0100 +Subject: [PATCH] USB: serial: ch341: reimplement line-speed handling +Git-commit: 35714565089e5e8b091c1155517b67e29118f09d +References: git-fixes +Patch-mainline: v5.5-rc1 + +The current ch341 divisor algorithm was known to give inaccurate results +for certain higher line speeds. Jonathan Olds +investigated this, determined the basic equations used to derive the +divisors and confirmed them experimentally [1]. + +The equations Jonathan used could be generalised further to: + + baudrate = 48000000 / (2^(12 - 3 * ps - fact) * div), where + + 0 <= ps <= 3, + 0 <= fact <= 1, + 2 <= div <= 256 if fact = 0, or + 9 <= div <= 256 if fact = 1 + +which will also give better results for lower rates. + +Notably the error is reduced for the following standard rates: + + 1152000 (4.0% instead of 15% error) + 921600 (0.16% instead of -7.5% error) + 576000 (-0.80% instead of -5.6% error) + 200 (0.16% instead of -0.69% error) + 134 (-0.05% instead of -0.63% error) + 110 (0.03% instead of -0.44% error) + +but also for many non-standard ones. + +The current algorithm also suffered from rounding issues (e.g. +requesting 2950000 Bd resulted in a rate of 2 MBd instead of 3 MBd and +thus a -32% instead of 1.7% error). + +The new algorithm was inspired by the current vendor driver even if that +one only handles two higher rates that require fact=1 by hard coding the +corresponding divisors [2]. + +Michael Dreher also did a similar generalisation of +Jonathan's work and has published his results with a very good summary +that provides further insights into how this device works [3]. + +[1] https://lkml.kernel.org/r/000001d51f34$bad6afd0$30840f70$@co.nz +[2] http://www.wch.cn/download/CH341SER_LINUX_ZIP.html +[3] https://github.com/nospam2000/ch341-baudrate-calculation + +Reported-by: Jonathan Olds +Tested-by: Jonathan Olds +Cc: Michael Dreher +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/ch341.c | 97 +++++++++++++++++++++++++++++--------- + 1 file changed, 75 insertions(+), 22 deletions(-) + +diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c +index 3bb1fff02bed..df582fe855f0 100644 +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -48,12 +48,6 @@ + #define CH341_BIT_DCD 0x08 + #define CH341_BITS_MODEM_STAT 0x0f /* all bits */ + +-/*******************************/ +-/* baudrate calculation factor */ +-/*******************************/ +-#define CH341_BAUDBASE_FACTOR 1532620800 +-#define CH341_BAUDBASE_DIVMAX 3 +- + /* Break support - the information used to implement this was gleaned from + * the Net/FreeBSD uchcom.c driver by Takanori Watanabe. Domo arigato. + */ +@@ -144,37 +138,96 @@ static int ch341_control_in(struct usb_device *dev, + return 0; + } + ++#define CH341_CLKRATE 48000000 ++#define CH341_CLK_DIV(ps, fact) (1 << (12 - 3 * (ps) - (fact))) ++#define CH341_MIN_RATE(ps) (CH341_CLKRATE / (CH341_CLK_DIV((ps), 1) * 512)) ++ ++static const speed_t ch341_min_rates[] = { ++ CH341_MIN_RATE(0), ++ CH341_MIN_RATE(1), ++ CH341_MIN_RATE(2), ++ CH341_MIN_RATE(3), ++}; ++ ++/* ++ * The device line speed is given by the following equation: ++ * ++ * baudrate = 48000000 / (2^(12 - 3 * ps - fact) * div), where ++ * ++ * 0 <= ps <= 3, ++ * 0 <= fact <= 1, ++ * 2 <= div <= 256 if fact = 0, or ++ * 9 <= div <= 256 if fact = 1 ++ */ ++static int ch341_get_divisor(speed_t speed) ++{ ++ unsigned int fact, div, clk_div; ++ int ps; ++ ++ /* ++ * Clamp to supported range, this makes the (ps < 0) and (div < 2) ++ * sanity checks below redundant. ++ */ ++ speed = clamp(speed, 46U, 3000000U); ++ ++ /* ++ * Start with highest possible base clock (fact = 1) that will give a ++ * divisor strictly less than 512. ++ */ ++ fact = 1; ++ for (ps = 3; ps >= 0; ps--) { ++ if (speed > ch341_min_rates[ps]) ++ break; ++ } ++ ++ if (ps < 0) ++ return -EINVAL; ++ ++ /* Determine corresponding divisor, rounding down. */ ++ clk_div = CH341_CLK_DIV(ps, fact); ++ div = CH341_CLKRATE / (clk_div * speed); ++ ++ /* Halve base clock (fact = 0) if required. */ ++ if (div < 9 || div > 255) { ++ div /= 2; ++ clk_div *= 2; ++ fact = 0; ++ } ++ ++ if (div < 2) ++ return -EINVAL; ++ ++ /* ++ * Pick next divisor if resulting rate is closer to the requested one, ++ * scale up to avoid rounding errors on low rates. ++ */ ++ if (16 * CH341_CLKRATE / (clk_div * div) - 16 * speed >= ++ 16 * speed - 16 * CH341_CLKRATE / (clk_div * (div + 1))) ++ div++; ++ ++ return (0x100 - div) << 8 | fact << 2 | ps; ++} ++ + static int ch341_set_baudrate_lcr(struct usb_device *dev, + struct ch341_private *priv, u8 lcr) + { +- short a; ++ int val; + int r; +- unsigned long factor; +- short divisor; + + if (!priv->baud_rate) + return -EINVAL; +- factor = (CH341_BAUDBASE_FACTOR / priv->baud_rate); +- divisor = CH341_BAUDBASE_DIVMAX; +- +- while ((factor > 0xfff0) && divisor) { +- factor >>= 3; +- divisor--; +- } + +- if (factor > 0xfff0) ++ val = ch341_get_divisor(priv->baud_rate); ++ if (val < 0) + return -EINVAL; + +- factor = 0x10000 - factor; +- a = (factor & 0xff00) | divisor; +- + /* + * CH341A buffers data until a full endpoint-size packet (32 bytes) + * has been received unless bit 7 is set. + */ +- a |= BIT(7); ++ val |= BIT(7); + +- r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, a); ++ r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, val); + if (r) + return r; + +-- +2.35.3 + diff --git a/patches.suse/USB-serial-ch341-sort-device-id-entries.patch b/patches.suse/USB-serial-ch341-sort-device-id-entries.patch index 8802d5d..c00275b 100644 --- a/patches.suse/USB-serial-ch341-sort-device-id-entries.patch +++ b/patches.suse/USB-serial-ch341-sort-device-id-entries.patch @@ -19,8 +19,8 @@ Signed-off-by: Oliver Neukum --- a/drivers/usb/serial/ch341.c +++ b/drivers/usb/serial/ch341.c -@@ -83,11 +83,11 @@ - #define CH341_LCR_CS5 0x00 +@@ -79,11 +79,11 @@ + #define CH341_QUIRK_LIMITED_PRESCALER BIT(0) static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x4348, 0x5523) }, diff --git a/patches.suse/amd-xgbe-Update-DMA-coherency-values.patch b/patches.suse/amd-xgbe-Update-DMA-coherency-values.patch new file mode 100644 index 0000000..256fb1d --- /dev/null +++ b/patches.suse/amd-xgbe-Update-DMA-coherency-values.patch @@ -0,0 +1,41 @@ +From 72fb2f96fb6883f8e51d56c0b707015e8ac8ebb6 Mon Sep 17 00:00:00 2001 +From: Shyam Sundar S K +Date: Thu, 25 Mar 2021 08:39:12 +0530 +Subject: [PATCH 11/19] amd-xgbe: Update DMA coherency values +Git-commit: d75135082698140a26a56defe1bbc1b06f26a41f +Patch-mainline: v5.12-rc7 +References: git-fixes + +Based on the IOMMU configuration, the current cache control settings can +result in possible coherency issues. The hardware team has recommended +new settings for the PCI device path to eliminate the issue. + +Fixes: 6f595959c095 ("amd-xgbe: Adjust register settings to improve performance") +Signed-off-by: Shyam Sundar S K +Acked-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/amd/xgbe/xgbe.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h +index 5897e46faca5..95b590f1efae 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -180,9 +180,9 @@ + #define XGBE_DMA_SYS_AWCR 0x30303030 + + /* DMA cache settings - PCI device */ +-#define XGBE_DMA_PCI_ARCR 0x00000003 +-#define XGBE_DMA_PCI_AWCR 0x13131313 +-#define XGBE_DMA_PCI_AWARCR 0x00000313 ++#define XGBE_DMA_PCI_ARCR 0x000f0f0f ++#define XGBE_DMA_PCI_AWCR 0x0f0f0f0f ++#define XGBE_DMA_PCI_AWARCR 0x00000f0f + + /* DMA channel interrupt modes */ + #define XGBE_IRQ_MODE_EDGE 0 +-- +2.16.4 + diff --git a/patches.suse/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch b/patches.suse/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch new file mode 100644 index 0000000..d13adcf --- /dev/null +++ b/patches.suse/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch @@ -0,0 +1,33 @@ +From: Jianglei Nie +Date: Fri, 30 Sep 2022 14:28:43 +0800 +Subject: bnx2x: fix potential memory leak in bnx2x_tpa_stop() +Patch-mainline: v6.1-rc1 +Git-commit: b43f9acbb8942b05252be83ac25a81cec70cc192 +References: bsc#1204402 CVE-2022-3542 + +bnx2x_tpa_stop() allocates a memory chunk from new_data with +bnx2x_frag_alloc(). The new_data should be freed when gets some error. +But when "pad + len > fp->rx_buf_size" is true, bnx2x_tpa_stop() returns +without releasing the new_data, which will lead to a memory leak. + +We should free the new_data with bnx2x_frag_free() when "pad + len > +fp->rx_buf_size" is true. + +Fixes: 07b0f00964def8af9321cfd6c4a7e84f6362f728 ("bnx2x: fix possible panic under memory stress") +Signed-off-by: Jianglei Nie +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -787,6 +787,7 @@ static void bnx2x_tpa_stop(struct bnx2x + BNX2X_ERR("skb_put is about to fail... pad %d len %d rx_buf_size %d\n", + pad, len, fp->rx_buf_size); + bnx2x_panic(); ++ bnx2x_frag_free(fp, new_data); + return; + } + #endif diff --git a/patches.suse/bnxt-don-t-lock-the-tx-queue-from-napi-poll.patch b/patches.suse/bnxt-don-t-lock-the-tx-queue-from-napi-poll.patch new file mode 100644 index 0000000..60d639e --- /dev/null +++ b/patches.suse/bnxt-don-t-lock-the-tx-queue-from-napi-poll.patch @@ -0,0 +1,140 @@ +From ff179fe46f0f819fed05494930c495f67089db6f Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Thu, 12 Aug 2021 14:42:39 -0700 +Subject: [PATCH 5/7] bnxt: don't lock the tx queue from napi poll +Git-commit: 3c603136c9f82833813af77185618de5af67676c +Patch-mainline: v5.14-rc7 +References: git-fixes + +We can't take the tx lock from the napi poll routine, because +netpoll can poll napi at any moment, including with the tx lock +already held. + +The tx lock is protecting against two paths - the disable +path, and (as Michael points out) the NETDEV_TX_BUSY case +which may occur if NAPI completions race with start_xmit +and both decide to re-enable the queue. + +For the disable/ifdown path use synchronize_net() to make sure +closing the device does not race we restarting the queues. +Annotate accesses to dev_state against data races. + +For the NAPI cleanup vs start_xmit path - appropriate barriers +are already in place in the main spot where Tx queue is stopped +but we need to do the same careful dance in the TX_BUSY case. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Reviewed-by: Michael Chan +Reviewed-by: Edwin Peer +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 54 ++++++++++++++++++------------- + 1 file changed, 32 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 391682cdba9b..a076a7e67d7f 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -338,6 +338,26 @@ static u16 bnxt_xmit_get_cfa_action(struct sk_buff *skb) + return md_dst->u.port_info.port_id; + } + ++static bool bnxt_txr_netif_try_stop_queue(struct bnxt *bp, ++ struct bnxt_tx_ring_info *txr, ++ struct netdev_queue *txq) ++{ ++ netif_tx_stop_queue(txq); ++ ++ /* netif_tx_stop_queue() must be done before checking ++ * tx index in bnxt_tx_avail() below, because in ++ * bnxt_tx_int(), we update tx index before checking for ++ * netif_tx_queue_stopped(). ++ */ ++ smp_mb(); ++ if (bnxt_tx_avail(bp, txr) > bp->tx_wake_thresh) { ++ netif_tx_wake_queue(txq); ++ return false; ++ } ++ ++ return true; ++} ++ + static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct bnxt *bp = netdev_priv(dev); +@@ -365,8 +385,8 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev) + + free_size = bnxt_tx_avail(bp, txr); + if (unlikely(free_size < skb_shinfo(skb)->nr_frags + 2)) { +- netif_tx_stop_queue(txq); +- return NETDEV_TX_BUSY; ++ if (bnxt_txr_netif_try_stop_queue(bp, txr, txq)) ++ return NETDEV_TX_BUSY; + } + + length = skb->len; +@@ -577,16 +597,7 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev) + if (skb->xmit_more && !tx_buf->is_push) + bnxt_db_write(bp, &txr->tx_db, prod); + +- netif_tx_stop_queue(txq); +- +- /* netif_tx_stop_queue() must be done before checking +- * tx index in bnxt_tx_avail() below, because in +- * bnxt_tx_int(), we update tx index before checking for +- * netif_tx_queue_stopped(). +- */ +- smp_mb(); +- if (bnxt_tx_avail(bp, txr) > bp->tx_wake_thresh) +- netif_tx_wake_queue(txq); ++ bnxt_txr_netif_try_stop_queue(bp, txr, txq); + } + return NETDEV_TX_OK; + +@@ -670,14 +681,9 @@ static void bnxt_tx_int(struct bnxt *bp, struct bnxt_napi *bnapi, int nr_pkts) + smp_mb(); + + if (unlikely(netif_tx_queue_stopped(txq)) && +- (bnxt_tx_avail(bp, txr) > bp->tx_wake_thresh)) { +- __netif_tx_lock(txq, smp_processor_id()); +- if (netif_tx_queue_stopped(txq) && +- bnxt_tx_avail(bp, txr) > bp->tx_wake_thresh && +- txr->dev_state != BNXT_DEV_STATE_CLOSING) +- netif_tx_wake_queue(txq); +- __netif_tx_unlock(txq); +- } ++ bnxt_tx_avail(bp, txr) > bp->tx_wake_thresh && ++ READ_ONCE(txr->dev_state) != BNXT_DEV_STATE_CLOSING) ++ netif_tx_wake_queue(txq); + } + + static struct page *__bnxt_alloc_rx_page(struct bnxt *bp, dma_addr_t *mapping, +@@ -7775,9 +7781,11 @@ void bnxt_tx_disable(struct bnxt *bp) + if (bp->tx_ring) { + for (i = 0; i < bp->tx_nr_rings; i++) { + txr = &bp->tx_ring[i]; +- txr->dev_state = BNXT_DEV_STATE_CLOSING; ++ WRITE_ONCE(txr->dev_state, BNXT_DEV_STATE_CLOSING); + } + } ++ /* Make sure napi polls see @dev_state change */ ++ synchronize_net(); + /* Drop carrier first to prevent TX timeout */ + netif_carrier_off(bp->dev); + /* Stop all TX queues */ +@@ -7791,8 +7799,10 @@ void bnxt_tx_enable(struct bnxt *bp) + + for (i = 0; i < bp->tx_nr_rings; i++) { + txr = &bp->tx_ring[i]; +- txr->dev_state = 0; ++ WRITE_ONCE(txr->dev_state, 0); + } ++ /* Make sure napi polls see @dev_state change */ ++ synchronize_net(); + netif_tx_wake_all_queues(bp->dev); + if (bp->link_info.link_up) + netif_carrier_on(bp->dev); +-- +2.16.4 + diff --git a/patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch b/patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch new file mode 100644 index 0000000..9172381 --- /dev/null +++ b/patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch @@ -0,0 +1,70 @@ +From 6bc19876924f48964182659b14322c165c3c99d0 Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Fri, 23 Apr 2021 18:13:19 -0400 +Subject: [PATCH 13/19] bnxt_en: Fix RX consumer index logic in the error path. +Git-commit: bbd6f0a948139970f4a615dff189d9a503681a39 +Patch-mainline: v5.13-rc1 +References: git-fixes + +In bnxt_rx_pkt(), the RX buffers are expected to complete in order. +If the RX consumer index indicates an out of order buffer completion, +it means we are hitting a hardware bug and the driver will abort all +remaining RX packets and reset the RX ring. The RX consumer index +that we pass to bnxt_discard_rx() is not correct. We should be +passing the current index (tmp_raw_cons) instead of the old index +(raw_cons). This bug can cause us to be at the wrong index when +trying to abort the next RX packet. It can crash like this: + + #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007 + #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232 + #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e + #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978 + #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0 + #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e + #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24 + #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e + #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12 + #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5 + [exception RIP: bnxt_rx_pkt+237] + RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213 + RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000 + RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000 + RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d + R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0 + R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + +Fixes: a1b0e4e684e9 ("bnxt_en: Improve RX consumer index validity check.") +Reviewed-by: Pavan Chebbi +Reviewed-by: Andy Gospodarek +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 3c14d1a2efaa..391682cdba9b 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1607,12 +1607,14 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + + cons = rxcmp->rx_cmp_opaque; + if (unlikely(cons != rxr->rx_next_cons)) { +- int rc1 = bnxt_discard_rx(bp, cpr, raw_cons, rxcmp); ++ int rc1 = bnxt_discard_rx(bp, cpr, &tmp_raw_cons, rxcmp); + + netdev_warn(bp->dev, "RX cons %x != expected cons %x\n", + cons, rxr->rx_next_cons); + bnxt_sched_reset(bp, rxr); +- return rc1; ++ if (rc1) ++ return rc1; ++ goto next_rx_no_prod_no_len; + } + rx_buf = &rxr->rx_buf_ring[cons]; + data = rx_buf->data; +-- +2.16.4 + diff --git a/patches.suse/bnxt_en-reverse-order-of-TX-disable-and-carrier-off.patch b/patches.suse/bnxt_en-reverse-order-of-TX-disable-and-carrier-off.patch new file mode 100644 index 0000000..ec614fb --- /dev/null +++ b/patches.suse/bnxt_en-reverse-order-of-TX-disable-and-carrier-off.patch @@ -0,0 +1,41 @@ +From 0fe91559d9999183757c74e720ee48501f1e8b85 Mon Sep 17 00:00:00 2001 +From: Edwin Peer +Date: Thu, 11 Feb 2021 02:24:23 -0500 +Subject: [PATCH 01/19] bnxt_en: reverse order of TX disable and carrier off +Git-commit: 132e0b65dc2b8bfa9721bfce834191f24fd1d7ed +Patch-mainline: v5.12-rc1 +References: git-fixes + +A TX queue can potentially immediately timeout after it is stopped +and the last TX timestamp on that queue was more than 5 seconds ago with +carrier still up. Prevent these intermittent false TX timeouts +by bringing down carrier first before calling netif_tx_disable(). + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index b1ba6df8911d..3c14d1a2efaa 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -7776,9 +7776,10 @@ void bnxt_tx_disable(struct bnxt *bp) + txr->dev_state = BNXT_DEV_STATE_CLOSING; + } + } ++ /* Drop carrier first to prevent TX timeout */ ++ netif_carrier_off(bp->dev); + /* Stop all TX queues */ + netif_tx_disable(bp->dev); +- netif_carrier_off(bp->dev); + } + + void bnxt_tx_enable(struct bnxt *bp) +-- +2.16.4 + diff --git a/patches.suse/ethernet-sun-niu-fix-missing-checks-of-niu_pci_eepro.patch b/patches.suse/ethernet-sun-niu-fix-missing-checks-of-niu_pci_eepro.patch new file mode 100644 index 0000000..e243c1e --- /dev/null +++ b/patches.suse/ethernet-sun-niu-fix-missing-checks-of-niu_pci_eepro.patch @@ -0,0 +1,127 @@ +From fc532203ac4548cac5bc093d56e34fa8a7e28459 Mon Sep 17 00:00:00 2001 +From: Du Cheng +Date: Mon, 3 May 2021 13:56:50 +0200 +Subject: [PATCH 15/19] ethernet: sun: niu: fix missing checks of + niu_pci_eeprom_read() +Git-commit: e6e337708c22f80824b82d4af645f20715730ad0 +Patch-mainline: v5.13-rc3 +References: git-fixes + +niu_pci_eeprom_read() may fail, so add checks to its return value and +propagate the error up the callstack. + +An examination of the callstack up to niu_pci_eeprom_read shows that: + +niu_pci_eeprom_read() // returns int + niu_pci_vpd_scan_props() // returns int + niu_pci_vpd_fetch() // returns *void* + niu_get_invariants() // returns int + +since niu_pci_vpd_fetch() returns void which breaks the bubbling up, +change its return type to int so that error is propagated upwards. + +Signed-off-by: Du Cheng +Cc: Shannon Nelson +Cc: David S. Miller +Cc: stable +Link: https://lore.kernel.org/r/20210503115736.2104747-24-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/sun/niu.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c +index 1c0aee4ada92..8a9a175e3c92 100644 +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -8119,6 +8119,8 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + start += 3; + + prop_len = niu_pci_eeprom_read(np, start + 4); ++ if (prop_len < 0) ++ return prop_len; + err = niu_pci_vpd_get_propname(np, start + 5, namebuf, 64); + if (err < 0) + return err; +@@ -8163,8 +8165,12 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + netif_printk(np, probe, KERN_DEBUG, np->dev, + "VPD_SCAN: Reading in property [%s] len[%d]\n", + namebuf, prop_len); +- for (i = 0; i < prop_len; i++) +- *prop_buf++ = niu_pci_eeprom_read(np, off + i); ++ for (i = 0; i < prop_len; i++) { ++ err = niu_pci_eeprom_read(np, off + i); ++ if (err < 0) ++ return err; ++ *prop_buf++ = err; ++ } + } + + start += len; +@@ -8174,14 +8180,14 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + } + + /* ESPC_PIO_EN_ENABLE must be set */ +-static void niu_pci_vpd_fetch(struct niu *np, u32 start) ++static int niu_pci_vpd_fetch(struct niu *np, u32 start) + { + u32 offset; + int err; + + err = niu_pci_eeprom_read16_swp(np, start + 1); + if (err < 0) +- return; ++ return err; + + offset = err + 3; + +@@ -8190,12 +8196,14 @@ static void niu_pci_vpd_fetch(struct niu *np, u32 start) + u32 end; + + err = niu_pci_eeprom_read(np, here); ++ if (err < 0) ++ return err; + if (err != 0x90) +- return; ++ return -EINVAL; + + err = niu_pci_eeprom_read16_swp(np, here + 1); + if (err < 0) +- return; ++ return err; + + here = start + offset + 3; + end = start + offset + err; +@@ -8203,9 +8211,12 @@ static void niu_pci_vpd_fetch(struct niu *np, u32 start) + offset += err; + + err = niu_pci_vpd_scan_props(np, here, end); +- if (err < 0 || err == 1) +- return; ++ if (err < 0) ++ return err; ++ if (err == 1) ++ return -EINVAL; + } ++ return 0; + } + + /* ESPC_PIO_EN_ENABLE must be set */ +@@ -9298,8 +9309,11 @@ static int niu_get_invariants(struct niu *np) + offset = niu_pci_vpd_offset(np); + netif_printk(np, probe, KERN_DEBUG, np->dev, + "%s() VPD offset [%08x]\n", __func__, offset); +- if (offset) +- niu_pci_vpd_fetch(np, offset); ++ if (offset) { ++ err = niu_pci_vpd_fetch(np, offset); ++ if (err < 0) ++ return err; ++ } + nw64(ESPC_PIO_EN, 0); + + if (np->flags & NIU_FLAGS_VPD_VALID) { +-- +2.16.4 + diff --git a/patches.suse/fs-Add-missing-umask-strip-in-vfs_tmpfile.patch b/patches.suse/fs-Add-missing-umask-strip-in-vfs_tmpfile.patch new file mode 100644 index 0000000..280d208 --- /dev/null +++ b/patches.suse/fs-Add-missing-umask-strip-in-vfs_tmpfile.patch @@ -0,0 +1,45 @@ +From ac6800e279a22b28f4fc21439843025a0d5bf03e Mon Sep 17 00:00:00 2001 +From: Yang Xu +Date: Thu, 14 Jul 2022 14:11:26 +0800 +Subject: [PATCH] fs: Add missing umask strip in vfs_tmpfile +Git-commit: ac6800e279a22b28f4fc21439843025a0d5bf03e +Patch-mainline: v6.0-rc1 +References: bsc#1198702 CVE-2021-4037 + +All creation paths except for O_TMPFILE handle umask in the vfs directly +if the filesystem doesn't support or enable POSIX ACLs. If the filesystem +does then umask handling is deferred until posix_acl_create(). +Because, O_TMPFILE misses umask handling in the vfs it will not honor +umask settings. Fix this by adding the missing umask handling. + +Link: https://lore.kernel.org/r/1657779088-2242-2-git-send-email-xuyang2018.jy@fujitsu.com +Fixes: 60545d0d4610 ("[O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...") +Cc: # 4.19+ +Reported-by: Christian Brauner (Microsoft) +Reviewed-by: Darrick J. Wong +Reviewed-and-tested-by: Jeff Layton +Acked-by: Christian Brauner (Microsoft) +Signed-off-by: Yang Xu +Signed-off-by: Christian Brauner (Microsoft) +Acked-by: Anthony Iliopoulos + +--- + fs/namei.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/namei.c b/fs/namei.c +index a253bd4f7f91..a1f574d8d457 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3475,6 +3475,8 @@ struct dentry *vfs_tmpfile(struct dentry *dentry, umode_t mode, int open_flag) + child = d_alloc(dentry, &name); + if (unlikely(!child)) + goto out_err; ++ if (!IS_POSIXACL(dir)) ++ mode &= ~current_umask(); + error = dir->i_op->tmpfile(dir, child, mode); + if (error) + goto out_err; +-- +2.35.3 + diff --git a/patches.suse/fs-add-mode_strip_sgid-helper.patch b/patches.suse/fs-add-mode_strip_sgid-helper.patch new file mode 100644 index 0000000..02cfb7e --- /dev/null +++ b/patches.suse/fs-add-mode_strip_sgid-helper.patch @@ -0,0 +1,107 @@ +From 2b3416ceff5e6bd4922f6d1c61fb68113dd82302 Mon Sep 17 00:00:00 2001 +From: Yang Xu +Date: Thu, 14 Jul 2022 14:11:25 +0800 +Subject: [PATCH] fs: add mode_strip_sgid() helper +Git-commit: 2b3416ceff5e6bd4922f6d1c61fb68113dd82302 +Patch-mainline: v6.0-rc1 +References: bsc#1198702 CVE-2021-4037 + +Add a dedicated helper to handle the setgid bit when creating a new file +in a setgid directory. This is a preparatory patch for moving setgid +stripping into the vfs. The patch contains no functional changes. + +Currently the setgid stripping logic is open-coded directly in +inode_init_owner() and the individual filesystems are responsible for +handling setgid inheritance. Since this has proven to be brittle as +evidenced by old issues we uncovered over the last months (see [1] to +[3] below) we will try to move this logic into the vfs. + +Link: e014f37db1a2 ("xfs: use setattr_copy to set vfs inode attributes") [1] +Link: 01ea173e103e ("xfs: fix up non-directory creation in SGID directories") [2] +Link: fd84bfdddd16 ("ceph: fix up non-directory creation in SGID directories") [3] +Link: https://lore.kernel.org/r/1657779088-2242-1-git-send-email-xuyang2018.jy@fujitsu.com +Reviewed-by: Darrick J. Wong +Reviewed-by: Christian Brauner (Microsoft) +Reviewed-and-tested-by: Jeff Layton +Signed-off-by: Yang Xu +Signed-off-by: Christian Brauner (Microsoft) +Acked-by: Anthony Iliopoulos + +--- + fs/inode.c | 34 ++++++++++++++++++++++++++++++---- + include/linux/fs.h | 3 +++ + 2 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/fs/inode.c b/fs/inode.c +index 6dfc4d272f50..a707346538af 100644 +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -2007,10 +2007,8 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, + /* Directories are special, and always inherit S_ISGID */ + if (S_ISDIR(mode)) + mode |= S_ISGID; +- else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && +- !in_group_p(inode->i_gid) && +- !capable_wrt_inode_uidgid(dir, CAP_FSETID)) +- mode &= ~S_ISGID; ++ else ++ mode = mode_strip_sgid(dir, mode); + } else + inode->i_gid = current_fsgid(); + inode->i_mode = mode; +@@ -2129,3 +2127,31 @@ struct timespec current_time(struct inode *inode) + return timespec_trunc(now, inode->i_sb->s_time_gran); + } + EXPORT_SYMBOL(current_time); ++ ++/** ++ * mode_strip_sgid - handle the sgid bit for non-directories ++ * @dir: parent directory inode ++ * @mode: mode of the file to be created in @dir ++ * ++ * If the @mode of the new file has both the S_ISGID and S_IXGRP bit ++ * raised and @dir has the S_ISGID bit raised ensure that the caller is ++ * either in the group of the parent directory or they have CAP_FSETID ++ * in their user namespace and are privileged over the parent directory. ++ * In all other cases, strip the S_ISGID bit from @mode. ++ * ++ * Return: the new mode to use for the file ++ */ ++umode_t mode_strip_sgid(const struct inode *dir, umode_t mode) ++{ ++ if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP)) ++ return mode; ++ if (S_ISDIR(mode) || !dir || !(dir->i_mode & S_ISGID)) ++ return mode; ++ if (in_group_p(dir->i_gid)) ++ return mode; ++ if (capable_wrt_inode_uidgid(dir, CAP_FSETID)) ++ return mode; ++ ++ return mode & ~S_ISGID; ++} ++EXPORT_SYMBOL(mode_strip_sgid); +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 85ba7c86b25f..297ada3a4dcd 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1618,6 +1618,7 @@ extern struct dentry *vfs_tmpfile(struct dentry *dentry, umode_t mode, + extern void inode_init_owner(struct inode *inode, const struct inode *dir, + umode_t mode); + extern bool may_open_dev(const struct path *path); ++ + /* + * VFS FS_IOC_FIEMAP helper definitions. + */ +@@ -1632,6 +1633,8 @@ int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical, + u64 phys, u64 len, u32 flags); + int fiemap_check_flags(struct fiemap_extent_info *fieinfo, u32 fs_flags); + ++umode_t mode_strip_sgid(const struct inode *dir, umode_t mode); ++ + /* + * File types + * +-- +2.35.3 + diff --git a/patches.suse/fs-move-S_ISGID-stripping-into-the-vfs_-helpers.patch b/patches.suse/fs-move-S_ISGID-stripping-into-the-vfs_-helpers.patch new file mode 100644 index 0000000..9d227b8 --- /dev/null +++ b/patches.suse/fs-move-S_ISGID-stripping-into-the-vfs_-helpers.patch @@ -0,0 +1,364 @@ +From 1639a49ccdce58ea248841ed9b23babcce6dbb0b Mon Sep 17 00:00:00 2001 +From: Yang Xu +Date: Thu, 14 Jul 2022 14:11:27 +0800 +Subject: [PATCH] fs: move S_ISGID stripping into the vfs_*() helpers +Git-commit: 1639a49ccdce58ea248841ed9b23babcce6dbb0b +Patch-mainline: v6.0-rc1 +References: bsc#1198702 CVE-2021-4037 + +Move setgid handling out of individual filesystems and into the VFS +itself to stop the proliferation of setgid inheritance bugs. + +Creating files that have both the S_IXGRP and S_ISGID bit raised in +directories that themselves have the S_ISGID bit set requires additional +privileges to avoid security issues. + +When a filesystem creates a new inode it needs to take care that the +caller is either in the group of the newly created inode or they have +CAP_FSETID in their current user namespace and are privileged over the +parent directory of the new inode. If any of these two conditions is +true then the S_ISGID bit can be raised for an S_IXGRP file and if not +it needs to be stripped. + +However, there are several key issues with the current implementation: + +* S_ISGID stripping logic is entangled with umask stripping. + + If a filesystem doesn't support or enable POSIX ACLs then umask + stripping is done directly in the vfs before calling into the + filesystem. + If the filesystem does support POSIX ACLs then unmask stripping may be + done in the filesystem itself when calling posix_acl_create(). + + Since umask stripping has an effect on S_ISGID inheritance, e.g., by + stripping the S_IXGRP bit from the file to be created and all relevant + filesystems have to call posix_acl_create() before inode_init_owner() + where we currently take care of S_ISGID handling S_ISGID handling is + order dependent. IOW, whether or not you get a setgid bit depends on + POSIX ACLs and umask and in what order they are called. + + Note that technically filesystems are free to impose their own + ordering between posix_acl_create() and inode_init_owner() meaning + that there's additional ordering issues that influence S_SIGID + inheritance. + +* Filesystems that don't rely on inode_init_owner() don't get S_ISGID + stripping logic. + + While that may be intentional (e.g. network filesystems might just + defer setgid stripping to a server) it is often just a security issue. + +This is not just ugly it's unsustainably messy especially since we do +still have bugs in this area years after the initial round of setgid +bugfixes. + +So the current state is quite messy and while we won't be able to make +it completely clean as posix_acl_create() is still a filesystem specific +call we can improve the S_SIGD stripping situation quite a bit by +hoisting it out of inode_init_owner() and into the vfs creation +operations. This means we alleviate the burden for filesystems to handle +S_ISGID stripping correctly and can standardize the ordering between +S_ISGID and umask stripping in the vfs. + +We add a new helper vfs_prepare_mode() so S_ISGID handling is now done +in the VFS before umask handling. This has S_ISGID handling is +unaffected unaffected by whether umask stripping is done by the VFS +itself (if no POSIX ACLs are supported or enabled) or in the filesystem +in posix_acl_create() (if POSIX ACLs are supported). + +The vfs_prepare_mode() helper is called directly in vfs_*() helpers that +create new filesystem objects. We need to move them into there to make +sure that filesystems like overlayfs hat have callchains like: + +sys_mknod() +-> do_mknodat(mode) + -> .mknod = ovl_mknod(mode) + -> ovl_create(mode) + -> vfs_mknod(mode) + +get S_ISGID stripping done when calling into lower filesystems via +vfs_*() creation helpers. Moving vfs_prepare_mode() into e.g. +vfs_mknod() takes care of that. This is in any case semantically cleaner +because S_ISGID stripping is VFS security requirement. + +Security hooks so far have seen the mode with the umask applied but +without S_ISGID handling done. The relevant hooks are called outside of +vfs_*() creation helpers so by calling vfs_prepare_mode() from vfs_*() +helpers the security hooks would now see the mode without umask +stripping applied. For now we fix this by passing the mode with umask +settings applied to not risk any regressions for LSM hooks. IOW, nothing +changes for LSM hooks. It is worth pointing out that security hooks +never saw the mode that is seen by the filesystem when actually creating +the file. They have always been completely misplaced for that to work. + +The following filesystems use inode_init_owner() and thus relied on +S_ISGID stripping: spufs, 9p, bfs, btrfs, ext2, ext4, f2fs, hfsplus, +hugetlbfs, jfs, minix, nilfs2, ntfs3, ocfs2, omfs, overlayfs, ramfs, +reiserfs, sysv, ubifs, udf, ufs, xfs, zonefs, bpf, tmpfs. + +All of the above filesystems end up calling inode_init_owner() when new +filesystem objects are created through the ->mkdir(), ->mknod(), +->create(), ->tmpfile(), ->rename() inode operations. + +Since directories always inherit the S_ISGID bit with the exception of +xfs when irix_sgid_inherit mode is turned on S_ISGID stripping doesn't +apply. The ->symlink() and ->link() inode operations trivially inherit +the mode from the target and the ->rename() inode operation inherits the +mode from the source inode. All other creation inode operations will get +S_ISGID handling via vfs_prepare_mode() when called from their relevant +vfs_*() helpers. + +In addition to this there are filesystems which allow the creation of +filesystem objects through ioctl()s or - in the case of spufs - +circumventing the vfs in other ways. If filesystem objects are created +through ioctl()s the vfs doesn't know about it and can't apply regular +permission checking including S_ISGID logic. Therfore, a filesystem +relying on S_ISGID stripping in inode_init_owner() in their ioctl() +callpath will be affected by moving this logic into the vfs. We audited +those filesystems: + +* btrfs allows the creation of filesystem objects through various + ioctls(). Snapshot creation literally takes a snapshot and so the mode + is fully preserved and S_ISGID stripping doesn't apply. + + Creating a new subvolum relies on inode_init_owner() in + btrfs_new_subvol_inode() but only creates directories and doesn't + raise S_ISGID. + +* ocfs2 has a peculiar implementation of reflinks. In contrast to e.g. + xfs and btrfs FICLONE/FICLONERANGE ioctl() that is only concerned with + the actual extents ocfs2 uses a separate ioctl() that also creates the + target file. + + Iow, ocfs2 circumvents the vfs entirely here and did indeed rely on + inode_init_owner() to strip the S_ISGID bit. This is the only place + where a filesystem needs to call mode_strip_sgid() directly but this + is self-inflicted pain. + +* spufs doesn't go through the vfs at all and doesn't use ioctl()s + either. Instead it has a dedicated system call spufs_create() which + allows the creation of filesystem objects. But spufs only creates + directories and doesn't allo S_SIGID bits, i.e. it specifically only + allows 0777 bits. + +* bpf uses vfs_mkobj() but also doesn't allow S_ISGID bits to be created. + +The patch will have an effect on ext2 when the EXT2_MOUNT_GRPID mount +option is used, on ext4 when the EXT4_MOUNT_GRPID mount option is used, +and on xfs when the XFS_FEAT_GRPID mount option is used. When any of +these filesystems are mounted with their respective GRPID option then +newly created files inherit the parent directories group +unconditionally. In these cases non of the filesystems call +inode_init_owner() and thus did never strip the S_ISGID bit for newly +created files. Moving this logic into the VFS means that they now get +the S_ISGID bit stripped. This is a user visible change. If this leads +to regressions we will either need to figure out a better way or we need +to revert. However, given the various setgid bugs that we found just in +the last two years this is a regression risk we should take. + +Associated with this change is a new set of fstests to enforce the +semantics for all new filesystems. + +Link: https://lore.kernel.org/ceph-devel/20220427092201.wvsdjbnc7b4dttaw@wittgenstein [1] +Link: e014f37db1a2 ("xfs: use setattr_copy to set vfs inode attributes") [2] +Link: 01ea173e103e ("xfs: fix up non-directory creation in SGID directories") [3] +Link: fd84bfdddd16 ("ceph: fix up non-directory creation in SGID directories") [4] +Link: https://lore.kernel.org/r/1657779088-2242-3-git-send-email-xuyang2018.jy@fujitsu.com +Suggested-by: Dave Chinner +Suggested-by: Christian Brauner (Microsoft) +Reviewed-by: Darrick J. Wong +Reviewed-and-tested-by: Jeff Layton +Signed-off-by: Yang Xu +[: rewrote commit message] +Signed-off-by: Christian Brauner (Microsoft) +Acked-by: Anthony Iliopoulos + +--- + fs/inode.c | 2 - + fs/namei.c | 95 +++++++++++++++++++++++++++++++++++++++++------- + fs/ocfs2/namei.c | 1 + + 3 files changed, 83 insertions(+), 15 deletions(-) + +diff --git a/fs/inode.c b/fs/inode.c +index a707346538af..3c22db68fc37 100644 +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -2007,8 +2007,6 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, + /* Directories are special, and always inherit S_ISGID */ + if (S_ISDIR(mode)) + mode |= S_ISGID; +- else +- mode = mode_strip_sgid(dir, mode); + } else + inode->i_gid = current_fsgid(); + inode->i_mode = mode; +diff --git a/fs/namei.c b/fs/namei.c +index a1f574d8d457..5e42b4ac6258 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -2932,6 +2932,78 @@ void unlock_rename(struct dentry *p1, struct dentry *p2) + } + EXPORT_SYMBOL(unlock_rename); + ++/** ++ * mode_strip_umask - handle vfs umask stripping ++ * @dir: parent directory of the new inode ++ * @mode: mode of the new inode to be created in @dir ++ * ++ * Umask stripping depends on whether or not the filesystem supports POSIX ++ * ACLs. If the filesystem doesn't support it umask stripping is done directly ++ * in here. If the filesystem does support POSIX ACLs umask stripping is ++ * deferred until the filesystem calls posix_acl_create(). ++ * ++ * Returns: mode ++ */ ++static inline umode_t mode_strip_umask(const struct inode *dir, umode_t mode) ++{ ++ if (!IS_POSIXACL(dir)) ++ mode &= ~current_umask(); ++ return mode; ++} ++ ++/** ++ * vfs_prepare_mode - prepare the mode to be used for a new inode ++ * @dir: parent directory of the new inode ++ * @mode: mode of the new inode ++ * @mask_perms: allowed permission by the vfs ++ * @type: type of file to be created ++ * ++ * This helper consolidates and enforces vfs restrictions on the @mode of a new ++ * object to be created. ++ * ++ * Umask stripping depends on whether the filesystem supports POSIX ACLs (see ++ * the kernel documentation for mode_strip_umask()). Moving umask stripping ++ * after setgid stripping allows the same ordering for both non-POSIX ACL and ++ * POSIX ACL supporting filesystems. ++ * ++ * Note that it's currently valid for @type to be 0 if a directory is created. ++ * Filesystems raise that flag individually and we need to check whether each ++ * filesystem can deal with receiving S_IFDIR from the vfs before we enforce a ++ * non-zero type. ++ * ++ * Returns: mode to be passed to the filesystem ++ */ ++static inline umode_t vfs_prepare_mode(const struct inode *dir, umode_t mode, ++ umode_t mask_perms, umode_t type) ++{ ++ mode = mode_strip_sgid(dir, mode); ++ mode = mode_strip_umask(dir, mode); ++ ++ /* ++ * Apply the vfs mandated allowed permission mask and set the type of ++ * file to be created before we call into the filesystem. ++ */ ++ mode &= (mask_perms & ~S_IFMT); ++ mode |= (type & S_IFMT); ++ ++ return mode; ++} ++ ++/** ++ * vfs_create - create new file ++ * @dir: inode of @dentry ++ * @dentry: pointer to dentry of the base directory ++ * @mode: mode of the new file ++ * @want_excl: whether the file must not yet exist ++ * ++ * Create a new file. ++ * ++ * If the inode has been found through an idmapped mount the user namespace of ++ * the vfsmount must be passed through @mnt_userns. This function will then take ++ * care to map the inode according to @mnt_userns before checking permissions. ++ * On non-idmapped mounts or if permission checking is to be performed on the ++ * raw inode simply passs init_user_ns. ++ */ + int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode, + bool want_excl) + { +@@ -2941,8 +3013,8 @@ int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode, + + if (!dir->i_op->create) + return -EACCES; /* shouldn't it be ENOSYS? */ +- mode &= S_IALLUGO; +- mode |= S_IFREG; ++ ++ mode = vfs_prepare_mode(dir, mode, S_IALLUGO, S_IFREG); + error = security_inode_create(dir, dentry, mode); + if (error) + return error; +@@ -3196,8 +3268,7 @@ static int lookup_open(struct nameidata *nd, struct path *path, + * O_EXCL open we want to return EEXIST not EROFS). + */ + if (open_flag & O_CREAT) { +- if (!IS_POSIXACL(dir->d_inode)) +- mode &= ~current_umask(); ++ mode = vfs_prepare_mode(dir->d_inode, mode, mode, mode); + if (unlikely(!got_write)) { + create_error = -EROFS; + open_flag &= ~O_CREAT; +@@ -3475,8 +3546,7 @@ struct dentry *vfs_tmpfile(struct dentry *dentry, umode_t mode, int open_flag) + child = d_alloc(dentry, &name); + if (unlikely(!child)) + goto out_err; +- if (!IS_POSIXACL(dir)) +- mode &= ~current_umask(); ++ mode = vfs_prepare_mode(dir, mode, mode, mode); + error = dir->i_op->tmpfile(dir, child, mode); + if (error) + goto out_err; +@@ -3758,6 +3828,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) + if (!dir->i_op->mknod) + return -EPERM; + ++ mode = vfs_prepare_mode(dir, mode, mode, mode); + error = devcgroup_inode_mknod(mode, dev); + if (error) + return error; +@@ -3806,9 +3877,8 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + +- if (!IS_POSIXACL(path.dentry->d_inode)) +- mode &= ~current_umask(); +- error = security_path_mknod(&path, dentry, mode, dev); ++ error = security_path_mknod(&path, dentry, ++ mode_strip_umask(path.dentry->d_inode, mode), dev); + if (error) + goto out; + switch (mode & S_IFMT) { +@@ -3850,7 +3920,7 @@ int vfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) + if (!dir->i_op->mkdir) + return -EPERM; + +- mode &= (S_IRWXUGO|S_ISVTX); ++ mode = vfs_prepare_mode(dir, mode, S_IRWXUGO | S_ISVTX, 0); + error = security_inode_mkdir(dir, dentry, mode); + if (error) + return error; +@@ -3877,9 +3947,8 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode) + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + +- if (!IS_POSIXACL(path.dentry->d_inode)) +- mode &= ~current_umask(); +- error = security_path_mkdir(&path, dentry, mode); ++ error = security_path_mkdir(&path, dentry, ++ mode_strip_umask(path.dentry->d_inode, mode)); + if (!error) + error = vfs_mkdir(path.dentry->d_inode, dentry, mode); + done_path_create(&path, dentry); +diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c +index c801eddc4bf3..200959c7ca86 100644 +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -212,6 +212,7 @@ static struct inode *ocfs2_get_init_inode(struct inode *dir, umode_t mode) + * callers. */ + if (S_ISDIR(mode)) + set_nlink(inode, 2); ++ mode = mode_strip_sgid(dir, mode); + inode_init_owner(inode, dir, mode); + status = dquot_initialize(inode); + if (status) +-- +2.35.3 + diff --git a/patches.suse/ftrace-Fix-char-print-issue-in-print_ip_ins.patch b/patches.suse/ftrace-Fix-char-print-issue-in-print_ip_ins.patch new file mode 100644 index 0000000..2b62bd4 --- /dev/null +++ b/patches.suse/ftrace-Fix-char-print-issue-in-print_ip_ins.patch @@ -0,0 +1,53 @@ +From: Zheng Yejian +Date: Tue, 11 Oct 2022 12:03:52 +0000 +Subject: ftrace: Fix char print issue in print_ip_ins() +Git-commit: 30f7d1cac2aab8fec560a388ad31ca5e5d04a822 +Patch-mainline: v6.1-rc1 +References: git-fixes + +When ftrace bug happened, following log shows every hex data in +problematic ip address: + actual: ffffffe8:6b:ffffffd9:01:21 + +But so many 'f's seem a little confusing, and that is because format +'%x' being used to print signed chars in array 'ins'. As suggested +by Joe, change to use format "%*phC" to print array 'ins'. + +After this patch, the log is like: + actual: e8:6b:d9:01:21 + +Link: https://lkml.kernel.org/r/20221011120352.1878494-1-zhengyejian1@huawei.com + +Fixes: 6c14133d2d3f ("ftrace: Do not blindly read the ip address in ftrace_bug()") +Suggested-by: Joe Perches +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Acked-by: Petr Pavlu +--- + kernel/trace/ftrace.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 83362a155791..75c16215d065 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -2028,7 +2028,6 @@ static int ftrace_hash_ipmodify_update(struct ftrace_ops *ops, + static void print_ip_ins(const char *fmt, const unsigned char *p) + { + char ins[MCOUNT_INSN_SIZE]; +- int i; + + if (probe_kernel_read(ins, p, MCOUNT_INSN_SIZE)) { + printk(KERN_CONT "%s[FAULT] %px\n", fmt, p); +@@ -2036,9 +2035,7 @@ static void print_ip_ins(const char *fmt, const unsigned char *p) + } + + printk(KERN_CONT "%s", fmt); +- +- for (i = 0; i < MCOUNT_INSN_SIZE; i++) +- printk(KERN_CONT "%s%02x", i ? ":" : "", ins[i]); ++ pr_cont("%*phC", MCOUNT_INSN_SIZE, ins); + } + + static struct ftrace_ops * + diff --git a/patches.suse/i40e-Fix-flow-for-IPv6-next-header-extension-header.patch b/patches.suse/i40e-Fix-flow-for-IPv6-next-header-extension-header.patch new file mode 100644 index 0000000..1787e0a --- /dev/null +++ b/patches.suse/i40e-Fix-flow-for-IPv6-next-header-extension-header.patch @@ -0,0 +1,62 @@ +From fab2bdc84727620e644e637bed88c512b9c05266 Mon Sep 17 00:00:00 2001 +From: Slawomir Laba +Date: Thu, 10 Sep 2020 07:57:04 +0000 +Subject: [PATCH 06/19] i40e: Fix flow for IPv6 next header (extension header) +Git-commit: 92c6058024e87087cf1b99b0389d67c0a886360e +Patch-mainline: v5.12-rc1 +References: git-fixes + +When a packet contains an IPv6 header with next header which is +an extension header and not a protocol one, the kernel function +skb_transport_header called with such sk_buff will return a +pointer to the extension header and not to the TCP one. + +The above explained call caused a problem with packet processing +for skb with encapsulation for tunnel with I40E_TX_CTX_EXT_IP_IPV6. +The extension header was not skipped at all. + +The ipv6_skip_exthdr function does check if next header of the IPV6 +header is an extension header and doesn't modify the l4_proto pointer +if it points to a protocol header value so its safe to omit the +comparison of exthdr and l4.hdr pointers. The ipv6_skip_exthdr can +return value -1. This means that the skipping process failed +and there is something wrong with the packet so it will be dropped. + +Fixes: a3fd9d8876a5 ("i40e/i40evf: Handle IPv6 extension headers in checksum offload") +Signed-off-by: Slawomir Laba +Signed-off-by: Przemyslaw Patynowski +Reviewed-by: Aleksandr Loktionov +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 734d95943967..4cb16178adb9 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -3109,13 +3109,16 @@ static int i40e_tx_enable_csum(struct sk_buff *skb, u32 *tx_flags, + + l4_proto = ip.v4->protocol; + } else if (*tx_flags & I40E_TX_FLAGS_IPV6) { ++ int ret; ++ + tunnel |= I40E_TX_CTX_EXT_IP_IPV6; + + exthdr = ip.hdr + sizeof(*ip.v6); + l4_proto = ip.v6->nexthdr; +- if (l4.hdr != exthdr) +- ipv6_skip_exthdr(skb, exthdr - skb->data, +- &l4_proto, &frag_off); ++ ret = ipv6_skip_exthdr(skb, exthdr - skb->data, ++ &l4_proto, &frag_off); ++ if (ret < 0) ++ return -1; + } + + /* define outer transport */ +-- +2.16.4 + diff --git a/patches.suse/i40e-Fix-overwriting-flow-control-settings-during-dr.patch b/patches.suse/i40e-Fix-overwriting-flow-control-settings-during-dr.patch new file mode 100644 index 0000000..8ee74a5 --- /dev/null +++ b/patches.suse/i40e-Fix-overwriting-flow-control-settings-during-dr.patch @@ -0,0 +1,87 @@ +From 8914049573a85f410cb230f7155bf45e41a5e54b Mon Sep 17 00:00:00 2001 +From: Mateusz Palczewski +Date: Tue, 24 Nov 2020 15:08:27 +0000 +Subject: [PATCH 07/19] i40e: Fix overwriting flow control settings during + driver loading +Git-commit: 4cdb9f80dcd46aab3c0020b4a6920c22735c5d6e +Patch-mainline: v5.12-rc1 +References: git-fixes + +During driver loading flow control settings were written to FW +using a variable which was always zero, since it was being set +only by ethtool. This behavior has been corrected and driver +no longer overwrites the default FW/NVM settings. + +Fixes: 373149fc99a0 ("i40e: Decrease the scope of rtnl lock") +Signed-off-by: Dawid Lukwinski +Signed-off-by: Mateusz Palczewski +Reviewed-by: Aleksandr Loktionov +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 27 --------------------------- + 1 file changed, 27 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 682b9b342c4f..2a7697c4c935 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -9617,7 +9617,6 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired) + int old_recovery_mode_bit = test_bit(__I40E_RECOVERY_MODE, pf->state); + struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi]; + struct i40e_hw *hw = &pf->hw; +- u8 set_fc_aq_fail = 0; + i40e_status ret; + u32 val; + int v; +@@ -9737,13 +9736,6 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired) + i40e_stat_str(&pf->hw, ret), + i40e_aq_str(&pf->hw, pf->hw.aq.asq_last_status)); + +- /* make sure our flow control settings are restored */ +- ret = i40e_set_fc(&pf->hw, &set_fc_aq_fail, true); +- if (ret) +- dev_dbg(&pf->pdev->dev, "setting flow control: ret = %s last_status = %s\n", +- i40e_stat_str(&pf->hw, ret), +- i40e_aq_str(&pf->hw, pf->hw.aq.asq_last_status)); +- + /* Rebuild the VSIs and VEBs that existed before reset. + * They are still in our local switch element arrays, so only + * need to rebuild the switch model in the HW. +@@ -14354,7 +14346,6 @@ static int i40e_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + int err; + u32 val; + u32 i; +- u8 set_fc_aq_fail; + + err = pci_enable_device_mem(pdev); + if (err) +@@ -14653,24 +14644,6 @@ static int i40e_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + } + INIT_LIST_HEAD(&pf->vsi[pf->lan_vsi]->ch_list); + +- /* Make sure flow control is set according to current settings */ +- err = i40e_set_fc(hw, &set_fc_aq_fail, true); +- if (set_fc_aq_fail & I40E_SET_FC_AQ_FAIL_GET) +- dev_dbg(&pf->pdev->dev, +- "Set fc with err %s aq_err %s on get_phy_cap\n", +- i40e_stat_str(hw, err), +- i40e_aq_str(hw, hw->aq.asq_last_status)); +- if (set_fc_aq_fail & I40E_SET_FC_AQ_FAIL_SET) +- dev_dbg(&pf->pdev->dev, +- "Set fc with err %s aq_err %s on set_phy_config\n", +- i40e_stat_str(hw, err), +- i40e_aq_str(hw, hw->aq.asq_last_status)); +- if (set_fc_aq_fail & I40E_SET_FC_AQ_FAIL_UPDATE) +- dev_dbg(&pf->pdev->dev, +- "Set fc with err %s aq_err %s on get_link_info\n", +- i40e_stat_str(hw, err), +- i40e_aq_str(hw, hw->aq.asq_last_status)); +- + /* if FDIR VSI was set up, start it now */ + for (i = 0; i < pf->num_alloc_vsi; i++) { + if (pf->vsi[i] && pf->vsi[i]->type == I40E_VSI_FDIR) { +-- +2.16.4 + diff --git a/patches.suse/i40e-improve-locking-of-mac_filter_hash.patch b/patches.suse/i40e-improve-locking-of-mac_filter_hash.patch new file mode 100644 index 0000000..62b91c0 --- /dev/null +++ b/patches.suse/i40e-improve-locking-of-mac_filter_hash.patch @@ -0,0 +1,85 @@ +From b0706e5a21bb73b6e5c858ccc24eab53ee450a8b Mon Sep 17 00:00:00 2001 +From: Stefan Assmann +Date: Thu, 4 Mar 2021 10:34:30 +0100 +Subject: [PATCH 7/7] i40e: improve locking of mac_filter_hash +Git-commit: 8b4b06919fd66caf49fdf4fe59f9d6312cf7956d +Patch-mainline: v5.15-rc1 +References: git-fixes + +i40e_config_vf_promiscuous_mode() calls +i40e_getnum_vf_vsi_vlan_filters() without acquiring the +mac_filter_hash_lock spinlock. + +This is unsafe because mac_filter_hash may get altered in another thread +while i40e_getnum_vf_vsi_vlan_filters() traverses the hashes. + +Simply adding the spinlock in i40e_getnum_vf_vsi_vlan_filters() is not +possible as it already gets called in i40e_get_vlan_list_sync() with the +spinlock held. Therefore adding a wrapper that acquires the spinlock and +call the correct function where appropriate. + +Fixes: 37d318d7805f ("i40e: Remove scheduling while atomic possibility") +Fix-suggested-by: Paolo Abeni +Signed-off-by: Stefan Assmann +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 23 +++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index ec133b017f6b..a166494d249a 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -1133,12 +1133,12 @@ static int i40e_quiesce_vf_pci(struct i40e_vf *vf) + } + + /** +- * i40e_getnum_vf_vsi_vlan_filters ++ * __i40e_getnum_vf_vsi_vlan_filters + * @vsi: pointer to the vsi + * + * called to get the number of VLANs offloaded on this VF + **/ +-static int i40e_getnum_vf_vsi_vlan_filters(struct i40e_vsi *vsi) ++static int __i40e_getnum_vf_vsi_vlan_filters(struct i40e_vsi *vsi) + { + struct i40e_mac_filter *f; + u16 num_vlans = 0, bkt; +@@ -1151,6 +1151,23 @@ static int i40e_getnum_vf_vsi_vlan_filters(struct i40e_vsi *vsi) + return num_vlans; + } + ++/** ++ * i40e_getnum_vf_vsi_vlan_filters ++ * @vsi: pointer to the vsi ++ * ++ * wrapper for __i40e_getnum_vf_vsi_vlan_filters() with spinlock held ++ **/ ++static int i40e_getnum_vf_vsi_vlan_filters(struct i40e_vsi *vsi) ++{ ++ int num_vlans; ++ ++ spin_lock_bh(&vsi->mac_filter_hash_lock); ++ num_vlans = __i40e_getnum_vf_vsi_vlan_filters(vsi); ++ spin_unlock_bh(&vsi->mac_filter_hash_lock); ++ ++ return num_vlans; ++} ++ + /** + * i40e_get_vlan_list_sync + * @vsi: pointer to the VSI +@@ -1168,7 +1185,7 @@ static void i40e_get_vlan_list_sync(struct i40e_vsi *vsi, u16 *num_vlans, + int bkt; + + spin_lock_bh(&vsi->mac_filter_hash_lock); +- *num_vlans = i40e_getnum_vf_vsi_vlan_filters(vsi); ++ *num_vlans = __i40e_getnum_vf_vsi_vlan_filters(vsi); + *vlan_list = kcalloc(*num_vlans, sizeof(**vlan_list), GFP_ATOMIC); + if (!(*vlan_list)) + goto err; +-- +2.16.4 + diff --git a/patches.suse/memcg-kmem-do-not-fail-__GFP_NOFAIL-charges.patch b/patches.suse/memcg-kmem-do-not-fail-__GFP_NOFAIL-charges.patch new file mode 100644 index 0000000..3e7e950 --- /dev/null +++ b/patches.suse/memcg-kmem-do-not-fail-__GFP_NOFAIL-charges.patch @@ -0,0 +1,87 @@ +From: Michal Hocko +Date: Wed, 25 Sep 2019 16:45:53 -0700 +Subject: memcg, kmem: do not fail __GFP_NOFAIL charges +Git-commit: e55d9d9bfb69405bd7615c0f8d229d8fafb3e9b8 +Patch-mainline: v5.4-rc1 +References: bsc#1204755 + +Thomas has noticed the following NULL ptr dereference when using cgroup +v1 kmem limit: +BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 +PGD 0 +P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 3 PID: 16923 Comm: gtk-update-icon Not tainted 4.19.51 #42 +Hardware name: Gigabyte Technology Co., Ltd. Z97X-Gaming G1/Z97X-Gaming G1, BIOS F9 07/31/2015 +RIP: 0010:create_empty_buffers+0x24/0x100 +Code: cd 0f 1f 44 00 00 0f 1f 44 00 00 41 54 49 89 d4 ba 01 00 00 00 55 53 48 89 fb e8 97 fe ff ff 48 89 c5 48 89 c2 eb 03 48 89 ca <48> 8b 4a 08 4c 09 22 48 85 c9 75 f1 48 89 6a 08 48 8b 43 18 48 8d +RSP: 0018:ffff927ac1b37bf8 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: fffff2d4429fd740 RCX: 0000000100097149 +RDX: 0000000000000000 RSI: 0000000000000082 RDI: ffff9075a99fbe00 +RBP: 0000000000000000 R08: fffff2d440949cc8 R09: 00000000000960c0 +R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000 +R13: ffff907601f18360 R14: 0000000000002000 R15: 0000000000001000 +FS: 00007fb55b288bc0(0000) GS:ffff90761f8c0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000008 CR3: 000000007aebc002 CR4: 00000000001606e0 +Call Trace: + create_page_buffers+0x4d/0x60 + __block_write_begin_int+0x8e/0x5a0 + ? ext4_inode_attach_jinode.part.82+0xb0/0xb0 + ? jbd2__journal_start+0xd7/0x1f0 + ext4_da_write_begin+0x112/0x3d0 + generic_perform_write+0xf1/0x1b0 + ? file_update_time+0x70/0x140 + __generic_file_write_iter+0x141/0x1a0 + ext4_file_write_iter+0xef/0x3b0 + __vfs_write+0x17e/0x1e0 + vfs_write+0xa5/0x1a0 + ksys_write+0x57/0xd0 + do_syscall_64+0x55/0x160 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Tetsuo then noticed that this is because the __memcg_kmem_charge_memcg +fails __GFP_NOFAIL charge when the kmem limit is reached. This is a wrong +behavior because nofail allocations are not allowed to fail. Normal +charge path simply forces the charge even if that means to cross the +limit. Kmem accounting should be doing the same. + +Link: http://lkml.kernel.org/r/20190906125608.32129-1-mhocko@kernel.org +Signed-off-by: Michal Hocko +Reported-by: Thomas Lindroth +Debugged-by: Tetsuo Handa +Cc: Johannes Weiner +Cc: Vladimir Davydov +Cc: Andrey Ryabinin +Cc: Thomas Lindroth +Cc: Shakeel Butt +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Michal Koutný +--- + mm/memcontrol.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 2156ef775d04..c313c49074ca 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2943,6 +2943,16 @@ int __memcg_kmem_charge_memcg(struct page *page, gfp_t gfp, int order, + + if (!cgroup_subsys_on_dfl(memory_cgrp_subsys) && + !page_counter_try_charge(&memcg->kmem, nr_pages, &counter)) { ++ ++ /* ++ * Enforce __GFP_NOFAIL allocation because callers are not ++ * prepared to see failures and likely do not have any failure ++ * handling code. ++ */ ++ if (gfp & __GFP_NOFAIL) { ++ page_counter_charge(&memcg->kmem, nr_pages); ++ return 0; ++ } + cancel_charge(memcg, nr_pages); + return -ENOMEM; + } + diff --git a/patches.suse/net-amd-xgbe-Fix-NETDEV-WATCHDOG-transmit-queue-time.patch b/patches.suse/net-amd-xgbe-Fix-NETDEV-WATCHDOG-transmit-queue-time.patch new file mode 100644 index 0000000..f53ee39 --- /dev/null +++ b/patches.suse/net-amd-xgbe-Fix-NETDEV-WATCHDOG-transmit-queue-time.patch @@ -0,0 +1,78 @@ +From 7f63d423ecb449dd00ded989b740328775e27e9a Mon Sep 17 00:00:00 2001 +From: Shyam Sundar S K +Date: Wed, 17 Feb 2021 00:37:08 +0530 +Subject: [PATCH 02/19] net: amd-xgbe: Fix NETDEV WATCHDOG transmit queue + timeout warning +Git-commit: 186edbb510bd60e748f93975989ccba25ee99c50 +Patch-mainline: v5.12-rc1 +References: git-fixes + +The current driver calls netif_carrier_off() late in the link tear down +which can result in a netdev watchdog timeout. + +Calling netif_carrier_off() immediately after netif_tx_stop_all_queues() +avoids the warning. + + ------------[ cut here ]------------ + NETDEV WATCHDOG: enp3s0f2 (amd-xgbe): transmit queue 0 timed out + WARNING: CPU: 3 PID: 0 at net/sched/sch_generic.c:461 dev_watchdog+0x20d/0x220 + Modules linked in: amd_xgbe(E) amd-xgbe 0000:03:00.2 enp3s0f2: Link is Down + CPU: 3 PID: 0 Comm: swapper/3 Tainted: G E + Hardware name: AMD Bilby-RV2/Bilby-RV2, BIOS RBB1202A 10/18/2019 + RIP: 0010:dev_watchdog+0x20d/0x220 + Code: 00 49 63 4e e0 eb 92 4c 89 e7 c6 05 c6 e2 c1 00 01 e8 e7 ce fc ff 89 d9 48 + RSP: 0018:ffff90cfc28c3e88 EFLAGS: 00010286 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006 + RDX: 0000000000000007 RSI: 0000000000000086 RDI: ffff90cfc28d63c0 + RBP: ffff90cfb977845c R08: 0000000000000050 R09: 0000000000196018 + R10: ffff90cfc28c3ef8 R11: 0000000000000000 R12: ffff90cfb9778000 + R13: 0000000000000003 R14: ffff90cfb9778480 R15: 0000000000000010 + FS: 0000000000000000(0000) GS:ffff90cfc28c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f240ff2d9d0 CR3: 00000001e3e0a000 CR4: 00000000003406e0 + Call Trace: + + ? pfifo_fast_reset+0x100/0x100 + call_timer_fn+0x2b/0x130 + run_timer_softirq+0x3e8/0x440 + ? enqueue_hrtimer+0x39/0x90 + +Fixes: e722ec82374b ("amd-xgbe: Update the BelFuse quirk to support SGMII") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Signed-off-by: Shyam Sundar S K +Acked-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 1 + + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 4f12e5232650..a1067c881053 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1445,6 +1445,7 @@ static void xgbe_stop(struct xgbe_prv_data *pdata) + return; + + netif_tx_stop_all_queues(netdev); ++ netif_carrier_off(pdata->netdev); + + xgbe_stop_timers(pdata); + flush_workqueue(pdata->dev_workqueue); +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index 8a3a60bb2688..4d5506d92897 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -1396,7 +1396,6 @@ static void xgbe_phy_stop(struct xgbe_prv_data *pdata) + pdata->phy_if.phy_impl.stop(pdata); + + pdata->phy.link = 0; +- netif_carrier_off(pdata->netdev); + + xgbe_phy_adjust_link(pdata); + } +-- +2.16.4 + diff --git a/patches.suse/net-amd-xgbe-Fix-network-fluctuations-when-using-1G-.patch b/patches.suse/net-amd-xgbe-Fix-network-fluctuations-when-using-1G-.patch new file mode 100644 index 0000000..b2b288d --- /dev/null +++ b/patches.suse/net-amd-xgbe-Fix-network-fluctuations-when-using-1G-.patch @@ -0,0 +1,41 @@ +From ae92baa40e56fd2d6dabf451fa6a2289f0d10c36 Mon Sep 17 00:00:00 2001 +From: Shyam Sundar S K +Date: Wed, 17 Feb 2021 00:37:10 +0530 +Subject: [PATCH 04/19] net: amd-xgbe: Fix network fluctuations when using 1G + BELFUSE SFP +Git-commit: 9eab3fdb419916f66a72d1572f68d82cd9b3f963 +Patch-mainline: v5.12-rc1 +References: git-fixes + +Frequent link up/down events can happen when a Bel Fuse SFP part is +connected to the amd-xgbe device. Try to avoid the frequent link +issues by resetting the PHY as documented in Bel Fuse SFP datasheets. + +Fixes: e722ec82374b ("amd-xgbe: Update the BelFuse quirk to support SGMII") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Signed-off-by: Shyam Sundar S K +Acked-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index ee6c92eb2fda..726f4cbd6846 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -912,6 +912,9 @@ static bool xgbe_phy_belfuse_phy_quirks(struct xgbe_prv_data *pdata) + if ((phy_id & 0xfffffff0) != 0x03625d10) + return false; + ++ /* Reset PHY - wait for self-clearing reset bit to clear */ ++ genphy_soft_reset(phy_data->phydev); ++ + /* Disable RGMII mode */ + phy_write(phy_data->phydev, 0x18, 0x7007); + reg = phy_read(phy_data->phydev, 0x18); +-- +2.16.4 + diff --git a/patches.suse/net-amd-xgbe-Reset-link-when-the-link-never-comes-ba.patch b/patches.suse/net-amd-xgbe-Reset-link-when-the-link-never-comes-ba.patch new file mode 100644 index 0000000..1977193 --- /dev/null +++ b/patches.suse/net-amd-xgbe-Reset-link-when-the-link-never-comes-ba.patch @@ -0,0 +1,66 @@ +From d6bec23f35940b40ad19ebf7684ab8991a43823f Mon Sep 17 00:00:00 2001 +From: Shyam Sundar S K +Date: Wed, 17 Feb 2021 00:37:09 +0530 +Subject: [PATCH 03/19] net: amd-xgbe: Reset link when the link never comes + back +Git-commit: 84fe68eb67f9499309cffd97c1ba269de125ff14 +Patch-mainline: v5.12-rc1 +References: git-fixes + +Normally, auto negotiation and reconnect should be automatically done by +the hardware. But there seems to be an issue where auto negotiation has +to be restarted manually. This happens because of link training and so +even though still connected to the partner the link never "comes back". +This needs an auto-negotiation restart. + +Also, a change in xgbe-mdio is needed to get ethtool to recognize the +link down and get the link change message. This change is only +required in a backplane connection mode. + +Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Signed-off-by: Shyam Sundar S K +Acked-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 2 +- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index 4d5506d92897..156a0bc8ab01 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -1345,7 +1345,7 @@ static void xgbe_phy_status(struct xgbe_prv_data *pdata) + &an_restart); + if (an_restart) { + xgbe_phy_config_aneg(pdata); +- return; ++ goto adjust_link; + } + + if (pdata->phy.link) { +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index b2e98e83639c..ee6c92eb2fda 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -2666,6 +2666,14 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart) + if (reg & MDIO_STAT1_LSTATUS) + return 1; + ++ if (pdata->phy.autoneg == AUTONEG_ENABLE && ++ phy_data->port_mode == XGBE_PORT_MODE_BACKPLANE) { ++ if (!test_bit(XGBE_LINK_INIT, &pdata->dev_state)) { ++ netif_carrier_off(pdata->netdev); ++ *an_restart = 1; ++ } ++ } ++ + /* No link, attempt a receiver reset cycle */ + if (phy_data->rrc_count++ > XGBE_RRC_FREQUENCY) { + phy_data->rrc_count = 0; +-- +2.16.4 + diff --git a/patches.suse/net-dsa-mt7530-add-the-missing-RxUnicast-MIB-counter.patch b/patches.suse/net-dsa-mt7530-add-the-missing-RxUnicast-MIB-counter.patch new file mode 100644 index 0000000..3501a40 --- /dev/null +++ b/patches.suse/net-dsa-mt7530-add-the-missing-RxUnicast-MIB-counter.patch @@ -0,0 +1,33 @@ +From 96a4580d5377c02a157efd6d74466353bb81dcac Mon Sep 17 00:00:00 2001 +From: DENG Qingfang +Date: Fri, 6 Aug 2021 12:05:27 +0800 +Subject: [PATCH 2/7] net: dsa: mt7530: add the missing RxUnicast MIB counter +Git-commit: aff51c5da3208bd164381e1488998667269c6cf4 +Patch-mainline: v5.14-rc6 +References: git-fixes + +Add the missing RxUnicast counter. + +Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch") +Signed-off-by: DENG Qingfang +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/dsa/mt7530.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index b968bc8e2b58..10bc0f3082a7 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -55,6 +55,7 @@ static const struct mt7530_mib_desc mt7530_mib[] = { + MIB_DESC(2, 0x48, "TxBytes"), + MIB_DESC(1, 0x60, "RxDrop"), + MIB_DESC(1, 0x64, "RxFiltering"), ++ MIB_DESC(1, 0x68, "RxUnicast"), + MIB_DESC(1, 0x6c, "RxMulticast"), + MIB_DESC(1, 0x70, "RxBroadcast"), + MIB_DESC(1, 0x74, "RxAlignErr"), +-- +2.16.4 + diff --git a/patches.suse/net-ethernet-ezchip-fix-UAF-in-nps_enet_remove.patch b/patches.suse/net-ethernet-ezchip-fix-UAF-in-nps_enet_remove.patch new file mode 100644 index 0000000..2a9991f --- /dev/null +++ b/patches.suse/net-ethernet-ezchip-fix-UAF-in-nps_enet_remove.patch @@ -0,0 +1,38 @@ +From 873725cfa035a170cbdf7ecc80f6ec72850950a1 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Fri, 18 Jun 2021 19:14:31 +0300 +Subject: [PATCH 19/19] net: ethernet: ezchip: fix UAF in nps_enet_remove +Git-commit: e4b8700e07a86e8eab6916aa5c5ba99042c34089 +Patch-mainline: v5.14-rc1 +References: git-fixes + +priv is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing priv +pointer. So, fix it by moving free_netdev() after netif_napi_del() +call. + +Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/ezchip/nps_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c +index 659f1ad37e96..fbadf08b7c5d 100644 +--- a/drivers/net/ethernet/ezchip/nps_enet.c ++++ b/drivers/net/ethernet/ezchip/nps_enet.c +@@ -658,8 +658,8 @@ static s32 nps_enet_remove(struct platform_device *pdev) + struct nps_enet_priv *priv = netdev_priv(ndev); + + unregister_netdev(ndev); +- free_netdev(ndev); + netif_napi_del(&priv->napi); ++ free_netdev(ndev); + + return 0; + } +-- +2.16.4 + diff --git a/patches.suse/net-lapbether-Prevent-racing-when-checking-whether-t.patch b/patches.suse/net-lapbether-Prevent-racing-when-checking-whether-t.patch new file mode 100644 index 0000000..56811bb --- /dev/null +++ b/patches.suse/net-lapbether-Prevent-racing-when-checking-whether-t.patch @@ -0,0 +1,139 @@ +From 788115e0096a2ed4a47293f0484438b5b17f5b0b Mon Sep 17 00:00:00 2001 +From: Xie He +Date: Wed, 10 Mar 2021 23:23:09 -0800 +Subject: [PATCH 12/19] net: lapbether: Prevent racing when checking whether + the netif is running +Git-commit: 5acd0cfbfbb5a688da1bfb1a2152b0c855115a35 +Patch-mainline: v5.13-rc1 +References: git-fixes + +There are two "netif_running" checks in this driver. One is in +"lapbeth_xmit" and the other is in "lapbeth_rcv". They serve to make +sure that the LAPB APIs called in these functions are called before +"lapb_unregister" is called by the "ndo_stop" function. + +However, these "netif_running" checks are unreliable, because it's +possible that immediately after "netif_running" returns true, "ndo_stop" +is called (which causes "lapb_unregister" to be called). + +This patch adds locking to make sure "lapbeth_xmit" and "lapbeth_rcv" can +reliably check and ensure the netif is running while doing their work. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xie He +Acked-by: Martin Schiller +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/wan/lapbether.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index fd6acf0dcec3..91cfcb98051f 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -56,6 +56,8 @@ struct lapbethdev { + struct list_head node; + struct net_device *ethdev; /* link to ethernet device */ + struct net_device *axdev; /* lapbeth device (lapb#) */ ++ bool up; ++ spinlock_t up_lock; /* Protects "up" */ + }; + + static LIST_HEAD(lapbeth_devices); +@@ -103,8 +105,9 @@ static int lapbeth_rcv(struct sk_buff *skb, struct net_device *dev, struct packe + rcu_read_lock(); + lapbeth = lapbeth_get_x25_dev(dev); + if (!lapbeth) +- goto drop_unlock; +- if (!netif_running(lapbeth->axdev)) ++ goto drop_unlock_rcu; ++ spin_lock_bh(&lapbeth->up_lock); ++ if (!lapbeth->up) + goto drop_unlock; + + len = skb->data[0] + skb->data[1] * 256; +@@ -119,11 +122,14 @@ static int lapbeth_rcv(struct sk_buff *skb, struct net_device *dev, struct packe + goto drop_unlock; + } + out: ++ spin_unlock_bh(&lapbeth->up_lock); + rcu_read_unlock(); + return 0; + drop_unlock: + kfree_skb(skb); + goto out; ++drop_unlock_rcu: ++ rcu_read_unlock(); + drop: + kfree_skb(skb); + return 0; +@@ -151,13 +157,11 @@ static int lapbeth_data_indication(struct net_device *dev, struct sk_buff *skb) + static netdev_tx_t lapbeth_xmit(struct sk_buff *skb, + struct net_device *dev) + { ++ struct lapbethdev *lapbeth = netdev_priv(dev); + int err; + +- /* +- * Just to be *really* sure not to send anything if the interface +- * is down, the ethernet device may have gone. +- */ +- if (!netif_running(dev)) ++ spin_lock_bh(&lapbeth->up_lock); ++ if (!lapbeth->up) + goto drop; + + switch (skb->data[0]) { +@@ -182,6 +186,7 @@ static netdev_tx_t lapbeth_xmit(struct sk_buff *skb, + goto drop; + } + out: ++ spin_unlock_bh(&lapbeth->up_lock); + return NETDEV_TX_OK; + drop: + kfree_skb(skb); +@@ -271,6 +276,7 @@ static const struct lapb_register_struct lapbeth_callbacks = { + */ + static int lapbeth_open(struct net_device *dev) + { ++ struct lapbethdev *lapbeth = netdev_priv(dev); + int err; + + if ((err = lapb_register(dev, &lapbeth_callbacks)) != LAPB_OK) { +@@ -278,13 +284,22 @@ static int lapbeth_open(struct net_device *dev) + return -ENODEV; + } + ++ spin_lock_bh(&lapbeth->up_lock); ++ lapbeth->up = true; ++ spin_unlock_bh(&lapbeth->up_lock); ++ + return 0; + } + + static int lapbeth_close(struct net_device *dev) + { ++ struct lapbethdev *lapbeth = netdev_priv(dev); + int err; + ++ spin_lock_bh(&lapbeth->up_lock); ++ lapbeth->up = false; ++ spin_unlock_bh(&lapbeth->up_lock); ++ + if ((err = lapb_unregister(dev)) != LAPB_OK) + pr_err("lapb_unregister error: %d\n", err); + +@@ -332,6 +347,9 @@ static int lapbeth_new_device(struct net_device *dev) + dev_hold(dev); + lapbeth->ethdev = dev; + ++ lapbeth->up = false; ++ spin_lock_init(&lapbeth->up_lock); ++ + rc = -EIO; + if (register_netdevice(ndev)) + goto fail; +-- +2.16.4 + diff --git a/patches.suse/net-marvell-fix-MVNETA_TX_IN_PRGRS-bit-number.patch b/patches.suse/net-marvell-fix-MVNETA_TX_IN_PRGRS-bit-number.patch new file mode 100644 index 0000000..0ad3096 --- /dev/null +++ b/patches.suse/net-marvell-fix-MVNETA_TX_IN_PRGRS-bit-number.patch @@ -0,0 +1,35 @@ +From ade3c482e7398a61604a9c9549d5f854d9dd9486 Mon Sep 17 00:00:00 2001 +From: Maxim Kiselev +Date: Fri, 20 Aug 2021 18:39:51 +0300 +Subject: [PATCH 6/7] net: marvell: fix MVNETA_TX_IN_PRGRS bit number +Git-commit: 359f4cdd7d78fdf8c098713b05fee950a730f131 +Patch-mainline: v5.14 +References: git-fixes + +According to Armada XP datasheet bit at 0 position is corresponding for +TxInProg indication. + +Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit") +Signed-off-by: Maxim Kiselev +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index b7e0dc3693eb..10fbd54eafbb 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -100,7 +100,7 @@ + #define MVNETA_DESC_SWAP BIT(6) + #define MVNETA_TX_BRST_SZ_MASK(burst) ((burst) << 22) + #define MVNETA_PORT_STATUS 0x2444 +-#define MVNETA_TX_IN_PRGRS BIT(1) ++#define MVNETA_TX_IN_PRGRS BIT(0) + #define MVNETA_TX_FIFO_EMPTY BIT(8) + #define MVNETA_RX_MIN_FRAME_SIZE 0x247c + #define MVNETA_SERDES_CFG 0x24A0 +-- +2.16.4 + diff --git a/patches.suse/net-mlx4-Fix-EEPROM-dump-support.patch b/patches.suse/net-mlx4-Fix-EEPROM-dump-support.patch new file mode 100644 index 0000000..886bd2e --- /dev/null +++ b/patches.suse/net-mlx4-Fix-EEPROM-dump-support.patch @@ -0,0 +1,204 @@ +From 2f7126038cc52b506702bdc7056f36298b8a28ce Mon Sep 17 00:00:00 2001 +From: Vladyslav Tarasiuk +Date: Sun, 9 May 2021 09:43:18 +0300 +Subject: [PATCH 16/19] net/mlx4: Fix EEPROM dump support +Git-commit: db825feefc6868896fed5e361787ba3bee2fd906 +Patch-mainline: v5.13-rc4 +References: git-fixes + +Fix SFP and QSFP* EEPROM queries by setting i2c_address, offset and page +number correctly. For SFP set the following params: +- I2C address for offsets 0-255 is 0x50. For 256-511 - 0x51. +- Page number is zero. +- Offset is 0-255. + +At the same time, QSFP* parameters are different: +- I2C address is always 0x50. +- Page number is not limited to zero. +- Offset is 0-255 for page zero and 128-255 for others. + +To set parameters accordingly to cable used, implement function to query +module ID and implement respective helper functions to set parameters +correctly. + +Fixes: 135dd9594f12 ("net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query") +Signed-off-by: Vladyslav Tarasiuk +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 4 +- + drivers/net/ethernet/mellanox/mlx4/port.c | 107 +++++++++++++++++++++++- + 2 files changed, 104 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index 7a99eb1572fd..6a005014d46a 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -2011,8 +2011,6 @@ static int mlx4_en_set_tunable(struct net_device *dev, + return ret; + } + +-#define MLX4_EEPROM_PAGE_LEN 256 +- + static int mlx4_en_get_module_info(struct net_device *dev, + struct ethtool_modinfo *modinfo) + { +@@ -2047,7 +2045,7 @@ static int mlx4_en_get_module_info(struct net_device *dev, + break; + case MLX4_MODULE_ID_SFP: + modinfo->type = ETH_MODULE_SFF_8472; +- modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN; ++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; + break; + default: + return -EINVAL; +diff --git a/drivers/net/ethernet/mellanox/mlx4/port.c b/drivers/net/ethernet/mellanox/mlx4/port.c +index ba6ac31a339d..256a06b3c096 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/port.c ++++ b/drivers/net/ethernet/mellanox/mlx4/port.c +@@ -1973,6 +1973,7 @@ EXPORT_SYMBOL(mlx4_get_roce_gid_from_slave); + #define I2C_ADDR_LOW 0x50 + #define I2C_ADDR_HIGH 0x51 + #define I2C_PAGE_SIZE 256 ++#define I2C_HIGH_PAGE_SIZE 128 + + /* Module Info Data */ + struct mlx4_cable_info { +@@ -2026,6 +2027,88 @@ static inline const char *cable_info_mad_err_str(u16 mad_status) + return "Unknown Error"; + } + ++static int mlx4_get_module_id(struct mlx4_dev *dev, u8 port, u8 *module_id) ++{ ++ struct mlx4_cmd_mailbox *inbox, *outbox; ++ struct mlx4_mad_ifc *inmad, *outmad; ++ struct mlx4_cable_info *cable_info; ++ int ret; ++ ++ inbox = mlx4_alloc_cmd_mailbox(dev); ++ if (IS_ERR(inbox)) ++ return PTR_ERR(inbox); ++ ++ outbox = mlx4_alloc_cmd_mailbox(dev); ++ if (IS_ERR(outbox)) { ++ mlx4_free_cmd_mailbox(dev, inbox); ++ return PTR_ERR(outbox); ++ } ++ ++ inmad = (struct mlx4_mad_ifc *)(inbox->buf); ++ outmad = (struct mlx4_mad_ifc *)(outbox->buf); ++ ++ inmad->method = 0x1; /* Get */ ++ inmad->class_version = 0x1; ++ inmad->mgmt_class = 0x1; ++ inmad->base_version = 0x1; ++ inmad->attr_id = cpu_to_be16(0xFF60); /* Module Info */ ++ ++ cable_info = (struct mlx4_cable_info *)inmad->data; ++ cable_info->dev_mem_address = 0; ++ cable_info->page_num = 0; ++ cable_info->i2c_addr = I2C_ADDR_LOW; ++ cable_info->size = cpu_to_be16(1); ++ ++ ret = mlx4_cmd_box(dev, inbox->dma, outbox->dma, port, 3, ++ MLX4_CMD_MAD_IFC, MLX4_CMD_TIME_CLASS_C, ++ MLX4_CMD_NATIVE); ++ if (ret) ++ goto out; ++ ++ if (be16_to_cpu(outmad->status)) { ++ /* Mad returned with bad status */ ++ ret = be16_to_cpu(outmad->status); ++ mlx4_warn(dev, ++ "MLX4_CMD_MAD_IFC Get Module ID attr(%x) port(%d) i2c_addr(%x) offset(%d) size(%d): Response Mad Status(%x) - %s\n", ++ 0xFF60, port, I2C_ADDR_LOW, 0, 1, ret, ++ cable_info_mad_err_str(ret)); ++ ret = -ret; ++ goto out; ++ } ++ cable_info = (struct mlx4_cable_info *)outmad->data; ++ *module_id = cable_info->data[0]; ++out: ++ mlx4_free_cmd_mailbox(dev, inbox); ++ mlx4_free_cmd_mailbox(dev, outbox); ++ return ret; ++} ++ ++static void mlx4_sfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset) ++{ ++ *i2c_addr = I2C_ADDR_LOW; ++ *page_num = 0; ++ ++ if (*offset < I2C_PAGE_SIZE) ++ return; ++ ++ *i2c_addr = I2C_ADDR_HIGH; ++ *offset -= I2C_PAGE_SIZE; ++} ++ ++static void mlx4_qsfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset) ++{ ++ /* Offsets 0-255 belong to page 0. ++ * Offsets 256-639 belong to pages 01, 02, 03. ++ * For example, offset 400 is page 02: 1 + (400 - 256) / 128 = 2 ++ */ ++ if (*offset < I2C_PAGE_SIZE) ++ *page_num = 0; ++ else ++ *page_num = 1 + (*offset - I2C_PAGE_SIZE) / I2C_HIGH_PAGE_SIZE; ++ *i2c_addr = I2C_ADDR_LOW; ++ *offset -= *page_num * I2C_HIGH_PAGE_SIZE; ++} ++ + /** + * mlx4_get_module_info - Read cable module eeprom data + * @dev: mlx4_dev. +@@ -2045,12 +2128,30 @@ int mlx4_get_module_info(struct mlx4_dev *dev, u8 port, + struct mlx4_cmd_mailbox *inbox, *outbox; + struct mlx4_mad_ifc *inmad, *outmad; + struct mlx4_cable_info *cable_info; +- u16 i2c_addr; ++ u8 module_id, i2c_addr, page_num; + int ret; + + if (size > MODULE_INFO_MAX_READ) + size = MODULE_INFO_MAX_READ; + ++ ret = mlx4_get_module_id(dev, port, &module_id); ++ if (ret) ++ return ret; ++ ++ switch (module_id) { ++ case MLX4_MODULE_ID_SFP: ++ mlx4_sfp_eeprom_params_set(&i2c_addr, &page_num, &offset); ++ break; ++ case MLX4_MODULE_ID_QSFP: ++ case MLX4_MODULE_ID_QSFP_PLUS: ++ case MLX4_MODULE_ID_QSFP28: ++ mlx4_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset); ++ break; ++ default: ++ mlx4_err(dev, "Module ID not recognized: %#x\n", module_id); ++ return -EINVAL; ++ } ++ + inbox = mlx4_alloc_cmd_mailbox(dev); + if (IS_ERR(inbox)) + return PTR_ERR(inbox); +@@ -2076,11 +2177,9 @@ int mlx4_get_module_info(struct mlx4_dev *dev, u8 port, + */ + size -= offset + size - I2C_PAGE_SIZE; + +- i2c_addr = I2C_ADDR_LOW; +- + cable_info = (struct mlx4_cable_info *)inmad->data; + cable_info->dev_mem_address = cpu_to_be16(offset); +- cable_info->page_num = 0; ++ cable_info->page_num = page_num; + cable_info->i2c_addr = i2c_addr; + cable_info->size = cpu_to_be16(size); + +-- +2.16.4 + diff --git a/patches.suse/net-mlx4_core-Add-missed-mlx4_free_cmd_mailbox.patch b/patches.suse/net-mlx4_core-Add-missed-mlx4_free_cmd_mailbox.patch new file mode 100644 index 0000000..1685a0c --- /dev/null +++ b/patches.suse/net-mlx4_core-Add-missed-mlx4_free_cmd_mailbox.patch @@ -0,0 +1,38 @@ +From 9e4b3cf0c3b6e5b3a23693e53366e8386001ecb7 Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan +Date: Sun, 21 Feb 2021 22:35:59 +0800 +Subject: [PATCH 05/19] net/mlx4_core: Add missed mlx4_free_cmd_mailbox() +Git-commit: 8eb65fda4a6dbd59cd5de24b106a10b6ee0d2176 +Patch-mainline: v5.12-rc1 +References: git-fixes + +mlx4_do_mirror_rule() forgets to call mlx4_free_cmd_mailbox() to +free the memory region allocated by mlx4_alloc_cmd_mailbox() before +an exit. +Add the missed call to fix it. + +Fixes: 78efed275117 ("net/mlx4_core: Support mirroring VF DMFS rules on both ports") +Signed-off-by: Chuhong Yuan +Reviewed-by: Tariq Toukan +Link: https://lore.kernel.org/r/20210221143559.390277-1-hslester96@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +index cfa13729152b..4c7bb728f674 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +@@ -4984,6 +4984,7 @@ static int mlx4_do_mirror_rule(struct mlx4_dev *dev, struct res_fs_rule *fs_rule + + if (!fs_rule->mirr_mbox) { + mlx4_err(dev, "rule mirroring mailbox is null\n"); ++ mlx4_free_cmd_mailbox(dev, mailbox); + return -EINVAL; + } + memcpy(mailbox->buf, fs_rule->mirr_mbox, fs_rule->mirr_mbox_size); +-- +2.16.4 + diff --git a/patches.suse/net-mlx5e-Remove-dependency-in-IPsec-initialization-.patch b/patches.suse/net-mlx5e-Remove-dependency-in-IPsec-initialization-.patch new file mode 100644 index 0000000..d9eedfd --- /dev/null +++ b/patches.suse/net-mlx5e-Remove-dependency-in-IPsec-initialization-.patch @@ -0,0 +1,43 @@ +From 7e94b078557cfc06ba5c574fb4567ae305499589 Mon Sep 17 00:00:00 2001 +From: Huy Nguyen +Date: Fri, 28 May 2021 13:20:32 -0500 +Subject: [PATCH 17/19] net/mlx5e: Remove dependency in IPsec initialization + flows +Git-commit: 8ad893e516a77209a1818a2072d2027d87db809f +Patch-mainline: v5.13-rc7 +References: git-fixes + +Currently, IPsec feature is disabled because mlx5e_build_nic_netdev +is required to be called after mlx5e_ipsec_init. This requirement is +invalid as mlx5e_build_nic_netdev and mlx5e_ipsec_init initialize +independent resources. + +Remove ipsec pointer check in mlx5e_build_nic_netdev so that the +two functions can be called at any order. + +Fixes: 547eede070eb ("net/mlx5e: IPSec, Innova IPSec offload infrastructure") +Signed-off-by: Huy Nguyen +Reviewed-by: Raed Salem +Signed-off-by: Saeed Mahameed +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +index cf58c9637904..c467f5e981f6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +@@ -515,9 +515,6 @@ void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv) + struct mlx5_core_dev *mdev = priv->mdev; + struct net_device *netdev = priv->netdev; + +- if (!priv->ipsec) +- return; +- + if (!(mlx5_accel_ipsec_device_caps(mdev) & MLX5_ACCEL_IPSEC_CAP_ESP) || + !MLX5_CAP_ETH(mdev, swp)) { + mlx5_core_dbg(mdev, "mlx5e: ESP and SWP offload not supported\n"); +-- +2.16.4 + diff --git a/patches.suse/net-mvpp2-Put-fwnode-in-error-case-during-probe.patch b/patches.suse/net-mvpp2-Put-fwnode-in-error-case-during-probe.patch new file mode 100644 index 0000000..c1552ca --- /dev/null +++ b/patches.suse/net-mvpp2-Put-fwnode-in-error-case-during-probe.patch @@ -0,0 +1,39 @@ +From 1f9f11b5c0bb6ed67e8263bcb9dc7e836ac78d2d Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Mon, 10 May 2021 12:58:05 +0300 +Subject: [PATCH 18/19] net: mvpp2: Put fwnode in error case during ->probe() +Git-commit: 71f0891c84dfdc448736082ab0a00acd29853896 +Patch-mainline: v5.14-rc1 +References: git-fixes + +In each iteration fwnode_for_each_available_child_node() bumps a reference +counting of a loop variable followed by dropping in on a next iteration, + +Since in error case the loop is broken, we have to drop a reference count +by ourselves. Do it for port_fwnode in error case during ->probe(). + +Fixes: 248122212f68 ("net: mvpp2: use device_*/fwnode_* APIs instead of of_*") +Cc: Marcin Wojtas +Signed-off-by: Andy Shevchenko +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index f54316fa2bf0..8f77fe7800c6 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -5448,6 +5448,8 @@ static int mvpp2_probe(struct platform_device *pdev) + return 0; + + err_port_probe: ++ fwnode_handle_put(port_fwnode); ++ + i = 0; + fwnode_for_each_available_child_node(fwnode, port_fwnode) { + if (priv->port_list[i]) +-- +2.16.4 + diff --git a/patches.suse/net-stmmac-fix-watchdog-timeout-during-suspend-resum.patch b/patches.suse/net-stmmac-fix-watchdog-timeout-during-suspend-resum.patch new file mode 100644 index 0000000..5b9f1c7 --- /dev/null +++ b/patches.suse/net-stmmac-fix-watchdog-timeout-during-suspend-resum.patch @@ -0,0 +1,48 @@ +From 0411e3d3435ad66957c2e3d08f6356e9ce7b470f Mon Sep 17 00:00:00 2001 +From: Joakim Zhang +Date: Thu, 25 Feb 2021 17:01:11 +0800 +Subject: [PATCH 10/19] net: stmmac: fix watchdog timeout during suspend/resume + stress test +Git-commit: c511819d138de38e1637eedb645c207e09680d0f +Patch-mainline: v5.12-rc3 +References: git-fixes + +stmmac_xmit() call stmmac_tx_timer_arm() at the end to modify tx timer to +do the transmission cleanup work. Imagine such a situation, stmmac enters +suspend immediately after tx timer modified, it's expire callback +stmmac_tx_clean() would not be invoked. This could affect BQL, since +netdev_tx_sent_queue() has been called, but netdev_tx_completed_queue() +have not been involved, as a result, dql_avail(&dev_queue->dql) finally +always return a negative value. + +__dev_queue_xmit->__dev_xmit_skb->qdisc_run->__qdisc_run->qdisc_restart->dequeue_skb: + if ((q->flags & TCQ_F_ONETXQUEUE) && + netif_xmit_frozen_or_stopped(txq)) // __QUEUE_STATE_STACK_XOFF is set + +Net core will stop transmitting any more. Finillay, net watchdong would timeout. +To fix this issue, we should call netdev_tx_reset_queue() in stmmac_resume(). + +Fixes: 54139cf3bb33 ("net: stmmac: adding multiple buffers for rx") +Signed-off-by: Joakim Zhang +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index b2a313ef33ec..3df7cd7a2216 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -4450,6 +4450,8 @@ static void stmmac_reset_queues_param(struct stmmac_priv *priv) + tx_q->cur_tx = 0; + tx_q->dirty_tx = 0; + tx_q->mss = 0; ++ ++ netdev_tx_reset_queue(netdev_get_tx_queue(priv->dev, queue)); + } + } + +-- +2.16.4 + diff --git a/patches.suse/net-stmmac-stop-each-tx-channel-independently.patch b/patches.suse/net-stmmac-stop-each-tx-channel-independently.patch new file mode 100644 index 0000000..d0124ff --- /dev/null +++ b/patches.suse/net-stmmac-stop-each-tx-channel-independently.patch @@ -0,0 +1,37 @@ +From 653dea74cd3812d4ca602dae9fe913a60bcf542e Mon Sep 17 00:00:00 2001 +From: Joakim Zhang +Date: Thu, 25 Feb 2021 17:01:10 +0800 +Subject: [PATCH 09/19] net: stmmac: stop each tx channel independently +Git-commit: a3e860a83397bf761ec1128a3f0ba186445992c6 +Patch-mainline: v5.12-rc3 +References: git-fixes + +If clear GMAC_CONFIG_TE bit, it would stop all tx channels, but users +may only want to stop specific tx channel. + +Fixes: 48863ce5940f ("stmmac: add DMA support for GMAC 4.xx") +Signed-off-by: Joakim Zhang +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c +index 49f5687879df..32461909264a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c +@@ -63,10 +63,6 @@ void dwmac4_dma_stop_tx(void __iomem *ioaddr, u32 chan) + + value &= ~DMA_CONTROL_ST; + writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan)); +- +- value = readl(ioaddr + GMAC_CONFIG); +- value &= ~GMAC_CONFIG_TE; +- writel(value, ioaddr + GMAC_CONFIG); + } + + void dwmac4_dma_start_rx(void __iomem *ioaddr, u32 chan) +-- +2.16.4 + diff --git a/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch b/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch index 07c5992..98f0d50 100644 --- a/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch +++ b/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch @@ -4,7 +4,7 @@ Date: Wed, 26 Jan 2022 14:14:52 +0100 Subject: [PATCH] net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup Git-commit: 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 -References: bsc#1196018 CVE-2022-28748 +References: bsc#1196018 CVE-2022-28748 CVE-2022-2964 Patch-mainline: v5.17-rc4 ax88179_rx_fixup() contains several out-of-bounds accesses that can be diff --git a/patches.suse/net-usb-qmi_wwan-Add-new-usb-id-for-Dell-branded-EM7.patch b/patches.suse/net-usb-qmi_wwan-Add-new-usb-id-for-Dell-branded-EM7.patch new file mode 100644 index 0000000..25a62f4 --- /dev/null +++ b/patches.suse/net-usb-qmi_wwan-Add-new-usb-id-for-Dell-branded-EM7.patch @@ -0,0 +1,38 @@ +From 797666cd5af041ffb66642fff62f7389f08566a2 Mon Sep 17 00:00:00 2001 +From: Frank Wunderlich +Date: Mon, 26 Sep 2022 17:07:40 +0200 +Subject: [PATCH] net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 797666cd5af041ffb66642fff62f7389f08566a2 +References: git-fixes +Patch-mainline: v6.1-rc1 + +Add support for Dell 5811e (EM7455) with USB-id 0x413c:0x81c2. + +Signed-off-by: Frank Wunderlich +Cc: stable@vger.kernel.org +Acked-by: Bjørn Mork +Link: https://lore.kernel.org/r/20220926150740.6684-3-linux@fw-web.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Oliver Neukum +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 0cb187def5bc..26c34a7c21bd 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1402,6 +1402,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x413c, 0x81b3, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */ + {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */ + {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */ ++ {QMI_FIXED_INTF(0x413c, 0x81c2, 8)}, /* Dell Wireless 5811e */ + {QMI_FIXED_INTF(0x413c, 0x81cc, 8)}, /* Dell Wireless 5816e */ + {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */ + {QMI_FIXED_INTF(0x413c, 0x81d7, 1)}, /* Dell Wireless 5821e preproduction config */ +-- +2.35.3 + diff --git a/patches.suse/net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch b/patches.suse/net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch new file mode 100644 index 0000000..515869e --- /dev/null +++ b/patches.suse/net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch @@ -0,0 +1,52 @@ +From bae88e3798dae246872a03c43ad4cfa6d9317717 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Wed, 4 Aug 2021 18:52:20 +0300 +Subject: [PATCH 1/7] net: vxge: fix use-after-free in vxge_device_unregister +Git-commit: 942e560a3d3862dd5dee1411dbdd7097d29b8416 +Patch-mainline: v5.14-rc5 +References: git-fixes + +Smatch says: +drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev); +drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev); +drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev); +drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev); + +Since vdev pointer is netdev private data accessing it after free_netdev() +call can cause use-after-free bug. Fix it by moving free_netdev() call at +the end of the function + +Fixes: 6cca200362b4 ("vxge: cleanup probe error paths") +Reported-by: Dan Carpenter +Signed-off-by: Pavel Skripkin +Reviewed-by: Jesse Brandeburg +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/neterion/vxge/vxge-main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c +index 5dd5f61e1114..683b1ab8fd6e 100644 +--- a/drivers/net/ethernet/neterion/vxge/vxge-main.c ++++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c +@@ -3537,13 +3537,13 @@ static void vxge_device_unregister(struct __vxge_hw_device *hldev) + + kfree(vdev->vpaths); + +- /* we are safe to free it now */ +- free_netdev(dev); +- + vxge_debug_init(vdev->level_trace, "%s: ethernet device unregistered", + buf); + vxge_debug_entryexit(vdev->level_trace, "%s: %s:%d Exiting...", buf, + __func__, __LINE__); ++ ++ /* we are safe to free it now */ ++ free_netdev(dev); + } + + /* +-- +2.16.4 + diff --git a/patches.suse/nfp-fix-use-after-free-in-area_cache_get.patch b/patches.suse/nfp-fix-use-after-free-in-area_cache_get.patch new file mode 100644 index 0000000..419770b --- /dev/null +++ b/patches.suse/nfp-fix-use-after-free-in-area_cache_get.patch @@ -0,0 +1,72 @@ +From: Jialiang Wang +Date: Wed, 10 Aug 2022 15:30:57 +0800 +Subject: nfp: fix use-after-free in area_cache_get() +Patch-mainline: v6.0-rc1 +Git-commit: 02e1a114fdb71e59ee6770294166c30d437bf86a +References: bsc#1204415 CVE-2022-3545 + +area_cache_get() is used to distribute cache->area and set cache->id, + and if cache->id is not 0 and cache->area->kref refcount is 0, it will + release the cache->area by nfp_cpp_area_release(). area_cache_get() + set cache->id before cpp->op->area_init() and nfp_cpp_area_acquire(). + +But if area_init() or nfp_cpp_area_acquire() fails, the cache->id is + is already set but the refcount is not increased as expected. At this + time, calling the nfp_cpp_area_release() will cause use-after-free. + +To avoid the use-after-free, set cache->id after area_init() and + nfp_cpp_area_acquire() complete successfully. + +Note: This vulnerability is triggerable by providing emulated device + equipped with specified configuration. + + BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760) + Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1 + + Call Trace: + + nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760) + area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884) + + Allocated by task 1: + nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303) + nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802) + nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230) + nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215) + nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744) + + Freed by task 1: + kfree (mm/slub.c:4562) + area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873) + nfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973) + nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48) + +Signed-off-by: Jialiang Wang +Reviewed-by: Yinjun Zhang +Acked-by: Simon Horman +Link: https://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c ++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c +@@ -856,7 +856,6 @@ area_cache_get(struct nfp_cpp *cpp, u32 + } + + /* Adjust the start address to be cache size aligned */ +- cache->id = id; + cache->addr = addr & ~(u64)(cache->size - 1); + + /* Re-init to the new ID and address */ +@@ -876,6 +875,8 @@ area_cache_get(struct nfp_cpp *cpp, u32 + return NULL; + } + ++ cache->id = id; ++ + exit: + /* Adjust offset */ + *offset = addr - cache->addr; diff --git a/patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch b/patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch new file mode 100644 index 0000000..59df95e --- /dev/null +++ b/patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch @@ -0,0 +1,71 @@ +From d0d51a97063db4704a5ef6bc978dddab1636a306 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 7 Oct 2022 17:52:26 +0900 +Subject: [PATCH] nilfs2: fix leak of nilfs_root in case of writer thread creation failure +Git-commit: d0d51a97063db4704a5ef6bc978dddab1636a306 +Patch-mainline: v6.1-rc1 +References: CVE-2022-3646 bsc#1204646 + +If nilfs_attach_log_writer() failed to create a log writer thread, it +frees a data structure of the log writer without any cleanup. After +commit e912a5b66837 ("nilfs2: use root object to get ifile"), this causes +a leak of struct nilfs_root, which started to leak an ifile metadata inode +and a kobject on that struct. + +In addition, if the kernel is booted with panic_on_warn, the above +ifile metadata inode leak will cause the following panic when the +nilfs2 kernel module is removed: + + kmem_cache_destroy nilfs2_inode_cache: Slab cache still has objects when + called from nilfs_destroy_cachep+0x16/0x3a [nilfs2] + WARNING: CPU: 8 PID: 1464 at mm/slab_common.c:494 kmem_cache_destroy+0x138/0x140 + ... + RIP: 0010:kmem_cache_destroy+0x138/0x140 + Code: 00 20 00 00 e8 a9 55 d8 ff e9 76 ff ff ff 48 8b 53 60 48 c7 c6 20 70 65 86 48 c7 c7 d8 69 9c 86 48 8b 4c 24 28 e8 ef 71 c7 00 <0f> 0b e9 53 ff ff ff c3 48 81 ff ff 0f 00 00 77 03 31 c0 c3 53 48 + ... + Call Trace: + + ? nilfs_palloc_freev.cold.24+0x58/0x58 [nilfs2] + nilfs_destroy_cachep+0x16/0x3a [nilfs2] + exit_nilfs_fs+0xa/0x1b [nilfs2] + __x64_sys_delete_module+0x1d9/0x3a0 + ? __sanitizer_cov_trace_pc+0x1a/0x50 + ? syscall_trace_enter.isra.19+0x119/0x190 + do_syscall_64+0x34/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + ... + + Kernel panic - not syncing: panic_on_warn set ... + +This patch fixes these issues by calling nilfs_detach_log_writer() cleanup +function if spawning the log writer thread fails. + +Link: https://lkml.kernel.org/r/20221007085226.57667-1-konishi.ryusuke@gmail.com +Fixes: e912a5b66837 ("nilfs2: use root object to get ifile") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+7381dc4ad60658ca4c05@syzkaller.appspotmail.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Acked-by: Takashi Iwai + +--- + fs/nilfs2/segment.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -2797,10 +2797,9 @@ int nilfs_attach_log_writer(struct super + inode_attach_wb(nilfs->ns_bdev->bd_inode, NULL); + + err = nilfs_segctor_start_thread(nilfs->ns_writer); +- if (err) { +- kfree(nilfs->ns_writer); +- nilfs->ns_writer = NULL; +- } ++ if (unlikely(err)) ++ nilfs_detach_log_writer(sb); ++ + return err; + } + diff --git a/patches.suse/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch b/patches.suse/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch new file mode 100644 index 0000000..8bd6967 --- /dev/null +++ b/patches.suse/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch @@ -0,0 +1,68 @@ +From d325dc6eb763c10f591c239550b8c7e5466a5d09 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Tue, 4 Oct 2022 00:05:19 +0900 +Subject: [PATCH] nilfs2: fix use-after-free bug of struct nilfs_root +Git-commit: d325dc6eb763c10f591c239550b8c7e5466a5d09 +Patch-mainline: v6.1-rc1 +References: CVE-2022-3649 bsc#1204647 + +If the beginning of the inode bitmap area is corrupted on disk, an inode +with the same inode number as the root inode can be allocated and fail +soon after. In this case, the subsequent call to nilfs_clear_inode() on +that bogus root inode will wrongly decrement the reference counter of +struct nilfs_root, and this will erroneously free struct nilfs_root, +causing kernel oopses. + +This fixes the problem by changing nilfs_new_inode() to skip reserved +inode numbers while repairing the inode bitmap. + +Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com +Reported-by: Khalid Masum +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Acked-by: Takashi Iwai + +--- + fs/nilfs2/inode.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -344,6 +344,7 @@ struct inode *nilfs_new_inode(struct ino + struct inode *inode; + struct nilfs_inode_info *ii; + struct nilfs_root *root; ++ struct buffer_head *bh; + int err = -ENOMEM; + ino_t ino; + +@@ -359,11 +360,25 @@ struct inode *nilfs_new_inode(struct ino + ii->i_state = BIT(NILFS_I_NEW); + ii->i_root = root; + +- err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh); ++ err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); + if (unlikely(err)) + goto failed_ifile_create_inode; + /* reference count of i_bh inherits from nilfs_mdt_read_block() */ + ++ if (unlikely(ino < NILFS_USER_INO)) { ++ nilfs_msg(sb, KERN_WARNING, ++ "inode bitmap is inconsistent for reserved inodes"); ++ do { ++ brelse(bh); ++ err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); ++ if (unlikely(err)) ++ goto failed_ifile_create_inode; ++ } while (ino < NILFS_USER_INO); ++ ++ nilfs_msg(sb, KERN_INFO, "repaired inode bitmap for reserved inodes"); ++ } ++ ii->i_bh = bh; ++ + atomic64_inc(&root->inodes_count); + inode_init_owner(inode, dir, mode); + inode->i_ino = ino; diff --git a/patches.suse/nvmem-core-Check-input-parameter-for-NULL-in-nvmem_u.patch b/patches.suse/nvmem-core-Check-input-parameter-for-NULL-in-nvmem_u.patch new file mode 100644 index 0000000..a851d68 --- /dev/null +++ b/patches.suse/nvmem-core-Check-input-parameter-for-NULL-in-nvmem_u.patch @@ -0,0 +1,33 @@ +From 8c751e0d9a5264376935a84429a2d468c8877d99 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Sun, 20 Feb 2022 15:15:17 +0000 +Subject: [PATCH] nvmem: core: Check input parameter for NULL in + nvmem_unregister() +Git-commit: 8c751e0d9a5264376935a84429a2d468c8877d99 +References: bsc#1204241 +Patch-mainline: v5.18-rc1 + +nvmem_unregister() frees resources and standard pattern is to allow +caller to not care if it's NULL or not. This will reduce burden on +the callers to perform this check. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220220151527.17216-4-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/nvmem/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -527,6 +527,8 @@ EXPORT_SYMBOL_GPL(nvmem_register); + */ + int nvmem_unregister(struct nvmem_device *nvmem) + { ++ if (!nvmem) ++ return 0; + mutex_lock(&nvmem_mutex); + if (nvmem->users) { + mutex_unlock(&nvmem_mutex); diff --git a/patches.suse/ppp-Fix-generating-ifname-when-empty-IFLA_IFNAME-is-.patch b/patches.suse/ppp-Fix-generating-ifname-when-empty-IFLA_IFNAME-is-.patch new file mode 100644 index 0000000..dff1b53 --- /dev/null +++ b/patches.suse/ppp-Fix-generating-ifname-when-empty-IFLA_IFNAME-is-.patch @@ -0,0 +1,55 @@ +From a33f669662b9a96da36c48b703eb5672209249d0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Sat, 7 Aug 2021 15:27:03 +0200 +Subject: [PATCH 3/7] ppp: Fix generating ifname when empty IFLA_IFNAME is + specified +Git-commit: 2459dcb96bcba94c08d6861f8a050185ff301672 +Patch-mainline: v5.14-rc6 +References: git-fixes + +IFLA_IFNAME is nul-term string which means that IFLA_IFNAME buffer can be +larger than length of string which contains. + +Function __rtnl_newlink() generates new own ifname if either IFLA_IFNAME +was not specified at all or userspace passed empty nul-term string. + +It is expected that if userspace does not specify ifname for new ppp netdev +then kernel generates one in format "ppp" where id matches to the ppp +unit id which can be later obtained by PPPIOCGUNIT ioctl. + +And it works in this way if IFLA_IFNAME is not specified at all. But it +does not work when IFLA_IFNAME is specified with empty string. + +So fix this logic also for empty IFLA_IFNAME in ppp_nl_newlink() function +and correctly generates ifname based on ppp unit identifier if userspace +did not provided preferred ifname. + +Without this patch when IFLA_IFNAME was specified with empty string then +kernel created a new ppp interface in format "ppp" but id did not +match ppp unit id returned by PPPIOCGUNIT ioctl. In this case id was some +number generated by __rtnl_newlink() function. + +Signed-off-by: Pali Rohár +Fixes: bb8082f69138 ("ppp: build ifname using unit identifier for rtnl based devices") +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ppp/ppp_generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 352e751125fb..56b0bd90a9fb 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1116,7 +1116,7 @@ static int ppp_nl_newlink(struct net *src_net, struct net_device *dev, + * the PPP unit identifer as suffix (i.e. ppp). This allows + * userspace to infer the device name using to the PPPIOCGUNIT ioctl. + */ +- if (!tb[IFLA_IFNAME]) ++ if (!tb[IFLA_IFNAME] || !nla_len(tb[IFLA_IFNAME]) || !*(char *)nla_data(tb[IFLA_IFNAME])) + conf.ifname_is_set = false; + + err = ppp_dev_configure(src_net, dev, &conf); +-- +2.16.4 + diff --git a/patches.suse/ppp-Fix-generating-ppp-unit-id-when-ifname-is-not-sp.patch b/patches.suse/ppp-Fix-generating-ppp-unit-id-when-ifname-is-not-sp.patch new file mode 100644 index 0000000..a6852c1 --- /dev/null +++ b/patches.suse/ppp-Fix-generating-ppp-unit-id-when-ifname-is-not-sp.patch @@ -0,0 +1,111 @@ +From d4027a91b06857d69b29bd05ea79ec61b1d96950 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Sat, 7 Aug 2021 18:00:50 +0200 +Subject: [PATCH 4/7] ppp: Fix generating ppp unit id when ifname is not + specified +Git-commit: 3125f26c514826077f2a4490b75e9b1c7a644c42 +Patch-mainline: v5.14-rc6 +References: git-fixes + +When registering new ppp interface via PPPIOCNEWUNIT ioctl then kernel has +to choose interface name as this ioctl API does not support specifying it. + +Kernel in this case register new interface with name "ppp" where +is the ppp unit id, which can be obtained via PPPIOCGUNIT ioctl. This +applies also in the case when registering new ppp interface via rtnl +without supplying IFLA_IFNAME. + +PPPIOCNEWUNIT ioctl allows to specify own ppp unit id which will kernel +assign to ppp interface, in case this ppp id is not already used by other +ppp interface. + +In case user does not specify ppp unit id then kernel choose the first free +ppp unit id. This applies also for case when creating ppp interface via +rtnl method as it does not provide a way for specifying own ppp unit id. + +If some network interface (does not have to be ppp) has name "ppp" +with this first free ppp id then PPPIOCNEWUNIT ioctl or rtnl call fails. + +And registering new ppp interface is not possible anymore, until interface +which holds conflicting name is renamed. Or when using rtnl method with +custom interface name in IFLA_IFNAME. + +As list of allocated / used ppp unit ids is not possible to retrieve from +kernel to userspace, userspace has no idea what happens nor which interface +is doing this conflict. + +So change the algorithm how ppp unit id is generated. And choose the first +number which is not neither used as ppp unit id nor in some network +interface with pattern "ppp". + +This issue can be simply reproduced by following pppd call when there is no +ppp interface registered and also no interface with name pattern "ppp": + + pppd ifname ppp1 +ipv6 noip noauth nolock local nodetach pty "pppd +ipv6 noip noauth nolock local nodetach notty" + +Or by creating the one ppp interface (which gets assigned ppp unit id 0), +renaming it to "ppp1" and then trying to create a new ppp interface (which +will always fails as next free ppp unit id is 1, but network interface with +name "ppp1" exists). + +This patch fixes above described issue by generating new and new ppp unit +id until some non-conflicting id with network interfaces is generated. + +Signed-off-by: Pali Rohár +Cc: stable@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ppp/ppp_generic.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 56b0bd90a9fb..95314906f0e0 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -288,7 +288,7 @@ static struct channel *ppp_find_channel(struct ppp_net *pn, int unit); + static int ppp_connect_channel(struct channel *pch, int unit); + static int ppp_disconnect_channel(struct channel *pch); + static void ppp_destroy_channel(struct channel *pch); +-static int unit_get(struct idr *p, void *ptr); ++static int unit_get(struct idr *p, void *ptr, int min); + static int unit_set(struct idr *p, void *ptr, int n); + static void unit_put(struct idr *p, int n); + static void *unit_find(struct idr *p, int n); +@@ -965,9 +965,20 @@ static int ppp_unit_register(struct ppp *ppp, int unit, bool ifname_is_set) + mutex_lock(&pn->all_ppp_mutex); + + if (unit < 0) { +- ret = unit_get(&pn->units_idr, ppp); ++ ret = unit_get(&pn->units_idr, ppp, 0); + if (ret < 0) + goto err; ++ if (!ifname_is_set) { ++ while (1) { ++ snprintf(ppp->dev->name, IFNAMSIZ, "ppp%i", ret); ++ if (!__dev_get_by_name(ppp->ppp_net, ppp->dev->name)) ++ break; ++ unit_put(&pn->units_idr, ret); ++ ret = unit_get(&pn->units_idr, ppp, ret + 1); ++ if (ret < 0) ++ goto err; ++ } ++ } + } else { + /* Caller asked for a specific unit number. Fail with -EEXIST + * if unavailable. For backward compatibility, return -EEXIST +@@ -3254,9 +3265,9 @@ static int unit_set(struct idr *p, void *ptr, int n) + } + + /* get new free unit number and associate pointer with it */ +-static int unit_get(struct idr *p, void *ptr) ++static int unit_get(struct idr *p, void *ptr, int min) + { +- return idr_alloc(p, ptr, 0, 0, GFP_KERNEL); ++ return idr_alloc(p, ptr, min, 0, GFP_KERNEL); + } + + /* put unit number back to a pool */ +-- +2.16.4 + diff --git a/patches.suse/r8169-fix-jumbo-packet-handling-on-RTL8168e.patch b/patches.suse/r8169-fix-jumbo-packet-handling-on-RTL8168e.patch new file mode 100644 index 0000000..f65c076 --- /dev/null +++ b/patches.suse/r8169-fix-jumbo-packet-handling-on-RTL8168e.patch @@ -0,0 +1,50 @@ +From f99ae312b20809b1e0f96ce9db2218bcbc066cd6 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Thu, 25 Feb 2021 16:05:19 +0100 +Subject: [PATCH 08/19] r8169: fix jumbo packet handling on RTL8168e +Git-commit: 6cf739131a15e4177e58a1b4f2bede9d5da78552 +Patch-mainline: v5.12-rc1 +References: git-fixes + +Josef reported [0] that using jumbo packets fails on RTL8168e. +Aligning the values for register MaxTxPacketSize with the +vendor driver fixes the problem. + +[0] https://bugzilla.kernel.org/show_bug.cgi?id=211827 + +Fixes: d58d46b5d851 ("r8169: jumbo fixes.") +Reported-by: Josef Oškera +Tested-by: Josef Oškera +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/b15ddef7-0d50-4320-18f4-6a3f86fbfd3e@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/realtek/r8169.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c +index 073ccf996c4c..7fc5f683b9ee 100644 +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -5067,7 +5067,7 @@ static void r8168e_hw_jumbo_enable(struct rtl8169_private *tp) + { + void __iomem *ioaddr = tp->mmio_addr; + +- RTL_W8(MaxTxPacketSize, 0x3f); ++ RTL_W8(MaxTxPacketSize, 0x24); + RTL_W8(Config3, RTL_R8(Config3) | Jumbo_En0); + RTL_W8(Config4, RTL_R8(Config4) | 0x01); + rtl_tx_performance_tweak(tp->pci_dev, PCI_EXP_DEVCTL_READRQ_512B); +@@ -5077,7 +5077,7 @@ static void r8168e_hw_jumbo_disable(struct rtl8169_private *tp) + { + void __iomem *ioaddr = tp->mmio_addr; + +- RTL_W8(MaxTxPacketSize, 0x0c); ++ RTL_W8(MaxTxPacketSize, 0x3f); + RTL_W8(Config3, RTL_R8(Config3) & ~Jumbo_En0); + RTL_W8(Config4, RTL_R8(Config4) & ~0x01); + rtl_tx_performance_tweak(tp->pci_dev, 0x5 << MAX_READ_REQUEST_SHIFT); +-- +2.16.4 + diff --git a/patches.suse/ring-buffer-Add-ring_buffer_wake_waiters.patch b/patches.suse/ring-buffer-Add-ring_buffer_wake_waiters.patch new file mode 100644 index 0000000..3b7290b --- /dev/null +++ b/patches.suse/ring-buffer-Add-ring_buffer_wake_waiters.patch @@ -0,0 +1,121 @@ +From: "Steven Rostedt (Google)" +Date: Wed, 28 Sep 2022 13:39:38 -0400 +Subject: ring-buffer: Add ring_buffer_wake_waiters() +Git-commit: 7e9fbbb1b776d8d7969551565bc246f74ec53b27 +Patch-mainline: v6.1-rc1 +References: git-fixes + +On closing of a file that represents a ring buffer or flushing the file, +there may be waiters on the ring buffer that needs to be woken up and exit +the ring_buffer_wait() function. + +Add ring_buffer_wake_waiters() to wake up the waiters on the ring buffer +and allow them to exit the wait loop. + +Link: https://lkml.kernel.org/r/20220928133938.28dc2c27@gandalf.local.home + +Cc: stable@vger.kernel.org +Cc: Ingo Molnar +Cc: Andrew Morton +Fixes: 15693458c4bc0 ("tracing/ring-buffer: Move poll wake ups into ring buffer code") +Signed-off-by: Steven Rostedt (Google) +[ppavlu: s/trace_buffer/ring_buffer/ because we don't have cleanup + commit 13292494379f ("tracing: Make struct ring_buffer less ambiguous").] +Acked-by: Petr Pavlu +--- + include/linux/ring_buffer.h | 2 +- + kernel/trace/ring_buffer.c | 39 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 40 insertions(+), 1 deletion(-) + +diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h +index dac53fd3afea..2504df9a0453 100644 +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -101,7 +101,7 @@ __ring_buffer_alloc(unsigned long size, unsigned flags, struct lock_class_key *k + int ring_buffer_wait(struct ring_buffer *buffer, int cpu, bool full); + int ring_buffer_poll_wait(struct ring_buffer *buffer, int cpu, + struct file *filp, poll_table *poll_table); +- ++void ring_buffer_wake_waiters(struct ring_buffer *buffer, int cpu); + + #define RING_BUFFER_ALL_CPUS -1 + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 5a7d818ca3ea..3046deacf7b3 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -413,6 +413,7 @@ struct rb_irq_work { + struct irq_work work; + wait_queue_head_t waiters; + wait_queue_head_t full_waiters; ++ long wait_index; + bool waiters_pending; + bool full_waiters_pending; + bool wakeup_full; +@@ -924,6 +925,37 @@ static void rb_wake_up_waiters(struct irq_work *work) + } + } + ++/** ++ * ring_buffer_wake_waiters - wake up any waiters on this ring buffer ++ * @buffer: The ring buffer to wake waiters on ++ * ++ * In the case of a file that represents a ring buffer is closing, ++ * it is prudent to wake up any waiters that are on this. ++ */ ++void ring_buffer_wake_waiters(struct ring_buffer *buffer, int cpu) ++{ ++ struct ring_buffer_per_cpu *cpu_buffer; ++ struct rb_irq_work *rbwork; ++ ++ if (cpu == RING_BUFFER_ALL_CPUS) { ++ ++ /* Wake up individual ones too. One level recursion */ ++ for_each_buffer_cpu(buffer, cpu) ++ ring_buffer_wake_waiters(buffer, cpu); ++ ++ rbwork = &buffer->irq_work; ++ } else { ++ cpu_buffer = buffer->buffers[cpu]; ++ rbwork = &cpu_buffer->irq_work; ++ } ++ ++ rbwork->wait_index++; ++ /* make sure the waiters see the new index */ ++ smp_wmb(); ++ ++ rb_wake_up_waiters(&rbwork->work); ++} ++ + /** + * ring_buffer_wait - wait for input to the ring buffer + * @buffer: buffer to wait on +@@ -939,6 +971,7 @@ int ring_buffer_wait(struct ring_buffer *buffer, int cpu, int full) + struct ring_buffer_per_cpu *uninitialized_var(cpu_buffer); + DEFINE_WAIT(wait); + struct rb_irq_work *work; ++ long wait_index; + int ret = 0; + + /* +@@ -957,6 +990,7 @@ int ring_buffer_wait(struct ring_buffer *buffer, int cpu, int full) + work = &cpu_buffer->irq_work; + } + ++ wait_index = READ_ONCE(work->wait_index); + + while (true) { + if (full) +@@ -1021,6 +1055,11 @@ int ring_buffer_wait(struct ring_buffer *buffer, int cpu, int full) + } + + schedule(); ++ ++ /* Make sure to see the new wait index */ ++ smp_rmb(); ++ if (wait_index != work->wait_index) ++ break; + } + + if (full) + diff --git a/patches.suse/ring-buffer-Check-pending-waiters-when-doing-wake-ups-as-well.patch b/patches.suse/ring-buffer-Check-pending-waiters-when-doing-wake-ups-as-well.patch new file mode 100644 index 0000000..cabb9aa --- /dev/null +++ b/patches.suse/ring-buffer-Check-pending-waiters-when-doing-wake-ups-as-well.patch @@ -0,0 +1,46 @@ +From: "Steven Rostedt (Google)" +Date: Tue, 27 Sep 2022 19:15:25 -0400 +Subject: ring-buffer: Check pending waiters when doing wake ups as well +Git-commit: ec0bbc5ec5664dcee344f79373852117dc672c86 +Patch-mainline: v6.1-rc1 +References: git-fixes + +The wake up waiters only checks the "wakeup_full" variable and not the +"full_waiters_pending". The full_waiters_pending is set when a waiter is +added to the wait queue. The wakeup_full is only set when an event is +triggered, and it clears the full_waiters_pending to avoid multiple calls +to irq_work_queue(). + +The irq_work callback really needs to check both wakeup_full as well as +full_waiters_pending such that this code can be used to wake up waiters +when a file is closed that represents the ring buffer and the waiters need +to be woken up. + +Link: https://lkml.kernel.org/r/20220927231824.209460321@goodmis.org + +Cc: stable@vger.kernel.org +Cc: Ingo Molnar +Cc: Andrew Morton +Fixes: 15693458c4bc0 ("tracing/ring-buffer: Move poll wake ups into ring buffer code") +Signed-off-by: Steven Rostedt (Google) +Acked-by: Petr Pavlu +--- + kernel/trace/ring_buffer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 02db92c9eb1b..5a7d818ca3ea 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -917,8 +917,9 @@ static void rb_wake_up_waiters(struct irq_work *work) + struct rb_irq_work *rbwork = container_of(work, struct rb_irq_work, work); + + wake_up_all(&rbwork->waiters); +- if (rbwork->wakeup_full) { ++ if (rbwork->full_waiters_pending || rbwork->wakeup_full) { + rbwork->wakeup_full = false; ++ rbwork->full_waiters_pending = false; + wake_up_all(&rbwork->full_waiters); + } + } + diff --git a/patches.suse/ring-buffer-Fix-race-between-reset-page-and-reading-page.patch b/patches.suse/ring-buffer-Fix-race-between-reset-page-and-reading-page.patch new file mode 100644 index 0000000..05790f1 --- /dev/null +++ b/patches.suse/ring-buffer-Fix-race-between-reset-page-and-reading-page.patch @@ -0,0 +1,116 @@ +From: "Steven Rostedt (Google)" +Date: Thu, 29 Sep 2022 10:49:09 -0400 +Subject: ring-buffer: Fix race between reset page and reading page +Git-commit: a0fcaaed0c46cf9399d3a2d6e0c87ddb3df0e044 +Patch-mainline: v6.1-rc1 +References: git-fixes + +The ring buffer is broken up into sub buffers (currently of page size). +Each sub buffer has a pointer to its "tail" (the last event written to the +sub buffer). When a new event is requested, the tail is locally +incremented to cover the size of the new event. This is done in a way that +there is no need for locking. + +If the tail goes past the end of the sub buffer, the process of moving to +the next sub buffer takes place. After setting the current sub buffer to +the next one, the previous one that had the tail go passed the end of the +sub buffer needs to be reset back to the original tail location (before +the new event was requested) and the rest of the sub buffer needs to be +"padded". + +The race happens when a reader takes control of the sub buffer. As readers +do a "swap" of sub buffers from the ring buffer to get exclusive access to +the sub buffer, it replaces the "head" sub buffer with an empty sub buffer +that goes back into the writable portion of the ring buffer. This swap can +happen as soon as the writer moves to the next sub buffer and before it +updates the last sub buffer with padding. + +Because the sub buffer can be released to the reader while the writer is +still updating the padding, it is possible for the reader to see the event +that goes past the end of the sub buffer. This can cause obvious issues. + +To fix this, add a few memory barriers so that the reader definitely sees +the updates to the sub buffer, and also waits until the writer has put +back the "tail" of the sub buffer back to the last event that was written +on it. + +To be paranoid, it will only spin for 1 second, otherwise it will +warn and shutdown the ring buffer code. 1 second should be enough as +the writer does have preemption disabled. If the writer doesn't move +within 1 second (with preemption disabled) something is horribly +wrong. No interrupt should last 1 second! + +Link: https://lore.kernel.org/all/20220830120854.7545-1-jiazi.li@transsion.com/ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216369 +Link: https://lkml.kernel.org/r/20220929104909.0650a36c@gandalf.local.home + +Cc: Ingo Molnar +Cc: Andrew Morton +Cc: stable@vger.kernel.org +Fixes: c7b0930857e22 ("ring-buffer: prevent adding write in discarded area") +Reported-by: Jiazi.Li +Signed-off-by: Steven Rostedt (Google) +Acked-by: Petr Pavlu +--- + kernel/trace/ring_buffer.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 3046deacf7b3..c3f354cfc5ba 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2648,6 +2648,9 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, + /* Mark the rest of the page with padding */ + rb_event_set_padding(event); + ++ /* Make sure the padding is visible before the write update */ ++ smp_wmb(); ++ + /* Set the write back to the previous setting */ + local_sub(length, &tail_page->write); + return; +@@ -2659,6 +2662,9 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, + /* time delta must be non zero */ + event->time_delta = 1; + ++ /* Make sure the padding is visible before the tail_page->write update */ ++ smp_wmb(); ++ + /* Set write to end of buffer */ + length = (tail + length) - BUF_PAGE_SIZE; + local_sub(length, &tail_page->write); +@@ -4627,6 +4633,33 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) + arch_spin_unlock(&cpu_buffer->lock); + local_irq_restore(flags); + ++ /* ++ * The writer has preempt disable, wait for it. But not forever ++ * Although, 1 second is pretty much "forever" ++ */ ++#define USECS_WAIT 1000000 ++ for (nr_loops = 0; nr_loops < USECS_WAIT; nr_loops++) { ++ /* If the write is past the end of page, a writer is still updating it */ ++ if (likely(!reader || rb_page_write(reader) <= BUF_PAGE_SIZE)) ++ break; ++ ++ udelay(1); ++ ++ /* Get the latest version of the reader write value */ ++ smp_rmb(); ++ } ++ ++ /* The writer is not moving forward? Something is wrong */ ++ if (RB_WARN_ON(cpu_buffer, nr_loops == USECS_WAIT)) ++ reader = NULL; ++ ++ /* ++ * Make sure we see any padding after the write update ++ * (see rb_reset_tail()) ++ */ ++ smp_rmb(); ++ ++ + return reader; + } + + diff --git a/patches.suse/tracing-Add-ioctl-to-force-ring-buffer-waiters-to-wake-up.patch b/patches.suse/tracing-Add-ioctl-to-force-ring-buffer-waiters-to-wake-up.patch new file mode 100644 index 0000000..e36ddbe --- /dev/null +++ b/patches.suse/tracing-Add-ioctl-to-force-ring-buffer-waiters-to-wake-up.patch @@ -0,0 +1,63 @@ +From: "Steven Rostedt (Google)" +Date: Thu, 29 Sep 2022 09:50:29 -0400 +Subject: tracing: Add ioctl() to force ring buffer waiters to wake up +Git-commit: 01b2a52171735c6eea80ee2f355f32bea6c41418 +Patch-mainline: v6.1-rc1 +References: git-fixes + +If a process is waiting on the ring buffer for data, there currently isn't +a clean way to force it to wake up. Add an ioctl call that will force any +tasks that are waiting on the trace_pipe_raw file to wake up. + +Link: https://lkml.kernel.org/r/20220929095029.117f913f@gandalf.local.home + +Cc: stable@vger.kernel.org +Cc: Ingo Molnar +Cc: Andrew Morton +Fixes: e30f53aad2202 ("tracing: Do not busy wait in buffer splice") +Signed-off-by: Steven Rostedt (Google) +Acked-by: Petr Pavlu +--- + kernel/trace/trace.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index e101b0764b39..58afc83afc9d 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -8349,12 +8349,34 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + return ret; + } + ++/* An ioctl call with cmd 0 to the ring buffer file will wake up all waiters */ ++static long tracing_buffers_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ++{ ++ struct ftrace_buffer_info *info = file->private_data; ++ struct trace_iterator *iter = &info->iter; ++ ++ if (cmd) ++ return -ENOIOCTLCMD; ++ ++ mutex_lock(&trace_types_lock); ++ ++ iter->wait_index++; ++ /* Make sure the waiters see the new wait_index */ ++ smp_wmb(); ++ ++ ring_buffer_wake_waiters(iter->trace_buffer->buffer, iter->cpu_file); ++ ++ mutex_unlock(&trace_types_lock); ++ return 0; ++} ++ + static const struct file_operations tracing_buffers_fops = { + .open = tracing_buffers_open, + .read = tracing_buffers_read, + .poll = tracing_buffers_poll, + .release = tracing_buffers_release, + .splice_read = tracing_buffers_splice_read, ++ .unlocked_ioctl = tracing_buffers_ioctl, + .llseek = no_llseek, + }; + + diff --git a/patches.suse/tracing-Disable-interrupt-or-preemption-before-acquiring-arch_spinlock_t.patch b/patches.suse/tracing-Disable-interrupt-or-preemption-before-acquiring-arch_spinlock_t.patch new file mode 100644 index 0000000..4989617 --- /dev/null +++ b/patches.suse/tracing-Disable-interrupt-or-preemption-before-acquiring-arch_spinlock_t.patch @@ -0,0 +1,97 @@ +From: Waiman Long +Date: Thu, 22 Sep 2022 10:56:22 -0400 +Subject: tracing: Disable interrupt or preemption before acquiring + arch_spinlock_t +Git-commit: c0a581d7126c0bbc96163276f585fd7b4e4d8d0e +Patch-mainline: v6.1-rc1 +References: git-fixes + +It was found that some tracing functions in kernel/trace/trace.c acquire +an arch_spinlock_t with preemption and irqs enabled. An example is the +tracing_saved_cmdlines_size_read() function which intermittently causes +a "BUG: using smp_processor_id() in preemptible" warning when the LTP +read_all_proc test is run. + +That can be problematic in case preemption happens after acquiring the +lock. Add the necessary preemption or interrupt disabling code in the +appropriate places before acquiring an arch_spinlock_t. + +The convention here is to disable preemption for trace_cmdline_lock and +interupt for max_lock. + +Link: https://lkml.kernel.org/r/20220922145622.1744826-1-longman@redhat.com + +Cc: Peter Zijlstra +Cc: Ingo Molnar +Cc: Will Deacon +Cc: Boqun Feng +Cc: stable@vger.kernel.org +Fixes: a35873a0993b ("tracing: Add conditional snapshot") +Fixes: 939c7a4f04fc ("tracing: Introduce saved_cmdlines_size file") +Suggested-by: Steven Rostedt +Signed-off-by: Waiman Long +Signed-off-by: Steven Rostedt (Google) +[ppavlu: +* Strip the local_irq_disable()/local_irq_enable() additions for + max_lock which are related to non-picked + commit a35873a0993b ("tracing: Add conditional snapshot"). +* Remove the lockdep_assert_preemption_disabled() assertion added + to trace_save_cmdline() because it is not available. It requires + commit 8fd8ad5c5dfc ("lockdep: Add preemption enabled/disabled assertion APIs").] +Acked-by: Petr Pavlu +--- + kernel/trace/trace.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index d3005279165d..aed7ea6e6045 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2200,6 +2206,11 @@ static size_t tgid_map_max; + + #define SAVED_CMDLINES_DEFAULT 128 + #define NO_CMDLINE_MAP UINT_MAX ++/* ++ * Preemption must be disabled before acquiring trace_cmdline_lock. ++ * The various trace_arrays' max_lock must be acquired in a context ++ * where interrupt is disabled. ++ */ + static arch_spinlock_t trace_cmdline_lock = __ARCH_SPIN_LOCK_UNLOCKED; + struct saved_cmdlines_buffer { + unsigned map_pid_to_cmdline[PID_MAX_DEFAULT+1]; +@@ -2412,6 +2423,9 @@ static int trace_save_cmdline(struct task_struct *tsk) + * the lock, but we also don't want to spin + * nor do we want to disable interrupts, + * so if we miss here, then better luck next time. ++ * ++ * This is called within the scheduler and wake up, so interrupts ++ * had better been disabled and run queue lock been held. + */ + if (!arch_spin_trylock(&trace_cmdline_lock)) + return 0; +@@ -5890,9 +5905,11 @@ tracing_saved_cmdlines_size_read(struct file *filp, char __user *ubuf, + char buf[64]; + int r; + ++ preempt_disable(); + arch_spin_lock(&trace_cmdline_lock); + r = scnprintf(buf, sizeof(buf), "%u\n", savedcmd->cmdline_num); + arch_spin_unlock(&trace_cmdline_lock); ++ preempt_enable(); + + return simple_read_from_buffer(ubuf, cnt, ppos, buf, r); + } +@@ -5917,10 +5934,12 @@ static int tracing_resize_saved_cmdlines(unsigned int val) + return -ENOMEM; + } + ++ preempt_disable(); + arch_spin_lock(&trace_cmdline_lock); + savedcmd_temp = savedcmd; + savedcmd = s; + arch_spin_unlock(&trace_cmdline_lock); ++ preempt_enable(); + free_saved_cmdlines_buffer(savedcmd_temp); + + return 0; + diff --git a/patches.suse/tracing-Do-not-free-snapshot-if-tracer-is-on-cmdline.patch b/patches.suse/tracing-Do-not-free-snapshot-if-tracer-is-on-cmdline.patch new file mode 100644 index 0000000..c9a09df --- /dev/null +++ b/patches.suse/tracing-Do-not-free-snapshot-if-tracer-is-on-cmdline.patch @@ -0,0 +1,83 @@ +From: "Steven Rostedt (Google)" +Date: Wed, 5 Oct 2022 11:37:57 -0400 +Subject: tracing: Do not free snapshot if tracer is on cmdline +Git-commit: a541a9559bb0a8ecc434de01d3e4826c32e8bb53 +Patch-mainline: v6.1-rc1 +References: git-fixes + +The ftrace_boot_snapshot and alloc_snapshot cmdline options allocate the +snapshot buffer at boot up for use later. The ftrace_boot_snapshot in +particular requires the snapshot to be allocated because it will take a +snapshot at the end of boot up allowing to see the traces that happened +during boot so that it's not lost when user space takes over. + +When a tracer is registered (started) there's a path that checks if it +requires the snapshot buffer or not, and if it does not and it was +allocated it will do a synchronization and free the snapshot buffer. + +This is only required if the previous tracer was using it for "max +latency" snapshots, as it needs to make sure all max snapshots are +complete before freeing. But this is only needed if the previous tracer +was using the snapshot buffer for latency (like irqoff tracer and +friends). But it does not make sense to free it, if the previous tracer +was not using it, and the snapshot was allocated by the cmdline +parameters. This basically takes away the point of allocating it in the +first place! + +Note, the allocated snapshot worked fine for just trace events, but fails +when a tracer is enabled on the cmdline. + +Further investigation, this goes back even further and it does not require +a tracer on the cmdline to fail. Simply enable snapshots and then enable a +tracer, and it will remove the snapshot. + +Link: https://lkml.kernel.org/r/20221005113757.041df7fe@gandalf.local.home + +Cc: Masami Hiramatsu +Cc: Andrew Morton +Cc: stable@vger.kernel.org +Fixes: 45ad21ca5530 ("tracing: Have trace_array keep track if snapshot buffer is allocated") +Reported-by: Ross Zwisler +Tested-by: Ross Zwisler +Signed-off-by: Steven Rostedt (Google) +Acked-by: Petr Pavlu +--- + kernel/trace/trace.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index def721de68a0..47a44b055a1d 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -6428,12 +6428,12 @@ int tracing_set_tracer(struct trace_array *tr, const char *buf) + if (tr->current_trace->reset) + tr->current_trace->reset(tr); + ++#ifdef CONFIG_TRACER_MAX_TRACE ++ had_max_tr = tr->current_trace->use_max_tr; ++ + /* Current trace needs to be nop_trace before synchronize_sched */ + tr->current_trace = &nop_trace; + +-#ifdef CONFIG_TRACER_MAX_TRACE +- had_max_tr = tr->allocated_snapshot; +- + if (had_max_tr && !t->use_max_tr) { + /* + * We need to make sure that the update_max_tr sees that +@@ -6446,11 +6446,13 @@ int tracing_set_tracer(struct trace_array *tr, const char *buf) + free_snapshot(tr); + } + +- if (t->use_max_tr && !had_max_tr) { ++ if (t->use_max_tr && !tr->allocated_snapshot) { + ret = tracing_alloc_snapshot_instance(tr); + if (ret < 0) + goto out; + } ++#else ++ tr->current_trace = &nop_trace; + #endif + + if (t->init) { + diff --git a/patches.suse/tracing-Simplify-conditional-compilation-code-in-tracing_set_tracer.patch b/patches.suse/tracing-Simplify-conditional-compilation-code-in-tracing_set_tracer.patch new file mode 100644 index 0000000..acfc971 --- /dev/null +++ b/patches.suse/tracing-Simplify-conditional-compilation-code-in-tracing_set_tracer.patch @@ -0,0 +1,36 @@ +From: sunliming +Date: Thu, 2 Jun 2022 22:06:13 +0800 +Subject: tracing: Simplify conditional compilation code in + tracing_set_tracer() +Git-commit: f4b0d318097e45cbac5e14976f8bb56aa2cef504 +Patch-mainline: v5.19-rc4 +References: git-fixes + +Two conditional compilation directives "#ifdef CONFIG_TRACER_MAX_TRACE" +are used consecutively, and no other code in between. Simplify conditional +the compilation code and only use one "#ifdef CONFIG_TRACER_MAX_TRACE". + +Link: https://lkml.kernel.org/r/20220602140613.545069-1-sunliming@kylinos.cn + +Signed-off-by: sunliming +Signed-off-by: Steven Rostedt (Google) +Acked-by: Petr Pavlu +--- + kernel/trace/trace.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 2c95992e2c71..a8cfac0611bc 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -6424,9 +6424,7 @@ int tracing_set_tracer(struct trace_array *tr, const char *buf) + synchronize_sched(); + free_snapshot(tr); + } +-#endif + +-#ifdef CONFIG_TRACER_MAX_TRACE + if (t->use_max_tr && !had_max_tr) { + ret = tracing_alloc_snapshot_instance(tr); + if (ret < 0) + diff --git a/patches.suse/tracing-Wake-up-ring-buffer-waiters-on-closing-of-the-file.patch b/patches.suse/tracing-Wake-up-ring-buffer-waiters-on-closing-of-the-file.patch new file mode 100644 index 0000000..82c5350 --- /dev/null +++ b/patches.suse/tracing-Wake-up-ring-buffer-waiters-on-closing-of-the-file.patch @@ -0,0 +1,82 @@ +From: "Steven Rostedt (Google)" +Date: Tue, 27 Sep 2022 19:15:27 -0400 +Subject: tracing: Wake up ring buffer waiters on closing of the file +Git-commit: f3ddb74ad0790030c9592229fb14d8c451f4e9a8 +Patch-mainline: v6.1-rc1 +References: git-fixes + +When the file that represents the ring buffer is closed, there may be +waiters waiting on more input from the ring buffer. Call +ring_buffer_wake_waiters() to wake up any waiters when the file is +closed. + +Link: https://lkml.kernel.org/r/20220927231825.182416969@goodmis.org + +Cc: stable@vger.kernel.org +Cc: Ingo Molnar +Cc: Andrew Morton +Fixes: e30f53aad2202 ("tracing: Do not busy wait in buffer splice") +Signed-off-by: Steven Rostedt (Google) +Acked-by: Petr Pavlu +--- + include/linux/trace_events.h | 1 + + kernel/trace/trace.c | 15 +++++++++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h +index 8401dec93c15..20749bd9db71 100644 +--- a/include/linux/trace_events.h ++++ b/include/linux/trace_events.h +@@ -92,6 +92,7 @@ struct trace_iterator { + struct mutex mutex; + struct ring_buffer_iter **buffer_iter; + unsigned long iter_flags; ++ long wait_index; + + /* trace_seq for __print_flags() and __print_symbolic() etc. */ + struct trace_seq tmp_seq; +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index aed7ea6e6045..e101b0764b39 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -8160,6 +8160,12 @@ static int tracing_buffers_release(struct inode *inode, struct file *file) + + __trace_array_put(iter->tr); + ++ iter->wait_index++; ++ /* Make sure the waiters see the new wait_index */ ++ smp_wmb(); ++ ++ ring_buffer_wake_waiters(iter->trace_buffer->buffer, iter->cpu_file); ++ + if (info->spare) + ring_buffer_free_read_page(iter->trace_buffer->buffer, + info->spare_cpu, info->spare); +@@ -8313,6 +8319,8 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + + /* did we read anything? */ + if (!spd.nr_pages) { ++ long wait_index; ++ + if (ret) + goto out; + +@@ -8320,10 +8328,17 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + if ((file->f_flags & O_NONBLOCK) || (flags & SPLICE_F_NONBLOCK)) + goto out; + ++ wait_index = READ_ONCE(iter->wait_index); ++ + ret = wait_on_pipe(iter, true); + if (ret) + goto out; + ++ /* Make sure we see the new wait_index */ ++ smp_rmb(); ++ if (wait_index != iter->wait_index) ++ goto out; ++ + goto again; + } + + diff --git a/patches.suse/tracing-Wake-up-waiters-when-tracing-is-disabled.patch b/patches.suse/tracing-Wake-up-waiters-when-tracing-is-disabled.patch new file mode 100644 index 0000000..6b68b2b --- /dev/null +++ b/patches.suse/tracing-Wake-up-waiters-when-tracing-is-disabled.patch @@ -0,0 +1,44 @@ +From: "Steven Rostedt (Google)" +Date: Wed, 28 Sep 2022 18:22:20 -0400 +Subject: tracing: Wake up waiters when tracing is disabled +Git-commit: 2b0fd9a59b7990c161fa1cb7b79edb22847c87c2 +Patch-mainline: v6.1-rc1 +References: git-fixes + +When tracing is disabled, there's no reason that waiters should stay +waiting, wake them up, otherwise tasks get stuck when they should be +flushing the buffers. + +Cc: stable@vger.kernel.org +Fixes: e30f53aad2202 ("tracing: Do not busy wait in buffer splice") +Signed-off-by: Steven Rostedt (Google) +Acked-by: Petr Pavlu +--- + kernel/trace/trace.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 58afc83afc9d..bb5597c6bfc1 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -8334,6 +8334,10 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + if (ret) + goto out; + ++ /* No need to wait after waking up when tracing is off */ ++ if (!tracer_tracing_is_on(iter->tr)) ++ goto out; ++ + /* Make sure we see the new wait_index */ + smp_rmb(); + if (wait_index != iter->wait_index) +@@ -9065,6 +9069,8 @@ rb_simple_write(struct file *filp, const char __user *ubuf, + tracer_tracing_off(tr); + if (tr->current_trace->stop) + tr->current_trace->stop(tr); ++ /* Wake up any waiters */ ++ ring_buffer_wake_waiters(buffer, RING_BUFFER_ALL_CPUS); + } + mutex_unlock(&trace_types_lock); + } + diff --git a/patches.suse/usb-mon-make-mmapped-memory-read-only.patch b/patches.suse/usb-mon-make-mmapped-memory-read-only.patch new file mode 100644 index 0000000..8a7daa8 --- /dev/null +++ b/patches.suse/usb-mon-make-mmapped-memory-read-only.patch @@ -0,0 +1,52 @@ +From a659daf63d16aa883be42f3f34ff84235c302198 Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Mon, 19 Sep 2022 14:59:57 -0700 +Subject: [PATCH] usb: mon: make mmapped memory read only +Git-commit: a659daf63d16aa883be42f3f34ff84235c302198 +References: bsc#1204653 CVE-2022-43750 +Patch-mainline: v6.1-rc1 + +Syzbot found an issue in usbmon module, where the user space client can +corrupt the monitor's internal memory, causing the usbmon module to +crash the kernel with segfault, UAF, etc. + +The reproducer mmaps the /dev/usbmon memory to user space, and +overwrites it with arbitrary data, which causes all kinds of issues. + +Return an -EPERM error from mon_bin_mmap() if the flag VM_WRTIE is set. +Also clear VM_MAYWRITE to make it impossible to change it to writable +later. + +Cc: "Dmitry Vyukov" +Cc: stable +Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon") +Suggested-by: PaX Team # for the VM_MAYRITE portion +Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95a +Reported-by: syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com +Signed-off-by: Tadeusz Struk +Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/mon/mon_bin.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c +index f48a23adbc35..094e812e9e69 100644 +--- a/drivers/usb/mon/mon_bin.c ++++ b/drivers/usb/mon/mon_bin.c +@@ -1268,6 +1268,11 @@ static int mon_bin_mmap(struct file *filp, struct vm_area_struct *vma) + { + /* don't do anything here: "fault" will set up page table entries */ + vma->vm_ops = &mon_bin_vm_ops; ++ ++ if (vma->vm_flags & VM_WRITE) ++ return -EPERM; ++ ++ vma->vm_flags &= ~VM_MAYWRITE; + vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; + vma->vm_private_data = filp->private_data; + mon_bin_vma_open(vma); +-- +2.35.3 + diff --git a/patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch b/patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch new file mode 100644 index 0000000..471a377 --- /dev/null +++ b/patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch @@ -0,0 +1,88 @@ +From 7e97cfed9929eaabc41829c395eb0d1350fccb9d Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Mon, 8 Aug 2022 11:04:47 -0700 +Subject: [PATCH] vsock: Fix memory leak in vsock_connect() +Git-commit: 7e97cfed9929eaabc41829c395eb0d1350fccb9d +Patch-mainline: v6.0-rc1 +References: CVE-2022-3629 bsc#1204635 + +An O_NONBLOCK vsock_connect() request may try to reschedule +@connect_work. Imagine the following sequence of vsock_connect() +Requests: + + 1. The 1st, non-blocking request schedules @connect_work, which will + expire after 200 jiffies. Socket state is now SS_CONNECTING; + + 2. Later, the 2nd, blocking request gets interrupted by a signal after + a few jiffies while waiting for the connection to be established. + Socket state is back to SS_UNCONNECTED, but @connect_work is still + pending, and will expire after 100 jiffies. + + 3. Now, the 3rd, non-blocking request tries to schedule @connect_work + again. Since @connect_work is already scheduled, + schedule_delayed_work() silently returns. sock_hold() is called + twice, but sock_put() will only be called once in + vsock_connect_timeout(), causing a memory leak reported by syzbot: + + BUG: memory leak + unreferenced object 0xffff88810ea56a40 (size 1232): + comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 28 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............ + backtrace: + [] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930 + [] sk_alloc+0x32/0x2e0 net/core/sock.c:1989 + [] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734 + [] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2203 + [] __sock_create+0x1ab/0x2b0 net/socket.c:1468 + [] sock_create net/socket.c:1519 [inline] + [] __sys_socket+0x6f/0x140 net/socket.c:1561 + [] __do_sys_socket net/socket.c:1570 [inline] + [] __se_sys_socket net/socket.c:1568 [inline] + [] __x64_sys_socket+0x1a/0x20 net/socket.c:1568 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + <...> + +Use mod_delayed_work() instead: if @connect_work is already scheduled, +reschedule it, and undo sock_hold() to keep the reference count +balanced. + +Reported-and-tested-by: syzbot+b03f55bf128f9a38f064@syzkaller.appspotmail.com +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Co-developed-by: Stefano Garzarella +Signed-off-by: Stefano Garzarella +Reviewed-by: Stefano Garzarella +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + net/vmw_vsock/af_vsock.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index f04abf662ec6..4d68681f5abe 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1391,7 +1391,14 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + * timeout fires. + */ + sock_hold(sk); +- schedule_delayed_work(&vsk->connect_work, timeout); ++ ++ /* If the timeout function is already scheduled, ++ * reschedule it, then ungrab the socket refcount to ++ * keep it balanced. ++ */ ++ if (mod_delayed_work(system_wq, &vsk->connect_work, ++ timeout)) ++ sock_put(sk); + + /* Skip ahead to preserve error code set above. */ + goto out_wait; +-- +2.35.3 + diff --git a/patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch b/patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch new file mode 100644 index 0000000..b19bbd8 --- /dev/null +++ b/patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch @@ -0,0 +1,123 @@ +From 6788ba8aed4e28e90f72d68a9d794e34eac17295 Mon Sep 17 00:00:00 2001 +From: Dokyung Song +Date: Fri, 21 Oct 2022 15:13:59 +0900 +Subject: [PATCH] wifi: brcmfmac: Fix potential buffer overflow in + brcmf_fweh_event_worker() +Git-commit: 6788ba8aed4e28e90f72d68a9d794e34eac17295 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git +Patch-mainline: Queued in subsystem maintainer repository +References: CVE-2022-3628 bsc#1204868 + +This patch fixes an intra-object buffer overflow in brcmfmac that occurs +when the device provides a 'bsscfgidx' equal to or greater than the +buffer size. The patch adds a check that leads to a safe failure if that +is the case. + +This fixes CVE-2022-3628. + +Ubsan: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index 52 is out of range for type 'brcmf_if *[16]' +Cpu: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Workqueue: events brcmf_fweh_event_worker +Call Trace: + dump_stack_lvl+0x57/0x7d + ubsan_epilogue+0x5/0x40 + __ubsan_handle_out_of_bounds+0x69/0x80 + ? memcpy+0x39/0x60 + brcmf_fweh_event_worker+0xae1/0xc00 + ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 + ? rcu_read_lock_sched_held+0xa1/0xd0 + ? rcu_read_lock_bh_held+0xb0/0xb0 + ? lockdep_hardirqs_on_prepare+0x273/0x3e0 + process_one_work+0x873/0x13e0 + ? lock_release+0x640/0x640 + ? pwq_dec_nr_in_flight+0x320/0x320 + ? rwlock_bug.part.0+0x90/0x90 + worker_thread+0x8b/0xd10 + ? __kthread_parkme+0xd9/0x1d0 + ? process_one_work+0x13e0/0x13e0 + kthread+0x379/0x450 + ? _raw_spin_unlock_irq+0x24/0x30 + ? set_kthread_struct+0x100/0x100 + ret_from_fork+0x1f/0x30 +================================================================================ +general protection fault, probably for non-canonical address 0xe5601c0020023fff: 0000 [#1] SMP KASAN +Kasan: maybe wild-memory-access in range [0x2b0100010011fff8-0x2b0100010011ffff] +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Rip: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100 +Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00 +Rsp: 0018:ffffc9000259fbd8 EFLAGS: 00010207 +Rax: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000 +Rdx: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50 +Rbp: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809 +R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045 +R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000 +Fs: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 +Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Cr2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0 +Dr0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +Dr3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Pkru: 55555554 +Call Trace: + brcmf_fweh_event_worker+0x117/0xc00 + ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 + ? rcu_read_lock_sched_held+0xa1/0xd0 + ? rcu_read_lock_bh_held+0xb0/0xb0 + ? lockdep_hardirqs_on_prepare+0x273/0x3e0 + process_one_work+0x873/0x13e0 + ? lock_release+0x640/0x640 + ? pwq_dec_nr_in_flight+0x320/0x320 + ? rwlock_bug.part.0+0x90/0x90 + worker_thread+0x8b/0xd10 + ? __kthread_parkme+0xd9/0x1d0 + ? process_one_work+0x13e0/0x13e0 + kthread+0x379/0x450 + ? _raw_spin_unlock_irq+0x24/0x30 + ? set_kthread_struct+0x100/0x100 + ret_from_fork+0x1f/0x30 +Modules linked in: 88XXau(O) 88x2bu(O) +---[ end trace 41d302138f3ff55a ]--- +RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100 +Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00 +RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207 +RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000 +RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50 +RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809 +R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045 +R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000 +FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception + +Reported-by: Dokyung Song +Reported-by: Jisoo Jang +Reported-by: Minsuk Kang +Reviewed-by: Arend van Spriel +Cc: +Signed-off-by: Dokyung Song +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221021061359.GA550858@laguna +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -237,6 +237,10 @@ static void brcmf_fweh_event_worker(stru + brcmf_fweh_event_name(event->code), event->code, + event->emsg.ifidx, event->emsg.bsscfgidx, + event->emsg.addr); ++ if (event->emsg.bsscfgidx >= BRCMF_MAX_IFS) { ++ brcmf_err("invalid bsscfg index: %u\n", event->emsg.bsscfgidx); ++ goto event_free; ++ } + + /* convert event message */ + emsg_be = &event->emsg; diff --git a/series.conf b/series.conf index 14e52b0..7b3963e 100644 --- a/series.conf +++ b/series.conf @@ -52671,6 +52671,7 @@ patches.suse/ceph-fix-directories-inode-i_blkbits-initialization.patch patches.suse/ceph-update-the-mtime-when-truncating-up.patch patches.suse/ceph-reconnect-connection-if-session-hang-in-opening-state.patch + patches.suse/memcg-kmem-do-not-fail-__GFP_NOFAIL-charges.patch patches.suse/kexec-bail-out-upon-sigkill-when-allocating-memory patches.suse/0001-xen-pci-reserve-MCFG-areas-earlier.patch patches.suse/s390-topology-avoid-firing-events-before-kobjs-are-created @@ -53586,6 +53587,7 @@ patches.suse/0001-USB-chaoskey-fix-error-case-of-a-timeout.patch patches.suse/0001-USBIP-add-config-dependency-for-SGL_ALLOC.patch patches.suse/0001-usbip-Fix-uninitialized-symbol-nents-in-stub_recv_cm.patch + patches.suse/USB-serial-ch341-reimplement-line-speed-handling.patch patches.suse/USB-serial-mos7840-add-USB-ID-to-support-Moxa-UPort-.patch patches.suse/USB-serial-option-add-support-for-DW5821e-with-eSIM-.patch patches.suse/USB-serial-mos7720-fix-remote-wakeup.patch @@ -54944,6 +54946,7 @@ patches.suse/0001-USB-Fix-novation-SourceControl-XL-after-suspend.patch patches.suse/0001-USB-misc-iowarrior-add-support-for-2-OEMed-devices.patch patches.suse/0001-USB-misc-iowarrior-add-support-for-the-28-and-28L-de.patch + patches.suse/USB-serial-ch341-fix-receiver-regression.patch patches.suse/0001-thunderbolt-Prevent-crash-if-non-active-NVMem-file-i.patch patches.suse/0001-usb-gadget-composite-Fix-bMaxPower-for-SuperSpeedPlu.patch patches.suse/0001-usb-dwc2-Fix-in-ISOC-request-length-checking.patch @@ -56402,6 +56405,8 @@ patches.suse/usb-musb-Fix-runtime-PM-imbalance-on-error.patch patches.suse/CDC-ACM-heed-quirk-also-in-error-handling.patch patches.suse/USB-serial-usb_wwan-do-not-resubmit-rx-urb-on-fatal-.patch + patches.suse/USB-serial-ch341-add-basis-for-quirk-detection.patch + patches.suse/USB-serial-ch341-fix-lockup-of-devices-with-limited-.patch patches.suse/USB-serial-qcserial-add-DW5816e-QDL-support.patch patches.suse/USB-serial-option-add-Telit-LE910C1-EUX-compositions.patch patches.suse/serial-amba-pl011-Make-sure-we-initialize-the-port.l.patch @@ -58080,6 +58085,7 @@ patches.suse/vfio-pci-decouple-pci_command_memory-bit-checks-from-is_virtfn patches.suse/Werror-return-type.patch patches.suse/KVM-x86-emulating-RDPID-failure-shall-return-UD-rath.patch + patches.suse/KVM-x86-hyper-v-disallow-configuring-SynIC-timers-with-no-SynIC patches.suse/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages patches.suse/0001-KVM-SVM-Initialize-prev_ga_tag-before-use.patch patches.suse/Convert-trailing-spaces-and-periods-in-path-components.patch @@ -59056,12 +59062,16 @@ patches.suse/bpf_lru_list-Read-double-checked-variable-once-witho.patch patches.suse/bpf-Remove-MTU-check-in-__bpf_skb_max_len.patch patches.suse/ibmvnic-Set-to-CLOSED-state-even-on-error.patch + patches.suse/bnxt_en-reverse-order-of-TX-disable-and-carrier-off.patch patches.suse/bpf-Fix-truncation-handling-for-mod32-dst-reg-wrt-ze.patch patches.suse/cxgb4-chtls-cxgbit-Keeping-the-max-ofld-immediate-da.patch patches.suse/b43-N-PHY-Fix-the-update-of-coef-for-the-PHY-revisio.patch patches.suse/ibmvnic-add-memory-barrier-to-protect-long-term-buff.patch patches.suse/ibmvnic-skip-send_request_unmap-for-timeout-reset.patch patches.suse/ibmvnic-serialize-access-to-work-queue-on-remove.patch + patches.suse/net-amd-xgbe-Fix-NETDEV-WATCHDOG-transmit-queue-time.patch + patches.suse/net-amd-xgbe-Reset-link-when-the-link-never-comes-ba.patch + patches.suse/net-amd-xgbe-Fix-network-fluctuations-when-using-1G-.patch patches.suse/net-re-solve-some-conflicts-after-net-net-next-merge.patch patches.suse/reset-hisilicon-correct-vendor-prefix.patch patches.suse/vt-drop-old-FONT-ioctls.patch @@ -59224,13 +59234,17 @@ patches.suse/ocfs2-fix-a-use-after-free-on-error.patch patches.suse/0002-video-fbdev-acornfb-remove-free_unused_pages.patch patches.suse/PCI-Align-checking-of-syscall-user-config-accessors.patch + patches.suse/net-mlx4_core-Add-missed-mlx4_free_cmd_mailbox.patch + patches.suse/i40e-Fix-flow-for-IPv6-next-header-extension-header.patch patches.suse/i40e-Add-zero-initialization-of-AQ-command-structure.patch + patches.suse/i40e-Fix-overwriting-flow-control-settings-during-dr.patch patches.suse/i40e-Fix-add-TC-filter-for-IPv6.patch patches.suse/i40e-Fix-endianness-conversions.patch patches.suse/ice-Account-for-port-VLAN-in-VF-max-packet-size-calc.patch patches.suse/net-usb-qmi_wwan-support-ZTE-P685M-modem.patch patches.suse/ibmvnic-fix-a-race-between-open-and-reset.patch patches.suse/net-phy-micrel-set-soft_reset-callback-to-genphy_sof-764d31ca.patch + patches.suse/r8169-fix-jumbo-packet-handling-on-RTL8168e.patch patches.suse/drm-msm-a5xx-Remove-overwriting-A5XX_PC_DBG_ECO_CNTL.patch patches.suse/0005-drm-msm-dsi-Correct-io_start-for-MSM8994-20nm-PHY.patch patches.suse/pwm-rockchip-rockchip_pwm_probe-Remove-superfluous-c.patch @@ -59274,6 +59288,8 @@ patches.suse/RDMA-uverbs-Fix-kernel-doc-warning-of-_uverbs_alloc.patch patches.suse/powerpc-pseries-Don-t-enforce-MSI-affinity-with-kdum.patch patches.suse/gpiolib-acpi-Add-missing-IRQF_ONESHOT.patch + patches.suse/net-stmmac-stop-each-tx-channel-independently.patch + patches.suse/net-stmmac-fix-watchdog-timeout-during-suspend-resum.patch patches.suse/net-hns3-fix-query-vlan-mask-value-error-for-flow-di.patch patches.suse/net-hns3-fix-bug-when-calculating-the-TCAM-table-inf.patch patches.suse/can-skb-can_skb_set_owner-fix-ref-counting-if-socket.patch @@ -59451,6 +59467,7 @@ patches.suse/RDMA-cxgb4-check-for-ipv6-address-properly-while-des.patch patches.suse/RDMA-addr-Be-strict-with-gid-size.patch patches.suse/cifs-On-cifs_reconnect-resolve-the-hostname-again-.patch + patches.suse/amd-xgbe-Update-DMA-coherency-values.patch patches.suse/nfc-fix-refcount-leak-in-llcp_sock_bind.patch patches.suse/nfc-fix-refcount-leak-in-llcp_sock_connect.patch patches.suse/nfc-fix-memory-leak-in-llcp_sock_connect.patch @@ -59764,6 +59781,7 @@ patches.suse/netdevice-Add-missing-IFF_PHONY_HEADROOM-self-defini.patch patches.suse/xsk-Respect-device-s-headroom-and-tailroom-on-generi.patch patches.suse/ethernet-amazon-ena-A-typo-fix-in-the-file-ena_com.h.patch + patches.suse/net-lapbether-Prevent-racing-when-checking-whether-t.patch patches.suse/i40e-optimize-for-XDP_REDIRECT-in-xsk-path.patch patches.suse/inet-use-bigger-hash-table-for-IP-ID-generation.patch patches.suse/net-gve-convert-strlcpy-to-strscpy.patch @@ -59805,6 +59823,7 @@ patches.suse/net-davinci_emac-Fix-incorrect-masking-of-tx-and-rx-.patch patches.suse/net-phy-intel-xway-enable-integrated-led-functions.patch patches.suse/bnxt_en-fix-ternary-sign-extension-bug-in-bnxt_show_.patch + patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch patches.suse/net-emac-emac-mac-Fix-a-use-after-free-in-emac_mac_t.patch patches.suse/powerpc-fadump-Mark-fadump_calculate_reserve_size-as.patch @@ -59946,6 +59965,8 @@ patches.suse/serial-max310x-unregister-uart-driver-in-case-of-fai.patch patches.suse/net-rtlwifi-properly-check-for-alloc_workqueue-failu.patch patches.suse/net-stmicro-handle-clk_prepare-failure-during-init.patch + patches.suse/Revert-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch + patches.suse/ethernet-sun-niu-fix-missing-checks-of-niu_pci_eepro.patch patches.suse/qlcnic-Add-null-check-after-calling-netdev_alloc_skb.patch patches.suse/char-hpet-add-checks-after-calling-ioremap.patch patches.suse/0001-Revert-video-hgafb-fix-potential-NULL-pointer-derefe.patch @@ -59981,6 +60002,7 @@ patches.suse/locking-mutex-clear-MUTEX_FLAGS-if-wait_list-is-empt.patch patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch patches.suse/net-netcp-Fix-an-error-message.patch + patches.suse/net-mlx4-Fix-EEPROM-dump-support.patch patches.suse/cfg80211-mitigate-A-MSDU-aggregation-attacks.patch patches.suse/bpf-Add-kconfig-knob-for-disabling-unpriv-bpf-by-def.patch patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch @@ -60097,6 +60119,7 @@ patches.suse/net-ena-fix-DMA-mapping-function-issues-in-XDP.patch patches.suse/mac80211-remove-warning-in-ieee80211_get_sband.patch patches.suse/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch + patches.suse/net-mlx5e-Remove-dependency-in-IPsec-initialization-.patch patches.suse/alx-Fix-an-error-handling-path-in-alx_probe.patch patches.suse/net-stmmac-dwmac1000-Fix-extended-MAC-address-regist.patch patches.suse/qlcnic-Fix-an-error-handling-path-in-qlcnic_probe.patch @@ -60221,6 +60244,7 @@ patches.suse/HID-wacom-Correct-base-usage-for-capacitive-ExpressK.patch patches.suse/block-fix-trace-completion-for-chained-bio.patch patches.suse/nvme-verify-MNAN-value-if-ANA-is-enabled.patch + patches.suse/net-mvpp2-Put-fwnode-in-error-case-during-probe.patch patches.suse/net-pch_gbe-Propagate-error-from-devm_gpio_request_o.patch patches.suse/mvpp2-suppress-warning.patch patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch @@ -60288,6 +60312,7 @@ patches.suse/Bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch patches.suse/gve-DQO-Fix-off-by-one-in-gve_rx_dqo.patch patches.suse/net-ethernet-aeroflex-fix-UAF-in-greth_of_remove.patch + patches.suse/net-ethernet-ezchip-fix-UAF-in-nps_enet_remove.patch patches.suse/net-sched-add-barrier-to-ensure-correct-ordering-for.patch patches.suse/msft-hv-2398-hv_netvsc-Set-needed_headroom-according-to-VF.patch patches.suse/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch @@ -60550,6 +60575,7 @@ patches.suse/nfp-update-ethtool-reporting-of-pauseframe-control.patch patches.suse/bnx2x-fix-an-error-code-in-bnx2x_nic_load.patch patches.suse/net-pegasus-fix-uninit-value-in-get_interrupt_interv.patch + patches.suse/net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch patches.suse/ALSA-seq-Fix-racy-deletion-of-subscriber.patch patches.suse/RDMA-rxe-Use-the-correct-size-of-wqe-when-processing.patch patches.suse/RDMA-rxe-Restore-setting-tot_len-in-the-IPv4-header.patch @@ -60566,6 +60592,9 @@ patches.suse/ASoC-cs42l42-Fix-inversion-of-ADC-Notch-Switch-contr.patch patches.suse/ASoC-cs42l42-Remove-duplicate-control-for-WNF-filter.patch patches.suse/ceph-take-snap_empty_lock-atomically-with-snaprealm-refcount-change.patch + patches.suse/net-dsa-mt7530-add-the-missing-RxUnicast-MIB-counter.patch + patches.suse/ppp-Fix-generating-ifname-when-empty-IFLA_IFNAME-is-.patch + patches.suse/ppp-Fix-generating-ppp-unit-id-when-ifname-is-not-sp.patch patches.suse/ice-Prevent-probing-virtual-functions.patch patches.suse/iavf-Set-RSS-LUT-and-key-in-reset-handle-path.patch patches.suse/net-linkwatch-fix-failure-to-restore-device-state-ac.patch @@ -60584,6 +60613,7 @@ patches.suse/genirq-Provide-IRQCHIP_AFFINITY_PRE_STARTUP.patch patches.suse/x86-msi-Force-affinity-setup-before-startup.patch patches.suse/btrfs-prevent-rename2-from-exchanging-a-subvol-with-a-directory-from-different-parents.patch + patches.suse/bnxt-don-t-lock-the-tx-queue-from-napi-poll.patch patches.suse/bnxt-disable-napi-before-canceling-DIM.patch patches.suse/net-6pack-fix-slab-out-of-bounds-in-decode_data.patch patches.suse/bnxt_en-Add-missing-DMA-memory-barriers.patch @@ -60596,6 +60626,7 @@ patches.suse/xgene-v2-Fix-a-resource-leak-in-the-error-handling-p.patch patches.suse/e1000e-Fix-the-max-snoop-no-snoop-latency-for-10M.patch patches.suse/e1000e-Do-not-take-care-about-recovery-NVM-checksum.patch + patches.suse/net-marvell-fix-MVNETA_TX_IN_PRGRS-bit-number.patch patches.suse/can-usb-esd_usb2-esd_usb2_rx_event-fix-the-interchan.patch patches.suse/ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch patches.suse/USB-serial-option-add-new-VID-PID-to-support-Fibocom.patch @@ -60636,6 +60667,7 @@ patches.suse/0001-dm-crypt-Avoid-percpu_counter-spinlock-contention-in.patch patches.suse/gve-fix-the-wrong-AdminQ-buffer-overflow-check.patch patches.suse/igmp-Add-ip_mc_list-lock-in-ip_check_mc_rcu.patch + patches.suse/i40e-improve-locking-of-mac_filter_hash.patch patches.suse/usb-hso-fix-error-handling-code-of-hso_create_net_de.patch patches.suse/Bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch patches.suse/Bluetooth-increase-BTNAMSIZ-to-21-chars-to-fix-poten.patch @@ -60803,6 +60835,7 @@ patches.suse/SUNRPC-Simplify-socket-shutdown-when-not-reusing-TCP.patch patches.suse/fuse-truncate-pagecache-on-atomic_o_trunc.patch patches.suse/0002-backlight-pwm_bl-Improve-bootloader-kernel-device-ha.patch + patches.suse/KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged patches.suse/KVM-x86-Migrate-the-PIT-only-if-vcpu0-is-migrated-no.patch patches.suse/KVM-x86-Don-t-force-set-BSP-bit-when-local-APIC-is-m.patch patches.suse/KVM-s390-index-kvm-arch.idle_mask-by-vcpu_idx @@ -61542,6 +61575,7 @@ patches.suse/USB-serial-pl2303-add-IBM-device-IDs.patch patches.suse/USB-storage-ums-realtek-fix-error-code-in-rts51x_rea.patch patches.suse/USB-usb-storage-Fix-use-of-bitfields-for-hardware-da.patch + patches.suse/nvmem-core-Check-input-parameter-for-NULL-in-nvmem_u.patch patches.suse/mxser-fix-xmit_buf-leak-in-activate-when-LSR-0xff.patch patches.suse/xen-fix-is_xen_pmu.patch patches.suse/livepatch-Don-t-block-removal-of-patches-that-are-safe-to-unload.patch @@ -61561,6 +61595,9 @@ patches.suse/cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info-.patch patches.suse/cifs-fix-NULL-ptr-dereference-in-smb2_ioctl_query_info-.patch patches.suse/xen-blkfront-fix-comment-for-need_copy.patch + patches.suse/KVM-x86-Check-lapic_in_kernel-before-attempting-to-set-a-SynIC-i + patches.suse/KVM-x86-Avoid-theoretical-NULL-pointer-dereference-in-kvm_irq_de + patches.suse/KVM-x86-Forbid-VMM-to-set-SYNIC-STIMER-MSRs-when-SynIC-wasn-t-ac patches.suse/x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch @@ -61743,6 +61780,7 @@ patches.suse/smb3-add-trace-point-for-SMB2_set_eof.patch patches.suse/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch patches.suse/ext4-make-variable-count-signed.patch + patches.suse/tracing-Simplify-conditional-compilation-code-in-tracing_set_tracer.patch patches.suse/ata-libata-add-qc-flags-in-ata_qc_complete_template-tracepoint.patch patches.suse/x86-xen-Remove-undefined-behavior-in-setup_features.patch patches.suse/USB-serial-option-add-Telit-LE910Cx-0x1250-compositi.patch @@ -61871,6 +61909,7 @@ patches.suse/ext4-check-if-directory-block-is-within-i_size.patch patches.suse/ext4-make-sure-ext4_append-always-allocates-new-bloc.patch patches.suse/xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch + patches.suse/Input-gscps2-check-return-value-of-ioremap-in-gscps2.patch patches.suse/0004-Revert-drivers-video-backlight-platform_lcd.c-add-su.patch patches.suse/powerpc-powernv-Avoid-crashing-if-rng-is-NULL.patch patches.suse/powerpc-powernv-kvm-Use-darn-for-H_RANDOM-on-Power9.patch @@ -61896,10 +61935,15 @@ patches.suse/fuse-limit-nsec.patch patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch patches.suse/x86-speculation-Add-LFENCE-to-RSB-fill-sequence.patch + patches.suse/fs-add-mode_strip_sgid-helper.patch + patches.suse/fs-Add-missing-umask-strip-in-vfs_tmpfile.patch + patches.suse/fs-move-S_ISGID-stripping-into-the-vfs_-helpers.patch patches.suse/NFSv4.1-RECLAIM_COMPLETE-must-handle-EACCES.patch patches.suse/SUNRPC-Reinitialise-the-backchannel-request-buffers-.patch patches.suse/ceph-don-t-truncate-file-in-atomic_open.patch + patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch patches.suse/net_sched-cls_route-remove-from-list-when-handle-is-.patch + patches.suse/nfp-fix-use-after-free-in-area_cache_get.patch patches.suse/scsi-lpfc-Check-the-return-value-of-alloc_workqueue.patch patches.suse/cifs-fix-lock-length-calculation.patch patches.suse/cifs-Do-not-use-tcon-cfid-directly-use-the-cfid-we-get-from-open_.patch @@ -61927,6 +61971,7 @@ patches.suse/USB-serial-option-add-Quectel-EM060K-modem.patch patches.suse/USB-serial-ftdi_sio-add-Omron-CS1W-CIF31-device-id.patch patches.suse/USB-serial-cp210x-add-Decagon-UCA-device-id.patch + patches.suse/USB-serial-ch341-fix-lost-character-on-LCR-updates.patch patches.suse/s390-hugetlb-fix-prepare_hugepage_range-check-for-2-GB-hugepages patches.suse/efi-capsule-loader-Fix-use-after-free-in-efi_capsule.patch patches.suse/sch_sfb-Don-t-assume-the-skb-is-still-around-after-e.patch @@ -61943,7 +61988,9 @@ patches.suse/ACPI-processor-idle-Practically-limit-Dummy-wait-workaround-to-old-Intel-systems.patch patches.suse/Input-melfas_mip4-fix-return-value-check-in-mip4_pro.patch patches.suse/usbnet-Fix-memory-leak-in-usbnet_disconnect.patch + patches.suse/net-usb-qmi_wwan-Add-new-usb-id-for-Dell-branded-EM7.patch patches.suse/mISDN-fix-use-after-free-bugs-in-l1oip-timer-handler.patch + patches.suse/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch patches.suse/r8152-Rate-limit-overflow-messages.patch patches.suse/scsi-qla2xxx-remove-unused-del_sess_list-field.patch patches.suse/scsi-qla2xxx-remove-unused-qlt_tmr_work.patch @@ -61958,11 +62005,24 @@ patches.suse/scsi-qla2xxx-drop-did_target_failure-use.patch patches.suse/scsi-qla2xxx-remove-unused-declarations-for-qla2xxx.patch patches.suse/scsi-stex-Properly-zero-out-the-passthrough-command-structure.patch + patches.suse/usb-mon-make-mmapped-memory-read-only.patch patches.suse/KVM-x86-emulator-Fix-handing-of-POP-SS-to-correctly-.patch patches.suse/powerpc-pci_dn-Add-missing-of_node_put.patch patches.suse/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch patches.suse/powerpc-mm-64s-Drop-pgd_huge.patch + patches.suse/tracing-Disable-interrupt-or-preemption-before-acquiring-arch_spinlock_t.patch + patches.suse/ring-buffer-Check-pending-waiters-when-doing-wake-ups-as-well.patch + patches.suse/ring-buffer-Add-ring_buffer_wake_waiters.patch + patches.suse/tracing-Wake-up-ring-buffer-waiters-on-closing-of-the-file.patch + patches.suse/tracing-Add-ioctl-to-force-ring-buffer-waiters-to-wake-up.patch + patches.suse/tracing-Wake-up-waiters-when-tracing-is-disabled.patch + patches.suse/ring-buffer-Fix-race-between-reset-page-and-reading-page.patch + patches.suse/tracing-Do-not-free-snapshot-if-tracer-is-on-cmdline.patch + patches.suse/Input-xpad-add-supported-devices-as-contributed-on-g.patch + patches.suse/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch patches.suse/nilfs2-fix-NULL-pointer-dereference-at-nilfs_bmap_lo.patch + patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch + patches.suse/ftrace-Fix-char-print-issue-in-print_ip_ins.patch patches.suse/tcp-udp-Fix-memory-leak-in-ipv6_renew_options.patch patches.suse/kcm-avoid-potential-race-in-kcm_tx_work.patch @@ -62526,6 +62586,7 @@ patches.suse/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch patches.suse/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch + patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch ######################################################## # ISDN @@ -62988,6 +63049,8 @@ patches.kabi/qed-fixup-kabi-for-qed_rdma_create_qp_in_params.patch patches.kabi/kABI-Fix-kABI-after-mm-rmap-Fix-anon_vma-degree-ambi.patch patches.kabi/usb.h-struct-usb_device-hide-new-member.patch + patches.kabi/fix-kABI-after-KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged + patches.kabi/kABI-Fix-after-adding-trace_iterator.wait_index.patch ######################################################## # You'd better have a good reason for adding a patch