From a098dd930c7fc4f7b2dbd2de900664ed52ba74c6 Mon Sep 17 00:00:00 2001 From: Denis Kirjanov Date: Jun 04 2020 12:16:59 +0000 Subject: Merge remote-tracking branch 'remotes/origin/SLE15-SP1_EMBARGO' into SLE12-SP5_EMBARGO --- diff --git a/patches.suse/0001-btrfs-reloc-fix-reloc-root-leak-and-NULL-pointer-der.patch b/patches.suse/0001-btrfs-reloc-fix-reloc-root-leak-and-NULL-pointer-der.patch new file mode 100644 index 0000000..85263e6 --- /dev/null +++ b/patches.suse/0001-btrfs-reloc-fix-reloc-root-leak-and-NULL-pointer-der.patch @@ -0,0 +1,137 @@ +From 51415b6c1b117e223bc083e30af675cb5c5498f3 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 19 May 2020 10:13:20 +0800 +Patch-mainline: v5.8-rc1 +Git-commit: 51415b6c1b117e223bc083e30af675cb5c5498f3 +References: bsc#1171417 bsc#1160947 bsc#1172366 +Subject: [PATCH 1/2] btrfs: reloc: fix reloc root leak and NULL pointer + dereference + +[BUG] +When balance is canceled, there is a pretty high chance that unmounting +the fs can lead to lead the NULL pointer dereference: + + BTRFS warning (device dm-3): page private not zero on page 223158272 + ... + BTRFS warning (device dm-3): page private not zero on page 223162368 + BTRFS error (device dm-3): leaked root 18446744073709551608-304 refcount 1 + BUG: kernel NULL pointer dereference, address: 0000000000000168 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 2 PID: 5793 Comm: umount Tainted: G O 5.7.0-rc5-custom+ #53 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:__lock_acquire+0x5dc/0x24c0 + Call Trace: + lock_acquire+0xab/0x390 + _raw_spin_lock+0x39/0x80 + btrfs_release_extent_buffer_pages+0xd7/0x200 [btrfs] + release_extent_buffer+0xb2/0x170 [btrfs] + free_extent_buffer+0x66/0xb0 [btrfs] + btrfs_put_root+0x8e/0x130 [btrfs] + btrfs_check_leaked_roots.cold+0x5/0x5d [btrfs] + btrfs_free_fs_info+0xe5/0x120 [btrfs] + btrfs_kill_super+0x1f/0x30 [btrfs] + deactivate_locked_super+0x3b/0x80 + deactivate_super+0x3e/0x50 + cleanup_mnt+0x109/0x160 + __cleanup_mnt+0x12/0x20 + task_work_run+0x67/0xa0 + exit_to_usermode_loop+0xc5/0xd0 + syscall_return_slowpath+0x205/0x360 + do_syscall_64+0x6e/0xb0 + entry_SYSCALL_64_after_hwframe+0x49/0xb3 + RIP: 0033:0x7fd028ef740b + +[CAUSE] +When balance is canceled, all reloc roots are marked as orphan, and +orphan reloc roots are going to be cleaned up. + +However for orphan reloc roots and merged reloc roots, their lifespan +are quite different: + + Merged reloc roots | Orphan reloc roots by cancel +-------------------------------------------------------------------- +create_reloc_root() | create_reloc_root() +|- refs == 1 | |- refs == 1 + | +btrfs_grab_root(reloc_root); | btrfs_grab_root(reloc_root); +|- refs == 2 | |- refs == 2 + | +root->reloc_root = reloc_root; | root->reloc_root = reloc_root; + >>> No difference so far <<< + | +prepare_to_merge() | prepare_to_merge() +|- btrfs_set_root_refs(item, 1);| |- if (!err) (err == -EINTR) + | +merge_reloc_roots() | merge_reloc_roots() +|- merge_reloc_root() | |- Doing nothing to put reloc root + |- insert_dirty_subvol() | |- refs == 2 + |- __del_reloc_root() | + |- btrfs_put_root() | + |- refs == 1 | + >>> Now orphan reloc roots still have refs 2 <<< + | +clean_dirty_subvols() | clean_dirty_subvols() +|- btrfs_drop_snapshot() | |- btrfS_drop_snapshot() + |- reloc_root get freed | |- reloc_root still has refs 2 + | related ebs get freed, but + | reloc_root still recorded in + | allocated_roots +btrfs_check_leaked_roots() | btrfs_check_leaked_roots() +|- No leaked roots | |- Leaked reloc_roots detected + | |- btrfs_put_root() + | |- free_extent_buffer(root->node); + | |- eb already freed, caused NULL + | pointer dereference + +[FIX] +The fix is to clear fs_root->reloc_root and put it at +merge_reloc_roots() time, so that we won't leak reloc roots. + +Fixes: d2311e698578 ("btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots") +CC: stable@vger.kernel.org # 5.1+ +Tested-by: Johannes Thumshirn +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +--- +NOTE: Since we don't have the btrfs_put_root() refactor from Josef, +there is no need to call btrfs_put_fs_root(), or we can easily screw up +the root memories and leads to unexpected behavior. + +We'd better backport that series of patches before it's going to affect +more and more backports. +--- + fs/btrfs/relocation.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -2524,12 +2524,10 @@ again: + reloc_root = list_entry(reloc_roots.next, + struct btrfs_root, root_list); + ++ root = read_fs_root(fs_info, reloc_root->root_key.offset); + if (btrfs_root_refs(&reloc_root->root_item) > 0) { +- root = read_fs_root(fs_info, +- reloc_root->root_key.offset); + BUG_ON(IS_ERR(root)); + BUG_ON(root->reloc_root != reloc_root); +- + ret = merge_reloc_root(rc, root); + if (ret) { + if (list_empty(&reloc_root->root_list)) +@@ -2538,6 +2536,12 @@ again: + goto out; + } + } else { ++ if (!IS_ERR(root)) { ++ if (root->reloc_root == reloc_root) { ++ root->reloc_root = NULL; ++ } ++ } ++ + list_del_init(&reloc_root->root_list); + /* Don't forget to queue this reloc root for cleanup */ + list_add_tail(&reloc_root->reloc_dirty_list, diff --git a/patches.suse/0001-btrfs-relocation-Fix-reloc-root-leakage-and-the-NULL.patch b/patches.suse/0001-btrfs-relocation-Fix-reloc-root-leakage-and-the-NULL.patch deleted file mode 100644 index 46f9beb..0000000 --- a/patches.suse/0001-btrfs-relocation-Fix-reloc-root-leakage-and-the-NULL.patch +++ /dev/null @@ -1,125 +0,0 @@ -From b471ac73d73952aa2f14d17f068d61d0440b16e7 Mon Sep 17 00:00:00 2001 -From: Qu Wenruo -Date: Mon, 18 May 2020 15:44:32 +0800 -References: bsc#1171417 -Subject: [PATCH 1/2] btrfs: relocation: Fix reloc root leakage and the NULL - pointer reference caused by the leakage -Git-repo: https://github.com/kdave/btrfs-devel.git -Git-commit: 51415b6c1b117e223bc083e30af675cb5c5498f3 -Patch-mainline: Queued - -[BUG] -When balance is canceled, there is a pretty high chance that unmounting -the fs can lead to lead the NULL pointer dereference: - - BTRFS warning (device dm-3): page private not zero on page 223158272 - ... - BTRFS warning (device dm-3): page private not zero on page 223162368 - BTRFS error (device dm-3): leaked root 18446744073709551608-304 refcount 1 - BUG: kernel NULL pointer dereference, address: 0000000000000168 - #PF: supervisor read access in kernel mode - #PF: error_code(0x0000) - not-present page - PGD 0 P4D 0 - Oops: 0000 [#1] PREEMPT SMP NOPTI - CPU: 2 PID: 5793 Comm: umount Tainted: G O 5.7.0-rc5-custom+ #53 - Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 - RIP: 0010:__lock_acquire+0x5dc/0x24c0 - Call Trace: - lock_acquire+0xab/0x390 - _raw_spin_lock+0x39/0x80 - btrfs_release_extent_buffer_pages+0xd7/0x200 [btrfs] - release_extent_buffer+0xb2/0x170 [btrfs] - free_extent_buffer+0x66/0xb0 [btrfs] - btrfs_put_root+0x8e/0x130 [btrfs] - btrfs_check_leaked_roots.cold+0x5/0x5d [btrfs] - btrfs_free_fs_info+0xe5/0x120 [btrfs] - btrfs_kill_super+0x1f/0x30 [btrfs] - deactivate_locked_super+0x3b/0x80 - deactivate_super+0x3e/0x50 - cleanup_mnt+0x109/0x160 - __cleanup_mnt+0x12/0x20 - task_work_run+0x67/0xa0 - exit_to_usermode_loop+0xc5/0xd0 - syscall_return_slowpath+0x205/0x360 - do_syscall_64+0x6e/0xb0 - entry_SYSCALL_64_after_hwframe+0x49/0xb3 - RIP: 0033:0x7fd028ef740b - -[CAUSE] -When balance is canceled, all reloc roots are marked orphan, and orphan -reloc roots are going to be cleaned up. - -However for orphan reloc roots and merged reloc roots, their lifespan -are quite different: - Merged reloc roots | Orphan reloc roots by cancel --------------------------------------------------------------------- -create_reloc_root() | create_reloc_root() -|- refs == 1 | |- refs == 1 - | -btrfs_grab_root(reloc_root); | btrfs_grab_root(reloc_root); -|- refs == 2 | |- refs == 2 - | -root->reloc_root = reloc_root; | root->reloc_root = reloc_root; - >>> No difference so far <<< - | -prepare_to_merge() | prepare_to_merge() -|- btrfs_set_root_refs(item, 1);| |- if (!err) (err == -EINTR) - | -merge_reloc_roots() | merge_reloc_roots() -|- merge_reloc_root() | |- Doing nothing to put reloc root - |- insert_dirty_subvol() | |- refs == 2 - |- __del_reloc_root() | - |- btrfs_put_root() | - |- refs == 1 | - >>> Now orphan reloc roots still have refs 2 <<< - | -clean_dirty_subvols() | clean_dirty_subvols() -|- btrfs_drop_snapshot() | |- btrfS_drop_snapshot() - |- reloc_root get freed | |- reloc_root still has refs 2 - | related ebs get freed, but - | reloc_root still recorded in - | allocated_roots -btrfs_check_leaked_roots() | btrfs_check_leaked_roots() -|- No leaked roots | |- Leaked reloc_roots detected - | |- btrfs_put_root() - | |- free_extent_buffer(root->node); - | |- eb already freed, caused NULL - | pointer dereference - -[FIX] -The fix is to clear fs_root->reloc_root and put it at -merge_reloc_roots() time, so that we won't leak reloc roots. - -Fixes: d2311e698578 ("btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots") -Signed-off-by: Qu Wenruo ---- - fs/btrfs/relocation.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - ---- a/fs/btrfs/relocation.c -+++ b/fs/btrfs/relocation.c -@@ -2567,9 +2567,9 @@ again: - reloc_root = list_entry(reloc_roots.next, - struct btrfs_root, root_list); - -+ root = read_fs_root(fs_info, -+ reloc_root->root_key.offset); - if (btrfs_root_refs(&reloc_root->root_item) > 0) { -- root = read_fs_root(fs_info, -- reloc_root->root_key.offset); - BUG_ON(IS_ERR(root)); - BUG_ON(root->reloc_root != reloc_root); - -@@ -2581,6 +2581,12 @@ again: - goto out; - } - } else { -+ if (!IS_ERR(root)) { -+ if (root->reloc_root == reloc_root) { -+ root->reloc_root = NULL; -+ } -+ } -+ - list_del_init(&reloc_root->root_list); - /* Don't forget to queue this reloc root for cleanup */ - list_add_tail(&reloc_root->reloc_dirty_list, diff --git a/patches.suse/0002-btrfs-reloc-clear-DEAD_RELOC_TREE-bit-for-orphan-roo.patch b/patches.suse/0002-btrfs-reloc-clear-DEAD_RELOC_TREE-bit-for-orphan-roo.patch new file mode 100644 index 0000000..df5daf5 --- /dev/null +++ b/patches.suse/0002-btrfs-reloc-clear-DEAD_RELOC_TREE-bit-for-orphan-roo.patch @@ -0,0 +1,52 @@ +From 1dae7e0e58b484eaa43d530f211098fdeeb0f404 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 20 May 2020 14:58:51 +0800 +Patch-mainline: v5.8-rc1 +Git-commit: 1dae7e0e58b484eaa43d530f211098fdeeb0f404 +References: bsc#1171417 bsc#1160947 bsc#1172366 +Subject: [PATCH 2/2] btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots + to prevent runaway balance + +[BUG] +There are several reported runaway balance, that balance is flooding the +log with "found X extents" where the X never changes. + +[CAUSE] +Commit d2311e698578 ("btrfs: relocation: Delay reloc tree deletion after +merge_reloc_roots") introduced BTRFS_ROOT_DEAD_RELOC_TREE bit to +indicate that one subvolume has finished its tree blocks swap with its +reloc tree. + +However if balance is canceled or hits ENOSPC halfway, we didn't clear +the BTRFS_ROOT_DEAD_RELOC_TREE bit, leaving that bit hanging forever +until unmount. + +Any subvolume root with that bit, would cause backref cache to skip this +tree block, as it has finished its tree block swap. This would cause +all tree blocks of that root be ignored by balance, leading to runaway +balance. + +[FIX] +Fix the problem by also clearing the BTRFS_ROOT_DEAD_RELOC_TREE bit for +the original subvolume of orphan reloc root. + +Add an umount check for the stale bit still set. + +Fixes: d2311e698578 ("btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots") +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +--- + fs/btrfs/relocation.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -2540,6 +2540,8 @@ again: + if (root->reloc_root == reloc_root) { + root->reloc_root = NULL; + } ++ clear_bit(BTRFS_ROOT_DEAD_RELOC_TREE, ++ &root->state); + } + + list_del_init(&reloc_root->root_list); diff --git a/patches.suse/0002-btrfs-relocation-Clear-the-DEAD_RELOC_TREE-bit-for-o.patch b/patches.suse/0002-btrfs-relocation-Clear-the-DEAD_RELOC_TREE-bit-for-o.patch deleted file mode 100644 index 7ed139d..0000000 --- a/patches.suse/0002-btrfs-relocation-Clear-the-DEAD_RELOC_TREE-bit-for-o.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 9973801ac79f1c8aaf80e00b4e3f357aebebc1a3 Mon Sep 17 00:00:00 2001 -From: Qu Wenruo -Date: Wed, 20 May 2020 14:00:57 +0800 -References: bsc#1171417 -Subject: [PATCH 2/2] btrfs: relocation: Clear the DEAD_RELOC_TREE bit for - orphan roots to prevent runaway balance -Git-repo: https://github.com/kdave/btrfs-devel.git -Git-commit: 1dae7e0e58b484eaa43d530f211098fdeeb0f404 -Patch-mainline: Queued - -[BUG] -There are several reported runaway balance, that balance is flooding the -kernel with "Found X extents" where the X never changes. - -[CAUSE] -Commit d2311e698578 ("btrfs: relocation: Delay reloc tree deletion after -merge_reloc_roots") introduced BTRFS_ROOT_DEAD_RELOC_TREE bit to -indicate that one subvolume has finished its tree blocks swap with its -reloc tree. - -However if balance is canceled or hits ENOSPC halfway, we didn't clear -the BTRFS_ROOT_DEAD_RELOC_TREE bit, leaving that bit hanging forever -until unmount. - -Any subvolume root with that bit, would cause backref cache to skip this -tree block, as it has finished its tree block swap. -This would cause all tree blocks of that root be ignored by balance, -leading to runaway balance. - -[FIX] -Fix the problem by also clearing the BTRFS_ROOT_DEAD_RELOC_TREE bit for -the original subvolume of orphan reloc root. - -Furthermore to avoid such damn bug to bother anybody anymore, add -unmount time check to detect and warn about this bit. - -Fixes: d2311e698578 ("btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots") -Signed-off-by: Qu Wenruo ---- - fs/btrfs/relocation.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/fs/btrfs/relocation.c -+++ b/fs/btrfs/relocation.c -@@ -2585,6 +2585,8 @@ again: - if (root->reloc_root == reloc_root) { - root->reloc_root = NULL; - } -+ clear_bit(BTRFS_ROOT_DEAD_RELOC_TREE, -+ &root->state); - } - - list_del_init(&reloc_root->root_list); diff --git a/patches.suse/0451-mtd-spi-nor-fsl-quadspi-Don-t-let-EINVAL-on-the-bus.patch b/patches.suse/0451-mtd-spi-nor-fsl-quadspi-Don-t-let-EINVAL-on-the-bus.patch deleted file mode 100644 index a16f6ae..0000000 --- a/patches.suse/0451-mtd-spi-nor-fsl-quadspi-Don-t-let-EINVAL-on-the-bus.patch +++ /dev/null @@ -1,80 +0,0 @@ -From: Ahmad Fatoum -Date: Fri, 21 Sep 2018 11:32:53 +0200 -Subject: mtd: spi-nor: fsl-quadspi: Don't let -EINVAL on the bus - -Git-commit: 000412276370a9bcfec73b3752ceefd9a927f1db -Patch-mainline: v4.20-rc1 -References: fate#326530,fate#326531,fate#326535,fate#326538,fate#326539 - -fsl_qspi_get_seqid() may return -EINVAL, but fsl_qspi_init_ahb_read() -doesn't check for error codes with the result that -EINVAL could find -itself signalled over the bus. - -In conjunction with the LS1046A SoC's A-009283 errata -("Illegal accesses to SPI flash memory can result in a system hang") -this illegal access to SPI flash memory results in a system hang -if userspace attempts reading later on. - -Avoid this by always checking fsl_qspi_get_seqid()'s return value -and bail out otherwise. - -Fixes: e46ecda764dc ("mtd: spi-nor: Add Freescale QuadSPI driver") -Cc: stable@vger.kernel.org -Signed-off-by: Ahmad Fatoum -Signed-off-by: Boris Brezillon -Signed-off-by: Mian Yousaf Kaukab ---- - drivers/mtd/spi-nor/fsl-quadspi.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/drivers/mtd/spi-nor/fsl-quadspi.c b/drivers/mtd/spi-nor/fsl-quadspi.c -index 7d9620c7ff6c..d1ace310e7c1 100644 ---- a/drivers/mtd/spi-nor/fsl-quadspi.c -+++ b/drivers/mtd/spi-nor/fsl-quadspi.c -@@ -543,6 +543,9 @@ fsl_qspi_runcmd(struct fsl_qspi *q, u8 cmd, unsigned int addr, int len) - - /* trigger the LUT now */ - seqid = fsl_qspi_get_seqid(q, cmd); -+ if (seqid < 0) -+ return seqid; -+ - qspi_writel(q, (seqid << QUADSPI_IPCR_SEQID_SHIFT) | len, - base + QUADSPI_IPCR); - -@@ -671,7 +674,7 @@ static void fsl_qspi_set_map_addr(struct fsl_qspi *q) - * causes the controller to clear the buffer, and use the sequence pointed - * by the QUADSPI_BFGENCR[SEQID] to initiate a read from the flash. - */ --static void fsl_qspi_init_ahb_read(struct fsl_qspi *q) -+static int fsl_qspi_init_ahb_read(struct fsl_qspi *q) - { - void __iomem *base = q->iobase; - int seqid; -@@ -696,8 +699,13 @@ static void fsl_qspi_init_ahb_read(struct fsl_qspi *q) - - /* Set the default lut sequence for AHB Read. */ - seqid = fsl_qspi_get_seqid(q, q->nor[0].read_opcode); -+ if (seqid < 0) -+ return seqid; -+ - qspi_writel(q, seqid << QUADSPI_BFGENCR_SEQID_SHIFT, - q->iobase + QUADSPI_BFGENCR); -+ -+ return 0; - } - - /* This function was used to prepare and enable QSPI clock */ -@@ -805,9 +813,7 @@ static int fsl_qspi_nor_setup_last(struct fsl_qspi *q) - fsl_qspi_init_lut(q); - - /* Init for AHB read */ -- fsl_qspi_init_ahb_read(q); -- -- return 0; -+ return fsl_qspi_init_ahb_read(q); - } - - static const struct of_device_id fsl_qspi_dt_ids[] = { --- -2.11.0 - diff --git a/patches.suse/ACPI-CPPC-Fix-reference-count-leak-in-acpi_cppc_proc.patch b/patches.suse/ACPI-CPPC-Fix-reference-count-leak-in-acpi_cppc_proc.patch new file mode 100644 index 0000000..783544c --- /dev/null +++ b/patches.suse/ACPI-CPPC-Fix-reference-count-leak-in-acpi_cppc_proc.patch @@ -0,0 +1,38 @@ +From 4d8be4bc94f74bb7d096e1c2e44457b530d5a170 Mon Sep 17 00:00:00 2001 +From: Qiushi Wu +Date: Wed, 27 May 2020 17:35:51 -0500 +Subject: [PATCH] ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() +Git-commit: 4d8be4bc94f74bb7d096e1c2e44457b530d5a170 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +kobject_init_and_add() takes reference even when it fails. +If this function returns an error, kobject_put() must be called to +properly clean up the memory associated with the object. Previous +commit "b8eb718348b8" fixed a similar problem. + +Fixes: 158c998ea44b ("ACPI / CPPC: add sysfs support to compute delivered performance") +Signed-off-by: Qiushi Wu +Cc: 4.10+ # 4.10+ +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/cppc_acpi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c +index f8184004294a..7a99b19bb893 100644 +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -846,6 +846,7 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr) + "acpi_cppc"); + if (ret) { + per_cpu(cpc_desc_ptr, pr->id) = NULL; ++ kobject_put(&cpc_ptr->kobj); + goto out_free; + } + +-- +2.16.4 + diff --git a/patches.suse/ACPI-sysfs-Fix-reference-count-leak-in-acpi_sysfs_ad.patch b/patches.suse/ACPI-sysfs-Fix-reference-count-leak-in-acpi_sysfs_ad.patch new file mode 100644 index 0000000..d5cd61a --- /dev/null +++ b/patches.suse/ACPI-sysfs-Fix-reference-count-leak-in-acpi_sysfs_ad.patch @@ -0,0 +1,41 @@ +From 6e6c25283dff866308c87b49434c7dbad4774cc0 Mon Sep 17 00:00:00 2001 +From: Qiushi Wu +Date: Wed, 27 May 2020 16:17:17 -0500 +Subject: [PATCH] ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() +Git-commit: 6e6c25283dff866308c87b49434c7dbad4774cc0 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +kobject_init_and_add() takes reference even when it fails. +Thus, when kobject_init_and_add() returns an error, +kobject_put() must be called to properly clean up the kobject. + +Fixes: 3f8055c35836 ("ACPI / hotplug: Introduce user space interface for hotplug profiles") +Signed-off-by: Qiushi Wu +Cc: 3.10+ # 3.10+ +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/sysfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c +index c60d2c6d31d6..3a89909b50a6 100644 +--- a/drivers/acpi/sysfs.c ++++ b/drivers/acpi/sysfs.c +@@ -993,8 +993,10 @@ void acpi_sysfs_add_hotplug_profile(struct acpi_hotplug_profile *hotplug, + + error = kobject_init_and_add(&hotplug->kobj, + &acpi_hotplug_profile_ktype, hotplug_kobj, "%s", name); +- if (error) ++ if (error) { ++ kobject_put(&hotplug->kobj); + goto err_out; ++ } + + kobject_uevent(&hotplug->kobj, KOBJ_ADD); + return; +-- +2.16.4 + diff --git a/patches.suse/Input-evdev-call-input_flush_device-on-release-not-f.patch b/patches.suse/Input-evdev-call-input_flush_device-on-release-not-f.patch new file mode 100644 index 0000000..c39efb1 --- /dev/null +++ b/patches.suse/Input-evdev-call-input_flush_device-on-release-not-f.patch @@ -0,0 +1,75 @@ +From 09264098ff153f60866039d60b31d39b66f55a31 Mon Sep 17 00:00:00 2001 +From: Brendan Shanks +Date: Wed, 22 Apr 2020 13:45:12 -0700 +Subject: [PATCH] Input: evdev - call input_flush_device() on release(), not flush() +Git-commit: 09264098ff153f60866039d60b31d39b66f55a31 +Patch-mainline: v5.7 +References: bsc#1051510 + +input_flush_device() should only be called once the struct file is being +released and no open descriptors remain, but evdev_flush() was calling +it whenever a file descriptor was closed. + +This caused uploaded force-feedback effects to be erased when a process +did a dup()/close() on the event FD, called system(), etc. + +Call input_flush_device() from evdev_release() instead. + +Reported-by: Mathieu Maret +Signed-off-by: Brendan Shanks +Link: https://lore.kernel.org/r/20200421231003.7935-1-bshanks@codeweavers.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/evdev.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c +index cb6e3a5f509c..0d57e51b8ba1 100644 +--- a/drivers/input/evdev.c ++++ b/drivers/input/evdev.c +@@ -326,20 +326,6 @@ static int evdev_fasync(int fd, struct file *file, int on) + return fasync_helper(fd, file, on, &client->fasync); + } + +-static int evdev_flush(struct file *file, fl_owner_t id) +-{ +- struct evdev_client *client = file->private_data; +- struct evdev *evdev = client->evdev; +- +- mutex_lock(&evdev->mutex); +- +- if (evdev->exist && !client->revoked) +- input_flush_device(&evdev->handle, file); +- +- mutex_unlock(&evdev->mutex); +- return 0; +-} +- + static void evdev_free(struct device *dev) + { + struct evdev *evdev = container_of(dev, struct evdev, dev); +@@ -453,6 +439,10 @@ static int evdev_release(struct inode *inode, struct file *file) + unsigned int i; + + mutex_lock(&evdev->mutex); ++ ++ if (evdev->exist && !client->revoked) ++ input_flush_device(&evdev->handle, file); ++ + evdev_ungrab(evdev, client); + mutex_unlock(&evdev->mutex); + +@@ -1310,7 +1300,6 @@ static const struct file_operations evdev_fops = { + .compat_ioctl = evdev_ioctl_compat, + #endif + .fasync = evdev_fasync, +- .flush = evdev_flush, + .llseek = no_llseek, + }; + +-- +2.16.4 + diff --git a/patches.suse/Input-i8042-add-ThinkPad-S230u-to-i8042-reset-list.patch b/patches.suse/Input-i8042-add-ThinkPad-S230u-to-i8042-reset-list.patch new file mode 100644 index 0000000..0697e15 --- /dev/null +++ b/patches.suse/Input-i8042-add-ThinkPad-S230u-to-i8042-reset-list.patch @@ -0,0 +1,60 @@ +From 2712c91a54a1058d55c284152b4d93c979b67be6 Mon Sep 17 00:00:00 2001 +From: Kevin Locke +Date: Mon, 27 Apr 2020 18:07:20 -0700 +Subject: [PATCH] Input: i8042 - add ThinkPad S230u to i8042 reset list +Git-commit: 2712c91a54a1058d55c284152b4d93c979b67be6 +Patch-mainline: v5.7 +References: bsc#1051510 + +On the Lenovo ThinkPad Twist S230u (3347-4HU) with BIOS version +"GDETC1WW (1.81 ) 06/27/2019", the keyboard, Synaptics TouchPad, and +TrackPoint either do not function or stop functioning a few minutes +after boot. This problem has been noted before, perhaps only occurring +with BIOS 1.57 and later.[1][2][3][4][5] + +Odds of a BIOS fix appear to be low: 1.57 was released over 6 years ago +and although the [BIOS changelog] notes "Fixed an issue of UEFI +touchpad/trackpoint/keyboard/touchscreen" in 1.58, it appears to be +insufficient. + +Setting i8042.reset=1 or adding 33474HU to the reset list avoids the +issue on my system from either warm or cold boot. + +[1]: https://bugs.launchpad.net/bugs/1210748 +[2]: https://bbs.archlinux.org/viewtopic.php?pid=1360425 +[3]: https://forums.linuxmint.com/viewtopic.php?f=46&t=41200 +[4]: https://forums.linuxmint.com/viewtopic.php?f=49&t=157115 +[5]: https://forums.lenovo.com/topic/findpost/27/1337119 +[BIOS changelog]: https://download.lenovo.com/pccbbs/mobiles/gduj33uc.txt + +Signed-off-by: Kevin Locke +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/94f384b0f75f90f71425d7dce7ac82c59ddb87a8.1587702636.git.kevin@kevinlocke.name +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 08e919dbeb5d..7e048b557462 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -662,6 +662,13 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"), + }, + }, ++ { ++ /* Lenovo ThinkPad Twist S230u */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "33474HU"), ++ }, ++ }, + { } + }; + +-- +2.16.4 + diff --git a/patches.suse/Input-synaptics-rmi4-fix-error-return-code-in-rmi_dr.patch b/patches.suse/Input-synaptics-rmi4-fix-error-return-code-in-rmi_dr.patch new file mode 100644 index 0000000..3a0d4f2 --- /dev/null +++ b/patches.suse/Input-synaptics-rmi4-fix-error-return-code-in-rmi_dr.patch @@ -0,0 +1,38 @@ +From 5caab2da63207d6d631007f592f5219459e3454d Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Tue, 28 Apr 2020 16:09:53 -0700 +Subject: [PATCH] Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() +Git-commit: 5caab2da63207d6d631007f592f5219459e3454d +Patch-mainline: v5.7 +References: bsc#1051510 + +Fix to return a negative error code from the input_register_device() +error handling case instead of 0, as done elsewhere in this function. + +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20200428134948.78343-1-weiyongjun1@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/rmi4/rmi_driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c +index c18e1a25bca6..258d5fe3d395 100644 +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -1210,7 +1210,8 @@ static int rmi_driver_probe(struct device *dev) + if (data->input) { + rmi_driver_set_input_name(rmi_dev, data->input); + if (!rmi_dev->xport->input) { +- if (input_register_device(data->input)) { ++ retval = input_register_device(data->input); ++ if (retval) { + dev_err(dev, "%s: Failed to register input device.\n", + __func__); + goto err_destroy_functions; +-- +2.16.4 + diff --git a/patches.suse/Input-usbtouchscreen-add-support-for-BonXeon-TP.patch b/patches.suse/Input-usbtouchscreen-add-support-for-BonXeon-TP.patch new file mode 100644 index 0000000..2a858ef --- /dev/null +++ b/patches.suse/Input-usbtouchscreen-add-support-for-BonXeon-TP.patch @@ -0,0 +1,37 @@ +From e3b4f94ef52ae1592cbe199bd38dbdc0d58b2217 Mon Sep 17 00:00:00 2001 +From: James Hilliard +Date: Sat, 18 Apr 2020 21:17:12 -0700 +Subject: [PATCH] Input: usbtouchscreen - add support for BonXeon TP +Git-commit: e3b4f94ef52ae1592cbe199bd38dbdc0d58b2217 +Patch-mainline: v5.7 +References: bsc#1051510 + +Based on available information this uses the singletouch irtouch +protocol. This is tested and confirmed to be fully functional on +the BonXeon TP hardware I have. + +Signed-off-by: James Hilliard +Link: https://lore.kernel.org/r/20200413184217.55700-1-james.hilliard1@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/touchscreen/usbtouchscreen.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/touchscreen/usbtouchscreen.c b/drivers/input/touchscreen/usbtouchscreen.c +index 16d70201de4a..397cb1d3f481 100644 +--- a/drivers/input/touchscreen/usbtouchscreen.c ++++ b/drivers/input/touchscreen/usbtouchscreen.c +@@ -182,6 +182,7 @@ static const struct usb_device_id usbtouch_devices[] = { + #endif + + #ifdef CONFIG_TOUCHSCREEN_USB_IRTOUCH ++ {USB_DEVICE(0x255e, 0x0001), .driver_info = DEVTYPE_IRTOUCH}, + {USB_DEVICE(0x595a, 0x0001), .driver_info = DEVTYPE_IRTOUCH}, + {USB_DEVICE(0x6615, 0x0001), .driver_info = DEVTYPE_IRTOUCH}, + {USB_DEVICE(0x6615, 0x0012), .driver_info = DEVTYPE_IRTOUCH_HIRES}, +-- +2.16.4 + diff --git a/patches.suse/Input-xpad-add-custom-init-packet-for-Xbox-One-S-con.patch b/patches.suse/Input-xpad-add-custom-init-packet-for-Xbox-One-S-con.patch new file mode 100644 index 0000000..ae0c87e --- /dev/null +++ b/patches.suse/Input-xpad-add-custom-init-packet-for-Xbox-One-S-con.patch @@ -0,0 +1,59 @@ +From 764f7f911bf72450c51eb74cbb262ad9933741d8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Patron?= +Date: Wed, 22 Apr 2020 14:13:09 -0700 +Subject: [PATCH] Input: xpad - add custom init packet for Xbox One S controllers +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 764f7f911bf72450c51eb74cbb262ad9933741d8 +Patch-mainline: v5.7 +References: bsc#1051510 + +Sending [ 0x05, 0x20, 0x00, 0x0f, 0x06 ] packet for Xbox One S controllers +fixes an issue where controller is stuck in Bluetooth mode and not sending +any inputs. + +Signed-off-by: Łukasz Patron +Reviewed-by: Cameron Gutman +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200422075206.18229-1-priv.luk@gmail.com +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/joystick/xpad.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index 6b40a1c68f9f..c77cdb3b62b5 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -458,6 +458,16 @@ static const u8 xboxone_fw2015_init[] = { + 0x05, 0x20, 0x00, 0x01, 0x00 + }; + ++/* ++ * This packet is required for Xbox One S (0x045e:0x02ea) ++ * and Xbox One Elite Series 2 (0x045e:0x0b00) pads to ++ * initialize the controller that was previously used in ++ * Bluetooth mode. ++ */ ++static const u8 xboxone_s_init[] = { ++ 0x05, 0x20, 0x00, 0x0f, 0x06 ++}; ++ + /* + * This packet is required for the Titanfall 2 Xbox One pads + * (0x0e6f:0x0165) to finish initialization and for Hori pads +@@ -516,6 +526,8 @@ static const struct xboxone_init_packet xboxone_init_packets[] = { + XBOXONE_INIT_PKT(0x0e6f, 0x0165, xboxone_hori_init), + XBOXONE_INIT_PKT(0x0f0d, 0x0067, xboxone_hori_init), + XBOXONE_INIT_PKT(0x0000, 0x0000, xboxone_fw2015_init), ++ XBOXONE_INIT_PKT(0x045e, 0x02ea, xboxone_s_init), ++ XBOXONE_INIT_PKT(0x045e, 0x0b00, xboxone_s_init), + XBOXONE_INIT_PKT(0x0e6f, 0x0000, xboxone_pdp_init1), + XBOXONE_INIT_PKT(0x0e6f, 0x0000, xboxone_pdp_init2), + XBOXONE_INIT_PKT(0x24c6, 0x541a, xboxone_rumblebegin_init), +-- +2.16.4 + diff --git a/patches.suse/NFC-st21nfca-add-missed-kfree_skb-in-an-error-path.patch b/patches.suse/NFC-st21nfca-add-missed-kfree_skb-in-an-error-path.patch new file mode 100644 index 0000000..602ee85 --- /dev/null +++ b/patches.suse/NFC-st21nfca-add-missed-kfree_skb-in-an-error-path.patch @@ -0,0 +1,39 @@ +From 3decabdc714ca56c944f4669b4cdec5c2c1cea23 Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan +Date: Thu, 28 May 2020 18:20:37 +0800 +Subject: [PATCH] NFC: st21nfca: add missed kfree_skb() in an error path +Git-commit: 3decabdc714ca56c944f4669b4cdec5c2c1cea23 +Patch-mainline: v5.7 +References: bsc#1051510 + +st21nfca_tm_send_atr_res() misses to call kfree_skb() in an error path. +Add the missed function call to fix it. + +Fixes: 1892bf844ea0 ("NFC: st21nfca: Adding P2P support to st21nfca in Initiator & Target mode") +Signed-off-by: Chuhong Yuan +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/nfc/st21nfca/dep.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c +index a1d69f9b2d4a..0b9ca6d20ffa 100644 +--- a/drivers/nfc/st21nfca/dep.c ++++ b/drivers/nfc/st21nfca/dep.c +@@ -173,8 +173,10 @@ static int st21nfca_tm_send_atr_res(struct nfc_hci_dev *hdev, + memcpy(atr_res->gbi, atr_req->gbi, gb_len); + r = nfc_set_remote_general_bytes(hdev->ndev, atr_res->gbi, + gb_len); +- if (r < 0) ++ if (r < 0) { ++ kfree_skb(skb); + return r; ++ } + } + + info->dep_info.curr_nfc_dep_pni = 0; +-- +2.16.4 + diff --git a/patches.suse/af_packet-set-defaule-value-for-tmo.patch b/patches.suse/af_packet-set-defaule-value-for-tmo.patch index 0ec5a93..ac26082 100644 --- a/patches.suse/af_packet-set-defaule-value-for-tmo.patch +++ b/patches.suse/af_packet-set-defaule-value-for-tmo.patch @@ -4,7 +4,7 @@ Date: Mon, 9 Dec 2019 21:31:25 +0800 Subject: [PATCH] af_packet: set defaule value for tmo Git-commit: b43d1f9f7067c6759b1051e8ecb84e82cef569fe Patch-mainline: v5.5-rc3 -References: bsc#1051510 +References: CVE-2019-20812 bsc#1172453 bsc#1051510 There is softlockup when using TPACKET_V3: ... diff --git a/patches.suse/agp-intel-Reinforce-the-barrier-after-GTT-updates.patch b/patches.suse/agp-intel-Reinforce-the-barrier-after-GTT-updates.patch new file mode 100644 index 0000000..fe9d181 --- /dev/null +++ b/patches.suse/agp-intel-Reinforce-the-barrier-after-GTT-updates.patch @@ -0,0 +1,59 @@ +From f30d3ced9fafa03e4855508929b5b6334907f45e Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Fri, 10 Apr 2020 09:35:35 +0100 +Subject: [PATCH] agp/intel: Reinforce the barrier after GTT updates +Git-commit: f30d3ced9fafa03e4855508929b5b6334907f45e +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +After changing the timing between GTT updates and execution on the GPU, +we started seeing sporadic failures on Ironlake. These were narrowed +down to being an insufficiently strong enough barrier/delay after +updating the GTT and scheduling execution on the GPU. By forcing the +uncached read, and adding the missing barrier for the singular +insert_page (relocation paths), the sporadic failures go away. + +Fixes: 983d308cb8f6 ("agp/intel: Serialise after GTT updates") +Fixes: 3497971a71d8 ("agp/intel: Flush chipset writes after updating a single PTE") +Signed-off-by: Chris Wilson +Acked-by: Andi Shyti +Cc: stable@vger.kernel.org # v4.0+ +Link: https://patchwork.freedesktop.org/patch/msgid/20200410083535.25464-1-chris@chris-wilson.co.uk +Acked-by: Takashi Iwai + +--- + drivers/char/agp/intel-gtt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c +index 66a62d17a3f5..3d42fc4290bc 100644 +--- a/drivers/char/agp/intel-gtt.c ++++ b/drivers/char/agp/intel-gtt.c +@@ -846,6 +846,7 @@ void intel_gtt_insert_page(dma_addr_t addr, + unsigned int flags) + { + intel_private.driver->write_entry(addr, pg, flags); ++ readl(intel_private.gtt + pg); + if (intel_private.driver->chipset_flush) + intel_private.driver->chipset_flush(); + } +@@ -871,7 +872,7 @@ void intel_gtt_insert_sg_entries(struct sg_table *st, + j++; + } + } +- wmb(); ++ readl(intel_private.gtt + j - 1); + if (intel_private.driver->chipset_flush) + intel_private.driver->chipset_flush(); + } +@@ -1105,6 +1106,7 @@ static void i9xx_cleanup(void) + + static void i9xx_chipset_flush(void) + { ++ wmb(); + if (intel_private.i9xx_flush_page) + writel(1, intel_private.i9xx_flush_page); + } +-- +2.16.4 + diff --git a/patches.suse/b43legacy-Fix-case-where-channel-status-is-corrupted.patch b/patches.suse/b43legacy-Fix-case-where-channel-status-is-corrupted.patch new file mode 100644 index 0000000..163cb9b --- /dev/null +++ b/patches.suse/b43legacy-Fix-case-where-channel-status-is-corrupted.patch @@ -0,0 +1,61 @@ +From ec4d3e3a054578de34cd0b587ab8a1ac36f629d9 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Tue, 7 Apr 2020 14:00:43 -0500 +Subject: [PATCH] b43legacy: Fix case where channel status is corrupted +Git-commit: ec4d3e3a054578de34cd0b587ab8a1ac36f629d9 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +This patch fixes commit 75388acd0cd8 ("add mac80211-based driver for +legacy BCM43xx devices") + +In https://bugzilla.kernel.org/show_bug.cgi?id=207093, a defect in +b43legacy is reported. Upon testing, thus problem exists on PPC and +X86 platforms, is present in the oldest kernel tested (3.2), and +has been present in the driver since it was first added to the kernel. + +The problem is a corrupted channel status received from the device. +Both the internal card in a PowerBook G4 and the PCMCIA version +(Broadcom BCM4306 with PCI ID 14e4:4320) have the problem. Only Rev, 2 +(revision 4 of the 802.11 core) of the chip has been tested. No other +devices using b43legacy are available for testing. + +Various sources of the problem were considered. Buffer overrun and +other sources of corruption within the driver were rejected because +the faulty channel status is always the same, not a random value. +It was concluded that the faulty data is coming from the device, probably +due to a firmware bug. As that source is not available, the driver +must take appropriate action to recover. + +At present, the driver reports the error, and them continues to process +the bad packet. This is believed that to be a mistake, and the correct +action is to drop the correpted packet. + +Fixes: 75388acd0cd8 ("add mac80211-based driver for legacy BCM43xx devices") +Cc: Stable +Signed-off-by: Larry Finger +Reported-and-tested by: F. Erhard + +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200407190043.1686-1-Larry.Finger@lwfinger.net +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/broadcom/b43legacy/xmit.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/b43legacy/xmit.c b/drivers/net/wireless/broadcom/b43legacy/xmit.c +index e9b23c2e5bd4..efd63f4ce74f 100644 +--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c ++++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c +@@ -558,6 +558,7 @@ void b43legacy_rx(struct b43legacy_wldev *dev, + default: + b43legacywarn(dev->wl, "Unexpected value for chanstat (0x%X)\n", + chanstat); ++ goto drop; + } + + memcpy(IEEE80211_SKB_RXCB(skb), &status, sizeof(status)); +-- +2.16.4 + diff --git a/patches.suse/clocksource-dw_apb_timer_of-Fix-missing-clockevent-t.patch b/patches.suse/clocksource-dw_apb_timer_of-Fix-missing-clockevent-t.patch new file mode 100644 index 0000000..b664048 --- /dev/null +++ b/patches.suse/clocksource-dw_apb_timer_of-Fix-missing-clockevent-t.patch @@ -0,0 +1,74 @@ +From 6d2e16a3181bafb77b535095c39ad1c8b9558c8c Mon Sep 17 00:00:00 2001 +From: Serge Semin +Date: Thu, 21 May 2020 23:48:15 +0300 +Subject: [PATCH] clocksource: dw_apb_timer_of: Fix missing clockevent timers +Git-commit: 6d2e16a3181bafb77b535095c39ad1c8b9558c8c +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Commit 100214889973 ("clocksource: dw_apb_timer_of: use +clocksource_of_init") replaced a publicly available driver +initialization method with one called by the timer_probe() method +available after CLKSRC_OF. In current implementation it traverses +all the timers available in the system and calls their initialization +methods if corresponding devices were either in dtb or in acpi. But +if before the commit any number of available timers would be installed +as clockevent and clocksource devices, after that there would be at most +two. The rest are just ignored since default case branch doesn't do +anything. I don't see a reason of such behaviour, neither the commit +message explains it. Moreover this might be wrong if on some platforms +these timers might be used for different purpose, as virtually CPU-local +clockevent timers and as an independent broadcast timer. So in order +to keep the compatibility with the platforms where the order of the +timers detection has some meaning, lets add the secondly discovered +timer to be of clocksource/sched_clock type, while the very first and +the others would provide the clockevents service. + +Fixes: 100214889973 ("clocksource: dw_apb_timer_of: use clocksource_of_init") +Signed-off-by: Serge Semin +Cc: Alexey Malahov +Cc: Thomas Bogendoerfer +Cc: Paul Burton +Cc: Ralf Baechle +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: Arnd Bergmann +Cc: Rob Herring +Cc: linux-mips@vger.kernel.org +Cc: linux-rtc@vger.kernel.org +Cc: devicetree@vger.kernel.org +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200521204818.25436-7-Sergey.Semin@baikalelectronics.ru +Acked-by: Takashi Iwai + +--- + drivers/clocksource/dw_apb_timer_of.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/clocksource/dw_apb_timer_of.c b/drivers/clocksource/dw_apb_timer_of.c +index 2db490f35c20..ab3ddebe8344 100644 +--- a/drivers/clocksource/dw_apb_timer_of.c ++++ b/drivers/clocksource/dw_apb_timer_of.c +@@ -147,10 +147,6 @@ static int num_called; + static int __init dw_apb_timer_init(struct device_node *timer) + { + switch (num_called) { +- case 0: +- pr_debug("%s: found clockevent timer\n", __func__); +- add_clockevent(timer); +- break; + case 1: + pr_debug("%s: found clocksource timer\n", __func__); + add_clocksource(timer); +@@ -161,6 +157,8 @@ static int __init dw_apb_timer_init(struct device_node *timer) + #endif + break; + default: ++ pr_debug("%s: found clockevent timer\n", __func__); ++ add_clockevent(timer); + break; + } + +-- +2.16.4 + diff --git a/patches.suse/debugfs_lookup-switch-to-lookup_one_len_unlocked.patch b/patches.suse/debugfs_lookup-switch-to-lookup_one_len_unlocked.patch new file mode 100644 index 0000000..7d055d9 --- /dev/null +++ b/patches.suse/debugfs_lookup-switch-to-lookup_one_len_unlocked.patch @@ -0,0 +1,27 @@ +From: Al Viro +Date: Thu, 8 Mar 2018 11:01:22 -0500 +Subject: debugfs_lookup(): switch to lookup_one_len_unlocked() +Patch-mainline: v4.17-rc1 +Git-commit: cd1c0c9321999737073dcfc3364e194e02604bce +References: bsc#1171979 + +Signed-off-by: Al Viro +Acked-by: Thomas Bogendoerfer +--- + fs/debugfs/inode.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -276,10 +276,7 @@ struct dentry *debugfs_lookup(const char + if (!parent) + parent = debugfs_mount->mnt_root; + +- inode_lock(d_inode(parent)); +- dentry = lookup_one_len(name, parent, strlen(name)); +- inode_unlock(d_inode(parent)); +- ++ dentry = lookup_one_len_unlocked(name, parent, strlen(name)); + if (IS_ERR(dentry)) + return NULL; + if (!d_really_is_positive(dentry)) { diff --git a/patches.suse/dm-change-end_io-calling-convention.patch b/patches.suse/dm-change-end_io-calling-convention.patch index 2b9f8d2..e47c0e6 100644 --- a/patches.suse/dm-change-end_io-calling-convention.patch +++ b/patches.suse/dm-change-end_io-calling-convention.patch @@ -4,13 +4,14 @@ Date: Sat, 3 Jun 2017 09:38:03 +0200 Subject: [PATCH] dm: change ->end_io calling convention Git-commit: 1be5690984588953e759af0a4c6ddac182a1806c Patch-mainline: v4.13-rc1 -References: fate#322738,fate#322919,fate#322950,fate#323773 +References: fate#322738,fate#322919,fate#322950,fate#323773,bsc#1172378 Turn the error paramter into a pointer so that target drivers can change the value, and make sure only DM_ENDIO_* values are returned from the methods. [ hare: rebased for SLE15 SP1 ] +[ jeffm: added missing chunk in mirror_end_io ] Signed-off-by: Christoph Hellwig Signed-off-by: Mike Snitzer @@ -21,13 +22,13 @@ Signed-off-by: Hannes Reinecke drivers/md/dm-flakey.c | 8 ++++---- drivers/md/dm-log-writes.c | 4 ++-- drivers/md/dm-mpath.c | 11 ++++++----- - drivers/md/dm-raid1.c | 12 ++++++------ + drivers/md/dm-raid1.c | 14 +++++++------- drivers/md/dm-snap.c | 4 ++-- drivers/md/dm-stripe.c | 14 +++++++------- drivers/md/dm-thin.c | 4 ++-- drivers/md/dm.c | 36 ++++++++++++++++++------------------ include/linux/device-mapper.h | 2 +- - 10 files changed, 50 insertions(+), 49 deletions(-) + 10 files changed, 51 insertions(+), 50 deletions(-) --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -102,7 +103,7 @@ Signed-off-by: Hannes Reinecke /* --- a/drivers/md/dm-mpath.c +++ b/drivers/md/dm-mpath.c -@@ -1517,14 +1517,15 @@ static int multipath_end_io(struct dm_ta +@@ -1516,14 +1516,15 @@ static int multipath_end_io(struct dm_ta return r; } @@ -120,7 +121,7 @@ Signed-off-by: Hannes Reinecke goto done; if (pgpath) -@@ -1533,7 +1534,7 @@ static int multipath_end_io_bio(struct d +@@ -1532,7 +1533,7 @@ static int multipath_end_io_bio(struct d if (atomic_read(&m->nr_valid_paths) == 0 && !test_bit(MPATHF_QUEUE_IF_NO_PATH, &m->flags)) { dm_report_EIO(m); @@ -129,7 +130,7 @@ Signed-off-by: Hannes Reinecke goto done; } -@@ -1546,7 +1547,7 @@ static int multipath_end_io_bio(struct d +@@ -1545,7 +1546,7 @@ static int multipath_end_io_bio(struct d if (!test_bit(MPATHF_QUEUE_IO, &m->flags)) queue_work(kmultipathd, &m->process_queued_bios); @@ -138,7 +139,7 @@ Signed-off-by: Hannes Reinecke done: if (pgpath) { struct path_selector *ps = &pgpath->pg->ps; -@@ -1555,7 +1556,7 @@ done: +@@ -1554,7 +1555,7 @@ done: ps->type->end_io(ps, &pgpath->path, mpio->nr_bytes); } @@ -179,6 +180,15 @@ Signed-off-by: Hannes Reinecke if (!bio_record->details.bi_bdev) { /* * There wasn't enough memory to record necessary +@@ -1272,7 +1272,7 @@ static int mirror_end_io(struct dm_targe + * mirror in-sync. + */ + DMERR_LIMIT("Mirror read failed."); +- return -EIO; ++ return DM_ENDIO_DONE; + } + + m = bio_record->m; @@ -1302,7 +1302,7 @@ static int mirror_end_io(struct dm_targe out: bio_record->details.bi_bdev = NULL; diff --git a/patches.suse/drm-dp_mst-Reformat-drm_dp_check_act_status-a-bit.patch b/patches.suse/drm-dp_mst-Reformat-drm_dp_check_act_status-a-bit.patch new file mode 100644 index 0000000..6a9729a --- /dev/null +++ b/patches.suse/drm-dp_mst-Reformat-drm_dp_check_act_status-a-bit.patch @@ -0,0 +1,77 @@ +From a5cb5fa6c3a5c2cf492db667b8670ee7b044b79f Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Fri, 3 Apr 2020 14:08:32 -0400 +Subject: [PATCH] drm/dp_mst: Reformat drm_dp_check_act_status() a bit +Git-commit: a5cb5fa6c3a5c2cf492db667b8670ee7b044b79f +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Just add a bit more line wrapping, get rid of some extraneous +whitespace, remove an unneeded goto label, and move around some variable +declarations. No functional changes here. + +Signed-off-by: Lyude Paul +[this isn't a fix, but it's needed for the fix that comes after this] + +Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)") +Cc: Sean Paul +Cc: # v3.17+ +Reviewed-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20200406221253.1307209-3-lyude@redhat.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c +index c6caa0d604ae..e7a5bd3e6015 100644 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -4451,33 +4451,31 @@ static int drm_dp_dpcd_write_payload(struct drm_dp_mst_topology_mgr *mgr, + */ + int drm_dp_check_act_status(struct drm_dp_mst_topology_mgr *mgr) + { ++ int count = 0, ret; + u8 status; +- int ret; +- int count = 0; + + do { +- ret = drm_dp_dpcd_readb(mgr->aux, DP_PAYLOAD_TABLE_UPDATE_STATUS, &status); +- ++ ret = drm_dp_dpcd_readb(mgr->aux, ++ DP_PAYLOAD_TABLE_UPDATE_STATUS, ++ &status); + if (ret < 0) { +- DRM_DEBUG_KMS("failed to read payload table status %d\n", ret); +- goto fail; ++ DRM_DEBUG_KMS("failed to read payload table status %d\n", ++ ret); ++ return ret; + } + + if (status & DP_PAYLOAD_ACT_HANDLED) + break; + count++; + udelay(100); +- + } while (count < 30); + + if (!(status & DP_PAYLOAD_ACT_HANDLED)) { +- DRM_DEBUG_KMS("failed to get ACT bit %d after %d retries\n", status, count); +- ret = -EINVAL; +- goto fail; ++ DRM_DEBUG_KMS("failed to get ACT bit %d after %d retries\n", ++ status, count); ++ return -EINVAL; + } + return 0; +-fail: +- return ret; + } + EXPORT_SYMBOL(drm_dp_check_act_status); + +-- +2.16.4 + diff --git a/patches.suse/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch b/patches.suse/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch new file mode 100644 index 0000000..4be3357 --- /dev/null +++ b/patches.suse/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch @@ -0,0 +1,39 @@ +From 1d605416fb7175e1adf094251466caa52093b413 Mon Sep 17 00:00:00 2001 +From: Alexander Potapenko +Date: Wed, 27 May 2020 22:20:52 -0700 +Subject: [PATCH] fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() +Git-commit: 1d605416fb7175e1adf094251466caa52093b413 +Patch-mainline: v5.7 +References: CVE-2020-10732 bsc#1171220 + +KMSAN reported uninitialized data being written to disk when dumping +core. As a result, several kilobytes of kmalloc memory may be written +to the core file and then read by a non-privileged user. + +Reported-by: sam +Signed-off-by: Alexander Potapenko +Signed-off-by: Andrew Morton +Acked-by: Kees Cook +Cc: Al Viro +Cc: Alexey Dobriyan +Cc: +Link: http://lkml.kernel.org/r/20200419100848.63472-1-glider@google.com +Link: https://github.com/google/kmsan/issues/76 +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + fs/binfmt_elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -1728,7 +1728,7 @@ static int fill_thread_core_info(struct + (!regset->active || regset->active(t->task, regset) > 0)) { + int ret; + size_t size = regset_size(t->task, regset); +- void *data = kmalloc(size, GFP_KERNEL); ++ void *data = kzalloc(size, GFP_KERNEL); + if (unlikely(!data)) + return 0; + ret = regset->get(t->task, regset, diff --git a/patches.suse/gpio-tegra-mask-GPIO-IRQs-during-IRQ-shutdown.patch b/patches.suse/gpio-tegra-mask-GPIO-IRQs-during-IRQ-shutdown.patch new file mode 100644 index 0000000..96981ce --- /dev/null +++ b/patches.suse/gpio-tegra-mask-GPIO-IRQs-during-IRQ-shutdown.patch @@ -0,0 +1,34 @@ +From 0cf253eed5d2bdf7bb3152457b38f39b012955f7 Mon Sep 17 00:00:00 2001 +From: Stephen Warren +Date: Mon, 27 Apr 2020 17:26:05 -0600 +Subject: [PATCH] gpio: tegra: mask GPIO IRQs during IRQ shutdown +Git-commit: 0cf253eed5d2bdf7bb3152457b38f39b012955f7 +Patch-mainline: v5.7-rc6 +References: bsc#1051510 + +The driver currently leaves GPIO IRQs unmasked even when the GPIO IRQ +client has released the GPIO IRQ. This allows the HW to raise IRQs, and +SW to process them, after shutdown. Fix this by masking the IRQ when it's +shut down. This is usually taken care of by the irqchip core, but since +this driver has a custom irq_shutdown implementation, it must do this +explicitly itself. + +Signed-off-by: Stephen Warren +Link: https://lore.kernel.org/r/20200427232605.11608-1-swarren@wwwdotorg.org +Signed-off-by: Linus Walleij +Acked-by: Takashi Iwai + +--- + drivers/gpio/gpio-tegra.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpio-tegra.c ++++ b/drivers/gpio/gpio-tegra.c +@@ -353,6 +353,7 @@ static void tegra_gpio_irq_shutdown(stru + struct tegra_gpio_info *tgi = bank->tgi; + int gpio = d->hwirq; + ++ tegra_gpio_irq_mask(d); + gpiochip_unlock_as_irq(&tgi->gc, gpio); + } + diff --git a/patches.suse/hsr-check-protocol-version-in-hsr_newlink.patch b/patches.suse/hsr-check-protocol-version-in-hsr_newlink.patch new file mode 100644 index 0000000..d5f4438 --- /dev/null +++ b/patches.suse/hsr-check-protocol-version-in-hsr_newlink.patch @@ -0,0 +1,51 @@ +From: Taehee Yoo +Date: Tue, 7 Apr 2020 13:23:21 +0000 +Subject: hsr: check protocol version in hsr_newlink() +Git-commit: 4faab8c446def7667adf1f722456c2f4c304069c +Patch-mainline: 5.7-rc2 +References: networking-stable-20_04_17 + +In the current hsr code, only 0 and 1 protocol versions are valid. +But current hsr code doesn't check the version, which is received by +userspace. + +Test commands: + ip link add dummy0 type dummy + ip link add dummy1 type dummy + ip link add hsr0 type hsr slave1 dummy0 slave2 dummy1 version 4 + +In the test commands, version 4 is invalid. +So, the command should be failed. + +After this patch, following error will occur. +"Error: hsr: Only versions 0..1 are supported." + +Fixes: ee1c27977284 ("net/hsr: Added support for HSR v1") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/hsr/hsr_netlink.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/hsr/hsr_netlink.c ++++ b/net/hsr/hsr_netlink.c +@@ -64,10 +64,16 @@ static int hsr_newlink(struct net *src_n + else + multicast_spec = nla_get_u8(data[IFLA_HSR_MULTICAST_SPEC]); + +- if (!data[IFLA_HSR_VERSION]) ++ if (!data[IFLA_HSR_VERSION]) { + hsr_version = 0; +- else ++ } else { + hsr_version = nla_get_u8(data[IFLA_HSR_VERSION]); ++ if (hsr_version > 1) { ++ NL_SET_ERR_MSG_MOD(extack, ++ "Only versions 0..1 are supported"); ++ return -EINVAL; ++ } ++ } + + return hsr_dev_finalize(dev, link, multicast_spec, hsr_version); + } diff --git a/patches.suse/iommu-fix-reference-count-leak-in-iommu_group_alloc b/patches.suse/iommu-fix-reference-count-leak-in-iommu_group_alloc new file mode 100644 index 0000000..5710661 --- /dev/null +++ b/patches.suse/iommu-fix-reference-count-leak-in-iommu_group_alloc @@ -0,0 +1,33 @@ +From: Qiushi Wu +Date: Wed, 27 May 2020 16:00:19 -0500 +Subject: iommu: Fix reference count leak in iommu_group_alloc. +Git-commit: 7cc31613734c4870ae32f5265d576ef296621343 +Patch-mainline: v5.7 +References: bsc#1172397 + +kobject_init_and_add() takes reference even when it fails. +Thus, when kobject_init_and_add() returns an error, +kobject_put() must be called to properly clean up the kobject. + +Fixes: d72e31c93746 ("iommu: IOMMU Groups") +Signed-off-by: Qiushi Wu +Link: https://lore.kernel.org/r/20200527210020.6522-1-wu000273@umn.edu +Signed-off-by: Joerg Roedel +--- + drivers/iommu/iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c +index 1faa08c8bbb4..03d6a26687bc 100644 +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -510,7 +510,7 @@ struct iommu_group *iommu_group_alloc(void) + NULL, "%d", group->id); + if (ret) { + ida_simple_remove(&iommu_group_ida, group->id); +- kfree(group); ++ kobject_put(&group->kobj); + return ERR_PTR(ret); + } + + diff --git a/patches.suse/ipv6-fix-IPV6_ADDRFORM-operation-logic.patch b/patches.suse/ipv6-fix-IPV6_ADDRFORM-operation-logic.patch new file mode 100644 index 0000000..1864f84 --- /dev/null +++ b/patches.suse/ipv6-fix-IPV6_ADDRFORM-operation-logic.patch @@ -0,0 +1,75 @@ +From: Hangbin Liu +Date: Mon, 1 Jun 2020 11:55:03 +0800 +Subject: ipv6: fix IPV6_ADDRFORM operation logic +Patch-mainline: v5.8-rc1 +Git-commit: 79a1f0ccdbb4ad700590f61b00525b390cb53905 +References: bsc#1171662 + +Socket option IPV6_ADDRFORM supports UDP/UDPLITE and TCP at present. +Previously the checking logic looks like: +if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE) + do_some_check; +else if (sk->sk_protocol != IPPROTO_TCP) + break; + +After commit b6f6118901d1 ("ipv6: restrict IPV6_ADDRFORM operation"), TCP +was blocked as the logic changed to: +if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE) + do_some_check; +else if (sk->sk_protocol == IPPROTO_TCP) + do_some_check; + break; +else + break; + +Then after commit 82c9ae440857 ("ipv6: fix restrict IPV6_ADDRFORM operation") +UDP/UDPLITE were blocked as the logic changed to: +if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE) + do_some_check; +if (sk->sk_protocol == IPPROTO_TCP) + do_some_check; + +if (sk->sk_protocol != IPPROTO_TCP) + break; + +Fix it by using Eric's code and simply remove the break in TCP check, which +looks like: +if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE) + do_some_check; +else if (sk->sk_protocol == IPPROTO_TCP) + do_some_check; +else + break; + +Fixes: 82c9ae440857 ("ipv6: fix restrict IPV6_ADDRFORM operation") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + net/ipv6/ipv6_sockglue.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -185,14 +185,15 @@ static int do_ipv6_setsockopt(struct soc + retv = -EBUSY; + break; + } +- } +- if (sk->sk_protocol == IPPROTO_TCP && +- sk->sk_prot != &tcpv6_prot) { +- retv = -EBUSY; ++ } else if (sk->sk_protocol == IPPROTO_TCP) { ++ if (sk->sk_prot != &tcpv6_prot) { ++ retv = -EBUSY; ++ break; ++ } ++ } else { + break; + } +- if (sk->sk_protocol != IPPROTO_TCP) +- break; ++ + if (sk->sk_state != TCP_ESTABLISHED) { + retv = -ENOTCONN; + break; diff --git a/patches.suse/l2tp-Allow-management-of-tunnels-and-session-in-user.patch b/patches.suse/l2tp-Allow-management-of-tunnels-and-session-in-user.patch new file mode 100644 index 0000000..e2f65b3 --- /dev/null +++ b/patches.suse/l2tp-Allow-management-of-tunnels-and-session-in-user.patch @@ -0,0 +1,96 @@ +From: =?UTF-8?q?Michael=20Wei=C3=9F?= +Date: Tue, 7 Apr 2020 13:11:48 +0200 +Subject: l2tp: Allow management of tunnels and session in user namespace +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 2abe05234f2e892728c388169631e4b99f354c86 +Patch-mainline: 5.7-rc2 +References: networking-stable-20_04_17 + +Creation and management of L2TPv3 tunnels and session through netlink +requires CAP_NET_ADMIN. However, a process with CAP_NET_ADMIN in a +non-initial user namespace gets an EPERM due to the use of the +genetlink GENL_ADMIN_PERM flag. Thus, management of L2TP VPNs inside +an unprivileged container won't work. + +We replaced the GENL_ADMIN_PERM by the GENL_UNS_ADMIN_PERM flag +similar to other network modules which also had this problem, e.g., +openvswitch (commit 4a92602aa1cd "openvswitch: allow management from +inside user namespaces") and nl80211 (commit 5617c6cd6f844 "nl80211: +Allow privileged operations from user namespaces"). + +I tested this in the container runtime trustm3 (trustm3.github.io) +and was able to create l2tp tunnels and sessions in unpriviliged +(user namespaced) containers using a private network namespace. +For other runtimes such as docker or lxc this should work, too. + +Signed-off-by: Michael Weiß +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/l2tp/l2tp_netlink.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -958,51 +958,51 @@ static const struct genl_ops l2tp_nl_ops + .cmd = L2TP_CMD_TUNNEL_CREATE, + .doit = l2tp_nl_cmd_tunnel_create, + .policy = l2tp_nl_policy, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + }, + { + .cmd = L2TP_CMD_TUNNEL_DELETE, + .doit = l2tp_nl_cmd_tunnel_delete, + .policy = l2tp_nl_policy, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + }, + { + .cmd = L2TP_CMD_TUNNEL_MODIFY, + .doit = l2tp_nl_cmd_tunnel_modify, + .policy = l2tp_nl_policy, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + }, + { + .cmd = L2TP_CMD_TUNNEL_GET, + .doit = l2tp_nl_cmd_tunnel_get, + .dumpit = l2tp_nl_cmd_tunnel_dump, + .policy = l2tp_nl_policy, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + }, + { + .cmd = L2TP_CMD_SESSION_CREATE, + .doit = l2tp_nl_cmd_session_create, + .policy = l2tp_nl_policy, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + }, + { + .cmd = L2TP_CMD_SESSION_DELETE, + .doit = l2tp_nl_cmd_session_delete, + .policy = l2tp_nl_policy, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + }, + { + .cmd = L2TP_CMD_SESSION_MODIFY, + .doit = l2tp_nl_cmd_session_modify, + .policy = l2tp_nl_policy, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + }, + { + .cmd = L2TP_CMD_SESSION_GET, + .doit = l2tp_nl_cmd_session_get, + .dumpit = l2tp_nl_cmd_session_dump, + .policy = l2tp_nl_policy, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + }, + }; + diff --git a/patches.suse/mac80211-mesh-fix-discovery-timer-re-arming-issue-cr.patch b/patches.suse/mac80211-mesh-fix-discovery-timer-re-arming-issue-cr.patch new file mode 100644 index 0000000..92d6133 --- /dev/null +++ b/patches.suse/mac80211-mesh-fix-discovery-timer-re-arming-issue-cr.patch @@ -0,0 +1,169 @@ +From e2d4a80f93fcfaf72e2e20daf6a28e39c3b90677 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Fri, 22 May 2020 19:04:13 +0200 +Subject: [PATCH] mac80211: mesh: fix discovery timer re-arming issue / crash +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: e2d4a80f93fcfaf72e2e20daf6a28e39c3b90677 +Patch-mainline: v5.7 +References: bsc#1051510 + +On a non-forwarding 802.11s link between two fairly busy +neighboring nodes (iperf with -P 16 at ~850MBit/s TCP; +1733.3 MBit/s VHT-MCS 9 80MHz short GI VHT-NSS 4), so with +frequent PREQ retries, usually after around 30-40 seconds the +following crash would occur: + +[ 1110.822428] Unable to handle kernel read from unreadable memory at virtual address 00000000 +[ 1110.830786] Mem abort info: +[ 1110.833573] Exception class = IABT (current EL), IL = 32 bits +[ 1110.839494] SET = 0, FnV = 0 +[ 1110.842546] EA = 0, S1PTW = 0 +[ 1110.845678] user pgtable: 4k pages, 48-bit VAs, pgd = ffff800076386000 +[ 1110.852204] [0000000000000000] *pgd=00000000f6322003, *pud=00000000f62de003, *pmd=0000000000000000 +[ 1110.861167] Internal error: Oops: 86000004 [#1] PREEMPT SMP +[ 1110.866730] Modules linked in: pppoe ppp_async batman_adv ath10k_pci ath10k_core ath pppox ppp_generic nf_conntrack_ipv6 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_FLOWOFFLOAD slhc nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack iptable_mangle iptable_filter ip_tables crc_ccitt compat nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 usb_storage xhci_plat_hcd xhci_pci xhci_hcd dwc3 usbcore usb_common +[ 1110.932190] Process swapper/3 (pid: 0, stack limit = 0xffff0000090c8000) +[ 1110.938884] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.14.162 #0 +[ 1110.944965] Hardware name: LS1043A RGW Board (DT) +[ 1110.949658] task: ffff8000787a81c0 task.stack: ffff0000090c8000 +[ 1110.955568] PC is at 0x0 +[ 1110.958097] LR is at call_timer_fn.isra.27+0x24/0x78 +[ 1110.963055] pc : [<0000000000000000>] lr : [] pstate: 00400145 +[ 1110.970440] sp : ffff00000801be10 +[ 1110.973744] x29: ffff00000801be10 x28: ffff000008bf7018 +[ 1110.979047] x27: ffff000008bf87c8 x26: ffff000008c160c0 +[ 1110.984352] x25: 0000000000000000 x24: 0000000000000000 +[ 1110.989657] x23: dead000000000200 x22: 0000000000000000 +[ 1110.994959] x21: 0000000000000000 x20: 0000000000000101 +[ 1111.000262] x19: ffff8000787a81c0 x18: 0000000000000000 +[ 1111.005565] x17: ffff0000089167b0 x16: 0000000000000058 +[ 1111.010868] x15: ffff0000089167b0 x14: 0000000000000000 +[ 1111.016172] x13: ffff000008916788 x12: 0000000000000040 +[ 1111.021475] x11: ffff80007fda9af0 x10: 0000000000000001 +[ 1111.026777] x9 : ffff00000801bea0 x8 : 0000000000000004 +[ 1111.032080] x7 : 0000000000000000 x6 : ffff80007fda9aa8 +[ 1111.037383] x5 : ffff00000801bea0 x4 : 0000000000000010 +[ 1111.042685] x3 : ffff00000801be98 x2 : 0000000000000614 +[ 1111.047988] x1 : 0000000000000000 x0 : 0000000000000000 +[ 1111.053290] Call trace: +[ 1111.055728] Exception stack(0xffff00000801bcd0 to 0xffff00000801be10) +[ 1111.062158] bcc0: 0000000000000000 0000000000000000 +[ 1111.069978] bce0: 0000000000000614 ffff00000801be98 0000000000000010 ffff00000801bea0 +[ 1111.077798] bd00: ffff80007fda9aa8 0000000000000000 0000000000000004 ffff00000801bea0 +[ 1111.085618] bd20: 0000000000000001 ffff80007fda9af0 0000000000000040 ffff000008916788 +[ 1111.093437] bd40: 0000000000000000 ffff0000089167b0 0000000000000058 ffff0000089167b0 +[ 1111.101256] bd60: 0000000000000000 ffff8000787a81c0 0000000000000101 0000000000000000 +[ 1111.109075] bd80: 0000000000000000 dead000000000200 0000000000000000 0000000000000000 +[ 1111.116895] bda0: ffff000008c160c0 ffff000008bf87c8 ffff000008bf7018 ffff00000801be10 +[ 1111.124715] bdc0: ffff0000080ff29c ffff00000801be10 0000000000000000 0000000000400145 +[ 1111.132534] bde0: ffff8000787a81c0 ffff00000801bde8 0000ffffffffffff 000001029eb19be8 +[ 1111.140353] be00: ffff00000801be10 0000000000000000 +[ 1111.145220] [< (null)>] (null) +[ 1111.149917] [] run_timer_softirq+0x184/0x398 +[ 1111.155741] [] __do_softirq+0x100/0x1fc +[ 1111.161130] [] irq_exit+0x80/0xd8 +[ 1111.166002] [] __handle_domain_irq+0x88/0xb0 +[ 1111.171825] [] gic_handle_irq+0x68/0xb0 +[ 1111.177213] Exception stack(0xffff0000090cbe30 to 0xffff0000090cbf70) +[ 1111.183642] be20: 0000000000000020 0000000000000000 +[ 1111.191461] be40: 0000000000000001 0000000000000000 00008000771af000 0000000000000000 +[ 1111.199281] be60: ffff000008c95180 0000000000000000 ffff000008c19360 ffff0000090cbef0 +[ 1111.207101] be80: 0000000000000810 0000000000000400 0000000000000098 ffff000000000000 +[ 1111.214920] bea0: 0000000000000001 ffff0000089167b0 0000000000000000 ffff0000089167b0 +[ 1111.222740] bec0: 0000000000000000 ffff000008c198e8 ffff000008bf7018 ffff000008c19000 +[ 1111.230559] bee0: 0000000000000000 0000000000000000 ffff8000787a81c0 ffff000008018000 +[ 1111.238380] bf00: ffff00000801c000 ffff00000913ba34 ffff8000787a81c0 ffff0000090cbf70 +[ 1111.246199] bf20: ffff0000080857cc ffff0000090cbf70 ffff0000080857d0 0000000000400145 +[ 1111.254020] bf40: ffff000008018000 ffff00000801c000 ffffffffffffffff ffff0000080fa574 +[ 1111.261838] bf60: ffff0000090cbf70 ffff0000080857d0 +[ 1111.266706] [] el1_irq+0xe8/0x18c +[ 1111.271576] [] arch_cpu_idle+0x10/0x18 +[ 1111.276880] [] do_idle+0xec/0x1b8 +[ 1111.281748] [] cpu_startup_entry+0x20/0x28 +[ 1111.287399] [] secondary_start_kernel+0x104/0x110 +[ 1111.293662] Code: bad PC value +[ 1111.296710] ---[ end trace 555b6ca4363c3edd ]--- +[ 1111.301318] Kernel panic - not syncing: Fatal exception in interrupt +[ 1111.307661] SMP: stopping secondary CPUs +[ 1111.311574] Kernel Offset: disabled +[ 1111.315053] CPU features: 0x0002000 +[ 1111.318530] Memory Limit: none +[ 1111.321575] Rebooting in 3 seconds.. + +With some added debug output / delays we were able to push the crash from +the timer callback runner into the callback function and by that shedding +some light on which object holding the timer gets corrupted: + +[ 401.720899] Unable to handle kernel read from unreadable memory at virtual address 00000868 +[...] +[ 402.335836] [] _raw_spin_lock_bh+0x14/0x48 +[ 402.341548] [] mesh_path_timer+0x10c/0x248 [mac80211] +[ 402.348154] [] call_timer_fn.isra.27+0x24/0x78 +[ 402.354150] [] run_timer_softirq+0x184/0x398 +[ 402.359974] [] __do_softirq+0x100/0x1fc +[ 402.365362] [] irq_exit+0x80/0xd8 +[ 402.370231] [] __handle_domain_irq+0x88/0xb0 +[ 402.376053] [] gic_handle_irq+0x68/0xb0 + +The issue happens due to the following sequence of events: + +1) mesh_path_start_discovery(): +-> spin_unlock_bh(&mpath->state_lock) before mesh_path_sel_frame_tx() + +2) mesh_path_free_rcu() +-> del_timer_sync(&mpath->timer) + [...] +-> kfree_rcu(mpath) + +3) mesh_path_start_discovery(): +-> mod_timer(&mpath->timer, ...) + [...] +-> rcu_read_unlock() + +4) mesh_path_free_rcu()'s kfree_rcu(): +-> kfree(mpath) + +5) mesh_path_timer() starts after timeout, using freed mpath object + +So a use-after-free issue due to a timer re-arming bug caused by an +early spin-unlocking. + +This patch fixes this issue by re-checking if mpath is about to be +free'd and if so bails out of re-arming the timer. + +Cc: stable@vger.kernel.org +Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol") +Cc: Simon Wunderlich +Signed-off-by: Linus Lüssing +Link: https://lore.kernel.org/r/20200522170413.14973-1-linus.luessing@c0d3.blue +Signed-off-by: Johannes Berg +Acked-by: Takashi Iwai + +--- + net/mac80211/mesh_hwmp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c +index 38a0383dfbcf..aa5150929996 100644 +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -1103,7 +1103,14 @@ void mesh_path_start_discovery(struct ieee80211_sub_if_data *sdata) + mesh_path_sel_frame_tx(MPATH_PREQ, 0, sdata->vif.addr, ifmsh->sn, + target_flags, mpath->dst, mpath->sn, da, 0, + ttl, lifetime, 0, ifmsh->preq_id++, sdata); ++ ++ spin_lock_bh(&mpath->state_lock); ++ if (mpath->flags & MESH_PATH_DELETED) { ++ spin_unlock_bh(&mpath->state_lock); ++ goto enddiscovery; ++ } + mod_timer(&mpath->timer, jiffies + mpath->discovery_timeout); ++ spin_unlock_bh(&mpath->state_lock); + + enddiscovery: + rcu_read_unlock(); +-- +2.16.4 + diff --git a/patches.suse/media-dvb-return-EREMOTEIO-on-i2c-transfer-failure.patch b/patches.suse/media-dvb-return-EREMOTEIO-on-i2c-transfer-failure.patch new file mode 100644 index 0000000..7137f91 --- /dev/null +++ b/patches.suse/media-dvb-return-EREMOTEIO-on-i2c-transfer-failure.patch @@ -0,0 +1,43 @@ +From 96f3a9392799dd0f6472648a7366622ffd0989f3 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 10 Feb 2020 18:51:33 +0100 +Subject: [PATCH] media: dvb: return -EREMOTEIO on i2c transfer failure. +Git-commit: 96f3a9392799dd0f6472648a7366622ffd0989f3 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Currently when i2c transfers fail the error return -EREMOTEIO +is assigned to err but then later overwritten when the tuner +attach call is made. Fix this by returning early with the +error return code -EREMOTEIO on i2c transfer failure errors. + +If the transfer fails, an uninitialized value will be read from b2. + +Addresses-coverity: ("Unused value") + +Fixes: fbfee8684ff2 ("V4L/DVB (5651): Dibusb-mb: convert pll handling to properly use dvb-pll") +Signed-off-by: Colin Ian King +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/dvb-usb/dibusb-mb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/dibusb-mb.c b/drivers/media/usb/dvb-usb/dibusb-mb.c +index f462c918d5a4..e9dc27f73970 100644 +--- a/drivers/media/usb/dvb-usb/dibusb-mb.c ++++ b/drivers/media/usb/dvb-usb/dibusb-mb.c +@@ -81,7 +81,7 @@ static int dibusb_tuner_probe_and_attach(struct dvb_usb_adapter *adap) + + if (i2c_transfer(&adap->dev->i2c_adap, msg, 2) != 2) { + err("tuner i2c write failed."); +- ret = -EREMOTEIO; ++ return -EREMOTEIO; + } + + if (adap->fe_adap[0].fe->ops.i2c_gate_ctrl) +-- +2.16.4 + diff --git a/patches.suse/media-platform-fcp-Set-appropriate-DMA-parameters.patch b/patches.suse/media-platform-fcp-Set-appropriate-DMA-parameters.patch new file mode 100644 index 0000000..929687f --- /dev/null +++ b/patches.suse/media-platform-fcp-Set-appropriate-DMA-parameters.patch @@ -0,0 +1,66 @@ +From dd844fb8e50b12e65bbdc5746c9876c6735500df Mon Sep 17 00:00:00 2001 +From: Kieran Bingham +Date: Tue, 7 Apr 2020 17:44:17 +0200 +Subject: [PATCH] media: platform: fcp: Set appropriate DMA parameters +Git-commit: dd844fb8e50b12e65bbdc5746c9876c6735500df +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Enabling CONFIG_DMA_API_DEBUG=y and CONFIG_DMA_API_DEBUG_SG=y will +enable extra validation on DMA operations ensuring that the size +restraints are met. + +When using the FCP in conjunction with the VSP1/DU, and display frames, +the size of the DMA operations is larger than the default maximum +segment size reported by the DMA core (64K). With the DMA debug enabled, +this produces a warning such as the following: + +"dma-api: rcar-fcp fea27000.fcp: mapping sg segment longer than device +claims to support [len=3145728] [max=65536]" + +We have no specific limitation on the segment size which isn't already +handled by the VSP1/DU which actually handles the DMA allcoations and +buffer management, so define a maximum segment size of up to 4GB (a 32 +bit mask). + +Reported-by: Geert Uytterhoeven +Fixes: 7b49235e83b2 ("[media] v4l: Add Renesas R-Car FCP driver") +Signed-off-by: Kieran Bingham +Reviewed-by: Geert Uytterhoeven +Tested-by: Geert Uytterhoeven +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/platform/rcar-fcp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/platform/rcar-fcp.c ++++ b/drivers/media/platform/rcar-fcp.c +@@ -12,6 +12,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -24,6 +25,7 @@ + struct rcar_fcp_device { + struct list_head list; + struct device *dev; ++ struct device_dma_parameters dma_parms; + }; + + static LIST_HEAD(fcp_devices); +@@ -140,6 +142,9 @@ static int rcar_fcp_probe(struct platfor + + fcp->dev = &pdev->dev; + ++ fcp->dev->dma_parms = &fcp->dma_parms; ++ dma_set_max_seg_size(fcp->dev, DMA_BIT_MASK(32)); ++ + pm_runtime_enable(&pdev->dev); + + mutex_lock(&fcp_lock); diff --git a/patches.suse/mlxsw-Fix-some-IS_ERR-vs-NULL-bugs.patch b/patches.suse/mlxsw-Fix-some-IS_ERR-vs-NULL-bugs.patch new file mode 100644 index 0000000..5e3ca38 --- /dev/null +++ b/patches.suse/mlxsw-Fix-some-IS_ERR-vs-NULL-bugs.patch @@ -0,0 +1,59 @@ +From: Dan Carpenter +Date: Wed, 22 Apr 2020 12:36:41 +0300 +Subject: mlxsw: Fix some IS_ERR() vs NULL bugs +Git-commit: c391eb8366ae052d571bb2841f1ccb4d39f3ceb8 +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +The mlxsw_sp_acl_rulei_create() function is supposed to return an error +pointer from mlxsw_afa_block_create(). The problem is that these +functions both return NULL instead of error pointers. Half the callers +expect NULL and half expect error pointers so it could lead to a NULL +dereference on failure. + +This patch changes both of them to return error pointers and changes all +the callers which checked for NULL to check for IS_ERR() instead. + +[js] no spectrum_acl and spectrum_mr_tcam in 4.12 yet. + +Fixes: 4cda7d8d7098 ("mlxsw: core: Introduce flexible actions support") +Signed-off-by: Dan Carpenter +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c | 4 ++-- + drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c +@@ -318,7 +318,7 @@ struct mlxsw_afa_block *mlxsw_afa_block_ + + block = kzalloc(sizeof(*block), GFP_KERNEL); + if (!block) +- return NULL; ++ return ERR_PTR(-ENOMEM); + INIT_LIST_HEAD(&block->resource_list); + block->afa = mlxsw_afa; + +@@ -331,7 +331,7 @@ struct mlxsw_afa_block *mlxsw_afa_block_ + mlxsw_afa_set_destroy(block->first_set); + err_first_set_create: + kfree(block); +- return NULL; ++ return ERR_PTR(-ENOMEM); + } + EXPORT_SYMBOL(mlxsw_afa_block_create); + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c +@@ -278,7 +278,7 @@ mlxsw_sp_acl_rulei_create(struct mlxsw_s + + rulei = kzalloc(sizeof(*rulei), GFP_KERNEL); + if (!rulei) +- return NULL; ++ return ERR_PTR(-ENOMEM); + rulei->act_block = mlxsw_afa_block_create(acl->mlxsw_sp->afa); + if (IS_ERR(rulei->act_block)) { + err = PTR_ERR(rulei->act_block); diff --git a/patches.suse/mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch b/patches.suse/mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch new file mode 100644 index 0000000..1e20f22 --- /dev/null +++ b/patches.suse/mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch @@ -0,0 +1,38 @@ +From 1194be8c949b8190b2882ad8335a5d98aa50c735 Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Tue, 26 May 2020 18:22:01 +0800 +Subject: [PATCH] mmc: sdhci-esdhc-imx: fix the mask for tuning start point +Git-commit: 1194be8c949b8190b2882ad8335a5d98aa50c735 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +According the RM, the bit[6~0] of register ESDHC_TUNING_CTRL is +TUNING_START_TAP, bit[7] of this register is to disable the command +CRC check for standard tuning. So fix it here. + +Fixes: d87fc9663688 ("mmc: sdhci-esdhc-imx: support setting tuning start point") +Signed-off-by: Haibo Chen +Link: https://lore.kernel.org/r/1590488522-9292-1-git-send-email-haibo.chen@nxp.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index 5a27511438c8..37d466776dc1 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -90,7 +90,7 @@ + #define ESDHC_STD_TUNING_EN (1 << 24) + /* NOTE: the minimum valid tuning start tap for mx6sl is 1 */ + #define ESDHC_TUNING_START_TAP_DEFAULT 0x1 +-#define ESDHC_TUNING_START_TAP_MASK 0xff ++#define ESDHC_TUNING_START_TAP_MASK 0x7f + #define ESDHC_TUNING_STEP_MASK 0x00070000 + #define ESDHC_TUNING_STEP_SHIFT 16 + +-- +2.16.4 + diff --git a/patches.suse/mmc-sdhci-msm-Clear-tuning-done-flag-while-hs400-tun.patch b/patches.suse/mmc-sdhci-msm-Clear-tuning-done-flag-while-hs400-tun.patch new file mode 100644 index 0000000..9afdc2a --- /dev/null +++ b/patches.suse/mmc-sdhci-msm-Clear-tuning-done-flag-while-hs400-tun.patch @@ -0,0 +1,41 @@ +From 9253d71011c349d5f5cc0cebdf68b4a80811b92d Mon Sep 17 00:00:00 2001 +From: Veerabhadrarao Badiganti +Date: Thu, 28 May 2020 20:43:52 +0530 +Subject: [PATCH] mmc: sdhci-msm: Clear tuning done flag while hs400 tuning +Git-commit: 9253d71011c349d5f5cc0cebdf68b4a80811b92d +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Clear tuning_done flag while executing tuning to ensure vendor +specific HS400 settings are applied properly when the controller +is re-initialized in HS400 mode. + +Without this, re-initialization of the qcom SDHC in HS400 mode fails +while resuming the driver from runtime-suspend or system-suspend. + +Fixes: ff06ce417828 ("mmc: sdhci-msm: Add HS400 platform support") +Cc: stable@vger.kernel.org +Signed-off-by: Veerabhadrarao Badiganti +Link: https://lore.kernel.org/r/1590678838-18099-1-git-send-email-vbadigan@codeaurora.org +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/sdhci-msm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -839,6 +839,12 @@ static int sdhci_msm_execute_tuning(stru + return 0; + + /* ++ * Clear tuning_done flag before tuning to ensure proper ++ * HS400 settings. ++ */ ++ msm_host->tuning_done = 0; ++ ++ /* + * For HS400 tuning in HS200 timing requires: + * - select MCLK/2 in VENDOR_SPEC + * - program MCLK to 400MHz (or nearest supported) in GCC diff --git a/patches.suse/mmc-sdio-Fix-potential-NULL-pointer-error-in-mmc_sdi.patch b/patches.suse/mmc-sdio-Fix-potential-NULL-pointer-error-in-mmc_sdi.patch new file mode 100644 index 0000000..2816b97 --- /dev/null +++ b/patches.suse/mmc-sdio-Fix-potential-NULL-pointer-error-in-mmc_sdi.patch @@ -0,0 +1,44 @@ +From f04086c225da11ad16d7f9a2fbca6483ab16dded Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Thu, 30 Apr 2020 11:16:37 +0200 +Subject: [PATCH] mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() +Git-commit: f04086c225da11ad16d7f9a2fbca6483ab16dded +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +During some scenarios mmc_sdio_init_card() runs a retry path for the UHS-I +specific initialization, which leads to removal of the previously allocated +card. A new card is then re-allocated while retrying. + +However, in one of the corresponding error paths we may end up to remove an +already removed card, which likely leads to a NULL pointer exception. So, +let's fix this. + +Fixes: 5fc3d80ef496 ("mmc: sdio: don't use rocr to check if the card could support UHS mode") +Cc: +Signed-off-by: Ulf Hansson +Link: https://lore.kernel.org/r/20200430091640.455-2-ulf.hansson@linaro.org +Acked-by: Takashi Iwai + +--- + drivers/mmc/core/sdio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c +index ebb387aa5158..d35679e6e6aa 100644 +--- a/drivers/mmc/core/sdio.c ++++ b/drivers/mmc/core/sdio.c +@@ -718,9 +718,8 @@ static int mmc_sdio_init_card(struct mmc_host *host, u32 ocr, + /* Retry init sequence, but without R4_18V_PRESENT. */ + retries = 0; + goto try_again; +- } else { +- goto remove; + } ++ return err; + } + + /* +-- +2.16.4 + diff --git a/patches.suse/mtd-spi-nor-fsl-quadspi-don-t-let-einval-on-the-bus.patch b/patches.suse/mtd-spi-nor-fsl-quadspi-don-t-let-einval-on-the-bus.patch new file mode 100644 index 0000000..87c2054 --- /dev/null +++ b/patches.suse/mtd-spi-nor-fsl-quadspi-don-t-let-einval-on-the-bus.patch @@ -0,0 +1,74 @@ +From: Ahmad Fatoum +Date: Fri, 21 Sep 2018 11:32:53 +0200 +Subject: mtd: spi-nor: fsl-quadspi: Don't let -EINVAL on the bus +Git-commit: 000412276370a9bcfec73b3752ceefd9a927f1db +Patch-mainline: v4.20-rc1 +References: git-fixes,fate#326530,fate#326531,fate#326535,fate#326538,fate#326539 + +fsl_qspi_get_seqid() may return -EINVAL, but fsl_qspi_init_ahb_read() +doesn't check for error codes with the result that -EINVAL could find +itself signalled over the bus. + +In conjunction with the LS1046A SoC's A-009283 errata +("Illegal accesses to SPI flash memory can result in a system hang") +this illegal access to SPI flash memory results in a system hang +if userspace attempts reading later on. + +Avoid this by always checking fsl_qspi_get_seqid()'s return value +and bail out otherwise. + +Fixes: e46ecda764dc ("mtd: spi-nor: Add Freescale QuadSPI driver") +Cc: stable@vger.kernel.org +Signed-off-by: Ahmad Fatoum +Signed-off-by: Boris Brezillon +Acked-by: Nicolas Saenz Julienne +--- + drivers/mtd/spi-nor/fsl-quadspi.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/spi-nor/fsl-quadspi.c ++++ b/drivers/mtd/spi-nor/fsl-quadspi.c +@@ -533,6 +533,9 @@ fsl_qspi_runcmd(struct fsl_qspi *q, u8 c + + /* trigger the LUT now */ + seqid = fsl_qspi_get_seqid(q, cmd); ++ if (seqid < 0) ++ return seqid; ++ + qspi_writel(q, (seqid << QUADSPI_IPCR_SEQID_SHIFT) | len, + base + QUADSPI_IPCR); + +@@ -661,7 +664,7 @@ static void fsl_qspi_set_map_addr(struct + * causes the controller to clear the buffer, and use the sequence pointed + * by the QUADSPI_BFGENCR[SEQID] to initiate a read from the flash. + */ +-static void fsl_qspi_init_ahb_read(struct fsl_qspi *q) ++static int fsl_qspi_init_ahb_read(struct fsl_qspi *q) + { + void __iomem *base = q->iobase; + int seqid; +@@ -686,8 +689,13 @@ static void fsl_qspi_init_ahb_read(struc + + /* Set the default lut sequence for AHB Read. */ + seqid = fsl_qspi_get_seqid(q, q->nor[0].read_opcode); ++ if (seqid < 0) ++ return seqid; ++ + qspi_writel(q, seqid << QUADSPI_BFGENCR_SEQID_SHIFT, + q->iobase + QUADSPI_BFGENCR); ++ ++ return 0; + } + + /* This function was used to prepare and enable QSPI clock */ +@@ -794,9 +802,7 @@ static int fsl_qspi_nor_setup_last(struc + fsl_qspi_init_lut(q); + + /* Init for AHB read */ +- fsl_qspi_init_ahb_read(q); +- +- return 0; ++ return fsl_qspi_init_ahb_read(q); + } + + static const struct of_device_id fsl_qspi_dt_ids[] = { diff --git a/patches.suse/mwifiex-Fix-memory-corruption-in-dump_station.patch b/patches.suse/mwifiex-Fix-memory-corruption-in-dump_station.patch new file mode 100644 index 0000000..fe2f89e --- /dev/null +++ b/patches.suse/mwifiex-Fix-memory-corruption-in-dump_station.patch @@ -0,0 +1,92 @@ +From 3aa42bae9c4d1641aeb36f1a8585cd1d506cf471 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Fri, 15 May 2020 09:59:24 +0200 +Subject: [PATCH] mwifiex: Fix memory corruption in dump_station +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 3aa42bae9c4d1641aeb36f1a8585cd1d506cf471 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +The mwifiex_cfg80211_dump_station() uses static variable for iterating +over a linked list of all associated stations (when the driver is in UAP +role). This has a race condition if .dump_station is called in parallel +for multiple interfaces. This corruption can be triggered by registering +multiple SSIDs and calling, in parallel for multiple interfaces + iw dev station dump + +[16750.719775] Unable to handle kernel paging request at virtual address dead000000000110 +... +[16750.899173] Call trace: +[16750.901696] mwifiex_cfg80211_dump_station+0x94/0x100 [mwifiex] +[16750.907824] nl80211_dump_station+0xbc/0x278 [cfg80211] +[16750.913160] netlink_dump+0xe8/0x320 +[16750.916827] netlink_recvmsg+0x1b4/0x338 +[16750.920861] ____sys_recvmsg+0x7c/0x2b0 +[16750.924801] ___sys_recvmsg+0x70/0x98 +[16750.928564] __sys_recvmsg+0x58/0xa0 +[16750.932238] __arm64_sys_recvmsg+0x28/0x30 +[16750.936453] el0_svc_common.constprop.3+0x90/0x158 +[16750.941378] do_el0_svc+0x74/0x90 +[16750.944784] el0_sync_handler+0x12c/0x1a8 +[16750.948903] el0_sync+0x114/0x140 +[16750.952312] Code: f9400003 f907f423 eb02007f 54fffd60 (b9401060) +[16750.958583] ---[ end trace c8ad181c2f4b8576 ]--- + +This patch drops the use of the static iterator, and instead every time +the function is called iterates to the idx-th position of the +linked-list. + +It would be better to convert the code not to use linked list for +associated stations storage (since the chip has a limited number of +associated stations anyway - it could just be an array). Such a change +may be proposed in the future. In the meantime this patch can backported +into stable kernels in this simple form. + +Fixes: 8baca1a34d4c ("mwifiex: dump station support in uap mode") +Signed-off-by: Pali Rohár +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200515075924.13841-1-pali@kernel.org +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +index 1566d2197906..12bfd653a405 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -1496,7 +1496,8 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev, + int idx, u8 *mac, struct station_info *sinfo) + { + struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev); +- static struct mwifiex_sta_node *node; ++ struct mwifiex_sta_node *node; ++ int i; + + if ((GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) && + priv->media_connected && idx == 0) { +@@ -1506,13 +1507,10 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev, + mwifiex_send_cmd(priv, HOST_CMD_APCMD_STA_LIST, + HostCmd_ACT_GEN_GET, 0, NULL, true); + +- if (node && (&node->list == &priv->sta_list)) { +- node = NULL; +- return -ENOENT; +- } +- +- node = list_prepare_entry(node, &priv->sta_list, list); +- list_for_each_entry_continue(node, &priv->sta_list, list) { ++ i = 0; ++ list_for_each_entry(node, &priv->sta_list, list) { ++ if (i++ != idx) ++ continue; + ether_addr_copy(mac, node->mac_addr); + return mwifiex_dump_station_info(priv, node, sinfo); + } +-- +2.16.4 + diff --git a/patches.suse/mwifiex-avoid-Wstringop-overflow-warning.patch b/patches.suse/mwifiex-avoid-Wstringop-overflow-warning.patch new file mode 100644 index 0000000..32631c5 --- /dev/null +++ b/patches.suse/mwifiex-avoid-Wstringop-overflow-warning.patch @@ -0,0 +1,99 @@ +From 08afb432c996e34e7047110a4d8c6979b8bd2b19 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 30 Apr 2020 23:30:45 +0200 +Subject: [PATCH] mwifiex: avoid -Wstringop-overflow warning +Git-commit: 08afb432c996e34e7047110a4d8c6979b8bd2b19 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +gcc-10 reports a warning for mwifiex_cmd_802_11_key_material_v1: + +Drivers/net/wireless/marvell/mwifiex/sta_cmd.c: In function 'mwifiex_cmd_802_11_key_material_v1': +Cc1: warning: writing 16 bytes into a region of size 0 [-Wstringop-overflow=] +In file included from drivers/net/wireless/marvell/mwifiex/sta_cmd.c:23: +drivers/net/wireless/marvell/mwifiex/fw.h:993:9: note: at offset 0 to object 'action' with size 2 declared here + 993 | __le16 action; + | ^~~~~~ + +As the warning makes no sense, I reported it as a bug for gcc. In the +meantime using a temporary pointer for the key data makes the code easier +to read and stops the warning. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94881 +Signed-off-by: Arnd Bergmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200430213101.135134-4-arnd@arndb.de +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/marvell/mwifiex/sta_cmd.c | 39 +++++++++++--------------- + 1 file changed, 16 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmd.c b/drivers/net/wireless/marvell/mwifiex/sta_cmd.c +index 0bd93f26bd7f..8bd355d7974e 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_cmd.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmd.c +@@ -853,43 +853,36 @@ mwifiex_cmd_802_11_key_material_v1(struct mwifiex_private *priv, + memset(&key_material->key_param_set, 0, + sizeof(struct mwifiex_ie_type_key_param_set)); + if (enc_key->is_wapi_key) { ++ struct mwifiex_ie_type_key_param_set *set; ++ + mwifiex_dbg(priv->adapter, INFO, "info: Set WAPI Key\n"); +- key_material->key_param_set.key_type_id = +- cpu_to_le16(KEY_TYPE_ID_WAPI); ++ set = &key_material->key_param_set; ++ set->key_type_id = cpu_to_le16(KEY_TYPE_ID_WAPI); + if (cmd_oid == KEY_INFO_ENABLED) +- key_material->key_param_set.key_info = +- cpu_to_le16(KEY_ENABLED); ++ set->key_info = cpu_to_le16(KEY_ENABLED); + else +- key_material->key_param_set.key_info = +- cpu_to_le16(!KEY_ENABLED); ++ set->key_info = cpu_to_le16(!KEY_ENABLED); + +- key_material->key_param_set.key[0] = enc_key->key_index; ++ set->key[0] = enc_key->key_index; + if (!priv->sec_info.wapi_key_on) +- key_material->key_param_set.key[1] = 1; ++ set->key[1] = 1; + else + /* set 0 when re-key */ +- key_material->key_param_set.key[1] = 0; ++ set->key[1] = 0; + + if (!is_broadcast_ether_addr(enc_key->mac_addr)) { + /* WAPI pairwise key: unicast */ +- key_material->key_param_set.key_info |= +- cpu_to_le16(KEY_UNICAST); ++ set->key_info |= cpu_to_le16(KEY_UNICAST); + } else { /* WAPI group key: multicast */ +- key_material->key_param_set.key_info |= +- cpu_to_le16(KEY_MCAST); ++ set->key_info |= cpu_to_le16(KEY_MCAST); + priv->sec_info.wapi_key_on = true; + } + +- key_material->key_param_set.type = +- cpu_to_le16(TLV_TYPE_KEY_MATERIAL); +- key_material->key_param_set.key_len = +- cpu_to_le16(WAPI_KEY_LEN); +- memcpy(&key_material->key_param_set.key[2], +- enc_key->key_material, enc_key->key_len); +- memcpy(&key_material->key_param_set.key[2 + enc_key->key_len], +- enc_key->pn, PN_LEN); +- key_material->key_param_set.length = +- cpu_to_le16(WAPI_KEY_LEN + KEYPARAMSET_FIXED_LEN); ++ set->type = cpu_to_le16(TLV_TYPE_KEY_MATERIAL); ++ set->key_len = cpu_to_le16(WAPI_KEY_LEN); ++ memcpy(&set->key[2], enc_key->key_material, enc_key->key_len); ++ memcpy(&set->key[2 + enc_key->key_len], enc_key->pn, PN_LEN); ++ set->length = cpu_to_le16(WAPI_KEY_LEN + KEYPARAMSET_FIXED_LEN); + + key_param_len = (WAPI_KEY_LEN + KEYPARAMSET_FIXED_LEN) + + sizeof(struct mwifiex_ie_types_header); +-- +2.16.4 + diff --git a/patches.suse/net-bcmgenet-correct-per-TX-RX-ring-statistics.patch b/patches.suse/net-bcmgenet-correct-per-TX-RX-ring-statistics.patch new file mode 100644 index 0000000..3206cdd --- /dev/null +++ b/patches.suse/net-bcmgenet-correct-per-TX-RX-ring-statistics.patch @@ -0,0 +1,41 @@ +From: Doug Berger +Date: Thu, 23 Apr 2020 15:44:17 -0700 +Subject: net: bcmgenet: correct per TX/RX ring statistics +Git-commit: a6d0b83f25073bdf08b8547aeff961a62c6ab229 +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +The change to track net_device_stats per ring to better support SMP +missed updating the rx_dropped member. + +The ndo_get_stats method is also needed to combine the results for +ethtool statistics (-S) before filling in the ethtool structure. + +Fixes: 37a30b435b92 ("net: bcmgenet: Track per TX/RX rings statistics") +Signed-off-by: Doug Berger +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -954,6 +954,8 @@ static void bcmgenet_get_ethtool_stats(s + if (netif_running(dev)) + bcmgenet_update_mib_counters(priv); + ++ dev->netdev_ops->ndo_get_stats(dev); ++ + for (i = 0; i < BCMGENET_STATS_LEN; i++) { + const struct bcmgenet_stats *s; + char *p; +@@ -3130,6 +3132,7 @@ static struct net_device_stats *bcmgenet + dev->stats.rx_packets = rx_packets; + dev->stats.rx_errors = rx_errors; + dev->stats.rx_missed_errors = rx_errors; ++ dev->stats.rx_dropped = rx_dropped; + return &dev->stats; + } + diff --git a/patches.suse/net-dsa-b53-Fix-ARL-register-definitions.patch b/patches.suse/net-dsa-b53-Fix-ARL-register-definitions.patch new file mode 100644 index 0000000..84afe82 --- /dev/null +++ b/patches.suse/net-dsa-b53-Fix-ARL-register-definitions.patch @@ -0,0 +1,40 @@ +From: Florian Fainelli +Date: Mon, 20 Apr 2020 20:26:53 -0700 +Subject: net: dsa: b53: Fix ARL register definitions +Git-commit: c2e77a18a7ed65eb48f6e389b6a59a0fd753646a +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +The ARL {MAC,VID} tuple and the forward entry were off by 0x10 bytes, +which means that when we read/wrote from/to ARL bin index 0, we were +actually accessing the ARLA_RWCTRL register. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Reviewed-by: Andrew Lunn +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/dsa/b53/b53_regs.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -294,7 +294,7 @@ + * + * BCM5325 and BCM5365 share most definitions below + */ +-#define B53_ARLTBL_MAC_VID_ENTRY(n) (0x10 * (n)) ++#define B53_ARLTBL_MAC_VID_ENTRY(n) ((0x10 * (n)) + 0x10) + #define ARLTBL_MAC_MASK 0xffffffffffffULL + #define ARLTBL_VID_S 48 + #define ARLTBL_VID_MASK_25 0xff +@@ -306,7 +306,7 @@ + #define ARLTBL_VALID_25 BIT(63) + + /* ARL Table Data Entry N Registers (32 bit) */ +-#define B53_ARLTBL_DATA_ENTRY(n) ((0x10 * (n)) + 0x08) ++#define B53_ARLTBL_DATA_ENTRY(n) ((0x10 * (n)) + 0x18) + #define ARLTBL_DATA_PORT_ID_MASK 0x1ff + #define ARLTBL_TC(tc) ((3 & tc) << 11) + #define ARLTBL_AGE BIT(14) diff --git a/patches.suse/net-dsa-b53-Rework-ARL-bin-logic.patch b/patches.suse/net-dsa-b53-Rework-ARL-bin-logic.patch new file mode 100644 index 0000000..1d0502b --- /dev/null +++ b/patches.suse/net-dsa-b53-Rework-ARL-bin-logic.patch @@ -0,0 +1,110 @@ +From: Florian Fainelli +Date: Mon, 20 Apr 2020 20:26:54 -0700 +Subject: net: dsa: b53: Rework ARL bin logic +Git-commit: 6344dbde6a27d10d16246d734b968f84887841e2 +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +When asking the ARL to read a MAC address, we will get a number of bins +returned in a single read. Out of those bins, there can essentially be 3 +states: + +- all bins are full, we have no space left, and we can either replace an + existing address or return that full condition + +- the MAC address was found, then we need to return its bin index and + modify that one, and only that one + +- the MAC address was not found and we have a least one bin free, we use + that bin index location then + +The code would unfortunately fail on all counts. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/dsa/b53/b53_common.c | 30 ++++++++++++++++++++++++++---- + drivers/net/dsa/b53/b53_regs.h | 3 +++ + 2 files changed, 29 insertions(+), 4 deletions(-) + +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1138,6 +1138,7 @@ static int b53_arl_read(struct b53_devic + u16 vid, struct b53_arl_entry *ent, u8 *idx, + bool is_valid) + { ++ DECLARE_BITMAP(free_bins, B53_ARLTBL_MAX_BIN_ENTRIES); + unsigned int i; + int ret; + +@@ -1145,6 +1146,8 @@ static int b53_arl_read(struct b53_devic + if (ret) + return ret; + ++ bitmap_zero(free_bins, dev->num_arl_entries); ++ + /* Read the bins */ + for (i = 0; i < dev->num_arl_entries; i++) { + u64 mac_vid; +@@ -1156,13 +1159,21 @@ static int b53_arl_read(struct b53_devic + B53_ARLTBL_DATA_ENTRY(i), &fwd_entry); + b53_arl_to_entry(ent, mac_vid, fwd_entry); + +- if (!(fwd_entry & ARLTBL_VALID)) ++ if (!(fwd_entry & ARLTBL_VALID)) { ++ set_bit(i, free_bins); + continue; ++ } + if ((mac_vid & ARLTBL_MAC_MASK) != mac) + continue; + *idx = i; ++ return 0; + } + ++ if (bitmap_weight(free_bins, dev->num_arl_entries) == 0) ++ return -ENOSPC; ++ ++ *idx = find_first_bit(free_bins, dev->num_arl_entries); ++ + return -ENOENT; + } + +@@ -1192,10 +1203,21 @@ static int b53_arl_op(struct b53_device + if (op) + return ret; + +- /* We could not find a matching MAC, so reset to a new entry */ +- if (ret) { ++ switch (ret) { ++ case -ENOSPC: ++ dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n", ++ addr, vid); ++ return is_valid ? ret : 0; ++ case -ENOENT: ++ /* We could not find a matching MAC, so reset to a new entry */ ++ dev_dbg(dev->dev, "{%pM,%.4d} not found, using idx: %d\n", ++ addr, vid, idx); + fwd_entry = 0; +- idx = 1; ++ break; ++ default: ++ dev_dbg(dev->dev, "{%pM,%.4d} found, using idx: %d\n", ++ addr, vid, idx); ++ break; + } + + memset(&ent, 0, sizeof(ent)); +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -313,6 +313,9 @@ + #define ARLTBL_STATIC BIT(15) + #define ARLTBL_VALID BIT(16) + ++/* Maximum number of bin entries in the ARL for all switches */ ++#define B53_ARLTBL_MAX_BIN_ENTRIES 4 ++ + /* ARL Search Control Register (8 bit) */ + #define B53_ARL_SRCH_CTL 0x50 + #define B53_ARL_SRCH_CTL_25 0x20 diff --git a/patches.suse/net-ipv4-devinet-Fix-crash-when-add-del-multicast-IP.patch b/patches.suse/net-ipv4-devinet-Fix-crash-when-add-del-multicast-IP.patch new file mode 100644 index 0000000..7a3dfe2 --- /dev/null +++ b/patches.suse/net-ipv4-devinet-Fix-crash-when-add-del-multicast-IP.patch @@ -0,0 +1,98 @@ +From: Taras Chornyi +Date: Thu, 9 Apr 2020 20:25:24 +0300 +Subject: net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin +Git-commit: 690cc86321eb9bcee371710252742fb16fe96824 +Patch-mainline: 5.7-rc2 +References: networking-stable-20_04_17 + +When CONFIG_IP_MULTICAST is not set and multicast ip is added to the device +with autojoin flag or when multicast ip is deleted kernel will crash. + +steps to reproduce: + +ip addr add 224.0.0.0/32 dev eth0 +ip addr del 224.0.0.0/32 dev eth0 + +or + +ip addr add 224.0.0.0/32 dev eth0 autojoin + +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088 + pc : _raw_write_lock_irqsave+0x1e0/0x2ac + lr : lock_sock_nested+0x1c/0x60 + Call trace: + _raw_write_lock_irqsave+0x1e0/0x2ac + lock_sock_nested+0x1c/0x60 + ip_mc_config.isra.28+0x50/0xe0 + inet_rtm_deladdr+0x1a8/0x1f0 + rtnetlink_rcv_msg+0x120/0x350 + netlink_rcv_skb+0x58/0x120 + rtnetlink_rcv+0x14/0x20 + netlink_unicast+0x1b8/0x270 + netlink_sendmsg+0x1a0/0x3b0 + ____sys_sendmsg+0x248/0x290 + ___sys_sendmsg+0x80/0xc0 + __sys_sendmsg+0x68/0xc0 + __arm64_sys_sendmsg+0x20/0x30 + el0_svc_common.constprop.2+0x88/0x150 + do_el0_svc+0x20/0x80 + el0_sync_handler+0x118/0x190 + el0_sync+0x140/0x180 + +Fixes: 93a714d6b53d ("multicast: Extend ip address command to enable multicast group join/leave on") +Signed-off-by: Taras Chornyi +Signed-off-by: Vadym Kochan +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/ipv4/devinet.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -559,12 +559,15 @@ struct in_ifaddr *inet_ifa_byprefix(stru + return NULL; + } + +-static int ip_mc_config(struct sock *sk, bool join, const struct in_ifaddr *ifa) ++static int ip_mc_autojoin_config(struct net *net, bool join, ++ const struct in_ifaddr *ifa) + { ++#if defined(CONFIG_IP_MULTICAST) + struct ip_mreqn mreq = { + .imr_multiaddr.s_addr = ifa->ifa_address, + .imr_ifindex = ifa->ifa_dev->dev->ifindex, + }; ++ struct sock *sk = net->ipv4.mc_autojoin_sk; + int ret; + + ASSERT_RTNL(); +@@ -577,6 +580,9 @@ static int ip_mc_config(struct sock *sk, + release_sock(sk); + + return ret; ++#else ++ return -EOPNOTSUPP; ++#endif + } + + static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, +@@ -618,7 +624,7 @@ static int inet_rtm_deladdr(struct sk_bu + continue; + + if (ipv4_is_multicast(ifa->ifa_address)) +- ip_mc_config(net->ipv4.mc_autojoin_sk, false, ifa); ++ ip_mc_autojoin_config(net, false, ifa); + __inet_del_ifa(in_dev, ifap, 1, nlh, NETLINK_CB(skb).portid); + return 0; + } +@@ -876,8 +882,7 @@ static int inet_rtm_newaddr(struct sk_bu + */ + set_ifa_lifetime(ifa, valid_lft, prefered_lft); + if (ifa->ifa_flags & IFA_F_MCAUTOJOIN) { +- int ret = ip_mc_config(net->ipv4.mc_autojoin_sk, +- true, ifa); ++ int ret = ip_mc_autojoin_config(net, true, ifa); + + if (ret < 0) { + inet_free_ifa(ifa); diff --git a/patches.suse/net-ipv6-do-not-consider-routes-via-gateways-for-any.patch b/patches.suse/net-ipv6-do-not-consider-routes-via-gateways-for-any.patch new file mode 100644 index 0000000..de516f8 --- /dev/null +++ b/patches.suse/net-ipv6-do-not-consider-routes-via-gateways-for-any.patch @@ -0,0 +1,65 @@ +From: Tim Stallard +Date: Fri, 3 Apr 2020 21:26:21 +0100 +Subject: net: ipv6: do not consider routes via gateways for anycast address + check +Git-commit: 03e2a984b6165621f287fadf5f4b5cd8b58dcaba +Patch-mainline: 5.7-rc2 +References: networking-stable-20_04_17 + +The behaviour for what is considered an anycast address changed in +commit 45e4fd26683c ("ipv6: Only create RTF_CACHE routes after +encountering pmtu exception"). This now considers the first +address in a subnet where there is a route via a gateway +to be an anycast address. + +This breaks path MTU discovery and traceroutes when a host in a +remote network uses the address at the start of a prefix +(eg 2600:: advertised as 2600::/48 in the DFZ) as ICMP errors +will not be sent to anycast addresses. + +This patch excludes any routes with a gateway, or via point to +point links, like the behaviour previously from +rt6_is_gw_or_nonexthop in net/ipv6/route.c. + +This can be tested with: +ip link add v1 type veth peer name v2 +ip netns add test +ip netns exec test ip link set lo up +ip link set v2 netns test +ip link set v1 up +ip netns exec test ip link set v2 up +ip addr add 2001:db8::1/64 dev v1 nodad +ip addr add 2001:db8:100:: dev lo nodad +ip netns exec test ip addr add 2001:db8::2/64 dev v2 nodad +ip netns exec test ip route add unreachable 2001:db8:1::1 +ip netns exec test ip route add 2001:db8:100::/64 via 2001:db8::1 +ip netns exec test sysctl net.ipv6.conf.all.forwarding=1 +ip route add 2001:db8:1::1 via 2001:db8::2 +ping -I 2001:db8::1 2001:db8:1::1 -c1 +ping -I 2001:db8:100:: 2001:db8:1::1 -c1 +ip addr delete 2001:db8:100:: dev lo +ip netns delete test + +Currently the first ping will get back a destination unreachable ICMP +error, but the second will never get a response, with "icmp6_send: +acast source" logged. After this patch, both get destination +unreachable ICMP replies. + +Fixes: 45e4fd26683c ("ipv6: Only create RTF_CACHE routes after encountering pmtu exception") +Signed-off-by: Tim Stallard +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + include/net/ip6_route.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -195,6 +195,7 @@ static inline bool ipv6_anycast_destinat + + return rt->rt6i_flags & RTF_ANYCAST || + (rt->rt6i_dst.plen < 127 && ++ !(rt->rt6i_flags & (RTF_GATEWAY | RTF_NONEXTHOP)) && + ipv6_addr_equal(&rt->rt6i_dst.addr, daddr)); + } + diff --git a/patches.suse/net-mlx4_en-avoid-indirect-call-in-TX-completion.patch b/patches.suse/net-mlx4_en-avoid-indirect-call-in-TX-completion.patch new file mode 100644 index 0000000..238f911 --- /dev/null +++ b/patches.suse/net-mlx4_en-avoid-indirect-call-in-TX-completion.patch @@ -0,0 +1,67 @@ +From: Eric Dumazet +Date: Wed, 15 Apr 2020 09:46:52 -0700 +Subject: net/mlx4_en: avoid indirect call in TX completion +Git-commit: 310660a14b74c380b0ef5c12b66933d6a3d1b59f +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +Commit 9ecc2d86171a ("net/mlx4_en: add xdp forwarding and data write support") +brought another indirect call in fast path. + +Use INDIRECT_CALL_2() helper to avoid the cost of the indirect call +when/if CONFIG_RETPOLINE=y + +Signed-off-by: Eric Dumazet +Cc: Tariq Toukan +Cc: Willem de Bruijn +Reviewed-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/mellanox/mlx4/en_tx.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + + #include "mlx4_en.h" + +@@ -264,6 +265,10 @@ static void mlx4_en_stamp_wqe(struct mlx + } + } + ++INDIRECT_CALLABLE_DECLARE(u32 mlx4_en_free_tx_desc(struct mlx4_en_priv *priv, ++ struct mlx4_en_tx_ring *ring, ++ int index, u64 timestamp, ++ int napi_mode)); + + u32 mlx4_en_free_tx_desc(struct mlx4_en_priv *priv, + struct mlx4_en_tx_ring *ring, +@@ -332,6 +337,11 @@ u32 mlx4_en_free_tx_desc(struct mlx4_en_ + return tx_info->nr_txbb; + } + ++INDIRECT_CALLABLE_DECLARE(u32 mlx4_en_recycle_tx_desc(struct mlx4_en_priv *priv, ++ struct mlx4_en_tx_ring *ring, ++ int index, u64 timestamp, ++ int napi_mode)); ++ + u32 mlx4_en_recycle_tx_desc(struct mlx4_en_priv *priv, + struct mlx4_en_tx_ring *ring, + int index, u64 timestamp, +@@ -452,7 +462,9 @@ bool mlx4_en_process_tx_cq(struct net_de + timestamp = mlx4_en_get_cqe_ts(cqe); + + /* free next descriptor */ +- last_nr_txbb = ring->free_tx_desc( ++ last_nr_txbb = INDIRECT_CALL_2(ring->free_tx_desc, ++ mlx4_en_free_tx_desc, ++ mlx4_en_recycle_tx_desc, + priv, ring, ring_index, + timestamp, napi_budget); + diff --git a/patches.suse/net-netrom-Fix-potential-nr_neigh-refcnt-leak-in-nr_.patch b/patches.suse/net-netrom-Fix-potential-nr_neigh-refcnt-leak-in-nr_.patch new file mode 100644 index 0000000..fcba05b --- /dev/null +++ b/patches.suse/net-netrom-Fix-potential-nr_neigh-refcnt-leak-in-nr_.patch @@ -0,0 +1,39 @@ +From: Xiyu Yang +Date: Wed, 15 Apr 2020 16:36:19 +0800 +Subject: net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node +Git-commit: d03f228470a8c0a22b774d1f8d47071e0de4f6dd +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +nr_add_node() invokes nr_neigh_get_dev(), which returns a local +reference of the nr_neigh object to "nr_neigh" with increased refcnt. + +When nr_add_node() returns, "nr_neigh" becomes invalid, so the refcount +should be decreased to keep refcount balanced. + +The issue happens in one normal path of nr_add_node(), which forgets to +decrease the refcnt increased by nr_neigh_get_dev() and causes a refcnt +leak. It should decrease the refcnt before the function returns like +other normal paths do. + +Fix this issue by calling nr_neigh_put() before the nr_add_node() +returns. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/netrom/nr_route.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -199,6 +199,7 @@ static int __must_check nr_add_node(ax25 + /* refcount initialized at 1 */ + spin_unlock_bh(&nr_node_list_lock); + ++ nr_neigh_put(nr_neigh); + return 0; + } + nr_node_lock(nr_node); diff --git a/patches.suse/net-revert-default-NAPI-poll-timeout-to-2-jiffies.patch b/patches.suse/net-revert-default-NAPI-poll-timeout-to-2-jiffies.patch new file mode 100644 index 0000000..7301aff --- /dev/null +++ b/patches.suse/net-revert-default-NAPI-poll-timeout-to-2-jiffies.patch @@ -0,0 +1,33 @@ +From: Konstantin Khlebnikov +Date: Mon, 6 Apr 2020 14:39:32 +0300 +Subject: net: revert default NAPI poll timeout to 2 jiffies +Git-commit: a4837980fd9fa4c70a821d11831698901baef56b +Patch-mainline: 5.7-rc2 +References: networking-stable-20_04_17 + +For HZ < 1000 timeout 2000us rounds up to 1 jiffy but expires randomly +because next timer interrupt could come shortly after starting softirq. + +For commonly used CONFIG_HZ=1000 nothing changes. + +Fixes: 7acf8a1e8a28 ("Replace 2 jiffies with sysctl netdev_budget_usecs to enable softirq tuning") +Reported-by: Dmitry Yakunin +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/core/dev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3574,7 +3574,8 @@ EXPORT_SYMBOL(netdev_max_backlog); + + int netdev_tstamp_prequeue __read_mostly = 1; + int netdev_budget __read_mostly = 300; +-unsigned int __read_mostly netdev_budget_usecs = 2000; ++/* Must be at least 2 jiffes to guarantee 1 jiffy timeout */ ++unsigned int __read_mostly netdev_budget_usecs = 2 * USEC_PER_SEC / HZ; + int weight_p __read_mostly = 64; /* old backlog weight */ + int dev_weight_rx_bias __read_mostly = 1; /* bias for backlog weight */ + int dev_weight_tx_bias __read_mostly = 1; /* bias for output_queue quota */ diff --git a/patches.suse/net-x25-Fix-x25_neigh-refcnt-leak-when-receiving-fra.patch b/patches.suse/net-x25-Fix-x25_neigh-refcnt-leak-when-receiving-fra.patch new file mode 100644 index 0000000..92cb579 --- /dev/null +++ b/patches.suse/net-x25-Fix-x25_neigh-refcnt-leak-when-receiving-fra.patch @@ -0,0 +1,45 @@ +From: Xiyu Yang +Date: Thu, 23 Apr 2020 13:13:03 +0800 +Subject: net/x25: Fix x25_neigh refcnt leak when receiving frame +Git-commit: f35d12971b4d814cdb2f659d76b42f0c545270b6 +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +x25_lapb_receive_frame() invokes x25_get_neigh(), which returns a +reference of the specified x25_neigh object to "nb" with increased +refcnt. + +When x25_lapb_receive_frame() returns, local variable "nb" becomes +invalid, so the refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in one path of +x25_lapb_receive_frame(). When pskb_may_pull() returns false, the +function forgets to decrease the refcnt increased by x25_get_neigh(), +causing a refcnt leak. + +Fix this issue by calling x25_neigh_put() when pskb_may_pull() returns +false. + +Fixes: cb101ed2c3c7 ("x25: Handle undersized/fragmented skbs") +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/x25/x25_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/x25/x25_dev.c ++++ b/net/x25/x25_dev.c +@@ -120,8 +120,10 @@ int x25_lapb_receive_frame(struct sk_buf + goto drop; + } + +- if (!pskb_may_pull(skb, 1)) ++ if (!pskb_may_pull(skb, 1)) { ++ x25_neigh_put(nb); + return 0; ++ } + + switch (skb->data[0]) { + diff --git a/patches.suse/new-helper-lookup_positive_unlocked.patch b/patches.suse/new-helper-lookup_positive_unlocked.patch index 313ecb1..f3b1e3d 100644 --- a/patches.suse/new-helper-lookup_positive_unlocked.patch +++ b/patches.suse/new-helper-lookup_positive_unlocked.patch @@ -32,7 +32,7 @@ Acked-by: Goldwyn Rodrigues --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c -@@ -687,11 +687,6 @@ +@@ -707,11 +707,6 @@ cifs_get_root(struct smb_vol *vol, struc struct inode *dir = d_inode(dentry); struct dentry *child; @@ -44,7 +44,7 @@ Acked-by: Goldwyn Rodrigues if (!S_ISDIR(dir->i_mode)) { dput(dentry); dentry = ERR_PTR(-ENOTDIR); -@@ -708,7 +703,7 @@ +@@ -728,7 +723,7 @@ cifs_get_root(struct smb_vol *vol, struc while (*s && *s != sep) s++; @@ -55,14 +55,12 @@ Acked-by: Goldwyn Rodrigues } while (!IS_ERR(dentry)); --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c -@@ -276,15 +276,11 @@ +@@ -281,13 +281,9 @@ struct dentry *debugfs_lookup(const char + if (!parent) parent = debugfs_mount->mnt_root; - inode_lock(d_inode(parent)); -- dentry = lookup_one_len(name, parent, strlen(name)); +- dentry = lookup_one_len_unlocked(name, parent, strlen(name)); + dentry = lookup_positive_unlocked(name, parent, strlen(name)); - inode_unlock(d_inode(parent)); - if (IS_ERR(dentry)) return NULL; - if (!d_really_is_positive(dentry)) { @@ -74,7 +72,7 @@ Acked-by: Goldwyn Rodrigues EXPORT_SYMBOL_GPL(debugfs_lookup); --- a/fs/kernfs/mount.c +++ b/fs/kernfs/mount.c -@@ -139,7 +139,7 @@ +@@ -212,7 +212,7 @@ struct dentry *kernfs_node_dentry(struct dput(dentry); return ERR_PTR(-EINVAL); } @@ -85,7 +83,7 @@ Acked-by: Goldwyn Rodrigues if (IS_ERR(dtmp)) --- a/fs/namei.c +++ b/fs/namei.c -@@ -2589,6 +2589,26 @@ +@@ -2589,6 +2589,26 @@ struct dentry *lookup_one_len_unlocked(c } EXPORT_SYMBOL(lookup_one_len_unlocked); @@ -114,7 +112,7 @@ Acked-by: Goldwyn Rodrigues { --- a/fs/nfsd/nfs3xdr.c +++ b/fs/nfsd/nfs3xdr.c -@@ -829,13 +829,11 @@ +@@ -794,13 +794,11 @@ compose_entry_fh(struct nfsd3_readdirres } else dchild = dget(dparent); } else @@ -131,7 +129,7 @@ Acked-by: Goldwyn Rodrigues rv = fh_compose(fhp, exp, dchild, &cd->fh); --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c -@@ -2923,18 +2923,9 @@ +@@ -2923,18 +2923,9 @@ nfsd4_encode_dirent_fattr(struct xdr_str __be32 nfserr; int ignore_crossmnt = 0; @@ -153,7 +151,7 @@ Acked-by: Goldwyn Rodrigues /* --- a/fs/overlayfs/namei.c +++ b/fs/overlayfs/namei.c -@@ -189,7 +189,7 @@ +@@ -189,7 +189,7 @@ static int ovl_lookup_single(struct dent struct dentry *this; int err; @@ -162,7 +160,7 @@ Acked-by: Goldwyn Rodrigues if (IS_ERR(this)) { err = PTR_ERR(this); this = NULL; -@@ -197,8 +197,6 @@ +@@ -197,8 +197,6 @@ static int ovl_lookup_single(struct dent goto out; goto out_err; } @@ -171,7 +169,7 @@ Acked-by: Goldwyn Rodrigues if (ovl_dentry_weird(this)) { /* Don't support traversing automounts and other weirdness */ -@@ -517,7 +515,7 @@ +@@ -517,7 +515,7 @@ bool ovl_lower_positive(struct dentry *d struct dentry *this; struct dentry *lowerdir = poe->lowerstack[i].dentry; @@ -180,7 +178,7 @@ Acked-by: Goldwyn Rodrigues name->len); if (IS_ERR(this)) { switch (PTR_ERR(this)) { -@@ -534,10 +532,8 @@ +@@ -534,10 +532,8 @@ bool ovl_lower_positive(struct dentry *d break; } } else { @@ -195,7 +193,7 @@ Acked-by: Goldwyn Rodrigues } --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c -@@ -2456,21 +2456,14 @@ +@@ -2457,21 +2457,14 @@ int dquot_quota_on_mount(struct super_bl struct dentry *dentry; int error; @@ -220,7 +218,7 @@ Acked-by: Goldwyn Rodrigues } --- a/include/linux/namei.h +++ b/include/linux/namei.h -@@ -82,6 +82,7 @@ +@@ -82,6 +82,7 @@ extern int kern_path_mountpoint(int, con extern struct dentry *lookup_one_len(const char *, struct dentry *, int); extern struct dentry *lookup_one_len_unlocked(const char *, struct dentry *, int); diff --git a/patches.suse/nvme-fc-print-proper-nvme-fc-devloss_tmo-value.patch b/patches.suse/nvme-fc-print-proper-nvme-fc-devloss_tmo-value.patch new file mode 100644 index 0000000..5aae1c6 --- /dev/null +++ b/patches.suse/nvme-fc-print-proper-nvme-fc-devloss_tmo-value.patch @@ -0,0 +1,34 @@ +From: Martin George +Date: Tue, 12 May 2020 22:17:04 +0530 +Subject: nvme-fc: print proper nvme-fc devloss_tmo value +Patch-mainline: v5.8-rc1 +Git-commit: 614fc1c0d980423a131bfb5c93d8d53e5272f587 +References: bsc#1172391 + +The nvme-fc devloss_tmo is computed as the min of either the +ctrl_loss_tmo (max_retries * reconnect_delay) or the remote port's +devloss_tmo. But what gets printed as the nvme-fc devloss_tmo in +nvme_fc_reconnect_or_delete() is always the remote port's devloss_tmo +value. So correct this by printing the min value instead. + +Signed-off-by: Martin George +Reviewed-by: James Smart +Signed-off-by: Christoph Hellwig +Acked-by: Daniel Wagner +--- + drivers/nvme/host/fc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2902,7 +2902,9 @@ nvme_fc_reconnect_or_delete(struct nvme_ + dev_warn(ctrl->ctrl.device, + "NVME-FC{%d}: dev_loss_tmo (%d) expired " + "while waiting for remoteport connectivity.\n", +- ctrl->cnum, portptr->dev_loss_tmo); ++ ctrl->cnum, min_t(int, portptr->dev_loss_tmo, ++ (ctrl->ctrl.opts->max_reconnects * ++ ctrl->ctrl.opts->reconnect_delay))); + WARN_ON(nvme_delete_ctrl(&ctrl->ctrl)); + } + } diff --git a/patches.suse/relay-handle-alloc_percpu-returning-NULL-in-relay_open.patch b/patches.suse/relay-handle-alloc_percpu-returning-NULL-in-relay_open.patch new file mode 100644 index 0000000..f5954bb --- /dev/null +++ b/patches.suse/relay-handle-alloc_percpu-returning-NULL-in-relay_open.patch @@ -0,0 +1,69 @@ +From: Daniel Axtens +Subject: [PATCH v2] relay: handle alloc_percpu returning NULL in relay_open +Date: Thu, 19 Dec 2019 23:12:56 +1100 +Message-id: <20191219121256.26480-1-dja@axtens.net> +Patch-mainline: Submitted, LKML +References: CVE-2019-19462 bsc#1158265 + +alloc_percpu() may return NULL, which means chan->buf may be set to +NULL. In that case, when we do *per_cpu_ptr(chan->buf, ...), we +dereference an invalid pointer: + +Bug: Unable to handle kernel data access at 0x7dae0000 +Faulting instruction address: 0xc0000000003f3fec +... +NIP [c0000000003f3fec] relay_open+0x29c/0x600 +LR [c0000000003f3fc0] relay_open+0x270/0x600 +Call Trace: +[c000000054353a70] [c0000000003f3fb4] relay_open+0x264/0x600 (unreliable) +[c000000054353b00] [c000000000451764] __blk_trace_setup+0x254/0x600 +[c000000054353bb0] [c000000000451b78] blk_trace_setup+0x68/0xa0 +[c000000054353c10] [c0000000010da77c] sg_ioctl+0x7bc/0x2e80 +[c000000054353cd0] [c000000000758cbc] do_vfs_ioctl+0x13c/0x1300 +[c000000054353d90] [c000000000759f14] ksys_ioctl+0x94/0x130 +[c000000054353de0] [c000000000759ff8] sys_ioctl+0x48/0xb0 +[c000000054353e20] [c00000000000bcd0] system_call+0x5c/0x68 + +Check if alloc_percpu returns NULL. + +This was found by syzkaller both on x86 and powerpc, and the reproducer +it found on powerpc is capable of hitting the issue as an unprivileged +user. + +Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers") +Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com +Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com +Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com +Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com +Cc: Akash Goel +Cc: Andrew Donnellan # syzkaller-ppc64 +Reviewed-by: Michael Ellerman +Reviewed-by: Andrew Donnellan +Cc: stable@vger.kernel.org # v4.10+ +Signed-off-by: Daniel Axtens +Acked-by: Takashi Iwai + +--- + kernel/relay.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/relay.c b/kernel/relay.c +index ade14fb7ce2e..4b760ec16342 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -581,6 +581,11 @@ struct rchan *relay_open(const char *base_filename, + return NULL; + + chan->buf = alloc_percpu(struct rchan_buf *); ++ if (!chan->buf) { ++ kfree(chan); ++ return NULL; ++ } ++ + chan->version = RELAYFS_CHANNEL_VERSION; + chan->n_subbufs = n_subbufs; + chan->subbuf_size = subbuf_size; +-- +2.20.1 + + diff --git a/patches.suse/rtlwifi-Fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch b/patches.suse/rtlwifi-Fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch new file mode 100644 index 0000000..d5edcdc --- /dev/null +++ b/patches.suse/rtlwifi-Fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch @@ -0,0 +1,62 @@ +From beb12813bc75d4a23de43b85ad1c7cb28d27631e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 13 May 2020 12:39:51 +0300 +Subject: [PATCH] rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() +Git-commit: beb12813bc75d4a23de43b85ad1c7cb28d27631e +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Seven years ago we tried to fix a leak but actually introduced a double +free instead. It was an understandable mistake because the code was a +bit confusing and the free was done in the wrong place. The "skb" +pointer is freed in both _rtl_usb_tx_urb_setup() and _rtl_usb_transmit(). +The free belongs _rtl_usb_transmit() instead of _rtl_usb_tx_urb_setup() +and I've cleaned the code up a bit to hopefully make it more clear. + +Fixes: 36ef0b473fbf ("rtlwifi: usb: add missing freeing of skbuff") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200513093951.GD347693@mwanda +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 348b0072cdd6..c66c6dc00378 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -881,10 +881,8 @@ static struct urb *_rtl_usb_tx_urb_setup(struct ieee80211_hw *hw, + + WARN_ON(NULL == skb); + _urb = usb_alloc_urb(0, GFP_ATOMIC); +- if (!_urb) { +- kfree_skb(skb); ++ if (!_urb) + return NULL; +- } + _rtl_install_trx_info(rtlusb, skb, ep_num); + usb_fill_bulk_urb(_urb, rtlusb->udev, usb_sndbulkpipe(rtlusb->udev, + ep_num), skb->data, skb->len, _rtl_tx_complete, skb); +@@ -898,7 +896,6 @@ static void _rtl_usb_transmit(struct ieee80211_hw *hw, struct sk_buff *skb, + struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw)); + u32 ep_num; + struct urb *_urb = NULL; +- struct sk_buff *_skb = NULL; + + WARN_ON(NULL == rtlusb->usb_tx_aggregate_hdl); + if (unlikely(IS_USB_STOP(rtlusb))) { +@@ -907,8 +904,7 @@ static void _rtl_usb_transmit(struct ieee80211_hw *hw, struct sk_buff *skb, + return; + } + ep_num = rtlusb->ep_map.ep_mapping[qnum]; +- _skb = skb; +- _urb = _rtl_usb_tx_urb_setup(hw, _skb, ep_num); ++ _urb = _rtl_usb_tx_urb_setup(hw, skb, ep_num); + if (unlikely(!_urb)) { + pr_err("Can't allocate urb. Drop skb!\n"); + kfree_skb(skb); +-- +2.16.4 + diff --git a/patches.suse/spi-bcm-qspi-when-tx-rx-buffer-is-NULL-set-to-0.patch b/patches.suse/spi-bcm-qspi-when-tx-rx-buffer-is-NULL-set-to-0.patch new file mode 100644 index 0000000..707656e --- /dev/null +++ b/patches.suse/spi-bcm-qspi-when-tx-rx-buffer-is-NULL-set-to-0.patch @@ -0,0 +1,66 @@ +From 4df3bea7f9d2ddd9ac2c29ba945c7c4db2def29c Mon Sep 17 00:00:00 2001 +From: Justin Chen +Date: Mon, 20 Apr 2020 15:08:49 -0400 +Subject: [PATCH] spi: bcm-qspi: when tx/rx buffer is NULL set to 0 +Git-commit: 4df3bea7f9d2ddd9ac2c29ba945c7c4db2def29c +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Currently we set the tx/rx buffer to 0xff when NULL. This causes +problems with some spi slaves where 0xff is a valid command. Looking +at other drivers, the tx/rx buffer is usually set to 0x00 when NULL. +Following this convention solves the issue. + +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Justin Chen +Signed-off-by: Kamal Dasu +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200420190853.45614-6-kdasu.kdev@gmail.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-bcm-qspi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c +index 22f9fe1bf976..afed1ea62ec1 100644 +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -666,7 +666,7 @@ static void read_from_hw(struct bcm_qspi *qspi, int slots) + if (buf) + buf[tp.byte] = read_rxram_slot_u8(qspi, slot); + dev_dbg(&qspi->pdev->dev, "RD %02x\n", +- buf ? buf[tp.byte] : 0xff); ++ buf ? buf[tp.byte] : 0x0); + } else { + u16 *buf = tp.trans->rx_buf; + +@@ -674,7 +674,7 @@ static void read_from_hw(struct bcm_qspi *qspi, int slots) + buf[tp.byte / 2] = read_rxram_slot_u16(qspi, + slot); + dev_dbg(&qspi->pdev->dev, "RD %04x\n", +- buf ? buf[tp.byte] : 0xffff); ++ buf ? buf[tp.byte / 2] : 0x0); + } + + update_qspi_trans_byte_count(qspi, &tp, +@@ -729,13 +729,13 @@ static int write_to_hw(struct bcm_qspi *qspi, struct spi_device *spi) + while (!tstatus && slot < MSPI_NUM_CDRAM) { + if (tp.trans->bits_per_word <= 8) { + const u8 *buf = tp.trans->tx_buf; +- u8 val = buf ? buf[tp.byte] : 0xff; ++ u8 val = buf ? buf[tp.byte] : 0x00; + + write_txram_slot_u8(qspi, slot, val); + dev_dbg(&qspi->pdev->dev, "WR %02x\n", val); + } else { + const u16 *buf = tp.trans->tx_buf; +- u16 val = buf ? buf[tp.byte / 2] : 0xffff; ++ u16 val = buf ? buf[tp.byte / 2] : 0x0000; + + write_txram_slot_u16(qspi, slot, val); + dev_dbg(&qspi->pdev->dev, "WR %04x\n", val); +-- +2.16.4 + diff --git a/patches.suse/spi-bcm2835-fix-3-wire-mode-if-dma-is-enabled.patch b/patches.suse/spi-bcm2835-fix-3-wire-mode-if-dma-is-enabled.patch new file mode 100644 index 0000000..651ace4 --- /dev/null +++ b/patches.suse/spi-bcm2835-fix-3-wire-mode-if-dma-is-enabled.patch @@ -0,0 +1,51 @@ +From: Lukas Wunner +Date: Wed, 3 Jul 2019 12:29:31 +0200 +Subject: spi: bcm2835: Fix 3-wire mode if DMA is enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 8d8bef50365847134b51c1ec46786bc2873e4e47 +Patch-mainline: v5.3-rc4 +References: git-fixes + +Commit 6935224da248 ("spi: bcm2835: enable support of 3-wire mode") +added 3-wire support to the BCM2835 SPI driver by setting the REN bit +(Read Enable) in the CS register when receiving data. The REN bit puts +the transmitter in high-impedance state. The driver recognizes that +data is to be received by checking whether the rx_buf of a transfer is +non-NULL. + +Commit 3ecd37edaa2a ("spi: bcm2835: enable dma modes for transfers +meeting certain conditions") subsequently broke 3-wire support because +it set the SPI_MASTER_MUST_RX flag which causes spi_map_msg() to replace +rx_buf with a dummy buffer if it is NULL. As a result, rx_buf is +*always* non-NULL if DMA is enabled. + +Reinstate 3-wire support by not only checking whether rx_buf is non-NULL, +but also checking that it is not the dummy buffer. + +Fixes: 3ecd37edaa2a ("spi: bcm2835: enable dma modes for transfers meeting certain conditions") +Reported-by: Nuno Sá +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v4.2+ +Cc: Martin Sperl +Acked-by: Stefan Wahren +Link: https://lore.kernel.org/r/328318841455e505370ef8ecad97b646c033dc8a.1562148527.git.lukas@wunner.de +Signed-off-by: Mark Brown +Acked-by: Nicolas Saenz Julienne +--- + drivers/spi/spi-bcm2835.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -554,7 +554,8 @@ static int bcm2835_spi_transfer_one(stru + bcm2835_wr(bs, BCM2835_SPI_CLK, cdiv); + + /* handle all the 3-wire mode */ +- if ((spi->mode & SPI_3WIRE) && (tfr->rx_buf)) ++ if (spi->mode & SPI_3WIRE && tfr->rx_buf && ++ tfr->rx_buf != master->dummy_rx) + cs |= BCM2835_SPI_CS_REN; + else + cs &= ~BCM2835_SPI_CS_REN; diff --git a/patches.suse/spi-bcm63xx-hsspi-Really-keep-pll-clk-enabled.patch b/patches.suse/spi-bcm63xx-hsspi-Really-keep-pll-clk-enabled.patch new file mode 100644 index 0000000..ec29e53 --- /dev/null +++ b/patches.suse/spi-bcm63xx-hsspi-Really-keep-pll-clk-enabled.patch @@ -0,0 +1,47 @@ +From 51bddd4501bc414b8b1e8f4d096b4a5304068169 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Fri, 28 Feb 2020 22:38:38 +0100 +Subject: [PATCH] spi: bcm63xx-hsspi: Really keep pll clk enabled +Git-commit: 51bddd4501bc414b8b1e8f4d096b4a5304068169 +Patch-mainline: v5.6-rc5 +References: bsc#1051510 + +The purpose of commit 0fd85869c2a9 ("spi/bcm63xx-hsspi: keep pll clk enabled") +was to keep the pll clk enabled through the lifetime of the device. + +In order to do that, some 'clk_prepare_enable()'/'clk_disable_unprepare()' +calls have been added in the error handling path of the probe function, in +the remove function and in the suspend and resume functions. + +However, a 'clk_disable_unprepare()' call has been unfortunately left in +the probe function. So the commit seems to be more or less a no-op. + +Axe it now, so that the pll clk is left enabled through the lifetime of +the device, as described in the commit. + +Fixes: 0fd85869c2a9 ("spi/bcm63xx-hsspi: keep pll clk enabled") +Signed-off-by: Christophe JAILLET +Acked-by: Jonas Gorski +Link: https://lore.kernel.org/r/20200228213838.7124-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-bcm63xx-hsspi.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index 7327309ea3d5..6c235306c0e4 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -366,7 +366,6 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev) + goto out_disable_clk; + + rate = clk_get_rate(pll_clk); +- clk_disable_unprepare(pll_clk); + if (!rate) { + ret = -EINVAL; + goto out_disable_pll_clk; +-- +2.16.4 + diff --git a/patches.suse/spi-dw-Add-SPI-Rx-done-wait-method-to-DMA-based-tran.patch b/patches.suse/spi-dw-Add-SPI-Rx-done-wait-method-to-DMA-based-tran.patch new file mode 100644 index 0000000..782b479 --- /dev/null +++ b/patches.suse/spi-dw-Add-SPI-Rx-done-wait-method-to-DMA-based-tran.patch @@ -0,0 +1,108 @@ +From 33726eff3d98e643f7d7a0940f4024844b430c82 Mon Sep 17 00:00:00 2001 +From: Serge Semin +Date: Fri, 29 May 2020 16:11:54 +0300 +Subject: [PATCH] spi: dw: Add SPI Rx-done wait method to DMA-based transfer +Git-commit: 33726eff3d98e643f7d7a0940f4024844b430c82 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Having any data left in the Rx FIFO after the DMA engine claimed it has +finished all DMA transactions is an abnormal situation, since the DW SPI +controller driver expects to have all the data being fetched and placed +into the SPI Rx buffer at that moment. In case if that has happened we +hopefully assume that the DMA engine may still be doing the data fetching, +thus we give it sometime to finish. If after a short period of time the +data is still left in the Rx FIFO, the driver will give up waiting and +return an error indicating that the SPI controller/DMA engine must have +hung up or failed at some point of doing their duties. + +Fixes: 7063c0d942a1 ("spi/dw_spi: add DMA support") +Co-developed-by: Georgy Vlasov +Signed-off-by: Georgy Vlasov +Signed-off-by: Serge Semin +Cc: Ramil Zaripov +Cc: Alexey Malahov +Cc: Thomas Bogendoerfer +Cc: Arnd Bergmann +Cc: Andy Shevchenko +Cc: Feng Tang +Cc: Rob Herring +Cc: linux-mips@vger.kernel.org +Cc: devicetree@vger.kernel.org +Link: https://lore.kernel.org/r/20200529131205.31838-6-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-dw-mid.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 47 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c +index 846e3db91329..abd6955ad1f7 100644 +--- a/drivers/spi/spi-dw-mid.c ++++ b/drivers/spi/spi-dw-mid.c +@@ -248,6 +248,49 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_tx(struct dw_spi *dws, + return txdesc; + } + ++static inline bool dw_spi_dma_rx_busy(struct dw_spi *dws) ++{ ++ return !!(dw_readl(dws, DW_SPI_SR) & SR_RF_NOT_EMPT); ++} ++ ++static int dw_spi_dma_wait_rx_done(struct dw_spi *dws) ++{ ++ int retry = WAIT_RETRIES; ++ struct spi_delay delay; ++ unsigned long ns, us; ++ u32 nents; ++ ++ /* ++ * It's unlikely that DMA engine is still doing the data fetching, but ++ * if it's let's give it some reasonable time. The timeout calculation ++ * is based on the synchronous APB/SSI reference clock rate, on a ++ * number of data entries left in the Rx FIFO, times a number of clock ++ * periods normally needed for a single APB read/write transaction ++ * without PREADY signal utilized (which is true for the DW APB SSI ++ * controller). ++ */ ++ nents = dw_readl(dws, DW_SPI_RXFLR); ++ ns = 4U * NSEC_PER_SEC / dws->max_freq * nents; ++ if (ns <= NSEC_PER_USEC) { ++ delay.unit = SPI_DELAY_UNIT_NSECS; ++ delay.value = ns; ++ } else { ++ us = DIV_ROUND_UP(ns, NSEC_PER_USEC); ++ delay.unit = SPI_DELAY_UNIT_USECS; ++ delay.value = clamp_val(us, 0, USHRT_MAX); ++ } ++ ++ while (dw_spi_dma_rx_busy(dws) && retry--) ++ spi_delay_exec(&delay, NULL); ++ ++ if (retry < 0) { ++ dev_err(&dws->master->dev, "Rx hanged up\n"); ++ return -EIO; ++ } ++ ++ return 0; ++} ++ + /* + * dws->dma_chan_busy is set before the dma transfer starts, callback for rx + * channel will clear a corresponding bit. +@@ -358,7 +401,10 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, struct spi_transfer *xfer) + return ret; + } + +- return 0; ++ if (rxdesc && dws->master->cur_msg->status == -EINPROGRESS) ++ ret = dw_spi_dma_wait_rx_done(dws); ++ ++ return ret; + } + + static void mid_spi_dma_stop(struct dw_spi *dws) +-- +2.16.4 + diff --git a/patches.suse/spi-dw-Add-SPI-Tx-done-wait-method-to-DMA-based-tran.patch b/patches.suse/spi-dw-Add-SPI-Tx-done-wait-method-to-DMA-based-tran.patch new file mode 100644 index 0000000..cd91038 --- /dev/null +++ b/patches.suse/spi-dw-Add-SPI-Tx-done-wait-method-to-DMA-based-tran.patch @@ -0,0 +1,95 @@ +From 1ade2d8a72f9240825f6be050f0d49c840f7daeb Mon Sep 17 00:00:00 2001 +From: Serge Semin +Date: Fri, 29 May 2020 16:11:53 +0300 +Subject: [PATCH] spi: dw: Add SPI Tx-done wait method to DMA-based transfer +Git-commit: 1ade2d8a72f9240825f6be050f0d49c840f7daeb +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Since DMA transfers are performed asynchronously with actual SPI bus +transfers, then even if DMA transactions are finished it doesn't mean +all data is actually pushed to the SPI bus. Some data might still be +in the controller FIFO. This is specifically true for Tx-only transfers. +In this case if the next SPI transfer is recharged while a tail of the +previous one is still in FIFO, we'll loose that tail data. In order to +fix that problem let's add the wait procedure of the Tx SPI transfer +completion after the DMA transactions are finished. + +Fixes: 7063c0d942a1 ("spi/dw_spi: add DMA support") +Co-developed-by: Georgy Vlasov +Signed-off-by: Georgy Vlasov +Signed-off-by: Serge Semin +Cc: Ramil Zaripov +Cc: Alexey Malahov +Cc: Thomas Bogendoerfer +Cc: Arnd Bergmann +Cc: Andy Shevchenko +Cc: Feng Tang +Cc: Rob Herring +Cc: linux-mips@vger.kernel.org +Cc: devicetree@vger.kernel.org +Link: https://lore.kernel.org/r/20200529131205.31838-5-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-dw-mid.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +--- a/drivers/spi/spi-dw-mid.c ++++ b/drivers/spi/spi-dw-mid.c +@@ -26,6 +26,7 @@ + #include + #include + ++#define WAIT_RETRIES 5 + #define RX_BUSY 0 + #define TX_BUSY 1 + +@@ -132,6 +133,33 @@ static enum dma_slave_buswidth convert_d + return DMA_SLAVE_BUSWIDTH_UNDEFINED; + } + ++static inline bool dw_spi_dma_tx_busy(struct dw_spi *dws) ++{ ++ return !(dw_readl(dws, DW_SPI_SR) & SR_TF_EMPT); ++} ++ ++static int dw_spi_dma_wait_tx_done(struct dw_spi *dws, ++ struct spi_transfer *xfer) ++{ ++ int retry = WAIT_RETRIES; ++ struct spi_delay delay; ++ u32 nents; ++ ++ nents = dw_readl(dws, DW_SPI_TXFLR); ++ delay.unit = SPI_DELAY_UNIT_SCK; ++ delay.value = nents * dws->n_bytes * BITS_PER_BYTE; ++ ++ while (dw_spi_dma_tx_busy(dws) && retry--) ++ spi_delay_exec(&delay, xfer); ++ ++ if (retry < 0) { ++ dev_err(&dws->master->dev, "Tx hanged up\n"); ++ return -EIO; ++ } ++ ++ return 0; ++} ++ + /* + * dws->dma_chan_busy is set before the dma transfer starts, callback for tx + * channel will clear a corresponding bit. +@@ -270,6 +298,12 @@ static int mid_spi_dma_transfer(struct d + dma_async_issue_pending(dws->txchan); + } + ++ if (txdesc && dws->master->cur_msg->status == -EINPROGRESS) { ++ ret = dw_spi_dma_wait_tx_done(dws, xfer); ++ if (ret) ++ return ret; ++ } ++ + return 0; + } + diff --git a/patches.suse/spi-dw-Zero-DMA-Tx-and-Rx-configurations-on-stack.patch b/patches.suse/spi-dw-Zero-DMA-Tx-and-Rx-configurations-on-stack.patch new file mode 100644 index 0000000..3b8e49d --- /dev/null +++ b/patches.suse/spi-dw-Zero-DMA-Tx-and-Rx-configurations-on-stack.patch @@ -0,0 +1,48 @@ +From 3cb97e223d277f84171cc4ccecab31e08b2ee7b5 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Wed, 6 May 2020 18:30:18 +0300 +Subject: [PATCH] spi: dw: Zero DMA Tx and Rx configurations on stack +Git-commit: 3cb97e223d277f84171cc4ccecab31e08b2ee7b5 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Some DMA controller drivers do not tolerate non-zero values in +the DMA configuration structures. Zero them to avoid issues with +such DMA controller drivers. Even despite above this is a good +practice per se. + +Fixes: 7063c0d942a1 ("spi/dw_spi: add DMA support") +Signed-off-by: Andy Shevchenko +Acked-by: Feng Tang +Cc: Feng Tang +Link: https://lore.kernel.org/r/20200506153025.21441-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-dw-mid.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c +index 9cc010e9737e..86d9f79267f0 100644 +--- a/drivers/spi/spi-dw-mid.c ++++ b/drivers/spi/spi-dw-mid.c +@@ -147,6 +147,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_tx(struct dw_spi *dws, + if (!xfer->tx_buf) + return NULL; + ++ memset(&txconf, 0, sizeof(txconf)); + txconf.direction = DMA_MEM_TO_DEV; + txconf.dst_addr = dws->dma_addr; + txconf.dst_maxburst = 16; +@@ -193,6 +194,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws, + if (!xfer->rx_buf) + return NULL; + ++ memset(&rxconf, 0, sizeof(rxconf)); + rxconf.direction = DMA_DEV_TO_MEM; + rxconf.src_addr = dws->dma_addr; + rxconf.src_maxburst = 16; +-- +2.16.4 + diff --git a/patches.suse/spi-fsl-don-t-map-irq-during-probe.patch b/patches.suse/spi-fsl-don-t-map-irq-during-probe.patch new file mode 100644 index 0000000..439bbfb --- /dev/null +++ b/patches.suse/spi-fsl-don-t-map-irq-during-probe.patch @@ -0,0 +1,89 @@ +From: Christophe Leroy +Date: Mon, 9 Dec 2019 15:27:27 +0000 +Subject: spi: fsl: don't map irq during probe +Git-commit: 3194d2533efffae8b815d84729ecc58b6a9000ab +Patch-mainline: v5.5-rc3 +References: git-fixes + +With lastest kernel, the following warning is observed at startup: + +[ 1.500609] ------------[ cut here ]------------ +[ 1.505225] remove_proc_entry: removing non-empty directory 'irq/22', leaking at least 'fsl_spi' +[ 1.514234] WARNING: CPU: 0 PID: 1 at fs/proc/generic.c:682 remove_proc_entry+0x198/0x1c0 +[ 1.522403] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-s3k-dev-02248-g93532430a4ff #2564 +[ 1.530724] NIP: c0197694 LR: c0197694 CTR: c0050d80 +[ 1.535762] REGS: df4a5af0 TRAP: 0700 Not tainted (5.4.0-02248-g93532430a4ff) +[ 1.543818] MSR: 00029032 CR: 22028222 XER: 00000000 +[ 1.550524] +[ 1.550524] GPR00: c0197694 df4a5ba8 df4a0000 00000054 00000000 00000000 00004a38 00000010 +[ 1.550524] GPR08: c07c5a30 00000800 00000000 00001032 22000208 00000000 c0004b14 00000000 +[ 1.550524] GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 c0830000 c07fc078 +[ 1.550524] GPR24: c08e8ca0 df665d10 df60ea98 c07c9db8 00000001 df5d5ae3 df5d5a80 df43f8e3 +[ 1.585327] NIP [c0197694] remove_proc_entry+0x198/0x1c0 +[ 1.590628] LR [c0197694] remove_proc_entry+0x198/0x1c0 +[ 1.595829] Call Trace: +[ 1.598280] [df4a5ba8] [c0197694] remove_proc_entry+0x198/0x1c0 (unreliable) +[ 1.605321] [df4a5bd8] [c0067acc] unregister_irq_proc+0x5c/0x70 +[ 1.611238] [df4a5bf8] [c005fbc4] free_desc+0x3c/0x80 +[ 1.616286] [df4a5c18] [c005fe2c] irq_free_descs+0x70/0xa8 +[ 1.621778] [df4a5c38] [c033d3fc] of_fsl_spi_probe+0xdc/0x3cc +[ 1.627525] [df4a5c88] [c02f0f64] platform_drv_probe+0x44/0xa4 +[ 1.633350] [df4a5c98] [c02eee44] really_probe+0x1ac/0x418 +[ 1.638829] [df4a5cc8] [c02ed3e8] bus_for_each_drv+0x64/0xb0 +[ 1.644481] [df4a5cf8] [c02ef950] __device_attach+0xd4/0x128 +[ 1.650132] [df4a5d28] [c02ed61c] bus_probe_device+0xa0/0xbc +[ 1.655783] [df4a5d48] [c02ebbe8] device_add+0x544/0x74c +[ 1.661096] [df4a5d88] [c0382b78] of_platform_device_create_pdata+0xa4/0x100 +[ 1.668131] [df4a5da8] [c0382cf4] of_platform_bus_create+0x120/0x20c +[ 1.674474] [df4a5df8] [c0382d50] of_platform_bus_create+0x17c/0x20c +[ 1.680818] [df4a5e48] [c0382e88] of_platform_bus_probe+0x9c/0xf0 +[ 1.686907] [df4a5e68] [c0751404] __machine_initcall_cmpcpro_cmpcpro_declare_of_platform_devices+0x74/0x1a4 +[ 1.696629] [df4a5e98] [c072a4cc] do_one_initcall+0x8c/0x1d4 +[ 1.702282] [df4a5ef8] [c072a768] kernel_init_freeable+0x154/0x204 +[ 1.708455] [df4a5f28] [c0004b2c] kernel_init+0x18/0x110 +[ 1.713769] [df4a5f38] [c00122ac] ret_from_kernel_thread+0x14/0x1c +[ 1.719926] Instruction dump: +[ 1.722889] 2c030000 4182004c 3863ffb0 3c80c05f 80e3005c 388436a0 3c60c06d 7fa6eb78 +[ 1.730630] 7fe5fb78 38840280 38634178 4be8c611 <0fe00000> 4bffff6c 3c60c071 7fe4fb78 +[ 1.738556] ---[ end trace 05d0720bf2e352e2 ]--- + +The problem comes from the error path which calls +irq_dispose_mapping() while the IRQ has been requested with +devm_request_irq(). + +IRQ doesn't need to be mapped with irq_of_parse_and_map(). The only +need is to get the IRQ virtual number. For that, use +of_irq_to_resource() instead of the +irq_of_parse_and_map()/irq_dispose_mapping() pair. + +Fixes: 500a32abaf81 ("spi: fsl: Call irq_dispose_mapping in err path") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe Leroy +Link: https://lore.kernel.org/r/518cfb83347d5372748e7fe72f94e2e9443d0d4a.1575905123.git.christophe.leroy@c-s.fr +Signed-off-by: Mark Brown +Acked-by: Nicolas Saenz Julienne +--- + drivers/spi/spi-fsl-spi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/spi/spi-fsl-spi.c ++++ b/drivers/spi/spi-fsl-spi.c +@@ -832,8 +832,8 @@ static int of_fsl_spi_probe(struct platf + if (ret) + goto err; + +- irq = irq_of_parse_and_map(np, 0); +- if (!irq) { ++ irq = of_irq_to_resource(np, 0, NULL); ++ if (irq <= 0) { + ret = -EINVAL; + goto err; + } +@@ -847,7 +847,6 @@ static int of_fsl_spi_probe(struct platf + return 0; + + err: +- irq_dispose_mapping(irq); + if (type == TYPE_FSL) + of_fsl_spi_free_chipselects(dev); + return ret; diff --git a/patches.suse/spi-fsl-use-platform_get_irq-instead-of-of_irq_to_resource.patch b/patches.suse/spi-fsl-use-platform_get_irq-instead-of-of_irq_to_resource.patch new file mode 100644 index 0000000..65cd2f0 --- /dev/null +++ b/patches.suse/spi-fsl-use-platform_get_irq-instead-of-of_irq_to_resource.patch @@ -0,0 +1,42 @@ +From: Christophe Leroy +Date: Thu, 12 Dec 2019 17:47:24 +0000 +Subject: spi: fsl: use platform_get_irq() instead of of_irq_to_resource() +Git-commit: 63aa6a692595d47a0785297b481072086b9272d2 +Patch-mainline: v5.5-rc3 +References: git-fixes + +Unlike irq_of_parse_and_map() which has a dummy definition on SPARC, +of_irq_to_resource() hasn't. + +But as platform_get_irq() can be used instead and is generic, use it. + +Reported-by: kbuild test robot +Suggested-by: Mark Brown +Fixes: 3194d2533eff ("spi: fsl: don't map irq during probe") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe Leroy +Link: https://lore.kernel.org/r/091a277fd0b3356dca1e29858c1c96983fc9cb25.1576172743.git.christophe.leroy@c-s.fr +Signed-off-by: Mark Brown +Acked-by: Nicolas Saenz Julienne +--- + drivers/spi/spi-fsl-spi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c +index d0ad9709f4a6..fb4159ad6bf6 100644 +--- a/drivers/spi/spi-fsl-spi.c ++++ b/drivers/spi/spi-fsl-spi.c +@@ -746,9 +746,9 @@ static int of_fsl_spi_probe(struct platform_device *ofdev) + if (ret) + goto err; + +- irq = of_irq_to_resource(np, 0, NULL); +- if (irq <= 0) { +- ret = -EINVAL; ++ irq = platform_get_irq(ofdev, 0); ++ if (irq < 0) { ++ ret = irq; + goto err; + } + + diff --git a/patches.suse/spi-pxa2xx-Add-CS-control-clock-quirk.patch b/patches.suse/spi-pxa2xx-Add-CS-control-clock-quirk.patch new file mode 100644 index 0000000..dc19a79 --- /dev/null +++ b/patches.suse/spi-pxa2xx-Add-CS-control-clock-quirk.patch @@ -0,0 +1,82 @@ +From 683f65ded66a9a7ff01ed7280804d2132ebfdf7e Mon Sep 17 00:00:00 2001 +From: Evan Green +Date: Tue, 11 Feb 2020 14:37:00 -0800 +Subject: [PATCH] spi: pxa2xx: Add CS control clock quirk +Git-commit: 683f65ded66a9a7ff01ed7280804d2132ebfdf7e +Patch-mainline: v5.6-rc5 +References: bsc#1051510 + +In some circumstances on Intel LPSS controllers, toggling the LPSS +CS control register doesn't actually cause the CS line to toggle. +This seems to be failure of dynamic clock gating that occurs after +going through a suspend/resume transition, where the controller +is sent through a reset transition. This ruins SPI transactions +that either rely on delay_usecs, or toggle the CS line without +sending data. + +Whenever CS is toggled, momentarily set the clock gating register +to "Force On" to poke the controller into acting on CS. + +Signed-off-by: Rajat Jain +Signed-off-by: Evan Green +Link: https://lore.kernel.org/r/20200211223700.110252-1-rajatja@google.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-pxa2xx.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/spi/spi-pxa2xx.c ++++ b/drivers/spi/spi-pxa2xx.c +@@ -76,6 +76,10 @@ MODULE_ALIAS("platform:pxa2xx-spi"); + #define LPSS_CAPS_CS_EN_SHIFT 9 + #define LPSS_CAPS_CS_EN_MASK (0xf << LPSS_CAPS_CS_EN_SHIFT) + ++#define LPSS_PRIV_CLOCK_GATE 0x38 ++#define LPSS_PRIV_CLOCK_GATE_CLK_CTL_MASK 0x3 ++#define LPSS_PRIV_CLOCK_GATE_CLK_CTL_FORCE_ON 0x3 ++ + struct lpss_config { + /* LPSS offset from drv_data->ioaddr */ + unsigned offset; +@@ -92,6 +96,8 @@ struct lpss_config { + unsigned cs_sel_shift; + unsigned cs_sel_mask; + unsigned cs_num; ++ /* Quirks */ ++ unsigned cs_clk_stays_gated : 1; + }; + + /* Keep these sorted with enum pxa_ssp_type */ +@@ -162,6 +168,7 @@ static const struct lpss_config lpss_pla + .tx_threshold_hi = 56, + .cs_sel_shift = 8, + .cs_sel_mask = 3 << 8, ++ .cs_clk_stays_gated = true, + }, + }; + +@@ -385,6 +392,22 @@ static void lpss_ssp_cs_control(struct d + else + value |= LPSS_CS_CONTROL_CS_HIGH; + __lpss_ssp_write_priv(drv_data, config->reg_cs_ctrl, value); ++ if (config->cs_clk_stays_gated) { ++ u32 clkgate; ++ ++ /* ++ * Changing CS alone when dynamic clock gating is on won't ++ * actually flip CS at that time. This ruins SPI transfers ++ * that specify delays, or have no data. Toggle the clock mode ++ * to force on briefly to poke the CS pin to move. ++ */ ++ clkgate = __lpss_ssp_read_priv(drv_data, LPSS_PRIV_CLOCK_GATE); ++ value = (clkgate & ~LPSS_PRIV_CLOCK_GATE_CLK_CTL_MASK) | ++ LPSS_PRIV_CLOCK_GATE_CLK_CTL_FORCE_ON; ++ ++ __lpss_ssp_write_priv(drv_data, LPSS_PRIV_CLOCK_GATE, value); ++ __lpss_ssp_write_priv(drv_data, LPSS_PRIV_CLOCK_GATE, clkgate); ++ } + } + + static void cs_assert(struct driver_data *drv_data) diff --git a/patches.suse/spi-qup-call-spi_qup_pm_resume_runtime-before-suspen.patch b/patches.suse/spi-qup-call-spi_qup_pm_resume_runtime-before-suspen.patch new file mode 100644 index 0000000..5c22ae3 --- /dev/null +++ b/patches.suse/spi-qup-call-spi_qup_pm_resume_runtime-before-suspen.patch @@ -0,0 +1,55 @@ +From 136b5cd2e2f97581ae560cff0db2a3b5369112da Mon Sep 17 00:00:00 2001 +From: Yuji Sasaki +Date: Fri, 14 Feb 2020 13:13:40 +0530 +Subject: [PATCH] spi: qup: call spi_qup_pm_resume_runtime before suspending +Git-commit: 136b5cd2e2f97581ae560cff0db2a3b5369112da +Patch-mainline: v5.6-rc5 +References: bsc#1051510 + +spi_qup_suspend() will cause synchronous external abort when +runtime suspend is enabled and applied, as it tries to +access SPI controller register while clock is already disabled +in spi_qup_pm_suspend_runtime(). + +Signed-off-by: Yuji sasaki +Signed-off-by: Vinod Koul +Link: https://lore.kernel.org/r/20200214074340.2286170-1-vkoul@kernel.org +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-qup.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c +index dd3434a407ea..a364b99497e2 100644 +--- a/drivers/spi/spi-qup.c ++++ b/drivers/spi/spi-qup.c +@@ -1217,6 +1217,11 @@ static int spi_qup_suspend(struct device *device) + struct spi_qup *controller = spi_master_get_devdata(master); + int ret; + ++ if (pm_runtime_suspended(device)) { ++ ret = spi_qup_pm_resume_runtime(device); ++ if (ret) ++ return ret; ++ } + ret = spi_master_suspend(master); + if (ret) + return ret; +@@ -1225,10 +1230,8 @@ static int spi_qup_suspend(struct device *device) + if (ret) + return ret; + +- if (!pm_runtime_suspended(device)) { +- clk_disable_unprepare(controller->cclk); +- clk_disable_unprepare(controller->iclk); +- } ++ clk_disable_unprepare(controller->cclk); ++ clk_disable_unprepare(controller->iclk); + return 0; + } + +-- +2.16.4 + diff --git a/patches.suse/spi-spi-fsl-dspi-replace-interruptible-wait-queue-with-a-simple-completion.patch b/patches.suse/spi-spi-fsl-dspi-replace-interruptible-wait-queue-with-a-simple-completion.patch new file mode 100644 index 0000000..07ff489 --- /dev/null +++ b/patches.suse/spi-spi-fsl-dspi-replace-interruptible-wait-queue-with-a-simple-completion.patch @@ -0,0 +1,165 @@ +From: Vladimir Oltean +Date: Wed, 18 Mar 2020 02:15:57 +0200 +Subject: spi: spi-fsl-dspi: Replace interruptible wait queue with a simple + completion +Git-commit: 4f5ee75ea1718a09149460b3df993f389a67b56a +Patch-mainline: v5.7-rc1 +References: git-fixes + +Currently the driver puts the process in interruptible sleep waiting for +the interrupt train to finish transfer to/from the tx_buf and rx_buf. + +But exiting the process with ctrl-c may make the kernel panic: the +wait_event_interruptible call will return -ERESTARTSYS, which a proper +driver implementation is perhaps supposed to handle, but nonetheless +this one doesn't, and aborts the transfer altogether. + +Actually when the task is interrupted, there is still a high chance that +the dspi_interrupt is still triggering. And if dspi_transfer_one_message +returns execution all the way to the spi_device driver, that can free +the spi_message and spi_transfer structures, leaving the interrupts to +access a freed tx_buf and rx_buf. + +hexdump -C /dev/mtd0 +00000000 00 75 68 75 0a ff ff ff ff ff ff ff ff ff ff ff +|.uhu............| +00000010 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +|................| +* +^C[ 38.495955] fsl-dspi 2120000.spi: Waiting for transfer to complete failed! +[ 38.503097] spi_master spi2: failed to transfer one message from queue +[ 38.509729] Unable to handle kernel paging request at virtual address ffff800095ab3377 +[ 38.517676] Mem abort info: +[ 38.520474] ESR = 0x96000045 +[ 38.523533] EC = 0x25: DABT (current EL), IL = 32 bits +[ 38.528861] SET = 0, FnV = 0 +[ 38.531921] EA = 0, S1PTW = 0 +[ 38.535067] Data abort info: +[ 38.537952] ISV = 0, ISS = 0x00000045 +[ 38.541797] CM = 0, WnR = 1 +[ 38.544771] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000082621000 +[ 38.551494] [ffff800095ab3377] pgd=00000020fffff003, p4d=00000020fffff003, pud=0000000000000000 +[ 38.560229] Internal error: Oops: 96000045 [#1] PREEMPT SMP +[ 38.565819] Modules linked in: +[ 38.568882] CPU: 0 PID: 2729 Comm: hexdump Not tainted 5.6.0-rc4-next-20200306-00052-gd8730cdc8a0b-dirty #193 +[ 38.578834] Hardware name: Kontron SMARC-sAL28 (Single PHY) on SMARC Eval 2.0 carrier (DT) +[ 38.587129] pstate: 20000085 (nzCv daIf -PAN -UAO) +[ 38.591941] pc : ktime_get_real_ts64+0x3c/0x110 +[ 38.596487] lr : spi_take_timestamp_pre+0x40/0x90 +[ 38.601203] sp : ffff800010003d90 +[ 38.604525] x29: ffff800010003d90 x28: ffff80001200e000 +[ 38.609854] x27: ffff800011da9000 x26: ffff002079c40400 +[ 38.615184] x25: ffff8000117fe018 x24: ffff800011daa1a0 +[ 38.620513] x23: ffff800015ab3860 x22: ffff800095ab3377 +[ 38.625841] x21: 000000000000146e x20: ffff8000120c3000 +[ 38.631170] x19: ffff0020795f6e80 x18: ffff800011da9948 +[ 38.636498] x17: 0000000000000000 x16: 0000000000000000 +[ 38.641826] x15: ffff800095ab3377 x14: 0720072007200720 +[ 38.647155] x13: 0720072007200765 x12: 0775076507750771 +[ 38.652483] x11: 0720076d076f0772 x10: 0000000000000040 +[ 38.657812] x9 : ffff8000108e2100 x8 : ffff800011dcabe8 +[ 38.663139] x7 : 0000000000000000 x6 : ffff800015ab3a60 +[ 38.668468] x5 : 0000000007200720 x4 : ffff800095ab3377 +[ 38.673796] x3 : 0000000000000000 x2 : 0000000000000ab0 +[ 38.679125] x1 : ffff800011daa000 x0 : 0000000000000026 +[ 38.684454] Call trace: +[ 38.686905] ktime_get_real_ts64+0x3c/0x110 +[ 38.691100] spi_take_timestamp_pre+0x40/0x90 +[ 38.695470] dspi_fifo_write+0x58/0x2c0 +[ 38.699315] dspi_interrupt+0xbc/0xd0 +[ 38.702987] __handle_irq_event_percpu+0x78/0x2c0 +[ 38.707706] handle_irq_event_percpu+0x3c/0x90 +[ 38.712161] handle_irq_event+0x4c/0xd0 +[ 38.716008] handle_fasteoi_irq+0xbc/0x170 +[ 38.720115] generic_handle_irq+0x2c/0x40 +[ 38.724135] __handle_domain_irq+0x68/0xc0 +[ 38.728243] gic_handle_irq+0xc8/0x160 +[ 38.732000] el1_irq+0xb8/0x180 +[ 38.735149] spi_nor_spimem_read_data+0xe0/0x140 +[ 38.739779] spi_nor_read+0xc4/0x120 +[ 38.743364] mtd_read_oob+0xa8/0xc0 +[ 38.746860] mtd_read+0x4c/0x80 +[ 38.750007] mtdchar_read+0x108/0x2a0 +[ 38.753679] __vfs_read+0x20/0x50 +[ 38.757002] vfs_read+0xa4/0x190 +[ 38.760237] ksys_read+0x6c/0xf0 +[ 38.763471] __arm64_sys_read+0x20/0x30 +[ 38.767319] el0_svc_common.constprop.3+0x90/0x160 +[ 38.772125] do_el0_svc+0x28/0x90 +[ 38.775449] el0_sync_handler+0x118/0x190 +[ 38.779468] el0_sync+0x140/0x180 +[ 38.782793] Code: 91000294 1400000f d50339bf f9405e80 (f90002c0) +[ 38.788910] ---[ end trace 55da560db4d6bef7 ]--- +[ 38.793540] Kernel panic - not syncing: Fatal exception in interrupt +[ 38.799914] SMP: stopping secondary CPUs +[ 38.803849] Kernel Offset: disabled +[ 38.807344] CPU features: 0x10002,20006008 +[ 38.811451] Memory Limit: none +[ 38.814513] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +So it is clear that the "interruptible" part isn't handled correctly. +When the process receives a signal, one could either attempt a clean +abort (which appears to be difficult with this hardware) or just keep +restarting the sleep until the wait queue really completes. But checking +in a loop for -ERESTARTSYS is a bit too complicated for this driver, so +just make the sleep uninterruptible, to avoid all that nonsense. + +The wait queue was actually restructured as a completion, after polling +other drivers for the most "popular" approach. + +Fixes: 349ad66c0ab0 ("spi:Add Freescale DSPI driver for Vybrid VF610 platform") +Reported-by: Michael Walle +Signed-off-by: Vladimir Oltean +Tested-by: Michael Walle +Link: https://lore.kernel.org/r/20200318001603.9650-7-olteanv@gmail.com +Signed-off-by: Mark Brown +Acked-by: Nicolas Saenz Julienne +--- + drivers/spi/spi-fsl-dspi.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +--- a/drivers/spi/spi-fsl-dspi.c ++++ b/drivers/spi/spi-fsl-dspi.c +@@ -190,8 +190,7 @@ struct fsl_dspi { + u8 bytes_per_word; + const struct fsl_dspi_devtype_data *devtype_data; + +- wait_queue_head_t waitq; +- u32 waitflags; ++ struct completion xfer_done; + + struct fsl_dspi_dma *dma; + }; +@@ -719,11 +718,8 @@ static int dspi_transfer_one_message(str + } + + if (trans_mode != DSPI_DMA_MODE) { +- if (wait_event_interruptible(dspi->waitq, +- dspi->waitflags)) +- dev_err(&dspi->pdev->dev, +- "wait transfer complete fail!\n"); +- dspi->waitflags = 0; ++ wait_for_completion(&dspi->xfer_done); ++ reinit_completion(&dspi->xfer_done); + } + + if (transfer->delay_usecs) +@@ -867,8 +863,7 @@ static irqreturn_t dspi_interrupt(int ir + } + + if (!dspi->len) { +- dspi->waitflags = 1; +- wake_up_interruptible(&dspi->waitq); ++ complete(&dspi->xfer_done); + } else { + switch (trans_mode) { + case DSPI_EOQ_MODE: +@@ -1041,7 +1036,7 @@ static int dspi_probe(struct platform_de + master->max_speed_hz = + clk_get_rate(dspi->clk) / dspi->devtype_data->max_clock_factor; + +- init_waitqueue_head(&dspi->waitq); ++ init_completion(&dspi->xfer_done); + platform_set_drvdata(pdev, master); + + ret = spi_register_master(master); diff --git a/patches.suse/spi-spi-s3c64xx-fix-system-resume-support.patch b/patches.suse/spi-spi-s3c64xx-fix-system-resume-support.patch new file mode 100644 index 0000000..c61afa6 --- /dev/null +++ b/patches.suse/spi-spi-s3c64xx-fix-system-resume-support.patch @@ -0,0 +1,47 @@ +From: Marek Szyprowski +Date: Wed, 16 May 2018 10:42:39 +0200 +Subject: spi: spi-s3c64xx: Fix system resume support +Git-commit: e935dba111621bd6a0c5d48e6511a4d9885103b4 +Patch-mainline: v4.18-rc1 +References: git-fixes + +Since Linux v4.10 release (commit 1d9174fbc55e "PM / Runtime: Defer +resuming of the device in pm_runtime_force_resume()"), +pm_runtime_force_resume() function doesn't runtime resume device if it was +not runtime active before system suspend. Thus, driver should not do any +register access after pm_runtime_force_resume() without checking the +runtime status of the device. To fix this issue, simply move +s3c64xx_spi_hwinit() call to s3c64xx_spi_runtime_resume() to ensure that +hardware is always properly initialized. This fixes Synchronous external +abort issue on system suspend/resume cycle on newer Exynos SoCs. + +Signed-off-by: Marek Szyprowski +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org + +Acked-by: Nicolas Saenz Julienne +--- + drivers/spi/spi-s3c64xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -1273,8 +1273,6 @@ static int s3c64xx_spi_resume(struct dev + if (ret < 0) + return ret; + +- s3c64xx_spi_hwinit(sdd, sdd->port_id); +- + return spi_master_resume(master); + } + #endif /* CONFIG_PM_SLEEP */ +@@ -1312,6 +1310,8 @@ static int s3c64xx_spi_runtime_resume(st + if (ret != 0) + goto err_disable_src_clk; + ++ s3c64xx_spi_hwinit(sdd, sdd->port_id); ++ + return 0; + + err_disable_src_clk: diff --git a/patches.suse/spi-zynqmp-remove-entry-that-causes-a-cs-glitch.patch b/patches.suse/spi-zynqmp-remove-entry-that-causes-a-cs-glitch.patch new file mode 100644 index 0000000..7d2a473 --- /dev/null +++ b/patches.suse/spi-zynqmp-remove-entry-that-causes-a-cs-glitch.patch @@ -0,0 +1,58 @@ +From 5dd8304981ecffa77bb72b1c57c4be5dfe6cfae9 Mon Sep 17 00:00:00 2001 +From: Thommy Jakobsson +Date: Mon, 24 Feb 2020 17:26:43 +0100 +Subject: [PATCH] spi/zynqmp: remove entry that causes a cs glitch +Git-commit: 5dd8304981ecffa77bb72b1c57c4be5dfe6cfae9 +Patch-mainline: v5.6-rc5 +References: bsc#1051510 + +In the public interface for chipselect, there is always an entry +commented as "Dummy generic FIFO entry" pushed down to the fifo right +after the activate/deactivate command. The dummy entry is 0x0, +irregardless if the intention was to activate or deactive the cs. This +causes the cs line to glitch rather than beeing activated in the case +when there was an activate command. + +This has been observed on oscilloscope, and have caused problems for at +least one specific flash device type connected to the qspi port. After +the change the glitch is gone and cs goes active when intended. + +The reason why this worked before (except for the glitch) was because +when sending the actual data, the CS bits are once again set. Since +most flashes uses mode 0, there is always a half clk period anyway for +cs to clk active setup time. If someone would rely on timing from a +chip_select call to a transfer_one, it would fail though. + +It is unknown why the dummy entry was there in the first place, git log +seems to be of no help in this case. The reference manual gives no +indication of the necessity of this. In fact the lower 8 bits are a +setup (or hold in case of deactivate) time expressed in cycles. So this +should not be needed to fulfill any setup/hold timings. + +Signed-off-by: Thommy Jakobsson +Reviewed-by: Naga Sureshkumar Relli +Link: https://lore.kernel.org/r/20200224162643.29102-1-thommyj@gmail.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-zynqmp-gqspi.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/spi/spi-zynqmp-gqspi.c b/drivers/spi/spi-zynqmp-gqspi.c +index 60c4de4e4485..7412a3042a8d 100644 +--- a/drivers/spi/spi-zynqmp-gqspi.c ++++ b/drivers/spi/spi-zynqmp-gqspi.c +@@ -401,9 +401,6 @@ static void zynqmp_qspi_chipselect(struct spi_device *qspi, bool is_high) + + zynqmp_gqspi_write(xqspi, GQSPI_GEN_FIFO_OFST, genfifoentry); + +- /* Dummy generic FIFO entry */ +- zynqmp_gqspi_write(xqspi, GQSPI_GEN_FIFO_OFST, 0x0); +- + /* Manually start the generic FIFO command */ + zynqmp_gqspi_write(xqspi, GQSPI_CONFIG_OFST, + zynqmp_gqspi_read(xqspi, GQSPI_CONFIG_OFST) | +-- +2.16.4 + diff --git a/patches.suse/tcp-cache-line-align-MAX_TCP_HEADER.patch b/patches.suse/tcp-cache-line-align-MAX_TCP_HEADER.patch new file mode 100644 index 0000000..11bbd9b --- /dev/null +++ b/patches.suse/tcp-cache-line-align-MAX_TCP_HEADER.patch @@ -0,0 +1,36 @@ +From: Eric Dumazet +Date: Fri, 17 Apr 2020 07:10:23 -0700 +Subject: tcp: cache line align MAX_TCP_HEADER +Git-commit: 9bacd256f1354883d3c1402655153367982bba49 +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +TCP stack is dumb in how it cooks its output packets. + +Depending on MAX_HEADER value, we might chose a bad ending point +for the headers. + +If we align the end of TCP headers to cache line boundary, we +make sure to always use the smallest number of cache lines, +which always help. + +Signed-off-by: Eric Dumazet +Cc: Soheil Hassas Yeganeh +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + include/net/tcp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -51,7 +51,7 @@ extern struct inet_hashinfo tcp_hashinfo + extern struct percpu_counter tcp_orphan_count; + void tcp_time_wait(struct sock *sk, int state, int timeo); + +-#define MAX_TCP_HEADER (128 + MAX_HEADER) ++#define MAX_TCP_HEADER L1_CACHE_ALIGN(128 + MAX_HEADER) + #define MAX_TCP_OPTION_SPACE 40 + #define TCP_MIN_SND_MSS 48 + #define TCP_MIN_GSO_SIZE (TCP_MIN_SND_MSS - MAX_TCP_OPTION_SPACE) diff --git a/patches.suse/team-fix-hang-in-team_mode_get.patch b/patches.suse/team-fix-hang-in-team_mode_get.patch new file mode 100644 index 0000000..fc10aa8 --- /dev/null +++ b/patches.suse/team-fix-hang-in-team_mode_get.patch @@ -0,0 +1,88 @@ +From: Taehee Yoo +Date: Mon, 20 Apr 2020 15:01:33 +0000 +Subject: team: fix hang in team_mode_get() +Git-commit: 1c30fbc76b8f0c07c92a8ca4cd7c456612e17eb5 +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +When team mode is changed or set, the team_mode_get() is called to check +whether the mode module is inserted or not. If the mode module is not +inserted, it calls the request_module(). +In the request_module(), it creates a child process, which is +the "modprobe" process and waits for the done of the child process. +At this point, the following locks were used. +down_read(&cb_lock()); by genl_rcv() + genl_lock(); by genl_rcv_msc() + rtnl_lock(); by team_nl_cmd_options_set() + mutex_lock(&team->lock); by team_nl_team_get() + +Concurrently, the team module could be removed by rmmod or "modprobe -r" +The __exit function of team module is team_module_exit(), which calls +team_nl_fini() and it tries to acquire following locks. +down_write(&cb_lock); + genl_lock(); +Because of the genl_lock() and cb_lock, this process can't be finished +earlier than request_module() routine. + +The problem secenario. +CPU0 CPU1 +team_mode_get + request_module() + modprobe -r team_mode_roundrobin + team <--(B) + modprobe team <--(A) + team_mode_roundrobin + +By request_module(), the "modprobe team_mode_roundrobin" command +will be executed. At this point, the modprobe process will decide +that the team module should be inserted before team_mode_roundrobin. +Because the team module is being removed. + +By the module infrastructure, the same module insert/remove operations +can't be executed concurrently. +So, (A) waits for (B) but (B) also waits for (A) because of locks. +So that the hang occurs at this point. + +Test commands: + while : + do + teamd -d & + killall teamd & + modprobe -rv team_mode_roundrobin & + done + +The approach of this patch is to hold the reference count of the team +module if the team module is compiled as a module. If the reference count +of the team module is not zero while request_module() is being called, +the team module will not be removed at that moment. +So that the above scenario could not occur. + +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Signed-off-by: Taehee Yoo +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/team/team.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -480,6 +480,9 @@ static const struct team_mode *team_mode + struct team_mode_item *mitem; + const struct team_mode *mode = NULL; + ++ if (!try_module_get(THIS_MODULE)) ++ return NULL; ++ + spin_lock(&mode_list_lock); + mitem = __find_mode(kind); + if (!mitem) { +@@ -495,6 +498,7 @@ static const struct team_mode *team_mode + } + + spin_unlock(&mode_list_lock); ++ module_put(THIS_MODULE); + return mode; + } + diff --git a/patches.suse/usb-gadget-legacy-fix-redundant-initialization-warni.patch b/patches.suse/usb-gadget-legacy-fix-redundant-initialization-warni.patch new file mode 100644 index 0000000..e8ac444 --- /dev/null +++ b/patches.suse/usb-gadget-legacy-fix-redundant-initialization-warni.patch @@ -0,0 +1,63 @@ +From d13cce757954fa663c69845611957396843ed87a Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Fri, 3 Apr 2020 22:16:51 +0900 +Subject: [PATCH] usb: gadget: legacy: fix redundant initialization warnings +Git-commit: d13cce757954fa663c69845611957396843ed87a +Patch-mainline: v5.7-rc6 +References: bsc#1051510 + +Fix the following cppcheck warnings: + +drivers/usb/gadget/legacy/inode.c:1364:8: style: Redundant initialization for 'value'. The initialized value is overwritten$ + value = -EOPNOTSUPP; + ^ +drivers/usb/gadget/legacy/inode.c:1331:15: note: value is initialized + int value = -EOPNOTSUPP; + ^ +drivers/usb/gadget/legacy/inode.c:1364:8: note: value is overwritten + value = -EOPNOTSUPP; + ^ +drivers/usb/gadget/legacy/inode.c:1817:8: style: Redundant initialization for 'value'. The initialized value is overwritten$ + value = -EINVAL; + ^ +drivers/usb/gadget/legacy/inode.c:1787:18: note: value is initialized + ssize_t value = len, length = len; + ^ +drivers/usb/gadget/legacy/inode.c:1817:8: note: value is overwritten + value = -EINVAL; + ^ + +Acked-by: Alan Stern +Reported-by: kbuild test robot +Signed-off-by: Masahiro Yamada +Signed-off-by: Felipe Balbi +Acked-by: Takashi Iwai + +--- + drivers/usb/gadget/legacy/inode.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c +index aa0de9e35afa..3afddd3bea6e 100644 +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -1361,7 +1361,6 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) + + req->buf = dev->rbuf; + req->context = NULL; +- value = -EOPNOTSUPP; + switch (ctrl->bRequest) { + + case USB_REQ_GET_DESCRIPTOR: +@@ -1784,7 +1783,7 @@ static ssize_t + dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr) + { + struct dev_data *dev = fd->private_data; +- ssize_t value = len, length = len; ++ ssize_t value, length = len; + unsigned total; + u32 tag; + char *kbuf; +-- +2.16.4 + diff --git a/patches.suse/video-fbdev-w100fb-Fix-a-potential-double-free.patch b/patches.suse/video-fbdev-w100fb-Fix-a-potential-double-free.patch new file mode 100644 index 0000000..c76e068 --- /dev/null +++ b/patches.suse/video-fbdev-w100fb-Fix-a-potential-double-free.patch @@ -0,0 +1,54 @@ +From 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Wed, 6 May 2020 20:19:02 +0200 +Subject: [PATCH] video: fbdev: w100fb: Fix a potential double free. +Git-commit: 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +Some memory is vmalloc'ed in the 'w100fb_save_vidmem' function and freed in +the 'w100fb_restore_vidmem' function. (these functions are called +respectively from the 'suspend' and the 'resume' functions) + +However, it is also freed in the 'remove' function. + +In order to avoid a potential double free, set the corresponding pointer +to NULL once freed in the 'w100fb_restore_vidmem' function. + +Fixes: aac51f09d96a ("[PATCH] w100fb: Rewrite for platform independence") +Cc: Richard Purdie +Cc: Antonino Daplas +Cc: Bartlomiej Zolnierkiewicz +Cc: # v2.6.14+ +Signed-off-by: Christophe JAILLET +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200506181902.193290-1-christophe.jaillet@wanadoo.fr +Acked-by: Takashi Iwai + +--- + drivers/video/fbdev/w100fb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/w100fb.c b/drivers/video/fbdev/w100fb.c +index 2d6e2738b792..d96ab28f8ce4 100644 +--- a/drivers/video/fbdev/w100fb.c ++++ b/drivers/video/fbdev/w100fb.c +@@ -588,6 +588,7 @@ static void w100fb_restore_vidmem(struct w100fb_par *par) + memsize=par->mach->mem->size; + memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_extmem, memsize); + vfree(par->saved_extmem); ++ par->saved_extmem = NULL; + } + if (par->saved_intmem) { + memsize=MEM_INT_SIZE; +@@ -596,6 +597,7 @@ static void w100fb_restore_vidmem(struct w100fb_par *par) + else + memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_intmem, memsize); + vfree(par->saved_intmem); ++ par->saved_intmem = NULL; + } + } + +-- +2.16.4 + diff --git a/patches.suse/vrf-Check-skb-for-XFRM_TRANSFORMED-flag.patch b/patches.suse/vrf-Check-skb-for-XFRM_TRANSFORMED-flag.patch new file mode 100644 index 0000000..b9b3414 --- /dev/null +++ b/patches.suse/vrf-Check-skb-for-XFRM_TRANSFORMED-flag.patch @@ -0,0 +1,42 @@ +From: David Ahern +Date: Mon, 20 Apr 2020 17:13:52 -0600 +Subject: vrf: Check skb for XFRM_TRANSFORMED flag +Git-commit: 16b9db1ce34ff00d6c18e82825125cfef0cdfb13 +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +To avoid a loop with qdiscs and xfrms, check if the skb has already gone +through the qdisc attached to the VRF device and then to the xfrm layer. +If so, no need for a second redirect. + +Fixes: 193125dbd8eb ("net: Introduce VRF device driver") +Reported-by: Trev Larock +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/vrf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -530,7 +530,8 @@ static struct sk_buff *vrf_ip6_out(struc + if (rt6_need_strict(&ipv6_hdr(skb)->daddr)) + return skb; + +- if (qdisc_tx_is_default(vrf_dev)) ++ if (qdisc_tx_is_default(vrf_dev) || ++ IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) + return vrf_ip6_out_direct(vrf_dev, sk, skb); + + return vrf_ip6_out_redirect(vrf_dev, skb); +@@ -776,7 +777,8 @@ static struct sk_buff *vrf_ip_out(struct + ipv4_is_lbcast(ip_hdr(skb)->daddr)) + return skb; + +- if (qdisc_tx_is_default(vrf_dev)) ++ if (qdisc_tx_is_default(vrf_dev) || ++ IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) + return vrf_ip_out_direct(vrf_dev, sk, skb); + + return vrf_ip_out_redirect(vrf_dev, skb); diff --git a/patches.suse/wcn36xx-Fix-error-handling-path-in-wcn36xx_probe.patch b/patches.suse/wcn36xx-Fix-error-handling-path-in-wcn36xx_probe.patch new file mode 100644 index 0000000..8792c9b --- /dev/null +++ b/patches.suse/wcn36xx-Fix-error-handling-path-in-wcn36xx_probe.patch @@ -0,0 +1,56 @@ +From a86308fc534edeceaf64670c691e17485436a4f4 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Fri, 8 May 2020 05:56:03 +0300 +Subject: [PATCH] wcn36xx: Fix error handling path in 'wcn36xx_probe()' +Git-commit: a86308fc534edeceaf64670c691e17485436a4f4 +Patch-mainline: v5.8-rc1 +References: bsc#1051510 + +In case of error, 'qcom_wcnss_open_channel()' must be undone by a call to +'rpmsg_destroy_ept()', as already done in the remove function. + +Fixes: 5052de8deff5 ("soc: qcom: smd: Transition client drivers from smd to rpmsg") +Signed-off-by: Christophe JAILLET +Reviewed-by: Bjorn Andersson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200507043619.200051-1-christophe.jaillet@wanadoo.fr +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/wcn36xx/main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index e49c306e0eef..702b689c06df 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -1339,7 +1339,7 @@ static int wcn36xx_probe(struct platform_device *pdev) + if (addr && ret != ETH_ALEN) { + wcn36xx_err("invalid local-mac-address\n"); + ret = -EINVAL; +- goto out_wq; ++ goto out_destroy_ept; + } else if (addr) { + wcn36xx_info("mac address: %pM\n", addr); + SET_IEEE80211_PERM_ADDR(wcn->hw, addr); +@@ -1347,7 +1347,7 @@ static int wcn36xx_probe(struct platform_device *pdev) + + ret = wcn36xx_platform_get_resources(wcn, pdev); + if (ret) +- goto out_wq; ++ goto out_destroy_ept; + + wcn36xx_init_ieee80211(wcn); + ret = ieee80211_register_hw(wcn->hw); +@@ -1359,6 +1359,8 @@ static int wcn36xx_probe(struct platform_device *pdev) + out_unmap: + iounmap(wcn->ccu_base); + iounmap(wcn->dxe_base); ++out_destroy_ept: ++ rpmsg_destroy_ept(wcn->smd_channel); + out_wq: + ieee80211_free_hw(hw); + out_err: +-- +2.16.4 + diff --git a/patches.suse/xfrm-Always-set-XFRM_TRANSFORMED-in-xfrm-4-6-_output.patch b/patches.suse/xfrm-Always-set-XFRM_TRANSFORMED-in-xfrm-4-6-_output.patch new file mode 100644 index 0000000..4b4bdbe --- /dev/null +++ b/patches.suse/xfrm-Always-set-XFRM_TRANSFORMED-in-xfrm-4-6-_output.patch @@ -0,0 +1,45 @@ +From: David Ahern +Date: Mon, 20 Apr 2020 17:13:51 -0600 +Subject: xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish +Git-commit: 0c922a4850eba2e668f73a3f1153196e09abb251 +Patch-mainline: 5.7-rc3 +References: networking-stable-20_04_27 + +IPSKB_XFRM_TRANSFORMED and IP6SKB_XFRM_TRANSFORMED are skb flags set by +xfrm code to tell other skb handlers that the packet has been passed +through the xfrm output functions. Simplify the code and just always +set them rather than conditionally based on netfilter enabled thus +making the flag available for other users. + +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/ipv4/xfrm4_output.c | 2 -- + net/ipv6/xfrm6_output.c | 2 -- + 2 files changed, 4 deletions(-) + +--- a/net/ipv4/xfrm4_output.c ++++ b/net/ipv4/xfrm4_output.c +@@ -76,9 +76,7 @@ int xfrm4_output_finish(struct sock *sk, + { + memset(IPCB(skb), 0, sizeof(*IPCB(skb))); + +-#ifdef CONFIG_NETFILTER + IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; +-#endif + + return xfrm_output(sk, skb); + } +--- a/net/ipv6/xfrm6_output.c ++++ b/net/ipv6/xfrm6_output.c +@@ -130,9 +130,7 @@ int xfrm6_output_finish(struct sock *sk, + { + memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); + +-#ifdef CONFIG_NETFILTER + IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED; +-#endif + + return xfrm_output(sk, skb); + } diff --git a/series.conf b/series.conf index 7b911e5..ae1d91e 100644 --- a/series.conf +++ b/series.conf @@ -28112,6 +28112,7 @@ patches.suse/0003-ipc-msg-Fix-msgctl-.-IPC_STAT-.-between-pid-namespac.patch patches.suse/0004-ipc-sem-Fix-semctl-.-GETPID-.-between-pid-namespaces.patch patches.suse/0005-ipc-shm-Fix-pid-freeing.patch + patches.suse/debugfs_lookup-switch-to-lookup_one_len_unlocked.patch patches.suse/xfs-Remove-dead-code-from-inode-recover-function.patch patches.suse/xfs-fix-transaction-allocation-deadlock-in-IO-path.patch patches.suse/xfs-Correctly-invert-xfs_buftarg-LRU-isolation-logic.patch @@ -30930,6 +30931,7 @@ patches.suse/0009-spi-Extend-the-core-to-ease-integration-of-SPI-memor.patch patches.suse/0010-spi-Make-support-for-regular-transfers-optional-when.patch patches.suse/0043-mtd-spi-nor-Use-the-spi_mem_xx-API.patch + patches.suse/spi-spi-s3c64xx-fix-system-resume-support.patch patches.suse/spi-Add-missing-pm_runtime_put_noidle-after-failed-g.patch patches.suse/0044-mtd-devices-m25p80-Use-spi_mem_set_drvdata-instead-o.patch patches.suse/regmap-skip-clk_put-for-attached-clocks-when-freeing-context @@ -41058,7 +41060,7 @@ patches.suse/hwmon-pmbus-Fix-page-count-auto-detection.patch patches.suse/jffs2-free-jffs2_sb_info-through-jffs2_kill_sb.patch patches.suse/0048-mtd-devices-m25p80-Make-sure-WRITE_EN-is-issued-befo.patch - patches.suse/0451-mtd-spi-nor-fsl-quadspi-Don-t-let-EINVAL-on-the-bus.patch + patches.suse/mtd-spi-nor-fsl-quadspi-don-t-let-einval-on-the-bus.patch patches.suse/mtd-spi-nor-intel-spi-Add-support-for-Intel-Ice-Lake.patch patches.suse/mtd-spi-nor-fsl-quadspi-fix-read-error-for-flash-siz.patch patches.suse/0413-mtd-rawnand-fsl_ifc-check-result-of-SRAM-initializat.patch @@ -50717,6 +50719,7 @@ patches.suse/mm-migrate-c-initialize-pud_entry-in-migrate_vma.patch patches.suse/eeprom-at24-make-spd-world-readable-again.patch patches.suse/powerpc-nvdimm-Pick-nearby-online-node-if-the-device.patch + patches.suse/spi-bcm2835-fix-3-wire-mode-if-dma-is-enabled.patch patches.suse/0001-x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch patches.suse/0002-x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch patches.suse/x86-speculation-swapgs-exclude-ATOMs-from-speculating-through-SWAPGS.patch @@ -52708,6 +52711,8 @@ patches.suse/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func patches.suse/IB-mlx5-Fix-steering-rule-of-drop-and-count.patch patches.suse/efi-Don-t-attempt-to-map-RCI2-config-table-if-it-doe.patch + patches.suse/spi-fsl-don-t-map-irq-during-probe.patch + patches.suse/spi-fsl-use-platform_get_irq-instead-of-of_irq_to_resource.patch patches.suse/regulator-rn5t618-fix-module-aliases.patch patches.suse/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch patches.suse/btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch @@ -53487,6 +53492,10 @@ patches.suse/0001-drm-i915-selftests-Fix-return-in-assert_mmap_offset.patch patches.suse/fat-fix-uninit-memory-access-for-partial-initialized.patch patches.suse/hwmon-adt7462-Fix-an-error-return-in-ADT7462_REG_VOL.patch + patches.suse/spi-qup-call-spi_qup_pm_resume_runtime-before-suspen.patch + patches.suse/spi-pxa2xx-Add-CS-control-clock-quirk.patch + patches.suse/spi-zynqmp-remove-entry-that-causes-a-cs-glitch.patch + patches.suse/spi-bcm63xx-hsspi-Really-keep-pll-clk-enabled.patch patches.suse/0001-vgacon-Fix-a-UAF-in-vgacon_invert_region.patch patches.suse/ALSA-hda-realtek-Fix-a-regression-for-mute-led-on-Le.patch patches.suse/ALSA-hda-realtek-Add-Headset-Mic-supported.patch @@ -53659,6 +53668,7 @@ patches.suse/staging-rtl8188eu-Add-ASUS-USB-N10-Nano-B1-to-device.patch patches.suse/staging-wlan-ng-fix-ODEBUG-bug-in-prism2sta_disconne.patch patches.suse/staging-wlan-ng-fix-use-after-free-Read-in-hfa384x_u.patch + patches.suse/spi-spi-fsl-dspi-replace-interruptible-wait-queue-with-a-simple-completion.patch patches.suse/acpi-x86-ignore-unspecified-bit-positions-in-the-ACP.patch patches.suse/objtool-add-is_static_jump-helper.patch patches.suse/objtool-add-relocation-check-for-alternative-sections.patch @@ -53998,6 +54008,11 @@ patches.suse/msft-hv-2049-x86-Hyper-V-Report-crash-register-data-when-sysctl_r.patch patches.suse/msft-hv-2050-x86-Hyper-V-Report-crash-data-in-die-when-panic_on_o.patch patches.suse/tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch + patches.suse/net-ipv6-do-not-consider-routes-via-gateways-for-any.patch + patches.suse/net-revert-default-NAPI-poll-timeout-to-2-jiffies.patch + patches.suse/hsr-check-protocol-version-in-hsr_newlink.patch + patches.suse/l2tp-Allow-management-of-tunnels-and-session-in-user.patch + patches.suse/net-ipv4-devinet-Fix-crash-when-add-del-multicast-IP.patch patches.suse/mac80211_hwsim-Use-kstrndup-in-place-of-kasprintf.patch patches.suse/xsk-Add-missing-check-on-user-supplied-headroom-size.patch patches.suse/ALSA-ctxfi-Remove-unnecessary-cast-in-kfree.patch @@ -54046,10 +54061,21 @@ patches.suse/ALSA-usb-audio-Fix-usb-audio-refcnt-leak-when-gettin.patch patches.suse/ALSA-hda-realtek-Add-new-codec-supported-for-ALC245.patch patches.suse/ALSA-hda-Always-use-jackpoll-helper-for-jack-update-.patch + patches.suse/net-netrom-Fix-potential-nr_neigh-refcnt-leak-in-nr_.patch patches.suse/wimax-i2400m-Fix-potential-urb-refcnt-leak.patch + patches.suse/net-mlx4_en-avoid-indirect-call-in-TX-completion.patch + patches.suse/tcp-cache-line-align-MAX_TCP_HEADER.patch patches.suse/ipv6-fix-restrict-IPV6_ADDRFORM-operation.patch + patches.suse/team-fix-hang-in-team_mode_get.patch patches.suse/net-mlx5-Fix-failing-fw-tracer-allocation-on-s390.patch patches.suse/macvlan-fix-null-dereference-in-macvlan_device_event.patch + patches.suse/xfrm-Always-set-XFRM_TRANSFORMED-in-xfrm-4-6-_output.patch + patches.suse/vrf-Check-skb-for-XFRM_TRANSFORMED-flag.patch + patches.suse/net-dsa-b53-Fix-ARL-register-definitions.patch + patches.suse/net-dsa-b53-Rework-ARL-bin-logic.patch + patches.suse/mlxsw-Fix-some-IS_ERR-vs-NULL-bugs.patch + patches.suse/net-x25-Fix-x25_neigh-refcnt-leak-when-receiving-fra.patch + patches.suse/net-bcmgenet-correct-per-TX-RX-ring-statistics.patch patches.suse/iwlwifi-pcie-actually-release-queue-memory-in-TVQM.patch patches.suse/macsec-avoid-to-set-wrong-mtu.patch patches.suse/bpf-Forbid-XADD-on-spilled-pointers-for-unprivileged.patch @@ -54152,6 +54178,7 @@ patches.suse/x86-unwind-orc-don-t-skip-the-first-frame-for-inactive-tasks.patch patches.suse/x86-unwind-orc-prevent-unwinding-before-orc-initialization.patch patches.suse/x86-unwind-orc-fix-error-path-for-bad-orc-entry-type.patch + patches.suse/gpio-tegra-mask-GPIO-IRQs-during-IRQ-shutdown.patch patches.suse/mmc-core-check-request-type-before-completing-the-request.patch patches.suse/mmc-core-fix-recursive-locking-issue-in-cqe-recovery-path.patch patches.suse/0002-drm-i915-gvt-Init-DPLL-DDI-vreg-for-virtual-display-.patch @@ -54175,6 +54202,7 @@ patches.suse/x86-unwind-orc-fix-error-handling-in-_unwind_start.patch patches.suse/usb-gadget-audio-Fix-a-missing-error-return-value-in.patch patches.suse/usb-gadget-net2272-Fix-a-memory-leak-in-an-error-han.patch + patches.suse/usb-gadget-legacy-fix-redundant-initialization-warni.patch patches.suse/usb-gadget-legacy-fix-error-return-code-in-cdc_bind.patch patches.suse/usb-gadget-legacy-fix-error-return-code-in-gncm_bind.patch patches.suse/usb-xhci-Fix-NULL-pointer-dereference-when-enqueuing.patch @@ -54197,13 +54225,46 @@ patches.suse/iio-sca3000-Remove-an-erroneous-get_device.patch patches.suse/mei-release-me_cl-object-reference.patch patches.suse/x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch + patches.suse/Input-usbtouchscreen-add-support-for-BonXeon-TP.patch + patches.suse/Input-evdev-call-input_flush_device-on-release-not-f.patch + patches.suse/Input-xpad-add-custom-init-packet-for-Xbox-One-S-con.patch + patches.suse/Input-i8042-add-ThinkPad-S230u-to-i8042-reset-list.patch patches.suse/Input-synaptics-rmi4-really-fix-attn_data-use-after-.patch + patches.suse/Input-synaptics-rmi4-fix-error-return-code-in-rmi_dr.patch + patches.suse/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch patches.suse/ALSA-hwdep-fix-a-left-shifting-1-by-31-UB-bug.patch patches.suse/ALSA-hda-realtek-Add-a-model-for-Thinkpad-T570-witho.patch patches.suse/ALSA-usb-audio-mixer-volume-quirk-for-ESS-Technology.patch patches.suse/ALSA-usb-audio-Quirks-for-Gigabyte-TRX40-Aorus-Maste.patch patches.suse/ALSA-hda-realtek-Add-new-codec-supported-for-ALC287.patch + patches.suse/iommu-fix-reference-count-leak-in-iommu_group_alloc + patches.suse/mac80211-mesh-fix-discovery-timer-re-arming-issue-cr.patch + patches.suse/NFC-st21nfca-add-missed-kfree_skb-in-an-error-path.patch patches.suse/drivers-net-ibmvnic-Update-VNIC-protocol-version-rep.patch + patches.suse/spi-bcm-qspi-when-tx-rx-buffer-is-NULL-set-to-0.patch + patches.suse/spi-dw-Zero-DMA-Tx-and-Rx-configurations-on-stack.patch + patches.suse/spi-dw-Add-SPI-Tx-done-wait-method-to-DMA-based-tran.patch + patches.suse/spi-dw-Add-SPI-Rx-done-wait-method-to-DMA-based-tran.patch + patches.suse/mmc-sdio-Fix-potential-NULL-pointer-error-in-mmc_sdi.patch + patches.suse/mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch + patches.suse/mmc-sdhci-msm-Clear-tuning-done-flag-while-hs400-tun.patch + patches.suse/ACPI-sysfs-Fix-reference-count-leak-in-acpi_sysfs_ad.patch + patches.suse/ACPI-CPPC-Fix-reference-count-leak-in-acpi_cppc_proc.patch + patches.suse/agp-intel-Reinforce-the-barrier-after-GTT-updates.patch + patches.suse/drm-dp_mst-Reformat-drm_dp_check_act_status-a-bit.patch + patches.suse/video-fbdev-w100fb-Fix-a-potential-double-free.patch + patches.suse/nvme-fc-print-proper-nvme-fc-devloss_tmo-value.patch + patches.suse/0001-btrfs-reloc-fix-reloc-root-leak-and-NULL-pointer-der.patch + patches.suse/0002-btrfs-reloc-clear-DEAD_RELOC_TREE-bit-for-orphan-roo.patch + patches.suse/clocksource-dw_apb_timer_of-Fix-missing-clockevent-t.patch + patches.suse/b43legacy-Fix-case-where-channel-status-is-corrupted.patch + patches.suse/mwifiex-avoid-Wstringop-overflow-warning.patch + patches.suse/rtlwifi-Fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch + patches.suse/mwifiex-Fix-memory-corruption-in-dump_station.patch + patches.suse/wcn36xx-Fix-error-handling-path-in-wcn36xx_probe.patch + patches.suse/ipv6-fix-IPV6_ADDRFORM-operation-logic.patch + patches.suse/media-dvb-return-EREMOTEIO-on-i2c-transfer-failure.patch + patches.suse/media-platform-fcp-Set-appropriate-DMA-parameters.patch # jejb/scsi for-next patches.suse/scsi-lpfc-remove-duplicate-unloading-checks.patch @@ -54225,10 +54286,6 @@ patches.suse/0005-MODSIGN-Allow-the-db-UEFI-variable-to-be-suppressed.patch patches.suse/0006-modsign-Use-secondary-trust-keyring-for-module-signi.patch - # https://github.com/kdave/btrfs-devel.git misc-next - patches.suse/0001-btrfs-relocation-Fix-reloc-root-leakage-and-the-NULL.patch - patches.suse/0002-btrfs-relocation-Clear-the-DEAD_RELOC_TREE-bit-for-o.patch - # out-of-tree patches patches.suse/net-mvpp2-fix-condition-for-setting-up-link-interrup.patch patches.suse/cifs-handle-netapp-error-codes.patch @@ -54443,6 +54500,8 @@ patches.suse/mm-fix-mremap-not-considering-huge-pmd-devmap.patch + patches.suse/relay-handle-alloc_percpu-returning-NULL-in-relay_open.patch + ######################################################## # misc small fixes ########################################################