From c2c3bb03434b223ff51ed50bcb5c0e24d2996882 Mon Sep 17 00:00:00 2001 From: Davidlohr Bueso Date: Sep 07 2021 15:03:44 +0000 Subject: Merge branch 'SLE12-SP5' (888ca82e852e) into 'SLE12-SP5-RT' No -rt specific changes this merge. --- diff --git a/blacklist.conf b/blacklist.conf index b63c2b9..9940d7f 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -1940,3 +1940,11 @@ bc9a2e226ea95e1699f7590845554de095308b75 # not needed in kernels older than SLE1 26e66a0cf258d413bd64095b0fea6e34f9e46587 # included as 176a7fca81c5090a7240664e3002c106d296bf31 1e7913ff5f9f1b73146ad8522958bd266f22a510 # not needed in kernels older than SLE15-SP2 74639cbf51d7c0304342544a83dfda354a6bd208 # not needed in kernels older than SLE15-SP2 +7f3d176f5f7e3f0477bf82df0f600fcddcdcc4e4 # Doesn't apply +27ba3e8ff3ab86449e63d38a8d623053591e65fa # Doesn't apply +24f6b6036c9eec21191646930ad42808e6180510 # Doesn't apply +848378812e40152abe9b9baf58ce2004f76fb988 # A fix for LLVM +854f32648b8a5e424d682953b1a9f3b7c3322701 # Doesn't apply +2ca11b0e043be6f5c2b188897e9a32275eaab046 # code comment +7eb000bdbe7c7da811ef51942b356f6e819b13ba # already applied +f87777a3c30cf50c66a20e1d153f0e003bb30774 # net: stmmac: not needed diff --git a/patches.kabi/kabi-mask-changes-to-vhost_dev_init-and-struct-vhost.patch b/patches.kabi/kabi-mask-changes-to-vhost_dev_init-and-struct-vhost.patch new file mode 100644 index 0000000..c75ec6f --- /dev/null +++ b/patches.kabi/kabi-mask-changes-to-vhost_dev_init-and-struct-vhost.patch @@ -0,0 +1,144 @@ +From: Michal Kubecek +Date: Tue, 7 Sep 2021 01:28:33 +0200 +Subject: kabi: mask changes to vhost_dev_init() and struct vhost_dev +Patch-mainline: Never, kabi workaround +References: CVE-2019-3900 bsc#1133374 + +Backport of mainline commit e82b9b0727ff ("vhost: introduce +vhost_exceeds_weight()")) adds two new members to struct vhost_dev and two +new parameters to vhost_dev_init(). + +Move new members into two 4-byte holes in struct vhost_dev and hide them +from genksyms. Rename vhost_dev_init() to vhost_dev_init_wt() and create +a wrapper under the original name which passes 0 for weight and byte_weight +(and modify the check in the vhost_exceeds_weight() to handle also zero +dev->weight). + +Signed-off-by: Michal Kubecek +--- + drivers/vhost/net.c | 6 +++--- + drivers/vhost/scsi.c | 4 ++-- + drivers/vhost/vhost.c | 15 +++++++++++---- + drivers/vhost/vhost.h | 14 +++++++++++--- + drivers/vhost/vsock.c | 6 +++--- + 5 files changed, 30 insertions(+), 15 deletions(-) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -1276,9 +1276,9 @@ static int vhost_net_open(struct inode *inode, struct file *f) + n->vqs[i].rx_ring = NULL; + vhost_net_buf_init(&n->vqs[i].rxq); + } +- vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX, +- UIO_MAXIOV + VHOST_NET_BATCH, +- VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT); ++ vhost_dev_init_wt(dev, vqs, VHOST_NET_VQ_MAX, ++ UIO_MAXIOV + VHOST_NET_BATCH, ++ VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT); + + vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev); + vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, POLLIN, dev); +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -1438,8 +1438,8 @@ static int vhost_scsi_open(struct inode *inode, struct file *f) + vqs[i] = &vs->vqs[i].vq; + vs->vqs[i].vq.handle_kick = vhost_scsi_handle_kick; + } +- vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ, UIO_MAXIOV, +- VHOST_SCSI_WEIGHT, 0); ++ vhost_dev_init_wt(&vs->dev, vqs, VHOST_SCSI_MAX_VQ, UIO_MAXIOV, ++ VHOST_SCSI_WEIGHT, 0); + + vhost_scsi_init_inflight(vs, NULL); + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -422,7 +422,7 @@ bool vhost_exceeds_weight(struct vhost_virtqueue *vq, + struct vhost_dev *dev = vq->dev; + + if ((dev->byte_weight && total_len >= dev->byte_weight) || +- pkts >= dev->weight) { ++ (dev->weight && pkts >= dev->weight)) { + vhost_poll_queue(&vq->poll); + return true; + } +@@ -431,9 +431,9 @@ bool vhost_exceeds_weight(struct vhost_virtqueue *vq, + } + EXPORT_SYMBOL_GPL(vhost_exceeds_weight); + +-void vhost_dev_init(struct vhost_dev *dev, +- struct vhost_virtqueue **vqs, int nvqs, +- int iov_limit, int weight, int byte_weight) ++void vhost_dev_init_wt(struct vhost_dev *dev, ++ struct vhost_virtqueue **vqs, int nvqs, ++ int iov_limit, int weight, int byte_weight) + { + struct vhost_virtqueue *vq; + int i; +@@ -470,6 +470,13 @@ void vhost_dev_init(struct vhost_dev *dev, + POLLIN, dev); + } + } ++EXPORT_SYMBOL_GPL(vhost_dev_init_wt); ++ ++void vhost_dev_init(struct vhost_dev *dev, ++ struct vhost_virtqueue **vqs, int nvqs, int iov_limit) ++{ ++ vhost_dev_init_wt(dev, vqs, nvqs, iov_limit, 0, 0); ++} + EXPORT_SYMBOL_GPL(vhost_dev_init); + + /* Caller should have device mutex */ +--- a/drivers/vhost/vhost.h ++++ b/drivers/vhost/vhost.h +@@ -169,6 +169,10 @@ struct vhost_dev { + struct mutex mutex; + struct vhost_virtqueue **vqs; + int nvqs; ++#ifndef __GENKSYMS__ ++ /* filling a 4-byte hole */ ++ int weight; ++#endif + struct file *log_file; + struct eventfd_ctx *log_ctx; + struct llist_head work_list; +@@ -176,17 +180,21 @@ struct vhost_dev { + struct vhost_umem *umem; + struct vhost_umem *iotlb; + spinlock_t iotlb_lock; ++#ifndef __GENKSYMS__ ++ /* filling a 4-byte hole */ ++ int byte_weight; ++#endif + struct list_head read_list; + struct list_head pending_list; + wait_queue_head_t wait; + int iov_limit; +- int weight; +- int byte_weight; + }; + + bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts, int total_len); + void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs, +- int nvqs, int iov_limit, int weight, int byte_weight); ++ int nvqs, int iov_limit); ++void vhost_dev_init_wt(struct vhost_dev *, struct vhost_virtqueue **vqs, ++ int nvqs, int iov_limit, int weight, int byte_weight); + long vhost_dev_set_owner(struct vhost_dev *dev); + bool vhost_dev_has_owner(struct vhost_dev *dev); + long vhost_dev_check_owner(struct vhost_dev *); +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -545,9 +545,9 @@ static int vhost_vsock_dev_open(struct inode *inode, struct file *file) + vsock->vqs[VSOCK_VQ_TX].handle_kick = vhost_vsock_handle_tx_kick; + vsock->vqs[VSOCK_VQ_RX].handle_kick = vhost_vsock_handle_rx_kick; + +- vhost_dev_init(&vsock->dev, vqs, ARRAY_SIZE(vsock->vqs), +- UIO_MAXIOV, VHOST_VSOCK_PKT_WEIGHT, +- VHOST_VSOCK_WEIGHT); ++ vhost_dev_init_wt(&vsock->dev, vqs, ARRAY_SIZE(vsock->vqs), ++ UIO_MAXIOV, VHOST_VSOCK_PKT_WEIGHT, ++ VHOST_VSOCK_WEIGHT); + + file->private_data = vsock; + spin_lock_init(&vsock->send_pkt_list_lock); diff --git a/patches.suse/0001-dm-writecache-handle-DAX-to-partitions-on-persistent.patch b/patches.suse/0001-dm-writecache-handle-DAX-to-partitions-on-persistent.patch new file mode 100644 index 0000000..0f9459b --- /dev/null +++ b/patches.suse/0001-dm-writecache-handle-DAX-to-partitions-on-persistent.patch @@ -0,0 +1,67 @@ +From f9e040efcc28309e5c592f7e79085a9a52e31f58 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 24 Aug 2020 11:09:47 -0400 +Subject: [PATCH] dm writecache: handle DAX to partitions on persistent memory + correctly +Git-commit: f9e040efcc28309e5c592f7e79085a9a52e31f58 +Patch-mainline: v5.9-rc4 +References: git-fixes + +The function dax_direct_access doesn't take partitions into account, +it always maps pages from the beginning of the device. Therefore, +persistent_memory_claim() must get the partition offset using +get_start_sect() and add it to the page offsets passed to +dax_direct_access(). + +Signed-off-by: Mikulas Patocka +Fixes: 48debafe4f2f ("dm: add writecache target") +Cc: stable@vger.kernel.org # 4.18+ +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm-writecache.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c +index 86dbe0c8b45c..6271d1e741cf 100644 +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -231,6 +231,7 @@ static int persistent_memory_claim(struct dm_writecache *wc) + pfn_t pfn; + int id; + struct page **pages; ++ sector_t offset; + + wc->memory_vmapped = false; + +@@ -245,9 +246,16 @@ static int persistent_memory_claim(struct dm_writecache *wc) + goto err1; + } + ++ offset = get_start_sect(wc->ssd_dev->bdev); ++ if (offset & (PAGE_SIZE / 512 - 1)) { ++ r = -EINVAL; ++ goto err1; ++ } ++ offset >>= PAGE_SHIFT - 9; ++ + id = dax_read_lock(); + +- da = dax_direct_access(wc->ssd_dev->dax_dev, 0, p, &wc->memory_map, &pfn); ++ da = dax_direct_access(wc->ssd_dev->dax_dev, offset, p, &wc->memory_map, &pfn); + if (da < 0) { + wc->memory_map = NULL; + r = da; +@@ -269,7 +277,7 @@ static int persistent_memory_claim(struct dm_writecache *wc) + i = 0; + do { + long daa; +- daa = dax_direct_access(wc->ssd_dev->dax_dev, i, p - i, ++ daa = dax_direct_access(wc->ssd_dev->dax_dev, offset + i, p - i, + NULL, &pfn); + if (daa <= 0) { + r = daa ? daa : -EINVAL; +-- +2.31.1 + diff --git a/patches.suse/0002-arch-x86-lib-usercopy_64.c-fix-__copy_user_flushcach.patch b/patches.suse/0002-arch-x86-lib-usercopy_64.c-fix-__copy_user_flushcach.patch new file mode 100644 index 0000000..13fbc0f --- /dev/null +++ b/patches.suse/0002-arch-x86-lib-usercopy_64.c-fix-__copy_user_flushcach.patch @@ -0,0 +1,54 @@ +From a1cd6c2ae47ee10ff21e62475685d5b399e2ed4a Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 25 Sep 2020 21:19:24 -0700 +Subject: [PATCH] arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() + cache writeback +Git-commit: a1cd6c2ae47ee10ff21e62475685d5b399e2ed4a +Patch-mainline: v5.9-rc7 +References: git-fixes + +If we copy less than 8 bytes and if the destination crosses a cache +line, __copy_user_flushcache would invalidate only the first cache line. + +This patch makes it invalidate the second cache line as well. + +Fixes: 0aed55af88345b ("x86, uaccess: introduce copy_from_iter_flushcache for pmem / cache-bypass operations") +Signed-off-by: Mikulas Patocka +Signed-off-by: Andrew Morton +Reviewed-by: Dan Williams +Cc: Jan Kara +Cc: Jeff Moyer +Cc: Ingo Molnar +Cc: Christoph Hellwig +Cc: Toshi Kani +Cc: "H. Peter Anvin" +Cc: Al Viro +Cc: Thomas Gleixner +Cc: Matthew Wilcox +Cc: Ross Zwisler +Cc: Ingo Molnar +Cc: +Link: https://lkml.kernel.org/r/alpine.LRH.2.02.2009161451140.21915@file01.intranet.prod.int.rdu2.redhat.com +Signed-off-by: Linus Torvalds +Signed-off-by: Coly Li + +--- + arch/x86/lib/usercopy_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c +index b0dfac3d3df7..1847e993ac63 100644 +--- a/arch/x86/lib/usercopy_64.c ++++ b/arch/x86/lib/usercopy_64.c +@@ -120,7 +120,7 @@ long __copy_user_flushcache(void *dst, const void __user *src, unsigned size) + */ + if (size < 8) { + if (!IS_ALIGNED(dest, 4) || size != 4) +- clean_cache_range(dst, 1); ++ clean_cache_range(dst, size); + } else { + if (!IS_ALIGNED(dest, 8)) { + dest = ALIGN(dest, boot_cpu_data.x86_clflush_size); +-- +2.31.1 + diff --git a/patches.suse/0003-overflow-Include-header-file-with-SIZE_MAX-declarati.patch b/patches.suse/0003-overflow-Include-header-file-with-SIZE_MAX-declarati.patch new file mode 100644 index 0000000..c9b8e1b --- /dev/null +++ b/patches.suse/0003-overflow-Include-header-file-with-SIZE_MAX-declarati.patch @@ -0,0 +1,42 @@ +From a4947e84f23474803b62a2759b5808147e4e15f9 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Sun, 13 Sep 2020 13:29:28 +0300 +Subject: [PATCH] overflow: Include header file with SIZE_MAX declaration +Git-commit: a4947e84f23474803b62a2759b5808147e4e15f9 +Patch-mainline: v5.10-rc1 +References: git-fixes + +The various array_size functions use SIZE_MAX define, but missed limits.h +causes to failure to compile code that needs overflow.h. + + In file included from drivers/infiniband/core/uverbs_std_types_device.c:6: + ./include/linux/overflow.h: In function 'array_size': + ./include/linux/overflow.h:258:10: error: 'SIZE_MAX' undeclared (first use in this function) + 258 | return SIZE_MAX; + | ^~~~~~~~ + +Fixes: 610b15c50e86 ("overflow.h: Add allocation size calculation helpers") +Link: https://lore.kernel.org/r/20200913102928.134985-1-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Coly Li + +--- + include/linux/overflow.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/overflow.h b/include/linux/overflow.h +index 93fcef105061..ff3c48f0abc5 100644 +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -3,6 +3,7 @@ + #define __LINUX_OVERFLOW_H + + #include ++#include + + /* + * In the fallback code below, we need to compute the minimum and +-- +2.31.1 + diff --git a/patches.suse/0004-dm-writecache-fix-the-maximum-number-of-arguments.patch b/patches.suse/0004-dm-writecache-fix-the-maximum-number-of-arguments.patch new file mode 100644 index 0000000..26af708 --- /dev/null +++ b/patches.suse/0004-dm-writecache-fix-the-maximum-number-of-arguments.patch @@ -0,0 +1,38 @@ +From 67aa3ec3dbc43d6e34401d9b2a40040ff7bb57af Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 10 Nov 2020 07:45:13 -0500 +Subject: [PATCH] dm writecache: fix the maximum number of arguments +Git-commit: 67aa3ec3dbc43d6e34401d9b2a40040ff7bb57af +Patch-mainline: v5.10-rc7 +References: git-fixes + +Advance the maximum number of arguments to 16. +This fixes issue where certain operations, combined with table +configured args, exceed 10 arguments. + +Signed-off-by: Mikulas Patocka +Fixes: 48debafe4f2f ("dm: add writecache target") +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm-writecache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c +index 1ea923af47c6..7d277de26b3a 100644 +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -2041,7 +2041,7 @@ static int writecache_ctr(struct dm_target *ti, unsigned argc, char **argv) + struct wc_memory_superblock s; + + static struct dm_arg _args[] = { +- {0, 10, "Invalid number of feature args"}, ++ {0, 16, "Invalid number of feature args"}, + }; + + as.argc = argc; +-- +2.31.1 + diff --git a/patches.suse/0005-dm-writecache-remove-BUG-and-fail-gracefully-instead.patch b/patches.suse/0005-dm-writecache-remove-BUG-and-fail-gracefully-instead.patch new file mode 100644 index 0000000..c484654 --- /dev/null +++ b/patches.suse/0005-dm-writecache-remove-BUG-and-fail-gracefully-instead.patch @@ -0,0 +1,41 @@ +From 857c4c0a8b2888d806f4308c58f59a6a81a1dee9 Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Fri, 13 Nov 2020 14:52:28 -0800 +Subject: [PATCH] dm writecache: remove BUG() and fail gracefully instead +Git-commit: 857c4c0a8b2888d806f4308c58f59a6a81a1dee9 +Patch-mainline: v5.10-rc7 +References: git-fixes + +Building on arch/s390/ results in this build error: + +Cc1: some warnings being treated as errors +../drivers/md/dm-writecache.c: In function 'persistent_memory_claim': +../drivers/md/dm-writecache.c:323:1: error: no return statement in function returning non-void [-Werror=return-type] + +Fix this by replacing the BUG() with an -EOPNOTSUPP return. + +Fixes: 48debafe4f2f ("dm: add writecache target") +Reported-by: Randy Dunlap +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm-writecache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c +index 7d277de26b3a..d5223a0e5cc5 100644 +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -319,7 +319,7 @@ static int persistent_memory_claim(struct dm_writecache *wc) + #else + static int persistent_memory_claim(struct dm_writecache *wc) + { +- BUG(); ++ return -EOPNOTSUPP; + } + #endif + +-- +2.31.1 + diff --git a/patches.suse/0006-dm-remove-invalid-sparse-__acquires-and-__releases-a.patch b/patches.suse/0006-dm-remove-invalid-sparse-__acquires-and-__releases-a.patch new file mode 100644 index 0000000..bb0b288 --- /dev/null +++ b/patches.suse/0006-dm-remove-invalid-sparse-__acquires-and-__releases-a.patch @@ -0,0 +1,45 @@ +From bde3808bc8c2741ad3d804f84720409aee0c2972 Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Fri, 4 Dec 2020 15:25:18 -0500 +Subject: [PATCH] dm: remove invalid sparse __acquires and __releases + annotations +Git-commit: bde3808bc8c2741ad3d804f84720409aee0c2972 +Patch-mainline: v5.10-rc7 +References: git-fixes + +Fixes sparse warnings: +drivers/md/dm.c:508:12: warning: context imbalance in 'dm_prepare_ioctl' - wrong count at exit +drivers/md/dm.c:543:13: warning: context imbalance in 'dm_unprepare_ioctl' - wrong count at exit + +Fixes: 971888c46993f ("dm: hold DM table for duration of ioctl rather than use blkdev_get") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 45c623ff931a..4e0cbfe3f14d 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -509,7 +509,6 @@ static int dm_blk_report_zones(struct gendisk *disk, sector_t sector, + + static int dm_prepare_ioctl(struct mapped_device *md, int *srcu_idx, + struct block_device **bdev) +- __acquires(md->io_barrier) + { + struct dm_target *tgt; + struct dm_table *map; +@@ -543,7 +542,6 @@ static int dm_prepare_ioctl(struct mapped_device *md, int *srcu_idx, + } + + static void dm_unprepare_ioctl(struct mapped_device *md, int srcu_idx) +- __releases(md->io_barrier) + { + dm_put_live_table(md, srcu_idx); + } +-- +2.31.1 + diff --git a/patches.suse/0007-dm-zoned-select-CONFIG_CRC32.patch b/patches.suse/0007-dm-zoned-select-CONFIG_CRC32.patch new file mode 100644 index 0000000..75688c3 --- /dev/null +++ b/patches.suse/0007-dm-zoned-select-CONFIG_CRC32.patch @@ -0,0 +1,35 @@ +From b690bd546b227c32b860dae985a18bed8aa946fe Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Sun, 3 Jan 2021 22:40:51 +0100 +Subject: [PATCH] dm zoned: select CONFIG_CRC32 +Git-commit: b690bd546b227c32b860dae985a18bed8aa946fe +Patch-mainline: v5.11-rc4 +References: git-fixes + +Without crc32 support, this driver fails to link: + +Arm-linux-gnueabi-ld: drivers/md/dm-zoned-metadata.o: in function `dmz_write_sb': +dm-zoned-metadata.c:(.text+0xe98): undefined reference to `crc32_le' +Arm-linux-gnueabi-ld: drivers/md/dm-zoned-metadata.o: in function `dmz_check_sb': +dm-zoned-metadata.c:(.text+0x7978): undefined reference to `crc32_le' + +Fixes: 3b1a94c88b79 ("dm zoned: drive-managed zoned block device target") +Signed-off-by: Arnd Bergmann +Reviewed-by: Damien Le Moal +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/Kconfig ++++ b/drivers/md/Kconfig +@@ -544,6 +544,7 @@ config DM_ZONED + tristate "Drive-managed zoned block device target support" + depends on BLK_DEV_DM + depends on BLK_DEV_ZONED ++ select CRC32 + ---help--- + This device-mapper target takes a host-managed or host-aware zoned + block device and exposes most of its capacity as a regular block diff --git a/patches.suse/0008-mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch b/patches.suse/0008-mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch new file mode 100644 index 0000000..53cb2fb --- /dev/null +++ b/patches.suse/0008-mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch @@ -0,0 +1,56 @@ +From 5d5d19eda6b0ee790af89c45e3f678345be6f50f Mon Sep 17 00:00:00 2001 +From: Miaohe Lin +Date: Thu, 25 Feb 2021 17:18:09 -0800 +Subject: [PATCH] mm/rmap: fix potential pte_unmap on an not mapped pte +Git-commit: 5d5d19eda6b0ee790af89c45e3f678345be6f50f +Patch-mainline: v5.12-rc1 +References: git-fixes + +For PMD-mapped page (usually THP), pvmw->pte is NULL. For PTE-mapped THP, +pvmw->pte is mapped. But for HugeTLB pages, pvmw->pte is not mapped and +set to the relevant page table entry. So in page_vma_mapped_walk_done(), +we may do pte_unmap() for HugeTLB pte which is not mapped. Fix this by +checking pvmw->page against PageHuge before trying to do pte_unmap(). + +Link: https://lkml.kernel.org/r/20210127093349.39081-1-linmiaohe@huawei.com +Fixes: ace71a19cec5 ("mm: introduce page_vma_mapped_walk()") +Signed-off-by: Hongxiang Lou +Signed-off-by: Miaohe Lin +Tested-by: Sedat Dilek +Cc: Kees Cook +Cc: Nathan Chancellor +Cc: Mike Kravetz +Cc: Shakeel Butt +Cc: Johannes Weiner +Cc: Vlastimil Babka +Cc: Michel Lespinasse +Cc: Nick Desaulniers +Cc: "Kirill A. Shutemov" +Cc: Wei Yang +Cc: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: Brian Geffon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Coly Li + +--- + include/linux/rmap.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/rmap.h b/include/linux/rmap.h +index 70085ca1a3fc..def5c62c93b3 100644 +--- a/include/linux/rmap.h ++++ b/include/linux/rmap.h +@@ -213,7 +213,8 @@ struct page_vma_mapped_walk { + + static inline void page_vma_mapped_walk_done(struct page_vma_mapped_walk *pvmw) + { +- if (pvmw->pte) ++ /* HugeTLB pte is set to the relevant page table entry without pte_mapped. */ ++ if (pvmw->pte && !PageHuge(pvmw->page)) + pte_unmap(pvmw->pte); + if (pvmw->ptl) + spin_unlock(pvmw->ptl); +-- +2.31.1 + diff --git a/patches.suse/0009-dm-verity-fix-DM_VERITY_OPTS_MAX-value.patch b/patches.suse/0009-dm-verity-fix-DM_VERITY_OPTS_MAX-value.patch new file mode 100644 index 0000000..123c5aa --- /dev/null +++ b/patches.suse/0009-dm-verity-fix-DM_VERITY_OPTS_MAX-value.patch @@ -0,0 +1,35 @@ +From 160f99db943224e55906dd83880da1a704c6e6b9 Mon Sep 17 00:00:00 2001 +From: JeongHyeon Lee +Date: Thu, 11 Mar 2021 21:10:50 +0900 +Subject: [PATCH] dm verity: fix DM_VERITY_OPTS_MAX value +Git-commit: 160f99db943224e55906dd83880da1a704c6e6b9 +Patch-mainline: v5.12-rc5 +References: git-fixes + +Three optional parameters must be accepted at once in a DM verity table, e.g.: + (verity_error_handling_mode) (ignore_zero_block) (check_at_most_once) +Fix this to be possible by incrementing DM_VERITY_OPTS_MAX. + +(Coly Li: rebased for Linux v4.12 based SUSE kernel) + +Signed-off-by: JeongHyeon Lee +Fixes: 843f38d382b1 ("dm verity: add 'check_at_most_once' option to only validate hashes once") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm-verity-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -34,7 +34,7 @@ + #define DM_VERITY_OPT_IGN_ZEROES "ignore_zero_blocks" + #define DM_VERITY_OPT_AT_MOST_ONCE "check_at_most_once" + +-#define DM_VERITY_OPTS_MAX (2 + DM_VERITY_OPTS_FEC) ++#define DM_VERITY_OPTS_MAX (3 + DM_VERITY_OPTS_FEC) + + static unsigned dm_verity_prefetch_cluster = DM_VERITY_DEFAULT_PREFETCH_SIZE; + diff --git a/patches.suse/0010-overflow-Correct-check_shl_overflow-comment.patch b/patches.suse/0010-overflow-Correct-check_shl_overflow-comment.patch new file mode 100644 index 0000000..ef06cd4 --- /dev/null +++ b/patches.suse/0010-overflow-Correct-check_shl_overflow-comment.patch @@ -0,0 +1,33 @@ +From 4578be130a6470d85ff05b13b75a00e6224eeeeb Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Thu, 1 Apr 2021 09:06:29 -0700 +Subject: [PATCH] overflow: Correct check_shl_overflow() comment +Git-commit: 4578be130a6470d85ff05b13b75a00e6224eeeeb +Patch-mainline: v5.13-rc1 +References: git-fixes + +A 'false' return means the value was safely set, so the comment should +say 'true' for when it is not considered safe. + +Cc: Jason Gunthorpe +Signed-off-by: Keith Busch +Signed-off-by: Kees Cook +Fixes: 0c66847793d1 ("overflow.h: Add arithmetic shift helper") +Link: https://lore.kernel.org/r/20210401160629.1941787-1-kbusch@kernel.org +Signed-off-by: Coly Li + +--- + include/linux/overflow.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -226,7 +226,7 @@ + * - 'a << s' sets the sign bit, if any, in '*d'. + * + * '*d' will hold the results of the attempted shift, but is not +- * considered "safe for use" if false is returned. ++ * considered "safe for use" if true is returned. + */ + #define check_shl_overflow(a, s, d) ({ \ + typeof(a) _a = a; \ diff --git a/patches.suse/0011-md-raid10-properly-indicate-failure-when-ending-a-fa.patch b/patches.suse/0011-md-raid10-properly-indicate-failure-when-ending-a-fa.patch new file mode 100644 index 0000000..12f8353 --- /dev/null +++ b/patches.suse/0011-md-raid10-properly-indicate-failure-when-ending-a-fa.patch @@ -0,0 +1,62 @@ +From 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 Mon Sep 17 00:00:00 2001 +From: Wei Shuyu +Date: Mon, 28 Jun 2021 15:15:08 +0800 +Subject: [PATCH] md/raid10: properly indicate failure when ending a failed + write request +Git-commit: 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 +Patch-mainline: v5.14-rc5 +References: git-fixes + +Similar to [1], this patch fixes the same bug in raid10. Also cleanup the +comments. + +[1] commit 2417b9869b81 ("md/raid1: properly indicate failure when ending + a failed write request") + +Cc: stable@vger.kernel.org +Fixes: 7cee6d4e6035 ("md/raid10: end bio when the device faulty") +Signed-off-by: Wei Shuyu +Acked-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Coly Li + +--- + drivers/md/raid1.c | 2 -- + drivers/md/raid10.c | 4 ++-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index ced076ba560e..753822ca9613 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -472,8 +472,6 @@ static void raid1_end_write_request(struct bio *bio) + /* + * When the device is faulty, it is not necessary to + * handle write error. +- * For failfast, this is the only remaining device, +- * We need to retry the write without FailFast. + */ + if (!test_bit(Faulty, &rdev->flags)) + set_bit(R1BIO_WriteError, &r1_bio->state); +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 13f5e6b2a73d..40e845fb9717 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -469,12 +469,12 @@ static void raid10_end_write_request(struct bio *bio) + /* + * When the device is faulty, it is not necessary to + * handle write error. +- * For failfast, this is the only remaining device, +- * We need to retry the write without FailFast. + */ + if (!test_bit(Faulty, &rdev->flags)) + set_bit(R10BIO_WriteError, &r10_bio->state); + else { ++ /* Fail the request */ ++ set_bit(R10BIO_Degraded, &r10_bio->state); + r10_bio->devs[slot].bio = NULL; + to_put = bio; + dec_rdev = 1; +-- +2.31.1 + diff --git a/patches.suse/Bluetooth-Move-shutdown-callback-before-flushing-tx-.patch b/patches.suse/Bluetooth-Move-shutdown-callback-before-flushing-tx-.patch new file mode 100644 index 0000000..d38a036 --- /dev/null +++ b/patches.suse/Bluetooth-Move-shutdown-callback-before-flushing-tx-.patch @@ -0,0 +1,79 @@ +From 0ea53674d07fb6db2dd7a7ec2fdc85a12eb246c2 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 10 Aug 2021 12:53:15 +0800 +Subject: [PATCH] Bluetooth: Move shutdown callback before flushing tx and rx queue +Git-commit: 0ea53674d07fb6db2dd7a7ec2fdc85a12eb246c2 +Patch-mainline: v5.15-rc1 +References: git-fixes + +Commit 0ea9fd001a14 ("Bluetooth: Shutdown controller after workqueues +are flushed or cancelled") introduced a regression that makes mtkbtsdio +driver stops working: +[ 36.593956] Bluetooth: hci0: Firmware already downloaded +[ 46.814613] Bluetooth: hci0: Execution of wmt command timed out +[ 46.814619] Bluetooth: hci0: Failed to send wmt func ctrl (-110) + +The shutdown callback depends on the result of hdev->rx_work, so we +should call it before flushing rx_work: +-> btmtksdio_shutdown() + -> mtk_hci_wmt_sync() + -> __hci_cmd_send() + -> wait for BTMTKSDIO_TX_WAIT_VND_EVT gets cleared + +-> btmtksdio_recv_event() + -> hci_recv_frame() + -> queue_work(hdev->workqueue, &hdev->rx_work) + -> clears BTMTKSDIO_TX_WAIT_VND_EVT + +So move the shutdown callback before flushing TX/RX queue to resolve the +issue. + +Reported-and-tested-by: Mattijs Korpershoek +Tested-by: Hsin-Yi Wang +Cc: Guenter Roeck +Fixes: 0ea9fd001a14 ("Bluetooth: Shutdown controller after workqueues are flushed or cancelled") +Signed-off-by: Kai-Heng Feng +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + net/bluetooth/hci_core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index cb2e9e513907..8622da2d9395 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1727,6 +1727,14 @@ int hci_dev_do_close(struct hci_dev *hdev) + hci_request_cancel_all(hdev); + hci_req_sync_lock(hdev); + ++ if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) && ++ !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && ++ test_bit(HCI_UP, &hdev->flags)) { ++ /* Execute vendor specific shutdown routine */ ++ if (hdev->shutdown) ++ hdev->shutdown(hdev); ++ } ++ + if (!test_and_clear_bit(HCI_UP, &hdev->flags)) { + cancel_delayed_work_sync(&hdev->cmd_timer); + hci_req_sync_unlock(hdev); +@@ -1798,14 +1806,6 @@ int hci_dev_do_close(struct hci_dev *hdev) + clear_bit(HCI_INIT, &hdev->flags); + } + +- if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) && +- !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && +- test_bit(HCI_UP, &hdev->flags)) { +- /* Execute vendor specific shutdown routine */ +- if (hdev->shutdown) +- hdev->shutdown(hdev); +- } +- + /* flush cmd work */ + flush_work(&hdev->cmd_work); + +-- +2.26.2 + diff --git a/patches.suse/Bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch b/patches.suse/Bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch new file mode 100644 index 0000000..7b7aa82 --- /dev/null +++ b/patches.suse/Bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch @@ -0,0 +1,46 @@ +From f41a4b2b5eb7872109723dab8ae1603bdd9d9ec1 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 19 Aug 2021 18:15:21 +0300 +Subject: [PATCH] Bluetooth: add timeout sanity check to hci_inquiry +Git-commit: f41a4b2b5eb7872109723dab8ae1603bdd9d9ec1 +Patch-mainline: v5.15-rc1 +References: git-fixes + +Syzbot hit "task hung" bug in hci_req_sync(). The problem was in +unreasonable huge inquiry timeout passed from userspace. +Fix it by adding sanity check for timeout value to hci_inquiry(). + +Since hci_inquiry() is the only user of hci_req_sync() with user +controlled timeout value, it makes sense to check timeout value in +hci_inquiry() and don't touch hci_req_sync(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+be2baed593ea56c6a84c@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + net/bluetooth/hci_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 8622da2d9395..f033c19e2f3b 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1343,6 +1343,12 @@ int hci_inquiry(void __user *arg) + goto done; + } + ++ /* Restrict maximum inquiry length to 60 seconds */ ++ if (ir.length > 60) { ++ err = -EINVAL; ++ goto done; ++ } ++ + hci_dev_lock(hdev); + if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX || + inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) { +-- +2.26.2 + diff --git a/patches.suse/Bluetooth-avoid-circular-locks-in-sco_sock_connect.patch b/patches.suse/Bluetooth-avoid-circular-locks-in-sco_sock_connect.patch index bbbe0b6..24e3afe 100644 --- a/patches.suse/Bluetooth-avoid-circular-locks-in-sco_sock_connect.patch +++ b/patches.suse/Bluetooth-avoid-circular-locks-in-sco_sock_connect.patch @@ -3,8 +3,7 @@ From: Desmond Cheong Zhi Xi Date: Tue, 10 Aug 2021 12:14:06 +0800 Subject: [PATCH] Bluetooth: avoid circular locks in sco_sock_connect Git-commit: 734bc5ff783115aa3164f4e9dd5967ae78e0a8ab -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git -Patch-mainline: Queued in subsystem maintainer repo +Patch-mainline: v5.15-rc1 References: CVE-2021-3640 bsc#1188172 In a future patch, calls to bh_lock_sock in sco.c should be replaced diff --git a/patches.suse/Bluetooth-fix-repeated-calls-to-sco_sock_kill.patch b/patches.suse/Bluetooth-fix-repeated-calls-to-sco_sock_kill.patch new file mode 100644 index 0000000..b59fc67 --- /dev/null +++ b/patches.suse/Bluetooth-fix-repeated-calls-to-sco_sock_kill.patch @@ -0,0 +1,82 @@ +From e1dee2c1de2b4dd00eb44004a4bda6326ed07b59 Mon Sep 17 00:00:00 2001 +From: Desmond Cheong Zhi Xi +Date: Tue, 10 Aug 2021 12:14:10 +0800 +Subject: [PATCH] Bluetooth: fix repeated calls to sco_sock_kill +Git-commit: e1dee2c1de2b4dd00eb44004a4bda6326ed07b59 +Patch-mainline: v5.15-rc1 +References: git-fixes + +In commit 4e1a720d0312 ("Bluetooth: avoid killing an already killed +socket"), a check was added to sco_sock_kill to skip killing a socket +if the SOCK_DEAD flag was set. + +This was done after a trace for a use-after-free bug showed that the +same sock pointer was being killed twice. + +Unfortunately, this check prevents sco_sock_kill from running on any +socket. sco_sock_kill kills a socket only if it's zapped and orphaned, +however sock_orphan announces that the socket is dead before detaching +it. i.e., orphaned sockets have the SOCK_DEAD flag set. + +To fix this, we remove the check for SOCK_DEAD, and avoid repeated +calls to sco_sock_kill by removing incorrect calls in: + +1. sco_sock_timeout. The socket should not be killed on timeout as +further processing is expected to be done. For example, +sco_sock_connect sets the timer then waits for the socket to be +connected or for an error to be returned. + +2. sco_conn_del. This function should clean up resources for the +connection, but the socket itself should be cleaned up in +sco_sock_release. + +3. sco_sock_close. Calls to sco_sock_close in sco_sock_cleanup_listen +and sco_sock_release are followed by sco_sock_kill. Hence the +duplicated call should be removed. + +Fixes: 4e1a720d0312 ("Bluetooth: avoid killing an already killed socket") +Signed-off-by: Desmond Cheong Zhi Xi +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + net/bluetooth/sco.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -83,8 +83,6 @@ static void sco_sock_timeout(unsigned lo + sk->sk_err = ETIMEDOUT; + sk->sk_state_change(sk); + release_sock(sk); +- +- sco_sock_kill(sk); + sock_put(sk); + } + +@@ -176,7 +174,6 @@ static void sco_conn_del(struct hci_conn + sco_sock_clear_timer(sk); + sco_chan_del(sk, err); + release_sock(sk); +- sco_sock_kill(sk); + sock_put(sk); + } + +@@ -378,8 +375,7 @@ static void sco_sock_cleanup_listen(stru + */ + static void sco_sock_kill(struct sock *sk) + { +- if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket || +- sock_flag(sk, SOCK_DEAD)) ++ if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) + return; + + BT_DBG("sk %p state %d", sk, sk->sk_state); +@@ -431,7 +427,6 @@ static void sco_sock_close(struct sock * + lock_sock(sk); + __sco_sock_close(sk); + release_sock(sk); +- sco_sock_kill(sk); + } + + static void sco_sock_init(struct sock *sk, struct sock *parent) diff --git a/patches.suse/Bluetooth-increase-BTNAMSIZ-to-21-chars-to-fix-poten.patch b/patches.suse/Bluetooth-increase-BTNAMSIZ-to-21-chars-to-fix-poten.patch new file mode 100644 index 0000000..6164247 --- /dev/null +++ b/patches.suse/Bluetooth-increase-BTNAMSIZ-to-21-chars-to-fix-poten.patch @@ -0,0 +1,40 @@ +From 713baf3dae8f45dc8ada4ed2f5fdcbf94a5c274d Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Wed, 4 Aug 2021 16:09:51 +0100 +Subject: [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow +Git-commit: 713baf3dae8f45dc8ada4ed2f5fdcbf94a5c274d +Patch-mainline: v5.15-rc1 +References: git-fixes + +An earlier commit replaced using batostr to using %pMR sprintf for the +construction of session->name. Static analysis detected that this new +method can use a total of 21 characters (including the trailing '\0') +so we need to increase the BTNAMSIZ from 18 to 21 to fix potential +buffer overflows. + +Addresses-coverity: ("Out-of-bounds write") +Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr") +Signed-off-by: Colin Ian King +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + net/bluetooth/cmtp/cmtp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h +index c32638dddbf9..f6b9dc4e408f 100644 +--- a/net/bluetooth/cmtp/cmtp.h ++++ b/net/bluetooth/cmtp/cmtp.h +@@ -26,7 +26,7 @@ + #include + #include + +-#define BTNAMSIZ 18 ++#define BTNAMSIZ 21 + + /* CMTP ioctl defines */ + #define CMTPCONNADD _IOW('C', 200, int) +-- +2.26.2 + diff --git a/patches.suse/Bluetooth-sco-Fix-lock_sock-blockage-by-memcpy_from_.patch b/patches.suse/Bluetooth-sco-Fix-lock_sock-blockage-by-memcpy_from_.patch new file mode 100644 index 0000000..b96c3e9 --- /dev/null +++ b/patches.suse/Bluetooth-sco-Fix-lock_sock-blockage-by-memcpy_from_.patch @@ -0,0 +1,96 @@ +From 99c23da0eed4fd20cae8243f2b51e10e66aa0951 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 28 Aug 2021 18:18:18 +0200 +Subject: [PATCH] Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() +Git-commit: 99c23da0eed4fd20cae8243f2b51e10e66aa0951 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git +Patch-mainline: Queued in subsystem maintainer repo +References: CVE-2021-3640 bsc#1188172 + +The sco_send_frame() also takes lock_sock() during memcpy_from_msg() +call that may be endlessly blocked by a task with userfaultd +technique, and this will result in a hung task watchdog trigger. + +Just like the similar fix for hci_sock_sendmsg() in commit +92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves +the memcpy_from_msg() out of lock_sock() for addressing the hang. + +This should be the last piece for fixing CVE-2021-3640 after a few +already queued fixes. + +Signed-off-by: Takashi Iwai +Signed-off-by: Marcel Holtmann + +--- + net/bluetooth/sco.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 98a881586512..b62c91c627e2 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -280,7 +280,8 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk) + return err; + } + +-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len) ++static int sco_send_frame(struct sock *sk, void *buf, int len, ++ unsigned int msg_flags) + { + struct sco_conn *conn = sco_pi(sk)->conn; + struct sk_buff *skb; +@@ -292,15 +293,11 @@ static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len) + + BT_DBG("sk %p len %d", sk, len); + +- skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); ++ skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err); + if (!skb) + return err; + +- if (memcpy_from_msg(skb_put(skb, len), msg, len)) { +- kfree_skb(skb); +- return -EFAULT; +- } +- ++ memcpy(skb_put(skb, len), buf, len); + hci_send_sco(conn->hcon, skb); + + return len; +@@ -725,6 +722,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg, + size_t len) + { + struct sock *sk = sock->sk; ++ void *buf; + int err; + + BT_DBG("sock %p, sk %p", sock, sk); +@@ -736,14 +734,24 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg, + if (msg->msg_flags & MSG_OOB) + return -EOPNOTSUPP; + ++ buf = kmalloc(len, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ ++ if (memcpy_from_msg(buf, msg, len)) { ++ kfree(buf); ++ return -EFAULT; ++ } ++ + lock_sock(sk); + + if (sk->sk_state == BT_CONNECTED) +- err = sco_send_frame(sk, msg, len); ++ err = sco_send_frame(sk, buf, len, msg->msg_flags); + else + err = -ENOTCONN; + + release_sock(sk); ++ kfree(buf); + return err; + } + +-- +2.26.2 + diff --git a/patches.suse/Bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch b/patches.suse/Bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch new file mode 100644 index 0000000..37a911d --- /dev/null +++ b/patches.suse/Bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch @@ -0,0 +1,45 @@ +From 59da0b38bc2ea570ede23a3332ecb3e7574ce6b2 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 25 Jun 2021 18:00:09 +0300 +Subject: [PATCH] Bluetooth: sco: prevent information leak in sco_conn_defer_accept() +Git-commit: 59da0b38bc2ea570ede23a3332ecb3e7574ce6b2 +Patch-mainline: v5.15-rc1 +References: git-fixes + +Smatch complains that some of these struct members are not initialized +leading to a stack information disclosure: + + net/bluetooth/sco.c:778 sco_conn_defer_accept() warn: + check that 'cp.retrans_effort' doesn't leak information + +This seems like a valid warning. I've added a default case to fix +this issue. + +Fixes: 2f69a82acf6f ("Bluetooth: Use voice setting in deferred SCO connection request") +Signed-off-by: Dan Carpenter +Signed-off-by: Marcel Holtmann +Acked-by: Takashi Iwai + +--- + net/bluetooth/sco.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index d9a4e88dacbb..ffa2a77a3e4c 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -773,6 +773,11 @@ static void sco_conn_defer_accept(struct hci_conn *conn, u16 setting) + cp.max_latency = cpu_to_le16(0xffff); + cp.retrans_effort = 0xff; + break; ++ default: ++ /* use CVSD settings as fallback */ ++ cp.max_latency = cpu_to_le16(0xffff); ++ cp.retrans_effort = 0xff; ++ break; + } + + hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, +-- +2.26.2 + diff --git a/patches.suse/Bluetooth-switch-to-lock_sock-in-SCO.patch b/patches.suse/Bluetooth-switch-to-lock_sock-in-SCO.patch index 608e539..790de31 100644 --- a/patches.suse/Bluetooth-switch-to-lock_sock-in-SCO.patch +++ b/patches.suse/Bluetooth-switch-to-lock_sock-in-SCO.patch @@ -3,8 +3,7 @@ From: Desmond Cheong Zhi Xi Date: Tue, 10 Aug 2021 12:14:07 +0800 Subject: [PATCH] Bluetooth: switch to lock_sock in SCO Git-commit: 27c24fda62b601d6f9ca5e992502578c4310876f -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git -Patch-mainline: Queued in subsystem maintainer repo +Patch-mainline: v5.15-rc1 References: CVE-2021-3640 bsc#1188172 Since sco_sock_timeout is now scheduled using delayed work, it is no diff --git a/patches.suse/PCI-MSI-Correct-misleading-comments.patch b/patches.suse/PCI-MSI-Correct-misleading-comments.patch new file mode 100644 index 0000000..1ed68e4 --- /dev/null +++ b/patches.suse/PCI-MSI-Correct-misleading-comments.patch @@ -0,0 +1,45 @@ +From 689e6b5351573c38ccf92a0dd8b3e2c2241e4aff Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 29 Jul 2021 23:51:45 +0200 +Subject: [PATCH] PCI/MSI: Correct misleading comments +Git-commit: 689e6b5351573c38ccf92a0dd8b3e2c2241e4aff +Patch-mainline: v5.14-rc6 +References: git-fixes + +The comments about preserving the cached state in pci_msi[x]_shutdown() are +misleading as the MSI descriptors are freed right after those functions +return. So there is nothing to restore. Preparatory change. + +Signed-off-by: Thomas Gleixner +Tested-by: Marc Zyngier +Reviewed-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210729222542.621609423@linutronix.de +Acked-by: Takashi Iwai + +--- + drivers/pci/msi.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/pci/msi.c ++++ b/drivers/pci/msi.c +@@ -903,7 +903,6 @@ static void pci_msi_shutdown(struct pci_ + + /* Return the device with MSI unmasked as initial states */ + mask = msi_mask(desc->msi_attrib.multi_cap); +- /* Keep cached state to be restored */ + __pci_msi_desc_mask_irq(desc, mask, 0); + + /* Restore dev->irq to its default pin-assertion irq */ +@@ -989,10 +988,8 @@ static void pci_msix_shutdown(struct pci + } + + /* Return the device with MSI-X masked as initial states */ +- for_each_pci_msi_entry(entry, dev) { +- /* Keep cached states to be restored */ ++ for_each_pci_msi_entry(entry, dev) + __pci_msix_desc_mask_irq(entry, 1); +- } + + pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_ENABLE, 0); + pci_intx_for_msi(dev, 1); diff --git a/patches.suse/PCI-MSI-Use-msi_mask_irq-in-pci_msi_shutdown.patch b/patches.suse/PCI-MSI-Use-msi_mask_irq-in-pci_msi_shutdown.patch new file mode 100644 index 0000000..5813160 --- /dev/null +++ b/patches.suse/PCI-MSI-Use-msi_mask_irq-in-pci_msi_shutdown.patch @@ -0,0 +1,33 @@ +From d28d4ad2a1aef27458b3383725bb179beb8d015c Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 29 Jul 2021 23:51:46 +0200 +Subject: [PATCH] PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() +Git-commit: d28d4ad2a1aef27458b3383725bb179beb8d015c +Patch-mainline: v5.14-rc6 +References: git-fixes + +No point in using the raw write function from shutdown. Preparatory change +to introduce proper serialization for the msi_desc::masked cache. + +Signed-off-by: Thomas Gleixner +Tested-by: Marc Zyngier +Reviewed-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210729222542.674391354@linutronix.de +Acked-by: Takashi Iwai + +--- + drivers/pci/msi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/msi.c ++++ b/drivers/pci/msi.c +@@ -903,7 +903,7 @@ static void pci_msi_shutdown(struct pci_ + + /* Return the device with MSI unmasked as initial states */ + mask = msi_mask(desc->msi_attrib.multi_cap); +- __pci_msi_desc_mask_irq(desc, mask, 0); ++ msi_mask_irq(desc, mask, 0); + + /* Restore dev->irq to its default pin-assertion irq */ + dev->irq = desc->msi_attrib.default_irq; diff --git a/patches.suse/PCI-PM-Enable-PME-if-it-can-be-signaled-from-D3cold.patch b/patches.suse/PCI-PM-Enable-PME-if-it-can-be-signaled-from-D3cold.patch new file mode 100644 index 0000000..85c3e5f --- /dev/null +++ b/patches.suse/PCI-PM-Enable-PME-if-it-can-be-signaled-from-D3cold.patch @@ -0,0 +1,56 @@ +From 0e00392a895c95c6d12d42158236c8862a2f43f2 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 29 Jul 2021 16:49:10 +0200 +Subject: [PATCH] PCI: PM: Enable PME if it can be signaled from D3cold +Git-commit: 0e00392a895c95c6d12d42158236c8862a2f43f2 +Patch-mainline: v5.15-rc1 +References: git-fixes + +PME signaling is only enabled by __pci_enable_wake() if the target +device can signal PME from the given target power state (to avoid +pointless reconfiguration of the device), but if the hierarchy above +the device goes into D3cold, the device itself will end up in D3cold +too, so if it can signal PME from D3cold, it should be enabled to +do so in __pci_enable_wake(). + +[Note that if the device does not end up in D3cold and it cannot + signal PME from the original target power state, it will not signal + PME, so in that case the behavior does not change.] + +Link: https://lore.kernel.org/linux-pm/3149540.aeNJFYEL58@kreacher/ +Fixes: 5bcc2fb4e815 ("PCI PM: Simplify PCI wake-up code") +Reported-by: Mika Westerberg +Reported-by: Utkarsh H Patel +Reported-by: Koba Ko +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mika Westerberg +Tested-by: Mika Westerberg +Acked-by: Takashi Iwai + +--- + drivers/pci/pci.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 2806f0ce4fee..a5e6759c407b 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2491,7 +2491,14 @@ static int __pci_enable_wake(struct pci_dev *dev, pci_power_t state, bool enable + if (enable) { + int error; + +- if (pci_pme_capable(dev, state)) ++ /* ++ * Enable PME signaling if the device can signal PME from ++ * D3cold regardless of whether or not it can signal PME from ++ * the current target state, because that will allow it to ++ * signal PME when the hierarchy above it goes into D3cold and ++ * the device itself ends up in D3cold as a result of that. ++ */ ++ if (pci_pme_capable(dev, state) || pci_pme_capable(dev, PCI_D3cold)) + pci_pme_active(dev, true); + else + ret = 1; +-- +2.26.2 + diff --git a/patches.suse/Revert-USB-serial-ch341-fix-character-loss-at-high-t.patch b/patches.suse/Revert-USB-serial-ch341-fix-character-loss-at-high-t.patch new file mode 100644 index 0000000..76aaa98 --- /dev/null +++ b/patches.suse/Revert-USB-serial-ch341-fix-character-loss-at-high-t.patch @@ -0,0 +1,49 @@ +From df7b16d1c00ecb3da3a30c999cdb39f273c99a2f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 24 Aug 2021 14:19:26 +0200 +Subject: [PATCH] Revert "USB: serial: ch341: fix character loss at high transfer rates" +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: df7b16d1c00ecb3da3a30c999cdb39f273c99a2f +Patch-mainline: v5.14 +References: git-fixes + +This reverts commit 3c18e9baee0ef97510dcda78c82285f52626764b. + +These devices do not appear to send a zero-length packet when the +transfer size is a multiple of the bulk-endpoint max-packet size. This +means that incoming data may not be processed by the driver until a +short packet is received or the receive buffer is full. + +Revert back to using endpoint-sized receive buffers to avoid stalled +reads. + +Reported-by: Paul Größel +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214131 +Fixes: 3c18e9baee0e ("USB: serial: ch341: fix character loss at high transfer rates") +Cc: stable@vger.kernel.org +Cc: Willy Tarreau +Link: https://lore.kernel.org/r/20210824121926.19311-1-johan@kernel.org +Signed-off-by: Johan Hovold +Acked-by: Takashi Iwai + +--- + drivers/usb/serial/ch341.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c +index 8a521b5ea769..2db917eab799 100644 +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -851,7 +851,6 @@ static struct usb_serial_driver ch341_device = { + .owner = THIS_MODULE, + .name = "ch341-uart", + }, +- .bulk_in_size = 512, + .id_table = id_table, + .num_ports = 1, + .open = ch341_open, +-- +2.26.2 + diff --git a/patches.suse/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch b/patches.suse/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch new file mode 100644 index 0000000..59f320d --- /dev/null +++ b/patches.suse/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch @@ -0,0 +1,42 @@ +From fd6729ec534cffbbeb3917761e6d1fe6a412d3fe Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 13 Aug 2021 14:34:38 +0300 +Subject: [PATCH] ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() +Git-commit: fd6729ec534cffbbeb3917761e6d1fe6a412d3fe +Patch-mainline: v5.15-rc1 +References: git-fixes + +This error path is unlikely because of it checked for NULL and +returned -ENOMEM earlier in the function. But it should return +an error code here as well if we ever do hit it because of a +race condition or something. + +Fixes: bdcd81707973 ("Add ath6kl cleaned up driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210813113438.GB30697@kili +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ath6kl/wmi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c +index b137e7f34397..bd1ef6334997 100644 +--- a/drivers/net/wireless/ath/ath6kl/wmi.c ++++ b/drivers/net/wireless/ath/ath6kl/wmi.c +@@ -2504,8 +2504,10 @@ static int ath6kl_wmi_sync_point(struct wmi *wmi, u8 if_idx) + goto free_data_skb; + + for (index = 0; index < num_pri_streams; index++) { +- if (WARN_ON(!data_sync_bufs[index].skb)) ++ if (WARN_ON(!data_sync_bufs[index].skb)) { ++ ret = -ENOMEM; + goto free_data_skb; ++ } + + ep_id = ath6kl_ac2_endpoint_id(wmi->parent_dev, + data_sync_bufs[index]. +-- +2.26.2 + diff --git a/patches.suse/bcma-Fix-memory-leak-for-internally-handled-cores.patch b/patches.suse/bcma-Fix-memory-leak-for-internally-handled-cores.patch new file mode 100644 index 0000000..99e5522 --- /dev/null +++ b/patches.suse/bcma-Fix-memory-leak-for-internally-handled-cores.patch @@ -0,0 +1,65 @@ +From b63aed3ff195130fef12e0af590f4838cf0201d8 Mon Sep 17 00:00:00 2001 +From: Zenghui Yu +Date: Tue, 27 Jul 2021 10:52:31 +0800 +Subject: [PATCH] bcma: Fix memory leak for internally-handled cores +Git-commit: b63aed3ff195130fef12e0af590f4838cf0201d8 +Patch-mainline: v5.15-rc1 +References: git-fixes + +kmemleak reported that dev_name() of internally-handled cores were leaked +on driver unbinding. Let's use device_initialize() to take refcounts for +them and put_device() to properly free the related stuff. + +While looking at it, there's another potential issue for those which should +be *registered* into driver core. If device_register() failed, we put +device once and freed bcma_device structures. In bcma_unregister_cores(), +they're treated as unregistered and we hit both UAF and double-free. That +smells not good and has also been fixed now. + +Fixes: ab54bc8460b5 ("bcma: fill core details for every device") +Signed-off-by: Zenghui Yu +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210727025232.663-2-yuzenghui@huawei.com +Acked-by: Takashi Iwai + +--- + drivers/bcma/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c +index 6535614a7dc1..1df2b5801c3b 100644 +--- a/drivers/bcma/main.c ++++ b/drivers/bcma/main.c +@@ -236,6 +236,7 @@ EXPORT_SYMBOL(bcma_core_irq); + + void bcma_prepare_core(struct bcma_bus *bus, struct bcma_device *core) + { ++ device_initialize(&core->dev); + core->dev.release = bcma_release_core_dev; + core->dev.bus = &bcma_bus_type; + dev_set_name(&core->dev, "bcma%d:%d", bus->num, core->core_index); +@@ -277,11 +278,10 @@ static void bcma_register_core(struct bcma_bus *bus, struct bcma_device *core) + { + int err; + +- err = device_register(&core->dev); ++ err = device_add(&core->dev); + if (err) { + bcma_err(bus, "Could not register dev for core 0x%03X\n", + core->id.id); +- put_device(&core->dev); + return; + } + core->dev_registered = true; +@@ -372,7 +372,7 @@ void bcma_unregister_cores(struct bcma_bus *bus) + /* Now noone uses internally-handled cores, we can free them */ + list_for_each_entry_safe(core, tmp, &bus->cores, list) { + list_del(&core->list); +- kfree(core); ++ put_device(&core->dev); + } + } + +-- +2.26.2 + diff --git a/patches.suse/can-usb-esd_usb2-esd_usb2_rx_event-fix-the-interchan.patch b/patches.suse/can-usb-esd_usb2-esd_usb2_rx_event-fix-the-interchan.patch new file mode 100644 index 0000000..7b075bc --- /dev/null +++ b/patches.suse/can-usb-esd_usb2-esd_usb2_rx_event-fix-the-interchan.patch @@ -0,0 +1,45 @@ +From 044012b52029204900af9e4230263418427f4ba4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stefan=20M=C3=A4tje?= +Date: Wed, 25 Aug 2021 23:52:27 +0200 +Subject: [PATCH] can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 044012b52029204900af9e4230263418427f4ba4 +Patch-mainline: v5.14 +References: git-fixes + +This patch fixes the interchanged fetch of the CAN RX and TX error +counters from the ESD_EV_CAN_ERROR_EXT message. The RX error counter +is really in struct rx_msg::data[2] and the TX error counter is in +struct rx_msg::data[3]. + +Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") +Link: https://lore.kernel.org/r/20210825215227.4947-2-stefan.maetje@esd.eu +Cc: stable@vger.kernel.org +Signed-off-by: Stefan Mätje +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + drivers/net/can/usb/esd_usb2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c +index 66fa8b07c2e6..95ae740fc311 100644 +--- a/drivers/net/can/usb/esd_usb2.c ++++ b/drivers/net/can/usb/esd_usb2.c +@@ -224,8 +224,8 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv, + if (id == ESD_EV_CAN_ERROR_EXT) { + u8 state = msg->msg.rx.data[0]; + u8 ecc = msg->msg.rx.data[1]; +- u8 txerr = msg->msg.rx.data[2]; +- u8 rxerr = msg->msg.rx.data[3]; ++ u8 rxerr = msg->msg.rx.data[2]; ++ u8 txerr = msg->msg.rx.data[3]; + + skb = alloc_can_err_skb(priv->netdev, &cf); + if (skb == NULL) { +-- +2.26.2 + diff --git a/patches.suse/i2c-dev-zero-out-array-used-for-i2c-reads-from-users.patch b/patches.suse/i2c-dev-zero-out-array-used-for-i2c-reads-from-users.patch new file mode 100644 index 0000000..d3bc9cf --- /dev/null +++ b/patches.suse/i2c-dev-zero-out-array-used-for-i2c-reads-from-users.patch @@ -0,0 +1,53 @@ +From 86ff25ed6cd8240d18df58930bd8848b19fce308 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 29 Jul 2021 16:35:32 +0200 +Subject: [PATCH] i2c: dev: zero out array used for i2c reads from userspace +Git-commit: 86ff25ed6cd8240d18df58930bd8848b19fce308 +Patch-mainline: v5.14-rc6 +References: git-fixes + +If an i2c driver happens to not provide the full amount of data that a +user asks for, it is possible that some uninitialized data could be sent +to userspace. While all in-kernel drivers look to be safe, just be sure +by initializing the buffer to zero before it is passed to the i2c driver +so that any future drivers will not have this issue. + +Also properly copy the amount of data recvieved to the userspace buffer, +as pointed out by Dan Carpenter. + +Reported-by: Eric Dumazet +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Wolfram Sang +Acked-by: Takashi Iwai + +--- + drivers/i2c/i2c-dev.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index cb64fe649390..77f576e51652 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -141,7 +141,7 @@ static ssize_t i2cdev_read(struct file *file, char __user *buf, size_t count, + if (count > 8192) + count = 8192; + +- tmp = kmalloc(count, GFP_KERNEL); ++ tmp = kzalloc(count, GFP_KERNEL); + if (tmp == NULL) + return -ENOMEM; + +@@ -150,7 +150,8 @@ static ssize_t i2cdev_read(struct file *file, char __user *buf, size_t count, + + ret = i2c_master_recv(client, tmp, count); + if (ret >= 0) +- ret = copy_to_user(buf, tmp, count) ? -EFAULT : ret; ++ if (copy_to_user(buf, tmp, ret)) ++ ret = -EFAULT; + kfree(tmp); + return ret; + } +-- +2.26.2 + diff --git a/patches.suse/i2c-highlander-add-IRQ-check.patch b/patches.suse/i2c-highlander-add-IRQ-check.patch new file mode 100644 index 0000000..3b2ff8d --- /dev/null +++ b/patches.suse/i2c-highlander-add-IRQ-check.patch @@ -0,0 +1,39 @@ +From f16a3bb69aa6baabf8f0aca982c8cf21e2a4f6bc Mon Sep 17 00:00:00 2001 +From: Sergey Shtylyov +Date: Sun, 30 May 2021 22:13:45 +0300 +Subject: [PATCH] i2c: highlander: add IRQ check +Git-commit: f16a3bb69aa6baabf8f0aca982c8cf21e2a4f6bc +Patch-mainline: v5.15-rc1 +References: git-fixes + +The driver is written as if platform_get_irq() returns 0 on errors (while +actually it returns a negative error code), blithely passing these error +codes to request_irq() (which takes *unsigned* IRQ #) -- which fails with +-EINVAL. Add the necessary error check to the pre-existing *if* statement +forcing the driver into the polling mode... + +Fixes: 4ad48e6ab18c ("i2c: Renesas Highlander FPGA SMBus support") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Acked-by: Takashi Iwai + +--- + drivers/i2c/busses/i2c-highlander.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-highlander.c b/drivers/i2c/busses/i2c-highlander.c +index 803dad70e2a7..a2add128d084 100644 +--- a/drivers/i2c/busses/i2c-highlander.c ++++ b/drivers/i2c/busses/i2c-highlander.c +@@ -379,7 +379,7 @@ static int highlander_i2c_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, dev); + + dev->irq = platform_get_irq(pdev, 0); +- if (iic_force_poll) ++ if (dev->irq < 0 || iic_force_poll) + dev->irq = 0; + + if (dev->irq) { +-- +2.26.2 + diff --git a/patches.suse/i2c-iop3xx-fix-deferred-probing.patch b/patches.suse/i2c-iop3xx-fix-deferred-probing.patch new file mode 100644 index 0000000..53a6598 --- /dev/null +++ b/patches.suse/i2c-iop3xx-fix-deferred-probing.patch @@ -0,0 +1,53 @@ +From a1299505162ad00def3573260c2c68b9c8e8d697 Mon Sep 17 00:00:00 2001 +From: Sergey Shtylyov +Date: Thu, 12 Aug 2021 23:35:09 +0300 +Subject: [PATCH] i2c: iop3xx: fix deferred probing +Git-commit: a1299505162ad00def3573260c2c68b9c8e8d697 +Patch-mainline: v5.15-rc1 +References: git-fixes + +When adding the code to handle platform_get_irq*() errors in the commit +489447380a29 ("handle errors returned by platform_get_irq*()"), the +actual error code was enforced to be -ENXIO in the driver for some +strange reason. This didn't matter much until the deferred probing was +introduced -- which requires an actual error code to be propagated +upstream from the failure site. + +While fixing this, also stop overriding the errors from request_irq() to +-EIO (done since the pre-git era). + +Fixes: 489447380a29 ("[PATCH] handle errors returned by platform_get_irq*()") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Acked-by: Takashi Iwai + +--- + drivers/i2c/busses/i2c-iop3xx.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-iop3xx.c b/drivers/i2c/busses/i2c-iop3xx.c +index cfecaf18ccbb..4a6ff54d87fe 100644 +--- a/drivers/i2c/busses/i2c-iop3xx.c ++++ b/drivers/i2c/busses/i2c-iop3xx.c +@@ -469,16 +469,14 @@ iop3xx_i2c_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- ret = -ENXIO; ++ ret = irq; + goto unmap; + } + ret = request_irq(irq, iop3xx_i2c_irq_handler, 0, + pdev->name, adapter_data); + +- if (ret) { +- ret = -EIO; ++ if (ret) + goto unmap; +- } + + memcpy(new_adapter->name, pdev->name, strlen(pdev->name)); + new_adapter->owner = THIS_MODULE; +-- +2.26.2 + diff --git a/patches.suse/i2c-mt65xx-fix-IRQ-check.patch b/patches.suse/i2c-mt65xx-fix-IRQ-check.patch new file mode 100644 index 0000000..753a5df --- /dev/null +++ b/patches.suse/i2c-mt65xx-fix-IRQ-check.patch @@ -0,0 +1,38 @@ +From 58fb7c643d346e2364404554f531cfa6a1a3917c Mon Sep 17 00:00:00 2001 +From: Sergey Shtylyov +Date: Sun, 4 Jul 2021 17:38:45 +0300 +Subject: [PATCH] i2c: mt65xx: fix IRQ check +Git-commit: 58fb7c643d346e2364404554f531cfa6a1a3917c +Patch-mainline: v5.15-rc1 +References: git-fixes + +Iff platform_get_irq() returns 0, the driver's probe() method will return 0 +early (as if the method's call was successful). Let's consider IRQ0 valid +for simplicity -- devm_request_irq() can always override that decision... + +Fixes: ce38815d39ea ("I2C: mediatek: Add driver for MediaTek I2C controller") +Signed-off-by: Sergey Shtylyov +Reviewed-by: Qii Wang +Signed-off-by: Wolfram Sang +Acked-by: Takashi Iwai + +--- + drivers/i2c/busses/i2c-mt65xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-mt65xx.c b/drivers/i2c/busses/i2c-mt65xx.c +index 4ca716e09149..477480d1de6b 100644 +--- a/drivers/i2c/busses/i2c-mt65xx.c ++++ b/drivers/i2c/busses/i2c-mt65xx.c +@@ -1211,7 +1211,7 @@ static int mtk_i2c_probe(struct platform_device *pdev) + return PTR_ERR(i2c->pdmabase); + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) ++ if (irq < 0) + return irq; + + init_completion(&i2c->msg_complete); +-- +2.26.2 + diff --git a/patches.suse/i2c-s3c2410-fix-IRQ-check.patch b/patches.suse/i2c-s3c2410-fix-IRQ-check.patch new file mode 100644 index 0000000..344c703 --- /dev/null +++ b/patches.suse/i2c-s3c2410-fix-IRQ-check.patch @@ -0,0 +1,38 @@ +From d6840a5e370b7ea4fde16ce2caf431bcc87f9a75 Mon Sep 17 00:00:00 2001 +From: Sergey Shtylyov +Date: Sun, 4 Jul 2021 17:45:25 +0300 +Subject: [PATCH] i2c: s3c2410: fix IRQ check +Git-commit: d6840a5e370b7ea4fde16ce2caf431bcc87f9a75 +Patch-mainline: v5.15-rc1 +References: git-fixes + +Iff platform_get_irq() returns 0, the driver's probe() method will return 0 +early (as if the method's call was successful). Let's consider IRQ0 valid +for simplicity -- devm_request_irq() can always override that decision... + +Fixes: e0d1ec97853f ("i2c-s3c2410: Change IRQ to be plain integer.") +Signed-off-by: Sergey Shtylyov +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Wolfram Sang +Acked-by: Takashi Iwai + +--- + drivers/i2c/busses/i2c-s3c2410.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c +index 4d82761e1585..b49a1b170bb2 100644 +--- a/drivers/i2c/busses/i2c-s3c2410.c ++++ b/drivers/i2c/busses/i2c-s3c2410.c +@@ -1137,7 +1137,7 @@ static int s3c24xx_i2c_probe(struct platform_device *pdev) + */ + if (!(i2c->quirks & QUIRK_POLL)) { + i2c->irq = ret = platform_get_irq(pdev, 0); +- if (ret <= 0) { ++ if (ret < 0) { + dev_err(&pdev->dev, "cannot find IRQ\n"); + clk_unprepare(i2c->clk); + return ret; +-- +2.26.2 + diff --git a/patches.suse/i40e-Fix-Error-I40E_AQ_RC_EINVAL-when-removing-VFs.patch b/patches.suse/i40e-Fix-Error-I40E_AQ_RC_EINVAL-when-removing-VFs.patch new file mode 100644 index 0000000..4b2039e --- /dev/null +++ b/patches.suse/i40e-Fix-Error-I40E_AQ_RC_EINVAL-when-removing-VFs.patch @@ -0,0 +1,99 @@ +From dd809e91c9cb9b538d42b06045c07a553d7cff28 Mon Sep 17 00:00:00 2001 +From: Sylwester Dziedziuch +Date: Thu, 22 Oct 2020 12:39:36 +0200 +Subject: [PATCH 3/5] i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs +Git-commit: 3ac874fa84d1baaf0c0175f2a1499f5d88d528b2 +References: git-fixes +Patch-mainline: v5.11-rc3 + +When removing VFs for PF added to bridge there was +an error I40E_AQ_RC_EINVAL. It was caused by not properly +resetting and reinitializing PF when adding/removing VFs. +Changed how reset is performed when adding/removing VFs +to properly reinitialize PFs VSI. + +Fixes: fc60861e9b00 ("i40e: start up in VEPA mode by default") +Signed-off-by: Sylwester Dziedziuch +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/intel/i40e/i40e.h | 3 +++ + drivers/net/ethernet/intel/i40e/i40e_main.c | 10 ++++++++++ + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 ++-- + 3 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h +index ceedbc6eede8..2671c230abb3 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -151,6 +151,7 @@ enum i40e_state_t { + __I40E_RESET_INTR_RECEIVED, + __I40E_REINIT_REQUESTED, + __I40E_PF_RESET_REQUESTED, ++ __I40E_PF_RESET_AND_REBUILD_REQUESTED, + __I40E_CORE_RESET_REQUESTED, + __I40E_GLOBAL_RESET_REQUESTED, + __I40E_EMP_RESET_REQUESTED, +@@ -180,6 +181,8 @@ enum i40e_state_t { + }; + + #define I40E_PF_RESET_FLAG BIT_ULL(__I40E_PF_RESET_REQUESTED) ++#define I40E_PF_RESET_AND_REBUILD_FLAG \ ++ BIT_ULL(__I40E_PF_RESET_AND_REBUILD_REQUESTED) + + /* VSI state flags */ + enum i40e_vsi_state_t { +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 3aaeae19b8fd..be388ab8d535 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -67,6 +67,8 @@ static int i40e_setup_misc_vector(struct i40e_pf *pf); + static void i40e_determine_queue_usage(struct i40e_pf *pf); + static int i40e_setup_pf_filter_control(struct i40e_pf *pf); + static void i40e_prep_for_reset(struct i40e_pf *pf, bool lock_acquired); ++static void i40e_reset_and_rebuild(struct i40e_pf *pf, bool reinit, ++ bool lock_acquired); + static int i40e_reset(struct i40e_pf *pf); + static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired); + static int i40e_setup_misc_vector_for_recovery_mode(struct i40e_pf *pf); +@@ -8046,6 +8048,14 @@ void i40e_do_reset(struct i40e_pf *pf, u32 reset_flags, bool lock_acquired) + dev_dbg(&pf->pdev->dev, "PFR requested\n"); + i40e_handle_reset_warning(pf, lock_acquired); + ++ } else if (reset_flags & I40E_PF_RESET_AND_REBUILD_FLAG) { ++ /* Request a PF Reset ++ * ++ * Resets PF and reinitializes PFs VSI. ++ */ ++ i40e_prep_for_reset(pf, lock_acquired); ++ i40e_reset_and_rebuild(pf, true, lock_acquired); ++ + } else if (reset_flags & BIT_ULL(__I40E_REINIT_REQUESTED)) { + int v; + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 379c55701b62..5c40f3790f64 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -1730,7 +1730,7 @@ int i40e_pci_sriov_configure(struct pci_dev *pdev, int num_vfs) + if (num_vfs) { + if (!(pf->flags & I40E_FLAG_VEB_MODE_ENABLED)) { + pf->flags |= I40E_FLAG_VEB_MODE_ENABLED; +- i40e_do_reset_safe(pf, I40E_PF_RESET_FLAG); ++ i40e_do_reset_safe(pf, I40E_PF_RESET_AND_REBUILD_FLAG); + } + ret = i40e_pci_sriov_enable(pdev, num_vfs); + goto sriov_configure_out; +@@ -1739,7 +1739,7 @@ int i40e_pci_sriov_configure(struct pci_dev *pdev, int num_vfs) + if (!pci_vfs_assigned(pf->pdev)) { + i40e_free_vfs(pf); + pf->flags &= ~I40E_FLAG_VEB_MODE_ENABLED; +- i40e_do_reset_safe(pf, I40E_PF_RESET_FLAG); ++ i40e_do_reset_safe(pf, I40E_PF_RESET_AND_REBUILD_FLAG); + } else { + dev_warn(&pdev->dev, "Unable to free VFs because some are assigned to VMs.\n"); + ret = -EINVAL; +-- +2.16.4 + diff --git a/patches.suse/l2tp-pass-tunnel-pointer-to-session_create.patch b/patches.suse/l2tp-pass-tunnel-pointer-to-session_create.patch index e6aa3ce..f92ab70 100644 --- a/patches.suse/l2tp-pass-tunnel-pointer-to-session_create.patch +++ b/patches.suse/l2tp-pass-tunnel-pointer-to-session_create.patch @@ -3,7 +3,7 @@ Date: Fri, 1 Sep 2017 17:58:51 +0200 Subject: l2tp: pass tunnel pointer to ->session_create() Patch-mainline: v4.14-rc1 Git-commit: f026bc29a8e093edfbb2a77700454b285c97e8ad -References: bsc#1076830 +References: CVE-2018-9517 bsc#1076830 bsc#1108488 Using l2tp_tunnel_find() in pppol2tp_session_create() and l2tp_eth_create() is racy, because no reference is held on the diff --git a/patches.suse/mac80211-Fix-insufficient-headroom-issue-for-AMSDU.patch b/patches.suse/mac80211-Fix-insufficient-headroom-issue-for-AMSDU.patch new file mode 100644 index 0000000..49f8d38 --- /dev/null +++ b/patches.suse/mac80211-Fix-insufficient-headroom-issue-for-AMSDU.patch @@ -0,0 +1,43 @@ +From f50d2ff8f016b79a2ff4acd5943a1eda40c545d4 Mon Sep 17 00:00:00 2001 +From: Chih-Kang Chang +Date: Mon, 16 Aug 2021 16:51:28 +0800 +Subject: [PATCH] mac80211: Fix insufficient headroom issue for AMSDU +Git-commit: f50d2ff8f016b79a2ff4acd5943a1eda40c545d4 +Patch-mainline: v5.15-rc1 +References: git-fixes + +ieee80211_amsdu_realloc_pad() fails to account for extra_tx_headroom, +the original reserved headroom might be eaten. Add the necessary +extra_tx_headroom. + +Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support") +Signed-off-by: Chih-Kang Chang +Signed-off-by: Ping-Ke Shih +Link: https://lore.kernel.org/r/20210816085128.10931-2-pkshih@realtek.com +[fix indentation] + +Signed-off-by: Johannes Berg +Acked-by: Takashi Iwai + +--- + net/mac80211/tx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 1f7571777fb1..2d1193ed3eb5 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3242,7 +3242,9 @@ static bool ieee80211_amsdu_prepare_head(struct ieee80211_sub_if_data *sdata, + if (info->control.flags & IEEE80211_TX_CTRL_AMSDU) + return true; + +- if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr))) ++ if (!ieee80211_amsdu_realloc_pad(local, skb, ++ sizeof(*amsdu_hdr) + ++ local->hw.extra_tx_headroom)) + return false; + + data = skb_push(skb, sizeof(*amsdu_hdr)); +-- +2.26.2 + diff --git a/patches.suse/md-display-timeout-error.patch b/patches.suse/md-display-timeout-error.patch index 0db86df..65cba2e 100644 --- a/patches.suse/md-display-timeout-error.patch +++ b/patches.suse/md-display-timeout-error.patch @@ -19,7 +19,7 @@ Signed-off-by: Neil Brown --- a/drivers/md/md.c +++ b/drivers/md/md.c -@@ -865,8 +865,10 @@ static void super_written(struct bio *bi +@@ -901,8 +901,10 @@ static void super_written(struct bio *bi if (bio->bi_status) { pr_err("md: super_written gets error=%d\n", bio->bi_status); md_error(mddev, rdev); @@ -32,7 +32,7 @@ Signed-off-by: Neil Brown set_bit(MD_SB_NEED_REWRITE, &mddev->sb_flags); set_bit(LastDev, &rdev->flags); } -@@ -1231,6 +1233,7 @@ static int super_90_validate(struct mdde +@@ -1267,6 +1269,7 @@ static int super_90_validate(struct mdde rdev->raid_disk = -1; clear_bit(Faulty, &rdev->flags); @@ -40,7 +40,7 @@ Signed-off-by: Neil Brown clear_bit(In_sync, &rdev->flags); clear_bit(Bitmap_sync, &rdev->flags); clear_bit(WriteMostly, &rdev->flags); -@@ -1746,6 +1749,7 @@ static int super_1_validate(struct mddev +@@ -1782,6 +1785,7 @@ static int super_1_validate(struct mddev rdev->raid_disk = -1; clear_bit(Faulty, &rdev->flags); @@ -48,7 +48,7 @@ Signed-off-by: Neil Brown clear_bit(In_sync, &rdev->flags); clear_bit(Bitmap_sync, &rdev->flags); clear_bit(WriteMostly, &rdev->flags); -@@ -1872,6 +1876,9 @@ static int super_1_validate(struct mddev +@@ -1908,6 +1912,9 @@ static int super_1_validate(struct mddev break; case MD_DISK_ROLE_JOURNAL: /* journal device */ if (!(le32_to_cpu(sb->feature_map) & MD_FEATURE_JOURNAL)) { @@ -58,7 +58,7 @@ Signed-off-by: Neil Brown /* journal device without journal feature */ pr_warn("md: journal device provided without journal feature, ignoring the device\n"); return -EINVAL; -@@ -1880,6 +1887,11 @@ static int super_1_validate(struct mddev +@@ -1916,6 +1923,11 @@ static int super_1_validate(struct mddev rdev->journal_tail = le64_to_cpu(sb->journal_tail); rdev->raid_disk = 0; break; @@ -70,7 +70,7 @@ Signed-off-by: Neil Brown default: rdev->saved_raid_disk = role; if ((le32_to_cpu(sb->feature_map) & -@@ -2065,9 +2077,12 @@ retry: +@@ -2101,9 +2113,12 @@ retry: rdev_for_each(rdev2, mddev) { i = rdev2->desc_nr; @@ -86,7 +86,7 @@ Signed-off-by: Neil Brown sb->dev_roles[i] = cpu_to_le16(rdev2->raid_disk); else if (test_bit(Journal, &rdev2->flags)) sb->dev_roles[i] = cpu_to_le16(MD_DISK_ROLE_JOURNAL); -@@ -2824,6 +2839,8 @@ state_show(struct md_rdev *rdev, char *p +@@ -2860,6 +2875,8 @@ state_show(struct md_rdev *rdev, char *p (!test_bit(ExternalBbl, &flags) && rdev->badblocks.unacked_exist)) len += sprintf(page+len, "faulty%s", sep); @@ -95,7 +95,7 @@ Signed-off-by: Neil Brown if (test_bit(In_sync, &flags)) len += sprintf(page+len, "in_sync%s", sep); if (test_bit(Journal, &flags)) -@@ -2879,6 +2896,11 @@ state_store(struct md_rdev *rdev, const +@@ -2915,6 +2932,11 @@ state_store(struct md_rdev *rdev, const err = 0; else err = -EBUSY; @@ -107,7 +107,7 @@ Signed-off-by: Neil Brown } else if (cmd_match(buf, "remove")) { if (rdev->mddev->pers) { clear_bit(Blocked, &rdev->flags); -@@ -3130,6 +3152,7 @@ slot_store(struct md_rdev *rdev, const c +@@ -3166,6 +3188,7 @@ slot_store(struct md_rdev *rdev, const c rdev->raid_disk = slot; /* assume it is working */ clear_bit(Faulty, &rdev->flags); @@ -115,7 +115,7 @@ Signed-off-by: Neil Brown clear_bit(WriteMostly, &rdev->flags); set_bit(In_sync, &rdev->flags); sysfs_notify_dirent_safe(rdev->sysfs_state); -@@ -6498,9 +6521,11 @@ static int get_disk_info(struct mddev *m +@@ -6532,9 +6555,11 @@ static int get_disk_info(struct mddev *m info.minor = MINOR(rdev->bdev->bd_dev); info.raid_disk = rdev->raid_disk; info.state = 0; @@ -129,7 +129,7 @@ Signed-off-by: Neil Brown info.state |= (1<flags)) seq_printf(seq, "(J)"); if (test_bit(Faulty, &rdev->flags)) { @@ -171,15 +171,15 @@ Signed-off-by: Neil Brown /* * this branch is our 'one mirror IO has finished' event handler: */ -@@ -515,6 +517,8 @@ static void raid10_end_write_request(str +@@ -513,6 +515,8 @@ static void raid10_end_write_request(str if (!test_bit(Faulty, &rdev->flags)) set_bit(R10BIO_WriteError, &r10_bio->state); else { + if (bio->bi_status == BLK_STS_TIMEOUT) + set_bit(Timeout, &rdev->flags); + /* Fail the request */ + set_bit(R10BIO_Degraded, &r10_bio->state); r10_bio->devs[slot].bio = NULL; - to_put = bio; - dec_rdev = 1; @@ -950,7 +954,11 @@ static void flush_pending_writes(struct bio->bi_next = NULL; bio_set_dev(bio, rdev->bdev); diff --git a/patches.suse/media-go7007-fix-memory-leak-in-go7007_usb_probe.patch b/patches.suse/media-go7007-fix-memory-leak-in-go7007_usb_probe.patch new file mode 100644 index 0000000..26c43c2 --- /dev/null +++ b/patches.suse/media-go7007-fix-memory-leak-in-go7007_usb_probe.patch @@ -0,0 +1,66 @@ +From 47d94dad8e64b2fc1d8f66ce7acf714f9462c60f Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Sun, 20 Jun 2021 21:45:02 +0200 +Subject: [PATCH] media: go7007: fix memory leak in go7007_usb_probe +Git-commit: 47d94dad8e64b2fc1d8f66ce7acf714f9462c60f +References: git-fixes +Patch-mainline: v5.15-rc1 + +In commit 137641287eb4 ("go7007: add sanity checking for endpoints") +endpoint sanity check was introduced, but if check fails it simply +returns with leaked pointers. + +Cutted log from my local syzbot instance: + +BUG: memory leak +unreferenced object 0xffff8880209f0000 (size 8192): + comm "kworker/0:4", pid 4916, jiffies 4295263583 (age 29.310s) + hex dump (first 32 bytes): + 30 b0 27 22 80 88 ff ff 75 73 62 2d 64 75 6d 6d 0.'"....usb-dumm + 79 5f 68 63 64 2e 33 2d 31 00 00 00 00 00 00 00 y_hcd.3-1....... + backtrace: + [] kmalloc include/linux/slab.h:556 [inline] + [] kzalloc include/linux/slab.h:686 [inline] + [] go7007_alloc+0x46/0xb40 drivers/media/usb/go7007/go7007-driver.c:696 + [] go7007_usb_probe+0x13e/0x2200 drivers/media/usb/go7007/go7007-usb.c:1114 + [] usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396 + [] really_probe+0x291/0xf60 drivers/base/dd.c:576 + +BUG: memory leak +unreferenced object 0xffff88801e2f2800 (size 512): + comm "kworker/0:4", pid 4916, jiffies 4295263583 (age 29.310s) + hex dump (first 32 bytes): + 00 87 40 8a ff ff ff ff 00 00 00 00 00 00 00 00 ..@............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmalloc include/linux/slab.h:556 [inline] + [] kzalloc include/linux/slab.h:686 [inline] + [] go7007_usb_probe+0x184/0x2200 drivers/media/usb/go7007/go7007-usb.c:1118 + [] usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396 + [] really_probe+0x291/0xf60 drivers/base/dd.c:576 + +Fixes: 137641287eb4 ("go7007: add sanity checking for endpoints") +Signed-off-by: Pavel Skripkin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/usb/go7007/go7007-usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c +index dbf0455d5d50..eeb85981e02b 100644 +--- a/drivers/media/usb/go7007/go7007-usb.c ++++ b/drivers/media/usb/go7007/go7007-usb.c +@@ -1134,7 +1134,7 @@ static int go7007_usb_probe(struct usb_interface *intf, + + ep = usb->usbdev->ep_in[4]; + if (!ep) +- return -ENODEV; ++ goto allocfail; + + /* Allocate the URB and buffer for receiving incoming interrupts */ + usb->intr_urb = usb_alloc_urb(0, GFP_KERNEL); +-- +2.26.2 + diff --git a/patches.suse/memcg-enable-accounting-for-file-lock-caches.patch b/patches.suse/memcg-enable-accounting-for-file-lock-caches.patch new file mode 100644 index 0000000..36fbe0f --- /dev/null +++ b/patches.suse/memcg-enable-accounting-for-file-lock-caches.patch @@ -0,0 +1,67 @@ +From: Vasily Averin +Date: Thu, 2 Sep 2021 14:55:19 -0700 +Subject: memcg: enable accounting for file lock caches +Git-commit: 0f12156dff2862ac54235fc72703f18770769042 +Patch-mainline: v5.15-rc1 +References: bsc#1190115 + +User can create file locks for each open file and force kernel to allocate +small but long-living objects per each open file. + +It makes sense to account for these objects to limit the host's memory +consumption from inside the memcg-limited container. + +Link: https://lkml.kernel.org/r/b009f4c7-f0ab-c0ec-8e83-918f47d677da@virtuozzo.com +Signed-off-by: Vasily Averin +Reviewed-by: Shakeel Butt +Cc: Alexander Viro +Cc: Alexey Dobriyan +Cc: Andrei Vagin +Cc: Borislav Petkov +Cc: Borislav Petkov +Cc: Christian Brauner +Cc: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: "Eric W. Biederman" +Cc: Greg Kroah-Hartman +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: "J. Bruce Fields" +Cc: Jeff Layton +Cc: Jens Axboe +Cc: Jiri Slaby +Cc: Johannes Weiner +Cc: Kirill Tkhai +Cc: Michal Hocko +Cc: Oleg Nesterov +Cc: Roman Gushchin +Cc: Serge Hallyn +Cc: Tejun Heo +Cc: Thomas Gleixner +Cc: Vladimir Davydov +Cc: Yutian Yang +Cc: Zefan Li +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[mkoutny: adjust context] +Acked-by: Michal Koutný +--- + fs/locks.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -2813,10 +2813,12 @@ static int __init filelock_init(void) + int i; + + flctx_cache = kmem_cache_create("file_lock_ctx", +- sizeof(struct file_lock_context), 0, SLAB_PANIC, NULL); ++ sizeof(struct file_lock_context), 0, ++ SLAB_PANIC | SLAB_ACCOUNT, NULL); + + filelock_cache = kmem_cache_create("file_lock_cache", +- sizeof(struct file_lock), 0, SLAB_PANIC, NULL); ++ sizeof(struct file_lock), 0, ++ SLAB_PANIC | SLAB_ACCOUNT, NULL); + + + for_each_possible_cpu(i) { diff --git a/patches.suse/memcg-enable-accounting-of-ipc-resources.patch b/patches.suse/memcg-enable-accounting-of-ipc-resources.patch new file mode 100644 index 0000000..01c0792 --- /dev/null +++ b/patches.suse/memcg-enable-accounting-of-ipc-resources.patch @@ -0,0 +1,119 @@ +From: Vasily Averin +Date: Thu, 2 Sep 2021 14:55:31 -0700 +Subject: memcg: enable accounting of ipc resources +Git-commit: 18319498fdd4cdf8c1c2c48cd432863b1f915d6f +Patch-mainline: v5.15-rc1 +References: bsc#1190115 CVE-2021-3759 + +When user creates IPC objects it forces kernel to allocate memory for +these long-living objects. + +It makes sense to account them to restrict the host's memory consumption +from inside the memcg-limited container. + +This patch enables accounting for IPC shared memory segments, messages +semaphores and semaphore's undo lists. + +Link: https://lkml.kernel.org/r/d6507b06-4df6-78f8-6c54-3ae86e3b5339@virtuozzo.com +Signed-off-by: Vasily Averin +Reviewed-by: Shakeel Butt +Cc: Alexander Viro +Cc: Alexey Dobriyan +Cc: Andrei Vagin +Cc: Borislav Petkov +Cc: Borislav Petkov +Cc: Christian Brauner +Cc: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: "Eric W. Biederman" +Cc: Greg Kroah-Hartman +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: "J. Bruce Fields" +Cc: Jeff Layton +Cc: Jens Axboe +Cc: Jiri Slaby +Cc: Johannes Weiner +Cc: Kirill Tkhai +Cc: Michal Hocko +Cc: Oleg Nesterov +Cc: Roman Gushchin +Cc: Serge Hallyn +Cc: Tejun Heo +Cc: Thomas Gleixner +Cc: Vladimir Davydov +Cc: Yutian Yang +Cc: Zefan Li +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[mkoutny: just add accounting, adjust for missing commits fc37a3b8b438 ("ipc + sem: use kvmalloc for sem_undo allocation") and bc8136a543aa ("ipc: + use kmalloc for msg_queue and shmid_kernel") and 4a2ae92993be + ("ipc/sem.c: replace kvmalloc/memset with kvzalloc and use + struct_size")] +Acked-by: Michal Koutný +--- + ipc/msg.c | 2 +- + ipc/sem.c | 8 ++++---- + ipc/shm.c | 2 +- + 3 files changed, 6 insertions(+), 6 deletions(-) + +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -118,7 +118,7 @@ static int newque(struct ipc_namespace * + key_t key = params->key; + int msgflg = params->flg; + +- msq = kvmalloc(sizeof(*msq), GFP_KERNEL); ++ msq = kvmalloc(sizeof(*msq), GFP_KERNEL_ACCOUNT); + if (unlikely(!msq)) + return -ENOMEM; + +--- a/ipc/sem.c ++++ b/ipc/sem.c +@@ -453,7 +453,7 @@ static struct sem_array *sem_alloc(size_ + return NULL; + + size = sizeof(*sma) + nsems * sizeof(sma->sems[0]); +- sma = kvmalloc(size, GFP_KERNEL); ++ sma = kvmalloc(size, GFP_KERNEL_ACCOUNT); + if (unlikely(!sma)) + return NULL; + +@@ -1638,7 +1638,7 @@ static inline int get_undo_list(struct s + + undo_list = current->sysvsem.undo_list; + if (!undo_list) { +- undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL); ++ undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL_ACCOUNT); + if (undo_list == NULL) + return -ENOMEM; + spin_lock_init(&undo_list->lock); +@@ -1722,7 +1722,7 @@ static struct sem_undo *find_alloc_undo( + rcu_read_unlock(); + + /* step 2: allocate new undo structure */ +- new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL); ++ new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL_ACCOUNT); + if (!new) { + ipc_rcu_putref(&sma->sem_perm, sem_rcu_free); + return ERR_PTR(-ENOMEM); +@@ -1786,7 +1786,7 @@ SYSCALL_DEFINE4(semtimedop, int, semid, + if (nsops > ns->sc_semopm) + return -E2BIG; + if (nsops > SEMOPM_FAST) { +- sops = kvmalloc(sizeof(*sops)*nsops, GFP_KERNEL); ++ sops = kvmalloc(sizeof(*sops)*nsops, GFP_KERNEL_ACCOUNT); + if (sops == NULL) + return -ENOMEM; + } +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -564,7 +564,7 @@ static int newseg(struct ipc_namespace * + ns->shm_tot + numpages > ns->shm_ctlall) + return -ENOSPC; + +- shp = kvmalloc(sizeof(*shp), GFP_KERNEL); ++ shp = kvmalloc(sizeof(*shp), GFP_KERNEL_ACCOUNT); + if (unlikely(!shp)) + return -ENOMEM; + diff --git a/patches.suse/mm-vmscan-guarantee-drop_slab_node-termination.patch b/patches.suse/mm-vmscan-guarantee-drop_slab_node-termination.patch new file mode 100644 index 0000000..10e1555 --- /dev/null +++ b/patches.suse/mm-vmscan-guarantee-drop_slab_node-termination.patch @@ -0,0 +1,80 @@ +From: Vlastimil Babka +Date: Thu, 2 Sep 2021 14:59:53 -0700 +Subject: mm, vmscan: guarantee drop_slab_node() termination +Git-commit: 1399af7e54896c774d67f1c1acc491b07149421d +Patch-mainline: v5.14 or v5.14-rc8 (next release) +References: VM Functionality, bsc#1189301 + +drop_slab_node() is called as part of echo 2>/proc/sys/vm/drop_caches +operation. It iterates over all memcgs and calls shrink_slab() which in +turn iterates over all slab shrinkers. Freed objects are counted and as +long as the total number of freed objects from all memcgs and shrinkers is +higher than 10, drop_slab_node() loops for another full memcgs*shrinkers +iteration. + +This arbitrary constant threshold of 10 can result in effectively an +infinite loop on a system with large number of memcgs and/or parallel +activity that allocates new objects. This has been reported previously by +Chunxin Zang [1] and recently by our customer. + +The previous report [1] has resulted in commit 069c411de40a ("mm/vmscan: +fix infinite loop in drop_slab_node") which added a check for signals +allowing the user to terminate the command writing to drop_caches. At the +time it was also considered to make the threshold grow with each iteration +to guarantee termination, but such patch hasn't been formally proposed +yet. + +This patch implements the dynamically growing threshold. At first +iteration it's enough to free one object to continue, and this threshold +effectively doubles with each iteration. Our customer's feedback was +positive. + +There is always a risk that this change will result on some system in a +previously terminating drop_caches operation to terminate sooner and free +fewer objects. Ideally the semantics would guarantee freeing all freeable +objects that existed at the moment of starting the operation, while not +looping forever for newly allocated objects, but that's not feasible to +track. In the less ideal solution based on thresholds, arguably the +termination guarantee is more important than the exhaustiveness guarantee. +If there are reports of large regression wrt being exhaustive, we can +tune how fast the threshold grows. + +[1] https://lore.kernel.org/lkml/20200909152047.27905-1-zangchunxin@bytedance.com/T/#u + +[vbabka@suse.cz: avoid undefined shift behaviour] + Link: https://lkml.kernel.org/r/2f034e6f-a753-550a-f374-e4e23899d3d5@suse.cz + +Link: https://lkml.kernel.org/r/20210818152239.25502-1-vbabka@suse.cz +Signed-off-by: Vlastimil Babka +Reported-by: Chunxin Zang +Cc: Muchun Song +Cc: Chris Down +Cc: Michal Hocko +Cc: Matthew Wilcox +Cc: Vlastimil Babka +Cc: Kefeng Wang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + mm/vmscan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -521,6 +521,7 @@ out: + void drop_slab_node(int nid) + { + unsigned long freed; ++ int shift = 0; + + do { + struct mem_cgroup *memcg = NULL; +@@ -533,7 +534,7 @@ void drop_slab_node(int nid) + freed += shrink_slab(GFP_KERNEL, nid, memcg, + 1000, 1000); + } while ((memcg = mem_cgroup_iter(NULL, memcg, NULL)) != NULL); +- } while (freed > 10); ++ } while ((freed >> shift++) > 1); + } + + void drop_slab(void) diff --git a/patches.suse/mmc-dw_mmc-Fix-issue-with-uninitialized-dma_slave_co.patch b/patches.suse/mmc-dw_mmc-Fix-issue-with-uninitialized-dma_slave_co.patch new file mode 100644 index 0000000..449bcdc --- /dev/null +++ b/patches.suse/mmc-dw_mmc-Fix-issue-with-uninitialized-dma_slave_co.patch @@ -0,0 +1,47 @@ +From c3ff0189d3bc9c03845fe37472c140f0fefd0c79 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 10 Aug 2021 11:16:43 +0300 +Subject: [PATCH] mmc: dw_mmc: Fix issue with uninitialized dma_slave_config +Git-commit: c3ff0189d3bc9c03845fe37472c140f0fefd0c79 +Patch-mainline: v5.15-rc1 +References: git-fixes + +Depending on the DMA driver being used, the struct dma_slave_config may +need to be initialized to zero for the unused data. + +For example, we have three DMA drivers using src_port_window_size and +dst_port_window_size. If these are left uninitialized, it can cause DMA +failures. + +For dw_mmc, this is probably not currently an issue but is still good to +fix though. + +Fixes: 3fc7eaef44db ("mmc: dw_mmc: Add external dma interface support") +Cc: Shawn Lin +Cc: Jaehoon Chung +Cc: Peter Ujfalusi +Cc: Vinod Koul +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210810081644.19353-2-tony@atomide.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/dw_mmc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c +index 29c848e25df6..6578cc64ae9e 100644 +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -787,6 +787,7 @@ static int dw_mci_edmac_start_dma(struct dw_mci *host, + int ret = 0; + + /* Set external dma config: burst size, burst width */ ++ memset(&cfg, 0, sizeof(cfg)); + cfg.dst_addr = host->phy_regs + fifo_offset; + cfg.src_addr = cfg.dst_addr; + cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +-- +2.26.2 + diff --git a/patches.suse/mmc-moxart-Fix-issue-with-uninitialized-dma_slave_co.patch b/patches.suse/mmc-moxart-Fix-issue-with-uninitialized-dma_slave_co.patch new file mode 100644 index 0000000..0e2fcf4 --- /dev/null +++ b/patches.suse/mmc-moxart-Fix-issue-with-uninitialized-dma_slave_co.patch @@ -0,0 +1,46 @@ +From ee5165354d498e5bceb0b386e480ac84c5f8c28c Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 10 Aug 2021 11:16:44 +0300 +Subject: [PATCH] mmc: moxart: Fix issue with uninitialized dma_slave_config +Git-commit: ee5165354d498e5bceb0b386e480ac84c5f8c28c +Patch-mainline: v5.15-rc1 +References: git-fixes + +Depending on the DMA driver being used, the struct dma_slave_config may +need to be initialized to zero for the unused data. + +For example, we have three DMA drivers using src_port_window_size and +dst_port_window_size. If these are left uninitialized, it can cause DMA +failures. + +For moxart, this is probably not currently an issue but is still good to +fix though. + +Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver") +Cc: Jonas Jensen +Cc: Vinod Koul +Cc: Peter Ujfalusi +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210810081644.19353-3-tony@atomide.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/moxart-mmc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c +index bde298887579..6c9d38132f74 100644 +--- a/drivers/mmc/host/moxart-mmc.c ++++ b/drivers/mmc/host/moxart-mmc.c +@@ -628,6 +628,7 @@ static int moxart_probe(struct platform_device *pdev) + host->dma_chan_tx, host->dma_chan_rx); + host->have_dma = true; + ++ memset(&cfg, 0, sizeof(cfg)); + cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; + cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; + +-- +2.26.2 + diff --git a/patches.suse/net-mvpp2-Add-TCAM-entry-to-drop-flow-control-pause-.patch b/patches.suse/net-mvpp2-Add-TCAM-entry-to-drop-flow-control-pause-.patch new file mode 100644 index 0000000..a93fee2 --- /dev/null +++ b/patches.suse/net-mvpp2-Add-TCAM-entry-to-drop-flow-control-pause-.patch @@ -0,0 +1,96 @@ +From ba395fedb22754cc5adabe40fb91c4acdd568c86 Mon Sep 17 00:00:00 2001 +From: Stefan Chulski +Date: Thu, 17 Dec 2020 20:30:17 +0200 +Subject: [PATCH 4/5] net: mvpp2: Add TCAM entry to drop flow control pause + frames +Git-commit: 3f48fab62bb81a7f9d01e9d43c40395fad011dd5 +References: git-fixes +Patch-mainline: v5.11-rc3 + +Issue: +Flow control frame used to pause GoP(MAC) was delivered to the CPU +and created a load on the CPU. Since XOFF/XON frames are used only +by MAC, these frames should be dropped inside MAC. + +Fix: +According to 802.3-2012 - IEEE Standard for Ethernet pause frame +has unique destination MAC address 01-80-C2-00-00-01. +Add TCAM parser entry to track and drop pause frames by destination MAC. + +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Signed-off-by: Stefan Chulski +Link: https://lore.kernel.org/r/1608229817-21951-1-git-send-email-stefanc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 33 ++++++++++++++++++++++++++ + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.h | 2 +- + 2 files changed, 34 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +index 5692c6087bbb..f069593d7e50 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -405,6 +405,38 @@ static int mvpp2_prs_tcam_first_free(struct mvpp2 *priv, unsigned char start, + return -EINVAL; + } + ++/* Drop flow control pause frames */ ++static void mvpp2_prs_drop_fc(struct mvpp2 *priv) ++{ ++ unsigned char da[ETH_ALEN] = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x01 }; ++ struct mvpp2_prs_entry pe; ++ unsigned int len; ++ ++ memset(&pe, 0, sizeof(pe)); ++ ++ /* For all ports - drop flow control frames */ ++ pe.index = MVPP2_PE_FC_DROP; ++ mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_MAC); ++ ++ /* Set match on DA */ ++ len = ETH_ALEN; ++ while (len--) ++ mvpp2_prs_tcam_data_byte_set(&pe, len, da[len], 0xff); ++ ++ mvpp2_prs_sram_ri_update(&pe, MVPP2_PRS_RI_DROP_MASK, ++ MVPP2_PRS_RI_DROP_MASK); ++ ++ mvpp2_prs_sram_bits_set(&pe, MVPP2_PRS_SRAM_LU_GEN_BIT, 1); ++ mvpp2_prs_sram_next_lu_set(&pe, MVPP2_PRS_LU_FLOWS); ++ ++ /* Mask all ports */ ++ mvpp2_prs_tcam_port_map_set(&pe, MVPP2_PRS_PORT_MASK); ++ ++ /* Update shadow table and hw entry */ ++ mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_MAC); ++ mvpp2_prs_hw_write(priv, &pe); ++} ++ + /* Enable/disable dropping all mac da's */ + static void mvpp2_prs_mac_drop_all_set(struct mvpp2 *priv, int port, bool add) + { +@@ -1162,6 +1194,7 @@ static void mvpp2_prs_mac_init(struct mvpp2 *priv) + mvpp2_prs_hw_write(priv, &pe); + + /* Create dummy entries for drop all and promiscuous modes */ ++ mvpp2_prs_drop_fc(priv); + mvpp2_prs_mac_drop_all_set(priv, 0, false); + mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_UNI_CAST, false); + mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_MULTI_CAST, false); +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.h +index e22f6c85d380..4b68dd374733 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.h ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.h +@@ -129,7 +129,7 @@ + #define MVPP2_PE_VID_EDSA_FLTR_DEFAULT (MVPP2_PRS_TCAM_SRAM_SIZE - 7) + #define MVPP2_PE_VLAN_DBL (MVPP2_PRS_TCAM_SRAM_SIZE - 6) + #define MVPP2_PE_VLAN_NONE (MVPP2_PRS_TCAM_SRAM_SIZE - 5) +-/* reserved */ ++#define MVPP2_PE_FC_DROP (MVPP2_PRS_TCAM_SRAM_SIZE - 4) + #define MVPP2_PE_MAC_MC_PROMISCUOUS (MVPP2_PRS_TCAM_SRAM_SIZE - 3) + #define MVPP2_PE_MAC_UC_PROMISCUOUS (MVPP2_PRS_TCAM_SRAM_SIZE - 2) + #define MVPP2_PE_MAC_NON_PROMISCUOUS (MVPP2_PRS_TCAM_SRAM_SIZE - 1) +-- +2.16.4 + diff --git a/patches.suse/net-mvpp2-prs-fix-PPPoE-with-ipv6-packet-parse.patch b/patches.suse/net-mvpp2-prs-fix-PPPoE-with-ipv6-packet-parse.patch new file mode 100644 index 0000000..e7b93cd --- /dev/null +++ b/patches.suse/net-mvpp2-prs-fix-PPPoE-with-ipv6-packet-parse.patch @@ -0,0 +1,40 @@ +From 6ae23f13e5c2f2bdaee7f2804cbbfc1557ccd93a Mon Sep 17 00:00:00 2001 +From: Stefan Chulski +Date: Thu, 17 Dec 2020 20:37:46 +0200 +Subject: [PATCH 5/5] net: mvpp2: prs: fix PPPoE with ipv6 packet parse +Git-commit: fec6079b2eeab319d9e3d074f54d3b6f623e9701 +References: git-fixes +Patch-mainline: v5.11-rc3 + +Current PPPoE+IPv6 entry is jumping to 'next-hdr' +field and not to 'DIP' field as done for IPv4. + +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Reported-by: Liron Himi +Signed-off-by: Stefan Chulski +Link: https://lore.kernel.org/r/1608230266-22111-1-git-send-email-stefanc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +index f069593d7e50..a30eb90ba3d2 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -1680,8 +1680,9 @@ static int mvpp2_prs_pppoe_init(struct mvpp2 *priv) + mvpp2_prs_sram_next_lu_set(&pe, MVPP2_PRS_LU_IP6); + mvpp2_prs_sram_ri_update(&pe, MVPP2_PRS_RI_L3_IP6, + MVPP2_PRS_RI_L3_PROTO_MASK); +- /* Skip eth_type + 4 bytes of IPv6 header */ +- mvpp2_prs_sram_shift_set(&pe, MVPP2_ETH_TYPE_LEN + 4, ++ /* Jump to DIP of IPV6 header */ ++ mvpp2_prs_sram_shift_set(&pe, MVPP2_ETH_TYPE_LEN + 8 + ++ MVPP2_MAX_L3_ADDR_SIZE, + MVPP2_PRS_SRAM_OP_SEL_SHIFT_ADD); + /* Set L3 offset */ + mvpp2_prs_sram_offset_set(&pe, MVPP2_PRS_SRAM_UDF_TYPE_L3, +-- +2.16.4 + diff --git a/patches.suse/ocfs2-ocfs2_downconvert_lock-failure-results-in-dead.patch b/patches.suse/ocfs2-ocfs2_downconvert_lock-failure-results-in-dead.patch new file mode 100644 index 0000000..9c54d55 --- /dev/null +++ b/patches.suse/ocfs2-ocfs2_downconvert_lock-failure-results-in-dead.patch @@ -0,0 +1,69 @@ +From 9673e0050c39b0534d0e2ca431223f52089f4959 Mon Sep 17 00:00:00 2001 +From: Gang He +Date: Thu, 2 Sep 2021 14:50:17 -0700 +Subject: [PATCH] ocfs2: ocfs2_downconvert_lock failure results in deadlock +Git-commit: 9673e0050c39b0534d0e2ca431223f52089f4959 +Patch-mainline: v5.15-rc1 +References: bsc#1188439 + +Usually, ocfs2_downconvert_lock() function always downconverts dlm lock to +the expected level for satisfy dlm bast requests from the other nodes. + +But there is a rare situation. When dlm lock conversion is being +canceled, ocfs2_downconvert_lock() function will return -EBUSY. You need +to be aware that ocfs2_cancel_convert() function is asynchronous in fsdlm +implementation. + +If we does not requeue this lockres entry, ocfs2 downconvert thread no +longer handles this dlm lock bast request. Then, the other nodes will not +get the dlm lock again, the current node's process will be blocked when +acquire this dlm lock again. + +Link: https://lkml.kernel.org/r/20210830044621.12544-1-ghe@suse.com +Signed-off-by: Gang He +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + fs/ocfs2/dlmglue.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c +index 33fbdc823278..359524b7341f 100644 +--- a/fs/ocfs2/dlmglue.c ++++ b/fs/ocfs2/dlmglue.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -3912,6 +3913,17 @@ static int ocfs2_unblock_lock(struct ocfs2_super *osb, + spin_unlock_irqrestore(&lockres->l_lock, flags); + ret = ocfs2_downconvert_lock(osb, lockres, new_level, set_lvb, + gen); ++ /* The dlm lock convert is being cancelled in background, ++ * ocfs2_cancel_convert() is asynchronous in fs/dlm, ++ * requeue it, try again later. ++ */ ++ if (ret == -EBUSY) { ++ ctl->requeue = 1; ++ mlog(ML_BASTS, "lockres %s, ReQ: Downconvert busy\n", ++ lockres->l_name); ++ ret = 0; ++ msleep(20); ++ } + + leave: + if (ret) +-- +2.32.0 + diff --git a/patches.suse/power-supply-max17042-handle-fails-of-reading-status.patch b/patches.suse/power-supply-max17042-handle-fails-of-reading-status.patch new file mode 100644 index 0000000..6018753 --- /dev/null +++ b/patches.suse/power-supply-max17042-handle-fails-of-reading-status.patch @@ -0,0 +1,48 @@ +From 54784ffa5b267f57161eb8fbb811499f22a0a0bf Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 16 Aug 2021 10:27:14 +0200 +Subject: [PATCH] power: supply: max17042: handle fails of reading status register +Git-commit: 54784ffa5b267f57161eb8fbb811499f22a0a0bf +Patch-mainline: v5.15-rc1 +References: git-fixes + +Reading status register can fail in the interrupt handler. In such +case, the regmap_read() will not store anything useful under passed +'val' variable and random stack value will be used to determine type of +interrupt. + +Handle the regmap_read() failure to avoid handling interrupt type and +triggering changed power supply event based on random stack value. + +Fixes: 39e7213edc4f ("max17042_battery: Support regmap to access device's registers") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Acked-by: Takashi Iwai + +--- + drivers/power/supply/max17042_battery.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/supply/max17042_battery.c b/drivers/power/supply/max17042_battery.c +index f28c90ea41b4..62eb5ae36bb0 100644 +--- a/drivers/power/supply/max17042_battery.c ++++ b/drivers/power/supply/max17042_battery.c +@@ -869,8 +869,12 @@ static irqreturn_t max17042_thread_handler(int id, void *dev) + { + struct max17042_chip *chip = dev; + u32 val; ++ int ret; ++ ++ ret = regmap_read(chip->regmap, MAX17042_STATUS, &val); ++ if (ret) ++ return IRQ_HANDLED; + +- regmap_read(chip->regmap, MAX17042_STATUS, &val); + if ((val & STATUS_INTR_SOCMIN_BIT) || + (val & STATUS_INTR_SOCMAX_BIT)) { + dev_info(&chip->client->dev, "SOC threshold INTR\n"); +-- +2.26.2 + diff --git a/patches.suse/qlcnic-Fix-error-code-in-probe.patch b/patches.suse/qlcnic-Fix-error-code-in-probe.patch new file mode 100644 index 0000000..3a7cd39 --- /dev/null +++ b/patches.suse/qlcnic-Fix-error-code-in-probe.patch @@ -0,0 +1,35 @@ +From 2c0f584f90554ffd764e53f6945493c35bcdc949 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 16 Dec 2020 11:38:04 +0300 +Subject: [PATCH 1/5] qlcnic: Fix error code in probe +Git-commit: 0d52848632a357948028eab67ff9b7cc0c12a0fb +References: git-fixes +Patch-mainline: v5.11-rc1 + +Return -EINVAL if we can't find the correct device. Currently it +returns success. + +Fixes: 13159183ec7a ("qlcnic: 83xx base driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/X9nHbMqEyI/xPfGd@mwanda +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +index 3dce9739c1d3..7af62f40be03 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +@@ -2505,6 +2505,7 @@ qlcnic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + qlcnic_sriov_vf_register_map(ahw); + break; + default: ++ err = -EINVAL; + goto err_out_free_hw_res; + } + +-- +2.16.4 + diff --git a/patches.suse/scsi-core-Add-scsi_prot_ref_tag-helper.patch b/patches.suse/scsi-core-Add-scsi_prot_ref_tag-helper.patch index 8f0d0c0..a82d600 100644 --- a/patches.suse/scsi-core-Add-scsi_prot_ref_tag-helper.patch +++ b/patches.suse/scsi-core-Add-scsi_prot_ref_tag-helper.patch @@ -1,8 +1,7 @@ From: "Martin K. Petersen" Date: Tue, 8 Jun 2021 23:39:15 -0400 Subject: scsi: core: Add scsi_prot_ref_tag() helper -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 7ba46799d34695534666a3f71a2be10ea85ece6c References: bsc#1189392 diff --git a/patches.suse/scsi-ibmvfc-Do-not-wait-for-initial-device-scan.patch b/patches.suse/scsi-ibmvfc-Do-not-wait-for-initial-device-scan.patch index 2f451da..c90623c 100644 --- a/patches.suse/scsi-ibmvfc-Do-not-wait-for-initial-device-scan.patch +++ b/patches.suse/scsi-ibmvfc-Do-not-wait-for-initial-device-scan.patch @@ -1,8 +1,7 @@ From: Hannes Reinecke Date: Tue, 17 Aug 2021 09:53:06 +0200 Subject: scsi: ibmvfc: Do not wait for initial device scan -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 7a3795f28795e5bdc71498728bdfe4f921ce6c27 References: bsc#1127650 diff --git a/patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch b/patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch new file mode 100644 index 0000000..0b1d6ee --- /dev/null +++ b/patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch @@ -0,0 +1,46 @@ +From: Javed Hasan +Date: Tue, 15 Jun 2021 09:59:39 -0700 +Subject: scsi: libfc: Fix array index out of bound exception +Patch-mainline: v5.14-rc1 +Git-commit: b27c4577557045f1ab3cdfeabfc7f3cd24aca1fe +References: bsc#1188616 + +Fix array index out of bound exception in fc_rport_prli_resp(). + +Link: https://lore.kernel.org/r/20210615165939.24327-1-jhasan@marvell.com +Signed-off-by: Javed Hasan +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/libfc/fc_rport.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/libfc/fc_rport.c ++++ b/drivers/scsi/libfc/fc_rport.c +@@ -1173,6 +1173,7 @@ static void fc_rport_prli_resp(struct fc + resp_code = (pp->spp.spp_flags & FC_SPP_RESP_MASK); + FC_RPORT_DBG(rdata, "PRLI spp_flags = 0x%x spp_type 0x%x\n", + pp->spp.spp_flags, pp->spp.spp_type); ++ + rdata->spp_type = pp->spp.spp_type; + if (resp_code != FC_SPP_RESP_ACK) { + if (resp_code == FC_SPP_RESP_CONF) +@@ -1195,11 +1196,13 @@ static void fc_rport_prli_resp(struct fc + /* + * Call prli provider if we should act as a target + */ +- prov = fc_passive_prov[rdata->spp_type]; +- if (prov) { +- memset(&temp_spp, 0, sizeof(temp_spp)); +- prov->prli(rdata, pp->prli.prli_spp_len, +- &pp->spp, &temp_spp); ++ if (rdata->spp_type < FC_FC4_PROV_SIZE) { ++ prov = fc_passive_prov[rdata->spp_type]; ++ if (prov) { ++ memset(&temp_spp, 0, sizeof(temp_spp)); ++ prov->prli(rdata, pp->prli.prli_spp_len, ++ &pp->spp, &temp_spp); ++ } + } + /* + * Check if the image pair could be established diff --git a/patches.suse/scsi-lpfc-Add-256-Gb-link-speed-support.patch b/patches.suse/scsi-lpfc-Add-256-Gb-link-speed-support.patch index 1b88a5e..3fae085 100644 --- a/patches.suse/scsi-lpfc-Add-256-Gb-link-speed-support.patch +++ b/patches.suse/scsi-lpfc-Add-256-Gb-link-speed-support.patch @@ -1,8 +1,7 @@ From: James Smart Date: Thu, 22 Jul 2021 15:17:19 -0700 Subject: scsi: lpfc: Add 256 Gb link speed support -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: bfc477854a42c3de6c2f34c7e8f7ef9917ef53ca References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Add-PCI-ID-support-for-LPe37000-LPe38000-s.patch b/patches.suse/scsi-lpfc-Add-PCI-ID-support-for-LPe37000-LPe38000-s.patch index 96c6448..92ce132 100644 --- a/patches.suse/scsi-lpfc-Add-PCI-ID-support-for-LPe37000-LPe38000-s.patch +++ b/patches.suse/scsi-lpfc-Add-PCI-ID-support-for-LPe37000-LPe38000-s.patch @@ -1,8 +1,7 @@ From: James Smart Date: Thu, 22 Jul 2021 15:17:16 -0700 Subject: scsi: lpfc: Add PCI ID support for LPe37000/LPe38000 series adapters -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: f449a3d7a1530db44e7bba1a875f522115e99ab5 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Call-discovery-state-machine-when-handling.patch b/patches.suse/scsi-lpfc-Call-discovery-state-machine-when-handling.patch index 901e3cf..5962f34 100644 --- a/patches.suse/scsi-lpfc-Call-discovery-state-machine-when-handling.patch +++ b/patches.suse/scsi-lpfc-Call-discovery-state-machine-when-handling.patch @@ -2,8 +2,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:47 -0700 Subject: scsi: lpfc: Call discovery state machine when handling PLOGI/ADISC completions -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: c65436b21c3abbdaacd9c9f68bf2fa94e103168d References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Clear-outstanding-active-mailbox-during-PC.patch b/patches.suse/scsi-lpfc-Clear-outstanding-active-mailbox-during-PC.patch index 5ec7ae9..0bd1958 100644 --- a/patches.suse/scsi-lpfc-Clear-outstanding-active-mailbox-during-PC.patch +++ b/patches.suse/scsi-lpfc-Clear-outstanding-active-mailbox-during-PC.patch @@ -2,8 +2,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:43 -0700 Subject: scsi: lpfc: Clear outstanding active mailbox during PCI function reset -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: a9978e3978406ef5e35870b10e677cf75a2620b6 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Copyright-updates-for-12.8.0.11-patches.patch b/patches.suse/scsi-lpfc-Copyright-updates-for-12.8.0.11-patches.patch index 3e55153..01a98b8 100644 --- a/patches.suse/scsi-lpfc-Copyright-updates-for-12.8.0.11-patches.patch +++ b/patches.suse/scsi-lpfc-Copyright-updates-for-12.8.0.11-patches.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:51 -0700 Subject: scsi: lpfc: Copyright updates for 12.8.0.11 patches -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: f2af8ffc63a184ab425e0a02308f7fdcf8a53f1c References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Copyright-updates-for-14.0.0.0-patches.patch b/patches.suse/scsi-lpfc-Copyright-updates-for-14.0.0.0-patches.patch index 56c85d4..b0c0383 100644 --- a/patches.suse/scsi-lpfc-Copyright-updates-for-14.0.0.0-patches.patch +++ b/patches.suse/scsi-lpfc-Copyright-updates-for-14.0.0.0-patches.patch @@ -1,8 +1,7 @@ From: James Smart Date: Thu, 22 Jul 2021 15:17:21 -0700 Subject: scsi: lpfc: Copyright updates for 14.0.0.0 patches -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 45e524d61ec4dd600f4d34360301398d52594a44 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Delay-unregistering-from-transport-until-G.patch b/patches.suse/scsi-lpfc-Delay-unregistering-from-transport-until-G.patch index d2437ad..b59b57b 100644 --- a/patches.suse/scsi-lpfc-Delay-unregistering-from-transport-until-G.patch +++ b/patches.suse/scsi-lpfc-Delay-unregistering-from-transport-until-G.patch @@ -2,8 +2,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:46 -0700 Subject: scsi: lpfc: Delay unregistering from transport until GIDFT or ADISC completes -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 0614568361b0c1827f999b1fff21223a496c740b References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Discovery-state-machine-fixes-for-LOGO-han.patch b/patches.suse/scsi-lpfc-Discovery-state-machine-fixes-for-LOGO-han.patch index f16811f..5c06366 100644 --- a/patches.suse/scsi-lpfc-Discovery-state-machine-fixes-for-LOGO-han.patch +++ b/patches.suse/scsi-lpfc-Discovery-state-machine-fixes-for-LOGO-han.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:36 -0700 Subject: scsi: lpfc: Discovery state machine fixes for LOGO handling -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: e77803bdbf0aad98d36b1d3fa082852831814edd References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Enable-adisc-discovery-after-RSCN-by-defau.patch b/patches.suse/scsi-lpfc-Enable-adisc-discovery-after-RSCN-by-defau.patch index 3299619..9065bd4 100644 --- a/patches.suse/scsi-lpfc-Enable-adisc-discovery-after-RSCN-by-defau.patch +++ b/patches.suse/scsi-lpfc-Enable-adisc-discovery-after-RSCN-by-defau.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:45 -0700 Subject: scsi: lpfc: Enable adisc discovery after RSCN by default -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 816bd88dffc5716d8bff7cce9dbaa19ef375bc97 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Fix-KASAN-slab-out-of-bounds-in-lpfc_unreg.patch b/patches.suse/scsi-lpfc-Fix-KASAN-slab-out-of-bounds-in-lpfc_unreg.patch index 5383e0f..615bd93 100644 --- a/patches.suse/scsi-lpfc-Fix-KASAN-slab-out-of-bounds-in-lpfc_unreg.patch +++ b/patches.suse/scsi-lpfc-Fix-KASAN-slab-out-of-bounds-in-lpfc_unreg.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:42 -0700 Subject: scsi: lpfc: Fix KASAN slab-out-of-bounds in lpfc_unreg_rpi() routine -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: affbe24429410fddf4e50ca456c090ed6d8e05bf References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Fix-NULL-ptr-dereference-with-NPIV-ports-f.patch b/patches.suse/scsi-lpfc-Fix-NULL-ptr-dereference-with-NPIV-ports-f.patch index 09d9430..4f1fb5b 100644 --- a/patches.suse/scsi-lpfc-Fix-NULL-ptr-dereference-with-NPIV-ports-f.patch +++ b/patches.suse/scsi-lpfc-Fix-NULL-ptr-dereference-with-NPIV-ports-f.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:39 -0700 Subject: scsi: lpfc: Fix NULL ptr dereference with NPIV ports for RDF handling -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 2d338eb55b14ab9d245e8b1d982adecca8c4c613 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Fix-NVMe-support-reporting-in-log-message.patch b/patches.suse/scsi-lpfc-Fix-NVMe-support-reporting-in-log-message.patch index 620ea4c..c1c9087 100644 --- a/patches.suse/scsi-lpfc-Fix-NVMe-support-reporting-in-log-message.patch +++ b/patches.suse/scsi-lpfc-Fix-NVMe-support-reporting-in-log-message.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:32 -0700 Subject: scsi: lpfc: Fix NVMe support reporting in log message -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: ae463b60235e7a5decffbb0bd7209952ccda78eb References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Fix-cq_id-truncation-in-rq-create.patch b/patches.suse/scsi-lpfc-Fix-cq_id-truncation-in-rq-create.patch index bf1cfc6..1717630 100644 --- a/patches.suse/scsi-lpfc-Fix-cq_id-truncation-in-rq-create.patch +++ b/patches.suse/scsi-lpfc-Fix-cq_id-truncation-in-rq-create.patch @@ -1,8 +1,7 @@ From: James Smart Date: Thu, 22 Jul 2021 15:17:17 -0700 Subject: scsi: lpfc: Fix cq_id truncation in rq create -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: df3d78c3eb4eba13b3ef9740a8c664508ee644ae References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Fix-memory-leaks-in-error-paths-while-issu.patch b/patches.suse/scsi-lpfc-Fix-memory-leaks-in-error-paths-while-issu.patch index 531f41b..3721037 100644 --- a/patches.suse/scsi-lpfc-Fix-memory-leaks-in-error-paths-while-issu.patch +++ b/patches.suse/scsi-lpfc-Fix-memory-leaks-in-error-paths-while-issu.patch @@ -2,8 +2,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:40 -0700 Subject: scsi: lpfc: Fix memory leaks in error paths while issuing ELS RDF/SCR request -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: cd6047e92c6a5b0a44479cf98f76aac56ddfe108 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Fix-possible-ABBA-deadlock-in-nvmet_xri_ab.patch b/patches.suse/scsi-lpfc-Fix-possible-ABBA-deadlock-in-nvmet_xri_ab.patch index a4f5c3b..5041bb2 100644 --- a/patches.suse/scsi-lpfc-Fix-possible-ABBA-deadlock-in-nvmet_xri_ab.patch +++ b/patches.suse/scsi-lpfc-Fix-possible-ABBA-deadlock-in-nvmet_xri_ab.patch @@ -1,8 +1,7 @@ From: James Smart Date: Fri, 30 Jul 2021 09:33:09 -0700 Subject: scsi: lpfc: Fix possible ABBA deadlock in nvmet_xri_aborted() -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 7740b615b6665e47f162e261d805f1bbbac15876 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Fix-target-reset-handler-from-falsely-retu.patch b/patches.suse/scsi-lpfc-Fix-target-reset-handler-from-falsely-retu.patch index 05d38c3..077d5b1 100644 --- a/patches.suse/scsi-lpfc-Fix-target-reset-handler-from-falsely-retu.patch +++ b/patches.suse/scsi-lpfc-Fix-target-reset-handler-from-falsely-retu.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:37 -0700 Subject: scsi: lpfc: Fix target reset handler from falsely returning FAILURE -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 21990d3d1861c7aa8e3e4ed98614f0c161c29b0c References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Improve-firmware-download-logging.patch b/patches.suse/scsi-lpfc-Improve-firmware-download-logging.patch index 4534278..e52b8b3 100644 --- a/patches.suse/scsi-lpfc-Improve-firmware-download-logging.patch +++ b/patches.suse/scsi-lpfc-Improve-firmware-download-logging.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:34 -0700 Subject: scsi: lpfc: Improve firmware download logging -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 16a93e83c87edab9ea646be879a1cbbe7bf3bca6 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Keep-NDLP-reference-until-after-freeing-th.patch b/patches.suse/scsi-lpfc-Keep-NDLP-reference-until-after-freeing-th.patch index 80ea331..c91d9cb 100644 --- a/patches.suse/scsi-lpfc-Keep-NDLP-reference-until-after-freeing-th.patch +++ b/patches.suse/scsi-lpfc-Keep-NDLP-reference-until-after-freeing-th.patch @@ -2,8 +2,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:38 -0700 Subject: scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 4e670c8afd47d535f65edf0d2b7f54f103fd59a2 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Remove-REG_LOGIN-check-requirement-to-issu.patch b/patches.suse/scsi-lpfc-Remove-REG_LOGIN-check-requirement-to-issu.patch index 2ce3718..f5791ba 100644 --- a/patches.suse/scsi-lpfc-Remove-REG_LOGIN-check-requirement-to-issu.patch +++ b/patches.suse/scsi-lpfc-Remove-REG_LOGIN-check-requirement-to-issu.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:41 -0700 Subject: scsi: lpfc: Remove REG_LOGIN check requirement to issue an ELS RDF -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: e78c006f4c888231cdabb8a4286ba17980a903fa References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Remove-redundant-assignment-to-pointer-pcm.patch b/patches.suse/scsi-lpfc-Remove-redundant-assignment-to-pointer-pcm.patch index 616c2bf..a72be3a 100644 --- a/patches.suse/scsi-lpfc-Remove-redundant-assignment-to-pointer-pcm.patch +++ b/patches.suse/scsi-lpfc-Remove-redundant-assignment-to-pointer-pcm.patch @@ -1,8 +1,7 @@ From: Colin Ian King Date: Wed, 21 Jul 2021 10:53:50 +0100 Subject: scsi: lpfc: Remove redundant assignment to pointer pcmd -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: ff2d86d04d2614e33e122eb9a43ae9fd2a7274af References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Remove-use-of-kmalloc-in-trace-event-loggi.patch b/patches.suse/scsi-lpfc-Remove-use-of-kmalloc-in-trace-event-loggi.patch index 9e8bc01..4e44094 100644 --- a/patches.suse/scsi-lpfc-Remove-use-of-kmalloc-in-trace-event-loggi.patch +++ b/patches.suse/scsi-lpfc-Remove-use-of-kmalloc-in-trace-event-loggi.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:33 -0700 Subject: scsi: lpfc: Remove use of kmalloc() in trace event logging -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: e8613084053d406c22914385a488e8b85072100c References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Revise-Topology-and-RAS-support-checks-for.patch b/patches.suse/scsi-lpfc-Revise-Topology-and-RAS-support-checks-for.patch index ca4585a..b6ec733 100644 --- a/patches.suse/scsi-lpfc-Revise-Topology-and-RAS-support-checks-for.patch +++ b/patches.suse/scsi-lpfc-Revise-Topology-and-RAS-support-checks-for.patch @@ -1,8 +1,7 @@ From: James Smart Date: Thu, 22 Jul 2021 15:17:18 -0700 Subject: scsi: lpfc: Revise Topology and RAS support checks for new adapters -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: f6c5e6c4561d2a94a8eb39e6d4cb87a715bbd3de References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Skip-issuing-ADISC-when-node-is-in-NPR-sta.patch b/patches.suse/scsi-lpfc-Skip-issuing-ADISC-when-node-is-in-NPR-sta.patch index 5548bae..32a091c 100644 --- a/patches.suse/scsi-lpfc-Skip-issuing-ADISC-when-node-is-in-NPR-sta.patch +++ b/patches.suse/scsi-lpfc-Skip-issuing-ADISC-when-node-is-in-NPR-sta.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:49 -0700 Subject: scsi: lpfc: Skip issuing ADISC when node is in NPR state -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: ab803860882514ddbf97713b143b861b524e8476 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Skip-reg_vpi-when-link-is-down-for-SLI3-in.patch b/patches.suse/scsi-lpfc-Skip-reg_vpi-when-link-is-down-for-SLI3-in.patch index 29eab6a..af68093 100644 --- a/patches.suse/scsi-lpfc-Skip-reg_vpi-when-link-is-down-for-SLI3-in.patch +++ b/patches.suse/scsi-lpfc-Skip-reg_vpi-when-link-is-down-for-SLI3-in.patch @@ -2,8 +2,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:48 -0700 Subject: scsi: lpfc: Skip reg_vpi when link is down for SLI3 in ADISC cmpl path -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 02607fbaf00d9aac8fe97b1d9643f09ebdb47922 References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Update-lpfc-version-to-12.8.0.11.patch b/patches.suse/scsi-lpfc-Update-lpfc-version-to-12.8.0.11.patch index 7a6b3f4..0a58d81 100644 --- a/patches.suse/scsi-lpfc-Update-lpfc-version-to-12.8.0.11.patch +++ b/patches.suse/scsi-lpfc-Update-lpfc-version-to-12.8.0.11.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:50 -0700 Subject: scsi: lpfc: Update lpfc version to 12.8.0.11 -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 545a68e711ee4d6ed11cec956bb06cb52c95e83a References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.0.patch b/patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.0.patch index 94a2c3b..98cbd4b 100644 --- a/patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.0.patch +++ b/patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.0.patch @@ -1,8 +1,7 @@ From: James Smart Date: Thu, 22 Jul 2021 15:17:20 -0700 Subject: scsi: lpfc: Update lpfc version to 14.0.0.0 -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 95518cabe1193e1746c77be6d8233d76dcf1969e References: bsc#1189385 diff --git a/patches.suse/scsi-lpfc-Use-PBDE-feature-enabled-bit-to-determine-.patch b/patches.suse/scsi-lpfc-Use-PBDE-feature-enabled-bit-to-determine-.patch index 8b4095e..c36075c 100644 --- a/patches.suse/scsi-lpfc-Use-PBDE-feature-enabled-bit-to-determine-.patch +++ b/patches.suse/scsi-lpfc-Use-PBDE-feature-enabled-bit-to-determine-.patch @@ -1,8 +1,7 @@ From: James Smart Date: Wed, 7 Jul 2021 11:43:44 -0700 Subject: scsi: lpfc: Use PBDE feature enabled bit to determine PBDE support -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 137ddf0384722afef308dd40696fba55e6680ad2 References: bsc#1189385 diff --git a/patches.suse/scsi-qla2xxx-Fix-spelling-mistakes-allloc-alloc.patch b/patches.suse/scsi-qla2xxx-Fix-spelling-mistakes-allloc-alloc.patch index cf704ca..eccc842 100644 --- a/patches.suse/scsi-qla2xxx-Fix-spelling-mistakes-allloc-alloc.patch +++ b/patches.suse/scsi-qla2xxx-Fix-spelling-mistakes-allloc-alloc.patch @@ -1,8 +1,7 @@ From: Colin Ian King Date: Thu, 29 Jul 2021 09:24:13 +0100 Subject: scsi: qla2xxx: Fix spelling mistakes "allloc" -> "alloc" -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 0f783c2d640ac03ad3bb3ba6b7a1287ddf18031d References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-Fix-use-after-free-in-debug-code.patch b/patches.suse/scsi-qla2xxx-Fix-use-after-free-in-debug-code.patch index cab5bd2..3703aa5 100644 --- a/patches.suse/scsi-qla2xxx-Fix-use-after-free-in-debug-code.patch +++ b/patches.suse/scsi-qla2xxx-Fix-use-after-free-in-debug-code.patch @@ -1,8 +1,7 @@ From: Dan Carpenter Date: Tue, 3 Aug 2021 18:56:25 +0300 Subject: scsi: qla2xxx: Fix use after free in debug code -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: e3d2612f583ba6e234cb7fe4559132c8f28905f1 References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-Remove-redundant-continue-statement-in-.patch b/patches.suse/scsi-qla2xxx-Remove-redundant-continue-statement-in-.patch index 75be03a..383b910 100644 --- a/patches.suse/scsi-qla2xxx-Remove-redundant-continue-statement-in-.patch +++ b/patches.suse/scsi-qla2xxx-Remove-redundant-continue-statement-in-.patch @@ -1,8 +1,7 @@ From: Colin Ian King Date: Fri, 2 Jul 2021 14:15:42 +0100 Subject: scsi: qla2xxx: Remove redundant continue statement in a for-loop -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 37306698c3d023c10a2b1a01baac3089b52412f6 References: bsc#1189392 diff --git a/patches.suse/scsi-qla2xxx-Remove-redundant-initialization-of-vari.patch b/patches.suse/scsi-qla2xxx-Remove-redundant-initialization-of-vari.patch index ebccc6e..db34c05 100644 --- a/patches.suse/scsi-qla2xxx-Remove-redundant-initialization-of-vari.patch +++ b/patches.suse/scsi-qla2xxx-Remove-redundant-initialization-of-vari.patch @@ -1,8 +1,7 @@ From: Colin Ian King Date: Wed, 4 Aug 2021 14:13:44 +0100 Subject: scsi: qla2xxx: Remove redundant initialization of variable num_cnt -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 77d0f07abada8c9aeb54caba879a298a0b94c02a References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-Remove-unused-variable-status.patch b/patches.suse/scsi-qla2xxx-Remove-unused-variable-status.patch index 9aebaf3..161ca20 100644 --- a/patches.suse/scsi-qla2xxx-Remove-unused-variable-status.patch +++ b/patches.suse/scsi-qla2xxx-Remove-unused-variable-status.patch @@ -1,8 +1,7 @@ From: Bill Wendling Date: Mon, 26 Jul 2021 13:19:24 -0700 Subject: scsi: qla2xxx: Remove unused variable 'status' -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: cb51bcd5c34b0558ba2bb04963bcb1053375a8e4 References: bsc#1189392 diff --git a/patches.suse/scsi-qla2xxx-Update-version-to-10.02.00.107-k.patch b/patches.suse/scsi-qla2xxx-Update-version-to-10.02.00.107-k.patch index 1024f54..92aca06 100644 --- a/patches.suse/scsi-qla2xxx-Update-version-to-10.02.00.107-k.patch +++ b/patches.suse/scsi-qla2xxx-Update-version-to-10.02.00.107-k.patch @@ -1,8 +1,7 @@ From: Nilesh Javali Date: Wed, 23 Jun 2021 22:26:06 -0700 Subject: scsi: qla2xxx: Update version to 10.02.00.107-k -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 9798c653547d35cebef59d35edbbc269d85fb1b3 References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-Use-the-proper-SCSI-midlayer-interfaces.patch b/patches.suse/scsi-qla2xxx-Use-the-proper-SCSI-midlayer-interfaces.patch index 0c0a6bb..b74e54d 100644 --- a/patches.suse/scsi-qla2xxx-Use-the-proper-SCSI-midlayer-interfaces.patch +++ b/patches.suse/scsi-qla2xxx-Use-the-proper-SCSI-midlayer-interfaces.patch @@ -1,8 +1,7 @@ From: "Martin K. Petersen" Date: Tue, 8 Jun 2021 23:39:17 -0400 Subject: scsi: qla2xxx: Use the proper SCSI midlayer interfaces for PI -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: e2e9cd68fb3c673f7c1e12792f3137b77f6f7431 References: bsc#1189392 diff --git a/patches.suse/scsi-qla2xxx-edif-Add-authentication-pass-fail-bsgs.patch b/patches.suse/scsi-qla2xxx-edif-Add-authentication-pass-fail-bsgs.patch index 0283ade..135c897 100644 --- a/patches.suse/scsi-qla2xxx-edif-Add-authentication-pass-fail-bsgs.patch +++ b/patches.suse/scsi-qla2xxx-edif-Add-authentication-pass-fail-bsgs.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Wed, 23 Jun 2021 22:26:01 -0700 Subject: scsi: qla2xxx: edif: Add authentication pass + fail bsgs -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 8a4bb2c1dd623b5a71609de5b04ef3b5086b0a3e References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-edif-Add-detection-of-secure-device.patch b/patches.suse/scsi-qla2xxx-edif-Add-detection-of-secure-device.patch index 0f5a9ba..667d469 100644 --- a/patches.suse/scsi-qla2xxx-edif-Add-detection-of-secure-device.patch +++ b/patches.suse/scsi-qla2xxx-edif-Add-detection-of-secure-device.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Wed, 23 Jun 2021 22:26:02 -0700 Subject: scsi: qla2xxx: edif: Add detection of secure device -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 9efea843a906c6674ac6728f3f5db2cbfa3e1830 References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-edif-Add-doorbell-notification-for-app.patch b/patches.suse/scsi-qla2xxx-edif-Add-doorbell-notification-for-app.patch index 31644dd..aaa4028 100644 --- a/patches.suse/scsi-qla2xxx-edif-Add-doorbell-notification-for-app.patch +++ b/patches.suse/scsi-qla2xxx-edif-Add-doorbell-notification-for-app.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Wed, 23 Jun 2021 22:26:03 -0700 Subject: scsi: qla2xxx: edif: Add doorbell notification for app -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 7a09e8d92c6d56121910ccb2e8bc0d1affff66ee References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-edif-Add-encryption-to-I-O-path.patch b/patches.suse/scsi-qla2xxx-edif-Add-encryption-to-I-O-path.patch index 23f70f8..fb5431c 100644 --- a/patches.suse/scsi-qla2xxx-edif-Add-encryption-to-I-O-path.patch +++ b/patches.suse/scsi-qla2xxx-edif-Add-encryption-to-I-O-path.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Wed, 23 Jun 2021 22:26:04 -0700 Subject: scsi: qla2xxx: edif: Add encryption to I/O path -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 44d018577f179383ea2c409f3a392e9dbd1a155e References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-edif-Add-extraction-of-auth_els-from-th.patch b/patches.suse/scsi-qla2xxx-edif-Add-extraction-of-auth_els-from-th.patch index 03defe4..266c75b 100644 --- a/patches.suse/scsi-qla2xxx-edif-Add-extraction-of-auth_els-from-th.patch +++ b/patches.suse/scsi-qla2xxx-edif-Add-extraction-of-auth_els-from-th.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Wed, 23 Jun 2021 22:25:59 -0700 Subject: scsi: qla2xxx: edif: Add extraction of auth_els from the wire -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: fac2807946c10b9a509b9c348afd442fa823c5f7 References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-edif-Add-getfcinfo-and-statistic-bsgs.patch b/patches.suse/scsi-qla2xxx-edif-Add-getfcinfo-and-statistic-bsgs.patch index a5e2dc0..01286c2 100644 --- a/patches.suse/scsi-qla2xxx-edif-Add-getfcinfo-and-statistic-bsgs.patch +++ b/patches.suse/scsi-qla2xxx-edif-Add-getfcinfo-and-statistic-bsgs.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Wed, 23 Jun 2021 22:25:57 -0700 Subject: scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 7878f22a2e03b69baf792f74488962981a1c9547 References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-edif-Add-key-update.patch b/patches.suse/scsi-qla2xxx-edif-Add-key-update.patch index 7f85bcc..ab72050 100644 --- a/patches.suse/scsi-qla2xxx-edif-Add-key-update.patch +++ b/patches.suse/scsi-qla2xxx-edif-Add-key-update.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Wed, 23 Jun 2021 22:26:00 -0700 Subject: scsi: qla2xxx: edif: Add key update -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: dd30706e73b70d67e88fdaca688db7a3374fd5de References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-edif-Add-send-receive-and-accept-for-au.patch b/patches.suse/scsi-qla2xxx-edif-Add-send-receive-and-accept-for-au.patch index a7394f6..8670032 100644 --- a/patches.suse/scsi-qla2xxx-edif-Add-send-receive-and-accept-for-au.patch +++ b/patches.suse/scsi-qla2xxx-edif-Add-send-receive-and-accept-for-au.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Wed, 23 Jun 2021 22:25:58 -0700 Subject: scsi: qla2xxx: edif: Add send, receive, and accept for auth_els -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 84318a9f01ce13650ea23eb6362066bb95ccc9fe References: bsc#1189384 diff --git a/patches.suse/scsi-qla2xxx-edif-Add-start-stop-bsgs.patch b/patches.suse/scsi-qla2xxx-edif-Add-start-stop-bsgs.patch index e69192e..5a148dc 100644 --- a/patches.suse/scsi-qla2xxx-edif-Add-start-stop-bsgs.patch +++ b/patches.suse/scsi-qla2xxx-edif-Add-start-stop-bsgs.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Wed, 23 Jun 2021 22:25:56 -0700 Subject: scsi: qla2xxx: edif: Add start + stop bsgs -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 7ebb336e45ef1ce23462c3bbd03779929008901f References: bsc#1189392 diff --git a/patches.suse/scsi-qla2xxx-edif-Increment-command-and-completion-c.patch b/patches.suse/scsi-qla2xxx-edif-Increment-command-and-completion-c.patch index dce31fb..e901b21 100644 --- a/patches.suse/scsi-qla2xxx-edif-Increment-command-and-completion-c.patch +++ b/patches.suse/scsi-qla2xxx-edif-Increment-command-and-completion-c.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Wed, 23 Jun 2021 22:26:05 -0700 Subject: scsi: qla2xxx: edif: Increment command and completion counts -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.15-rc1 Git-commit: 71bef5020cd13e1aaa878d10481aafc1ecd4a8f6 References: bsc#1189384 diff --git a/patches.suse/sctp-implement-memory-accounting-on-rx-path.patch b/patches.suse/sctp-implement-memory-accounting-on-rx-path.patch new file mode 100644 index 0000000..15eccea --- /dev/null +++ b/patches.suse/sctp-implement-memory-accounting-on-rx-path.patch @@ -0,0 +1,122 @@ +From: Xin Long +Date: Mon, 15 Apr 2019 17:15:07 +0800 +Subject: sctp: implement memory accounting on rx path +Patch-mainline: v5.2-rc1 +Git-commit: 9dde27de3e5efa0d032f3c891a0ca833a0d31911 +References: CVE-2019-3874 bsc#1129898 + +sk_forward_alloc's updating is also done on rx path, but to be consistent +we change to use sk_mem_charge() in sctp_skb_set_owner_r(). + +In sctp_eat_data(), it's not enough to check sctp_memory_pressure only, +which doesn't work for mem_cgroup_sockets_enabled, so we change to use +sk_under_memory_pressure(). + +When it's under memory pressure, sk_mem_reclaim() and sk_rmem_schedule() +should be called on both RENEGE or CHUNK DELIVERY path exit the memory +pressure status as soon as possible. + +Note that sk_rmem_schedule() is using datalen to make things easy there. + +Reported-by: Matteo Croce +Tested-by: Matteo Croce +Acked-by: Neil Horman +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Acked-by: Michal Kubecek + +--- + include/net/sctp/sctp.h | 2 +- + net/sctp/sm_statefuns.c | 6 ++++-- + net/sctp/ulpevent.c | 19 ++++++++----------- + net/sctp/ulpqueue.c | 3 ++- + 4 files changed, 15 insertions(+), 15 deletions(-) + +--- a/include/net/sctp/sctp.h ++++ b/include/net/sctp/sctp.h +@@ -423,7 +423,7 @@ static inline void sctp_skb_set_owner_r(struct sk_buff *skb, struct sock *sk) + /* + * This mimics the behavior of skb_set_owner_r + */ +- sk->sk_forward_alloc -= event->rmem_len; ++ sk_mem_charge(sk, event->rmem_len); + } + + /* Tests if the list has one and only one entry. */ +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -6331,13 +6331,15 @@ static int sctp_eat_data(const struct sctp_association *asoc, + * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our + * memory usage too much + */ +- if (*sk->sk_prot_creator->memory_pressure) { ++ if (sk_under_memory_pressure(sk)) { + if (sctp_tsnmap_has_gap(map) && + (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { + pr_debug("%s: under pressure, reneging for tsn:%u\n", + __func__, tsn); + deliver = SCTP_CMD_RENEGE; +- } ++ } else { ++ sk_mem_reclaim(sk); ++ } + } + + /* +--- a/net/sctp/ulpevent.c ++++ b/net/sctp/ulpevent.c +@@ -634,8 +634,9 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct sctp_association *asoc, + gfp_t gfp) + { + struct sctp_ulpevent *event = NULL; +- struct sk_buff *skb; +- size_t padding, len; ++ struct sk_buff *skb = chunk->skb; ++ struct sock *sk = asoc->base.sk; ++ size_t padding, datalen; + int rx_count; + + /* +@@ -646,15 +647,12 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct sctp_association *asoc, + if (asoc->ep->rcvbuf_policy) + rx_count = atomic_read(&asoc->rmem_alloc); + else +- rx_count = atomic_read(&asoc->base.sk->sk_rmem_alloc); ++ rx_count = atomic_read(&sk->sk_rmem_alloc); + +- if (rx_count >= asoc->base.sk->sk_rcvbuf) { ++ datalen = ntohs(chunk->chunk_hdr->length); + +- if ((asoc->base.sk->sk_userlocks & SOCK_RCVBUF_LOCK) || +- (!sk_rmem_schedule(asoc->base.sk, chunk->skb, +- chunk->skb->truesize))) +- goto fail; +- } ++ if (rx_count >= sk->sk_rcvbuf || !sk_rmem_schedule(sk, skb, datalen)) ++ goto fail; + + /* Clone the original skb, sharing the data. */ + skb = skb_clone(chunk->skb, gfp); +@@ -681,8 +679,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct sctp_association *asoc, + * The sender should never pad with more than 3 bytes. The receiver + * MUST ignore the padding bytes. + */ +- len = ntohs(chunk->chunk_hdr->length); +- padding = SCTP_PAD4(len) - len; ++ padding = SCTP_PAD4(datalen) - datalen; + + /* Fixup cloned skb with just this chunks data. */ + skb_trim(skb, chunk->chunk_end - padding - skb->data); +--- a/net/sctp/ulpqueue.c ++++ b/net/sctp/ulpqueue.c +@@ -1104,7 +1104,8 @@ void sctp_ulpq_renege(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk, + } + } + /* If able to free enough room, accept this chunk. */ +- if (chunk && (freed >= needed)) { ++ if (chunk && sk_rmem_schedule(asoc->base.sk, chunk->skb, needed) && ++ freed >= needed) { + int retval; + retval = sctp_ulpq_tail_data(ulpq, chunk, gfp); + /* diff --git a/patches.suse/sctp-implement-memory-accounting-on-tx-path.patch b/patches.suse/sctp-implement-memory-accounting-on-tx-path.patch new file mode 100644 index 0000000..7adc43d --- /dev/null +++ b/patches.suse/sctp-implement-memory-accounting-on-tx-path.patch @@ -0,0 +1,58 @@ +From: Xin Long +Date: Mon, 15 Apr 2019 17:15:06 +0800 +Subject: sctp: implement memory accounting on tx path +Patch-mainline: v5.2-rc1 +Git-commit: 1033990ac5b2ab6cee93734cb6d301aa3a35bcaa +References: CVE-2019-3874 bsc#1129898 + +Now when sending packets, sk_mem_charge() and sk_mem_uncharge() have been +used to set sk_forward_alloc. We just need to call sk_wmem_schedule() to +check if the allocated should be raised, and call sk_mem_reclaim() to +check if the allocated should be reduced when it's under memory pressure. + +If sk_wmem_schedule() returns false, which means no memory is allowed to +allocate, it will block and wait for memory to become available. + +Note different from tcp, sctp wait_for_buf happens before allocating any +skb, so memory accounting check is done with the whole msg_len before it +too. + +Reported-by: Matteo Croce +Tested-by: Matteo Croce +Acked-by: Neil Horman +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Acked-by: Michal Kubecek + +--- + net/sctp/socket.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1977,8 +1977,11 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) + if (sctp_wspace(asoc) < msg_len) + sctp_prsctp_prune(asoc, sinfo, msg_len - sctp_wspace(asoc)); + ++ if (sk_under_memory_pressure(sk)) ++ sk_mem_reclaim(sk); ++ + timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); +- if (!sctp_wspace(asoc)) { ++ if (!sctp_wspace(asoc) || !sk_wmem_schedule(sk, msg_len)) { + err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len); + if (err) + goto out_free; +@@ -7807,7 +7810,10 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, + goto do_error; + if (signal_pending(current)) + goto do_interrupted; +- if (msg_len <= sctp_wspace(asoc)) ++ if (sk_under_memory_pressure(sk)) ++ sk_mem_reclaim(sk); ++ if (msg_len <= sctp_wspace(asoc) && ++ sk_wmem_schedule(sk, msg_len)) + break; + + /* Let another process have a go. Since we are going diff --git a/patches.suse/spi-spi-fsl-dspi-Fix-issue-with-uninitialized-dma_sl.patch b/patches.suse/spi-spi-fsl-dspi-Fix-issue-with-uninitialized-dma_sl.patch new file mode 100644 index 0000000..836a4b3 --- /dev/null +++ b/patches.suse/spi-spi-fsl-dspi-Fix-issue-with-uninitialized-dma_sl.patch @@ -0,0 +1,48 @@ +From 209ab223ad5b18e437289235e3bde12593b94ac4 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 10 Aug 2021 11:17:26 +0300 +Subject: [PATCH] spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config +Git-commit: 209ab223ad5b18e437289235e3bde12593b94ac4 +Patch-mainline: v5.15-rc1 +References: git-fixes + +Depending on the DMA driver being used, the struct dma_slave_config may +need to be initialized to zero for the unused data. + +For example, we have three DMA drivers using src_port_window_size and +dst_port_window_size. If these are left uninitialized, it can cause DMA +failures. + +For spi-fsl-dspi, this is probably not currently an issue but is still +good to fix though. + +Fixes: 90ba37033cb9 ("spi: spi-fsl-dspi: Add DMA support for Vybrid") +Cc: Sanchayan Maity +Cc: Vladimir Oltean +Cc: Peter Ujfalusi +Cc: Vinod Koul +Signed-off-by: Tony Lindgren +Acked-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20210810081727.19491-1-tony@atomide.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-fsl-dspi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c +index fb45e6af6638..fd004c9db9dc 100644 +--- a/drivers/spi/spi-fsl-dspi.c ++++ b/drivers/spi/spi-fsl-dspi.c +@@ -530,6 +530,7 @@ static int dspi_request_dma(struct fsl_dspi *dspi, phys_addr_t phy_addr) + goto err_rx_dma_buf; + } + ++ memset(&cfg, 0, sizeof(cfg)); + cfg.src_addr = phy_addr + SPI_POPR; + cfg.dst_addr = phy_addr + SPI_PUSHR; + cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +-- +2.26.2 + diff --git a/patches.suse/spi-spi-pic32-Fix-issue-with-uninitialized-dma_slave.patch b/patches.suse/spi-spi-pic32-Fix-issue-with-uninitialized-dma_slave.patch new file mode 100644 index 0000000..9566a50 --- /dev/null +++ b/patches.suse/spi-spi-pic32-Fix-issue-with-uninitialized-dma_slave.patch @@ -0,0 +1,46 @@ +From 976c1de1de147bb7f4e0d87482f375221c05aeaf Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 10 Aug 2021 11:17:27 +0300 +Subject: [PATCH] spi: spi-pic32: Fix issue with uninitialized dma_slave_config +Git-commit: 976c1de1de147bb7f4e0d87482f375221c05aeaf +Patch-mainline: v5.15-rc1 +References: git-fixes + +Depending on the DMA driver being used, the struct dma_slave_config may +need to be initialized to zero for the unused data. + +For example, we have three DMA drivers using src_port_window_size and +dst_port_window_size. If these are left uninitialized, it can cause DMA +failures. + +For spi-pic32, this is probably not currently an issue but is still good to +fix though. + +Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver") +Cc: Purna Chandra Mandal +Cc: Peter Ujfalusi +Cc: Vinod Koul +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210810081727.19491-2-tony@atomide.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-pic32.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-pic32.c b/drivers/spi/spi-pic32.c +index 104bde153efd..5eb7b61bbb4d 100644 +--- a/drivers/spi/spi-pic32.c ++++ b/drivers/spi/spi-pic32.c +@@ -361,6 +361,7 @@ static int pic32_spi_dma_config(struct pic32_spi *pic32s, u32 dma_width) + struct dma_slave_config cfg; + int ret; + ++ memset(&cfg, 0, sizeof(cfg)); + cfg.device_fc = true; + cfg.src_addr = pic32s->dma_base + buf_offset; + cfg.dst_addr = pic32s->dma_base + buf_offset; +-- +2.26.2 + diff --git a/patches.suse/usb-max-3421-Prevent-corruption-of-freed-memory.patch b/patches.suse/usb-max-3421-Prevent-corruption-of-freed-memory.patch index 4fde810..e38c7cc 100644 --- a/patches.suse/usb-max-3421-Prevent-corruption-of-freed-memory.patch +++ b/patches.suse/usb-max-3421-Prevent-corruption-of-freed-memory.patch @@ -4,7 +4,7 @@ Date: Fri, 25 Jun 2021 15:14:56 +1200 Subject: [PATCH] usb: max-3421: Prevent corruption of freed memory Git-commit: b5fdf5c6e6bee35837e160c00ac89327bdad031b Patch-mainline: v5.14-rc3 -References: git-fixes +References: CVE-2021-38204, bsc#1189291 The MAX-3421 USB driver remembers the state of the USB toggles for a device/endpoint. To save SPI writes, this was only done when a new diff --git a/patches.suse/vhost-introduce-vhost_exceeds_weight.patch b/patches.suse/vhost-introduce-vhost_exceeds_weight.patch new file mode 100644 index 0000000..ba6e446 --- /dev/null +++ b/patches.suse/vhost-introduce-vhost_exceeds_weight.patch @@ -0,0 +1,199 @@ +From: Jason Wang +Date: Fri, 17 May 2019 00:29:49 -0400 +Subject: vhost: introduce vhost_exceeds_weight() +Patch-mainline: v5.2-rc4 +Git-commit: e82b9b0727ff6d665fff2d326162b460dded554d +References: CVE-2019-3900 bsc#1133374 + +We used to have vhost_exceeds_weight() for vhost-net to: + +- prevent vhost kthread from hogging the cpu +- balance the time spent between TX and RX + +This function could be useful for vsock and scsi as well. So move it +to vhost.c. Device must specify a weight which counts the number of +requests, or it can also specific a byte_weight which counts the +number of bytes that has been processed. + +Signed-off-by: Jason Wang +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Michael S. Tsirkin +Acked-by: Michal Kubecek + +--- + drivers/vhost/net.c | 22 ++++++---------------- + drivers/vhost/scsi.c | 9 ++++++++- + drivers/vhost/vhost.c | 20 +++++++++++++++++++- + drivers/vhost/vhost.h | 5 ++++- + drivers/vhost/vsock.c | 12 +++++++++++- + 5 files changed, 48 insertions(+), 20 deletions(-) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -598,12 +598,6 @@ static size_t init_iov_iter(struct vhost_virtqueue *vq, struct iov_iter *iter, + return iov_iter_count(iter); + } + +-static bool vhost_exceeds_weight(int pkts, int total_len) +-{ +- return total_len >= VHOST_NET_WEIGHT || +- pkts >= VHOST_NET_PKT_WEIGHT; +-} +- + static int get_tx_bufs(struct vhost_net *net, + struct vhost_net_virtqueue *nvq, + struct msghdr *msg, +@@ -799,10 +793,8 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) + vq->heads[nvq->done_idx].id = cpu_to_vhost32(vq, head); + vq->heads[nvq->done_idx].len = 0; + ++nvq->done_idx; +- if (vhost_exceeds_weight(++sent_pkts, total_len)) { +- vhost_poll_queue(&vq->poll); ++ if (vhost_exceeds_weight(vq, ++sent_pkts, total_len)) + break; +- } + } + + vhost_tx_batch(net, nvq, sock, &msg); +@@ -904,10 +896,9 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) + else + vhost_zerocopy_signal_used(net, vq); + vhost_net_tx_packet(net); +- if (unlikely(vhost_exceeds_weight(++sent_pkts, total_len))) { +- vhost_poll_queue(&vq->poll); ++ if (unlikely(vhost_exceeds_weight(vq, ++sent_pkts, ++ total_len))) + break; +- } + } + } + +@@ -1192,10 +1183,8 @@ static void handle_rx(struct vhost_net *net) + vhost_log_write(vq, vq_log, log, vhost_len, + vq->iov, in); + total_len += vhost_len; +- if (unlikely(vhost_exceeds_weight(++recv_pkts, total_len))) { +- vhost_poll_queue(&vq->poll); ++ if (unlikely(vhost_exceeds_weight(vq, ++recv_pkts, total_len))) + goto out; +- } + } + if (unlikely(busyloop_intr)) + vhost_poll_queue(&vq->poll); +@@ -1291,7 +1280,8 @@ static int vhost_net_open(struct inode *inode, struct file *f) + vhost_net_buf_init(&n->vqs[i].rxq); + } + vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX, +- UIO_MAXIOV + VHOST_NET_BATCH); ++ UIO_MAXIOV + VHOST_NET_BATCH, ++ VHOST_NET_WEIGHT, VHOST_NET_PKT_WEIGHT); + + vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev); + vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, POLLIN, dev); +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -58,6 +58,12 @@ + #define VHOST_SCSI_PREALLOC_UPAGES 2048 + #define VHOST_SCSI_PREALLOC_PROT_SGLS 512 + ++/* Max number of requests before requeueing the job. ++ * Using this limit prevents one virtqueue from starving others with ++ * request. ++ */ ++#define VHOST_SCSI_WEIGHT 256 ++ + struct vhost_scsi_inflight { + /* Wait for the flush operation to finish */ + struct completion comp; +@@ -1432,7 +1438,8 @@ static int vhost_scsi_open(struct inode *inode, struct file *f) + vqs[i] = &vs->vqs[i].vq; + vs->vqs[i].vq.handle_kick = vhost_scsi_handle_kick; + } +- vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ, UIO_MAXIOV); ++ vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ, UIO_MAXIOV, ++ VHOST_SCSI_WEIGHT, 0); + + vhost_scsi_init_inflight(vs, NULL); + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -416,8 +416,24 @@ static void vhost_dev_free_iovecs(struct vhost_dev *dev) + vhost_vq_free_iovecs(dev->vqs[i]); + } + ++bool vhost_exceeds_weight(struct vhost_virtqueue *vq, ++ int pkts, int total_len) ++{ ++ struct vhost_dev *dev = vq->dev; ++ ++ if ((dev->byte_weight && total_len >= dev->byte_weight) || ++ pkts >= dev->weight) { ++ vhost_poll_queue(&vq->poll); ++ return true; ++ } ++ ++ return false; ++} ++EXPORT_SYMBOL_GPL(vhost_exceeds_weight); ++ + void vhost_dev_init(struct vhost_dev *dev, +- struct vhost_virtqueue **vqs, int nvqs, int iov_limit) ++ struct vhost_virtqueue **vqs, int nvqs, ++ int iov_limit, int weight, int byte_weight) + { + struct vhost_virtqueue *vq; + int i; +@@ -432,6 +448,8 @@ void vhost_dev_init(struct vhost_dev *dev, + dev->mm = NULL; + dev->worker = NULL; + dev->iov_limit = iov_limit; ++ dev->weight = weight; ++ dev->byte_weight = byte_weight; + init_llist_head(&dev->work_list); + init_waitqueue_head(&dev->wait); + INIT_LIST_HEAD(&dev->read_list); +--- a/drivers/vhost/vhost.h ++++ b/drivers/vhost/vhost.h +@@ -180,10 +180,13 @@ struct vhost_dev { + struct list_head pending_list; + wait_queue_head_t wait; + int iov_limit; ++ int weight; ++ int byte_weight; + }; + ++bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts, int total_len); + void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs, +- int nvqs, int iov_limit); ++ int nvqs, int iov_limit, int weight, int byte_weight); + long vhost_dev_set_owner(struct vhost_dev *dev); + bool vhost_dev_has_owner(struct vhost_dev *dev); + long vhost_dev_check_owner(struct vhost_dev *); +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -21,6 +21,14 @@ + #include "vhost.h" + + #define VHOST_VSOCK_DEFAULT_HOST_CID 2 ++/* Max number of bytes transferred before requeueing the job. ++ * Using this limit prevents one virtqueue from starving others. */ ++#define VHOST_VSOCK_WEIGHT 0x80000 ++/* Max number of packets transferred before requeueing the job. ++ * Using this limit prevents one virtqueue from starving others with ++ * small pkts. ++ */ ++#define VHOST_VSOCK_PKT_WEIGHT 256 + + enum { + VHOST_VSOCK_FEATURES = VHOST_FEATURES, +@@ -533,7 +541,9 @@ static int vhost_vsock_dev_open(struct inode *inode, struct file *file) + vsock->vqs[VSOCK_VQ_TX].handle_kick = vhost_vsock_handle_tx_kick; + vsock->vqs[VSOCK_VQ_RX].handle_kick = vhost_vsock_handle_rx_kick; + +- vhost_dev_init(&vsock->dev, vqs, ARRAY_SIZE(vsock->vqs), UIO_MAXIOV); ++ vhost_dev_init(&vsock->dev, vqs, ARRAY_SIZE(vsock->vqs), ++ UIO_MAXIOV, VHOST_VSOCK_PKT_WEIGHT, ++ VHOST_VSOCK_WEIGHT); + + file->private_data = vsock; + spin_lock_init(&vsock->send_pkt_list_lock); diff --git a/patches.suse/vhost-scsi-add-weight-support.patch b/patches.suse/vhost-scsi-add-weight-support.patch new file mode 100644 index 0000000..fc1184c --- /dev/null +++ b/patches.suse/vhost-scsi-add-weight-support.patch @@ -0,0 +1,59 @@ +From: Jason Wang +Date: Fri, 17 May 2019 00:29:52 -0400 +Subject: vhost: scsi: add weight support +Patch-mainline: v5.2-rc4 +Git-commit: c1ea02f15ab5efb3e93fc3144d895410bf79fcf2 +References: CVE-2019-3900 bsc#1133374 + +This patch will check the weight and exit the loop if we exceeds the +weight. This is useful for preventing scsi kthread from hogging cpu +which is guest triggerable. + +This addresses CVE-2019-3900. + +Cc: Paolo Bonzini +Cc: Stefan Hajnoczi +Fixes: 057cbf49a1f0 ("tcm_vhost: Initial merge for vhost level target fabric driver") +Signed-off-by: Jason Wang +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Stefan Hajnoczi +Acked-by: Michal Kubecek + +SLE(4.12 based): omitted part patching code added by mainline commit +0d02dbd68c47 ("vhost/scsi: Respond to control queue operations") which has +not bee backported into any 4.12 based SLE branch. + +--- + drivers/vhost/scsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -851,7 +851,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) + u64 tag; + u32 exp_data_len, data_direction; + unsigned int out = 0, in = 0; +- int head, ret, prot_bytes; ++ int head, ret, prot_bytes, c = 0; + size_t req_size, rsp_size = sizeof(struct virtio_scsi_cmd_resp); + size_t out_size, in_size; + u16 lun; +@@ -870,7 +870,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) + + vhost_disable_notify(&vs->dev, vq); + +- for (;;) { ++ do { + head = vhost_get_vq_desc(vq, vq->iov, + ARRAY_SIZE(vq->iov), &out, &in, + NULL, NULL); +@@ -1085,7 +1085,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) + */ + INIT_WORK(&cmd->work, vhost_scsi_submission_work); + queue_work(vhost_scsi_workqueue, &cmd->work); +- } ++ } while (likely(!vhost_exceeds_weight(vq, ++c, 0))); + out: + mutex_unlock(&vq->mutex); + } diff --git a/patches.suse/vhost-vsock-add-weight-support.patch b/patches.suse/vhost-vsock-add-weight-support.patch new file mode 100644 index 0000000..b5757ac --- /dev/null +++ b/patches.suse/vhost-vsock-add-weight-support.patch @@ -0,0 +1,89 @@ +From: Jason Wang +Date: Fri, 17 May 2019 00:29:51 -0400 +Subject: vhost: vsock: add weight support +Patch-mainline: v5.2-rc4 +Git-commit: e79b431fb901ba1106670bcc80b9b617b25def7d +References: CVE-2019-3900 bsc#1133374 + +This patch will check the weight and exit the loop if we exceeds the +weight. This is useful for preventing vsock kthread from hogging cpu +which is guest triggerable. The weight can help to avoid starving the +request from on direction while another direction is being processed. + +The value of weight is picked from vhost-net. + +This addresses CVE-2019-3900. + +Cc: Stefan Hajnoczi +Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko") +Signed-off-by: Jason Wang +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Michael S. Tsirkin +Acked-by: Michal Kubecek + +--- + drivers/vhost/vsock.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -86,6 +86,7 @@ vhost_transport_do_send_pkt(struct vhost_vsock *vsock, + struct vhost_virtqueue *vq) + { + struct vhost_virtqueue *tx_vq = &vsock->vqs[VSOCK_VQ_TX]; ++ int pkts = 0, total_len = 0; + bool added = false; + bool restart_tx = false; + +@@ -97,7 +98,7 @@ vhost_transport_do_send_pkt(struct vhost_vsock *vsock, + /* Avoid further vmexits, we're already processing the virtqueue */ + vhost_disable_notify(&vsock->dev, vq); + +- for (;;) { ++ do { + struct virtio_vsock_pkt *pkt; + struct iov_iter iov_iter; + unsigned out, in; +@@ -182,8 +183,9 @@ vhost_transport_do_send_pkt(struct vhost_vsock *vsock, + */ + virtio_transport_deliver_tap_pkt(pkt); + ++ total_len += pkt->len; + virtio_transport_free_pkt(pkt); +- } ++ } while(likely(!vhost_exceeds_weight(vq, ++pkts, total_len))); + if (added) + vhost_signal(&vsock->dev, vq); + +@@ -358,7 +360,7 @@ static void vhost_vsock_handle_tx_kick(struct vhost_work *work) + struct vhost_vsock *vsock = container_of(vq->dev, struct vhost_vsock, + dev); + struct virtio_vsock_pkt *pkt; +- int head; ++ int head, pkts = 0, total_len = 0; + unsigned int out, in; + bool added = false; + +@@ -368,7 +370,7 @@ static void vhost_vsock_handle_tx_kick(struct vhost_work *work) + goto out; + + vhost_disable_notify(&vsock->dev, vq); +- for (;;) { ++ do { + u32 len; + + if (!vhost_vsock_more_replies(vsock)) { +@@ -411,9 +413,11 @@ static void vhost_vsock_handle_tx_kick(struct vhost_work *work) + else + virtio_transport_free_pkt(pkt); + +- vhost_add_used(vq, head, sizeof(pkt->hdr) + len); ++ len += sizeof(pkt->hdr); ++ vhost_add_used(vq, head, len); ++ total_len += len; + added = true; +- } ++ } while(likely(!vhost_exceeds_weight(vq, ++pkts, total_len))); + + no_more_replies: + if (added) diff --git a/patches.suse/vhost_net-fix-possible-infinite-loop.patch b/patches.suse/vhost_net-fix-possible-infinite-loop.patch new file mode 100644 index 0000000..194e6f6 --- /dev/null +++ b/patches.suse/vhost_net-fix-possible-infinite-loop.patch @@ -0,0 +1,134 @@ +From: Jason Wang +Date: Fri, 17 May 2019 00:29:50 -0400 +Subject: vhost_net: fix possible infinite loop +Patch-mainline: v5.2-rc4 +Git-commit: e2412c07f8f3040593dfb88207865a3cd58680c0 +References: CVE-2019-3900 bsc#1133374 + +When the rx buffer is too small for a packet, we will discard the vq +descriptor and retry it for the next packet: + +while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk, + &busyloop_intr))) { +... + /* On overrun, truncate and discard */ + if (unlikely(headcount > UIO_MAXIOV)) { + iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1); + err = sock->ops->recvmsg(sock, &msg, + 1, MSG_DONTWAIT | MSG_TRUNC); + pr_debug("Discarded rx packet: len %zd\n", sock_len); + continue; + } +... +} + +This makes it possible to trigger a infinite while..continue loop +through the co-opreation of two VMs like: + +1) Malicious VM1 allocate 1 byte rx buffer and try to slow down the + vhost process as much as possible e.g using indirect descriptors or + other. +2) Malicious VM2 generate packets to VM1 as fast as possible + +Fixing this by checking against weight at the end of RX and TX +loop. This also eliminate other similar cases when: + +- userspace is consuming the packets in the meanwhile +- theoretical TOCTOU attack if guest moving avail index back and forth + to hit the continue after vhost find guest just add new buffers + +This addresses CVE-2019-3900. + +Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short") +Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") +Signed-off-by: Jason Wang +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Michael S. Tsirkin +Acked-by: Michal Kubecek + +--- + drivers/vhost/net.c | 29 +++++++++++++---------------- + 1 file changed, 13 insertions(+), 16 deletions(-) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -727,7 +727,7 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) + int sent_pkts = 0; + bool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX); + +- for (;;) { ++ do { + bool busyloop_intr = false; + + if (nvq->done_idx == VHOST_NET_BATCH) +@@ -793,9 +793,7 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) + vq->heads[nvq->done_idx].id = cpu_to_vhost32(vq, head); + vq->heads[nvq->done_idx].len = 0; + ++nvq->done_idx; +- if (vhost_exceeds_weight(vq, ++sent_pkts, total_len)) +- break; +- } ++ } while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len))); + + vhost_tx_batch(net, nvq, sock, &msg); + } +@@ -820,7 +818,7 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) + bool zcopy_used; + int sent_pkts = 0; + +- for (;;) { ++ do { + bool busyloop_intr; + + /* Release DMAs done buffers first */ +@@ -896,10 +894,7 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) + else + vhost_zerocopy_signal_used(net, vq); + vhost_net_tx_packet(net); +- if (unlikely(vhost_exceeds_weight(vq, ++sent_pkts, +- total_len))) +- break; +- } ++ } while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len))); + } + + /* Expects to be always run from workqueue - which acts as +@@ -1097,8 +1092,11 @@ static void handle_rx(struct vhost_net *net) + vq->log : NULL; + mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF); + +- while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk, +- &busyloop_intr))) { ++ do { ++ sock_len = vhost_net_rx_peek_head_len(net, sock->sk, ++ &busyloop_intr); ++ if (!sock_len) ++ break; + sock_len += sock_hlen; + vhost_len = sock_len + vhost_hlen; + headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx, +@@ -1183,12 +1181,11 @@ static void handle_rx(struct vhost_net *net) + vhost_log_write(vq, vq_log, log, vhost_len, + vq->iov, in); + total_len += vhost_len; +- if (unlikely(vhost_exceeds_weight(vq, ++recv_pkts, total_len))) +- goto out; +- } ++ } while (likely(!vhost_exceeds_weight(vq, ++recv_pkts, total_len))); ++ + if (unlikely(busyloop_intr)) + vhost_poll_queue(&vq->poll); +- else ++ else if (!sock_len) + vhost_net_enable_vq(net, vq); + out: + vhost_net_signal_used(nvq); +@@ -1281,7 +1278,7 @@ static int vhost_net_open(struct inode *inode, struct file *f) + } + vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX, + UIO_MAXIOV + VHOST_NET_BATCH, +- VHOST_NET_WEIGHT, VHOST_NET_PKT_WEIGHT); ++ VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT); + + vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev); + vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, POLLIN, dev); diff --git a/patches.suse/virtio_console-Assure-used-length-from-device-is-lim.patch b/patches.suse/virtio_console-Assure-used-length-from-device-is-lim.patch index 34905d9..b4a64be 100644 --- a/patches.suse/virtio_console-Assure-used-length-from-device-is-lim.patch +++ b/patches.suse/virtio_console-Assure-used-length-from-device-is-lim.patch @@ -4,7 +4,7 @@ Date: Tue, 25 May 2021 20:56:22 +0800 Subject: [PATCH] virtio_console: Assure used length from device is limited Git-commit: d00d8da5869a2608e97cfede094dfc5e11462a46 Patch-mainline: v5.14-rc1 -References: git-fixes +References: CVE-2021-38160, bsc#1190117 The buf->len might come from an untrusted device. This ensures the value would not exceed the size of the buffer diff --git a/patches.suse/virtio_net-Fix-error-code-in-probe.patch b/patches.suse/virtio_net-Fix-error-code-in-probe.patch new file mode 100644 index 0000000..69e88bb --- /dev/null +++ b/patches.suse/virtio_net-Fix-error-code-in-probe.patch @@ -0,0 +1,38 @@ +From 0231ce4e35781438883493a1055cff69269217e4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 4 Dec 2020 17:23:16 +0300 +Subject: [PATCH 2/5] virtio_net: Fix error code in probe() +Git-commit: 411ea23a76526e6efed0b601abb603d3c981b333 +References: git-fixes +Patch-mainline: v5.11-rc1 + +Set a negative error code intead of returning success if the MTU has +been changed to something invalid. + +Fixes: fe36cbe0671e ("virtio_net: clear MTU when out of range") +Reported-by: Robert Buhren +Reported-by: Felicitas Hetzelt +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/X8pGVJSeeCdII1Ys@mwanda +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Denis Kirjanov +--- + drivers/net/virtio_net.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 626b143c9bd9..f279e2f3e50a 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -3050,6 +3050,7 @@ static int virtnet_probe(struct virtio_device *vdev) + */ + dev_err(&vdev->dev, "device MTU appears to have changed " + "it is now %d < %d", mtu, dev->min_mtu); ++ err = -EINVAL; + goto free; + } + +-- +2.16.4 + diff --git a/patches.suse/vt_kdsetmode-extend-console-locking.patch b/patches.suse/vt_kdsetmode-extend-console-locking.patch new file mode 100644 index 0000000..42915e9 --- /dev/null +++ b/patches.suse/vt_kdsetmode-extend-console-locking.patch @@ -0,0 +1,44 @@ +From: Linus Torvalds +Date: Mon, 30 Aug 2021 08:55:18 -0700 +Subject: vt_kdsetmode: extend console locking +Git-commit: 2287a51ba822384834dafc1c798453375d1107c7 +Patch-mainline: 5.15-rc1 +References: bsc#1190025 CVE-2021-3753 + +As per the long-suffering comment. + +Reported-by: Minh Yuan +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Signed-off-by: Linus Torvalds +Signed-off-by: Jiri Slaby +--- + drivers/tty/vt/vt_ioctl.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -479,16 +479,19 @@ int vt_ioctl(struct tty_struct *tty, + ret = -EINVAL; + goto out; + } +- /* FIXME: this needs the console lock extending */ +- if (vc->vc_mode == (unsigned char) arg) ++ console_lock(); ++ if (vc->vc_mode == (unsigned char) arg) { ++ console_unlock(); + break; ++ } + vc->vc_mode = (unsigned char) arg; +- if (console != fg_console) ++ if (console != fg_console) { ++ console_unlock(); + break; ++ } + /* + * explicitly blank/unblank the screen if switching modes + */ +- console_lock(); + if (arg == KD_TEXT) + do_unblank_screen(1); + else diff --git a/series.conf b/series.conf index e53041e..0c2e589 100644 --- a/series.conf +++ b/series.conf @@ -49047,6 +49047,8 @@ patches.suse/net-hns3-do-not-initialize-MDIO-bus-when-PHY-is-inex.patch patches.suse/net-hns3-free-the-pending-skb-when-clean-RX-ring.patch patches.suse/net-hns3-code-optimization-for-command-queue-spin-lo.patch + patches.suse/sctp-implement-memory-accounting-on-tx-path.patch + patches.suse/sctp-implement-memory-accounting-on-rx-path.patch patches.suse/net-hns3-fix-sparse-warning-when-calling-hclge_set_v.patch patches.suse/net-hns3-fix-for-vport-bw_limit-overflow-problem.patch patches.suse/bnx2x-Replace-magic-numbers-with-macro-definitions.patch @@ -50049,6 +50051,10 @@ patches.suse/stacktrace-unbreak-stack_trace_save_tsk_reliable.patch patches.suse/efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch patches.suse/x86-cpu-amd-don-t-force-the-cpb-cap-when-running-under-a-hypervisor.patch + patches.suse/vhost-introduce-vhost_exceeds_weight.patch + patches.suse/vhost_net-fix-possible-infinite-loop.patch + patches.suse/vhost-vsock-add-weight-support.patch + patches.suse/vhost-scsi-add-weight-support.patch patches.suse/0002-rcu-locking-and-unlocking-need-to-always-be-at-least.patch patches.suse/SUNRPC-fix-regression-in-umount-of-a-secure-mount.patch patches.suse/NFSv4.1-Again-fix-a-race-where-CB_NOTIFY_LOCK-fails-.patch @@ -57009,6 +57015,7 @@ patches.suse/sdhci-tegra-Remove-SDHCI_QUIRK_DATA_TIMEOUT_USES_SDC.patch patches.suse/btrfs-tree-checker-fix-the-error-message-for-transid.patch patches.suse/fix-regression-in-epoll-Keep-a-reference-on-files-added-to-the-check-list.patch + patches.suse/0001-dm-writecache-handle-DAX-to-partitions-on-persistent.patch patches.suse/0001-dm-cache-metadata-Avoid-returning-cmd-bm-wild-pointe.patch patches.suse/0002-dm-thin-metadata-Avoid-returning-cmd-bm-wild-pointer.patch patches.suse/HID-core-Correctly-handle-ReportSize-being-zero.patch @@ -57180,6 +57187,7 @@ patches.suse/drm-sun4i-mixer-Extend-regmap-max_register.patch patches.suse/spi-fsl-espi-Only-process-interrupts-for-expected-ev.patch patches.suse/kvm-svm-add-a-dedicated-invd-intercept-routine.patch + patches.suse/0002-arch-x86-lib-usercopy_64.c-fix-__copy_user_flushcach.patch patches.suse/s390-zcrypt-fix-zcrypt_perdev_reqcnt-ioctl patches.suse/scsi-lpfc-Fix-initial-FLOGI-failure-due-to-BBSCN-not.patch patches.suse/clocksource-drivers-h8300_timer8-Fix-wrong-return-va.patch @@ -57572,6 +57580,7 @@ patches.suse/RDMA-hns-Fix-missing-sq_sig_type-when-querying-QP.patch patches.suse/RDMA-addr-Fix-race-with-netevent_callback-rdma_addr_.patch patches.suse/RDMA-qedr-Endianness-warnings-cleanup.patch + patches.suse/0003-overflow-Include-header-file-with-SIZE_MAX-declarati.patch patches.suse/RDMA-ipoib-Set-rtnl_link_ops-for-ipoib-interfaces.patch patches.suse/RDMA-bnxt_re-Fix-sizeof-mismatch-for-allocation-of-p.patch patches.suse/IB-rdmavt-Fix-sizeof-mismatch.patch @@ -57923,6 +57932,9 @@ patches.suse/chelsio-chtls-fix-a-double-free-in-chtls_setkey.patch patches.suse/net-mvpp2-Fix-error-return-code-in-mvpp2_open.patch patches.suse/drm-rockchip-Avoid-uninitialized-use-of-endpoint-id-.patch + patches.suse/0004-dm-writecache-fix-the-maximum-number-of-arguments.patch + patches.suse/0005-dm-writecache-remove-BUG-and-fail-gracefully-instead.patch + patches.suse/0006-dm-remove-invalid-sparse-__acquires-and-__releases-a.patch patches.suse/msft-hv-2173-scsi-storvsc-Fix-error-return-in-storvsc_probe.patch patches.suse/cifs-set_root_ses-ipc.patch patches.suse/powerpc-64s-Fix-hash-ISA-v3.0-TLBIEL-instruction-gen.patch @@ -58247,6 +58259,7 @@ patches.suse/powerpc-perf-Exclude-kernel-samples-while-counting-e.patch patches.suse/net-core-introduce-__netdev_notify_peers.patch patches.suse/use-__netdev_notify_peers-in-ibmvnic.patch + patches.suse/qlcnic-Fix-error-code-in-probe.patch patches.suse/cifs-Tracepoints-and-logs-for-tracing-credit-changes-.patch patches.suse/gpio-mvebu-update-Armada-XP-per-CPU-comment.patch patches.suse/pwm-lp3943-Dynamically-allocate-PWM-chip-base.patch @@ -58268,6 +58281,7 @@ patches.suse/ALSA-usb-audio-Disable-sample-read-check-if-firmware.patch patches.suse/ALSA-pcm-Clear-the-full-allocated-memory-at-hw_param.patch patches.suse/ALSA-pcm-oss-Fix-a-few-more-UBSAN-fixes.patch + patches.suse/virtio_net-Fix-error-code-in-probe.patch patches.suse/libnvdimm-namespace-Fix-reaping-of-invalidated-block.patch patches.suse/libnvdimm-label-Return-ENXIO-for-no-slot-in-__blk_la.patch patches.suse/s390-dasd-fix-hanging-device-offline-processing @@ -58279,6 +58293,9 @@ patches.suse/ext4-fix-deadlock-with-fs-freezing-and-EA-inodes.patch patches.suse/ext4-don-t-remount-read-only-with-errors-continue-on.patch patches.suse/scsi-cxgb4i-fix-tls-dependency + patches.suse/i40e-Fix-Error-I40E_AQ_RC_EINVAL-when-removing-VFs.patch + patches.suse/net-mvpp2-Add-TCAM-entry-to-drop-flow-control-pause-.patch + patches.suse/net-mvpp2-prs-fix-PPPoE-with-ipv6-packet-parse.patch patches.suse/ethernet-ucc_geth-fix-use-after-free-in-ucc_geth_rem.patch patches.suse/net-mvpp2-Fix-GoP-port-3-Networking-Complex-Control-.patch patches.suse/ibmvnic-fix-login-buffer-memory-leak.patch @@ -58353,6 +58370,7 @@ patches.suse/ext4-fix-superblock-checksum-failure-when-setting-pa.patch patches.suse/ext4-fix-bug-for-rename-with-RENAME_WHITEOUT.patch patches.suse/RDMA-mlx5-Fix-wrong-free-of-blue-flame-register-on-e.patch + patches.suse/0007-dm-zoned-select-CONFIG_CRC32.patch patches.suse/0005-dm-snapshot-flush-merged-data-before-committing-meta.patch patches.suse/0006-dm-eliminate-potential-source-of-excessive-kernel-lo.patch patches.suse/powerpc-Fix-alignment-bug-within-the-init-sections.patch @@ -58620,6 +58638,7 @@ patches.suse/pwm-rockchip-rockchip_pwm_probe-Remove-superfluous-c.patch patches.suse/SUNRPC-correct-error-code-comment-in-xs_tcp_setup_so.patch patches.suse/mm-fix-memory_failure-handling-of-dax-namespace-meta.patch + patches.suse/0008-mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch patches.suse/x86-fix-seq_file-iteration-for-pat-memtype.c.patch patches.suse/cifs-New-optype-for-session-operations-.patch patches.suse/cifs-fix-nodfs-mount-option.patch @@ -58769,6 +58788,7 @@ patches.suse/net-mlx5e-Fix-error-path-for-ethtool-set-priv-flag.patch patches.suse/drm-msm-fix-shutdown-hook-in-case-GPU-components-fai.patch patches.suse/bus-omap_l3_noc-mark-l3-irqs-as-IRQF_NO_THREAD.patch + patches.suse/0009-dm-verity-fix-DM_VERITY_OPTS_MAX-value.patch patches.suse/0016-dm-ioctl-fix-out-of-bounds-array-access-when-no-devi.patch patches.suse/scsi-qedi-fix-error-return-code-of-qedi_alloc_global_queues patches.suse/scsi-mpt3sas-fix-error-return-code-of-mpt3sas_base_attach @@ -58947,6 +58967,7 @@ patches.suse/spi-spi-ti-qspi-Free-DMA-resources.patch patches.suse/spi-dln2-Fix-reference-leak-to-master.patch patches.suse/spi-omap-100k-Fix-reference-leak-to-master.patch + patches.suse/0010-overflow-Correct-check_shl_overflow-comment.patch patches.suse/media-ite-cir-check-for-receive-overflow.patch patches.suse/media-omap4iss-return-error-code-when-omap4iss_get-f.patch patches.suse/media-media-saa7164-fix-saa7164_encoder_register-mem.patch @@ -59621,6 +59642,7 @@ patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch patches.suse/rtc-max77686-Do-not-enforce-incorrect-interrupt-trig.patch patches.suse/scsi-qla2xxx-Add-heartbeat-check.patch + patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch patches.suse/ibmvnic-retry-reset-if-there-are-no-other-resets.patch patches.suse/gve-Fix-an-error-handling-path-in-gve_probe.patch patches.suse/gve-Propagate-error-codes-to-caller.patch @@ -59670,6 +59692,7 @@ patches.suse/Bluetooth-defer-cleanup-of-resources-in-hci_unregist.patch patches.suse/ALSA-seq-Fix-racy-deletion-of-subscriber.patch patches.suse/spi-mediatek-Fix-fifo-transfer.patch + patches.suse/0011-md-raid10-properly-indicate-failure-when-ending-a-fa.patch patches.suse/USB-usbtmc-Fix-RCU-stall-warning.patch patches.suse/USB-serial-ch341-fix-character-loss-at-high-transfer.patch patches.suse/USB-serial-option-add-Telit-FD980-composition-0x1056.patch @@ -59681,14 +59704,39 @@ patches.suse/ASoC-cs42l42-Fix-inversion-of-ADC-Notch-Switch-contr.patch patches.suse/ASoC-cs42l42-Remove-duplicate-control-for-WNF-filter.patch patches.suse/xen-events-Fix-race-in-set_evtchn_to_irq.patch + patches.suse/i2c-dev-zero-out-array-used-for-i2c-reads-from-users.patch patches.suse/iio-humidity-hdc100x-Add-margin-to-the-conversion-ti.patch patches.suse/iio-adc-Fix-incorrect-exit-of-for-loop.patch patches.suse/ACPI-NFIT-Fix-support-for-virtual-SPA-ranges.patch patches.suse/scsi-lpfc-Move-initialization-of-phba-poll_list-earl.patch patches.suse/PCI-MSI-Enable-and-mask-MSI-X-early.patch patches.suse/PCI-MSI-Do-not-set-invalid-bits-in-MSI-mask.patch - - # jejb/scsi for-next + patches.suse/PCI-MSI-Correct-misleading-comments.patch + patches.suse/PCI-MSI-Use-msi_mask_irq-in-pci_msi_shutdown.patch + patches.suse/can-usb-esd_usb2-esd_usb2_rx_event-fix-the-interchan.patch + patches.suse/Revert-USB-serial-ch341-fix-character-loss-at-high-t.patch + patches.suse/vt_kdsetmode-extend-console-locking.patch + patches.suse/spi-spi-fsl-dspi-Fix-issue-with-uninitialized-dma_sl.patch + patches.suse/spi-spi-pic32-Fix-issue-with-uninitialized-dma_slave.patch + patches.suse/power-supply-max17042-handle-fails-of-reading-status.patch + patches.suse/PCI-PM-Enable-PME-if-it-can-be-signaled-from-D3cold.patch + patches.suse/mmc-dw_mmc-Fix-issue-with-uninitialized-dma_slave_co.patch + patches.suse/mmc-moxart-Fix-issue-with-uninitialized-dma_slave_co.patch + patches.suse/i2c-highlander-add-IRQ-check.patch + patches.suse/i2c-iop3xx-fix-deferred-probing.patch + patches.suse/i2c-s3c2410-fix-IRQ-check.patch + patches.suse/i2c-mt65xx-fix-IRQ-check.patch + patches.suse/Bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch + patches.suse/Bluetooth-increase-BTNAMSIZ-to-21-chars-to-fix-poten.patch + patches.suse/Bluetooth-avoid-circular-locks-in-sco_sock_connect.patch + patches.suse/Bluetooth-switch-to-lock_sock-in-SCO.patch + patches.suse/Bluetooth-fix-repeated-calls-to-sco_sock_kill.patch + patches.suse/Bluetooth-Move-shutdown-callback-before-flushing-tx-.patch + patches.suse/Bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch + patches.suse/mac80211-Fix-insufficient-headroom-issue-for-AMSDU.patch + patches.suse/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch + patches.suse/bcma-Fix-memory-leak-for-internally-handled-cores.patch + patches.suse/media-go7007-fix-memory-leak-in-go7007_usb_probe.patch patches.suse/scsi-qla2xxx-Remove-redundant-continue-statement-in-.patch patches.suse/scsi-lpfc-Fix-NVMe-support-reporting-in-log-message.patch patches.suse/scsi-lpfc-Remove-use-of-kmalloc-in-trace-event-loggi.patch @@ -59734,6 +59782,11 @@ patches.suse/scsi-lpfc-Fix-possible-ABBA-deadlock-in-nvmet_xri_ab.patch patches.suse/scsi-qla2xxx-Fix-use-after-free-in-debug-code.patch patches.suse/scsi-qla2xxx-Remove-redundant-initialization-of-vari.patch + patches.suse/scsi-ibmvfc-Do-not-wait-for-initial-device-scan.patch + patches.suse/ocfs2-ocfs2_downconvert_lock-failure-results-in-dead.patch + patches.suse/memcg-enable-accounting-for-file-lock-caches.patch + patches.suse/memcg-enable-accounting-of-ipc-resources.patch + patches.suse/mm-vmscan-guarantee-drop_slab_node-termination.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -59742,9 +59795,6 @@ patches.suse/0005-MODSIGN-Allow-the-db-UEFI-variable-to-be-suppressed.patch patches.suse/0006-modsign-Use-secondary-trust-keyring-for-module-signi.patch - # mkp/scsi queue - patches.suse/scsi-ibmvfc-Do-not-wait-for-initial-device-scan.patch - # out-of-tree patches patches.suse/net-mvpp2-fix-condition-for-setting-up-link-interrup.patch patches.suse/cifs-handle-netapp-error-codes.patch @@ -60284,8 +60334,7 @@ patches.suse/ath10k-Fix-TKIP-Michael-MIC-verification-for-PCIe.patch patches.suse/ath10k-Validate-first-subframe-of-A-MSDU-before-proc.patch - patches.suse/Bluetooth-avoid-circular-locks-in-sco_sock_connect.patch - patches.suse/Bluetooth-switch-to-lock_sock-in-SCO.patch + patches.suse/Bluetooth-sco-Fix-lock_sock-blockage-by-memcpy_from_.patch ######################################################## # ISDN @@ -60674,6 +60723,7 @@ patches.kabi/PCI-quirks-fix-false-kABI-positive.patch patches.kabi/kabi-fix-nvme_wait_freeze_timeout-return-type.patch patches.kabi/kabi-fix-after-kvm-vcpu-id-array-fix.patch + patches.kabi/kabi-mask-changes-to-vhost_dev_init-and-struct-vhost.patch ######################################################## # You'd better have a good reason for adding a patch