From c911350cfd2bc939e01ecbc6e1df23246261fea6 Mon Sep 17 00:00:00 2001 From: Matt Fleming Date: Mar 04 2020 22:54:29 +0000 Subject: Merge SLE12-SP5 into SLE12-SP5-RT - Refresh -rt patches: patches.rt/0176-stop_machine-Use-raw-spinlocks.patch patches.rt/nohz_full-RT-jitter-reduction.patch --- diff --git a/blacklist.conf b/blacklist.conf index ebe03bc..7f831ac 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -1437,3 +1437,31 @@ d950800e793cf06a8e261737d2d8b0114ab3351b # Duplicate of dcafbd50f2e4d5cc964aae40 dc39c1d68f256990d4bb0033a219e8ca15ba4d7f # ppc sstep emu 3a0990ca1a00cb9fd0278410b9b71a670ffcbffc # booke not supported 71eb40fc53371bc247c8066ae76ad9e22ae1e18d # booke not supported +afb89cd5f2ba2d5d04b85b2692a9a3d86b6fabd7 # drm/i915: stable fix, already applied +573e1fe003c1e2016bc40cc4f2b231e3b8c990f8 # drm/i915: stable fix, already applied +2d691aeca4aecbb8d0414a777a46981a8e142b05 # drm/i915: known to break things +0f0727d971f6fdf8f1077180d495ddb9928f0c8b # drm/amd: only for clang builds +71e5e886806ee3f8e0c44ed945eb2e4d6659c6e3 # wireless: only relevant for built-in kenrel +1e390478cfb527e34c9ab89ba57212cb05c33c51 # gpu/host1x: breaks kABI +5a2de63fd1a59c30c02526d427bc014b98adf508 # bridge: reverted by the below +278e2148c07559dd4ad8602f22366d61eb2ee7b7 # bridge: reverting the above +55576cf1853798e86f620766e23b604c9224c19c # regulator: cause a regression, reverted in below +350a0cba90e1bd40b1fe5b396923d2f3a61d1056 # regulator: reverting the above in 4.14.y stable +860dd4424f344400b491b212ee4acb3a358ba9d9 # Only needed for !CONFIG_HAS_DMA +0ed1325967ab5f7a4549a2641c6ebe115f76e228 # missing some of the infrastructure for this +6fbcdd59094ade30db63f32316e9502425d7b256 # bogus: data touched in c_i_u must go through c_f_u to reach kernel +97548575bef38abd06690a5a6f6816200c7e77f7 # breaks kAPI +14f4ca7e4d2825f9f71e22905ae177b899959f1d # breaks kAPI +3bc0bb36fa30e95ca829e9cf480e1ef7f7638333 # not applicable, no threaded cgroups in 4.12 +b34087157dd76e8d96e5e52808134a791ac61e57 # DIRECT_MAPPING_ERROR not present in SLE12-SP5 +b3ce6f6ff3c260ee53b0f2236e5fd950d46957da # not applicable, driver introduced in 5.2 +95c29d46ab2a517e4c26d0a07300edca6768db17 # not a bugfix +ee1438ce5dc4d67dd8dd1ff51583122a61f5bd9e # The problem introduced only with commit 988bec41318f +e39e773ad100ac94f8358d862f20101e802ae54c # kernel-doc fix +d9e9866803f7b6c3fdd35d345e97fb0b2908bbbc # Whitespace fix +b527b638fd63ba791dc90a0a6e9a3035b10df52b # many prerequisities, not worth it +bd0abfa8ca1dab85e9cedbf1988e5b4e53c67584 # Documentation only +fd933c00ebe220060e66fb136a7050a242456566 # Documentation only +39323c64b8a95d10ddc66dc815dd14efdddf6777 # Documentation only +84029fd04c201a4c7e0b07ba262664900f47c6f5 # changes limit semantics, fixes noncritical case, see bsc#1164094 +6df19872d881641e6394f93ef2938cffcbdae5bb # arm 32bit only diff --git a/config/x86_64/rt b/config/x86_64/rt index a461d26..be7d4bf 100644 --- a/config/x86_64/rt +++ b/config/x86_64/rt @@ -2183,7 +2183,7 @@ CONFIG_BLK_DEV_SD=m CONFIG_CHR_DEV_ST=m CONFIG_CHR_DEV_OSST=m CONFIG_BLK_DEV_SR=m -# CONFIG_BLK_DEV_SR_VENDOR is not set +CONFIG_BLK_DEV_SR_VENDOR=y CONFIG_CHR_DEV_SG=m CONFIG_CHR_DEV_SCH=m CONFIG_SCSI_ENCLOSURE=m diff --git a/config/x86_64/rt_debug b/config/x86_64/rt_debug index c963f39..6f75137 100644 --- a/config/x86_64/rt_debug +++ b/config/x86_64/rt_debug @@ -2200,7 +2200,7 @@ CONFIG_BLK_DEV_SD=m CONFIG_CHR_DEV_ST=m CONFIG_CHR_DEV_OSST=m CONFIG_BLK_DEV_SR=m -# CONFIG_BLK_DEV_SR_VENDOR is not set +CONFIG_BLK_DEV_SR_VENDOR=y CONFIG_CHR_DEV_SG=m CONFIG_CHR_DEV_SCH=m CONFIG_SCSI_ENCLOSURE=m diff --git a/kabi/severities b/kabi/severities index cc1694f..e6e11ba 100644 --- a/kabi/severities +++ b/kabi/severities @@ -29,6 +29,9 @@ xive_cleanup_irq_data PASS xive_native_populate_irq_data PASS # finctions internal to ppc radix mm radix__* PASS +# bsc#1157480 ltc#181028 power-specific devicetree hotplug handling +# With support for new devicetree format the old function does not make sense +rpaphp_get_drc_props PASS # IBM Z internal symbols # Cf. bsc#894391 / LTC#115441 and bsc#1134730 / LTC#173388 diff --git a/patches.kabi/can-skb-defined-kabi-workaround.patch b/patches.kabi/can-skb-defined-kabi-workaround.patch new file mode 100644 index 0000000..af08d8b --- /dev/null +++ b/patches.kabi/can-skb-defined-kabi-workaround.patch @@ -0,0 +1,28 @@ +From: Takashi Iwai +Subject: kABI workaround for can/skb.h inclusion +Patch-mainline: Never, kABI workaround +References: bsc#1051510 + +The patch + patches.suse/can-can_dropped_invalid_skb-ensure-an-initialized-he.patch +adds an inclusion of linux/can/netlink.h and this broke kABI from +undefined to defined. Work around it with the standard ifdef. + +Signed-off-by: Takashi Iwai + +--- + include/linux/can/dev.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/can/dev.h ++++ b/include/linux/can/dev.h +@@ -17,7 +17,9 @@ + #include + #include + #include ++#ifndef __GENKSYMS__ + #include ++#endif + #include + + /* diff --git a/patches.kabi/crypto-reexport-crypto_shoot_alg.patch b/patches.kabi/crypto-reexport-crypto_shoot_alg.patch new file mode 100644 index 0000000..9f2fe26 --- /dev/null +++ b/patches.kabi/crypto-reexport-crypto_shoot_alg.patch @@ -0,0 +1,42 @@ +From: Takashi Iwai +Subject: crypto: reexport crypto_shoot_alg() +Patch-mainline: Never, kABI workaround +References: bsc#1051510, kABI fix + +The patch patches.suse/crypto-api-Fix-race-condition-in-crypto_spawn_alg.patch +removed the exported symbol. Revive it for kABI compatibility. + +Signed-off-by: Takashi Iwai + +--- + crypto/api.c | 3 ++- + crypto/internal.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -339,12 +339,13 @@ static unsigned int crypto_ctxsize(struc + return len; + } + +-static void crypto_shoot_alg(struct crypto_alg *alg) ++void crypto_shoot_alg(struct crypto_alg *alg) + { + down_write(&crypto_alg_sem); + alg->cra_flags |= CRYPTO_ALG_DYING; + up_write(&crypto_alg_sem); + } ++EXPORT_SYMBOL_GPL(crypto_shoot_alg); + + struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type, + u32 mask) +--- a/crypto/internal.h ++++ b/crypto/internal.h +@@ -84,6 +84,7 @@ void crypto_alg_tested(const char *name, + void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list, + struct crypto_alg *nalg); + void crypto_remove_final(struct list_head *list); ++void crypto_shoot_alg(struct crypto_alg *alg); + struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type, + u32 mask); + void *crypto_create_tfm(struct crypto_alg *alg, diff --git a/patches.kabi/libnvdimm-fix-devm_nsio_enable-kabi.patch b/patches.kabi/libnvdimm-fix-devm_nsio_enable-kabi.patch new file mode 100644 index 0000000..926e9bc --- /dev/null +++ b/patches.kabi/libnvdimm-fix-devm_nsio_enable-kabi.patch @@ -0,0 +1,84 @@ +From: Jan Kara +Subject: libnvdimm: Fix devm_nsio_enable() kabi +References: bsc#1153535 +Patch-mainline: Never, kABI fix + +devm_nsio_enable() and devm_nsio_disable() were exported and devm_nsio_enable() +had slightly different signature. Create stubs calling new functions to +maintain kABI. + +Signed-off-by: Jan Kara + +--- + drivers/nvdimm/claim.c | 9 ++++++++- + drivers/nvdimm/namespace_devs.c | 2 +- + drivers/nvdimm/nd-core.h | 11 +++++++++-- + 3 files changed, 18 insertions(+), 4 deletions(-) + +--- a/drivers/nvdimm/claim.c ++++ b/drivers/nvdimm/claim.c +@@ -306,7 +306,7 @@ static int nsio_rw_bytes(struct nd_names + return rc; + } + +-int devm_nsio_enable(struct device *dev, struct nd_namespace_io *nsio, ++int devm_nsio_enable_size(struct device *dev, struct nd_namespace_io *nsio, + resource_size_t size) + { + struct resource *res = &nsio->res; +@@ -330,6 +330,12 @@ int devm_nsio_enable(struct device *dev, + return PTR_ERR_OR_ZERO(nsio->addr); + } + ++int devm_nsio_enable(struct device *dev, struct nd_namespace_io *nsio) ++{ ++ return devm_nsio_enable_size(dev, nsio, resource_size(&nsio->res)); ++} ++EXPORT_SYMBOL_GPL(devm_nsio_enable); ++ + void devm_nsio_disable(struct device *dev, struct nd_namespace_io *nsio) + { + struct resource *res = &nsio->res; +@@ -338,3 +344,4 @@ void devm_nsio_disable(struct device *de + devm_exit_badblocks(dev, &nsio->bb); + devm_release_mem_region(dev, res->start, nsio->size); + } ++EXPORT_SYMBOL_GPL(devm_nsio_disable); +--- a/drivers/nvdimm/namespace_devs.c ++++ b/drivers/nvdimm/namespace_devs.c +@@ -1776,7 +1776,7 @@ int devm_namespace_enable(struct device + { + if (is_namespace_blk(&ndns->dev)) + return 0; +- return devm_nsio_enable(dev, to_nd_namespace_io(&ndns->dev), size); ++ return devm_nsio_enable_size(dev, to_nd_namespace_io(&ndns->dev), size); + } + EXPORT_SYMBOL_GPL(devm_namespace_enable); + +--- a/drivers/nvdimm/nd-core.h ++++ b/drivers/nvdimm/nd-core.h +@@ -190,15 +190,22 @@ ssize_t nd_namespace_store(struct device + size_t len); + struct nd_pfn *to_nd_pfn_safe(struct device *dev); + #if IS_ENABLED(CONFIG_ND_CLAIM) +-int devm_nsio_enable(struct device *dev, struct nd_namespace_io *nsio, ++int devm_nsio_enable_size(struct device *dev, struct nd_namespace_io *nsio, + resource_size_t size); ++int devm_nsio_enable(struct device *dev, struct nd_namespace_io *nsio); + void devm_nsio_disable(struct device *dev, struct nd_namespace_io *nsio); + #else +-static inline int devm_nsio_enable(struct device *dev, ++static inline int devm_nsio_enable_size(struct device *dev, + struct nd_namespace_io *nsio, resource_size_t size) + { + return -ENXIO; + } ++ ++static inline int devm_nsio_enable(struct device *dev, ++ struct nd_namespace_io *nsio) ++{ ++ return -ENXIO; ++} + + static inline void devm_nsio_disable(struct device *dev, + struct nd_namespace_io *nsio) diff --git a/patches.kabi/netlink-nla_policy-kabi-workaround.patch b/patches.kabi/netlink-nla_policy-kabi-workaround.patch new file mode 100644 index 0000000..d489322 --- /dev/null +++ b/patches.kabi/netlink-nla_policy-kabi-workaround.patch @@ -0,0 +1,108 @@ +From: Cho, Yu-Chen +Subject: Fix kABI breakage by nl80211 security fix +Patch-mainline: Never, kABI fix +References: bsc#1152107 CVE-2019-16746 + +- The recent fix for nl80211 driver for a security issue + 0001-net-ipv4-Add-extack-messages-for-route-add-failures.patch + 0002-netlink-Return-extack-message-if-attribute-validatio.patch + 0003-netlink-add-NLA_REJECT-policy-type.patch + 0004-netlink-move-extack-setting-into-validate_nla.patch + 0005-netlink-allow-NLA_NESTED-to-specify-nested-policy-to.patch + 0006-netlink-add-nested-array-policy-validation.patch + 0007-netlink-make-validation_data-const.patch + 0008-netlink-add-attribute-range-validation-to-policy.patch + 0009-netlink-replace-__NLA_ENSURE-implementation.patch + 0010-netlink-add-validation-function-to-policy.patch + 0011-nl80211-validate-beacon-head.patch +which break kABI. +- Fix by restoring the old firmware struct with kABI markers. +- Add kABI markers for validate_nla_bitfield32 + +Acked-by: Cho, Yu-Chen +--- + include/net/netlink.h | 21 ++++++++++++++++++--- + lib/nlattr.c | 12 ++++++++++++ + 2 files changed, 30 insertions(+), 3 deletions(-) + +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -171,7 +171,6 @@ enum { + NLA_FLAG, + NLA_MSECS, + NLA_NESTED, +- NLA_NESTED_ARRAY, + NLA_NESTED_COMPAT, + NLA_NUL_STRING, + NLA_BINARY, +@@ -180,7 +179,10 @@ enum { + NLA_S32, + NLA_S64, + NLA_BITFIELD32, ++#ifndef __GENKSYMS__ + NLA_REJECT, ++ NLA_NESTED_ARRAY, ++#endif + __NLA_TYPE_MAX, + }; + +@@ -281,9 +283,21 @@ enum nla_policy_validation { + * }; + */ + struct nla_policy { +- u8 type; +- u8 validation_type; ++#ifdef __GENKSYMS__ ++ u16 type; ++#else ++#ifdef __BIG_ENDIAN ++ u8 validation_type; ++ u8 type; ++#else ++ u8 type; ++ u8 validation_type; ++#endif ++#endif + u16 len; ++#ifdef __GENKSYMS__ ++ void *validation_data; ++#else + union { + const void *validation_data; + struct { +@@ -292,6 +306,7 @@ struct nla_policy { + int (*validate)(const struct nlattr *attr, + struct netlink_ext_ack *extack); + }; ++#endif + }; + + #define NLA_POLICY_NESTED(maxattr, policy) \ +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -27,13 +27,25 @@ static const u8 nla_attr_minlen[NLA_TYPE + [NLA_S64] = sizeof(s64), + }; + ++#ifdef __GENKSYMS__ ++static int validate_nla_bitfield32(const struct nlattr *nla, ++ u32 *valid_flags_allowed) ++#else + static int validate_nla_bitfield32(const struct nlattr *nla, + const u32 *valid_flags_mask) ++#endif + { + const struct nla_bitfield32 *bf = nla_data(nla); + ++#ifdef __GENKSYMS__ ++ u32 *valid_flags_mask = valid_flags_allowed; ++ ++ if (!valid_flags_allowed) ++ return -EINVAL; ++#else + if (!valid_flags_mask) + return -EINVAL; ++#endif + + /*disallow invalid bit selector */ + if (bf->selector & ~*valid_flags_mask) diff --git a/patches.rt/0176-stop_machine-Use-raw-spinlocks.patch b/patches.rt/0176-stop_machine-Use-raw-spinlocks.patch index 3253dc1..17f01ca 100644 --- a/patches.rt/0176-stop_machine-Use-raw-spinlocks.patch +++ b/patches.rt/0176-stop_machine-Use-raw-spinlocks.patch @@ -16,7 +16,7 @@ Signed-off-by: Mike Galbraith --- a/kernel/stop_machine.c +++ b/kernel/stop_machine.c -@@ -36,7 +36,7 @@ struct cpu_stop_done { +@@ -37,7 +37,7 @@ struct cpu_stop_done { struct cpu_stopper { struct task_struct *thread; @@ -25,25 +25,24 @@ Signed-off-by: Mike Galbraith bool enabled; /* is this stopper enabled? */ struct list_head works; /* list of pending works */ -@@ -78,14 +78,14 @@ static bool cpu_stop_queue_work(unsigned - unsigned long flags; +@@ -82,13 +82,13 @@ static bool cpu_stop_queue_work(unsigned bool enabled; + preempt_disable(); - spin_lock_irqsave(&stopper->lock, flags); + raw_spin_lock_irqsave(&stopper->lock, flags); enabled = stopper->enabled; if (enabled) - __cpu_stop_queue_work(stopper, work); + __cpu_stop_queue_work(stopper, work, &wakeq); else if (work->done) cpu_stop_signal_done(work->done); - spin_unlock_irqrestore(&stopper->lock, flags); - + raw_spin_unlock_irqrestore(&stopper->lock, flags); - return enabled; - } -@@ -231,8 +231,8 @@ static int cpu_stop_queue_two_works(int - struct cpu_stopper *stopper2 = per_cpu_ptr(&cpu_stopper, cpu2); + wake_up_q(&wakeq); + preempt_enable(); +@@ -239,8 +239,8 @@ static int cpu_stop_queue_two_works(int + DEFINE_WAKE_Q(wakeq); int err; retry: - spin_lock_irq(&stopper1->lock); @@ -53,9 +52,9 @@ Signed-off-by: Mike Galbraith err = -ENOENT; if (!stopper1->enabled || !stopper2->enabled) -@@ -255,8 +255,8 @@ static int cpu_stop_queue_two_works(int - __cpu_stop_queue_work(stopper1, work1); - __cpu_stop_queue_work(stopper2, work2); +@@ -272,8 +272,8 @@ retry: + */ + preempt_disable(); unlock: - spin_unlock(&stopper2->lock); - spin_unlock_irq(&stopper1->lock); @@ -64,7 +63,7 @@ Signed-off-by: Mike Galbraith if (unlikely(err == -EDEADLK)) { while (stop_cpus_in_progress) -@@ -448,9 +448,9 @@ static int cpu_stop_should_run(unsigned +@@ -471,9 +471,9 @@ static int cpu_stop_should_run(unsigned unsigned long flags; int run; @@ -76,7 +75,7 @@ Signed-off-by: Mike Galbraith return run; } -@@ -461,13 +461,13 @@ static void cpu_stopper_thread(unsigned +@@ -484,13 +484,13 @@ static void cpu_stopper_thread(unsigned repeat: work = NULL; @@ -92,7 +91,7 @@ Signed-off-by: Mike Galbraith if (work) { cpu_stop_fn_t fn = work->fn; -@@ -475,15 +475,7 @@ static void cpu_stopper_thread(unsigned +@@ -498,15 +498,7 @@ repeat: struct cpu_stop_done *done = work->done; int ret; @@ -109,7 +108,7 @@ Signed-off-by: Mike Galbraith /* cpu stop callbacks must not sleep, make in_atomic() == T */ preempt_count_inc(); -@@ -551,7 +543,7 @@ static int __init cpu_stop_init(void) +@@ -574,7 +566,7 @@ static int __init cpu_stop_init(void) for_each_possible_cpu(cpu) { struct cpu_stopper *stopper = &per_cpu(cpu_stopper, cpu); diff --git a/patches.rt/nohz_full-RT-jitter-reduction.patch b/patches.rt/nohz_full-RT-jitter-reduction.patch index 8926468..e21204b 100644 --- a/patches.rt/nohz_full-RT-jitter-reduction.patch +++ b/patches.rt/nohz_full-RT-jitter-reduction.patch @@ -7,12 +7,12 @@ References: SLE Realtime Extension Signed-off-by: Mike Galbraith --- kernel/sched/core.c | 5 +++-- - kernel/time/clocksource.c | 5 +++++ - 2 files changed, 8 insertions(+), 2 deletions(-) + kernel/time/clocksource.c | 6 +++++- + 2 files changed, 8 insertions(+), 3 deletions(-) --- a/kernel/sched/core.c +++ b/kernel/sched/core.c -@@ -3228,12 +3228,13 @@ u64 scheduler_tick_max_deferment(void) +@@ -3264,12 +3264,13 @@ u64 scheduler_tick_max_deferment(void) struct rq *rq = this_rq(); unsigned long next, now = READ_ONCE(jiffies); @@ -30,17 +30,18 @@ Signed-off-by: Mike Galbraith --- a/kernel/time/clocksource.c +++ b/kernel/time/clocksource.c -@@ -278,8 +278,13 @@ static void clocksource_watchdog(unsigne +@@ -278,9 +278,13 @@ static void clocksource_watchdog(unsigne * to each other. */ next_cpu = cpumask_next(raw_smp_processor_id(), cpu_online_mask); +skip_nohz_full: if (next_cpu >= nr_cpu_ids) next_cpu = cpumask_first(cpu_online_mask); +- + if (next_cpu && tick_nohz_full_cpu(next_cpu)) { + next_cpu = cpumask_next(next_cpu, cpu_online_mask); + goto skip_nohz_full; + } - watchdog_timer.expires += WATCHDOG_INTERVAL; - add_timer_on(&watchdog_timer, next_cpu); - out: + /* + * Arm timer if not already pending: could race with concurrent + * pair clocksource_stop_watchdog() clocksource_start_watchdog(). diff --git a/patches.suse/0001-ALSA-hda-realtek-Fix-silent-output-on-MSI-GL73.patch b/patches.suse/0001-ALSA-hda-realtek-Fix-silent-output-on-MSI-GL73.patch new file mode 100644 index 0000000..1facfbe --- /dev/null +++ b/patches.suse/0001-ALSA-hda-realtek-Fix-silent-output-on-MSI-GL73.patch @@ -0,0 +1,36 @@ +From 7dafba3762d6c0083ded00a48f8c1a158bc86717 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 12 Feb 2020 09:10:47 +0100 +Subject: [PATCH] ALSA: hda/realtek - Fix silent output on MSI-GL73 +Git-commit: 7dafba3762d6c0083ded00a48f8c1a158bc86717 +References: git-fixes +Patch-mainline: v5.6-rc2 + +MSI-GL73 laptop with ALC1220 codec requires a similar workaround for +Clevo laptops to enforce the DAC/mixer connection path. Set up a +quirk entry for that. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204159 +Cc: +Link: https://lore.kernel.org/r/20200212081047.27727-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Oliver Neukum +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 3ee88adf57e7..6c8cb4ce517e 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2447,6 +2447,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { + SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD), + SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE), + SND_PCI_QUIRK(0x1458, 0xa0b8, "Gigabyte AZ370-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), ++ SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD), + SND_PCI_QUIRK(0x1462, 0xda57, "MSI Z270-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), + SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3), +-- +2.16.4 + diff --git a/patches.suse/0001-ALSA-usb-audio-Apply-sample-rate-quirk-for-Audioengi.patch b/patches.suse/0001-ALSA-usb-audio-Apply-sample-rate-quirk-for-Audioengi.patch new file mode 100644 index 0000000..1e0cef5 --- /dev/null +++ b/patches.suse/0001-ALSA-usb-audio-Apply-sample-rate-quirk-for-Audioengi.patch @@ -0,0 +1,45 @@ +From 93f9d1a4ac5930654c17412e3911b46ece73755a Mon Sep 17 00:00:00 2001 +From: Arvind Sankar +Date: Tue, 11 Feb 2020 11:22:35 -0500 +Subject: [PATCH] ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 +Git-commit: 93f9d1a4ac5930654c17412e3911b46ece73755a +References: git-fixes +Patch-mainline: v5.6-rc2 + +The Audioengine D1 (0x2912:0x30c8) does support reading the sample rate, +but it returns the rate in byte-reversed order. + +When setting sampling rate, the driver produces these warning messages: +[168840.944226] usb 3-2.2: current rate 4500480 is different from the runtime rate 44100 +[168854.930414] usb 3-2.2: current rate 8436480 is different from the runtime rate 48000 +[168905.185825] usb 3-2.1.2: current rate 30465 is different from the runtime rate 96000 + +As can be seen from the hexadecimal conversion, the current rate read +back is byte-reversed from the rate that was set. + +44100 == 0x00ac44, 4500480 == 0x44ac00 +48000 == 0x00bb80, 8436480 == 0x80bb00 +96000 == 0x017700, 30465 == 0x007701 + +Rather than implementing a new quirk to reverse the order, just skip +checking the rate to avoid spamming the log. + +Signed-off-by: Arvind Sankar +Cc: +Link: https://lore.kernel.org/r/20200211162235.1639889-1-nivedita@alum.mit.edu +Signed-off-by: Takashi Iwai +Signed-off-by: Oliver Neukum +--- + sound/usb/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1281,6 +1281,7 @@ bool snd_usb_get_sample_rate_quirk(struc + case USB_ID(0x1395, 0x740a): /* Sennheiser DECT */ + case USB_ID(0x1901, 0x0191): /* GE B850V3 CP2114 audio interface */ + case USB_ID(0x21B4, 0x0081): /* AudioQuest DragonFly */ ++ case USB_ID(0x2912, 0x30c8): /* Audioengine D1 */ + return true; + } + diff --git a/patches.suse/0001-KVM-fix-spectrev1-gadgets.patch b/patches.suse/0001-KVM-fix-spectrev1-gadgets.patch new file mode 100644 index 0000000..ae7515a --- /dev/null +++ b/patches.suse/0001-KVM-fix-spectrev1-gadgets.patch @@ -0,0 +1,133 @@ +Patch-mainline: v5.1-rc6 +Git-commit: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c +From: Paolo Bonzini +Date: Thu, 11 Apr 2019 11:16:47 +0200 +Subject: [PATCH] KVM: fix spectrev1 gadgets +References: bsc#1164705 + +These were found with smatch, and then generalized when applicable. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/lapic.c | 4 +++- + include/linux/kvm_host.h | 10 ++++++---- + virt/kvm/irqchip.c | 5 +++-- + virt/kvm/kvm_main.c | 6 ++++-- + 4 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 991fdf7fc17f..9bf70cf84564 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -133,6 +133,7 @@ static inline bool kvm_apic_map_get_logical_dest(struct kvm_apic_map *map, + if (offset <= max_apic_id) { + u8 cluster_size = min(max_apic_id - offset + 1, 16U); + ++ offset = array_index_nospec(offset, map->max_apic_id + 1); + *cluster = &map->phys_map[offset]; + *mask = dest_id & (0xffff >> (16 - cluster_size)); + } else { +@@ -838,7 +839,8 @@ static inline bool kvm_apic_map_get_dest_lapic(struct kvm *kvm, + if (irq->dest_id > map->max_apic_id) { + *bitmap = 0; + } else { +- *dst = &map->phys_map[irq->dest_id]; ++ u32 dest_id = array_index_nospec(irq->dest_id, map->max_apic_id + 1); ++ *dst = &map->phys_map[dest_id]; + *bitmap = 1; + } + return true; +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index 9d55c63db09b..640a03642766 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -484,10 +485,10 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx) + + static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) + { +- /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu, in case +- * the caller has read kvm->online_vcpus before (as is the case +- * for kvm_for_each_vcpu, for example). +- */ ++ int num_vcpus = atomic_read(&kvm->online_vcpus); ++ i = array_index_nospec(i, num_vcpus); ++ ++ /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */ + smp_rmb(); + return kvm->vcpus[i]; + } +@@ -571,6 +572,7 @@ void kvm_put_kvm(struct kvm *kvm); + + static inline struct kvm_memslots *__kvm_memslots(struct kvm *kvm, int as_id) + { ++ as_id = array_index_nospec(as_id, KVM_ADDRESS_SPACE_NUM); + return srcu_dereference_check(kvm->memslots[as_id], &kvm->srcu, + lockdep_is_held(&kvm->slots_lock) || + !refcount_read(&kvm->users_count)); +diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c +index 3547b0d8c91e..79e59e4fa3dc 100644 +--- a/virt/kvm/irqchip.c ++++ b/virt/kvm/irqchip.c +@@ -144,18 +144,19 @@ static int setup_routing_entry(struct kvm *kvm, + { + struct kvm_kernel_irq_routing_entry *ei; + int r; ++ u32 gsi = array_index_nospec(ue->gsi, KVM_MAX_IRQ_ROUTES); + + /* + * Do not allow GSI to be mapped to the same irqchip more than once. + * Allow only one to one mapping between GSI and non-irqchip routing. + */ +- hlist_for_each_entry(ei, &rt->map[ue->gsi], link) ++ hlist_for_each_entry(ei, &rt->map[gsi], link) + if (ei->type != KVM_IRQ_ROUTING_IRQCHIP || + ue->type != KVM_IRQ_ROUTING_IRQCHIP || + ue->u.irqchip.irqchip == ei->irqchip.irqchip) + return -EINVAL; + +- e->gsi = ue->gsi; ++ e->gsi = gsi; + e->type = ue->type; + r = kvm_set_routing_entry(kvm, e, ue); + if (r) +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 55fe8e20d8fd..dc8edc97ba85 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2982,12 +2982,14 @@ static int kvm_ioctl_create_device(struct kvm *kvm, + struct kvm_device_ops *ops = NULL; + struct kvm_device *dev; + bool test = cd->flags & KVM_CREATE_DEVICE_TEST; ++ int type; + int ret; + + if (cd->type >= ARRAY_SIZE(kvm_device_ops_table)) + return -ENODEV; + +- ops = kvm_device_ops_table[cd->type]; ++ type = array_index_nospec(cd->type, ARRAY_SIZE(kvm_device_ops_table)); ++ ops = kvm_device_ops_table[type]; + if (ops == NULL) + return -ENODEV; + +@@ -3002,7 +3004,7 @@ static int kvm_ioctl_create_device(struct kvm *kvm, + dev->kvm = kvm; + + mutex_lock(&kvm->lock); +- ret = ops->create(dev, cd->type); ++ ret = ops->create(dev, type); + if (ret < 0) { + mutex_unlock(&kvm->lock); + kfree(dev); +-- +2.16.4 + diff --git a/patches.suse/0001-PCI-Vulcan-AHCI-PCI-bar-fix-for-Broadcom-Vulcan-earl.patch b/patches.suse/0001-PCI-Vulcan-AHCI-PCI-bar-fix-for-Broadcom-Vulcan-earl.patch index dff8cdc..a970448 100644 --- a/patches.suse/0001-PCI-Vulcan-AHCI-PCI-bar-fix-for-Broadcom-Vulcan-earl.patch +++ b/patches.suse/0001-PCI-Vulcan-AHCI-PCI-bar-fix-for-Broadcom-Vulcan-earl.patch @@ -18,14 +18,12 @@ Signed-off-by: Jayachandran C Signed-off-by: Robert Richter Signed-off-by: Mian Yousaf Kaukab --- - drivers/pci/quirks.c | 26 ++++++++++++++++++++++++++ + drivers/pci/quirks.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) -diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c -index cf782a814fb9..0d46fdf5d2d3 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c -@@ -3962,6 +3962,32 @@ static void quirk_mic_x200_dma_alias(struct pci_dev *pdev) +@@ -4135,6 +4135,32 @@ static void quirk_mic_x200_dma_alias(str DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2260, quirk_mic_x200_dma_alias); DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2264, quirk_mic_x200_dma_alias); @@ -56,8 +54,5 @@ index cf782a814fb9..0d46fdf5d2d3 100644 +#endif + /* - * The IOMMU and interrupt controller on Broadcom Vulcan/Cavium ThunderX2 are - * associated not at the root bus, but at a bridge below. This quirk avoids --- -2.11.0 - + * Intel Visual Compute Accelerator (VCA) is a family of PCIe add-in devices + * exposing computational units via Non Transparent Bridges (NTB, PEX 87xx). diff --git a/patches.suse/0001-Revert-locking-pvqspinlock-Don-t-wait-if-vCPU-is-pre.patch b/patches.suse/0001-Revert-locking-pvqspinlock-Don-t-wait-if-vCPU-is-pre.patch new file mode 100644 index 0000000..f5fac12 --- /dev/null +++ b/patches.suse/0001-Revert-locking-pvqspinlock-Don-t-wait-if-vCPU-is-pre.patch @@ -0,0 +1,69 @@ +From 89340d0935c9296c7b8222b6eab30e67cb57ab82 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Mon, 9 Sep 2019 09:40:28 +0800 +Subject: [PATCH] Revert "locking/pvqspinlock: Don't wait if vCPU is preempted" +Git-commit: 89340d0935c9296c7b8222b6eab30e67cb57ab82 +Patch-mainline: v5.4-rc1 +References: bsc#1050549 + +This patch reverts commit 75437bb304b20 (locking/pvqspinlock: Don't +wait if vCPU is preempted). A large performance regression was caused +by this commit. on over-subscription scenarios. + +The test was run on a Xeon Skylake box, 2 sockets, 40 cores, 80 threads, +with three VMs of 80 vCPUs each. The score of ebizzy -M is reduced from +13000-14000 records/s to 1700-1800 records/s: + + Host Guest score + +vanilla w/o kvm optimizations upstream 1700-1800 records/s +vanilla w/o kvm optimizations revert 13000-14000 records/s +vanilla w/ kvm optimizations upstream 4500-5000 records/s +vanilla w/ kvm optimizations revert 14000-15500 records/s + +Exit from aggressive wait-early mechanism can result in premature yield +and extra scheduling latency. + +Actually, only 6% of wait_early events are caused by vcpu_is_preempted() +being true. However, when one vCPU voluntarily releases its vCPU, all +the subsequently waiters in the queue will do the same and the cascading +effect leads to bad performance. + +kvm optimizations: +[1] commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts) +[2] commit 266e85a5ec9 (KVM: X86: Boost queue head vCPU to mitigate lock waiter preemption) + +Tested-by: loobinliu@tencent.com +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Waiman Long +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: loobinliu@tencent.com +Cc: stable@vger.kernel.org +Fixes: 75437bb304b20 (locking/pvqspinlock: Don't wait if vCPU is preempted) +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Davidlohr Bueso + +--- + kernel/locking/qspinlock_paravirt.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/locking/qspinlock_paravirt.h b/kernel/locking/qspinlock_paravirt.h +index 89bab079e7a4..e84d21aa0722 100644 +--- a/kernel/locking/qspinlock_paravirt.h ++++ b/kernel/locking/qspinlock_paravirt.h +@@ -269,7 +269,7 @@ pv_wait_early(struct pv_node *prev, int loop) + if ((loop & PV_PREV_CHECK_MASK) != 0) + return false; + +- return READ_ONCE(prev->state) != vcpu_running || vcpu_is_preempted(prev->cpu); ++ return READ_ONCE(prev->state) != vcpu_running; + } + + /* +-- +2.16.4 + diff --git a/patches.suse/0001-USB-EHCI-Do-not-return-EPIPE-when-hub-is-disconnecte.patch b/patches.suse/0001-USB-EHCI-Do-not-return-EPIPE-when-hub-is-disconnecte.patch new file mode 100644 index 0000000..38f9471 --- /dev/null +++ b/patches.suse/0001-USB-EHCI-Do-not-return-EPIPE-when-hub-is-disconnecte.patch @@ -0,0 +1,89 @@ +From 64cc3f12d1c7dd054a215bc1ff9cc2abcfe35832 Mon Sep 17 00:00:00 2001 +From: Erkka Talvitie +Date: Wed, 11 Dec 2019 10:08:39 +0200 +Subject: [PATCH] USB: EHCI: Do not return -EPIPE when hub is disconnected +Git-commit: 64cc3f12d1c7dd054a215bc1ff9cc2abcfe35832 +References: git-fixes +Patch-mainline: v5.5 + +When disconnecting a USB hub that has some child device(s) connected to it +(such as a USB mouse), then the stack tries to clear halt and +reset device(s) which are _already_ physically disconnected. + +The issue has been reproduced with: + +CPU: IMX6D5EYM10AD or MCIMX6D5EYM10AE. +SW: U-Boot 2019.07 and kernel 4.19.40. + +CPU: HP Proliant Microserver Gen8. +SW: Linux version 4.2.3-300.fc23.x86_64 + +In this situation there will be error bit for MMF active yet the +CERR equals EHCI_TUNE_CERR + halt. Existing implementation +interprets this as a stall [1] (chapter 8.4.5). + +The possible conditions when the MMF will be active + halt +can be found from [2] (Table 4-13). + +Fix for the issue is to check whether MMF is active and PID Code is +IN before checking for the stall. If these conditions are true then +it is not a stall. + +What happens after the fix is that when disconnecting a hub with +attached device(s) the situation is not interpret as a stall. + +[1] [https://www.usb.org/document-library/usb-20-specification, usb_20.pdf] +[2] [https://www.intel.com/content/dam/www/public/us/en/documents/ + technical-specifications/ehci-specification-for-usb.pdf] + +Signed-off-by: Erkka Talvitie +Reviewed-by: Alan Stern +Cc: stable +Link: https://lore.kernel.org/r/ef70941d5f349767f19c0ed26b0dd9eed8ad81bb.1576050523.git.erkka.talvitie@vincit.fi +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/ehci-q.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c +index aa2f77f1506d..8a5c9b3ebe1e 100644 +--- a/drivers/usb/host/ehci-q.c ++++ b/drivers/usb/host/ehci-q.c +@@ -27,6 +27,10 @@ + + /*-------------------------------------------------------------------------*/ + ++/* PID Codes that are used here, from EHCI specification, Table 3-16. */ ++#define PID_CODE_IN 1 ++#define PID_CODE_SETUP 2 ++ + /* fill a qtd, returning how much of the buffer we were able to queue up */ + + static int +@@ -190,7 +194,7 @@ static int qtd_copy_status ( + int status = -EINPROGRESS; + + /* count IN/OUT bytes, not SETUP (even short packets) */ +- if (likely (QTD_PID (token) != 2)) ++ if (likely(QTD_PID(token) != PID_CODE_SETUP)) + urb->actual_length += length - QTD_LENGTH (token); + + /* don't modify error codes */ +@@ -206,6 +210,13 @@ static int qtd_copy_status ( + if (token & QTD_STS_BABBLE) { + /* FIXME "must" disable babbling device's port too */ + status = -EOVERFLOW; ++ /* ++ * When MMF is active and PID Code is IN, queue is halted. ++ * EHCI Specification, Table 4-13. ++ */ ++ } else if ((token & QTD_STS_MMF) && ++ (QTD_PID(token) == PID_CODE_IN)) { ++ status = -EPROTO; + /* CERR nonzero + halt --> stall */ + } else if (QTD_CERR(token)) { + status = -EPIPE; +-- +2.16.4 + diff --git a/patches.suse/0001-USB-core-fix-check-for-duplicate-endpoints.patch b/patches.suse/0001-USB-core-fix-check-for-duplicate-endpoints.patch new file mode 100644 index 0000000..55d17a0 --- /dev/null +++ b/patches.suse/0001-USB-core-fix-check-for-duplicate-endpoints.patch @@ -0,0 +1,132 @@ +From 3e4f8e21c4f27bcf30a48486b9dcc269512b79ff Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Dec 2019 17:10:16 +0100 +Subject: [PATCH] USB: core: fix check for duplicate endpoints +Git-commit: 3e4f8e21c4f27bcf30a48486b9dcc269512b79ff +References: git-fixes +Patch-mainline: v5.5 + +Amend the endpoint-descriptor sanity checks to detect all duplicate +endpoint addresses in a configuration. + +Commit 0a8fd1346254 ("USB: fix problems with duplicate endpoint +addresses") added a check for duplicate endpoint addresses within a +single alternate setting, but did not look for duplicate addresses in +other interfaces. + +The current check would also not detect all duplicate addresses when one +endpoint is as a (bi-directional) control endpoint. + +This specifically avoids overwriting the endpoint entries in struct +usb_device when enabling a duplicate endpoint, something which could +potentially lead to crashes or leaks, for example, when endpoints are +later disabled. + +Cc: stable +Signed-off-by: Johan Hovold +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20191219161016.6695-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/core/config.c | 70 +++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 58 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index 5f40117e68e7..21291950cc97 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -203,9 +203,58 @@ static const unsigned short super_speed_maxpacket_maxes[4] = { + [USB_ENDPOINT_XFER_INT] = 1024, + }; + +-static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, +- int asnum, struct usb_host_interface *ifp, int num_ep, +- unsigned char *buffer, int size) ++static bool endpoint_is_duplicate(struct usb_endpoint_descriptor *e1, ++ struct usb_endpoint_descriptor *e2) ++{ ++ if (e1->bEndpointAddress == e2->bEndpointAddress) ++ return true; ++ ++ if (usb_endpoint_xfer_control(e1) || usb_endpoint_xfer_control(e2)) { ++ if (usb_endpoint_num(e1) == usb_endpoint_num(e2)) ++ return true; ++ } ++ ++ return false; ++} ++ ++/* ++ * Check for duplicate endpoint addresses in other interfaces and in the ++ * altsetting currently being parsed. ++ */ ++static bool config_endpoint_is_duplicate(struct usb_host_config *config, ++ int inum, int asnum, struct usb_endpoint_descriptor *d) ++{ ++ struct usb_endpoint_descriptor *epd; ++ struct usb_interface_cache *intfc; ++ struct usb_host_interface *alt; ++ int i, j, k; ++ ++ for (i = 0; i < config->desc.bNumInterfaces; ++i) { ++ intfc = config->intf_cache[i]; ++ ++ for (j = 0; j < intfc->num_altsetting; ++j) { ++ alt = &intfc->altsetting[j]; ++ ++ if (alt->desc.bInterfaceNumber == inum && ++ alt->desc.bAlternateSetting != asnum) ++ continue; ++ ++ for (k = 0; k < alt->desc.bNumEndpoints; ++k) { ++ epd = &alt->endpoint[k].desc; ++ ++ if (endpoint_is_duplicate(epd, d)) ++ return true; ++ } ++ } ++ } ++ ++ return false; ++} ++ ++static int usb_parse_endpoint(struct device *ddev, int cfgno, ++ struct usb_host_config *config, int inum, int asnum, ++ struct usb_host_interface *ifp, int num_ep, ++ unsigned char *buffer, int size) + { + unsigned char *buffer0 = buffer; + struct usb_endpoint_descriptor *d; +@@ -242,13 +291,10 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, + goto skip_to_next_endpoint_or_interface_descriptor; + + /* Check for duplicate endpoint addresses */ +- for (i = 0; i < ifp->desc.bNumEndpoints; ++i) { +- if (ifp->endpoint[i].desc.bEndpointAddress == +- d->bEndpointAddress) { +- dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n", +- cfgno, inum, asnum, d->bEndpointAddress); +- goto skip_to_next_endpoint_or_interface_descriptor; +- } ++ if (config_endpoint_is_duplicate(config, inum, asnum, d)) { ++ dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n", ++ cfgno, inum, asnum, d->bEndpointAddress); ++ goto skip_to_next_endpoint_or_interface_descriptor; + } + + endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints]; +@@ -522,8 +568,8 @@ static int usb_parse_interface(struct device *ddev, int cfgno, + if (((struct usb_descriptor_header *) buffer)->bDescriptorType + == USB_DT_INTERFACE) + break; +- retval = usb_parse_endpoint(ddev, cfgno, inum, asnum, alt, +- num_ep, buffer, size); ++ retval = usb_parse_endpoint(ddev, cfgno, config, inum, asnum, ++ alt, num_ep, buffer, size); + if (retval < 0) + return retval; + ++n; +-- +2.16.4 + diff --git a/patches.suse/0001-USB-serial-option-add-Telit-ME910G1-0x110a-compositi.patch b/patches.suse/0001-USB-serial-option-add-Telit-ME910G1-0x110a-compositi.patch new file mode 100644 index 0000000..447a32f --- /dev/null +++ b/patches.suse/0001-USB-serial-option-add-Telit-ME910G1-0x110a-compositi.patch @@ -0,0 +1,36 @@ +From 0d3010fa442429f8780976758719af05592ff19f Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Fri, 13 Dec 2019 14:56:15 +0100 +Subject: [PATCH] USB: serial: option: add Telit ME910G1 0x110a composition +Git-commit: 0d3010fa442429f8780976758719af05592ff19f +References: git-fixes +Patch-mainline: v5.5 + +This patch adds the following Telit ME910G1 composition: + +0x110a: tty, tty, tty, rmnet + +Signed-off-by: Daniele Palmas +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index e9491d400a24..fea09a3f491f 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1172,6 +1172,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = NCTRL(0) | RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1102, 0xff), /* Telit ME910 (ECM) */ + .driver_info = NCTRL(0) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x110a, 0xff), /* Telit ME910G1 */ ++ .driver_info = NCTRL(0) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), +-- +2.16.4 + diff --git a/patches.suse/0001-USB-serial-option-add-ZLP-support-for-0x1bc7-0x9010.patch b/patches.suse/0001-USB-serial-option-add-ZLP-support-for-0x1bc7-0x9010.patch new file mode 100644 index 0000000..82d5030 --- /dev/null +++ b/patches.suse/0001-USB-serial-option-add-ZLP-support-for-0x1bc7-0x9010.patch @@ -0,0 +1,92 @@ +From 2438c3a19dec5e98905fd3ffcc2f24716aceda6b Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Thu, 19 Dec 2019 11:07:07 +0100 +Subject: [PATCH] USB: serial: option: add ZLP support for 0x1bc7/0x9010 +Git-commit: 2438c3a19dec5e98905fd3ffcc2f24716aceda6b +References: git-fixes +Patch-mainline: v5.5 + +Telit FN980 flashing device 0x1bc7/0x9010 requires zero packet +to be sent if out data size is is equal to the endpoint max size. + +Signed-off-by: Daniele Palmas +[ johan: switch operands in conditional ] +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/option.c | 8 ++++++++ + drivers/usb/serial/usb-wwan.h | 1 + + drivers/usb/serial/usb_wwan.c | 4 ++++ + 3 files changed, 13 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index fea09a3f491f..2d919d0e6e45 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -567,6 +567,9 @@ static void option_instat_callback(struct urb *urb); + /* Interface must have two endpoints */ + #define NUMEP2 BIT(16) + ++/* Device needs ZLP */ ++#define ZLP BIT(17) ++ + + static const struct usb_device_id option_ids[] = { + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, +@@ -1198,6 +1201,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff), /* Telit LN940 (MBIM) */ + .driver_info = NCTRL(0) }, ++ { USB_DEVICE(TELIT_VENDOR_ID, 0x9010), /* Telit SBL FN980 flashing device */ ++ .driver_info = NCTRL(0) | ZLP }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff), + .driver_info = RSVD(1) }, +@@ -2099,6 +2104,9 @@ static int option_attach(struct usb_serial *serial) + if (!(device_flags & NCTRL(iface_desc->bInterfaceNumber))) + data->use_send_setup = 1; + ++ if (device_flags & ZLP) ++ data->use_zlp = 1; ++ + spin_lock_init(&data->susp_lock); + + usb_set_serial_data(serial, data); +diff --git a/drivers/usb/serial/usb-wwan.h b/drivers/usb/serial/usb-wwan.h +index 1c120eaf4091..934e9361cf6b 100644 +--- a/drivers/usb/serial/usb-wwan.h ++++ b/drivers/usb/serial/usb-wwan.h +@@ -38,6 +38,7 @@ struct usb_wwan_intf_private { + spinlock_t susp_lock; + unsigned int suspended:1; + unsigned int use_send_setup:1; ++ unsigned int use_zlp:1; + int in_flight; + unsigned int open_ports; + void *private; +diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c +index 7e855c87e4f7..13be21aad2f4 100644 +--- a/drivers/usb/serial/usb_wwan.c ++++ b/drivers/usb/serial/usb_wwan.c +@@ -461,6 +461,7 @@ static struct urb *usb_wwan_setup_urb(struct usb_serial_port *port, + void (*callback) (struct urb *)) + { + struct usb_serial *serial = port->serial; ++ struct usb_wwan_intf_private *intfdata = usb_get_serial_data(serial); + struct urb *urb; + + urb = usb_alloc_urb(0, GFP_KERNEL); /* No ISO */ +@@ -471,6 +472,9 @@ static struct urb *usb_wwan_setup_urb(struct usb_serial_port *port, + usb_sndbulkpipe(serial->dev, endpoint) | dir, + buf, len, callback, ctx); + ++ if (intfdata->use_zlp && dir == USB_DIR_OUT) ++ urb->transfer_flags |= URB_ZERO_PACKET; ++ + return urb; + } + +-- +2.16.4 + diff --git a/patches.suse/0001-USB-serial-option-add-support-for-Quectel-RM500Q-in-.patch b/patches.suse/0001-USB-serial-option-add-support-for-Quectel-RM500Q-in-.patch new file mode 100644 index 0000000..7a7ce25 --- /dev/null +++ b/patches.suse/0001-USB-serial-option-add-support-for-Quectel-RM500Q-in-.patch @@ -0,0 +1,49 @@ +From f3eaabbfd093c93d791eb930cc68d9b15246a65e Mon Sep 17 00:00:00 2001 +From: Reinhard Speyerer +Date: Tue, 14 Jan 2020 14:29:23 +0100 +Subject: [PATCH] USB: serial: option: add support for Quectel RM500Q in QDL + mode +Git-commit: f3eaabbfd093c93d791eb930cc68d9b15246a65e +References: git-fixes +Patch-mainline: v5.5 + +Add support for Quectel RM500Q in QDL mode. + +T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 24 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0800 Rev= 0.00 +S: Manufacturer=Qualcomm CDMA Technologies MSM +S: Product=QUSB_BULK_SN:xxxxxxxx +S: SerialNumber=xxxxxxxx +C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr= 2mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=option +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +It is assumed that the ZLP flag required for other Qualcomm-based +5G devices also applies to Quectel RM500Q. + +Signed-off-by: Reinhard Speyerer +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 62bad1b2c18e..084cc2fff3ae 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1107,6 +1107,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x30) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x10), ++ .driver_info = ZLP }, + + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, +-- +2.16.4 + diff --git a/patches.suse/0001-bcache-add-cond_resched-in-__bch_cache_cmp.patch b/patches.suse/0001-bcache-add-cond_resched-in-__bch_cache_cmp.patch new file mode 100644 index 0000000..d2d1079 --- /dev/null +++ b/patches.suse/0001-bcache-add-cond_resched-in-__bch_cache_cmp.patch @@ -0,0 +1,35 @@ +From d55a4ae9e1af5fb1657e38284ef46c56e668efdb Mon Sep 17 00:00:00 2001 +From: Shile Zhang +Date: Tue, 3 Sep 2019 21:25:43 +0800 +Subject: [PATCH] bcache: add cond_resched() in __bch_cache_cmp() +Git-commit: d55a4ae9e1af5fb1657e38284ef46c56e668efdb +Patch-mainline: v5.4-rc1 +References: bsc#1163762 + +Read /sys/fs/bcache//cacheN/priority_stats can take very long +time with huge cache after long run. + +Signed-off-by: Shile Zhang +Tested-by: Heitor Alves de Siqueira +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/sysfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 9f0826712845..6b29e34acf7a 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -960,6 +960,7 @@ KTYPE(bch_cache_set_internal); + + static int __bch_cache_cmp(const void *l, const void *r) + { ++ cond_resched(); + return *((uint16_t *)r) - *((uint16_t *)l); + } + +-- +2.16.4 + diff --git a/patches.suse/0001-btrfs-dev-replace-remove-warning-for-unknown-return-.patch b/patches.suse/0001-btrfs-dev-replace-remove-warning-for-unknown-return-.patch new file mode 100644 index 0000000..dedbe97 --- /dev/null +++ b/patches.suse/0001-btrfs-dev-replace-remove-warning-for-unknown-return-.patch @@ -0,0 +1,65 @@ +From 4cea9037f82a6deed0f2f61e4054b7ae2519ef87 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Sat, 25 Jan 2020 12:35:38 +0100 +Git-commit: 4cea9037f82a6deed0f2f61e4054b7ae2519ef87 +References: dependency for bsc#1162067 +Patch-mainline: v5.5 +Subject: [PATCH] btrfs: dev-replace: remove warning for unknown return codes + when finished + +The fstests btrfs/011 triggered a warning at the end of device replace, + + [ 1891.998975] BTRFS warning (device vdd): failed setting block group ro: -28 + [ 1892.038338] BTRFS error (device vdd): btrfs_scrub_dev(/dev/vdd, 1, /dev/vdb) failed -28 + [ 1892.059993] ------------[ cut here ]------------ + [ 1892.063032] WARNING: CPU: 2 PID: 2244 at fs/btrfs/dev-replace.c:506 btrfs_dev_replace_start.cold+0xf9/0x140 [btrfs] + [ 1892.074346] CPU: 2 PID: 2244 Comm: btrfs Not tainted 5.5.0-rc7-default+ #942 + [ 1892.079956] RIP: 0010:btrfs_dev_replace_start.cold+0xf9/0x140 [btrfs] + + [ 1892.096576] RSP: 0018:ffffbb58c7b3fd10 EFLAGS: 00010286 + [ 1892.098311] RAX: 00000000ffffffe4 RBX: 0000000000000001 RCX: 8888888888888889 + [ 1892.100342] RDX: 0000000000000001 RSI: ffff9e889645f5d8 RDI: ffffffff92821080 + [ 1892.102291] RBP: ffff9e889645c000 R08: 000001b8878fe1f6 R09: 0000000000000000 + [ 1892.104239] R10: ffffbb58c7b3fd08 R11: 0000000000000000 R12: ffff9e88a0017000 + [ 1892.106434] R13: ffff9e889645f608 R14: ffff9e88794e1000 R15: ffff9e88a07b5200 + [ 1892.108642] FS: 00007fcaed3f18c0(0000) GS:ffff9e88bda00000(0000) knlGS:0000000000000000 + [ 1892.111558] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 1892.113492] CR2: 00007f52509ff420 CR3: 00000000603dd002 CR4: 0000000000160ee0 + + [ 1892.115814] Call Trace: + [ 1892.116896] btrfs_dev_replace_by_ioctl+0x35/0x60 [btrfs] + [ 1892.118962] btrfs_ioctl+0x1d62/0x2550 [btrfs] + +caused by the previous patch ("btrfs: scrub: Require mandatory block +group RO for dev-replace"). Hitting ENOSPC is possible and could happen +when the block group is set read-only, preventing NOCOW writes to the +area that's being accessed by dev-replace. + +This has happend with scratch devices of size 12G but not with 5G and +20G, so this is depends on timing and other activity on the filesystem. +The whole replace operation is restartable, the space state should be +examined by the user in any case. + +The error code is propagated back to the ioctl caller so the kernel +warning is causing false alerts. + +Signed-off-by: David Sterba +--- + fs/btrfs/dev-replace.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -407,11 +407,8 @@ int btrfs_dev_replace_start(struct btrfs + &dev_replace->scrub_progress, 0, 1); + + ret = btrfs_dev_replace_finishing(fs_info, ret); +- if (ret == -EINPROGRESS) { ++ if (ret == -EINPROGRESS) + ret = BTRFS_IOCTL_DEV_REPLACE_RESULT_SCRUB_INPROGRESS; +- } else { +- WARN_ON(ret); +- } + + return ret; + diff --git a/patches.suse/0001-btrfs-scrub-Require-mandatory-block-group-RO-for-dev.patch b/patches.suse/0001-btrfs-scrub-Require-mandatory-block-group-RO-for-dev.patch new file mode 100644 index 0000000..009a24d --- /dev/null +++ b/patches.suse/0001-btrfs-scrub-Require-mandatory-block-group-RO-for-dev.patch @@ -0,0 +1,135 @@ +From 1bbb97b8ce7ddf3a56645636c905cef706706dd9 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 24 Jan 2020 07:58:20 +0800 +Git-commit: 1bbb97b8ce7ddf3a56645636c905cef706706dd9 +References: bsc#1162067 +Patch-mainline: v5.5 +Subject: [PATCH] btrfs: scrub: Require mandatory block group RO for + dev-replace + +[BUG] +For dev-replace test cases with fsstress, like btrfs/06[45] btrfs/071, +looped runs can lead to random failure, where scrub finds csum error. + +The possibility is not high, around 1/20 to 1/100, but it's causing data +corruption. + +The bug is observable after commit b12de52896c0 ("btrfs: scrub: Don't +check free space before marking a block group RO") + +[CAUSE] +Dev-replace has two source of writes: + +- Write duplication + All writes to source device will also be duplicated to target device. + + Content: Not yet persisted data/meta + +- Scrub copy + Dev-replace reused scrub code to iterate through existing extents, and + copy the verified data to target device. + + Content: Previously persisted data and metadata + +The difference in contents makes the following race possible: + Regular Writer | Dev-replace +----------------------------------------------------------------- + ^ | + | Preallocate one data extent | + | at bytenr X, len 1M | + v | + ^ Commit transaction | + | Now extent [X, X+1M) is in | + v commit root | + ================== Dev replace starts ========================= + | ^ + | | Scrub extent [X, X+1M) + | | Read [X, X+1M) + | | (The content are mostly garbage + | | since it's preallocated) + ^ | v + | Write back happens for | + | extent [X, X+512K) | + | New data writes to both | + | source and target dev. | + v | + | ^ + | | Scrub writes back extent [X, X+1M) + | | to target device. + | | This will over write the new data in + | | [X, X+512K) + | v + +This race can only happen for nocow writes. Thus metadata and data cow +writes are safe, as COW will never overwrite extents of previous +transaction (in commit root). + +This behavior can be confirmed by disabling all fallocate related calls +in fsstress (*), then all related tests can pass a 2000 run loop. + +*: FSSTRESS_AVOID="-f fallocate=0 -f allocsp=0 -f zero=0 -f insert=0 \ + -f collapse=0 -f punch=0 -f resvsp=0" + I didn't expect resvsp ioctl will fallback to fallocate in VFS... + +[FIX] +Make dev-replace to require mandatory block group RO, and wait for current +nocow writes before calling scrub_chunk(). + +This patch will mostly revert commit 76a8efa171bf ("btrfs: Continue replace +when set_block_ro failed") for dev-replace path. + +The side effect is, dev-replace can be more strict on avaialble space, but +definitely worth to avoid data corruption. + +Reported-by: Filipe Manana +Fixes: 76a8efa171bf ("btrfs: Continue replace when set_block_ro failed") +Fixes: b12de52896c0 ("btrfs: scrub: Don't check free space before marking a block group RO") +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +--- + fs/btrfs/scrub.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -3848,15 +3848,14 @@ int scrub_enumerate_chunks(struct scrub_ + */ + scrub_pause_on(fs_info); + ret = btrfs_inc_block_group_ro(fs_info, cache); +- scrub_pause_off(fs_info); + + if (ret == 0) { + ro_set = 1; +- } else if (ret == -ENOSPC) { ++ } else if (ret == -ENOSPC && !sctx->is_dev_replace) { + /* + * btrfs_inc_block_group_ro return -ENOSPC when it + * failed in creating new chunk for metadata. +- * It is not a problem for scrub/replace, because ++ * It is not a problem for scrub, because + * metadata are always cowed, and our scrub paused + * commit_transactions. + */ +@@ -3866,9 +3865,21 @@ int scrub_enumerate_chunks(struct scrub_ + "failed setting block group ro, ret=%d\n", + ret); + btrfs_put_block_group(cache); ++ scrub_pause_off(fs_info); + break; + } + ++ /* ++ * Now the target block is marked RO, wait for nocow writes to ++ * finish before dev-replace. ++ * COW is fine, as COW never overwrites extents in commit tree. ++ */ ++ if (sctx->is_dev_replace) { ++ btrfs_wait_nocow_writers(cache); ++ btrfs_wait_ordered_roots(fs_info, U64_MAX, cache->key.objectid, ++ cache->key.offset); ++ } ++ scrub_pause_off(fs_info); + btrfs_dev_replace_lock(&fs_info->dev_replace, 1); + dev_replace->cursor_right = found_key.offset + length; + dev_replace->cursor_left = found_key.offset; diff --git a/patches.suse/0001-enic-prevent-waking-up-stopped-tx-queues-over-watchd.patch b/patches.suse/0001-enic-prevent-waking-up-stopped-tx-queues-over-watchd.patch new file mode 100644 index 0000000..1c1dabc --- /dev/null +++ b/patches.suse/0001-enic-prevent-waking-up-stopped-tx-queues-over-watchd.patch @@ -0,0 +1,62 @@ +From 37aea32cd700416cf3d1b833e520f13942b372f0 Mon Sep 17 00:00:00 2001 +From: Firo Yang +Date: Wed, 12 Feb 2020 06:09:17 +0100 +Subject: [PATCH 1/1] enic: prevent waking up stopped tx queues over watchdog + reset + +Git-commit: 0f90522591fd09dd201065c53ebefdfe3c6b55cb +Patch-mainline: v5.6-rc2 +References: bsc#1133147 + +Recent months, our customer reported several kernel crashes all +preceding with following message: +NETDEV WATCHDOG: eth2 (enic): transmit queue 0 timed out +Error message of one of those crashes: +BUG: unable to handle kernel paging request at ffffffffa007e090 + +After analyzing severl vmcores, I found that most of crashes are +caused by memory corruption. And all the corrupted memory areas +are overwritten by data of network packets. Moreover, I also found +that the tx queues were enabled over watchdog reset. + +After going through the source code, I found that in enic_stop(), +the tx queues stopped by netif_tx_disable() could be woken up over +a small time window between netif_tx_disable() and the +napi_disable() by the following code path: +napi_poll-> + enic_poll_msix_wq-> + vnic_cq_service-> + enic_wq_service-> + netif_wake_subqueue(enic->netdev, q_number)-> + test_and_clear_bit(__QUEUE_STATE_DRV_XOFF, &txq->state) +In turn, upper netowrk stack could queue skb to ENIC NIC though +enic_hard_start_xmit(). And this might introduce some race condition. + +Our customer comfirmed that this kind of kernel crash doesn't occur over +90 days since they applied this patch. + +Signed-off-by: Firo Yang +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 4da796298602..cc6ab1474552 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1972,10 +1972,10 @@ static int enic_stop(struct net_device *netdev) + napi_disable(&enic->napi[i]); + + netif_carrier_off(netdev); +- netif_tx_disable(netdev); + if (vnic_dev_get_intr_mode(enic->vdev) == VNIC_DEV_INTR_MODE_MSIX) + for (i = 0; i < enic->wq_count; i++) + napi_disable(&enic->napi[enic_cq_wq(enic, i)]); ++ netif_tx_disable(netdev); + + if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic)) + enic_dev_del_station_addr(enic); +-- +2.16.4 + diff --git a/patches.suse/0001-ext4-fix-mount-failure-with-quota-configured-as-modu.patch b/patches.suse/0001-ext4-fix-mount-failure-with-quota-configured-as-modu.patch new file mode 100644 index 0000000..5bc12bd --- /dev/null +++ b/patches.suse/0001-ext4-fix-mount-failure-with-quota-configured-as-modu.patch @@ -0,0 +1,39 @@ +From 9db176bceb5c5df4990486709da386edadc6bd1d Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 21 Feb 2020 11:08:35 +0100 +Subject: [PATCH] ext4: fix mount failure with quota configured as module +Git-commit: 9db176bceb5c5df4990486709da386edadc6bd1d +Patch-mainline: v5.6-rc3 +References: bsc#1164471 + +When CONFIG_QFMT_V2 is configured as a module, the test in +ext4_feature_set_ok() fails and so mount of filesystems with quota or +project features fails. Fix the test to use IS_ENABLED macro which +works properly even for modules. + +Link: https://lore.kernel.org/r/20200221100835.9332-1-jack@suse.cz +Fixes: d65d87a07476 ("ext4: improve explanation of a mount failure caused by a misconfigured kernel") +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Acked-by: Denis Kirjanov +--- + fs/ext4/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 6928fc229799..ff1b764b0c0e 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3034,7 +3034,7 @@ static int ext4_feature_set_ok(struct super_block *sb, int readonly) + return 0; + } + +-#if !defined(CONFIG_QUOTA) || !defined(CONFIG_QFMT_V2) ++#if !IS_ENABLED(CONFIG_QUOTA) || !IS_ENABLED(CONFIG_QFMT_V2) + if (!readonly && (ext4_has_feature_quota(sb) || + ext4_has_feature_project(sb))) { + ext4_msg(sb, KERN_ERR, +-- +2.16.4 + diff --git a/patches.suse/0001-lcoking-rwsem-Add-missing-ACQUIRE-to-read_slowpath-s.patch b/patches.suse/0001-lcoking-rwsem-Add-missing-ACQUIRE-to-read_slowpath-s.patch new file mode 100644 index 0000000..6d6e2af --- /dev/null +++ b/patches.suse/0001-lcoking-rwsem-Add-missing-ACQUIRE-to-read_slowpath-s.patch @@ -0,0 +1,70 @@ +From 99143f82a255e7f054bead8443462fae76dd829e Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 18 Jul 2019 14:56:17 +0200 +Subject: [PATCH] lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep + loop +Git-commit: 99143f82a255e7f054bead8443462fae76dd829e +Patch-mainline: v5.3-rc1 +References: bsc#1050549 + +While reviewing another read_slowpath patch, both Will and I noticed +another missing ACQUIRE, namely: + + X = 0; + + CPU0 CPU1 + + rwsem_down_read() + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + + X = 1; + rwsem_up_write(); + rwsem_mark_wake() + atomic_long_add(adjustment, &sem->count); + smp_store_release(&waiter->task, NULL); + + if (!waiter.task) + break; + + ... + } + + r = X; + +Allows 'r == 0'. + +Reported-by: Peter Zijlstra (Intel) +Reported-by: Will Deacon +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Will Deacon +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Ingo Molnar +Signed-off-by: Davidlohr Bueso + +--- + kernel/locking/rwsem-xadd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c +index 7d29e15d8f44..cca18df9925d 100644 +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -277,8 +277,10 @@ __rwsem_down_read_failed_common(struct rw_semaphore *sem, int state) + /* wait to be given the lock */ + while (true) { + set_current_state(state); +- if (!waiter.task) ++ if (!smp_load_acquire(&waiter.task)) { ++ /* Orders against rwsem_mark_wake()'s smp_store_release() */ + break; ++ } + if (signal_pending_state(state, current)) { + raw_spin_lock_irq(&sem->wait_lock); + if (waiter.task) +-- +2.16.4 + diff --git a/patches.suse/0001-locking-rwsem-Prevent-decrement-of-reader-count-befo.patch b/patches.suse/0001-locking-rwsem-Prevent-decrement-of-reader-count-befo.patch new file mode 100644 index 0000000..2869544 --- /dev/null +++ b/patches.suse/0001-locking-rwsem-Prevent-decrement-of-reader-count-befo.patch @@ -0,0 +1,131 @@ +From a9e9bcb45b1525ba7aea26ed9441e8632aeeda58 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Sun, 28 Apr 2019 17:25:38 -0400 +Subject: [PATCH] locking/rwsem: Prevent decrement of reader count before increment +Git-commit: a9e9bcb45b1525ba7aea26ed9441e8632aeeda58 +Patch-mainline: v5.2-rc1 +References: bsc#1050549 + +During my rwsem testing, it was found that after a down_read(), the +reader count may occasionally become 0 or even negative. Consequently, +a writer may steal the lock at that time and execute with the reader +in parallel thus breaking the mutual exclusion guarantee of the write +lock. In other words, both readers and writer can become rwsem owners +simultaneously. + +The current reader wakeup code does it in one pass to clear waiter->task +and put them into wake_q before fully incrementing the reader count. +Once waiter->task is cleared, the corresponding reader may see it, +finish the critical section and do unlock to decrement the count before +the count is incremented. This is not a problem if there is only one +reader to wake up as the count has been pre-incremented by 1. It is +a problem if there are more than one readers to be woken up and writer +can steal the lock. + +The wakeup was actually done in 2 passes before the following v4.9 commit: + + 70800c3c0cc5 ("locking/rwsem: Scan the wait_list for readers only once") + +To fix this problem, the wakeup is now done in two passes +again. In the first pass, we collect the readers and count them. +The reader count is then fully incremented. In the second pass, the +waiter->task is then cleared and they are put into wake_q to be woken +up later. + +Signed-off-by: Waiman Long +Acked-by: Linus Torvalds +Cc: Borislav Petkov +Cc: Davidlohr Bueso +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Tim Chen +Cc: Will Deacon +Cc: huang ying +Fixes: 70800c3c0cc5 ("locking/rwsem: Scan the wait_list for readers only once") +Link: http://lkml.kernel.org/r/20190428212557.13482-2-longman@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Davidlohr Bueso + +--- + kernel/locking/rwsem-xadd.c | 44 ++++++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 14 deletions(-) + +diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c +index 34c70a985ca9..7d29e15d8f44 100644 +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -129,6 +129,7 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, + { + struct rwsem_waiter *waiter, *tmp; + long oldcount, woken = 0, adjustment = 0; ++ struct list_head wlist; + + /* + * Take a peek at the queue head waiter such that we can determine +@@ -187,18 +188,42 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, + * of the queue. We know that woken will be at least 1 as we accounted + * for above. Note we increment the 'active part' of the count by the + * number of readers before waking any processes up. ++ * ++ * We have to do wakeup in 2 passes to prevent the possibility that ++ * the reader count may be decremented before it is incremented. It ++ * is because the to-be-woken waiter may not have slept yet. So it ++ * may see waiter->task got cleared, finish its critical section and ++ * do an unlock before the reader count increment. ++ * ++ * 1) Collect the read-waiters in a separate list, count them and ++ * fully increment the reader count in rwsem. ++ * 2) For each waiters in the new list, clear waiter->task and ++ * put them into wake_q to be woken up later. + */ +- list_for_each_entry_safe(waiter, tmp, &sem->wait_list, list) { +- struct task_struct *tsk; +- ++ list_for_each_entry(waiter, &sem->wait_list, list) { + if (waiter->type == RWSEM_WAITING_FOR_WRITE) + break; + + woken++; +- tsk = waiter->task; ++ } ++ list_cut_before(&wlist, &sem->wait_list, &waiter->list); ++ ++ adjustment = woken * RWSEM_ACTIVE_READ_BIAS - adjustment; ++ if (list_empty(&sem->wait_list)) { ++ /* hit end of list above */ ++ adjustment -= RWSEM_WAITING_BIAS; ++ } ++ ++ if (adjustment) ++ atomic_long_add(adjustment, &sem->count); ++ ++ /* 2nd pass */ ++ list_for_each_entry_safe(waiter, tmp, &wlist, list) { ++ struct task_struct *tsk; + ++ tsk = waiter->task; + get_task_struct(tsk); +- list_del(&waiter->list); ++ + /* + * Ensure calling get_task_struct() before setting the reader + * waiter to nil such that rwsem_down_read_failed() cannot +@@ -212,15 +237,6 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, + */ + wake_q_add_safe(wake_q, tsk); + } +- +- adjustment = woken * RWSEM_ACTIVE_READ_BIAS - adjustment; +- if (list_empty(&sem->wait_list)) { +- /* hit end of list above */ +- adjustment -= RWSEM_WAITING_BIAS; +- } +- +- if (adjustment) +- atomic_long_add(adjustment, &sem->count); + } + + /* +-- +2.16.4 + diff --git a/patches.suse/0001-media-cec-CEC-2.0-only-bcast-messages-were-ignored.patch b/patches.suse/0001-media-cec-CEC-2.0-only-bcast-messages-were-ignored.patch new file mode 100644 index 0000000..1f46926 --- /dev/null +++ b/patches.suse/0001-media-cec-CEC-2.0-only-bcast-messages-were-ignored.patch @@ -0,0 +1,44 @@ +From cec935ce69fc386f13959578deb40963ebbb85c3 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 4 Dec 2019 08:52:08 +0100 +Subject: [PATCH] media: cec: CEC 2.0-only bcast messages were ignored +Git-commit: cec935ce69fc386f13959578deb40963ebbb85c3 +References: git-fixes +Patch-mainline: v5.5 + +Some messages are allowed to be a broadcast message in CEC 2.0 +only, and should be ignored by CEC 1.4 devices. + +Unfortunately, the check was wrong, causing such messages to be +marked as invalid under CEC 2.0. + +Signed-off-by: Hans Verkuil +Cc: # for v4.10 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/cec/cec-adap.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c +index 9340435a94a0..e90c30dac68b 100644 +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -1085,11 +1085,11 @@ void cec_received_msg_ts(struct cec_adapter *adap, + valid_la = false; + else if (!cec_msg_is_broadcast(msg) && !(dir_fl & DIRECTED)) + valid_la = false; +- else if (cec_msg_is_broadcast(msg) && !(dir_fl & BCAST1_4)) ++ else if (cec_msg_is_broadcast(msg) && !(dir_fl & BCAST)) + valid_la = false; + else if (cec_msg_is_broadcast(msg) && +- adap->log_addrs.cec_version >= CEC_OP_CEC_VERSION_2_0 && +- !(dir_fl & BCAST2_0)) ++ adap->log_addrs.cec_version < CEC_OP_CEC_VERSION_2_0 && ++ !(dir_fl & BCAST1_4)) + valid_la = false; + } + if (valid_la && min_len) { +-- +2.16.4 + diff --git a/patches.suse/0001-media-exynos4-is-fix-wrong-mdev-and-v4l2-dev-order-i.patch b/patches.suse/0001-media-exynos4-is-fix-wrong-mdev-and-v4l2-dev-order-i.patch new file mode 100644 index 0000000..7d2dde0 --- /dev/null +++ b/patches.suse/0001-media-exynos4-is-fix-wrong-mdev-and-v4l2-dev-order-i.patch @@ -0,0 +1,74 @@ +From 4d741cbd58bf889c8a68cf6e592a7892b5c2802e Mon Sep 17 00:00:00 2001 +From: Seung-Woo Kim +Date: Mon, 4 Nov 2019 10:46:32 +0100 +Subject: [PATCH] media: exynos4-is: fix wrong mdev and v4l2 dev order in error + path +Git-commit: 4d741cbd58bf889c8a68cf6e592a7892b5c2802e +References: git-fixes +Patch-mainline: v5.5 + +When driver is built as module and probe during insmod is deferred +because of sensor subdevs, there is NULL pointer deference because +mdev is cleaned up and then access it from v4l2_device_unregister(). +Fix the wrong mdev and v4l2 dev order in error path of probe. + +This fixes below null pointer deference: + Unable to handle kernel NULL pointer dereference at virtual address 00000000 + pgd = ca026f68 + [00000000] *pgd=00000000 + Internal error: Oops: 5 [#1] PREEMPT SMP ARM + [...] + Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) + PC is at ida_free+0x7c/0x160 + LR is at xas_start+0x44/0x204 + [...] + [] (ida_free) from [] (__media_device_unregister_entity+0x18/0xc0) + [] (__media_device_unregister_entity) from [] (media_device_unregister_entity+0x2c/0x38) + [] (media_device_unregister_entity) from [] (v4l2_device_release+0xd0/0x104) + [] (v4l2_device_release) from [] (device_release+0x28/0x98) + [] (device_release) from [] (kobject_put+0xa4/0x208) + [] (kct_put) from [] (fimc_capture_subdev_unregistered+0x58/0x6c [s5p_fimc]) + [] (fimc_capture_subdev_unregistered [s5p_fimc]) from [] (v4l2_device_unregister_subdev+0x6c/0xa8) + [] (v4l2_device_unregister_subdev) from [] (v4l2_device_unregister+0x64/0x94) + [] (v4l2_device_unregister) from [] (fimc_md_probe+0x4ec/0xaf8 [s5p_fimc]) + [...] + +Signed-off-by: Seung-Woo Kim +Reviewed-by: Sylwester Nawrocki +Fixes: 9832e155f1ed ("[media] media-device: split media initialization and registration") +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/platform/exynos4-is/media-dev.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1439,12 +1439,12 @@ static int fimc_md_probe(struct platform + ret = v4l2_device_register(dev, &fmd->v4l2_dev); + if (ret < 0) { + v4l2_err(v4l2_dev, "Failed to register v4l2_device: %d\n", ret); +- return ret; ++ goto err_md; + } + + ret = fimc_md_get_clocks(fmd); + if (ret) +- goto err_md; ++ goto err_v4l2dev; + + ret = fimc_md_get_pinctrl(fmd); + if (ret < 0) { +@@ -1500,9 +1500,10 @@ err_clk: + fimc_md_put_clocks(fmd); + err_m_ent: + fimc_md_unregister_entities(fmd); ++err_v4l2dev: ++ v4l2_device_unregister(&fmd->v4l2_dev); + err_md: + media_device_cleanup(&fmd->media_dev); +- v4l2_device_unregister(&fmd->v4l2_dev); + return ret; + } + diff --git a/patches.suse/0001-media-ov6650-Fix-crop-rectangle-alignment-not-passed.patch b/patches.suse/0001-media-ov6650-Fix-crop-rectangle-alignment-not-passed.patch new file mode 100644 index 0000000..1a62cd6 --- /dev/null +++ b/patches.suse/0001-media-ov6650-Fix-crop-rectangle-alignment-not-passed.patch @@ -0,0 +1,88 @@ +From 7b188d6ba27a131e7934a51a14ece331c0491f18 Mon Sep 17 00:00:00 2001 +From: Janusz Krzysztofik +Date: Tue, 3 Sep 2019 17:11:38 -0300 +Subject: [PATCH] media: ov6650: Fix crop rectangle alignment not passed back +Git-commit: 7b188d6ba27a131e7934a51a14ece331c0491f18 +References: git-fixes +Patch-mainline: v5.5 + +Commit 4f996594ceaf ("[media] v4l2: make vidioc_s_crop const") +introduced a writable copy of constified user requested crop rectangle +in order to be able to perform hardware alignments on it. Later +on, commit 10d5509c8d50 ("[media] v4l2: remove g/s_crop from video +ops") replaced s_crop() video operation using that const argument with +set_selection() pad operation which had a corresponding argument not +constified, however the original behavior of the driver was not +restored. Since that time, any hardware alignment applied on a user +requested crop rectangle is not passed back to the user calling +.set_selection() as it should be. + +Fix the issue by dropping the copy and replacing all references to it +with references to the crop rectangle embedded in the user argument. + +Fixes: 10d5509c8d50 ("[media] v4l2: remove g/s_crop from video ops") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/i2c/soc_camera/ov6650.c | 32 +++++++++++++++----------------- + 1 file changed, 15 insertions(+), 17 deletions(-) + +--- a/drivers/media/i2c/soc_camera/ov6650.c ++++ b/drivers/media/i2c/soc_camera/ov6650.c +@@ -464,39 +464,37 @@ static int ov6650_set_selection(struct v + { + struct i2c_client *client = v4l2_get_subdevdata(sd); + struct ov6650 *priv = to_ov6650(client); +- struct v4l2_rect rect = sel->r; + int ret; + + if (sel->which != V4L2_SUBDEV_FORMAT_ACTIVE || + sel->target != V4L2_SEL_TGT_CROP) + return -EINVAL; + +- rect.left = ALIGN(rect.left, 2); +- rect.width = ALIGN(rect.width, 2); +- rect.top = ALIGN(rect.top, 2); +- rect.height = ALIGN(rect.height, 2); +- soc_camera_limit_side(&rect.left, &rect.width, +- DEF_HSTRT << 1, 2, W_CIF); +- soc_camera_limit_side(&rect.top, &rect.height, +- DEF_VSTRT << 1, 2, H_CIF); ++ v4l_bound_align_image(&sel->r.width, 2, W_CIF, 1, ++ &sel->r.height, 2, H_CIF, 1, 0); ++ v4l_bound_align_image(&sel->r.left, DEF_HSTRT << 1, ++ (DEF_HSTRT << 1) + W_CIF - (__s32)sel->r.width, 1, ++ &sel->r.top, DEF_VSTRT << 1, ++ (DEF_VSTRT << 1) + H_CIF - (__s32)sel->r.height, ++ 1, 0); + +- ret = ov6650_reg_write(client, REG_HSTRT, rect.left >> 1); ++ ret = ov6650_reg_write(client, REG_HSTRT, sel->r.left >> 1); + if (!ret) { +- priv->rect.left = rect.left; ++ priv->rect.left = sel->r.left; + ret = ov6650_reg_write(client, REG_HSTOP, +- (rect.left + rect.width) >> 1); ++ (sel->r.left + sel->r.width) >> 1); + } + if (!ret) { +- priv->rect.width = rect.width; +- ret = ov6650_reg_write(client, REG_VSTRT, rect.top >> 1); ++ priv->rect.width = sel->r.width; ++ ret = ov6650_reg_write(client, REG_VSTRT, sel->r.top >> 1); + } + if (!ret) { +- priv->rect.top = rect.top; ++ priv->rect.top = sel->r.top; + ret = ov6650_reg_write(client, REG_VSTOP, +- (rect.top + rect.height) >> 1); ++ (sel->r.top + sel->r.height) >> 1); + } + if (!ret) +- priv->rect.height = rect.height; ++ priv->rect.height = sel->r.height; + + return ret; + } diff --git a/patches.suse/0001-media-ov6650-Fix-incorrect-use-of-JPEG-colorspace.patch b/patches.suse/0001-media-ov6650-Fix-incorrect-use-of-JPEG-colorspace.patch new file mode 100644 index 0000000..597fa6c --- /dev/null +++ b/patches.suse/0001-media-ov6650-Fix-incorrect-use-of-JPEG-colorspace.patch @@ -0,0 +1,86 @@ +From 12500731895ef09afc5b66b86b76c0884fb9c7bf Mon Sep 17 00:00:00 2001 +From: Janusz Krzysztofik +Date: Tue, 3 Sep 2019 17:11:39 -0300 +Subject: [PATCH] media: ov6650: Fix incorrect use of JPEG colorspace +Git-commit: 12500731895ef09afc5b66b86b76c0884fb9c7bf +References: git-fixes +Patch-mainline: v5.5 + +Since its initial submission, the driver selects V4L2_COLORSPACE_JPEG +for supported formats other than V4L2_MBUS_FMT_SBGGR8_1X8. According +to v4l2-compliance test program, V4L2_COLORSPACE_JPEG applies +exclusively to V4L2_PIX_FMT_JPEG. Since the sensor does not support +JPEG format, fix it to always select V4L2_COLORSPACE_SRGB. + +Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/i2c/soc_camera/ov6650.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +--- a/drivers/media/i2c/soc_camera/ov6650.c ++++ b/drivers/media/i2c/soc_camera/ov6650.c +@@ -203,7 +203,6 @@ struct ov6650 { + unsigned long pclk_max; /* from resolution and format */ + struct v4l2_fract tpf; /* as requested with s_parm */ + u32 code; +- enum v4l2_colorspace colorspace; + }; + + +@@ -513,7 +512,7 @@ static int ov6650_get_fmt(struct v4l2_su + mf->width = priv->rect.width >> priv->half_scale; + mf->height = priv->rect.height >> priv->half_scale; + mf->code = priv->code; +- mf->colorspace = priv->colorspace; ++ mf->colorspace = V4L2_COLORSPACE_SRGB; + mf->field = V4L2_FIELD_NONE; + + return 0; +@@ -623,11 +622,6 @@ static int ov6650_s_fmt(struct v4l2_subd + priv->pclk_max = 8000000; + } + +- if (code == MEDIA_BUS_FMT_SBGGR8_1X8) +- priv->colorspace = V4L2_COLORSPACE_SRGB; +- else if (code != 0) +- priv->colorspace = V4L2_COLORSPACE_JPEG; +- + if (half_scale) { + dev_dbg(&client->dev, "max resolution: QCIF\n"); + coma_set |= COMA_QCIF; +@@ -680,7 +674,6 @@ static int ov6650_s_fmt(struct v4l2_subd + ret = ov6650_reg_rmw(client, REG_COML, coml_set, coml_mask); + + if (!ret) { +- mf->colorspace = priv->colorspace; + mf->width = priv->rect.width >> half_scale; + mf->height = priv->rect.height >> half_scale; + } +@@ -703,6 +696,7 @@ static int ov6650_set_fmt(struct v4l2_su + &mf->height, 2, H_CIF, 1, 0); + + mf->field = V4L2_FIELD_NONE; ++ mf->colorspace = V4L2_COLORSPACE_SRGB; + + switch (mf->code) { + case MEDIA_BUS_FMT_Y10_1X10: +@@ -712,7 +706,6 @@ static int ov6650_set_fmt(struct v4l2_su + case MEDIA_BUS_FMT_YUYV8_2X8: + case MEDIA_BUS_FMT_VYUY8_2X8: + case MEDIA_BUS_FMT_UYVY8_2X8: +- mf->colorspace = V4L2_COLORSPACE_JPEG; + break; + default: + mf->code = MEDIA_BUS_FMT_SBGGR8_1X8; +@@ -1045,7 +1038,6 @@ static int ov6650_probe(struct i2c_clien + priv->rect.height = H_CIF; + priv->half_scale = false; + priv->code = MEDIA_BUS_FMT_YUYV8_2X8; +- priv->colorspace = V4L2_COLORSPACE_JPEG; + + ret = ov6650_video_probe(client); + if (!ret) diff --git a/patches.suse/0001-media-pulse8-cec-fix-lost-cec_transmit_attempt_done-.patch b/patches.suse/0001-media-pulse8-cec-fix-lost-cec_transmit_attempt_done-.patch new file mode 100644 index 0000000..6990a83 --- /dev/null +++ b/patches.suse/0001-media-pulse8-cec-fix-lost-cec_transmit_attempt_done-.patch @@ -0,0 +1,84 @@ +From e5a52a1d15c79bb48a430fb263852263ec1d3f11 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Sat, 7 Dec 2019 23:43:23 +0100 +Subject: [PATCH] media: pulse8-cec: fix lost cec_transmit_attempt_done() call +Git-commit: e5a52a1d15c79bb48a430fb263852263ec1d3f11 +REferences: git-fixes +Patch-mainline: v5.5 + +The periodic PING command could interfere with the result of +a CEC transmit, causing a lost cec_transmit_attempt_done() +call. + +Signed-off-by: Hans Verkuil +Cc: # for v4.10 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Oliver Neukum +--- + drivers/media/usb/pulse8-cec/pulse8-cec.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/pulse8-cec/pulse8-cec.c b/drivers/media/usb/pulse8-cec/pulse8-cec.c +index ac88ade94cda..59609556d969 100644 +--- a/drivers/media/usb/pulse8-cec/pulse8-cec.c ++++ b/drivers/media/usb/pulse8-cec/pulse8-cec.c +@@ -116,6 +116,7 @@ struct pulse8 { + unsigned int vers; + struct completion cmd_done; + struct work_struct work; ++ u8 work_result; + struct delayed_work ping_eeprom_work; + struct cec_msg rx_msg; + u8 data[DATA_SIZE]; +@@ -137,8 +138,10 @@ static void pulse8_irq_work_handler(struct work_struct *work) + { + struct pulse8 *pulse8 = + container_of(work, struct pulse8, work); ++ u8 result = pulse8->work_result; + +- switch (pulse8->data[0] & 0x3f) { ++ pulse8->work_result = 0; ++ switch (result & 0x3f) { + case MSGCODE_FRAME_DATA: + cec_received_msg(pulse8->adap, &pulse8->rx_msg); + break; +@@ -172,12 +175,12 @@ static irqreturn_t pulse8_interrupt(struct serio *serio, unsigned char data, + pulse8->escape = false; + } else if (data == MSGEND) { + struct cec_msg *msg = &pulse8->rx_msg; ++ u8 msgcode = pulse8->buf[0]; + + if (debug) + dev_info(pulse8->dev, "received: %*ph\n", + pulse8->idx, pulse8->buf); +- pulse8->data[0] = pulse8->buf[0]; +- switch (pulse8->buf[0] & 0x3f) { ++ switch (msgcode & 0x3f) { + case MSGCODE_FRAME_START: + msg->len = 1; + msg->msg[0] = pulse8->buf[1]; +@@ -186,14 +189,20 @@ static irqreturn_t pulse8_interrupt(struct serio *serio, unsigned char data, + if (msg->len == CEC_MAX_MSG_SIZE) + break; + msg->msg[msg->len++] = pulse8->buf[1]; +- if (pulse8->buf[0] & MSGCODE_FRAME_EOM) ++ if (msgcode & MSGCODE_FRAME_EOM) { ++ WARN_ON(pulse8->work_result); ++ pulse8->work_result = msgcode; + schedule_work(&pulse8->work); ++ break; ++ } + break; + case MSGCODE_TRANSMIT_SUCCEEDED: + case MSGCODE_TRANSMIT_FAILED_LINE: + case MSGCODE_TRANSMIT_FAILED_ACK: + case MSGCODE_TRANSMIT_FAILED_TIMEOUT_DATA: + case MSGCODE_TRANSMIT_FAILED_TIMEOUT_LINE: ++ WARN_ON(pulse8->work_result); ++ pulse8->work_result = msgcode; + schedule_work(&pulse8->work); + break; + case MSGCODE_HIGH_ERROR: +-- +2.16.4 + diff --git a/patches.suse/0001-mm-memory_hotplug-use-put_device-if-device_register-.patch b/patches.suse/0001-mm-memory_hotplug-use-put_device-if-device_register-.patch new file mode 100644 index 0000000..bd6ad3a --- /dev/null +++ b/patches.suse/0001-mm-memory_hotplug-use-put_device-if-device_register-.patch @@ -0,0 +1,47 @@ +From 085aa2de568493d7cde52126512d37260077811a Mon Sep 17 00:00:00 2001 +From: Arvind Yadav +Date: Thu, 26 Apr 2018 21:12:09 +0530 +Subject: [PATCH] mm: memory_hotplug: use put_device() if device_register fail +Git-commit: 085aa2de568493d7cde52126512d37260077811a +Patch-mainline: v4.18-rc1 +References: bsc#1159955 ltc#182993 + +if device_register() returned an error. Always use put_device() +to give up the initialized reference and release allocated memory. + +Signed-off-by: Arvind Yadav +Signed-off-by: Greg Kroah-Hartman +Acked-by: Michal Hocko + +--- + drivers/base/memory.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/memory.c b/drivers/base/memory.c +index bffe8616bd55..f5e560188a18 100644 +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -649,13 +649,19 @@ static const struct attribute_group *memory_memblk_attr_groups[] = { + static + int register_memory(struct memory_block *memory) + { ++ int ret; ++ + memory->dev.bus = &memory_subsys; + memory->dev.id = memory->start_section_nr / sections_per_block; + memory->dev.release = memory_block_release; + memory->dev.groups = memory_memblk_attr_groups; + memory->dev.offline = memory->state == MEM_OFFLINE; + +- return device_register(&memory->dev); ++ ret = device_register(&memory->dev); ++ if (ret) ++ put_device(&memory->dev); ++ ++ return ret; + } + + static int init_memory_block(struct memory_block **memory, +-- +2.16.4 + diff --git a/patches.suse/0001-pxa168fb-Fix-the-function-used-to-release-some-memor.patch b/patches.suse/0001-pxa168fb-Fix-the-function-used-to-release-some-memor.patch new file mode 100644 index 0000000..903679d --- /dev/null +++ b/patches.suse/0001-pxa168fb-Fix-the-function-used-to-release-some-memor.patch @@ -0,0 +1,56 @@ +From 3c911fe799d1c338d94b78e7182ad452c37af897 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 31 Aug 2019 12:00:24 +0200 +Subject: pxa168fb: Fix the function used to release some memory in an error + handling path +Git-commit: 3c911fe799d1c338d94b78e7182ad452c37af897 +Patch-mainline: v5.6-rc1 +References: bsc#1114279 + +In the probe function, some resources are allocated using 'dma_alloc_wc()', +they should be released with 'dma_free_wc()', not 'dma_free_coherent()'. + +We already use 'dma_free_wc()' in the remove function, but not in the +error handling path of the probe function. + +Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already +PAGE_ALIGNed. + +Fixes: 638772c7553f ("fb: add support of LCD display controller on pxa168/910 (base layer)") +Signed-off-by: Christophe JAILLET +Reviewed-by: Lubomir Rintel +CC: YueHaibing +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr +Acked-by: Thomas Zimmermann +--- + drivers/video/fbdev/pxa168fb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c +index c672c3354a2c..362d3dfe8287 100644 +--- a/drivers/video/fbdev/pxa168fb.c ++++ b/drivers/video/fbdev/pxa168fb.c +@@ -766,8 +766,8 @@ static int pxa168fb_probe(struct platform_device *pdev) + failed_free_clk: + clk_disable_unprepare(fbi->clk); + failed_free_fbmem: +- dma_free_coherent(fbi->dev, info->fix.smem_len, +- info->screen_base, fbi->fb_start_dma); ++ dma_free_wc(fbi->dev, info->fix.smem_len, ++ info->screen_base, fbi->fb_start_dma); + failed_free_info: + kfree(info); + +@@ -801,7 +801,7 @@ static int pxa168fb_remove(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + +- dma_free_wc(fbi->dev, PAGE_ALIGN(info->fix.smem_len), ++ dma_free_wc(fbi->dev, info->fix.smem_len, + info->screen_base, info->fix.smem_start); + + clk_disable_unprepare(fbi->clk); +-- +2.25.0 + diff --git a/patches.suse/0001-rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch b/patches.suse/0001-rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch new file mode 100644 index 0000000..ca445c1 --- /dev/null +++ b/patches.suse/0001-rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch @@ -0,0 +1,50 @@ +From f06eb3f9c03eda3bf7e40b49f5a4b032752bb176 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Fri, 29 Sep 2017 14:47:51 -0500 +Subject: [PATCH] rtlwifi: Fix MAX MPDU of VHT capability +Git-commit: f06eb3f9c03eda3bf7e40b49f5a4b032752bb176 +References: FATE#326906, git-fixes +Patch-mainline: v4.15 + +We must choose only one of VHT_CAP among +IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895, +IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 and +IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454. + +Signed-off-by: Ping-Ke Shih +Signed-off-by: Larry Finger +Cc: Yan-Hsuan Chuang +Cc: Birming Chiu +Cc: Shaofu +Cc: Steven Ting +Signed-off-by: Kalle Valo +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/realtek/rtlwifi/base.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c +index ea18aa7afecb..fcf6e31d0fb9 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/base.c ++++ b/drivers/net/wireless/realtek/rtlwifi/base.c +@@ -249,8 +249,6 @@ static void _rtl_init_hw_vht_capab(struct ieee80211_hw *hw, + + vht_cap->vht_supported = true; + vht_cap->cap = +- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895 | +- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 | + IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 | + IEEE80211_VHT_CAP_SHORT_GI_80 | + IEEE80211_VHT_CAP_TXSTBC | +@@ -283,8 +281,6 @@ static void _rtl_init_hw_vht_capab(struct ieee80211_hw *hw, + + vht_cap->vht_supported = true; + vht_cap->cap = +- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895 | +- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 | + IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 | + IEEE80211_VHT_CAP_SHORT_GI_80 | + IEEE80211_VHT_CAP_TXSTBC | +-- +2.16.4 + diff --git a/patches.suse/0001-rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch b/patches.suse/0001-rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch new file mode 100644 index 0000000..1711abf --- /dev/null +++ b/patches.suse/0001-rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch @@ -0,0 +1,53 @@ +From ecf4000e0d925c6ba074d11801df4a4cdd8d5324 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Fri, 29 Sep 2017 14:47:52 -0500 +Subject: [PATCH] rtlwifi: Remove redundant semicolon in wifi.h. +Git-commit: ecf4000e0d925c6ba074d11801df4a4cdd8d5324 +References: FATE#326906, git-fixes +Patch-mainline: v4.15 + +The semicolon can cause compiler error, if it exists in if...else +statement. + +Signed-off-by: Ping-Ke Shih +Signed-off-by: Larry Finger +Cc: Yan-Hsuan Chuang +Cc: Birming Chiu +Cc: Shaofu +Cc: Steven Ting +Signed-off-by: Kalle Valo +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/realtek/rtlwifi/wifi.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h +index 1ab1024330fb..90e875beff66 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h ++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h +@@ -2857,19 +2857,19 @@ value to host byte ordering.*/ + cpu_to_le32( \ + LE_BITS_CLEARED_TO_4BYTE(__pstart, __bitoffset, __bitlen) | \ + ((((u32)__val) & BIT_LEN_MASK_32(__bitlen)) << (__bitoffset)) \ +- ); ++ ) + #define SET_BITS_TO_LE_2BYTE(__pstart, __bitoffset, __bitlen, __val) \ + *((__le16 *)(__pstart)) = \ + cpu_to_le16( \ + LE_BITS_CLEARED_TO_2BYTE(__pstart, __bitoffset, __bitlen) | \ + ((((u16)__val) & BIT_LEN_MASK_16(__bitlen)) << (__bitoffset)) \ +- ); ++ ) + #define SET_BITS_TO_LE_1BYTE(__pstart, __bitoffset, __bitlen, __val) \ + *((u8 *)(__pstart)) = EF1BYTE \ + ( \ + LE_BITS_CLEARED_TO_1BYTE(__pstart, __bitoffset, __bitlen) | \ + ((((u8)__val) & BIT_LEN_MASK_8(__bitlen)) << (__bitoffset)) \ +- ); ++ ) + + #define N_BYTE_ALIGMENT(__value, __aligment) ((__aligment == 1) ? \ + (__value) : (((__value + __aligment - 1) / __aligment) * __aligment)) +-- +2.16.4 + diff --git a/patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch b/patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch index 5d4bd93..aee178c 100644 --- a/patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch +++ b/patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch @@ -2,7 +2,8 @@ From e4ea643b871f05658438d5db6752c839db61ee28 Mon Sep 17 00:00:00 2001 From: Davidlohr Bueso Date: Tue, 26 Feb 2019 08:08:35 -0800 Subject: [PATCH] sched/wake_q: Reduce reference counting for special users -Patch-mainline: Not yet, queued via tip for v5.1. +Git-commit: 07879c6a3740fbbf3c8891a0ab484c20a12794d8 +Patch-mainline: v5.1-rc1 References: bsc#1050549 Some users, specifically futexes and rwsems, required fixes diff --git a/patches.suse/0001-usb-roles-fix-a-potential-use-after-free.patch b/patches.suse/0001-usb-roles-fix-a-potential-use-after-free.patch new file mode 100644 index 0000000..e9c5cb8 --- /dev/null +++ b/patches.suse/0001-usb-roles-fix-a-potential-use-after-free.patch @@ -0,0 +1,41 @@ +From 1848a543191ae32e558bb0a5974ae7c38ebd86fc Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Sun, 24 Nov 2019 22:22:36 +0800 +Subject: [PATCH] usb: roles: fix a potential use after free +Git-commit: 1848a543191ae32e558bb0a5974ae7c38ebd86fc +References: git-fixes +Patch-mainline: v5.5-rc2 + +Free the sw structure only after we are done using it. +This patch just moves the put_device() down a bit to avoid the +use after free. + +Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting") +Signed-off-by: Wen Yang +Reviewed-by: Heikki Krogerus +Reviewed-by: Peter Chen +Cc: stable +Cc: Hans de Goede +Cc: Chunfeng Yun +Cc: Suzuki K Poulose +Cc: linux-usb@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Link: https://lore.kernel.org/r/20191124142236.25671-1-wenyang@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/common/roles.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/common/roles.c ++++ b/drivers/usb/common/roles.c +@@ -130,8 +130,8 @@ EXPORT_SYMBOL_GPL(usb_role_switch_get); + void usb_role_switch_put(struct usb_role_switch *sw) + { + if (!IS_ERR_OR_NULL(sw)) { +- put_device(&sw->dev); + module_put(sw->dev.parent->driver->owner); ++ put_device(&sw->dev); + } + } + EXPORT_SYMBOL_GPL(usb_role_switch_put); diff --git a/patches.suse/0001-usbip-Fix-error-path-of-vhci_recv_ret_submit.patch b/patches.suse/0001-usbip-Fix-error-path-of-vhci_recv_ret_submit.patch new file mode 100644 index 0000000..14e3fb5 --- /dev/null +++ b/patches.suse/0001-usbip-Fix-error-path-of-vhci_recv_ret_submit.patch @@ -0,0 +1,74 @@ +From aabb5b833872524eaf28f52187e5987984982264 Mon Sep 17 00:00:00 2001 +From: Suwan Kim +Date: Fri, 13 Dec 2019 11:30:55 +0900 +Subject: [PATCH] usbip: Fix error path of vhci_recv_ret_submit() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: aabb5b833872524eaf28f52187e5987984982264 +References: git-fixes +Patch-mainline: v5.5 + +If a transaction error happens in vhci_recv_ret_submit(), event +handler closes connection and changes port status to kick hub_event. +Then hub tries to flush the endpoint URBs, but that causes infinite +loop between usb_hub_flush_endpoint() and vhci_urb_dequeue() because +"vhci_priv" in vhci_urb_dequeue() was already released by +vhci_recv_ret_submit() before a transmission error occurred. Thus, +vhci_urb_dequeue() terminates early and usb_hub_flush_endpoint() +continuously calls vhci_urb_dequeue(). + +The root cause of this issue is that vhci_recv_ret_submit() +terminates early without giving back URB when transaction error +occurs in vhci_recv_ret_submit(). That causes the error URB to still +be linked at endpoint list without “vhci_priv". + +So, in the case of transaction error in vhci_recv_ret_submit(), +unlink URB from the endpoint, insert proper error code in +urb->status and give back URB. + +Reported-by: Marek Marczykowski-Górecki +Tested-by: Marek Marczykowski-Górecki +Signed-off-by: Suwan Kim +Cc: stable +Acked-by: Shuah Khan +Link: https://lore.kernel.org/r/20191213023055.19933-3-suwan.kim027@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/usbip/vhci_rx.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c +index 33f8972ba842..00fc98741c5d 100644 +--- a/drivers/usb/usbip/vhci_rx.c ++++ b/drivers/usb/usbip/vhci_rx.c +@@ -77,16 +77,21 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, + usbip_pack_pdu(pdu, urb, USBIP_RET_SUBMIT, 0); + + /* recv transfer buffer */ +- if (usbip_recv_xbuff(ud, urb) < 0) +- return; ++ if (usbip_recv_xbuff(ud, urb) < 0) { ++ urb->status = -EPROTO; ++ goto error; ++ } + + /* recv iso_packet_descriptor */ +- if (usbip_recv_iso(ud, urb) < 0) +- return; ++ if (usbip_recv_iso(ud, urb) < 0) { ++ urb->status = -EPROTO; ++ goto error; ++ } + + /* restore the padding in iso packets */ + usbip_pad_iso(ud, urb); + ++error: + if (usbip_dbg_flag_vhci_rx) + usbip_dump_urb(urb); + +-- +2.16.4 + diff --git a/patches.suse/0001-xen-Enable-interrupts-when-calling-_cond_resched.patch b/patches.suse/0001-xen-Enable-interrupts-when-calling-_cond_resched.patch new file mode 100644 index 0000000..759fc4e --- /dev/null +++ b/patches.suse/0001-xen-Enable-interrupts-when-calling-_cond_resched.patch @@ -0,0 +1,44 @@ +Patch-mainline: v5.6-rc3 +Git-commit: 8645e56a4ad6dcbf504872db7f14a2f67db88ef2 +References: bsc#1065600 +From: Thomas Gleixner +Date: Wed, 19 Feb 2020 18:30:26 +0100 +Subject: [PATCH] xen: Enable interrupts when calling _cond_resched() + +xen_maybe_preempt_hcall() is called from the exception entry point +xen_do_hypervisor_callback with interrupts disabled. + +_cond_resched() evades the might_sleep() check in cond_resched() which +would have caught that and schedule_debug() unfortunately lacks a check +for irqs_disabled(). + +Enable interrupts around the call and use cond_resched() to catch future +issues. + +Fixes: fdfd811ddde3 ("x86/xen: allow privcmd hypercalls to be preempted") +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/878skypjrh.fsf@nanos.tec.linutronix.de +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +--- + drivers/xen/preempt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/xen/preempt.c b/drivers/xen/preempt.c +index 8b9919c26095..456a164364a2 100644 +--- a/drivers/xen/preempt.c ++++ b/drivers/xen/preempt.c +@@ -33,7 +33,9 @@ asmlinkage __visible void xen_maybe_preempt_hcall(void) + * cpu. + */ + __this_cpu_write(xen_in_preemptible_hcall, false); +- _cond_resched(); ++ local_irq_enable(); ++ cond_resched(); ++ local_irq_disable(); + __this_cpu_write(xen_in_preemptible_hcall, true); + } + } +-- +2.16.4 + diff --git a/patches.suse/0001-xen-balloon-Support-xend-based-toolstack-take-two.patch b/patches.suse/0001-xen-balloon-Support-xend-based-toolstack-take-two.patch new file mode 100644 index 0000000..803e8e0 --- /dev/null +++ b/patches.suse/0001-xen-balloon-Support-xend-based-toolstack-take-two.patch @@ -0,0 +1,48 @@ +Patch-mainline: v5.6-rc1 +Git-commit: eda4eabf86fd6806eaabc23fb90dd056fdac037b +References: bsc#1065600 +From: Juergen Gross +Date: Fri, 17 Jan 2020 14:49:31 +0100 +Subject: [PATCH] xen/balloon: Support xend-based toolstack take two + +Commit 3aa6c19d2f38be ("xen/balloon: Support xend-based toolstack") +tried to fix a regression with running on rather ancient Xen versions. +Unfortunately the fix was based on the assumption that xend would +just use another Xenstore node, but in reality only some downstream +versions of xend are doing that. The upstream xend does not write +that Xenstore node at all, so the problem must be fixed in another +way. + +The easiest way to achieve that is to fall back to the behavior +before commit 96edd61dcf4436 ("xen/balloon: don't online new memory +initially") in case the static memory maximum can't be read. + +This is achieved by setting static_max to the current number of +memory pages known by the system resulting in target_diff becoming +zero. + +Fixes: 3aa6c19d2f38be ("xen/balloon: Support xend-based toolstack") +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Cc: # 4.13 +Signed-off-by: Boris Ostrovsky +--- + drivers/xen/xen-balloon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/xen/xen-balloon.c b/drivers/xen/xen-balloon.c +index 6d12fc368210..a8d24433c8e9 100644 +--- a/drivers/xen/xen-balloon.c ++++ b/drivers/xen/xen-balloon.c +@@ -82,7 +82,7 @@ static void watch_target(struct xenbus_watch *watch, + "%llu", &static_max) == 1)) + static_max >>= PAGE_SHIFT - 10; + else +- static_max = new_target; ++ static_max = balloon_stats.current_pages; + + target_diff = xen_pv_domain() ? 0 + : static_max - balloon_stats.target_pages; +-- +2.16.4 + diff --git a/patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch b/patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch new file mode 100644 index 0000000..032f55a --- /dev/null +++ b/patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch @@ -0,0 +1,58 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:41 -0800 +Subject: [PATCH] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks +References: bsc#1164705 + +This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn(). +kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported +symbol, so KVM should treat it conservatively from a security perspective. + +Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/emulate.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index e9833e345a5c..2d4faefe8dd4 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -24,6 +24,7 @@ + #include "kvm_cache_regs.h" + #include + #include ++#include + #include + #include + +@@ -5200,10 +5201,15 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len) + } + break; + case Escape: +- if (ctxt->modrm > 0xbf) +- opcode = opcode.u.esc->high[ctxt->modrm - 0xc0]; +- else ++ if (ctxt->modrm > 0xbf) { ++ size_t size = ARRAY_SIZE(opcode.u.esc->high); ++ u32 index = array_index_nospec( ++ ctxt->modrm - 0xc0, size); ++ ++ opcode = opcode.u.esc->high[index]; ++ } else { + opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7]; ++ } + break; + case InstrDual: + if ((ctxt->modrm >> 6) == 3) +-- +2.16.4 + diff --git a/patches.suse/0002-bcache-Fix-an-error-code-in-bch_dump_read.patch b/patches.suse/0002-bcache-Fix-an-error-code-in-bch_dump_read.patch new file mode 100644 index 0000000..aca64d6 --- /dev/null +++ b/patches.suse/0002-bcache-Fix-an-error-code-in-bch_dump_read.patch @@ -0,0 +1,40 @@ +From d66c9920c0cf984cf99cab5036fd5f3a1b7fba46 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 3 Sep 2019 21:25:44 +0800 +Subject: [PATCH] bcache: Fix an error code in bch_dump_read() +Git-commit: d66c9920c0cf984cf99cab5036fd5f3a1b7fba46 +Patch-mainline: v5.4-rc1 +References: bsc#1163762 + +The copy_to_user() function returns the number of bytes remaining to be +copied, but the intention here was to return -EFAULT if the copy fails. + +Fixes: cafe56359144 ("bcache: A block layer cache") +Signed-off-by: Dan Carpenter +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/debug.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/bcache/debug.c b/drivers/md/bcache/debug.c +index 8b123be05254..336f43910383 100644 +--- a/drivers/md/bcache/debug.c ++++ b/drivers/md/bcache/debug.c +@@ -178,10 +178,9 @@ static ssize_t bch_dump_read(struct file *file, char __user *buf, + while (size) { + struct keybuf_key *w; + unsigned int bytes = min(i->bytes, size); +- int err = copy_to_user(buf, i->buf, bytes); + +- if (err) +- return err; ++ if (copy_to_user(buf, i->buf, bytes)) ++ return -EFAULT; + + ret += bytes; + buf += bytes; +-- +2.16.4 + diff --git a/patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch b/patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch new file mode 100644 index 0000000..6518be2 --- /dev/null +++ b/patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch @@ -0,0 +1,62 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 8618793750071d66028584a83ed0b4fa7eb4f607 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:42 -0800 +Subject: [PATCH] KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from + Spectre-v1/L1TF attacks +References: bsc#1164712 + +This fixes Spectre-v1/L1TF vulnerabilities in kvm_hv_msr_get_crash_data() +and kvm_hv_msr_set_crash_data(). +These functions contain index computations that use the +(attacker-controlled) MSR number. + +Fixes: e7d9513b60e8 ("kvm/x86: added hyper-v crash msrs into kvm hyperv context") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/hyperv.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c +index b255b9e865e5..4df1c965bf1a 100644 +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -753,11 +753,12 @@ static int kvm_hv_msr_get_crash_data(struct kvm_vcpu *vcpu, + u32 index, u64 *pdata) + { + struct kvm_hv *hv = &vcpu->kvm->arch.hyperv; ++ size_t size = ARRAY_SIZE(hv->hv_crash_param); + +- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param))) ++ if (WARN_ON_ONCE(index >= size)) + return -EINVAL; + +- *pdata = hv->hv_crash_param[index]; ++ *pdata = hv->hv_crash_param[array_index_nospec(index, size)]; + return 0; + } + +@@ -796,11 +797,12 @@ static int kvm_hv_msr_set_crash_data(struct kvm_vcpu *vcpu, + u32 index, u64 data) + { + struct kvm_hv *hv = &vcpu->kvm->arch.hyperv; ++ size_t size = ARRAY_SIZE(hv->hv_crash_param); + +- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param))) ++ if (WARN_ON_ONCE(index >= size)) + return -EINVAL; + +- hv->hv_crash_param[index] = data; ++ hv->hv_crash_param[array_index_nospec(index, size)] = data; + return 0; + } + +-- +2.16.4 + diff --git a/patches.suse/0003-closures-fix-a-race-on-wakeup-from-closure_sync.patch b/patches.suse/0003-closures-fix-a-race-on-wakeup-from-closure_sync.patch new file mode 100644 index 0000000..6d7e261 --- /dev/null +++ b/patches.suse/0003-closures-fix-a-race-on-wakeup-from-closure_sync.patch @@ -0,0 +1,49 @@ +From a22a9602b88fabf10847f238ff81fde5f906fef7 Mon Sep 17 00:00:00 2001 +From: Kent Overstreet +Date: Tue, 3 Sep 2019 21:25:45 +0800 +Subject: [PATCH] closures: fix a race on wakeup from closure_sync +Git-commit: a22a9602b88fabf10847f238ff81fde5f906fef7 +Patch-mainline: v5.4-rc1 +References: bsc#1163762 + +The race was when a thread using closure_sync() notices cl->s->done == 1 +before the thread calling closure_put() calls wake_up_process(). Then, +it's possible for that thread to return and exit just before +wake_up_process() is called - so we're trying to wake up a process that +no longer exists. + +rcu_read_lock() is sufficient to protect against this, as there's an rcu +barrier somewhere in the process teardown path. + +Signed-off-by: Kent Overstreet +Acked-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/closure.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/closure.c b/drivers/md/bcache/closure.c +index 73f5319295bc..c12cd809ab19 100644 +--- a/drivers/md/bcache/closure.c ++++ b/drivers/md/bcache/closure.c +@@ -105,8 +105,14 @@ struct closure_syncer { + + static void closure_sync_fn(struct closure *cl) + { +- cl->s->done = 1; +- wake_up_process(cl->s->task); ++ struct closure_syncer *s = cl->s; ++ struct task_struct *p; ++ ++ rcu_read_lock(); ++ p = READ_ONCE(s->task); ++ s->done = 1; ++ wake_up_process(p); ++ rcu_read_unlock(); + } + + void __sched __closure_sync(struct closure *cl) +-- +2.16.4 + diff --git a/patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch b/patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch new file mode 100644 index 0000000..fbfaf8f --- /dev/null +++ b/patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch @@ -0,0 +1,48 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 14e32321f3606e4b0970200b6e5e47ee6f1e6410 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:43 -0800 +Subject: [PATCH] KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF + attacks +References: bsc#1164727 + +This fixes a Spectre-v1/L1TF vulnerability in picdev_write(). +It replaces index computations based on the (attacked-controlled) port +number with constants through a minor refactoring. + +Fixes: 85f455f7ddbe ("KVM: Add support for in-kernel PIC emulation") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/i8259.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/i8259.c b/arch/x86/kvm/i8259.c +index 8b38bb4868a6..629a09ca9860 100644 +--- a/arch/x86/kvm/i8259.c ++++ b/arch/x86/kvm/i8259.c +@@ -460,10 +460,14 @@ static int picdev_write(struct kvm_pic *s, + switch (addr) { + case 0x20: + case 0x21: ++ pic_lock(s); ++ pic_ioport_write(&s->pics[0], addr, data); ++ pic_unlock(s); ++ break; + case 0xa0: + case 0xa1: + pic_lock(s); +- pic_ioport_write(&s->pics[addr >> 7], addr, data); ++ pic_ioport_write(&s->pics[1], addr, data); + pic_unlock(s); + break; + case 0x4d0: +-- +2.16.4 + diff --git a/patches.suse/0004-bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch b/patches.suse/0004-bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch new file mode 100644 index 0000000..d2cff52 --- /dev/null +++ b/patches.suse/0004-bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch @@ -0,0 +1,97 @@ +From 34cf78bf34d48dddddfeeadb44f9841d7864997a Mon Sep 17 00:00:00 2001 +From: Guoju Fang +Date: Wed, 13 Nov 2019 16:03:16 +0800 +Subject: [PATCH] bcache: fix a lost wake-up problem caused by + mca_cannibalize_lock +Git-commit: 34cf78bf34d48dddddfeeadb44f9841d7864997a +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +This patch fix a lost wake-up problem caused by the race between +mca_cannibalize_lock and bch_cannibalize_unlock. + +Consider two processes, A and B. Process A is executing +mca_cannibalize_lock, while process B takes c->btree_cache_alloc_lock +and is executing bch_cannibalize_unlock. The problem happens that after +process A executes cmpxchg and will execute prepare_to_wait. In this +timeslice process B executes wake_up, but after that process A executes +prepare_to_wait and set the state to TASK_INTERRUPTIBLE. Then process A +goes to sleep but no one will wake up it. This problem may cause bcache +device to dead. + +Signed-off-by: Guoju Fang +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/bcache.h | 1 + + drivers/md/bcache/btree.c | 12 ++++++++---- + drivers/md/bcache/super.c | 1 + + 3 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index 013e35a9e317..3653faf3bf48 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -582,6 +582,7 @@ struct cache_set { + */ + wait_queue_head_t btree_cache_wait; + struct task_struct *btree_cache_alloc_lock; ++ spinlock_t btree_cannibalize_lock; + + /* + * When we free a btree node, we increment the gen of the bucket the +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 00523cd1db80..39d7fc1ef1ee 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -910,15 +910,17 @@ static struct btree *mca_find(struct cache_set *c, struct bkey *k) + + static int mca_cannibalize_lock(struct cache_set *c, struct btree_op *op) + { +- struct task_struct *old; +- +- old = cmpxchg(&c->btree_cache_alloc_lock, NULL, current); +- if (old && old != current) { ++ spin_lock(&c->btree_cannibalize_lock); ++ if (likely(c->btree_cache_alloc_lock == NULL)) { ++ c->btree_cache_alloc_lock = current; ++ } else if (c->btree_cache_alloc_lock != current) { + if (op) + prepare_to_wait(&c->btree_cache_wait, &op->wait, + TASK_UNINTERRUPTIBLE); ++ spin_unlock(&c->btree_cannibalize_lock); + return -EINTR; + } ++ spin_unlock(&c->btree_cannibalize_lock); + + return 0; + } +@@ -953,10 +955,12 @@ static struct btree *mca_cannibalize(struct cache_set *c, struct btree_op *op, + */ + static void bch_cannibalize_unlock(struct cache_set *c) + { ++ spin_lock(&c->btree_cannibalize_lock); + if (c->btree_cache_alloc_lock == current) { + c->btree_cache_alloc_lock = NULL; + wake_up(&c->btree_cache_wait); + } ++ spin_unlock(&c->btree_cannibalize_lock); + } + + static struct btree *mca_alloc(struct cache_set *c, struct btree_op *op, +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 20ed838e9413..ebb854ed05a4 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1769,6 +1769,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) + sema_init(&c->sb_write_mutex, 1); + mutex_init(&c->bucket_lock); + init_waitqueue_head(&c->btree_cache_wait); ++ spin_lock_init(&c->btree_cannibalize_lock); + init_waitqueue_head(&c->bucket_wait); + init_waitqueue_head(&c->gc_wait); + sema_init(&c->uuid_write_mutex, 1); +-- +2.16.4 + diff --git a/patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch b/patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch new file mode 100644 index 0000000..67fe331 --- /dev/null +++ b/patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch @@ -0,0 +1,61 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 8c86405f606ca8508b8d9280680166ca26723695 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:44 -0800 +Subject: [PATCH] KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF + attacks +References: bsc#1164728 + +This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect(). +This function contains index computations based on the +(attacker-controlled) IOREGSEL register. + +Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/ioapic.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c +index 7312aab33298..c5776febb517 100644 +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -73,13 +74,14 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, + default: + { + u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; +- u64 redir_content; ++ u64 redir_content = ~0ULL; + +- if (redir_index < IOAPIC_NUM_PINS) +- redir_content = +- ioapic->redirtbl[redir_index].bits; +- else +- redir_content = ~0ULL; ++ if (redir_index < IOAPIC_NUM_PINS) { ++ u32 index = array_index_nospec( ++ redir_index, IOAPIC_NUM_PINS); ++ ++ redir_content = ioapic->redirtbl[index].bits; ++ } + + result = (ioapic->ioregsel & 0x1) ? + (redir_content >> 32) & 0xffffffff : +-- +2.16.4 + diff --git a/patches.suse/0005-bcache-fix-static-checker-warning-in-bcache_device_f.patch b/patches.suse/0005-bcache-fix-static-checker-warning-in-bcache_device_f.patch new file mode 100644 index 0000000..6c37948 --- /dev/null +++ b/patches.suse/0005-bcache-fix-static-checker-warning-in-bcache_device_f.patch @@ -0,0 +1,93 @@ +From 2d8869518a525c9bce5f5268419df9dfbe3dfdeb Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Wed, 13 Nov 2019 16:03:17 +0800 +Subject: [PATCH] bcache: fix static checker warning in bcache_device_free() +Git-commit: 2d8869518a525c9bce5f5268419df9dfbe3dfdeb +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +Commit cafe56359144 ("bcache: A block layer cache") leads to the +following static checker warning: + + ./drivers/md/bcache/super.c:770 bcache_device_free() + warn: variable dereferenced before check 'd->disk' (see line 766) + +drivers/md/bcache/super.c + 762 static void bcache_device_free(struct bcache_device *d) + 763 { + 764 lockdep_assert_held(&bch_register_lock); + 765 + 766 pr_info("%s stopped", d->disk->disk_name); + ^^^^^^^^^ +Unchecked dereference. + + 767 + 768 if (d->c) + 769 bcache_device_detach(d); + 770 if (d->disk && d->disk->flags & GENHD_FL_UP) + ^^^^^^^ +Check too late. + + 771 del_gendisk(d->disk); + 772 if (d->disk && d->disk->queue) + 773 blk_cleanup_queue(d->disk->queue); + 774 if (d->disk) { + 775 ida_simple_remove(&bcache_device_idx, + 776 first_minor_to_idx(d->disk->first_minor)); + 777 put_disk(d->disk); + 778 } + 779 + +It is not 100% sure that the gendisk struct of bcache device will always +be there, the warning makes sense when there is problem in block core. + +This patch tries to remove the static checking warning by checking +d->disk to avoid NULL pointer deferences. + +Reported-by: Dan Carpenter +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/super.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -762,20 +762,28 @@ static inline int idx_to_first_minor(int + + static void bcache_device_free(struct bcache_device *d) + { ++ struct gendisk *disk = d->disk; ++ + lockdep_assert_held(&bch_register_lock); + +- pr_info("%s stopped", d->disk->disk_name); ++ if (disk) ++ pr_info("%s stopped", disk->disk_name); ++ else ++ pr_err("bcache device (NULL gendisk) stopped"); + + if (d->c) + bcache_device_detach(d); +- if (d->disk && d->disk->flags & GENHD_FL_UP) +- del_gendisk(d->disk); +- if (d->disk && d->disk->queue) +- blk_cleanup_queue(d->disk->queue); +- if (d->disk) { ++ ++ if (disk) { ++ if (disk->flags & GENHD_FL_UP) ++ del_gendisk(disk); ++ ++ if (disk->queue) ++ blk_cleanup_queue(disk->queue); ++ + ida_simple_remove(&bcache_device_idx, +- first_minor_to_idx(d->disk->first_minor)); +- put_disk(d->disk); ++ first_minor_to_idx(disk->first_minor)); ++ put_disk(disk); + } + + if (d->bio_split) diff --git a/patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch b/patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch new file mode 100644 index 0000000..bbdb310 --- /dev/null +++ b/patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch @@ -0,0 +1,43 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 670564559ca35b439c8d8861fc399451ddf95137 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:45 -0800 +Subject: [PATCH] KVM: x86: Protect ioapic_write_indirect() from + Spectre-v1/L1TF attacks +References: bsc#1164729 + +This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect(). +This function contains index computations based on the +(attacker-controlled) IOREGSEL register. + +This patch depends on patch +"KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks". + +Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/ioapic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c +index c5776febb517..26aa22cb9b29 100644 +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -299,6 +299,7 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val) + ioapic_debug("change redir index %x val %x\n", index, val); + if (index >= IOAPIC_NUM_PINS) + return; ++ index = array_index_nospec(index, IOAPIC_NUM_PINS); + e = &ioapic->redirtbl[index]; + mask_before = e->fields.mask; + /* Preserve read-only fields */ +-- +2.16.4 + diff --git a/patches.suse/0006-bcache-add-more-accurate-error-messages-in-read_supe.patch b/patches.suse/0006-bcache-add-more-accurate-error-messages-in-read_supe.patch new file mode 100644 index 0000000..20580c9 --- /dev/null +++ b/patches.suse/0006-bcache-add-more-accurate-error-messages-in-read_supe.patch @@ -0,0 +1,43 @@ +From aaf8dbeab5865720c66db60ae8329309e81a0c9c Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Wed, 13 Nov 2019 16:03:18 +0800 +Subject: [PATCH] bcache: add more accurate error messages in read_super() +Git-commit: aaf8dbeab5865720c66db60ae8329309e81a0c9c +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +Previous code only returns "Not a bcache superblock" for both bcache +super block offset and magic error. This patch addss more accurate error +messages, +- for super block unmatched offset: + "Not a bcache superblock (bad offset)" +- for super block unmatched magic number: + "Not a bcache superblock (bad magic)" + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 7beccede5360..623fdaf10c4c 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -92,10 +92,11 @@ static const char *read_super(struct cache_sb *sb, struct block_device *bdev, + pr_debug("read sb version %llu, flags %llu, seq %llu, journal size %u", + sb->version, sb->flags, sb->seq, sb->keys); + +- err = "Not a bcache superblock"; ++ err = "Not a bcache superblock (bad offset)"; + if (sb->offset != SB_SECTOR) + goto err; + ++ err = "Not a bcache superblock (bad magic)"; + if (memcmp(sb->magic, bcache_magic, 16)) + goto err; + +-- +2.16.4 + diff --git a/patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch b/patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch new file mode 100644 index 0000000..d11a2bb --- /dev/null +++ b/patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch @@ -0,0 +1,57 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 4bf79cb089f6b1c6c632492c0271054ce52ad766 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:46 -0800 +Subject: [PATCH] KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF + attacks +References: bsc#1164730 + +This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write(). +This function contains index computations based on the +(attacker-controlled) MSR number. + +Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/lapic.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 88c3c0c6d1e3..865edce27a6a 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1791,15 +1791,20 @@ int kvm_lapic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val) + case APIC_LVTTHMR: + case APIC_LVTPC: + case APIC_LVT1: +- case APIC_LVTERR: ++ case APIC_LVTERR: { + /* TODO: Check vector */ ++ size_t size; ++ u32 index; ++ + if (!kvm_apic_sw_enabled(apic)) + val |= APIC_LVT_MASKED; +- +- val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4]; ++ size = ARRAY_SIZE(apic_lvt_mask); ++ index = array_index_nospec( ++ (reg - APIC_LVTT) >> 4, size); ++ val &= apic_lvt_mask[index]; + kvm_lapic_set_reg(apic, reg, val); +- + break; ++ } + + case APIC_LVTT: + if (!kvm_apic_sw_enabled(apic)) +-- +2.16.4 + diff --git a/patches.suse/0007-bcache-deleted-code-comments-for-dead-code-in-bch_da.patch b/patches.suse/0007-bcache-deleted-code-comments-for-dead-code-in-bch_da.patch new file mode 100644 index 0000000..376ebb8 --- /dev/null +++ b/patches.suse/0007-bcache-deleted-code-comments-for-dead-code-in-bch_da.patch @@ -0,0 +1,46 @@ +From 41fa4deef90ba1cd048b740317f50b9decae9fc8 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Wed, 13 Nov 2019 16:03:19 +0800 +Subject: [PATCH] bcache: deleted code comments for dead code in + bch_data_insert_keys() +Git-commit: 41fa4deef90ba1cd048b740317f50b9decae9fc8 +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +In request.c:bch_data_insert_keys(), there is code comment for a piece +of dead code. This patch deletes the dead code and its code comment +since they are useless in practice. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/request.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c +index 41adcd1546f1..73478a91a342 100644 +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -62,18 +62,6 @@ static void bch_data_insert_keys(struct closure *cl) + struct bkey *replace_key = op->replace ? &op->replace_key : NULL; + int ret; + +- /* +- * If we're looping, might already be waiting on +- * another journal write - can't wait on more than one journal write at +- * a time +- * +- * XXX: this looks wrong +- */ +-#if 0 +- while (atomic_read(&s->cl.remaining) & CLOSURE_WAITING) +- closure_sync(&s->cl); +-#endif +- + if (!op->replace) + journal_ref = bch_journal(op->c, &op->insert_keys, + op->flush_journal ? cl : NULL); +-- +2.16.4 + diff --git a/patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch b/patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch new file mode 100644 index 0000000..129a207 --- /dev/null +++ b/patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch @@ -0,0 +1,50 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 25a5edea71b7c154b6a0b8cec14c711cafa31d26 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:47 -0800 +Subject: [PATCH] KVM: x86: Protect MSR-based index computations in + fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks +References: bsc#1164731 + +This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit(). +This function contains index computations based on the +(attacker-controlled) MSR number. + +Fixes: de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/mtrr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c +index 25ce3edd1872..7f0059aa30e1 100644 +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -202,11 +202,15 @@ static bool fixed_msr_to_seg_unit(u32 msr, int *seg, int *unit) + break; + case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000: + *seg = 1; +- *unit = msr - MSR_MTRRfix16K_80000; ++ *unit = array_index_nospec( ++ msr - MSR_MTRRfix16K_80000, ++ MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1); + break; + case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000: + *seg = 2; +- *unit = msr - MSR_MTRRfix4K_C0000; ++ *unit = array_index_nospec( ++ msr - MSR_MTRRfix4K_C0000, ++ MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1); + break; + default: + return false; +-- +2.16.4 + diff --git a/patches.suse/0008-bcache-add-code-comment-bch_keylist_pop-and-bch_keyl.patch b/patches.suse/0008-bcache-add-code-comment-bch_keylist_pop-and-bch_keyl.patch new file mode 100644 index 0000000..5b0e099 --- /dev/null +++ b/patches.suse/0008-bcache-add-code-comment-bch_keylist_pop-and-bch_keyl.patch @@ -0,0 +1,43 @@ +From 06c1526da97dd0022973de3fc41b79b2d431b435 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Wed, 13 Nov 2019 16:03:20 +0800 +Subject: [PATCH] bcache: add code comment bch_keylist_pop() and + bch_keylist_pop_front() +Git-commit: 06c1526da97dd0022973de3fc41b79b2d431b435 +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +This patch adds simple code comments for bch_keylist_pop() and +bch_keylist_pop_front() in bset.c, to make the code more easier to +be understand. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/bset.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/bcache/bset.c b/drivers/md/bcache/bset.c +index 08768796b543..f37a429f093d 100644 +--- a/drivers/md/bcache/bset.c ++++ b/drivers/md/bcache/bset.c +@@ -155,6 +155,7 @@ int __bch_keylist_realloc(struct keylist *l, unsigned int u64s) + return 0; + } + ++/* Pop the top key of keylist by pointing l->top to its previous key */ + struct bkey *bch_keylist_pop(struct keylist *l) + { + struct bkey *k = l->keys; +@@ -168,6 +169,7 @@ struct bkey *bch_keylist_pop(struct keylist *l) + return l->top = k; + } + ++/* Pop the bottom key of keylist and update l->top_p */ + void bch_keylist_pop_front(struct keylist *l) + { + l->top_p -= bkey_u64s(l->keys); +-- +2.16.4 + diff --git a/patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch b/patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch new file mode 100644 index 0000000..72ba054 --- /dev/null +++ b/patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch @@ -0,0 +1,72 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 13c5183a4e643cc2b03a22d0e582c8e17bb7457d +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:48 -0800 +Subject: [PATCH] KVM: x86: Protect MSR-based index computations in pmu.h from + Spectre-v1/L1TF attacks +References: bsc#1164732 + +This fixes a Spectre-v1/L1TF vulnerability in the get_gp_pmc() and +get_fixed_pmc() functions. +They both contain index computations based on the (attacker-controlled) +MSR number. + +Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/pmu.h | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/pmu.h b/arch/x86/kvm/pmu.h +index 7ebb62326c14..13332984b6d5 100644 +--- a/arch/x86/kvm/pmu.h ++++ b/arch/x86/kvm/pmu.h +@@ -1,6 +1,8 @@ + #ifndef __KVM_X86_PMU_H + #define __KVM_X86_PMU_H + ++#include ++ + #define vcpu_to_pmu(vcpu) (&(vcpu)->arch.pmu) + #define pmu_to_vcpu(pmu) (container_of((pmu), struct kvm_vcpu, arch.pmu)) + #define pmc_to_pmu(pmc) (&(pmc)->vcpu->arch.pmu) +@@ -80,8 +82,12 @@ static inline bool kvm_valid_perf_global_ctrl(struct kvm_pmu *pmu, + static inline struct kvm_pmc *get_gp_pmc(struct kvm_pmu *pmu, u32 msr, + u32 base) + { +- if (msr >= base && msr < base + pmu->nr_arch_gp_counters) +- return &pmu->gp_counters[msr - base]; ++ if (msr >= base && msr < base + pmu->nr_arch_gp_counters) { ++ u32 index = array_index_nospec(msr - base, ++ pmu->nr_arch_gp_counters); ++ ++ return &pmu->gp_counters[index]; ++ } + + return NULL; + } +@@ -91,8 +97,12 @@ static inline struct kvm_pmc *get_fixed_pmc(struct kvm_pmu *pmu, u32 msr) + { + int base = MSR_CORE_PERF_FIXED_CTR0; + +- if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) +- return &pmu->fixed_counters[msr - base]; ++ if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) { ++ u32 index = array_index_nospec(msr - base, ++ pmu->nr_arch_fixed_counters); ++ ++ return &pmu->fixed_counters[index]; ++ } + + return NULL; + } +-- +2.16.4 + diff --git a/patches.suse/0009-bcache-fix-deadlock-in-bcache_allocator.patch b/patches.suse/0009-bcache-fix-deadlock-in-bcache_allocator.patch new file mode 100644 index 0000000..55d9bf4 --- /dev/null +++ b/patches.suse/0009-bcache-fix-deadlock-in-bcache_allocator.patch @@ -0,0 +1,155 @@ +From 84c529aea182939e68f618ed9813740c9165c7eb Mon Sep 17 00:00:00 2001 +From: Andrea Righi +Date: Wed, 13 Nov 2019 16:03:21 +0800 +Subject: [PATCH] bcache: fix deadlock in bcache_allocator +Git-commit: 84c529aea182939e68f618ed9813740c9165c7eb +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +bcache_allocator can call the following: + + bch_allocator_thread() + -> bch_prio_write() + -> bch_bucket_alloc() + -> wait on &ca->set->bucket_wait + +But the wake up event on bucket_wait is supposed to come from +bch_allocator_thread() itself => deadlock: + +[ 1158.490744] INFO: task bcache_allocato:15861 blocked for more than 10 seconds. +[ 1158.495929] Not tainted 5.3.0-050300rc3-generic #201908042232 +[ 1158.500653] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 1158.504413] bcache_allocato D 0 15861 2 0x80004000 +[ 1158.504419] Call Trace: +[ 1158.504429] __schedule+0x2a8/0x670 +[ 1158.504432] schedule+0x2d/0x90 +[ 1158.504448] bch_bucket_alloc+0xe5/0x370 [bcache] +[ 1158.504453] ? wait_woken+0x80/0x80 +[ 1158.504466] bch_prio_write+0x1dc/0x390 [bcache] +[ 1158.504476] bch_allocator_thread+0x233/0x490 [bcache] +[ 1158.504491] kthread+0x121/0x140 +[ 1158.504503] ? invalidate_buckets+0x890/0x890 [bcache] +[ 1158.504506] ? kthread_park+0xb0/0xb0 +[ 1158.504510] ret_from_fork+0x35/0x40 + +Fix by making the call to bch_prio_write() non-blocking, so that +bch_allocator_thread() never waits on itself. + +Moreover, make sure to wake up the garbage collector thread when +bch_prio_write() is failing to allocate buckets. + +Buglink: https://bugs.launchpad.net/bugs/1784665 +Buglink: https://bugs.launchpad.net/bugs/1796292 +Signed-off-by: Andrea Righi +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/alloc.c | 5 ++++- + drivers/md/bcache/bcache.h | 2 +- + drivers/md/bcache/super.c | 27 +++++++++++++++++++++------ + 3 files changed, 26 insertions(+), 8 deletions(-) + +diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c +index 6f776823b9ba..a1df0d95151c 100644 +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -377,7 +377,10 @@ static int bch_allocator_thread(void *arg) + if (!fifo_full(&ca->free_inc)) + goto retry_invalidate; + +- bch_prio_write(ca); ++ if (bch_prio_write(ca, false) < 0) { ++ ca->invalidate_needs_gc = 1; ++ wake_up_gc(ca->set); ++ } + } + } + out: +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index 3653faf3bf48..50241e045c70 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -978,7 +978,7 @@ bool bch_cached_dev_error(struct cached_dev *dc); + __printf(2, 3) + bool bch_cache_set_error(struct cache_set *c, const char *fmt, ...); + +-void bch_prio_write(struct cache *ca); ++int bch_prio_write(struct cache *ca, bool wait); + void bch_write_bdev_super(struct cached_dev *dc, struct closure *parent); + + extern struct workqueue_struct *bcache_wq; +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 623fdaf10c4c..d1352fcc6ff2 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -530,12 +530,29 @@ static void prio_io(struct cache *ca, uint64_t bucket, int op, + closure_sync(cl); + } + +-void bch_prio_write(struct cache *ca) ++int bch_prio_write(struct cache *ca, bool wait) + { + int i; + struct bucket *b; + struct closure cl; + ++ pr_debug("free_prio=%zu, free_none=%zu, free_inc=%zu", ++ fifo_used(&ca->free[RESERVE_PRIO]), ++ fifo_used(&ca->free[RESERVE_NONE]), ++ fifo_used(&ca->free_inc)); ++ ++ /* ++ * Pre-check if there are enough free buckets. In the non-blocking ++ * scenario it's better to fail early rather than starting to allocate ++ * buckets and do a cleanup later in case of failure. ++ */ ++ if (!wait) { ++ size_t avail = fifo_used(&ca->free[RESERVE_PRIO]) + ++ fifo_used(&ca->free[RESERVE_NONE]); ++ if (prio_buckets(ca) > avail) ++ return -ENOMEM; ++ } ++ + closure_init_stack(&cl); + + lockdep_assert_held(&ca->set->bucket_lock); +@@ -545,9 +562,6 @@ void bch_prio_write(struct cache *ca) + atomic_long_add(ca->sb.bucket_size * prio_buckets(ca), + &ca->meta_sectors_written); + +- //pr_debug("free %zu, free_inc %zu, unused %zu", fifo_used(&ca->free), +- // fifo_used(&ca->free_inc), fifo_used(&ca->unused)); +- + for (i = prio_buckets(ca) - 1; i >= 0; --i) { + long bucket; + struct prio_set *p = ca->disk_buckets; +@@ -565,7 +579,7 @@ void bch_prio_write(struct cache *ca) + p->magic = pset_magic(&ca->sb); + p->csum = bch_crc64(&p->magic, bucket_bytes(ca) - 8); + +- bucket = bch_bucket_alloc(ca, RESERVE_PRIO, true); ++ bucket = bch_bucket_alloc(ca, RESERVE_PRIO, wait); + BUG_ON(bucket == -1); + + mutex_unlock(&ca->set->bucket_lock); +@@ -594,6 +608,7 @@ void bch_prio_write(struct cache *ca) + + ca->prio_last_buckets[i] = ca->prio_buckets[i]; + } ++ return 0; + } + + static void prio_read(struct cache *ca, uint64_t bucket) +@@ -1964,7 +1979,7 @@ static int run_cache_set(struct cache_set *c) + + mutex_lock(&c->bucket_lock); + for_each_cache(ca, c, i) +- bch_prio_write(ca); ++ bch_prio_write(ca, true); + mutex_unlock(&c->bucket_lock); + + err = "cannot allocate new UUID bucket"; +-- +2.16.4 + diff --git a/patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch b/patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch new file mode 100644 index 0000000..8aa91b3 --- /dev/null +++ b/patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch @@ -0,0 +1,57 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 6ec4c5eee1750d5d17951c4e1960d953376a0dda +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:49 -0800 +Subject: [PATCH] KVM: x86: Protect MSR-based index computations from + Spectre-v1/L1TF attacks in x86.c +References: bsc#1164733 + +This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and +get_msr_mce(). +Both functions contain index computations based on the +(attacker-controlled) MSR number. + +Fixes: 890ca9aefa78 ("KVM: Add MCE support") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/x86.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 985066e1bda5..913e55f6dca3 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2138,7 +2138,10 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + default: + if (msr >= MSR_IA32_MC0_CTL && + msr < MSR_IA32_MCx_CTL(bank_num)) { +- u32 offset = msr - MSR_IA32_MC0_CTL; ++ u32 offset = array_index_nospec( ++ msr - MSR_IA32_MC0_CTL, ++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); ++ + /* only 0 or all 1s can be written to IA32_MCi_CTL + * some Linux kernels though clear bit 10 in bank 4 to + * workaround a BIOS/GART TBL issue on AMD K8s, ignore +@@ -2526,7 +2529,10 @@ static int get_msr_mce(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host) + default: + if (msr >= MSR_IA32_MC0_CTL && + msr < MSR_IA32_MCx_CTL(bank_num)) { +- u32 offset = msr - MSR_IA32_MC0_CTL; ++ u32 offset = array_index_nospec( ++ msr - MSR_IA32_MC0_CTL, ++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); ++ + data = vcpu->arch.mce_banks[offset]; + break; + } +-- +2.16.4 + diff --git a/patches.suse/0010-bcache-add-code-comments-in-bch_btree_leaf_dirty.patch b/patches.suse/0010-bcache-add-code-comments-in-bch_btree_leaf_dirty.patch new file mode 100644 index 0000000..cbde5d3 --- /dev/null +++ b/patches.suse/0010-bcache-add-code-comments-in-bch_btree_leaf_dirty.patch @@ -0,0 +1,39 @@ +From 5dccefd3ea0b33cf3e5a45cbccc7e0bf22791655 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Wed, 13 Nov 2019 16:03:22 +0800 +Subject: [PATCH] bcache: add code comments in bch_btree_leaf_dirty() +Git-commit: 5dccefd3ea0b33cf3e5a45cbccc7e0bf22791655 +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +This patch adds code comments in bch_btree_leaf_dirty() to explain +why w->journal should always reference the eldest journal pin of +all the writing bkeys in the btree node. To make the bcache journal +code to be easier to be understood. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/btree.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 39d7fc1ef1ee..48e33ee0d876 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -569,6 +569,11 @@ static void bch_btree_leaf_dirty(struct btree *b, atomic_t *journal_ref) + + set_btree_node_dirty(b); + ++ /* ++ * w->journal is always the oldest journal pin of all bkeys ++ * in the leaf node, to make sure the oldest jset seq won't ++ * be increased before this btree node is flushed. ++ */ + if (journal_ref) { + if (w->journal && + journal_pin_cmp(b->c, w->journal, journal_ref)) { +-- +2.16.4 + diff --git a/patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch b/patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch new file mode 100644 index 0000000..07d4f50 --- /dev/null +++ b/patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch @@ -0,0 +1,60 @@ +Patch-mainline: v5.6-rc1 +Git-commit: ea740059ecb37807ba47b84b33d1447435a8d868 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:52 -0800 +Subject: [PATCH] KVM: x86: Protect DR-based index computations from + Spectre-v1/L1TF attacks +References: bsc#1164734 + +This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and +kvm_get_dr(). +Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are +exported symbols so KVM should tream them conservatively from a security +perspective. + +Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/x86.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 913e55f6dca3..780224e76723 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -917,9 +917,11 @@ static u64 kvm_dr6_fixed(struct kvm_vcpu *vcpu) + + static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val) + { ++ size_t size = ARRAY_SIZE(vcpu->arch.db); ++ + switch (dr) { + case 0 ... 3: +- vcpu->arch.db[dr] = val; ++ vcpu->arch.db[array_index_nospec(dr, size)] = val; + if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)) + vcpu->arch.eff_db[dr] = val; + break; +@@ -956,9 +958,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr); + + int kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val) + { ++ size_t size = ARRAY_SIZE(vcpu->arch.db); ++ + switch (dr) { + case 0 ... 3: +- *val = vcpu->arch.db[dr]; ++ *val = vcpu->arch.db[array_index_nospec(dr, size)]; + break; + case 4: + /* fall through */ +-- +2.16.4 + diff --git a/patches.suse/0011-bcache-add-idle_max_writeback_rate-sysfs-interface.patch b/patches.suse/0011-bcache-add-idle_max_writeback_rate-sysfs-interface.patch new file mode 100644 index 0000000..ed67830 --- /dev/null +++ b/patches.suse/0011-bcache-add-idle_max_writeback_rate-sysfs-interface.patch @@ -0,0 +1,110 @@ +From c5fcdedcee4e6ae15c0eb5e0fbe25467e57d2963 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Wed, 13 Nov 2019 16:03:23 +0800 +Subject: [PATCH] bcache: add idle_max_writeback_rate sysfs interface +Git-commit: c5fcdedcee4e6ae15c0eb5e0fbe25467e57d2963 +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +For writeback mode, if there is no regular I/O request for a while, +the writeback rate will be set to the maximum value (1TB/s for now). +This is good for most of the storage workload, but there are still +people don't what the maximum writeback rate in I/O idle time. + +This patch adds a sysfs interface file idle_max_writeback_rate to +permit people to disable maximum writeback rate. Then the minimum +writeback rate can be advised by writeback_rate_minimum in the +bcache device's sysfs interface. + +Reported-by: Christian Balzer +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/bcache.h | 1 + + drivers/md/bcache/super.c | 1 + + drivers/md/bcache/sysfs.c | 7 +++++++ + drivers/md/bcache/writeback.c | 4 ++++ + 4 files changed, 13 insertions(+) + +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index 50241e045c70..9198c1b480d9 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -724,6 +724,7 @@ struct cache_set { + unsigned int gc_always_rewrite:1; + unsigned int shrinker_disabled:1; + unsigned int copy_gc_enabled:1; ++ unsigned int idle_max_writeback_rate_enabled:1; + + #define BUCKET_HASH_BITS 12 + struct hlist_head bucket_hash[1 << BUCKET_HASH_BITS]; +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index d1352fcc6ff2..77e9869345e7 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1834,6 +1834,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) + c->congested_read_threshold_us = 2000; + c->congested_write_threshold_us = 20000; + c->error_limit = DEFAULT_IO_ERROR_LIMIT; ++ c->idle_max_writeback_rate_enabled = 1; + WARN_ON(test_and_clear_bit(CACHE_SET_IO_DISABLE, &c->flags)); + + return c; +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 627dcea0f5b6..733e2ddf3c78 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -134,6 +134,7 @@ rw_attribute(expensive_debug_checks); + rw_attribute(cache_replacement_policy); + rw_attribute(btree_shrinker_disabled); + rw_attribute(copy_gc_enabled); ++rw_attribute(idle_max_writeback_rate); + rw_attribute(gc_after_writeback); + rw_attribute(size); + +@@ -747,6 +748,8 @@ SHOW(__bch_cache_set) + sysfs_printf(gc_always_rewrite, "%i", c->gc_always_rewrite); + sysfs_printf(btree_shrinker_disabled, "%i", c->shrinker_disabled); + sysfs_printf(copy_gc_enabled, "%i", c->copy_gc_enabled); ++ sysfs_printf(idle_max_writeback_rate, "%i", ++ c->idle_max_writeback_rate_enabled); + sysfs_printf(gc_after_writeback, "%i", c->gc_after_writeback); + sysfs_printf(io_disable, "%i", + test_bit(CACHE_SET_IO_DISABLE, &c->flags)); +@@ -864,6 +867,9 @@ STORE(__bch_cache_set) + sysfs_strtoul_bool(gc_always_rewrite, c->gc_always_rewrite); + sysfs_strtoul_bool(btree_shrinker_disabled, c->shrinker_disabled); + sysfs_strtoul_bool(copy_gc_enabled, c->copy_gc_enabled); ++ sysfs_strtoul_bool(idle_max_writeback_rate, ++ c->idle_max_writeback_rate_enabled); ++ + /* + * write gc_after_writeback here may overwrite an already set + * BCH_DO_AUTO_GC, it doesn't matter because this flag will be +@@ -954,6 +960,7 @@ static struct attribute *bch_cache_set_internal_files[] = { + &sysfs_gc_always_rewrite, + &sysfs_btree_shrinker_disabled, + &sysfs_copy_gc_enabled, ++ &sysfs_idle_max_writeback_rate, + &sysfs_gc_after_writeback, + &sysfs_io_disable, + &sysfs_cutoff_writeback, +diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c +index d60268fe49e1..4a40f9eadeaf 100644 +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -122,6 +122,10 @@ static void __update_writeback_rate(struct cached_dev *dc) + static bool set_at_max_writeback_rate(struct cache_set *c, + struct cached_dev *dc) + { ++ /* Don't sst max writeback rate if it is disabled */ ++ if (!c->idle_max_writeback_rate_enabled) ++ return false; ++ + /* Don't set max writeback rate if gc is running */ + if (!c->gc_mark_valid) + return false; +-- +2.16.4 + diff --git a/patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch b/patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch new file mode 100644 index 0000000..0b2dbb4 --- /dev/null +++ b/patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch @@ -0,0 +1,77 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 66061740f1a487f4ed54fde75e724709f805da53 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:53 -0800 +Subject: [PATCH] KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks +References: bsc#1164735 + +This fixes Spectre-v1/L1TF vulnerabilities in intel_find_fixed_event() +and intel_rdpmc_ecx_to_pmc(). +kvm_rdpmc() (ancestor of intel_find_fixed_event()) and +reprogram_fixed_counter() (ancestor of intel_rdpmc_ecx_to_pmc()) are +exported symbols so KVM should treat them conservatively from a security +perspective. + +Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/pmu_intel.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kvm/pmu_intel.c b/arch/x86/kvm/pmu_intel.c +index 7023138b1cb0..34a3a17bb6d7 100644 +--- a/arch/x86/kvm/pmu_intel.c ++++ b/arch/x86/kvm/pmu_intel.c +@@ -87,10 +87,14 @@ static unsigned intel_find_arch_event(struct kvm_pmu *pmu, + + static unsigned intel_find_fixed_event(int idx) + { +- if (idx >= ARRAY_SIZE(fixed_pmc_events)) ++ u32 event; ++ size_t size = ARRAY_SIZE(fixed_pmc_events); ++ ++ if (idx >= size) + return PERF_COUNT_HW_MAX; + +- return intel_arch_events[fixed_pmc_events[idx]].event_type; ++ event = fixed_pmc_events[array_index_nospec(idx, size)]; ++ return intel_arch_events[event].event_type; + } + + /* check if a PMC is enabled by comparing it with globl_ctrl bits. */ +@@ -131,15 +135,19 @@ static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu *vcpu, + struct kvm_pmu *pmu = vcpu_to_pmu(vcpu); + bool fixed = idx & (1u << 30); + struct kvm_pmc *counters; ++ unsigned int num_counters; + + idx &= ~(3u << 30); +- if (!fixed && idx >= pmu->nr_arch_gp_counters) +- return NULL; +- if (fixed && idx >= pmu->nr_arch_fixed_counters) ++ if (fixed) { ++ counters = pmu->fixed_counters; ++ num_counters = pmu->nr_arch_fixed_counters; ++ } else { ++ counters = pmu->gp_counters; ++ num_counters = pmu->nr_arch_gp_counters; ++ } ++ if (idx >= num_counters) + return NULL; +- counters = fixed ? pmu->fixed_counters : pmu->gp_counters; +- +- return &counters[idx]; ++ return &counters[array_index_nospec(idx, num_counters)]; + } + + static bool intel_is_valid_msr(struct kvm_vcpu *vcpu, u32 msr) +-- +2.16.4 + diff --git a/patches.suse/0012-bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch b/patches.suse/0012-bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch new file mode 100644 index 0000000..91e583a --- /dev/null +++ b/patches.suse/0012-bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch @@ -0,0 +1,51 @@ +From 9fcc34b1a6dd4b8e5337e2b6ef45e428897eca6b Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Wed, 13 Nov 2019 16:03:24 +0800 +Subject: [PATCH] bcache: at least try to shrink 1 node in bch_mca_scan() +Git-commit: 9fcc34b1a6dd4b8e5337e2b6ef45e428897eca6b +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +In bch_mca_scan(), the number of shrinking btree node is calculated +by code like this, + unsigned long nr = sc->nr_to_scan; + + nr /= c->btree_pages; + nr = min_t(unsigned long, nr, mca_can_free(c)); +variable sc->nr_to_scan is number of objects (here is bcache B+tree +nodes' number) to shrink, and pointer variable sc is sent from memory +management code as parametr of a callback. + +If sc->nr_to_scan is smaller than c->btree_pages, after the above +calculation, variable 'nr' will be 0 and nothing will be shrunk. It is +frequeently observed that only 1 or 2 is set to sc->nr_to_scan and make +nr to be zero. Then bch_mca_scan() will do nothing more then acquiring +and releasing mutex c->bucket_lock. + +This patch checkes whether nr is 0 after the above calculation, if 0 +is the result then set 1 to variable 'n'. Then at least bch_mca_scan() +will try to shrink a single B+tree node. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/btree.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 48e33ee0d876..3df5fa4a501c 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -754,6 +754,8 @@ static unsigned long bch_mca_scan(struct shrinker *shrink, + * IO can always make forward progress: + */ + nr /= c->btree_pages; ++ if (nr == 0) ++ nr = 1; + nr = min_t(unsigned long, nr, mca_can_free(c)); + + i = 0; +-- +2.16.4 + diff --git a/patches.suse/0012-drm-amdgpu-remove-set-but-not-used-variable-mc_share.patch b/patches.suse/0012-drm-amdgpu-remove-set-but-not-used-variable-mc_share.patch new file mode 100644 index 0000000..b80f372 --- /dev/null +++ b/patches.suse/0012-drm-amdgpu-remove-set-but-not-used-variable-mc_share.patch @@ -0,0 +1,72 @@ +From 747a397d394fac0001e4b3c03d7dce3a118af567 Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Wed, 13 Nov 2019 20:44:28 +0800 +Subject: [PATCH] drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 747a397d394fac0001e4b3c03d7dce3a118af567 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Fixes gcc '-Wunused-but-set-variable' warning: + +Drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c: In function +‘gfx_v6_0_constants_init’: +drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c:1579:6: warning: variable +‘mc_shared_chmap’ set but not used [-Wunused-but-set-variable] + +Drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c: In function +‘gfx_v7_0_gpu_early_init’: +drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c:4262:6: warning: variable +‘mc_shared_chmap’ set but not used [-Wunused-but-set-variable] + +Fixes: 2cd46ad22383 ("drm/amdgpu: add graphic pipeline implementation for si v8") +Fixes: d93f3ca706b8 ("drm/amdgpu/gfx7: rework gpu_init()") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 3 +-- + drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 3 +-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c +@@ -1533,7 +1533,7 @@ static void gfx_v6_0_config_init(struct + static void gfx_v6_0_gpu_init(struct amdgpu_device *adev) + { + u32 gb_addr_config = 0; +- u32 mc_shared_chmap, mc_arb_ramcfg; ++ u32 mc_arb_ramcfg; + u32 sx_debug_1; + u32 hdp_host_path_cntl; + u32 tmp; +@@ -1635,7 +1635,6 @@ static void gfx_v6_0_gpu_init(struct amd + + WREG32(mmBIF_FB_EN, BIF_FB_EN__FB_READ_EN_MASK | BIF_FB_EN__FB_WRITE_EN_MASK); + +- mc_shared_chmap = RREG32(mmMC_SHARED_CHMAP); + adev->gfx.config.mc_arb_ramcfg = RREG32(mmMC_ARB_RAMCFG); + mc_arb_ramcfg = adev->gfx.config.mc_arb_ramcfg; + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c +@@ -4499,7 +4499,7 @@ static int gfx_v7_0_late_init(void *hand + static void gfx_v7_0_gpu_early_init(struct amdgpu_device *adev) + { + u32 gb_addr_config; +- u32 mc_shared_chmap, mc_arb_ramcfg; ++ u32 mc_arb_ramcfg; + u32 dimm00_addr_map, dimm01_addr_map, dimm10_addr_map, dimm11_addr_map; + u32 tmp; + +@@ -4576,7 +4576,6 @@ static void gfx_v7_0_gpu_early_init(stru + break; + } + +- mc_shared_chmap = RREG32(mmMC_SHARED_CHMAP); + adev->gfx.config.mc_arb_ramcfg = RREG32(mmMC_ARB_RAMCFG); + mc_arb_ramcfg = adev->gfx.config.mc_arb_ramcfg; + diff --git a/patches.suse/0013-bcache-remove-the-extra-cflags-for-request.o.patch b/patches.suse/0013-bcache-remove-the-extra-cflags-for-request.o.patch new file mode 100644 index 0000000..db46076 --- /dev/null +++ b/patches.suse/0013-bcache-remove-the-extra-cflags-for-request.o.patch @@ -0,0 +1,31 @@ +From 651bbba57ada682a8651768df6979598e28e3b8d Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Wed, 13 Nov 2019 16:03:25 +0800 +Subject: [PATCH] bcache: remove the extra cflags for request.o +Git-commit: 651bbba57ada682a8651768df6979598e28e3b8d +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +There is no block directory this file needs includes from. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/Makefile | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/md/bcache/Makefile b/drivers/md/bcache/Makefile +index d26b35195825..fd714628da6a 100644 +--- a/drivers/md/bcache/Makefile ++++ b/drivers/md/bcache/Makefile +@@ -5,5 +5,3 @@ obj-$(CONFIG_BCACHE) += bcache.o + bcache-y := alloc.o bset.o btree.o closure.o debug.o extents.o\ + io.o journal.o movinggc.o request.o stats.o super.o sysfs.o trace.o\ + util.o writeback.o +- +-CFLAGS_request.o += -Iblock +-- +2.16.4 + diff --git a/patches.suse/0014-bcache-don-t-export-symbols.patch b/patches.suse/0014-bcache-don-t-export-symbols.patch new file mode 100644 index 0000000..95a9aeb --- /dev/null +++ b/patches.suse/0014-bcache-don-t-export-symbols.patch @@ -0,0 +1,199 @@ +From 15fbb2312f32cf99bd8e0247ac0240c9bce0ba47 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Wed, 13 Nov 2019 16:03:26 +0800 +Subject: [PATCH] bcache: don't export symbols +Git-commit: 15fbb2312f32cf99bd8e0247ac0240c9bce0ba47 +Patch-mainline: v5.5-rc1 +References: bsc#1163762 + +None of the exported bcache symbols are actually used anywhere. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/bset.c | 15 --------------- + drivers/md/bcache/closure.c | 7 ------- + 2 files changed, 22 deletions(-) + +--- a/drivers/md/bcache/bset.c ++++ b/drivers/md/bcache/bset.c +@@ -310,7 +310,6 @@ void bch_btree_keys_free(struct btree_ke + t->tree = NULL; + t->data = NULL; + } +-EXPORT_SYMBOL(bch_btree_keys_free); + + int bch_btree_keys_alloc(struct btree_keys *b, + unsigned int page_order, +@@ -343,7 +342,6 @@ err: + bch_btree_keys_free(b); + return -ENOMEM; + } +-EXPORT_SYMBOL(bch_btree_keys_alloc); + + void bch_btree_keys_init(struct btree_keys *b, const struct btree_keys_ops *ops, + bool *expensive_debug_checks) +@@ -362,7 +360,6 @@ void bch_btree_keys_init(struct btree_ke + * any more. + */ + } +-EXPORT_SYMBOL(bch_btree_keys_init); + + /* Binary tree stuff for auxiliary search trees */ + +@@ -679,7 +676,6 @@ void bch_bset_init_next(struct btree_key + + bch_bset_build_unwritten_tree(b); + } +-EXPORT_SYMBOL(bch_bset_init_next); + + /* + * Build auxiliary binary tree 'struct bset_tree *t', this tree is used to +@@ -733,7 +729,6 @@ void bch_bset_build_written_tree(struct + j = inorder_next(j, t->size)) + make_bfloat(t, j); + } +-EXPORT_SYMBOL(bch_bset_build_written_tree); + + /* Insert */ + +@@ -781,7 +776,6 @@ fix_right: do { + j = j * 2 + 1; + } while (j < t->size); + } +-EXPORT_SYMBOL(bch_bset_fix_invalidated_key); + + static void bch_bset_fix_lookup_table(struct btree_keys *b, + struct bset_tree *t, +@@ -856,7 +850,6 @@ bool bch_bkey_try_merge(struct btree_key + + return b->ops->key_merge(b, l, r); + } +-EXPORT_SYMBOL(bch_bkey_try_merge); + + void bch_bset_insert(struct btree_keys *b, struct bkey *where, + struct bkey *insert) +@@ -876,7 +869,6 @@ void bch_bset_insert(struct btree_keys * + bkey_copy(where, insert); + bch_bset_fix_lookup_table(b, t, where); + } +-EXPORT_SYMBOL(bch_bset_insert); + + unsigned int bch_btree_insert_key(struct btree_keys *b, struct bkey *k, + struct bkey *replace_key) +@@ -932,7 +924,6 @@ copy: bkey_copy(m, k); + merged: + return status; + } +-EXPORT_SYMBOL(bch_btree_insert_key); + + /* Lookup */ + +@@ -1078,7 +1069,6 @@ struct bkey *__bch_bset_search(struct bt + + return i.l; + } +-EXPORT_SYMBOL(__bch_bset_search); + + /* Btree iterator */ + +@@ -1133,7 +1123,6 @@ struct bkey *bch_btree_iter_init(struct + { + return __bch_btree_iter_init(b, iter, search, b->set); + } +-EXPORT_SYMBOL(bch_btree_iter_init); + + static inline struct bkey *__bch_btree_iter_next(struct btree_iter *iter, + btree_iter_cmp_fn *cmp) +@@ -1166,7 +1155,6 @@ struct bkey *bch_btree_iter_next(struct + return __bch_btree_iter_next(iter, btree_iter_cmp); + + } +-EXPORT_SYMBOL(bch_btree_iter_next); + + struct bkey *bch_btree_iter_next_filter(struct btree_iter *iter, + struct btree_keys *b, ptr_filter_fn fn) +@@ -1202,7 +1190,6 @@ int bch_bset_sort_state_init(struct bset + + return 0; + } +-EXPORT_SYMBOL(bch_bset_sort_state_init); + + static void btree_mergesort(struct btree_keys *b, struct bset *out, + struct btree_iter *iter, +@@ -1319,7 +1306,6 @@ void bch_btree_sort_partial(struct btree + + EBUG_ON(oldsize >= 0 && bch_count_data(b) != oldsize); + } +-EXPORT_SYMBOL(bch_btree_sort_partial); + + void bch_btree_sort_and_fix_extents(struct btree_keys *b, + struct btree_iter *iter, +@@ -1372,7 +1358,6 @@ void bch_btree_sort_lazy(struct btree_ke + out: + bch_bset_build_written_tree(b); + } +-EXPORT_SYMBOL(bch_btree_sort_lazy); + + void bch_btree_keys_stats(struct btree_keys *b, struct bset_stats *stats) + { +--- a/drivers/md/bcache/closure.c ++++ b/drivers/md/bcache/closure.c +@@ -45,7 +45,6 @@ void closure_sub(struct closure *cl, int + { + closure_put_after_sub(cl, atomic_sub_return(v, &cl->remaining)); + } +-EXPORT_SYMBOL(closure_sub); + + /* + * closure_put - decrement a closure's refcount +@@ -54,7 +53,6 @@ void closure_put(struct closure *cl) + { + closure_put_after_sub(cl, atomic_dec_return(&cl->remaining)); + } +-EXPORT_SYMBOL(closure_put); + + /* + * closure_wake_up - wake up all closures on a wait list, without memory barrier +@@ -76,7 +74,6 @@ void __closure_wake_up(struct closure_wa + closure_sub(cl, CLOSURE_WAITING + 1); + } + } +-EXPORT_SYMBOL(__closure_wake_up); + + /** + * closure_wait - add a closure to a waitlist +@@ -96,7 +93,6 @@ bool closure_wait(struct closure_waitlis + + return true; + } +-EXPORT_SYMBOL(closure_wait); + + struct closure_syncer { + struct task_struct *task; +@@ -131,7 +127,6 @@ void __sched __closure_sync(struct closu + + __set_current_state(TASK_RUNNING); + } +-EXPORT_SYMBOL(__closure_sync); + + #ifdef CONFIG_BCACHE_CLOSURES_DEBUG + +@@ -149,7 +144,6 @@ void closure_debug_create(struct closure + list_add(&cl->all, &closure_list); + spin_unlock_irqrestore(&closure_list_lock, flags); + } +-EXPORT_SYMBOL(closure_debug_create); + + void closure_debug_destroy(struct closure *cl) + { +@@ -162,7 +156,6 @@ void closure_debug_destroy(struct closur + list_del(&cl->all); + spin_unlock_irqrestore(&closure_list_lock, flags); + } +-EXPORT_SYMBOL(closure_debug_destroy); + + static struct dentry *closure_debug; + diff --git a/patches.suse/0015-lib-crc64-include-linux-crc64.h-for-crc64_be.patch b/patches.suse/0015-lib-crc64-include-linux-crc64.h-for-crc64_be.patch new file mode 100644 index 0000000..d776f45 --- /dev/null +++ b/patches.suse/0015-lib-crc64-include-linux-crc64.h-for-crc64_be.patch @@ -0,0 +1,38 @@ +From 0e0c12316d8a645e7b1880e135837ee78d18aed9 Mon Sep 17 00:00:00 2001 +From: "Ben Dooks (Codethink)" +Date: Fri, 24 Jan 2020 01:01:35 +0800 +Subject: [PATCH] lib: crc64: include for 'crc64_be' +Git-commit: 0e0c12316d8a645e7b1880e135837ee78d18aed9 +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +The crc64_be() is declared in so include +this where the symbol is defined to avoid the following +Warning: + +lib/crc64.c:43:12: warning: symbol 'crc64_be' was not declared. Should it be static? + +Signed-off-by: Ben Dooks (Codethink) +Reviewed-by: Andy Shevchenko +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + lib/crc64.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/crc64.c b/lib/crc64.c +index 0ef8ae6ac047..f8928ce28280 100644 +--- a/lib/crc64.c ++++ b/lib/crc64.c +@@ -28,6 +28,7 @@ + + #include + #include ++#include + #include "crc64table.h" + + MODULE_DESCRIPTION("CRC64 calculations"); +-- +2.16.4 + diff --git a/patches.suse/0016-bcache-add-code-comments-for-state-pool-in-__btree_s.patch b/patches.suse/0016-bcache-add-code-comments-for-state-pool-in-__btree_s.patch new file mode 100644 index 0000000..af42a91 --- /dev/null +++ b/patches.suse/0016-bcache-add-code-comments-for-state-pool-in-__btree_s.patch @@ -0,0 +1,38 @@ +From 7a0bc2a8966040d54289b64842d55e2cf4343ad9 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Fri, 24 Jan 2020 01:01:36 +0800 +Subject: [PATCH] bcache: add code comments for state->pool in __btree_sort() +Git-commit: 7a0bc2a8966040d54289b64842d55e2cf4343ad9 +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +To explain the pages allocated from mempool state->pool can be +swapped in __btree_sort(), because state->pool is a page pool, +which allocates pages by alloc_pages() indeed. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/bset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/md/bcache/bset.c b/drivers/md/bcache/bset.c +index cffcdc9feefb..4385303836d8 100644 +--- a/drivers/md/bcache/bset.c ++++ b/drivers/md/bcache/bset.c +@@ -1257,6 +1257,11 @@ static void __btree_sort(struct btree_keys *b, struct btree_iter *iter, + * Our temporary buffer is the same size as the btree node's + * buffer, we can just swap buffers instead of doing a big + * memcpy() ++ * ++ * Don't worry event 'out' is allocated from mempool, it can ++ * still be swapped here. Because state->pool is a page mempool ++ * creaated by by mempool_init_page_pool(), which allocates ++ * pages by alloc_pages() indeed. + */ + + out->magic = b->set->data->magic; +-- +2.16.4 + diff --git a/patches.suse/0017-bcache-avoid-unnecessary-btree-nodes-flushing-in-btr.patch b/patches.suse/0017-bcache-avoid-unnecessary-btree-nodes-flushing-in-btr.patch new file mode 100644 index 0000000..889565b --- /dev/null +++ b/patches.suse/0017-bcache-avoid-unnecessary-btree-nodes-flushing-in-btr.patch @@ -0,0 +1,235 @@ +From 2aa8c529387c25606fdc1484154b92f8bfbc5746 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Fri, 24 Jan 2020 01:01:37 +0800 +Subject: [PATCH] bcache: avoid unnecessary btree nodes flushing in + btree_flush_write() +Git-commit: 2aa8c529387c25606fdc1484154b92f8bfbc5746 +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +the commit 91be66e1318f ("bcache: performance improvement for +btree_flush_write()") was an effort to flushing btree node with oldest +btree node faster in following methods, +- Only iterate dirty btree nodes in c->btree_cache, avoid scanning a lot + of clean btree nodes. +- Take c->btree_cache as a LRU-like list, aggressively flushing all + dirty nodes from tail of c->btree_cache util the btree node with + oldest journal entry is flushed. This is to reduce the time of holding + c->bucket_lock. + +Guoju Fang and Shuang Li reported that they observe unexptected extra +write I/Os on cache device after applying the above patch. Guoju Fang +provideed more detailed diagnose information that the aggressive +btree nodes flushing may cause 10x more btree nodes to flush in his +workload. He points out when system memory is large enough to hold all +btree nodes in memory, c->btree_cache is not a LRU-like list any more. +Then the btree node with oldest journal entry is very probably not- +close to the tail of c->btree_cache list. In such situation much more +dirty btree nodes will be aggressively flushed before the target node +is flushed. When slow SATA SSD is used as cache device, such over- +aggressive flushing behavior will cause performance regression. + +After spending a lot of time on debug and diagnose, I find the real +condition is more complicated, aggressive flushing dirty btree nodes +from tail of c->btree_cache list is not a good solution. +- When all btree nodes are cached in memory, c->btree_cache is not + a LRU-like list, the btree nodes with oldest journal entry won't + be close to the tail of the list. +- There can be hundreds dirty btree nodes reference the oldest journal + entry, before flushing all the nodes the oldest journal entry cannot + be reclaimed. +When the above two conditions mixed together, a simply flushing from +tail of c->btree_cache list is really NOT a good idea. + +Fortunately there is still chance to make btree_flush_write() work +better. Here is how this patch avoids unnecessary btree nodes flushing, +- Only acquire c->journal.lock when getting oldest journal entry of + fifo c->journal.pin. In rested locations check the journal entries + locklessly, so their values can be changed on other cores + in parallel. +- In loop list_for_each_entry_safe_reverse(), checking latest front + point of fifo c->journal.pin. If it is different from the original + point which we get with locking c->journal.lock, it means the oldest + journal entry is reclaim on other cores. At this moment, all selected + dirty nodes recorded in array btree_nodes[] are all flushed and clean + on other CPU cores, it is unncessary to iterate c->btree_cache any + longer. Just quit the list_for_each_entry_safe_reverse() loop and + the following for-loop will skip all the selected clean nodes. +- Find a proper time to quit the list_for_each_entry_safe_reverse() + loop. Check the refcount value of orignial fifo front point, if the + value is larger than selected node number of btree_nodes[], it means + more matching btree nodes should be scanned. Otherwise it means no + more matching btee nodes in rest of c->btree_cache list, the loop + can be quit. If the original oldest journal entry is reclaimed and + fifo front point is updated, the refcount of original fifo front point + will be 0, then the loop will be quit too. +- Not hold c->bucket_lock too long time. c->bucket_lock is also required + for space allocation for cached data, hold it for too long time will + block regular I/O requests. When iterating list c->btree_cache, even + there are a lot of maching btree nodes, in order to not holding + c->bucket_lock for too long time, only BTREE_FLUSH_NR nodes are + selected and to flush in following for-loop. +With this patch, only btree nodes referencing oldest journal entry +are flushed to cache device, no aggressive flushing for unnecessary +btree node any more. And in order to avoid blocking regluar I/O +requests, each time when btree_flush_write() called, at most only +BTREE_FLUSH_NR btree nodes are selected to flush, even there are more +maching btree nodes in list c->btree_cache. + +At last, one more thing to explain: Why it is safe to read front point +of c->journal.pin without holding c->journal.lock inside the +list_for_each_entry_safe_reverse() loop ? + +Here is my answer: When reading the front point of fifo c->journal.pin, +we don't need to know the exact value of front point, we just want to +check whether the value is different from the original front point +(which is accurate value because we get it while c->jouranl.lock is +held). For such purpose, it works as expected without holding +c->journal.lock. Even the front point is changed on other CPU core and +not updated to local core, and current iterating btree node has +identical journal entry local as original fetched fifo front point, it +is still safe. Because after holding mutex b->write_lock (with memory +barrier) this btree node can be found as clean and skipped, the loop +will quite latter when iterate on next node of list c->btree_cache. + +Fixes: 91be66e1318f ("bcache: performance improvement for btree_flush_write()") +Reported-by: Guoju Fang +Reported-by: Shuang Li +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/journal.c | 80 ++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 75 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c +index be2a2a201603..33ddc5269e8d 100644 +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -417,10 +417,14 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list) + + /* Journalling */ + ++#define nr_to_fifo_front(p, front_p, mask) (((p) - (front_p)) & (mask)) ++ + static void btree_flush_write(struct cache_set *c) + { + struct btree *b, *t, *btree_nodes[BTREE_FLUSH_NR]; +- unsigned int i, n; ++ unsigned int i, nr, ref_nr; ++ atomic_t *fifo_front_p, *now_fifo_front_p; ++ size_t mask; + + if (c->journal.btree_flushing) + return; +@@ -433,12 +437,50 @@ static void btree_flush_write(struct cache_set *c) + c->journal.btree_flushing = true; + spin_unlock(&c->journal.flush_write_lock); + ++ /* get the oldest journal entry and check its refcount */ ++ spin_lock(&c->journal.lock); ++ fifo_front_p = &fifo_front(&c->journal.pin); ++ ref_nr = atomic_read(fifo_front_p); ++ if (ref_nr <= 0) { ++ /* ++ * do nothing if no btree node references ++ * the oldest journal entry ++ */ ++ spin_unlock(&c->journal.lock); ++ goto out; ++ } ++ spin_unlock(&c->journal.lock); ++ ++ mask = c->journal.pin.mask; ++ nr = 0; + atomic_long_inc(&c->flush_write); + memset(btree_nodes, 0, sizeof(btree_nodes)); +- n = 0; + + mutex_lock(&c->bucket_lock); + list_for_each_entry_safe_reverse(b, t, &c->btree_cache, list) { ++ /* ++ * It is safe to get now_fifo_front_p without holding ++ * c->journal.lock here, because we don't need to know ++ * the exactly accurate value, just check whether the ++ * front pointer of c->journal.pin is changed. ++ */ ++ now_fifo_front_p = &fifo_front(&c->journal.pin); ++ /* ++ * If the oldest journal entry is reclaimed and front ++ * pointer of c->journal.pin changes, it is unnecessary ++ * to scan c->btree_cache anymore, just quit the loop and ++ * flush out what we have already. ++ */ ++ if (now_fifo_front_p != fifo_front_p) ++ break; ++ /* ++ * quit this loop if all matching btree nodes are ++ * scanned and record in btree_nodes[] already. ++ */ ++ ref_nr = atomic_read(fifo_front_p); ++ if (nr >= ref_nr) ++ break; ++ + if (btree_node_journal_flush(b)) + pr_err("BUG: flush_write bit should not be set here!"); + +@@ -454,17 +496,44 @@ static void btree_flush_write(struct cache_set *c) + continue; + } + ++ /* ++ * Only select the btree node which exactly references ++ * the oldest journal entry. ++ * ++ * If the journal entry pointed by fifo_front_p is ++ * reclaimed in parallel, don't worry: ++ * - the list_for_each_xxx loop will quit when checking ++ * next now_fifo_front_p. ++ * - If there are matched nodes recorded in btree_nodes[], ++ * they are clean now (this is why and how the oldest ++ * journal entry can be reclaimed). These selected nodes ++ * will be ignored and skipped in the folowing for-loop. ++ */ ++ if (nr_to_fifo_front(btree_current_write(b)->journal, ++ fifo_front_p, ++ mask) != 0) { ++ mutex_unlock(&b->write_lock); ++ continue; ++ } ++ + set_btree_node_journal_flush(b); + + mutex_unlock(&b->write_lock); + +- btree_nodes[n++] = b; +- if (n == BTREE_FLUSH_NR) ++ btree_nodes[nr++] = b; ++ /* ++ * To avoid holding c->bucket_lock too long time, ++ * only scan for BTREE_FLUSH_NR matched btree nodes ++ * at most. If there are more btree nodes reference ++ * the oldest journal entry, try to flush them next ++ * time when btree_flush_write() is called. ++ */ ++ if (nr == BTREE_FLUSH_NR) + break; + } + mutex_unlock(&c->bucket_lock); + +- for (i = 0; i < n; i++) { ++ for (i = 0; i < nr; i++) { + b = btree_nodes[i]; + if (!b) { + pr_err("BUG: btree_nodes[%d] is NULL", i); +@@ -497,6 +566,7 @@ static void btree_flush_write(struct cache_set *c) + mutex_unlock(&b->write_lock); + } + ++out: + spin_lock(&c->journal.flush_write_lock); + c->journal.btree_flushing = false; + spin_unlock(&c->journal.flush_write_lock); +-- +2.16.4 + diff --git a/patches.suse/0018-bcache-print-written-and-keys-in-trace_bcache_btree_.patch b/patches.suse/0018-bcache-print-written-and-keys-in-trace_bcache_btree_.patch new file mode 100644 index 0000000..2f4198c --- /dev/null +++ b/patches.suse/0018-bcache-print-written-and-keys-in-trace_bcache_btree_.patch @@ -0,0 +1,36 @@ +From d44330b7f13e7f243f7d0e0426741219708ff7de Mon Sep 17 00:00:00 2001 +From: Guoju Fang +Date: Fri, 24 Jan 2020 01:01:38 +0800 +Subject: [PATCH] bcache: print written and keys in trace_bcache_btree_write +Git-commit: d44330b7f13e7f243f7d0e0426741219708ff7de +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +It's useful to dump written block and keys on btree write, this patch +add them into trace_bcache_btree_write. + +Signed-off-by: Guoju Fang +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + include/trace/events/bcache.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/trace/events/bcache.h b/include/trace/events/bcache.h +index e4526f85c19d..0bddea663b3b 100644 +--- a/include/trace/events/bcache.h ++++ b/include/trace/events/bcache.h +@@ -275,7 +275,8 @@ TRACE_EVENT(bcache_btree_write, + __entry->keys = b->keys.set[b->keys.nsets].data->keys; + ), + +- TP_printk("bucket %zu", __entry->bucket) ++ TP_printk("bucket %zu written block %u + %u", ++ __entry->bucket, __entry->block, __entry->keys) + ); + + DEFINE_EVENT(btree_node, bcache_btree_node_alloc, +-- +2.16.4 + diff --git a/patches.suse/0019-bcache-remove-member-accessed-from-struct-btree.patch b/patches.suse/0019-bcache-remove-member-accessed-from-struct-btree.patch new file mode 100644 index 0000000..ccbda0c --- /dev/null +++ b/patches.suse/0019-bcache-remove-member-accessed-from-struct-btree.patch @@ -0,0 +1,84 @@ +From 125d98edd11464c8e0ec9eaaba7d682d0f832686 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Fri, 24 Jan 2020 01:01:40 +0800 +Subject: [PATCH] bcache: remove member accessed from struct btree +Git-commit: 125d98edd11464c8e0ec9eaaba7d682d0f832686 +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +The member 'accessed' of struct btree is used in bch_mca_scan() when +shrinking btree node caches. The original idea is, if b->accessed is +set, clean it and look at next btree node cache from c->btree_cache +list, and only shrink the caches whose b->accessed is cleaned. Then +only cold btree node cache will be shrunk. + +But when I/O pressure is high, it is very probably that b->accessed +of a btree node cache will be set again in bch_btree_node_get() +before bch_mca_scan() selects it again. Then there is no chance for +bch_mca_scan() to shrink enough memory back to slub or slab system. + +This patch removes member accessed from struct btree, then once a +btree node ache is selected, it will be immediately shunk. By this +change, bch_mca_scan() may release btree node cahce more efficiently. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/btree.c | 8 ++------ + drivers/md/bcache/btree.h | 2 -- + 2 files changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 14d6c33b0957..357535a5c89c 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -754,14 +754,12 @@ static unsigned long bch_mca_scan(struct shrinker *shrink, + b = list_first_entry(&c->btree_cache, struct btree, list); + list_rotate_left(&c->btree_cache); + +- if (!b->accessed && +- !mca_reap(b, 0, false)) { ++ if (!mca_reap(b, 0, false)) { + mca_bucket_free(b); + mca_data_free(b); + rw_unlock(true, b); + freed++; +- } else +- b->accessed = 0; ++ } + } + out: + mutex_unlock(&c->bucket_lock); +@@ -1069,7 +1067,6 @@ struct btree *bch_btree_node_get(struct cache_set *c, struct btree_op *op, + BUG_ON(!b->written); + + b->parent = parent; +- b->accessed = 1; + + for (; i <= b->keys.nsets && b->keys.set[i].size; i++) { + prefetch(b->keys.set[i].tree); +@@ -1160,7 +1157,6 @@ struct btree *__bch_btree_node_alloc(struct cache_set *c, struct btree_op *op, + goto retry; + } + +- b->accessed = 1; + b->parent = parent; + bch_bset_init_next(&b->keys, b->keys.set->data, bset_magic(&b->c->sb)); + +diff --git a/drivers/md/bcache/btree.h b/drivers/md/bcache/btree.h +index 76cfd121a486..f4dcca449391 100644 +--- a/drivers/md/bcache/btree.h ++++ b/drivers/md/bcache/btree.h +@@ -121,8 +121,6 @@ struct btree { + /* Key/pointer for this btree node */ + BKEY_PADDED(key); + +- /* Single bit - set when accessed, cleared by shrinker */ +- unsigned long accessed; + unsigned long seq; + struct rw_semaphore lock; + struct cache_set *c; +-- +2.16.4 + diff --git a/patches.suse/0020-bcache-reap-c-btree_cache_freeable-from-the-tail-in-.patch b/patches.suse/0020-bcache-reap-c-btree_cache_freeable-from-the-tail-in-.patch new file mode 100644 index 0000000..bcd7eaa --- /dev/null +++ b/patches.suse/0020-bcache-reap-c-btree_cache_freeable-from-the-tail-in-.patch @@ -0,0 +1,70 @@ +From d5c9c470b01177e4d90cdbf178b8c7f37f5b8795 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Fri, 24 Jan 2020 01:01:41 +0800 +Subject: [PATCH] bcache: reap c->btree_cache_freeable from the tail in + bch_mca_scan() +Git-commit: d5c9c470b01177e4d90cdbf178b8c7f37f5b8795 +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +In order to skip the most recently freed btree node cahce, currently +in bch_mca_scan() the first 3 caches in c->btree_cache_freeable list +are skipped when shrinking bcache node caches in bch_mca_scan(). The +related code in bch_mca_scan() is, + + 737 list_for_each_entry_safe(b, t, &c->btree_cache_freeable, list) { + 738 if (nr <= 0) + 739 goto out; + 740 + 741 if (++i > 3 && + 742 !mca_reap(b, 0, false)) { + lines free cache memory + 746 } + 747 nr--; + 748 } + +The problem is, if virtual memory code calls bch_mca_scan() and +the calculated 'nr' is 1 or 2, then in the above loop, nothing will +be shunk. In such case, if slub/slab manager calls bch_mca_scan() +for many times with small scan number, it does not help to shrink +cache memory and just wasts CPU cycles. + +This patch just selects btree node caches from tail of the +c->btree_cache_freeable list, then the newly freed host cache can +still be allocated by mca_alloc(), and at least 1 node can be shunk. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/btree.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 357535a5c89c..c3a314deb09d 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -734,17 +734,17 @@ static unsigned long bch_mca_scan(struct shrinker *shrink, + + i = 0; + btree_cache_used = c->btree_cache_used; +- list_for_each_entry_safe(b, t, &c->btree_cache_freeable, list) { ++ list_for_each_entry_safe_reverse(b, t, &c->btree_cache_freeable, list) { + if (nr <= 0) + goto out; + +- if (++i > 3 && +- !mca_reap(b, 0, false)) { ++ if (!mca_reap(b, 0, false)) { + mca_data_free(b); + rw_unlock(true, b); + freed++; + } + nr--; ++ i++; + } + + for (; (nr--) && i < btree_cache_used; i++) { +-- +2.16.4 + diff --git a/patches.suse/0021-bcache-reap-from-tail-of-c-btree_cache-in-bch_mca_sc.patch b/patches.suse/0021-bcache-reap-from-tail-of-c-btree_cache-in-bch_mca_sc.patch new file mode 100644 index 0000000..677f4ef --- /dev/null +++ b/patches.suse/0021-bcache-reap-from-tail-of-c-btree_cache-in-bch_mca_sc.patch @@ -0,0 +1,60 @@ +From e3de04469a49ee09c89e80bf821508df458ccee6 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Fri, 24 Jan 2020 01:01:42 +0800 +Subject: [PATCH] bcache: reap from tail of c->btree_cache in bch_mca_scan() +Git-commit: e3de04469a49ee09c89e80bf821508df458ccee6 +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +When shrink btree node cache from c->btree_cache in bch_mca_scan(), +no matter the selected node is reaped or not, it will be rotated from +the head to the tail of c->btree_cache list. But in bcache journal +code, when flushing the btree nodes with oldest journal entry, btree +nodes are iterated and slected from the tail of c->btree_cache list in +btree_flush_write(). The list_rotate_left() in bch_mca_scan() will +make btree_flush_write() iterate more nodes in c->btree_list in reverse +order. + +This patch just reaps the selected btree node cache, and not move it +from the head to the tail of c->btree_cache list. Then bch_mca_scan() +will not mess up c->btree_cache list to btree_flush_write(). + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/btree.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index c3a314deb09d..fa872df4e770 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -747,19 +747,19 @@ static unsigned long bch_mca_scan(struct shrinker *shrink, + i++; + } + +- for (; (nr--) && i < btree_cache_used; i++) { +- if (list_empty(&c->btree_cache)) ++ list_for_each_entry_safe_reverse(b, t, &c->btree_cache, list) { ++ if (nr <= 0 || i >= btree_cache_used) + goto out; + +- b = list_first_entry(&c->btree_cache, struct btree, list); +- list_rotate_left(&c->btree_cache); +- + if (!mca_reap(b, 0, false)) { + mca_bucket_free(b); + mca_data_free(b); + rw_unlock(true, b); + freed++; + } ++ ++ nr--; ++ i++; + } + out: + mutex_unlock(&c->bucket_lock); +-- +2.16.4 + diff --git a/patches.suse/0022-bcache-fix-memory-corruption-in-bch_cache_accounting.patch b/patches.suse/0022-bcache-fix-memory-corruption-in-bch_cache_accounting.patch new file mode 100644 index 0000000..e8e0d48 --- /dev/null +++ b/patches.suse/0022-bcache-fix-memory-corruption-in-bch_cache_accounting.patch @@ -0,0 +1,160 @@ +From 5bebf7486d4f4940b2a8e4009beb1dff5041853d Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 1 Feb 2020 22:42:31 +0800 +Subject: [PATCH] bcache: fix memory corruption in bch_cache_accounting_clear() +Git-commit: 5bebf7486d4f4940b2a8e4009beb1dff5041853d +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +Commit 83ff9318c44ba ("bcache: not use hard coded memset size in +bch_cache_accounting_clear()") tries to make the code more easy to +understand by removing the hard coded number with following change, + void bch_cache_accounting_clear(...) + { + memset(&acc->total.cache_hits, + 0, + - sizeof(unsigned long) * 7); + + sizeof(struct cache_stats)); + } + +Unfortunately the change was wrong (it also tells us the original code +was not easy to correctly understand). The hard coded number 7 is used +because in struct cache_stats, + 15 struct cache_stats { + 16 struct kobject kobj; + 17 + 18 unsigned long cache_hits; + 19 unsigned long cache_misses; + 20 unsigned long cache_bypass_hits; + 21 unsigned long cache_bypass_misses; + 22 unsigned long cache_readaheads; + 23 unsigned long cache_miss_collisions; + 24 unsigned long sectors_bypassed; + 25 + 26 unsigned int rescale; + 27 }; +only members in LINE 18-24 want to be set to 0. It is wrong to use +'sizeof(struct cache_stats)' to replace 'sizeof(unsigned long) * 7), the +memory objects behind acc->total is staled by this change. + +Сорокин Артем Сергеевич reports that by the following steps, kernel +panic will be triggered, +1. Create new set: make-bcache -B /dev/nvme1n1 -C /dev/sda --wipe-bcache +2. Run in /sys/fs/bcache/: + echo 1 > clear_stats && cat stats_five_minute/cache_bypass_hits + +I can reproduce the panic and get following dmesg with KASAN enabled, +[22613.172742] ================================================================== +[22613.172862] BUG: KASAN: null-ptr-deref in sysfs_kf_seq_show+0x117/0x230 +[22613.172864] Read of size 8 at addr 0000000000000000 by task cat/6753 + +[22613.172870] CPU: 1 PID: 6753 Comm: cat Not tainted 5.5.0-rc7-lp151.28.16-default+ #11 +[22613.172872] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019 +[22613.172873] Call Trace: +[22613.172964] dump_stack+0x8b/0xbb +[22613.172968] ? sysfs_kf_seq_show+0x117/0x230 +[22613.172970] ? sysfs_kf_seq_show+0x117/0x230 +[22613.173031] __kasan_report+0x176/0x192 +[22613.173064] ? pr_cont_kernfs_name+0x40/0x60 +[22613.173067] ? sysfs_kf_seq_show+0x117/0x230 +[22613.173070] kasan_report+0xe/0x20 +[22613.173072] sysfs_kf_seq_show+0x117/0x230 +[22613.173105] seq_read+0x199/0x6d0 +[22613.173110] vfs_read+0xa5/0x1a0 +[22613.173113] ksys_read+0x110/0x160 +[22613.173115] ? kernel_write+0xb0/0xb0 +[22613.173177] do_syscall_64+0x77/0x290 +[22613.173238] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[22613.173241] RIP: 0033:0x7fc2c886ac61 +[22613.173244] Code: fe ff ff 48 8d 3d c7 a0 09 00 48 83 ec 08 e8 46 03 02 00 66 0f 1f 44 00 00 8b 05 ca fb 2c 00 48 63 ff 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 55 53 48 89 d5 48 89 +[22613.173245] RSP: 002b:00007ffebe776d68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[22613.173248] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fc2c886ac61 +[22613.173249] RDX: 0000000000020000 RSI: 00007fc2c8cca000 RDI: 0000000000000003 +[22613.173250] RBP: 0000000000020000 R08: ffffffffffffffff R09: 0000000000000000 +[22613.173251] R10: 000000000000038c R11: 0000000000000246 R12: 00007fc2c8cca000 +[22613.173253] R13: 0000000000000003 R14: 00007fc2c8cca00f R15: 0000000000020000 +[22613.173255] ================================================================== +[22613.173256] Disabling lock debugging due to kernel taint +[22613.173350] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[22613.178380] #PF: supervisor read access in kernel mode +[22613.180959] #PF: error_code(0x0000) - not-present page +[22613.183444] PGD 0 P4D 0 +[22613.184867] Oops: 0000 [#1] SMP KASAN PTI +[22613.186797] CPU: 1 PID: 6753 Comm: cat Tainted: G B 5.5.0-rc7-lp151.28.16-default+ #11 +[22613.191253] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019 +[22613.196706] RIP: 0010:sysfs_kf_seq_show+0x117/0x230 +[22613.199097] Code: ff 48 8b 0b 48 8b 44 24 08 48 01 e9 eb a6 31 f6 48 89 cf ba 00 10 00 00 48 89 4c 24 10 e8 b1 e6 e9 ff 4c 89 ff e8 19 07 ea ff <49> 8b 07 48 85 c0 48 89 44 24 08 0f 84 91 00 00 00 49 8b 6d 00 48 +[22613.208016] RSP: 0018:ffff8881d4f8fd78 EFLAGS: 00010246 +[22613.210448] RAX: 0000000000000000 RBX: ffff8881eb99b180 RCX: ffffffff810d9ef6 +[22613.213691] RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246 +[22613.216893] RBP: 0000000000001000 R08: fffffbfff072ddcd R09: fffffbfff072ddcd +[22613.220075] R10: 0000000000000001 R11: fffffbfff072ddcc R12: ffff8881de5c0200 +[22613.223256] R13: ffff8881ed175500 R14: ffff8881eb99b198 R15: 0000000000000000 +[22613.226290] FS: 00007fc2c8d3d500(0000) GS:ffff8881f2a80000(0000) knlGS:0000000000000000 +[22613.229637] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[22613.231993] CR2: 0000000000000000 CR3: 00000001ec89a004 CR4: 00000000003606e0 +[22613.234909] Call Trace: +[22613.235931] seq_read+0x199/0x6d0 +[22613.237259] vfs_read+0xa5/0x1a0 +[22613.239229] ksys_read+0x110/0x160 +[22613.240590] ? kernel_write+0xb0/0xb0 +[22613.242040] do_syscall_64+0x77/0x290 +[22613.243625] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[22613.245450] RIP: 0033:0x7fc2c886ac61 +[22613.246706] Code: fe ff ff 48 8d 3d c7 a0 09 00 48 83 ec 08 e8 46 03 02 00 66 0f 1f 44 00 00 8b 05 ca fb 2c 00 48 63 ff 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 55 53 48 89 d5 48 89 +[22613.253296] RSP: 002b:00007ffebe776d68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[22613.255835] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fc2c886ac61 +[22613.258472] RDX: 0000000000020000 RSI: 00007fc2c8cca000 RDI: 0000000000000003 +[22613.260807] RBP: 0000000000020000 R08: ffffffffffffffff R09: 0000000000000000 +[22613.263188] R10: 000000000000038c R11: 0000000000000246 R12: 00007fc2c8cca000 +[22613.265598] R13: 0000000000000003 R14: 00007fc2c8cca00f R15: 0000000000020000 +[22613.268729] Modules linked in: scsi_transport_iscsi af_packet iscsi_ibft iscsi_boot_sysfs vmw_vsock_vmci_transport vsock fuse bnep kvm_intel kvm irqbypass crc32_pclmul crc32c_intel ghash_clmulni_intel snd_ens1371 snd_ac97_codec ac97_bus bcache snd_pcm btusb btrtl btbcm btintel crc64 aesni_intel glue_helper crypto_simd vmw_balloon cryptd bluetooth snd_timer snd_rawmidi snd joydev pcspkr e1000 rfkill vmw_vmci soundcore ecdh_generic ecc gameport i2c_piix4 mptctl ac button hid_generic usbhid sr_mod cdrom ata_generic ehci_pci vmwgfx uhci_hcd drm_kms_helper syscopyarea serio_raw sysfillrect sysimgblt fb_sys_fops ttm ehci_hcd mptspi scsi_transport_spi mptscsih ata_piix mptbase ahci usbcore libahci drm sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua +[22613.292429] CR2: 0000000000000000 +[22613.293563] ---[ end trace a074b26a8508f378 ]--- +[22613.295138] RIP: 0010:sysfs_kf_seq_show+0x117/0x230 +[22613.296769] Code: ff 48 8b 0b 48 8b 44 24 08 48 01 e9 eb a6 31 f6 48 89 cf ba 00 10 00 00 48 89 4c 24 10 e8 b1 e6 e9 ff 4c 89 ff e8 19 07 ea ff <49> 8b 07 48 85 c0 48 89 44 24 08 0f 84 91 00 00 00 49 8b 6d 00 48 +[22613.303553] RSP: 0018:ffff8881d4f8fd78 EFLAGS: 00010246 +[22613.305280] RAX: 0000000000000000 RBX: ffff8881eb99b180 RCX: ffffffff810d9ef6 +[22613.307924] RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246 +[22613.310272] RBP: 0000000000001000 R08: fffffbfff072ddcd R09: fffffbfff072ddcd +[22613.312685] R10: 0000000000000001 R11: fffffbfff072ddcc R12: ffff8881de5c0200 +[22613.315076] R13: ffff8881ed175500 R14: ffff8881eb99b198 R15: 0000000000000000 +[22613.318116] FS: 00007fc2c8d3d500(0000) GS:ffff8881f2a80000(0000) knlGS:0000000000000000 +[22613.320743] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[22613.322628] CR2: 0000000000000000 CR3: 00000001ec89a004 CR4: 00000000003606e0 + +Here this patch fixes the following problem by explicity set all the 7 +members to 0 in bch_cache_accounting_clear(). + +Reported-by: Сорокин Артем Сергеевич +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/stats.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/bcache/stats.c b/drivers/md/bcache/stats.c +index ba1c93791d8d..503aafe188dc 100644 +--- a/drivers/md/bcache/stats.c ++++ b/drivers/md/bcache/stats.c +@@ -109,9 +109,13 @@ int bch_cache_accounting_add_kobjs(struct cache_accounting *acc, + + void bch_cache_accounting_clear(struct cache_accounting *acc) + { +- memset(&acc->total.cache_hits, +- 0, +- sizeof(struct cache_stats)); ++ acc->total.cache_hits = 0; ++ acc->total.cache_misses = 0; ++ acc->total.cache_bypass_hits = 0; ++ acc->total.cache_bypass_misses = 0; ++ acc->total.cache_readaheads = 0; ++ acc->total.cache_miss_collisions = 0; ++ acc->total.sectors_bypassed = 0; + } + + void bch_cache_accounting_destroy(struct cache_accounting *acc) +-- +2.16.4 + diff --git a/patches.suse/0023-bcache-explicity-type-cast-in-bset_bkey_last.patch b/patches.suse/0023-bcache-explicity-type-cast-in-bset_bkey_last.patch new file mode 100644 index 0000000..4895405 --- /dev/null +++ b/patches.suse/0023-bcache-explicity-type-cast-in-bset_bkey_last.patch @@ -0,0 +1,51 @@ +From 7c02b0055f774ed9afb6e1c7724f33bf148ffdc0 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 1 Feb 2020 22:42:32 +0800 +Subject: [PATCH] bcache: explicity type cast in bset_bkey_last() +Git-commit: 7c02b0055f774ed9afb6e1c7724f33bf148ffdc0 +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +In bset.h, macro bset_bkey_last() is defined as, + bkey_idx((struct bkey *) (i)->d, (i)->keys) + +Parameter i can be variable type of data structure, the macro always +works once the type of struct i has member 'd' and 'keys'. + +bset_bkey_last() is also used in macro csum_set() to calculate the +checksum of a on-disk data structure. When csum_set() is used to +calculate checksum of on-disk bcache super block, the parameter 'i' +data type is struct cache_sb_disk. Inside struct cache_sb_disk (also in +struct cache_sb) the member keys is __u16 type. But bkey_idx() expects +unsigned int (a 32bit width), so there is problem when sending +parameters via stack to call bkey_idx(). + +Sparse tool from Intel 0day kbuild system reports this incompatible +problem. bkey_idx() is part of user space API, so the simplest fix is +to cast the (i)->keys to unsigned int type in macro bset_bkey_last(). + +Reported-by: kbuild test robot +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/bset.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/bset.h b/drivers/md/bcache/bset.h +index c71365e7c1fa..a50dcfda656f 100644 +--- a/drivers/md/bcache/bset.h ++++ b/drivers/md/bcache/bset.h +@@ -397,7 +397,8 @@ void bch_btree_keys_stats(struct btree_keys *b, struct bset_stats *state); + + /* Bkey utility code */ + +-#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, (i)->keys) ++#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, \ ++ (unsigned int)(i)->keys) + + static inline struct bkey *bset_bkey_idx(struct bset *i, unsigned int idx) + { +-- +2.16.4 + diff --git a/patches.suse/0024-bcache-add-readahead-cache-policy-options-via-sysfs-.patch b/patches.suse/0024-bcache-add-readahead-cache-policy-options-via-sysfs-.patch new file mode 100644 index 0000000..5581b51 --- /dev/null +++ b/patches.suse/0024-bcache-add-readahead-cache-policy-options-via-sysfs-.patch @@ -0,0 +1,147 @@ +From 038ba8cc1bffc51250add4a9b9249d4331576d8f Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 1 Feb 2020 22:42:33 +0800 +Subject: [PATCH] bcache: add readahead cache policy options via sysfs + interface +Git-commit: 038ba8cc1bffc51250add4a9b9249d4331576d8f +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +In year 2007 high performance SSD was still expensive, in order to +save more space for real workload or meta data, the readahead I/Os +for non-meta data was bypassed and not cached on SSD. + +In now days, SSD price drops a lot and people can find larger size +SSD with more comfortable price. It is unncessary to alway bypass +normal readahead I/Os to save SSD space for now. + +This patch adds options for readahead data cache policies via sysfs +file /sys/block/bcache/readahead_cache_policy, the options are, +- "all": cache all readahead data I/Os. +- "meta-only": only cache meta data, and bypass other regular I/Os. + +If users want to make bcache continue to only cache readahead request +for metadata and bypass regular data readahead, please set "meta-only" +to this sysfs file. By default, bcache will back to cache all read- +ahead requests now. + +Cc: stable@vger.kernel.org +Signed-off-by: Coly Li +Acked-by: Eric Wheeler +Cc: Michael Lyle +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/bcache.h | 3 +++ + drivers/md/bcache/request.c | 17 ++++++++++++----- + drivers/md/bcache/sysfs.c | 22 ++++++++++++++++++++++ + 3 files changed, 37 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index adf26a21fcd1..74a9849ea164 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -330,6 +330,9 @@ struct cached_dev { + */ + atomic_t has_dirty; + ++#define BCH_CACHE_READA_ALL 0 ++#define BCH_CACHE_READA_META_ONLY 1 ++ unsigned int cache_readahead_policy; + struct bch_ratelimit writeback_rate; + struct delayed_work writeback_rate_update; + +diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c +index 73478a91a342..820d8402a1dc 100644 +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -379,13 +379,20 @@ static bool check_should_bypass(struct cached_dev *dc, struct bio *bio) + goto skip; + + /* +- * Flag for bypass if the IO is for read-ahead or background, +- * unless the read-ahead request is for metadata ++ * If the bio is for read-ahead or background IO, bypass it or ++ * not depends on the following situations, ++ * - If the IO is for meta data, always cache it and no bypass ++ * - If the IO is not meta data, check dc->cache_reada_policy, ++ * BCH_CACHE_READA_ALL: cache it and not bypass ++ * BCH_CACHE_READA_META_ONLY: not cache it and bypass ++ * That is, read-ahead request for metadata always get cached + * (eg, for gfs2 or xfs). + */ +- if (bio->bi_opf & (REQ_RAHEAD|REQ_BACKGROUND) && +- !(bio->bi_opf & (REQ_META|REQ_PRIO))) +- goto skip; ++ if ((bio->bi_opf & (REQ_RAHEAD|REQ_BACKGROUND))) { ++ if (!(bio->bi_opf & (REQ_META|REQ_PRIO)) && ++ (dc->cache_readahead_policy != BCH_CACHE_READA_ALL)) ++ goto skip; ++ } + + if (bio->bi_iter.bi_sector & (c->sb.block_size - 1) || + bio_sectors(bio) & (c->sb.block_size - 1)) { +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 733e2ddf3c78..3470fae4eabc 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -27,6 +27,12 @@ static const char * const bch_cache_modes[] = { + NULL + }; + ++static const char * const bch_reada_cache_policies[] = { ++ "all", ++ "meta-only", ++ NULL ++}; ++ + /* Default is 0 ("auto") */ + static const char * const bch_stop_on_failure_modes[] = { + "auto", +@@ -100,6 +106,7 @@ rw_attribute(congested_write_threshold_us); + rw_attribute(sequential_cutoff); + rw_attribute(data_csum); + rw_attribute(cache_mode); ++rw_attribute(readahead_cache_policy); + rw_attribute(stop_when_cache_set_failed); + rw_attribute(writeback_metadata); + rw_attribute(writeback_running); +@@ -168,6 +175,11 @@ SHOW(__bch_cached_dev) + bch_cache_modes, + BDEV_CACHE_MODE(&dc->sb)); + ++ if (attr == &sysfs_readahead_cache_policy) ++ return bch_snprint_string_list(buf, PAGE_SIZE, ++ bch_reada_cache_policies, ++ dc->cache_readahead_policy); ++ + if (attr == &sysfs_stop_when_cache_set_failed) + return bch_snprint_string_list(buf, PAGE_SIZE, + bch_stop_on_failure_modes, +@@ -353,6 +365,15 @@ STORE(__cached_dev) + } + } + ++ if (attr == &sysfs_readahead_cache_policy) { ++ v = __sysfs_match_string(bch_reada_cache_policies, -1, buf); ++ if (v < 0) ++ return v; ++ ++ if ((unsigned int) v != dc->cache_readahead_policy) ++ dc->cache_readahead_policy = v; ++ } ++ + if (attr == &sysfs_stop_when_cache_set_failed) { + v = __sysfs_match_string(bch_stop_on_failure_modes, -1, buf); + if (v < 0) +@@ -467,6 +488,7 @@ static struct attribute *bch_cached_dev_files[] = { + &sysfs_data_csum, + #endif + &sysfs_cache_mode, ++ &sysfs_readahead_cache_policy, + &sysfs_stop_when_cache_set_failed, + &sysfs_writeback_metadata, + &sysfs_writeback_running, +-- +2.16.4 + diff --git a/patches.suse/0025-bcache-fix-incorrect-data-type-usage-in-btree_flush_.patch b/patches.suse/0025-bcache-fix-incorrect-data-type-usage-in-btree_flush_.patch new file mode 100644 index 0000000..5b6bb31 --- /dev/null +++ b/patches.suse/0025-bcache-fix-incorrect-data-type-usage-in-btree_flush_.patch @@ -0,0 +1,85 @@ +From d1c3cc34f5a78b38d2b809b289d912c3560545df Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 1 Feb 2020 22:42:34 +0800 +Subject: [PATCH] bcache: fix incorrect data type usage in btree_flush_write() +Git-commit: d1c3cc34f5a78b38d2b809b289d912c3560545df +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +Dan Carpenter points out that from commit 2aa8c529387c ("bcache: avoid +unnecessary btree nodes flushing in btree_flush_write()"), there is a +incorrect data type usage which leads to the following static checker +Warning: drivers/md/bcache/journal.c:444 btree_flush_write() + warn: 'ref_nr' unsigned <= 0 + +drivers/md/bcache/journal.c + 422 static void btree_flush_write(struct cache_set *c) + 423 { + 424 struct btree *b, *t, *btree_nodes[BTREE_FLUSH_NR]; + 425 unsigned int i, nr, ref_nr; + ^^^^^^ + + 426 atomic_t *fifo_front_p, *now_fifo_front_p; + 427 size_t mask; + 428 + 429 if (c->journal.btree_flushing) + 430 return; + 431 + 432 spin_lock(&c->journal.flush_write_lock); + 433 if (c->journal.btree_flushing) { + 434 spin_unlock(&c->journal.flush_write_lock); + 435 return; + 436 } + 437 c->journal.btree_flushing = true; + 438 spin_unlock(&c->journal.flush_write_lock); + 439 + 440 /* get the oldest journal entry and check its refcount */ + 441 spin_lock(&c->journal.lock); + 442 fifo_front_p = &fifo_front(&c->journal.pin); + 443 ref_nr = atomic_read(fifo_front_p); + 444 if (ref_nr <= 0) { + ^^^^^^^^^^^ +Unsigned can't be less than zero. + + 445 /* + 446 * do nothing if no btree node references + 447 * the oldest journal entry + 448 */ + 449 spin_unlock(&c->journal.lock); + 450 goto out; + 451 } + 452 spin_unlock(&c->journal.lock); + +As the warning information indicates, local varaible ref_nr in unsigned +int type is wrong, which does not matche atomic_read() and the "<= 0" +checking. + +This patch fixes the above error by defining local variable ref_nr as +int type. + +Fixes: 2aa8c529387c ("bcache: avoid unnecessary btree nodes flushing in btree_flush_write()") +Reported-by: Dan Carpenter +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/journal.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c +index 33ddc5269e8d..6730820780b0 100644 +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -422,7 +422,8 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list) + static void btree_flush_write(struct cache_set *c) + { + struct btree *b, *t, *btree_nodes[BTREE_FLUSH_NR]; +- unsigned int i, nr, ref_nr; ++ unsigned int i, nr; ++ int ref_nr; + atomic_t *fifo_front_p, *now_fifo_front_p; + size_t mask; + +-- +2.16.4 + diff --git a/patches.suse/0026-bcache-check-return-value-of-prio_read.patch b/patches.suse/0026-bcache-check-return-value-of-prio_read.patch new file mode 100644 index 0000000..d1bd66e --- /dev/null +++ b/patches.suse/0026-bcache-check-return-value-of-prio_read.patch @@ -0,0 +1,82 @@ +From 49d08d596e85f39ded48e85df362827cbab1f5ae Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 1 Feb 2020 22:42:35 +0800 +Subject: [PATCH] bcache: check return value of prio_read() +Git-commit: 49d08d596e85f39ded48e85df362827cbab1f5ae +Patch-mainline: v5.6-rc1 +References: bsc#1163762 + +Now if prio_read() failed during starting a cache set, we can print +out error message in run_cache_set() and handle the failure properly. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe + +--- + drivers/md/bcache/super.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 3dea1d5acd5c..2749daf09724 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -609,12 +609,13 @@ int bch_prio_write(struct cache *ca, bool wait) + return 0; + } + +-static void prio_read(struct cache *ca, uint64_t bucket) ++static int prio_read(struct cache *ca, uint64_t bucket) + { + struct prio_set *p = ca->disk_buckets; + struct bucket_disk *d = p->data + prios_per_bucket(ca), *end = d; + struct bucket *b; + unsigned int bucket_nr = 0; ++ int ret = -EIO; + + for (b = ca->buckets; + b < ca->buckets + ca->sb.nbuckets; +@@ -627,11 +628,15 @@ static void prio_read(struct cache *ca, uint64_t bucket) + prio_io(ca, bucket, REQ_OP_READ, 0); + + if (p->csum != +- bch_crc64(&p->magic, bucket_bytes(ca) - 8)) ++ bch_crc64(&p->magic, bucket_bytes(ca) - 8)) { + pr_warn("bad csum reading priorities"); ++ goto out; ++ } + +- if (p->magic != pset_magic(&ca->sb)) ++ if (p->magic != pset_magic(&ca->sb)) { + pr_warn("bad magic reading priorities"); ++ goto out; ++ } + + bucket = p->next_bucket; + d = p->data; +@@ -640,6 +645,10 @@ static void prio_read(struct cache *ca, uint64_t bucket) + b->prio = le16_to_cpu(d->prio); + b->gen = b->last_gc = d->gen; + } ++ ++ ret = 0; ++out: ++ return ret; + } + + /* Bcache device */ +@@ -1873,8 +1882,10 @@ static int run_cache_set(struct cache_set *c) + j = &list_entry(journal.prev, struct journal_replay, list)->j; + + err = "IO error reading priorities"; +- for_each_cache(ca, c, i) +- prio_read(ca, j->prio_bucket[ca->sb.nr_this_dev]); ++ for_each_cache(ca, c, i) { ++ if (prio_read(ca, j->prio_bucket[ca->sb.nr_this_dev])) ++ goto err; ++ } + + /* + * If prio_read() fails it'll call cache_set_error and we'll +-- +2.16.4 + diff --git a/patches.suse/0027-bcache-ignore-pending-signals-when-creating-gc-and-a.patch b/patches.suse/0027-bcache-ignore-pending-signals-when-creating-gc-and-a.patch new file mode 100644 index 0000000..2c9b914 --- /dev/null +++ b/patches.suse/0027-bcache-ignore-pending-signals-when-creating-gc-and-a.patch @@ -0,0 +1,101 @@ +From 0b96da639a4874311e9b5156405f69ef9fc3bef8 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Thu, 13 Feb 2020 22:12:05 +0800 +Subject: [PATCH] bcache: ignore pending signals when creating gc and allocator + thread +Git-commit: 0b96da639a4874311e9b5156405f69ef9fc3bef8 +Patch-mainline: v5.6-rc2 +References: bsc#1163762, bsc#1112504 + +When run a cache set, all the bcache btree node of this cache set will +be checked by bch_btree_check(). If the bcache btree is very large, +iterating all the btree nodes will occupy too much system memory and +the bcache registering process might be selected and killed by system +OOM killer. kthread_run() will fail if current process has pending +signal, therefore the kthread creating in run_cache_set() for gc and +allocator kernel threads are very probably failed for a very large +bcache btree. + +Indeed such OOM is safe and the registering process will exit after +the registration done. Therefore this patch flushes pending signals +during the cache set start up, specificly in bch_cache_allocator_start() +and bch_gc_thread_start(), to make sure run_cache_set() won't fail for +large cahced data set. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +--- + drivers/md/bcache/alloc.c | 18 ++++++++++++++++-- + drivers/md/bcache/btree.c | 13 +++++++++++++ + 2 files changed, 29 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c +index a1df0d95151c..8bc1faf71ff2 100644 +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -67,6 +67,7 @@ + #include + #include + #include ++#include + #include + + #define MAX_OPEN_BUCKETS 128 +@@ -733,8 +734,21 @@ int bch_open_buckets_alloc(struct cache_set *c) + + int bch_cache_allocator_start(struct cache *ca) + { +- struct task_struct *k = kthread_run(bch_allocator_thread, +- ca, "bcache_allocator"); ++ struct task_struct *k; ++ ++ /* ++ * In case previous btree check operation occupies too many ++ * system memory for bcache btree node cache, and the ++ * registering process is selected by OOM killer. Here just ++ * ignore the SIGKILL sent by OOM killer if there is, to ++ * avoid kthread_run() being failed by pending signals. The ++ * bcache registering process will exit after the registration ++ * done. ++ */ ++ if (signal_pending(current)) ++ flush_signals(current); ++ ++ k = kthread_run(bch_allocator_thread, ca, "bcache_allocator"); + if (IS_ERR(k)) + return PTR_ERR(k); + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index fa872df4e770..b12186c87f52 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1913,6 +1914,18 @@ static int bch_gc_thread(void *arg) + + int bch_gc_thread_start(struct cache_set *c) + { ++ /* ++ * In case previous btree check operation occupies too many ++ * system memory for bcache btree node cache, and the ++ * registering process is selected by OOM killer. Here just ++ * ignore the SIGKILL sent by OOM killer if there is, to ++ * avoid kthread_run() being failed by pending signals. The ++ * bcache registering process will exit after the registration ++ * done. ++ */ ++ if (signal_pending(current)) ++ flush_signals(current); ++ + c->gc_thread = kthread_run(bch_gc_thread, c, "bcache_gc"); + return PTR_ERR_OR_ZERO(c->gc_thread); + } +-- +2.16.4 + diff --git a/patches.suse/0028-bcache-Revert-bcache-shrink-btree-node-cache-after-b.patch b/patches.suse/0028-bcache-Revert-bcache-shrink-btree-node-cache-after-b.patch new file mode 100644 index 0000000..87aa700 --- /dev/null +++ b/patches.suse/0028-bcache-Revert-bcache-shrink-btree-node-cache-after-b.patch @@ -0,0 +1,62 @@ +From 309cc719a2c869b71a7388209a0a80d4284d98fd Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Thu, 13 Feb 2020 22:12:06 +0800 +Subject: [PATCH] bcache: Revert "bcache: shrink btree node cache after + bch_btree_check()" +Git-commit: 309cc719a2c869b71a7388209a0a80d4284d98fd +Patch-mainline: v5.6-rc2 +References: bsc#1163762, bsc#1112504 + +This reverts commit 1df3877ff6a4810054237c3259d900ded4468969. + +In my testing, sometimes even all the cached btree nodes are freed, +creating gc and allocator kernel threads may still fail. Finally it +turns out that kthread_run() may fail if there is pending signal for +current task. And the pending signal is sent from OOM killer which +is triggered by memory consuption in bch_btree_check(). + +Therefore explicitly shrinking bcache btree node here does not help, +and after the shrinker callback is improved, as well as pending signals +are ignored before creating kernel threads, now such operation is +unncessary anymore. + +This patch reverts the commit 1df3877ff6a4 ("bcache: shrink btree node +cache after bch_btree_check()") because we have better improvement now. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +--- + drivers/md/bcache/super.c | 17 ----------------- + 1 file changed, 17 deletions(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 2749daf09724..0c3c5419c52b 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1917,23 +1917,6 @@ static int run_cache_set(struct cache_set *c) + if (bch_btree_check(c)) + goto err; + +- /* +- * bch_btree_check() may occupy too much system memory which +- * has negative effects to user space application (e.g. data +- * base) performance. Shrink the mca cache memory proactively +- * here to avoid competing memory with user space workloads.. +- */ +- if (!c->shrinker_disabled) { +- struct shrink_control sc; +- +- sc.gfp_mask = GFP_KERNEL; +- sc.nr_to_scan = c->btree_cache_used * c->btree_pages; +- /* first run to clear b->accessed tag */ +- c->shrink.scan_objects(&c->shrink, &sc); +- /* second run to reap non-accessed nodes */ +- c->shrink.scan_objects(&c->shrink, &sc); +- } +- + bch_journal_mark(c, &journal); + bch_initial_gc_finish(c); + pr_debug("btree_check() done"); +-- +2.16.4 + diff --git a/patches.suse/0029-bcache-remove-macro-nr_to_fifo_front.patch b/patches.suse/0029-bcache-remove-macro-nr_to_fifo_front.patch new file mode 100644 index 0000000..96d3738 --- /dev/null +++ b/patches.suse/0029-bcache-remove-macro-nr_to_fifo_front.patch @@ -0,0 +1,46 @@ +From 4ec31cb6241d95879aac337cc6b50c45dd10cfcb Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Thu, 13 Feb 2020 22:12:07 +0800 +Subject: [PATCH] bcache: remove macro nr_to_fifo_front() +Git-commit: 4ec31cb6241d95879aac337cc6b50c45dd10cfcb +Patch-mainline: v5.6-rc2 +References: bsc#1163762 + +Macro nr_to_fifo_front() is only used once in btree_flush_write(), +it is unncessary indeed. This patch removes this macro and does +calculation directly in place. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +--- + drivers/md/bcache/journal.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c +index 6730820780b0..0e3ff9745ac7 100644 +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -417,8 +417,6 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list) + + /* Journalling */ + +-#define nr_to_fifo_front(p, front_p, mask) (((p) - (front_p)) & (mask)) +- + static void btree_flush_write(struct cache_set *c) + { + struct btree *b, *t, *btree_nodes[BTREE_FLUSH_NR]; +@@ -510,9 +508,8 @@ static void btree_flush_write(struct cache_set *c) + * journal entry can be reclaimed). These selected nodes + * will be ignored and skipped in the folowing for-loop. + */ +- if (nr_to_fifo_front(btree_current_write(b)->journal, +- fifo_front_p, +- mask) != 0) { ++ if (((btree_current_write(b)->journal - fifo_front_p) & ++ mask) != 0) { + mutex_unlock(&b->write_lock); + continue; + } +-- +2.16.4 + diff --git a/patches.suse/6pack-mkiss-fix-possible-deadlock.patch b/patches.suse/6pack-mkiss-fix-possible-deadlock.patch new file mode 100644 index 0000000..1e8d4a2 --- /dev/null +++ b/patches.suse/6pack-mkiss-fix-possible-deadlock.patch @@ -0,0 +1,185 @@ +From 5c9934b6767b16ba60be22ec3cbd4379ad64170d Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 12 Dec 2019 10:32:13 -0800 +Subject: [PATCH] 6pack,mkiss: fix possible deadlock +Git-commit: 5c9934b6767b16ba60be22ec3cbd4379ad64170d +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +We got another syzbot report [1] that tells us we must use +write_lock_irq()/write_unlock_irq() to avoid possible deadlock. + +[1] + +Warning: inconsistent lock state +5.5.0-rc1-syzkaller #0 Not tainted + +Acked-by: Takashi Iwai + +-------------------------------- +inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage. +syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes: +ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138 +{HARDIRQ-ON-W} state was registered at: + lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485 + __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline] + _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319 + sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657 + tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489 + tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585 + tiocsetd drivers/tty/tty_io.c:2337 [inline] + tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597 + vfs_ioctl fs/ioctl.c:47 [inline] + file_ioctl fs/ioctl.c:545 [inline] + do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732 + ksys_ioctl+0xab/0xd0 fs/ioctl.c:749 + __do_sys_ioctl fs/ioctl.c:756 [inline] + __se_sys_ioctl fs/ioctl.c:754 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +irq event stamp: 3946 +hardirqs last enabled at (3945): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline] +hardirqs last enabled at (3945): [] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199 +hardirqs last disabled at (3946): [] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42 +softirqs last enabled at (2658): [] spin_unlock_bh include/linux/spinlock.h:383 [inline] +softirqs last enabled at (2658): [] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222 +softirqs last disabled at (2656): [] spin_lock_bh include/linux/spinlock.h:343 [inline] +softirqs last disabled at (2656): [] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(disc_data_lock); + + lock(disc_data_lock); + + *** DEADLOCK *** + +5 locks held by syz-executor826/9605: + #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19 + #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413 + #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline] + #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116 + #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823 + #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288 + +stack backtrace: +CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101 + valid_state kernel/locking/lockdep.c:3112 [inline] + mark_lock_irq kernel/locking/lockdep.c:3309 [inline] + mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666 + mark_usage kernel/locking/lockdep.c:3554 [inline] + __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909 + lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485 + __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline] + _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223 + sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138 + sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402 + tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536 + tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50 + tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387 + uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104 + serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761 + serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834 + serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline] + serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850 + serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126 + __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149 + handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189 + handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206 + handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830 + generic_handle_irq_desc include/linux/irqdesc.h:156 [inline] + do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250 + common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607 + +RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline] +RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579 +Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7 +RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7 +RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd +RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000 +RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899 +R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138 +R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000 + mutex_optimistic_spin kernel/locking/mutex.c:673 [inline] + __mutex_lock_common kernel/locking/mutex.c:962 [inline] + __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106 + mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121 + tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19 + tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665 + __fput+0x2ff/0x890 fs/file_table.c:280 + ____fput+0x16/0x20 fs/file_table.c:313 + task_work_run+0x145/0x1c0 kernel/task_work.c:113 + exit_task_work include/linux/task_work.h:22 [inline] + do_exit+0x8e7/0x2ef0 kernel/exit.c:797 + do_group_exit+0x135/0x360 kernel/exit.c:895 + __do_sys_exit_group kernel/exit.c:906 [inline] + __se_sys_exit_group kernel/exit.c:904 [inline] + __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x43fef8 +Code: Bad RIP value. +RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8 +RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 +RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0 +R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 +R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 + +Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Arnd Bergmann +Signed-off-by: Jakub Kicinski +--- + drivers/net/hamradio/6pack.c | 4 ++-- + drivers/net/hamradio/mkiss.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c +index 23281aeeb222..71d6629e65c9 100644 +--- a/drivers/net/hamradio/6pack.c ++++ b/drivers/net/hamradio/6pack.c +@@ -654,10 +654,10 @@ static void sixpack_close(struct tty_struct *tty) + { + struct sixpack *sp; + +- write_lock_bh(&disc_data_lock); ++ write_lock_irq(&disc_data_lock); + sp = tty->disc_data; + tty->disc_data = NULL; +- write_unlock_bh(&disc_data_lock); ++ write_unlock_irq(&disc_data_lock); + if (!sp) + return; + +diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c +index c5bfa19ddb93..deef14215110 100644 +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -773,10 +773,10 @@ static void mkiss_close(struct tty_struct *tty) + { + struct mkiss *ax; + +- write_lock_bh(&disc_data_lock); ++ write_lock_irq(&disc_data_lock); + ax = tty->disc_data; + tty->disc_data = NULL; +- write_unlock_bh(&disc_data_lock); ++ write_unlock_irq(&disc_data_lock); + + if (!ax) + return; +-- +2.16.4 + diff --git a/patches.suse/ACPI-APEI-Switch-estatus-pool-to-use-vmalloc-memory.patch b/patches.suse/ACPI-APEI-Switch-estatus-pool-to-use-vmalloc-memory.patch new file mode 100644 index 0000000..0177dfd --- /dev/null +++ b/patches.suse/ACPI-APEI-Switch-estatus-pool-to-use-vmalloc-memory.patch @@ -0,0 +1,93 @@ +From 0ac234be1a9497498e57d958f4251f5257b116b4 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Tue, 29 Jan 2019 18:48:39 +0000 +Subject: [PATCH] ACPI / APEI: Switch estatus pool to use vmalloc memory +Git-commit: 0ac234be1a9497498e57d958f4251f5257b116b4 +Patch-mainline: v5.1-rc1 +References: bsc#1051510 + +The ghes code is careful to parse and round firmware's advertised +memory requirements for CPER records, up to a maximum of 64K. +However when ghes_estatus_pool_expand() does its work, it splits +the requested size into PAGE_SIZE granules. + +This means if firmware generates 5K of CPER records, and correctly +describes this in the table, __process_error() will silently fail as it +is unable to allocate more than PAGE_SIZE. + +Switch the estatus pool to vmalloc() memory. On x86 vmalloc() memory +may fault and be fixed up by vmalloc_fault(). To prevent this call +vmalloc_sync_all() before an NMI handler could discover the memory. + +Signed-off-by: James Morse +Reviewed-by: Borislav Petkov +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/apei/ghes.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index f0a704aed040..ee9206d5e119 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -170,40 +170,40 @@ static int ghes_estatus_pool_init(void) + return 0; + } + +-static void ghes_estatus_pool_free_chunk_page(struct gen_pool *pool, ++static void ghes_estatus_pool_free_chunk(struct gen_pool *pool, + struct gen_pool_chunk *chunk, + void *data) + { +- free_page(chunk->start_addr); ++ vfree((void *)chunk->start_addr); + } + + static void ghes_estatus_pool_exit(void) + { + gen_pool_for_each_chunk(ghes_estatus_pool, +- ghes_estatus_pool_free_chunk_page, NULL); ++ ghes_estatus_pool_free_chunk, NULL); + gen_pool_destroy(ghes_estatus_pool); + } + + static int ghes_estatus_pool_expand(unsigned long len) + { +- unsigned long i, pages, size, addr; +- int ret; ++ unsigned long size, addr; + + ghes_estatus_pool_size_request += PAGE_ALIGN(len); + size = gen_pool_size(ghes_estatus_pool); + if (size >= ghes_estatus_pool_size_request) + return 0; +- pages = (ghes_estatus_pool_size_request - size) / PAGE_SIZE; +- for (i = 0; i < pages; i++) { +- addr = __get_free_page(GFP_KERNEL); +- if (!addr) +- return -ENOMEM; +- ret = gen_pool_add(ghes_estatus_pool, addr, PAGE_SIZE, -1); +- if (ret) +- return ret; +- } + +- return 0; ++ addr = (unsigned long)vmalloc(PAGE_ALIGN(len)); ++ if (!addr) ++ return -ENOMEM; ++ ++ /* ++ * New allocation must be visible in all pgd before it can be found by ++ * an NMI allocating from the pool. ++ */ ++ vmalloc_sync_all(); ++ ++ return gen_pool_add(ghes_estatus_pool, addr, PAGE_ALIGN(len), -1); + } + + static int map_gen_v2(struct ghes *ghes) +-- +2.16.4 + diff --git a/patches.suse/ACPI-PM-Avoid-attaching-ACPI-PM-domain-to-certain-de.patch b/patches.suse/ACPI-PM-Avoid-attaching-ACPI-PM-domain-to-certain-de.patch new file mode 100644 index 0000000..91e0094 --- /dev/null +++ b/patches.suse/ACPI-PM-Avoid-attaching-ACPI-PM-domain-to-certain-de.patch @@ -0,0 +1,52 @@ +From b9ea0bae260f6aae546db224daa6ac1bd9d94b91 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 4 Dec 2019 02:54:27 +0100 +Subject: [PATCH] ACPI: PM: Avoid attaching ACPI PM domain to certain devices +Git-commit: b9ea0bae260f6aae546db224daa6ac1bd9d94b91 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +Certain ACPI-enumerated devices represented as platform devices in +Linux, like fans, require special low-level power management handling +implemented by their drivers that is not in agreement with the ACPI +PM domain behavior. That leads to problems with managing ACPI fans +during system-wide suspend and resume. + +For this reason, make acpi_dev_pm_attach() skip the affected devices +by adding a list of device IDs to avoid to it and putting the IDs of +the affected devices into that list. + +Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems) +Reported-by: Zhang Rui +Tested-by: Todd Brandt +Cc: 3.10+ # 3.10+ +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/device_pm.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/device_pm.c ++++ b/drivers/acpi/device_pm.c +@@ -1146,9 +1146,19 @@ static void acpi_dev_pm_detach(struct de + */ + int acpi_dev_pm_attach(struct device *dev, bool power_on) + { ++ /* ++ * Skip devices whose ACPI companions match the device IDs below, ++ * because they require special power management handling incompatible ++ * with the generic ACPI PM domain. ++ */ ++ static const struct acpi_device_id special_pm_ids[] = { ++ {"PNP0C0B", }, /* Generic ACPI fan */ ++ {"INT3404", }, /* Fan */ ++ {} ++ }; + struct acpi_device *adev = ACPI_COMPANION(dev); + +- if (!adev) ++ if (!adev || !acpi_match_device_ids(adev, special_pm_ids)) + return -ENODEV; + + if (dev->pm_domain) diff --git a/patches.suse/ACPI-fix-acpi_find_child_device-invocation-in-acpi_p.patch b/patches.suse/ACPI-fix-acpi_find_child_device-invocation-in-acpi_p.patch new file mode 100644 index 0000000..07f2ba6 --- /dev/null +++ b/patches.suse/ACPI-fix-acpi_find_child_device-invocation-in-acpi_p.patch @@ -0,0 +1,36 @@ +From f8c6d1402b89f22a3647705d63cbd171aa19a77e Mon Sep 17 00:00:00 2001 +From: Alexey Dobriyan +Date: Fri, 23 Nov 2018 23:07:14 +0300 +Subject: [PATCH] ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() +Git-commit: f8c6d1402b89f22a3647705d63cbd171aa19a77e +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +acpi_find_child_device() accepts boolean not pointer as last argument. + +Signed-off-by: Alexey Dobriyan +[ rjw: Subject ] + +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + include/linux/acpi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index ed80f147bd50..f788cdbbd1b0 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -101,7 +101,7 @@ static inline bool has_acpi_companion(struct device *dev) + static inline void acpi_preset_companion(struct device *dev, + struct acpi_device *parent, u64 addr) + { +- ACPI_COMPANION_SET(dev, acpi_find_child_device(parent, addr, NULL)); ++ ACPI_COMPANION_SET(dev, acpi_find_child_device(parent, addr, false)); + } + + static inline const char *acpi_dev_name(struct acpi_device *adev) +-- +2.16.4 + diff --git a/patches.suse/ACPI-video-Add-force_none-quirk-for-Dell-OptiPlex-90.patch b/patches.suse/ACPI-video-Add-force_none-quirk-for-Dell-OptiPlex-90.patch new file mode 100644 index 0000000..b295207 --- /dev/null +++ b/patches.suse/ACPI-video-Add-force_none-quirk-for-Dell-OptiPlex-90.patch @@ -0,0 +1,49 @@ +From 1f59ab2783aed04f1318b840950801e38b2bebdf Mon Sep 17 00:00:00 2001 +From: Alex Hung +Date: Wed, 12 Jul 2017 17:45:57 -0700 +Subject: [PATCH] ACPI / video: Add force_none quirk for Dell OptiPlex 9020M +Git-commit: 1f59ab2783aed04f1318b840950801e38b2bebdf +Patch-mainline: v4.14-rc1 +References: bsc#1051510 + +Dell OptiPlex 9020M is a micro PC desktop that has no built-in +LCD panel and its acpi_video does not work. + +Signed-off-by: Alex Hung +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/video_detect.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -103,6 +103,12 @@ static int video_detect_force_native(con + return 0; + } + ++static int video_detect_force_none(const struct dmi_system_id *d) ++{ ++ acpi_backlight_dmi = acpi_backlight_none; ++ return 0; ++} ++ + static const struct dmi_system_id video_detect_dmi_table[] = { + /* On Samsung X360, the BIOS will set a flag (VDRV) if generic + * ACPI backlight device is used. This flag will definitively break +@@ -314,6 +320,14 @@ static const struct dmi_system_id video_ + DMI_MATCH(DMI_PRODUCT_NAME, "Dell System XPS L702X"), + }, + }, ++ { ++ .callback = video_detect_force_none, ++ .ident = "Dell OptiPlex 9020M", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 9020M"), ++ }, ++ }, + { }, + }; + diff --git a/patches.suse/ACPI-video-Do-not-export-a-non-working-backlight-int.patch b/patches.suse/ACPI-video-Do-not-export-a-non-working-backlight-int.patch new file mode 100644 index 0000000..a806318 --- /dev/null +++ b/patches.suse/ACPI-video-Do-not-export-a-non-working-backlight-int.patch @@ -0,0 +1,58 @@ +From d21a91629f4b8e794fc4c0e0c17c85cedf1d806c Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 17 Dec 2019 20:08:11 +0100 +Subject: [PATCH] ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards +Git-commit: d21a91629f4b8e794fc4c0e0c17c85cedf1d806c +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Despite our heuristics to not wrongly export a non working ACPI backlight +interface on desktop machines, we still end up exporting one on desktops +using a motherboard from the MSI MS-7721 series. + +I've looked at improving the heuristics, but in this case a quirk seems +to be the only way to solve this. + +While at it also add a comment to separate the video_detect_force_none +entries in the video_detect_dmi_table from other type of entries, as we +already do for the other entry types. + +Cc: All applicable +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1783786 +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/video_detect.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -311,6 +311,11 @@ static const struct dmi_system_id video_ + DMI_MATCH(DMI_PRODUCT_NAME, "Vostro V131"), + }, + }, ++ ++ /* ++ * Desktops which falsely report a backlight and which our heuristics ++ * for this do not catch. ++ */ + { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1123661 */ + .callback = video_detect_force_native, +@@ -328,6 +333,14 @@ static const struct dmi_system_id video_ + DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 9020M"), + }, + }, ++ { ++ .callback = video_detect_force_none, ++ .ident = "MSI MS-7721", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MSI"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "MS-7721"), ++ }, ++ }, + { }, + }; + diff --git a/patches.suse/ALSA-control-remove-useless-assignment-in-.info-call.patch b/patches.suse/ALSA-control-remove-useless-assignment-in-.info-call.patch new file mode 100644 index 0000000..a9a357b --- /dev/null +++ b/patches.suse/ALSA-control-remove-useless-assignment-in-.info-call.patch @@ -0,0 +1,39 @@ +From 1faa9d3a3ea7852761ff403f5a9d4a409c0bb199 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sat, 14 Dec 2019 22:13:51 +0900 +Subject: [PATCH] ALSA: control: remove useless assignment in .info callback of PCM chmap element +Git-commit: 1faa9d3a3ea7852761ff403f5a9d4a409c0bb199 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Control elements for PCM chmap return information to userspace abount +the maximum number of available PCM channels as the number of values +in the element. + +In current implementation the number is once initialized to zero, then +assigned to. This is useless and this commit fixes it. + +Fixes: 2d3391ec0ecc ("ALSA: PCM: channel mapping API implementation") +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20191214131351.28950-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai + +--- + sound/core/pcm_lib.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c +index 2236b5e0c1f2..6f0a00fd3ae5 100644 +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -2308,7 +2308,6 @@ static int pcm_chmap_ctl_info(struct snd_kcontrol *kcontrol, + struct snd_pcm_chmap *info = snd_kcontrol_chip(kcontrol); + + uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER; +- uinfo->count = 0; + uinfo->count = info->max_channels; + uinfo->value.integer.min = 0; + uinfo->value.integer.max = SNDRV_CHMAP_LAST; +-- +2.16.4 + diff --git a/patches.suse/ALSA-dummy-Fix-PCM-format-loop-in-proc-output.patch b/patches.suse/ALSA-dummy-Fix-PCM-format-loop-in-proc-output.patch new file mode 100644 index 0000000..1d0e79c --- /dev/null +++ b/patches.suse/ALSA-dummy-Fix-PCM-format-loop-in-proc-output.patch @@ -0,0 +1,36 @@ +From 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 1 Feb 2020 09:05:30 +0100 +Subject: [PATCH] ALSA: dummy: Fix PCM format loop in proc output +Git-commit: 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +The loop termination for iterating over all formats should contain +SNDRV_PCM_FORMAT_LAST, not less than it. + +Fixes: 9b151fec139d ("ALSA: dummy - Add debug proc file") +Cc: +Link: https://lore.kernel.org/r/20200201080530.22390-3-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/drivers/dummy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c +index da0bd8960b3c..02ac3f4e0c02 100644 +--- a/sound/drivers/dummy.c ++++ b/sound/drivers/dummy.c +@@ -903,7 +903,7 @@ static void print_formats(struct snd_dummy *dummy, + { + int i; + +- for (i = 0; i < SNDRV_PCM_FORMAT_LAST; i++) { ++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) { + if (dummy->pcm_hw.formats & (1ULL << i)) + snd_iprintf(buffer, " %s", snd_pcm_format_name(i)); + } +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-Add-Clevo-W65_67SB-the-power_save-blacklist.patch b/patches.suse/ALSA-hda-Add-Clevo-W65_67SB-the-power_save-blacklist.patch new file mode 100644 index 0000000..a80848f --- /dev/null +++ b/patches.suse/ALSA-hda-Add-Clevo-W65_67SB-the-power_save-blacklist.patch @@ -0,0 +1,40 @@ +From d8feb6080bb0c9f4d799a423d9453048fdd06990 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 25 Jan 2020 19:10:21 +0100 +Subject: [PATCH] ALSA: hda: Add Clevo W65_67SB the power_save blacklist +Git-commit: d8feb6080bb0c9f4d799a423d9453048fdd06990 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Using HDA power-saving on the Clevo W65_67SB causes the first 0.5 +seconds of audio to be missing every time audio starts playing. + +This commit adds the Clevo W65_67SB the power_save blacklist to avoid +this issue. + +Cc: stable@vger.kernel.org +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1525104 +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20200125181021.70446-1-hdegoede@redhat.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_intel.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 8ef223aa1e37..e2d0a7c3ab26 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2188,6 +2188,8 @@ static struct snd_pci_quirk power_save_blacklist[] = { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1581607 */ + SND_PCI_QUIRK(0x1558, 0x3501, "Clevo W35xSS_370SS", 0), + /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */ ++ SND_PCI_QUIRK(0x1558, 0x6504, "Clevo W65_67SB", 0), ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */ + SND_PCI_QUIRK(0x1028, 0x0497, "Dell Precision T3600", 0), + /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */ + /* Note the P55A-UD3 and Z87-D3HP share the subsys id for the HDA dev */ +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-Add-Cometlake-S-PCI-ID.patch b/patches.suse/ALSA-hda-Add-Cometlake-S-PCI-ID.patch new file mode 100644 index 0000000..92c34fc --- /dev/null +++ b/patches.suse/ALSA-hda-Add-Cometlake-S-PCI-ID.patch @@ -0,0 +1,35 @@ +From b73a58549ea37a44434c7afab3c7ad9af210cfd9 Mon Sep 17 00:00:00 2001 +From: "Chiou, Cooper" +Date: Fri, 8 Nov 2019 15:13:49 +0800 +Subject: [PATCH] ALSA: hda: Add Cometlake-S PCI ID +Git-commit: b73a58549ea37a44434c7afab3c7ad9af210cfd9 +Patch-mainline: v5.4-rc8 +References: git-fixes + +Add HD Audio Device PCI ID for the Intel Cometlake-S platform + +Signed-off-by: Chiou, Cooper +Link: https://lore.kernel.org/r/20191108071349.12840-1-cooper.chiou@intel.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_intel.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index cf53fbd872ee..c52419376c74 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2439,6 +2439,9 @@ static const struct pci_device_id azx_id + /* Cannonlake */ + { PCI_DEVICE(0x8086, 0x9dc8), + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, ++ /* CometLake-S */ ++ { PCI_DEVICE(0x8086, 0xa3f0), ++ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, + /* Icelake */ + { PCI_DEVICE(0x8086, 0x34c8), + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-Add-JasperLake-PCI-ID-and-codec-vid.patch b/patches.suse/ALSA-hda-Add-JasperLake-PCI-ID-and-codec-vid.patch new file mode 100644 index 0000000..6221547 --- /dev/null +++ b/patches.suse/ALSA-hda-Add-JasperLake-PCI-ID-and-codec-vid.patch @@ -0,0 +1,50 @@ +From 78be2228c15dd45865b102b29d72e721f0ace9b1 Mon Sep 17 00:00:00 2001 +From: Yong Zhi +Date: Fri, 31 Jan 2020 14:40:03 -0600 +Subject: [PATCH] ALSA: hda: Add JasperLake PCI ID and codec vid +Git-commit: 78be2228c15dd45865b102b29d72e721f0ace9b1 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Add HD Audio Device PCI ID and codec vendor_id for the Intel JasperLake +REV2/A0 silicon. + +Signed-off-by: Yong Zhi +Signed-off-by: Pierre-Louis Bossart +Cc: +Link: https://lore.kernel.org/r/20200131204003.10153-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_intel.c | 2 ++ + sound/pci/hda/patch_hdmi.c | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index b5e8d4301883..92a042e34d3e 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2451,6 +2451,8 @@ static const struct pci_device_id azx_ids[] = { + /* Jasperlake */ + { PCI_DEVICE(0x8086, 0x38c8), + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, ++ { PCI_DEVICE(0x8086, 0x4dc8), ++ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, + /* Tigerlake */ + { PCI_DEVICE(0x8086, 0xa0c8), + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 48bddc218829..7c006f9858c0 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -4256,6 +4256,7 @@ HDA_CODEC_ENTRY(0x8086280c, "Cannonlake HDMI", patch_i915_glk_hdmi), + HDA_CODEC_ENTRY(0x8086280d, "Geminilake HDMI", patch_i915_glk_hdmi), + HDA_CODEC_ENTRY(0x8086280f, "Icelake HDMI", patch_i915_icl_hdmi), + HDA_CODEC_ENTRY(0x80862812, "Tigerlake HDMI", patch_i915_tgl_hdmi), ++HDA_CODEC_ENTRY(0x8086281a, "Jasperlake HDMI", patch_i915_icl_hdmi), + HDA_CODEC_ENTRY(0x80862880, "CedarTrail HDMI", patch_generic_hdmi), + HDA_CODEC_ENTRY(0x80862882, "Valleyview2 HDMI", patch_i915_byt_hdmi), + HDA_CODEC_ENTRY(0x80862883, "Braswell HDMI", patch_i915_byt_hdmi), +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-Add-docking-station-support-for-Lenovo-Thin.patch b/patches.suse/ALSA-hda-Add-docking-station-support-for-Lenovo-Thin.patch new file mode 100644 index 0000000..1c21769 --- /dev/null +++ b/patches.suse/ALSA-hda-Add-docking-station-support-for-Lenovo-Thin.patch @@ -0,0 +1,37 @@ +From ef7d84caa5928b40b1c93a26dbe5a3f12737c6ab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Peter=20Gro=C3=9Fe?= +Date: Wed, 22 Jan 2020 19:01:06 +0100 +Subject: [PATCH] ALSA: hda - Add docking station support for Lenovo Thinkpad T420s +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: ef7d84caa5928b40b1c93a26dbe5a3f12737c6ab +Patch-mainline: v5.6-rc1 +References: git-fixes + +Lenovo Thinkpad T420s uses the same codec as T420, so apply the +same quirk to enable audio output on a docking station. + +Signed-off-by: Peter Große +Link: https://lore.kernel.org/r/20200122180106.9351-1-pegro@friiks.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 90aa0f400a57..1e20e85e9b46 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -922,6 +922,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = { + SND_PCI_QUIRK(0x17aa, 0x215f, "Lenovo T510", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21ce, "Lenovo T420", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21cf, "Lenovo T520", CXT_PINCFG_LENOVO_TP410), ++ SND_PCI_QUIRK(0x17aa, 0x21d2, "Lenovo T420s", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD), +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-Clear-RIRB-status-before-reading-WP.patch b/patches.suse/ALSA-hda-Clear-RIRB-status-before-reading-WP.patch new file mode 100644 index 0000000..8ad1591 --- /dev/null +++ b/patches.suse/ALSA-hda-Clear-RIRB-status-before-reading-WP.patch @@ -0,0 +1,56 @@ +From 6d011d5057ff88ee556c000ac6fe0be23bdfcd72 Mon Sep 17 00:00:00 2001 +From: Mohan Kumar +Date: Thu, 6 Feb 2020 15:40:53 +0530 +Subject: [PATCH] ALSA: hda: Clear RIRB status before reading WP +Git-commit: 6d011d5057ff88ee556c000ac6fe0be23bdfcd72 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +RIRB interrupt status getting cleared after the write pointer is read +causes a race condition, where last response(s) into RIRB may remain +unserviced by IRQ, eventually causing azx_rirb_get_response to fall +back to polling mode. Clearing the RIRB interrupt status ahead of +write pointer access ensures that this condition is avoided. + +Signed-off-by: Mohan Kumar +Signed-off-by: Viswanath L +Link: https://lore.kernel.org/r/1580983853-351-1-git-send-email-viswanathl@nvidia.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_controller.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c +index 9757667cdd58..2609e391ce54 100644 +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -1110,16 +1110,23 @@ irqreturn_t azx_interrupt(int irq, void *dev_id) + if (snd_hdac_bus_handle_stream_irq(bus, status, stream_update)) + active = true; + +- /* clear rirb int */ + status = azx_readb(chip, RIRBSTS); + if (status & RIRB_INT_MASK) { ++ /* ++ * Clearing the interrupt status here ensures that no ++ * interrupt gets masked after the RIRB wp is read in ++ * snd_hdac_bus_update_rirb. This avoids a possible ++ * race condition where codec response in RIRB may ++ * remain unserviced by IRQ, eventually falling back ++ * to polling mode in azx_rirb_get_response. ++ */ ++ azx_writeb(chip, RIRBSTS, RIRB_INT_MASK); + active = true; + if (status & RIRB_INT_RESPONSE) { + if (chip->driver_caps & AZX_DCAPS_CTX_WORKAROUND) + udelay(80); + snd_hdac_bus_update_rirb(bus); + } +- azx_writeb(chip, RIRBSTS, RIRB_INT_MASK); + } + } while (active && ++repeat < 10); + +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-Constify-snd_kcontrol_new-items.patch b/patches.suse/ALSA-hda-Constify-snd_kcontrol_new-items.patch new file mode 100644 index 0000000..0937862 --- /dev/null +++ b/patches.suse/ALSA-hda-Constify-snd_kcontrol_new-items.patch @@ -0,0 +1,83 @@ +From 35ace5e8410e41df8719ee9fee49312655efa26a Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 3 Jan 2020 09:16:52 +0100 +Subject: [PATCH] ALSA: hda: Constify snd_kcontrol_new items +Git-commit: 35ace5e8410e41df8719ee9fee49312655efa26a +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Most of snd_kcontrol_new definitions are read-only and passed as-is. +Let's declare them as const for further optimization. + +There should be no functional changes by this patch. + +Link: https://lore.kernel.org/r/20200103081714.9560-37-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_codec.c | 8 ++++---- + sound/pci/hda/patch_sigmatel.c | 6 +++--- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 8f166bbc438b..d039eeec080f 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -2387,7 +2387,7 @@ static int snd_hda_spdif_out_switch_put(struct snd_kcontrol *kcontrol, + return change; + } + +-static struct snd_kcontrol_new dig_mixes[] = { ++static const struct snd_kcontrol_new dig_mixes[] = { + { + .access = SNDRV_CTL_ELEM_ACCESS_READ, + .iface = SNDRV_CTL_ELEM_IFACE_MIXER, +@@ -2437,7 +2437,7 @@ int snd_hda_create_dig_out_ctls(struct hda_codec *codec, + { + int err; + struct snd_kcontrol *kctl; +- struct snd_kcontrol_new *dig_mix; ++ const struct snd_kcontrol_new *dig_mix; + int idx = 0; + int val = 0; + const int spdif_index = 16; +@@ -2655,7 +2655,7 @@ static int snd_hda_spdif_in_status_get(struct snd_kcontrol *kcontrol, + return 0; + } + +-static struct snd_kcontrol_new dig_in_ctls[] = { ++static const struct snd_kcontrol_new dig_in_ctls[] = { + { + .iface = SNDRV_CTL_ELEM_IFACE_MIXER, + .name = SNDRV_CTL_NAME_IEC958("", CAPTURE, SWITCH), +@@ -2687,7 +2687,7 @@ int snd_hda_create_spdif_in_ctls(struct hda_codec *codec, hda_nid_t nid) + { + int err; + struct snd_kcontrol *kctl; +- struct snd_kcontrol_new *dig_mix; ++ const struct snd_kcontrol_new *dig_mix; + int idx; + + idx = find_empty_mixer_ctl_idx(codec, "IEC958 Capture Switch", 0); +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index 8ecb53bce509..9b816b377547 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -825,11 +825,11 @@ static int stac_auto_create_beep_ctls(struct hda_codec *codec, + struct sigmatel_spec *spec = codec->spec; + u32 caps = query_amp_caps(codec, nid, HDA_OUTPUT); + struct snd_kcontrol_new *knew; +- static struct snd_kcontrol_new abeep_mute_ctl = ++ static const struct snd_kcontrol_new abeep_mute_ctl = + HDA_CODEC_MUTE(NULL, 0, 0, 0); +- static struct snd_kcontrol_new dbeep_mute_ctl = ++ static const struct snd_kcontrol_new dbeep_mute_ctl = + HDA_CODEC_MUTE_BEEP(NULL, 0, 0, 0); +- static struct snd_kcontrol_new beep_vol_ctl = ++ static const struct snd_kcontrol_new beep_vol_ctl = + HDA_CODEC_VOLUME(NULL, 0, 0, 0); + + /* check for mute support for the the amp */ +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-Constify-snd_pci_quirk-tables.patch b/patches.suse/ALSA-hda-Constify-snd_pci_quirk-tables.patch new file mode 100644 index 0000000..012ee99 --- /dev/null +++ b/patches.suse/ALSA-hda-Constify-snd_pci_quirk-tables.patch @@ -0,0 +1,63 @@ +From a5dc05e466b054722817e09e9e2867b2c373f570 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 3 Jan 2020 09:17:13 +0100 +Subject: [PATCH] ALSA: hda: Constify snd_pci_quirk tables +Git-commit: a5dc05e466b054722817e09e9e2867b2c373f570 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +The snd_pci_quirk tables are referred as read-only, hence they can be +declared as const gracefully. + +There should be no functional changes by this patch. + +Link: https://lore.kernel.org/r/20200103081714.9560-58-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_intel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 4733268ec74e..bebc31024737 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -1490,7 +1490,7 @@ static bool check_hdmi_disabled(struct pci_dev *pci) + /* + * white/black-listing for position_fix + */ +-static struct snd_pci_quirk position_fix_list[] = { ++static const struct snd_pci_quirk position_fix_list[] = { + SND_PCI_QUIRK(0x1028, 0x01cc, "Dell D820", POS_FIX_LPIB), + SND_PCI_QUIRK(0x1028, 0x01de, "Dell Precision 390", POS_FIX_LPIB), + SND_PCI_QUIRK(0x103c, 0x306d, "HP dv3", POS_FIX_LPIB), +@@ -1583,7 +1583,7 @@ static void assign_position_fix(struct azx *chip, int fix) + /* + * black-lists for probe_mask + */ +-static struct snd_pci_quirk probe_mask_list[] = { ++static const struct snd_pci_quirk probe_mask_list[] = { + /* Thinkpad often breaks the controller communication when accessing + * to the non-working (or non-existing) modem codec slot. + */ +@@ -1631,7 +1631,7 @@ static void check_probe_mask(struct azx *chip, int dev) + /* + * white/black-list for enable_msi + */ +-static struct snd_pci_quirk msi_black_list[] = { ++static const struct snd_pci_quirk msi_black_list[] = { + SND_PCI_QUIRK(0x103c, 0x2191, "HP", 0), /* AMD Hudson */ + SND_PCI_QUIRK(0x103c, 0x2192, "HP", 0), /* AMD Hudson */ + SND_PCI_QUIRK(0x103c, 0x21f7, "HP", 0), /* AMD Hudson */ +@@ -2164,7 +2164,7 @@ static int azx_probe(struct pci_dev *pci, + * So we keep a list of devices where we disable powersaving as its known + * to causes problems on these devices. + */ +-static struct snd_pci_quirk power_save_blacklist[] = { ++static const struct snd_pci_quirk power_save_blacklist[] = { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */ + SND_PCI_QUIRK(0x1849, 0xc892, "Asrock B85M-ITX", 0), + /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */ +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-More-constifications.patch b/patches.suse/ALSA-hda-More-constifications.patch new file mode 100644 index 0000000..b51953a --- /dev/null +++ b/patches.suse/ALSA-hda-More-constifications.patch @@ -0,0 +1,270 @@ +From bf82326fce53321c3f9088874dc12dcbd6d0ca06 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 5 Jan 2020 15:47:24 +0100 +Subject: [PATCH] ALSA: hda: More constifications +Git-commit: bf82326fce53321c3f9088874dc12dcbd6d0ca06 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Apply const prefix to the remaining possible places: the string +tables, the rate tables, the verb tables, the index tables, etc. + +Just for minor optimization and no functional changes. + +Link: https://lore.kernel.org/r/20200105144823.29547-10-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/hda/hdac_device.c | 4 ++-- + sound/hda/hdmi_chmap.c | 2 +- + sound/pci/hda/hda_codec.c | 6 +++--- + sound/pci/hda/hda_eld.c | 6 +++--- + sound/pci/hda/hda_intel.c | 8 ++++---- + sound/pci/hda/hda_proc.c | 2 +- + sound/pci/hda/hda_sysfs.c | 2 +- + sound/pci/hda/patch_analog.c | 2 +- + sound/pci/hda/patch_ca0132.c | 18 +++++++++--------- + 9 files changed, 25 insertions(+), 25 deletions(-) + +--- a/sound/hda/hdac_device.c ++++ b/sound/hda/hdac_device.c +@@ -628,7 +628,7 @@ struct hda_vendor_id { + const char *name; + }; + +-static struct hda_vendor_id hda_vendor_ids[] = { ++static const struct hda_vendor_id hda_vendor_ids[] = { + { 0x1002, "ATI" }, + { 0x1013, "Cirrus Logic" }, + { 0x1057, "Motorola" }, +@@ -683,7 +683,7 @@ struct hda_rate_tbl { + (AC_FMT_BASE_##base##K | (((mult) - 1) << AC_FMT_MULT_SHIFT) | \ + (((div) - 1) << AC_FMT_DIV_SHIFT)) + +-static struct hda_rate_tbl rate_bits[] = { ++static const struct hda_rate_tbl rate_bits[] = { + /* rate in Hz, ALSA rate bitmask, HDA format value */ + + /* autodetected value used in snd_hda_query_supported_pcm */ +--- a/sound/hda/hdmi_chmap.c ++++ b/sound/hda/hdmi_chmap.c +@@ -58,7 +58,7 @@ static const char * const cea_speaker_al + /* + * ELD SA bits in the CEA Speaker Allocation data block + */ +-static int eld_speaker_allocation_bits[] = { ++static const int eld_speaker_allocation_bits[] = { + [0] = FL | FR, + [1] = LFE, + [2] = FC, +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -3166,7 +3166,7 @@ static int get_empty_pcm_device(struct h + /* assigned to static slots up to dev#10; if more needed, assign + * the later slot dynamically (when CONFIG_SND_DYNAMIC_MINORS=y) + */ +- static int audio_idx[HDA_PCM_NTYPES][5] = { ++ static const int audio_idx[HDA_PCM_NTYPES][5] = { + [HDA_PCM_TYPE_AUDIO] = { 0, 2, 4, 5, -1 }, + [HDA_PCM_TYPE_SPDIF] = { 1, -1 }, + [HDA_PCM_TYPE_HDMI] = { 3, 7, 8, 9, -1 }, +@@ -3833,7 +3833,7 @@ EXPORT_SYMBOL_GPL(snd_hda_get_default_vr + unsigned int snd_hda_correct_pin_ctl(struct hda_codec *codec, + hda_nid_t pin, unsigned int val) + { +- static unsigned int cap_lists[][2] = { ++ static const unsigned int cap_lists[][2] = { + { AC_PINCTL_VREF_100, AC_PINCAP_VREF_100 }, + { AC_PINCTL_VREF_80, AC_PINCAP_VREF_80 }, + { AC_PINCTL_VREF_50, AC_PINCAP_VREF_50 }, +@@ -3978,7 +3978,7 @@ void snd_hda_bus_reset_codecs(struct hda + */ + void snd_print_pcm_bits(int pcm, char *buf, int buflen) + { +- static unsigned int bits[] = { 8, 16, 20, 24, 32 }; ++ static const unsigned int bits[] = { 8, 16, 20, 24, 32 }; + int i, j; + + for (i = 0, j = 0; i < ARRAY_SIZE(bits); i++) +--- a/sound/pci/hda/hda_eld.c ++++ b/sound/pci/hda/hda_eld.c +@@ -111,7 +111,7 @@ static const char * const cea_audio_codi + /* + * SS1:SS0 index => sample size + */ +-static int cea_sample_sizes[4] = { ++static const int cea_sample_sizes[4] = { + 0, /* 0: Refer to Stream Header */ + AC_SUPPCM_BITS_16, /* 1: 16 bits */ + AC_SUPPCM_BITS_20, /* 2: 20 bits */ +@@ -121,7 +121,7 @@ static int cea_sample_sizes[4] = { + /* + * SF2:SF1:SF0 index => sampling frequency + */ +-static int cea_sampling_frequencies[8] = { ++static const int cea_sampling_frequencies[8] = { + 0, /* 0: Refer to Stream Header */ + SNDRV_PCM_RATE_32000, /* 1: 32000Hz */ + SNDRV_PCM_RATE_44100, /* 2: 44100Hz */ +@@ -365,7 +365,7 @@ error: + */ + static void hdmi_print_pcm_rates(int pcm, char *buf, int buflen) + { +- static unsigned int alsa_rates[] = { ++ static const unsigned int alsa_rates[] = { + 5512, 8000, 11025, 16000, 22050, 32000, 44100, 48000, 64000, + 88200, 96000, 176400, 192000, 384000 + }; +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -383,7 +383,7 @@ enum { + #define IS_CFL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa348) + #define IS_CNL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9dc8) + +-static char *driver_short_names[] = { ++static const char * const driver_short_names[] = { + [AZX_DRIVER_ICH] = "HDA Intel", + [AZX_DRIVER_PCH] = "HDA Intel PCH", + [AZX_DRIVER_SCH] = "HDA Intel MID", +@@ -510,7 +510,7 @@ static void bxt_reduce_dma_latency(struc + static int intel_get_lctl_scf(struct azx *chip) + { + struct hdac_bus *bus = azx_bus(chip); +- static int preferred_bits[] = { 2, 3, 1, 4, 5 }; ++ static const int preferred_bits[] = { 2, 3, 1, 4, 5 }; + u32 val, t; + int i; + +@@ -1568,7 +1568,7 @@ static int check_position_fix(struct azx + + static void assign_position_fix(struct azx *chip, int fix) + { +- static azx_get_pos_callback_t callbacks[] = { ++ static const azx_get_pos_callback_t callbacks[] = { + [POS_FIX_AUTO] = NULL, + [POS_FIX_LPIB] = azx_get_pos_lpib, + [POS_FIX_POSBUF] = azx_get_pos_posbuf, +@@ -2290,7 +2290,7 @@ static void set_default_power_save(struc + } + + /* number of codec slots for each chipset: 0 = default slots (i.e. 4) */ +-static unsigned int azx_max_codecs[AZX_NUM_DRIVERS] = { ++static const unsigned int azx_max_codecs[AZX_NUM_DRIVERS] = { + [AZX_DRIVER_NVIDIA] = 8, + [AZX_DRIVER_TERA] = 1, + }; +--- a/sound/pci/hda/hda_proc.c ++++ b/sound/pci/hda/hda_proc.c +@@ -174,7 +174,7 @@ static void print_amp_vals(struct snd_in + + static void print_pcm_rates(struct snd_info_buffer *buffer, unsigned int pcm) + { +- static unsigned int rates[] = { ++ static const unsigned int rates[] = { + 8000, 11025, 16000, 22050, 32000, 44100, 48000, 88200, + 96000, 176400, 192000, 384000 + }; +--- a/sound/pci/hda/hda_sysfs.c ++++ b/sound/pci/hda/hda_sysfs.c +@@ -610,7 +610,7 @@ struct hda_patch_item { + void (*parser)(char *buf, struct hda_bus *bus, struct hda_codec **retc); + }; + +-static struct hda_patch_item patch_items[NUM_LINE_MODES] = { ++static const struct hda_patch_item patch_items[NUM_LINE_MODES] = { + [LINE_MODE_CODEC] = { + .tag = "[codec]", + .parser = parse_codec_mode, +--- a/sound/pci/hda/patch_analog.c ++++ b/sound/pci/hda/patch_analog.c +@@ -825,7 +825,7 @@ static int ad1988_add_spdif_mux_ctl(stru + /* we create four static faked paths, since AD codecs have odd + * widget connections regarding the SPDIF out source + */ +- static struct nid_path fake_paths[4] = { ++ static const struct nid_path fake_paths[4] = { + { + .depth = 3, + .path = { 0x02, 0x1d, 0x1b }, +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -3781,7 +3781,7 @@ static const unsigned int float_xbass_xo + /* The following are for tuning of products */ + #ifdef ENABLE_TUNING_CONTROLS + +-static unsigned int voice_focus_vals_lookup[] = { ++static const unsigned int voice_focus_vals_lookup[] = { + 0x41A00000, 0x41A80000, 0x41B00000, 0x41B80000, 0x41C00000, 0x41C80000, + 0x41D00000, 0x41D80000, 0x41E00000, 0x41E80000, 0x41F00000, 0x41F80000, + 0x42000000, 0x42040000, 0x42080000, 0x420C0000, 0x42100000, 0x42140000, +@@ -3811,7 +3811,7 @@ static unsigned int voice_focus_vals_loo + 0x43300000, 0x43310000, 0x43320000, 0x43330000, 0x43340000 + }; + +-static unsigned int mic_svm_vals_lookup[] = { ++static const unsigned int mic_svm_vals_lookup[] = { + 0x00000000, 0x3C23D70A, 0x3CA3D70A, 0x3CF5C28F, 0x3D23D70A, 0x3D4CCCCD, + 0x3D75C28F, 0x3D8F5C29, 0x3DA3D70A, 0x3DB851EC, 0x3DCCCCCD, 0x3DE147AE, + 0x3DF5C28F, 0x3E051EB8, 0x3E0F5C29, 0x3E19999A, 0x3E23D70A, 0x3E2E147B, +@@ -3831,7 +3831,7 @@ static unsigned int mic_svm_vals_lookup[ + 0x3F75C28F, 0x3F7851EC, 0x3F7AE148, 0x3F7D70A4, 0x3F800000 + }; + +-static unsigned int equalizer_vals_lookup[] = { ++static const unsigned int equalizer_vals_lookup[] = { + 0xC1C00000, 0xC1B80000, 0xC1B00000, 0xC1A80000, 0xC1A00000, 0xC1980000, + 0xC1900000, 0xC1880000, 0xC1800000, 0xC1700000, 0xC1600000, 0xC1500000, + 0xC1400000, 0xC1300000, 0xC1200000, 0xC1100000, 0xC1000000, 0xC0E00000, +@@ -3844,7 +3844,7 @@ static unsigned int equalizer_vals_looku + }; + + static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid, +- unsigned int *lookup, int idx) ++ const unsigned int *lookup, int idx) + { + int i = 0; + +@@ -7655,14 +7655,14 @@ static void ca0132_init_unsol(struct hda + */ + + /* Sends before DSP download. */ +-static struct hda_verb ca0132_base_init_verbs[] = { ++static const struct hda_verb ca0132_base_init_verbs[] = { + /*enable ct extension*/ + {0x15, VENDOR_CHIPIO_CT_EXTENSIONS_ENABLE, 0x1}, + {} + }; + + /* Send at exit. */ +-static struct hda_verb ca0132_base_exit_verbs[] = { ++static const struct hda_verb ca0132_base_exit_verbs[] = { + /*set afg to D3*/ + {0x01, AC_VERB_SET_POWER_STATE, 0x03}, + /*disable ct extension*/ +@@ -7672,7 +7672,7 @@ static struct hda_verb ca0132_base_exit_ + + /* Other verbs tables. Sends after DSP download. */ + +-static struct hda_verb ca0132_init_verbs0[] = { ++static const struct hda_verb ca0132_init_verbs0[] = { + /* chip init verbs */ + {0x15, 0x70D, 0xF0}, + {0x15, 0x70E, 0xFE}, +@@ -7705,7 +7705,7 @@ static struct hda_verb ca0132_init_verbs + }; + + /* Extra init verbs for desktop cards. */ +-static struct hda_verb ca0132_init_verbs1[] = { ++static const struct hda_verb ca0132_init_verbs1[] = { + {0x15, 0x70D, 0x20}, + {0x15, 0x70E, 0x19}, + {0x15, 0x707, 0x00}, +@@ -8880,7 +8880,7 @@ static int patch_ca0132(struct hda_codec + /* + * patch entries + */ +-static struct hda_device_id snd_hda_id_ca0132[] = { ++static const struct hda_device_id snd_hda_id_ca0132[] = { + HDA_CODEC_ENTRY(0x11020011, "CA0132", patch_ca0132), + {} /* terminator */ + }; diff --git a/patches.suse/ALSA-hda-Reset-stream-if-DMA-RUN-bit-not-cleared.patch b/patches.suse/ALSA-hda-Reset-stream-if-DMA-RUN-bit-not-cleared.patch new file mode 100644 index 0000000..150617d --- /dev/null +++ b/patches.suse/ALSA-hda-Reset-stream-if-DMA-RUN-bit-not-cleared.patch @@ -0,0 +1,89 @@ +From 7faa26c1bbe312d9191524e4b7ab010f91fcd654 Mon Sep 17 00:00:00 2001 +From: Mohan Kumar +Date: Tue, 28 Jan 2020 10:45:08 +0530 +Subject: [PATCH] ALSA: hda: Reset stream if DMA RUN bit not cleared +Git-commit: 7faa26c1bbe312d9191524e4b7ab010f91fcd654 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Tegra HDA has FIFO size which can hold upto 10 audio frames to support +DVFS. When HDA DMA RUN bit is set to 0 to stop the stream, the DMA RUN +bit will be cleared to 0 only after transferring all the remaining audio +frames queued up in the fifo. This is not in sync with spec which states +the controller will stop transmitting(output) in the beginning of the +next frame for the relevant stream. + +The above behavior with Tegra HDA was resulting in machine check error +during the system suspend flow with active audio playback with below kernel +error logs. +[ 33.524583] mc-err: [mcerr] (hda) csr_hdar: EMEM address decode error +[ 33.531088] mc-err: [mcerr] status = 0x20000015; addr = 0x00000000 +[ 33.537431] mc-err: [mcerr] secure: no, access-type: read, SMMU fault: none + +This was due to the fifo has more than one audio frame when the DMA +RUN bit is set to 0 during system suspend flow and the timeout handling in +snd_hdac_stream_sync() was not designed to handle this scenario. So the +DMA will continue running even after timeout hit until all remaining +audio frames in the fifo are transferred, but the suspend flow will try +to reset the controller and turn off the hda clocks without the knowledge +of the DMA is still running and could result in mc-err. + +The above issue can be resolved by doing stream reset with the help of +snd_hdac_stream_reset() which would ensure the DMA RUN bit is cleared +if the timeout was hit in snd_hdac_stream_sync(). + +Signed-off-by: Mohan Kumar +Link: https://lore.kernel.org/r/20200128051508.26064-1-mkumard@nvidia.com +Signed-off-by: Takashi Iwai + +--- + sound/hda/hdac_stream.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c +index d01e69139164..a314b03b4a4c 100644 +--- a/sound/hda/hdac_stream.c ++++ b/sound/hda/hdac_stream.c +@@ -631,20 +631,27 @@ void snd_hdac_stream_sync(struct hdac_stream *azx_dev, bool start, + nwait = 0; + i = 0; + list_for_each_entry(s, &bus->stream_list, list) { +- if (streams & (1 << i)) { +- if (start) { +- /* check FIFO gets ready */ +- if (!(snd_hdac_stream_readb(s, SD_STS) & +- SD_STS_FIFO_READY)) +- nwait++; +- } else { +- /* check RUN bit is cleared */ +- if (snd_hdac_stream_readb(s, SD_CTL) & +- SD_CTL_DMA_START) +- nwait++; ++ if (!(streams & (1 << i++))) ++ continue; ++ ++ if (start) { ++ /* check FIFO gets ready */ ++ if (!(snd_hdac_stream_readb(s, SD_STS) & ++ SD_STS_FIFO_READY)) ++ nwait++; ++ } else { ++ /* check RUN bit is cleared */ ++ if (snd_hdac_stream_readb(s, SD_CTL) & ++ SD_CTL_DMA_START) { ++ nwait++; ++ /* ++ * Perform stream reset if DMA RUN ++ * bit not cleared within given timeout ++ */ ++ if (timeout == 1) ++ snd_hdac_stream_reset(s); + } + } +- i++; + } + if (!nwait) + break; +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-Use-scnprintf-for-printing-texts-for-sysfs-.patch b/patches.suse/ALSA-hda-Use-scnprintf-for-printing-texts-for-sysfs-.patch new file mode 100644 index 0000000..e766e61 --- /dev/null +++ b/patches.suse/ALSA-hda-Use-scnprintf-for-printing-texts-for-sysfs-.patch @@ -0,0 +1,92 @@ +From 44eeb081b8630bb3ad3cd381d1ae1831463e48bb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 18 Feb 2020 10:14:09 +0100 +Subject: [PATCH] ALSA: hda: Use scnprintf() for printing texts for + sysfs/procfs +Git-commit: 44eeb081b8630bb3ad3cd381d1ae1831463e48bb +Patch-mainline: v5.6-rc3 +References: git-fixes + +Some code in HD-audio driver calls snprintf() in a loop and still +expects that the return value were actually written size, while +snprintf() returns the expected would-be length instead. When the +given buffer limit were small, this leads to a buffer overflow. + +Use scnprintf() for addressing those issues. It returns the actually +written size unlike snprintf(). + +Cc: +Link: https://lore.kernel.org/r/20200218091409.27162-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/hda/hdmi_chmap.c | 2 +- + sound/pci/hda/hda_codec.c | 2 +- + sound/pci/hda/hda_eld.c | 2 +- + sound/pci/hda/hda_sysfs.c | 4 ++-- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/sound/hda/hdmi_chmap.c b/sound/hda/hdmi_chmap.c +index 5fd6d575e123..aad5c4bf4d34 100644 +--- a/sound/hda/hdmi_chmap.c ++++ b/sound/hda/hdmi_chmap.c +@@ -250,7 +250,7 @@ void snd_hdac_print_channel_allocation(int spk_alloc, char *buf, int buflen) + + for (i = 0, j = 0; i < ARRAY_SIZE(cea_speaker_allocation_names); i++) { + if (spk_alloc & (1 << i)) +- j += snprintf(buf + j, buflen - j, " %s", ++ j += scnprintf(buf + j, buflen - j, " %s", + cea_speaker_allocation_names[i]); + } + buf[j] = '\0'; /* necessary when j == 0 */ +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 5dc42f932739..53e7732ef752 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -4022,7 +4022,7 @@ void snd_print_pcm_bits(int pcm, char *buf, int buflen) + + for (i = 0, j = 0; i < ARRAY_SIZE(bits); i++) + if (pcm & (AC_SUPPCM_BITS_8 << i)) +- j += snprintf(buf + j, buflen - j, " %d", bits[i]); ++ j += scnprintf(buf + j, buflen - j, " %d", bits[i]); + + buf[j] = '\0'; /* necessary when j == 0 */ + } +diff --git a/sound/pci/hda/hda_eld.c b/sound/pci/hda/hda_eld.c +index bb46c89b7f63..136477ed46ae 100644 +--- a/sound/pci/hda/hda_eld.c ++++ b/sound/pci/hda/hda_eld.c +@@ -360,7 +360,7 @@ static void hdmi_print_pcm_rates(int pcm, char *buf, int buflen) + + for (i = 0, j = 0; i < ARRAY_SIZE(alsa_rates); i++) + if (pcm & (1 << i)) +- j += snprintf(buf + j, buflen - j, " %d", ++ j += scnprintf(buf + j, buflen - j, " %d", + alsa_rates[i]); + + buf[j] = '\0'; /* necessary when j == 0 */ +diff --git a/sound/pci/hda/hda_sysfs.c b/sound/pci/hda/hda_sysfs.c +index 0607ed5d1959..eb8ec109d7ad 100644 +--- a/sound/pci/hda/hda_sysfs.c ++++ b/sound/pci/hda/hda_sysfs.c +@@ -222,7 +222,7 @@ static ssize_t init_verbs_show(struct device *dev, + int i, len = 0; + mutex_lock(&codec->user_mutex); + snd_array_for_each(&codec->init_verbs, i, v) { +- len += snprintf(buf + len, PAGE_SIZE - len, ++ len += scnprintf(buf + len, PAGE_SIZE - len, + "0x%02x 0x%03x 0x%04x\n", + v->nid, v->verb, v->param); + } +@@ -272,7 +272,7 @@ static ssize_t hints_show(struct device *dev, + int i, len = 0; + mutex_lock(&codec->user_mutex); + snd_array_for_each(&codec->hints, i, hint) { +- len += snprintf(buf + len, PAGE_SIZE - len, ++ len += scnprintf(buf + len, PAGE_SIZE - len, + "%s = %s\n", hint->key, hint->val); + } + mutex_unlock(&codec->user_mutex); +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-analog-Minor-optimization-for-SPDIF-mux-con.patch b/patches.suse/ALSA-hda-analog-Minor-optimization-for-SPDIF-mux-con.patch new file mode 100644 index 0000000..a8b2d37 --- /dev/null +++ b/patches.suse/ALSA-hda-analog-Minor-optimization-for-SPDIF-mux-con.patch @@ -0,0 +1,100 @@ +From 2ba0176c709c103974cf55b6d373c4ea749c6391 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 15 Jan 2020 11:00:35 +0100 +Subject: [PATCH] ALSA: hda/analog - Minor optimization for SPDIF mux connections +Git-commit: 2ba0176c709c103974cf55b6d373c4ea749c6391 +Patch-mainline: v5.6-rc1 +References: git-fixes + +AD HD-audio codec driver has a few code lines invoking +snd_get_num_conns() and using its return value as the array index +without checking. This is basically safe in all those places; at the +second and later calls snd_get_num_conns() returns the value cached +from the first invocation, hence the value is always consistent. + +However, it looks a bit confusing as if a lack of the proper check. +This patch introduces a new field num_smux_conns in ad198x_spec for +simplifying the code. Now we store and refer to the value more +locally without invoking the extra function at each time. + +Reported-by: Colin King +Link: https://lore.kernel.org/r/20200115100035.22511-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_analog.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/sound/pci/hda/patch_analog.c b/sound/pci/hda/patch_analog.c +index 88c46b051d14..2132b2acec4d 100644 +--- a/sound/pci/hda/patch_analog.c ++++ b/sound/pci/hda/patch_analog.c +@@ -28,6 +28,7 @@ struct ad198x_spec { + hda_nid_t eapd_nid; + + unsigned int beep_amp; /* beep amp value, set via set_beep_amp() */ ++ int num_smux_conns; + }; + + +@@ -453,8 +454,7 @@ static int ad1983_auto_smux_enum_info(struct snd_kcontrol *kcontrol, + struct ad198x_spec *spec = codec->spec; + static const char * const texts2[] = { "PCM", "ADC" }; + static const char * const texts3[] = { "PCM", "ADC1", "ADC2" }; +- hda_nid_t dig_out = spec->gen.multiout.dig_out_nid; +- int num_conns = snd_hda_get_num_conns(codec, dig_out); ++ int num_conns = spec->num_smux_conns; + + if (num_conns == 2) + return snd_hda_enum_helper_info(kcontrol, uinfo, 2, texts2); +@@ -481,7 +481,7 @@ static int ad1983_auto_smux_enum_put(struct snd_kcontrol *kcontrol, + struct ad198x_spec *spec = codec->spec; + unsigned int val = ucontrol->value.enumerated.item[0]; + hda_nid_t dig_out = spec->gen.multiout.dig_out_nid; +- int num_conns = snd_hda_get_num_conns(codec, dig_out); ++ int num_conns = spec->num_smux_conns; + + if (val >= num_conns) + return -EINVAL; +@@ -512,6 +512,7 @@ static int ad1983_add_spdif_mux_ctl(struct hda_codec *codec) + num_conns = snd_hda_get_num_conns(codec, dig_out); + if (num_conns != 2 && num_conns != 3) + return 0; ++ spec->num_smux_conns = num_conns; + if (!snd_hda_gen_add_kctl(&spec->gen, NULL, &ad1983_auto_smux_mixer)) + return -ENOMEM; + return 0; +@@ -730,10 +731,12 @@ static int ad1988_auto_smux_enum_info(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_info *uinfo) + { + struct hda_codec *codec = snd_kcontrol_chip(kcontrol); ++ struct ad198x_spec *spec = codec->spec; + static const char * const texts[] = { + "PCM", "ADC1", "ADC2", "ADC3", + }; +- int num_conns = snd_hda_get_num_conns(codec, 0x0b) + 1; ++ int num_conns = spec->num_smux_conns; ++ + if (num_conns > 4) + num_conns = 4; + return snd_hda_enum_helper_info(kcontrol, uinfo, num_conns, texts); +@@ -756,7 +759,7 @@ static int ad1988_auto_smux_enum_put(struct snd_kcontrol *kcontrol, + struct ad198x_spec *spec = codec->spec; + unsigned int val = ucontrol->value.enumerated.item[0]; + struct nid_path *path; +- int num_conns = snd_hda_get_num_conns(codec, 0x0b) + 1; ++ int num_conns = spec->num_smux_conns; + + if (val >= num_conns) + return -EINVAL; +@@ -847,6 +850,7 @@ static int ad1988_add_spdif_mux_ctl(struct hda_codec *codec) + num_conns = snd_hda_get_num_conns(codec, 0x0b) + 1; + if (num_conns != 3 && num_conns != 4) + return 0; ++ spec->num_smux_conns = num_conns; + + for (i = 0; i < num_conns; i++) { + struct nid_path *path = snd_array_new(&spec->gen.paths); +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-constify-and-cleanup-static-NodeID-tables.patch b/patches.suse/ALSA-hda-constify-and-cleanup-static-NodeID-tables.patch new file mode 100644 index 0000000..35f9f11 --- /dev/null +++ b/patches.suse/ALSA-hda-constify-and-cleanup-static-NodeID-tables.patch @@ -0,0 +1,355 @@ +From caf3c0437aaf2e63624c4aaf94c0dd38d1f897e3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= +Date: Fri, 3 Jan 2020 10:23:48 +0100 +Subject: [PATCH] ALSA: hda - constify and cleanup static NodeID tables +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: caf3c0437aaf2e63624c4aaf94c0dd38d1f897e3 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Make hda_nid_t tables static const, as they are not intended to be +modified by callees. + +Signed-off-by: Michał Mirosław +Link: https://lore.kernel.org/r/5150c94101c9534f4c8e987324f6912c16d459f6.1578043216.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_generic.c | 4 +-- + sound/pci/hda/patch_analog.c | 6 ++-- + sound/pci/hda/patch_ca0132.c | 12 ++++---- + sound/pci/hda/patch_conexant.c | 6 ++-- + sound/pci/hda/patch_realtek.c | 62 +++++++++++++++++++++--------------------- + sound/pci/hda/patch_sigmatel.c | 4 +-- + sound/pci/hda/patch_via.c | 4 +-- + 7 files changed, 49 insertions(+), 49 deletions(-) + +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index 10d502328b76..fc001c64ef20 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -4401,7 +4401,7 @@ EXPORT_SYMBOL_GPL(snd_hda_gen_fix_pin_power); + */ + + /* check each pin in the given array; returns true if any of them is plugged */ +-static bool detect_jacks(struct hda_codec *codec, int num_pins, hda_nid_t *pins) ++static bool detect_jacks(struct hda_codec *codec, int num_pins, const hda_nid_t *pins) + { + int i; + bool present = false; +@@ -4420,7 +4420,7 @@ static bool detect_jacks(struct hda_codec *codec, int num_pins, hda_nid_t *pins) + } + + /* standard HP/line-out auto-mute helper */ +-static void do_automute(struct hda_codec *codec, int num_pins, hda_nid_t *pins, ++static void do_automute(struct hda_codec *codec, int num_pins, const hda_nid_t *pins, + int *paths, bool mute) + { + struct hda_gen_spec *spec = codec->spec; +diff --git a/sound/pci/hda/patch_analog.c b/sound/pci/hda/patch_analog.c +index bc9dd8e6fd86..c64895f99299 100644 +--- a/sound/pci/hda/patch_analog.c ++++ b/sound/pci/hda/patch_analog.c +@@ -389,7 +389,7 @@ static int patch_ad1986a(struct hda_codec *codec) + { + int err; + struct ad198x_spec *spec; +- static hda_nid_t preferred_pairs[] = { ++ static const hda_nid_t preferred_pairs[] = { + 0x1a, 0x03, + 0x1b, 0x03, + 0x1c, 0x04, +@@ -519,9 +519,9 @@ static int ad1983_add_spdif_mux_ctl(struct hda_codec *codec) + + static int patch_ad1983(struct hda_codec *codec) + { ++ static const hda_nid_t conn_0c[] = { 0x08 }; ++ static const hda_nid_t conn_0d[] = { 0x09 }; + struct ad198x_spec *spec; +- static hda_nid_t conn_0c[] = { 0x08 }; +- static hda_nid_t conn_0d[] = { 0x09 }; + int err; + + err = alloc_ad_spec(codec); +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 32ed46464af7..250534f90ce0 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -7802,23 +7802,23 @@ static void sbz_region2_exit(struct hda_codec *codec) + + static void sbz_set_pin_ctl_default(struct hda_codec *codec) + { +- hda_nid_t pins[5] = {0x0B, 0x0C, 0x0E, 0x12, 0x13}; ++ static const hda_nid_t pins[] = {0x0B, 0x0C, 0x0E, 0x12, 0x13}; + unsigned int i; + + snd_hda_codec_write(codec, 0x11, 0, + AC_VERB_SET_PIN_WIDGET_CONTROL, 0x40); + +- for (i = 0; i < 5; i++) ++ for (i = 0; i < ARRAY_SIZE(pins); i++) + snd_hda_codec_write(codec, pins[i], 0, + AC_VERB_SET_PIN_WIDGET_CONTROL, 0x00); + } + + static void ca0132_clear_unsolicited(struct hda_codec *codec) + { +- hda_nid_t pins[7] = {0x0B, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13}; ++ static const hda_nid_t pins[] = {0x0B, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13}; + unsigned int i; + +- for (i = 0; i < 7; i++) { ++ for (i = 0; i < ARRAY_SIZE(pins); i++) { + snd_hda_codec_write(codec, pins[i], 0, + AC_VERB_SET_UNSOLICITED_ENABLE, 0x00); + } +@@ -7842,10 +7842,10 @@ static void sbz_gpio_shutdown_commands(struct hda_codec *codec, int dir, + + static void zxr_dbpro_power_state_shutdown(struct hda_codec *codec) + { +- hda_nid_t pins[7] = {0x05, 0x0c, 0x09, 0x0e, 0x08, 0x11, 0x01}; ++ static const hda_nid_t pins[] = {0x05, 0x0c, 0x09, 0x0e, 0x08, 0x11, 0x01}; + unsigned int i; + +- for (i = 0; i < 7; i++) ++ for (i = 0; i < ARRAY_SIZE(pins); i++) + snd_hda_codec_write(codec, pins[i], 0, + AC_VERB_SET_POWER_STATE, 0x03); + } +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 90aa0f400a57..9853e00a0816 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -116,7 +116,7 @@ static void cx_auto_parse_eapd(struct hda_codec *codec) + } + + static void cx_auto_turn_eapd(struct hda_codec *codec, int num_pins, +- hda_nid_t *pins, bool on) ++ const hda_nid_t *pins, bool on) + { + int i; + for (i = 0; i < num_pins; i++) { +@@ -959,10 +959,10 @@ static const struct hda_model_fixup cxt5066_fixup_models[] = { + static void add_cx5051_fake_mutes(struct hda_codec *codec) + { + struct conexant_spec *spec = codec->spec; +- static hda_nid_t out_nids[] = { ++ static const hda_nid_t out_nids[] = { + 0x10, 0x11, 0 + }; +- hda_nid_t *p; ++ const hda_nid_t *p; + + for (p = out_nids; *p; p++) + snd_hda_override_amp_caps(codec, *p, HDA_OUTPUT, +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index dbfafee97931..5bb1959dae0f 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -464,10 +464,10 @@ static void set_eapd(struct hda_codec *codec, hda_nid_t nid, int on) + static void alc_auto_setup_eapd(struct hda_codec *codec, bool on) + { + /* We currently only handle front, HP */ +- static hda_nid_t pins[] = { ++ static const hda_nid_t pins[] = { + 0x0f, 0x10, 0x14, 0x15, 0x17, 0 + }; +- hda_nid_t *p; ++ const hda_nid_t *p; + for (p = pins; *p; p++) + set_eapd(codec, *p, on); + } +@@ -1935,19 +1935,19 @@ static void alc889_fixup_dac_route(struct hda_codec *codec, + { + if (action == HDA_FIXUP_ACT_PRE_PROBE) { + /* fake the connections during parsing the tree */ +- hda_nid_t conn1[2] = { 0x0c, 0x0d }; +- hda_nid_t conn2[2] = { 0x0e, 0x0f }; +- snd_hda_override_conn_list(codec, 0x14, 2, conn1); +- snd_hda_override_conn_list(codec, 0x15, 2, conn1); +- snd_hda_override_conn_list(codec, 0x18, 2, conn2); +- snd_hda_override_conn_list(codec, 0x1a, 2, conn2); ++ static const hda_nid_t conn1[] = { 0x0c, 0x0d }; ++ static const hda_nid_t conn2[] = { 0x0e, 0x0f }; ++ snd_hda_override_conn_list(codec, 0x14, ARRAY_SIZE(conn1), conn1); ++ snd_hda_override_conn_list(codec, 0x15, ARRAY_SIZE(conn1), conn1); ++ snd_hda_override_conn_list(codec, 0x18, ARRAY_SIZE(conn2), conn2); ++ snd_hda_override_conn_list(codec, 0x1a, ARRAY_SIZE(conn2), conn2); + } else if (action == HDA_FIXUP_ACT_PROBE) { + /* restore the connections */ +- hda_nid_t conn[5] = { 0x0c, 0x0d, 0x0e, 0x0f, 0x26 }; +- snd_hda_override_conn_list(codec, 0x14, 5, conn); +- snd_hda_override_conn_list(codec, 0x15, 5, conn); +- snd_hda_override_conn_list(codec, 0x18, 5, conn); +- snd_hda_override_conn_list(codec, 0x1a, 5, conn); ++ static const hda_nid_t conn[] = { 0x0c, 0x0d, 0x0e, 0x0f, 0x26 }; ++ snd_hda_override_conn_list(codec, 0x14, ARRAY_SIZE(conn), conn); ++ snd_hda_override_conn_list(codec, 0x15, ARRAY_SIZE(conn), conn); ++ snd_hda_override_conn_list(codec, 0x18, ARRAY_SIZE(conn), conn); ++ snd_hda_override_conn_list(codec, 0x1a, ARRAY_SIZE(conn), conn); + } + } + +@@ -1955,8 +1955,8 @@ static void alc889_fixup_dac_route(struct hda_codec *codec, + static void alc889_fixup_mbp_vref(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { ++ static const hda_nid_t nids[] = { 0x14, 0x15, 0x19 }; + struct alc_spec *spec = codec->spec; +- static hda_nid_t nids[3] = { 0x14, 0x15, 0x19 }; + int i; + + if (action != HDA_FIXUP_ACT_INIT) +@@ -1992,7 +1992,7 @@ static void alc889_fixup_mac_pins(struct hda_codec *codec, + static void alc889_fixup_imac91_vref(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +- static hda_nid_t nids[2] = { 0x18, 0x1a }; ++ static const hda_nid_t nids[] = { 0x18, 0x1a }; + + if (action == HDA_FIXUP_ACT_INIT) + alc889_fixup_mac_pins(codec, nids, ARRAY_SIZE(nids)); +@@ -2002,7 +2002,7 @@ static void alc889_fixup_imac91_vref(struct hda_codec *codec, + static void alc889_fixup_mba11_vref(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +- static hda_nid_t nids[1] = { 0x18 }; ++ static const hda_nid_t nids[] = { 0x18 }; + + if (action == HDA_FIXUP_ACT_INIT) + alc889_fixup_mac_pins(codec, nids, ARRAY_SIZE(nids)); +@@ -2012,7 +2012,7 @@ static void alc889_fixup_mba11_vref(struct hda_codec *codec, + static void alc889_fixup_mba21_vref(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +- static hda_nid_t nids[2] = { 0x18, 0x19 }; ++ static const hda_nid_t nids[] = { 0x18, 0x19 }; + + if (action == HDA_FIXUP_ACT_INIT) + alc889_fixup_mac_pins(codec, nids, ARRAY_SIZE(nids)); +@@ -2094,7 +2094,7 @@ static void alc1220_fixup_clevo_p950(struct hda_codec *codec, + const struct hda_fixup *fix, + int action) + { +- hda_nid_t conn1[1] = { 0x0c }; ++ static const hda_nid_t conn1[] = { 0x0c }; + + if (action != HDA_FIXUP_ACT_PRE_PROBE) + return; +@@ -2103,8 +2103,8 @@ static void alc1220_fixup_clevo_p950(struct hda_codec *codec, + /* We therefore want to make sure 0x14 (front headphone) and + * 0x1b (speakers) use the stereo DAC 0x02 + */ +- snd_hda_override_conn_list(codec, 0x14, 1, conn1); +- snd_hda_override_conn_list(codec, 0x1b, 1, conn1); ++ snd_hda_override_conn_list(codec, 0x14, ARRAY_SIZE(conn1), conn1); ++ snd_hda_override_conn_list(codec, 0x1b, ARRAY_SIZE(conn1), conn1); + } + + static void alc_fixup_headset_mode_no_hp_mic(struct hda_codec *codec, +@@ -5243,7 +5243,7 @@ static void alc_fixup_tpt470_dock(struct hda_codec *codec, + * the speaker output becomes too low by some reason on Thinkpads with + * ALC298 codec + */ +- static hda_nid_t preferred_pairs[] = { ++ static const hda_nid_t preferred_pairs[] = { + 0x14, 0x03, 0x17, 0x02, 0x21, 0x02, + 0 + }; +@@ -5515,9 +5515,9 @@ static void alc290_fixup_mono_speakers(struct hda_codec *codec, + /* DAC node 0x03 is giving mono output. We therefore want to + make sure 0x14 (front speaker) and 0x15 (headphones) use the + stereo DAC, while leaving 0x17 (bass speaker) for node 0x03. */ +- hda_nid_t conn1[2] = { 0x0c }; +- snd_hda_override_conn_list(codec, 0x14, 1, conn1); +- snd_hda_override_conn_list(codec, 0x15, 1, conn1); ++ static const hda_nid_t conn1[] = { 0x0c }; ++ snd_hda_override_conn_list(codec, 0x14, ARRAY_SIZE(conn1), conn1); ++ snd_hda_override_conn_list(codec, 0x15, ARRAY_SIZE(conn1), conn1); + } + } + +@@ -5532,8 +5532,8 @@ static void alc298_fixup_speaker_volume(struct hda_codec *codec, + Pin Complex), since Node 0x02 has Amp-out caps, we can adjust + speaker's volume now. */ + +- hda_nid_t conn1[1] = { 0x0c }; +- snd_hda_override_conn_list(codec, 0x17, 1, conn1); ++ static const hda_nid_t conn1[] = { 0x0c }; ++ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn1), conn1); + } + } + +@@ -5542,8 +5542,8 @@ static void alc295_fixup_disable_dac3(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { + if (action == HDA_FIXUP_ACT_PRE_PROBE) { +- hda_nid_t conn[2] = { 0x02, 0x03 }; +- snd_hda_override_conn_list(codec, 0x17, 2, conn); ++ static const hda_nid_t conn[] = { 0x02, 0x03 }; ++ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn); + } + } + +@@ -5552,8 +5552,8 @@ static void alc285_fixup_speaker2_to_dac1(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { + if (action == HDA_FIXUP_ACT_PRE_PROBE) { +- hda_nid_t conn[1] = { 0x02 }; +- snd_hda_override_conn_list(codec, 0x17, 1, conn); ++ static const hda_nid_t conn[] = { 0x02 }; ++ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn); + } + } + +@@ -5631,7 +5631,7 @@ static void alc274_fixup_bind_dacs(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { + struct alc_spec *spec = codec->spec; +- static hda_nid_t preferred_pairs[] = { ++ static const hda_nid_t preferred_pairs[] = { + 0x21, 0x03, 0x1b, 0x03, 0x16, 0x02, + 0 + }; +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index 9b816b377547..a608d0486ae4 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -795,7 +795,7 @@ static int find_mute_led_cfg(struct hda_codec *codec, int default_polarity) + static bool has_builtin_speaker(struct hda_codec *codec) + { + struct sigmatel_spec *spec = codec->spec; +- hda_nid_t *nid_pin; ++ const hda_nid_t *nid_pin; + int nids, i; + + if (spec->gen.autocfg.line_out_type == AUTO_PIN_SPEAKER_OUT) { +@@ -2182,7 +2182,7 @@ static void hp_envy_ts_fixup_dac_bind(struct hda_codec *codec, + int action) + { + struct sigmatel_spec *spec = codec->spec; +- static hda_nid_t preferred_pairs[] = { ++ static const hda_nid_t preferred_pairs[] = { + 0xd, 0x13, + 0 + }; +diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c +index 29dcdb8b36db..b40d01e01832 100644 +--- a/sound/pci/hda/patch_via.c ++++ b/sound/pci/hda/patch_via.c +@@ -1038,8 +1038,8 @@ static const struct snd_pci_quirk vt2002p_fixups[] = { + */ + static void fix_vt1802_connections(struct hda_codec *codec) + { +- static hda_nid_t conn_24[] = { 0x14, 0x1c }; +- static hda_nid_t conn_33[] = { 0x1c }; ++ static const hda_nid_t conn_24[] = { 0x14, 0x1c }; ++ static const hda_nid_t conn_33[] = { 0x1c }; + + snd_hda_override_conn_list(codec, 0x24, ARRAY_SIZE(conn_24), conn_24); + snd_hda_override_conn_list(codec, 0x33, ARRAY_SIZE(conn_33), conn_33); +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-constify-copied-structure.patch b/patches.suse/ALSA-hda-constify-copied-structure.patch new file mode 100644 index 0000000..5c999f7 --- /dev/null +++ b/patches.suse/ALSA-hda-constify-copied-structure.patch @@ -0,0 +1,37 @@ +From c56fc8c9ad7a8693a9c07a39fd3081576f908fea Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Wed, 1 Jan 2020 08:43:20 +0100 +Subject: [PATCH] ALSA: hda: constify copied structure +Git-commit: c56fc8c9ad7a8693a9c07a39fd3081576f908fea +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +The azx_pcm_hw structure is only copied into another structure, +so make it const. + +The opportunity for this change was found using Coccinelle. + +Signed-off-by: Julia Lawall +Link: https://lore.kernel.org/r/1577864614-5543-3-git-send-email-Julia.Lawall@inria.fr +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_controller.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c +index a74c85867eb3..9757667cdd58 100644 +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -548,7 +548,7 @@ static int azx_get_time_info(struct snd_pcm_substream *substream, + return 0; + } + +-static struct snd_pcm_hardware azx_pcm_hw = { ++static const struct snd_pcm_hardware azx_pcm_hw = { + .info = (SNDRV_PCM_INFO_MMAP | + SNDRV_PCM_INFO_INTERLEAVED | + SNDRV_PCM_INFO_BLOCK_TRANSFER | +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-correct-kernel-doc-parameter-descriptions.patch b/patches.suse/ALSA-hda-correct-kernel-doc-parameter-descriptions.patch new file mode 100644 index 0000000..2d9997d --- /dev/null +++ b/patches.suse/ALSA-hda-correct-kernel-doc-parameter-descriptions.patch @@ -0,0 +1,73 @@ +From 4f5c26534d395bf68de38c3d4b6170ab28d49a05 Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Mon, 13 Jan 2020 15:14:04 -0600 +Subject: [PATCH] ALSA: hda: correct kernel-doc parameter descriptions +Git-commit: 4f5c26534d395bf68de38c3d4b6170ab28d49a05 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +make W=1 throws warnings, provide missing documentation + +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20200113211405.28070-2-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_codec.c | 1 + + sound/pci/hda/hda_generic.c | 5 +++++ + sound/pci/hda/hda_jack.c | 2 ++ + sound/pci/hda/patch_ca0132.c | 1 + + 4 files changed, 9 insertions(+) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -853,6 +853,7 @@ static void snd_hda_codec_dev_release(st + /** + * snd_hda_codec_new - create a HDA codec + * @bus: the bus to assign ++ * @card: card for this codec + * @codec_addr: the codec address + * @codecp: the pointer to store the generated codec + * +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -4055,6 +4055,11 @@ static void call_ledtrig_micmute(struct + * + * Note that this fixup has to be called after other fixup that sets + * cap_sync_hook. Otherwise the chaining wouldn't work. ++ * ++ * @codec: the HDA codec ++ * @fix: fixup pointer ++ * @action: only supports HDA_FIXUP_ACT_PROBE value ++ * + */ + void snd_hda_gen_fixup_micmute_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) +--- a/sound/pci/hda/hda_jack.c ++++ b/sound/pci/hda/hda_jack.c +@@ -109,6 +109,7 @@ EXPORT_SYMBOL_GPL(snd_hda_jack_tbl_get_f + * snd_hda_jack_tbl_new - create a jack-table entry for the given NID + * @codec: the HDA codec + * @nid: pin NID to assign ++ * @dev_id: pin device entry id + */ + static struct hda_jack_tbl * + snd_hda_jack_tbl_new(struct hda_codec *codec, hda_nid_t nid) +@@ -198,6 +199,7 @@ EXPORT_SYMBOL_GPL(snd_hda_jack_set_dirty + * snd_hda_pin_sense - execute pin sense measurement + * @codec: the CODEC to sense + * @nid: the pin NID to sense ++ * @dev_id: pin device entry id + * + * Execute necessary pin sense measurement and return its Presence Detect, + * Impedance, ELD Valid etc. status bits. +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1936,6 +1936,7 @@ static int dspio_send_scp_message(struct + * Prepare and send the SCP message to DSP + * @codec: the HDA codec + * @mod_id: ID of the DSP module to send the command ++ * @src_id: ID of the source + * @req: ID of request to send to the DSP module + * @dir: SET or GET + * @data: pointer to the data to send with the request, request specific diff --git a/patches.suse/ALSA-hda-hdmi-Clean-up-Intel-platform-specific-fixup.patch b/patches.suse/ALSA-hda-hdmi-Clean-up-Intel-platform-specific-fixup.patch new file mode 100644 index 0000000..c9c51d4 --- /dev/null +++ b/patches.suse/ALSA-hda-hdmi-Clean-up-Intel-platform-specific-fixup.patch @@ -0,0 +1,96 @@ +From cb45722b289b54476b68883985c2824c69a7fba9 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 11 Nov 2019 20:09:37 +0100 +Subject: [PATCH] ALSA: hda/hdmi - Clean up Intel platform-specific fixup checks +Git-commit: cb45722b289b54476b68883985c2824c69a7fba9 +Patch-mainline: v5.5-rc1 +References: bsc#1111666 + +Introduce a new flag in hdmi_spec to indicate the Intel platform- +specific fixups so that we can get rid of the lengthy codec ID +checks. The flag is set in intel_hsw_common_init() commonly. + +Reviewed-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20191111190937.19186-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_hdmi.c | 27 +++++---------------------- + 1 file changed, 5 insertions(+), 22 deletions(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index d24bd95c6e95..69d1a6e41f0d 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -37,25 +37,6 @@ static bool static_hdmi_pcm; + module_param(static_hdmi_pcm, bool, 0644); + MODULE_PARM_DESC(static_hdmi_pcm, "Don't restrict PCM parameters per ELD info"); + +-#define is_haswell(codec) ((codec)->core.vendor_id == 0x80862807) +-#define is_broadwell(codec) ((codec)->core.vendor_id == 0x80862808) +-#define is_skylake(codec) ((codec)->core.vendor_id == 0x80862809) +-#define is_broxton(codec) ((codec)->core.vendor_id == 0x8086280a) +-#define is_kabylake(codec) ((codec)->core.vendor_id == 0x8086280b) +-#define is_geminilake(codec) (((codec)->core.vendor_id == 0x8086280d) || \ +- ((codec)->core.vendor_id == 0x80862800)) +-#define is_cannonlake(codec) ((codec)->core.vendor_id == 0x8086280c) +-#define is_icelake(codec) ((codec)->core.vendor_id == 0x8086280f) +-#define is_tigerlake(codec) ((codec)->core.vendor_id == 0x80862812) +-#define is_haswell_plus(codec) (is_haswell(codec) || is_broadwell(codec) \ +- || is_skylake(codec) || is_broxton(codec) \ +- || is_kabylake(codec) || is_geminilake(codec) \ +- || is_cannonlake(codec) || is_icelake(codec) \ +- || is_tigerlake(codec)) +-#define is_valleyview(codec) ((codec)->core.vendor_id == 0x80862882) +-#define is_cherryview(codec) ((codec)->core.vendor_id == 0x80862883) +-#define is_valleyview_plus(codec) (is_valleyview(codec) || is_cherryview(codec)) +- + struct hdmi_spec_per_cvt { + hda_nid_t cvt_nid; + int assigned; +@@ -162,6 +143,7 @@ struct hdmi_spec { + + bool dyn_pin_out; + bool dyn_pcm_assign; ++ bool intel_hsw_fixup; /* apply Intel platform-specific fixups */ + /* + * Non-generic VIA/NVIDIA specific + */ +@@ -925,7 +907,7 @@ static int hdmi_setup_stream(struct hda_codec *codec, hda_nid_t cvt_nid, + return err; + } + +- if (is_haswell_plus(codec)) { ++ if (spec->intel_hsw_fixup) { + + /* + * on recent platforms IEC Coding Type is required for HBR +@@ -1709,7 +1691,7 @@ static int hdmi_add_pin(struct hda_codec *codec, hda_nid_t pin_nid) + * To simplify the implementation, malloc all + * the virtual pins in the initialization statically + */ +- if (is_haswell_plus(codec)) { ++ if (spec->intel_hsw_fixup) { + /* + * On Intel platforms, device entries number is + * changed dynamically. If there is a DP MST +@@ -1758,7 +1740,7 @@ static int hdmi_add_pin(struct hda_codec *codec, hda_nid_t pin_nid) + per_pin->dev_id = i; + per_pin->non_pcm = false; + snd_hda_set_dev_select(codec, pin_nid, i); +- if (is_haswell_plus(codec)) ++ if (spec->intel_hsw_fixup) + intel_haswell_fixup_connect_list(codec, pin_nid); + err = hdmi_read_pin_conn(codec, pin_idx); + if (err < 0) +@@ -2825,6 +2807,7 @@ static int intel_hsw_common_init(struct hda_codec *codec, hda_nid_t vendor_nid, + spec->vendor_nid = vendor_nid; + spec->port_map = port_map; + spec->port_num = port_num; ++ spec->intel_hsw_fixup = true; + + intel_haswell_enable_all_pins(codec, true); + intel_haswell_fixup_enable_dp12(codec); +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-hdmi-add-Tigerlake-support.patch b/patches.suse/ALSA-hda-hdmi-add-Tigerlake-support.patch new file mode 100644 index 0000000..6453f85 --- /dev/null +++ b/patches.suse/ALSA-hda-hdmi-add-Tigerlake-support.patch @@ -0,0 +1,55 @@ +From 9a11ba7388f165762549903492fc34d29bbb3c04 Mon Sep 17 00:00:00 2001 +From: Kai Vehmanen +Date: Tue, 5 Nov 2019 18:10:53 +0200 +Subject: [PATCH] ALSA: hda: hdmi - add Tigerlake support +Git-commit: 9a11ba7388f165762549903492fc34d29bbb3c04 +Patch-mainline: v5.4-rc7 +References: bsc#1111666 + +Add Tigerlake HDMI codec support. + +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=205379 +Buglink: https://bugs.freedesktop.org/show_bug.cgi?id=112171 +Cc: Pan Xiuli +Signed-off-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20191105161053.22958-1-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_hdmi.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index b72553710ffb..3c720703ebb8 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2851,6 +2851,18 @@ static int patch_i915_icl_hdmi(struct hda_codec *codec) + return intel_hsw_common_init(codec, 0x02, map, ARRAY_SIZE(map)); + } + ++static int patch_i915_tgl_hdmi(struct hda_codec *codec) ++{ ++ /* ++ * pin to port mapping table where the value indicate the pin number and ++ * the index indicate the port number with 1 base. ++ */ ++ static const int map[] = {0x4, 0x6, 0x8, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf}; ++ ++ return intel_hsw_common_init(codec, 0x02, map, ARRAY_SIZE(map)); ++} ++ ++ + /* Intel Baytrail and Braswell; with eld notifier */ + static int patch_i915_byt_hdmi(struct hda_codec *codec) + { +@@ -4153,6 +4165,7 @@ HDA_CODEC_ENTRY(0x8086280b, "Kabylake HDMI", patch_i915_hsw_hdmi), + HDA_CODEC_ENTRY(0x8086280c, "Cannonlake HDMI", patch_i915_glk_hdmi), + HDA_CODEC_ENTRY(0x8086280d, "Geminilake HDMI", patch_i915_glk_hdmi), + HDA_CODEC_ENTRY(0x8086280f, "Icelake HDMI", patch_i915_icl_hdmi), ++HDA_CODEC_ENTRY(0x80862812, "Tigerlake HDMI", patch_i915_tgl_hdmi), + HDA_CODEC_ENTRY(0x80862880, "CedarTrail HDMI", patch_generic_hdmi), + HDA_CODEC_ENTRY(0x80862882, "Valleyview2 HDMI", patch_i915_byt_hdmi), + HDA_CODEC_ENTRY(0x80862883, "Braswell HDMI", patch_i915_byt_hdmi), +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-hdmi-add-retry-logic-to-parse_intel_hdmi.patch b/patches.suse/ALSA-hda-hdmi-add-retry-logic-to-parse_intel_hdmi.patch new file mode 100644 index 0000000..9655c36 --- /dev/null +++ b/patches.suse/ALSA-hda-hdmi-add-retry-logic-to-parse_intel_hdmi.patch @@ -0,0 +1,51 @@ +From 2928fa0a97ebb9549cb877fdc99aed9b95438c3a Mon Sep 17 00:00:00 2001 +From: Kai Vehmanen +Date: Mon, 20 Jan 2020 18:01:17 +0200 +Subject: [PATCH] ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() +Git-commit: 2928fa0a97ebb9549cb877fdc99aed9b95438c3a +Patch-mainline: v5.6-rc1 +References: git-fixes + +The initial snd_hda_get_sub_node() can fail on certain +devices (e.g. some Chromebook models using Intel GLK). +The failure rate is very low, but as this is is part of +the probe process, end-user impact is high. + +In observed cases, related hardware status registers have +expected values, but the node query still fails. Retrying +the node query does seem to help, so fix the problem by +adding retry logic to the query. This does not impact +non-Intel platforms. + +Buglink: https://github.com/thesofproject/linux/issues/1642 +Signed-off-by: Kai Vehmanen +Reviewed-by: Takashi Iwai +Link: https://lore.kernel.org/r/20200120160117.29130-4-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_hdmi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index ce3c212ee467..48bddc218829 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2833,9 +2833,12 @@ static int alloc_intel_hdmi(struct hda_codec *codec) + /* parse and post-process for Intel codecs */ + static int parse_intel_hdmi(struct hda_codec *codec) + { +- int err; ++ int err, retries = 3; ++ ++ do { ++ err = hdmi_parse_codec(codec); ++ } while (err < 0 && retries--); + +- err = hdmi_parse_codec(codec); + if (err < 0) { + generic_spec_free(codec); + return err; +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-hdmi-fix-pin-setup-on-Tigerlake.patch b/patches.suse/ALSA-hda-hdmi-fix-pin-setup-on-Tigerlake.patch new file mode 100644 index 0000000..82fccf4 --- /dev/null +++ b/patches.suse/ALSA-hda-hdmi-fix-pin-setup-on-Tigerlake.patch @@ -0,0 +1,43 @@ +From a7d0358ea3b7f8d7216e663c1ae71cabf7ac24e3 Mon Sep 17 00:00:00 2001 +From: Kai Vehmanen +Date: Mon, 11 Nov 2019 15:38:38 +0200 +Subject: [PATCH] ALSA: hda: hdmi - fix pin setup on Tigerlake +Git-commit: a7d0358ea3b7f8d7216e663c1ae71cabf7ac24e3 +Patch-mainline: v5.4-rc8 +References: bsc#1111666 + +Apply same logic to pin setup as on previous platforms. Fixes +errors in HDMI/DP playback. + +Tested with both snd-hda-intel and SOF drivers. + +Fixes: 9a11ba7388f1 ("ALSA: hda: hdmi - add Tigerlake support") +Signed-off-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20191111133838.21213-1-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_hdmi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 3c720703ebb8..78bd2e3722c7 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -46,10 +46,12 @@ MODULE_PARM_DESC(static_hdmi_pcm, "Don't restrict PCM parameters per ELD info"); + ((codec)->core.vendor_id == 0x80862800)) + #define is_cannonlake(codec) ((codec)->core.vendor_id == 0x8086280c) + #define is_icelake(codec) ((codec)->core.vendor_id == 0x8086280f) ++#define is_tigerlake(codec) ((codec)->core.vendor_id == 0x80862812) + #define is_haswell_plus(codec) (is_haswell(codec) || is_broadwell(codec) \ + || is_skylake(codec) || is_broxton(codec) \ + || is_kabylake(codec) || is_geminilake(codec) \ +- || is_cannonlake(codec) || is_icelake(codec)) ++ || is_cannonlake(codec) || is_icelake(codec) \ ++ || is_tigerlake(codec)) + #define is_valleyview(codec) ((codec)->core.vendor_id == 0x80862882) + #define is_cherryview(codec) ((codec)->core.vendor_id == 0x80862883) + #define is_valleyview_plus(codec) (is_valleyview(codec) || is_cherryview(codec)) +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-patch_hdmi-remove-warnings-with-empty-body.patch b/patches.suse/ALSA-hda-patch_hdmi-remove-warnings-with-empty-body.patch new file mode 100644 index 0000000..b985cdd --- /dev/null +++ b/patches.suse/ALSA-hda-patch_hdmi-remove-warnings-with-empty-body.patch @@ -0,0 +1,53 @@ +From 75663c093d0bbbf51e3a3149f91f3148a7be3c5c Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Mon, 13 Jan 2020 15:14:05 -0600 +Subject: [PATCH] ALSA: hda: patch_hdmi: remove warnings with empty body +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 75663c093d0bbbf51e3a3149f91f3148a7be3c5c +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +make W=1 reports the following warnings, fix as suggested + +Sound/pci/hda/patch_hdmi.c: In function ‘hdmi_non_intrinsic_event’: +sound/pci/hda/patch_hdmi.c:824:3: warning: suggest braces around empty +body in an ‘if’ statement [-Wempty-body] + 824 | ; + | ^ +sound/pci/hda/patch_hdmi.c:826:3: warning: suggest braces around empty +body in an ‘if’ statement [-Wempty-body] + 826 | ; + | ^ + +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20200113211405.28070-3-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_hdmi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 3a18fa4f8c21..ce3c212ee467 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -820,10 +820,12 @@ static void hdmi_non_intrinsic_event(struct hda_codec *codec, unsigned int res) + cp_ready); + + /* TODO */ +- if (cp_state) ++ if (cp_state) { + ; +- if (cp_ready) ++ } ++ if (cp_ready) { + ; ++ } + } + + +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-patch_realtek-fix-empty-macro-usage-in-if-b.patch b/patches.suse/ALSA-hda-patch_realtek-fix-empty-macro-usage-in-if-b.patch new file mode 100644 index 0000000..8fa3556 --- /dev/null +++ b/patches.suse/ALSA-hda-patch_realtek-fix-empty-macro-usage-in-if-b.patch @@ -0,0 +1,55 @@ +From 8a71821f12a010d7100f9cc1f7b218aff0313c4a Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Sat, 11 Jan 2020 15:47:35 -0600 +Subject: [PATCH] ALSA: hda: patch_realtek: fix empty macro usage in if block +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 8a71821f12a010d7100f9cc1f7b218aff0313c4a +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +GCC reports the following warning with W=1 + +Sound/pci/hda/patch_realtek.c: In function ‘alc269_suspend’: +sound/pci/hda/patch_realtek.c:3616:29: warning: suggest braces around +empty body in an ‘if’ statement [-Wempty-body] + 3616 | alc5505_dsp_suspend(codec); + | ^ + +Sound/pci/hda/patch_realtek.c: In function ‘alc269_resume’: +sound/pci/hda/patch_realtek.c:3651:28: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] + 3651 | alc5505_dsp_resume(codec); + | ^ + +This is a classic macro problem and can indeed lead to bad program +flows. + +Fix by using the usual "do { } while (0)" pattern + +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20200111214736.3002-2-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 181e15072692..ed7982f5460d 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3601,8 +3601,8 @@ static void alc5505_dsp_init(struct hda_codec *codec) + } + + #ifdef HALT_REALTEK_ALC5505 +-#define alc5505_dsp_suspend(codec) /* NOP */ +-#define alc5505_dsp_resume(codec) /* NOP */ ++#define alc5505_dsp_suspend(codec) do { } while (0) /* NOP */ ++#define alc5505_dsp_resume(codec) do { } while (0) /* NOP */ + #else + #define alc5505_dsp_suspend(codec) alc5505_dsp_halt(codec) + #define alc5505_dsp_resume(codec) alc5505_dsp_back_from_halt(codec) +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-realtek-Add-Headset-Mic-supported-for-HP-cP.patch b/patches.suse/ALSA-hda-realtek-Add-Headset-Mic-supported-for-HP-cP.patch new file mode 100644 index 0000000..abd1af9 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Add-Headset-Mic-supported-for-HP-cP.patch @@ -0,0 +1,97 @@ +From 5af29028fd6db9438b5584ab7179710a0a22569d Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Fri, 17 Jan 2020 14:04:01 +0800 +Subject: [PATCH] ALSA: hda/realtek - Add Headset Mic supported for HP cPC +Git-commit: 5af29028fd6db9438b5584ab7179710a0a22569d +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +HP ALC671 need to support Headset Mic. + +Signed-off-by: Kailang Yang +Link: https://lore.kernel.org/r/06a9d2b176e14706976d6584cbe2d92a@realtek.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 44 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 27b522b9dfda..3b38a13abb7a 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8484,6 +8484,29 @@ static void alc662_fixup_aspire_ethos_hp(struct hda_codec *codec, + } + } + ++static void alc671_fixup_hp_headset_mic2(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ static const struct hda_pintbl pincfgs[] = { ++ { 0x19, 0x02a11040 }, /* use as headset mic, with its own jack detect */ ++ { 0x1b, 0x0181304f }, ++ { } ++ }; ++ ++ switch (action) { ++ case HDA_FIXUP_ACT_PRE_PROBE: ++ spec->gen.mixer_nid = 0; ++ spec->parse_flags |= HDA_PINCFG_HEADSET_MIC; ++ snd_hda_apply_pincfgs(codec, pincfgs); ++ break; ++ case HDA_FIXUP_ACT_INIT: ++ alc_write_coef_idx(codec, 0x19, 0xa054); ++ break; ++ } ++} ++ + static const struct coef_fw alc668_coefs[] = { + WRITE_COEF(0x01, 0xbebe), WRITE_COEF(0x02, 0xaaaa), WRITE_COEF(0x03, 0x0), + WRITE_COEF(0x04, 0x0180), WRITE_COEF(0x06, 0x0), WRITE_COEF(0x07, 0x0f80), +@@ -8557,6 +8580,7 @@ enum { + ALC662_FIXUP_LENOVO_MULTI_CODECS, + ALC669_FIXUP_ACER_ASPIRE_ETHOS, + ALC669_FIXUP_ACER_ASPIRE_ETHOS_HEADSET, ++ ALC671_FIXUP_HP_HEADSET_MIC2, + }; + + static const struct hda_fixup alc662_fixups[] = { +@@ -8898,6 +8922,10 @@ static const struct hda_fixup alc662_fixups[] = { + .chained = true, + .chain_id = ALC669_FIXUP_ACER_ASPIRE_ETHOS_HEADSET + }, ++ [ALC671_FIXUP_HP_HEADSET_MIC2] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc671_fixup_hp_headset_mic2, ++ }, + }; + + static const struct snd_pci_quirk alc662_fixup_tbl[] = { +@@ -9080,6 +9108,22 @@ static const struct snd_hda_pin_quirk alc662_pin_fixup_tbl[] = { + {0x12, 0x90a60130}, + {0x14, 0x90170110}, + {0x15, 0x0321101f}), ++ SND_HDA_PIN_QUIRK(0x10ec0671, 0x103c, "HP cPC", ALC671_FIXUP_HP_HEADSET_MIC2, ++ {0x14, 0x01014010}, ++ {0x17, 0x90170150}, ++ {0x1b, 0x01813030}, ++ {0x21, 0x02211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0671, 0x103c, "HP cPC", ALC671_FIXUP_HP_HEADSET_MIC2, ++ {0x14, 0x01014010}, ++ {0x18, 0x01a19040}, ++ {0x1b, 0x01813030}, ++ {0x21, 0x02211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0671, 0x103c, "HP cPC", ALC671_FIXUP_HP_HEADSET_MIC2, ++ {0x14, 0x01014020}, ++ {0x17, 0x90170110}, ++ {0x18, 0x01a19050}, ++ {0x1b, 0x01813040}, ++ {0x21, 0x02211030}), + {} + }; + +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-realtek-Apply-mic-mute-LED-quirk-for-Dell-E.patch b/patches.suse/ALSA-hda-realtek-Apply-mic-mute-LED-quirk-for-Dell-E.patch new file mode 100644 index 0000000..a2baf76 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Apply-mic-mute-LED-quirk-for-Dell-E.patch @@ -0,0 +1,59 @@ +From 5fab5829674c279839a7408ab30c71c6dfe726b9 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 5 Jan 2020 09:11:19 +0100 +Subject: [PATCH] ALSA: hda/realtek - Apply mic mute LED quirk for Dell E7xx laptops, too +Git-commit: 5fab5829674c279839a7408ab30c71c6dfe726b9 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Dell E7xx laptops have also mic mute LED that is driven by the +dell-laptop platform driver. Bind it with the capture control as +already done for other models. + +A caveat is that the fixup hook for the mic mute LED has to be applied +at last, otherwise it results in the invalid override of the callback. + +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=205529 +Link: https://lore.kernel.org/r/20200105081119.21396-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 5bb1959dae0f..7fb3d6868f7c 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5844,6 +5844,7 @@ enum { + ALC288_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC288_FIXUP_DELL_XPS_13, + ALC288_FIXUP_DISABLE_AAMIX, ++ ALC292_FIXUP_DELL_E7X_AAMIX, + ALC292_FIXUP_DELL_E7X, + ALC292_FIXUP_DISABLE_AAMIX, + ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK, +@@ -6536,12 +6537,19 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC293_FIXUP_DELL1_MIC_NO_PRESENCE + }, +- [ALC292_FIXUP_DELL_E7X] = { ++ [ALC292_FIXUP_DELL_E7X_AAMIX] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc_fixup_dell_xps13, + .chained = true, + .chain_id = ALC292_FIXUP_DISABLE_AAMIX + }, ++ [ALC292_FIXUP_DELL_E7X] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = snd_hda_gen_fixup_micmute_led, ++ /* micmute fixup must be applied at last */ ++ .chained_before = true, ++ .chain_id = ALC292_FIXUP_DELL_E7X_AAMIX, ++ }, + [ALC298_FIXUP_ALIENWARE_MIC_NO_PRESENCE] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-realtek-Fixed-one-of-HP-ALC671-platform-Hea.patch b/patches.suse/ALSA-hda-realtek-Fixed-one-of-HP-ALC671-platform-Hea.patch new file mode 100644 index 0000000..e487288 --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Fixed-one-of-HP-ALC671-platform-Hea.patch @@ -0,0 +1,35 @@ +From f2adbae0cb20c8eaf06914b2187043ea944b0aff Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Wed, 5 Feb 2020 15:40:01 +0800 +Subject: [PATCH] ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported +Git-commit: f2adbae0cb20c8eaf06914b2187043ea944b0aff +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +HP want to keep BIOS verb table for release platform. +So, it need to add 0x19 pin for quirk. + +Fixes: 5af29028fd6d ("ALSA: hda/realtek - Add Headset Mic supported for HP cPC") +Signed-off-by: Kailang Yang +Link: https://lore.kernel.org/r/74636ccb700a4cbda24c58a99dc430ce@realtek.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 3b38a13abb7a..4770fb3f51fb 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9111,6 +9111,7 @@ static const struct snd_hda_pin_quirk alc662_pin_fixup_tbl[] = { + SND_HDA_PIN_QUIRK(0x10ec0671, 0x103c, "HP cPC", ALC671_FIXUP_HP_HEADSET_MIC2, + {0x14, 0x01014010}, + {0x17, 0x90170150}, ++ {0x19, 0x02a11060}, + {0x1b, 0x01813030}, + {0x21, 0x02211020}), + SND_HDA_PIN_QUIRK(0x10ec0671, 0x103c, "HP cPC", ALC671_FIXUP_HP_HEADSET_MIC2, +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-realtek-More-constifications.patch b/patches.suse/ALSA-hda-realtek-More-constifications.patch new file mode 100644 index 0000000..719c28c --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-More-constifications.patch @@ -0,0 +1,478 @@ +From 6b0f95c49d890440c01a759c767dfe40e2acdbf2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 5 Jan 2020 15:47:18 +0100 +Subject: [PATCH] ALSA: hda/realtek - More constifications +Git-commit: 6b0f95c49d890440c01a759c767dfe40e2acdbf2 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Apply const prefix to each coef table array. + +Just for minor optimization and no functional changes. + +Link: https://lore.kernel.org/r/20200105144823.29547-4-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 118 +++++++++++++++++++++--------------------- + 1 file changed, 59 insertions(+), 59 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 76b603544f2a..73407b25a777 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -948,7 +948,7 @@ struct alc_codec_rename_pci_table { + const char *name; + }; + +-static struct alc_codec_rename_table rename_tbl[] = { ++static const struct alc_codec_rename_table rename_tbl[] = { + { 0x10ec0221, 0xf00f, 0x1003, "ALC231" }, + { 0x10ec0269, 0xfff0, 0x3010, "ALC277" }, + { 0x10ec0269, 0xf0f0, 0x2010, "ALC259" }, +@@ -969,7 +969,7 @@ static struct alc_codec_rename_table rename_tbl[] = { + { } /* terminator */ + }; + +-static struct alc_codec_rename_pci_table rename_pci_tbl[] = { ++static const struct alc_codec_rename_pci_table rename_pci_tbl[] = { + { 0x10ec0280, 0x1028, 0, "ALC3220" }, + { 0x10ec0282, 0x1028, 0, "ALC3221" }, + { 0x10ec0283, 0x1028, 0, "ALC3223" }, +@@ -2995,7 +2995,7 @@ static void alc269_shutup(struct hda_codec *codec) + alc_shutup_pins(codec); + } + +-static struct coef_fw alc282_coefs[] = { ++static const struct coef_fw alc282_coefs[] = { + WRITE_COEF(0x03, 0x0002), /* Power Down Control */ + UPDATE_COEF(0x05, 0xff3f, 0x0700), /* FIFO and filter clock */ + WRITE_COEF(0x07, 0x0200), /* DMIC control */ +@@ -3107,7 +3107,7 @@ static void alc282_shutup(struct hda_codec *codec) + alc_write_coef_idx(codec, 0x78, coef78); + } + +-static struct coef_fw alc283_coefs[] = { ++static const struct coef_fw alc283_coefs[] = { + WRITE_COEF(0x03, 0x0002), /* Power Down Control */ + UPDATE_COEF(0x05, 0xff3f, 0x0700), /* FIFO and filter clock */ + WRITE_COEF(0x07, 0x0200), /* DMIC control */ +@@ -4183,7 +4183,7 @@ static void alc269_fixup_hp_line1_mic1_led(struct hda_codec *codec, + } + } + +-static struct coef_fw alc225_pre_hsmode[] = { ++static const struct coef_fw alc225_pre_hsmode[] = { + UPDATE_COEF(0x4a, 1<<8, 0), + UPDATE_COEFEX(0x57, 0x05, 1<<14, 0), + UPDATE_COEF(0x63, 3<<14, 3<<14), +@@ -4196,7 +4196,7 @@ static struct coef_fw alc225_pre_hsmode[] = { + + static void alc_headset_mode_unplugged(struct hda_codec *codec) + { +- static struct coef_fw coef0255[] = { ++ static const struct coef_fw coef0255[] = { + WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */ + WRITE_COEF(0x45, 0xd089), /* UAJ function set to menual mode */ + UPDATE_COEFEX(0x57, 0x05, 1<<14, 0), /* Direct Drive HP Amp control(Set to verb control)*/ +@@ -4204,7 +4204,7 @@ static void alc_headset_mode_unplugged(struct hda_codec *codec) + WRITE_COEFEX(0x57, 0x03, 0x8aa6), /* Direct Drive HP Amp control */ + {} + }; +- static struct coef_fw coef0256[] = { ++ static const struct coef_fw coef0256[] = { + WRITE_COEF(0x1b, 0x0c4b), /* LDO and MISC control */ + WRITE_COEF(0x45, 0xd089), /* UAJ function set to menual mode */ + WRITE_COEF(0x06, 0x6104), /* Set MIC2 Vref gate with HP */ +@@ -4212,7 +4212,7 @@ static void alc_headset_mode_unplugged(struct hda_codec *codec) + UPDATE_COEFEX(0x57, 0x05, 1<<14, 0), /* Direct Drive HP Amp control(Set to verb control)*/ + {} + }; +- static struct coef_fw coef0233[] = { ++ static const struct coef_fw coef0233[] = { + WRITE_COEF(0x1b, 0x0c0b), + WRITE_COEF(0x45, 0xc429), + UPDATE_COEF(0x35, 0x4000, 0), +@@ -4222,7 +4222,7 @@ static void alc_headset_mode_unplugged(struct hda_codec *codec) + WRITE_COEF(0x32, 0x42a3), + {} + }; +- static struct coef_fw coef0288[] = { ++ static const struct coef_fw coef0288[] = { + UPDATE_COEF(0x4f, 0xfcc0, 0xc400), + UPDATE_COEF(0x50, 0x2000, 0x2000), + UPDATE_COEF(0x56, 0x0006, 0x0006), +@@ -4230,18 +4230,18 @@ static void alc_headset_mode_unplugged(struct hda_codec *codec) + UPDATE_COEF(0x67, 0x2000, 0), + {} + }; +- static struct coef_fw coef0298[] = { ++ static const struct coef_fw coef0298[] = { + UPDATE_COEF(0x19, 0x1300, 0x0300), + {} + }; +- static struct coef_fw coef0292[] = { ++ static const struct coef_fw coef0292[] = { + WRITE_COEF(0x76, 0x000e), + WRITE_COEF(0x6c, 0x2400), + WRITE_COEF(0x18, 0x7308), + WRITE_COEF(0x6b, 0xc429), + {} + }; +- static struct coef_fw coef0293[] = { ++ static const struct coef_fw coef0293[] = { + UPDATE_COEF(0x10, 7<<8, 6<<8), /* SET Line1 JD to 0 */ + UPDATE_COEFEX(0x57, 0x05, 1<<15|1<<13, 0x0), /* SET charge pump by verb */ + UPDATE_COEFEX(0x57, 0x03, 1<<10, 1<<10), /* SET EN_OSW to 1 */ +@@ -4250,16 +4250,16 @@ static void alc_headset_mode_unplugged(struct hda_codec *codec) + UPDATE_COEF(0x4a, 0x000f, 0x000e), /* Combo Jack auto detect */ + {} + }; +- static struct coef_fw coef0668[] = { ++ static const struct coef_fw coef0668[] = { + WRITE_COEF(0x15, 0x0d40), + WRITE_COEF(0xb7, 0x802b), + {} + }; +- static struct coef_fw coef0225[] = { ++ static const struct coef_fw coef0225[] = { + UPDATE_COEF(0x63, 3<<14, 0), + {} + }; +- static struct coef_fw coef0274[] = { ++ static const struct coef_fw coef0274[] = { + UPDATE_COEF(0x4a, 0x0100, 0), + UPDATE_COEFEX(0x57, 0x05, 0x4000, 0), + UPDATE_COEF(0x6b, 0xf000, 0x5000), +@@ -4324,25 +4324,25 @@ static void alc_headset_mode_unplugged(struct hda_codec *codec) + static void alc_headset_mode_mic_in(struct hda_codec *codec, hda_nid_t hp_pin, + hda_nid_t mic_pin) + { +- static struct coef_fw coef0255[] = { ++ static const struct coef_fw coef0255[] = { + WRITE_COEFEX(0x57, 0x03, 0x8aa6), + WRITE_COEF(0x06, 0x6100), /* Set MIC2 Vref gate to normal */ + {} + }; +- static struct coef_fw coef0256[] = { ++ static const struct coef_fw coef0256[] = { + UPDATE_COEFEX(0x57, 0x05, 1<<14, 1<<14), /* Direct Drive HP Amp control(Set to verb control)*/ + WRITE_COEFEX(0x57, 0x03, 0x09a3), + WRITE_COEF(0x06, 0x6100), /* Set MIC2 Vref gate to normal */ + {} + }; +- static struct coef_fw coef0233[] = { ++ static const struct coef_fw coef0233[] = { + UPDATE_COEF(0x35, 0, 1<<14), + WRITE_COEF(0x06, 0x2100), + WRITE_COEF(0x1a, 0x0021), + WRITE_COEF(0x26, 0x008c), + {} + }; +- static struct coef_fw coef0288[] = { ++ static const struct coef_fw coef0288[] = { + UPDATE_COEF(0x4f, 0x00c0, 0), + UPDATE_COEF(0x50, 0x2000, 0), + UPDATE_COEF(0x56, 0x0006, 0), +@@ -4351,30 +4351,30 @@ static void alc_headset_mode_mic_in(struct hda_codec *codec, hda_nid_t hp_pin, + UPDATE_COEF(0x67, 0x2000, 0x2000), + {} + }; +- static struct coef_fw coef0292[] = { ++ static const struct coef_fw coef0292[] = { + WRITE_COEF(0x19, 0xa208), + WRITE_COEF(0x2e, 0xacf0), + {} + }; +- static struct coef_fw coef0293[] = { ++ static const struct coef_fw coef0293[] = { + UPDATE_COEFEX(0x57, 0x05, 0, 1<<15|1<<13), /* SET charge pump by verb */ + UPDATE_COEFEX(0x57, 0x03, 1<<10, 0), /* SET EN_OSW to 0 */ + UPDATE_COEF(0x1a, 1<<3, 0), /* Combo JD gating without LINE1-VREFO */ + {} + }; +- static struct coef_fw coef0688[] = { ++ static const struct coef_fw coef0688[] = { + WRITE_COEF(0xb7, 0x802b), + WRITE_COEF(0xb5, 0x1040), + UPDATE_COEF(0xc3, 0, 1<<12), + {} + }; +- static struct coef_fw coef0225[] = { ++ static const struct coef_fw coef0225[] = { + UPDATE_COEFEX(0x57, 0x05, 1<<14, 1<<14), + UPDATE_COEF(0x4a, 3<<4, 2<<4), + UPDATE_COEF(0x63, 3<<14, 0), + {} + }; +- static struct coef_fw coef0274[] = { ++ static const struct coef_fw coef0274[] = { + UPDATE_COEFEX(0x57, 0x05, 0x4000, 0x4000), + UPDATE_COEF(0x4a, 0x0010, 0), + UPDATE_COEF(0x6b, 0xf000, 0), +@@ -4460,7 +4460,7 @@ static void alc_headset_mode_mic_in(struct hda_codec *codec, hda_nid_t hp_pin, + + static void alc_headset_mode_default(struct hda_codec *codec) + { +- static struct coef_fw coef0225[] = { ++ static const struct coef_fw coef0225[] = { + UPDATE_COEF(0x45, 0x3f<<10, 0x30<<10), + UPDATE_COEF(0x45, 0x3f<<10, 0x31<<10), + UPDATE_COEF(0x49, 3<<8, 0<<8), +@@ -4469,14 +4469,14 @@ static void alc_headset_mode_default(struct hda_codec *codec) + UPDATE_COEF(0x67, 0xf000, 0x3000), + {} + }; +- static struct coef_fw coef0255[] = { ++ static const struct coef_fw coef0255[] = { + WRITE_COEF(0x45, 0xc089), + WRITE_COEF(0x45, 0xc489), + WRITE_COEFEX(0x57, 0x03, 0x8ea6), + WRITE_COEF(0x49, 0x0049), + {} + }; +- static struct coef_fw coef0256[] = { ++ static const struct coef_fw coef0256[] = { + WRITE_COEF(0x45, 0xc489), + WRITE_COEFEX(0x57, 0x03, 0x0da3), + WRITE_COEF(0x49, 0x0049), +@@ -4484,12 +4484,12 @@ static void alc_headset_mode_default(struct hda_codec *codec) + WRITE_COEF(0x06, 0x6100), + {} + }; +- static struct coef_fw coef0233[] = { ++ static const struct coef_fw coef0233[] = { + WRITE_COEF(0x06, 0x2100), + WRITE_COEF(0x32, 0x4ea3), + {} + }; +- static struct coef_fw coef0288[] = { ++ static const struct coef_fw coef0288[] = { + UPDATE_COEF(0x4f, 0xfcc0, 0xc400), /* Set to TRS type */ + UPDATE_COEF(0x50, 0x2000, 0x2000), + UPDATE_COEF(0x56, 0x0006, 0x0006), +@@ -4497,26 +4497,26 @@ static void alc_headset_mode_default(struct hda_codec *codec) + UPDATE_COEF(0x67, 0x2000, 0), + {} + }; +- static struct coef_fw coef0292[] = { ++ static const struct coef_fw coef0292[] = { + WRITE_COEF(0x76, 0x000e), + WRITE_COEF(0x6c, 0x2400), + WRITE_COEF(0x6b, 0xc429), + WRITE_COEF(0x18, 0x7308), + {} + }; +- static struct coef_fw coef0293[] = { ++ static const struct coef_fw coef0293[] = { + UPDATE_COEF(0x4a, 0x000f, 0x000e), /* Combo Jack auto detect */ + WRITE_COEF(0x45, 0xC429), /* Set to TRS type */ + UPDATE_COEF(0x1a, 1<<3, 0), /* Combo JD gating without LINE1-VREFO */ + {} + }; +- static struct coef_fw coef0688[] = { ++ static const struct coef_fw coef0688[] = { + WRITE_COEF(0x11, 0x0041), + WRITE_COEF(0x15, 0x0d40), + WRITE_COEF(0xb7, 0x802b), + {} + }; +- static struct coef_fw coef0274[] = { ++ static const struct coef_fw coef0274[] = { + WRITE_COEF(0x45, 0x4289), + UPDATE_COEF(0x4a, 0x0010, 0x0010), + UPDATE_COEF(0x6b, 0x0f00, 0), +@@ -4579,53 +4579,53 @@ static void alc_headset_mode_ctia(struct hda_codec *codec) + { + int val; + +- static struct coef_fw coef0255[] = { ++ static const struct coef_fw coef0255[] = { + WRITE_COEF(0x45, 0xd489), /* Set to CTIA type */ + WRITE_COEF(0x1b, 0x0c2b), + WRITE_COEFEX(0x57, 0x03, 0x8ea6), + {} + }; +- static struct coef_fw coef0256[] = { ++ static const struct coef_fw coef0256[] = { + WRITE_COEF(0x45, 0xd489), /* Set to CTIA type */ + WRITE_COEF(0x1b, 0x0e6b), + {} + }; +- static struct coef_fw coef0233[] = { ++ static const struct coef_fw coef0233[] = { + WRITE_COEF(0x45, 0xd429), + WRITE_COEF(0x1b, 0x0c2b), + WRITE_COEF(0x32, 0x4ea3), + {} + }; +- static struct coef_fw coef0288[] = { ++ static const struct coef_fw coef0288[] = { + UPDATE_COEF(0x50, 0x2000, 0x2000), + UPDATE_COEF(0x56, 0x0006, 0x0006), + UPDATE_COEF(0x66, 0x0008, 0), + UPDATE_COEF(0x67, 0x2000, 0), + {} + }; +- static struct coef_fw coef0292[] = { ++ static const struct coef_fw coef0292[] = { + WRITE_COEF(0x6b, 0xd429), + WRITE_COEF(0x76, 0x0008), + WRITE_COEF(0x18, 0x7388), + {} + }; +- static struct coef_fw coef0293[] = { ++ static const struct coef_fw coef0293[] = { + WRITE_COEF(0x45, 0xd429), /* Set to ctia type */ + UPDATE_COEF(0x10, 7<<8, 7<<8), /* SET Line1 JD to 1 */ + {} + }; +- static struct coef_fw coef0688[] = { ++ static const struct coef_fw coef0688[] = { + WRITE_COEF(0x11, 0x0001), + WRITE_COEF(0x15, 0x0d60), + WRITE_COEF(0xc3, 0x0000), + {} + }; +- static struct coef_fw coef0225_1[] = { ++ static const struct coef_fw coef0225_1[] = { + UPDATE_COEF(0x45, 0x3f<<10, 0x35<<10), + UPDATE_COEF(0x63, 3<<14, 2<<14), + {} + }; +- static struct coef_fw coef0225_2[] = { ++ static const struct coef_fw coef0225_2[] = { + UPDATE_COEF(0x45, 0x3f<<10, 0x35<<10), + UPDATE_COEF(0x63, 3<<14, 1<<14), + {} +@@ -4697,48 +4697,48 @@ static void alc_headset_mode_ctia(struct hda_codec *codec) + /* Nokia type */ + static void alc_headset_mode_omtp(struct hda_codec *codec) + { +- static struct coef_fw coef0255[] = { ++ static const struct coef_fw coef0255[] = { + WRITE_COEF(0x45, 0xe489), /* Set to OMTP Type */ + WRITE_COEF(0x1b, 0x0c2b), + WRITE_COEFEX(0x57, 0x03, 0x8ea6), + {} + }; +- static struct coef_fw coef0256[] = { ++ static const struct coef_fw coef0256[] = { + WRITE_COEF(0x45, 0xe489), /* Set to OMTP Type */ + WRITE_COEF(0x1b, 0x0e6b), + {} + }; +- static struct coef_fw coef0233[] = { ++ static const struct coef_fw coef0233[] = { + WRITE_COEF(0x45, 0xe429), + WRITE_COEF(0x1b, 0x0c2b), + WRITE_COEF(0x32, 0x4ea3), + {} + }; +- static struct coef_fw coef0288[] = { ++ static const struct coef_fw coef0288[] = { + UPDATE_COEF(0x50, 0x2000, 0x2000), + UPDATE_COEF(0x56, 0x0006, 0x0006), + UPDATE_COEF(0x66, 0x0008, 0), + UPDATE_COEF(0x67, 0x2000, 0), + {} + }; +- static struct coef_fw coef0292[] = { ++ static const struct coef_fw coef0292[] = { + WRITE_COEF(0x6b, 0xe429), + WRITE_COEF(0x76, 0x0008), + WRITE_COEF(0x18, 0x7388), + {} + }; +- static struct coef_fw coef0293[] = { ++ static const struct coef_fw coef0293[] = { + WRITE_COEF(0x45, 0xe429), /* Set to omtp type */ + UPDATE_COEF(0x10, 7<<8, 7<<8), /* SET Line1 JD to 1 */ + {} + }; +- static struct coef_fw coef0688[] = { ++ static const struct coef_fw coef0688[] = { + WRITE_COEF(0x11, 0x0001), + WRITE_COEF(0x15, 0x0d50), + WRITE_COEF(0xc3, 0x0000), + {} + }; +- static struct coef_fw coef0225[] = { ++ static const struct coef_fw coef0225[] = { + UPDATE_COEF(0x45, 0x3f<<10, 0x39<<10), + UPDATE_COEF(0x63, 3<<14, 2<<14), + {} +@@ -4798,17 +4798,17 @@ static void alc_determine_headset_type(struct hda_codec *codec) + int val; + bool is_ctia = false; + struct alc_spec *spec = codec->spec; +- static struct coef_fw coef0255[] = { ++ static const struct coef_fw coef0255[] = { + WRITE_COEF(0x45, 0xd089), /* combo jack auto switch control(Check type)*/ + WRITE_COEF(0x49, 0x0149), /* combo jack auto switch control(Vref + conteol) */ + {} + }; +- static struct coef_fw coef0288[] = { ++ static const struct coef_fw coef0288[] = { + UPDATE_COEF(0x4f, 0xfcc0, 0xd400), /* Check Type */ + {} + }; +- static struct coef_fw coef0298[] = { ++ static const struct coef_fw coef0298[] = { + UPDATE_COEF(0x50, 0x2000, 0x2000), + UPDATE_COEF(0x56, 0x0006, 0x0006), + UPDATE_COEF(0x66, 0x0008, 0), +@@ -4816,19 +4816,19 @@ static void alc_determine_headset_type(struct hda_codec *codec) + UPDATE_COEF(0x19, 0x1300, 0x1300), + {} + }; +- static struct coef_fw coef0293[] = { ++ static const struct coef_fw coef0293[] = { + UPDATE_COEF(0x4a, 0x000f, 0x0008), /* Combo Jack auto detect */ + WRITE_COEF(0x45, 0xD429), /* Set to ctia type */ + {} + }; +- static struct coef_fw coef0688[] = { ++ static const struct coef_fw coef0688[] = { + WRITE_COEF(0x11, 0x0001), + WRITE_COEF(0xb7, 0x802b), + WRITE_COEF(0x15, 0x0d60), + WRITE_COEF(0xc3, 0x0c00), + {} + }; +- static struct coef_fw coef0274[] = { ++ static const struct coef_fw coef0274[] = { + UPDATE_COEF(0x4a, 0x0010, 0), + UPDATE_COEF(0x4a, 0x8000, 0), + WRITE_COEF(0x45, 0xd289), +@@ -5115,7 +5115,7 @@ static void alc_fixup_headset_mode_no_hp_mic(struct hda_codec *codec, + static void alc255_set_default_jack_type(struct hda_codec *codec) + { + /* Set to iphone type */ +- static struct coef_fw alc255fw[] = { ++ static const struct coef_fw alc255fw[] = { + WRITE_COEF(0x1b, 0x880b), + WRITE_COEF(0x45, 0xd089), + WRITE_COEF(0x1b, 0x080b), +@@ -5123,7 +5123,7 @@ static void alc255_set_default_jack_type(struct hda_codec *codec) + WRITE_COEF(0x1b, 0x0c0b), + {} + }; +- static struct coef_fw alc256fw[] = { ++ static const struct coef_fw alc256fw[] = { + WRITE_COEF(0x1b, 0x884b), + WRITE_COEF(0x45, 0xd089), + WRITE_COEF(0x1b, 0x084b), +@@ -8482,7 +8482,7 @@ static void alc662_fixup_aspire_ethos_hp(struct hda_codec *codec, + } + } + +-static struct coef_fw alc668_coefs[] = { ++static const struct coef_fw alc668_coefs[] = { + WRITE_COEF(0x01, 0xbebe), WRITE_COEF(0x02, 0xaaaa), WRITE_COEF(0x03, 0x0), + WRITE_COEF(0x04, 0x0180), WRITE_COEF(0x06, 0x0), WRITE_COEF(0x07, 0x0f80), + WRITE_COEF(0x08, 0x0031), WRITE_COEF(0x0a, 0x0060), WRITE_COEF(0x0b, 0x0), +-- +2.16.4 + diff --git a/patches.suse/ALSA-seq-Avoid-concurrent-access-to-queue-flags.patch b/patches.suse/ALSA-seq-Avoid-concurrent-access-to-queue-flags.patch new file mode 100644 index 0000000..b6cce0c --- /dev/null +++ b/patches.suse/ALSA-seq-Avoid-concurrent-access-to-queue-flags.patch @@ -0,0 +1,99 @@ +From bb51e669fa49feb5904f452b2991b240ef31bc97 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 14 Feb 2020 12:13:14 +0100 +Subject: [PATCH] ALSA: seq: Avoid concurrent access to queue flags +Git-commit: bb51e669fa49feb5904f452b2991b240ef31bc97 +Patch-mainline: v5.6-rc3 +References: git-fixes + +The queue flags are represented in bit fields and the concurrent +access may result in unexpected results. Although the current code +should be mostly OK as it's only reading a field while writing other +fields as KCSAN reported, it's safer to cover both with a proper +spinlock protection. + +This patch fixes the possible concurrent read by protecting with +q->owner_lock. Also the queue owner field is protected as well since +it's the field to be protected by the lock itself. + +Reported-by: syzbot+65c6c92d04304d0a8efc@syzkaller.appspotmail.com +Reported-by: syzbot+e60ddfa48717579799dd@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20200214111316.26939-2-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/core/seq/seq_queue.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c +index caf68bf42f13..20c552cf8398 100644 +--- a/sound/core/seq/seq_queue.c ++++ b/sound/core/seq/seq_queue.c +@@ -392,6 +392,7 @@ int snd_seq_queue_check_access(int queueid, int client) + int snd_seq_queue_set_owner(int queueid, int client, int locked) + { + struct snd_seq_queue *q = queueptr(queueid); ++ unsigned long flags; + + if (q == NULL) + return -EINVAL; +@@ -401,8 +402,10 @@ int snd_seq_queue_set_owner(int queueid, int client, int locked) + return -EPERM; + } + ++ spin_lock_irqsave(&q->owner_lock, flags); + q->locked = locked ? 1 : 0; + q->owner = client; ++ spin_unlock_irqrestore(&q->owner_lock, flags); + queue_access_unlock(q); + queuefree(q); + +@@ -539,15 +542,17 @@ void snd_seq_queue_client_termination(int client) + unsigned long flags; + int i; + struct snd_seq_queue *q; ++ bool matched; + + for (i = 0; i < SNDRV_SEQ_MAX_QUEUES; i++) { + if ((q = queueptr(i)) == NULL) + continue; + spin_lock_irqsave(&q->owner_lock, flags); +- if (q->owner == client) ++ matched = (q->owner == client); ++ if (matched) + q->klocked = 1; + spin_unlock_irqrestore(&q->owner_lock, flags); +- if (q->owner == client) { ++ if (matched) { + if (q->timer->running) + snd_seq_timer_stop(q->timer); + snd_seq_timer_reset(q->timer); +@@ -739,6 +744,8 @@ void snd_seq_info_queues_read(struct snd_info_entry *entry, + int i, bpm; + struct snd_seq_queue *q; + struct snd_seq_timer *tmr; ++ bool locked; ++ int owner; + + for (i = 0; i < SNDRV_SEQ_MAX_QUEUES; i++) { + if ((q = queueptr(i)) == NULL) +@@ -750,9 +757,14 @@ void snd_seq_info_queues_read(struct snd_info_entry *entry, + else + bpm = 0; + ++ spin_lock_irq(&q->owner_lock); ++ locked = q->locked; ++ owner = q->owner; ++ spin_unlock_irq(&q->owner_lock); ++ + snd_iprintf(buffer, "queue %d: [%s]\n", q->queue, q->name); +- snd_iprintf(buffer, "owned by client : %d\n", q->owner); +- snd_iprintf(buffer, "lock status : %s\n", q->locked ? "Locked" : "Free"); ++ snd_iprintf(buffer, "owned by client : %d\n", owner); ++ snd_iprintf(buffer, "lock status : %s\n", locked ? "Locked" : "Free"); + snd_iprintf(buffer, "queued time events : %d\n", snd_seq_prioq_avail(q->timeq)); + snd_iprintf(buffer, "queued tick events : %d\n", snd_seq_prioq_avail(q->tickq)); + snd_iprintf(buffer, "timer state : %s\n", tmr->running ? "Running" : "Stopped"); +-- +2.16.4 + diff --git a/patches.suse/ALSA-seq-Fix-concurrent-access-to-queue-current-tick.patch b/patches.suse/ALSA-seq-Fix-concurrent-access-to-queue-current-tick.patch new file mode 100644 index 0000000..96f751d --- /dev/null +++ b/patches.suse/ALSA-seq-Fix-concurrent-access-to-queue-current-tick.patch @@ -0,0 +1,146 @@ +From dc7497795e014d84699c3b8809ed6df35352dd74 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 14 Feb 2020 12:13:15 +0100 +Subject: [PATCH] ALSA: seq: Fix concurrent access to queue current tick/time +Git-commit: dc7497795e014d84699c3b8809ed6df35352dd74 +Patch-mainline: v5.6-rc3 +References: git-fixes + +snd_seq_check_queue() passes the current tick and time of the given +queue as a pointer to snd_seq_prioq_cell_out(), but those might be +updated concurrently by the seq timer update. + +Fix it by retrieving the current tick and time via the proper helper +functions at first, and pass those values to snd_seq_prioq_cell_out() +later in the loops. + +snd_seq_timer_get_cur_time() takes a new argument and adjusts with the +current system time only when it's requested so; this update isn't +needed for snd_seq_check_queue(), as it's called either from the +interrupt handler or right after queuing. + +Also, snd_seq_timer_get_cur_tick() is changed to read the value in the +spinlock for the concurrency, too. + +Reported-by: syzbot+fd5e0eaa1a32999173b2@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20200214111316.26939-3-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/core/seq/seq_clientmgr.c | 4 ++-- + sound/core/seq/seq_queue.c | 9 ++++++--- + sound/core/seq/seq_timer.c | 13 ++++++++++--- + sound/core/seq/seq_timer.h | 3 ++- + 4 files changed, 20 insertions(+), 9 deletions(-) + +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index 6d9592f0ae1d..cc93157fa950 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -580,7 +580,7 @@ static int update_timestamp_of_queue(struct snd_seq_event *event, + event->queue = queue; + event->flags &= ~SNDRV_SEQ_TIME_STAMP_MASK; + if (real_time) { +- event->time.time = snd_seq_timer_get_cur_time(q->timer); ++ event->time.time = snd_seq_timer_get_cur_time(q->timer, true); + event->flags |= SNDRV_SEQ_TIME_STAMP_REAL; + } else { + event->time.tick = snd_seq_timer_get_cur_tick(q->timer); +@@ -1659,7 +1659,7 @@ static int snd_seq_ioctl_get_queue_status(struct snd_seq_client *client, + tmr = queue->timer; + status->events = queue->tickq->cells + queue->timeq->cells; + +- status->time = snd_seq_timer_get_cur_time(tmr); ++ status->time = snd_seq_timer_get_cur_time(tmr, true); + status->tick = snd_seq_timer_get_cur_tick(tmr); + + status->running = tmr->running; +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c +index 20c552cf8398..71a6ea62c3be 100644 +--- a/sound/core/seq/seq_queue.c ++++ b/sound/core/seq/seq_queue.c +@@ -238,6 +238,8 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + { + unsigned long flags; + struct snd_seq_event_cell *cell; ++ snd_seq_tick_time_t cur_tick; ++ snd_seq_real_time_t cur_time; + + if (q == NULL) + return; +@@ -254,17 +256,18 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + + __again: + /* Process tick queue... */ ++ cur_tick = snd_seq_timer_get_cur_tick(q->timer); + for (;;) { +- cell = snd_seq_prioq_cell_out(q->tickq, +- &q->timer->tick.cur_tick); ++ cell = snd_seq_prioq_cell_out(q->tickq, &cur_tick); + if (!cell) + break; + snd_seq_dispatch_event(cell, atomic, hop); + } + + /* Process time queue... */ ++ cur_time = snd_seq_timer_get_cur_time(q->timer, false); + for (;;) { +- cell = snd_seq_prioq_cell_out(q->timeq, &q->timer->cur_time); ++ cell = snd_seq_prioq_cell_out(q->timeq, &cur_time); + if (!cell) + break; + snd_seq_dispatch_event(cell, atomic, hop); +diff --git a/sound/core/seq/seq_timer.c b/sound/core/seq/seq_timer.c +index be59b59c9be4..1645e4142e30 100644 +--- a/sound/core/seq/seq_timer.c ++++ b/sound/core/seq/seq_timer.c +@@ -428,14 +428,15 @@ int snd_seq_timer_continue(struct snd_seq_timer *tmr) + } + + /* return current 'real' time. use timeofday() to get better granularity. */ +-snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr) ++snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr, ++ bool adjust_ktime) + { + snd_seq_real_time_t cur_time; + unsigned long flags; + + spin_lock_irqsave(&tmr->lock, flags); + cur_time = tmr->cur_time; +- if (tmr->running) { ++ if (adjust_ktime && tmr->running) { + struct timespec64 tm; + + ktime_get_ts64(&tm); +@@ -452,7 +453,13 @@ snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr) + high PPQ values) */ + snd_seq_tick_time_t snd_seq_timer_get_cur_tick(struct snd_seq_timer *tmr) + { +- return tmr->tick.cur_tick; ++ snd_seq_tick_time_t cur_tick; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&tmr->lock, flags); ++ cur_tick = tmr->tick.cur_tick; ++ spin_unlock_irqrestore(&tmr->lock, flags); ++ return cur_tick; + } + + +diff --git a/sound/core/seq/seq_timer.h b/sound/core/seq/seq_timer.h +index 66c3e344eae3..4bec57df8158 100644 +--- a/sound/core/seq/seq_timer.h ++++ b/sound/core/seq/seq_timer.h +@@ -120,7 +120,8 @@ int snd_seq_timer_set_tempo_ppq(struct snd_seq_timer *tmr, int tempo, int ppq); + int snd_seq_timer_set_position_tick(struct snd_seq_timer *tmr, snd_seq_tick_time_t position); + int snd_seq_timer_set_position_time(struct snd_seq_timer *tmr, snd_seq_real_time_t position); + int snd_seq_timer_set_skew(struct snd_seq_timer *tmr, unsigned int skew, unsigned int base); +-snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr); ++snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr, ++ bool adjust_ktime); + snd_seq_tick_time_t snd_seq_timer_get_cur_tick(struct snd_seq_timer *tmr); + + extern int seq_default_timer_class; +-- +2.16.4 + diff --git a/patches.suse/ALSA-sh-Fix-compile-warning-wrt-const.patch b/patches.suse/ALSA-sh-Fix-compile-warning-wrt-const.patch new file mode 100644 index 0000000..bc0a44c --- /dev/null +++ b/patches.suse/ALSA-sh-Fix-compile-warning-wrt-const.patch @@ -0,0 +1,40 @@ +From f1dd4795b1523fbca7ab4344dd5a8bb439cc770d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 5 Jan 2020 15:48:23 +0100 +Subject: [PATCH] ALSA: sh: Fix compile warning wrt const +Git-commit: f1dd4795b1523fbca7ab4344dd5a8bb439cc770d +Patch-mainline: v5.6-rc1 +References: git-fixes + +A long-standing compile warning was seen during build test: + sound/sh/aica.c: In function 'load_aica_firmware': + sound/sh/aica.c:521:25: warning: passing argument 2 of 'spu_memload' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] + +Fixes: 198de43d758c ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device") +Link: https://lore.kernel.org/r/20200105144823.29547-69-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/sh/aica.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/sh/aica.c b/sound/sh/aica.c +index f3cd12ff09c3..8fa68432d3c1 100644 +--- a/sound/sh/aica.c ++++ b/sound/sh/aica.c +@@ -101,10 +101,10 @@ static void spu_memset(u32 toi, u32 what, int length) + } + + /* spu_memload - write to SPU address space */ +-static void spu_memload(u32 toi, void *from, int length) ++static void spu_memload(u32 toi, const void *from, int length) + { + unsigned long flags; +- u32 *froml = from; ++ const u32 *froml = from; + u32 __iomem *to = (u32 __iomem *) (SPU_MEMORY_BASE + toi); + int i; + u32 val; +-- +2.16.4 + diff --git a/patches.suse/ALSA-sh-Fix-unused-variable-warnings.patch b/patches.suse/ALSA-sh-Fix-unused-variable-warnings.patch new file mode 100644 index 0000000..a7f9882 --- /dev/null +++ b/patches.suse/ALSA-sh-Fix-unused-variable-warnings.patch @@ -0,0 +1,53 @@ +From 5da116f164ce265e397b8f59af5c39e4a61d61a5 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 4 Jan 2020 12:00:57 +0100 +Subject: [PATCH] ALSA: sh: Fix unused variable warnings +Git-commit: 5da116f164ce265e397b8f59af5c39e4a61d61a5 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Remove unused variables that are left over after the conversion of new +PCM ops: + sound/sh/sh_dac_audio.c:166:26: warning: unused variable 'runtime' + sound/sh/sh_dac_audio.c:186:26: warning: unused variable 'runtime' + sound/sh/sh_dac_audio.c:205:26: warning: unused variable 'runtime' + +Fixes: 1cc2f8ba0b3e ("ALSA: sh: Convert to the new PCM ops") +Link: https://lore.kernel.org/r/20200104110057.13875-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/sh/sh_dac_audio.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/sound/sh/sh_dac_audio.c b/sound/sh/sh_dac_audio.c +index 4affdc128119..feb28502940f 100644 +--- a/sound/sh/sh_dac_audio.c ++++ b/sound/sh/sh_dac_audio.c +@@ -163,7 +163,6 @@ static int snd_sh_dac_pcm_copy(struct snd_pcm_substream *substream, + { + /* channel is not used (interleaved data) */ + struct snd_sh_dac *chip = snd_pcm_substream_chip(substream); +- struct snd_pcm_runtime *runtime = substream->runtime; + + if (copy_from_user_toio(chip->data_buffer + pos, src, count)) + return -EFAULT; +@@ -183,7 +182,6 @@ static int snd_sh_dac_pcm_copy_kernel(struct snd_pcm_substream *substream, + { + /* channel is not used (interleaved data) */ + struct snd_sh_dac *chip = snd_pcm_substream_chip(substream); +- struct snd_pcm_runtime *runtime = substream->runtime; + + memcpy_toio(chip->data_buffer + pos, src, count); + chip->buffer_end = chip->data_buffer + pos + count; +@@ -202,7 +200,6 @@ static int snd_sh_dac_pcm_silence(struct snd_pcm_substream *substream, + { + /* channel is not used (interleaved data) */ + struct snd_sh_dac *chip = snd_pcm_substream_chip(substream); +- struct snd_pcm_runtime *runtime = substream->runtime; + + memset_io(chip->data_buffer + pos, 0, count); + chip->buffer_end = chip->data_buffer + pos + count; +-- +2.16.4 + diff --git a/patches.suse/ALSA-usb-audio-Fix-endianess-in-descriptor-validatio.patch b/patches.suse/ALSA-usb-audio-Fix-endianess-in-descriptor-validatio.patch new file mode 100644 index 0000000..d18af8f --- /dev/null +++ b/patches.suse/ALSA-usb-audio-Fix-endianess-in-descriptor-validatio.patch @@ -0,0 +1,55 @@ +From f8e5f90b3a53bb75f05124ed19156388379a337d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 1 Feb 2020 09:05:28 +0100 +Subject: [PATCH] ALSA: usb-audio: Fix endianess in descriptor validation +Git-commit: f8e5f90b3a53bb75f05124ed19156388379a337d +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +I overlooked that some fields are words and need the converts from +LE in the recently added USB descriptor validation code. +This patch fixes those with the proper macro usages. + +Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units") +Cc: +Link: https://lore.kernel.org/r/20200201080530.22390-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/usb/validate.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/usb/validate.c b/sound/usb/validate.c +index 4034c2072415..6fe206f6e911 100644 +--- a/sound/usb/validate.c ++++ b/sound/usb/validate.c +@@ -110,7 +110,7 @@ static bool validate_processing_unit(const void *p, + default: + if (v->type == UAC1_EXTENSION_UNIT) + return true; /* OK */ +- switch (d->wProcessType) { ++ switch (le16_to_cpu(d->wProcessType)) { + case UAC_PROCESS_UP_DOWNMIX: + case UAC_PROCESS_DOLBY_PROLOGIC: + if (d->bLength < len + 1) /* bNrModes */ +@@ -125,7 +125,7 @@ static bool validate_processing_unit(const void *p, + case UAC_VERSION_2: + if (v->type == UAC2_EXTENSION_UNIT_V2) + return true; /* OK */ +- switch (d->wProcessType) { ++ switch (le16_to_cpu(d->wProcessType)) { + case UAC2_PROCESS_UP_DOWNMIX: + case UAC2_PROCESS_DOLBY_PROLOCIC: /* SiC! */ + if (d->bLength < len + 1) /* bNrModes */ +@@ -142,7 +142,7 @@ static bool validate_processing_unit(const void *p, + len += 2; /* wClusterDescrID */ + break; + } +- switch (d->wProcessType) { ++ switch (le16_to_cpu(d->wProcessType)) { + case UAC3_PROCESS_UP_DOWNMIX: + if (d->bLength < len + 1) /* bNrModes */ + return false; +-- +2.16.4 + diff --git a/patches.suse/ALSA-usb-audio-Fix-missing-error-check-at-mixer-reso.patch b/patches.suse/ALSA-usb-audio-Fix-missing-error-check-at-mixer-reso.patch new file mode 100644 index 0000000..2ab655c --- /dev/null +++ b/patches.suse/ALSA-usb-audio-Fix-missing-error-check-at-mixer-reso.patch @@ -0,0 +1,49 @@ +From 167beb1756791e0806365a3f86a0da10d7a327ee Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 9 Nov 2019 19:16:58 +0100 +Subject: [PATCH] ALSA: usb-audio: Fix missing error check at mixer resolution test +Git-commit: 167beb1756791e0806365a3f86a0da10d7a327ee +Patch-mainline: v5.4-rc8 +References: git-fixes + +A check of the return value from get_cur_mix_raw() is missing at the +resolution test code in get_min_max_with_quirks(), which may leave the +variable untouched, leading to a random uninitialized value, as +detected by syzkaller fuzzer. + +Add the missing return error check for fixing that. + +Reported-and-tested-by: syzbot+abe1ab7afc62c6bb6377@syzkaller.appspotmail.com +Cc: +Link: https://lore.kernel.org/r/20191109181658.30368-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/usb/mixer.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 3fd1d1749edf..45eee5cc312e 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1229,7 +1229,8 @@ static int get_min_max_with_quirks(struct usb_mixer_elem_info *cval, + if (cval->min + cval->res < cval->max) { + int last_valid_res = cval->res; + int saved, test, check; +- get_cur_mix_raw(cval, minchn, &saved); ++ if (get_cur_mix_raw(cval, minchn, &saved) < 0) ++ goto no_res_check; + for (;;) { + test = saved; + if (test < cval->max) +@@ -1249,6 +1250,7 @@ static int get_min_max_with_quirks(struct usb_mixer_elem_info *cval, + snd_usb_set_cur_mix_value(cval, minchn, 0, saved); + } + ++no_res_check: + cval->initialized = 1; + } + +-- +2.16.4 + diff --git a/patches.suse/ALSA-usb-audio-not-submit-urb-for-stopped-endpoint.patch b/patches.suse/ALSA-usb-audio-not-submit-urb-for-stopped-endpoint.patch new file mode 100644 index 0000000..6f6752c --- /dev/null +++ b/patches.suse/ALSA-usb-audio-not-submit-urb-for-stopped-endpoint.patch @@ -0,0 +1,47 @@ +From 528699317dd6dc722dccc11b68800cf945109390 Mon Sep 17 00:00:00 2001 +From: Henry Lin +Date: Wed, 13 Nov 2019 10:14:19 +0800 +Subject: [PATCH] ALSA: usb-audio: not submit urb for stopped endpoint +Git-commit: 528699317dd6dc722dccc11b68800cf945109390 +Patch-mainline: v5.4-rc8 +References: git-fixes + +While output urb's snd_complete_urb() is executing, calling +prepare_outbound_urb() may cause endpoint stopped before +prepare_outbound_urb() returns and result in next urb submitted +to stopped endpoint. usb-audio driver cannot re-use it afterwards as +the urb is still hold by usb stack. + +This change checks EP_FLAG_RUNNING flag after prepare_outbound_urb() again +to let snd_complete_urb() know the endpoint already stopped and does not +submit next urb. Below kind of error will be fixed: + +[ 213.153103] usb 1-2: timeout: still 1 active urbs on EP #1 +[ 213.164121] usb 1-2: cannot submit urb 0, error -16: unknown error + +Signed-off-by: Henry Lin +Cc: +Link: https://lore.kernel.org/r/20191113021420.13377-1-henryl@nvidia.com +Signed-off-by: Takashi Iwai + +--- + sound/usb/endpoint.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index a2ab8e8d3a93..4a9a2f6ef5a4 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -388,6 +388,9 @@ static void snd_complete_urb(struct urb *urb) + } + + prepare_outbound_urb(ep, ctx); ++ /* can be stopped during prepare callback */ ++ if (unlikely(!test_bit(EP_FLAG_RUNNING, &ep->flags))) ++ goto exit_clear; + } else { + retire_inbound_urb(ep, ctx); + /* can be stopped during retire callback */ +-- +2.16.4 + diff --git a/patches.suse/ASoC-cs4349-Use-PM-ops-cs4349_runtime_pm.patch b/patches.suse/ASoC-cs4349-Use-PM-ops-cs4349_runtime_pm.patch new file mode 100644 index 0000000..7017eb1 --- /dev/null +++ b/patches.suse/ASoC-cs4349-Use-PM-ops-cs4349_runtime_pm.patch @@ -0,0 +1,40 @@ +From 9b4275c415acca6264a3d7f1182589959c93d530 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 15 Aug 2019 17:01:57 +0800 +Subject: [PATCH] ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' +Git-commit: 9b4275c415acca6264a3d7f1182589959c93d530 +Patch-mainline: v5.4-rc1 +References: bsc#1051510 + +sound/soc/codecs/cs4349.c:358:32: warning: + cs4349_runtime_pm defined but not used [-Wunused-const-variable=] + +cs4349_runtime_pm ops already defined, it seems +we should enable it. + +Reported-by: Hulk Robot +Fixes: e40da86 ("ASoC: cs4349: Add support for Cirrus Logic CS4349") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20190815090157.70036-1-yuehaibing@huawei.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/codecs/cs4349.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/cs4349.c b/sound/soc/codecs/cs4349.c +index 09716fab1e26..3381209a882d 100644 +--- a/sound/soc/codecs/cs4349.c ++++ b/sound/soc/codecs/cs4349.c +@@ -378,6 +378,7 @@ static struct i2c_driver cs4349_i2c_driver = { + .driver = { + .name = "cs4349", + .of_match_table = cs4349_of_match, ++ .pm = &cs4349_runtime_pm, + }, + .id_table = cs4349_i2c_id, + .probe = cs4349_i2c_probe, +-- +2.16.4 + diff --git a/patches.suse/ASoC-msm8916-wcd-analog-Fix-selected-events-for-MIC-.patch b/patches.suse/ASoC-msm8916-wcd-analog-Fix-selected-events-for-MIC-.patch new file mode 100644 index 0000000..8ab8316 --- /dev/null +++ b/patches.suse/ASoC-msm8916-wcd-analog-Fix-selected-events-for-MIC-.patch @@ -0,0 +1,48 @@ +From e0beec88397b163c7c4ea6fcfb67e8e07a2671dc Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Sat, 11 Jan 2020 17:40:03 +0100 +Subject: [PATCH] ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 +Git-commit: e0beec88397b163c7c4ea6fcfb67e8e07a2671dc +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +MIC BIAS External1 sets pm8916_wcd_analog_enable_micbias_ext1() +as event handler, which ends up in pm8916_wcd_analog_enable_micbias_ext(). + +But pm8916_wcd_analog_enable_micbias_ext() only handles the POST_PMU +event, which is not specified in the event flags for MIC BIAS External1. +This means that the code in the event handler is never actually run. + +Set SND_SOC_DAPM_POST_PMU as the only event for the handler to fix this. + +Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec") +Cc: Srinivas Kandagatla +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200111164006.43074-2-stephan@gerhold.net +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/codecs/msm8916-wcd-analog.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/msm8916-wcd-analog.c b/sound/soc/codecs/msm8916-wcd-analog.c +index f53235be77d9..30b19f12fabc 100644 +--- a/sound/soc/codecs/msm8916-wcd-analog.c ++++ b/sound/soc/codecs/msm8916-wcd-analog.c +@@ -938,10 +938,10 @@ static const struct snd_soc_dapm_widget pm8916_wcd_analog_dapm_widgets[] = { + + SND_SOC_DAPM_SUPPLY("MIC BIAS External1", CDC_A_MICB_1_EN, 7, 0, + pm8916_wcd_analog_enable_micbias_ext1, +- SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD), ++ SND_SOC_DAPM_POST_PMU), + SND_SOC_DAPM_SUPPLY("MIC BIAS External2", CDC_A_MICB_2_EN, 7, 0, + pm8916_wcd_analog_enable_micbias_ext2, +- SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD), ++ SND_SOC_DAPM_POST_PMU), + + SND_SOC_DAPM_ADC_E("ADC1", NULL, CDC_A_TX_1_EN, 7, 0, + pm8916_wcd_analog_enable_adc, +-- +2.16.4 + diff --git a/patches.suse/ASoC-sun8i-codec-Fix-setting-DAI-data-format.patch b/patches.suse/ASoC-sun8i-codec-Fix-setting-DAI-data-format.patch new file mode 100644 index 0000000..abed3d1 --- /dev/null +++ b/patches.suse/ASoC-sun8i-codec-Fix-setting-DAI-data-format.patch @@ -0,0 +1,47 @@ +From 96781fd941b39e1f78098009344ebcd7af861c67 Mon Sep 17 00:00:00 2001 +From: Samuel Holland +Date: Mon, 17 Feb 2020 00:42:22 -0600 +Subject: [PATCH] ASoC: sun8i-codec: Fix setting DAI data format +Git-commit: 96781fd941b39e1f78098009344ebcd7af861c67 +Patch-mainline: v5.6-rc3 +References: git-fixes + +Use the correct mask for this two-bit field. This fixes setting the DAI +data format to RIGHT_J or DSP_A. + +Fixes: 36c684936fae ("ASoC: Add sun8i digital audio codec") +Signed-off-by: Samuel Holland +Acked-by: Chen-Yu Tsai +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20200217064250.15516-7-samuel@sholland.org +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/sunxi/sun8i-codec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/sunxi/sun8i-codec.c b/sound/soc/sunxi/sun8i-codec.c +index 55798bc8eae2..686561df8e13 100644 +--- a/sound/soc/sunxi/sun8i-codec.c ++++ b/sound/soc/sunxi/sun8i-codec.c +@@ -80,6 +80,7 @@ + + #define SUN8I_SYS_SR_CTRL_AIF1_FS_MASK GENMASK(15, 12) + #define SUN8I_SYS_SR_CTRL_AIF2_FS_MASK GENMASK(11, 8) ++#define SUN8I_AIF1CLK_CTRL_AIF1_DATA_FMT_MASK GENMASK(3, 2) + #define SUN8I_AIF1CLK_CTRL_AIF1_WORD_SIZ_MASK GENMASK(5, 4) + #define SUN8I_AIF1CLK_CTRL_AIF1_LRCK_DIV_MASK GENMASK(8, 6) + #define SUN8I_AIF1CLK_CTRL_AIF1_BCLK_DIV_MASK GENMASK(12, 9) +@@ -241,7 +242,7 @@ static int sun8i_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + return -EINVAL; + } + regmap_update_bits(scodec->regmap, SUN8I_AIF1CLK_CTRL, +- BIT(SUN8I_AIF1CLK_CTRL_AIF1_DATA_FMT), ++ SUN8I_AIF1CLK_CTRL_AIF1_DATA_FMT_MASK, + value << SUN8I_AIF1CLK_CTRL_AIF1_DATA_FMT); + + return 0; +-- +2.16.4 + diff --git a/patches.suse/Bluetooth-Fix-race-condition-in-hci_release_sock.patch b/patches.suse/Bluetooth-Fix-race-condition-in-hci_release_sock.patch new file mode 100644 index 0000000..c1b5e48 --- /dev/null +++ b/patches.suse/Bluetooth-Fix-race-condition-in-hci_release_sock.patch @@ -0,0 +1,48 @@ +From 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 15 Jan 2020 20:49:04 +0300 +Subject: [PATCH] Bluetooth: Fix race condition in hci_release_sock() +Git-commit: 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Syzbot managed to trigger a use after free "KASAN: use-after-free Write +in hci_sock_bind". I have reviewed the code manually and one possibly +cause I have found is that we are not holding lock_sock(sk) when we do +the hci_dev_put(hdev) in hci_sock_release(). My theory is that the bind +and the release are racing against each other which results in this use +after free. + +Reported-by: syzbot+eba992608adf3d796bcc@syzkaller.appspotmail.com +Signed-off-by: Dan Carpenter +Signed-off-by: Johan Hedberg +Acked-by: Takashi Iwai + +--- + net/bluetooth/hci_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 5756b124c2cb..9c4a093f8960 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -839,6 +839,8 @@ static int hci_sock_release(struct socket *sock) + if (!sk) + return 0; + ++ lock_sock(sk); ++ + switch (hci_pi(sk)->channel) { + case HCI_CHANNEL_MONITOR: + atomic_dec(&monitor_promisc); +@@ -886,6 +888,7 @@ static int hci_sock_release(struct socket *sock) + skb_queue_purge(&sk->sk_receive_queue); + skb_queue_purge(&sk->sk_write_queue); + ++ release_sock(sk); + sock_put(sk); + return 0; + } +-- +2.16.4 + diff --git a/patches.suse/Btrfs-fix-btrfs_write_inode-vs-delayed-iput-deadlock.patch b/patches.suse/Btrfs-fix-btrfs_write_inode-vs-delayed-iput-deadlock.patch new file mode 100644 index 0000000..1ee8d60 --- /dev/null +++ b/patches.suse/Btrfs-fix-btrfs_write_inode-vs-delayed-iput-deadlock.patch @@ -0,0 +1,116 @@ +From: Josef Bacik +Date: Fri, 20 Jul 2018 11:46:10 -0700 +Git-commit: 3c4276936f6fbe52884b4ea4e6cc120b890a0f9f +Patch-mainline: 4.19 +Subject: [PATCH] Btrfs: fix btrfs_write_inode vs delayed iput deadlock +References: bsc#1154243 + +We recently ran into the following deadlock involving +btrfs_write_inode(): + +[ +0.005066] __schedule+0x38e/0x8c0 +[ +0.007144] schedule+0x36/0x80 +[ +0.006447] bit_wait+0x11/0x60 +[ +0.006446] __wait_on_bit+0xbe/0x110 +[ +0.007487] ? bit_wait_io+0x60/0x60 +[ +0.007319] __inode_wait_for_writeback+0x96/0xc0 +[ +0.009568] ? autoremove_wake_function+0x40/0x40 +[ +0.009565] inode_wait_for_writeback+0x21/0x30 +[ +0.009224] evict+0xb0/0x190 +[ +0.006099] iput+0x1a8/0x210 +[ +0.006103] btrfs_run_delayed_iputs+0x73/0xc0 +[ +0.009047] btrfs_commit_transaction+0x799/0x8c0 +[ +0.009567] btrfs_write_inode+0x81/0xb0 +[ +0.008008] __writeback_single_inode+0x267/0x320 +[ +0.009569] writeback_sb_inodes+0x25b/0x4e0 +[ +0.008702] wb_writeback+0x102/0x2d0 +[ +0.007487] wb_workfn+0xa4/0x310 +[ +0.006794] ? wb_workfn+0xa4/0x310 +[ +0.007143] process_one_work+0x150/0x410 +[ +0.008179] worker_thread+0x6d/0x520 +[ +0.007490] kthread+0x12c/0x160 +[ +0.006620] ? put_pwq_unlocked+0x80/0x80 +[ +0.008185] ? kthread_park+0xa0/0xa0 +[ +0.007484] ? do_syscall_64+0x53/0x150 +[ +0.007837] ret_from_fork+0x29/0x40 + +Writeback calls: + +btrfs_write_inode + btrfs_commit_transaction + btrfs_run_delayed_iputs + +If iput() is called on that same inode, evict() will wait for writeback +forever. + +btrfs_write_inode() was originally added way back in 4730a4bc5bf3 +("btrfs_dirty_inode") to support O_SYNC writes. However, ->write_inode() +hasn't been used for O_SYNC since 148f948ba877 ("vfs: Introduce new +helpers for syncing after writing to O_SYNC file or IS_SYNC inode"), so +btrfs_write_inode() is actually unnecessary (and leads to a bunch of +unnecessary commits). Get rid of it, which also gets rid of the +deadlock. + +CC: stable@vger.kernel.org # 3.2+ +Signed-off-by: Josef Bacik +[Omar: new commit message] +Signed-off-by: Omar Sandoval +Signed-off-by: David Sterba +Signed-off-by: Filipe Manana +--- + fs/btrfs/inode.c | 26 -------------------------- + fs/btrfs/super.c | 1 - + 2 files changed, 27 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index e704efffeb2d..8713a090d4c4 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -5863,32 +5863,6 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx) + return ret; + } + +-int btrfs_write_inode(struct inode *inode, struct writeback_control *wbc) +-{ +- struct btrfs_root *root = BTRFS_I(inode)->root; +- struct btrfs_trans_handle *trans; +- int ret = 0; +- bool nolock = false; +- +- if (test_bit(BTRFS_INODE_DUMMY, &BTRFS_I(inode)->runtime_flags)) +- return 0; +- +- if (btrfs_fs_closing(root->fs_info) && +- btrfs_is_free_space_inode(BTRFS_I(inode))) +- nolock = true; +- +- if (wbc->sync_mode == WB_SYNC_ALL) { +- if (nolock) +- trans = btrfs_join_transaction_nolock(root); +- else +- trans = btrfs_join_transaction(root); +- if (IS_ERR(trans)) +- return PTR_ERR(trans); +- ret = btrfs_commit_transaction(trans); +- } +- return ret; +-} +- + /* + * This is somewhat expensive, updating the tree every time the + * inode changes. But, it is most likely to find the inode in cache. +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index df41f0d32ca4..41aa55b91440 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -2360,7 +2360,6 @@ static const struct super_operations btrfs_super_ops = { + .sync_fs = btrfs_sync_fs, + .show_options = btrfs_show_options, + .show_devname = btrfs_show_devname, +- .write_inode = btrfs_write_inode, + .alloc_inode = btrfs_alloc_inode, + .destroy_inode = btrfs_destroy_inode, + .statfs = btrfs_statfs, +-- +2.16.4 + diff --git a/patches.suse/Btrfs-fix-infinite-loop-during-fsync-after-rename-op.patch b/patches.suse/Btrfs-fix-infinite-loop-during-fsync-after-rename-op.patch new file mode 100644 index 0000000..76a1d54 --- /dev/null +++ b/patches.suse/Btrfs-fix-infinite-loop-during-fsync-after-rename-op.patch @@ -0,0 +1,142 @@ +From: Filipe Manana +Date: Wed, 15 Jan 2020 13:21:35 +0000 +Git-commit: b5e4ff9d465da1233a2d9a47ebce487c70d8f4ab +Patch-mainline: 5.6-rc1 +Subject: [PATCH] Btrfs: fix infinite loop during fsync after rename + operations +References: bsc#1163383 + +Recently fsstress (from fstests) sporadically started to trigger an +infinite loop during fsync operations. This turned out to be because +support for the rename exchange and whiteout operations was added to +fsstress in fstests. These operations, unlike any others in fsstress, +cause file names to be reused, whence triggering this issue. However +it's not necessary to use rename exchange and rename whiteout operations +trigger this issue, simple rename operations and file creations are +enough to trigger the issue. + +The issue boils down to when we are logging inodes that conflict (that +had the name of any inode we need to log during the fsync operation), we +keep logging them even if they were already logged before, and after +that we check if there's any other inode that conflicts with them and +then add it again to the list of inodes to log. Skipping already logged +inodes fixes the issue. + +Consider the following example: + + $ mkfs.btrfs -f /dev/sdb + $ mount /dev/sdb /mnt + + $ mkdir /mnt/testdir # inode 257 + + $ touch /mnt/testdir/zz # inode 258 + $ ln /mnt/testdir/zz /mnt/testdir/zz_link + + $ touch /mnt/testdir/a # inode 259 + + $ sync + + # The following 3 renames achieve the same result as a rename exchange + # operation ( /mnt/testdir/zz_link to /mnt/testdir/a). + + $ mv /mnt/testdir/a /mnt/testdir/a/tmp + $ mv /mnt/testdir/zz_link /mnt/testdir/a + $ mv /mnt/testdir/a/tmp /mnt/testdir/zz_link + + # The following rename and file creation give the same result as a + # rename whiteout operation ( zz to a2). + + $ mv /mnt/testdir/zz /mnt/testdir/a2 + $ touch /mnt/testdir/zz # inode 260 + + $ xfs_io -c fsync /mnt/testdir/zz + --> results in the infinite loop + +The following steps happen: + +1) When logging inode 260, we find that its reference named "zz" was + used by inode 258 in the previous transaction (through the commit + root), so inode 258 is added to the list of conflicting indoes that + need to be logged; + +2) After logging inode 258, we find that its reference named "a" was + used by inode 259 in the previous transaction, and therefore we add + inode 259 to the list of conflicting inodes to be logged; + +3) After logging inode 259, we find that its reference named "zz_link" + was used by inode 258 in the previous transaction - we add inode 258 + to the list of conflicting inodes to log, again - we had already + logged it before at step 3. After logging it again, we find again + that inode 259 conflicts with him, and we add again 259 to the list, + etc - we end up repeating all the previous steps. + +So fix this by skipping logging of conflicting inodes that were already +logged. + +Fixes: 6b5fc433a7ad67 ("Btrfs: fix fsync after succession of renames of different files") +CC: stable@vger.kernel.org # 5.1+ +Signed-off-by: Filipe Manana +Reviewed-by: Josef Bacik +Signed-off-by: David Sterba +--- + fs/btrfs/tree-log.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 7ce9e9ad7de2..5320404777bc 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -5182,6 +5182,50 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + } + continue; + } ++ /* ++ * If the inode was already logged skip it - otherwise we can ++ * hit an infinite loop. Example: ++ * ++ * From the commit root (previous transaction) we have the ++ * following inodes: ++ * ++ * inode 257 a directory ++ * inode 258 with references "zz" and "zz_link" on inode 257 ++ * inode 259 with reference "a" on inode 257 ++ * ++ * And in the current (uncommitted) transaction we have: ++ * ++ * inode 257 a directory, unchanged ++ * inode 258 with references "a" and "a2" on inode 257 ++ * inode 259 with reference "zz_link" on inode 257 ++ * inode 261 with reference "zz" on inode 257 ++ * ++ * When logging inode 261 the following infinite loop could ++ * happen if we don't skip already logged inodes: ++ * ++ * - we detect inode 258 as a conflicting inode, with inode 261 ++ * on reference "zz", and log it; ++ * ++ * - we detect inode 259 as a conflicting inode, with inode 258 ++ * on reference "a", and log it; ++ * ++ * - we detect inode 258 as a conflicting inode, with inode 259 ++ * on reference "zz_link", and log it - again! After this we ++ * repeat the above steps forever. ++ */ ++ spin_lock(&BTRFS_I(inode)->lock); ++ /* ++ * Check the inode's logged_trans only instead of ++ * btrfs_inode_in_log(). This is because the last_log_commit of ++ * the inode is not updated when we only log that it exists and ++ * and it has the full sync bit set (see btrfs_log_inode()). ++ */ ++ if (BTRFS_I(inode)->logged_trans == trans->transid) { ++ spin_unlock(&BTRFS_I(inode)->lock); ++ btrfs_add_delayed_iput(inode); ++ continue; ++ } ++ spin_unlock(&BTRFS_I(inode)->lock); + /* + * We are safe logging the other inode without acquiring its + * lock as long as we log with the LOG_INODE_EXISTS mode. We +-- +2.16.4 + diff --git a/patches.suse/Btrfs-fix-missing-data-checksums-after-replaying-a-l.patch b/patches.suse/Btrfs-fix-missing-data-checksums-after-replaying-a-l.patch new file mode 100644 index 0000000..8f8e0a8 --- /dev/null +++ b/patches.suse/Btrfs-fix-missing-data-checksums-after-replaying-a-l.patch @@ -0,0 +1,276 @@ +From: Filipe Manana +Date: Thu, 5 Dec 2019 16:58:30 +0000 +Git-commit: 40e046acbd2f369cfbf93c3413639c66514cec2d +Patch-mainline: 5.5-rc3 +Subject: [PATCH] Btrfs: fix missing data checksums after replaying a log + tree +References: bsc#1161931 + +When logging a file that has shared extents (reflinked with other files or +with itself), we can end up logging multiple checksum items that cover +overlapping ranges. This confuses the search for checksums at log replay +time causing some checksums to never be added to the fs/subvolume tree. + +Consider the following example of a file that shares the same extent at +offsets 0 and 256Kb: + + [ bytenr 13893632, offset 64Kb, len 64Kb ] + 0 64Kb + + [ bytenr 13631488, offset 64Kb, len 192Kb ] + 64Kb 256Kb + + [ bytenr 13893632, offset 0, len 256Kb ] + 256Kb 512Kb + +When logging the inode, at tree-log.c:copy_items(), when processing the +file extent item at offset 0, we log a checksum item covering the range +13959168 to 14024704, which corresponds to 13893632 + 64Kb and 13893632 + +64Kb + 64Kb, respectively. + +Later when processing the extent item at offset 256K, we log the checksums +for the range from 13893632 to 14155776 (which corresponds to 13893632 + +256Kb). These checksums get merged with the checksum item for the range +from 13631488 to 13893632 (13631488 + 256Kb), logged by a previous fsync. +So after this we get the two following checksum items in the log tree: + + (...) + item 6 key (EXTENT_CSUM EXTENT_CSUM 13631488) itemoff 3095 itemsize 512 + range start 13631488 end 14155776 length 524288 + item 7 key (EXTENT_CSUM EXTENT_CSUM 13959168) itemoff 3031 itemsize 64 + range start 13959168 end 14024704 length 65536 + +The first one covers the range from the second one, they overlap. + +So far this does not cause a problem after replaying the log, because +when replaying the file extent item for offset 256K, we copy all the +checksums for the extent 13893632 from the log tree to the fs/subvolume +tree, since searching for an checksum item for bytenr 13893632 leaves us +at the first checksum item, which covers the whole range of the extent. + +However if we write 64Kb to file offset 256Kb for example, we will +not be able to find and copy the checksums for the last 128Kb of the +extent at bytenr 13893632, referenced by the file range 384Kb to 512Kb. + +After writing 64Kb into file offset 256Kb we get the following extent +layout for our file: + + [ bytenr 13893632, offset 64K, len 64Kb ] + 0 64Kb + + [ bytenr 13631488, offset 64Kb, len 192Kb ] + 64Kb 256Kb + + [ bytenr 14155776, offset 0, len 64Kb ] + 256Kb 320Kb + + [ bytenr 13893632, offset 64Kb, len 192Kb ] + 320Kb 512Kb + +After fsync'ing the file, if we have a power failure and then mount +the filesystem to replay the log, the following happens: + +1) When replaying the file extent item for file offset 320Kb, we + lookup for the checksums for the extent range from 13959168 + (13893632 + 64Kb) to 14155776 (13893632 + 256Kb), through a call + to btrfs_lookup_csums_range(); + +2) btrfs_lookup_csums_range() finds the checksum item that starts + precisely at offset 13959168 (item 7 in the log tree, shown before); + +3) However that checksum item only covers 64Kb of data, and not 192Kb + of data; + +4) As a result only the checksums for the first 64Kb of data referenced + by the file extent item are found and copied to the fs/subvolume tree. + The remaining 128Kb of data, file range 384Kb to 512Kb, doesn't get + the corresponding data checksums found and copied to the fs/subvolume + tree. + +5) After replaying the log userspace will not be able to read the file + range from 384Kb to 512Kb, because the checksums are missing and + resulting in an -EIO error. + +The following steps reproduce this scenario: + + $ mkfs.btrfs -f /dev/sdc + $ mount /dev/sdc /mnt/sdc + + $ xfs_io -f -c "pwrite -S 0xa3 0 256K" /mnt/sdc/foobar + $ xfs_io -c "fsync" /mnt/sdc/foobar + $ xfs_io -c "pwrite -S 0xc7 256K 256K" /mnt/sdc/foobar + + $ xfs_io -c "reflink /mnt/sdc/foobar 320K 0 64K" /mnt/sdc/foobar + $ xfs_io -c "fsync" /mnt/sdc/foobar + + $ xfs_io -c "pwrite -S 0xe5 256K 64K" /mnt/sdc/foobar + $ xfs_io -c "fsync" /mnt/sdc/foobar + + + + $ mount /dev/sdc /mnt/sdc + $ md5sum /mnt/sdc/foobar + md5sum: /mnt/sdc/foobar: Input/output error + + $ dmesg | tail + [165305.003464] BTRFS info (device sdc): no csum found for inode 257 start 401408 + [165305.004014] BTRFS info (device sdc): no csum found for inode 257 start 405504 + [165305.004559] BTRFS info (device sdc): no csum found for inode 257 start 409600 + [165305.005101] BTRFS info (device sdc): no csum found for inode 257 start 413696 + [165305.005627] BTRFS info (device sdc): no csum found for inode 257 start 417792 + [165305.006134] BTRFS info (device sdc): no csum found for inode 257 start 421888 + [165305.006625] BTRFS info (device sdc): no csum found for inode 257 start 425984 + [165305.007278] BTRFS info (device sdc): no csum found for inode 257 start 430080 + [165305.008248] BTRFS warning (device sdc): csum failed root 5 ino 257 off 393216 csum 0x1337385e expected csum 0x00000000 mirror 1 + [165305.009550] BTRFS warning (device sdc): csum failed root 5 ino 257 off 393216 csum 0x1337385e expected csum 0x00000000 mirror 1 + +Fix this simply by deleting first any checksums, from the log tree, for the +range of the extent we are logging at copy_items(). This ensures we do not +get checksum items in the log tree that have overlapping ranges. + +This is a long time issue that has been present since we have the clone +(and deduplication) ioctl, and can happen both when an extent is shared +between different files and within the same file. + +A test case for fstests follows soon. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +--- + fs/btrfs/ctree.h | 3 ++- + fs/btrfs/extent-tree.c | 7 ++++--- + fs/btrfs/file-item.c | 7 +++++-- + fs/btrfs/tree-log.c | 29 ++++++++++++++++++++++++++--- + 4 files changed, 37 insertions(+), 9 deletions(-) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 1d1bdf1d436c..79fdd23579c8 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -3214,8 +3214,9 @@ int btrfs_find_name_in_ext_backref(struct extent_buffer *leaf, int slot, + /* file-item.c */ + struct btrfs_dio_private; + int btrfs_del_csums(struct btrfs_trans_handle *trans, +- struct btrfs_fs_info *fs_info, u64 bytenr, u64 len); ++ struct btrfs_root *root, u64 bytenr, u64 len); + blk_status_t btrfs_lookup_bio_sums(struct inode *inode, struct bio *bio, u32 *dst); ++ + blk_status_t btrfs_lookup_bio_sums_dio(struct inode *inode, struct bio *bio, + u64 logical_offset); + int btrfs_insert_file_extent(struct btrfs_trans_handle *trans, +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 372e6e10ae01..33de94791249 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -2662,8 +2662,8 @@ static int cleanup_ref_head(struct btrfs_trans_handle *trans, + btrfs_pin_extent(fs_info, head->bytenr, + head->num_bytes, 1); + if (head->is_data) { +- ret = btrfs_del_csums(trans, fs_info, head->bytenr, +- head->num_bytes); ++ ret = btrfs_del_csums(trans, fs_info->csum_root, ++ head->bytenr, head->num_bytes); + } + } + +@@ -7143,7 +7143,8 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans, + btrfs_release_path(path); + + if (is_data) { +- ret = btrfs_del_csums(trans, info, bytenr, num_bytes); ++ ret = btrfs_del_csums(trans, info->csum_root, bytenr, ++ num_bytes); + if (ret) { + btrfs_abort_transaction(trans, ret); + goto out; +diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c +index fdcb41002623..4cf850cbc9f3 100644 +--- a/fs/btrfs/file-item.c ++++ b/fs/btrfs/file-item.c +@@ -590,9 +590,9 @@ static noinline void truncate_one_csum(struct btrfs_fs_info *fs_info, + * range of bytes. + */ + int btrfs_del_csums(struct btrfs_trans_handle *trans, +- struct btrfs_fs_info *fs_info, u64 bytenr, u64 len) ++ struct btrfs_root *root, u64 bytenr, u64 len) + { +- struct btrfs_root *root = fs_info->csum_root; ++ struct btrfs_fs_info *fs_info = trans->fs_info; + struct btrfs_path *path; + struct btrfs_key key; + u64 end_byte = bytenr + len; +@@ -602,6 +602,9 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans, + u16 csum_size = btrfs_super_csum_size(fs_info->super_copy); + int blocksize_bits = fs_info->sb->s_blocksize_bits; + ++ ASSERT(root == fs_info->csum_root || ++ root->root_key.objectid == BTRFS_TREE_LOG_OBJECTID); ++ + path = btrfs_alloc_path(); + if (!path) + return -ENOMEM; +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index a3b99e7d0730..883693e190b6 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -823,7 +823,8 @@ static noinline int replay_one_extent(struct btrfs_trans_handle *trans, + struct btrfs_ordered_sum, + list); + if (!ret) +- ret = btrfs_del_csums(trans, fs_info, ++ ret = btrfs_del_csums(trans, ++ fs_info->csum_root, + sums->bytenr, + sums->len); + if (!ret) +@@ -3960,6 +3961,28 @@ static int log_inode_item(struct btrfs_trans_handle *trans, + return 0; + } + ++static int log_csums(struct btrfs_trans_handle *trans, ++ struct btrfs_root *log_root, ++ struct btrfs_ordered_sum *sums) ++{ ++ int ret; ++ ++ /* ++ * Due to extent cloning, we might have logged a csum item that covers a ++ * subrange of a cloned extent, and later we can end up logging a csum ++ * item for a larger subrange of the same extent or the entire range. ++ * This would leave csum items in the log tree that cover the same range ++ * and break the searches for checksums in the log tree, resulting in ++ * some checksums missing in the fs/subvolume tree. So just delete (or ++ * trim and adjust) any existing csum items in the log for this range. ++ */ ++ ret = btrfs_del_csums(trans, log_root, sums->bytenr, sums->len); ++ if (ret) ++ return ret; ++ ++ return btrfs_csum_file_blocks(trans, log_root, sums); ++} ++ + static noinline int copy_items(struct btrfs_trans_handle *trans, + struct btrfs_inode *inode, + struct btrfs_path *dst_path, +@@ -4105,7 +4128,7 @@ static noinline int copy_items(struct btrfs_trans_handle *trans, + struct btrfs_ordered_sum, + list); + if (!ret) +- ret = btrfs_csum_file_blocks(trans, log, sums); ++ ret = log_csums(trans, log, sums); + list_del(&sums->list); + kfree(sums); + } +@@ -4426,7 +4449,7 @@ static int wait_ordered_extents(struct btrfs_trans_handle *trans, + struct btrfs_ordered_sum, + list); + if (!ret) +- ret = btrfs_csum_file_blocks(trans, log, sums); ++ ret = log_csums(trans, log, sums); + list_del(&sums->list); + kfree(sums); + } +-- +2.16.4 + diff --git a/patches.suse/Btrfs-fix-race-between-adding-and-putting-tree-mod-s.patch b/patches.suse/Btrfs-fix-race-between-adding-and-putting-tree-mod-s.patch new file mode 100644 index 0000000..67d80f4 --- /dev/null +++ b/patches.suse/Btrfs-fix-race-between-adding-and-putting-tree-mod-s.patch @@ -0,0 +1,247 @@ +From: Filipe Manana +Date: Wed, 22 Jan 2020 12:23:20 +0000 +Git-commit: 7227ff4de55d931bbdc156c8ef0ce4f100c78a5b +Patch-mainline: 5.6-rc1 +Subject: [PATCH] Btrfs: fix race between adding and putting tree mod seq + elements and nodes +References: bsc#1163384 + +There is a race between adding and removing elements to the tree mod log +list and rbtree that can lead to use-after-free problems. + +Consider the following example that explains how/why the problems happens: + +1) Task A has mod log element with sequence number 200. It currently is + the only element in the mod log list; + +2) Task A calls btrfs_put_tree_mod_seq() because it no longer needs to + access the tree mod log. When it enters the function, it initializes + 'min_seq' to (u64)-1. Then it acquires the lock 'tree_mod_seq_lock' + before checking if there are other elements in the mod seq list. + Since the list it empty, 'min_seq' remains set to (u64)-1. Then it + unlocks the lock 'tree_mod_seq_lock'; + +3) Before task A acquires the lock 'tree_mod_log_lock', task B adds + itself to the mod seq list through btrfs_get_tree_mod_seq() and gets a + sequence number of 201; + +4) Some other task, name it task C, modifies a btree and because there + elements in the mod seq list, it adds a tree mod elem to the tree + mod log rbtree. That node added to the mod log rbtree is assigned + a sequence number of 202; + +5) Task B, which is doing fiemap and resolving indirect back references, + calls btrfs get_old_root(), with 'time_seq' == 201, which in turn + calls tree_mod_log_search() - the search returns the mod log node + from the rbtree with sequence number 202, created by task C; + +6) Task A now acquires the lock 'tree_mod_log_lock', starts iterating + the mod log rbtree and finds the node with sequence number 202. Since + 202 is less than the previously computed 'min_seq', (u64)-1, it + removes the node and frees it; + +7) Task B still has a pointer to the node with sequence number 202, and + it dereferences the pointer itself and through the call to + __tree_mod_log_rewind(), resulting in a use-after-free problem. + +This issue can be triggered sporadically with the test case generic/561 +from fstests, and it happens more frequently with a higher number of +duperemove processes. When it happens to me, it either freezes the VM or +it produces a trace like the following before crashing: + + [ 1245.321140] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI + [ 1245.321200] CPU: 1 PID: 26997 Comm: pool Not tainted 5.5.0-rc6-btrfs-next-52 #1 + [ 1245.321235] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 + [ 1245.321287] RIP: 0010:rb_next+0x16/0x50 + [ 1245.321307] Code: .... + [ 1245.321372] RSP: 0018:ffffa151c4d039b0 EFLAGS: 00010202 + [ 1245.321388] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8ae221363c80 RCX: 6b6b6b6b6b6b6b6b + [ 1245.321409] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8ae221363c80 + [ 1245.321439] RBP: ffff8ae20fcc4688 R08: 0000000000000002 R09: 0000000000000000 + [ 1245.321475] R10: ffff8ae20b120910 R11: 00000000243f8bb1 R12: 0000000000000038 + [ 1245.321506] R13: ffff8ae221363c80 R14: 000000000000075f R15: ffff8ae223f762b8 + [ 1245.321539] FS: 00007fdee1ec7700(0000) GS:ffff8ae236c80000(0000) knlGS:0000000000000000 + [ 1245.321591] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 1245.321614] CR2: 00007fded4030c48 CR3: 000000021da16003 CR4: 00000000003606e0 + [ 1245.321642] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [ 1245.321668] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [ 1245.321706] Call Trace: + [ 1245.321798] __tree_mod_log_rewind+0xbf/0x280 [btrfs] + [ 1245.321841] btrfs_search_old_slot+0x105/0xd00 [btrfs] + [ 1245.321877] resolve_indirect_refs+0x1eb/0xc60 [btrfs] + [ 1245.321912] find_parent_nodes+0x3dc/0x11b0 [btrfs] + [ 1245.321947] btrfs_check_shared+0x115/0x1c0 [btrfs] + [ 1245.321980] ? extent_fiemap+0x59d/0x6d0 [btrfs] + [ 1245.322029] extent_fiemap+0x59d/0x6d0 [btrfs] + [ 1245.322066] do_vfs_ioctl+0x45a/0x750 + [ 1245.322081] ksys_ioctl+0x70/0x80 + [ 1245.322092] ? trace_hardirqs_off_thunk+0x1a/0x1c + [ 1245.322113] __x64_sys_ioctl+0x16/0x20 + [ 1245.322126] do_syscall_64+0x5c/0x280 + [ 1245.322139] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [ 1245.322155] RIP: 0033:0x7fdee3942dd7 + [ 1245.322177] Code: .... + [ 1245.322258] RSP: 002b:00007fdee1ec6c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [ 1245.322294] RAX: ffffffffffffffda RBX: 00007fded40210d8 RCX: 00007fdee3942dd7 + [ 1245.322314] RDX: 00007fded40210d8 RSI: 00000000c020660b RDI: 0000000000000004 + [ 1245.322337] RBP: 0000562aa89e7510 R08: 0000000000000000 R09: 00007fdee1ec6d44 + [ 1245.322369] R10: 0000000000000073 R11: 0000000000000246 R12: 00007fdee1ec6d48 + [ 1245.322390] R13: 00007fdee1ec6d40 R14: 00007fded40210d0 R15: 00007fdee1ec6d50 + [ 1245.322423] Modules linked in: .... + [ 1245.323443] ---[ end trace 01de1e9ec5dff3cd ]--- + +Fix this by ensuring that btrfs_put_tree_mod_seq() computes the minimum +sequence number and iterates the rbtree while holding the lock +'tree_mod_log_lock' in write mode. Also get rid of the 'tree_mod_seq_lock' +lock, since it is now redundant. + +Fixes: bd989ba359f2ac ("Btrfs: add tree modification log functions") +Fixes: 097b8a7c9e48e2 ("Btrfs: join tree mod log code with the code holding back delayed refs") +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Josef Bacik +Reviewed-by: Nikolay Borisov +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +--- + fs/btrfs/ctree.c | 8 ++------ + fs/btrfs/ctree.h | 6 ++---- + fs/btrfs/delayed-ref.c | 8 ++++---- + fs/btrfs/disk-io.c | 1 - + fs/btrfs/tests/btrfs-tests.c | 1 - + 5 files changed, 8 insertions(+), 16 deletions(-) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index efa913bc5625..356a1bba7645 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -339,12 +339,10 @@ u64 btrfs_get_tree_mod_seq(struct btrfs_fs_info *fs_info, + struct seq_list *elem) + { + tree_mod_log_write_lock(fs_info); +- spin_lock(&fs_info->tree_mod_seq_lock); + if (!elem->seq) { + elem->seq = btrfs_inc_tree_mod_seq(fs_info); + list_add_tail(&elem->list, &fs_info->tree_mod_seq_list); + } +- spin_unlock(&fs_info->tree_mod_seq_lock); + tree_mod_log_write_unlock(fs_info); + + return elem->seq; +@@ -364,7 +362,7 @@ void btrfs_put_tree_mod_seq(struct btrfs_fs_info *fs_info, + if (!seq_putting) + return; + +- spin_lock(&fs_info->tree_mod_seq_lock); ++ tree_mod_log_write_lock(fs_info); + list_del(&elem->list); + elem->seq = 0; + +@@ -375,19 +373,17 @@ void btrfs_put_tree_mod_seq(struct btrfs_fs_info *fs_info, + * blocker with lower sequence number exists, we + * cannot remove anything from the log + */ +- spin_unlock(&fs_info->tree_mod_seq_lock); ++ tree_mod_log_write_unlock(fs_info); + return; + } + min_seq = cur_elem->seq; + } + } +- spin_unlock(&fs_info->tree_mod_seq_lock); + + /* + * anything that's lower than the lowest existing (read: blocked) + * sequence number can be removed from the tree. + */ +- tree_mod_log_write_lock(fs_info); + tm_root = &fs_info->tree_mod_log; + for (node = rb_first(tm_root); node; node = next) { + next = rb_next(node); +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 79fdd23579c8..b3b45b24eadf 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -913,14 +913,12 @@ struct btrfs_fs_info { + struct list_head delayed_iputs; + struct mutex cleaner_delayed_iput_mutex; + +- /* this protects tree_mod_seq_list */ +- spinlock_t tree_mod_seq_lock; + atomic64_t tree_mod_seq; +- struct list_head tree_mod_seq_list; + +- /* this protects tree_mod_log */ ++ /* this protects tree_mod_log and tree_mod_seq_list */ + rwlock_t tree_mod_log_lock; + struct rb_root tree_mod_log; ++ struct list_head tree_mod_seq_list; + + atomic_t nr_async_submits; + atomic_t async_submit_draining; +diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c +index 869af3f28f9e..dbc7afbb3319 100644 +--- a/fs/btrfs/delayed-ref.c ++++ b/fs/btrfs/delayed-ref.c +@@ -316,7 +316,7 @@ void btrfs_merge_delayed_refs(struct btrfs_trans_handle *trans, + if (head->is_data) + return; + +- spin_lock(&fs_info->tree_mod_seq_lock); ++ read_lock(&fs_info->tree_mod_log_lock); + if (!list_empty(&fs_info->tree_mod_seq_list)) { + struct seq_list *elem; + +@@ -324,7 +324,7 @@ void btrfs_merge_delayed_refs(struct btrfs_trans_handle *trans, + struct seq_list, list); + seq = elem->seq; + } +- spin_unlock(&fs_info->tree_mod_seq_lock); ++ read_unlock(&fs_info->tree_mod_log_lock); + + again: + for (node = rb_first(&head->ref_tree); node; node = rb_next(node)) { +@@ -343,7 +343,7 @@ int btrfs_check_delayed_seq(struct btrfs_fs_info *fs_info, + struct seq_list *elem; + int ret = 0; + +- spin_lock(&fs_info->tree_mod_seq_lock); ++ read_lock(&fs_info->tree_mod_log_lock); + if (!list_empty(&fs_info->tree_mod_seq_list)) { + elem = list_first_entry(&fs_info->tree_mod_seq_list, + struct seq_list, list); +@@ -357,7 +357,7 @@ int btrfs_check_delayed_seq(struct btrfs_fs_info *fs_info, + } + } + +- spin_unlock(&fs_info->tree_mod_seq_lock); ++ read_unlock(&fs_info->tree_mod_log_lock); + return ret; + } + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 9372435471cf..928ba1339a1e 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2544,7 +2544,6 @@ int open_ctree(struct super_block *sb, + spin_lock_init(&fs_info->delayed_iput_lock); + spin_lock_init(&fs_info->defrag_inodes_lock); + spin_lock_init(&fs_info->free_chunk_lock); +- spin_lock_init(&fs_info->tree_mod_seq_lock); + spin_lock_init(&fs_info->super_lock); + spin_lock_init(&fs_info->qgroup_op_lock); + spin_lock_init(&fs_info->buffer_lock); +diff --git a/fs/btrfs/tests/btrfs-tests.c b/fs/btrfs/tests/btrfs-tests.c +index c3492bc1cc60..c77432e9d397 100644 +--- a/fs/btrfs/tests/btrfs-tests.c ++++ b/fs/btrfs/tests/btrfs-tests.c +@@ -121,7 +121,6 @@ struct btrfs_fs_info *btrfs_alloc_dummy_fs_info(u32 nodesize, u32 sectorsize) + spin_lock_init(&fs_info->qgroup_op_lock); + spin_lock_init(&fs_info->super_lock); + spin_lock_init(&fs_info->fs_roots_radix_lock); +- spin_lock_init(&fs_info->tree_mod_seq_lock); + mutex_init(&fs_info->qgroup_ioctl_lock); + mutex_init(&fs_info->qgroup_rescan_lock); + rwlock_init(&fs_info->tree_mod_log_lock); +-- +2.16.4 + diff --git a/patches.suse/Btrfs-make-tree-checker-detect-checksum-items-with-o.patch b/patches.suse/Btrfs-make-tree-checker-detect-checksum-items-with-o.patch new file mode 100644 index 0000000..e75881e --- /dev/null +++ b/patches.suse/Btrfs-make-tree-checker-detect-checksum-items-with-o.patch @@ -0,0 +1,75 @@ +From: Filipe Manana +Date: Mon, 2 Dec 2019 11:01:03 +0000 +Git-commit: ad1d8c439978ede77cbf73cbdd11bafe810421a5 +Patch-mainline: 5.5-rc3 +Subject: [PATCH] Btrfs: make tree checker detect checksum items with + overlapping ranges +References: bsc#1161931 + +Having checksum items, either on the checksums tree or in a log tree, that +represent ranges that overlap each other is a sign of a corruption. Such +case confuses the checksum lookup code and can result in not being able to +find checksums or find stale checksums. + +So add a check for such case. + +This is motivated by a recent fix for a case where a log tree had checksum +items covering ranges that overlap each other due to extent cloning, and +resulted in missing checksums after replaying the log tree. It also helps +detect past issues such as stale and outdated checksums due to overlapping, +commit 27b9a8122ff71a ("Btrfs: fix csum tree corruption, duplicate and +outdated checksums"). + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +--- + fs/btrfs/tree-checker.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index 89b024ddfcd7..00f810cb140d 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -239,7 +239,7 @@ static int check_extent_data_item(struct extent_buffer *leaf, + } + + static int check_csum_item(struct extent_buffer *leaf, struct btrfs_key *key, +- int slot) ++ int slot, struct btrfs_key *prev_key) + { + struct btrfs_fs_info *fs_info = leaf->fs_info; + u32 sectorsize = fs_info->sectorsize; +@@ -263,6 +263,20 @@ static int check_csum_item(struct extent_buffer *leaf, struct btrfs_key *key, + btrfs_item_size_nr(leaf, slot), csumsize); + return -EUCLEAN; + } ++ if (slot > 0 && prev_key->type == BTRFS_EXTENT_CSUM_KEY) { ++ u64 prev_csum_end; ++ u32 prev_item_size; ++ ++ prev_item_size = btrfs_item_size_nr(leaf, slot - 1); ++ prev_csum_end = (prev_item_size / csumsize) * sectorsize; ++ prev_csum_end += prev_key->offset; ++ if (prev_csum_end > key->offset) { ++ generic_err(leaf, slot - 1, ++"csum end range (%llu) goes beyond the start range (%llu) of the next csum item", ++ prev_csum_end, key->offset); ++ return -EUCLEAN; ++ } ++ } + return 0; + } + +@@ -1233,7 +1247,7 @@ static int check_leaf_item(struct extent_buffer *leaf, + ret = check_extent_data_item(leaf, key, slot, prev_key); + break; + case BTRFS_EXTENT_CSUM_KEY: +- ret = check_csum_item(leaf, key, slot); ++ ret = check_csum_item(leaf, key, slot, prev_key); + break; + case BTRFS_DIR_ITEM_KEY: + case BTRFS_DIR_INDEX_KEY: +-- +2.16.4 + diff --git a/patches.suse/Btrfs-send-skip-backreference-walking-for-extents-wi.patch b/patches.suse/Btrfs-send-skip-backreference-walking-for-extents-wi.patch new file mode 100644 index 0000000..ca417f0 --- /dev/null +++ b/patches.suse/Btrfs-send-skip-backreference-walking-for-extents-wi.patch @@ -0,0 +1,91 @@ +From: Filipe Manana +Date: Wed, 30 Oct 2019 12:23:01 +0000 +Git-commit: fd0ddbe2509568b00df364156f47561e9f469f15 +Patch-mainline: 5.5-rc1 +Subject: [PATCH] Btrfs: send, skip backreference walking for extents with + many references +References: bsc#1162139 + +Backreference walking, which is used by send to figure if it can issue +clone operations instead of write operations, can be very slow and use +too much memory when extents have many references. This change simply +skips backreference walking when an extent has more than 64 references, +in which case we fallback to a write operation instead of a clone +operation. This limit is conservative and in practice I observed no +signicant slowdown with up to 100 references and still low memory usage +up to that limit. + +This is a temporary workaround until there are speedups in the backref +walking code, and as such it does not attempt to add extra interfaces or +knobs to tweak the threshold. + +Reported-by: Atemu +Link: https://lore.kernel.org/linux-btrfs/CAE4GHgkvqVADtS4AzcQJxo0Q1jKQgKaW3JGp3SGdoinVo=C9eQ@mail.gmail.com/T/#me55dc0987f9cc2acaa54372ce0492c65782be3fa +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +--- + fs/btrfs/send.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index a3dd934ad293..ad20cabbefa4 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -36,6 +36,14 @@ + #include "transaction.h" + #include "compression.h" + ++/* ++ * Maximum number of references an extent can have in order for us to attempt to ++ * issue clone operations instead of write operations. This currently exists to ++ * avoid hitting limitations of the backreference walking code (taking a lot of ++ * time and using too much memory for extents with large number of references). ++ */ ++#define SEND_MAX_EXTENT_REFS 64 ++ + /* + * A fs_path is a helper to dynamically build path names with unknown size. + * It reallocates the internal buffer on demand. +@@ -1328,6 +1336,7 @@ static int find_extent_clone(struct send_ctx *sctx, + struct clone_root *cur_clone_root; + struct btrfs_key found_key; + struct btrfs_path *tmp_path; ++ struct btrfs_extent_item *ei; + int compressed; + u32 i; + +@@ -1377,7 +1386,6 @@ static int find_extent_clone(struct send_ctx *sctx, + ret = extent_from_logical(fs_info, disk_byte, tmp_path, + &found_key, &flags); + up_read(&fs_info->commit_root_sem); +- btrfs_release_path(tmp_path); + + if (ret < 0) + goto out; +@@ -1386,6 +1394,21 @@ static int find_extent_clone(struct send_ctx *sctx, + goto out; + } + ++ ei = btrfs_item_ptr(tmp_path->nodes[0], tmp_path->slots[0], ++ struct btrfs_extent_item); ++ /* ++ * Backreference walking (iterate_extent_inodes() below) is currently ++ * too expensive when an extent has a large number of references, both ++ * in time spent and used memory. So for now just fallback to write ++ * operations instead of clone operations when an extent has more than ++ * a certain amount of references. ++ */ ++ if (btrfs_extent_refs(tmp_path->nodes[0], ei) > SEND_MAX_EXTENT_REFS) { ++ ret = -ENOENT; ++ goto out; ++ } ++ btrfs_release_path(tmp_path); ++ + /* + * Setup the clone roots. + */ +-- +2.16.4 + diff --git a/patches.suse/Input-aiptek-fix-endpoint-sanity-check.patch b/patches.suse/Input-aiptek-fix-endpoint-sanity-check.patch new file mode 100644 index 0000000..59d076b --- /dev/null +++ b/patches.suse/Input-aiptek-fix-endpoint-sanity-check.patch @@ -0,0 +1,51 @@ +From 3111491fca4f01764e0c158c5e0f7ced808eef51 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 11:59:32 -0800 +Subject: [PATCH] Input: aiptek - fix endpoint sanity check +Git-commit: 3111491fca4f01764e0c158c5e0f7ced808eef51 +Patch-mainline: v5.5 +References: bsc#1051510 + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could lead to the +driver binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") +Signed-off-by: Johan Hovold +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/tablet/aiptek.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c +index 2ca586fb914f..06d0ffef4a17 100644 +--- a/drivers/input/tablet/aiptek.c ++++ b/drivers/input/tablet/aiptek.c +@@ -1802,14 +1802,14 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id) + input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0); + + /* Verify that a device really has an endpoint */ +- if (intf->altsetting[0].desc.bNumEndpoints < 1) { ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&intf->dev, + "interface has %d endpoints, but must have minimum 1\n", +- intf->altsetting[0].desc.bNumEndpoints); ++ intf->cur_altsetting->desc.bNumEndpoints); + err = -EINVAL; + goto fail3; + } +- endpoint = &intf->altsetting[0].endpoint[0].desc; ++ endpoint = &intf->cur_altsetting->endpoint[0].desc; + + /* Go set up our URB, which is called when the tablet receives + * input. +-- +2.16.4 + diff --git a/patches.suse/Input-gtco-fix-endpoint-sanity-check.patch b/patches.suse/Input-gtco-fix-endpoint-sanity-check.patch new file mode 100644 index 0000000..942c364 --- /dev/null +++ b/patches.suse/Input-gtco-fix-endpoint-sanity-check.patch @@ -0,0 +1,63 @@ +From a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 12:00:18 -0800 +Subject: [PATCH] Input: gtco - fix endpoint sanity check +Git-commit: a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 +Patch-mainline: v5.5 +References: bsc#1051510 + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could lead to the +driver binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") +Signed-off-by: Johan Hovold +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/tablet/gtco.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c +index 35031228a6d0..799c94dda651 100644 +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interface *usbinterface, + } + + /* Sanity check that a device has an endpoint */ +- if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&usbinterface->dev, + "Invalid number of endpoints\n"); + error = -EINVAL; + goto err_free_urb; + } + +- /* +- * The endpoint is always altsetting 0, we know this since we know +- * this device only has one interrupt endpoint +- */ +- endpoint = &usbinterface->altsetting[0].endpoint[0].desc; ++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; + + /* Some debug */ + dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting); +@@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interface *usbinterface, + input_dev->dev.parent = &usbinterface->dev; + + /* Setup the URB, it will be posted later on open of input device */ +- endpoint = &usbinterface->altsetting[0].endpoint[0].desc; ++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; + + usb_fill_int_urb(gtco->urbinfo, + udev, +-- +2.16.4 + diff --git a/patches.suse/Input-keyspan-remote-fix-control-message-timeouts.patch b/patches.suse/Input-keyspan-remote-fix-control-message-timeouts.patch new file mode 100644 index 0000000..c3edca3 --- /dev/null +++ b/patches.suse/Input-keyspan-remote-fix-control-message-timeouts.patch @@ -0,0 +1,67 @@ +From ba9a103f40fc4a3ec7558ec9b0b97d4f92034249 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Jan 2020 10:38:57 -0800 +Subject: [PATCH] Input: keyspan-remote - fix control-message timeouts +Git-commit: ba9a103f40fc4a3ec7558ec9b0b97d4f92034249 +Patch-mainline: v5.5 +References: bsc#1051510 + +The driver was issuing synchronous uninterruptible control requests +without using a timeout. This could lead to the driver hanging on probe +due to a malfunctioning (or malicious) device until the device is +physically disconnected. While sleeping in probe the driver prevents +other devices connected to the same hub from being added to (or removed +from) the bus. + +The USB upper limit of five seconds per request should be more than +enough. + +Fixes: 99f83c9c9ac9 ("[PATCH] USB: add driver for Keyspan Digital Remote") +Signed-off-by: Johan Hovold +Reviewed-by: Greg Kroah-Hartman +Cc: stable # 2.6.13 +Link: https://lore.kernel.org/r/20200113171715.30621-1-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/misc/keyspan_remote.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/misc/keyspan_remote.c b/drivers/input/misc/keyspan_remote.c +index 83368f1e7c4e..4650f4a94989 100644 +--- a/drivers/input/misc/keyspan_remote.c ++++ b/drivers/input/misc/keyspan_remote.c +@@ -336,7 +336,8 @@ static int keyspan_setup(struct usb_device* dev) + int retval = 0; + + retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), +- 0x11, 0x40, 0x5601, 0x0, NULL, 0, 0); ++ 0x11, 0x40, 0x5601, 0x0, NULL, 0, ++ USB_CTRL_SET_TIMEOUT); + if (retval) { + dev_dbg(&dev->dev, "%s - failed to set bit rate due to error: %d\n", + __func__, retval); +@@ -344,7 +345,8 @@ static int keyspan_setup(struct usb_device* dev) + } + + retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), +- 0x44, 0x40, 0x0, 0x0, NULL, 0, 0); ++ 0x44, 0x40, 0x0, 0x0, NULL, 0, ++ USB_CTRL_SET_TIMEOUT); + if (retval) { + dev_dbg(&dev->dev, "%s - failed to set resume sensitivity due to error: %d\n", + __func__, retval); +@@ -352,7 +354,8 @@ static int keyspan_setup(struct usb_device* dev) + } + + retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), +- 0x22, 0x40, 0x0, 0x0, NULL, 0, 0); ++ 0x22, 0x40, 0x0, 0x0, NULL, 0, ++ USB_CTRL_SET_TIMEOUT); + if (retval) { + dev_dbg(&dev->dev, "%s - failed to turn receive on due to error: %d\n", + __func__, retval); +-- +2.16.4 + diff --git a/patches.suse/Input-pegasus_notetaker-fix-endpoint-sanity-check.patch b/patches.suse/Input-pegasus_notetaker-fix-endpoint-sanity-check.patch new file mode 100644 index 0000000..b3863a7 --- /dev/null +++ b/patches.suse/Input-pegasus_notetaker-fix-endpoint-sanity-check.patch @@ -0,0 +1,41 @@ +From bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 11:55:47 -0800 +Subject: [PATCH] Input: pegasus_notetaker - fix endpoint sanity check +Git-commit: bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 +Patch-mainline: v5.5 +References: bsc#1051510 + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could be used by a +malicious device (or USB descriptor fuzzer) to trigger a NULL-pointer +dereference. + +Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") +Signed-off-by: Johan Hovold +Acked-by: Martin Kepplinger +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-2-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/tablet/pegasus_notetaker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c +index a1f3a0cb197e..38f087404f7a 100644 +--- a/drivers/input/tablet/pegasus_notetaker.c ++++ b/drivers/input/tablet/pegasus_notetaker.c +@@ -275,7 +275,7 @@ static int pegasus_probe(struct usb_interface *intf, + return -ENODEV; + + /* Sanity check that the device has an endpoint */ +- if (intf->altsetting[0].desc.bNumEndpoints < 1) { ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&intf->dev, "Invalid number of endpoints\n"); + return -EINVAL; + } +-- +2.16.4 + diff --git a/patches.suse/Input-pm8xxx-vib-fix-handling-of-separate-enable-reg.patch b/patches.suse/Input-pm8xxx-vib-fix-handling-of-separate-enable-reg.patch new file mode 100644 index 0000000..4dd0685 --- /dev/null +++ b/patches.suse/Input-pm8xxx-vib-fix-handling-of-separate-enable-reg.patch @@ -0,0 +1,48 @@ +From 996d5d5f89a558a3608a46e73ccd1b99f1b1d058 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Fri, 17 Jan 2020 13:40:36 -0800 +Subject: [PATCH] Input: pm8xxx-vib - fix handling of separate enable register +Git-commit: 996d5d5f89a558a3608a46e73ccd1b99f1b1d058 +Patch-mainline: v5.5 +References: bsc#1051510 + +Setting the vibrator enable_mask is not implemented correctly: + +For regmap_update_bits(map, reg, mask, val) we give in either +regs->enable_mask or 0 (= no-op) as mask and "val" as value. +But "val" actually refers to the vibrator voltage control register, +which has nothing to do with the enable_mask. + +So we usually end up doing nothing when we really wanted +to enable the vibrator. + +We want to set or clear the enable_mask (to enable/disable the vibrator). +Therefore, change the call to always modify the enable_mask +and set the bits only if we want to enable the vibrator. + +Fixes: d4c7c5c96c92 ("Input: pm8xxx-vib - handle separate enable register") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200114183442.45720-1-stephan@gerhold.net +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/misc/pm8xxx-vibrator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/misc/pm8xxx-vibrator.c b/drivers/input/misc/pm8xxx-vibrator.c +index ecd762f93732..53ad25eaf1a2 100644 +--- a/drivers/input/misc/pm8xxx-vibrator.c ++++ b/drivers/input/misc/pm8xxx-vibrator.c +@@ -90,7 +90,7 @@ static int pm8xxx_vib_set(struct pm8xxx_vib *vib, bool on) + + if (regs->enable_mask) + rc = regmap_update_bits(vib->regmap, regs->enable_addr, +- on ? regs->enable_mask : 0, val); ++ regs->enable_mask, on ? ~0 : 0); + + return rc; + } +-- +2.16.4 + diff --git a/patches.suse/Input-rmi_f54-read-from-FIFO-in-32-byte-blocks.patch b/patches.suse/Input-rmi_f54-read-from-FIFO-in-32-byte-blocks.patch new file mode 100644 index 0000000..c4b89da --- /dev/null +++ b/patches.suse/Input-rmi_f54-read-from-FIFO-in-32-byte-blocks.patch @@ -0,0 +1,105 @@ +From c15f8ba6dc1f6a8330cd89374a21388a5d91f92c Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 16 Jan 2020 20:12:53 -0800 +Subject: [PATCH] Input: rmi_f54 - read from FIFO in 32 byte blocks +Git-commit: c15f8ba6dc1f6a8330cd89374a21388a5d91f92c +Patch-mainline: v5.5 +References: bsc#1051510 + +The F54 Report Data is apparently read through a fifo and for +the smbus protocol that means that between reading a block of 32 +bytes the rmiaddr shouldn't be incremented. However, changing +that causes other non-fifo reads to fail and so that change was +reverted. + +This patch changes just the F54 function and it now reads 32 bytes +at a time from the fifo, using the F54_FIFO_OFFSET to update the +start address that is used when reading from the fifo. + +This has only been tested with smbus, not with i2c or spi. But I +suspect that the same is needed there since I think similar +problems will occur there when reading more than 256 bytes. + +Signed-off-by: Hans Verkuil +Tested-by: Hans Verkuil +Reported-by: Timo Kaufmann +Link: https://lore.kernel.org/r/20200115124819.3191024-3-hverkuil-cisco@xs4all.nl +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/rmi4/rmi_f54.c | 43 +++++++++++++++++++++++++++---------------- + 1 file changed, 27 insertions(+), 16 deletions(-) + +diff --git a/drivers/input/rmi4/rmi_f54.c b/drivers/input/rmi4/rmi_f54.c +index 0bc01cfc2b51..6b23e679606e 100644 +--- a/drivers/input/rmi4/rmi_f54.c ++++ b/drivers/input/rmi4/rmi_f54.c +@@ -24,6 +24,12 @@ + #define F54_NUM_TX_OFFSET 1 + #define F54_NUM_RX_OFFSET 0 + ++/* ++ * The smbus protocol can read only 32 bytes max at a time. ++ * But this should be fine for i2c/spi as well. ++ */ ++#define F54_REPORT_DATA_SIZE 32 ++ + /* F54 commands */ + #define F54_GET_REPORT 1 + #define F54_FORCE_CAL 2 +@@ -526,6 +532,7 @@ static void rmi_f54_work(struct work_struct *work) + int report_size; + u8 command; + int error; ++ int i; + + report_size = rmi_f54_get_report_size(f54); + if (report_size == 0) { +@@ -558,23 +565,27 @@ static void rmi_f54_work(struct work_struct *work) + + rmi_dbg(RMI_DEBUG_FN, &fn->dev, "Get report command completed, reading data\n"); + +- fifo[0] = 0; +- fifo[1] = 0; +- error = rmi_write_block(fn->rmi_dev, +- fn->fd.data_base_addr + F54_FIFO_OFFSET, +- fifo, sizeof(fifo)); +- if (error) { +- dev_err(&fn->dev, "Failed to set fifo start offset\n"); +- goto abort; +- } ++ for (i = 0; i < report_size; i += F54_REPORT_DATA_SIZE) { ++ int size = min(F54_REPORT_DATA_SIZE, report_size - i); ++ ++ fifo[0] = i & 0xff; ++ fifo[1] = i >> 8; ++ error = rmi_write_block(fn->rmi_dev, ++ fn->fd.data_base_addr + F54_FIFO_OFFSET, ++ fifo, sizeof(fifo)); ++ if (error) { ++ dev_err(&fn->dev, "Failed to set fifo start offset\n"); ++ goto abort; ++ } + +- error = rmi_read_block(fn->rmi_dev, fn->fd.data_base_addr + +- F54_REPORT_DATA_OFFSET, f54->report_data, +- report_size); +- if (error) { +- dev_err(&fn->dev, "%s: read [%d bytes] returned %d\n", +- __func__, report_size, error); +- goto abort; ++ error = rmi_read_block(fn->rmi_dev, fn->fd.data_base_addr + ++ F54_REPORT_DATA_OFFSET, ++ f54->report_data + i, size); ++ if (error) { ++ dev_err(&fn->dev, "%s: read [%d bytes] returned %d\n", ++ __func__, size, error); ++ goto abort; ++ } + } + + abort: +-- +2.16.4 + diff --git a/patches.suse/Input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_.patch b/patches.suse/Input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_.patch new file mode 100644 index 0000000..36f28a2 --- /dev/null +++ b/patches.suse/Input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_.patch @@ -0,0 +1,47 @@ +From 97e24b095348a15ec08c476423c3b3b939186ad7 Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan +Date: Fri, 10 Jan 2020 10:30:04 -0800 +Subject: [PATCH] Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register +Git-commit: 97e24b095348a15ec08c476423c3b3b939186ad7 +Patch-mainline: v5.5 +References: bsc#1051510 + +The driver misses a check for devm_thermal_zone_of_sensor_register(). +Add a check to fix it. + +Fixes: e28d0c9cd381 ("input: convert sun4i-ts to use devm_thermal_zone_of_sensor_register") +Signed-off-by: Chuhong Yuan +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/touchscreen/sun4i-ts.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/sun4i-ts.c b/drivers/input/touchscreen/sun4i-ts.c +index 0af0fe8c40d7..742a7e96c1b5 100644 +--- a/drivers/input/touchscreen/sun4i-ts.c ++++ b/drivers/input/touchscreen/sun4i-ts.c +@@ -237,6 +237,7 @@ static int sun4i_ts_probe(struct platform_device *pdev) + struct device *dev = &pdev->dev; + struct device_node *np = dev->of_node; + struct device *hwmon; ++ struct thermal_zone_device *thermal; + int error; + u32 reg; + bool ts_attached; +@@ -355,7 +356,10 @@ static int sun4i_ts_probe(struct platform_device *pdev) + if (IS_ERR(hwmon)) + return PTR_ERR(hwmon); + +- devm_thermal_zone_of_sensor_register(ts->dev, 0, ts, &sun4i_ts_tz_ops); ++ thermal = devm_thermal_zone_of_sensor_register(ts->dev, 0, ts, ++ &sun4i_ts_tz_ops); ++ if (IS_ERR(thermal)) ++ return PTR_ERR(thermal); + + writel(TEMP_IRQ_EN(1), ts->base + TP_INT_FIFOC); + +-- +2.16.4 + diff --git a/patches.suse/Input-sur40-fix-interface-sanity-checks.patch b/patches.suse/Input-sur40-fix-interface-sanity-checks.patch new file mode 100644 index 0000000..71e0416 --- /dev/null +++ b/patches.suse/Input-sur40-fix-interface-sanity-checks.patch @@ -0,0 +1,41 @@ +From 6b32391ed675827f8425a414abbc6fbd54ea54fe Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 12:01:27 -0800 +Subject: [PATCH] Input: sur40 - fix interface sanity checks +Git-commit: 6b32391ed675827f8425a414abbc6fbd54ea54fe +Patch-mainline: v5.5 +References: bsc#1051510 + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)") +Signed-off-by: Johan Hovold +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-8-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/touchscreen/sur40.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/sur40.c b/drivers/input/touchscreen/sur40.c +index 1dd47dda71cd..34d31c7ec8ba 100644 +--- a/drivers/input/touchscreen/sur40.c ++++ b/drivers/input/touchscreen/sur40.c +@@ -661,7 +661,7 @@ static int sur40_probe(struct usb_interface *interface, + int error; + + /* Check if we really have the right interface. */ +- iface_desc = &interface->altsetting[0]; ++ iface_desc = interface->cur_altsetting; + if (iface_desc->desc.bInterfaceClass != 0xFF) + return -ENODEV; + +-- +2.16.4 + diff --git a/patches.suse/Input-synaptics-rmi4-simplify-data-read-in-rmi_f54_w.patch b/patches.suse/Input-synaptics-rmi4-simplify-data-read-in-rmi_f54_w.patch new file mode 100644 index 0000000..ed9ad70 --- /dev/null +++ b/patches.suse/Input-synaptics-rmi4-simplify-data-read-in-rmi_f54_w.patch @@ -0,0 +1,120 @@ +From d843304b22e84b41dd00663a13cb960d2f4d064d Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Mon, 4 Nov 2019 15:59:38 -0800 +Subject: [PATCH] Input: synaptics-rmi4 - simplify data read in rmi_f54_work +Git-commit: d843304b22e84b41dd00663a13cb960d2f4d064d +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +The body of the for loop is only ever run once as the second standard_report +element is never changed from its initial zero init, so the loop condition is +never satisfies after the first run. Equally the start member of the first +element is never changed from 0, so the index offset is always a constant 0. + +Remove this needless obfuscation of the code and write it in a straight +forward manner. + +Signed-off-by: Lucas Stach +Link: https://lore.kernel.org/r/20191104114454.10500-3-l.stach@pengutronix.de +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/rmi4/rmi_f54.c | 48 +++++++++++++++----------------------------- + 1 file changed, 16 insertions(+), 32 deletions(-) + +diff --git a/drivers/input/rmi4/rmi_f54.c b/drivers/input/rmi4/rmi_f54.c +index 710b02595486..514f5568b74d 100644 +--- a/drivers/input/rmi4/rmi_f54.c ++++ b/drivers/input/rmi4/rmi_f54.c +@@ -81,11 +81,6 @@ static const char * const rmi_f54_report_type_names[] = { + = "Full Raw Capacitance RX Offset Removed", + }; + +-struct rmi_f54_reports { +- int start; +- int size; +-}; +- + struct f54_data { + struct rmi_function *fn; + +@@ -98,7 +93,6 @@ struct f54_data { + enum rmi_f54_report_type report_type; + u8 *report_data; + int report_size; +- struct rmi_f54_reports standard_report[2]; + + bool is_busy; + struct mutex status_mutex; +@@ -516,13 +510,10 @@ static void rmi_f54_work(struct work_struct *work) + struct f54_data *f54 = container_of(work, struct f54_data, work.work); + struct rmi_function *fn = f54->fn; + u8 fifo[2]; +- struct rmi_f54_reports *report; + int report_size; + u8 command; +- u8 *data; + int error; + +- data = f54->report_data; + report_size = rmi_f54_get_report_size(f54); + if (report_size == 0) { + dev_err(&fn->dev, "Bad report size, report type=%d\n", +@@ -530,8 +521,6 @@ static void rmi_f54_work(struct work_struct *work) + error = -EINVAL; + goto error; /* retry won't help */ + } +- f54->standard_report[0].size = report_size; +- report = f54->standard_report; + + mutex_lock(&f54->data_mutex); + +@@ -556,28 +545,23 @@ static void rmi_f54_work(struct work_struct *work) + + rmi_dbg(RMI_DEBUG_FN, &fn->dev, "Get report command completed, reading data\n"); + +- report_size = 0; +- for (; report->size; report++) { +- fifo[0] = report->start & 0xff; +- fifo[1] = (report->start >> 8) & 0xff; +- error = rmi_write_block(fn->rmi_dev, +- fn->fd.data_base_addr + F54_FIFO_OFFSET, +- fifo, sizeof(fifo)); +- if (error) { +- dev_err(&fn->dev, "Failed to set fifo start offset\n"); +- goto abort; +- } ++ fifo[0] = 0; ++ fifo[1] = 0; ++ error = rmi_write_block(fn->rmi_dev, ++ fn->fd.data_base_addr + F54_FIFO_OFFSET, ++ fifo, sizeof(fifo)); ++ if (error) { ++ dev_err(&fn->dev, "Failed to set fifo start offset\n"); ++ goto abort; ++ } + +- error = rmi_read_block(fn->rmi_dev, fn->fd.data_base_addr + +- F54_REPORT_DATA_OFFSET, data, +- report->size); +- if (error) { +- dev_err(&fn->dev, "%s: read [%d bytes] returned %d\n", +- __func__, report->size, error); +- goto abort; +- } +- data += report->size; +- report_size += report->size; ++ error = rmi_read_block(fn->rmi_dev, fn->fd.data_base_addr + ++ F54_REPORT_DATA_OFFSET, f54->report_data, ++ report_size); ++ if (error) { ++ dev_err(&fn->dev, "%s: read [%d bytes] returned %d\n", ++ __func__, report_size, error); ++ goto abort; + } + + abort: +-- +2.16.4 + diff --git a/patches.suse/KVM-Clean-up-__kvm_gfn_to_hva_cache_init-and-its-cal.patch b/patches.suse/KVM-Clean-up-__kvm_gfn_to_hva_cache_init-and-its-cal.patch new file mode 100644 index 0000000..3f020f7 --- /dev/null +++ b/patches.suse/KVM-Clean-up-__kvm_gfn_to_hva_cache_init-and-its-cal.patch @@ -0,0 +1,77 @@ +From: Sean Christopherson +Date: Thu, 9 Jan 2020 14:58:55 -0500 +Subject: KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers +Patch-mainline: v5.6-rc1 +Git-commit: 6ad1e29fe0aba843dfffc714fced0ef6a2e19502 +References: bsc#1133021 + +Barret reported a (technically benign) bug where nr_pages_avail can be +accessed without being initialized if gfn_to_hva_many() fails. + + virt/kvm/kvm_main.c:2193:13: warning: 'nr_pages_avail' may be + used uninitialized in this function [-Wmaybe-uninitialized] + +Rather than simply squashing the warning by initializing nr_pages_avail, +fix the underlying issues by reworking __kvm_gfn_to_hva_cache_init() to +return immediately instead of continuing on. Now that all callers check +the result and/or bail immediately on a bad hva, there's no need to +explicitly nullify the memslot on error. + +Reported-by: Barret Rhoden +Fixes: f1b9dd5eb86c ("kvm: Disallow wraparound in kvm_gfn_to_hva_cache_init") +Cc: Jim Mattson +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Acked-by: Liang Yan +--- + virt/kvm/kvm_main.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2002,33 +2002,36 @@ static int __kvm_gfn_to_hva_cache_init(s + gfn_t end_gfn = (gpa + len - 1) >> PAGE_SHIFT; + gfn_t nr_pages_needed = end_gfn - start_gfn + 1; + gfn_t nr_pages_avail; +- int r = start_gfn <= end_gfn ? 0 : -EINVAL; + +- ghc->gpa = gpa; ++ /* Update ghc->generation before performing any error checks. */ + ghc->generation = slots->generation; +- ghc->len = len; +- ghc->hva = KVM_HVA_ERR_BAD; ++ ++ if (start_gfn > end_gfn) { ++ ghc->hva = KVM_HVA_ERR_BAD; ++ return -EINVAL; ++ } + + /* + * If the requested region crosses two memslots, we still + * verify that the entire region is valid here. + */ +- while (!r && start_gfn <= end_gfn) { ++ for ( ; start_gfn <= end_gfn; start_gfn += nr_pages_avail) { + ghc->memslot = __gfn_to_memslot(slots, start_gfn); + ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, + &nr_pages_avail); + if (kvm_is_error_hva(ghc->hva)) +- r = -EFAULT; +- start_gfn += nr_pages_avail; ++ return -EFAULT; + } + + /* Use the slow path for cross page reads and writes. */ +- if (!r && nr_pages_needed == 1) ++ if (nr_pages_needed == 1) + ghc->hva += offset; + else + ghc->memslot = NULL; + +- return r; ++ ghc->gpa = gpa; ++ ghc->len = len; ++ return 0; + } + + int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc, diff --git a/patches.suse/KVM-PPC-Book3S-HV-Uninit-vCPU-if-vcore-creation-fail.patch b/patches.suse/KVM-PPC-Book3S-HV-Uninit-vCPU-if-vcore-creation-fail.patch new file mode 100644 index 0000000..beb46ed --- /dev/null +++ b/patches.suse/KVM-PPC-Book3S-HV-Uninit-vCPU-if-vcore-creation-fail.patch @@ -0,0 +1,48 @@ +From 1a978d9d3e72ddfa40ac60d26301b154247ee0bc Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 18 Dec 2019 13:54:46 -0800 +Subject: [PATCH] KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails + +References: bsc#1061840 +Patch-mainline: v5.6-rc1 +Git-commit: 1a978d9d3e72ddfa40ac60d26301b154247ee0bc + +Call kvm_vcpu_uninit() if vcore creation fails to avoid leaking any +resources allocated by kvm_vcpu_init(), i.e. the vcpu->run page. + +Fixes: 371fefd6f2dc4 ("KVM: PPC: Allow book3s_hv guests to use SMT processor modes") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kurz +Signed-off-by: Sean Christopherson +Acked-by: Paul Mackerras +Signed-off-by: Paolo Bonzini +Acked-by: Michal Suchanek +--- + arch/powerpc/kvm/book3s_hv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 6ff3f896d908..ef6aa63b071b 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -2368,7 +2368,7 @@ static struct kvm_vcpu *kvmppc_core_vcpu_create_hv(struct kvm *kvm, + mutex_unlock(&kvm->lock); + + if (!vcore) +- goto free_vcpu; ++ goto uninit_vcpu; + + spin_lock(&vcore->lock); + ++vcore->num_threads; +@@ -2385,6 +2385,8 @@ static struct kvm_vcpu *kvmppc_core_vcpu_create_hv(struct kvm *kvm, + + return vcpu; + ++uninit_vcpu: ++ kvm_vcpu_uninit(vcpu); + free_vcpu: + kmem_cache_free(kvm_vcpu_cache, vcpu); + out: +-- +2.23.0 + diff --git a/patches.suse/KVM-PPC-Book3S-PR-Fix-Werror-return-type-build-failu.patch b/patches.suse/KVM-PPC-Book3S-PR-Fix-Werror-return-type-build-failu.patch new file mode 100644 index 0000000..f2fb9a3 --- /dev/null +++ b/patches.suse/KVM-PPC-Book3S-PR-Fix-Werror-return-type-build-failu.patch @@ -0,0 +1,32 @@ +From fd24a8624eb29d3b6b7df68096ce0321b19b03c6 Mon Sep 17 00:00:00 2001 +From: David Michael +Date: Sun, 26 Jan 2020 17:31:58 -0500 +Subject: [PATCH] KVM: PPC: Book3S PR: Fix -Werror=return-type build failure + +References: bsc#1061840 +Patch-mainline: v5.6-rc1 +Git-commit: fd24a8624eb29d3b6b7df68096ce0321b19b03c6 + +Fixes: 3a167beac07c ("kvm: powerpc: Add kvmppc_ops callback") +Signed-off-by: David Michael +Signed-off-by: Paul Mackerras +Acked-by: Michal Suchanek +--- + arch/powerpc/kvm/book3s_pr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/kvm/book3s_pr.c b/arch/powerpc/kvm/book3s_pr.c +index ce4fcf76e53e..eb86a2f26986 100644 +--- a/arch/powerpc/kvm/book3s_pr.c ++++ b/arch/powerpc/kvm/book3s_pr.c +@@ -2030,6 +2030,7 @@ static int kvm_vm_ioctl_get_smmu_info_pr(struct kvm *kvm, + { + /* We should not get called */ + BUG(); ++ return 0; + } + #endif /* CONFIG_PPC64 */ + +-- +2.23.0 + diff --git a/patches.suse/KVM-PPC-Book3S-PR-Free-shared-page-if-mmu-initializa.patch b/patches.suse/KVM-PPC-Book3S-PR-Free-shared-page-if-mmu-initializa.patch new file mode 100644 index 0000000..c45e4d4 --- /dev/null +++ b/patches.suse/KVM-PPC-Book3S-PR-Free-shared-page-if-mmu-initializa.patch @@ -0,0 +1,46 @@ +From cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 18 Dec 2019 13:54:47 -0800 +Subject: [PATCH] KVM: PPC: Book3S PR: Free shared page if mmu initialization + fails + +References: bsc#1061840 +Patch-mainline: v5.6-rc1 +Git-commit: cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 + +Explicitly free the shared page if kvmppc_mmu_init() fails during +kvmppc_core_vcpu_create(), as the page is freed only in +kvmppc_core_vcpu_free(), which is not reached via kvm_vcpu_uninit(). + +Fixes: 96bc451a15329 ("KVM: PPC: Introduce shared page") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kurz +Signed-off-by: Sean Christopherson +Acked-by: Paul Mackerras +Signed-off-by: Paolo Bonzini +Acked-by: Michal Suchanek +--- + arch/powerpc/kvm/book3s_pr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kvm/book3s_pr.c b/arch/powerpc/kvm/book3s_pr.c +index ce4fcf76e53e..26ca62b6d773 100644 +--- a/arch/powerpc/kvm/book3s_pr.c ++++ b/arch/powerpc/kvm/book3s_pr.c +@@ -1806,10 +1806,12 @@ static struct kvm_vcpu *kvmppc_core_vcpu_create_pr(struct kvm *kvm, + + err = kvmppc_mmu_init(vcpu); + if (err < 0) +- goto uninit_vcpu; ++ goto free_shared_page; + + return vcpu; + ++free_shared_page: ++ free_page((unsigned long)vcpu->arch.shared); + uninit_vcpu: + kvm_vcpu_uninit(vcpu); + free_shadow_vcpu: +-- +2.23.0 + diff --git a/patches.suse/NFC-pn544-Adjust-indentation-in-pn544_hci_check_pres.patch b/patches.suse/NFC-pn544-Adjust-indentation-in-pn544_hci_check_pres.patch new file mode 100644 index 0000000..10356b3 --- /dev/null +++ b/patches.suse/NFC-pn544-Adjust-indentation-in-pn544_hci_check_pres.patch @@ -0,0 +1,49 @@ +From 5080832627b65e3772a35d1dced68c64e2b24442 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 17 Dec 2019 18:21:52 -0700 +Subject: [PATCH] NFC: pn544: Adjust indentation in pn544_hci_check_presence +Git-commit: 5080832627b65e3772a35d1dced68c64e2b24442 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Clang warns + +../drivers/nfc/pn544/pn544.c:696:4: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + return nfc_hci_send_cmd(hdev, NFC_HCI_RF_READER_A_GATE, + ^ +../drivers/nfc/pn544/pn544.c:692:3: note: previous statement is here + if (target->nfcid1_len != 4 && target->nfcid1_len != 7 && + ^ +1 warning generated. + +This warning occurs because there is a space after the tab on this line. +Remove it so that the indentation is consistent with the Linux kernel +coding style and clang no longer warns. + +Fixes: da052850b911 ("NFC: Add pn544 presence check for different targets") +Link: https://github.com/ClangBuiltLinux/linux/issues/814 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/nfc/pn544/pn544.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nfc/pn544/pn544.c b/drivers/nfc/pn544/pn544.c +index cda996f6954e..2b83156efe3f 100644 +--- a/drivers/nfc/pn544/pn544.c ++++ b/drivers/nfc/pn544/pn544.c +@@ -693,7 +693,7 @@ static int pn544_hci_check_presence(struct nfc_hci_dev *hdev, + target->nfcid1_len != 10) + return -EOPNOTSUPP; + +- return nfc_hci_send_cmd(hdev, NFC_HCI_RF_READER_A_GATE, ++ return nfc_hci_send_cmd(hdev, NFC_HCI_RF_READER_A_GATE, + PN544_RF_READER_CMD_ACTIVATE_NEXT, + target->nfcid1, target->nfcid1_len, NULL); + } else if (target->supported_protocols & (NFC_PROTO_JEWEL_MASK | +-- +2.16.4 + diff --git a/patches.suse/PCI-Add-DMA-alias-quirk-for-Intel-VCA-NTB.patch b/patches.suse/PCI-Add-DMA-alias-quirk-for-Intel-VCA-NTB.patch new file mode 100644 index 0000000..4f52c93 --- /dev/null +++ b/patches.suse/PCI-Add-DMA-alias-quirk-for-Intel-VCA-NTB.patch @@ -0,0 +1,75 @@ +From 56b4cd4b7da9ee95778eb5c8abea49f641ebfd91 Mon Sep 17 00:00:00 2001 +From: Slawomir Pawlowski +Date: Tue, 17 Sep 2019 09:20:48 +0000 +Subject: [PATCH] PCI: Add DMA alias quirk for Intel VCA NTB +Git-commit: 56b4cd4b7da9ee95778eb5c8abea49f641ebfd91 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +Intel Visual Compute Accelerator (VCA) is a family of PCIe add-in devices +exposing computational units via Non Transparent Bridges (NTB, PEX 87xx). + +Similarly to MIC x200, we need to add DMA aliases to allow buffer access +when IOMMU is enabled. + +Add aliases to allow computational unit access to host memory. These +aliases mark the whole VCA device as one IOMMU group. + +All possible slot numbers (0x20) are used, since we are unable to tell what +slot is used on other side. This quirk is intended for both host and +computational unit sides. The VCA devices have up to five functions: four +for DMA channels and one additional. + +Link: https://lore.kernel.org/r/5683A335CC8BE1438C3C30C49DCC38DF637CED8E@IRSMSX102.ger.corp.intel.com +Signed-off-by: Slawomir Pawlowski +Signed-off-by: Przemek Kitszel +Signed-off-by: Bjorn Helgaas +Acked-by: Takashi Iwai + +--- + drivers/pci/quirks.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4136,6 +4136,40 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_I + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2264, quirk_mic_x200_dma_alias); + + /* ++ * Intel Visual Compute Accelerator (VCA) is a family of PCIe add-in devices ++ * exposing computational units via Non Transparent Bridges (NTB, PEX 87xx). ++ * ++ * Similarly to MIC x200, we need to add DMA aliases to allow buffer access ++ * when IOMMU is enabled. These aliases allow computational unit access to ++ * host memory. These aliases mark the whole VCA device as one IOMMU ++ * group. ++ * ++ * All possible slot numbers (0x20) are used, since we are unable to tell ++ * what slot is used on other side. This quirk is intended for both host ++ * and computational unit sides. The VCA devices have up to five functions ++ * (four for DMA channels and one additional). ++ */ ++static void quirk_pex_vca_alias(struct pci_dev *pdev) ++{ ++ const unsigned int num_pci_slots = 0x20; ++ unsigned int slot; ++ ++ for (slot = 0; slot < num_pci_slots; slot++) { ++ pci_add_dma_alias(pdev, PCI_DEVFN(slot, 0x0)); ++ pci_add_dma_alias(pdev, PCI_DEVFN(slot, 0x1)); ++ pci_add_dma_alias(pdev, PCI_DEVFN(slot, 0x2)); ++ pci_add_dma_alias(pdev, PCI_DEVFN(slot, 0x3)); ++ pci_add_dma_alias(pdev, PCI_DEVFN(slot, 0x4)); ++ } ++} ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2954, quirk_pex_vca_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2955, quirk_pex_vca_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2956, quirk_pex_vca_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2958, quirk_pex_vca_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2959, quirk_pex_vca_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x295A, quirk_pex_vca_alias); ++ ++/* + * The IOMMU and interrupt controller on Broadcom Vulcan/Cavium ThunderX2 are + * associated not at the root bus, but at a bridge below. This quirk avoids + * generating invalid DMA aliases. diff --git a/patches.suse/PCI-Don-t-disable-bridge-BARs-when-assigning-bus-res.patch b/patches.suse/PCI-Don-t-disable-bridge-BARs-when-assigning-bus-res.patch new file mode 100644 index 0000000..e523bc6 --- /dev/null +++ b/patches.suse/PCI-Don-t-disable-bridge-BARs-when-assigning-bus-res.patch @@ -0,0 +1,110 @@ +From 9db8dc6d0785225c42a37be7b44d1b07b31b8957 Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe +Date: Wed, 8 Jan 2020 14:32:08 -0700 +Subject: [PATCH] PCI: Don't disable bridge BARs when assigning bus resources +Git-commit: 9db8dc6d0785225c42a37be7b44d1b07b31b8957 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Some PCI bridges implement BARs in addition to bridge windows. For +example, here's a PLX switch: + + 04:00.0 PCI bridge: PLX Technology, Inc. PEX 8724 24-Lane, 6-Port PCI + Express Gen 3 (8 GT/s) Switch, 19 x 19mm FCBGA (rev ca) + (prog-if 00 [Normal decode]) + Flags: bus master, fast devsel, latency 0, IRQ 30, NUMA node 0 + Memory at 90a00000 (32-bit, non-prefetchable) [size=256K] + Bus: primary=04, secondary=05, subordinate=0a, sec-latency=0 + I/O behind bridge: 00002000-00003fff + Memory behind bridge: 90000000-909fffff + Prefetchable memory behind bridge: 0000380000800000-0000380000bfffff + +Previously, when the kernel assigned resource addresses (with the +pci=realloc command line parameter, for example) it could clear the struct +resource corresponding to the BAR. When this happened, lspci would report +this BAR as "ignored": + + Region 0: Memory at (32-bit, non-prefetchable) [size=256K] + +This is because the kernel reports a zero start address and zero flags +in the corresponding sysfs resource file and in /proc/bus/pci/devices. +Investigation with 'lspci -x', however, shows the BIOS-assigned address +will still be programmed in the device's BAR registers. + +It's clearly a bug that the kernel lost track of the BAR value, but in most +cases, this still won't result in a visible issue because nothing uses the +memory, so nothing is affected. However, when an IOMMU is in use, it will +not reserve this space in the IOVA because the kernel no longer thinks the +range is valid. (See dmar_init_reserved_ranges() for the Intel +implementation of this.) + +Without the proper reserved range, a DMA mapping may allocate an IOVA that +matches a bridge BAR, which results in DMA accesses going to the BAR +instead of the intended RAM. + +The problem was in pci_assign_unassigned_root_bus_resources(). When any +resource from a bridge device fails to get assigned, the code set the +resource's flags to zero. This makes sense for bridge windows, as they +will be re-enabled later, but for regular BARs, it makes the kernel +permanently lose track of the fact that they decode address space. + +Change pci_assign_unassigned_root_bus_resources() and +pci_assign_unassigned_bridge_resources() so they only clear "res->flags" +for bridge *windows*, not bridge BARs. + +Fixes: da7822e5ad71 ("PCI: update bridge resources to get more big ranges when allocating space (again)") +Link: https://lore.kernel.org/r/20200108213208.4612-1-logang@deltatee.com +[bhelgaas: commit log, check for pci_is_bridge()] +Reported-by: Kit Chow +Signed-off-by: Logan Gunthorpe +Signed-off-by: Bjorn Helgaas +Acked-by: Takashi Iwai + +--- + drivers/pci/setup-bus.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/pci/setup-bus.c ++++ b/drivers/pci/setup-bus.c +@@ -1825,12 +1825,18 @@ again: + /* restore size and flags */ + list_for_each_entry(fail_res, &fail_head, list) { + struct resource *res = fail_res->res; ++ int idx; + + res->start = fail_res->start; + res->end = fail_res->end; + res->flags = fail_res->flags; +- if (fail_res->dev->subordinate) +- res->flags = 0; ++ ++ if (pci_is_bridge(fail_res->dev)) { ++ idx = res - &fail_res->dev->resource[0]; ++ if (idx >= PCI_BRIDGE_RESOURCES && ++ idx <= PCI_BRIDGE_RESOURCE_END) ++ res->flags = 0; ++ } + } + free_list(&fail_head); + +@@ -2071,12 +2077,18 @@ again: + /* restore size and flags */ + list_for_each_entry(fail_res, &fail_head, list) { + struct resource *res = fail_res->res; ++ int idx; + + res->start = fail_res->start; + res->end = fail_res->end; + res->flags = fail_res->flags; +- if (fail_res->dev->subordinate) +- res->flags = 0; ++ ++ if (pci_is_bridge(fail_res->dev)) { ++ idx = res - &fail_res->dev->resource[0]; ++ if (idx >= PCI_BRIDGE_RESOURCES && ++ idx <= PCI_BRIDGE_RESOURCE_END) ++ res->flags = 0; ++ } + } + free_list(&fail_head); + diff --git a/patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch b/patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch new file mode 100644 index 0000000..90606c9 --- /dev/null +++ b/patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch @@ -0,0 +1,31 @@ +From: Navid Emamdoost +Date: Mon, 25 Nov 2019 13:52:52 -0600 +Subject: PCI/IOV: Fix memory leak in pci_iov_add_virtfn() +Git-commit: 8c386cc817878588195dde38e919aa6ba9409d58 +Patch-mainline: 5.6-rc1 +References: git-fixes + +In the implementation of pci_iov_add_virtfn() the allocated virtfn is +leaked if pci_setup_device() fails. The error handling is not calling +pci_stop_and_remove_bus_device(). Change the goto label to failed2. + +Fixes: 156c55325d30 ("PCI: Check for pci_setup_device() failure in pci_iov_add_virtfn()") +Link: https://lore.kernel.org/r/20191125195255.23740-1-navid.emamdoost@gmail.com +Signed-off-by: Navid Emamdoost +Signed-off-by: Bjorn Helgaas +Signed-off-by: Jiri Slaby +--- + drivers/pci/iov.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -137,7 +137,7 @@ int pci_iov_add_virtfn(struct pci_dev *d + pci_read_config_word(dev, iov->pos + PCI_SRIOV_VF_DID, &virtfn->device); + rc = pci_setup_device(virtfn); + if (rc) +- goto failed0; ++ goto failed1; + + virtfn->dev.parent = dev->dev.parent; + virtfn->physfn = pci_dev_get(dev); diff --git a/patches.suse/PCI-rpadlpar-Fix-leaked-device_node-references-in-ad.patch b/patches.suse/PCI-rpadlpar-Fix-leaked-device_node-references-in-ad.patch index f029f91..30d1c4f 100644 --- a/patches.suse/PCI-rpadlpar-Fix-leaked-device_node-references-in-ad.patch +++ b/patches.suse/PCI-rpadlpar-Fix-leaked-device_node-references-in-ad.patch @@ -1,10 +1,12 @@ From fb26228bfc4ce3951544848555c0278e2832e618 Mon Sep 17 00:00:00 2001 From: Tyrel Datwyler Date: Fri, 22 Mar 2019 13:27:21 -0500 -Subject: [PATCH] PCI: rpadlpar: Fix leaked device_node references in add/remove paths -Git-commit: fb26228bfc4ce3951544848555c0278e2832e618 -Patch-mainline: v5.2-rc1 +Subject: [PATCH] PCI: rpadlpar: Fix leaked device_node references in + add/remove paths + References: bsc#1051510 +Patch-mainline: v5.2-rc1 +Git-commit: fb26228bfc4ce3951544848555c0278e2832e618 The find_dlpar_node() helper returns a device node with its reference incremented. Both the add and remove paths use this helper for find the @@ -18,23 +20,24 @@ iterate over its children. Signed-off-by: Tyrel Datwyler Signed-off-by: Bjorn Helgaas -Acked-by: Takashi Iwai - +Acked-by: Michal Suchanek --- - drivers/pci/hotplug/rpadlpar_core.c | 4 ++++ + drivers/pci/hotplug/rpadlpar_core.c | 4 ++++ 1 file changed, 4 insertions(+) +diff --git a/drivers/pci/hotplug/rpadlpar_core.c b/drivers/pci/hotplug/rpadlpar_core.c +index e2356a9c7088..182f9e3443ee 100644 --- a/drivers/pci/hotplug/rpadlpar_core.c +++ b/drivers/pci/hotplug/rpadlpar_core.c -@@ -55,6 +55,7 @@ static struct device_node *find_vio_slot - if ((rc == 0) && (!strcmp(drc_name, name))) +@@ -51,6 +51,7 @@ static struct device_node *find_vio_slot_node(char *drc_name) + if (rc == 0) break; } + of_node_put(parent); return dn; } -@@ -78,6 +79,7 @@ static struct device_node *find_php_slot +@@ -71,6 +72,7 @@ static struct device_node *find_php_slot_pci_node(char *drc_name, return np; } @@ -42,7 +45,7 @@ Acked-by: Takashi Iwai static struct device_node *find_dlpar_node(char *drc_name, int *node_type) { struct device_node *dn; -@@ -313,6 +315,7 @@ int dlpar_add_slot(char *drc_name) +@@ -306,6 +308,7 @@ int dlpar_add_slot(char *drc_name) rc = dlpar_add_phb(drc_name, dn); break; } @@ -50,7 +53,7 @@ Acked-by: Takashi Iwai printk(KERN_INFO "%s: slot %s added\n", DLPAR_MODULE_NAME, drc_name); exit: -@@ -446,6 +449,7 @@ int dlpar_remove_slot(char *drc_name) +@@ -439,6 +442,7 @@ int dlpar_remove_slot(char *drc_name) rc = dlpar_remove_pci_slot(drc_name, dn); break; } @@ -58,3 +61,6 @@ Acked-by: Takashi Iwai vm_unmap_aliases(); printk(KERN_INFO "%s: slot %s removed\n", DLPAR_MODULE_NAME, drc_name); +-- +2.23.0 + diff --git a/patches.suse/PCI-rpaphp-Add-drc-info-support-for-hotplug-slot-reg.patch b/patches.suse/PCI-rpaphp-Add-drc-info-support-for-hotplug-slot-reg.patch new file mode 100644 index 0000000..78da6d2 --- /dev/null +++ b/patches.suse/PCI-rpaphp-Add-drc-info-support-for-hotplug-slot-reg.patch @@ -0,0 +1,140 @@ +From efeda8fada43783635f0274b0a0fa0d0fb6debb8 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Sun, 10 Nov 2019 23:21:33 -0600 +Subject: [PATCH] PCI: rpaphp: Add drc-info support for hotplug slot + registration + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v5.5-rc1 +Git-commit: efeda8fada43783635f0274b0a0fa0d0fb6debb8 + +Split physical PCI slot registration scanning into separate routines +that support the old ibm,drc-* properties and one that supports the +new compressed ibm,drc-info property. + +Signed-off-by: Tyrel Datwyler +Acked-by: Bjorn Helgaas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-7-git-send-email-tyreld@linux.ibm.com +Acked-by: Michal Suchanek +--- + drivers/pci/hotplug/rpaphp_core.c | 89 ++++++++++++++++++++++++------- + 1 file changed, 69 insertions(+), 20 deletions(-) + +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index e18e9a0e959c..75d577126144 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -328,23 +328,48 @@ static int is_php_dn(struct device_node *dn, const int **indexes, + return 1; + } + +-/** +- * rpaphp_add_slot -- declare a hotplug slot to the hotplug subsystem. +- * @dn: device node of slot +- * +- * This subroutine will register a hotpluggable slot with the +- * PCI hotplug infrastructure. This routine is typically called +- * during boot time, if the hotplug slots are present at boot time, +- * or is called later, by the dlpar add code, if the slot is +- * being dynamically added during runtime. +- * +- * If the device node points at an embedded (built-in) slot, this +- * routine will just return without doing anything, since embedded +- * slots cannot be hotplugged. +- * +- * To remove a slot, it suffices to call rpaphp_deregister_slot(). +- */ +-int rpaphp_add_slot(struct device_node *dn) ++static int rpaphp_drc_info_add_slot(struct device_node *dn) ++{ ++ struct slot *slot; ++ struct property *info; ++ struct of_drc_info drc; ++ char drc_name[MAX_DRC_NAME_LEN]; ++ const __be32 *cur; ++ u32 count; ++ int retval = 0; ++ ++ info = of_find_property(dn, "ibm,drc-info", NULL); ++ if (!info) ++ return 0; ++ ++ cur = of_prop_next_u32(info, NULL, &count); ++ if (cur) ++ cur++; ++ else ++ return 0; ++ ++ of_read_drc_info_cell(&info, &cur, &drc); ++ if (!is_php_type(drc.drc_type)) ++ return 0; ++ ++ sprintf(drc_name, "%s%d", drc.drc_name_prefix, drc.drc_name_suffix_start); ++ ++ slot = alloc_slot_struct(dn, drc.drc_index_start, drc_name, drc.drc_power_domain); ++ if (!slot) ++ return -ENOMEM; ++ ++ slot->type = simple_strtoul(drc.drc_type, NULL, 10); ++ retval = rpaphp_enable_slot(slot); ++ if (!retval) ++ retval = rpaphp_register_slot(slot); ++ ++ if (retval) ++ dealloc_slot_struct(slot); ++ ++ return retval; ++} ++ ++static int rpaphp_drc_add_slot(struct device_node *dn) + { + struct slot *slot; + int retval = 0; +@@ -352,9 +377,6 @@ int rpaphp_add_slot(struct device_node *dn) + const int *indexes, *names, *types, *power_domains; + char *name, *type; + +- if (!dn->name || strcmp(dn->name, "pci")) +- return 0; +- + /* If this is not a hotplug slot, return without doing anything. */ + if (!is_php_dn(dn, &indexes, &names, &types, &power_domains)) + return 0; +@@ -393,6 +415,33 @@ int rpaphp_add_slot(struct device_node *dn) + /* XXX FIXME: reports a failure only if last entry in loop failed */ + return retval; + } ++ ++/** ++ * rpaphp_add_slot -- declare a hotplug slot to the hotplug subsystem. ++ * @dn: device node of slot ++ * ++ * This subroutine will register a hotpluggable slot with the ++ * PCI hotplug infrastructure. This routine is typically called ++ * during boot time, if the hotplug slots are present at boot time, ++ * or is called later, by the dlpar add code, if the slot is ++ * being dynamically added during runtime. ++ * ++ * If the device node points at an embedded (built-in) slot, this ++ * routine will just return without doing anything, since embedded ++ * slots cannot be hotplugged. ++ * ++ * To remove a slot, it suffices to call rpaphp_deregister_slot(). ++ */ ++int rpaphp_add_slot(struct device_node *dn) ++{ ++ if (!dn->name || strcmp(dn->name, "pci")) ++ return 0; ++ ++ if (of_find_property(dn, "ibm,drc-info", NULL)) ++ return rpaphp_drc_info_add_slot(dn); ++ else ++ return rpaphp_drc_add_slot(dn); ++} + EXPORT_SYMBOL_GPL(rpaphp_add_slot); + + static void __exit cleanup_slots(void) +-- +2.23.0 + diff --git a/patches.suse/PCI-rpaphp-Annotate-and-correctly-byte-swap-DRC-prop.patch b/patches.suse/PCI-rpaphp-Annotate-and-correctly-byte-swap-DRC-prop.patch new file mode 100644 index 0000000..18cccf7 --- /dev/null +++ b/patches.suse/PCI-rpaphp-Annotate-and-correctly-byte-swap-DRC-prop.patch @@ -0,0 +1,116 @@ +From 0737686778c6dbe0908d684dd5b9c05b127526ba Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Sun, 10 Nov 2019 23:21:35 -0600 +Subject: [PATCH] PCI: rpaphp: Annotate and correctly byte swap DRC properties + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v5.5-rc1 +Git-commit: 0737686778c6dbe0908d684dd5b9c05b127526ba + +The device tree is in big endian format and any properties directly +retrieved using OF helpers that don't explicitly byte swap should +be annotated. In particular there are several places where we grab +the opaque property value for the old ibm,drc-* properties and the +ibm,my-drc-index property. + +Fix this for better static checking by annotating values we know to +explicitly big endian, and byte swap where appropriate. + +Signed-off-by: Tyrel Datwyler +Acked-by: Bjorn Helgaas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-9-git-send-email-tyreld@linux.ibm.com +Acked-by: Michal Suchanek +--- + drivers/pci/hotplug/rpaphp_core.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index 75d577126144..129534c6ad6b 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -154,11 +154,11 @@ static enum pci_bus_speed get_max_bus_speed(struct slot *slot) + return speed; + } + +-static int get_children_props(struct device_node *dn, const int **drc_indexes, +- const int **drc_names, const int **drc_types, +- const int **drc_power_domains) ++static int get_children_props(struct device_node *dn, const __be32 **drc_indexes, ++ const __be32 **drc_names, const __be32 **drc_types, ++ const __be32 **drc_power_domains) + { +- const int *indexes, *names, *types, *domains; ++ const __be32 *indexes, *names, *types, *domains; + + indexes = of_get_property(dn, "ibm,drc-indexes", NULL); + names = of_get_property(dn, "ibm,drc-names", NULL); +@@ -194,8 +194,8 @@ static int rpaphp_check_drc_props_v1(struct device_node *dn, char *drc_name, + char *drc_type, unsigned int my_index) + { + char *name_tmp, *type_tmp; +- const int *indexes, *names; +- const int *types, *domains; ++ const __be32 *indexes, *names; ++ const __be32 *types, *domains; + int i, rc; + + rc = get_children_props(dn->parent, &indexes, &names, &types, &domains); +@@ -208,7 +208,7 @@ static int rpaphp_check_drc_props_v1(struct device_node *dn, char *drc_name, + + /* Iterate through parent properties, looking for my-drc-index */ + for (i = 0; i < be32_to_cpu(indexes[0]); i++) { +- if ((unsigned int) indexes[i + 1] == my_index) ++ if (be32_to_cpu(indexes[i + 1]) == my_index) + break; + + name_tmp += (strlen(name_tmp) + 1); +@@ -267,7 +267,7 @@ static int rpaphp_check_drc_props_v2(struct device_node *dn, char *drc_name, + int rpaphp_check_drc_props(struct device_node *dn, char *drc_name, + char *drc_type) + { +- const unsigned int *my_index; ++ const __be32 *my_index; + + my_index = of_get_property(dn, "ibm,my-drc-index", NULL); + if (!my_index) { +@@ -277,10 +277,10 @@ int rpaphp_check_drc_props(struct device_node *dn, char *drc_name, + + if (of_find_property(dn->parent, "ibm,drc-info", NULL)) + return rpaphp_check_drc_props_v2(dn, drc_name, drc_type, +- *my_index); ++ be32_to_cpu(*my_index)); + else + return rpaphp_check_drc_props_v1(dn, drc_name, drc_type, +- *my_index); ++ be32_to_cpu(*my_index)); + } + EXPORT_SYMBOL_GPL(rpaphp_check_drc_props); + +@@ -311,10 +311,11 @@ static int is_php_type(char *drc_type) + * for built-in pci slots (even when the built-in slots are + * dlparable.) + */ +-static int is_php_dn(struct device_node *dn, const int **indexes, +- const int **names, const int **types, const int **power_domains) ++static int is_php_dn(struct device_node *dn, const __be32 **indexes, ++ const __be32 **names, const __be32 **types, ++ const __be32 **power_domains) + { +- const int *drc_types; ++ const __be32 *drc_types; + int rc; + + rc = get_children_props(dn, indexes, names, &drc_types, power_domains); +@@ -374,7 +375,7 @@ static int rpaphp_drc_add_slot(struct device_node *dn) + struct slot *slot; + int retval = 0; + int i; +- const int *indexes, *names, *types, *power_domains; ++ const __be32 *indexes, *names, *types, *power_domains; + char *name, *type; + + /* If this is not a hotplug slot, return without doing anything. */ +-- +2.23.0 + diff --git a/patches.suse/PCI-rpaphp-Avoid-a-sometimes-uninitialized-warning.patch b/patches.suse/PCI-rpaphp-Avoid-a-sometimes-uninitialized-warning.patch new file mode 100644 index 0000000..c223c83 --- /dev/null +++ b/patches.suse/PCI-rpaphp-Avoid-a-sometimes-uninitialized-warning.patch @@ -0,0 +1,87 @@ +From 0df3e42167caaf9f8c7b64de3da40a459979afe8 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 3 Jun 2019 15:11:58 -0700 +Subject: [PATCH] PCI: rpaphp: Avoid a sometimes-uninitialized warning + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v5.4-rc1 +Git-commit: 0df3e42167caaf9f8c7b64de3da40a459979afe8 + +When building with -Wsometimes-uninitialized, clang warns: + +drivers/pci/hotplug/rpaphp_core.c:243:14: warning: variable 'fndit' is +used uninitialized whenever 'for' loop exits because its condition is +false [-Wsometimes-uninitialized] + for (j = 0; j < entries; j++) { + ^~~~~~~~~~~ +drivers/pci/hotplug/rpaphp_core.c:256:6: note: uninitialized use occurs +here + if (fndit) + ^~~~~ +drivers/pci/hotplug/rpaphp_core.c:243:14: note: remove the condition if +it is always true + for (j = 0; j < entries; j++) { + ^~~~~~~~~~~ +drivers/pci/hotplug/rpaphp_core.c:233:14: note: initialize the variable +'fndit' to silence this warning + int j, fndit; + ^ + = 0 + +fndit is only used to gate a sprintf call, which can be moved into the +loop to simplify the code and eliminate the local variable, which will +fix this warning. + +Fixes: 2fcf3ae508c2 ("hotplug/drc-info: Add code to search ibm,drc-info property") +Suggested-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Acked-by: Tyrel Datwyler +Acked-by: Joel Savitz +Signed-off-by: Michael Ellerman +Link: https://github.com/ClangBuiltLinux/linux/issues/504 +Link: https://lore.kernel.org/r/20190603221157.58502-1-natechancellor@gmail.com +Acked-by: Michal Suchanek +--- + drivers/pci/hotplug/rpaphp_core.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index bcd5d357ca23..c3899ee1db99 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -230,7 +230,7 @@ static int rpaphp_check_drc_props_v2(struct device_node *dn, char *drc_name, + struct of_drc_info drc; + const __be32 *value; + char cell_drc_name[MAX_DRC_NAME_LEN]; +- int j, fndit; ++ int j; + + info = of_find_property(dn->parent, "ibm,drc-info", NULL); + if (info == NULL) +@@ -245,17 +245,13 @@ static int rpaphp_check_drc_props_v2(struct device_node *dn, char *drc_name, + + /* Should now know end of current entry */ + +- if (my_index > drc.last_drc_index) +- continue; +- +- fndit = 1; +- break; ++ /* Found it */ ++ if (my_index <= drc.last_drc_index) { ++ sprintf(cell_drc_name, "%s%d", drc.drc_name_prefix, ++ my_index); ++ break; ++ } + } +- /* Found it */ +- +- if (fndit) +- sprintf(cell_drc_name, "%s%d", drc.drc_name_prefix, +- my_index); + + if (((drc_name == NULL) || + (drc_name && !strcmp(drc_name, cell_drc_name))) && +-- +2.23.0 + diff --git a/patches.suse/PCI-rpaphp-Correctly-match-ibm-my-drc-index-to-drc-n.patch b/patches.suse/PCI-rpaphp-Correctly-match-ibm-my-drc-index-to-drc-n.patch new file mode 100644 index 0000000..1bdafe7 --- /dev/null +++ b/patches.suse/PCI-rpaphp-Correctly-match-ibm-my-drc-index-to-drc-n.patch @@ -0,0 +1,51 @@ +From 4f9f2d3d7a434b7f882b72550194c9278f4a3925 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Sun, 10 Nov 2019 23:21:36 -0600 +Subject: [PATCH] PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name + when using drc-info + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v5.5-rc1 +Git-commit: 4f9f2d3d7a434b7f882b72550194c9278f4a3925 + +The newer ibm,drc-info property is a condensed description of the old +ibm,drc-* properties (ie. names, types, indexes, and power-domains). +When matching a drc-index to a drc-name we need to verify that the +index is within the start and last drc-index range and map it to a +drc-name using the drc-name-prefix and logical index. + +Fix the mapping by checking that the index is within the range of the +current drc-info entry, and build the name from the drc-name-prefix +concatenated with the starting drc-name-suffix value and the sequential +index obtained by subtracting ibm,my-drc-index from this entries +drc-start-index. + +Signed-off-by: Tyrel Datwyler +Acked-by: Bjorn Helgaas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-10-git-send-email-tyreld@linux.ibm.com +Acked-by: Michal Suchanek +--- + drivers/pci/hotplug/rpaphp_core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index 129534c6ad6b..951f7f216fb3 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -248,9 +248,10 @@ static int rpaphp_check_drc_props_v2(struct device_node *dn, char *drc_name, + /* Should now know end of current entry */ + + /* Found it */ +- if (my_index <= drc.last_drc_index) { ++ if (my_index >= drc.drc_index_start && my_index <= drc.last_drc_index) { ++ int index = my_index - drc.drc_index_start; + sprintf(cell_drc_name, "%s%d", drc.drc_name_prefix, +- my_index); ++ drc.drc_name_suffix_start + index); + break; + } + } +-- +2.23.0 + diff --git a/patches.suse/PCI-rpaphp-Don-t-rely-on-firmware-feature-to-imply-d.patch b/patches.suse/PCI-rpaphp-Don-t-rely-on-firmware-feature-to-imply-d.patch new file mode 100644 index 0000000..b58ff96 --- /dev/null +++ b/patches.suse/PCI-rpaphp-Don-t-rely-on-firmware-feature-to-imply-d.patch @@ -0,0 +1,49 @@ +From 52e2b0f16574afd082cff0f0e8567b2d9f68c033 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Sun, 10 Nov 2019 23:21:32 -0600 +Subject: [PATCH] PCI: rpaphp: Don't rely on firmware feature to imply drc-info + support + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v5.5-rc1 +Git-commit: 52e2b0f16574afd082cff0f0e8567b2d9f68c033 + +In the event that the partition is migrated to a platform with older +firmware that doesn't support the ibm,drc-info property the device +tree is modified to remove the ibm,drc-info property and replace it +with the older style ibm,drc-* properties for types, names, indexes, +and power-domains. One of the requirements of the drc-info firmware +feature is that the client is able to handle both the new property, +and old style properties at runtime. Therefore we can't rely on the +firmware feature alone to dictate which property is currently +present in the device tree. + +Fix this short coming by checking explicitly for the ibm,drc-info +property, and falling back to the older ibm,drc-* properties if it +doesn't exist. + +Signed-off-by: Tyrel Datwyler +Acked-by: Bjorn Helgaas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-6-git-send-email-tyreld@linux.ibm.com +Acked-by: Michal Suchanek +--- + drivers/pci/hotplug/rpaphp_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index e3502644a45c..e18e9a0e959c 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -275,7 +275,7 @@ int rpaphp_check_drc_props(struct device_node *dn, char *drc_name, + return -EINVAL; + } + +- if (firmware_has_feature(FW_FEATURE_DRC_INFO)) ++ if (of_find_property(dn->parent, "ibm,drc-info", NULL)) + return rpaphp_check_drc_props_v2(dn, drc_name, drc_type, + *my_index); + else +-- +2.23.0 + diff --git a/patches.suse/PCI-rpaphp-Fix-up-pointer-to-first-drc-info-entry.patch b/patches.suse/PCI-rpaphp-Fix-up-pointer-to-first-drc-info-entry.patch new file mode 100644 index 0000000..79322c4 --- /dev/null +++ b/patches.suse/PCI-rpaphp-Fix-up-pointer-to-first-drc-info-entry.patch @@ -0,0 +1,43 @@ +From 9723c25f99aff0451cfe6392e1b9fdd99d0bf9f0 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Sun, 10 Nov 2019 23:21:31 -0600 +Subject: [PATCH] PCI: rpaphp: Fix up pointer to first drc-info entry + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v5.5-rc1 +Git-commit: 9723c25f99aff0451cfe6392e1b9fdd99d0bf9f0 + +The first entry of the ibm,drc-info property is an int encoded count +of the number of drc-info entries that follow. The "value" pointer +returned by of_prop_next_u32() is still pointing at the this value +when we call of_read_drc_info_cell(), but the helper function +expects that value to be pointing at the first element of an entry. + +Fix up by incrementing the "value" pointer to point at the first +element of the first drc-info entry prior. + +Signed-off-by: Tyrel Datwyler +Acked-by: Bjorn Helgaas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-5-git-send-email-tyreld@linux.ibm.com +Acked-by: Michal Suchanek +--- + drivers/pci/hotplug/rpaphp_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index 18627bb21e9e..e3502644a45c 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -239,6 +239,8 @@ static int rpaphp_check_drc_props_v2(struct device_node *dn, char *drc_name, + value = of_prop_next_u32(info, NULL, &entries); + if (!value) + return -EINVAL; ++ else ++ value++; + + for (j = 0; j < entries; j++) { + of_read_drc_info_cell(&info, &value, &drc); +-- +2.23.0 + diff --git a/patches.suse/PCI-switchtec-Fix-vep_vector_number-ioread-width.patch b/patches.suse/PCI-switchtec-Fix-vep_vector_number-ioread-width.patch new file mode 100644 index 0000000..bcd8f2e --- /dev/null +++ b/patches.suse/PCI-switchtec-Fix-vep_vector_number-ioread-width.patch @@ -0,0 +1,38 @@ +From 9375646b4cf03aee81bc6c305aa18cc80b682796 Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe +Date: Mon, 6 Jan 2020 12:03:27 -0700 +Subject: [PATCH] PCI/switchtec: Fix vep_vector_number ioread width +Git-commit: 9375646b4cf03aee81bc6c305aa18cc80b682796 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +vep_vector_number is actually a 16 bit register which should be read with +ioread16() instead of ioread32(). + +Fixes: 080b47def5e5 ("MicroSemi Switchtec management interface driver") +Link: https://lore.kernel.org/r/20200106190337.2428-3-logang@deltatee.com +Reported-by: Doug Meyer +Signed-off-by: Logan Gunthorpe +Signed-off-by: Bjorn Helgaas +Acked-by: Takashi Iwai + +--- + drivers/pci/switch/switchtec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c +index 2bf670977b9c..9c3ad09d3022 100644 +--- a/drivers/pci/switch/switchtec.c ++++ b/drivers/pci/switch/switchtec.c +@@ -1276,7 +1276,7 @@ static int switchtec_init_isr(struct switchtec_dev *stdev) + if (nvecs < 0) + return nvecs; + +- event_irq = ioread32(&stdev->mmio_part_cfg->vep_vector_number); ++ event_irq = ioread16(&stdev->mmio_part_cfg->vep_vector_number); + if (event_irq < 0 || event_irq >= nvecs) + return -EFAULT; + +-- +2.16.4 + diff --git a/patches.suse/Revert-Input-synaptics-rmi4-don-t-increment-rmiaddr-.patch b/patches.suse/Revert-Input-synaptics-rmi4-don-t-increment-rmiaddr-.patch new file mode 100644 index 0000000..b91dff9 --- /dev/null +++ b/patches.suse/Revert-Input-synaptics-rmi4-don-t-increment-rmiaddr-.patch @@ -0,0 +1,54 @@ +From 8ff771f8c8d55d95f102cf88a970e541a8bd6bcf Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 16 Jan 2020 20:12:27 -0800 +Subject: [PATCH] Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers" +Git-commit: 8ff771f8c8d55d95f102cf88a970e541a8bd6bcf +Patch-mainline: v5.5 +References: bsc#1051510 + +This reverts commit a284e11c371e446371675668d8c8120a27227339. + +This causes problems (drifting cursor) with at least the F11 function that +reads more than 32 bytes. + +The real issue is in the F54 driver, and so this should be fixed there, and +not in rmi_smbus.c. + +So first revert this bad commit, then fix the real problem in F54 in another +patch. + +Signed-off-by: Hans Verkuil +Reported-by: Timo Kaufmann +Fixes: a284e11c371e ("Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200115124819.3191024-2-hverkuil-cisco@xs4all.nl +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/rmi4/rmi_smbus.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/input/rmi4/rmi_smbus.c b/drivers/input/rmi4/rmi_smbus.c +index b313c579914f..2407ea43de59 100644 +--- a/drivers/input/rmi4/rmi_smbus.c ++++ b/drivers/input/rmi4/rmi_smbus.c +@@ -163,6 +163,7 @@ static int rmi_smb_write_block(struct rmi_transport_dev *xport, u16 rmiaddr, + /* prepare to write next block of bytes */ + cur_len -= SMB_MAX_COUNT; + databuff += SMB_MAX_COUNT; ++ rmiaddr += SMB_MAX_COUNT; + } + exit: + mutex_unlock(&rmi_smb->page_mutex); +@@ -214,6 +215,7 @@ static int rmi_smb_read_block(struct rmi_transport_dev *xport, u16 rmiaddr, + /* prepare to read next block of bytes */ + cur_len -= SMB_MAX_COUNT; + databuff += SMB_MAX_COUNT; ++ rmiaddr += SMB_MAX_COUNT; + } + + retval = 0; +-- +2.16.4 + diff --git a/patches.suse/Revert-ath10k-fix-DMA-related-firmware-crashes-on-mu.patch b/patches.suse/Revert-ath10k-fix-DMA-related-firmware-crashes-on-mu.patch new file mode 100644 index 0000000..5553572 --- /dev/null +++ b/patches.suse/Revert-ath10k-fix-DMA-related-firmware-crashes-on-mu.patch @@ -0,0 +1,49 @@ +From a1769bb68a850508a492e3674ab1e5e479b11254 Mon Sep 17 00:00:00 2001 +From: Zhi Chen +Date: Tue, 14 Jan 2020 12:35:21 +0800 +Subject: [PATCH] Revert "ath10k: fix DMA related firmware crashes on multiple devices" +Git-commit: a1769bb68a850508a492e3674ab1e5e479b11254 +Patch-mainline: v5.6-rc1 +References: git-fixes + +This reverts commit 76d164f582150fd0259ec0fcbc485470bcd8033e. +PCIe hung issue was observed on multiple platforms. The issue was reproduced +when DUT was configured as AP and associated with 50+ STAs. + +For QCA9984/QCA9888, the DMA_BURST_SIZE register controls the AXI burst size +of the RD/WR access to the HOST MEM. +0 - No split , RAW read/write transfer size from MAC is put out on bus + as burst length +1 - Split at 256 byte boundary +2,3 - Reserved + +With PCIe protocol analyzer, we can see DMA Read crossing 4KB boundary when +issue happened. It broke PCIe spec and caused PCIe stuck. So revert +the default value from 0 to 1. + +Tested: IPQ8064 + QCA9984 with firmware 10.4-3.10-00047 QCS404 + QCA9984 with firmware 10.4-3.9.0.2--00044 Synaptics AS370 + QCA9888 with firmware 10.4-3.9.0.2--00040 + +Signed-off-by: Zhi Chen +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ath10k/hw.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h +index 21b7a2a873b0..775fd62fb92d 100644 +--- a/drivers/net/wireless/ath/ath10k/hw.h ++++ b/drivers/net/wireless/ath/ath10k/hw.h +@@ -816,7 +816,7 @@ ath10k_is_rssi_enable(struct ath10k_hw_params *hw, + + #define TARGET_10_4_TX_DBG_LOG_SIZE 1024 + #define TARGET_10_4_NUM_WDS_ENTRIES 32 +-#define TARGET_10_4_DMA_BURST_SIZE 0 ++#define TARGET_10_4_DMA_BURST_SIZE 1 + #define TARGET_10_4_MAC_AGGR_DELIM 0 + #define TARGET_10_4_RX_SKIP_DEFRAG_TIMEOUT_DUP_DETECTION_CHECK 1 + #define TARGET_10_4_VOW_CONFIG 0 +-- +2.16.4 + diff --git a/patches.suse/Staging-iio-adt7316-Fix-i2c-data-reading-set-the-dat.patch b/patches.suse/Staging-iio-adt7316-Fix-i2c-data-reading-set-the-dat.patch new file mode 100644 index 0000000..9c0db17 --- /dev/null +++ b/patches.suse/Staging-iio-adt7316-Fix-i2c-data-reading-set-the-dat.patch @@ -0,0 +1,39 @@ +From 688cd642ba0c393344c802647848da5f0d925d0e Mon Sep 17 00:00:00 2001 +From: Shreeya Patel +Date: Sat, 17 Nov 2018 04:19:07 +0530 +Subject: [PATCH] Staging: iio: adt7316: Fix i2c data reading, set the data field +Git-commit: 688cd642ba0c393344c802647848da5f0d925d0e +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +adt7316_i2c_read function nowhere sets the data field. +It is necessary to have an appropriate value for it. +Hence, assign the value stored in 'ret' variable to data field. + +This is an ancient bug, and as no one seems to have noticed, +probably no sense in applying it to stable. + +Signed-off-by: Shreeya Patel +Signed-off-by: Jonathan Cameron +Acked-by: Takashi Iwai + +--- + drivers/staging/iio/addac/adt7316-i2c.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/staging/iio/addac/adt7316-i2c.c b/drivers/staging/iio/addac/adt7316-i2c.c +index f66dd3ebbab1..856bcfa60c6c 100644 +--- a/drivers/staging/iio/addac/adt7316-i2c.c ++++ b/drivers/staging/iio/addac/adt7316-i2c.c +@@ -35,6 +35,8 @@ static int adt7316_i2c_read(void *client, u8 reg, u8 *data) + return ret; + } + ++ *data = ret; ++ + return 0; + } + +-- +2.16.4 + diff --git a/patches.suse/USB-atm-ueagle-atm-add-missing-endpoint-check.patch b/patches.suse/USB-atm-ueagle-atm-add-missing-endpoint-check.patch new file mode 100644 index 0000000..ce4577a --- /dev/null +++ b/patches.suse/USB-atm-ueagle-atm-add-missing-endpoint-check.patch @@ -0,0 +1,90 @@ +From 09068c1ad53fb077bdac288869dec2435420bdc4 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:25:58 +0100 +Subject: [PATCH] USB: atm: ueagle-atm: add missing endpoint check +Git-commit: 09068c1ad53fb077bdac288869dec2435420bdc4 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +Make sure that the interrupt interface has an endpoint before trying to +access its endpoint descriptors to avoid dereferencing a NULL pointer. + +The driver binds to the interrupt interface with interface number 0, but +must not assume that this interface or its current alternate setting are +the first entries in the corresponding configuration arrays. + +Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver") +Cc: stable # 2.6.16 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/atm/ueagle-atm.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/usb/atm/ueagle-atm.c ++++ b/drivers/usb/atm/ueagle-atm.c +@@ -2167,10 +2167,11 @@ resubmit: + /* + * Start the modem : init the data and start kernel thread + */ +-static int uea_boot(struct uea_softc *sc) ++static int uea_boot(struct uea_softc *sc, struct usb_interface *intf) + { +- int ret, size; + struct intr_pkt *intr; ++ int ret = -ENOMEM; ++ int size; + + uea_enters(INS_TO_USBDEV(sc)); + +@@ -2195,6 +2196,11 @@ static int uea_boot(struct uea_softc *sc + if (UEA_CHIP_VERSION(sc) == ADI930) + load_XILINX_firmware(sc); + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { ++ ret = -ENODEV; ++ goto err0; ++ } ++ + intr = kmalloc(size, GFP_KERNEL); + if (!intr) + goto err0; +@@ -2206,8 +2212,7 @@ static int uea_boot(struct uea_softc *sc + usb_fill_int_urb(sc->urb_int, sc->usb_dev, + usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE), + intr, size, uea_intr, sc, +- sc->usb_dev->actconfig->interface[0]->altsetting[0]. +- endpoint[0].desc.bInterval); ++ intf->cur_altsetting->endpoint[0].desc.bInterval); + + ret = usb_submit_urb(sc->urb_int, GFP_KERNEL); + if (ret < 0) { +@@ -2222,6 +2227,7 @@ static int uea_boot(struct uea_softc *sc + sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm"); + if (IS_ERR(sc->kthread)) { + uea_err(INS_TO_USBDEV(sc), "failed to create thread\n"); ++ ret = PTR_ERR(sc->kthread); + goto err2; + } + +@@ -2236,7 +2242,7 @@ err1: + kfree(intr); + err0: + uea_leaves(INS_TO_USBDEV(sc)); +- return -ENOMEM; ++ return ret; + } + + /* +@@ -2597,7 +2603,7 @@ static int uea_bind(struct usbatm_data * + if (ret < 0) + goto error; + +- ret = uea_boot(sc); ++ ret = uea_boot(sc, intf); + if (ret < 0) + goto error_rm_grp; + diff --git a/patches.suse/USB-serial-io_edgeport-add-missing-active-port-sanit.patch b/patches.suse/USB-serial-io_edgeport-add-missing-active-port-sanit.patch index c9eb8ac..7adbbbe 100644 --- a/patches.suse/USB-serial-io_edgeport-add-missing-active-port-sanit.patch +++ b/patches.suse/USB-serial-io_edgeport-add-missing-active-port-sanit.patch @@ -23,7 +23,7 @@ Acked-by: Takashi Iwai --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c -@@ -1733,7 +1733,8 @@ static void edge_break(struct tty_struct +@@ -1738,7 +1738,8 @@ static void edge_break(struct tty_struct static void process_rcvd_data(struct edgeport_serial *edge_serial, unsigned char *buffer, __u16 bufferLength) { @@ -33,7 +33,7 @@ Acked-by: Takashi Iwai struct usb_serial_port *port; struct edgeport_port *edge_port; __u16 lastBufferLength; -@@ -1838,9 +1839,8 @@ static void process_rcvd_data(struct edg +@@ -1843,9 +1844,8 @@ static void process_rcvd_data(struct edg /* spit this data back into the tty driver if this port is open */ @@ -43,9 +43,9 @@ Acked-by: Takashi Iwai + if (rxLen && edge_serial->rxPort < serial->num_ports) { + port = serial->port[edge_serial->rxPort]; edge_port = usb_get_serial_port_data(port); - if (edge_port->open) { + if (edge_port && edge_port->open) { dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n", -@@ -1850,8 +1850,8 @@ static void process_rcvd_data(struct edg +@@ -1855,8 +1855,8 @@ static void process_rcvd_data(struct edg rxLen); edge_port->port->icount.rx += rxLen; } @@ -55,7 +55,7 @@ Acked-by: Takashi Iwai break; case EXPECT_HDR3: /* Expect 3rd byte of status header */ -@@ -1886,6 +1886,8 @@ static void process_rcvd_status(struct e +@@ -1891,6 +1891,8 @@ static void process_rcvd_status(struct e __u8 code = edge_serial->rxStatusCode; /* switch the port pointer to the one being currently talked about */ diff --git a/patches.suse/USB-serial-io_edgeport-handle-unbound-ports-on-URB-c.patch b/patches.suse/USB-serial-io_edgeport-handle-unbound-ports-on-URB-c.patch new file mode 100644 index 0000000..455dc44 --- /dev/null +++ b/patches.suse/USB-serial-io_edgeport-handle-unbound-ports-on-URB-c.patch @@ -0,0 +1,44 @@ +From e37d1aeda737a20b1846a91a3da3f8b0f00cf690 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Jan 2020 10:50:23 +0100 +Subject: [PATCH] USB: serial: io_edgeport: handle unbound ports on URB completion +Git-commit: e37d1aeda737a20b1846a91a3da3f8b0f00cf690 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +Check for NULL port data in the shared interrupt and bulk completion +callbacks to avoid dereferencing a NULL pointer in case a device sends +data for a port device which isn't bound to a driver (e.g. due to a +malicious device having unexpected endpoints or after an allocation +failure on port probe). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Acked-by: Takashi Iwai + +--- + drivers/usb/serial/io_edgeport.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -720,7 +720,7 @@ static void edge_interrupt_callback(stru + if (txCredits) { + port = edge_serial->serial->port[portNumber]; + edge_port = usb_get_serial_port_data(port); +- if (edge_port->open) { ++ if (edge_port && edge_port->open) { + spin_lock_irqsave(&edge_port->ep_lock, + flags); + edge_port->txCredits += txCredits; +@@ -1847,7 +1847,7 @@ static void process_rcvd_data(struct edg + port = edge_serial->serial->port[ + edge_serial->rxPort]; + edge_port = usb_get_serial_port_data(port); +- if (edge_port->open) { ++ if (edge_port && edge_port->open) { + dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n", + __func__, rxLen, + edge_serial->rxPort); diff --git a/patches.suse/USB-serial-io_edgeport-use-irqsave-in-USB-s-complete.patch b/patches.suse/USB-serial-io_edgeport-use-irqsave-in-USB-s-complete.patch new file mode 100644 index 0000000..3c93fae --- /dev/null +++ b/patches.suse/USB-serial-io_edgeport-use-irqsave-in-USB-s-complete.patch @@ -0,0 +1,99 @@ +From dd1fae527612543e560e84f2eba4f6ef2006ac55 Mon Sep 17 00:00:00 2001 +From: John Ogness +Date: Sun, 24 Jun 2018 00:32:06 +0200 +Subject: [PATCH] USB: serial: io_edgeport: use irqsave() in USB's complete callback +Git-commit: dd1fae527612543e560e84f2eba4f6ef2006ac55 +Patch-mainline: v4.19-rc1 +References: bsc#1051510 + +The USB completion callback does not disable interrupts while acquiring +the lock. We want to remove the local_irq_disable() invocation from +__usb_hcd_giveback_urb() and therefore it is required for the callback +handler to disable the interrupts while acquiring the lock. +The callback may be invoked either in IRQ or BH context depending on the +USB host controller. +Use the _irqsave() variant of the locking primitives. + +Signed-off-by: John Ogness +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Johan Hovold +Acked-by: Takashi Iwai + +--- + drivers/usb/serial/io_edgeport.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c +index 17283f4b4779..97c69d373ca6 100644 +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -648,6 +648,7 @@ static void edge_interrupt_callback(struct urb *urb) + struct usb_serial_port *port; + unsigned char *data = urb->transfer_buffer; + int length = urb->actual_length; ++ unsigned long flags; + int bytes_avail; + int position; + int txCredits; +@@ -679,7 +680,7 @@ static void edge_interrupt_callback(struct urb *urb) + if (length > 1) { + bytes_avail = data[0] | (data[1] << 8); + if (bytes_avail) { +- spin_lock(&edge_serial->es_lock); ++ spin_lock_irqsave(&edge_serial->es_lock, flags); + edge_serial->rxBytesAvail += bytes_avail; + dev_dbg(dev, + "%s - bytes_avail=%d, rxBytesAvail=%d, read_in_progress=%d\n", +@@ -702,7 +703,8 @@ static void edge_interrupt_callback(struct urb *urb) + edge_serial->read_in_progress = false; + } + } +- spin_unlock(&edge_serial->es_lock); ++ spin_unlock_irqrestore(&edge_serial->es_lock, ++ flags); + } + } + /* grab the txcredits for the ports if available */ +@@ -715,9 +717,11 @@ static void edge_interrupt_callback(struct urb *urb) + port = edge_serial->serial->port[portNumber]; + edge_port = usb_get_serial_port_data(port); + if (edge_port->open) { +- spin_lock(&edge_port->ep_lock); ++ spin_lock_irqsave(&edge_port->ep_lock, ++ flags); + edge_port->txCredits += txCredits; +- spin_unlock(&edge_port->ep_lock); ++ spin_unlock_irqrestore(&edge_port->ep_lock, ++ flags); + dev_dbg(dev, "%s - txcredits for port%d = %d\n", + __func__, portNumber, + edge_port->txCredits); +@@ -758,6 +762,7 @@ static void edge_bulk_in_callback(struct urb *urb) + int retval; + __u16 raw_data_length; + int status = urb->status; ++ unsigned long flags; + + if (status) { + dev_dbg(&urb->dev->dev, "%s - nonzero read bulk status received: %d\n", +@@ -777,7 +782,7 @@ static void edge_bulk_in_callback(struct urb *urb) + + usb_serial_debug_data(dev, __func__, raw_data_length, data); + +- spin_lock(&edge_serial->es_lock); ++ spin_lock_irqsave(&edge_serial->es_lock, flags); + + /* decrement our rxBytes available by the number that we just got */ + edge_serial->rxBytesAvail -= raw_data_length; +@@ -801,7 +806,7 @@ static void edge_bulk_in_callback(struct urb *urb) + edge_serial->read_in_progress = false; + } + +- spin_unlock(&edge_serial->es_lock); ++ spin_unlock_irqrestore(&edge_serial->es_lock, flags); + } + + +-- +2.16.4 + diff --git a/patches.suse/USB-serial-ir-usb-add-missing-endpoint-sanity-check.patch b/patches.suse/USB-serial-ir-usb-add-missing-endpoint-sanity-check.patch new file mode 100644 index 0000000..9e0e02b --- /dev/null +++ b/patches.suse/USB-serial-ir-usb-add-missing-endpoint-sanity-check.patch @@ -0,0 +1,44 @@ +From 2988a8ae7476fe9535ab620320790d1714bdad1d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Jan 2020 11:15:26 +0100 +Subject: [PATCH] USB: serial: ir-usb: add missing endpoint sanity check +Git-commit: 2988a8ae7476fe9535ab620320790d1714bdad1d +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Add missing endpoint sanity check to avoid dereferencing a NULL-pointer +on open() in case a device lacks a bulk-out endpoint. + +Note that prior to commit f4a4cbb2047e ("USB: ir-usb: reimplement using +generic framework") the oops would instead happen on open() if the +device lacked a bulk-in endpoint and on write() if it lacked a bulk-out +endpoint. + +Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Acked-by: Takashi Iwai + +--- + drivers/usb/serial/ir-usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/serial/ir-usb.c b/drivers/usb/serial/ir-usb.c +index 302eb9530859..c3b06fc5a7f0 100644 +--- a/drivers/usb/serial/ir-usb.c ++++ b/drivers/usb/serial/ir-usb.c +@@ -195,6 +195,9 @@ static int ir_startup(struct usb_serial *serial) + struct usb_irda_cs_descriptor *irda_desc; + int rates; + ++ if (serial->num_bulk_in < 1 || serial->num_bulk_out < 1) ++ return -ENODEV; ++ + irda_desc = irda_usb_find_class_desc(serial, 0); + if (!irda_desc) { + dev_err(&serial->dev->dev, +-- +2.16.4 + diff --git a/patches.suse/USB-serial-ir-usb-fix-IrLAP-framing.patch b/patches.suse/USB-serial-ir-usb-fix-IrLAP-framing.patch new file mode 100644 index 0000000..41b5ec4 --- /dev/null +++ b/patches.suse/USB-serial-ir-usb-fix-IrLAP-framing.patch @@ -0,0 +1,177 @@ +From 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Jan 2020 11:15:28 +0100 +Subject: [PATCH] USB: serial: ir-usb: fix IrLAP framing +Git-commit: 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Commit f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework") +switched to using the generic write implementation which may combine +multiple write requests into larger transfers. This can break the IrLAP +protocol where end-of-frame is determined using the USB short packet +mechanism, for example, if multiple frames are sent in rapid succession. + +Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework") +Cc: stable # 2.6.35 +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Acked-by: Takashi Iwai + +--- + drivers/usb/serial/ir-usb.c | 113 +++++++++++++++++++++++++++++++++++--------- + 1 file changed, 91 insertions(+), 22 deletions(-) + +diff --git a/drivers/usb/serial/ir-usb.c b/drivers/usb/serial/ir-usb.c +index 26eab1307165..627bea7e6cfb 100644 +--- a/drivers/usb/serial/ir-usb.c ++++ b/drivers/usb/serial/ir-usb.c +@@ -45,9 +45,10 @@ static int buffer_size; + static int xbof = -1; + + static int ir_startup (struct usb_serial *serial); +-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port); +-static int ir_prepare_write_buffer(struct usb_serial_port *port, +- void *dest, size_t size); ++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port, ++ const unsigned char *buf, int count); ++static int ir_write_room(struct tty_struct *tty); ++static void ir_write_bulk_callback(struct urb *urb); + static void ir_process_read_urb(struct urb *urb); + static void ir_set_termios(struct tty_struct *tty, + struct usb_serial_port *port, struct ktermios *old_termios); +@@ -77,8 +78,9 @@ static struct usb_serial_driver ir_device = { + .num_ports = 1, + .set_termios = ir_set_termios, + .attach = ir_startup, +- .open = ir_open, +- .prepare_write_buffer = ir_prepare_write_buffer, ++ .write = ir_write, ++ .write_room = ir_write_room, ++ .write_bulk_callback = ir_write_bulk_callback, + .process_read_urb = ir_process_read_urb, + }; + +@@ -254,35 +256,102 @@ static int ir_startup(struct usb_serial *serial) + return 0; + } + +-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port) ++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port, ++ const unsigned char *buf, int count) + { +- int i; ++ struct urb *urb = NULL; ++ unsigned long flags; ++ int ret; + +- for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i) +- port->write_urbs[i]->transfer_flags = URB_ZERO_PACKET; ++ if (port->bulk_out_size == 0) ++ return -EINVAL; + +- /* Start reading from the device */ +- return usb_serial_generic_open(tty, port); +-} ++ if (count == 0) ++ return 0; + +-static int ir_prepare_write_buffer(struct usb_serial_port *port, +- void *dest, size_t size) +-{ +- unsigned char *buf = dest; +- int count; ++ count = min(count, port->bulk_out_size - 1); ++ ++ spin_lock_irqsave(&port->lock, flags); ++ if (__test_and_clear_bit(0, &port->write_urbs_free)) { ++ urb = port->write_urbs[0]; ++ port->tx_bytes += count; ++ } ++ spin_unlock_irqrestore(&port->lock, flags); ++ ++ if (!urb) ++ return 0; + + /* + * The first byte of the packet we send to the device contains an +- * inbound header which indicates an additional number of BOFs and ++ * outbound header which indicates an additional number of BOFs and + * a baud rate change. + * + * See section 5.4.2.2 of the USB IrDA spec. + */ +- *buf = ir_xbof | ir_baud; ++ *(u8 *)urb->transfer_buffer = ir_xbof | ir_baud; ++ ++ memcpy(urb->transfer_buffer + 1, buf, count); ++ ++ urb->transfer_buffer_length = count + 1; ++ urb->transfer_flags = URB_ZERO_PACKET; ++ ++ ret = usb_submit_urb(urb, GFP_ATOMIC); ++ if (ret) { ++ dev_err(&port->dev, "failed to submit write urb: %d\n", ret); ++ ++ spin_lock_irqsave(&port->lock, flags); ++ __set_bit(0, &port->write_urbs_free); ++ port->tx_bytes -= count; ++ spin_unlock_irqrestore(&port->lock, flags); ++ ++ return ret; ++ } ++ ++ return count; ++} ++ ++static void ir_write_bulk_callback(struct urb *urb) ++{ ++ struct usb_serial_port *port = urb->context; ++ int status = urb->status; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&port->lock, flags); ++ __set_bit(0, &port->write_urbs_free); ++ port->tx_bytes -= urb->transfer_buffer_length - 1; ++ spin_unlock_irqrestore(&port->lock, flags); ++ ++ switch (status) { ++ case 0: ++ break; ++ case -ENOENT: ++ case -ECONNRESET: ++ case -ESHUTDOWN: ++ dev_dbg(&port->dev, "write urb stopped: %d\n", status); ++ return; ++ case -EPIPE: ++ dev_err(&port->dev, "write urb stopped: %d\n", status); ++ return; ++ default: ++ dev_err(&port->dev, "nonzero write-urb status: %d\n", status); ++ break; ++ } ++ ++ usb_serial_port_softint(port); ++} ++ ++static int ir_write_room(struct tty_struct *tty) ++{ ++ struct usb_serial_port *port = tty->driver_data; ++ int count = 0; ++ ++ if (port->bulk_out_size == 0) ++ return 0; ++ ++ if (test_bit(0, &port->write_urbs_free)) ++ count = port->bulk_out_size - 1; + +- count = kfifo_out_locked(&port->write_fifo, buf + 1, size - 1, +- &port->lock); +- return count + 1; ++ return count; + } + + static void ir_process_read_urb(struct urb *urb) +-- +2.16.4 + diff --git a/patches.suse/USB-serial-ir-usb-fix-link-speed-handling.patch b/patches.suse/USB-serial-ir-usb-fix-link-speed-handling.patch new file mode 100644 index 0000000..3e152da --- /dev/null +++ b/patches.suse/USB-serial-ir-usb-fix-link-speed-handling.patch @@ -0,0 +1,108 @@ +From 17a0184ca17e288decdca8b2841531e34d49285f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Jan 2020 11:15:27 +0100 +Subject: [PATCH] USB: serial: ir-usb: fix link-speed handling +Git-commit: 17a0184ca17e288decdca8b2841531e34d49285f +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Commit e0d795e4f36c ("usb: irda: cleanup on ir-usb module") added a USB +IrDA header with common defines, but mistakingly switched to using the +class-descriptor baud-rate bitmask values for the outbound header. + +This broke link-speed handling for rates above 9600 baud, but a device +would also be able to operate at the default 9600 baud until a +link-speed request was issued (e.g. using the TCGETS ioctl). + +Fixes: e0d795e4f36c ("usb: irda: cleanup on ir-usb module") +Cc: stable # 2.6.27 +Cc: Felipe Balbi +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Acked-by: Takashi Iwai + +--- + drivers/usb/serial/ir-usb.c | 20 ++++++++++---------- + include/linux/usb/irda.h | 13 ++++++++++++- + 2 files changed, 22 insertions(+), 11 deletions(-) + +diff --git a/drivers/usb/serial/ir-usb.c b/drivers/usb/serial/ir-usb.c +index c3b06fc5a7f0..26eab1307165 100644 +--- a/drivers/usb/serial/ir-usb.c ++++ b/drivers/usb/serial/ir-usb.c +@@ -335,34 +335,34 @@ static void ir_set_termios(struct tty_struct *tty, + + switch (baud) { + case 2400: +- ir_baud = USB_IRDA_BR_2400; ++ ir_baud = USB_IRDA_LS_2400; + break; + case 9600: +- ir_baud = USB_IRDA_BR_9600; ++ ir_baud = USB_IRDA_LS_9600; + break; + case 19200: +- ir_baud = USB_IRDA_BR_19200; ++ ir_baud = USB_IRDA_LS_19200; + break; + case 38400: +- ir_baud = USB_IRDA_BR_38400; ++ ir_baud = USB_IRDA_LS_38400; + break; + case 57600: +- ir_baud = USB_IRDA_BR_57600; ++ ir_baud = USB_IRDA_LS_57600; + break; + case 115200: +- ir_baud = USB_IRDA_BR_115200; ++ ir_baud = USB_IRDA_LS_115200; + break; + case 576000: +- ir_baud = USB_IRDA_BR_576000; ++ ir_baud = USB_IRDA_LS_576000; + break; + case 1152000: +- ir_baud = USB_IRDA_BR_1152000; ++ ir_baud = USB_IRDA_LS_1152000; + break; + case 4000000: +- ir_baud = USB_IRDA_BR_4000000; ++ ir_baud = USB_IRDA_LS_4000000; + break; + default: +- ir_baud = USB_IRDA_BR_9600; ++ ir_baud = USB_IRDA_LS_9600; + baud = 9600; + } + +diff --git a/include/linux/usb/irda.h b/include/linux/usb/irda.h +index 396d2b043e64..556a801efce3 100644 +--- a/include/linux/usb/irda.h ++++ b/include/linux/usb/irda.h +@@ -119,11 +119,22 @@ struct usb_irda_cs_descriptor { + * 6 - 115200 bps + * 7 - 576000 bps + * 8 - 1.152 Mbps +- * 9 - 5 mbps ++ * 9 - 4 Mbps + * 10..15 - Reserved + */ + #define USB_IRDA_STATUS_LINK_SPEED 0x0f + ++#define USB_IRDA_LS_NO_CHANGE 0 ++#define USB_IRDA_LS_2400 1 ++#define USB_IRDA_LS_9600 2 ++#define USB_IRDA_LS_19200 3 ++#define USB_IRDA_LS_38400 4 ++#define USB_IRDA_LS_57600 5 ++#define USB_IRDA_LS_115200 6 ++#define USB_IRDA_LS_576000 7 ++#define USB_IRDA_LS_1152000 8 ++#define USB_IRDA_LS_4000000 9 ++ + /* The following is a 4-bit value used only for + * outbound header: + * +-- +2.16.4 + diff --git a/patches.suse/USB-serial-option-Add-support-for-Quectel-RM500Q.patch b/patches.suse/USB-serial-option-Add-support-for-Quectel-RM500Q.patch new file mode 100644 index 0000000..c8d4b9f --- /dev/null +++ b/patches.suse/USB-serial-option-Add-support-for-Quectel-RM500Q.patch @@ -0,0 +1,357 @@ +From accf227de4d211b52c830a58b2df00d5739f2389 Mon Sep 17 00:00:00 2001 +From: Kristian Evensen +Date: Mon, 13 Jan 2020 15:14:05 +0100 +Subject: [PATCH] USB: serial: option: Add support for Quectel RM500Q +Git-commit: accf227de4d211b52c830a58b2df00d5739f2389 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +RM500Q is a 5G module from Quectel, supporting both standalone and +non-standalone modes. Unlike other recent Quectel modems, it is possible +to identify the diagnostic interface (bInterfaceProtocol is unique). +Thus, there is no need to check for the number of endpoints or reserve +interfaces. The interface number is still dynamic though, so matching on +interface number is not possible and two entries have to be added to the +table. + +Output from usb-devices with all interfaces enabled (order is diag, +nmea, at_port, modem, rmnet and adb): + +Bus 004 Device 007: ID 2c7c:0800 Quectel Wireless Solutions Co., Ltd. +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 3.20 + bDeviceClass 0 (Defined at Interface level) + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 9 + idVendor 0x2c7c Quectel Wireless Solutions Co., Ltd. + idProduct 0x0800 + bcdDevice 4.14 + iManufacturer 1 Quectel + iProduct 2 LTE-A Module + iSerial 3 40046d60 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 328 + bNumInterfaces 6 + bConfigurationValue 1 + iConfiguration 4 DIAG_SER_RMNET + bmAttributes 0xa0 + (Bus Powered) + Remote Wakeup + MaxPower 224mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 255 Vendor Specific Subclass + bInterfaceProtocol 48 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x01 EP 1 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 3 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + ** UNRECOGNIZED: 05 24 00 10 01 + ** UNRECOGNIZED: 05 24 01 00 00 + ** UNRECOGNIZED: 04 24 02 02 + ** UNRECOGNIZED: 05 24 06 00 00 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x83 EP 3 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x000a 1x 10 bytes + bInterval 9 + bMaxBurst 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 2 + bAlternateSetting 0 + bNumEndpoints 3 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + ** UNRECOGNIZED: 05 24 00 10 01 + ** UNRECOGNIZED: 05 24 01 00 00 + ** UNRECOGNIZED: 04 24 02 02 + ** UNRECOGNIZED: 05 24 06 00 00 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x85 EP 5 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x000a 1x 10 bytes + bInterval 9 + bMaxBurst 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x84 EP 4 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x03 EP 3 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 3 + bAlternateSetting 0 + bNumEndpoints 3 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + ** UNRECOGNIZED: 05 24 00 10 01 + ** UNRECOGNIZED: 05 24 01 00 00 + ** UNRECOGNIZED: 04 24 02 02 + ** UNRECOGNIZED: 05 24 06 00 00 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x87 EP 7 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x000a 1x 10 bytes + bInterval 9 + bMaxBurst 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x86 EP 6 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x04 EP 4 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 4 + bAlternateSetting 0 + bNumEndpoints 3 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 255 Vendor Specific Subclass + bInterfaceProtocol 255 Vendor Specific Protocol + iInterface 5 CDEV Serial + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x88 EP 8 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x0008 1x 8 bytes + bInterval 9 + bMaxBurst 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x8e EP 14 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 6 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x0f EP 15 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 2 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 5 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 66 + bInterfaceProtocol 1 + iInterface 6 ADB Interface + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x05 EP 5 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x89 EP 9 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 0 + bMaxBurst 0 +Binary Object Store Descriptor: + bLength 5 + bDescriptorType 15 + wTotalLength 42 + bNumDeviceCaps 3 + USB 2.0 Extension Device Capability: + bLength 7 + bDescriptorType 16 + bDevCapabilityType 2 + bmAttributes 0x00000006 + Link Power Management (LPM) Supported + SuperSpeed USB Device Capability: + bLength 10 + bDescriptorType 16 + bDevCapabilityType 3 + bmAttributes 0x00 + wSpeedsSupported 0x000f + Device can operate at Low Speed (1Mbps) + Device can operate at Full Speed (12Mbps) + Device can operate at High Speed (480Mbps) + Device can operate at SuperSpeed (5Gbps) + bFunctionalitySupport 1 + Lowest fully-functional device speed is Full Speed (12Mbps) + bU1DevExitLat 1 micro seconds + bU2DevExitLat 500 micro seconds + ** UNRECOGNIZED: 14 10 0a 00 01 00 00 00 00 11 00 00 30 40 0a 00 b0 40 0a 00 +Device Status: 0x0000 + (Bus Powered) + +Signed-off-by: Kristian Evensen +Cc: stable +Signed-off-by: Johan Hovold +Acked-by: Takashi Iwai + +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 2d919d0e6e45..62bad1b2c18e 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -248,6 +248,7 @@ static void option_instat_callback(struct urb *urb); + #define QUECTEL_PRODUCT_BG96 0x0296 + #define QUECTEL_PRODUCT_EP06 0x0306 + #define QUECTEL_PRODUCT_EM12 0x0512 ++#define QUECTEL_PRODUCT_RM500Q 0x0800 + + #define CMOTECH_VENDOR_ID 0x16d8 + #define CMOTECH_PRODUCT_6001 0x6001 +@@ -1104,6 +1105,9 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0xff, 0xff), + .driver_info = RSVD(1) | RSVD(2) | RSVD(3) | RSVD(4) | NUMEP2 }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0, 0) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) }, ++ + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003), +-- +2.16.4 + diff --git a/patches.suse/USB-serial-simple-Add-Motorola-Solutions-TETRA-MTP3x.patch b/patches.suse/USB-serial-simple-Add-Motorola-Solutions-TETRA-MTP3x.patch new file mode 100644 index 0000000..e32ec60 --- /dev/null +++ b/patches.suse/USB-serial-simple-Add-Motorola-Solutions-TETRA-MTP3x.patch @@ -0,0 +1,215 @@ +From 260e41ac4dd3e5acb90be624c03ba7f019615b75 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jer=C3=B3nimo=20Borque?= +Date: Thu, 9 Jan 2020 12:23:34 -0300 +Subject: [PATCH] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 260e41ac4dd3e5acb90be624c03ba7f019615b75 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +Add device-ids for the Motorola Solutions TETRA radios MTP3xxx series +and MTP85xx series + +$ lsusb -vd 0cad: + +Bus 001 Device 009: ID 0cad:9015 Motorola CGISS TETRA PEI interface +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 0 + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 64 + idVendor 0x0cad Motorola CGISS + idProduct 0x9015 + bcdDevice 24.16 + iManufacturer 1 + iProduct 2 + iSerial 0 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 0x0037 + bNumInterfaces 2 + bConfigurationValue 1 + iConfiguration 3 + bmAttributes 0x80 + (Bus Powered) + MaxPower 500mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x01 EP 1 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + +Bus 001 Device 010: ID 0cad:9013 Motorola CGISS TETRA PEI interface +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 0 + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 64 + idVendor 0x0cad Motorola CGISS + idProduct 0x9013 + bcdDevice 24.16 + iManufacturer 1 + iProduct 2 + iSerial 0 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 0x0037 + bNumInterfaces 2 + bConfigurationValue 1 + iConfiguration 3 + bmAttributes 0x80 + (Bus Powered) + MaxPower 500mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x01 EP 1 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 + +Signed-off-by: Jerónimo Borque +Cc: stable +Signed-off-by: Johan Hovold +Acked-by: Takashi Iwai + +--- + drivers/usb/serial/usb-serial-simple.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c +index edbbb13d6de6..bd23a7cb1be2 100644 +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -86,6 +86,8 @@ DEVICE(moto_modem, MOTO_IDS); + #define MOTOROLA_TETRA_IDS() \ + { USB_DEVICE(0x0cad, 0x9011) }, /* Motorola Solutions TETRA PEI */ \ + { USB_DEVICE(0x0cad, 0x9012) }, /* MTP6550 */ \ ++ { USB_DEVICE(0x0cad, 0x9013) }, /* MTP3xxx */ \ ++ { USB_DEVICE(0x0cad, 0x9015) }, /* MTP85xx */ \ + { USB_DEVICE(0x0cad, 0x9016) } /* TPG2200 */ + DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS); + +-- +2.16.4 + diff --git a/patches.suse/acpi-watchdog-allow-disabling-wdat-at-boot.patch b/patches.suse/acpi-watchdog-allow-disabling-wdat-at-boot.patch new file mode 100644 index 0000000..701204f --- /dev/null +++ b/patches.suse/acpi-watchdog-allow-disabling-wdat-at-boot.patch @@ -0,0 +1,65 @@ +From: Jean Delvare +Date: Thu, 6 Feb 2020 16:58:45 +0100 +Subject: ACPI: watchdog: Allow disabling WDAT at boot +Patch-mainline: Queued in subsystem maintainer repository +Git-commit: 3f9e12e0df012c4a9a7fd7eb0d3ae69b459d6b2c +Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm.git +References: bsc#1162557 + +In case the WDAT interface is broken, give the user an option to +ignore it to let a native driver bind to the watchdog device instead. + +Signed-off-by: Jean Delvare +Acked-by: Mika Westerberg +Signed-off-by: Rafael J. Wysocki +--- + Documentation/admin-guide/kernel-parameters.txt | 4 ++++ + drivers/acpi/acpi_watchdog.c | 12 +++++++++++- + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -136,6 +136,10 @@ + dynamic table installation which will install SSDT + tables to /sys/firmware/acpi/tables/dynamic. + ++ acpi_no_watchdog [HW,ACPI,WDT] ++ Ignore the ACPI-based watchdog interface (WDAT) and let ++ a native driver control the watchdog device instead. ++ + acpi_rsdp= [ACPI,EFI,KEXEC] + Pass the RSDP address to the kernel, mostly used + on machines running EFI runtime service to boot the +--- a/drivers/acpi/acpi_watchdog.c ++++ b/drivers/acpi/acpi_watchdog.c +@@ -58,12 +58,14 @@ static bool acpi_watchdog_uses_rtc(const + } + #endif + ++static bool acpi_no_watchdog; ++ + static const struct acpi_table_wdat *acpi_watchdog_get_wdat(void) + { + const struct acpi_table_wdat *wdat = NULL; + acpi_status status; + +- if (acpi_disabled) ++ if (acpi_disabled || acpi_no_watchdog) + return NULL; + + status = acpi_get_table(ACPI_SIG_WDAT, 0, +@@ -91,6 +93,14 @@ bool acpi_has_watchdog(void) + } + EXPORT_SYMBOL_GPL(acpi_has_watchdog); + ++/* ACPI watchdog can be disabled on boot command line */ ++static int __init disable_acpi_watchdog(char *str) ++{ ++ acpi_no_watchdog = true; ++ return 1; ++} ++__setup("acpi_no_watchdog", disable_acpi_watchdog); ++ + void __init acpi_watchdog_init(void) + { + const struct acpi_wdat_entry *entries; diff --git a/patches.suse/acpi-watchdog-fix-init-failure-with-overlapping-register.patch b/patches.suse/acpi-watchdog-fix-init-failure-with-overlapping-register.patch new file mode 100644 index 0000000..8c60959 --- /dev/null +++ b/patches.suse/acpi-watchdog-fix-init-failure-with-overlapping-register.patch @@ -0,0 +1,37 @@ +From: Ryan Kennedy +Date: Sat, 15 Jul 2017 17:48:18 -0400 +Subject: ACPI / watchdog: Fix init failure with overlapping register regions +Patch-mainline: v4.13 +Git-commit: 31e86cb99a3af0653f0e317fdd9c05b530c70af8 +References: bsc#1162557 + +Partially overlapping regions cause platform device creation +to fail. The latter of two overlapping resources will fail to be +reserved. Fix this by merging overlapping resource ranges while +enumerating WDAT table entries. + +Signed-off-by: Ryan Kennedy +Acked-by: Mika Westerberg +Signed-off-by: Rafael J. Wysocki +Acked-by: Jean Delvare + +--- + drivers/acpi/acpi_watchdog.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/acpi_watchdog.c ++++ b/drivers/acpi/acpi_watchdog.c +@@ -86,7 +86,12 @@ void __init acpi_watchdog_init(void) + + found = false; + resource_list_for_each_entry(rentry, &resource_list) { +- if (resource_contains(rentry->res, &res)) { ++ if (rentry->res->flags == res.flags && ++ resource_overlaps(rentry->res, &res)) { ++ if (res.start < rentry->res->start) ++ rentry->res->start = res.start; ++ if (res.end > rentry->res->end) ++ rentry->res->end = res.end; + found = true; + break; + } diff --git a/patches.suse/acpi-watchdog-set-default-timeout-in-probe.patch b/patches.suse/acpi-watchdog-set-default-timeout-in-probe.patch new file mode 100644 index 0000000..5d253b5 --- /dev/null +++ b/patches.suse/acpi-watchdog-set-default-timeout-in-probe.patch @@ -0,0 +1,58 @@ +From: Mika Westerberg +Subject: ACPI / watchdog: Set default timeout in probe +Date: Wed, 12 Feb 2020 17:59:41 +0300 +Patch-mainline: Submitted by Mika Westerberg 2020-02-12 +References: bsc#1162557 + +If the BIOS default timeout for the watchdog is too small userspace may +not have enough time to configure new timeout after opening the device +before the system is already reset. For this reason program default +timeout of 30 seconds in the driver probe and allow userspace to change +this from command line or through module parameter (wdat_wdt.timeout). + +Reported-by: Jean Delvare +Signed-off-by: Mika Westerberg +Acked-by: Jean Delvare +--- + drivers/watchdog/wdat_wdt.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/watchdog/wdat_wdt.c ++++ b/drivers/watchdog/wdat_wdt.c +@@ -57,6 +57,13 @@ module_param(nowayout, bool, 0); + MODULE_PARM_DESC(nowayout, "Watchdog cannot be stopped once started (default=" + __MODULE_STRING(WATCHDOG_NOWAYOUT) ")"); + ++#define WDAT_DEFAULT_TIMEOUT 30 ++ ++static int timeout = WDAT_DEFAULT_TIMEOUT; ++module_param(timeout, int, 0); ++MODULE_PARM_DESC(timeout, "Watchdog timeout in seconds (default=" ++ __MODULE_STRING(WDAT_DEFAULT_TIMEOUT) ")"); ++ + static int wdat_wdt_read(struct wdat_wdt *wdat, + const struct wdat_instruction *instr, u32 *value) + { +@@ -440,6 +447,22 @@ static int wdat_wdt_probe(struct platfor + + platform_set_drvdata(pdev, wdat); + ++ /* ++ * Set initial timeout so that userspace has time to configure the ++ * watchdog properly after it has opened the device. In some cases ++ * the BIOS default is too short and causes immediate reboot. ++ */ ++ if (timeout * 1000 < wdat->wdd.min_hw_heartbeat_ms || ++ timeout * 1000 > wdat->wdd.max_hw_heartbeat_ms) { ++ dev_warn(&pdev->dev, "Invalid timeout %d given, using %d\n", ++ timeout, WDAT_DEFAULT_TIMEOUT); ++ timeout = WDAT_DEFAULT_TIMEOUT; ++ } ++ ++ ret = wdat_wdt_set_timeout(&wdat->wdd, timeout); ++ if (ret) ++ return ret; ++ + watchdog_set_nowayout(&wdat->wdd, nowayout); + return devm_watchdog_register_device(&pdev->dev, &wdat->wdd); + } diff --git a/patches.suse/af_packet-set-defaule-value-for-tmo.patch b/patches.suse/af_packet-set-defaule-value-for-tmo.patch new file mode 100644 index 0000000..0ec5a93 --- /dev/null +++ b/patches.suse/af_packet-set-defaule-value-for-tmo.patch @@ -0,0 +1,59 @@ +From b43d1f9f7067c6759b1051e8ecb84e82cef569fe Mon Sep 17 00:00:00 2001 +From: Mao Wenan +Date: Mon, 9 Dec 2019 21:31:25 +0800 +Subject: [PATCH] af_packet: set defaule value for tmo +Git-commit: b43d1f9f7067c6759b1051e8ecb84e82cef569fe +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +There is softlockup when using TPACKET_V3: +... +NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms! +(__irq_svc) from [] (_raw_spin_unlock_irqrestore+0x44/0x54) +(_raw_spin_unlock_irqrestore) from [] (mod_timer+0x210/0x25c) +(mod_timer) from [] +(prb_retire_rx_blk_timer_expired+0x68/0x11c) +(prb_retire_rx_blk_timer_expired) from [] +(call_timer_fn+0x90/0x17c) +(call_timer_fn) from [] (run_timer_softirq+0x2d4/0x2fc) +(run_timer_softirq) from [] (__do_softirq+0x218/0x318) +(__do_softirq) from [] (irq_exit+0x88/0xac) +(irq_exit) from [] (msa_irq_exit+0x11c/0x1d4) +(msa_irq_exit) from [] (handle_IPI+0x650/0x7f4) +(handle_IPI) from [] (gic_handle_irq+0x108/0x118) +(gic_handle_irq) from [] (__irq_usr+0x44/0x5c) +... + +If __ethtool_get_link_ksettings() is failed in +prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies +is zero and the timer expire for retire_blk_timer is turn to +mod_timer(&pkc->retire_blk_timer, jiffies + 0), +which will trigger cpu usage of softirq is 100%. + +Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") +Tested-by: Xiao Jiangfeng +Signed-off-by: Mao Wenan +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + net/packet/af_packet.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 53c1d41fb1c9..118cd66b7516 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -544,7 +544,8 @@ static int prb_calc_retire_blk_tmo(struct packet_sock *po, + msec = 1; + div = ecmd.base.speed / 1000; + } +- } ++ } else ++ return DEFAULT_PRB_RETIRE_TOV; + + mbits = (blk_size_in_bytes * 8) / (1024 * 1024); + +-- +2.16.4 + diff --git a/patches.suse/arm64-Revert-support-for-execute-only-user-mappings.patch b/patches.suse/arm64-Revert-support-for-execute-only-user-mappings.patch new file mode 100644 index 0000000..c76f57b --- /dev/null +++ b/patches.suse/arm64-Revert-support-for-execute-only-user-mappings.patch @@ -0,0 +1,112 @@ +From: Catalin Marinas +Date: Mon, 6 Jan 2020 14:35:39 +0000 +Subject: arm64: Revert support for execute-only user mappings +Git-commit: 24cecc37746393432d994c0dbc251fb9ac7c5d72 +Patch-mainline: v5.5-rc6 +References: bsc#1160218 + +The ARMv8 64-bit architecture supports execute-only user permissions by +clearing the PTE_USER and PTE_UXN bits, practically making it a mostly +privileged mapping but from which user running at EL0 can still execute. + +The downside, however, is that the kernel at EL1 inadvertently reading +such mapping would not trip over the PAN (privileged access never) +protection. + +Revert the relevant bits from commit cab15ce604e5 ("arm64: Introduce +execute-only page access permissions") so that PROT_EXEC implies +PROT_READ (and therefore PTE_USER) until the architecture gains proper +support for execute-only user mappings. + +Fixes: cab15ce604e5 ("arm64: Introduce execute-only page access permissions") +Cc: # 4.9.x- +Acked-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Linus Torvalds +Signed-off-by: Matthias Brugger +--- + arch/arm64/include/asm/pgtable-prot.h | 5 ++--- + arch/arm64/include/asm/pgtable.h | 10 +++------- + arch/arm64/mm/fault.c | 2 +- + mm/mmap.c | 6 ------ + 4 files changed, 6 insertions(+), 17 deletions(-) + +--- a/arch/arm64/include/asm/pgtable-prot.h ++++ b/arch/arm64/include/asm/pgtable-prot.h +@@ -75,13 +75,12 @@ + #define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_WRITE) + #define PAGE_READONLY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN) + #define PAGE_READONLY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN) +-#define PAGE_EXECONLY __pgprot(_PAGE_DEFAULT | PTE_RDONLY | PTE_NG | PTE_PXN) + + #define __P000 PAGE_NONE + #define __P001 PAGE_READONLY + #define __P010 PAGE_READONLY + #define __P011 PAGE_READONLY +-#define __P100 PAGE_EXECONLY ++#define __P100 PAGE_READONLY_EXEC + #define __P101 PAGE_READONLY_EXEC + #define __P110 PAGE_READONLY_EXEC + #define __P111 PAGE_READONLY_EXEC +@@ -90,7 +89,7 @@ + #define __S001 PAGE_READONLY + #define __S010 PAGE_SHARED + #define __S011 PAGE_SHARED +-#define __S100 PAGE_EXECONLY ++#define __S100 PAGE_READONLY_EXEC + #define __S101 PAGE_READONLY_EXEC + #define __S110 PAGE_SHARED_EXEC + #define __S111 PAGE_SHARED_EXEC +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -105,12 +105,8 @@ extern unsigned long empty_zero_page[PAG + #define pte_dirty(pte) (pte_sw_dirty(pte) || pte_hw_dirty(pte)) + + #define pte_valid(pte) (!!(pte_val(pte) & PTE_VALID)) +-/* +- * Execute-only user mappings do not have the PTE_USER bit set. All valid +- * kernel mappings have the PTE_UXN bit set. +- */ + #define pte_valid_not_user(pte) \ +- ((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN)) ++ ((pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID) + #define pte_valid_young(pte) \ + ((pte_val(pte) & (PTE_VALID | PTE_AF)) == (PTE_VALID | PTE_AF)) + #define pte_valid_user(pte) \ +@@ -126,8 +122,8 @@ extern unsigned long empty_zero_page[PAG + + /* + * p??_access_permitted() is true for valid user mappings (subject to the +- * write permission check) other than user execute-only which do not have the +- * PTE_USER bit set. PROT_NONE mappings do not have the PTE_VALID bit set. ++ * write permission check). PROT_NONE mappings do not have the PTE_VALID bit ++ * set. + */ + #define pte_access_permitted(pte, write) \ + (pte_valid_user(pte) && (!(write) || pte_write(pte))) +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -325,7 +325,7 @@ static int __kprobes do_page_fault(unsig + struct task_struct *tsk; + struct mm_struct *mm; + int fault, sig, code; +- unsigned long vm_flags = VM_READ | VM_WRITE; ++ unsigned long vm_flags = VM_READ | VM_WRITE | VM_EXEC; + unsigned int mm_flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE; + + if (notify_page_fault(regs, esr)) +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -89,12 +89,6 @@ static void unmap_region(struct mm_struc + * MAP_PRIVATE r: (no) no r: (yes) yes r: (no) yes r: (no) yes + * w: (no) no w: (no) no w: (copy) copy w: (no) no + * x: (no) no x: (no) yes x: (no) yes x: (yes) yes +- * +- * On arm64, PROT_EXEC has the following behaviour for both MAP_SHARED and +- * MAP_PRIVATE: +- * r: (no) no +- * w: (no) no +- * x: (yes) yes + */ + pgprot_t protection_map[16] = { + __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111, diff --git a/patches.suse/ata-ahci-Add-shutdown-to-freeze-hardware-resources-o.patch b/patches.suse/ata-ahci-Add-shutdown-to-freeze-hardware-resources-o.patch new file mode 100644 index 0000000..0b9c38a --- /dev/null +++ b/patches.suse/ata-ahci-Add-shutdown-to-freeze-hardware-resources-o.patch @@ -0,0 +1,111 @@ +From: Prabhakar Kushwaha +Date: Sat, 25 Jan 2020 03:37:29 +0000 +Subject: ata: ahci: Add shutdown to freeze hardware resources of ahci +Git-commit: 10a663a1b15134a5a714aa515e11425a44d4fdf7 +Patch-mainline: v5.6-rc1 +References: bsc#1164388 + +device_shutdown() called from reboot or power_shutdown expect +all devices to be shutdown. Same is true for even ahci pci driver. +As no ahci shutdown function is implemented, the ata subsystem +always remains alive with DMA & interrupt support. File system +related calls should not be honored after device_shutdown(). + +So defining ahci pci driver shutdown to freeze hardware (mask +interrupt, stop DMA engine and free DMA resources). + +Signed-off-by: Prabhakar Kushwaha +Signed-off-by: Jens Axboe +Signed-off-by: Matthias Brugger +--- + drivers/ata/ahci.c | 7 +++++++ + drivers/ata/libata-core.c | 21 +++++++++++++++++++++ + include/linux/libata.h | 1 + + 3 files changed, 29 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 4bfd1b14b390..11ea1aff40db 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -81,6 +81,7 @@ enum board_ids { + + static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent); + static void ahci_remove_one(struct pci_dev *dev); ++static void ahci_shutdown_one(struct pci_dev *dev); + static int ahci_vt8251_hardreset(struct ata_link *link, unsigned int *class, + unsigned long deadline); + static int ahci_avn_hardreset(struct ata_link *link, unsigned int *class, +@@ -606,6 +607,7 @@ static struct pci_driver ahci_pci_driver = { + .id_table = ahci_pci_tbl, + .probe = ahci_init_one, + .remove = ahci_remove_one, ++ .shutdown = ahci_shutdown_one, + .driver = { + .pm = &ahci_pci_pm_ops, + }, +@@ -1877,6 +1879,11 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + return 0; + } + ++static void ahci_shutdown_one(struct pci_dev *pdev) ++{ ++ ata_pci_shutdown_one(pdev); ++} ++ + static void ahci_remove_one(struct pci_dev *pdev) + { + pm_runtime_get_noresume(&pdev->dev); +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 6f4ab5c5b52d..42c8728f6117 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -6767,6 +6767,26 @@ void ata_pci_remove_one(struct pci_dev *pdev) + ata_host_detach(host); + } + ++void ata_pci_shutdown_one(struct pci_dev *pdev) ++{ ++ struct ata_host *host = pci_get_drvdata(pdev); ++ int i; ++ ++ for (i = 0; i < host->n_ports; i++) { ++ struct ata_port *ap = host->ports[i]; ++ ++ ap->pflags |= ATA_PFLAG_FROZEN; ++ ++ /* Disable port interrupts */ ++ if (ap->ops->freeze) ++ ap->ops->freeze(ap); ++ ++ /* Stop the port DMA engines */ ++ if (ap->ops->port_stop) ++ ap->ops->port_stop(ap); ++ } ++} ++ + /* move to PCI subsystem */ + int pci_test_config_bits(struct pci_dev *pdev, const struct pci_bits *bits) + { +@@ -7387,6 +7407,7 @@ EXPORT_SYMBOL_GPL(ata_timing_cycle2mode); + + #ifdef CONFIG_PCI + EXPORT_SYMBOL_GPL(pci_test_config_bits); ++EXPORT_SYMBOL_GPL(ata_pci_shutdown_one); + EXPORT_SYMBOL_GPL(ata_pci_remove_one); + #ifdef CONFIG_PM + EXPORT_SYMBOL_GPL(ata_pci_device_do_suspend); +diff --git a/include/linux/libata.h b/include/linux/libata.h +index 2dbde119721d..bff539918d82 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -1221,6 +1221,7 @@ struct pci_bits { + }; + + extern int pci_test_config_bits(struct pci_dev *pdev, const struct pci_bits *bits); ++extern void ata_pci_shutdown_one(struct pci_dev *pdev); + extern void ata_pci_remove_one(struct pci_dev *pdev); + + #ifdef CONFIG_PM +-- +2.25.0 + diff --git a/patches.suse/ath10k-Correct-the-DMA-direction-for-management-tx-b.patch b/patches.suse/ath10k-Correct-the-DMA-direction-for-management-tx-b.patch new file mode 100644 index 0000000..dca47d7 --- /dev/null +++ b/patches.suse/ath10k-Correct-the-DMA-direction-for-management-tx-b.patch @@ -0,0 +1,57 @@ +From 6ba8b3b6bd772f575f7736c8fd893c6981fcce16 Mon Sep 17 00:00:00 2001 +From: Rakesh Pillai +Date: Tue, 21 Jan 2020 12:42:28 +0530 +Subject: [PATCH] ath10k: Correct the DMA direction for management tx buffers +Git-commit: 6ba8b3b6bd772f575f7736c8fd893c6981fcce16 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +The management packets, send to firmware via WMI, are +mapped using the direction DMA_TO_DEVICE. Currently in +case of wmi cleanup, these buffers are being unmapped +using an incorrect DMA direction. This can cause unwanted +behavior when the host driver is handling a restart +of the wlan firmware. + +We might see a trace like below + +[] __dma_inv_area+0x28/0x58 +[] ath10k_wmi_mgmt_tx_clean_up_pending+0x60/0xb0 [ath10k_core] +[] idr_for_each+0x78/0xe4 +[] ath10k_wmi_detach+0x4c/0x7c [ath10k_core] +[] ath10k_core_stop+0x58/0x68 [ath10k_core] +[] ath10k_halt+0xec/0x13c [ath10k_core] +[] ath10k_core_restart+0x11c/0x1a8 [ath10k_core] +[] process_one_work+0x16c/0x31c + +Fix the incorrect DMA direction during the wmi +management tx buffer cleanup. + +Tested HW: WCN3990 +Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1 + +Fixes: dc405152bb6 ("ath10k: handle mgmt tx completion event") +Signed-off-by: Rakesh Pillai +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ath10k/wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c +index 13f7531d945d..61885d4d662c 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -9490,7 +9490,7 @@ static int ath10k_wmi_mgmt_tx_clean_up_pending(int msdu_id, void *ptr, + + msdu = pkt_addr->vaddr; + dma_unmap_single(ar->dev, pkt_addr->paddr, +- msdu->len, DMA_FROM_DEVICE); ++ msdu->len, DMA_TO_DEVICE); + ieee80211_free_txskb(ar->hw, msdu); + + return 0; +-- +2.16.4 + diff --git a/patches.suse/ath10k-pci-Fix-comment-on-ath10k_pci_dump_memory_sra.patch b/patches.suse/ath10k-pci-Fix-comment-on-ath10k_pci_dump_memory_sra.patch new file mode 100644 index 0000000..5532124 --- /dev/null +++ b/patches.suse/ath10k-pci-Fix-comment-on-ath10k_pci_dump_memory_sra.patch @@ -0,0 +1,37 @@ +From 63ec5cbc31f7c37870b7fbd33d9f1a50ba320221 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 19 Dec 2019 13:15:39 +0000 +Subject: [PATCH] ath10k: pci: Fix comment on ath10k_pci_dump_memory_sram +Git-commit: 63ec5cbc31f7c37870b7fbd33d9f1a50ba320221 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +The description of ath10k_pci_dump_memory_sram() is inaccurate, an error +can never be returned, it is always the length. Update the comment to +reflect. + +Fixes: 219cc084c6706 ("ath10k: add memory dump support QCA9984") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ath10k/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index 4822a65f6f3c..ded7a220a4aa 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -1578,7 +1578,7 @@ static int ath10k_pci_set_ram_config(struct ath10k *ar, u32 config) + return 0; + } + +-/* if an error happened returns < 0, otherwise the length */ ++/* Always returns the length */ + static int ath10k_pci_dump_memory_sram(struct ath10k *ar, + const struct ath10k_mem_region *region, + u8 *buf) +-- +2.16.4 + diff --git a/patches.suse/ath10k-pci-Only-dump-ATH10K_MEM_REGION_TYPE_IOREG-wh.patch b/patches.suse/ath10k-pci-Only-dump-ATH10K_MEM_REGION_TYPE_IOREG-wh.patch new file mode 100644 index 0000000..1362719 --- /dev/null +++ b/patches.suse/ath10k-pci-Only-dump-ATH10K_MEM_REGION_TYPE_IOREG-wh.patch @@ -0,0 +1,73 @@ +From d239380196c4e27a26fa4bea73d2bf994c14ec2d Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 19 Dec 2019 13:15:38 +0000 +Subject: [PATCH] ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe +Git-commit: d239380196c4e27a26fa4bea73d2bf994c14ec2d +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +ath10k_pci_dump_memory_reg() will try to access memory of type +ATH10K_MEM_REGION_TYPE_IOREG however, if a hardware restart is in progress +this can crash a system. + +Individual ioread32() time has been observed to jump from 15-20 ticks to > +80k ticks followed by a secure-watchdog bite and a system reset. + +Work around this corner case by only issuing the read transaction when the +driver state is ATH10K_STATE_ON. + +Tested-on: QCA9988 PCI 10.4-3.9.0.2-00044 + +Fixes: 219cc084c6706 ("ath10k: add memory dump support QCA9984") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ath10k/pci.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index bb44f5a0941b..4822a65f6f3c 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -1604,11 +1604,22 @@ static int ath10k_pci_dump_memory_reg(struct ath10k *ar, + { + struct ath10k_pci *ar_pci = ath10k_pci_priv(ar); + u32 i; ++ int ret; ++ ++ mutex_lock(&ar->conf_mutex); ++ if (ar->state != ATH10K_STATE_ON) { ++ ath10k_warn(ar, "Skipping pci_dump_memory_reg invalid state\n"); ++ ret = -EIO; ++ goto done; ++ } + + for (i = 0; i < region->len; i += 4) + *(u32 *)(buf + i) = ioread32(ar_pci->mem + region->start + i); + +- return region->len; ++ ret = region->len; ++done: ++ mutex_unlock(&ar->conf_mutex); ++ return ret; + } + + /* if an error happened returns < 0, otherwise the length */ +@@ -1704,7 +1715,11 @@ static void ath10k_pci_dump_memory(struct ath10k *ar, + count = ath10k_pci_dump_memory_sram(ar, current_region, buf); + break; + case ATH10K_MEM_REGION_TYPE_IOREG: +- count = ath10k_pci_dump_memory_reg(ar, current_region, buf); ++ ret = ath10k_pci_dump_memory_reg(ar, current_region, buf); ++ if (ret < 0) ++ break; ++ ++ count = ret; + break; + default: + ret = ath10k_pci_dump_memory_generic(ar, current_region, buf); +-- +2.16.4 + diff --git a/patches.suse/ath9k-fix-storage-endpoint-lookup.patch b/patches.suse/ath9k-fix-storage-endpoint-lookup.patch new file mode 100644 index 0000000..85dc8f1 --- /dev/null +++ b/patches.suse/ath9k-fix-storage-endpoint-lookup.patch @@ -0,0 +1,41 @@ +From 0ef332951e856efa89507cdd13ba8f4fb8d4db12 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:20 +0100 +Subject: [PATCH] ath9k: fix storage endpoint lookup +Git-commit: 0ef332951e856efa89507cdd13ba8f4fb8d4db12 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Make sure to use the current alternate setting when verifying the +storage interface descriptors to avoid submitting an URB to an invalid +endpoint. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices") +Cc: stable # 2.6.39 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index fb649d85b8fc..dd0c32379375 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -1216,7 +1216,7 @@ static void ath9k_hif_usb_firmware_cb(const struct firmware *fw, void *context) + static int send_eject_command(struct usb_interface *interface) + { + struct usb_device *udev = interface_to_usbdev(interface); +- struct usb_host_interface *iface_desc = &interface->altsetting[0]; ++ struct usb_host_interface *iface_desc = interface->cur_altsetting; + struct usb_endpoint_descriptor *endpoint; + unsigned char *cmd; + u8 bulk_out_ep; +-- +2.16.4 + diff --git a/patches.suse/batman-adv-Fix-DAT-candidate-selection-on-little-end.patch b/patches.suse/batman-adv-Fix-DAT-candidate-selection-on-little-end.patch new file mode 100644 index 0000000..95d1147 --- /dev/null +++ b/patches.suse/batman-adv-Fix-DAT-candidate-selection-on-little-end.patch @@ -0,0 +1,53 @@ +From 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Thu, 28 Nov 2019 12:25:45 +0100 +Subject: [PATCH] batman-adv: Fix DAT candidate selection on little endian systems +Git-commit: 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +The distributed arp table is using a DHT to store and retrieve MAC address +information for an IP address. This is done using unicast messages to +selected peers. The potential peers are looked up using the IP address and +the VID. + +While the IP address is always stored in big endian byte order, this is not +the case of the VID. It can (depending on the host system) either be big +endian or little endian. The host must therefore always convert it to big +endian to ensure that all devices calculate the same peers for the same +lookup data. + +Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Acked-by: Takashi Iwai + +--- + net/batman-adv/distributed-arp-table.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c +index b0af3a11d406..ec7bf5a4a9fc 100644 +--- a/net/batman-adv/distributed-arp-table.c ++++ b/net/batman-adv/distributed-arp-table.c +@@ -285,6 +285,7 @@ static u32 batadv_hash_dat(const void *data, u32 size) + u32 hash = 0; + const struct batadv_dat_entry *dat = data; + const unsigned char *key; ++ __be16 vid; + u32 i; + + key = (const unsigned char *)&dat->ip; +@@ -294,7 +295,8 @@ static u32 batadv_hash_dat(const void *data, u32 size) + hash ^= (hash >> 6); + } + +- key = (const unsigned char *)&dat->vid; ++ vid = htons(dat->vid); ++ key = (__force const unsigned char *)&vid; + for (i = 0; i < sizeof(dat->vid); i++) { + hash += key[i]; + hash += (hash << 10); +-- +2.16.4 + diff --git a/patches.suse/bcma-remove-set-but-not-used-variable-sizel.patch b/patches.suse/bcma-remove-set-but-not-used-variable-sizel.patch new file mode 100644 index 0000000..00afb95 --- /dev/null +++ b/patches.suse/bcma-remove-set-but-not-used-variable-sizel.patch @@ -0,0 +1,59 @@ +From f427939391f290cbeabe0231eb8a116429d823f0 Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Wed, 27 Nov 2019 20:44:33 +0800 +Subject: [PATCH] bcma: remove set but not used variable 'sizel' +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: f427939391f290cbeabe0231eb8a116429d823f0 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Fixes gcc '-Wunused-but-set-variable' warning: + +Drivers/bcma/scan.c: In function ‘bcma_erom_get_addr_desc’: + +drivers/bcma/scan.c:222:20: warning: variable ‘sizel’ set but +not used [-Wunused-but-set-variable] + +It is never used, and so can be removed. + +Fixes: 8369ae33b705 ("bcma: add Broadcom specific AMBA bus driver") +Signed-off-by: yu kuai +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/bcma/scan.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/bcma/scan.c b/drivers/bcma/scan.c +index 4a2d1b235fb5..1f2de714b401 100644 +--- a/drivers/bcma/scan.c ++++ b/drivers/bcma/scan.c +@@ -219,7 +219,7 @@ static s32 bcma_erom_get_mst_port(struct bcma_bus *bus, u32 __iomem **eromptr) + static u32 bcma_erom_get_addr_desc(struct bcma_bus *bus, u32 __iomem **eromptr, + u32 type, u8 port) + { +- u32 addrl, addrh, sizel, sizeh = 0; ++ u32 addrl, addrh, sizeh = 0; + u32 size; + + u32 ent = bcma_erom_get_ent(bus, eromptr); +@@ -239,12 +239,9 @@ static u32 bcma_erom_get_addr_desc(struct bcma_bus *bus, u32 __iomem **eromptr, + + if ((ent & SCAN_ADDR_SZ) == SCAN_ADDR_SZ_SZD) { + size = bcma_erom_get_ent(bus, eromptr); +- sizel = size & SCAN_SIZE_SZ; + if (size & SCAN_SIZE_SG32) + sizeh = bcma_erom_get_ent(bus, eromptr); +- } else +- sizel = SCAN_ADDR_SZ_BASE << +- ((ent & SCAN_ADDR_SZ) >> SCAN_ADDR_SZ_SHIFT); ++ } + + return addrl; + } +-- +2.16.4 + diff --git a/patches.suse/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-CPU.patch b/patches.suse/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-CPU.patch index 569ff2e..526a824 100644 --- a/patches.suse/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-CPU.patch +++ b/patches.suse/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-CPU.patch @@ -2,7 +2,7 @@ From 8962842ca5abdcf98e22ab3b2b45a103f0408b95 Mon Sep 17 00:00:00 2001 From: Ming Lei Date: Sat, 2 Nov 2019 16:02:15 +0800 Subject: [PATCH] blk-mq: avoid sysfs buffer overflow with too many CPU cores -References: bsc#1159377 +References: bsc#1159377 bsc#1163840 Git-commit: 8962842ca5abdcf98e22ab3b2b45a103f0408b95 Patch-mainline: v5.5-rc1 @@ -19,17 +19,15 @@ Cc: stable@vger.kernel.org Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load") Signed-off-by: Ming Lei Signed-off-by: Jens Axboe -Signed-off-by: Thomas Abraham -[tabraham@suse.com : handled backport, modified for context] +Acked-by: Jan Kara + --- - block/blk-mq-sysfs.c | 15 ++++++++++----- + block/blk-mq-sysfs.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) -diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c -index 81a273b43329..4caa56d1bc85 100644 --- a/block/blk-mq-sysfs.c +++ b/block/blk-mq-sysfs.c -@@ -158,20 +158,25 @@ static ssize_t blk_mq_hw_sysfs_nr_reserved_tags_show(struct blk_mq_hw_ctx *hctx, +@@ -151,20 +151,25 @@ static ssize_t blk_mq_hw_sysfs_nr_reserv static ssize_t blk_mq_hw_sysfs_cpus_show(struct blk_mq_hw_ctx *hctx, char *page) { @@ -60,6 +58,3 @@ index 81a273b43329..4caa56d1bc85 100644 } static struct attribute *default_ctx_attrs[] = { --- -2.16.4 - diff --git a/patches.suse/blk-mq-make-sure-that-line-break-can-be-printed.patch b/patches.suse/blk-mq-make-sure-that-line-break-can-be-printed.patch index 2d64b1c..3683942 100644 --- a/patches.suse/blk-mq-make-sure-that-line-break-can-be-printed.patch +++ b/patches.suse/blk-mq-make-sure-that-line-break-can-be-printed.patch @@ -2,7 +2,7 @@ From d2c9be89f8ebe7ebcc97676ac40f8dec1cf9b43a Mon Sep 17 00:00:00 2001 From: Ming Lei Date: Mon, 4 Nov 2019 16:26:53 +0800 Subject: [PATCH] blk-mq: make sure that line break can be printed -References: bsc#1159377 +References: bsc#1159377 bsc#1164098 Git-commit: d2c9be89f8ebe7ebcc97676ac40f8dec1cf9b43a Patch-mainline: v5.5-rc1 @@ -14,7 +14,8 @@ in, so fixed it. Fixes: 8962842ca5ab ("blk-mq: avoid sysfs buffer overflow with too many CPU cores") Signed-off-by: Ming Lei Signed-off-by: Jens Axboe -Signed-off-by: Thomas Abraham +Acked-by: Jan Kara + --- block/blk-mq-sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches.suse/bonding-fix-potential-NULL-deref-in-bond_update_slav.patch b/patches.suse/bonding-fix-potential-NULL-deref-in-bond_update_slav.patch new file mode 100644 index 0000000..8718523 --- /dev/null +++ b/patches.suse/bonding-fix-potential-NULL-deref-in-bond_update_slav.patch @@ -0,0 +1,79 @@ +From a7137534b597b7c303203e6bc3ed87e87a273bb8 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 7 Oct 2019 15:43:01 -0700 +Subject: [PATCH] bonding: fix potential NULL deref in bond_update_slave_arr +Git-commit: a7137534b597b7c303203e6bc3ed87e87a273bb8 +Patch-mainline: v5.4-rc4 +References: bsc#1051510 + +syzbot got a NULL dereference in bond_update_slave_arr() [1], +happening after a failure to allocate bond->slave_arr + +A workqueue (bond_slave_arr_handler) is supposed to retry +the allocation later, but if the slave is removed before +the workqueue had a chance to complete, bond->slave_arr +can still be NULL. + +[1] + +Failed to build slave-array. +Kasan: CONFIG_KASAN_INLINE enabled +Kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN PTI +Modules linked in: +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Rip: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039 +Rsp: 0018:ffff88018fe33678 EFLAGS: 00010246 +Rax: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000 +Rdx: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20 +Rbp: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0 +Fs: 00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000 +Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Cr2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0 +Dr0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +Dr3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + [] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923 + [] bond_release drivers/net/bonding/bond_main.c:2039 [inline] + [] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562 + [] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328 + [] dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495 + [] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088 + [] sock_ioctl+0x300/0x5d0 net/socket.c:1196 + [] vfs_ioctl fs/ioctl.c:47 [inline] + [] file_ioctl fs/ioctl.c:501 [inline] + [] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688 + [] SYSC_ioctl fs/ioctl.c:705 [inline] + [] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696 + [] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305 + [] entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: ee6377147409 ("bonding: Simplify the xmit function for modes that use xmit_hash") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Mahesh Bandewar +Signed-off-by: Jakub Kicinski +Acked-by: Takashi Iwai + +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 931d9d935686..21d8fcc83c9c 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4039,7 +4039,7 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave) + * this to-be-skipped slave to send a packet out. + */ + old_arr = rtnl_dereference(bond->slave_arr); +- for (idx = 0; idx < old_arr->count; idx++) { ++ for (idx = 0; old_arr != NULL && idx < old_arr->count; idx++) { + if (skipslave == old_arr->arr[idx]) { + old_arr->arr[idx] = + old_arr->arr[old_arr->count-1]; +-- +2.16.4 + diff --git a/patches.suse/bonding-fix-unexpected-IFF_BONDING-bit-unset.patch b/patches.suse/bonding-fix-unexpected-IFF_BONDING-bit-unset.patch new file mode 100644 index 0000000..b293dd4 --- /dev/null +++ b/patches.suse/bonding-fix-unexpected-IFF_BONDING-bit-unset.patch @@ -0,0 +1,95 @@ +From 65de65d9033750d2cf1b336c9d6e9da3a8b5cc6e Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Mon, 21 Oct 2019 18:47:52 +0000 +Subject: [PATCH] bonding: fix unexpected IFF_BONDING bit unset +Git-commit: 65de65d9033750d2cf1b336c9d6e9da3a8b5cc6e +Patch-mainline: v5.4-rc6 +References: bsc#1051510 + +The IFF_BONDING means bonding master or bonding slave device. +->ndo_add_slave() sets IFF_BONDING flag and ->ndo_del_slave() unsets +IFF_BONDING flag. + +bond0<--bond1 + +Both bond0 and bond1 are bonding device and these should keep having +IFF_BONDING flag until they are removed. +But bond1 would lose IFF_BONDING at ->ndo_del_slave() because that routine +do not check whether the slave device is the bonding type or not. +This patch adds the interface type check routine before removing +IFF_BONDING flag. + +Test commands: + ip link add bond0 type bond + ip link add bond1 type bond + ip link set bond1 master bond0 + ip link set bond1 nomaster + ip link del bond1 type bond + ip link add bond1 type bond + +Splat looks like: +[ 226.665555] proc_dir_entry 'bonding/bond1' already registered +[ 226.666440] WARNING: CPU: 0 PID: 737 at fs/proc/generic.c:361 proc_register+0x2a9/0x3e0 +[ 226.667571] Modules linked in: bonding af_packet sch_fq_codel ip_tables x_tables unix +[ 226.668662] CPU: 0 PID: 737 Comm: ip Not tainted 5.4.0-rc3+ #96 +[ 226.669508] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 226.670652] RIP: 0010:proc_register+0x2a9/0x3e0 +[ 226.671612] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 39 01 00 00 48 8b 04 24 48 89 ea 48 c7 c7 a0 0b 14 9f 48 8b b0 e +0 00 00 00 e8 07 e7 88 ff <0f> 0b 48 c7 c7 40 2d a5 9f e8 59 d6 23 01 48 8b 4c 24 10 48 b8 00 +[ 226.675007] RSP: 0018:ffff888050e17078 EFLAGS: 00010282 +[ 226.675761] RAX: dffffc0000000008 RBX: ffff88805fdd0f10 RCX: ffffffff9dd344e2 +[ 226.676757] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88806c9f6b8c +[ 226.677751] RBP: ffff8880507160f3 R08: ffffed100d940019 R09: ffffed100d940019 +[ 226.678761] R10: 0000000000000001 R11: ffffed100d940018 R12: ffff888050716008 +[ 226.679757] R13: ffff8880507160f2 R14: dffffc0000000000 R15: ffffed100a0e2c1e +[ 226.680758] FS: 00007fdc217cc0c0(0000) GS:ffff88806c800000(0000) knlGS:0000000000000000 +[ 226.681886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 226.682719] CR2: 00007f49313424d0 CR3: 0000000050e46001 CR4: 00000000000606f0 +[ 226.683727] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 226.684725] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 226.685681] Call Trace: +[ 226.687089] proc_create_seq_private+0xb3/0xf0 +[ 226.687778] bond_create_proc_entry+0x1b3/0x3f0 [bonding] +[ 226.691458] bond_netdev_event+0x433/0x970 [bonding] +[ 226.692139] ? __module_text_address+0x13/0x140 +[ 226.692779] notifier_call_chain+0x90/0x160 +[ 226.693401] register_netdevice+0x9b3/0xd80 +[ 226.694010] ? alloc_netdev_mqs+0x854/0xc10 +[ 226.694629] ? netdev_change_features+0xa0/0xa0 +[ 226.695278] ? rtnl_create_link+0x2ed/0xad0 +[ 226.695849] bond_newlink+0x2a/0x60 [bonding] +[ 226.696422] __rtnl_newlink+0xb9f/0x11b0 +[ 226.696968] ? rtnl_link_unregister+0x220/0x220 +[ ... ] + +Fixes: 0b680e753724 ("[PATCH] bonding: Add priv_flag to avoid event mishandling") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/bonding/bond_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1775,7 +1775,8 @@ err_detach: + slave_disable_netpoll(new_slave); + + err_close: +- slave_dev->priv_flags &= ~IFF_BONDING; ++ if (!netif_is_bond_master(slave_dev)) ++ slave_dev->priv_flags &= ~IFF_BONDING; + dev_close(slave_dev); + + err_restore_mac: +@@ -1978,7 +1979,8 @@ static int __bond_release_one(struct net + else + dev_set_mtu(slave_dev, slave->original_mtu); + +- slave_dev->priv_flags &= ~IFF_BONDING; ++ if (!netif_is_bond_master(slave_dev)) ++ slave_dev->priv_flags &= ~IFF_BONDING; + + bond_free_slave(slave); + diff --git a/patches.suse/brcmfmac-Fix-memory-leak-in-brcmf_p2p_create_p2pdev.patch b/patches.suse/brcmfmac-Fix-memory-leak-in-brcmf_p2p_create_p2pdev.patch new file mode 100644 index 0000000..d1c7ece --- /dev/null +++ b/patches.suse/brcmfmac-Fix-memory-leak-in-brcmf_p2p_create_p2pdev.patch @@ -0,0 +1,34 @@ +From 5cc509aa83c6acd2c5cd94f99065c39d2bd0a490 Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Fri, 22 Nov 2019 13:19:48 -0600 +Subject: [PATCH] brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() +Git-commit: 5cc509aa83c6acd2c5cd94f99065c39d2bd0a490 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +In the implementation of brcmf_p2p_create_p2pdev() the allocated memory +for p2p_vif is leaked when the mac address is the same as primary +interface. To fix this, go to error path to release p2p_vif via +brcmf_free_vif(). + +Fixes: cb746e47837a ("brcmfmac: check p2pdev mac address uniqueness") +Signed-off-by: Navid Emamdoost +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +@@ -2089,7 +2089,8 @@ static struct wireless_dev *brcmf_p2p_cr + /* firmware requires unique mac address for p2pdev interface */ + if (addr && ether_addr_equal(addr, pri_ifp->mac_addr)) { + brcmf_err("discovery vif must be different from primary interface\n"); +- return ERR_PTR(-EINVAL); ++ err = -EINVAL; ++ goto fail; + } + + brcmf_p2p_generate_bss_mac(p2p, addr); diff --git a/patches.suse/brcmfmac-Fix-memory-leak-in-brcmf_usbdev_qinit.patch b/patches.suse/brcmfmac-Fix-memory-leak-in-brcmf_usbdev_qinit.patch new file mode 100644 index 0000000..c1bddd5 --- /dev/null +++ b/patches.suse/brcmfmac-Fix-memory-leak-in-brcmf_usbdev_qinit.patch @@ -0,0 +1,36 @@ +From 4282dc057d750c6a7dd92953564b15c26b54c22c Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Sat, 14 Dec 2019 19:51:14 -0600 +Subject: [PATCH] brcmfmac: Fix memory leak in brcmf_usbdev_qinit +Git-commit: 4282dc057d750c6a7dd92953564b15c26b54c22c +Patch-mainline: v5.6-rc1 +References: git-fixes + +In the implementation of brcmf_usbdev_qinit() the allocated memory for +reqs is leaking if usb_alloc_urb() fails. Release reqs in the error +handling path. + +Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets") +Signed-off-by: Navid Emamdoost +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +index 7cdfde9b3dea..575ed19e9195 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +@@ -430,6 +430,7 @@ brcmf_usbdev_qinit(struct list_head *q, int qsize) + usb_free_urb(req->urb); + list_del(q->next); + } ++ kfree(reqs); + return NULL; + + } +-- +2.16.4 + diff --git a/patches.suse/brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch b/patches.suse/brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch new file mode 100644 index 0000000..6a0b53c --- /dev/null +++ b/patches.suse/brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch @@ -0,0 +1,41 @@ +From 216b44000ada87a63891a8214c347e05a4aea8fe Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 3 Dec 2019 12:58:55 +0300 +Subject: [PATCH] brcmfmac: Fix use after free in brcmf_sdio_readframes() +Git-commit: 216b44000ada87a63891a8214c347e05a4aea8fe +Patch-mainline: v5.6-rc1 +References: git-fixes + +The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a +static checker warning: + + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes() + error: dereferencing freed memory 'pkt' + +It looks like there was supposed to be a continue after we free "pkt". + +Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine") +Signed-off-by: Dan Carpenter +Acked-by: Franky Lin +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +index 264ad63232f8..1dea0178832e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -1935,6 +1935,7 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes) + BRCMF_SDIO_FT_NORMAL)) { + rd->len = 0; + brcmu_pkt_buf_free_skb(pkt); ++ continue; + } + bus->sdcnt.rx_readahead_cnt++; + if (rd->len != roundup(rd_new.len, 16)) { +-- +2.16.4 + diff --git a/patches.suse/brcmfmac-fix-interface-sanity-check.patch b/patches.suse/brcmfmac-fix-interface-sanity-check.patch new file mode 100644 index 0000000..b5bf868 --- /dev/null +++ b/patches.suse/brcmfmac-fix-interface-sanity-check.patch @@ -0,0 +1,50 @@ +From 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:22 +0100 +Subject: [PATCH] brcmfmac: fix interface sanity check +Git-commit: 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets") +Cc: stable # 3.4 +Cc: Arend van Spriel +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +index 06f3c01f10b3..7cdfde9b3dea 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +@@ -1348,7 +1348,7 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) + goto fail; + } + +- desc = &intf->altsetting[0].desc; ++ desc = &intf->cur_altsetting->desc; + if ((desc->bInterfaceClass != USB_CLASS_VENDOR_SPEC) || + (desc->bInterfaceSubClass != 2) || + (desc->bInterfaceProtocol != 0xff)) { +@@ -1361,7 +1361,7 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) + + num_of_eps = desc->bNumEndpoints; + for (ep = 0; ep < num_of_eps; ep++) { +- endpoint = &intf->altsetting[0].endpoint[ep].desc; ++ endpoint = &intf->cur_altsetting->endpoint[ep].desc; + endpoint_num = usb_endpoint_num(endpoint); + if (!usb_endpoint_xfer_bulk(endpoint)) + continue; +-- +2.16.4 + diff --git a/patches.suse/brcmfmac-sdio-Fix-OOB-interrupt-initialization-on-br.patch b/patches.suse/brcmfmac-sdio-Fix-OOB-interrupt-initialization-on-br.patch new file mode 100644 index 0000000..8cc4859 --- /dev/null +++ b/patches.suse/brcmfmac-sdio-Fix-OOB-interrupt-initialization-on-br.patch @@ -0,0 +1,62 @@ +From 8c8e60fb86a90a30721bbd797f58f96b3980dcc1 Mon Sep 17 00:00:00 2001 +From: Jean-Philippe Brucker +Date: Thu, 26 Dec 2019 10:20:33 +0100 +Subject: [PATCH] brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 +Git-commit: 8c8e60fb86a90a30721bbd797f58f96b3980dcc1 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Commit 262f2b53f679 ("brcmfmac: call brcmf_attach() just before calling +brcmf_bus_started()") changed the initialization order of the brcmfmac +SDIO driver. Unfortunately since brcmf_sdiod_intr_register() is now +called before the sdiodev->bus_if initialization, it reads the wrong +chip ID and fails to initialize the GPIO on brcm43362. Thus the chip +cannot send interrupts and fails to probe: + +[ 12.517023] brcmfmac: brcmf_sdio_bus_rxctl: resumed on timeout +[ 12.531214] ieee80211 phy0: brcmf_bus_started: failed: -110 +[ 12.536976] ieee80211 phy0: brcmf_attach: dongle is not responding: err=-110 +[ 12.566467] brcmfmac: brcmf_sdio_firmware_callback: brcmf_attach failed + +Initialize the bus interface earlier to ensure that +brcmf_sdiod_intr_register() properly sets up the OOB interrupt. + +Buglink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908438 +Fixes: 262f2b53f679 ("brcmfmac: call brcmf_attach() just before calling brcmf_bus_started()") +Signed-off-by: Jean-Philippe Brucker +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -4157,6 +4157,12 @@ static void brcmf_sdio_firmware_callback + } + + if (err == 0) { ++ /* Assign bus interface call back */ ++ sdiod->bus_if->dev = sdiod->dev; ++ sdiod->bus_if->ops = &brcmf_sdio_bus_ops; ++ sdiod->bus_if->chip = bus->ci->chip; ++ sdiod->bus_if->chiprev = bus->ci->chiprev; ++ + /* Allow full data communication using DPC from now on. */ + brcmf_sdiod_change_state(bus->sdiodev, BRCMF_SDIOD_DATA); + +@@ -4171,12 +4177,6 @@ static void brcmf_sdio_firmware_callback + + sdio_release_host(sdiod->func1); + +- /* Assign bus interface call back */ +- sdiod->bus_if->dev = sdiod->dev; +- sdiod->bus_if->ops = &brcmf_sdio_bus_ops; +- sdiod->bus_if->chip = bus->ci->chip; +- sdiod->bus_if->chiprev = bus->ci->chiprev; +- + /* Attach to the common layer, reserve hdr space */ + err = brcmf_attach(sdiod->dev, sdiod->settings); + if (err != 0) { diff --git a/patches.suse/btrfs-abort-transaction-after-failed-inode-updates-i.patch b/patches.suse/btrfs-abort-transaction-after-failed-inode-updates-i.patch new file mode 100644 index 0000000..466f940 --- /dev/null +++ b/patches.suse/btrfs-abort-transaction-after-failed-inode-updates-i.patch @@ -0,0 +1,50 @@ +From: Josef Bacik +Date: Fri, 6 Dec 2019 09:37:15 -0500 +Git-commit: c7e54b5102bf3614cadb9ca32d7be73bad6cecf0 +Patch-mainline: 5.5-rc3 +Subject: [PATCH] btrfs: abort transaction after failed inode updates in + create_subvol +References: bsc#1161936 + +We can just abort the transaction here, and in fact do that for every +other failure in this function except these two cases. + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Filipe Manana +Reviewed-by: Johannes Thumshirn +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Filipe Manana +--- + fs/btrfs/ioctl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 5a70cb428d83..8f9ed2209769 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -610,12 +610,18 @@ static noinline int create_subvol(struct inode *dir, + + btrfs_i_size_write(BTRFS_I(dir), dir->i_size + namelen * 2); + ret = btrfs_update_inode(trans, root, dir); +- BUG_ON(ret); ++ if (ret) { ++ btrfs_abort_transaction(trans, ret); ++ goto fail; ++ } + + ret = btrfs_add_root_ref(trans, fs_info, + objectid, root->root_key.objectid, + btrfs_ino(BTRFS_I(dir)), index, name, namelen); +- BUG_ON(ret); ++ if (ret) { ++ btrfs_abort_transaction(trans, ret); ++ goto fail; ++ } + + ret = btrfs_uuid_tree_add(trans, fs_info, root_item->uuid, + BTRFS_UUID_KEY_SUBVOL, objectid); +-- +2.16.4 + diff --git a/patches.suse/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch b/patches.suse/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch new file mode 100644 index 0000000..1a50485 --- /dev/null +++ b/patches.suse/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch @@ -0,0 +1,67 @@ +From: Josef Bacik +Date: Tue, 19 Nov 2019 13:59:35 -0500 +Git-commit: f72ff01df9cf5db25c76674cac16605992d15467 +Patch-mainline: 5.5-rc3 +Subject: [PATCH] btrfs: do not call synchronize_srcu() in inode_tree_del +References: bsc#1161934 + +Testing with the new fsstress uncovered a pretty nasty deadlock with +lookup and snapshot deletion. + +Process A +unlink + -> final iput + -> inode_tree_del + -> synchronize_srcu(subvol_srcu) + +Process B +btrfs_lookup <- srcu_read_lock() acquired here + -> btrfs_iget + -> find inode that has I_FREEING set + -> __wait_on_freeing_inode() + +We're holding the srcu_read_lock() while doing the iget in order to make +sure our fs root doesn't go away, and then we are waiting for the inode +to finish freeing. However because the free'ing process is doing a +synchronize_srcu() we deadlock. + +Fix this by dropping the synchronize_srcu() in inode_tree_del(). We +don't need people to stop accessing the fs root at this point, we're +only adding our empty root to the dead roots list. + +A larger much more invasive fix is forthcoming to address how we deal +with fs roots, but this fixes the immediate problem. + +Fixes: 76dda93c6ae2 ("Btrfs: add snapshot/subvolume destroy ioctl") +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Filipe Manana +--- + fs/btrfs/inode.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index fe0ae52757b4..e704efffeb2d 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -5366,7 +5366,6 @@ static void inode_tree_add(struct inode *inode) + + static void inode_tree_del(struct inode *inode) + { +- struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb); + struct btrfs_root *root = BTRFS_I(inode)->root; + int empty = 0; + +@@ -5379,7 +5378,6 @@ static void inode_tree_del(struct inode *inode) + spin_unlock(&root->inode_lock); + + if (empty && btrfs_root_refs(&root->root_item) == 0) { +- synchronize_srcu(&fs_info->subvol_srcu); + spin_lock(&root->inode_lock); + empty = RB_EMPTY_ROOT(&root->inode_tree); + spin_unlock(&root->inode_lock); +-- +2.16.4 + diff --git a/patches.suse/btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch b/patches.suse/btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch new file mode 100644 index 0000000..b8cbe3f --- /dev/null +++ b/patches.suse/btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch @@ -0,0 +1,49 @@ +From: Josef Bacik +Date: Tue, 19 Nov 2019 13:59:20 -0500 +Subject: btrfs: don't double lock the subvol_sem for rename exchange +Git-commit: 943eb3bf25f4a7b745dd799e031be276aa104d82 +Patch-mainline: v5.5-rc3 +References: bsc#1162943 + +If we're rename exchanging two subvols we'll try to lock this lock +twice, which is bad. Just lock once if either of the ino's are subvols. + +Fixes: cdd1fedf8261 ("btrfs: add support for RENAME_EXCHANGE and RENAME_WHITEOUT") +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Acked-by: Nikolay Borisov +--- + fs/btrfs/inode.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 5766c2d19896..e3c76645cad7 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -9554,9 +9554,8 @@ static int btrfs_rename_exchange(struct inode *old_dir, + btrfs_init_log_ctx(&ctx_dest, new_inode); + + /* close the race window with snapshot create/destroy ioctl */ +- if (old_ino == BTRFS_FIRST_FREE_OBJECTID) +- down_read(&fs_info->subvol_sem); +- if (new_ino == BTRFS_FIRST_FREE_OBJECTID) ++ if (old_ino == BTRFS_FIRST_FREE_OBJECTID || ++ new_ino == BTRFS_FIRST_FREE_OBJECTID) + down_read(&fs_info->subvol_sem); + + /* +@@ -9790,9 +9789,8 @@ static int btrfs_rename_exchange(struct inode *old_dir, + ret = ret ? ret : ret2; + } + out_notrans: +- if (new_ino == BTRFS_FIRST_FREE_OBJECTID) +- up_read(&fs_info->subvol_sem); +- if (old_ino == BTRFS_FIRST_FREE_OBJECTID) ++ if (new_ino == BTRFS_FIRST_FREE_OBJECTID || ++ old_ino == BTRFS_FIRST_FREE_OBJECTID) + up_read(&fs_info->subvol_sem); + + ASSERT(list_empty(&ctx_root.list)); + diff --git a/patches.suse/btrfs-handle-ENOENT-in-btrfs_uuid_tree_iterate.patch b/patches.suse/btrfs-handle-ENOENT-in-btrfs_uuid_tree_iterate.patch new file mode 100644 index 0000000..23c532a --- /dev/null +++ b/patches.suse/btrfs-handle-ENOENT-in-btrfs_uuid_tree_iterate.patch @@ -0,0 +1,39 @@ +From: Josef Bacik +Date: Fri, 6 Dec 2019 11:39:00 -0500 +Git-commit: 714cd3e8cba6841220dce9063a7388a81de03825 +Patch-mainline: 5.5-rc3 +Subject: [PATCH] btrfs: handle ENOENT in btrfs_uuid_tree_iterate +References: bsc#1161937 + +If we get an -ENOENT back from btrfs_uuid_iter_rem when iterating the +uuid tree we'll just continue and do btrfs_next_item(). However we've +done a btrfs_release_path() at this point and no longer have a valid +path. So increment the key and go back and do a normal search. + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Filipe Manana +Reviewed-by: Johannes Thumshirn +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Filipe Manana +--- + fs/btrfs/uuid-tree.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/uuid-tree.c b/fs/btrfs/uuid-tree.c +index 726f928238d0..331f3a1ad23b 100644 +--- a/fs/btrfs/uuid-tree.c ++++ b/fs/btrfs/uuid-tree.c +@@ -336,6 +336,8 @@ int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info, + } + if (ret < 0 && ret != -ENOENT) + goto out; ++ key.offset++; ++ goto again_search_slot; + } + item_size -= sizeof(subid_le); + offset += sizeof(subid_le); +-- +2.16.4 + diff --git a/patches.suse/btrfs-record-all-roots-for-rename-exchange-on-a-subv.patch b/patches.suse/btrfs-record-all-roots-for-rename-exchange-on-a-subv.patch new file mode 100644 index 0000000..15fb3d9 --- /dev/null +++ b/patches.suse/btrfs-record-all-roots-for-rename-exchange-on-a-subv.patch @@ -0,0 +1,45 @@ +From: Josef Bacik +Date: Fri, 15 Nov 2019 15:43:06 -0500 +Git-commit: 3e1740993e43116b3bc71b0aad1e6872f6ccf341 +Patch-mainline: 5.5-rc1 +Subject: [PATCH] btrfs: record all roots for rename exchange on a subvol +References: bsc#1161933 + +Testing with the new fsstress support for subvolumes uncovered a pretty +bad problem with rename exchange on subvolumes. We're modifying two +different subvolumes, but we only start the transaction on one of them, +so the other one is not added to the dirty root list. This is caught by +btrfs_cow_block() with a warning because the root has not been updated, +however if we do not modify this root again we'll end up pointing at an +invalid root because the root item is never updated. + +Fix this by making sure we add the destination root to the trans list, +the same as we do with normal renames. This fixes the corruption. + +Fixes: cdd1fedf8261 ("btrfs: add support for RENAME_EXCHANGE and RENAME_WHITEOUT") +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Filipe Manana +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Filipe Manana +--- + fs/btrfs/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 8ec46239a7ca..fe0ae52757b4 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -9473,6 +9473,9 @@ static int btrfs_rename_exchange(struct inode *old_dir, + goto out_notrans; + } + ++ if (dest != root) ++ btrfs_record_root_in_trans(trans, dest); ++ + /* + * We need to find a free sequence number both in the source and + * in the destination directory for the exchange. +-- +2.16.4 + diff --git a/patches.suse/btrfs-skip-log-replay-on-orphaned-roots.patch b/patches.suse/btrfs-skip-log-replay-on-orphaned-roots.patch new file mode 100644 index 0000000..ee4c274 --- /dev/null +++ b/patches.suse/btrfs-skip-log-replay-on-orphaned-roots.patch @@ -0,0 +1,80 @@ +From: Josef Bacik +Date: Fri, 6 Dec 2019 09:37:17 -0500 +Git-commit: 9bc574de590510eff899c3ca8dbaf013566b5efe +Patch-mainline: 5.5-rc3 +Subject: [PATCH] btrfs: skip log replay on orphaned roots +References: bsc#1161935 + +My fsstress modifications coupled with generic/475 uncovered a failure +to mount and replay the log if we hit a orphaned root. We do not want +to replay the log for an orphan root, but it's completely legitimate to +have an orphaned root with a log attached. Fix this by simply skipping +replaying the log. We still need to pin it's root node so that we do +not overwrite it while replaying other logs, as we re-read the log root +at every stage of the replay. + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Filipe Manana +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Filipe Manana +--- + fs/btrfs/tree-log.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 883693e190b6..7ce9e9ad7de2 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -6497,9 +6497,28 @@ int btrfs_recover_log_trees(struct btrfs_root *log_root_tree) + wc.replay_dest = btrfs_read_fs_root_no_name(fs_info, &tmp_key); + if (IS_ERR(wc.replay_dest)) { + ret = PTR_ERR(wc.replay_dest); ++ ++ /* ++ * We didn't find the subvol, likely because it was ++ * deleted. This is ok, simply skip this log and go to ++ * the next one. ++ * ++ * We need to exclude the root because we can't have ++ * other log replays overwriting this log as we'll read ++ * it back in a few more times. This will keep our ++ * block from being modified, and we'll just bail for ++ * each subsequent pass. ++ */ ++ if (ret == -ENOENT) ++ ret = btrfs_pin_extent_for_log_replay(fs_info, ++ log->node->start, ++ log->node->len); + free_extent_buffer(log->node); + free_extent_buffer(log->commit_root); + kfree(log); ++ ++ if (!ret) ++ goto next; + btrfs_handle_fs_error(fs_info, ret, + "Couldn't read target root for tree log recovery."); + goto error; +@@ -6531,7 +6550,6 @@ int btrfs_recover_log_trees(struct btrfs_root *log_root_tree) + &root->highest_objectid); + } + +- key.offset = found_key.offset - 1; + wc.replay_dest->log_root = NULL; + free_extent_buffer(log->node); + free_extent_buffer(log->commit_root); +@@ -6539,9 +6557,10 @@ int btrfs_recover_log_trees(struct btrfs_root *log_root_tree) + + if (ret) + goto error; +- ++next: + if (found_key.offset == 0) + break; ++ key.offset = found_key.offset - 1; + } + btrfs_release_path(path); + +-- +2.16.4 + diff --git a/patches.suse/can-can_dropped_invalid_skb-ensure-an-initialized-he.patch b/patches.suse/can-can_dropped_invalid_skb-ensure-an-initialized-he.patch new file mode 100644 index 0000000..a21a837 --- /dev/null +++ b/patches.suse/can-can_dropped_invalid_skb-ensure-an-initialized-he.patch @@ -0,0 +1,92 @@ +From e7153bf70c3496bac00e7e4f395bb8d8394ac0ea Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Sat, 7 Dec 2019 19:34:18 +0100 +Subject: [PATCH] can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs +Git-commit: e7153bf70c3496bac00e7e4f395bb8d8394ac0ea +Patch-mainline: v5.5-rc6 +References: bsc#1051510 + +KMSAN sysbot detected a read access to an untinitialized value in the +headroom of an outgoing CAN related sk_buff. When using CAN sockets this +area is filled appropriately - but when using a packet socket this +initialization is missing. + +The problematic read access occurs in the CAN receive path which can +only be triggered when the sk_buff is sent through a (virtual) CAN +interface. So we check in the sending path whether we need to perform +the missing initializations. + +Fixes: d3b58c47d330d ("can: replace timestamp as unique skb attribute") +Reported-by: syzbot+b02ff0707a97e4e79ebb@syzkaller.appspotmail.com +Signed-off-by: Oliver Hartkopp +Tested-by: Oliver Hartkopp +Cc: linux-stable # >= v4.1 +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + include/linux/can/dev.h | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/include/linux/can/dev.h b/include/linux/can/dev.h +index 9b3c720a31b1..5e3d45525bd3 100644 +--- a/include/linux/can/dev.h ++++ b/include/linux/can/dev.h +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + + /* +@@ -91,6 +92,36 @@ struct can_priv { + #define get_can_dlc(i) (min_t(__u8, (i), CAN_MAX_DLC)) + #define get_canfd_dlc(i) (min_t(__u8, (i), CANFD_MAX_DLC)) + ++/* Check for outgoing skbs that have not been created by the CAN subsystem */ ++static inline bool can_skb_headroom_valid(struct net_device *dev, ++ struct sk_buff *skb) ++{ ++ /* af_packet creates a headroom of HH_DATA_MOD bytes which is fine */ ++ if (WARN_ON_ONCE(skb_headroom(skb) < sizeof(struct can_skb_priv))) ++ return false; ++ ++ /* af_packet does not apply CAN skb specific settings */ ++ if (skb->ip_summed == CHECKSUM_NONE) { ++ /* init headroom */ ++ can_skb_prv(skb)->ifindex = dev->ifindex; ++ can_skb_prv(skb)->skbcnt = 0; ++ ++ skb->ip_summed = CHECKSUM_UNNECESSARY; ++ ++ /* preform proper loopback on capable devices */ ++ if (dev->flags & IFF_ECHO) ++ skb->pkt_type = PACKET_LOOPBACK; ++ else ++ skb->pkt_type = PACKET_HOST; ++ ++ skb_reset_mac_header(skb); ++ skb_reset_network_header(skb); ++ skb_reset_transport_header(skb); ++ } ++ ++ return true; ++} ++ + /* Drop a given socketbuffer if it does not contain a valid CAN frame. */ + static inline bool can_dropped_invalid_skb(struct net_device *dev, + struct sk_buff *skb) +@@ -108,6 +139,9 @@ static inline bool can_dropped_invalid_skb(struct net_device *dev, + } else + goto inval_skb; + ++ if (!can_skb_headroom_valid(dev, skb)) ++ goto inval_skb; ++ + return false; + + inval_skb: +-- +2.16.4 + diff --git a/patches.suse/can-slip-Protect-tty-disc_data-in-write_wakeup-and-c.patch b/patches.suse/can-slip-Protect-tty-disc_data-in-write_wakeup-and-c.patch new file mode 100644 index 0000000..28328fb --- /dev/null +++ b/patches.suse/can-slip-Protect-tty-disc_data-in-write_wakeup-and-c.patch @@ -0,0 +1,116 @@ +From 0ace17d56824165c7f4c68785d6b58971db954dd Mon Sep 17 00:00:00 2001 +From: Richard Palethorpe +Date: Tue, 21 Jan 2020 14:42:58 +0100 +Subject: [PATCH] can, slip: Protect tty->disc_data in write_wakeup and close with RCU +Git-commit: 0ace17d56824165c7f4c68785d6b58971db954dd +Patch-mainline: v5.5 +References: bsc#1051510 + +write_wakeup can happen in parallel with close/hangup where tty->disc_data +is set to NULL and the netdevice is freed thus also freeing +disc_data. write_wakeup accesses disc_data so we must prevent close from +freeing the netdev while write_wakeup has a non-NULL view of +tty->disc_data. + +We also need to make sure that accesses to disc_data are atomic. Which can +all be done with RCU. + +This problem was found by Syzkaller on SLCAN, but the same issue is +reproducible with the SLIP line discipline using an LTP test based on the +Syzkaller reproducer. + +A fix which didn't use RCU was posted by Hillf Danton. + +Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup") +Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip") +Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com +Signed-off-by: Richard Palethorpe +Cc: Wolfgang Grandegger +Cc: Marc Kleine-Budde +Cc: "David S. Miller" +Cc: Tyler Hall +Cc: linux-can@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: syzkaller@googlegroups.com +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/can/slcan.c | 12 ++++++++++-- + drivers/net/slip/slip.c | 12 ++++++++++-- + 2 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c +index 2e57122f02fb..2f5c287eac95 100644 +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -344,9 +344,16 @@ static void slcan_transmit(struct work_struct *work) + */ + static void slcan_write_wakeup(struct tty_struct *tty) + { +- struct slcan *sl = tty->disc_data; ++ struct slcan *sl; ++ ++ rcu_read_lock(); ++ sl = rcu_dereference(tty->disc_data); ++ if (!sl) ++ goto out; + + schedule_work(&sl->tx_work); ++out: ++ rcu_read_unlock(); + } + + /* Send a can_frame to a TTY queue. */ +@@ -644,10 +651,11 @@ static void slcan_close(struct tty_struct *tty) + return; + + spin_lock_bh(&sl->lock); +- tty->disc_data = NULL; ++ rcu_assign_pointer(tty->disc_data, NULL); + sl->tty = NULL; + spin_unlock_bh(&sl->lock); + ++ synchronize_rcu(); + flush_work(&sl->tx_work); + + /* Flush network side */ +diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c +index 2a91c192659f..61d7e0d1d77d 100644 +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -452,9 +452,16 @@ static void slip_transmit(struct work_struct *work) + */ + static void slip_write_wakeup(struct tty_struct *tty) + { +- struct slip *sl = tty->disc_data; ++ struct slip *sl; ++ ++ rcu_read_lock(); ++ sl = rcu_dereference(tty->disc_data); ++ if (!sl) ++ goto out; + + schedule_work(&sl->tx_work); ++out: ++ rcu_read_unlock(); + } + + static void sl_tx_timeout(struct net_device *dev) +@@ -882,10 +889,11 @@ static void slip_close(struct tty_struct *tty) + return; + + spin_lock_bh(&sl->lock); +- tty->disc_data = NULL; ++ rcu_assign_pointer(tty->disc_data, NULL); + sl->tty = NULL; + spin_unlock_bh(&sl->lock); + ++ synchronize_rcu(); + flush_work(&sl->tx_work); + + /* VSV = very important to remove timers */ +-- +2.16.4 + diff --git a/patches.suse/cdrom-respect-device-capabilities-during-opening-act.patch b/patches.suse/cdrom-respect-device-capabilities-during-opening-act.patch new file mode 100644 index 0000000..539dcbc --- /dev/null +++ b/patches.suse/cdrom-respect-device-capabilities-during-opening-act.patch @@ -0,0 +1,69 @@ +From 366ba7c71ef77c08d06b18ad61b26e2df7352338 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?= +Date: Tue, 19 Nov 2019 21:37:08 +0000 +Subject: [PATCH] cdrom: respect device capabilities during opening action +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +References: boo#1164632 +Patch-mainline: v5.5-rc1 +Git-commit: 366ba7c71ef77c08d06b18ad61b26e2df7352338 + +Reading the TOC only works if the device can play audio, otherwise +these commands fail (and possibly bring the device to an unhealthy +state.) + +Similarly, cdrom_mmc3_profile() should only be called if the device +supports generic packet commands. + +To: Jens Axboe +Cc: linux-kernel@vger.kernel.org +Cc: linux-scsi@vger.kernel.org +Signed-off-by: Diego Elio Pettenò +Signed-off-by: Jens Axboe +Acked-by: Michal Suchanek +--- + drivers/cdrom/cdrom.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index ac42ae4651ce..eebdcbef0578 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -996,6 +996,12 @@ static void cdrom_count_tracks(struct cdrom_device_info *cdi, tracktype *tracks) + tracks->xa = 0; + tracks->error = 0; + cd_dbg(CD_COUNT_TRACKS, "entering cdrom_count_tracks\n"); ++ ++ if (!CDROM_CAN(CDC_PLAY_AUDIO)) { ++ tracks->error = CDS_NO_INFO; ++ return; ++ } ++ + /* Grab the TOC header so we can see how many tracks there are */ + ret = cdi->ops->audio_ioctl(cdi, CDROMREADTOCHDR, &header); + if (ret) { +@@ -1162,7 +1168,8 @@ int cdrom_open(struct cdrom_device_info *cdi, struct block_device *bdev, + ret = open_for_data(cdi); + if (ret) + goto err; +- cdrom_mmc3_profile(cdi); ++ if (CDROM_CAN(CDC_GENERIC_PACKET)) ++ cdrom_mmc3_profile(cdi); + if (mode & FMODE_WRITE) { + ret = -EROFS; + if (cdrom_open_write(cdi)) +@@ -2882,6 +2889,9 @@ int cdrom_get_last_written(struct cdrom_device_info *cdi, long *last_written) + it doesn't give enough information or fails. then we return + the toc contents. */ + use_toc: ++ if (!CDROM_CAN(CDC_PLAY_AUDIO)) ++ return -ENOSYS; ++ + toc.cdte_format = CDROM_MSF; + toc.cdte_track = CDROM_LEADOUT; + if ((ret = cdi->ops->audio_ioctl(cdi, CDROMREADTOCENTRY, &toc))) +-- +2.23.0 + diff --git a/patches.suse/cfg80211-check-for-set_wiphy_params.patch b/patches.suse/cfg80211-check-for-set_wiphy_params.patch new file mode 100644 index 0000000..9846ce3 --- /dev/null +++ b/patches.suse/cfg80211-check-for-set_wiphy_params.patch @@ -0,0 +1,40 @@ +From 24953de0a5e31dcca7e82c8a3c79abc2dfe8fb6e Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 13 Jan 2020 12:53:59 +0100 +Subject: [PATCH] cfg80211: check for set_wiphy_params +Git-commit: 24953de0a5e31dcca7e82c8a3c79abc2dfe8fb6e +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +Check if set_wiphy_params is assigned and return an error if not, +some drivers (e.g. virt_wifi where syzbot reported it) don't have +it. + +Reported-by: syzbot+e8a797964a4180eb57d5@syzkaller.appspotmail.com +Reported-by: syzbot+34b582cf32c1db008f8e@syzkaller.appspotmail.com +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20200113125358.ac07f276efff.Ibd85ee1b12e47b9efb00a2adc5cd3fac50da791a@changeid +Acked-by: Takashi Iwai + +--- + net/wireless/rdev-ops.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h +index 663c0d3127a4..e0d34f796d0b 100644 +--- a/net/wireless/rdev-ops.h ++++ b/net/wireless/rdev-ops.h +@@ -538,6 +538,10 @@ static inline int + rdev_set_wiphy_params(struct cfg80211_registered_device *rdev, u32 changed) + { + int ret; ++ ++ if (!rdev->ops->set_wiphy_params) ++ return -EOPNOTSUPP; ++ + trace_rdev_set_wiphy_params(&rdev->wiphy, changed); + ret = rdev->ops->set_wiphy_params(&rdev->wiphy, changed); + trace_rdev_return_int(&rdev->wiphy, ret); +-- +2.16.4 + diff --git a/patches.suse/cfg80211-fix-deadlocks-in-autodisconnect-work.patch b/patches.suse/cfg80211-fix-deadlocks-in-autodisconnect-work.patch new file mode 100644 index 0000000..d464333 --- /dev/null +++ b/patches.suse/cfg80211-fix-deadlocks-in-autodisconnect-work.patch @@ -0,0 +1,46 @@ +From 5a128a088a2ab0b5190eeb232b5aa0b1017a0317 Mon Sep 17 00:00:00 2001 +From: Markus Theil +Date: Wed, 8 Jan 2020 12:55:36 +0100 +Subject: [PATCH] cfg80211: fix deadlocks in autodisconnect work +Git-commit: 5a128a088a2ab0b5190eeb232b5aa0b1017a0317 +Patch-mainline: v5.5-rc7 +References: bsc#1111666 + +Use methods which do not try to acquire the wdev lock themselves. + +Cc: stable@vger.kernel.org +Fixes: 37b1c004685a3 ("cfg80211: Support all iftypes in autodisconnect_wk") +Signed-off-by: Markus Theil +Link: https://lore.kernel.org/r/20200108115536.2262-1-markus.theil@tu-ilmenau.de +Signed-off-by: Johannes Berg +Acked-by: Takashi Iwai + +--- + net/wireless/sme.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index 7a6c38ddc65a..d32a2ec4d96a 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -1307,14 +1307,14 @@ void cfg80211_autodisconnect_wk(struct work_struct *work) + if (wdev->conn_owner_nlportid) { + switch (wdev->iftype) { + case NL80211_IFTYPE_ADHOC: +- cfg80211_leave_ibss(rdev, wdev->netdev, false); ++ __cfg80211_leave_ibss(rdev, wdev->netdev, false); + break; + case NL80211_IFTYPE_AP: + case NL80211_IFTYPE_P2P_GO: +- cfg80211_stop_ap(rdev, wdev->netdev, false); ++ __cfg80211_stop_ap(rdev, wdev->netdev, false); + break; + case NL80211_IFTYPE_MESH_POINT: +- cfg80211_leave_mesh(rdev, wdev->netdev); ++ __cfg80211_leave_mesh(rdev, wdev->netdev); + break; + case NL80211_IFTYPE_STATION: + case NL80211_IFTYPE_P2P_CLIENT: +-- +2.16.4 + diff --git a/patches.suse/cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch b/patches.suse/cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch new file mode 100644 index 0000000..66551ff --- /dev/null +++ b/patches.suse/cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch @@ -0,0 +1,36 @@ +From df16737d438f534d0cc9948c7c5158f1986c5c87 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 8 Jan 2020 18:06:30 +0100 +Subject: [PATCH] cfg80211: fix memory leak in cfg80211_cqm_rssi_update +Git-commit: df16737d438f534d0cc9948c7c5158f1986c5c87 +Patch-mainline: v5.5-rc7 +References: bsc#1111666 + +The per-tid statistics need to be released after the call to rdev_get_station + +Cc: stable@vger.kernel.org +Fixes: 8689c051a201 ("cfg80211: dynamically allocate per-tid stats for station info") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20200108170630.33680-2-nbd@nbd.name +Signed-off-by: Johannes Berg +Acked-by: Takashi Iwai + +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 73e1430c7ac5..1e97ac5435b2 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -10843,6 +10843,7 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev, + if (err) + return err; + ++ cfg80211_sinfo_release_content(&sinfo); + if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG)) + wdev->cqm_config->last_rssi_event_value = + (s8) sinfo.rx_beacon_signal_avg; +-- +2.16.4 + diff --git a/patches.suse/chardev-Avoid-potential-use-after-free-in-chrdev_ope.patch b/patches.suse/chardev-Avoid-potential-use-after-free-in-chrdev_ope.patch new file mode 100644 index 0000000..d58b1f0 --- /dev/null +++ b/patches.suse/chardev-Avoid-potential-use-after-free-in-chrdev_ope.patch @@ -0,0 +1,101 @@ +From 68faa679b8be1a74e6663c21c3a9d25d32f1c079 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 19 Dec 2019 12:02:03 +0000 +Subject: [PATCH] chardev: Avoid potential use-after-free in 'chrdev_open()' +Git-commit: 68faa679b8be1a74e6663c21c3a9d25d32f1c079 +Patch-mainline: v5.5-rc6 +References: bsc#1163849 + +'chrdev_open()' calls 'cdev_get()' to obtain a reference to the +'struct cdev *' stashed in the 'i_cdev' field of the target inode +structure. If the pointer is NULL, then it is initialised lazily by +looking up the kobject in the 'cdev_map' and so the whole procedure is +protected by the 'cdev_lock' spinlock to serialise initialisation of +the shared pointer. + +Unfortunately, it is possible for the initialising thread to fail *after* +installing the new pointer, for example if the subsequent '->open()' call +on the file fails. In this case, 'cdev_put()' is called, the reference +count on the kobject is dropped and, if nobody else has taken a reference, +the release function is called which finally clears 'inode->i_cdev' from +'cdev_purge()' before potentially freeing the object. The problem here +is that a racing thread can happily take the 'cdev_lock' and see the +non-NULL pointer in the inode, which can result in a refcount increment +from zero and a warning: + + | ------------[ cut here ]------------ + | refcount_t: addition on 0; use-after-free. + | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0 + | Modules linked in: + | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22 + | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 + | RIP: 0010:refcount_warn_saturate+0x6d/0xf0 + | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08 + | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282 + | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000 + | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798 + | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039 + | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700 + | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700 + | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000 + | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0 + | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + | Call Trace: + | kobject_get+0x5c/0x60 + | cdev_get+0x2b/0x60 + | chrdev_open+0x55/0x220 + | ? cdev_put.part.3+0x20/0x20 + | do_dentry_open+0x13a/0x390 + | path_openat+0x2c8/0x1470 + | do_filp_open+0x93/0x100 + | ? selinux_file_ioctl+0x17f/0x220 + | do_sys_open+0x186/0x220 + | do_syscall_64+0x48/0x150 + | entry_SYSCALL_64_after_hwframe+0x44/0xa9 + | RIP: 0033:0x7f3b87efcd0e + | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4 + | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 + | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e + | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c + | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000 + | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e + | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000 + | ---[ end trace 24f53ca58db8180a ]--- + +Since 'cdev_get()' can already fail to obtain a reference, simply move +it over to use 'kobject_get_unless_zero()' instead of 'kobject_get()', +which will cause the racing thread to return -ENXIO if the initialising +thread fails unexpectedly. + +Cc: Hillf Danton +Cc: Andrew Morton +Cc: Al Viro +Reported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com +Signed-off-by: Will Deacon +Cc: stable +Link: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Jan Kara + +--- + fs/char_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/char_dev.c b/fs/char_dev.c +index 00dfe17871ac..c5e6eff5a381 100644 +--- a/fs/char_dev.c ++++ b/fs/char_dev.c +@@ -352,7 +352,7 @@ static struct kobject *cdev_get(struct cdev *p) + + if (owner && !try_module_get(owner)) + return NULL; +- kobj = kobject_get(&p->kobj); ++ kobj = kobject_get_unless_zero(&p->kobj); + if (!kobj) + module_put(owner); + return kobj; +-- +2.16.4 + diff --git a/patches.suse/cifs-fix-mount-option-display-for-sec-krb5i.patch b/patches.suse/cifs-fix-mount-option-display-for-sec-krb5i.patch new file mode 100644 index 0000000..9401bf7 --- /dev/null +++ b/patches.suse/cifs-fix-mount-option-display-for-sec-krb5i.patch @@ -0,0 +1,46 @@ +From 3f6166aaf19902f2f3124b5426405e292e8974dd Mon Sep 17 00:00:00 2001 +From: Petr Pavlu +Date: Mon, 10 Feb 2020 10:38:14 +0100 +Subject: [PATCH] cifs: fix mount option display for sec=krb5i +Git-commit: 3f6166aaf19902f2f3124b5426405e292e8974dd +Patch-mainline: 5.6-rc2 +References: bsc#1161907 + +Fix display for sec=krb5i which was wrongly interleaved by cruid, +resulting in string "sec=krb5,cruid=<...>i" instead of +"sec=krb5i,cruid=<...>". + +Fixes: 96281b9e46eb ("smb3: for kerberos mounts display the credential uid used") +Signed-off-by: Petr Pavlu +Signed-off-by: Steve French +--- + fs/cifs/cifsfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c +index febab27cd838..46ebaf3f0824 100644 +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -414,7 +414,7 @@ cifs_show_security(struct seq_file *s, struct cifs_ses *ses) + seq_puts(s, "ntlm"); + break; + case Kerberos: +- seq_printf(s, "krb5,cruid=%u", from_kuid_munged(&init_user_ns,ses->cred_uid)); ++ seq_puts(s, "krb5"); + break; + case RawNTLMSSP: + seq_puts(s, "ntlmssp"); +@@ -427,6 +427,10 @@ cifs_show_security(struct seq_file *s, struct cifs_ses *ses) + + if (ses->sign) + seq_puts(s, "i"); ++ ++ if (ses->sectype == Kerberos) ++ seq_printf(s, ",cruid=%u", ++ from_kuid_munged(&init_user_ns, ses->cred_uid)); + } + + static void +-- +2.16.4 + diff --git a/patches.suse/clk-Don-t-try-to-enable-critical-clocks-if-prepare-f.patch b/patches.suse/clk-Don-t-try-to-enable-critical-clocks-if-prepare-f.patch new file mode 100644 index 0000000..06bebba --- /dev/null +++ b/patches.suse/clk-Don-t-try-to-enable-critical-clocks-if-prepare-f.patch @@ -0,0 +1,65 @@ +From 12ead77432f2ce32dea797742316d15c5800cb32 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 25 Dec 2019 08:34:29 -0800 +Subject: [PATCH] clk: Don't try to enable critical clocks if prepare failed +Git-commit: 12ead77432f2ce32dea797742316d15c5800cb32 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +The following traceback is seen if a critical clock fails to prepare. + +bcm2835-clk 3f101000.cprman: plld: couldn't lock PLL + +Acked-by: Takashi Iwai + +------------[ cut here ]------------ +Enabling unprepared plld_per +WARNING: CPU: 1 PID: 1 at drivers/clk/clk.c:1014 clk_core_enable+0xcc/0x2c0 +... +Call trace: + clk_core_enable+0xcc/0x2c0 + __clk_register+0x5c4/0x788 + devm_clk_hw_register+0x4c/0xb0 + bcm2835_register_pll_divider+0xc0/0x150 + bcm2835_clk_probe+0x134/0x1e8 + platform_drv_probe+0x50/0xa0 + really_probe+0xd4/0x308 + driver_probe_device+0x54/0xe8 + device_driver_attach+0x6c/0x78 + __driver_attach+0x54/0xd8 +... + +Check return values from clk_core_prepare() and clk_core_enable() and +bail out if any of those functions returns an error. + +Cc: Jerome Brunet +Fixes: 99652a469df1 ("clk: migrate the count of orphaned clocks at init") +Signed-off-by: Guenter Roeck +Link: https://lkml.kernel.org/r/20191225163429.29694-1-linux@roeck-us.net +Signed-off-by: Stephen Boyd +--- + drivers/clk/clk.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -2511,11 +2511,17 @@ static int __clk_core_init(struct clk_co + if (core->flags & CLK_IS_CRITICAL) { + unsigned long flags; + +- clk_core_prepare(core); ++ ret = clk_core_prepare(core); ++ if (ret) ++ goto out; + + flags = clk_enable_lock(); +- clk_core_enable(core); ++ ret = clk_core_enable(core); + clk_enable_unlock(flags); ++ if (ret) { ++ clk_core_unprepare(core); ++ goto out; ++ } + } + + /* diff --git a/patches.suse/clk-mmp2-Fix-the-order-of-timer-mux-parents.patch b/patches.suse/clk-mmp2-Fix-the-order-of-timer-mux-parents.patch new file mode 100644 index 0000000..ac7cca8 --- /dev/null +++ b/patches.suse/clk-mmp2-Fix-the-order-of-timer-mux-parents.patch @@ -0,0 +1,41 @@ +From 8bea5ac0fbc5b2103f8779ddff216122e3c2e1ad Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Wed, 18 Dec 2019 20:04:54 +0100 +Subject: [PATCH] clk: mmp2: Fix the order of timer mux parents +Git-commit: 8bea5ac0fbc5b2103f8779ddff216122e3c2e1ad +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +Determined empirically, no documentation is available. + +The OLPC XO-1.75 laptop used parent 1, that one being VCTCXO/4 (65MHz), but +thought it's a VCTCXO/2 (130MHz). The mmp2 timer driver, not knowing +what is going on, ended up just dividing the rate as of +commit f36797ee4380 ("ARM: mmp/mmp2: dt: enable the clock")' + +Link: https://lore.kernel.org/r/20191218190454.420358-3-lkundrak@v3.sk +Signed-off-by: Lubomir Rintel +Acked-by: Stephen Boyd +Signed-off-by: Olof Johansson +Acked-by: Takashi Iwai + +--- + drivers/clk/mmp/clk-of-mmp2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/mmp/clk-of-mmp2.c b/drivers/clk/mmp/clk-of-mmp2.c +index a60a1be937ad..b4a95cbbda98 100644 +--- a/drivers/clk/mmp/clk-of-mmp2.c ++++ b/drivers/clk/mmp/clk-of-mmp2.c +@@ -134,7 +134,7 @@ static DEFINE_SPINLOCK(ssp3_lock); + static const char *ssp_parent_names[] = {"vctcxo_4", "vctcxo_2", "vctcxo", "pll1_16"}; + + static DEFINE_SPINLOCK(timer_lock); +-static const char *timer_parent_names[] = {"clk32", "vctcxo_2", "vctcxo_4", "vctcxo"}; ++static const char *timer_parent_names[] = {"clk32", "vctcxo_4", "vctcxo_2", "vctcxo"}; + + static DEFINE_SPINLOCK(reset_lock); + +-- +2.16.4 + diff --git a/patches.suse/clk-qcom-rcg2-Don-t-crash-if-our-parent-can-t-be-fou.patch b/patches.suse/clk-qcom-rcg2-Don-t-crash-if-our-parent-can-t-be-fou.patch new file mode 100644 index 0000000..1d12cad --- /dev/null +++ b/patches.suse/clk-qcom-rcg2-Don-t-crash-if-our-parent-can-t-be-fou.patch @@ -0,0 +1,70 @@ +From 908b050114d8fefdddc57ec9fbc213c3690e7f5f Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Mon, 3 Feb 2020 10:31:34 -0800 +Subject: [PATCH] clk: qcom: rcg2: Don't crash if our parent can't be found; return an error +Git-commit: 908b050114d8fefdddc57ec9fbc213c3690e7f5f +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +When I got my clock parenting slightly wrong I ended up with a crash +that looked like this: + + Unable to handle kernel NULL pointer dereference at virtual + address 0000000000000000 + ... + pc : clk_hw_get_rate+0x14/0x44 + ... + Call trace: + clk_hw_get_rate+0x14/0x44 + _freq_tbl_determine_rate+0x94/0xfc + clk_rcg2_determine_rate+0x2c/0x38 + clk_core_determine_round_nolock+0x4c/0x88 + clk_core_round_rate_nolock+0x6c/0xa8 + clk_core_round_rate_nolock+0x9c/0xa8 + clk_core_set_rate_nolock+0x70/0x180 + clk_set_rate+0x3c/0x6c + of_clk_set_defaults+0x254/0x360 + platform_drv_probe+0x28/0xb0 + really_probe+0x120/0x2dc + driver_probe_device+0x64/0xfc + device_driver_attach+0x4c/0x6c + __driver_attach+0xac/0xc0 + bus_for_each_dev+0x84/0xcc + driver_attach+0x2c/0x38 + bus_add_driver+0xfc/0x1d0 + driver_register+0x64/0xf8 + __platform_driver_register+0x4c/0x58 + msm_drm_register+0x5c/0x60 + ... + +It turned out that clk_hw_get_parent_by_index() was returning NULL and +we weren't checking. Let's check it so that we don't crash. + +Fixes: ac269395cdd8 ("clk: qcom: Convert to clk_hw based provider APIs") +Signed-off-by: Douglas Anderson +Reviewed-by: Matthias Kaehlcke +Link: https://lkml.kernel.org/r/20200203103049.v4.1.I7487325fe8e701a68a07d3be8a6a4b571eca9cfa@changeid +Signed-off-by: Stephen Boyd +Acked-by: Takashi Iwai + +--- + drivers/clk/qcom/clk-rcg2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c +index 973ecf4f6bc5..357159fe85b5 100644 +--- a/drivers/clk/qcom/clk-rcg2.c ++++ b/drivers/clk/qcom/clk-rcg2.c +@@ -218,6 +218,9 @@ static int _freq_tbl_determine_rate(struct clk_hw *hw, const struct freq_tbl *f, + + clk_flags = clk_hw_get_flags(hw); + p = clk_hw_get_parent_by_index(hw, index); ++ if (!p) ++ return -EINVAL; ++ + if (clk_flags & CLK_SET_RATE_PARENT) { + rate = f->freq; + if (f->pre_div) { +-- +2.16.4 + diff --git a/patches.suse/clk-sunxi-ng-add-mux-and-pll-notifiers-for-A64-CPU-c.patch b/patches.suse/clk-sunxi-ng-add-mux-and-pll-notifiers-for-A64-CPU-c.patch new file mode 100644 index 0000000..43afa90 --- /dev/null +++ b/patches.suse/clk-sunxi-ng-add-mux-and-pll-notifiers-for-A64-CPU-c.patch @@ -0,0 +1,79 @@ +From ec97faff743b398e21f74a54c81333f3390093aa Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Fri, 3 Jan 2020 22:35:03 -0800 +Subject: [PATCH] clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock +Git-commit: ec97faff743b398e21f74a54c81333f3390093aa +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +The A64 PLL_CPU clock has the same instability if some factor changed +without the PLL gated like other SoCs with sun6i-style CCU, e.g. A33, +H3. + +Add the mux and pll notifiers for A64 CPU clock to workaround the +problem. + +Fixes: c6a0637460c2 ("clk: sunxi-ng: Add A64 clocks") +Signed-off-by: Icenowy Zheng +Signed-off-by: Vasily Khoruzhick +Signed-off-by: Maxime Ripard +Acked-by: Takashi Iwai + +--- + drivers/clk/sunxi-ng/ccu-sun50i-a64.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun50i-a64.c b/drivers/clk/sunxi-ng/ccu-sun50i-a64.c +index 49bd7a4c015c..5f66bf879772 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun50i-a64.c ++++ b/drivers/clk/sunxi-ng/ccu-sun50i-a64.c +@@ -921,11 +921,26 @@ static const struct sunxi_ccu_desc sun50i_a64_ccu_desc = { + .num_resets = ARRAY_SIZE(sun50i_a64_ccu_resets), + }; + ++static struct ccu_pll_nb sun50i_a64_pll_cpu_nb = { ++ .common = &pll_cpux_clk.common, ++ /* copy from pll_cpux_clk */ ++ .enable = BIT(31), ++ .lock = BIT(28), ++}; ++ ++static struct ccu_mux_nb sun50i_a64_cpu_nb = { ++ .common = &cpux_clk.common, ++ .cm = &cpux_clk.mux, ++ .delay_us = 1, /* > 8 clock cycles at 24 MHz */ ++ .bypass_index = 1, /* index of 24 MHz oscillator */ ++}; ++ + static int sun50i_a64_ccu_probe(struct platform_device *pdev) + { + struct resource *res; + void __iomem *reg; + u32 val; ++ int ret; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + reg = devm_ioremap_resource(&pdev->dev, res); +@@ -939,7 +954,18 @@ static int sun50i_a64_ccu_probe(struct platform_device *pdev) + + writel(0x515, reg + SUN50I_A64_PLL_MIPI_REG); + +- return sunxi_ccu_probe(pdev->dev.of_node, reg, &sun50i_a64_ccu_desc); ++ ret = sunxi_ccu_probe(pdev->dev.of_node, reg, &sun50i_a64_ccu_desc); ++ if (ret) ++ return ret; ++ ++ /* Gate then ungate PLL CPU after any rate changes */ ++ ccu_pll_notifier_register(&sun50i_a64_pll_cpu_nb); ++ ++ /* Reparent CPU during PLL CPU rate changes */ ++ ccu_mux_notifier_register(pll_cpux_clk.common.hw.clk, ++ &sun50i_a64_cpu_nb); ++ ++ return 0; + } + + static const struct of_device_id sun50i_a64_ccu_ids[] = { +-- +2.16.4 + diff --git a/patches.suse/clk-sunxi-sun9i-mmc-Implement-reset-callback-for-res.patch b/patches.suse/clk-sunxi-sun9i-mmc-Implement-reset-callback-for-res.patch new file mode 100644 index 0000000..2f58ab2 --- /dev/null +++ b/patches.suse/clk-sunxi-sun9i-mmc-Implement-reset-callback-for-res.patch @@ -0,0 +1,65 @@ +From 61d2f2a05765a5f57149efbd93e3e81a83cbc2c1 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Mon, 18 Dec 2017 11:57:51 +0800 +Subject: [PATCH] clk: sunxi: sun9i-mmc: Implement reset callback for reset controls +Git-commit: 61d2f2a05765a5f57149efbd93e3e81a83cbc2c1 +Patch-mainline: v4.15-rc5 +References: bsc#1051510 + +Our MMC host driver now issues a reset, instead of just deasserting +the reset control, since commit c34eda69ad4c ("mmc: sunxi: Reset the +device at probe time"). The sun9i-mmc clock driver does not support +this, and will fail, which results in MMC not probing. + +This patch implements the reset callback by asserting the reset control, +then deasserting it after a small delay. + +Fixes: 7a6fca879f59 ("clk: sunxi: Add driver for A80 MMC config clocks/resets") +Cc: # 4.14.x +Signed-off-by: Chen-Yu Tsai +Acked-by: Philipp Zabel +Acked-by: Maxime Ripard +Signed-off-by: Michael Turquette +Link: lkml.kernel.org/r/20171218035751.20661-1-wens@csie.org +Acked-by: Takashi Iwai + +--- + drivers/clk/sunxi/clk-sun9i-mmc.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/clk/sunxi/clk-sun9i-mmc.c b/drivers/clk/sunxi/clk-sun9i-mmc.c +index a1a634253d6f..f00d8758ba24 100644 +--- a/drivers/clk/sunxi/clk-sun9i-mmc.c ++++ b/drivers/clk/sunxi/clk-sun9i-mmc.c +@@ -16,6 +16,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -83,9 +84,20 @@ static int sun9i_mmc_reset_deassert(struct reset_controller_dev *rcdev, + return 0; + } + ++static int sun9i_mmc_reset_reset(struct reset_controller_dev *rcdev, ++ unsigned long id) ++{ ++ sun9i_mmc_reset_assert(rcdev, id); ++ udelay(10); ++ sun9i_mmc_reset_deassert(rcdev, id); ++ ++ return 0; ++} ++ + static const struct reset_control_ops sun9i_mmc_reset_ops = { + .assert = sun9i_mmc_reset_assert, + .deassert = sun9i_mmc_reset_deassert, ++ .reset = sun9i_mmc_reset_reset, + }; + + static int sun9i_a80_mmc_config_clk_probe(struct platform_device *pdev) +-- +2.16.4 + diff --git a/patches.suse/clk-tegra-Mark-fuse-clock-as-critical.patch b/patches.suse/clk-tegra-Mark-fuse-clock-as-critical.patch new file mode 100644 index 0000000..a4a383a --- /dev/null +++ b/patches.suse/clk-tegra-Mark-fuse-clock-as-critical.patch @@ -0,0 +1,43 @@ +From bf83b96f87ae2abb1e535306ea53608e8de5dfbb Mon Sep 17 00:00:00 2001 +From: Stephen Warren +Date: Thu, 3 Oct 2019 14:50:30 -0600 +Subject: [PATCH] clk: tegra: Mark fuse clock as critical +Git-commit: bf83b96f87ae2abb1e535306ea53608e8de5dfbb +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +For a little over a year, U-Boot on Tegra124 has configured the flow +controller to perform automatic RAM re-repair on off->on power +transitions of the CPU rail[1]. This is mandatory for correct operation +of Tegra124. However, RAM re-repair relies on certain clocks, which the +kernel must enable and leave running. The fuse clock is one of those +clocks. Mark this clock as critical so that LP1 power mode (system +suspend) operates correctly. + +[1] 3cc7942a4ae5 ARM: tegra: implement RAM repair + +Reported-by: Jonathan Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Stephen Warren +Signed-off-by: Thierry Reding +Acked-by: Takashi Iwai + +--- + drivers/clk/tegra/clk-tegra-periph.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/clk/tegra/clk-tegra-periph.c ++++ b/drivers/clk/tegra/clk-tegra-periph.c +@@ -824,7 +824,11 @@ static struct tegra_periph_init_data gat + GATE("vcp", "clk_m", 29, 0, tegra_clk_vcp, 0), + GATE("apbdma", "clk_m", 34, 0, tegra_clk_apbdma, 0), + GATE("kbc", "clk_32k", 36, TEGRA_PERIPH_ON_APB | TEGRA_PERIPH_NO_RESET, tegra_clk_kbc, 0), +- GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, 0), ++ /* ++ * Critical for RAM re-repair operation, which must occur on resume ++ * from LP1 system suspend and as part of CCPLEX cluster switching. ++ */ ++ GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, CLK_IS_CRITICAL), + GATE("fuse_burn", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse_burn, 0), + GATE("kfuse", "clk_m", 40, TEGRA_PERIPH_ON_APB, tegra_clk_kfuse, 0), + GATE("apbif", "clk_m", 107, TEGRA_PERIPH_ON_APB, tegra_clk_apbif, 0), diff --git a/patches.suse/clocksource-Prevent-double-add_timer_on-for-watchdog.patch b/patches.suse/clocksource-Prevent-double-add_timer_on-for-watchdog.patch new file mode 100644 index 0000000..04929b5 --- /dev/null +++ b/patches.suse/clocksource-Prevent-double-add_timer_on-for-watchdog.patch @@ -0,0 +1,100 @@ +From febac332a819f0e764aa4da62757ba21d18c182b Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Fri, 31 Jan 2020 19:08:59 +0300 +Subject: [PATCH] clocksource: Prevent double add_timer_on() for watchdog_timer +Git-commit: febac332a819f0e764aa4da62757ba21d18c182b +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Kernel crashes inside QEMU/KVM are observed: + + kernel BUG at kernel/time/timer.c:1154! + BUG_ON(timer_pending(timer) || !timer->function) in add_timer_on(). + +At the same time another cpu got: + + general protection fault: 0000 [#1] SMP PTI of poinson pointer 0xdead000000000200 in: + + __hlist_del at include/linux/list.h:681 + (inlined by) detach_timer at kernel/time/timer.c:818 + (inlined by) expire_timers at kernel/time/timer.c:1355 + (inlined by) __run_timers at kernel/time/timer.c:1686 + (inlined by) run_timer_softirq at kernel/time/timer.c:1699 + +Unfortunately kernel logs are badly scrambled, stacktraces are lost. + +Printing the timer->function before the BUG_ON() pointed to +clocksource_watchdog(). + +The execution of clocksource_watchdog() can race with a sequence of +clocksource_stop_watchdog() .. clocksource_start_watchdog(): + +expire_timers() + detach_timer(timer, true); + timer->entry.pprev = NULL; + raw_spin_unlock_irq(&base->lock); + call_timer_fn + clocksource_watchdog() + + clocksource_watchdog_kthread() or + clocksource_unbind() + + spin_lock_irqsave(&watchdog_lock, flags); + clocksource_stop_watchdog(); + del_timer(&watchdog_timer); + watchdog_running = 0; + spin_unlock_irqrestore(&watchdog_lock, flags); + + spin_lock_irqsave(&watchdog_lock, flags); + clocksource_start_watchdog(); + add_timer_on(&watchdog_timer, ...); + watchdog_running = 1; + spin_unlock_irqrestore(&watchdog_lock, flags); + + spin_lock(&watchdog_lock); + add_timer_on(&watchdog_timer, ...); + BUG_ON(timer_pending(timer) || !timer->function); + timer_pending() -> true + BUG() + +I.e. inside clocksource_watchdog() watchdog_timer could be already armed. + +Check timer_pending() before calling add_timer_on(). This is sufficient as +all operations are synchronized by watchdog_lock. + +Fixes: 75c5158f70c0 ("timekeeping: Update clocksource with stop_machine") +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/158048693917.4378.13823603769948933793.stgit@buzz +Acked-by: Takashi Iwai + +--- + kernel/time/clocksource.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c +index fff5f64981c6..428beb69426a 100644 +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -293,8 +293,15 @@ static void clocksource_watchdog(struct timer_list *unused) + next_cpu = cpumask_next(raw_smp_processor_id(), cpu_online_mask); + if (next_cpu >= nr_cpu_ids) + next_cpu = cpumask_first(cpu_online_mask); +- watchdog_timer.expires += WATCHDOG_INTERVAL; +- add_timer_on(&watchdog_timer, next_cpu); ++ ++ /* ++ * Arm timer if not already pending: could race with concurrent ++ * pair clocksource_stop_watchdog() clocksource_start_watchdog(). ++ */ ++ if (!timer_pending(&watchdog_timer)) { ++ watchdog_timer.expires += WATCHDOG_INTERVAL; ++ add_timer_on(&watchdog_timer, next_cpu); ++ } + out: + spin_unlock(&watchdog_lock); + } +-- +2.16.4 + diff --git a/patches.suse/clocksource-drivers-bcm2835_timer-Fix-memory-leak-of.patch b/patches.suse/clocksource-drivers-bcm2835_timer-Fix-memory-leak-of.patch new file mode 100644 index 0000000..0cc2fd1 --- /dev/null +++ b/patches.suse/clocksource-drivers-bcm2835_timer-Fix-memory-leak-of.patch @@ -0,0 +1,51 @@ +From 2052d032c06761330bca4944bb7858b00960e868 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 19 Dec 2019 21:32:46 +0000 +Subject: [PATCH] clocksource/drivers/bcm2835_timer: Fix memory leak of timer +Git-commit: 2052d032c06761330bca4944bb7858b00960e868 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Currently when setup_irq fails the error exit path will leak the +recently allocated timer structure. Originally the code would +throw a panic but a later commit changed the behaviour to return +via the err_iounmap path and hence we now have a memory leak. Fix +this by adding a err_timer_free error path that kfree's timer. + +Addresses-coverity: ("Resource Leak") +Fixes: 524a7f08983d ("clocksource/drivers/bcm2835_timer: Convert init function to return error") +Signed-off-by: Colin Ian King +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20191219213246.34437-1-colin.king@canonical.com +Acked-by: Takashi Iwai + +--- + drivers/clocksource/bcm2835_timer.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/clocksource/bcm2835_timer.c b/drivers/clocksource/bcm2835_timer.c +index 2b196cbfadb6..b235f446ee50 100644 +--- a/drivers/clocksource/bcm2835_timer.c ++++ b/drivers/clocksource/bcm2835_timer.c +@@ -121,7 +121,7 @@ static int __init bcm2835_timer_init(struct device_node *node) + ret = setup_irq(irq, &timer->act); + if (ret) { + pr_err("Can't set up timer IRQ\n"); +- goto err_iounmap; ++ goto err_timer_free; + } + + clockevents_config_and_register(&timer->evt, freq, 0xf, 0xffffffff); +@@ -130,6 +130,9 @@ static int __init bcm2835_timer_init(struct device_node *node) + + return 0; + ++err_timer_free: ++ kfree(timer); ++ + err_iounmap: + iounmap(base); + return ret; +-- +2.16.4 + diff --git a/patches.suse/crypto-af_alg-Use-bh_lock_sock-in-sk_destruct.patch b/patches.suse/crypto-af_alg-Use-bh_lock_sock-in-sk_destruct.patch new file mode 100644 index 0000000..71d6509 --- /dev/null +++ b/patches.suse/crypto-af_alg-Use-bh_lock_sock-in-sk_destruct.patch @@ -0,0 +1,47 @@ +From 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Thu, 5 Dec 2019 13:45:05 +0800 +Subject: [PATCH] crypto: af_alg - Use bh_lock_sock in sk_destruct +Git-commit: 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +As af_alg_release_parent may be called from BH context (most notably +due to an async request that only completes after socket closure, +or as reported here because of an RCU-delayed sk_destruct call), we +must use bh_lock_sock instead of lock_sock. + +Reported-by: syzbot+c2f1558d49e25cc36e5e@syzkaller.appspotmail.com +Reported-by: Eric Dumazet +Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...") +Cc: +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + crypto/af_alg.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 0dceaabc6321..3d8e53010cda 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -134,11 +134,13 @@ void af_alg_release_parent(struct sock *sk) + sk = ask->parent; + ask = alg_sk(sk); + +- lock_sock(sk); ++ local_bh_disable(); ++ bh_lock_sock(sk); + ask->nokey_refcnt -= nokey; + if (!last) + last = !--ask->refcnt; +- release_sock(sk); ++ bh_unlock_sock(sk); ++ local_bh_enable(); + + if (last) + sock_put(sk); +-- +2.16.4 + diff --git a/patches.suse/crypto-api-Check-spawn-alg-under-lock-in-crypto_drop.patch b/patches.suse/crypto-api-Check-spawn-alg-under-lock-in-crypto_drop.patch new file mode 100644 index 0000000..db565ee --- /dev/null +++ b/patches.suse/crypto-api-Check-spawn-alg-under-lock-in-crypto_drop.patch @@ -0,0 +1,43 @@ +From 7db3b61b6bba4310f454588c2ca6faf2958ad79f Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 6 Dec 2019 13:55:17 +0800 +Subject: [PATCH] crypto: api - Check spawn->alg under lock in crypto_drop_spawn +Git-commit: 7db3b61b6bba4310f454588c2ca6faf2958ad79f +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +We need to check whether spawn->alg is NULL under lock as otherwise +the algorithm could be removed from under us after we have checked +it and found it to be non-NULL. This could cause us to remove the +spawn from a non-existent list. + +Fixes: 7ede5a5ba55a ("crypto: api - Fix crypto_drop_spawn crash...") +Cc: +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + crypto/algapi.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/crypto/algapi.c b/crypto/algapi.c +index b052f38edba6..9ecb4a57b342 100644 +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -669,11 +669,9 @@ EXPORT_SYMBOL_GPL(crypto_grab_spawn); + + void crypto_drop_spawn(struct crypto_spawn *spawn) + { +- if (!spawn->alg) +- return; +- + down_write(&crypto_alg_sem); +- list_del(&spawn->list); ++ if (spawn->alg) ++ list_del(&spawn->list); + up_write(&crypto_alg_sem); + } + EXPORT_SYMBOL_GPL(crypto_drop_spawn); +-- +2.16.4 + diff --git a/patches.suse/crypto-api-Fix-race-condition-in-crypto_spawn_alg.patch b/patches.suse/crypto-api-Fix-race-condition-in-crypto_spawn_alg.patch new file mode 100644 index 0000000..e9b4d15 --- /dev/null +++ b/patches.suse/crypto-api-Fix-race-condition-in-crypto_spawn_alg.patch @@ -0,0 +1,90 @@ +From 73669cc556462f4e50376538d77ee312142e8a8a Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Sat, 7 Dec 2019 22:15:15 +0800 +Subject: [PATCH] crypto: api - Fix race condition in crypto_spawn_alg +Git-commit: 73669cc556462f4e50376538d77ee312142e8a8a +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +The function crypto_spawn_alg is racy because it drops the lock +before shooting the dying algorithm. The algorithm could disappear +altogether before we shoot it. + +This patch fixes it by moving the shooting into the locked section. + +Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns") +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + crypto/algapi.c | 16 +++++----------- + crypto/api.c | 3 +-- + crypto/internal.h | 1 - + 3 files changed, 6 insertions(+), 14 deletions(-) + +diff --git a/crypto/algapi.c b/crypto/algapi.c +index 9ecb4a57b342..54e844ad9364 100644 +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -679,22 +679,16 @@ EXPORT_SYMBOL_GPL(crypto_drop_spawn); + static struct crypto_alg *crypto_spawn_alg(struct crypto_spawn *spawn) + { + struct crypto_alg *alg; +- struct crypto_alg *alg2; + + down_read(&crypto_alg_sem); + alg = spawn->alg; +- alg2 = alg; +- if (alg2) +- alg2 = crypto_mod_get(alg2); +- up_read(&crypto_alg_sem); +- +- if (!alg2) { +- if (alg) +- crypto_shoot_alg(alg); +- return ERR_PTR(-EAGAIN); ++ if (alg && !crypto_mod_get(alg)) { ++ alg->cra_flags |= CRYPTO_ALG_DYING; ++ alg = NULL; + } ++ up_read(&crypto_alg_sem); + +- return alg; ++ return alg ?: ERR_PTR(-EAGAIN); + } + + struct crypto_tfm *crypto_spawn_tfm(struct crypto_spawn *spawn, u32 type, +diff --git a/crypto/api.c b/crypto/api.c +index ef96142ceca7..676d54ffada8 100644 +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -331,13 +331,12 @@ static unsigned int crypto_ctxsize(struct crypto_alg *alg, u32 type, u32 mask) + return len; + } + +-void crypto_shoot_alg(struct crypto_alg *alg) ++static void crypto_shoot_alg(struct crypto_alg *alg) + { + down_write(&crypto_alg_sem); + alg->cra_flags |= CRYPTO_ALG_DYING; + up_write(&crypto_alg_sem); + } +-EXPORT_SYMBOL_GPL(crypto_shoot_alg); + + struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type, + u32 mask) +diff --git a/crypto/internal.h b/crypto/internal.h +index ff06a3bd1ca1..d5ebc60c5143 100644 +--- a/crypto/internal.h ++++ b/crypto/internal.h +@@ -65,7 +65,6 @@ void crypto_alg_tested(const char *name, int err); + void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list, + struct crypto_alg *nalg); + void crypto_remove_final(struct list_head *list); +-void crypto_shoot_alg(struct crypto_alg *alg); + struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type, + u32 mask); + void *crypto_create_tfm(struct crypto_alg *alg, +-- +2.16.4 + diff --git a/patches.suse/crypto-atmel-sha-fix-error-handling-when-setting-hma.patch b/patches.suse/crypto-atmel-sha-fix-error-handling-when-setting-hma.patch new file mode 100644 index 0000000..7cd6a28 --- /dev/null +++ b/patches.suse/crypto-atmel-sha-fix-error-handling-when-setting-hma.patch @@ -0,0 +1,47 @@ +From b529f1983b2dcc46354f311feda92e07b6e9e2da Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 30 Dec 2019 21:19:33 -0600 +Subject: [PATCH] crypto: atmel-sha - fix error handling when setting hmac key +Git-commit: b529f1983b2dcc46354f311feda92e07b6e9e2da +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +HMAC keys can be of any length, and atmel_sha_hmac_key_set() can only +fail due to -ENOMEM. But atmel_sha_hmac_setkey() incorrectly treated +any error as a "bad key length" error. Fix it to correctly propagate +the -ENOMEM error code and not set any tfm result flags. + +Fixes: 81d8750b2b59 ("crypto: atmel-sha - add support to hmac(shaX)") +Cc: Nicolas Ferre +Cc: Alexandre Belloni +Cc: Ludovic Desroches +Signed-off-by: Eric Biggers +Reviewed-by: Tudor Ambarus +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/atmel-sha.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/crypto/atmel-sha.c b/drivers/crypto/atmel-sha.c +index e8e4200c1ab3..d3bcd14201c2 100644 +--- a/drivers/crypto/atmel-sha.c ++++ b/drivers/crypto/atmel-sha.c +@@ -1853,12 +1853,7 @@ static int atmel_sha_hmac_setkey(struct crypto_ahash *tfm, const u8 *key, + { + struct atmel_sha_hmac_ctx *hmac = crypto_ahash_ctx(tfm); + +- if (atmel_sha_hmac_key_set(&hmac->hkey, key, keylen)) { +- crypto_ahash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); +- return -EINVAL; +- } +- +- return 0; ++ return atmel_sha_hmac_key_set(&hmac->hkey, key, keylen); + } + + static int atmel_sha_hmac_init(struct ahash_request *req) +-- +2.16.4 + diff --git a/patches.suse/crypto-caam-qi2-fix-typo-in-algorithm-s-driver-name.patch b/patches.suse/crypto-caam-qi2-fix-typo-in-algorithm-s-driver-name.patch new file mode 100644 index 0000000..7f10ba7 --- /dev/null +++ b/patches.suse/crypto-caam-qi2-fix-typo-in-algorithm-s-driver-name.patch @@ -0,0 +1,36 @@ +From 53146d152510584c2034c62778a7cbca25743ce9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Mon, 13 Jan 2020 10:54:35 +0200 +Subject: [PATCH] crypto: caam/qi2 - fix typo in algorithm's driver name +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 53146d152510584c2034c62778a7cbca25743ce9 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Fixes: 8d818c105501 ("crypto: caam/qi2 - add DPAA2-CAAM driver") +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/caam/caamalg_qi2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/caam/caamalg_qi2.c b/drivers/crypto/caam/caamalg_qi2.c +index fe2a628e8905..28669cbecf77 100644 +--- a/drivers/crypto/caam/caamalg_qi2.c ++++ b/drivers/crypto/caam/caamalg_qi2.c +@@ -2455,7 +2455,7 @@ static struct caam_aead_alg driver_aeads[] = { + .cra_name = "echainiv(authenc(hmac(sha256)," + "cbc(des)))", + .cra_driver_name = "echainiv-authenc-" +- "hmac-sha256-cbc-desi-" ++ "hmac-sha256-cbc-des-" + "caam-qi2", + .cra_blocksize = DES_BLOCK_SIZE, + }, +-- +2.16.4 + diff --git a/patches.suse/crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch b/patches.suse/crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch new file mode 100644 index 0000000..573baa5 --- /dev/null +++ b/patches.suse/crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch @@ -0,0 +1,96 @@ +From bd56cea012fc2d6381e8cd3209510ce09f9de8c9 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 30 Dec 2019 21:19:31 -0600 +Subject: [PATCH] crypto: chelsio - fix writing tfm flags to wrong place +Git-commit: bd56cea012fc2d6381e8cd3209510ce09f9de8c9 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +The chelsio crypto driver is casting 'struct crypto_aead' directly to +'struct crypto_tfm', which is incorrect because the crypto_tfm isn't the +first field of 'struct crypto_aead'. Consequently, the calls to +crypto_tfm_set_flags() are modifying some other field in the struct. + +Also, the driver is setting CRYPTO_TFM_RES_BAD_KEY_LEN in +->setauthsize(), not just in ->setkey(). This is incorrect since this +flag is for bad key lengths, not for bad authentication tag lengths. + +Fix these bugs by removing the broken crypto_tfm_set_flags() calls from +->setauthsize() and by fixing them in ->setkey(). + +Fixes: 324429d74127 ("chcr: Support for Chelsio's Crypto Hardware") +Cc: # v4.9+ +Cc: Atul Gupta +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/chelsio/chcr_algo.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +diff --git a/drivers/crypto/chelsio/chcr_algo.c b/drivers/crypto/chelsio/chcr_algo.c +index 586dbc69d0cd..5b7dbe7cdb17 100644 +--- a/drivers/crypto/chelsio/chcr_algo.c ++++ b/drivers/crypto/chelsio/chcr_algo.c +@@ -3196,9 +3196,6 @@ static int chcr_gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize) + aeadctx->mayverify = VERIFY_SW; + break; + default: +- +- crypto_tfm_set_flags((struct crypto_tfm *) tfm, +- CRYPTO_TFM_RES_BAD_KEY_LEN); + return -EINVAL; + } + return crypto_aead_setauthsize(aeadctx->sw_cipher, authsize); +@@ -3223,8 +3220,6 @@ static int chcr_4106_4309_setauthsize(struct crypto_aead *tfm, + aeadctx->mayverify = VERIFY_HW; + break; + default: +- crypto_tfm_set_flags((struct crypto_tfm *)tfm, +- CRYPTO_TFM_RES_BAD_KEY_LEN); + return -EINVAL; + } + return crypto_aead_setauthsize(aeadctx->sw_cipher, authsize); +@@ -3265,8 +3260,6 @@ static int chcr_ccm_setauthsize(struct crypto_aead *tfm, + aeadctx->mayverify = VERIFY_HW; + break; + default: +- crypto_tfm_set_flags((struct crypto_tfm *)tfm, +- CRYPTO_TFM_RES_BAD_KEY_LEN); + return -EINVAL; + } + return crypto_aead_setauthsize(aeadctx->sw_cipher, authsize); +@@ -3291,8 +3284,7 @@ static int chcr_ccm_common_setkey(struct crypto_aead *aead, + ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256; + mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; + } else { +- crypto_tfm_set_flags((struct crypto_tfm *)aead, +- CRYPTO_TFM_RES_BAD_KEY_LEN); ++ crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN); + aeadctx->enckey_len = 0; + return -EINVAL; + } +@@ -3330,8 +3322,7 @@ static int chcr_aead_rfc4309_setkey(struct crypto_aead *aead, const u8 *key, + int error; + + if (keylen < 3) { +- crypto_tfm_set_flags((struct crypto_tfm *)aead, +- CRYPTO_TFM_RES_BAD_KEY_LEN); ++ crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN); + aeadctx->enckey_len = 0; + return -EINVAL; + } +@@ -3381,8 +3372,7 @@ static int chcr_gcm_setkey(struct crypto_aead *aead, const u8 *key, + } else if (keylen == AES_KEYSIZE_256) { + ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256; + } else { +- crypto_tfm_set_flags((struct crypto_tfm *)aead, +- CRYPTO_TFM_RES_BAD_KEY_LEN); ++ crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN); + pr_err("GCM: Invalid key length %d\n", keylen); + ret = -EINVAL; + goto out; +-- +2.16.4 + diff --git a/patches.suse/crypto-pcrypt-Do-not-clear-MAY_SLEEP-flag-in-origina.patch b/patches.suse/crypto-pcrypt-Do-not-clear-MAY_SLEEP-flag-in-origina.patch new file mode 100644 index 0000000..b8b9714 --- /dev/null +++ b/patches.suse/crypto-pcrypt-Do-not-clear-MAY_SLEEP-flag-in-origina.patch @@ -0,0 +1,36 @@ +From e8d998264bffade3cfe0536559f712ab9058d654 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 29 Nov 2019 16:40:24 +0800 +Subject: [PATCH] crypto: pcrypt - Do not clear MAY_SLEEP flag in original request +Git-commit: e8d998264bffade3cfe0536559f712ab9058d654 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +We should not be modifying the original request's MAY_SLEEP flag +upon completion. It makes no sense to do so anyway. + +Reported-by: Eric Biggers +Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...") +Signed-off-by: Herbert Xu +Tested-by: Eric Biggers +Acked-by: Takashi Iwai + +--- + crypto/pcrypt.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c +index 3e026e7a7e75..a4f3b3f342c8 100644 +--- a/crypto/pcrypt.c ++++ b/crypto/pcrypt.c +@@ -71,7 +71,6 @@ static void pcrypt_aead_done(struct crypto_async_request *areq, int err) + struct padata_priv *padata = pcrypt_request_padata(preq); + + padata->info = err; +- req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP; + + padata_do_serial(padata); + } +-- +2.16.4 + diff --git a/patches.suse/crypto-picoxcell-adjust-the-position-of-tasklet_init.patch b/patches.suse/crypto-picoxcell-adjust-the-position-of-tasklet_init.patch new file mode 100644 index 0000000..93b4a44 --- /dev/null +++ b/patches.suse/crypto-picoxcell-adjust-the-position-of-tasklet_init.patch @@ -0,0 +1,61 @@ +From 7f8c36fe9be46862c4f3c5302f769378028a34fa Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan +Date: Tue, 10 Dec 2019 00:21:44 +0800 +Subject: [PATCH] crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill +Git-commit: 7f8c36fe9be46862c4f3c5302f769378028a34fa +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Since tasklet is needed to be initialized before registering IRQ +handler, adjust the position of tasklet_init to fix the wrong order. + +Besides, to fix the missed tasklet_kill, this patch adds a helper +function and uses devm_add_action to kill the tasklet automatically. + +Fixes: ce92136843cb ("crypto: picoxcell - add support for the picoxcell crypto engines") +Signed-off-by: Chuhong Yuan +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/picoxcell_crypto.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/picoxcell_crypto.c ++++ b/drivers/crypto/picoxcell_crypto.c +@@ -1616,6 +1616,11 @@ static const struct of_device_id spacc_o + MODULE_DEVICE_TABLE(of, spacc_of_id_table); + #endif /* CONFIG_OF */ + ++static void spacc_tasklet_kill(void *data) ++{ ++ tasklet_kill(data); ++} ++ + static int spacc_probe(struct platform_device *pdev) + { + int i, err, ret = -EINVAL; +@@ -1659,6 +1664,14 @@ static int spacc_probe(struct platform_d + return -ENXIO; + } + ++ tasklet_init(&engine->complete, spacc_spacc_complete, ++ (unsigned long)engine); ++ ++ ret = devm_add_action(&pdev->dev, spacc_tasklet_kill, ++ &engine->complete); ++ if (ret) ++ return ret; ++ + if (devm_request_irq(&pdev->dev, irq->start, spacc_spacc_irq, 0, + engine->name, engine)) { + dev_err(engine->dev, "failed to request IRQ\n"); +@@ -1721,8 +1734,6 @@ static int spacc_probe(struct platform_d + INIT_LIST_HEAD(&engine->completed); + INIT_LIST_HEAD(&engine->in_progress); + engine->in_flight = 0; +- tasklet_init(&engine->complete, spacc_spacc_complete, +- (unsigned long)engine); + + platform_set_drvdata(pdev, engine); + diff --git a/patches.suse/dma-mapping-fix-return-type-of-dma_set_max_seg_size.patch b/patches.suse/dma-mapping-fix-return-type-of-dma_set_max_seg_size.patch new file mode 100644 index 0000000..30d839c --- /dev/null +++ b/patches.suse/dma-mapping-fix-return-type-of-dma_set_max_seg_size.patch @@ -0,0 +1,41 @@ +From c9d76d0655c06b8c1f944e46c4fd9e9cf4b331c0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niklas=20S=C3=B6derlund?= +Date: Wed, 29 Aug 2018 23:29:21 +0200 +Subject: [PATCH] dma-mapping: fix return type of dma_set_max_seg_size() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: c9d76d0655c06b8c1f944e46c4fd9e9cf4b331c0 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +The function dma_set_max_seg_size() can return either 0 on success or +-EIO on error. Change its return type from unsigned int to int to +capture this. + +Signed-off-by: Niklas Söderlund +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Christoph Hellwig +Acked-by: Takashi Iwai + +--- + include/linux/dma-mapping.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h +index 15bd41447025..0f81c713f6e9 100644 +--- a/include/linux/dma-mapping.h ++++ b/include/linux/dma-mapping.h +@@ -676,8 +676,7 @@ static inline unsigned int dma_get_max_seg_size(struct device *dev) + return SZ_64K; + } + +-static inline unsigned int dma_set_max_seg_size(struct device *dev, +- unsigned int size) ++static inline int dma_set_max_seg_size(struct device *dev, unsigned int size) + { + if (dev->dma_parms) { + dev->dma_parms->max_segment_size = size; +-- +2.16.4 + diff --git a/patches.suse/dmaengine-Fix-access-to-uninitialized-dma_slave_caps.patch b/patches.suse/dmaengine-Fix-access-to-uninitialized-dma_slave_caps.patch new file mode 100644 index 0000000..8e9ebde --- /dev/null +++ b/patches.suse/dmaengine-Fix-access-to-uninitialized-dma_slave_caps.patch @@ -0,0 +1,61 @@ +From 53a256a9b925b47c7e67fc1f16ca41561a7b877c Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 5 Dec 2019 12:54:49 +0100 +Subject: [PATCH] dmaengine: Fix access to uninitialized dma_slave_caps +Git-commit: 53a256a9b925b47c7e67fc1f16ca41561a7b877c +Patch-mainline: v5.5-rc5 +References: bsc#1051510 + +dmaengine_desc_set_reuse() allocates a struct dma_slave_caps on the +stack, populates it using dma_get_slave_caps() and then accesses one +of its members. + +However dma_get_slave_caps() may fail and this isn't accounted for, +leading to a legitimate warning of gcc-4.9 (but not newer versions): + + In file included from drivers/spi/spi-bcm2835.c:19:0: + drivers/spi/spi-bcm2835.c: In function 'dmaengine_desc_set_reuse': +>> include/linux/dmaengine.h:1370:10: warning: 'caps.descriptor_reuse' is used uninitialized in this function [-Wuninitialized] + if (caps.descriptor_reuse) { + +Fix it, thereby also silencing the gcc-4.9 warning. + +The issue has been present for 4 years but surfaces only now that +the first caller of dmaengine_desc_set_reuse() has been added in +spi-bcm2835.c. Another user of reusable DMA descriptors has existed +for a while in pxa_camera.c, but it sets the DMA_CTRL_REUSE flag +directly instead of calling dmaengine_desc_set_reuse(). Nevertheless, +tag this commit for stable in case there are out-of-tree users. + +Fixes: 272420214d26 ("dmaengine: Add DMA_CTRL_REUSE") +Reported-by: kbuild test robot +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v4.3+ +Link: https://lore.kernel.org/r/ca92998ccc054b4f2bfd60ef3adbab2913171eac.1575546234.git.lukas@wunner.de +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + include/linux/dmaengine.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/dmaengine.h b/include/linux/dmaengine.h +index 8fcdee1c0cf9..dad4a68fa009 100644 +--- a/include/linux/dmaengine.h ++++ b/include/linux/dmaengine.h +@@ -1364,8 +1364,11 @@ static inline int dma_get_slave_caps(struct dma_chan *chan, + static inline int dmaengine_desc_set_reuse(struct dma_async_tx_descriptor *tx) + { + struct dma_slave_caps caps; ++ int ret; + +- dma_get_slave_caps(tx->chan, &caps); ++ ret = dma_get_slave_caps(tx->chan, &caps); ++ if (ret) ++ return ret; + + if (caps.descriptor_reuse) { + tx->flags |= DMA_CTRL_REUSE; +-- +2.16.4 + diff --git a/patches.suse/dmaengine-coh901318-Fix-a-double-lock-bug.patch b/patches.suse/dmaengine-coh901318-Fix-a-double-lock-bug.patch new file mode 100644 index 0000000..4be37a7 --- /dev/null +++ b/patches.suse/dmaengine-coh901318-Fix-a-double-lock-bug.patch @@ -0,0 +1,51 @@ +From 627469e4445b9b12e0229b3bdf8564d5ce384dd7 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Tue, 6 Nov 2018 11:33:48 +0800 +Subject: [PATCH] dmaengine: coh901318: Fix a double-lock bug +Git-commit: 627469e4445b9b12e0229b3bdf8564d5ce384dd7 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +The function coh901318_alloc_chan_resources() calls spin_lock_irqsave() +before calling coh901318_config(). +But coh901318_config() calls spin_lock_irqsave() again in its +definition, which may cause a double-lock bug. + +Because coh901318_config() is only called by +coh901318_alloc_chan_resources(), the bug fix is to remove the +calls to spin-lock and -unlock functions in coh901318_config(). + +Signed-off-by: Jia-Ju Bai +Reviewed-by: Linus Walleij +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/dma/coh901318.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c +index eebaba3d9e78..fd862a478738 100644 +--- a/drivers/dma/coh901318.c ++++ b/drivers/dma/coh901318.c +@@ -1807,8 +1807,6 @@ static int coh901318_config(struct coh901318_chan *cohc, + int channel = cohc->id; + void __iomem *virtbase = cohc->base->virtbase; + +- spin_lock_irqsave(&cohc->lock, flags); +- + if (param) + p = param; + else +@@ -1828,8 +1826,6 @@ static int coh901318_config(struct coh901318_chan *cohc, + coh901318_set_conf(cohc, p->config); + coh901318_set_ctrl(cohc, p->ctrl_lli_last); + +- spin_unlock_irqrestore(&cohc->lock, flags); +- + return 0; + } + +-- +2.16.4 + diff --git a/patches.suse/dmaengine-coh901318-Remove-unused-variable.patch b/patches.suse/dmaengine-coh901318-Remove-unused-variable.patch new file mode 100644 index 0000000..620b8e8 --- /dev/null +++ b/patches.suse/dmaengine-coh901318-Remove-unused-variable.patch @@ -0,0 +1,40 @@ +From 35faaf0df42d285b40f8a6310afbe096720f7758 Mon Sep 17 00:00:00 2001 +From: Vinod Koul +Date: Mon, 26 Nov 2018 13:34:15 +0530 +Subject: [PATCH] dmaengine: coh901318: Remove unused variable +Git-commit: 35faaf0df42d285b40f8a6310afbe096720f7758 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +Commit 627469e4445b ("dmaengine: coh901318: Fix a double-lock bug") left +flags variable unused, so remove it to fix the warning. + +Drivers/dma/coh901318.c: In function 'coh901318_config': +drivers/dma/coh901318.c:1805:16: warning: unused variable 'flags' [-Wunused-variable] + unsigned long flags; + ^~~~~ + +Fixes: 627469e4445b ("dmaengine: coh901318: Fix a double-lock bug") +Reported-by: Stephen Rothwell +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/dma/coh901318.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c +index fd862a478738..b69d66e44052 100644 +--- a/drivers/dma/coh901318.c ++++ b/drivers/dma/coh901318.c +@@ -1802,7 +1802,6 @@ static struct dma_chan *coh901318_xlate(struct of_phandle_args *dma_spec, + static int coh901318_config(struct coh901318_chan *cohc, + struct coh901318_params *param) + { +- unsigned long flags; + const struct coh901318_params *p; + int channel = cohc->id; + void __iomem *virtbase = cohc->base->virtbase; +-- +2.16.4 + diff --git a/patches.suse/do_last-fetch-directory--i_mode-and--i_uid-before-its-too-late.patch b/patches.suse/do_last-fetch-directory--i_mode-and--i_uid-before-its-too-late.patch new file mode 100644 index 0000000..0388e76 --- /dev/null +++ b/patches.suse/do_last-fetch-directory--i_mode-and--i_uid-before-its-too-late.patch @@ -0,0 +1,73 @@ +From d0cb50185ae942b03c4327be322055d622dc79f6 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun Jan 26 09:29:34 2020 -0500 +Subject: [PATCH] do_last(): fetch directory ->i_mode and ->i_uid before it's too late +Git-commit: d0cb50185ae942b03c4327be322055d622dc79f6 +References: bsc#1162109,CVE-2020-8428 +Patch-mainline: v5.5 + +may_create_in_sticky() call is done when we already have dropped the +reference to dir. + +Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files) +Signed-off-by: Al Viro +Acked-by: Goldwyn Rodrigues + +--- + fs/namei.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1023,7 +1023,8 @@ + * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory + * should be allowed, or not, on files that already + * exist. +- * @dir: the sticky parent directory ++ * @dir_mode: mode bits of directory ++ * @dir_uid: owner of directory + * @inode: the inode of the file to open + * + * Block an O_CREAT open of a FIFO (or a regular file) when: +@@ -1039,18 +1040,18 @@ + * + * Returns 0 if the open is allowed, -ve on error. + */ +-static int may_create_in_sticky(struct dentry * const dir, ++static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid, + struct inode * const inode) + { + if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) || + (!sysctl_protected_regular && S_ISREG(inode->i_mode)) || +- likely(!(dir->d_inode->i_mode & S_ISVTX)) || +- uid_eq(inode->i_uid, dir->d_inode->i_uid) || ++ likely(!(dir_mode & S_ISVTX)) || ++ uid_eq(inode->i_uid, dir_uid) || + uid_eq(current_fsuid(), inode->i_uid)) + return 0; + +- if (likely(dir->d_inode->i_mode & 0002) || +- (dir->d_inode->i_mode & 0020 && ++ if (likely(dir_mode & 0002) || ++ (dir_mode & 0020 && + ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) || + (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) { + return -EACCES; +@@ -3265,6 +3266,8 @@ + int *opened) + { + struct dentry *dir = nd->path.dentry; ++ kuid_t dir_uid = dir->d_inode->i_uid; ++ umode_t dir_mode = dir->d_inode->i_mode; + int open_flag = op->open_flag; + bool will_truncate = (open_flag & O_TRUNC) != 0; + bool got_write = false; +@@ -3400,7 +3403,7 @@ + error = -EISDIR; + if (d_is_dir(nd->path.dentry)) + goto out; +- error = may_create_in_sticky(dir, ++ error = may_create_in_sticky(dir_mode, dir_uid, + d_backing_inode(nd->path.dentry)); + if (unlikely(error)) + goto out; diff --git a/patches.suse/documentation-document-arm64-kpti-control b/patches.suse/documentation-document-arm64-kpti-control new file mode 100644 index 0000000..cbe3d14 --- /dev/null +++ b/patches.suse/documentation-document-arm64-kpti-control @@ -0,0 +1,35 @@ +From: Jeremy Linton +Date: Fri, 25 Jan 2019 12:07:00 -0600 +Subject: Documentation: Document arm64 kpti control +Git-commit: de19055564c8f8f9d366f8db3395836da0b2176c +Patch-mainline: v5.1-rc1 +References: bsc#1162623 + +For a while Arm64 has been capable of force enabling +or disabling the kpti mitigations. Lets make sure the +documentation reflects that. + +Signed-off-by: Jeremy Linton +Reviewed-by: Andre Przywara +Signed-off-by: Jonathan Corbet +Acked-by: Joerg Roedel +--- + Documentation/admin-guide/kernel-parameters.txt | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -1832,6 +1832,12 @@ + kmemcheck=2 (one-shot mode) + Default: 2 (one-shot mode) + ++ kpti= [ARM64] Control page table isolation of user ++ and kernel address spaces. ++ Default: enabled on cores which need mitigation. ++ 0: force disabled ++ 1: force enabled ++ + kvm.ignore_msrs=[KVM] Ignore guest accesses to unhandled MSRs. + Default is 0 (don't ignore, but inject #GP) + + diff --git a/patches.suse/drivers-base-memory.c-cache-blocks-in-radix-tree-to-.patch b/patches.suse/drivers-base-memory.c-cache-blocks-in-radix-tree-to-.patch new file mode 100644 index 0000000..45a6e93 --- /dev/null +++ b/patches.suse/drivers-base-memory.c-cache-blocks-in-radix-tree-to-.patch @@ -0,0 +1,130 @@ +From 973086759974f36987e3c0e9c78bb1e9a41661cc Mon Sep 17 00:00:00 2001 +From: Scott Cheloha +Date: Tue, 17 Dec 2019 13:32:38 -0600 +Subject: [PATCH] drivers/base/memory.c: cache blocks in radix tree to + accelerate lookup + +References: bsc#1159955 ltc#182993 +Patch-mainline: submitted https://lore.kernel.org/lkml/20191217193238.3098-1-cheloha@linux.vnet.ibm.com/ + +mhocko@suse.com: +Keep find_memory_block_hinted because there are still users. The +upstream has removed this by dd625285910d ("drivers/base/memory.c: +get rid of find_memory_block_hinted()") which would require more patches +to be backported so go an easier path and simply emulate the +functionality by ignoring the hint. The radix tree O(log(N)) should work +reasonably well. + +Searching for a particular memory block by id is slow because each block +device is kept in an unsorted linked list on the subsystem bus. + +Lookup is much faster if we cache the blocks in a radix tree. Memory +subsystem initialization and hotplug/hotunplug is at least a little faster +for any machine with more than ~100 blocks, and the speedup grows with +the block count. + +Signed-off-by: Scott Cheloha +Acked-by: David Hildenbrand +Acked-by: Michal Suchanek +Signed-off-by: Michal Hocko +--- + drivers/base/memory.c | 53 +++++++++++++++++++++++++------------------------- + 1 file changed, 27 insertions(+), 26 deletions(-) + +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -48,6 +49,13 @@ static struct bus_type memory_subsys = { + .offline = memory_subsys_offline, + }; + ++/* ++ * Memory blocks are cached in a local radix tree to avoid ++ * a costly linear search for the corresponding device on ++ * the subsystem bus. ++ */ ++static RADIX_TREE(memory_blocks, GFP_KERNEL); ++ + static BLOCKING_NOTIFIER_HEAD(memory_chain); + + int register_memory_notifier(struct notifier_block *nb) +@@ -576,36 +584,21 @@ int __weak arch_get_memory_phys_device(u + return 0; + } + +-/* +- * A reference for the returned object is held and the reference for the +- * hinted object is released. +- */ +-struct memory_block *find_memory_block_hinted(struct mem_section *section, +- struct memory_block *hint) ++struct memory_block *find_memory_block(struct mem_section *section) + { + int block_id = base_memory_block_id(__section_nr(section)); +- struct device *hintdev = hint ? &hint->dev : NULL; +- struct device *dev; ++ struct memory_block *mem; + +- dev = subsys_find_device_by_id(&memory_subsys, block_id, hintdev); +- if (hint) +- put_device(&hint->dev); +- if (!dev) +- return NULL; +- return to_memory_block(dev); ++ mem = radix_tree_lookup(&memory_blocks, block_id); ++ if (mem) ++ get_device(&mem->dev); ++ return mem; + } + +-/* +- * For now, we have a linear search to go find the appropriate +- * memory_block corresponding to a particular phys_index. If +- * this gets to be a real problem, we can always use a radix +- * tree or something here. +- * +- * This could be made generic for all device subsystems. +- */ +-struct memory_block *find_memory_block(struct mem_section *section) ++struct memory_block *find_memory_block_hinted(struct mem_section *section, ++ struct memory_block *hint) + { +- return find_memory_block_hinted(section, NULL); ++ return find_memory_block(section); + } + + static struct attribute *memory_memblk_attrs[] = { +@@ -643,9 +636,15 @@ int register_memory(struct memory_block + memory->dev.offline = memory->state == MEM_OFFLINE; + + ret = device_register(&memory->dev); +- if (ret) ++ if (ret) { + put_device(&memory->dev); +- ++ return ret; ++ } ++ ret = radix_tree_insert(&memory_blocks, memory->dev.id, memory); ++ if (ret) { ++ put_device(&memory->dev); ++ device_unregister(&memory->dev); ++ } + return ret; + } + +@@ -734,6 +733,8 @@ unregister_memory(struct memory_block *m + { + BUG_ON(memory->dev.bus != &memory_subsys); + ++ WARN_ON(radix_tree_delete(&memory_blocks, memory->dev.id) == NULL); ++ + /* drop the ref. we got in remove_memory_block() */ + put_device(&memory->dev); + device_unregister(&memory->dev); diff --git a/patches.suse/drivers-base-memory.c-don-t-access-uninitialized-mem.patch b/patches.suse/drivers-base-memory.c-don-t-access-uninitialized-mem.patch new file mode 100644 index 0000000..378bf89 --- /dev/null +++ b/patches.suse/drivers-base-memory.c-don-t-access-uninitialized-mem.patch @@ -0,0 +1,59 @@ +From 641fe2e9387a36f9ee01d7c69382d1fe147a5e98 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Fri, 18 Oct 2019 20:19:16 -0700 +Subject: [PATCH] drivers/base/memory.c: don't access uninitialized memmaps in soft_offline_page_store() +Git-commit: 641fe2e9387a36f9ee01d7c69382d1fe147a5e98 +Patch-mainline: v5.4-rc4 +References: bsc#1051510 + +Uninitialized memmaps contain garbage and in the worst case trigger kernel +BUGs, especially with CONFIG_PAGE_POISONING. They should not get touched. + +Right now, when trying to soft-offline a PFN that resides on a memory +block that was never onlined, one gets a misleading error with +Config_page_poisoning: + + :/# echo 5637144576 > /sys/devices/system/memory/soft_offline_page + [ 23.097167] soft offline: 0x150000 page already poisoned + +But the actual result depends on the garbage in the memmap. + +soft_offline_page() can only work with online pages, it returns -EIO in +case of ZONE_DEVICE. Make sure to only forward pages that are online +(iow, managed by the buddy) and, therefore, have an initialized memmap. + +Add a check against pfn_to_online_page() and similarly return -EIO. + +Link: http://lkml.kernel.org/r/20191010141200.8985-1-david@redhat.com +Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online") [visible after d0dc12e86b319] +Signed-off-by: David Hildenbrand +Acked-by: Naoya Horiguchi +Acked-by: Michal Hocko +Cc: Greg Kroah-Hartman +Cc: "Rafael J. Wysocki" +Cc: [4.13+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + drivers/base/memory.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/base/memory.c b/drivers/base/memory.c +index 6bea4f3f8040..55907c27075b 100644 +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -540,6 +540,9 @@ static ssize_t soft_offline_page_store(struct device *dev, + pfn >>= PAGE_SHIFT; + if (!pfn_valid(pfn)) + return -ENXIO; ++ /* Only online pages can be soft-offlined (esp., not ZONE_DEVICE). */ ++ if (!pfn_to_online_page(pfn)) ++ return -EIO; + ret = soft_offline_page(pfn_to_page(pfn), 0); + return ret == 0 ? count : ret; + } +-- +2.16.4 + diff --git a/patches.suse/drm-amd-display-Retrain-dongles-when-SINK_COUNT-beco.patch b/patches.suse/drm-amd-display-Retrain-dongles-when-SINK_COUNT-beco.patch new file mode 100644 index 0000000..94f0a36 --- /dev/null +++ b/patches.suse/drm-amd-display-Retrain-dongles-when-SINK_COUNT-beco.patch @@ -0,0 +1,71 @@ +From 3eb6d7aca53d81ce888624f09cd44dc0302161e8 Mon Sep 17 00:00:00 2001 +From: Harry Wentland +Date: Tue, 21 Jan 2020 16:12:45 -0500 +Subject: [PATCH] drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero +Git-commit: 3eb6d7aca53d81ce888624f09cd44dc0302161e8 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +[WHY] +Two years ago the patch referenced by the Fixes tag stopped running +dp_verify_link_cap_with_retries during DP detection when the reason +for the detection was a short-pulse interrupt. This effectively meant +that we were no longer doing the verify_link_cap training on active +dongles when their SINK_COUNT changed from 0 to 1. + +A year ago this was partly remedied with: +commit 80adaebd2d41 ("drm/amd/display: Don't skip link training for empty dongle") + +This made sure that we trained the dongle on initial hotplug (without +connected downstream devices). + +This is all fine and dandy if it weren't for the fact that there are +some dongles on the market that don't like link training when SINK_COUNT +is 0 These dongles will in fact indicate a SINK_COUNT of 0 immediately +after hotplug, even when a downstream device is connected, and then +trigger a shortpulse interrupt indicating a SINK_COUNT change to 1. + +In order to play nicely we will need our policy to not link train an +active DP dongle when SINK_COUNT is 0 but ensure we train it when the +SINK_COUNT changes to 1. + +[HOW] +Call dp_verify_link_cap_with_retries on detection even when the detection +is triggered from a short pulse interrupt. + +With this change we can also revert this commit which we'll do in a separate +follow-up change: +commit 80adaebd2d41 ("drm/amd/display: Don't skip link training for empty dongle") + +Fixes: 0301ccbaf67d ("drm/amd/display: DP Compliance 400.1.1 failure") +Suggested-by: Louis Li +Tested-by: Louis Li +Cc: Wenjing Liu +Cc: Hersen Wu +Cc: Eric Yang +Reviewed-by: Wenjing Liu +Signed-off-by: Harry Wentland +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/display/dc/core/dc_link.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +index a50768a7ba68..cc2e05003595 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +@@ -969,8 +969,7 @@ static bool dc_link_detect_helper(struct dc_link *link, + same_edid = is_same_edid(&prev_sink->dc_edid, &sink->dc_edid); + + if (link->connector_signal == SIGNAL_TYPE_DISPLAY_PORT && +- sink_caps.transaction_type == DDC_TRANSACTION_TYPE_I2C_OVER_AUX && +- reason != DETECT_REASON_HPDRX) { ++ sink_caps.transaction_type == DDC_TRANSACTION_TYPE_I2C_OVER_AUX) { + /* + * TODO debug why Dell 2413 doesn't like + * two link trainings +-- +2.16.4 + diff --git a/patches.suse/drm-amd-powerplay-remove-set-but-not-used-variable-u.patch b/patches.suse/drm-amd-powerplay-remove-set-but-not-used-variable-u.patch new file mode 100644 index 0000000..70fa8ee --- /dev/null +++ b/patches.suse/drm-amd-powerplay-remove-set-but-not-used-variable-u.patch @@ -0,0 +1,62 @@ +From 472b36a2ab67880e89d6b0cd0e243830e8cb75e1 Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Wed, 13 Nov 2019 20:44:34 +0800 +Subject: [PATCH] drm/amd/powerplay: remove set but not used variable 'us_mvdd' +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 472b36a2ab67880e89d6b0cd0e243830e8cb75e1 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Fixes gcc '-Wunused-but-set-variable' warning: + +Drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c: In +function ‘vegam_populate_smc_acpi_level’: +drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c:1117:11: +Warning: variable 'us_mvdd' set but not used [-Wunused-but-set-variable] + +It is never used, so can be removed. + +Fixes: ac7822b0026f ("drm/amd/powerplay: add smumgr support for VEGAM (v2)") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c b/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c +index ae18fbcb26fb..2068eb00d2f8 100644 +--- a/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c +@@ -1114,7 +1114,6 @@ static int vegam_populate_smc_acpi_level(struct pp_hwmgr *hwmgr, + (struct phm_ppt_v1_information *)(hwmgr->pptable); + SMIO_Pattern vol_level; + uint32_t mvdd; +- uint16_t us_mvdd; + + table->ACPILevel.Flags &= ~PPSMC_SWSTATE_FLAG_DC; + +@@ -1168,17 +1167,6 @@ static int vegam_populate_smc_acpi_level(struct pp_hwmgr *hwmgr, + "in Clock Dependency Table", + ); + +- us_mvdd = 0; +- if ((SMU7_VOLTAGE_CONTROL_NONE == data->mvdd_control) || +- (data->mclk_dpm_key_disabled)) +- us_mvdd = data->vbios_boot_state.mvdd_bootup_value; +- else { +- if (!vegam_populate_mvdd_value(hwmgr, +- data->dpm_table.mclk_table.dpm_levels[0].value, +- &vol_level)) +- us_mvdd = vol_level.Voltage; +- } +- + if (!vegam_populate_mvdd_value(hwmgr, 0, &vol_level)) + table->MemoryACPILevel.MinMvdd = PP_HOST_TO_SMC_UL(vol_level.Voltage); + else +-- +2.16.4 + diff --git a/patches.suse/drm-amdgpu-add-function-parameter-description-in-amd-e8b74035.patch b/patches.suse/drm-amdgpu-add-function-parameter-description-in-amd-e8b74035.patch new file mode 100644 index 0000000..3640511 --- /dev/null +++ b/patches.suse/drm-amdgpu-add-function-parameter-description-in-amd-e8b74035.patch @@ -0,0 +1,37 @@ +From e8b74035d8032dd8cc8fe8ff6eaecb20827227c2 Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Mon, 4 Nov 2019 21:27:22 +0800 +Subject: [PATCH] drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' +Git-commit: e8b74035d8032dd8cc8fe8ff6eaecb20827227c2 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Fixes gcc warning: + +drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c:313: warning: Function +parameter or member 'flags' not described in 'amdgpu_gart_bind' + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c +index 19705e399905..e01e681d2a60 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c +@@ -302,6 +302,7 @@ int amdgpu_gart_map(struct amdgpu_device *adev, uint64_t offset, + * @pages: number of pages to bind + * @pagelist: pages to bind + * @dma_addr: DMA addresses of pages ++ * @flags: page table entry flags + * + * Binds the requested pages to the gart page table + * (all asics). +-- +2.16.4 + diff --git a/patches.suse/drm-amdgpu-add-function-parameter-description-in-amd.patch b/patches.suse/drm-amdgpu-add-function-parameter-description-in-amd.patch new file mode 100644 index 0000000..6ccfa84 --- /dev/null +++ b/patches.suse/drm-amdgpu-add-function-parameter-description-in-amd.patch @@ -0,0 +1,32 @@ +From b8b721305770cf85bffbe7ce1e0dc5fb6c4fef47 Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Mon, 4 Nov 2019 21:27:21 +0800 +Subject: [PATCH] drm/amdgpu: add function parameter description in 'amdgpu_device_set_cg_state' +Git-commit: b8b721305770cf85bffbe7ce1e0dc5fb6c4fef47 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Fixes gcc warning: + +drivers/gpu/drm/amd/amdgpu/amdgpu_device.c:1954: warning: Function +parameter or member 'state' not described in 'amdgpu_device_set_cg_state' + +Fixes: e3ecdffac9cc ("drm/amdgpu: add documentation for amdgpu_device.c") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -2921,6 +2921,7 @@ static bool amdgpu_device_ip_check_soft_ + * amdgpu_device_ip_pre_soft_reset - prepare for soft reset + * + * @adev: amdgpu_device pointer ++ * @state: clockgating state (gate or ungate) + * + * The list of all the hardware IPs that make up the asic is walked and the + * pre_soft_reset callbacks are run if the block is hung. pre_soft_reset diff --git a/patches.suse/drm-amdgpu-fix-ring-test-failure-issue-during-s3-in-.patch b/patches.suse/drm-amdgpu-fix-ring-test-failure-issue-during-s3-in-.patch new file mode 100644 index 0000000..719c0ec --- /dev/null +++ b/patches.suse/drm-amdgpu-fix-ring-test-failure-issue-during-s3-in-.patch @@ -0,0 +1,60 @@ +From ce0e22f5d886d1b56c7ab4347c45b9ac5fcc058d Mon Sep 17 00:00:00 2001 +From: Louis Li +Date: Sat, 25 May 2019 06:39:47 +0800 +Subject: [PATCH] drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: ce0e22f5d886d1b56c7ab4347c45b9ac5fcc058d +Patch-mainline: v5.2-rc4 +References: bsc#1111666 + +[What] +vce ring test fails consistently during resume in s3 cycle, due to +mismatch read & write pointers. +On debug/analysis its found that rptr to be compared is not being +correctly updated/read, which leads to this failure. +Below is the failure signature: + [drm:amdgpu_vce_ring_test_ring] *ERROR* amdgpu: ring 12 test failed + [drm:amdgpu_device_ip_resume_phase2] *ERROR* resume of IP block failed -110 + [drm:amdgpu_device_resume] *ERROR* amdgpu_device_ip_resume failed (-110). + +[How] +fetch rptr appropriately, meaning move its read location further down +in the code flow. +With this patch applied the s3 failure is no more seen for >5k s3 cycles, +which otherwise is pretty consistent. + +V2: remove reduntant fetch of rptr + +Signed-off-by: Louis Li +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c +@@ -1070,7 +1070,7 @@ void amdgpu_vce_ring_emit_fence(struct a + int amdgpu_vce_ring_test_ring(struct amdgpu_ring *ring) + { + struct amdgpu_device *adev = ring->adev; +- uint32_t rptr = amdgpu_ring_get_rptr(ring); ++ uint32_t rptr; + unsigned i; + int r, timeout = adev->usec_timeout; + +@@ -1084,6 +1084,9 @@ int amdgpu_vce_ring_test_ring(struct amd + ring->idx, r); + return r; + } ++ ++ rptr = amdgpu_ring_get_rptr(ring); ++ + amdgpu_ring_write(ring, VCE_CMD_END); + amdgpu_ring_commit(ring); + diff --git a/patches.suse/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch b/patches.suse/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch new file mode 100644 index 0000000..0c7ec71 --- /dev/null +++ b/patches.suse/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch @@ -0,0 +1,74 @@ +From bae028e3e521e8cb8caf2cc16a455ce4c55f2332 Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Mon, 4 Nov 2019 21:27:20 +0800 +Subject: [PATCH] drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table +Git-commit: bae028e3e521e8cb8caf2cc16a455ce4c55f2332 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Fixes gcc '-Wunused-but-set-variable' warning: + +Drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c: In function +'amdgpu_atombios_get_connector_info_from_object_table': +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:26: warning: variable +'grph_obj_num' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:13: warning: variable +'grph_obj_id' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:37: warning: variable +'con_obj_type' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:24: warning: variable +'con_obj_num' set but not used [-Wunused-but-set-variable] + +They are never used, so can be removed. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +index 72232fccf61a..be6d0cfe41ae 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +@@ -338,17 +338,9 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device * + path_size += le16_to_cpu(path->usSize); + + if (device_support & le16_to_cpu(path->usDeviceTag)) { +- uint8_t con_obj_id, con_obj_num, con_obj_type; +- +- con_obj_id = ++ uint8_t con_obj_id = + (le16_to_cpu(path->usConnObjectId) & OBJECT_ID_MASK) + >> OBJECT_ID_SHIFT; +- con_obj_num = +- (le16_to_cpu(path->usConnObjectId) & ENUM_ID_MASK) +- >> ENUM_ID_SHIFT; +- con_obj_type = +- (le16_to_cpu(path->usConnObjectId) & +- OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT; + + /* Skip TV/CV support */ + if ((le16_to_cpu(path->usDeviceTag) == +@@ -373,14 +365,7 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device * + router.ddc_valid = false; + router.cd_valid = false; + for (j = 0; j < ((le16_to_cpu(path->usSize) - 8) / 2); j++) { +- uint8_t grph_obj_id, grph_obj_num, grph_obj_type; +- +- grph_obj_id = +- (le16_to_cpu(path->usGraphicObjIds[j]) & +- OBJECT_ID_MASK) >> OBJECT_ID_SHIFT; +- grph_obj_num = +- (le16_to_cpu(path->usGraphicObjIds[j]) & +- ENUM_ID_MASK) >> ENUM_ID_SHIFT; ++ uint8_t grph_obj_type= + grph_obj_type = + (le16_to_cpu(path->usGraphicObjIds[j]) & + OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT; +-- +2.16.4 + diff --git a/patches.suse/drm-amdgpu-remove-always-false-comparison-in-amdgpu_.patch b/patches.suse/drm-amdgpu-remove-always-false-comparison-in-amdgpu_.patch new file mode 100644 index 0000000..46bacf2 --- /dev/null +++ b/patches.suse/drm-amdgpu-remove-always-false-comparison-in-amdgpu_.patch @@ -0,0 +1,44 @@ +From 220ac8d1444054ade07ce14498fcda266410f90e Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Mon, 4 Nov 2019 21:27:25 +0800 +Subject: [PATCH] drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 220ac8d1444054ade07ce14498fcda266410f90e +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Fixes gcc '-Wtype-limits' warning: + +Drivers/gpu/drm/amd/amdgpu/atombios_i2c.c: In function +‘amdgpu_atombios_i2c_process_i2c_ch’: +drivers/gpu/drm/amd/amdgpu/atombios_i2c.c:79:11: warning: comparison is +always false due to limited range of data type [-Wtype-limits] + +'num' is 'u8', so it will never be greater than 'TOM_MAX_HW_I2C_READ', +which is defined as 255. Therefore, the comparison can be removed. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/atombios_i2c.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/atombios_i2c.c ++++ b/drivers/gpu/drm/amd/amdgpu/atombios_i2c.c +@@ -76,11 +76,6 @@ static int amdgpu_atombios_i2c_process_i + } + args.lpI2CDataOut = cpu_to_le16(out); + } else { +- if (num > ATOM_MAX_HW_I2C_READ) { +- DRM_ERROR("hw i2c: tried to read too many bytes (%d vs 255)\n", num); +- r = -EINVAL; +- goto done; +- } + args.ucRegIndex = 0; + args.lpI2CDataOut = 0; + } diff --git a/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-amdgpu_c.patch b/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-amdgpu_c.patch new file mode 100644 index 0000000..27b62b7 --- /dev/null +++ b/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-amdgpu_c.patch @@ -0,0 +1,50 @@ +From 4f2922d12d6c63d0f4aa4e859ad95aee6d0d4ea0 Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Wed, 13 Nov 2019 20:44:29 +0800 +Subject: [PATCH] drm/amdgpu: remove set but not used variable 'amdgpu_connector' +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 4f2922d12d6c63d0f4aa4e859ad95aee6d0d4ea0 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Fixes gcc '-Wunused-but-set-variable' warning: + +Drivers/gpu/drm/amd/amdgpu/amdgpu_display.c: In function +‘amdgpu_display_crtc_scaling_mode_fixup’: +drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:693:27: warning: variable +‘amdgpu_connector’ set but not used [-Wunused-but-set-variable] + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +index d2dd59a95e8a..6a27027a6f20 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +@@ -690,7 +690,6 @@ bool amdgpu_display_crtc_scaling_mode_fixup(struct drm_crtc *crtc, + struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc); + struct amdgpu_encoder *amdgpu_encoder; + struct drm_connector *connector; +- struct amdgpu_connector *amdgpu_connector; + u32 src_v = 1, dst_v = 1; + u32 src_h = 1, dst_h = 1; + +@@ -702,7 +701,6 @@ bool amdgpu_display_crtc_scaling_mode_fixup(struct drm_crtc *crtc, + continue; + amdgpu_encoder = to_amdgpu_encoder(encoder); + connector = amdgpu_get_connector_for_encoder(encoder); +- amdgpu_connector = to_amdgpu_connector(connector); + + /* set scaling */ + if (amdgpu_encoder->rmx_type == RMX_OFF) +-- +2.16.4 + diff --git a/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-dig.patch b/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-dig.patch new file mode 100644 index 0000000..6baaeb9 --- /dev/null +++ b/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-dig.patch @@ -0,0 +1,50 @@ +From d1d09dc417826f5a983e0f4f212f227beeb65e29 Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Mon, 4 Nov 2019 21:27:24 +0800 +Subject: [PATCH] drm/amdgpu: remove set but not used variable 'dig' +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: d1d09dc417826f5a983e0f4f212f227beeb65e29 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Fixes gcc '-Wunused-but-set-variable' warning: + +Drivers/gpu/drm/amd/amdgpu/atombios_dp.c: In function +‘amdgpu_atombios_dp_link_train’: +drivers/gpu/drm/amd/amdgpu/atombios_dp.c:716:34: warning: variable ‘dig’ +set but not used [-Wunused-but-set-variable] + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/atombios_dp.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c +index 94265306ab11..ea702a64f807 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c ++++ b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c +@@ -710,7 +710,6 @@ void amdgpu_atombios_dp_link_train(struct drm_encoder *encoder, + struct drm_device *dev = encoder->dev; + struct amdgpu_device *adev = dev->dev_private; + struct amdgpu_encoder *amdgpu_encoder = to_amdgpu_encoder(encoder); +- struct amdgpu_encoder_atom_dig *dig; + struct amdgpu_connector *amdgpu_connector; + struct amdgpu_connector_atom_dig *dig_connector; + struct amdgpu_atombios_dp_link_train_info dp_info; +@@ -718,7 +717,6 @@ void amdgpu_atombios_dp_link_train(struct drm_encoder *encoder, + + if (!amdgpu_encoder->enc_priv) + return; +- dig = amdgpu_encoder->enc_priv; + + amdgpu_connector = to_amdgpu_connector(connector); + if (!amdgpu_connector->con_priv) +-- +2.16.4 + diff --git a/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-dig_conn.patch b/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-dig_conn.patch new file mode 100644 index 0000000..3053a59 --- /dev/null +++ b/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-dig_conn.patch @@ -0,0 +1,53 @@ +From 5bea7fedb7fe4d5e6d3ba9f385dd3619fb004ce7 Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Mon, 4 Nov 2019 21:27:23 +0800 +Subject: [PATCH] drm/amdgpu: remove set but not used variable 'dig_connector' +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5bea7fedb7fe4d5e6d3ba9f385dd3619fb004ce7 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Fixes gcc '-Wunused-but-set-variable' warning: + +Drivers/gpu/drm/amd/amdgpu/atombios_dp.c: In function +‘amdgpu_atombios_dp_get_panel_mode’: +drivers/gpu/drm/amd/amdgpu/atombios_dp.c:364:36: warning: variable +‘dig_connector’ set but not used [-Wunused-but-set-variable] + +It is never used, so can be removed. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/atombios_dp.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c +index 6858cde9fc5d..94265306ab11 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c ++++ b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c +@@ -361,7 +361,6 @@ int amdgpu_atombios_dp_get_panel_mode(struct drm_encoder *encoder, + struct drm_connector *connector) + { + struct amdgpu_connector *amdgpu_connector = to_amdgpu_connector(connector); +- struct amdgpu_connector_atom_dig *dig_connector; + int panel_mode = DP_PANEL_MODE_EXTERNAL_DP_MODE; + u16 dp_bridge = amdgpu_connector_encoder_get_dp_bridge_encoder_id(connector); + u8 tmp; +@@ -369,8 +368,6 @@ int amdgpu_atombios_dp_get_panel_mode(struct drm_encoder *encoder, + if (!amdgpu_connector->con_priv) + return panel_mode; + +- dig_connector = amdgpu_connector->con_priv; +- + if (dp_bridge != ENCODER_OBJECT_ID_NONE) { + /* DP bridge chips */ + if (drm_dp_dpcd_readb(&amdgpu_connector->ddc_bus->aux, +-- +2.16.4 + diff --git a/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-invalid.patch b/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-invalid.patch new file mode 100644 index 0000000..601cc43 --- /dev/null +++ b/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-invalid.patch @@ -0,0 +1,50 @@ +From 9e089a29c696d86d26e79737bafbce94738fb462 Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Wed, 13 Nov 2019 20:44:31 +0800 +Subject: [PATCH] drm/amdgpu: remove set but not used variable 'invalid' +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 9e089a29c696d86d26e79737bafbce94738fb462 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Fixes gcc '-Wunused-but-set-variable' warning: + +Drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c: In function +‘amdgpu_amdkfd_evict_userptr’: +drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c:1665:6: warning: +variable ‘invalid’ set but not used [-Wunused-but-set-variable] + +'invalid' is never used, so can be removed. Thus 'atomic_inc_return' +can be replaced as 'atomic_inc' + +Fixes: 5ae0283e831a ("drm/amdgpu: Add userptr support for KFD") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +index ae6f5446262c..a1ed8a8e3752 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -1662,10 +1662,10 @@ int amdgpu_amdkfd_evict_userptr(struct kgd_mem *mem, + struct mm_struct *mm) + { + struct amdkfd_process_info *process_info = mem->process_info; +- int invalid, evicted_bos; ++ int evicted_bos; + int r = 0; + +- invalid = atomic_inc_return(&mem->invalid); ++ atomic_inc(&mem->invalid); + evicted_bos = atomic_inc_return(&process_info->evicted_bos); + if (evicted_bos == 1) { + /* First eviction, stop the queues */ +-- +2.16.4 + diff --git a/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-mc_share.patch b/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-mc_share.patch new file mode 100644 index 0000000..22b94bd --- /dev/null +++ b/patches.suse/drm-amdgpu-remove-set-but-not-used-variable-mc_share.patch @@ -0,0 +1,51 @@ +From e98042db2cb8d0b728cd76e05b9c2e1c84b7f72b Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Mon, 4 Nov 2019 21:27:26 +0800 +Subject: [PATCH] drm/amdgpu: remove set but not used variable 'mc_shared_chmap' +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: e98042db2cb8d0b728cd76e05b9c2e1c84b7f72b +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Fixes gcc '-Wunused-but-set-variable' warning: + +Drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c: In function +‘gfx_v8_0_gpu_early_init’: +drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c:1713:6: warning: variable +‘mc_shared_chmap’ set but not used [-Wunused-but-set-variable] + +Fixes: 0bde3a95eaa9 ("drm/amdgpu: split gfx8 gpu init into sw and hw parts") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +index ffbde9136372..14e774d52727 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +@@ -1710,7 +1710,7 @@ static int gfx_v8_0_do_edc_gpr_workarounds(struct amdgpu_device *adev) + static int gfx_v8_0_gpu_early_init(struct amdgpu_device *adev) + { + u32 gb_addr_config; +- u32 mc_shared_chmap, mc_arb_ramcfg; ++ u32 mc_arb_ramcfg; + u32 dimm00_addr_map, dimm01_addr_map, dimm10_addr_map, dimm11_addr_map; + u32 tmp; + int ret; +@@ -1850,7 +1850,6 @@ static int gfx_v8_0_gpu_early_init(struct amdgpu_device *adev) + break; + } + +- mc_shared_chmap = RREG32(mmMC_SHARED_CHMAP); + adev->gfx.config.mc_arb_ramcfg = RREG32(mmMC_ARB_RAMCFG); + mc_arb_ramcfg = adev->gfx.config.mc_arb_ramcfg; + +-- +2.16.4 + diff --git a/patches.suse/drm-amdgpu-uvd-vcn-fetch-ring-s-read_ptr-after-alloc.patch b/patches.suse/drm-amdgpu-uvd-vcn-fetch-ring-s-read_ptr-after-alloc.patch new file mode 100644 index 0000000..6e39d84 --- /dev/null +++ b/patches.suse/drm-amdgpu-uvd-vcn-fetch-ring-s-read_ptr-after-alloc.patch @@ -0,0 +1,96 @@ +From 517b91f4cde3043d77b2178548473e8545ef07cb Mon Sep 17 00:00:00 2001 +From: Shirish S +Date: Tue, 4 Jun 2019 21:25:03 +0530 +Subject: [PATCH] drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 517b91f4cde3043d77b2178548473e8545ef07cb +Patch-mainline: v5.2-rc5 +References: bsc#1111666 + +[What] +readptr read always returns zero, since most likely +these blocks are either power or clock gated. + +[How] +fetch rptr after amdgpu_ring_alloc() which informs +the power management code that the block is about to be +used and hence the gating is turned off. + +Signed-off-by: Louis Li +Signed-off-by: Shirish S +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 5 ++++- + drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c | 5 ++++- + drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c | 5 ++++- + 3 files changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c +@@ -431,7 +431,7 @@ error: + int amdgpu_vcn_enc_ring_test_ring(struct amdgpu_ring *ring) + { + struct amdgpu_device *adev = ring->adev; +- uint32_t rptr = amdgpu_ring_get_rptr(ring); ++ uint32_t rptr; + unsigned i; + int r; + +@@ -441,6 +441,9 @@ int amdgpu_vcn_enc_ring_test_ring(struct + ring->idx, r); + return r; + } ++ ++ rptr = amdgpu_ring_get_rptr(ring); ++ + amdgpu_ring_write(ring, VCN_ENC_CMD_END); + amdgpu_ring_commit(ring); + +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c +@@ -170,7 +170,7 @@ static void uvd_v6_0_enc_ring_set_wptr(s + static int uvd_v6_0_enc_ring_test_ring(struct amdgpu_ring *ring) + { + struct amdgpu_device *adev = ring->adev; +- uint32_t rptr = amdgpu_ring_get_rptr(ring); ++ uint32_t rptr; + unsigned i; + int r; + +@@ -180,6 +180,9 @@ static int uvd_v6_0_enc_ring_test_ring(s + ring->idx, r); + return r; + } ++ ++ rptr = amdgpu_ring_get_rptr(ring); ++ + amdgpu_ring_write(ring, HEVC_ENC_CMD_END); + amdgpu_ring_commit(ring); + +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c +@@ -175,7 +175,7 @@ static void uvd_v7_0_enc_ring_set_wptr(s + static int uvd_v7_0_enc_ring_test_ring(struct amdgpu_ring *ring) + { + struct amdgpu_device *adev = ring->adev; +- uint32_t rptr = amdgpu_ring_get_rptr(ring); ++ uint32_t rptr; + unsigned i; + int r; + +@@ -188,6 +188,9 @@ static int uvd_v7_0_enc_ring_test_ring(s + ring->me, ring->idx, r); + return r; + } ++ ++ rptr = amdgpu_ring_get_rptr(ring); ++ + amdgpu_ring_write(ring, HEVC_ENC_CMD_END); + amdgpu_ring_commit(ring); + diff --git a/patches.suse/drm-bridge-dw-hdmi-constify-copied-structure.patch b/patches.suse/drm-bridge-dw-hdmi-constify-copied-structure.patch new file mode 100644 index 0000000..7f2feaf --- /dev/null +++ b/patches.suse/drm-bridge-dw-hdmi-constify-copied-structure.patch @@ -0,0 +1,40 @@ +From d969ebe922aa13d1ec99659b6d2332e4811c4d61 Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Wed, 1 Jan 2020 08:43:33 +0100 +Subject: [PATCH] drm: bridge: dw-hdmi: constify copied structure +Git-commit: d969ebe922aa13d1ec99659b6d2332e4811c4d61 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +The dw_hdmi_hw structure is only copied into another structure, +so make it const. + +The opportunity for this change was found using Coccinelle. + +Fixes: 7ed6c665e19d ("drm: bridge/dw_hdmi-ahb-audio: add audio driver") +Signed-off-by: Julia Lawall +Reviewed-by: Laurent Pinchart +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/1577864614-5543-16-git-send-email-Julia.Lawall@inria.fr +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c +index 2b7539701b42..dd56996fe9c7 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c +@@ -291,7 +291,7 @@ static irqreturn_t snd_dw_hdmi_irq(int irq, void *data) + return IRQ_HANDLED; + } + +-static struct snd_pcm_hardware dw_hdmi_hw = { ++static const struct snd_pcm_hardware dw_hdmi_hw = { + .info = SNDRV_PCM_INFO_INTERLEAVED | + SNDRV_PCM_INFO_BLOCK_TRANSFER | + SNDRV_PCM_INFO_MMAP | +-- +2.16.4 + diff --git a/patches.suse/drm-i915-Call-dma_set_max_seg_size-in-i915_driver_hw.patch b/patches.suse/drm-i915-Call-dma_set_max_seg_size-in-i915_driver_hw.patch new file mode 100644 index 0000000..df6f11d --- /dev/null +++ b/patches.suse/drm-i915-Call-dma_set_max_seg_size-in-i915_driver_hw.patch @@ -0,0 +1,86 @@ +From 32f0a982650b123bdab36865617d3e03ebcacf3b Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Fri, 23 Aug 2019 16:52:51 -0400 +Subject: [PATCH] drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() +Git-commit: 32f0a982650b123bdab36865617d3e03ebcacf3b +Patch-mainline: v5.3-rc7 +No-fix: acd674af95d3f627062007429b9c195c6b32361d +References: bsc#1111666 + +Currently, we don't call dma_set_max_seg_size() for i915 because we +intentionally do not limit the segment length that the device supports. +However, this results in a warning being emitted if we try to map +anything larger than SZ_64K on a kernel with CONFIG_DMA_API_DEBUG_SG +Enabled: + +[ 7.751926] DMA-API: i915 0000:00:02.0: mapping sg segment longer +than device claims to support [len=98304] [max=65536] +[ 7.751934] WARNING: CPU: 5 PID: 474 at kernel/dma/debug.c:1220 +debug_dma_map_sg+0x20f/0x340 + +This was originally brought up on +https://bugs.freedesktop.org/show_bug.cgi?id=108517 , and the consensus +there was it wasn't really useful to set a limit (and that dma-debug +isn't really all that useful for i915 in the first place). Unfortunately +though, CONFIG_DMA_API_DEBUG_SG is enabled in the debug configs for +various distro kernels. Since a WARN_ON() will disable automatic problem +reporting (and cause any CI with said option enabled to start +complaining), we really should just fix the problem. + +Note that as me and Chris Wilson discussed, the other solution for this +would be to make DMA-API not make such assumptions when a driver hasn't +explicitly set a maximum segment size. But, taking a look at the commit +which originally introduced this behavior, commit 78c47830a5cb +("dma-debug: check scatterlist segments"), there is an explicit mention +of this assumption and how it applies to devices with no segment size: + + Conversely, devices which are less limited than the rather + conservative defaults, or indeed have no limitations at all + (e.g. GPUs with their own internal MMU), should be encouraged to + set appropriate dma_parms, as they may get more efficient DMA + mapping performance out of it. + +So unless there's any concerns (I'm open to discussion!), let's just +follow suite and call dma_set_max_seg_size() with UINT_MAX as our limit +to silence any warnings. + +Changes since v3: +* Drop patch for enabling CONFIG_DMA_API_DEBUG_SG in CI. It looks like + just turning it on causes the kernel to spit out bogus WARN_ONs() + during some igt tests which would otherwise require teaching igt to + disable the various DMA-API debugging options causing this. This is + too much work to be worth it, since DMA-API debugging is useless for + us. So, we'll just settle with this single patch to squelch WARN_ONs() + during driver load for users that have CONFIG_DMA_API_DEBUG_SG turned + on for some reason. +* Move dma_set_max_seg_size() call into i915_driver_hw_probe() - Chris + Wilson + +Signed-off-by: Lyude Paul +Reviewed-by: Chris Wilson +Cc: # v4.18+ +Link: https://patchwork.freedesktop.org/patch/msgid/20190823205251.14298-1-lyude@redhat.com +(cherry picked from commit acd674af95d3f627062007429b9c195c6b32361d) + +Signed-off-by: Jani Nikula +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/i915_drv.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_drv.c ++++ b/drivers/gpu/drm/i915/i915_drv.c +@@ -1128,6 +1128,12 @@ static int i915_driver_init_hw(struct dr + + pci_set_master(pdev); + ++ /* ++ * We don't have a max segment size, so set it to the max so sg's ++ * debugging layer doesn't complain ++ */ ++ dma_set_max_seg_size(&pdev->dev, UINT_MAX); ++ + /* overlay on gen2 is broken and can't address above 1G */ + if (IS_GEN2(dev_priv)) { + ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(30)); diff --git a/patches.suse/drm-i915-Handle-vm_mmap-error-during-I915_GEM_MMAP-i.patch b/patches.suse/drm-i915-Handle-vm_mmap-error-during-I915_GEM_MMAP-i.patch new file mode 100644 index 0000000..baab393 --- /dev/null +++ b/patches.suse/drm-i915-Handle-vm_mmap-error-during-I915_GEM_MMAP-i.patch @@ -0,0 +1,68 @@ +From ebfb6977801da521d8d5d752d373a187e2a2b9b3 Mon Sep 17 00:00:00 2001 +From: Joonas Lahtinen +Date: Thu, 7 Feb 2019 10:54:54 +0200 +Subject: [PATCH] drm/i915: Handle vm_mmap error during I915_GEM_MMAP ioctl with WC set +Git-commit: ebfb6977801da521d8d5d752d373a187e2a2b9b3 +Patch-mainline: v5.1-rc1 +References: bsc#1111666 + +Add err goto label and use it when VMA can't be established or changes +underneath. + +V2: +- Dropping Fixes: as it's indeed impossible to race an object to the + error address. (Chris) +V3: +- Use IS_ERR_VALUE (Chris) + +Reported-by: Adam Zabrocki +Signed-off-by: Joonas Lahtinen +Cc: Chris Wilson +Cc: Tvrtko Ursulin +Cc: Adam Zabrocki +Reviewed-by: Tvrtko Ursulin #v2 +Reviewed-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20190207085454.10598-2-joonas.lahtinen@linux.intel.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/i915_gem.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -1889,6 +1889,9 @@ i915_gem_mmap_ioctl(struct drm_device *d + addr = vm_mmap(obj->base.filp, 0, args->size, + PROT_READ | PROT_WRITE, MAP_SHARED, + args->offset); ++ if (IS_ERR_VALUE(addr)) ++ goto err; ++ + if (args->flags & I915_MMAP_WC) { + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; +@@ -1904,17 +1907,22 @@ i915_gem_mmap_ioctl(struct drm_device *d + else + addr = -ENOMEM; + up_write(&mm->mmap_sem); ++ if (IS_ERR_VALUE(addr)) ++ goto err; + + /* This may race, but that's ok, it only gets set */ + WRITE_ONCE(obj->frontbuffer_ggtt_origin, ORIGIN_CPU); + } + i915_gem_object_put(obj); +- if (IS_ERR((void *)addr)) +- return addr; + + args->addr_ptr = (uint64_t) addr; + + return 0; ++ ++err: ++ i915_gem_object_put(obj); ++ ++ return addr; + } + + static unsigned int tile_row_pages(struct drm_i915_gem_object *obj) diff --git a/patches.suse/drm-i915-Make-sure-cdclk-is-high-enough-for-DP-audio.patch b/patches.suse/drm-i915-Make-sure-cdclk-is-high-enough-for-DP-audio.patch new file mode 100644 index 0000000..39fe6db --- /dev/null +++ b/patches.suse/drm-i915-Make-sure-cdclk-is-high-enough-for-DP-audio.patch @@ -0,0 +1,68 @@ +From a8f196a0fa6391a436f63f360a1fb57031fdf26c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 17 Jul 2019 14:45:36 +0300 +Subject: [PATCH] drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: a8f196a0fa6391a436f63f360a1fb57031fdf26c +Patch-mainline: v5.3-rc3 +No-fix: bffb31f73b29a60ef693842d8744950c2819851d +References: bsc#1111666 + +On VLV/CHV there is some kind of linkage between the cdclk frequency +and the DP link frequency. The spec says: +"For DP audio configuration, cdclk frequency shall be set to + meet the following requirements: + DP Link Frequency(MHz) | Cdclk frequency(MHz) + 270 | 320 or higher + 162 | 200 or higher" + +I suspect that would more accurately be expressed as +"cdclk >= DP link clock", and in any case we can express it like +that in the code because of the limited set of cdclk (200, 266, +320, 400 MHz) and link frequencies (162 and 270 MHz) we support. + +Without this we can end up in a situation where the cdclk +is too low and enabling DP audio will kill the pipe. Happens +eg. with 2560x1440 modes where the 266MHz cdclk is sufficient +to pump the pixels (241.5 MHz dotclock) but is too low for +the DP audio due to the link frequency being 270 MHz. + +V2: Spell out the cdclk and link frequencies we actually support + +Cc: stable@vger.kernel.org +Tested-by: Stefan Gottwald +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111149 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20190717114536.22937-1-ville.syrjala@linux.intel.com +Acked-by: Chris Wilson +(cherry picked from commit bffb31f73b29a60ef693842d8744950c2819851d) + +Signed-off-by: Jani Nikula +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/intel_cdclk.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_cdclk.c ++++ b/drivers/gpu/drm/i915/intel_cdclk.c +@@ -2269,6 +2269,17 @@ int intel_crtc_compute_min_cdclk(const s + min_cdclk = max(2 * 96000, min_cdclk); + + /* ++ * "For DP audio configuration, cdclk frequency shall be set to ++ * meet the following requirements: ++ * DP Link Frequency(MHz) | Cdclk frequency(MHz) ++ * 270 | 320 or higher ++ * 162 | 200 or higher" ++ */ ++ if ((IS_VALLEYVIEW(dev_priv) || IS_CHERRYVIEW(dev_priv)) && ++ intel_crtc_has_dp_encoder(crtc_state) && crtc_state->has_audio) ++ min_cdclk = max(crtc_state->port_clock, min_cdclk); ++ ++ /* + * On Valleyview some DSI panels lose (v|h)sync when the clock is lower + * than 320000KHz. + */ diff --git a/patches.suse/drm-i915-Sanity-check-mmap-length-against-object-siz.patch b/patches.suse/drm-i915-Sanity-check-mmap-length-against-object-siz.patch new file mode 100644 index 0000000..51391ca --- /dev/null +++ b/patches.suse/drm-i915-Sanity-check-mmap-length-against-object-siz.patch @@ -0,0 +1,78 @@ +From 000c4f90e3f0194eef218ff2c6a8fd8ca1de4313 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Thu, 14 Mar 2019 07:58:29 +0000 +Subject: [PATCH] drm/i915: Sanity check mmap length against object size +Git-commit: 000c4f90e3f0194eef218ff2c6a8fd8ca1de4313 +Patch-mainline: v5.1-rc2 +No-fix: 794a11cb67201ad1bb61af510bb8460280feb3f3 +References: bsc#1111666 + +We assumed that vm_mmap() would reject an attempt to mmap past the end of +the filp (our object), but we were wrong. + +Applications that tried to use the mmap beyond the end of the object +would be greeted by a SIGBUS. After this patch, those applications will +be told about the error on creating the mmap, rather than at a random +moment on later access. + +Reported-by: Antonio Argenziano +Testcase: igt/gem_mmap/bad-size +Signed-off-by: Chris Wilson +Cc: Antonio Argenziano +Cc: Joonas Lahtinen +Cc: Tvrtko Ursulin +Cc: stable@vger.kernel.org +Reviewed-by: Tvrtko Ursulin +Reviewed-by: Joonas Lahtinen +Link: https://patchwork.freedesktop.org/patch/msgid/20190314075829.16838-1-chris@chris-wilson.co.uk +(cherry picked from commit 794a11cb67201ad1bb61af510bb8460280feb3f3) + +Signed-off-by: Rodrigo Vivi +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/i915_gem.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -1882,8 +1882,13 @@ i915_gem_mmap_ioctl(struct drm_device *d + * pages from. + */ + if (!obj->base.filp) { +- i915_gem_object_put(obj); +- return -ENXIO; ++ addr = -ENXIO; ++ goto err; ++ } ++ ++ if (range_overflows(args->offset, args->size, (u64)obj->base.size)) { ++ addr = -EINVAL; ++ goto err; + } + + addr = vm_mmap(obj->base.filp, 0, args->size, +@@ -1897,8 +1902,8 @@ i915_gem_mmap_ioctl(struct drm_device *d + struct vm_area_struct *vma; + + if (down_write_killable(&mm->mmap_sem)) { +- i915_gem_object_put(obj); +- return -EINTR; ++ addr = -EINTR; ++ goto err; + } + vma = find_vma(mm, addr); + if (vma && __vma_matches(vma, obj->base.filp, addr, args->size)) +@@ -1916,12 +1921,10 @@ i915_gem_mmap_ioctl(struct drm_device *d + i915_gem_object_put(obj); + + args->addr_ptr = (uint64_t) addr; +- + return 0; + + err: + i915_gem_object_put(obj); +- + return addr; + } + diff --git a/patches.suse/drm-i915-perf-add-missing-delay-for-OA-muxes-configu.patch b/patches.suse/drm-i915-perf-add-missing-delay-for-OA-muxes-configu.patch new file mode 100644 index 0000000..c0a40bd --- /dev/null +++ b/patches.suse/drm-i915-perf-add-missing-delay-for-OA-muxes-configu.patch @@ -0,0 +1,97 @@ +From 8f48de49795ca52f70c96558ccc6a0c174504779 Mon Sep 17 00:00:00 2001 +From: Lionel Landwerlin +Date: Wed, 10 Jul 2019 11:55:24 +0100 +Subject: [PATCH] drm/i915/perf: add missing delay for OA muxes configuration +Git-commit: 8f48de49795ca52f70c96558ccc6a0c174504779 +Patch-mainline: v5.3-rc3 +No-fix: 14bfcd3e0daeb0f757a02aac85fd03e0933ab37e +References: bsc#1111666 + +This was dropped from the original patch series, we weren't sure +whether it was needed at the time. More recent tests show it's +definitely needed to have acurate performance data. + +Signed-off-by: Lionel Landwerlin +Fixes: 19f81df2859eb1 ("drm/i915/perf: Add OA unit support for Gen 8+") +Acked-by: Chris Wilson +[ickle: combine duplicate code and comments] +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20190710105524.23017-1-chris@chris-wilson.co.uk +(cherry picked from commit 14bfcd3e0daeb0f757a02aac85fd03e0933ab37e) + +Signed-off-by: Jani Nikula +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/i915_perf.c | 45 ++++++++++++++++++++++----------------- + 1 file changed, 26 insertions(+), 19 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_perf.c ++++ b/drivers/gpu/drm/i915/i915_perf.c +@@ -1564,26 +1564,10 @@ static void config_oa_regs(struct drm_i9 + } + } + +-static int hsw_enable_metric_set(struct drm_i915_private *dev_priv, +- const struct i915_oa_config *oa_config) ++static void delay_after_mux(void) + { +- /* PRM: +- * +- * OA unit is using “crclk” for its functionality. When trunk +- * level clock gating takes place, OA clock would be gated, +- * unable to count the events from non-render clock domain. +- * Render clock gating must be disabled when OA is enabled to +- * count the events from non-render domain. Unit level clock +- * gating for RCS should also be disabled. +- */ +- I915_WRITE(GEN7_MISCCPCTL, (I915_READ(GEN7_MISCCPCTL) & +- ~GEN7_DOP_CLOCK_GATE_ENABLE)); +- I915_WRITE(GEN6_UCGCTL1, (I915_READ(GEN6_UCGCTL1) | +- GEN6_CSUNIT_CLOCK_GATE_DISABLE)); +- +- config_oa_regs(dev_priv, oa_config->mux_regs, oa_config->mux_regs_len); +- +- /* It apparently takes a fairly long time for a new MUX ++ /* ++ * It apparently takes a fairly long time for a new MUX + * configuration to be be applied after these register writes. + * This delay duration was derived empirically based on the + * render_basic config but hopefully it covers the maximum +@@ -1605,6 +1589,28 @@ static int hsw_enable_metric_set(struct + * a delay at this location would mitigate any invalid reports. + */ + usleep_range(15000, 20000); ++} ++ ++static int hsw_enable_metric_set(struct drm_i915_private *dev_priv, ++ const struct i915_oa_config *oa_config) ++{ ++ /* ++ * PRM: ++ * ++ * OA unit is using “crclk” for its functionality. When trunk ++ * level clock gating takes place, OA clock would be gated, ++ * unable to count the events from non-render clock domain. ++ * Render clock gating must be disabled when OA is enabled to ++ * count the events from non-render domain. Unit level clock ++ * gating for RCS should also be disabled. ++ */ ++ I915_WRITE(GEN7_MISCCPCTL, (I915_READ(GEN7_MISCCPCTL) & ++ ~GEN7_DOP_CLOCK_GATE_ENABLE)); ++ I915_WRITE(GEN6_UCGCTL1, (I915_READ(GEN6_UCGCTL1) | ++ GEN6_CSUNIT_CLOCK_GATE_DISABLE)); ++ ++ config_oa_regs(dev_priv, oa_config->mux_regs, oa_config->mux_regs_len); ++ delay_after_mux(); + + config_oa_regs(dev_priv, oa_config->b_counter_regs, + oa_config->b_counter_regs_len); +@@ -1913,6 +1919,7 @@ static int gen8_enable_metric_set(struct + return ret; + + config_oa_regs(dev_priv, oa_config->mux_regs, oa_config->mux_regs_len); ++ delay_after_mux(); + + config_oa_regs(dev_priv, oa_config->b_counter_regs, + oa_config->b_counter_regs_len); diff --git a/patches.suse/drm-msm-mdp4-Adjust-indentation-in-mdp4_dsi_encoder_.patch b/patches.suse/drm-msm-mdp4-Adjust-indentation-in-mdp4_dsi_encoder_.patch new file mode 100644 index 0000000..c06964c --- /dev/null +++ b/patches.suse/drm-msm-mdp4-Adjust-indentation-in-mdp4_dsi_encoder_.patch @@ -0,0 +1,51 @@ +From 251e3cb1418ff3f5061ee31335e346e852b16573 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 9 Dec 2019 13:32:30 -0700 +Subject: [PATCH] drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable +Git-commit: 251e3cb1418ff3f5061ee31335e346e852b16573 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Clang warns: + +../drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c:124:3: warning: +misleading indentation; statement is not part of the previous 'if' +[-Wmisleading-indentation] + mdp4_crtc_set_config(encoder->crtc, + ^ +../drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c:121:2: note: +previous statement is here + if (mdp4_dsi_encoder->enabled) + ^ + +This warning occurs because there is a space after the tab on this line. +Remove it so that the indentation is consistent with the Linux kernel +coding style and clang no longer warns. + +Fixes: 776638e73a19 ("drm/msm/dsi: Add a mdp4 encoder for DSI") +Link: https://github.com/ClangBuiltLinux/linux/issues/792 +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Rob Clark +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c b/drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c +index 772f0753ed38..aaf2f26f8505 100644 +--- a/drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c ++++ b/drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c +@@ -121,7 +121,7 @@ static void mdp4_dsi_encoder_enable(struct drm_encoder *encoder) + if (mdp4_dsi_encoder->enabled) + return; + +- mdp4_crtc_set_config(encoder->crtc, ++ mdp4_crtc_set_config(encoder->crtc, + MDP4_DMA_CONFIG_PACK_ALIGN_MSB | + MDP4_DMA_CONFIG_DEFLKR_EN | + MDP4_DMA_CONFIG_DITHER_EN | +-- +2.16.4 + diff --git a/patches.suse/drm-mst-Fix-MST-sideband-up-reply-failure-handling.patch b/patches.suse/drm-mst-Fix-MST-sideband-up-reply-failure-handling.patch new file mode 100644 index 0000000..03e3495 --- /dev/null +++ b/patches.suse/drm-mst-Fix-MST-sideband-up-reply-failure-handling.patch @@ -0,0 +1,83 @@ +From d8fd3722207f154b53c80eee2cf4977c3fc25a92 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Fri, 24 May 2019 00:24:33 +0300 +Subject: [PATCH] drm/mst: Fix MST sideband up-reply failure handling +Git-commit: d8fd3722207f154b53c80eee2cf4977c3fc25a92 +Patch-mainline: v5.3-rc1 +References: bsc#1051510 + +Fix the breakage resulting in the stacktrace below, due to tx queue +being full when trying to send an up-reply. txmsg->seqno is -1 in this +case leading to a corruption of the mstb object by + + txmsg->dst->tx_slots[txmsg->seqno] = NULL; + +in process_single_up_tx_qlock(). + +[ +0,005162] [drm:process_single_tx_qlock [drm_kms_helper]] set_hdr_from_dst_qlock: failed to find slot +[ +0,000015] [drm:drm_dp_send_up_ack_reply.constprop.19 [drm_kms_helper]] failed to send msg in q -11 +[ +0,000939] BUG: kernel NULL pointer dereference, address: 00000000000005a0 +[ +0,006982] #PF: supervisor write access in kernel mode +[ +0,005223] #PF: error_code(0x0002) - not-present page +[ +0,005135] PGD 0 P4D 0 +[ +0,002581] Oops: 0002 [#1] PREEMPT SMP NOPTI +[ +0,004359] CPU: 1 PID: 1200 Comm: kworker/u16:3 Tainted: G U 5.2.0-rc1+ #410 +[ +0,008433] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP, BIOS ICLSFWR1.R00.3175.A00.1904261428 04/26/2019 +[ +0,013323] Workqueue: i915-dp i915_digport_work_func [i915] +[ +0,005676] RIP: 0010:queue_work_on+0x19/0x70 +[ +0,004372] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 41 56 49 89 f6 41 55 41 89 fd 41 54 55 53 48 89 d3 9c 5d fa e8 e7 81 0c 00 48 0f ba 2b 00 73 31 45 31 e4 f7 c5 00 02 00 00 74 13 e8 cf 7f +[ +0,018750] RSP: 0018:ffffc900007dfc50 EFLAGS: 00010006 +[ +0,005222] RAX: 0000000000000046 RBX: 00000000000005a0 RCX: 0000000000000001 +[ +0,007133] RDX: 000000000001b608 RSI: 0000000000000000 RDI: ffffffff82121972 +[ +0,007129] RBP: 0000000000000202 R08: 0000000000000000 R09: 0000000000000001 +[ +0,007129] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88847bfa5096 +[ +0,007131] R13: 0000000000000010 R14: ffff88849c08f3f8 R15: 0000000000000000 +[ +0,007128] FS: 0000000000000000(0000) GS:ffff88849dc80000(0000) knlGS:0000000000000000 +[ +0,008083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ +0,005749] CR2: 00000000000005a0 CR3: 0000000005210006 CR4: 0000000000760ee0 +[ +0,007128] PKRU: 55555554 +[ +0,002722] Call Trace: +[ +0,002458] drm_dp_mst_handle_up_req+0x517/0x540 [drm_kms_helper] +[ +0,006197] ? drm_dp_mst_hpd_irq+0x5b/0x9c0 [drm_kms_helper] +[ +0,005764] drm_dp_mst_hpd_irq+0x5b/0x9c0 [drm_kms_helper] +[ +0,005623] ? intel_dp_hpd_pulse+0x205/0x370 [i915] +[ +0,005018] intel_dp_hpd_pulse+0x205/0x370 [i915] +[ +0,004836] i915_digport_work_func+0xbb/0x140 [i915] +[ +0,005108] process_one_work+0x245/0x610 +[ +0,004027] worker_thread+0x37/0x380 +[ +0,003684] ? process_one_work+0x610/0x610 +[ +0,004184] kthread+0x119/0x130 +[ +0,003240] ? kthread_park+0x80/0x80 +[ +0,003668] ret_from_fork+0x24/0x50 + +Cc: Lyude Paul +Cc: Dave Airlie +Signed-off-by: Imre Deak +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190523212433.9058-1-imre.deak@intel.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c +index da1abca1b9e9..0984b9a34d55 100644 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -1996,7 +1996,11 @@ static void process_single_up_tx_qlock(struct drm_dp_mst_topology_mgr *mgr, + if (ret != 1) + DRM_DEBUG_KMS("failed to send msg in q %d\n", ret); + +- txmsg->dst->tx_slots[txmsg->seqno] = NULL; ++ if (txmsg->seqno != -1) { ++ WARN_ON((unsigned int)txmsg->seqno > ++ ARRAY_SIZE(txmsg->dst->tx_slots)); ++ txmsg->dst->tx_slots[txmsg->seqno] = NULL; ++ } + } + + static void drm_dp_queue_down_tx(struct drm_dp_mst_topology_mgr *mgr, +-- +2.16.4 + diff --git a/patches.suse/drm-nouveau-Fix-copy-paste-error-in-nouveau_fence_wa.patch b/patches.suse/drm-nouveau-Fix-copy-paste-error-in-nouveau_fence_wa.patch new file mode 100644 index 0000000..606383f --- /dev/null +++ b/patches.suse/drm-nouveau-Fix-copy-paste-error-in-nouveau_fence_wa.patch @@ -0,0 +1,36 @@ +From 1eb013473bff5f95b6fe1ca4dd7deda47257b9c2 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Fri, 10 Jan 2020 14:32:01 +0800 +Subject: [PATCH] drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler +Git-commit: 1eb013473bff5f95b6fe1ca4dd7deda47257b9c2 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Like other cases, it should use rcu protected 'chan' rather +than 'fence->channel' in nouveau_fence_wait_uevent_handler. + +Fixes: 0ec5f02f0e2c ("drm/nouveau: prevent stale fence->channel pointers, and protect with rcu") +Signed-off-by: YueHaibing +Signed-off-by: Ben Skeggs +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c +index 9118df035b28..70bb6bb97af8 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fence.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c +@@ -156,7 +156,7 @@ nouveau_fence_wait_uevent_handler(struct nvif_notify *notify) + + fence = list_entry(fctx->pending.next, typeof(*fence), head); + chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock)); +- if (nouveau_fence_update(fence->channel, fctx)) ++ if (nouveau_fence_update(chan, fctx)) + ret = NVIF_NOTIFY_DROP; + } + spin_unlock_irqrestore(&fctx->lock, flags); +-- +2.16.4 + diff --git a/patches.suse/drm-nouveau-bar-gf100-ensure-BAR-is-mapped.patch b/patches.suse/drm-nouveau-bar-gf100-ensure-BAR-is-mapped.patch new file mode 100644 index 0000000..4eccd3d --- /dev/null +++ b/patches.suse/drm-nouveau-bar-gf100-ensure-BAR-is-mapped.patch @@ -0,0 +1,36 @@ +From 12e08beb32d64b6070b718630490db83dd321c8c Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Fri, 15 Mar 2019 18:05:17 -0600 +Subject: [PATCH] drm/nouveau/bar/gf100: ensure BAR is mapped +Git-commit: 12e08beb32d64b6070b718630490db83dd321c8c +Patch-mainline: v5.2-rc1 +References: bsc#1111666 + +If the BAR is zero size, it indicates it was never successfully mapped. +Ensure that the BAR is valid during initialization before attempting to +use it. + +Signed-off-by: Jon Derrick +Signed-off-by: Ben Skeggs +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bar/gf100.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/gf100.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/gf100.c +index a3ba7f50198b..a3dcb09a40ee 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/gf100.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/gf100.c +@@ -94,6 +94,8 @@ gf100_bar_oneinit_bar(struct gf100_bar *bar, struct gf100_barN *bar_vm, + return ret; + + bar_len = device->func->resource_size(device, bar_nr); ++ if (!bar_len) ++ return -ENOMEM; + if (bar_nr == 3 && bar->bar2_halve) + bar_len >>= 1; + +-- +2.16.4 + diff --git a/patches.suse/drm-nouveau-bar-nv50-check-bar1-vmm-return-value.patch b/patches.suse/drm-nouveau-bar-nv50-check-bar1-vmm-return-value.patch new file mode 100644 index 0000000..db55165 --- /dev/null +++ b/patches.suse/drm-nouveau-bar-nv50-check-bar1-vmm-return-value.patch @@ -0,0 +1,34 @@ +From 307a312df9c43fdea286ad17f748aaf777cc434a Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Fri, 15 Mar 2019 18:05:15 -0600 +Subject: [PATCH] drm/nouveau/bar/nv50: check bar1 vmm return value +Git-commit: 307a312df9c43fdea286ad17f748aaf777cc434a +Patch-mainline: v5.2-rc1 +References: bsc#1111666 + +Check bar1's new vmm creation return value for errors. + +Signed-off-by: Jon Derrick +Signed-off-by: Ben Skeggs +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c +index 157b076a1272..8e64b19f3f8a 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c +@@ -168,6 +168,8 @@ nv50_bar_oneinit(struct nvkm_bar *base) + + ret = nvkm_vmm_new(device, start, limit-- - start, NULL, 0, + &bar1_lock, "bar1", &bar->bar1_vmm); ++ if (ret) ++ return ret; + + atomic_inc(&bar->bar1_vmm->engref[NVKM_SUBDEV_BAR]); + bar->bar1_vmm->debug = bar->base.subdev.debug; +-- +2.16.4 + diff --git a/patches.suse/drm-nouveau-mmu-qualify-vmm-during-dtor.patch b/patches.suse/drm-nouveau-mmu-qualify-vmm-during-dtor.patch new file mode 100644 index 0000000..80320e2 --- /dev/null +++ b/patches.suse/drm-nouveau-mmu-qualify-vmm-during-dtor.patch @@ -0,0 +1,36 @@ +From 15516bf9abaa41421a6ded79a5a2fee86f9594e5 Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Fri, 15 Mar 2019 18:05:18 -0600 +Subject: [PATCH] drm/nouveau/mmu: qualify vmm during dtor +Git-commit: 15516bf9abaa41421a6ded79a5a2fee86f9594e5 +Patch-mainline: v5.2-rc1 +References: bsc#1111666 + +If the BAR initialization failed it may leave the vmm structure in an +unitialized state, leading to a null-pointer-dereference when the vmm is +dereferenced during teardown. + +Signed-off-by: Jon Derrick +Signed-off-by: Ben Skeggs +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +index fa93f964e6a4..41640e0584ac 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +@@ -1783,7 +1783,7 @@ nvkm_vmm_get(struct nvkm_vmm *vmm, u8 page, u64 size, struct nvkm_vma **pvma) + void + nvkm_vmm_part(struct nvkm_vmm *vmm, struct nvkm_memory *inst) + { +- if (inst && vmm->func->part) { ++ if (inst && vmm && vmm->func->part) { + mutex_lock(&vmm->mutex); + vmm->func->part(vmm, inst); + mutex_unlock(&vmm->mutex); +-- +2.16.4 + diff --git a/patches.suse/drm-nouveau-secboot-gm20b-initialize-pointer-in-gm20.patch b/patches.suse/drm-nouveau-secboot-gm20b-initialize-pointer-in-gm20.patch new file mode 100644 index 0000000..34aceec --- /dev/null +++ b/patches.suse/drm-nouveau-secboot-gm20b-initialize-pointer-in-gm20.patch @@ -0,0 +1,48 @@ +From 3613a9bea95a1470dd42e4ed1cc7d86ebe0a2dc0 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 8 Jan 2020 08:46:01 +0300 +Subject: [PATCH] drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() +Git-commit: 3613a9bea95a1470dd42e4ed1cc7d86ebe0a2dc0 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +We accidentally set "psb" which is a no-op instead of "*psb" so it +generates a static checker warning. We should probably set it before +the first error return so that it's always initialized. + +Fixes: 923f1bd27bf1 ("drm/nouveau/secboot/gm20b: add secure boot support") +Signed-off-by: Dan Carpenter +Signed-off-by: Ben Skeggs +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/secboot/gm20b.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/gm20b.c b/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/gm20b.c +index 72690d80f0ad..32a584c4757f 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/gm20b.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/gm20b.c +@@ -129,6 +129,7 @@ gm20b_secboot_new(struct nvkm_device *device, int index, + struct gm200_secboot *gsb; + struct nvkm_acr *acr; + ++ *psb = NULL; + acr = acr_r352_new(BIT(NVKM_SECBOOT_FALCON_FECS) | + BIT(NVKM_SECBOOT_FALCON_PMU)); + if (IS_ERR(acr)) +@@ -137,10 +138,8 @@ gm20b_secboot_new(struct nvkm_device *device, int index, + acr->optional_falcons = BIT(NVKM_SECBOOT_FALCON_PMU); + + gsb = kzalloc(sizeof(*gsb), GFP_KERNEL); +- if (!gsb) { +- psb = NULL; ++ if (!gsb) + return -ENOMEM; +- } + *psb = &gsb->base; + + ret = nvkm_secboot_ctor(&gm20b_secboot, acr, device, index, &gsb->base); +-- +2.16.4 + diff --git a/patches.suse/drm-rect-Avoid-division-by-zero.patch b/patches.suse/drm-rect-Avoid-division-by-zero.patch new file mode 100644 index 0000000..b646dd6 --- /dev/null +++ b/patches.suse/drm-rect-Avoid-division-by-zero.patch @@ -0,0 +1,51 @@ +From 433480c1afd44f3e1e664b85063d98cefeefa0ed Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 22 Nov 2019 19:56:20 +0200 +Subject: [PATCH] drm/rect: Avoid division by zero +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 433480c1afd44f3e1e664b85063d98cefeefa0ed +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Check for zero width/height destination rectangle in +drm_rect_clip_scaled() to avoid a division by zero. + +Cc: stable@vger.kernel.org +Fixes: f96bdf564f3e ("drm/rect: Handle rounding errors in drm_rect_clip_scaled, v3.") +Cc: Maarten Lankhorst +Cc: Benjamin Gaignard +Cc: Daniel Vetter +Testcase: igt/kms_selftest/drm_rect_clip_scaled_div_by_zero +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20191122175623.13565-2-ville.syrjala@linux.intel.com +Reviewed-by: Daniel Vetter +Reviewed-by: Benjamin Gaignard +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_rect.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_rect.c b/drivers/gpu/drm/drm_rect.c +index b8363aaa9032..818738e83d06 100644 +--- a/drivers/gpu/drm/drm_rect.c ++++ b/drivers/gpu/drm/drm_rect.c +@@ -54,7 +54,12 @@ EXPORT_SYMBOL(drm_rect_intersect); + + static u32 clip_scaled(u32 src, u32 dst, u32 clip) + { +- u64 tmp = mul_u32_u32(src, dst - clip); ++ u64 tmp; ++ ++ if (dst == 0) ++ return 0; ++ ++ tmp = mul_u32_u32(src, dst - clip); + + /* + * Round toward 1.0 when clipping so that we don't accidentally +-- +2.16.4 + diff --git a/patches.suse/drm-rect-update-kerneldoc-for-drm_rect_clip_scaled.patch b/patches.suse/drm-rect-update-kerneldoc-for-drm_rect_clip_scaled.patch new file mode 100644 index 0000000..df4e50d --- /dev/null +++ b/patches.suse/drm-rect-update-kerneldoc-for-drm_rect_clip_scaled.patch @@ -0,0 +1,52 @@ +From 94fee4a74d04b4298892850287c2a879dbd01e2a Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Tue, 26 Nov 2019 15:52:13 +0100 +Subject: [PATCH] drm/rect: update kerneldoc for drm_rect_clip_scaled() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 94fee4a74d04b4298892850287c2a879dbd01e2a +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +This was forgotten in f96bdf564f3e ("drm/rect: Handle rounding errors +in drm_rect_clip_scaled, v3.") + +Spotted while reviewing patches from Ville touching this area. + +Reviewed-by: Ville Syrjälä +Fixes: f96bdf564f3e ("drm/rect: Handle rounding errors in drm_rect_clip_scaled, v3.") +Cc: Maarten Lankhorst +Cc: Benjamin Gaignard +Cc: Ville Syrjala +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20191126145213.380079-1-daniel.vetter@ffwll.ch +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_rect.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_rect.c b/drivers/gpu/drm/drm_rect.c +index 1e1e2101007a..0460e874896e 100644 +--- a/drivers/gpu/drm/drm_rect.c ++++ b/drivers/gpu/drm/drm_rect.c +@@ -81,11 +81,13 @@ static u32 clip_scaled(int src, int dst, int *clip) + * @clip: clip rectangle + * + * Clip rectangle @dst by rectangle @clip. Clip rectangle @src by the +- * same amounts multiplied by @hscale and @vscale. ++ * the corresponding amounts, retaining the vertical and horizontal scaling ++ * factors from @src to @dst. + * + * RETURNS: ++ * + * %true if rectangle @dst is still visible after being clipped, +- * %false otherwise ++ * %false otherwise. + */ + bool drm_rect_clip_scaled(struct drm_rect *src, struct drm_rect *dst, + const struct drm_rect *clip) +-- +2.16.4 + diff --git a/patches.suse/drm-rockchip-lvds-Fix-indentation-of-a-define.patch b/patches.suse/drm-rockchip-lvds-Fix-indentation-of-a-define.patch new file mode 100644 index 0000000..3a42db3 --- /dev/null +++ b/patches.suse/drm-rockchip-lvds-Fix-indentation-of-a-define.patch @@ -0,0 +1,36 @@ +From eb503ee2c9bfb0392a204d9705ca70d683a08cdd Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 24 Dec 2019 15:38:52 +0100 +Subject: [PATCH] drm/rockchip: lvds: Fix indentation of a #define +Git-commit: eb503ee2c9bfb0392a204d9705ca70d683a08cdd +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Fix a #define indentation before adding more lines. + +Fixes: 34cc0aa25456 ("drm/rockchip: Add support for Rockchip Soc LVDS") +Signed-off-by: Miquel Raynal +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20191224143900.23567-4-miquel.raynal@bootlin.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/rockchip/rockchip_lvds.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.h b/drivers/gpu/drm/rockchip/rockchip_lvds.h +index 029bad8e1a14..1387bcbc4bc0 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_lvds.h ++++ b/drivers/gpu/drm/rockchip/rockchip_lvds.h +@@ -70,7 +70,7 @@ + #define RK3288_LVDS_CFG_REG21 0x84 + #define RK3288_LVDS_CFG_REG21_TX_ENABLE 0x92 + #define RK3288_LVDS_CFG_REG21_TX_DISABLE 0x00 +-#define RK3288_LVDS_CH1_OFFSET 0x100 ++#define RK3288_LVDS_CH1_OFFSET 0x100 + + /* fbdiv value is split over 2 registers, with bit8 in reg2 */ + #define RK3288_LVDS_PLL_FBDIV_REG2(_fbd) \ +-- +2.16.4 + diff --git a/patches.suse/drm-sun4i-tcon-Set-RGB-DCLK-min.-divider-based-on-ha.patch b/patches.suse/drm-sun4i-tcon-Set-RGB-DCLK-min.-divider-based-on-ha.patch new file mode 100644 index 0000000..618f916 --- /dev/null +++ b/patches.suse/drm-sun4i-tcon-Set-RGB-DCLK-min.-divider-based-on-ha.patch @@ -0,0 +1,131 @@ +From 4396393fb96449c56423fb4b351f76e45a6bcaf6 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Tue, 7 Jan 2020 15:01:13 +0800 +Subject: [PATCH] drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model +Git-commit: 4396393fb96449c56423fb4b351f76e45a6bcaf6 +Patch-mainline: v5.5-rc6 +References: bsc#1111666 + +In commit 0b8e7bbde5e7 ("drm/sun4i: tcon: Set min division of TCON0_DCLK +to 1.") it was assumed that all TCON variants support a minimum divider +of 1 if only DCLK was used. + +However, the oldest generation of hardware only supports minimum divider +of 4 if only DCLK is used. If a divider of 1 was used on this old +hardware, some scrolling artifact would appear. A divider of 2 seemed +OK, but a divider of 3 had artifacts as well. + +Set the minimum divider when outputing to parallel RGB based on the +hardware model, with a minimum of 4 for the oldest (A10/A10s/A13/A20) +hardware, and a minimum of 1 for the rest. A value is not set for the +TCON variants lacking channel 0. + +This fixes the scrolling artifacts seen on my A13 tablet. + +Fixes: 0b8e7bbde5e7 ("drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.") +Cc: # 5.4.x +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20200107070113.28951-1-wens@kernel.org +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/sun4i/sun4i_tcon.c | 15 ++++++++++++--- + drivers/gpu/drm/sun4i/sun4i_tcon.h | 1 + + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c +index 42651d737c55..c81cdce6ed55 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c ++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c +@@ -489,7 +489,7 @@ static void sun4i_tcon0_mode_set_rgb(struct sun4i_tcon *tcon, + + WARN_ON(!tcon->quirks->has_channel_0); + +- tcon->dclk_min_div = 1; ++ tcon->dclk_min_div = tcon->quirks->dclk_min_div; + tcon->dclk_max_div = 127; + sun4i_tcon0_mode_set_common(tcon, mode); + +@@ -1426,12 +1426,14 @@ static int sun8i_r40_tcon_tv_set_mux(struct sun4i_tcon *tcon, + static const struct sun4i_tcon_quirks sun4i_a10_quirks = { + .has_channel_0 = true, + .has_channel_1 = true, ++ .dclk_min_div = 4, + .set_mux = sun4i_a10_tcon_set_mux, + }; + + static const struct sun4i_tcon_quirks sun5i_a13_quirks = { + .has_channel_0 = true, + .has_channel_1 = true, ++ .dclk_min_div = 4, + .set_mux = sun5i_a13_tcon_set_mux, + }; + +@@ -1440,6 +1442,7 @@ static const struct sun4i_tcon_quirks sun6i_a31_quirks = { + .has_channel_1 = true, + .has_lvds_alt = true, + .needs_de_be_mux = true, ++ .dclk_min_div = 1, + .set_mux = sun6i_tcon_set_mux, + }; + +@@ -1447,11 +1450,13 @@ static const struct sun4i_tcon_quirks sun6i_a31s_quirks = { + .has_channel_0 = true, + .has_channel_1 = true, + .needs_de_be_mux = true, ++ .dclk_min_div = 1, + }; + + static const struct sun4i_tcon_quirks sun7i_a20_quirks = { + .has_channel_0 = true, + .has_channel_1 = true, ++ .dclk_min_div = 4, + /* Same display pipeline structure as A10 */ + .set_mux = sun4i_a10_tcon_set_mux, + }; +@@ -1459,11 +1464,13 @@ static const struct sun4i_tcon_quirks sun7i_a20_quirks = { + static const struct sun4i_tcon_quirks sun8i_a33_quirks = { + .has_channel_0 = true, + .has_lvds_alt = true, ++ .dclk_min_div = 1, + }; + + static const struct sun4i_tcon_quirks sun8i_a83t_lcd_quirks = { + .supports_lvds = true, + .has_channel_0 = true, ++ .dclk_min_div = 1, + }; + + static const struct sun4i_tcon_quirks sun8i_a83t_tv_quirks = { +@@ -1477,11 +1484,13 @@ static const struct sun4i_tcon_quirks sun8i_r40_tv_quirks = { + + static const struct sun4i_tcon_quirks sun8i_v3s_quirks = { + .has_channel_0 = true, ++ .dclk_min_div = 1, + }; + + static const struct sun4i_tcon_quirks sun9i_a80_tcon_lcd_quirks = { +- .has_channel_0 = true, +- .needs_edp_reset = true, ++ .has_channel_0 = true, ++ .needs_edp_reset = true, ++ .dclk_min_div = 1, + }; + + static const struct sun4i_tcon_quirks sun9i_a80_tcon_tv_quirks = { +diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.h b/drivers/gpu/drm/sun4i/sun4i_tcon.h +index f9f1fe80b206..a62ec826ae71 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_tcon.h ++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.h +@@ -224,6 +224,7 @@ struct sun4i_tcon_quirks { + bool needs_de_be_mux; /* sun6i needs mux to select backend */ + bool needs_edp_reset; /* a80 edp reset needed for tcon0 access */ + bool supports_lvds; /* Does the TCON support an LVDS output? */ ++ u8 dclk_min_div; /* minimum divider for TCON0 DCLK */ + + /* callback to handle tcon muxing options */ + int (*set_mux)(struct sun4i_tcon *, const struct drm_encoder *); +-- +2.16.4 + diff --git a/patches.suse/drm-sun4i-tcon-Set-min-division-of-TCON0_DCLK-to-1.patch b/patches.suse/drm-sun4i-tcon-Set-min-division-of-TCON0_DCLK-to-1.patch new file mode 100644 index 0000000..e389e9f --- /dev/null +++ b/patches.suse/drm-sun4i-tcon-Set-min-division-of-TCON0_DCLK-to-1.patch @@ -0,0 +1,44 @@ +From 0b8e7bbde5e7e2c419567e1ee29587dae3b78ee3 Mon Sep 17 00:00:00 2001 +From: Yunhao Tian +Date: Wed, 13 Nov 2019 13:27:25 +0000 +Subject: [PATCH] drm/sun4i: tcon: Set min division of TCON0_DCLK to 1. +Git-commit: 0b8e7bbde5e7e2c419567e1ee29587dae3b78ee3 +Patch-mainline: v5.4-rc8 +References: bsc#1111666 + +The datasheet of V3s (and various other chips) wrote +that TCON0_DCLK_DIV can be >= 1 if only dclk is used, +and must >= 6 if dclk1 or dclk2 is used. As currently +neither dclk1 nor dclk2 is used (no writes to these +bits), let's set minimal division to 1. + +If this minimal division is 6, some common dot clock +frequencies can't be produced (e.g. 30MHz will not be +possible and will fallback to 25MHz), which is +obviously not an expected behaviour. + +Signed-off-by: Yunhao Tian +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/linux-arm-kernel/MN2PR08MB57905AD8A00C08DA219377C989760@MN2PR08MB5790.namprd08.prod.outlook.com/ +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/sun4i/sun4i_tcon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c +index 04c721d0d3b9..b89439ed210d 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c ++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c +@@ -488,7 +488,7 @@ static void sun4i_tcon0_mode_set_rgb(struct sun4i_tcon *tcon, + + WARN_ON(!tcon->quirks->has_channel_0); + +- tcon->dclk_min_div = 6; ++ tcon->dclk_min_div = 1; + tcon->dclk_max_div = 127; + sun4i_tcon0_mode_set_common(tcon, mode); + +-- +2.16.4 + diff --git a/patches.suse/drm-ttm-ttm_tt_init_fields-can-be-static.patch b/patches.suse/drm-ttm-ttm_tt_init_fields-can-be-static.patch new file mode 100644 index 0000000..84236e2 --- /dev/null +++ b/patches.suse/drm-ttm-ttm_tt_init_fields-can-be-static.patch @@ -0,0 +1,41 @@ +From 2869e82eb4ffda7afc76c1ff0d52592df7b0d1c8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Mon, 4 Nov 2019 12:59:01 +0100 +Subject: [PATCH] drm/ttm: ttm_tt_init_fields() can be static +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 2869e82eb4ffda7afc76c1ff0d52592df7b0d1c8 +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Fixes: 75a57669cbc8 ("drm/ttm: add ttm_sg_tt_init") +Signed-off-by: Fengguang Wu +Reviewed-by: Christian König +Signed-off-by: Christian König +Link: https://patchwork.kernel.org/patch/10263323/ +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/ttm/ttm_tt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c +index e0e9b4f69db6..2ec448e1d663 100644 +--- a/drivers/gpu/drm/ttm/ttm_tt.c ++++ b/drivers/gpu/drm/ttm/ttm_tt.c +@@ -223,8 +223,9 @@ void ttm_tt_destroy(struct ttm_tt *ttm) + ttm->func->destroy(ttm); + } + +-void ttm_tt_init_fields(struct ttm_tt *ttm, struct ttm_buffer_object *bo, +- uint32_t page_flags) ++static void ttm_tt_init_fields(struct ttm_tt *ttm, ++ struct ttm_buffer_object *bo, ++ uint32_t page_flags) + { + ttm->bdev = bo->bdev; + ttm->num_pages = bo->num_pages; +-- +2.16.4 + diff --git a/patches.suse/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch b/patches.suse/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch new file mode 100644 index 0000000..5307483 --- /dev/null +++ b/patches.suse/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch @@ -0,0 +1,40 @@ +From 40efb09a7f53125719e49864da008495e39aaa1e Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Tue, 24 Sep 2019 23:37:58 -0500 +Subject: [PATCH] drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add +Git-commit: 40efb09a7f53125719e49864da008495e39aaa1e +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +In vmw_cmdbuf_res_add if drm_ht_insert_item fails the allocated memory +for cres should be released. + +Fixes: 18e4a4669c50 ("drm/vmwgfx: Fix compat shader namespace") +Signed-off-by: Navid Emamdoost +Reviewed-by: Thomas Hellstrom +Signed-off-by: Thomas Hellstrom +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +index 4ac55fc2bf97..44d858ce4ce7 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +@@ -209,8 +209,10 @@ int vmw_cmdbuf_res_add(struct vmw_cmdbuf_res_manager *man, + + cres->hash.key = user_key | (res_type << 24); + ret = drm_ht_insert_item(&man->resources, &cres->hash); +- if (unlikely(ret != 0)) ++ if (unlikely(ret != 0)) { ++ kfree(cres); + goto out_invalid_key; ++ } + + cres->state = VMW_CMDBUF_RES_ADD; + cres->res = vmw_resource_reference(res); +-- +2.16.4 + diff --git a/patches.suse/ext2-check-err-when-partial-NULL.patch b/patches.suse/ext2-check-err-when-partial-NULL.patch new file mode 100644 index 0000000..b853731 --- /dev/null +++ b/patches.suse/ext2-check-err-when-partial-NULL.patch @@ -0,0 +1,45 @@ +From e705f4b8aa27a59f8933e8f384e9752f052c469c Mon Sep 17 00:00:00 2001 +From: Chengguang Xu +Date: Tue, 5 Nov 2019 12:51:00 +0800 +Subject: [PATCH] ext2: check err when partial != NULL +Git-commit: e705f4b8aa27a59f8933e8f384e9752f052c469c +Patch-mainline: v5.5-rc1 +References: bsc#1163859 + +Check err when partial == NULL is meaningless because +partial == NULL means getting branch successfully without +error. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191105045100.7104-1-cgxu519@mykernel.net +Signed-off-by: Chengguang Xu +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/ext2/inode.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c +index 7004ce581a32..a16c53655e77 100644 +--- a/fs/ext2/inode.c ++++ b/fs/ext2/inode.c +@@ -701,10 +701,13 @@ static int ext2_get_blocks(struct inode *inode, + if (!partial) { + count++; + mutex_unlock(&ei->truncate_mutex); +- if (err) +- goto cleanup; + goto got_it; + } ++ ++ if (err) { ++ mutex_unlock(&ei->truncate_mutex); ++ goto cleanup; ++ } + } + + /* +-- +2.16.4 + diff --git a/patches.suse/ext4-add-cond_resched-to-ext4_protect_reserved_inode.patch b/patches.suse/ext4-add-cond_resched-to-ext4_protect_reserved_inode.patch new file mode 100644 index 0000000..2dd8b05 --- /dev/null +++ b/patches.suse/ext4-add-cond_resched-to-ext4_protect_reserved_inode.patch @@ -0,0 +1,68 @@ +From af133ade9a40794a37104ecbcc2827c0ea373a3c Mon Sep 17 00:00:00 2001 +From: Shijie Luo +Date: Mon, 10 Feb 2020 20:17:52 -0500 +Subject: [PATCH] ext4: add cond_resched() to ext4_protect_reserved_inode +Git-commit: af133ade9a40794a37104ecbcc2827c0ea373a3c +Patch-mainline: v5.6-rc2 +References: bsc#1164069 CVE-2020-8992 + +When journal size is set too big by "mkfs.ext4 -J size=", or when +we mount a crafted image to make journal inode->i_size too big, +the loop, "while (i < num)", holds cpu too long. This could cause +soft lockup. + +[ 529.357541] Call trace: +[ 529.357551] dump_backtrace+0x0/0x198 +[ 529.357555] show_stack+0x24/0x30 +[ 529.357562] dump_stack+0xa4/0xcc +[ 529.357568] watchdog_timer_fn+0x300/0x3e8 +[ 529.357574] __hrtimer_run_queues+0x114/0x358 +[ 529.357576] hrtimer_interrupt+0x104/0x2d8 +[ 529.357580] arch_timer_handler_virt+0x38/0x58 +[ 529.357584] handle_percpu_devid_irq+0x90/0x248 +[ 529.357588] generic_handle_irq+0x34/0x50 +[ 529.357590] __handle_domain_irq+0x68/0xc0 +[ 529.357593] gic_handle_irq+0x6c/0x150 +[ 529.357595] el1_irq+0xb8/0x140 +[ 529.357599] __ll_sc_atomic_add_return_acquire+0x14/0x20 +[ 529.357668] ext4_map_blocks+0x64/0x5c0 [ext4] +[ 529.357693] ext4_setup_system_zone+0x330/0x458 [ext4] +[ 529.357717] ext4_fill_super+0x2170/0x2ba8 [ext4] +[ 529.357722] mount_bdev+0x1a8/0x1e8 +[ 529.357746] ext4_mount+0x44/0x58 [ext4] +[ 529.357748] mount_fs+0x50/0x170 +[ 529.357752] vfs_kern_mount.part.9+0x54/0x188 +[ 529.357755] do_mount+0x5ac/0xd78 +[ 529.357758] ksys_mount+0x9c/0x118 +[ 529.357760] __arm64_sys_mount+0x28/0x38 +[ 529.357764] el0_svc_common+0x78/0x130 +[ 529.357766] el0_svc_handler+0x38/0x78 +[ 529.357769] el0_svc+0x8/0xc +[ 541.356516] watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [mount:18674] + +Link: https://lore.kernel.org/r/20200211011752.29242-1-luoshijie1@huawei.com +Reviewed-by: Jan Kara +Signed-off-by: Shijie Luo +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Acked-by: Jan Kara + +--- + fs/ext4/block_validity.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index 1ee04e76bbe0..0a734ffb4310 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -207,6 +207,7 @@ static int ext4_protect_reserved_inode(struct super_block *sb, + return PTR_ERR(inode); + num = (inode->i_size + sb->s_blocksize - 1) >> sb->s_blocksize_bits; + while (i < num) { ++ cond_resched(); + map.m_lblk = i; + map.m_len = num - i; + n = ext4_map_blocks(NULL, inode, &map, 0); +-- +2.16.4 + diff --git a/patches.suse/ext4-check-for-directory-entries-too-close-to-block-.patch b/patches.suse/ext4-check-for-directory-entries-too-close-to-block-.patch new file mode 100644 index 0000000..ff6e93a --- /dev/null +++ b/patches.suse/ext4-check-for-directory-entries-too-close-to-block-.patch @@ -0,0 +1,43 @@ +From 109ba779d6cca2d519c5dd624a3276d03e21948e Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 2 Dec 2019 18:02:13 +0100 +Subject: [PATCH] ext4: check for directory entries too close to block end +Git-commit: 109ba779d6cca2d519c5dd624a3276d03e21948e +Patch-mainline: v5.5-rc3 +References: bsc#1163861 + +ext4_check_dir_entry() currently does not catch a case when a directory +entry ends so close to the block end that the header of the next +directory entry would not fit in the remaining space. This can lead to +directory iteration code trying to access address beyond end of current +buffer head leading to oops. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20191202170213.4761-3-jack@suse.cz +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/dir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c +index 9fdd2b269d61..6305d5ec25af 100644 +--- a/fs/ext4/dir.c ++++ b/fs/ext4/dir.c +@@ -81,6 +81,11 @@ int __ext4_check_dir_entry(const char *function, unsigned int line, + error_msg = "rec_len is too small for name_len"; + else if (unlikely(((char *) de - buf) + rlen > size)) + error_msg = "directory entry overrun"; ++ else if (unlikely(((char *) de - buf) + rlen > ++ size - EXT4_DIR_REC_LEN(1) && ++ ((char *) de - buf) + rlen != size)) { ++ error_msg = "directory entry too close to block end"; ++ } + else if (unlikely(le32_to_cpu(de->inode) > + le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count))) + error_msg = "inode out of bounds"; +-- +2.16.4 + diff --git a/patches.suse/ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch b/patches.suse/ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch new file mode 100644 index 0000000..98b078f --- /dev/null +++ b/patches.suse/ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch @@ -0,0 +1,124 @@ +From 565333a1554d704789e74205989305c811fd9c7a Mon Sep 17 00:00:00 2001 +From: yangerkun +Date: Thu, 19 Sep 2019 14:35:08 +0800 +Subject: [PATCH] ext4: fix a bug in ext4_wait_for_tail_page_commit +Git-commit: 565333a1554d704789e74205989305c811fd9c7a +Patch-mainline: v5.5-rc1 +References: bsc#1163841 + +No need to wait for any commit once the page is fully truncated. +Besides, it may confuse e.g. concurrent ext4_writepage() with the page +still be dirty (will be cleared by truncate_pagecache() in +ext4_setattr()) but buffers has been freed; and then trigger a bug +show as below: + +[ 26.057508] ------------[ cut here ]------------ +[ 26.058531] kernel BUG at fs/ext4/inode.c:2134! +... +[ 26.088130] Call trace: +[ 26.088695] ext4_writepage+0x914/0xb28 +[ 26.089541] writeout.isra.4+0x1b4/0x2b8 +[ 26.090409] move_to_new_page+0x3b0/0x568 +[ 26.091338] __unmap_and_move+0x648/0x988 +[ 26.092241] unmap_and_move+0x48c/0xbb8 +[ 26.093096] migrate_pages+0x220/0xb28 +[ 26.093945] kernel_mbind+0x828/0xa18 +[ 26.094791] __arm64_sys_mbind+0xc8/0x138 +[ 26.095716] el0_svc_common+0x190/0x490 +[ 26.096571] el0_svc_handler+0x60/0xd0 +[ 26.097423] el0_svc+0x8/0xc + +Run the procedure (generate by syzkaller) parallel with ext3. + +void main() +{ + int fd, fd1, ret; + void *addr; + size_t length = 4096; + int flags; + off_t offset = 0; + char *str = "12345"; + + fd = open("a", O_RDWR | O_CREAT); + assert(fd >= 0); + + /* Truncate to 4k */ + ret = ftruncate(fd, length); + assert(ret == 0); + + /* Journal data mode */ + flags = 0xc00f; + ret = ioctl(fd, _IOW('f', 2, long), &flags); + assert(ret == 0); + + /* Truncate to 0 */ + fd1 = open("a", O_TRUNC | O_NOATIME); + assert(fd1 >= 0); + + addr = mmap(NULL, length, PROT_WRITE | PROT_READ, + MAP_SHARED, fd, offset); + assert(addr != (void *)-1); + + memcpy(addr, str, 5); + mbind(addr, length, 0, 0, 0, MPOL_MF_MOVE); +} + +And the bug will be triggered once we seen the below order. + +reproduce1 reproduce2 + +... | ... +truncate to 4k | +change to journal data mode | + | memcpy(set page dirty) +truncate to 0: | +Ext4_setattr: | +... | +ext4_wait_for_tail_page_commit | + | mbind(trigger bug) +truncate_pagecache(clean dirty)| ... +... | + +mbind will call ext4_writepage() since the page still be dirty, and then +report the bug since the buffers has been free. Fix it by return +directly once offset equals to 0 which means the page has been fully +truncated. + +Reported-by: Hulk Robot +Signed-off-by: yangerkun +Link: https://lore.kernel.org/r/20190919063508.1045-1-yangerkun@huawei.com +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/inode.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index de70f19bfa7e..8c37626e4c01 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5114,11 +5114,15 @@ static void ext4_wait_for_tail_page_commit(struct inode *inode) + + offset = inode->i_size & (PAGE_SIZE - 1); + /* +- * All buffers in the last page remain valid? Then there's nothing to +- * do. We do the check mainly to optimize the common PAGE_SIZE == +- * blocksize case ++ * If the page is fully truncated, we don't need to wait for any commit ++ * (and we even should not as __ext4_journalled_invalidatepage() may ++ * strip all buffers from the page but keep the page dirty which can then ++ * confuse e.g. concurrent ext4_writepage() seeing dirty page without ++ * buffers). Also we don't need to wait for any commit if all buffers in ++ * the page remain valid. This is most beneficial for the common case of ++ * blocksize == PAGESIZE. + */ +- if (offset > PAGE_SIZE - i_blocksize(inode)) ++ if (!offset || offset > (PAGE_SIZE - i_blocksize(inode))) + return; + while (1) { + page = find_lock_page(inode->i_mapping, +-- +2.16.4 + diff --git a/patches.suse/ext4-fix-checksum-errors-with-indexed-dirs.patch b/patches.suse/ext4-fix-checksum-errors-with-indexed-dirs.patch new file mode 100644 index 0000000..23dd1ec --- /dev/null +++ b/patches.suse/ext4-fix-checksum-errors-with-indexed-dirs.patch @@ -0,0 +1,135 @@ +From 48a34311953d921235f4d7bbd2111690d2e469cf Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 10 Feb 2020 15:43:16 +0100 +Subject: [PATCH] ext4: fix checksum errors with indexed dirs +Git-commit: 48a34311953d921235f4d7bbd2111690d2e469cf +Patch-mainline: v5.6-rc2 +References: bsc#1160979 + +DIR_INDEX has been introduced as a compat ext4 feature. That means that +even kernels / tools that don't understand the feature may modify the +filesystem. This works because for kernels not understanding indexed dir +format, internal htree nodes appear just as empty directory entries. +Index dir aware kernels then check the htree structure is still +consistent before using the data. This all worked reasonably well until +metadata checksums were introduced. The problem is that these +effectively made DIR_INDEX only ro-compatible because internal htree +nodes store checksums in a different place than normal directory blocks. +Thus any modification ignorant to DIR_INDEX (or just clearing +EXT4_INDEX_FL from the inode) will effectively cause checksum mismatch +and trigger kernel errors. So we have to be more careful when dealing +with indexed directories on filesystems with checksumming enabled. + +1) We just disallow loading any directory inodes with EXT4_INDEX_FL when +DIR_INDEX is not enabled. This is harsh but it should be very rare (it +means someone disabled DIR_INDEX on existing filesystem and didn't run +e2fsck), e2fsck can fix the problem, and we don't want to answer the +difficult question: "Should we rather corrupt the directory more or +should we ignore that DIR_INDEX feature is not set?" + +2) When we find out htree structure is corrupted (but the filesystem and +the directory should in support htrees), we continue just ignoring htree +information for reading but we refuse to add new entries to the +directory to avoid corrupting it more. + +Link: https://lore.kernel.org/r/20200210144316.22081-1-jack@suse.cz +Fixes: dbe89444042a ("ext4: Calculate and verify checksums for htree nodes") +Reviewed-by: Andreas Dilger +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Acked-by: Jan Kara + +--- + fs/ext4/dir.c | 14 ++++++++------ + fs/ext4/ext4.h | 5 ++++- + fs/ext4/inode.c | 12 ++++++++++++ + fs/ext4/namei.c | 7 +++++++ + 4 files changed, 31 insertions(+), 7 deletions(-) + +diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c +index 1f340743c9a8..9aa1f75409b0 100644 +--- a/fs/ext4/dir.c ++++ b/fs/ext4/dir.c +@@ -129,12 +129,14 @@ static int ext4_readdir(struct file *file, struct dir_context *ctx) + if (err != ERR_BAD_DX_DIR) { + return err; + } +- /* +- * We don't set the inode dirty flag since it's not +- * critical that it get flushed back to the disk. +- */ +- ext4_clear_inode_flag(file_inode(file), +- EXT4_INODE_INDEX); ++ /* Can we just clear INDEX flag to ignore htree information? */ ++ if (!ext4_has_metadata_csum(sb)) { ++ /* ++ * We don't set the inode dirty flag since it's not ++ * critical that it gets flushed back to the disk. ++ */ ++ ext4_clear_inode_flag(inode, EXT4_INODE_INDEX); ++ } + } + + if (ext4_has_inline_data(inode)) { +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 9a2ee2428ecc..4441331d06cc 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2544,8 +2544,11 @@ void ext4_insert_dentry(struct inode *inode, + struct ext4_filename *fname); + static inline void ext4_update_dx_flag(struct inode *inode) + { +- if (!ext4_has_feature_dir_index(inode->i_sb)) ++ if (!ext4_has_feature_dir_index(inode->i_sb)) { ++ /* ext4_iget() should have caught this... */ ++ WARN_ON_ONCE(ext4_has_feature_metadata_csum(inode->i_sb)); + ext4_clear_inode_flag(inode, EXT4_INODE_INDEX); ++ } + } + static const unsigned char ext4_filetype_table[] = { + DT_UNKNOWN, DT_REG, DT_DIR, DT_CHR, DT_BLK, DT_FIFO, DT_SOCK, DT_LNK +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 3313168b680f..c04a15fc8b6a 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4644,6 +4644,18 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + ret = -EFSCORRUPTED; + goto bad_inode; + } ++ /* ++ * If dir_index is not enabled but there's dir with INDEX flag set, ++ * we'd normally treat htree data as empty space. But with metadata ++ * checksumming that corrupts checksums so forbid that. ++ */ ++ if (!ext4_has_feature_dir_index(sb) && ext4_has_metadata_csum(sb) && ++ ext4_test_inode_flag(inode, EXT4_INODE_INDEX)) { ++ ext4_error_inode(inode, function, line, 0, ++ "iget: Dir with htree data on filesystem without dir_index feature."); ++ ret = -EFSCORRUPTED; ++ goto bad_inode; ++ } + ei->i_disksize = inode->i_size; + #ifdef CONFIG_QUOTA + ei->i_reserved_quota = 0; +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 129d2ebae00d..ceff4b4b1877 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2213,6 +2213,13 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry, + retval = ext4_dx_add_entry(handle, &fname, dir, inode); + if (!retval || (retval != ERR_BAD_DX_DIR)) + goto out; ++ /* Can we just ignore htree data? */ ++ if (ext4_has_metadata_csum(sb)) { ++ EXT4_ERROR_INODE(dir, ++ "Directory has corrupted htree index."); ++ retval = -EFSCORRUPTED; ++ goto out; ++ } + ext4_clear_inode_flag(dir, EXT4_INODE_INDEX); + dx_fallback++; + ext4_mark_inode_dirty(handle, dir); +-- +2.16.4 + diff --git a/patches.suse/ext4-fix-deadlock-allocating-crypto-bounce-page-from.patch b/patches.suse/ext4-fix-deadlock-allocating-crypto-bounce-page-from.patch new file mode 100644 index 0000000..e3baad6 --- /dev/null +++ b/patches.suse/ext4-fix-deadlock-allocating-crypto-bounce-page-from.patch @@ -0,0 +1,76 @@ +From 547c556f4db7c09447ecf5f833ab6aaae0c5ab58 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 31 Dec 2019 12:11:49 -0600 +Subject: [PATCH] ext4: fix deadlock allocating crypto bounce page from mempool +Git-commit: 547c556f4db7c09447ecf5f833ab6aaae0c5ab58 +Patch-mainline: v5.6-rc1 +References: bsc#1163842 + +ext4_writepages() on an encrypted file has to encrypt the data, but it +can't modify the pagecache pages in-place, so it encrypts the data into +bounce pages and writes those instead. All bounce pages are allocated +from a mempool using GFP_NOFS. + +This is not correct use of a mempool, and it can deadlock. This is +because GFP_NOFS includes __GFP_DIRECT_RECLAIM, which enables the "never +fail" mode for mempool_alloc() where a failed allocation will fall back +to waiting for one of the preallocated elements in the pool. + +But since this mode is used for all a bio's pages and not just the +first, it can deadlock waiting for pages already in the bio to be freed. + +This deadlock can be reproduced by patching mempool_alloc() to pretend +that pool->alloc() always fails (so that it always falls back to the +preallocations), and then creating an encrypted file of size > 128 KiB. + +Fix it by only using GFP_NOFS for the first page in the bio. For +subsequent pages just use GFP_NOWAIT, and if any of those fail, just +submit the bio and start a new one. + +This will need to be fixed in f2fs too, but that's less straightforward. + +Fixes: c9af28fdd449 ("ext4 crypto: don't let data integrity writebacks fail with ENOMEM") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Link: https://lore.kernel.org/r/20191231181149.47619-1-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/page-io.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/fs/ext4/page-io.c ++++ b/fs/ext4/page-io.c +@@ -478,17 +478,26 @@ int ext4_bio_write_page(struct ext4_io_s + nr_to_submit) { + gfp_t gfp_flags = GFP_NOFS; + ++ /* ++ * Since bounce page allocation uses a mempool, we can only use ++ * a waiting mask (i.e. request guaranteed allocation) on the ++ * first page of the bio. Otherwise it can deadlock. ++ */ ++ if (io->io_bio) ++ gfp_flags = GFP_NOWAIT | __GFP_NOWARN; + retry_encrypt: + data_page = fscrypt_encrypt_page(inode, page, PAGE_SIZE, 0, + page->index, gfp_flags); + if (IS_ERR(data_page)) { + ret = PTR_ERR(data_page); +- if (ret == -ENOMEM && wbc->sync_mode == WB_SYNC_ALL) { +- if (io->io_bio) { ++ if (ret == -ENOMEM && ++ (io->io_bio || wbc->sync_mode == WB_SYNC_ALL)) { ++ gfp_flags = GFP_NOFS; ++ if (io->io_bio) + ext4_io_submit(io); +- congestion_wait(BLK_RW_ASYNC, HZ/50); +- } +- gfp_flags |= __GFP_NOFAIL; ++ else ++ gfp_flags |= __GFP_NOFAIL; ++ congestion_wait(BLK_RW_ASYNC, HZ/50); + goto retry_encrypt; + } + data_page = NULL; diff --git a/patches.suse/ext4-improve-explanation-of-a-mount-failure-caused-b.patch b/patches.suse/ext4-improve-explanation-of-a-mount-failure-caused-b.patch new file mode 100644 index 0000000..e29ad35 --- /dev/null +++ b/patches.suse/ext4-improve-explanation-of-a-mount-failure-caused-b.patch @@ -0,0 +1,60 @@ +From d65d87a07476aa17df2dcb3ad18c22c154315bec Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 14 Feb 2020 18:11:19 -0500 +Subject: [PATCH] ext4: improve explanation of a mount failure caused by a + misconfigured kernel +Git-commit: d65d87a07476aa17df2dcb3ad18c22c154315bec +Patch-mainline: v5.6-rc2 +References: bsc#1163843 + +If CONFIG_QFMT_V2 is not enabled, but CONFIG_QUOTA is enabled, when a +user tries to mount a file system with the quota or project quota +enabled, the kernel will emit a very confusing messsage: + + EXT4-fs warning (device vdc): ext4_enable_quotas:5914: Failed to enable quota tracking (type=0, err=-3). Please run e2fsck to fix. + EXT4-fs (vdc): mount failed + +We will now report an explanatory message indicating which kernel +configuration options have to be enabled, to avoid customer/sysadmin +confusion. + +Link: https://lore.kernel.org/r/20200215012738.565735-1-tytso@mit.edu +Google-bug-id: 149093531 +Fixes: 7c319d328505b778 ("ext4: make quota as first class supported feature") +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Acked-by: Jan Kara + +--- + fs/ext4/super.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index b0b9150c9773..f131eaa52f22 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3009,17 +3009,11 @@ static int ext4_feature_set_ok(struct super_block *sb, int readonly) + return 0; + } + +-#ifndef CONFIG_QUOTA +- if (ext4_has_feature_quota(sb) && !readonly) { ++#if !defined(CONFIG_QUOTA) || !defined(CONFIG_QFMT_V2) ++ if (!readonly && (ext4_has_feature_quota(sb) || ++ ext4_has_feature_project(sb))) { + ext4_msg(sb, KERN_ERR, +- "Filesystem with quota feature cannot be mounted RDWR " +- "without CONFIG_QUOTA"); +- return 0; +- } +- if (ext4_has_feature_project(sb) && !readonly) { +- ext4_msg(sb, KERN_ERR, +- "Filesystem with project quota feature cannot be mounted RDWR " +- "without CONFIG_QUOTA"); ++ "The kernel was not built with CONFIG_QUOTA and CONFIG_QFMT_V2"); + return 0; + } + #endif /* CONFIG_QUOTA */ +-- +2.16.4 + diff --git a/patches.suse/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch b/patches.suse/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch new file mode 100644 index 0000000..b02c58a --- /dev/null +++ b/patches.suse/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch @@ -0,0 +1,76 @@ +From 51f57b01e4a3c7d7bdceffd84de35144e8c538e7 Mon Sep 17 00:00:00 2001 +From: "zhangyi (F)" +Date: Wed, 4 Dec 2019 20:46:12 +0800 +Subject: [PATCH] ext4, jbd2: ensure panic when aborting with zero errno +Git-commit: 51f57b01e4a3c7d7bdceffd84de35144e8c538e7 +Patch-mainline: v5.6-rc1 +References: bsc#1163853 + +JBD2_REC_ERR flag used to indicate the errno has been updated when jbd2 +aborted, and then __ext4_abort() and ext4_handle_error() can invoke +panic if ERRORS_PANIC is specified. But if the journal has been aborted +with zero errno, jbd2_journal_abort() didn't set this flag so we can +no longer panic. Fix this by always record the proper errno in the +journal superblock. + +Fixes: 4327ba52afd03 ("ext4, jbd2: ensure entering into panic after recording an error in superblock") +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20191204124614.45424-3-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/jbd2/checkpoint.c | 2 +- + fs/jbd2/journal.c | 15 ++++----------- + 2 files changed, 5 insertions(+), 12 deletions(-) + +diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c +index 8fff6677a5da..96bf33986d03 100644 +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -164,7 +164,7 @@ void __jbd2_log_wait_for_space(journal_t *journal) + "journal space in %s\n", __func__, + journal->j_devname); + WARN_ON(1); +- jbd2_journal_abort(journal, 0); ++ jbd2_journal_abort(journal, -EIO); + } + write_lock(&journal->j_state_lock); + } else { +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 5f9edb12f11a..9e9275540071 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -2156,12 +2156,10 @@ static void __journal_abort_soft (journal_t *journal, int errno) + + __jbd2_journal_abort_hard(journal); + +- if (errno) { +- jbd2_journal_update_sb_errno(journal); +- write_lock(&journal->j_state_lock); +- journal->j_flags |= JBD2_REC_ERR; +- write_unlock(&journal->j_state_lock); +- } ++ jbd2_journal_update_sb_errno(journal); ++ write_lock(&journal->j_state_lock); ++ journal->j_flags |= JBD2_REC_ERR; ++ write_unlock(&journal->j_state_lock); + } + + /** +@@ -2203,11 +2201,6 @@ static void __journal_abort_soft (journal_t *journal, int errno) + * failure to disk. ext3_error, for example, now uses this + * functionality. + * +- * Errors which originate from within the journaling layer will NOT +- * supply an errno; a null errno implies that absolutely no further +- * writes are done to the journal (unless there are any already in +- * progress). +- * + */ + + void jbd2_journal_abort(journal_t *journal, int errno) +-- +2.16.4 + diff --git a/patches.suse/firestream-fix-memory-leaks.patch b/patches.suse/firestream-fix-memory-leaks.patch new file mode 100644 index 0000000..d3bfa04 --- /dev/null +++ b/patches.suse/firestream-fix-memory-leaks.patch @@ -0,0 +1,57 @@ +From fa865ba183d61c1ec8cbcab8573159c3b72b89a4 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sat, 25 Jan 2020 14:33:29 +0000 +Subject: [PATCH] firestream: fix memory leaks +Git-commit: fa865ba183d61c1ec8cbcab8573159c3b72b89a4 +Patch-mainline: v5.5 +References: bsc#1051510 + +In fs_open(), 'vcc' is allocated through kmalloc() and assigned to +'atm_vcc->dev_data.' In the following execution, if an error occurs, e.g., +there is no more free channel, an error code EBUSY or ENOMEM will be +returned. However, 'vcc' is not deallocated, leading to memory leaks. Note +that, in normal cases where fs_open() returns 0, 'vcc' will be deallocated +in fs_close(). But, if fs_open() fails, there is no guarantee that +fs_close() will be invoked. + +To fix this issue, deallocate 'vcc' before the error code is returned. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/atm/firestream.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/atm/firestream.c b/drivers/atm/firestream.c +index aad00d2b28f5..cc87004d5e2d 100644 +--- a/drivers/atm/firestream.c ++++ b/drivers/atm/firestream.c +@@ -912,6 +912,7 @@ static int fs_open(struct atm_vcc *atm_vcc) + } + if (!to) { + printk ("No more free channels for FS50..\n"); ++ kfree(vcc); + return -EBUSY; + } + vcc->channo = dev->channo; +@@ -922,6 +923,7 @@ static int fs_open(struct atm_vcc *atm_vcc) + if (((DO_DIRECTION(rxtp) && dev->atm_vccs[vcc->channo])) || + ( DO_DIRECTION(txtp) && test_bit (vcc->channo, dev->tx_inuse))) { + printk ("Channel is in use for FS155.\n"); ++ kfree(vcc); + return -EBUSY; + } + } +@@ -935,6 +937,7 @@ static int fs_open(struct atm_vcc *atm_vcc) + tc, sizeof (struct fs_transmit_config)); + if (!tc) { + fs_dprintk (FS_DEBUG_OPEN, "fs: can't alloc transmit_config.\n"); ++ kfree(vcc); + return -ENOMEM; + } + +-- +2.16.4 + diff --git a/patches.suse/fix-autofs-regression-caused-by-follow_managed-changes.patch b/patches.suse/fix-autofs-regression-caused-by-follow_managed-changes.patch new file mode 100644 index 0000000..ef6a74c --- /dev/null +++ b/patches.suse/fix-autofs-regression-caused-by-follow_managed-changes.patch @@ -0,0 +1,30 @@ +From 508c8772760d4ef9c1a044519b564710c3684fc5 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue Jan 14 22:09:57 2020 -0500 +Subject: [PATCH] fix autofs regression caused by follow_managed() changes +Git-commit: 508c8772760d4ef9c1a044519b564710c3684fc5 +References: bsc#1159271 +Patch-mainline: v5.5-rc7 + +we need to reload ->d_flags after the call of ->d_manage() - the thing +might've been called with dentry still negative and have the damn thing +turned positive while we'd waited. + +Fixes: d41efb522e90 "fs/namei.c: pull positivity check into follow_managed()" +Reported-by: Ian Kent +Tested-by: Ian Kent +Signed-off-by: Al Viro +Acked-by: Goldwyn Rodrigues + +diff --git a/fs/namei.c b/fs/namei.c +index 204677c..d2720dc 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1232,6 +1232,7 @@ static int follow_managed(struct path *path, struct nameidata *nd) + BUG_ON(!path->dentry->d_op); + BUG_ON(!path->dentry->d_op->d_manage); + ret = path->dentry->d_op->d_manage(path, false); ++ flags = smp_load_acquire(&path->dentry->d_flags); + if (ret < 0) + break; + } diff --git a/patches.suse/fix-dget_parent-fastpath-race.patch b/patches.suse/fix-dget_parent-fastpath-race.patch new file mode 100644 index 0000000..7343831 --- /dev/null +++ b/patches.suse/fix-dget_parent-fastpath-race.patch @@ -0,0 +1,70 @@ +From e84009336711d2bba885fc9cea66348ddfce3758 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu Oct 31 01:43:31 2019 -0400 +Subject: [PATCH] fix dget_parent() fastpath race +Git-commit: e84009336711d2bba885fc9cea66348ddfce3758 +References: bsc#1159271 +Patch-mainline: v5.5-rc1 + +We are overoptimistic about taking the fast path there; seeing +the same value in ->d_parent after having grabbed a reference +to that parent does *not* mean that it has remained our parent +all along. + +That wouldn't be a big deal (in the end it is our parent and +we have grabbed the reference we are about to return), but... +the situation with barriers is messed up. + +We might have hit the following sequence: + +d is a dentry of /tmp/a/b +CPU1: CPU2: +parent = d->d_parent (i.e. dentry of /tmp/a) + rename /tmp/a/b to /tmp/b + rmdir /tmp/a, making its dentry negative +grab reference to parent, +end up with cached parent->d_inode (NULL) + mkdir /tmp/a, rename /tmp/b to /tmp/a/b +recheck d->d_parent, which is back to original +decide that everything's fine and return the reference we'd got. + +The trouble is, caller (on CPU1) will observe dget_parent() +returning an apparently negative dentry. It actually is positive, +but CPU1 has stale ->d_inode cached. + +Use d->d_seq to see if it has been moved instead of rechecking ->d_parent. +NOTE: we are *NOT* going to retry on any kind of ->d_seq mismatch; +we just go into the slow path in such case. We don't wait for ->d_seq +to become even either - again, if we are racing with renames, we +can bloody well go to slow path anyway. + +Signed-off-by: Al Viro +Acked-by: Goldwyn Rodrigues + +--- + fs/dcache.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -849,17 +849,19 @@ + { + int gotref; + struct dentry *ret; ++ unsigned seq; + + /* + * Do optimistic parent lookup without any + * locking. + */ + rcu_read_lock(); ++ seq = raw_seqcount_begin(&dentry->d_seq); + ret = ACCESS_ONCE(dentry->d_parent); + gotref = lockref_get_not_zero(&ret->d_lockref); + rcu_read_unlock(); + if (likely(gotref)) { +- if (likely(ret == ACCESS_ONCE(dentry->d_parent))) ++ if (!read_seqcount_retry(&dentry->d_seq, seq)) + return ret; + dput(ret); + } diff --git a/patches.suse/fs-cifs-Fix-atime-update-check-vs-mtime.patch b/patches.suse/fs-cifs-Fix-atime-update-check-vs-mtime.patch index 9133ae2..f6de9e7 100644 --- a/patches.suse/fs-cifs-Fix-atime-update-check-vs-mtime.patch +++ b/patches.suse/fs-cifs-Fix-atime-update-check-vs-mtime.patch @@ -26,7 +26,7 @@ Acked-by: Paulo Alcantara spin_lock(&inode->i_lock); /* we do not want atime to be less than mtime, it broke some apps */ - if (timespec_compare(&fattr->cf_atime, &fattr->cf_mtime)) -+ if (timespec64_compare(&fattr->cf_atime, &fattr->cf_mtime) < 0) ++ if (timespec_compare(&fattr->cf_atime, &fattr->cf_mtime) < 0) inode->i_atime = fattr->cf_mtime; else inode->i_atime = fattr->cf_atime; diff --git a/patches.suse/fs-open.c-allow-opening-only-regular-files-during-ex.patch b/patches.suse/fs-open.c-allow-opening-only-regular-files-during-ex.patch new file mode 100644 index 0000000..39647c3 --- /dev/null +++ b/patches.suse/fs-open.c-allow-opening-only-regular-files-during-ex.patch @@ -0,0 +1,64 @@ +From 73601ea5b7b18eb234219ae2adf77530f389da79 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Thu, 28 Mar 2019 20:43:30 -0700 +Subject: [PATCH] fs/open.c: allow opening only regular files during execve() +Git-commit: 73601ea5b7b18eb234219ae2adf77530f389da79 +Patch-mainline: v5.1-rc3 +References: bsc#1163845 + +syzbot is hitting lockdep warning [1] due to trying to open a fifo +during an execve() operation. But we don't need to open non regular +files during an execve() operation, for all files which we will need are +the executable file itself and the interpreter programs like /bin/sh and +ld-linux.so.2 . + +Since the manpage for execve(2) says that execve() returns EACCES when +the file or a script interpreter is not a regular file, and the manpage +for uselib(2) says that uselib() can return EACCES, and we use +FMODE_EXEC when opening for execve()/uselib(), we can bail out if a non +regular file is requested with FMODE_EXEC set. + +Since this deadlock followed by khungtaskd warnings is trivially +reproducible by a local unprivileged user, and syzbot's frequent crash +due to this deadlock defers finding other bugs, let's workaround this +deadlock until we get a chance to find a better solution. + +[1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce + +Link: http://lkml.kernel.org/r/1552044017-7890-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp +Reported-by: syzbot +Fixes: 8924feff66f35fe2 ("splice: lift pipe_lock out of splice_to_pipe()") +Signed-off-by: Tetsuo Handa +Acked-by: Kees Cook +Cc: Al Viro +Cc: Eric Biggers +Cc: Dmitry Vyukov +Cc: [4.9+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Jan Kara + +--- + fs/open.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/open.c b/fs/open.c +index 0285ce7dbd51..f1c2f855fd43 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -733,6 +733,12 @@ static int do_dentry_open(struct file *f, + return 0; + } + ++ /* Any file opened for execve()/uselib() has to be a regular file. */ ++ if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) { ++ error = -EACCES; ++ goto cleanup_file; ++ } ++ + if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) { + error = get_write_access(inode); + if (unlikely(error)) +-- +2.16.4 + diff --git a/patches.suse/fscrypt-don-t-set-policy-for-a-dead-directory.patch b/patches.suse/fscrypt-don-t-set-policy-for-a-dead-directory.patch new file mode 100644 index 0000000..ea41372 --- /dev/null +++ b/patches.suse/fscrypt-don-t-set-policy-for-a-dead-directory.patch @@ -0,0 +1,44 @@ +From 5858bdad4d0d0fc18bf29f34c3ac836e0b59441f Mon Sep 17 00:00:00 2001 +From: Hongjie Fang +Date: Wed, 22 May 2019 10:02:53 +0800 +Subject: [PATCH] fscrypt: don't set policy for a dead directory +Git-commit: 5858bdad4d0d0fc18bf29f34c3ac836e0b59441f +Patch-mainline: v5.3-rc1 +References: bsc#1163846 + +The directory may have been removed when entering +fscrypt_ioctl_set_policy(). If so, the empty_dir() check will return +error for ext4 file system. + +ext4_rmdir() sets i_size = 0, then ext4_empty_dir() reports an error +because 'inode->i_size < EXT4_DIR_REC_LEN(1) + EXT4_DIR_REC_LEN(2)'. If +the fs is mounted with errors=panic, it will trigger a panic issue. + +Add the check IS_DEADDIR() to fix this problem. + +Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support") +Cc: # v4.1+ +Signed-off-by: Hongjie Fang +Signed-off-by: Eric Biggers +Acked-by: Jan Kara + +--- + fs/crypto/policy.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c +index d536889ac31b..4941fe8471ce 100644 +--- a/fs/crypto/policy.c ++++ b/fs/crypto/policy.c +@@ -81,6 +81,8 @@ int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg) + if (ret == -ENODATA) { + if (!S_ISDIR(inode->i_mode)) + ret = -ENOTDIR; ++ else if (IS_DEADDIR(inode)) ++ ret = -ENOENT; + else if (!inode->i_sb->s_cop->empty_dir(inode)) + ret = -ENOTEMPTY; + else +-- +2.16.4 + diff --git a/patches.suse/fsnamei.c-fix-missing-barriers-when-checking-positivity.patch b/patches.suse/fsnamei.c-fix-missing-barriers-when-checking-positivity.patch new file mode 100644 index 0000000..1dc2339 --- /dev/null +++ b/patches.suse/fsnamei.c-fix-missing-barriers-when-checking-positivity.patch @@ -0,0 +1,114 @@ +From 2fa6b1e01a9b1a54769c394f06cd72c3d12a2d48 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue Nov 12 16:13:06 2019 -0500 +Subject: [PATCH] fs/namei.c: fix missing barriers when checking positivity +Git-commit: 2fa6b1e01a9b1a54769c394f06cd72c3d12a2d48 +References: bsc#1159271 +Patch-mainline: v5.5-rc1 + +Pinned negative dentries can, generally, be made positive +by another thread. Conditions that prevent that are + * ->d_lock on dentry in question + * parent directory held at least shared + * nobody else could have observed the address of dentry +Most of the places working with those fall into one of those +categories; however, d_lookup() and friends need to be used +with some care. Fortunately, there's not a lot of call sites, +and with few exceptions all of those fall under one of the +cases above. + +Exceptions are all in fs/namei.c - in lookup_fast(), lookup_dcache() +and mountpoint_last(). Another one is lookup_slow() - there +dcache lookup is done with parent held shared, but the result +is used after we'd drop the lock. The same happens in do_last() - +the lookup (in lookup_one()) is done with parent locked, but +result is used after unlocking. + +lookup_fast(), do_last() and mountpoint_last() flat-out reject +negatives. + +Most of lookup_dcache() calls are made with parent locked at least +shared; the only exception is lookup_one_len_unlocked(). It might +return pinned negative, needs serious care from callers. Fortunately, +almost nobody calls it directly anymore; all but two callers have +converted to lookup_positive_unlocked(), which rejects negatives. + +lookup_slow() is called by the same lookup_one_len_unlocked() (see +above), mountpoint_last() and walk_component(). In those two negatives +are rejected. + +In other words, there is a small set of places where we need to +check carefully if a pinned potentially negative dentry is, in +fact, positive. After that check we want to be sure that both +->d_inode and type bits in ->d_flags are stable and observed. +The set consists of follow_managed() (where the rejection happens +for lookup_fast(), walk_component() and do_last()), last_mountpoint() +and lookup_positive_unlocked(). + +Solution: + 1) transition from negative to positive (in __d_set_inode_and_type()) +stores ->d_inode, then uses smp_store_release() to set ->d_flags type bits. + 2) aforementioned 3 places in fs/namei.c fetch ->d_flags with +smp_load_acquire() and bugger off if it type bits say "negative". +That way anyone downstream of those checks has dentry know positive pinned, +with ->d_inode and type bits of ->d_flags stable and observed. + +I considered splitting off d_lookup_positive(), so that the checks could +be done right there, under ->d_lock. However, that leads to massive +duplication of rather subtle code in fs/namei.c and fs/dcache.c. It's +worse than it might seem, thanks to autofs ->d_manage() getting involved ;-/ +No matter what, autofs_d_manage()/autofs_d_automount() must live with +the possibility of pinned negative dentry passed their way, becoming +positive under them - that's the intended behaviour when lookup comes +in the middle of automount in progress, so we can't keep them out of +the area that has to deal with those, more's the pity... + +Reported-by: Ritesh Harjani +Signed-off-by: Al Viro +Acked-by: Goldwyn Rodrigues + +--- + fs/dcache.c | 2 +- + fs/namei.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -315,7 +315,7 @@ + flags = READ_ONCE(dentry->d_flags); + flags &= ~(DCACHE_ENTRY_TYPE | DCACHE_FALLTHRU); + flags |= type_flags; +- WRITE_ONCE(dentry->d_flags, flags); ++ smp_store_release(&dentry->d_flags, flags); + } + + static inline void __d_clear_type_and_inode(struct dentry *dentry) +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1242,7 +1242,7 @@ + /* Given that we're not holding a lock here, we retain the value in a + * local variable for each dentry as we look at it so that we don't see + * the components of that value change under us */ +- while (flags = READ_ONCE(path->dentry->d_flags), ++ while (flags = smp_load_acquire(&path->dentry->d_flags), + unlikely(flags & DCACHE_MANAGED_DENTRY)) { + /* Allow the filesystem to manage the transit without i_mutex + * being held. */ +@@ -2601,7 +2601,7 @@ + struct dentry *base, int len) + { + struct dentry *ret = lookup_one_len_unlocked(name, base, len); +- if (!IS_ERR(ret) && d_is_negative(ret)) { ++ if (!IS_ERR(ret) && d_flags_negative(smp_load_acquire(&ret->d_flags))) { + dput(ret); + ret = ERR_PTR(-ENOENT); + } +@@ -2703,7 +2703,7 @@ + return PTR_ERR(path.dentry); + } + } +- if (d_is_negative(path.dentry)) { ++ if (d_flags_negative(smp_load_acquire(&path.dentry->d_flags))) { + dput(path.dentry); + return -ENOENT; + } diff --git a/patches.suse/fsnamei.c-pull-positivity-check-into-follow_managed.patch b/patches.suse/fsnamei.c-pull-positivity-check-into-follow_managed.patch new file mode 100644 index 0000000..23e1dfe --- /dev/null +++ b/patches.suse/fsnamei.c-pull-positivity-check-into-follow_managed.patch @@ -0,0 +1,147 @@ +From d41efb522e902364ab09c782d511c1bedc388ddd Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Mon Nov 4 22:30:52 2019 -0500 +Subject: [PATCH] fs/namei.c: pull positivity check into follow_managed() +Git-commit: d41efb522e902364ab09c782d511c1bedc388ddd +References: bsc#1159271 +Patch-mainline: v5.5-rc1 + +There are 4 callers; two proceed to check if result is positive and +fail with ENOENT if it isn't; one (in handle_lookup_down()) is +guaranteed to yield positive and one (in lookup_fast()) is _preceded_ +by positivity check. + +However, follow_managed() on a negative dentry is a (fairly cheap) +no-op on anything other than autofs. And negative autofs dentries +are never hashed, so lookup_fast() is not going to run into one +of those. Moreover, successful follow_managed() on a _positive_ +dentry never yields a negative one (and we significantly rely upon +that in callers of lookup_fast()). + +In other words, we can easily transpose the positivity check and +the call of follow_managed() in lookup_fast(). And that allows +to fold the positivity check *into* follow_managed(), simplifying +life for the code downstream of its calls. + +Signed-off-by: Al Viro +Acked-by: Goldwyn Rodrigues + +diff --git a/fs/namei.c b/fs/namei.c +index 671c3c1..ef55155 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1206,25 +1206,25 @@ static int follow_automount(struct path *path, struct nameidata *nd, + * - Flagged as automount point + * + * This may only be called in refwalk mode. ++ * On success path->dentry is known positive. + * + * Serialization is taken care of in namespace.c + */ + static int follow_managed(struct path *path, struct nameidata *nd) + { + struct vfsmount *mnt = path->mnt; /* held by caller, must be left alone */ +- unsigned managed; ++ unsigned flags; + bool need_mntput = false; + int ret = 0; + + /* Given that we're not holding a lock here, we retain the value in a + * local variable for each dentry as we look at it so that we don't see + * the components of that value change under us */ +- while (managed = READ_ONCE(path->dentry->d_flags), +- managed &= DCACHE_MANAGED_DENTRY, +- unlikely(managed != 0)) { ++ while (flags = READ_ONCE(path->dentry->d_flags), ++ unlikely(flags & DCACHE_MANAGED_DENTRY)) { + /* Allow the filesystem to manage the transit without i_mutex + * being held. */ +- if (managed & DCACHE_MANAGE_TRANSIT) { ++ if (flags & DCACHE_MANAGE_TRANSIT) { + BUG_ON(!path->dentry->d_op); + BUG_ON(!path->dentry->d_op->d_manage); + ret = path->dentry->d_op->d_manage(path, false); +@@ -1233,7 +1233,7 @@ static int follow_managed(struct path *path, struct nameidata *nd) + } + + /* Transit to a mounted filesystem. */ +- if (managed & DCACHE_MOUNTED) { ++ if (flags & DCACHE_MOUNTED) { + struct vfsmount *mounted = lookup_mnt(path); + if (mounted) { + dput(path->dentry); +@@ -1252,7 +1252,7 @@ static int follow_managed(struct path *path, struct nameidata *nd) + } + + /* Handle an automount point */ +- if (managed & DCACHE_NEED_AUTOMOUNT) { ++ if (flags & DCACHE_NEED_AUTOMOUNT) { + ret = follow_automount(path, nd, &need_mntput); + if (ret < 0) + break; +@@ -1265,10 +1265,12 @@ static int follow_managed(struct path *path, struct nameidata *nd) + + if (need_mntput && path->mnt == mnt) + mntput(path->mnt); +- if (ret == -EISDIR || !ret) +- ret = 1; + if (need_mntput) + nd->flags |= LOOKUP_JUMPED; ++ if (ret == -EISDIR || !ret) ++ ret = 1; ++ if (ret > 0 && unlikely(d_flags_negative(flags))) ++ ret = -ENOENT; + if (unlikely(ret < 0)) + path_put_conditional(path, nd); + return ret; +@@ -1617,10 +1619,6 @@ static int lookup_fast(struct nameidata *nd, + dput(dentry); + return status; + } +- if (unlikely(d_is_negative(dentry))) { +- dput(dentry); +- return -ENOENT; +- } + + path->mnt = mnt; + path->dentry = dentry; +@@ -1807,11 +1805,6 @@ static int walk_component(struct nameidata *nd, int flags) + if (unlikely(err < 0)) + return err; + +- if (unlikely(d_is_negative(path.dentry))) { +- path_to_nameidata(&path, nd); +- return -ENOENT; +- } +- + seq = 0; /* we are already out of RCU mode */ + inode = d_backing_inode(path.dentry); + } +@@ -3352,11 +3345,6 @@ static int do_last(struct nameidata *nd, + if (unlikely(error < 0)) + return error; + +- if (unlikely(d_is_negative(path.dentry))) { +- path_to_nameidata(&path, nd); +- return -ENOENT; +- } +- + /* + * create/update audit record if it already exists. + */ +diff --git a/include/linux/dcache.h b/include/linux/dcache.h +index 10090f1..c1488cc 100644 +--- a/include/linux/dcache.h ++++ b/include/linux/dcache.h +@@ -440,6 +440,11 @@ static inline bool d_is_negative(const struct dentry *dentry) + return d_is_miss(dentry); + } + ++static inline bool d_flags_negative(unsigned flags) ++{ ++ return (flags & DCACHE_ENTRY_TYPE) == DCACHE_MISS_TYPE; ++} ++ + static inline bool d_is_positive(const struct dentry *dentry) + { + return !d_is_negative(dentry); diff --git a/patches.suse/ftrace-add-comment-to-why-rcu_dereference_sched-is-open-coded.patch b/patches.suse/ftrace-add-comment-to-why-rcu_dereference_sched-is-open-coded.patch new file mode 100644 index 0000000..e689e0e --- /dev/null +++ b/patches.suse/ftrace-add-comment-to-why-rcu_dereference_sched-is-open-coded.patch @@ -0,0 +1,49 @@ +From: "Steven Rostedt (VMware)" +Date: Wed, 5 Feb 2020 02:17:57 -0500 +Subject: ftrace: Add comment to why rcu_dereference_sched() is open coded +Git-commit: 16052dd5bdfa16dbe18d8c1d4cde2ddab9d23177 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Because the function graph tracer can execute in sections where RCU is not +"watching", the rcu_dereference_sched() for the has needs to be open coded. +This is fine because the RCU "flavor" of the ftrace hash is protected by +its own RCU handling (it does its own little synchronization on every CPU +and does not rely on RCU sched). + +Acked-by: Joel Fernandes (Google) +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Miroslav Benes +--- + kernel/trace/trace.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h +index 022def96d307..8c52f5de9384 100644 +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -975,6 +975,11 @@ static inline int ftrace_graph_addr(struct ftrace_graph_ent *trace) + + preempt_disable_notrace(); + ++ /* ++ * Have to open code "rcu_dereference_sched()" because the ++ * function graph tracer can be called when RCU is not ++ * "watching". ++ */ + hash = rcu_dereference_protected(ftrace_graph_hash, !preemptible()); + + if (ftrace_hash_empty(hash)) { +@@ -1022,6 +1027,11 @@ static inline int ftrace_graph_notrace_addr(unsigned long addr) + + preempt_disable_notrace(); + ++ /* ++ * Have to open code "rcu_dereference_sched()" because the ++ * function graph tracer can be called when RCU is not ++ * "watching". ++ */ + notrace_hash = rcu_dereference_protected(ftrace_graph_notrace_hash, + !preemptible()); + + diff --git a/patches.suse/ftrace-protect-ftrace_graph_hash-with-ftrace_sync.patch b/patches.suse/ftrace-protect-ftrace_graph_hash-with-ftrace_sync.patch new file mode 100644 index 0000000..c5ff8af --- /dev/null +++ b/patches.suse/ftrace-protect-ftrace_graph_hash-with-ftrace_sync.patch @@ -0,0 +1,62 @@ +From: "Steven Rostedt (VMware)" +Date: Wed, 5 Feb 2020 09:20:32 -0500 +Subject: ftrace: Protect ftrace_graph_hash with ftrace_sync +Git-commit: 54a16ff6f2e50775145b210bcd94d62c3c2af117 +Patch-mainline: v5.6-rc1 +References: git-fixes + +As function_graph tracer can run when RCU is not "watching", it can not be +protected by synchronize_rcu() it requires running a task on each CPU before +it can be freed. Calling schedule_on_each_cpu(ftrace_sync) needs to be used. + +Link: https://lore.kernel.org/r/20200205131110.GT2935@paulmck-ThinkPad-P72 + +Cc: stable@vger.kernel.org +Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables") +Reported-by: "Paul E. McKenney" +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Miroslav Benes +--- + kernel/trace/ftrace.c | 11 +++++++++-- + kernel/trace/trace.h | 2 ++ + 2 files changed, 11 insertions(+), 2 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5079,8 +5079,15 @@ ftrace_graph_release(struct inode *inode + + mutex_unlock(&graph_lock); + +- /* Wait till all users are no longer using the old hash */ +- synchronize_sched(); ++ /* ++ * We need to do a hard force of sched synchronization. ++ * This is because we use preempt_disable() to do RCU, but ++ * the function tracers can be called where RCU is not watching ++ * (like before user_exit()). We can not rely on the RCU ++ * infrastructure to do the synchronization, thus we must do it ++ * ourselves. ++ */ ++ schedule_on_each_cpu(ftrace_sync); + + free_ftrace_hash(old_hash); + } +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -825,6 +825,7 @@ static inline int ftrace_graph_addr(unsi + * Have to open code "rcu_dereference_sched()" because the + * function graph tracer can be called when RCU is not + * "watching". ++ * Protected with schedule_on_each_cpu(ftrace_sync) + */ + hash = rcu_dereference_protected(ftrace_graph_hash, !preemptible()); + +@@ -862,6 +863,7 @@ static inline int ftrace_graph_notrace_a + * Have to open code "rcu_dereference_sched()" because the + * function graph tracer can be called when RCU is not + * "watching". ++ * Protected with schedule_on_each_cpu(ftrace_sync) + */ + notrace_hash = rcu_dereference_protected(ftrace_graph_notrace_hash, + !preemptible()); diff --git a/patches.suse/genirq-proc-Return-proper-error-code-when-irq_set_af.patch b/patches.suse/genirq-proc-Return-proper-error-code-when-irq_set_af.patch new file mode 100644 index 0000000..f9f7131 --- /dev/null +++ b/patches.suse/genirq-proc-Return-proper-error-code-when-irq_set_af.patch @@ -0,0 +1,43 @@ +From 6714796edcce27f7a1845e2f79783cd51bb4799b Mon Sep 17 00:00:00 2001 +From: Wen Yaxng +Date: Wed, 8 Nov 2017 09:55:03 +0800 +Subject: [PATCH] genirq/proc: Return proper error code when irq_set_affinity() + fails +Git-commit: 6714796edcce27f7a1845e2f79783cd51bb4799b +Patch-mainline: 4.15-rc1 +References: bnc#1105392 + +write_irq_affinity() returns the number of written bytes, which means +success, unconditionally whether the actual irq_set_affinity() call +succeeded or not. + +Add proper error handling and pass the error code returned from +irq_set_affinity() back to user space in case of failure. + +[ tglx: Fixed coding style and massaged changelog ] + +Signed-off-by: Wen Yang +Signed-off-by: Thomas Gleixner +Reviewed-by: Jiang Biao +Cc: zhong.weidong@zte.com.cn +Link: https://lkml.kernel.org/r/1510106103-184761-1-git-send-email-wen.yang99@zte.com.cn +Acked-by: Michal Hocko + +--- + kernel/irq/proc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/irq/proc.c ++++ b/kernel/irq/proc.c +@@ -124,8 +124,9 @@ static ssize_t write_irq_affinity(int ty + code to set default SMP affinity. */ + err = irq_select_affinity_usr(irq, new_value) ? -EINVAL : count; + } else { +- irq_set_affinity(irq, new_value); +- err = count; ++ err = irq_set_affinity(irq, new_value); ++ if (!err) ++ err = count; + } + + free_cpumask: diff --git a/patches.suse/gtp-avoid-zero-size-hashtable.patch b/patches.suse/gtp-avoid-zero-size-hashtable.patch new file mode 100644 index 0000000..17e24b8 --- /dev/null +++ b/patches.suse/gtp-avoid-zero-size-hashtable.patch @@ -0,0 +1,37 @@ +From: Taehee Yoo +Date: Wed, 11 Dec 2019 08:23:48 +0000 +Subject: gtp: avoid zero size hashtable +Git-commit: 6a902c0f31993ab02e1b6ea7085002b9c9083b6a +Patch-mainline: 5.5-rc3 +References: networking-stable-20_01_01 + +GTP default hashtable size is 1024 and userspace could set specific +hashtable size with IFLA_GTP_PDP_HASHSIZE. If hashtable size is set to 0 +from userspace, hashtable will not work and panic will occur. + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: Jakub Kicinski +Signed-off-by: Jiri Slaby +--- + drivers/net/gtp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -658,10 +658,13 @@ static int gtp_newlink(struct net *src_n + if (err < 0) + return err; + +- if (!data[IFLA_GTP_PDP_HASHSIZE]) ++ if (!data[IFLA_GTP_PDP_HASHSIZE]) { + hashsize = 1024; +- else ++ } else { + hashsize = nla_get_u32(data[IFLA_GTP_PDP_HASHSIZE]); ++ if (!hashsize) ++ hashsize = 1024; ++ } + + err = gtp_hashtable_new(gtp, hashsize); + if (err < 0) diff --git a/patches.suse/gtp-do-not-allow-adding-duplicate-tid-and-ms_addr-pd.patch b/patches.suse/gtp-do-not-allow-adding-duplicate-tid-and-ms_addr-pd.patch new file mode 100644 index 0000000..0ab00d8 --- /dev/null +++ b/patches.suse/gtp-do-not-allow-adding-duplicate-tid-and-ms_addr-pd.patch @@ -0,0 +1,86 @@ +From: Taehee Yoo +Date: Wed, 11 Dec 2019 08:23:00 +0000 +Subject: gtp: do not allow adding duplicate tid and ms_addr pdp context +Git-commit: 6b01b1d9b2d38dc84ac398bfe9f00baff06a31e5 +Patch-mainline: 5.5-rc3 +References: networking-stable-20_01_01 + +GTP RX packet path lookups pdp context with TID. If duplicate TID pdp +contexts are existing in the list, it couldn't select correct pdp context. +So, TID value should be unique. +GTP TX packet path lookups pdp context with ms_addr. If duplicate ms_addr pdp +contexts are existing in the list, it couldn't select correct pdp context. +So, ms_addr value should be unique. + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: Jakub Kicinski +Signed-off-by: Jiri Slaby +--- + drivers/net/gtp.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -908,24 +908,31 @@ static void ipv4_pdp_fill(struct pdp_ctx + } + } + +-static int ipv4_pdp_add(struct gtp_dev *gtp, struct sock *sk, +- struct genl_info *info) ++static int gtp_pdp_add(struct gtp_dev *gtp, struct sock *sk, ++ struct genl_info *info) + { ++ struct pdp_ctx *pctx, *pctx_tid = NULL; + struct net_device *dev = gtp->dev; + u32 hash_ms, hash_tid = 0; +- struct pdp_ctx *pctx; ++ unsigned int version; + bool found = false; + __be32 ms_addr; + + ms_addr = nla_get_be32(info->attrs[GTPA_MS_ADDRESS]); + hash_ms = ipv4_hashfn(ms_addr) % gtp->hash_size; ++ version = nla_get_u32(info->attrs[GTPA_VERSION]); + +- hlist_for_each_entry_rcu(pctx, >p->addr_hash[hash_ms], hlist_addr) { +- if (pctx->ms_addr_ip4.s_addr == ms_addr) { +- found = true; +- break; +- } +- } ++ pctx = ipv4_pdp_find(gtp, ms_addr); ++ if (pctx) ++ found = true; ++ if (version == GTP_V0) ++ pctx_tid = gtp0_pdp_find(gtp, ++ nla_get_u64(info->attrs[GTPA_TID])); ++ else if (version == GTP_V1) ++ pctx_tid = gtp1_pdp_find(gtp, ++ nla_get_u32(info->attrs[GTPA_I_TEI])); ++ if (pctx_tid) ++ found = true; + + if (found) { + if (info->nlhdr->nlmsg_flags & NLM_F_EXCL) +@@ -933,6 +940,11 @@ static int ipv4_pdp_add(struct gtp_dev * + if (info->nlhdr->nlmsg_flags & NLM_F_REPLACE) + return -EOPNOTSUPP; + ++ if (pctx && pctx_tid) ++ return -EEXIST; ++ if (!pctx) ++ pctx = pctx_tid; ++ + ipv4_pdp_fill(pctx, info); + + if (pctx->gtp_version == GTP_V0) +@@ -1055,7 +1067,7 @@ static int gtp_genl_new_pdp(struct sk_bu + goto out_unlock; + } + +- err = ipv4_pdp_add(gtp, sk, info); ++ err = gtp_pdp_add(gtp, sk, info); + + out_unlock: + rcu_read_unlock(); diff --git a/patches.suse/gtp-fix-an-use-after-free-in-ipv4_pdp_find.patch b/patches.suse/gtp-fix-an-use-after-free-in-ipv4_pdp_find.patch new file mode 100644 index 0000000..b37a3bc --- /dev/null +++ b/patches.suse/gtp-fix-an-use-after-free-in-ipv4_pdp_find.patch @@ -0,0 +1,159 @@ +From: Taehee Yoo +Date: Wed, 11 Dec 2019 08:23:34 +0000 +Subject: gtp: fix an use-after-free in ipv4_pdp_find() +Git-commit: 94dc550a5062030569d4aa76e10e50c8fc001930 +Patch-mainline: 5.5-rc3 +References: networking-stable-20_01_01 + +ipv4_pdp_find() is called in TX packet path of GTP. +ipv4_pdp_find() internally uses gtp->tid_hash to lookup pdp context. +In the current code, gtp->tid_hash and gtp->addr_hash are freed by +->dellink(), which is gtp_dellink(). +But gtp_dellink() would be called while packets are processing. +So, gtp_dellink() should not free gtp->tid_hash and gtp->addr_hash. +Instead, dev->priv_destructor() would be used because this callback +is called after all packet processing safely. + +Test commands: + ip link add veth1 type veth peer name veth2 + ip a a 172.0.0.1/24 dev veth1 + ip link set veth1 up + ip a a 172.99.0.1/32 dev lo + + gtp-link add gtp1 & + + gtp-tunnel add gtp1 v1 200 100 172.99.0.2 172.0.0.2 + ip r a 172.99.0.2/32 dev gtp1 + ip link set gtp1 mtu 1500 + + ip netns add ns2 + ip link set veth2 netns ns2 + ip netns exec ns2 ip a a 172.0.0.2/24 dev veth2 + ip netns exec ns2 ip link set veth2 up + ip netns exec ns2 ip a a 172.99.0.2/32 dev lo + ip netns exec ns2 ip link set lo up + + ip netns exec ns2 gtp-link add gtp2 & + ip netns exec ns2 gtp-tunnel add gtp2 v1 100 200 172.99.0.1 172.0.0.1 + ip netns exec ns2 ip r a 172.99.0.1/32 dev gtp2 + ip netns exec ns2 ip link set gtp2 mtu 1500 + + hping3 172.99.0.2 -2 --flood & + ip link del gtp1 + +Splat looks like: +[ 72.568081][ T1195] BUG: KASAN: use-after-free in ipv4_pdp_find.isra.12+0x130/0x170 [gtp] +[ 72.568916][ T1195] Read of size 8 at addr ffff8880b9a35d28 by task hping3/1195 +[ 72.569631][ T1195] +[ 72.569861][ T1195] CPU: 2 PID: 1195 Comm: hping3 Not tainted 5.5.0-rc1 #199 +[ 72.570547][ T1195] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 72.571438][ T1195] Call Trace: +[ 72.571764][ T1195] dump_stack+0x96/0xdb +[ 72.572171][ T1195] ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp] +[ 72.572761][ T1195] print_address_description.constprop.5+0x1be/0x360 +[ 72.573400][ T1195] ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp] +[ 72.573971][ T1195] ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp] +[ 72.574544][ T1195] __kasan_report+0x12a/0x16f +[ 72.575014][ T1195] ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp] +[ 72.575593][ T1195] kasan_report+0xe/0x20 +[ 72.576004][ T1195] ipv4_pdp_find.isra.12+0x130/0x170 [gtp] +[ 72.576577][ T1195] gtp_build_skb_ip4+0x199/0x1420 [gtp] +[ ... ] +[ 72.647671][ T1195] BUG: unable to handle page fault for address: ffff8880b9a35d28 +[ 72.648512][ T1195] #PF: supervisor read access in kernel mode +[ 72.649158][ T1195] #PF: error_code(0x0000) - not-present page +[ 72.649849][ T1195] PGD a6c01067 P4D a6c01067 PUD 11fb07067 PMD 11f939067 PTE 800fffff465ca060 +[ 72.652958][ T1195] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 72.653834][ T1195] CPU: 2 PID: 1195 Comm: hping3 Tainted: G B 5.5.0-rc1 #199 +[ 72.668062][ T1195] RIP: 0010:ipv4_pdp_find.isra.12+0x86/0x170 [gtp] +[ ... ] +[ 72.679168][ T1195] Call Trace: +[ 72.679603][ T1195] gtp_build_skb_ip4+0x199/0x1420 [gtp] +[ 72.681915][ T1195] ? ipv4_pdp_find.isra.12+0x170/0x170 [gtp] +[ 72.682513][ T1195] ? lock_acquire+0x164/0x3b0 +[ 72.682966][ T1195] ? gtp_dev_xmit+0x35e/0x890 [gtp] +[ 72.683481][ T1195] gtp_dev_xmit+0x3c2/0x890 [gtp] +[ ... ] + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: Jakub Kicinski +Signed-off-by: Jiri Slaby +--- + drivers/net/gtp.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -631,9 +631,16 @@ static void gtp_link_setup(struct net_de + } + + static int gtp_hashtable_new(struct gtp_dev *gtp, int hsize); +-static void gtp_hashtable_free(struct gtp_dev *gtp); + static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]); + ++static void gtp_destructor(struct net_device *dev) ++{ ++ struct gtp_dev *gtp = netdev_priv(dev); ++ ++ kfree(gtp->addr_hash); ++ kfree(gtp->tid_hash); ++} ++ + static int gtp_newlink(struct net *src_net, struct net_device *dev, + struct nlattr *tb[], struct nlattr *data[], + struct netlink_ext_ack *extack) +@@ -668,13 +675,15 @@ static int gtp_newlink(struct net *src_n + + gn = net_generic(dev_net(dev), gtp_net_id); + list_add_rcu(>p->list, &gn->gtp_dev_list); ++ dev->priv_destructor = gtp_destructor; + + netdev_dbg(dev, "registered new GTP interface\n"); + + return 0; + + out_hashtable: +- gtp_hashtable_free(gtp); ++ kfree(gtp->addr_hash); ++ kfree(gtp->tid_hash); + out_encap: + gtp_encap_disable(gtp); + return err; +@@ -683,9 +692,14 @@ out_encap: + static void gtp_dellink(struct net_device *dev, struct list_head *head) + { + struct gtp_dev *gtp = netdev_priv(dev); ++ struct pdp_ctx *pctx; ++ int i; ++ ++ for (i = 0; i < gtp->hash_size; i++) ++ hlist_for_each_entry_rcu(pctx, >p->tid_hash[i], hlist_tid) ++ pdp_context_delete(pctx); + + gtp_encap_disable(gtp); +- gtp_hashtable_free(gtp); + list_del_rcu(>p->list); + unregister_netdevice_queue(dev, head); + } +@@ -760,20 +774,6 @@ err1: + return -ENOMEM; + } + +-static void gtp_hashtable_free(struct gtp_dev *gtp) +-{ +- struct pdp_ctx *pctx; +- int i; +- +- for (i = 0; i < gtp->hash_size; i++) +- hlist_for_each_entry_rcu(pctx, >p->tid_hash[i], hlist_tid) +- pdp_context_delete(pctx); +- +- synchronize_rcu(); +- kfree(gtp->addr_hash); +- kfree(gtp->tid_hash); +-} +- + static struct sock *gtp_encap_enable_socket(int fd, int type, + struct gtp_dev *gtp) + { diff --git a/patches.suse/gtp-fix-wrong-condition-in-gtp_genl_dump_pdp.patch b/patches.suse/gtp-fix-wrong-condition-in-gtp_genl_dump_pdp.patch new file mode 100644 index 0000000..8d38b50 --- /dev/null +++ b/patches.suse/gtp-fix-wrong-condition-in-gtp_genl_dump_pdp.patch @@ -0,0 +1,100 @@ +From: Taehee Yoo +Date: Wed, 11 Dec 2019 08:23:17 +0000 +Subject: gtp: fix wrong condition in gtp_genl_dump_pdp() +Git-commit: 94a6d9fb88df43f92d943c32b84ce398d50bf49f +Patch-mainline: 5.5-rc3 +References: networking-stable-20_01_01 + +gtp_genl_dump_pdp() is ->dumpit() callback of GTP module and it is used +to dump pdp contexts. it would be re-executed because of dump packet size. + +If dump packet size is too big, it saves current dump pointer +(gtp interface pointer, bucket, TID value) then it restarts dump from +last pointer. +Current GTP code allows adding zero TID pdp context but dump code +ignores zero TID value. So, last dump pointer will not be found. + +In addition, this patch adds missing rcu_read_lock() in +gtp_genl_dump_pdp(). + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: Jakub Kicinski +Signed-off-by: Jiri Slaby +--- + drivers/net/gtp.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -42,7 +42,6 @@ struct pdp_ctx { + struct hlist_node hlist_addr; + + union { +- u64 tid; + struct { + u64 tid; + u16 flow; +@@ -1224,43 +1223,46 @@ static int gtp_genl_dump_pdp(struct sk_b + struct netlink_callback *cb) + { + struct gtp_dev *last_gtp = (struct gtp_dev *)cb->args[2], *gtp; ++ int i, j, bucket = cb->args[0], skip = cb->args[1]; + struct net *net = sock_net(skb->sk); +- struct gtp_net *gn = net_generic(net, gtp_net_id); +- unsigned long tid = cb->args[1]; +- int i, k = cb->args[0], ret; + struct pdp_ctx *pctx; ++ struct gtp_net *gn; ++ ++ gn = net_generic(net, gtp_net_id); + + if (cb->args[4]) + return 0; + ++ rcu_read_lock(); + list_for_each_entry_rcu(gtp, &gn->gtp_dev_list, list) { + if (last_gtp && last_gtp != gtp) + continue; + else + last_gtp = NULL; + +- for (i = k; i < gtp->hash_size; i++) { +- hlist_for_each_entry_rcu(pctx, >p->tid_hash[i], hlist_tid) { +- if (tid && tid != pctx->u.tid) +- continue; +- else +- tid = 0; +- +- ret = gtp_genl_fill_info(skb, +- NETLINK_CB(cb->skb).portid, +- cb->nlh->nlmsg_seq, +- cb->nlh->nlmsg_type, pctx); +- if (ret < 0) { ++ for (i = bucket; i < gtp->hash_size; i++) { ++ j = 0; ++ hlist_for_each_entry_rcu(pctx, >p->tid_hash[i], ++ hlist_tid) { ++ if (j >= skip && ++ gtp_genl_fill_info(skb, ++ NETLINK_CB(cb->skb).portid, ++ cb->nlh->nlmsg_seq, ++ cb->nlh->nlmsg_type, pctx)) { + cb->args[0] = i; +- cb->args[1] = pctx->u.tid; ++ cb->args[1] = j; + cb->args[2] = (unsigned long)gtp; + goto out; + } ++ j++; + } ++ skip = 0; + } ++ bucket = 0; + } + cb->args[4] = 1; + out: ++ rcu_read_unlock(); + return skb->len; + } + diff --git a/patches.suse/hotplug-drc-info-Add-code-to-search-ibm-drc-info-pro.patch b/patches.suse/hotplug-drc-info-Add-code-to-search-ibm-drc-info-pro.patch new file mode 100644 index 0000000..6d59cf9 --- /dev/null +++ b/patches.suse/hotplug-drc-info-Add-code-to-search-ibm-drc-info-pro.patch @@ -0,0 +1,272 @@ +From 2fcf3ae508c23bea25ab0a0e639805eb7e573b58 Mon Sep 17 00:00:00 2001 +From: Michael Bringmann +Date: Fri, 1 Dec 2017 17:19:48 -0600 +Subject: [PATCH] hotplug/drc-info: Add code to search ibm,drc-info property + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v4.16-rc1 +Git-commit: 2fcf3ae508c23bea25ab0a0e639805eb7e573b58 + +rpadlpar_core.c: Provide parallel routines to search the older device- +tree properties ("ibm,drc-indexes", "ibm,drc-names", "ibm,drc-types" +and "ibm,drc-power-domains"), or the new property "ibm,drc-info". + +The interface to examine the DRC information is changed from a "get" +function that returns values for local verification elsewhere, to a +"check" function that validates the 'name' and/or 'type' of a device +node. This update hides the format of the underlying device-tree +properties, and concentrates the value checks into a single function +without requiring the user to verify whether a search was successful. + +Signed-off-by: Michael Bringmann +Signed-off-by: Michael Ellerman +Acked-by: Michal Suchanek +--- + drivers/pci/hotplug/rpadlpar_core.c | 13 ++-- + drivers/pci/hotplug/rpadlpar_sysfs.c | 3 +- + drivers/pci/hotplug/rpaphp.h | 8 +- + drivers/pci/hotplug/rpaphp_core.c | 107 ++++++++++++++++++++------- + 4 files changed, 94 insertions(+), 37 deletions(-) + +diff --git a/drivers/pci/hotplug/rpadlpar_core.c b/drivers/pci/hotplug/rpadlpar_core.c +index a3449d717a99..fc01d7d807f3 100644 +--- a/drivers/pci/hotplug/rpadlpar_core.c ++++ b/drivers/pci/hotplug/rpadlpar_core.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #include "../pci.h" + #include "rpaphp.h" +@@ -44,15 +45,14 @@ static struct device_node *find_vio_slot_node(char *drc_name) + { + struct device_node *parent = of_find_node_by_name(NULL, "vdevice"); + struct device_node *dn = NULL; +- char *name; + int rc; + + if (!parent) + return NULL; + + while ((dn = of_get_next_child(parent, dn))) { +- rc = rpaphp_get_drc_props(dn, NULL, &name, NULL, NULL); +- if ((rc == 0) && (!strcmp(drc_name, name))) ++ rc = rpaphp_check_drc_props(dn, drc_name, NULL); ++ if (rc == 0) + break; + } + +@@ -64,15 +64,12 @@ static struct device_node *find_php_slot_pci_node(char *drc_name, + char *drc_type) + { + struct device_node *np = NULL; +- char *name; +- char *type; + int rc; + + while ((np = of_find_node_by_name(np, "pci"))) { +- rc = rpaphp_get_drc_props(np, NULL, &name, &type, NULL); ++ rc = rpaphp_check_drc_props(np, drc_name, drc_type); + if (rc == 0) +- if (!strcmp(drc_name, name) && !strcmp(drc_type, type)) +- break; ++ break; + } + + return np; +diff --git a/drivers/pci/hotplug/rpadlpar_sysfs.c b/drivers/pci/hotplug/rpadlpar_sysfs.c +index edb5d8a53020..b806314349cf 100644 +--- a/drivers/pci/hotplug/rpadlpar_sysfs.c ++++ b/drivers/pci/hotplug/rpadlpar_sysfs.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include "rpaphp.h" + #include "rpadlpar.h" + #include "../pci.h" + +@@ -27,8 +28,6 @@ + #define ADD_SLOT_ATTR_NAME add_slot + #define REMOVE_SLOT_ATTR_NAME remove_slot + +-#define MAX_DRC_NAME_LEN 64 +- + static ssize_t add_slot_store(struct kobject *kobj, struct kobj_attribute *attr, + const char *buf, size_t nbytes) + { +diff --git a/drivers/pci/hotplug/rpaphp.h b/drivers/pci/hotplug/rpaphp.h +index 7db024e68fe6..bdb844b01a3d 100644 +--- a/drivers/pci/hotplug/rpaphp.h ++++ b/drivers/pci/hotplug/rpaphp.h +@@ -64,6 +64,10 @@ extern bool rpaphp_debug; + #define CONFIGURED 1 + #define EMPTY 0 + ++/* DRC constants */ ++ ++#define MAX_DRC_NAME_LEN 64 ++ + /* + * struct slot - slot information for each *physical* slot + */ +@@ -91,8 +95,8 @@ int rpaphp_get_sensor_state(struct slot *slot, int *state); + + /* rpaphp_core.c */ + int rpaphp_add_slot(struct device_node *dn); +-int rpaphp_get_drc_props(struct device_node *dn, int *drc_index, +- char **drc_name, char **drc_type, int *drc_power_domain); ++int rpaphp_check_drc_props(struct device_node *dn, char *drc_name, ++ char *drc_type); + + /* rpaphp_slot.c */ + void dealloc_slot_struct(struct slot *slot); +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index 1e29abaaea08..53902c7c38f2 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include /* for eeh_add_device() */ + #include /* rtas_call */ + #include /* for pci_controller */ +@@ -196,25 +197,21 @@ static int get_children_props(struct device_node *dn, const int **drc_indexes, + return 0; + } + +-/* To get the DRC props describing the current node, first obtain it's +- * my-drc-index property. Next obtain the DRC list from it's parent. Use +- * the my-drc-index for correlation, and obtain the requested properties. ++ ++/* Verify the existence of 'drc_name' and/or 'drc_type' within the ++ * current node. First obtain it's my-drc-index property. Next, ++ * obtain the DRC info from it's parent. Use the my-drc-index for ++ * correlation, and obtain/validate the requested properties. + */ +-int rpaphp_get_drc_props(struct device_node *dn, int *drc_index, +- char **drc_name, char **drc_type, int *drc_power_domain) ++ ++static int rpaphp_check_drc_props_v1(struct device_node *dn, char *drc_name, ++ char *drc_type, unsigned int my_index) + { ++ char *name_tmp, *type_tmp; + const int *indexes, *names; + const int *types, *domains; +- const unsigned int *my_index; +- char *name_tmp, *type_tmp; + int i, rc; + +- my_index = of_get_property(dn, "ibm,my-drc-index", NULL); +- if (!my_index) { +- /* Node isn't DLPAR/hotplug capable */ +- return -EINVAL; +- } +- + rc = get_children_props(dn->parent, &indexes, &names, &types, &domains); + if (rc < 0) { + return -EINVAL; +@@ -225,24 +222,84 @@ int rpaphp_get_drc_props(struct device_node *dn, int *drc_index, + + /* Iterate through parent properties, looking for my-drc-index */ + for (i = 0; i < be32_to_cpu(indexes[0]); i++) { +- if ((unsigned int) indexes[i + 1] == *my_index) { +- if (drc_name) +- *drc_name = name_tmp; +- if (drc_type) +- *drc_type = type_tmp; +- if (drc_index) +- *drc_index = be32_to_cpu(*my_index); +- if (drc_power_domain) +- *drc_power_domain = be32_to_cpu(domains[i+1]); +- return 0; +- } ++ if ((unsigned int) indexes[i + 1] == my_index) ++ break; ++ + name_tmp += (strlen(name_tmp) + 1); + type_tmp += (strlen(type_tmp) + 1); + } + ++ if (((drc_name == NULL) || (drc_name && !strcmp(drc_name, name_tmp))) && ++ ((drc_type == NULL) || (drc_type && !strcmp(drc_type, type_tmp)))) ++ return 0; ++ + return -EINVAL; + } +-EXPORT_SYMBOL_GPL(rpaphp_get_drc_props); ++ ++static int rpaphp_check_drc_props_v2(struct device_node *dn, char *drc_name, ++ char *drc_type, unsigned int my_index) ++{ ++ struct property *info; ++ unsigned int entries; ++ struct of_drc_info drc; ++ const __be32 *value; ++ char cell_drc_name[MAX_DRC_NAME_LEN]; ++ int j, fndit; ++ ++ info = of_find_property(dn->parent, "ibm,drc-info", NULL); ++ if (info == NULL) ++ return -EINVAL; ++ ++ value = of_prop_next_u32(info, NULL, &entries); ++ if (!value) ++ return -EINVAL; ++ ++ for (j = 0; j < entries; j++) { ++ of_read_drc_info_cell(&info, &value, &drc); ++ ++ /* Should now know end of current entry */ ++ ++ if (my_index > drc.last_drc_index) ++ continue; ++ ++ fndit = 1; ++ break; ++ } ++ /* Found it */ ++ ++ if (fndit) ++ sprintf(cell_drc_name, "%s%d", drc.drc_name_prefix, ++ my_index); ++ ++ if (((drc_name == NULL) || ++ (drc_name && !strcmp(drc_name, cell_drc_name))) && ++ ((drc_type == NULL) || ++ (drc_type && !strcmp(drc_type, drc.drc_type)))) ++ return 0; ++ ++ return -EINVAL; ++} ++ ++int rpaphp_check_drc_props(struct device_node *dn, char *drc_name, ++ char *drc_type) ++{ ++ const unsigned int *my_index; ++ ++ my_index = of_get_property(dn, "ibm,my-drc-index", NULL); ++ if (!my_index) { ++ /* Node isn't DLPAR/hotplug capable */ ++ return -EINVAL; ++ } ++ ++ if (firmware_has_feature(FW_FEATURE_DRC_INFO)) ++ return rpaphp_check_drc_props_v2(dn, drc_name, drc_type, ++ *my_index); ++ else ++ return rpaphp_check_drc_props_v1(dn, drc_name, drc_type, ++ *my_index); ++} ++EXPORT_SYMBOL_GPL(rpaphp_check_drc_props); ++ + + static int is_php_type(char *drc_type) + { +-- +2.23.0 + diff --git a/patches.suse/hwmon-adt7475-Make-volt2reg-return-same-reg-as-reg2v.patch b/patches.suse/hwmon-adt7475-Make-volt2reg-return-same-reg-as-reg2v.patch new file mode 100644 index 0000000..9c692e7 --- /dev/null +++ b/patches.suse/hwmon-adt7475-Make-volt2reg-return-same-reg-as-reg2v.patch @@ -0,0 +1,48 @@ +From cf3ca1877574a306c0207cbf7fdf25419d9229df Mon Sep 17 00:00:00 2001 +From: Luuk Paulussen +Date: Fri, 6 Dec 2019 12:16:59 +1300 +Subject: [PATCH] hwmon: (adt7475) Make volt2reg return same reg as reg2volt input +Git-commit: cf3ca1877574a306c0207cbf7fdf25419d9229df +Patch-mainline: v5.5 +References: bsc#1051510 + +reg2volt returns the voltage that matches a given register value. +Converting this back the other way with volt2reg didn't return the same +register value because it used truncation instead of rounding. + +This meant that values read from sysfs could not be written back to sysfs +to set back the same register value. + +With this change, volt2reg will return the same value for every voltage +previously returned by reg2volt (for the set of possible input values) + +Signed-off-by: Luuk Paulussen +Link: https://lore.kernel.org/r/20191205231659.1301-1-luuk.paulussen@alliedtelesis.co.nz +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Acked-by: Takashi Iwai + +--- + drivers/hwmon/adt7475.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/adt7475.c b/drivers/hwmon/adt7475.c +index 6c64d50c9aae..01c2eeb02aa9 100644 +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -294,9 +294,10 @@ static inline u16 volt2reg(int channel, long volt, u8 bypass_attn) + long reg; + + if (bypass_attn & (1 << channel)) +- reg = (volt * 1024) / 2250; ++ reg = DIV_ROUND_CLOSEST(volt * 1024, 2250); + else +- reg = (volt * r[1] * 1024) / ((r[0] + r[1]) * 2250); ++ reg = DIV_ROUND_CLOSEST(volt * r[1] * 1024, ++ (r[0] + r[1]) * 2250); + return clamp_val(reg, 0, 1023) & (0xff << 2); + } + +-- +2.16.4 + diff --git a/patches.suse/hwmon-core-Do-not-use-device-managed-functions-for-m.patch b/patches.suse/hwmon-core-Do-not-use-device-managed-functions-for-m.patch new file mode 100644 index 0000000..ebb154b --- /dev/null +++ b/patches.suse/hwmon-core-Do-not-use-device-managed-functions-for-m.patch @@ -0,0 +1,234 @@ +From 3bf8bdcf3bada771eb12b57f2a30caee69e8ab8d Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 16 Jan 2020 10:44:17 -0800 +Subject: [PATCH] hwmon: (core) Do not use device managed functions for memory allocations +Git-commit: 3bf8bdcf3bada771eb12b57f2a30caee69e8ab8d +Patch-mainline: v5.5 +References: bsc#1051510 + +The hwmon core uses device managed functions, tied to the hwmon parent +device, for various internal memory allocations. This is problematic +since hwmon device lifetime does not necessarily match its parent's +device lifetime. If there is a mismatch, memory leaks will accumulate +until the parent device is released. + +Fix the problem by managing all memory allocations internally. The only +exception is memory allocation for thermal device registration, which +can be tied to the hwmon device, along with thermal device registration +itself. + +Fixes: d560168b5d0f ("hwmon: (core) New hwmon registration API") +Cc: stable@vger.kernel.org # v4.14.x: 47c332deb8e8: hwmon: Deal with errors from the thermal subsystem +Cc: stable@vger.kernel.org # v4.14.x: 74e3512731bd: hwmon: (core) Fix double-free in __hwmon_device_register() +Cc: stable@vger.kernel.org # v4.9.x: 3a412d5e4a1c: hwmon: (core) Simplify sysfs attribute name allocation +Cc: stable@vger.kernel.org # v4.9.x: 47c332deb8e8: hwmon: Deal with errors from the thermal subsystem +Cc: stable@vger.kernel.org # v4.9.x: 74e3512731bd: hwmon: (core) Fix double-free in __hwmon_device_register() +Cc: stable@vger.kernel.org # v4.9+ +Cc: Martin K. Petersen +Signed-off-by: Guenter Roeck +Acked-by: Takashi Iwai + +--- + drivers/hwmon/hwmon.c | 68 ++++++++++++++++++++++++++++++-------------------- + 1 file changed, 41 insertions(+), 27 deletions(-) + +--- a/drivers/hwmon/hwmon.c ++++ b/drivers/hwmon/hwmon.c +@@ -51,6 +51,7 @@ struct hwmon_device_attribute { + + #define to_hwmon_attr(d) \ + container_of(d, struct hwmon_device_attribute, dev_attr) ++#define to_dev_attr(a) container_of(a, struct device_attribute, attr) + + /* + * Thermal zone information +@@ -58,7 +59,7 @@ struct hwmon_device_attribute { + * also provides the sensor index. + */ + struct hwmon_thermal_data { +- struct hwmon_device *hwdev; /* Reference to hwmon device */ ++ struct device *dev; /* Reference to hwmon device */ + int index; /* sensor index */ + }; + +@@ -95,9 +96,27 @@ static const struct attribute_group *hwm + NULL + }; + ++static void hwmon_free_attrs(struct attribute **attrs) ++{ ++ int i; ++ ++ for (i = 0; attrs[i]; i++) { ++ struct device_attribute *dattr = to_dev_attr(attrs[i]); ++ struct hwmon_device_attribute *hattr = to_hwmon_attr(dattr); ++ ++ kfree(hattr); ++ } ++ kfree(attrs); ++} ++ + static void hwmon_dev_release(struct device *dev) + { +- kfree(to_hwmon_device(dev)); ++ struct hwmon_device *hwdev = to_hwmon_device(dev); ++ ++ if (hwdev->group.attrs) ++ hwmon_free_attrs(hwdev->group.attrs); ++ kfree(hwdev->groups); ++ kfree(hwdev); + } + + static struct class hwmon_class = { +@@ -121,11 +140,11 @@ static DEFINE_IDA(hwmon_ida); + static int hwmon_thermal_get_temp(void *data, int *temp) + { + struct hwmon_thermal_data *tdata = data; +- struct hwmon_device *hwdev = tdata->hwdev; ++ struct hwmon_device *hwdev = to_hwmon_device(tdata->dev); + int ret; + long t; + +- ret = hwdev->chip->ops->read(&hwdev->dev, hwmon_temp, hwmon_temp_input, ++ ret = hwdev->chip->ops->read(tdata->dev, hwmon_temp, hwmon_temp_input, + tdata->index, &t); + if (ret < 0) + return ret; +@@ -139,8 +158,7 @@ static struct thermal_zone_of_device_ops + .get_temp = hwmon_thermal_get_temp, + }; + +-static int hwmon_thermal_add_sensor(struct device *dev, +- struct hwmon_device *hwdev, int index) ++static int hwmon_thermal_add_sensor(struct device *dev, int index) + { + struct hwmon_thermal_data *tdata; + struct thermal_zone_device *tzd; +@@ -149,10 +167,10 @@ static int hwmon_thermal_add_sensor(stru + if (!tdata) + return -ENOMEM; + +- tdata->hwdev = hwdev; ++ tdata->dev = dev; + tdata->index = index; + +- tzd = devm_thermal_zone_of_sensor_register(&hwdev->dev, index, tdata, ++ tzd = devm_thermal_zone_of_sensor_register(dev, index, tdata, + &hwmon_thermal_ops); + /* + * If CONFIG_THERMAL_OF is disabled, this returns -ENODEV, +@@ -164,8 +182,7 @@ static int hwmon_thermal_add_sensor(stru + return 0; + } + #else +-static int hwmon_thermal_add_sensor(struct device *dev, +- struct hwmon_device *hwdev, int index) ++static int hwmon_thermal_add_sensor(struct device *dev, int index) + { + return 0; + } +@@ -242,8 +259,7 @@ static bool is_string_attr(enum hwmon_se + (type == hwmon_fan && attr == hwmon_fan_label); + } + +-static struct attribute *hwmon_genattr(struct device *dev, +- const void *drvdata, ++static struct attribute *hwmon_genattr(const void *drvdata, + enum hwmon_sensor_types type, + u32 attr, + int index, +@@ -271,7 +287,7 @@ static struct attribute *hwmon_genattr(s + if ((mode & S_IWUGO) && !ops->write) + return ERR_PTR(-EINVAL); + +- hattr = devm_kzalloc(dev, sizeof(*hattr), GFP_KERNEL); ++ hattr = kzalloc(sizeof(*hattr), GFP_KERNEL); + if (!hattr) + return ERR_PTR(-ENOMEM); + +@@ -474,8 +490,7 @@ static int hwmon_num_channel_attrs(const + return n; + } + +-static int hwmon_genattrs(struct device *dev, +- const void *drvdata, ++static int hwmon_genattrs(const void *drvdata, + struct attribute **attrs, + const struct hwmon_ops *ops, + const struct hwmon_channel_info *info) +@@ -501,7 +516,7 @@ static int hwmon_genattrs(struct device + attr_mask &= ~BIT(attr); + if (attr >= template_size) + return -EINVAL; +- a = hwmon_genattr(dev, drvdata, info->type, attr, i, ++ a = hwmon_genattr(drvdata, info->type, attr, i, + templates[attr], ops); + if (IS_ERR(a)) { + if (PTR_ERR(a) != -ENOENT) +@@ -515,8 +530,7 @@ static int hwmon_genattrs(struct device + } + + static struct attribute ** +-__hwmon_create_attrs(struct device *dev, const void *drvdata, +- const struct hwmon_chip_info *chip) ++__hwmon_create_attrs(const void *drvdata, const struct hwmon_chip_info *chip) + { + int ret, i, aindex = 0, nattrs = 0; + struct attribute **attrs; +@@ -527,15 +541,17 @@ __hwmon_create_attrs(struct device *dev, + if (nattrs == 0) + return ERR_PTR(-EINVAL); + +- attrs = devm_kcalloc(dev, nattrs + 1, sizeof(*attrs), GFP_KERNEL); ++ attrs = kcalloc(nattrs + 1, sizeof(*attrs), GFP_KERNEL); + if (!attrs) + return ERR_PTR(-ENOMEM); + + for (i = 0; chip->info[i]; i++) { +- ret = hwmon_genattrs(dev, drvdata, &attrs[aindex], chip->ops, ++ ret = hwmon_genattrs(drvdata, &attrs[aindex], chip->ops, + chip->info[i]); +- if (ret < 0) ++ if (ret < 0) { ++ hwmon_free_attrs(attrs); + return ERR_PTR(ret); ++ } + aindex += ret; + } + +@@ -577,14 +593,13 @@ __hwmon_device_register(struct device *d + for (i = 0; groups[i]; i++) + ngroups++; + +- hwdev->groups = devm_kcalloc(dev, ngroups, sizeof(*groups), +- GFP_KERNEL); ++ hwdev->groups = kcalloc(ngroups, sizeof(*groups), GFP_KERNEL); + if (!hwdev->groups) { + err = -ENOMEM; + goto free_hwmon; + } + +- attrs = __hwmon_create_attrs(dev, drvdata, chip); ++ attrs = __hwmon_create_attrs(drvdata, chip); + if (IS_ERR(attrs)) { + err = PTR_ERR(attrs); + goto free_hwmon; +@@ -629,8 +644,7 @@ __hwmon_device_register(struct device *d + hwmon_temp_input, j)) + continue; + if (info[i]->config[j] & HWMON_T_INPUT) { +- err = hwmon_thermal_add_sensor(dev, +- hwdev, j); ++ err = hwmon_thermal_add_sensor(hdev, j); + if (err) { + device_unregister(hdev); + goto ida_remove; +@@ -643,7 +657,7 @@ __hwmon_device_register(struct device *d + return hdev; + + free_hwmon: +- kfree(hwdev); ++ hwmon_dev_release(hdev); + ida_remove: + ida_simple_remove(&hwmon_ida, id); + return ERR_PTR(err); diff --git a/patches.suse/hwmon-k10temp-Add-support-for-AMD-family-17h-model-7.patch b/patches.suse/hwmon-k10temp-Add-support-for-AMD-family-17h-model-7.patch new file mode 100644 index 0000000..7e43b1b --- /dev/null +++ b/patches.suse/hwmon-k10temp-Add-support-for-AMD-family-17h-model-7.patch @@ -0,0 +1,66 @@ +From 12163cfbfc0f804cc7d27bc20e8d266ce7459260 Mon Sep 17 00:00:00 2001 +From: Marcel Bocu +Date: Mon, 22 Jul 2019 20:46:53 +0300 +Subject: [PATCH] hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs +Git-commit: 12163cfbfc0f804cc7d27bc20e8d266ce7459260 +Patch-mainline: v5.4-rc1 +References: bsc#1163206 + +It would seem like model 70h is behaving in the same way as model 30h, +so let's just add the new F3 PCI ID to the list of compatible devices. + +Unlike previous Ryzen/Threadripper, Ryzen gen 3 processors do not need +temperature offsets anymore. This has been reported in the press and +verified on my Ryzen 3700X by checking that the idle temperature +reported by k10temp is matching the temperature reported by the +firmware. + +Vicki Pfau sent an identical patch after I checked that no-one had +written this patch. I would have been happy about dropping my patch but +unlike for his patch series, I had already Cc:ed the x86 people and +they already reviewed the changes. Since Vicki has not answered to +any email after his initial series, let's assume she is on vacation +and let's avoid duplication of reviews from the maintainers and merge +my series. To acknowledge Vicki's anteriority, I added her S-o-b to +the patch. + +v2, suggested by Guenter Roeck and Brian Woods: + - rename from 71h to 70h + +Signed-off-by: Vicki Pfau +Signed-off-by: Marcel Bocu +Tested-by: Marcel Bocu + +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: x86@kernel.org +Cc: "Woods, Brian" +Cc: Clemens Ladisch +Cc: Jean Delvare +Cc: Guenter Roeck +Cc: linux-hwmon@vger.kernel.org +Link: https://lore.kernel.org/r/20190722174653.2391-1-marcel.p.bocu@gmail.com +Signed-off-by: Guenter Roeck +Acked-by: Takashi Iwai + +--- + drivers/hwmon/k10temp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/k10temp.c b/drivers/hwmon/k10temp.c +index c77e89239dcd..5c1dddde193c 100644 +--- a/drivers/hwmon/k10temp.c ++++ b/drivers/hwmon/k10temp.c +@@ -360,6 +360,7 @@ static const struct pci_device_id k10tem + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F3) }, + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_17H_DF_F3) }, + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_17H_M10H_DF_F3) }, ++ { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_17H_M70H_DF_F3) }, + { PCI_VDEVICE(HYGON, PCI_DEVICE_ID_AMD_17H_DF_F3) }, + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_17H_M30H_DF_F3) }, + {} +-- +2.16.4 + diff --git a/patches.suse/hwmon-nct7802-Fix-voltage-limits-to-wrong-registers.patch b/patches.suse/hwmon-nct7802-Fix-voltage-limits-to-wrong-registers.patch new file mode 100644 index 0000000..18fefe8 --- /dev/null +++ b/patches.suse/hwmon-nct7802-Fix-voltage-limits-to-wrong-registers.patch @@ -0,0 +1,41 @@ +From 7713e62c8623c54dac88d1fa724aa487a38c3efb Mon Sep 17 00:00:00 2001 +From: Gilles Buloz +Date: Wed, 27 Nov 2019 18:09:34 +0100 +Subject: [PATCH] hwmon: (nct7802) Fix voltage limits to wrong registers +Git-commit: 7713e62c8623c54dac88d1fa724aa487a38c3efb +Patch-mainline: v5.5 +References: bsc#1051510 + +in0 thresholds are written to the in2 thresholds registers +in2 thresholds to in3 thresholds +in3 thresholds to in4 thresholds +in4 thresholds to in0 thresholds + +Signed-off-by: Gilles Buloz +Link: https://lore.kernel.org/r/5de0f509.rc0oEvPOMjbfPW1w%gilles.buloz@kontron.com +Fixes: 3434f3783580 ("hwmon: Driver for Nuvoton NCT7802Y") +Signed-off-by: Guenter Roeck +Acked-by: Takashi Iwai + +--- + drivers/hwmon/nct7802.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/nct7802.c b/drivers/hwmon/nct7802.c +index f3dd2a17bd42..7915c2f2c85d 100644 +--- a/drivers/hwmon/nct7802.c ++++ b/drivers/hwmon/nct7802.c +@@ -23,8 +23,8 @@ + static const u8 REG_VOLTAGE[5] = { 0x09, 0x0a, 0x0c, 0x0d, 0x0e }; + + static const u8 REG_VOLTAGE_LIMIT_LSB[2][5] = { +- { 0x40, 0x00, 0x42, 0x44, 0x46 }, +- { 0x3f, 0x00, 0x41, 0x43, 0x45 }, ++ { 0x46, 0x00, 0x40, 0x42, 0x44 }, ++ { 0x45, 0x00, 0x3f, 0x41, 0x43 }, + }; + + static const u8 REG_VOLTAGE_LIMIT_MSB[5] = { 0x48, 0x00, 0x47, 0x47, 0x48 }; +-- +2.16.4 + diff --git a/patches.suse/hwmon-pmbus-ltc2978-Fix-PMBus-polling-of-MFR_COMMON-.patch b/patches.suse/hwmon-pmbus-ltc2978-Fix-PMBus-polling-of-MFR_COMMON-.patch new file mode 100644 index 0000000..0801293 --- /dev/null +++ b/patches.suse/hwmon-pmbus-ltc2978-Fix-PMBus-polling-of-MFR_COMMON-.patch @@ -0,0 +1,44 @@ +From cf2b012c90e74e85d8aea7d67e48868069cfee0c Mon Sep 17 00:00:00 2001 +From: Mike Jones +Date: Tue, 28 Jan 2020 10:59:59 -0700 +Subject: [PATCH] hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions. +Git-commit: cf2b012c90e74e85d8aea7d67e48868069cfee0c +Patch-mainline: v5.6-rc2 +References: bsc#1051510 + +Change 21537dc driver PMBus polling of MFR_COMMON from bits 5/4 to +bits 6/5. This fixs a LTC297X family bug where polling always returns +not busy even when the part is busy. This fixes a LTC388X and +LTM467X bug where polling used PEND and NOT_IN_TRANS, and BUSY was +not polled, which can lead to NACKing of commands. LTC388X and +LTM467X modules now poll BUSY and PEND, increasing reliability by +eliminating NACKing of commands. + +Signed-off-by: Mike Jones +Link: https://lore.kernel.org/r/1580234400-2829-2-git-send-email-michael-a1.jones@analog.com +Fixes: e04d1ce9bbb49 ("hwmon: (ltc2978) Add polling for chips requiring it") +Signed-off-by: Guenter Roeck +Acked-by: Takashi Iwai + +--- + drivers/hwmon/pmbus/ltc2978.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/pmbus/ltc2978.c b/drivers/hwmon/pmbus/ltc2978.c +index f01f4887fb2e..a91ed01abb68 100644 +--- a/drivers/hwmon/pmbus/ltc2978.c ++++ b/drivers/hwmon/pmbus/ltc2978.c +@@ -82,8 +82,8 @@ enum chips { ltc2974, ltc2975, ltc2977, ltc2978, ltc2980, ltc3880, ltc3882, + + #define LTC_POLL_TIMEOUT 100 /* in milli-seconds */ + +-#define LTC_NOT_BUSY BIT(5) +-#define LTC_NOT_PENDING BIT(4) ++#define LTC_NOT_BUSY BIT(6) ++#define LTC_NOT_PENDING BIT(5) + + /* + * LTC2978 clears peak data whenever the CLEAR_FAULTS command is executed, which +-- +2.16.4 + diff --git a/patches.suse/i2c-imx-don-t-print-error-message-on-probe-defer.patch b/patches.suse/i2c-imx-don-t-print-error-message-on-probe-defer.patch new file mode 100644 index 0000000..fbbc564 --- /dev/null +++ b/patches.suse/i2c-imx-don-t-print-error-message-on-probe-defer.patch @@ -0,0 +1,40 @@ +From fece4978510e43f09c8cd386fee15210e8c68493 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Wed, 14 Nov 2018 18:29:13 +0100 +Subject: [PATCH] i2c: imx: don't print error message on probe defer +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: fece4978510e43f09c8cd386fee15210e8c68493 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +Probe deferral is a normal operating condition in the probe function, +so don't spam the log with an error in this case. + +Signed-off-by: Lucas Stach +Acked-by: Uwe Kleine-König +Signed-off-by: Wolfram Sang +Acked-by: Takashi Iwai + +--- + drivers/i2c/busses/i2c-imx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c +index c406700789e1..fa9ad53845d9 100644 +--- a/drivers/i2c/busses/i2c-imx.c ++++ b/drivers/i2c/busses/i2c-imx.c +@@ -1090,7 +1090,8 @@ static int i2c_imx_probe(struct platform_device *pdev) + /* Get I2C clock */ + i2c_imx->clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(i2c_imx->clk)) { +- dev_err(&pdev->dev, "can't get I2C clock\n"); ++ if (PTR_ERR(i2c_imx->clk) != -EPROBE_DEFER) ++ dev_err(&pdev->dev, "can't get I2C clock\n"); + return PTR_ERR(i2c_imx->clk); + } + +-- +2.16.4 + diff --git a/patches.suse/iio-adc-max9611-Fix-too-short-conversion-time-delay.patch b/patches.suse/iio-adc-max9611-Fix-too-short-conversion-time-delay.patch new file mode 100644 index 0000000..7990ace --- /dev/null +++ b/patches.suse/iio-adc-max9611-Fix-too-short-conversion-time-delay.patch @@ -0,0 +1,93 @@ +From 9fd229c478fbf77c41c8528aa757ef14210365f6 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 2 Dec 2019 09:55:46 +0100 +Subject: [PATCH] iio: adc: max9611: Fix too short conversion time delay +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 9fd229c478fbf77c41c8528aa757ef14210365f6 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +As of commit b9ddd5091160793e ("iio: adc: max9611: Fix temperature +reading in probe"), max9611 initialization sometimes fails on the +Salvator-X(S) development board with: + + max9611 4-007f: Invalid value received from ADC 0x8000: aborting + max9611: probe of 4-007f failed with error -5 + +The max9611 driver tests communications with the chip by reading the die +temperature during the probe function, which returns an invalid value. + +According to the datasheet, the typical ADC conversion time is 2 ms, but +no minimum or maximum values are provided. Maxim Technical Support +confirmed this was tested with temperature Ta=25 degreeC, and promised +to inform me if a maximum/minimum value is available (they didn't get +back to me, so I assume it is not). + +However, the driver assumes a 1 ms conversion time. Usually the +usleep_range() call returns after more than 1.8 ms, hence it succeeds. +When it returns earlier, the data register may be read too early, and +the previous measurement value will be returned. After boot, this is +the temperature POR (power-on reset) value, causing the failure above. + +Fix this by increasing the delay from 1000-2000 µs to 3000-3300 µs. + +Note that this issue has always been present, but it was exposed by the +aformentioned commit. + +Fixes: 69780a3bbc0b1e7e ("iio: adc: Add Maxim max9611 ADC driver") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Jacopo Mondi +Reviewed-by: Wolfram Sang +Signed-off-by: Jonathan Cameron +Acked-by: Takashi Iwai + +--- + drivers/iio/adc/max9611.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c +index da073d72f649..e480529b3f04 100644 +--- a/drivers/iio/adc/max9611.c ++++ b/drivers/iio/adc/max9611.c +@@ -89,6 +89,12 @@ + #define MAX9611_TEMP_SCALE_NUM 1000000 + #define MAX9611_TEMP_SCALE_DIV 2083 + ++/* ++ * Conversion time is 2 ms (typically) at Ta=25 degreeC ++ * No maximum value is known, so play it safe. ++ */ ++#define MAX9611_CONV_TIME_US_RANGE 3000, 3300 ++ + struct max9611_dev { + struct device *dev; + struct i2c_client *i2c_client; +@@ -236,11 +242,9 @@ static int max9611_read_single(struct max9611_dev *max9611, + return ret; + } + +- /* +- * need a delay here to make register configuration +- * stabilize. 1 msec at least, from empirical testing. +- */ +- usleep_range(1000, 2000); ++ /* need a delay here to make register configuration stabilize. */ ++ ++ usleep_range(MAX9611_CONV_TIME_US_RANGE); + + ret = i2c_smbus_read_word_swapped(max9611->i2c_client, reg_addr); + if (ret < 0) { +@@ -507,7 +511,7 @@ static int max9611_init(struct max9611_dev *max9611) + MAX9611_REG_CTRL2, 0); + return ret; + } +- usleep_range(1000, 2000); ++ usleep_range(MAX9611_CONV_TIME_US_RANGE); + + return 0; + } +-- +2.16.4 + diff --git a/patches.suse/iommu-amd-fix-iommu-perf-counter-clobbering-during-init b/patches.suse/iommu-amd-fix-iommu-perf-counter-clobbering-during-init new file mode 100644 index 0000000..87b1c66 --- /dev/null +++ b/patches.suse/iommu-amd-fix-iommu-perf-counter-clobbering-during-init @@ -0,0 +1,70 @@ +From: Shuah Khan +Date: Thu, 23 Jan 2020 15:32:14 -0700 +Subject: iommu/amd: Fix IOMMU perf counter clobbering during init +Git-commit: 8c17bbf6c8f70058a66305f2e1982552e6ea7f47 +Patch-mainline: v5.5 +References: bsc#1162617 + +init_iommu_perf_ctr() clobbers the register when it checks write access +to IOMMU perf counters and fails to restore when they are writable. + +Add save and restore to fix it. + +Signed-off-by: Shuah Khan +Fixes: 30861ddc9cca4 ("perf/x86/amd: Add IOMMU Performance Counter resource management") +Reviewed-by: Suravee Suthikulpanit +Tested-by: Suravee Suthikulpanit +Signed-off-by: Joerg Roedel +--- + drivers/iommu/amd_iommu_init.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -1661,27 +1661,39 @@ static int iommu_pc_get_set_reg(struct a + + static void init_iommu_perf_ctr(struct amd_iommu *iommu) + { +- u64 val = 0xabcd, val2 = 0; ++ u64 val = 0xabcd, val2 = 0, save_reg = 0; + + if (!iommu_feature(iommu, FEATURE_PC)) + return; + + amd_iommu_pc_present = true; + ++ /* save the value to restore, if writable */ ++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false)) ++ goto pc_false; ++ + /* Check if the performance counters can be written to */ + if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) || + (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) || +- (val != val2)) { +- pr_err("AMD-Vi: Unable to write to IOMMU perf counter.\n"); +- amd_iommu_pc_present = false; +- return; +- } ++ (val != val2)) ++ goto pc_false; ++ ++ /* restore */ ++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true)) ++ goto pc_false; + + pr_info("AMD-Vi: IOMMU performance counters supported\n"); + + val = readl(iommu->mmio_base + MMIO_CNTR_CONF_OFFSET); + iommu->max_banks = (u8) ((val >> 12) & 0x3f); + iommu->max_counters = (u8) ((val >> 7) & 0xf); ++ ++ return; ++ ++pc_false: ++ pr_err("AMD-Vi: Unable to read/write to IOMMU perf counter.\n"); ++ amd_iommu_pc_present = false; ++ return; + } + + static ssize_t amd_iommu_show_cap(struct device *dev, + diff --git a/patches.suse/iommu-arm-smmu-v3-populate-vmid-field-for-cmdq_op_tlbi_nh_va b/patches.suse/iommu-arm-smmu-v3-populate-vmid-field-for-cmdq_op_tlbi_nh_va new file mode 100644 index 0000000..b3fe3a4 --- /dev/null +++ b/patches.suse/iommu-arm-smmu-v3-populate-vmid-field-for-cmdq_op_tlbi_nh_va @@ -0,0 +1,30 @@ +From: Shameer Kolothum +Date: Wed, 13 Nov 2019 16:11:38 +0000 +Subject: iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA +Git-commit: 935d43ba272e0001f8ef446a3eff15d8175cb11b +Patch-mainline: v5.6-rc1 +References: bsc#1164314 + +CMDQ_OP_TLBI_NH_VA requires VMID and this was missing since +commit 1c27df1c0a82 ("iommu/arm-smmu: Use correct address mask +for CMD_TLBI_S2_IPA"). Add it back. + +Fixes: 1c27df1c0a82 ("iommu/arm-smmu: Use correct address mask for CMD_TLBI_S2_IPA") +Signed-off-by: Shameer Kolothum +Signed-off-by: Will Deacon +Acked-by: Joerg Roedel +--- + drivers/iommu/arm-smmu-v3.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -850,6 +850,7 @@ static int arm_smmu_cmdq_build_cmd(u64 * + cmd[1] |= FIELD_PREP(CMDQ_CFGI_1_RANGE, 31); + break; + case CMDQ_OP_TLBI_NH_VA: ++ cmd[0] |= FIELD_PREP(CMDQ_TLBI_0_VMID, ent->tlbi.vmid); + cmd[0] |= FIELD_PREP(CMDQ_TLBI_0_ASID, ent->tlbi.asid); + cmd[1] |= FIELD_PREP(CMDQ_TLBI_1_LEAF, ent->tlbi.leaf); + cmd[1] |= ent->tlbi.addr & CMDQ_TLBI_1_VA_MASK; + diff --git a/patches.suse/iommu-io-pgtable-arm-Add-support-for-non-strict-mode.patch b/patches.suse/iommu-io-pgtable-arm-Add-support-for-non-strict-mode.patch index 99c5229..8882a64 100644 --- a/patches.suse/iommu-io-pgtable-arm-Add-support-for-non-strict-mode.patch +++ b/patches.suse/iommu-io-pgtable-arm-Add-support-for-non-strict-mode.patch @@ -31,12 +31,12 @@ Signed-off-by: Matthias Brugger --- a/drivers/iommu/io-pgtable-arm.c +++ b/drivers/iommu/io-pgtable-arm.c @@ -549,6 +549,7 @@ static int arm_lpae_split_blk_unmap(stru - return __arm_lpae_unmap(data, iova, size, lvl, tablep); - - io_pgtable_tlb_add_flush(&data->iop, iova, size, size, true); -+ io_pgtable_tlb_sync(&data->iop); - return size; - } + tablep = iopte_deref(pte, data); + } else if (unmap_idx >= 0) { + io_pgtable_tlb_add_flush(&data->iop, iova, size, size, true); ++ io_pgtable_tlb_sync(&data->iop); + return size; + } @@ -579,6 +580,13 @@ static int __arm_lpae_unmap(struct arm_l io_pgtable_tlb_sync(iop); diff --git a/patches.suse/iommu-io-pgtable-arm-Fix-race-handling-in-split_blk_.patch b/patches.suse/iommu-io-pgtable-arm-Fix-race-handling-in-split_blk_.patch new file mode 100644 index 0000000..12298bd --- /dev/null +++ b/patches.suse/iommu-io-pgtable-arm-Fix-race-handling-in-split_blk_.patch @@ -0,0 +1,51 @@ +From: Robin Murphy +Date: Thu, 6 Sep 2018 17:59:50 +0100 +Subject: iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() +Git-commit: 85c7a0f1ef624ef58173ef52ea77780257bdfe04 +Patch-mainline: v4.20-rc1 +References: bsc#1164115 + +In removing the pagetable-wide lock, we gained the possibility of the +vanishingly unlikely case where we have a race between two concurrent +unmappers splitting the same block entry. The logic to handle this is +fairly straightforward - whoever loses the race frees their partial +next-level table and instead dereferences the winner's newly-installed +entry in order to fall back to a regular unmap, which intentionally +echoes the pre-existing case of recursively splitting a 1GB block down +to 4KB pages by installing a full table of 2MB blocks first. + +Unfortunately, the chump who implemented that logic failed to update the +condition check for that fallback, meaning that if said race occurs at +the last level (where the loser's unmap_idx is valid) then the unmap +won't actually happen. Fix that to properly account for both the race +and recursive cases. + +Fixes: 2c3d273eabe8 ("iommu/io-pgtable-arm: Support lockless operation") +Signed-off-by: Robin Murphy +[will: re-jig control flow to avoid duplicate cmpxchg test] +Signed-off-by: Will Deacon +Signed-off-by: Matthias Brugger +--- + drivers/iommu/io-pgtable-arm.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/iommu/io-pgtable-arm.c ++++ b/drivers/iommu/io-pgtable-arm.c +@@ -543,13 +543,12 @@ static int arm_lpae_split_blk_unmap(stru + return 0; + + tablep = iopte_deref(pte, data); ++ } else if (unmap_idx >= 0) { ++ io_pgtable_tlb_add_flush(&data->iop, iova, size, size, true); ++ return size; + } + +- if (unmap_idx < 0) +- return __arm_lpae_unmap(data, iova, size, lvl, tablep); +- +- io_pgtable_tlb_add_flush(&data->iop, iova, size, size, true); +- return size; ++ return __arm_lpae_unmap(data, iova, size, lvl, tablep); + } + + static int __arm_lpae_unmap(struct arm_lpae_io_pgtable *data, diff --git a/patches.suse/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch b/patches.suse/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch new file mode 100644 index 0000000..c6a9a9b --- /dev/null +++ b/patches.suse/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch @@ -0,0 +1,41 @@ +From c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Sun, 26 Jan 2020 00:09:54 +0000 +Subject: [PATCH] iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop +Git-commit: c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 +Patch-mainline: v5.6-rc1 +References: git-fixes + +The loop counter addr is a u16 where as the upper limit of the loop +is an int. In the unlikely event that the il->cfg->eeprom_size is +greater than 64K then we end up with an infinite loop since addr will +wrap around an never reach upper loop limit. Fix this by making addr +an int. + +Addresses-coverity: ("Infinite loop") +Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965") +Signed-off-by: Colin Ian King +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intel/iwlegacy/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c +index d966b29b45ee..348c17ce72f5 100644 +--- a/drivers/net/wireless/intel/iwlegacy/common.c ++++ b/drivers/net/wireless/intel/iwlegacy/common.c +@@ -699,7 +699,7 @@ il_eeprom_init(struct il_priv *il) + u32 gp = _il_rd(il, CSR_EEPROM_GP); + int sz; + int ret; +- u16 addr; ++ int addr; + + /* allocate eeprom */ + sz = il->cfg->eeprom_size; +-- +2.16.4 + diff --git a/patches.suse/iwlwifi-clear-persistence-bit-according-to-device-fa.patch b/patches.suse/iwlwifi-clear-persistence-bit-according-to-device-fa.patch new file mode 100644 index 0000000..c57afb5 --- /dev/null +++ b/patches.suse/iwlwifi-clear-persistence-bit-according-to-device-fa.patch @@ -0,0 +1,105 @@ +From 44f61b5c832c4085fcf476484efeaeef96dcfb8b Mon Sep 17 00:00:00 2001 +From: Shahar S Matityahu +Date: Wed, 29 May 2019 16:39:51 +0300 +Subject: [PATCH] iwlwifi: clear persistence bit according to device family +Git-commit: 44f61b5c832c4085fcf476484efeaeef96dcfb8b +Patch-mainline: v5.2-rc6 +References: bsc#1111666 + +The driver attempts to clear persistence bit on any device familiy even +though only 9000 and 22000 families require it. Clear the bit only on +the relevant device families. + +Each HW has different address to the write protection register. Use the +right register for each HW + +Signed-off-by: Shahar S Matityahu +Fixes: 8954e1eb2270 ("iwlwifi: trans: Clear persistence bit when starting the FW") +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intel/iwlwifi/iwl-prph.h | 7 +++ + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 44 ++++++++++++++++++------ + 2 files changed, 39 insertions(+), 12 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/iwl-prph.h ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-prph.h +@@ -401,7 +401,12 @@ enum aux_misc_master1_en { + #define AUX_MISC_MASTER1_SMPHR_STATUS 0xA20800 + #define RSA_ENABLE 0xA24B08 + #define PREG_AUX_BUS_WPROT_0 0xA04CC0 +-#define PREG_PRPH_WPROT_0 0xA04CE0 ++ ++/* device family 9000 WPROT register */ ++#define PREG_PRPH_WPROT_9000 0xA04CE0 ++/* device family 22000 WPROT register */ ++#define PREG_PRPH_WPROT_22000 0xA04D00 ++ + #define SB_CPU_1_STATUS 0xA01E30 + #define SB_CPU_2_STATUS 0xA01E34 + #define UMAG_SB_CPU_1_STATUS 0xA038C0 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -1730,10 +1730,39 @@ static int iwl_pcie_init_msix_handler(st + return 0; + } + ++static int iwl_trans_pcie_clear_persistence_bit(struct iwl_trans *trans) ++{ ++ u32 hpm, wprot; ++ ++ switch (trans->cfg->device_family) { ++ case IWL_DEVICE_FAMILY_9000: ++ wprot = PREG_PRPH_WPROT_9000; ++ break; ++ case IWL_DEVICE_FAMILY_22000: ++ wprot = PREG_PRPH_WPROT_22000; ++ break; ++ default: ++ return 0; ++ } ++ ++ hpm = iwl_trans_read_prph(trans, HPM_DEBUG); ++ if (hpm != 0xa5a5a5a0 && (hpm & PERSISTENCE_BIT)) { ++ u32 wprot_val = iwl_trans_read_prph(trans, wprot); ++ ++ if (wprot_val & PREG_WFPM_ACCESS) { ++ IWL_ERR(trans, ++ "Error, can not clear persistence bit\n"); ++ return -EPERM; ++ } ++ iwl_trans_write_prph(trans, HPM_DEBUG, hpm & ~PERSISTENCE_BIT); ++ } ++ ++ return 0; ++} ++ + static int _iwl_trans_pcie_start_hw(struct iwl_trans *trans, bool low_power) + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); +- u32 hpm; + int err; + + lockdep_assert_held(&trans_pcie->mutex); +@@ -1744,16 +1773,9 @@ static int _iwl_trans_pcie_start_hw(stru + return err; + } + +- hpm = iwl_trans_read_prph(trans, HPM_DEBUG); +- if (hpm != 0xa5a5a5a0 && (hpm & PERSISTENCE_BIT)) { +- if (iwl_trans_read_prph(trans, PREG_PRPH_WPROT_0) & +- PREG_WFPM_ACCESS) { +- IWL_ERR(trans, +- "Error, can not clear persistence bit\n"); +- return -EPERM; +- } +- iwl_trans_write_prph(trans, HPM_DEBUG, hpm & ~PERSISTENCE_BIT); +- } ++ err = iwl_trans_pcie_clear_persistence_bit(trans); ++ if (err) ++ return err; + + iwl_trans_pcie_sw_reset(trans); + diff --git a/patches.suse/iwlwifi-don-t-throw-error-when-trying-to-remove-IGTK.patch b/patches.suse/iwlwifi-don-t-throw-error-when-trying-to-remove-IGTK.patch new file mode 100644 index 0000000..9609b35 --- /dev/null +++ b/patches.suse/iwlwifi-don-t-throw-error-when-trying-to-remove-IGTK.patch @@ -0,0 +1,60 @@ +From 197288d5ba8a5289f22d3aeb4fca3824bfd9b4af Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Fri, 31 Jan 2020 15:45:25 +0200 +Subject: [PATCH] iwlwifi: don't throw error when trying to remove IGTK +Git-commit: 197288d5ba8a5289f22d3aeb4fca3824bfd9b4af +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +The IGTK keys are only removed by mac80211 after it has already +removed the AP station. This causes the driver to throw an error +because mac80211 is trying to remove the IGTK when the station doesn't +exist anymore. + +The firmware is aware that the station has been removed and can deal +with it the next time we try to add an IGTK for a station, so we +shouldn't try to remove the key if the station ID is +IWL_MVM_INVALID_STA. Do this by removing the check for mvm_sta before +calling iwl_mvm_send_sta_igtk() and check return from that function +gracefully if the station ID is invalid. + +Cc: stable@vger.kernel.org # 4.12+ +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +index 7b35f416404c..64ef3f3ba23b 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -3320,6 +3320,10 @@ static int iwl_mvm_send_sta_igtk(struct iwl_mvm *mvm, + igtk_cmd.sta_id = cpu_to_le32(sta_id); + + if (remove_key) { ++ /* This is a valid situation for IGTK */ ++ if (sta_id == IWL_MVM_INVALID_STA) ++ return 0; ++ + igtk_cmd.ctrl_flags |= cpu_to_le32(STA_KEY_NOT_VALID); + } else { + struct ieee80211_key_seq seq; +@@ -3574,9 +3578,9 @@ int iwl_mvm_remove_sta_key(struct iwl_mvm *mvm, + IWL_DEBUG_WEP(mvm, "mvm remove dynamic key: idx=%d sta=%d\n", + keyconf->keyidx, sta_id); + +- if (mvm_sta && (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC || +- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 || +- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256)) ++ if (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC || ++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 || ++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256) + return iwl_mvm_send_sta_igtk(mvm, keyconf, sta_id, true); + + if (!__test_and_clear_bit(keyconf->hw_key_idx, mvm->fw_key_table)) { +-- +2.16.4 + diff --git a/patches.suse/iwlwifi-mvm-fix-NVM-check-for-3168-devices.patch b/patches.suse/iwlwifi-mvm-fix-NVM-check-for-3168-devices.patch new file mode 100644 index 0000000..1444b3b --- /dev/null +++ b/patches.suse/iwlwifi-mvm-fix-NVM-check-for-3168-devices.patch @@ -0,0 +1,39 @@ +From b3f20e098293892388d6a0491d6bbb2efb46fbff Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Mon, 25 Nov 2019 13:21:58 +0200 +Subject: [PATCH] iwlwifi: mvm: fix NVM check for 3168 devices +Git-commit: b3f20e098293892388d6a0491d6bbb2efb46fbff +Patch-mainline: v5.5 +References: bsc#1051510 + +We had a check on !NVM_EXT and then a check for NVM_SDP in the else +block of this if. The else block, obviously, could only be reached if +using NVM_EXT, so it would never be NVM_SDP. + +Fix that by checking whether the nvm_type is IWL_NVM instead of +checking for !IWL_NVM_EXT to solve this issue. + +Reported-by: Stefan Sperling +Signed-off-by: Luca Coelho +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +index 945c1ea5cda8..493bcc54a848 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +@@ -281,7 +281,7 @@ iwl_parse_nvm_sections(struct iwl_mvm *mvm) + int regulatory_type; + + /* Checking for required sections */ +- if (mvm->trans->cfg->nvm_type != IWL_NVM_EXT) { ++ if (mvm->trans->cfg->nvm_type == IWL_NVM) { + if (!mvm->nvm_sections[NVM_SECTION_TYPE_SW].data || + !mvm->nvm_sections[mvm->cfg->nvm_hw_section_num].data) { + IWL_ERR(mvm, "Can't parse empty OTP/NVM sections\n"); +-- +2.16.4 + diff --git a/patches.suse/iwlwifi-trans-Clear-persistence-bit-when-starting-th.patch b/patches.suse/iwlwifi-trans-Clear-persistence-bit-when-starting-th.patch new file mode 100644 index 0000000..1f4d610 --- /dev/null +++ b/patches.suse/iwlwifi-trans-Clear-persistence-bit-when-starting-th.patch @@ -0,0 +1,111 @@ +From 8954e1eb2270fa2effffd031b4839253952c76f2 Mon Sep 17 00:00:00 2001 +From: Shahar S Matityahu +Date: Wed, 4 Jul 2018 15:31:36 +0300 +Subject: [PATCH] iwlwifi: trans: Clear persistence bit when starting the FW +Git-commit: 8954e1eb2270fa2effffd031b4839253952c76f2 +Patch-mainline: v5.0-rc1 +References: bsc#1111666 + +In D3 suspend flow in 9260 gen2 HW, the NIC receives two PERST signals. +The first PERST is expected and indicates the device on coming resume flow. +The second PERST causes FW restart FW restart. +In order to avoid this issue, the FW set the persistence bit on. +Once this bit is set, the FW ignores reset attempts. +The problem is when the FW gets assert during D3 and then the persistence +bit is set and causes the FW to ignore reset. +To handle this issue, the FW opens the preg bit which allows access +to the persistence bit, so that the driver clear the persistence bit +and reset the NIC. + +The flow is as follows: +the driver checks if the persistence bit is set. +If the bit is set, the driver checks if he can clear the bit. +If the driver can not clear the bit then there is no point to continue +configuring the NIC since it will fail. + +The fix was added is in start HW flow instead of the resume flow since in +general, if the persistence bit is set, the driver can not start the FW. +So it is good to check it when we start configuring the NIC. + +The driver does not need to close the preg bit since the FW close it +during the start flow. + +Signed-off-by: Shahar S Matityahu +Signed-off-by: Luca Coelho +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intel/iwlwifi/iwl-prph.h | 7 +++++++ + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 12 ++++++++++++ + 2 files changed, 19 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-prph.h b/drivers/net/wireless/intel/iwlwifi/iwl-prph.h +index 0f51c7bea8d0..2084c63dc670 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-prph.h ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-prph.h +@@ -8,6 +8,7 @@ + * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2014 Intel Mobile Communications GmbH + * Copyright(c) 2016 Intel Deutschland GmbH ++ * Copyright (C) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -30,6 +31,7 @@ + * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2014 Intel Mobile Communications GmbH + * Copyright(c) 2016 Intel Deutschland GmbH ++ * Copyright (C) 2018 Intel Corporation + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -394,6 +396,7 @@ enum aux_misc_master1_en { + #define AUX_MISC_MASTER1_SMPHR_STATUS 0xA20800 + #define RSA_ENABLE 0xA24B08 + #define PREG_AUX_BUS_WPROT_0 0xA04CC0 ++#define PREG_PRPH_WPROT_0 0xA04CE0 + #define SB_CPU_1_STATUS 0xA01E30 + #define SB_CPU_2_STATUS 0xA01E34 + #define UMAG_SB_CPU_1_STATUS 0xA038C0 +@@ -420,4 +423,8 @@ enum { + #define UREG_CHICK (0xA05C00) + #define UREG_CHICK_MSI_ENABLE BIT(24) + #define UREG_CHICK_MSIX_ENABLE BIT(25) ++ ++#define HPM_DEBUG 0xA03440 ++#define PERSISTENCE_BIT BIT(12) ++#define PREG_WFPM_ACCESS BIT(12) + #endif /* __iwl_prph_h__ */ +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +index 5bafb3f46eb8..890b51b223a1 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -1729,6 +1729,7 @@ static int iwl_pcie_init_msix_handler(struct pci_dev *pdev, + static int _iwl_trans_pcie_start_hw(struct iwl_trans *trans, bool low_power) + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); ++ u32 hpm; + int err; + + lockdep_assert_held(&trans_pcie->mutex); +@@ -1739,6 +1740,17 @@ static int _iwl_trans_pcie_start_hw(struct iwl_trans *trans, bool low_power) + return err; + } + ++ hpm = iwl_trans_read_prph(trans, HPM_DEBUG); ++ if (hpm != 0xa5a5a5a0 && (hpm & PERSISTENCE_BIT)) { ++ if (iwl_trans_read_prph(trans, PREG_PRPH_WPROT_0) & ++ PREG_WFPM_ACCESS) { ++ IWL_ERR(trans, ++ "Error, can not clear persistence bit\n"); ++ return -EPERM; ++ } ++ iwl_trans_write_prph(trans, HPM_DEBUG, hpm & ~PERSISTENCE_BIT); ++ } ++ + iwl_trans_pcie_sw_reset(trans); + + err = iwl_pcie_apm_init(trans); +-- +2.16.4 + diff --git a/patches.suse/jbd2-Fix-possible-overflow-in-jbd2_log_space_left.patch b/patches.suse/jbd2-Fix-possible-overflow-in-jbd2_log_space_left.patch new file mode 100644 index 0000000..9c92ca8 --- /dev/null +++ b/patches.suse/jbd2-Fix-possible-overflow-in-jbd2_log_space_left.patch @@ -0,0 +1,53 @@ +From add3efdd78b8a0478ce423bb9d4df6bd95e8b335 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 5 Nov 2019 17:44:07 +0100 +Subject: [PATCH] jbd2: Fix possible overflow in jbd2_log_space_left() +Git-commit: add3efdd78b8a0478ce423bb9d4df6bd95e8b335 +Patch-mainline: v5.5-rc1 +References: bsc#1163860 + +When number of free space in the journal is very low, the arithmetic in +jbd2_log_space_left() could underflow resulting in very high number of +free blocks and thus triggering assertion failure in transaction commit +code complaining there's not enough space in the journal: + +J_ASSERT(journal->j_free > 1); + +Properly check for the low number of free blocks. + +Cc: stable@vger.kernel.org +Reviewed-by: Theodore Ts'o +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + include/linux/jbd2.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h +index 603fbc4e2f70..10e6049c0ba9 100644 +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -1582,7 +1582,7 @@ static inline int jbd2_space_needed(journal_t *journal) + static inline unsigned long jbd2_log_space_left(journal_t *journal) + { + /* Allow for rounding errors */ +- unsigned long free = journal->j_free - 32; ++ long free = journal->j_free - 32; + + if (journal->j_committing_transaction) { + unsigned long committing = atomic_read(&journal-> +@@ -1591,7 +1591,7 @@ static inline unsigned long jbd2_log_space_left(journal_t *journal) + /* Transaction + control blocks */ + free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT); + } +- return free; ++ return max_t(long, free, 0); + } + + /* +-- +2.16.4 + diff --git a/patches.suse/jbd2-clear-JBD2_ABORT-flag-before-journal_reset-to-u.patch b/patches.suse/jbd2-clear-JBD2_ABORT-flag-before-journal_reset-to-u.patch new file mode 100644 index 0000000..518acf7 --- /dev/null +++ b/patches.suse/jbd2-clear-JBD2_ABORT-flag-before-journal_reset-to-u.patch @@ -0,0 +1,56 @@ +From a09decff5c32060639a685581c380f51b14e1fc2 Mon Sep 17 00:00:00 2001 +From: Kai Li +Date: Sat, 11 Jan 2020 10:25:42 +0800 +Subject: [PATCH] jbd2: clear JBD2_ABORT flag before journal_reset to update + log tail info when load journal +Git-commit: a09decff5c32060639a685581c380f51b14e1fc2 +Patch-mainline: v5.6-rc1 +References: bsc#1163862 + +If the journal is dirty when the filesystem is mounted, jbd2 will replay +the journal but the journal superblock will not be updated by +journal_reset() because JBD2_ABORT flag is still set (it was set in +journal_init_common()). This is problematic because when a new transaction +is then committed, it will be recorded in block 1 (journal->j_tail was set +to 1 in journal_reset()). If unclean shutdown happens again before the +journal superblock is updated, the new recorded transaction will not be +replayed during the next mount (because of stale sb->s_start and +sb->s_sequence values) which can lead to filesystem corruption. + +Fixes: 85e0c4e89c1b ("jbd2: if the journal is aborted then don't allow update of the log tail") +Signed-off-by: Kai Li +Link: https://lore.kernel.org/r/20200111022542.5008-1-li.kai4@h3c.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/jbd2/journal.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 5e408ee24a1a..069b22eba795 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1710,6 +1710,11 @@ int jbd2_journal_load(journal_t *journal) + journal->j_devname); + return -EFSCORRUPTED; + } ++ /* ++ * clear JBD2_ABORT flag initialized in journal_init_common ++ * here to update log tail information with the newest seq. ++ */ ++ journal->j_flags &= ~JBD2_ABORT; + + /* OK, we've finished with the dynamic journal bits: + * reinitialise the dynamic contents of the superblock in memory +@@ -1717,7 +1722,6 @@ int jbd2_journal_load(journal_t *journal) + if (journal_reset(journal)) + goto recovery_error; + +- journal->j_flags &= ~JBD2_ABORT; + journal->j_flags |= JBD2_LOADED; + return 0; + +-- +2.16.4 + diff --git a/patches.suse/jbd2-do-not-clear-the-BH_Mapped-flag-when-forgetting.patch b/patches.suse/jbd2-do-not-clear-the-BH_Mapped-flag-when-forgetting.patch new file mode 100644 index 0000000..c535cc9 --- /dev/null +++ b/patches.suse/jbd2-do-not-clear-the-BH_Mapped-flag-when-forgetting.patch @@ -0,0 +1,95 @@ +From c96dceeabf765d0b1b1f29c3bf50a5c01315b820 Mon Sep 17 00:00:00 2001 +From: "zhangyi (F)" +Date: Thu, 13 Feb 2020 14:38:21 +0800 +Subject: [PATCH] jbd2: do not clear the BH_Mapped flag when forgetting a + metadata buffer +Git-commit: c96dceeabf765d0b1b1f29c3bf50a5c01315b820 +Patch-mainline: v5.6-rc2 +References: bsc#1163836 + +Commit 904cdbd41d74 ("jbd2: clear dirty flag when revoking a buffer from +an older transaction") set the BH_Freed flag when forgetting a metadata +buffer which belongs to the committing transaction, it indicate the +committing process clear dirty bits when it is done with the buffer. But +it also clear the BH_Mapped flag at the same time, which may trigger +below NULL pointer oops when block_size < PAGE_SIZE. + +rmdir 1 kjournald2 mkdir 2 + jbd2_journal_commit_transaction + commit transaction N +jbd2_journal_forget +set_buffer_freed(bh1) + jbd2_journal_commit_transaction + commit transaction N+1 + ... + clear_buffer_mapped(bh1) + ext4_getblk(bh2 ummapped) + ... + grow_dev_page + init_page_buffers + bh1->b_private=NULL + bh2->b_private=NULL + jbd2_journal_put_journal_head(jh1) + __journal_remove_journal_head(hb1) + jh1 is NULL and trigger oops + +*) Dir entry block bh1 and bh2 belongs to one page, and the bh2 has + already been unmapped. + +For the metadata buffer we forgetting, we should always keep the mapped +flag and clear the dirty flags is enough, so this patch pick out the +these buffers and keep their BH_Mapped flag. + +Link: https://lore.kernel.org/r/20200213063821.30455-3-yi.zhang@huawei.com +Fixes: 904cdbd41d74 ("jbd2: clear dirty flag when revoking a buffer from an older transaction") +Reviewed-by: Jan Kara +Signed-off-by: zhangyi (F) +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Acked-by: Jan Kara + +--- + fs/jbd2/commit.c | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index 6396fe70085b..27373f5792a4 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -985,12 +985,29 @@ void jbd2_journal_commit_transaction(journal_t *journal) + * pagesize and it is attached to the last partial page. + */ + if (buffer_freed(bh) && !jh->b_next_transaction) { ++ struct address_space *mapping; ++ + clear_buffer_freed(bh); + clear_buffer_jbddirty(bh); +- clear_buffer_mapped(bh); +- clear_buffer_new(bh); +- clear_buffer_req(bh); +- bh->b_bdev = NULL; ++ ++ /* ++ * Block device buffers need to stay mapped all the ++ * time, so it is enough to clear buffer_jbddirty and ++ * buffer_freed bits. For the file mapping buffers (i.e. ++ * journalled data) we need to unmap buffer and clear ++ * more bits. We also need to be careful about the check ++ * because the data page mapping can get cleared under ++ * out hands, which alse need not to clear more bits ++ * because the page and buffers will be freed and can ++ * never be reused once we are done with them. ++ */ ++ mapping = READ_ONCE(bh->b_page->mapping); ++ if (mapping && !sb_is_blkdev_sb(mapping->host->i_sb)) { ++ clear_buffer_mapped(bh); ++ clear_buffer_new(bh); ++ clear_buffer_req(bh); ++ bh->b_bdev = NULL; ++ } + } + + if (buffer_jbddirty(bh)) { +-- +2.16.4 + diff --git a/patches.suse/jbd2-make-sure-ESHUTDOWN-to-be-recorded-in-the-journ.patch b/patches.suse/jbd2-make-sure-ESHUTDOWN-to-be-recorded-in-the-journ.patch new file mode 100644 index 0000000..d38a74b --- /dev/null +++ b/patches.suse/jbd2-make-sure-ESHUTDOWN-to-be-recorded-in-the-journ.patch @@ -0,0 +1,44 @@ +From 0e98c084a21177ef136149c6a293b3d1eb33ff92 Mon Sep 17 00:00:00 2001 +From: "zhangyi (F)" +Date: Wed, 4 Dec 2019 20:46:13 +0800 +Subject: [PATCH] jbd2: make sure ESHUTDOWN to be recorded in the journal + superblock +Git-commit: 0e98c084a21177ef136149c6a293b3d1eb33ff92 +Patch-mainline: v5.6-rc1 +References: bsc#1163863 + +Commit fb7c02445c49 ("ext4: pass -ESHUTDOWN code to jbd2 layer") want +to allow jbd2 layer to distinguish shutdown journal abort from other +error cases. So the ESHUTDOWN should be taken precedence over any other +errno which has already been recoded after EXT4_FLAGS_SHUTDOWN is set, +but it only update errno in the journal suoerblock now if the old errno +is 0. + +Fixes: fb7c02445c49 ("ext4: pass -ESHUTDOWN code to jbd2 layer") +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20191204124614.45424-4-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/jbd2/journal.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 9e9275540071..a821c469cab6 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -2147,8 +2147,7 @@ static void __journal_abort_soft (journal_t *journal, int errno) + + if (journal->j_flags & JBD2_ABORT) { + write_unlock(&journal->j_state_lock); +- if (!old_errno && old_errno != -ESHUTDOWN && +- errno == -ESHUTDOWN) ++ if (old_errno != -ESHUTDOWN && errno == -ESHUTDOWN) + jbd2_journal_update_sb_errno(journal); + return; + } +-- +2.16.4 + diff --git a/patches.suse/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch b/patches.suse/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch new file mode 100644 index 0000000..8fe0263 --- /dev/null +++ b/patches.suse/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch @@ -0,0 +1,100 @@ +From 6a66a7ded12baa6ebbb2e3e82f8cb91382814839 Mon Sep 17 00:00:00 2001 +From: "zhangyi (F)" +Date: Thu, 13 Feb 2020 14:38:20 +0800 +Subject: [PATCH] jbd2: move the clearing of b_modified flag to the + journal_unmap_buffer() +Git-commit: 6a66a7ded12baa6ebbb2e3e82f8cb91382814839 +Patch-mainline: v5.6-rc2 +References: bsc#1163880 + +There is no need to delay the clearing of b_modified flag to the +transaction committing time when unmapping the journalled buffer, so +just move it to the journal_unmap_buffer(). + +Link: https://lore.kernel.org/r/20200213063821.30455-2-yi.zhang@huawei.com +Reviewed-by: Jan Kara +Signed-off-by: zhangyi (F) +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Acked-by: Jan Kara + +--- + fs/jbd2/commit.c | 43 +++++++++++++++---------------------------- + fs/jbd2/transaction.c | 10 ++++++---- + 2 files changed, 21 insertions(+), 32 deletions(-) + +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -969,34 +969,21 @@ restart_loop: + * it. */ + + /* +- * A buffer which has been freed while still being journaled by +- * a previous transaction. +- */ +- if (buffer_freed(bh)) { +- /* +- * If the running transaction is the one containing +- * "add to orphan" operation (b_next_transaction != +- * NULL), we have to wait for that transaction to +- * commit before we can really get rid of the buffer. +- * So just clear b_modified to not confuse transaction +- * credit accounting and refile the buffer to +- * BJ_Forget of the running transaction. If the just +- * committed transaction contains "add to orphan" +- * operation, we can completely invalidate the buffer +- * now. We are rather through in that since the +- * buffer may be still accessible when blocksize < +- * pagesize and it is attached to the last partial +- * page. +- */ +- jh->b_modified = 0; +- if (!jh->b_next_transaction) { +- clear_buffer_freed(bh); +- clear_buffer_jbddirty(bh); +- clear_buffer_mapped(bh); +- clear_buffer_new(bh); +- clear_buffer_req(bh); +- bh->b_bdev = NULL; +- } ++ * A buffer which has been freed while still being journaled ++ * by a previous transaction, refile the buffer to BJ_Forget of ++ * the running transaction. If the just committed transaction ++ * contains "add to orphan" operation, we can completely ++ * invalidate the buffer now. We are rather through in that ++ * since the buffer may be still accessible when blocksize < ++ * pagesize and it is attached to the last partial page. ++ */ ++ if (buffer_freed(bh) && !jh->b_next_transaction) { ++ clear_buffer_freed(bh); ++ clear_buffer_jbddirty(bh); ++ clear_buffer_mapped(bh); ++ clear_buffer_new(bh); ++ clear_buffer_req(bh); ++ bh->b_bdev = NULL; + } + + if (buffer_jbddirty(bh)) { +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -2231,14 +2231,16 @@ static int journal_unmap_buffer(journal_ + return -EBUSY; + } + /* +- * OK, buffer won't be reachable after truncate. We just set +- * j_next_transaction to the running transaction (if there is +- * one) and mark buffer as freed so that commit code knows it +- * should clear dirty bits when it is done with the buffer. ++ * OK, buffer won't be reachable after truncate. We just clear ++ * b_modified to not confuse transaction credit accounting, and ++ * set j_next_transaction to the running transaction (if there ++ * is one) and mark buffer as freed so that commit code knows ++ * it should clear dirty bits when it is done with the buffer. + */ + set_buffer_freed(bh); + if (journal->j_running_transaction && buffer_jbddirty(bh)) + jh->b_next_transaction = journal->j_running_transaction; ++ jh->b_modified = 0; + jbd2_journal_put_journal_head(jh); + spin_unlock(&journal->j_list_lock); + jbd_unlock_bh_state(bh); diff --git a/patches.suse/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch b/patches.suse/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch new file mode 100644 index 0000000..91762ac --- /dev/null +++ b/patches.suse/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch @@ -0,0 +1,51 @@ +From d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9 Mon Sep 17 00:00:00 2001 +From: "zhangyi (F)" +Date: Wed, 4 Dec 2019 20:46:11 +0800 +Subject: [PATCH] jbd2: switch to use jbd2_journal_abort() when failed to + submit the commit record +Git-commit: d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9 +Patch-mainline: v5.6-rc1 +References: bsc#1163852 + +We invoke jbd2_journal_abort() to abort the journal and record errno +in the jbd2 superblock when committing journal transaction besides the +failure on submitting the commit record. But there is no need for the +case and we can also invoke jbd2_journal_abort() instead of +__jbd2_journal_abort_hard(). + +Fixes: 818d276ceb83a ("ext4: Add the journal checksum feature") +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20191204124614.45424-2-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/jbd2/commit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index 7f0b362b3842..2494095e0340 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -782,7 +782,7 @@ void jbd2_journal_commit_transaction(journal_t *journal) + err = journal_submit_commit_record(journal, commit_transaction, + &cbh, crc32_sum); + if (err) +- __jbd2_journal_abort_hard(journal); ++ jbd2_journal_abort(journal, err); + } + + blk_finish_plug(&plug); +@@ -875,7 +875,7 @@ void jbd2_journal_commit_transaction(journal_t *journal) + err = journal_submit_commit_record(journal, commit_transaction, + &cbh, crc32_sum); + if (err) +- __jbd2_journal_abort_hard(journal); ++ jbd2_journal_abort(journal, err); + } + if (cbh) + err = journal_wait_on_commit_record(journal, cbh); +-- +2.16.4 + diff --git a/patches.suse/kconfig-fix-broken-dependency-in-randconfig-generate.patch b/patches.suse/kconfig-fix-broken-dependency-in-randconfig-generate.patch new file mode 100644 index 0000000..130b184 --- /dev/null +++ b/patches.suse/kconfig-fix-broken-dependency-in-randconfig-generate.patch @@ -0,0 +1,46 @@ +From c8fb7d7e48d11520ad24808cfce7afb7b9c9f798 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Sat, 1 Feb 2020 14:03:11 +0900 +Subject: [PATCH] kconfig: fix broken dependency in randconfig-generated .config +Git-commit: c8fb7d7e48d11520ad24808cfce7afb7b9c9f798 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Running randconfig on arm64 using KCONFIG_SEED=0x40C5E904 (e.g. on v5.5) +produces the .config with CONFIG_EFI=y and CONFIG_CPU_BIG_ENDIAN=y, +which does not meet the !CONFIG_CPU_BIG_ENDIAN dependency. + +This is because the user choice for CONFIG_CPU_LITTLE_ENDIAN vs +CONFIG_CPU_BIG_ENDIAN is set by randomize_choice_values() after the +value of CONFIG_EFI is calculated. + +When this happens, the has_changed flag should be set. + +Currently, it takes the result from the last iteration. It should +accumulate all the results of the loop. + +Fixes: 3b9a19e08960 ("kconfig: loop as long as we changed some symbols in randconfig") +Reported-by: Vincenzo Frascino +Signed-off-by: Masahiro Yamada +Acked-by: Takashi Iwai + +--- + scripts/kconfig/confdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c +index 11f6c72c2eee..63d307b0d1ac 100644 +--- a/scripts/kconfig/confdata.c ++++ b/scripts/kconfig/confdata.c +@@ -1312,7 +1312,7 @@ bool conf_set_all_new_symbols(enum conf_def_mode mode) + + sym_calc_value(csym); + if (mode == def_random) +- has_changed = randomize_choice_values(csym); ++ has_changed |= randomize_choice_values(csym); + else { + set_all_choice_values(csym); + has_changed = true; +-- +2.16.4 + diff --git a/patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions b/patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions new file mode 100644 index 0000000..6993706 --- /dev/null +++ b/patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions @@ -0,0 +1,87 @@ +From: Oliver Upton +Date: Tue, 4 Feb 2020 15:26:31 -0800 +Subject: KVM: nVMX: Check IO instruction VM-exit conditions +Git-commit: 35a571346a94fb93b5b3b6a599675ef3384bc75c +References: CVE-2020-2732 bsc#1163971 +Patch-mainline: v5.6-rc4 + +Consult the 'unconditional IO exiting' and 'use IO bitmaps' VM-execution +controls when checking instruction interception. If the 'use IO bitmaps' +VM-execution control is 1, check the instruction access against the IO +bitmaps to determine if the instruction causes a VM-exit. + +Signed-off-by: Oliver Upton +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/vmx/nested.c | 2 +- + arch/x86/kvm/vmx/vmx.c | 57 ++++++++++++++++++++++++++++++++++++++++++----- + 2 files changed, 52 insertions(+), 7 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8570,7 +8570,7 @@ static bool nested_vmx_exit_handled_io(s + struct vmcs12 *vmcs12) + { + unsigned long exit_qualification; +- unsigned int port; ++ unsigned short port; + int size; + + if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) +@@ -12386,10 +12386,55 @@ static void nested_vmx_entry_failure(str + to_vmx(vcpu)->nested.sync_shadow_vmcs = true; + } + ++static int vmx_check_intercept_io(struct kvm_vcpu *vcpu, ++ struct x86_instruction_info *info) ++{ ++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu); ++ unsigned short port; ++ bool intercept; ++ int size; ++ ++ if (info->intercept == x86_intercept_in || ++ info->intercept == x86_intercept_ins) { ++ port = info->src_val; ++ size = info->dst_bytes; ++ } else { ++ port = info->dst_val; ++ size = info->src_bytes; ++ } ++ ++ /* ++ * If the 'use IO bitmaps' VM-execution control is 0, IO instruction ++ * VM-exits depend on the 'unconditional IO exiting' VM-execution ++ * control. ++ * ++ * Otherwise, IO instruction VM-exits are controlled by the IO bitmaps. ++ */ ++ if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) ++ intercept = nested_cpu_has(vmcs12, ++ CPU_BASED_UNCOND_IO_EXITING); ++ else ++ intercept = nested_vmx_check_io_bitmaps(vcpu, port, size); ++ ++ return intercept ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; ++} ++ + static int vmx_check_intercept(struct kvm_vcpu *vcpu, + struct x86_instruction_info *info, + enum x86_intercept_stage stage) + { ++ switch (info->intercept) { ++ case x86_intercept_in: ++ case x86_intercept_ins: ++ case x86_intercept_out: ++ case x86_intercept_outs: ++ return vmx_check_intercept_io(vcpu, info); ++ ++ /* TODO: check more intercepts... */ ++ default: ++ break; ++ } ++ + return X86EMUL_UNHANDLEABLE; + } + diff --git a/patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode b/patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode new file mode 100644 index 0000000..dc989c6 --- /dev/null +++ b/patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode @@ -0,0 +1,31 @@ +From: Paolo Bonzini +Date: Tue, 4 Feb 2020 15:26:29 -0800 +Subject: KVM: nVMX: Don't emulate instructions in guest mode +Git-commit: 07721feee46b4b248402133228235318199b05ec +References: CVE-2020-2732 bsc#1163971 +Patch-mainline: v5.6-rc4 + +vmx_check_intercept is not yet fully implemented. To avoid emulating +instructions disallowed by the L1 hypervisor, refuse to emulate +instructions by default. + +Cc: stable@vger.kernel.org +[Made commit, added commit msg - Oliver] +Signed-off-by: Oliver Upton +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/vmx/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -12378,7 +12378,7 @@ static int vmx_check_intercept(struct kv + struct x86_instruction_info *info, + enum x86_intercept_stage stage) + { +- return X86EMUL_CONTINUE; ++ return X86EMUL_UNHANDLEABLE; + } + + #ifdef CONFIG_X86_64 diff --git a/patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function b/patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function new file mode 100644 index 0000000..f67b2f3 --- /dev/null +++ b/patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function @@ -0,0 +1,78 @@ +From: Oliver Upton +Date: Tue, 4 Feb 2020 15:26:30 -0800 +Subject: KVM: nVMX: Refactor IO bitmap checks into helper function +Git-commit: e71237d3ff1abf9f3388337cfebf53b96df2020d +References: CVE-2020-2732 bsc#1163971 +Patch-mainline: v5.6-rc4 + +Checks against the IO bitmap are useful for both instruction emulation +and VM-exit reflection. Refactor the IO bitmap checks into a helper +function. + +Signed-off-by: Oliver Upton +Reviewed-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/vmx/nested.c | 39 +++++++++++++++++++++++++-------------- + arch/x86/kvm/vmx/nested.h | 2 ++ + 2 files changed, 27 insertions(+), 14 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8529,23 +8529,17 @@ static int (*const kvm_vmx_exit_handlers + static const int kvm_vmx_max_exit_handlers = + ARRAY_SIZE(kvm_vmx_exit_handlers); + +-static bool nested_vmx_exit_handled_io(struct kvm_vcpu *vcpu, +- struct vmcs12 *vmcs12) ++/* ++ * Return true if an IO instruction with the specified port and size should cause ++ * a VM-exit into L1. ++ */ ++static bool nested_vmx_check_io_bitmaps(struct kvm_vcpu *vcpu, unsigned int port, ++ int size) + { +- unsigned long exit_qualification; ++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu); + gpa_t bitmap, last_bitmap; +- unsigned int port; +- int size; + u8 b; + +- if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) +- return nested_cpu_has(vmcs12, CPU_BASED_UNCOND_IO_EXITING); +- +- exit_qualification = vmcs_readl(EXIT_QUALIFICATION); +- +- port = exit_qualification >> 16; +- size = (exit_qualification & 7) + 1; +- + last_bitmap = (gpa_t)-1; + b = -1; + +@@ -8572,6 +8566,24 @@ static bool nested_vmx_exit_handled_io(s + return false; + } + ++static bool nested_vmx_exit_handled_io(struct kvm_vcpu *vcpu, ++ struct vmcs12 *vmcs12) ++{ ++ unsigned long exit_qualification; ++ unsigned int port; ++ int size; ++ ++ if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) ++ return nested_cpu_has(vmcs12, CPU_BASED_UNCOND_IO_EXITING); ++ ++ exit_qualification = vmcs_readl(EXIT_QUALIFICATION); ++ ++ port = exit_qualification >> 16; ++ size = (exit_qualification & 7) + 1; ++ ++ return nested_vmx_check_io_bitmaps(vcpu, port, size); ++} ++ + /* + * Return 1 if we should exit from L2 to L1 to handle an MSR access access, + * rather than handle it ourselves in L0. I.e., check whether L1 expressed diff --git a/patches.suse/kvm-svm-override-default-mmio-mask-if-memory-encryption-is-enabled b/patches.suse/kvm-svm-override-default-mmio-mask-if-memory-encryption-is-enabled new file mode 100644 index 0000000..ed93263 --- /dev/null +++ b/patches.suse/kvm-svm-override-default-mmio-mask-if-memory-encryption-is-enabled @@ -0,0 +1,87 @@ +From: Tom Lendacky +Date: Thu, 9 Jan 2020 17:42:16 -0600 +Subject: KVM: SVM: Override default MMIO mask if memory encryption is enabled +Git-commit: 52918ed5fcf05d97d257f4131e19479da18f5d16 +Patch-mainline: v5.6-rc1 +References: bsc#1162618 + +The KVM MMIO support uses bit 51 as the reserved bit to cause nested page +faults when a guest performs MMIO. The AMD memory encryption support uses +a CPUID function to define the encryption bit position. Given this, it is +possible that these bits can conflict. + +Use svm_hardware_setup() to override the MMIO mask if memory encryption +support is enabled. Various checks are performed to ensure that the mask +is properly defined and rsvd_bits() is used to generate the new mask (as +was done prior to the change that necessitated this patch). + +Fixes: 28a1f3ac1d0c ("kvm: x86: Set highest physical address bits in non-present/reserved SPTEs") +Suggested-by: Sean Christopherson +Reviewed-by: Sean Christopherson +Signed-off-by: Tom Lendacky +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/svm.c | 43 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1271,6 +1271,47 @@ static void shrink_ple_window(struct kvm + control->pause_filter_count, old); + } + ++/* ++ * The default MMIO mask is a single bit (excluding the present bit), ++ * which could conflict with the memory encryption bit. Check for ++ * memory encryption support and override the default MMIO mask if ++ * memory encryption is enabled. ++ */ ++static __init void svm_adjust_mmio_mask(void) ++{ ++ unsigned int enc_bit, mask_bit; ++ u64 msr, mask; ++ ++ /* If there is no memory encryption support, use existing mask */ ++ if (cpuid_eax(0x80000000) < 0x8000001f) ++ return; ++ ++ /* If memory encryption is not enabled, use existing mask */ ++ rdmsrl(MSR_K8_SYSCFG, msr); ++ if (!(msr & MSR_K8_SYSCFG_MEM_ENCRYPT)) ++ return; ++ ++ enc_bit = cpuid_ebx(0x8000001f) & 0x3f; ++ mask_bit = boot_cpu_data.x86_phys_bits; ++ ++ /* Increment the mask bit if it is the same as the encryption bit */ ++ if (enc_bit == mask_bit) ++ mask_bit++; ++ ++ /* ++ * If the mask bit location is below 52, then some bits above the ++ * physical addressing limit will always be reserved, so use the ++ * rsvd_bits() function to generate the mask. This mask, along with ++ * the present bit, will be used to generate a page fault with ++ * PFER.RSV = 1. ++ * ++ * If the mask bit location is 52 (or above), then clear the mask. ++ */ ++ mask = (mask_bit < 52) ? rsvd_bits(mask_bit, 51) | PT_PRESENT_MASK : 0; ++ ++ kvm_mmu_set_mmio_spte_mask(mask, mask); ++} ++ + static __init int svm_hardware_setup(void) + { + int cpu; +@@ -1325,6 +1366,8 @@ static __init int svm_hardware_setup(voi + } + } + ++ svm_adjust_mmio_mask(); ++ + for_each_possible_cpu(cpu) { + r = svm_cpu_init(cpu); + if (r) + diff --git a/patches.suse/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch b/patches.suse/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch new file mode 100644 index 0000000..fd8cc48 --- /dev/null +++ b/patches.suse/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch @@ -0,0 +1,51 @@ +From 4e456fee215677584cafa7f67298a76917e89c64 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 30 Jan 2020 22:16:37 -0800 +Subject: [PATCH] lib/scatterlist.c: adjust indentation in __sg_alloc_table +Git-commit: 4e456fee215677584cafa7f67298a76917e89c64 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Clang warns: + + ../lib/scatterlist.c:314:5: warning: misleading indentation; statement + is not part of the previous 'if' [-Wmisleading-indentation] + return -ENOMEM; + ^ + ../lib/scatterlist.c:311:4: note: previous statement is here + if (prv) + ^ + 1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Remove it so that the indentation is consistent with the Linux +kernel coding style and clang no longer warns. + +Link: http://lkml.kernel.org/r/20191218033606.11942-1-natechancellor@gmail.com +Link: https://github.com/ClangBuiltLinux/linux/issues/830 +Fixes: edce6820a9fd ("scatterlist: prevent invalid free when alloc fails") +Signed-off-by: Nathan Chancellor +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + lib/scatterlist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/scatterlist.c b/lib/scatterlist.c +index c2cf2c311b7d..5813072bc589 100644 +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -311,7 +311,7 @@ int __sg_alloc_table(struct sg_table *table, unsigned int nents, + if (prv) + table->nents = ++table->orig_nents; + +- return -ENOMEM; ++ return -ENOMEM; + } + + sg_init_table(sg, alloc_size); +-- +2.16.4 + diff --git a/patches.suse/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krea.patch b/patches.suse/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krea.patch new file mode 100644 index 0000000..6cfe632 --- /dev/null +++ b/patches.suse/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krea.patch @@ -0,0 +1,43 @@ +From 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 30 Jan 2020 22:13:51 -0800 +Subject: [PATCH] lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() +Git-commit: 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +In case memory resources for _ptr2_ were allocated, release them before +return. + +Notice that in case _ptr1_ happens to be NULL, krealloc() behaves +exactly like kmalloc(). + +Addresses-coverity-id: 1490594 ("Resource leak") +Link: http://lkml.kernel.org/r/20200123160115.GA4202@embeddedor +Fixes: 3f15801cdc23 ("lib: add kasan test module") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Dmitry Vyukov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + lib/test_kasan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/test_kasan.c b/lib/test_kasan.c +index 328d33beae36..3872d250ed2c 100644 +--- a/lib/test_kasan.c ++++ b/lib/test_kasan.c +@@ -158,6 +158,7 @@ static noinline void __init kmalloc_oob_krealloc_more(void) + if (!ptr1 || !ptr2) { + pr_err("Allocation failed\n"); + kfree(ptr1); ++ kfree(ptr2); + return; + } + +-- +2.16.4 + diff --git a/patches.suse/libertas-Fix-two-buffer-overflows-at-parsing-bss-des.patch b/patches.suse/libertas-Fix-two-buffer-overflows-at-parsing-bss-des.patch index 18a7bcc..3b2b121 100644 --- a/patches.suse/libertas-Fix-two-buffer-overflows-at-parsing-bss-des.patch +++ b/patches.suse/libertas-Fix-two-buffer-overflows-at-parsing-bss-des.patch @@ -3,8 +3,7 @@ From: Wen Huang Date: Thu, 28 Nov 2019 18:51:04 +0800 Subject: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor Git-commit: e5e884b42639c74b5b57dc277909915c0aefc8bb -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git -Patch-mainline: Queued in subsystem maintainer repo +Patch-mainline: v5.5 References: CVE-2019-14896 bsc#1157157 CVE-2019-14897 bsc#1157155 add_ie_rates() copys rates without checking the length diff --git a/patches.suse/libertas-dont-exit-from-lbs_ibss_join_existing-with.patch b/patches.suse/libertas-dont-exit-from-lbs_ibss_join_existing-with.patch index 164e213..27654de 100644 --- a/patches.suse/libertas-dont-exit-from-lbs_ibss_join_existing-with.patch +++ b/patches.suse/libertas-dont-exit-from-lbs_ibss_join_existing-with.patch @@ -1,8 +1,8 @@ From: Nicolai Stange Subject: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Date: Tue, 14 Jan 2020 11:39:02 +0100 -Message-id: <20200114103903.2336-2-nstange@suse.de> -Patch-mainline: Submitted, linux-wireless ML +Git-commit: c7bf1fb7ddca331780b9a733ae308737b39f1ad4 +Patch-mainline: v5.6-rc1 References: CVE-2019-14896 bsc#1157157 CVE-2019-14897 bsc#1157155 Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss @@ -14,6 +14,7 @@ critical section without a corresponding rcu_read_unlock(). Fix this. Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") Signed-off-by: Nicolai Stange +Signed-off-by: Kalle Valo Acked-by: Takashi Iwai --- diff --git a/patches.suse/libertas-make-lbs_ibss_join_existing-return-error.patch b/patches.suse/libertas-make-lbs_ibss_join_existing-return-error.patch index 8666097..d873a96 100644 --- a/patches.suse/libertas-make-lbs_ibss_join_existing-return-error.patch +++ b/patches.suse/libertas-make-lbs_ibss_join_existing-return-error.patch @@ -1,8 +1,8 @@ From: Nicolai Stange Subject: [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Date: Tue, 14 Jan 2020 11:39:03 +0100 -Message-id: <20200114103903.2336-3-nstange@suse.de> -Patch-mainline: Submitted, linux-wireless ML +Git-commit: 1754c4f60aaf1e17d886afefee97e94d7f27b4cb +Patch-mainline: v5.6-rc1 References: CVE-2019-14896 bsc#1157157 CVE-2019-14897 bsc#1157155 Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss @@ -18,6 +18,7 @@ number of supplied rates fails. Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") Signed-off-by: Nicolai Stange +Signed-off-by: Kalle Valo Acked-by: Takashi Iwai --- diff --git a/patches.suse/libnvdimm-namespace-Differentiate-between-probe-mapp.patch b/patches.suse/libnvdimm-namespace-Differentiate-between-probe-mapp.patch new file mode 100644 index 0000000..47860b9 --- /dev/null +++ b/patches.suse/libnvdimm-namespace-Differentiate-between-probe-mapp.patch @@ -0,0 +1,359 @@ +From 8f4b01fcded2dc821349cc0edfa5311c05abe293 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Thu, 31 Oct 2019 16:27:41 +0530 +Subject: [PATCH] libnvdimm/namespace: Differentiate between probe mapping and + runtime mapping +Git-commit: 8f4b01fcded2dc821349cc0edfa5311c05abe293 +Patch-mainline: v5.5-rc1 +References: bsc#1153535 + +The nvdimm core currently maps the full namespace to an ioremap range +while probing the namespace mode. This can result in probe failures on +architectures that have limited ioremap space. + +For example, with a large btt namespace that consumes most of I/O remap +range, depending on the sequence of namespace initialization, the user +can find a pfn namespace initialization failure due to unavailable I/O +remap space which nvdimm core uses for temporary mapping. + +nvdimm core can avoid this failure by only mapping the reserved info +block area to check for pfn superblock type and map the full namespace +resource only before using the namespace. + +Given that personalities like BTT can be layered on top of any namespace +type create a generic form of devm_nsio_enable (devm_namespace_enable) +and use it inside the per-personality attach routines. Now +devm_namespace_enable() is always paired with disable unless the mapping +is going to be used for long term runtime access. + +Signed-off-by: Aneesh Kumar K.V +Link: https://lore.kernel.org/r/20191017073308.32645-1-aneesh.kumar@linux.ibm.com +[djbw: reworks to move devm_namespace_{en,dis}able into *attach helpers] +Reported-by: kbuild test robot +Link: https://lore.kernel.org/r/20191031105741.102793-2-aneesh.kumar@linux.ibm.com +Signed-off-by: Dan Williams +Acked-by: Jan Kara +[On 4.12 we don't have drivers/dax/pmem/core.c, the code is in +drivers/dax/pmem.c +We don't have commit a3619190d62e ("libnvdimm/pfn: stop padding pmem +namespaces to section alignment") which requires some context adjustment +and adds one more patch site for replacing info_block_reserve] +Acked-by: Michal Suchanek +--- + drivers/dax/pmem/core.c | 6 +++--- + drivers/nvdimm/btt.c | 10 ++++++++-- + drivers/nvdimm/claim.c | 14 ++++++-------- + drivers/nvdimm/namespace_devs.c | 17 +++++++++++++++++ + drivers/nvdimm/nd-core.h | 17 +++++++++++++++++ + drivers/nvdimm/nd.h | 20 +++++++++----------- + drivers/nvdimm/pfn_devs.c | 18 +++++++++++------- + drivers/nvdimm/pmem.c | 17 +++++++++++++---- + 8 files changed, 84 insertions(+), 35 deletions(-) + +--- a/drivers/nvdimm/btt.c ++++ b/drivers/nvdimm/btt.c +@@ -1670,7 +1670,8 @@ int nvdimm_namespace_attach_btt(struct n + struct nd_region *nd_region; + struct btt_sb *btt_sb; + struct btt *btt; +- size_t rawsize; ++ size_t size, rawsize; ++ int rc; + + if (!nd_btt->uuid || !nd_btt->ndns || !nd_btt->lbasize) { + dev_dbg(&nd_btt->dev, "incomplete btt configuration\n"); +@@ -1681,6 +1682,11 @@ int nvdimm_namespace_attach_btt(struct n + if (!btt_sb) + return -ENOMEM; + ++ size = nvdimm_namespace_capacity(ndns); ++ rc = devm_namespace_enable(&nd_btt->dev, ndns, size); ++ if (rc) ++ return rc; ++ + /* + * If this returns < 0, that is ok as it just means there wasn't + * an existing BTT, and we're creating a new one. We still need to +@@ -1689,7 +1695,7 @@ int nvdimm_namespace_attach_btt(struct n + */ + nd_btt_version(nd_btt, ndns, btt_sb); + +- rawsize = nvdimm_namespace_capacity(ndns) - nd_btt->initial_offset; ++ rawsize = size - nd_btt->initial_offset; + if (rawsize < ARENA_MIN_SIZE) { + dev_dbg(&nd_btt->dev, "%s must be at least %ld bytes\n", + dev_name(&ndns->dev), +--- a/drivers/nvdimm/claim.c ++++ b/drivers/nvdimm/claim.c +@@ -306,13 +306,14 @@ static int nsio_rw_bytes(struct nd_names + return rc; + } + +-int devm_nsio_enable(struct device *dev, struct nd_namespace_io *nsio) ++int devm_nsio_enable(struct device *dev, struct nd_namespace_io *nsio, ++ resource_size_t size) + { + struct resource *res = &nsio->res; + struct nd_namespace_common *ndns = &nsio->common; + +- nsio->size = resource_size(res); +- if (!devm_request_mem_region(dev, res->start, resource_size(res), ++ nsio->size = size; ++ if (!devm_request_mem_region(dev, res->start, size, + dev_name(&ndns->dev))) { + dev_warn(dev, "could not reserve region %pR\n", res); + return -EBUSY; +@@ -324,12 +325,10 @@ int devm_nsio_enable(struct device *dev, + nvdimm_badblocks_populate(to_nd_region(ndns->dev.parent), &nsio->bb, + &nsio->res); + +- nsio->addr = devm_memremap(dev, res->start, resource_size(res), +- ARCH_MEMREMAP_PMEM); ++ nsio->addr = devm_memremap(dev, res->start, size, ARCH_MEMREMAP_PMEM); + + return PTR_ERR_OR_ZERO(nsio->addr); + } +-EXPORT_SYMBOL_GPL(devm_nsio_enable); + + void devm_nsio_disable(struct device *dev, struct nd_namespace_io *nsio) + { +@@ -337,6 +336,5 @@ void devm_nsio_disable(struct device *de + + devm_memunmap(dev, nsio->addr); + devm_exit_badblocks(dev, &nsio->bb); +- devm_release_mem_region(dev, res->start, resource_size(res)); ++ devm_release_mem_region(dev, res->start, nsio->size); + } +-EXPORT_SYMBOL_GPL(devm_nsio_disable); +--- a/drivers/nvdimm/namespace_devs.c ++++ b/drivers/nvdimm/namespace_devs.c +@@ -1771,6 +1771,23 @@ struct nd_namespace_common *nvdimm_names + } + EXPORT_SYMBOL(nvdimm_namespace_common_probe); + ++int devm_namespace_enable(struct device *dev, struct nd_namespace_common *ndns, ++ resource_size_t size) ++{ ++ if (is_namespace_blk(&ndns->dev)) ++ return 0; ++ return devm_nsio_enable(dev, to_nd_namespace_io(&ndns->dev), size); ++} ++EXPORT_SYMBOL_GPL(devm_namespace_enable); ++ ++void devm_namespace_disable(struct device *dev, struct nd_namespace_common *ndns) ++{ ++ if (is_namespace_blk(&ndns->dev)) ++ return; ++ devm_nsio_disable(dev, to_nd_namespace_io(&ndns->dev)); ++} ++EXPORT_SYMBOL_GPL(devm_namespace_disable); ++ + static struct device **create_namespace_io(struct nd_region *nd_region) + { + struct nd_namespace_io *nsio; +--- a/drivers/nvdimm/nd-core.h ++++ b/drivers/nvdimm/nd-core.h +@@ -189,4 +189,21 @@ ssize_t nd_namespace_store(struct device + struct nd_namespace_common **_ndns, const char *buf, + size_t len); + struct nd_pfn *to_nd_pfn_safe(struct device *dev); ++#if IS_ENABLED(CONFIG_ND_CLAIM) ++int devm_nsio_enable(struct device *dev, struct nd_namespace_io *nsio, ++ resource_size_t size); ++void devm_nsio_disable(struct device *dev, struct nd_namespace_io *nsio); ++#else ++static inline int devm_nsio_enable(struct device *dev, ++ struct nd_namespace_io *nsio, resource_size_t size) ++{ ++ return -ENXIO; ++} ++ ++static inline void devm_nsio_disable(struct device *dev, ++ struct nd_namespace_io *nsio) ++{ ++} ++#endif ++ + #endif /* __ND_CORE_H__ */ +--- a/drivers/nvdimm/nd.h ++++ b/drivers/nvdimm/nd.h +@@ -219,6 +219,11 @@ struct nd_dax { + struct nd_pfn nd_pfn; + }; + ++static inline u32 nd_info_block_reserve(void) ++{ ++ return ALIGN(SZ_8K, PAGE_SIZE); ++} ++ + enum nd_async_mode { + ND_SYNC, + ND_ASYNC, +@@ -381,25 +386,18 @@ const char *nvdimm_namespace_disk_name(s + unsigned int pmem_sector_size(struct nd_namespace_common *ndns); + void nvdimm_badblocks_populate(struct nd_region *nd_region, + struct badblocks *bb, const struct resource *res); ++int devm_namespace_enable(struct device *dev, struct nd_namespace_common *ndns, ++ resource_size_t size); ++void devm_namespace_disable(struct device *dev, ++ struct nd_namespace_common *ndns); + #if IS_ENABLED(CONFIG_ND_CLAIM) + int nvdimm_setup_pfn(struct nd_pfn *nd_pfn, struct dev_pagemap *pgmap); +-int devm_nsio_enable(struct device *dev, struct nd_namespace_io *nsio); +-void devm_nsio_disable(struct device *dev, struct nd_namespace_io *nsio); + #else + static inline int nvdimm_setup_pfn(struct nd_pfn *nd_pfn, + struct dev_pagemap *pgmap) + { + return -ENXIO; + } +-static inline int devm_nsio_enable(struct device *dev, +- struct nd_namespace_io *nsio) +-{ +- return -ENXIO; +-} +-static inline void devm_nsio_disable(struct device *dev, +- struct nd_namespace_io *nsio) +-{ +-} + #endif + int nd_blk_region_init(struct nd_region *nd_region); + int nd_region_activate(struct nd_region *nd_region); +--- a/drivers/nvdimm/pfn_devs.c ++++ b/drivers/nvdimm/pfn_devs.c +@@ -384,6 +384,15 @@ static int nd_pfn_clear_memmap_errors(st + meta_start = (SZ_4K + sizeof(*pfn_sb)) >> 9; + meta_num = (le64_to_cpu(pfn_sb->dataoff) >> 9) - meta_start; + ++ /* ++ * re-enable the namespace with correct size so that we can access ++ * the device memmap area. ++ */ ++ devm_namespace_disable(&nd_pfn->dev, ndns); ++ rc = devm_namespace_enable(&nd_pfn->dev, ndns, le64_to_cpu(pfn_sb->dataoff)); ++ if (rc) ++ return rc; ++ + do { + unsigned long zero_len; + u64 nsoff; +@@ -581,11 +590,6 @@ int nd_pfn_probe(struct device *dev, str + } + EXPORT_SYMBOL(nd_pfn_probe); + +-static u32 info_block_reserve(void) +-{ +- return ALIGN(SZ_8K, PAGE_SIZE); +-} +- + /* + * We hotplug memory at section granularity, pad the reserved area from + * the previous section base to the namespace base address. +@@ -599,7 +603,7 @@ static unsigned long init_altmap_base(re + + static unsigned long init_altmap_reserve(resource_size_t base) + { +- unsigned long reserve = info_block_reserve() >> PAGE_SHIFT; ++ unsigned long reserve = nd_info_block_reserve() >> PAGE_SHIFT; + unsigned long base_pfn = PHYS_PFN(base); + + reserve += base_pfn - PFN_SECTION_ALIGN_DOWN(base_pfn); +@@ -614,7 +618,7 @@ static int __nvdimm_setup_pfn(struct nd_ + u64 offset = le64_to_cpu(pfn_sb->dataoff); + u32 start_pad = __le32_to_cpu(pfn_sb->start_pad); + u32 end_trunc = __le32_to_cpu(pfn_sb->end_trunc); +- u32 reserve = info_block_reserve(); ++ u32 reserve = nd_info_block_reserve(); + struct nd_namespace_common *ndns = nd_pfn->ndns; + struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev); + resource_size_t base = nsio->res.start + start_pad; +@@ -696,7 +700,7 @@ static int nd_pfn_init(struct nd_pfn *nd + u32 dax_label_reserve = is_nd_dax(&nd_pfn->dev) ? SZ_128K : 0; + struct nd_namespace_common *ndns = nd_pfn->ndns; + struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev); +- u32 start_pad, end_trunc, reserve = info_block_reserve(); ++ u32 start_pad, end_trunc, reserve = nd_info_block_reserve(); + resource_size_t start, size; + struct nd_region *nd_region; + struct nd_pfn_sb *pfn_sb; +--- a/drivers/nvdimm/pmem.c ++++ b/drivers/nvdimm/pmem.c +@@ -367,6 +367,10 @@ static int pmem_attach_disk(struct devic + if (!pmem) + return -ENOMEM; + ++ rc = devm_namespace_enable(dev, ndns, nd_info_block_reserve()); ++ if (rc) ++ return rc; ++ + /* while nsio_rw_bytes is active, parse a pfn info block if present */ + if (is_nd_pfn(dev)) { + nd_pfn = to_nd_pfn(dev); +@@ -376,7 +380,7 @@ static int pmem_attach_disk(struct devic + } + + /* we're attaching a block device, disable raw namespace access */ +- devm_nsio_disable(dev, nsio); ++ devm_namespace_disable(dev, ndns); + + dev_set_drvdata(dev, pmem); + pmem->phys_addr = res->start; +@@ -492,25 +496,30 @@ static int pmem_attach_disk(struct devic + static int nd_pmem_probe(struct device *dev) + { + struct nd_namespace_common *ndns; ++ int ret; + + ndns = nvdimm_namespace_common_probe(dev); + if (IS_ERR(ndns)) + return PTR_ERR(ndns); + +- if (devm_nsio_enable(dev, to_nd_namespace_io(&ndns->dev))) +- return -ENXIO; +- + if (is_nd_btt(dev)) + return nvdimm_namespace_attach_btt(ndns); + + if (is_nd_pfn(dev)) + return pmem_attach_disk(dev, ndns); + ++ ret = devm_namespace_enable(dev, ndns, nd_info_block_reserve()); ++ if (ret) ++ return ret; ++ + /* if we find a valid info-block we'll come back as that personality */ + if (nd_btt_probe(dev, ndns) == 0 || nd_pfn_probe(dev, ndns) == 0 + || nd_dax_probe(dev, ndns) == 0) + return -ENXIO; + ++ /* probe complete, attach handles namespace enabling */ ++ devm_namespace_disable(dev, ndns); ++ + /* ...otherwise we're just a raw pmem device */ + return pmem_attach_disk(dev, ndns); + } +--- a/drivers/dax/pmem/core.c ++++ b/drivers/dax/pmem/core.c +@@ -25,19 +25,19 @@ struct dev_dax *__dax_pmem_probe(struct + ndns = nvdimm_namespace_common_probe(dev); + if (IS_ERR(ndns)) + return ERR_CAST(ndns); +- nsio = to_nd_namespace_io(&ndns->dev); + + /* parse the 'pfn' info block via ->rw_bytes */ +- rc = devm_nsio_enable(dev, nsio); ++ rc = devm_namespace_enable(dev, ndns, nd_info_block_reserve()); + if (rc) + return ERR_PTR(rc); + rc = nvdimm_setup_pfn(nd_pfn, &pgmap); + if (rc) + return ERR_PTR(rc); +- devm_nsio_disable(dev, nsio); ++ devm_namespace_disable(dev, ndns); + + /* reserve the metadata area, device-dax will reserve the data */ + pfn_sb = nd_pfn->pfn_sb; ++ nsio = to_nd_namespace_io(&ndns->dev); + offset = le64_to_cpu(pfn_sb->dataoff); + if (!devm_request_mem_region(dev, nsio->res.start, offset, + dev_name(&ndns->dev))) { diff --git a/patches.suse/libnvdimm-pfn-Account-for-PAGE_SIZE-info-block-size-.patch b/patches.suse/libnvdimm-pfn-Account-for-PAGE_SIZE-info-block-size-.patch new file mode 100644 index 0000000..f587bba --- /dev/null +++ b/patches.suse/libnvdimm-pfn-Account-for-PAGE_SIZE-info-block-size-.patch @@ -0,0 +1,110 @@ +From 11a358109e0c48fa74f27e750dde4d25de4d5fc3 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Wed, 6 Feb 2019 13:04:53 +1100 +Subject: [PATCH] libnvdimm/pfn: Account for PAGE_SIZE > info-block-size in + nd_pfn_init() +References: bsc#1127682 bsc#1153535 ltc#175033 ltc#181834 +Patch-mainline: v5.1-rc1 +Git-commit: 11a358109e0c48fa74f27e750dde4d25de4d5fc3 + +Similar to commit 07464e88365e ("libnvdimm: Fix altmap reservation size +calculation") (bsc#1127682) provide for a reservation of a full page +worth of info block space at info-block establishment time. Typically +there is already slack in the padding from honoring the default 2MB +alignment, but provide for a reservation for corner case configurations +that would otherwise fit. + +Cc: Oliver O'Halloran +Signed-off-by: Dan Williams +Acked-by: Michal Suchanek +--- + drivers/nvdimm/pfn_devs.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/nvdimm/pfn_devs.c b/drivers/nvdimm/pfn_devs.c +index 7760c1b91853..ba74a341da5d 100644 +--- a/drivers/nvdimm/pfn_devs.c ++++ b/drivers/nvdimm/pfn_devs.c +@@ -580,6 +580,11 @@ int nd_pfn_probe(struct device *dev, struct nd_namespace_common *ndns) + } + EXPORT_SYMBOL(nd_pfn_probe); + ++static u32 info_block_reserve(void) ++{ ++ return ALIGN(SZ_8K, PAGE_SIZE); ++} ++ + /* + * We hotplug memory at section granularity, pad the reserved area from + * the previous section base to the namespace base address. +@@ -593,7 +598,7 @@ static unsigned long init_altmap_base(resource_size_t base) + + static unsigned long init_altmap_reserve(resource_size_t base) + { +- unsigned long reserve = PFN_UP(SZ_8K); ++ unsigned long reserve = info_block_reserve() >> PAGE_SHIFT; + unsigned long base_pfn = PHYS_PFN(base); + + reserve += base_pfn - PFN_SECTION_ALIGN_DOWN(base_pfn); +@@ -608,6 +613,7 @@ static int __nvdimm_setup_pfn(struct nd_pfn *nd_pfn, struct dev_pagemap *pgmap) + u64 offset = le64_to_cpu(pfn_sb->dataoff); + u32 start_pad = __le32_to_cpu(pfn_sb->start_pad); + u32 end_trunc = __le32_to_cpu(pfn_sb->end_trunc); ++ u32 reserve = info_block_reserve(); + struct nd_namespace_common *ndns = nd_pfn->ndns; + struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev); + resource_size_t base = nsio->res.start + start_pad; +@@ -621,7 +627,7 @@ static int __nvdimm_setup_pfn(struct nd_pfn *nd_pfn, struct dev_pagemap *pgmap) + res->end -= end_trunc; + + if (nd_pfn->mode == PFN_MODE_RAM) { +- if (offset < SZ_8K) ++ if (offset < reserve) + return -EINVAL; + nd_pfn->npfns = le64_to_cpu(pfn_sb->npfns); + pgmap->altmap_valid = false; +@@ -634,7 +640,7 @@ static int __nvdimm_setup_pfn(struct nd_pfn *nd_pfn, struct dev_pagemap *pgmap) + le64_to_cpu(nd_pfn->pfn_sb->npfns), + nd_pfn->npfns); + memcpy(altmap, &__altmap, sizeof(*altmap)); +- altmap->free = PHYS_PFN(offset - SZ_8K); ++ altmap->free = PHYS_PFN(offset - reserve); + altmap->alloc = 0; + pgmap->altmap_valid = true; + } else +@@ -687,9 +693,9 @@ static int nd_pfn_init(struct nd_pfn *nd_pfn) + u32 dax_label_reserve = is_nd_dax(&nd_pfn->dev) ? SZ_128K : 0; + struct nd_namespace_common *ndns = nd_pfn->ndns; + struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev); ++ u32 start_pad, end_trunc, reserve = info_block_reserve(); + resource_size_t start, size; + struct nd_region *nd_region; +- u32 start_pad, end_trunc; + struct nd_pfn_sb *pfn_sb; + unsigned long npfns; + phys_addr_t offset; +@@ -734,7 +740,7 @@ static int nd_pfn_init(struct nd_pfn *nd_pfn) + */ + start = nsio->res.start + start_pad; + size = resource_size(&nsio->res); +- npfns = PFN_SECTION_ALIGN_UP((size - start_pad - end_trunc - SZ_8K) ++ npfns = PFN_SECTION_ALIGN_UP((size - start_pad - end_trunc - reserve) + / PAGE_SIZE); + if (nd_pfn->mode == PFN_MODE_PMEM) { + /* +@@ -742,10 +748,10 @@ static int nd_pfn_init(struct nd_pfn *nd_pfn) + * when populating the vmemmap. This *should* be equal to + * PMD_SIZE for most architectures. + */ +- offset = ALIGN(start + SZ_8K + 64 * npfns + dax_label_reserve, ++ offset = ALIGN(start + reserve + 64 * npfns + dax_label_reserve, + max(nd_pfn->align, PMD_SIZE)) - start; + } else if (nd_pfn->mode == PFN_MODE_RAM) +- offset = ALIGN(start + SZ_8K + dax_label_reserve, ++ offset = ALIGN(start + reserve + dax_label_reserve, + nd_pfn->align) - start; + else + return -ENXIO; +-- +2.23.0 + diff --git a/patches.suse/livepatch-samples-selftest-use-klp_shadow_alloc-api-correctly.patch b/patches.suse/livepatch-samples-selftest-use-klp_shadow_alloc-api-correctly.patch new file mode 100644 index 0000000..a92c313 --- /dev/null +++ b/patches.suse/livepatch-samples-selftest-use-klp_shadow_alloc-api-correctly.patch @@ -0,0 +1,199 @@ +From: Petr Mladek +Date: Thu, 16 Jan 2020 16:31:44 +0100 +Subject: livepatch/samples/selftest: Use klp_shadow_alloc() API correctly +Git-commit: be6da98425b69388ed31b18bd2497f826116f29b (partial) +Patch-mainline: v5.6-rc1 +References: bsc#1071995 +Patch-filtered: lib/livepatch/ + +The commit e91c2518a5d22a ("livepatch: Initialize shadow variables +safely by a custom callback") leads to the following static checker +warning: + + samples/livepatch/livepatch-shadow-fix1.c:86 livepatch_fix1_dummy_alloc() + error: 'klp_shadow_alloc()' 'leak' too small (4 vs 8) + +It is because klp_shadow_alloc() is used a wrong way: + + int *leak; + shadow_leak = klp_shadow_alloc(d, SV_LEAK, sizeof(leak), GFP_KERNEL, + shadow_leak_ctor, leak); + +The code is supposed to store the "leak" pointer into the shadow variable. +3rd parameter correctly passes size of the data (size of pointer). But +the 5th parameter is wrong. It should pass pointer to the data (pointer +to the pointer) but it passes the pointer directly. + +It works because shadow_leak_ctor() handle "ctor_data" as the data +instead of pointer to the data. But it is semantically wrong and +confusing. + +The same problem is also in the module used by selftests. In this case, +"pvX" variables are introduced. They represent the data stored in +the shadow variables. + +Reported-by: Dan Carpenter +Signed-off-by: Petr Mladek +Reviewed-by: Joe Lawrence +Acked-by: Miroslav Benes +Reviewed-by: Kamalesh Babulal +Signed-off-by: Jiri Kosina +--- + + lib/livepatch/test_klp_shadow_vars.c | 52 ++++++++++++++++++++--------------- + 1 file changed, 30 insertions(+), 22 deletions(-) + +--- a/lib/livepatch/test_klp_shadow_vars.c ++++ b/lib/livepatch/test_klp_shadow_vars.c +@@ -73,13 +73,13 @@ static void *shadow_alloc(void *obj, unsigned long id, size_t size, + gfp_t gfp_flags, klp_shadow_ctor_t ctor, + void *ctor_data) + { +- int *var = ctor_data; ++ int **var = ctor_data; + int **sv; + + sv = klp_shadow_alloc(obj, id, size, gfp_flags, ctor, var); + pr_info("klp_%s(obj=PTR%d, id=0x%lx, size=%zx, gfp_flags=%pGg), ctor=PTR%d, ctor_data=PTR%d = PTR%d\n", + __func__, ptr_id(obj), id, size, &gfp_flags, ptr_id(ctor), +- ptr_id(var), ptr_id(sv)); ++ ptr_id(*var), ptr_id(sv)); + + return sv; + } +@@ -88,13 +88,13 @@ static void *shadow_get_or_alloc(void *obj, unsigned long id, size_t size, + gfp_t gfp_flags, klp_shadow_ctor_t ctor, + void *ctor_data) + { +- int *var = ctor_data; ++ int **var = ctor_data; + int **sv; + + sv = klp_shadow_get_or_alloc(obj, id, size, gfp_flags, ctor, var); + pr_info("klp_%s(obj=PTR%d, id=0x%lx, size=%zx, gfp_flags=%pGg), ctor=PTR%d, ctor_data=PTR%d = PTR%d\n", + __func__, ptr_id(obj), id, size, &gfp_flags, ptr_id(ctor), +- ptr_id(var), ptr_id(sv)); ++ ptr_id(*var), ptr_id(sv)); + + return sv; + } +@@ -118,11 +118,14 @@ static void shadow_free_all(unsigned long id, klp_shadow_dtor_t dtor) + static int shadow_ctor(void *obj, void *shadow_data, void *ctor_data) + { + int **sv = shadow_data; +- int *var = ctor_data; ++ int **var = ctor_data; + +- *sv = var; ++ if (!var) ++ return -EINVAL; ++ ++ *sv = *var; + pr_info("%s: PTR%d -> PTR%d\n", +- __func__, ptr_id(sv), ptr_id(var)); ++ __func__, ptr_id(sv), ptr_id(*var)); + + return 0; + } +@@ -139,19 +142,24 @@ static int test_klp_shadow_vars_init(void) + { + void *obj = THIS_MODULE; + int id = 0x1234; +- size_t size = sizeof(int *); + gfp_t gfp_flags = GFP_KERNEL; + + int var1, var2, var3, var4; ++ int *pv1, *pv2, *pv3, *pv4; + int **sv1, **sv2, **sv3, **sv4; + + int **sv; + ++ pv1 = &var1; ++ pv2 = &var2; ++ pv3 = &var3; ++ pv4 = &var4; ++ + ptr_id(NULL); +- ptr_id(&var1); +- ptr_id(&var2); +- ptr_id(&var3); +- ptr_id(&var4); ++ ptr_id(pv1); ++ ptr_id(pv2); ++ ptr_id(pv3); ++ ptr_id(pv4); + + /* + * With an empty shadow variable hash table, expect not to find +@@ -164,15 +172,15 @@ static int test_klp_shadow_vars_init(void) + /* + * Allocate a few shadow variables with different and . + */ +- sv1 = shadow_alloc(obj, id, size, gfp_flags, shadow_ctor, &var1); ++ sv1 = shadow_alloc(obj, id, sizeof(pv1), gfp_flags, shadow_ctor, &pv1); + if (!sv1) + return -ENOMEM; + +- sv2 = shadow_alloc(obj + 1, id, size, gfp_flags, shadow_ctor, &var2); ++ sv2 = shadow_alloc(obj + 1, id, sizeof(pv2), gfp_flags, shadow_ctor, &pv2); + if (!sv2) + return -ENOMEM; + +- sv3 = shadow_alloc(obj, id + 1, size, gfp_flags, shadow_ctor, &var3); ++ sv3 = shadow_alloc(obj, id + 1, sizeof(pv3), gfp_flags, shadow_ctor, &pv3); + if (!sv3) + return -ENOMEM; + +@@ -183,20 +191,20 @@ static int test_klp_shadow_vars_init(void) + sv = shadow_get(obj, id); + if (!sv) + return -EINVAL; +- if (sv == sv1 && *sv1 == &var1) ++ if (sv == sv1 && *sv1 == pv1) + pr_info(" got expected PTR%d -> PTR%d result\n", + ptr_id(sv1), ptr_id(*sv1)); + + sv = shadow_get(obj + 1, id); + if (!sv) + return -EINVAL; +- if (sv == sv2 && *sv2 == &var2) ++ if (sv == sv2 && *sv2 == pv2) + pr_info(" got expected PTR%d -> PTR%d result\n", + ptr_id(sv2), ptr_id(*sv2)); + sv = shadow_get(obj, id + 1); + if (!sv) + return -EINVAL; +- if (sv == sv3 && *sv3 == &var3) ++ if (sv == sv3 && *sv3 == pv3) + pr_info(" got expected PTR%d -> PTR%d result\n", + ptr_id(sv3), ptr_id(*sv3)); + +@@ -204,14 +212,14 @@ static int test_klp_shadow_vars_init(void) + * Allocate or get a few more, this time with the same , . + * The second invocation should return the same shadow var. + */ +- sv4 = shadow_get_or_alloc(obj + 2, id, size, gfp_flags, shadow_ctor, &var4); ++ sv4 = shadow_get_or_alloc(obj + 2, id, sizeof(pv4), gfp_flags, shadow_ctor, &pv4); + if (!sv4) + return -ENOMEM; + +- sv = shadow_get_or_alloc(obj + 2, id, size, gfp_flags, shadow_ctor, &var4); ++ sv = shadow_get_or_alloc(obj + 2, id, sizeof(pv4), gfp_flags, shadow_ctor, &pv4); + if (!sv) + return -EINVAL; +- if (sv == sv4 && *sv4 == &var4) ++ if (sv == sv4 && *sv4 == pv4) + pr_info(" got expected PTR%d -> PTR%d result\n", + ptr_id(sv4), ptr_id(*sv4)); + +@@ -240,7 +248,7 @@ static int test_klp_shadow_vars_init(void) + sv = shadow_get(obj, id + 1); + if (!sv) + return -EINVAL; +- if (sv == sv3 && *sv3 == &var3) ++ if (sv == sv3 && *sv3 == pv3) + pr_info(" got expected PTR%d -> PTR%d result\n", + ptr_id(sv3), ptr_id(*sv3)); + + + diff --git a/patches.suse/livepatch-selftest-clean-up-shadow-variable-names-and-type.patch b/patches.suse/livepatch-selftest-clean-up-shadow-variable-names-and-type.patch new file mode 100644 index 0000000..afcb19d --- /dev/null +++ b/patches.suse/livepatch-selftest-clean-up-shadow-variable-names-and-type.patch @@ -0,0 +1,225 @@ +From: Petr Mladek +Date: Thu, 16 Jan 2020 16:31:43 +0100 +Subject: livepatch/selftest: Clean up shadow variable names and type +Git-commit: c24c57a4cc8a2f64de32084958920773c0906bc7 +Patch-mainline: v5.6-rc1 +References: bsc#1071995 + +The shadow variable selftest is quite tricky. Especially it is problematic +to understand what values are stored, returned, and printed. + +Make it easier to understand by using "int *var, **sv" variables +consistently everywhere instead of the generic "void *", "ret", +and "ctor_data". + +Signed-off-by: Petr Mladek +Reviewed-by: Joe Lawrence +Acked-by: Miroslav Benes +Reviewed-by: Kamalesh Babulal +Signed-off-by: Jiri Kosina +--- + lib/livepatch/test_klp_shadow_vars.c | 93 ++++++++++++++++++++---------------- + 1 file changed, 52 insertions(+), 41 deletions(-) + +diff --git a/lib/livepatch/test_klp_shadow_vars.c b/lib/livepatch/test_klp_shadow_vars.c +index fe5c413efe96..4e94f46234e8 100644 +--- a/lib/livepatch/test_klp_shadow_vars.c ++++ b/lib/livepatch/test_klp_shadow_vars.c +@@ -60,36 +60,43 @@ static int ptr_id(void *ptr) + */ + static void *shadow_get(void *obj, unsigned long id) + { +- void *ret = klp_shadow_get(obj, id); ++ int **sv; + ++ sv = klp_shadow_get(obj, id); + pr_info("klp_%s(obj=PTR%d, id=0x%lx) = PTR%d\n", +- __func__, ptr_id(obj), id, ptr_id(ret)); ++ __func__, ptr_id(obj), id, ptr_id(sv)); + +- return ret; ++ return sv; + } + + static void *shadow_alloc(void *obj, unsigned long id, size_t size, + gfp_t gfp_flags, klp_shadow_ctor_t ctor, + void *ctor_data) + { +- void *ret = klp_shadow_alloc(obj, id, size, gfp_flags, ctor, +- ctor_data); ++ int *var = ctor_data; ++ int **sv; ++ ++ sv = klp_shadow_alloc(obj, id, size, gfp_flags, ctor, var); + pr_info("klp_%s(obj=PTR%d, id=0x%lx, size=%zx, gfp_flags=%pGg), ctor=PTR%d, ctor_data=PTR%d = PTR%d\n", + __func__, ptr_id(obj), id, size, &gfp_flags, ptr_id(ctor), +- ptr_id(ctor_data), ptr_id(ret)); +- return ret; ++ ptr_id(var), ptr_id(sv)); ++ ++ return sv; + } + + static void *shadow_get_or_alloc(void *obj, unsigned long id, size_t size, + gfp_t gfp_flags, klp_shadow_ctor_t ctor, + void *ctor_data) + { +- void *ret = klp_shadow_get_or_alloc(obj, id, size, gfp_flags, ctor, +- ctor_data); ++ int *var = ctor_data; ++ int **sv; ++ ++ sv = klp_shadow_get_or_alloc(obj, id, size, gfp_flags, ctor, var); + pr_info("klp_%s(obj=PTR%d, id=0x%lx, size=%zx, gfp_flags=%pGg), ctor=PTR%d, ctor_data=PTR%d = PTR%d\n", + __func__, ptr_id(obj), id, size, &gfp_flags, ptr_id(ctor), +- ptr_id(ctor_data), ptr_id(ret)); +- return ret; ++ ptr_id(var), ptr_id(sv)); ++ ++ return sv; + } + + static void shadow_free(void *obj, unsigned long id, klp_shadow_dtor_t dtor) +@@ -110,18 +117,22 @@ static void shadow_free_all(unsigned long id, klp_shadow_dtor_t dtor) + /* Shadow variable constructor - remember simple pointer data */ + static int shadow_ctor(void *obj, void *shadow_data, void *ctor_data) + { +- int **shadow_int = shadow_data; +- *shadow_int = ctor_data; ++ int **sv = shadow_data; ++ int *var = ctor_data; ++ ++ *sv = var; + pr_info("%s: PTR%d -> PTR%d\n", +- __func__, ptr_id(shadow_int), ptr_id(ctor_data)); ++ __func__, ptr_id(sv), ptr_id(var)); + + return 0; + } + + static void shadow_dtor(void *obj, void *shadow_data) + { ++ int **sv = shadow_data; ++ + pr_info("%s(obj=PTR%d, shadow_data=PTR%d)\n", +- __func__, ptr_id(obj), ptr_id(shadow_data)); ++ __func__, ptr_id(obj), ptr_id(sv)); + } + + static int test_klp_shadow_vars_init(void) +@@ -134,7 +145,7 @@ static int test_klp_shadow_vars_init(void) + int var1, var2, var3, var4; + int **sv1, **sv2, **sv3, **sv4; + +- void *ret; ++ int **sv; + + ptr_id(NULL); + ptr_id(&var1); +@@ -146,8 +157,8 @@ static int test_klp_shadow_vars_init(void) + * With an empty shadow variable hash table, expect not to find + * any matches. + */ +- ret = shadow_get(obj, id); +- if (!ret) ++ sv = shadow_get(obj, id); ++ if (!sv) + pr_info(" got expected NULL result\n"); + + /* +@@ -169,23 +180,23 @@ static int test_klp_shadow_vars_init(void) + * Verify we can find our new shadow variables and that they point + * to expected data. + */ +- ret = shadow_get(obj, id); +- if (!ret) ++ sv = shadow_get(obj, id); ++ if (!sv) + return -EINVAL; +- if (ret == sv1 && *sv1 == &var1) ++ if (sv == sv1 && *sv1 == &var1) + pr_info(" got expected PTR%d -> PTR%d result\n", + ptr_id(sv1), ptr_id(*sv1)); + +- ret = shadow_get(obj + 1, id); +- if (!ret) ++ sv = shadow_get(obj + 1, id); ++ if (!sv) + return -EINVAL; +- if (ret == sv2 && *sv2 == &var2) ++ if (sv == sv2 && *sv2 == &var2) + pr_info(" got expected PTR%d -> PTR%d result\n", + ptr_id(sv2), ptr_id(*sv2)); +- ret = shadow_get(obj, id + 1); +- if (!ret) ++ sv = shadow_get(obj, id + 1); ++ if (!sv) + return -EINVAL; +- if (ret == sv3 && *sv3 == &var3) ++ if (sv == sv3 && *sv3 == &var3) + pr_info(" got expected PTR%d -> PTR%d result\n", + ptr_id(sv3), ptr_id(*sv3)); + +@@ -197,10 +208,10 @@ static int test_klp_shadow_vars_init(void) + if (!sv4) + return -ENOMEM; + +- ret = shadow_get_or_alloc(obj + 2, id, size, gfp_flags, shadow_ctor, &var4); +- if (!ret) ++ sv = shadow_get_or_alloc(obj + 2, id, size, gfp_flags, shadow_ctor, &var4); ++ if (!sv) + return -EINVAL; +- if (ret == sv4 && *sv4 == &var4) ++ if (sv == sv4 && *sv4 == &var4) + pr_info(" got expected PTR%d -> PTR%d result\n", + ptr_id(sv4), ptr_id(*sv4)); + +@@ -209,27 +220,27 @@ static int test_klp_shadow_vars_init(void) + * longer find them. + */ + shadow_free(obj, id, shadow_dtor); /* sv1 */ +- ret = shadow_get(obj, id); +- if (!ret) ++ sv = shadow_get(obj, id); ++ if (!sv) + pr_info(" got expected NULL result\n"); + + shadow_free(obj + 1, id, shadow_dtor); /* sv2 */ +- ret = shadow_get(obj + 1, id); +- if (!ret) ++ sv = shadow_get(obj + 1, id); ++ if (!sv) + pr_info(" got expected NULL result\n"); + + shadow_free(obj + 2, id, shadow_dtor); /* sv4 */ +- ret = shadow_get(obj + 2, id); +- if (!ret) ++ sv = shadow_get(obj + 2, id); ++ if (!sv) + pr_info(" got expected NULL result\n"); + + /* + * We should still find an variable. + */ +- ret = shadow_get(obj, id + 1); +- if (!ret) ++ sv = shadow_get(obj, id + 1); ++ if (!sv) + return -EINVAL; +- if (ret == sv3 && *sv3 == &var3) ++ if (sv == sv3 && *sv3 == &var3) + pr_info(" got expected PTR%d -> PTR%d result\n", + ptr_id(sv3), ptr_id(*sv3)); + +@@ -237,8 +248,8 @@ static int test_klp_shadow_vars_init(void) + * Free all the variables, too. + */ + shadow_free_all(id + 1, shadow_dtor); /* sv3 */ +- ret = shadow_get(obj, id); +- if (!ret) ++ sv = shadow_get(obj, id); ++ if (!sv) + pr_info(" shadow_get() got expected NULL result\n"); + + + diff --git a/patches.suse/mac80211-Do-not-send-Layer-2-Update-frame-before-aut.patch b/patches.suse/mac80211-Do-not-send-Layer-2-Update-frame-before-aut.patch new file mode 100644 index 0000000..9d10d73 --- /dev/null +++ b/patches.suse/mac80211-Do-not-send-Layer-2-Update-frame-before-aut.patch @@ -0,0 +1,107 @@ +From 3e493173b7841259a08c5c8e5cbe90adb349da7e Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Wed, 11 Sep 2019 16:03:05 +0300 +Subject: [PATCH] mac80211: Do not send Layer 2 Update frame before authorization +Git-commit: 3e493173b7841259a08c5c8e5cbe90adb349da7e +Patch-mainline: v5.3 +References: bsc#1051510 + +The Layer 2 Update frame is used to update bridges when a station roams +to another AP even if that STA does not transmit any frames after the +reassociation. This behavior was described in IEEE Std 802.11F-2003 as +something that would happen based on MLME-ASSOCIATE.indication, i.e., +before completing 4-way handshake. However, this IEEE trial-use +recommended practice document was published before RSN (IEEE Std +802.11i-2004) and as such, did not consider RSN use cases. Furthermore, +IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been +maintained amd should not be used anymore. + +Sending out the Layer 2 Update frame immediately after association is +fine for open networks (and also when using SAE, FT protocol, or FILS +authentication when the station is actually authenticated by the time +association completes). However, it is not appropriate for cases where +RSN is used with PSK or EAP authentication since the station is actually +fully authenticated only once the 4-way handshake completes after +authentication and attackers might be able to use the unauthenticated +triggering of Layer 2 Update frame transmission to disrupt bridge +behavior. + +Fix this by postponing transmission of the Layer 2 Update frame from +station entry addition to the point when the station entry is marked +authorized. Similarly, send out the VLAN binding update only if the STA +entry has already been authorized. + +Signed-off-by: Jouni Malinen +Reviewed-by: Johannes Berg +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + net/mac80211/cfg.c | 14 ++++---------- + net/mac80211/sta_info.c | 4 ++++ + 2 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 111c400199ec..4105c97c7ba1 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1529,7 +1529,6 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev, + struct sta_info *sta; + struct ieee80211_sub_if_data *sdata; + int err; +- int layer2_update; + + if (params->vlan) { + sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan); +@@ -1573,18 +1572,12 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev, + test_sta_flag(sta, WLAN_STA_ASSOC)) + rate_control_rate_init(sta); + +- layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN || +- sdata->vif.type == NL80211_IFTYPE_AP; +- + err = sta_info_insert_rcu(sta); + if (err) { + rcu_read_unlock(); + return err; + } + +- if (layer2_update) +- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); +- + rcu_read_unlock(); + + return 0; +@@ -1682,10 +1675,11 @@ static int ieee80211_change_station(struct wiphy *wiphy, + sta->sdata = vlansdata; + ieee80211_check_fast_xmit(sta); + +- if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) ++ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) { + ieee80211_vif_inc_num_mcast(sta->sdata); +- +- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); ++ cfg80211_send_layer2_update(sta->sdata->dev, ++ sta->sta.addr); ++ } + } + + err = sta_apply_parameters(local, sta, params); +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 95eb8220e2e4..5fb368cc2633 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1979,6 +1979,10 @@ int sta_info_move_state(struct sta_info *sta, + ieee80211_check_fast_xmit(sta); + ieee80211_check_fast_rx(sta); + } ++ if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN || ++ sta->sdata->vif.type == NL80211_IFTYPE_AP) ++ cfg80211_send_layer2_update(sta->sdata->dev, ++ sta->sta.addr); + break; + default: + break; +-- +2.16.4 + diff --git a/patches.suse/mac80211-Fix-TKIP-replay-protection-immediately-afte.patch b/patches.suse/mac80211-Fix-TKIP-replay-protection-immediately-afte.patch new file mode 100644 index 0000000..e903ca8 --- /dev/null +++ b/patches.suse/mac80211-Fix-TKIP-replay-protection-immediately-afte.patch @@ -0,0 +1,64 @@ +From 6f601265215a421f425ba3a4850a35861d024643 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 7 Jan 2020 17:35:45 +0200 +Subject: [PATCH] mac80211: Fix TKIP replay protection immediately after key setup +Git-commit: 6f601265215a421f425ba3a4850a35861d024643 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +TKIP replay protection was skipped for the very first frame received +after a new key is configured. While this is potentially needed to avoid +dropping a frame in some cases, this does leave a window for replay +attacks with group-addressed frames at the station side. Any earlier +frame sent by the AP using the same key would be accepted as a valid +frame and the internal RSC would then be updated to the TSC from that +frame. This would allow multiple previously transmitted group-addressed +frames to be replayed until the next valid new group-addressed frame +from the AP is received by the station. + +Fix this by limiting the no-replay-protection exception to apply only +for the case where TSC=0, i.e., when this is for the very first frame +protected using the new key, and the local RSC had not been set to a +higher value when configuring the key (which may happen with GTK). + +Signed-off-by: Jouni Malinen +Link: https://lore.kernel.org/r/20200107153545.10934-1-j@w1.fi +Signed-off-by: Johannes Berg +Acked-by: Takashi Iwai + +--- + net/mac80211/tkip.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/tkip.c b/net/mac80211/tkip.c +index 727dc9f3f3b3..e7f57bb18f6e 100644 +--- a/net/mac80211/tkip.c ++++ b/net/mac80211/tkip.c +@@ -263,9 +263,21 @@ int ieee80211_tkip_decrypt_data(struct arc4_ctx *ctx, + if ((keyid >> 6) != key->conf.keyidx) + return TKIP_DECRYPT_INVALID_KEYIDX; + +- if (rx_ctx->ctx.state != TKIP_STATE_NOT_INIT && +- (iv32 < rx_ctx->iv32 || +- (iv32 == rx_ctx->iv32 && iv16 <= rx_ctx->iv16))) ++ /* Reject replays if the received TSC is smaller than or equal to the ++ * last received value in a valid message, but with an exception for ++ * the case where a new key has been set and no valid frame using that ++ * key has yet received and the local RSC was initialized to 0. This ++ * exception allows the very first frame sent by the transmitter to be ++ * accepted even if that transmitter were to use TSC 0 (IEEE 802.11 ++ * described TSC to be initialized to 1 whenever a new key is taken into ++ * use). ++ */ ++ if (iv32 < rx_ctx->iv32 || ++ (iv32 == rx_ctx->iv32 && ++ (iv16 < rx_ctx->iv16 || ++ (iv16 == rx_ctx->iv16 && ++ (rx_ctx->iv32 || rx_ctx->iv16 || ++ rx_ctx->ctx.state != TKIP_STATE_NOT_INIT))))) + return TKIP_DECRYPT_REPLAY; + + if (only_iv) { +-- +2.16.4 + diff --git a/patches.suse/mac80211-fix-ieee80211_txq_setup_flows-failure-path.patch b/patches.suse/mac80211-fix-ieee80211_txq_setup_flows-failure-path.patch new file mode 100644 index 0000000..f24d412 --- /dev/null +++ b/patches.suse/mac80211-fix-ieee80211_txq_setup_flows-failure-path.patch @@ -0,0 +1,37 @@ +From 6dd47d9754ff0589715054b11294771f2c9a16ac Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 5 Nov 2019 15:41:11 +0100 +Subject: [PATCH] mac80211: fix ieee80211_txq_setup_flows() failure path +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 6dd47d9754ff0589715054b11294771f2c9a16ac +Patch-mainline: v5.4-rc7 +References: bsc#1111666 + +If ieee80211_txq_setup_flows() fails, we don't clean up LED +state properly, leading to crashes later on, fix that. + +Fixes: dc8b274f0952 ("mac80211: Move up init of TXQs") +Signed-off-by: Johannes Berg +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20191105154110.1ccf7112ba5d.I0ba865792446d051867b33153be65ce6b063d98c@changeid +Acked-by: Takashi Iwai + +--- + net/mac80211/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1196,9 +1196,9 @@ int ieee80211_register_hw(struct ieee802 + ieee80211_remove_interfaces(local); + fail_rate: + rtnl_unlock(); +- ieee80211_led_exit(local); + ieee80211_wep_free(local); + fail_flows: ++ ieee80211_led_exit(local); + destroy_workqueue(local->workqueue); + fail_workqueue: + wiphy_unregister(local->hw.wiphy); diff --git a/patches.suse/mac80211-mesh-restrict-airtime-metric-to-peered-esta.patch b/patches.suse/mac80211-mesh-restrict-airtime-metric-to-peered-esta.patch new file mode 100644 index 0000000..8eae77c --- /dev/null +++ b/patches.suse/mac80211-mesh-restrict-airtime-metric-to-peered-esta.patch @@ -0,0 +1,56 @@ +From 02a614499600af836137c3fbc4404cd96365fff2 Mon Sep 17 00:00:00 2001 +From: Markus Theil +Date: Tue, 3 Dec 2019 19:06:44 +0100 +Subject: [PATCH] mac80211: mesh: restrict airtime metric to peered established plinks +Git-commit: 02a614499600af836137c3fbc4404cd96365fff2 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +The following warning is triggered every time an unestablished mesh peer +gets dumped. Checks if a peer link is established before retrieving the +airtime link metric. + +[ 9563.022567] WARNING: CPU: 0 PID: 6287 at net/mac80211/mesh_hwmp.c:345 + airtime_link_metric_get+0xa2/0xb0 [mac80211] +[ 9563.022697] Hardware name: PC Engines apu2/apu2, BIOS v4.10.0.3 +[ 9563.022756] RIP: 0010:airtime_link_metric_get+0xa2/0xb0 [mac80211] +[ 9563.022838] Call Trace: +[ 9563.022897] sta_set_sinfo+0x936/0xa10 [mac80211] +[ 9563.022964] ieee80211_dump_station+0x6d/0x90 [mac80211] +[ 9563.023062] nl80211_dump_station+0x154/0x2a0 [cfg80211] +[ 9563.023120] netlink_dump+0x17b/0x370 +[ 9563.023130] netlink_recvmsg+0x2a4/0x480 +[ 9563.023140] ____sys_recvmsg+0xa6/0x160 +[ 9563.023154] ___sys_recvmsg+0x93/0xe0 +[ 9563.023169] __sys_recvmsg+0x7e/0xd0 +[ 9563.023210] do_syscall_64+0x4e/0x140 +[ 9563.023217] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Markus Theil +Link: https://lore.kernel.org/r/20191203180644.70653-1-markus.theil@tu-ilmenau.de +[rewrite commit message] + +Signed-off-by: Johannes Berg +Acked-by: Takashi Iwai + +--- + net/mac80211/mesh_hwmp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c +index 68af62306385..d69983370381 100644 +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -328,6 +328,9 @@ u32 airtime_link_metric_get(struct ieee80211_local *local, + unsigned long fail_avg = + ewma_mesh_fail_avg_read(&sta->mesh->fail_avg); + ++ if (sta->mesh->plink_state != NL80211_PLINK_ESTAB) ++ return MAX_METRIC; ++ + /* Try to get rate based on HW/SW RC algorithm. + * Rate is returned in units of Kbps, correct this + * to comply with airtime calculation units +-- +2.16.4 + diff --git a/patches.suse/macvlan-do-not-assume-mac_header-is-set-in-macvlan_b.patch b/patches.suse/macvlan-do-not-assume-mac_header-is-set-in-macvlan_b.patch new file mode 100644 index 0000000..d2d1847 --- /dev/null +++ b/patches.suse/macvlan-do-not-assume-mac_header-is-set-in-macvlan_b.patch @@ -0,0 +1,174 @@ +From 96cc4b69581db68efc9749ef32e9cf8e0160c509 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 6 Jan 2020 12:30:48 -0800 +Subject: [PATCH] macvlan: do not assume mac_header is set in macvlan_broadcast() +Git-commit: 96cc4b69581db68efc9749ef32e9cf8e0160c509 +Patch-mainline: v5.5-rc6 +References: bsc#1051510 + +Use of eth_hdr() in tx path is error prone. + +Many drivers call skb_reset_mac_header() before using it, +but others do not. + +Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()") +attempted to fix this generically, but commit d346a3fae3ff +("packet: introduce PACKET_QDISC_BYPASS socket option") brought +back the macvlan bug. + +Lets add a new helper, so that tx paths no longer have +to call skb_reset_mac_header() only to get a pointer +to skb->data. + +Hopefully we will be able to revert 6d1ccff62780 +("net: reset mac header in dev_start_xmit()") and save few cycles +in transmit fast path. + +Bug: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] +Bug: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline] +Bug: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 +Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579 + +Cpu: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 + __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:639 + __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145 + __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] + mc_hash drivers/net/macvlan.c:251 [inline] + macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 + macvlan_queue_xmit drivers/net/macvlan.c:520 [inline] + macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559 + __netdev_start_xmit include/linux/netdevice.h:4447 [inline] + netdev_start_xmit include/linux/netdevice.h:4461 [inline] + dev_direct_xmit+0x419/0x630 net/core/dev.c:4079 + packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240 + packet_snd net/packet/af_packet.c:2966 [inline] + packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:659 + __sys_sendto+0x262/0x380 net/socket.c:1985 + __do_sys_sendto net/socket.c:1997 [inline] + __se_sys_sendto net/socket.c:1993 [inline] + __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +Rip: 0033:0x442639 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +Rsp: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +Rax: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639 +Rdx: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003 +Rbp: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000 + +Allocated by task 9389: + save_stack+0x23/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc mm/kasan/common.c:513 [inline] + __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 + __do_kmalloc mm/slab.c:3656 [inline] + __kmalloc+0x163/0x770 mm/slab.c:3665 + kmalloc include/linux/slab.h:561 [inline] + tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252 + tomoyo_get_realpath security/tomoyo/file.c:151 [inline] + tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 + tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 + security_inode_getattr+0xf2/0x150 security/security.c:1222 + vfs_getattr+0x25/0x70 fs/stat.c:115 + vfs_statx_fd+0x71/0xc0 fs/stat.c:145 + vfs_fstat include/linux/fs.h:3265 [inline] + __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 + __se_sys_newfstat fs/stat.c:375 [inline] + __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 9389: + save_stack+0x23/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:335 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 + __cache_free mm/slab.c:3426 [inline] + kfree+0x10a/0x2c0 mm/slab.c:3757 + tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289 + tomoyo_get_realpath security/tomoyo/file.c:151 [inline] + tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 + tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 + security_inode_getattr+0xf2/0x150 security/security.c:1222 + vfs_getattr+0x25/0x70 fs/stat.c:115 + vfs_statx_fd+0x71/0xc0 fs/stat.c:145 + vfs_fstat include/linux/fs.h:3265 [inline] + __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 + __se_sys_newfstat fs/stat.c:375 [inline] + __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8880a4932000 + which belongs to the cache kmalloc-4k of size 4096 +The buggy address is located 1025 bytes inside of + 4096-byte region [ffff8880a4932000, ffff8880a4933000) +The buggy address belongs to the page: +page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 +Raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000 +Raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: b863ceb7ddce ("[NET]: Add macvlan driver") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/macvlan.c | 2 +- + include/linux/if_ether.h | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 05631d97eeb4..747c0542a53c 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -259,7 +259,7 @@ static void macvlan_broadcast(struct sk_buff *skb, + struct net_device *src, + enum macvlan_mode mode) + { +- const struct ethhdr *eth = eth_hdr(skb); ++ const struct ethhdr *eth = skb_eth_hdr(skb); + const struct macvlan_dev *vlan; + struct sk_buff *nskb; + unsigned int i; +diff --git a/include/linux/if_ether.h b/include/linux/if_ether.h +index 76cf11e905e1..8a9792a6427a 100644 +--- a/include/linux/if_ether.h ++++ b/include/linux/if_ether.h +@@ -24,6 +24,14 @@ static inline struct ethhdr *eth_hdr(const struct sk_buff *skb) + return (struct ethhdr *)skb_mac_header(skb); + } + ++/* Prefer this version in TX path, instead of ++ * skb_reset_mac_header() + eth_hdr() ++ */ ++static inline struct ethhdr *skb_eth_hdr(const struct sk_buff *skb) ++{ ++ return (struct ethhdr *)skb->data; ++} ++ + static inline struct ethhdr *inner_eth_hdr(const struct sk_buff *skb) + { + return (struct ethhdr *)skb_inner_mac_header(skb); +-- +2.16.4 + diff --git a/patches.suse/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch b/patches.suse/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch new file mode 100644 index 0000000..c5dcf08 --- /dev/null +++ b/patches.suse/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch @@ -0,0 +1,54 @@ +From 1712b2fff8c682d145c7889d2290696647d82dab Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 14 Jan 2020 13:00:35 -0800 +Subject: [PATCH] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() +Git-commit: 1712b2fff8c682d145c7889d2290696647d82dab +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +I missed the fact that macvlan_broadcast() can be used both +in RX and TX. + +skb_eth_hdr() makes only sense in TX paths, so we can not +use it blindly in macvlan_broadcast() + +Fixes: 96cc4b69581d ("macvlan: do not assume mac_header is set in macvlan_broadcast()") +Signed-off-by: Eric Dumazet +Reported-by: Jurgen Van Ham +Tested-by: Matteo Croce +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/macvlan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 747c0542a53c..c5bf61565726 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -259,7 +259,7 @@ static void macvlan_broadcast(struct sk_buff *skb, + struct net_device *src, + enum macvlan_mode mode) + { +- const struct ethhdr *eth = skb_eth_hdr(skb); ++ const struct ethhdr *eth = eth_hdr(skb); + const struct macvlan_dev *vlan; + struct sk_buff *nskb; + unsigned int i; +@@ -513,10 +513,11 @@ static int macvlan_queue_xmit(struct sk_buff *skb, struct net_device *dev) + const struct macvlan_dev *dest; + + if (vlan->mode == MACVLAN_MODE_BRIDGE) { +- const struct ethhdr *eth = (void *)skb->data; ++ const struct ethhdr *eth = skb_eth_hdr(skb); + + /* send to other bridge ports directly */ + if (is_multicast_ether_addr(eth->h_dest)) { ++ skb_reset_mac_header(skb); + macvlan_broadcast(skb, port, dev, MACVLAN_MODE_BRIDGE); + goto xmit_world; + } +-- +2.16.4 + diff --git a/patches.suse/md-raid0-fix-buffer-overflow-at-debug-print.patch b/patches.suse/md-raid0-fix-buffer-overflow-at-debug-print.patch new file mode 100644 index 0000000..f77ac05 --- /dev/null +++ b/patches.suse/md-raid0-fix-buffer-overflow-at-debug-print.patch @@ -0,0 +1,39 @@ +From f68334a85ee9120678c06a8da4a1711be7be86a2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 18 Feb 2020 09:22:08 +0100 +Subject: [PATCH] md/raid0: Fix buffer overflow at debug print +Patch-mainline: Not yet, waiting for patch author posting upstream +References: bsc#1164051 + +The debug print text in dump_zones() is formatted via a loop of +snprintf(). Since snprintf() returns the number of would-be-printed +characters, not the actually output, the length calculation in the +loop overflows the actual buffer size, which leads to a WARNING in +vsnprintf(). + +Replace snprintf() with scnprintf() to calculate properly with the +actual output size. + +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Coly Li +--- + drivers/md/raid0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c +index 322386ff5d22..3e16be05b98f 100644 +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -63,7 +63,7 @@ static void dump_zones(struct mddev *mddev) + int len = 0; + + for (k = 0; k < conf->strip_zone[j].nb_dev; k++) +- len += snprintf(line+len, 200-len, "%s%s", k?"/":"", ++ len += scnprintf(line+len, 200-len, "%s%s", k?"/":"", + bdevname(conf->devlist[j*raid_disks + + k]->bdev, b)); + pr_debug("md: zone%d=[%s]\n", j, line); +-- +2.16.4 + diff --git a/patches.suse/media-af9005-uninitialized-variable-printked.patch b/patches.suse/media-af9005-uninitialized-variable-printked.patch new file mode 100644 index 0000000..9091b5c --- /dev/null +++ b/patches.suse/media-af9005-uninitialized-variable-printked.patch @@ -0,0 +1,35 @@ +From 51d0c99b391f0cac61ad7b827c26f549ee55672c Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sun, 10 Nov 2019 11:15:37 +0100 +Subject: [PATCH] media: af9005: uninitialized variable printked +Git-commit: 51d0c99b391f0cac61ad7b827c26f549ee55672c +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +If usb_bulk_msg() fails, actual_length can be uninitialized. + +Reported-by: syzbot+9d42b7773d2fecd983ab@syzkaller.appspotmail.com +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/dvb-usb/af9005.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/af9005.c b/drivers/media/usb/dvb-usb/af9005.c +index ac93e88d7038..89b4b5d84cdf 100644 +--- a/drivers/media/usb/dvb-usb/af9005.c ++++ b/drivers/media/usb/dvb-usb/af9005.c +@@ -554,7 +554,7 @@ static int af9005_boot_packet(struct usb_device *udev, int type, u8 *reply, + u8 *buf, int size) + { + u16 checksum; +- int act_len, i, ret; ++ int act_len = 0, i, ret; + + memset(buf, 0, size); + buf[0] = (u8) (FW_BULKOUT_SIZE & 0xff); +-- +2.16.4 + diff --git a/patches.suse/media-digitv-don-t-continue-if-remote-control-state-.patch b/patches.suse/media-digitv-don-t-continue-if-remote-control-state-.patch new file mode 100644 index 0000000..10aba79 --- /dev/null +++ b/patches.suse/media-digitv-don-t-continue-if-remote-control-state-.patch @@ -0,0 +1,52 @@ +From eecc70d22ae51225de1ef629c1159f7116476b2e Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sun, 10 Nov 2019 11:04:40 +0100 +Subject: [PATCH] media: digitv: don't continue if remote control state can't be read +Git-commit: eecc70d22ae51225de1ef629c1159f7116476b2e +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +This results in an uninitialized variable read. + +Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/dvb-usb/digitv.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c +index dd5bb230cec1..99a39339d45d 100644 +--- a/drivers/media/usb/dvb-usb/digitv.c ++++ b/drivers/media/usb/dvb-usb/digitv.c +@@ -230,18 +230,22 @@ static struct rc_map_table rc_map_digitv_table[] = { + + static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state) + { +- int i; ++ int ret, i; + u8 key[5]; + u8 b[4] = { 0 }; + + *event = 0; + *state = REMOTE_NO_KEY_PRESSED; + +- digitv_ctrl_msg(d,USB_READ_REMOTE,0,NULL,0,&key[1],4); ++ ret = digitv_ctrl_msg(d, USB_READ_REMOTE, 0, NULL, 0, &key[1], 4); ++ if (ret) ++ return ret; + + /* Tell the device we've read the remote. Not sure how necessary + this is, but the Nebula SDK does it. */ +- digitv_ctrl_msg(d,USB_WRITE_REMOTE,0,b,4,NULL,0); ++ ret = digitv_ctrl_msg(d, USB_WRITE_REMOTE, 0, b, 4, NULL, 0); ++ if (ret) ++ return ret; + + /* if something is inside the buffer, simulate key press */ + if (key[1] != 0) +-- +2.16.4 + diff --git a/patches.suse/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch b/patches.suse/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch new file mode 100644 index 0000000..cdd441f --- /dev/null +++ b/patches.suse/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch @@ -0,0 +1,42 @@ +From 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 12 Nov 2019 10:22:28 +0100 +Subject: [PATCH] media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 +Git-commit: 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +This fixes a syzbot failure since actlen could be uninitialized, +but it was still used. + +Syzbot link: + +https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1 + +Reported-and-tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com + +Signed-off-by: Hans Verkuil +Acked-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/dvb-usb/dvb-usb-urb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/dvb-usb-urb.c b/drivers/media/usb/dvb-usb/dvb-usb-urb.c +index c1b4e94a37f8..2aabf90d8697 100644 +--- a/drivers/media/usb/dvb-usb/dvb-usb-urb.c ++++ b/drivers/media/usb/dvb-usb/dvb-usb-urb.c +@@ -12,7 +12,7 @@ + int dvb_usb_generic_rw(struct dvb_usb_device *d, u8 *wbuf, u16 wlen, u8 *rbuf, + u16 rlen, int delay_ms) + { +- int actlen,ret = -ENOMEM; ++ int actlen = 0, ret = -ENOMEM; + + if (!d || wbuf == NULL || wlen == 0) + return -EINVAL; +-- +2.16.4 + diff --git a/patches.suse/media-gspca-zero-usb_buf.patch b/patches.suse/media-gspca-zero-usb_buf.patch new file mode 100644 index 0000000..3a92bda --- /dev/null +++ b/patches.suse/media-gspca-zero-usb_buf.patch @@ -0,0 +1,46 @@ +From de89d0864f66c2a1b75becfdd6bf3793c07ce870 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 12 Nov 2019 10:22:24 +0100 +Subject: [PATCH] media: gspca: zero usb_buf +Git-commit: de89d0864f66c2a1b75becfdd6bf3793c07ce870 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Allocate gspca_dev->usb_buf with kzalloc instead of kmalloc to +ensure it is property zeroed. This fixes various syzbot errors +about uninitialized data. + +Syzbot links: + +https://syzkaller.appspot.com/bug?extid=32310fc2aea76898d074 +https://syzkaller.appspot.com/bug?extid=99706d6390be1ac542a2 +https://syzkaller.appspot.com/bug?extid=64437af5c781a7f0e08e + +Reported-and-tested-by: syzbot+32310fc2aea76898d074@syzkaller.appspotmail.com +Reported-and-tested-by: syzbot+99706d6390be1ac542a2@syzkaller.appspotmail.com +Reported-and-tested-by: syzbot+64437af5c781a7f0e08e@syzkaller.appspotmail.com + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/gspca/gspca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c +index 4add2b12d330..c1b307bbe540 100644 +--- a/drivers/media/usb/gspca/gspca.c ++++ b/drivers/media/usb/gspca/gspca.c +@@ -1461,7 +1461,7 @@ int gspca_dev_probe2(struct usb_interface *intf, + pr_err("couldn't kzalloc gspca struct\n"); + return -ENOMEM; + } +- gspca_dev->usb_buf = kmalloc(USB_BUF_SZ, GFP_KERNEL); ++ gspca_dev->usb_buf = kzalloc(USB_BUF_SZ, GFP_KERNEL); + if (!gspca_dev->usb_buf) { + pr_err("out of memory\n"); + ret = -ENOMEM; +-- +2.16.4 + diff --git a/patches.suse/media-iguanair-fix-endpoint-sanity-check.patch b/patches.suse/media-iguanair-fix-endpoint-sanity-check.patch new file mode 100644 index 0000000..6820833 --- /dev/null +++ b/patches.suse/media-iguanair-fix-endpoint-sanity-check.patch @@ -0,0 +1,44 @@ +From 1b257870a78b0a9ce98fdfb052c58542022ffb5b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 3 Jan 2020 17:35:13 +0100 +Subject: [PATCH] media: iguanair: fix endpoint sanity check +Git-commit: 1b257870a78b0a9ce98fdfb052c58542022ffb5b +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Make sure to use the current alternate setting, which need not be the +first one by index, when verifying the endpoint descriptors and +initialising the URBs. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 26ff63137c45 ("[media] Add support for the IguanaWorks USB IR Transceiver") +Fixes: ab1cbdf159be ("media: iguanair: add sanity checks") +Cc: stable # 3.6 +Cc: Oliver Neukum +Signed-off-by: Johan Hovold +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/rc/iguanair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c +index 872d6441e512..a7deca1fefb7 100644 +--- a/drivers/media/rc/iguanair.c ++++ b/drivers/media/rc/iguanair.c +@@ -413,7 +413,7 @@ static int iguanair_probe(struct usb_interface *intf, + int ret, pipein, pipeout; + struct usb_host_interface *idesc; + +- idesc = intf->altsetting; ++ idesc = intf->cur_altsetting; + if (idesc->desc.bNumEndpoints < 2) + return -ENODEV; + +-- +2.16.4 + diff --git a/patches.suse/media-uvcvideo-Avoid-cyclic-entity-chains-due-to-mal.patch b/patches.suse/media-uvcvideo-Avoid-cyclic-entity-chains-due-to-mal.patch new file mode 100644 index 0000000..81d3cc1 --- /dev/null +++ b/patches.suse/media-uvcvideo-Avoid-cyclic-entity-chains-due-to-mal.patch @@ -0,0 +1,118 @@ +From 68035c80e129c4cfec659aac4180354530b26527 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 8 Nov 2019 16:48:38 +0100 +Subject: [PATCH] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors +Git-commit: 68035c80e129c4cfec659aac4180354530b26527 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked +up the following WARNING from the UVC chain scanning code: + + | list_add double add: new=ffff880069084010, prev=ffff880069084010, + | next=ffff880067d22298. + | ------------[ cut here ]------------ + | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0 + | Modules linked in: + | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted + | 4.14.0-rc2-42613-g1488251d1a98 #238 + | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + | Workqueue: usb_hub_wq hub_event + | task: ffff88006b01ca40 task.stack: ffff880064358000 + | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29 + | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286 + | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000 + | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac + | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000 + | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010 + | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0 + | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000 + | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0 + | Call Trace: + | __list_add ./include/linux/list.h:59 + | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92 + | uvc_scan_chain_forward.isra.8+0x373/0x416 + | drivers/media/usb/uvc/uvc_driver.c:1471 + | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585 + | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769 + | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104 + +Looking into the output from usbmon, the interesting part is the +following data packet: + + ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080 + 00090403 00000e01 00000924 03000103 7c003328 010204db + +If we drop the lead configuration and interface descriptors, we're left +with an output terminal descriptor describing a generic display: + + /* Output terminal descriptor */ + buf[0] 09 + buf[1] 24 + buf[2] 03 /* UVC_VC_OUTPUT_TERMINAL */ + buf[3] 00 /* ID */ + buf[4] 01 /* type == 0x0301 (UVC_OTT_DISPLAY) */ + buf[5] 03 + buf[6] 7c + buf[7] 00 /* source ID refers to self! */ + buf[8] 33 + +The problem with this descriptor is that it is self-referential: the +source ID of 0 matches itself! This causes the 'struct uvc_entity' +representing the display to be added to its chain list twice during +'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is +processed directly from the 'dev->entities' list and then again +immediately afterwards when trying to follow the source ID in +'uvc_scan_chain_forward()' + +Add a check before adding an entity to a chain list to ensure that the +entity is not already part of a chain. + +Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/ + +Cc: +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Reported-by: Andrey Konovalov +Signed-off-by: Will Deacon +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/uvc/uvc_driver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 428235ca2635..2b688cc39bb8 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -1493,6 +1493,11 @@ static int uvc_scan_chain_forward(struct uvc_video_chain *chain, + break; + if (forward == prev) + continue; ++ if (forward->chain.next || forward->chain.prev) { ++ uvc_trace(UVC_TRACE_DESCR, "Found reference to " ++ "entity %d already in chain.\n", forward->id); ++ return -EINVAL; ++ } + + switch (UVC_ENTITY_TYPE(forward)) { + case UVC_VC_EXTENSION_UNIT: +@@ -1574,6 +1579,13 @@ static int uvc_scan_chain_backward(struct uvc_video_chain *chain, + return -1; + } + ++ if (term->chain.next || term->chain.prev) { ++ uvc_trace(UVC_TRACE_DESCR, "Found reference to " ++ "entity %d already in chain.\n", ++ term->id); ++ return -EINVAL; ++ } ++ + if (uvc_trace_param & UVC_TRACE_PROBE) + printk(KERN_CONT " %d", term->id); + +-- +2.16.4 + diff --git a/patches.suse/media-v4l2-core-set-pages-dirty-upon-releasing-DMA-b.patch b/patches.suse/media-v4l2-core-set-pages-dirty-upon-releasing-DMA-b.patch new file mode 100644 index 0000000..e5977bc --- /dev/null +++ b/patches.suse/media-v4l2-core-set-pages-dirty-upon-releasing-DMA-b.patch @@ -0,0 +1,68 @@ +From 3c7470b6f68434acae459482ab920d1e3fabd1c7 Mon Sep 17 00:00:00 2001 +From: John Hubbard +Date: Thu, 30 Jan 2020 22:12:50 -0800 +Subject: [PATCH] media/v4l2-core: set pages dirty upon releasing DMA buffers +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 3c7470b6f68434acae459482ab920d1e3fabd1c7 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +After DMA is complete, and the device and CPU caches are synchronized, +it's still required to mark the CPU pages as dirty, if the data was +coming from the device. However, this driver was just issuing a bare +put_page() call, without any set_page_dirty*() call. + +Fix the problem, by calling set_page_dirty_lock() if the CPU pages were +potentially receiving data from the device. + +Link: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com +Signed-off-by: John Hubbard +Reviewed-by: Christoph Hellwig +Acked-by: Hans Verkuil +Cc: Mauro Carvalho Chehab +Cc: +Cc: Alex Williamson +Cc: Aneesh Kumar K.V +Cc: Björn Töpel +Cc: Daniel Vetter +Cc: Dan Williams +Cc: Ira Weiny +Cc: Jan Kara +Cc: Jason Gunthorpe +Cc: Jason Gunthorpe +Cc: Jens Axboe +Cc: Jerome Glisse +Cc: Jonathan Corbet +Cc: Kirill A. Shutemov +Cc: Leon Romanovsky +Cc: Mike Rapoport +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + drivers/media/v4l2-core/videobuf-dma-sg.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/v4l2-core/videobuf-dma-sg.c b/drivers/media/v4l2-core/videobuf-dma-sg.c +index 66a6c6c236a7..28262190c3ab 100644 +--- a/drivers/media/v4l2-core/videobuf-dma-sg.c ++++ b/drivers/media/v4l2-core/videobuf-dma-sg.c +@@ -349,8 +349,11 @@ int videobuf_dma_free(struct videobuf_dmabuf *dma) + BUG_ON(dma->sglen); + + if (dma->pages) { +- for (i = 0; i < dma->nr_pages; i++) ++ for (i = 0; i < dma->nr_pages; i++) { ++ if (dma->direction == DMA_FROM_DEVICE) ++ set_page_dirty_lock(dma->pages[i]); + put_page(dma->pages[i]); ++ } + kfree(dma->pages); + dma->pages = NULL; + } +-- +2.16.4 + diff --git a/patches.suse/media-v4l2-ioctl.c-zero-reserved-fields-for-S-TRY_FM.patch b/patches.suse/media-v4l2-ioctl.c-zero-reserved-fields-for-S-TRY_FM.patch new file mode 100644 index 0000000..a7f885b --- /dev/null +++ b/patches.suse/media-v4l2-ioctl.c-zero-reserved-fields-for-S-TRY_FM.patch @@ -0,0 +1,112 @@ +From ee8951e56c0f960b9621636603a822811cef3158 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Sun, 10 Nov 2019 07:27:04 +0100 +Subject: [PATCH] media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT +Git-commit: ee8951e56c0f960b9621636603a822811cef3158 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +v4l2_vbi_format, v4l2_sliced_vbi_format and v4l2_sdr_format +have a reserved array at the end that should be zeroed by drivers +as per the V4L2 spec. Older drivers often do not do this, so just +handle this in the core. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/v4l2-core/v4l2-ioctl.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c +index 60453b21a855..4e700583659b 100644 +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -1617,12 +1617,12 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops, + case V4L2_BUF_TYPE_VBI_CAPTURE: + if (unlikely(!ops->vidioc_s_fmt_vbi_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.vbi); ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags); + return ops->vidioc_s_fmt_vbi_cap(file, fh, arg); + case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE: + if (unlikely(!ops->vidioc_s_fmt_sliced_vbi_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sliced); ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size); + return ops->vidioc_s_fmt_sliced_vbi_cap(file, fh, arg); + case V4L2_BUF_TYPE_VIDEO_OUTPUT: + if (unlikely(!ops->vidioc_s_fmt_vid_out)) +@@ -1648,22 +1648,22 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops, + case V4L2_BUF_TYPE_VBI_OUTPUT: + if (unlikely(!ops->vidioc_s_fmt_vbi_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.vbi); ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags); + return ops->vidioc_s_fmt_vbi_out(file, fh, arg); + case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT: + if (unlikely(!ops->vidioc_s_fmt_sliced_vbi_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sliced); ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size); + return ops->vidioc_s_fmt_sliced_vbi_out(file, fh, arg); + case V4L2_BUF_TYPE_SDR_CAPTURE: + if (unlikely(!ops->vidioc_s_fmt_sdr_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sdr); ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize); + return ops->vidioc_s_fmt_sdr_cap(file, fh, arg); + case V4L2_BUF_TYPE_SDR_OUTPUT: + if (unlikely(!ops->vidioc_s_fmt_sdr_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sdr); ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize); + return ops->vidioc_s_fmt_sdr_out(file, fh, arg); + case V4L2_BUF_TYPE_META_CAPTURE: + if (unlikely(!ops->vidioc_s_fmt_meta_cap)) +@@ -1719,12 +1719,12 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops, + case V4L2_BUF_TYPE_VBI_CAPTURE: + if (unlikely(!ops->vidioc_try_fmt_vbi_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.vbi); ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags); + return ops->vidioc_try_fmt_vbi_cap(file, fh, arg); + case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE: + if (unlikely(!ops->vidioc_try_fmt_sliced_vbi_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sliced); ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size); + return ops->vidioc_try_fmt_sliced_vbi_cap(file, fh, arg); + case V4L2_BUF_TYPE_VIDEO_OUTPUT: + if (unlikely(!ops->vidioc_try_fmt_vid_out)) +@@ -1750,22 +1750,22 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops, + case V4L2_BUF_TYPE_VBI_OUTPUT: + if (unlikely(!ops->vidioc_try_fmt_vbi_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.vbi); ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags); + return ops->vidioc_try_fmt_vbi_out(file, fh, arg); + case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT: + if (unlikely(!ops->vidioc_try_fmt_sliced_vbi_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sliced); ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size); + return ops->vidioc_try_fmt_sliced_vbi_out(file, fh, arg); + case V4L2_BUF_TYPE_SDR_CAPTURE: + if (unlikely(!ops->vidioc_try_fmt_sdr_cap)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sdr); ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize); + return ops->vidioc_try_fmt_sdr_cap(file, fh, arg); + case V4L2_BUF_TYPE_SDR_OUTPUT: + if (unlikely(!ops->vidioc_try_fmt_sdr_out)) + break; +- CLEAR_AFTER_FIELD(p, fmt.sdr); ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize); + return ops->vidioc_try_fmt_sdr_out(file, fh, arg); + case V4L2_BUF_TYPE_META_CAPTURE: + if (unlikely(!ops->vidioc_try_fmt_meta_cap)) +-- +2.16.4 + diff --git a/patches.suse/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-.patch b/patches.suse/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-.patch new file mode 100644 index 0000000..8a58843 --- /dev/null +++ b/patches.suse/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-.patch @@ -0,0 +1,82 @@ +From f51e50db4c20d46930b33be3f208851265694f3e Mon Sep 17 00:00:00 2001 +From: Helen Koike +Date: Tue, 17 Dec 2019 21:00:22 +0100 +Subject: [PATCH] media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments +Git-commit: f51e50db4c20d46930b33be3f208851265694f3e +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +boundary->width and boundary->height are sizes relative to +boundary->left and boundary->top coordinates, but they were not being +taken into consideration to adjust r->left and r->top, leading to the +following error: + +Consider the follow as initial values for boundary and r: + +struct v4l2_rect boundary = { + .left = 100, + .top = 100, + .width = 800, + .height = 600, +} + +struct v4l2_rect r = { + .left = 0, + .top = 0, + .width = 1920, + .height = 960, +} + +calling v4l2_rect_map_inside(&r, &boundary) was modifying r to: + +r = { + .left = 0, + .top = 0, + .width = 800, + .height = 600, +} + +Which is wrongly outside the boundary rectangle, because: + + v4l2_rect_set_max_size(r, boundary); // r->width = 800, r->height = 600 + ... + if (r->left + r->width > boundary->width) // true + r->left = boundary->width - r->width; // r->left = 800 - 800 + if (r->top + r->height > boundary->height) // true + r->top = boundary->height - r->height; // r->height = 600 - 600 + +Fix this by considering top/left coordinates from boundary. + +Fixes: ac49de8c49d7 ("[media] v4l2-rect.h: new header with struct v4l2_rect helper functions") +Signed-off-by: Helen Koike +Cc: # for v4.7 and up +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + include/media/v4l2-rect.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/media/v4l2-rect.h b/include/media/v4l2-rect.h +index c86474dc7b55..8800a640c224 100644 +--- a/include/media/v4l2-rect.h ++++ b/include/media/v4l2-rect.h +@@ -63,10 +63,10 @@ static inline void v4l2_rect_map_inside(struct v4l2_rect *r, + r->left = boundary->left; + if (r->top < boundary->top) + r->top = boundary->top; +- if (r->left + r->width > boundary->width) +- r->left = boundary->width - r->width; +- if (r->top + r->height > boundary->height) +- r->top = boundary->height - r->height; ++ if (r->left + r->width > boundary->left + boundary->width) ++ r->left = boundary->left + boundary->width - r->width; ++ if (r->top + r->height > boundary->top + boundary->height) ++ r->top = boundary->top + boundary->height - r->height; + } + + /** +-- +2.16.4 + diff --git a/patches.suse/mfd-da9062-Fix-watchdog-compatible-string.patch b/patches.suse/mfd-da9062-Fix-watchdog-compatible-string.patch new file mode 100644 index 0000000..2b0e020 --- /dev/null +++ b/patches.suse/mfd-da9062-Fix-watchdog-compatible-string.patch @@ -0,0 +1,39 @@ +From 1112ba02ff1190ca9c15a912f9269e54b46d2d82 Mon Sep 17 00:00:00 2001 +From: Marco Felsch +Date: Wed, 8 Jan 2020 10:57:02 +0100 +Subject: [PATCH] mfd: da9062: Fix watchdog compatible string +Git-commit: 1112ba02ff1190ca9c15a912f9269e54b46d2d82 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +The watchdog driver compatible is "dlg,da9062-watchdog" and not +"dlg,da9062-wdt". Therefore the mfd-core can't populate the of_node and +fwnode. As result the watchdog driver can't parse the devicetree. + +Fixes: 9b40b030c4ad ("mfd: da9062: Supply core driver") +Signed-off-by: Marco Felsch +Acked-by: Guenter Roeck +Reviewed-by: Adam Thomson +Signed-off-by: Lee Jones +Acked-by: Takashi Iwai + +--- + drivers/mfd/da9062-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/da9062-core.c b/drivers/mfd/da9062-core.c +index 5290bdc0ddcd..419c73533401 100644 +--- a/drivers/mfd/da9062-core.c ++++ b/drivers/mfd/da9062-core.c +@@ -256,7 +256,7 @@ static const struct mfd_cell da9062_devs[] = { + .name = "da9062-watchdog", + .num_resources = ARRAY_SIZE(da9062_wdt_resources), + .resources = da9062_wdt_resources, +- .of_compatible = "dlg,da9062-wdt", ++ .of_compatible = "dlg,da9062-watchdog", + }, + { + .name = "da9062-thermal", +-- +2.16.4 + diff --git a/patches.suse/mfd-dln2-More-sanity-checking-for-endpoints.patch b/patches.suse/mfd-dln2-More-sanity-checking-for-endpoints.patch new file mode 100644 index 0000000..9312a03 --- /dev/null +++ b/patches.suse/mfd-dln2-More-sanity-checking-for-endpoints.patch @@ -0,0 +1,59 @@ +From 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 21 Nov 2019 11:28:10 +0100 +Subject: [PATCH] mfd: dln2: More sanity checking for endpoints +Git-commit: 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +It is not enough to check for the number of endpoints. +The types must also be correct. + +Reported-and-tested-by: syzbot+48a2851be24583b864dc@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Lee Jones +Acked-by: Takashi Iwai + +--- + drivers/mfd/dln2.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c +index 381593fbe50f..7841c11411d0 100644 +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -722,6 +722,8 @@ static int dln2_probe(struct usb_interface *interface, + const struct usb_device_id *usb_id) + { + struct usb_host_interface *hostif = interface->cur_altsetting; ++ struct usb_endpoint_descriptor *epin; ++ struct usb_endpoint_descriptor *epout; + struct device *dev = &interface->dev; + struct dln2_dev *dln2; + int ret; +@@ -731,12 +733,19 @@ static int dln2_probe(struct usb_interface *interface, + hostif->desc.bNumEndpoints < 2) + return -ENODEV; + ++ epin = &hostif->endpoint[0].desc; ++ epout = &hostif->endpoint[1].desc; ++ if (!usb_endpoint_is_bulk_out(epout)) ++ return -ENODEV; ++ if (!usb_endpoint_is_bulk_in(epin)) ++ return -ENODEV; ++ + dln2 = kzalloc(sizeof(*dln2), GFP_KERNEL); + if (!dln2) + return -ENOMEM; + +- dln2->ep_out = hostif->endpoint[0].desc.bEndpointAddress; +- dln2->ep_in = hostif->endpoint[1].desc.bEndpointAddress; ++ dln2->ep_out = epout->bEndpointAddress; ++ dln2->ep_in = epin->bEndpointAddress; + dln2->usb_dev = usb_get_dev(interface_to_usbdev(interface)); + dln2->interface = interface; + usb_set_intfdata(interface, dln2); +-- +2.16.4 + diff --git a/patches.suse/mfd-rn5t618-Mark-ADC-control-register-volatile.patch b/patches.suse/mfd-rn5t618-Mark-ADC-control-register-volatile.patch new file mode 100644 index 0000000..6674242 --- /dev/null +++ b/patches.suse/mfd-rn5t618-Mark-ADC-control-register-volatile.patch @@ -0,0 +1,34 @@ +From 2f3dc25c0118de03a00ddc88b61f7216854f534d Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Fri, 17 Jan 2020 22:59:22 +0100 +Subject: [PATCH] mfd: rn5t618: Mark ADC control register volatile +Git-commit: 2f3dc25c0118de03a00ddc88b61f7216854f534d +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +There is a bit which gets cleared after conversion. + +Fixes: 9bb9e29c78f8 ("mfd: Add Ricoh RN5T618 PMIC core driver") +Signed-off-by: Andreas Kemnade +Signed-off-by: Lee Jones +Acked-by: Takashi Iwai + +--- + drivers/mfd/rn5t618.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/rn5t618.c b/drivers/mfd/rn5t618.c +index da5cd9c92a59..ead2e79036a9 100644 +--- a/drivers/mfd/rn5t618.c ++++ b/drivers/mfd/rn5t618.c +@@ -26,6 +26,7 @@ static bool rn5t618_volatile_reg(struct device *dev, unsigned int reg) + case RN5T618_WATCHDOGCNT: + case RN5T618_DCIRQ: + case RN5T618_ILIMDATAH ... RN5T618_AIN0DATAL: ++ case RN5T618_ADCCNT3: + case RN5T618_IR_ADC1 ... RN5T618_IR_ADC3: + case RN5T618_IR_GPR: + case RN5T618_IR_GPF: +-- +2.16.4 + diff --git a/patches.suse/mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch b/patches.suse/mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch new file mode 100644 index 0000000..8035b1c --- /dev/null +++ b/patches.suse/mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch @@ -0,0 +1,59 @@ +From 2a187d03352086e300daa2044051db00044cd171 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= +Date: Wed, 15 Jan 2020 10:54:35 +0100 +Subject: [PATCH] mmc: sdhci: fix minimum clock rate for v3 controller +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 2a187d03352086e300daa2044051db00044cd171 +Patch-mainline: v5.5 +References: bsc#1051510 + +For SDHCIv3+ with programmable clock mode, minimal clock frequency is +still base clock / max(divider). Minimal programmable clock frequency is +always greater than minimal divided clock frequency. Without this patch, +SDHCI uses out-of-spec initial frequency when multiplier is big enough: + +Mmc1: mmc_rescan_try_freq: trying to init card at 468750 Hz +[for 480 MHz source clock divided by 1024] + +The code in sdhci_calc_clk() already chooses a correct SDCLK clock mode. + +Fixes: c3ed3877625f ("mmc: sdhci: add support for programmable clock mode") +Cc: # 4f6aa3264af4: mmc: tegra: Only advertise UHS modes if IO regulator is present +Cc: +Signed-off-by: Michał Mirosław +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/ffb489519a446caffe7a0a05c4b9372bd52397bb.1579082031.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/sdhci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c +index 1b1c26da3fe0..659a9459ace3 100644 +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -3913,11 +3913,13 @@ int sdhci_setup_host(struct sdhci_host *host) + if (host->ops->get_min_clock) + mmc->f_min = host->ops->get_min_clock(host); + else if (host->version >= SDHCI_SPEC_300) { +- if (host->clk_mul) { +- mmc->f_min = (host->max_clk * host->clk_mul) / 1024; ++ if (host->clk_mul) + max_clk = host->max_clk * host->clk_mul; +- } else +- mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_300; ++ /* ++ * Divided Clock Mode minimum clock rate is always less than ++ * Programmable Clock Mode minimum clock rate. ++ */ ++ mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_300; + } else + mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_200; + +-- +2.16.4 + diff --git a/patches.suse/mmc-spi-Toggle-SPI-polarity-do-not-hardcode-it.patch b/patches.suse/mmc-spi-Toggle-SPI-polarity-do-not-hardcode-it.patch new file mode 100644 index 0000000..b471031 --- /dev/null +++ b/patches.suse/mmc-spi-Toggle-SPI-polarity-do-not-hardcode-it.patch @@ -0,0 +1,68 @@ +From af3ed119329cf9690598c5a562d95dfd128e91d6 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Wed, 4 Dec 2019 16:27:49 +0100 +Subject: [PATCH] mmc: spi: Toggle SPI polarity, do not hardcode it +Git-commit: af3ed119329cf9690598c5a562d95dfd128e91d6 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +The code in mmc_spi_initsequence() tries to send a burst with +high chipselect and for this reason hardcodes the device into +SPI_CS_HIGH. + +This is not good because the SPI_CS_HIGH flag indicates +logical "asserted" CS not always the physical level. In +some cases the signal is inverted in the GPIO library and +in that case SPI_CS_HIGH is already set, and enforcing +SPI_CS_HIGH again will actually drive it low. + +Instead of hard-coding this, toggle the polarity so if the +default is LOW it goes high to assert chipselect but if it +is already high then toggle it low instead. + +Cc: Phil Elwell +Reported-by: Mark Brown +Signed-off-by: Linus Walleij +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20191204152749.12652-1-linus.walleij@linaro.org +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/mmc_spi.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c +index 74c6cfbf9172..1f02f54f09c0 100644 +--- a/drivers/mmc/host/mmc_spi.c ++++ b/drivers/mmc/host/mmc_spi.c +@@ -1134,17 +1134,22 @@ static void mmc_spi_initsequence(struct mmc_spi_host *host) + * SPI protocol. Another is that when chipselect is released while + * the card returns BUSY status, the clock must issue several cycles + * with chipselect high before the card will stop driving its output. ++ * ++ * SPI_CS_HIGH means "asserted" here. In some cases like when using ++ * GPIOs for chip select, SPI_CS_HIGH is set but this will be logically ++ * inverted by gpiolib, so if we want to ascertain to drive it high ++ * we should toggle the default with an XOR as we do here. + */ +- host->spi->mode |= SPI_CS_HIGH; ++ host->spi->mode ^= SPI_CS_HIGH; + if (spi_setup(host->spi) != 0) { + /* Just warn; most cards work without it. */ + dev_warn(&host->spi->dev, + "can't change chip-select polarity\n"); +- host->spi->mode &= ~SPI_CS_HIGH; ++ host->spi->mode ^= SPI_CS_HIGH; + } else { + mmc_spi_readbytes(host, 18); + +- host->spi->mode &= ~SPI_CS_HIGH; ++ host->spi->mode ^= SPI_CS_HIGH; + if (spi_setup(host->spi) != 0) { + /* Wot, we can't get the same setup we had before? */ + dev_err(&host->spi->dev, +-- +2.16.4 + diff --git a/patches.suse/mmc-tegra-fix-SDR50-tuning-override.patch b/patches.suse/mmc-tegra-fix-SDR50-tuning-override.patch new file mode 100644 index 0000000..b07eca8 --- /dev/null +++ b/patches.suse/mmc-tegra-fix-SDR50-tuning-override.patch @@ -0,0 +1,44 @@ +From f571389c0b015e76f91c697c4c1700aba860d34f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= +Date: Tue, 7 Jan 2020 10:47:34 +0100 +Subject: [PATCH] mmc: tegra: fix SDR50 tuning override +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: f571389c0b015e76f91c697c4c1700aba860d34f +Patch-mainline: v5.5 +References: bsc#1051510 + +Commit 7ad2ed1dfcbe inadvertently mixed up a quirk flag's name and +broke SDR50 tuning override. Use correct NVQUIRK_ name. + +Fixes: 7ad2ed1dfcbe ("mmc: tegra: enable UHS-I modes") +Cc: +Acked-by: Adrian Hunter +Reviewed-by: Thierry Reding +Tested-by: Thierry Reding +Signed-off-by: Michał Mirosław +Link: https://lore.kernel.org/r/9aff1d859935e59edd81e4939e40d6c55e0b55f6.1578390388.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/sdhci-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-tegra.c b/drivers/mmc/host/sdhci-tegra.c +index 7bc950520fd9..403ac44a7378 100644 +--- a/drivers/mmc/host/sdhci-tegra.c ++++ b/drivers/mmc/host/sdhci-tegra.c +@@ -386,7 +386,7 @@ static void tegra_sdhci_reset(struct sdhci_host *host, u8 mask) + misc_ctrl |= SDHCI_MISC_CTRL_ENABLE_DDR50; + if (soc_data->nvquirks & NVQUIRK_ENABLE_SDR104) + misc_ctrl |= SDHCI_MISC_CTRL_ENABLE_SDR104; +- if (soc_data->nvquirks & SDHCI_MISC_CTRL_ENABLE_SDR50) ++ if (soc_data->nvquirks & NVQUIRK_ENABLE_SDR50) + clk_ctrl |= SDHCI_CLOCK_CTRL_SDR50_TUNING_OVERRIDE; + } + +-- +2.16.4 + diff --git a/patches.suse/mod_devicetable-fix-PHY-module-format.patch b/patches.suse/mod_devicetable-fix-PHY-module-format.patch new file mode 100644 index 0000000..89bee69 --- /dev/null +++ b/patches.suse/mod_devicetable-fix-PHY-module-format.patch @@ -0,0 +1,41 @@ +From: Russell King +Date: Thu, 19 Dec 2019 23:24:47 +0000 +Subject: mod_devicetable: fix PHY module format +Git-commit: d2ed49cf6c13e379c5819aa5ac20e1f9674ebc89 +Patch-mainline: 5.5-rc3 +References: networking-stable-19_12_28 + +When a PHY is probed, if the top bit is set, we end up requesting a +module with the string "mdio:-10101110000000100101000101010001" - +the top bit is printed to a signed -1 value. This leads to the module +not being loaded. + +Fix the module format string and the macro generating the values for +it to ensure that we only print unsigned types and the top bit is +always 0/1. We correctly end up with +"mdio:10101110000000100101000101010001". + +Fixes: 8626d3b43280 ("phylib: Support phy module autoloading") +Reviewed-by: Andrew Lunn +Signed-off-by: Russell King +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + include/linux/mod_devicetable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/mod_devicetable.h ++++ b/include/linux/mod_devicetable.h +@@ -515,9 +515,9 @@ struct platform_device_id { + #define MDIO_NAME_SIZE 32 + #define MDIO_MODULE_PREFIX "mdio:" + +-#define MDIO_ID_FMT "%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d" ++#define MDIO_ID_FMT "%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u" + #define MDIO_ID_ARGS(_id) \ +- (_id)>>31, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \ ++ ((_id)>>31) & 1, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \ + ((_id)>>27) & 1, ((_id)>>26) & 1, ((_id)>>25) & 1, ((_id)>>24) & 1, \ + ((_id)>>23) & 1, ((_id)>>22) & 1, ((_id)>>21) & 1, ((_id)>>20) & 1, \ + ((_id)>>19) & 1, ((_id)>>18) & 1, ((_id)>>17) & 1, ((_id)>>16) & 1, \ diff --git a/patches.suse/msft-hv-1986-hv_netvsc-Fix-offset-usage-in-netvsc_send_table.patch b/patches.suse/msft-hv-1986-hv_netvsc-Fix-offset-usage-in-netvsc_send_table.patch new file mode 100644 index 0000000..f9a8e42 --- /dev/null +++ b/patches.suse/msft-hv-1986-hv_netvsc-Fix-offset-usage-in-netvsc_send_table.patch @@ -0,0 +1,109 @@ +From: Haiyang Zhang +Date: Thu, 21 Nov 2019 13:33:40 -0800 +Patch-mainline: v5.4 +Subject: hv_netvsc: Fix offset usage in netvsc_send_table() +Git-commit: 71f21959dd5516031db4f011e15e9a9508b93a7d +References: bsc#1164598 + +To reach the data region, the existing code adds offset in struct +nvsp_5_send_indirect_table on the beginning of this struct. But the +offset should be based on the beginning of its container, +struct nvsp_message. This bug causes the first table entry missing, +and adds an extra zero from the zero pad after the data region. +This can put extra burden on the channel 0. + +So, correct the offset usage. Also add a boundary check to ensure +not reading beyond data region. + +Fixes: 5b54dac856cb ("hyperv: Add support for virtual Receive Side Scaling (vRSS)") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/hyperv/hyperv_net.h | 3 ++- + drivers/net/hyperv/netvsc.c | 26 ++++++++++++++++++-------- + 2 files changed, 20 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -609,7 +609,8 @@ struct nvsp_5_send_indirect_table { + /* The number of entries in the send indirection table */ + u32 count; + +- /* The offset of the send indirection table from top of this struct. ++ /* The offset of the send indirection table from the beginning of ++ * struct nvsp_message. + * The send indirection table tells which channel to put the send + * traffic on. Each entry is a channel number. + */ +diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -1178,20 +1178,28 @@ static int netvsc_receive(struct net_device *ndev, + } + + static void netvsc_send_table(struct net_device *ndev, +- const struct nvsp_message *nvmsg) ++ const struct nvsp_message *nvmsg, ++ u32 msglen) + { + struct net_device_context *net_device_ctx = netdev_priv(ndev); +- u32 count, *tab; ++ u32 count, offset, *tab; + int i; + + count = nvmsg->msg.v5_msg.send_table.count; ++ offset = nvmsg->msg.v5_msg.send_table.offset; ++ + if (count != VRSS_SEND_TAB_SIZE) { + netdev_err(ndev, "Received wrong send-table size:%u\n", count); + return; + } + +- tab = (u32 *)((unsigned long)&nvmsg->msg.v5_msg.send_table + +- nvmsg->msg.v5_msg.send_table.offset); ++ if (offset > msglen - count * sizeof(u32)) { ++ netdev_err(ndev, "Received send-table offset too big:%u\n", ++ offset); ++ return; ++ } ++ ++ tab = (void *)nvmsg + offset; + + for (i = 0; i < count; i++) + net_device_ctx->tx_table[i] = tab[i]; +@@ -1209,12 +1217,13 @@ static void netvsc_send_vf(struct net_device *ndev, + net_device_ctx->vf_alloc ? "added" : "removed"); + } + +-static void netvsc_receive_inband(struct net_device *ndev, +- const struct nvsp_message *nvmsg) ++static void netvsc_receive_inband(struct net_device *ndev, ++ const struct nvsp_message *nvmsg, ++ u32 msglen) + { + switch (nvmsg->hdr.msg_type) { + case NVSP_MSG5_TYPE_SEND_INDIRECTION_TABLE: +- netvsc_send_table(ndev, nvmsg); ++ netvsc_send_table(ndev, nvmsg, msglen); + break; + + case NVSP_MSG4_TYPE_SEND_VF_ASSOCIATION: +@@ -1232,6 +1241,7 @@ static int netvsc_process_raw_pkt(struct hv_device *device, + { + struct vmbus_channel *channel = nvchan->channel; + const struct nvsp_message *nvmsg = hv_pkt_data(desc); ++ u32 msglen = hv_pkt_datalen(desc); + + trace_nvsp_recv(ndev, channel, nvmsg); + +@@ -1247,7 +1257,7 @@ static int netvsc_process_raw_pkt(struct hv_device *device, + break; + + case VM_PKT_DATA_INBAND: +- netvsc_receive_inband(ndev, nvmsg); ++ netvsc_receive_inband(ndev, nvmsg, msglen); + break; + + default: diff --git a/patches.suse/msft-hv-1987-hv_netvsc-Fix-send_table-offset-in-case-of-a-host-bu.patch b/patches.suse/msft-hv-1987-hv_netvsc-Fix-send_table-offset-in-case-of-a-host-bu.patch new file mode 100644 index 0000000..638e770 --- /dev/null +++ b/patches.suse/msft-hv-1987-hv_netvsc-Fix-send_table-offset-in-case-of-a-host-bu.patch @@ -0,0 +1,77 @@ +From: Haiyang Zhang +Date: Thu, 21 Nov 2019 13:33:41 -0800 +Patch-mainline: v5.4 +Subject: hv_netvsc: Fix send_table offset in case of a host bug +Git-commit: 171c1fd98df3d5948d9a9eb755274850fa5e59c6 +References: bsc#1164598 + +If negotiated NVSP version <= NVSP_PROTOCOL_VERSION_6, the offset may +be wrong (too small) due to a host bug. This can cause missing the +end of the send indirection table, and add multiple zero entries from +leading zeros before the data region. This bug adds extra burden on +channel 0. + +So fix the offset by computing it from the data structure sizes. This +will ensure netvsc driver runs normally on unfixed hosts, and future +fixed hosts. + +Fixes: 5b54dac856cb ("hyperv: Add support for virtual Receive Side Scaling (vRSS)") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/hyperv/netvsc.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -1178,6 +1178,7 @@ static int netvsc_receive(struct net_device *ndev, + } + + static void netvsc_send_table(struct net_device *ndev, ++ struct netvsc_device *nvscdev, + const struct nvsp_message *nvmsg, + u32 msglen) + { +@@ -1193,6 +1194,16 @@ static void netvsc_send_table(struct net_device *ndev, + return; + } + ++ /* If negotiated version <= NVSP_PROTOCOL_VERSION_6, the offset may be ++ * wrong due to a host bug. So fix the offset here. ++ */ ++ if (nvscdev->nvsp_version <= NVSP_PROTOCOL_VERSION_6 && ++ msglen >= sizeof(struct nvsp_message_header) + ++ sizeof(union nvsp_6_message_uber) + count * sizeof(u32)) ++ offset = sizeof(struct nvsp_message_header) + ++ sizeof(union nvsp_6_message_uber); ++ ++ /* Boundary check for all versions */ + if (offset > msglen - count * sizeof(u32)) { + netdev_err(ndev, "Received send-table offset too big:%u\n", + offset); +@@ -1218,12 +1229,13 @@ static void netvsc_send_vf(struct net_device *ndev, + } + + static void netvsc_receive_inband(struct net_device *ndev, ++ struct netvsc_device *nvscdev, + const struct nvsp_message *nvmsg, + u32 msglen) + { + switch (nvmsg->hdr.msg_type) { + case NVSP_MSG5_TYPE_SEND_INDIRECTION_TABLE: +- netvsc_send_table(ndev, nvmsg, msglen); ++ netvsc_send_table(ndev, nvscdev, nvmsg, msglen); + break; + + case NVSP_MSG4_TYPE_SEND_VF_ASSOCIATION: +@@ -1257,7 +1269,7 @@ static int netvsc_process_raw_pkt(struct hv_device *device, + break; + + case VM_PKT_DATA_INBAND: +- netvsc_receive_inband(ndev, nvmsg, msglen); ++ netvsc_receive_inband(ndev, net_device, nvmsg, msglen); + break; + + default: diff --git a/patches.suse/msft-hv-1997-hv_netvsc-Fix-tx_table-init-in-rndis_set_subchannel.patch b/patches.suse/msft-hv-1997-hv_netvsc-Fix-tx_table-init-in-rndis_set_subchannel.patch new file mode 100644 index 0000000..3f230f3 --- /dev/null +++ b/patches.suse/msft-hv-1997-hv_netvsc-Fix-tx_table-init-in-rndis_set_subchannel.patch @@ -0,0 +1,46 @@ +From: Haiyang Zhang +Date: Wed, 11 Dec 2019 14:26:27 -0800 +Patch-mainline: v5.5-rc3 +Subject: hv_netvsc: Fix tx_table init in rndis_set_subchannel() +Git-commit: c39ea5cba5a2e97fc01b78c85208bf31383b399c +References: bsc#1164598 + +Host can provide send indirection table messages anytime after RSS is +enabled by calling rndis_filter_set_rss_param(). So the host provided +table values may be overwritten by the initialization in +rndis_set_subchannel(). + +To prevent this problem, move the tx_table initialization before calling +rndis_filter_set_rss_param(). + +Fixes: a6fb6aa3cfa9 ("hv_netvsc: Set tx_table to equal weight after subchannels open") +Signed-off-by: Haiyang Zhang +Signed-off-by: Jakub Kicinski +Acked-by: Olaf Hering +--- + drivers/net/hyperv/rndis_filter.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -1171,6 +1171,9 @@ int rndis_set_subchannel(struct net_device *ndev, + wait_event(nvdev->subchan_open, + atomic_read(&nvdev->open_chn) == nvdev->num_chn); + ++ for (i = 0; i < VRSS_SEND_TAB_SIZE; i++) ++ ndev_ctx->tx_table[i] = i % nvdev->num_chn; ++ + /* ignore failures from setting rss parameters, still have channels */ + if (dev_info) + rndis_filter_set_rss_param(rdev, dev_info->rss_key); +@@ -1180,9 +1183,6 @@ int rndis_set_subchannel(struct net_device *ndev, + netif_set_real_num_tx_queues(ndev, nvdev->num_chn); + netif_set_real_num_rx_queues(ndev, nvdev->num_chn); + +- for (i = 0; i < VRSS_SEND_TAB_SIZE; i++) +- ndev_ctx->tx_table[i] = i % nvdev->num_chn; +- + return 0; + } + diff --git a/patches.suse/msft-hv-1998-hv_netvsc-Fix-unwanted-rx_table-reset.patch b/patches.suse/msft-hv-1998-hv_netvsc-Fix-unwanted-rx_table-reset.patch new file mode 100644 index 0000000..9801432 --- /dev/null +++ b/patches.suse/msft-hv-1998-hv_netvsc-Fix-unwanted-rx_table-reset.patch @@ -0,0 +1,108 @@ +From: Haiyang Zhang +Date: Thu, 19 Dec 2019 18:28:10 -0800 +Patch-mainline: v5.5-rc3 +Subject: hv_netvsc: Fix unwanted rx_table reset +Git-commit: b0689faa8efc5a3391402d7ae93bd373b7248e51 +References: bsc#1164598 + +In existing code, the receive indirection table, rx_table, is in +struct rndis_device, which will be reset when changing MTU, ringparam, +etc. User configured receive indirection table values will be lost. + +To fix this, move rx_table to struct net_device_context, and check +netif_is_rxfh_configured(), so rx_table will be set to default only +if no user configured value. + +Fixes: ff4a44199012 ("netvsc: allow get/set of RSS indirection table") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/hyperv/hyperv_net.h | 3 ++- + drivers/net/hyperv/netvsc_drv.c | 4 ++-- + drivers/net/hyperv/rndis_filter.c | 10 +++++++--- + 3 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -169,7 +169,6 @@ struct rndis_device { + + u8 hw_mac_adr[ETH_ALEN]; + u8 rss_key[NETVSC_HASH_KEYLEN]; +- u16 rx_table[ITAB_NUM]; + }; + + +@@ -940,6 +939,8 @@ struct net_device_context { + + u32 tx_table[VRSS_SEND_TAB_SIZE]; + ++ u16 rx_table[ITAB_NUM]; ++ + /* Ethtool settings */ + u8 duplex; + u32 speed; +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -1662,7 +1662,7 @@ static int netvsc_get_rxfh(struct net_device *dev, u32 *indir, u8 *key, + rndis_dev = ndev->extension; + if (indir) { + for (i = 0; i < ITAB_NUM; i++) +- indir[i] = rndis_dev->rx_table[i]; ++ indir[i] = ndc->rx_table[i]; + } + + if (key) +@@ -1692,7 +1692,7 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir, + return -EINVAL; + + for (i = 0; i < ITAB_NUM; i++) +- rndis_dev->rx_table[i] = indir[i]; ++ ndc->rx_table[i] = indir[i]; + } + + if (!key) { +diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -773,6 +773,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev, + const u8 *rss_key, u16 flag) + { + struct net_device *ndev = rdev->ndev; ++ struct net_device_context *ndc = netdev_priv(ndev); + struct rndis_request *request; + struct rndis_set_request *set; + struct rndis_set_complete *set_complete; +@@ -812,7 +813,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev, + /* Set indirection table entries */ + itab = (u32 *)(rssp + 1); + for (i = 0; i < ITAB_NUM; i++) +- itab[i] = rdev->rx_table[i]; ++ itab[i] = ndc->rx_table[i]; + + /* Set hask key values */ + keyp = (u8 *)((unsigned long)rssp + rssp->hashkey_offset); +@@ -1312,6 +1313,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev, + struct netvsc_device_info *device_info) + { + struct net_device *net = hv_get_drvdata(dev); ++ struct net_device_context *ndc = netdev_priv(net); + struct netvsc_device *net_device; + struct rndis_device *rndis_device; + struct ndis_recv_scale_cap rsscap; +@@ -1398,9 +1400,11 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev, + /* We will use the given number of channels if available. */ + net_device->num_chn = min(net_device->max_chn, device_info->num_chn); + +- for (i = 0; i < ITAB_NUM; i++) +- rndis_device->rx_table[i] = ethtool_rxfh_indir_default( ++ if (!netif_is_rxfh_configured(net)) { ++ for (i = 0; i < ITAB_NUM; i++) ++ ndc->rx_table[i] = ethtool_rxfh_indir_default( + i, net_device->num_chn); ++ } + + atomic_set(&net_device->open_chn, 1); + vmbus_set_sc_create_callback(dev->channel, netvsc_sc_open); diff --git a/patches.suse/mtd-fix-mtd_oobavail-incoherent-returned-value.patch b/patches.suse/mtd-fix-mtd_oobavail-incoherent-returned-value.patch new file mode 100644 index 0000000..b64da54 --- /dev/null +++ b/patches.suse/mtd-fix-mtd_oobavail-incoherent-returned-value.patch @@ -0,0 +1,36 @@ +From 4348433d8c0234f44adb6e12112e69343f50f0c5 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Sun, 18 Nov 2018 21:18:30 +0100 +Subject: [PATCH] mtd: fix mtd_oobavail() incoherent returned value +Git-commit: 4348433d8c0234f44adb6e12112e69343f50f0c5 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +mtd_oobavail() returns either mtd->oovabail or mtd->oobsize. Both +values are unsigned 32-bit entities, so there is no reason to pretend +returning a signed one. + +Signed-off-by: Miquel Raynal +Signed-off-by: Boris Brezillon +Acked-by: Takashi Iwai + +--- + include/linux/mtd/mtd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/mtd/mtd.h b/include/linux/mtd/mtd.h +index cd0be91bdefa..035d641e8847 100644 +--- a/include/linux/mtd/mtd.h ++++ b/include/linux/mtd/mtd.h +@@ -386,7 +386,7 @@ static inline struct device_node *mtd_get_of_node(struct mtd_info *mtd) + return dev_of_node(&mtd->dev); + } + +-static inline int mtd_oobavail(struct mtd_info *mtd, struct mtd_oob_ops *ops) ++static inline u32 mtd_oobavail(struct mtd_info *mtd, struct mtd_oob_ops *ops) + { + return ops->mode == MTD_OPS_AUTO_OOB ? mtd->oobavail : mtd->oobsize; + } +-- +2.16.4 + diff --git a/patches.suse/mwifiex-delete-unused-mwifiex_get_intf_num.patch b/patches.suse/mwifiex-delete-unused-mwifiex_get_intf_num.patch new file mode 100644 index 0000000..6ddfe0b --- /dev/null +++ b/patches.suse/mwifiex-delete-unused-mwifiex_get_intf_num.patch @@ -0,0 +1,51 @@ +From 1c9f329b084b7b8ea6d60d91a202e884cdcf6aae Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 9 Dec 2019 16:39:11 -0800 +Subject: [PATCH] mwifiex: delete unused mwifiex_get_intf_num() +Git-commit: 1c9f329b084b7b8ea6d60d91a202e884cdcf6aae +Patch-mainline: v5.6-rc1 +References: bsc#1111666 + +Commit 7afb94da3cd8 ("mwifiex: update set_mac_address logic") fixed the +only user of this function, partly because the author seems to have +noticed that, as written, it's on the borderline between highly +misleading and buggy. + +Anyway, no sense in keeping dead code around: let's drop it. + +Fixes: 7afb94da3cd8 ("mwifiex: update set_mac_address logic") +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/marvell/mwifiex/main.h | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h +index 547ff3c578ee..fa5634af40f7 100644 +--- a/drivers/net/wireless/marvell/mwifiex/main.h ++++ b/drivers/net/wireless/marvell/mwifiex/main.h +@@ -1295,19 +1295,6 @@ mwifiex_copy_rates(u8 *dest, u32 pos, u8 *src, int len) + return pos; + } + +-/* This function return interface number with the same bss_type. +- */ +-static inline u8 +-mwifiex_get_intf_num(struct mwifiex_adapter *adapter, u8 bss_type) +-{ +- u8 i, num = 0; +- +- for (i = 0; i < adapter->priv_num; i++) +- if (adapter->priv[i] && adapter->priv[i]->bss_type == bss_type) +- num++; +- return num; +-} +- + /* + * This function returns the correct private structure pointer based + * upon the BSS type and BSS number. +-- +2.16.4 + diff --git a/patches.suse/mwifiex-drop-most-magic-numbers-from-mwifiex_process.patch b/patches.suse/mwifiex-drop-most-magic-numbers-from-mwifiex_process.patch new file mode 100644 index 0000000..b54176d --- /dev/null +++ b/patches.suse/mwifiex-drop-most-magic-numbers-from-mwifiex_process.patch @@ -0,0 +1,229 @@ +From 70e5b8f445fd27fde0c5583460e82539a7242424 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 6 Dec 2019 11:45:35 -0800 +Subject: [PATCH] mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() +Git-commit: 70e5b8f445fd27fde0c5583460e82539a7242424 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Before commit 1e58252e334d ("mwifiex: Fix heap overflow in +mmwifiex_process_tdls_action_frame()"), +mwifiex_process_tdls_action_frame() already had too many magic numbers. +But this commit just added a ton more, in the name of checking for +buffer overflows. That seems like a really bad idea. + +Let's make these magic numbers a little less magic, by +(a) factoring out 'pos[1]' as 'ie_len' +(b) using 'sizeof' on the appropriate source or destination fields where + possible, instead of bare numbers +(c) dropping redundant checks, per below. + +Regarding redundant checks: the beginning of the loop has this: + + if (pos + 2 + pos[1] > end) + break; + +but then individual 'case's include stuff like this: + + if (pos > end - 3) + return; + if (pos[1] != 1) + return; + +Note that the second 'return' (validating the length, pos[1]) combined +with the above condition (ensuring 'pos + 2 + length' doesn't exceed +'end'), makes the first 'return' (whose 'if' can be reworded as 'pos > +end - pos[1] - 2') redundant. Rather than unwind the magic numbers +there, just drop those conditions. + +Fixes: 1e58252e334d ("mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()") +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/marvell/mwifiex/tdls.c | 75 +++++++++++------------------ + 1 file changed, 28 insertions(+), 47 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c +index 7caf1d26124a..f8f282ce39bd 100644 +--- a/drivers/net/wireless/marvell/mwifiex/tdls.c ++++ b/drivers/net/wireless/marvell/mwifiex/tdls.c +@@ -894,7 +894,7 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, + u8 *peer, *pos, *end; + u8 i, action, basic; + u16 cap = 0; +- int ie_len = 0; ++ int ies_len = 0; + + if (len < (sizeof(struct ethhdr) + 3)) + return; +@@ -916,7 +916,7 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, + pos = buf + sizeof(struct ethhdr) + 4; + /* payload 1+ category 1 + action 1 + dialog 1 */ + cap = get_unaligned_le16(pos); +- ie_len = len - sizeof(struct ethhdr) - TDLS_REQ_FIX_LEN; ++ ies_len = len - sizeof(struct ethhdr) - TDLS_REQ_FIX_LEN; + pos += 2; + break; + +@@ -926,7 +926,7 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, + /* payload 1+ category 1 + action 1 + dialog 1 + status code 2*/ + pos = buf + sizeof(struct ethhdr) + 6; + cap = get_unaligned_le16(pos); +- ie_len = len - sizeof(struct ethhdr) - TDLS_RESP_FIX_LEN; ++ ies_len = len - sizeof(struct ethhdr) - TDLS_RESP_FIX_LEN; + pos += 2; + break; + +@@ -934,7 +934,7 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, + if (len < (sizeof(struct ethhdr) + TDLS_CONFIRM_FIX_LEN)) + return; + pos = buf + sizeof(struct ethhdr) + TDLS_CONFIRM_FIX_LEN; +- ie_len = len - sizeof(struct ethhdr) - TDLS_CONFIRM_FIX_LEN; ++ ies_len = len - sizeof(struct ethhdr) - TDLS_CONFIRM_FIX_LEN; + break; + default: + mwifiex_dbg(priv->adapter, ERROR, "Unknown TDLS frame type.\n"); +@@ -947,33 +947,33 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, + + sta_ptr->tdls_cap.capab = cpu_to_le16(cap); + +- for (end = pos + ie_len; pos + 1 < end; pos += 2 + pos[1]) { +- if (pos + 2 + pos[1] > end) ++ for (end = pos + ies_len; pos + 1 < end; pos += 2 + pos[1]) { ++ u8 ie_len = pos[1]; ++ ++ if (pos + 2 + ie_len > end) + break; + + switch (*pos) { + case WLAN_EID_SUPP_RATES: +- if (pos[1] > 32) ++ if (ie_len > sizeof(sta_ptr->tdls_cap.rates)) + return; +- sta_ptr->tdls_cap.rates_len = pos[1]; +- for (i = 0; i < pos[1]; i++) ++ sta_ptr->tdls_cap.rates_len = ie_len; ++ for (i = 0; i < ie_len; i++) + sta_ptr->tdls_cap.rates[i] = pos[i + 2]; + break; + + case WLAN_EID_EXT_SUPP_RATES: +- if (pos[1] > 32) ++ if (ie_len > sizeof(sta_ptr->tdls_cap.rates)) + return; + basic = sta_ptr->tdls_cap.rates_len; +- if (pos[1] > 32 - basic) ++ if (ie_len > sizeof(sta_ptr->tdls_cap.rates) - basic) + return; +- for (i = 0; i < pos[1]; i++) ++ for (i = 0; i < ie_len; i++) + sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2]; +- sta_ptr->tdls_cap.rates_len += pos[1]; ++ sta_ptr->tdls_cap.rates_len += ie_len; + break; + case WLAN_EID_HT_CAPABILITY: +- if (pos > end - sizeof(struct ieee80211_ht_cap) - 2) +- return; +- if (pos[1] != sizeof(struct ieee80211_ht_cap)) ++ if (ie_len != sizeof(struct ieee80211_ht_cap)) + return; + /* copy the ie's value into ht_capb*/ + memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2, +@@ -981,59 +981,45 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, + sta_ptr->is_11n_enabled = 1; + break; + case WLAN_EID_HT_OPERATION: +- if (pos > end - +- sizeof(struct ieee80211_ht_operation) - 2) +- return; +- if (pos[1] != sizeof(struct ieee80211_ht_operation)) ++ if (ie_len != sizeof(struct ieee80211_ht_operation)) + return; + /* copy the ie's value into ht_oper*/ + memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2, + sizeof(struct ieee80211_ht_operation)); + break; + case WLAN_EID_BSS_COEX_2040: +- if (pos > end - 3) +- return; +- if (pos[1] != 1) ++ if (ie_len != sizeof(pos[2])) + return; + sta_ptr->tdls_cap.coex_2040 = pos[2]; + break; + case WLAN_EID_EXT_CAPABILITY: +- if (pos > end - sizeof(struct ieee_types_header)) +- return; +- if (pos[1] < sizeof(struct ieee_types_header)) ++ if (ie_len < sizeof(struct ieee_types_header)) + return; +- if (pos[1] > 8) ++ if (ie_len > 8) + return; + memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos, + sizeof(struct ieee_types_header) + +- min_t(u8, pos[1], 8)); ++ min_t(u8, ie_len, 8)); + break; + case WLAN_EID_RSN: +- if (pos > end - sizeof(struct ieee_types_header)) ++ if (ie_len < sizeof(struct ieee_types_header)) + return; +- if (pos[1] < sizeof(struct ieee_types_header)) +- return; +- if (pos[1] > IEEE_MAX_IE_SIZE - ++ if (ie_len > IEEE_MAX_IE_SIZE - + sizeof(struct ieee_types_header)) + return; + memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos, + sizeof(struct ieee_types_header) + +- min_t(u8, pos[1], IEEE_MAX_IE_SIZE - ++ min_t(u8, ie_len, IEEE_MAX_IE_SIZE - + sizeof(struct ieee_types_header))); + break; + case WLAN_EID_QOS_CAPA: +- if (pos > end - 3) +- return; +- if (pos[1] != 1) ++ if (ie_len != sizeof(pos[2])) + return; + sta_ptr->tdls_cap.qos_info = pos[2]; + break; + case WLAN_EID_VHT_OPERATION: + if (priv->adapter->is_hw_11ac_capable) { +- if (pos > end - +- sizeof(struct ieee80211_vht_operation) - 2) +- return; +- if (pos[1] != ++ if (ie_len != + sizeof(struct ieee80211_vht_operation)) + return; + /* copy the ie's value into vhtoper*/ +@@ -1043,10 +1029,7 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, + break; + case WLAN_EID_VHT_CAPABILITY: + if (priv->adapter->is_hw_11ac_capable) { +- if (pos > end - +- sizeof(struct ieee80211_vht_cap) - 2) +- return; +- if (pos[1] != sizeof(struct ieee80211_vht_cap)) ++ if (ie_len != sizeof(struct ieee80211_vht_cap)) + return; + /* copy the ie's value into vhtcap*/ + memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2, +@@ -1056,9 +1039,7 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, + break; + case WLAN_EID_AID: + if (priv->adapter->is_hw_11ac_capable) { +- if (pos > end - 4) +- return; +- if (pos[1] != 2) ++ if (ie_len != sizeof(u16)) + return; + sta_ptr->tdls_cap.aid = + get_unaligned_le16((pos + 2)); +-- +2.16.4 + diff --git a/patches.suse/mwifiex-fix-unbalanced-locking-in-mwifiex_process_co.patch b/patches.suse/mwifiex-fix-unbalanced-locking-in-mwifiex_process_co.patch new file mode 100644 index 0000000..f9dd695 --- /dev/null +++ b/patches.suse/mwifiex-fix-unbalanced-locking-in-mwifiex_process_co.patch @@ -0,0 +1,40 @@ +From 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 6 Jan 2020 14:42:12 -0800 +Subject: [PATCH] mwifiex: fix unbalanced locking in + mwifiex_process_country_ie() +Git-commit: 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c +Patch-mainline: v5.6-rc1 +References: CVE-2019-14895 bsc#1157158 + +We called rcu_read_lock(), so we need to call rcu_read_unlock() before +we return. + +Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()") +Cc: stable@vger.kernel.org +Cc: huangwen +Cc: Ganapathi Bhat +Signed-off-by: Brian Norris +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +index 6dd835f1efc2..fbfa0b15d0c8 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +@@ -232,6 +232,7 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv, + + if (country_ie_len > + (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) { ++ rcu_read_unlock(); + mwifiex_dbg(priv->adapter, ERROR, + "11D: country_ie_len overflow!, deauth AP\n"); + return -EINVAL; +-- +2.16.4 + diff --git a/patches.suse/mwifiex-update-set_mac_address-logic.patch b/patches.suse/mwifiex-update-set_mac_address-logic.patch new file mode 100644 index 0000000..79bd791 --- /dev/null +++ b/patches.suse/mwifiex-update-set_mac_address-logic.patch @@ -0,0 +1,45 @@ +From 7afb94da3cd8a28ed7ae268143117bf1ac8a3371 Mon Sep 17 00:00:00 2001 +From: Sharvari Harisangam +Date: Wed, 12 Jun 2019 20:42:11 +0530 +Subject: [PATCH] mwifiex: update set_mac_address logic +Git-commit: 7afb94da3cd8a28ed7ae268143117bf1ac8a3371 +Patch-mainline: v5.3-rc1 +References: bsc#1111666 + +In set_mac_address, driver check for interfaces with same bss_type +For first STA entry, this would return 3 interfaces since all priv's have +bss_type as 0 due to kzalloc. Thus mac address gets changed for STA +unexpected. This patch adds check for first STA and avoids mac address +change. This patch also adds mac_address change for p2p based on bss_num +type. + +Signed-off-by: Sharvari Harisangam +Signed-off-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/marvell/mwifiex/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c +index f6da8edab7f1..4c14b4865367 100644 +--- a/drivers/net/wireless/marvell/mwifiex/main.c ++++ b/drivers/net/wireless/marvell/mwifiex/main.c +@@ -960,10 +960,10 @@ int mwifiex_set_mac_address(struct mwifiex_private *priv, + + mac_addr = old_mac_addr; + +- if (priv->bss_type == MWIFIEX_BSS_TYPE_P2P) ++ if (priv->bss_type == MWIFIEX_BSS_TYPE_P2P) { + mac_addr |= BIT_ULL(MWIFIEX_MAC_LOCAL_ADMIN_BIT); +- +- if (mwifiex_get_intf_num(priv->adapter, priv->bss_type) > 1) { ++ mac_addr += priv->bss_num; ++ } else if (priv->adapter->priv[0] != priv) { + /* Set mac address based on bss_type/bss_num */ + mac_addr ^= BIT_ULL(priv->bss_type + 8); + mac_addr += priv->bss_num; +-- +2.16.4 + diff --git a/patches.suse/namei-only-return-ECHILD-from-follow_dotdot_rcu.patch b/patches.suse/namei-only-return-ECHILD-from-follow_dotdot_rcu.patch new file mode 100644 index 0000000..a30efb9 --- /dev/null +++ b/patches.suse/namei-only-return-ECHILD-from-follow_dotdot_rcu.patch @@ -0,0 +1,45 @@ +From 2b98149c2377bff12be5dd3ce02ae0506e2dd613 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Sat, 7 Dec 2019 01:13:26 +1100 +Subject: [PATCH] namei: only return -ECHILD from follow_dotdot_rcu() +Git-commit: 2b98149c2377bff12be5dd3ce02ae0506e2dd613 +Patch-mainline: v5.6-rc1 +References: bsc#1163851 + +It's over-zealous to return hard errors under RCU-walk here, given that +a REF-walk will be triggered for all other cases handling ".." under +RCU. + +The original purpose of this check was to ensure that if a rename occurs +such that a directory is moved outside of the bind-mount which the +resolution started in, it would be detected and blocked to avoid being +able to mess with paths outside of the bind-mount. However, triggering a +new REF-walk is just as effective a solution. + +Cc: "Eric W. Biederman" +Fixes: 397d425dc26d ("vfs: Test for and handle paths that are unreachable from their mnt_root") +Suggested-by: Al Viro +Signed-off-by: Aleksa Sarai +Signed-off-by: Al Viro +Acked-by: Jan Kara + +--- + fs/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/namei.c b/fs/namei.c +index d6c91d1e88cb..17ebaac2da49 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1365,7 +1365,7 @@ static int follow_dotdot_rcu(struct nameidata *nd) + nd->path.dentry = parent; + nd->seq = seq; + if (unlikely(!path_connected(&nd->path))) +- return -ENOENT; ++ return -ECHILD; + break; + } else { + struct mount *mnt = real_mount(nd->path.mnt); +-- +2.16.4 + diff --git a/patches.suse/net-add-extack-arg-to-lwtunnel-build-state.patch b/patches.suse/net-add-extack-arg-to-lwtunnel-build-state.patch index cf9329e..ee037cb 100644 --- a/patches.suse/net-add-extack-arg-to-lwtunnel-build-state.patch +++ b/patches.suse/net-add-extack-arg-to-lwtunnel-build-state.patch @@ -29,9 +29,9 @@ Acked-by: Thomas Bogendoerfer --- a/include/linux/netlink.h +++ b/include/linux/netlink.h -@@ -97,6 +97,16 @@ struct netlink_ext_ack { - #define NL_SET_ERR_MSG_MOD(extack, msg) \ - NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg) +@@ -102,6 +102,16 @@ struct netlink_ext_ack { + (extack)->bad_attr = (attr); \ + } while (0) +#define NL_SET_ERR_MSG_ATTR(extack, attr, msg) do { \ + static const char __msg[] = (msg); \ diff --git a/patches.suse/net-add-sendmsg_locked-and-sendpage_locked-to-af_ine.patch b/patches.suse/net-add-sendmsg_locked-and-sendpage_locked-to-af_ine.patch new file mode 100644 index 0000000..2532163 --- /dev/null +++ b/patches.suse/net-add-sendmsg_locked-and-sendpage_locked-to-af_ine.patch @@ -0,0 +1,29 @@ +From: John Fastabend +Date: Tue, 15 Aug 2017 22:31:10 -0700 +Subject: net: add sendmsg_locked and sendpage_locked to af_inet6 +Patch-mainline: v4.14-rc1 +Git-commit: 45f91bdcd5c5ba559a4bb7c3a0e0709476cf570f +References: bsc#1144162 + +To complete the sendmsg_locked and sendpage_locked implementation add +the hooks for af_inet6 as well. + +Signed-off-by: John Fastabend +Signed-off-by: David S. Miller +Acked-by: Michal Kubecek + +--- + net/ipv6/af_inet6.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -596,6 +596,8 @@ const struct proto_ops inet6_stream_ops = { + .recvmsg = inet_recvmsg, /* ok */ + .mmap = sock_no_mmap, + .sendpage = inet_sendpage, ++ .sendmsg_locked = tcp_sendmsg_locked, ++ .sendpage_locked = tcp_sendpage_locked, + .splice_read = tcp_splice_read, + .read_sock = tcp_read_sock, + .peek_len = tcp_peek_len, diff --git a/patches.suse/net-dst-Force-4-byte-alignment-of-dst_metrics.patch b/patches.suse/net-dst-Force-4-byte-alignment-of-dst_metrics.patch new file mode 100644 index 0000000..1d02dbf --- /dev/null +++ b/patches.suse/net-dst-Force-4-byte-alignment-of-dst_metrics.patch @@ -0,0 +1,58 @@ +From: Geert Uytterhoeven +Date: Fri, 20 Dec 2019 14:31:40 +0100 +Subject: net: dst: Force 4-byte alignment of dst_metrics +Git-commit: 258a980d1ec23e2c786e9536a7dd260bea74bae6 +Patch-mainline: 5.5-rc3 +References: networking-stable-19_12_28 + +When storing a pointer to a dst_metrics structure in dst_entry._metrics, +two flags are added in the least significant bits of the pointer value. +Hence this assumes all pointers to dst_metrics structures have at least +4-byte alignment. + +However, on m68k, the minimum alignment of 32-bit values is 2 bytes, not +4 bytes. Hence in some kernel builds, dst_default_metrics may be only +2-byte aligned, leading to obscure boot warnings like: + + WARNING: CPU: 0 PID: 7 at lib/refcount.c:28 refcount_warn_saturate+0x44/0x9a + refcount_t: underflow; use-after-free. + Modules linked in: + CPU: 0 PID: 7 Comm: ksoftirqd/0 Tainted: G W 5.5.0-rc2-atari-01448-g114a1a1038af891d-dirty #261 + Stack from 10835e6c: + 10835e6c 0038134f 00023fa6 00394b0f 0000001c 00000009 00321560 00023fea + 00394b0f 0000001c 001a70f8 00000009 00000000 10835eb4 00000001 00000000 + 04208040 0000000a 00394b4a 10835ed4 00043aa8 001a70f8 00394b0f 0000001c + 00000009 00394b4a 0026aba8 003215a4 00000003 00000000 0026d5a8 00000001 + 003215a4 003a4361 003238d6 000001f0 00000000 003215a4 10aa3b00 00025e84 + 003ddb00 10834000 002416a8 10aa3b00 00000000 00000080 000aa038 0004854a + Call Trace: [<00023fa6>] __warn+0xb2/0xb4 + [<00023fea>] warn_slowpath_fmt+0x42/0x64 + [<001a70f8>] refcount_warn_saturate+0x44/0x9a + [<00043aa8>] printk+0x0/0x18 + [<001a70f8>] refcount_warn_saturate+0x44/0x9a + [<0026aba8>] refcount_sub_and_test.constprop.73+0x38/0x3e + [<0026d5a8>] ipv4_dst_destroy+0x5e/0x7e + [<00025e84>] __local_bh_enable_ip+0x0/0x8e + [<002416a8>] dst_destroy+0x40/0xae + +Fix this by forcing 4-byte alignment of all dst_metrics structures. + +Fixes: e5fd387ad5b30ca3 ("ipv6: do not overwrite inetpeer metrics prematurely") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + include/net/dst.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -108,7 +108,7 @@ struct dst_entry { + struct dst_metrics { + u32 metrics[RTAX_MAX]; + atomic_t refcnt; +-}; ++} __aligned(4); /* Low pointer bits contain DST_METRICS_FLAGS */ + extern const struct dst_metrics dst_default_metrics; + + u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old); diff --git a/patches.suse/net-ena-fix-napi-handler-misbehavior-when-the-napi-b.patch b/patches.suse/net-ena-fix-napi-handler-misbehavior-when-the-napi-b.patch new file mode 100644 index 0000000..512e329 --- /dev/null +++ b/patches.suse/net-ena-fix-napi-handler-misbehavior-when-the-napi-b.patch @@ -0,0 +1,52 @@ +From: Netanel Belgazal +Date: Tue, 10 Dec 2019 11:27:44 +0000 +Subject: net: ena: fix napi handler misbehavior when the napi budget is zero +Git-commit: 24dee0c7478d1a1e00abdf5625b7f921467325dc +Patch-mainline: 5.5-rc3 +References: networking-stable-20_01_01 + +In netpoll the napi handler could be called with budget equal to zero. +Current ENA napi handler doesn't take that into consideration. + +The napi handler handles Rx packets in a do-while loop. +Currently, the budget check happens only after decrementing the +budget, therefore the napi handler, in rare cases, could run over +MAX_INT packets. + +In addition to that, this moves all budget related variables to int +calculation and stop mixing u32 to avoid ambiguity + +Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -1226,8 +1226,8 @@ static int ena_io_poll(struct napi_struc + struct ena_napi *ena_napi = container_of(napi, struct ena_napi, napi); + struct ena_ring *tx_ring, *rx_ring; + +- u32 tx_work_done; +- u32 rx_work_done; ++ int tx_work_done; ++ int rx_work_done = 0; + int tx_budget; + int napi_comp_call = 0; + int ret; +@@ -1244,7 +1244,11 @@ static int ena_io_poll(struct napi_struc + } + + tx_work_done = ena_clean_tx_irq(tx_ring, tx_budget); +- rx_work_done = ena_clean_rx_irq(rx_ring, napi, budget); ++ /* On netpoll the budget is zero and the handler should only clean the ++ * tx completions. ++ */ ++ if (likely(budget)) ++ rx_work_done = ena_clean_rx_irq(rx_ring, napi, budget); + + /* If the device is about to reset or down, avoid unmask + * the interrupt and return 0 so NAPI won't reschedule diff --git a/patches.suse/net-hisilicon-Fix-a-BUG-trigered-by-wrong-bytes_comp.patch b/patches.suse/net-hisilicon-Fix-a-BUG-trigered-by-wrong-bytes_comp.patch new file mode 100644 index 0000000..8e8a924 --- /dev/null +++ b/patches.suse/net-hisilicon-Fix-a-BUG-trigered-by-wrong-bytes_comp.patch @@ -0,0 +1,88 @@ +From: Jiangfeng Xiao +Date: Thu, 19 Dec 2019 10:08:07 +0800 +Subject: net: hisilicon: Fix a BUG trigered by wrong bytes_compl +Git-commit: 90b3b339364c76baa2436445401ea9ade040c216 +Patch-mainline: 5.5-rc3 +References: networking-stable-19_12_28 + +When doing stress test, we get the following trace: +kernel BUG at lib/dynamic_queue_limits.c:26! +Internal error: Oops - BUG: 0 [#1] SMP ARM +Modules linked in: hip04_eth +CPU: 0 PID: 2003 Comm: tDblStackPcap0 Tainted: G O L 4.4.197 #1 +Hardware name: Hisilicon A15 +task: c3637668 task.stack: de3bc000 +PC is at dql_completed+0x18/0x154 +LR is at hip04_tx_reclaim+0x110/0x174 [hip04_eth] +pc : [] lr : [] psr: 800f0313 +sp : de3bdc2c ip : 00000000 fp : c020fb10 +r10: 00000000 r9 : c39b4224 r8 : 00000001 +r7 : 00000046 r6 : c39b4000 r5 : 0078f392 r4 : 0078f392 +r3 : 00000047 r2 : 00000000 r1 : 00000046 r0 : df5d5c80 +Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 32c5387d Table: 1e189b80 DAC: 55555555 +Process tDblStackPcap0 (pid: 2003, stack limit = 0xde3bc190) +Stack: (0xde3bdc2c to 0xde3be000) +[] (dql_completed) from [] (hip04_tx_reclaim+0x110/0x174 [hip04_eth]) +[] (hip04_tx_reclaim [hip04_eth]) from [] (hip04_rx_poll+0x20/0x388 [hip04_eth]) +[] (hip04_rx_poll [hip04_eth]) from [] (net_rx_action+0x120/0x374) +[] (net_rx_action) from [] (__do_softirq+0x218/0x318) +[] (__do_softirq) from [] (irq_exit+0x88/0xac) +[] (irq_exit) from [] (msa_irq_exit+0x11c/0x1d4) +[] (msa_irq_exit) from [] (__handle_domain_irq+0x110/0x148) +[] (__handle_domain_irq) from [] (gic_handle_irq+0xd4/0x118) +[] (gic_handle_irq) from [] (__irq_svc+0x40/0x58) +Exception stack(0xde3bdde0 to 0xde3bde28) +dde0: 00000000 00008001 c3637668 00000000 00000000 a00f0213 dd3627a0 c0af6380 +de00: c086d380 a00f0213 c0a22a50 de3bde6c 00000002 de3bde30 c0558138 c055813c +de20: 600f0213 ffffffff +[] (__irq_svc) from [] (_raw_spin_unlock_irqrestore+0x44/0x54) +Kernel panic - not syncing: Fatal exception in interrupt + +Pre-modification code: +int hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev) +{ +[...] +[1] priv->tx_head = TX_NEXT(tx_head); +[2] count++; +[3] netdev_sent_queue(ndev, skb->len); +[...] +} +An rx interrupt occurs if hip04_mac_start_xmit just executes to the line 2, +tx_head has been updated, but corresponding 'skb->len' has not been +added to dql_queue. + +And then +hip04_mac_interrupt->__napi_schedule->hip04_rx_poll->hip04_tx_reclaim + +In hip04_tx_reclaim, because tx_head has been updated, +bytes_compl will plus an additional "skb-> len" +which has not been added to dql_queue. And then +trigger the BUG_ON(bytes_compl > num_queued - dql->num_completed). + +To solve the problem described above, we put +"netdev_sent_queue(ndev, skb->len);" +before +"priv->tx_head = TX_NEXT(tx_head);" + +Fixes: a41ea46a9a12 ("net: hisilicon: new hip04 ethernet driver") +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -454,9 +454,9 @@ static int hip04_mac_start_xmit(struct s + skb_tx_timestamp(skb); + + hip04_set_xmit_desc(priv, phys); +- priv->tx_head = TX_NEXT(tx_head); + count++; + netdev_sent_queue(ndev, skb->len); ++ priv->tx_head = TX_NEXT(tx_head); + + stats->tx_bytes += skb->len; + stats->tx_packets++; diff --git a/patches.suse/net-ipv4-Add-extack-messages-for-route-add-failures.patch b/patches.suse/net-ipv4-Add-extack-messages-for-route-add-failures.patch new file mode 100644 index 0000000..0b78e9a --- /dev/null +++ b/patches.suse/net-ipv4-Add-extack-messages-for-route-add-failures.patch @@ -0,0 +1,33 @@ +From: David Ahern +Date: Sun, 21 May 2017 10:12:03 -0600 +Subject: [PATCH] net: ipv4: Add extack messages for route add failures +Patch-mainline: v4.13-rc1 +Git-commit: c3ab2b4ec8f7c0700bf10957171c479bf3dbca52 (partial) +References: bsc#1152107 CVE-2019-16746 + +Add messages for non-obvious errors (e.g, no need to add text for malloc +failures or ENODEV failures). This mostly covers the annoying EINVAL errors +Some message strings violate the 80-columns but searchable strings need to +trump that rule. + +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Acked-by: Cho, Yu-Chen +--- + include/linux/netlink.h | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/include/linux/netlink.h ++++ b/include/linux/netlink.h +@@ -97,6 +97,11 @@ struct netlink_ext_ack { + #define NL_SET_ERR_MSG_MOD(extack, msg) \ + NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg) + ++#define NL_SET_BAD_ATTR(extack, attr) do { \ ++ if ((extack)) \ ++ (extack)->bad_attr = (attr); \ ++} while (0) ++ + extern void netlink_kernel_release(struct sock *sk); + extern int __netlink_change_ngroups(struct sock *sk, unsigned int groups); + extern int netlink_change_ngroups(struct sock *sk, unsigned int groups); diff --git a/patches.suse/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-b.patch b/patches.suse/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-b.patch new file mode 100644 index 0000000..2ce3bbc --- /dev/null +++ b/patches.suse/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-b.patch @@ -0,0 +1,44 @@ +From: Jia-Ju Bai +Date: Wed, 18 Dec 2019 17:21:55 +0800 +Subject: net: nfc: nci: fix a possible sleep-in-atomic-context bug in + nci_uart_tty_receive() +Git-commit: b7ac893652cafadcf669f78452329727e4e255cc +Patch-mainline: 5.5-rc3 +References: networking-stable-19_12_28 + +The kernel may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +net/nfc/nci/uart.c, 349: + nci_skb_alloc in nci_uart_default_recv_buf +net/nfc/nci/uart.c, 255: + (FUNC_PTR)nci_uart_default_recv_buf in nci_uart_tty_receive +net/nfc/nci/uart.c, 254: + spin_lock in nci_uart_tty_receive + +nci_skb_alloc(GFP_KERNEL) can sleep at runtime. +(FUNC_PTR) means a function pointer is called. + +To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC for +nci_skb_alloc(). + +This bug is found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/nfc/nci/uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/nfc/nci/uart.c ++++ b/net/nfc/nci/uart.c +@@ -348,7 +348,7 @@ static int nci_uart_default_recv_buf(str + nu->rx_packet_len = -1; + nu->rx_skb = nci_skb_alloc(nu->ndev, + NCI_MAX_PACKET_SIZE, +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!nu->rx_skb) + return -ENOMEM; + } diff --git a/patches.suse/net-qlogic-Fix-error-paths-in-ql_alloc_large_buffers.patch b/patches.suse/net-qlogic-Fix-error-paths-in-ql_alloc_large_buffers.patch new file mode 100644 index 0000000..dd7c2bc --- /dev/null +++ b/patches.suse/net-qlogic-Fix-error-paths-in-ql_alloc_large_buffers.patch @@ -0,0 +1,74 @@ +From: Ben Hutchings +Date: Tue, 17 Dec 2019 01:57:40 +0000 +Subject: net: qlogic: Fix error paths in ql_alloc_large_buffers() +Git-commit: cad46039e4c99812db067c8ac22a864960e7acc4 +Patch-mainline: 5.5-rc3 +References: networking-stable-19_12_28 + +ql_alloc_large_buffers() has the usual RX buffer allocation +loop where it allocates skbs and maps them for DMA. It also +treats failure as a fatal error. + +There are (at least) three bugs in the error paths: + +1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the +first buffer that couldn't be allocated will have .skb == NULL. +But the qla_buf[] array is not zero-initialised. + +2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[]. This is +incorrect for the last allocated skb, if DMA mapping failed. + +3. Commit 1acb8f2a7a9f ("net: qlogic: Fix memory leak in +ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any() +after the skb is recorded in lrg_buf[], so ql_free_large_buffers() +will double-free it. + +The bugs are somewhat inter-twined, so fix them all at once: + +* Clear each entry in qla_buf[] before attempting to allocate + an skb for it. This goes half-way to fixing bug 1. +* Set the .skb field only after the skb is DMA-mapped. This + fixes the rest. + +Fixes: 1357bfcf7106 ("qla3xxx: Dynamically size the rx buffer queue ...") +Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() ...") +Fixes: 1acb8f2a7a9f ("net: qlogic: Fix memory leak in ql_alloc_large_buffers") +Signed-off-by: Ben Hutchings +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -2758,6 +2758,9 @@ static int ql_alloc_large_buffers(struct + int err; + + for (i = 0; i < qdev->num_large_buffers; i++) { ++ lrg_buf_cb = &qdev->lrg_buf[i]; ++ memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb)); ++ + skb = netdev_alloc_skb(qdev->ndev, + qdev->lrg_buffer_len); + if (unlikely(!skb)) { +@@ -2768,11 +2771,7 @@ static int ql_alloc_large_buffers(struct + ql_free_large_buffers(qdev); + return -ENOMEM; + } else { +- +- lrg_buf_cb = &qdev->lrg_buf[i]; +- memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb)); + lrg_buf_cb->index = i; +- lrg_buf_cb->skb = skb; + /* + * We save some space to copy the ethhdr from first + * buffer +@@ -2794,6 +2793,7 @@ static int ql_alloc_large_buffers(struct + return -ENOMEM; + } + ++ lrg_buf_cb->skb = skb; + dma_unmap_addr_set(lrg_buf_cb, mapaddr, map); + dma_unmap_len_set(lrg_buf_cb, maplen, + qdev->lrg_buffer_len - diff --git a/patches.suse/net-sched-correct-flower-port-blocking.patch b/patches.suse/net-sched-correct-flower-port-blocking.patch new file mode 100644 index 0000000..375a785 --- /dev/null +++ b/patches.suse/net-sched-correct-flower-port-blocking.patch @@ -0,0 +1,65 @@ +From: Jason Baron +Date: Mon, 17 Feb 2020 15:38:09 -0500 +Subject: net: sched: correct flower port blocking +Git-commit: 8a9093c79863b58cc2f9874d7ae788f0d622a596 +Patch-mainline: 5.6-rc3 +References: git-fixes + +tc flower rules that are based on src or dst port blocking are sometimes +ineffective due to uninitialized stack data. __skb_flow_dissect() extracts +ports from the skb for tc flower to match against. However, the port +dissection is not done when when the FLOW_DIS_IS_FRAGMENT bit is set in +key_control->flags. All callers of __skb_flow_dissect(), zero-out the +key_control field except for fl_classify() as used by the flower +classifier. Thus, the FLOW_DIS_IS_FRAGMENT may be set on entry to +__skb_flow_dissect(), since key_control is allocated on the stack +and may not be initialized. + +Since key_basic and key_control are present for all flow keys, let's +make sure they are initialized. + +Fixes: 62230715fd24 ("flow_dissector: do not dissect l4 ports for fragments") +Co-developed-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Acked-by: Cong Wang +Signed-off-by: Jason Baron +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + include/net/flow_dissector.h | 9 +++++++++ + net/sched/cls_flower.c | 1 + + 2 files changed, 10 insertions(+) + +--- a/include/net/flow_dissector.h ++++ b/include/net/flow_dissector.h +@@ -3,6 +3,7 @@ + + #include + #include ++#include + #include + + /** +@@ -272,4 +273,12 @@ static inline void *skb_flow_dissector_t + return ((char *)target_container) + flow_dissector->offset[key_id]; + } + ++static inline void ++flow_dissector_init_keys(struct flow_dissector_key_control *key_control, ++ struct flow_dissector_key_basic *key_basic) ++{ ++ memset(key_control, 0, sizeof(*key_control)); ++ memset(key_basic, 0, sizeof(*key_basic)); ++} ++ + #endif +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -157,6 +157,7 @@ static int fl_classify(struct sk_buff *s + struct fl_flow_key skb_mkey; + + list_for_each_entry_rcu(mask, &head->masks, list) { ++ flow_dissector_init_keys(&skb_key.control, &skb_key.basic); + fl_clear_masked_range(&skb_key, mask); + + skb_key.indev_ifindex = skb->skb_iif; diff --git a/patches.suse/net-usb-lan78xx-Fix-suspend-resume-PHY-register-acce.patch b/patches.suse/net-usb-lan78xx-Fix-suspend-resume-PHY-register-acce.patch new file mode 100644 index 0000000..2a6c59c --- /dev/null +++ b/patches.suse/net-usb-lan78xx-Fix-suspend-resume-PHY-register-acce.patch @@ -0,0 +1,32 @@ +From: Cristian Birsan +Date: Thu, 12 Dec 2019 13:52:47 +0200 +Subject: net: usb: lan78xx: Fix suspend/resume PHY register access error +Git-commit: 20032b63586ac6c28c936dff696981159913a13f +Patch-mainline: 5.5-rc3 +References: networking-stable-19_12_28 + +Lan78xx driver accesses the PHY registers through MDIO bus over USB +connection. When performing a suspend/resume, the PHY registers can be +accessed before the USB connection is resumed. This will generate an +error and will prevent the device to resume correctly. +This patch adds the dependency between the MDIO bus and USB device to +allow correct handling of suspend/resume. + +Fixes: ce85e13ad6ef ("lan78xx: Update to use phylib instead of mii_if_info.") +Signed-off-by: Cristian Birsan +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/usb/lan78xx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -1765,6 +1765,7 @@ static int lan78xx_mdio_init(struct lan7 + dev->mdiobus->read = lan78xx_mdiobus_read; + dev->mdiobus->write = lan78xx_mdiobus_write; + dev->mdiobus->name = "lan78xx-mdiobus"; ++ dev->mdiobus->parent = &dev->udev->dev; + + snprintf(dev->mdiobus->id, MII_BUS_ID_SIZE, "usb-%03d:%03d", + dev->udev->bus->busnum, dev->udev->devnum); diff --git a/patches.suse/netlink-Return-extack-message-if-attribute-validatio.patch b/patches.suse/netlink-Return-extack-message-if-attribute-validatio.patch new file mode 100644 index 0000000..4ff9e47 --- /dev/null +++ b/patches.suse/netlink-Return-extack-message-if-attribute-validatio.patch @@ -0,0 +1,29 @@ +From: David Ahern +Date: Tue, 26 Jun 2018 12:39:18 -0700 +Subject: [PATCH] netlink: Return extack message if attribute validation fails +Patch-mainline: v4.19-rc1 +Git-commit: 7861552cedd81a164c0d5d1c89fe2cb45a3ed41b +References: bsc#1152107 CVE-2019-16746 + +Have one extack message for parsing and validating. + +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Acked-by: Cho, Yu-Chen +--- + lib/nlattr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -229,8 +229,8 @@ int nla_parse(struct nlattr **tb, int ma + if (policy) { + err = validate_nla(nla, maxtype, policy); + if (err < 0) { +- if (extack) +- extack->bad_attr = nla; ++ NL_SET_ERR_MSG_ATTR(extack, nla, ++ "Attribute failed policy validation"); + goto errout; + } + } diff --git a/patches.suse/netlink-add-NLA_REJECT-policy-type.patch b/patches.suse/netlink-add-NLA_REJECT-policy-type.patch new file mode 100644 index 0000000..217b631 --- /dev/null +++ b/patches.suse/netlink-add-NLA_REJECT-policy-type.patch @@ -0,0 +1,125 @@ +From: Johannes Berg +Date: Mon, 17 Sep 2018 11:57:28 +0200 +Subject: [PATCH] netlink: add NLA_REJECT policy type +Patch-mainline: v4.20-rc1 +Git-commit: 568b742a9d9888aca876b6ad9fa45490f18bee0a +References: bsc#1152107 CVE-2019-16746 + +In some situations some netlink attributes may be used for output +only (kernel->userspace) or may be reserved for future use. It's +then helpful to be able to prevent userspace from using them in +messages sent to the kernel, since they'd otherwise be ignored and +any future will become impossible if this happens. + +Add NLA_REJECT to the policy which does nothing but reject (with +EINVAL) validation of any messages containing this attribute. +Allow for returning a specific extended ACK error message in the +validation_data pointer. + +While at it clear up the documentation a bit - the NLA_BITFIELD32 +documentation was added to the list of len field descriptions. + +Also, use NL_SET_BAD_ATTR() in one place where it's open-coded. + +The specific case I have in mind now is a shared nested attribute +containing request/response data, and it would be pointless and +potentially confusing to have userspace include response data in +the messages that actually contain a request. + +Signed-off-by: Johannes Berg +Reviewed-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Acked-by: Cho, Yu-Chen +--- + include/net/netlink.h | 13 ++++++++++++- + lib/nlattr.c | 23 ++++++++++++++++------- + 2 files changed, 28 insertions(+), 8 deletions(-) + +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -179,6 +179,7 @@ enum { + NLA_S32, + NLA_S64, + NLA_BITFIELD32, ++ NLA_REJECT, + __NLA_TYPE_MAX, + }; + +@@ -207,9 +208,19 @@ enum { + * NLA_MSECS Leaving the length field zero will verify the + * given type fits, using it verifies minimum length + * just like "All other" +- * NLA_BITFIELD32 A 32-bit bitmap/bitselector attribute ++ * NLA_BITFIELD32 Unused ++ * NLA_REJECT Unused + * All other Minimum length of attribute payload + * ++ * Meaning of `validation_data' field: ++ * NLA_BITFIELD32 This is a 32-bit bitmap/bitselector attribute and ++ * validation data must point to a u32 value of valid ++ * flags ++ * NLA_REJECT This attribute is always rejected and validation data ++ * may point to a string to report as the error instead ++ * of the generic one in extended ACK. ++ * All other Unused ++ * + * Example: + * static const struct nla_policy my_policy[ATTR_MAX+1] = { + * [ATTR_FOO] = { .type = NLA_U16 }, +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -52,7 +52,8 @@ static int validate_nla_bitfield32(const + } + + static int validate_nla(const struct nlattr *nla, int maxtype, +- const struct nla_policy *policy) ++ const struct nla_policy *policy, ++ const char **error_msg) + { + const struct nla_policy *pt; + int minlen = 0, attrlen = nla_len(nla), type = nla_type(nla); +@@ -65,6 +66,11 @@ static int validate_nla(const struct nla + BUG_ON(pt->type > NLA_TYPE_MAX); + + switch (pt->type) { ++ case NLA_REJECT: ++ if (pt->validation_data && error_msg) ++ *error_msg = pt->validation_data; ++ return -EINVAL; ++ + case NLA_FLAG: + if (attrlen > 0) + return -ERANGE; +@@ -158,11 +164,10 @@ int nla_validate(const struct nlattr *he + int rem; + + nla_for_each_attr(nla, head, len, rem) { +- int err = validate_nla(nla, maxtype, policy); ++ int err = validate_nla(nla, maxtype, policy, NULL); + + if (err < 0) { +- if (extack) +- extack->bad_attr = nla; ++ NL_SET_BAD_ATTR(extack, nla); + return err; + } + } +@@ -226,11 +231,15 @@ int nla_parse(struct nlattr **tb, int ma + u16 type = nla_type(nla); + + if (type > 0 && type <= maxtype) { ++ static const char _msg[] = "Attribute failed policy validation"; ++ const char *msg = _msg; ++ + if (policy) { +- err = validate_nla(nla, maxtype, policy); ++ err = validate_nla(nla, maxtype, policy, &msg); + if (err < 0) { +- NL_SET_ERR_MSG_ATTR(extack, nla, +- "Attribute failed policy validation"); ++ NL_SET_BAD_ATTR(extack, nla); ++ if (extack) ++ extack->_msg = msg; + goto errout; + } + } diff --git a/patches.suse/netlink-add-attribute-range-validation-to-policy.patch b/patches.suse/netlink-add-attribute-range-validation-to-policy.patch new file mode 100644 index 0000000..b5f71b1 --- /dev/null +++ b/patches.suse/netlink-add-attribute-range-validation-to-policy.patch @@ -0,0 +1,226 @@ +From: Johannes Berg +Date: Thu, 27 Sep 2018 11:28:35 +0200 +Subject: [PATCH] netlink: add attribute range validation to policy +Patch-mainline: v4.20-rc1 +Git-commit: 3e48be05f3c7eb6f6126939e9d957903c5cfeee5 +References: bsc#1152107 CVE-2019-16746 + +Without further bloating the policy structs, we can overload +the `validation_data' pointer with a struct of s16 min, max +and use those to validate ranges in NLA_{U,S}{8,16,32,64} +attributes. + +It may sound strange to validate NLA_U32 with a s16 max, but +in many cases NLA_U32 is used for enums etc. since there's no +size benefit in using a smaller attribute width anyway, due +to netlink attribute alignment; in cases like that it's still +useful, particularly when the attribute really transports an +enum value. + +Doing so lets us remove quite a bit of validation code, if we +can be sure that these attributes aren't used by userspace in +places where they're ignored today. + +To achieve all this, split the 'type' field and introduce a +new 'validation_type' field which indicates what further +validation (beyond the validation prescribed by the type of +the attribute) is done. This currently allows for no further +validation (the default), as well as min, max and range checks. + +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Acked-by: Cho, Yu-Chen +--- + include/net/netlink.h | 67 ++++++++++++++++++++++++++++++++++++++++++++-- + lib/nlattr.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 136 insertions(+), 3 deletions(-) + +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -186,9 +186,19 @@ enum { + + #define NLA_TYPE_MAX (__NLA_TYPE_MAX - 1) + ++enum nla_policy_validation { ++ NLA_VALIDATE_NONE, ++ NLA_VALIDATE_RANGE, ++ NLA_VALIDATE_MIN, ++ NLA_VALIDATE_MAX, ++}; ++ + /** + * struct nla_policy - attribute validation policy + * @type: Type of attribute or NLA_UNSPEC ++ * @validation_type: type of attribute validation done in addition to ++ * type-specific validation (e.g. range), see ++ * &enum nla_policy_validation + * @len: Type specific length of payload + * + * Policies are defined as arrays of this struct, the array must be +@@ -233,7 +243,26 @@ enum { + * nested attributes directly inside, while an array has + * the nested attributes at another level down and the + * attributes directly in the nesting don't matter. +- * All other Unused ++ * All other Unused - but note that it's a union ++ * ++ * Meaning of `min' and `max' fields, use via NLA_POLICY_MIN, NLA_POLICY_MAX ++ * and NLA_POLICY_RANGE: ++ * NLA_U8, ++ * NLA_U16, ++ * NLA_U32, ++ * NLA_U64, ++ * NLA_S8, ++ * NLA_S16, ++ * NLA_S32, ++ * NLA_S64 These are used depending on the validation_type ++ * field, if that is min/max/range then the minimum, ++ * maximum and both are used (respectively) to check ++ * the value of the integer attribute. ++ * Note that in the interest of code simplicity and ++ * struct size both limits are s16, so you cannot ++ * enforce a range that doesn't fall within the range ++ * of s16 - do that as usual in the code instead. ++ * All other Unused - but note that it's a union + * + * Example: + * static const struct nla_policy my_policy[ATTR_MAX+1] = { +@@ -244,9 +273,15 @@ enum { + * }; + */ + struct nla_policy { +- u16 type; ++ u8 type; ++ u8 validation_type; + u16 len; +- const void *validation_data; ++ union { ++ const void *validation_data; ++ struct { ++ s16 min, max; ++ }; ++ }; + }; + + #define NLA_POLICY_NESTED(maxattr, policy) \ +@@ -254,6 +289,32 @@ struct nla_policy { + #define NLA_POLICY_NESTED_ARRAY(maxattr, policy) \ + { .type = NLA_NESTED_ARRAY, .validation_data = policy, .len = maxattr } + ++#define __NLA_ENSURE(condition) (sizeof(char[1 - 2*!(condition)]) - 1) ++#define NLA_ENSURE_INT_TYPE(tp) \ ++ (__NLA_ENSURE(tp == NLA_S8 || tp == NLA_U8 || \ ++ tp == NLA_S16 || tp == NLA_U16 || \ ++ tp == NLA_S32 || tp == NLA_U32 || \ ++ tp == NLA_S64 || tp == NLA_U64) + tp) ++ ++#define NLA_POLICY_RANGE(tp, _min, _max) { \ ++ .type = NLA_ENSURE_INT_TYPE(tp), \ ++ .validation_type = NLA_VALIDATE_RANGE, \ ++ .min = _min, \ ++ .max = _max \ ++} ++ ++#define NLA_POLICY_MIN(tp, _min) { \ ++ .type = NLA_ENSURE_INT_TYPE(tp), \ ++ .validation_type = NLA_VALIDATE_MIN, \ ++ .min = _min, \ ++} ++ ++#define NLA_POLICY_MAX(tp, _max) { \ ++ .type = NLA_ENSURE_INT_TYPE(tp), \ ++ .validation_type = NLA_VALIDATE_MAX, \ ++ .max = _max, \ ++} ++ + /** + * struct nl_info - netlink source information + * @nlh: Netlink message header of original request +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -78,6 +78,64 @@ static int nla_validate_array(const stru + return 0; + } + ++static int nla_validate_int_range(const struct nla_policy *pt, ++ const struct nlattr *nla, ++ struct netlink_ext_ack *extack) ++{ ++ bool validate_min, validate_max; ++ s64 value; ++ ++ validate_min = pt->validation_type == NLA_VALIDATE_RANGE || ++ pt->validation_type == NLA_VALIDATE_MIN; ++ validate_max = pt->validation_type == NLA_VALIDATE_RANGE || ++ pt->validation_type == NLA_VALIDATE_MAX; ++ ++ switch (pt->type) { ++ case NLA_U8: ++ value = nla_get_u8(nla); ++ break; ++ case NLA_U16: ++ value = nla_get_u16(nla); ++ break; ++ case NLA_U32: ++ value = nla_get_u32(nla); ++ break; ++ case NLA_S8: ++ value = nla_get_s8(nla); ++ break; ++ case NLA_S16: ++ value = nla_get_s16(nla); ++ break; ++ case NLA_S32: ++ value = nla_get_s32(nla); ++ break; ++ case NLA_S64: ++ value = nla_get_s64(nla); ++ break; ++ case NLA_U64: ++ /* treat this one specially, since it may not fit into s64 */ ++ if ((validate_min && nla_get_u64(nla) < pt->min) || ++ (validate_max && nla_get_u64(nla) > pt->max)) { ++ NL_SET_ERR_MSG_ATTR(extack, nla, ++ "integer out of range"); ++ return -ERANGE; ++ } ++ return 0; ++ default: ++ WARN_ON(1); ++ return -EINVAL; ++ } ++ ++ if ((validate_min && value < pt->min) || ++ (validate_max && value > pt->max)) { ++ NL_SET_ERR_MSG_ATTR(extack, nla, ++ "integer out of range"); ++ return -ERANGE; ++ } ++ ++ return 0; ++} ++ + static int validate_nla(const struct nlattr *nla, int maxtype, + const struct nla_policy *policy, + struct netlink_ext_ack *extack) +@@ -213,6 +271,20 @@ static int validate_nla(const struct nla + goto out_err; + } + ++ /* further validation */ ++ switch (pt->validation_type) { ++ case NLA_VALIDATE_NONE: ++ /* nothing to do */ ++ break; ++ case NLA_VALIDATE_RANGE: ++ case NLA_VALIDATE_MIN: ++ case NLA_VALIDATE_MAX: ++ err = nla_validate_int_range(pt, nla, extack); ++ if (err) ++ return err; ++ break; ++ } ++ + return 0; + out_err: + NL_SET_ERR_MSG_ATTR(extack, nla, "Attribute failed policy validation"); diff --git a/patches.suse/netlink-add-nested-array-policy-validation.patch b/patches.suse/netlink-add-nested-array-policy-validation.patch new file mode 100644 index 0000000..3b10ce0 --- /dev/null +++ b/patches.suse/netlink-add-nested-array-policy-validation.patch @@ -0,0 +1,139 @@ +From: Johannes Berg +Date: Wed, 26 Sep 2018 11:15:34 +0200 +Subject: [PATCH] netlink: add nested array policy validation +Patch-mainline: v4.20-rc1 +Git-commit: 1501d13596b92d6d1f0ea5e104be838188b6e026 +References: bsc#1152107 CVE-2019-16746 + +Sometimes nested netlink attributes are just used as arrays, with +the nla_type() of each not being used; we have this in nl80211 and +e.g. NFTA_SET_ELEM_LIST_ELEMENTS. + +Add the ability to validate this type of message directly in the +policy, by adding the type NLA_NESTED_ARRAY which does exactly +this: require a first level of nesting but ignore the attribute +type, and then inside each require a second level of nested and +validate those attributes against a given policy (if present). + +Note that some nested array types actually require that all of +the entries have the same index, this is possible to express in +a nested policy already, apart from the validation that only the +one allowed type is used. + +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Acked-by: Cho, Yu-Chen +--- + include/net/netlink.h | 12 ++++++++++- + lib/nlattr.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 62 insertions(+), 1 deletion(-) + +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -171,6 +171,7 @@ enum { + NLA_FLAG, + NLA_MSECS, + NLA_NESTED, ++ NLA_NESTED_ARRAY, + NLA_NESTED_COMPAT, + NLA_NUL_STRING, + NLA_BINARY, +@@ -198,7 +199,8 @@ enum { + * NLA_NUL_STRING Maximum length of string (excluding NUL) + * NLA_FLAG Unused + * NLA_BINARY Maximum length of attribute payload +- * NLA_NESTED Length verification is done by checking len of ++ * NLA_NESTED, ++ * NLA_NESTED_ARRAY Length verification is done by checking len of + * nested header (or empty); len field is used if + * validation_data is also used, for the max attr + * number in the nested policy. +@@ -225,6 +227,12 @@ enum { + * `len' to the max attribute number. + * Note that nla_parse() will validate, but of course not + * parse, the nested sub-policies. ++ * NLA_NESTED_ARRAY Points to a nested policy to validate, must also set ++ * `len' to the max attribute number. The difference to ++ * NLA_NESTED is the structure - NLA_NESTED has the ++ * nested attributes directly inside, while an array has ++ * the nested attributes at another level down and the ++ * attributes directly in the nesting don't matter. + * All other Unused + * + * Example: +@@ -243,6 +251,8 @@ struct nla_policy { + + #define NLA_POLICY_NESTED(maxattr, policy) \ + { .type = NLA_NESTED, .validation_data = policy, .len = maxattr } ++#define NLA_POLICY_NESTED_ARRAY(maxattr, policy) \ ++ { .type = NLA_NESTED_ARRAY, .validation_data = policy, .len = maxattr } + + /** + * struct nl_info - netlink source information +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -50,6 +50,34 @@ static int validate_nla_bitfield32(const + return 0; + } + ++static int nla_validate_array(const struct nlattr *head, int len, int maxtype, ++ const struct nla_policy *policy, ++ struct netlink_ext_ack *extack) ++{ ++ const struct nlattr *entry; ++ int rem; ++ ++ nla_for_each_attr(entry, head, len, rem) { ++ int ret; ++ ++ if (nla_len(entry) == 0) ++ continue; ++ ++ if (nla_len(entry) < NLA_HDRLEN) { ++ NL_SET_ERR_MSG_ATTR(extack, entry, ++ "Array element too short"); ++ return -ERANGE; ++ } ++ ++ ret = nla_validate(nla_data(entry), nla_len(entry), ++ maxtype, policy, extack); ++ if (ret < 0) ++ return ret; ++ } ++ ++ return 0; ++} ++ + static int validate_nla(const struct nlattr *nla, int maxtype, + const struct nla_policy *policy, + struct netlink_ext_ack *extack) +@@ -146,6 +174,29 @@ static int validate_nla(const struct nla + if (err < 0) { + /* + * return directly to preserve the inner ++ * error message/attribute pointer ++ */ ++ return err; ++ } ++ } ++ break; ++ case NLA_NESTED_ARRAY: ++ /* a nested array attribute is allowed to be empty; if its not, ++ * it must have a size of at least NLA_HDRLEN. ++ */ ++ if (attrlen == 0) ++ break; ++ if (attrlen < NLA_HDRLEN) ++ goto out_err; ++ if (pt->validation_data) { ++ int err; ++ ++ err = nla_validate_array(nla_data(nla), nla_len(nla), ++ pt->len, pt->validation_data, ++ extack); ++ if (err < 0) { ++ /* ++ * return directly to preserve the inner + * error message/attribute pointer + */ + return err; diff --git a/patches.suse/netlink-add-validation-function-to-policy.patch b/patches.suse/netlink-add-validation-function-to-policy.patch new file mode 100644 index 0000000..6097c67 --- /dev/null +++ b/patches.suse/netlink-add-validation-function-to-policy.patch @@ -0,0 +1,106 @@ +From: Johannes Berg +Date: Thu, 27 Sep 2018 11:28:36 +0200 +Subject: [PATCH] netlink: add validation function to policy +Patch-mainline: v4.20-rc1 +Git-commit: 33188bd6430ef06d206ae4fda2cc92f14f16fd20 +References: bsc#1152107 CVE-2019-16746 + +Add the ability to have an arbitrary validation function attached +to a netlink policy that doesn't already use the validation_data +pointer in another way. + +This can be useful to validate for example the content of a binary +attribute, like in nl80211 the "(information) elements", which must +be valid streams of "u8 type, u8 length, u8 value[length]". + +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Acked-by: Cho, Yu-Chen +--- + include/net/netlink.h | 24 +++++++++++++++++++++++- + lib/nlattr.c | 7 +++++++ + 2 files changed, 30 insertions(+), 1 deletion(-) + +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -191,13 +191,14 @@ enum nla_policy_validation { + NLA_VALIDATE_RANGE, + NLA_VALIDATE_MIN, + NLA_VALIDATE_MAX, ++ NLA_VALIDATE_FUNCTION, + }; + + /** + * struct nla_policy - attribute validation policy + * @type: Type of attribute or NLA_UNSPEC + * @validation_type: type of attribute validation done in addition to +- * type-specific validation (e.g. range), see ++ * type-specific validation (e.g. range, function call), see + * &enum nla_policy_validation + * @len: Type specific length of payload + * +@@ -264,6 +265,13 @@ enum nla_policy_validation { + * of s16 - do that as usual in the code instead. + * All other Unused - but note that it's a union + * ++ * Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN: ++ * NLA_BINARY Validation function called for the attribute, ++ * not compatible with use of the validation_data ++ * as in NLA_BITFIELD32, NLA_REJECT, NLA_NESTED and ++ * NLA_NESTED_ARRAY. ++ * All other Unused - but note that it's a union ++ * + * Example: + * static const struct nla_policy my_policy[ATTR_MAX+1] = { + * [ATTR_FOO] = { .type = NLA_U16 }, +@@ -281,6 +289,8 @@ struct nla_policy { + struct { + s16 min, max; + }; ++ int (*validate)(const struct nlattr *attr, ++ struct netlink_ext_ack *extack); + }; + }; + +@@ -295,6 +305,11 @@ struct nla_policy { + tp == NLA_S16 || tp == NLA_U16 || \ + tp == NLA_S32 || tp == NLA_U32 || \ + tp == NLA_S64 || tp == NLA_U64) + tp) ++#define NLA_ENSURE_NO_VALIDATION_PTR(tp) \ ++ (__NLA_ENSURE(tp != NLA_BITFIELD32 && \ ++ tp != NLA_REJECT && \ ++ tp != NLA_NESTED && \ ++ tp != NLA_NESTED_ARRAY) + tp) + + #define NLA_POLICY_RANGE(tp, _min, _max) { \ + .type = NLA_ENSURE_INT_TYPE(tp), \ +@@ -315,6 +330,13 @@ struct nla_policy { + .max = _max, \ + } + ++#define NLA_POLICY_VALIDATE_FN(tp, fn, ...) { \ ++ .type = NLA_ENSURE_NO_VALIDATION_PTR(tp), \ ++ .validation_type = NLA_VALIDATE_FUNCTION, \ ++ .validate = fn, \ ++ .len = __VA_ARGS__ + 0, \ ++} ++ + /** + * struct nl_info - netlink source information + * @nlh: Netlink message header of original request +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -283,6 +283,13 @@ static int validate_nla(const struct nla + if (err) + return err; + break; ++ case NLA_VALIDATE_FUNCTION: ++ if (pt->validate) { ++ err = pt->validate(nla, extack); ++ if (err) ++ return err; ++ } ++ break; + } + + return 0; diff --git a/patches.suse/netlink-allow-NLA_NESTED-to-specify-nested-policy-to.patch b/patches.suse/netlink-allow-NLA_NESTED-to-specify-nested-policy-to.patch new file mode 100644 index 0000000..96a13ea --- /dev/null +++ b/patches.suse/netlink-allow-NLA_NESTED-to-specify-nested-policy-to.patch @@ -0,0 +1,82 @@ +From: Johannes Berg +Date: Wed, 26 Sep 2018 11:15:33 +0200 +Subject: [PATCH] netlink: allow NLA_NESTED to specify nested policy to + validate +Patch-mainline: v4.20-rc1 +Git-commit: 9a659a35ba177cec30676e170fb6ed98157bcb0d +References: bsc#1152107 CVE-2019-16746 + +Now that we have a validation_data pointer, and the len field in +the policy is unused for NLA_NESTED, we can allow using them both +to have nested validation. This can be nice in code, although we +still have to use nla_parse_nested() or similar which would also +take a policy; however, it also serves as documentation in the +policy without requiring a look at the code. + +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Acked-by: Cho, Yu-Chen +--- + include/net/netlink.h | 13 +++++++++++-- + lib/nlattr.c | 14 ++++++++++++++ + 2 files changed, 25 insertions(+), 2 deletions(-) + +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -198,8 +198,10 @@ enum { + * NLA_NUL_STRING Maximum length of string (excluding NUL) + * NLA_FLAG Unused + * NLA_BINARY Maximum length of attribute payload +- * NLA_NESTED Don't use `len' field -- length verification is +- * done by checking len of nested header (or empty) ++ * NLA_NESTED Length verification is done by checking len of ++ * nested header (or empty); len field is used if ++ * validation_data is also used, for the max attr ++ * number in the nested policy. + * NLA_NESTED_COMPAT Minimum length of structure payload + * NLA_U8, NLA_U16, + * NLA_U32, NLA_U64, +@@ -219,6 +221,10 @@ enum { + * NLA_REJECT This attribute is always rejected and validation data + * may point to a string to report as the error instead + * of the generic one in extended ACK. ++ * NLA_NESTED Points to a nested policy to validate, must also set ++ * `len' to the max attribute number. ++ * Note that nla_parse() will validate, but of course not ++ * parse, the nested sub-policies. + * All other Unused + * + * Example: +@@ -235,6 +241,9 @@ struct nla_policy { + const void *validation_data; + }; + ++#define NLA_POLICY_NESTED(maxattr, policy) \ ++ { .type = NLA_NESTED, .validation_data = policy, .len = maxattr } ++ + /** + * struct nl_info - netlink source information + * @nlh: Netlink message header of original request +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -138,6 +138,20 @@ static int validate_nla(const struct nla + */ + if (attrlen == 0) + break; ++ if (attrlen < NLA_HDRLEN) ++ goto out_err; ++ if (pt->validation_data) { ++ err = nla_validate(nla_data(nla), nla_len(nla), pt->len, ++ pt->validation_data, extack); ++ if (err < 0) { ++ /* ++ * return directly to preserve the inner ++ * error message/attribute pointer ++ */ ++ return err; ++ } ++ } ++ break; + default: + if (pt->len) + minlen = pt->len; diff --git a/patches.suse/netlink-make-validation_data-const.patch b/patches.suse/netlink-make-validation_data-const.patch new file mode 100644 index 0000000..44737fd --- /dev/null +++ b/patches.suse/netlink-make-validation_data-const.patch @@ -0,0 +1,52 @@ +From: Johannes Berg +Date: Wed, 26 Sep 2018 11:15:31 +0200 +Subject: [PATCH] netlink: make validation_data const +Patch-mainline: v4.20-rc1 +Git-commit: 48fde90a78f8c67e2bec5061f9725fe363519feb +References: bsc#1152107 CVE-2019-16746 + +The validation data is only used within the policy that +should usually already be const, and isn't changed in any +code that uses it. Therefore, make the validation_data +pointer const. + +While at it, remove the duplicate variable in the bitfield +validation that I'd otherwise have to change to const. + +Reviewed-by: David Ahern +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Acked-by: Cho, Yu-Chen +--- + include/net/netlink.h | 2 +- + lib/nlattr.c | 5 ++--- + 2 files changed, 3 insertions(+), 4 deletions(-) + +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -232,7 +232,7 @@ enum { + struct nla_policy { + u16 type; + u16 len; +- void *validation_data; ++ const void *validation_data; + }; + + /** +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -28,12 +28,11 @@ static const u8 nla_attr_minlen[NLA_TYPE + }; + + static int validate_nla_bitfield32(const struct nlattr *nla, +- u32 *valid_flags_allowed) ++ const u32 *valid_flags_mask) + { + const struct nla_bitfield32 *bf = nla_data(nla); +- u32 *valid_flags_mask = valid_flags_allowed; + +- if (!valid_flags_allowed) ++ if (!valid_flags_mask) + return -EINVAL; + + /*disallow invalid bit selector */ diff --git a/patches.suse/netlink-move-extack-setting-into-validate_nla.patch b/patches.suse/netlink-move-extack-setting-into-validate_nla.patch new file mode 100644 index 0000000..22efdea --- /dev/null +++ b/patches.suse/netlink-move-extack-setting-into-validate_nla.patch @@ -0,0 +1,184 @@ +From: Johannes Berg +Date: Wed, 26 Sep 2018 11:15:32 +0200 +Subject: [PATCH] netlink: move extack setting into validate_nla() +Patch-mainline: v4.20-rc1 +Git-commit: c29f1845b2b22974411278bad3a2ac0b7815dfb4 +References: bsc#1152107 CVE-2019-16746 + +This unifies the code between nla_parse() which sets the bad +attribute pointer and an error message, and nla_validate() +which only sets the bad attribute pointer. + +It also cleans up the code for NLA_REJECT and paves the way +for nested policy validation, as it will allow us to easily +skip setting the "generic" message without any extra args +like the **error_msg now, just passing the extack through is +now enough. + +While at it, remove the unnecessary label in nla_parse(). + +Suggested-by: David Ahern +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Acked-by: Cho, Yu-Chen +--- + lib/nlattr.c | 66 +++++++++++++++++++++++++++++++---------------------------- + 1 file changed, 35 insertions(+), 31 deletions(-) + +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -52,10 +52,11 @@ static int validate_nla_bitfield32(const + + static int validate_nla(const struct nlattr *nla, int maxtype, + const struct nla_policy *policy, +- const char **error_msg) ++ struct netlink_ext_ack *extack) + { + const struct nla_policy *pt; + int minlen = 0, attrlen = nla_len(nla), type = nla_type(nla); ++ int err = -ERANGE; + + if (type <= 0 || type > maxtype) + return 0; +@@ -66,20 +67,27 @@ static int validate_nla(const struct nla + + switch (pt->type) { + case NLA_REJECT: +- if (pt->validation_data && error_msg) +- *error_msg = pt->validation_data; +- return -EINVAL; ++ if (extack && pt->validation_data) { ++ NL_SET_BAD_ATTR(extack, nla); ++ extack->_msg = pt->validation_data; ++ return -EINVAL; ++ } ++ err = -EINVAL; ++ goto out_err; + + case NLA_FLAG: + if (attrlen > 0) +- return -ERANGE; ++ goto out_err; + break; + + case NLA_BITFIELD32: + if (attrlen != sizeof(struct nla_bitfield32)) +- return -ERANGE; ++ goto out_err; + +- return validate_nla_bitfield32(nla, pt->validation_data); ++ err = validate_nla_bitfield32(nla, pt->validation_data); ++ if (err) ++ goto out_err; ++ break; + + case NLA_NUL_STRING: + if (pt->len) +@@ -87,13 +95,15 @@ static int validate_nla(const struct nla + else + minlen = attrlen; + +- if (!minlen || memchr(nla_data(nla), '\0', minlen) == NULL) +- return -EINVAL; ++ if (!minlen || memchr(nla_data(nla), '\0', minlen) == NULL) { ++ err = -EINVAL; ++ goto out_err; ++ } + /* fall through */ + + case NLA_STRING: + if (attrlen < 1) +- return -ERANGE; ++ goto out_err; + + if (pt->len) { + char *buf = nla_data(nla); +@@ -102,13 +112,13 @@ static int validate_nla(const struct nla + attrlen--; + + if (attrlen > pt->len) +- return -ERANGE; ++ goto out_err; + } + break; + + case NLA_BINARY: + if (pt->len && attrlen > pt->len) +- return -ERANGE; ++ goto out_err; + break; + + case NLA_NESTED_COMPAT: +@@ -135,10 +145,13 @@ static int validate_nla(const struct nla + minlen = nla_attr_minlen[pt->type]; + + if (attrlen < minlen) +- return -ERANGE; ++ goto out_err; + } + + return 0; ++out_err: ++ NL_SET_ERR_MSG_ATTR(extack, nla, "Attribute failed policy validation"); ++ return err; + } + + /** +@@ -163,12 +176,10 @@ int nla_validate(const struct nlattr *he + int rem; + + nla_for_each_attr(nla, head, len, rem) { +- int err = validate_nla(nla, maxtype, policy, NULL); ++ int err = validate_nla(nla, maxtype, policy, extack); + +- if (err < 0) { +- NL_SET_BAD_ATTR(extack, nla); ++ if (err < 0) + return err; +- } + } + + return 0; +@@ -222,7 +233,7 @@ int nla_parse(struct nlattr **tb, int ma + struct netlink_ext_ack *extack) + { + const struct nlattr *nla; +- int rem, err; ++ int rem; + + memset(tb, 0, sizeof(struct nlattr *) * (maxtype + 1)); + +@@ -230,17 +241,12 @@ int nla_parse(struct nlattr **tb, int ma + u16 type = nla_type(nla); + + if (type > 0 && type <= maxtype) { +- static const char _msg[] = "Attribute failed policy validation"; +- const char *msg = _msg; +- + if (policy) { +- err = validate_nla(nla, maxtype, policy, &msg); +- if (err < 0) { +- NL_SET_BAD_ATTR(extack, nla); +- if (extack) +- extack->_msg = msg; +- goto errout; +- } ++ int err = validate_nla(nla, maxtype, policy, ++ extack); ++ ++ if (err < 0) ++ return err; + } + + tb[type] = (struct nlattr *)nla; +@@ -251,9 +257,7 @@ int nla_parse(struct nlattr **tb, int ma + pr_warn_ratelimited("netlink: %d bytes leftover after parsing attributes in process `%s'.\n", + rem, current->comm); + +- err = 0; +-errout: +- return err; ++ return 0; + } + EXPORT_SYMBOL(nla_parse); + diff --git a/patches.suse/netlink-replace-__NLA_ENSURE-implementation.patch b/patches.suse/netlink-replace-__NLA_ENSURE-implementation.patch new file mode 100644 index 0000000..286aa43 --- /dev/null +++ b/patches.suse/netlink-replace-__NLA_ENSURE-implementation.patch @@ -0,0 +1,29 @@ +From: Johannes Berg +Date: Fri, 12 Oct 2018 12:53:00 +0200 +Subject: [PATCH] netlink: replace __NLA_ENSURE implementation +Patch-mainline: v4.20-rc1 +Git-commit: 5886d932e52acfbe12ea5aac8e7c3ad6f16364d1 +References: bsc#1152107 CVE-2019-16746 + +We already have BUILD_BUG_ON_ZERO() which I just hadn't found +before, so we should use it here instead of open-coding another +implementation thereof. + +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Acked-by: Cho, Yu-Chen +--- + include/net/netlink.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -289,7 +289,7 @@ struct nla_policy { + #define NLA_POLICY_NESTED_ARRAY(maxattr, policy) \ + { .type = NLA_NESTED_ARRAY, .validation_data = policy, .len = maxattr } + +-#define __NLA_ENSURE(condition) (sizeof(char[1 - 2*!(condition)]) - 1) ++#define __NLA_ENSURE(condition) BUILD_BUG_ON_ZERO(!(condition)) + #define NLA_ENSURE_INT_TYPE(tp) \ + (__NLA_ENSURE(tp == NLA_S8 || tp == NLA_U8 || \ + tp == NLA_S16 || tp == NLA_U16 || \ diff --git a/patches.suse/new-helper-lookup_positive_unlocked.patch b/patches.suse/new-helper-lookup_positive_unlocked.patch new file mode 100644 index 0000000..313ecb1 --- /dev/null +++ b/patches.suse/new-helper-lookup_positive_unlocked.patch @@ -0,0 +1,230 @@ +From 6c2d4798a8d16cf4f3a28c3cd4af4f1dcbbb4d04 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu Oct 31 01:21:58 2019 -0400 +Subject: [PATCH] new helper: lookup_positive_unlocked() +Git-commit: 6c2d4798a8d16cf4f3a28c3cd4af4f1dcbbb4d04 +References: bsc#1159271 +Patch-mainline: v5.5-rc1 + +Most of the callers of lookup_one_len_unlocked() treat negatives are +ERR_PTR(-ENOENT). Provide a helper that would do just that. Note +that a pinned positive dentry remains positive - it's ->d_inode is +stable, etc.; a pinned _negative_ dentry can become positive at any +point as long as you are not holding its parent at least shared. +So using lookup_one_len_unlocked() needs to be careful; +lookup_positive_unlocked() is safer and that's what the callers +end up open-coding anyway. + +Signed-off-by: Al Viro +Acked-by: Goldwyn Rodrigues + +--- + fs/cifs/cifsfs.c | 7 +------ + fs/debugfs/inode.c | 6 +----- + fs/kernfs/mount.c | 2 +- + fs/namei.c | 20 ++++++++++++++++++++ + fs/nfsd/nfs3xdr.c | 4 +--- + fs/nfsd/nfs4xdr.c | 11 +---------- + fs/overlayfs/namei.c | 12 ++++-------- + fs/quota/dquot.c | 9 +-------- + include/linux/namei.h | 1 + + 9 files changed, 31 insertions(+), 41 deletions(-) + +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -687,11 +687,6 @@ + struct inode *dir = d_inode(dentry); + struct dentry *child; + +- if (!dir) { +- dput(dentry); +- dentry = ERR_PTR(-ENOENT); +- break; +- } + if (!S_ISDIR(dir->i_mode)) { + dput(dentry); + dentry = ERR_PTR(-ENOTDIR); +@@ -708,7 +703,7 @@ + while (*s && *s != sep) + s++; + +- child = lookup_one_len_unlocked(p, dentry, s - p); ++ child = lookup_positive_unlocked(p, dentry, s - p); + dput(dentry); + dentry = child; + } while (!IS_ERR(dentry)); +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -276,15 +276,11 @@ + parent = debugfs_mount->mnt_root; + + inode_lock(d_inode(parent)); +- dentry = lookup_one_len(name, parent, strlen(name)); ++ dentry = lookup_positive_unlocked(name, parent, strlen(name)); + inode_unlock(d_inode(parent)); + + if (IS_ERR(dentry)) + return NULL; +- if (!d_really_is_positive(dentry)) { +- dput(dentry); +- return NULL; +- } + return dentry; + } + EXPORT_SYMBOL_GPL(debugfs_lookup); +--- a/fs/kernfs/mount.c ++++ b/fs/kernfs/mount.c +@@ -139,7 +139,7 @@ + dput(dentry); + return ERR_PTR(-EINVAL); + } +- dtmp = lookup_one_len_unlocked(kntmp->name, dentry, ++ dtmp = lookup_positive_unlocked(kntmp->name, dentry, + strlen(kntmp->name)); + dput(dentry); + if (IS_ERR(dtmp)) +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -2589,6 +2589,26 @@ + } + EXPORT_SYMBOL(lookup_one_len_unlocked); + ++/* ++ * Like lookup_one_len_unlocked(), except that it yields ERR_PTR(-ENOENT) ++ * on negatives. Returns known positive or ERR_PTR(); that's what ++ * most of the users want. Note that pinned negative with unlocked parent ++ * _can_ become positive at any time, so callers of lookup_one_len_unlocked() ++ * need to be very careful; pinned positives have ->d_inode stable, so ++ * this one avoids such problems. ++ */ ++struct dentry *lookup_positive_unlocked(const char *name, ++ struct dentry *base, int len) ++{ ++ struct dentry *ret = lookup_one_len_unlocked(name, base, len); ++ if (!IS_ERR(ret) && d_is_negative(ret)) { ++ dput(ret); ++ ret = ERR_PTR(-ENOENT); ++ } ++ return ret; ++} ++EXPORT_SYMBOL(lookup_positive_unlocked); ++ + #ifdef CONFIG_UNIX98_PTYS + int path_pts(struct path *path) + { +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -829,13 +829,11 @@ + } else + dchild = dget(dparent); + } else +- dchild = lookup_one_len_unlocked(name, dparent, namlen); ++ dchild = lookup_positive_unlocked(name, dparent, namlen); + if (IS_ERR(dchild)) + return rv; + if (d_mountpoint(dchild)) + goto out; +- if (d_really_is_negative(dchild)) +- goto out; + if (dchild->d_inode->i_ino != ino) + goto out; + rv = fh_compose(fhp, exp, dchild, &cd->fh); +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -2923,18 +2923,9 @@ + __be32 nfserr; + int ignore_crossmnt = 0; + +- dentry = lookup_one_len_unlocked(name, cd->rd_fhp->fh_dentry, namlen); ++ dentry = lookup_positive_unlocked(name, cd->rd_fhp->fh_dentry, namlen); + if (IS_ERR(dentry)) + return nfserrno(PTR_ERR(dentry)); +- if (d_really_is_negative(dentry)) { +- /* +- * we're not holding the i_mutex here, so there's +- * a window where this directory entry could have gone +- * away. +- */ +- dput(dentry); +- return nfserr_noent; +- } + + exp_get(exp); + /* +--- a/fs/overlayfs/namei.c ++++ b/fs/overlayfs/namei.c +@@ -189,7 +189,7 @@ + struct dentry *this; + int err; + +- this = lookup_one_len_unlocked(name, base, namelen); ++ this = lookup_positive_unlocked(name, base, namelen); + if (IS_ERR(this)) { + err = PTR_ERR(this); + this = NULL; +@@ -197,8 +197,6 @@ + goto out; + goto out_err; + } +- if (!this->d_inode) +- goto put_and_out; + + if (ovl_dentry_weird(this)) { + /* Don't support traversing automounts and other weirdness */ +@@ -517,7 +515,7 @@ + struct dentry *this; + struct dentry *lowerdir = poe->lowerstack[i].dentry; + +- this = lookup_one_len_unlocked(name->name, lowerdir, ++ this = lookup_positive_unlocked(name->name, lowerdir, + name->len); + if (IS_ERR(this)) { + switch (PTR_ERR(this)) { +@@ -534,10 +532,8 @@ + break; + } + } else { +- if (this->d_inode) { +- positive = !ovl_is_whiteout(this); +- done = true; +- } ++ positive = !ovl_is_whiteout(this); ++ done = true; + dput(this); + } + } +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2456,21 +2456,14 @@ + struct dentry *dentry; + int error; + +- dentry = lookup_one_len_unlocked(qf_name, sb->s_root, strlen(qf_name)); ++ dentry = lookup_positive_unlocked(qf_name, sb->s_root, strlen(qf_name)); + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + +- if (d_really_is_negative(dentry)) { +- error = -ENOENT; +- goto out; +- } +- + error = security_quota_on(dentry); + if (!error) + error = vfs_load_quota_inode(d_inode(dentry), type, format_id, + DQUOT_USAGE_ENABLED | DQUOT_LIMITS_ENABLED); +- +-out: + dput(dentry); + return error; + } +--- a/include/linux/namei.h ++++ b/include/linux/namei.h +@@ -82,6 +82,7 @@ + + extern struct dentry *lookup_one_len(const char *, struct dentry *, int); + extern struct dentry *lookup_one_len_unlocked(const char *, struct dentry *, int); ++extern struct dentry *lookup_positive_unlocked(const char *, struct dentry *, int); + + extern int follow_down_one(struct path *); + extern int follow_down(struct path *); diff --git a/patches.suse/nl80211-validate-beacon-head.patch b/patches.suse/nl80211-validate-beacon-head.patch new file mode 100644 index 0000000..961eedc --- /dev/null +++ b/patches.suse/nl80211-validate-beacon-head.patch @@ -0,0 +1,78 @@ +From: Johannes Berg +Date: Fri, 20 Sep 2019 21:54:17 +0200 +Subject: [PATCH] nl80211: validate beacon head +Patch-mainline: v5.4-rc2 +Git-commit: f88eb7c0d002a67ef31aeb7850b42ff69abc46dc +References: bsc#1152107 CVE-2019-16746 + +We currently don't validate the beacon head, i.e. the header, +fixed part and elements that are to go in front of the TIM +element. This means that the variable elements there can be +malformed, e.g. have a length exceeding the buffer size, but +most downstream code from this assumes that this has already +been checked. + +Add the necessary checks to the netlink policy. + +Cc: stable@vger.kernel.org +Fixes: ed1b6cc7f80f ("cfg80211/nl80211: add beacon settings") +Link: https://lore.kernel.org/r/1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef@changeid +Signed-off-by: Johannes Berg +Acked-by: Cho, Yu-Chen +--- + net/wireless/nl80211.c | 37 +++++++++++++++++++++++++++++++++++-- + 1 file changed, 35 insertions(+), 2 deletions(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -200,6 +200,38 @@ cfg80211_get_dev_from_info(struct net *n + return __cfg80211_rdev_from_attrs(netns, info->attrs); + } + ++static int validate_beacon_head(const struct nlattr *attr, ++ struct netlink_ext_ack *extack) ++{ ++ const u8 *data = nla_data(attr); ++ unsigned int len = nla_len(attr); ++ const struct element *elem; ++ const struct ieee80211_mgmt *mgmt = (void *)data; ++ unsigned int fixedlen = offsetof(struct ieee80211_mgmt, ++ u.beacon.variable); ++ ++ if (len < fixedlen) ++ goto err; ++ ++ if (ieee80211_hdrlen(mgmt->frame_control) != ++ offsetof(struct ieee80211_mgmt, u.beacon)) ++ goto err; ++ ++ data += fixedlen; ++ len -= fixedlen; ++ ++ for_each_element(elem, data, len) { ++ /* nothing */ ++ } ++ ++ if (for_each_element_completed(elem, data, len)) ++ return 0; ++ ++err: ++ NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head"); ++ return -EINVAL; ++} ++ + /* policy for the attributes */ + static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { + [NL80211_ATTR_WIPHY] = { .type = NLA_U32 }, +@@ -238,8 +270,9 @@ static const struct nla_policy nl80211_p + + [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 }, + [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 }, +- [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY, +- .len = IEEE80211_MAX_DATA_LEN }, ++ [NL80211_ATTR_BEACON_HEAD] = ++ NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head, ++ IEEE80211_MAX_DATA_LEN), + [NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY, + .len = IEEE80211_MAX_DATA_LEN }, + [NL80211_ATTR_STA_AID] = { .type = NLA_U16 }, diff --git a/patches.suse/nvme-fix-the-parameter-order-for-nvme_get_log-in-nvm.patch b/patches.suse/nvme-fix-the-parameter-order-for-nvme_get_log-in-nvm.patch new file mode 100644 index 0000000..683bcd0 --- /dev/null +++ b/patches.suse/nvme-fix-the-parameter-order-for-nvme_get_log-in-nvm.patch @@ -0,0 +1,35 @@ +From: Yi Zhang +Date: Fri, 14 Feb 2020 18:48:02 +0800 +Subject: nvme: fix the parameter order for nvme_get_log in + nvme_get_fw_slot_info +Patch-mainline: v5.6-rc2 +Git-commit: f25372ffc3f6c2684b57fb718219137e6ee2b64c +References: bsc#1163774 + +nvme fw-activate operation will get bellow warning log, +fix it by update the parameter order + +[ 113.231513] nvme nvme0: Get FW SLOT INFO log error + +Fixes: 0e98719b0e4b ("nvme: simplify the API for getting log pages") +Reported-by: Sujith Pandel +Reviewed-by: David Milburn +Signed-off-by: Yi Zhang +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Acked-by: Daniel Wagner +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3369,7 +3369,7 @@ static void nvme_get_fw_slot_info(struct + if (!log) + return; + +- if (nvme_get_log(ctrl, NVME_NSID_ALL, 0, NVME_LOG_FW_SLOT, log, ++ if (nvme_get_log(ctrl, NVME_NSID_ALL, NVME_LOG_FW_SLOT, 0, log, + sizeof(*log), 0)) + dev_warn(ctrl->device, "Get FW SLOT INFO log error\n"); + kfree(log); diff --git a/patches.suse/orinoco_usb-fix-interface-sanity-check.patch b/patches.suse/orinoco_usb-fix-interface-sanity-check.patch new file mode 100644 index 0000000..553a620 --- /dev/null +++ b/patches.suse/orinoco_usb-fix-interface-sanity-check.patch @@ -0,0 +1,43 @@ +From b73e05aa543cf8db4f4927e36952360d71291d41 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:23 +0100 +Subject: [PATCH] orinoco_usb: fix interface sanity check +Git-commit: b73e05aa543cf8db4f4927e36952360d71291d41 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 9afac70a7305 ("orinoco: add orinoco_usb driver") +Cc: stable # 2.6.35 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c +index 40a8b941ad5c..8c79b963bcff 100644 +--- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c ++++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c +@@ -1608,9 +1608,9 @@ static int ezusb_probe(struct usb_interface *interface, + /* set up the endpoint information */ + /* check out the endpoints */ + +- iface_desc = &interface->altsetting[0].desc; ++ iface_desc = &interface->cur_altsetting->desc; + for (i = 0; i < iface_desc->bNumEndpoints; ++i) { +- ep = &interface->altsetting[0].endpoint[i].desc; ++ ep = &interface->cur_altsetting->endpoint[i].desc; + + if (usb_endpoint_is_bulk_in(ep)) { + /* we found a bulk in endpoint */ +-- +2.16.4 + diff --git a/patches.suse/percpu-separate-decrypted-varaibles-anytime-encryption-can-be-enabled.patch b/patches.suse/percpu-separate-decrypted-varaibles-anytime-encryption-can-be-enabled.patch new file mode 100644 index 0000000..2b799a9 --- /dev/null +++ b/patches.suse/percpu-separate-decrypted-varaibles-anytime-encryption-can-be-enabled.patch @@ -0,0 +1,40 @@ +From: Erdem Aktas +Date: Fri, 13 Dec 2019 13:31:46 -0800 +Subject: percpu: Separate decrypted varaibles anytime encryption can be enabled +Git-commit: 264b0d2bee148073c117e7bbbde5be7125a53be1 +Patch-mainline: v5.6-rc1 +References: bsc#1114279 + +CONFIG_VIRTUALIZATION may not be enabled for memory encrypted guests. If +disabled, decrypted per-CPU variables may end up sharing the same page +with variables that should be left encrypted. + +Always separate per-CPU variables that should be decrypted into their own +page anytime memory encryption can be enabled in the guest rather than +rely on any other config option that may not be enabled. + +Fixes: ac26963a1175 ("percpu: Introduce DEFINE_PER_CPU_DECRYPTED") +Cc: stable@vger.kernel.org # 4.15+ +Signed-off-by: Erdem Aktas +Signed-off-by: David Rientjes +Signed-off-by: Dennis Zhou +Acked-by: Borislav Petkov +--- + include/linux/percpu-defs.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/include/linux/percpu-defs.h b/include/linux/percpu-defs.h +index a6fabd865211..176bfbd52d97 100644 +--- a/include/linux/percpu-defs.h ++++ b/include/linux/percpu-defs.h +@@ -175,8 +175,7 @@ + * Declaration/definition used for per-CPU variables that should be accessed + * as decrypted when memory encryption is enabled in the guest. + */ +-#if defined(CONFIG_VIRTUALIZATION) && defined(CONFIG_AMD_MEM_ENCRYPT) +- ++#ifdef CONFIG_AMD_MEM_ENCRYPT + #define DECLARE_PER_CPU_DECRYPTED(type, name) \ + DECLARE_PER_CPU_SECTION(type, name, "..decrypted") + + diff --git a/patches.suse/perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload b/patches.suse/perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload new file mode 100644 index 0000000..1b63282 --- /dev/null +++ b/patches.suse/perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload @@ -0,0 +1,89 @@ +From: Kan Liang +Date: Tue, 21 Jan 2020 11:01:25 -0800 +Subject: perf/x86/intel: Fix inaccurate period in context switch for + auto-reload +Git-commit: f861854e1b435b27197417f6f90d87188003cb24 +Patch-mainline: v5.6-rc2 +References: bsc#1164315 + +Perf doesn't take the left period into account when auto-reload is +enabled with fixed period sampling mode in context switch. + +Here is the MSR trace of the perf command as below. +(The MSR trace is simplified from a ftrace log.) + + #perf record -e cycles:p -c 2000000 -- ./triad_loop + + //The MSR trace of task schedule out + //perf disable all counters, disable PEBS, disable GP counter 0, + //read GP counter 0, and re-enable all counters. + //The counter 0 stops at 0xfffffff82840 + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0 + write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 0 + write_msr: MSR_P6_EVNTSEL0(186), value 40003003c + rdpmc: 0, value fffffff82840 + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff + + //The MSR trace of the same task schedule in again + //perf disable all counters, enable and set GP counter 0, + //enable PEBS, and re-enable all counters. + //0xffffffe17b80 (-2000000) is written to GP counter 0. + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0 + write_msr: MSR_IA32_PMC0(4c1), value ffffffe17b80 + write_msr: MSR_P6_EVNTSEL0(186), value 40043003c + write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 1 + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff + +When the same task schedule in again, the counter should starts from +previous left. However, it starts from the fixed period -2000000 again. + +A special variant of intel_pmu_save_and_restart() is used for +auto-reload, which doesn't update the hwc->period_left. +When the monitored task schedules in again, perf doesn't know the left +period. The fixed period is used, which is inaccurate. + +With auto-reload, the counter always has a negative counter value. So +the left period is -value. Update the period_left in +intel_pmu_save_and_restart_reload(). + +With the patch: + + //The MSR trace of task schedule out + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0 + write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 0 + write_msr: MSR_P6_EVNTSEL0(186), value 40003003c + rdpmc: 0, value ffffffe25cbc + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff + + //The MSR trace of the same task schedule in again + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0 + write_msr: MSR_IA32_PMC0(4c1), value ffffffe25cbc + write_msr: MSR_P6_EVNTSEL0(186), value 40043003c + write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 1 + write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff + +Fixes: d31fc13fdcb2 ("perf/x86/intel: Fix event update for auto-reload") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Link: https://lkml.kernel.org/r/20200121190125.3389-1-kan.liang@linux.intel.com + +Acked-by: Joerg Roedel +--- + arch/x86/events/intel/ds.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c +index 4b94ae4ae369..dc43cc124e09 100644 +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1714,6 +1714,8 @@ intel_pmu_save_and_restart_reload(struct perf_event *event, int count) + old = ((s64)(prev_raw_count << shift) >> shift); + local64_add(new - old + count * period, &event->count); + ++ local64_set(&hwc->period_left, -new); ++ + perf_event_update_userpage(event); + + return 0; + diff --git a/patches.suse/phy-qualcomm-Adjust-indentation-in-read_poll_timeout.patch b/patches.suse/phy-qualcomm-Adjust-indentation-in-read_poll_timeout.patch new file mode 100644 index 0000000..891b480 --- /dev/null +++ b/patches.suse/phy-qualcomm-Adjust-indentation-in-read_poll_timeout.patch @@ -0,0 +1,52 @@ +From a89806c998ee123bb9c0f18526e55afd12c0c0ab Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 17 Dec 2019 18:36:37 -0700 +Subject: [PATCH] phy: qualcomm: Adjust indentation in read_poll_timeout +Git-commit: a89806c998ee123bb9c0f18526e55afd12c0c0ab +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Clang warns: + +../drivers/phy/qualcomm/phy-qcom-apq8064-sata.c:83:4: warning: +misleading indentation; statement is not part of the previous 'if' +[-Wmisleading-indentation] + usleep_range(DELAY_INTERVAL_US, DELAY_INTERVAL_US + 50); + ^ +../drivers/phy/qualcomm/phy-qcom-apq8064-sata.c:80:3: note: previous +statement is here + if (readl_relaxed(addr) & mask) + ^ +1 warning generated. + +This warning occurs because there is a space after the tab on this line. +Remove it so that the indentation is consistent with the Linux kernel +coding style and clang no longer warns. + +Fixes: 1de990d8a169 ("phy: qcom: Add driver for QCOM APQ8064 SATA PHY") +Link: https://github.com/ClangBuiltLinux/linux/issues/816 +Signed-off-by: Nathan Chancellor +Reviewed-by: Bjorn Andersson +Signed-off-by: Kishon Vijay Abraham I +Acked-by: Takashi Iwai + +--- + drivers/phy/qualcomm/phy-qcom-apq8064-sata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-apq8064-sata.c b/drivers/phy/qualcomm/phy-qcom-apq8064-sata.c +index 42bc5150dd92..febe0aef68d4 100644 +--- a/drivers/phy/qualcomm/phy-qcom-apq8064-sata.c ++++ b/drivers/phy/qualcomm/phy-qcom-apq8064-sata.c +@@ -80,7 +80,7 @@ static int read_poll_timeout(void __iomem *addr, u32 mask) + if (readl_relaxed(addr) & mask) + return 0; + +- usleep_range(DELAY_INTERVAL_US, DELAY_INTERVAL_US + 50); ++ usleep_range(DELAY_INTERVAL_US, DELAY_INTERVAL_US + 50); + } while (!time_after(jiffies, timeout)); + + return (readl_relaxed(addr) & mask) ? 0 : -ETIMEDOUT; +-- +2.16.4 + diff --git a/patches.suse/pinctrl-cherryview-Fix-irq_valid_mask-calculation.patch b/patches.suse/pinctrl-cherryview-Fix-irq_valid_mask-calculation.patch new file mode 100644 index 0000000..c4a8eea --- /dev/null +++ b/patches.suse/pinctrl-cherryview-Fix-irq_valid_mask-calculation.patch @@ -0,0 +1,53 @@ +From 63bdef6cd6941917c823b9cc9aa0219d19fcb716 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 18 Oct 2019 11:08:42 +0200 +Subject: [PATCH] pinctrl: cherryview: Fix irq_valid_mask calculation +Git-commit: 63bdef6cd6941917c823b9cc9aa0219d19fcb716 +No-fix: 3739898576a13a41e319cf7d875cb68b9d9d35cc +Patch-mainline: v5.4-rc7 +References: bsc#1111666 + +Commit 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux +GPIO translation") has made the cherryview gpio numbers sparse, to get +a 1:1 mapping between ACPI pin numbers and gpio numbers in Linux. + +This has greatly simplified things, but the code setting the +irq_valid_mask was not updated for this, so the valid mask is still in +the old "compressed" numbering with the gaps in the pin numbers skipped, +which is wrong as irq_valid_mask needs to be expressed in gpio numbers. + +This results in the following error on devices using pin 24 (0x0018) on +the north GPIO controller as an ACPI event source: + +[ 0.422452] cherryview-pinctrl INT33FF:01: Failed to translate GPIO to IRQ + +This has been reported (by email) to be happening on a Caterpillar CAT T20 +tablet and I've reproduced this myself on a Medion Akoya e2215t 2-in-1. + +This commit uses the pin number instead of the compressed index into +community->pins to clear the correct bits in irq_valid_mask for GPIOs +using GPEs for interrupts, fixing these errors and in case of the +Medion Akoya e2215t also fixing the LID switch not working. + +Cc: stable@vger.kernel.org +Fixes: 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux GPIO translation") +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Signed-off-by: Mika Westerberg +Acked-by: Takashi Iwai + +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1587,7 +1587,7 @@ static int chv_gpio_probe(struct chv_pin + intsel >>= CHV_PADCTRL0_INTSEL_SHIFT; + + if (need_valid_mask && intsel >= community->nirqs) +- clear_bit(i, chip->irq_valid_mask); ++ clear_bit(desc->number, chip->irq_valid_mask); + } + + /* diff --git a/patches.suse/pinctrl-qcom-ssbi-gpio-fix-gpio-hog-related-boot-iss.patch b/patches.suse/pinctrl-qcom-ssbi-gpio-fix-gpio-hog-related-boot-iss.patch new file mode 100644 index 0000000..02ac866 --- /dev/null +++ b/patches.suse/pinctrl-qcom-ssbi-gpio-fix-gpio-hog-related-boot-iss.patch @@ -0,0 +1,69 @@ +From 7ed07855773814337b9814f1c3e866df52ebce68 Mon Sep 17 00:00:00 2001 +From: Brian Masney +Date: Sat, 10 Nov 2018 20:34:11 -0500 +Subject: [PATCH] pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues +Git-commit: 7ed07855773814337b9814f1c3e866df52ebce68 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +When attempting to setup up a gpio hog, device probing will repeatedly +fail with -EPROBE_DEFERED errors. It is caused by a circular dependency +between the gpio and pinctrl frameworks. If the gpio-ranges property is +present in device tree, then the gpio framework will handle the gpio pin +registration and eliminate the circular dependency. + +See Christian Lamparter's commit a86caa9ba5d7 ("pinctrl: msm: fix +gpio-hog related boot issues") for a detailed commit message that +explains the issue in much more detail. The code comment in this commit +came from Christian's commit. + +I did not test this change against any hardware supported by this +particular driver, however I was able to validate this same fix works +for pinctrl-spmi-gpio.c using a LG Nexus 5 (hammerhead) phone. + +Signed-off-by: Brian Masney +Reviewed-by: Bjorn Andersson +Signed-off-by: Linus Walleij +Acked-by: Takashi Iwai + +--- + drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c b/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c +index 6b30bef829ab..ded7d765af2e 100644 +--- a/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c ++++ b/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c +@@ -762,12 +762,23 @@ static int pm8xxx_gpio_probe(struct platform_device *pdev) + return ret; + } + +- ret = gpiochip_add_pin_range(&pctrl->chip, +- dev_name(pctrl->dev), +- 0, 0, pctrl->chip.ngpio); +- if (ret) { +- dev_err(pctrl->dev, "failed to add pin range\n"); +- goto unregister_gpiochip; ++ /* ++ * For DeviceTree-supported systems, the gpio core checks the ++ * pinctrl's device node for the "gpio-ranges" property. ++ * If it is present, it takes care of adding the pin ranges ++ * for the driver. In this case the driver can skip ahead. ++ * ++ * In order to remain compatible with older, existing DeviceTree ++ * files which don't set the "gpio-ranges" property or systems that ++ * utilize ACPI the driver has to call gpiochip_add_pin_range(). ++ */ ++ if (!of_property_read_bool(pctrl->dev->of_node, "gpio-ranges")) { ++ ret = gpiochip_add_pin_range(&pctrl->chip, dev_name(pctrl->dev), ++ 0, 0, pctrl->chip.ngpio); ++ if (ret) { ++ dev_err(pctrl->dev, "failed to add pin range\n"); ++ goto unregister_gpiochip; ++ } + } + + platform_set_drvdata(pdev, pctrl); +-- +2.16.4 + diff --git a/patches.suse/pinctrl-sh-pfc-r8a7778-Fix-duplicate-SDSELF_B-and-SD.patch b/patches.suse/pinctrl-sh-pfc-r8a7778-Fix-duplicate-SDSELF_B-and-SD.patch new file mode 100644 index 0000000..aff4012 --- /dev/null +++ b/patches.suse/pinctrl-sh-pfc-r8a7778-Fix-duplicate-SDSELF_B-and-SD.patch @@ -0,0 +1,45 @@ +From 805f635703b2562b5ddd822c62fc9124087e5dd5 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 18 Dec 2019 20:48:07 +0100 +Subject: [PATCH] pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B +Git-commit: 805f635703b2562b5ddd822c62fc9124087e5dd5 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +The FN_SDSELF_B and FN_SD1_CLK_B enum IDs are used twice, which means +one set of users must be wrong. Replace them by the correct enum IDs. + +Fixes: 87f8c988636db0d4 ("sh-pfc: Add r8a7778 pinmux support") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191218194812.12741-2-geert+renesas@glider.be +Acked-by: Takashi Iwai + +--- + drivers/pinctrl/sh-pfc/pfc-r8a7778.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/sh-pfc/pfc-r8a7778.c b/drivers/pinctrl/sh-pfc/pfc-r8a7778.c +index 24866a5958ae..a9875038ed9b 100644 +--- a/drivers/pinctrl/sh-pfc/pfc-r8a7778.c ++++ b/drivers/pinctrl/sh-pfc/pfc-r8a7778.c +@@ -2305,7 +2305,7 @@ static const struct pinmux_cfg_reg pinmux_config_regs[] = { + FN_ATAG0_A, 0, FN_REMOCON_B, 0, + /* IP0_11_8 [4] */ + FN_SD1_DAT2_A, FN_MMC_D2, 0, FN_BS, +- FN_ATADIR0_A, 0, FN_SDSELF_B, 0, ++ FN_ATADIR0_A, 0, FN_SDSELF_A, 0, + FN_PWM4_B, 0, 0, 0, + 0, 0, 0, 0, + /* IP0_7_5 [3] */ +@@ -2349,7 +2349,7 @@ static const struct pinmux_cfg_reg pinmux_config_regs[] = { + FN_TS_SDAT0_A, 0, 0, 0, + 0, 0, 0, 0, + /* IP1_10_8 [3] */ +- FN_SD1_CLK_B, FN_MMC_D6, 0, FN_A24, ++ FN_SD1_CD_A, FN_MMC_D6, 0, FN_A24, + FN_DREQ1_A, 0, FN_HRX0_B, FN_TS_SPSYNC0_A, + /* IP1_7_5 [3] */ + FN_A23, FN_HTX0_B, FN_TX2_B, FN_DACK2_A, +-- +2.16.4 + diff --git a/patches.suse/power-supply-ltc2941-battery-gauge-fix-use-after-fre.patch b/patches.suse/power-supply-ltc2941-battery-gauge-fix-use-after-fre.patch new file mode 100644 index 0000000..0a57424 --- /dev/null +++ b/patches.suse/power-supply-ltc2941-battery-gauge-fix-use-after-fre.patch @@ -0,0 +1,45 @@ +From a60ec78d306c6548d4adbc7918b587a723c555cc Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Thu, 19 Sep 2019 11:11:37 -0400 +Subject: [PATCH] power: supply: ltc2941-battery-gauge: fix use-after-free +Git-commit: a60ec78d306c6548d4adbc7918b587a723c555cc +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +This driver's remove path calls cancel_delayed_work(). +However, that function does not wait until the work function +finishes. This could mean that the work function is still +running after the driver's remove function has finished, +which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +that the work is properly cancelled, no longer running, and +unable to re-schedule itself. + +This issue was detected with the help of Coccinelle. + +Cc: stable +Signed-off-by: Sven Van Asbroeck +Signed-off-by: Sebastian Reichel +Acked-by: Takashi Iwai + +--- + drivers/power/supply/ltc2941-battery-gauge.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/ltc2941-battery-gauge.c b/drivers/power/supply/ltc2941-battery-gauge.c +index da49436176cd..30a9014b2f95 100644 +--- a/drivers/power/supply/ltc2941-battery-gauge.c ++++ b/drivers/power/supply/ltc2941-battery-gauge.c +@@ -449,7 +449,7 @@ static int ltc294x_i2c_remove(struct i2c_client *client) + { + struct ltc294x_info *info = i2c_get_clientdata(client); + +- cancel_delayed_work(&info->work); ++ cancel_delayed_work_sync(&info->work); + power_supply_unregister(info->supply); + return 0; + } +-- +2.16.4 + diff --git a/patches.suse/powerpc-Enable-support-for-ibm-drc-info-devtree-prop.patch b/patches.suse/powerpc-Enable-support-for-ibm-drc-info-devtree-prop.patch new file mode 100644 index 0000000..fbf5ab5 --- /dev/null +++ b/patches.suse/powerpc-Enable-support-for-ibm-drc-info-devtree-prop.patch @@ -0,0 +1,35 @@ +From 02ef6dd8109b581343ebeb1c4c973513682535d6 Mon Sep 17 00:00:00 2001 +From: Michael Bringmann +Date: Fri, 1 Dec 2017 17:19:55 -0600 +Subject: [PATCH] powerpc: Enable support for ibm,drc-info devtree property + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v4.16-rc1 +Git-commit: 02ef6dd8109b581343ebeb1c4c973513682535d6 + +prom_init.c: Enable support for new DRC device tree property +"ibm,drc-info" in initial handshake between the Linux kernel and +the front end processor. + +Signed-off-by: Michael Bringmann +Signed-off-by: Michael Ellerman +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/prom_init.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index acf4b2e0530c..adf044daafd7 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -874,6 +874,7 @@ struct ibm_arch_vec __cacheline_aligned ibm_architecture_vec = { + .mmu = 0, + .hash_ext = 0, + .radix_ext = 0, ++ .byte22 = OV5_FEAT(OV5_DRC_INFO), + }, + + /* option vector 6: IBM PAPR hints */ +-- +2.23.0 + diff --git a/patches.suse/powerpc-avoid-adjusting-memory_limit-for-capture-ker.patch b/patches.suse/powerpc-avoid-adjusting-memory_limit-for-capture-ker.patch new file mode 100644 index 0000000..fb9bc09 --- /dev/null +++ b/patches.suse/powerpc-avoid-adjusting-memory_limit-for-capture-ker.patch @@ -0,0 +1,105 @@ +From 5189c44bcdcc903120a3a793c4de78066dfc9c00 Mon Sep 17 00:00:00 2001 +Message-Id: <5189c44bcdcc903120a3a793c4de78066dfc9c00.1582043081.git.msuchanek@suse.de> +In-Reply-To: +From: Hari Bathini +Date: Fri, 28 Jun 2019 00:51:19 +0530 +Subject: [PATCH rebased 2/2] powerpc: avoid adjusting memory_limit for capture + kernel memory reservation + +Patch-mainline: submitted https://patchwork.ozlabs.org/patch/1240173/ +References: bsc#1140025 ltc#176086 + +Currently, if memory_limit is specified and it overlaps with memory to +be reserved for capture kernel, memory_limit is adjusted to accommodate +capture kernel. With memory reservation for capture kernel moved later +(after enforcing memory limit), this adjustment no longer holds water. +So, avoid adjusting memory_limit and error out instead. + +Signed-off-by: Hari Bathini +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/fadump.c | 16 ---------------- + arch/powerpc/kernel/machine_kexec.c | 22 +++++++++++----------- + 2 files changed, 11 insertions(+), 27 deletions(-) + +diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c +index 4eab972..a784695 100644 +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -476,22 +476,6 @@ int __init fadump_reserve_mem(void) + #endif + } + +- /* +- * Calculate the memory boundary. +- * If memory_limit is less than actual memory boundary then reserve +- * the memory for fadump beyond the memory_limit and adjust the +- * memory_limit accordingly, so that the running kernel can run with +- * specified memory_limit. +- */ +- if (memory_limit && memory_limit < memblock_end_of_DRAM()) { +- size = get_fadump_area_size(); +- if ((memory_limit + size) < memblock_end_of_DRAM()) +- memory_limit += size; +- else +- memory_limit = memblock_end_of_DRAM(); +- printk(KERN_INFO "Adjusted memory_limit for firmware-assisted" +- " dump, now %#016llx\n", memory_limit); +- } + if (memory_limit) + memory_boundary = memory_limit; + else +diff --git a/arch/powerpc/kernel/machine_kexec.c b/arch/powerpc/kernel/machine_kexec.c +index c4ed328..fc5533b 100644 +--- a/arch/powerpc/kernel/machine_kexec.c ++++ b/arch/powerpc/kernel/machine_kexec.c +@@ -125,10 +125,8 @@ void __init reserve_crashkernel(void) + crashk_res.end = crash_base + crash_size - 1; + } + +- if (crashk_res.end == crashk_res.start) { +- crashk_res.start = crashk_res.end = 0; +- return; +- } ++ if (crashk_res.end == crashk_res.start) ++ goto error_out; + + /* We might have got these values via the command line or the + * device tree, either way sanitise them now. */ +@@ -170,15 +168,13 @@ void __init reserve_crashkernel(void) + if (overlaps_crashkernel(__pa(_stext), _end - _stext)) { + printk(KERN_WARNING + "Crash kernel can not overlap current kernel\n"); +- crashk_res.start = crashk_res.end = 0; +- return; ++ goto error_out; + } + + /* Crash kernel trumps memory limit */ + if (memory_limit && memory_limit <= crashk_res.end) { +- memory_limit = crashk_res.end + 1; +- printk("Adjusted memory limit for crashkernel, now 0x%llx\n", +- memory_limit); ++ pr_err("Crash kernel size can't exceed memory_limit\n"); ++ goto error_out; + } + + printk(KERN_INFO "Reserving %ldMB of memory at %ldMB " +@@ -190,9 +186,13 @@ void __init reserve_crashkernel(void) + if (!memblock_is_region_memory(crashk_res.start, crash_size) || + memblock_reserve(crashk_res.start, crash_size)) { + pr_err("Failed to reserve memory for crashkernel!\n"); +- crashk_res.start = crashk_res.end = 0; +- return; ++ goto error_out; + } ++ ++ return; ++error_out: ++ crashk_res.start = crashk_res.end = 0; ++ return; + } + + int overlaps_crashkernel(unsigned long start, unsigned long size) + + diff --git a/patches.suse/powerpc-mm-Remove-kvm-radix-prefetch-workaround-for-.patch b/patches.suse/powerpc-mm-Remove-kvm-radix-prefetch-workaround-for-.patch new file mode 100644 index 0000000..2473243 --- /dev/null +++ b/patches.suse/powerpc-mm-Remove-kvm-radix-prefetch-workaround-for-.patch @@ -0,0 +1,131 @@ +From 736bcdd3a9fc672af33fb83230ecd0570ec38ec6 Mon Sep 17 00:00:00 2001 +From: Jordan Niethe +Date: Fri, 6 Dec 2019 14:17:22 +1100 +Subject: [PATCH] powerpc/mm: Remove kvm radix prefetch workaround for Power9 + DD2.2 + +References: bsc#1061840 +Patch-mainline: v5.6-rc1 +Git-commit: 736bcdd3a9fc672af33fb83230ecd0570ec38ec6 + +Commit a25bd72badfa ("powerpc/mm/radix: Workaround prefetch issue with +KVM") introduced a number of workarounds as coming out of a guest with +the mmu enabled would make the cpu would start running in hypervisor +state with the PID value from the guest. The cpu will then start +prefetching for the hypervisor with that PID value. + +In Power9 DD2.2 the cpu behaviour was modified to fix this. When +accessing Quadrant 0 in hypervisor mode with LPID != 0 prefetching will +not be performed. This means that we can get rid of the workarounds for +Power9 DD2.2 and later revisions. Add a new cpu feature +CPU_FTR_P9_RADIX_PREFETCH_BUG to indicate if the workarounds are needed. + +Signed-off-by: Jordan Niethe +Acked-by: Paul Mackerras +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191206031722.25781-1-jniethe5@gmail.com +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/cputable.h | 7 +++++-- + arch/powerpc/kernel/dt_cpu_ftrs.c | 13 ++++++++----- + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 2 ++ + arch/powerpc/mm/book3s64/radix_pgtable.c | 6 +++++- + arch/powerpc/mm/book3s64/radix_tlb.c | 3 +++ + 5 files changed, 23 insertions(+), 8 deletions(-) + +--- a/arch/powerpc/include/asm/cputable.h ++++ b/arch/powerpc/include/asm/cputable.h +@@ -214,6 +214,7 @@ static inline void cpu_feature_keys_init + #define CPU_FTR_P9_TM_XER_SO_BUG LONG_ASM_CONST(0x0000200000000000) + #define CPU_FTR_P9_TLBIE_STQ_BUG LONG_ASM_CONST(0x0000400000000000) + #define CPU_FTR_P9_TLBIE_ERAT_BUG LONG_ASM_CONST(0x0001000000000000) ++#define CPU_FTR_P9_RADIX_PREFETCH_BUG LONG_ASM_CONST(0x0002000000000000) + + #ifndef __ASSEMBLY__ + +@@ -462,8 +463,10 @@ static inline void cpu_feature_keys_init + CPU_FTR_DBELL | CPU_FTR_HAS_PPR | CPU_FTR_ARCH_207S | \ + CPU_FTR_TM_COMP | CPU_FTR_ARCH_300 | CPU_FTR_PKEY | \ + CPU_FTR_P9_TLBIE_STQ_BUG | CPU_FTR_P9_TLBIE_ERAT_BUG) +-#define CPU_FTRS_POWER9_DD2_0 CPU_FTRS_POWER9 +-#define CPU_FTRS_POWER9_DD2_1 (CPU_FTRS_POWER9 | CPU_FTR_POWER9_DD2_1) ++#define CPU_FTRS_POWER9_DD2_0 (CPU_FTRS_POWER9 | CPU_FTR_P9_RADIX_PREFETCH_BUG) ++#define CPU_FTRS_POWER9_DD2_1 (CPU_FTRS_POWER9 | \ ++ CPU_FTR_P9_RADIX_PREFETCH_BUG | \ ++ CPU_FTR_POWER9_DD2_1) + #define CPU_FTRS_POWER9_DD2_2 (CPU_FTRS_POWER9 | CPU_FTR_POWER9_DD2_1 | \ + CPU_FTR_P9_TM_HV_ASSIST | \ + CPU_FTR_P9_TM_XER_SO_BUG) +--- a/arch/powerpc/kernel/dt_cpu_ftrs.c ++++ b/arch/powerpc/kernel/dt_cpu_ftrs.c +@@ -725,17 +725,20 @@ static __init void cpufeatures_cpu_quirk + /* + * Not all quirks can be derived from the cpufeatures device tree. + */ +- if ((version & 0xffffefff) == 0x004e0200) +- ; /* DD2.0 has no feature flag */ +- else if ((version & 0xffffefff) == 0x004e0201) ++ if ((version & 0xffffefff) == 0x004e0200) { ++ /* DD2.0 has no feature flag */ ++ cur_cpu_spec->cpu_features |= CPU_FTR_P9_RADIX_PREFETCH_BUG; ++ } else if ((version & 0xffffefff) == 0x004e0201) { + cur_cpu_spec->cpu_features |= CPU_FTR_POWER9_DD2_1; +- else if ((version & 0xffffefff) == 0x004e0202) { ++ cur_cpu_spec->cpu_features |= CPU_FTR_P9_RADIX_PREFETCH_BUG; ++ } else if ((version & 0xffffefff) == 0x004e0202) { + cur_cpu_spec->cpu_features |= CPU_FTR_P9_TM_HV_ASSIST; + cur_cpu_spec->cpu_features |= CPU_FTR_P9_TM_XER_SO_BUG; + cur_cpu_spec->cpu_features |= CPU_FTR_POWER9_DD2_1; +- } else if ((version & 0xffff0000) == 0x004e0000) ++ } else if ((version & 0xffff0000) == 0x004e0000) { + /* DD2.1 and up have DD2_1 */ + cur_cpu_spec->cpu_features |= CPU_FTR_POWER9_DD2_1; ++ } + + if ((version & 0xffff0000) == 0x004e0000) { + cur_cpu_spec->cpu_features &= ~(CPU_FTR_DAWR); +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -1953,6 +1953,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) + tlbsync + ptesync + ++BEGIN_FTR_SECTION + /* Radix: Handle the case where the guest used an illegal PID */ + LOAD_REG_ADDR(r4, mmu_base_pid) + lwz r3, VCPU_GUEST_PID(r9) +@@ -1982,6 +1983,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) + addi r7,r7,0x1000 + bdnz 1b + ptesync ++END_FTR_SECTION_IFSET(CPU_FTR_P9_RADIX_PREFETCH_BUG) + + 2: + #endif /* CONFIG_PPC_RADIX_MMU */ +--- a/arch/powerpc/mm/pgtable-radix.c ++++ b/arch/powerpc/mm/pgtable-radix.c +@@ -274,7 +274,11 @@ static void __init radix_init_pgtable(vo + reg->base + reg->size)); + + /* Find out how many PID bits are supported */ +- if (cpu_has_feature(CPU_FTR_HVMODE)) { ++ if (!cpu_has_feature(CPU_FTR_P9_RADIX_PREFETCH_BUG)) { ++ if (!mmu_pid_bits) ++ mmu_pid_bits = 20; ++ mmu_base_pid = 1; ++ } else if (cpu_has_feature(CPU_FTR_HVMODE)) { + if (!mmu_pid_bits) + mmu_pid_bits = 20; + #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE +--- a/arch/powerpc/mm/tlb-radix.c ++++ b/arch/powerpc/mm/tlb-radix.c +@@ -963,6 +963,9 @@ extern void radix_kvm_prefetch_workaroun + if (unlikely(pid == MMU_NO_CONTEXT)) + return; + ++ if (!cpu_has_feature(CPU_FTR_P9_RADIX_PREFETCH_BUG)) ++ return; ++ + /* + * If this context hasn't run on that CPU before and KVM is + * around, there's a slim chance that the guest on another diff --git a/patches.suse/powerpc-papr_scm-Don-t-enable-direct-map-for-a-regio.patch b/patches.suse/powerpc-papr_scm-Don-t-enable-direct-map-for-a-regio.patch new file mode 100644 index 0000000..6060ff9 --- /dev/null +++ b/patches.suse/powerpc-papr_scm-Don-t-enable-direct-map-for-a-regio.patch @@ -0,0 +1,45 @@ +From 7e6f8cbc5e10cf7601c762db267b795273d53078 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Wed, 8 Jan 2020 12:16:47 +0530 +Subject: [PATCH] powerpc/papr_scm: Don't enable direct map for a region by + default + +References: bsc#1129551 +Patch-mainline: v5.6-rc1 +Git-commit: 7e6f8cbc5e10cf7601c762db267b795273d53078 + +Setting ND_REGION_PAGEMAP flag implies namespace mode defaults to fsdax mode. +This also means kernel ends up creating struct page backing for these namspace +ranges. With large namespaces that is not the right thing to do. We +should let the user select the mode he/she wants the namespace to be created +with. + +Hence disable ND_REGION_PAGEMAP for papr_scm regions. We still keep the flag for +of_pmem because it supports only small persistent memory regions. + +This is similar to what is done for x86 with commit +commit: 004f1afbe199 ("libnvdimm, pmem: direct map legacy pmem by default") + +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200108064647.169637-1-aneesh.kumar@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/papr_scm.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c +index cdd316c6cef3..8da39a9c5569 100644 +--- a/arch/powerpc/platforms/pseries/papr_scm.c ++++ b/arch/powerpc/platforms/pseries/papr_scm.c +@@ -357,7 +357,6 @@ static int papr_scm_nvdimm_init(struct papr_scm_priv *p) + ndr_desc.mapping = &mapping; + ndr_desc.num_mappings = 1; + ndr_desc.nd_set = &p->nd_set; +- set_bit(ND_REGION_PAGEMAP, &ndr_desc.flags); + + if (p->is_volatile) + p->region = nvdimm_volatile_region_create(p->bus, &ndr_desc); +-- +2.23.0 + diff --git a/patches.suse/powerpc-papr_scm-Fix-leaking-bus_desc.provider_name-.patch b/patches.suse/powerpc-papr_scm-Fix-leaking-bus_desc.provider_name-.patch new file mode 100644 index 0000000..a2e29fa --- /dev/null +++ b/patches.suse/powerpc-papr_scm-Fix-leaking-bus_desc.provider_name-.patch @@ -0,0 +1,49 @@ +From 5649607a8d0b0e019a4db14aab3de1e16c3a2b4f Mon Sep 17 00:00:00 2001 +From: Vaibhav Jain +Date: Wed, 22 Jan 2020 21:21:40 +0530 +Subject: [PATCH] powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in + some paths + +References: FATE#327775 bsc#1142685 ltc#179509 +Patch-mainline: v5.6-rc1 +Git-commit: 5649607a8d0b0e019a4db14aab3de1e16c3a2b4f + +String 'bus_desc.provider_name' allocated inside +papr_scm_nvdimm_init() will leaks in case call to +nvdimm_bus_register() fails or when papr_scm_remove() is called. + +This minor patch ensures that 'bus_desc.provider_name' is freed in +error path for nvdimm_bus_register() as well as in papr_scm_remove(). + +Fixes: b5beae5e224f ("powerpc/pseries: Add driver for PAPR SCM regions") +Signed-off-by: Vaibhav Jain +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200122155140.120429-1-vaibhav@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/papr_scm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c +index 8da39a9c5569..0b4467e378e5 100644 +--- a/arch/powerpc/platforms/pseries/papr_scm.c ++++ b/arch/powerpc/platforms/pseries/papr_scm.c +@@ -323,6 +323,7 @@ static int papr_scm_nvdimm_init(struct papr_scm_priv *p) + p->bus = nvdimm_bus_register(NULL, &p->bus_desc); + if (!p->bus) { + dev_err(dev, "Error creating nvdimm bus %pOF\n", p->dn); ++ kfree(p->bus_desc.provider_name); + return -ENXIO; + } + +@@ -477,6 +478,7 @@ static int papr_scm_remove(struct platform_device *pdev) + + nvdimm_bus_unregister(p->bus); + drc_pmem_unbind(p); ++ kfree(p->bus_desc.provider_name); + kfree(p); + + return 0; +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-Add-cpu-DLPAR-support-for-drc-info-p.patch b/patches.suse/powerpc-pseries-Add-cpu-DLPAR-support-for-drc-info-p.patch new file mode 100644 index 0000000..a1089d8 --- /dev/null +++ b/patches.suse/powerpc-pseries-Add-cpu-DLPAR-support-for-drc-info-p.patch @@ -0,0 +1,220 @@ +From b015f6bc9547dbc056edde7177c7868ca8629c4c Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Sun, 10 Nov 2019 23:21:30 -0600 +Subject: [PATCH] powerpc/pseries: Add cpu DLPAR support for drc-info property + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v5.5-rc1 +Git-commit: b015f6bc9547dbc056edde7177c7868ca8629c4c + +Older firmwares provided information about Dynamic Reconfig +Connectors (DRC) through several device tree properties, namely +ibm,drc-types, ibm,drc-indexes, ibm,drc-names, and +ibm,drc-power-domains. New firmwares have the ability to present this +same information in a much condensed format through a device tree +property called ibm,drc-info. + +The existing cpu DLPAR hotplug code only understands the older DRC +property format when validating the drc-index of a cpu during a +hotplug add. This updates those code paths to use the ibm,drc-info +property, when present, instead for validation. + +Signed-off-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-4-git-send-email-tyreld@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/hotplug-cpu.c | 127 ++++++++++++++++--- + 1 file changed, 112 insertions(+), 15 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c +index 8ab24bd7f89c..3e8cbfe7a80f 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c ++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c +@@ -465,17 +465,67 @@ static bool dlpar_cpu_exists(struct device_node *parent, u32 drc_index) + return found; + } + ++static bool drc_info_valid_index(struct device_node *parent, u32 drc_index) ++{ ++ struct property *info; ++ struct of_drc_info drc; ++ const __be32 *value; ++ u32 index; ++ int count, i, j; ++ ++ info = of_find_property(parent, "ibm,drc-info", NULL); ++ if (!info) ++ return false; ++ ++ value = of_prop_next_u32(info, NULL, &count); ++ ++ /* First value of ibm,drc-info is number of drc-info records */ ++ if (value) ++ value++; ++ else ++ return false; ++ ++ for (i = 0; i < count; i++) { ++ if (of_read_drc_info_cell(&info, &value, &drc)) ++ return false; ++ ++ if (strncmp(drc.drc_type, "CPU", 3)) ++ break; ++ ++ if (drc_index > drc.last_drc_index) ++ continue; ++ ++ index = drc.drc_index_start; ++ for (j = 0; j < drc.num_sequential_elems; j++) { ++ if (drc_index == index) ++ return true; ++ ++ index += drc.sequential_inc; ++ } ++ } ++ ++ return false; ++} ++ + static bool valid_cpu_drc_index(struct device_node *parent, u32 drc_index) + { + bool found = false; + int rc, index; + +- index = 0; ++ if (of_find_property(parent, "ibm,drc-info", NULL)) ++ return drc_info_valid_index(parent, drc_index); ++ ++ /* Note that the format of the ibm,drc-indexes array is ++ * the number of entries in the array followed by the array ++ * of drc values so we start looking at index = 1. ++ */ ++ index = 1; + while (!found) { + u32 drc; + + rc = of_property_read_u32_index(parent, "ibm,drc-indexes", + index++, &drc); ++ + if (rc) + break; + +@@ -718,19 +768,52 @@ static int dlpar_cpu_remove_by_count(u32 cpus_to_remove) + return rc; + } + +-static int find_dlpar_cpus_to_add(u32 *cpu_drcs, u32 cpus_to_add) ++static int find_drc_info_cpus_to_add(struct device_node *cpus, ++ struct property *info, ++ u32 *cpu_drcs, u32 cpus_to_add) + { +- struct device_node *parent; ++ struct of_drc_info drc; ++ const __be32 *value; ++ u32 count, drc_index; + int cpus_found = 0; +- int index, rc; ++ int i, j; + +- parent = of_find_node_by_path("/cpus"); +- if (!parent) { +- pr_warn("Could not find CPU root node in device tree\n"); +- kfree(cpu_drcs); ++ if (!info) + return -1; ++ ++ value = of_prop_next_u32(info, NULL, &count); ++ if (value) ++ value++; ++ ++ for (i = 0; i < count; i++) { ++ of_read_drc_info_cell(&info, &value, &drc); ++ if (strncmp(drc.drc_type, "CPU", 3)) ++ break; ++ ++ drc_index = drc.drc_index_start; ++ for (j = 0; j < drc.num_sequential_elems; j++) { ++ if (dlpar_cpu_exists(cpus, drc_index)) ++ continue; ++ ++ cpu_drcs[cpus_found++] = drc_index; ++ ++ if (cpus_found == cpus_to_add) ++ return cpus_found; ++ ++ drc_index += drc.sequential_inc; ++ } + } + ++ return cpus_found; ++} ++ ++static int find_drc_index_cpus_to_add(struct device_node *cpus, ++ u32 *cpu_drcs, u32 cpus_to_add) ++{ ++ int cpus_found = 0; ++ int index, rc; ++ u32 drc_index; ++ + /* Search the ibm,drc-indexes array for possible CPU drcs to + * add. Note that the format of the ibm,drc-indexes array is + * the number of entries in the array followed by the array +@@ -738,25 +821,25 @@ static int find_dlpar_cpus_to_add(u32 *cpu_drcs, u32 cpus_to_add) + */ + index = 1; + while (cpus_found < cpus_to_add) { +- u32 drc; ++ rc = of_property_read_u32_index(cpus, "ibm,drc-indexes", ++ index++, &drc_index); + +- rc = of_property_read_u32_index(parent, "ibm,drc-indexes", +- index++, &drc); + if (rc) + break; + +- if (dlpar_cpu_exists(parent, drc)) ++ if (dlpar_cpu_exists(cpus, drc_index)) + continue; + +- cpu_drcs[cpus_found++] = drc; ++ cpu_drcs[cpus_found++] = drc_index; + } + +- of_node_put(parent); + return cpus_found; + } + + static int dlpar_cpu_add_by_count(u32 cpus_to_add) + { ++ struct device_node *parent; ++ struct property *info; + u32 *cpu_drcs; + int cpus_added = 0; + int cpus_found; +@@ -768,7 +851,21 @@ static int dlpar_cpu_add_by_count(u32 cpus_to_add) + if (!cpu_drcs) + return -EINVAL; + +- cpus_found = find_dlpar_cpus_to_add(cpu_drcs, cpus_to_add); ++ parent = of_find_node_by_path("/cpus"); ++ if (!parent) { ++ pr_warn("Could not find CPU root node in device tree\n"); ++ kfree(cpu_drcs); ++ return -1; ++ } ++ ++ info = of_find_property(parent, "ibm,drc-info", NULL); ++ if (info) ++ cpus_found = find_drc_info_cpus_to_add(parent, info, cpu_drcs, cpus_to_add); ++ else ++ cpus_found = find_drc_index_cpus_to_add(parent, cpu_drcs, cpus_to_add); ++ ++ of_node_put(parent); ++ + if (cpus_found < cpus_to_add) { + pr_warn("Failed to find enough CPUs (%d of %d) to add\n", + cpus_found, cpus_to_add); +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-Advance-pfn-if-section-is-not-presen.patch b/patches.suse/powerpc-pseries-Advance-pfn-if-section-is-not-presen.patch new file mode 100644 index 0000000..c021920 --- /dev/null +++ b/patches.suse/powerpc-pseries-Advance-pfn-if-section-is-not-presen.patch @@ -0,0 +1,43 @@ +From fbee6ba2dca30d302efe6bddb3a886f5e964a257 Mon Sep 17 00:00:00 2001 +From: Pingfan Liu +Date: Fri, 10 Jan 2020 12:54:02 +0800 +Subject: [PATCH] powerpc/pseries: Advance pfn if section is not present in + lmb_is_removable() + +References: bsc#1065729 +Patch-mainline: v5.6-rc1 +Git-commit: fbee6ba2dca30d302efe6bddb3a886f5e964a257 + +In lmb_is_removable(), if a section is not present, it should continue +to test the rest of the sections in the block. But the current code +fails to do so. + +Fixes: 51925fb3c5c9 ("powerpc/pseries: Implement memory hotplug remove in the kernel") +Cc: stable@vger.kernel.org # v4.1+ +Signed-off-by: Pingfan Liu +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1578632042-12415-1-git-send-email-kernelfans@gmail.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/hotplug-memory.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c +index c126b94d1943..a4d40a3ceea3 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -360,8 +360,10 @@ static bool lmb_is_removable(struct drmem_lmb *lmb) + + for (i = 0; i < scns_per_block; i++) { + pfn = PFN_DOWN(phys_addr); +- if (!pfn_present(pfn)) ++ if (!pfn_present(pfn)) { ++ phys_addr += MIN_MEMORY_BLOCK_SIZE; + continue; ++ } + + rc = rc && is_mem_section_removable(pfn, PAGES_PER_SECTION); + phys_addr += MIN_MEMORY_BLOCK_SIZE; +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-Allow-not-having-ibm-hypertas-functi.patch b/patches.suse/powerpc-pseries-Allow-not-having-ibm-hypertas-functi.patch new file mode 100644 index 0000000..17596bd --- /dev/null +++ b/patches.suse/powerpc-pseries-Allow-not-having-ibm-hypertas-functi.patch @@ -0,0 +1,160 @@ +From 7559d3d295f3365ea7ac0c0274c05e633fe4f594 Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Mon, 16 Dec 2019 15:19:22 +1100 +Subject: [PATCH] powerpc/pseries: Allow not having ibm, + hypertas-functions::hcall-multi-tce for DDW + +References: bsc#1065729 +Patch-mainline: v5.6-rc1 +Git-commit: 7559d3d295f3365ea7ac0c0274c05e633fe4f594 + +By default a pseries guest supports a H_PUT_TCE hypercall which maps +a single IOMMU page in a DMA window. Additionally the hypervisor may +support H_PUT_TCE_INDIRECT/H_STUFF_TCE which update multiple TCEs at once; +this is advertised via the device tree /rtas/ibm,hypertas-functions +property which Linux converts to FW_FEATURE_MULTITCE. + +FW_FEATURE_MULTITCE is checked when dma_iommu_ops is used; however +the code managing the huge DMA window (DDW) ignores it and calls +H_PUT_TCE_INDIRECT even if it is explicitly disabled via +the "multitce=off" kernel command line parameter. + +This adds FW_FEATURE_MULTITCE checking to the DDW code path. + +This changes tce_build_pSeriesLP to take liobn and page size as +the huge window does not have iommu_table descriptor which usually +the place to store these numbers. + +Fixes: 4e8b0cf46b25 ("powerpc/pseries: Add support for dynamic dma windows") +Signed-off-by: Alexey Kardashevskiy +Reviewed-by: Thiago Jung Bauermann +Tested-by: Thiago Jung Bauermann +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191216041924.42318-3-aik@ozlabs.ru +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/iommu.c | 43 +++++++++++++++++--------- + 1 file changed, 29 insertions(+), 14 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c +index df7db33ca93b..b4ce9d472dfe 100644 +--- a/arch/powerpc/platforms/pseries/iommu.c ++++ b/arch/powerpc/platforms/pseries/iommu.c +@@ -132,10 +132,10 @@ static unsigned long tce_get_pseries(struct iommu_table *tbl, long index) + return be64_to_cpu(*tcep); + } + +-static void tce_free_pSeriesLP(struct iommu_table*, long, long); ++static void tce_free_pSeriesLP(unsigned long liobn, long, long); + static void tce_freemulti_pSeriesLP(struct iommu_table*, long, long); + +-static int tce_build_pSeriesLP(struct iommu_table *tbl, long tcenum, ++static int tce_build_pSeriesLP(unsigned long liobn, long tcenum, long tceshift, + long npages, unsigned long uaddr, + enum dma_data_direction direction, + unsigned long attrs) +@@ -146,25 +146,25 @@ static int tce_build_pSeriesLP(struct iommu_table *tbl, long tcenum, + int ret = 0; + long tcenum_start = tcenum, npages_start = npages; + +- rpn = __pa(uaddr) >> TCE_SHIFT; ++ rpn = __pa(uaddr) >> tceshift; + proto_tce = TCE_PCI_READ; + if (direction != DMA_TO_DEVICE) + proto_tce |= TCE_PCI_WRITE; + + while (npages--) { +- tce = proto_tce | (rpn & TCE_RPN_MASK) << TCE_RPN_SHIFT; +- rc = plpar_tce_put((u64)tbl->it_index, (u64)tcenum << 12, tce); ++ tce = proto_tce | (rpn & TCE_RPN_MASK) << tceshift; ++ rc = plpar_tce_put((u64)liobn, (u64)tcenum << tceshift, tce); + + if (unlikely(rc == H_NOT_ENOUGH_RESOURCES)) { + ret = (int)rc; +- tce_free_pSeriesLP(tbl, tcenum_start, ++ tce_free_pSeriesLP(liobn, tcenum_start, + (npages_start - (npages + 1))); + break; + } + + if (rc && printk_ratelimit()) { + printk("tce_build_pSeriesLP: plpar_tce_put failed. rc=%lld\n", rc); +- printk("\tindex = 0x%llx\n", (u64)tbl->it_index); ++ printk("\tindex = 0x%llx\n", (u64)liobn); + printk("\ttcenum = 0x%llx\n", (u64)tcenum); + printk("\ttce val = 0x%llx\n", tce ); + dump_stack(); +@@ -193,7 +193,8 @@ static int tce_buildmulti_pSeriesLP(struct iommu_table *tbl, long tcenum, + unsigned long flags; + + if ((npages == 1) || !firmware_has_feature(FW_FEATURE_MULTITCE)) { +- return tce_build_pSeriesLP(tbl, tcenum, npages, uaddr, ++ return tce_build_pSeriesLP(tbl->it_index, tcenum, ++ tbl->it_page_shift, npages, uaddr, + direction, attrs); + } + +@@ -209,8 +210,9 @@ static int tce_buildmulti_pSeriesLP(struct iommu_table *tbl, long tcenum, + /* If allocation fails, fall back to the loop implementation */ + if (!tcep) { + local_irq_restore(flags); +- return tce_build_pSeriesLP(tbl, tcenum, npages, uaddr, +- direction, attrs); ++ return tce_build_pSeriesLP(tbl->it_index, tcenum, ++ tbl->it_page_shift, ++ npages, uaddr, direction, attrs); + } + __this_cpu_write(tce_page, tcep); + } +@@ -261,16 +263,16 @@ static int tce_buildmulti_pSeriesLP(struct iommu_table *tbl, long tcenum, + return ret; + } + +-static void tce_free_pSeriesLP(struct iommu_table *tbl, long tcenum, long npages) ++static void tce_free_pSeriesLP(unsigned long liobn, long tcenum, long npages) + { + u64 rc; + + while (npages--) { +- rc = plpar_tce_put((u64)tbl->it_index, (u64)tcenum << 12, 0); ++ rc = plpar_tce_put((u64)liobn, (u64)tcenum << 12, 0); + + if (rc && printk_ratelimit()) { + printk("tce_free_pSeriesLP: plpar_tce_put failed. rc=%lld\n", rc); +- printk("\tindex = 0x%llx\n", (u64)tbl->it_index); ++ printk("\tindex = 0x%llx\n", (u64)liobn); + printk("\ttcenum = 0x%llx\n", (u64)tcenum); + dump_stack(); + } +@@ -285,7 +287,7 @@ static void tce_freemulti_pSeriesLP(struct iommu_table *tbl, long tcenum, long n + u64 rc; + + if (!firmware_has_feature(FW_FEATURE_MULTITCE)) +- return tce_free_pSeriesLP(tbl, tcenum, npages); ++ return tce_free_pSeriesLP(tbl->it_index, tcenum, npages); + + rc = plpar_tce_stuff((u64)tbl->it_index, (u64)tcenum << 12, 0, npages); + +@@ -400,6 +402,19 @@ static int tce_setrange_multi_pSeriesLP(unsigned long start_pfn, + u64 rc = 0; + long l, limit; + ++ if (!firmware_has_feature(FW_FEATURE_MULTITCE)) { ++ unsigned long tceshift = be32_to_cpu(maprange->tce_shift); ++ unsigned long dmastart = (start_pfn << PAGE_SHIFT) + ++ be64_to_cpu(maprange->dma_base); ++ unsigned long tcenum = dmastart >> tceshift; ++ unsigned long npages = num_pfn << PAGE_SHIFT >> tceshift; ++ void *uaddr = __va(start_pfn << PAGE_SHIFT); ++ ++ return tce_build_pSeriesLP(be32_to_cpu(maprange->liobn), ++ tcenum, tceshift, npages, (unsigned long) uaddr, ++ DMA_BIDIRECTIONAL, 0); ++ } ++ + local_irq_disable(); /* to protect tcep and the page behind it */ + tcep = __this_cpu_read(tce_page); + +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-Enable-support-for-ibm-drc-info-prop.patch b/patches.suse/powerpc-pseries-Enable-support-for-ibm-drc-info-prop.patch new file mode 100644 index 0000000..a52b763 --- /dev/null +++ b/patches.suse/powerpc-pseries-Enable-support-for-ibm-drc-info-prop.patch @@ -0,0 +1,37 @@ +From 0a87ccd3699983645f54cafd2258514a716b20b8 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Sun, 10 Nov 2019 23:21:37 -0600 +Subject: [PATCH] powerpc/pseries: Enable support for ibm,drc-info property + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v5.5-rc1 +Git-commit: 0a87ccd3699983645f54cafd2258514a716b20b8 + +Advertise client support for the PAPR architected ibm,drc-info device +tree property during CAS handshake. + +Fixes: c7a3275e0f9e ("powerpc/pseries: Revert support for ibm,drc-info devtree property") +Signed-off-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-11-git-send-email-tyreld@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/prom_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index 90987db10974..577345382b23 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -1065,7 +1065,7 @@ static const struct ibm_arch_vec ibm_architecture_vec_template __initconst = { + .reserved2 = 0, + .reserved3 = 0, + .subprocessors = 1, +- .byte22 = OV5_FEAT(OV5_DRMEM_V2), ++ .byte22 = OV5_FEAT(OV5_DRMEM_V2) | OV5_FEAT(OV5_DRC_INFO), + .intarch = 0, + .mmu = 0, + .hash_ext = 0, +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-Fix-bad-drc_index_start-value-parsin.patch b/patches.suse/powerpc-pseries-Fix-bad-drc_index_start-value-parsin.patch new file mode 100644 index 0000000..72b77b4 --- /dev/null +++ b/patches.suse/powerpc-pseries-Fix-bad-drc_index_start-value-parsin.patch @@ -0,0 +1,68 @@ +From 57409d4fb12c185b2c0689e0496878c8f6bb5b58 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Sun, 10 Nov 2019 23:21:28 -0600 +Subject: [PATCH] powerpc/pseries: Fix bad drc_index_start value parsing of + drc-info entry + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v5.5-rc1 +Git-commit: 57409d4fb12c185b2c0689e0496878c8f6bb5b58 + +The ibm,drc-info property is an array property that contains drc-info +entries such that each entry is made up of 2 string encoded elements +followed by 5 int encoded elements. The of_read_drc_info_cell() +helper contains comments that correctly name the expected elements +and their encoding. However, the usage of of_prop_next_string() and +of_prop_next_u32() introduced a subtle skippage of the first u32. +This is a result of of_prop_next_string() returning a pointer to the +next property value which is not a string, but actually a (__be32 *). +As, a result the following call to of_prop_next_u32() passes over the +current int encoded value and actually stores the next one wrongly. + +Simply endian swap the current value in place after reading the first +two string values. The remaining int encoded values can then be read +correctly using of_prop_next_u32(). + +Signed-off-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-2-git-send-email-tyreld@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/of_helpers.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/of_helpers.c b/arch/powerpc/platforms/pseries/of_helpers.c +index 6df192f38f80..66dfd8256712 100644 +--- a/arch/powerpc/platforms/pseries/of_helpers.c ++++ b/arch/powerpc/platforms/pseries/of_helpers.c +@@ -45,14 +45,14 @@ struct device_node *pseries_of_derive_parent(const char *path) + int of_read_drc_info_cell(struct property **prop, const __be32 **curval, + struct of_drc_info *data) + { +- const char *p; ++ const char *p = (char *)(*curval); + const __be32 *p2; + + if (!data) + return -EINVAL; + + /* Get drc-type:encode-string */ +- p = data->drc_type = (char*) (*curval); ++ data->drc_type = (char *)p; + p = of_prop_next_string(*prop, p); + if (!p) + return -EINVAL; +@@ -65,9 +65,7 @@ int of_read_drc_info_cell(struct property **prop, const __be32 **curval, + + /* Get drc-index-start:encode-int */ + p2 = (const __be32 *)p; +- p2 = of_prop_next_u32(*prop, p2, &data->drc_index_start); +- if (!p2) +- return -EINVAL; ++ data->drc_index_start = be32_to_cpu(*p2); + + /* Get drc-name-suffix-start:encode-int */ + p2 = of_prop_next_u32(*prop, p2, &data->drc_name_suffix_start); +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-Fix-drc-info-mappings-of-logical-cpu.patch b/patches.suse/powerpc-pseries-Fix-drc-info-mappings-of-logical-cpu.patch new file mode 100644 index 0000000..ea756d4 --- /dev/null +++ b/patches.suse/powerpc-pseries-Fix-drc-info-mappings-of-logical-cpu.patch @@ -0,0 +1,117 @@ +From 775fa495af04e0bdb3a00085aaa2d915ed51388f Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Sun, 10 Nov 2019 23:21:29 -0600 +Subject: [PATCH] powerpc/pseries: Fix drc-info mappings of logical cpus to + drc-index + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v5.5-rc1 +Git-commit: 775fa495af04e0bdb3a00085aaa2d915ed51388f + +There are a couple subtle errors in the mapping between cpu-ids and a +cpus associated drc-index when using the new ibm,drc-info property. + +The first is that while drc-info may have been a supported firmware +feature at boot it is possible we have migrated to a CEC with older +firmware that doesn't support the ibm,drc-info property. In that case +the device tree would have been updated after migration to remove the +ibm,drc-info property and replace it with the older style ibm,drc-* +properties for types, indexes, names, and power-domains. PAPR even +goes as far as dictating that if we advertise support for drc-info +that we are capable of supporting either property type at runtime. + +The second is that the first value of the ibm,drc-info property is +the int encoded count of drc-info entries. As such "value" returned +by of_prop_next_u32() is pointing at that count, and not the first +element of the first drc-info entry as is expected by the +of_read_drc_info_cell() helper. + +Fix the first by ignoring DRC-INFO firmware feature and instead +testing directly for ibm,drc-info, and then falling back to the +old style ibm,drc-indexes in the case it doesn't exit. + +Fix the second by incrementing value to the next element prior to +parsing drc-info entries. + +Signed-off-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-3-git-send-email-tyreld@linux.ibm.com +Acked-by: Michal Suchanek +--- + .../platforms/pseries/pseries_energy.c | 23 ++++++++----------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/pseries_energy.c b/arch/powerpc/platforms/pseries/pseries_energy.c +index a96874f9492f..09e98d301db0 100644 +--- a/arch/powerpc/platforms/pseries/pseries_energy.c ++++ b/arch/powerpc/platforms/pseries/pseries_energy.c +@@ -36,6 +36,7 @@ static int sysfs_entries; + static u32 cpu_to_drc_index(int cpu) + { + struct device_node *dn = NULL; ++ struct property *info; + int thread_index; + int rc = 1; + u32 ret = 0; +@@ -47,20 +48,18 @@ static u32 cpu_to_drc_index(int cpu) + /* Convert logical cpu number to core number */ + thread_index = cpu_core_index_of_thread(cpu); + +- if (firmware_has_feature(FW_FEATURE_DRC_INFO)) { +- struct property *info = NULL; ++ info = of_find_property(dn, "ibm,drc-info", NULL); ++ if (info) { + struct of_drc_info drc; + int j; + u32 num_set_entries; + const __be32 *value; + +- info = of_find_property(dn, "ibm,drc-info", NULL); +- if (info == NULL) +- goto err_of_node_put; +- + value = of_prop_next_u32(info, NULL, &num_set_entries); + if (!value) + goto err_of_node_put; ++ else ++ value++; + + for (j = 0; j < num_set_entries; j++) { + +@@ -110,6 +109,7 @@ static u32 cpu_to_drc_index(int cpu) + static int drc_index_to_cpu(u32 drc_index) + { + struct device_node *dn = NULL; ++ struct property *info; + const int *indexes; + int thread_index = 0, cpu = 0; + int rc = 1; +@@ -117,21 +117,18 @@ static int drc_index_to_cpu(u32 drc_index) + dn = of_find_node_by_path("/cpus"); + if (dn == NULL) + goto err; +- +- if (firmware_has_feature(FW_FEATURE_DRC_INFO)) { +- struct property *info = NULL; ++ info = of_find_property(dn, "ibm,drc-info", NULL); ++ if (info) { + struct of_drc_info drc; + int j; + u32 num_set_entries; + const __be32 *value; + +- info = of_find_property(dn, "ibm,drc-info", NULL); +- if (info == NULL) +- goto err_of_node_put; +- + value = of_prop_next_u32(info, NULL, &num_set_entries); + if (!value) + goto err_of_node_put; ++ else ++ value++; + + for (j = 0; j < num_set_entries; j++) { + +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-Fix-vector5-in-ibm-architecture-vect.patch b/patches.suse/powerpc-pseries-Fix-vector5-in-ibm-architecture-vect.patch new file mode 100644 index 0000000..d8d8ab6 --- /dev/null +++ b/patches.suse/powerpc-pseries-Fix-vector5-in-ibm-architecture-vect.patch @@ -0,0 +1,39 @@ +From b0c41b8b6e43120d7c35e4709508a3d90a09646e Mon Sep 17 00:00:00 2001 +From: Bharata B Rao +Date: Tue, 6 Mar 2018 13:44:32 +0530 +Subject: [PATCH] powerpc/pseries: Fix vector5 in ibm architecture vector table + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v4.16-rc5 +Git-commit: b0c41b8b6e43120d7c35e4709508a3d90a09646e + +With ibm,dynamic-memory-v2 and ibm,drc-info coming around the same +time, byte22 in vector5 of ibm architecture vector table got set twice +separately. The end result is that guest kernel isn't advertising +support for ibm,dynamic-memory-v2. + +Fix this by removing the duplicate assignment of byte22. + +Fixes: 02ef6dd8109b ("powerpc: Enable support for ibm,drc-info devtree property") +Signed-off-by: Bharata B Rao +Signed-off-by: Michael Ellerman +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/prom_init.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index d22c41c26bb3..acf4b2e0530c 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -874,7 +874,6 @@ struct ibm_arch_vec __cacheline_aligned ibm_architecture_vec = { + .mmu = 0, + .hash_ext = 0, + .radix_ext = 0, +- .byte22 = 0, + }, + + /* option vector 6: IBM PAPR hints */ +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-Revert-support-for-ibm-drc-info-devt.patch b/patches.suse/powerpc-pseries-Revert-support-for-ibm-drc-info-devt.patch new file mode 100644 index 0000000..6ff9b19 --- /dev/null +++ b/patches.suse/powerpc-pseries-Revert-support-for-ibm-drc-info-devt.patch @@ -0,0 +1,54 @@ +From c7a3275e0f9e461bb8942132aa6914aae59e7103 Mon Sep 17 00:00:00 2001 +From: Michael Bringmann +Date: Tue, 13 Feb 2018 14:02:53 -0600 +Subject: [PATCH] powerpc/pseries: Revert support for ibm,drc-info devtree + property + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v4.16-rc3 +Git-commit: c7a3275e0f9e461bb8942132aa6914aae59e7103 + +This reverts commit 02ef6dd8109b581343ebeb1c4c973513682535d6. + +The earlier patch tried to enable support for a new property +"ibm,drc-info" on powerpc systems. + +Unfortunately, some errors in the associated patch set break things +in some of the DLPAR operations. In particular when attempting to +hot-add a new CPU or set of CPUs, the original patch failed to +properly calculate the available resources, and aborted the operation. +In addition, the original set missed several opportunities to compress +and reuse common code. + +As the associated patch set was meant to provide an optimization of +storage and performance of a set of device-tree properties for future +systems with large amounts of resources, reverting just restores +the previous behavior for existing systems. It seems unnecessary +to enable this feature and introduce the consequent problems in the +field that it will cause at this time, so please revert it for now +until testing of the corrections are finished properly. + +Fixes: 02ef6dd8109b ("powerpc: Enable support for ibm,drc-info devtree property") +Signed-off-by: Michael W. Bringmann +Signed-off-by: Michael Ellerman +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/prom_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index adf044daafd7..d22c41c26bb3 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -874,7 +874,7 @@ struct ibm_arch_vec __cacheline_aligned ibm_architecture_vec = { + .mmu = 0, + .hash_ext = 0, + .radix_ext = 0, +- .byte22 = OV5_FEAT(OV5_DRC_INFO), ++ .byte22 = 0, + }, + + /* option vector 6: IBM PAPR hints */ +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-energy-Use-OF-accessor-functions-to-.patch b/patches.suse/powerpc-pseries-energy-Use-OF-accessor-functions-to-.patch index aa497dd..c8537b5 100644 --- a/patches.suse/powerpc-pseries-energy-Use-OF-accessor-functions-to-.patch +++ b/patches.suse/powerpc-pseries-energy-Use-OF-accessor-functions-to-.patch @@ -26,56 +26,50 @@ Reviewed-by: Vaidyanathan Srinivasan Signed-off-by: Michael Ellerman Acked-by: Michal Suchanek --- - .../platforms/pseries/pseries_energy.c | 28 +++++++++++-------- - 1 file changed, 17 insertions(+), 11 deletions(-) + .../platforms/pseries/pseries_energy.c | 27 ++++++++++++------- + 1 file changed, 18 insertions(+), 9 deletions(-) +diff --git a/arch/powerpc/platforms/pseries/pseries_energy.c b/arch/powerpc/platforms/pseries/pseries_energy.c +index 6ed22127391b..921f12182f3e 100644 --- a/arch/powerpc/platforms/pseries/pseries_energy.c +++ b/arch/powerpc/platforms/pseries/pseries_energy.c -@@ -38,27 +38,33 @@ static int sysfs_entries; - static u32 cpu_to_drc_index(int cpu) - { - struct device_node *dn = NULL; -- const int *indexes; -+ u32 nr_drc_indexes, i_drc_index; - int i; -- int rc = 1; -+ int rc; - u32 ret = 0; +@@ -77,18 +77,27 @@ static u32 cpu_to_drc_index(int cpu) - dn = of_find_node_by_path("/cpus"); - if (dn == NULL) - goto err; -- indexes = of_get_property(dn, "ibm,drc-indexes", NULL); -- if (indexes == NULL) -- goto err_of_node_put; -+ - /* Convert logical cpu number to core number */ - i = cpu_core_index_of_thread(cpu); + ret = drc.drc_index_start + (thread_index * drc.sequential_inc); + } else { +- const __be32 *indexes; +- +- indexes = of_get_property(dn, "ibm,drc-indexes", NULL); +- if (indexes == NULL) +- goto err_of_node_put; ++ u32 nr_drc_indexes, thread_drc_index; + + /* +- * The first element indexes[0] is the number of drc_indexes +- * returned in the list. Hence thread_index+1 will get the +- * drc_index corresponding to core number thread_index. ++ * The first element of ibm,drc-indexes array is the ++ * number of drc_indexes returned in the list. Hence ++ * thread_index+1 will get the drc_index corresponding ++ * to core number thread_index. + */ +- ret = indexes[thread_index + 1]; ++ rc = of_property_read_u32_index(dn, "ibm,drc-indexes", ++ 0, &nr_drc_indexes); ++ if (rc) ++ goto err_of_node_put; + - /* -- * The first element indexes[0] is the number of drc_indexes -- * returned in the list. Hence i+1 will get the drc_index -- * corresponding to core number i. -+ * The first element of "ibm,drc-indexes" is the number of -+ * drc_indexes returned in the list. Hence i + 1 will get the -+ * drc_index corresponding to core number i. - */ -- WARN_ON(i > indexes[0]); -- ret = indexes[i + 1]; -- rc = 0; -+ rc = of_property_read_u32_index(dn, "ibm,drc-indexes", -+ 0, &nr_drc_indexes); -+ if (rc) -+ goto err_of_node_put; ++ WARN_ON_ONCE(thread_index > nr_drc_indexes); ++ rc = of_property_read_u32_index(dn, "ibm,drc-indexes", ++ thread_index + 1, ++ &thread_drc_index); ++ if (rc) ++ goto err_of_node_put; + -+ WARN_ON_ONCE(i > nr_drc_indexes); -+ rc = of_property_read_u32_index(dn, "ibm,drc-indexes", -+ i + 1, &i_drc_index); -+ if (!rc) -+ ret = i_drc_index; ++ ret = thread_drc_index; + } - err_of_node_put: - of_node_put(dn); + rc = 0; -- -2.20.1 +2.23.0 diff --git a/patches.suse/powerpc-pseries-hotplug-memory-Change-rc-variable-to.patch b/patches.suse/powerpc-pseries-hotplug-memory-Change-rc-variable-to.patch new file mode 100644 index 0000000..9f47dae --- /dev/null +++ b/patches.suse/powerpc-pseries-hotplug-memory-Change-rc-variable-to.patch @@ -0,0 +1,51 @@ +From b948aaaf3e39cc475e45fea727638f191a5cb1b4 Mon Sep 17 00:00:00 2001 +From: Leonardo Bras +Date: Fri, 2 Aug 2019 10:39:15 -0300 +Subject: [PATCH] powerpc/pseries/hotplug-memory: Change rc variable to bool + +References: bsc#1065729 +Patch-mainline: v5.5-rc1 +Git-commit: b948aaaf3e39cc475e45fea727638f191a5cb1b4 + +Changes the return variable to bool (as the return value) and +avoids doing a ternary operation before returning. + +Signed-off-by: Leonardo Bras +Reviewed-by: David Hildenbrand +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190802133914.30413-1-leonardo@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/hotplug-memory.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c +index 8e700390f3d6..c126b94d1943 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -338,7 +338,7 @@ static int pseries_remove_mem_node(struct device_node *np) + static bool lmb_is_removable(struct drmem_lmb *lmb) + { + int i, scns_per_block; +- int rc = 1; ++ bool rc = true; + unsigned long pfn, block_sz; + u64 phys_addr; + +@@ -363,11 +363,11 @@ static bool lmb_is_removable(struct drmem_lmb *lmb) + if (!pfn_present(pfn)) + continue; + +- rc &= is_mem_section_removable(pfn, PAGES_PER_SECTION); ++ rc = rc && is_mem_section_removable(pfn, PAGES_PER_SECTION); + phys_addr += MIN_MEMORY_BLOCK_SIZE; + } + +- return rc ? true : false; ++ return rc; + } + + static int dlpar_add_lmb(struct drmem_lmb *); +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-lparcfg-Fix-display-of-Maximum-Memor.patch b/patches.suse/powerpc-pseries-lparcfg-Fix-display-of-Maximum-Memor.patch index 3471404..0f82fc7 100644 --- a/patches.suse/powerpc-pseries-lparcfg-Fix-display-of-Maximum-Memor.patch +++ b/patches.suse/powerpc-pseries-lparcfg-Fix-display-of-Maximum-Memor.patch @@ -4,8 +4,7 @@ Date: Wed, 15 Jan 2020 08:53:59 -0600 Subject: [PATCH] powerpc/pseries/lparcfg: Fix display of Maximum Memory References: bsc#1162028 ltc#181740 -Patch-mainline: queued -Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git +Patch-mainline: v5.6-rc1 Git-commit: f1dbc1c5c70d0d4c60b5d467ba941fba167c12f6 Correct overflow problem in calculation and display of Maximum Memory diff --git a/patches.suse/powerpc-pseries-vio-Fix-iommu_table-use-after-free-r.patch b/patches.suse/powerpc-pseries-vio-Fix-iommu_table-use-after-free-r.patch new file mode 100644 index 0000000..87929ae --- /dev/null +++ b/patches.suse/powerpc-pseries-vio-Fix-iommu_table-use-after-free-r.patch @@ -0,0 +1,67 @@ +From aff8c8242bc638ba57247ae1ec5f272ac3ed3b92 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Mon, 20 Jan 2020 14:10:02 -0800 +Subject: [PATCH] powerpc/pseries/vio: Fix iommu_table use-after-free refcount + warning + +References: bsc#1065729 +Patch-mainline: v5.6-rc1 +Git-commit: aff8c8242bc638ba57247ae1ec5f272ac3ed3b92 + +Commit e5afdf9dd515 ("powerpc/vfio_spapr_tce: Add reference counting to +iommu_table") missed an iommu_table allocation in the pseries vio code. +The iommu_table is allocated with kzalloc and as a result the associated +kref gets a value of zero. This has the side effect that during a DLPAR +remove of the associated virtual IOA the iommu_tce_table_put() triggers +a use-after-free underflow warning. + +Call Trace: +[c0000002879e39f0] [c00000000071ecb4] refcount_warn_saturate+0x184/0x190 +(unreliable) +[c0000002879e3a50] [c0000000000500ac] iommu_tce_table_put+0x9c/0xb0 +[c0000002879e3a70] [c0000000000f54e4] vio_dev_release+0x34/0x70 +[c0000002879e3aa0] [c00000000087cfa4] device_release+0x54/0xf0 +[c0000002879e3b10] [c000000000d64c84] kobject_cleanup+0xa4/0x240 +[c0000002879e3b90] [c00000000087d358] put_device+0x28/0x40 +[c0000002879e3bb0] [c0000000007a328c] dlpar_remove_slot+0x15c/0x250 +[c0000002879e3c50] [c0000000007a348c] remove_slot_store+0xac/0xf0 +[c0000002879e3cd0] [c000000000d64220] kobj_attr_store+0x30/0x60 +[c0000002879e3cf0] [c0000000004ff13c] sysfs_kf_write+0x6c/0xa0 +[c0000002879e3d10] [c0000000004fde4c] kernfs_fop_write+0x18c/0x260 +[c0000002879e3d60] [c000000000410f3c] __vfs_write+0x3c/0x70 +[c0000002879e3d80] [c000000000415408] vfs_write+0xc8/0x250 +[c0000002879e3dd0] [c0000000004157dc] ksys_write+0x7c/0x120 +[c0000002879e3e20] [c00000000000b278] system_call+0x5c/0x68 + +Further, since the refcount was always zero the iommu_tce_table_put() +fails to call the iommu_table release function resulting in a leak. + +Fix this issue be initilizing the iommu_table kref immediately after +allocation. + +Fixes: e5afdf9dd515 ("powerpc/vfio_spapr_tce: Add reference counting to iommu_table") +Signed-off-by: Tyrel Datwyler +Reviewed-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1579558202-26052-1-git-send-email-tyreld@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/vio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/vio.c b/arch/powerpc/platforms/pseries/vio.c +index 79e2287991db..f682b7babc09 100644 +--- a/arch/powerpc/platforms/pseries/vio.c ++++ b/arch/powerpc/platforms/pseries/vio.c +@@ -1176,6 +1176,8 @@ static struct iommu_table *vio_build_iommu_table(struct vio_dev *dev) + if (tbl == NULL) + return NULL; + ++ kref_init(&tbl->it_kref); ++ + of_parse_dma_window(dev->dev.of_node, dma_window, + &tbl->it_index, &offset, &size); + +-- +2.23.0 + diff --git a/patches.suse/powerpc-reserve-memory-for-capture-kernel-after-huge.patch b/patches.suse/powerpc-reserve-memory-for-capture-kernel-after-huge.patch new file mode 100644 index 0000000..b8cf2ec --- /dev/null +++ b/patches.suse/powerpc-reserve-memory-for-capture-kernel-after-huge.patch @@ -0,0 +1,60 @@ +From f0e3acbcd3ba16d06d4f3e51b90655c69004768c Mon Sep 17 00:00:00 2001 +Message-Id: +From: Hari Bathini +Date: Fri, 28 Jun 2019 00:51:09 +0530 +Subject: [PATCH rebased 1/2] powerpc: reserve memory for capture kernel after + hugepages init + +Patch-mainline: submitted https://patchwork.ozlabs.org/patch/1240173/ +References: bsc#1140025 ltc#176086 + +Sometimes, memory reservation for KDump/FADump can overlap with memory +marked for hugepages. This overlap leads to error, hang in KDump case +and copy error reported by f/w in case of FADump, while trying to +capture dump. Report error while setting up memory for the capture +kernel instead of running into issues while capturing dump, by moving +KDump/FADump reservation below MMU early init and failing gracefully +when hugepages memory overlaps with capture kernel memory. + +Signed-off-by: Hari Bathini +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/prom.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c +index 7159e79..454e19cf 100644 +--- a/arch/powerpc/kernel/prom.c ++++ b/arch/powerpc/kernel/prom.c +@@ -731,14 +731,6 @@ void __init early_init_devtree(void *params) + if (PHYSICAL_START > MEMORY_START) + memblock_reserve(MEMORY_START, 0x8000); + reserve_kdump_trampoline(); +-#ifdef CONFIG_FA_DUMP +- /* +- * If we fail to reserve memory for firmware-assisted dump then +- * fallback to kexec based kdump. +- */ +- if (fadump_reserve_mem() == 0) +-#endif +- reserve_crashkernel(); + early_reserve_mem(); + + /* Ensure that total memory size is page-aligned. */ +@@ -777,6 +769,14 @@ void __init early_init_devtree(void *params) + #endif + + mmu_early_init_devtree(); ++#ifdef CONFIG_FA_DUMP ++ /* ++ * If we fail to reserve memory for firmware-assisted dump then ++ * fallback to kexec based kdump. ++ */ ++ if (fadump_reserve_mem() == 0) ++#endif ++ reserve_crashkernel(); + + #ifdef CONFIG_PPC_POWERNV + /* Scan and build the list of machine check recoverable ranges */ + + diff --git a/patches.suse/powerpc-tm-Fix-clearing-MSR-TS-in-current-when-recla.patch b/patches.suse/powerpc-tm-Fix-clearing-MSR-TS-in-current-when-recla.patch new file mode 100644 index 0000000..e44a127 --- /dev/null +++ b/patches.suse/powerpc-tm-Fix-clearing-MSR-TS-in-current-when-recla.patch @@ -0,0 +1,291 @@ +From 2464cc4c345699adea52c7aef75707207cb8a2f6 Mon Sep 17 00:00:00 2001 +From: Gustavo Luiz Duarte +Date: Tue, 11 Feb 2020 00:38:29 -0300 +Subject: [PATCH] powerpc/tm: Fix clearing MSR[TS] in current when reclaiming + on signal delivery + +References: bsc#1118338 ltc#173734 +Patch-mainline: v5.6-rc3 +Git-commit: 2464cc4c345699adea52c7aef75707207cb8a2f6 + +After a treclaim, we expect to be in non-transactional state. If we +don't clear the current thread's MSR[TS] before we get preempted, then +tm_recheckpoint_new_task() will recheckpoint and we get rescheduled in +suspended transaction state. + +When handling a signal caught in transactional state, +handle_rt_signal64() calls get_tm_stackpointer() that treclaims the +transaction using tm_reclaim_current() but without clearing the +thread's MSR[TS]. This can cause the TM Bad Thing exception below if +later we pagefault and get preempted trying to access the user's +sigframe, using __put_user(). Afterwards, when we are rescheduled back +into do_page_fault() (but now in suspended state since the thread's +MSR[TS] was not cleared), upon executing 'rfid' after completion of +the page fault handling, the exception is raised because a transition +from suspended to non-transactional state is invalid. + + Unexpected TM Bad Thing exception at c00000000000de44 (msr 0x8000000302a03031) tm_scratch=800000010280b033 + Oops: Unrecoverable exception, sig: 6 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + CPU: 25 PID: 15547 Comm: a.out Not tainted 5.4.0-rc2 #32 + NIP: c00000000000de44 LR: c000000000034728 CTR: 0000000000000000 + REGS: c00000003fe7bd70 TRAP: 0700 Not tainted (5.4.0-rc2) + MSR: 8000000302a03031 CR: 44000884 XER: 00000000 + CFAR: c00000000000dda4 IRQMASK: 0 + PACATMSCRATCH: 800000010280b033 + GPR00: c000000000034728 c000000f65a17c80 c000000001662800 00007fffacf3fd78 + GPR04: 0000000000001000 0000000000001000 0000000000000000 c000000f611f8af0 + GPR08: 0000000000000000 0000000078006001 0000000000000000 000c000000000000 + GPR12: c000000f611f84b0 c00000003ffcb200 0000000000000000 0000000000000000 + GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000f611f8140 + GPR24: 0000000000000000 00007fffacf3fd68 c000000f65a17d90 c000000f611f7800 + GPR28: c000000f65a17e90 c000000f65a17e90 c000000001685e18 00007fffacf3f000 + NIP [c00000000000de44] fast_exception_return+0xf4/0x1b0 + LR [c000000000034728] handle_rt_signal64+0x78/0xc50 + Call Trace: + [c000000f65a17c80] [c000000000034710] handle_rt_signal64+0x60/0xc50 (unreliable) + [c000000f65a17d30] [c000000000023640] do_notify_resume+0x330/0x460 + [c000000f65a17e20] [c00000000000dcc4] ret_from_except_lite+0x70/0x74 + Instruction dump: + 7c4ff120 e8410170 7c5a03a6 38400000 f8410060 e8010070 e8410080 e8610088 + 60000000 60000000 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed0989 + ---[ end trace 93094aa44b442f87 ]--- + +The simplified sequence of events that triggers the above exception is: + + ... # userspace in NON-TRANSACTIONAL state + tbegin # userspace in TRANSACTIONAL state + signal delivery # kernelspace in SUSPENDED state + handle_rt_signal64() + get_tm_stackpointer() + treclaim # kernelspace in NON-TRANSACTIONAL state + __put_user() + page fault happens. We will never get back here because of the TM Bad Thing exception. + + page fault handling kicks in and we voluntarily preempt ourselves + do_page_fault() + __schedule() + __switch_to(other_task) + + our task is rescheduled and we recheckpoint because the thread's MSR[TS] was not cleared + __switch_to(our_task) + switch_to_tm() + tm_recheckpoint_new_task() + trechkpt # kernelspace in SUSPENDED state + + The page fault handling resumes, but now we are in suspended transaction state + do_page_fault() completes + rfid <----- trying to get back where the page fault happened (we were non-transactional back then) + TM Bad Thing # illegal transition from suspended to non-transactional + +This patch fixes that issue by clearing the current thread's MSR[TS] +just after treclaim in get_tm_stackpointer() so that we stay in +non-transactional state in case we are preempted. In order to make +treclaim and clearing the thread's MSR[TS] atomic from a preemption +perspective when CONFIG_PREEMPT is set, preempt_disable/enable() is +used. It's also necessary to save the previous value of the thread's +MSR before get_tm_stackpointer() is called so that it can be exposed +to the signal handler later in setup_tm_sigcontexts() to inform the +userspace MSR at the moment of the signal delivery. + +Found with tm-signal-context-force-tm kernel selftest. + +Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context") +Cc: stable@vger.kernel.org # v3.9 +Signed-off-by: Gustavo Luiz Duarte +Acked-by: Michael Neuling +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200211033831.11165-1-gustavold@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/signal.c | 17 +++++++++++++++-- + arch/powerpc/kernel/signal_32.c | 28 ++++++++++++++-------------- + arch/powerpc/kernel/signal_64.c | 22 ++++++++++------------ + 3 files changed, 39 insertions(+), 28 deletions(-) + +diff --git a/arch/powerpc/kernel/signal.c b/arch/powerpc/kernel/signal.c +index e6c30cee6abf..d215f9554553 100644 +--- a/arch/powerpc/kernel/signal.c ++++ b/arch/powerpc/kernel/signal.c +@@ -200,14 +200,27 @@ unsigned long get_tm_stackpointer(struct task_struct *tsk) + * normal/non-checkpointed stack pointer. + */ + ++ unsigned long ret = tsk->thread.regs->gpr[1]; ++ + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + BUG_ON(tsk != current); + + if (MSR_TM_ACTIVE(tsk->thread.regs->msr)) { ++ preempt_disable(); + tm_reclaim_current(TM_CAUSE_SIGNAL); + if (MSR_TM_TRANSACTIONAL(tsk->thread.regs->msr)) +- return tsk->thread.ckpt_regs.gpr[1]; ++ ret = tsk->thread.ckpt_regs.gpr[1]; ++ ++ /* ++ * If we treclaim, we must clear the current thread's TM bits ++ * before re-enabling preemption. Otherwise we might be ++ * preempted and have the live MSR[TS] changed behind our back ++ * (tm_recheckpoint_new_task() would recheckpoint). Besides, we ++ * enter the signal handler in non-transactional state. ++ */ ++ tsk->thread.regs->msr &= ~MSR_TS_MASK; ++ preempt_enable(); + } + #endif +- return tsk->thread.regs->gpr[1]; ++ return ret; + } +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c +index 98600b276f76..1b090a76b444 100644 +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -489,19 +489,11 @@ static int save_user_regs(struct pt_regs *regs, struct mcontext __user *frame, + */ + static int save_tm_user_regs(struct pt_regs *regs, + struct mcontext __user *frame, +- struct mcontext __user *tm_frame, int sigret) ++ struct mcontext __user *tm_frame, int sigret, ++ unsigned long msr) + { +- unsigned long msr = regs->msr; +- + WARN_ON(tm_suspend_disabled); + +- /* Remove TM bits from thread's MSR. The MSR in the sigcontext +- * just indicates to userland that we were doing a transaction, but we +- * don't want to return in transactional state. This also ensures +- * that flush_fp_to_thread won't set TIF_RESTORE_TM again. +- */ +- regs->msr &= ~MSR_TS_MASK; +- + /* Save both sets of general registers */ + if (save_general_regs(¤t->thread.ckpt_regs, frame) + || save_general_regs(regs, tm_frame)) +@@ -912,6 +904,10 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset, + int sigret; + unsigned long tramp; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -944,13 +940,13 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset, + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + tm_frame = &rt_sf->uc_transact.uc_mcontext; +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + if (__put_user((unsigned long)&rt_sf->uc_transact, + &rt_sf->uc.uc_link) || + __put_user((unsigned long)tm_frame, + &rt_sf->uc_transact.uc_regs)) + goto badframe; +- if (save_tm_user_regs(regs, frame, tm_frame, sigret)) ++ if (save_tm_user_regs(regs, frame, tm_frame, sigret, msr)) + goto badframe; + } + else +@@ -1369,6 +1365,10 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset, + int sigret; + unsigned long tramp; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -1402,9 +1402,9 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset, + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + tm_mctx = &frame->mctx_transact; +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + if (save_tm_user_regs(regs, &frame->mctx, &frame->mctx_transact, +- sigret)) ++ sigret, msr)) + goto badframe; + } + else +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c +index 117515564ec7..84ed2e77ef9c 100644 +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -192,7 +192,8 @@ static long setup_sigcontext(struct sigcontext __user *sc, + static long setup_tm_sigcontexts(struct sigcontext __user *sc, + struct sigcontext __user *tm_sc, + struct task_struct *tsk, +- int signr, sigset_t *set, unsigned long handler) ++ int signr, sigset_t *set, unsigned long handler, ++ unsigned long msr) + { + /* When CONFIG_ALTIVEC is set, we _always_ setup v_regs even if the + * process never used altivec yet (MSR_VEC is zero in pt_regs of +@@ -207,12 +208,11 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc, + elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc); + #endif + struct pt_regs *regs = tsk->thread.regs; +- unsigned long msr = tsk->thread.regs->msr; + long err = 0; + + BUG_ON(tsk != current); + +- BUG_ON(!MSR_TM_ACTIVE(regs->msr)); ++ BUG_ON(!MSR_TM_ACTIVE(msr)); + + WARN_ON(tm_suspend_disabled); + +@@ -222,13 +222,6 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc, + */ + msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX); + +- /* Remove TM bits from thread's MSR. The MSR in the sigcontext +- * just indicates to userland that we were doing a transaction, but we +- * don't want to return in transactional state. This also ensures +- * that flush_fp_to_thread won't set TIF_RESTORE_TM again. +- */ +- regs->msr &= ~MSR_TS_MASK; +- + #ifdef CONFIG_ALTIVEC + err |= __put_user(v_regs, &sc->v_regs); + err |= __put_user(tm_v_regs, &tm_sc->v_regs); +@@ -824,6 +817,10 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, + unsigned long newsp = 0; + long err = 0; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -841,7 +838,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, + err |= __put_user(0, &frame->uc.uc_flags); + err |= __save_altstack(&frame->uc.uc_stack, regs->gpr[1]); + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + /* The ucontext_t passed to userland points to the second + * ucontext_t (for transactional state) with its uc_link ptr. + */ +@@ -849,7 +846,8 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, + err |= setup_tm_sigcontexts(&frame->uc.uc_mcontext, + &frame->uc_transact.uc_mcontext, + tsk, ksig->sig, NULL, +- (unsigned long)ksig->ka.sa.sa_handler); ++ (unsigned long)ksig->ka.sa.sa_handler, ++ msr); + } else + #endif + { +-- +2.23.0 + diff --git a/patches.suse/powerpc-xive-Discard-ESB-load-value-when-interrupt-i.patch b/patches.suse/powerpc-xive-Discard-ESB-load-value-when-interrupt-i.patch new file mode 100644 index 0000000..5e0cca0 --- /dev/null +++ b/patches.suse/powerpc-xive-Discard-ESB-load-value-when-interrupt-i.patch @@ -0,0 +1,78 @@ +From 17328f218fb760c9c6accc5b52494889243a6b98 Mon Sep 17 00:00:00 2001 +From: Frederic Barrat +Date: Mon, 13 Jan 2020 14:01:18 +0100 +Subject: [PATCH] powerpc/xive: Discard ESB load value when interrupt is + invalid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +References: fate#322438 bsc#1085030 +Patch-mainline: v5.5 +Git-commit: 17328f218fb760c9c6accc5b52494889243a6b98 + +A load on an ESB page returning all 1's means that the underlying +device has invalidated the access to the PQ state of the interrupt +through mmio. It may happen, for example when querying a PHB interrupt +while the PHB is in an error state. + +In that case, we should consider the interrupt to be invalid when +checking its state in the irq_get_irqchip_state() handler. + +Fixes: da15c03b047d ("powerpc/xive: Implement get_irqchip_state method for XIVE to fix shutdown race") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Frederic Barrat +[clg: wrote a commit log, introduced XIVE_ESB_INVALID ] +Signed-off-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200113130118.27969-1-clg@kaod.org +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/xive-regs.h | 1 + + arch/powerpc/sysdev/xive/common.c | 15 ++++++++++++--- + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/include/asm/xive-regs.h b/arch/powerpc/include/asm/xive-regs.h +index f2dfcd50a2d3..33aee7490cbb 100644 +--- a/arch/powerpc/include/asm/xive-regs.h ++++ b/arch/powerpc/include/asm/xive-regs.h +@@ -39,6 +39,7 @@ + + #define XIVE_ESB_VAL_P 0x2 + #define XIVE_ESB_VAL_Q 0x1 ++#define XIVE_ESB_INVALID 0xFF + + /* + * Thread Management (aka "TM") registers +diff --git a/arch/powerpc/sysdev/xive/common.c b/arch/powerpc/sysdev/xive/common.c +index f5fadbd2533a..9651ca061828 100644 +--- a/arch/powerpc/sysdev/xive/common.c ++++ b/arch/powerpc/sysdev/xive/common.c +@@ -972,12 +972,21 @@ static int xive_get_irqchip_state(struct irq_data *data, + enum irqchip_irq_state which, bool *state) + { + struct xive_irq_data *xd = irq_data_get_irq_handler_data(data); ++ u8 pq; + + switch (which) { + case IRQCHIP_STATE_ACTIVE: +- *state = !xd->stale_p && +- (xd->saved_p || +- !!(xive_esb_read(xd, XIVE_ESB_GET) & XIVE_ESB_VAL_P)); ++ pq = xive_esb_read(xd, XIVE_ESB_GET); ++ ++ /* ++ * The esb value being all 1's means we couldn't get ++ * the PQ state of the interrupt through mmio. It may ++ * happen, for example when querying a PHB interrupt ++ * while the PHB is in an error state. We consider the ++ * interrupt to be inactive in that case. ++ */ ++ *state = (pq != XIVE_ESB_INVALID) && !xd->stale_p && ++ (xd->saved_p || !!(pq & XIVE_ESB_VAL_P)); + return 0; + default: + return -EINVAL; +-- +2.23.0 + diff --git a/patches.suse/powerpc-xive-Implement-get_irqchip_state-method-for-.patch b/patches.suse/powerpc-xive-Implement-get_irqchip_state-method-for-.patch index 6fd224a..2806212 100644 --- a/patches.suse/powerpc-xive-Implement-get_irqchip_state-method-for-.patch +++ b/patches.suse/powerpc-xive-Implement-get_irqchip_state-method-for-.patch @@ -4,7 +4,7 @@ Date: Tue, 13 Aug 2019 20:06:48 +1000 Subject: [PATCH] powerpc/xive: Implement get_irqchip_state method for XIVE to fix shutdown race -References: bsc#1065729 +References: fate#322438 bsc#1085030 Patch-mainline: v5.4-rc1 Git-commit: da15c03b047dca891d37b9f4ef9ca14d84a6484f diff --git a/patches.suse/powerpc-xmon-don-t-access-ASDR-in-VMs.patch b/patches.suse/powerpc-xmon-don-t-access-ASDR-in-VMs.patch new file mode 100644 index 0000000..3209cf0 --- /dev/null +++ b/patches.suse/powerpc-xmon-don-t-access-ASDR-in-VMs.patch @@ -0,0 +1,50 @@ +From c2a20711fc181e7f22ee5c16c28cb9578af84729 Mon Sep 17 00:00:00 2001 +From: Sukadev Bhattiprolu +Date: Mon, 6 Jan 2020 13:50:02 -0600 +Subject: [PATCH] powerpc/xmon: don't access ASDR in VMs + +References: bsc#1065729 +Patch-mainline: v5.6-rc1 +Git-commit: c2a20711fc181e7f22ee5c16c28cb9578af84729 + +ASDR is HV-privileged and must only be accessed in HV-mode. +Fixes a Program Check (0x700) when xmon in a VM dumps SPRs. + +Fixes: d1e1b351f50f ("powerpc/xmon: Add ISA v3.0 SPRs to SPR dump") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Sukadev Bhattiprolu +Reviewed-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200107021633.GB29843@us.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/xmon/xmon.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c +index a7056049709e..03d23075ac43 100644 +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -1949,15 +1949,14 @@ static void dump_300_sprs(void) + + printf("pidr = %.16lx tidr = %.16lx\n", + mfspr(SPRN_PID), mfspr(SPRN_TIDR)); +- printf("asdr = %.16lx psscr = %.16lx\n", +- mfspr(SPRN_ASDR), hv ? mfspr(SPRN_PSSCR) +- : mfspr(SPRN_PSSCR_PR)); ++ printf("psscr = %.16lx\n", ++ hv ? mfspr(SPRN_PSSCR) : mfspr(SPRN_PSSCR_PR)); + + if (!hv) + return; + +- printf("ptcr = %.16lx\n", +- mfspr(SPRN_PTCR)); ++ printf("ptcr = %.16lx asdr = %.16lx\n", ++ mfspr(SPRN_PTCR), mfspr(SPRN_ASDR)); + #endif + } + +-- +2.23.0 + diff --git a/patches.suse/ppp-Adjust-indentation-into-ppp_async_input.patch b/patches.suse/ppp-Adjust-indentation-into-ppp_async_input.patch new file mode 100644 index 0000000..7eb145e --- /dev/null +++ b/patches.suse/ppp-Adjust-indentation-into-ppp_async_input.patch @@ -0,0 +1,65 @@ +From 08cbc75f96029d3092664213a844a5e25523aa35 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 9 Dec 2019 15:38:59 -0700 +Subject: [PATCH] ppp: Adjust indentation into ppp_async_input +Git-commit: 08cbc75f96029d3092664213a844a5e25523aa35 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Clang warns: + +../drivers/net/ppp/ppp_async.c:877:6: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + ap->rpkt = skb; + ^ +../drivers/net/ppp/ppp_async.c:875:5: note: previous statement is here + if (!skb) + ^ +1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Clean up this entire block's indentation so that it is consistent +with the Linux kernel coding style and clang no longer warns. + +Fixes: 6722e78c9005 ("[PPP]: handle misaligned accesses") +Link: https://github.com/ClangBuiltLinux/linux/issues/800 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/ppp/ppp_async.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c +index a7b9cf3269bf..29a0917a81e6 100644 +--- a/drivers/net/ppp/ppp_async.c ++++ b/drivers/net/ppp/ppp_async.c +@@ -874,15 +874,15 @@ ppp_async_input(struct asyncppp *ap, const unsigned char *buf, + skb = dev_alloc_skb(ap->mru + PPP_HDRLEN + 2); + if (!skb) + goto nomem; +- ap->rpkt = skb; +- } +- if (skb->len == 0) { +- /* Try to get the payload 4-byte aligned. +- * This should match the +- * PPP_ALLSTATIONS/PPP_UI/compressed tests in +- * process_input_packet, but we do not have +- * enough chars here to test buf[1] and buf[2]. +- */ ++ ap->rpkt = skb; ++ } ++ if (skb->len == 0) { ++ /* Try to get the payload 4-byte aligned. ++ * This should match the ++ * PPP_ALLSTATIONS/PPP_UI/compressed tests in ++ * process_input_packet, but we do not have ++ * enough chars here to test buf[1] and buf[2]. ++ */ + if (buf[0] != PPP_ALLSTATIONS) + skb_reserve(skb, 2 + (buf[0] & 1)); + } +-- +2.16.4 + diff --git a/patches.suse/pseries-drc-info-Search-DRC-properties-for-CPU-index.patch b/patches.suse/pseries-drc-info-Search-DRC-properties-for-CPU-index.patch new file mode 100644 index 0000000..82598c0 --- /dev/null +++ b/patches.suse/pseries-drc-info-Search-DRC-properties-for-CPU-index.patch @@ -0,0 +1,298 @@ +From e83636ac333441a17436a1fcd196308f59cd0b51 Mon Sep 17 00:00:00 2001 +From: Michael Bringmann +Date: Fri, 1 Dec 2017 17:19:43 -0600 +Subject: [PATCH] pseries/drc-info: Search DRC properties for CPU indexes + +References: FATE#326955 bsc#1157480 ltc#181028 +Patch-mainline: v4.16-rc1 +Git-commit: e83636ac333441a17436a1fcd196308f59cd0b51 + +pseries/drc-info: Provide parallel routines to convert between +drc_index and CPU numbers at runtime, using the older device-tree +properties ("ibm,drc-indexes", "ibm,drc-names", "ibm,drc-types" +and "ibm,drc-power-domains"), or the new property "ibm,drc-info". + +Signed-off-by: Michael Bringmann +Signed-off-by: Michael Ellerman +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/prom.h | 15 +++ + arch/powerpc/platforms/pseries/of_helpers.c | 60 +++++++++ + .../platforms/pseries/pseries_energy.c | 126 ++++++++++++++---- + 3 files changed, 173 insertions(+), 28 deletions(-) + +diff --git a/arch/powerpc/include/asm/prom.h b/arch/powerpc/include/asm/prom.h +index 2ab5d732fefa..b04c5ce8191b 100644 +--- a/arch/powerpc/include/asm/prom.h ++++ b/arch/powerpc/include/asm/prom.h +@@ -80,6 +80,21 @@ extern void of_instantiate_rtc(void); + + extern int of_get_ibm_chip_id(struct device_node *np); + ++struct of_drc_info { ++ char *drc_type; ++ char *drc_name_prefix; ++ u32 drc_index_start; ++ u32 drc_name_suffix_start; ++ u32 num_sequential_elems; ++ u32 sequential_inc; ++ u32 drc_power_domain; ++ u32 last_drc_index; ++}; ++ ++extern int of_read_drc_info_cell(struct property **prop, ++ const __be32 **curval, struct of_drc_info *data); ++ ++ + /* + * There are two methods for telling firmware what our capabilities are. + * Newer machines have an "ibm,client-architecture-support" method on the +diff --git a/arch/powerpc/platforms/pseries/of_helpers.c b/arch/powerpc/platforms/pseries/of_helpers.c +index 7e75101fa522..6df192f38f80 100644 +--- a/arch/powerpc/platforms/pseries/of_helpers.c ++++ b/arch/powerpc/platforms/pseries/of_helpers.c +@@ -3,6 +3,7 @@ + #include + #include + #include ++#include + + #include "of_helpers.h" + +@@ -37,3 +38,62 @@ struct device_node *pseries_of_derive_parent(const char *path) + kfree(parent_path); + return parent ? parent : ERR_PTR(-EINVAL); + } ++ ++ ++/* Helper Routines to convert between drc_index to cpu numbers */ ++ ++int of_read_drc_info_cell(struct property **prop, const __be32 **curval, ++ struct of_drc_info *data) ++{ ++ const char *p; ++ const __be32 *p2; ++ ++ if (!data) ++ return -EINVAL; ++ ++ /* Get drc-type:encode-string */ ++ p = data->drc_type = (char*) (*curval); ++ p = of_prop_next_string(*prop, p); ++ if (!p) ++ return -EINVAL; ++ ++ /* Get drc-name-prefix:encode-string */ ++ data->drc_name_prefix = (char *)p; ++ p = of_prop_next_string(*prop, p); ++ if (!p) ++ return -EINVAL; ++ ++ /* Get drc-index-start:encode-int */ ++ p2 = (const __be32 *)p; ++ p2 = of_prop_next_u32(*prop, p2, &data->drc_index_start); ++ if (!p2) ++ return -EINVAL; ++ ++ /* Get drc-name-suffix-start:encode-int */ ++ p2 = of_prop_next_u32(*prop, p2, &data->drc_name_suffix_start); ++ if (!p2) ++ return -EINVAL; ++ ++ /* Get number-sequential-elements:encode-int */ ++ p2 = of_prop_next_u32(*prop, p2, &data->num_sequential_elems); ++ if (!p2) ++ return -EINVAL; ++ ++ /* Get sequential-increment:encode-int */ ++ p2 = of_prop_next_u32(*prop, p2, &data->sequential_inc); ++ if (!p2) ++ return -EINVAL; ++ ++ /* Get drc-power-domain:encode-int */ ++ p2 = of_prop_next_u32(*prop, p2, &data->drc_power_domain); ++ if (!p2) ++ return -EINVAL; ++ ++ /* Should now know end of current entry */ ++ (*curval) = (void *)p2; ++ data->last_drc_index = data->drc_index_start + ++ ((data->num_sequential_elems - 1) * data->sequential_inc); ++ ++ return 0; ++} ++EXPORT_SYMBOL(of_read_drc_info_cell); +diff --git a/arch/powerpc/platforms/pseries/pseries_energy.c b/arch/powerpc/platforms/pseries/pseries_energy.c +index 35c891aabef0..6ed22127391b 100644 +--- a/arch/powerpc/platforms/pseries/pseries_energy.c ++++ b/arch/powerpc/platforms/pseries/pseries_energy.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + + #define MODULE_VERS "1.0" +@@ -38,26 +39,58 @@ static int sysfs_entries; + static u32 cpu_to_drc_index(int cpu) + { + struct device_node *dn = NULL; +- const int *indexes; +- int i; ++ int thread_index; + int rc = 1; + u32 ret = 0; + + dn = of_find_node_by_path("/cpus"); + if (dn == NULL) + goto err; +- indexes = of_get_property(dn, "ibm,drc-indexes", NULL); +- if (indexes == NULL) +- goto err_of_node_put; ++ + /* Convert logical cpu number to core number */ +- i = cpu_core_index_of_thread(cpu); +- /* +- * The first element indexes[0] is the number of drc_indexes +- * returned in the list. Hence i+1 will get the drc_index +- * corresponding to core number i. +- */ +- WARN_ON(i > indexes[0]); +- ret = indexes[i + 1]; ++ thread_index = cpu_core_index_of_thread(cpu); ++ ++ if (firmware_has_feature(FW_FEATURE_DRC_INFO)) { ++ struct property *info = NULL; ++ struct of_drc_info drc; ++ int j; ++ u32 num_set_entries; ++ const __be32 *value; ++ ++ info = of_find_property(dn, "ibm,drc-info", NULL); ++ if (info == NULL) ++ goto err_of_node_put; ++ ++ value = of_prop_next_u32(info, NULL, &num_set_entries); ++ if (!value) ++ goto err_of_node_put; ++ ++ for (j = 0; j < num_set_entries; j++) { ++ ++ of_read_drc_info_cell(&info, &value, &drc); ++ if (strncmp(drc.drc_type, "CPU", 3)) ++ goto err; ++ ++ if (thread_index < drc.last_drc_index) ++ break; ++ } ++ ++ ret = drc.drc_index_start + (thread_index * drc.sequential_inc); ++ } else { ++ const __be32 *indexes; ++ ++ indexes = of_get_property(dn, "ibm,drc-indexes", NULL); ++ if (indexes == NULL) ++ goto err_of_node_put; ++ ++ /* ++ * The first element indexes[0] is the number of drc_indexes ++ * returned in the list. Hence thread_index+1 will get the ++ * drc_index corresponding to core number thread_index. ++ */ ++ ret = indexes[thread_index + 1]; ++ } ++ + rc = 0; + + err_of_node_put: +@@ -72,34 +105,71 @@ static int drc_index_to_cpu(u32 drc_index) + { + struct device_node *dn = NULL; + const int *indexes; +- int i, cpu = 0; ++ int thread_index = 0, cpu = 0; + int rc = 1; + + dn = of_find_node_by_path("/cpus"); + if (dn == NULL) + goto err; +- indexes = of_get_property(dn, "ibm,drc-indexes", NULL); +- if (indexes == NULL) +- goto err_of_node_put; +- /* +- * First element in the array is the number of drc_indexes +- * returned. Search through the list to find the matching +- * drc_index and get the core number +- */ +- for (i = 0; i < indexes[0]; i++) { +- if (indexes[i + 1] == drc_index) ++ ++ if (firmware_has_feature(FW_FEATURE_DRC_INFO)) { ++ struct property *info = NULL; ++ struct of_drc_info drc; ++ int j; ++ u32 num_set_entries; ++ const __be32 *value; ++ ++ info = of_find_property(dn, "ibm,drc-info", NULL); ++ if (info == NULL) ++ goto err_of_node_put; ++ ++ value = of_prop_next_u32(info, NULL, &num_set_entries); ++ if (!value) ++ goto err_of_node_put; ++ ++ for (j = 0; j < num_set_entries; j++) { ++ ++ of_read_drc_info_cell(&info, &value, &drc); ++ if (strncmp(drc.drc_type, "CPU", 3)) ++ goto err; ++ ++ if (drc_index > drc.last_drc_index) { ++ cpu += drc.num_sequential_elems; ++ continue; ++ } ++ cpu += ((drc_index - drc.drc_index_start) / ++ drc.sequential_inc); ++ ++ thread_index = cpu_first_thread_of_core(cpu); ++ rc = 0; + break; ++ } ++ } else { ++ unsigned long int i; ++ ++ indexes = of_get_property(dn, "ibm,drc-indexes", NULL); ++ if (indexes == NULL) ++ goto err_of_node_put; ++ /* ++ * First element in the array is the number of drc_indexes ++ * returned. Search through the list to find the matching ++ * drc_index and get the core number ++ */ ++ for (i = 0; i < indexes[0]; i++) { ++ if (indexes[i + 1] == drc_index) ++ break; ++ } ++ /* Convert core number to logical cpu number */ ++ thread_index = cpu_first_thread_of_core(i); ++ rc = 0; + } +- /* Convert core number to logical cpu number */ +- cpu = cpu_first_thread_of_core(i); +- rc = 0; + + err_of_node_put: + of_node_put(dn); + err: + if (rc) + printk(KERN_WARNING "drc_index_to_cpu(%d) failed", drc_index); +- return cpu; ++ return thread_index; + } + + /* +-- +2.23.0 + diff --git a/patches.suse/pstore-ram-Write-new-dumps-to-start-of-recycled-zone.patch b/patches.suse/pstore-ram-Write-new-dumps-to-start-of-recycled-zone.patch new file mode 100644 index 0000000..fafafad --- /dev/null +++ b/patches.suse/pstore-ram-Write-new-dumps-to-start-of-recycled-zone.patch @@ -0,0 +1,48 @@ +From 9e5f1c19800b808a37fb9815a26d382132c26c3d Mon Sep 17 00:00:00 2001 +From: Aleksandr Yashkin +Date: Mon, 23 Dec 2019 18:38:16 +0500 +Subject: [PATCH] pstore/ram: Write new dumps to start of recycled zones +Git-commit: 9e5f1c19800b808a37fb9815a26d382132c26c3d +Patch-mainline: v5.5-rc5 +References: bsc#1051510 + +The ram_core.c routines treat przs as circular buffers. When writing a +new crash dump, the old buffer needs to be cleared so that the new dump +doesn't end up in the wrong place (i.e. at the end). + +The solution to this problem is to reset the circular buffer state before +writing a new Oops dump. + +Signed-off-by: Aleksandr Yashkin +Signed-off-by: Nikolay Merinov +Signed-off-by: Ariel Gilman +Link: https://lore.kernel.org/r/20191223133816.28155-1-n.merinov@inango-systems.com +Fixes: 896fc1f0c4c6 ("pstore/ram: Switch to persistent_ram routines") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Acked-by: Takashi Iwai + +--- + fs/pstore/ram.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/pstore/ram.c ++++ b/fs/pstore/ram.c +@@ -439,6 +439,17 @@ static int notrace ramoops_pstore_write( + + prz = cxt->dprzs[cxt->dump_write_cnt]; + ++ /* ++ * Since this is a new crash dump, we need to reset the buffer in ++ * case it still has an old dump present. Without this, the new dump ++ * will get appended, which would seriously confuse anything trying ++ * to check dump file contents. Specifically, ramoops_read_kmsg_hdr() ++ * expects to find a dump header in the beginning of buffer data, so ++ * we must to reset the buffer values, in order to ensure that the ++ * header will be written to the beginning of the buffer. ++ */ ++ persistent_ram_zap(prz); ++ + /* Build header and append record contents. */ + hlen = ramoops_write_kmsg_hdr(prz, record->compressed); + size = record->size; diff --git a/patches.suse/pwm-Remove-set-but-not-set-variable-pwm.patch b/patches.suse/pwm-Remove-set-but-not-set-variable-pwm.patch new file mode 100644 index 0000000..710fe83 --- /dev/null +++ b/patches.suse/pwm-Remove-set-but-not-set-variable-pwm.patch @@ -0,0 +1,51 @@ +From 9871abffc81048e20f02e15d6aa4558a44ad53ea Mon Sep 17 00:00:00 2001 +From: yu kuai +Date: Mon, 20 Jan 2020 19:51:43 +0800 +Subject: [PATCH] pwm: Remove set but not set variable 'pwm' +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 9871abffc81048e20f02e15d6aa4558a44ad53ea +Patch-mainline: v5.6-rc1 +References: git-fixes + +Fixes gcc '-Wunused-but-set-variable' warning: + + drivers/pwm/pwm-pca9685.c: In function ‘pca9685_pwm_gpio_free’: + drivers/pwm/pwm-pca9685.c:162:21: warning: variable ‘pwm’ set but not used [-Wunused-but-set-variable] + +It is never used, and so can be removed. In that case, hold and release +the lock 'pca->lock' can be removed since nothing will be done between +them. + +Fixes: e926b12c611c ("pwm: Clear chip_data in pwm_put()") +Signed-off-by: yu kuai +Acked-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Acked-by: Takashi Iwai + +--- + drivers/pwm/pwm-pca9685.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/pwm/pwm-pca9685.c b/drivers/pwm/pwm-pca9685.c +index 168684b02ebc..b07bdca3d510 100644 +--- a/drivers/pwm/pwm-pca9685.c ++++ b/drivers/pwm/pwm-pca9685.c +@@ -159,13 +159,9 @@ static void pca9685_pwm_gpio_set(struct gpio_chip *gpio, unsigned int offset, + static void pca9685_pwm_gpio_free(struct gpio_chip *gpio, unsigned int offset) + { + struct pca9685 *pca = gpiochip_get_data(gpio); +- struct pwm_device *pwm; + + pca9685_pwm_gpio_set(gpio, offset, 0); + pm_runtime_put(pca->chip.dev); +- mutex_lock(&pca->lock); +- pwm = &pca->chip.pwms[offset]; +- mutex_unlock(&pca->lock); + } + + static int pca9685_pwm_gpio_get_direction(struct gpio_chip *chip, +-- +2.16.4 + diff --git a/patches.suse/pwm-omap-dmtimer-Remove-PWM-chip-in-.remove-before-m.patch b/patches.suse/pwm-omap-dmtimer-Remove-PWM-chip-in-.remove-before-m.patch new file mode 100644 index 0000000..fde9c36 --- /dev/null +++ b/patches.suse/pwm-omap-dmtimer-Remove-PWM-chip-in-.remove-before-m.patch @@ -0,0 +1,52 @@ +From 43efdc8f0e6d7088ec61bd55a73bf853f002d043 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Mon, 11 Nov 2019 10:03:54 +0100 +Subject: [PATCH] pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 43efdc8f0e6d7088ec61bd55a73bf853f002d043 +Patch-mainline: v5.6-rc1 +References: git-fixes + +In the old code (e.g.) mutex_destroy() was called before +pwmchip_remove(). Between these two calls it is possible that a PWM +callback is used which tries to grab the mutex. + +Fixes: 6604c6556db9 ("pwm: Add PWM driver for OMAP using dual-mode timers") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Acked-by: Takashi Iwai + +--- + drivers/pwm/pwm-omap-dmtimer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-omap-dmtimer.c b/drivers/pwm/pwm-omap-dmtimer.c +index 00772fc53490..bdf94c78655f 100644 +--- a/drivers/pwm/pwm-omap-dmtimer.c ++++ b/drivers/pwm/pwm-omap-dmtimer.c +@@ -351,6 +351,11 @@ static int pwm_omap_dmtimer_probe(struct platform_device *pdev) + static int pwm_omap_dmtimer_remove(struct platform_device *pdev) + { + struct pwm_omap_dmtimer_chip *omap = platform_get_drvdata(pdev); ++ int ret; ++ ++ ret = pwmchip_remove(&omap->chip); ++ if (ret) ++ return ret; + + if (pm_runtime_active(&omap->dm_timer_pdev->dev)) + omap->pdata->stop(omap->dm_timer); +@@ -359,7 +364,7 @@ static int pwm_omap_dmtimer_remove(struct platform_device *pdev) + + mutex_destroy(&omap->mutex); + +- return pwmchip_remove(&omap->chip); ++ return 0; + } + + static const struct of_device_id pwm_omap_dmtimer_of_match[] = { +-- +2.16.4 + diff --git a/patches.suse/qede-Fix-multicast-mac-configuration.patch b/patches.suse/qede-Fix-multicast-mac-configuration.patch new file mode 100644 index 0000000..28718e7 --- /dev/null +++ b/patches.suse/qede-Fix-multicast-mac-configuration.patch @@ -0,0 +1,31 @@ +From: Manish Chopra +Date: Thu, 12 Dec 2019 06:49:28 -0800 +Subject: qede: Fix multicast mac configuration +Git-commit: 0af67e49b018e7280a4227bfe7b6005bc9d3e442 +Patch-mainline: 5.5-rc3 +References: networking-stable-19_12_28 + +Driver doesn't accommodate the configuration for max number +of multicast mac addresses, in such particular case it leaves +the device with improper/invalid multicast configuration state, +causing connectivity issues (in lacp bonding like scenarios). + +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/qlogic/qede/qede_filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c +@@ -1227,7 +1227,7 @@ qede_configure_mcast_filtering(struct ne + netif_addr_lock_bh(ndev); + + mc_count = netdev_mc_count(ndev); +- if (mc_count < 64) { ++ if (mc_count <= 64) { + netdev_for_each_mc_addr(ha, ndev) { + ether_addr_copy(temp, ha->addr); + temp += ETH_ALEN; diff --git a/patches.suse/qmi_wwan-Add-support-for-Quectel-RM500Q.patch b/patches.suse/qmi_wwan-Add-support-for-Quectel-RM500Q.patch new file mode 100644 index 0000000..686013e --- /dev/null +++ b/patches.suse/qmi_wwan-Add-support-for-Quectel-RM500Q.patch @@ -0,0 +1,39 @@ +From a9ff44f0e61d074f29770413fef6a5452be7b83e Mon Sep 17 00:00:00 2001 +From: Kristian Evensen +Date: Mon, 13 Jan 2020 14:57:40 +0100 +Subject: [PATCH] qmi_wwan: Add support for Quectel RM500Q +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: a9ff44f0e61d074f29770413fef6a5452be7b83e +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +RM500Q is a 5G module from Quectel, supporting both standalone and +non-standalone modes. The normal Quectel quirks apply (DTR and dynamic +interface numbers). + +Signed-off-by: Kristian Evensen +Acked-by: Bjørn Mork +Signed-off-by: Jakub Kicinski +Acked-by: Takashi Iwai + +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 4196c0e32740..9485c8d1de8a 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1062,6 +1062,7 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_QUECTEL_DYNCFG(0x2c7c, 0x0125)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */ + {QMI_QUIRK_QUECTEL_DYNCFG(0x2c7c, 0x0306)}, /* Quectel EP06/EG06/EM06 */ + {QMI_QUIRK_QUECTEL_DYNCFG(0x2c7c, 0x0512)}, /* Quectel EG12/EM12 */ ++ {QMI_QUIRK_QUECTEL_DYNCFG(0x2c7c, 0x0800)}, /* Quectel RM500Q-GL */ + + /* 3. Combined interface devices matching on interface number */ + {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */ +-- +2.16.4 + diff --git a/patches.suse/quota-Check-that-quota-is-not-dirty-before-release.patch b/patches.suse/quota-Check-that-quota-is-not-dirty-before-release.patch new file mode 100644 index 0000000..ad3e06d --- /dev/null +++ b/patches.suse/quota-Check-that-quota-is-not-dirty-before-release.patch @@ -0,0 +1,84 @@ +From df4bb5d128e2c44848aeb36b7ceceba3ac85080d Mon Sep 17 00:00:00 2001 +From: Dmitry Monakhov +Date: Thu, 31 Oct 2019 10:39:20 +0000 +Subject: [PATCH] quota: Check that quota is not dirty before release +Git-commit: df4bb5d128e2c44848aeb36b7ceceba3ac85080d +Patch-mainline: v5.5-rc1 +References: bsc#1163858 + +There is a race window where quota was redirted once we drop dq_list_lock inside dqput(), +but before we grab dquot->dq_lock inside dquot_release() + +TASK1 TASK2 (chowner) +->dqput() + we_slept: + spin_lock(&dq_list_lock) + if (dquot_dirty(dquot)) { + spin_unlock(&dq_list_lock); + dquot->dq_sb->dq_op->write_dquot(dquot); + goto we_slept + if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { + spin_unlock(&dq_list_lock); + dquot->dq_sb->dq_op->release_dquot(dquot); + dqget() + mark_dquot_dirty() + dqput() + goto we_slept; + } +So dquot dirty quota will be released by TASK1, but on next we_sleept loop +we detect this and call ->write_dquot() for it. +Xfstest: https://github.com/dmonakhov/xfstests/commit/440a80d4cbb39e9234df4d7240aee1d551c36107 + +Link: https://lore.kernel.org/r/20191031103920.3919-2-dmonakhov@openvz.org +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Monakhov +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/ocfs2/quota_global.c | 2 +- + fs/quota/dquot.c | 2 +- + include/linux/quotaops.h | 10 ++++++++++ + 3 files changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/quota_global.c ++++ b/fs/ocfs2/quota_global.c +@@ -723,7 +723,7 @@ static int ocfs2_release_dquot(struct dq + + mutex_lock(&dquot->dq_lock); + /* Check whether we are not racing with some other dqget() */ +- if (atomic_read(&dquot->dq_count) > 1) ++ if (dquot_is_busy(dquot)) + goto out; + /* Running from downconvert thread? Postpone quota processing to wq */ + if (current == osb->dc_task) { +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -479,7 +479,7 @@ int dquot_release(struct dquot *dquot) + + mutex_lock(&dquot->dq_lock); + /* Check whether we are not racing with some other dqget() */ +- if (atomic_read(&dquot->dq_count) > 1) ++ if (dquot_is_busy(dquot)) + goto out_dqlock; + mutex_lock(&dqopt->dqio_mutex); + if (dqopt->ops[dquot->dq_id.type]->release_dqblk) { +--- a/include/linux/quotaops.h ++++ b/include/linux/quotaops.h +@@ -55,6 +55,16 @@ static inline struct dquot *dqgrab(struc + atomic_inc(&dquot->dq_count); + return dquot; + } ++ ++static inline bool dquot_is_busy(struct dquot *dquot) ++{ ++ if (test_bit(DQ_MOD_B, &dquot->dq_flags)) ++ return true; ++ if (atomic_read(&dquot->dq_count) > 1) ++ return true; ++ return false; ++} ++ + void dqput(struct dquot *dquot); + int dquot_scan_active(struct super_block *sb, + int (*fn)(struct dquot *dquot, unsigned long priv), diff --git a/patches.suse/quota-fix-livelock-in-dquot_writeback_dquots.patch b/patches.suse/quota-fix-livelock-in-dquot_writeback_dquots.patch new file mode 100644 index 0000000..4c1017d --- /dev/null +++ b/patches.suse/quota-fix-livelock-in-dquot_writeback_dquots.patch @@ -0,0 +1,48 @@ +From 6ff33d99fc5c96797103b48b7b0902c296f09c05 Mon Sep 17 00:00:00 2001 +From: Dmitry Monakhov +Date: Thu, 31 Oct 2019 10:39:19 +0000 +Subject: [PATCH] quota: fix livelock in dquot_writeback_dquots +Git-commit: 6ff33d99fc5c96797103b48b7b0902c296f09c05 +Patch-mainline: v5.5-rc1 +References: bsc#1163857 + +Write only quotas which are dirty at entry. + +Xfstest: https://github.com/dmonakhov/xfstests/commit/b10ad23566a5bf75832a6f500e1236084083cddc + +Link: https://lore.kernel.org/r/20191031103920.3919-1-dmonakhov@openvz.org +Cc: stable@vger.kernel.org +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: Dmitry Monakhov +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/quota/dquot.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -611,7 +611,7 @@ EXPORT_SYMBOL(dquot_scan_active); + /* Write all dquot structures to quota files */ + int dquot_writeback_dquots(struct super_block *sb, int type) + { +- struct list_head *dirty; ++ struct list_head dirty; + struct dquot *dquot; + struct quota_info *dqopt = sb_dqopt(sb); + int cnt; +@@ -625,9 +625,10 @@ int dquot_writeback_dquots(struct super_ + if (!sb_has_quota_active(sb, cnt)) + continue; + spin_lock(&dq_list_lock); +- dirty = &dqopt->info[cnt].dqi_dirty_list; +- while (!list_empty(dirty)) { +- dquot = list_first_entry(dirty, struct dquot, ++ /* Move list away to avoid livelock. */ ++ list_replace_init(&dqopt->info[cnt].dqi_dirty_list, &dirty); ++ while (!list_empty(&dirty)) { ++ dquot = list_first_entry(&dirty, struct dquot, + dq_dirty); + /* Dirty and inactive can be only bad dquot... */ + if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { diff --git a/patches.suse/r8152-get-default-setting-of-WOL-before-initializing.patch b/patches.suse/r8152-get-default-setting-of-WOL-before-initializing.patch new file mode 100644 index 0000000..006011f --- /dev/null +++ b/patches.suse/r8152-get-default-setting-of-WOL-before-initializing.patch @@ -0,0 +1,44 @@ +From 9583a3638dc07cc1878f41265e85ed497f72efcb Mon Sep 17 00:00:00 2001 +From: Hayes Wang +Date: Wed, 22 Jan 2020 16:02:07 +0800 +Subject: [PATCH] r8152: get default setting of WOL before initializing +Git-commit: 9583a3638dc07cc1878f41265e85ed497f72efcb +Patch-mainline: v5.5 +References: bsc#1051510 + +Initailization would reset runtime suspend by tp->saved_wolopts, so +the tp->saved_wolopts should be set before initializing. + +Signed-off-by: Hayes Wang +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/usb/r8152.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -5263,6 +5263,11 @@ static int rtl8152_probe(struct usb_inte + + intf->needs_remote_wakeup = 1; + ++ if (!rtl_can_wakeup(tp)) ++ __rtl_set_wol(tp, 0); ++ else ++ tp->saved_wolopts = __rtl_get_wol(tp); ++ + tp->rtl_ops.init(tp); + queue_delayed_work(system_long_wq, &tp->hw_phy_work, 0); + set_ethernet_addr(tp); +@@ -5276,10 +5281,6 @@ static int rtl8152_probe(struct usb_inte + goto out1; + } + +- if (!rtl_can_wakeup(tp)) +- __rtl_set_wol(tp, 0); +- +- tp->saved_wolopts = __rtl_get_wol(tp); + if (tp->saved_wolopts) + device_set_wakeup_enable(&udev->dev, true); + else diff --git a/patches.suse/regulator-Fix-return-value-of-_set_load-stub.patch b/patches.suse/regulator-Fix-return-value-of-_set_load-stub.patch new file mode 100644 index 0000000..0f2803b --- /dev/null +++ b/patches.suse/regulator-Fix-return-value-of-_set_load-stub.patch @@ -0,0 +1,38 @@ +From f1abf67217de91f5cd3c757ae857632ca565099a Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Fri, 16 Nov 2018 19:19:30 -0800 +Subject: [PATCH] regulator: Fix return value of _set_load() stub +Git-commit: f1abf67217de91f5cd3c757ae857632ca565099a +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +The stub implementation of _set_load() returns a mode value which is +within the bounds of valid return codes for success (the documentation +just says that failures are negative error codes) but not sensible or +what the actual implementation does. Fix it to just return 0. + +Reported-by: Cheng-Yi Chiang +Signed-off-by: Mark Brown +Reviewed-by: Douglas Anderson +Acked-by: Takashi Iwai + +--- + include/linux/regulator/consumer.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/regulator/consumer.h b/include/linux/regulator/consumer.h +index 25602afd4844..f3f76051e8b0 100644 +--- a/include/linux/regulator/consumer.h ++++ b/include/linux/regulator/consumer.h +@@ -508,7 +508,7 @@ static inline int regulator_get_error_flags(struct regulator *regulator, + + static inline int regulator_set_load(struct regulator *regulator, int load_uA) + { +- return REGULATOR_MODE_NORMAL; ++ return 0; + } + + static inline int regulator_allow_bypass(struct regulator *regulator, +-- +2.16.4 + diff --git a/patches.suse/regulator-rk808-Lower-log-level-on-optional-GPIOs-be.patch b/patches.suse/regulator-rk808-Lower-log-level-on-optional-GPIOs-be.patch new file mode 100644 index 0000000..223285b --- /dev/null +++ b/patches.suse/regulator-rk808-Lower-log-level-on-optional-GPIOs-be.patch @@ -0,0 +1,44 @@ +From b8a039d37792067c1a380dc710361905724b9b2f Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 3 Dec 2019 17:47:09 +0100 +Subject: [PATCH] regulator: rk808: Lower log level on optional GPIOs being not available +Git-commit: b8a039d37792067c1a380dc710361905724b9b2f +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +RK808 can leverage a couple of GPIOs to tweak the ramp rate during DVS +(Dynamic Voltage Scaling). These GPIOs are entirely optional but a +dev_warn() appeared when cleaning this driver to use a more up-to-date +gpiod API. At least reduce the log level to 'info' as it is totally +fine to not populate these GPIO on a hardware design. + +This change is trivial but it is worth not polluting the logs during +bringup phase by having real warnings and errors sorted out +correctly. + +Fixes: a13eaf02e2d6 ("regulator: rk808: make better use of the gpiod API") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20191203164709.11127-1-miquel.raynal@bootlin.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/regulator/rk808-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/rk808-regulator.c b/drivers/regulator/rk808-regulator.c +index 5b4003226484..31f79fda3238 100644 +--- a/drivers/regulator/rk808-regulator.c ++++ b/drivers/regulator/rk808-regulator.c +@@ -1282,7 +1282,7 @@ static int rk808_regulator_dt_parse_pdata(struct device *dev, + } + + if (!pdata->dvs_gpio[i]) { +- dev_warn(dev, "there is no dvs%d gpio\n", i); ++ dev_info(dev, "there is no dvs%d gpio\n", i); + continue; + } + +-- +2.16.4 + diff --git a/patches.suse/regulator-rn5t618-fix-module-aliases.patch b/patches.suse/regulator-rn5t618-fix-module-aliases.patch new file mode 100644 index 0000000..a3fb8ff --- /dev/null +++ b/patches.suse/regulator-rn5t618-fix-module-aliases.patch @@ -0,0 +1,36 @@ +From 62a1923cc8fe095912e6213ed5de27abbf1de77e Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Wed, 11 Dec 2019 23:16:00 +0100 +Subject: [PATCH] regulator: rn5t618: fix module aliases +Git-commit: 62a1923cc8fe095912e6213ed5de27abbf1de77e +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +platform device aliases were missing, preventing +autoloading of module. + +Fixes: 811b700630ff ("regulator: rn5t618: add driver for Ricoh RN5T618 regulators") +Signed-off-by: Andreas Kemnade +Link: https://lore.kernel.org/r/20191211221600.29438-1-andreas@kemnade.info +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/regulator/rn5t618-regulator.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/rn5t618-regulator.c b/drivers/regulator/rn5t618-regulator.c +index eb807a059479..aa6e7c5341ce 100644 +--- a/drivers/regulator/rn5t618-regulator.c ++++ b/drivers/regulator/rn5t618-regulator.c +@@ -148,6 +148,7 @@ static struct platform_driver rn5t618_regulator_driver = { + + module_platform_driver(rn5t618_regulator_driver); + ++MODULE_ALIAS("platform:rn5t618-regulator"); + MODULE_AUTHOR("Beniamino Galvani "); + MODULE_DESCRIPTION("RN5T618 regulator driver"); + MODULE_LICENSE("GPL v2"); +-- +2.16.4 + diff --git a/patches.suse/reiserfs-Fix-memory-leak-of-journal-device-string.patch b/patches.suse/reiserfs-Fix-memory-leak-of-journal-device-string.patch new file mode 100644 index 0000000..ce03cf6 --- /dev/null +++ b/patches.suse/reiserfs-Fix-memory-leak-of-journal-device-string.patch @@ -0,0 +1,45 @@ +From 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 12 Dec 2019 11:30:03 +0100 +Subject: [PATCH] reiserfs: Fix memory leak of journal device string +Git-commit: 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c +Patch-mainline: v5.6-rc1 +References: bsc#1163867 + +When a filesystem is mounted with jdev mount option, we store the +journal device name in an allocated string in superblock. However we +fail to ever free that string. Fix it. + +Reported-by: syzbot+1c6756baf4b16b94d2a6@syzkaller.appspotmail.com +Fixes: c3aa077648e1 ("reiserfs: Properly display mount options in /proc/mounts") +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/reiserfs/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index 3244037b1286..d127af64283e 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -629,6 +629,7 @@ static void reiserfs_put_super(struct super_block *s) + reiserfs_write_unlock(s); + mutex_destroy(&REISERFS_SB(s)->lock); + destroy_workqueue(REISERFS_SB(s)->commit_wq); ++ kfree(REISERFS_SB(s)->s_jdev); + kfree(s->s_fs_info); + s->s_fs_info = NULL; + } +@@ -2240,6 +2241,7 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) + kfree(qf_names[j]); + } + #endif ++ kfree(sbi->s_jdev); + kfree(sbi); + + s->s_fs_info = NULL; +-- +2.16.4 + diff --git a/patches.suse/reiserfs-Fix-spurious-unlock-in-reiserfs_fill_super-.patch b/patches.suse/reiserfs-Fix-spurious-unlock-in-reiserfs_fill_super-.patch new file mode 100644 index 0000000..9eb3444 --- /dev/null +++ b/patches.suse/reiserfs-Fix-spurious-unlock-in-reiserfs_fill_super-.patch @@ -0,0 +1,37 @@ +From 4d5c1adaf893b8aa52525d2b81995e949bcb3239 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 12 Dec 2019 11:35:58 +0100 +Subject: [PATCH] reiserfs: Fix spurious unlock in reiserfs_fill_super() error + handling +Git-commit: 4d5c1adaf893b8aa52525d2b81995e949bcb3239 +Patch-mainline: v5.6-rc1 +References: bsc#1163869 + +When we fail to allocate string for journal device name we jump to +'error' label which tries to unlock reiserfs write lock which is not +held. Jump to 'error_unlocked' instead. + +Fixes: f32485be8397 ("reiserfs: delay reiserfs lock until journal initialization") +Signed-off-by: Jan Kara +Acked-by: Jan Kara + +--- + fs/reiserfs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index d127af64283e..a6bce5b1fb1d 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -1948,7 +1948,7 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) + if (!sbi->s_jdev) { + SWARN(silent, s, "", "Cannot allocate memory for " + "journal device name"); +- goto error; ++ goto error_unlocked; + } + } + #ifdef CONFIG_QUOTA +-- +2.16.4 + diff --git a/patches.suse/rsi_91x_usb-fix-interface-sanity-check.patch b/patches.suse/rsi_91x_usb-fix-interface-sanity-check.patch new file mode 100644 index 0000000..ce4101a --- /dev/null +++ b/patches.suse/rsi_91x_usb-fix-interface-sanity-check.patch @@ -0,0 +1,36 @@ +From 3139b180906af43bc09bd3373fc2338a8271d9d9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:25 +0100 +Subject: [PATCH] rsi_91x_usb: fix interface sanity check +Git-commit: 3139b180906af43bc09bd3373fc2338a8271d9d9 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver") +Cc: stable # 3.15 +Cc: Fariya Fatima +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/rsi/rsi_91x_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_usb.c ++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c +@@ -103,7 +103,7 @@ static int rsi_find_bulk_in_and_out_endp + __le16 buffer_size; + int ii, bep_found = 0; + +- iface_desc = &(interface->altsetting[0]); ++ iface_desc = interface->cur_altsetting; + + for (ii = 0; ii < iface_desc->desc.bNumEndpoints; ++ii) { + endpoint = &(iface_desc->endpoint[ii].desc); diff --git a/patches.suse/rtc-cmos-Stop-using-shared-IRQ.patch b/patches.suse/rtc-cmos-Stop-using-shared-IRQ.patch new file mode 100644 index 0000000..74f4f33 --- /dev/null +++ b/patches.suse/rtc-cmos-Stop-using-shared-IRQ.patch @@ -0,0 +1,83 @@ +From b6da197a2e9670df6f07e6698629e9ce95ab614e Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Thu, 23 Jan 2020 15:14:35 +0200 +Subject: [PATCH] rtc: cmos: Stop using shared IRQ +Git-commit: b6da197a2e9670df6f07e6698629e9ce95ab614e +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +As reported by Guilherme G. Piccoli: + +Acked-by: Takashi Iwai + +---8<---8<---8<--- + +The rtc-cmos interrupt setting was changed in the commit 079062b28fb4 +("rtc: cmos: prevent kernel warning on IRQ flags mismatch") in order +to allow shared interrupts; according to that commit's description, +some machine got kernel warnings due to the interrupt line being shared +between rtc-cmos and other hardware, and rtc-cmos didn't allow IRQ sharing +that time. + +After the aforementioned commit though it was observed a huge increase +in lost HPET interrupts in some systems, observed through the following +kernel message: + +[...] hpet1: lost 35 rtc interrupts + +After investigation, it was narrowed down to the shared interrupts +usage when having the kernel option "irqpoll" enabled. In this case, +all IRQ handlers are called for non-timer interrupts, if such handlers +are setup in shared IRQ lines. The rtc-cmos IRQ handler could be set to +hpet_rtc_interrupt(), which will produce the kernel "lost interrupts" +message after doing work - lots of readl/writel to HPET registers, which +are known to be slow. + +Although "irqpoll" is not a default kernel option, it's used in some contexts, +one being the kdump kernel (which is an already "impaired" kernel usually +running with 1 CPU available), so the performance burden could be considerable. +Also, the same issue would happen (in a shorter extent though) when using +"irqfixup" kernel option. + +In a quick experiment, a virtual machine with uptime of 2 minutes produced +>300 calls to hpet_rtc_interrupt() when "irqpoll" was set, whereas without +sharing interrupts this number reduced to 1 interrupt. Machines with more +hardware than a VM should generate even more unnecessary HPET interrupts +in this scenario. + +---8<---8<---8<--- + +After looking into the rtc-cmos driver history and DSDT table from +the Microsoft Surface 3, we may notice that Hans de Goede submitted +a correct fix (see dependency below). Thus, we simply revert +the culprit commit. + +Fixes: 079062b28fb4 ("rtc: cmos: prevent kernel warning on IRQ flags mismatch") +Depends-on: a1e23a42f1bd ("rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs") +Reported-by: Guilherme G. Piccoli +Cc: Hans de Goede +Signed-off-by: Andy Shevchenko +Tested-by: Guilherme G. Piccoli +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20200123131437.28157-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Alexandre Belloni +--- + drivers/rtc/rtc-cmos.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index 033303708c8b..cb28bbdc9e17 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -850,7 +850,7 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq) + rtc_cmos_int_handler = cmos_interrupt; + + retval = request_irq(rtc_irq, rtc_cmos_int_handler, +- IRQF_SHARED, dev_name(&cmos_rtc.rtc->dev), ++ 0, dev_name(&cmos_rtc.rtc->dev), + cmos_rtc.rtc); + if (retval < 0) { + dev_dbg(dev, "IRQ %d is already in use\n", rtc_irq); +-- +2.16.4 + diff --git a/patches.suse/rtc-dt-binding-abx80x-fix-resistance-scale.patch b/patches.suse/rtc-dt-binding-abx80x-fix-resistance-scale.patch new file mode 100644 index 0000000..df41bcc --- /dev/null +++ b/patches.suse/rtc-dt-binding-abx80x-fix-resistance-scale.patch @@ -0,0 +1,31 @@ +From 73852e56827f5cb5db9d6e8dd8191fc2f2e8f424 Mon Sep 17 00:00:00 2001 +From: Baruch Siach +Date: Mon, 19 Nov 2018 14:34:02 +0200 +Subject: [PATCH] rtc: dt-binding: abx80x: fix resistance scale +Git-commit: 73852e56827f5cb5db9d6e8dd8191fc2f2e8f424 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +The abracon,tc-resistor property value is in kOhm. + +Signed-off-by: Baruch Siach +Signed-off-by: Alexandre Belloni +Acked-by: Takashi Iwai + +--- + Documentation/devicetree/bindings/rtc/abracon,abx80x.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/rtc/abracon,abx80x.txt b/Documentation/devicetree/bindings/rtc/abracon,abx80x.txt +index be789685a1c2..18b892d010d8 100644 +--- a/Documentation/devicetree/bindings/rtc/abracon,abx80x.txt ++++ b/Documentation/devicetree/bindings/rtc/abracon,abx80x.txt +@@ -27,4 +27,4 @@ and valid to enable charging: + + - "abracon,tc-diode": should be "standard" (0.6V) or "schottky" (0.3V) + - "abracon,tc-resistor": should be <0>, <3>, <6> or <11>. 0 disables the output +- resistor, the other values are in ohm. ++ resistor, the other values are in kOhm. +-- +2.16.4 + diff --git a/patches.suse/rtc-hym8563-Return-EINVAL-if-the-time-is-known-to-be.patch b/patches.suse/rtc-hym8563-Return-EINVAL-if-the-time-is-known-to-be.patch new file mode 100644 index 0000000..e47b9d8 --- /dev/null +++ b/patches.suse/rtc-hym8563-Return-EINVAL-if-the-time-is-known-to-be.patch @@ -0,0 +1,39 @@ +From f236a2a2ebabad0848ad0995af7ad1dc7029e895 Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Thu, 12 Dec 2019 16:31:10 +0100 +Subject: [PATCH] rtc: hym8563: Return -EINVAL if the time is known to be invalid +Git-commit: f236a2a2ebabad0848ad0995af7ad1dc7029e895 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +The current code returns -EPERM when the voltage loss bit is set. +Since the bit indicates that the time value is not valid, return +-EINVAL instead, which is the appropriate error code for this +situation. + +Fixes: dcaf03849352 ("rtc: add hym8563 rtc-driver") +Signed-off-by: Paul Kocialkowski +Link: https://lore.kernel.org/r/20191212153111.966923-1-paul.kocialkowski@bootlin.com +Signed-off-by: Alexandre Belloni +Acked-by: Takashi Iwai + +--- + drivers/rtc/rtc-hym8563.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-hym8563.c b/drivers/rtc/rtc-hym8563.c +index 443f6d05ce29..fb6d7967ec00 100644 +--- a/drivers/rtc/rtc-hym8563.c ++++ b/drivers/rtc/rtc-hym8563.c +@@ -97,7 +97,7 @@ static int hym8563_rtc_read_time(struct device *dev, struct rtc_time *tm) + + if (!hym8563->valid) { + dev_warn(&client->dev, "no valid clock/calendar values available\n"); +- return -EPERM; ++ return -EINVAL; + } + + ret = i2c_smbus_read_i2c_block_data(client, HYM8563_SEC, 7, buf); +-- +2.16.4 + diff --git a/patches.suse/rtc-max8997-Fix-the-returned-value-in-case-of-error-.patch b/patches.suse/rtc-max8997-Fix-the-returned-value-in-case-of-error-.patch new file mode 100644 index 0000000..5781853 --- /dev/null +++ b/patches.suse/rtc-max8997-Fix-the-returned-value-in-case-of-error-.patch @@ -0,0 +1,36 @@ +From 41ef3878203cd9218d92eaa07df4b85a2cb128fb Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Wed, 14 Nov 2018 18:19:51 +0100 +Subject: [PATCH] rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' +Git-commit: 41ef3878203cd9218d92eaa07df4b85a2cb128fb +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +In case of error, we return 0. +This is spurious and not consistent with the other functions of the driver. +Propagate the error code instead. + +Signed-off-by: Christophe JAILLET +Signed-off-by: Alexandre Belloni +Acked-by: Takashi Iwai + +--- + drivers/rtc/rtc-max8997.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-max8997.c b/drivers/rtc/rtc-max8997.c +index 08c661a332ec..20e50d9fdf88 100644 +--- a/drivers/rtc/rtc-max8997.c ++++ b/drivers/rtc/rtc-max8997.c +@@ -215,7 +215,7 @@ static int max8997_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm) + + out: + mutex_unlock(&info->lock); +- return 0; ++ return ret; + } + + static int max8997_rtc_stop_alarm(struct max8997_rtc_info *info) +-- +2.16.4 + diff --git a/patches.suse/rtc-msm6242-Fix-reading-of-10-hour-digit.patch b/patches.suse/rtc-msm6242-Fix-reading-of-10-hour-digit.patch new file mode 100644 index 0000000..bee346b --- /dev/null +++ b/patches.suse/rtc-msm6242-Fix-reading-of-10-hour-digit.patch @@ -0,0 +1,44 @@ +From e34494c8df0cd96fc432efae121db3212c46ae48 Mon Sep 17 00:00:00 2001 +From: Kars de Jong +Date: Sat, 16 Nov 2019 12:05:48 +0100 +Subject: [PATCH] rtc: msm6242: Fix reading of 10-hour digit +Git-commit: e34494c8df0cd96fc432efae121db3212c46ae48 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +The driver was reading the wrong register as the 10-hour digit due to +a misplaced ')'. It was in fact reading the 1-second digit register due +to this bug. + +Also remove the use of a magic number for the hour mask and use the define +for it which was already present. + +Fixes: 4f9b9bba1dd1 ("rtc: Add an RTC driver for the Oki MSM6242") +Tested-by: Kars de Jong +Signed-off-by: Kars de Jong +Link: https://lore.kernel.org/r/20191116110548.8562-1-jongk@linux-m68k.org +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Alexandre Belloni +Acked-by: Takashi Iwai + +--- + drivers/rtc/rtc-msm6242.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-msm6242.c b/drivers/rtc/rtc-msm6242.c +index 1c2d3c4a4963..b1f2bedee77e 100644 +--- a/drivers/rtc/rtc-msm6242.c ++++ b/drivers/rtc/rtc-msm6242.c +@@ -133,7 +133,8 @@ static int msm6242_read_time(struct device *dev, struct rtc_time *tm) + msm6242_read(priv, MSM6242_SECOND1); + tm->tm_min = msm6242_read(priv, MSM6242_MINUTE10) * 10 + + msm6242_read(priv, MSM6242_MINUTE1); +- tm->tm_hour = (msm6242_read(priv, MSM6242_HOUR10 & 3)) * 10 + ++ tm->tm_hour = (msm6242_read(priv, MSM6242_HOUR10) & ++ MSM6242_HOUR10_HR_MASK) * 10 + + msm6242_read(priv, MSM6242_HOUR1); + tm->tm_mday = msm6242_read(priv, MSM6242_DAY10) * 10 + + msm6242_read(priv, MSM6242_DAY1); +-- +2.16.4 + diff --git a/patches.suse/rtc-pcf8523-set-xtal-load-capacitance-from-DT.patch b/patches.suse/rtc-pcf8523-set-xtal-load-capacitance-from-DT.patch new file mode 100644 index 0000000..5ac16d8 --- /dev/null +++ b/patches.suse/rtc-pcf8523-set-xtal-load-capacitance-from-DT.patch @@ -0,0 +1,90 @@ +From 189927e719e36ceefbb8037f23d3849e47833aef Mon Sep 17 00:00:00 2001 +From: Sam Ravnborg +Date: Sat, 19 Jan 2019 10:00:30 +0100 +Subject: [PATCH] rtc: pcf8523: set xtal load capacitance from DT +Git-commit: 189927e719e36ceefbb8037f23d3849e47833aef +Patch-mainline: v5.1-rc1 +References: bsc#1051510 + +Add support for specifying the xtal load capacitance in the DT node. +The pcf8523 supports xtal load capacitance of 7pF or 12.5pF. +If the rtc has the wrong configuration the time will +drift several hours/week. + +The driver use the default value 12.5pF. + +The DT may specify either 7000fF or 12500fF. +(The DT uses femto Farad to avoid decimal numbers). +Other values are warned and the driver uses the default value. + +Signed-off-by: Sam Ravnborg +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Signed-off-by: Alexandre Belloni +Acked-by: Takashi Iwai + +--- + drivers/rtc/rtc-pcf8523.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/rtc/rtc-pcf8523.c b/drivers/rtc/rtc-pcf8523.c +index fb13933f4006..b5c61a70b5df 100644 +--- a/drivers/rtc/rtc-pcf8523.c ++++ b/drivers/rtc/rtc-pcf8523.c +@@ -97,8 +97,9 @@ static int pcf8523_voltage_low(struct i2c_client *client) + return !!(value & REG_CONTROL3_BLF); + } + +-static int pcf8523_select_capacitance(struct i2c_client *client, bool high) ++static int pcf8523_load_capacitance(struct i2c_client *client) + { ++ u32 load; + u8 value; + int err; + +@@ -106,14 +107,24 @@ static int pcf8523_select_capacitance(struct i2c_client *client, bool high) + if (err < 0) + return err; + +- if (!high) +- value &= ~REG_CONTROL1_CAP_SEL; +- else ++ load = 12500; ++ of_property_read_u32(client->dev.of_node, "quartz-load-femtofarads", ++ &load); ++ ++ switch (load) { ++ default: ++ dev_warn(&client->dev, "Unknown quartz-load-femtofarads value: %d. Assuming 12500", ++ load); ++ /* fall through */ ++ case 12500: + value |= REG_CONTROL1_CAP_SEL; ++ break; ++ case 7000: ++ value &= ~REG_CONTROL1_CAP_SEL; ++ break; ++ } + + err = pcf8523_write(client, REG_CONTROL1, value); +- if (err < 0) +- return err; + + return err; + } +@@ -347,9 +358,10 @@ static int pcf8523_probe(struct i2c_client *client, + if (!pcf) + return -ENOMEM; + +- err = pcf8523_select_capacitance(client, true); ++ err = pcf8523_load_capacitance(client); + if (err < 0) +- return err; ++ dev_warn(&client->dev, "failed to set xtal load capacitance: %d", ++ err); + + err = pcf8523_set_pm(client, 0); + if (err < 0) +-- +2.16.4 + diff --git a/patches.suse/rtc-s35390a-Change-buf-s-type-to-u8-in-s35390a_init.patch b/patches.suse/rtc-s35390a-Change-buf-s-type-to-u8-in-s35390a_init.patch new file mode 100644 index 0000000..4c19a99 --- /dev/null +++ b/patches.suse/rtc-s35390a-Change-buf-s-type-to-u8-in-s35390a_init.patch @@ -0,0 +1,40 @@ +From ef0f02fd69a02b50e468a4ddbe33e3d81671e248 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Fri, 19 Oct 2018 13:43:45 -0700 +Subject: [PATCH] rtc: s35390a: Change buf's type to u8 in s35390a_init +Git-commit: ef0f02fd69a02b50e468a4ddbe33e3d81671e248 +Patch-mainline: v4.20-rc1 +References: bsc#1051510 + +Clang warns: + +drivers/rtc/rtc-s35390a.c:124:27: warning: implicit conversion from +'int' to 'char' changes value from 192 to -64 [-Wconstant-conversion] + buf = S35390A_FLAG_RESET | S35390A_FLAG_24H; + ~ ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~ +1 warning generated. + +Update buf to be an unsigned 8-bit integer, which matches the buf member +in struct i2c_msg. + +https://github.com/ClangBuiltLinux/linux/issues/145 + +Signed-off-by: Nathan Chancellor +Signed-off-by: Alexandre Belloni +Acked-by: Takashi Iwai + +--- + drivers/rtc/rtc-s35390a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-s35390a.c ++++ b/drivers/rtc/rtc-s35390a.c +@@ -113,7 +113,7 @@ static int s35390a_get_reg(struct s35390 + */ + static int s35390a_reset(struct s35390a *s35390a, char *status1) + { +- char buf; ++ u8 buf; + int ret; + unsigned initcount = 0; + diff --git a/patches.suse/rtl8xxxu-fix-interface-sanity-check.patch b/patches.suse/rtl8xxxu-fix-interface-sanity-check.patch new file mode 100644 index 0000000..8d68261 --- /dev/null +++ b/patches.suse/rtl8xxxu-fix-interface-sanity-check.patch @@ -0,0 +1,41 @@ +From 39a4281c312f2d226c710bc656ce380c621a2b16 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:24 +0100 +Subject: [PATCH] rtl8xxxu: fix interface sanity check +Git-commit: 39a4281c312f2d226c710bc656ce380c621a2b16 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Cc: stable # 4.4 +Cc: Jes Sorensen +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index aa2bb2ae9809..54a1a4ea107b 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -6384,7 +6384,7 @@ static int rtl8xxxu_parse_usb(struct rtl8xxxu_priv *priv, + u8 dir, xtype, num; + int ret = 0; + +- host_interface = &interface->altsetting[0]; ++ host_interface = interface->cur_altsetting; + interface_desc = &host_interface->desc; + endpoints = interface_desc->bNumEndpoints; + +-- +2.16.4 + diff --git a/patches.suse/rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch b/patches.suse/rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch deleted file mode 100644 index 74c989a..0000000 --- a/patches.suse/rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch +++ /dev/null @@ -1,51 +0,0 @@ -From f06eb3f9c03eda3bf7e40b49f5a4b032752bb176 Mon Sep 17 00:00:00 2001 -From: Ping-Ke Shih -Date: Fri, 29 Sep 2017 14:47:51 -0500 -Subject: [PATCH] rtlwifi: Fix MAX MPDU of VHT capability -Git-commit: f06eb3f9c03eda3bf7e40b49f5a4b032752bb176 -Patch-mainline: v4.15-rc1 -References: FATE#326906 - -We must choose only one of VHT_CAP among -IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895, -IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 and -IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454. - -Signed-off-by: Ping-Ke Shih -Signed-off-by: Larry Finger -Cc: Yan-Hsuan Chuang -Cc: Birming Chiu -Cc: Shaofu -Cc: Steven Ting -Signed-off-by: Kalle Valo -Acked-by: Takashi Iwai - ---- - drivers/net/wireless/realtek/rtlwifi/base.c | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c -index ea18aa7afecb..fcf6e31d0fb9 100644 ---- a/drivers/net/wireless/realtek/rtlwifi/base.c -+++ b/drivers/net/wireless/realtek/rtlwifi/base.c -@@ -249,8 +249,6 @@ static void _rtl_init_hw_vht_capab(struct ieee80211_hw *hw, - - vht_cap->vht_supported = true; - vht_cap->cap = -- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895 | -- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 | - IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 | - IEEE80211_VHT_CAP_SHORT_GI_80 | - IEEE80211_VHT_CAP_TXSTBC | -@@ -283,8 +281,6 @@ static void _rtl_init_hw_vht_capab(struct ieee80211_hw *hw, - - vht_cap->vht_supported = true; - vht_cap->cap = -- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895 | -- IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 | - IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 | - IEEE80211_VHT_CAP_SHORT_GI_80 | - IEEE80211_VHT_CAP_TXSTBC | --- -2.19.2 - diff --git a/patches.suse/rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch b/patches.suse/rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch deleted file mode 100644 index 52d51e2..0000000 --- a/patches.suse/rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch +++ /dev/null @@ -1,54 +0,0 @@ -From ecf4000e0d925c6ba074d11801df4a4cdd8d5324 Mon Sep 17 00:00:00 2001 -From: Ping-Ke Shih -Date: Fri, 29 Sep 2017 14:47:52 -0500 -Subject: [PATCH] rtlwifi: Remove redundant semicolon in wifi.h. -Git-commit: ecf4000e0d925c6ba074d11801df4a4cdd8d5324 -Patch-mainline: v4.15-rc1 -References: FATE#326906 - -The semicolon can cause compiler error, if it exists in if...else -statement. - -Signed-off-by: Ping-Ke Shih -Signed-off-by: Larry Finger -Cc: Yan-Hsuan Chuang -Cc: Birming Chiu -Cc: Shaofu -Cc: Steven Ting -Signed-off-by: Kalle Valo -Acked-by: Takashi Iwai - ---- - drivers/net/wireless/realtek/rtlwifi/wifi.h | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h -index 1ab1024330fb..90e875beff66 100644 ---- a/drivers/net/wireless/realtek/rtlwifi/wifi.h -+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h -@@ -2857,19 +2857,19 @@ value to host byte ordering.*/ - cpu_to_le32( \ - LE_BITS_CLEARED_TO_4BYTE(__pstart, __bitoffset, __bitlen) | \ - ((((u32)__val) & BIT_LEN_MASK_32(__bitlen)) << (__bitoffset)) \ -- ); -+ ) - #define SET_BITS_TO_LE_2BYTE(__pstart, __bitoffset, __bitlen, __val) \ - *((__le16 *)(__pstart)) = \ - cpu_to_le16( \ - LE_BITS_CLEARED_TO_2BYTE(__pstart, __bitoffset, __bitlen) | \ - ((((u16)__val) & BIT_LEN_MASK_16(__bitlen)) << (__bitoffset)) \ -- ); -+ ) - #define SET_BITS_TO_LE_1BYTE(__pstart, __bitoffset, __bitlen, __val) \ - *((u8 *)(__pstart)) = EF1BYTE \ - ( \ - LE_BITS_CLEARED_TO_1BYTE(__pstart, __bitoffset, __bitlen) | \ - ((((u8)__val) & BIT_LEN_MASK_8(__bitlen)) << (__bitoffset)) \ -- ); -+ ) - - #define N_BYTE_ALIGMENT(__value, __aligment) ((__aligment == 1) ? \ - (__value) : (((__value + __aligment - 1) / __aligment) * __aligment)) --- -2.19.2 - diff --git a/patches.suse/s390-ftrace-generate-traced-function-stack-frame.patch b/patches.suse/s390-ftrace-generate-traced-function-stack-frame.patch new file mode 100644 index 0000000..4202cda --- /dev/null +++ b/patches.suse/s390-ftrace-generate-traced-function-stack-frame.patch @@ -0,0 +1,96 @@ +From: Vasily Gorbik +Date: Tue, 10 Dec 2019 14:33:39 +0100 +Subject: s390/ftrace: generate traced function stack frame +Git-commit: 45f7a0da600d3c409b5ad8d5ddddacd98ddc8840 +Patch-mainline: v5.6-rc1 +References: jsc#SLE-11178 jsc#SLE-11179 + +Currently backtrace from ftraced function does not contain ftraced +function itself. e.g. for "path_openat": + +arch_stack_walk+0x15c/0x2d8 +stack_trace_save+0x50/0x68 +stack_trace_call+0x15e/0x3d8 +ftrace_graph_caller+0x0/0x1c <-- ftrace code +do_filp_open+0x7c/0xe8 <-- ftraced function caller +do_open_execat+0x76/0x1b8 +open_exec+0x52/0x78 +load_elf_binary+0x180/0x1160 +search_binary_handler+0x8e/0x288 +load_script+0x2a8/0x2b8 +search_binary_handler+0x8e/0x288 +__do_execve_file.isra.39+0x6fa/0xb40 +__s390x_sys_execve+0x56/0x68 +system_call+0xdc/0x2d8 + +Ftraced function is expected in the backtrace by ftrace kselftests, which +are now failing. It would also be nice to have it for clarity reasons. + +"ftrace_caller" itself is called without stack frame allocated for it +and does not store its caller (ftraced function). Instead it simply +allocates a stack frame for "ftrace_trace_function" and sets backchain +to point to ftraced function stack frame (which contains ftraced function +caller in saved r14). + +To fix this issue make "ftrace_caller" allocate a stack frame +for itself just to store ftraced function for the stack unwinder. +As a result backtrace looks like the following: + +arch_stack_walk+0x15c/0x2d8 +stack_trace_save+0x50/0x68 +stack_trace_call+0x15e/0x3d8 +ftrace_graph_caller+0x0/0x1c <-- ftrace code +path_openat+0x6/0xd60 <-- ftraced function +do_filp_open+0x7c/0xe8 <-- ftraced function caller +do_open_execat+0x76/0x1b8 +open_exec+0x52/0x78 +load_elf_binary+0x180/0x1160 +search_binary_handler+0x8e/0x288 +load_script+0x2a8/0x2b8 +search_binary_handler+0x8e/0x288 +__do_execve_file.isra.39+0x6fa/0xb40 +__s390x_sys_execve+0x56/0x68 +system_call+0xdc/0x2d8 + +Reported-by: Sven Schnelle +Tested-by: Sven Schnelle +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Acked-by: Miroslav Benes +--- + arch/s390/kernel/mcount.S | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/arch/s390/kernel/mcount.S ++++ b/arch/s390/kernel/mcount.S +@@ -24,6 +24,12 @@ ENTRY(ftrace_stub) + #define STACK_PTREGS (STACK_FRAME_OVERHEAD) + #define STACK_PTREGS_GPRS (STACK_PTREGS + __PT_GPRS) + #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW) ++#ifdef __PACK_STACK ++/* allocate just enough for r14, r15 and backchain */ ++#define TRACED_FUNC_FRAME_SIZE 24 ++#else ++#define TRACED_FUNC_FRAME_SIZE STACK_FRAME_OVERHEAD ++#endif + + ENTRY(_mcount) + BR_EX %r14 +@@ -38,9 +44,16 @@ ENTRY(ftrace_caller) + #ifndef CC_USING_HOTPATCH + aghi %r0,MCOUNT_RETURN_FIXUP + #endif +- aghi %r15,-STACK_FRAME_SIZE ++ # allocate stack frame for ftrace_caller to contain traced function ++ aghi %r15,-TRACED_FUNC_FRAME_SIZE + stg %r1,__SF_BACKCHAIN(%r15) ++ stg %r0,(__SF_GPRS+8*8)(%r15) ++ stg %r15,(__SF_GPRS+9*8)(%r15) ++ # allocate pt_regs and stack frame for ftrace_trace_function ++ aghi %r15,-STACK_FRAME_SIZE + stg %r1,(STACK_PTREGS_GPRS+15*8)(%r15) ++ aghi %r1,-TRACED_FUNC_FRAME_SIZE ++ stg %r1,__SF_BACKCHAIN(%r15) + stg %r0,(STACK_PTREGS_PSW+8)(%r15) + stmg %r2,%r14,(STACK_PTREGS_GPRS+2*8)(%r15) + #ifdef CONFIG_HAVE_MARCH_Z196_FEATURES diff --git a/patches.suse/scsi-qla2xxx-Add-D-Port-Diagnostic-reason-explanatio.patch b/patches.suse/scsi-qla2xxx-Add-D-Port-Diagnostic-reason-explanatio.patch index 6f6b8d5..c736ead 100644 --- a/patches.suse/scsi-qla2xxx-Add-D-Port-Diagnostic-reason-explanatio.patch +++ b/patches.suse/scsi-qla2xxx-Add-D-Port-Diagnostic-reason-explanatio.patch @@ -1,8 +1,7 @@ From: Joe Carnuccio Date: Tue, 17 Dec 2019 14:06:09 -0800 Subject: scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 425215647fc53ba183026e03206fa86fe5a4f542 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Add-a-shadow-variable-to-hold-disc_stat.patch b/patches.suse/scsi-qla2xxx-Add-a-shadow-variable-to-hold-disc_stat.patch index 8f8f5f0..b457c59 100644 --- a/patches.suse/scsi-qla2xxx-Add-a-shadow-variable-to-hold-disc_stat.patch +++ b/patches.suse/scsi-qla2xxx-Add-a-shadow-variable-to-hold-disc_stat.patch @@ -2,8 +2,7 @@ From: Shyam Sundar Date: Tue, 17 Dec 2019 14:06:06 -0800 Subject: scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 27258a5771446f9c7edc929ecb76fe2c12c29d97 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Cleanup-unused-async_logout_done.patch b/patches.suse/scsi-qla2xxx-Cleanup-unused-async_logout_done.patch index d0e965d..a22fda6 100644 --- a/patches.suse/scsi-qla2xxx-Cleanup-unused-async_logout_done.patch +++ b/patches.suse/scsi-qla2xxx-Cleanup-unused-async_logout_done.patch @@ -1,8 +1,7 @@ From: Shyam Sundar Date: Tue, 17 Dec 2019 14:06:07 -0800 Subject: scsi: qla2xxx: Cleanup unused async_logout_done -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 96a0eb7164d125100ac692c7efeb6e70a7585042 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Consolidate-fabric-scan.patch b/patches.suse/scsi-qla2xxx-Consolidate-fabric-scan.patch index c29db53..5c18f2f 100644 --- a/patches.suse/scsi-qla2xxx-Consolidate-fabric-scan.patch +++ b/patches.suse/scsi-qla2xxx-Consolidate-fabric-scan.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Tue, 17 Dec 2019 14:06:13 -0800 Subject: scsi: qla2xxx: Consolidate fabric scan -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: f994c6d168c66ae74890b254fdc4af055dfa9419 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Correct-fcport-flags-handling.patch b/patches.suse/scsi-qla2xxx-Correct-fcport-flags-handling.patch index 70a1c88..1781b91 100644 --- a/patches.suse/scsi-qla2xxx-Correct-fcport-flags-handling.patch +++ b/patches.suse/scsi-qla2xxx-Correct-fcport-flags-handling.patch @@ -1,8 +1,7 @@ From: Shyam Sundar Date: Tue, 17 Dec 2019 14:06:12 -0800 Subject: scsi: qla2xxx: Correct fcport flags handling -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 17e64648aa476092eb959e6e431c7ec8f7bfd4e7 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Fix-RIDA-Format-2.patch b/patches.suse/scsi-qla2xxx-Fix-RIDA-Format-2.patch index 84e4635..c9e95d2 100644 --- a/patches.suse/scsi-qla2xxx-Fix-RIDA-Format-2.patch +++ b/patches.suse/scsi-qla2xxx-Fix-RIDA-Format-2.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Tue, 17 Dec 2019 14:06:14 -0800 Subject: scsi: qla2xxx: Fix RIDA Format-2 -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 118f01e7d92e47a71baab8a32d420d98f9bbfe78 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Fix-a-NULL-pointer-dereference-in-an-er.patch b/patches.suse/scsi-qla2xxx-Fix-a-NULL-pointer-dereference-in-an-er.patch new file mode 100644 index 0000000..7db8f18 --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-a-NULL-pointer-dereference-in-an-er.patch @@ -0,0 +1,107 @@ +From: Bart Van Assche +Date: Fri, 17 Jan 2020 20:20:56 -0800 +Subject: scsi: qla2xxx: Fix a NULL pointer dereference in an error path +Patch-mainline: v5.6-rc1 +Git-commit: 17c5f65db629a3bd95ac8eb960940b6fbb39a310 +References: bsc#1157966 bsc#1158013 bsc#1157424 + +This patch fixes the following Coverity complaint: + +FORWARD_NULL + +qla_init.c: 5275 in qla2x00_configure_local_loop() +5269 +5270 if (fcport->scan_state == QLA_FCPORT_FOUND) +5271 qla24xx_fcport_handle_login(vha, fcport); +5272 } +5273 +5274 cleanup_allocation: +>>> CID 353340: (FORWARD_NULL) +>>> Passing null pointer "new_fcport" to "qla2x00_free_fcport", which dereferences it. +5275 qla2x00_free_fcport(new_fcport); +5276 +5277 if (rval != QLA_SUCCESS) { +5278 ql_dbg(ql_dbg_disc, vha, 0x2098, +5279 "Configure local loop error exit: rval=%x.\n", rval); +5280 } +qla_init.c: 5275 in qla2x00_configure_local_loop() +5269 +5270 if (fcport->scan_state == QLA_FCPORT_FOUND) +5271 qla24xx_fcport_handle_login(vha, fcport); +5272 } +5273 +5274 cleanup_allocation: +>>> CID 353340: (FORWARD_NULL) +>>> Passing null pointer "new_fcport" to "qla2x00_free_fcport", which dereferences it. +5275 qla2x00_free_fcport(new_fcport); +5276 +5277 if (rval != QLA_SUCCESS) { +5278 ql_dbg(ql_dbg_disc, vha, 0x2098, +5279 "Configure local loop error exit: rval=%x.\n", rval); +5280 } + +Fixes: 3dae220595ba ("scsi: qla2xxx: Use common routine to free fcport struct") +Cc: Himanshu Madhani +Cc: Quinn Tran +Cc: Martin Wilck +Cc: Daniel Wagner +Cc: Roman Bolshakov +Link: https://lore.kernel.org/r/20200118042056.32232-1-bvanassche@acm.org +Signed-off-by: Bart Van Assche +Reviewed-by: Ewan D. Milne +Reviewed-by: Daniel Wagner +Signed-off-by: Martin K. Petersen +--- + drivers/scsi/qla2xxx/qla_init.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -5108,7 +5108,7 @@ skip_login: + rval = qla2x00_get_id_list(vha, ha->gid_list, ha->gid_list_dma, + &entries); + if (rval != QLA_SUCCESS) +- goto cleanup_allocation; ++ goto err; + + ql_dbg(ql_dbg_disc, vha, 0x2011, + "Entries in ID list (%d).\n", entries); +@@ -5138,7 +5138,7 @@ skip_login: + ql_log(ql_log_warn, vha, 0x2012, + "Memory allocation failed for fcport.\n"); + rval = QLA_MEMORY_ALLOC_FAILED; +- goto cleanup_allocation; ++ goto err; + } + new_fcport->flags &= ~FCF_FABRIC_DEVICE; + +@@ -5228,7 +5228,7 @@ skip_login: + ql_log(ql_log_warn, vha, 0xd031, + "Failed to allocate memory for fcport.\n"); + rval = QLA_MEMORY_ALLOC_FAILED; +- goto cleanup_allocation; ++ goto err; + } + spin_lock_irqsave(&vha->hw->tgt.sess_lock, flags); + new_fcport->flags &= ~FCF_FABRIC_DEVICE; +@@ -5271,15 +5271,14 @@ skip_login: + qla24xx_fcport_handle_login(vha, fcport); + } + +-cleanup_allocation: + qla2x00_free_fcport(new_fcport); + +- if (rval != QLA_SUCCESS) { +- ql_dbg(ql_dbg_disc, vha, 0x2098, +- "Configure local loop error exit: rval=%x.\n", rval); +- } ++ return rval; + +- return (rval); ++err: ++ ql_dbg(ql_dbg_disc, vha, 0x2098, ++ "Configure local loop error exit: rval=%x.\n", rval); ++ return rval; + } + + static void diff --git a/patches.suse/scsi-qla2xxx-Fix-fabric-scan-hang.patch b/patches.suse/scsi-qla2xxx-Fix-fabric-scan-hang.patch index 70b811a..10792ff 100644 --- a/patches.suse/scsi-qla2xxx-Fix-fabric-scan-hang.patch +++ b/patches.suse/scsi-qla2xxx-Fix-fabric-scan-hang.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Tue, 17 Dec 2019 14:06:05 -0800 Subject: scsi: qla2xxx: Fix fabric scan hang -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: f57a0107359605b29f4ea9afb8ee2e03473b1448 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Fix-mtcp-dump-collection-failure.patch b/patches.suse/scsi-qla2xxx-Fix-mtcp-dump-collection-failure.patch index 9257219..854ddd5 100644 --- a/patches.suse/scsi-qla2xxx-Fix-mtcp-dump-collection-failure.patch +++ b/patches.suse/scsi-qla2xxx-Fix-mtcp-dump-collection-failure.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Tue, 17 Dec 2019 14:06:16 -0800 Subject: scsi: qla2xxx: Fix mtcp dump collection failure -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 641e0efddcbde52461e017136acd3ce7f2ef0c14 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Fix-stuck-login-session-using-prli_pend.patch b/patches.suse/scsi-qla2xxx-Fix-stuck-login-session-using-prli_pend.patch index f1ae307..6f9ad34 100644 --- a/patches.suse/scsi-qla2xxx-Fix-stuck-login-session-using-prli_pend.patch +++ b/patches.suse/scsi-qla2xxx-Fix-stuck-login-session-using-prli_pend.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Tue, 17 Dec 2019 14:06:11 -0800 Subject: scsi: qla2xxx: Fix stuck login session using prli_pend_timer -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 8aaac2d7da873aebeba92c666f82c00bbd74aaf9 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Fix-stuck-session-in-GNL.patch b/patches.suse/scsi-qla2xxx-Fix-stuck-session-in-GNL.patch index 727b58c..33ccccc 100644 --- a/patches.suse/scsi-qla2xxx-Fix-stuck-session-in-GNL.patch +++ b/patches.suse/scsi-qla2xxx-Fix-stuck-session-in-GNL.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Tue, 17 Dec 2019 14:06:15 -0800 Subject: scsi: qla2xxx: Fix stuck session in GNL -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: e1217dc3edce62895595cf484af33b9e0379b7f3 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Fix-the-endianness-of-the-qla82xx_get_f.patch b/patches.suse/scsi-qla2xxx-Fix-the-endianness-of-the-qla82xx_get_f.patch index 87d4a55..2830b0c 100644 --- a/patches.suse/scsi-qla2xxx-Fix-the-endianness-of-the-qla82xx_get_f.patch +++ b/patches.suse/scsi-qla2xxx-Fix-the-endianness-of-the-qla82xx_get_f.patch @@ -2,8 +2,7 @@ From: Bart Van Assche Date: Wed, 18 Dec 2019 16:49:05 -0800 Subject: scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 3f5f7335e5e234e340b48ecb24c2aba98a61f934 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Fix-unbound-NVME-response-length.patch b/patches.suse/scsi-qla2xxx-Fix-unbound-NVME-response-length.patch new file mode 100644 index 0000000..2beec4c --- /dev/null +++ b/patches.suse/scsi-qla2xxx-Fix-unbound-NVME-response-length.patch @@ -0,0 +1,76 @@ +From: Arun Easi +Date: Thu, 23 Jan 2020 20:50:14 -0800 +Subject: scsi: qla2xxx: Fix unbound NVME response length +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Git-commit: 538e574b23489452ab06f61e83c1f6b5f984ab7e +References: bsc#1157966 bsc#1158013 bsc#1157424 + +On certain cases when response length is less than 32, NVME response data +is supplied inline in IOCB. This is indicated by some combination of state +flags. There was an instance when a high, and incorrect, response length +was indicated causing driver to overrun buffers. Fix this by checking and +limiting the response payload length. + +Fixes: 7401bc18d1ee3 ("scsi: qla2xxx: Add FC-NVMe command handling") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200124045014.23554-1-hmadhani@marvell.com +Signed-off-by: Arun Easi +Signed-off-by: Himanshu Madhani +Reviewed-by: Ewan D. Milne +Signed-off-by: Martin K. Petersen +Acked-by: Daniel Wagner +--- + drivers/scsi/qla2xxx/qla_dbg.c | 6 ------ + drivers/scsi/qla2xxx/qla_dbg.h | 6 ++++++ + drivers/scsi/qla2xxx/qla_isr.c | 12 ++++++++++++ + 3 files changed, 18 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_dbg.c ++++ b/drivers/scsi/qla2xxx/qla_dbg.c +@@ -2519,12 +2519,6 @@ qla83xx_fw_dump_failed: + /* Driver Debug Functions. */ + /****************************************************************************/ + +-static inline int +-ql_mask_match(uint level) +-{ +- return (level & ql2xextended_error_logging) == level; +-} +- + /* + * This function is for formatting and logging debug information. + * It is to be used when vha is available. It formats the message +--- a/drivers/scsi/qla2xxx/qla_dbg.h ++++ b/drivers/scsi/qla2xxx/qla_dbg.h +@@ -374,3 +374,9 @@ extern int qla24xx_dump_ram(struct qla_h + extern void qla24xx_pause_risc(struct device_reg_24xx __iomem *, + struct qla_hw_data *); + extern int qla24xx_soft_reset(struct qla_hw_data *); ++ ++static inline int ++ql_mask_match(uint level) ++{ ++ return (level & ql2xextended_error_logging) == level; ++} +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -1939,6 +1939,18 @@ static void qla24xx_nvme_iocb_entry(scsi + inbuf = (uint32_t *)&sts->nvme_ersp_data; + outbuf = (uint32_t *)fd->rspaddr; + iocb->u.nvme.rsp_pyld_len = le16_to_cpu(sts->nvme_rsp_pyld_len); ++ if (unlikely(iocb->u.nvme.rsp_pyld_len > ++ sizeof(struct nvme_fc_ersp_iu))) { ++ if (ql_mask_match(ql_dbg_io)) { ++ WARN_ONCE(1, "Unexpected response payload length %u.\n", ++ iocb->u.nvme.rsp_pyld_len); ++ ql_log(ql_log_warn, fcport->vha, 0x5100, ++ "Unexpected response payload length %u.\n", ++ iocb->u.nvme.rsp_pyld_len); ++ } ++ iocb->u.nvme.rsp_pyld_len = ++ sizeof(struct nvme_fc_ersp_iu); ++ } + iter = iocb->u.nvme.rsp_pyld_len >> 2; + for (; iter; iter--) + *outbuf++ = swab32(*inbuf++); diff --git a/patches.suse/scsi-qla2xxx-Fix-update_fcport-for-current_topology.patch b/patches.suse/scsi-qla2xxx-Fix-update_fcport-for-current_topology.patch index 576d9e0..9f59554 100644 --- a/patches.suse/scsi-qla2xxx-Fix-update_fcport-for-current_topology.patch +++ b/patches.suse/scsi-qla2xxx-Fix-update_fcport-for-current_topology.patch @@ -1,8 +1,7 @@ From: Himanshu Madhani Date: Tue, 17 Dec 2019 14:06:08 -0800 Subject: scsi: qla2xxx: Fix update_fcport for current_topology -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 89eb2e7e794da2691e5aca02ed102bb287e3575a References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Improve-readability-of-the-code-that-ha.patch b/patches.suse/scsi-qla2xxx-Improve-readability-of-the-code-that-ha.patch index 06ce483..880ac46 100644 --- a/patches.suse/scsi-qla2xxx-Improve-readability-of-the-code-that-ha.patch +++ b/patches.suse/scsi-qla2xxx-Improve-readability-of-the-code-that-ha.patch @@ -2,8 +2,7 @@ From: Bart Van Assche Date: Wed, 18 Dec 2019 16:47:06 -0800 Subject: scsi: qla2xxx: Improve readability of the code that handles qla_flt_header -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: a27747a207887420106aca284c0e98ba5e547d78 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Remove-defer-flag-to-indicate-immeadiat.patch b/patches.suse/scsi-qla2xxx-Remove-defer-flag-to-indicate-immeadiat.patch index cd4c9c4..976b2f8 100644 --- a/patches.suse/scsi-qla2xxx-Remove-defer-flag-to-indicate-immeadiat.patch +++ b/patches.suse/scsi-qla2xxx-Remove-defer-flag-to-indicate-immeadiat.patch @@ -1,8 +1,7 @@ From: Himanshu Madhani Date: Tue, 17 Dec 2019 14:06:04 -0800 Subject: scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 3c75ad1d87c7d277c6174051b98757fe981d592d References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Update-driver-version-to-10.01.00.22-k.patch b/patches.suse/scsi-qla2xxx-Update-driver-version-to-10.01.00.22-k.patch index de315cf..0c09cb7 100644 --- a/patches.suse/scsi-qla2xxx-Update-driver-version-to-10.01.00.22-k.patch +++ b/patches.suse/scsi-qla2xxx-Update-driver-version-to-10.01.00.22-k.patch @@ -1,8 +1,7 @@ From: Himanshu Madhani Date: Tue, 17 Dec 2019 14:06:17 -0800 Subject: scsi: qla2xxx: Update driver version to 10.01.00.22-k -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 5a2673267a4900104f44a6335e344a4e3024f146 References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Use-common-routine-to-free-fcport-struc.patch b/patches.suse/scsi-qla2xxx-Use-common-routine-to-free-fcport-struc.patch index f148fbd..2536b6c 100644 --- a/patches.suse/scsi-qla2xxx-Use-common-routine-to-free-fcport-struc.patch +++ b/patches.suse/scsi-qla2xxx-Use-common-routine-to-free-fcport-struc.patch @@ -1,8 +1,7 @@ From: Quinn Tran Date: Tue, 17 Dec 2019 14:06:10 -0800 Subject: scsi: qla2xxx: Use common routine to free fcport struct -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: 3dae220595baa7a9fb582b851b54c10ad6a0cbae References: bsc#1158013 diff --git a/patches.suse/scsi-qla2xxx-Use-get_unaligned_-instead-of-open-codi.patch b/patches.suse/scsi-qla2xxx-Use-get_unaligned_-instead-of-open-codi.patch index 16dfb6b..b5e076a 100644 --- a/patches.suse/scsi-qla2xxx-Use-get_unaligned_-instead-of-open-codi.patch +++ b/patches.suse/scsi-qla2xxx-Use-get_unaligned_-instead-of-open-codi.patch @@ -2,8 +2,7 @@ From: Bart Van Assche Date: Wed, 18 Dec 2019 16:50:50 -0800 Subject: scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git +Patch-mainline: v5.6-rc1 Git-commit: a9c4ae108610716140bdec56ae0bebbe1c5cbe49 References: bsc#1158013 diff --git a/patches.suse/sctp-fully-initialize-v4-addr-in-some-functions.patch b/patches.suse/sctp-fully-initialize-v4-addr-in-some-functions.patch new file mode 100644 index 0000000..48d192d --- /dev/null +++ b/patches.suse/sctp-fully-initialize-v4-addr-in-some-functions.patch @@ -0,0 +1,105 @@ +From: Xin Long +Date: Mon, 9 Dec 2019 13:45:54 +0800 +Subject: sctp: fully initialize v4 addr in some functions +Git-commit: b6f3320b1d5267e7b583a6d0c88dda518101740c +Patch-mainline: 5.5-rc3 +References: networking-stable-19_12_28 + +Syzbot found a crash: + + BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline] + BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline] + BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202 + Call Trace: + crc32_body lib/crc32.c:112 [inline] + crc32_le_generic lib/crc32.c:179 [inline] + __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202 + chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90 + crypto_shash_update+0x4c5/0x530 crypto/shash.c:107 + crc32c+0x150/0x220 lib/libcrc32c.c:47 + sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36 + __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640 + sctp_compute_cksum include/net/sctp/checksum.h:59 [inline] + sctp_packet_pack net/sctp/output.c:528 [inline] + sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597 + sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline] + sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194 + sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757 + sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline] + sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline] + sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155 + sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185 + sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433 + sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline] + sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672 + +The issue was caused by transport->ipaddr set with uninit addr param, which +was passed by: + + sctp_transport_init net/sctp/transport.c:47 [inline] + sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100 + sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611 + sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline] + +where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize +the padding of addr->v4. + +Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr) +will become the part of skb, and the issue occurs. + +This patch is to fix it by initializing the padding of addr->v4 in +sctp_v4_from_addr_param(), as well as other functions that do the similar +thing, and these functions shouldn't trust that the caller initializes the +memory, as Marcelo suggested. + +Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/sctp/protocol.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -254,6 +254,7 @@ static void sctp_v4_from_skb(union sctp_ + sa->sin_port = sh->dest; + sa->sin_addr.s_addr = ip_hdr(skb)->daddr; + } ++ memset(sa->sin_zero, 0, sizeof(sa->sin_zero)); + } + + /* Initialize an sctp_addr from a socket. */ +@@ -262,6 +263,7 @@ static void sctp_v4_from_sk(union sctp_a + addr->v4.sin_family = AF_INET; + addr->v4.sin_port = 0; + addr->v4.sin_addr.s_addr = inet_sk(sk)->inet_rcv_saddr; ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + } + + /* Initialize sk->sk_rcv_saddr from sctp_addr. */ +@@ -284,6 +286,7 @@ static void sctp_v4_from_addr_param(unio + addr->v4.sin_family = AF_INET; + addr->v4.sin_port = port; + addr->v4.sin_addr.s_addr = param->v4.addr.s_addr; ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + } + + /* Initialize an address parameter from a sctp_addr and return the length +@@ -308,6 +311,7 @@ static void sctp_v4_dst_saddr(union sctp + saddr->v4.sin_family = AF_INET; + saddr->v4.sin_port = port; + saddr->v4.sin_addr.s_addr = fl4->saddr; ++ memset(saddr->v4.sin_zero, 0, sizeof(saddr->v4.sin_zero)); + } + + /* Compare two addresses exactly. */ +@@ -330,6 +334,7 @@ static void sctp_v4_inaddr_any(union sct + addr->v4.sin_family = AF_INET; + addr->v4.sin_addr.s_addr = htonl(INADDR_ANY); + addr->v4.sin_port = port; ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + } + + /* Is this a wildcard address? */ diff --git a/patches.suse/serial-8250_bcm2835aux-Fix-line-mismatch-on-driver-u.patch b/patches.suse/serial-8250_bcm2835aux-Fix-line-mismatch-on-driver-u.patch new file mode 100644 index 0000000..27d78d6 --- /dev/null +++ b/patches.suse/serial-8250_bcm2835aux-Fix-line-mismatch-on-driver-u.patch @@ -0,0 +1,54 @@ +From dc76697d7e933d5e299116f219c890568785ea15 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 16 Jan 2020 13:14:01 +0100 +Subject: [PATCH] serial: 8250_bcm2835aux: Fix line mismatch on driver unbind +Git-commit: dc76697d7e933d5e299116f219c890568785ea15 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Unbinding the bcm2835aux UART driver raises the following error if the +maximum number of 8250 UARTs is set to 1 (via the 8250.nr_uarts module +parameter or CONFIG_SERIAL_8250_RUNTIME_UARTS): + +(NULL device *): Removing wrong port: a6f80333 != fa20408b + +That's because bcm2835aux_serial_probe() retrieves UART line number 1 +from the devicetree and stores it in data->uart.port.line, while +serial8250_register_8250_port() instead uses UART line number 0, +which is stored in data->line. + +On driver unbind, bcm2835aux_serial_remove() uses data->uart.port.line, +which contains the wrong number. Fix it. + +The issue does not occur if the maximum number of 8250 UARTs is >= 2. + +Fixes: bdc5f3009580 ("serial: bcm2835: add driver for bcm2835-aux-uart") +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v4.6+ +Cc: Martin Sperl +Reviewed-by: Nicolas Saenz Julienne +Tested-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/912ccf553c5258135c6d7e8f404a101ef320f0f4.1579175223.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/8250/8250_bcm2835aux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_bcm2835aux.c b/drivers/tty/serial/8250/8250_bcm2835aux.c +index 8ce700c1a7fc..4997c519ebb3 100644 +--- a/drivers/tty/serial/8250/8250_bcm2835aux.c ++++ b/drivers/tty/serial/8250/8250_bcm2835aux.c +@@ -113,7 +113,7 @@ static int bcm2835aux_serial_remove(struct platform_device *pdev) + { + struct bcm2835aux_data *data = platform_get_drvdata(pdev); + +- serial8250_unregister_port(data->uart.port.line); ++ serial8250_unregister_port(data->line); + clk_disable_unprepare(data->clk); + + return 0; +-- +2.16.4 + diff --git a/patches.suse/serial-ifx6x60-add-missed-pm_runtime_disable.patch b/patches.suse/serial-ifx6x60-add-missed-pm_runtime_disable.patch new file mode 100644 index 0000000..add88b8 --- /dev/null +++ b/patches.suse/serial-ifx6x60-add-missed-pm_runtime_disable.patch @@ -0,0 +1,38 @@ +From 50b2b571c5f3df721fc81bf9a12c521dfbe019ba Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan +Date: Mon, 18 Nov 2019 10:48:33 +0800 +Subject: [PATCH] serial: ifx6x60: add missed pm_runtime_disable +Git-commit: 50b2b571c5f3df721fc81bf9a12c521dfbe019ba +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +The driver forgets to call pm_runtime_disable in remove. +Add the missed calls to fix it. + +Signed-off-by: Chuhong Yuan +Cc: stable +Link: https://lore.kernel.org/r/20191118024833.21587-1-hslester96@gmail.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/ifx6x60.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/serial/ifx6x60.c b/drivers/tty/serial/ifx6x60.c +index ffefd218761e..31033d517e82 100644 +--- a/drivers/tty/serial/ifx6x60.c ++++ b/drivers/tty/serial/ifx6x60.c +@@ -1230,6 +1230,9 @@ static int ifx_spi_spi_remove(struct spi_device *spi) + struct ifx_spi_device *ifx_dev = spi_get_drvdata(spi); + /* stop activity */ + tasklet_kill(&ifx_dev->io_work_tasklet); ++ ++ pm_runtime_disable(&spi->dev); ++ + /* free irq */ + free_irq(gpio_to_irq(ifx_dev->gpio.reset_out), ifx_dev); + free_irq(gpio_to_irq(ifx_dev->gpio.srdy), ifx_dev); +-- +2.16.4 + diff --git a/patches.suse/serial-pl011-Fix-DMA-flush_buffer.patch b/patches.suse/serial-pl011-Fix-DMA-flush_buffer.patch new file mode 100644 index 0000000..e1f8aa6 --- /dev/null +++ b/patches.suse/serial-pl011-Fix-DMA-flush_buffer.patch @@ -0,0 +1,78 @@ +From f6a196477184b99a31d16366a8e826558aa11f6d Mon Sep 17 00:00:00 2001 +From: Vincent Whitchurch +Date: Mon, 18 Nov 2019 10:25:47 +0100 +Subject: [PATCH] serial: pl011: Fix DMA ->flush_buffer() +Git-commit: f6a196477184b99a31d16366a8e826558aa11f6d +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +PL011's ->flush_buffer() implementation releases and reacquires the port +lock. Due to a race condition here, data can end up being added to the +circular buffer but neither being discarded nor being sent out. This +leads to, for example, tcdrain(2) waiting indefinitely. + +Process A Process B + +uart_flush_buffer() + - acquire lock + - circ_clear + - pl011_flush_buffer() + -- release lock + -- dmaengine_terminate_all() + + uart_write() + - acquire lock + - add chars to circ buffer + - start_tx() + -- start DMA + - release lock + + -- acquire lock + -- turn off DMA + -- release lock + + // Data in circ buffer but DMA is off + +According to the comment in the code, the releasing of the lock around +dmaengine_terminate_all() is to avoid a deadlock with the DMA engine +callback. However, since the time this code was written, the DMA engine +API documentation seems to have been clarified to say that +dmaengine_terminate_all() (in the identically implemented but +differently named dmaengine_terminate_async() variant) does not wait for +any running complete callback to be completed and can even be called +from a complete callback. So there is no possibility of deadlock if the +DMA engine driver implements this API correctly. + +So we should be able to just remove this release and reacquire of the +lock to prevent the aforementioned race condition. + +Signed-off-by: Vincent Whitchurch +Cc: stable +Link: https://lore.kernel.org/r/20191118092547.32135-1-vincent.whitchurch@axis.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/amba-pl011.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index 38e2d25f7e23..4b28134d596a 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -813,10 +813,8 @@ __acquires(&uap->port.lock) + if (!uap->using_tx_dma) + return; + +- /* Avoid deadlock with the DMA engine callback */ +- spin_unlock(&uap->port.lock); +- dmaengine_terminate_all(uap->dmatx.chan); +- spin_lock(&uap->port.lock); ++ dmaengine_terminate_async(uap->dmatx.chan); ++ + if (uap->dmatx.queued) { + dma_unmap_sg(uap->dmatx.chan->device->dev, &uap->dmatx.sg, 1, + DMA_TO_DEVICE); +-- +2.16.4 + diff --git a/patches.suse/serial-serial_core-Perform-NULL-checks-for-break_ctl.patch b/patches.suse/serial-serial_core-Perform-NULL-checks-for-break_ctl.patch new file mode 100644 index 0000000..45cf2a7 --- /dev/null +++ b/patches.suse/serial-serial_core-Perform-NULL-checks-for-break_ctl.patch @@ -0,0 +1,131 @@ +From 7d73170e1c282576419f8b50a771f1fcd2b81a94 Mon Sep 17 00:00:00 2001 +From: Jiangfeng Xiao +Date: Wed, 20 Nov 2019 23:18:53 +0800 +Subject: [PATCH] serial: serial_core: Perform NULL checks for break_ctl ops +Git-commit: 7d73170e1c282576419f8b50a771f1fcd2b81a94 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +Doing fuzz test on sbsa uart device, causes a kernel crash +due to NULL pointer dereference: + +Acked-by: Takashi Iwai + +------------[ cut here ]------------ +Unable to handle kernel paging request at virtual address fffffffffffffffc +pgd = ffffffe331723000 +[fffffffffffffffc] *pgd=0000002333595003, *pud=0000002333595003, *pmd=00000 +Internal error: Oops: 96000005 [#1] PREEMPT SMP +Modules linked in: ping(O) jffs2 rtos_snapshot(O) pramdisk(O) hisi_sfc(O) +Drv_Nandc_K(O) Drv_SysCtl_K(O) Drv_SysClk_K(O) bsp_reg(O) hns3(O) +hns3_uio_enet(O) hclgevf(O) hclge(O) hnae3(O) mdio_factory(O) +mdio_registry(O) mdio_dev(O) mdio(O) hns3_info(O) rtos_kbox_panic(O) +uart_suspend(O) rsm(O) stp llc tunnel4 xt_tcpudp ipt_REJECT nf_reject_ipv4 +iptable_filter ip_tables x_tables sd_mod xhci_plat_hcd xhci_pci xhci_hcd +usbmon usbhid usb_storage ohci_platform ohci_pci ohci_hcd hid_generic hid +ehci_platform ehci_pci ehci_hcd vfat fat usbcore usb_common scsi_mod +yaffs2multi(O) ext4 jbd2 ext2 mbcache ofpart i2c_dev i2c_core uio ubi nand +nand_ecc nand_ids cfi_cmdset_0002 cfi_cmdset_0001 cfi_probe gen_probe +cmdlinepart chipreg mtdblock mtd_blkdevs mtd nfsd auth_rpcgss oid_registry +nfsv3 nfs nfs_acl lockd sunrpc grace autofs4 +CPU: 2 PID: 2385 Comm: tty_fuzz_test Tainted: G O 4.4.193 #1 +task: ffffffe32b23f110 task.stack: ffffffe32bda4000 +PC is at uart_break_ctl+0x44/0x84 +LR is at uart_break_ctl+0x34/0x84 +pc : [] lr : [] pstate: 80000005 +sp : ffffffe32bda7cc0 +x29: ffffffe32bda7cc0 x28: ffffffe32b23f110 +x27: ffffff8393402000 x26: 0000000000000000 +x25: ffffffe32b233f40 x24: ffffffc07a8ec680 +x23: 0000000000005425 x22: 00000000ffffffff +x21: ffffffe33ed73c98 x20: 0000000000000000 +x19: ffffffe33ed94168 x18: 0000000000000004 +x17: 0000007f92ae9d30 x16: ffffff8392fa6064 +x15: 0000000000000010 x14: 0000000000000000 +x13: 0000000000000000 x12: 0000000000000000 +x11: 0000000000000020 x10: 0000007ffdac1708 +x9 : 0000000000000078 x8 : 000000000000001d +x7 : 0000000052a64887 x6 : ffffffe32bda7e08 +x5 : ffffffe32b23c000 x4 : 0000005fbc5b0000 +x3 : ffffff83938d5018 x2 : 0000000000000080 +x1 : ffffffe32b23c040 x0 : ffffff83934428f8 +virtual start addr offset is 38ac00000 +module base offset is 2cd4cf1000 +linear region base offset is : 0 +Process tty_fuzz_test (pid: 2385, stack limit = 0xffffffe32bda4000) +Stack: (0xffffffe32bda7cc0 to 0xffffffe32bda8000) +7cc0: ffffffe32bda7cf0 ffffff8393177718 ffffffc07a8ec680 ffffff8393196054 +7ce0: 000000001739f2e0 0000007ffdac1978 ffffffe32bda7d20 ffffff8393179a1c +7d00: 0000000000000000 ffffff8393c0a000 ffffffc07a8ec680 cb88537fdc8ba600 +7d20: ffffffe32bda7df0 ffffff8392fa5a40 ffffff8393c0a000 0000000000005425 +7d40: 0000007ffdac1978 ffffffe32b233f40 ffffff8393178dcc 0000000000000003 +7d60: 000000000000011d 000000000000001d ffffffe32b23f110 000000000000029e +7d80: ffffffe34fe8d5d0 0000000000000000 ffffffe32bda7e14 cb88537fdc8ba600 +7da0: ffffffe32bda7e30 ffffff8393042cfc ffffff8393c41720 ffffff8393c46410 +7dc0: ffffff839304fa68 ffffffe32b233f40 0000000000005425 0000007ffdac1978 +7de0: 000000000000011d cb88537fdc8ba600 ffffffe32bda7e70 ffffff8392fa60cc +7e00: 0000000000000000 ffffffe32b233f40 ffffffe32b233f40 0000000000000003 +7e20: 0000000000005425 0000007ffdac1978 ffffffe32bda7e70 ffffff8392fa60b0 +7e40: 0000000000000280 ffffffe32b233f40 ffffffe32b233f40 0000000000000003 +7e60: 0000000000005425 cb88537fdc8ba600 0000000000000000 ffffff8392e02e78 +7e80: 0000000000000280 0000005fbc5b0000 ffffffffffffffff 0000007f92ae9d3c +7ea0: 0000000060000000 0000000000000015 0000000000000003 0000000000005425 +7ec0: 0000007ffdac1978 0000000000000000 00000000a54c910e 0000007f92b95014 +7ee0: 0000007f92b95090 0000000052a64887 000000000000001d 0000000000000078 +7f00: 0000007ffdac1708 0000000000000020 0000000000000000 0000000000000000 +7f20: 0000000000000000 0000000000000010 000000556acf0090 0000007f92ae9d30 +7f40: 0000000000000004 000000556acdef10 0000000000000000 000000556acdebd0 +7f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +7f80: 0000000000000000 0000000000000000 0000000000000000 0000007ffdac1840 +7fa0: 000000556acdedcc 0000007ffdac1840 0000007f92ae9d3c 0000000060000000 +7fc0: 0000000000000000 0000000000000000 0000000000000003 000000000000001d +7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +Call trace: +Exception stack(0xffffffe32bda7ab0 to 0xffffffe32bda7bf0) +7aa0: 0000000000001000 0000007fffffffff +7ac0: ffffffe32bda7cc0 ffffff8393196098 0000000080000005 0000000000000025 +7ae0: ffffffe32b233f40 ffffff83930d777c ffffffe32bda7b30 ffffff83930d777c +7b00: ffffffe32bda7be0 ffffff83938d5000 ffffffe32bda7be0 ffffffe32bda7c20 +7b20: ffffffe32bda7b60 ffffff83930d777c ffffffe32bda7c10 ffffff83938d5000 +7b40: ffffffe32bda7c10 ffffffe32bda7c50 ffffff8393c0a000 ffffffe32b23f110 +7b60: ffffffe32bda7b70 ffffff8392e09df4 ffffffe32bda7bb0 cb88537fdc8ba600 +7b80: ffffff83934428f8 ffffffe32b23c040 0000000000000080 ffffff83938d5018 +7ba0: 0000005fbc5b0000 ffffffe32b23c000 ffffffe32bda7e08 0000000052a64887 +7bc0: 000000000000001d 0000000000000078 0000007ffdac1708 0000000000000020 +7be0: 0000000000000000 0000000000000000 +[] uart_break_ctl+0x44/0x84 +[] send_break+0xa0/0x114 +[] tty_ioctl+0xc50/0xe84 +[] do_vfs_ioctl+0xc4/0x6e8 +[] SyS_ioctl+0x68/0x9c +[] __sys_trace_return+0x0/0x4 +Code: b9410ea0 34000160 f9408aa0 f9402814 (b85fc280) +---[ end trace 8606094f1960c5e0 ]--- +Kernel panic - not syncing: Fatal exception + +Fix this problem by adding NULL checks prior to calling break_ctl ops. + +Signed-off-by: Jiangfeng Xiao +Cc: stable +Link: https://lore.kernel.org/r/1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index c4a414a46c7f..b0a6eb106edb 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -1111,7 +1111,7 @@ static int uart_break_ctl(struct tty_struct *tty, int break_state) + if (!uport) + goto out; + +- if (uport->type != PORT_UNKNOWN) ++ if (uport->type != PORT_UNKNOWN && uport->ops->break_ctl) + uport->ops->break_ctl(uport, break_state); + ret = 0; + out: +-- +2.16.4 + diff --git a/patches.suse/serial-stm32-fix-transmit_chars-when-tx-is-stopped.patch b/patches.suse/serial-stm32-fix-transmit_chars-when-tx-is-stopped.patch new file mode 100644 index 0000000..7cd172c --- /dev/null +++ b/patches.suse/serial-stm32-fix-transmit_chars-when-tx-is-stopped.patch @@ -0,0 +1,52 @@ +From b83b957c91f68e53f0dc596e129e8305761f2a32 Mon Sep 17 00:00:00 2001 +From: Erwan Le Ray +Date: Tue, 21 May 2019 17:45:44 +0200 +Subject: [PATCH] serial: stm32: fix transmit_chars when tx is stopped +Git-commit: b83b957c91f68e53f0dc596e129e8305761f2a32 +Patch-mainline: v5.3-rc1 +References: bsc#1051510 + +Disables the tx irq when the transmission is ended and updates stop_tx +conditions for code cleanup. + +Fixes: 48a6092fb41f ("serial: stm32-usart: Add STM32 USART Driver") +Signed-off-by: Erwan Le Ray +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/stm32-usart.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c +index 0a7953e5ce47..2e7757d5e5d8 100644 +--- a/drivers/tty/serial/stm32-usart.c ++++ b/drivers/tty/serial/stm32-usart.c +@@ -420,13 +420,8 @@ static void stm32_transmit_chars(struct uart_port *port) + return; + } + +- if (uart_tx_stopped(port)) { +- stm32_stop_tx(port); +- return; +- } +- +- if (uart_circ_empty(xmit)) { +- stm32_stop_tx(port); ++ if (uart_circ_empty(xmit) || uart_tx_stopped(port)) { ++ stm32_clr_bits(port, ofs->cr1, USART_CR1_TXEIE); + return; + } + +@@ -439,7 +434,7 @@ static void stm32_transmit_chars(struct uart_port *port) + uart_write_wakeup(port); + + if (uart_circ_empty(xmit)) +- stm32_stop_tx(port); ++ stm32_clr_bits(port, ofs->cr1, USART_CR1_TXEIE); + } + + static irqreturn_t stm32_interrupt(int irq, void *ptr) +-- +2.16.4 + diff --git a/patches.suse/sh_eth-TSU_QTAG0-1-registers-the-same-as-TSU_QTAGM0-.patch b/patches.suse/sh_eth-TSU_QTAG0-1-registers-the-same-as-TSU_QTAGM0-.patch new file mode 100644 index 0000000..fac4418 --- /dev/null +++ b/patches.suse/sh_eth-TSU_QTAG0-1-registers-the-same-as-TSU_QTAGM0-.patch @@ -0,0 +1,83 @@ +From 4869a1476df5ef2d09fa52acc9cfcc21b47194c5 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Sat, 24 Feb 2018 20:28:16 +0300 +Subject: [PATCH] sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 +Git-commit: 4869a1476df5ef2d09fa52acc9cfcc21b47194c5 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +The TSU_QTAG0/1 registers found in the Gigabit Ether controllers actually +have the same long name as the TSU_QTAGM0/1 registers in the early Ether +Controllers: Qtag Addition/Deletion Set Register (Port 0/1 to 1/0); thus +there's no need to make a difference in sh_eth_tsu_init() between those +controllers. Unfortunately, we can't just remove TSU_QTAG0/1 from the +register *enum* because that would break the ethtool register dump... + +Fixes: b0ca2a21f769 ("sh_eth: Add support of SH7763 to sh_eth") +Signed-off-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/renesas/sh_eth.c | 15 ++++----------- + drivers/net/ethernet/renesas/sh_eth.h | 4 ++-- + 2 files changed, 6 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index d7d5a6d15219..4502ff7bc19f 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -123,8 +123,8 @@ static const u16 sh_eth_offset_gigabit[SH_ETH_MAX_REGISTER_OFFSET] = { + [TSU_FWSL0] = 0x0030, + [TSU_FWSL1] = 0x0034, + [TSU_FWSLC] = 0x0038, +- [TSU_QTAG0] = 0x0040, +- [TSU_QTAG1] = 0x0044, ++ [TSU_QTAGM0] = 0x0040, ++ [TSU_QTAGM1] = 0x0044, + [TSU_FWSR] = 0x0050, + [TSU_FWINMK] = 0x0054, + [TSU_ADQT0] = 0x0048, +@@ -2097,8 +2097,6 @@ static size_t __sh_eth_get_regs(struct net_device *ndev, u32 *buf) + add_tsu_reg(TSU_FWSL0); + add_tsu_reg(TSU_FWSL1); + add_tsu_reg(TSU_FWSLC); +- add_tsu_reg(TSU_QTAG0); +- add_tsu_reg(TSU_QTAG1); + add_tsu_reg(TSU_QTAGM0); + add_tsu_reg(TSU_QTAGM1); + add_tsu_reg(TSU_FWSR); +@@ -2934,13 +2932,8 @@ static void sh_eth_tsu_init(struct sh_eth_private *mdp) + sh_eth_tsu_write(mdp, 0, TSU_FWSL0); + sh_eth_tsu_write(mdp, 0, TSU_FWSL1); + sh_eth_tsu_write(mdp, TSU_FWSLC_POSTENU | TSU_FWSLC_POSTENL, TSU_FWSLC); +- if (sh_eth_is_gether(mdp)) { +- sh_eth_tsu_write(mdp, 0, TSU_QTAG0); /* Disable QTAG(0->1) */ +- sh_eth_tsu_write(mdp, 0, TSU_QTAG1); /* Disable QTAG(1->0) */ +- } else { +- sh_eth_tsu_write(mdp, 0, TSU_QTAGM0); /* Disable QTAG(0->1) */ +- sh_eth_tsu_write(mdp, 0, TSU_QTAGM1); /* Disable QTAG(1->0) */ +- } ++ sh_eth_tsu_write(mdp, 0, TSU_QTAGM0); /* Disable QTAG(0->1) */ ++ sh_eth_tsu_write(mdp, 0, TSU_QTAGM1); /* Disable QTAG(1->0) */ + sh_eth_tsu_write(mdp, 0, TSU_FWSR); /* all interrupt status clear */ + sh_eth_tsu_write(mdp, 0, TSU_FWINMK); /* Disable all interrupt */ + sh_eth_tsu_write(mdp, 0, TSU_TEN); /* Disable all CAM entry */ +diff --git a/drivers/net/ethernet/renesas/sh_eth.h b/drivers/net/ethernet/renesas/sh_eth.h +index a6753ccba711..35bfeeb3fcdc 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.h ++++ b/drivers/net/ethernet/renesas/sh_eth.h +@@ -118,8 +118,8 @@ enum { + TSU_FWSL0, + TSU_FWSL1, + TSU_FWSLC, +- TSU_QTAG0, +- TSU_QTAG1, ++ TSU_QTAG0, /* Same as TSU_QTAGM0 */ ++ TSU_QTAG1, /* Same as TSU_QTAGM1 */ + TSU_QTAGM0, + TSU_QTAGM1, + TSU_FWSR, +-- +2.16.4 + diff --git a/patches.suse/sh_eth-check-sh_eth_cpu_data-dual_port-when-dumping-.patch b/patches.suse/sh_eth-check-sh_eth_cpu_data-dual_port-when-dumping-.patch new file mode 100644 index 0000000..0619ad1 --- /dev/null +++ b/patches.suse/sh_eth-check-sh_eth_cpu_data-dual_port-when-dumping-.patch @@ -0,0 +1,74 @@ +From 3249b1e442a1be1a6b9f1026785b519d1443f807 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Wed, 8 Jan 2020 23:42:42 +0300 +Subject: [PATCH] sh_eth: check sh_eth_cpu_data::dual_port when dumping registers +Git-commit: 3249b1e442a1be1a6b9f1026785b519d1443f807 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +When adding the sh_eth_cpu_data::dual_port flag I forgot to add the flag +checks to __sh_eth_get_regs(), causing the non-existing TSU registers to +be dumped by 'ethtool' on the single port Ether controllers having TSU... + +Fixes: a94cf2a614f8 ("sh_eth: fix TSU init on SH7734/R8A7740") +Signed-off-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/renesas/sh_eth.c | 38 +++++++++++++++++++---------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index e19b49c4013e..3591285250e1 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2204,24 +2204,28 @@ static size_t __sh_eth_get_regs(struct net_device *ndev, u32 *buf) + if (cd->tsu) { + add_tsu_reg(ARSTR); + add_tsu_reg(TSU_CTRST); +- add_tsu_reg(TSU_FWEN0); +- add_tsu_reg(TSU_FWEN1); +- add_tsu_reg(TSU_FCM); +- add_tsu_reg(TSU_BSYSL0); +- add_tsu_reg(TSU_BSYSL1); +- add_tsu_reg(TSU_PRISL0); +- add_tsu_reg(TSU_PRISL1); +- add_tsu_reg(TSU_FWSL0); +- add_tsu_reg(TSU_FWSL1); ++ if (cd->dual_port) { ++ add_tsu_reg(TSU_FWEN0); ++ add_tsu_reg(TSU_FWEN1); ++ add_tsu_reg(TSU_FCM); ++ add_tsu_reg(TSU_BSYSL0); ++ add_tsu_reg(TSU_BSYSL1); ++ add_tsu_reg(TSU_PRISL0); ++ add_tsu_reg(TSU_PRISL1); ++ add_tsu_reg(TSU_FWSL0); ++ add_tsu_reg(TSU_FWSL1); ++ } + add_tsu_reg(TSU_FWSLC); +- add_tsu_reg(TSU_QTAGM0); +- add_tsu_reg(TSU_QTAGM1); +- add_tsu_reg(TSU_FWSR); +- add_tsu_reg(TSU_FWINMK); +- add_tsu_reg(TSU_ADQT0); +- add_tsu_reg(TSU_ADQT1); +- add_tsu_reg(TSU_VTAG0); +- add_tsu_reg(TSU_VTAG1); ++ if (cd->dual_port) { ++ add_tsu_reg(TSU_QTAGM0); ++ add_tsu_reg(TSU_QTAGM1); ++ add_tsu_reg(TSU_FWSR); ++ add_tsu_reg(TSU_FWINMK); ++ add_tsu_reg(TSU_ADQT0); ++ add_tsu_reg(TSU_ADQT1); ++ add_tsu_reg(TSU_VTAG0); ++ add_tsu_reg(TSU_VTAG1); ++ } + add_tsu_reg(TSU_ADSBSY); + add_tsu_reg(TSU_TEN); + add_tsu_reg(TSU_POST1); +-- +2.16.4 + diff --git a/patches.suse/sh_eth-fix-TSU-init-on-SH7734-R8A7740.patch b/patches.suse/sh_eth-fix-TSU-init-on-SH7734-R8A7740.patch new file mode 100644 index 0000000..cc15b78 --- /dev/null +++ b/patches.suse/sh_eth-fix-TSU-init-on-SH7734-R8A7740.patch @@ -0,0 +1,87 @@ +From a94cf2a614f8bc5b2b33c708626ce695bf71e424 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Sat, 24 Feb 2018 22:41:45 +0300 +Subject: [PATCH] sh_eth: fix TSU init on SH7734/R8A7740 +Git-commit: a94cf2a614f8bc5b2b33c708626ce695bf71e424 +Patch-mainline: v4.17-rc1 +References: bsc#1051510 + +It appears that the single port Ether controllers having TSU (like SH7734/ +R8A7740) need the same kind of treating in sh_eth_tsu_init() as R7S72100 +currently has -- they also don't have the TSU registers related e.g. to +passing the frames between ports. Add the 'sh_eth_cpu_data::dual_port' +flag and use it as a new criterion for taking a "short path" in the TSU +init sequence in order to avoid writing to the non-existent registers... + +Fixes: f0e81fecd4f8 ("net: sh_eth: Add support SH7734") +Fixes: 73a0d907301e ("net: sh_eth: add support R8A7740") +Signed-off-by: Sergei Shtylyov +Tested-by: Geert Uytterhoeven +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/renesas/sh_eth.c | 6 +++++- + drivers/net/ethernet/renesas/sh_eth.h | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index 4502ff7bc19f..d3e1bc05ca9c 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -752,6 +752,7 @@ static struct sh_eth_cpu_data sh7757_data = { + .rpadir = 1, + .rpadir_value = 2 << 16, + .rtrate = 1, ++ .dual_port = 1, + }; + + #define SH_GIGA_ETH_BASE 0xfee00000UL +@@ -830,6 +831,7 @@ static struct sh_eth_cpu_data sh7757_data_giga = { + .no_trimd = 1, + .no_ade = 1, + .tsu = 1, ++ .dual_port = 1, + }; + + /* SH7734 */ +@@ -900,6 +902,7 @@ static struct sh_eth_cpu_data sh7763_data = { + .tsu = 1, + .irq_flags = IRQF_SHARED, + .magic = 1, ++ .dual_port = 1, + }; + + static struct sh_eth_cpu_data sh7619_data = { +@@ -932,6 +935,7 @@ static struct sh_eth_cpu_data sh771x_data = { + EESIPR_RRFIP | EESIPR_RTLFIP | EESIPR_RTSFIP | + EESIPR_PREIP | EESIPR_CERFIP, + .tsu = 1, ++ .dual_port = 1, + }; + + static void sh_eth_set_default_cpu_data(struct sh_eth_cpu_data *cd) +@@ -2915,7 +2919,7 @@ static int sh_eth_vlan_rx_kill_vid(struct net_device *ndev, + /* SuperH's TSU register init function */ + static void sh_eth_tsu_init(struct sh_eth_private *mdp) + { +- if (sh_eth_is_rz_fast_ether(mdp)) { ++ if (!mdp->cd->dual_port) { + sh_eth_tsu_write(mdp, 0, TSU_TEN); /* Disable all CAM entry */ + sh_eth_tsu_write(mdp, TSU_FWSLC_POSTENU | TSU_FWSLC_POSTENL, + TSU_FWSLC); /* Enable POST registers */ +diff --git a/drivers/net/ethernet/renesas/sh_eth.h b/drivers/net/ethernet/renesas/sh_eth.h +index 35bfeeb3fcdc..5bbaf9e56e92 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.h ++++ b/drivers/net/ethernet/renesas/sh_eth.h +@@ -509,6 +509,7 @@ struct sh_eth_cpu_data { + unsigned rmiimode:1; /* EtherC has RMIIMODE register */ + unsigned rtrate:1; /* EtherC has RTRATE register */ + unsigned magic:1; /* EtherC has ECMR.MPDE and ECSR.MPD */ ++ unsigned dual_port:1; /* Dual EtherC/E-DMAC */ + }; + + struct sh_eth_private { +-- +2.16.4 + diff --git a/patches.suse/sh_eth-fix-TXALCR1-offsets.patch b/patches.suse/sh_eth-fix-TXALCR1-offsets.patch new file mode 100644 index 0000000..bed27c1 --- /dev/null +++ b/patches.suse/sh_eth-fix-TXALCR1-offsets.patch @@ -0,0 +1,46 @@ +From 50f3d740d376f664f6accc7e86c9afd8f1c7e1e4 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Sun, 7 Jan 2018 00:26:47 +0300 +Subject: [PATCH] sh_eth: fix TXALCR1 offsets +Git-commit: 50f3d740d376f664f6accc7e86c9afd8f1c7e1e4 +Patch-mainline: v4.15-rc8 +References: bsc#1051510 + +The TXALCR1 offsets are incorrect in the register offset tables, most +probably due to copy&paste error. Luckily, the driver never uses this +register. :-) + +Fixes: 4a55530f38e4 ("net: sh_eth: modify the definitions of register") +Signed-off-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/renesas/sh_eth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index f21c1db91c3f..b9e2846589f8 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -147,7 +147,7 @@ static const u16 sh_eth_offset_gigabit[SH_ETH_MAX_REGISTER_OFFSET] = { + [FWNLCR0] = 0x0090, + [FWALCR0] = 0x0094, + [TXNLCR1] = 0x00a0, +- [TXALCR1] = 0x00a0, ++ [TXALCR1] = 0x00a4, + [RXNLCR1] = 0x00a8, + [RXALCR1] = 0x00ac, + [FWNLCR1] = 0x00b0, +@@ -399,7 +399,7 @@ static const u16 sh_eth_offset_fast_sh3_sh2[SH_ETH_MAX_REGISTER_OFFSET] = { + [FWNLCR0] = 0x0090, + [FWALCR0] = 0x0094, + [TXNLCR1] = 0x00a0, +- [TXALCR1] = 0x00a0, ++ [TXALCR1] = 0x00a4, + [RXNLCR1] = 0x00a8, + [RXALCR1] = 0x00ac, + [FWNLCR1] = 0x00b0, +-- +2.16.4 + diff --git a/patches.suse/sh_eth-fix-dumping-ARSTR.patch b/patches.suse/sh_eth-fix-dumping-ARSTR.patch new file mode 100644 index 0000000..722c68e --- /dev/null +++ b/patches.suse/sh_eth-fix-dumping-ARSTR.patch @@ -0,0 +1,39 @@ +From 17d0fb0caa68f2bfd8aaa8125ff15abebfbfa1d7 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Sat, 13 Jan 2018 20:22:01 +0300 +Subject: [PATCH] sh_eth: fix dumping ARSTR +Git-commit: 17d0fb0caa68f2bfd8aaa8125ff15abebfbfa1d7 +Patch-mainline: v4.15-rc9 +References: bsc#1051510 + +ARSTR is always located at the start of the TSU register region, thus +using add_reg() instead of add_tsu_reg() in __sh_eth_get_regs() to dump it +causes EDMR or EDSR (depending on the register layout) to be dumped instead +of ARSTR. Use the correct condition/macro there... + +Fixes: 6b4b4fead342 ("sh_eth: Implement ethtool register dump operations") +Signed-off-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/renesas/sh_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index b9e2846589f8..53924a4fc31c 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2089,8 +2089,8 @@ static size_t __sh_eth_get_regs(struct net_device *ndev, u32 *buf) + add_reg(CSMR); + if (cd->select_mii) + add_reg(RMII_MII); +- add_reg(ARSTR); + if (cd->tsu) { ++ add_tsu_reg(ARSTR); + add_tsu_reg(TSU_CTRST); + add_tsu_reg(TSU_FWEN0); + add_tsu_reg(TSU_FWEN1); +-- +2.16.4 + diff --git a/patches.suse/sh_eth-fix-invalid-context-bug-while-calling-auto-ne.patch b/patches.suse/sh_eth-fix-invalid-context-bug-while-calling-auto-ne.patch new file mode 100644 index 0000000..163a8d5 --- /dev/null +++ b/patches.suse/sh_eth-fix-invalid-context-bug-while-calling-auto-ne.patch @@ -0,0 +1,53 @@ +From 53a710b5044d8475faa6813000b6dd659400ef7b Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy +Date: Wed, 4 Jul 2018 11:12:39 +0300 +Subject: [PATCH] sh_eth: fix invalid context bug while calling auto-negotiation by ethtool +Git-commit: 53a710b5044d8475faa6813000b6dd659400ef7b +Patch-mainline: v4.18-rc6 +References: bsc#1051510 + +Since commit 35b5f6b1a82b ("PHYLIB: Locking fixes for PHY I/O +potentially sleeping") phy_start_aneg() function utilizes a mutex +to serialize changes to phy state, however the helper function is +called in atomic context. + +The bug can be reproduced by running "ethtool -r" command, the bug +is reported if CONFIG_DEBUG_ATOMIC_SLEEP build option is enabled. + +Fixes: dc19e4e5e02f ("sh: sh_eth: Add support ethtool") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/renesas/sh_eth.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index e9007b613f17..e8aca46bb925 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2265,18 +2265,10 @@ static void sh_eth_get_regs(struct net_device *ndev, struct ethtool_regs *regs, + + static int sh_eth_nway_reset(struct net_device *ndev) + { +- struct sh_eth_private *mdp = netdev_priv(ndev); +- unsigned long flags; +- int ret; +- + if (!ndev->phydev) + return -ENODEV; + +- spin_lock_irqsave(&mdp->lock, flags); +- ret = phy_start_aneg(ndev->phydev); +- spin_unlock_irqrestore(&mdp->lock, flags); +- +- return ret; ++ return phy_start_aneg(ndev->phydev); + } + + static u32 sh_eth_get_msglevel(struct net_device *ndev) +-- +2.16.4 + diff --git a/patches.suse/sh_eth-fix-invalid-context-bug-while-changing-link-o.patch b/patches.suse/sh_eth-fix-invalid-context-bug-while-changing-link-o.patch new file mode 100644 index 0000000..9e606e1 --- /dev/null +++ b/patches.suse/sh_eth-fix-invalid-context-bug-while-changing-link-o.patch @@ -0,0 +1,126 @@ +From 5cb3f52a11e18628fc4bee76dd14b1f0b76349de Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy +Date: Wed, 4 Jul 2018 11:12:40 +0300 +Subject: [PATCH] sh_eth: fix invalid context bug while changing link options by ethtool +Git-commit: 5cb3f52a11e18628fc4bee76dd14b1f0b76349de +Patch-mainline: v4.18-rc6 +References: bsc#1051510 + +The change fixes sleep in atomic context bug, which is encountered +every time when link settings are changed by ethtool. + +Since commit 35b5f6b1a82b ("PHYLIB: Locking fixes for PHY I/O +potentially sleeping") phy_start_aneg() function utilizes a mutex +to serialize changes to phy state, however that helper function is +called in atomic context under a grabbed spinlock, because +phy_start_aneg() is called by phy_ethtool_ksettings_set() and by +replaced phy_ethtool_sset() helpers from phylib. + +Now duplex mode setting is enforced in sh_eth_adjust_link() only, +also now RX/TX is disabled when link is put down or modifications +to E-MAC registers ECMR and GECMR are expected for both cases of +checked and ignored link status pin state from E-MAC interrupt handler. + +For reference the change is a partial rework of commit 1e1b812bbe10 +("sh_eth: fix handling of no LINK signal"). + +Fixes: dc19e4e5e02f ("sh: sh_eth: Add support ethtool") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/renesas/sh_eth.c | 49 +++++++++++------------------------ + 1 file changed, 15 insertions(+), 34 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index e8aca46bb925..8e429e865552 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -1927,8 +1927,15 @@ static void sh_eth_adjust_link(struct net_device *ndev) + { + struct sh_eth_private *mdp = netdev_priv(ndev); + struct phy_device *phydev = ndev->phydev; ++ unsigned long flags; + int new_state = 0; + ++ spin_lock_irqsave(&mdp->lock, flags); ++ ++ /* Disable TX and RX right over here, if E-MAC change is ignored */ ++ if (mdp->cd->no_psr || mdp->no_ether_link) ++ sh_eth_rcv_snd_disable(ndev); ++ + if (phydev->link) { + if (phydev->duplex != mdp->duplex) { + new_state = 1; +@@ -1947,18 +1954,21 @@ static void sh_eth_adjust_link(struct net_device *ndev) + sh_eth_modify(ndev, ECMR, ECMR_TXF, 0); + new_state = 1; + mdp->link = phydev->link; +- if (mdp->cd->no_psr || mdp->no_ether_link) +- sh_eth_rcv_snd_enable(ndev); + } + } else if (mdp->link) { + new_state = 1; + mdp->link = 0; + mdp->speed = 0; + mdp->duplex = -1; +- if (mdp->cd->no_psr || mdp->no_ether_link) +- sh_eth_rcv_snd_disable(ndev); + } + ++ /* Enable TX and RX right over here, if E-MAC change is ignored */ ++ if ((mdp->cd->no_psr || mdp->no_ether_link) && phydev->link) ++ sh_eth_rcv_snd_enable(ndev); ++ ++ mmiowb(); ++ spin_unlock_irqrestore(&mdp->lock, flags); ++ + if (new_state && netif_msg_link(mdp)) + phy_print_status(phydev); + } +@@ -2049,39 +2059,10 @@ static int sh_eth_get_link_ksettings(struct net_device *ndev, + static int sh_eth_set_link_ksettings(struct net_device *ndev, + const struct ethtool_link_ksettings *cmd) + { +- struct sh_eth_private *mdp = netdev_priv(ndev); +- unsigned long flags; +- int ret; +- + if (!ndev->phydev) + return -ENODEV; + +- spin_lock_irqsave(&mdp->lock, flags); +- +- /* disable tx and rx */ +- sh_eth_rcv_snd_disable(ndev); +- +- ret = phy_ethtool_ksettings_set(ndev->phydev, cmd); +- if (ret) +- goto error_exit; +- +- if (cmd->base.duplex == DUPLEX_FULL) +- mdp->duplex = 1; +- else +- mdp->duplex = 0; +- +- if (mdp->cd->set_duplex) +- mdp->cd->set_duplex(ndev); +- +-error_exit: +- mdelay(1); +- +- /* enable tx and rx */ +- sh_eth_rcv_snd_enable(ndev); +- +- spin_unlock_irqrestore(&mdp->lock, flags); +- +- return ret; ++ return phy_ethtool_ksettings_set(ndev->phydev, cmd); + } + + /* If it is ever necessary to increase SH_ETH_REG_DUMP_MAX_REGS, the +-- +2.16.4 + diff --git a/patches.suse/soc-renesas-rcar-sysc-Add-goto-to-of_node_put-before.patch b/patches.suse/soc-renesas-rcar-sysc-Add-goto-to-of_node_put-before.patch new file mode 100644 index 0000000..44a8c4f --- /dev/null +++ b/patches.suse/soc-renesas-rcar-sysc-Add-goto-to-of_node_put-before.patch @@ -0,0 +1,44 @@ +From da51ceda8ab054bf3b4c5cf86a8deec7d7849a5c Mon Sep 17 00:00:00 2001 +From: Nishka Dasgupta +Date: Thu, 15 Aug 2019 11:43:54 +0530 +Subject: [PATCH] soc: renesas: rcar-sysc: Add goto to of_node_put() before return +Git-commit: da51ceda8ab054bf3b4c5cf86a8deec7d7849a5c +Patch-mainline: v5.4-rc1 +References: bsc#1051510 + +The local variable np in function rcar_sysc_pd_init takes the return +value of of_find_matching_node_and_match(), which gets a node but does +not put it. If np is not put before the function returns, it may cause +a memory leak. + +Hence, remove the return statement that does not immediately follow a +putting of np. Replace it with a goto pointing to a pre-existing label +that first puts np and then returns the required value. + +Issue found with Coccinelle. + +Fixes: afa6f53df6052968 ("soc: renesas: rcar-sysc: Add support for fixing up power area tables") +Signed-off-by: Nishka Dasgupta +Signed-off-by: Geert Uytterhoeven +Acked-by: Takashi Iwai + +--- + drivers/soc/renesas/rcar-sysc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/renesas/rcar-sysc.c b/drivers/soc/renesas/rcar-sysc.c +index 02b29ea62dc4..54baa2fe8527 100644 +--- a/drivers/soc/renesas/rcar-sysc.c ++++ b/drivers/soc/renesas/rcar-sysc.c +@@ -346,7 +346,7 @@ static int __init rcar_sysc_pd_init(void) + if (info->init) { + error = info->init(); + if (error) +- return error; ++ goto out_put; + } + + has_cpg_mstp = of_find_compatible_node(NULL, NULL, +-- +2.16.4 + diff --git a/patches.suse/soc-tegra-fuse-Correct-straps-address-for-older-Tegr.patch b/patches.suse/soc-tegra-fuse-Correct-straps-address-for-older-Tegr.patch new file mode 100644 index 0000000..ca8cf61 --- /dev/null +++ b/patches.suse/soc-tegra-fuse-Correct-straps-address-for-older-Tegr.patch @@ -0,0 +1,37 @@ +From 2d9ea1934f8ef0dfb862d103389562cc28b4fc03 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Wed, 18 Dec 2019 21:23:03 +0300 +Subject: [PATCH] soc/tegra: fuse: Correct straps' address for older Tegra124 device trees +Git-commit: 2d9ea1934f8ef0dfb862d103389562cc28b4fc03 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Trying to read out Chip ID before APBMISC registers are mapped won't +succeed, in a result Tegra124 gets a wrong address for the HW straps +register if machine uses an old outdated device tree. + +Fixes: 297c4f3dcbff ("soc/tegra: fuse: Restrict legacy code to 32-bit ARM") +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Acked-by: Takashi Iwai + +--- + drivers/soc/tegra/fuse/tegra-apbmisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/tegra/fuse/tegra-apbmisc.c b/drivers/soc/tegra/fuse/tegra-apbmisc.c +index 3a787a30c3b1..6259390f68f4 100644 +--- a/drivers/soc/tegra/fuse/tegra-apbmisc.c ++++ b/drivers/soc/tegra/fuse/tegra-apbmisc.c +@@ -121,7 +121,7 @@ void __init tegra_init_apbmisc(void) + apbmisc.flags = IORESOURCE_MEM; + + /* strapping options */ +- if (tegra_get_chip_id() == TEGRA124) { ++ if (of_machine_is_compatible("nvidia,tegra124")) { + straps.start = 0x7000e864; + straps.end = 0x7000e867; + } else { +-- +2.16.4 + diff --git a/patches.suse/soc-ti-wkup_m3_ipc-Fix-race-condition-with-rproc_boo.patch b/patches.suse/soc-ti-wkup_m3_ipc-Fix-race-condition-with-rproc_boo.patch new file mode 100644 index 0000000..99d309c --- /dev/null +++ b/patches.suse/soc-ti-wkup_m3_ipc-Fix-race-condition-with-rproc_boo.patch @@ -0,0 +1,55 @@ +From 03729cfa0d543bc996bf959e762ec999afc8f3d2 Mon Sep 17 00:00:00 2001 +From: Dave Gerlach +Date: Wed, 11 Dec 2019 22:03:14 -0600 +Subject: [PATCH] soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot +Git-commit: 03729cfa0d543bc996bf959e762ec999afc8f3d2 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +Any user of wkup_m3_ipc calls wkup_m3_ipc_get to get a handle and this +checks the value of the static variable m3_ipc_state to see if the +wkup_m3 is ready. Currently this is populated during probe before +rproc_boot has been called, meaning there is a window of time that +wkup_m3_ipc_get can return a valid handle but the wkup_m3 itself is not +ready, leading to invalid IPC calls to the wkup_m3 and system +instability. + +To avoid this, move the population of the m3_ipc_state variable until +after rproc_boot has succeeded to guarantee a valid and usable handle +is always returned. + +Reported-by: Suman Anna +Signed-off-by: Dave Gerlach +Acked-by: Santosh Shilimkar +Signed-off-by: Tony Lindgren +Acked-by: Takashi Iwai + +--- + drivers/soc/ti/wkup_m3_ipc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/ti/wkup_m3_ipc.c b/drivers/soc/ti/wkup_m3_ipc.c +index 378369d9364a..e9ece45d7a33 100644 +--- a/drivers/soc/ti/wkup_m3_ipc.c ++++ b/drivers/soc/ti/wkup_m3_ipc.c +@@ -419,6 +419,8 @@ static void wkup_m3_rproc_boot_thread(struct wkup_m3_ipc *m3_ipc) + ret = rproc_boot(m3_ipc->rproc); + if (ret) + dev_err(dev, "rproc_boot failed\n"); ++ else ++ m3_ipc_state = m3_ipc; + + do_exit(0); + } +@@ -505,8 +507,6 @@ static int wkup_m3_ipc_probe(struct platform_device *pdev) + goto err_put_rproc; + } + +- m3_ipc_state = m3_ipc; +- + return 0; + + err_put_rproc: +-- +2.16.4 + diff --git a/patches.suse/spi-tegra114-clear-packed-bit-for-unpacked-mode.patch b/patches.suse/spi-tegra114-clear-packed-bit-for-unpacked-mode.patch new file mode 100644 index 0000000..befed3d --- /dev/null +++ b/patches.suse/spi-tegra114-clear-packed-bit-for-unpacked-mode.patch @@ -0,0 +1,38 @@ +From 7b3d10cdf54b8bc1dc0da21faed9789ac4da3684 Mon Sep 17 00:00:00 2001 +From: Sowjanya Komatineni +Date: Tue, 26 Mar 2019 22:56:23 -0700 +Subject: [PATCH] spi: tegra114: clear packed bit for unpacked mode +Git-commit: 7b3d10cdf54b8bc1dc0da21faed9789ac4da3684 +Patch-mainline: v5.2-rc1 +References: bsc#1051510 + +Fixes: Clear packed bit when not using packed mode. + +Packed bit is not cleared when not using packed mode. This results +in transfer timeouts for the unpacked mode transfers followed by the +packed mode transfers. + +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-tegra114.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c +index a76acedd7e2f..1435792944c4 100644 +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -730,6 +730,8 @@ static int tegra_spi_start_transfer_one(struct spi_device *spi, + + if (tspi->is_packed) + command1 |= SPI_PACKED; ++ else ++ command1 &= ~SPI_PACKED; + + command1 &= ~(SPI_CS_SEL_MASK | SPI_TX_EN | SPI_RX_EN); + tspi->cur_direction = 0; +-- +2.16.4 + diff --git a/patches.suse/spi-tegra114-configure-dma-burst-size-to-fifo-trig-l.patch b/patches.suse/spi-tegra114-configure-dma-burst-size-to-fifo-trig-l.patch new file mode 100644 index 0000000..30e7e49 --- /dev/null +++ b/patches.suse/spi-tegra114-configure-dma-burst-size-to-fifo-trig-l.patch @@ -0,0 +1,135 @@ +From f4ce428c41fb22e3ed55496dded94df44cb920fa Mon Sep 17 00:00:00 2001 +From: Sowjanya Komatineni +Date: Tue, 26 Mar 2019 22:56:29 -0700 +Subject: [PATCH] spi: tegra114: configure dma burst size to fifo trig level +Git-commit: f4ce428c41fb22e3ed55496dded94df44cb920fa +Patch-mainline: v5.2-rc1 +References: bsc#1051510 + +Fixes: Configure DMA burst size to be same as SPI TX/RX trigger levels +to avoid mismatch. + +SPI FIFO trigger levels are calculated based on the transfer length. +So this patch moves DMA slave configuration to happen before start +of DMAs. + +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-tegra114.c | 52 ++++++++++++++++++++++++++-------------------- + 1 file changed, 30 insertions(+), 22 deletions(-) + +diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c +index 28aa080a94ff..05bb2f9bff3c 100644 +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -529,6 +529,8 @@ static int tegra_spi_start_dma_based_transfer( + u32 val; + unsigned int len; + int ret = 0; ++ u8 dma_burst; ++ struct dma_slave_config dma_sconfig = {0}; + + val = SPI_DMA_BLK_SET(tspi->curr_dma_words - 1); + tegra_spi_writel(tspi, val, SPI_DMA_BLK); +@@ -540,12 +542,16 @@ static int tegra_spi_start_dma_based_transfer( + len = tspi->curr_dma_words * 4; + + /* Set attention level based on length of transfer */ +- if (len & 0xF) ++ if (len & 0xF) { + val |= SPI_TX_TRIG_1 | SPI_RX_TRIG_1; +- else if (((len) >> 4) & 0x1) ++ dma_burst = 1; ++ } else if (((len) >> 4) & 0x1) { + val |= SPI_TX_TRIG_4 | SPI_RX_TRIG_4; +- else ++ dma_burst = 4; ++ } else { + val |= SPI_TX_TRIG_8 | SPI_RX_TRIG_8; ++ dma_burst = 8; ++ } + + if (tspi->cur_direction & DATA_DIR_TX) + val |= SPI_IE_TX; +@@ -556,7 +562,18 @@ static int tegra_spi_start_dma_based_transfer( + tegra_spi_writel(tspi, val, SPI_DMA_CTL); + tspi->dma_control_reg = val; + ++ dma_sconfig.device_fc = true; + if (tspi->cur_direction & DATA_DIR_TX) { ++ dma_sconfig.dst_addr = tspi->phys + SPI_TX_FIFO; ++ dma_sconfig.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; ++ dma_sconfig.dst_maxburst = dma_burst; ++ ret = dmaengine_slave_config(tspi->tx_dma_chan, &dma_sconfig); ++ if (ret < 0) { ++ dev_err(tspi->dev, ++ "DMA slave config failed: %d\n", ret); ++ return ret; ++ } ++ + tegra_spi_copy_client_txbuf_to_spi_txbuf(tspi, t); + ret = tegra_spi_start_tx_dma(tspi, len); + if (ret < 0) { +@@ -567,6 +584,16 @@ static int tegra_spi_start_dma_based_transfer( + } + + if (tspi->cur_direction & DATA_DIR_RX) { ++ dma_sconfig.src_addr = tspi->phys + SPI_RX_FIFO; ++ dma_sconfig.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; ++ dma_sconfig.src_maxburst = dma_burst; ++ ret = dmaengine_slave_config(tspi->rx_dma_chan, &dma_sconfig); ++ if (ret < 0) { ++ dev_err(tspi->dev, ++ "DMA slave config failed: %d\n", ret); ++ return ret; ++ } ++ + /* Make the dma buffer to read by dma */ + dma_sync_single_for_device(tspi->dev, tspi->rx_dma_phys, + tspi->dma_buf_size, DMA_FROM_DEVICE); +@@ -626,7 +653,6 @@ static int tegra_spi_init_dma_param(struct tegra_spi_data *tspi, + u32 *dma_buf; + dma_addr_t dma_phys; + int ret; +- struct dma_slave_config dma_sconfig; + + dma_chan = dma_request_slave_channel_reason(tspi->dev, + dma_to_memory ? "rx" : "tx"); +@@ -646,19 +672,6 @@ static int tegra_spi_init_dma_param(struct tegra_spi_data *tspi, + return -ENOMEM; + } + +- if (dma_to_memory) { +- dma_sconfig.src_addr = tspi->phys + SPI_RX_FIFO; +- dma_sconfig.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +- dma_sconfig.src_maxburst = 0; +- } else { +- dma_sconfig.dst_addr = tspi->phys + SPI_TX_FIFO; +- dma_sconfig.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +- dma_sconfig.dst_maxburst = 0; +- } +- +- ret = dmaengine_slave_config(dma_chan, &dma_sconfig); +- if (ret) +- goto scrub; + if (dma_to_memory) { + tspi->rx_dma_chan = dma_chan; + tspi->rx_dma_buf = dma_buf; +@@ -669,11 +682,6 @@ static int tegra_spi_init_dma_param(struct tegra_spi_data *tspi, + tspi->tx_dma_phys = dma_phys; + } + return 0; +- +-scrub: +- dma_free_coherent(tspi->dev, tspi->dma_buf_size, dma_buf, dma_phys); +- dma_release_channel(dma_chan); +- return ret; + } + + static void tegra_spi_deinit_dma_param(struct tegra_spi_data *tspi, +-- +2.16.4 + diff --git a/patches.suse/spi-tegra114-fix-for-unpacked-mode-transfers.patch b/patches.suse/spi-tegra114-fix-for-unpacked-mode-transfers.patch new file mode 100644 index 0000000..9b2ca75 --- /dev/null +++ b/patches.suse/spi-tegra114-fix-for-unpacked-mode-transfers.patch @@ -0,0 +1,164 @@ +From 1a89ac5b91895127f7c586ec5075c3753ca25501 Mon Sep 17 00:00:00 2001 +From: Sowjanya Komatineni +Date: Tue, 26 Mar 2019 22:56:24 -0700 +Subject: [PATCH] spi: tegra114: fix for unpacked mode transfers +Git-commit: 1a89ac5b91895127f7c586ec5075c3753ca25501 +Patch-mainline: v5.2-rc1 +References: bsc#1051510 + +Fixes: computation of actual bytes to fill/receive in/from FIFO in unpacked +mode when transfer length is not a multiple of requested bits per word. + +unpacked mode transfers fails when the transfer includes partial bytes in +the last word. + +Total words to be written/read to/from FIFO is computed based on transfer +length and bits per word. Unpacked mode includes 0 padding bytes for partial +words to align with bits per word and these extra bytes are also accounted +for calculating bytes left to transfer in the current driver. + +This causes extra bytes access of tx/rx buffers along with buffer index +position crossing actual length where remain_len becomes negative and due to +unsigned type, negative value is a 32 bit representation of signed value +and transferred bytes never meets the actual transfer length resulting in +transfer timeout and a hang. + +This patch fixes this with proper computation of the actual bytes to fill in +FIFO during transmit and the actual bytes to read from FIFO during receive +ignoring 0 padded bytes. + +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-tegra114.c | 43 ++++++++++++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 7 deletions(-) + +diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c +index 1435792944c4..876eb2acdef1 100644 +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -307,10 +307,16 @@ static unsigned tegra_spi_fill_tx_fifo_from_client_txbuf( + x |= (u32)(*tx_buf++) << (i * 8); + tegra_spi_writel(tspi, x, SPI_TX_FIFO); + } ++ ++ tspi->cur_tx_pos += written_words * tspi->bytes_per_word; + } else { ++ unsigned int write_bytes; + max_n_32bit = min(tspi->curr_dma_words, tx_empty_count); + written_words = max_n_32bit; + nbytes = written_words * tspi->bytes_per_word; ++ if (nbytes > t->len - tspi->cur_pos) ++ nbytes = t->len - tspi->cur_pos; ++ write_bytes = nbytes; + for (count = 0; count < max_n_32bit; count++) { + u32 x = 0; + +@@ -319,8 +325,10 @@ static unsigned tegra_spi_fill_tx_fifo_from_client_txbuf( + x |= (u32)(*tx_buf++) << (i * 8); + tegra_spi_writel(tspi, x, SPI_TX_FIFO); + } ++ ++ tspi->cur_tx_pos += write_bytes; + } +- tspi->cur_tx_pos += written_words * tspi->bytes_per_word; ++ + return written_words; + } + +@@ -344,20 +352,27 @@ static unsigned int tegra_spi_read_rx_fifo_to_client_rxbuf( + for (i = 0; len && (i < 4); i++, len--) + *rx_buf++ = (x >> i*8) & 0xFF; + } +- tspi->cur_rx_pos += tspi->curr_dma_words * tspi->bytes_per_word; + read_words += tspi->curr_dma_words; ++ tspi->cur_rx_pos += tspi->curr_dma_words * tspi->bytes_per_word; + } else { + u32 rx_mask = ((u32)1 << t->bits_per_word) - 1; ++ u8 bytes_per_word = tspi->bytes_per_word; ++ unsigned int read_bytes; + ++ len = rx_full_count * bytes_per_word; ++ if (len > t->len - tspi->cur_pos) ++ len = t->len - tspi->cur_pos; ++ read_bytes = len; + for (count = 0; count < rx_full_count; count++) { + u32 x = tegra_spi_readl(tspi, SPI_RX_FIFO) & rx_mask; + +- for (i = 0; (i < tspi->bytes_per_word); i++) ++ for (i = 0; len && (i < bytes_per_word); i++, len--) + *rx_buf++ = (x >> (i*8)) & 0xFF; + } +- tspi->cur_rx_pos += rx_full_count * tspi->bytes_per_word; + read_words += rx_full_count; ++ tspi->cur_rx_pos += read_bytes; + } ++ + return read_words; + } + +@@ -372,12 +387,17 @@ static void tegra_spi_copy_client_txbuf_to_spi_txbuf( + unsigned len = tspi->curr_dma_words * tspi->bytes_per_word; + + memcpy(tspi->tx_dma_buf, t->tx_buf + tspi->cur_pos, len); ++ tspi->cur_tx_pos += tspi->curr_dma_words * tspi->bytes_per_word; + } else { + unsigned int i; + unsigned int count; + u8 *tx_buf = (u8 *)t->tx_buf + tspi->cur_tx_pos; + unsigned consume = tspi->curr_dma_words * tspi->bytes_per_word; ++ unsigned int write_bytes; + ++ if (consume > t->len - tspi->cur_pos) ++ consume = t->len - tspi->cur_pos; ++ write_bytes = consume; + for (count = 0; count < tspi->curr_dma_words; count++) { + u32 x = 0; + +@@ -386,8 +406,9 @@ static void tegra_spi_copy_client_txbuf_to_spi_txbuf( + x |= (u32)(*tx_buf++) << (i * 8); + tspi->tx_dma_buf[count] = x; + } ++ ++ tspi->cur_tx_pos += write_bytes; + } +- tspi->cur_tx_pos += tspi->curr_dma_words * tspi->bytes_per_word; + + /* Make the dma buffer to read by dma */ + dma_sync_single_for_device(tspi->dev, tspi->tx_dma_phys, +@@ -405,20 +426,28 @@ static void tegra_spi_copy_spi_rxbuf_to_client_rxbuf( + unsigned len = tspi->curr_dma_words * tspi->bytes_per_word; + + memcpy(t->rx_buf + tspi->cur_rx_pos, tspi->rx_dma_buf, len); ++ tspi->cur_rx_pos += tspi->curr_dma_words * tspi->bytes_per_word; + } else { + unsigned int i; + unsigned int count; + unsigned char *rx_buf = t->rx_buf + tspi->cur_rx_pos; + u32 rx_mask = ((u32)1 << t->bits_per_word) - 1; ++ unsigned consume = tspi->curr_dma_words * tspi->bytes_per_word; ++ unsigned int read_bytes; + ++ if (consume > t->len - tspi->cur_pos) ++ consume = t->len - tspi->cur_pos; ++ read_bytes = consume; + for (count = 0; count < tspi->curr_dma_words; count++) { + u32 x = tspi->rx_dma_buf[count] & rx_mask; + +- for (i = 0; (i < tspi->bytes_per_word); i++) ++ for (i = 0; consume && (i < tspi->bytes_per_word); ++ i++, consume--) + *rx_buf++ = (x >> (i*8)) & 0xFF; + } ++ ++ tspi->cur_rx_pos += read_bytes; + } +- tspi->cur_rx_pos += tspi->curr_dma_words * tspi->bytes_per_word; + + /* Make the dma buffer to read by dma */ + dma_sync_single_for_device(tspi->dev, tspi->rx_dma_phys, +-- +2.16.4 + diff --git a/patches.suse/spi-tegra114-flush-fifos.patch b/patches.suse/spi-tegra114-flush-fifos.patch new file mode 100644 index 0000000..bdddede --- /dev/null +++ b/patches.suse/spi-tegra114-flush-fifos.patch @@ -0,0 +1,107 @@ +From c4fc9e5b28ff787e35137c2cc13316bb11d7657b Mon Sep 17 00:00:00 2001 +From: Sowjanya Komatineni +Date: Tue, 26 Mar 2019 22:56:28 -0700 +Subject: [PATCH] spi: tegra114: flush fifos +Git-commit: c4fc9e5b28ff787e35137c2cc13316bb11d7657b +Patch-mainline: v5.2-rc1 +References: bsc#1051510 + +Fixes: Flush TX and RX FIFOs before start of new transfer and on FIFO +overflow or underrun errors. + +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-tegra114.c | 39 ++++++++++++++++++++++++++++++--------- + 1 file changed, 30 insertions(+), 9 deletions(-) + +diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c +index a6153b905d1a..28aa080a94ff 100644 +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -499,22 +499,37 @@ static int tegra_spi_start_rx_dma(struct tegra_spi_data *tspi, int len) + return 0; + } + +-static int tegra_spi_start_dma_based_transfer( +- struct tegra_spi_data *tspi, struct spi_transfer *t) ++static int tegra_spi_flush_fifos(struct tegra_spi_data *tspi) + { +- u32 val; +- unsigned int len; +- int ret = 0; ++ unsigned long timeout = jiffies + HZ; + u32 status; + +- /* Make sure that Rx and Tx fifo are empty */ + status = tegra_spi_readl(tspi, SPI_FIFO_STATUS); + if ((status & SPI_FIFO_EMPTY) != SPI_FIFO_EMPTY) { +- dev_err(tspi->dev, "Rx/Tx fifo are not empty status 0x%08x\n", +- (unsigned)status); +- return -EIO; ++ status |= SPI_RX_FIFO_FLUSH | SPI_TX_FIFO_FLUSH; ++ tegra_spi_writel(tspi, status, SPI_FIFO_STATUS); ++ while ((status & SPI_FIFO_EMPTY) != SPI_FIFO_EMPTY) { ++ status = tegra_spi_readl(tspi, SPI_FIFO_STATUS); ++ if (time_after(jiffies, timeout)) { ++ dev_err(tspi->dev, ++ "timeout waiting for fifo flush\n"); ++ return -EIO; ++ } ++ ++ udelay(1); ++ } + } + ++ return 0; ++} ++ ++static int tegra_spi_start_dma_based_transfer( ++ struct tegra_spi_data *tspi, struct spi_transfer *t) ++{ ++ u32 val; ++ unsigned int len; ++ int ret = 0; ++ + val = SPI_DMA_BLK_SET(tspi->curr_dma_words - 1); + tegra_spi_writel(tspi, val, SPI_DMA_BLK); + +@@ -779,6 +794,9 @@ static int tegra_spi_start_transfer_one(struct spi_device *spi, + dev_dbg(tspi->dev, "The def 0x%x and written 0x%x\n", + tspi->def_command1_reg, (unsigned)command1); + ++ ret = tegra_spi_flush_fifos(tspi); ++ if (ret < 0) ++ return ret; + if (total_fifo_words > SPI_FIFO_DEPTH) + ret = tegra_spi_start_dma_based_transfer(tspi, t); + else +@@ -876,6 +894,7 @@ static int tegra_spi_transfer_one_message(struct spi_master *master, + (tspi->cur_direction & DATA_DIR_RX)) + dmaengine_terminate_all(tspi->rx_dma_chan); + ret = -EIO; ++ tegra_spi_flush_fifos(tspi); + reset_control_assert(tspi->rst); + udelay(2); + reset_control_deassert(tspi->rst); +@@ -929,6 +948,7 @@ static irqreturn_t handle_cpu_based_xfer(struct tegra_spi_data *tspi) + tspi->status_reg); + dev_err(tspi->dev, "CpuXfer 0x%08x:0x%08x\n", + tspi->command1_reg, tspi->dma_control_reg); ++ tegra_spi_flush_fifos(tspi); + reset_control_assert(tspi->rst); + udelay(2); + reset_control_deassert(tspi->rst); +@@ -1001,6 +1021,7 @@ static irqreturn_t handle_dma_based_xfer(struct tegra_spi_data *tspi) + tspi->status_reg); + dev_err(tspi->dev, "DmaXfer 0x%08x:0x%08x\n", + tspi->command1_reg, tspi->dma_control_reg); ++ tegra_spi_flush_fifos(tspi); + reset_control_assert(tspi->rst); + udelay(2); + reset_control_deassert(tspi->rst); +-- +2.16.4 + diff --git a/patches.suse/spi-tegra114-terminate-dma-and-reset-on-transfer-tim.patch b/patches.suse/spi-tegra114-terminate-dma-and-reset-on-transfer-tim.patch new file mode 100644 index 0000000..9dc7373 --- /dev/null +++ b/patches.suse/spi-tegra114-terminate-dma-and-reset-on-transfer-tim.patch @@ -0,0 +1,43 @@ +From 32bd1a9551cae34e6889afa235c7afdfede9aeac Mon Sep 17 00:00:00 2001 +From: Sowjanya Komatineni +Date: Tue, 26 Mar 2019 22:56:27 -0700 +Subject: [PATCH] spi: tegra114: terminate dma and reset on transfer timeout +Git-commit: 32bd1a9551cae34e6889afa235c7afdfede9aeac +Patch-mainline: v5.2-rc1 +References: bsc#1051510 + +Fixes: terminate DMA and perform controller reset on transfer timeout +to clear the FIFO's and errors. + +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-tegra114.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c +index 876eb2acdef1..a6153b905d1a 100644 +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -869,7 +869,16 @@ static int tegra_spi_transfer_one_message(struct spi_master *master, + if (WARN_ON(ret == 0)) { + dev_err(tspi->dev, + "spi transfer timeout, err %d\n", ret); ++ if (tspi->is_curr_dma_xfer && ++ (tspi->cur_direction & DATA_DIR_TX)) ++ dmaengine_terminate_all(tspi->tx_dma_chan); ++ if (tspi->is_curr_dma_xfer && ++ (tspi->cur_direction & DATA_DIR_RX)) ++ dmaengine_terminate_all(tspi->rx_dma_chan); + ret = -EIO; ++ reset_control_assert(tspi->rst); ++ udelay(2); ++ reset_control_deassert(tspi->rst); + goto complete_xfer; + } + +-- +2.16.4 + diff --git a/patches.suse/sr_vendor-support-Beurer-GL50-evo-CD-on-a-chip-devic.patch b/patches.suse/sr_vendor-support-Beurer-GL50-evo-CD-on-a-chip-devic.patch new file mode 100644 index 0000000..2849d84 --- /dev/null +++ b/patches.suse/sr_vendor-support-Beurer-GL50-evo-CD-on-a-chip-devic.patch @@ -0,0 +1,68 @@ +From 396bbe1427828be1025fb052b7e04b42f421352d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?= +Date: Tue, 19 Nov 2019 21:37:09 +0000 +Subject: [PATCH] sr_vendor: support Beurer GL50 evo CD-on-a-chip devices. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +References: boo#1164632 +Patch-mainline: v5.5-rc1 +Git-commit: 396bbe1427828be1025fb052b7e04b42f421352d + +The Beurer GL50 evo uses a Cygnal-manufactured CD-on-a-chip that only +accepts a subset of SCSI commands, and supports neither audio commands +nor generic packet commands. + +Actually sending those commands bring the device to an unrecoverable +state that causes the device to hang and reset. + +To: Jens Axboe +Cc: linux-kernel@vger.kernel.org +Cc: linux-scsi@vger.kernel.org +Signed-off-by: Diego Elio Pettenò +Signed-off-by: Jens Axboe +Acked-by: Michal Suchanek +--- + drivers/scsi/sr_vendor.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/scsi/sr_vendor.c b/drivers/scsi/sr_vendor.c +index e3b0ce25162b..17a56c87d383 100644 +--- a/drivers/scsi/sr_vendor.c ++++ b/drivers/scsi/sr_vendor.c +@@ -61,6 +61,7 @@ + #define VENDOR_NEC 2 + #define VENDOR_TOSHIBA 3 + #define VENDOR_WRITER 4 /* pre-scsi3 writers */ ++#define VENDOR_CYGNAL_85ED 5 /* CD-on-a-chip */ + + #define VENDOR_TIMEOUT 30*HZ + +@@ -99,6 +100,23 @@ void sr_vendor_init(Scsi_CD *cd) + } else if (!strncmp(vendor, "TOSHIBA", 7)) { + cd->vendor = VENDOR_TOSHIBA; + ++ } else if (!strncmp(vendor, "Beurer", 6) && ++ !strncmp(model, "Gluco Memory", 12)) { ++ /* The Beurer GL50 evo uses a Cygnal-manufactured CD-on-a-chip ++ that only accepts a subset of SCSI commands. Most of the ++ not-implemented commands are fine to fail, but a few, ++ particularly around the MMC or Audio commands, will put the ++ device into an unrecoverable state, so they need to be ++ avoided at all costs. ++ */ ++ cd->vendor = VENDOR_CYGNAL_85ED; ++ cd->cdi.mask |= ( ++ CDC_MULTI_SESSION | ++ CDC_CLOSE_TRAY | CDC_OPEN_TRAY | ++ CDC_LOCK | ++ CDC_GENERIC_PACKET | ++ CDC_PLAY_AUDIO ++ ); + } + #endif + } +-- +2.23.0 + diff --git a/patches.suse/stacktrace-get-rid-of-unneeded-pattern.patch b/patches.suse/stacktrace-get-rid-of-unneeded-pattern.patch index 0e3c86b..36d9f6d 100644 --- a/patches.suse/stacktrace-get-rid-of-unneeded-pattern.patch +++ b/patches.suse/stacktrace-get-rid-of-unneeded-pattern.patch @@ -3,7 +3,7 @@ Date: Mon, 11 Nov 2019 10:26:47 +0100 Subject: stacktrace: Get rid of unneeded '!!' pattern Git-commit: 4b48512c2e9c63b62d7da23563cdb224b4d61d72 Patch-mainline: v5.5-rc1 -References: jsc#SLE-11178 +References: jsc#SLE-11177 My commit b0c51f158455 ("stacktrace: Don't skip first entry on noncurrent tasks") adds one or zero to skipnr by "!!(current == tsk)". diff --git a/patches.suse/staging-comedi-adv_pci1710-fix-AI-channels-16-31-for.patch b/patches.suse/staging-comedi-adv_pci1710-fix-AI-channels-16-31-for.patch new file mode 100644 index 0000000..8265e2b --- /dev/null +++ b/patches.suse/staging-comedi-adv_pci1710-fix-AI-channels-16-31-for.patch @@ -0,0 +1,45 @@ +From a9d3a9cedc1330c720e0ddde1978a8e7771da5ab Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Fri, 27 Dec 2019 17:00:54 +0000 +Subject: [PATCH] staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 +Git-commit: a9d3a9cedc1330c720e0ddde1978a8e7771da5ab +Patch-mainline: v5.5-rc6 +References: bsc#1051510 + +The Advantech PCI-1713 has 32 analog input channels, but an incorrect +bit-mask in the definition of the `PCI171X_MUX_CHANH(x)` and +PCI171X_MUX_CHANL(x)` macros is causing channels 16 to 31 to be aliases +of channels 0 to 15. Change the bit-mask value from 0xf to 0xff to fix +it. Note that the channel numbers will have been range checked already, +so the bit-mask isn't really needed. + +Fixes: 92c65e5553ed ("staging: comedi: adv_pci1710: define the mux control register bits") +Reported-by: Dmytro Fil +Cc: # v4.5+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20191227170054.32051-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/comedi/drivers/adv_pci1710.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/comedi/drivers/adv_pci1710.c b/drivers/staging/comedi/drivers/adv_pci1710.c +index dbff0f7e7cf5..ddc0dc93d08b 100644 +--- a/drivers/staging/comedi/drivers/adv_pci1710.c ++++ b/drivers/staging/comedi/drivers/adv_pci1710.c +@@ -46,8 +46,8 @@ + #define PCI171X_RANGE_UNI BIT(4) + #define PCI171X_RANGE_GAIN(x) (((x) & 0x7) << 0) + #define PCI171X_MUX_REG 0x04 /* W: A/D multiplexor control */ +-#define PCI171X_MUX_CHANH(x) (((x) & 0xf) << 8) +-#define PCI171X_MUX_CHANL(x) (((x) & 0xf) << 0) ++#define PCI171X_MUX_CHANH(x) (((x) & 0xff) << 8) ++#define PCI171X_MUX_CHANL(x) (((x) & 0xff) << 0) + #define PCI171X_MUX_CHAN(x) (PCI171X_MUX_CHANH(x) | PCI171X_MUX_CHANL(x)) + #define PCI171X_STATUS_REG 0x06 /* R: status register */ + #define PCI171X_STATUS_IRQ BIT(11) /* 1=IRQ occurred */ +-- +2.16.4 + diff --git a/patches.suse/staging-rtl8188eu-fix-interface-sanity-check.patch b/patches.suse/staging-rtl8188eu-fix-interface-sanity-check.patch new file mode 100644 index 0000000..bf7cb45 --- /dev/null +++ b/patches.suse/staging-rtl8188eu-fix-interface-sanity-check.patch @@ -0,0 +1,41 @@ +From 74ca34118a0e05793935d804ccffcedd6eb56596 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:47:50 +0100 +Subject: [PATCH] staging: rtl8188eu: fix interface sanity check +Git-commit: 74ca34118a0e05793935d804ccffcedd6eb56596 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: c2478d39076b ("staging: r8188eu: Add files for new driver - part 20") +Cc: stable # 3.12 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210114751.5119-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +index 4fac9dca798e..a7cac0719b8b 100644 +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -70,7 +70,7 @@ static struct dvobj_priv *usb_dvobj_init(struct usb_interface *usb_intf) + phost_conf = pusbd->actconfig; + pconf_desc = &phost_conf->desc; + +- phost_iface = &usb_intf->altsetting[0]; ++ phost_iface = usb_intf->cur_altsetting; + piface_desc = &phost_iface->desc; + + pdvobjpriv->NumInterfaces = pconf_desc->bNumInterfaces; +-- +2.16.4 + diff --git a/patches.suse/staging-vt6656-Fix-false-Tx-excessive-retries-report.patch b/patches.suse/staging-vt6656-Fix-false-Tx-excessive-retries-report.patch new file mode 100644 index 0000000..ac9f550 --- /dev/null +++ b/patches.suse/staging-vt6656-Fix-false-Tx-excessive-retries-report.patch @@ -0,0 +1,44 @@ +From 9dd631fa99dc0a0dfbd191173bf355ba30ea786a Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Wed, 8 Jan 2020 21:41:36 +0000 +Subject: [PATCH] staging: vt6656: Fix false Tx excessive retries reporting. +Git-commit: 9dd631fa99dc0a0dfbd191173bf355ba30ea786a +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +The driver reporting IEEE80211_TX_STAT_ACK is not being handled +correctly. The driver should only report on TSR_TMO flag is not +set indicating no transmission errors and when not IEEE80211_TX_CTL_NO_ACK +is being requested. + +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/340f1f7f-c310-dca5-476f-abc059b9cd97@gmail.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/vt6656/int.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/vt6656/int.c b/drivers/staging/vt6656/int.c +index f40947955675..af215860be4c 100644 +--- a/drivers/staging/vt6656/int.c ++++ b/drivers/staging/vt6656/int.c +@@ -99,9 +99,11 @@ static int vnt_int_report_rate(struct vnt_private *priv, u8 pkt_no, u8 tsr) + + info->status.rates[0].count = tx_retry; + +- if (!(tsr & (TSR_TMO | TSR_RETRYTMO))) { ++ if (!(tsr & TSR_TMO)) { + info->status.rates[0].idx = idx; +- info->flags |= IEEE80211_TX_STAT_ACK; ++ ++ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK)) ++ info->flags |= IEEE80211_TX_STAT_ACK; + } + + ieee80211_tx_status_irqsafe(priv->hw, context->skb); +-- +2.16.4 + diff --git a/patches.suse/staging-vt6656-correct-packet-types-for-CTS-protect-.patch b/patches.suse/staging-vt6656-correct-packet-types-for-CTS-protect-.patch new file mode 100644 index 0000000..cee5790 --- /dev/null +++ b/patches.suse/staging-vt6656-correct-packet-types-for-CTS-protect-.patch @@ -0,0 +1,67 @@ +From d971fdd3412f8342747778fb59b8803720ed82b1 Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Wed, 8 Jan 2020 21:40:58 +0000 +Subject: [PATCH] staging: vt6656: correct packet types for CTS protect, mode. +Git-commit: d971fdd3412f8342747778fb59b8803720ed82b1 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +It appears that the driver still transmits in CTS protect mode even +though it is not enabled in mac80211. + +That is both packet types PK_TYPE_11GA and PK_TYPE_11GB both use CTS protect. +The only difference between them GA does not use B rates. + +Find if only B rate in GB or GA in protect mode otherwise transmit packets +as PK_TYPE_11A. + +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/9c1323ff-dbb3-0eaa-43e1-9453f7390dc0@gmail.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/vt6656/device.h | 2 ++ + drivers/staging/vt6656/rxtx.c | 12 ++++++++---- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/vt6656/device.h b/drivers/staging/vt6656/device.h +index 6074ceda78bf..0a3f98f64916 100644 +--- a/drivers/staging/vt6656/device.h ++++ b/drivers/staging/vt6656/device.h +@@ -52,6 +52,8 @@ + #define RATE_AUTO 12 + + #define MAX_RATE 12 ++#define VNT_B_RATES (BIT(RATE_1M) | BIT(RATE_2M) |\ ++ BIT(RATE_5M) | BIT(RATE_11M)) + + /* + * device specific +diff --git a/drivers/staging/vt6656/rxtx.c b/drivers/staging/vt6656/rxtx.c +index f9020a4f7bbf..39b557511b24 100644 +--- a/drivers/staging/vt6656/rxtx.c ++++ b/drivers/staging/vt6656/rxtx.c +@@ -815,10 +815,14 @@ int vnt_tx_packet(struct vnt_private *priv, struct sk_buff *skb) + if (info->band == NL80211_BAND_5GHZ) { + pkt_type = PK_TYPE_11A; + } else { +- if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT) +- pkt_type = PK_TYPE_11GB; +- else +- pkt_type = PK_TYPE_11GA; ++ if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT) { ++ if (priv->basic_rates & VNT_B_RATES) ++ pkt_type = PK_TYPE_11GB; ++ else ++ pkt_type = PK_TYPE_11GA; ++ } else { ++ pkt_type = PK_TYPE_11A; ++ } + } + } else { + pkt_type = PK_TYPE_11B; +-- +2.16.4 + diff --git a/patches.suse/staging-vt6656-use-NULLFUCTION-stack-on-mac80211.patch b/patches.suse/staging-vt6656-use-NULLFUCTION-stack-on-mac80211.patch new file mode 100644 index 0000000..dfcad6e --- /dev/null +++ b/patches.suse/staging-vt6656-use-NULLFUCTION-stack-on-mac80211.patch @@ -0,0 +1,66 @@ +From d579c43c82f093e63639151625b2139166c730fd Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Wed, 8 Jan 2020 21:41:20 +0000 +Subject: [PATCH] staging: vt6656: use NULLFUCTION stack on mac80211 +Git-commit: d579c43c82f093e63639151625b2139166c730fd +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +It appears that the drivers does not go into power save correctly the +NULL data packets are not being transmitted because it not enabled +in mac80211. + +The driver needs to capture ieee80211_is_nullfunc headers and +copy the duration_id to it's own duration data header. + +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/610971ae-555b-a6c3-61b3-444a0c1e35b4@gmail.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/vt6656/main_usb.c | 1 + + drivers/staging/vt6656/rxtx.c | 14 +++++--------- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/staging/vt6656/main_usb.c ++++ b/drivers/staging/vt6656/main_usb.c +@@ -983,6 +983,7 @@ vt6656_probe(struct usb_interface *intf, + ieee80211_hw_set(priv->hw, RX_INCLUDES_FCS); + ieee80211_hw_set(priv->hw, REPORTS_TX_ACK_STATUS); + ieee80211_hw_set(priv->hw, SUPPORTS_PS); ++ ieee80211_hw_set(priv->hw, PS_NULLFUNC_STACK); + + priv->hw->max_signal = 100; + +--- a/drivers/staging/vt6656/rxtx.c ++++ b/drivers/staging/vt6656/rxtx.c +@@ -277,11 +277,9 @@ static u16 vnt_rxtx_datahead_g(struct vn + PK_TYPE_11B, &buf->b); + + /* Get Duration and TimeStamp */ +- if (ieee80211_is_pspoll(hdr->frame_control)) { +- __le16 dur = cpu_to_le16(priv->current_aid | BIT(14) | BIT(15)); +- +- buf->duration_a = dur; +- buf->duration_b = dur; ++ if (ieee80211_is_nullfunc(hdr->frame_control)) { ++ buf->duration_a = hdr->duration_id; ++ buf->duration_b = hdr->duration_id; + } else { + buf->duration_a = vnt_get_duration_le(priv, + tx_context->pkt_type, need_ack); +@@ -370,10 +368,8 @@ static u16 vnt_rxtx_datahead_ab(struct v + tx_context->pkt_type, &buf->ab); + + /* Get Duration and TimeStampOff */ +- if (ieee80211_is_pspoll(hdr->frame_control)) { +- __le16 dur = cpu_to_le16(priv->current_aid | BIT(14) | BIT(15)); +- +- buf->duration = dur; ++ if (ieee80211_is_nullfunc(hdr->frame_control)) { ++ buf->duration = hdr->duration_id; + } else { + buf->duration = vnt_get_duration_le(priv, tx_context->pkt_type, + need_ack); diff --git a/patches.suse/staging-wlan-ng-ensure-error-return-is-actually-retu.patch b/patches.suse/staging-wlan-ng-ensure-error-return-is-actually-retu.patch new file mode 100644 index 0000000..df1eebd --- /dev/null +++ b/patches.suse/staging-wlan-ng-ensure-error-return-is-actually-retu.patch @@ -0,0 +1,41 @@ +From 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 14 Jan 2020 18:16:04 +0000 +Subject: [PATCH] staging: wlan-ng: ensure error return is actually returned +Git-commit: 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Currently when the call to prism2sta_ifst fails a netdev_err error +is reported, error return variable result is set to -1 but the +function always returns 0 for success. Fix this by returning +the error value in variable result rather than 0. + +Addresses-coverity: ("Unused value") +Fixes: 00b3ed168508 ("Staging: add wlan-ng prism2 usb driver") +Signed-off-by: Colin Ian King +Cc: stable +Link: https://lore.kernel.org/r/20200114181604.390235-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/wlan-ng/prism2mgmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/wlan-ng/prism2mgmt.c b/drivers/staging/wlan-ng/prism2mgmt.c +index 7350fe5d96a3..a8860d2aee68 100644 +--- a/drivers/staging/wlan-ng/prism2mgmt.c ++++ b/drivers/staging/wlan-ng/prism2mgmt.c +@@ -959,7 +959,7 @@ int prism2mgmt_flashdl_state(struct wlandevice *wlandev, void *msgp) + } + } + +- return 0; ++ return result; + } + + /*---------------------------------------------------------------- +-- +2.16.4 + diff --git a/patches.suse/stop_machine-Atomically-queue-and-wake-stopper-threa.patch b/patches.suse/stop_machine-Atomically-queue-and-wake-stopper-threa.patch new file mode 100644 index 0000000..e477290 --- /dev/null +++ b/patches.suse/stop_machine-Atomically-queue-and-wake-stopper-threa.patch @@ -0,0 +1,100 @@ +From cfd355145c32bb7ccb65fccbe2d67280dc2119e1 Mon Sep 17 00:00:00 2001 +From: Prasad Sodagudi +Date: Fri, 3 Aug 2018 13:56:06 -0700 +Subject: [PATCH] stop_machine: Atomically queue and wake stopper threads +References: bsc#1088810, bsc#1161702 +Git-commit: cfd355145c32bb7ccb65fccbe2d67280dc2119e1 +Patch-mainline: v4.19-rc1 + +When cpu_stop_queue_work() releases the lock for the stopper +thread that was queued into its wake queue, preemption is +enabled, which leads to the following deadlock: + +CPU0 CPU1 +sched_setaffinity(0, ...) +__set_cpus_allowed_ptr() +stop_one_cpu(0, ...) stop_two_cpus(0, 1, ...) +cpu_stop_queue_work(0, ...) cpu_stop_queue_two_works(0, ..., 1, ...) + +-grabs lock for migration/0- + -spins with preemption disabled, + waiting for migration/0's lock to be + released- + +-adds work items for migration/0 +and queues migration/0 to its +wake_q- + +-releases lock for migration/0 + and preemption is enabled- + +-current thread is preempted, +and __set_cpus_allowed_ptr +has changed the thread's +cpu allowed mask to CPU1 only- + + -acquires migration/0 and migration/1's + locks- + + -adds work for migration/0 but does not + add migration/0 to wake_q, since it is + already in a wake_q- + + -adds work for migration/1 and adds + migration/1 to its wake_q- + + -releases migration/0 and migration/1's + locks, wakes migration/1, and enables + preemption- + + -since migration/1 is requested to run, + migration/1 begins to run and waits on + migration/0, but migration/0 will never + be able to run, since the thread that + can wake it is affine to CPU1- + +Disable preemption in cpu_stop_queue_work() before queueing works for +stopper threads, and queueing the stopper thread in the wake queue, to +ensure that the operation of queueing the works and waking the stopper +threads is atomic. + +Fixes: 0b26351b910f ("stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock") +Signed-off-by: Prasad Sodagudi +Signed-off-by: Isaac J. Manjarres +Signed-off-by: Thomas Gleixner +Cc: peterz@infradead.org +Cc: matt@codeblueprint.co.uk +Cc: bigeasy@linutronix.de +Cc: gregkh@linuxfoundation.org +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1533329766-4856-1-git-send-email-isaacm@codeaurora.org + +Co-Developed-by: Isaac J. Manjarres +Signed-off-by: Thomas Abraham +--- + kernel/stop_machine.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/stop_machine.c b/kernel/stop_machine.c +index e190d1ef3a23..69eb76daed34 100644 +--- a/kernel/stop_machine.c ++++ b/kernel/stop_machine.c +@@ -81,6 +81,7 @@ static bool cpu_stop_queue_work(unsigned int cpu, struct cpu_stop_work *work) + unsigned long flags; + bool enabled; + ++ preempt_disable(); + spin_lock_irqsave(&stopper->lock, flags); + enabled = stopper->enabled; + if (enabled) +@@ -90,6 +91,7 @@ static bool cpu_stop_queue_work(unsigned int cpu, struct cpu_stop_work *work) + spin_unlock_irqrestore(&stopper->lock, flags); + + wake_up_q(&wakeq); ++ preempt_enable(); + + return enabled; + } +-- +2.16.4 + diff --git a/patches.suse/stop_machine-Disable-preemption-after-queueing-stopp.patch b/patches.suse/stop_machine-Disable-preemption-after-queueing-stopp.patch new file mode 100644 index 0000000..cbbe529 --- /dev/null +++ b/patches.suse/stop_machine-Disable-preemption-after-queueing-stopp.patch @@ -0,0 +1,95 @@ +From 2610e88946632afb78aa58e61f11368ac4c0af7b Mon Sep 17 00:00:00 2001 +From: "Isaac J. Manjarres" +Date: Tue, 17 Jul 2018 12:35:29 -0700 +Subject: [PATCH] stop_machine: Disable preemption after queueing stopper + threads +References: bsc#1088810, bsc#1161702 +Git-commit: 2610e88946632afb78aa58e61f11368ac4c0af7b +Patch-mainline: v4.18-rc8 + +This commit: + + 9fb8d5dc4b64 ("stop_machine, Disable preemption when waking two stopper threads") + +does not fully address the race condition that can occur +as follows: + +On one CPU, call it CPU 3, thread 1 invokes +cpu_stop_queue_two_works(2, 3,...), and the execution is such +that thread 1 queues the works for migration/2 and migration/3, +and is preempted after releasing the locks for migration/2 and +migration/3, but before waking the threads. + +Then, On CPU 2, a kworker, call it thread 2, is running, +and it invokes cpu_stop_queue_two_works(1, 2,...), such that +thread 2 queues the works for migration/1 and migration/2. +Meanwhile, on CPU 3, thread 1 resumes execution, and wakes +migration/2 and migration/3. This means that when CPU 2 +releases the locks for migration/1 and migration/2, but before +it wakes those threads, it can be preempted by migration/2. + +If thread 2 is preempted by migration/2, then migration/2 will +execute the first work item successfully, since migration/3 +was woken up by CPU 3, but when it goes to execute the second +work item, it disables preemption, calls multi_cpu_stop(), +and thus, CPU 2 will wait forever for migration/1, which should +have been woken up by thread 2. However migration/1 cannot be +woken up by thread 2, since it is a kworker, so it is affine to +CPU 2, but CPU 2 is running migration/2 with preemption +disabled, so thread 2 will never run. + +Disable preemption after queueing works for stopper threads +to ensure that the operation of queueing the works and waking +the stopper threads is atomic. + +Co-Developed-by: Prasad Sodagudi +Co-Developed-by: Pavankumar Kondeti +Signed-off-by: Isaac J. Manjarres +Signed-off-by: Prasad Sodagudi +Signed-off-by: Pavankumar Kondeti +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: bigeasy@linutronix.de +Cc: gregkh@linuxfoundation.org +Cc: matt@codeblueprint.co.uk +Fixes: 9fb8d5dc4b64 ("stop_machine, Disable preemption when waking two stopper threads") +Link: http://lkml.kernel.org/r/1531856129-9871-1-git-send-email-isaacm@codeaurora.org +Signed-off-by: Ingo Molnar +Signed-off-by: Thomas Abraham +--- + kernel/stop_machine.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/kernel/stop_machine.c b/kernel/stop_machine.c +index 1ff523dae6e2..e190d1ef3a23 100644 +--- a/kernel/stop_machine.c ++++ b/kernel/stop_machine.c +@@ -260,6 +260,15 @@ static int cpu_stop_queue_two_works(int cpu1, struct cpu_stop_work *work1, + err = 0; + __cpu_stop_queue_work(stopper1, work1, &wakeq); + __cpu_stop_queue_work(stopper2, work2, &wakeq); ++ /* ++ * The waking up of stopper threads has to happen ++ * in the same scheduling context as the queueing. ++ * Otherwise, there is a possibility of one of the ++ * above stoppers being woken up by another CPU, ++ * and preempting us. This will cause us to n ot ++ * wake up the other stopper forever. ++ */ ++ preempt_disable(); + unlock: + spin_unlock(&stopper2->lock); + spin_unlock_irq(&stopper1->lock); +@@ -271,7 +280,6 @@ static int cpu_stop_queue_two_works(int cpu1, struct cpu_stop_work *work1, + } + + if (!err) { +- preempt_disable(); + wake_up_q(&wakeq); + preempt_enable(); + } +-- +2.16.4 + diff --git a/patches.suse/stop_machine-Disable-preemption-when-waking-two-stop.patch b/patches.suse/stop_machine-Disable-preemption-when-waking-two-stop.patch new file mode 100644 index 0000000..6400a15 --- /dev/null +++ b/patches.suse/stop_machine-Disable-preemption-when-waking-two-stop.patch @@ -0,0 +1,73 @@ +From 9fb8d5dc4b649dd190e1af4ead670753e71bf907 Mon Sep 17 00:00:00 2001 +From: "Isaac J. Manjarres" +Date: Tue, 3 Jul 2018 15:02:14 -0700 +Subject: [PATCH] stop_machine: Disable preemption when waking two stopper + threads +References: bsc#1088810, bsc#1161702 +Git-commit: 9fb8d5dc4b649dd190e1af4ead670753e71bf907 +Patch-mainline: v4.18-rc6 + +When cpu_stop_queue_two_works() begins to wake the stopper threads, it does +so without preemption disabled, which leads to the following race +condition: + +The source CPU calls cpu_stop_queue_two_works(), with cpu1 as the source +CPU, and cpu2 as the destination CPU. When adding the stopper threads to +the wake queue used in this function, the source CPU stopper thread is +added first, and the destination CPU stopper thread is added last. + +When wake_up_q() is invoked to wake the stopper threads, the threads are +woken up in the order that they are queued in, so the source CPU's stopper +thread is woken up first, and it preempts the thread running on the source +CPU. + +The stopper thread will then execute on the source CPU, disable preemption, +and begin executing multi_cpu_stop(), and wait for an ack from the +destination CPU's stopper thread, with preemption still disabled. Since the +worker thread that woke up the stopper thread on the source CPU is affine +to the source CPU, and preemption is disabled on the source CPU, that +thread will never run to dequeue the destination CPU's stopper thread from +the wake queue, and thus, the destination CPU's stopper thread will never +run, causing the source CPU's stopper thread to wait forever, and stall. + +Disable preemption when waking the stopper threads in +cpu_stop_queue_two_works(). + +Fixes: 0b26351b910f ("stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock") +Co-Developed-by: Prasad Sodagudi +Signed-off-by: Prasad Sodagudi +Co-Developed-by: Pavankumar Kondeti +Signed-off-by: Pavankumar Kondeti +Signed-off-by: Isaac J. Manjarres +Signed-off-by: Thomas Gleixner +Cc: peterz@infradead.org +Cc: matt@codeblueprint.co.uk +Cc: bigeasy@linutronix.de +Cc: gregkh@linuxfoundation.org +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1530655334-4601-1-git-send-email-isaacm@codeaurora.org +Signed-off-by: Thomas Abraham +--- + kernel/stop_machine.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/kernel/stop_machine.c b/kernel/stop_machine.c +index f89014a2c238..1ff523dae6e2 100644 +--- a/kernel/stop_machine.c ++++ b/kernel/stop_machine.c +@@ -270,7 +270,11 @@ static int cpu_stop_queue_two_works(int cpu1, struct cpu_stop_work *work1, + goto retry; + } + +- wake_up_q(&wakeq); ++ if (!err) { ++ preempt_disable(); ++ wake_up_q(&wakeq); ++ preempt_enable(); ++ } + + return err; + } +-- +2.16.4 + diff --git a/patches.suse/stop_machine-sched-Fix-migrate_swap-vs.-active_balan.patch b/patches.suse/stop_machine-sched-Fix-migrate_swap-vs.-active_balan.patch new file mode 100644 index 0000000..cf3e68a --- /dev/null +++ b/patches.suse/stop_machine-sched-Fix-migrate_swap-vs.-active_balan.patch @@ -0,0 +1,124 @@ +From 0b26351b910fb8fe6a056f8a1bbccabe50c0e19f Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Fri, 20 Apr 2018 11:50:05 +0200 +Subject: [PATCH] stop_machine, sched: Fix migrate_swap() vs. active_balance() + deadlock +References: bsc#1088810, bsc#1161702 +Git-commit: 0b26351b910fb8fe6a056f8a1bbccabe50c0e19f +Patch-mainline: v4.17-rc5 + +Matt reported the following deadlock: + +CPU0 CPU1 + +schedule(.prev=migrate/0) + pick_next_task() ... + idle_balance() migrate_swap() + active_balance() stop_two_cpus() + spin_lock(stopper0->lock) + spin_lock(stopper1->lock) + ttwu(migrate/0) + smp_cond_load_acquire() -- waits for schedule() + stop_one_cpu(1) + spin_lock(stopper1->lock) -- waits for stopper lock + +Fix this deadlock by taking the wakeups out from under stopper->lock. +This allows the active_balance() to queue the stop work and finish the +context switch, which in turn allows the wakeup from migrate_swap() to +observe the context and complete the wakeup. + +Signed-off-by: Peter Zijlstra (Intel) +Reported-by: Matt Fleming +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Matt Fleming +Cc: Linus Torvalds +Cc: Michal Hocko +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180420095005.GH4064@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Thomas Abraham +--- + kernel/stop_machine.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/kernel/stop_machine.c b/kernel/stop_machine.c +index b7591261652d..64c0291b579c 100644 +--- a/kernel/stop_machine.c ++++ b/kernel/stop_machine.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + /* + * Structure to determine completion condition and record errors. May +@@ -65,27 +66,31 @@ static void cpu_stop_signal_done(struct cpu_stop_done *done) + } + + static void __cpu_stop_queue_work(struct cpu_stopper *stopper, +- struct cpu_stop_work *work) ++ struct cpu_stop_work *work, ++ struct wake_q_head *wakeq) + { + list_add_tail(&work->list, &stopper->works); +- wake_up_process(stopper->thread); ++ wake_q_add(wakeq, stopper->thread); + } + + /* queue @work to @stopper. if offline, @work is completed immediately */ + static bool cpu_stop_queue_work(unsigned int cpu, struct cpu_stop_work *work) + { + struct cpu_stopper *stopper = &per_cpu(cpu_stopper, cpu); ++ DEFINE_WAKE_Q(wakeq); + unsigned long flags; + bool enabled; + + spin_lock_irqsave(&stopper->lock, flags); + enabled = stopper->enabled; + if (enabled) +- __cpu_stop_queue_work(stopper, work); ++ __cpu_stop_queue_work(stopper, work, &wakeq); + else if (work->done) + cpu_stop_signal_done(work->done); + spin_unlock_irqrestore(&stopper->lock, flags); + ++ wake_up_q(&wakeq); ++ + return enabled; + } + +@@ -229,6 +234,7 @@ static int cpu_stop_queue_two_works(int cpu1, struct cpu_stop_work *work1, + { + struct cpu_stopper *stopper1 = per_cpu_ptr(&cpu_stopper, cpu1); + struct cpu_stopper *stopper2 = per_cpu_ptr(&cpu_stopper, cpu2); ++ DEFINE_WAKE_Q(wakeq); + int err; + retry: + spin_lock_irq(&stopper1->lock); +@@ -252,8 +258,8 @@ static int cpu_stop_queue_two_works(int cpu1, struct cpu_stop_work *work1, + goto unlock; + + err = 0; +- __cpu_stop_queue_work(stopper1, work1); +- __cpu_stop_queue_work(stopper2, work2); ++ __cpu_stop_queue_work(stopper1, work1, &wakeq); ++ __cpu_stop_queue_work(stopper2, work2, &wakeq); + unlock: + spin_unlock(&stopper2->lock); + spin_unlock_irq(&stopper1->lock); +@@ -263,6 +269,9 @@ static int cpu_stop_queue_two_works(int cpu1, struct cpu_stop_work *work1, + cpu_relax(); + goto retry; + } ++ ++ wake_up_q(&wakeq); ++ + return err; + } + /** +-- +2.16.4 + diff --git a/patches.suse/swiotlb-do-not-panic-on-mapping-failures b/patches.suse/swiotlb-do-not-panic-on-mapping-failures new file mode 100644 index 0000000..a515578 --- /dev/null +++ b/patches.suse/swiotlb-do-not-panic-on-mapping-failures @@ -0,0 +1,77 @@ +From: Christoph Hellwig +Date: Thu, 12 Apr 2018 10:38:08 +0200 +Subject: swiotlb: do not panic on mapping failures +Git-commit: 8088546832aa2c0d8f99dd56edf6384f8a9b63b3 +Patch-mainline: v4.20-rc1 +References: bsc#1162171 + +All properly written drivers now have error handling in the +dma_map_single / dma_map_page callers. As swiotlb_tbl_map_single already +prints a useful warning when running out of swiotlb pool space we can +also remove swiotlb_full entirely as it serves no purpose now. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Robin Murphy +Acked-by: Petr Tesarik +Acked-by: Joerg Roedel +--- + kernel/dma/swiotlb.c | 33 +-------------------------------- + 1 file changed, 1 insertion(+), 32 deletions(-) + +--- a/lib/swiotlb.c ++++ b/lib/swiotlb.c +@@ -799,34 +799,6 @@ swiotlb_free_coherent(struct device *hwd + } + EXPORT_SYMBOL(swiotlb_free_coherent); + +-static void +-swiotlb_full(struct device *dev, size_t size, enum dma_data_direction dir, +- int do_panic) +-{ +- if (swiotlb_force == SWIOTLB_NO_FORCE) +- return; +- +- /* +- * Ran out of IOMMU space for this operation. This is very bad. +- * Unfortunately the drivers cannot handle this operation properly. +- * unless they check for dma_mapping_error (most don't) +- * When the mapping is small enough return a static buffer to limit +- * the damage, or panic when the transfer is too big. +- */ +- dev_err_ratelimited(dev, "DMA: Out of SW-IOMMU space for %zu bytes\n", +- size); +- +- if (size <= io_tlb_overflow || !do_panic) +- return; +- +- if (dir == DMA_BIDIRECTIONAL) +- panic("DMA: Random memory could be DMA accessed\n"); +- if (dir == DMA_FROM_DEVICE) +- panic("DMA: Random memory could be DMA written\n"); +- if (dir == DMA_TO_DEVICE) +- panic("DMA: Random memory could be DMA read\n"); +-} +- + /* + * Map a single buffer of the indicated size for DMA in streaming mode. The + * physical address to use is returned. +@@ -855,10 +827,8 @@ dma_addr_t swiotlb_map_page(struct devic + + /* Oh well, have to allocate and map a bounce buffer. */ + map = map_single(dev, phys, size, dir, attrs); +- if (map == SWIOTLB_MAP_ERROR) { +- swiotlb_full(dev, size, dir, 1); ++ if (map == SWIOTLB_MAP_ERROR) + return swiotlb_phys_to_dma(dev, io_tlb_overflow_buffer); +- } + + dev_addr = swiotlb_phys_to_dma(dev, map); + +@@ -996,7 +966,6 @@ swiotlb_map_sg_attrs(struct device *hwde + if (map == SWIOTLB_MAP_ERROR) { + /* Don't panic here, we expect map_sg users + to do proper error handling. */ +- swiotlb_full(hwdev, sg->length, dir, 0); + attrs |= DMA_ATTR_SKIP_CPU_SYNC; + swiotlb_unmap_sg_attrs(hwdev, sgl, i, dir, + attrs); diff --git a/patches.suse/swiotlb-remove-the-overflow-buffer b/patches.suse/swiotlb-remove-the-overflow-buffer new file mode 100644 index 0000000..529c741 --- /dev/null +++ b/patches.suse/swiotlb-remove-the-overflow-buffer @@ -0,0 +1,169 @@ +From: Christoph Hellwig +Date: Thu, 16 Aug 2018 15:30:39 +0300 +Subject: swiotlb: remove the overflow buffer +Git-commit: dff8d6c1ed584de65aac40494d3e7468c50980c3 +Patch-mainline: v4.20-rc1 +References: bsc#1162171 + +Like all other dma mapping drivers just return an error code instead +of an actual memory buffer. The reason for the overflow buffer was +that at the time swiotlb was invented there was no way to check for +dma mapping errors, but this has long been fixed. + +Signed-off-by: Christoph Hellwig +Acked-by: Catalin Marinas +Reviewed-by: Robin Murphy +Reviewed-by: Konrad Rzeszutek Wilk +Acked-by: Petr Tesarik +Acked-by: Joerg Roedel +--- + arch/arm64/mm/dma-mapping.c | 2 +- + arch/powerpc/kernel/dma-swiotlb.c | 4 +-- + include/linux/dma-direct.h | 2 ++ + include/linux/swiotlb.h | 3 -- + kernel/dma/direct.c | 2 -- + kernel/dma/swiotlb.c | 59 ++------------------------------------- + 6 files changed, 8 insertions(+), 64 deletions(-) + +--- a/lib/swiotlb.c ++++ b/lib/swiotlb.c +@@ -70,13 +70,6 @@ static phys_addr_t io_tlb_start, io_tlb_ + static unsigned long io_tlb_nslabs; + + /* +- * When the IOMMU overflows we return a fallback buffer. This sets the size. +- */ +-static unsigned long io_tlb_overflow = 32*1024; +- +-static phys_addr_t io_tlb_overflow_buffer; +- +-/* + * This is a free list describing the number of free entries available from + * each index + */ +@@ -123,7 +116,6 @@ setup_io_tlb_npages(char *str) + return 0; + } + early_param("swiotlb", setup_io_tlb_npages); +-/* make io_tlb_overflow tunable too? */ + + unsigned long swiotlb_nr_tbl(void) + { +@@ -211,16 +203,10 @@ void __init swiotlb_update_mem_attribute + bytes = PAGE_ALIGN(io_tlb_nslabs << IO_TLB_SHIFT); + swiotlb_set_mem_attributes(vaddr, bytes); + memset(vaddr, 0, bytes); +- +- vaddr = phys_to_virt(io_tlb_overflow_buffer); +- bytes = PAGE_ALIGN(io_tlb_overflow); +- swiotlb_set_mem_attributes(vaddr, bytes); +- memset(vaddr, 0, bytes); + } + + int __init swiotlb_init_with_tbl(char *tlb, unsigned long nslabs, int verbose) + { +- void *v_overflow_buffer; + unsigned long i, bytes; + + bytes = nslabs << IO_TLB_SHIFT; +@@ -230,17 +216,6 @@ int __init swiotlb_init_with_tbl(char *t + io_tlb_end = io_tlb_start + bytes; + + /* +- * Get the overflow emergency buffer +- */ +- v_overflow_buffer = memblock_virt_alloc_low_nopanic( +- PAGE_ALIGN(io_tlb_overflow), +- PAGE_SIZE); +- if (!v_overflow_buffer) +- return -ENOMEM; +- +- io_tlb_overflow_buffer = __pa(v_overflow_buffer); +- +- /* + * Allocate and initialize the free list array. This array is used + * to find contiguous free memory regions of size up to IO_TLB_SEGSIZE + * between io_tlb_start and io_tlb_end. +@@ -347,7 +322,6 @@ int + swiotlb_late_init_with_tbl(char *tlb, unsigned long nslabs) + { + unsigned long i, bytes; +- unsigned char *v_overflow_buffer; + + bytes = nslabs << IO_TLB_SHIFT; + +@@ -359,18 +333,6 @@ swiotlb_late_init_with_tbl(char *tlb, un + memset(tlb, 0, bytes); + + /* +- * Get the overflow emergency buffer +- */ +- v_overflow_buffer = (void *)__get_free_pages(GFP_DMA, +- get_order(io_tlb_overflow)); +- if (!v_overflow_buffer) +- goto cleanup2; +- +- swiotlb_set_mem_attributes(v_overflow_buffer, io_tlb_overflow); +- memset(v_overflow_buffer, 0, io_tlb_overflow); +- io_tlb_overflow_buffer = virt_to_phys(v_overflow_buffer); +- +- /* + * Allocate and initialize the free list array. This array is used + * to find contiguous free memory regions of size up to IO_TLB_SEGSIZE + * between io_tlb_start and io_tlb_end. +@@ -406,10 +368,6 @@ cleanup4: + sizeof(int))); + io_tlb_list = NULL; + cleanup3: +- free_pages((unsigned long)v_overflow_buffer, +- get_order(io_tlb_overflow)); +- io_tlb_overflow_buffer = 0; +-cleanup2: + io_tlb_end = 0; + io_tlb_start = 0; + io_tlb_nslabs = 0; +@@ -423,8 +381,6 @@ void __init swiotlb_free(void) + return; + + if (late_alloc) { +- free_pages((unsigned long)phys_to_virt(io_tlb_overflow_buffer), +- get_order(io_tlb_overflow)); + free_pages((unsigned long)io_tlb_orig_addr, + get_order(io_tlb_nslabs * sizeof(phys_addr_t))); + free_pages((unsigned long)io_tlb_list, get_order(io_tlb_nslabs * +@@ -432,8 +388,6 @@ void __init swiotlb_free(void) + free_pages((unsigned long)phys_to_virt(io_tlb_start), + get_order(io_tlb_nslabs << IO_TLB_SHIFT)); + } else { +- memblock_free_late(io_tlb_overflow_buffer, +- PAGE_ALIGN(io_tlb_overflow)); + memblock_free_late(__pa(io_tlb_orig_addr), + PAGE_ALIGN(io_tlb_nslabs * sizeof(phys_addr_t))); + memblock_free_late(__pa(io_tlb_list), +@@ -828,7 +782,7 @@ dma_addr_t swiotlb_map_page(struct devic + /* Oh well, have to allocate and map a bounce buffer. */ + map = map_single(dev, phys, size, dir, attrs); + if (map == SWIOTLB_MAP_ERROR) +- return swiotlb_phys_to_dma(dev, io_tlb_overflow_buffer); ++ return (dma_addr_t)SWIOTLB_MAP_ERROR; + + dev_addr = swiotlb_phys_to_dma(dev, map); + +@@ -839,7 +793,7 @@ dma_addr_t swiotlb_map_page(struct devic + attrs |= DMA_ATTR_SKIP_CPU_SYNC; + swiotlb_tbl_unmap_single(dev, map, size, dir, attrs); + +- return swiotlb_phys_to_dma(dev, io_tlb_overflow_buffer); ++ return (dma_addr_t)SWIOTLB_MAP_ERROR; + } + EXPORT_SYMBOL_GPL(swiotlb_map_page); + +@@ -1040,7 +994,7 @@ EXPORT_SYMBOL(swiotlb_sync_sg_for_device + int + swiotlb_dma_mapping_error(struct device *hwdev, dma_addr_t dma_addr) + { +- return (dma_addr == swiotlb_phys_to_dma(hwdev, io_tlb_overflow_buffer)); ++ return (dma_addr == (dma_addr_t)SWIOTLB_MAP_ERROR); + } + EXPORT_SYMBOL(swiotlb_dma_mapping_error); + diff --git a/patches.suse/tcp-Don-t-dequeue-SYN-FIN-segments-from-write-queue.patch b/patches.suse/tcp-Don-t-dequeue-SYN-FIN-segments-from-write-queue.patch new file mode 100644 index 0000000..e7270ed --- /dev/null +++ b/patches.suse/tcp-Don-t-dequeue-SYN-FIN-segments-from-write-queue.patch @@ -0,0 +1,94 @@ +From: Christoph Paasch +Date: Fri, 13 Sep 2019 13:08:19 -0700 +Subject: tcp: Don't dequeue SYN/FIN-segments from write-queue +Patch-mainline: 4.14.146 +Git-commit: ba2ddb43f270e6492ccce4fc42fc32c611de8f68 +References: git-gixes + +If a SYN/FIN-segment is on the write-queue, skb->len is 0, but the +segment actually has been transmitted. end_seq and seq of the tcp_skb_cb +in that case will indicate this difference. + +We should not remove such segments from the write-queue as we might be +in SYN_SENT-state and a retransmission-timer is running. When that one +fires, packets_out will be 1, but the write-queue would be empty, +resulting in: + +[ 61.280214] ------------[ cut here ]------------ +[ 61.281307] WARNING: CPU: 0 PID: 0 at net/ipv4/tcp_timer.c:429 tcp_retransmit_timer+0x18f9/0x2660 +[ 61.283498] Modules linked in: +[ 61.284084] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.14.142 #58 +[ 61.285214] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011 +[ 61.286644] task: ffffffff8401e1c0 task.stack: ffffffff84000000 +[ 61.287758] RIP: 0010:tcp_retransmit_timer+0x18f9/0x2660 +[ 61.288715] RSP: 0018:ffff88806ce07cb8 EFLAGS: 00010206 +[ 61.289669] RAX: ffffffff8401e1c0 RBX: ffff88805c998b00 RCX: 0000000000000006 +[ 61.290968] RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff88805c9994d8 +[ 61.292314] RBP: ffff88805c99919a R08: ffff88807fff901c R09: ffff88807fff9008 +[ 61.293547] R10: ffff88807fff9017 R11: ffff88807fff9010 R12: ffff88805c998b30 +[ 61.294834] R13: ffffffff844b9380 R14: 0000000000000000 R15: ffff88805c99930c +[ 61.296086] FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 +[ 61.297523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 61.298646] CR2: 00007f721da50ff8 CR3: 0000000004014002 CR4: 00000000001606f0 +[ 61.299944] Call Trace: +[ 61.300403] +[ 61.300806] ? kvm_sched_clock_read+0x21/0x30 +[ 61.301689] ? sched_clock+0x5/0x10 +[ 61.302433] ? sched_clock_cpu+0x18/0x170 +[ 61.303173] tcp_write_timer_handler+0x2c1/0x7a0 +[ 61.304038] tcp_write_timer+0x13e/0x160 +[ 61.304794] call_timer_fn+0x14a/0x5f0 +[ 61.305480] ? tcp_write_timer_handler+0x7a0/0x7a0 +[ 61.306364] ? __next_timer_interrupt+0x140/0x140 +[ 61.307229] ? _raw_spin_unlock_irq+0x24/0x40 +[ 61.308033] ? tcp_write_timer_handler+0x7a0/0x7a0 +[ 61.308887] ? tcp_write_timer_handler+0x7a0/0x7a0 +[ 61.309760] run_timer_softirq+0xc41/0x1080 +[ 61.310539] ? trigger_dyntick_cpu.isra.33+0x180/0x180 +[ 61.311506] ? ktime_get+0x13f/0x1c0 +[ 61.312232] ? clockevents_program_event+0x10d/0x2f0 +[ 61.313158] __do_softirq+0x20b/0x96b +[ 61.313889] irq_exit+0x1a7/0x1e0 +[ 61.314513] smp_apic_timer_interrupt+0xfc/0x4d0 +[ 61.315386] apic_timer_interrupt+0x8f/0xa0 +[ 61.316129] + +Followed by a panic. + +So, before removing an skb with skb->len == 0, let's make sure that the +skb is really empty by checking the end_seq and seq. + +This patch needs to be backported only to 4.14 and older (among those +that applied the backport of fdfc5c8594c2). + +Reported-by: Luis Henriques +Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases") +Cc: Eric Dumazet +Cc: Jason Baron +Cc: Vladimir Rutsky +Cc: Soheil Hassas Yeganeh +Cc: Neal Cardwell +Signed-off-by: Christoph Paasch +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + net/ipv4/tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index efe767e20d01..c1f59a53f68f 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -922,7 +922,8 @@ static int tcp_send_mss(struct sock *sk, int *size_goal, int flags) + */ + static void tcp_remove_empty_skb(struct sock *sk, struct sk_buff *skb) + { +- if (skb && !skb->len) { ++ if (skb && !skb->len && ++ TCP_SKB_CB(skb)->end_seq == TCP_SKB_CB(skb)->seq) { + tcp_unlink_write_queue(skb, sk); + tcp_check_send_head(sk, skb); + sk_wmem_free_skb(sk, skb); +-- +2.23.0 + diff --git a/patches.suse/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch b/patches.suse/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch new file mode 100644 index 0000000..628e5d4 --- /dev/null +++ b/patches.suse/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch @@ -0,0 +1,51 @@ +From: Eric Dumazet +Date: Thu, 12 Dec 2019 12:55:29 -0800 +Subject: tcp: do not send empty skb from tcp_write_xmit() +Git-commit: 1f85e6267caca44b30c54711652b0726fadbb131 +Patch-mainline: 5.5-rc3 +References: networking-stable-20_01_01 + +Backport of commit fdfc5c8594c2 ("tcp: remove empty skb from +write queue in error cases") in linux-4.14 stable triggered +various bugs. One of them has been fixed in commit ba2ddb43f270 +("tcp: Don't dequeue SYN/FIN-segments from write-queue"), but +we still have crashes in some occasions. + +Root-cause is that when tcp_sendmsg() has allocated a fresh +skb and could not append a fragment before being blocked +in sk_stream_wait_memory(), tcp_write_xmit() might be called +and decide to send this fresh and empty skb. + +Sending an empty packet is not only silly, it might have caused +many issues we had in the past with tp->packets_out being +out of sync. + +Fixes: c65f7f00c587 ("[TCP]: Simplify SKB data portion allocation with NETIF_F_SG.") +Signed-off-by: Eric Dumazet +Cc: Christoph Paasch +Acked-by: Neal Cardwell +Cc: Jason Baron +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: Jakub Kicinski +Signed-off-by: Jiri Slaby +--- + net/ipv4/tcp_output.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2380,6 +2380,14 @@ static bool tcp_write_xmit(struct sock * + if (tcp_small_queue_check(sk, skb, 0)) + break; + ++ /* Argh, we hit an empty skb(), presumably a thread ++ * is sleeping in sendmsg()/sk_stream_wait_memory(). ++ * We do not want to send a pure-ack packet and have ++ * a strange looking rtx queue with empty packet(s). ++ */ ++ if (TCP_SKB_CB(skb)->end_seq == TCP_SKB_CB(skb)->seq) ++ break; ++ + if (unlikely(tcp_transmit_skb(sk, skb, 1, gfp))) + break; + diff --git a/patches.suse/tracing-annotate-ftrace_graph_hash-pointer-with-_rcu.patch b/patches.suse/tracing-annotate-ftrace_graph_hash-pointer-with-_rcu.patch new file mode 100644 index 0000000..857212b --- /dev/null +++ b/patches.suse/tracing-annotate-ftrace_graph_hash-pointer-with-_rcu.patch @@ -0,0 +1,67 @@ +From: Amol Grover +Date: Sat, 1 Feb 2020 12:57:04 +0530 +Subject: tracing: Annotate ftrace_graph_hash pointer with __rcu +Git-commit: 24a9729f831462b1d9d61dc85ecc91c59037243f +Patch-mainline: v5.6-rc1 +References: git-fixes + +Fix following instances of sparse error +kernel/trace/ftrace.c:5664:29: error: incompatible types in comparison +kernel/trace/ftrace.c:5785:21: error: incompatible types in comparison +kernel/trace/ftrace.c:5864:36: error: incompatible types in comparison +kernel/trace/ftrace.c:5866:25: error: incompatible types in comparison + +Use rcu_dereference_protected to access the __rcu annotated pointer. + +Link: http://lkml.kernel.org/r/20200201072703.17330-1-frextrite@gmail.com + +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Amol Grover +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Miroslav Benes +--- + kernel/trace/ftrace.c | 2 +- + kernel/trace/trace.h | 9 ++++++--- + 2 files changed, 7 insertions(+), 4 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -4806,7 +4806,7 @@ static const struct file_operations ftra + + static DEFINE_MUTEX(graph_lock); + +-struct ftrace_hash *ftrace_graph_hash = EMPTY_HASH; ++struct ftrace_hash __rcu *ftrace_graph_hash = EMPTY_HASH; + struct ftrace_hash *ftrace_graph_notrace_hash = EMPTY_HASH; + + enum graph_filter_type { +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -811,21 +811,24 @@ extern void __trace_graph_return(struct + unsigned long flags, int pc); + + #ifdef CONFIG_DYNAMIC_FTRACE +-extern struct ftrace_hash *ftrace_graph_hash; ++extern struct ftrace_hash __rcu *ftrace_graph_hash; + extern struct ftrace_hash *ftrace_graph_notrace_hash; + + static inline int ftrace_graph_addr(unsigned long addr) + { + int ret = 0; ++ struct ftrace_hash *hash; + + preempt_disable_notrace(); + +- if (ftrace_hash_empty(ftrace_graph_hash)) { ++ hash = rcu_dereference_protected(ftrace_graph_hash, !preemptible()); ++ ++ if (ftrace_hash_empty(hash)) { + ret = 1; + goto out; + } + +- if (ftrace_lookup_ip(ftrace_graph_hash, addr)) { ++ if (ftrace_lookup_ip(hash, addr)) { + /* + * If no irqs are to be traced, but a set_graph_function + * is set, and called by an interrupt handler, we still diff --git a/patches.suse/tracing-annotate-ftrace_graph_notrace_hash-pointer-with-_rcu.patch b/patches.suse/tracing-annotate-ftrace_graph_notrace_hash-pointer-with-_rcu.patch new file mode 100644 index 0000000..3bb7c89 --- /dev/null +++ b/patches.suse/tracing-annotate-ftrace_graph_notrace_hash-pointer-with-_rcu.patch @@ -0,0 +1,63 @@ +From: Amol Grover +Date: Wed, 5 Feb 2020 11:27:02 +0530 +Subject: tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu +Git-commit: fd0e6852c407dd9aefc594f54ddcc21d84803d3b +Patch-mainline: v5.6-rc1 +References: git-fixes + +Fix following instances of sparse error +kernel/trace/ftrace.c:5667:29: error: incompatible types in comparison +kernel/trace/ftrace.c:5813:21: error: incompatible types in comparison +kernel/trace/ftrace.c:5868:36: error: incompatible types in comparison +kernel/trace/ftrace.c:5870:25: error: incompatible types in comparison + +Use rcu_dereference_protected to dereference the newly annotated pointer. + +Link: http://lkml.kernel.org/r/20200205055701.30195-1-frextrite@gmail.com + +Signed-off-by: Amol Grover +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Miroslav Benes +--- + kernel/trace/ftrace.c | 2 +- + kernel/trace/trace.h | 8 ++++++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -4807,7 +4807,7 @@ static const struct file_operations ftra + static DEFINE_MUTEX(graph_lock); + + struct ftrace_hash __rcu *ftrace_graph_hash = EMPTY_HASH; +-struct ftrace_hash *ftrace_graph_notrace_hash = EMPTY_HASH; ++struct ftrace_hash __rcu *ftrace_graph_notrace_hash = EMPTY_HASH; + + enum graph_filter_type { + GRAPH_FILTER_NOTRACE = 0, +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -812,7 +812,7 @@ extern void __trace_graph_return(struct + + #ifdef CONFIG_DYNAMIC_FTRACE + extern struct ftrace_hash __rcu *ftrace_graph_hash; +-extern struct ftrace_hash *ftrace_graph_notrace_hash; ++extern struct ftrace_hash __rcu *ftrace_graph_notrace_hash; + + static inline int ftrace_graph_addr(unsigned long addr) + { +@@ -849,10 +849,14 @@ out: + static inline int ftrace_graph_notrace_addr(unsigned long addr) + { + int ret = 0; ++ struct ftrace_hash *notrace_hash; + + preempt_disable_notrace(); + +- if (ftrace_lookup_ip(ftrace_graph_notrace_hash, addr)) ++ notrace_hash = rcu_dereference_protected(ftrace_graph_notrace_hash, ++ !preemptible()); ++ ++ if (ftrace_lookup_ip(notrace_hash, addr)) + ret = 1; + + preempt_enable_notrace(); diff --git a/patches.suse/tracing-fix-tracing_stat-return-values-in-error-handling-paths.patch b/patches.suse/tracing-fix-tracing_stat-return-values-in-error-handling-paths.patch new file mode 100644 index 0000000..dd0d99c --- /dev/null +++ b/patches.suse/tracing-fix-tracing_stat-return-values-in-error-handling-paths.patch @@ -0,0 +1,54 @@ +From: Luis Henriques +Date: Tue, 9 Sep 2014 22:49:41 +0100 +Subject: tracing: Fix tracing_stat return values in error handling paths +Git-commit: afccc00f75bbbee4e4ae833a96c2d29a7259c693 +Patch-mainline: v5.6-rc1 +References: git-fixes + +tracing_stat_init() was always returning '0', even on the error paths. It +now returns -ENODEV if tracing_init_dentry() fails or -ENOMEM if it fails +to created the 'trace_stat' debugfs directory. + +Link: http://lkml.kernel.org/r/1410299381-20108-1-git-send-email-luis.henriques@canonical.com + +Fixes: ed6f1c996bfe4 ("tracing: Check return value of tracing_init_dentry()") +Signed-off-by: Luis Henriques +[ Pulled from the archeological digging of my INBOX ] +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Miroslav Benes +--- + kernel/trace/trace_stat.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c +index da8a38c3d5e4..d1fa19773cc8 100644 +--- a/kernel/trace/trace_stat.c ++++ b/kernel/trace/trace_stat.c +@@ -280,18 +280,22 @@ static int tracing_stat_init(void) + + d_tracing = tracing_init_dentry(); + if (IS_ERR(d_tracing)) +- return 0; ++ return -ENODEV; + + stat_dir = tracefs_create_dir("trace_stat", d_tracing); +- if (!stat_dir) ++ if (!stat_dir) { + pr_warn("Could not create tracefs 'trace_stat' entry\n"); ++ return -ENOMEM; ++ } + return 0; + } + + static int init_stat_file(struct stat_session *session) + { +- if (!stat_dir && tracing_stat_init()) +- return -ENODEV; ++ int ret; ++ ++ if (!stat_dir && (ret = tracing_stat_init())) ++ return ret; + + session->file = tracefs_create_file(session->ts->name, 0644, + stat_dir, + diff --git a/patches.suse/tracing-fix-very-unlikely-race-of-registering-two-stat-tracers.patch b/patches.suse/tracing-fix-very-unlikely-race-of-registering-two-stat-tracers.patch new file mode 100644 index 0000000..12c0cfb --- /dev/null +++ b/patches.suse/tracing-fix-very-unlikely-race-of-registering-two-stat-tracers.patch @@ -0,0 +1,83 @@ +From: "Steven Rostedt (VMware)" +Date: Fri, 24 Jan 2020 17:47:49 -0500 +Subject: tracing: Fix very unlikely race of registering two stat tracers +Git-commit: dfb6cd1e654315168e36d947471bd2a0ccd834ae +Patch-mainline: v5.6-rc1 +References: git-fixes + +Looking through old emails in my INBOX, I came across a patch from Luis +Henriques that attempted to fix a race of two stat tracers registering the +same stat trace (extremely unlikely, as this is done in the kernel, and +probably doesn't even exist). The submitted patch wasn't quite right as it +needed to deal with clean up a bit better (if two stat tracers were the +same, it would have the same files). + +But to make the code cleaner, all we needed to do is to keep the +all_stat_sessions_mutex held for most of the registering function. + +Link: http://lkml.kernel.org/r/1410299375-20068-1-git-send-email-luis.henriques@canonical.com + +Fixes: 002bb86d8d42f ("tracing/ftrace: separate events tracing and stats tracing engine") +Reported-by: Luis Henriques +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Miroslav Benes +--- + kernel/trace/trace_stat.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c +index 874f1274cf99..da8a38c3d5e4 100644 +--- a/kernel/trace/trace_stat.c ++++ b/kernel/trace/trace_stat.c +@@ -304,7 +304,7 @@ static int init_stat_file(struct stat_session *session) + int register_stat_tracer(struct tracer_stat *trace) + { + struct stat_session *session, *node; +- int ret; ++ int ret = -EINVAL; + + if (!trace) + return -EINVAL; +@@ -315,17 +315,15 @@ int register_stat_tracer(struct tracer_stat *trace) + /* Already registered? */ + mutex_lock(&all_stat_sessions_mutex); + list_for_each_entry(node, &all_stat_sessions, session_list) { +- if (node->ts == trace) { +- mutex_unlock(&all_stat_sessions_mutex); +- return -EINVAL; +- } ++ if (node->ts == trace) ++ goto out; + } +- mutex_unlock(&all_stat_sessions_mutex); + ++ ret = -ENOMEM; + /* Init the session */ + session = kzalloc(sizeof(*session), GFP_KERNEL); + if (!session) +- return -ENOMEM; ++ goto out; + + session->ts = trace; + INIT_LIST_HEAD(&session->session_list); +@@ -334,15 +332,16 @@ int register_stat_tracer(struct tracer_stat *trace) + ret = init_stat_file(session); + if (ret) { + destroy_session(session); +- return ret; ++ goto out; + } + ++ ret = 0; + /* Register */ +- mutex_lock(&all_stat_sessions_mutex); + list_add_tail(&session->session_list, &all_stat_sessions); ++ out: + mutex_unlock(&all_stat_sessions_mutex); + +- return 0; ++ return ret; + } + + void unregister_stat_tracer(struct tracer_stat *trace) + diff --git a/patches.suse/tracing-xen-ordered-comparison-of-function-pointers.patch b/patches.suse/tracing-xen-ordered-comparison-of-function-pointers.patch new file mode 100644 index 0000000..f45b48c --- /dev/null +++ b/patches.suse/tracing-xen-ordered-comparison-of-function-pointers.patch @@ -0,0 +1,53 @@ +From: Changbin Du +Date: Sun, 12 Jan 2020 11:42:31 +0800 +Subject: tracing: xen: Ordered comparison of function pointers +Git-commit: d0695e2351102affd8efae83989056bc4b275917 +Patch-mainline: v5.5 +References: git-fixes + +Just as commit 0566e40ce7 ("tracing: initcall: Ordered comparison of +function pointers"), this patch fixes another remaining one in xen.h +found by clang-9. + +In file included from arch/x86/xen/trace.c:21: +In file included from ./include/trace/events/xen.h:475: +In file included from ./include/trace/define_trace.h:102: +In file included from ./include/trace/trace_events.h:473: +./include/trace/events/xen.h:69:7: warning: ordered comparison of function \ +pointers ('xen_mc_callback_fn_t' (aka 'void (*)(void *)') and 'xen_mc_callback_fn_t') [-Wordered-compare-function-pointers] + __field(xen_mc_callback_fn_t, fn) + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./include/trace/trace_events.h:421:29: note: expanded from macro '__field' + ^ +./include/trace/trace_events.h:407:6: note: expanded from macro '__field_ext' + is_signed_type(type), filter_type); \ + ^ +./include/linux/trace_events.h:554:44: note: expanded from macro 'is_signed_type' + ^ + +Fixes: c796f213a6934 ("xen/trace: add multicall tracing") +Signed-off-by: Changbin Du +Signed-off-by: Steven Rostedt (VMware) +Acked-by: Miroslav Benes +--- + include/trace/events/xen.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/trace/events/xen.h b/include/trace/events/xen.h +index 9a0e8af21310..a5ccfa67bc5c 100644 +--- a/include/trace/events/xen.h ++++ b/include/trace/events/xen.h +@@ -66,7 +66,11 @@ TRACE_EVENT(xen_mc_callback, + TP_PROTO(xen_mc_callback_fn_t fn, void *data), + TP_ARGS(fn, data), + TP_STRUCT__entry( +- __field(xen_mc_callback_fn_t, fn) ++ /* ++ * Use field_struct to avoid is_signed_type() ++ * comparison of a function pointer. ++ */ ++ __field_struct(xen_mc_callback_fn_t, fn) + __field(void *, data) + ), + TP_fast_assign( + diff --git a/patches.suse/tty-n_hdlc-fix-build-on-SPARC.patch b/patches.suse/tty-n_hdlc-fix-build-on-SPARC.patch new file mode 100644 index 0000000..fa9764f --- /dev/null +++ b/patches.suse/tty-n_hdlc-fix-build-on-SPARC.patch @@ -0,0 +1,52 @@ +From 47a7e5e97d4edd7b14974d34f0e5a5560fad2915 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Mon, 30 Sep 2019 19:15:12 -0700 +Subject: [PATCH] tty: n_hdlc: fix build on SPARC +Git-commit: 47a7e5e97d4edd7b14974d34f0e5a5560fad2915 +Patch-mainline: v5.4-rc3 +References: bsc#1051510 + +Fix tty driver build on SPARC by not using __exitdata. +It appears that SPARC does not support section .exit.data. + +Fixes these build errors: + +`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o +`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o +`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o +`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o + +Reported-by: kbuild test robot +Fixes: 063246641d4a ("format-security: move static strings to const") +Signed-off-by: Randy Dunlap +Cc: Kees Cook +Cc: Greg Kroah-Hartman +Cc: "David S. Miller" +Cc: Andrew Morton +Link: https://lore.kernel.org/r/675e7bd9-955b-3ff3-1101-a973b58b5b75@infradead.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/n_hdlc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c +index e55c79eb6430..98361acd3053 100644 +--- a/drivers/tty/n_hdlc.c ++++ b/drivers/tty/n_hdlc.c +@@ -968,6 +968,11 @@ static int __init n_hdlc_init(void) + + } /* end of init_module() */ + ++#ifdef CONFIG_SPARC ++#undef __exitdata ++#define __exitdata ++#endif ++ + static const char hdlc_unregister_ok[] __exitdata = + KERN_INFO "N_HDLC: line discipline unregistered\n"; + static const char hdlc_unregister_fail[] __exitdata = +-- +2.16.4 + diff --git a/patches.suse/tty-serial-atmel-Add-is_half_duplex-helper.patch b/patches.suse/tty-serial-atmel-Add-is_half_duplex-helper.patch new file mode 100644 index 0000000..00daeee --- /dev/null +++ b/patches.suse/tty-serial-atmel-Add-is_half_duplex-helper.patch @@ -0,0 +1,83 @@ +From f3040983132bf3477acd45d2452a906e67c2fec9 Mon Sep 17 00:00:00 2001 +From: Razvan Stefanescu +Date: Tue, 19 Mar 2019 15:20:34 +0200 +Subject: [PATCH] tty/serial: atmel: Add is_half_duplex helper +Git-commit: f3040983132bf3477acd45d2452a906e67c2fec9 +No-fix: 6952a0956e8bafcec79a13c59dfa7566dce11205 +Patch-mainline: v5.1-rc3 +References: bsc#1051510 + +[ backport note: this is a backport from 4.14.y stable, + commit 6952a0956e8bafcec79a13c59dfa7566dce11205 ] + +Use a helper function to check that a port needs to use half duplex +communication, replacing several occurrences of multi-line bit checking. + +Fixes: b389f173aaa1 ("tty/serial: atmel: RS485 half duplex w/DMA: enable RX after TX is done") +Cc: stable +Signed-off-by: Razvan Stefanescu +Acked-by: Richard Genoud +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/atmel_serial.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -255,6 +255,12 @@ static inline void atmel_uart_write_char + + #endif + ++static inline int atmel_uart_is_half_duplex(struct uart_port *port) ++{ ++ return (port->rs485.flags & SER_RS485_ENABLED) && ++ !(port->rs485.flags & SER_RS485_RX_DURING_TX); ++} ++ + #ifdef CONFIG_SERIAL_ATMEL_PDC + static bool atmel_use_pdc_rx(struct uart_port *port) + { +@@ -506,9 +512,9 @@ static void atmel_stop_tx(struct uart_po + /* Disable interrupts */ + atmel_uart_writel(port, ATMEL_US_IDR, atmel_port->tx_done_mask); + +- if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) ++ if (atmel_uart_is_half_duplex(port)) + atmel_start_rx(port); ++ + } + + /* +@@ -525,8 +531,7 @@ static void atmel_start_tx(struct uart_p + return; + + if (atmel_use_pdc_tx(port) || atmel_use_dma_tx(port)) +- if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) ++ if (atmel_uart_is_half_duplex(port)) + atmel_stop_rx(port); + + if (atmel_use_pdc_tx(port)) +@@ -823,8 +828,7 @@ static void atmel_complete_tx_dma(void * + */ + if (!uart_circ_empty(xmit)) + atmel_tasklet_schedule(atmel_port, &atmel_port->tasklet_tx); +- else if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) { ++ else if (atmel_uart_is_half_duplex(port)) { + /* DMA done, stop TX, start RX for RS485 */ + atmel_start_rx(port); + } +@@ -1400,8 +1404,7 @@ static void atmel_tx_pdc(struct uart_por + atmel_uart_writel(port, ATMEL_US_IER, + atmel_port->tx_done_mask); + } else { +- if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) { ++ if (atmel_uart_is_half_duplex(port)) { + /* DMA done, stop TX, start RX for RS485 */ + atmel_start_rx(port); + } diff --git a/patches.suse/tty-serial-msm_serial-Fix-lockup-for-sysrq-and-oops.patch b/patches.suse/tty-serial-msm_serial-Fix-lockup-for-sysrq-and-oops.patch new file mode 100644 index 0000000..dabc22d --- /dev/null +++ b/patches.suse/tty-serial-msm_serial-Fix-lockup-for-sysrq-and-oops.patch @@ -0,0 +1,72 @@ +From 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Wed, 27 Nov 2019 22:15:43 +0800 +Subject: [PATCH] tty: serial: msm_serial: Fix lockup for sysrq and oops +Git-commit: 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +As the commit 677fe555cbfb ("serial: imx: Fix recursive locking bug") +has mentioned the uart driver might cause recursive locking between +normal printing and the kernel debugging facilities (e.g. sysrq and +oops). In the commit it gave out suggestion for fixing recursive +locking issue: "The solution is to avoid locking in the sysrq case +and trylock in the oops_in_progress case." + +This patch follows the suggestion (also used the exactly same code with +other serial drivers, e.g. amba-pl011.c) to fix the recursive locking +issue, this can avoid stuck caused by deadlock and print out log for +sysrq and oops. + +Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.") +Signed-off-by: Leo Yan +Reviewed-by: Jeffrey Hugo +Link: https://lore.kernel.org/r/20191127141544.4277-2-leo.yan@linaro.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/serial/msm_serial.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c +index 1cbae0768b1f..f6c45a796433 100644 +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -1580,6 +1580,7 @@ static void __msm_console_write(struct uart_port *port, const char *s, + int num_newlines = 0; + bool replaced = false; + void __iomem *tf; ++ int locked = 1; + + if (is_uartdm) + tf = port->membase + UARTDM_TF; +@@ -1592,7 +1593,13 @@ static void __msm_console_write(struct uart_port *port, const char *s, + num_newlines++; + count += num_newlines; + +- spin_lock(&port->lock); ++ if (port->sysrq) ++ locked = 0; ++ else if (oops_in_progress) ++ locked = spin_trylock(&port->lock); ++ else ++ spin_lock(&port->lock); ++ + if (is_uartdm) + msm_reset_dm_count(port, count); + +@@ -1628,7 +1635,9 @@ static void __msm_console_write(struct uart_port *port, const char *s, + iowrite32_rep(tf, buf, 1); + i += num_chars; + } +- spin_unlock(&port->lock); ++ ++ if (locked) ++ spin_unlock(&port->lock); + } + + static void msm_console_write(struct console *co, const char *s, +-- +2.16.4 + diff --git a/patches.suse/tty-vt-keyboard-reject-invalid-keycodes.patch b/patches.suse/tty-vt-keyboard-reject-invalid-keycodes.patch new file mode 100644 index 0000000..6f3cb55 --- /dev/null +++ b/patches.suse/tty-vt-keyboard-reject-invalid-keycodes.patch @@ -0,0 +1,57 @@ +From b2b2dd71e0859436d4e05b2f61f86140250ed3f8 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 22 Nov 2019 12:42:20 -0800 +Subject: [PATCH] tty: vt: keyboard: reject invalid keycodes +Git-commit: b2b2dd71e0859436d4e05b2f61f86140250ed3f8 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +Do not try to handle keycodes that are too big, otherwise we risk doing +out-of-bounds writes: + +Bug: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline] +Bug: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] +Bug: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 +Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722 +... + kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] + kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 + input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118 + input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145 + input_pass_values drivers/input/input.c:949 [inline] + input_set_keycode+0x290/0x320 drivers/input/input.c:954 + evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882 + evdev_do_ioctl drivers/input/evdev.c:1150 [inline] + +In this case we were dealing with a fuzzed HID device that declared over +12K buttons, and while HID layer should not be reporting to us such big +keycodes, we should also be defensive and reject invalid data ourselves as +well. + +Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com +Signed-off-by: Dmitry Torokhov +Cc: stable +Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/tty/vt/keyboard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c +index 515fc095e3b4..15d33fa0c925 100644 +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -1491,7 +1491,7 @@ static void kbd_event(struct input_handle *handle, unsigned int event_type, + + if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev)) + kbd_rawcode(value); +- if (event_type == EV_KEY) ++ if (event_type == EV_KEY && event_code <= KEY_MAX) + kbd_keycode(event_code, value, HW_RAW(handle->dev)); + + spin_unlock(&kbd_event_lock); +-- +2.16.4 + diff --git a/patches.suse/ubifs-Fix-FS_IOC_SETFLAGS-unexpectedly-clearing-encr.patch b/patches.suse/ubifs-Fix-FS_IOC_SETFLAGS-unexpectedly-clearing-encr.patch new file mode 100644 index 0000000..2261950 --- /dev/null +++ b/patches.suse/ubifs-Fix-FS_IOC_SETFLAGS-unexpectedly-clearing-encr.patch @@ -0,0 +1,56 @@ +From 2b57067a7778484c10892fa191997bfda29fea13 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 9 Dec 2019 14:23:24 -0800 +Subject: [PATCH] ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag +Git-commit: 2b57067a7778484c10892fa191997bfda29fea13 +Patch-mainline: v5.6-rc1 +References: bsc#1163855 + +UBIFS's implementation of FS_IOC_SETFLAGS fails to preserve existing +inode flags that aren't settable by FS_IOC_SETFLAGS, namely the encrypt +flag. This causes the encrypt flag to be unexpectedly cleared. + +Fix it by preserving existing unsettable flags, like ext4 and f2fs do. + +Test case with kvm-xfstests shell: + + FSTYP=ubifs KEYCTL_PROG=keyctl + . fs/ubifs/config + . ~/xfstests/common/encrypt + dev=$(__blkdev_to_ubi_volume /dev/vdc) + ubiupdatevol -t $dev + mount $dev /mnt -t ubifs + k=$(_generate_session_encryption_key) + mkdir /mnt/edir + xfs_io -c "set_encpolicy $k" /mnt/edir + echo contents > /mnt/edir/file + chattr +i /mnt/edir/file + chattr -i /mnt/edir/file + +With the bug, the following errors occur on the last command: + + [ 18.081559] fscrypt (ubifs, inode 67): Inconsistent encryption context (parent directory: 65) + chattr: Operation not permitted while reading flags on /mnt/edir/file + +Fixes: d475a507457b ("ubifs: Add skeleton for fscrypto") +Cc: # v4.10+ +Signed-off-by: Eric Biggers +Signed-off-by: Richard Weinberger +Acked-by: Jan Kara + +--- + fs/ubifs/ioctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ubifs/ioctl.c ++++ b/fs/ubifs/ioctl.c +@@ -129,7 +129,8 @@ static int setflags(struct inode *inode, + } + } + +- ui->flags = ioctl2ubifs(flags); ++ ui->flags &= ~ioctl2ubifs(UBIFS_SUPPORTED_IOCTL_FLAGS); ++ ui->flags |= ioctl2ubifs(flags); + ubifs_set_inode_flags(inode); + inode->i_ctime = current_time(inode); + release = ui->dirty; diff --git a/patches.suse/ubifs-Fix-deadlock-in-concurrent-bulk-read-and-write.patch b/patches.suse/ubifs-Fix-deadlock-in-concurrent-bulk-read-and-write.patch new file mode 100644 index 0000000..6ee9e3b --- /dev/null +++ b/patches.suse/ubifs-Fix-deadlock-in-concurrent-bulk-read-and-write.patch @@ -0,0 +1,59 @@ +From f5de5b83303e61b1f3fb09bd77ce3ac2d7a475f2 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Sat, 11 Jan 2020 17:50:36 +0800 +Subject: [PATCH] ubifs: Fix deadlock in concurrent bulk-read and writepage +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: f5de5b83303e61b1f3fb09bd77ce3ac2d7a475f2 +Patch-mainline: v5.6-rc1 +References: bsc#1163856 + +In ubifs, concurrent execution of writepage and bulk read on the same file +may cause ABBA deadlock, for example (Reproduce method see Link): + +Process A(Bulk-read starts from page4) Process B(write page4 back) + vfs_read wb_workfn or fsync + ... ... + generic_file_buffered_read write_cache_pages + ubifs_readpage LOCK(page4) + + ubifs_bulk_read ubifs_writepage + LOCK(ui->ui_mutex) ubifs_write_inode + + ubifs_do_bulk_read LOCK(ui->ui_mutex) + find_or_create_page(alloc page4) ↑ + LOCK(page4) <-- ABBA deadlock occurs! + +In order to ensure the serialization execution of bulk read, we can't +remove the big lock 'ui->ui_mutex' in ubifs_bulk_read(). Instead, we +allow ubifs_do_bulk_read() to lock page failed by replacing +find_or_create_page(FGP_LOCK) with +pagecache_get_page(FGP_LOCK | FGP_NOWAIT). + +Signed-off-by: Zhihao Cheng +Suggested-by: zhangyi (F) +Cc: +Fixes: 4793e7c5e1c ("UBIFS: add bulk-read facility") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206153 +Signed-off-by: Richard Weinberger +Acked-by: Jan Kara + +--- + fs/ubifs/file.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/ubifs/file.c ++++ b/fs/ubifs/file.c +@@ -796,8 +796,9 @@ static int ubifs_do_bulk_read(struct ubi + + if (page_offset > end_index) + break; +- page = find_or_create_page(mapping, page_offset, +- GFP_NOFS); ++ page = pagecache_get_page(mapping, page_offset, ++ FGP_LOCK|FGP_ACCESSED|FGP_CREAT|FGP_NOWAIT, ++ GFP_NOFS); + if (!page) + break; + if (!PageUptodate(page)) diff --git a/patches.suse/ubifs-Reject-unsupported-ioctl-flags-explicitly.patch b/patches.suse/ubifs-Reject-unsupported-ioctl-flags-explicitly.patch new file mode 100644 index 0000000..e21c07f --- /dev/null +++ b/patches.suse/ubifs-Reject-unsupported-ioctl-flags-explicitly.patch @@ -0,0 +1,51 @@ +From 2fe8b2d5578d7d142982e3bf62e4c0caf8b8fe02 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Sat, 9 Feb 2019 16:54:20 +0800 +Subject: [PATCH] ubifs: Reject unsupported ioctl flags explicitly +Git-commit: 2fe8b2d5578d7d142982e3bf62e4c0caf8b8fe02 +Patch-mainline: v5.1-rc1 +References: bsc#1163844 + +Reject unsupported ioctl flags explicitly, so the following command +on a regular ubifs file will fail: + chattr +d ubifs_file + +And xfstests generic/424 will pass. + +Signed-off-by: Hou Tao +Signed-off-by: Richard Weinberger +Acked-by: Jan Kara + +--- + fs/ubifs/ioctl.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/ubifs/ioctl.c b/fs/ubifs/ioctl.c +index 0164bcc827f8..daf9f93e15de 100644 +--- a/fs/ubifs/ioctl.c ++++ b/fs/ubifs/ioctl.c +@@ -28,6 +28,11 @@ + #include + #include "ubifs.h" + ++/* Need to be kept consistent with checked flags in ioctl2ubifs() */ ++#define UBIFS_SUPPORTED_IOCTL_FLAGS \ ++ (FS_COMPR_FL | FS_SYNC_FL | FS_APPEND_FL | \ ++ FS_IMMUTABLE_FL | FS_DIRSYNC_FL) ++ + /** + * ubifs_set_inode_flags - set VFS inode flags. + * @inode: VFS inode to set flags for +@@ -169,6 +174,9 @@ long ubifs_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + if (get_user(flags, (int __user *) arg)) + return -EFAULT; + ++ if (flags & ~UBIFS_SUPPORTED_IOCTL_FLAGS) ++ return -EOPNOTSUPP; ++ + if (!S_ISDIR(inode->i_mode)) + flags &= ~FS_DIRSYNC_FL; + +-- +2.16.4 + diff --git a/patches.suse/ubifs-don-t-trigger-assertion-on-invalid-no-key-file.patch b/patches.suse/ubifs-don-t-trigger-assertion-on-invalid-no-key-file.patch new file mode 100644 index 0000000..5286ef9 --- /dev/null +++ b/patches.suse/ubifs-don-t-trigger-assertion-on-invalid-no-key-file.patch @@ -0,0 +1,48 @@ +From f0d07a98a070bb5e443df19c3aa55693cbca9341 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 20 Jan 2020 14:31:59 -0800 +Subject: [PATCH] ubifs: don't trigger assertion on invalid no-key filename +Git-commit: f0d07a98a070bb5e443df19c3aa55693cbca9341 +Patch-mainline: v5.6-rc1 +References: bsc#1163850 + +If userspace provides an invalid fscrypt no-key filename which encodes a +hash value with any of the UBIFS node type bits set (i.e. the high 3 +bits), gracefully report ENOENT rather than triggering ubifs_assert(). + +Test case with kvm-xfstests shell: + + . fs/ubifs/config + . ~/xfstests/common/encrypt + dev=$(__blkdev_to_ubi_volume /dev/vdc) + ubiupdatevol $dev -t + mount $dev /mnt -t ubifs + mkdir /mnt/edir + xfs_io -c set_encpolicy /mnt/edir + rm /mnt/edir/_,,,,,DAAAAAAAAAAAAAAAAAAAAAAAAAA + +With the bug, the following assertion fails on the 'rm' command: + + [ 19.066048] UBIFS error (ubi0:0 pid 379): ubifs_assert_failed: UBIFS assert failed: !(hash & ~UBIFS_S_KEY_HASH_MASK), in fs/ubifs/key.h:170 + +Fixes: f4f61d2cc6d8 ("ubifs: Implement encrypted filenames") +Cc: # v4.10+ +Link: https://lore.kernel.org/r/20200120223201.241390-5-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Acked-by: Jan Kara + +--- + fs/ubifs/dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ubifs/dir.c ++++ b/fs/ubifs/dir.c +@@ -253,6 +253,8 @@ static struct dentry *ubifs_lookup(struc + if (nm.hash) { + ubifs_assert(fname_len(&nm) == 0); + ubifs_assert(fname_name(&nm) == NULL); ++ if (nm.hash & ~UBIFS_S_KEY_HASH_MASK) ++ goto done; /* ENOENT */ + dent_key_init_hash(c, &key, dir->i_ino, nm.hash); + err = ubifs_tnc_lookup_dh(c, &key, dent, nm.minor_hash); + } else { diff --git a/patches.suse/udp-fix-integer-overflow-while-computing-available-s.patch b/patches.suse/udp-fix-integer-overflow-while-computing-available-s.patch new file mode 100644 index 0000000..7eee58b --- /dev/null +++ b/patches.suse/udp-fix-integer-overflow-while-computing-available-s.patch @@ -0,0 +1,37 @@ +From: Antonio Messina +Date: Thu, 19 Dec 2019 15:08:03 +0100 +Subject: udp: fix integer overflow while computing available space in + sk_rcvbuf +Git-commit: feed8a4fc9d46c3126fb9fcae0e9248270c6321a +Patch-mainline: 5.5-rc5 +References: networking-stable-20_01_01 + +When the size of the receive buffer for a socket is close to 2^31 when +computing if we have enough space in the buffer to copy a packet from +the queue to the buffer we might hit an integer overflow. + +When an user set net.core.rmem_default to a value close to 2^31 UDP +packets are dropped because of this overflow. This can be visible, for +instance, with failure to resolve hostnames. + +This can be fixed by casting sk_rcvbuf (which is an int) to unsigned +int, similarly to how it is done in TCP. + +Signed-off-by: Antonio Messina +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/ipv4/udp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1283,7 +1283,7 @@ int __udp_enqueue_schedule_skb(struct so + * queue contains some other skb + */ + rmem = atomic_add_return(size, &sk->sk_rmem_alloc); +- if (rmem > (size + sk->sk_rcvbuf)) ++ if (rmem > (size + (unsigned int)sk->sk_rcvbuf)) + goto uncharge_drop; + + spin_lock(&list->lock); diff --git a/patches.suse/usb-chipidea-host-Disable-port-power-only-if-previou.patch b/patches.suse/usb-chipidea-host-Disable-port-power-only-if-previou.patch new file mode 100644 index 0000000..061fca9 --- /dev/null +++ b/patches.suse/usb-chipidea-host-Disable-port-power-only-if-previou.patch @@ -0,0 +1,82 @@ +From c1ffba305dbcf3fb9ca969c20a97acbddc38f8e9 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 26 Dec 2019 07:57:54 -0800 +Subject: [PATCH] usb: chipidea: host: Disable port power only if previously enabled +Git-commit: c1ffba305dbcf3fb9ca969c20a97acbddc38f8e9 +Patch-mainline: v5.5-rc6 +References: bsc#1051510 + +On shutdown, ehci_power_off() is called unconditionally to power off +each port, even if it was never called to power on the port. +For chipidea, this results in a call to ehci_ci_portpower() with a request +to power off ports even if the port was never powered on. +This results in the following warning from the regulator code. + +Warning: CPU: 0 PID: 182 at drivers/regulator/core.c:2596 _regulator_disable+0x1a8/0x210 +unbalanced disables for usb_otg2_vbus +Modules linked in: +Cpu: 0 PID: 182 Comm: init Not tainted 5.4.6 #1 +Hardware name: Freescale i.MX7 Dual (Device Tree) +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0xe0/0x10c) +[] (dump_stack) from [] (__warn+0xf4/0x10c) +[] (__warn) from [] (warn_slowpath_fmt+0x78/0xbc) +[] (warn_slowpath_fmt) from [] (_regulator_disable+0x1a8/0x210) +[] (_regulator_disable) from [] (regulator_disable+0x38/0xe8) +[] (regulator_disable) from [] (ehci_ci_portpower+0x38/0xdc) +[] (ehci_ci_portpower) from [] (ehci_port_power+0x50/0xa4) +[] (ehci_port_power) from [] (ehci_silence_controller+0x5c/0xc4) +[] (ehci_silence_controller) from [] (ehci_stop+0x3c/0xcc) +[] (ehci_stop) from [] (usb_remove_hcd+0xe0/0x19c) +[] (usb_remove_hcd) from [] (host_stop+0x38/0xa8) +[] (host_stop) from [] (ci_hdrc_remove+0x44/0xe4) +... + +Keeping track of the power enable state avoids the warning and traceback. + +Fixes: c8679a2fb8dec ("usb: chipidea: host: add portpower override") +Cc: Michael Grzeschik +Cc: Peter Chen +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20191226155754.25451-1-linux@roeck-us.net +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/chipidea/host.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c +index b45ceb91c735..48e4a5ca1835 100644 +--- a/drivers/usb/chipidea/host.c ++++ b/drivers/usb/chipidea/host.c +@@ -26,6 +26,7 @@ static int (*orig_bus_suspend)(struct usb_hcd *hcd); + + struct ehci_ci_priv { + struct regulator *reg_vbus; ++ bool enabled; + }; + + static int ehci_ci_portpower(struct usb_hcd *hcd, int portnum, bool enable) +@@ -37,7 +38,7 @@ static int ehci_ci_portpower(struct usb_hcd *hcd, int portnum, bool enable) + int ret = 0; + int port = HCS_N_PORTS(ehci->hcs_params); + +- if (priv->reg_vbus) { ++ if (priv->reg_vbus && enable != priv->enabled) { + if (port > 1) { + dev_warn(dev, + "Not support multi-port regulator control\n"); +@@ -53,6 +54,7 @@ static int ehci_ci_portpower(struct usb_hcd *hcd, int portnum, bool enable) + enable ? "enable" : "disable", ret); + return ret; + } ++ priv->enabled = enable; + } + + if (enable && (ci->platdata->phy_mode == USBPHY_INTERFACE_MODE_HSIC)) { +-- +2.16.4 + diff --git a/patches.suse/usb-core-hub-Improved-device-recognition-on-remote-w.patch b/patches.suse/usb-core-hub-Improved-device-recognition-on-remote-w.patch new file mode 100644 index 0000000..c072c23 --- /dev/null +++ b/patches.suse/usb-core-hub-Improved-device-recognition-on-remote-w.patch @@ -0,0 +1,70 @@ +From 9c06ac4c83df6d6fbdbf7488fbad822b4002ba19 Mon Sep 17 00:00:00 2001 +From: Keiya Nobuta +Date: Thu, 9 Jan 2020 14:14:48 +0900 +Subject: [PATCH] usb: core: hub: Improved device recognition on remote wakeup +Git-commit: 9c06ac4c83df6d6fbdbf7488fbad822b4002ba19 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +If hub_activate() is called before D+ has stabilized after remote +wakeup, the following situation might occur: + + __ ___________________ + / \ / +D+ __/ \__/ + +Hub _______________________________ + | ^ ^ ^ + | | | | +Host _____v__|___|___________|______ + | | | | + | | | \-- Interrupt Transfer (*3) + | | \-- ClearPortFeature (*2) + | \-- GetPortStatus (*1) + \-- Host detects remote wakeup + +- D+ goes high, Host starts running by remote wakeup +- D+ is not stable, goes low +- Host requests GetPortStatus at (*1) and gets the following hub status: + - Current Connect Status bit is 0 + - Connect Status Change bit is 1 +- D+ stabilizes, goes high +- Host requests ClearPortFeature and thus Connect Status Change bit is + cleared at (*2) +- After waiting 100 ms, Host starts the Interrupt Transfer at (*3) +- Since the Connect Status Change bit is 0, Hub returns NAK. + +In this case, port_event() is not called in hub_event() and Host cannot +recognize device. To solve this issue, flag change_bits even if only +Connect Status Change bit is 1 when got in the first GetPortStatus. + +This issue occurs rarely because it only if D+ changes during a very +short time between GetPortStatus and ClearPortFeature. However, it is +fatal if it occurs in embedded system. + +Signed-off-by: Keiya Nobuta +Cc: stable +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20200109051448.28150-1-nobuta.keiya@fujitsu.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/hub.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 8c4e5adbf820..3405b146edc9 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1192,6 +1192,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + * PORT_OVER_CURRENT is not. So check for any of them. + */ + if (udev || (portstatus & USB_PORT_STAT_CONNECTION) || ++ (portchange & USB_PORT_STAT_C_CONNECTION) || + (portstatus & USB_PORT_STAT_OVERCURRENT) || + (portchange & USB_PORT_STAT_C_OVERCURRENT)) + set_bit(port1, hub->change_bits); +-- +2.16.4 + diff --git a/patches.suse/usb-dwc3-turn-off-VBUS-when-leaving-host-mode.patch b/patches.suse/usb-dwc3-turn-off-VBUS-when-leaving-host-mode.patch new file mode 100644 index 0000000..2206031 --- /dev/null +++ b/patches.suse/usb-dwc3-turn-off-VBUS-when-leaving-host-mode.patch @@ -0,0 +1,40 @@ +From 09ed259fac621634d51cd986aa8d65f035662658 Mon Sep 17 00:00:00 2001 +From: Bin Liu +Date: Wed, 11 Dec 2019 10:10:03 -0600 +Subject: [PATCH] usb: dwc3: turn off VBUS when leaving host mode +Git-commit: 09ed259fac621634d51cd986aa8d65f035662658 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +VBUS should be turned off when leaving the host mode. +Set GCTL_PRTCAP to device mode in teardown to de-assert DRVVBUS pin to +turn off VBUS power. + +Fixes: 5f94adfeed97 ("usb: dwc3: core: refactor mode initialization to its own function") +Cc: stable@vger.kernel.org +Signed-off-by: Bin Liu +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/dwc3/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index f561c6c9e8a9..1d85c42b9c67 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1246,6 +1246,9 @@ static void dwc3_core_exit_mode(struct dwc3 *dwc) + /* do nothing */ + break; + } ++ ++ /* de-assert DRVVBUS for HOST and OTG mode */ ++ dwc3_set_prtcap(dwc, DWC3_GCTL_PRTCAP_DEVICE); + } + + static void dwc3_get_properties(struct dwc3 *dwc) +-- +2.16.4 + diff --git a/patches.suse/usb-gadget-Zero-ffs_io_data.patch b/patches.suse/usb-gadget-Zero-ffs_io_data.patch new file mode 100644 index 0000000..06d32eb --- /dev/null +++ b/patches.suse/usb-gadget-Zero-ffs_io_data.patch @@ -0,0 +1,54 @@ +From 508595515f4bcfe36246e4a565cf280937aeaade Mon Sep 17 00:00:00 2001 +From: Andrzej Pietrasiewicz +Date: Mon, 3 Jun 2019 19:05:28 +0200 +Subject: [PATCH] usb: gadget: Zero ffs_io_data +Git-commit: 508595515f4bcfe36246e4a565cf280937aeaade +Patch-mainline: v5.3-rc1 +References: bsc#1051510 + +In some cases the "Allocate & copy" block in ffs_epfile_io() is not +executed. Consequently, in such a case ffs_alloc_buffer() is never called +and struct ffs_io_data is not initialized properly. This in turn leads to +problems when ffs_free_buffer() is called at the end of ffs_epfile_io(). + +This patch uses kzalloc() instead of kmalloc() in the aio case and memset() +in non-aio case to properly initialize struct ffs_io_data. + +Signed-off-by: Andrzej Pietrasiewicz +Signed-off-by: Felipe Balbi +Acked-by: Takashi Iwai + +--- + drivers/usb/gadget/function/f_fs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1101,11 +1101,12 @@ static ssize_t ffs_epfile_write_iter(str + ENTER(); + + if (!is_sync_kiocb(kiocb)) { +- p = kmalloc(sizeof(io_data), GFP_KERNEL); ++ p = kzalloc(sizeof(io_data), GFP_KERNEL); + if (unlikely(!p)) + return -ENOMEM; + p->aio = true; + } else { ++ memset(p, 0, sizeof(*p)); + p->aio = false; + } + +@@ -1137,11 +1138,12 @@ static ssize_t ffs_epfile_read_iter(stru + ENTER(); + + if (!is_sync_kiocb(kiocb)) { +- p = kmalloc(sizeof(io_data), GFP_KERNEL); ++ p = kzalloc(sizeof(io_data), GFP_KERNEL); + if (unlikely(!p)) + return -ENOMEM; + p->aio = true; + } else { ++ memset(p, 0, sizeof(*p)); + p->aio = false; + } + diff --git a/patches.suse/usb-gadget-f_ecm-Use-atomic_t-to-track-in-flight-req.patch b/patches.suse/usb-gadget-f_ecm-Use-atomic_t-to-track-in-flight-req.patch new file mode 100644 index 0000000..c6dd9fa --- /dev/null +++ b/patches.suse/usb-gadget-f_ecm-Use-atomic_t-to-track-in-flight-req.patch @@ -0,0 +1,96 @@ +From d710562e01c48d59be3f60d58b7a85958b39aeda Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 9 Jan 2020 13:17:22 +0000 +Subject: [PATCH] usb: gadget: f_ecm: Use atomic_t to track in-flight request +Git-commit: d710562e01c48d59be3f60d58b7a85958b39aeda +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Currently ecm->notify_req is used to flag when a request is in-flight. +ecm->notify_req is set to NULL and when a request completes it is +subsequently reset. + +This is fundamentally buggy in that the unbind logic of the ECM driver will +unconditionally free ecm->notify_req leading to a NULL pointer dereference. + +Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function") +Cc: stable +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/gadget/function/f_ecm.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c +index 460d5d7c984f..7f5cf488b2b1 100644 +--- a/drivers/usb/gadget/function/f_ecm.c ++++ b/drivers/usb/gadget/function/f_ecm.c +@@ -52,6 +52,7 @@ struct f_ecm { + struct usb_ep *notify; + struct usb_request *notify_req; + u8 notify_state; ++ atomic_t notify_count; + bool is_open; + + /* FIXME is_open needs some irq-ish locking +@@ -380,7 +381,7 @@ static void ecm_do_notify(struct f_ecm *ecm) + int status; + + /* notification already in flight? */ +- if (!req) ++ if (atomic_read(&ecm->notify_count)) + return; + + event = req->buf; +@@ -420,10 +421,10 @@ static void ecm_do_notify(struct f_ecm *ecm) + event->bmRequestType = 0xA1; + event->wIndex = cpu_to_le16(ecm->ctrl_id); + +- ecm->notify_req = NULL; ++ atomic_inc(&ecm->notify_count); + status = usb_ep_queue(ecm->notify, req, GFP_ATOMIC); + if (status < 0) { +- ecm->notify_req = req; ++ atomic_dec(&ecm->notify_count); + DBG(cdev, "notify --> %d\n", status); + } + } +@@ -448,17 +449,19 @@ static void ecm_notify_complete(struct usb_ep *ep, struct usb_request *req) + switch (req->status) { + case 0: + /* no fault */ ++ atomic_dec(&ecm->notify_count); + break; + case -ECONNRESET: + case -ESHUTDOWN: ++ atomic_set(&ecm->notify_count, 0); + ecm->notify_state = ECM_NOTIFY_NONE; + break; + default: + DBG(cdev, "event %02x --> %d\n", + event->bNotificationType, req->status); ++ atomic_dec(&ecm->notify_count); + break; + } +- ecm->notify_req = req; + ecm_do_notify(ecm); + } + +@@ -907,6 +910,11 @@ static void ecm_unbind(struct usb_configuration *c, struct usb_function *f) + + usb_free_all_descriptors(f); + ++ if (atomic_read(&ecm->notify_count)) { ++ usb_ep_dequeue(ecm->notify, ecm->notify_req); ++ atomic_set(&ecm->notify_count, 0); ++ } ++ + kfree(ecm->notify_req->buf); + usb_ep_free_request(ecm->notify, ecm->notify_req); + } +-- +2.16.4 + diff --git a/patches.suse/usb-gadget-f_ncm-Use-atomic_t-to-track-in-flight-req.patch b/patches.suse/usb-gadget-f_ncm-Use-atomic_t-to-track-in-flight-req.patch new file mode 100644 index 0000000..41d4355 --- /dev/null +++ b/patches.suse/usb-gadget-f_ncm-Use-atomic_t-to-track-in-flight-req.patch @@ -0,0 +1,102 @@ +From 5b24c28cfe136597dc3913e1c00b119307a20c7e Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 9 Jan 2020 13:17:21 +0000 +Subject: [PATCH] usb: gadget: f_ncm: Use atomic_t to track in-flight request +Git-commit: 5b24c28cfe136597dc3913e1c00b119307a20c7e +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +Currently ncm->notify_req is used to flag when a request is in-flight. +ncm->notify_req is set to NULL and when a request completes it is +subsequently reset. + +This is fundamentally buggy in that the unbind logic of the NCM driver will +unconditionally free ncm->notify_req leading to a NULL pointer dereference. + +Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility") +Cc: stable +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/gadget/function/f_ncm.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c +index 2d6e76e4cffa..1d900081b1f0 100644 +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -53,6 +53,7 @@ struct f_ncm { + struct usb_ep *notify; + struct usb_request *notify_req; + u8 notify_state; ++ atomic_t notify_count; + bool is_open; + + const struct ndp_parser_opts *parser_opts; +@@ -547,7 +548,7 @@ static void ncm_do_notify(struct f_ncm *ncm) + int status; + + /* notification already in flight? */ +- if (!req) ++ if (atomic_read(&ncm->notify_count)) + return; + + event = req->buf; +@@ -587,7 +588,8 @@ static void ncm_do_notify(struct f_ncm *ncm) + event->bmRequestType = 0xA1; + event->wIndex = cpu_to_le16(ncm->ctrl_id); + +- ncm->notify_req = NULL; ++ atomic_inc(&ncm->notify_count); ++ + /* + * In double buffering if there is a space in FIFO, + * completion callback can be called right after the call, +@@ -597,7 +599,7 @@ static void ncm_do_notify(struct f_ncm *ncm) + status = usb_ep_queue(ncm->notify, req, GFP_ATOMIC); + spin_lock(&ncm->lock); + if (status < 0) { +- ncm->notify_req = req; ++ atomic_dec(&ncm->notify_count); + DBG(cdev, "notify --> %d\n", status); + } + } +@@ -632,17 +634,19 @@ static void ncm_notify_complete(struct usb_ep *ep, struct usb_request *req) + case 0: + VDBG(cdev, "Notification %02x sent\n", + event->bNotificationType); ++ atomic_dec(&ncm->notify_count); + break; + case -ECONNRESET: + case -ESHUTDOWN: ++ atomic_set(&ncm->notify_count, 0); + ncm->notify_state = NCM_NOTIFY_NONE; + break; + default: + DBG(cdev, "event %02x --> %d\n", + event->bNotificationType, req->status); ++ atomic_dec(&ncm->notify_count); + break; + } +- ncm->notify_req = req; + ncm_do_notify(ncm); + spin_unlock(&ncm->lock); + } +@@ -1649,6 +1653,11 @@ static void ncm_unbind(struct usb_configuration *c, struct usb_function *f) + ncm_string_defs[0].id = 0; + usb_free_all_descriptors(f); + ++ if (atomic_read(&ncm->notify_count)) { ++ usb_ep_dequeue(ncm->notify, ncm->notify_req); ++ atomic_set(&ncm->notify_count, 0); ++ } ++ + kfree(ncm->notify_req->buf); + usb_ep_free_request(ncm->notify, ncm->notify_req); + } +-- +2.16.4 + diff --git a/patches.suse/usb-gadget-legacy-set-max_speed-to-super-speed.patch b/patches.suse/usb-gadget-legacy-set-max_speed-to-super-speed.patch new file mode 100644 index 0000000..9b5c117 --- /dev/null +++ b/patches.suse/usb-gadget-legacy-set-max_speed-to-super-speed.patch @@ -0,0 +1,79 @@ +From 463f67aec2837f981b0a0ce8617721ff59685c00 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Mon, 23 Dec 2019 08:47:35 +0200 +Subject: [PATCH] usb: gadget: legacy: set max_speed to super-speed +Git-commit: 463f67aec2837f981b0a0ce8617721ff59685c00 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +These interfaces do support super-speed so let's not +limit maximum speed to high-speed. + +Cc: +Signed-off-by: Roger Quadros +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/gadget/legacy/cdc2.c | 2 +- + drivers/usb/gadget/legacy/g_ffs.c | 2 +- + drivers/usb/gadget/legacy/multi.c | 2 +- + drivers/usb/gadget/legacy/ncm.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/gadget/legacy/cdc2.c b/drivers/usb/gadget/legacy/cdc2.c +index da1c37933ca1..8d7a556ece30 100644 +--- a/drivers/usb/gadget/legacy/cdc2.c ++++ b/drivers/usb/gadget/legacy/cdc2.c +@@ -225,7 +225,7 @@ static struct usb_composite_driver cdc_driver = { + .name = "g_cdc", + .dev = &device_desc, + .strings = dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = cdc_bind, + .unbind = cdc_unbind, + }; +diff --git a/drivers/usb/gadget/legacy/g_ffs.c b/drivers/usb/gadget/legacy/g_ffs.c +index b640ed3fcf70..ae6d8f7092b8 100644 +--- a/drivers/usb/gadget/legacy/g_ffs.c ++++ b/drivers/usb/gadget/legacy/g_ffs.c +@@ -149,7 +149,7 @@ static struct usb_composite_driver gfs_driver = { + .name = DRIVER_NAME, + .dev = &gfs_dev_desc, + .strings = gfs_dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = gfs_bind, + .unbind = gfs_unbind, + }; +diff --git a/drivers/usb/gadget/legacy/multi.c b/drivers/usb/gadget/legacy/multi.c +index 50515f9e1022..ec9749845660 100644 +--- a/drivers/usb/gadget/legacy/multi.c ++++ b/drivers/usb/gadget/legacy/multi.c +@@ -482,7 +482,7 @@ static struct usb_composite_driver multi_driver = { + .name = "g_multi", + .dev = &device_desc, + .strings = dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = multi_bind, + .unbind = multi_unbind, + .needs_serial = 1, +diff --git a/drivers/usb/gadget/legacy/ncm.c b/drivers/usb/gadget/legacy/ncm.c +index 8465f081e921..c61e71ba7045 100644 +--- a/drivers/usb/gadget/legacy/ncm.c ++++ b/drivers/usb/gadget/legacy/ncm.c +@@ -197,7 +197,7 @@ static struct usb_composite_driver ncm_driver = { + .name = "g_ncm", + .dev = &device_desc, + .strings = dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = gncm_bind, + .unbind = gncm_unbind, + }; +-- +2.16.4 + diff --git a/patches.suse/usb-host-xhci-hub-fix-extra-endianness-conversion.patch b/patches.suse/usb-host-xhci-hub-fix-extra-endianness-conversion.patch new file mode 100644 index 0000000..59b3e4a --- /dev/null +++ b/patches.suse/usb-host-xhci-hub-fix-extra-endianness-conversion.patch @@ -0,0 +1,39 @@ +From 6269e4c76eacabaea0d0099200ae1a455768d208 Mon Sep 17 00:00:00 2001 +From: Ruslan Bilovol +Date: Sun, 7 Jul 2019 15:17:19 +0300 +Subject: [PATCH] usb: host: xhci-hub: fix extra endianness conversion +Git-commit: 6269e4c76eacabaea0d0099200ae1a455768d208 +Patch-mainline: v5.4-rc1 +References: bsc#1051510 + +Don't do extra cpu_to_le32 conversion for +put_unaligned_le32 because it is already implemented +in this function. + +Fixes sparse error: +xhci-hub.c:1152:44: warning: incorrect type in argument 1 (different base types) +xhci-hub.c:1152:44: expected unsigned int [usertype] val +xhci-hub.c:1152:44: got restricted __le32 [usertype] + +Fixes: 395f540 "xhci: support new USB 3.1 hub request to get extended port status" +Cc: Mathias Nyman +Signed-off-by: Ruslan Bilovol +Link: https://lore.kernel.org/r/1562501839-26522-1-git-send-email-ruslan.bilovol@gmail.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -1108,7 +1108,7 @@ int xhci_hub_control(struct usb_hcd *hcd + } + port_li = readl(port_array[wIndex] + PORTLI); + status = xhci_get_ext_port_status(temp, port_li); +- put_unaligned_le32(cpu_to_le32(status), &buf[4]); ++ put_unaligned_le32(status, &buf[4]); + } + break; + case SetPortFeature: diff --git a/patches.suse/usb-musb-dma-Correct-parameter-passed-to-IRQ-handler.patch b/patches.suse/usb-musb-dma-Correct-parameter-passed-to-IRQ-handler.patch new file mode 100644 index 0000000..52bcf9d --- /dev/null +++ b/patches.suse/usb-musb-dma-Correct-parameter-passed-to-IRQ-handler.patch @@ -0,0 +1,40 @@ +From c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Mon, 16 Dec 2019 10:18:43 -0600 +Subject: [PATCH] usb: musb: dma: Correct parameter passed to IRQ handler +Git-commit: c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 +Patch-mainline: v5.5-rc6 +References: bsc#1051510 + +The IRQ handler was passed a pointer to a struct dma_controller, but the +argument was then casted to a pointer to a struct musb_dma_controller. + +Fixes: 427c4f333474 ("usb: struct device - replace bus_id with dev_name(), dev_set_name()") +Signed-off-by: Paul Cercueil +Tested-by: Artur Rojek +Cc: stable@vger.kernel.org +Signed-off-by: Bin Liu +Link: https://lore.kernel.org/r/20191216161844.772-2-b-liu@ti.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/musb/musbhsdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/musb/musbhsdma.c b/drivers/usb/musb/musbhsdma.c +index 5fc6825745f2..2d3751d885b4 100644 +--- a/drivers/usb/musb/musbhsdma.c ++++ b/drivers/usb/musb/musbhsdma.c +@@ -425,7 +425,7 @@ struct dma_controller *musbhs_dma_controller_create(struct musb *musb, + controller->controller.channel_abort = dma_channel_abort; + + if (request_irq(irq, dma_controller_irq, 0, +- dev_name(musb->controller), &controller->controller)) { ++ dev_name(musb->controller), controller)) { + dev_err(dev, "request_irq %d failed!\n", irq); + musb_dma_controller_destroy(&controller->controller); + +-- +2.16.4 + diff --git a/patches.suse/usb-musb-fix-idling-for-suspend-after-disconnect-int.patch b/patches.suse/usb-musb-fix-idling-for-suspend-after-disconnect-int.patch new file mode 100644 index 0000000..90f0360 --- /dev/null +++ b/patches.suse/usb-musb-fix-idling-for-suspend-after-disconnect-int.patch @@ -0,0 +1,67 @@ +From 5fbf7a2534703fd71159d3d71504b0ad01b43394 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 7 Jan 2020 09:26:24 -0600 +Subject: [PATCH] usb: musb: fix idling for suspend after disconnect interrupt +Git-commit: 5fbf7a2534703fd71159d3d71504b0ad01b43394 +Patch-mainline: v5.5-rc6 +References: bsc#1051510 + +When disconnected as USB B-device, suspend interrupt should come before +diconnect interrupt, because the DP/DM pins are shorter than the +VBUS/GND pins on the USB connectors. But we sometimes get a suspend +interrupt after disconnect interrupt. In that case we have devctl set to +99 with VBUS still valid and musb_pm_runtime_check_session() wrongly +thinks we have an active session. We have no other interrupts after +disconnect coming in this case at least with the omap2430 glue. + +Let's fix the issue by checking the interrupt status again with +delayed work for the devctl 99 case. In the suspend after disconnect +case the devctl session bit has cleared by then and musb can idle. +For a typical USB B-device connect case we just continue with normal +interrupts. + +Fixes: 467d5c980709 ("usb: musb: Implement session bit based runtime PM for musb-core") + +Cc: Merlijn Wajer +Cc: Pavel Machek +Cc: Sebastian Reichel +Cc: stable@vger.kernel.org +Signed-off-by: Tony Lindgren +Signed-off-by: Bin Liu +Link: https://lore.kernel.org/r/20200107152625.857-2-b-liu@ti.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/musb/musb_core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 15cca912c53e..0096fc303cd4 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -1840,6 +1840,9 @@ ATTRIBUTE_GROUPS(musb); + #define MUSB_QUIRK_B_INVALID_VBUS_91 (MUSB_DEVCTL_BDEVICE | \ + (2 << MUSB_DEVCTL_VBUS_SHIFT) | \ + MUSB_DEVCTL_SESSION) ++#define MUSB_QUIRK_B_DISCONNECT_99 (MUSB_DEVCTL_BDEVICE | \ ++ (3 << MUSB_DEVCTL_VBUS_SHIFT) | \ ++ MUSB_DEVCTL_SESSION) + #define MUSB_QUIRK_A_DISCONNECT_19 ((3 << MUSB_DEVCTL_VBUS_SHIFT) | \ + MUSB_DEVCTL_SESSION) + +@@ -1862,6 +1865,11 @@ static void musb_pm_runtime_check_session(struct musb *musb) + s = MUSB_DEVCTL_FSDEV | MUSB_DEVCTL_LSDEV | + MUSB_DEVCTL_HR; + switch (devctl & ~s) { ++ case MUSB_QUIRK_B_DISCONNECT_99: ++ musb_dbg(musb, "Poll devctl in case of suspend after disconnect\n"); ++ schedule_delayed_work(&musb->irq_work, ++ msecs_to_jiffies(1000)); ++ break; + case MUSB_QUIRK_B_INVALID_VBUS_91: + if (musb->quirk_retries && !musb->flush_irq_work) { + musb_dbg(musb, +-- +2.16.4 + diff --git a/patches.suse/usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch b/patches.suse/usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch new file mode 100644 index 0000000..b483631 --- /dev/null +++ b/patches.suse/usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch @@ -0,0 +1,47 @@ +From bc3bdb12bbb3492067c8719011576370e959a2e6 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Tue, 8 Sep 2015 09:53:38 -0700 +Subject: [PATCH] usb-storage: Disable UAS on JMicron SATA enclosure +Git-commit: bc3bdb12bbb3492067c8719011576370e959a2e6 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +Steve Ellis reported incorrect block sizes and alignement +offsets with a SATA enclosure. Adding a quirk to disable +UAS fixes the problems. + +Reported-by: Steven Ellis +Cc: Pacho Ramos +Signed-off-by: Laura Abbott +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/storage/unusual_uas.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h +index d0bdebd87ce3..1b23741036ee 100644 +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -87,12 +87,15 @@ UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_IGNORE_UAS), + +-/* Reported-by: Takeo Nakayama */ ++/* ++ * Initially Reported-by: Takeo Nakayama ++ * UAS Ignore Reported by Steven Ellis ++ */ + UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999, + "JMicron", + "JMS566", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, +- US_FL_NO_REPORT_OPCODES), ++ US_FL_NO_REPORT_OPCODES | US_FL_IGNORE_UAS), + + /* Reported-by: Hans de Goede */ + UNUSUAL_DEV(0x4971, 0x1012, 0x0000, 0x9999, +-- +2.16.4 + diff --git a/patches.suse/usb-typec-tcpci-mask-event-interrupts-when-remove-dr.patch b/patches.suse/usb-typec-tcpci-mask-event-interrupts-when-remove-dr.patch new file mode 100644 index 0000000..20145ba --- /dev/null +++ b/patches.suse/usb-typec-tcpci-mask-event-interrupts-when-remove-dr.patch @@ -0,0 +1,38 @@ +From 3ba76256fc4e2a0d7fb26cc95459041ea0e88972 Mon Sep 17 00:00:00 2001 +From: Jun Li +Date: Mon, 20 Jan 2020 06:43:19 +0000 +Subject: [PATCH] usb: typec: tcpci: mask event interrupts when remove driver +Git-commit: 3ba76256fc4e2a0d7fb26cc95459041ea0e88972 +Patch-mainline: v5.6-rc1 +References: bsc#1051510 + +This is to prevent any possible events generated while unregister +tpcm port. + +Fixes: 74e656d6b055 ("staging: typec: Type-C Port Controller Interface driver (tcpci)") +Signed-off-by: Li Jun +Reviewed-by: Heikki Krogerus +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/1579502333-4145-1-git-send-email-jun.li@nxp.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/typec/tcpci.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/typec/tcpm/tcpci.c ++++ b/drivers/usb/typec/tcpm/tcpci.c +@@ -491,6 +491,12 @@ static int tcpci_probe(struct i2c_client + static int tcpci_remove(struct i2c_client *client) + { + struct tcpci_chip *chip = i2c_get_clientdata(client); ++ int err; ++ ++ /* Disable chip interrupts before unregistering port */ ++ err = tcpci_write16(chip->tcpci, TCPC_ALERT_MASK, 0); ++ if (err < 0) ++ return err; + + tcpci_unregister_port(chip->tcpci); + diff --git a/patches.suse/vfs-fix-do_last-regression.patch b/patches.suse/vfs-fix-do_last-regression.patch new file mode 100644 index 0000000..39926f2 --- /dev/null +++ b/patches.suse/vfs-fix-do_last-regression.patch @@ -0,0 +1,62 @@ +From 6404674acd596de41fd3ad5f267b4525494a891a Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat Feb 1 16:26:45 2020 +0000 +Subject: [PATCH] vfs: fix do_last() regression +Git-commit: 6404674acd596de41fd3ad5f267b4525494a891a +References: bsc#1162109,CVE-2020-8428 +Patch-mainline: v5.5 + +Brown paperbag time: fetching ->i_uid/->i_mode really should've been +done from nd->inode. I even suggested that, but the reason for that has +slipped through the cracks and I went for dir->d_inode instead - made +for more "obvious" patch. + +Analysis: + + - at the entry into do_last() and all the way to step_into(): dir (aka + nd->path.dentry) is known not to have been freed; so's nd->inode and + it's equal to dir->d_inode unless we are already doomed to -ECHILD. + inode of the file to get opened is not known. + + - after step_into(): inode of the file to get opened is known; dir + might be pointing to freed memory/be negative/etc. + + - at the call of may_create_in_sticky(): guaranteed to be out of RCU + mode; inode of the file to get opened is known and pinned; dir might + be garbage. + +The last was the reason for the original patch. Except that at the +do_last() entry we can be in RCU mode and it is possible that +nd->path.dentry->d_inode has already changed under us. + +In that case we are going to fail with -ECHILD, but we need to be +careful; nd->inode is pointing to valid struct inode and it's the same +as nd->path.dentry->d_inode in "won't fail with -ECHILD" case, so we +should use that. + +Reported-by: "Rantala, Tommi T. (Nokia - FI/Espoo)" +Reported-by: syzbot+190005201ced78a74ad6@syzkaller.appspotmail.com +Wearing-brown-paperbag: Al Viro +Cc: stable@kernel.org +Fixes: d0cb50185ae9 ("do_last(): fetch directory ->i_mode and ->i_uid before it's too late") +Signed-off-by: Al Viro +Signed-off-by: Linus Torvalds +Acked-by: Goldwyn Rodrigues + +--- + fs/namei.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3280,8 +3280,8 @@ + int *opened) + { + struct dentry *dir = nd->path.dentry; +- kuid_t dir_uid = dir->d_inode->i_uid; +- umode_t dir_mode = dir->d_inode->i_mode; ++ kuid_t dir_uid = nd->inode->i_uid; ++ umode_t dir_mode = nd->inode->i_mode; + int open_flag = op->open_flag; + bool will_truncate = (open_flag & O_TRUNC) != 0; + bool got_write = false; diff --git a/patches.suse/vhost-vsock-accept-only-packets-with-the-right-dst_c.patch b/patches.suse/vhost-vsock-accept-only-packets-with-the-right-dst_c.patch new file mode 100644 index 0000000..5c32cdf --- /dev/null +++ b/patches.suse/vhost-vsock-accept-only-packets-with-the-right-dst_c.patch @@ -0,0 +1,33 @@ +From: Stefano Garzarella +Date: Fri, 6 Dec 2019 15:39:12 +0100 +Subject: vhost/vsock: accept only packets with the right dst_cid +Git-commit: 8a3cc29c316c17de590e3ff8b59f3d6cbfd37b0a +Patch-mainline: 5.5-rc1 +References: networking-stable-20_01_01 + +When we receive a new packet from the guest, we check if the +src_cid is correct, but we forgot to check the dst_cid. + +The host should accept only packets where dst_cid is +equal to the host CID. + +Signed-off-by: Stefano Garzarella +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/vhost/vsock.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -396,7 +396,9 @@ static void vhost_vsock_handle_tx_kick(s + virtio_transport_deliver_tap_pkt(pkt); + + /* Only accept correctly addressed packets */ +- if (le64_to_cpu(pkt->hdr.src_cid) == vsock->guest_cid) ++ if (le64_to_cpu(pkt->hdr.src_cid) == vsock->guest_cid && ++ le64_to_cpu(pkt->hdr.dst_cid) == ++ vhost_transport_get_local_cid()) + virtio_transport_recv_pkt(pkt); + else + virtio_transport_free_pkt(pkt); diff --git a/patches.suse/virtio_ring-fix-unmap-of-indirect-descriptors b/patches.suse/virtio_ring-fix-unmap-of-indirect-descriptors new file mode 100644 index 0000000..8c28ab4 --- /dev/null +++ b/patches.suse/virtio_ring-fix-unmap-of-indirect-descriptors @@ -0,0 +1,50 @@ +From: Matthias Lange +Date: Fri, 6 Sep 2019 16:59:01 +0200 +Subject: virtio_ring: fix unmap of indirect descriptors +Git-commit: cf8f1696709ad5bb3138ed8c771c2eb98950cd8a +Patch-mainline: v5.3 +References: bsc#1162171 + +The function virtqueue_add_split() DMA-maps the scatterlist buffers. In +case a mapping error occurs the already mapped buffers must be unmapped. +This happens by jumping to the 'unmap_release' label. + +In case of indirect descriptors the release is wrong and may leak kernel +memory. Because the implementation assumes that the head descriptor is +already mapped it starts iterating over the descriptor list starting +from the head descriptor. However for indirect descriptors the head +descriptor is never mapped in case of an error. + +The fix is to initialize the start index with zero in case of indirect +descriptors and use the 'desc' pointer directly for iterating over the +descriptor chain. + +Signed-off-by: Matthias Lange +Signed-off-by: Michael S. Tsirkin +Acked-by: Joerg Roedel +--- + drivers/virtio/virtio_ring.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -418,13 +418,17 @@ static inline int virtqueue_add(struct v + + unmap_release: + err_idx = i; +- i = head; ++ ++ if (indirect) ++ i = 0; ++ else ++ i = head; + + for (n = 0; n < total_sg; n++) { + if (i == err_idx) + break; + vring_unmap_one(vq, &desc[i]); +- i = virtio16_to_cpu(_vq->vdev, vq->vring.desc[i].next); ++ i = virtio16_to_cpu(_vq->vdev, desc[i].next); + } + + if (indirect) diff --git a/patches.suse/vt-selection-close-sel_buffer-race.patch b/patches.suse/vt-selection-close-sel_buffer-race.patch new file mode 100644 index 0000000..ab51197 --- /dev/null +++ b/patches.suse/vt-selection-close-sel_buffer-race.patch @@ -0,0 +1,153 @@ +From: Jiri Slaby +Date: Mon, 10 Feb 2020 09:11:31 +0100 +Subject: vt: selection, close sel_buffer race +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git#tty-linus +Git-commit: 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 +Patch-mainline: Queued in subsystem maintainer repository +References: bnc#1162928 CVE-2020-8648 + +syzkaller reported this UAF: +BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 +Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184 + +CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +Call Trace: +... + kasan_report+0xe/0x20 mm/kasan/common.c:634 + n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 + tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461 + paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372 + tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044 + vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364 + tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657 + vfs_ioctl fs/ioctl.c:47 [inline] + +It is due to a race between parallel paste_selection (TIOCL_PASTESEL) +and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer, +while the other frees it and reallocates a new one for another +selection. Add a mutex to close this race. + +The mutex takes care properly of sel_buffer and sel_buffer_lth only. The +other selection global variables (like sel_start, sel_end, and sel_cons) +are protected only in set_selection_user. The other functions need quite +some more work to close the races of the variables there. This is going +to happen later. + +This likely fixes (I am unsure as there is no reproducer provided) bug +206361 too. It was marked as CVE-2020-8648. + +Signed-off-by: Jiri Slaby +Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com +References: https://bugzilla.kernel.org/show_bug.cgi?id=206361 +Cc: stable +Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/selection.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/tty/vt/selection.c ++++ b/drivers/tty/vt/selection.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -42,6 +43,7 @@ static volatile int sel_start = -1; /* + static int sel_end; + static int sel_buffer_lth; + static char *sel_buffer; ++static DEFINE_MUTEX(sel_lock); + + /* clear_selection, highlight and highlight_pointer can be called + from interrupt (via scrollback/front) */ +@@ -161,7 +163,7 @@ int set_selection(const struct tiocl_sel + char *bp, *obp; + int i, ps, pe, multiplier; + u16 c; +- int mode; ++ int mode, ret = 0; + + poke_blanked_console(); + +@@ -201,6 +203,7 @@ int set_selection(const struct tiocl_sel + pe = tmp; + } + ++ mutex_lock(&sel_lock); + if (sel_cons != vc_cons[fg_console].d) { + clear_selection(); + sel_cons = vc_cons[fg_console].d; +@@ -246,9 +249,10 @@ int set_selection(const struct tiocl_sel + break; + case TIOCL_SELPOINTER: + highlight_pointer(pe); +- return 0; ++ goto unlock; + default: +- return -EINVAL; ++ ret = -EINVAL; ++ goto unlock; + } + + /* remove the pointer */ +@@ -270,7 +274,7 @@ int set_selection(const struct tiocl_sel + else if (new_sel_start == sel_start) + { + if (new_sel_end == sel_end) /* no action required */ +- return 0; ++ goto unlock; + else if (new_sel_end > sel_end) /* extend to right */ + highlight(sel_end + 2, new_sel_end); + else /* contract from right */ +@@ -297,7 +301,8 @@ int set_selection(const struct tiocl_sel + if (!bp) { + printk(KERN_WARNING "selection: kmalloc() failed\n"); + clear_selection(); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto unlock; + } + kfree(sel_buffer); + sel_buffer = bp; +@@ -322,7 +327,9 @@ int set_selection(const struct tiocl_sel + } + } + sel_buffer_lth = bp - sel_buffer; +- return 0; ++unlock: ++ mutex_unlock(&sel_lock); ++ return ret; + } + + /* Insert the contents of the selection buffer into the +@@ -351,6 +358,7 @@ int paste_selection(struct tty_struct *t + tty_buffer_lock_exclusive(&vc->port); + + add_wait_queue(&vc->paste_wait, &wait); ++ mutex_lock(&sel_lock); + while (sel_buffer && sel_buffer_lth > pasted) { + set_current_state(TASK_INTERRUPTIBLE); + if (signal_pending(current)) { +@@ -358,7 +366,9 @@ int paste_selection(struct tty_struct *t + break; + } + if (tty_throttled(tty)) { ++ mutex_unlock(&sel_lock); + schedule(); ++ mutex_lock(&sel_lock); + continue; + } + __set_current_state(TASK_RUNNING); +@@ -367,6 +377,7 @@ int paste_selection(struct tty_struct *t + count); + pasted += count; + } ++ mutex_unlock(&sel_lock); + remove_wait_queue(&vc->paste_wait, &wait); + __set_current_state(TASK_RUNNING); + diff --git a/patches.suse/vt-selection-handle-pending-signals-in-paste_selecti.patch b/patches.suse/vt-selection-handle-pending-signals-in-paste_selecti.patch new file mode 100644 index 0000000..a2ebabd --- /dev/null +++ b/patches.suse/vt-selection-handle-pending-signals-in-paste_selecti.patch @@ -0,0 +1,70 @@ +From: Jiri Slaby +Date: Mon, 10 Feb 2020 09:11:30 +0100 +Subject: vt: selection, handle pending signals in paste_selection +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git#tty-linus +Git-commit: 687bff0cd08f790d540cfb7b2349f0d876cdddec +Patch-mainline: Queued in subsystem maintainer repository +References: bnc#1162928 CVE-2020-8648 + +When pasting a selection to a vt, the task is set as INTERRUPTIBLE while +waiting for a tty to unthrottle. But signals are not handled at all. +Normally, this is not a problem as tty_ldisc_receive_buf receives all +the goods and a user has no reason to interrupt the task. + +There are two scenarios where this matters: +1) when the tty is throttled and a signal is sent to the process, it + spins on a CPU until the tty is unthrottled. schedule() does not + really echedule, but returns immediately, of course. +2) when the sel_buffer becomes invalid, KASAN prevents any reads from it + and the loop simply does not proceed and spins forever (causing the + tty to throttle, but the code never sleeps, the same as above). This + sometimes happens as there is a race in the sel_buffer handling code. + +So add signal handling to this ioctl (TIOCL_PASTESEL) and return -EINTR +in case a signal is pending. + +Signed-off-by: Jiri Slaby +Cc: stable +Link: https://lore.kernel.org/r/20200210081131.23572-1-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/selection.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/tty/vt/selection.c ++++ b/drivers/tty/vt/selection.c +@@ -26,6 +26,8 @@ + #include + #include + ++#include ++ + /* Don't take this from : 011-015 on the screen aren't spaces */ + #define isspace(c) ((c) == ' ') + +@@ -337,6 +339,7 @@ int paste_selection(struct tty_struct *t + unsigned int count; + struct tty_ldisc *ld; + DECLARE_WAITQUEUE(wait, current); ++ int ret = 0; + + console_lock(); + poke_blanked_console(); +@@ -350,6 +353,10 @@ int paste_selection(struct tty_struct *t + add_wait_queue(&vc->paste_wait, &wait); + while (sel_buffer && sel_buffer_lth > pasted) { + set_current_state(TASK_INTERRUPTIBLE); ++ if (signal_pending(current)) { ++ ret = -EINTR; ++ break; ++ } + if (tty_throttled(tty)) { + schedule(); + continue; +@@ -365,5 +372,5 @@ int paste_selection(struct tty_struct *t + + tty_buffer_unlock_exclusive(&vc->port); + tty_ldisc_deref(ld); +- return 0; ++ return ret; + } diff --git a/patches.suse/watchdog-max77620_wdt-fix-potential-build-errors.patch b/patches.suse/watchdog-max77620_wdt-fix-potential-build-errors.patch new file mode 100644 index 0000000..cec551d --- /dev/null +++ b/patches.suse/watchdog-max77620_wdt-fix-potential-build-errors.patch @@ -0,0 +1,37 @@ +From da9e3f4e30a53cd420cf1e6961c3b4110f0f21f0 Mon Sep 17 00:00:00 2001 +From: David Engraf +Date: Wed, 27 Nov 2019 09:46:17 +0100 +Subject: [PATCH] watchdog: max77620_wdt: fix potential build errors +Git-commit: da9e3f4e30a53cd420cf1e6961c3b4110f0f21f0 +Patch-mainline: v5.5-rc6 +References: bsc#1051510 + +max77620_wdt uses watchdog core functions. Enable CONFIG_WATCHDOG_CORE +to fix potential build errors. + +Signed-off-by: David Engraf +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20191127084617.16937-1-david.engraf@sysgo.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Acked-by: Takashi Iwai + +--- + drivers/watchdog/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/Kconfig b/drivers/watchdog/Kconfig +index 1679e0dc869b..2e5e52d7ee8f 100644 +--- a/drivers/watchdog/Kconfig ++++ b/drivers/watchdog/Kconfig +@@ -687,6 +687,7 @@ config MAX63XX_WATCHDOG + config MAX77620_WATCHDOG + tristate "Maxim Max77620 Watchdog Timer" + depends on MFD_MAX77620 || COMPILE_TEST ++ select WATCHDOG_CORE + help + This is the driver for the Max77620 watchdog timer. + Say 'Y' here to enable the watchdog timer support for +-- +2.16.4 + diff --git a/patches.suse/watchdog-rn5t618_wdt-fix-module-aliases.patch b/patches.suse/watchdog-rn5t618_wdt-fix-module-aliases.patch new file mode 100644 index 0000000..053c83a --- /dev/null +++ b/patches.suse/watchdog-rn5t618_wdt-fix-module-aliases.patch @@ -0,0 +1,37 @@ +From a76dfb859cd42df6e3d1910659128ffcd2fb6ba2 Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Fri, 13 Dec 2019 22:48:02 +0100 +Subject: [PATCH] watchdog: rn5t618_wdt: fix module aliases +Git-commit: a76dfb859cd42df6e3d1910659128ffcd2fb6ba2 +Patch-mainline: v5.5-rc6 +References: bsc#1051510 + +Platform device aliases were missing so module autoloading +did not work. + +Signed-off-by: Andreas Kemnade +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20191213214802.22268-1-andreas@kemnade.info +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Acked-by: Takashi Iwai + +--- + drivers/watchdog/rn5t618_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/rn5t618_wdt.c b/drivers/watchdog/rn5t618_wdt.c +index 234876047431..6e524c8e26a8 100644 +--- a/drivers/watchdog/rn5t618_wdt.c ++++ b/drivers/watchdog/rn5t618_wdt.c +@@ -188,6 +188,7 @@ static struct platform_driver rn5t618_wdt_driver = { + + module_platform_driver(rn5t618_wdt_driver); + ++MODULE_ALIAS("platform:rn5t618-wdt"); + MODULE_AUTHOR("Beniamino Galvani "); + MODULE_DESCRIPTION("RN5T618 watchdog driver"); + MODULE_LICENSE("GPL v2"); +-- +2.16.4 + diff --git a/patches.suse/watchdog-wdat_wdt-fix-get_timeleft-call-for-wdat_wdt.patch b/patches.suse/watchdog-wdat_wdt-fix-get_timeleft-call-for-wdat_wdt.patch new file mode 100644 index 0000000..06d7587 --- /dev/null +++ b/patches.suse/watchdog-wdat_wdt-fix-get_timeleft-call-for-wdat_wdt.patch @@ -0,0 +1,33 @@ +From: Bryan Tan +Date: Wed, 10 Apr 2019 12:49:33 +0000 +Subject: watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt +Patch-mainline: v5.2 +Git-commit: 0a48f239bfce525f4b7de0952aadce89ac2c2689 +References: bsc#1162557 + +The get_timeleft call for wdat_wdt was using ACPI_WDAT_GET_COUNTDOWN +when running an action on the device, which would return the configured +countdown, instead of ACPI_WDAT_GET_CURRENT_COUNTDOWN, which returns the +time left before the watchdog will fire. This change corrects that. + +Signed-off-by: Bryan Tan +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Acked-by: Jean Delvare + +--- + drivers/watchdog/wdat_wdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/watchdog/wdat_wdt.c ++++ b/drivers/watchdog/wdat_wdt.c +@@ -287,7 +287,7 @@ static unsigned int wdat_wdt_get_timelef + struct wdat_wdt *wdat = to_wdat_wdt(wdd); + u32 periods = 0; + +- wdat_wdt_run_action(wdat, ACPI_WDAT_GET_COUNTDOWN, 0, &periods); ++ wdat_wdt_run_action(wdat, ACPI_WDAT_GET_CURRENT_COUNTDOWN, 0, &periods); + return periods * wdat->period / 1000; + } + diff --git a/patches.suse/wireless-fix-enabling-channel-12-for-custom-regulato.patch b/patches.suse/wireless-fix-enabling-channel-12-for-custom-regulato.patch new file mode 100644 index 0000000..3552f36 --- /dev/null +++ b/patches.suse/wireless-fix-enabling-channel-12-for-custom-regulato.patch @@ -0,0 +1,66 @@ +From c4b9d655e445a8be0bff624aedea190606b5ebbc Mon Sep 17 00:00:00 2001 +From: Ganapathi Bhat +Date: Fri, 20 Dec 2019 10:14:32 +0000 +Subject: [PATCH] wireless: fix enabling channel 12 for custom regulatory domain +Git-commit: c4b9d655e445a8be0bff624aedea190606b5ebbc +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +Commit e33e2241e272 ("Revert "cfg80211: Use 5MHz bandwidth by +default when checking usable channels"") fixed a broken +regulatory (leaving channel 12 open for AP where not permitted). +Apply a similar fix to custom regulatory domain processing. + +Signed-off-by: Cathy Luo +Signed-off-by: Ganapathi Bhat +Link: https://lore.kernel.org/r/1576836859-8945-1-git-send-email-ganapathi.bhat@nxp.com +[reword commit message, fix coding style, add a comment] + +Signed-off-by: Johannes Berg +Acked-by: Takashi Iwai + +--- + net/wireless/reg.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 446c76d44e65..3c2070040277 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2261,14 +2261,15 @@ static void update_all_wiphy_regulatory(enum nl80211_reg_initiator initiator) + + static void handle_channel_custom(struct wiphy *wiphy, + struct ieee80211_channel *chan, +- const struct ieee80211_regdomain *regd) ++ const struct ieee80211_regdomain *regd, ++ u32 min_bw) + { + u32 bw_flags = 0; + const struct ieee80211_reg_rule *reg_rule = NULL; + const struct ieee80211_power_rule *power_rule = NULL; + u32 bw; + +- for (bw = MHZ_TO_KHZ(20); bw >= MHZ_TO_KHZ(5); bw = bw / 2) { ++ for (bw = MHZ_TO_KHZ(20); bw >= min_bw; bw = bw / 2) { + reg_rule = freq_reg_info_regd(MHZ_TO_KHZ(chan->center_freq), + regd, bw); + if (!IS_ERR(reg_rule)) +@@ -2324,8 +2325,14 @@ static void handle_band_custom(struct wiphy *wiphy, + if (!sband) + return; + ++ /* ++ * We currently assume that you always want at least 20 MHz, ++ * otherwise channel 12 might get enabled if this rule is ++ * compatible to US, which permits 2402 - 2472 MHz. ++ */ + for (i = 0; i < sband->n_channels; i++) +- handle_channel_custom(wiphy, &sband->channels[i], regd); ++ handle_channel_custom(wiphy, &sband->channels[i], regd, ++ MHZ_TO_KHZ(20)); + } + + /* Used by drivers prior to wiphy registration */ +-- +2.16.4 + diff --git a/patches.suse/wireless-wext-avoid-gcc-O3-warning.patch b/patches.suse/wireless-wext-avoid-gcc-O3-warning.patch new file mode 100644 index 0000000..b598eb7 --- /dev/null +++ b/patches.suse/wireless-wext-avoid-gcc-O3-warning.patch @@ -0,0 +1,56 @@ +From e16119655c9e6c4aa5767cd971baa9c491f41b13 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 7 Jan 2020 21:07:35 +0100 +Subject: [PATCH] wireless: wext: avoid gcc -O3 warning +Git-commit: e16119655c9e6c4aa5767cd971baa9c491f41b13 +Patch-mainline: v5.5-rc7 +References: bsc#1051510 + +After the introduction of CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3, +the wext code produces a bogus warning: + +In function 'iw_handler_get_iwstats', + inlined from 'ioctl_standard_call' at net/wireless/wext-core.c:1015:9, + inlined from 'wireless_process_ioctl' at net/wireless/wext-core.c:935:10, + inlined from 'wext_ioctl_dispatch.part.8' at net/wireless/wext-core.c:986:8, + inlined from 'wext_handle_ioctl': +net/wireless/wext-core.c:671:3: error: argument 1 null where non-null expected [-Werror=nonnull] + memcpy(extra, stats, sizeof(struct iw_statistics)); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from arch/x86/include/asm/string.h:5, +Net/wireless/wext-core.c: In function 'wext_handle_ioctl': +arch/x86/include/asm/string_64.h:14:14: note: in a call to function 'memcpy' declared here + +The problem is that ioctl_standard_call() sometimes calls the handler +with a NULL argument that would cause a problem for iw_handler_get_iwstats. +However, iw_handler_get_iwstats never actually gets called that way. + +Marking that function as noinline avoids the warning and leads +to slightly smaller object code as well. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20200107200741.3588770-1-arnd@arndb.de +Signed-off-by: Johannes Berg +Acked-by: Takashi Iwai + +--- + net/wireless/wext-core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index 5e677dac2a0c..69102fda9ebd 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -657,7 +657,8 @@ struct iw_statistics *get_wireless_stats(struct net_device *dev) + return NULL; + } + +-static int iw_handler_get_iwstats(struct net_device * dev, ++/* noinline to avoid a bogus warning with -O3 */ ++static noinline int iw_handler_get_iwstats(struct net_device * dev, + struct iw_request_info * info, + union iwreq_data * wrqu, + char * extra) +-- +2.16.4 + diff --git a/patches.suse/x86-amd_nb-Add-PCI-device-IDs-for-family-17h-model-7.patch b/patches.suse/x86-amd_nb-Add-PCI-device-IDs-for-family-17h-model-7.patch new file mode 100644 index 0000000..987132b --- /dev/null +++ b/patches.suse/x86-amd_nb-Add-PCI-device-IDs-for-family-17h-model-7.patch @@ -0,0 +1,97 @@ +From af4e1c5eca95bed1192d8dc45c8ed63aea2209e8 Mon Sep 17 00:00:00 2001 +From: Marcel Bocu +Date: Mon, 22 Jul 2019 20:45:10 +0300 +Subject: [PATCH] x86/amd_nb: Add PCI device IDs for family 17h, model 70h +Git-commit: af4e1c5eca95bed1192d8dc45c8ed63aea2209e8 +Patch-mainline: v5.4-rc1 +References: bsc#1163206 + +The AMD Ryzen gen 3 processors came with a different PCI IDs for the +function 3 & 4 which are used to access the SMN interface. The root +PCI address however remained at the same address as the model 30h. + +Adding the F3/F4 PCI IDs respectively to the misc and link ids appear +to be sufficient for k10temp, so let's add them and follow up on the +patch if other functions need more tweaking. + +Vicki Pfau sent an identical patch after I checked that no-one had +written this patch. I would have been happy about dropping my patch but +unlike for his patch series, I had already Cc:ed the x86 people and +they already reviewed the changes. Since Vicki has not answered to +any email after his initial series, let's assume she is on vacation +and let's avoid duplication of reviews from the maintainers and merge +my series. To acknowledge Vicki's anteriority, I added her S-o-b to +the patch. + +v2, suggested by Guenter Roeck and Brian Woods: + - rename from 71h to 70h + +Signed-off-by: Vicki Pfau +Signed-off-by: Marcel Bocu +Tested-by: Marcel Bocu +Acked-by: Thomas Gleixner +Acked-by: Brian Woods +Acked-by: Bjorn Helgaas # pci_ids.h + +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: x86@kernel.org +Cc: "Woods, Brian" +Cc: Clemens Ladisch +Cc: Jean Delvare +Cc: Guenter Roeck +Cc: linux-hwmon@vger.kernel.org +Link: https://lore.kernel.org/r/20190722174510.2179-1-marcel.p.bocu@gmail.com +Signed-off-by: Guenter Roeck +Acked-by: Takashi Iwai + +--- + arch/x86/kernel/amd_nb.c | 3 +++ + include/linux/pci_ids.h | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c +index d63e63b7d1d9..251c795b4eb3 100644 +--- a/arch/x86/kernel/amd_nb.c ++++ b/arch/x86/kernel/amd_nb.c +@@ -21,6 +21,7 @@ + #define PCI_DEVICE_ID_AMD_17H_DF_F4 0x1464 + #define PCI_DEVICE_ID_AMD_17H_M10H_DF_F4 0x15ec + #define PCI_DEVICE_ID_AMD_17H_M30H_DF_F4 0x1494 ++#define PCI_DEVICE_ID_AMD_17H_M70H_DF_F4 0x1444 + + /* Protect the PCI config register pairs used for SMN and DF indirect access. */ + static DEFINE_MUTEX(smn_mutex); +@@ -50,6 +51,7 @@ const struct pci_device_id amd_nb_misc_ids[] = { + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_M10H_DF_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_M30H_DF_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CNB17H_F3) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_M70H_DF_F3) }, + {} + }; + EXPORT_SYMBOL_GPL(amd_nb_misc_ids); +@@ -63,6 +65,7 @@ static const struct pci_device_id amd_nb_link_ids[] = { + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F4) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_M10H_DF_F4) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_M30H_DF_F4) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_M70H_DF_F4) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CNB17H_F4) }, + {} + }; +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index c842735a4f45..4b97f427cc92 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -548,6 +548,7 @@ + #define PCI_DEVICE_ID_AMD_17H_DF_F3 0x1463 + #define PCI_DEVICE_ID_AMD_17H_M10H_DF_F3 0x15eb + #define PCI_DEVICE_ID_AMD_17H_M30H_DF_F3 0x1493 ++#define PCI_DEVICE_ID_AMD_17H_M70H_DF_F3 0x1443 + #define PCI_DEVICE_ID_AMD_CNB17H_F3 0x1703 + #define PCI_DEVICE_ID_AMD_LANCE 0x2000 + #define PCI_DEVICE_ID_AMD_LANCE_HOME 0x2001 +-- +2.16.4 + diff --git a/patches.suse/x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl_cpuid_clear b/patches.suse/x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl_cpuid_clear new file mode 100644 index 0000000..b152a6b --- /dev/null +++ b/patches.suse/x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl_cpuid_clear @@ -0,0 +1,64 @@ +From: Pawan Gupta +Date: Fri, 10 Jan 2020 14:50:54 -0800 +Subject: x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR +Git-commit: 5efc6fa9044c3356d6046c6e1da6d02572dbed6b +Patch-mainline: v5.6-rc1 +References: bsc#1162619 + +/proc/cpuinfo currently reports Hardware Lock Elision (HLE) feature to +be present on boot cpu even if it was disabled during the bootup. This +is because cpuinfo_x86->x86_capability HLE bit is not updated after TSX +state is changed via the new MSR IA32_TSX_CTRL. + +Update the cached HLE bit also since it is expected to change after an +update to CPUID_CLEAR bit in MSR IA32_TSX_CTRL. + +Fixes: 95c5824f75f3 ("x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default") +Signed-off-by: Pawan Gupta +Signed-off-by: Thomas Gleixner +Tested-by: Neelima Krishnan +Reviewed-by: Dave Hansen +Reviewed-by: Josh Poimboeuf +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/2529b99546294c893dfa1c89e2b3e46da3369a59.1578685425.git.pawan.kumar.gupta@linux.intel.com + +Acked-by: Joerg Roedel +--- + arch/x86/kernel/cpu/tsx.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c +index 3e20d322bc98..032509adf9de 100644 +--- a/arch/x86/kernel/cpu/tsx.c ++++ b/arch/x86/kernel/cpu/tsx.c +@@ -115,11 +115,12 @@ void __init tsx_init(void) + tsx_disable(); + + /* +- * tsx_disable() will change the state of the +- * RTM CPUID bit. Clear it here since it is now +- * expected to be not set. ++ * tsx_disable() will change the state of the RTM and HLE CPUID ++ * bits. Clear them here since they are now expected to be not ++ * set. + */ + setup_clear_cpu_cap(X86_FEATURE_RTM); ++ setup_clear_cpu_cap(X86_FEATURE_HLE); + } else if (tsx_ctrl_state == TSX_CTRL_ENABLE) { + + /* +@@ -131,10 +132,10 @@ void __init tsx_init(void) + tsx_enable(); + + /* +- * tsx_enable() will change the state of the +- * RTM CPUID bit. Force it here since it is now +- * expected to be set. ++ * tsx_enable() will change the state of the RTM and HLE CPUID ++ * bits. Force them here since they are now expected to be set. + */ + setup_force_cpu_cap(X86_FEATURE_RTM); ++ setup_force_cpu_cap(X86_FEATURE_HLE); + } + } + diff --git a/patches.suse/x86-resctrl-check-monitoring-static-key-in-the-mbm-overflow-handler.patch b/patches.suse/x86-resctrl-check-monitoring-static-key-in-the-mbm-overflow-handler.patch new file mode 100644 index 0000000..4b5cccc --- /dev/null +++ b/patches.suse/x86-resctrl-check-monitoring-static-key-in-the-mbm-overflow-handler.patch @@ -0,0 +1,62 @@ +From: Xiaochen Shen +Date: Thu, 12 Dec 2019 04:05:05 +0800 +Subject: x86/resctrl: Check monitoring static key in the MBM overflow handler +Git-commit: 536a0d8e79fb928f2735db37dda95682b6754f9a +Patch-mainline: v5.6-rc1 +References: bsc#1114279 + +Currently, there are three static keys in the resctrl file system: +rdt_mon_enable_key and rdt_alloc_enable_key indicate if the monitoring +feature and the allocation feature are enabled, respectively. The +rdt_enable_key is enabled when either the monitoring feature or the +allocation feature is enabled. + +If no monitoring feature is present (either hardware doesn't support a +monitoring feature or the feature is disabled by the kernel command line +option "rdt="), rdt_enable_key is still enabled but rdt_mon_enable_key +is disabled. + +MBM is a monitoring feature. The MBM overflow handler intends to +check if the monitoring feature is not enabled for fast return. + +So check the rdt_mon_enable_key in it instead of the rdt_enable_key as +former is the more accurate check. + + [ bp: Massage commit message. ] + +Fixes: e33026831bdb ("x86/intel_rdt/mbm: Handle counter overflow") +Signed-off-by: Xiaochen Shen +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/1576094705-13660-1-git-send-email-xiaochen.shen@intel.com +--- + arch/x86/kernel/cpu/intel_rdt_monitor.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/resctrl/monitor.c ++++ b/arch/x86/kernel/cpu/resctrl/monitor.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include "internal.h" + + struct rmid_entry { +@@ -525,7 +526,7 @@ void mbm_handle_overflow(struct work_str + + mutex_lock(&rdtgroup_mutex); + +- if (!static_branch_likely(&rdt_enable_key)) ++ if (!static_branch_likely(&rdt_mon_enable_key)) + goto out_unlock; + + d = get_domain_from_cpu(cpu, &rdt_resources_all[RDT_RESOURCE_L3]); +@@ -554,7 +555,7 @@ void mbm_setup_overflow_handler(struct r + unsigned long delay = msecs_to_jiffies(delay_ms); + int cpu; + +- if (!static_branch_likely(&rdt_enable_key)) ++ if (!static_branch_likely(&rdt_mon_enable_key)) + return; + cpu = cpumask_any(&dom->cpu_mask); + dom->mbm_work_cpu = cpu; diff --git a/patches.suse/x86-resctrl-fix-a-deadlock-due-to-inaccurate-reference.patch b/patches.suse/x86-resctrl-fix-a-deadlock-due-to-inaccurate-reference.patch new file mode 100644 index 0000000..c80b5e2 --- /dev/null +++ b/patches.suse/x86-resctrl-fix-a-deadlock-due-to-inaccurate-reference.patch @@ -0,0 +1,213 @@ +From: Xiaochen Shen +Date: Thu, 9 Jan 2020 00:28:05 +0800 +Subject: x86/resctrl: Fix a deadlock due to inaccurate reference +Git-commit: 334b0f4e9b1b4a1d475f803419d202f6c5e4d18e +Patch-mainline: v5.6-rc1 +References: bsc#1112178 + +There is a race condition which results in a deadlock when rmdir and +mkdir execute concurrently: + +$ ls /sys/fs/resctrl/c1/mon_groups/m1/ +cpus cpus_list mon_data tasks + +Thread 1: rmdir /sys/fs/resctrl/c1 +Thread 2: mkdir /sys/fs/resctrl/c1/mon_groups/m1 + +3 locks held by mkdir/48649: + #0: (sb_writers#17){.+.+}, at: [] mnt_want_write+0x20/0x50 + #1: (&type->i_mutex_dir_key#8/1){+.+.}, at: [] filename_create+0x7b/0x170 + #2: (rdtgroup_mutex){+.+.}, at: [] rdtgroup_kn_lock_live+0x3d/0x70 + +4 locks held by rmdir/48652: + #0: (sb_writers#17){.+.+}, at: [] mnt_want_write+0x20/0x50 + #1: (&type->i_mutex_dir_key#8/1){+.+.}, at: [] do_rmdir+0x13f/0x1e0 + #2: (&type->i_mutex_dir_key#8){++++}, at: [] vfs_rmdir+0x4d/0x120 + #3: (rdtgroup_mutex){+.+.}, at: [] rdtgroup_kn_lock_live+0x3d/0x70 + +Thread 1 is deleting control group "c1". Holding rdtgroup_mutex, +kernfs_remove() removes all kernfs nodes under directory "c1" +recursively, then waits for sub kernfs node "mon_groups" to drop active +reference. + +Thread 2 is trying to create a subdirectory "m1" in the "mon_groups" +directory. The wrapper kernfs_iop_mkdir() takes an active reference to +the "mon_groups" directory but the code drops the active reference to +the parent directory "c1" instead. + +As a result, Thread 1 is blocked on waiting for active reference to drop +and never release rdtgroup_mutex, while Thread 2 is also blocked on +trying to get rdtgroup_mutex. + +Thread 1 (rdtgroup_rmdir) Thread 2 (rdtgroup_mkdir) +(rmdir /sys/fs/resctrl/c1) (mkdir /sys/fs/resctrl/c1/mon_groups/m1) +------------------------- ------------------------- + kernfs_iop_mkdir + /* + * kn: "m1", parent_kn: "mon_groups", + * prgrp_kn: parent_kn->parent: "c1", + * + * "mon_groups", parent_kn->active++: 1 + */ + kernfs_get_active(parent_kn) +kernfs_iop_rmdir + /* "c1", kn->active++ */ + kernfs_get_active(kn) + + rdtgroup_kn_lock_live + atomic_inc(&rdtgrp->waitcount) + /* "c1", kn->active-- */ + kernfs_break_active_protection(kn) + mutex_lock + + rdtgroup_rmdir_ctrl + free_all_child_rdtgrp + sentry->flags = RDT_DELETED + + rdtgroup_ctrl_remove + rdtgrp->flags = RDT_DELETED + kernfs_get(kn) + kernfs_remove(rdtgrp->kn) + __kernfs_remove + /* "mon_groups", sub_kn */ + atomic_add(KN_DEACTIVATED_BIAS, &sub_kn->active) + kernfs_drain(sub_kn) + /* + * sub_kn->active == KN_DEACTIVATED_BIAS + 1, + * waiting on sub_kn->active to drop, but it + * never drops in Thread 2 which is blocked + * on getting rdtgroup_mutex. + */ +Thread 1 hangs here ----> + wait_event(sub_kn->active == KN_DEACTIVATED_BIAS) + ... + rdtgroup_mkdir + rdtgroup_mkdir_mon(parent_kn, prgrp_kn) + mkdir_rdt_prepare(parent_kn, prgrp_kn) + rdtgroup_kn_lock_live(prgrp_kn) + atomic_inc(&rdtgrp->waitcount) + /* + * "c1", prgrp_kn->active-- + * + * The active reference on "c1" is + * dropped, but not matching the + * actual active reference taken + * on "mon_groups", thus causing + * Thread 1 to wait forever while + * holding rdtgroup_mutex. + */ + kernfs_break_active_protection( + prgrp_kn) + /* + * Trying to get rdtgroup_mutex + * which is held by Thread 1. + */ +Thread 2 hangs here ----> mutex_lock + ... + +The problem is that the creation of a subdirectory in the "mon_groups" +directory incorrectly releases the active protection of its parent +directory instead of itself before it starts waiting for rdtgroup_mutex. +This is triggered by the rdtgroup_mkdir() flow calling +rdtgroup_kn_lock_live()/rdtgroup_kn_unlock() with kernfs node of the +parent control group ("c1") as argument. It should be called with kernfs +node "mon_groups" instead. What is currently missing is that the +kn->priv of "mon_groups" is NULL instead of pointing to the rdtgrp. + +Fix it by pointing kn->priv to rdtgrp when "mon_groups" is created. Then +it could be passed to rdtgroup_kn_lock_live()/rdtgroup_kn_unlock() +instead. And then it operates on the same rdtgroup structure but handles +the active reference of kernfs node "mon_groups" to prevent deadlock. +The same changes are also made to the "mon_data" directories. + +This results in some unused function parameters that will be cleaned up +in follow-up patch as the focus here is on the fix only in support of +backporting efforts. + +Fixes: c7d9aac61311 ("x86/intel_rdt/cqm: Add mkdir support for RDT monitoring") +Suggested-by: Reinette Chatre +Signed-off-by: Xiaochen Shen +Signed-off-by: Borislav Petkov +Reviewed-by: Reinette Chatre +Reviewed-by: Tony Luck +Acked-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1578500886-21771-4-git-send-email-xiaochen.shen@intel.com +--- + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -2005,7 +2005,7 @@ static struct dentry *rdt_mount(struct f + + if (rdt_mon_capable) { + ret = mongroup_create_dir(rdtgroup_default.kn, +- NULL, "mon_groups", ++ &rdtgroup_default, "mon_groups", + &kn_mongrp); + if (ret) { + dentry = ERR_PTR(ret); +@@ -2414,7 +2414,7 @@ static int mkdir_mondata_all(struct kern + /* + * Create the mon_data directory first. + */ +- ret = mongroup_create_dir(parent_kn, NULL, "mon_data", &kn); ++ ret = mongroup_create_dir(parent_kn, prgrp, "mon_data", &kn); + if (ret) + return ret; + +@@ -2613,7 +2613,7 @@ static int mkdir_rdt_prepare(struct kern + uint files = 0; + int ret; + +- prdtgrp = rdtgroup_kn_lock_live(prgrp_kn); ++ prdtgrp = rdtgroup_kn_lock_live(parent_kn); + if (!prdtgrp) { + ret = -ENODEV; + goto out_unlock; +@@ -2686,7 +2686,7 @@ static int mkdir_rdt_prepare(struct kern + kernfs_activate(kn); + + /* +- * The caller unlocks the prgrp_kn upon success. ++ * The caller unlocks the parent_kn upon success. + */ + return 0; + +@@ -2697,7 +2697,7 @@ out_destroy: + out_free_rgrp: + kfree(rdtgrp); + out_unlock: +- rdtgroup_kn_unlock(prgrp_kn); ++ rdtgroup_kn_unlock(parent_kn); + return ret; + } + +@@ -2735,7 +2735,7 @@ static int rdtgroup_mkdir_mon(struct ker + */ + list_add_tail(&rdtgrp->mon.crdtgrp_list, &prgrp->mon.crdtgrp_list); + +- rdtgroup_kn_unlock(prgrp_kn); ++ rdtgroup_kn_unlock(parent_kn); + return ret; + } + +@@ -2778,7 +2778,7 @@ static int rdtgroup_mkdir_ctrl_mon(struc + * Create an empty mon_groups directory to hold the subset + * of tasks and cpus to monitor. + */ +- ret = mongroup_create_dir(kn, NULL, "mon_groups", NULL); ++ ret = mongroup_create_dir(kn, rdtgrp, "mon_groups", NULL); + if (ret) { + rdt_last_cmd_puts("kernfs subdir error\n"); + goto out_del_list; +@@ -2794,7 +2794,7 @@ out_id_free: + out_common_fail: + mkdir_rdt_prepare_clean(rdtgrp); + out_unlock: +- rdtgroup_kn_unlock(prgrp_kn); ++ rdtgroup_kn_unlock(parent_kn); + return ret; + } + diff --git a/patches.suse/x86-resctrl-fix-use-after-free-due-to-inaccurate-refcount-of-rdtgroup.patch b/patches.suse/x86-resctrl-fix-use-after-free-due-to-inaccurate-refcount-of-rdtgroup.patch new file mode 100644 index 0000000..dae2bfd --- /dev/null +++ b/patches.suse/x86-resctrl-fix-use-after-free-due-to-inaccurate-refcount-of-rdtgroup.patch @@ -0,0 +1,121 @@ +From: Xiaochen Shen +Date: Thu, 9 Jan 2020 00:28:04 +0800 +Subject: x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup +Git-commit: 074fadee59ee7a9d2b216e9854bd4efb5dad679f +Patch-mainline: v5.6-rc1 +References: bsc#1112178 + +There is a race condition in the following scenario which results in an +use-after-free issue when reading a monitoring file and deleting the +parent ctrl_mon group concurrently: + +Thread 1 calls atomic_inc() to take refcount of rdtgrp and then calls +kernfs_break_active_protection() to drop the active reference of kernfs +node in rdtgroup_kn_lock_live(). + +In Thread 2, kernfs_remove() is a blocking routine. It waits on all sub +kernfs nodes to drop the active reference when removing all subtree +kernfs nodes recursively. Thread 2 could block on kernfs_remove() until +Thread 1 calls kernfs_break_active_protection(). Only after +kernfs_remove() completes the refcount of rdtgrp could be trusted. + +Before Thread 1 calls atomic_inc() and kernfs_break_active_protection(), +Thread 2 could call kfree() when the refcount of rdtgrp (sentry) is 0 +instead of 1 due to the race. + +In Thread 1, in rdtgroup_kn_unlock(), referring to earlier rdtgrp memory +(rdtgrp->waitcount) which was already freed in Thread 2 results in +use-after-free issue. + +Thread 1 (rdtgroup_mondata_show) Thread 2 (rdtgroup_rmdir) +-------------------------------- ------------------------- +rdtgroup_kn_lock_live + /* + * kn active protection until + * kernfs_break_active_protection(kn) + */ + rdtgrp = kernfs_to_rdtgroup(kn) + rdtgroup_kn_lock_live + atomic_inc(&rdtgrp->waitcount) + mutex_lock + rdtgroup_rmdir_ctrl + free_all_child_rdtgrp + /* + * sentry->waitcount should be 1 + * but is 0 now due to the race. + */ + kfree(sentry)*[1] + /* + * Only after kernfs_remove() + * completes, the refcount of + * rdtgrp could be trusted. + */ + atomic_inc(&rdtgrp->waitcount) + /* kn->active-- */ + kernfs_break_active_protection(kn) + rdtgroup_ctrl_remove + rdtgrp->flags = RDT_DELETED + /* + * Blocking routine, wait for + * all sub kernfs nodes to drop + * active reference in + * kernfs_break_active_protection. + */ + kernfs_remove(rdtgrp->kn) + rdtgroup_kn_unlock + mutex_unlock + atomic_dec_and_test( + &rdtgrp->waitcount) + && (flags & RDT_DELETED) + kernfs_unbreak_active_protection(kn) + kfree(rdtgrp) + mutex_lock +mon_event_read +rdtgroup_kn_unlock + mutex_unlock + /* + * Use-after-free: refer to earlier rdtgrp + * memory which was freed in [1]. + */ + atomic_dec_and_test(&rdtgrp->waitcount) + && (flags & RDT_DELETED) + /* kn->active++ */ + kernfs_unbreak_active_protection(kn) + kfree(rdtgrp) + +Fix it by moving free_all_child_rdtgrp() to after kernfs_remove() in +rdtgroup_rmdir_ctrl() to ensure it has the accurate refcount of rdtgrp. + +Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support") +Suggested-by: Reinette Chatre +Signed-off-by: Xiaochen Shen +Signed-off-by: Borislav Petkov +Reviewed-by: Reinette Chatre +Reviewed-by: Tony Luck +Acked-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1578500886-21771-3-git-send-email-xiaochen.shen@intel.com +--- + arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c +index 23904ab55c65..caab397287ff 100644 +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -2920,13 +2920,13 @@ static int rdtgroup_rmdir_ctrl(struct ke + closid_free(rdtgrp->closid); + free_rmid(rdtgrp->mon.rmid); + ++ rdtgroup_ctrl_remove(kn, rdtgrp); ++ + /* + * Free all the child monitor group rmids. + */ + free_all_child_rdtgrp(rdtgrp); + +- rdtgroup_ctrl_remove(kn, rdtgrp); +- + return 0; + } + diff --git a/patches.suse/x86-resctrl-fix-use-after-free-when-deleting-resource-groups.patch b/patches.suse/x86-resctrl-fix-use-after-free-when-deleting-resource-groups.patch new file mode 100644 index 0000000..dc3948b --- /dev/null +++ b/patches.suse/x86-resctrl-fix-use-after-free-when-deleting-resource-groups.patch @@ -0,0 +1,218 @@ +From: Xiaochen Shen +Date: Thu, 9 Jan 2020 00:28:03 +0800 +Subject: x86/resctrl: Fix use-after-free when deleting resource groups +Git-commit: b8511ccc75c033f6d54188ea4df7bf1e85778740 +Patch-mainline: v5.6-rc1 +References: bsc#1114279 + +A resource group (rdtgrp) contains a reference count (rdtgrp->waitcount) +that indicates how many waiters expect this rdtgrp to exist. Waiters +could be waiting on rdtgroup_mutex or some work sitting on a task's +workqueue for when the task returns from kernel mode or exits. + +The deletion of a rdtgrp is intended to have two phases: + + (1) while holding rdtgroup_mutex the necessary cleanup is done and + rdtgrp->flags is set to RDT_DELETED, + + (2) after releasing the rdtgroup_mutex, the rdtgrp structure is freed + only if there are no waiters and its flag is set to RDT_DELETED. Upon + gaining access to rdtgroup_mutex or rdtgrp, a waiter is required to check + for the RDT_DELETED flag. + +When unmounting the resctrl file system or deleting ctrl_mon groups, +all of the subdirectories are removed and the data structure of rdtgrp +is forcibly freed without checking rdtgrp->waitcount. If at this point +there was a waiter on rdtgrp then a use-after-free issue occurs when the +waiter starts running and accesses the rdtgrp structure it was waiting +on. + +See kfree() calls in [1], [2] and [3] in these two call paths in +following scenarios: +(1) rdt_kill_sb() -> rmdir_all_sub() -> free_all_child_rdtgrp() +(2) rdtgroup_rmdir() -> rdtgroup_rmdir_ctrl() -> free_all_child_rdtgrp() + +There are several scenarios that result in use-after-free issue in +following: + +Scenario 1: +----------- +In Thread 1, rdtgroup_tasks_write() adds a task_work callback +move_myself(). If move_myself() is scheduled to execute after Thread 2 +rdt_kill_sb() is finished, referring to earlier rdtgrp memory +(rdtgrp->waitcount) which was already freed in Thread 2 results in +use-after-free issue. + +Thread 1 (rdtgroup_tasks_write) Thread 2 (rdt_kill_sb) +------------------------------- ---------------------- +rdtgroup_kn_lock_live + atomic_inc(&rdtgrp->waitcount) + mutex_lock +rdtgroup_move_task + __rdtgroup_move_task + /* + * Take an extra refcount, so rdtgrp cannot be freed + * before the call back move_myself has been invoked + */ + atomic_inc(&rdtgrp->waitcount) + /* Callback move_myself will be scheduled for later */ + task_work_add(move_myself) +rdtgroup_kn_unlock + mutex_unlock + atomic_dec_and_test(&rdtgrp->waitcount) + && (flags & RDT_DELETED) + mutex_lock + rmdir_all_sub + /* + * sentry and rdtgrp are freed + * without checking refcount + */ + free_all_child_rdtgrp + kfree(sentry)*[1] + kfree(rdtgrp)*[2] + mutex_unlock +/* + * Callback is scheduled to execute + * after rdt_kill_sb is finished + */ +move_myself + /* + * Use-after-free: refer to earlier rdtgrp + * memory which was freed in [1] or [2]. + */ + atomic_dec_and_test(&rdtgrp->waitcount) + && (flags & RDT_DELETED) + kfree(rdtgrp) + +Scenario 2: +----------- +In Thread 1, rdtgroup_tasks_write() adds a task_work callback +move_myself(). If move_myself() is scheduled to execute after Thread 2 +rdtgroup_rmdir() is finished, referring to earlier rdtgrp memory +(rdtgrp->waitcount) which was already freed in Thread 2 results in +use-after-free issue. + +Thread 1 (rdtgroup_tasks_write) Thread 2 (rdtgroup_rmdir) +------------------------------- ------------------------- +rdtgroup_kn_lock_live + atomic_inc(&rdtgrp->waitcount) + mutex_lock +rdtgroup_move_task + __rdtgroup_move_task + /* + * Take an extra refcount, so rdtgrp cannot be freed + * before the call back move_myself has been invoked + */ + atomic_inc(&rdtgrp->waitcount) + /* Callback move_myself will be scheduled for later */ + task_work_add(move_myself) +rdtgroup_kn_unlock + mutex_unlock + atomic_dec_and_test(&rdtgrp->waitcount) + && (flags & RDT_DELETED) + rdtgroup_kn_lock_live + atomic_inc(&rdtgrp->waitcount) + mutex_lock + rdtgroup_rmdir_ctrl + free_all_child_rdtgrp + /* + * sentry is freed without + * checking refcount + */ + kfree(sentry)*[3] + rdtgroup_ctrl_remove + rdtgrp->flags = RDT_DELETED + rdtgroup_kn_unlock + mutex_unlock + atomic_dec_and_test( + &rdtgrp->waitcount) + && (flags & RDT_DELETED) + kfree(rdtgrp) +/* + * Callback is scheduled to execute + * after rdt_kill_sb is finished + */ +move_myself + /* + * Use-after-free: refer to earlier rdtgrp + * memory which was freed in [3]. + */ + atomic_dec_and_test(&rdtgrp->waitcount) + && (flags & RDT_DELETED) + kfree(rdtgrp) + +If CONFIG_DEBUG_SLAB=y, Slab corruption on kmalloc-2k can be observed +like following. Note that "0x6b" is POISON_FREE after kfree(). The +corrupted bits "0x6a", "0x64" at offset 0x424 correspond to +waitcount member of struct rdtgroup which was freed: + + Slab corruption (Not tainted): kmalloc-2k start=ffff9504c5b0d000, len=2048 + 420: 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkjkkkkkkkkkkk + Single bit error detected. Probably bad RAM. + Run memtest86+ or a similar memory test tool. + Next obj: start=ffff9504c5b0d800, len=2048 + 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + + Slab corruption (Not tainted): kmalloc-2k start=ffff9504c58ab800, len=2048 + 420: 6b 6b 6b 6b 64 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkdkkkkkkkkkkk + Prev obj: start=ffff9504c58ab000, len=2048 + 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + +Fix this by taking reference count (waitcount) of rdtgrp into account in +the two call paths that currently do not do so. Instead of always +freeing the resource group it will only be freed if there are no waiters +on it. If there are waiters, the resource group will have its flags set +to RDT_DELETED. + +It will be left to the waiter to free the resource group when it starts +running and finding that it was the last waiter and the resource group +has been removed (rdtgrp->flags & RDT_DELETED) since. (1) rdt_kill_sb() +-> rmdir_all_sub() -> free_all_child_rdtgrp() (2) rdtgroup_rmdir() -> +rdtgroup_rmdir_ctrl() -> free_all_child_rdtgrp() + +Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support") +Fixes: 60cf5e101fd4 ("x86/intel_rdt: Add mkdir to resctrl file system") +Suggested-by: Reinette Chatre +Signed-off-by: Xiaochen Shen +Signed-off-by: Borislav Petkov +Reviewed-by: Reinette Chatre +Reviewed-by: Tony Luck +Acked-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1578500886-21771-2-git-send-email-xiaochen.shen@intel.com +--- + arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c +index dac7209a0708..23904ab55c65 100644 +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -2167,7 +2167,11 @@ static void free_all_child_rdtgrp(struct + list_for_each_entry_safe(sentry, stmp, head, mon.crdtgrp_list) { + free_rmid(sentry->mon.rmid); + list_del(&sentry->mon.crdtgrp_list); +- kfree(sentry); ++ ++ if (atomic_read(&sentry->waitcount) != 0) ++ sentry->flags = RDT_DELETED; ++ else ++ kfree(sentry); + } + } + +@@ -2205,7 +2209,11 @@ static void rmdir_all_sub(void) + + kernfs_remove(rdtgrp->kn); + list_del(&rdtgrp->rdtgroup_list); +- kfree(rdtgrp); ++ ++ if (atomic_read(&rdtgrp->waitcount) != 0) ++ rdtgrp->flags = RDT_DELETED; ++ else ++ kfree(rdtgrp); + } + /* Notify online CPUs to update per cpu storage and PQR_ASSOC MSR */ + update_closid_rmid(cpu_online_mask, &rdtgroup_default); diff --git a/patches.suse/x86-resctrl-prevent-possible-overrun-during-bitmap-operations.patch b/patches.suse/x86-resctrl-prevent-possible-overrun-during-bitmap-operations.patch new file mode 100644 index 0000000..4c64633 --- /dev/null +++ b/patches.suse/x86-resctrl-prevent-possible-overrun-during-bitmap-operations.patch @@ -0,0 +1,118 @@ +From: Reinette Chatre +Date: Wed, 19 Jun 2019 13:27:16 -0700 +Subject: x86/resctrl: Prevent possible overrun during bitmap operations +Git-commit: 32f010deab575199df4ebe7b6aec20c17bb7eccd +Patch-mainline: v5.2-rc7 +References: bsc#1114648 + +While the DOC at the beginning of lib/bitmap.c explicitly states that +"The number of valid bits in a given bitmap does _not_ need to be an +exact multiple of BITS_PER_LONG.", some of the bitmap operations do +indeed access BITS_PER_LONG portions of the provided bitmap no matter +the size of the provided bitmap. + +For example, if find_first_bit() is provided with an 8 bit bitmap the +operation will access BITS_PER_LONG bits from the provided bitmap. While +the operation ensures that these extra bits do not affect the result, +the memory is still accessed. + +The capacity bitmasks (CBMs) are typically stored in u32 since they +can never exceed 32 bits. A few instances exist where a bitmap_* +operation is performed on a CBM by simply pointing the bitmap operation +to the stored u32 value. + +The consequence of this pattern is that some bitmap_* operations will +access out-of-bounds memory when interacting with the provided CBM. + +This same issue has previously been addressed with commit 49e00eee0061 +("x86/intel_rdt: Fix out-of-bounds memory access in CBM tests") +but at that time not all instances of the issue were fixed. + +Fix this by using an unsigned long to store the capacity bitmask data +that is passed to bitmap functions. + +Fixes: e651901187ab ("x86/intel_rdt: Introduce "bit_usage" to display cache allocations details") +Fixes: f4e80d67a527 ("x86/intel_rdt: Resctrl files reflect pseudo-locked information") +Fixes: 95f0b77efa57 ("x86/intel_rdt: Initialize new resource group with sane defaults") +Signed-off-by: Reinette Chatre +Signed-off-by: Borislav Petkov +Cc: Fenghua Yu +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: stable +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: x86-ml +Link: https://lkml.kernel.org/r/58c9b6081fd9bf599af0dfc01a6fdd335768efef.1560975645.git.reinette.chatre@intel.com +--- + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 35 ++++++++++++++++------------------ + 1 file changed, 16 insertions(+), 19 deletions(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +index 869cbef5da81..f9d8ed6ab03b 100644 +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -804,8 +804,12 @@ static int rdt_bit_usage_show(struct kernfs_open_file *of, + struct seq_file *seq, void *v) + { + struct rdt_resource *r = of->kn->parent->priv; +- u32 sw_shareable = 0, hw_shareable = 0; +- u32 exclusive = 0, pseudo_locked = 0; ++ /* ++ * Use unsigned long even though only 32 bits are used to ensure ++ * test_bit() is used safely. ++ */ ++ unsigned long sw_shareable = 0, hw_shareable = 0; ++ unsigned long exclusive = 0, pseudo_locked = 0; + struct rdt_domain *dom; + int i, hwb, swb, excl, psl; + enum rdtgrp_mode mode; +@@ -850,10 +854,10 @@ static int rdt_bit_usage_show(struct kernfs_open_file *of, + } + for (i = r->cache.cbm_len - 1; i >= 0; i--) { + pseudo_locked = dom->plr ? dom->plr->cbm : 0; +- hwb = test_bit(i, (unsigned long *)&hw_shareable); +- swb = test_bit(i, (unsigned long *)&sw_shareable); +- excl = test_bit(i, (unsigned long *)&exclusive); +- psl = test_bit(i, (unsigned long *)&pseudo_locked); ++ hwb = test_bit(i, &hw_shareable); ++ swb = test_bit(i, &sw_shareable); ++ excl = test_bit(i, &exclusive); ++ psl = test_bit(i, &pseudo_locked); + if (hwb && swb) + seq_putc(seq, 'X'); + else if (hwb && !swb) +@@ -2494,26 +2498,19 @@ static int mkdir_mondata_all(struct kernfs_node *parent_kn, + */ + static void cbm_ensure_valid(u32 *_val, struct rdt_resource *r) + { +- /* +- * Convert the u32 _val to an unsigned long required by all the bit +- * operations within this function. No more than 32 bits of this +- * converted value can be accessed because all bit operations are +- * additionally provided with cbm_len that is initialized during +- * hardware enumeration using five bits from the EAX register and +- * thus never can exceed 32 bits. +- */ +- unsigned long *val = (unsigned long *)_val; ++ unsigned long val = *_val; + unsigned int cbm_len = r->cache.cbm_len; + unsigned long first_bit, zero_bit; + +- if (*val == 0) ++ if (val == 0) + return; + +- first_bit = find_first_bit(val, cbm_len); +- zero_bit = find_next_zero_bit(val, cbm_len, first_bit); ++ first_bit = find_first_bit(&val, cbm_len); ++ zero_bit = find_next_zero_bit(&val, cbm_len, first_bit); + + /* Clear any remaining bits to ensure contiguous region */ +- bitmap_clear(val, zero_bit, cbm_len - zero_bit); ++ bitmap_clear(&val, zero_bit, cbm_len - zero_bit); ++ *_val = (u32)val; + } + + /* + diff --git a/patches.suse/xfrm-Fix-transport-mode-skb-control-buffer-usage.patch b/patches.suse/xfrm-Fix-transport-mode-skb-control-buffer-usage.patch new file mode 100644 index 0000000..bccdd20 --- /dev/null +++ b/patches.suse/xfrm-Fix-transport-mode-skb-control-buffer-usage.patch @@ -0,0 +1,38 @@ +From: Steffen Klassert +Date: Mon, 19 Mar 2018 07:15:39 +0100 +Subject: xfrm: Fix transport mode skb control buffer usage. +Patch-mainline: v4.16 +Git-commit: 9a3fb9fb84cc30577c1b012a6a3efda944684291 +References: bsc#1161552 + +A recent commit introduced a new struct xfrm_trans_cb +that is used with the sk_buff control buffer. Unfortunately +it placed the structure in front of the control buffer and +overlooked that the IPv4/IPv6 control buffer is still needed +for some layer 4 protocols. As a result the IPv4/IPv6 control +buffer is overwritten with this structure. Fix this by setting +a apropriate header in front of the structure. + +Fixes acf568ee859f ("xfrm: Reinject transport-mode packets ...") +Signed-off-by: Steffen Klassert +Acked-by: Michal Kubecek + +--- + net/xfrm/xfrm_input.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/xfrm/xfrm_input.c ++++ b/net/xfrm/xfrm_input.c +@@ -25,6 +25,12 @@ struct xfrm_trans_tasklet { + }; + + struct xfrm_trans_cb { ++ union { ++ struct inet_skb_parm h4; ++#if IS_ENABLED(CONFIG_IPV6) ++ struct inet6_skb_parm h6; ++#endif ++ } header; + int (*finish)(struct net *net, struct sock *sk, struct sk_buff *skb); + }; + diff --git a/patches.suse/xfrm-fix-sa-selector-validation.patch b/patches.suse/xfrm-fix-sa-selector-validation.patch new file mode 100644 index 0000000..1869c7c --- /dev/null +++ b/patches.suse/xfrm-fix-sa-selector-validation.patch @@ -0,0 +1,43 @@ +From b8d6d0079757cbd1b69724cfd1c08e2171c68cee Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Fri, 14 Jun 2019 11:13:55 +0200 +Subject: [PATCH] xfrm: fix sa selector validation +Patch-mainline: v5.3-rc1 +Git-commit: b8d6d0079757cbd1b69724cfd1c08e2171c68cee +References: bsc#1156609 + +After commit b38ff4075a80, the following command does not work anymore: +$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \ + mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \ + 'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4 + +In fact, the selector is not mandatory, allow the user to provide an empty +selector. + +Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation") +CC: Anirudh Gupta +Signed-off-by: Nicolas Dichtel +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Petr Vorel +--- + net/xfrm/xfrm_user.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 74a3d1e0ff63..6626564f1fb7 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -166,6 +166,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, + } + + switch (p->sel.family) { ++ case AF_UNSPEC: ++ break; ++ + case AF_INET: + if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) + goto out; +-- +2.16.4 + diff --git a/patches.suse/xhci-Fix-memory-leak-in-xhci_add_in_port.patch b/patches.suse/xhci-Fix-memory-leak-in-xhci_add_in_port.patch new file mode 100644 index 0000000..dd32846 --- /dev/null +++ b/patches.suse/xhci-Fix-memory-leak-in-xhci_add_in_port.patch @@ -0,0 +1,92 @@ +From ce91f1a43b37463f517155bdfbd525eb43adbd1a Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 11 Dec 2019 16:20:02 +0200 +Subject: [PATCH] xhci: Fix memory leak in xhci_add_in_port() +Git-commit: ce91f1a43b37463f517155bdfbd525eb43adbd1a +No-fix: 1fbaac5f1827570565dd0373190e75bde878c854 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +[ backport note: this is a backport from 4.14.y stable tree, + commit 1fbaac5f1827570565dd0373190e75bde878c854 ] + +When xHCI is part of Alpine or Titan Ridge Thunderbolt controller and +the xHCI device is hot-removed as a result of unplugging a dock for +example, the driver leaks memory it allocates for xhci->usb3_rhub.psi +and xhci->usb2_rhub.psi in xhci_add_in_port() as reported by kmemleak: + +unreferenced object 0xffff922c24ef42f0 (size 16): + comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s) + hex dump (first 16 bytes): + 21 00 0c 00 12 00 dc 05 23 00 e0 01 00 00 00 00 !.......#....... + backtrace: + [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7 + [<0000000001b6d775>] xhci_init+0x7c/0x160 + [<00000000db443fe3>] xhci_gen_setup+0x214/0x340 + [<00000000fdffd320>] xhci_pci_setup+0x48/0x110 + [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747 + [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4 + [<0000000021043861>] xhci_pci_probe+0x24/0x1c0 + [<00000000b9231f25>] local_pci_probe+0x3d/0x70 + [<000000006385c9d7>] pci_device_probe+0xd0/0x150 + [<0000000070241068>] really_probe+0xf5/0x3c0 + [<0000000061f35c0a>] driver_probe_device+0x58/0x100 + [<000000009da11198>] bus_for_each_drv+0x79/0xc0 + [<000000009ce45f69>] __device_attach+0xda/0x160 + [<00000000df201aaf>] pci_bus_add_device+0x46/0x70 + [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60 + [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60 +unreferenced object 0xffff922c24ef3318 (size 8): + comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s) + hex dump (first 8 bytes): + 34 01 05 00 35 41 0a 00 4...5A.. + backtrace: + [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7 + [<0000000001b6d775>] xhci_init+0x7c/0x160 + [<00000000db443fe3>] xhci_gen_setup+0x214/0x340 + [<00000000fdffd320>] xhci_pci_setup+0x48/0x110 + [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747 + [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4 + [<0000000021043861>] xhci_pci_probe+0x24/0x1c0 + [<00000000b9231f25>] local_pci_probe+0x3d/0x70 + [<000000006385c9d7>] pci_device_probe+0xd0/0x150 + [<0000000070241068>] really_probe+0xf5/0x3c0 + [<0000000061f35c0a>] driver_probe_device+0x58/0x100 + [<000000009da11198>] bus_for_each_drv+0x79/0xc0 + [<000000009ce45f69>] __device_attach+0xda/0x160 + [<00000000df201aaf>] pci_bus_add_device+0x46/0x70 + [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60 + [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60 + +Fix this by calling kfree() for the both psi objects in +xhci_mem_cleanup(). + +Cc: # 4.4+ +Fixes: 47189098f8be ("xhci: parse xhci protocol speed ID list for usb 3.1 usage") +Signed-off-by: Mika Westerberg +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191211142007.8847-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-mem.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1907,10 +1907,14 @@ no_bw: + kfree(xhci->hw_ports); + kfree(xhci->rh_bw); + kfree(xhci->ext_caps); ++ kfree(xhci->usb2_rhub.psi); ++ kfree(xhci->usb3_rhub.psi); + + xhci->usb2_ports = NULL; + xhci->usb3_ports = NULL; + xhci->port_array = NULL; ++ xhci->usb2_rhub.psi = NULL; ++ xhci->usb3_rhub.psi = NULL; + xhci->usb2_rhub.ports = NULL; + xhci->usb3_rhub.ports = NULL; + xhci->hw_ports = NULL; diff --git a/patches.suse/xhci-fix-USB3-device-initiated-resume-race-with-root.patch b/patches.suse/xhci-fix-USB3-device-initiated-resume-race-with-root.patch new file mode 100644 index 0000000..9207b29 --- /dev/null +++ b/patches.suse/xhci-fix-USB3-device-initiated-resume-race-with-root.patch @@ -0,0 +1,108 @@ +From 057d476fff778f1d3b9f861fdb5437ea1a3cfc99 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 11 Dec 2019 16:20:03 +0200 +Subject: [PATCH] xhci: fix USB3 device initiated resume race with roothub autosuspend +Git-commit: 057d476fff778f1d3b9f861fdb5437ea1a3cfc99 +No-fix: d12f592f95c956813e513a9f443f1375f5c73b28 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +[ backport note: this is a backport from stable 4.14.y, commit + d12f592f95c956813e513a9f443f1375f5c73b28 ] + +A race in xhci USB3 remote wake handling may force device back to suspend +after it initiated resume siganaling, causing a missed resume event or warm +reset of device. + +When a USB3 link completes resume signaling and goes to enabled (UO) +state a interrupt is issued and the interrupt handler will clear the +bus_state->port_remote_wakeup resume flag, allowing bus suspend. + +If the USB3 roothub thread just finished reading port status before +the interrupt, finding ports still in suspended (U3) state, but hasn't +yet started suspending the hub, then the xhci interrupt handler will clear +the flag that prevented roothub suspend and allow bus to suspend, forcing +all port links back to suspended (U3) state. + +Example case: +usb_runtime_suspend() # because all ports still show suspended U3 + usb_suspend_both() + hub_suspend(); # successful as hub->wakeup_bits not set yet +==> INTERRUPT +xhci_irq() + handle_port_status() + clear bus_state->port_remote_wakeup + usb_wakeup_notification() + sets hub->wakeup_bits; + kick_hub_wq() +<== END INTERRUPT + hcd_bus_suspend() + xhci_bus_suspend() # success as port_remote_wakeup bits cleared + +Fix this by increasing roothub usage count during port resume to prevent +roothub autosuspend, and by making sure bus_state->port_remote_wakeup +flag is only cleared after resume completion is visible, i.e. +after xhci roothub returned U0 or other non-U3 link state link on a +get port status request. + +Issue rootcaused by Chiasheng Lee + +Cc: +Cc: Lee, Hou-hsun +Reported-by: Lee, Chiasheng +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191211142007.8847-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-hub.c | 8 ++++++++ + drivers/usb/host/xhci-ring.c | 6 +----- + 2 files changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -877,6 +877,14 @@ static u32 xhci_get_port_status(struct u + status |= USB_PORT_STAT_C_BH_RESET << 16; + if ((raw_port_status & PORT_CEC)) + status |= USB_PORT_STAT_C_CONFIG_ERROR << 16; ++ ++ /* USB3 remote wake resume signaling completed */ ++ if (bus_state->port_remote_wakeup & (1 << wIndex) && ++ (raw_port_status & PORT_PLS_MASK) != XDEV_RESUME && ++ (raw_port_status & PORT_PLS_MASK) != XDEV_RECOVERY) { ++ bus_state->port_remote_wakeup &= ~(1 << wIndex); ++ usb_hcd_end_port_resume(&hcd->self, wIndex); ++ } + } + + if (hcd->speed < HCD_USB3) { +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1679,9 +1679,6 @@ static void handle_port_status(struct xh + usb_hcd_resume_root_hub(hcd); + } + +- if (hcd->speed >= HCD_USB3 && (portsc & PORT_PLS_MASK) == XDEV_INACTIVE) +- bus_state->port_remote_wakeup &= ~(1 << faked_port_index); +- + if ((portsc & PORT_PLC) && (portsc & PORT_PLS_MASK) == XDEV_RESUME) { + xhci_dbg(xhci, "port resume event for port %d\n", port_id); + +@@ -1700,6 +1697,7 @@ static void handle_port_status(struct xh + bus_state->port_remote_wakeup |= 1 << faked_port_index; + xhci_test_and_clear_bit(xhci, port_array, + faked_port_index, PORT_PLC); ++ usb_hcd_start_port_resume(&hcd->self, faked_port_index); + xhci_set_link_state(xhci, port_array, faked_port_index, + XDEV_U0); + /* Need to wait until the next link state change +@@ -1737,8 +1735,6 @@ static void handle_port_status(struct xh + if (slot_id && xhci->devs[slot_id]) + xhci_ring_device(xhci, slot_id); + if (bus_state->port_remote_wakeup & (1 << faked_port_index)) { +- bus_state->port_remote_wakeup &= +- ~(1 << faked_port_index); + xhci_test_and_clear_bit(xhci, port_array, + faked_port_index, PORT_PLC); + usb_wakeup_notification(hcd->self.root_hub, diff --git a/patches.suse/xhci-make-sure-interrupts-are-restored-to-correct-st.patch b/patches.suse/xhci-make-sure-interrupts-are-restored-to-correct-st.patch new file mode 100644 index 0000000..44a3218 --- /dev/null +++ b/patches.suse/xhci-make-sure-interrupts-are-restored-to-correct-st.patch @@ -0,0 +1,68 @@ +From bd82873f23c9a6ad834348f8b83f3b6a5bca2c65 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 11 Dec 2019 16:20:07 +0200 +Subject: [PATCH] xhci: make sure interrupts are restored to correct state +Git-commit: bd82873f23c9a6ad834348f8b83f3b6a5bca2c65 +No-fix: d12f592f95c956813e513a9f443f1375f5c73b28 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +[ backport note: this is a backport from stable 4.14.y, + commit d12f592f95c956813e513a9f443f1375f5c73b28 ] + +spin_unlock_irqrestore() might be called with stale flags after +reading port status, possibly restoring interrupts to a incorrect +state. + +If a usb2 port just finished resuming while the port status is read +the spin lock will be temporary released and re-acquired in a separate +function. The flags parameter is passed as value instead of a pointer, +not updating flags properly before the final spin_unlock_irqrestore() +is called. + +Cc: # v3.12+ +Fixes: 8b3d45705e54 ("usb: Fix xHCI host issues on remote wakeup.") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191211142007.8847-7-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-hub.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -845,7 +845,7 @@ static u32 xhci_get_port_status(struct u + struct xhci_bus_state *bus_state, + __le32 __iomem **port_array, + u16 wIndex, u32 raw_port_status, +- unsigned long flags) ++ unsigned long *flags) + __releases(&xhci->lock) + __acquires(&xhci->lock) + { +@@ -935,12 +935,12 @@ static u32 xhci_get_port_status(struct u + xhci_set_link_state(xhci, port_array, wIndex, + XDEV_U0); + +- spin_unlock_irqrestore(&xhci->lock, flags); ++ spin_unlock_irqrestore(&xhci->lock, *flags); + time_left = wait_for_completion_timeout( + &bus_state->rexit_done[wIndex], + msecs_to_jiffies( + XHCI_MAX_REXIT_TIMEOUT_MS)); +- spin_lock_irqsave(&xhci->lock, flags); ++ spin_lock_irqsave(&xhci->lock, *flags); + + if (time_left) { + slot_id = xhci_find_slot_id_by_port(hcd, +@@ -1088,7 +1088,7 @@ int xhci_hub_control(struct usb_hcd *hcd + break; + } + status = xhci_get_port_status(hcd, bus_state, port_array, +- wIndex, temp, flags); ++ wIndex, temp, &flags); + if (status == 0xffffffff) + goto error; + diff --git a/patches.suse/zd1211rw-fix-storage-endpoint-lookup.patch b/patches.suse/zd1211rw-fix-storage-endpoint-lookup.patch new file mode 100644 index 0000000..9abb4fd --- /dev/null +++ b/patches.suse/zd1211rw-fix-storage-endpoint-lookup.patch @@ -0,0 +1,41 @@ +From 2d68bb2687abb747558b933e80845ff31570a49c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:26 +0100 +Subject: [PATCH] zd1211rw: fix storage endpoint lookup +Git-commit: 2d68bb2687abb747558b933e80845ff31570a49c +Patch-mainline: v5.6-rc1 +References: git-fixes + +Make sure to use the current alternate setting when verifying the +storage interface descriptors to avoid submitting an URB to an invalid +endpoint. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device") +Cc: stable # 2.6.19 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/zydas/zd1211rw/zd_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c +index 7b5c2fe5bd4d..8ff0374126e4 100644 +--- a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c ++++ b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c +@@ -1263,7 +1263,7 @@ static void print_id(struct usb_device *udev) + static int eject_installer(struct usb_interface *intf) + { + struct usb_device *udev = interface_to_usbdev(intf); +- struct usb_host_interface *iface_desc = &intf->altsetting[0]; ++ struct usb_host_interface *iface_desc = intf->cur_altsetting; + struct usb_endpoint_descriptor *endpoint; + unsigned char *cmd; + u8 bulk_out_ep; +-- +2.16.4 + diff --git a/rpm/kabi.pl b/rpm/kabi.pl index bce16b1..ffe73be 100755 --- a/rpm/kabi.pl +++ b/rpm/kabi.pl @@ -9,6 +9,9 @@ use Data::Dumper; my @rules; my ($opt_verbose, $opt_rules); +# if Module.symvers also lists namespaces (>=5.4) +my $use_namespaces; + sub load_rules { my $file = shift; my $errors = 0; @@ -33,8 +36,14 @@ sub load_rules { $pattern =~ s/\*/.*/g; $pattern =~ s/\?/./g; $pattern =~ s/.*/^$&\$/; + + # If it matches a module path or vmlinux if ($pattern =~ /\/|^vmlinux$/) { $new->{mod} = $pattern; + # If it's not a path and the string is all uppercase, assume it's a namespace + } elsif ($use_namespaces && + $pattern !~ /\// && $pattern eq uc($pattern)) { + $new->{namespace} = $pattern; } else { $new->{sym} = $pattern; } @@ -47,20 +56,44 @@ sub load_rules { close($fh); } +# Return 1 if using new (>=5.4) Module.symvers format with namespaces +sub symvers_uses_namespaces { + my $file = shift; + xopen(my $fh, '<', $file); + my $line = <$fh>; + chomp $line; + + # If there are 5 tab delimited fields, then it's a newer (>=5.4) + # Module.symvers format with namespaces. The older Module.symvers + # format only has 4 fields (crc, symbol, module, export type). + my @l = split(/\t/, $line); + if (@l > 4) { + return 1; + } else { + return 0; + } +} + sub load_symvers { my $file = shift; my %res; my $errors = 0; + my $new; xopen(my $fh, '<', $file); while (<$fh>) { - my @l = split(/\s+/); - if (@l < 3) { + chomp; + my @l = split(/\t/); + if (@l < 4) { print STDERR "$file:$.: unknown line\n"; $errors++; next; } - my $new = { crc => $l[0], mod => $l[2], type => $l[3] }; + if ($use_namespaces) { + $new = { crc => $l[0], namespace => $l[2], mod => $l[3], type => $l[4] }; + } else { + $new = { crc => $l[0], mod => $l[2], type => $l[3] }; + } $res{$l[1]} = $new; } if (!%res) { @@ -99,18 +132,25 @@ sub type_compatible { my $kabi_errors = 0; sub kabi_change { - my ($sym, $mod, $message) = @_; + my ($sym, $symvers, $message) = @_; my $fail = 1; for my $rule (@rules) { - if ($rule->{mod} && $mod =~ $rule->{mod} || - $rule->{sym} && $sym =~ $rule->{sym}) { + if ($rule->{mod} && $symvers->{mod} =~ $rule->{mod} || + $rule->{sym} && $sym =~ $rule->{sym} || + ($use_namespaces && $rule->{namespace} && + $symvers->{namespace} =~ $rule->{namespace})) { $fail = $rule->{fail}; last; } } return unless $fail or $opt_verbose; - print STDERR "KABI: symbol $sym($mod) $message"; + + print STDERR "KABI: symbol $sym(mod:$symvers->{mod}"; + if ($use_namespaces && $symvers->{namespace}) { + print STDERR " ns:$symvers->{namespace}"; + } + print STDERR ") $message"; if ($fail) { $kabi_errors++; print STDERR "\n"; @@ -131,6 +171,10 @@ if (!$res || @ARGV != 2) { print STDERR "Usage: $0 [--rules ] Module.symvers.old Module.symvers\n"; exit 1; } + +# Determine symvers format +$use_namespaces = symvers_uses_namespaces($ARGV[0]); + if (defined($opt_rules)) { load_rules($opt_rules); } @@ -139,12 +183,12 @@ my %new = load_symvers($ARGV[1]); for my $sym (sort keys(%old)) { if (!$new{$sym}) { - kabi_change($sym, $old{$sym}->{mod}, "lost"); + kabi_change($sym, $old{$sym}, "lost"); } elsif ($old{$sym}->{crc} ne $new{$sym}->{crc}) { - kabi_change($sym, $old{$sym}->{mod}, "changed crc from " . + kabi_change($sym, $old{$sym}, "changed crc from " . "$old{$sym}->{crc} to $new{$sym}->{crc}"); } elsif (!type_compatible($old{$sym}->{type}, $new{$sym}->{type})) { - kabi_change($sym, $old{$sym}->{mod}, "changed type from " . + kabi_change($sym, $old{$sym}, "changed type from " . "$old{$sym}->{type} to $new{$sym}->{type}"); } } diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in index 4d13bcb..b2f7e31 100644 --- a/rpm/kernel-binary.spec.in +++ b/rpm/kernel-binary.spec.in @@ -107,7 +107,9 @@ Provides: multiversion(kernel) # owned by multiple packages now. The dependency is not correct wrt openSUSE # 11.2 - 11.4, but we primarily care about the supported upgrade path. Obsoletes: %name-base < 3.1 +%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") Recommends: kernel-firmware +%endif # The following is copied to the -base subpackage as well # BEGIN COMMON DEPS Requires(pre): coreutils awk @@ -168,6 +170,8 @@ Conflicts: udev < 118 Conflicts: lvm2 < 2.02.33 # Interface to hv_kvp_daemon changed Conflicts: hyper-v < 4 +# drc-info requires powerpc-utils update jsc#SLE-11054, jsc#ECO-920 +Conflicts: powerpc-utils < 1.3.7.1 %ifarch %ix86 Conflicts: libc.so.6()(64bit) %endif @@ -997,7 +1001,7 @@ Conflicts: libc.so.6()(64bit) %description extra @DESCRIPTION@ -This package contains additional modules not supported by Novell. +This package contains additional modules not supported by SUSE. %source_timestamp diff --git a/series.conf b/series.conf index 555590e..5f58f31 100644 --- a/series.conf +++ b/series.conf @@ -1810,6 +1810,7 @@ patches.suse/net-Define-SCM_TIMESTAMPING_PKTINFO-on-all-architect.patch patches.suse/net-Fix-parisc-SCM_TIMESTAMPING_PKTINFO-value.patch patches.suse/net-ipv4-Plumb-extack-through-route-add-functions.patch + patches.suse/net-ipv4-Add-extack-messages-for-route-add-failures.patch patches.suse/net-ipv6-Plumb-extack-through-route-add-functions.patch patches.suse/net-ipv6-Add-extack-messages-for-route-add-failures.patch patches.suse/nfp-add-nfp_cppcore_pcie_unit-helper.patch @@ -5940,6 +5941,7 @@ patches.suse/cpufreq-docs-Add-missing-cpuinfo_cur_freq-descriptio patches.suse/cpufreq-intel_pstate-Drop-get-from-intel_pstate-structure.patch patches.suse/0029-thunderbolt-icm-Ignore-mailbox-errors-in-icm_suspend.patch + patches.suse/acpi-watchdog-fix-init-failure-with-overlapping-register.patch patches.suse/0009-mailbox-pcc-Fix-crash-when-request-PCC-channel-0.patch patches.suse/0001-ipc-add-missing-container_of-s-for-randstruct.patch patches.suse/powerpc-mm-Fix-pmd-pte_devmap-on-non-leaf-entries.patch @@ -8174,6 +8176,7 @@ patches.suse/0003-ACPI-processor-use-dev_dbg-instead-of-dev_warn-when-.patch patches.suse/0010-mailbox-pcc-Drop-uninformative-output-during-boot.patch patches.suse/ACPI-boot-Correct-address-space-of-__acpi_map_table.patch + patches.suse/ACPI-video-Add-force_none-quirk-for-Dell-OptiPlex-90.patch patches.suse/0031-ACPI-APEI-Enable-APEI-multiple-GHES-source-to-share-.patch patches.suse/ACPI-APEI-fix-the-wrong-iteration-of-generic-error-s.patch patches.suse/ACPI-APEI-EINJ-Subtract-any-matching-Register-Region @@ -8767,6 +8770,7 @@ patches.suse/virtio-put-paren-around-sizeof.patch patches.suse/mlx4-sizeof-style-usage.patch patches.suse/liquidio-update-VF-s-netdev-max_mtu-if-there-s-a-cha.patch + patches.suse/net-add-sendmsg_locked-and-sendpage_locked-to-af_ine.patch patches.suse/net-fixes-for-skb_send_sock.patch patches.suse/bpf-introduce-new-program-type-for-skbs-on-sockets.patch patches.suse/bpf-export-bpf_prog_inc_not_zero.patch @@ -11976,6 +11980,7 @@ patches.suse/irqdomain-Update-the-comments-of-fwnode-field-of-irq.patch patches.suse/irqchip-gic-v3-its-Fix-VPE-activate-callback-return-.patch patches.suse/0001-irqchip-exiu-Add-support-for-Socionext-Synquacer-EXI.patch + patches.suse/genirq-proc-Return-proper-error-code-when-irq_set_af.patch patches.suse/timer-Provide-wrappers-safe-for-use-with-LOCKDEP.patch patches.suse/scsi-fcoe-convert-timers-to-use-timer_setup patches.suse/0004-clocksource-drivers-rockchip-pr_err-strings-should-e.patch @@ -13745,8 +13750,8 @@ patches.suse/mwifiex-minor-cleanups-w-sta_list_spinlock-in-cfg802.patch patches.suse/mwifiex-double-the-size-of-chan_stats-array-in-adapt.patch patches.suse/mwifiex-Use-put_unaligned_le32.patch - patches.suse/rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch - patches.suse/rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch + patches.suse/0001-rtlwifi-Fix-MAX-MPDU-of-VHT-capability.patch + patches.suse/0001-rtlwifi-Remove-redundant-semicolon-in-wifi.h.patch patches.suse/rtlwifi-rtl8192ee-Make-driver-support-64bits-DMA.patch patches.suse/rtlwifi-Implement-rtl_get_tx_hw_rate-to-yield-correc.patch patches.suse/rtlwifi-Add-rtl_get_hal_edca_param-to-generate-regis.patch @@ -18696,6 +18701,7 @@ patches.suse/openvswitch-Fix-pop_vlan-action-for-double-tagged-fr.patch patches.suse/net-reevalulate-autoflowlabel-setting-after-sysctl-s.patch patches.suse/clk-fix-a-panic-error-caused-by-accessing-NULL-point.patch + patches.suse/clk-sunxi-sun9i-mmc-Implement-reset-callback-for-res.patch patches.suse/3512-drm-ttm-fix-incorrect-calculate-on-shrink_pages patches.suse/3513-drm-ttm-max_cpages-is-in-unit-of-native-page patches.suse/3514-drm-amdgpu-fix-map_queues-paramter @@ -19010,6 +19016,7 @@ patches.suse/sctp-fix-the-handling-of-ICMP-Frag-Needed-for-too-sm.patch patches.suse/phylink-mark-expected-switch-fall-throughs-in-phylin.patch patches.suse/mdio-sun4i-Fix-a-memory-leak + patches.suse/sh_eth-fix-TXALCR1-offsets.patch patches.suse/block-drain-queue-before-waiting-for-q_usage_counter.patch patches.suse/nvme-pci-move-use_sgl-initialization-to-nvme_init_io.patch patches.suse/nvme-fix-sector-units-when-going-between-formats.patch @@ -19149,6 +19156,7 @@ patches.suse/netlink-extack-needs-to-be-reset-each-time-through-l.patch patches.suse/ipv6-ip6_make_skb-needs-to-clear-cork.base.dst.patch patches.suse/net-tls-Fix-inverted-error-codes-to-avoid-endless-lo.patch + patches.suse/sh_eth-fix-dumping-ARSTR.patch patches.suse/net-Allow-neigh-contructor-functions-ability-to-modi.patch patches.suse/ipv4-Make-neigh-lookup-keys-for-loopback-point-to-po.patch patches.suse/ibmvnic-Fix-pending-MAC-address-changes.patch @@ -23541,6 +23549,9 @@ patches.suse/powerpc-sys_pkey_mprotect-system-call.patch patches.suse/powerpc-powernv-ioda-Finish-removing-explicit-max-wi.patch patches.suse/powerpc-firmware-Add-definitions-for-new-drc-info-fi.patch + patches.suse/pseries-drc-info-Search-DRC-properties-for-CPU-index.patch + patches.suse/hotplug-drc-info-Add-code-to-search-ibm-drc-info-pro.patch + patches.suse/powerpc-Enable-support-for-ibm-drc-info-devtree-prop.patch patches.suse/powerpc-xive-Move-definition-of-ESB-bits.patch patches.suse/powerpc-xive-Add-interrupt-flag-to-disable-automatic.patch patches.suse/KVM-PPC-Book3S-HV-Improve-handling-of-debug-trigger-.patch @@ -24662,6 +24673,7 @@ patches.suse/net_sched-gen_estimator-fix-broken-estimators-based-.patch patches.suse/powerpc-eeh-Fix-crashes-in-eeh_report_resume.patch patches.suse/powerpc-pseries-Fix-duplicate-firmware-feature-for-D.patch + patches.suse/powerpc-pseries-Revert-support-for-ibm-drc-info-devt.patch patches.suse/powerpc-bpf-jit-Fix-32-bit-JIT-for-seccomp_data-acce.patch patches.suse/powerpc-mm-drmem-Fix-unexpected-flag-value-in-ibm-dy.patch patches.suse/powerpc-pseries-Support-firmware-disable-of-RFI-flus.patch @@ -24915,6 +24927,7 @@ patches.suse/Input-mms114-fix-license-module-information patches.suse/Input-matrix_keypad-fix-race-when-disabling-interrup patches.suse/virtio_ring-fix-num_free-handling-in-error-case + patches.suse/powerpc-pseries-Fix-vector5-in-ibm-architecture-vect.patch patches.suse/ALSA-hda-Fix-a-wrong-FIXUP-for-alc289-on-Dell-machin patches.suse/ALSA-hda-realtek-Add-support-headset-mode-for-DELL-W patches.suse/ALSA-hda-realtek-Add-headset-mode-support-for-Dell-2 @@ -25472,6 +25485,7 @@ patches.suse/vti6-Properly-adjust-vti6-MTU-from-MTU-of-lower-devi.patch patches.suse/vti6-Keep-set-MTU-on-link-creation-or-change-validat.patch patches.suse/vti6-Fix-dev-max_mtu-setting.patch + patches.suse/xfrm-Fix-transport-mode-skb-control-buffer-usage.patch patches.suse/lan78xx-Crash-in-lan78xx_writ_reg-Workqueue-events-l.patch patches.suse/msft-hv-1654-hv_netvsc-enable-multicast-if-necessary.patch patches.suse/qede-Do-not-drop-rx-checksum-invalidated-packets.patch @@ -27207,6 +27221,8 @@ patches.suse/mlxsw-spectrum_kvdl-use-div_u64-for-64-bit-division.patch patches.suse/mlxsw-spectrum_kvdl-avoid-uninitialized-variable-war.patch patches.suse/sfc-falcon-remove-duplicated-bit-wise-or-of-LOOPBACK.patch + patches.suse/sh_eth-TSU_QTAG0-1-registers-the-same-as-TSU_QTAGM0-.patch + patches.suse/sh_eth-fix-TSU-init-on-SH7734-R8A7740.patch patches.suse/ixgbe-remove-redundant-initialization-of-pool.patch patches.suse/ixgbe-Avoid-to-write-the-RETA-table-when-unnecessary.patch patches.suse/ixgbe-prevent-ptp_rx_hang-from-running-when-in-FILTE.patch @@ -30290,6 +30306,7 @@ patches.suse/cifs-smbd-Enable-signing-with-smbdirect.patch patches.suse/cifs-smb2ops-Fix-listxattr-when-there-are-no-EAs.patch patches.suse/smb3-directory-sync-should-not-return-an-error.patch + patches.suse/stop_machine-sched-Fix-migrate_swap-vs.-active_balan.patch patches.suse/perf-x86-fix-possible-spectre-v1-indexing-for-hw_perf_event-cache_ patches.suse/perf-x86-fix-possible-spectre-v1-indexing-for-x86_pmu-event_map patches.suse/perf-x86-msr-fix-possible-spectre-v1-indexing-in-the-msr-driver @@ -31131,6 +31148,7 @@ patches.suse/driver-core-Don-t-ignore-class_dir_create_and_add-fa patches.suse/firmware-add-firmware_request_nowarn-load-firmware-without-warnings.patch patches.suse/ath10k-re-enable-the-firmware-fallback-mechanism-for.patch + patches.suse/0001-mm-memory_hotplug-use-put_device-if-device_register-.patch patches.suse/0075-serial-mvebu-uart-add-suspend-resume-support.patch patches.suse/earlycon-Initialize-port-uartclk-based-on-clock-freq.patch patches.suse/sc16is7xx-Check-for-an-error-when-the-clock-is-enabl @@ -35168,6 +35186,8 @@ patches.suse/qmi_wwan-add-support-for-Quectel-EG91 patches.suse/liquidio-make-timeout-HZ-independent-and-readable.patch patches.suse/ipv4-Return-EINVAL-when-ping_group_range-sysctl-does.patch + patches.suse/sh_eth-fix-invalid-context-bug-while-calling-auto-ne.patch + patches.suse/sh_eth-fix-invalid-context-bug-while-changing-link-o.patch patches.suse/cxgb4-assume-flash-part-size-to-be-4MB-if-it-can-t-b.patch patches.suse/net-bridge-fix-br_vlan_get_-pvid-info-return-values.patch patches.suse/s390-sles15sp1-00-12-18-net-smc-reduce-sock_put-for-fallback-sockets.patch @@ -35297,6 +35317,7 @@ patches.suse/powerpc-powernv-Fix-save-restore-of-SPRG3-on-entry-e.patch patches.suse/lib-iov_iter-Fix-pipe-handling-in-_copy_to_iter_mcsa.patch patches.suse/x86-asm-memcpy_mcsafe-Fix-copy_to_user_mcsafe-except.patch + patches.suse/stop_machine-Disable-preemption-when-waking-two-stop.patch patches.suse/x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch patches.suse/x86-mce-remove-min-interval-polling-limitation patches.suse/soc-imx-gpc-restrict-register-range-for-regmap-acces @@ -35419,6 +35440,7 @@ patches.suse/perf-x86-amd-ibs-don-t-access-non-started-event patches.suse/perf-x86-intel-fix-unwind-errors-from-pebs-entries-mk-ii.patch patches.suse/perf-core-fix-crash-when-using-hw-tracing-kernel-filters.patch + patches.suse/stop_machine-Disable-preemption-after-queueing-stopp.patch patches.suse/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch patches.suse/x86-boot-fix-if_changed-build-flip-flop-bug patches.suse/squashfs-more-metadata-hardening.patch @@ -35553,6 +35575,7 @@ patches.suse/0006-irqchip-gic-v3-its-Honor-hypervisor-enforced-LPI-ran.patch patches.suse/0007-irqchip-gic-v3-its-Reduce-minimum-LPI-allocation-to-.patch patches.suse/0002-rculist-Improve-documentation-for-list_for_each_entr.patch + patches.suse/stop_machine-Atomically-queue-and-wake-stopper-threa.patch patches.suse/sched-numa-Remove-redundant-field.patch patches.suse/sched-numa-Evaluate-move-once-per-node.patch patches.suse/sched-numa-Simplify-load_too_imbalanced.patch @@ -35687,6 +35710,7 @@ patches.suse/0001-btrfs-Don-t-remove-block-group-still-has-pinned-down.patch patches.suse/0015-btrfs-tree-checker-Verify-block_group_item.patch patches.suse/0016-btrfs-tree-checker-Detect-invalid-and-empty-essentia.patch + patches.suse/Btrfs-fix-btrfs_write_inode-vs-delayed-iput-deadlock.patch patches.suse/btrfs-fix-mount-failure-after-fsync-due-to-hard-link.patch patches.suse/btrfs-fix-send-failure-when-root-has-deleted-files-s.patch patches.suse/btrfs-simplify-IS_ERR-PTR_ERR-checks.patch @@ -36225,6 +36249,7 @@ patches.suse/netdevsim-add-ipsec-offload-testing.patch patches.suse/net-phy-xgmiitorgmii-Check-phy_driver-ready-before-a.patch patches.suse/net-phy-xgmiitorgmii-Check-read_status-results.patch + patches.suse/netlink-Return-extack-message-if-attribute-validatio.patch patches.suse/netem-slotting-with-non-uniform-distribution.patch patches.suse/net-sched-actions-fix-coding-style-in-pedit-action.patch patches.suse/net-sched-actions-fix-sparse-warning.patch @@ -39341,6 +39366,7 @@ patches.suse/uwb-hwa-rc-fix-memory-leak-at-probe.patch patches.suse/0001-usb-typec-unlock-dp-lock-on-error-exit-path-and-also.patch patches.suse/0001-usb-typec-avoid-format-overflow-warning.patch + patches.suse/USB-serial-io_edgeport-use-irqsave-in-USB-s-complete.patch patches.suse/USB-serial-sierra-fix-potential-deadlock-at-close.patch patches.suse/USB-serial-kobil_sct-fix-modem-status-error-handling.patch patches.suse/0094-phy-mvebu-cp110-comphy-switch-to-SPDX-identifier.patch @@ -41309,6 +41335,7 @@ patches.suse/iavf-rename-most-of-i40e-strings.patch patches.suse/iavf-finish-renaming-files-to-iavf.patch patches.suse/intel-ethernet-use-correct-module-license.patch + patches.suse/netlink-add-NLA_REJECT-policy-type.patch patches.suse/veth-rename-pcpu_vstats-as-pcpu_lstats.patch patches.suse/net-cavium-fix-return-type-of-ndo_start_xmit-functio.patch patches.suse/net-ibm-fix-return-type-of-ndo_start_xmit-function.patch @@ -41447,6 +41474,10 @@ patches.suse/net-vhost-replace-magic-number-of-lock-annotation.patch patches.suse/net-vhost-factor-out-busy-polling-logic-to-vhost_net.patch patches.suse/net-vhost-add-rx-busy-polling-in-tx-path.patch + patches.suse/netlink-make-validation_data-const.patch + patches.suse/netlink-move-extack-setting-into-validate_nla.patch + patches.suse/netlink-allow-NLA_NESTED-to-specify-nested-policy-to.patch + patches.suse/netlink-add-nested-array-policy-validation.patch patches.suse/qed-Remove-set-but-not-used-variable-p_archipelago.patch patches.suse/net-core-make-function-___gnet_stats_copy_basic-stat.patch patches.suse/net-tls-Make-function-get_rec-static.patch @@ -41503,6 +41534,8 @@ patches.suse/net-hns3-Add-reset-handle-for-flow-director.patch patches.suse/net-hns3-Remove-all-flow-director-rules-when-unload-.patch patches.suse/net-hns3-Add-support-for-enable-disable-flow-directo.patch + patches.suse/netlink-add-attribute-range-validation-to-policy.patch + patches.suse/netlink-add-validation-function-to-policy.patch patches.suse/net_sched-fix-a-crash-in-tc_new_tfilter.patch patches.suse/net-phy-improve-handling-delayed-work.patch patches.suse/msft-hv-1776-hv_netvsc-Fix-rndis_per_packet_info-internal-field-i.patch @@ -41752,6 +41785,7 @@ patches.suse/mac80211-minstrel-fix-using-short-preamble-CCK-rates.patch patches.suse/mac80211-minstrel-fix-CCK-rate-group-streams-value.patch patches.suse/mac80211-minstrel-fix-sampling-reporting-of-CCK-rate.patch + patches.suse/netlink-replace-__NLA_ENSURE-implementation.patch patches.suse/net-hns3-Enable-promisc-mode-when-mac-vlan-table-is-.patch patches.suse/net-hns3-Resume-promisc-mode-and-vlan-filter-status-.patch patches.suse/net-hns3-Resume-promisc-mode-and-vlan-filter-status--829edbd8.patch @@ -42677,6 +42711,7 @@ patches.suse/mei-samples-fix-a-signedness-bug-in-amt_host_if_call.patch patches.suse/gsmi-Fix-bug-in-append_to_eventlog-sysfs-handler.patch patches.suse/msft-hv-1784-hv_balloon-Replace-spin_is_locked-with-lockdep.patch + patches.suse/iommu-io-pgtable-arm-Fix-race-handling-in-split_blk_.patch patches.suse/iommu-arm-smmu-v3-Fix-unexpected-CMD_SYNC-timeout.patch patches.suse/iommu-arm-smmu-v3-Avoid-back-to-back-CMD_SYNC-operat.patch patches.suse/iommu-arm-smmu-v3-Implement-flush_iotlb_all-hook.patch @@ -42696,6 +42731,8 @@ patches.suse/iommu-iova-Optimise-attempts-to-allocate-iova-from-3.patch patches.suse/iommu-Add-fast-hook-for-getting-DMA-domains.patch patches.suse/iommu-dma-Use-fast-DMA-domain-lookup.patch + patches.suse/swiotlb-do-not-panic-on-mapping-failures + patches.suse/swiotlb-remove-the-overflow-buffer patches.suse/0458-thermal-qoriq-add-i.mx8mq-support.patch patches.suse/thermal-rcar_thermal-Prevent-hardware-access-during-.patch patches.suse/thermal-da9062-61-Prevent-hardware-access-during-sys.patch @@ -42846,6 +42883,7 @@ patches.suse/0432-rtc-ds1307-add-offset-sysfs-for-mt41txx-chips.patch patches.suse/0433-rtc-ds1307-add-frequency_test_enable-attribute-on-m4.patch patches.suse/0457-rtc-ds1307-fix-ds1339-wakealarm-support.patch + patches.suse/rtc-s35390a-Change-buf-s-type-to-u8-in-s35390a_init.patch patches.suse/Input-st1232-set-INPUT_PROP_DIRECT-property.patch patches.suse/Input-silead-try-firmware-reload-after-unsuccessful-.patch patches.suse/Input-synaptics-avoid-using-uninitialized-variable-w.patch @@ -44355,6 +44393,7 @@ patches.suse/drm-msm-dsi-fix-dsi-clock-names-in-DSI-10nm-PLL-driv.patch patches.suse/drm-msm-dpu-Only-check-flush-register-against-pendin.patch patches.suse/jffs2-Fix-use-of-uninitialized-delayed_work-lockdep-.patch + patches.suse/mtd-fix-mtd_oobavail-incoherent-returned-value.patch patches.suse/0039-mtd-spi-nor-add-entry-for-mt35xu512aba-flash.patch patches.suse/media-mtk-vcodec-Release-device-nodes-in-mtk_vcodec_.patch patches.suse/media-pulse8-cec-return-0-when-invalidating-the-logi.patch @@ -44414,7 +44453,9 @@ patches.suse/ACPICA-Use-d-for-signed-int-print-formatting-instead.patch patches.suse/ACPI-LPSS-Ignore-acpi_device_fix_up_power-return-val.patch patches.suse/ACPI-APEI-Clear-GHES-block_status-before-panic.patch + patches.suse/ACPI-fix-acpi_find_child_device-invocation-in-acpi_p.patch patches.suse/pwm-clps711x-Fix-period-calculation.patch + patches.suse/regulator-Fix-return-value-of-_set_load-stub.patch patches.suse/drivers-regulator-fix-a-missing-check-of-return-valu.patch patches.suse/regulator-tps65910-fix-a-missing-check-of-return-val.patch patches.suse/spi-bcm2835-Avoid-finishing-transfer-prematurely-in-.patch @@ -44752,6 +44793,7 @@ patches.suse/ath9k-dynack-check-da-enabled-first-in-sampling-rout.patch patches.suse/ath9k-dynack-make-ewma-estimation-faster.patch patches.suse/iwlwifi-mvm-synchronize-TID-queue-removal.patch + patches.suse/iwlwifi-trans-Clear-persistence-bit-when-starting-th.patch patches.suse/iwlwifi-fw-do-not-set-sgi-bits-for-HE-connection.patch patches.suse/iwlwifi-pcie-don-t-reset-TXQ-write-pointer.patch patches.suse/iwlwifi-mvm-Send-non-offchannel-traffic-via-AP-sta.patch @@ -44991,6 +45033,7 @@ patches.suse/nvme-tcp-fix-endianess-annotations.patch patches.suse/nvme-tcp-fix-spelling-mistake-attepmpt-attempt.patch patches.suse/sata_rcar-fix-deferred-probing.patch + patches.suse/dma-mapping-fix-return-type-of-dma_set_max_seg_size.patch patches.suse/scsi-mpt3sas-Update-MPI-headers-to-support-Aero-cont.patch patches.suse/scsi-mpt3sas-Add-support-for-Aero-controllers.patch patches.suse/scsi-mpt3sas-Added-new-define-variable-IOC_OPERATION.patch @@ -45290,6 +45333,7 @@ patches.suse/staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch patches.suse/staging-iio-ad2s90-Make-probe-handle-spi_setup-failu.patch patches.suse/staging-iio-ad7780-update-voltage-on-read.patch + patches.suse/Staging-iio-adt7316-Fix-i2c-data-reading-set-the-dat.patch patches.suse/staging-bcm2835-camera-Abort-probe-if-there-is-no-ca.patch patches.suse/staging-vchiq_arm-Fix-camera-device-registration.patch patches.suse/iio-accel-kxcjk1013-Add-KIOX010A-ACPI-Hardware-ID.patch @@ -45335,6 +45379,7 @@ patches.suse/pinctrl-max77620-Use-define-directive-for-max77620_p.patch patches.suse/pinctrl-lpc18xx-Use-define-directive-for-PIN_CONFIG_.patch patches.suse/pinctrl-zynq-Use-define-directive-for-PIN_CONFIG_IO_.patch + patches.suse/pinctrl-qcom-ssbi-gpio-fix-gpio-hog-related-boot-iss.patch patches.suse/pinctrl-imx-fix-no_pad_ctl-setting-for-mmio-pads.patch patches.suse/pinctrl-sx150x-handle-failure-case-of-devm_kstrdup.patch patches.suse/pinctrl-sunxi-a64-Rename-function-csi0-to-csi.patch @@ -45356,8 +45401,12 @@ patches.suse/pinctrl-sh-pfc-sh7734-Fix-shifted-values-in-IPSR10.patch patches.suse/pinctrl-freescale-break-dependency-on-soc_imx8mq-for-i-mx8mq.patch patches.suse/rtc-m41t80-Correct-alarm-month-range-with-RTC-reads.patch + patches.suse/rtc-max8997-Fix-the-returned-value-in-case-of-error-.patch + patches.suse/rtc-dt-binding-abx80x-fix-resistance-scale.patch patches.suse/0001-dt-bindings-rtc-sun6i-rtc-Fix-register-range-in-exam.patch patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch + patches.suse/dmaengine-coh901318-Fix-a-double-lock-bug.patch + patches.suse/dmaengine-coh901318-Remove-unused-variable.patch patches.suse/dmaengine-dw-dmac-implement-dma-protection-control-s.patch patches.suse/dmaengine-xilinx_dma-Remove-__aligned-attribute-on-z.patch patches.suse/revert-iommu-io-pgtable-arm-check-for-v7s-incapable-systems @@ -45486,6 +45535,7 @@ patches.suse/pci-iov-factor-out-sriov_add_vfs patches.suse/pci-iov-add-flag-so-platforms-can-skip-vf-scanning patches.suse/s390-pci-skip-vf-scanning + patches.suse/i2c-imx-don-t-print-error-message-on-probe-defer.patch patches.suse/i2c-sh_mobile-add-support-for-r8a77990-R-Car-E3.patch patches.suse/i2c-axxia-check-for-error-conditions-first.patch patches.suse/video-clps711x-fb-release-disp-device-node-in-probe.patch @@ -46544,6 +46594,7 @@ patches.suse/clocksource-drivers-exynos_mct-Fix-error-path-in-tim.patch patches.suse/irqchip-gic-v3-its-Avoid-parsing-_indirect_-twice-fo.patch patches.suse/efi-memattr-Don-t-bail-on-zero-VA-if-it-equals-the-r.patch + patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch patches.suse/perf-core-add-function-to-test-for-event-exclusion-flags.patch patches.suse/perf-core-add-perf_pmu_cap_no_exclude-for-exclusion-incapable-pmus.patch patches.suse/x86-cpu-amd-set-the-cpb-bit-unconditionally-on-f17h.patch @@ -46570,6 +46621,7 @@ patches.suse/cpufreq-Reorder-and-simplify-cpufreq_update_policy.patch patches.suse/cpufreq-acpi-cpufreq-Report-if-CPU-doesn-t-support-b.patch patches.suse/ACPI-APEI-Don-t-wait-to-serialise-with-oops-messages.patch + patches.suse/ACPI-APEI-Switch-estatus-pool-to-use-vmalloc-memory.patch patches.suse/ACPI-video-Refactor-and-fix-dmi_is_desktop.patch patches.suse/ACPI-video-Extend-chassis-type-detection-with-a-Lunc.patch patches.suse/device-property-Fix-the-length-used-in-PROPERTY_ENTR.patch @@ -46710,6 +46762,7 @@ patches.suse/drm-amd-display-Enable-vblank-interrupt-during-CRC-c.patch patches.suse/drm-i915-cfl-Adding-another-PCI-Device-ID.patch patches.suse/drm-rcar-du-add-missing-of_node_put.patch + patches.suse/drm-i915-Handle-vm_mmap-error-during-I915_GEM_MMAP-i.patch patches.suse/drm-amd-display-Disconnect-mpcc-when-changing-tg.patch patches.suse/drm-amd-display-Don-t-re-program-planes-for-DPMS-cha.patch patches.suse/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch @@ -46771,6 +46824,7 @@ patches.suse/i2c-tegra-fix-maximum-transfer-size.patch patches.suse/iscsi_ibft-Fix-missing-break-in-switch-statement.patch patches.suse/thermal-mediatek-fix-register-index-error.patch + patches.suse/rtc-pcf8523-set-xtal-load-capacitance-from-DT.patch patches.suse/rtc-cmos-ignore-bogus-century-byte.patch patches.suse/rtc-ds1672-fix-unintended-sign-extension.patch patches.suse/rtc-ds1307-correct-register-offset-for-rx8130.patch @@ -46803,6 +46857,7 @@ patches.suse/0292-bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch patches.suse/0293-bcache-use-REQ_META-REQ_PRIO-to-indicate-bio-for-met.patch patches.suse/block-don-t-use-bio-bi_vcnt-to-figure-out-segment-number.patch + patches.suse/documentation-document-arm64-kpti-control patches.suse/doc-rcu-Suspicious-RCU-usage-is-a-warning.patch patches.suse/CIFS-Fix-leaking-locked-VFS-cache-pages-in-writeback-retry.patch patches.suse/cifs-Fix-NULL-pointer-dereference-of-devname.patch @@ -47165,12 +47220,14 @@ patches.suse/jbd2-fix-compile-warning-when-using-JBUFFER_TRACE.patch patches.suse/nfsd-fix-performance-limiting-session-calculation.patch patches.suse/nfsd-fix-memory-corruption-caused-by-readdir.patch + patches.suse/ubifs-Reject-unsupported-ioctl-flags-explicitly.patch patches.suse/acpi-nfit-Fix-bus-command-validation.patch patches.suse/libnvdimm-label-clear-updating-flag-after-label-set-update.patch patches.suse/nfit-Fix-nfit_intel_shutdown_status-command-submissi.patch patches.suse/nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch patches.suse/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch patches.suse/libnvdimm-Fix-altmap-reservation-size-calculation.patch + patches.suse/libnvdimm-pfn-Account-for-PAGE_SIZE-info-block-size-.patch patches.suse/libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch patches.suse/nfit-ars-Attempt-a-short-ARS-whenever-the-ARS-state-.patch patches.suse/nfit-ars-Attempt-short-ARS-even-in-the-no_init_ars-c.patch @@ -47342,6 +47399,7 @@ patches.suse/drm-udl-use-drm_gem_object_put_unlocked.patch patches.suse/drm-nouveau-debugfs-Fix-check-of-pm_runtime_get_sync.patch patches.suse/drm-i915-bios-assume-eDP-is-present-on-port-A-when-t.patch + patches.suse/drm-i915-Sanity-check-mmap-length-against-object-siz.patch patches.suse/drm-exynos-mixer-fix-MIXER-shadow-registry-synchroni.patch patches.suse/drm-vmwgfx-return-0-when-gmrid-get_node-runs-out-of-id-s.patch patches.suse/0001-drm-vmwgfx-Don-t-double-free-the-mode-stored-in-par-.patch @@ -47474,6 +47532,7 @@ patches.suse/iommu-don-t-print-warning-when-iommu-driver-only-supports-unmanaged-domains patches.suse/iommu-amd-reserve-exclusion-range-in-iova-domain patches.suse/mm-Fix-modifying-of-page-protection-by-insert_pfn.patch + patches.suse/fs-open.c-allow-opening-only-regular-files-during-ex.patch patches.suse/mm-hotplug-fix-offline-undo_isolate_page_range.patch patches.suse/ocfs2-fix-inode-bh-swapping-mixup-in-ocfs2_reflink_i.patch patches.suse/0001-mm-debug.c-fix-__dump_page-when-mapping-host-is-not-.patch @@ -47506,6 +47565,7 @@ patches.suse/sc16is7xx-missing-unregister-delete-driver-on-error-.patch patches.suse/serial-ar933x_uart-Fix-build-failure-with-disabled-c.patch patches.suse/serial-sh-sci-Fix-setting-SCSCR_TIE-while-transferri.patch + patches.suse/tty-serial-atmel-Add-is_half_duplex-helper.patch patches.suse/Disable-kgdboc-failed-by-echo-space-to-sys-module-kg.patch patches.suse/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch patches.suse/staging-rtl8188eu-Fix-potential-NULL-pointer-derefer.patch @@ -47683,6 +47743,7 @@ patches.suse/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep patches.suse/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu patches.suse/kvm-x86-always-use-32-bit-smram-save-state-for-32-bit-kernels + patches.suse/0001-KVM-fix-spectrev1-gadgets.patch patches.suse/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch patches.suse/cfg80211-Handle-WMM-rules-in-regulatory-domain-inter.patch patches.suse/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch @@ -47982,6 +48043,11 @@ patches.suse/spi-Fix-zero-length-xfer-bug.patch patches.suse/spi-rspi-Fix-sequencer-reset-during-initialization.patch patches.suse/spi-spi-topcliff-pch-Fix-to-handle-empty-DMA-buffers.patch + patches.suse/spi-tegra114-clear-packed-bit-for-unpacked-mode.patch + patches.suse/spi-tegra114-fix-for-unpacked-mode-transfers.patch + patches.suse/spi-tegra114-terminate-dma-and-reset-on-transfer-tim.patch + patches.suse/spi-tegra114-flush-fifos.patch + patches.suse/spi-tegra114-configure-dma-burst-size-to-fifo-trig-l.patch patches.suse/spi-tegra114-reset-controller-on-probe.patch patches.suse/spi-pxa2xx-fix-SCR-divisor-calculation.patch patches.suse/spi-bcm2835aux-unifying-code-between-polling-and-int.patch @@ -48751,7 +48817,10 @@ patches.suse/drm-udl-introduce-a-macro-to-convert-dev-to-udl.patch patches.suse/drm-udl-move-to-embedding-drm-device-inside-udl-devi.patch patches.suse/drm-lease-Make-sure-implicit-planes-are-leased.patch + patches.suse/drm-nouveau-bar-nv50-check-bar1-vmm-return-value.patch patches.suse/drm-nouveau-bar-nv50-ensure-BAR-is-mapped.patch + patches.suse/drm-nouveau-bar-gf100-ensure-BAR-is-mapped.patch + patches.suse/drm-nouveau-mmu-qualify-vmm-during-dtor.patch patches.suse/0001-drm-nouveau-i2c-Disable-i2c-bus-access-after-fini.patch patches.suse/drm-i915-icl-Whitelist-GEN9_SLICE_COMMON_ECO_CHICKEN.patch patches.suse/drm-etnaviv-avoid-DMA-API-warning-when-importing-buf.patch @@ -48891,6 +48960,7 @@ patches.suse/watchdog-fix-compile-time-error-of-pretimeout-govern.patch patches.suse/watchdog-f71808e_wdt-fix-F81866-bit-operation.patch patches.suse/watchdog-imx2_wdt-Fix-set_timeout-for-big-timeout-va.patch + patches.suse/watchdog-wdat_wdt-fix-get_timeleft-call-for-wdat_wdt.patch patches.suse/iommu-arm-smmu-v3-Don-t-disable-SMMU-in-kdump-kernel.patch patches.suse/iommu-vt-d-don-t-request-page-request-irq-under-dmar_global_lock patches.suse/iommu-vt-d-set-intel_iommu_gfx_mapped-correctly @@ -48991,6 +49061,7 @@ patches.suse/soc-mediatek-pwrap-Zero-initialize-rdata-in-pwrap_in.patch patches.suse/soc-rockchip-Set-the-proper-PWM-for-rk3288.patch patches.suse/objtool-fix-function-fallthrough-detection.patch + patches.suse/0001-locking-rwsem-Prevent-decrement-of-reader-count-befo.patch patches.suse/0001-ntp-Allow-TAI-UTC-offset-to-be-set-to-zero.patch patches.suse/x86-speculation-mds-revert-cpu-buffer-clear-on-double-fault-exit.patch patches.suse/configfs-fix-possible-use-after-free-in-configfs_reg.patch @@ -49235,6 +49306,7 @@ patches.suse/drm-i915-gvt-Initialize-intel_gvt_gtt_entry-in-stack.patch patches.suse/0002-drm-i915-gvt-refine-ggtt-range-validation.patch patches.suse/0003-drm-i915-gvt-Fix-cmd-length-of-VEB_DI_IECP.patch + patches.suse/drm-amdgpu-fix-ring-test-failure-issue-during-s3-in-.patch patches.suse/drm-msm-fix-fb-references-in-async-update.patch patches.suse/drm-vc4-fix-fb-references-in-async-update.patch patches.suse/drm-don-t-block-fb-changes-for-async-plane-updates.patch @@ -49298,6 +49370,7 @@ patches.suse/drm-panel-orientation-quirks-Add-quirk-for-GPD-Micro.patch patches.suse/drm-edid-abstract-override-firmware-EDID-retrieval.patch patches.suse/drm-add-fallback-override-firmware-EDID-modes-workar.patch + patches.suse/drm-amdgpu-uvd-vcn-fetch-ring-s-read_ptr-after-alloc.patch patches.suse/cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch patches.suse/USB-usb-storage-Add-new-ID-to-ums-realtek.patch patches.suse/USB-Fix-chipmunk-like-voice-when-using-Logitech-C270.patch @@ -49318,6 +49391,7 @@ patches.suse/x86-microcode-cpuhotplug-add-a-microcode-loader-cpu-hotplug-callback.patch patches.suse/0001-mwifiex-Fix-possible-buffer-overflows-at-parsing-bss.patch patches.suse/0001-mwifiex-Abort-at-too-short-BSS-descriptor-element.patch + patches.suse/iwlwifi-clear-persistence-bit-according-to-device-fa.patch patches.suse/iwlwifi-Fix-double-free-problems-in-iwl_req_fw_callb.patch patches.suse/0001-mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch @@ -49442,6 +49516,7 @@ patches.suse/perf-x86-clean-up-pebs_xmm_regs.patch patches.suse/perf-x86-remove-pmu-pebs_no_xmm_regs.patch patches.suse/x86-microcode-fix-the-microcode-load-on-cpu-hotplug-for-real.patch + patches.suse/x86-resctrl-prevent-possible-overrun-during-bitmap-operations.patch patches.suse/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch patches.suse/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch patches.suse/cifs-fix-crash-querying-symlinks-stored-as-reparse-points.patch @@ -49657,6 +49732,7 @@ patches.suse/documentation-dma-api-fix-a-function-name-of-max_mapping_size patches.suse/docs-move-protection-keys.rst-to-the-core-api-book.patch patches.suse/udf-Fix-incorrect-final-NOT_ALLOCATED-hole-extent-le.patch + patches.suse/fscrypt-don-t-set-policy-for-a-dead-directory.patch patches.suse/mm-add-filemap_fdatawait_range_keep_errors.patch patches.suse/jbd2-introduce-jbd2_inode-dirty-range-scoping.patch patches.suse/ext4-use-jbd2_inode-dirty-range-scoping.patch @@ -49777,6 +49853,7 @@ patches.suse/ath10k-Do-not-send-probe-response-template-for-mesh.patch patches.suse/ath10k-add-peer-id-check-in-ath10k_peer_find_by_id.patch patches.suse/0001-p54usb-Fix-race-between-disconnect-and-firmware-load.patch + patches.suse/mwifiex-update-set_mac_address-logic.patch patches.suse/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch patches.suse/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch patches.suse/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch @@ -49852,6 +49929,7 @@ patches.suse/bonding-validate-ip-header-before-check-IPPROTO_IGMP.patch patches.suse/0001-xfrm-Fix-xfrm-sel-prefix-length-validation.patch patches.suse/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch + patches.suse/xfrm-fix-sa-selector-validation.patch patches.suse/nfc-fix-potential-illegal-memory-access.patch patches.suse/tcp-Reset-bytes_acked-and-bytes_received-when-discon.patch patches.suse/net-tls-fix-socket-wmem-accounting-on-fallback-with-.patch @@ -49946,6 +50024,7 @@ patches.suse/staging-comedi-dt282x-fix-a-null-pointer-deref-on-in.patch patches.suse/iio-iio-utils-Fix-possible-incorrect-mask-calculatio.patch patches.suse/tty-max310x-Fix-invalid-baudrate-divisors-calculator.patch + patches.suse/serial-stm32-fix-transmit_chars-when-tx-is-stopped.patch patches.suse/tty-serial-cpm_uart-fix-init-when-SMC-is-relocated.patch patches.suse/tty-serial-digicolor-Fix-digicolor-usart-already-reg.patch patches.suse/serial-8250-Fix-TX-interrupt-handling-condition.patch @@ -49957,6 +50036,7 @@ patches.suse/tty-serial_core-Set-port-active-bit-in-uart_port_act.patch patches.suse/Revert-serial-8250-Don-t-service-RX-FIFO-if-interrup.patch patches.suse/usb-core-hub-Disable-hub-initiated-U1-U2.patch + patches.suse/usb-gadget-Zero-ffs_io_data.patch patches.suse/usb-gadget-ether-Fix-race-between-gether_disconnect-.patch patches.suse/phy-renesas-rcar-gen2-Fix-memory-leak-at-error-paths.patch patches.suse/USB-serial-option-add-support-for-GosunCn-ME3630-RND.patch @@ -50046,6 +50126,7 @@ patches.suse/drm-amdkfd-Fix-a-potential-memory-leak.patch patches.suse/drm-amdkfd-Fix-sdma-queue-map-issue.patch patches.suse/drm-edid-Fix-a-missing-check-bug-in-drm_load_edid_firmware.patch + patches.suse/drm-mst-Fix-MST-sideband-up-reply-failure-handling.patch patches.suse/drm-bridge-tc358767-read-display_props-in-get_modes.patch patches.suse/drm-bridge-sii902x-pixel-clock-unit-is-10kHz-instead.patch patches.suse/drm-Flush-output-polling-on-shutdown.patch @@ -50296,6 +50377,7 @@ patches.suse/vfio-ccw-set-pa_nr-to-0-if-memory-allocation-fails-for-pa_iova_pfn patches.suse/s390-dma-provide-proper-ARCH_ZONE_DMA_BITS patches.suse/virtio-s390-fix-race-on-airq_areas + patches.suse/0001-lcoking-rwsem-Add-missing-ACQUIRE-to-read_slowpath-s.patch patches.suse/tty-ldsem-locking-rwsem-Add-missing-ACQUIRE-to-read_.patch patches.suse/sched-fair-Don-t-free-p-numa_faults-with-concurrent-.patch patches.suse/sched-fair-Use-RCU-accessors-consistently-for-numa_g.patch @@ -50332,7 +50414,9 @@ patches.suse/0001-xen-swiotlb-fix-condition-for-calling-xen_destroy_co.patch patches.suse/drm-i915-perf-fix-ICL-perf-register-offsets.patch patches.suse/drm-i915-perf-ensure-we-keep-a-reference-on-the-driv.patch + patches.suse/drm-i915-perf-add-missing-delay-for-OA-muxes-configu.patch patches.suse/0005-drm-i915-Lock-the-engine-while-dumping-the-active-re.patch + patches.suse/drm-i915-Make-sure-cdclk-is-high-enough-for-DP-audio.patch patches.suse/drm-i915-Fix-GEN8_MCR_SELECTOR-programming.patch patches.suse/drm-i915-Fix-the-TBT-AUX-power-well-enabling.patch patches.suse/drm-i915-gvt-fix-incorrect-cache-entry-for-guest-pag.patch @@ -50575,6 +50659,7 @@ patches.suse/cifs-Use-kzfree-to-zero-out-the-password.patch patches.suse/0001-drm-amdgpu-Add-APTX-quirk-for-Dell-Latitude-5495.patch patches.suse/0001-drm-i915-Don-t-deballoon-unused-ggtt-drm_mm_node-in-.patch + patches.suse/drm-i915-Call-dma_set_max_seg_size-in-i915_driver_hw.patch patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch patches.suse/mmc-core-Fix-init-of-SD-cards-reporting-an-invalid-V.patch patches.suse/crypto-ccp-Ignore-unconfigured-CCP-device-on-suspend.patch @@ -50628,6 +50713,7 @@ patches.suse/gpio-fix-line-flag-validation-in-lineevent_create.patch patches.suse/gpiolib-acpi-Add-gpiolib_acpi_run_edge_events_on_boo.patch patches.suse/genirq-Prevent-NULL-pointer-dereference-in-resend_ir.patch + patches.suse/virtio_ring-fix-unmap-of-indirect-descriptors patches.suse/vhost-make-sure-log_num-in_num.patch patches.suse/Btrfs-fix-assertion-failure-during-fsync-and-use-of-.patch patches.suse/0001-drm-i915-Restore-relaxed-padding-OCL_OOB_SUPPRES_ENA.patch @@ -50646,6 +50732,7 @@ patches.suse/bridge-mdb-remove-wrong-use-of-NLM_F_MULTI.patch patches.suse/sch_hhf-ensure-quantum-and-hhf_non_hh_weight-are-non.patch patches.suse/wimax-i2400-fix-memory-leak.patch + patches.suse/mac80211-Do-not-send-Layer-2-Update-frame-before-aut.patch patches.suse/tcp-fix-tcp_ecn_withdraw_cwr-to-clear-TCP_ECN_QUEUE_.patch patches.suse/ixgbe-Prevent-u8-wrapping-of-ITR-value-to-something-.patch patches.suse/ixgbe-fix-double-clean-of-Tx-descriptors-with-xdp.patch @@ -50660,6 +50747,8 @@ patches.suse/tpm_tis_core-Set-TPM_CHIP_FLAG_IRQ-before-probing-fo.patch patches.suse/edac-amd64-decode-syndrome-before-translating-address.patch patches.suse/hwmon-lm75-Fix-write-operations-for-negative-tempera.patch + patches.suse/x86-amd_nb-Add-PCI-device-IDs-for-family-17h-model-7.patch + patches.suse/hwmon-k10temp-Add-support-for-AMD-family-17h-model-7.patch patches.suse/hwmon-acpi_power_meter-Change-log-level-for-unsafe-s.patch patches.suse/hwmon-shtc1-fix-shtc1-and-shtw1-id-mask.patch patches.suse/regulator-lm363x-Fix-off-by-one-n_voltages-for-lm363.patch @@ -50681,6 +50770,7 @@ patches.suse/iommu-dma-fix-for-dereferencing-before-null-checking patches.suse/iommu-don-t-use-sme_active-in-generic-code patches.suse/qla2xxx-remove-SGI-SN2-support.patch + patches.suse/soc-renesas-rcar-sysc-Add-goto-to-of_node_put-before.patch patches.suse/objtool-clobber-user-cflags-variable.patch patches.suse/efi-cper-print-AER-info-of-PCIe-fatal-error.patch patches.suse/x86-kconfig-remove-x86_direct_gbpages-dependency-on-debug_pagealloc.patch @@ -50705,6 +50795,9 @@ patches.suse/md-only-call-set_in_sync-when-it-is-expected-to-succ.patch patches.suse/md-don-t-report-active-array_state-until-after-reval.patch patches.suse/nvme-multipath-fix-ana-log-nsid-lookup-when-nsid-is-.patch + patches.suse/0001-bcache-add-cond_resched-in-__bch_cache_cmp.patch + patches.suse/0002-bcache-Fix-an-error-code-in-bch_dump_read.patch + patches.suse/0003-closures-fix-a-race-on-wakeup-from-closure_sync.patch patches.suse/0001-md-raid0-avoid-RAID0-data-corruption-due-to-layout-c.patch patches.suse/mmc-sdhci-Fix-incorrect-switch-to-HS-mode.patch patches.suse/ALSA-firewire-tascam-handle-error-code-when-getting-.patch @@ -50742,6 +50835,7 @@ patches.suse/ALSA-hda-hdmi-remove-redundant-assignment-to-variabl.patch patches.suse/Add-Acer-Aspire-Ethos-8951G-model-quirk.patch patches.suse/ASoC-es8328-Fix-copy-paste-error-in-es8328_right_lin.patch + patches.suse/ASoC-cs4349-Use-PM-ops-cs4349_runtime_pm.patch patches.suse/ASoC-wm8737-Fix-copy-paste-error-in-wm8737_snd_contr.patch patches.suse/ASoC-Intel-Fix-use-of-potentially-uninitialized-vari.patch patches.suse/ASoC-Intel-NHLT-Fix-debug-print-format.patch @@ -50797,6 +50891,7 @@ patches.suse/KVM-PPC-Book3S-HV-Check-for-MMU-ready-on-piggybacked.patch patches.suse/KVM-PPC-Book3S-HV-Don-t-lose-pending-doorbell-reques.patch patches.suse/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op + patches.suse/usb-host-xhci-hub-fix-extra-endianness-conversion.patch patches.suse/0001-usbip-Implement-SG-support-to-vhci-hcd-and-stub-driv.patch patches.suse/USB-usbcore-Fix-slab-out-of-bounds-bug-during-device.patch patches.suse/tty-serial-fsl_lpuart-Use-appropriate-lpuart32_-I-O-.patch @@ -50890,6 +50985,7 @@ patches.suse/drm-msm-dsi-Fix-return-value-check-for-clk_get_paren.patch patches.suse/0001-drm-i915-gvt-update-vgpu-workload-head-pointer-corre.patch patches.suse/0002-drm-nouveau-kms-nv50-Don-t-create-MSTMs-for-eDP-conn.patch + patches.suse/PCI-rpaphp-Avoid-a-sometimes-uninitialized-warning.patch patches.suse/powerpc-powernv-Restrict-OPAL-symbol-map-to-only-be-.patch patches.suse/powerpc-pseries-Fix-cpu_hotplug_lock-acquisition-in-.patch patches.suse/powerpc-powernv-ioda-Fix-race-in-TCE-level-allocatio.patch @@ -51125,6 +51221,7 @@ patches.suse/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_se.patch patches.suse/thermal_hwmon-Sanitize-thermal_zone-type.patch patches.suse/thermal-Fix-use-after-free-when-unregistering-therma.patch + patches.suse/0001-Revert-locking-pvqspinlock-Don-t-wait-if-vCPU-is-pre.patch patches.suse/9p-avoid-attaching-writeback_fid-on-mmap-with-type-P.patch patches.suse/nfsd-handle-drc-over-allocation-gracefully.patch patches.suse/nfsd-degraded-slot-count-more-gracefully-as-allocati.patch @@ -51190,6 +51287,7 @@ patches.suse/net-Unpublish-sk-from-sk_reuseport_cb-before-call_rc.patch patches.suse/ieee802154-atusb-fix-use-after-free-at-disconnect.patch patches.suse/ieee802154-ca8210-prevent-memory-leak.patch + patches.suse/nl80211-validate-beacon-head.patch patches.suse/nl80211-fix-null-pointer-dereference.patch patches.suse/mac80211-fix-txq-null-pointer-dereference.patch patches.suse/net-sched-cbs-Avoid-division-by-zero-when-calculatin.patch @@ -51265,6 +51363,7 @@ patches.suse/USB-iowarrior-fix-use-after-free-after-driver-unbind.patch patches.suse/USB-yurex-fix-NULL-derefs-on-disconnect.patch patches.suse/serial-uartlite-fix-exit-path-null-pointer.patch + patches.suse/tty-n_hdlc-fix-build-on-SPARC.patch patches.suse/serial-mctrl_gpio-Check-for-NULL-pointer.patch patches.suse/serial-fix-kernel-doc-warning-in-comments.patch patches.suse/staging-bcm2835-audio-Fix-draining-behavior-regressi.patch @@ -51299,6 +51398,7 @@ patches.suse/ceph-just-skip-unrecognized-info-in-ceph_reply_info_extra.patch patches.suse/filldir-remove-WARN_ON_ONCE-for-bad-directory-entries.patch patches.suse/0001-md-raid0-fix-warning-message-for-parameter-default_l.patch + patches.suse/drivers-base-memory.c-don-t-access-uninitialized-mem.patch patches.suse/ocfs2-fix-panic-due-to-ocfs2_wq-is-null.patch patches.suse/net-dsa-b53-Do-not-clear-existing-mirrored-port-mask.patch patches.suse/net_sched-fix-backward-compatibility-for-TCA_ACT_KIN.patch @@ -51306,6 +51406,7 @@ patches.suse/mac80211-Reject-malformed-SSID-elements.patch patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch patches.suse/mac80211-accept-deauth-frames-in-IBSS-mode.patch + patches.suse/bonding-fix-potential-NULL-deref-in-bond_update_slav.patch patches.suse/phylink-fix-kernel-doc-warnings.patch patches.suse/act_mirred-Fix-mirred_init_module-error-handling.patch patches.suse/net-smc-fix-smcd-link-group-creation-with-vlan-id.patch @@ -51371,6 +51472,7 @@ patches.suse/net-mlx5-prevent-memory-leak-in-mlx5_fpga_conn_creat.patch patches.suse/r8152-add-device-id-for-Lenovo-ThinkPad-USB-C-Dock-G.patch patches.suse/net-openvswitch-free-vport-unless-register_netdevice.patch + patches.suse/bonding-fix-unexpected-IFF_BONDING-bit-unset.patch patches.suse/net-smc-fix-closing-of-fallback-smc-sockets patches.suse/net-smc-keep-vlan_id-for-smc-r-in-smc_listen_work patches.suse/netns-fix-GFP-flags-in-rtnl_net_notifyid.patch @@ -51424,6 +51526,7 @@ patches.suse/0005-drm-radeon-fix-si_enable_smc_cac-failed-issue.patch patches.suse/ALSA-bebob-fix-to-detect-configured-source-of-sampli.patch patches.suse/ALSA-hda-ca0132-Fix-possible-workqueue-stall.patch + patches.suse/ALSA-hda-hdmi-add-Tigerlake-support.patch patches.suse/ALSA-timer-Fix-incorrectly-assigned-timer-instance.patch patches.suse/ASoC-msm8916-wcd-analog-Fix-RX1-selection-in-RDAC2-M.patch patches.suse/ASoC-compress-fix-unsigned-integer-overflow-check.patch @@ -51462,6 +51565,7 @@ patches.suse/net-hns-Fix-the-stray-netpoll-locks-causing-deadlock.patch patches.suse/ipv4-Fix-table-id-reference-in-fib_sync_down_addr.patch patches.suse/net-ethernet-octeon_mgmt-Account-for-second-possible.patch + patches.suse/mac80211-fix-ieee80211_txq_setup_flows-failure-path.patch patches.suse/mac80211-fix-station-inactive_time-shortly-after-boo.patch patches.suse/vsock-virtio-fix-sock-refcnt-holding-during-the-shut.patch patches.suse/net-fix-data-race-in-neigh_event_send.patch @@ -51469,6 +51573,7 @@ patches.suse/ice-fix-potential-infinite-loop-because-loop-counter.patch patches.suse/watchdog-meson-Fix-the-wrong-value-of-left-time.patch patches.suse/0001-btrfs-tree-checker-Fix-wrong-check-on-max-devid.patch + patches.suse/pinctrl-cherryview-Fix-irq_valid_mask-calculation.patch patches.suse/pinctrl-cherryview-Allocate-IRQ-chip-dynamic.patch patches.suse/SMB3-Fix-persistent-handles-reconnect.patch patches.suse/stacktrace-don-t-skip-first-entry-on-noncurrent-tasks.patch @@ -51518,6 +51623,11 @@ patches.suse/ecryptfs_lookup_interpose-lower_dentry-d_inode-is-no.patch patches.suse/ecryptfs_lookup_interpose-lower_dentry-d_parent-is-n.patch patches.suse/drm-i915-gvt-fix-dropping-obj-reference-twice.patch + patches.suse/drm-sun4i-tcon-Set-min-division-of-TCON0_DCLK-to-1.patch + patches.suse/ALSA-usb-audio-Fix-missing-error-check-at-mixer-reso.patch + patches.suse/ALSA-hda-Add-Cometlake-S-PCI-ID.patch + patches.suse/ALSA-hda-hdmi-fix-pin-setup-on-Tigerlake.patch + patches.suse/ALSA-usb-audio-not-submit-urb-for-stopped-endpoint.patch patches.suse/ALSA-pcm-Fix-stream-lock-usage-in-snd_pcm_period_ela.patch patches.suse/ALSA-usb-audio-Fix-incorrect-NULL-check-in-create_ya.patch patches.suse/ALSA-usb-audio-Fix-incorrect-size-check-for-processi.patch @@ -51552,6 +51662,8 @@ patches.suse/net-mlx5-Update-the-list-of-the-PCI-supported-device-b7eca940.patch patches.suse/0001-nfc-port100-handle-command-failure-cleanly.patch patches.suse/sfc-Only-cancel-the-PPS-workqueue-if-it-exists.patch + patches.suse/msft-hv-1986-hv_netvsc-Fix-offset-usage-in-netvsc_send_table.patch + patches.suse/msft-hv-1987-hv_netvsc-Fix-send_table-offset-in-case-of-a-host-bu.patch patches.suse/net-rtnetlink-prevent-underflows-in-do_setvfinfo.patch patches.suse/0001-virtio_ring-fix-return-code-on-DMA-mapping-fails.patch patches.suse/virtio_console-allocate-inbufs-in-add_port-only-if-i.patch @@ -51559,6 +51671,17 @@ patches.suse/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-CPU.patch patches.suse/blk-mq-make-sure-that-line-break-can-be-printed.patch patches.suse/loop-fix-no-unmap-write-zeroes-request-behavior.patch + patches.suse/0004-bcache-fix-a-lost-wake-up-problem-caused-by-mca_cann.patch + patches.suse/0005-bcache-fix-static-checker-warning-in-bcache_device_f.patch + patches.suse/0006-bcache-add-more-accurate-error-messages-in-read_supe.patch + patches.suse/0007-bcache-deleted-code-comments-for-dead-code-in-bch_da.patch + patches.suse/0008-bcache-add-code-comment-bch_keylist_pop-and-bch_keyl.patch + patches.suse/0009-bcache-fix-deadlock-in-bcache_allocator.patch + patches.suse/0010-bcache-add-code-comments-in-bch_btree_leaf_dirty.patch + patches.suse/0011-bcache-add-idle_max_writeback_rate-sysfs-interface.patch + patches.suse/0012-bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch + patches.suse/0013-bcache-remove-the-extra-cflags-for-request.o.patch + patches.suse/0014-bcache-don-t-export-symbols.patch patches.suse/nbd-prevent-memory-leak.patch patches.suse/mtd-spear_smi-Fix-Write-Burst-mode.patch patches.suse/mtd-spi-nor-fix-silent-truncation-in-spi_nor_read.patch @@ -51566,7 +51689,9 @@ patches.suse/Btrfs-fix-negative-subv_writers-counter-and-data-spa.patch patches.suse/0001-btrfs-volumes-Use-more-straightforward-way-to-calcul.patch patches.suse/0002-btrfs-Ensure-we-trim-ranges-across-block-group-bound.patch + patches.suse/Btrfs-send-skip-backreference-walking-for-extents-wi.patch patches.suse/Btrfs-fix-block-group-remaining-RO-forever-after-err.patch + patches.suse/btrfs-record-all-roots-for-rename-exchange-on-a-subv.patch patches.suse/s390-unwind-fix-get_stack_pointernull-null.patch patches.suse/s390-process-avoid-custom-stack-unwinding-in-get_wchan.patch patches.suse/s390-mm-properly-clear-page_noexec-bit-when-it-is-not-supported @@ -51655,6 +51780,7 @@ patches.suse/ALSA-firewire-motu-Correct-a-typo-in-the-clock-proc-.patch patches.suse/ALSA-6fire-Drop-the-dead-code.patch patches.suse/ALSA-pcm-Yet-another-missing-check-of-non-cached-buf.patch + patches.suse/ALSA-hda-hdmi-Clean-up-Intel-platform-specific-fixup.patch patches.suse/ALSA-usb-audio-Add-skip_validation-option.patch patches.suse/ALSA-hda-hdmi-fix-port-numbering-for-ICL-and-TGL-pla.patch patches.suse/ALSA-hda-hdmi-remove-redundant-code-comments.patch @@ -51672,6 +51798,8 @@ patches.suse/media-vim2m-Fix-abort-issue.patch patches.suse/media-cec.h-CEC_OP_REC_FLAG_-values-were-swapped.patch patches.suse/0001-media-ov6650-Fix-control-handler-not-freed-on-init-e.patch + patches.suse/0001-media-ov6650-Fix-crop-rectangle-alignment-not-passed.patch + patches.suse/0001-media-ov6650-Fix-incorrect-use-of-JPEG-colorspace.patch patches.suse/media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch patches.suse/media-usbvision-Fix-races-among-open-close-and-disco.patch patches.suse/media-ti-vpe-vpe-Fix-Motion-Vector-vpdma-stride.patch @@ -51683,8 +51811,10 @@ patches.suse/media-radio-wl1273-fix-interrupt-masking-on-release.patch patches.suse/media-exynos4-is-Fix-recursive-locking-in-isp_video_.patch patches.suse/media-vivid-Fix-wrong-locking-that-causes-race-condi.patch + patches.suse/0001-media-exynos4-is-fix-wrong-mdev-and-v4l2-dev-order-i.patch patches.suse/0001-b2c2-flexcop-usb-add-sanity-checking.patch patches.suse/media-flexcop-usb-ensure-EIO-is-returned-on-error-co.patch + patches.suse/media-v4l2-ioctl.c-zero-reserved-fields-for-S-TRY_FM.patch patches.suse/pinctl-ti-iodelay-fix-error-checking-on-pinctrl_coun.patch patches.suse/pinctrl-samsung-Fix-device-node-refcount-leaks-in-S3.patch patches.suse/0035-pinctrl-samsung-Fix-device-node-refcount-leaks-in-S3.patch @@ -51719,6 +51849,7 @@ patches.suse/USB-uas-honor-flag-to-avoid-CAPACITY16.patch patches.suse/USB-uas-heed-CAPACITY_HEURISTICS.patch patches.suse/USB-documentation-flags-on-usb-storage-versus-UAS.patch + patches.suse/usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch patches.suse/mei-fix-modalias-documentation.patch patches.suse/mei-bus-prefix-device-names-on-bus-with-the-bus-name.patch patches.suse/ppdev-fix-PPGETTIME-PPSETTIME-ioctls.patch @@ -51765,7 +51896,9 @@ patches.suse/drm-radeon-fix-bad-DMA-from-INTERRUPT_CNTL2.patch patches.suse/0006-drm-amdgpu-fix-bad-DMA-from-INTERRUPT_CNTL2.patch patches.suse/iomap-Fix-pipe-page-leakage-during-splicing.patch + patches.suse/jbd2-Fix-possible-overflow-in-jbd2_log_space_left.patch patches.suse/ext4-update-direct-I-O-read-lock-pattern-for-IOCB_NO.patch + patches.suse/ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch patches.suse/ext4-add-more-paranoia-checking-in-ext4_expand_extra.patch patches.suse/ext4-work-around-deleting-a-file-with-i_nlink-0-safe.patch patches.suse/cifs-add-support-for-flock.patch @@ -51783,6 +51916,9 @@ patches.suse/cifs-Fix-lookup-of-root-ses-in-DFS-referral-cache.patch patches.suse/cifs-Fix-potential-softlockups-while-refreshing-DFS-cache.patch patches.suse/cifs-Fix-retrieval-of-DFS-referrals-in-cifs_mount-.patch + patches.suse/quota-fix-livelock-in-dquot_writeback_dquots.patch + patches.suse/quota-Check-that-quota-is-not-dirty-before-release.patch + patches.suse/ext2-check-err-when-partial-NULL.patch patches.suse/powerpc-papr_scm-Fix-an-off-by-one-check-in-papr_scm.patch patches.suse/powerpc-pkeys-remove-unused-pkey_allows_readwrite.patch patches.suse/powerpc-pseries-Don-t-opencode-HPTE_V_BOLTED.patch @@ -51795,9 +51931,19 @@ patches.suse/powerpc-security-Fix-debugfs-data-leak-on-32-bit.patch patches.suse/powerpc-Allow-flush_icache_range-to-work-across-rang.patch patches.suse/powerpc-Allow-64bit-VDSO-__kernel_sync_dicache-to-wo.patch + patches.suse/powerpc-pseries-Fix-bad-drc_index_start-value-parsin.patch + patches.suse/powerpc-pseries-Fix-drc-info-mappings-of-logical-cpu.patch + patches.suse/powerpc-pseries-Add-cpu-DLPAR-support-for-drc-info-p.patch + patches.suse/PCI-rpaphp-Fix-up-pointer-to-first-drc-info-entry.patch + patches.suse/PCI-rpaphp-Don-t-rely-on-firmware-feature-to-imply-d.patch + patches.suse/PCI-rpaphp-Add-drc-info-support-for-hotplug-slot-reg.patch + patches.suse/PCI-rpaphp-Annotate-and-correctly-byte-swap-DRC-prop.patch + patches.suse/PCI-rpaphp-Correctly-match-ibm-my-drc-index-to-drc-n.patch + patches.suse/powerpc-pseries-Enable-support-for-ibm-drc-info-prop.patch patches.suse/powerpc-security-Fix-wrong-message-when-RFI-Flush-is.patch patches.suse/powerpc-pseries-Drop-pointless-static-qualifier-in-v.patch patches.suse/powerpc-xive-Prevent-page-fault-issues-in-the-machin.patch + patches.suse/powerpc-pseries-hotplug-memory-Change-rc-variable-to.patch patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch patches.suse/powerpc-mm-drop-ifdef-CONFIG_MMU-in-is_ioremap_addr.patch patches.suse/powerpc-powernv-Disable-native-PCIe-port-management.patch @@ -51808,7 +51954,11 @@ patches.suse/gpio-mpc8xxx-Don-t-overwrite-default-irq_set_type-ca.patch patches.suse/platform-x86-hp-wmi-Fix-ACPI-errors-caused-by-too-sm.patch patches.suse/platform-x86-hp-wmi-Fix-ACPI-errors-caused-by-passin.patch + patches.suse/cdrom-respect-device-capabilities-during-opening-act.patch + patches.suse/sr_vendor-support-Beurer-GL50-evo-CD-on-a-chip-devic.patch + patches.suse/libnvdimm-namespace-Differentiate-between-probe-mapp.patch patches.suse/libnvdimm-export-the-target_node-attribute-for-regions-and-namespaces.patch + patches.suse/Input-synaptics-rmi4-simplify-data-read-in-rmi_f54_w.patch patches.suse/Input-synaptics-switch-another-X1-Carbon-6-to-RMI-SM.patch patches.suse/tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch patches.suse/net-sched-fix-tc-s-class-show-no-bstats-on-class-wit.patch @@ -51918,6 +52068,7 @@ patches.suse/s390-unwind-filter-out-unreliable-bogus-r14.patch patches.suse/s390-unwind-add-stack-pointer-alignment-sanity-checks.patch patches.suse/s390-livepatch-implement-reliable-stack-tracing-for-the-consistency-model.patch + patches.suse/rtc-msm6242-Fix-reading-of-10-hour-digit.patch patches.suse/0001-PCI-pciehp-Avoid-returning-prematurely-from-sysfs-re.patch patches.suse/PCI-pciehp-Do-not-disable-interrupt-twice-on-suspend.patch patches.suse/ACPI-hotplug-PCI-Allocate-resources-directly-under-t.patch @@ -51925,6 +52076,7 @@ patches.suse/PCI-MSI-Fix-incorrect-MSI-X-masking-on-resume.patch patches.suse/PCI-PM-Clear-PCIe-PME-Status-even-for-legacy-power-m.patch patches.suse/PCI-Fix-Intel-ACS-quirk-UPDCR-register-address.patch + patches.suse/PCI-Add-DMA-alias-quirk-for-Intel-VCA-NTB.patch patches.suse/PCI-Apply-Cavium-ACS-quirk-to-ThunderX2-and-ThunderX.patch patches.suse/PCI-dwc-Fix-find_next_bit-usage.patch patches.suse/PCI-rcar-Fix-missing-MACCTLR-register-setting-in-ini.patch @@ -51932,6 +52084,10 @@ patches.suse/tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_.patch patches.suse/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch patches.suse/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch + patches.suse/serial-pl011-Fix-DMA-flush_buffer.patch + patches.suse/serial-ifx6x60-add-missed-pm_runtime_disable.patch + patches.suse/serial-serial_core-Perform-NULL-checks-for-break_ctl.patch + patches.suse/tty-vt-keyboard-reject-invalid-keycodes.patch patches.suse/ACPI-OSL-only-free-map-once-in-osl.c.patch patches.suse/ACPI-bus-Fix-NULL-pointer-check-in-acpi_bus_get_priv.patch patches.suse/ACPI-sysfs-Change-ACPI_MASKABLE_GPE_MAX-to-0x100.patch @@ -51939,6 +52095,10 @@ patches.suse/drm-limit-to-INT_MAX-in-create_blob-ioctl.patch patches.suse/thermal-Fix-deadlock-in-thermal-thermal_zone_device_.patch patches.suse/moduleparam-fix-parameter-description-mismatch.patch + patches.suse/fsnamei.c-pull-positivity-check-into-follow_managed.patch + patches.suse/new-helper-lookup_positive_unlocked.patch + patches.suse/fix-dget_parent-fastpath-race.patch + patches.suse/fsnamei.c-fix-missing-barriers-when-checking-positivity.patch patches.suse/0001-xen-blkback-Avoid-unmapping-unmapped-grant-pages.patch patches.suse/0001-drm-msm-include-linux-sched-task.h.patch patches.suse/0002-drm-radeon-fix-r1xx-r2xx-register-checker-for-POT-te.patch @@ -51971,6 +52131,7 @@ patches.suse/net-mlx5e-Fix-SFF-8472-eeprom-length.patch patches.suse/inet-protect-against-too-small-mtu-values.patch patches.suse/net-ethernet-ti-cpsw-fix-extra-rx-interrupt.patch + patches.suse/vhost-vsock-accept-only-packets-with-the-right-dst_c.patch patches.suse/dma-buf-Fix-memory-leak-in-sync_file_merge.patch patches.suse/drm-meson-venc-cvbs-fix-CVBS-mode-matching.patch patches.suse/ALSA-echoaudio-simplify-get_audio_levels.patch @@ -51978,18 +52139,26 @@ patches.suse/ALSA-fireface-fix-return-value-in-error-path-of-isoc.patch patches.suse/ALSA-hda-hdmi-Fix-duplicate-unref-of-pci_dev.patch patches.suse/ALSA-hda-realtek-Line-out-jack-doesn-t-work-on-a-Del.patch + patches.suse/ACPI-PM-Avoid-attaching-ACPI-PM-domain-to-certain-de.patch patches.suse/smb3-fix-refcount-underflow-warning-on-unmount-when-no-directory-le.patch patches.suse/SMB3-Fix-crash-in-SMB2_open_init-due-to-uninitialized-field-in-comp.patch patches.suse/CIFS-Close-cached-root-handle-only-if-it-has-a-lease.patch + patches.suse/0001-usb-roles-fix-a-potential-use-after-free.patch patches.suse/usb-core-urb-fix-URB-structure-initialization-functi.patch patches.suse/usb-mon-Fix-a-deadlock-in-usbmon-between-mmap-and-re.patch patches.suse/USB-serial-io_edgeport-fix-epic-endpoint-lookup.patch patches.suse/USB-idmouse-fix-interface-sanity-checks.patch patches.suse/USB-adutux-fix-interface-sanity-check.patch + patches.suse/USB-atm-ueagle-atm-add-missing-endpoint-check.patch patches.suse/usb-dwc3-ep0-Clear-started-flag-on-completion.patch + patches.suse/xhci-Fix-memory-leak-in-xhci_add_in_port.patch + patches.suse/xhci-fix-USB3-device-initiated-resume-race-with-root.patch patches.suse/usb-xhci-only-set-D3hot-for-pci-device.patch patches.suse/xhci-Increase-STS_HALT-timeout-in-xhci_suspend.patch patches.suse/xhci-handle-some-XHCI_TRUST_TX_LENGTH-quirks-cases-a.patch + patches.suse/xhci-make-sure-interrupts-are-restored-to-correct-st.patch + patches.suse/iio-adc-max9611-Fix-too-short-conversion-time-delay.patch + patches.suse/staging-rtl8188eu-fix-interface-sanity-check.patch patches.suse/scsi-qla2xxx-Correctly-retrieve-and-interpret-active.patch patches.suse/scsi-qla2xxx-Added-support-for-MPI-and-PEP-regions-f.patch patches.suse/scsi-qla2xxx-Fix-incorrect-SFUB-length-used-for-Secu.patch @@ -52008,15 +52177,26 @@ patches.suse/0013-scsi-qla2xxx-Add-debug-dump-of-LOGO-payload-and-ELS-.patch patches.suse/scsi-libsas-stop-discovering-if-oob-mode-is-disconnected patches.suse/IB-mlx5-Fix-steering-rule-of-drop-and-count.patch + patches.suse/regulator-rn5t618-fix-module-aliases.patch + patches.suse/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch + patches.suse/btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch + patches.suse/Btrfs-fix-missing-data-checksums-after-replaying-a-l.patch + patches.suse/Btrfs-make-tree-checker-detect-checksum-items-with-o.patch patches.suse/Btrfs-fix-removal-logic-of-the-tree-mod-log-that-lea.patch + patches.suse/btrfs-abort-transaction-after-failed-inode-updates-i.patch + patches.suse/btrfs-handle-ENOENT-in-btrfs_uuid_tree_iterate.patch + patches.suse/btrfs-skip-log-replay-on-orphaned-roots.patch patches.suse/ALSA-pcm-Avoid-possible-info-leaks-from-PCM-stream-b.patch patches.suse/ALSA-hda-ca0132-Keep-power-on-during-processing-DSP-.patch patches.suse/ALSA-hda-ca0132-Avoid-endless-loop.patch patches.suse/ALSA-hda-ca0132-Fix-work-handling-in-delayed-HP-dete.patch patches.suse/ALSA-hda-Downgrade-error-message-for-single-cmd-fall.patch patches.suse/ASoC-wm8962-fix-lambda-value.patch + patches.suse/0001-USB-EHCI-Do-not-return-EPIPE-when-hub-is-disconnecte.patch patches.suse/usbip-Fix-receive-error-in-vhci-hcd-when-using-scatt.patch + patches.suse/0001-usbip-Fix-error-path-of-vhci_recv_ret_submit.patch patches.suse/usb-xhci-Fix-build-warning-seen-with-CONFIG_PM-n.patch + patches.suse/tty-serial-msm_serial-Fix-lockup-for-sysrq-and-oops.patch patches.suse/Revert-mmc-sdhci-Fix-incorrect-switch-to-HS-mode.patch patches.suse/mmc-mediatek-fix-CMD_TA-to-2-for-MT8173-HS200-HS400-.patch patches.suse/mmc-sdhci-of-esdhc-Revert-mmc-sdhci-of-esdhc-add-err.patch @@ -52039,21 +52219,42 @@ patches.suse/s390-unwind-stop-gracefully-at-user-mode-pt_regs-in-irq-stack.patch patches.suse/s390-ftrace-save-traced-function-caller.patch patches.suse/tracing-have-the-histogram-compare-functions-convert-to-u64-first.patch + patches.suse/sctp-fully-initialize-v4-addr-in-some-functions.patch patches.suse/netfilter-nf_queue-enqueue-skbs-with-NULL-dst.patch + patches.suse/af_packet-set-defaule-value-for-tmo.patch patches.suse/fjes-fix-missed-check-in-fjes_acpi_add.patch patches.suse/bnxt_en-Fix-MSIX-request-logic-for-RDMA-driver.patch patches.suse/bnxt_en-Return-error-if-FW-returns-more-data-than-du.patch + patches.suse/net-ena-fix-napi-handler-misbehavior-when-the-napi-b.patch + patches.suse/net-usb-lan78xx-Fix-suspend-resume-PHY-register-acce.patch + patches.suse/qede-Fix-multicast-mac-configuration.patch patches.suse/bnxt-apply-computed-clamp-value-for-coalece-paramete.patch patches.suse/net-ibmvnic-Fix-typo-in-retry-check.patch + patches.suse/6pack-mkiss-fix-possible-deadlock.patch + patches.suse/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch + patches.suse/msft-hv-1997-hv_netvsc-Fix-tx_table-init-in-rndis_set_subchannel.patch patches.suse/bonding-fix-active-backup-transition-after-link-fail.patch + patches.suse/gtp-do-not-allow-adding-duplicate-tid-and-ms_addr-pd.patch + patches.suse/gtp-fix-wrong-condition-in-gtp_genl_dump_pdp.patch + patches.suse/gtp-fix-an-use-after-free-in-ipv4_pdp_find.patch + patches.suse/gtp-avoid-zero-size-hashtable.patch patches.suse/mwifiex-fix-possible-heap-overflow-in-mwifiex_proces.patch patches.suse/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_a.patch + patches.suse/net-qlogic-Fix-error-paths-in-ql_alloc_large_buffers.patch + patches.suse/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-b.patch patches.suse/net-sysctl-Fix-compiler-warning-when-only-cBPF-is-pr.patch + patches.suse/net-hisilicon-Fix-a-BUG-trigered-by-wrong-bytes_comp.patch patches.suse/qede-Disable-hardware-gro-when-xdp-prog-is-installed.patch + patches.suse/mod_devicetable-fix-PHY-module-format.patch + patches.suse/msft-hv-1998-hv_netvsc-Fix-unwanted-rx_table-reset.patch + patches.suse/net-dst-Force-4-byte-alignment-of-dst_metrics.patch patches.suse/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-feature-spec_ctrl_ssbd + patches.suse/ext4-check-for-directory-entries-too-close-to-block-.patch patches.suse/gpio-Fix-error-message-on-out-of-range-GPIO-in-looku.patch patches.suse/scsi-lpfc-fix-build-failure-with-DEBUGFS-disabled.patch + patches.suse/udp-fix-integer-overflow-while-computing-available-s.patch patches.suse/net-mlxfw-Fix-out-of-memory-error-in-mfa2-flash-burn.patch + patches.suse/pstore-ram-Write-new-dumps-to-start-of-recycled-zone.patch patches.suse/0001-drm-sun4i-hdmi-Remove-duplicate-cleanup-calls.patch patches.suse/ALSA-hda-realtek-Add-headset-Mic-no-shutup-for-ALC28.patch patches.suse/ALSA-usb-audio-fix-set_format-altsetting-sanity-chec.patch @@ -52064,33 +52265,60 @@ patches.suse/ALSA-hda-realtek-Enable-the-bass-speaker-of-ASUS-UX4.patch patches.suse/exit-panic-before-exit_mm-on-global-init-exit.patch patches.suse/Btrfs-fix-infinite-loop-during-nocow-writeback-due-t.patch + patches.suse/0001-media-cec-CEC-2.0-only-bcast-messages-were-ignored.patch + patches.suse/0001-media-pulse8-cec-fix-lost-cec_transmit_attempt_done-.patch + patches.suse/dmaengine-Fix-access-to-uninitialized-dma_slave_caps.patch + patches.suse/arm64-Revert-support-for-execute-only-user-mappings.patch + patches.suse/watchdog-max77620_wdt-fix-potential-build-errors.patch + patches.suse/watchdog-rn5t618_wdt-fix-module-aliases.patch patches.suse/ftrace-avoid-potential-division-by-zero-in-function-profiler.patch patches.suse/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch + patches.suse/can-can_dropped_invalid_skb-ensure-an-initialized-he.patch patches.suse/can-gs_usb-gs_usb_probe-use-descriptors-of-current-a.patch patches.suse/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-retu.patch patches.suse/mlxsw-spectrum_qdisc-Ignore-grafting-of-invisible-FI.patch + patches.suse/macvlan-do-not-assume-mac_header-is-set-in-macvlan_b.patch patches.suse/HID-hidraw-Fix-returning-EPOLLOUT-from-hidraw_poll.patch patches.suse/HID-uhid-Fix-returning-EPOLLOUT-from-uhid_char_poll.patch patches.suse/RDMA-bnxt_re-Avoid-freeing-MR-resources-if-dereg-fai.patch patches.suse/IB-hfi1-Don-t-cancel-unused-work-item.patch patches.suse/drm-dp_mst-correct-the-shifting-in-DP_REMOTE_I2C_REA.patch + patches.suse/drm-sun4i-tcon-Set-RGB-DCLK-min.-divider-based-on-ha.patch patches.suse/drm-fb-helper-Round-up-bits_per_pixel-if-possible.patch patches.suse/ALSA-hda-realtek-Add-new-codec-supported-for-ALCS120.patch patches.suse/ALSA-usb-audio-Apply-the-sample-rate-quirk-for-Bose-.patch patches.suse/ALSA-hda-realtek-Set-EAPD-control-to-default-for-ALC.patch patches.suse/ALSA-hda-realtek-Add-quirk-for-the-bass-speaker-on-L.patch + patches.suse/staging-comedi-adv_pci1710-fix-AI-channels-16-31-for.patch + patches.suse/chardev-Avoid-potential-use-after-free-in-chrdev_ope.patch + patches.suse/0001-USB-core-fix-check-for-duplicate-endpoints.patch + patches.suse/usb-musb-dma-Correct-parameter-passed-to-IRQ-handler.patch + patches.suse/usb-chipidea-host-Disable-port-power-only-if-previou.patch + patches.suse/0001-USB-serial-option-add-Telit-ME910G1-0x110a-compositi.patch + patches.suse/0001-USB-serial-option-add-ZLP-support-for-0x1bc7-0x9010.patch + patches.suse/usb-musb-fix-idling-for-suspend-after-disconnect-int.patch patches.suse/HID-hidraw-uhid-Always-report-EPOLLOUT.patch patches.suse/iommu-remove-device-link-to-group-on-failure patches.suse/iommu-vt-d-unlink-device-if-failed-to-add-to-group patches.suse/drm-i915-gen9-Clear-residual-context-state-on-contex.patch patches.suse/mm-debug_pagealloc-don-t-rely-on-static-keys-too-ear.patch + patches.suse/fix-autofs-regression-caused-by-follow_managed-changes.patch patches.suse/platform-x86-asus-wmi-Fix-keyboard-brightness-cannot.patch + patches.suse/clk-Don-t-try-to-enable-critical-clocks-if-prepare-f.patch + patches.suse/clk-mmp2-Fix-the-order-of-timer-mux-parents.patch + patches.suse/soc-ti-wkup_m3_ipc-Fix-race-condition-with-rproc_boo.patch patches.suse/ALSA-usb-audio-fix-sync-ep-altsetting-sanity-check.patch patches.suse/ALSA-seq-Fix-racy-access-for-queue-timer-in-proc-rea.patch + patches.suse/ASoC-msm8916-wcd-analog-Fix-selected-events-for-MIC-.patch patches.suse/0001-btrfs-relocation-fix-reloc_root-lifespan-and-access.patch + patches.suse/usb-core-hub-Improved-device-recognition-on-remote-w.patch + patches.suse/USB-serial-simple-Add-Motorola-Solutions-TETRA-MTP3x.patch + patches.suse/USB-serial-option-Add-support-for-Quectel-RM500Q.patch patches.suse/USB-serial-opticon-fix-control-message-timeouts.patch + patches.suse/0001-USB-serial-option-add-support-for-Quectel-RM500Q-in-.patch patches.suse/USB-serial-suppress-driver-bind-attributes.patch patches.suse/USB-serial-ch341-handle-unbound-port-at-reset_resume.patch + patches.suse/USB-serial-io_edgeport-handle-unbound-ports-on-URB-c.patch patches.suse/USB-serial-io_edgeport-add-missing-active-port-sanit.patch patches.suse/USB-serial-keyspan-handle-unbound-ports.patch patches.suse/USB-serial-quatech2-handle-unbound-ports.patch @@ -52098,14 +52326,129 @@ patches.suse/x86-resctrl-fix-an-imbalance-in-domain_remove_cpu.patch patches.suse/x86-resctrl-fix-potential-memory-leak.patch patches.suse/drm-i915-Add-missing-include-file-linux-math64.h.patch + patches.suse/sh_eth-check-sh_eth_cpu_data-dual_port-when-dumping-.patch + patches.suse/qmi_wwan-Add-support-for-Quectel-RM500Q.patch patches.suse/NFC-pn533-fix-bulk-message-timeout.patch patches.suse/net-usb-lan78xx-limit-size-of-local-TSO-packets.patch patches.suse/r8152-add-missing-endpoint-sanity-check.patch + patches.suse/mac80211-mesh-restrict-airtime-metric-to-peered-esta.patch + patches.suse/wireless-fix-enabling-channel-12-for-custom-regulato.patch + patches.suse/mac80211-Fix-TKIP-replay-protection-immediately-afte.patch + patches.suse/wireless-wext-avoid-gcc-O3-warning.patch + patches.suse/cfg80211-fix-deadlocks-in-autodisconnect-work.patch + patches.suse/cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch + patches.suse/cfg80211-check-for-set_wiphy_params.patch patches.suse/cfg80211-fix-page-refcount-issue-in-A-MSDU-decap.patch + patches.suse/batman-adv-Fix-DAT-candidate-selection-on-little-end.patch patches.suse/bpf-sockmap-Read-psock-ingress_msg-before-sk_receive.patch patches.suse/bpf-Fix-incorrect-verifier-simulation-of-ARSH-under-.patch - - # jejb/scsi for-next + patches.suse/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch + patches.suse/hwmon-nct7802-Fix-voltage-limits-to-wrong-registers.patch + patches.suse/hwmon-adt7475-Make-volt2reg-return-same-reg-as-reg2v.patch + patches.suse/hwmon-core-Do-not-use-device-managed-functions-for-m.patch + patches.suse/tracing-xen-ordered-comparison-of-function-pointers.patch + patches.suse/mmc-tegra-fix-SDR50-tuning-override.patch + patches.suse/mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch + patches.suse/powerpc-xive-Discard-ESB-load-value-when-interrupt-i.patch + patches.suse/iommu-amd-fix-iommu-perf-counter-clobbering-during-init + patches.suse/Input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_.patch + patches.suse/Input-pegasus_notetaker-fix-endpoint-sanity-check.patch + patches.suse/Input-aiptek-fix-endpoint-sanity-check.patch + patches.suse/Input-gtco-fix-endpoint-sanity-check.patch + patches.suse/Input-sur40-fix-interface-sanity-checks.patch + patches.suse/Revert-Input-synaptics-rmi4-don-t-increment-rmiaddr-.patch + patches.suse/Input-rmi_f54-read-from-FIFO-in-32-byte-blocks.patch + patches.suse/Input-keyspan-remote-fix-control-message-timeouts.patch + patches.suse/Input-pm8xxx-vib-fix-handling-of-separate-enable-reg.patch + patches.suse/0001-btrfs-scrub-Require-mandatory-block-group-RO-for-dev.patch + patches.suse/0001-btrfs-dev-replace-remove-warning-for-unknown-return-.patch + patches.suse/can-slip-Protect-tty-disc_data-in-write_wakeup-and-c.patch + patches.suse/r8152-get-default-setting-of-WOL-before-initializing.patch + patches.suse/libertas-Fix-two-buffer-overflows-at-parsing-bss-des.patch + patches.suse/iwlwifi-mvm-fix-NVM-check-for-3168-devices.patch + patches.suse/firestream-fix-memory-leaks.patch + patches.suse/do_last-fetch-directory--i_mode-and--i_uid-before-its-too-late.patch + patches.suse/mmc-spi-Toggle-SPI-polarity-do-not-hardcode-it.patch + patches.suse/livepatch-selftest-clean-up-shadow-variable-names-and-type.patch + patches.suse/livepatch-samples-selftest-use-klp_shadow_alloc-api-correctly.patch + patches.suse/regulator-rk808-Lower-log-level-on-optional-GPIOs-be.patch + patches.suse/ACPI-video-Do-not-export-a-non-working-backlight-int.patch + patches.suse/0015-lib-crc64-include-linux-crc64.h-for-crc64_be.patch + patches.suse/0016-bcache-add-code-comments-for-state-pool-in-__btree_s.patch + patches.suse/0017-bcache-avoid-unnecessary-btree-nodes-flushing-in-btr.patch + patches.suse/0018-bcache-print-written-and-keys-in-trace_bcache_btree_.patch + patches.suse/0019-bcache-remove-member-accessed-from-struct-btree.patch + patches.suse/0020-bcache-reap-c-btree_cache_freeable-from-the-tail-in-.patch + patches.suse/0021-bcache-reap-from-tail-of-c-btree_cache-in-bch_mca_sc.patch + patches.suse/clocksource-drivers-bcm2835_timer-Fix-memory-leak-of.patch + patches.suse/x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl_cpuid_clear + patches.suse/x86-resctrl-check-monitoring-static-key-in-the-mbm-overflow-handler.patch + patches.suse/Btrfs-fix-infinite-loop-during-fsync-after-rename-op.patch + patches.suse/ubifs-don-t-trigger-assertion-on-invalid-no-key-file.patch + patches.suse/crypto-pcrypt-Do-not-clear-MAY_SLEEP-flag-in-origina.patch + patches.suse/crypto-af_alg-Use-bh_lock_sock-in-sk_destruct.patch + patches.suse/crypto-api-Check-spawn-alg-under-lock-in-crypto_drop.patch + patches.suse/crypto-api-Fix-race-condition-in-crypto_spawn_alg.patch + patches.suse/crypto-picoxcell-adjust-the-position-of-tasklet_init.patch + patches.suse/crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch + patches.suse/crypto-atmel-sha-fix-error-handling-when-setting-hma.patch + patches.suse/crypto-caam-qi2-fix-typo-in-algorithm-s-driver-name.patch + patches.suse/ppp-Adjust-indentation-into-ppp_async_input.patch + patches.suse/NFC-pn544-Adjust-indentation-in-pn544_hci_check_pres.patch + patches.suse/brcmfmac-Fix-memory-leak-in-brcmf_p2p_create_p2pdev.patch + patches.suse/bcma-remove-set-but-not-used-variable-sizel.patch + patches.suse/brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch + patches.suse/mwifiex-delete-unused-mwifiex_get_intf_num.patch + patches.suse/brcmfmac-fix-interface-sanity-check.patch + patches.suse/orinoco_usb-fix-interface-sanity-check.patch + patches.suse/rtl8xxxu-fix-interface-sanity-check.patch + patches.suse/rsi_91x_usb-fix-interface-sanity-check.patch + patches.suse/zd1211rw-fix-storage-endpoint-lookup.patch + patches.suse/brcmfmac-Fix-memory-leak-in-brcmf_usbdev_qinit.patch + patches.suse/ath9k-fix-storage-endpoint-lookup.patch + patches.suse/Bluetooth-Fix-race-condition-in-hci_release_sock.patch + patches.suse/mwifiex-drop-most-magic-numbers-from-mwifiex_process.patch + patches.suse/brcmfmac-sdio-Fix-OOB-interrupt-initialization-on-br.patch + patches.suse/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch + patches.suse/ath10k-pci-Only-dump-ATH10K_MEM_REGION_TYPE_IOREG-wh.patch + patches.suse/ath10k-pci-Fix-comment-on-ath10k_pci_dump_memory_sra.patch + patches.suse/Revert-ath10k-fix-DMA-related-firmware-crashes-on-mu.patch + patches.suse/ath10k-Correct-the-DMA-direction-for-management-tx-b.patch + patches.suse/ALSA-control-remove-useless-assignment-in-.info-call.patch + patches.suse/ALSA-hda-constify-copied-structure.patch + patches.suse/ALSA-hda-Constify-snd_kcontrol_new-items.patch + patches.suse/ALSA-hda-Constify-snd_pci_quirk-tables.patch + patches.suse/ALSA-hda-constify-and-cleanup-static-NodeID-tables.patch + patches.suse/ALSA-sh-Fix-unused-variable-warnings.patch + patches.suse/ALSA-hda-realtek-Apply-mic-mute-LED-quirk-for-Dell-E.patch + patches.suse/ALSA-hda-realtek-More-constifications.patch + patches.suse/ALSA-hda-More-constifications.patch + patches.suse/ALSA-sh-Fix-compile-warning-wrt-const.patch + patches.suse/ALSA-hda-patch_realtek-fix-empty-macro-usage-in-if-b.patch + patches.suse/ALSA-hda-correct-kernel-doc-parameter-descriptions.patch + patches.suse/ALSA-hda-patch_hdmi-remove-warnings-with-empty-body.patch + patches.suse/ALSA-hda-analog-Minor-optimization-for-SPDIF-mux-con.patch + patches.suse/ALSA-hda-realtek-Add-Headset-Mic-supported-for-HP-cP.patch + patches.suse/ALSA-hda-hdmi-add-retry-logic-to-parse_intel_hdmi.patch + patches.suse/ALSA-hda-Add-docking-station-support-for-Lenovo-Thin.patch + patches.suse/ALSA-hda-Add-Clevo-W65_67SB-the-power_save-blacklist.patch + patches.suse/s390-ftrace-generate-traced-function-stack-frame.patch + patches.suse/pinctrl-sh-pfc-r8a7778-Fix-duplicate-SDSELF_B-and-SD.patch + patches.suse/usb-gadget-legacy-set-max_speed-to-super-speed.patch + patches.suse/usb-dwc3-turn-off-VBUS-when-leaving-host-mode.patch + patches.suse/usb-gadget-f_ncm-Use-atomic_t-to-track-in-flight-req.patch + patches.suse/usb-gadget-f_ecm-Use-atomic_t-to-track-in-flight-req.patch + patches.suse/phy-qualcomm-Adjust-indentation-in-read_poll_timeout.patch + patches.suse/usb-typec-tcpci-mask-event-interrupts-when-remove-dr.patch + patches.suse/USB-serial-ir-usb-add-missing-endpoint-sanity-check.patch + patches.suse/USB-serial-ir-usb-fix-link-speed-handling.patch + patches.suse/USB-serial-ir-usb-fix-IrLAP-framing.patch + patches.suse/serial-8250_bcm2835aux-Fix-line-mismatch-on-driver-u.patch + patches.suse/staging-vt6656-correct-packet-types-for-CTS-protect-.patch + patches.suse/staging-vt6656-use-NULLFUCTION-stack-on-mac80211.patch + patches.suse/staging-vt6656-Fix-false-Tx-excessive-retries-report.patch + patches.suse/staging-wlan-ng-ensure-error-return-is-actually-retu.patch + patches.suse/namei-only-return-ECHILD-from-follow_dotdot_rcu.patch patches.suse/scsi-qla2xxx-Remove-defer-flag-to-indicate-immeadiat.patch patches.suse/scsi-qla2xxx-Fix-fabric-scan-hang.patch patches.suse/scsi-qla2xxx-Add-a-shadow-variable-to-hold-disc_stat.patch @@ -52123,9 +52466,145 @@ patches.suse/scsi-qla2xxx-Improve-readability-of-the-code-that-ha.patch patches.suse/scsi-qla2xxx-Fix-the-endianness-of-the-qla82xx_get_f.patch patches.suse/scsi-qla2xxx-Use-get_unaligned_-instead-of-open-codi.patch - - # powerpc/linux next + patches.suse/scsi-qla2xxx-Fix-a-NULL-pointer-dereference-in-an-er.patch + patches.suse/power-supply-ltc2941-battery-gauge-fix-use-after-fre.patch + patches.suse/drm-ttm-ttm_tt_init_fields-can-be-static.patch + patches.suse/drm-rect-Avoid-division-by-zero.patch + patches.suse/drm-rect-update-kerneldoc-for-drm_rect_clip_scaled.patch + patches.suse/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch + patches.suse/drm-amdgpu-add-function-parameter-description-in-amd.patch + patches.suse/drm-amdgpu-add-function-parameter-description-in-amd-e8b74035.patch + patches.suse/drm-amdgpu-remove-set-but-not-used-variable-dig_conn.patch + patches.suse/drm-amdgpu-remove-set-but-not-used-variable-dig.patch + patches.suse/drm-amdgpu-remove-always-false-comparison-in-amdgpu_.patch + patches.suse/drm-amdgpu-remove-set-but-not-used-variable-mc_share.patch + patches.suse/0012-drm-amdgpu-remove-set-but-not-used-variable-mc_share.patch + patches.suse/drm-amdgpu-remove-set-but-not-used-variable-amdgpu_c.patch + patches.suse/drm-amdgpu-remove-set-but-not-used-variable-invalid.patch + patches.suse/drm-amd-powerplay-remove-set-but-not-used-variable-u.patch + patches.suse/0001-pxa168fb-Fix-the-function-used-to-release-some-memor.patch + patches.suse/drm-rockchip-lvds-Fix-indentation-of-a-define.patch + patches.suse/drm-bridge-dw-hdmi-constify-copied-structure.patch + patches.suse/drm-nouveau-secboot-gm20b-initialize-pointer-in-gm20.patch + patches.suse/drm-nouveau-Fix-copy-paste-error-in-nouveau_fence_wa.patch + patches.suse/drm-msm-mdp4-Adjust-indentation-in-mdp4_dsi_encoder_.patch + patches.suse/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch + patches.suse/ext4-fix-deadlock-allocating-crypto-bounce-page-from.patch + patches.suse/jbd2-clear-JBD2_ABORT-flag-before-journal_reset-to-u.patch + patches.suse/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch + patches.suse/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch + patches.suse/jbd2-make-sure-ESHUTDOWN-to-be-recorded-in-the-journ.patch + patches.suse/reiserfs-Fix-memory-leak-of-journal-device-string.patch + patches.suse/reiserfs-Fix-spurious-unlock-in-reiserfs_fill_super-.patch + patches.suse/ubifs-Fix-FS_IOC_SETFLAGS-unexpectedly-clearing-encr.patch + patches.suse/ubifs-Fix-deadlock-in-concurrent-bulk-read-and-write.patch + patches.suse/kvm-svm-override-default-mmio-mask-if-memory-encryption-is-enabled + patches.suse/KVM-PPC-Book3S-HV-Uninit-vCPU-if-vcore-creation-fail.patch + patches.suse/KVM-PPC-Book3S-PR-Free-shared-page-if-mmu-initializa.patch + patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch + patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch + patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch + patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch + patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch + patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch + patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch + patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch + patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch + patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch + patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch + patches.suse/KVM-Clean-up-__kvm_gfn_to_hva_cache_init-and-its-cal.patch + patches.suse/KVM-PPC-Book3S-PR-Fix-Werror-return-type-build-failu.patch + patches.suse/x86-resctrl-fix-use-after-free-when-deleting-resource-groups.patch + patches.suse/x86-resctrl-fix-use-after-free-due-to-inaccurate-refcount-of-rdtgroup.patch + patches.suse/x86-resctrl-fix-a-deadlock-due-to-inaccurate-reference.patch + patches.suse/media-v4l2-core-set-pages-dirty-upon-releasing-DMA-b.patch + patches.suse/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krea.patch + patches.suse/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch + patches.suse/media-gspca-zero-usb_buf.patch + patches.suse/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch + patches.suse/media-digitv-don-t-continue-if-remote-control-state-.patch + patches.suse/media-af9005-uninitialized-variable-printked.patch + patches.suse/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-.patch + patches.suse/media-iguanair-fix-endpoint-sanity-check.patch + patches.suse/media-uvcvideo-Avoid-cyclic-entity-chains-due-to-mal.patch + patches.suse/PCI-Don-t-disable-bridge-BARs-when-assigning-bus-res.patch + patches.suse/PCI-switchtec-Fix-vep_vector_number-ioread-width.patch + patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch + patches.suse/vfs-fix-do_last-regression.patch + patches.suse/mfd-dln2-More-sanity-checking-for-endpoints.patch + patches.suse/mfd-da9062-Fix-watchdog-compatible-string.patch + patches.suse/mfd-rn5t618-Mark-ADC-control-register-volatile.patch + patches.suse/Btrfs-fix-race-between-adding-and-putting-tree-mod-s.patch + patches.suse/clk-sunxi-ng-add-mux-and-pll-notifiers-for-A64-CPU-c.patch + patches.suse/clk-tegra-Mark-fuse-clock-as-critical.patch + patches.suse/percpu-separate-decrypted-varaibles-anytime-encryption-can-be-enabled.patch + patches.suse/rtc-hym8563-Return-EINVAL-if-the-time-is-known-to-be.patch + patches.suse/rtc-cmos-Stop-using-shared-IRQ.patch + patches.suse/powerpc-pseries-Allow-not-having-ibm-hypertas-functi.patch + patches.suse/powerpc-xmon-don-t-access-ASDR-in-VMs.patch + patches.suse/powerpc-pseries-Advance-pfn-if-section-is-not-presen.patch + patches.suse/powerpc-papr_scm-Don-t-enable-direct-map-for-a-regio.patch + patches.suse/powerpc-pseries-vio-Fix-iommu_table-use-after-free-r.patch + patches.suse/powerpc-papr_scm-Fix-leaking-bus_desc.provider_name-.patch + patches.suse/powerpc-mm-Remove-kvm-radix-prefetch-workaround-for-.patch patches.suse/powerpc-pseries-lparcfg-Fix-display-of-Maximum-Memor.patch + patches.suse/0001-xen-balloon-Support-xend-based-toolstack-take-two.patch + patches.suse/iommu-arm-smmu-v3-populate-vmid-field-for-cmdq_op_tlbi_nh_va + patches.suse/pwm-omap-dmtimer-Remove-PWM-chip-in-.remove-before-m.patch + patches.suse/pwm-Remove-set-but-not-set-variable-pwm.patch + patches.suse/ata-ahci-Add-shutdown-to-freeze-hardware-resources-o.patch + patches.suse/0022-bcache-fix-memory-corruption-in-bch_cache_accounting.patch + patches.suse/0023-bcache-explicity-type-cast-in-bset_bkey_last.patch + patches.suse/0024-bcache-add-readahead-cache-policy-options-via-sysfs-.patch + patches.suse/0025-bcache-fix-incorrect-data-type-usage-in-btree_flush_.patch + patches.suse/0026-bcache-check-return-value-of-prio_read.patch + patches.suse/tracing-fix-very-unlikely-race-of-registering-two-stat-tracers.patch + patches.suse/tracing-fix-tracing_stat-return-values-in-error-handling-paths.patch + patches.suse/tracing-annotate-ftrace_graph_hash-pointer-with-_rcu.patch + patches.suse/tracing-annotate-ftrace_graph_notrace_hash-pointer-with-_rcu.patch + patches.suse/ftrace-add-comment-to-why-rcu_dereference_sched-is-open-coded.patch + patches.suse/ftrace-protect-ftrace_graph_hash-with-ftrace_sync.patch + patches.suse/ALSA-hda-Reset-stream-if-DMA-RUN-bit-not-cleared.patch + patches.suse/ALSA-hda-Add-JasperLake-PCI-ID-and-codec-vid.patch + patches.suse/ALSA-usb-audio-Fix-endianess-in-descriptor-validatio.patch + patches.suse/ALSA-dummy-Fix-PCM-format-loop-in-proc-output.patch + patches.suse/ALSA-hda-realtek-Fixed-one-of-HP-ALC671-platform-Hea.patch + patches.suse/ALSA-hda-Clear-RIRB-status-before-reading-WP.patch + patches.suse/clk-qcom-rcg2-Don-t-crash-if-our-parent-can-t-be-fou.patch + patches.suse/drm-amd-display-Retrain-dongles-when-SINK_COUNT-beco.patch + patches.suse/soc-tegra-fuse-Correct-straps-address-for-older-Tegr.patch + patches.suse/mwifiex-fix-unbalanced-locking-in-mwifiex_process_co.patch + patches.suse/libertas-dont-exit-from-lbs_ibss_join_existing-with.patch + patches.suse/libertas-make-lbs_ibss_join_existing-return-error.patch + patches.suse/iwlwifi-don-t-throw-error-when-trying-to-remove-IGTK.patch + patches.suse/clocksource-Prevent-double-add_timer_on-for-watchdog.patch + patches.suse/kconfig-fix-broken-dependency-in-randconfig-generate.patch + patches.suse/0001-ALSA-usb-audio-Apply-sample-rate-quirk-for-Audioengi.patch + patches.suse/0001-ALSA-hda-realtek-Fix-silent-output-on-MSI-GL73.patch + patches.suse/0001-enic-prevent-waking-up-stopped-tx-queues-over-watchd.patch + patches.suse/perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload + patches.suse/hwmon-pmbus-ltc2978-Fix-PMBus-polling-of-MFR_COMMON-.patch + patches.suse/ext4-fix-checksum-errors-with-indexed-dirs.patch + patches.suse/ext4-add-cond_resched-to-ext4_protect_reserved_inode.patch + patches.suse/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch + patches.suse/jbd2-do-not-clear-the-BH_Mapped-flag-when-forgetting.patch + patches.suse/ext4-improve-explanation-of-a-mount-failure-caused-b.patch + patches.suse/cifs-fix-mount-option-display-for-sec-krb5i.patch + patches.suse/0027-bcache-ignore-pending-signals-when-creating-gc-and-a.patch + patches.suse/0028-bcache-Revert-bcache-shrink-btree-node-cache-after-b.patch + patches.suse/0029-bcache-remove-macro-nr_to_fifo_front.patch + patches.suse/nvme-fix-the-parameter-order-for-nvme_get_log-in-nvm.patch + patches.suse/ALSA-seq-Avoid-concurrent-access-to-queue-flags.patch + patches.suse/ALSA-seq-Fix-concurrent-access-to-queue-current-tick.patch + patches.suse/ALSA-hda-Use-scnprintf-for-printing-texts-for-sysfs-.patch + patches.suse/ASoC-sun8i-codec-Fix-setting-DAI-data-format.patch + patches.suse/net-sched-correct-flower-port-blocking.patch + patches.suse/powerpc-tm-Fix-clearing-MSR-TS-in-current-when-recla.patch + patches.suse/0001-xen-Enable-interrupts-when-calling-_cond_resched.patch + patches.suse/0001-ext4-fix-mount-failure-with-quota-configured-as-modu.patch + patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode + patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function + patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -52141,10 +52620,13 @@ patches.suse/powerpc-pseries-mobility-notify-network-peers-after-.patch patches.suse/cifs-Fix-mount-options-set-in-automount.patch patches.suse/cifs-Fix-memory-allocation-in-__smb2_handle_cancelle.patch + patches.suse/powerpc-reserve-memory-for-capture-kernel-after-huge.patch + patches.suse/powerpc-avoid-adjusting-memory_limit-for-capture-ker.patch ######################################################## # end of sorted patches ######################################################## + patches.suse/scsi-qla2xxx-Fix-unbound-NVME-response-length.patch # ras/edac-for-next, 5.4 queue patches.suse/edac-amd64-support-more-than-two-controllers-for-chip-selects-handling.patch @@ -52246,7 +52728,6 @@ # locking/core ######################################################## patches.suse/sched-optimize-latency-defaults.patch - patches.suse/0001-sched-wake_q-Reduce-reference-counting-for-special-u.patch # that benefits. If unsure, mail performance@suse.de # not enable without a specific example of a workload and machine @@ -52335,6 +52816,8 @@ # bsc#1156286 patches.suse/prevent-active-list-thrashing.patch + patches.suse/drivers-base-memory.c-cache-blocks-in-radix-tree-to-.patch + ######################################################## # misc small fixes ######################################################## @@ -52395,6 +52878,8 @@ patches.suse/acpi_thinkpad_introduce_acpi_root_table_boot_param.patch patches.suse/acpi_thermal_passive_blacklist.patch patches.suse/ACPI-acpi_pad-Do-not-launch-acpi_pad-threads-on-idle-cpus.patch + patches.suse/acpi-watchdog-allow-disabling-wdat-at-boot.patch + patches.suse/acpi-watchdog-set-default-timeout-in-probe.patch ######################################################## # Driver core @@ -52544,6 +53029,7 @@ patches.suse/scsi-retry-alua-transition-in-progress patches.suse/megaraid-mbox-fix-SG_IO patches.suse/fcoe-reduce-max_sectors + patches.suse/md-raid0-fix-buffer-overflow-at-debug-print.patch # bsc#1048585 bsc#1080813 patches.suse/delay-add-poll_event_interruptible.patch @@ -52601,6 +53087,7 @@ patches.suse/irda-Only-insert-new-objects-into-the-global-databas.patch patches.suse/qed-use-specical-suse-engineering-version.patch patches.suse/tcp-fix-tcp_rtx_queue_tail-in-case-of-empty-retransm.patch + patches.suse/tcp-Don-t-dequeue-SYN-FIN-segments-from-write-queue.patch ######################################################## # Netfilter @@ -52610,14 +53097,12 @@ ######################################################## # Wireless Networking ######################################################## - patches.suse/libertas-Fix-two-buffer-overflows-at-parsing-bss-des.patch - patches.suse/libertas-dont-exit-from-lbs_ibss_join_existing-with.patch - patches.suse/libertas-make-lbs_ibss_join_existing-return-error.patch patches.suse/b43-missing-firmware-info.patch patches.kabi/ath10k-last_wmi_vdev_start_status-kabi-workaround.patch patches.kabi/ath10k-hw_filter_reset_required-kabi-fix.patch patches.kabi/iwlwifi-iwl_rx_cmd_buffer-kabi-fix.patch patches.kabi/mwifiex-power_cfg-kabi-workaround.patch + patches.kabi/netlink-nla_policy-kabi-workaround.patch ######################################################## # ISDN @@ -52648,6 +53133,8 @@ patches.suse/tty-Don-t-return-EAGAIN-in-blocking-read.patch patches.suse/tty-make-R3964-line-discipline-fail.patch + patches.suse/vt-selection-handle-pending-signals-in-paste_selecti.patch + patches.suse/vt-selection-close-sel_buffer-race.patch patches.suse/nvdimm-testing-provide-SZ_4G.patch @@ -52881,8 +53368,11 @@ patches.kabi/kABI-Fix-for-KVM-x86-Introduce-vcpu-arch.xsaves_enab.patch patches.kabi/ipmi-dont-allow-device-module-unload-when-in-use.patch patches.kabi/sctp-cache-netns-in-sctp_ep_common.patch + patches.kabi/can-skb-defined-kabi-workaround.patch + patches.kabi/crypto-reexport-crypto_shoot_alg.patch patches.kabi/bpf-protect-new-fields-in-bpf-structs.patch + patches.kabi/libnvdimm-fix-devm_nsio_enable-kabi.patch ######################################################## # You'd better have a good reason for adding a patch