From dec37688b34431af81ce7de5127c98643f69916e Mon Sep 17 00:00:00 2001 From: Frederic Weisbecker Date: Oct 14 2022 13:12:03 +0000 Subject: Merge 'SLE12-SP5' (725117daeaf) into 'SLE12-SP5-RT' - No -rt specific changes this merge.
---
diff --git a/blacklist.conf b/blacklist.conf
index fb85d5f..8cd28cf 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -2261,3 +2261,11 @@ a3f2fd22743fc56dd5e3896a3fbddd276df1577f # irrelevant in our configurations
 9ef165406308515dcf2e3f6e97b39a1c56d86db5 # irrelevant in our configurations
 26c6c2f8a907c9e3a2f24990552a4d77235791e6 # breaks kABI for an issue relevant only in a minor HC
 41a91c606e7d2b74358a944525267cc451c271e8 # no gadget mode in SLE12
+00da0cb385d05a89226e150a102eb49d8abb0359 # documentation
+df5b035b5683d6a25f077af889fb88e09827f8bc # we don't build CONFIG_SMP=n kernels
+c57094a6e1ed5dd2d6401f79b8e6da34dd28f959 # Doesn't apply, not needed. Fixes a mess, not a bug.
+51fd2eb52c0ca8275a906eed81878ef50ae94eb0 # Doesn't apply, not worth the churn.
+8b766b0f8eece55155146f7628610ce54a065e0f # not required on SLE12-SP5: sysfb: Enable boot time VESA graphic mode selection
+81fb55e500a82a070da20f02b2e252d6a09a34c3 # rejected for complexity: drm/vc4: hdmi: Add a spinlock to protect register access
+82cb88af12d29eaa5350d9ba83f9c376f65b7fec # rejected for complexity: drm/vc4: hdmi: Use a mutex to prevent concurrent framework access
+633be8c3c0c5e0cf176ce904083a4728ae8e4025 # rejected for complexity: drm/vc4: hdmi: Prevent access to crtc->state outside of KMS
diff --git a/patches.suse/0002-kernel-smp-make-csdlock-timeout-depend-on-boot-param.patch b/patches.suse/0002-kernel-smp-make-csdlock-timeout-depend-on-boot-param.patch
index 7fec10e..14503b8 100644
--- a/patches.suse/0002-kernel-smp-make-csdlock-timeout-depend-on-boot-param.patch
+++ b/patches.suse/0002-kernel-smp-make-csdlock-timeout-depend-on-boot-param.patch
@@ -28,7 +28,7 @@ index 4480fd47b88a..c59fd2958295 100644
@@ -193,12 +194,14 @@ static int __init csdlock_debug(char *str) } - early_param("csdlock_debug", csdlock_debug); + __setup("csdlock_debug=", csdlock_debug); +static int csdlock_timeout = 5000; +core_param(csdlock_timeout, csdlock_timeout, int, 0644); diff --git a/patches.suse/ACPI-processor-idle-Practically-limit-Dummy-wait-workaround-to-old-Intel-systems.patch b/patches.suse/ACPI-processor-idle-Practically-limit-Dummy-wait-workaround-to-old-Intel-systems.patch new file mode 100644 index 0000000..ec4b653 --- /dev/null +++ b/patches.suse/ACPI-processor-idle-Practically-limit-Dummy-wait-workaround-to-old-Intel-systems.patch 
@@ -0,0 +1,79 @@ +From 03dd42ad5ee34172181d8a92de9d6ede274d4645 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Thu, 22 Sep 2022 11:47:45 -0700 +Subject: [PATCH] ACPI: processor idle: Practically limit "Dummy wait" + workaround to old Intel systems + +References: bnc#1203802 +Patch-mainline: v6.0 +Git-commit: e400ad8b7e6a1b9102123c6240289a811501f7d9 + +Old, circa 2002 chipsets have a bug: they don't go idle when they are +supposed to. So, a workaround was added to slow the CPU down and +ensure that the CPU waits a bit for the chipset to actually go idle. +This workaround is ancient and has been in place in some form since +the original kernel ACPI implementation. + +But, this workaround is very painful on modern systems. The "inl()" +can take thousands of cycles (see Link: for some more detailed +numbers and some fun kernel archaeology). + +First and foremost, modern systems should not be using this code. +Typical Intel systems have not used it in over a decade because it is +horribly inferior to MWAIT-based idle. + +Despite this, people do seem to be tripping over this workaround on +AMD system today. + +Limit the "dummy wait" workaround to Intel systems. Keep Modern AMD +systems from tripping over the workaround. Remotely modern Intel +systems use intel_idle instead of this code and will, in practice, +remain unaffected by the dummy wait. + +Reported-by: K Prateek Nayak +Suggested-by: Rafael J. 
Wysocki +Signed-off-by: Dave Hansen +Reviewed-by: Mario Limonciello +Tested-by: K Prateek Nayak +Link: https://lore.kernel.org/all/20220921063638.2489-1-kprateek.nayak@amd.com/ +Link: https://lkml.kernel.org/r/20220922184745.3252932-1-dave.hansen@intel.com +Signed-off-by: Mel Gorman +--- + drivers/acpi/processor_idle.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index 25cbada18e7c..fb42ca88f13a 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -687,10 +687,27 @@ static void wait_for_freeze(void) + /* No delay is needed if we are in guest */ + if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) + return; ++ /* ++ * Modern (>=Nehalem) Intel systems use ACPI via intel_idle, ++ * not this code. Assume that any Intel systems using this ++ * are ancient and may need the dummy wait. This also assumes ++ * that the motivating chipset issue was Intel-only. ++ */ ++ if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) ++ return; + #endif +- /* Dummy wait op - must do something useless after P_LVL2 read +- because chipsets cannot guarantee that STPCLK# signal +- gets asserted in time to freeze execution properly. */ ++ /* ++ * Dummy wait op - must do something useless after P_LVL2 read ++ * because chipsets cannot guarantee that STPCLK# signal gets ++ * asserted in time to freeze execution properly ++ * ++ * This workaround has been in place since the original ACPI ++ * implementation was merged, circa 2002. ++ * ++ * If a profile is pointing to this instruction, please first ++ * consider moving your system to a more modern idle ++ * mechanism. ++ */ + inl(acpi_gbl_FADT.xpm_timer_block.address); + } + diff --git a/patches.suse/ACPI-processor_idle-Skip-dummy-wait-if-kernel-is-in-guest.patch b/patches.suse/ACPI-processor_idle-Skip-dummy-wait-if-kernel-is-in-guest.patch new file mode 100644 index 0000000..a455b3c --- /dev/null 
+++ b/patches.suse/ACPI-processor_idle-Skip-dummy-wait-if-kernel-is-in-guest.patch 
@@ -0,0 +1,75 @@ +From 57c8454f392dca11a46ac2a59d4bbb11941affd8 Mon Sep 17 00:00:00 2001 +From: Yin Fengwei +Date: Thu, 24 Oct 2019 15:04:20 +0800 +Subject: [PATCH] ACPI: processor_idle: Skip dummy wait if kernel is in guest + +References: bnc#1203802 +Patch-mainline: v5.5-rc1 +Git-commit: fa583f71a99c85e52781ed877c82c8757437b680 + +In function acpi_idle_do_entry(), an ioport access is used for +dummy wait to guarantee hardware behavior. But it could trigger +unnecessary VMexit if kernel is running as guest in virtualization +environment. + +If it's in virtualization environment, the deeper C state enter +operation (inb()) will trap to hypervisor. It's not needed to do +dummy wait after the inb() call. So we could just remove the +dummy io port access to avoid unnecessary VMexit. + +And keep dummy io port access to maintain timing for native +environment. + +Signed-off-by: Yin Fengwei +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Mel Gorman +--- + drivers/acpi/processor_idle.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index 15d17bc6bae3..25cbada18e7c 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -681,6 +681,19 @@ static int acpi_idle_bm_check(void) + return bm_status; + } + ++static void wait_for_freeze(void) ++{ ++#ifdef CONFIG_X86 ++ /* No delay is needed if we are in guest */ ++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) ++ return; ++#endif ++ /* Dummy wait op - must do something useless after P_LVL2 read ++ because chipsets cannot guarantee that STPCLK# signal ++ gets asserted in time to freeze execution properly. 
*/ ++ inl(acpi_gbl_FADT.xpm_timer_block.address); ++} ++ + /** + * acpi_idle_do_entry - enter idle state using the appropriate method + * @cx: cstate data +@@ -697,10 +710,7 @@ static void __cpuidle acpi_idle_do_entry(struct acpi_processor_cx *cx) + } else { + /* IO port based C-state */ + inb(cx->address); +- /* Dummy wait op - must do something useless after P_LVL2 read +- because chipsets cannot guarantee that STPCLK# signal +- gets asserted in time to freeze execution properly. */ +- inl(acpi_gbl_FADT.xpm_timer_block.address); ++ wait_for_freeze(); + } + } + +@@ -721,8 +731,7 @@ static int acpi_idle_play_dead(struct cpuidle_device *dev, int index) + safe_halt(); + else if (cx->entry_method == ACPI_CSTATE_SYSTEMIO) { + inb(cx->address); +- /* See comment in acpi_idle_do_entry() */ +- inl(acpi_gbl_FADT.xpm_timer_block.address); ++ wait_for_freeze(); + } else + return -ENODEV; + } diff --git a/patches.suse/KVM-x86-emulator-Fix-handing-of-POP-SS-to-correctly-.patch b/patches.suse/KVM-x86-emulator-Fix-handing-of-POP-SS-to-correctly-.patch new file mode 100644 index 0000000..56475a4 --- /dev/null +++ b/patches.suse/KVM-x86-emulator-Fix-handing-of-POP-SS-to-correctly-.patch 
@@ -0,0 +1,38 @@ +Patch-mainline: v6.1-rc1 +Git-commit: 6aa5c47c351b22c21205c87977c84809cd015fcf +References: git-fixes +From: Michal Luczaj +Date: Mon, 22 Aug 2022 00:06:47 +0200 +Subject: [PATCH] KVM: x86/emulator: Fix handing of POP SS to correctly set + interruptibility + +The emulator checks the wrong variable while setting the CPU +interruptibility state, the target segment is embedded in the instruction +opcode, not the ModR/M register. Fix the condition. + +Signed-off-by: Michal Luczaj +Fixes: a5457e7bcf9a ("KVM: emulate: POP SS triggers a MOV SS shadow too") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20220821215900.1419215-1-mhal@rbox.co +Signed-off-by: Sean Christopherson +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/emulate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index f092c54d1a2f..08dbcff4045a 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -1953,7 +1953,7 @@ static int em_pop_sreg(struct x86_emulate_ctxt *ctxt) + if (rc != X86EMUL_CONTINUE) + return rc; + +- if (ctxt->modrm_reg == VCPU_SREG_SS) ++ if (seg == VCPU_SREG_SS) + ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS; + if (ctxt->op_bytes > 2) + rsp_increment(ctxt, ctxt->op_bytes - 2); +-- +2.35.3 + diff --git a/patches.suse/USB-serial-option-add-Quectel-BG95-0x0203-compositio.patch b/patches.suse/USB-serial-option-add-Quectel-BG95-0x0203-compositio.patch new file mode 100644 index 0000000..d38ac8f --- /dev/null +++ b/patches.suse/USB-serial-option-add-Quectel-BG95-0x0203-compositio.patch 
@@ -0,0 +1,63 @@ +From f8f67eff6847f9b8d753fa029723bcc54296055a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Carl=20Yin=28=E6=AE=B7=E5=BC=A0=E6=88=90=29?= + +Date: Fri, 2 Sep 2022 09:49:43 +0000 +Subject: [PATCH] USB: serial: option: add Quectel BG95 0x0203 composition +Git-commit: f8f67eff6847f9b8d753fa029723bcc54296055a +References: git-fixes +Patch-mainline: v6.0-rc7 + +Add support for the following Quectel BG95 composition: + +0x0203: Diag + GNSS + Modem + ECM + +usb-devices output: +T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0203 Rev= 0.00 +S: Manufacturer=Quectel, Incorporated +S: Product=Quectel LPWA Module +S: SerialNumber=71d3a21b +C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +A: FirstIf#= 3 IfCount= 2 Cls=02(comm.) Sub=00 Prot=00 +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 64 Ivl=2ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether +E: Ad=85(I) Atr=03(Int.) 
MxPS= 64 Ivl=2ms +I: If#= 4 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +I:* If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Carl Yin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index a5e8374a8d71..50a9cb0791f7 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1138,6 +1138,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG95, 0xff, 0xff, 0xff), + .driver_info = NUMEP2 }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG95, 0xff, 0, 0) }, ++ { USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, 0x0203, 0xff), /* BG95-M3 */ ++ .driver_info = ZLP }, + { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_BG96), + .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06, 0xff, 0xff, 0xff), +-- +2.35.3 + diff --git a/patches.suse/USB-serial-option-add-Quectel-RM520N.patch b/patches.suse/USB-serial-option-add-Quectel-RM520N.patch new file mode 100644 index 0000000..ed4eef5 --- /dev/null +++ b/patches.suse/USB-serial-option-add-Quectel-RM520N.patch 
@@ -0,0 +1,67 @@ +From d640c4cb8f2f933c0ca896541f9de7fb1ae245f4 Mon Sep 17 00:00:00 2001 +From: jerry meng +Date: Mon, 5 Sep 2022 14:35:33 +0800 +Subject: [PATCH] USB: serial: option: add Quectel RM520N +Git-commit: d640c4cb8f2f933c0ca896541f9de7fb1ae245f4 +References: git-fixes +Patch-mainline: v6.0-rc7 + +add support for Quectel RM520N which is based on Qualcomm SDX62 chip. + +0x0801: DIAG + NMEA + AT + MODEM + RMNET + +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 10 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0801 Rev= 5.04 +S: Manufacturer=Quectel +S: Product=RM520N-GL +S: SerialNumber=384af524 +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=88(I) Atr=03(Int.) 
MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: jerry meng +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -258,6 +258,7 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_EM05G 0x030a + #define QUECTEL_PRODUCT_EM12 0x0512 + #define QUECTEL_PRODUCT_RM500Q 0x0800 ++#define QUECTEL_PRODUCT_RM520N 0x0801 + #define QUECTEL_PRODUCT_EC200S_CN 0x6002 + #define QUECTEL_PRODUCT_EC200T 0x6026 + #define QUECTEL_PRODUCT_RM500K 0x7001 +@@ -1154,6 +1155,9 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x10), + .driver_info = ZLP }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500K, 0xff, 0x00, 0x00) }, diff --git a/patches.suse/efi-capsule-loader-Fix-use-after-free-in-efi_capsule.patch b/patches.suse/efi-capsule-loader-Fix-use-after-free-in-efi_capsule.patch new file mode 100644 index 0000000..f309fcd --- /dev/null +++ b/patches.suse/efi-capsule-loader-Fix-use-after-free-in-efi_capsule.patch 
@@ -0,0 +1,85 @@
+From: Hyunwoo Kim
+Date: Wed, 7 Sep 2022 09:07:14 -0700
+Subject: efi: capsule-loader: Fix use-after-free in efi_capsule_write
+Patch-mainline: v6.0-rc5
+Git-commit: 9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95
+References: bsc#1203322 CVE-2022-40307
+
+A race condition may occur if the user calls close() on another thread
+during a write() operation on the device node of the efi capsule.
+
+This is a race condition that occurs between the efi_capsule_write() and
+efi_capsule_flush() functions of efi_capsule_fops, which ultimately
+results in UAF.
+
+So, the page freeing process is modified to be done in
+efi_capsule_release() instead of efi_capsule_flush().
+
+Joey Lee:
+Using (!cap_info->header_obtained) instead of (cap_info->header.headersize == 0)
+to avoid backporting too many patches to v4.12 for caching header to
+cap_info->header.
+
+Cc: # v4.9+
+Signed-off-by: Hyunwoo Kim
+Link: https://lore.kernel.org/all/20220907102920.GA88602@ubuntu/
+Signed-off-by: Ard Biesheuvel
+Acked-by: Lee, Chun-Yi
+---
+ drivers/firmware/efi/capsule-loader.c | 31 +++++++------------------------
+ 1 file changed, 7 insertions(+), 24 deletions(-)
+
+--- a/drivers/firmware/efi/capsule-loader.c
++++ b/drivers/firmware/efi/capsule-loader.c
+@@ -235,29 +235,6 @@ failed:
+ }
+
+ /**
+- * efi_capsule_flush - called by file close or file flush
+- * @file: file pointer
+- * @id: not used
+- *
+- * If a capsule is being partially uploaded then calling this function
+- * will be treated as upload termination and will free those completed
+- * buffer pages and -ECANCELED will be returned.
+- **/
+-static int efi_capsule_flush(struct file *file, fl_owner_t id)
+-{
+- int ret = 0;
+- struct capsule_info *cap_info = file->private_data;
+-
+- if (cap_info->index > 0) {
+- pr_err("%s: capsule upload not complete\n", __func__);
+- efi_free_all_buff_pages(cap_info);
+- ret = -ECANCELED;
+- }
+-
+- return ret;
+-}
+-
+-/**
+ * efi_capsule_release - called by file close
+ * @inode: not used
+ * @file: file pointer
+@@ -269,6 +246,13 @@ static int efi_capsule_release(struct in
+ {
+ struct capsule_info *cap_info = file->private_data;
+
++ if (cap_info->index > 0 &&
++ ((!cap_info->header_obtained) ||
++ cap_info->count < cap_info->total_size)) {
++ pr_err("capsule upload not complete\n");
++ efi_free_all_buff_pages(cap_info);
++ }
++
+ kfree(cap_info->pages);
+ kfree(file->private_data);
+ file->private_data = NULL;
+@@ -308,7 +292,6 @@ static const struct file_operations efi_
+ .owner = THIS_MODULE,
+ .open = efi_capsule_open,
+ .write = efi_capsule_write,
+- .flush = efi_capsule_flush,
+ .release = efi_capsule_release,
+ .llseek = no_llseek,
+ };
diff --git a/patches.suse/locking-csd_lock-Change-csdlock_debug-from-early_par.patch b/patches.suse/locking-csd_lock-Change-csdlock_debug-from-early_par.patch
new file mode 100644
index 0000000..c38f095
--- /dev/null
+++ b/patches.suse/locking-csd_lock-Change-csdlock_debug-from-early_par.patch
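Review bot: The condition added to efi_capsule_release() uses `!cap_info->header_obtained` where the upstream commit tests `cap_info->header.headersize == 0`, and that deviation is recorded only in the patch description. I would put a comment above the `if`, e.g. `/* SLE backport: header_obtained replaces upstream's header.headersize == 0 check */`, so a later refresh against mainline does not silently change the test. With `.flush` removed from the file_operations table, close() on a partially uploaded capsule no longer returns -ECANCELED, and the kernel-doc of efi_capsule_release() (its text lies partly outside the hunk) should say that incomplete uploads are now discarded there and only logged. The new `pr_err()` also drops the `%s`/`__func__` prefix that the removed message had, which makes the log line harder to attribute.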
@@ -0,0 +1,55 @@
+Patch-mainline: v6.0-rc1
+Git-commit: 9c9b26b0df270d4f9246e483a44686fca951a29c
+References: git-fixes
+From: Chen Zhongjin
+Date: Tue, 10 May 2022 17:46:39 +0800
+Subject: [PATCH] locking/csd_lock: Change csdlock_debug from early_param to
+ __setup
+
+The csdlock_debug kernel-boot parameter is parsed by the
+early_param() function csdlock_debug(). If set, csdlock_debug()
+invokes static_branch_enable() to enable csd_lock_wait feature, which
+triggers a panic on arm64 for kernels built with CONFIG_SPARSEMEM=y and
+CONFIG_SPARSEMEM_VMEMMAP=n.
+
+With CONFIG_SPARSEMEM_VMEMMAP=n, __nr_to_section is called in
+static_key_enable() and returns NULL, resulting in a NULL dereference
+because mem_section is initialized only later in sparse_init().
+
+This is also a problem for powerpc because early_param() functions
+are invoked earlier than jump_label_init(), also resulting in
+static_key_enable() failures. These failures cause the warning "static
+key 'xxx' used before call to jump_label_init()".
+
+Thus, early_param is too early for csd_lock_wait to run
+static_branch_enable(), so changes it to __setup to fix these.
+
+Fixes: 8d0968cc6b8f ("locking/csd_lock: Add boot parameter for controlling CSD lock debugging")
+Cc: stable@vger.kernel.org
+Reported-by: Chen jingwen
+Signed-off-by: Chen Zhongjin
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Juergen Gross
+---
+ kernel/smp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/smp.c b/kernel/smp.c
+index dd215f439426..650810a6f29b 100644
+--- a/kernel/smp.c
++++ b/kernel/smp.c
+@@ -174,9 +174,9 @@ static int __init csdlock_debug(char *str)
+ if (val)
+ enable_csdlock_debug = true;
+
+- return 0;
++ return 1;
+ }
+-early_param("csdlock_debug", csdlock_debug);
++__setup("csdlock_debug=", csdlock_debug);
+
+ static DEFINE_PER_CPU(call_single_data_t *, cur_csd);
+ static DEFINE_PER_CPU(smp_call_func_t, cur_csd_func);
+--
+2.35.3
+
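Review bot: The return value at the end of csdlock_debug() changes from 0 to 1 with nothing in the code saying why, and the two conventions are easy to confuse: an early_param() handler returns 0 on success, while a __setup() handler returns 1 to report the option as handled. I would add `/* __setup() handlers return 1 once the option has been consumed */` above `return 1;`. The body of csdlock_debug() starts outside the hunk, so whether a malformed value should also be reported as handled cannot be judged from here.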
diff --git a/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch b/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch
new file mode 100644
index 0000000..faec977
--- /dev/null
+++ b/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch
@@ -0,0 +1,144 @@ +From: Zheng Wang +Date: Thu, 6 Oct 2022 23:26:43 +0800 +Subject: [PATCH] misc: sgi-gru: fix use-after-free error in + gru_set_context_option, gru_fault and gru_handle_user_call_os +Message-Id: <20221006152643.1694235-1-zyytlz.wz@163.com> +Patch-mainline: Submitted, LKML +References: CVE-2022-3424 bsc#1204166 + +Gts may be freed in gru_check_chiplet_assignment. +The caller still use it after that, UAF happens. + +Fix it by introducing a return value to see if it's in error path or not. +Free the gts in caller if gru_check_chiplet_assignment check failed. + +Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2") +Reported-by: Zheng Wang +Signed-off-by: Zheng Wang +Signed-off-by: Takashi Iwai + +--- + drivers/misc/sgi-gru/grufault.c | 15 ++++++++++++--- + drivers/misc/sgi-gru/grumain.c | 17 +++++++++++++---- + drivers/misc/sgi-gru/grutables.h | 2 +- + 3 files changed, 26 insertions(+), 8 deletions(-) + +diff --git a/drivers/misc/sgi-gru/grufault.c b/drivers/misc/sgi-gru/grufault.c +index d7ef61e602ed..f1e5b96fef4b 100644 +--- a/drivers/misc/sgi-gru/grufault.c ++++ b/drivers/misc/sgi-gru/grufault.c +@@ -656,7 +656,9 @@ int gru_handle_user_call_os(unsigned long cb) + if (ucbnum >= gts->ts_cbr_au_count * GRU_CBR_AU_SIZE) + goto exit; + +- gru_check_context_placement(gts); ++ ret = gru_check_context_placement(gts); ++ if (ret) ++ goto err; + + /* + * CCH may contain stale data if ts_force_cch_reload is set. 
+@@ -677,6 +679,10 @@ int gru_handle_user_call_os(unsigned long cb) + exit: + gru_unlock_gts(gts); + return ret; ++err: ++ gru_unlock_gts(gts); ++ gru_unload_context(gts, 1); ++ return -EINVAL; + } + + /* +@@ -874,7 +880,7 @@ int gru_set_context_option(unsigned long arg) + } else { + gts->ts_user_blade_id = req.val1; + gts->ts_user_chiplet_id = req.val0; +- gru_check_context_placement(gts); ++ ret = gru_check_context_placement(gts); + } + break; + case sco_gseg_owner: +@@ -889,6 +895,9 @@ int gru_set_context_option(unsigned long arg) + ret = -EINVAL; + } + gru_unlock_gts(gts); +- ++ if (ret) { ++ gru_unload_context(gts, 1); ++ ret = -EINVAL; ++ } + return ret; + } +diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c +index 9afda47efbf2..79903cf7e706 100644 +--- a/drivers/misc/sgi-gru/grumain.c ++++ b/drivers/misc/sgi-gru/grumain.c +@@ -716,9 +716,10 @@ static int gru_check_chiplet_assignment(struct gru_state *gru, + * chiplet. Misassignment can occur if the process migrates to a different + * blade or if the user changes the selected blade/chiplet. 
+ */ +-void gru_check_context_placement(struct gru_thread_state *gts) ++int gru_check_context_placement(struct gru_thread_state *gts) + { + struct gru_state *gru; ++ int ret = 0; + + /* + * If the current task is the context owner, verify that the +@@ -727,14 +728,16 @@ void gru_check_context_placement(struct gru_thread_state *gts) + */ + gru = gts->ts_gru; + if (!gru || gts->ts_tgid_owner != current->tgid) +- return; ++ return ret; + + if (!gru_check_chiplet_assignment(gru, gts)) { + STAT(check_context_unload); +- gru_unload_context(gts, 1); ++ ret = -EINVAL; + } else if (gru_retarget_intr(gts)) { + STAT(check_context_retarget_intr); + } ++ ++ return ret; + } + + +@@ -919,6 +922,7 @@ vm_fault_t gru_fault(struct vm_fault *vmf) + struct gru_thread_state *gts; + unsigned long paddr, vaddr; + unsigned long expires; ++ int ret; + + vaddr = vmf->address; + gru_dbg(grudev, "vma %p, vaddr 0x%lx (0x%lx)\n", +@@ -934,7 +938,12 @@ vm_fault_t gru_fault(struct vm_fault *vmf) + mutex_lock(>s->ts_ctxlock); + preempt_disable(); + +- gru_check_context_placement(gts); ++ ret = gru_check_context_placement(gts); ++ if (ret) { ++ mutex_unlock(>s->ts_ctxlock); ++ gru_unload_context(gts, 1); ++ return ret; ++ } + + if (!gts->ts_gru) { + STAT(load_user_context); +diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h +index 5efc869fe59a..f4a5a787685f 100644 +--- a/drivers/misc/sgi-gru/grutables.h ++++ b/drivers/misc/sgi-gru/grutables.h +@@ -632,7 +632,7 @@ extern int gru_user_flush_tlb(unsigned long arg); + extern int gru_user_unload_context(unsigned long arg); + extern int gru_get_exception_detail(unsigned long arg); + extern int gru_set_context_option(unsigned long address); +-extern void gru_check_context_placement(struct gru_thread_state *gts); ++extern int gru_check_context_placement(struct gru_thread_state *gts); + extern int gru_cpu_fault_map_id(void); + extern struct vm_area_struct *gru_find_vma(unsigned long vaddr); + extern void 
gru_flush_all_tlb(struct gru_state *gru); +-- +2.35.3 + diff --git a/patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch b/patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch index 18e1180..d1ed08a 100644 --- a/patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch +++ b/patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch @@ -3,7 +3,7 @@ Date: Wed, 31 Aug 2022 19:06:00 +0200 Subject: mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse Git-commit: 2555283eb40df89945557273121e9393ef9b542b Patch-mainline: v6.0-rc4 -References: git-fixes, bsc#1203098 +References: CVE-2022-42703, bsc#1204168, git-fixes, bsc#1203098 anon_vma->degree tracks the combined number of child anon_vmas and VMAs that use the anon_vma as their ->anon_vma. diff --git a/patches.suse/nvme-restrict-management-ioctls-to-admin.patch b/patches.suse/nvme-restrict-management-ioctls-to-admin.patch new file mode 100644 index 0000000..ebd1f3e --- /dev/null +++ b/patches.suse/nvme-restrict-management-ioctls-to-admin.patch 
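Review bot: The new error branch in gru_fault() returns after `mutex_unlock()` without undoing the `preempt_disable()` issued just before the placement check, so a failed check leaves preemption disabled when the fault handler returns. The same branch returns `ret`, which is -EINVAL, from a function declared `vm_fault_t`; a negative errno is not a fault code. I would add `preempt_enable();` ahead of the existing `mutex_unlock()` call and end the branch with a vm_fault_t value such as `return VM_FAULT_NOPAGE;`. In gru_set_context_option() the added `if (ret)` after `gru_unlock_gts()` also fires for the -EINVAL assigned in the other switch arms, so an invalid option now appears to unload the context as well; testing the result of gru_check_context_placement() inside the arm that calls it would limit the unload to the case this fix is about. All three functions start and end outside their hunks, and the patch is marked `Patch-mainline: Submitted, LKML`, so it should be re-synced with whatever version is merged.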
@@ -0,0 +1,40 @@
+From: Keith Busch
+Date: Thu, 22 Sep 2022 07:54:06 -0700
+Subject: [PATCH] nvme: restrict management ioctls to admin
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: git://git.infradead.org/nvme.git
+Git-commit: 23e085b2dead13b51fe86d27069895b740f749c0
+References: bsc#1203290 CVE-2022-3169
+
+The passthrough commands already have this restriction, but the other
+operations do not. Require the same capabilities for all users as all of
+these operations, which include resets and rescans, can be disruptive.
+
+Signed-off-by: Keith Busch
+Signed-off-by: Christoph Hellwig
+[dwagner: updated context]
+Acked-by: Daniel Wagner
+---
+ drivers/nvme/host/core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2577,11 +2577,17 @@ static long nvme_dev_ioctl(struct file *
+ case NVME_IOCTL_IO_CMD:
+ return nvme_dev_user_cmd(ctrl, argp);
+ case NVME_IOCTL_RESET:
++ if (!capable(CAP_SYS_ADMIN))
++ return -EACCES;
+ dev_warn(ctrl->device, "resetting controller\n");
+ return nvme_reset_ctrl_sync(ctrl);
+ case NVME_IOCTL_SUBSYS_RESET:
++ if (!capable(CAP_SYS_ADMIN))
++ return -EACCES;
+ return nvme_reset_subsystem(ctrl);
+ case NVME_IOCTL_RESCAN:
++ if (!capable(CAP_SYS_ADMIN))
++ return -EACCES;
+ nvme_queue_scan(ctrl);
+ return 0;
+ default:
diff --git a/patches.suse/s390-hugetlb-fix-prepare_hugepage_range-check-for-2-GB-hugepages b/patches.suse/s390-hugetlb-fix-prepare_hugepage_range-check-for-2-GB-hugepages
new file mode 100644
index 0000000..9541876
--- /dev/null
+++ b/patches.suse/s390-hugetlb-fix-prepare_hugepage_range-check-for-2-GB-hugepages
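Review bot: The `capable(CAP_SYS_ADMIN)` check is pasted into three case arms of nvme_dev_ioctl() without a comment, so a management ioctl added to this switch later has nothing to remind its author that the same gate is expected. A one-line comment above the first check, e.g. `/* resets and rescans are disruptive; require CAP_SYS_ADMIN like the passthrough commands */`, would carry the reasoning from the patch description into the code. The switch starts and ends outside the hunk, so whether the arms above NVME_IOCTL_RESET and the `default:` arm are already gated cannot be confirmed from here.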
@@ -0,0 +1,43 @@
+From: Gerald Schaefer
+Date: Fri, 19 Aug 2022 18:53:43 +0200
+Subject: s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages
+Git-commit: 7c8d42fdf1a84b1a0dd60d6528309c8ec127e87c
+Patch-mainline: v6.0-rc4
+References: bsc#1203142 LTC#199883
+
+The alignment check in prepare_hugepage_range() is wrong for 2 GB
+hugepages, it only checks for 1 MB hugepage alignment.
+
+This can result in kernel crash in __unmap_hugepage_range() at the
+BUG_ON(start & ~huge_page_mask(h)) alignment check, for mappings
+created with MAP_FIXED at unaligned address.
+
+Fix this by correctly handling multiple hugepage sizes, similar to the
+generic version of prepare_hugepage_range().
+
+Fixes: d08de8e2d867 ("s390/mm: add support for 2GB hugepages")
+Cc: # 4.8+
+Acked-by: Alexander Gordeev
+Signed-off-by: Gerald Schaefer
+Signed-off-by: Vasily Gorbik
+Acked-by: Petr Tesarik
+---
+ arch/s390/include/asm/hugetlb.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/include/asm/hugetlb.h
++++ b/arch/s390/include/asm/hugetlb.h
+@@ -29,9 +29,11 @@ pte_t huge_ptep_get_and_clear(struct mm_
+ static inline int prepare_hugepage_range(struct file *file,
+ unsigned long addr, unsigned long len)
+ {
+- if (len & ~HPAGE_MASK)
++ struct hstate *h = hstate_file(file);
++
++ if (len & ~huge_page_mask(h))
+ return -EINVAL;
+- if (addr & ~HPAGE_MASK)
++ if (addr & ~huge_page_mask(h))
+ return -EINVAL;
+ return 0;
+ }
diff --git a/patches.suse/s390-hypfs-avoid-error-message-under-KVM.patch b/patches.suse/s390-hypfs-avoid-error-message-under-KVM.patch
new file mode 100644
index 0000000..19301ef
--- /dev/null
+++ b/patches.suse/s390-hypfs-avoid-error-message-under-KVM.patch
@@ -0,0 +1,57 @@
+Patch-mainline: v6.0-rc2
+Git-commit: 7b6670b03641ac308aaa6fa2e6f964ac993b5ea3
+References: bsc#1032323
+From: Juergen Gross
+Date: Mon, 20 Jun 2022 11:45:34 +0200
+Subject: [PATCH] s390/hypfs: avoid error message under KVM
+
+When booting under KVM the following error messages are issued:
+
+hypfs.7f5705: The hardware system does not support hypfs
+hypfs.7a79f0: Initialization of hypfs failed with rc=-61
+
+Demote the severity of first message from "error" to "info" and issue
+the second message only in other error cases.
+
+Signed-off-by: Juergen Gross
+Acked-by: Heiko Carstens
+Acked-by: Christian Borntraeger
+Link: https://lore.kernel.org/r/20220620094534.18967-1-jgross@suse.com
+[arch/s390/hypfs/hypfs_diag.c changed description]
+Signed-off-by: Alexander Gordeev
+---
+ arch/s390/hypfs/hypfs_diag.c | 2 +-
+ arch/s390/hypfs/inode.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/hypfs/hypfs_diag.c b/arch/s390/hypfs/hypfs_diag.c
+index f0bc4dc3e9bf..6511d15ace45 100644
+--- a/arch/s390/hypfs/hypfs_diag.c
++++ b/arch/s390/hypfs/hypfs_diag.c
+@@ -437,7 +437,7 @@ __init int hypfs_diag_init(void)
+ int rc;
+
+ if (diag204_probe()) {
+- pr_err("The hardware system does not support hypfs\n");
++ pr_info("The hardware system does not support hypfs\n");
+ return -ENODATA;
+ }
+ if (diag204_info_type == DIAG204_INFO_EXT) {
+diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c
+index 5c97f48cea91..ee919bfc8186 100644
+--- a/arch/s390/hypfs/inode.c
++++ b/arch/s390/hypfs/inode.c
+@@ -496,9 +496,9 @@ static int __init hypfs_init(void)
+ hypfs_vm_exit();
+ fail_hypfs_diag_exit:
+ hypfs_diag_exit();
++ pr_err("Initialization of hypfs failed with rc=%i\n", rc);
+ fail_dbfs_exit:
+ hypfs_dbfs_exit();
+- pr_err("Initialization of hypfs failed with rc=%i\n", rc);
+ return rc;
+ }
+ device_initcall(hypfs_init)
+--
+2.35.3
+
diff --git a/patches.suse/s390-mm-do-not-trigger-write-fault-when-vma-does-not-allow-VM_WRITE b/patches.suse/s390-mm-do-not-trigger-write-fault-when-vma-does-not-allow-VM_WRITE
new file mode 100644
index 0000000..e24eba7
--- /dev/null
+++ b/patches.suse/s390-mm-do-not-trigger-write-fault-when-vma-does-not-allow-VM_WRITE
@@ -0,0 +1,47 @@
+From: Gerald Schaefer
+Date: Wed, 17 Aug 2022 15:26:03 +0200
+Subject: s390/mm: do not trigger write fault when vma does not allow VM_WRITE
+Git-commit: 41ac42f137080bc230b5882e3c88c392ab7f2d32
+Patch-mainline: v6.0-rc3
+References: bsc#1203198 LTC#199898
+
+For non-protection pXd_none() page faults in do_dat_exception(), we
+call do_exception() with access == (VM_READ | VM_WRITE | VM_EXEC).
+In do_exception(), vma->vm_flags is checked against that before
+calling handle_mm_fault().
+
+Since commit 92f842eac7ee3 ("[S390] store indication fault optimization"),
+we call handle_mm_fault() with FAULT_FLAG_WRITE, when recognizing that
+it was a write access. However, the vma flags check is still only
+checking against (VM_READ | VM_WRITE | VM_EXEC), and therefore also
+calling handle_mm_fault() with FAULT_FLAG_WRITE in cases where the vma
+does not allow VM_WRITE.
+
+Fix this by changing access check in do_exception() to VM_WRITE only,
+when recognizing write access.
+
+Link: https://lkml.kernel.org/r/20220811103435.188481-3-david@redhat.com
+Fixes: 92f842eac7ee3 ("[S390] store indication fault optimization")
+Cc:
+Reported-by: David Hildenbrand
+Reviewed-by: Heiko Carstens
+Signed-off-by: Gerald Schaefer
+Signed-off-by: Vasily Gorbik
+Acked-by: Petr Tesarik
+---
+ arch/s390/mm/fault.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -432,7 +432,9 @@ static inline int do_exception(struct pt
+ flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
+ if (user_mode(regs))
+ flags |= FAULT_FLAG_USER;
+- if (access == VM_WRITE || (trans_exc_code & store_indication) == 0x400)
++ if ((trans_exc_code & store_indication) == 0x400)
++ access = VM_WRITE;
++ if (access == VM_WRITE)
+ flags |= FAULT_FLAG_WRITE;
+ down_read(&mm->mmap_sem);
+
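Review bot: Overwriting `access` with VM_WRITE only tightens the permission test if the vma->vm_flags check later in do_exception() still reads `access`; that check lies outside this hunk, and nothing in the new lines says the assignment exists for its sake. A comment on the new assignment would keep a later cleanup from folding the two `if`s back into the single condition this commit removes, for example `/* narrow access so the vm_flags check below rejects a store to a vma without VM_WRITE */`. The literal `0x400` compared against `store_indication` is also unexplained in the visible lines and would read better as a named constant. do_exception() starts and ends outside the hunk.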
diff --git a/patches.suse/scsi-qla2xxx-add-debugfs-create-delete-helpers.patch b/patches.suse/scsi-qla2xxx-add-debugfs-create-delete-helpers.patch index ef809a8..09f03f6 100644 --- a/patches.suse/scsi-qla2xxx-add-debugfs-create-delete-helpers.patch +++ b/patches.suse/scsi-qla2xxx-add-debugfs-create-delete-helpers.patch @@ -1,8 +1,7 @@ From: Arun Easi Date: Fri, 26 Aug 2022 03:25:55 -0700 Subject: scsi: qla2xxx: Add debugfs create/delete helpers -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: 389f179b868e43121c6cfccfbf5e495842a766fd References: bsc#1203935 diff --git a/patches.suse/scsi-qla2xxx-add-nvme-parameters-support-in-auxiliary-image-status.patch b/patches.suse/scsi-qla2xxx-add-nvme-parameters-support-in-auxiliary-image-status.patch index 4a57a95..4f68287 100644 --- a/patches.suse/scsi-qla2xxx-add-nvme-parameters-support-in-auxiliary-image-status.patch +++ b/patches.suse/scsi-qla2xxx-add-nvme-parameters-support-in-auxiliary-image-status.patch @@ -1,8 +1,7 @@ From: Anil Gurumurthy Date: Fri, 26 Aug 2022 03:25:56 -0700 Subject: scsi: qla2xxx: Add NVMe parameters support in Auxiliary Image Status -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: d9ba85efc3fc743aa3c958efa996f397719cdc2a References: bsc#1203935 diff --git a/patches.suse/scsi-qla2xxx-always-wait-for-qlt_sess_work_fn-from.patch b/patches.suse/scsi-qla2xxx-always-wait-for-qlt_sess_work_fn-from.patch index e056bf4..d77941d 100644 --- a/patches.suse/scsi-qla2xxx-always-wait-for-qlt_sess_work_fn-from.patch +++ b/patches.suse/scsi-qla2xxx-always-wait-for-qlt_sess_work_fn-from.patch @@ -2,8 +2,7 @@ 
From: Tetsuo Handa Date: Sun, 21 Aug 2022 12:59:00 +0900 Subject: scsi: qla2xxx: Always wait for qlt_sess_work_fn() from qlt_stop_phase1() -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: a4345557527f7d9dab6684fc2d1dd7800e99d73a References: bsc#1203935 diff --git a/patches.suse/scsi-qla2xxx-avoid-flush_scheduled_work-usage.patch b/patches.suse/scsi-qla2xxx-avoid-flush_scheduled_work-usage.patch index 3ae1d40..aed1081 100644 --- a/patches.suse/scsi-qla2xxx-avoid-flush_scheduled_work-usage.patch +++ b/patches.suse/scsi-qla2xxx-avoid-flush_scheduled_work-usage.patch @@ -1,8 +1,7 @@ From: Tetsuo Handa Date: Sun, 21 Aug 2022 12:59:44 +0900 Subject: scsi: qla2xxx: Avoid flush_scheduled_work() usage -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: 3cb0643a9aae7cf360102a6a9db47f5ce9fefdb1 References: bsc#1203935 diff --git a/patches.suse/scsi-qla2xxx-drop-did_target_failure-use.patch b/patches.suse/scsi-qla2xxx-drop-did_target_failure-use.patch index 0d23047..b844726 100644 --- a/patches.suse/scsi-qla2xxx-drop-did_target_failure-use.patch +++ b/patches.suse/scsi-qla2xxx-drop-did_target_failure-use.patch @@ -1,8 +1,7 @@ From: Mike Christie Date: Thu, 11 Aug 2022 20:00:23 -0500 Subject: scsi: qla2xxx: Drop DID_TARGET_FAILURE use -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: a965d35c8741724eb69050948024f35d268645ab References: bsc#1203935 diff --git a/patches.suse/scsi-qla2xxx-fix-response-queue-handler-reading-stale-packets.patch b/patches.suse/scsi-qla2xxx-fix-response-queue-handler-reading-stale-packets.patch index a9acf6d..bed9416 100644 
--- a/patches.suse/scsi-qla2xxx-fix-response-queue-handler-reading-stale-packets.patch +++ b/patches.suse/scsi-qla2xxx-fix-response-queue-handler-reading-stale-packets.patch @@ -1,8 +1,7 @@ From: Arun Easi Date: Fri, 26 Aug 2022 03:25:54 -0700 Subject: scsi: qla2xxx: Fix response queue handler reading stale packets -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: e4f8a29deb3ba30e414dfb6b09e3ae3bf6dbe74a References: bsc#1203935 diff --git a/patches.suse/scsi-qla2xxx-log-message-skipping-scsi_scan_host-as.patch b/patches.suse/scsi-qla2xxx-log-message-skipping-scsi_scan_host-as.patch index abcbcd2..caca4e9 100644 --- a/patches.suse/scsi-qla2xxx-log-message-skipping-scsi_scan_host-as.patch +++ b/patches.suse/scsi-qla2xxx-log-message-skipping-scsi_scan_host-as.patch @@ -2,8 +2,7 @@ From: Mauricio Faria de Oliveira Date: Thu, 25 Aug 2022 09:01:59 -0300 Subject: scsi: qla2xxx: Log message "skipping scsi_scan_host()" as informational -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: eee8bb4a2b58212843aec92dd6c8c1cc193209e0 References: bsc#1203935 diff --git a/patches.suse/scsi-qla2xxx-remove-unused-declarations-for-qla2xxx.patch b/patches.suse/scsi-qla2xxx-remove-unused-declarations-for-qla2xxx.patch index 9c58769..5e5e480 100644 --- a/patches.suse/scsi-qla2xxx-remove-unused-declarations-for-qla2xxx.patch +++ b/patches.suse/scsi-qla2xxx-remove-unused-declarations-for-qla2xxx.patch @@ -1,8 +1,7 @@ From: Gaosheng Cui Date: Tue, 13 Sep 2022 10:37:21 +0800 Subject: scsi: qla2xxx: Remove unused declarations for qla2xxx -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: 1b80addaae099dc33e683d971aba90eeeaf887a3 References: bsc#1203935 
diff --git a/patches.suse/scsi-qla2xxx-remove-unused-del_sess_list-field.patch b/patches.suse/scsi-qla2xxx-remove-unused-del_sess_list-field.patch index 29821db..c885424 100644 --- a/patches.suse/scsi-qla2xxx-remove-unused-del_sess_list-field.patch +++ b/patches.suse/scsi-qla2xxx-remove-unused-del_sess_list-field.patch @@ -1,8 +1,7 @@ From: Tetsuo Handa Date: Sun, 21 Aug 2022 12:57:50 +0900 Subject: scsi: qla2xxx: Remove unused del_sess_list field -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: e6852b41b560129bb000538490ca39a0be2b591c References: bsc#1203935 diff --git a/patches.suse/scsi-qla2xxx-remove-unused-qlt_tmr_work.patch b/patches.suse/scsi-qla2xxx-remove-unused-qlt_tmr_work.patch index a6738dd..2da2318 100644 --- a/patches.suse/scsi-qla2xxx-remove-unused-qlt_tmr_work.patch +++ b/patches.suse/scsi-qla2xxx-remove-unused-qlt_tmr_work.patch @@ -1,8 +1,7 @@ From: Tetsuo Handa Date: Sun, 21 Aug 2022 12:58:24 +0900 Subject: scsi: qla2xxx: Remove unused qlt_tmr_work() -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: 1b2b8d45ccd6a61f88c0d5a55c9119c3b710bfa5 References: bsc#1203935 diff --git a/patches.suse/scsi-qla2xxx-revert-scsi-qla2xxx-fix-response-queue-handler.patch b/patches.suse/scsi-qla2xxx-revert-scsi-qla2xxx-fix-response-queue-handler.patch index 53a15a3..a70af48 100644 --- a/patches.suse/scsi-qla2xxx-revert-scsi-qla2xxx-fix-response-queue-handler.patch +++ b/patches.suse/scsi-qla2xxx-revert-scsi-qla2xxx-fix-response-queue-handler.patch @@ -2,8 +2,7 @@ 
From: Arun Easi Date: Fri, 26 Aug 2022 03:25:53 -0700 Subject: scsi: qla2xxx: Revert "scsi: qla2xxx: Fix response queue handler reading stale packets" -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: 6dc45a7322cb9db48a5b6696597a00ef7c778ef9 References: bsc#1203935 diff --git a/patches.suse/scsi-qla2xxx-update-version-to-10.02.07.900-k.patch b/patches.suse/scsi-qla2xxx-update-version-to-10.02.07.900-k.patch index 4243476..a8bd23d 100644 --- a/patches.suse/scsi-qla2xxx-update-version-to-10.02.07.900-k.patch +++ b/patches.suse/scsi-qla2xxx-update-version-to-10.02.07.900-k.patch @@ -1,8 +1,7 @@ From: Nilesh Javali Date: Fri, 26 Aug 2022 03:25:59 -0700 Subject: scsi: qla2xxx: Update version to 10.02.07.900-k -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git +Patch-mainline: v6.1-rc1 Git-commit: fed842d04dad979f0e74926720474ab0b037e7e8 References: bsc#1203935 diff --git a/patches.suse/scsi-stex-Properly-zero-out-the-passthrough-command-structure.patch b/patches.suse/scsi-stex-Properly-zero-out-the-passthrough-command-structure.patch new file mode 100644 index 0000000..b3f0495 --- /dev/null +++ b/patches.suse/scsi-stex-Properly-zero-out-the-passthrough-command-structure.patch 
@@ -0,0 +1,68 @@
+From: Linus Torvalds
+Date: Fri, 9 Sep 2022 08:54:47 +0200
+Subject: scsi: stex: Properly zero out the passthrough command structure
+Git-commit: 6022f210461fef67e6e676fd8544ca02d1bcfa7a
+Patch-mainline: v6.0 or v6.0-rc8 (next release)
+References: bsc#1203514 CVE-2022-40768
+
+The passthrough structure is declared off of the stack, so it needs to be
+set to zero before copied back to userspace to prevent any unintentional
+data leakage. Switch things to be statically allocated which will fill the
+unused fields with 0 automatically.
+
+[lduncan: refreshed to apply cleanly.]
+
+Link: https://lore.kernel.org/r/YxrjN3OOw2HHl9tx@kroah.com
+Cc: stable@kernel.org
+Cc: "James E.J. Bottomley"
+Cc: "Martin K. Petersen"
+Cc: Dan Carpenter
+Reported-by: hdthky
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Martin K. Petersen
+Acked-by: Lee Duncan
+---
+ drivers/scsi/stex.c | 17 +++++++++--------
+ include/scsi/scsi_cmnd.h | 2 +-
+ 2 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/scsi/stex.c
++++ b/drivers/scsi/stex.c
+@@ -673,16 +673,17 @@ stex_queuecommand_lck(struct scsi_cmnd *
+ return 0;
+ case PASSTHRU_CMD:
+ if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
+- struct st_drvver ver;
++ const struct st_drvver ver = {
++ .major = ST_VER_MAJOR,
++ .minor = ST_VER_MINOR,
++ .oem = ST_OEM,
++ .build = ST_BUILD_VER,
++ .signature[0] = PASSTHRU_SIGNATURE,
++ .console_id = host->max_id - 1,
++ .host_no = hba->host->host_no,
++ };
+ size_t cp_len = sizeof(ver);
+
+- ver.major = ST_VER_MAJOR;
+- ver.minor = ST_VER_MINOR;
+- ver.oem = ST_OEM;
+- ver.build = ST_BUILD_VER;
+- ver.signature[0] = PASSTHRU_SIGNATURE;
+- ver.console_id = host->max_id - 1;
+- ver.host_no = hba->host->host_no;
+ cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
+ cmd->result = sizeof(ver) == cp_len ?
+ DID_OK << 16 | COMMAND_COMPLETE << 8 :
+--- a/include/scsi/scsi_cmnd.h
++++ b/include/scsi/scsi_cmnd.h
+@@ -219,7 +219,7 @@ static inline struct scsi_data_buffer *s
+ }
+
+ static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd,
+- void *buf, int buflen)
++ const void *buf, int buflen)
+ {
+ return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),
+ buf, buflen);
diff --git a/patches.suse/x86-xen-Remove-undefined-behavior-in-setup_features.patch b/patches.suse/x86-xen-Remove-undefined-behavior-in-setup_features.patch
new file mode 100644
index 0000000..a2a971f
--- /dev/null
+++ b/patches.suse/x86-xen-Remove-undefined-behavior-in-setup_features.patch
@@ -0,0 +1,33 @@
+Patch-mainline: v5.19-rc4
+Git-commit: ecb6237fa397b7b810d798ad19322eca466dbab1
+References: git-fixes
+From: Julien Grall
+Date: Fri, 17 Jun 2022 11:30:37 +0100
+Subject: [PATCH] x86/xen: Remove undefined behavior in setup_features()
+
+1 << 31 is undefined. So switch to 1U << 31.
+
+Fixes: 5ead97c84fa7 ("xen: Core Xen implementation")
+Signed-off-by: Julien Grall
+Reviewed-by: Juergen Gross
+Link: https://lore.kernel.org/r/20220617103037.57828-1-julien@xen.org
+Signed-off-by: Juergen Gross
+---
+ drivers/xen/features.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/features.c b/drivers/xen/features.c
+index 7b591443833c..87f1828d40d5 100644
+--- a/drivers/xen/features.c
++++ b/drivers/xen/features.c
+@@ -42,6 +42,6 @@ void xen_setup_features(void)
+ if (HYPERVISOR_xen_version(XENVER_get_features, &fi) < 0)
+ break;
+ for (j = 0; j < 32; j++)
+- xen_features[i * 32 + j] = !!(fi.submap & 1<
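Review bot: In the stex.c hunk the designated initializer on `ver` clears the members it does not name, but C does not promise that padding bytes inside the struct are zeroed, and the whole object is still copied out with `sizeof(ver)` through scsi_sg_copy_from_buffer(). The layout of struct st_drvver is not visible here; if it contains any padding, the disclosure this change targets remains for those bytes. Clearing the object explicitly covers both cases: keep `struct st_drvver ver;`, add `memset(&ver, 0, sizeof(ver));` after the declarations, and retain the field assignments the hunk removes. The description also calls the object statically allocated, while `const struct st_drvver ver` in the new code is an automatic variable. stex_queuecommand_lck() starts and ends outside the hunk.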