From f7e1ff8c32d8d5309efb293d45acbd4de59cc5a4 Mon Sep 17 00:00:00 2001 From: Frederic Weisbecker Date: Dec 13 2022 09:59:29 +0000 Subject: Merge 'SLE15-SP3' (774239cde25) into 'SLE15-SP3-RT' - No -rt specific changes this merge. --- diff --git a/patches.kabi/kABI-remove-new-member-of-usbip_device.patch b/patches.kabi/kABI-remove-new-member-of-usbip_device.patch index 285fac3..2d19067 100644 --- a/patches.kabi/kABI-remove-new-member-of-usbip_device.patch +++ b/patches.kabi/kABI-remove-new-member-of-usbip_device.patch @@ -15,11 +15,24 @@ Signed-off-by: Oliver Neukum drivers/usb/usbip/vhci_hcd.c | 3 ++- drivers/usb/usbip/vhci_sysfs.c | 12 ++++++------ scripts/bpf_helpers_doc.py | 0 + drivers/usb/core/devices.c | 2 ++ + drivers/usb/usbip/usbip_common.h | 5 ++--- + drivers/usb/usbip/vhci_hcd.c | 1 - + drivers/usb/usbip/vhci_sysfs.c | 12 ++++++------ 4 files changed, 10 insertions(+), 10 deletions(-) mode change 100644 => 100755 scripts/bpf_helpers_doc.py -diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h -index a7e6ce96f..1180c931e 100644 +--- a/drivers/usb/core/devices.c ++++ b/drivers/usb/core/devices.c +@@ -48,6 +48,8 @@ + + #include "usb.h" + ++DEFINE_MUTEX(suse_big_usbip_lock); ++ + /* Define ALLOW_SERIAL_NUMBER if you want to see the serial number of devices */ + #define ALLOW_SERIAL_NUMBER + --- a/drivers/usb/usbip/usbip_common.h +++ b/drivers/usb/usbip/usbip_common.h @@ -263,9 +263,6 @@ struct usbip_device { @@ -32,27 +45,16 @@ index a7e6ce96f..1180c931e 100644 int sockfd; struct socket *tcp_socket; -@@ -340,4 +337,6 @@ static inline int interface_to_devnum(struct usb_interface *interface) +@@ -340,4 +337,6 @@ static inline int interface_to_devnum(st return udev->devnum; } +extern struct mutex suse_big_usbip_lock; + #endif /* __USBIP_COMMON_H */ -diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c -index 170abb06a..32d653d36 100644 --- a/drivers/usb/usbip/vhci_hcd.c +++ b/drivers/usb/usbip/vhci_hcd.c -@@ -116,6 +116,8 @@ static const char * const bit_desc_ss[] = { - "R31", /*31*/ - }; - -+DEFINE_MUTEX(suse_big_usbip_lock); -+ - static void dump_port_status_diff(u32 prev_status, u32 new_status, bool usb3) - { - int i = 0; -@@ -1126,7 +1128,6 @@ static void vhci_device_init(struct vhci_device *vdev) +@@ -1126,7 +1126,6 @@ static void vhci_device_init(struct vhci vdev->ud.side = USBIP_VHCI; vdev->ud.status = VDEV_ST_NULL; spin_lock_init(&vdev->ud.lock); @@ -60,11 +62,9 @@ index 170abb06a..32d653d36 100644 INIT_LIST_HEAD(&vdev->priv_rx); INIT_LIST_HEAD(&vdev->priv_tx); -diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c -index ebc7be1d9..de5ab6f9c 100644 --- a/drivers/usb/usbip/vhci_sysfs.c +++ b/drivers/usb/usbip/vhci_sysfs.c -@@ -185,7 +185,7 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport) +@@ -185,7 +185,7 @@ static int vhci_port_disconnect(struct v usbip_dbg_vhci_sysfs("enter\n"); @@ -73,7 +73,7 @@ index ebc7be1d9..de5ab6f9c 100644 /* lock */ spin_lock_irqsave(&vhci->lock, flags); -@@ -197,7 +197,7 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport) +@@ -197,7 +197,7 @@ static int vhci_port_disconnect(struct v /* unlock */ spin_unlock(&vdev->ud.lock); spin_unlock_irqrestore(&vhci->lock, flags); @@ -82,7 +82,7 @@ index ebc7be1d9..de5ab6f9c 100644 return -EINVAL; } -@@ -208,7 +208,7 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport) +@@ -208,7 +208,7 @@ static int vhci_port_disconnect(struct v usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN); @@ -91,7 +91,7 @@ index ebc7be1d9..de5ab6f9c 100644 return 0; } -@@ -354,7 +354,7 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr, +@@ -354,7 +354,7 @@ static ssize_t attach_store(struct devic else vdev = &vhci->vhci_hcd_hs->vdev[rhport]; @@ -100,7 +100,7 @@ index ebc7be1d9..de5ab6f9c 100644 /* Extract socket from fd. */ socket = sockfd_lookup(sockfd, &err); -@@ -436,12 +436,12 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr, +@@ -436,12 +436,12 @@ static ssize_t attach_store(struct devic dev_info(dev, "Device attached\n"); @@ -115,9 +115,3 @@ index ebc7be1d9..de5ab6f9c 100644 return err; } static DEVICE_ATTR_WO(attach); -diff --git a/scripts/bpf_helpers_doc.py b/scripts/bpf_helpers_doc.py -old mode 100644 -new mode 100755 --- -2.35.3 - diff --git a/patches.kabi/kabi-sk_buff_scm_io_uring.patch b/patches.kabi/kabi-sk_buff_scm_io_uring.patch new file mode 100644 index 0000000..0c46c7e --- /dev/null +++ b/patches.kabi/kabi-sk_buff_scm_io_uring.patch @@ -0,0 +1,39 @@ +From: David Disseldorp +Subject: [PATCH] kabi: sk_buff.scm_io_uring +Patch-mainline: Never, kABI fix +References: bsc#1204228 CVE-2022-2602 + +Commit 0091bfc81741 ("io_uring/af_unix: defer registered files gc to +io_uring") requires this kABI fix. pahole shows a gap here: +$ pahole -C sk_buff vmlinux +struct sk_buff { + ... + __u8 tc_from_ingress:1; /* 132: 0 1 */ + __u8 decrypted:1; /* 132: 1 1 */ + __u8 scm_io_uring:1; /* 132: 2 1 */ + + /* XXX 5 bits hole, try to pack */ + /* XXX 1 byte hole, try to pack */ + +Signed-off-by: David Disseldorp +--- + include/linux/skbuff.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index f86bbfcfa22ad..d305bf5ad125b 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -816,7 +816,9 @@ struct sk_buff { + #ifdef CONFIG_TLS_DEVICE + __u8 decrypted:1; + #endif ++#ifndef __GENKSYMS__ + __u8 scm_io_uring:1; ++#endif + + #ifdef CONFIG_NET_SCHED + __u16 tc_index; /* traffic control index */ +-- +2.35.3 + diff --git a/patches.kabi/usbip-stub_dev-remake-locking-for-kABI.patch b/patches.kabi/usbip-stub_dev-remake-locking-for-kABI.patch index 8940947..567e78c 100644 --- a/patches.kabi/usbip-stub_dev-remake-locking-for-kABI.patch +++ b/patches.kabi/usbip-stub_dev-remake-locking-for-kABI.patch @@ -9,15 +9,23 @@ use the global lock to preserve kABI signed-off-by: Oliver Neukum --- - drivers/usb/usbip/stub_dev.c | 9 ++++----- - drivers/usb/usbip/vhci_hcd.c | 1 + + drivers/usb/core/devices.c | 1 + + drivers/usb/usbip/stub_dev.c | 9 ++++----- 2 files changed, 5 insertions(+), 5 deletions(-) -diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c -index c64964c32..c60e6236a 100644 +--- a/drivers/usb/core/devices.c ++++ b/drivers/usb/core/devices.c +@@ -49,6 +49,7 @@ + #include "usb.h" + + DEFINE_MUTEX(suse_big_usbip_lock); ++EXPORT_SYMBOL(suse_big_usbip_lock); + + /* Define ALLOW_SERIAL_NUMBER if you want to see the serial number of devices */ + #define ALLOW_SERIAL_NUMBER --- a/drivers/usb/usbip/stub_dev.c +++ b/drivers/usb/usbip/stub_dev.c -@@ -63,7 +63,7 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a +@@ -63,7 +63,7 @@ static ssize_t usbip_sockfd_store(struct dev_info(dev, "stub up\n"); @@ -26,7 +34,7 @@ index c64964c32..c60e6236a 100644 spin_lock_irq(&sdev->ud.lock); if (sdev->ud.status != SDEV_ST_AVAILABLE) { -@@ -113,7 +113,7 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a +@@ -113,7 +113,7 @@ static ssize_t usbip_sockfd_store(struct wake_up_process(sdev->ud.tcp_rx); wake_up_process(sdev->ud.tcp_tx); @@ -35,7 +43,7 @@ index c64964c32..c60e6236a 100644 } else { dev_info(dev, "stub down\n"); -@@ -125,7 +125,7 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a +@@ -125,7 +125,7 @@ static ssize_t usbip_sockfd_store(struct spin_unlock_irq(&sdev->ud.lock); usbip_event_add(&sdev->ud, SDEV_EVENT_DOWN); @@ -44,7 +52,7 @@ index c64964c32..c60e6236a 100644 } return count; -@@ -135,7 +135,7 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a +@@ -135,7 +135,7 @@ sock_err: err: spin_unlock_irq(&sdev->ud.lock); unlock_mutex: @@ -53,7 +61,7 @@ index c64964c32..c60e6236a 100644 return -EINVAL; } static DEVICE_ATTR_WO(usbip_sockfd); -@@ -301,7 +301,6 @@ static struct stub_device *stub_device_alloc(struct usb_device *udev) +@@ -301,7 +301,6 @@ static struct stub_device *stub_device_a sdev->ud.side = USBIP_STUB; sdev->ud.status = SDEV_ST_AVAILABLE; spin_lock_init(&sdev->ud.lock); @@ -61,18 +69,3 @@ index c64964c32..c60e6236a 100644 sdev->ud.tcp_socket = NULL; sdev->ud.sockfd = -1; -diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c -index 32d653d36..f12ca9e72 100644 ---- a/drivers/usb/usbip/vhci_hcd.c -+++ b/drivers/usb/usbip/vhci_hcd.c -@@ -117,6 +117,7 @@ static const char * const bit_desc_ss[] = { - }; - - DEFINE_MUTEX(suse_big_usbip_lock); -+EXPORT_SYMBOL(suse_big_usbip_lock); - - static void dump_port_status_diff(u32 prev_status, u32 new_status, bool usb3) - { --- -2.35.3 - diff --git a/patches.suse/0001-drivers-net-slip-fix-NPD-bug-in-sl_tx_timeout.patch b/patches.suse/0001-drivers-net-slip-fix-NPD-bug-in-sl_tx_timeout.patch new file mode 100644 index 0000000..4ea03fe --- /dev/null +++ b/patches.suse/0001-drivers-net-slip-fix-NPD-bug-in-sl_tx_timeout.patch @@ -0,0 +1,60 @@ +From ec4eb8a86ade4d22633e1da2a7d85a846b7d1798 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 5 Apr 2022 21:22:06 +0800 +Subject: [PATCH] drivers: net: slip: fix NPD bug in sl_tx_timeout() +Git-commit: ec4eb8a86ade4d22633e1da2a7d85a846b7d1798 +Patch-mainline: v5.18-rc2 +References: bsc#1205671 CVE-2022-41858 + +When a slip driver is detaching, the slip_close() will act to +cleanup necessary resources and sl->tty is set to NULL in +slip_close(). Meanwhile, the packet we transmit is blocked, +sl_tx_timeout() will be called. Although slip_close() and +sl_tx_timeout() use sl->lock to synchronize, we don`t judge +whether sl->tty equals to NULL in sl_tx_timeout() and the +null pointer dereference bug will happen. + + (Thread 1) | (Thread 2) + | slip_close() + | spin_lock_bh(&sl->lock) + | ... +... | sl->tty = NULL //(1) +sl_tx_timeout() | spin_unlock_bh(&sl->lock) + spin_lock(&sl->lock); | + ... | ... + tty_chars_in_buffer(sl->tty)| + if (tty->ops->..) //(2) | + ... | synchronize_rcu() + +We set NULL to sl->tty in position (1) and dereference sl->tty +in position (2). + +This patch adds check in sl_tx_timeout(). If sl->tty equals to +NULL, sl_tx_timeout() will goto out. + +Signed-off-by: Duoming Zhou +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/20220405132206.55291-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Acked-by: Takashi Iwai + +--- + drivers/net/slip/slip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c +index 88396ff99f03..6865d32270e5 100644 +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -469,7 +469,7 @@ static void sl_tx_timeout(struct net_device *dev, unsigned int txqueue) + spin_lock(&sl->lock); + + if (netif_queue_stopped(dev)) { +- if (!netif_running(dev)) ++ if (!netif_running(dev) || !sl->tty) + goto out; + + /* May be we must check transmitter timeout here ? +-- +2.35.3 + diff --git a/patches.suse/0001-drm-i915-gvt-fix-double-free-bug-in-split_2MB_gtt_en.patch b/patches.suse/0001-drm-i915-gvt-fix-double-free-bug-in-split_2MB_gtt_en.patch new file mode 100644 index 0000000..f5427ba --- /dev/null +++ b/patches.suse/0001-drm-i915-gvt-fix-double-free-bug-in-split_2MB_gtt_en.patch @@ -0,0 +1,101 @@ +From ae6f406c15c59cc611d6182c90bc42082fe64a27 Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Fri, 7 Oct 2022 09:37:08 +0800 +Subject: drm/i915/gvt: fix double free bug in split_2MB_gtt_entry +Patch-mainline: Submitted, https://lore.kernel.org/dri-devel/20221007013708.1946061-1-zyytlz.wz@163.com/ +References: bsc#1204780, CVE-2022-3707 + +If intel_gvt_dma_map_guest_page failed, it will call +ppgtt_invalidate_spt, which will finally free the spt. +But the caller does not notice that, it will free spt again in error path. + +Fix this by spliting invalidate and free in ppgtt_invalidate_spt. +Only free spt when in good case. + +Reported-by: Zheng Wang +Signed-off-by: Zheng Wang +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/i915/gvt/gtt.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c +index 52536b561805..3500ba000230 100644 +--- a/drivers/gpu/drm/i915/gvt/gtt.c ++++ b/drivers/gpu/drm/i915/gvt/gtt.c +@@ -941,6 +941,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt) + return atomic_dec_return(&spt->refcount); + } + ++static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt); + static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt); + + static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu, +@@ -977,7 +978,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu, + ops->get_pfn(e)); + return -ENXIO; + } +- return ppgtt_invalidate_spt(s); ++ return ppgtt_invalidate_and_free_spt(s); + } + + static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt, +@@ -998,18 +999,30 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt, + intel_gvt_hypervisor_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT); + } + +-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt) ++static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt) + { +- struct intel_vgpu *vgpu = spt->vgpu; +- struct intel_gvt_gtt_entry e; +- unsigned long index; + int ret; + + trace_spt_change(spt->vgpu->id, "die", spt, +- spt->guest_page.gfn, spt->shadow_page.type); +- ++ spt->guest_page.gfn, spt->shadow_page.type); + if (ppgtt_put_spt(spt) > 0) + return 0; ++ ret = ppgtt_invalidate_spt(spt); ++ if (!ret) { ++ trace_spt_change(spt->vgpu->id, "release", spt, ++ spt->guest_page.gfn, spt->shadow_page.type); ++ ppgtt_free_spt(spt); ++ } ++ ++ return ret; ++} ++ ++static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt) ++{ ++ struct intel_vgpu *vgpu = spt->vgpu; ++ struct intel_gvt_gtt_entry e; ++ unsigned long index; ++ int ret; + + for_each_present_shadow_entry(spt, &e, index) { + switch (e.type) { +@@ -1041,9 +1054,6 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt) + } + } + +- trace_spt_change(spt->vgpu->id, "release", spt, +- spt->guest_page.gfn, spt->shadow_page.type); +- ppgtt_free_spt(spt); + return 0; + fail: + gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n", +@@ -1375,7 +1385,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt, + ret = -ENXIO; + goto fail; + } +- ret = ppgtt_invalidate_spt(s); ++ ret = ppgtt_invalidate_and_free_spt(s); + if (ret) + goto fail; + } else { +-- +2.38.0 + diff --git a/patches.suse/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch b/patches.suse/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch new file mode 100644 index 0000000..e46c331 --- /dev/null +++ b/patches.suse/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch @@ -0,0 +1,54 @@ +From 711f8c3fb3db61897080468586b970c87c61d9e4 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Mon, 31 Oct 2022 16:10:32 -0700 +Subject: [PATCH] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 711f8c3fb3db61897080468586b970c87c61d9e4 +Patch-mainline: v6.1-rc4 +References: CVE-2022-42896 bsc#1205709 + +[ backport note: dropped the change for l2cap_ecred_conn_req() as this + kernel branch has no corresponding code yet -- tiwai ] + +The Bluetooth spec states that the valid range for SPSM is from +0x0001-0x00ff so it is invalid to accept values outside of this range: + + BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A + page 1059: + Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges + +Cve: CVE-2022-42896 +Cc: stable@vger.kernel.org +Reported-by: Tamás Koczka +Signed-off-by: Luiz Augusto von Dentz +Reviewed-by: Tedd Ho-Jeong An +Acked-by: Takashi Iwai + +--- + net/bluetooth/l2cap_core.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5529,6 +5529,19 @@ static int l2cap_le_connect_req(struct l + BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), + scid, mtu, mps); + ++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A ++ * page 1059: ++ * ++ * Valid range: 0x0001-0x00ff ++ * ++ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges ++ */ ++ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { ++ result = L2CAP_CR_LE_BAD_PSM; ++ chan = NULL; ++ goto response; ++ } ++ + /* Check if we have socket listening on psm */ + pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, + &conn->hcon->dst, LE_LINK); diff --git a/patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch b/patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch new file mode 100644 index 0000000..c390203 --- /dev/null +++ b/patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch @@ -0,0 +1,66 @@ +From ae4569813a6e931258db627cdfe50dfb4f917d5d Mon Sep 17 00:00:00 2001 +From: Sungwoo Kim +Date: Fri, 18 Nov 2022 15:01:47 -0500 +Subject: [PATCH] Bluetooth: L2CAP: Fix u8 overflow +Git-commit: ae4569813a6e931258db627cdfe50dfb4f917d5d +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git +Patch-mainline: Queued in subsystem maintainer repo +References: CVE-2022-45934 bsc#1205796 + +By keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases +multiple times and eventually it will wrap around the maximum number +(i.e., 255). +This patch prevents this by adding a boundary check with +L2CAP_MAX_CONF_RSP + +Btmon log: +Bluetooth monitor ver 5.64 += Note: Linux version 6.1.0-rc2 (x86_64) 0.264594 += Note: Bluetooth subsystem version 2.22 0.264636 +@ MGMT Open: btmon (privileged) version 1.22 {0x0001} 0.272191 += New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0) [hci0] 13.877604 +@ RAW Open: 9496 (privileged) version 2.22 {0x0002} 13.890741 += Open Index: 00:00:00:00:00:00 [hci0] 13.900426 +(...) +> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #32 [hci0] 14.273106 + invalid packet size (12 != 1033) + 08 00 01 00 02 01 04 00 01 10 ff ff ............ +> ACL Data RX: Handle 200 flags 0x00 dlen 1547 #33 [hci0] 14.273561 + invalid packet size (14 != 1547) + 0a 00 01 00 04 01 06 00 40 00 00 00 00 00 ........@..... +> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #34 [hci0] 14.274390 + invalid packet size (16 != 2061) + 0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04 ........@....... +> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #35 [hci0] 14.274932 + invalid packet size (16 != 2061) + 0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00 ........@....... += bluetoothd: Bluetooth daemon 5.43 14.401828 +> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #36 [hci0] 14.275753 + invalid packet size (12 != 1033) + 08 00 01 00 04 01 04 00 40 00 00 00 ........@... + +Signed-off-by: Sungwoo Kim +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + net/bluetooth/l2cap_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 93802b27f2a5..a3e0dc6a6e73 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4453,7 +4453,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, + + chan->ident = cmd->ident; + l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp); +- chan->num_conf_rsp++; ++ if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP) ++ chan->num_conf_rsp++; + + /* Reset config buffer. */ + chan->conf_len = 0; +-- +2.35.3 + diff --git a/patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch b/patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch index 77a0982..0854015 100644 --- a/patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch +++ b/patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch @@ -2,9 +2,9 @@ From cacdb14b1c8d3804a3a7d31773bc7569837b71a4 Mon Sep 17 00:00:00 2001 From: Hyunwoo Kim Date: Sun, 4 Sep 2022 12:31:15 -0700 Subject: [PATCH] HID: roccat: Fix use-after-free in roccat_read() -Git-commit: cacdb14b1c8d3804a3a7d31773bc7569837b71a4 Patch-mainline: v6.1-rc1 -References: git-fixes +Git-commit: cacdb14b1c8d3804a3a7d31773bc7569837b71a4 +References: bsc#1203960 CVE-2022-41850 roccat_report_event() is responsible for registering roccat-related reports in struct roccat_device. diff --git a/patches.suse/NFSD-Cap-rsize_bop-result-based-on-send-buffer-size.patch b/patches.suse/NFSD-Cap-rsize_bop-result-based-on-send-buffer-size.patch new file mode 100644 index 0000000..29a1a40 --- /dev/null +++ b/patches.suse/NFSD-Cap-rsize_bop-result-based-on-send-buffer-size.patch @@ -0,0 +1,104 @@ +From: Chuck Lever +Date: Thu, 1 Sep 2022 15:29:55 -0400 +Subject: [PATCH] NFSD: Cap rsize_bop result based on send buffer size +Git-commit: 76ce4dcec0dc08a032db916841ddc4e3998be317 +Patch-mainline: v6.1 +References: bsc#1205128 CVE-2022-43945 + +Since before the git era, NFSD has conserved the number of pages +held by each nfsd thread by combining the RPC receive and send +buffers into a single array of pages. This works because there are +no cases where an operation needs a large RPC Call message and a +large RPC Reply at the same time. + +Once an RPC Call has been received, svc_process() updates +svc_rqst::rq_res to describe the part of rq_pages that can be +used for constructing the Reply. This means that the send buffer +(rq_res) shrinks when the received RPC record containing the RPC +Call is large. + +Add an NFSv4 helper that computes the size of the send buffer. It +replaces svc_max_payload() in spots where svc_max_payload() returns +a value that might be larger than the remaining send buffer space. +Callers who need to know the transport's actual maximum payload size +will continue to use svc_max_payload(). + +Signed-off-by: Chuck Lever +Acked-by: NeilBrown + +--- + fs/nfsd/nfs4proc.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -2079,6 +2079,22 @@ out: + + #define op_encode_channel_attrs_maxsz (6 + 1 + 1) + ++/* ++ * The _rsize() helpers are invoked by the NFSv4 COMPOUND decoder, which ++ * is called before sunrpc sets rq_res.buflen. Thus we have to compute ++ * the maximum payload size here, based on transport limits and the size ++ * of the remaining space in the rq_pages array. ++ */ ++static u32 nfsd4_max_payload(const struct svc_rqst *rqstp) ++{ ++ u32 buflen; ++ ++ buflen = (rqstp->rq_page_end - rqstp->rq_next_page) * PAGE_SIZE; ++ buflen -= rqstp->rq_auth_slack; ++ buflen -= rqstp->rq_res.head[0].iov_len; ++ return min_t(u32, buflen, svc_max_payload(rqstp)); ++} ++ + static inline u32 nfsd4_only_status_rsize(struct svc_rqst *rqstp, struct nfsd4_op *op) + { + return (op_encode_hdr_size) * sizeof(__be32); +@@ -2119,9 +2135,9 @@ static inline u32 nfsd4_getattr_rsize(st + u32 ret = 0; + + if (bmap0 & FATTR4_WORD0_ACL) +- return svc_max_payload(rqstp); ++ return nfsd4_max_payload(rqstp); + if (bmap0 & FATTR4_WORD0_FS_LOCATIONS) +- return svc_max_payload(rqstp); ++ return nfsd4_max_payload(rqstp); + + if (bmap1 & FATTR4_WORD1_OWNER) { + ret += IDMAP_NAMESZ + 4; +@@ -2176,20 +2192,14 @@ static inline u32 nfsd4_open_rsize(struc + + static inline u32 nfsd4_read_rsize(struct svc_rqst *rqstp, struct nfsd4_op *op) + { +- u32 maxcount = 0, rlen = 0; +- +- maxcount = svc_max_payload(rqstp); +- rlen = min(op->u.read.rd_length, maxcount); ++ u32 rlen = min(op->u.read.rd_length, nfsd4_max_payload(rqstp)); + + return (op_encode_hdr_size + 2 + XDR_QUADLEN(rlen)) * sizeof(__be32); + } + + static inline u32 nfsd4_readdir_rsize(struct svc_rqst *rqstp, struct nfsd4_op *op) + { +- u32 maxcount = 0, rlen = 0; +- +- maxcount = svc_max_payload(rqstp); +- rlen = min(op->u.readdir.rd_maxcount, maxcount); ++ u32 rlen = min(op->u.readdir.rd_maxcount, nfsd4_max_payload(rqstp)); + + return (op_encode_hdr_size + op_encode_verifier_maxsz + + XDR_QUADLEN(rlen)) * sizeof(__be32); +@@ -2300,10 +2310,7 @@ static inline u32 nfsd4_offload_status_r + #ifdef CONFIG_NFSD_PNFS + static inline u32 nfsd4_getdeviceinfo_rsize(struct svc_rqst *rqstp, struct nfsd4_op *op) + { +- u32 maxcount = 0, rlen = 0; +- +- maxcount = svc_max_payload(rqstp); +- rlen = min(op->u.getdeviceinfo.gd_maxcount, maxcount); ++ u32 rlen = min(op->u.getdeviceinfo.gd_maxcount, nfsd4_max_payload(rqstp)); + + return (op_encode_hdr_size + + 1 /* gd_layout_type*/ + diff --git a/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch new file mode 100644 index 0000000..8035acc --- /dev/null +++ b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch @@ -0,0 +1,43 @@ +From: Chuck Lever +Date: Thu, 1 Sep 2022 15:10:18 -0400 +Subject: [PATCH] NFSD: Protect against send buffer overflow in NFSv2 READ +Git-commit: 401bc1f90874280a80b93f23be33a0e7e2d1f912 +Patch-mainline: v6.1 +References: bsc#1205128 CVE-2022-43945 + +Since before the git era, NFSD has conserved the number of pages +held by each nfsd thread by combining the RPC receive and send +buffers into a single array of pages. This works because there are +no cases where an operation needs a large RPC Call message and a +large RPC Reply at the same time. + +Once an RPC Call has been received, svc_process() updates +svc_rqst::rq_res to describe the part of rq_pages that can be +used for constructing the Reply. This means that the send buffer +(rq_res) shrinks when the received RPC record containing the RPC +Call is large. + +A client can force this shrinkage on TCP by sending a correctly- +formed RPC Call header contained in an RPC record that is +excessively large. The full maximum payload size cannot be +constructed in that case. + +Cc: +Signed-off-by: Chuck Lever +Reviewed-by: Jeff Layton +Acked-by: NeilBrown + +--- + fs/nfsd/nfsxdr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfsd/nfsxdr.c ++++ b/fs/nfsd/nfsxdr.c +@@ -249,6 +249,7 @@ nfssvc_decode_readargs(struct svc_rqst * + p++; /* totalcount - unused */ + + len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2); ++ len = min_t(unsigned int, len, rqstp->rq_res.buflen); + + /* set up somewhere to store response. + * We take pages, put them on reslist and include in iovec diff --git a/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-Rdir.patch b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-Rdir.patch new file mode 100644 index 0000000..f05822b --- /dev/null +++ b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-Rdir.patch @@ -0,0 +1,34 @@ +From: Chuck Lever +Date: Thu, 1 Sep 2022 15:10:05 -0400 +Subject: [PATCH] NFSD: Protect against send buffer overflow in NFSv2 READDIR +Git-commit: 00b4492686e0497fdb924a9d4c8f6f99377e176c +Patch-mainline: v6.1 +References: bsc#1205128 CVE-2022-43945 + +Restore the previous limit on the @count argument to prevent a +buffer overflow attack. + +Fixes: 53b1119a6e50 ("NFSD: Fix READDIR buffer overflow") +Signed-off-by: Chuck Lever +Reviewed-by: Jeff Layton +Acked-by: NeilBrown + +--- + fs/nfsd/nfsproc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfsproc.c ++++ b/fs/nfsd/nfsproc.c +@@ -531,8 +531,11 @@ nfsd_proc_readdir(struct svc_rqst *rqstp + SVCFH_fmt(&argp->fh), + argp->count, argp->cookie); + ++ count = argp->count; ++ if (count > PAGE_SIZE) ++ count = PAGE_SIZE; + /* Shrink to the client read size */ +- count = (argp->count >> 2) - 2; ++ count = (count >> 2) - 2; + + /* Make sure we've room for the NULL ptr & eof flag */ + count -= 2; diff --git a/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch new file mode 100644 index 0000000..70f8071 --- /dev/null +++ b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch @@ -0,0 +1,64 @@ +From: Chuck Lever +Date: Thu, 1 Sep 2022 15:10:24 -0400 +Subject: [PATCH] NFSD: Protect against send buffer overflow in NFSv3 READ +Git-commit: fa6be9cc6e80ec79892ddf08a8c10cabab9baf38 +Patch-mainline: v6.1 +References: bsc#1205128 CVE-2022-43945 + +Since before the git era, NFSD has conserved the number of pages +held by each nfsd thread by combining the RPC receive and send +buffers into a single array of pages. This works because there are +no cases where an operation needs a large RPC Call message and a +large RPC Reply at the same time. + +Once an RPC Call has been received, svc_process() updates +svc_rqst::rq_res to describe the part of rq_pages that can be +used for constructing the Reply. This means that the send buffer +(rq_res) shrinks when the received RPC record containing the RPC +Call is large. + +A client can force this shrinkage on TCP by sending a correctly- +formed RPC Call header contained in an RPC record that is +excessively large. The full maximum payload size cannot be +constructed in that case. + +Cc: +Signed-off-by: Chuck Lever +Reviewed-by: Jeff Layton +Acked-by: NeilBrown + +--- + fs/nfsd/nfs3proc.c | 4 ++++ + fs/nfsd/nfs3xdr.c | 1 + + 2 files changed, 5 insertions(+) + +--- a/fs/nfsd/nfs3proc.c ++++ b/fs/nfsd/nfs3proc.c +@@ -156,6 +156,8 @@ nfsd3_proc_read(struct svc_rqst *rqstp) + u32 max_blocksize = svc_max_payload(rqstp); + unsigned long cnt = min(argp->count, max_blocksize); + ++ cnt = min_t(unsigned long, cnt, rqstp->rq_res.buflen); ++ + dprintk("nfsd: READ(3) %s %lu bytes at %Lu\n", + SVCFH_fmt(&argp->fh), + (unsigned long) argp->count, +@@ -166,6 +168,8 @@ nfsd3_proc_read(struct svc_rqst *rqstp) + * + 1 (xdr opaque byte count) = 26 + */ + resp->count = cnt; ++ if (argp->offset > (u64)OFFSET_MAX) ++ argp->offset = (u64)OFFSET_MAX; + svc_reserve_auth(rqstp, ((1 + NFS3_POST_OP_ATTR_WORDS + 3)<<2) + resp->count +4); + + fh_copy(&resp->fh, &argp->fh); +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -377,6 +377,7 @@ nfs3svc_decode_readargs(struct svc_rqst + + args->count = ntohl(*p++); + len = min(args->count, max_blocksize); ++ len = min(len, rqstp->rq_res.buflen); + + /* set up the kvec */ + v=0; diff --git a/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch new file mode 100644 index 0000000..3210927 --- /dev/null +++ b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch @@ -0,0 +1,94 @@ +From: Chuck Lever +Date: Thu, 1 Sep 2022 15:10:12 -0400 +Subject: [PATCH] NFSD: Protect against send buffer overflow in NFSv3 READDIR +Git-commit: 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991 +Patch-mainline: v6.1 +References: bsc#1205128 CVE-2022-43945 + +Since before the git era, NFSD has conserved the number of pages +held by each nfsd thread by combining the RPC receive and send +buffers into a single array of pages. This works because there are +no cases where an operation needs a large RPC Call message and a +large RPC Reply message at the same time. + +Once an RPC Call has been received, svc_process() updates +svc_rqst::rq_res to describe the part of rq_pages that can be +used for constructing the Reply. This means that the send buffer +(rq_res) shrinks when the received RPC record containing the RPC +Call is large. + +A client can force this shrinkage on TCP by sending a correctly- +formed RPC Call header contained in an RPC record that is +excessively large. The full maximum payload size cannot be +constructed in that case. + +Thanks to Aleksi Illikainen and Kari Hulkko for uncovering this +issue. + +Reported-by: Ben Ronallo +Cc: +Signed-off-by: Chuck Lever +Reviewed-by: Jeff Layton +Acked-by: NeilBrown + +--- + fs/nfsd/nfs3proc.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +--- a/fs/nfsd/nfs3proc.c ++++ b/fs/nfsd/nfs3proc.c +@@ -450,9 +450,17 @@ nfsd3_proc_readdir(struct svc_rqst *rqst + SVCFH_fmt(&argp->fh), + argp->count, (u32) argp->cookie); + ++ count = argp->count; ++ if (count > rqstp->rq_res.buflen) ++ count = rqstp->rq_res.buflen; ++ if (count > svc_max_payload(rqstp)) ++ count = svc_max_payload(rqstp); + /* Make sure we've room for the NULL ptr & eof flag, and shrink to + * client read size */ +- count = (argp->count >> 2) - 2; ++ count = count >> 2; ++ if (count < 2) ++ count = 2; ++ count -= 2; + + /* Read directory and encode entries on the fly */ + fh_copy(&resp->fh, &argp->fh); +@@ -503,7 +511,7 @@ nfsd3_proc_readdirplus(struct svc_rqst * + struct nfsd3_readdirargs *argp = rqstp->rq_argp; + struct nfsd3_readdirres *resp = rqstp->rq_resp; + __be32 nfserr; +- int count = 0; ++ int count; + loff_t offset; + struct page **p; + caddr_t page_addr = NULL; +@@ -512,9 +520,17 @@ nfsd3_proc_readdirplus(struct svc_rqst * + SVCFH_fmt(&argp->fh), + argp->count, (u32) argp->cookie); + ++ count = argp->count; ++ if (count > rqstp->rq_res.buflen) ++ count = rqstp->rq_res.buflen; ++ if (count > svc_max_payload(rqstp)) ++ count = svc_max_payload(rqstp); + /* Convert byte count to number of words (i.e. >> 2), + * and reserve room for the NULL ptr & eof flag (-2 words) */ +- resp->count = (argp->count >> 2) - 2; ++ count = argp->count >> 2; ++ if (count < 2) ++ count = 2; ++ resp->count = count - 2; + + /* Read directory and encode entries on the fly */ + fh_copy(&resp->fh, &argp->fh); +@@ -537,6 +553,7 @@ nfsd3_proc_readdirplus(struct svc_rqst * + &resp->common, + nfs3svc_encode_entry_plus); + memcpy(resp->verf, argp->verf, 8); ++ count = 0; + for (p = rqstp->rq_respages + 1; p < rqstp->rq_next_page; p++) { + page_addr = page_address(*p); + diff --git a/patches.suse/USB-add-usb_control_msg_send-and-usb_control_msg_rec.patch b/patches.suse/USB-add-usb_control_msg_send-and-usb_control_msg_rec.patch new file mode 100644 index 0000000..8530a96 --- /dev/null +++ b/patches.suse/USB-add-usb_control_msg_send-and-usb_control_msg_rec.patch @@ -0,0 +1,195 @@ +From 719b8f2850d3d9b863cc5e4f08e9ef0206e45b26 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 14 Sep 2020 17:37:47 +0200 +Subject: [PATCH] USB: add usb_control_msg_send() and usb_control_msg_recv() +Git-commit: 719b8f2850d3d9b863cc5e4f08e9ef0206e45b26 +Patch-mainline: v5.10-rc1 +References: CVE-2022-3903 bsc#1205220 + +New core functions to make sending/receiving USB control messages easier +and saner. + +In discussions, it turns out that the large majority of users of +usb_control_msg() do so in potentially incorrect ways. The most common +issue is where a "short" message is received, yet never detected +properly due to "incorrect" error handling. + +Handle all of this in the USB core with two new functions to try to make +working with USB control messages simpler. + +No more need for dynamic data, messages can be on the stack, and only +"complete" send/receive will work without causing an error. + +Link: https://lore.kernel.org/r/20200914153756.3412156-3-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/message.c | 133 +++++++++++++++++++++++++++++++++++++ + include/linux/usb.h | 6 ++ + 2 files changed, 139 insertions(+) + +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index ae1de9cc4b09..1dc53b12a26a 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -162,6 +162,139 @@ int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request, + } + EXPORT_SYMBOL_GPL(usb_control_msg); + ++/** ++ * usb_control_msg_send - Builds a control "send" message, sends it off and waits for completion ++ * @dev: pointer to the usb device to send the message to ++ * @endpoint: endpoint to send the message to ++ * @request: USB message request value ++ * @requesttype: USB message request type value ++ * @value: USB message value ++ * @index: USB message index value ++ * @driver_data: pointer to the data to send ++ * @size: length in bytes of the data to send ++ * @timeout: time in msecs to wait for the message to complete before timing ++ * out (if 0 the wait is forever) ++ * ++ * Context: !in_interrupt () ++ * ++ * This function sends a control message to a specified endpoint that is not ++ * expected to fill in a response (i.e. a "send message") and waits for the ++ * message to complete, or timeout. ++ * ++ * Do not use this function from within an interrupt context. If you need ++ * an asynchronous message, or need to send a message from within interrupt ++ * context, use usb_submit_urb(). If a thread in your driver uses this call, ++ * make sure your disconnect() method can wait for it to complete. Since you ++ * don't have a handle on the URB used, you can't cancel the request. ++ * ++ * The data pointer can be made to a reference on the stack, or anywhere else, ++ * as it will not be modified at all. This does not have the restriction that ++ * usb_control_msg() has where the data pointer must be to dynamically allocated ++ * memory (i.e. memory that can be successfully DMAed to a device). ++ * ++ * Return: If successful, 0 is returned, Otherwise, a negative error number. ++ */ ++int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request, ++ __u8 requesttype, __u16 value, __u16 index, ++ const void *driver_data, __u16 size, int timeout) ++{ ++ unsigned int pipe = usb_sndctrlpipe(dev, endpoint); ++ int ret; ++ u8 *data = NULL; ++ ++ if (usb_pipe_type_check(dev, pipe)) ++ return -EINVAL; ++ ++ if (size) { ++ data = kmemdup(driver_data, size, GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; ++ } ++ ++ ret = usb_control_msg(dev, pipe, request, requesttype, value, index, ++ data, size, timeout); ++ kfree(data); ++ ++ if (ret < 0) ++ return ret; ++ if (ret == size) ++ return 0; ++ return -EINVAL; ++} ++EXPORT_SYMBOL_GPL(usb_control_msg_send); ++ ++/** ++ * usb_control_msg_recv - Builds a control "receive" message, sends it off and waits for completion ++ * @dev: pointer to the usb device to send the message to ++ * @endpoint: endpoint to send the message to ++ * @request: USB message request value ++ * @requesttype: USB message request type value ++ * @value: USB message value ++ * @index: USB message index value ++ * @driver_data: pointer to the data to be filled in by the message ++ * @size: length in bytes of the data to be received ++ * @timeout: time in msecs to wait for the message to complete before timing ++ * out (if 0 the wait is forever) ++ * ++ * Context: !in_interrupt () ++ * ++ * This function sends a control message to a specified endpoint that is ++ * expected to fill in a response (i.e. a "receive message") and waits for the ++ * message to complete, or timeout. ++ * ++ * Do not use this function from within an interrupt context. If you need ++ * an asynchronous message, or need to send a message from within interrupt ++ * context, use usb_submit_urb(). If a thread in your driver uses this call, ++ * make sure your disconnect() method can wait for it to complete. Since you ++ * don't have a handle on the URB used, you can't cancel the request. ++ * ++ * The data pointer can be made to a reference on the stack, or anywhere else ++ * that can be successfully written to. This function does not have the ++ * restriction that usb_control_msg() has where the data pointer must be to ++ * dynamically allocated memory (i.e. memory that can be successfully DMAed to a ++ * device). ++ * ++ * The "whole" message must be properly received from the device in order for ++ * this function to be successful. If a device returns less than the expected ++ * amount of data, then the function will fail. Do not use this for messages ++ * where a variable amount of data might be returned. ++ * ++ * Return: If successful, 0 is returned, Otherwise, a negative error number. ++ */ ++int usb_control_msg_recv(struct usb_device *dev, __u8 endpoint, __u8 request, ++ __u8 requesttype, __u16 value, __u16 index, ++ void *driver_data, __u16 size, int timeout) ++{ ++ unsigned int pipe = usb_rcvctrlpipe(dev, endpoint); ++ int ret; ++ u8 *data; ++ ++ if (!size || !driver_data || usb_pipe_type_check(dev, pipe)) ++ return -EINVAL; ++ ++ data = kmalloc(size, GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; ++ ++ ret = usb_control_msg(dev, pipe, request, requesttype, value, index, ++ data, size, timeout); ++ ++ if (ret < 0) ++ goto exit; ++ ++ if (ret == size) { ++ memcpy(driver_data, data, size); ++ ret = 0; ++ } else { ++ ret = -EINVAL; ++ } ++ ++exit: ++ kfree(data); ++ return ret; ++} ++EXPORT_SYMBOL_GPL(usb_control_msg_recv); ++ + /** + * usb_interrupt_msg - Builds an interrupt urb, sends it off and waits for completion + * @usb_dev: pointer to the usb device to send the message to +diff --git a/include/linux/usb.h b/include/linux/usb.h +index 0b3963d7ec38..a5460f08126e 100644 +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -1802,6 +1802,12 @@ extern int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe, + int timeout); + + /* wrappers around usb_control_msg() for the most common standard requests */ ++int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request, ++ __u8 requesttype, __u16 value, __u16 index, ++ const void *data, __u16 size, int timeout); ++int usb_control_msg_recv(struct usb_device *dev, __u8 endpoint, __u8 request, ++ __u8 requesttype, __u16 value, __u16 index, ++ void *data, __u16 size, int timeout); + extern int usb_get_descriptor(struct usb_device *dev, unsigned char desctype, + unsigned char descindex, void *buf, int size); + extern int usb_get_status(struct usb_device *dev, +-- +2.35.3 + diff --git a/patches.suse/USB-core-message.c-use-usb_control_msg_send-in-a-few.patch b/patches.suse/USB-core-message.c-use-usb_control_msg_send-in-a-few.patch new file mode 100644 index 0000000..6f36dad --- /dev/null +++ b/patches.suse/USB-core-message.c-use-usb_control_msg_send-in-a-few.patch @@ -0,0 +1,112 @@ +From 297e84c04d76b9fdbac463e6378f5db7e9283ecd Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 14 Sep 2020 17:37:48 +0200 +Subject: [PATCH] USB: core: message.c: use usb_control_msg_send() in a few places +Git-commit: 297e84c04d76b9fdbac463e6378f5db7e9283ecd +Patch-mainline: v5.10-rc1 +References: CVE-2022-3903 bsc#1205220 + +There are a few calls to usb_control_msg() that can be converted to use +usb_control_msg_send() instead, so do that in order to make the error +checking a bit simpler. + +Cc: Alan Stern +Cc: "Rafael J. Wysocki" +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200914153756.3412156-4-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/message.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index 1dc53b12a26a..1580694e3b95 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -1081,7 +1081,7 @@ int usb_set_isoch_delay(struct usb_device *dev) + if (dev->speed < USB_SPEED_SUPER) + return 0; + +- return usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ++ return usb_control_msg_send(dev, 0, + USB_REQ_SET_ISOCH_DELAY, + USB_DIR_OUT | USB_TYPE_STANDARD | USB_RECIP_DEVICE, + dev->hub_delay, 0, NULL, 0, +@@ -1203,13 +1203,13 @@ int usb_clear_halt(struct usb_device *dev, int pipe) + * (like some ibmcam model 1 units) seem to expect hosts to make + * this request for iso endpoints, which can't halt! + */ +- result = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), +- USB_REQ_CLEAR_FEATURE, USB_RECIP_ENDPOINT, +- USB_ENDPOINT_HALT, endp, NULL, 0, +- USB_CTRL_SET_TIMEOUT); ++ result = usb_control_msg_send(dev, 0, ++ USB_REQ_CLEAR_FEATURE, USB_RECIP_ENDPOINT, ++ USB_ENDPOINT_HALT, endp, NULL, 0, ++ USB_CTRL_SET_TIMEOUT); + + /* don't un-halt or force to DATA0 except on success */ +- if (result < 0) ++ if (result) + return result; + + /* NOTE: seems like Microsoft and Apple don't bother verifying +@@ -1571,9 +1571,10 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate) + if (dev->quirks & USB_QUIRK_NO_SET_INTF) + ret = -EPIPE; + else +- ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), +- USB_REQ_SET_INTERFACE, USB_RECIP_INTERFACE, +- alternate, interface, NULL, 0, 5000); ++ ret = usb_control_msg_send(dev, 0, ++ USB_REQ_SET_INTERFACE, ++ USB_RECIP_INTERFACE, alternate, ++ interface, NULL, 0, 5000); + + /* 9.4.10 says devices don't need this and are free to STALL the + * request if the interface only has one alternate setting. +@@ -1583,7 +1584,7 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate) + "manual set_interface for iface %d, alt %d\n", + interface, alternate); + manual = 1; +- } else if (ret < 0) { ++ } else if (ret) { + /* Re-instate the old alt setting */ + usb_hcd_alloc_bandwidth(dev, NULL, alt, iface->cur_altsetting); + usb_enable_lpm(dev); +@@ -1707,11 +1708,10 @@ int usb_reset_configuration(struct usb_device *dev) + mutex_unlock(hcd->bandwidth_mutex); + return retval; + } +- retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), +- USB_REQ_SET_CONFIGURATION, 0, +- config->desc.bConfigurationValue, 0, +- NULL, 0, USB_CTRL_SET_TIMEOUT); +- if (retval < 0) { ++ retval = usb_control_msg_send(dev, 0, USB_REQ_SET_CONFIGURATION, 0, ++ config->desc.bConfigurationValue, 0, ++ NULL, 0, USB_CTRL_SET_TIMEOUT); ++ if (retval) { + usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL); + usb_enable_lpm(dev); + mutex_unlock(hcd->bandwidth_mutex); +@@ -2096,10 +2096,10 @@ int usb_set_configuration(struct usb_device *dev, int configuration) + } + kfree(new_interfaces); + +- ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), +- USB_REQ_SET_CONFIGURATION, 0, configuration, 0, +- NULL, 0, USB_CTRL_SET_TIMEOUT); +- if (ret < 0 && cp) { ++ ret = usb_control_msg_send(dev, 0, USB_REQ_SET_CONFIGURATION, 0, ++ configuration, 0, NULL, 0, ++ USB_CTRL_SET_TIMEOUT); ++ if (ret && cp) { + /* + * All the old state is gone, so what else can we do? + * The device is probably useless now anyway. +-- +2.35.3 + diff --git a/patches.suse/USB-core-return-EREMOTEIO-on-short-usb_control_msg_r.patch b/patches.suse/USB-core-return-EREMOTEIO-on-short-usb_control_msg_r.patch new file mode 100644 index 0000000..88171b8 --- /dev/null +++ b/patches.suse/USB-core-return-EREMOTEIO-on-short-usb_control_msg_r.patch @@ -0,0 +1,46 @@ +From 9dc9c8543aa0b9ef8852330b27cd2eef337bea18 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 4 Dec 2020 09:51:10 +0100 +Subject: [PATCH] USB: core: return -EREMOTEIO on short usb_control_msg_recv() +Git-commit: 9dc9c8543aa0b9ef8852330b27cd2eef337bea18 +Patch-mainline: v5.11-rc1 +References: CVE-2022-3903 bsc#1205220 + +Return -EREMOTEIO instead of -EINVAL on short control transfers when +using the new usb_control_msg_recv() helper. + +EINVAL is used to report invalid arguments (e.g. to the helper) and +should not be used for unrelated errors. + +Many driver currently return -EIO on short control transfers but since +host-controller drivers already use -EREMOTEIO for short transfers +whenever the URB_SHORT_NOT_OK flag is set, let's use that here as well. + +This also allows usb_control_msg_recv() to eventually use +URB_SHORT_NOT_OK without changing the return value again. + +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20201204085110.20055-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/message.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index 0d8f75e94d46..d92a04de0c50 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -289,7 +289,7 @@ int usb_control_msg_recv(struct usb_device *dev, __u8 endpoint, __u8 request, + memcpy(driver_data, data, size); + ret = 0; + } else { +- ret = -EINVAL; ++ ret = -EREMOTEIO; + } + + exit: +-- +2.35.3 + diff --git a/patches.suse/USB-correct-API-of-usb_control_msg_send-recv.patch b/patches.suse/USB-correct-API-of-usb_control_msg_send-recv.patch new file mode 100644 index 0000000..61eec11 --- /dev/null +++ b/patches.suse/USB-correct-API-of-usb_control_msg_send-recv.patch @@ -0,0 +1,149 @@ +From ddd1198e3e0935066d6e309180d49f64ef4fa702 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 23 Sep 2020 15:43:42 +0200 +Subject: [PATCH] USB: correct API of usb_control_msg_send/recv +Git-commit: ddd1198e3e0935066d6e309180d49f64ef4fa702 +Patch-mainline: v5.10-rc1 +References: CVE-2022-3903 bsc#1205220 + +They need to specify how memory is to be allocated, +as control messages need to work in contexts that require GFP_NOIO. + +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20200923134348.23862-9-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/message.c | 25 ++++++++++++++++--------- + include/linux/usb.h | 6 ++++-- + 2 files changed, 20 insertions(+), 11 deletions(-) + +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index 1580694e3b95..f4107b9e8c38 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -174,6 +174,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg); + * @size: length in bytes of the data to send + * @timeout: time in msecs to wait for the message to complete before timing + * out (if 0 the wait is forever) ++ * @memflags: the flags for memory allocation for buffers + * + * Context: !in_interrupt () + * +@@ -196,7 +197,8 @@ EXPORT_SYMBOL_GPL(usb_control_msg); + */ + int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request, + __u8 requesttype, __u16 value, __u16 index, +- const void *driver_data, __u16 size, int timeout) ++ const void *driver_data, __u16 size, int timeout, ++ gfp_t memflags) + { + unsigned int pipe = usb_sndctrlpipe(dev, endpoint); + int ret; +@@ -206,7 +208,7 @@ int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request, + return -EINVAL; + + if (size) { +- data = kmemdup(driver_data, size, GFP_KERNEL); ++ data = kmemdup(driver_data, size, memflags); + if (!data) + return -ENOMEM; + } +@@ -235,6 +237,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_send); + * @size: length in bytes of the data to be received + * @timeout: time in msecs to wait for the message to complete before timing + * out (if 0 the wait is forever) ++ * @memflags: the flags for memory allocation for buffers + * + * Context: !in_interrupt () + * +@@ -263,7 +266,8 @@ EXPORT_SYMBOL_GPL(usb_control_msg_send); + */ + int usb_control_msg_recv(struct usb_device *dev, __u8 endpoint, __u8 request, + __u8 requesttype, __u16 value, __u16 index, +- void *driver_data, __u16 size, int timeout) ++ void *driver_data, __u16 size, int timeout, ++ gfp_t memflags) + { + unsigned int pipe = usb_rcvctrlpipe(dev, endpoint); + int ret; +@@ -272,7 +276,7 @@ int usb_control_msg_recv(struct usb_device *dev, __u8 endpoint, __u8 request, + if (!size || !driver_data || usb_pipe_type_check(dev, pipe)) + return -EINVAL; + +- data = kmalloc(size, GFP_KERNEL); ++ data = kmalloc(size, memflags); + if (!data) + return -ENOMEM; + +@@ -1085,7 +1089,8 @@ int usb_set_isoch_delay(struct usb_device *dev) + USB_REQ_SET_ISOCH_DELAY, + USB_DIR_OUT | USB_TYPE_STANDARD | USB_RECIP_DEVICE, + dev->hub_delay, 0, NULL, 0, +- USB_CTRL_SET_TIMEOUT); ++ USB_CTRL_SET_TIMEOUT, ++ GFP_NOIO); + } + + /** +@@ -1206,7 +1211,7 @@ int usb_clear_halt(struct usb_device *dev, int pipe) + result = usb_control_msg_send(dev, 0, + USB_REQ_CLEAR_FEATURE, USB_RECIP_ENDPOINT, + USB_ENDPOINT_HALT, endp, NULL, 0, +- USB_CTRL_SET_TIMEOUT); ++ USB_CTRL_SET_TIMEOUT, GFP_NOIO); + + /* don't un-halt or force to DATA0 except on success */ + if (result) +@@ -1574,7 +1579,8 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate) + ret = usb_control_msg_send(dev, 0, + USB_REQ_SET_INTERFACE, + USB_RECIP_INTERFACE, alternate, +- interface, NULL, 0, 5000); ++ interface, NULL, 0, 5000, ++ GFP_NOIO); + + /* 9.4.10 says devices don't need this and are free to STALL the + * request if the interface only has one alternate setting. +@@ -1710,7 +1716,8 @@ int usb_reset_configuration(struct usb_device *dev) + } + retval = usb_control_msg_send(dev, 0, USB_REQ_SET_CONFIGURATION, 0, + config->desc.bConfigurationValue, 0, +- NULL, 0, USB_CTRL_SET_TIMEOUT); ++ NULL, 0, USB_CTRL_SET_TIMEOUT, ++ GFP_NOIO); + if (retval) { + usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL); + usb_enable_lpm(dev); +@@ -2098,7 +2105,7 @@ int usb_set_configuration(struct usb_device *dev, int configuration) + + ret = usb_control_msg_send(dev, 0, USB_REQ_SET_CONFIGURATION, 0, + configuration, 0, NULL, 0, +- USB_CTRL_SET_TIMEOUT); ++ USB_CTRL_SET_TIMEOUT, GFP_NOIO); + if (ret && cp) { + /* + * All the old state is gone, so what else can we do? +diff --git a/include/linux/usb.h b/include/linux/usb.h +index a5460f08126e..7d72c4e0713c 100644 +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -1804,10 +1804,12 @@ extern int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe, + /* wrappers around usb_control_msg() for the most common standard requests */ + int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request, + __u8 requesttype, __u16 value, __u16 index, +- const void *data, __u16 size, int timeout); ++ const void *data, __u16 size, int timeout, ++ gfp_t memflags); + int usb_control_msg_recv(struct usb_device *dev, __u8 endpoint, __u8 request, + __u8 requesttype, __u16 value, __u16 index, +- void *data, __u16 size, int timeout); ++ void *data, __u16 size, int timeout, ++ gfp_t memflags); + extern int usb_get_descriptor(struct usb_device *dev, unsigned char desctype, + unsigned char descindex, void *buf, int size); + extern int usb_get_status(struct usb_device *dev, +-- +2.35.3 + diff --git a/patches.suse/USB-move-snd_usb_pipe_sanity_check-into-the-USB-core.patch b/patches.suse/USB-move-snd_usb_pipe_sanity_check-into-the-USB-core.patch new file mode 100644 index 0000000..ba296ce --- /dev/null +++ b/patches.suse/USB-move-snd_usb_pipe_sanity_check-into-the-USB-core.patch @@ -0,0 +1,209 @@ +From fcc2cc1f35613c016e1de25bb001bfdd9eaa25f9 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 14 Sep 2020 17:37:46 +0200 +Subject: [PATCH] USB: move snd_usb_pipe_sanity_check into the USB core +Git-commit: fcc2cc1f35613c016e1de25bb001bfdd9eaa25f9 +Patch-mainline: v5.10-rc1 +References: CVE-2022-3903 bsc#1205220 + +snd_usb_pipe_sanity_check() is a great function, so let's move it into +the USB core so that other parts of the kernel, including the USB core, +can call it. + +Name it usb_pipe_type_check() to match the existing +usb_urb_ep_type_check() call, which now uses this function. + +Cc: Jaroslav Kysela +Cc: "Gustavo A. R. Silva" +Cc: Eli Billauer +Cc: Emiliano Ingrassia +Cc: Alan Stern +Cc: Alexander Tsoy +Cc: "Geoffrey D. Bennett" +Cc: Jussi Laako +Cc: Nick Kossifidis +Cc: Dmitry Panchenko +Cc: Chris Wulff +Cc: Jesus Ramos +Reviewed-by: Takashi Iwai +Link: https://lore.kernel.org/r/20200914153756.3412156-2-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/urb.c | 31 +++++++++++++++++++++++-------- + include/linux/usb.h | 1 + + sound/usb/helper.c | 16 +--------------- + sound/usb/helper.h | 1 - + sound/usb/mixer_scarlett_gen2.c | 2 +- + sound/usb/quirks.c | 10 +++++----- + 6 files changed, 31 insertions(+), 30 deletions(-) + +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -192,24 +192,39 @@ static const int pipetypes[4] = { + }; + + /** +- * usb_urb_ep_type_check - sanity check of endpoint in the given urb +- * @urb: urb to be checked ++ * usb_pipe_type_check - sanity check of a specific pipe for a usb device ++ * @dev: struct usb_device to be checked ++ * @pipe: pipe to check + * + * This performs a light-weight sanity check for the endpoint in the +- * given urb. It returns 0 if the urb contains a valid endpoint, otherwise +- * a negative error code. ++ * given usb device. It returns 0 if the pipe is valid for the specific usb ++ * device, otherwise a negative error code. + */ +-int usb_urb_ep_type_check(const struct urb *urb) ++int usb_pipe_type_check(struct usb_device *dev, unsigned int pipe) + { + const struct usb_host_endpoint *ep; + +- ep = usb_pipe_endpoint(urb->dev, urb->pipe); ++ ep = usb_pipe_endpoint(dev, pipe); + if (!ep) + return -EINVAL; +- if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) ++ if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) + return -EINVAL; + return 0; + } ++EXPORT_SYMBOL_GPL(usb_pipe_type_check); ++ ++/** ++ * usb_urb_ep_type_check - sanity check of endpoint in the given urb ++ * @urb: urb to be checked ++ * ++ * This performs a light-weight sanity check for the endpoint in the ++ * given urb. It returns 0 if the urb contains a valid endpoint, otherwise ++ * a negative error code. ++ */ ++int usb_urb_ep_type_check(const struct urb *urb) ++{ ++ return usb_pipe_type_check(urb->dev, urb->pipe); ++} + EXPORT_SYMBOL_GPL(usb_urb_ep_type_check); + + /** +@@ -474,7 +489,7 @@ int usb_submit_urb(struct urb *urb, gfp_ + */ + + /* Check that the pipe's type matches the endpoint's type */ +- if (usb_urb_ep_type_check(urb)) ++ if (usb_pipe_type_check(urb->dev, urb->pipe)) + dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", + usb_pipetype(urb->pipe), pipetypes[xfertype]); + +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -1758,6 +1758,7 @@ static inline int usb_urb_dir_out(struct + return (urb->transfer_flags & URB_DIR_MASK) == URB_DIR_OUT; + } + ++int usb_pipe_type_check(struct usb_device *dev, unsigned int pipe); + int usb_urb_ep_type_check(const struct urb *urb); + + void *usb_alloc_coherent(struct usb_device *dev, size_t size, +--- a/sound/usb/helper.c ++++ b/sound/usb/helper.c +@@ -63,20 +63,6 @@ void *snd_usb_find_csint_desc(void *buff + return NULL; + } + +-/* check the validity of pipe and EP types */ +-int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe) +-{ +- static const int pipetypes[4] = { +- PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT +- }; +- struct usb_host_endpoint *ep; +- +- ep = usb_pipe_endpoint(dev, pipe); +- if (!ep || usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) +- return -EINVAL; +- return 0; +-} +- + /* + * Wrapper for usb_control_msg(). + * Allocates a temp buffer to prevent dmaing from/to the stack. +@@ -89,7 +75,7 @@ int snd_usb_ctl_msg(struct usb_device *d + void *buf = NULL; + int timeout; + +- if (snd_usb_pipe_sanity_check(dev, pipe)) ++ if (usb_pipe_type_check(dev, pipe)) + return -EINVAL; + + if (size > 0) { +--- a/sound/usb/helper.h ++++ b/sound/usb/helper.h +@@ -7,7 +7,6 @@ unsigned int snd_usb_combine_bytes(unsig + void *snd_usb_find_desc(void *descstart, int desclen, void *after, u8 dtype); + void *snd_usb_find_csint_desc(void *descstart, int desclen, void *after, u8 dsubtype); + +-int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe); + int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe, + __u8 request, __u8 requesttype, __u16 value, __u16 index, + void *data, __u16 size); +--- a/sound/usb/mixer_scarlett_gen2.c ++++ b/sound/usb/mixer_scarlett_gen2.c +@@ -2083,7 +2083,7 @@ static int scarlett2_mixer_status_create + return 0; + } + +- if (snd_usb_pipe_sanity_check(dev, pipe)) ++ if (usb_pipe_type_check(dev, pipe)) + return -EINVAL; + + mixer->urb = usb_alloc_urb(0, GFP_KERNEL); +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -887,7 +887,7 @@ static int snd_usb_accessmusic_boot_quir + static const u8 seq[] = { 0x4e, 0x73, 0x52, 0x01 }; + void *buf; + +- if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x05))) ++ if (usb_pipe_type_check(dev, usb_sndintpipe(dev, 0x05))) + return -EINVAL; + buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL); + if (!buf) +@@ -916,7 +916,7 @@ static int snd_usb_nativeinstruments_boo + { + int ret; + +- if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0))) ++ if (usb_pipe_type_check(dev, usb_sndctrlpipe(dev, 0))) + return -EINVAL; + ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), + 0xaf, USB_TYPE_VENDOR | USB_RECIP_DEVICE, +@@ -1025,7 +1025,7 @@ static int snd_usb_axefx3_boot_quirk(str + + dev_dbg(&dev->dev, "Waiting for Axe-Fx III to boot up...\n"); + +- if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0))) ++ if (usb_pipe_type_check(dev, usb_sndctrlpipe(dev, 0))) + return -EINVAL; + /* If the Axe-Fx III has not fully booted, it will timeout when trying + * to enable the audio streaming interface. A more generous timeout is +@@ -1059,7 +1059,7 @@ static int snd_usb_motu_microbookii_comm + { + int err, actual_length; + +- if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x01))) ++ if (usb_pipe_type_check(dev, usb_sndintpipe(dev, 0x01))) + return -EINVAL; + err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x01), buf, *length, + &actual_length, 1000); +@@ -1071,7 +1071,7 @@ static int snd_usb_motu_microbookii_comm + + memset(buf, 0, buf_size); + +- if (snd_usb_pipe_sanity_check(dev, usb_rcvintpipe(dev, 0x82))) ++ if (usb_pipe_type_check(dev, usb_rcvintpipe(dev, 0x82))) + return -EINVAL; + err = usb_interrupt_msg(dev, usb_rcvintpipe(dev, 0x82), buf, buf_size, + &actual_length, 1000); diff --git a/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch b/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch deleted file mode 100644 index 556e014..0000000 --- a/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch +++ /dev/null @@ -1,99 +0,0 @@ -From a472ad2bcea479ba068880125d7273fc95c14b70 Mon Sep 17 00:00:00 2001 -From: Chen Yu -Date: Fri, 10 Jul 2020 12:12:01 +0800 -Subject: [PATCH] intel_idle: Customize IceLake server support -Git-commit: a472ad2bcea479ba068880125d7273fc95c14b70 -Patch-mainline: v5.9-rc1 -References: jsc#SLE-12679 - -On ICX platform, the C1E auto-promotion is enabled by default. -As a result, the CPU might fall into C1E more offen than previous -platforms. Besides, the C1E is not exposed to sysfs on ICX, which -is inconsistent with previous server platforms. - -So disable C1E auto-promotion and expose C1E as a separate idle -state, so the C1E and C6 can be disabled via sysfs when necessary. - -Beside C1 and C1E, the exit latency of C6 was measured -by a dedicated tool. However the exit latency(41us) exposed -by _CST is much smaller than the one we measured(128us). This -is probably due to the _CST uses the exit latency when woken -up from PC0+C6, rather than PC6+C6 when C6 was measured. Choose -the latter as we need the longest latency in theory. - -Reported-by: kernel test robot -Tested-by: Artem Bityutskiy -Acked-by: Artem Bityutskiy -Reviewed-by: Zhang Rui -Signed-off-by: Chen Yu -Signed-off-by: Rafael J. Wysocki -Acked-by: Takashi Iwai - ---- - drivers/idle/intel_idle.c | 36 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - -diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c -index 3f86f36dab2b..fd0fa9e7900b 100644 ---- a/drivers/idle/intel_idle.c -+++ b/drivers/idle/intel_idle.c -@@ -752,6 +752,35 @@ static struct cpuidle_state skx_cstates[] __initdata = { - .enter = NULL } - }; - -+static struct cpuidle_state icx_cstates[] __initdata = { -+ { -+ .name = "C1", -+ .desc = "MWAIT 0x00", -+ .flags = MWAIT2flg(0x00), -+ .exit_latency = 1, -+ .target_residency = 1, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .name = "C1E", -+ .desc = "MWAIT 0x01", -+ .flags = MWAIT2flg(0x01) | CPUIDLE_FLAG_ALWAYS_ENABLE, -+ .exit_latency = 4, -+ .target_residency = 4, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .name = "C6", -+ .desc = "MWAIT 0x20", -+ .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED, -+ .exit_latency = 128, -+ .target_residency = 384, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .enter = NULL } -+}; -+ - static struct cpuidle_state atom_cstates[] __initdata = { - { - .name = "C1E", -@@ -1056,6 +1085,12 @@ static const struct idle_cpu idle_cpu_skx __initconst = { - .use_acpi = true, - }; - -+static const struct idle_cpu idle_cpu_icx __initconst = { -+ .state_table = icx_cstates, -+ .disable_promotion_to_c1e = true, -+ .use_acpi = true, -+}; -+ - static const struct idle_cpu idle_cpu_avn __initconst = { - .state_table = avn_cstates, - .disable_promotion_to_c1e = true, -@@ -1110,6 +1145,7 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { - X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE_L, &idle_cpu_skl), - X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE, &idle_cpu_skl), - X86_MATCH_INTEL_FAM6_MODEL(SKYLAKE_X, &idle_cpu_skx), -+ X86_MATCH_INTEL_FAM6_MODEL(ICELAKE_X, &idle_cpu_icx), - X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNL, &idle_cpu_knl), - X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNM, &idle_cpu_knl), - X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, &idle_cpu_bxt), --- -2.16.4 - diff --git a/patches.suse/cifs-skip-extra-NULL-byte-in-filenames.patch b/patches.suse/cifs-skip-extra-NULL-byte-in-filenames.patch new file mode 100644 index 0000000..4791d18 --- /dev/null +++ b/patches.suse/cifs-skip-extra-NULL-byte-in-filenames.patch @@ -0,0 +1,65 @@ +From: Paulo Alcantara +Date: Fri, 19 Aug 2022 17:00:19 -0300 +Subject: [PATCH] cifs: skip extra NULL byte in filenames +Git-commit: a1d2eb51f0a33c28f5399a1610e66b3fbd24e884 +References: bsc#1204791 +Patch-mainline: v6.0-rc3 + +Since commit: + cifs: alloc_path_with_tree_prefix: do not append sep. if the path is empty +alloc_path_with_tree_prefix() function was no longer including the +trailing separator when @path is empty, although @out_len was still +assuming a path separator thus adding an extra byte to the final +filename. + +This has caused mount issues in some Synology servers due to the extra +NULL byte in filenames when sending SMB2_CREATE requests with +SMB2_FLAGS_DFS_OPERATIONS set. + +Fix this by checking if @path is not empty and then add extra byte for +separator. Also, do not include any trailing NULL bytes in filename +as MS-SMB2 requires it to be 8-byte aligned and not NULL terminated. + +Cc: stable@vger.kernel.org +Fixes: 7eacba3b00a3 ("cifs: alloc_path_with_tree_prefix: do not append sep. if the path is empty") +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Acked-by: Enzo Matsumiya +--- + fs/cifs/smb2pdu.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 91cfc5b47ac7..128e44e57528 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -2572,19 +2572,15 @@ alloc_path_with_tree_prefix(__le16 **out_path, int *out_size, int *out_len, + + path_len = UniStrnlen((wchar_t *)path, PATH_MAX); + +- /* +- * make room for one path separator between the treename and +- * path +- */ +- *out_len = treename_len + 1 + path_len; ++ /* make room for one path separator only if @path isn't empty */ ++ *out_len = treename_len + (path[0] ? 1 : 0) + path_len; + + /* +- * final path needs to be null-terminated UTF16 with a +- * size aligned to 8 ++ * final path needs to be 8-byte aligned as specified in ++ * MS-SMB2 2.2.13 SMB2 CREATE Request. + */ +- +- *out_size = roundup((*out_len+1)*2, 8); +- *out_path = kzalloc(*out_size, GFP_KERNEL); ++ *out_size = roundup(*out_len * sizeof(__le16), 8); ++ *out_path = kzalloc(*out_size + sizeof(__le16) /* null */, GFP_KERNEL); + if (!*out_path) + return -ENOMEM; + +-- +2.35.3 + + diff --git a/patches.suse/docs-kernel-parameters-Update-descriptions-for-mitig.patch b/patches.suse/docs-kernel-parameters-Update-descriptions-for-mitig.patch new file mode 100644 index 0000000..f7fa868 --- /dev/null +++ b/patches.suse/docs-kernel-parameters-Update-descriptions-for-mitig.patch @@ -0,0 +1,38 @@ +From: Eiichi Tsukata +Date: Thu, 28 Jul 2022 04:39:07 +0000 +Subject: docs/kernel-parameters: Update descriptions for "mitigations=" param + with retbleed +Git-commit: ea304a8b89fd0d6cf94ee30cb139dc23d9f1a62f +Patch-mainline: 5.19 +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271 bsc#1206032 + +Updates descriptions for "mitigations=off" and "mitigations=auto,nosmt" +with the respective retbleed= settings. + +Signed-off-by: Eiichi Tsukata +Signed-off-by: Borislav Petkov +Cc: corbet@lwn.net +Link: https://lore.kernel.org/r/20220728043907.165688-1-eiichi.tsukata@nutanix.com +Signed-off-by: Jiri Slaby +--- + Documentation/admin-guide/kernel-parameters.txt | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2741,6 +2741,7 @@ + no_entry_flush [PPC] + no_uaccess_flush [PPC] + mmio_stale_data=off [X86] ++ retbleed=off [X86] + + Exceptions: + This does not have any effect on +@@ -2763,6 +2764,7 @@ + mds=full,nosmt [X86] + tsx_async_abort=full,nosmt [X86] + mmio_stale_data=full,nosmt [X86] ++ retbleed=auto,nosmt [X86] + + mminit_loglevel= + [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this diff --git a/patches.suse/drivers-net-slip-fix-NPD-bug-in-sl_tx_timeout.patch b/patches.suse/drivers-net-slip-fix-NPD-bug-in-sl_tx_timeout.patch deleted file mode 100644 index 2234b7c..0000000 --- a/patches.suse/drivers-net-slip-fix-NPD-bug-in-sl_tx_timeout.patch +++ /dev/null @@ -1,60 +0,0 @@ -From ec4eb8a86ade4d22633e1da2a7d85a846b7d1798 Mon Sep 17 00:00:00 2001 -From: Duoming Zhou -Date: Tue, 5 Apr 2022 21:22:06 +0800 -Subject: [PATCH] drivers: net: slip: fix NPD bug in sl_tx_timeout() -Git-commit: ec4eb8a86ade4d22633e1da2a7d85a846b7d1798 -Patch-mainline: v5.18-rc2 -References: git-fixes - -When a slip driver is detaching, the slip_close() will act to -cleanup necessary resources and sl->tty is set to NULL in -slip_close(). Meanwhile, the packet we transmit is blocked, -sl_tx_timeout() will be called. Although slip_close() and -sl_tx_timeout() use sl->lock to synchronize, we don`t judge -whether sl->tty equals to NULL in sl_tx_timeout() and the -null pointer dereference bug will happen. - - (Thread 1) | (Thread 2) - | slip_close() - | spin_lock_bh(&sl->lock) - | ... -... | sl->tty = NULL //(1) -sl_tx_timeout() | spin_unlock_bh(&sl->lock) - spin_lock(&sl->lock); | - ... | ... - tty_chars_in_buffer(sl->tty)| - if (tty->ops->..) //(2) | - ... | synchronize_rcu() - -We set NULL to sl->tty in position (1) and dereference sl->tty -in position (2). - -This patch adds check in sl_tx_timeout(). If sl->tty equals to -NULL, sl_tx_timeout() will goto out. - -Signed-off-by: Duoming Zhou -Reviewed-by: Jiri Slaby -Link: https://lore.kernel.org/r/20220405132206.55291-1-duoming@zju.edu.cn -Signed-off-by: Jakub Kicinski -Acked-by: Takashi Iwai - ---- - drivers/net/slip/slip.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c -index 88396ff99f03..6865d32270e5 100644 ---- a/drivers/net/slip/slip.c -+++ b/drivers/net/slip/slip.c -@@ -469,7 +469,7 @@ static void sl_tx_timeout(struct net_device *dev, unsigned int txqueue) - spin_lock(&sl->lock); - - if (netif_queue_stopped(dev)) { -- if (!netif_running(dev)) -+ if (!netif_running(dev) || !sl->tty) - goto out; - - /* May be we must check transmitter timeout here ? --- -2.35.3 - diff --git a/patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch b/patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch new file mode 100644 index 0000000..ce50fca --- /dev/null +++ b/patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch @@ -0,0 +1,38 @@ +From 04aa64375f48a5d430b5550d9271f8428883e550 Mon Sep 17 00:00:00 2001 +From: Andrzej Hajda +Date: Mon, 14 Nov 2022 11:38:24 +0100 +Subject: [PATCH] drm/i915: fix TLB invalidation for Gen12 video and compute engines +Git-commit: 04aa64375f48a5d430b5550d9271f8428883e550 +Patch-mainline: v6.1-rc8 +References: CVE-2022-4139 bsc#1205700 + +In case of Gen12 video and compute engines, TLB_INV registers are masked - +to modify one bit, corresponding bit in upper half of the register must +be enabled, otherwise nothing happens. + +Cve: CVE-2022-4139 +Suggested-by: Chris Wilson +Signed-off-by: Andrzej Hajda +Acked-by: Daniel Vetter +Fixes: 7938d61591d3 ("drm/i915: Flush TLBs before releasing backing store") +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/gt/intel_gt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/i915/gt/intel_gt.c ++++ b/drivers/gpu/drm/i915/gt/intel_gt.c +@@ -742,6 +742,10 @@ void intel_gt_invalidate_tlbs(struct int + if (!i915_mmio_reg_offset(rb.reg)) + continue; + ++ if (INTEL_GEN(i915) == 12 && (engine->class == VIDEO_DECODE_CLASS || ++ engine->class == VIDEO_ENHANCEMENT_CLASS)) ++ rb.bit = _MASKED_BIT_ENABLE(rb.bit); ++ + intel_uncore_write_fw(uncore, rb.reg, rb.bit); + } + diff --git a/patches.suse/intel_idle-Customize-IceLake-server-support.patch b/patches.suse/intel_idle-Customize-IceLake-server-support.patch new file mode 100644 index 0000000..556e014 --- /dev/null +++ b/patches.suse/intel_idle-Customize-IceLake-server-support.patch @@ -0,0 +1,99 @@ +From a472ad2bcea479ba068880125d7273fc95c14b70 Mon Sep 17 00:00:00 2001 +From: Chen Yu +Date: Fri, 10 Jul 2020 12:12:01 +0800 +Subject: [PATCH] intel_idle: Customize IceLake server support +Git-commit: a472ad2bcea479ba068880125d7273fc95c14b70 +Patch-mainline: v5.9-rc1 +References: jsc#SLE-12679 + +On ICX platform, the C1E auto-promotion is enabled by default. +As a result, the CPU might fall into C1E more offen than previous +platforms. Besides, the C1E is not exposed to sysfs on ICX, which +is inconsistent with previous server platforms. + +So disable C1E auto-promotion and expose C1E as a separate idle +state, so the C1E and C6 can be disabled via sysfs when necessary. + +Beside C1 and C1E, the exit latency of C6 was measured +by a dedicated tool. However the exit latency(41us) exposed +by _CST is much smaller than the one we measured(128us). This +is probably due to the _CST uses the exit latency when woken +up from PC0+C6, rather than PC6+C6 when C6 was measured. Choose +the latter as we need the longest latency in theory. + +Reported-by: kernel test robot +Tested-by: Artem Bityutskiy +Acked-by: Artem Bityutskiy +Reviewed-by: Zhang Rui +Signed-off-by: Chen Yu +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/idle/intel_idle.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c +index 3f86f36dab2b..fd0fa9e7900b 100644 +--- a/drivers/idle/intel_idle.c ++++ b/drivers/idle/intel_idle.c +@@ -752,6 +752,35 @@ static struct cpuidle_state skx_cstates[] __initdata = { + .enter = NULL } + }; + ++static struct cpuidle_state icx_cstates[] __initdata = { ++ { ++ .name = "C1", ++ .desc = "MWAIT 0x00", ++ .flags = MWAIT2flg(0x00), ++ .exit_latency = 1, ++ .target_residency = 1, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .name = "C1E", ++ .desc = "MWAIT 0x01", ++ .flags = MWAIT2flg(0x01) | CPUIDLE_FLAG_ALWAYS_ENABLE, ++ .exit_latency = 4, ++ .target_residency = 4, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .name = "C6", ++ .desc = "MWAIT 0x20", ++ .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED, ++ .exit_latency = 128, ++ .target_residency = 384, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .enter = NULL } ++}; ++ + static struct cpuidle_state atom_cstates[] __initdata = { + { + .name = "C1E", +@@ -1056,6 +1085,12 @@ static const struct idle_cpu idle_cpu_skx __initconst = { + .use_acpi = true, + }; + ++static const struct idle_cpu idle_cpu_icx __initconst = { ++ .state_table = icx_cstates, ++ .disable_promotion_to_c1e = true, ++ .use_acpi = true, ++}; ++ + static const struct idle_cpu idle_cpu_avn __initconst = { + .state_table = avn_cstates, + .disable_promotion_to_c1e = true, +@@ -1110,6 +1145,7 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { + X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE_L, &idle_cpu_skl), + X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE, &idle_cpu_skl), + X86_MATCH_INTEL_FAM6_MODEL(SKYLAKE_X, &idle_cpu_skx), ++ X86_MATCH_INTEL_FAM6_MODEL(ICELAKE_X, &idle_cpu_icx), + X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNL, &idle_cpu_knl), + X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNM, &idle_cpu_knl), + X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, &idle_cpu_bxt), +-- +2.16.4 + diff --git a/patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch b/patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch new file mode 100644 index 0000000..086fa4e --- /dev/null +++ b/patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch @@ -0,0 +1,111 @@ +From 813d8fe5d30388f73a21d3a2bf46b0a1fd72498c Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Sun, 16 Oct 2022 22:42:54 +0100 +Subject: [PATCH] io_uring/af_unix: defer registered files gc to io_uring + release +Git-commit: 0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 +Patch-mainline: v6.1-rc1 +References: bsc#1204228 CVE-2022-2602 + +[ upstream commit 0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 ] + +Instead of putting io_uring's registered files in unix_gc() we want it +to be done by io_uring itself. The trick here is to consider io_uring +registered files for cycle detection but not actually putting them down. +Because io_uring can't register other ring instances, this will remove +all refs to the ring file triggering the ->release path and clean up +with io_ring_ctx_free(). + +Cc: stable@vger.kernel.org +Fixes: 6b06314c47e1 ("io_uring: add file set registration") +Reported-and-tested-by: David Bouman +Signed-off-by: Pavel Begunkov +Signed-off-by: Thadeu Lima de Souza Cascardo +[axboe: add kerneldoc comment to skb, fold in skb leak fix] +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +Acked-by: David Disseldorp: +--- + fs/io_uring.c | 1 + + include/linux/skbuff.h | 2 ++ + net/unix/garbage.c | 20 ++++++++++++++++++++ + 3 files changed, 23 insertions(+) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 31a3a00ef48e2..b4c533f7dfed2 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2721,6 +2721,7 @@ static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset) + } + + skb->sk = sk; ++ skb->scm_io_uring = 1; + skb->destructor = io_destruct_skb; + + fpl->user = get_uid(ctx->user); +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index fd405e3d44a43..f86bbfcfa22ad 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -652,6 +652,7 @@ typedef unsigned char *sk_buff_data_t; + * @wifi_acked: whether frame was acked on wifi or not + * @no_fcs: Request NIC to treat last 4 bytes as Ethernet FCS + * @csum_not_inet: use CRC32c to resolve CHECKSUM_PARTIAL ++ * @scm_io_uring: SKB holds io_uring registered files + * @dst_pending_confirm: need to confirm neighbour + * @decrypted: Decrypted SKB + * @napi_id: id of the NAPI struct this skb came from +@@ -815,6 +816,7 @@ struct sk_buff { + #ifdef CONFIG_TLS_DEVICE + __u8 decrypted:1; + #endif ++ __u8 scm_io_uring:1; + + #ifdef CONFIG_NET_SCHED + __u16 tc_index; /* traffic control index */ +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index 12e2ddaf887f2..04bbdce5373cd 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -201,6 +201,7 @@ void wait_for_unix_gc(void) + /* The external entry point: unix_gc() */ + void unix_gc(void) + { ++ struct sk_buff *next_skb, *skb; + struct unix_sock *u; + struct unix_sock *next; + struct sk_buff_head hitlist; +@@ -292,11 +293,30 @@ void unix_gc(void) + + spin_unlock(&unix_gc_lock); + ++ /* We need io_uring to clean its registered files, ignore all io_uring ++ * originated skbs. It's fine as io_uring doesn't keep references to ++ * other io_uring instances and so killing all other files in the cycle ++ * will put all io_uring references forcing it to go through normal ++ * release.path eventually putting registered files. ++ */ ++ skb_queue_walk_safe(&hitlist, skb, next_skb) { ++ if (skb->scm_io_uring) { ++ __skb_unlink(skb, &hitlist); ++ skb_queue_tail(&skb->sk->sk_receive_queue, skb); ++ } ++ } ++ + /* Here we are. Hitlist is filled. Die. */ + __skb_queue_purge(&hitlist); + + spin_lock(&unix_gc_lock); + ++ /* There could be io_uring registered files, just push them back to ++ * the inflight list ++ */ ++ list_for_each_entry_safe(u, next, &gc_candidates, link) ++ list_move_tail(&u->link, &gc_inflight_list); ++ + /* All candidates should have been detached by now. */ + BUG_ON(!list_empty(&gc_candidates)); + gc_in_progress = false; +-- +2.35.3 + diff --git a/patches.suse/media-mceusb-Use-new-usb_control_msg_-routines.patch b/patches.suse/media-mceusb-Use-new-usb_control_msg_-routines.patch new file mode 100644 index 0000000..d4651ba --- /dev/null +++ b/patches.suse/media-mceusb-Use-new-usb_control_msg_-routines.patch @@ -0,0 +1,132 @@ +From 608e58a0f4617977178131f5f68a3fce1d3f5316 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 26 Aug 2022 15:31:40 -0400 +Subject: [PATCH] media: mceusb: Use new usb_control_msg_*() routines +Git-commit: 608e58a0f4617977178131f5f68a3fce1d3f5316 +Alt-commit: 41fd1cb6151439b205ac7611883d85ae14250172 +Patch-mainline: v6.0-rc4 +References: CVE-2022-3903 bsc#1205220 + +Automatic kernel fuzzing led to a WARN about invalid pipe direction in +the mceusb driver: + +------------[ cut here ]------------ +usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40 +WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410 +usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 +Modules linked in: +CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.13.0-1ubuntu1.1 04/01/2014 +Workqueue: usb_hub_wq hub_event +RIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 +Code: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8 +44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 <0f> 0b +e9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 ff 41 +RSP: 0018:ffffc900032becf0 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000 +RDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90 +RBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 0000000000000000 +R10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000 +R13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500 +FS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0 +Call Trace: + +usb_start_wait_urb+0x101/0x4c0 drivers/usb/core/message.c:58 +usb_internal_control_msg drivers/usb/core/message.c:102 [inline] +usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153 +mceusb_gen1_init drivers/media/rc/mceusb.c:1431 [inline] +mceusb_dev_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807 + +The reason for the warning is clear enough; the driver sends an +unusual read request on endpoint 0 but does not set the USB_DIR_IN bit +in the bRequestType field. + +More importantly, the whole situation can be avoided and the driver +simplified by converting it over to the relatively new +usb_control_msg_recv() and usb_control_msg_send() routines. That's +what this fix does. + +Link: https://lore.kernel.org/all/CAB7eexLLApHJwZfMQ=X-PtRhw0BgO+5KcSMS05FNUYejJXqtSA@mail.gmail.com/ +Cc: Mauro Carvalho Chehab +Cc: stable@vger.kernel.org +Reported-and-tested-by: Rondreis +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YwkfnBFCSEVC6XZu@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/media/rc/mceusb.c | 35 ++++++++++++++--------------------- + 1 file changed, 14 insertions(+), 21 deletions(-) + +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1416,42 +1416,37 @@ static void mceusb_gen1_init(struct mceu + { + int ret; + struct device *dev = ir->dev; +- char *data; +- +- data = kzalloc(USB_CTRL_MSG_SZ, GFP_KERNEL); +- if (!data) { +- dev_err(dev, "%s: memory allocation failed!", __func__); +- return; +- } ++ char data[USB_CTRL_MSG_SZ]; + + /* + * This is a strange one. Windows issues a set address to the device + * on the receive control pipe and expect a certain value pair back + */ +- ret = usb_control_msg(ir->usbdev, usb_rcvctrlpipe(ir->usbdev, 0), +- USB_REQ_SET_ADDRESS, USB_TYPE_VENDOR, 0, 0, +- data, USB_CTRL_MSG_SZ, 3000); ++ ret = usb_control_msg_recv(ir->usbdev, 0, USB_REQ_SET_ADDRESS, ++ USB_DIR_IN | USB_TYPE_VENDOR, ++ 0, 0, data, USB_CTRL_MSG_SZ, 3000, ++ GFP_KERNEL); + dev_dbg(dev, "set address - ret = %d", ret); + dev_dbg(dev, "set address - data[0] = %d, data[1] = %d", + data[0], data[1]); + + /* set feature: bit rate 38400 bps */ +- ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), +- USB_REQ_SET_FEATURE, USB_TYPE_VENDOR, +- 0xc04e, 0x0000, NULL, 0, 3000); ++ ret = usb_control_msg_send(ir->usbdev, 0, ++ USB_REQ_SET_FEATURE, USB_TYPE_VENDOR, ++ 0xc04e, 0x0000, NULL, 0, 3000, GFP_KERNEL); + + dev_dbg(dev, "set feature - ret = %d", ret); + + /* bRequest 4: set char length to 8 bits */ +- ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), +- 4, USB_TYPE_VENDOR, +- 0x0808, 0x0000, NULL, 0, 3000); ++ ret = usb_control_msg_send(ir->usbdev, 0, ++ 4, USB_TYPE_VENDOR, ++ 0x0808, 0x0000, NULL, 0, 3000, GFP_KERNEL); + dev_dbg(dev, "set char length - retB = %d", ret); + + /* bRequest 2: set handshaking to use DTR/DSR */ +- ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), +- 2, USB_TYPE_VENDOR, +- 0x0000, 0x0100, NULL, 0, 3000); ++ ret = usb_control_msg_send(ir->usbdev, 0, ++ 2, USB_TYPE_VENDOR, ++ 0x0000, 0x0100, NULL, 0, 3000, GFP_KERNEL); + dev_dbg(dev, "set handshake - retC = %d", ret); + + /* device resume */ +@@ -1459,8 +1454,6 @@ static void mceusb_gen1_init(struct mceu + + /* get hw/sw revision? */ + mce_command_out(ir, GET_REVISION, sizeof(GET_REVISION)); +- +- kfree(data); + } + + static void mceusb_gen2_init(struct mceusb_dev *ir) diff --git a/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch b/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch index faec977..b016551 100644 --- a/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch +++ b/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch @@ -1,76 +1,73 @@ +From 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc Mon Sep 17 00:00:00 2001 From: Zheng Wang -Date: Thu, 6 Oct 2022 23:26:43 +0800 -Subject: [PATCH] misc: sgi-gru: fix use-after-free error in - gru_set_context_option, gru_fault and gru_handle_user_call_os -Message-Id: <20221006152643.1694235-1-zyytlz.wz@163.com> -Patch-mainline: Submitted, LKML +Date: Thu, 10 Nov 2022 11:50:33 +0800 +Subject: [PATCH] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os +Git-commit: 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git +Patch-mainline: Queued in subsystem maintainer repo References: CVE-2022-3424 bsc#1204166 -Gts may be freed in gru_check_chiplet_assignment. -The caller still use it after that, UAF happens. +In some bad situation, the gts may be freed gru_check_chiplet_assignment. +The call chain can be gru_unload_context->gru_free_gru_context->gts_drop +and kfree finally. However, the caller didn't know if the gts is freed +or not and use it afterwards. This will trigger a Use after Free bug. Fix it by introducing a return value to see if it's in error path or not. Free the gts in caller if gru_check_chiplet_assignment check failed. Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2") -Reported-by: Zheng Wang Signed-off-by: Zheng Wang -Signed-off-by: Takashi Iwai +Acked-by: Dimitri Sivanich +Link: https://lore.kernel.org/r/20221110035033.19498-1-zyytlz.wz@163.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai --- - drivers/misc/sgi-gru/grufault.c | 15 ++++++++++++--- - drivers/misc/sgi-gru/grumain.c | 17 +++++++++++++---- + drivers/misc/sgi-gru/grufault.c | 13 +++++++++++-- + drivers/misc/sgi-gru/grumain.c | 22 ++++++++++++++++++---- drivers/misc/sgi-gru/grutables.h | 2 +- - 3 files changed, 26 insertions(+), 8 deletions(-) + 3 files changed, 30 insertions(+), 7 deletions(-) diff --git a/drivers/misc/sgi-gru/grufault.c b/drivers/misc/sgi-gru/grufault.c -index d7ef61e602ed..f1e5b96fef4b 100644 +index d7ef61e602ed..b836936e9747 100644 --- a/drivers/misc/sgi-gru/grufault.c +++ b/drivers/misc/sgi-gru/grufault.c -@@ -656,7 +656,9 @@ int gru_handle_user_call_os(unsigned long cb) +@@ -648,6 +648,7 @@ int gru_handle_user_call_os(unsigned long cb) + if ((cb & (GRU_HANDLE_STRIDE - 1)) || ucbnum >= GRU_NUM_CB) + return -EINVAL; + ++again: + gts = gru_find_lock_gts(cb); + if (!gts) + return -EINVAL; +@@ -656,7 +657,11 @@ int gru_handle_user_call_os(unsigned long cb) if (ucbnum >= gts->ts_cbr_au_count * GRU_CBR_AU_SIZE) goto exit; - gru_check_context_placement(gts); -+ ret = gru_check_context_placement(gts); -+ if (ret) -+ goto err; ++ if (gru_check_context_placement(gts)) { ++ gru_unlock_gts(gts); ++ gru_unload_context(gts, 1); ++ goto again; ++ } /* * CCH may contain stale data if ts_force_cch_reload is set. -@@ -677,6 +679,10 @@ int gru_handle_user_call_os(unsigned long cb) - exit: - gru_unlock_gts(gts); - return ret; -+err: -+ gru_unlock_gts(gts); -+ gru_unload_context(gts, 1); -+ return -EINVAL; - } - - /* -@@ -874,7 +880,7 @@ int gru_set_context_option(unsigned long arg) +@@ -874,7 +879,11 @@ int gru_set_context_option(unsigned long arg) } else { gts->ts_user_blade_id = req.val1; gts->ts_user_chiplet_id = req.val0; - gru_check_context_placement(gts); -+ ret = gru_check_context_placement(gts); ++ if (gru_check_context_placement(gts)) { ++ gru_unlock_gts(gts); ++ gru_unload_context(gts, 1); ++ return ret; ++ } } break; case sco_gseg_owner: -@@ -889,6 +895,9 @@ int gru_set_context_option(unsigned long arg) - ret = -EINVAL; - } - gru_unlock_gts(gts); -- -+ if (ret) { -+ gru_unload_context(gts, 1); -+ ret = -EINVAL; -+ } - return ret; - } diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c -index 9afda47efbf2..79903cf7e706 100644 +index 6706ef3c5977..4eb4b9455139 100644 --- a/drivers/misc/sgi-gru/grumain.c +++ b/drivers/misc/sgi-gru/grumain.c @@ -716,9 +716,10 @@ static int gru_check_chiplet_assignment(struct gru_state *gru, @@ -85,9 +82,16 @@ index 9afda47efbf2..79903cf7e706 100644 /* * If the current task is the context owner, verify that the -@@ -727,14 +728,16 @@ void gru_check_context_placement(struct gru_thread_state *gts) +@@ -726,15 +727,23 @@ void gru_check_context_placement(struct gru_thread_state *gts) + * references. Pthread apps use non-owner references to the CBRs. */ gru = gts->ts_gru; ++ /* ++ * If gru or gts->ts_tgid_owner isn't initialized properly, return ++ * success to indicate that the caller does not need to unload the ++ * gru context.The caller is responsible for their inspection and ++ * reinitialization if needed. ++ */ if (!gru || gts->ts_tgid_owner != current->tgid) - return; + return ret; @@ -104,30 +108,22 @@ index 9afda47efbf2..79903cf7e706 100644 } -@@ -919,6 +922,7 @@ vm_fault_t gru_fault(struct vm_fault *vmf) - struct gru_thread_state *gts; - unsigned long paddr, vaddr; - unsigned long expires; -+ int ret; - - vaddr = vmf->address; - gru_dbg(grudev, "vma %p, vaddr 0x%lx (0x%lx)\n", -@@ -934,7 +938,12 @@ vm_fault_t gru_fault(struct vm_fault *vmf) +@@ -934,7 +943,12 @@ vm_fault_t gru_fault(struct vm_fault *vmf) mutex_lock(>s->ts_ctxlock); preempt_disable(); - gru_check_context_placement(gts); -+ ret = gru_check_context_placement(gts); -+ if (ret) { ++ if (gru_check_context_placement(gts)) { ++ preempt_enable(); + mutex_unlock(>s->ts_ctxlock); + gru_unload_context(gts, 1); -+ return ret; ++ return VM_FAULT_NOPAGE; + } if (!gts->ts_gru) { STAT(load_user_context); diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h -index 5efc869fe59a..f4a5a787685f 100644 +index 8c52776db234..640daf1994df 100644 --- a/drivers/misc/sgi-gru/grutables.h +++ b/drivers/misc/sgi-gru/grutables.h @@ -632,7 +632,7 @@ extern int gru_user_flush_tlb(unsigned long arg); diff --git a/patches.suse/nfsd-show_open-NULL-deref.patch b/patches.suse/nfsd-show_open-NULL-deref.patch new file mode 100644 index 0000000..02f8f84 --- /dev/null +++ b/patches.suse/nfsd-show_open-NULL-deref.patch @@ -0,0 +1,79 @@ +From: "J. Bruce Fields" +Date: Wed, 15 Jul 2020 13:31:36 -0400 +Subject: [PATCH] nfsd4: fix NULL dereference in nfsd/clients display code +Git-commit: 9affa435817711861d774f5626c393c80f16d044 +Patch-mainline: v5.8-rc7 +References: git-fixes + +We hold the cl_lock here, and that's enough to keep stateid's from going +away, but it's not enough to prevent the files they point to from going +away. Take fi_lock and a reference and check for NULL, as we do in +other code. + +Reported-by: NeilBrown +Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens") +Reviewed-by: NeilBrown +Signed-off-by: J. Bruce Fields +Acked-by: NeilBrown + +--- + fs/nfsd/nfs4state.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -506,6 +506,17 @@ find_any_file(struct nfs4_file *f) + return ret; + } + ++static struct file *find_deleg_file(struct nfs4_file *f) ++{ ++ struct file *ret = NULL; ++ ++ spin_lock(&f->fi_lock); ++ if (f->fi_deleg_file) ++ ret = get_file(f->fi_deleg_file); ++ spin_unlock(&f->fi_lock); ++ return ret; ++} ++ + static atomic_long_t num_delegations; + unsigned long max_delegations; + +@@ -2364,6 +2375,8 @@ static int nfs4_show_open(struct seq_fil + oo = ols->st_stateowner; + nf = st->sc_file; + file = find_any_file(nf); ++ if (!file) ++ return 0; + + seq_printf(s, "- 0x%16phN: { type: open, ", &st->sc_stateid); + +@@ -2397,6 +2410,8 @@ static int nfs4_show_lock(struct seq_fil + oo = ols->st_stateowner; + nf = st->sc_file; + file = find_any_file(nf); ++ if (!file) ++ return 0; + + seq_printf(s, "- 0x%16phN: { type: lock, ", &st->sc_stateid); + +@@ -2425,7 +2440,9 @@ static int nfs4_show_deleg(struct seq_fi + + ds = delegstateid(st); + nf = st->sc_file; +- file = nf->fi_deleg_file; ++ file = find_deleg_file(nf); ++ if (!file) ++ return 0; + + seq_printf(s, "- 0x%16phN: { type: deleg, ", &st->sc_stateid); + +@@ -2437,6 +2454,7 @@ static int nfs4_show_deleg(struct seq_fi + + nfs4_show_superblock(s, file); + seq_printf(s, " }\n"); ++ fput(file); + + return 0; + } diff --git a/patches.suse/nfsd4-fix-NULL-dereference-in-nfsd-clients-display-c.patch b/patches.suse/nfsd4-fix-NULL-dereference-in-nfsd-clients-display-c.patch deleted file mode 100644 index 02f8f84..0000000 --- a/patches.suse/nfsd4-fix-NULL-dereference-in-nfsd-clients-display-c.patch +++ /dev/null @@ -1,79 +0,0 @@ -From: "J. Bruce Fields" -Date: Wed, 15 Jul 2020 13:31:36 -0400 -Subject: [PATCH] nfsd4: fix NULL dereference in nfsd/clients display code -Git-commit: 9affa435817711861d774f5626c393c80f16d044 -Patch-mainline: v5.8-rc7 -References: git-fixes - -We hold the cl_lock here, and that's enough to keep stateid's from going -away, but it's not enough to prevent the files they point to from going -away. Take fi_lock and a reference and check for NULL, as we do in -other code. - -Reported-by: NeilBrown -Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens") -Reviewed-by: NeilBrown -Signed-off-by: J. Bruce Fields -Acked-by: NeilBrown - ---- - fs/nfsd/nfs4state.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - ---- a/fs/nfsd/nfs4state.c -+++ b/fs/nfsd/nfs4state.c -@@ -506,6 +506,17 @@ find_any_file(struct nfs4_file *f) - return ret; - } - -+static struct file *find_deleg_file(struct nfs4_file *f) -+{ -+ struct file *ret = NULL; -+ -+ spin_lock(&f->fi_lock); -+ if (f->fi_deleg_file) -+ ret = get_file(f->fi_deleg_file); -+ spin_unlock(&f->fi_lock); -+ return ret; -+} -+ - static atomic_long_t num_delegations; - unsigned long max_delegations; - -@@ -2364,6 +2375,8 @@ static int nfs4_show_open(struct seq_fil - oo = ols->st_stateowner; - nf = st->sc_file; - file = find_any_file(nf); -+ if (!file) -+ return 0; - - seq_printf(s, "- 0x%16phN: { type: open, ", &st->sc_stateid); - -@@ -2397,6 +2410,8 @@ static int nfs4_show_lock(struct seq_fil - oo = ols->st_stateowner; - nf = st->sc_file; - file = find_any_file(nf); -+ if (!file) -+ return 0; - - seq_printf(s, "- 0x%16phN: { type: lock, ", &st->sc_stateid); - -@@ -2425,7 +2440,9 @@ static int nfs4_show_deleg(struct seq_fi - - ds = delegstateid(st); - nf = st->sc_file; -- file = nf->fi_deleg_file; -+ file = find_deleg_file(nf); -+ if (!file) -+ return 0; - - seq_printf(s, "- 0x%16phN: { type: deleg, ", &st->sc_stateid); - -@@ -2437,6 +2454,7 @@ static int nfs4_show_deleg(struct seq_fi - - nfs4_show_superblock(s, file); - seq_printf(s, " }\n"); -+ fput(file); - - return 0; - } diff --git a/patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch b/patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch new file mode 100644 index 0000000..948a3f1 --- /dev/null +++ b/patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch @@ -0,0 +1,45 @@ +From e6cfaf34be9fcd1a8285a294e18986bfc41a409c Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 5 Dec 2022 11:33:40 -0800 +Subject: [PATCH] proc: avoid integer type confusion in get_proc_long +Git-commit: e6cfaf34be9fcd1a8285a294e18986bfc41a409c +Patch-mainline: v6.1 +References: CVE-2022-4378 bsc#1206207 + +proc_get_long() is passed a size_t, but then assigns it to an 'int' +variable for the length. Let's not do that, even if our IO paths are +limited to MAX_RW_COUNT (exactly because of these kinds of type errors). + +So do the proper test in the rigth type. + +Reported-by: Kyle Zeng +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + kernel/sysctl.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 188c305aeb8b..8898ddeaaf75 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -342,13 +342,12 @@ static int proc_get_long(char **buf, size_t *size, + unsigned long *val, bool *neg, + const char *perm_tr, unsigned perm_tr_len, char *tr) + { +- int len; + char *p, tmp[TMPBUFLEN]; ++ ssize_t len = *size; + +- if (!*size) ++ if (len <= 0) + return -EINVAL; + +- len = *size; + if (len > TMPBUFLEN - 1) + len = TMPBUFLEN - 1; + +-- +2.35.3 + diff --git a/patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch b/patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch new file mode 100644 index 0000000..eec6a30 --- /dev/null +++ b/patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch @@ -0,0 +1,106 @@ +From bce9332220bd677d83b19d21502776ad555a0e73 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 5 Dec 2022 12:09:06 -0800 +Subject: [PATCH] proc: proc_skip_spaces() shouldn't think it is working on C strings +Git-commit: bce9332220bd677d83b19d21502776ad555a0e73 +Patch-mainline: v6.1 +References: CVE-2022-4378 bsc#1206207 + +proc_skip_spaces() seems to think it is working on C strings, and ends +up being just a wrapper around skip_spaces() with a really odd calling +convention. + +Instead of basing it on skip_spaces(), it should have looked more like +proc_skip_char(), which really is the exact same function (except it +skips a particular character, rather than whitespace). So use that as +inspiration, odd coding and all. + +Now the calling convention actually makes sense and works for the +intended purpose. + +Reported-and-tested-by: Kyle Zeng +Acked-by: Eric Dumazet +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + kernel/sysctl.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -2169,13 +2169,14 @@ int proc_dostring(struct ctl_table *tabl + (char __user *)buffer, lenp, ppos); + } + +-static size_t proc_skip_spaces(char **buf) ++static void proc_skip_spaces(char **buf, size_t *size) + { +- size_t ret; +- char *tmp = skip_spaces(*buf); +- ret = tmp - *buf; +- *buf = tmp; +- return ret; ++ while (*size) { ++ if (!isspace(**buf)) ++ break; ++ (*size)--; ++ (*buf)++; ++ } + } + + static void proc_skip_char(char **buf, size_t *size, const char v) +@@ -2412,7 +2413,7 @@ static int __do_proc_dointvec(void *tbl_ + bool neg; + + if (write) { +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + if (!left) + break; +@@ -2443,7 +2444,7 @@ static int __do_proc_dointvec(void *tbl_ + if (!write && !first && left && !err) + err = proc_put_char(&buffer, &left, '\n'); + if (write && !err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (write) { + kfree(kbuf); + if (first) +@@ -2492,7 +2493,7 @@ static int do_proc_douintvec_w(unsigned + if (IS_ERR(kbuf)) + return -EINVAL; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (!left) { + err = -EINVAL; + goto out_free; +@@ -2512,7 +2513,7 @@ static int do_proc_douintvec_w(unsigned + } + + if (!err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + out_free: + kfree(kbuf); +@@ -2926,7 +2927,7 @@ static int __do_proc_doulongvec_minmax(v + if (write) { + bool neg; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (!left) + break; + +@@ -2959,7 +2960,7 @@ static int __do_proc_doulongvec_minmax(v + if (!write && !first && left && !err) + err = proc_put_char(&buffer, &left, '\n'); + if (write && !err) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (write) { + kfree(kbuf); + if (first) diff --git a/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch b/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch index b0f567b..df95e6a 100644 --- a/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch +++ b/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch @@ -2,8 +2,8 @@ From: Alexandre Chartre Date: Tue, 14 Jun 2022 23:15:50 +0200 Subject: x86/bugs: Add AMD retbleed= boot parameter Git-commit: 7fbf47c7ce50b38a64576b150e7011ae73d54669 -Patch-mainline: v5.19-rc7 -References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271 +Patch-mainline: v5.19-rc4 +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271 bsc#1206032 Add the "retbleed=" boot parameter to select a mitigation for RETBleed. Possible values are "off", "auto" and "unret" @@ -22,11 +22,35 @@ Signed-off-by: Borislav Petkov Reviewed-by: Josh Poimboeuf Signed-off-by: Borislav Petkov --- - Documentation/admin-guide/kernel-parameters.txt | 14 +++ + Documentation/admin-guide/kernel-parameters.txt | 15 +++ arch/x86/Kconfig | 3 arch/x86/kernel/cpu/bugs.c | 108 +++++++++++++++++++++++- - 3 files changed, 124 insertions(+), 1 deletion(-) + 3 files changed, 125 insertions(+), 1 deletion(-) +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -4370,6 +4370,21 @@ + + retain_initrd [RAM] Keep initrd memory after extraction + ++ retbleed= [X86] Control mitigation of RETBleed (Arbitrary ++ Speculative Code Execution with Return Instructions) ++ vulnerability. ++ ++ off - unconditionally disable ++ auto - automatically select a migitation ++ unret - force enable untrained return thunks, ++ only effective on AMD Zen {1,2} ++ based systems. ++ ++ Selecting 'auto' will choose a mitigation method at run ++ time according to the CPU. ++ ++ Not specifying this option is equivalent to retbleed=auto. ++ + rfkill.default_state= + 0 "airplane mode". All wifi, bluetooth, wimax, gps, fm, + etc. communication is blocked by default. --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -456,6 +456,9 @@ config RETPOLINE @@ -112,7 +136,7 @@ Signed-off-by: Borislav Petkov + +static void __init retbleed_select_mitigation(void) +{ -+ if (!boot_cpu_has_bug(X86_BUG_RETBLEED)) ++ if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off()) + return; + + switch (retbleed_cmd) { @@ -177,26 +201,3 @@ Signed-off-by: Borislav Petkov } static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -4370,6 +4370,20 @@ - - retain_initrd [RAM] Keep initrd memory after extraction - -+ retbleed= [X86] Control mitigation of RETBleed (Arbitrary -+ Speculative Code Execution with Return Instructions) -+ vulnerability. -+ -+ auto - automatically select a migitation -+ unret - force enable untrained return thunks, -+ only effective on AMD Zen {1,2} -+ based systems. -+ -+ Selecting 'auto' will choose a mitigation method at run -+ time according to the CPU. -+ -+ Not specifying this option is equivalent to retbleed=auto. -+ - rfkill.default_state= - 0 "airplane mode". All wifi, bluetooth, wimax, gps, fm, - etc. communication is blocked by default. diff --git a/patches.suse/x86-bugs-Add-retbleed-ibpb.patch b/patches.suse/x86-bugs-Add-retbleed-ibpb.patch index b47bc68..198df6e 100644 --- a/patches.suse/x86-bugs-Add-retbleed-ibpb.patch +++ b/patches.suse/x86-bugs-Add-retbleed-ibpb.patch @@ -44,6 +44,29 @@ Signed-off-by: Borislav Petkov arch/x86/kernel/cpu/bugs.c | 43 ++++++++++++++++++------ 6 files changed, 77 insertions(+), 13 deletions(-) +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -4380,6 +4380,9 @@ + disabling SMT if necessary for + the full mitigation (only on Zen1 + and older without STIBP). ++ ibpb - mitigate short speculation windows on ++ basic block boundaries too. Safe, highest ++ perf impact. + unret - force enable untrained return thunks, + only effective on AMD f15h-f17h + based systems. +--- a/arch/x86/entry/Makefile ++++ b/arch/x86/entry/Makefile +@@ -7,7 +7,7 @@ OBJECT_FILES_NON_STANDARD_entry_64_compa + + CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,) + CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,) +-obj-y := entry_$(BITS).o thunk_$(BITS).o syscall_$(BITS).o ++obj-y := entry.o entry_$(BITS).o thunk_$(BITS).o syscall_$(BITS).o + obj-y += common.o + + obj-y += vdso/ --- /dev/null +++ b/arch/x86/entry/entry.S @@ -0,0 +1,32 @@ @@ -79,17 +102,6 @@ Signed-off-by: Borislav Petkov +EXPORT_SYMBOL_GPL(entry_ibpb); + +.popsection ---- a/arch/x86/entry/Makefile -+++ b/arch/x86/entry/Makefile -@@ -7,7 +7,7 @@ OBJECT_FILES_NON_STANDARD_entry_64_compa - - CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,) - CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,) --obj-y := entry_$(BITS).o thunk_$(BITS).o syscall_$(BITS).o -+obj-y := entry.o entry_$(BITS).o thunk_$(BITS).o syscall_$(BITS).o - obj-y += common.o - - obj-y += vdso/ --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -289,7 +289,7 @@ @@ -103,7 +115,7 @@ Signed-off-by: Borislav Petkov #define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */ --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h -@@ -151,14 +151,17 @@ +@@ -171,14 +171,17 @@ * return thunk isn't mapped into the userspace tables (then again, AMD * typically has NO_MELTDOWN). * @@ -123,7 +135,7 @@ Signed-off-by: Borislav Petkov #endif .endm -@@ -175,6 +178,7 @@ +@@ -195,6 +198,7 @@ extern void __x86_return_thunk(void); extern void zen_untrain_ret(void); @@ -176,7 +188,7 @@ Signed-off-by: Borislav Petkov { + bool mitigate_smt = false; + - if (!boot_cpu_has_bug(X86_BUG_RETBLEED)) + if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off()) return; @@ -826,11 +833,21 @@ static void __init retbleed_select_mitig @@ -244,15 +256,3 @@ Signed-off-by: Borislav Petkov /* * Let IBRS trump all on Intel without affecting the effects of the * retbleed= cmdline option. ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -4379,6 +4379,9 @@ - disabling SMT if necessary for - the full mitigation (only on Zen1 - and older without STIBP). -+ ibpb - mitigate short speculation windows on -+ basic block boundaries too. Safe, highest -+ perf impact. - unret - force enable untrained return thunks, - only effective on AMD f15h-f17h - based systems. diff --git a/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch b/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch index 1ce8f46..9fdade8 100644 --- a/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch +++ b/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch @@ -14,10 +14,35 @@ Signed-off-by: Kim Phillips Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Borislav Petkov --- - Documentation/admin-guide/kernel-parameters.txt | 14 ++++- + Documentation/admin-guide/kernel-parameters.txt | 16 ++++-- arch/x86/kernel/cpu/bugs.c | 58 +++++++++++++++++++----- - 2 files changed, 56 insertions(+), 16 deletions(-) + 2 files changed, 57 insertions(+), 17 deletions(-) +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -4374,11 +4374,17 @@ + Speculative Code Execution with Return Instructions) + vulnerability. + +- off - unconditionally disable +- auto - automatically select a migitation +- unret - force enable untrained return thunks, +- only effective on AMD Zen {1,2} +- based systems. ++ off - no mitigation ++ auto - automatically select a migitation ++ auto,nosmt - automatically select a mitigation, ++ disabling SMT if necessary for ++ the full mitigation (only on Zen1 ++ and older without STIBP). ++ unret - force enable untrained return thunks, ++ only effective on AMD f15h-f17h ++ based systems. ++ unret,nosmt - like unret, will disable SMT when STIBP ++ is not available. + + Selecting 'auto' will choose a mitigation method at run + time according to the CPU. --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -732,19 +732,34 @@ static enum retbleed_mitigation retbleed @@ -111,26 +136,3 @@ Signed-off-by: Borislav Petkov return sprintf(buf, "%s\n", retbleed_strings[retbleed_mitigation]); } ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -4374,10 +4374,16 @@ - Speculative Code Execution with Return Instructions) - vulnerability. - -- auto - automatically select a migitation -- unret - force enable untrained return thunks, -- only effective on AMD Zen {1,2} -- based systems. -+ auto - automatically select a migitation -+ auto,nosmt - automatically select a mitigation, -+ disabling SMT if necessary for -+ the full mitigation (only on Zen1 -+ and older without STIBP). -+ unret - force enable untrained return thunks, -+ only effective on AMD f15h-f17h -+ based systems. -+ unret,nosmt - like unret, will disable SMT when STIBP -+ is not available. - - Selecting 'auto' will choose a mitigation method at run - time according to the CPU. diff --git a/patches.suse/x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch b/patches.suse/x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch new file mode 100644 index 0000000..0f09a26 --- /dev/null +++ b/patches.suse/x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch @@ -0,0 +1,139 @@ +From: Pawan Gupta +Date: Wed, 30 Nov 2022 07:25:51 -0800 +Subject: x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume + from S3 +Git-commit: 66065157420c5b9b3f078f43d313c153e1ff7f83 +Patch-mainline: 6.1-rc8 +References: bsc#1206037 + +The "force" argument to write_spec_ctrl_current() is currently ambiguous +as it does not guarantee the MSR write. This is due to the optimization +that writes to the MSR happen only when the new value differs from the +cached value. + +This is fine in most cases, but breaks for S3 resume when the cached MSR +value gets out of sync with the hardware MSR value due to S3 resetting +it. + +When x86_spec_ctrl_current is same as x86_spec_ctrl_base, the MSR write +is skipped. Which results in SPEC_CTRL mitigations not getting restored. + +Move the MSR write from write_spec_ctrl_current() to a new function that +unconditionally writes to the MSR. Update the callers accordingly and +rename functions. + + [ bp: Rework a bit. ] + +Fixes: caa0ff24d5d0 ("x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value") +Suggested-by: Borislav Petkov +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Thomas Gleixner +Cc: +Link: https://lore.kernel.org/r/806d39b0bfec2fe8f50dc5446dff20f5bb24a959.1669821572.git.pawan.kumar.gupta@linux.intel.com +Signed-off-by: Linus Torvalds +Signed-off-by: Jiri Slaby +--- + arch/x86/include/asm/nospec-branch.h | 2 +- + arch/x86/kernel/cpu/bugs.c | 21 ++++++++++++++------- + arch/x86/kernel/process.c | 2 +- + 3 files changed, 16 insertions(+), 9 deletions(-) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -342,7 +342,7 @@ static inline void indirect_branch_predi + /* The Intel SPEC CTRL MSR base value cache */ + extern u64 x86_spec_ctrl_base; + extern u64 x86_spec_ctrl_current; +-extern void write_spec_ctrl_current(u64 val, bool force); ++extern void update_spec_ctrl_cond(u64 val); + extern u64 spec_ctrl_current(void); + + /* +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -59,11 +59,18 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_current) + + static DEFINE_MUTEX(spec_ctrl_mutex); + ++/* Update SPEC_CTRL MSR and its cached copy unconditionally */ ++static void update_spec_ctrl(u64 val) ++{ ++ this_cpu_write(x86_spec_ctrl_current, val); ++ wrmsrl(MSR_IA32_SPEC_CTRL, val); ++} ++ + /* + * Keep track of the SPEC_CTRL MSR value for the current task, which may differ + * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update(). + */ +-void write_spec_ctrl_current(u64 val, bool force) ++void update_spec_ctrl_cond(u64 val) + { + if (this_cpu_read(x86_spec_ctrl_current) == val) + return; +@@ -74,7 +81,7 @@ void write_spec_ctrl_current(u64 val, bo + * When KERNEL_IBRS this MSR is written on return-to-user, unless + * forced the update can be delayed until that time. + */ +- if (force || !cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS)) ++ if (!cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS)) + wrmsrl(MSR_IA32_SPEC_CTRL, val); + } + +@@ -1276,7 +1283,7 @@ static void __init spec_ctrl_disable_ker + + if (ia32_cap & ARCH_CAP_RRSBA) { + x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; +- write_spec_ctrl_current(x86_spec_ctrl_base, true); ++ update_spec_ctrl(x86_spec_ctrl_base); + } + } + +@@ -1397,7 +1404,7 @@ static void __init spectre_v2_select_mit + + if (spectre_v2_in_ibrs_mode(mode)) { + x86_spec_ctrl_base |= SPEC_CTRL_IBRS; +- write_spec_ctrl_current(x86_spec_ctrl_base, true); ++ update_spec_ctrl(x86_spec_ctrl_base); + } + + switch (mode) { +@@ -1499,7 +1506,7 @@ static void __init spectre_v2_select_mit + static void update_stibp_msr(void * __unused) + { + u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP); +- write_spec_ctrl_current(val, true); ++ update_spec_ctrl(val); + } + + /* Update x86_spec_ctrl_base in case SMT state changed. */ +@@ -1721,7 +1728,7 @@ static enum ssb_mitigation __init __ssb_ + x86_amd_ssb_disable(); + } else { + x86_spec_ctrl_base |= SPEC_CTRL_SSBD; +- write_spec_ctrl_current(x86_spec_ctrl_base, true); ++ update_spec_ctrl(x86_spec_ctrl_base); + } + } + +@@ -1939,7 +1946,7 @@ int arch_prctl_spec_ctrl_get(struct task + void x86_spec_ctrl_setup_ap(void) + { + if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) +- write_spec_ctrl_current(x86_spec_ctrl_base, true); ++ update_spec_ctrl(x86_spec_ctrl_base); + + if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) + x86_amd_ssb_disable(); +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -551,7 +551,7 @@ static __always_inline void __speculatio + } + + if (updmsr) +- write_spec_ctrl_current(msr, false); ++ update_spec_ctrl_cond(msr); + } + + static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk) diff --git a/patches.suse/x86-cpu-Restore-AMD-s-DE_CFG-MSR-after-resume.patch b/patches.suse/x86-cpu-Restore-AMD-s-DE_CFG-MSR-after-resume.patch new file mode 100644 index 0000000..cfc8f50 --- /dev/null +++ b/patches.suse/x86-cpu-Restore-AMD-s-DE_CFG-MSR-after-resume.patch @@ -0,0 +1,165 @@ +From: Borislav Petkov +Date: Mon, 14 Nov 2022 12:44:01 +0100 +Subject: x86/cpu: Restore AMD's DE_CFG MSR after resume +Git-commit: 2632daebafd04746b4b96c2f26a6021bc38f6209 +Patch-mainline: v6.1-rc6 +References: bsc#1205473 + +DE_CFG contains the LFENCE serializing bit, restore it on resume too. +This is relevant to older families due to the way how they do S3. + +Unify and correct naming while at it. + +[js] + * no msr-index.h -- remove hunks + * more replaces of the old MSR_F10H_DECFG + +Fixes: e4d0e84e4907 ("x86/cpu/AMD: Make LFENCE a serializing instruction") +Reported-by: Andrew Cooper +Reported-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Cc: +Signed-off-by: Linus Torvalds +Signed-off-by: Jiri Slaby +--- + arch/x86/include/asm/msr-index.h | 8 +++++--- + arch/x86/kernel/cpu/amd.c | 10 ++++------ + arch/x86/kernel/cpu/hygon.c | 8 ++++---- + arch/x86/kvm/svm.c | 10 +++++----- + arch/x86/kvm/x86.c | 2 +- + arch/x86/power/cpu.c | 1 + + 6 files changed, 20 insertions(+), 19 deletions(-) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -467,6 +467,11 @@ + #define MSR_AMD_PPIN 0xc00102f1 + #define MSR_AMD64_LS_CFG 0xc0011020 + #define MSR_AMD64_DC_CFG 0xc0011022 ++ ++#define MSR_AMD64_DE_CFG 0xc0011029 ++#define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT 1 ++#define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE BIT_ULL(MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT) ++ + #define MSR_AMD64_BU_CFG2 0xc001102a + #define MSR_AMD64_IBSFETCHCTL 0xc0011030 + #define MSR_AMD64_IBSFETCHLINAD 0xc0011031 +@@ -541,9 +546,6 @@ + #define FAM10H_MMIO_CONF_BASE_MASK 0xfffffffULL + #define FAM10H_MMIO_CONF_BASE_SHIFT 20 + #define MSR_FAM10H_NODE_ID 0xc001100c +-#define MSR_F10H_DECFG 0xc0011029 +-#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT 1 +-#define MSR_F10H_DECFG_LFENCE_SERIALIZE BIT_ULL(MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT) + + /* K8 MSRs */ + #define MSR_K8_TOP_MEM1 0xc001001a +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -827,8 +827,6 @@ static void init_amd_gh(struct cpuinfo_x + set_cpu_bug(c, X86_BUG_AMD_TLB_MMATCH); + } + +-#define MSR_AMD64_DE_CFG 0xC0011029 +- + static void init_amd_ln(struct cpuinfo_x86 *c) + { + /* +@@ -1025,16 +1023,16 @@ static void init_amd(struct cpuinfo_x86 + * msr_set_bit() uses the safe accessors, too, even if the MSR + * is not present. + */ +- msr_set_bit(MSR_F10H_DECFG, +- MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT); ++ msr_set_bit(MSR_AMD64_DE_CFG, ++ MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT); + + /* + * Verify that the MSR write was successful (could be running + * under a hypervisor) and only then assume that LFENCE is + * serializing. + */ +- ret = rdmsrl_safe(MSR_F10H_DECFG, &val); +- if (!ret && (val & MSR_F10H_DECFG_LFENCE_SERIALIZE)) { ++ ret = rdmsrl_safe(MSR_AMD64_DE_CFG, &val); ++ if (!ret && (val & MSR_AMD64_DE_CFG_LFENCE_SERIALIZE)) { + /* A serializing LFENCE stops RDTSC speculation */ + set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC); + } else { +--- a/arch/x86/kernel/cpu/hygon.c ++++ b/arch/x86/kernel/cpu/hygon.c +@@ -345,16 +345,16 @@ static void init_hygon(struct cpuinfo_x8 + * msr_set_bit() uses the safe accessors, too, even if the MSR + * is not present. + */ +- msr_set_bit(MSR_F10H_DECFG, +- MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT); ++ msr_set_bit(MSR_AMD64_DE_CFG, ++ MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT); + + /* + * Verify that the MSR write was successful (could be running + * under a hypervisor) and only then assume that LFENCE is + * serializing. + */ +- ret = rdmsrl_safe(MSR_F10H_DECFG, &val); +- if (!ret && (val & MSR_F10H_DECFG_LFENCE_SERIALIZE)) { ++ ret = rdmsrl_safe(MSR_AMD64_DE_CFG, &val); ++ if (!ret && (val & MSR_AMD64_DE_CFG_LFENCE_SERIALIZE)) { + /* A serializing LFENCE stops RDTSC speculation */ + set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC); + } else { +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -4200,9 +4200,9 @@ static int svm_get_msr_feature(struct kv + msr->data = 0; + + switch (msr->index) { +- case MSR_F10H_DECFG: +- if (boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) +- msr->data |= MSR_F10H_DECFG_LFENCE_SERIALIZE; ++ case MSR_AMD64_DE_CFG: ++ if (cpu_feature_enabled(X86_FEATURE_LFENCE_RDTSC)) ++ msr->data |= MSR_AMD64_DE_CFG_LFENCE_SERIALIZE; + break; + default: + return 1; +@@ -4305,7 +4305,7 @@ static int svm_get_msr(struct kvm_vcpu * + msr_info->data = 0x1E; + } + break; +- case MSR_F10H_DECFG: ++ case MSR_AMD64_DE_CFG: + msr_info->data = svm->msr_decfg; + break; + default: +@@ -4476,7 +4476,7 @@ static int svm_set_msr(struct kvm_vcpu * + case MSR_VM_IGNNE: + vcpu_unimpl(vcpu, "unimplemented wrmsr: 0x%x data 0x%llx\n", ecx, data); + break; +- case MSR_F10H_DECFG: { ++ case MSR_AMD64_DE_CFG: { + struct kvm_msr_entry msr_entry; + + msr_entry.index = msr->index; +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1290,7 +1290,7 @@ static u32 msr_based_features[] = { + MSR_IA32_VMX_EPT_VPID_CAP, + MSR_IA32_VMX_VMFUNC, + +- MSR_F10H_DECFG, ++ MSR_AMD64_DE_CFG, + MSR_IA32_UCODE_REV, + MSR_IA32_ARCH_CAPABILITIES, + }; +--- a/arch/x86/power/cpu.c ++++ b/arch/x86/power/cpu.c +@@ -512,6 +512,7 @@ static void pm_save_spec_msr(void) + MSR_TSX_FORCE_ABORT, + MSR_IA32_MCU_OPT_CTRL, + MSR_AMD64_LS_CFG, ++ MSR_AMD64_DE_CFG, + }; + + msr_build_context(spec_msr_id, ARRAY_SIZE(spec_msr_id)); diff --git a/patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch b/patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch index 3419ec9..67203d2 100644 --- a/patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch +++ b/patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch @@ -148,7 +148,7 @@ Signed-off-by: Borislav Petkov #endif /* _ASM_X86_CPUFEATURES_H */ --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h -@@ -139,6 +139,10 @@ +@@ -141,6 +141,10 @@ * bit available to control VERW * behavior. */ @@ -161,7 +161,7 @@ Signed-off-by: Borislav Petkov #define L1D_FLUSH BIT(0) /* --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h -@@ -138,14 +138,29 @@ +@@ -154,14 +154,29 @@ #endif .endm @@ -194,8 +194,8 @@ Signed-off-by: Borislav Petkov .endm --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c -@@ -1264,6 +1264,53 @@ static enum spectre_v2_mitigation __init - return SPECTRE_V2_RETPOLINE; +@@ -1280,6 +1280,53 @@ static void __init spec_ctrl_disable_ker + } } +static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode) @@ -248,7 +248,7 @@ Signed-off-by: Borislav Petkov static void __init spectre_v2_select_mitigation(void) { enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); -@@ -1401,28 +1448,7 @@ static void __init spectre_v2_select_mit +@@ -1425,28 +1472,7 @@ static void __init spectre_v2_select_mit setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); @@ -278,7 +278,7 @@ Signed-off-by: Borislav Petkov /* * Retpoline protects the kernel, but doesn't protect firmware. IBRS -@@ -2153,6 +2179,19 @@ static char *ibpb_state(void) +@@ -2177,6 +2203,19 @@ static char *ibpb_state(void) return ""; } @@ -298,7 +298,7 @@ Signed-off-by: Borislav Petkov static ssize_t spectre_v2_show_state(char *buf) { if (spectre_v2_enabled == SPECTRE_V2_LFENCE) -@@ -2165,12 +2204,13 @@ static ssize_t spectre_v2_show_state(cha +@@ -2189,12 +2228,13 @@ static ssize_t spectre_v2_show_state(cha spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n"); diff --git a/patches.suse/x86-speculation-Disable-RRSBA-behavior.patch b/patches.suse/x86-speculation-Disable-RRSBA-behavior.patch new file mode 100644 index 0000000..5605ba8 --- /dev/null +++ b/patches.suse/x86-speculation-Disable-RRSBA-behavior.patch @@ -0,0 +1,124 @@ +From: Pawan Gupta +Date: Fri, 8 Jul 2022 13:36:09 -0700 +Subject: x86/speculation: Disable RRSBA behavior +Git-commit: 4ad3278df6fe2b0852b00d5757fc2ccd8e92c26e +Patch-mainline: 5.19-rc7 +References: bsc#1201455 CVE-2022-28693 + +Some Intel processors may use alternate predictors for RETs on +RSB-underflow. This condition may be vulnerable to Branch History +Injection (BHI) and intramode-BTI. + +Kernel earlier added spectre_v2 mitigation modes (eIBRS+Retpolines, +eIBRS+LFENCE, Retpolines) which protect indirect CALLs and JMPs against +such attacks. However, on RSB-underflow, RET target prediction may +fallback to alternate predictors. As a result, RET's predicted target +may get influenced by branch history. + +A new MSR_IA32_SPEC_CTRL bit (RRSBA_DIS_S) controls this fallback +behavior when in kernel mode. When set, RETs will not take predictions +from alternate predictors, hence mitigating RETs as well. Support for +this is enumerated by CPUID.7.2.EDX[RRSBA_CTRL] (bit2). + +For spectre v2 mitigation, when a user selects a mitigation that +protects indirect CALLs and JMPs against BHI and intramode-BTI, set +RRSBA_DIS_S also to protect RETs for RSB-underflow case. + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Signed-off-by: Jiri Slaby +--- + arch/x86/include/asm/cpufeatures.h | 2 +- + arch/x86/include/asm/msr-index.h | 9 +++++++++ + arch/x86/kernel/cpu/bugs.c | 26 ++++++++++++++++++++++++++ + arch/x86/kernel/cpu/scattered.c | 1 + + 4 files changed, 37 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -290,7 +290,7 @@ + #define X86_FEATURE_SPLIT_LOCK_DETECT (11*32+ 6) /* #AC for split lock */ + #define X86_FEATURE_PER_THREAD_MBA (11*32+ 7) /* "" Per-thread Memory Bandwidth Allocation */ + #define X86_FEATURE_ENTRY_IBPB (11*32+10) /* "" Issue an IBPB on kernel entry */ +-/* FREE! (11*32+11) */ ++#define X86_FEATURE_RRSBA_CTRL (11*32+11) /* "" RET prediction control */ + #define X86_FEATURE_RETPOLINE (11*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ + #define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */ + #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */ +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -51,6 +51,8 @@ + #define SPEC_CTRL_STIBP BIT(SPEC_CTRL_STIBP_SHIFT) /* STIBP mask */ + #define SPEC_CTRL_SSBD_SHIFT 2 /* Speculative Store Bypass Disable bit */ + #define SPEC_CTRL_SSBD BIT(SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */ ++#define SPEC_CTRL_RRSBA_DIS_S_SHIFT 6 /* Disable RRSBA behavior */ ++#define SPEC_CTRL_RRSBA_DIS_S BIT(SPEC_CTRL_RRSBA_DIS_S_SHIFT) + + #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ + #define PRED_CMD_IBPB BIT(0) /* Indirect Branch Prediction Barrier */ +@@ -145,6 +147,13 @@ + * Writeback and invalidate the + * L1 data cache. + */ ++#define ARCH_CAP_RRSBA BIT(19) /* ++ * Indicates RET may use predictors ++ * other than the RSB. With eIBRS ++ * enabled predictions in kernel mode ++ * are restricted to targets in ++ * kernel. ++ */ + + #define MSR_IA32_BBL_CR_CTL 0x00000119 + #define MSR_IA32_BBL_CR_CTL3 0x0000011e +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1264,6 +1264,22 @@ static enum spectre_v2_mitigation __init + return SPECTRE_V2_RETPOLINE; + } + ++/* Disable in-kernel use of non-RSB RET predictors */ ++static void __init spec_ctrl_disable_kernel_rrsba(void) ++{ ++ u64 ia32_cap; ++ ++ if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL)) ++ return; ++ ++ ia32_cap = x86_read_arch_cap_msr(); ++ ++ if (ia32_cap & ARCH_CAP_RRSBA) { ++ x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; ++ write_spec_ctrl_current(x86_spec_ctrl_base, true); ++ } ++} ++ + static void __init spectre_v2_select_mitigation(void) + { + enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); +@@ -1357,6 +1373,16 @@ static void __init spectre_v2_select_mit + break; + } + ++ /* ++ * Disable alternate RSB predictions in kernel when indirect CALLs and ++ * JMPs gets protection against BHI and Intramode-BTI, but RET ++ * prediction from a non-RSB predictor is still a risk. ++ */ ++ if (mode == SPECTRE_V2_EIBRS_LFENCE || ++ mode == SPECTRE_V2_EIBRS_RETPOLINE || ++ mode == SPECTRE_V2_RETPOLINE) ++ spec_ctrl_disable_kernel_rrsba(); ++ + spectre_v2_enabled = mode; + pr_info("%s\n", spectre_v2_strings[mode]); + +--- a/arch/x86/kernel/cpu/scattered.c ++++ b/arch/x86/kernel/cpu/scattered.c +@@ -26,6 +26,7 @@ struct cpuid_bit { + static const struct cpuid_bit cpuid_bits[] = { + { X86_FEATURE_APERFMPERF, CPUID_ECX, 0, 0x00000006, 0 }, + { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 }, ++ { X86_FEATURE_RRSBA_CTRL, CPUID_EDX, 2, 0x00000007, 2 }, + { X86_FEATURE_CQM_LLC, CPUID_EDX, 1, 0x0000000f, 0 }, + { X86_FEATURE_CQM_OCCUP_LLC, CPUID_EDX, 0, 0x0000000f, 1 }, + { X86_FEATURE_CQM_MBM_TOTAL, CPUID_EDX, 1, 0x0000000f, 1 }, diff --git a/series.conf b/series.conf index fc02fa1..cf19826 100644 --- a/series.conf +++ b/series.conf @@ -36788,7 +36788,7 @@ patches.suse/mm-mmap-c-close-race-between-munmap-and-expand_upwards-downwards.patch patches.suse/mm-memcg-fix-refcount-error-while-moving-and-swapping.patch patches.suse/io-mapping-indicate-mapping-failure.patch - patches.suse/nfsd4-fix-NULL-dereference-in-nfsd-clients-display-c.patch + patches.suse/nfsd-show_open-NULL-deref.patch patches.suse/bnxt_en-Fix-race-when-modifying-pause-settings.patch patches.suse/bnxt_en-Init-ethtool-link-settings-after-reading-upd.patch patches.suse/bnxt_en-Fix-completion-ring-sizing-with-TPA-enabled.patch @@ -37419,7 +37419,7 @@ patches.suse/cpuidle-psci-Fix-error-path-via-converting-to-a-plat.patch patches.suse/cpuidle-psci-Convert-PM-domain-to-platform-driver.patch patches.suse/cpuidle-psci-Prevent-domain-idlestates-until-consume.patch - patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch + patches.suse/intel_idle-Customize-IceLake-server-support.patch patches.suse/powercap-intel_rapl-add-support-for-Sapphire-Rapids.patch patches.suse/powercap-Add-Power-Limit4-support.patch patches.suse/ACPICA-Replace-one-element-array-with-flexible-array.patch @@ -44208,6 +44208,9 @@ patches.suse/usb-core-driver-fix-stray-tabs-in-error-messages.patch patches.suse/usb-ohci-Default-to-per-port-over-current-protection.patch patches.suse/usb-ohci-Make-distrust_firmware-param-default-to-fal.patch + patches.suse/USB-move-snd_usb_pipe_sanity_check-into-the-USB-core.patch + patches.suse/USB-add-usb_control_msg_send-and-usb_control_msg_rec.patch + patches.suse/USB-core-message.c-use-usb_control_msg_send-in-a-few.patch patches.suse/USB-adutux-fix-debugging.patch patches.suse/usb-host-xhci-plat-add-platform-data-support.patch patches.suse/usb-host-xhci-plat-add-.suspend_quirk-for-struct-xhc.patch @@ -44219,6 +44222,7 @@ patches.suse/usb-xhci-add-debugfs-support-for-ep-with-stream.patch patches.suse/usb-chipidea-imx-add-two-samsung-picophy-parameters-tuning-implementation.patch patches.suse/usb-chipidea-ci_hdrc_imx-restore-pinctrl.patch + patches.suse/USB-correct-API-of-usb_control_msg_send-recv.patch patches.suse/Revert-cdc-acm-hardening-against-malicious-devices.patch patches.suse/USB-cdc-acm-handle-broken-union-descriptors.patch patches.suse/ACPI-Export-acpi_get_first_physical_node-to-modules.patch @@ -47346,6 +47350,7 @@ patches.suse/ASoC-SOF-modify-the-SOF_DBG-flags.patch patches.suse/ASoC-SOF-Intel-hda-fix-the-condition-passed-to-sof_d.patch patches.suse/usb-max3421-fix-return-error-code-in-max3421_probe.patch + patches.suse/USB-core-return-EREMOTEIO-on-short-usb_control_msg_r.patch patches.suse/usb-chipidea-ci_hdrc_imx-Pass-DISABLE_DEVICE_STREAMI.patch patches.suse/USB-dummy-hcd-Fix-uninitialized-array-use-in-init.patch patches.suse/usb-mtu3-fix-memory-corruption-in-mtu3_debugfs_regse.patch @@ -56084,7 +56089,7 @@ patches.suse/ice-synchronize_rcu-when-terminating-rings.patch patches.suse/net-usb-aqc111-Fix-out-of-bounds-accesses-in-RX-fixu.patch patches.suse/bpf-Resolve-to-prog-aux-dst_prog-type-only-for-BPF_P.patch - patches.suse/drivers-net-slip-fix-NPD-bug-in-sl_tx_timeout.patch + patches.suse/0001-drivers-net-slip-fix-NPD-bug-in-sl_tx_timeout.patch patches.suse/cifs-fix-potential-race-with-cifsd-thread.patch patches.suse/cifs-remove-check-of-list-iterator-against-head-past-the-loop-body.patch patches.suse/cifs-force-new-session-setup-and-tcon-for-dfs.patch @@ -57002,6 +57007,7 @@ patches.suse/x86-bugs-Add-Cannon-lake-to-RETBleed-affected-CPU-list.patch patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-not-supp.patch patches.suse/x86-kexec-disable-ret-on-kexec.patch + patches.suse/x86-speculation-Disable-RRSBA-behavior.patch patches.suse/drm-i915-fix-a-possible-refcount-leak-in-intel_dp_ad.patch patches.suse/drm-panfrost-Put-mapping-instead-of-shmem-obj-on-pan.patch patches.suse/drm-panfrost-Fix-shrinker-list-corruption-by-madvise.patch @@ -57057,6 +57063,7 @@ patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_c.patch patches.suse/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch patches.suse/virtio-net-fix-the-race-between-refill-work-and-clos.patch + patches.suse/docs-kernel-parameters-Update-descriptions-for-mitig.patch patches.suse/arm64-errata-Remove-AES-hwcap-for-COMPAT-tasks.patch patches.suse/arm64-cpufeature-Allow-different-PMU-versions-in-ID_DFR0_EL1.patch patches.suse/meson-mx-socinfo-Fix-refcount-leak-in-meson_mx_socin.patch @@ -57514,6 +57521,7 @@ patches.suse/s390-fix-double-free-of-GS-and-RI-CBs-on-fork-failure patches.suse/s390-mm-do-not-trigger-write-fault-when-vma-does-not-allow-VM_WRITE patches.suse/ACPI-processor-Remove-freq-Qos-request-for-all-CPUs.patch + patches.suse/cifs-skip-extra-NULL-byte-in-filenames.patch patches.suse/asm-generic-sections-refactor-memory_intersects.patch patches.suse/HID-steam-Prevent-NULL-pointer-dereference-in-steam_.patch patches.suse/HID-hidraw-fix-memory-leak-in-hidraw_release.patch @@ -57544,6 +57552,7 @@ patches.suse/usb-gadget-udc-xilinx-replace-memcpy-with-memcpy_toi.patch patches.suse/usb-dwc2-fix-wrong-order-of-phy_power_on-and-phy_ini.patch patches.suse/USB-core-Prevent-nested-device-reset-calls.patch + patches.suse/media-mceusb-Use-new-usb_control_msg_-routines.patch patches.suse/usb-gadget-mass_storage-Fix-cdrom-data-transfers-on-.patch patches.suse/Revert-usb-add-quirks-for-Lenovo-OneLink-Dock.patch patches.suse/USB-serial-option-add-support-for-OPPO-R11-diag-port.patch @@ -57674,6 +57683,11 @@ patches.suse/ACPI-video-Add-Toshiba-Satellite-Portege-Z830-quirk.patch patches.suse/thermal-intel_powerclamp-Use-get_cpu-instead-of-smp_.patch patches.suse/efi-Correct-Macmini-DMI-match-in-uefi-cert-quirk.patch + patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-Rdir.patch + patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch + patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch + patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch + patches.suse/NFSD-Cap-rsize_bop-result-based-on-send-buffer-size.patch patches.suse/openvswitch-Fix-double-reporting-of-drops-in-dropwat.patch patches.suse/openvswitch-Fix-overreporting-of-drops-in-dropwatch.patch patches.suse/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch @@ -57947,6 +57961,7 @@ patches.suse/wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch patches.suse/kcm-avoid-potential-race-in-kcm_tx_work.patch patches.suse/mmc-sdhci-sprd-Fix-minimum-clock-limit.patch + patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch patches.suse/ALSA-hda-realtek-remove-ALC289_FIXUP_DUAL_SPK-for-De.patch patches.suse/ALSA-hda-realtek-Correct-pin-configs-for-ASUS-G533Z.patch patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-GV601R-laptop.patch @@ -58018,6 +58033,7 @@ patches.suse/mISDN-fix-possible-memory-leak-in-mISDN_register_dev.patch patches.suse/isdn-mISDN-netjet-fix-wrong-check-of-device-registra.patch patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch + patches.suse/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch patches.suse/Bluetooth-L2CAP-Fix-l2cap_global_chan_by_psm.patch patches.suse/Bluetooth-L2CAP-Fix-attempting-to-access-uninitializ.patch patches.suse/ibmvnic-Free-rwi-on-reset-success.patch @@ -58065,6 +58081,7 @@ patches.suse/ata-libata-transport-fix-error-handling-in-ata_tdev_.patch patches.suse/scsi-ibmvfc-Avoid-path-failures-during-live-migratio.patch patches.suse/scsi-scsi_transport_sas-Fix-error-handling-in-sas_phy_add.patch + patches.suse/x86-cpu-Restore-AMD-s-DE_CFG-MSR-after-resume.patch patches.suse/pinctrl-devicetree-fix-null-pointer-dereferencing-in.patch patches.suse/xen-pcpu-fix-possible-memory-leak-in-register_pcpu.patch patches.suse/mISDN-fix-possible-memory-leak-in-mISDN_dsp_element_.patch @@ -58143,10 +58160,14 @@ patches.suse/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch patches.suse/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch patches.suse/net-ethernet-renesas-ravb-Fix-promiscuous-mode-after.patch + patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch patches.suse/hwmon-i5500_temp-fix-missing-pci_disable_device.patch patches.suse/hwmon-ibmpex-Fix-possible-UAF-when-ibmpex_register_b.patch patches.suse/hwmon-coretemp-Check-for-null-before-removing-sysfs-.patch patches.suse/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch + patches.suse/x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch + patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch + patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch # jejb/scsi for-next patches.suse/scsi-lpfc-Set-sli4_param-s-cmf-option-to-zero-when-C.patch @@ -58201,6 +58222,7 @@ patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch patches.suse/x86-kexec-Fix-double-free-of-elf-header-buffer.patch + patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch ######################################################## # kbuild/module infrastructure fixes @@ -58491,6 +58513,7 @@ patches.suse/drm-ast-Add-support-for-AIP200.patch patches.suse/drm-ast-Add-support-for-1152x864-mode.patch patches.suse/drm-ast-Add-25MHz-refclk-support.patch + patches.suse/0001-drm-i915-gvt-fix-double-free-bug-in-split_2MB_gtt_en.patch ######################################################## # Storage @@ -58774,6 +58797,7 @@ patches.kabi/usbip-stub_dev-remake-locking-for-kABI.patch patches.kabi/usbip-vudc_sysfs-use-global-lock.patch patches.kabi/usbip-usbip_event-use-global-lock.patch + patches.kabi/kabi-sk_buff_scm_io_uring.patch ######################################################## # You'd better have a good reason for adding a patch