diff --git a/patches.suse/ALSA-hdmi-Expose-all-pins-on-MSI-MS-7C94-board.patch b/patches.suse/ALSA-hdmi-Expose-all-pins-on-MSI-MS-7C94-board.patch
new file mode 100644
index 0000000..8a85b47
--- /dev/null
+++ b/patches.suse/ALSA-hdmi-Expose-all-pins-on-MSI-MS-7C94-board.patch
@@ -0,0 +1,39 @@
+From 33f735f137c6539e3ceceb515cd1e2a644005b49 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 16 Jul 2021 15:56:00 +0200
+Subject: [PATCH] ALSA: hdmi: Expose all pins on MSI MS-7C94 board
+Git-commit: 33f735f137c6539e3ceceb515cd1e2a644005b49
+Patch-mainline: v5.14-rc3
+References: git-fixes
+
+The BIOS on MSI Mortar B550m WiFi (MS-7C94) board with AMDGPU seems
+disabling the other pins than HDMI although it has more outputs
+including DP.
+
+This patch adds the board to the allow list for enabling all pins.
+
+Reported-by: Damjan Georgievski
+Cc:
+Link: https://lore.kernel.org/r/CAEk1YH4Jd0a8vfZxORVu7qg+Zsc-K+pR187ezNq8QhJBPW4gpw@mail.gmail.com
+Link: https://lore.kernel.org/r/20210716135600.24176-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+
+---
+ sound/pci/hda/patch_hdmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index 4b2cc8cb55c4..84c088912b3c 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -1940,6 +1940,7 @@ static int hdmi_add_cvt(struct hda_codec *codec, hda_nid_t cvt_nid)
+ static const struct snd_pci_quirk force_connect_list[] = {
+ SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1),
+ SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1),
++ SND_PCI_QUIRK(0x1462, 0xec94, "MS-7C94", 1),
+ {}
+ };
+
+--
+2.26.2
+
diff --git a/patches.suse/ALSA-sb-Fix-potential-ABBA-deadlock-in-CSP-driver.patch b/patches.suse/ALSA-sb-Fix-potential-ABBA-deadlock-in-CSP-driver.patch
new file mode 100644
index 0000000..4cdf1b6
--- /dev/null
+++ b/patches.suse/ALSA-sb-Fix-potential-ABBA-deadlock-in-CSP-driver.patch
@@ -0,0 +1,79 @@
+From 1c2b9519159b470ef24b2638f4794e86e2952ab7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 16 Jul 2021 15:27:23 +0200
+Subject: [PATCH] ALSA: sb: Fix potential ABBA deadlock in CSP driver
+Git-commit: 1c2b9519159b470ef24b2638f4794e86e2952ab7
+Patch-mainline: v5.14-rc3
+References: git-fixes
+
+SB16 CSP driver may hit potentially a typical ABBA deadlock in two
+code paths:
+
+ In snd_sb_csp_stop():
+ spin_lock_irqsave(&p->chip->mixer_lock, flags);
+ spin_lock(&p->chip->reg_lock);
+
+ In snd_sb_csp_load():
+ spin_lock_irqsave(&p->chip->reg_lock, flags);
+ spin_lock(&p->chip->mixer_lock);
+
+Also the similar pattern is seen in snd_sb_csp_start().
+
+Although the practical impact is very small (those states aren't
+triggered in the same running state and this happens only on a real
+hardware, decades old ISA sound boards -- which must be very difficult
+to find nowadays), it's a real scenario and has to be fixed.
+
+This patch addresses those deadlocks by splitting the locks in
+snd_sb_csp_start() and snd_sb_csp_stop() for avoiding the nested
+locks.
+
+Reported-by: Jia-Ju Bai
+Cc:
+Link: https://lore.kernel.org/r/7b0fcdaf-cd4f-4728-2eae-48c151a92e10@gmail.com
+Link: https://lore.kernel.org/r/20210716132723.13216-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+
+---
+ sound/isa/sb/sb16_csp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/isa/sb/sb16_csp.c b/sound/isa/sb/sb16_csp.c
+index 5bbe6695689d..7ad8c5f7b664 100644
+--- a/sound/isa/sb/sb16_csp.c
++++ b/sound/isa/sb/sb16_csp.c
+@@ -816,6 +816,7 @@ static int snd_sb_csp_start(struct snd_sb_csp * p, int sample_width, int channel
+ mixR = snd_sbmixer_read(p->chip, SB_DSP4_PCM_DEV + 1);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL & 0x7);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR & 0x7);
++ spin_unlock_irqrestore(&p->chip->mixer_lock, flags);
+
+ spin_lock(&p->chip->reg_lock);
+ set_mode_register(p->chip, 0xc0); /* c0 = STOP */
+@@ -855,6 +856,7 @@ static int snd_sb_csp_start(struct snd_sb_csp * p, int sample_width, int channel
+ spin_unlock(&p->chip->reg_lock);
+
+ /* restore PCM volume */
++ spin_lock_irqsave(&p->chip->mixer_lock, flags);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR);
+ spin_unlock_irqrestore(&p->chip->mixer_lock, flags);
+@@ -880,6 +882,7 @@ static int snd_sb_csp_stop(struct snd_sb_csp * p)
+ mixR = snd_sbmixer_read(p->chip, SB_DSP4_PCM_DEV + 1);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL & 0x7);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR & 0x7);
++ spin_unlock_irqrestore(&p->chip->mixer_lock, flags);
+
+ spin_lock(&p->chip->reg_lock);
+ if (p->running & SNDRV_SB_CSP_ST_QSOUND) {
+@@ -894,6 +897,7 @@ static int snd_sb_csp_stop(struct snd_sb_csp * p)
+ spin_unlock(&p->chip->reg_lock);
+
+ /* restore PCM volume */
++ spin_lock_irqsave(&p->chip->mixer_lock, flags);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR);
+ spin_unlock_irqrestore(&p->chip->mixer_lock, flags);
+--
+2.26.2
+
diff --git a/patches.suse/ALSA-usb-audio-Add-registration-quirk-for-JBL-Quantu.patch b/patches.suse/ALSA-usb-audio-Add-registration-quirk-for-JBL-Quantu.patch
new file mode 100644
index 0000000..9f1971d
--- /dev/null
+++ b/patches.suse/ALSA-usb-audio-Add-registration-quirk-for-JBL-Quantu.patch
@@ -0,0 +1,42 @@
+From b0084afde27fe8a504377dee65f55bc6aa776937 Mon Sep 17 00:00:00 2001
+From: Alexander Tsoy
+Date: Thu, 22 Jul 2021 02:56:05 +0300
+Subject: [PATCH] ALSA: usb-audio: Add registration quirk for JBL Quantum headsets
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: b0084afde27fe8a504377dee65f55bc6aa776937
+Patch-mainline: v5.14-rc3
+References: git-fixes
+
+These devices has two interfaces, but only the second interface
+contains the capture endpoint, thus quirk is required to delay the
+registration until the second interface appears.
+
+Tested-by: Jakub FiĊĦer
+Signed-off-by: Alexander Tsoy
+Cc:
+Link: https://lore.kernel.org/r/20210721235605.53741-1-alexander@tsoy.me
+Signed-off-by: Takashi Iwai
+
+---
+ sound/usb/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 8b8bee3c3dd6..e7accd87e063 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1897,6 +1897,9 @@ static const struct registration_quirk registration_quirks[] = {
+ REG_QUIRK_ENTRY(0x0951, 0x16d8, 2), /* Kingston HyperX AMP */
+ REG_QUIRK_ENTRY(0x0951, 0x16ed, 2), /* Kingston HyperX Cloud Alpha S */
+ REG_QUIRK_ENTRY(0x0951, 0x16ea, 2), /* Kingston HyperX Cloud Flight S */
++ REG_QUIRK_ENTRY(0x0ecb, 0x1f46, 2), /* JBL Quantum 600 */
++ REG_QUIRK_ENTRY(0x0ecb, 0x2039, 2), /* JBL Quantum 400 */
++ REG_QUIRK_ENTRY(0x0ecb, 0x203e, 2), /* JBL Quantum 800 */
+ { 0 } /* terminator */
+ };
+
+--
+2.26.2
+
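Review bot: In sound/isa/sb/sb16_csp.c, `spin_lock(&p->chip->reg_lock)` in snd_sb_csp_start() and snd_sb_csp_stop() now runs after `spin_unlock_irqrestore()` on mixer_lock, so it no longer sits inside an interrupts-off section unless the caller provides one. The commit message shows snd_sb_csp_load() taking the same lock with `spin_lock_irqsave()`, which suggests reg_lock may be contended from interrupt context; if the callers (outside these hunks) can run with interrupts enabled, the pair should become `spin_lock_irqsave(&p->chip->reg_lock, flags);` and `spin_unlock_irqrestore(&p->chip->reg_lock, flags);`. Otherwise a short comment at each site stating the caller's IRQ state would settle it. This applies to all four hunks of the patch, and both function bodies extend beyond them.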
diff --git a/patches.suse/ASoC-rt5631-Fix-regcache-sync-errors-on-resume.patch b/patches.suse/ASoC-rt5631-Fix-regcache-sync-errors-on-resume.patch
new file mode 100644
index 0000000..39ddab5
--- /dev/null
+++ b/patches.suse/ASoC-rt5631-Fix-regcache-sync-errors-on-resume.patch
@@ -0,0 +1,43 @@
+From c71f78a662611fe2c67f3155da19b0eff0f29762 Mon Sep 17 00:00:00 2001
+From: Maxim Schwalm
+Date: Mon, 12 Jul 2021 03:50:11 +0300
+Subject: [PATCH] ASoC: rt5631: Fix regcache sync errors on resume
+Git-commit: c71f78a662611fe2c67f3155da19b0eff0f29762
+Patch-mainline: v5.14-rc3
+References: git-fixes
+
+The ALC5631 does not like multi-write accesses, avoid them. This fixes:
+
+rt5631 4-001a: Unable to sync registers 0x3a-0x3c. -121
+
+errors on resume from suspend (and all registers after the registers in
+the error not being synced).
+
+Inspired by commit 2d30e9494f1e ("ASoC: rt5651: Fix regcache sync errors
+on resume") from Hans de Geode, which fixed the same errors on ALC5651.
+
+Signed-off-by: Maxim Schwalm
+Link: https://lore.kernel.org/r/20210712005011.28536-1-digetx@gmail.com
+Signed-off-by: Mark Brown
+Acked-by: Takashi Iwai
+
+---
+ sound/soc/codecs/rt5631.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/codecs/rt5631.c b/sound/soc/codecs/rt5631.c
+index 3000bc128b5b..38356ea2bd6e 100644
+--- a/sound/soc/codecs/rt5631.c
++++ b/sound/soc/codecs/rt5631.c
+@@ -1695,6 +1695,8 @@ static const struct regmap_config rt5631_regmap_config = {
+ .reg_defaults = rt5631_reg,
+ .num_reg_defaults = ARRAY_SIZE(rt5631_reg),
+ .cache_type = REGCACHE_RBTREE,
++ .use_single_read = true,
++ .use_single_write = true,
+ };
+
+ static int rt5631_i2c_probe(struct i2c_client *i2c,
+--
+2.26.2
+
diff --git a/patches.suse/Input-ili210x-add-missing-negation-for-touch-indicat.patch b/patches.suse/Input-ili210x-add-missing-negation-for-touch-indicat.patch
new file mode 100644
index 0000000..de37114
--- /dev/null
+++ b/patches.suse/Input-ili210x-add-missing-negation-for-touch-indicat.patch
@@ -0,0 +1,33 @@
+From ac05a8a927e5a1027592d8f98510a511dadeed14 Mon Sep 17 00:00:00 2001
+From: Hansem Ro
+Date: Thu, 6 May 2021 13:27:10 -0700
+Subject: [PATCH] Input: ili210x - add missing negation for touch indication on
+ ili210x
+Git-commit: ac05a8a927e5a1027592d8f98510a511dadeed14
+References: git-fixes
+Patch-mainline: v5.13-rc1
+
+This adds the negation needed for proper finger detection on Ilitek
+ili2107/ili210x. This fixes polling issues (on Amazon Kindle Fire)
+caused by returning false for the cooresponding finger on the touchscreen.
+
+Signed-off-by: Hansem Ro
+Fixes: e3559442afd2a ("ili210x - rework the touchscreen sample processing")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Oliver Neukum
+---
+ drivers/input/touchscreen/ili210x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/ili210x.c
++++ b/drivers/input/touchscreen/ili210x.c
+@@ -109,7 +109,7 @@ static bool ili210x_touchdata_to_coords(
+ if (finger >= ILI210X_TOUCHES)
+ return false;
+
+- if (touchdata[0] & BIT(finger))
++ if (!touchdata[0] & BIT(finger))
+ return false;
+
+ *x = get_unaligned_be16(touchdata + 1 + (finger * 4) + 0);
diff --git a/patches.suse/KVM-PPC-Book3S-Fix-H_RTAS-rets-buffer-overflow.patch b/patches.suse/KVM-PPC-Book3S-Fix-H_RTAS-rets-buffer-overflow.patch
new file mode 100644
index 0000000..97275d3
--- /dev/null
+++ b/patches.suse/KVM-PPC-Book3S-Fix-H_RTAS-rets-buffer-overflow.patch
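Review bot: The new condition `if (!touchdata[0] & BIT(finger))` in ili210x_touchdata_to_coords() does not test the finger's bit, because unary `!` binds tighter than `&` and the expression is evaluated as `(!touchdata[0]) & BIT(finger)`. That value is non-zero only for finger 0 when the whole status byte is zero, so for any non-zero status byte the function goes on to read coordinates even for fingers whose bit is clear. The negation the commit message describes needs the mask parenthesised: `if (!(touchdata[0] & BIT(finger)))`. The function body continues outside the hunk.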
@@ -0,0 +1,80 @@
+From f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Tue, 20 Jul 2021 20:43:09 +1000
+Subject: [PATCH] KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
+
+References: bsc#1188838 CVE-2021-37576
+Patch-mainline: v5.14-rc3
+Git-commit: f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a
+
+The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on
+the rtas_args.nargs that was provided by the guest. That guest nargs
+value is not range checked, so the guest can cause the host rets pointer
+to be pointed outside the args array. The individual rtas function
+handlers check the nargs and nrets values to ensure they are correct,
+but if they are not, the handlers store a -3 (0xfffffffd) failure
+indication in rets[0] which corrupts host memory.
+
+Fix this by testing up front whether the guest supplied nargs and nret
+would exceed the array size, and fail the hcall directly without storing
+a failure indication to rets[0].
+
+Also expand on a comment about why we kill the guest and try not to
+return errors directly if we have a valid rets[0] pointer.
+
+Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls")
+Cc: stable@vger.kernel.org # v3.10+
+Reported-by: Alexey Kardashevskiy
+Signed-off-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c
+index c5e677508d3b..0f847f1e5ddd 100644
+--- a/arch/powerpc/kvm/book3s_rtas.c
++++ b/arch/powerpc/kvm/book3s_rtas.c
+@@ -242,6 +242,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
+ * value so we can restore it on the way out.
+ */
+ orig_rets = args.rets;
++ if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) {
++ /*
++ * Don't overflow our args array: ensure there is room for
++ * at least rets[0] (even if the call specifies 0 nret).
++ *
++ * Each handler must then check for the correct nargs and nret
++ * values, but they may always return failure in rets[0].
++ */
++ rc = -EINVAL;
++ goto fail;
++ }
+ args.rets = &args.args[be32_to_cpu(args.nargs)];
+
+ mutex_lock(&vcpu->kvm->arch.rtas_token_lock);
+@@ -269,9 +280,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
+ fail:
+ /*
+ * We only get here if the guest has called RTAS with a bogus
+- * args pointer. That means we can't get to the args, and so we
+- * can't fail the RTAS call. So fail right out to userspace,
+- * which should kill the guest.
++ * args pointer or nargs/nret values that would overflow the
++ * array. That means we can't get to the args, and so we can't
++ * fail the RTAS call. So fail right out to userspace, which
++ * should kill the guest.
++ *
++ * SLOF should actually pass the hcall return value from the
++ * rtas handler call in r3, so enter_rtas could be modified to
++ * return a failure indication in r3 and we could return such
++ * errors to the guest rather than failing to host userspace.
++ * However old guests that don't test for failure could then
++ * continue silently after errors, so for now we won't do this.
+ */
+ return rc;
+ }
+--
+2.26.2
+
diff --git a/patches.suse/Revert-ACPI-resources-Add-checks-for-ACPI-IRQ-overri.patch b/patches.suse/Revert-ACPI-resources-Add-checks-for-ACPI-IRQ-overri.patch
new file mode 100644
index 0000000..ee2a6c9
--- /dev/null
+++ b/patches.suse/Revert-ACPI-resources-Add-checks-for-ACPI-IRQ-overri.patch
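Review bot: The new guard in kvmppc_rtas_hcall() bounds only the guest-supplied `nargs`, although the description says nargs and nret are both tested up front. That keeps `rets[0]` inside `args.args`, but stores to `rets[1]` and beyond stay in bounds only if every handler validates nret before writing, as the added comment says; the handlers are outside this patch. If leaving nret to the handlers is intended, the comment above the guard should state that this check covers `rets[0]` only; otherwise the guard could also reject an nret that does not fit, written without a wrapping add as `be32_to_cpu(args.nret) > ARRAY_SIZE(args.args) - be32_to_cpu(args.nargs)`. That second form changes how an oversized nret is reported to the guest, so it needs the maintainers' decision.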
@@ -0,0 +1,57 @@
+From e0eef3690dc66b3ecc6e0f1267f332403eb22bea Mon Sep 17 00:00:00 2001
+From: Hui Wang
+Date: Wed, 28 Jul 2021 23:19:58 +0800
+Subject: [PATCH] Revert "ACPI: resources: Add checks for ACPI IRQ override"
+Git-commit: e0eef3690dc66b3ecc6e0f1267f332403eb22bea
+Patch-mainline: v5.14-rc4
+References: git-fixes
+
+The commit 0ec4e55e9f57 ("ACPI: resources: Add checks for ACPI IRQ
+override") introduces regression on some platforms, at least it makes
+the UART can't get correct irq setting on two different platforms,
+and it makes the kernel can't bootup on these two platforms.
+
+This reverts commit 0ec4e55e9f571f08970ed115ec0addc691eda613.
+
+Regression-discuss: https://bugzilla.kernel.org/show_bug.cgi?id=213031
+Reported-by: PGNd
+Cc: 5.4+ # 5.4+
+Signed-off-by: Hui Wang
+Acked-by: Greg Kroah-Hartman
+Signed-off-by: Rafael J. Wysocki
+Acked-by: Takashi Iwai
+
+---
+ drivers/acpi/resource.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index dc01fb550b28..ee78a210c606 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -423,13 +423,6 @@ static void acpi_dev_get_irqresource(struct resource *res, u32 gsi,
+ }
+ }
+
+-static bool irq_is_legacy(struct acpi_resource_irq *irq)
+-{
+- return irq->triggering == ACPI_EDGE_SENSITIVE &&
+- irq->polarity == ACPI_ACTIVE_HIGH &&
+- irq->shareable == ACPI_EXCLUSIVE;
+-}
+-
+ /**
+ * acpi_dev_resource_interrupt - Extract ACPI interrupt resource information.
+ * @ares: Input ACPI resource object.
+@@ -468,7 +461,7 @@ bool acpi_dev_resource_interrupt(struct acpi_resource *ares, int index,
+ }
+ acpi_dev_get_irqresource(res, irq->interrupts[index],
+ irq->triggering, irq->polarity,
+- irq->shareable, irq_is_legacy(irq));
++ irq->shareable, true);
+ break;
+ case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
+ ext_irq = &ares->data.extended_irq;
+--
+2.26.2
+
diff --git a/patches.suse/Revert-be2net-disable-bh-with-spin_lock-in-be_proces.patch b/patches.suse/Revert-be2net-disable-bh-with-spin_lock-in-be_proces.patch
new file mode 100644
index 0000000..efcddd4
--- /dev/null
+++ b/patches.suse/Revert-be2net-disable-bh-with-spin_lock-in-be_proces.patch
@@ -0,0 +1,109 @@
+From: Petr Oros
+Date: Fri, 25 Jun 2021 10:27:45 +0200
+Subject: Revert "be2net: disable bh with spin_lock in be_process_mcc"
+Patch-mainline: v5.14-rc1
+Git-commit: d6765985a42a660f078896d5c5b27f97c580a490
+References: git-fixes
+
+Patch was based on wrong presumption that be_poll can be called only
+from bh context. It reintroducing old regression (also reverted) and
+causing deadlock when we use netconsole with benet in bonding.
+
+Old revert: commit 072a9c486004 ("netpoll: revert 6bdb7fe3104 and fix
+be_poll() instead")
+
+[ 331.269715] bond0: (slave enp0s7f0): Releasing backup interface
+[ 331.270121] CPU: 4 PID: 1479 Comm: ifenslave Not tainted 5.13.0-rc7+ #2
+[ 331.270122] Call Trace:
+[ 331.270122] [c00000001789f200] [c0000000008c505c] dump_stack+0x100/0x174 (unreliable)
+[ 331.270124] [c00000001789f240] [c008000001238b9c] be_poll+0x64/0xe90 [be2net]
+[ 331.270125] [c00000001789f330] [c000000000d1e6e4] netpoll_poll_dev+0x174/0x3d0
+[ 331.270127] [c00000001789f400] [c008000001bc167c] bond_poll_controller+0xb4/0x130 [bonding]
+[ 331.270128] [c00000001789f450] [c000000000d1e624] netpoll_poll_dev+0xb4/0x3d0
+[ 331.270129] [c00000001789f520] [c000000000d1ed88] netpoll_send_skb+0x448/0x470
+[ 331.270130] [c00000001789f5d0] [c0080000011f14f8] write_msg+0x180/0x1b0 [netconsole]
+[ 331.270131] [c00000001789f640] [c000000000230c0c] console_unlock+0x54c/0x790
+[ 331.270132] [c00000001789f7b0] [c000000000233098] vprintk_emit+0x2d8/0x450
+[ 331.270133] [c00000001789f810] [c000000000234758] vprintk+0xc8/0x270
+[ 331.270134] [c00000001789f850] [c000000000233c28] printk+0x40/0x54
+[ 331.270135] [c00000001789f870] [c000000000ccf908] __netdev_printk+0x150/0x198
+[ 331.270136] [c00000001789f910] [c000000000ccfdb4] netdev_info+0x68/0x94
+[ 331.270137] [c00000001789f950] [c008000001bcbd70] __bond_release_one+0x188/0x6b0 [bonding]
+[ 331.270138] [c00000001789faa0] [c008000001bcc6f4] bond_do_ioctl+0x42c/0x490 [bonding]
+[ 331.270139] [c00000001789fb60] [c000000000d0d17c] dev_ifsioc+0x17c/0x400
+[ 331.270140] [c00000001789fbc0] [c000000000d0db70] dev_ioctl+0x390/0x890
+[ 331.270141] [c00000001789fc10] [c000000000c7c76c] sock_do_ioctl+0xac/0x1b0
+[ 331.270142] [c00000001789fc90] [c000000000c7ffac] sock_ioctl+0x31c/0x6e0
+[ 331.270143] [c00000001789fd60] [c0000000005b9728] sys_ioctl+0xf8/0x150
+[ 331.270145] [c00000001789fdb0] [c0000000000336c0] system_call_exception+0x160/0x2f0
+[ 331.270146] [c00000001789fe10] [c00000000000d35c] system_call_common+0xec/0x278
+[ 331.270147] --- interrupt: c00 at 0x7fffa6c6ec00
+[ 331.270147] NIP: 00007fffa6c6ec00 LR: 0000000105c4185c CTR: 0000000000000000
+[ 331.270148] REGS: c00000001789fe80 TRAP: 0c00 Not tainted (5.13.0-rc7+)
+[ 331.270148] MSR: 800000000280f033 CR: 28000428 XER: 00000000
+[ 331.270155] IRQMASK: 0
+[ 331.270156] GPR00: 0000000000000036 00007fffd494d5b0 00007fffa6d57100 0000000000000003
+[ 331.270158] GPR04: 0000000000008991 00007fffd494d6d0 0000000000000008 00007fffd494f28c
+[ 331.270161] GPR08: 0000000000000003 0000000000000000 0000000000000000 0000000000000000
+[ 331.270164] GPR12: 0000000000000000 00007fffa6dfa220 0000000000000000 0000000000000000
+[ 331.270167] GPR16: 0000000105c44880 0000000000000000 0000000105c60088 0000000105c60318
+[ 331.270170] GPR20: 0000000105c602c0 0000000105c44560 0000000000000000 0000000000000000
+[ 331.270172] GPR24: 00007fffd494dc50 00007fffd494d6a8 0000000105c60008 00007fffd494d6d0
+[ 331.270175] GPR28: 00007fffd494f27e 0000000105c6026c 00007fffd494f284 0000000000000000
+[ 331.270178] NIP [00007fffa6c6ec00] 0x7fffa6c6ec00
+[ 331.270178] LR [0000000105c4185c] 0x105c4185c
+[ 331.270179] --- interrupt: c00
+
+This reverts commit d0d006a43e9a7a796f6f178839c92fcc222c564d.
+
+Fixes: d0d006a43e9a7a ("be2net: disable bh with spin_lock in be_process_mcc")
+Signed-off-by: Petr Oros
+Signed-off-by: David S. Miller
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/emulex/benet/be_cmds.c | 6 ++++--
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 ++
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
+@@ -550,7 +550,7 @@ int be_process_mcc(struct be_adapter *ad
+ int num = 0, status = 0;
+ struct be_mcc_obj *mcc_obj = &adapter->mcc_obj;
+
+- spin_lock_bh(&adapter->mcc_cq_lock);
++ spin_lock(&adapter->mcc_cq_lock);
+
+ while ((compl = be_mcc_compl_get(adapter))) {
+ if (compl->flags & CQE_FLAGS_ASYNC_MASK) {
+@@ -566,7 +566,7 @@ int be_process_mcc(struct be_adapter *ad
+ if (num)
+ be_cq_notify(adapter, mcc_obj->cq.id, mcc_obj->rearm_cq, num);
+
+- spin_unlock_bh(&adapter->mcc_cq_lock);
++ spin_unlock(&adapter->mcc_cq_lock);
+ return status;
+ }
+
+@@ -581,7 +581,9 @@ static int be_mcc_wait_compl(struct be_a
+ if (be_check_error(adapter, BE_ERROR_ANY))
+ return -EIO;
+
++ local_bh_disable();
+ status = be_process_mcc(adapter);
++ local_bh_enable();
+
+ if (atomic_read(&mcc_obj->q.used) == 0)
+ break;
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -5631,7 +5631,9 @@ static void be_worker(struct work_struct
+ * mcc completions
+ */
+ if (!netif_running(adapter->netdev)) {
++ local_bh_disable();
+ be_process_mcc(adapter);
++ local_bh_enable();
+ goto reschedule;
+ }
+
diff --git a/patches.suse/USB-serial-cp210x-add-ID-for-CEL-EM3588-USB-ZigBee-s.patch b/patches.suse/USB-serial-cp210x-add-ID-for-CEL-EM3588-USB-ZigBee-s.patch
new file mode 100644
index 0000000..da75a50
--- /dev/null
+++ b/patches.suse/USB-serial-cp210x-add-ID-for-CEL-EM3588-USB-ZigBee-s.patch
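Review bot: be_process_mcc() in be_cmds.c now takes `mcc_cq_lock` with a plain `spin_lock()` and depends on each caller for bottom-half exclusion, but nothing at the function records that contract. The two callers changed in this patch, be_mcc_wait_compl() and be_worker(), wrap the call in `local_bh_disable()` and `local_bh_enable()`; a later process-context caller that omits the wrapper would presumably bring back the contention with be_poll() that the BH disabling was there to prevent, though be_poll() itself is not shown. A comment above the lock such as `/* Process-context callers must disable BHs; be_poll() also gets here via netpoll */` would keep the requirement with the code. The function bodies extend outside the hunks.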
@@ -0,0 +1,34 @@
+From d6a206e60124a9759dd7f6dfb86b0e1d3b1df82e Mon Sep 17 00:00:00 2001
+From: John Keeping
+Date: Wed, 21 Jul 2021 17:17:45 +0100
+Subject: [PATCH] USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
+Git-commit: d6a206e60124a9759dd7f6dfb86b0e1d3b1df82e
+Patch-mainline: v5.14-rc3
+References: git-fixes
+
+Add the USB serial device ID for the CEL ZigBee EM3588 radio stick.
+
+Signed-off-by: John Keeping
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Acked-by: Takashi Iwai
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index af286240807e..3c80bfbf3bec 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -155,6 +155,7 @@ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */
+ { USB_DEVICE(0x10C4, 0x89FB) }, /* Qivicon ZigBee USB Radio Stick */
+ { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
++ { USB_DEVICE(0x10C4, 0x8A5B) }, /* CEL EM3588 ZigBee USB Stick */
+ { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
+ { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
+ { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
+--
+2.26.2
+
diff --git a/patches.suse/USB-serial-option-add-support-for-u-blox-LARA-R6-fam.patch b/patches.suse/USB-serial-option-add-support-for-u-blox-LARA-R6-fam.patch
new file mode 100644
index 0000000..e706638
--- /dev/null
+++ b/patches.suse/USB-serial-option-add-support-for-u-blox-LARA-R6-fam.patch
@@ -0,0 +1,54 @@
+From 94b619a07655805a1622484967754f5848640456 Mon Sep 17 00:00:00 2001
+From: Marco De Marco
+Date: Mon, 5 Jul 2021 19:44:21 +0000
+Subject: [PATCH] USB: serial: option: add support for u-blox LARA-R6 family
+Git-commit: 94b619a07655805a1622484967754f5848640456
+Patch-mainline: v5.14-rc3
+References: git-fixes
+
+The patch is meant to support LARA-R6 Cat 1 module family.
+
+Module USB ID:
+Vendor ID: 0x05c6
+Product ID: 0x90fA
+
+Interface layout:
+If 0: Diagnostic
+If 1: AT parser
+If 2: AT parser
+If 3: QMI wwan (not available in all versions)
+
+Signed-off-by: Marco De Marco
+Link: https://lore.kernel.org/r/49260184.kfMIbaSn9k@mars
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Acked-by: Takashi Iwai
+
+---
+ drivers/usb/serial/option.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 7608584ef4fe..0fbe253dc570 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -238,6 +238,7 @@ static void option_instat_callback(struct urb *urb);
+ #define QUECTEL_PRODUCT_UC15 0x9090
+ /* These u-blox products use Qualcomm's vendor ID */
+ #define UBLOX_PRODUCT_R410M 0x90b2
++#define UBLOX_PRODUCT_R6XX 0x90fa
+ /* These Yuga products use Qualcomm's vendor ID */
+ #define YUGA_PRODUCT_CLM920_NC5 0x9625
+
+@@ -1101,6 +1102,8 @@ static const struct usb_device_id option_ids[] = {
+ /* u-blox products using Qualcomm vendor ID */
+ { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R410M),
+ .driver_info = RSVD(1) | RSVD(3) },
++ { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R6XX),
++ .driver_info = RSVD(3) },
+ /* Quectel products using Quectel vendor ID */
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21, 0xff, 0xff, 0xff),
+ .driver_info = NUMEP2 },
+--
+2.26.2
+
diff --git a/patches.suse/USB-usb-storage-Add-LaCie-Rugged-USB3-FW-to-IGNORE_U.patch b/patches.suse/USB-usb-storage-Add-LaCie-Rugged-USB3-FW-to-IGNORE_U.patch
new file mode 100644
index 0000000..bc15159
--- /dev/null
+++ b/patches.suse/USB-usb-storage-Add-LaCie-Rugged-USB3-FW-to-IGNORE_U.patch
@@ -0,0 +1,48 @@
+From 6abf2fe6b4bf6e5256b80c5817908151d2d33e9f Mon Sep 17 00:00:00 2001
+From: Julian Sikorski
+Date: Tue, 20 Jul 2021 19:19:10 +0200
+Subject: [PATCH] USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS
+Git-commit: 6abf2fe6b4bf6e5256b80c5817908151d2d33e9f
+Patch-mainline: v5.14-rc3
+References: git-fixes
+
+LaCie Rugged USB3-FW appears to be incompatible with UAS. It generates
+errors like:
+[ 1151.582598] sd 14:0:0:0: tag#16 uas_eh_abort_handler 0 uas-tag 1 inflight: IN
+[ 1151.582602] sd 14:0:0:0: tag#16 CDB: Report supported operation codes a3 0c 01 12 00 00 00 00 02 00 00 00
+[ 1151.588594] scsi host14: uas_eh_device_reset_handler start
+[ 1151.710482] usb 2-4: reset SuperSpeed Gen 1 USB device number 2 using xhci_hcd
+[ 1151.741398] scsi host14: uas_eh_device_reset_handler success
+[ 1181.785534] scsi host14: uas_eh_device_reset_handler start
+
+Signed-off-by: Julian Sikorski
+Cc: stable
+Link: https://lore.kernel.org/r/20210720171910.36497-1-belegdol+github@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Takashi Iwai
+
+---
+ drivers/usb/storage/unusual_uas.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
+index f9677a5ec31b..c35a6db993f1 100644
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -45,6 +45,13 @@ UNUSUAL_DEV(0x059f, 0x105f, 0x0000, 0x9999,
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_REPORT_OPCODES | US_FL_NO_SAME),
+
++/* Reported-by: Julian Sikorski */
++UNUSUAL_DEV(0x059f, 0x1061, 0x0000, 0x9999,
++ "LaCie",
++ "Rugged USB3-FW",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_IGNORE_UAS),
++
+ /*
+ * Apricorn USB3 dongle sometimes returns "USBSUSBSUSBS" in response to SCSI
+ * commands in UAS mode. Observed with the 1.28 firmware; are there others?
+--
+2.26.2
+
diff --git a/patches.suse/bnxt_en-Add-missing-check-for-BNXT_STATE_ABORT_ERR-i.patch b/patches.suse/bnxt_en-Add-missing-check-for-BNXT_STATE_ABORT_ERR-i.patch
new file mode 100644
index 0000000..c6172ad
--- /dev/null
+++ b/patches.suse/bnxt_en-Add-missing-check-for-BNXT_STATE_ABORT_ERR-i.patch
@@ -0,0 +1,33 @@
+From: Michael Chan
+Date: Sun, 18 Jul 2021 15:36:28 -0400
+Subject: bnxt_en: Add missing check for BNXT_STATE_ABORT_ERR in
+ bnxt_fw_rset_task()
+Patch-mainline: v5.14-rc3
+Git-commit: 6cd657cb3ee6f4de57e635b126ffbe0e51d00f1a
+References: jsc#SLE-8371 bsc#1153274
+
+In the BNXT_FW_RESET_STATE_POLL_VF state in bnxt_fw_reset_task() after all
+VFs have unregistered, we need to check for BNXT_STATE_ABORT_ERR after
+we acquire the rtnl_lock. If the flag is set, we need to abort.
+
+Fixes: 230d1f0de754 ("bnxt_en: Handle firmware reset.")
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -10794,6 +10794,10 @@ static void bnxt_fw_reset_task(struct wo
+ }
+ bp->fw_reset_timestamp = jiffies;
+ rtnl_lock();
++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) {
++ rtnl_unlock();
++ goto fw_reset_abort;
++ }
+ bnxt_fw_reset_close(bp);
+ if (bp->fw_cap & BNXT_FW_CAP_ERR_RECOVER_RELOAD) {
+ bp->fw_reset_state = BNXT_FW_RESET_STATE_POLL_FW_DOWN;
diff --git a/patches.suse/bnxt_en-Check-abort-error-state-in-bnxt_half_open_ni.patch b/patches.suse/bnxt_en-Check-abort-error-state-in-bnxt_half_open_ni.patch
new file mode 100644
index 0000000..5dd093f
--- /dev/null
+++ b/patches.suse/bnxt_en-Check-abort-error-state-in-bnxt_half_open_ni.patch
@@ -0,0 +1,61 @@
+From: Somnath Kotur
+Date: Sun, 18 Jul 2021 15:36:31 -0400
+Subject: bnxt_en: Check abort error state in bnxt_half_open_nic()
+Patch-mainline: v5.14-rc3
+Git-commit: 11a39259ff79b74bc99f8b7c44075a2d6d5e7ab1
+References: jsc#SLE-8371 bsc#1153274
+
+bnxt_half_open_nic() is called during during ethtool self test and is
+protected by rtnl_lock. Firmware reset can be happening at the same
+time. Only critical portions of the entire firmware reset sequence
+are protected by the rtnl_lock. It is possible that bnxt_half_open_nic()
+can be called when the firmware reset sequence is aborting. In that
+case, bnxt_half_open_nic() needs to check if the ABORT_ERR flag is set
+and abort if it is. The ethtool self test will fail but the NIC will be
+brought to a consistent IF_DOWN state.
+
+Without this patch, if bnxt_half_open_nic() were to continue in this
+error state, it may crash like this:
+
+ bnxt_en 0000:82:00.1 enp130s0f1np1: FW reset in progress during close, FW reset will be aborted
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ ...
+ Process ethtool (pid: 333327, stack limit = 0x0000000046476577)
+ Call trace:
+ bnxt_alloc_mem+0x444/0xef0 [bnxt_en]
+ bnxt_half_open_nic+0x24/0xb8 [bnxt_en]
+ bnxt_self_test+0x2dc/0x390 [bnxt_en]
+ ethtool_self_test+0xe0/0x1f8
+ dev_ethtool+0x1744/0x22d0
+ dev_ioctl+0x190/0x3e0
+ sock_ioctl+0x238/0x480
+ do_vfs_ioctl+0xc4/0x758
+ ksys_ioctl+0x84/0xb8
+ __arm64_sys_ioctl+0x28/0x38
+ el0_svc_handler+0xb0/0x180
+ el0_svc+0x8/0xc
+
+Fixes: a1301f08c5ac ("bnxt_en: Check abort error state in bnxt_open_nic().")
+Signed-off-by: Somnath Kotur
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9246,6 +9246,12 @@ int bnxt_half_open_nic(struct bnxt *bp)
+ {
+ int rc = 0;
+
++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) {
++ netdev_err(bp->dev, "A previous firmware reset has not completed, aborting half open\n");
++ rc = -ENODEV;
++ goto half_open_err;
++ }
++
+ rc = bnxt_alloc_mem(bp, false);
+ if (rc) {
+ netdev_err(bp->dev, "bnxt_alloc_mem err: %x\n", rc);
diff --git a/patches.suse/bnxt_en-Refresh-RoCE-capabilities-in-bnxt_ulp_probe.patch b/patches.suse/bnxt_en-Refresh-RoCE-capabilities-in-bnxt_ulp_probe.patch
new file mode 100644
index 0000000..b326d25
--- /dev/null
+++ b/patches.suse/bnxt_en-Refresh-RoCE-capabilities-in-bnxt_ulp_probe.patch
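Review bot: The early `goto half_open_err` added to bnxt_half_open_nic() enters the error path before bnxt_alloc_mem() has run, and nothing at the site says that this is deliberate rather than a plain `return -ENODEV;`. The label's body lies outside the hunk, so it should be confirmed that its cleanup is safe when nothing was allocated in this call. The commit message implies the path is wanted because it leaves the NIC in a consistent IF_DOWN state; a comment above the `goto`, such as `/* use half_open_err on purpose: it brings the NIC to a consistent IF_DOWN state */`, would keep that reasoning with the code.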
@@ -0,0 +1,44 @@
+From: Michael Chan
+Date: Sun, 18 Jul 2021 15:36:27 -0400
+Subject: bnxt_en: Refresh RoCE capabilities in bnxt_ulp_probe()
+Patch-mainline: v5.14-rc3
+Git-commit: 2c9f046bc377efd1f5e26e74817d5f96e9506c86
+References: jsc#SLE-8371 bsc#1153274
+
+The capabilities can change after firmware upgrade/downgrade, so we
+should get the up-to-date RoCE capabilities everytime bnxt_ulp_probe()
+is called.
+
+Fixes: 2151fe0830fd ("bnxt_en: Handle RESET_NOTIFY async event from firmware.")
+Reviewed-by: Somnath Kotur
+Reviewed-by: Edwin Peer
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+@@ -479,15 +479,16 @@ struct bnxt_en_dev *bnxt_ulp_probe(struc
+ if (!edev)
+ return ERR_PTR(-ENOMEM);
+ edev->en_ops = &bnxt_en_ops_tbl;
+- if (bp->flags & BNXT_FLAG_ROCEV1_CAP)
+- edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP;
+- if (bp->flags & BNXT_FLAG_ROCEV2_CAP)
+- edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP;
+ edev->net = dev;
+ edev->pdev = bp->pdev;
+ edev->l2_db_size = bp->db_size;
+ edev->l2_db_size_nc = bp->db_size;
+ bp->edev = edev;
+ }
++ edev->flags &= ~BNXT_EN_FLAG_ROCE_CAP;
++ if (bp->flags & BNXT_FLAG_ROCEV1_CAP)
++ edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP;
++ if (bp->flags & BNXT_FLAG_ROCEV2_CAP)
++ edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP;
+ return bp->edev;
+ }
diff --git a/patches.suse/bnxt_en-don-t-disable-an-already-disabled-PCI-device.patch b/patches.suse/bnxt_en-don-t-disable-an-already-disabled-PCI-device.patch
new file mode 100644
index 0000000..0ac3bc4
--- /dev/null
+++ b/patches.suse/bnxt_en-don-t-disable-an-already-disabled-PCI-device.patch
@@ -0,0 +1,34 @@
+From: Kalesh AP
+Date: Sun, 18 Jul 2021 15:36:25 -0400
+Subject: bnxt_en: don't disable an already disabled PCI device
+Patch-mainline: v5.14-rc3
+Git-commit: c81cfb6256d90ea5ba4a6fb280ea3b171be4e05c
+References: git-fixes
+
+If device is already disabled in reset path and PCI io error is
+detected before the device could be enabled, driver could
+call pci_disable_device() for already disabled device. Fix this
+problem by calling pci_disable_device() only if the device is already
+enabled.
+
+Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.")
+Signed-off-by: Kalesh AP
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -12170,7 +12170,8 @@ static pci_ers_result_t bnxt_io_error_de
+ if (netif_running(netdev))
+ bnxt_close(netdev);
+
+- pci_disable_device(pdev);
++ if (pci_is_enabled(pdev))
++ pci_disable_device(pdev);
+ bnxt_free_ctx_mem(bp);
+ kfree(bp->ctx);
+ bp->ctx = NULL;
diff --git a/patches.suse/can-ems_usb-fix-memory-leak.patch b/patches.suse/can-ems_usb-fix-memory-leak.patch
new file mode 100644
index 0000000..adcc8b4
--- /dev/null
+++ b/patches.suse/can-ems_usb-fix-memory-leak.patch
@@ -0,0 +1,98 @@
+From 9969e3c5f40c166e3396acc36c34f9de502929f6 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Tue, 27 Jul 2021 20:00:33 +0300
+Subject: [PATCH] can: ems_usb: fix memory leak
+Git-commit: 9969e3c5f40c166e3396acc36c34f9de502929f6
+Patch-mainline: v5.14-rc4
+References: git-fixes
+
+In ems_usb_start() MAX_RX_URBS coherent buffers are allocated and
+there is nothing, that frees them:
+
+1) In callback function the urb is resubmitted and that's all
+2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER
+ is not set (see ems_usb_start) and this flag cannot be used with
+ coherent buffers.
+
+So, all allocated buffers should be freed with usb_free_coherent()
+explicitly.
+
+Side note: This code looks like a copy-paste of other can drivers. The
+same patch was applied to mcba_usb driver and it works nice with real
+hardware. There is no change in functionality, only clean-up code for
+coherent buffers.
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Link: https://lore.kernel.org/r/59aa9fbc9a8cbf9af2bbd2f61a659c480b415800.1627404470.git.paskripkin@gmail.com
+Cc: linux-stable
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Marc Kleine-Budde
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/can/usb/ems_usb.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c
+index 0a37af4a3fa4..2b5302e72435 100644
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -255,6 +255,8 @@ struct ems_usb {
+ unsigned int free_slots; /* remember number of available slots */
+
+ struct ems_cpc_msg active_params; /* active controller parameters */
++ void *rxbuf[MAX_RX_URBS];
++ dma_addr_t rxbuf_dma[MAX_RX_URBS];
+ };
+
+ static void ems_usb_read_interrupt_callback(struct urb *urb)
+@@ -587,6 +589,7 @@ static int ems_usb_start(struct ems_usb *dev)
+ for (i = 0; i < MAX_RX_URBS; i++) {
+ struct urb *urb = NULL;
+ u8 *buf = NULL;
++ dma_addr_t buf_dma;
+
+ /* create a URB, and a buffer for it */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -596,7 +599,7 @@ static int ems_usb_start(struct ems_usb *dev)
+ }
+
+ buf = usb_alloc_coherent(dev->udev, RX_BUFFER_SIZE, GFP_KERNEL,
+- &urb->transfer_dma);
++ &buf_dma);
+ if (!buf) {
+ netdev_err(netdev, "No memory left for USB buffer\n");
+ usb_free_urb(urb);
+@@ -604,6 +607,8 @@ static int ems_usb_start(struct ems_usb *dev)
+ break;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, dev->udev, usb_rcvbulkpipe(dev->udev, 2),
+ buf, RX_BUFFER_SIZE,
+ ems_usb_read_bulk_callback, dev);
+@@ -619,6 +624,9 @@ static int ems_usb_start(struct ems_usb *dev)
+ break;
+ }
+
++ dev->rxbuf[i] = buf;
++ dev->rxbuf_dma[i] = buf_dma;
++
+ /* Drop reference, USB core will take care of freeing it */
+ usb_free_urb(urb);
+ }
+@@ -684,6 +692,10 @@ static void unlink_all_urbs(struct ems_usb *dev)
+
+ usb_kill_anchored_urbs(&dev->rx_submitted);
+
++ for (i = 0; i < MAX_RX_URBS; ++i)
++ usb_free_coherent(dev->udev, RX_BUFFER_SIZE,
++ dev->rxbuf[i], dev->rxbuf_dma[i]);
++
+ usb_kill_anchored_urbs(&dev->tx_submitted);
+ atomic_set(&dev->active_tx_urbs, 0);
+
+--
+2.26.2
+
diff --git a/patches.suse/can-esd_usb2-fix-memory-leak.patch b/patches.suse/can-esd_usb2-fix-memory-leak.patch
new file mode 100644
index 0000000..61d4936
--- /dev/null
+++ b/patches.suse/can-esd_usb2-fix-memory-leak.patch
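Review bot: The free loop added to unlink_all_urbs() leaves dev->rxbuf[i] and dev->rxbuf_dma[i] holding the freed addresses, so a second call would hand the same buffers to usb_free_coherent() again. Whether unlink_all_urbs() can run more than once per start (for example from both a close path and a disconnect path) is not visible in this hunk and should be checked; slots that ems_usb_start() never filled after an early `break` also depend on the private struct having been zero-initialised. Clearing each slot after the free makes the loop safe to repeat: put the body in braces and add `dev->rxbuf[i] = NULL;` and `dev->rxbuf_dma[i] = 0;` after the usb_free_coherent() call. The same loop is added to unlink_all_urbs() by the esd_usb2 and usb_8dev patches further down, and the same remark applies there.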
@@ -0,0 +1,102 @@
+From 928150fad41ba16df7fcc9f7f945747d0f56cbb6 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Tue, 27 Jul 2021 20:00:46 +0300
+Subject: [PATCH] can: esd_usb2: fix memory leak
+Git-commit: 928150fad41ba16df7fcc9f7f945747d0f56cbb6
+Patch-mainline: v5.14-rc4
+References: git-fixes
+
+In esd_usb2_setup_rx_urbs() MAX_RX_URBS coherent buffers are allocated
+and there is nothing, that frees them:
+
+1) In callback function the urb is resubmitted and that's all
+2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER
+ is not set (see esd_usb2_setup_rx_urbs) and this flag cannot be used
+ with coherent buffers.
+
+So, all allocated buffers should be freed with usb_free_coherent()
+explicitly.
+
+Side note: This code looks like a copy-paste of other can drivers. The
+same patch was applied to mcba_usb driver and it works nice with real
+hardware. There is no change in functionality, only clean-up code for
+coherent buffers.
+
+Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
+Link: https://lore.kernel.org/r/b31b096926dcb35998ad0271aac4b51770ca7cc8.1627404470.git.paskripkin@gmail.com
+Cc: linux-stable
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Marc Kleine-Budde
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/can/usb/esd_usb2.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
+index 65b58f8fc328..66fa8b07c2e6 100644
+--- a/drivers/net/can/usb/esd_usb2.c
++++ b/drivers/net/can/usb/esd_usb2.c
+@@ -195,6 +195,8 @@ struct esd_usb2 {
+ int net_count;
+ u32 version;
+ int rxinitdone;
++ void *rxbuf[MAX_RX_URBS];
++ dma_addr_t rxbuf_dma[MAX_RX_URBS];
+ };
+
+ struct esd_usb2_net_priv {
+@@ -545,6 +547,7 @@ static int esd_usb2_setup_rx_urbs(struct esd_usb2 *dev)
+ for (i = 0; i < MAX_RX_URBS; i++) {
+ struct urb *urb = NULL;
+ u8 *buf = NULL;
++ dma_addr_t buf_dma;
+
+ /* create a URB, and a buffer for it */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -554,7 +557,7 @@ static int esd_usb2_setup_rx_urbs(struct esd_usb2 *dev)
+ }
+
+ buf = usb_alloc_coherent(dev->udev, RX_BUFFER_SIZE, GFP_KERNEL,
+- &urb->transfer_dma);
++ &buf_dma);
+ if (!buf) {
+ dev_warn(dev->udev->dev.parent,
+ "No memory left for USB buffer\n");
+@@ -562,6 +565,8 @@ static int esd_usb2_setup_rx_urbs(struct esd_usb2 *dev)
+ goto freeurb;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, dev->udev,
+ usb_rcvbulkpipe(dev->udev, 1),
+ buf, RX_BUFFER_SIZE,
+@@ -574,8 +579,12 @@ static int esd_usb2_setup_rx_urbs(struct esd_usb2 *dev)
+ usb_unanchor_urb(urb);
+ usb_free_coherent(dev->udev, RX_BUFFER_SIZE, buf,
+ urb->transfer_dma);
++ goto freeurb;
+ }
+
++ dev->rxbuf[i] = buf;
++ dev->rxbuf_dma[i] = buf_dma;
++
+ freeurb:
+ /* Drop reference, USB core will take care of freeing it */
+ usb_free_urb(urb);
+@@ -663,6 +672,11 @@ static void unlink_all_urbs(struct esd_usb2 *dev)
+ int i, j;
+
+ usb_kill_anchored_urbs(&dev->rx_submitted);
++
++ for (i = 0; i < MAX_RX_URBS; ++i)
++ usb_free_coherent(dev->udev, RX_BUFFER_SIZE,
++ dev->rxbuf[i], dev->rxbuf_dma[i]);
++
+ for (i = 0; i < dev->net_count; i++) {
+ priv = dev->nets[i];
+ if (priv) {
+--
+2.26.2
+
diff --git a/patches.suse/can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch b/patches.suse/can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch
new file mode 100644
index 0000000..b27d546
--- /dev/null
+++ b/patches.suse/can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch
@@ -0,0 +1,38 @@
+From f6b3c7848e66e9046c8a79a5b88fd03461cc252b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 29 Jul 2021 17:12:46 +0300
+Subject: [PATCH] can: hi311x: fix a signedness bug in hi3110_cmd()
+Git-commit: f6b3c7848e66e9046c8a79a5b88fd03461cc252b
+Patch-mainline: v5.14-rc4
+References: git-fixes
+
+The hi3110_cmd() is supposed to return zero on success and negative
+error codes on failure, but it was accidentally declared as a u8 when
+it needs to be an int type.
+
+Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver")
+Link: https://lore.kernel.org/r/20210729141246.GA1267@kili
+Signed-off-by: Dan Carpenter
+Signed-off-by: Marc Kleine-Budde
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/can/spi/hi311x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c
+index dd17b8c53e1c..89d9c986a229 100644
+--- a/drivers/net/can/spi/hi311x.c
++++ b/drivers/net/can/spi/hi311x.c
+@@ -218,7 +218,7 @@ static int hi3110_spi_trans(struct spi_device *spi, int len)
+ return ret;
+ }
+
+-static u8 hi3110_cmd(struct spi_device *spi, u8 command)
++static int hi3110_cmd(struct spi_device *spi, u8 command)
+ {
+ struct hi3110_priv *priv = spi_get_drvdata(spi);
+
+--
+2.26.2
+
diff --git a/patches.suse/can-mcba_usb_start-add-missing-urb-transfer_dma-init.patch b/patches.suse/can-mcba_usb_start-add-missing-urb-transfer_dma-init.patch
new file mode 100644
index 0000000..fb5fbe9
--- /dev/null
+++ b/patches.suse/can-mcba_usb_start-add-missing-urb-transfer_dma-init.patch
@@ -0,0 +1,57 @@
+From fc43fb69a7af92839551f99c1a96a37b77b3ae7a Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Sun, 25 Jul 2021 13:36:30 +0300
+Subject: [PATCH] can: mcba_usb_start(): add missing urb->transfer_dma initialization
+Git-commit: fc43fb69a7af92839551f99c1a96a37b77b3ae7a
+Patch-mainline: v5.14-rc4
+References: git-fixes
+
+Yasushi reported, that his Microchip CAN Analyzer stopped working
+since commit 91c02557174b ("can: mcba_usb: fix memory leak in
+mcba_usb"). The problem was in missing urb->transfer_dma
+initialization.
+
+In my previous patch to this driver I refactored mcba_usb_start() code
+to avoid leaking usb coherent buffers. To archive it, I passed local
+stack variable to usb_alloc_coherent() and then saved it to private
+array to correctly free all coherent buffers on ->close() call. But I
+forgot to initialize urb->transfer_dma with variable passed to
+usb_alloc_coherent().
+
+All of this was causing device to not work, since dma addr 0 is not
+valid and following log can be found on bug report page, which points
+exactly to problem described above.
+
+| DMAR: [DMA Write] Request device [00:14.0] PASID ffffffff fault addr 0 [fault reason 05] PTE Write access is not set
+
+Fixes: 91c02557174b ("can: mcba_usb: fix memory leak in mcba_usb")
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990850
+Link: https://lore.kernel.org/r/20210725103630.23864-1-paskripkin@gmail.com
+Cc: linux-stable
+Reported-by: Yasushi SHOJI
+Signed-off-by: Pavel Skripkin
+Tested-by: Yasushi SHOJI
+[mkl: fixed typos in commit message - thanks Yasushi SHOJI]
+Signed-off-by: Marc Kleine-Budde
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/can/usb/mcba_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
+index a45865bd7254..a1a154c08b7f 100644
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -653,6 +653,8 @@ static int mcba_usb_start(struct mcba_priv *priv)
+ break;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, priv->udev,
+ usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_IN),
+ buf, MCBA_USB_RX_BUFF_SIZE,
+--
+2.26.2
+
diff --git a/patches.suse/can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-UA.patch b/patches.suse/can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-UA.patch
new file mode 100644
index 0000000..80306b8
--- /dev/null
+++ b/patches.suse/can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-UA.patch
@@ -0,0 +1,168 @@
+From 54f93336d000229f72c26d8a3f69dd256b744528 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan
+Date: Thu, 22 Jul 2021 15:08:19 +0800
+Subject: [PATCH] can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
+Git-commit: 54f93336d000229f72c26d8a3f69dd256b744528
+Patch-mainline: v5.14-rc4
+References: git-fixes
+
+We get a bug during ltp can_filter test as following.
+
+===========================================
+[60919.264984] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+[60919.265223] PGD 8000003dda726067 P4D 8000003dda726067 PUD 3dda727067 PMD 0
+[60919.265443] Oops: 0000 [#1] SMP PTI
+[60919.265550] CPU: 30 PID: 3638365 Comm: can_filter Kdump: loaded Tainted: G W 4.19.90+ #1
+[60919.266068] RIP: 0010:selinux_socket_sock_rcv_skb+0x3e/0x200
+[60919.293289] RSP: 0018:ffff8d53bfc03cf8 EFLAGS: 00010246
+[60919.307140] RAX: 0000000000000000 RBX: 000000000000001d RCX: 0000000000000007
+[60919.320756] RDX: 0000000000000001 RSI: ffff8d5104a8ed00 RDI: ffff8d53bfc03d30
+[60919.334319] RBP: ffff8d9338056800 R08: ffff8d53bfc29d80 R09: 0000000000000001
+[60919.347969] R10: ffff8d53bfc03ec0 R11: ffffb8526ef47c98 R12: ffff8d53bfc03d30
+[60919.350320] perf: interrupt took too long (3063 > 2500), lowering kernel.perf_event_max_sample_rate to 65000
+[60919.361148] R13: 0000000000000001 R14: ffff8d53bcf90000 R15: 0000000000000000
+[60919.361151] FS: 00007fb78b6b3600(0000) GS:ffff8d53bfc00000(0000) knlGS:0000000000000000
+[60919.400812] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[60919.413730] CR2: 0000000000000010 CR3: 0000003e3f784006 CR4: 00000000007606e0
+[60919.426479] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[60919.439339] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[60919.451608] PKRU: 55555554
+[60919.463622] Call Trace:
+[60919.475617]
+[60919.487122] ? update_load_avg+0x89/0x5d0
+[60919.498478] ? update_load_avg+0x89/0x5d0
+[60919.509822] ? account_entity_enqueue+0xc5/0xf0
+[60919.520709] security_sock_rcv_skb+0x2a/0x40
+[60919.531413] sk_filter_trim_cap+0x47/0x1b0
+[60919.542178] ? kmem_cache_alloc+0x38/0x1b0
+[60919.552444] sock_queue_rcv_skb+0x17/0x30
+[60919.562477] raw_rcv+0x110/0x190 [can_raw]
+[60919.572539] can_rcv_filter+0xbc/0x1b0 [can]
+[60919.582173] can_receive+0x6b/0xb0 [can]
+[60919.591595] can_rcv+0x31/0x70 [can]
+[60919.600783] __netif_receive_skb_one_core+0x5a/0x80
+[60919.609864] process_backlog+0x9b/0x150
+[60919.618691] net_rx_action+0x156/0x400
+[60919.627310] ? sched_clock_cpu+0xc/0xa0
+[60919.635714] __do_softirq+0xe8/0x2e9
+[60919.644161] do_softirq_own_stack+0x2a/0x40
+[60919.652154]
+[60919.659899] do_softirq.part.17+0x4f/0x60
+[60919.667475] __local_bh_enable_ip+0x60/0x70
+[60919.675089] __dev_queue_xmit+0x539/0x920
+[60919.682267] ? finish_wait+0x80/0x80
+[60919.689218] ? finish_wait+0x80/0x80
+[60919.695886] ? sock_alloc_send_pskb+0x211/0x230
+[60919.702395] ? can_send+0xe5/0x1f0 [can]
+[60919.708882] can_send+0xe5/0x1f0 [can]
+[60919.715037] raw_sendmsg+0x16d/0x268 [can_raw]
+
+It's because raw_setsockopt() concurrently with
+unregister_netdevice_many(). Concurrent scenario as following.
+
+ cpu0 cpu1
+raw_bind
+raw_setsockopt unregister_netdevice_many
+ unlist_netdevice
+dev_get_by_index raw_notifier
+raw_enable_filters ......
+can_rx_register
+can_rcv_list_find(..., net->can.rx_alldev_list)
+
+......
+
+sock_close
+raw_release(sock_a)
+
+......
+
+can_receive
+can_rcv_filter(net->can.rx_alldev_list, ...)
+raw_rcv(skb, sock_a)
+BUG
+
+After unlist_netdevice(), dev_get_by_index() return NULL in
+raw_setsockopt(). Function raw_enable_filters() will add sock
+and can_filter to net->can.rx_alldev_list. Then the sock is closed.
+Followed by, we sock_sendmsg() to a new vcan device use the same
+can_filter. Protocol stack match the old receiver whose sock has
+been released on net->can.rx_alldev_list in can_rcv_filter().
+Function raw_rcv() uses the freed sock. UAF BUG is triggered.
+
+We can find that the key issue is that net_device has not been
+protected in raw_setsockopt(). Use rtnl_lock to protect net_device
+in raw_setsockopt().
+
+Fixes: c18ce101f2e4 ("[CAN]: Add raw protocol")
+Link: https://lore.kernel.org/r/20210722070819.1048263-1-william.xuanziyang@huawei.com
+Cc: linux-stable
+Signed-off-by: Ziyang Xuan
+Acked-by: Oliver Hartkopp
+Signed-off-by: Marc Kleine-Budde
+Acked-by: Takashi Iwai
+
+---
+ net/can/raw.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/net/can/raw.c b/net/can/raw.c
+index ed4fcb7ab0c3..cd5a49380116 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -546,10 +546,18 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
+ return -EFAULT;
+ }
+
++ rtnl_lock();
+ lock_sock(sk);
+
+- if (ro->bound && ro->ifindex)
++ if (ro->bound && ro->ifindex) {
+ dev = dev_get_by_index(sock_net(sk), ro->ifindex);
++ if (!dev) {
++ if (count > 1)
++ kfree(filter);
++ err = -ENODEV;
++ goto out_fil;
++ }
++ }
+
+ if (ro->bound) {
+ /* (try to) register the new filters */
+@@ -588,6 +596,7 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
+ dev_put(dev);
+
+ release_sock(sk);
++ rtnl_unlock();
+
+ break;
+
+@@ -600,10 +609,16 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
+
+ err_mask &= CAN_ERR_MASK;
+
++ rtnl_lock();
+ lock_sock(sk);
+
+- if (ro->bound && ro->ifindex)
++ if (ro->bound && ro->ifindex) {
+ dev = dev_get_by_index(sock_net(sk), ro->ifindex);
++ if (!dev) {
++ err = -ENODEV;
++ goto out_err;
++ }
++ }
+
+ /* remove current error mask */
+ if (ro->bound) {
+@@ -627,6 +642,7 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
+ dev_put(dev);
+
+ release_sock(sk);
++ rtnl_unlock();
+
+ break;
+
+--
+2.26.2
+
diff --git a/patches.suse/can-usb_8dev-fix-memory-leak.patch b/patches.suse/can-usb_8dev-fix-memory-leak.patch
new file mode 100644
index 0000000..33c79a6
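Review bot: Both new -ENODEV exits in raw_setsockopt() jump to the existing `out_fil` and `out_err` labels, which lie outside the hunks shown, so the fix is only complete if each label sits above the `release_sock(sk); rtnl_unlock();` pair; otherwise the error path returns with rtnl still held. The lock order is also undocumented in the code: a comment above the first `rtnl_lock()` such as `/* rtnl before the socket lock: keeps the netdev lookup stable against a concurrent unregister */` would record the reason, which at present is written down only in the commit message. Note that the global rtnl mutex is now taken on every call to these two option branches, bound socket or not, which is a cost worth keeping in mind for a path reachable from userspace.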
--- /dev/null
+++ b/patches.suse/can-usb_8dev-fix-memory-leak.patch
@@ -0,0 +1,99 @@
+From 0e865f0c31928d6a313269ef624907eec55287c4 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Tue, 27 Jul 2021 19:59:57 +0300
+Subject: [PATCH] can: usb_8dev: fix memory leak
+Git-commit: 0e865f0c31928d6a313269ef624907eec55287c4
+Patch-mainline: v5.14-rc4
+References: git-fixes
+
+In usb_8dev_start() MAX_RX_URBS coherent buffers are allocated and
+there is nothing, that frees them:
+
+1) In callback function the urb is resubmitted and that's all
+2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER
+ is not set (see usb_8dev_start) and this flag cannot be used with
+ coherent buffers.
+
+So, all allocated buffers should be freed with usb_free_coherent()
+explicitly.
+
+Side note: This code looks like a copy-paste of other can drivers. The
+same patch was applied to mcba_usb driver and it works nice with real
+hardware. There is no change in functionality, only clean-up code for
+coherent buffers.
+
+Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
+Link: https://lore.kernel.org/r/d39b458cd425a1cf7f512f340224e6e9563b07bd.1627404470.git.paskripkin@gmail.com
+Cc: linux-stable
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Marc Kleine-Budde
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/can/usb/usb_8dev.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c
+index b6e7ef0d5bc6..d1b83bd1b3cb 100644
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -137,7 +137,8 @@ struct usb_8dev_priv {
+ u8 *cmd_msg_buffer;
+
+ struct mutex usb_8dev_cmd_lock;
+-
++ void *rxbuf[MAX_RX_URBS];
++ dma_addr_t rxbuf_dma[MAX_RX_URBS];
+ };
+
+ /* tx frame */
+@@ -733,6 +734,7 @@ static int usb_8dev_start(struct usb_8dev_priv *priv)
+ for (i = 0; i < MAX_RX_URBS; i++) {
+ struct urb *urb = NULL;
+ u8 *buf;
++ dma_addr_t buf_dma;
+
+ /* create a URB, and a buffer for it */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -742,7 +744,7 @@ static int usb_8dev_start(struct usb_8dev_priv *priv)
+ }
+
+ buf = usb_alloc_coherent(priv->udev, RX_BUFFER_SIZE, GFP_KERNEL,
+- &urb->transfer_dma);
++ &buf_dma);
+ if (!buf) {
+ netdev_err(netdev, "No memory left for USB buffer\n");
+ usb_free_urb(urb);
+@@ -750,6 +752,8 @@ static int usb_8dev_start(struct usb_8dev_priv *priv)
+ break;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, priv->udev,
+ usb_rcvbulkpipe(priv->udev,
+ USB_8DEV_ENDP_DATA_RX),
+@@ -767,6 +771,9 @@ static int usb_8dev_start(struct usb_8dev_priv *priv)
+ break;
+ }
+
++ priv->rxbuf[i] = buf;
++ priv->rxbuf_dma[i] = buf_dma;
++
+ /* Drop reference, USB core will take care of freeing it */
+ usb_free_urb(urb);
+ }
+@@ -836,6 +843,10 @@ static void unlink_all_urbs(struct usb_8dev_priv *priv)
+
+ usb_kill_anchored_urbs(&priv->rx_submitted);
+
++ for (i = 0; i < MAX_RX_URBS; ++i)
++ usb_free_coherent(priv->udev, RX_BUFFER_SIZE,
++ priv->rxbuf[i], priv->rxbuf_dma[i]);
++
+ usb_kill_anchored_urbs(&priv->tx_submitted);
+ atomic_set(&priv->active_tx_urbs, 0);
+
+--
+2.26.2
+
diff --git a/patches.suse/cxgb4-fix-IRQ-free-race-during-driver-unload.patch b/patches.suse/cxgb4-fix-IRQ-free-race-during-driver-unload.patch
new file mode 100644
index 0000000..13859cf
--- /dev/null
+++ b/patches.suse/cxgb4-fix-IRQ-free-race-during-driver-unload.patch
@@ -0,0 +1,80 @@
+From: Shahjada Abul Husain
+Date: Thu, 8 Jul 2021 21:51:56 +0530
+Subject: cxgb4: fix IRQ free race during driver unload
+Patch-mainline: v5.14-rc2
+Git-commit: 015fe6fd29c4b9ac0f61b8c4455ef88e6018b9cc
+References: git-fixes
+
+IRQs are requested during driver's ndo_open() and then later
+freed up in disable_interrupts() during driver unload.
+A race exists where driver can set the CXGB4_FULL_INIT_DONE
+flag in ndo_open() after the disable_interrupts() in driver
+unload path checks it, and hence misses calling free_irq().
+
+Fix by unregistering netdevice first and sync with driver's
+ndo_open(). This ensures disable_interrupts() checks the flag
+correctly and frees up the IRQs properly.
+
+Fixes: b37987e8db5f ("cxgb4: Disable interrupts and napi before unregistering netdev")
+Signed-off-by: Shahjada Abul Husain
+Signed-off-by: Raju Rangoju
+Signed-off-by: David S. Miller
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 18 ++++++++++--------
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 3 +++
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -2345,6 +2345,9 @@ static void detach_ulds(struct adapter *
+ {
+ unsigned int i;
+
++ if (!is_uld(adap))
++ return;
++
+ mutex_lock(&uld_mutex);
+ list_del(&adap->list_node);
+
+@@ -6596,10 +6599,13 @@ static void remove_one(struct pci_dev *p
+ */
+ destroy_workqueue(adapter->workq);
+
+- if (is_uld(adapter)) {
+- detach_ulds(adapter);
+- t4_uld_clean_up(adapter);
+- }
++ detach_ulds(adapter);
++
++ for_each_port(adapter, i)
++ if (adapter->port[i]->reg_state == NETREG_REGISTERED)
++ unregister_netdev(adapter->port[i]);
++
++ t4_uld_clean_up(adapter);
+
+ adap_free_hma_mem(adapter);
+
+@@ -6607,10 +6613,6 @@ static void remove_one(struct pci_dev *p
+
+ cxgb4_free_mps_ref_entries(adapter);
+
+- for_each_port(adapter, i)
+- if (adapter->port[i]->reg_state == NETREG_REGISTERED)
+- unregister_netdev(adapter->port[i]);
+-
+ debugfs_remove_recursive(adapter->debugfs_root);
+
+ if (!is_t4(adapter->params.chip))
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+@@ -580,6 +580,9 @@ void t4_uld_clean_up(struct adapter *ada
+ {
+ unsigned int i;
+
++ if (!is_uld(adap))
++ return;
++
+ mutex_lock(&uld_mutex);
+ for (i = 0; i < CXGB4_ULD_MAX; i++) {
+ if (!adap->uld[i].handle)
diff --git a/patches.suse/drm-Return-ENOTTY-for-non-drm-ioctls.patch b/patches.suse/drm-Return-ENOTTY-for-non-drm-ioctls.patch
new file mode 100644
index 0000000..df546ea
--- /dev/null
+++ b/patches.suse/drm-Return-ENOTTY-for-non-drm-ioctls.patch
@@ -0,0 +1,63 @@
+From 3abab27c322e0f2acf981595aa8040c9164dc9fb Mon Sep 17 00:00:00 2001
+From: Charles Baylis
+Date: Fri, 16 Jul 2021 17:43:12 +0100
+Subject: [PATCH] drm: Return -ENOTTY for non-drm ioctls
+Git-commit: 3abab27c322e0f2acf981595aa8040c9164dc9fb
+Patch-mainline: v5.14-rc3
+References: git-fixes
+
+Drm: Return -ENOTTY for non-drm ioctls
+
+Return -ENOTTY from drm_ioctl() when userspace passes in a cmd number
+which doesn't relate to the drm subsystem.
+
+Glibc uses the TCGETS ioctl to implement isatty(), and without this
+change isatty() returns it incorrectly returns true for drm devices.
+
+To test run this command:
+$ if [ -t 0 ]; then echo is a tty; fi < /dev/dri/card0
+which shows "is a tty" without this patch.
+
+This may also modify memory which the userspace application is not
+expecting.
+
+Signed-off-by: Charles Baylis
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/YPG3IBlzaMhfPqCr@stando.fishzet.co.uk
+Acked-by: Takashi Iwai
+
+---
+ drivers/gpu/drm/drm_ioctl.c | 3 +++
+ include/drm/drm_ioctl.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
+index 98ae00661656..f454e0424086 100644
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -834,6 +834,9 @@ long drm_ioctl(struct file *filp,
+ if (drm_dev_is_unplugged(dev))
+ return -ENODEV;
+
++ if (DRM_IOCTL_TYPE(cmd) != DRM_IOCTL_BASE)
++ return -ENOTTY;
++
+ is_driver_ioctl = nr >= DRM_COMMAND_BASE && nr < DRM_COMMAND_END;
+
+ if (is_driver_ioctl) {
+diff --git a/include/drm/drm_ioctl.h b/include/drm/drm_ioctl.h
+index 10100a4bbe2a..afb27cb6a7bd 100644
+--- a/include/drm/drm_ioctl.h
++++ b/include/drm/drm_ioctl.h
+@@ -68,6 +68,7 @@ typedef int drm_ioctl_compat_t(struct file *filp, unsigned int cmd,
+ unsigned long arg);
+
+ #define DRM_IOCTL_NR(n) _IOC_NR(n)
++#define DRM_IOCTL_TYPE(n) _IOC_TYPE(n)
+ #define DRM_MAJOR 226
+
+ /**
+--
+2.26.2
+
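Review bot: The new type check in drm_ioctl() carries no comment, and its reason is not obvious from the code: without it a foreign ioctl such as TCGETS is dispatched by its number alone, which is what the commit message describes. A line above the `if`, for example `/* cmd is user-controlled: refuse ioctls that are not of the DRM type before nr is used for dispatch */`, would keep the check from being dropped in a later cleanup. It also sits after the `drm_dev_is_unplugged()` test, so a non-DRM ioctl on an unplugged device still returns -ENODEV rather than -ENOTTY; placing the type check first would make the answer independent of device state. drm_ioctl() begins and continues outside this hunk, so how `nr` is bounded elsewhere cannot be confirmed from here.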
diff --git a/patches.suse/e1000e-Check-the-PCIm-state.patch b/patches.suse/e1000e-Check-the-PCIm-state.patch
new file mode 100644
index 0000000..b9f030d
--- /dev/null
+++ b/patches.suse/e1000e-Check-the-PCIm-state.patch
@@ -0,0 +1,56 @@
+From: Sasha Neftin
+Date: Thu, 24 Jun 2021 12:02:48 -0700
+Subject: e1000e: Check the PCIm state
+Patch-mainline: v5.14-rc1
+Git-commit: 2e7256f12cdb16eaa2515b6231d665044a07c51a
+References: git-fixes
+
+Complete to commit def4ec6dce393e ("e1000e: PCIm function state support")
+Check the PCIm state only on CSME systems. There is no point to do this
+check on non CSME systems.
+This patch fixes a generation a false-positive warning:
+"Error in exiting dmoff"
+
+Fixes: def4ec6dce39 ("e1000e: PCIm function state support")
+Signed-off-by: Sasha Neftin
+Tested-by: Dvora Fuxbrumer
+Signed-off-by: Tony Nguyen
+Signed-off-by: David S. Miller
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -5203,18 +5203,20 @@ static void e1000_watchdog_task(struct w
+ pm_runtime_resume(netdev->dev.parent);
+
+ /* Checking if MAC is in DMoff state*/
+- pcim_state = er32(STATUS);
+- while (pcim_state & E1000_STATUS_PCIM_STATE) {
+- if (tries++ == dmoff_exit_timeout) {
+- e_dbg("Error in exiting dmoff\n");
+- break;
+- }
+- usleep_range(10000, 20000);
++ if (er32(FWSM) & E1000_ICH_FWSM_FW_VALID) {
+ pcim_state = er32(STATUS);
++ while (pcim_state & E1000_STATUS_PCIM_STATE) {
++ if (tries++ == dmoff_exit_timeout) {
++ e_dbg("Error in exiting dmoff\n");
++ break;
++ }
++ usleep_range(10000, 20000);
++ pcim_state = er32(STATUS);
+
+- /* Checking if MAC exited DMoff state */
+- if (!(pcim_state & E1000_STATUS_PCIM_STATE))
+- e1000_phy_hw_reset(&adapter->hw);
++ /* Checking if MAC exited DMoff state */
++ if (!(pcim_state & E1000_STATUS_PCIM_STATE))
++ e1000_phy_hw_reset(&adapter->hw);
++ }
+ }
+
+ /* update snapshot of PHY registers on LSC */
diff --git a/patches.suse/e1000e-Fix-an-error-handling-path-in-e1000_probe.patch b/patches.suse/e1000e-Fix-an-error-handling-path-in-e1000_probe.patch
new file mode 100644
index 0000000..35a89ea
--- /dev/null
+++ b/patches.suse/e1000e-Fix-an-error-handling-path-in-e1000_probe.patch
@@ -0,0 +1,31 @@
+From: Christophe JAILLET
+Date: Wed, 16 Jun 2021 07:05:53 +0200
+Subject: e1000e: Fix an error handling path in 'e1000_probe()'
+Patch-mainline: v5.14-rc2
+Git-commit: 4589075608420bc49fcef6e98279324bf2bb91ae
+References: git-fixes
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 111b9dc5c981 ("e1000e: add aer support")
+Signed-off-by: Christophe JAILLET
+Acked-by: Sasha Neftin
+Tested-by: Dvora Fuxbrumer
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -7590,6 +7590,7 @@ err_flashmap:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
diff --git a/patches.suse/firmware-arm_scmi-Fix-possible-scmi_linux_errmap-buf.patch b/patches.suse/firmware-arm_scmi-Fix-possible-scmi_linux_errmap-buf.patch
new file mode 100644
index 0000000..6f37f75
--- /dev/null
+++ b/patches.suse/firmware-arm_scmi-Fix-possible-scmi_linux_errmap-buf.patch
@@ -0,0 +1,57 @@
+From 7a691f16ccad05d770f813d9c4b4337a30c6d63f Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Wed, 7 Jul 2021 14:50:28 +0100
+Subject: [PATCH] firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow
+Git-commit: 7a691f16ccad05d770f813d9c4b4337a30c6d63f
+Patch-mainline: v5.14-rc2
+References: git-fixes
+
+The scmi_linux_errmap buffer access index is supposed to depend on the
+array size to prevent element out of bounds access. It uses SCMI_ERR_MAX
+to check bounds but that can mismatch with the array size. It also
+changes the success into -EIO though scmi_linux_errmap is never used in
+case of success, it is expected to work for success case too.
+
+It is slightly confusing code as the negative of the error code
+is used as index to the buffer. Fix it by negating it at the start and
+make it more readable.
+
+Link: https://lore.kernel.org/r/20210707135028.1869642-1-sudeep.holla@arm.com
+Reported-by: kernel test robot
+Reported-by: Dan Carpenter
+Reviewed-by: Cristian Marussi
+Signed-off-by: Sudeep Holla
+Acked-by: Takashi Iwai
+
+---
+ drivers/firmware/arm_scmi/driver.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
+index 66e5e694be7d..36d80661d473 100644
+--- a/drivers/firmware/arm_scmi/driver.c
++++ b/drivers/firmware/arm_scmi/driver.c
+@@ -47,7 +47,6 @@ enum scmi_error_codes {
+ SCMI_ERR_GENERIC = -8, /* Generic Error */
+ SCMI_ERR_HARDWARE = -9, /* Hardware Error */
+ SCMI_ERR_PROTOCOL = -10,/* Protocol Error */
+- SCMI_ERR_MAX
+ };
+
+ /* List of all SCMI devices active in system */
+@@ -166,8 +165,10 @@ static const int scmi_linux_errmap[] = {
+
+ static inline int scmi_to_linux_errno(int errno)
+ {
+- if (errno < SCMI_SUCCESS && errno > SCMI_ERR_MAX)
+- return scmi_linux_errmap[-errno];
++ int err_idx = -errno;
++
++ if (err_idx >= SCMI_SUCCESS && err_idx < ARRAY_SIZE(scmi_linux_errmap))
++ return scmi_linux_errmap[err_idx];
+ return -EIO;
+ }
+
+--
+2.26.2
+
diff --git a/patches.suse/firmware-arm_scmi-Fix-range-check-for-the-maximum-nu.patch b/patches.suse/firmware-arm_scmi-Fix-range-check-for-the-maximum-nu.patch
new file mode 100644
index 0000000..a02616e
--- /dev/null
+++ b/patches.suse/firmware-arm_scmi-Fix-range-check-for-the-maximum-nu.patch
@@ -0,0 +1,40 @@
+From bdb8742dc6f7c599c3d61959234fe4c23638727b Mon Sep 17 00:00:00 2001
+From: Cristian Marussi
+Date: Mon, 12 Jul 2021 15:18:18 +0100
+Subject: [PATCH] firmware: arm_scmi: Fix range check for the maximum number of pending messages
+Git-commit: bdb8742dc6f7c599c3d61959234fe4c23638727b
+Patch-mainline: v5.14-rc2
+References: git-fixes
+
+SCMI message headers carry a sequence number and such field is sized to
+allow for MSG_TOKEN_MAX distinct numbers; moreover zero is not really an
+acceptable maximum number of pending in-flight messages.
+
+Fix accordingly the checks performed on the value exported by transports
+in scmi_desc.max_msg
+
+Link: https://lore.kernel.org/r/20210712141833.6628-3-cristian.marussi@arm.com
+Reported-by: Vincent Guittot
+Signed-off-by: Cristian Marussi
+[sudeep.holla: updated the patch title and error message]
+Signed-off-by: Sudeep Holla
+Acked-by: Takashi Iwai
+
+---
+ drivers/firmware/arm_scmi/driver.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/arm_scmi/driver.c
++++ b/drivers/firmware/arm_scmi/driver.c
+@@ -629,8 +629,9 @@ static int scmi_xfer_info_init(struct sc
+ struct scmi_xfers_info *info = &sinfo->minfo;
+
+ /* Pre-allocated messages, no more than what hdr.seq can support */
+- if (WARN_ON(desc->max_msg >= MSG_TOKEN_MAX)) {
+- dev_err(dev, "Maximum message of %d exceeds supported %ld\n",
++ if (WARN_ON(!desc->max_msg || desc->max_msg > MSG_TOKEN_MAX)) {
++ dev_err(dev,
++ "Invalid maximum messages %d, not in range [1 - %lu]\n",
+ desc->max_msg, MSG_TOKEN_MAX);
+ return -EINVAL;
+ }
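Review bot: In scmi_to_linux_errno() (the errmap patch, second inner hunk) `int err_idx = -errno;` negates the value before any range check, so INT_MIN is only handled correctly because of how the kernel is built, and the following test compares an index against the status constant `SCMI_SUCCESS` and a signed `int` against the unsigned `ARRAY_SIZE()`. Checking the range on the unnegated value avoids all of that: `if (errno <= 0 && errno > -(int)ARRAY_SIZE(scmi_linux_errmap))` followed by `return scmi_linux_errmap[-errno];`. The status presumably comes from a platform firmware reply, so the bound is worth keeping free of implicit conversions.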
diff --git a/patches.suse/firmware-efi-Tell-memblock-about-EFI-iomem-reservati.patch b/patches.suse/firmware-efi-Tell-memblock-about-EFI-iomem-reservati.patch
new file mode 100644
index 0000000..e107d7c
--- /dev/null
+++ b/patches.suse/firmware-efi-Tell-memblock-about-EFI-iomem-reservati.patch
@@ -0,0 +1,71 @@
+From 2bab693a608bdf614b9fcd44083c5100f34b9f77 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Tue, 13 Jul 2021 19:43:26 +0100
+Subject: [PATCH] firmware/efi: Tell memblock about EFI iomem reservations
+Git-commit: 2bab693a608bdf614b9fcd44083c5100f34b9f77
+Patch-mainline: v5.14-rc3
+References: git-fixes
+
+kexec_load_file() relies on the memblock infrastructure to avoid
+stamping over regions of memory that are essential to the survival
+of the system.
+
+However, nobody seems to agree how to flag these regions as reserved,
+and (for example) EFI only publishes its reservations in /proc/iomem
+for the benefit of the traditional, userspace based kexec tool.
+
+On arm64 platforms with GICv3, this can result in the payload being
+placed at the location of the LPI tables. Shock, horror!
+
+Let's augment the EFI reservation code with a memblock_reserve() call,
+protecting our dear tables from the secondary kernel invasion.
+
+Reported-by: Moritz Fischer
+Tested-by: Moritz Fischer
+Signed-off-by: Marc Zyngier
+Cc: stable@vger.kernel.org
+Cc: Ard Biesheuvel
+Cc: James Morse
+Cc: Catalin Marinas
+Cc: Will Deacon
+Signed-off-by: Ard Biesheuvel
+Acked-by: Takashi Iwai
+
+---
+ drivers/firmware/efi/efi.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index 4b7ee3fa9224..847f33ffc4ae 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -896,6 +896,7 @@ static int __init efi_memreserve_map_root(void)
+ static int efi_mem_reserve_iomem(phys_addr_t addr, u64 size)
+ {
+ struct resource *res, *parent;
++ int ret;
+
+ res = kzalloc(sizeof(struct resource), GFP_ATOMIC);
+ if (!res)
+@@ -908,7 +909,17 @@ static int efi_mem_reserve_iomem(phys_addr_t addr, u64 size)
+
+ /* we expect a conflict with a 'System RAM' region */
+ parent = request_resource_conflict(&iomem_resource, res);
+- return parent ? request_resource(parent, res) : 0;
++ ret = parent ? request_resource(parent, res) : 0;
++
++ /*
++ * Given that efi_mem_reserve_iomem() can be called at any
++ * time, only call memblock_reserve() if the architecture
++ * keeps the infrastructure around.
++ */
++ if (IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK) && !ret)
++ memblock_reserve(addr, size);
++
++ return ret;
+ }
+
+ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size)
+--
+2.26.2
+
diff --git a/patches.suse/i40e-Fix-autoneg-disabling-for-non-10GBaseT-links.patch b/patches.suse/i40e-Fix-autoneg-disabling-for-non-10GBaseT-links.patch
new file mode 100644
index 0000000..387517e
--- /dev/null
+++ b/patches.suse/i40e-Fix-autoneg-disabling-for-non-10GBaseT-links.patch
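Review bot: In efi_mem_reserve_iomem() the result of `memblock_reserve(addr, size);` is dropped, so a failed reservation still returns 0 and leaves the region exposed to the kexec placement problem the commit message describes. At minimum log it, e.g. `if (memblock_reserve(addr, size)) pr_warn("efi: memblock_reserve failed for %pa\n", &addr);`, or propagate the error if the callers can act on it. Also, as far as the two inner hunks show, `res` from `kzalloc()` is not freed when `request_resource()` returns non-zero; the lines between the hunks are not visible, so confirm that before adding a `kfree(res)` on that path.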
@@ -0,0 +1,34 @@
+From: Mateusz Palczewski
+Date: Wed, 10 Mar 2021 11:12:54 +0000
+Subject: i40e: Fix autoneg disabling for non-10GBaseT links
+Patch-mainline: v5.14-rc1
+Git-commit: 9262793e59f0423437166a879a73d056b1fe6f9a
+References: git-fixes
+
+Disabling autonegotiation was allowed only for 10GBaseT PHY.
+The condition was changed to check if link media type is BaseT.
+
+Fixes: 3ce12ee9d8f9 ("i40e: Fix order of checks when enabling/disabling autoneg in ethtool")
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Karen Sornek
+Signed-off-by: Dawid Lukwinski
+Signed-off-by: Mateusz Palczewski
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -1259,8 +1259,7 @@ static int i40e_set_link_ksettings(struc
+ if (ethtool_link_ksettings_test_link_mode(&safe_ks,
+ supported,
+ Autoneg) &&
+- hw->phy.link_info.phy_type !=
+- I40E_PHY_TYPE_10GBASE_T) {
++ hw->phy.media_type != I40E_MEDIA_TYPE_BASET) {
+ netdev_info(netdev, "Autoneg cannot be disabled on this phy\n");
+ err = -EINVAL;
+ goto done;
diff --git a/patches.suse/i40e-Fix-error-handling-in-i40e_vsi_open.patch b/patches.suse/i40e-Fix-error-handling-in-i40e_vsi_open.patch
new file mode 100644
index 0000000..829f29f
--- /dev/null
+++ b/patches.suse/i40e-Fix-error-handling-in-i40e_vsi_open.patch
@@ -0,0 +1,31 @@
+From: Dinghao Liu
+Date: Sun, 28 Feb 2021 19:50:58 +0800
+Subject: i40e: Fix error handling in i40e_vsi_open
+Patch-mainline: v5.14-rc1
+Git-commit: 9c04cfcd4aad232e36306cdc5c74cd9fc9148a7e
+References: git-fixes
+
+When vsi->type == I40E_VSI_FDIR, we have caught the return value of
+i40e_vsi_request_irq() but without further handling. Check and execute
+memory clean on failure just like the other i40e_vsi_request_irq().
+
+Fixes: 8a9eb7d3cbcab ("i40e: rework fdir setup and teardown")
+Signed-off-by: Dinghao Liu
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -8303,6 +8303,8 @@ int i40e_vsi_open(struct i40e_vsi *vsi)
+ dev_driver_string(&pf->pdev->dev),
+ dev_name(&pf->pdev->dev));
+ err = i40e_vsi_request_irq(vsi, int_name);
++ if (err)
++ goto err_setup_rx;
+
+ } else {
+ err = -EINVAL;
diff --git a/patches.suse/iavf-Fix-an-error-handling-path-in-iavf_probe.patch b/patches.suse/iavf-Fix-an-error-handling-path-in-iavf_probe.patch
new file mode 100644
index 0000000..ec050d4
--- /dev/null
+++ b/patches.suse/iavf-Fix-an-error-handling-path-in-iavf_probe.patch
@@ -0,0 +1,29 @@
+From: Christophe JAILLET
+Date: Wed, 16 Jun 2021 07:53:02 +0200
+Subject: iavf: Fix an error handling path in 'iavf_probe()'
+Patch-mainline: v5.14-rc2
+Git-commit: af30cbd2f4d6d66a9b6094e0aa32420bc8b20e08
+References: git-fixes
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 5eae00c57f5e ("i40evf: main driver core")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -3762,6 +3762,7 @@ static int iavf_probe(struct pci_dev *pd
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+ err_pci_reg:
+ err_dma:
diff --git a/patches.suse/igb-Check-if-num-of-q_vectors-is-smaller-than-max-be.patch b/patches.suse/igb-Check-if-num-of-q_vectors-is-smaller-than-max-be.patch
new file mode 100644
index 0000000..3476cff
--- /dev/null
+++ b/patches.suse/igb-Check-if-num-of-q_vectors-is-smaller-than-max-be.patch
@@ -0,0 +1,52 @@
+From: Aleksandr Loktionov
+Date: Thu, 22 Apr 2021 10:19:23 +0000
+Subject: igb: Check if num of q_vectors is smaller than max before array
+ access
+Patch-mainline: v5.14-rc2
+Git-commit: 6c19d772618fea40d9681f259368f284a330fd90
+References: git-fixes
+
+Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed
+beyond its size. It was fixed by using a local variable num_q_vectors
+as a limit for loop index, and ensure that num_q_vectors is not bigger
+than MAX_Q_VECTORS.
+
+Fixes: 047e0030f1e6 ("igb: add new data structure for handling interrupts and NAPI")
+Signed-off-by: Aleksandr Loktionov
+Reviewed-by: Grzegorz Siwik
+Reviewed-by: Arkadiusz Kubalewski
+Reviewed-by: Slawomir Laba
+Reviewed-by: Sylwester Dziedziuch
+Reviewed-by: Mateusz Palczewski
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -940,6 +940,7 @@ static void igb_configure_msix(struct ig
+ **/
+ static int igb_request_msix(struct igb_adapter *adapter)
+ {
++ unsigned int num_q_vectors = adapter->num_q_vectors;
+ struct net_device *netdev = adapter->netdev;
+ int i, err = 0, vector = 0, free_vector = 0;
+
+@@ -948,7 +949,13 @@ static int igb_request_msix(struct igb_a
+ if (err)
+ goto err_out;
+
+- for (i = 0; i < adapter->num_q_vectors; i++) {
++ if (num_q_vectors > MAX_Q_VECTORS) {
++ num_q_vectors = MAX_Q_VECTORS;
++ dev_warn(&adapter->pdev->dev,
++ "The number of queue vectors (%d) is higher than max allowed (%d)\n",
++ adapter->num_q_vectors, MAX_Q_VECTORS);
++ }
++ for (i = 0; i < num_q_vectors; i++) {
+ struct igb_q_vector *q_vector = adapter->q_vector[i];
+
+ vector++;
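Review bot: In igb_request_msix() the clamp protects only this one loop: `adapter->num_q_vectors` itself stays above MAX_Q_VECTORS, so any other loop over `adapter->q_vector[]` that uses the field as its bound (none is visible in this hunk) would still run past the array. Rejecting the value where it is assigned, or bailing out here with `err = -EINVAL; goto err_out;`, keeps the adapter state consistent instead of continuing with a truncated vector count. The `dev_warn()` also prints `adapter->num_q_vectors` with `%d` although the new local copies it into an `unsigned int`; `%u` is the matching specifier if the field is unsigned. The function body continues past the end of the hunk.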
diff --git a/patches.suse/igb-Fix-an-error-handling-path-in-igb_probe.patch b/patches.suse/igb-Fix-an-error-handling-path-in-igb_probe.patch
new file mode 100644
index 0000000..fdf4a22
--- /dev/null
+++ b/patches.suse/igb-Fix-an-error-handling-path-in-igb_probe.patch
@@ -0,0 +1,30 @@
+From: Christophe JAILLET
+Date: Sat, 12 Jun 2021 22:08:33 +0200
+Subject: igb: Fix an error handling path in 'igb_probe()'
+Patch-mainline: v5.14-rc2
+Git-commit: fea03b1cebd653cd095f2e9a58cfe1c85661c363
+References: git-fixes
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 40a914fa72ab ("igb: Add support for pci-e Advanced Error Reporting")
+Signed-off-by: Christophe JAILLET
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3470,6 +3470,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
diff --git a/patches.suse/igb-Fix-position-of-assignment-to-ring.patch b/patches.suse/igb-Fix-position-of-assignment-to-ring.patch
new file mode 100644
index 0000000..82dd403
--- /dev/null
+++ b/patches.suse/igb-Fix-position-of-assignment-to-ring.patch
@@ -0,0 +1,39 @@
+From: Jedrzej Jagielski
+Date: Fri, 11 Jun 2021 22:42:17 +0000
+Subject: igb: Fix position of assignment to *ring
+Patch-mainline: v5.14-rc2
+Git-commit: 382a7c20d9253bcd5715789b8179528d0f3de72c
+References: git-fixes
+
+Assignment to *ring should be done after correctness check of the
+argument queue.
+
+Fixes: 91db364236c8 ("igb: Refactor igb_configure_cbs()")
+Signed-off-by: Jedrzej Jagielski
+Acked-by: Vinicius Costa Gomes
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1694,14 +1694,15 @@ static bool is_any_txtime_enabled(struct
+ **/
+ static void igb_config_tx_modes(struct igb_adapter *adapter, int queue)
+ {
+- struct igb_ring *ring = adapter->tx_ring[queue];
+ struct net_device *netdev = adapter->netdev;
+ struct e1000_hw *hw = &adapter->hw;
++ struct igb_ring *ring;
+ u32 tqavcc, tqavctrl;
+ u16 value;
+
+ WARN_ON(hw->mac.type != e1000_i210);
+ WARN_ON(queue < 0 || queue > 1);
++ ring = adapter->tx_ring[queue];
+
+ /* If any of the Qav features is enabled, configure queues as SR and
+ * with HIGH PRIO. If none is, then configure them with LOW PRIO and
diff --git a/patches.suse/igb-Fix-use-after-free-error-during-reset.patch b/patches.suse/igb-Fix-use-after-free-error-during-reset.patch
new file mode 100644
index 0000000..e24b63f
--- /dev/null
+++ b/patches.suse/igb-Fix-use-after-free-error-during-reset.patch
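Review bot: In igb_config_tx_modes() `WARN_ON(queue < 0 || queue > 1);` only logs; execution continues and the moved `ring = adapter->tx_ring[queue];` still indexes the array with an out-of-range `queue`, so reordering the two lines does not prevent the bad access. Make the check gate the access with `if (WARN_ON(queue < 0 || queue > 1)) return;` before the assignment (the function is `void`). The function body continues past the end of the hunk.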
@@ -0,0 +1,38 @@
+From: Vinicius Costa Gomes
+Date: Thu, 13 May 2021 17:31:04 -0700
+Subject: igb: Fix use-after-free error during reset
+Patch-mainline: v5.14-rc2
+Git-commit: 7b292608db23ccbbfbfa50cdb155d01725d7a52e
+References: git-fixes
+
+Cleans the next descriptor to watch (next_to_watch) when cleaning the
+TX ring.
+
+Failure to do so can cause invalid memory accesses. If igb_poll() runs
+while the controller is reset this can lead to the driver try to free
+a skb that was already freed.
+
+(The crash is harder to reproduce with the igb driver, but the same
+potential problem exists as the code is identical to igc)
+
+Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring")
+Signed-off-by: Vinicius Costa Gomes
+Reported-by: Erez Geva
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -4678,6 +4678,8 @@ static void igb_clean_tx_ring(struct igb
+ DMA_TO_DEVICE);
+ }
+
++ tx_buffer->next_to_watch = NULL;
++
+ /* move us one more past the eop_desc for start of next pkt */
+ tx_buffer++;
+ i++;
diff --git a/patches.suse/igc-Fix-an-error-handling-path-in-igc_probe.patch b/patches.suse/igc-Fix-an-error-handling-path-in-igc_probe.patch
new file mode 100644
index 0000000..516302c
--- /dev/null
+++ b/patches.suse/igc-Fix-an-error-handling-path-in-igc_probe.patch
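Review bot: The added `tx_buffer->next_to_watch = NULL;` in igb_clean_tx_ring() (and the identical line in igc_clean_tx_ring() in the igc patch further down) carries no comment saying which reader depends on it. Going by the commit message, something like `/* clear so igb_poll() does not revisit a buffer whose skb was already freed */` would record the reason next to the store. The hunk does not show what orders this plain store against the poll path; if nothing does, the store alone may not close the window, so that is worth confirming. Both functions start and end outside their hunks.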
@@ -0,0 +1,31 @@
+From: Christophe JAILLET
+Date: Sat, 12 Jun 2021 22:00:05 +0200
+Subject: igc: Fix an error handling path in 'igc_probe()'
+Patch-mainline: v5.14-rc2
+Git-commit: c6bc9e5ce5d37cb3e6b552f41b92a193db1806ab
+References: git-fixes
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: c9a11c23ceb6 ("igc: Add netdev")
+Signed-off-by: Christophe JAILLET
+Tested-by: Dvora Fuxbrumer
+Acked-by: Sasha Neftin
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -4817,6 +4817,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
diff --git a/patches.suse/igc-Fix-use-after-free-error-during-reset.patch b/patches.suse/igc-Fix-use-after-free-error-during-reset.patch
new file mode 100644
index 0000000..b4642c9
--- /dev/null
+++ b/patches.suse/igc-Fix-use-after-free-error-during-reset.patch
@@ -0,0 +1,86 @@
+From: Vinicius Costa Gomes
+Date: Thu, 13 May 2021 17:31:03 -0700
+Subject: igc: Fix use-after-free error during reset
+Patch-mainline: v5.14-rc2
+Git-commit: 56ea7ed103b46970e171eb1c95916f393d64eeff
+References: git-fixes
+
+Cleans the next descriptor to watch (next_to_watch) when cleaning the
+TX ring.
+
+Failure to do so can cause invalid memory accesses. If igc_poll() runs
+while the controller is being reset this can lead to the driver try to
+free a skb that was already freed.
+
+Log message:
+
+ [ 101.525242] refcount_t: underflow; use-after-free.
+ [ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0
+ [ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E)
+ x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E)
+ ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E)
+ rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E)
+ soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E)
+ iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E)
+ soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E)
+ autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E)
+ i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E)
+ [ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E)
+ e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E)
+ usbcore(E) drm(E) button(E) video(E)
+ [ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe
+ [ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017
+ [ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0
+ [ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48
+ 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3
+ [ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286
+ [ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001
+ [ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff
+ [ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50
+ [ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00
+ [ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40
+ [ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000
+ [ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0
+ [ 101.525343] Call Trace:
+ [ 101.525346] sock_wfree+0x9c/0xa0
+ [ 101.525353] unix_destruct_scm+0x7b/0xa0
+ [ 101.525358] skb_release_head_state+0x40/0x90
+ [ 101.525362] skb_release_all+0xe/0x30
+ [ 101.525364] napi_consume_skb+0x57/0x160
+ [ 101.525367] igc_poll+0xb7/0xc80 [igc]
+ [ 101.525376] ? sched_clock+0x5/0x10
+ [ 101.525381] ? sched_clock_cpu+0xe/0x100
+ [ 101.525385] net_rx_action+0x14c/0x410
+ [ 101.525388] __do_softirq+0xe9/0x2f4
+ [ 101.525391] __local_bh_enable_ip+0xe3/0x110
+ [ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0
+ [ 101.525398] irq_forced_thread_fn+0x6a/0x80
+ [ 101.525401] irq_thread+0xe8/0x180
+ [ 101.525403] ? wake_threads_waitq+0x30/0x30
+ [ 101.525406] ? irq_thread_check_affinity+0xd0/0xd0
+ [ 101.525408] kthread+0x183/0x1a0
+ [ 101.525412] ? kthread_park+0x80/0x80
+ [ 101.525415] ret_from_fork+0x22/0x30
+
+Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings")
+Reported-by: Erez Geva
+Signed-off-by: Vinicius Costa Gomes
+Tested-by: Dvora Fuxbrumer
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -205,6 +205,8 @@ static void igc_clean_tx_ring(struct igc
+ DMA_TO_DEVICE);
+ }
+
++ tx_buffer->next_to_watch = NULL;
++
+ /* move us one more past the eop_desc for start of next pkt */
+ tx_buffer++;
+ i++;
diff --git a/patches.suse/igc-change-default-return-of-igc_read_phy_reg.patch b/patches.suse/igc-change-default-return-of-igc_read_phy_reg.patch
new file mode 100644
index 0000000..9897e4b
--- /dev/null
+++ b/patches.suse/igc-change-default-return-of-igc_read_phy_reg.patch
@@ -0,0 +1,38 @@
+From: Tom Rix
+Date: Fri, 21 May 2021 12:50:19 -0700
+Subject: igc: change default return of igc_read_phy_reg()
+Patch-mainline: v5.14-rc2
+Git-commit: 05682a0a61b6cbecd97a0f37f743b2cbfd516977
+References: git-fixes
+
+Static analysis reports this problem
+
+igc_main.c:4944:20: warning: The left operand of '&'
+ is a garbage value
+ if (!(phy_data & SR_1000T_REMOTE_RX_STATUS) &&
+ ~~~~~~~~ ^
+
+phy_data is set by the call to igc_read_phy_reg() only if
+there is a read_reg() op, else it is unset and a 0 is
+returned. Change the return to -EOPNOTSUPP.
+
+Fixes: 208983f099d9 ("igc: Add watchdog")
+Signed-off-by: Tom Rix
+Tested-by: Dvora Fuxbrumer
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/igc/igc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -531,7 +531,7 @@ static inline s32 igc_read_phy_reg(struc
+ if (hw->phy.ops.read_reg)
+ return hw->phy.ops.read_reg(hw, offset, data);
+
+- return 0;
++ return -EOPNOTSUPP;
+ }
+
+ void igc_reinit_locked(struct igc_adapter *);
diff --git a/patches.suse/iio-accel-bma180-Use-explicit-member-assignment.patch b/patches.suse/iio-accel-bma180-Use-explicit-member-assignment.patch
new file mode 100644
index 0000000..a80fb4c
--- /dev/null
+++ b/patches.suse/iio-accel-bma180-Use-explicit-member-assignment.patch
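Review bot: In igc_read_phy_reg() returning `-EOPNOTSUPP` only helps callers that test the result; the site quoted in the commit message goes on to read `phy_data`, and whether it checks the return value is not visible here. Writing a defined value on the fallback path, `*data = 0;` before `return -EOPNOTSUPP;` (assuming `data` is the output pointer that is handed to `read_reg`), keeps an unchecked caller from acting on uninitialised stack contents. The start of the function is outside the hunk.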
@@ -0,0 +1,106 @@
+From 9436abc40139503a7cea22a96437697d048f31c0 Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Wed, 11 Dec 2019 22:38:18 +0100
+Subject: [PATCH] iio: accel: bma180: Use explicit member assignment
+Git-commit: 9436abc40139503a7cea22a96437697d048f31c0
+Patch-mainline: v5.6-rc1
+References: git-fixes
+
+This uses the C99 explicit .member assignment for the
+variant data in struct bma180_part_info. This makes it
+easier to understand and add new variants.
+
+Cc: Peter Meerwald
+Cc: Oleksandr Kravchenko
+Signed-off-by: Linus Walleij
+Signed-off-by: Jonathan Cameron
+Acked-by: Takashi Iwai
+
+---
+ drivers/iio/accel/bma180.c | 68 ++++++++++++++++++++++++--------------
+ 1 file changed, 44 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/iio/accel/bma180.c b/drivers/iio/accel/bma180.c
+index c2c15a4f9ee1..45dd096c0220 100644
+--- a/drivers/iio/accel/bma180.c
++++ b/drivers/iio/accel/bma180.c
+@@ -632,32 +632,52 @@ static const struct iio_chan_spec bma250_channels[] = {
+
+ static const struct bma180_part_info bma180_part_info[] = {
+ [BMA180] = {
+- bma180_channels, ARRAY_SIZE(bma180_channels),
+- bma180_scale_table, ARRAY_SIZE(bma180_scale_table),
+- bma180_bw_table, ARRAY_SIZE(bma180_bw_table),
+- BMA180_CTRL_REG0, BMA180_RESET_INT,
+- BMA180_CTRL_REG0, BMA180_SLEEP,
+- BMA180_BW_TCS, BMA180_BW,
+- BMA180_OFFSET_LSB1, BMA180_RANGE,
+- BMA180_TCO_Z, BMA180_MODE_CONFIG, BMA180_LOW_POWER,
+- BMA180_CTRL_REG3, BMA180_NEW_DATA_INT,
+- BMA180_RESET,
+- bma180_chip_config,
+- bma180_chip_disable,
++ .channels = bma180_channels,
++ .num_channels = ARRAY_SIZE(bma180_channels),
++ .scale_table = bma180_scale_table,
++ .num_scales = ARRAY_SIZE(bma180_scale_table),
++ .bw_table = bma180_bw_table,
++ .num_bw = ARRAY_SIZE(bma180_bw_table),
++ .int_reset_reg = BMA180_CTRL_REG0,
++ .int_reset_mask = BMA180_RESET_INT,
++ .sleep_reg = BMA180_CTRL_REG0,
++ .sleep_mask = BMA180_SLEEP,
++ .bw_reg = BMA180_BW_TCS,
++ .bw_mask = BMA180_BW,
++ .scale_reg = BMA180_OFFSET_LSB1,
++ .scale_mask = BMA180_RANGE,
++ .power_reg = BMA180_TCO_Z,
++ .power_mask = BMA180_MODE_CONFIG,
++ .lowpower_val = BMA180_LOW_POWER,
++ .int_enable_reg = BMA180_CTRL_REG3,
++ .int_enable_mask = BMA180_NEW_DATA_INT,
++ .softreset_reg = BMA180_RESET,
++ .chip_config = bma180_chip_config,
++ .chip_disable = bma180_chip_disable,
+ },
+ [BMA250] = {
+- bma250_channels, ARRAY_SIZE(bma250_channels),
+- bma250_scale_table, ARRAY_SIZE(bma250_scale_table),
+- bma250_bw_table, ARRAY_SIZE(bma250_bw_table),
+- BMA250_INT_RESET_REG, BMA250_INT_RESET_MASK,
+- BMA250_POWER_REG, BMA250_SUSPEND_MASK,
+- BMA250_BW_REG, BMA250_BW_MASK,
+- BMA250_RANGE_REG, BMA250_RANGE_MASK,
+- BMA250_POWER_REG, BMA250_LOWPOWER_MASK, 1,
+- BMA250_INT_ENABLE_REG, BMA250_DATA_INTEN_MASK,
+- BMA250_RESET_REG,
+- bma250_chip_config,
+- bma250_chip_disable,
++ .channels = bma250_channels,
++ .num_channels = ARRAY_SIZE(bma250_channels),
++ .scale_table = bma250_scale_table,
++ .num_scales = ARRAY_SIZE(bma250_scale_table),
++ .bw_table = bma250_bw_table,
++ .num_bw = ARRAY_SIZE(bma250_bw_table),
++ .int_reset_reg = BMA250_INT_RESET_REG,
++ .int_reset_mask = BMA250_INT_RESET_MASK,
++ .sleep_reg = BMA250_POWER_REG,
++ .sleep_mask = BMA250_SUSPEND_MASK,
++ .bw_reg = BMA250_BW_REG,
++ .bw_mask = BMA250_BW_MASK,
++ .scale_reg = BMA250_RANGE_REG,
++ .scale_mask = BMA250_RANGE_MASK,
++ .power_reg = BMA250_POWER_REG,
++ .power_mask = BMA250_LOWPOWER_MASK,
++ .lowpower_val = 1,
++ .int_enable_reg = BMA250_INT_ENABLE_REG,
++ .int_enable_mask = BMA250_DATA_INTEN_MASK,
++ .softreset_reg = BMA250_RESET_REG,
++ .chip_config = bma250_chip_config,
++ .chip_disable = bma250_chip_disable,
+ },
+ };
+
+--
+2.26.2
+
diff --git a/patches.suse/ixgbe-Fix-an-error-handling-path-in-ixgbe_probe.patch b/patches.suse/ixgbe-Fix-an-error-handling-path-in-ixgbe_probe.patch
new file mode 100644
index 0000000..0a9ca04
--- /dev/null
+++ b/patches.suse/ixgbe-Fix-an-error-handling-path-in-ixgbe_probe.patch
@@ -0,0 +1,30 @@
+From: Christophe JAILLET
+Date: Sat, 12 Jun 2021 15:46:09 +0200
+Subject: ixgbe: Fix an error handling path in 'ixgbe_probe()'
+Patch-mainline: v5.14-rc2
+Git-commit: dd2aefcd5e37989ae5f90afdae44bbbf3a2990da
+References: git-fixes
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 6fabd715e6d8 ("ixgbe: Implement PCIe AER support")
+Signed-off-by: Christophe JAILLET
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -11210,6 +11210,7 @@ err_ioremap:
+ disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state);
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
diff --git a/patches.suse/ixgbe-Fix-packet-corruption-due-to-missing-DMA-sync.patch b/patches.suse/ixgbe-Fix-packet-corruption-due-to-missing-DMA-sync.patch
new file mode 100644
index 0000000..b9df5a7
--- /dev/null
+++ b/patches.suse/ixgbe-Fix-packet-corruption-due-to-missing-DMA-sync.patch
@@ -0,0 +1,53 @@ +From: Markus Boehme +Date: Tue, 20 Jul 2021 16:26:19 -0700 +Subject: ixgbe: Fix packet corruption due to missing DMA sync +Patch-mainline: v5.14-rc3 +Git-commit: 09cfae9f13d51700b0fecf591dcd658fc5375428 +References: git-fixes + +When receiving a packet with multiple fragments, hardware may still +touch the first fragment until the entire packet has been received. The +driver therefore keeps the first fragment mapped for DMA until end of +packet has been asserted, and delays its dma_sync call until then. + +The driver tries to fit multiple receive buffers on one page. When using +3K receive buffers (e.g. using Jumbo frames and legacy-rx is turned +off/build_skb is being used) on an architecture with 4K pages, the +driver allocates an order 1 compound page and uses one page per receive +buffer. To determine the correct offset for a delayed DMA sync of the +first fragment of a multi-fragment packet, the driver then cannot just +use PAGE_MASK on the DMA address but has to construct a mask based on +the actual size of the backing page. + +Using PAGE_MASK in the 3K RX buffer/4K page architecture configuration +will always sync the first page of a compound page. With the SWIOTLB +enabled this can lead to corrupted packets (zeroed out first fragment, +re-used garbage from another packet) and various consequences, such as +slow/stalling data transfers and connection resets. For example, testing +on a link with MTU exceeding 3058 bytes on a host with SWIOTLB enabled +(e.g. "iommu=soft swiotlb=262144,force") TCP transfers quickly fizzle +out without this patch. + +Cc: stable@vger.kernel.org +Fixes: 0c5661ecc5dd7 ("ixgbe: fix crash in build_skb Rx code path") +Signed-off-by: Markus Boehme +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: David S. 
Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -1827,7 +1827,8 @@ static void ixgbe_dma_sync_frag(struct i + struct sk_buff *skb) + { + if (ring_uses_build_skb(rx_ring)) { +- unsigned long offset = (unsigned long)(skb->data) & ~PAGE_MASK; ++ unsigned long mask = (unsigned long)ixgbe_rx_pg_size(rx_ring) - 1; ++ unsigned long offset = (unsigned long)(skb->data) & mask; + + dma_sync_single_range_for_cpu(rx_ring->dev, + IXGBE_CB(skb)->dma, diff --git a/patches.suse/kvm-i8254-remove-redundant-assignment-to-pointer-s.patch b/patches.suse/kvm-i8254-remove-redundant-assignment-to-pointer-s.patch new file mode 100644 index 0000000..15ae679 --- /dev/null +++ b/patches.suse/kvm-i8254-remove-redundant-assignment-to-pointer-s.patch 
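Review bot: The new `mask` in ixgbe_dma_sync_frag() is a valid offset mask only if ixgbe_rx_pg_size(rx_ring) returns a power of two and the buffer's backing page is aligned to that size, and neither assumption is written down next to the computation. A short comment above the `mask` line, such as `/* rx buffers may sit in an order-1 compound page; mask by the real backing size, not PAGE_SIZE */`, would stop a later cleanup from going back to `~PAGE_MASK`. The function body continues past the end of the hunk, so the arguments finally passed to dma_sync_single_range_for_cpu() could not be checked here.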
@@ -0,0 +1,35 @@ +From: Colin Ian King +Date: Wed, 10 Jun 2020 00:31:21 +0100 +Subject: kvm: i8254: remove redundant assignment to pointer s +Git-commit: cd18eaeaffa6e5291cdbcd591334d577c4e897df +Patch-mainline: v5.8-rc1 +References: bsc#1188770 + +The pointer s is being assigned a value that is never read, the +assignment is redundant and can be removed. + +Addresses-Coverity: ("Unused value") +Signed-off-by: Colin Ian King +Message-Id: <20200609233121.1118683-1-colin.king@canonical.com> +Fixes: 7837699fa6d7 ("KVM: In kernel PIT model") +Signed-off-by: Paolo Bonzini +Signed-off-by: Jose R. Ziviani +--- + arch/x86/kvm/i8254.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c +index 4a6dc54cc12b..bf49f8084086 100644 +--- a/arch/x86/kvm/i8254.c ++++ b/arch/x86/kvm/i8254.c +@@ -450,7 +450,6 @@ static int pit_ioport_write(struct kvm_vcpu *vcpu, + if (channel == 3) { + /* Read-Back Command. */ + for (channel = 0; channel < 3; channel++) { +- s = &pit_state->channels[channel]; + if (val & (2 << channel)) { + if (!(val & 0x20)) + pit_latch_count(pit, channel); +-- +2.32.0 + diff --git a/patches.suse/kvm-lapic-prevent-setting-the-tscdeadline-timer-if-t.patch b/patches.suse/kvm-lapic-prevent-setting-the-tscdeadline-timer-if-t.patch new file mode 100644 index 0000000..545f1a1 --- /dev/null +++ b/patches.suse/kvm-lapic-prevent-setting-the-tscdeadline-timer-if-t.patch 
@@ -0,0 +1,36 @@ +From: Wanpeng Li +Date: Fri, 31 Jul 2020 11:12:19 +0800 +Subject: KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw + disabled +Git-commit: d2286ba7d574ba3103a421a2f9ec17cb5b0d87a1 +Patch-mainline: v5.8 +References: bsc#1188771 + +Prevent setting the tscdeadline timer if the lapic is hw disabled. + +Fixes: bce87cce88 (KVM: x86: consolidate different ways to test for in-kernel LAPIC) +Cc: +Signed-off-by: Wanpeng Li +Message-Id: <1596165141-28874-1-git-send-email-wanpengli@tencent.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Jose R. Ziviani +--- + arch/x86/kvm/lapic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 77cf8818aa40..19068fae8f97 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -2090,7 +2090,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data) + { + struct kvm_lapic *apic = vcpu->arch.apic; + +- if (!lapic_in_kernel(vcpu) || apic_lvtt_oneshot(apic) || ++ if (!kvm_apic_present(vcpu) || apic_lvtt_oneshot(apic) || + apic_lvtt_period(apic)) + return; + +-- +2.32.0 + diff --git a/patches.suse/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch b/patches.suse/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch new file mode 100644 index 0000000..b829267 --- /dev/null +++ b/patches.suse/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch 
@@ -0,0 +1,41 @@ +From: Jim Mattson +Date: Wed, 2 Jun 2021 13:52:24 -0700 +Subject: kvm: LAPIC: Restore guard to prevent illegal APIC register access +Git-commit: 218bf772bddd221489c38dde6ef8e917131161f6 +Patch-mainline: v5.13-rc7 +References: bsc#1188772 + +Per the SDM, "any access that touches bytes 4 through 15 of an APIC +register may cause undefined behavior and must not be executed." +Worse, such an access in kvm_lapic_reg_read can result in a leak of +kernel stack contents. Prior to commit 01402cf81051 ("kvm: LAPIC: +write down valid APIC registers"), such an access was explicitly +disallowed. Restore the guard that was removed in that commit. + +Fixes: 01402cf81051 ("kvm: LAPIC: write down valid APIC registers") +Signed-off-by: Jim Mattson +Reported-by: syzbot +Message-Id: <20210602205224.3189316-1-jmattson@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Jose R. Ziviani +--- + arch/x86/kvm/lapic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 19068fae8f97..c935c28b4b00 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1337,6 +1337,9 @@ int kvm_lapic_reg_read(struct kvm_lapic *apic, u32 offset, int len, + if (!apic_x2apic_mode(apic)) + valid_reg_mask |= APIC_REG_MASK(APIC_ARBPRI); + ++ if (alignment + len > 4) ++ return 1; ++ + if (offset > 0x3f0 || !(valid_reg_mask & APIC_REG_MASK(offset))) + return 1; + +-- +2.32.0 + diff --git a/patches.suse/kvm-nvmx-consult-only-the-basic-exit-reason-when-rou.patch b/patches.suse/kvm-nvmx-consult-only-the-basic-exit-reason-when-rou.patch new file mode 100644 index 0000000..1190e1e --- /dev/null +++ b/patches.suse/kvm-nvmx-consult-only-the-basic-exit-reason-when-rou.patch 
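Review bot: The restored guard `if (alignment + len > 4)` in kvm_lapic_reg_read() bounds the access from above only; `len` is a signed `int` in the signature, so a zero or negative length is not rejected by this test. Whether any caller can pass such a value is not visible in the hunk, but since the description ties this check to a leak of kernel stack contents, an explicit lower bound is worth considering: `if (len <= 0 || alignment + len > 4) return 1;`. A one-line comment citing the SDM rule (an access touching bytes 4 through 15 of an APIC register is illegal) would also record why the guard must not be dropped again. The declaration of `alignment` lies outside the hunk.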
@@ -0,0 +1,54 @@ +From: Sean Christopherson +Date: Thu, 27 Feb 2020 09:44:30 -0800 +Subject: KVM: nVMX: Consult only the "basic" exit reason when routing nested + exit +Git-commit: 2ebac8bb3c2d35f5135466490fc8eeaf3f3e2d37 +Patch-mainline: v5.8-rc1 +References: bsc#1188773 + +Consult only the basic exit reason, i.e. bits 15:0 of vmcs.EXIT_REASON, +when determining whether a nested VM-Exit should be reflected into L1 or +handled by KVM in L0. + +For better or worse, the switch statement in nested_vmx_exit_reflected() +currently defaults to "true", i.e. reflects any nested VM-Exit without +dedicated logic. Because the case statements only contain the basic +exit reason, any VM-Exit with modifier bits set will be reflected to L1, +even if KVM intended to handle it in L0. + +Practically speaking, this only affects EXIT_REASON_MCE_DURING_VMENTRY, +i.e. a #MC that occurs on nested VM-Enter would be incorrectly routed to +L1, as "failed VM-Entry" is the only modifier that KVM can currently +encounter. The SMM modifiers will never be generated as KVM doesn't +support/employ a SMI Transfer Monitor. Ditto for "exit from enclave", +as KVM doesn't yet support virtualizing SGX, i.e. it's impossible to +enter an enclave in a KVM guest (L1 or L2). + +Fixes: 644d711aa0e1 ("KVM: nVMX: Deciding if L0 or L1 should handle an L2 exit") +Cc: Jim Mattson +Cc: Xiaoyao Li +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20200227174430.26371-1-sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Jose R. 
Ziviani +--- + arch/x86/kvm/vmx/nested.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index a20083ac1ea3..6ee196da166d 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -5380,7 +5380,7 @@ bool nested_vmx_exit_reflected(struct kvm_vcpu *vcpu, u32 exit_reason) + vmcs_read32(VM_EXIT_INTR_ERROR_CODE), + KVM_ISA_VMX); + +- switch (exit_reason) { ++ switch ((u16)exit_reason) { + case EXIT_REASON_EXCEPTION_NMI: + if (is_nmi(intr_info)) + return false; +-- +2.32.0 + diff --git a/patches.suse/kvm-nvmx-ensure-64-bit-shift-when-checking-vmfunc-bi.patch b/patches.suse/kvm-nvmx-ensure-64-bit-shift-when-checking-vmfunc-bi.patch new file mode 100644 index 0000000..7904d40 --- /dev/null +++ b/patches.suse/kvm-nvmx-ensure-64-bit-shift-when-checking-vmfunc-bi.patch 
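Review bot: The bare `(u16)` cast in `switch ((u16)exit_reason)` hides which bits are discarded and why; a reader has to know already that bits 15:0 hold the basic exit reason. A comment on the switch would document the intent, for example `/* route on the basic exit reason only; modifier bits such as failed VM-Entry must not force reflection to L1 */`. Other uses of `exit_reason` in nested_vmx_exit_reflected() lie outside the hunk, so it is worth confirming that none of them still compares the full 32-bit value against a basic reason.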
@@ -0,0 +1,52 @@ +From: Sean Christopherson +Date: Wed, 9 Jun 2021 16:42:22 -0700 +Subject: KVM: nVMX: Ensure 64-bit shift when checking VMFUNC bitmap +Git-commit: 0e75225dfa4c5d5d51291f54a3d2d5895bad38da +Patch-mainline: v5.14-rc1 +References: bsc#1188774 + +Use BIT_ULL() instead of an open-coded shift to check whether or not a +function is enabled in L1's VMFUNC bitmap. This is a benign bug as KVM +supports only bit 0, and will fail VM-Enter if any other bits are set, +i.e. bits 63:32 are guaranteed to be zero. + +Note, "function" is bounded by hardware as VMFUNC will #UD before taking +a VM-Exit if the function is greater than 63. + +Before: + if ((vmcs12->vm_function_control & (1 << function)) == 0) + 0x000000000001a916 <+118>: mov $0x1,%eax + 0x000000000001a91b <+123>: shl %cl,%eax + 0x000000000001a91d <+125>: cltq + 0x000000000001a91f <+127>: and 0x128(%rbx),%rax + +After: + if (!(vmcs12->vm_function_control & BIT_ULL(function & 63))) + 0x000000000001a955 <+117>: mov 0x128(%rbx),%rdx + 0x000000000001a95c <+124>: bt %rax,%rdx + +Fixes: 27c42a1bb867 ("KVM: nVMX: Enable VMFUNC for the L1 hypervisor") +Signed-off-by: Sean Christopherson +Message-Id: <20210609234235.1244004-3-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Jose R. Ziviani +--- + arch/x86/kvm/vmx/nested.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index 14093234438f..f3f4cc7f8e09 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -5121,7 +5121,7 @@ static int handle_vmfunc(struct kvm_vcpu *vcpu) + } + + vmcs12 = get_vmcs12(vcpu); +- if ((vmcs12->vm_function_control & (1 << function)) == 0) ++ if (!(vmcs12->vm_function_control & BIT_ULL(function))) + goto fail; + + switch (function) { +-- +2.32.0 + 
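Review bot: The description's "After" listing shows `BIT_ULL(function & 63)`, but the line added in handle_vmfunc() is `BIT_ULL(function)` with no mask, so the shift count is bounded only by the hardware behaviour the description mentions (VMFUNC raising #UD for a function above 63). How `function` is obtained is outside the hunk; a comment stating the bound would make the dependency explicit, e.g. `/* function <= 63: VMFUNC #UDs before exiting otherwise */`. Alternatively the mask from the description could be applied in the code as `BIT_ULL(function & 63)`, which keeps the shift defined without relying on that guarantee.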
diff --git a/patches.suse/kvm-nvmx-preserve-exception-priority-irrespective-of.patch b/patches.suse/kvm-nvmx-preserve-exception-priority-irrespective-of.patch
new file mode 100644
index 0000000..b63b363
--- /dev/null
+++ b/patches.suse/kvm-nvmx-preserve-exception-priority-irrespective-of.patch
@@ -0,0 +1,82 @@ +From: Sean Christopherson +Date: Wed, 22 Apr 2020 19:25:38 -0700 +Subject: KVM: nVMX: Preserve exception priority irrespective of exiting + behavior +Git-commit: 6ce347af1499deff5890a52aedacd451330af706 +Patch-mainline: v5.8-rc1 +References: bsc#1188777 + +Short circuit vmx_check_nested_events() if an exception is pending and +needs to be injected into L2, priority between coincident events is not +dependent on exiting behavior. This fixes a bug where a single-step #DB +that is not intercepted by L1 is incorrectly dropped due to servicing a +VMX Preemption Timer VM-Exit. + +Injected exceptions also need to be blocked if nested VM-Enter is +pending or an exception was already injected, otherwise injecting the +exception could overwrite an existing event injection from L1. +Technically, this scenario should be impossible, i.e. KVM shouldn't +inject its own exception during nested VM-Enter. This will be addressed +in a future patch. + +Note, event priority between SMI, NMI and INTR is incorrect for L2, e.g. +SMI should take priority over VM-Exit on NMI/INTR, and NMI that is +injected into L2 should take priority over VM-Exit INTR. This will also +be addressed in a future patch. + +Fixes: b6b8a1451fc4 ("KVM: nVMX: Rework interception of IRQs and NMIs") +Reported-by: Jim Mattson +Cc: Oliver Upton +Cc: Peter Shier +Signed-off-by: Sean Christopherson +Message-Id: <20200423022550.15113-2-sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Jose R. Ziviani +--- + arch/x86/kvm/vmx/nested.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index bd96be3ca456..f047940c1795 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3455,11 +3455,11 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu, bool __unused) + /* + * Process any exceptions that are not debug traps before MTF. 
+ */ +- if (vcpu->arch.exception.pending && +- !vmx_pending_dbg_trap(vcpu) && +- nested_vmx_check_exception(vcpu, &exit_qual)) { ++ if (vcpu->arch.exception.pending && !vmx_pending_dbg_trap(vcpu)) { + if (block_nested_events) + return -EBUSY; ++ if (!nested_vmx_check_exception(vcpu, &exit_qual)) ++ goto no_vmexit; + nested_vmx_inject_exception_vmexit(vcpu, exit_qual); + return 0; + } +@@ -3472,10 +3472,11 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu, bool __unused) + return 0; + } + +- if (vcpu->arch.exception.pending && +- nested_vmx_check_exception(vcpu, &exit_qual)) { ++ if (vcpu->arch.exception.pending) { + if (block_nested_events) + return -EBUSY; ++ if (!nested_vmx_check_exception(vcpu, &exit_qual)) ++ goto no_vmexit; + nested_vmx_inject_exception_vmexit(vcpu, exit_qual); + return 0; + } +@@ -3510,6 +3511,7 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu, bool __unused) + return 0; + } + ++no_vmexit: + vmx_complete_nested_posted_interrupt(vcpu); + return 0; + } +-- +2.32.0 + diff --git a/patches.suse/mvpp2-suppress-warning.patch b/patches.suse/mvpp2-suppress-warning.patch new file mode 100644 index 0000000..cb0d139 --- /dev/null +++ b/patches.suse/mvpp2-suppress-warning.patch 
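Review bot: The new `no_vmexit:` label in vmx_check_nested_events() has no comment, and both added `goto no_vmexit;` statements skip every event check that sits between them and the label. A note at the label would record the reason, for example `/* a pending exception not intercepted by L1 is injected into L2; its priority does not depend on exiting behaviour, so later events are not considered */`. The two rewritten `if (vcpu->arch.exception.pending ...)` blocks are now identical apart from the `!vmx_pending_dbg_trap(vcpu)` condition, so a small shared helper would avoid the duplication. The start of the function is outside the hunks, so how `block_nested_events` is computed could not be checked here.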
@@ -0,0 +1,37 @@ +From: Matteo Croce +Date: Mon, 10 May 2021 18:52:32 +0200 +Subject: mvpp2: suppress warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Patch-mainline: v5.14-rc1 +Git-commit: 4c598e5e679c31106914b63b5e3877994dfbba19 +References: git-fixes + +Remove some unreachable code, so to suppress this warning: + +drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c: In function ‘mvpp2_prs_tcam_first_free’: +drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c:397:10: warning: comparison is always false due to limited range of data type [-Wtype-limits] + 397 | if (end >= MVPP2_PRS_TCAM_SRAM_SIZE) + | ^~ + +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Signed-off-by: Matteo Croce +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -394,9 +394,6 @@ static int mvpp2_prs_tcam_first_free(str + if (start > end) + swap(start, end); + +- if (end >= MVPP2_PRS_TCAM_SRAM_SIZE) +- end = MVPP2_PRS_TCAM_SRAM_SIZE - 1; +- + for (tid = start; tid <= end; tid++) { + if (!priv->prs_shadow[tid].valid) + return tid; diff --git a/patches.suse/net-mac802154-Fix-general-protection-fault.patch b/patches.suse/net-mac802154-Fix-general-protection-fault.patch new file mode 100644 index 0000000..5e5fd16 --- /dev/null +++ b/patches.suse/net-mac802154-Fix-general-protection-fault.patch 
@@ -0,0 +1,58 @@ +From 1165affd484889d4986cf3b724318935a0b120d8 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 4 Mar 2021 18:21:25 +0300 +Subject: [PATCH] net: mac802154: Fix general protection fault +Git-commit: 1165affd484889d4986cf3b724318935a0b120d8 +Patch-mainline: v5.12-rc7 +References: CVE-2021-3659 bsc#1188876 + +syzbot found general protection fault in crypto_destroy_tfm()[1]. +It was caused by wrong clean up loop in llsec_key_alloc(). +If one of the tfm array members is in IS_ERR() range it will +cause general protection fault in clean up function [1]. + +Call Trace: + crypto_free_aead include/crypto/aead.h:191 [inline] [1] + llsec_key_alloc net/mac802154/llsec.c:156 [inline] + mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249 + ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338 + rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline] + nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584 + genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739 + genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 + genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:674 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Signed-off-by: Pavel Skripkin +Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20210304152125.1052825-1-paskripkin@gmail.com +Signed-off-by: Stefan Schmidt 
+Acked-by: Takashi Iwai + +--- + net/mac802154/llsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac802154/llsec.c ++++ b/net/mac802154/llsec.c +@@ -152,7 +152,7 @@ err_tfm0: + crypto_free_sync_skcipher(key->tfm0); + err_tfm: + for (i = 0; i < ARRAY_SIZE(key->tfm); i++) +- if (key->tfm[i]) ++ if (!IS_ERR_OR_NULL(key->tfm[i])) + crypto_free_aead(key->tfm[i]); + + kzfree(key); diff --git a/patches.suse/net-mlx5e-Block-offload-of-outer-header-csum-for-GRE.patch b/patches.suse/net-mlx5e-Block-offload-of-outer-header-csum-for-GRE.patch new file mode 100644 index 0000000..6b0dc97 --- /dev/null +++ b/patches.suse/net-mlx5e-Block-offload-of-outer-header-csum-for-GRE.patch 
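Review bot: The cleanup loop under `err_tfm` still walks every slot of `key->tfm`, so it is correct only if the slot whose allocation failed holds an error pointer and every slot not yet reached is NULL. The `!IS_ERR_OR_NULL()` test covers both cases, but the second one depends on `key` having been zero-allocated, which happens outside the hunk. Clearing the failed slot where the allocation error is detected, or unwinding only the slots already filled, would keep error pointers out of the structure altogether. llsec_key_alloc() begins before the hunk, so the allocation side could not be checked here.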
@@ -0,0 +1,38 @@ +From: Aya Levin +Date: Wed, 26 May 2021 10:40:36 +0300 +Subject: net/mlx5e: Block offload of outer header csum for GRE tunnel +Patch-mainline: v5.13-rc7 +Git-commit: 54e1217b90486c94b26f24dcee1ee5ef5372f832 +References: git-fixes + +The device is able to offload either the outer header csum or inner +header csum. The driver utilizes the inner csum offload. So, prohibit +setting of tx-gre-csum-segmentation and let it be: off[fixed]. + +Fixes: 2729984149e6 ("net/mlx5e: Support TSO and TX checksum offloads for GRE tunnels") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4908,12 +4908,9 @@ static void mlx5e_build_nic_netdev(struc + } + + if (mlx5e_tunnel_proto_supported(mdev, IPPROTO_GRE)) { +- netdev->hw_features |= NETIF_F_GSO_GRE | +- NETIF_F_GSO_GRE_CSUM; +- netdev->hw_enc_features |= NETIF_F_GSO_GRE | +- NETIF_F_GSO_GRE_CSUM; +- netdev->gso_partial_features |= NETIF_F_GSO_GRE | +- NETIF_F_GSO_GRE_CSUM; ++ netdev->hw_features |= NETIF_F_GSO_GRE; ++ netdev->hw_enc_features |= NETIF_F_GSO_GRE; ++ netdev->gso_partial_features |= NETIF_F_GSO_GRE; + } + + if (mlx5e_tunnel_proto_supported(mdev, IPPROTO_IPIP)) { diff --git a/patches.suse/net-mvpp2-Put-fwnode-in-error-case-during-probe.patch b/patches.suse/net-mvpp2-Put-fwnode-in-error-case-during-probe.patch new file mode 100644 index 0000000..821e1dc --- /dev/null +++ b/patches.suse/net-mvpp2-Put-fwnode-in-error-case-during-probe.patch 
@@ -0,0 +1,33 @@ +From: Andy Shevchenko +Date: Mon, 10 May 2021 12:58:05 +0300 +Subject: net: mvpp2: Put fwnode in error case during ->probe() +Patch-mainline: v5.14-rc1 +Git-commit: 71f0891c84dfdc448736082ab0a00acd29853896 +References: git-fixes + +In each iteration fwnode_for_each_available_child_node() bumps a reference +counting of a loop variable followed by dropping in on a next iteration, + +Since in error case the loop is broken, we have to drop a reference count +by ourselves. Do it for port_fwnode in error case during ->probe(). + +Fixes: 248122212f68 ("net: mvpp2: use device_*/fwnode_* APIs instead of of_*") +Cc: Marcin Wojtas +Signed-off-by: Andy Shevchenko +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -5917,6 +5917,8 @@ static int mvpp2_probe(struct platform_d + return 0; + + err_port_probe: ++ fwnode_handle_put(port_fwnode); ++ + i = 0; + fwnode_for_each_available_child_node(fwnode, port_fwnode) { + if (priv->port_list[i]) diff --git a/patches.suse/nfc-nfcsim-fix-use-after-free-during-module-unload.patch b/patches.suse/nfc-nfcsim-fix-use-after-free-during-module-unload.patch new file mode 100644 index 0000000..f6d4e34 --- /dev/null +++ b/patches.suse/nfc-nfcsim-fix-use-after-free-during-module-unload.patch 
@@ -0,0 +1,98 @@ +From 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 28 Jul 2021 08:49:09 +0200 +Subject: [PATCH] nfc: nfcsim: fix use after free during module unload +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 +Patch-mainline: v5.14-rc4 +References: git-fixes + +There is a use after free memory corruption during module exit: + - nfcsim_exit() + - nfcsim_device_free(dev0) + - nfc_digital_unregister_device() + This iterates over command queue and frees all commands, + - dev->up = false + - nfcsim_link_shutdown() + - nfcsim_link_recv_wake() + This wakes the sleeping thread nfcsim_link_recv_skb(). + + - nfcsim_link_recv_skb() + Wake from wait_event_interruptible_timeout(), + call directly the deb->cb callback even though (dev->up == false), + - digital_send_cmd_complete() + Dereference of "struct digital_cmd" cmd which was freed earlier by + nfc_digital_unregister_device(). + +This causes memory corruption shortly after (with unrelated stack +Trace): + + nfc nfc0: NFC: nfcsim_recv_wq: Device is down + llcp: nfc_llcp_recv: err -19 + nfc nfc1: NFC: nfcsim_recv_wq: Device is down + BUG: unable to handle page fault for address: ffffffffffffffed + Call Trace: + fsnotify+0x54b/0x5c0 + __fsnotify_parent+0x1fe/0x300 + ? vfs_write+0x27c/0x390 + vfs_write+0x27c/0x390 + ksys_write+0x63/0xe0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +KASAN report: + + BUG: KASAN: use-after-free in digital_send_cmd_complete+0x16/0x50 + Write of size 8 at addr ffff88800a05f720 by task kworker/0:2/71 + Workqueue: events nfcsim_recv_wq [nfcsim] + Call Trace: +  dump_stack_lvl+0x45/0x59 +  print_address_description.constprop.0+0x21/0x140 +  ? digital_send_cmd_complete+0x16/0x50 +  ? digital_send_cmd_complete+0x16/0x50 +  kasan_report.cold+0x7f/0x11b +  ? digital_send_cmd_complete+0x16/0x50 +  ? 
digital_dep_link_down+0x60/0x60 +  digital_send_cmd_complete+0x16/0x50 +  nfcsim_recv_wq+0x38f/0x3d5 [nfcsim] +  ? nfcsim_in_send_cmd+0x4a/0x4a [nfcsim] +  ? lock_is_held_type+0x98/0x110 +  ? finish_wait+0x110/0x110 +  ? rcu_read_lock_sched_held+0x9c/0xd0 +  ? rcu_read_lock_bh_held+0xb0/0xb0 +  ? lockdep_hardirqs_on_prepare+0x12e/0x1f0 + +This flow of calling digital_send_cmd_complete() callback on driver exit +is specific to nfcsim which implements reading and sending work queues. +Since the NFC digital device was unregistered, the callback should not +be called. + +Fixes: 204bddcb508f ("NFC: nfcsim: Make use of the Digital layer") +Cc: +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Acked-by: Takashi Iwai + +--- + drivers/nfc/nfcsim.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/nfc/nfcsim.c b/drivers/nfc/nfcsim.c +index a9864fcdfba6..dd27c85190d3 100644 +--- a/drivers/nfc/nfcsim.c ++++ b/drivers/nfc/nfcsim.c +@@ -192,8 +192,7 @@ static void nfcsim_recv_wq(struct work_struct *work) + + if (!IS_ERR(skb)) + dev_kfree_skb(skb); +- +- skb = ERR_PTR(-ENODEV); ++ return; + } + + dev->cb(dev->nfc_digital_dev, dev->arg, skb); +-- +2.26.2 + diff --git a/patches.suse/platform-chrome-cros_ec_lightbar-Reduce-ligthbar-get.patch b/patches.suse/platform-chrome-cros_ec_lightbar-Reduce-ligthbar-get.patch new file mode 100644 index 0000000..6021270 --- /dev/null +++ b/patches.suse/platform-chrome-cros_ec_lightbar-Reduce-ligthbar-get.patch 
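Review bot: The new bare `return;` in nfcsim_recv_wq() skips `dev->cb()` without saying why, and the reason given in the description (the digital device may already be unregistered and its queued commands freed) is not obvious from the code. Proposed comment above it: `/* device is going down: the digital layer may have freed the pending command, so the callback must not run */`. The test of `dev->up` sits outside the hunk; it is worth confirming that this read is ordered against the teardown path, since the fix depends on the flag being observed before the callback is reached.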
@@ -0,0 +1,41 @@ +From 1e7913ff5f9f1b73146ad8522958bd266f22a510 Mon Sep 17 00:00:00 2001 +From: Gwendal Grignou +Date: Sat, 29 Aug 2020 23:59:37 -0700 +Subject: [PATCH] platform/chrome: cros_ec_lightbar: Reduce ligthbar get + version command +Git-commit: 1e7913ff5f9f1b73146ad8522958bd266f22a510 +References: git-fixes +Patch-mainline: v5.10-rc1 + +By default, the lightbar commands are set to the biggest lightbar command +and response. That length is greater than 128 bytes and may not work on +all machines. But all EC are probed for lightbar by sending a get version +request. Set that request size precisely. + +Before the command would be: + + cros_ec_cmd: version: 0, command: EC_CMD_LIGHTBAR_CMD, outsize: 194, insize: 128, result: 0 + +Afer: + + cros_ec_cmd: version: 0, command: EC_CMD_LIGHTBAR_CMD, outsize: 1, insize: 8, result: 0 + +Fixes: a841178445bb7 ("mfd: cros_ec: Use a zero-length array for command data") +Signed-off-by: Gwendal Grignou +Signed-off-by: Enric Balletbo i Serra +Signed-off-by: Oliver Neukum +--- + drivers/platform/chrome/cros_ec_lightbar.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/platform/chrome/cros_ec_lightbar.c ++++ b/drivers/platform/chrome/cros_ec_lightbar.c +@@ -116,6 +116,8 @@ static int get_lightbar_version(struct c + + param = (struct ec_params_lightbar *)msg->data; + param->cmd = LIGHTBAR_CMD_VERSION; ++ msg->outsize = sizeof(param->cmd); ++ msg->result = sizeof(resp->version); + ret = cros_ec_cmd_xfer(ec->ec_dev, msg); + if (ret < 0) { + ret = 0; diff --git a/patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch b/patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch new file mode 100644 index 0000000..2fbc93b --- /dev/null +++ b/patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch 
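Review bot: The second added line in get_lightbar_version() stores the expected response size in `msg->result`, while the description's "After" trace reports the change as `insize: 8` and shows `result` as a separate status field, so the length was presumably meant to go into `msg->insize`. As written, the request size is reduced but the response size is apparently left at its default, which would leave the fix half applied on boards that cannot handle the larger transfer. Suggested line: `msg->insize = sizeof(resp->version);`. The message structure is defined outside this hunk, so the field name should be confirmed there.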
@@ -0,0 +1,52 @@ +From 3a53587423d25c87af4b4126a806a0575104b45e Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 18 May 2021 14:50:27 +0200 +Subject: [PATCH] platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios +Git-commit: 3a53587423d25c87af4b4126a806a0575104b45e +References: git-fixes +Patch-mainline: v5.13-rc3 + +init_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems +where the Dell WMI interface is supported. While exit_dell_smbios_wmi() +unregisters it unconditionally, this leads to the following oops: + +[ 175.722921] ------------[ cut here ]------------ +[ 175.722925] Unexpected driver unregister! +[ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40 +... +[ 175.723089] Call Trace: +[ 175.723094] cleanup_module+0x5/0xedd [dell_smbios] +... +[ 175.723148] ---[ end trace 064c34e1ad49509d ]--- + +Make the unregister happen on the same condition the register happens +to fix this. + +Cc: Mario Limonciello +Fixes: 1a258e670434 ("platform/x86: dell-smbios-wmi: Add new WMI dispatcher driver") +Signed-off-by: Hans de Goede +Reviewed-by: Mario Limonciello +Reviewed-by: Mark Gross +Link: https://lore.kernel.org/r/20210518125027.21824-1-hdegoede@redhat.com +Signed-off-by: Oliver Neukum +--- + drivers/platform/x86/dell/dell-smbios-wmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/dell/dell-smbios-wmi.c b/drivers/platform/x86/dell/dell-smbios-wmi.c +index a1753485159c..33f823772733 100644 +--- a/drivers/platform/x86/dell-smbios-wmi.c ++++ b/drivers/platform/x86/dell-smbios-wmi.c +@@ -270,7 +270,8 @@ int init_dell_smbios_wmi(void) + + void exit_dell_smbios_wmi(void) + { +- wmi_driver_unregister(&dell_smbios_wmi_driver); ++ if (wmi_supported) ++ wmi_driver_unregister(&dell_smbios_wmi_driver); + } + + MODULE_DEVICE_TABLE(wmi, dell_smbios_wmi_id_table); +-- +2.26.2 + 
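Review bot: The new `if (wmi_supported)` test in exit_dell_smbios_wmi() mirrors the condition for attempting registration, not whether registration succeeded. init_dell_smbios_wmi() is outside the hunk, but if `wmi_supported` is set and wmi_driver_register() then fails, this function would still call wmi_driver_unregister() on a driver that was never registered, which is the situation the patch sets out to avoid. Recording the outcome of the register call, for example by clearing `wmi_supported` on failure, would close that case. Separately, the inner `diff --git` line names `drivers/platform/x86/dell/dell-smbios-wmi.c` while the `---`/`+++` lines use `drivers/platform/x86/dell-smbios-wmi.c`; this looks like a backport path adjustment and deserves a quick check.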
diff --git a/patches.suse/platform-x86-intel_int0002_vgpio-Only-call-enable_ir.patch b/patches.suse/platform-x86-intel_int0002_vgpio-Only-call-enable_ir.patch index 8af775a..744ad82 100644 --- a/patches.suse/platform-x86-intel_int0002_vgpio-Only-call-enable_ir.patch +++ b/patches.suse/platform-x86-intel_int0002_vgpio-Only-call-enable_ir.patch @@ -144,9 +144,9 @@ Acked-by: Takashi Iwai int irq, ret; /* Menlow has a different INT0002 device? */ -@@ -187,10 +184,13 @@ static int int0002_probe(struct platform +@@ -185,10 +182,13 @@ static int int0002_probe(struct platform + if (irq < 0) return irq; - } - chip = devm_kzalloc(dev, sizeof(*chip), GFP_KERNEL); - if (!chip) @@ -160,7 +160,7 @@ Acked-by: Takashi Iwai chip->label = DRV_NAME; chip->parent = dev; chip->owner = THIS_MODULE; -@@ -216,7 +216,7 @@ static int int0002_probe(struct platform +@@ -214,7 +214,7 @@ static int int0002_probe(struct platform } girq = &chip->irq; @@ -169,7 +169,7 @@ Acked-by: Takashi Iwai /* This let us handle the parent IRQ in the driver */ girq->parent_handler = NULL; girq->num_parents = 0; -@@ -232,6 +232,7 @@ static int int0002_probe(struct platform +@@ -230,6 +230,7 @@ static int int0002_probe(struct platform acpi_register_wakeup_handler(irq, int0002_check_wake, NULL); device_init_wakeup(dev, true); @@ -177,7 +177,7 @@ Acked-by: Takashi Iwai return 0; } -@@ -242,6 +243,36 @@ static int int0002_remove(struct platfor +@@ -240,6 +241,36 @@ static int int0002_remove(struct platfor return 0; } @@ -214,7 +214,7 @@ Acked-by: Takashi Iwai static const struct acpi_device_id int0002_acpi_ids[] = { { "INT0002", 0 }, { }, -@@ -252,6 +283,7 @@ static struct platform_driver int0002_dr +@@ -250,6 +281,7 @@ static struct platform_driver int0002_dr .driver = { .name = DRV_NAME, .acpi_match_table = int0002_acpi_ids, 
diff --git a/patches.suse/platform-x86-intel_int0002_vgpio-Remove-dev_err-usag.patch b/patches.suse/platform-x86-intel_int0002_vgpio-Remove-dev_err-usag.patch new file mode 100644 index 0000000..e2bc87a --- /dev/null +++ b/patches.suse/platform-x86-intel_int0002_vgpio-Remove-dev_err-usag.patch 
@@ -0,0 +1,78 @@
+From f839b4b549a65e1c611f911654012ac65e6d1610 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd
+Date: Tue, 30 Jul 2019 11:15:55 -0700
+Subject: [PATCH] platform/x86: intel_int0002_vgpio: Remove dev_err() usage
+ after platform_get_irq()
+Git-commit: f839b4b549a65e1c611f911654012ac65e6d1610
+References: git-fixes
+Patch-mainline: v5.4-rc1
+
+We don't need dev_err() messages when platform_get_irq() fails now that
+platform_get_irq() prints an error message itself when something goes
+wrong. Let's remove these prints with a simple semantic patch.
+
+//
+@@
+expression ret;
+struct platform_device *E;
+@@
+
+ret =
+(
+platform_get_irq(E, ...)
+|
+platform_get_irq_byname(E, ...)
+);
+
+if ( \( ret < 0 \| ret <= 0 \) )
+{
+(
+-if (ret != -EPROBE_DEFER)
+-{ ...
+-dev_err(...);
+-... }
+|
+...
+-dev_err(...);
+)
+...
+}
+//
+
+While we're here, remove braces on if statements that only have one
+statement (manually).
+
+Cc: Andy Shevchenko
+Cc: Greg Kroah-Hartman
+Cc: Enric Balletbo i Serra
+Cc: Hans de Goede
+Cc: "Darren Hart (VMware)"
+Cc: Roman Kiryanov
+Cc: Vadim Pasternak
+Cc: Greg Kroah-Hartman
+Signed-off-by: Stephen Boyd
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Oliver Neukum
+---
+ drivers/platform/x86/intel_int0002_vgpio.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/platform/x86/intel_int0002_vgpio.c b/drivers/platform/x86/intel_int0002_vgpio.c
+index d9542c661ddc..4f3f30152a27 100644
+--- a/drivers/platform/x86/intel_int0002_vgpio.c
++++ b/drivers/platform/x86/intel_int0002_vgpio.c
+@@ -166,10 +166,8 @@ static int int0002_probe(struct platform_device *pdev)
+ return -ENODEV;
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq < 0) {
+- dev_err(dev, "Error getting IRQ: %d\n", irq);
++ if (irq < 0)
+ return irq;
+- }
+
+ chip = devm_kzalloc(dev, sizeof(*chip), GFP_KERNEL);
+ if (!chip)
+--
+2.26.2
+
diff --git a/patches.suse/powerpc-pesries-Get-STF-barrier-requirement-from-H_G.patch b/patches.suse/powerpc-pesries-Get-STF-barrier-requirement-from-H_G.patch
new file mode 100644
index 0000000..9e4e8ba
--- /dev/null
+++ b/patches.suse/powerpc-pesries-Get-STF-barrier-requirement-from-H_G.patch
@@ -0,0 +1,51 @@
+From 393eff5a7b357a23db3e786e24b5ba8762cc6820 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Mon, 3 May 2021 23:02:42 +1000
+Subject: [PATCH] powerpc/pesries: Get STF barrier requirement from
+ H_GET_CPU_CHARACTERISTICS
+
+References: bsc#1188885 ltc#193722
+Patch-mainline: v5.14-rc1
+Git-commit: 393eff5a7b357a23db3e786e24b5ba8762cc6820
+
+This allows the hypervisor / firmware to describe this workarounds to
+the guest.
+
+Signed-off-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20210503130243.891868-4-npiggin@gmail.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/include/asm/hvcall.h | 1 +
+ arch/powerpc/platforms/pseries/setup.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
+index d769ffbb04f2..2a6346b6472f 100644
+--- a/arch/powerpc/include/asm/hvcall.h
++++ b/arch/powerpc/include/asm/hvcall.h
+@@ -402,6 +402,7 @@
+ #define H_CPU_BEHAV_FLUSH_LINK_STACK (1ull << 57) // IBM bit 6
+ #define H_CPU_BEHAV_NO_L1D_FLUSH_ENTRY (1ull << 56) // IBM bit 7
+ #define H_CPU_BEHAV_NO_L1D_FLUSH_UACCESS (1ull << 55) // IBM bit 8
++#define H_CPU_BEHAV_NO_STF_BARRIER (1ull << 54) // IBM bit 9
+
+ /* Flag values used in H_REGISTER_PROC_TBL hcall */
+ #define PROC_TABLE_OP_MASK 0x18
+diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
+index 287f33645419..631a0d57b6cd 100644
+--- a/arch/powerpc/platforms/pseries/setup.c
++++ b/arch/powerpc/platforms/pseries/setup.c
+@@ -555,6 +555,9 @@ static void init_cpu_char_feature_flags(struct h_cpu_char_result *result)
+ if (result->behaviour & H_CPU_BEHAV_NO_L1D_FLUSH_UACCESS)
+ security_ftr_clear(SEC_FTR_L1D_FLUSH_UACCESS);
+
++ if (result->behaviour & H_CPU_BEHAV_NO_STF_BARRIER)
++ security_ftr_clear(SEC_FTR_STF_BARRIER);
++
+ if (!(result->behaviour & H_CPU_BEHAV_BNDS_CHK_SPEC_BAR))
+ security_ftr_clear(SEC_FTR_BNDS_CHK_SPEC_BAR);
+ }
+--
+2.26.2
+
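Review bot: The new `H_CPU_BEHAV_NO_STF_BARRIER` test in `init_cpu_char_feature_flags()` clears a default-on mitigation when the bit is set, which is the opposite polarity to the neighbouring `!(result->behaviour & ...)` tests, and nothing in the hunk says so. A one-line comment above it, such as `/* NO_* bits are inverse-sense: set means firmware reports the mitigation is not required */`, would keep a later reader from "correcting" the condition. The same applies to the `H_CPU_BEHAV_NO_L1D_FLUSH_ENTRY` and `H_CPU_BEHAV_NO_L1D_FLUSH_UACCESS` tests added by the entry/uaccess flush patch that follows on this page. The polarity is fail-safe as written, because firmware that does not know the bit leaves it clear and the barrier stays enabled. The function body starts outside the hunk.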
diff --git a/patches.suse/powerpc-pseries-Get-entry-and-uaccess-flush-required.patch b/patches.suse/powerpc-pseries-Get-entry-and-uaccess-flush-required.patch
new file mode 100644
index 0000000..cf8f2a0
--- /dev/null
+++ b/patches.suse/powerpc-pseries-Get-entry-and-uaccess-flush-required.patch
@@ -0,0 +1,55 @@ +From 65c7d070850e109a8a75a431f5a7f6eb4c007b77 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Mon, 3 May 2021 23:02:40 +1000 +Subject: [PATCH] powerpc/pseries: Get entry and uaccess flush required bits + from H_GET_CPU_CHARACTERISTICS + +References: bsc#1188885 ltc#193722 +Patch-mainline: v5.14-rc1 +Git-commit: 65c7d070850e109a8a75a431f5a7f6eb4c007b77 + +This allows the hypervisor / firmware to describe these workarounds to +the guest. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210503130243.891868-2-npiggin@gmail.com +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/hvcall.h | 2 ++ + arch/powerpc/platforms/pseries/setup.c | 6 ++++++ + 2 files changed, 8 insertions(+) + +diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h +index 7c3418d1b5e9..d769ffbb04f2 100644 +--- a/arch/powerpc/include/asm/hvcall.h ++++ b/arch/powerpc/include/asm/hvcall.h +@@ -400,6 +400,8 @@ + #define H_CPU_BEHAV_FAVOUR_SECURITY_H (1ull << 60) // IBM bit 3 + #define H_CPU_BEHAV_FLUSH_COUNT_CACHE (1ull << 58) // IBM bit 5 + #define H_CPU_BEHAV_FLUSH_LINK_STACK (1ull << 57) // IBM bit 6 ++#define H_CPU_BEHAV_NO_L1D_FLUSH_ENTRY (1ull << 56) // IBM bit 7 ++#define H_CPU_BEHAV_NO_L1D_FLUSH_UACCESS (1ull << 55) // IBM bit 8 + + /* Flag values used in H_REGISTER_PROC_TBL hcall */ + #define PROC_TABLE_OP_MASK 0x18 +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c +index 754e493b7c05..287f33645419 100644 +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -549,6 +549,12 @@ static void init_cpu_char_feature_flags(struct h_cpu_char_result *result) + if (!(result->behaviour & H_CPU_BEHAV_L1D_FLUSH_PR)) + security_ftr_clear(SEC_FTR_L1D_FLUSH_PR); + ++ if (result->behaviour & H_CPU_BEHAV_NO_L1D_FLUSH_ENTRY) ++ security_ftr_clear(SEC_FTR_L1D_FLUSH_ENTRY); ++ ++ if (result->behaviour & 
H_CPU_BEHAV_NO_L1D_FLUSH_UACCESS) ++ security_ftr_clear(SEC_FTR_L1D_FLUSH_UACCESS); ++ + if (!(result->behaviour & H_CPU_BEHAV_BNDS_CHK_SPEC_BAR)) + security_ftr_clear(SEC_FTR_BNDS_CHK_SPEC_BAR); + } +-- +2.26.2 + diff --git a/patches.suse/powerpc-pseries-export-LPAR-security-flavor-in-lparc.patch b/patches.suse/powerpc-pseries-export-LPAR-security-flavor-in-lparc.patch new file mode 100644 index 0000000..81e2b38 --- /dev/null +++ b/patches.suse/powerpc-pseries-export-LPAR-security-flavor-in-lparc.patch 
@@ -0,0 +1,110 @@ +From 6ce56e1ac380eaa088d3f4c01446e15e195bd541 Mon Sep 17 00:00:00 2001 +From: Laurent Dufour +Date: Fri, 5 Mar 2021 13:55:54 +0100 +Subject: [PATCH] powerpc/pseries: export LPAR security flavor in lparcfg + +References: bsc#1188885 ltc#193722 +Patch-mainline: v5.13-rc1 +Git-commit: 6ce56e1ac380eaa088d3f4c01446e15e195bd541 + +This is helpful to read the security flavor from inside the LPAR. + +In /sys/kernel/debug/powerpc/security_features it can be seen if +mitigations are on or off but not the level set through the ASMI menu. +Furthermore, reporting it through /proc/powerpc/lparcfg allows an easy +processing by the lparstat command [1]. + +Export it like this in /proc/powerpc/lparcfg: + + $ grep security_flavor /proc/powerpc/lparcfg + security_flavor=1 + +Value follows what is documented on the IBM support page [2]: + + 0 Speculative execution fully enabled + 1 Speculative execution controls to mitigate user-to-kernel attacks + 2 Speculative execution controls to mitigate user-to-kernel and + user-to-user side-channel attacks + +[1] https://groups.google.com/g/powerpc-utils-devel/c/NaKXvdyl_UI/m/wa2stpIDAQAJ +[2] https://www.ibm.com/support/pages/node/715841 + +Signed-off-by: Laurent Dufour +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210305125554.5165-1-ldufour@linux.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/hvcall.h | 1 + + arch/powerpc/platforms/pseries/lparcfg.c | 2 ++ + arch/powerpc/platforms/pseries/pseries.h | 1 + + arch/powerpc/platforms/pseries/setup.c | 7 +++++++ + 4 files changed, 11 insertions(+) + +diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h +index ed6086d57b22..455e188da26d 100644 +--- a/arch/powerpc/include/asm/hvcall.h ++++ b/arch/powerpc/include/asm/hvcall.h +@@ -389,6 +389,7 @@ + #define H_CPU_BEHAV_FAVOUR_SECURITY (1ull << 63) // IBM bit 0 + #define H_CPU_BEHAV_L1D_FLUSH_PR (1ull << 62) // IBM bit 1 + #define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR 
(1ull << 61) // IBM bit 2 ++#define H_CPU_BEHAV_FAVOUR_SECURITY_H (1ull << 60) // IBM bit 3 + #define H_CPU_BEHAV_FLUSH_COUNT_CACHE (1ull << 58) // IBM bit 5 + #define H_CPU_BEHAV_FLUSH_LINK_STACK (1ull << 57) // IBM bit 6 + +diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c +index e278390ab28d..f71eac74ea92 100644 +--- a/arch/powerpc/platforms/pseries/lparcfg.c ++++ b/arch/powerpc/platforms/pseries/lparcfg.c +@@ -537,6 +537,8 @@ static int pseries_lparcfg_data(struct seq_file *m, void *v) + parse_em_data(m); + maxmem_data(m); + ++ seq_printf(m, "security_flavor=%u\n", pseries_security_flavor); ++ + return 0; + } + +diff --git a/arch/powerpc/platforms/pseries/pseries.h b/arch/powerpc/platforms/pseries/pseries.h +index a13438fca10a..8925a0fac15f 100644 +--- a/arch/powerpc/platforms/pseries/pseries.h ++++ b/arch/powerpc/platforms/pseries/pseries.h +@@ -108,6 +108,7 @@ static inline unsigned long cmo_get_page_size(void) + + int dlpar_workqueue_init(void); + ++extern u32 pseries_security_flavor; + void pseries_setup_security_mitigations(void); + void pseries_lpar_read_hblkrm_characteristics(void); + +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c +index 145e3f4c999a..754e493b7c05 100644 +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -86,6 +86,7 @@ EXPORT_SYMBOL(CMO_PageSize); + + int fwnmi_active; /* TRUE if an FWNMI handler is present */ + int ibm_nmi_interlock_token; ++u32 pseries_security_flavor; + + static void pSeries_show_cpuinfo(struct seq_file *m) + { +@@ -535,9 +536,15 @@ static void init_cpu_char_feature_flags(struct h_cpu_char_result *result) + /* + * The features below are enabled by default, so we instead look to see + * if firmware has *disabled* them, and clear them if so. ++ * H_CPU_BEHAV_FAVOUR_SECURITY_H could be set only if ++ * H_CPU_BEHAV_FAVOUR_SECURITY is. 
+ */ + if (!(result->behaviour & H_CPU_BEHAV_FAVOUR_SECURITY)) + security_ftr_clear(SEC_FTR_FAVOUR_SECURITY); ++ else if (result->behaviour & H_CPU_BEHAV_FAVOUR_SECURITY_H) ++ pseries_security_flavor = 1; ++ else ++ pseries_security_flavor = 2; + + if (!(result->behaviour & H_CPU_BEHAV_L1D_FLUSH_PR)) + security_ftr_clear(SEC_FTR_L1D_FLUSH_PR); +-- +2.26.2 + diff --git a/patches.suse/powerpc-security-Add-a-security-feature-for-STF-barr.patch b/patches.suse/powerpc-security-Add-a-security-feature-for-STF-barr.patch new file mode 100644 index 0000000..66f6f30 --- /dev/null +++ b/patches.suse/powerpc-security-Add-a-security-feature-for-STF-barr.patch 
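Review bot: `pseries_security_flavor` is a zero-initialised global that is written only in the `else if`/`else` arms added to `init_cpu_char_feature_flags()`, so `security_flavor=0` in /proc/powerpc/lparcfg is what gets printed both when firmware clears `H_CPU_BEHAV_FAVOUR_SECURITY` and, presumably, when this function never runs at all (for example if the characteristics query fails; the caller is outside the hunk). The commit message documents 0 as "Speculative execution fully enabled", so a monitoring tool reading the file cannot tell a failed query from a deliberately unmitigated partition. Consider emitting the line only once the value is known, or documenting the ambiguity next to the `seq_printf()` in `pseries_lparcfg_data()`. The bare `1` and `2` also deserve a comment giving the mapping, e.g. `/* 1: user-to-kernel (FAVOUR_SECURITY_H set), 2: user-to-kernel and user-to-user */`.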
@@ -0,0 +1,71 @@ +From 84ed26fd00c514da57cd46aa3728a48f1f9b35cd Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Mon, 3 May 2021 23:02:41 +1000 +Subject: [PATCH] powerpc/security: Add a security feature for STF barrier + +References: bsc#1188885 ltc#193722 +Patch-mainline: v5.14-rc1 +Git-commit: 84ed26fd00c514da57cd46aa3728a48f1f9b35cd + +Rather than tying this mitigation to RFI L1D flush requirement, add a +new bit for it. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210503130243.891868-3-npiggin@gmail.com +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/security_features.h | 4 ++++ + arch/powerpc/kernel/security.c | 7 ++----- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h +index b774a4477d5f..792eefaf230b 100644 +--- a/arch/powerpc/include/asm/security_features.h ++++ b/arch/powerpc/include/asm/security_features.h +@@ -92,6 +92,9 @@ static inline bool security_ftr_enabled(u64 feature) + // The L1-D cache should be flushed after user accesses from the kernel + #define SEC_FTR_L1D_FLUSH_UACCESS 0x0000000000008000ull + ++// The STF flush should be executed on privilege state switch ++#define SEC_FTR_STF_BARRIER 0x0000000000010000ull ++ + // Features enabled by default + #define SEC_FTR_DEFAULT \ + (SEC_FTR_L1D_FLUSH_HV | \ +@@ -99,6 +102,7 @@ static inline bool security_ftr_enabled(u64 feature) + SEC_FTR_BNDS_CHK_SPEC_BAR | \ + SEC_FTR_L1D_FLUSH_ENTRY | \ + SEC_FTR_L1D_FLUSH_UACCESS | \ ++ SEC_FTR_STF_BARRIER | \ + SEC_FTR_FAVOUR_SECURITY) + + #endif /* _ASM_POWERPC_SECURITY_FEATURES_H */ +diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c +index 9c2f7b909911..cc51fa52e783 100644 +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -300,9 +300,7 @@ static void stf_barrier_enable(bool enable) + void setup_stf_barrier(void) + { + enum 
stf_barrier_type type; +- bool enable, hv; +- +- hv = cpu_has_feature(CPU_FTR_HVMODE); ++ bool enable; + + /* Default to fallback in case fw-features are not available */ + if (cpu_has_feature(CPU_FTR_ARCH_300)) +@@ -315,8 +313,7 @@ void setup_stf_barrier(void) + type = STF_BARRIER_NONE; + + enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && +- (security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) || +- (security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && hv)); ++ security_ftr_enabled(SEC_FTR_STF_BARRIER); + + if (type == STF_BARRIER_FALLBACK) { + pr_info("stf-barrier: fallback barrier available\n"); +-- +2.26.2 + diff --git a/patches.suse/regulator-hi6421-Fix-getting-wrong-drvdata.patch b/patches.suse/regulator-hi6421-Fix-getting-wrong-drvdata.patch new file mode 100644 index 0000000..766778d --- /dev/null +++ b/patches.suse/regulator-hi6421-Fix-getting-wrong-drvdata.patch 
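Review bot: `setup_stf_barrier()` now enables the barrier from `SEC_FTR_STF_BARRIER` alone, and that bit is added to `SEC_FTR_DEFAULT`, so every platform that does not explicitly clear it keeps the barrier on whenever `SEC_FTR_FAVOUR_SECURITY` is set. On this page only the pseries path (the `H_CPU_BEHAV_NO_STF_BARRIER` patch) clears the new bit, and whether other platform setup code does is not visible here. It is worth confirming that the backport carries the matching firmware-parsing change for those platforms, otherwise systems that previously skipped the barrier because neither `SEC_FTR_L1D_FLUSH_PR` nor `SEC_FTR_L1D_FLUSH_HV` applied will now run it. The change errs toward more mitigation, so the likely cost is a performance regression rather than lost protection. The body of `setup_stf_barrier()` continues outside both hunks.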
@@ -0,0 +1,119 @@ +From 1c73daee4bf30ccdff5e86dc400daa6f74735da5 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Wed, 30 Jun 2021 17:59:59 +0800 +Subject: [PATCH] regulator: hi6421: Fix getting wrong drvdata +Git-commit: 1c73daee4bf30ccdff5e86dc400daa6f74735da5 +Patch-mainline: v5.14-rc3 +References: git-fixes + +Since config.dev = pdev->dev.parent in current code, so +dev_get_drvdata(rdev->dev.parent) call in hi6421_regulator_enable +returns the drvdata of the mfd device rather than the regulator. Fix it. + +This was broken while converting to use simplified DT parsing because the +config.dev changed from pdev->dev to pdev->dev.parent for parsing the +parent's of_node. + +Fixes: 29dc269a85ef ("regulator: hi6421: Convert to use simplified DT parsing") +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210630095959.2411543-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/regulator/hi6421-regulator.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c +index bff8c515dcde..d144a4bdb76d 100644 +--- a/drivers/regulator/hi6421-regulator.c ++++ b/drivers/regulator/hi6421-regulator.c +@@ -366,9 +366,8 @@ static struct hi6421_regulator_info + + static int hi6421_regulator_enable(struct regulator_dev *rdev) + { +- struct hi6421_regulator_pdata *pdata; ++ struct hi6421_regulator_pdata *pdata = rdev_get_drvdata(rdev); + +- pdata = dev_get_drvdata(rdev->dev.parent); + /* hi6421 spec requires regulator enablement must be serialized: + * - Because when BUCK, LDO switching from off to on, it will have + * a huge instantaneous current; so you can not turn on two or +@@ -385,9 +384,10 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev) + + static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct 
hi6421_regulator_info *info; + unsigned int reg_val; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) + return REGULATOR_MODE_IDLE; +@@ -397,9 +397,10 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + + static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int reg_val; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) + return REGULATOR_MODE_STANDBY; +@@ -410,9 +411,10 @@ static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int new_mode; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + switch (mode) { + case REGULATOR_MODE_NORMAL: + new_mode = 0; +@@ -434,9 +436,10 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int new_mode; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + switch (mode) { + case REGULATOR_MODE_NORMAL: + new_mode = 0; +@@ -459,7 +462,9 @@ static unsigned int + hi6421_regulator_ldo_get_optimum_mode(struct regulator_dev *rdev, + int input_uV, int output_uV, int load_uA) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; ++ ++ info = container_of(rdev->desc, struct 
hi6421_regulator_info, desc); + + if (load_uA > info->eco_microamp) + return REGULATOR_MODE_NORMAL; +@@ -543,14 +548,13 @@ static int hi6421_regulator_probe(struct platform_device *pdev) + if (!pdata) + return -ENOMEM; + mutex_init(&pdata->lock); +- platform_set_drvdata(pdev, pdata); + + for (i = 0; i < ARRAY_SIZE(hi6421_regulator_info); i++) { + /* assign per-regulator data */ + info = &hi6421_regulator_info[i]; + + config.dev = pdev->dev.parent; +- config.driver_data = info; ++ config.driver_data = pdata; + config.regmap = pmic->regmap; + + rdev = devm_regulator_register(&pdev->dev, &info->desc, +-- +2.26.2 + diff --git a/patches.suse/regulator-hi6421-Use-correct-variable-type-for-regma.patch b/patches.suse/regulator-hi6421-Use-correct-variable-type-for-regma.patch new file mode 100644 index 0000000..816671a --- /dev/null +++ b/patches.suse/regulator-hi6421-Use-correct-variable-type-for-regma.patch 
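Review bot: In `hi6421_regulator_ldo_get_mode()` and `hi6421_regulator_buck_get_mode()` the return value of `regmap_read()` is discarded and `reg_val` is tested against `info->mode_mask` on the next line, so a failed register read decides the reported mode from an uninitialised stack value. The patch touches the declarations directly above the read, so this is a natural place to fix it: either initialise with `unsigned int reg_val = 0;` or check the result of `regmap_read()` and pick a defined fallback mode. The same two functions are modified by the `u32` to `unsigned int` patch that follows on this page, and the point applies there as well. Both function bodies continue outside the hunks.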
@@ -0,0 +1,63 @@ +From ae60e6a9d24e89a74e2512204ad04de94921bdd2 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Sat, 19 Jun 2021 20:41:33 +0800 +Subject: [PATCH] regulator: hi6421: Use correct variable type for regmap api val argument +Git-commit: ae60e6a9d24e89a74e2512204ad04de94921bdd2 +Patch-mainline: v5.14-rc1 +References: git-fixes + +Use unsigned int instead of u32 for regmap_read/regmap_update_bits val +argument. + +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210619124133.4096683-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/regulator/hi6421-regulator.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c +index dc631c1a46b4..bff8c515dcde 100644 +--- a/drivers/regulator/hi6421-regulator.c ++++ b/drivers/regulator/hi6421-regulator.c +@@ -386,7 +386,7 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev) + static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 reg_val; ++ unsigned int reg_val; + + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) +@@ -398,7 +398,7 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 reg_val; ++ unsigned int reg_val; + + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) +@@ -411,7 +411,7 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 new_mode; ++ unsigned int new_mode; + + switch (mode) { + case REGULATOR_MODE_NORMAL: +@@ -435,7 +435,7 @@ static int 
hi6421_regulator_buck_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 new_mode; ++ unsigned int new_mode; + + switch (mode) { + case REGULATOR_MODE_NORMAL: +-- +2.26.2 + diff --git a/patches.suse/spi-imx-add-a-check-for-speed_hz-before-calculating-.patch b/patches.suse/spi-imx-add-a-check-for-speed_hz-before-calculating-.patch new file mode 100644 index 0000000..a6a85ad --- /dev/null +++ b/patches.suse/spi-imx-add-a-check-for-speed_hz-before-calculating-.patch 
@@ -0,0 +1,138 @@ +From 4df2f5e1372e9eec8f9e1b4a3025b9be23487d36 Mon Sep 17 00:00:00 2001 +From: Clark Wang +Date: Thu, 8 Apr 2021 18:33:47 +0800 +Subject: [PATCH] spi: imx: add a check for speed_hz before calculating the clock +Git-commit: 4df2f5e1372e9eec8f9e1b4a3025b9be23487d36 +Patch-mainline: v5.13-rc1 +References: git-fixes + +When some drivers use spi to send data, spi_transfer->speed_hz is +not assigned. If spidev->max_speed_hz is not assigned as well, it +will cause an error in configuring the clock. +Add a check for these two values before configuring the clock. An +error will be returned when they are not assigned. + +Signed-off-by: Clark Wang +Link: https://lore.kernel.org/r/20210408103347.244313-2-xiaoning.wang@nxp.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + drivers/spi/spi-imx.c | 37 +++++++++++++++++++++---------------- + 1 file changed, 21 insertions(+), 16 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index cf5519227dbd..64e8f0828e85 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -66,8 +66,7 @@ struct spi_imx_data; + struct spi_imx_devtype_data { + void (*intctrl)(struct spi_imx_data *, int); + int (*prepare_message)(struct spi_imx_data *, struct spi_message *); +- int (*prepare_transfer)(struct spi_imx_data *, struct spi_device *, +- struct spi_transfer *); ++ int (*prepare_transfer)(struct spi_imx_data *, struct spi_device *); + void (*trigger)(struct spi_imx_data *); + int (*rx_available)(struct spi_imx_data *); + void (*reset)(struct spi_imx_data *); +@@ -572,11 +571,10 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL); +- u32 clk = t->speed_hz, delay; ++ u32 clk, delay; + + /* Clear BL field and set the right value */ + ctrl &= 
~MX51_ECSPI_CTRL_BL_MASK; +@@ -590,7 +588,7 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, + /* set clock speed */ + ctrl &= ~(0xf << MX51_ECSPI_CTRL_POSTDIV_OFFSET | + 0xf << MX51_ECSPI_CTRL_PREDIV_OFFSET); +- ctrl |= mx51_ecspi_clkdiv(spi_imx, t->speed_hz, &clk); ++ ctrl |= mx51_ecspi_clkdiv(spi_imx, spi_imx->spi_bus_clk, &clk); + spi_imx->spi_bus_clk = clk; + + if (spi_imx->usedma) +@@ -702,13 +700,12 @@ static int mx31_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx31_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + unsigned int reg = MX31_CSPICTRL_ENABLE | MX31_CSPICTRL_MASTER; + unsigned int clk; + +- reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, t->speed_hz, &clk) << ++ reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, spi_imx->spi_bus_clk, &clk) << + MX31_CSPICTRL_DR_SHIFT; + spi_imx->spi_bus_clk = clk; + +@@ -807,14 +804,13 @@ static int mx21_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx21_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + unsigned int reg = MX21_CSPICTRL_ENABLE | MX21_CSPICTRL_MASTER; + unsigned int max = is_imx27_cspi(spi_imx) ? 
16 : 18; + unsigned int clk; + +- reg |= spi_imx_clkdiv_1(spi_imx->spi_clk, t->speed_hz, max, &clk) ++ reg |= spi_imx_clkdiv_1(spi_imx->spi_clk, spi_imx->spi_bus_clk, max, &clk) + << MX21_CSPICTRL_DR_SHIFT; + spi_imx->spi_bus_clk = clk; + +@@ -883,13 +879,12 @@ static int mx1_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx1_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + unsigned int reg = MX1_CSPICTRL_ENABLE | MX1_CSPICTRL_MASTER; + unsigned int clk; + +- reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, t->speed_hz, &clk) << ++ reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, spi_imx->spi_bus_clk, &clk) << + MX1_CSPICTRL_DR_SHIFT; + spi_imx->spi_bus_clk = clk; + +@@ -1168,6 +1163,16 @@ static int spi_imx_setupxfer(struct spi_device *spi, + if (!t) + return 0; + ++ if (!t->speed_hz) { ++ if (!spi->max_speed_hz) { ++ dev_err(&spi->dev, "no speed_hz provided!\n"); ++ return -EINVAL; ++ } ++ dev_dbg(&spi->dev, "using spi->max_speed_hz!\n"); ++ spi_imx->spi_bus_clk = spi->max_speed_hz; ++ } else ++ spi_imx->spi_bus_clk = t->speed_hz; ++ + spi_imx->bits_per_word = t->bits_per_word; + + /* +@@ -1209,7 +1214,7 @@ static int spi_imx_setupxfer(struct spi_device *spi, + spi_imx->slave_burst = t->len; + } + +- spi_imx->devtype_data->prepare_transfer(spi_imx, spi, t); ++ spi_imx->devtype_data->prepare_transfer(spi_imx, spi); + + return 0; + } +-- +2.26.2 + diff --git a/patches.suse/usb-hub-Disable-USB-3-device-initiated-lpm-if-exit-l.patch b/patches.suse/usb-hub-Disable-USB-3-device-initiated-lpm-if-exit-l.patch new file mode 100644 index 0000000..7b66435 --- /dev/null +++ b/patches.suse/usb-hub-Disable-USB-3-device-initiated-lpm-if-exit-l.patch 
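Review bot: `spi_imx_setupxfer()` still discards the `int` returned through `devtype_data->prepare_transfer` and then returns 0, so an error from any per-SoC prepare function would be reported to the caller as success; `return spi_imx->devtype_data->prepare_transfer(spi_imx, spi);` would propagate it (whether any implementation currently returns non-zero is not visible in these hunks). In the same function the new speed check pairs a braced `if` with an unbraced `else`; kernel style wants `} else {` and a closing brace around `spi_imx->spi_bus_clk = t->speed_hz;`. In `mx51_ecspi_prepare_transfer()` `clk` lost its initialiser and is now stored into `spi_imx->spi_bus_clk` purely on the assumption that `mx51_ecspi_clkdiv()` always writes through its out-pointer, which should be confirmed since that helper is outside the hunk.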
@@ -0,0 +1,125 @@ +From 1b7f56fbc7a1b66967b6114d1b5f5a257c3abae6 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 15 Jul 2021 18:01:22 +0300 +Subject: [PATCH] usb: hub: Disable USB 3 device initiated lpm if exit latency is too high +Git-commit: 1b7f56fbc7a1b66967b6114d1b5f5a257c3abae6 +Patch-mainline: v5.14-rc3 +References: git-fixes + +The device initiated link power management U1/U2 states should not be +enabled in case the system exit latency plus one bus interval (125us) is +greater than the shortest service interval of any periodic endpoint. + +This is the case for both U1 and U2 sytstem exit latencies and link states. + +See USB 3.2 section 9.4.9 "Set Feature" for more details + +Note, before this patch the host and device initiated U1/U2 lpm states +were both enabled with lpm. After this patch it's possible to end up with +only host inititated U1/U2 lpm in case the exit latencies won't allow +device initiated lpm. + +If this case we still want to set the udev->usb3_lpm_ux_enabled flag so +that sysfs users can see the link may go to U1/U2. + +Signed-off-by: Mathias Nyman +Cc: stable +Link: https://lore.kernel.org/r/20210715150122.1995966-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/hub.c | 68 ++++++++++++++++++++++++++++++++++-------- + 1 file changed, 56 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index a35d0bedafa3..86658a81d284 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4116,6 +4116,47 @@ static int usb_set_lpm_timeout(struct usb_device *udev, + return 0; + } + ++/* ++ * Don't allow device intiated U1/U2 if the system exit latency + one bus ++ * interval is greater than the minimum service interval of any active ++ * periodic endpoint. 
See USB 3.2 section 9.4.9 ++ */ ++static bool usb_device_may_initiate_lpm(struct usb_device *udev, ++ enum usb3_link_state state) ++{ ++ unsigned int sel; /* us */ ++ int i, j; ++ ++ if (state == USB3_LPM_U1) ++ sel = DIV_ROUND_UP(udev->u1_params.sel, 1000); ++ else if (state == USB3_LPM_U2) ++ sel = DIV_ROUND_UP(udev->u2_params.sel, 1000); ++ else ++ return false; ++ ++ for (i = 0; i < udev->actconfig->desc.bNumInterfaces; i++) { ++ struct usb_interface *intf; ++ struct usb_endpoint_descriptor *desc; ++ unsigned int interval; ++ ++ intf = udev->actconfig->interface[i]; ++ if (!intf) ++ continue; ++ ++ for (j = 0; j < intf->cur_altsetting->desc.bNumEndpoints; j++) { ++ desc = &intf->cur_altsetting->endpoint[j].desc; ++ ++ if (usb_endpoint_xfer_int(desc) || ++ usb_endpoint_xfer_isoc(desc)) { ++ interval = (1 << (desc->bInterval - 1)) * 125; ++ if (sel + 125 > interval) ++ return false; ++ } ++ } ++ } ++ return true; ++} ++ + /* + * Enable the hub-initiated U1/U2 idle timeouts, and enable device-initiated + * U1/U2 entry. +@@ -4188,20 +4229,23 @@ static void usb_enable_link_state(struct usb_hcd *hcd, struct usb_device *udev, + * U1/U2_ENABLE + */ + if (udev->actconfig && +- usb_set_device_initiated_lpm(udev, state, true) == 0) { +- if (state == USB3_LPM_U1) +- udev->usb3_lpm_u1_enabled = 1; +- else if (state == USB3_LPM_U2) +- udev->usb3_lpm_u2_enabled = 1; +- } else { +- /* Don't request U1/U2 entry if the device +- * cannot transition to U1/U2. +- */ +- usb_set_lpm_timeout(udev, state, 0); +- hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state); ++ usb_device_may_initiate_lpm(udev, state)) { ++ if (usb_set_device_initiated_lpm(udev, state, true)) { ++ /* ++ * Request to enable device initiated U1/U2 failed, ++ * better to turn off lpm in this case. 
++ */ ++ usb_set_lpm_timeout(udev, state, 0); ++ hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state); ++ return; ++ } + } +-} + ++ if (state == USB3_LPM_U1) ++ udev->usb3_lpm_u1_enabled = 1; ++ else if (state == USB3_LPM_U2) ++ udev->usb3_lpm_u2_enabled = 1; ++} + /* + * Disable the hub-initiated U1/U2 idle timeouts, and disable device-initiated + * U1/U2 entry. +-- +2.26.2 + diff --git a/patches.suse/usb-hub-Fix-link-power-management-max-exit-latency-M.patch b/patches.suse/usb-hub-Fix-link-power-management-max-exit-latency-M.patch new file mode 100644 index 0000000..bda16ff --- /dev/null +++ b/patches.suse/usb-hub-Fix-link-power-management-max-exit-latency-M.patch 
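Review bot: In `usb_device_may_initiate_lpm()` the expression `(1 << (desc->bInterval - 1)) * 125` uses a shift count taken from the attached device's endpoint descriptor, and a `bInterval` of 0, or one large enough to shift past the width of `int`, is undefined behaviour. If descriptor parsing elsewhere already bounds the field this is safe, but nothing in the hunk shows or states that. Either record that assumption in a comment or bound the value locally, e.g. `interval = (1 << (clamp_val(desc->bInterval, 1, 16) - 1)) * 125;`.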
@@ -0,0 +1,119 @@ +From 1bf2761c837571a66ec290fb66c90413821ffda2 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 15 Jul 2021 18:01:21 +0300 +Subject: [PATCH] usb: hub: Fix link power management max exit latency (MEL) calculations +Git-commit: 1bf2761c837571a66ec290fb66c90413821ffda2 +Patch-mainline: v5.14-rc3 +References: git-fixes + +Maximum Exit Latency (MEL) value is used by host to know how much in +advance it needs to start waking up a U1/U2 suspended link in order to +service a periodic transfer in time. + +Current MEL calculation only includes the time to wake up the path from +U1/U2 to U0. This is called tMEL1 in USB 3.1 section C 1.5.2 + +Total MEL = tMEL1 + tMEL2 +tMEL3 + tMEL4 which should additinally include: +- tMEL2 which is the time it takes for PING message to reach device +- tMEL3 time for device to process the PING and submit a PING_RESPONSE +- tMEL4 time for PING_RESPONSE to traverse back upstream to host. + +Add the missing tMEL2, tMEL3 and tMEL4 to MEL calculation. + +Cc: # v3.5 +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210715150122.1995966-1-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/hub.c | 52 +++++++++++++++++++++++------------------- + 1 file changed, 28 insertions(+), 24 deletions(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index d1efc7141333..a35d0bedafa3 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -48,6 +48,7 @@ + + #define USB_TP_TRANSMISSION_DELAY 40 /* ns */ + #define USB_TP_TRANSMISSION_DELAY_MAX 65535 /* ns */ ++#define USB_PING_RESPONSE_TIME 400 /* ns */ + + /* Protect struct usb_device->state and ->children members + * Note: Both are also protected by ->dev.sem, except that ->state can +@@ -182,8 +183,9 @@ int usb_device_supports_lpm(struct usb_device *udev) + } + + /* +- * Set the Maximum Exit Latency (MEL) for the host to initiate a transition from +- * either U1 or U2. 
++ * Set the Maximum Exit Latency (MEL) for the host to wakup up the path from ++ * U1/U2, send a PING to the device and receive a PING_RESPONSE. ++ * See USB 3.1 section C.1.5.2 + */ + static void usb_set_lpm_mel(struct usb_device *udev, + struct usb3_lpm_parameters *udev_lpm_params, +@@ -193,35 +195,37 @@ static void usb_set_lpm_mel(struct usb_device *udev, + unsigned int hub_exit_latency) + { + unsigned int total_mel; +- unsigned int device_mel; +- unsigned int hub_mel; + + /* +- * Calculate the time it takes to transition all links from the roothub +- * to the parent hub into U0. The parent hub must then decode the +- * packet (hub header decode latency) to figure out which port it was +- * bound for. +- * +- * The Hub Header decode latency is expressed in 0.1us intervals (0x1 +- * means 0.1us). Multiply that by 100 to get nanoseconds. ++ * tMEL1. time to transition path from host to device into U0. ++ * MEL for parent already contains the delay up to parent, so only add ++ * the exit latency for the last link (pick the slower exit latency), ++ * and the hub header decode latency. See USB 3.1 section C 2.2.1 ++ * Store MEL in nanoseconds + */ + total_mel = hub_lpm_params->mel + +- (hub->descriptor->u.ss.bHubHdrDecLat * 100); ++ max(udev_exit_latency, hub_exit_latency) * 1000 + ++ hub->descriptor->u.ss.bHubHdrDecLat * 100; + + /* +- * How long will it take to transition the downstream hub's port into +- * U0? The greater of either the hub exit latency or the device exit +- * latency. +- * +- * The BOS U1/U2 exit latencies are expressed in 1us intervals. +- * Multiply that by 1000 to get nanoseconds. ++ * tMEL2. Time to submit PING packet. Sum of tTPTransmissionDelay for ++ * each link + wHubDelay for each hub. Add only for last link. ++ * tMEL4, the time for PING_RESPONSE to traverse upstream is similar. ++ * Multiply by 2 to include it as well. 
+ */ +- device_mel = udev_exit_latency * 1000; +- hub_mel = hub_exit_latency * 1000; +- if (device_mel > hub_mel) +- total_mel += device_mel; +- else +- total_mel += hub_mel; ++ total_mel += (__le16_to_cpu(hub->descriptor->u.ss.wHubDelay) + ++ USB_TP_TRANSMISSION_DELAY) * 2; ++ ++ /* ++ * tMEL3, tPingResponse. Time taken by device to generate PING_RESPONSE ++ * after receiving PING. Also add 2100ns as stated in USB 3.1 C 1.5.2.4 ++ * to cover the delay if the PING_RESPONSE is queued behind a Max Packet ++ * Size DP. ++ * Note these delays should be added only once for the entire path, so ++ * add them to the MEL of the device connected to the roothub. ++ */ ++ if (!hub->hdev->parent) ++ total_mel += USB_PING_RESPONSE_TIME + 2100; + + udev_lpm_params->mel = total_mel; + } +-- +2.26.2 + diff --git a/patches.suse/virtio_net-move-tx-vq-operation-under-tx-queue-lock.patch b/patches.suse/virtio_net-move-tx-vq-operation-under-tx-queue-lock.patch new file mode 100644 index 0000000..dc032a8 --- /dev/null +++ b/patches.suse/virtio_net-move-tx-vq-operation-under-tx-queue-lock.patch 
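Review bot: In `usb_set_lpm_mel()` the tMEL3 term adds a bare `2100` next to the newly defined `USB_PING_RESPONSE_TIME`, so one half of the sum is a named constant and the other is a magic number explained only by the comment above it. Giving it its own define beside the other delay constants, for example `#define USB_PING_RESPONSE_QUEUE_DELAY 2100 /* ns, USB 3.1 C 1.5.2.4 */` (the name is only a suggestion), keeps the unit and the spec reference attached to the value. The rewritten header comment also reads "wakup up" where it should say "wake up". The function's parameter list begins outside the inner hunk.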
@@ -0,0 +1,64 @@
+From: "Michael S. Tsirkin"
+Date: Tue, 13 Apr 2021 01:35:26 -0400
+Subject: virtio_net: move tx vq operation under tx queue lock
+Patch-mainline: v5.14-rc1
+Git-commit: 5a2f966d0f3fa0ef6dada7ab9eda74cacee96b8a
+References: git-fixes
+
+It's unsafe to operate a vq from multiple threads.
+Unfortunately this is exactly what we do when invoking
+clean tx poll from rx napi.
+Same happens with napi-tx even without the
+opportunistic cleaning from the receive interrupt: that races
+with processing the vq in start_xmit.
+
+As a fix move everything that deals with the vq to under tx lock.
+
+Fixes: b92f1e6751a6 ("virtio-net: transmit napi")
+Signed-off-by: Michael S. Tsirkin
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/virtio_net.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1488,6 +1488,8 @@ static int virtnet_poll_tx(struct napi_s
+ struct virtnet_info *vi = sq->vq->vdev->priv;
+ unsigned int index = vq2txq(sq->vq);
+ struct netdev_queue *txq;
++ int opaque;
++ bool done;
+
+ if (unlikely(is_xdp_raw_buffer_queue(vi, index))) {
+ /* We don't need to enable cb for XDP */
+@@ -1497,10 +1499,28 @@ static int virtnet_poll_tx(struct napi_s
+
+ txq = netdev_get_tx_queue(vi->dev, index);
+ __netif_tx_lock(txq, raw_smp_processor_id());
++ virtqueue_disable_cb(sq->vq);
+ free_old_xmit_skbs(sq, true);
++
++ opaque = virtqueue_enable_cb_prepare(sq->vq);
++
++ done = napi_complete_done(napi, 0);
++
++ if (!done)
++ virtqueue_disable_cb(sq->vq);
++
+ __netif_tx_unlock(txq);
+
+- virtqueue_napi_complete(napi, sq->vq, 0);
++ if (done) {
++ if (unlikely(virtqueue_poll(sq->vq, opaque))) {
++ if (napi_schedule_prep(napi)) {
++ __netif_tx_lock(txq, raw_smp_processor_id());
++ virtqueue_disable_cb(sq->vq);
++ __netif_tx_unlock(txq);
++ __napi_schedule(napi);
++ }
++ }
++ }
+
+ if (sq->vq->num_free >= 2 + MAX_SKB_FRAGS)
+ netif_tx_wake_queue(txq);
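Review bot: The last two context lines of the second inner hunk still read `sq->vq->num_free` after `__netif_tx_unlock(txq)`, so one vq access in `virtnet_poll_tx()` stays outside the tx queue lock that this change is meant to put around all of them. If that read can race with `start_xmit` in the way the description explains for the other accesses, the wake-up check belongs inside the locked region, i.e. `if (sq->vq->num_free >= 2 + MAX_SKB_FRAGS) netif_tx_wake_queue(txq);` moved to just after `free_old_xmit_skbs(sq, true);`. `virtqueue_poll(sq->vq, opaque)` is also called without the lock; a one-line comment saying why that is safe would help the next reader. The function starts and ends outside the hunks shown.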
diff --git a/patches.suse/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch b/patches.suse/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch
new file mode 100644
index 0000000..cc23cd2
--- /dev/null
+++ b/patches.suse/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch
@@ -0,0 +1,77 @@ +From: Eric Dumazet +Date: Mon, 21 Jun 2021 07:44:17 -0700 +Subject: vxlan: add missing rcu_read_lock() in neigh_reduce() +Patch-mainline: v5.14-rc1 +Git-commit: 85e8b032d6ebb0f698a34dd22c2f13443d905888 +References: git-fixes + +syzbot complained in neigh_reduce(), because rcu_read_lock_bh() +is treated differently than rcu_read_lock() + +WARNING: suspicious RCU usage +5.13.0-rc6-syzkaller #0 Not tainted +----------------------------- +include/net/addrconf.h:313 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +3 locks held by kworker/0:0/5: + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:617 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x871/0x1600 kernel/workqueue.c:2247 + #1: ffffc90000ca7da8 ((work_completion)(&port->wq)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1600 kernel/workqueue.c:2251 + #2: ffffffff8bf795c0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1da/0x3130 net/core/dev.c:4180 + +stack backtrace: +CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.13.0-rc6-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events ipvlan_process_multicast +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x141/0x1d7 lib/dump_stack.c:120 + __in6_dev_get include/net/addrconf.h:313 
[inline] + __in6_dev_get include/net/addrconf.h:311 [inline] + neigh_reduce drivers/net/vxlan.c:2167 [inline] + vxlan_xmit+0x34d5/0x4c30 drivers/net/vxlan.c:2919 + __netdev_start_xmit include/linux/netdevice.h:4944 [inline] + netdev_start_xmit include/linux/netdevice.h:4958 [inline] + xmit_one net/core/dev.c:3654 [inline] + dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3670 + __dev_queue_xmit+0x2133/0x3130 net/core/dev.c:4246 + ipvlan_process_multicast+0xa99/0xd70 drivers/net/ipvlan/ipvlan_core.c:287 + process_one_work+0x98d/0x1600 kernel/workqueue.c:2276 + worker_thread+0x64c/0x1120 kernel/workqueue.c:2422 + kthread+0x3b1/0x4a0 kernel/kthread.c:313 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 + +Fixes: f564f45c4518 ("vxlan: add ipv6 proxy support") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/vxlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1994,6 +1994,7 @@ static int neigh_reduce(struct net_devic + struct neighbour *n; + struct nd_msg *msg; + ++ rcu_read_lock(); + in6_dev = __in6_dev_get(dev); + if (!in6_dev) + goto out; +@@ -2045,6 +2046,7 @@ static int neigh_reduce(struct net_devic + } + + out: ++ rcu_read_unlock(); + consume_skb(skb); + return NETDEV_TX_OK; + } diff --git a/patches.suse/workqueue-fix-UAF-in-pwq_unbound_release_workfn.patch b/patches.suse/workqueue-fix-UAF-in-pwq_unbound_release_workfn.patch new file mode 100644 index 0000000..a0113a4 --- /dev/null +++ b/patches.suse/workqueue-fix-UAF-in-pwq_unbound_release_workfn.patch 
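Review bot: The added `rcu_read_lock()` in `neigh_reduce()` carries no comment, and the reason for it is not obvious from the code because, per the lockdep report quoted in the description, the transmit path already holds `rcu_read_lock_bh()`. A short comment above the lock, such as `/* __in6_dev_get() needs a plain RCU read-side section; the xmit path holds only rcu_read_lock_bh() */`, would keep it from being removed later as redundant. The unlock sits at the `out:` label, so the pairing holds only if every exit between the two inner hunks goes through `out:`; that part of the function is not visible here and is worth confirming.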
@@ -0,0 +1,154 @@ +From b42b0bddcbc87b4c66f6497f66fc72d52b712aa7 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 14 Jul 2021 17:19:33 +0800 +Subject: [PATCH] workqueue: fix UAF in pwq_unbound_release_workfn() +Git-commit: b42b0bddcbc87b4c66f6497f66fc72d52b712aa7 +Patch-mainline: v5.14-rc4 +References: bsc#1188973 + +I got a UAF report when doing fuzz test: + +[ 152.880091][ T8030] ================================================================== +[ 152.881240][ T8030] BUG: KASAN: use-after-free in pwq_unbound_release_workfn+0x50/0x190 +[ 152.882442][ T8030] Read of size 4 at addr ffff88810d31bd00 by task kworker/3:2/8030 +[ 152.883578][ T8030] +[ 152.883932][ T8030] CPU: 3 PID: 8030 Comm: kworker/3:2 Not tainted 5.13.0+ #249 +[ 152.885014][ T8030] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +[ 152.886442][ T8030] Workqueue: events pwq_unbound_release_workfn +[ 152.887358][ T8030] Call Trace: +[ 152.887837][ T8030] dump_stack_lvl+0x75/0x9b +[ 152.888525][ T8030] ? pwq_unbound_release_workfn+0x50/0x190 +[ 152.889371][ T8030] print_address_description.constprop.10+0x48/0x70 +[ 152.890326][ T8030] ? pwq_unbound_release_workfn+0x50/0x190 +[ 152.891163][ T8030] ? pwq_unbound_release_workfn+0x50/0x190 +[ 152.891999][ T8030] kasan_report.cold.15+0x82/0xdb +[ 152.892740][ T8030] ? pwq_unbound_release_workfn+0x50/0x190 +[ 152.893594][ T8030] __asan_load4+0x69/0x90 +[ 152.894243][ T8030] pwq_unbound_release_workfn+0x50/0x190 +[ 152.895057][ T8030] process_one_work+0x47b/0x890 +[ 152.895778][ T8030] worker_thread+0x5c/0x790 +[ 152.896439][ T8030] ? process_one_work+0x890/0x890 +[ 152.897163][ T8030] kthread+0x223/0x250 +[ 152.897747][ T8030] ? 
set_kthread_struct+0xb0/0xb0 +[ 152.898471][ T8030] ret_from_fork+0x1f/0x30 +[ 152.899114][ T8030] +[ 152.899446][ T8030] Allocated by task 8884: +[ 152.900084][ T8030] kasan_save_stack+0x21/0x50 +[ 152.900769][ T8030] __kasan_kmalloc+0x88/0xb0 +[ 152.901416][ T8030] __kmalloc+0x29c/0x460 +[ 152.902014][ T8030] alloc_workqueue+0x111/0x8e0 +[ 152.902690][ T8030] __btrfs_alloc_workqueue+0x11e/0x2a0 +[ 152.903459][ T8030] btrfs_alloc_workqueue+0x6d/0x1d0 +[ 152.904198][ T8030] scrub_workers_get+0x1e8/0x490 +[ 152.904929][ T8030] btrfs_scrub_dev+0x1b9/0x9c0 +[ 152.905599][ T8030] btrfs_ioctl+0x122c/0x4e50 +[ 152.906247][ T8030] __x64_sys_ioctl+0x137/0x190 +[ 152.906916][ T8030] do_syscall_64+0x34/0xb0 +[ 152.907535][ T8030] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 152.908365][ T8030] +[ 152.908688][ T8030] Freed by task 8884: +[ 152.909243][ T8030] kasan_save_stack+0x21/0x50 +[ 152.909893][ T8030] kasan_set_track+0x20/0x30 +[ 152.910541][ T8030] kasan_set_free_info+0x24/0x40 +[ 152.911265][ T8030] __kasan_slab_free+0xf7/0x140 +[ 152.911964][ T8030] kfree+0x9e/0x3d0 +[ 152.912501][ T8030] alloc_workqueue+0x7d7/0x8e0 +[ 152.913182][ T8030] __btrfs_alloc_workqueue+0x11e/0x2a0 +[ 152.913949][ T8030] btrfs_alloc_workqueue+0x6d/0x1d0 +[ 152.914703][ T8030] scrub_workers_get+0x1e8/0x490 +[ 152.915402][ T8030] btrfs_scrub_dev+0x1b9/0x9c0 +[ 152.916077][ T8030] btrfs_ioctl+0x122c/0x4e50 +[ 152.916729][ T8030] __x64_sys_ioctl+0x137/0x190 +[ 152.917414][ T8030] do_syscall_64+0x34/0xb0 +[ 152.918034][ T8030] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 152.918872][ T8030] +[ 152.919203][ T8030] The buggy address belongs to the object at ffff88810d31bc00 +[ 152.919203][ T8030] which belongs to the cache kmalloc-512 of size 512 +[ 152.921155][ T8030] The buggy address is located 256 bytes inside of +[ 152.921155][ T8030] 512-byte region [ffff88810d31bc00, ffff88810d31be00) +[ 152.922993][ T8030] The buggy address belongs to the page: +[ 152.923800][ T8030] page:ffffea000434c600 
refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d318 +[ 152.925249][ T8030] head:ffffea000434c600 order:2 compound_mapcount:0 compound_pincount:0 +[ 152.926399][ T8030] flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff) +[ 152.927515][ T8030] raw: 057ff00000010200 dead000000000100 dead000000000122 ffff888009c42c80 +[ 152.928716][ T8030] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 +[ 152.929890][ T8030] page dumped because: kasan: bad access detected +[ 152.930759][ T8030] +[ 152.931076][ T8030] Memory state around the buggy address: +[ 152.931851][ T8030] ffff88810d31bc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 152.932967][ T8030] ffff88810d31bc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 152.934068][ T8030] >ffff88810d31bd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 152.935189][ T8030] ^ +[ 152.935763][ T8030] ffff88810d31bd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 152.936847][ T8030] ffff88810d31be00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 152.937940][ T8030] ================================================================== + +If apply_wqattrs_prepare() fails in alloc_workqueue(), it will call put_pwq() +which invoke a work queue to call pwq_unbound_release_workfn() and use the 'wq'. +The 'wq' allocated in alloc_workqueue() will be freed in error path when +apply_wqattrs_prepare() fails. So it will lead a UAF. + +CPU0 CPU1 +alloc_workqueue() +alloc_and_link_pwqs() +apply_wqattrs_prepare() fails +apply_wqattrs_cleanup() +schedule_work(&pwq->unbound_release_work) +kfree(wq) + worker_thread() + pwq_unbound_release_workfn() <- trigger uaf here + +If apply_wqattrs_prepare() fails, the new pwq are not linked, it doesn't +hold any reference to the 'wq', 'wq' is invalid to access in the worker, +so add check pwq if linked to fix this. 
+ +Fixes: 2d5f0764b526 ("workqueue: split apply_workqueue_attrs() into 3 stages") +Cc: stable@vger.kernel.org # v4.2+ +Reported-by: Hulk Robot +Suggested-by: Lai Jiangshan +Signed-off-by: Yang Yingliang +Reviewed-by: Lai Jiangshan +Tested-by: Pavel Skripkin +Signed-off-by: Tejun Heo +Acked-by: Petr Mladek + +--- + kernel/workqueue.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 50142fc08902..f148eacda55a 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -3676,15 +3676,21 @@ static void pwq_unbound_release_workfn(struct work_struct *work) + unbound_release_work); + struct workqueue_struct *wq = pwq->wq; + struct worker_pool *pool = pwq->pool; +- bool is_last; ++ bool is_last = false; + +- if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND))) +- return; ++ /* ++ * when @pwq is not linked, it doesn't hold any reference to the ++ * @wq, and @wq is invalid to access. ++ */ ++ if (!list_empty(&pwq->pwqs_node)) { ++ if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND))) ++ return; + +- mutex_lock(&wq->mutex); +- list_del_rcu(&pwq->pwqs_node); +- is_last = list_empty(&wq->pwqs); +- mutex_unlock(&wq->mutex); ++ mutex_lock(&wq->mutex); ++ list_del_rcu(&pwq->pwqs_node); ++ is_last = list_empty(&wq->pwqs); ++ mutex_unlock(&wq->mutex); ++ } + + mutex_lock(&wq_pool_mutex); + put_unbound_pool(pool); +-- +2.26.2 + diff --git a/patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch b/patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch new file mode 100644 index 0000000..5a11a1f --- /dev/null +++ b/patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch 
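Review bot: In `pwq_unbound_release_workfn()` the new `list_empty(&pwq->pwqs_node)` test is the only thing keeping the worker from dereferencing a freed `wq`, but the added comment does not say what guarantees the test's result. It presumably relies on `pwqs_node` being initialised as an empty list when the pwq is set up and populated only when the pwq is linked; neither is visible in this hunk, so the comment should name that invariant, e.g. `/* pwqs_node stays empty until the pwq is linked; an unlinked pwq comes from the failed-prepare path and @wq may already be freed */`. The local `wq` still holds the stale pointer in that case, so the code after the hunk must keep every use of `wq` behind `is_last`, which is why the new `is_last = false` initialiser matters. The function continues outside the hunk.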
@@ -0,0 +1,103 @@ +From: Sabrina Dubroca +Subject: xfrm: xfrm_state_mtu should return at least 1280 for ipv6 +Git-commit: b515d2637276a3810d6595e10ab02c13bfd0b63a +Patch-mainline: v5.14-rc1 +References: bsc#1185377 +Acked-by: Jiri Bohac + +Jianwen reported that IPv6 Interoperability tests are failing in an +IPsec case where one of the links between the IPsec peers has an MTU +of 1280. The peer generates a packet larger than this MTU, the router +replies with a "Packet too big" message indicating an MTU of 1280. +When the peer tries to send another large packet, xfrm_state_mtu +returns 1280 - ipsec_overhead, which causes ip6_setup_cork to fail +with EINVAL. + +We can fix this by forcing xfrm_state_mtu to return IPV6_MIN_MTU when +IPv6 is used. After going through IPsec, the packet will then be +fragmented to obey the actual network's PMTU, just before leaving the +host. + +Currently, TFC padding is capped to PMTU - overhead to avoid +fragementation: after padding and encapsulation, we still fit within +the PMTU. That behavior is preserved in this patch. 
+ +Fixes: 91657eafb64b ("xfrm: take net hdr len into account for esp payload size calculation") +Reported-by: Jianwen Ji +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index c58a6d4eb610..6232a5f048bd 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1546,6 +1546,7 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si); + void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si); + u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq); + int xfrm_init_replay(struct xfrm_state *x); ++u32 __xfrm_state_mtu(struct xfrm_state *x, int mtu); + u32 xfrm_state_mtu(struct xfrm_state *x, int mtu); + int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload); + int xfrm_init_state(struct xfrm_state *x); +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index 4b834bbf95e0..ed9857b2875d 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -673,7 +673,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) + struct xfrm_dst *dst = (struct xfrm_dst *)skb_dst(skb); + u32 padto; + +- padto = min(x->tfcpad, xfrm_state_mtu(x, dst->child_mtu_cached)); ++ padto = min(x->tfcpad, __xfrm_state_mtu(x, dst->child_mtu_cached)); + if (skb->len < padto) + esp.tfclen = padto - skb->len; + } +diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c +index 727d791ed5e6..9d1327b36bd3 100644 +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -708,7 +708,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) + struct xfrm_dst *dst = (struct xfrm_dst *)skb_dst(skb); + u32 padto; + +- padto = min(x->tfcpad, xfrm_state_mtu(x, dst->child_mtu_cached)); ++ padto = min(x->tfcpad, __xfrm_state_mtu(x, dst->child_mtu_cached)); + if (skb->len < padto) + esp.tfclen = padto - skb->len; + } +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 4496f7efa220..c25586156c6a 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -2518,7 
+2518,7 @@ void xfrm_state_delete_tunnel(struct xfrm_state *x) + } + EXPORT_SYMBOL(xfrm_state_delete_tunnel); + +-u32 xfrm_state_mtu(struct xfrm_state *x, int mtu) ++u32 __xfrm_state_mtu(struct xfrm_state *x, int mtu) + { + const struct xfrm_type *type = READ_ONCE(x->type); + struct crypto_aead *aead; +@@ -2549,7 +2549,18 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu) + return ((mtu - x->props.header_len - crypto_aead_authsize(aead) - + net_adj) & ~(blksize - 1)) + net_adj - 2; + } +-EXPORT_SYMBOL_GPL(xfrm_state_mtu); ++EXPORT_SYMBOL_GPL(__xfrm_state_mtu); ++ ++u32 xfrm_state_mtu(struct xfrm_state *x, int mtu) ++{ ++ mtu = __xfrm_state_mtu(x, mtu); ++ ++ if (x->props.family == AF_INET6 && mtu < IPV6_MIN_MTU) ++ return IPV6_MIN_MTU; ++ ++ return mtu; ++} ++EXPORT_SYMBOL_GPL(xfrm_state_mtu); + + int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload) + { +-- +2.32.0 + diff --git a/patches.suse/xhci-Fix-lost-USB-2-remote-wake.patch b/patches.suse/xhci-Fix-lost-USB-2-remote-wake.patch new file mode 100644 index 0000000..3b58f88 --- /dev/null +++ b/patches.suse/xhci-Fix-lost-USB-2-remote-wake.patch 
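Review bot: The new `xfrm_state_mtu()` wrapper has no comment, and its contract now differs from `__xfrm_state_mtu()` in a way callers need to know: for `AF_INET6` it can return `IPV6_MIN_MTU` even when that is more than the path MTU minus the IPsec overhead. The description says the packet is then fragmented after IPsec processing, so any caller that uses the result to size payloads in order to avoid fragmentation should be checked; apart from the two TFC padding sites switched to `__xfrm_state_mtu()`, those call sites are not in this patch. I would add a comment above the wrapper along the lines of `/* IPv6: never report less than IPV6_MIN_MTU; the result may exceed PMTU - overhead, use __xfrm_state_mtu() when an exact fit is needed */`. The wrapper also assigns the helper's `u32` result to the `int mtu` parameter before the comparison, which deserves a word in the same comment if the sign conversion is intended.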
@@ -0,0 +1,75 @@ +From 72f68bf5c756f5ce1139b31daae2684501383ad5 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 15 Jul 2021 18:06:51 +0300 +Subject: [PATCH] xhci: Fix lost USB 2 remote wake +Git-commit: 72f68bf5c756f5ce1139b31daae2684501383ad5 +Patch-mainline: v5.14-rc3 +References: git-fixes + +There's a small window where a USB 2 remote wake may be left unhandled +due to a race between hub thread and xhci port event interrupt handler. + +When the resume event is detected in the xhci interrupt handler it kicks +the hub timer, which should move the port from resume to U0 once resume +has been signalled for long enough. + +To keep the hub "thread" running we set a bus_state->resuming_ports flag. +This flag makes sure hub timer function kicks itself. + +checking this flag was not properly protected by the spinlock. Flag was +copied to a local variable before lock was taken. The local variable was +then checked later with spinlock held. + +If interrupt is handled right after copying the flag to the local variable +we end up stopping the hub thread before it can handle the USB 2 resume. 
+ +CPU0 CPU1 +(hub thread) (xhci event handler) + +xhci_hub_status_data() +status = bus_state->resuming_ports; + + handle_port_status() + spin_lock() + bus_state->resuming_ports = 1 + set_flag(HCD_FLAG_POLL_RH) + spin_unlock() +spin_lock() +if (!status) + clear_flag(HCD_FLAG_POLL_RH) +spin_unlock() + +Fix this by taking the lock a bit earlier so that it covers +the resuming_ports flag copy in the hub thread + +Cc: +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210715150651.1996099-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-hub.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index e9b18fc17617..151e93c4bd57 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -1638,11 +1638,12 @@ int xhci_hub_status_data(struct usb_hcd *hcd, char *buf) + * Inform the usbcore about resume-in-progress by returning + * a non-zero value even if there are no status changes. + */ ++ spin_lock_irqsave(&xhci->lock, flags); ++ + status = bus_state->resuming_ports; + + mask = PORT_CSC | PORT_PEC | PORT_OCC | PORT_PLC | PORT_WRC | PORT_CEC; + +- spin_lock_irqsave(&xhci->lock, flags); + /* For each port, did anything change? If so, set that bit in buf. */ + for (i = 0; i < max_ports; i++) { + temp = readl(ports[i]->addr); +-- +2.26.2 + diff --git a/rpm/dtb.spec.in.in b/rpm/dtb.spec.in.in index a56a143..edff110 100644 --- a/rpm/dtb.spec.in.in +++ b/rpm/dtb.spec.in.in @@ -36,7 +36,7 @@ Release: .g@COMMIT@ Release: @RELEASE@ %endif Summary: Device Tree files for $MACHINES -License: GPL-2.0 +License: GPL-2.0-only Group: System/Boot Url: http://www.kernel.org/ $ARCH_RESTRICTIONS diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in index da0599c..6ddbe94 100644 --- a/rpm/kernel-binary.spec.in +++ b/rpm/kernel-binary.spec.in 
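Review bot: In `xhci_hub_status_data()` the moved `spin_lock_irqsave(&xhci->lock, flags)` now sits directly under the existing comment about reporting resume-in-progress, which says nothing about locking, so the reason the lock must precede the `bus_state->resuming_ports` read is recorded only in the commit message. A line such as `/* resuming_ports is set by the port event handler under xhci->lock; read it under the same lock */` above the lock call would stop the two statements from being reordered again. The function begins and ends outside the hunk, so whether any path between the lock and the matching unlock returns early cannot be checked here.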
@@ -84,7 +84,7 @@ Name: kernel-@FLAVOR@ Summary: @SUMMARY@ -License: GPL-2.0 +License: GPL-2.0-only Group: System/Kernel Version: @RPMVERSION@ %if 0%{?is_kotd} diff --git a/rpm/kernel-default-base.spec.txt b/rpm/kernel-default-base.spec.txt index 58a7cae..75385dd 100644 --- a/rpm/kernel-default-base.spec.txt +++ b/rpm/kernel-default-base.spec.txt @@ -100,7 +100,7 @@ BuildRequires: kernel-subpackage-macros Summary: %summary URL: %url Group: %group -License: GPL-2.0 +License: GPL-2.0-only # Internal stuff begins %define rpm_kver %(rpm -q --qf '%%{VERSION}' %kernel_package_name) diff --git a/rpm/kernel-docs.spec.in b/rpm/kernel-docs.spec.in index c6ff547..423ea18 100644 --- a/rpm/kernel-docs.spec.in +++ b/rpm/kernel-docs.spec.in @@ -29,7 +29,7 @@ Name: kernel-docs@VARIANT@ Summary: Kernel Documentation -License: GPL-2.0 +License: GPL-2.0-only Group: Documentation/Man Version: @RPMVERSION@ %if 0%{?is_kotd} diff --git a/rpm/kernel-obs-build.spec.in b/rpm/kernel-obs-build.spec.in index 88acd79..5c8aee7 100644 --- a/rpm/kernel-obs-build.spec.in +++ b/rpm/kernel-obs-build.spec.in @@ -62,7 +62,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: dracut %endif Summary: package kernel and initrd for OBS VM builds -License: GPL-2.0 +License: GPL-2.0-only Group: SLES Version: @RPMVERSION@ %if 0%{?is_kotd} diff --git a/rpm/kernel-obs-qa.spec.in b/rpm/kernel-obs-qa.spec.in index fa8234e..fd9c0c6 100644 --- a/rpm/kernel-obs-qa.spec.in +++ b/rpm/kernel-obs-qa.spec.in @@ -34,7 +34,7 @@ ExclusiveArch: @ARCHS@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %endif Summary: Basic QA tests for the kernel -License: GPL-2.0 +License: GPL-2.0-only Group: SLES Version: @RPMVERSION@ %if 0%{?is_kotd} diff --git a/rpm/kernel-source.spec.in b/rpm/kernel-source.spec.in index 3a3a196..0166f72 100644 --- a/rpm/kernel-source.spec.in +++ b/rpm/kernel-source.spec.in 
@@ -28,7 +28,7 @@ Name: kernel-source@VARIANT@ Summary: The Linux Kernel Sources -License: GPL-2.0 +License: GPL-2.0-only Group: Development/Sources Version: @RPMVERSION@ %if 0%{?is_kotd} diff --git a/rpm/kernel-syms.spec.in b/rpm/kernel-syms.spec.in index 7307990..8189609 100644 --- a/rpm/kernel-syms.spec.in +++ b/rpm/kernel-syms.spec.in @@ -22,7 +22,7 @@ Name: kernel-syms@VARIANT@ Summary: Kernel Symbol Versions (modversions) -License: GPL-2.0 +License: GPL-2.0-only Group: Development/Sources Version: @RPMVERSION@ %if %using_buildservice diff --git a/series.conf b/series.conf index 9b908f1..0076e97 100644 --- a/series.conf +++ b/series.conf @@ -541,6 +541,7 @@ patches.suse/platform-x86-ISST-Use-dev_get_drvdata.patch patches.suse/platform-x86-intel_pmc_ipc-remove-dev_err-usage-after-platform_get_irq.patch patches.suse/platform-mellanox-mlxreg-hotplug-Remove-dev_err-usag.patch + patches.suse/platform-x86-intel_int0002_vgpio-Remove-dev_err-usag.patch patches.suse/platform-x86-intel_pmc_core-Do-not-ioremap-RAM.patch patches.suse/platform-x86-intel_pmc_core_pltdrv-Module-removal-wa.patch patches.suse/platform-x86-pmc_atom-Add-Siemens-SIMATIC-IPC227E-to.patch @@ -18831,6 +18832,7 @@ patches.suse/staging-rtl8188eu-cleanup-comparsions-to-NULL-in-rtw.patch patches.suse/staging-rtl8188eu-add-spaces-around-operators-in-rtw.patch patches.suse/staging-rtl8188eu-use-break-to-exit-while-loop.patch + patches.suse/iio-accel-bma180-Use-explicit-member-assignment.patch patches.suse/staging-rtl8188-avoid-excessive-stack-usage.patch patches.suse/staging-rtl8188eu-remove-else-after-return.patch patches.suse/staging-rtl8188eu-refactor-rtl88eu_dm_update_rx_idle.patch 
@@ -31594,6 +31596,7 @@ patches.suse/msft-hv-2092-Drivers-hv-vmbus-Resolve-race-between-init_vp_index-.patch patches.suse/msft-hv-2093-Drivers-hv-vmbus-Resolve-more-races-involving-init_v.patch patches.suse/kvm-svm-avoid-infinite-loop-on-npf-from-bad-address + patches.suse/kvm-nvmx-preserve-exception-priority-irrespective-of.patch patches.suse/rcuwait-Let-rcuwait_wake_up-return-whether-or-not-a-.patch patches.suse/kvm-x86-only-do-l1tf-workaround-on-affected-processors patches.suse/kvm-x86-mmu-set-mmio_value-to-0-if-reserved-pf-can-t-be-generated @@ -35257,6 +35260,8 @@ patches.suse/build-kcsan-Add-KCSAN-build-exceptions.patch patches.suse/0001-xen-pvcalls-back-test-for-errors-when-calling-backen.patch patches.suse/KVM-x86-Fix-APIC-page-invalidation-race.patch + patches.suse/kvm-nvmx-consult-only-the-basic-exit-reason-when-rou.patch + patches.suse/kvm-i8254-remove-redundant-assignment-to-pointer-s.patch patches.suse/KVM-arm64-Stop-writing-aarch32-s-CSSELR-into-ACTLR.patch patches.suse/KVM-arm64-Make-vcpu_cp1x-work-on-Big-Endian-hosts.patch patches.suse/iommu-amd-move-amd-iommu-driver-into-subdirectory @@ -36508,6 +36513,7 @@ patches.suse/selftests-bpf-Extend-map-in-map-selftest-to-detect-m.patch patches.suse/net-bpfilter-Initialize-pos-in-__bpfilter_process_so.patch patches.suse/vxlan-fix-memleak-of-fdb.patch + patches.suse/kvm-lapic-prevent-setting-the-tscdeadline-timer-if-t.patch patches.suse/x86-i8259-Use-printk_deferred-to-prevent-deadlock.patch patches.suse/tpm-Require-that-all-digests-are-present-in-TCG_PCR_.patch patches.suse/tpm-Unify-the-mismatching-TPM-space-buffer-sizes.patch 
@@ -44993,6 +44999,7 @@ patches.suse/Werror-return-type.patch patches.suse/arm64-mm-use-single-quantity-to-represent-the-PA-to-.patch patches.suse/arm64-link-with-z-norelro-regardless-of-CONFIG_RELOC.patch + patches.suse/platform-chrome-cros_ec_lightbar-Reduce-ligthbar-get.patch patches.suse/msft-hv-2162-KVM-x86-hyper-v-disallow-configuring-SynIC-timers-wi.patch patches.suse/KVM-x86-mmu-Commit-zap-of-remaining-invalid-pages-wh.patch patches.suse/kvm-nvmx-reload-vmcs01-if-getting-vmcs12-s-pages-fails @@ -48652,6 +48659,7 @@ patches.suse/iwlwifi-fix-11ax-disabled-bit-in-the-regulatory-capa.patch patches.suse/iwlwifi-pcie-properly-set-LTR-workarounds-on-22000-d.patch patches.suse/iwlwifi-add-support-for-Qu-with-AX201-device.patch + patches.suse/net-mac802154-Fix-general-protection-fault.patch patches.suse/mac80211-clear-sta-fast_rx-when-STA-removed-from-4-a.patch patches.suse/mac80211-fix-TXQ-AC-confusion.patch patches.suse/cfg80211-remove-WARN_ON-in-cfg80211_sme_connect.patch @@ -48912,6 +48920,7 @@ patches.suse/spi-dln2-Fix-reference-leak-to-master.patch patches.suse/spi-fsl-lpspi-Fix-PM-reference-leak-in-lpspi_prepare.patch patches.suse/spi-omap-100k-Fix-reference-leak-to-master.patch + patches.suse/spi-imx-add-a-check-for-speed_hz-before-calculating-.patch patches.suse/spi-qup-fix-PM-reference-leak-in-spi_qup_remove.patch patches.suse/ceph-fix-up-error-handling-with-snapdirs.patch patches.suse/0001-x86-sched-Treat-Intel-SNC-topology-as-default-COD-as.patch 
@@ -49256,6 +49265,7 @@
 patches.suse/selftests-powerpc-Fix-L1D-flushing-tests-for-Power10.patch
 patches.suse/powerpc-fadump-Mark-fadump_calculate_reserve_size-as.patch
 patches.suse/powerpc-prom-Mark-identical_pvr_fixup-as-__init.patch
+ patches.suse/powerpc-pseries-export-LPAR-security-flavor-in-lparc.patch
 patches.suse/powerpc-asm-offsets-GPR14-is-not-needed-either.patch
 patches.suse/powerpc-64s-Fix-pte-update-for-kernel-memory-on-radi.patch
 patches.suse/powerpc-perf-Fix-PMU-constraint-check-for-EBB-events.patch
@@ -49424,6 +49434,7 @@
 patches.suse/ceph-fix-inode-leak-on-getattr-error-in-_fh_to_dentry.patch
 patches.suse/Input-elants_i2c-do-not-bind-to-i2c-hid-compatible-A.patch
 patches.suse/Input-silead-add-workaround-for-x86-BIOS-es-which-br.patch
+ patches.suse/Input-ili210x-add-missing-negation-for-touch-indicat.patch
 patches.suse/fs-epoll-restore-waking-from-ep_done_scan.patch
 patches.suse/kernel-kexec_file-fix-error-return-code-of-kexec_calculate_store_digests
 patches.suse/NFSv4.2-Always-flush-out-writes-in-nfs42_proc_falloc.patch
@@ -49580,6 +49591,7 @@
 patches.suse/platform-mellanox-mlxbf-tmfifo-Fix-a-memory-barrier-.patch
 patches.suse/platform-x86-intel_int0002_vgpio-Only-call-enable_ir.patch
 patches.suse/platform-x86-hp-wireless-add-AMD-s-hardware-id-to-th.patch
+ patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch
 patches.suse/platform-x86-intel_punit_ipc-Append-MODULE_DEVICE_TA.patch
 patches.suse/platform-x86-touchscreen_dmi-Add-info-for-the-Mediac.patch
 patches.suse/ALSA-hda-realtek-reset-eapd-coeff-to-default-value-f.patch
@@ -49882,6 +49894,7 @@
 patches.suse/dmaengine-mediatek-free-the-proper-desc-in-desc_free.patch
 patches.suse/dmaengine-mediatek-do-not-issue-a-new-desc-if-one-is.patch
 patches.suse/dmaengine-mediatek-use-GFP_NOWAIT-instead-of-GFP_ATO.patch
+ patches.suse/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch
 patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch
 patches.suse/usb-chipidea-imx-Fix-Battery-Charger-1.2-CDP-detecti.patch
 patches.suse/usb-core-hub-Disable-autosuspend-for-Cypress-CY7C656.patch
@@ -49907,6 +49920,7 @@
 patches.suse/net-mlx5e-Fix-page-reclaim-for-dead-peer-hairpin.patch
 patches.suse/net-mlx5-Consider-RoCE-cap-before-init-RDMA-resource.patch
 patches.suse/net-mlx5e-Block-offload-of-outer-header-csum-for-UDP.patch
+ patches.suse/net-mlx5e-Block-offload-of-outer-header-csum-for-GRE.patch
 patches.suse/alx-Fix-an-error-handling-path-in-alx_probe.patch
 patches.suse/cxgb4-fix-endianness-when-flashing-boot-image.patch
 patches.suse/cxgb4-fix-sleep-in-atomic-when-flashing-PHY-firmware.patch
@@ -49977,6 +49991,7 @@
 patches.suse/mmc-via-sdmmc-add-a-check-against-NULL-pointer-deref.patch
 patches.suse/regulator-hi655x-Fix-pass-wrong-pointer-to-config.dr.patch
 patches.suse/regulator-uniphier-Add-missing-MODULE_DEVICE_TABLE.patch
+ patches.suse/regulator-hi6421-Use-correct-variable-type-for-regma.patch
 patches.suse/regulator-da9052-Ensure-enough-delay-time-for-.set_v.patch
 patches.suse/spi-Make-of_register_spi_device-also-set-the-fwnode.patch
 patches.suse/spi-spi-sun6i-Fix-chipselect-clock-bug.patch
@@ -49990,6 +50005,7 @@
 patches.suse/hwmon-max31790-Report-correct-current-pwm-duty-cycle.patch
 patches.suse/hwmon-max31790-Fix-pwmX_enable-attributes.patch
 patches.suse/x86-elf-use-bitul-macro-in-uapi-headers.patch
+ patches.suse/kvm-nvmx-ensure-64-bit-shift-when-checking-vmfunc-bi.patch
 patches.suse/media-mdk-mdp-fix-pm_runtime_get_sync-usage-count.patch
 patches.suse/media-sh_vou-fix-pm_runtime_get_sync-usage-count.patch
 patches.suse/media-mtk-vcodec-fix-PM-runtime-get-logic.patch
@@ -50061,6 +50077,8 @@
 patches.suse/block-return-the-correct-bvec-when-checking-for-gaps.patch
 patches.suse/nvme-verify-MNAN-value-if-ANA-is-enabled.patch
 patches.suse/qemu_fw_cfg-Make-fw_cfg_rev_attr-a-proper-kobj_attri.patch
+ patches.suse/net-mvpp2-Put-fwnode-in-error-case-during-probe.patch
+ patches.suse/mvpp2-suppress-warning.patch
 patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
 patches.suse/ibmvnic-remove-default-label-from-to_string-switch.patch
 patches.suse/can-hi311x-hi3110_can_probe-silence-clang-warning.patch
@@ -50143,6 +50161,8 @@
 patches.suse/gve-DQO-Fix-off-by-one-in-gve_rx_dqo.patch
 patches.suse/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch
 patches.suse/can-gw-synchronize-rcu-operations-before-removing-gw.patch
+ patches.suse/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch
+ patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch
 patches.suse/xfrm-policy-Read-seqcount-outside-of-rcu-read-side-i.patch
 patches.suse/xfrm-Fix-xfrm-offload-fallback-fail-case.patch
 patches.suse/xsk-Fix-missing-validation-for-skb-and-unaligned-mod.patch
@@ -50156,9 +50176,13 @@
 patches.suse/ibmvnic-free-tx_pool-if-tso_pool-alloc-fails.patch
 patches.suse/ibmvnic-parenthesize-a-check.patch
 patches.suse/can-peak_pciefd-pucan_handle_status-fix-a-potential-.patch
+ patches.suse/i40e-Fix-error-handling-in-i40e_vsi_open.patch
+ patches.suse/i40e-Fix-autoneg-disabling-for-non-10GBaseT-links.patch
 patches.suse/i40e-fix-PTP-on-5Gb-links.patch
 patches.suse/i40e-Fix-missing-rtnl-locking-when-setting-up-pf-swi.patch
+ patches.suse/e1000e-Check-the-PCIm-state.patch
 patches.suse/gve-Fix-swapped-vars-when-fetching-max-queues.patch
+ patches.suse/Revert-be2net-disable-bh-with-spin_lock-in-be_proces.patch
 patches.suse/drm-tegra-Don-t-set-allow_fb_modifiers-explicitly.patch
 patches.suse/drm-bridge-sii8620-fix-dependency-on-extcon.patch
 patches.suse/drm-bridge-Fix-the-stop-condition-of-drm_bridge_chai.patch
@@ -50245,6 +50269,9 @@
 patches.suse/lib-decompress_unlz4.c-correctly-handle-zero-padding.patch
 patches.suse/lib-decompressors-remove-set-but-not-used-variabled-.patch
 patches.suse/mwifiex-re-fix-for-unaligned-accesses.patch
+ patches.suse/powerpc-pseries-Get-entry-and-uaccess-flush-required.patch
+ patches.suse/powerpc-security-Add-a-security-feature-for-STF-barr.patch
+ patches.suse/powerpc-pesries-Get-STF-barrier-requirement-from-H_G.patch
 patches.suse/powerpc-Offline-CPU-in-stop_this_cpu.patch
 patches.suse/powerpc-papr_scm-Properly-handle-UUID-types-and-API.patch
 patches.suse/powerpc-stacktrace-Fix-spurious-stale-traces-in-rais.patch
@@ -50462,6 +50489,7 @@
 patches.suse/drm-gma500-Add-the-missed-drm_gem_object_put-in-psb_.patch
 patches.suse/powerpc-mm-Fix-lockup-on-kernel-exec-fault.patch
 patches.suse/virtio_console-Assure-used-length-from-device-is-lim.patch
+ patches.suse/virtio_net-move-tx-vq-operation-under-tx-queue-lock.patch
 patches.suse/tracing-histograms-Fix-parsing-of-sym-offset-modifier.patch
 patches.suse/ALSA-isa-Fix-error-return-code-in-snd_cmi8330_probe.patch
 patches.suse/ALSA-intel8x0-Fix-breakage-at-ac97-clock-measurement.patch
@@ -50484,7 +50512,17 @@
 patches.suse/rtc-stm32-Fix-unbalanced-clk_disable_unprepare-on-pr.patch
 patches.suse/rtc-pcf2127-handle-timestamp-interrupts.patch
 patches.suse/ibmvnic-retry-reset-if-there-are-no-other-resets.patch
+ patches.suse/igc-Fix-use-after-free-error-during-reset.patch
+ patches.suse/igb-Fix-use-after-free-error-during-reset.patch
+ patches.suse/igc-change-default-return-of-igc_read_phy_reg.patch
+ patches.suse/ixgbe-Fix-an-error-handling-path-in-ixgbe_probe.patch
+ patches.suse/igc-Fix-an-error-handling-path-in-igc_probe.patch
+ patches.suse/igb-Fix-an-error-handling-path-in-igb_probe.patch
 patches.suse/fm10k-Fix-an-error-handling-path-in-fm10k_probe.patch
+ patches.suse/e1000e-Fix-an-error-handling-path-in-e1000_probe.patch
+ patches.suse/iavf-Fix-an-error-handling-path-in-iavf_probe.patch
+ patches.suse/igb-Check-if-num-of-q_vectors-is-smaller-than-max-be.patch
+ patches.suse/igb-Fix-position-of-assignment-to-ring.patch
 patches.suse/gve-Fix-an-error-handling-path-in-gve_probe.patch
 patches.suse/gve-Propagate-error-codes-to-caller.patch
 patches.suse/gve-Simplify-code-and-axe-the-use-of-a-deprecated-AP.patch
@@ -50505,42 +50543,73 @@ patches.suse/0001-netfilter-conntrack-improve-RST-handling-when-tuple-.patch patches.suse/0001-netfilter-conntrack-add-new-sysctl-to-disable-RST-ch.patch patches.suse/skbuff-Fix-build-with-SKB-extensions-disabled.patch + patches.suse/cxgb4-fix-IRQ-free-race-during-driver-unload.patch patches.suse/bpftool-Properly-close-va_list-ap-by-va_end-on-error.patch patches.suse/drm-panel-nt35510-Do-not-fail-if-DSI-read-fails.patch patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch patches.suse/fbmem-Do-not-delete-the-mode-that-is-still-in-use.patch patches.suse/tracing-Do-not-reference-char-as-a-string-in-histograms.patch + patches.suse/firmware-arm_scmi-Fix-possible-scmi_linux_errmap-buf.patch + patches.suse/firmware-arm_scmi-Fix-range-check-for-the-maximum-nu.patch patches.suse/seq_file-Disallow-extremely-large-seq-buffer-allocations.patch + patches.suse/regulator-hi6421-Fix-getting-wrong-drvdata.patch patches.suse/spi-mediatek-fix-fifo-rx-mode.patch patches.suse/spi-cadence-Correct-initialisation-of-runtime-PM-aga.patch patches.suse/r8152-Fix-potential-PM-refcount-imbalance.patch patches.suse/r8152-Fix-a-deadlock-by-doubly-PM-resume.patch patches.suse/liquidio-Fix-unintentional-sign-extension-issue-on-l.patch patches.suse/bonding-fix-build-issue.patch + patches.suse/bnxt_en-don-t-disable-an-already-disabled-PCI-device.patch + patches.suse/bnxt_en-Refresh-RoCE-capabilities-in-bnxt_ulp_probe.patch + patches.suse/bnxt_en-Add-missing-check-for-BNXT_STATE_ABORT_ERR-i.patch + patches.suse/bnxt_en-Check-abort-error-state-in-bnxt_half_open_ni.patch + patches.suse/ixgbe-Fix-packet-corruption-due-to-missing-DMA-sync.patch patches.suse/ibmvnic-Remove-the-proper-scrq-flush.patch patches.suse/media-ngene-Fix-out-of-bounds-bug-in-ngene_command_c.patch patches.suse/drm-amdgpu-update-golden-setting-for-sienna_cichlid-3e94b59.patch patches.suse/drm-i915-gvt-Clear-d3_entered-on-elsp-cmd-submission.patch 
patches.suse/Revert-drm-i915-Propagate-errors-on-awaiting-already.patch + patches.suse/drm-Return-ENOTTY-for-non-drm-ioctls.patch patches.suse/drm-panel-raspberrypi-touchscreen-Prevent-double-fre.patch patches.suse/ALSA-pcm-Call-substream-ack-method-upon-compat-mmap-.patch patches.suse/ALSA-usb-audio-Add-missing-proc-text-entry-for-BESPO.patch + patches.suse/ALSA-sb-Fix-potential-ABBA-deadlock-in-CSP-driver.patch + patches.suse/ALSA-hdmi-Expose-all-pins-on-MSI-MS-7C94-board.patch patches.suse/ALSA-hda-realtek-Fix-pop-noise-and-2-Front-Mic-issue.patch patches.suse/ALSA-hda-intel-dsp-cfg-add-missing-ElkhartLake-PCI-I.patch patches.suse/ALSA-pcm-Fix-mmap-capability-check.patch patches.suse/ASoC-wm_adsp-Correct-wm_coeff_tlv_get-handling.patch + patches.suse/ASoC-rt5631-Fix-regcache-sync-errors-on-resume.patch + patches.suse/ALSA-usb-audio-Add-registration-quirk-for-JBL-Quantu.patch + patches.suse/xhci-Fix-lost-USB-2-remote-wake.patch + patches.suse/usb-hub-Fix-link-power-management-max-exit-latency-M.patch + patches.suse/usb-hub-Disable-USB-3-device-initiated-lpm-if-exit-l.patch + patches.suse/USB-usb-storage-Add-LaCie-Rugged-USB3-FW-to-IGNORE_U.patch patches.suse/usb-max-3421-Prevent-corruption-of-freed-memory.patch patches.suse/usb-renesas_usbhs-Fix-superfluous-irqs-happen-after-.patch patches.suse/usb-dwc2-gadget-Fix-sending-zero-length-packet-in-DD.patch patches.suse/Revert-USB-quirks-ignore-remote-wake-up-on-Fibocom-L.patch + patches.suse/USB-serial-option-add-support-for-u-blox-LARA-R6-fam.patch patches.suse/USB-serial-cp210x-fix-comments-for-GE-CS1000.patch + patches.suse/USB-serial-cp210x-add-ID-for-CEL-EM3588-USB-ZigBee-s.patch patches.suse/rbd-always-kick-acquire-on-acquired-and-released-notifications.patch patches.suse/rbd-don-t-hold-lock_rwsem-while-running_list-is-being-drained.patch patches.suse/ceph-don-t-warn-if-we-re-still-opening-a-session-to-an-mds.patch patches.suse/efi-tpm-Differentiate-missing-and-invalid-final-even.patch + 
patches.suse/firmware-efi-Tell-memblock-about-EFI-iomem-reservati.patch patches.suse/timers-Fix-get_next_timer_interrupt-with-no-timers-p.patch + patches.suse/KVM-PPC-Book3S-Fix-H_RTAS-rets-buffer-overflow.patch + patches.suse/workqueue-fix-UAF-in-pwq_unbound_release_workfn.patch patches.suse/drm-msm-dpu-Fix-sm8250_mdp-register-length.patch + patches.suse/Revert-ACPI-resources-Add-checks-for-ACPI-IRQ-overri.patch patches.suse/ACPI-DPTF-Fix-reading-of-attributes.patch + patches.suse/can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-UA.patch + patches.suse/nfc-nfcsim-fix-use-after-free-during-module-unload.patch + patches.suse/can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch + patches.suse/can-mcba_usb_start-add-missing-urb-transfer_dma-init.patch + patches.suse/can-usb_8dev-fix-memory-leak.patch + patches.suse/can-ems_usb-fix-memory-leak.patch + patches.suse/can-esd_usb2-fix-memory-leak.patch # jejb/scsi for-next patches.suse/scsi-ibmvfc-Fix-command-state-accounting-and-stale-r.patch