diff --git a/blacklist.conf b/blacklist.conf index 66918da..c63f83e 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -2795,3 +2795,5 @@ a157802359f7451ed8046b2b6dbaca187797e062 # build cleanup 03f5eb300ad1241f854269a3e521b119189a4493 # build cleanup 7e7e1541c91615e9950d0b96bcd1806d297e970e # build cleanup b648ab487f31bc4c38941bc770ea97fe394304bb # we don't have the original commit, nor do we care for 32bit +a1ae8d4d9be0178132df7c4931a1ba77d0e76039 # no nvme core/fabric fixes to missing infrastructure +2a587b9ad052e7e92e508aea90c1e2ae433c1908 # ARCH_ASPEED=n diff --git a/patches.kabi/struct-ci_hdrc-hide-new-member-at-end.patch b/patches.kabi/struct-ci_hdrc-hide-new-member-at-end.patch new file mode 100644 index 0000000..8c9d9fc --- /dev/null +++ b/patches.kabi/struct-ci_hdrc-hide-new-member-at-end.patch @@ -0,0 +1,31 @@ +From e0b347f1acbe9b1dc8f25298c84496b49960263e Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 2 May 2023 15:26:57 +0200 +Subject: [PATCH] struct ci_hdrc: hide new member at end +References: git-fixes +Patch-mainline: Never, kABI fixup + +We can just hide the new member at the end + +Signed-off-by: Oliver Neukum +--- + drivers/usb/chipidea/ci.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/chipidea/ci.h b/drivers/usb/chipidea/ci.h +index 1c2393644..e140e3b6a 100644 +--- a/drivers/usb/chipidea/ci.h ++++ b/drivers/usb/chipidea/ci.h +@@ -260,7 +260,9 @@ struct ci_hdrc { + bool in_lpm; + bool wakeup_int; + enum ci_revision rev; ++#ifndef __GENKSYMS__ + struct mutex mutex; ++#endif + }; + + static inline struct ci_role_driver *ci_role(struct ci_hdrc *ci) +-- +2.40.1 + diff --git a/patches.kabi/xhci-hide-include-of-iommu.h.patch b/patches.kabi/xhci-hide-include-of-iommu.h.patch new file mode 100644 index 0000000..93e7486 --- /dev/null +++ b/patches.kabi/xhci-hide-include-of-iommu.h.patch @@ -0,0 +1,31 @@ +From 9b84925f68d29844116d29ad421acb03176b15da Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 2 May 2023 18:10:54 +0200 +Subject: [PATCH] xhci: hide include of iommu.h +References: git-fixes +Patch-mainline: Never, kABI fixup + +The include confuses the kABI checker by making symbols defined + +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/xhci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index de4d25557..226883fd9 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -21,7 +21,9 @@ + */ + + #include ++#ifndef __GENKSYMS__ + #include ++#endif + #include + #include + #include +-- +2.40.1 + diff --git a/patches.suse/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch b/patches.suse/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch new file mode 100644 index 0000000..dc920a4 --- /dev/null +++ b/patches.suse/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch @@ -0,0 +1,208 @@ +From: Paul Moore +Date: Thu, 13 Jan 2022 18:54:38 -0500 +Subject: [PATCH] audit: improve audit queue handling when "audit=1" on cmdline +Git-commit: f26d04331360d42dbd6b58448bd98e4edbfbe1c5 +References: bsc#1209969 +Patch-mainline: v5.17-rc2 + +When an admin enables audit at early boot via the "audit=1" kernel +command line the audit queue behavior is slightly different; the +audit subsystem goes to greater lengths to avoid dropping records, +which unfortunately can result in problems when the audit daemon is +forcibly stopped for an extended period of time. + +This patch makes a number of changes designed to improve the audit +queuing behavior so that leaving the audit daemon in a stopped state +for an extended period does not cause a significant impact to the +system. + +- kauditd_send_queue() is now limited to looping through the + passed queue only once per call. This not only prevents the + function from looping indefinitely when records are returned + to the current queue, it also allows any recovery handling in + kauditd_thread() to take place when kauditd_send_queue() + returns. + +- Transient netlink send errors seen as -EAGAIN now cause the + record to be returned to the retry queue instead of going to + the hold queue. The intention of the hold queue is to store, + perhaps for an extended period of time, the events which led + up to the audit daemon going offline. The retry queue remains + a temporary queue intended to protect against transient issues + between the kernel and the audit daemon. + +- The retry queue is now limited by the audit_backlog_limit + setting, the same as the other queues. This allows admins + to bound the size of all of the audit queues on the system. + +- kauditd_rehold_skb() now returns records to the end of the + hold queue to ensure ordering is preserved in the face of + recent changes to kauditd_send_queue(). + +Cc: stable@vger.kernel.org +Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking") +Fixes: f4b3ee3c85551 ("audit: improve robustness of the audit queue handling") +Reported-by: Gaosheng Cui +Tested-by: Gaosheng Cui +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Acked-by: Enzo Matsumiya +--- + kernel/audit.c | 64 +++++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 44 insertions(+), 20 deletions(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -509,20 +509,22 @@ static void kauditd_printk_skb(struct sk + /** + * kauditd_rehold_skb - Handle a audit record send failure in the hold queue + * @skb: audit record ++ * @error: error code (unused) + * + * Description: + * This should only be used by the kauditd_thread when it fails to flush the + * hold queue. + */ +-static void kauditd_rehold_skb(struct sk_buff *skb) ++static void kauditd_rehold_skb(struct sk_buff *skb, __always_unused int error) + { +- /* put the record back in the queue at the same place */ +- skb_queue_head(&audit_hold_queue, skb); ++ /* put the record back in the queue */ ++ skb_queue_tail(&audit_hold_queue, skb); + } + + /** + * kauditd_hold_skb - Queue an audit record, waiting for auditd + * @skb: audit record ++ * @error: error code + * + * Description: + * Queue the audit record, waiting for an instance of auditd. When this +@@ -532,19 +534,31 @@ static void kauditd_rehold_skb(struct sk + * and queue it, if we have room. If we want to hold on to the record, but we + * don't have room, record a record lost message. + */ +-static void kauditd_hold_skb(struct sk_buff *skb) ++static void kauditd_hold_skb(struct sk_buff *skb, int error) + { + /* at this point it is uncertain if we will ever send this to auditd so + * try to send the message via printk before we go any further */ + kauditd_printk_skb(skb); + + /* can we just silently drop the message? */ +- if (!audit_default) { +- kfree_skb(skb); +- return; ++ if (!audit_default) ++ goto drop; ++ ++ /* the hold queue is only for when the daemon goes away completely, ++ * not -EAGAIN failures; if we are in a -EAGAIN state requeue the ++ * record on the retry queue unless it's full, in which case drop it ++ */ ++ if (error == -EAGAIN) { ++ if (!audit_backlog_limit || ++ skb_queue_len(&audit_retry_queue) < audit_backlog_limit) { ++ skb_queue_tail(&audit_retry_queue, skb); ++ return; ++ } ++ audit_log_lost("kauditd retry queue overflow"); ++ goto drop; + } + +- /* if we have room, queue the message */ ++ /* if we have room in the hold queue, queue the message */ + if (!audit_backlog_limit || + skb_queue_len(&audit_hold_queue) < audit_backlog_limit) { + skb_queue_tail(&audit_hold_queue, skb); +@@ -553,24 +567,32 @@ static void kauditd_hold_skb(struct sk_b + + /* we have no other options - drop the message */ + audit_log_lost("kauditd hold queue overflow"); ++drop: + kfree_skb(skb); + } + + /** + * kauditd_retry_skb - Queue an audit record, attempt to send again to auditd + * @skb: audit record ++ * @error: error code (unused) + * + * Description: + * Not as serious as kauditd_hold_skb() as we still have a connected auditd, + * but for some reason we are having problems sending it audit records so + * queue the given record and attempt to resend. + */ +-static void kauditd_retry_skb(struct sk_buff *skb) ++static void kauditd_retry_skb(struct sk_buff *skb, __always_unused int error) + { +- /* NOTE: because records should only live in the retry queue for a +- * short period of time, before either being sent or moved to the hold +- * queue, we don't currently enforce a limit on this queue */ +- skb_queue_tail(&audit_retry_queue, skb); ++ if (!audit_backlog_limit || ++ skb_queue_len(&audit_retry_queue) < audit_backlog_limit) { ++ skb_queue_tail(&audit_retry_queue, skb); ++ return; ++ } ++ ++ /* we have to drop the record, send it via printk as a last effort */ ++ kauditd_printk_skb(skb); ++ audit_log_lost("kauditd retry queue overflow"); ++ kfree_skb(skb); + } + + /** +@@ -607,9 +629,9 @@ static void auditd_reset(const struct au + + /* flush all of the main and retry queues to the hold queue */ + while ((skb = skb_dequeue(&audit_retry_queue))) +- kauditd_hold_skb(skb); ++ kauditd_hold_skb(skb, -ECONNREFUSED); + while ((skb = skb_dequeue(&audit_queue))) +- kauditd_hold_skb(skb); ++ kauditd_hold_skb(skb, -ECONNREFUSED); + } + + /** +@@ -683,16 +705,18 @@ static int kauditd_send_queue(struct soc + struct sk_buff_head *queue, + unsigned int retry_limit, + void (*skb_hook)(struct sk_buff *skb), +- void (*err_hook)(struct sk_buff *skb)) ++ void (*err_hook)(struct sk_buff *skb, int error)) + { + int rc = 0; +- struct sk_buff *skb; ++ struct sk_buff *skb = NULL; ++ struct sk_buff *skb_tail; + unsigned int failed = 0; + + /* NOTE: kauditd_thread takes care of all our locking, we just use + * the netlink info passed to us (e.g. sk and portid) */ + +- while ((skb = skb_dequeue(queue))) { ++ skb_tail = skb_peek_tail(queue); ++ while ((skb != skb_tail) && (skb = skb_dequeue(queue))) { + /* call the skb_hook for each skb we touch */ + if (skb_hook) + (*skb_hook)(skb); +@@ -700,7 +724,7 @@ static int kauditd_send_queue(struct soc + /* can we send to anyone via unicast? */ + if (!sk) { + if (err_hook) +- (*err_hook)(skb); ++ (*err_hook)(skb, -ECONNREFUSED); + continue; + } + +@@ -714,7 +738,7 @@ retry: + rc == -ECONNREFUSED || rc == -EPERM) { + sk = NULL; + if (err_hook) +- (*err_hook)(skb); ++ (*err_hook)(skb, rc); + if (rc == -EAGAIN) + rc = 0; + /* continue to drain the queue */ diff --git a/patches.suse/ipmi-fix-SSIF-not-responding-under-certain-cond.patch b/patches.suse/ipmi-fix-SSIF-not-responding-under-certain-cond.patch new file mode 100644 index 0000000..4e22b5b --- /dev/null +++ b/patches.suse/ipmi-fix-SSIF-not-responding-under-certain-cond.patch @@ -0,0 +1,73 @@ +From: Zhang Yuchen +Date: Wed, 12 Apr 2023 15:49:07 +0800 +Subject: ipmi: fix SSIF not responding under certain cond. +Git-commit: 6d2555cde2918409b0331560e66f84a0ad4849c6 +Patch-mainline: v6.4-rc1 +References: git-fixes + +The ipmi communication is not restored after a specific version of BMC is +upgraded on our server. +The ipmi driver does not respond after printing the following log: + + ipmi_ssif: Invalid response getting flags: 1c 1 + +I found that after entering this branch, ssif_info->ssif_state always +holds SSIF_GETTING_FLAGS and never return to IDLE. + +As a result, the driver cannot be loaded, because the driver status is +checked during the unload process and must be IDLE in shutdown_ssif(): + + while (ssif_info->ssif_state != SSIF_IDLE) + schedule_timeout(1); + +The process trigger this problem is: + +1. One msg timeout and next msg start send, and call +ssif_set_need_watch(). + +2. ssif_set_need_watch()->watch_timeout()->start_flag_fetch() change +ssif_state to SSIF_GETTING_FLAGS. + +3. In msg_done_handler() ssif_state == SSIF_GETTING_FLAGS, if an error +message is received, the second branch does not modify the ssif_state. + +4. All retry action need IS_SSIF_IDLE() == True. Include retry action in +watch_timeout(), msg_done_handler(). Sending msg does not work either. +SSIF_IDLE is also checked in start_next_msg(). + +5. The only thing that can be triggered in the SSIF driver is +watch_timeout(), after destory_user(), this timer will stop too. + +So, if enter this branch, the ssif_state will remain SSIF_GETTING_FLAGS +and can't send msg, no timer started, can't unload. + +We did a comparative test before and after adding this patch, and the +result is effective. + +Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)") + +[js] the constant is named SSIF_NORMAL in 4.* + +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Yuchen +Message-Id: <20230412074907.80046-1-zhangyuchen.lcr@bytedance.com> +Signed-off-by: Corey Minyard +Signed-off-by: Jiri Slaby +--- + drivers/char/ipmi/ipmi_ssif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -774,9 +774,9 @@ static void msg_done_handler(struct ssif + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_GET_MSG_FLAGS_CMD) { + /* +- * Don't abort here, maybe it was a queued +- * response to a previous command. ++ * Recv error response, give up. + */ ++ ssif_info->ssif_state = SSIF_NORMAL; + ipmi_ssif_unlock_cond(ssif_info, flags); + pr_warn(PFX "Invalid response getting flags: %x %x\n", + data[0], data[1]); diff --git a/patches.suse/nvme-pci-don-t-WARN_ON-in-nvme_reset_work-if-ctrl.st.patch b/patches.suse/nvme-pci-don-t-WARN_ON-in-nvme_reset_work-if-ctrl.st.patch new file mode 100644 index 0000000..2db1b6f --- /dev/null +++ b/patches.suse/nvme-pci-don-t-WARN_ON-in-nvme_reset_work-if-ctrl.st.patch @@ -0,0 +1,76 @@ +From: Zhihao Cheng +Date: Mon, 5 Jul 2021 21:38:29 +0800 +Subject: nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not + RESETTING +Patch-mainline: v5.14-rc3 +Git-commit: 7764656b108cd308c39e9a8554353b8f9ca232a3 +References: git-fixes + +Followling process: +nvme_probe + nvme_reset_ctrl + nvme_change_ctrl_state(ctrl, NVME_CTRL_RESETTING) + queue_work(nvme_reset_wq, &ctrl->reset_work) + +--------------> nvme_remove + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING) +worker_thread + process_one_work + nvme_reset_work + WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING) + +, which will trigger WARN_ON in nvme_reset_work(): +[ 127.534298] WARNING: CPU: 0 PID: 139 at drivers/nvme/host/pci.c:2594 +[ 127.536161] CPU: 0 PID: 139 Comm: kworker/u8:7 Not tainted 5.13.0 +[ 127.552518] Call Trace: +[ 127.552840] ? kvm_sched_clock_read+0x25/0x40 +[ 127.553936] ? native_send_call_func_single_ipi+0x1c/0x30 +[ 127.555117] ? send_call_function_single_ipi+0x9b/0x130 +[ 127.556263] ? __smp_call_single_queue+0x48/0x60 +[ 127.557278] ? ttwu_queue_wakelist+0xfa/0x1c0 +[ 127.558231] ? try_to_wake_up+0x265/0x9d0 +[ 127.559120] ? ext4_end_io_rsv_work+0x160/0x290 +[ 127.560118] process_one_work+0x28c/0x640 +[ 127.561002] worker_thread+0x39a/0x700 +[ 127.561833] ? rescuer_thread+0x580/0x580 +[ 127.562714] kthread+0x18c/0x1e0 +[ 127.563444] ? set_kthread_struct+0x70/0x70 +[ 127.564347] ret_from_fork+0x1f/0x30 + +The preceding problem can be easily reproduced by executing following +script (based on blktests suite): +test() { + pdev="$(_get_pci_dev_from_blkdev)" + sysfs="/sys/bus/pci/devices/${pdev}" + for ((i = 0; i < 10; i++)); do + echo 1 > "$sysfs/remove" + echo 1 > /sys/bus/pci/rescan + done +} + +Since the device ctrl could be updated as an non-RESETTING state by +repeating probe/remove in userspace (which is a normal situation), we +can replace stack dumping WARN_ON with a warnning message. + +Fixes: 82b057caefaff ("nvme-pci: fix multiple ctrl removal schedulin") +Signed-off-by: Zhihao Cheng +Acked-by: Daniel Wagner +--- + drivers/nvme/host/pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2252,8 +2252,11 @@ static void nvme_reset_work(struct work_ + int result = -ENODEV; + enum nvme_ctrl_state new_state = NVME_CTRL_LIVE; + +- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) ++ if (dev->ctrl.state != NVME_CTRL_RESETTING) { ++ dev_warn(dev->ctrl.device, "ctrl state %d is not RESETTING\n", ++ dev->ctrl.state); + goto out; ++ } + + /* + * If we're called to reset a live controller first shut it down before diff --git a/patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch b/patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch new file mode 100644 index 0000000..93ea4ec --- /dev/null +++ b/patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch @@ -0,0 +1,93 @@ +From 451b15ed138ec15bffbebb58a00ebdd884c3e659 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Fri, 17 Mar 2023 14:15:16 +0800 +Subject: [PATCH] usb: chipidea: core: fix possible concurrent when switch role +Git-commit: 451b15ed138ec15bffbebb58a00ebdd884c3e659 +References: git-fixes +Patch-mainline: v6.3-rc4 + +The user may call role_store() when driver is handling +ci_handle_id_switch() which is triggerred by otg event or power lost +event. Unfortunately, the controller may go into chaos in this case. +Fix this by protecting it with mutex lock. + +Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group") +cc: +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20230317061516.2451728-2-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/chipidea/ci.h | 2 ++ + drivers/usb/chipidea/core.c | 4 ++++ + drivers/usb/chipidea/otg.c | 5 ++++- + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/usb/chipidea/ci.h ++++ b/drivers/usb/chipidea/ci.h +@@ -205,6 +205,7 @@ struct hw_bank { + * @in_lpm: if the core in low power mode + * @wakeup_int: if wakeup interrupt occur + * @rev: The revision number for controller ++ * @mutex: protect code from concorrent running when doing role switch + */ + struct ci_hdrc { + struct device *dev; +@@ -259,6 +260,7 @@ struct ci_hdrc { + bool in_lpm; + bool wakeup_int; + enum ci_revision rev; ++ struct mutex mutex; + }; + + static inline struct ci_role_driver *ci_role(struct ci_hdrc *ci) +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -878,6 +878,8 @@ static ssize_t ci_role_store(struct devi + if (role == CI_ROLE_END || role == ci->role) + return -EINVAL; + ++ mutex_lock(&ci->mutex); ++ + pm_runtime_get_sync(dev); + disable_irq(ci->irq); + ci_role_stop(ci); +@@ -886,6 +888,7 @@ static ssize_t ci_role_store(struct devi + ci_handle_vbus_change(ci); + enable_irq(ci->irq); + pm_runtime_put_sync(dev); ++ mutex_unlock(&ci->mutex); + + return (ret == 0) ? n : ret; + } +@@ -924,6 +927,7 @@ static int ci_hdrc_probe(struct platform + return -ENOMEM; + + spin_lock_init(&ci->lock); ++ mutex_init(&ci->mutex); + ci->dev = dev; + ci->platdata = dev_get_platdata(dev); + ci->imx28_write_fix = !!(ci->platdata->flags & +--- a/drivers/usb/chipidea/otg.c ++++ b/drivers/usb/chipidea/otg.c +@@ -167,8 +167,10 @@ static int hw_wait_vbus_lower_bsv(struct + + static void ci_handle_id_switch(struct ci_hdrc *ci) + { +- enum ci_role role = ci_otg_role(ci); ++ enum ci_role role; + ++ mutex_lock(&ci->mutex); ++ role = ci_otg_role(ci); + if (role != ci->role) { + dev_dbg(ci->dev, "switching from %s to %s\n", + ci_role(ci)->name, ci->roles[role]->name); +@@ -191,6 +193,7 @@ static void ci_handle_id_switch(struct c + if (role == CI_ROLE_GADGET) + ci_handle_vbus_change(ci); + } ++ mutex_unlock(&ci->mutex); + } + /** + * ci_otg_work - perform otg (vbus/id) event handle diff --git a/patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch b/patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch new file mode 100644 index 0000000..003f84a --- /dev/null +++ b/patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch @@ -0,0 +1,32 @@ +From: Dan Carpenter +Date: Mon, 6 Feb 2023 16:15:48 +0300 +Subject: wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list() +Git-commit: 4c856ee12df85aabd437c3836ed9f68d94268358 +Patch-mainline: v6.4-rc1 +References: git-fixes + +This loop checks that i < max at the start of loop but then it does +i++ which could put it past the end of the array. It's harmless to +check again and prevent a potential out of bounds. + +Fixes: 1048643ea94d ("ath5k: Clean up eeprom parsing and add missing calibration data") +Signed-off-by: Dan Carpenter +Reviewed-by: Luis Chamberlain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Y+D9hPQrHfWBJhXz@kili +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/ath/ath5k/eeprom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath5k/eeprom.c ++++ b/drivers/net/wireless/ath/ath5k/eeprom.c +@@ -529,7 +529,7 @@ ath5k_eeprom_read_freq_list(struct ath5k + ee->ee_n_piers[mode]++; + + freq2 = (val >> 8) & 0xff; +- if (!freq2) ++ if (!freq2 || i >= max) + break; + + pc[i++].freq = ath5k_eeprom_bin2freq(ee, diff --git a/patches.suse/xfs-verify-buffer-contents-when-we-skip-log-replay.patch b/patches.suse/xfs-verify-buffer-contents-when-we-skip-log-replay.patch new file mode 100644 index 0000000..1f9f818 --- /dev/null +++ b/patches.suse/xfs-verify-buffer-contents-when-we-skip-log-replay.patch @@ -0,0 +1,113 @@ +From 22ed903eee23a5b174e240f1cdfa9acf393a5210 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Wed, 12 Apr 2023 15:49:23 +1000 +Subject: [PATCH] xfs: verify buffer contents when we skip log replay +Git-commit: 22ed903eee23a5b174e240f1cdfa9acf393a5210 +Patch-mainline: v6.4-rc1 +References: bsc#1210498 CVE-2023-2124 + +syzbot detected a crash during log recovery: + +XFS (loop0): Mounting V5 Filesystem bfdc47fc-10d8-4eed-a562-11a831b3f791 +XFS (loop0): Torn write (CRC failure) detected at log block 0x180. Truncating head block from 0x200. +XFS (loop0): Starting recovery (logdev: internal) +================================================================== +Bug: KASAN: slab-out-of-bounds in xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813 +Read of size 8 at addr ffff88807e89f258 by task syz-executor132/5074 + +Cpu: 0 PID: 5074 Comm: syz-executor132 Not tainted 6.2.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:306 + print_report+0x107/0x1f0 mm/kasan/report.c:417 + kasan_report+0xcd/0x100 mm/kasan/report.c:517 + xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813 + xfs_btree_lookup+0x346/0x12c0 fs/xfs/libxfs/xfs_btree.c:1913 + xfs_btree_simple_query_range+0xde/0x6a0 fs/xfs/libxfs/xfs_btree.c:4713 + xfs_btree_query_range+0x2db/0x380 fs/xfs/libxfs/xfs_btree.c:4953 + xfs_refcount_recover_cow_leftovers+0x2d1/0xa60 fs/xfs/libxfs/xfs_refcount.c:1946 + xfs_reflink_recover_cow+0xab/0x1b0 fs/xfs/xfs_reflink.c:930 + xlog_recover_finish+0x824/0x920 fs/xfs/xfs_log_recover.c:3493 + xfs_log_mount_finish+0x1ec/0x3d0 fs/xfs/xfs_log.c:829 + xfs_mountfs+0x146a/0x1ef0 fs/xfs/xfs_mount.c:933 + xfs_fs_fill_super+0xf95/0x11f0 fs/xfs/xfs_super.c:1666 + get_tree_bdev+0x400/0x620 fs/super.c:1282 + vfs_get_tree+0x88/0x270 fs/super.c:1489 + do_new_mount+0x289/0xad0 fs/namespace.c:3145 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7f89fa3f4aca +Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +Rsp: 002b:00007fffd5fb5ef8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +Rax: ffffffffffffffda RBX: 00646975756f6e2c RCX: 00007f89fa3f4aca +Rdx: 0000000020000100 RSI: 0000000020009640 RDI: 00007fffd5fb5f10 +Rbp: 00007fffd5fb5f10 R08: 00007fffd5fb5f50 R09: 000000000000970d +R10: 0000000000200800 R11: 0000000000000206 R12: 0000000000000004 +R13: 0000555556c6b2c0 R14: 0000000000200800 R15: 00007fffd5fb5f50 + + +The fuzzed image contains an AGF with an obviously garbage +agf_refcount_level value of 32, and a dirty log with a buffer log item +for that AGF. The ondisk AGF has a higher LSN than the recovered log +item. xlog_recover_buf_commit_pass2 reads the buffer, compares the +LSNs, and decides to skip replay because the ondisk buffer appears to be +newer. + +Unfortunately, the ondisk buffer is corrupt, but recovery just read the +buffer with no buffer ops specified: + + error = xfs_buf_read(mp->m_ddev_targp, buf_f->blf_blkno, + buf_f->blf_len, buf_flags, &bp, NULL); + +Skipping the buffer leaves its contents in memory unverified. This sets +us up for a kernel crash because xfs_refcount_recover_cow_leftovers +reads the buffer (which is still around in XBF_DONE state, so no read +verification) and creates a refcountbt cursor of height 32. This is +impossible so we run off the end of the cursor object and crash. + +Fix this by invoking the verifier on all skipped buffers and aborting +log recovery if the ondisk buffer is corrupt. It might be smarter to +force replay the log item atop the buffer and then see if it'll pass the +write verifier (like ext4 does) but for now let's go with the +conservative option where we stop immediately. + +Link: https://syzkaller.appspot.com/bug?extid=7e9494b8b399902e994e +Signed-off-by: Darrick J. Wong +Reviewed-by: Dave Chinner +Signed-off-by: Dave Chinner +Acked-by: Anthony Iliopoulos + +--- + fs/xfs/xfs_log_recover.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c +index de6aeb6f5dd4..ee6c71ea4194 100644 +--- a/fs/xfs/xfs_log_recover.c ++++ b/fs/xfs/xfs_log_recover.c +@@ -2786,6 +2786,15 @@ xlog_recover_buffer_pass2( + if (lsn && lsn != -1 && XFS_LSN_CMP(lsn, current_lsn) >= 0) { + trace_xfs_log_recover_buf_skip(log, buf_f); + xlog_recover_validate_buf_type(mp, bp, buf_f, NULLCOMMITLSN); ++ /* ++ * We're skipping replay of this buffer log item due to the log ++ * item LSN being behind the ondisk buffer. Verify the buffer ++ * contents since we aren't going to run the write verifier. ++ */ ++ if (bp->b_ops) { ++ bp->b_ops->verify_read(bp); ++ error = bp->b_error; ++ } + goto out_release; + } + +-- +2.35.3 + diff --git a/patches.suse/xhci-also-avoid-the-XHCI_ZERO_64B_REGS-quirk-with-a-.patch b/patches.suse/xhci-also-avoid-the-XHCI_ZERO_64B_REGS-quirk-with-a-.patch new file mode 100644 index 0000000..cc14fb7 --- /dev/null +++ b/patches.suse/xhci-also-avoid-the-XHCI_ZERO_64B_REGS-quirk-with-a-.patch @@ -0,0 +1,57 @@ +From ecaa4902439298f6b0e29f47424a86b310a9ff4f Mon Sep 17 00:00:00 2001 +From: D Scott Phillips +Date: Thu, 30 Mar 2023 17:30:54 +0300 +Subject: [PATCH] xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a + passthrough iommu +Git-commit: ecaa4902439298f6b0e29f47424a86b310a9ff4f +References: git-fixes +Patch-mainline: v6.3-rc6 + +Previously the quirk was skipped when no iommu was present. The same +rationale for skipping the quirk also applies in the iommu.passthrough=1 +case. + +Skip applying the XHCI_ZERO_64B_REGS quirk if the device's iommu domain is +passthrough. + +Fixes: 12de0a35c996 ("xhci: Add quirk to zero 64bit registers on Renesas PCIe controllers") +Cc: stable +Signed-off-by: D Scott Phillips +Acked-by: Marc Zyngier +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20230330143056.1390020-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/xhci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -21,6 +21,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -237,6 +238,7 @@ int xhci_reset(struct xhci_hcd *xhci) + static void xhci_zero_64b_regs(struct xhci_hcd *xhci) + { + struct device *dev = xhci_to_hcd(xhci)->self.sysdev; ++ struct iommu_domain *domain; + int err, i; + u64 val; + +@@ -254,7 +256,9 @@ static void xhci_zero_64b_regs(struct xh + * an iommu. Doing anything when there is no iommu is definitely + * unsafe... + */ +- if (!(xhci->quirks & XHCI_ZERO_64B_REGS) || !dev->iommu_group) ++ domain = iommu_get_domain_for_dev(dev); ++ if (!(xhci->quirks & XHCI_ZERO_64B_REGS) || !dev->iommu_group || ++ domain->type == IOMMU_DOMAIN_IDENTITY) + return; + + xhci_info(xhci, "Zeroing 64bit base registers, expecting fault\n"); diff --git a/patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch b/patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch new file mode 100644 index 0000000..625324f --- /dev/null +++ b/patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch @@ -0,0 +1,51 @@ +From: Zheng Wang +Date: Fri, 17 Mar 2023 00:15:26 +0800 +Subject: xirc2ps_cs: Fix use after free bug in xirc2ps_detach +Patch-mainline: v6.3-rc4 +Git-commit: e8d20c3ded59a092532513c9bd030d1ea66f5f44 +References: bsc#1209871 CVE-2023-1670 + +In xirc2ps_probe, the local->tx_timeout_task was bounded +with xirc2ps_tx_timeout_task. When timeout occurs, +it will call xirc_tx_timeout->schedule_work to start the +work. + +When we call xirc2ps_detach to remove the driver, there +may be a sequence as follows: + +Stop responding to timeout tasks and complete scheduled +tasks before cleanup in xirc2ps_detach, which will fix +the problem. + +CPU0 CPU1 + + |xirc2ps_tx_timeout_task +xirc2ps_detach | + free_netdev | + kfree(dev); | + | + | do_reset + | //use dev + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Zheng Wang +Signed-off-by: David S. Miller +Acked-by: Lee, Chun-Yi +--- + drivers/net/ethernet/xircom/xirc2ps_cs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -503,6 +503,11 @@ static void + xirc2ps_detach(struct pcmcia_device *link) + { + struct net_device *dev = link->priv; ++ struct local_info *local = netdev_priv(dev); ++ ++ netif_carrier_off(dev); ++ netif_tx_disable(dev); ++ cancel_work_sync(&local->tx_timeout_task); + + dev_dbg(&link->dev, "detach\n"); + diff --git a/series.conf b/series.conf index ccff6f0..0dafde1 100644 --- a/series.conf +++ b/series.conf @@ -61236,6 +61236,7 @@ patches.suse/USB-serial-cp210x-add-ID-for-CEL-EM3588-USB-ZigBee-s.patch patches.suse/tracing-Fix-bug-in-rb_per_cpu_empty-that-might-cause.patch patches.suse/ceph-don-t-warn-if-we-re-still-opening-a-session-to-an-mds.patch + patches.suse/nvme-pci-don-t-WARN_ON-in-nvme_reset_work-if-ctrl.st.patch patches.suse/scsi-iscsi-Fix-iface-sysfs-attr-detection patches.suse/cifs-only-write-64kb-at-a-time-when-fallocating-a-small-region-of-a.patch patches.suse/cifs-support-share-failover-when-remounting.patch @@ -62194,6 +62195,7 @@ patches.suse/USB-core-Fix-hang-in-usb_kill_urb-by-adding-memory-b.patch patches.suse/ucsi_ccg-Check-DEV_INT-bit-only-when-starting-CCG4.patch patches.suse/usb-common-ulpi-Fix-crash-in-ulpi_match.patch + patches.suse/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch patches.suse/nfsd-nfsd4_setclientid_confirm-mistakenly-expires-co.patch patches.suse/cgroup-v1-Require-capabilities-to-set-release_agent.patch patches.suse/Revert-module-async-async_synchronize_full-on-module.patch @@ -63248,17 +63250,23 @@ patches.suse/scsi-qla2xxx-Perform-lockless-command-completion-in-.patch patches.suse/scsi-qla2xxx-Synchronize-the-IOCB-count-to-be-in-ord.patch patches.suse/net-usb-smsc95xx-Limit-packet-length-to-skb-len.patch + patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch patches.suse/net-usb-lan78xx-Limit-packet-length-to-skb-len.patch patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch + patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch patches.suse/s390-vfio-ap-fix-memory-leak-in-vfio_ap-device-drive.patch patches.suse/NFSv4-Fix-hangs-when-recovering-open-state-after-a-s.patch patches.suse/ring-buffer-Fix-race-while-reader-and-writer-are-on-the-same-page.patch patches.suse/ftrace-Mark-get_lock_parent_ip-__always_inline.patch patches.suse/scsi-qla2xxx-Fix-memory-leak-in-qla2x00_probe_one.patch + patches.suse/xhci-also-avoid-the-XHCI_ZERO_64B_REGS-quirk-with-a-.patch patches.suse/cgroup-cpuset-Wake-up-cpuset_attach_wq-tasks-in-cpuset_cancel_attach.patch patches.suse/cifs-fix-negotiate-context-parsing.patch patches.suse/powerpc-papr_scm-Update-the-NUMA-distance-table-for-.patch + patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch + patches.suse/ipmi-fix-SSIF-not-responding-under-certain-cond.patch + patches.suse/xfs-verify-buffer-contents-when-we-skip-log-replay.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -64304,6 +64312,8 @@ patches.kabi/PCI-endpoint-Fix-for-concurrent-memory-allocation-in.patch patches.kabi/intel_pmc_ipc-restore-ability-to-call-functions-with.patch patches.kabi/struct-wmi_svc_avail_ev_arg-new-member-to-end.patch + patches.kabi/struct-ci_hdrc-hide-new-member-at-end.patch + patches.kabi/xhci-hide-include-of-iommu.h.patch ######################################################## # You'd better have a good reason for adding a patch