diff --git a/blacklist.conf b/blacklist.conf index 7c0d893..3efde30 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -2795,3 +2795,6 @@ fe5b6aaef72a0f7daa06e7960e0bee45c2984e41 # relevant only on SPARC a157802359f7451ed8046b2b6dbaca187797e062 # build cleanup 03f5eb300ad1241f854269a3e521b119189a4493 # build cleanup 7e7e1541c91615e9950d0b96bcd1806d297e970e # build cleanup +b648ab487f31bc4c38941bc770ea97fe394304bb # we don't have the original commit, nor do we care for 32bit +a1ae8d4d9be0178132df7c4931a1ba77d0e76039 # no nvme core/fabric fixes to missing infrastructure +2a587b9ad052e7e92e508aea90c1e2ae433c1908 # ARCH_ASPEED=n diff --git a/patches.kabi/struct-ci_hdrc-hide-new-member-at-end.patch b/patches.kabi/struct-ci_hdrc-hide-new-member-at-end.patch new file mode 100644 index 0000000..8c9d9fc --- /dev/null +++ b/patches.kabi/struct-ci_hdrc-hide-new-member-at-end.patch @@ -0,0 +1,31 @@ +From e0b347f1acbe9b1dc8f25298c84496b49960263e Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 2 May 2023 15:26:57 +0200 +Subject: [PATCH] struct ci_hdrc: hide new member at end +References: git-fixes +Patch-mainline: Never, kABI fixup + +We can just hide the new member at the end + +Signed-off-by: Oliver Neukum +--- + drivers/usb/chipidea/ci.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/chipidea/ci.h b/drivers/usb/chipidea/ci.h +index 1c2393644..e140e3b6a 100644 +--- a/drivers/usb/chipidea/ci.h ++++ b/drivers/usb/chipidea/ci.h +@@ -260,7 +260,9 @@ struct ci_hdrc { + bool in_lpm; + bool wakeup_int; + enum ci_revision rev; ++#ifndef __GENKSYMS__ + struct mutex mutex; ++#endif + }; + + static inline struct ci_role_driver *ci_role(struct ci_hdrc *ci) +-- +2.40.1 + diff --git a/patches.kabi/xhci-hide-include-of-iommu.h.patch b/patches.kabi/xhci-hide-include-of-iommu.h.patch new file mode 100644 index 0000000..93e7486 --- /dev/null +++ b/patches.kabi/xhci-hide-include-of-iommu.h.patch @@ -0,0 +1,31 @@ +From 9b84925f68d29844116d29ad421acb03176b15da Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 2 May 2023 18:10:54 +0200 +Subject: [PATCH] xhci: hide include of iommu.h +References: git-fixes +Patch-mainline: Never, kABI fixup + +The include confuses the kABI checker by making symbols defined + +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/xhci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index de4d25557..226883fd9 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -21,7 +21,9 @@ + */ + + #include ++#ifndef __GENKSYMS__ + #include ++#endif + #include + #include + #include +-- +2.40.1 + diff --git a/patches.suse/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch b/patches.suse/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch new file mode 100644 index 0000000..dc920a4 --- /dev/null +++ b/patches.suse/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch @@ -0,0 +1,208 @@ +From: Paul Moore +Date: Thu, 13 Jan 2022 18:54:38 -0500 +Subject: [PATCH] audit: improve audit queue handling when "audit=1" on cmdline +Git-commit: f26d04331360d42dbd6b58448bd98e4edbfbe1c5 +References: bsc#1209969 +Patch-mainline: v5.17-rc2 + +When an admin enables audit at early boot via the "audit=1" kernel +command line the audit queue behavior is slightly different; the +audit subsystem goes to greater lengths to avoid dropping records, +which unfortunately can result in problems when the audit daemon is +forcibly stopped for an extended period of time. + +This patch makes a number of changes designed to improve the audit +queuing behavior so that leaving the audit daemon in a stopped state +for an extended period does not cause a significant impact to the +system. + +- kauditd_send_queue() is now limited to looping through the + passed queue only once per call. This not only prevents the + function from looping indefinitely when records are returned + to the current queue, it also allows any recovery handling in + kauditd_thread() to take place when kauditd_send_queue() + returns. + +- Transient netlink send errors seen as -EAGAIN now cause the + record to be returned to the retry queue instead of going to + the hold queue. The intention of the hold queue is to store, + perhaps for an extended period of time, the events which led + up to the audit daemon going offline. The retry queue remains + a temporary queue intended to protect against transient issues + between the kernel and the audit daemon. + +- The retry queue is now limited by the audit_backlog_limit + setting, the same as the other queues. This allows admins + to bound the size of all of the audit queues on the system. + +- kauditd_rehold_skb() now returns records to the end of the + hold queue to ensure ordering is preserved in the face of + recent changes to kauditd_send_queue(). + +Cc: stable@vger.kernel.org +Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking") +Fixes: f4b3ee3c85551 ("audit: improve robustness of the audit queue handling") +Reported-by: Gaosheng Cui +Tested-by: Gaosheng Cui +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Acked-by: Enzo Matsumiya +--- + kernel/audit.c | 64 +++++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 44 insertions(+), 20 deletions(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -509,20 +509,22 @@ static void kauditd_printk_skb(struct sk + /** + * kauditd_rehold_skb - Handle a audit record send failure in the hold queue + * @skb: audit record ++ * @error: error code (unused) + * + * Description: + * This should only be used by the kauditd_thread when it fails to flush the + * hold queue. + */ +-static void kauditd_rehold_skb(struct sk_buff *skb) ++static void kauditd_rehold_skb(struct sk_buff *skb, __always_unused int error) + { +- /* put the record back in the queue at the same place */ +- skb_queue_head(&audit_hold_queue, skb); ++ /* put the record back in the queue */ ++ skb_queue_tail(&audit_hold_queue, skb); + } + + /** + * kauditd_hold_skb - Queue an audit record, waiting for auditd + * @skb: audit record ++ * @error: error code + * + * Description: + * Queue the audit record, waiting for an instance of auditd. When this +@@ -532,19 +534,31 @@ static void kauditd_rehold_skb(struct sk + * and queue it, if we have room. If we want to hold on to the record, but we + * don't have room, record a record lost message. + */ +-static void kauditd_hold_skb(struct sk_buff *skb) ++static void kauditd_hold_skb(struct sk_buff *skb, int error) + { + /* at this point it is uncertain if we will ever send this to auditd so + * try to send the message via printk before we go any further */ + kauditd_printk_skb(skb); + + /* can we just silently drop the message? */ +- if (!audit_default) { +- kfree_skb(skb); +- return; ++ if (!audit_default) ++ goto drop; ++ ++ /* the hold queue is only for when the daemon goes away completely, ++ * not -EAGAIN failures; if we are in a -EAGAIN state requeue the ++ * record on the retry queue unless it's full, in which case drop it ++ */ ++ if (error == -EAGAIN) { ++ if (!audit_backlog_limit || ++ skb_queue_len(&audit_retry_queue) < audit_backlog_limit) { ++ skb_queue_tail(&audit_retry_queue, skb); ++ return; ++ } ++ audit_log_lost("kauditd retry queue overflow"); ++ goto drop; + } + +- /* if we have room, queue the message */ ++ /* if we have room in the hold queue, queue the message */ + if (!audit_backlog_limit || + skb_queue_len(&audit_hold_queue) < audit_backlog_limit) { + skb_queue_tail(&audit_hold_queue, skb); +@@ -553,24 +567,32 @@ static void kauditd_hold_skb(struct sk_b + + /* we have no other options - drop the message */ + audit_log_lost("kauditd hold queue overflow"); ++drop: + kfree_skb(skb); + } + + /** + * kauditd_retry_skb - Queue an audit record, attempt to send again to auditd + * @skb: audit record ++ * @error: error code (unused) + * + * Description: + * Not as serious as kauditd_hold_skb() as we still have a connected auditd, + * but for some reason we are having problems sending it audit records so + * queue the given record and attempt to resend. + */ +-static void kauditd_retry_skb(struct sk_buff *skb) ++static void kauditd_retry_skb(struct sk_buff *skb, __always_unused int error) + { +- /* NOTE: because records should only live in the retry queue for a +- * short period of time, before either being sent or moved to the hold +- * queue, we don't currently enforce a limit on this queue */ +- skb_queue_tail(&audit_retry_queue, skb); ++ if (!audit_backlog_limit || ++ skb_queue_len(&audit_retry_queue) < audit_backlog_limit) { ++ skb_queue_tail(&audit_retry_queue, skb); ++ return; ++ } ++ ++ /* we have to drop the record, send it via printk as a last effort */ ++ kauditd_printk_skb(skb); ++ audit_log_lost("kauditd retry queue overflow"); ++ kfree_skb(skb); + } + + /** +@@ -607,9 +629,9 @@ static void auditd_reset(const struct au + + /* flush all of the main and retry queues to the hold queue */ + while ((skb = skb_dequeue(&audit_retry_queue))) +- kauditd_hold_skb(skb); ++ kauditd_hold_skb(skb, -ECONNREFUSED); + while ((skb = skb_dequeue(&audit_queue))) +- kauditd_hold_skb(skb); ++ kauditd_hold_skb(skb, -ECONNREFUSED); + } + + /** +@@ -683,16 +705,18 @@ static int kauditd_send_queue(struct soc + struct sk_buff_head *queue, + unsigned int retry_limit, + void (*skb_hook)(struct sk_buff *skb), +- void (*err_hook)(struct sk_buff *skb)) ++ void (*err_hook)(struct sk_buff *skb, int error)) + { + int rc = 0; +- struct sk_buff *skb; ++ struct sk_buff *skb = NULL; ++ struct sk_buff *skb_tail; + unsigned int failed = 0; + + /* NOTE: kauditd_thread takes care of all our locking, we just use + * the netlink info passed to us (e.g. sk and portid) */ + +- while ((skb = skb_dequeue(queue))) { ++ skb_tail = skb_peek_tail(queue); ++ while ((skb != skb_tail) && (skb = skb_dequeue(queue))) { + /* call the skb_hook for each skb we touch */ + if (skb_hook) + (*skb_hook)(skb); +@@ -700,7 +724,7 @@ static int kauditd_send_queue(struct soc + /* can we send to anyone via unicast? */ + if (!sk) { + if (err_hook) +- (*err_hook)(skb); ++ (*err_hook)(skb, -ECONNREFUSED); + continue; + } + +@@ -714,7 +738,7 @@ retry: + rc == -ECONNREFUSED || rc == -EPERM) { + sk = NULL; + if (err_hook) +- (*err_hook)(skb); ++ (*err_hook)(skb, rc); + if (rc == -EAGAIN) + rc = 0; + /* continue to drain the queue */ diff --git a/patches.suse/crypto-x86-ghash-fix-unaligned-access-in-ghash_setkey.patch b/patches.suse/crypto-x86-ghash-fix-unaligned-access-in-ghash_setkey.patch new file mode 100644 index 0000000..9ed4057 --- /dev/null +++ b/patches.suse/crypto-x86-ghash-fix-unaligned-access-in-ghash_setkey.patch @@ -0,0 +1,46 @@ +From: Eric Biggers +Date: Mon, 19 Dec 2022 21:40:40 -0800 +Subject: crypto: x86/ghash - fix unaligned access in ghash_setkey() +Git-commit: 116db2704c193fff6d73ea6c2219625f0c9bdfc8 +Patch-mainline: v6.3-rc1 +References: git-fixes + +The key can be unaligned, so use the unaligned memory access helpers. + +Fixes: 8ceee72808d1 ("crypto: ghash-clmulni-intel - use C implementation for setkey()") +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Acked-by: Nikolay Borisov +--- + arch/x86/crypto/ghash-clmulni-intel_glue.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/crypto/ghash-clmulni-intel_glue.c ++++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + #define GHASH_BLOCK_SIZE 16 + #define GHASH_DIGEST_SIZE 16 +@@ -56,7 +57,6 @@ static int ghash_setkey(struct crypto_sh + const u8 *key, unsigned int keylen) + { + struct ghash_ctx *ctx = crypto_shash_ctx(tfm); +- be128 *x = (be128 *)key; + u64 a, b; + + if (keylen != GHASH_BLOCK_SIZE) { +@@ -65,8 +65,8 @@ static int ghash_setkey(struct crypto_sh + } + + /* perform multiplication by 'x' in GF(2^128) */ +- a = be64_to_cpu(x->a); +- b = be64_to_cpu(x->b); ++ a = get_unaligned_be64(key); ++ b = get_unaligned_be64(key+8); + + ctx->shash.a = (b << 1) | (a >> 63); + ctx->shash.b = (a << 1) | (b >> 63); diff --git a/patches.suse/ipmi-fix-SSIF-not-responding-under-certain-cond.patch b/patches.suse/ipmi-fix-SSIF-not-responding-under-certain-cond.patch new file mode 100644 index 0000000..4e22b5b --- /dev/null +++ b/patches.suse/ipmi-fix-SSIF-not-responding-under-certain-cond.patch @@ -0,0 +1,73 @@ +From: Zhang Yuchen +Date: Wed, 12 Apr 2023 15:49:07 +0800 +Subject: ipmi: fix SSIF not responding under certain cond. +Git-commit: 6d2555cde2918409b0331560e66f84a0ad4849c6 +Patch-mainline: v6.4-rc1 +References: git-fixes + +The ipmi communication is not restored after a specific version of BMC is +upgraded on our server. +The ipmi driver does not respond after printing the following log: + + ipmi_ssif: Invalid response getting flags: 1c 1 + +I found that after entering this branch, ssif_info->ssif_state always +holds SSIF_GETTING_FLAGS and never return to IDLE. + +As a result, the driver cannot be loaded, because the driver status is +checked during the unload process and must be IDLE in shutdown_ssif(): + + while (ssif_info->ssif_state != SSIF_IDLE) + schedule_timeout(1); + +The process trigger this problem is: + +1. One msg timeout and next msg start send, and call +ssif_set_need_watch(). + +2. ssif_set_need_watch()->watch_timeout()->start_flag_fetch() change +ssif_state to SSIF_GETTING_FLAGS. + +3. In msg_done_handler() ssif_state == SSIF_GETTING_FLAGS, if an error +message is received, the second branch does not modify the ssif_state. + +4. All retry action need IS_SSIF_IDLE() == True. Include retry action in +watch_timeout(), msg_done_handler(). Sending msg does not work either. +SSIF_IDLE is also checked in start_next_msg(). + +5. The only thing that can be triggered in the SSIF driver is +watch_timeout(), after destory_user(), this timer will stop too. + +So, if enter this branch, the ssif_state will remain SSIF_GETTING_FLAGS +and can't send msg, no timer started, can't unload. + +We did a comparative test before and after adding this patch, and the +result is effective. + +Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)") + +[js] the constant is named SSIF_NORMAL in 4.* + +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Yuchen +Message-Id: <20230412074907.80046-1-zhangyuchen.lcr@bytedance.com> +Signed-off-by: Corey Minyard +Signed-off-by: Jiri Slaby +--- + drivers/char/ipmi/ipmi_ssif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -774,9 +774,9 @@ static void msg_done_handler(struct ssif + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_GET_MSG_FLAGS_CMD) { + /* +- * Don't abort here, maybe it was a queued +- * response to a previous command. ++ * Recv error response, give up. + */ ++ ssif_info->ssif_state = SSIF_NORMAL; + ipmi_ssif_unlock_cond(ssif_info, flags); + pr_warn(PFX "Invalid response getting flags: %x %x\n", + data[0], data[1]); diff --git a/patches.suse/kcm-Only-allow-TCP-sockets-to-be-attached-to-a-KCM-m.patch b/patches.suse/kcm-Only-allow-TCP-sockets-to-be-attached-to-a-KCM-m.patch new file mode 100644 index 0000000..9c4257a --- /dev/null +++ b/patches.suse/kcm-Only-allow-TCP-sockets-to-be-attached-to-a-KCM-m.patch @@ -0,0 +1,44 @@ +From 3acd879fb272b36a8137aae0b591221fed3837a0 Mon Sep 17 00:00:00 2001 +From: Tom Herbert +Date: Wed, 24 Jan 2018 12:35:40 -0800 +Subject: [PATCH] kcm: Only allow TCP sockets to be attached to a KCM mux +Git-commit: 581e7226a5d43f629eb6399a121f85f6a15f81be +Patch-mainline: v4.15 +References: git-fixes + +TCP sockets for IPv4 and IPv6 that are not listeners or in closed +stated are allowed to be attached to a KCM mux. + +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Reported-by: syzbot+8865eaff7f9acd593945@syzkaller.appspotmail.com +Signed-off-by: Tom Herbert +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + net/kcm/kcmsock.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index 473ad3ebdff2..c6e325199495 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1387,8 +1387,13 @@ static int kcm_attach(struct socket *soc + if (!csk) + return -EINVAL; + +- /* We must prevent loops or risk deadlock ! */ +- if (csk->sk_family == PF_KCM) ++ /* Only allow TCP sockets to be attached for now */ ++ if ((csk->sk_family != AF_INET && csk->sk_family != AF_INET6) || ++ csk->sk_protocol != IPPROTO_TCP) ++ return -EOPNOTSUPP; ++ ++ /* Don't allow listeners or closed sockets */ ++ if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE) + return -EOPNOTSUPP; + + psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL); +-- +2.16.4 + diff --git a/patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch b/patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch index 395291b..7b2c171 100644 --- a/patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch +++ b/patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch @@ -21,7 +21,7 @@ Signed-off-by: Jiri Slaby --- a/net/kcm/kcmsock.c +++ b/net/kcm/kcmsock.c -@@ -1381,19 +1381,25 @@ static int kcm_attach(struct socket *soc +@@ -1381,24 +1381,33 @@ static int kcm_attach(struct socket *soc .parse_msg = kcm_parse_func_strparser, .read_sock_done = kcm_read_sock_done, }; @@ -34,25 +34,32 @@ Signed-off-by: Jiri Slaby + lock_sock(csk); + - /* We must prevent loops or risk deadlock ! */ -- if (csk->sk_family == PF_KCM) -- return -EOPNOTSUPP; -+ if (csk->sk_family == PF_KCM) { -+ err = -EOPNOTSUPP; + /* Only allow TCP sockets to be attached for now */ + if ((csk->sk_family != AF_INET && csk->sk_family != AF_INET6) || +- csk->sk_protocol != IPPROTO_TCP) ++ csk->sk_protocol != IPPROTO_TCP) { + return -EOPNOTSUPP; + goto out; + } + /* Don't allow listeners or closed sockets */ +- if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE) ++ if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE) { + return -EOPNOTSUPP; ++ goto out; ++ } ++ + psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL); - if (!psock) -- return -ENOMEM; + if (!psock) { -+ err = -ENOMEM; + return -ENOMEM; + goto out; + } psock->mux = mux; psock->sk = csk; -@@ -1402,7 +1408,7 @@ static int kcm_attach(struct socket *soc +@@ -1407,7 +1416,7 @@ static int kcm_attach(struct socket *soc err = strp_init(&psock->strp, csk, &cb); if (err) { kmem_cache_free(kcm_psockp, psock); @@ -61,7 +68,7 @@ Signed-off-by: Jiri Slaby } sock_hold(csk); -@@ -1438,7 +1444,10 @@ static int kcm_attach(struct socket *soc +@@ -1443,7 +1452,10 @@ static int kcm_attach(struct socket *soc /* Schedule RX work in case there are already bytes queued */ strp_check_rcv(&psock->strp); diff --git a/patches.suse/nvme-pci-don-t-WARN_ON-in-nvme_reset_work-if-ctrl.st.patch b/patches.suse/nvme-pci-don-t-WARN_ON-in-nvme_reset_work-if-ctrl.st.patch new file mode 100644 index 0000000..2db1b6f --- /dev/null +++ b/patches.suse/nvme-pci-don-t-WARN_ON-in-nvme_reset_work-if-ctrl.st.patch @@ -0,0 +1,76 @@ +From: Zhihao Cheng +Date: Mon, 5 Jul 2021 21:38:29 +0800 +Subject: nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not + RESETTING +Patch-mainline: v5.14-rc3 +Git-commit: 7764656b108cd308c39e9a8554353b8f9ca232a3 +References: git-fixes + +Followling process: +nvme_probe + nvme_reset_ctrl + nvme_change_ctrl_state(ctrl, NVME_CTRL_RESETTING) + queue_work(nvme_reset_wq, &ctrl->reset_work) + +--------------> nvme_remove + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING) +worker_thread + process_one_work + nvme_reset_work + WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING) + +, which will trigger WARN_ON in nvme_reset_work(): +[ 127.534298] WARNING: CPU: 0 PID: 139 at drivers/nvme/host/pci.c:2594 +[ 127.536161] CPU: 0 PID: 139 Comm: kworker/u8:7 Not tainted 5.13.0 +[ 127.552518] Call Trace: +[ 127.552840] ? kvm_sched_clock_read+0x25/0x40 +[ 127.553936] ? native_send_call_func_single_ipi+0x1c/0x30 +[ 127.555117] ? send_call_function_single_ipi+0x9b/0x130 +[ 127.556263] ? __smp_call_single_queue+0x48/0x60 +[ 127.557278] ? ttwu_queue_wakelist+0xfa/0x1c0 +[ 127.558231] ? try_to_wake_up+0x265/0x9d0 +[ 127.559120] ? ext4_end_io_rsv_work+0x160/0x290 +[ 127.560118] process_one_work+0x28c/0x640 +[ 127.561002] worker_thread+0x39a/0x700 +[ 127.561833] ? rescuer_thread+0x580/0x580 +[ 127.562714] kthread+0x18c/0x1e0 +[ 127.563444] ? set_kthread_struct+0x70/0x70 +[ 127.564347] ret_from_fork+0x1f/0x30 + +The preceding problem can be easily reproduced by executing following +script (based on blktests suite): +test() { + pdev="$(_get_pci_dev_from_blkdev)" + sysfs="/sys/bus/pci/devices/${pdev}" + for ((i = 0; i < 10; i++)); do + echo 1 > "$sysfs/remove" + echo 1 > /sys/bus/pci/rescan + done +} + +Since the device ctrl could be updated as an non-RESETTING state by +repeating probe/remove in userspace (which is a normal situation), we +can replace stack dumping WARN_ON with a warnning message. + +Fixes: 82b057caefaff ("nvme-pci: fix multiple ctrl removal schedulin") +Signed-off-by: Zhihao Cheng +Acked-by: Daniel Wagner +--- + drivers/nvme/host/pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2252,8 +2252,11 @@ static void nvme_reset_work(struct work_ + int result = -ENODEV; + enum nvme_ctrl_state new_state = NVME_CTRL_LIVE; + +- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) ++ if (dev->ctrl.state != NVME_CTRL_RESETTING) { ++ dev_warn(dev->ctrl.device, "ctrl state %d is not RESETTING\n", ++ dev->ctrl.state); + goto out; ++ } + + /* + * If we're called to reset a live controller first shut it down before diff --git a/patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch b/patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch new file mode 100644 index 0000000..93ea4ec --- /dev/null +++ b/patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch @@ -0,0 +1,93 @@ +From 451b15ed138ec15bffbebb58a00ebdd884c3e659 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Fri, 17 Mar 2023 14:15:16 +0800 +Subject: [PATCH] usb: chipidea: core: fix possible concurrent when switch role +Git-commit: 451b15ed138ec15bffbebb58a00ebdd884c3e659 +References: git-fixes +Patch-mainline: v6.3-rc4 + +The user may call role_store() when driver is handling +ci_handle_id_switch() which is triggerred by otg event or power lost +event. Unfortunately, the controller may go into chaos in this case. +Fix this by protecting it with mutex lock. + +Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group") +cc: +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20230317061516.2451728-2-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/chipidea/ci.h | 2 ++ + drivers/usb/chipidea/core.c | 4 ++++ + drivers/usb/chipidea/otg.c | 5 ++++- + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/usb/chipidea/ci.h ++++ b/drivers/usb/chipidea/ci.h +@@ -205,6 +205,7 @@ struct hw_bank { + * @in_lpm: if the core in low power mode + * @wakeup_int: if wakeup interrupt occur + * @rev: The revision number for controller ++ * @mutex: protect code from concorrent running when doing role switch + */ + struct ci_hdrc { + struct device *dev; +@@ -259,6 +260,7 @@ struct ci_hdrc { + bool in_lpm; + bool wakeup_int; + enum ci_revision rev; ++ struct mutex mutex; + }; + + static inline struct ci_role_driver *ci_role(struct ci_hdrc *ci) +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -878,6 +878,8 @@ static ssize_t ci_role_store(struct devi + if (role == CI_ROLE_END || role == ci->role) + return -EINVAL; + ++ mutex_lock(&ci->mutex); ++ + pm_runtime_get_sync(dev); + disable_irq(ci->irq); + ci_role_stop(ci); +@@ -886,6 +888,7 @@ static ssize_t ci_role_store(struct devi + ci_handle_vbus_change(ci); + enable_irq(ci->irq); + pm_runtime_put_sync(dev); ++ mutex_unlock(&ci->mutex); + + return (ret == 0) ? n : ret; + } +@@ -924,6 +927,7 @@ static int ci_hdrc_probe(struct platform + return -ENOMEM; + + spin_lock_init(&ci->lock); ++ mutex_init(&ci->mutex); + ci->dev = dev; + ci->platdata = dev_get_platdata(dev); + ci->imx28_write_fix = !!(ci->platdata->flags & +--- a/drivers/usb/chipidea/otg.c ++++ b/drivers/usb/chipidea/otg.c +@@ -167,8 +167,10 @@ static int hw_wait_vbus_lower_bsv(struct + + static void ci_handle_id_switch(struct ci_hdrc *ci) + { +- enum ci_role role = ci_otg_role(ci); ++ enum ci_role role; + ++ mutex_lock(&ci->mutex); ++ role = ci_otg_role(ci); + if (role != ci->role) { + dev_dbg(ci->dev, "switching from %s to %s\n", + ci_role(ci)->name, ci->roles[role]->name); +@@ -191,6 +193,7 @@ static void ci_handle_id_switch(struct c + if (role == CI_ROLE_GADGET) + ci_handle_vbus_change(ci); + } ++ mutex_unlock(&ci->mutex); + } + /** + * ci_otg_work - perform otg (vbus/id) event handle diff --git a/patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch b/patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch new file mode 100644 index 0000000..003f84a --- /dev/null +++ b/patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch @@ -0,0 +1,32 @@ +From: Dan Carpenter +Date: Mon, 6 Feb 2023 16:15:48 +0300 +Subject: wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list() +Git-commit: 4c856ee12df85aabd437c3836ed9f68d94268358 +Patch-mainline: v6.4-rc1 +References: git-fixes + +This loop checks that i < max at the start of loop but then it does +i++ which could put it past the end of the array. It's harmless to +check again and prevent a potential out of bounds. + +Fixes: 1048643ea94d ("ath5k: Clean up eeprom parsing and add missing calibration data") +Signed-off-by: Dan Carpenter +Reviewed-by: Luis Chamberlain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Y+D9hPQrHfWBJhXz@kili +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/ath/ath5k/eeprom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath5k/eeprom.c ++++ b/drivers/net/wireless/ath/ath5k/eeprom.c +@@ -529,7 +529,7 @@ ath5k_eeprom_read_freq_list(struct ath5k + ee->ee_n_piers[mode]++; + + freq2 = (val >> 8) & 0xff; +- if (!freq2) ++ if (!freq2 || i >= max) + break; + + pc[i++].freq = ath5k_eeprom_bin2freq(ee, diff --git a/patches.suse/x86-boot-avoid-using-intel-mnemonics-in-at-t-syntax-asm.patch b/patches.suse/x86-boot-avoid-using-intel-mnemonics-in-at-t-syntax-asm.patch new file mode 100644 index 0000000..cb8bc5a --- /dev/null +++ b/patches.suse/x86-boot-avoid-using-intel-mnemonics-in-at-t-syntax-asm.patch @@ -0,0 +1,72 @@ +From: Peter Zijlstra +Date: Tue, 10 Jan 2023 12:15:40 +0100 +Subject: x86/boot: Avoid using Intel mnemonics in AT&T syntax asm +Git-commit: 7c6dd961d0c8e7e8f9fdc65071fb09ece702e18d +Patch-mainline: v6.2-rc4 +References: git-fixes + +With 'GNU assembler (GNU Binutils for Debian) 2.39.90.20221231' the +build now reports: + + arch/x86/realmode/rm/../../boot/bioscall.S: Assembler messages: + arch/x86/realmode/rm/../../boot/bioscall.S:35: Warning: found `movsd'; assuming `movsl' was meant + arch/x86/realmode/rm/../../boot/bioscall.S:70: Warning: found `movsd'; assuming `movsl' was meant + + arch/x86/boot/bioscall.S: Assembler messages: + arch/x86/boot/bioscall.S:35: Warning: found `movsd'; assuming `movsl' was meant + arch/x86/boot/bioscall.S:70: Warning: found `movsd'; assuming `movsl' was meant + +Which is due to: + + PR gas/29525 + + Note that with the dropped CMPSD and MOVSD Intel Syntax string insn + templates taking operands, mixed IsString/non-IsString template groups + (with memory operands) cannot occur anymore. With that + maybe_adjust_templates() becomes unnecessary (and is hence being + removed). + +More details: https://sourceware.org/bugzilla/show_bug.cgi?id=29525 + +Borislav Petkov further explains: + + " the particular problem here is is that the 'd' suffix is + "conflicting" in the sense that you can have SSE mnemonics like movsD %xmm... + and the same thing also for string ops (which is the case here) so apparently + the agreement in binutils land is to use the always accepted suffixes 'l' or 'q' + and phase out 'd' slowly... " + +Fixes: 7a734e7dd93b ("x86, setup: "glove box" BIOS calls -- infrastructure") +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Acked-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/Y71I3Ex2pvIxMpsP@hirez.programming.kicks-ass.net + +Acked-by: Nikolay Borisov +--- + arch/x86/boot/bioscall.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/boot/bioscall.S b/arch/x86/boot/bioscall.S +index 5521ea12f44e..aa9b96457584 100644 +--- a/arch/x86/boot/bioscall.S ++++ b/arch/x86/boot/bioscall.S +@@ -32,7 +32,7 @@ + movw %dx, %si + movw %sp, %di + movw $11, %cx +- rep; movsd ++ rep; movsl + + /* Pop full state from the stack */ + popal +@@ -67,7 +67,7 @@ + jz 4f + movw %sp, %si + movw $11, %cx +- rep; movsd ++ rep; movsl + 4: addw $44, %sp + + /* Restore state and return */ + diff --git a/patches.suse/x86-fpu-prevent-fpu-state-corruption.patch b/patches.suse/x86-fpu-prevent-fpu-state-corruption.patch new file mode 100644 index 0000000..a73f119 --- /dev/null +++ b/patches.suse/x86-fpu-prevent-fpu-state-corruption.patch @@ -0,0 +1,139 @@ +From: Thomas Gleixner +Date: Sun, 1 May 2022 21:31:43 +0200 +Subject: x86/fpu: Prevent FPU state corruption +Git-commit: 59f5ede3bc0f00eb856425f636dab0c10feb06d8 +Patch-mainline: v5.18-rc6 +References: git-fixes + +The FPU usage related to task FPU management is either protected by +disabling interrupts (switch_to, return to user) or via fpregs_lock() which +is a wrapper around local_bh_disable(). When kernel code wants to use the +FPU then it has to check whether it is possible by calling irq_fpu_usable(). + +But the condition in irq_fpu_usable() is wrong. It allows FPU to be used +when: + + !in_interrupt() || interrupted_user_mode() || interrupted_kernel_fpu_idle() + +The latter is checking whether some other context already uses FPU in the +kernel, but if that's not the case then it allows FPU to be used +unconditionally even if the calling context interrupted a fpregs_lock() +critical region. If that happens then the FPU state of the interrupted +context becomes corrupted. + +Allow in kernel FPU usage only when no other context has in kernel FPU +usage and either the calling context is not hard interrupt context or the +hard interrupt did not interrupt a local bottomhalf disabled region. + +It's hard to find a proper Fixes tag as the condition was broken in one way +or the other for a very long time and the eager/lazy FPU changes caused a +lot of churn. Picked something remotely connected from the history. + +This survived undetected for quite some time as FPU usage in interrupt +context is rare, but the recent changes to the random code unearthed it at +least on a kernel which had FPU debugging enabled. There is probably a +higher rate of silent corruption as not all issues can be detected by the +FPU debugging code. This will be addressed in a subsequent change. + +Fixes: 5d2bd7009f30 ("x86, fpu: decouple non-lazy/eager fpu restore from xsave") +Reported-by: Filipe Manana +Signed-off-by: Thomas Gleixner +Tested-by: Filipe Manana +Reviewed-by: Borislav Petkov +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220501193102.588689270@linutronix.de + +Acked-by: Nikolay Borisov +--- + arch/x86/kernel/fpu/core.c | 67 +++++++++++++++++---------------------------- + 1 file changed, 26 insertions(+), 41 deletions(-) + +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -23,17 +23,7 @@ + */ + union fpregs_state init_fpstate __read_mostly; + +-/* +- * Track whether the kernel is using the FPU state +- * currently. +- * +- * This flag is used: +- * +- * - by IRQ context code to potentially use the FPU +- * if it's unused. +- * +- * - to debug kernel_fpu_begin()/end() correctness +- */ ++/* Track in-kernel FPU usage */ + static DEFINE_PER_CPU(bool, in_kernel_fpu); + + /* +@@ -53,42 +43,37 @@ static void kernel_fpu_enable(void) + this_cpu_write(in_kernel_fpu, false); + } + +-static bool kernel_fpu_disabled(void) +-{ +- return this_cpu_read(in_kernel_fpu); +-} +- +-static bool interrupted_kernel_fpu_idle(void) +-{ +- return !kernel_fpu_disabled(); +-} +- +-/* +- * Were we in user mode (or vm86 mode) when we were +- * interrupted? +- * +- * Doing kernel_fpu_begin/end() is ok if we are running +- * in an interrupt context from user mode - we'll just +- * save the FPU state as required. +- */ +-static bool interrupted_user_mode(void) +-{ +- struct pt_regs *regs = get_irq_regs(); +- return regs && user_mode(regs); +-} +- + /* + * Can we use the FPU in kernel mode with the + * whole "kernel_fpu_begin/end()" sequence? +- * +- * It's always ok in process context (ie "not interrupt") +- * but it is sometimes ok even from an irq. + */ + bool irq_fpu_usable(void) + { +- return !in_interrupt() || +- interrupted_user_mode() || +- interrupted_kernel_fpu_idle(); ++ if (WARN_ON_ONCE(in_nmi())) ++ return false; ++ ++ /* In kernel FPU usage already active? */ ++ if (this_cpu_read(in_kernel_fpu)) ++ return false; ++ ++ /* ++ * When not in NMI or hard interrupt context, FPU can be used in: ++ * ++ * - Task context except from within fpregs_lock()'ed critical ++ * regions. ++ * ++ * - Soft interrupt processing context which cannot happen ++ * while in a fpregs_lock()'ed critical region. ++ */ ++ if (!in_irq()) ++ return true; ++ ++ /* ++ * In hard interrupt context it's safe when soft interrupts ++ * are enabled, which means the interrupt did not hit in ++ * a fpregs_lock()'ed critical region. ++ */ ++ return !softirq_count(); + } + EXPORT_SYMBOL(irq_fpu_usable); + diff --git a/patches.suse/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch b/patches.suse/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch new file mode 100644 index 0000000..e507bfc --- /dev/null +++ b/patches.suse/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch @@ -0,0 +1,44 @@ +From: Sean Christopherson +Date: Fri, 8 Oct 2021 17:11:04 -0700 +Subject: x86/irq: Ensure PI wakeup handler is unregistered before module unload +Git-commit: 6ff53f6a438f72998f56e82e76694a1df9d1ea2c +Patch-mainline: v5.16-rc1 +References: git-fixes + +Add a synchronize_rcu() after clearing the posted interrupt wakeup handler +to ensure all readers, i.e. in-flight IRQ handlers, see the new handler +before returning to the caller. If the caller is an exiting module and +is unregistering its handler, failure to wait could result in the IRQ +handler jumping into an unloaded module. + +The registration path doesn't require synchronization, as it's the +caller's responsibility to not generate interrupts it cares about until +after its handler is registered. + +Fixes: f6b3c72c2366 ("x86/irq: Define a global vector for VT-d Posted-Interrupts") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20211009001107.3936588-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Acked-by: Nikolay Borisov +--- + arch/x86/kernel/irq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c +index e28f6a5d14f1..766ffe3ba313 100644 +--- a/arch/x86/kernel/irq.c ++++ b/arch/x86/kernel/irq.c +@@ -291,8 +291,10 @@ void kvm_set_posted_intr_wakeup_handler(void (*handler)(void)) + { + if (handler) + kvm_posted_intr_wakeup_handler = handler; +- else ++ else { + kvm_posted_intr_wakeup_handler = dummy_handler; ++ synchronize_rcu(); ++ } + } + EXPORT_SYMBOL_GPL(kvm_set_posted_intr_wakeup_handler); + + diff --git a/patches.suse/x86-kprobes-fix-to-check-non-boostable-prefixes-correctly.patch b/patches.suse/x86-kprobes-fix-to-check-non-boostable-prefixes-correctly.patch new file mode 100644 index 0000000..0aa36db --- /dev/null +++ b/patches.suse/x86-kprobes-fix-to-check-non-boostable-prefixes-correctly.patch @@ -0,0 +1,67 @@ +From: Masami Hiramatsu +Date: Thu, 25 Mar 2021 19:08:31 +0900 +Subject: x86/kprobes: Fix to check non boostable prefixes correctly +Git-commit: 6dd3b8c9f58816a1354be39559f630cd1bd12159 +Patch-mainline: v5.13-rc1 +References: git-fixes + +There are 2 bugs in the can_boost() function because of using +x86 insn decoder. Since the insn->opcode never has a prefix byte, +it can not find CS override prefix in it. And the insn->attr is +the attribute of the opcode, thus inat_is_address_size_prefix( +insn->attr) always returns false. + +Fix those by checking each prefix bytes with for_each_insn_prefix +loop and getting the correct attribute for each prefix byte. +Also, this removes unlikely, because this is a slow path. + +Fixes: a8d11cd0714f ("kprobes/x86: Consolidate insn decoder users for copying code") +Signed-off-by: Masami Hiramatsu +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/161666691162.1120877.2808435205294352583.stgit@devnote2 + +Acked-by: Nikolay Borisov +--- + arch/x86/kernel/kprobes/core.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -172,6 +172,8 @@ NOKPROBE_SYMBOL(skip_prefixes); + int can_boost(struct insn *insn, void *addr) + { + kprobe_opcode_t opcode; ++ insn_byte_t prefix; ++ int i; + + if (search_exception_tables((unsigned long)addr)) + return 0; /* Page fault may occur on this address. */ +@@ -184,9 +186,14 @@ int can_boost(struct insn *insn, void *a + if (insn->opcode.nbytes != 1) + return 0; + +- /* Can't boost Address-size override prefix */ +- if (unlikely(inat_is_address_size_prefix(insn->attr))) +- return 0; ++ for_each_insn_prefix(insn, i, prefix) { ++ insn_attr_t attr; ++ ++ attr = inat_get_opcode_attribute(prefix); ++ /* Can't boost Address-size override prefix and CS override prefix */ ++ if (prefix == 0x2e || inat_is_address_size_prefix(attr)) ++ return 0; ++ } + + opcode = insn->opcode.bytes[0]; + +@@ -211,8 +218,8 @@ int can_boost(struct insn *insn, void *a + /* clear and set flags are boostable */ + return (opcode == 0xf5 || (0xf7 < opcode && opcode < 0xfe)); + default: +- /* CS override prefix and call are not boostable */ +- return (opcode != 0x2e && opcode != 0x9a); ++ /* call is not boostable */ ++ return opcode != 0x9a; + } + } + diff --git a/patches.suse/x86-kprobes-restore-btf-if-the-single-stepping-is-cancelled.patch b/patches.suse/x86-kprobes-restore-btf-if-the-single-stepping-is-cancelled.patch new file mode 100644 index 0000000..43755bd --- /dev/null +++ b/patches.suse/x86-kprobes-restore-btf-if-the-single-stepping-is-cancelled.patch @@ -0,0 +1,43 @@ +From: Masami Hiramatsu +Date: Wed, 28 Oct 2020 23:31:10 +0900 +Subject: x86/kprobes: Restore BTF if the single-stepping is cancelled +Git-commit: 78ff2733ff352175eb7f4418a34654346e1b6cd2 +Patch-mainline: v5.11-rc1 +References: git-fixes + +Fix to restore BTF if single-stepping causes a page fault and +it is cancelled. + +Usually the BTF flag was restored when the single stepping is done +(in resume_execution()). However, if a page fault happens on the +single stepping instruction, the fault handler is invoked and +the single stepping is cancelled. Thus, the BTF flag is not +restored. + +Fixes: 1ecc798c6764 ("x86: debugctlmsr kprobes") +Signed-off-by: Masami Hiramatsu +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/160389546985.106936.12727996109376240993.stgit@devnote2 + +Acked-by: Nikolay Borisov +--- + arch/x86/kernel/kprobes/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 547c7abb39f5..39f7d8c3c064 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -937,6 +937,11 @@ int kprobe_fault_handler(struct pt_regs *regs, int trapnr) + * So clear it by resetting the current kprobe: + */ + regs->flags &= ~X86_EFLAGS_TF; ++ /* ++ * Since the single step (trap) has been cancelled, ++ * we need to restore BTF here. ++ */ ++ restore_btf(); + + /* + * If the TF flag was set before the kprobe hit, + diff --git a/patches.suse/x86-mce-inject-avoid-out-of-bounds-write-when-setting-flags.patch b/patches.suse/x86-mce-inject-avoid-out-of-bounds-write-when-setting-flags.patch new file mode 100644 index 0000000..fce456a --- /dev/null +++ b/patches.suse/x86-mce-inject-avoid-out-of-bounds-write-when-setting-flags.patch @@ -0,0 +1,49 @@ +From: Zhang Zixun +Date: Mon, 27 Dec 2021 22:02:49 +0100 +Subject: x86/mce/inject: Avoid out-of-bounds write when setting flags +Git-commit: de768416b203ac84e02a757b782a32efb388476f +Patch-mainline: v5.17-rc1 +References: git-fixes + +A contrived zero-length write, for example, by using write(2): + + ... + ret = write(fd, str, 0); + ... + +to the "flags" file causes: + + BUG: KASAN: stack-out-of-bounds in flags_write + Write of size 1 at addr ffff888019be7ddf by task writefile/3787 + + CPU: 4 PID: 3787 Comm: writefile Not tainted 5.16.0-rc7+ #12 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 + +due to accessing buf one char before its start. + +Prevent such out-of-bounds access. + + [ bp: Productize into a proper patch. Link below is the next best + thing because the original mail didn't get archived on lore. ] + +Fixes: 0451d14d0561 ("EDAC, mce_amd_inj: Modify flags attribute to use string arguments") +Signed-off-by: Zhang Zixun +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/linux-edac/YcnePfF1OOqoQwrX@zn.tnic/ + +Acked-by: Nikolay Borisov +--- + arch/x86/ras/mce_amd_inj.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/ras/mce_amd_inj.c ++++ b/arch/x86/ras/mce_amd_inj.c +@@ -151,7 +151,7 @@ static ssize_t flags_write(struct file * + char buf[MAX_FLAG_OPT_SIZE], *__buf; + int err; + +- if (cnt > MAX_FLAG_OPT_SIZE) ++ if (!cnt || cnt > MAX_FLAG_OPT_SIZE) + return -EINVAL; + + if (copy_from_user(&buf, ubuf, cnt)) diff --git a/patches.suse/x86-tools-fix-objdump-version-check-again.patch b/patches.suse/x86-tools-fix-objdump-version-check-again.patch new file mode 100644 index 0000000..de34c0b --- /dev/null +++ b/patches.suse/x86-tools-fix-objdump-version-check-again.patch @@ -0,0 +1,39 @@ +From: Randy Dunlap +Date: Fri, 30 Jul 2021 17:01:46 -0700 +Subject: x86/tools: Fix objdump version check again +Git-commit: 839ad22f755132838f406751439363c07272ad87 +Patch-mainline: v5.14-rc6 +References: git-fixes + +Skip (omit) any version string info that is parenthesized. + +Warning: objdump version 15) is older than 2.19 +Warning: Skipping posttest. + +where 'objdump -v' says: +GNU objdump (GNU Binutils; SUSE Linux Enterprise 15) 2.35.1.20201123-7.18 + +Fixes: 8bee738bb1979 ("x86: Fix objdump version check in chkobjdump.awk for different formats.") +Signed-off-by: Randy Dunlap +Signed-off-by: Thomas Gleixner +Reviewed-by: Masami Hiramatsu +Link: https://lore.kernel.org/r/20210731000146.2720-1-rdunlap@infradead.org + +Acked-by: Nikolay Borisov +--- + arch/x86/tools/chkobjdump.awk | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/tools/chkobjdump.awk b/arch/x86/tools/chkobjdump.awk +index fd1ab80be0de..a4cf678cf5c8 100644 +--- a/arch/x86/tools/chkobjdump.awk ++++ b/arch/x86/tools/chkobjdump.awk +@@ -10,6 +10,7 @@ BEGIN { + + /^GNU objdump/ { + verstr = "" ++ gsub(/\(.*\)/, ""); + for (i = 3; i <= NF; i++) + if (match($(i), "^[0-9]")) { + verstr = $(i); + diff --git a/patches.suse/x86-tools-relocs-fix-non-posix-regexp.patch b/patches.suse/x86-tools-relocs-fix-non-posix-regexp.patch new file mode 100644 index 0000000..4855af7 --- /dev/null +++ b/patches.suse/x86-tools-relocs-fix-non-posix-regexp.patch @@ -0,0 +1,60 @@ +From: "H. Nikolaus Schaller" +Date: Thu, 8 Jul 2021 10:57:09 +0200 +Subject: x86/tools/relocs: Fix non-POSIX regexp +Git-commit: fa953adfad7cf9c7e30d9ea0e4ccfd38cfb5495d +Patch-mainline: v5.14-rc5 +References: git-fixes + +Trying to run a cross-compiled x86 relocs tool on a BSD based +HOSTCC leads to errors like + + VOFFSET arch/x86/boot/compressed/../voffset.h - due to: vmlinux + CC arch/x86/boot/compressed/misc.o - due to: arch/x86/boot/compressed/../voffset.h + OBJCOPY arch/x86/boot/compressed/vmlinux.bin - due to: vmlinux + RELOCS arch/x86/boot/compressed/vmlinux.relocs - due to: vmlinux +empty (sub)expressionarch/x86/boot/compressed/Makefile:118: recipe for target 'arch/x86/boot/compressed/vmlinux.relocs' failed +make[3]: *** [arch/x86/boot/compressed/vmlinux.relocs] Error 1 + +It turns out that relocs.c uses patterns like + + "something(|_end)" + +This is not valid syntax or gives undefined results according +to POSIX 9.5.3 ERE Grammar + + https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html + +It seems to be silently accepted by the Linux regexp() implementation +while a BSD host complains. + +Such patterns can be replaced by a transformation like + + "(|p1|p2)" -> "(p1|p2)?" + +Fixes: fd952815307f ("x86-32, relocs: Whitelist more symbols for ld bug workaround") +Signed-off-by: H. Nikolaus Schaller +Signed-off-by: Masahiro Yamada +Acked-by: Nikolay Borisov +--- + arch/x86/tools/relocs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/tools/relocs.c ++++ b/arch/x86/tools/relocs.c +@@ -54,12 +54,12 @@ static const char * const sym_regex_kern + [S_REL] = + "^(__init_(begin|end)|" + "__x86_cpu_dev_(start|end)|" +- "(__parainstructions|__alt_instructions)(|_end)|" +- "(__iommu_table|__apicdrivers|__smp_locks)(|_end)|" ++ "(__parainstructions|__alt_instructions)(_end)?|" ++ "(__iommu_table|__apicdrivers|__smp_locks)(_end)?|" + "__(start|end)_pci_.*|" + "__(start|end)_builtin_fw|" +- "__(start|stop)___ksymtab(|_gpl|_unused|_unused_gpl|_gpl_future)|" +- "__(start|stop)___kcrctab(|_gpl|_unused|_unused_gpl|_gpl_future)|" ++ "__(start|stop)___ksymtab(_gpl|_unused|_unused_gpl|_gpl_future)?|" ++ "__(start|stop)___kcrctab(_gpl|_unused|_unused_gpl|_gpl_future)?|" + "__(start|stop)___param|" + "__(start|stop)___modver|" + "__(start|stop)___bug_table|" diff --git a/patches.suse/x86-virt-eat-faults-on-vmxoff-in-reboot-flows.patch b/patches.suse/x86-virt-eat-faults-on-vmxoff-in-reboot-flows.patch new file mode 100644 index 0000000..bdacfc3 --- /dev/null +++ b/patches.suse/x86-virt-eat-faults-on-vmxoff-in-reboot-flows.patch @@ -0,0 +1,62 @@ +From: Sean Christopherson +Date: Wed, 30 Dec 2020 16:26:54 -0800 +Subject: x86/virt: Eat faults on VMXOFF in reboot flows +Git-commit: aec511ad153556640fb1de38bfe00c69464f997f +Patch-mainline: v5.12-rc1 +References: git-fixes + +Silently ignore all faults on VMXOFF in the reboot flows as such faults +are all but guaranteed to be due to the CPU not being in VMX root. +Because (a) VMXOFF may be executed in NMI context, e.g. after VMXOFF but +before CR4.VMXE is cleared, (b) there's no way to query the CPU's VMX +state without faulting, and (c) the whole point is to get out of VMX +root, eating faults is the simplest way to achieve the desired behaior. + +Technically, VMXOFF can fault (or fail) for other reasons, but all other +fault and failure scenarios are mode related, i.e. the kernel would have +to magically end up in RM, V86, compat mode, at CPL>0, or running with +the SMI Transfer Monitor active. The kernel is beyond hosed if any of +those scenarios are encountered; trying to do something fancy in the +error path to handle them cleanly is pointless. + +Fixes: 1e9931146c74 ("x86: asm/virtext.h: add cpu_vmxoff() inline function") +Reported-by: David P. Reed +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20201231002702.2223707-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Acked-by: Nikolay Borisov +--- + arch/x86/include/asm/virtext.h | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/arch/x86/include/asm/virtext.h ++++ b/arch/x86/include/asm/virtext.h +@@ -32,15 +32,22 @@ static inline int cpu_has_vmx(void) + } + + +-/** Disable VMX on the current CPU ++/** ++ * cpu_vmxoff() - Disable VMX on the current CPU + * +- * vmxoff causes a undefined-opcode exception if vmxon was not run +- * on the CPU previously. Only call this function if you know VMX +- * is enabled. ++ * Disable VMX and clear CR4.VMXE (even if VMXOFF faults) ++ * ++ * Note, VMXOFF causes a #UD if the CPU is !post-VMXON, but it's impossible to ++ * atomically track post-VMXON state, e.g. this may be called in NMI context. ++ * Eat all faults as all other faults on VMXOFF faults are mode related, i.e. ++ * faults are guaranteed to be due to the !post-VMXON check unless the CPU is ++ * magically in RM, VM86, compat mode, or at CPL>0. + */ + static inline void cpu_vmxoff(void) + { +- asm volatile (ASM_VMX_VMXOFF : : : "cc"); ++ asm_volatile_goto("1: vmxoff\n\t" ++ _ASM_EXTABLE(1b, %l[fault]) :::: fault); ++fault: + cr4_clear_bits(X86_CR4_VMXE); + } + diff --git a/patches.suse/x86-virt-mark-flags-and-memory-as-clobbered-by-vmxoff.patch b/patches.suse/x86-virt-mark-flags-and-memory-as-clobbered-by-vmxoff.patch new file mode 100644 index 0000000..c4a667b --- /dev/null +++ b/patches.suse/x86-virt-mark-flags-and-memory-as-clobbered-by-vmxoff.patch @@ -0,0 +1,52 @@ +From: "David P. Reed" +Date: Wed, 30 Dec 2020 16:26:56 -0800 +Subject: x86/virt: Mark flags and memory as clobbered by VMXOFF +Git-commit: 53666664a3052e4ea3ddcb183460dfbc30f1d056 +Patch-mainline: v5.12-rc1 +References: git-fixes + +Explicitly tell the compiler that VMXOFF modifies flags (like all VMX +instructions), and mark memory as clobbered since VMXOFF must not be +reordered and also may have memory side effects (though the kernel +really shouldn't be accessing the root VMCS anyways). + +Practically speaking, adding the clobbers is most likely a nop; the +primary motivation is to properly document VMXOFF's behavior. + +For the flags clobber, both Clang and GCC automatically mark flags as +clobbered; this is noted in commit 4b1e54786e48 ("KVM/x86: Use assembly +instruction mnemonics instead of .byte streams"), which intentionally +removed the previous clobber. But, neither Clang nor GCC documents +this behavior, and there's no downside to including the clobber. + +For the memory clobber, the RFLAGS.IF and CR4.VMXE manipulations that +immediately follow VMXOFF have compiler barriers of their own, i.e. +VMXOFF can't get reordered after clearing CR4.VMXE, which is really +what's of interest. + +Cc: Randy Dunlap +Signed-off-by: David P. Reed +[sean: rewrote changelog, dropped comment adjustments] +Signed-off-by: Sean Christopherson +Message-Id: <20201231002702.2223707-4-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Acked-by: Nikolay Borisov +--- + arch/x86/include/asm/virtext.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/virtext.h b/arch/x86/include/asm/virtext.h +index fda3e7747c22..2cc585467667 100644 +--- a/arch/x86/include/asm/virtext.h ++++ b/arch/x86/include/asm/virtext.h +@@ -44,7 +44,8 @@ static inline int cpu_has_vmx(void) + static inline void cpu_vmxoff(void) + { + asm_volatile_goto("1: vmxoff\n\t" +- _ASM_EXTABLE(1b, %l[fault]) :::: fault); ++ _ASM_EXTABLE(1b, %l[fault]) ++ ::: "cc", "memory" : fault); + fault: + cr4_clear_bits(X86_CR4_VMXE); + } + diff --git a/patches.suse/xfs-verify-buffer-contents-when-we-skip-log-replay.patch b/patches.suse/xfs-verify-buffer-contents-when-we-skip-log-replay.patch new file mode 100644 index 0000000..1f9f818 --- /dev/null +++ b/patches.suse/xfs-verify-buffer-contents-when-we-skip-log-replay.patch @@ -0,0 +1,113 @@ +From 22ed903eee23a5b174e240f1cdfa9acf393a5210 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Wed, 12 Apr 2023 15:49:23 +1000 +Subject: [PATCH] xfs: verify buffer contents when we skip log replay +Git-commit: 22ed903eee23a5b174e240f1cdfa9acf393a5210 +Patch-mainline: v6.4-rc1 +References: bsc#1210498 CVE-2023-2124 + +syzbot detected a crash during log recovery: + +XFS (loop0): Mounting V5 Filesystem bfdc47fc-10d8-4eed-a562-11a831b3f791 +XFS (loop0): Torn write (CRC failure) detected at log block 0x180. Truncating head block from 0x200. +XFS (loop0): Starting recovery (logdev: internal) +================================================================== +Bug: KASAN: slab-out-of-bounds in xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813 +Read of size 8 at addr ffff88807e89f258 by task syz-executor132/5074 + +Cpu: 0 PID: 5074 Comm: syz-executor132 Not tainted 6.2.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:306 + print_report+0x107/0x1f0 mm/kasan/report.c:417 + kasan_report+0xcd/0x100 mm/kasan/report.c:517 + xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813 + xfs_btree_lookup+0x346/0x12c0 fs/xfs/libxfs/xfs_btree.c:1913 + xfs_btree_simple_query_range+0xde/0x6a0 fs/xfs/libxfs/xfs_btree.c:4713 + xfs_btree_query_range+0x2db/0x380 fs/xfs/libxfs/xfs_btree.c:4953 + xfs_refcount_recover_cow_leftovers+0x2d1/0xa60 fs/xfs/libxfs/xfs_refcount.c:1946 + xfs_reflink_recover_cow+0xab/0x1b0 fs/xfs/xfs_reflink.c:930 + xlog_recover_finish+0x824/0x920 fs/xfs/xfs_log_recover.c:3493 + xfs_log_mount_finish+0x1ec/0x3d0 fs/xfs/xfs_log.c:829 + xfs_mountfs+0x146a/0x1ef0 fs/xfs/xfs_mount.c:933 + xfs_fs_fill_super+0xf95/0x11f0 fs/xfs/xfs_super.c:1666 + get_tree_bdev+0x400/0x620 fs/super.c:1282 + vfs_get_tree+0x88/0x270 fs/super.c:1489 + do_new_mount+0x289/0xad0 fs/namespace.c:3145 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7f89fa3f4aca +Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +Rsp: 002b:00007fffd5fb5ef8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +Rax: ffffffffffffffda RBX: 00646975756f6e2c RCX: 00007f89fa3f4aca +Rdx: 0000000020000100 RSI: 0000000020009640 RDI: 00007fffd5fb5f10 +Rbp: 00007fffd5fb5f10 R08: 00007fffd5fb5f50 R09: 000000000000970d +R10: 0000000000200800 R11: 0000000000000206 R12: 0000000000000004 +R13: 0000555556c6b2c0 R14: 0000000000200800 R15: 00007fffd5fb5f50 + + +The fuzzed image contains an AGF with an obviously garbage +agf_refcount_level value of 32, and a dirty log with a buffer log item +for that AGF. The ondisk AGF has a higher LSN than the recovered log +item. xlog_recover_buf_commit_pass2 reads the buffer, compares the +LSNs, and decides to skip replay because the ondisk buffer appears to be +newer. + +Unfortunately, the ondisk buffer is corrupt, but recovery just read the +buffer with no buffer ops specified: + + error = xfs_buf_read(mp->m_ddev_targp, buf_f->blf_blkno, + buf_f->blf_len, buf_flags, &bp, NULL); + +Skipping the buffer leaves its contents in memory unverified. This sets +us up for a kernel crash because xfs_refcount_recover_cow_leftovers +reads the buffer (which is still around in XBF_DONE state, so no read +verification) and creates a refcountbt cursor of height 32. This is +impossible so we run off the end of the cursor object and crash. + +Fix this by invoking the verifier on all skipped buffers and aborting +log recovery if the ondisk buffer is corrupt. It might be smarter to +force replay the log item atop the buffer and then see if it'll pass the +write verifier (like ext4 does) but for now let's go with the +conservative option where we stop immediately. + +Link: https://syzkaller.appspot.com/bug?extid=7e9494b8b399902e994e +Signed-off-by: Darrick J. Wong +Reviewed-by: Dave Chinner +Signed-off-by: Dave Chinner +Acked-by: Anthony Iliopoulos + +--- + fs/xfs/xfs_log_recover.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c +index de6aeb6f5dd4..ee6c71ea4194 100644 +--- a/fs/xfs/xfs_log_recover.c ++++ b/fs/xfs/xfs_log_recover.c +@@ -2786,6 +2786,15 @@ xlog_recover_buffer_pass2( + if (lsn && lsn != -1 && XFS_LSN_CMP(lsn, current_lsn) >= 0) { + trace_xfs_log_recover_buf_skip(log, buf_f); + xlog_recover_validate_buf_type(mp, bp, buf_f, NULLCOMMITLSN); ++ /* ++ * We're skipping replay of this buffer log item due to the log ++ * item LSN being behind the ondisk buffer. Verify the buffer ++ * contents since we aren't going to run the write verifier. ++ */ ++ if (bp->b_ops) { ++ bp->b_ops->verify_read(bp); ++ error = bp->b_error; ++ } + goto out_release; + } + +-- +2.35.3 + diff --git a/patches.suse/xhci-also-avoid-the-XHCI_ZERO_64B_REGS-quirk-with-a-.patch b/patches.suse/xhci-also-avoid-the-XHCI_ZERO_64B_REGS-quirk-with-a-.patch new file mode 100644 index 0000000..cc14fb7 --- /dev/null +++ b/patches.suse/xhci-also-avoid-the-XHCI_ZERO_64B_REGS-quirk-with-a-.patch @@ -0,0 +1,57 @@ +From ecaa4902439298f6b0e29f47424a86b310a9ff4f Mon Sep 17 00:00:00 2001 +From: D Scott Phillips +Date: Thu, 30 Mar 2023 17:30:54 +0300 +Subject: [PATCH] xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a + passthrough iommu +Git-commit: ecaa4902439298f6b0e29f47424a86b310a9ff4f +References: git-fixes +Patch-mainline: v6.3-rc6 + +Previously the quirk was skipped when no iommu was present. The same +rationale for skipping the quirk also applies in the iommu.passthrough=1 +case. + +Skip applying the XHCI_ZERO_64B_REGS quirk if the device's iommu domain is +passthrough. + +Fixes: 12de0a35c996 ("xhci: Add quirk to zero 64bit registers on Renesas PCIe controllers") +Cc: stable +Signed-off-by: D Scott Phillips +Acked-by: Marc Zyngier +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20230330143056.1390020-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/xhci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -21,6 +21,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -237,6 +238,7 @@ int xhci_reset(struct xhci_hcd *xhci) + static void xhci_zero_64b_regs(struct xhci_hcd *xhci) + { + struct device *dev = xhci_to_hcd(xhci)->self.sysdev; ++ struct iommu_domain *domain; + int err, i; + u64 val; + +@@ -254,7 +256,9 @@ static void xhci_zero_64b_regs(struct xh + * an iommu. Doing anything when there is no iommu is definitely + * unsafe... + */ +- if (!(xhci->quirks & XHCI_ZERO_64B_REGS) || !dev->iommu_group) ++ domain = iommu_get_domain_for_dev(dev); ++ if (!(xhci->quirks & XHCI_ZERO_64B_REGS) || !dev->iommu_group || ++ domain->type == IOMMU_DOMAIN_IDENTITY) + return; + + xhci_info(xhci, "Zeroing 64bit base registers, expecting fault\n"); diff --git a/patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch b/patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch new file mode 100644 index 0000000..625324f --- /dev/null +++ b/patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch @@ -0,0 +1,51 @@ +From: Zheng Wang +Date: Fri, 17 Mar 2023 00:15:26 +0800 +Subject: xirc2ps_cs: Fix use after free bug in xirc2ps_detach +Patch-mainline: v6.3-rc4 +Git-commit: e8d20c3ded59a092532513c9bd030d1ea66f5f44 +References: bsc#1209871 CVE-2023-1670 + +In xirc2ps_probe, the local->tx_timeout_task was bounded +with xirc2ps_tx_timeout_task. When timeout occurs, +it will call xirc_tx_timeout->schedule_work to start the +work. + +When we call xirc2ps_detach to remove the driver, there +may be a sequence as follows: + +Stop responding to timeout tasks and complete scheduled +tasks before cleanup in xirc2ps_detach, which will fix +the problem. + +CPU0 CPU1 + + |xirc2ps_tx_timeout_task +xirc2ps_detach | + free_netdev | + kfree(dev); | + | + | do_reset + | //use dev + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Zheng Wang +Signed-off-by: David S. Miller +Acked-by: Lee, Chun-Yi +--- + drivers/net/ethernet/xircom/xirc2ps_cs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -503,6 +503,11 @@ static void + xirc2ps_detach(struct pcmcia_device *link) + { + struct net_device *dev = link->priv; ++ struct local_info *local = netdev_priv(dev); ++ ++ netif_carrier_off(dev); ++ netif_tx_disable(dev); ++ cancel_work_sync(&local->tx_timeout_task); + + dev_dbg(&link->dev, "detach\n"); + diff --git a/series.conf b/series.conf index 2b48637..51df473 100644 --- a/series.conf +++ b/series.conf @@ -19519,6 +19519,7 @@ patches.suse/mlxsw-spectrum_router-Don-t-log-an-error-on-missing-.patch patches.suse/net-sched-em_nbyte-don-t-add-the-data-offset-twice.patch patches.suse/net-sched-fix-TCF_LAYER_LINK-case-in-tcf_get_base_pt.patch + patches.suse/kcm-Only-allow-TCP-sockets-to-be-attached-to-a-KCM-m.patch patches.suse/qed-Remove-reserveration-of-dpi-for-kernel.patch patches.suse/qed-Free-reserved-MR-tid.patch patches.suse/i40e-flower-check-if-TC-offload-is-enabled-on-a-netd.patch @@ -59087,6 +59088,7 @@ patches.suse/x86-mm-ident_map-check-for-errors-from-ident_pud_init.patch patches.suse/s390-cio-fix-use-after-free-in-ccw_device_destroy_console patches.suse/s390-smp-perform-initial-cpu-reset-also-for-smt-siblings + patches.suse/x86-kprobes-restore-btf-if-the-single-stepping-is-cancelled.patch patches.suse/x86-apic-Fix-x2apic-enablement-without-interrupt-rem.patch patches.suse/x86-msi-Only-use-high-bits-of-MSI-address-for-DMAR-u.patch patches.suse/x86-ioapic-Handle-Extended-Destination-ID-field-in-R.patch @@ -59734,7 +59736,9 @@ patches.suse/arm64-Extend-workaround-for-erratum-1024718-to-all-versions-of-Cortex-A55.patch patches.suse/msft-hv-2226-Drivers-hv-vmbus-Avoid-use-after-free-in-vmbus_onoff.patch patches.suse/kvm-do-not-assume-pte-is-writable-after-follow_pfn.patch + patches.suse/x86-virt-eat-faults-on-vmxoff-in-reboot-flows.patch patches.suse/x86-reboot-force-all-cpus-to-exit-vmx-root-if-vmx-is-supported.patch + patches.suse/x86-virt-mark-flags-and-memory-as-clobbered-by-vmxoff.patch patches.suse/kvm-use-kvm_pfn_t-for-local-pfn-variable-in-hva_to_p.patch patches.suse/media-v4l-ioctl-Fix-memory-leak-in-video_usercopy.patch patches.suse/media-vsp1-Fix-an-error-handling-path-in-the-probe-f.patch @@ -60285,6 +60289,7 @@ patches.suse/0010-overflow-Correct-check_shl_overflow-comment.patch patches.suse/do_cifs_create-don-t-set-i_mode-of-something-we-had-not-created.patch patches.suse/cifs-have-mkdir-handle-race-with-another-client-sanely.patch + patches.suse/x86-kprobes-fix-to-check-non-boostable-prefixes-correctly.patch patches.suse/s390-disassembler-increase-ebpf-disasm-buffer-size patches.suse/media-ite-cir-check-for-receive-overflow.patch patches.suse/media-omap4iss-return-error-code-when-omap4iss_get-f.patch @@ -61231,6 +61236,7 @@ patches.suse/USB-serial-cp210x-add-ID-for-CEL-EM3588-USB-ZigBee-s.patch patches.suse/tracing-Fix-bug-in-rb_per_cpu_empty-that-might-cause.patch patches.suse/ceph-don-t-warn-if-we-re-still-opening-a-session-to-an-mds.patch + patches.suse/nvme-pci-don-t-WARN_ON-in-nvme_reset_work-if-ctrl.st.patch patches.suse/scsi-iscsi-Fix-iface-sysfs-attr-detection patches.suse/cifs-only-write-64kb-at-a-time-when-fallocating-a-small-region-of-a.patch patches.suse/cifs-support-share-failover-when-remounting.patch @@ -61285,6 +61291,7 @@ patches.suse/RDMA-rxe-Use-the-correct-size-of-wqe-when-processing.patch patches.suse/RDMA-rxe-Restore-setting-tot_len-in-the-IPv4-header.patch patches.suse/spi-mediatek-Fix-fifo-transfer.patch + patches.suse/x86-tools-relocs-fix-non-posix-regexp.patch patches.suse/0011-md-raid10-properly-indicate-failure-when-ending-a-fa.patch patches.suse/USB-usbtmc-Fix-RCU-stall-warning.patch patches.suse/USB-serial-ch341-fix-character-loss-at-high-transfer.patch @@ -61310,6 +61317,7 @@ patches.suse/iio-adc-Fix-incorrect-exit-of-for-loop.patch patches.suse/ACPI-NFIT-Fix-support-for-virtual-SPA-ranges.patch patches.suse/scsi-lpfc-Move-initialization-of-phba-poll_list-earl.patch + patches.suse/x86-tools-fix-objdump-version-check-again.patch patches.suse/x86-resctrl-fix-default-monitoring-groups-reporting.patch patches.suse/PCI-MSI-Enable-and-mask-MSI-X-early.patch patches.suse/PCI-MSI-Mask-all-unused-MSI-X-entries.patch @@ -61796,6 +61804,7 @@ patches.suse/ibmvnic-Process-crqs-after-enabling-interrupts.patch patches.suse/ibmvnic-delay-complete.patch patches.suse/Revert-x86-kvm-fix-vcpu-id-indexed-array-sizes.patch + patches.suse/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch patches.suse/s390-gmap-validate-VMA-in-__gmap_zap patches.suse/s390-gmap-don-t-unconditionally-call-pte_unmap_unlock-in-__gmap_zap patches.suse/s390-mm-validate-VMA-in-PGSTE-manipulation-functions @@ -62038,6 +62047,7 @@ patches.suse/cgroup-Allocate-cgroup_file_ctx-for-kernfs_open_file-priv.patch patches.suse/cgroup-Use-open-time-cgroup-namespace-for-process-migration-perm-checks.patch patches.suse/arm64-clear_page-shouldn-t-use-DC-ZVA-when-DCZID_EL0.DZP-1.patch + patches.suse/x86-mce-inject-avoid-out-of-bounds-write-when-setting-flags.patch patches.suse/random-fix-data-race-on-crng_node_pool.patch patches.suse/random-fix-crash-on-multiple-early-calls-to-add_bootloader_randomness.patch patches.suse/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch @@ -62185,6 +62195,7 @@ patches.suse/USB-core-Fix-hang-in-usb_kill_urb-by-adding-memory-b.patch patches.suse/ucsi_ccg-Check-DEV_INT-bit-only-when-starting-CCG4.patch patches.suse/usb-common-ulpi-Fix-crash-in-ulpi_match.patch + patches.suse/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch patches.suse/nfsd-nfsd4_setclientid_confirm-mistakenly-expires-co.patch patches.suse/cgroup-v1-Require-capabilities-to-set-release_agent.patch patches.suse/Revert-module-async-async_synchronize_full-on-module.patch @@ -62530,6 +62541,7 @@ patches.suse/SUNRPC-Ensure-gss-proxy-connects-on-setup.patch patches.suse/Revert-SUNRPC-attempt-AF_LOCAL-connect-on-setup.patch patches.suse/floppy-use-a-statically-allocated-error-counter.patch + patches.suse/x86-fpu-prevent-fpu-state-corruption.patch patches.suse/writeback-Avoid-skipping-inode-writeback-846a3351ddfe.patch patches.suse/cgroup-cpuset-Remove-cpus_allowed-mems_allowed-setup-in-cpuset_init_smp.patch patches.suse/s390-ctcm-fix-variable-dereferenced-before-check @@ -63161,6 +63173,7 @@ patches.suse/ipv6-raw-Deduct-extension-header-length-in-rawv6_pus.patch patches.suse/arm64-cmpxchg_double-hazard-against-entire-exchange-variable.patch patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch + patches.suse/x86-boot-avoid-using-intel-mnemonics-in-at-t-syntax-asm.patch patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch patches.suse/HID-betop-check-shape-of-output-reports.patch patches.suse/net-usb-sr9700-Handle-negative-len.patch @@ -63182,6 +63195,7 @@ patches.suse/block-bio-integrity-Copy-flags-when-bio_integrity_pa.patch patches.suse/powercap-fix-possible-name-leak-in-powercap_register.patch patches.suse/arm64-cpufeature-Fix-field-sign-for-DIT-hwcap-detection.patch + patches.suse/crypto-x86-ghash-fix-unaligned-access-in-ghash_setkey.patch patches.suse/net-add-sock_init_data_uid.patch patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch @@ -63236,17 +63250,23 @@ patches.suse/scsi-qla2xxx-Perform-lockless-command-completion-in-.patch patches.suse/scsi-qla2xxx-Synchronize-the-IOCB-count-to-be-in-ord.patch patches.suse/net-usb-smsc95xx-Limit-packet-length-to-skb-len.patch + patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch patches.suse/net-usb-lan78xx-Limit-packet-length-to-skb-len.patch patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch + patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch patches.suse/s390-vfio-ap-fix-memory-leak-in-vfio_ap-device-drive.patch patches.suse/NFSv4-Fix-hangs-when-recovering-open-state-after-a-s.patch patches.suse/ring-buffer-Fix-race-while-reader-and-writer-are-on-the-same-page.patch patches.suse/ftrace-Mark-get_lock_parent_ip-__always_inline.patch patches.suse/scsi-qla2xxx-Fix-memory-leak-in-qla2x00_probe_one.patch + patches.suse/xhci-also-avoid-the-XHCI_ZERO_64B_REGS-quirk-with-a-.patch patches.suse/cgroup-cpuset-Wake-up-cpuset_attach_wq-tasks-in-cpuset_cancel_attach.patch patches.suse/cifs-fix-negotiate-context-parsing.patch patches.suse/powerpc-papr_scm-Update-the-NUMA-distance-table-for-.patch + patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch + patches.suse/ipmi-fix-SSIF-not-responding-under-certain-cond.patch + patches.suse/xfs-verify-buffer-contents-when-we-skip-log-replay.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -64294,6 +64314,8 @@ patches.kabi/PCI-endpoint-Fix-for-concurrent-memory-allocation-in.patch patches.kabi/intel_pmc_ipc-restore-ability-to-call-functions-with.patch patches.kabi/struct-wmi_svc_avail_ev_arg-new-member-to-end.patch + patches.kabi/struct-ci_hdrc-hide-new-member-at-end.patch + patches.kabi/xhci-hide-include-of-iommu.h.patch ######################################################## # You'd better have a good reason for adding a patch