diff --git a/blacklist.conf b/blacklist.conf
index 99e9a1d..3b81587 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1633,3 +1633,9 @@ d7c93a903f33ff35aa0e6b5a8032eb9755b00826 # would need e492ce9bcaa1c9661cd3dd6cff
 81fb55e500a82a070da20f02b2e252d6a09a34c3 # rejected for complexity: drm/vc4: hdmi: Add a spinlock to protect register access
 82cb88af12d29eaa5350d9ba83f9c376f65b7fec # rejected for complexity: drm/vc4: hdmi: Use a mutex to prevent concurrent framework access
 633be8c3c0c5e0cf176ce904083a4728ae8e4025 # rejected for complexity: drm/vc4: hdmi: Prevent access to crtc->state outside of KMS
+97884ca8c2925d14c32188e865069f21378b4b4f # Requires back-porting a lot of changes in a whole VDSO subsystem.
+57569c37f0add1b6489e1a1563c71519daf732cf # requires infrastructure not present
+4534dee941056a4ab9dca4a9e2edff28692800b2 # unimportant, scsi/appid must be set by privileged user anyway
+f95b2c45d5f785f069d186b11b798f9c1d37dcda # no functional change
+5d3516b3647621d5a1180672ea9e0817fb718ada # build fix that does not matter on a released kernel
+2e3df523256cb9836de8441e9c791a796759bb3c # needed only by 1366992e16bddd5e2d9a561687f367f9f802e2e4
diff --git a/patches.kabi/fix-kABI-after-KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged b/patches.kabi/fix-kABI-after-KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged
new file mode 100644
index 0000000..6d624b0
--- /dev/null
+++ b/patches.kabi/fix-kABI-after-KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged
@@ -0,0 +1,49 @@
+From: Dario Faggioli
+Date: Thu Oct 13 18:19:43 2022
+Subject: kABI: fix kABI after "KVM: Add infrastructure and macro to mark VM as bugged"
+Patch-mainline: never, SUSE kABI
+References: bsc#1200788 CVE-2022-2153
+
+Patch "KVM: Add infrastructure and macro to mark VM as bugged"
+breaks kABI. The kvm struct has several holes, e.g.:
+
+ /* --- cacheline 1355 boundary (86720 bytes) was 32 bytes ago --- */
+ long unsigned int mmu_notifier_seq; /* 86752 8 */
+ long int mmu_notifier_count; /* 86760 8 */
+ long int tlbs_dirty; /* 86768 8 */
+ struct list_head devices; /* 86776 16 */
+ /* --- cacheline 1356 boundary (86784 bytes) was 8 bytes ago --- */
+ bool manual_dirty_log_protect; /* 86792 1 */
+
+ /* XXX 7 bytes hole, try to pack */
+
+ struct dentry * debugfs_dentry; /* 86800 8 */
+ struct kvm_stat_data * * debugfs_stat_data; /* 86808 8 */
+ struct srcu_struct srcu; /* 86816 50336 */
+ /* --- cacheline 2143 boundary (137152 bytes) --- */
+
+Move the new member there as a workaround.
+
+Signed-off-by: Dario Faggioli
+---
+ include/linux/kvm_host.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -500,12 +500,14 @@
+ long tlbs_dirty;
+ struct list_head devices;
+ bool manual_dirty_log_protect;
++#ifndef __GENKSYMS__
++ bool vm_bugged;
++#endif
+ struct dentry *debugfs_dentry;
+ struct kvm_stat_data **debugfs_stat_data;
+ struct srcu_struct srcu;
+ struct srcu_struct irq_srcu;
+ pid_t userspace_pid;
+- bool vm_bugged;
+ };
+
+ #define kvm_err(fmt, ...) \
diff --git a/patches.kabi/kABI-arm64-crypto-sha512-Preserve-function-signature.patch b/patches.kabi/kABI-arm64-crypto-sha512-Preserve-function-signature.patch
new file mode 100644
index 0000000..296a867
--- /dev/null
+++ b/patches.kabi/kABI-arm64-crypto-sha512-Preserve-function-signature.patch
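Review bot: Nothing in `struct kvm` itself records why `vm_bugged` now sits mid-struct behind `#ifndef __GENKSYMS__`; the justification (the 7-byte hole after `manual_dirty_log_protect`) exists only in the patch description. Because the guard removes the member from the symbol checksums, a later backport that adds another field at this spot or moves this one would change offsets without any kABI check noticing. I would add a comment directly above the guard, e.g. `/* kABI: vm_bugged fills the 7-byte hole after manual_dirty_log_protect; do not move or widen */`. The pahole excerpt covers a single build, so the hole presumably still needs confirming for every shipped architecture and config.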
@@ -0,0 +1,42 @@
+From: "Ivan T. Ivanov"
+Date: Mon, 24 Oct 2022 21:35:12 +0300
+Subject: kABI: arm64/crypto/sha512 Preserve function signature
+Patch-mainline: Never, kABI workaround
+References: git-fixes
+
+Assembler function implementation has not been changed.
+Caller of the function passes u64 aligned pointer anyway.
+Roll-back old function prototype declaration to avoid
+kABI breakage after patch [1].
+
+[1] 6320a15e98301 ("crypto: arm64/sha - fix function types")
+
+Signed-off-by: Ivan T. Ivanov
+---
+ arch/arm64/crypto/sha512-glue.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/crypto/sha512-glue.c b/arch/arm64/crypto/sha512-glue.c
+index 2acff1c7df5d..2441d5f977bd 100644
+--- a/arch/arm64/crypto/sha512-glue.c
++++ b/arch/arm64/crypto/sha512-glue.c
+@@ -19,14 +19,14 @@ MODULE_LICENSE("GPL v2");
+ MODULE_ALIAS_CRYPTO("sha384");
+ MODULE_ALIAS_CRYPTO("sha512");
+
+-asmlinkage void sha512_block_data_order(u64 *digest, const void *data,
++asmlinkage void sha512_block_data_order(u32 *digest, const void *data,
+ unsigned int num_blks);
+ EXPORT_SYMBOL(sha512_block_data_order);
+
+ static void __sha512_block_data_order(struct sha512_state *sst, u8 const *src,
+ int blocks)
+ {
+- sha512_block_data_order(sst->state, src, blocks);
++ sha512_block_data_order((u32 *) sst->state, src, blocks);
+ }
+
+ static int sha512_update(struct shash_desc *desc, const u8 *data,
+--
+2.35.3
+
diff --git a/patches.suse/0001-KVM-x86-do-not-report-a-vCPU-as-preempted-outside-in.patch b/patches.suse/0001-KVM-x86-do-not-report-a-vCPU-as-preempted-outside-in.patch
new file mode 100644
index 0000000..4fda5d6
--- /dev/null
+++ b/patches.suse/0001-KVM-x86-do-not-report-a-vCPU-as-preempted-outside-in.patch
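Review bot: The restored `u32 *digest` prototype and the `(u32 *)` cast at the call in `__sha512_block_data_order()` deliberately disagree with the `u64` state that is actually passed, and nothing in the source file says so. A reader, or a later backport of the upstream type fix, will see an apparent type error and may "correct" it, which would change the exported symbol's checksum again. I would add a comment above the declaration, e.g. `/* kABI: prototype kept as u32 * on purpose; the asm routine treats digest as the u64 state array */`. The description's statement that the caller passes a u64-aligned pointer covers only the in-tree caller visible here, while the symbol stays exported.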
@@ -0,0 +1,131 @@
+From: Vasant Karasulli
+Date: Fri, 21 Oct 2022 18:37:02 +0200
+Subject: [PATCH] KVM: x86: do not report a vCPU as preempted outside
+ instruction boundaries
+Git-commit: 6cd88243c7e03845a450795e134b488fc2afb736
+Patch-mainline: v5.19-rc2
+References: bsc#1203066 CVE-2022-39189
+
+If a vCPU is outside guest mode and is scheduled out, it might be in the
+process of making a memory access. A problem occurs if another vCPU uses
+the PV TLB flush feature during the period when the vCPU is scheduled
+out, and a virtual address has already been translated but has not yet
+been accessed, because this is equivalent to using a stale TLB entry.
+
+To avoid this, only report a vCPU as preempted if sure that the guest
+is at an instruction boundary. A rescheduling request will be delivered
+to the host physical CPU as an external interrupt, so for simplicity
+consider any vmexit *not* instruction boundary except for external
+interrupts.
+
+It would in principle be okay to report the vCPU as preempted also
+if it is sleeping in kvm_vcpu_block(): a TLB flush IPI will incur the
+vmentry/vmexit overhead unnecessarily, and optimistic spinning is
+also unlikely to succeed. However, leave it for later because right
+now kvm_vcpu_check_block() is doing memory accesses. Even
+though the TLB flush issue only applies to virtual memory address,
+it's very much preferrable to be conservative.
+
+Reported-by: Jann Horn
+Signed-off-by: Paolo Bonzini
+Acked-by: Vasant Karasulli
+---
+ arch/x86/include/asm/kvm_host.h | 8 ++++++++
+ arch/x86/kvm/svm.c | 3 ++-
+ arch/x86/kvm/vmx/vmx.c | 1 +
+ arch/x86/kvm/x86.c | 20 ++++++++++++++++++++
+ 4 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 8c15f6e22..924dc1218 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -794,6 +794,10 @@ struct kvm_vcpu_arch {
+
+ /* AMD MSRC001_0015 Hardware Configuration */
+ u64 msr_hwcr;
++
++#ifndef __GENKSYMS__
++ bool at_instruction_boundary;
++#endif
+ };
+
+ struct kvm_lpage_info {
+@@ -992,6 +996,10 @@ struct kvm_vcpu_stat {
+ u64 irq_injections;
+ u64 nmi_injections;
+ u64 req_event;
++#ifndef __GENKSYMS__
++ u64 preemption_reported;
++ u64 preemption_other;
++#endif
+ };
+
+ struct x86_instruction_info;
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 3e23938a0..757630c23 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -6272,7 +6272,8 @@ static int svm_check_intercept(struct kvm_vcpu *vcpu,
+
+ static void svm_handle_exit_irqoff(struct kvm_vcpu *vcpu)
+ {
+-
++ if (to_svm(vcpu)->vmcb->control.exit_code == SVM_EXIT_INTR)
++ vcpu->arch.at_instruction_boundary = true;
+ }
+
+ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu)
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index c9d95b67f..2fdb0c10b 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -6407,6 +6407,7 @@ static void handle_external_interrupt_irqoff(struct kvm_vcpu *vcpu)
+ );
+
+ kvm_after_interrupt(vcpu);
++ vcpu->arch.at_instruction_boundary = true;
+ }
+ STACK_FRAME_NON_STANDARD(handle_external_interrupt_irqoff);
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 1613f7695..8843a298d 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3461,6 +3461,19 @@ static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu)
+ struct kvm_host_map map;
+ struct kvm_steal_time *st;
+
++ /*
++ * The vCPU can be marked preempted if and only if the VM-Exit was on
++ * an instruction boundary and will not trigger guest emulation of any
++ * kind (see vcpu_run). Vendor specific code controls (conservatively)
++ * when this is true, for example allowing the vCPU to be marked
++ * preempted if and only if the VM-Exit was due to a host interrupt.
++ */
++ if (!vcpu->arch.at_instruction_boundary) {
++ vcpu->stat.preemption_other++;
++ return;
++ }
++
++ vcpu->stat.preemption_reported++;
+ if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
+ return;
+
+@@ -8285,6 +8298,13 @@ static int vcpu_run(struct kvm_vcpu *vcpu)
+ vcpu->arch.l1tf_flush_l1d = true;
+
+ for (;;) {
++ /*
++ * If another guest vCPU requests a PV TLB flush in the middle
++ * of instruction emulation, the rest of the emulation could
++ * use a stale page translation. Assume that any code after
++ * this point can start executing an instruction.
++ */
++ vcpu->arch.at_instruction_boundary = false;
+ if (kvm_vcpu_running(vcpu)) {
+ r = vcpu_enter_guest(vcpu);
+ } else {
+--
+2.34.1
+
diff --git a/patches.suse/ACPI-extlog-Handle-multiple-records.patch b/patches.suse/ACPI-extlog-Handle-multiple-records.patch
new file mode 100644
index 0000000..4f93269
--- /dev/null
+++ b/patches.suse/ACPI-extlog-Handle-multiple-records.patch
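Review bot: The `#ifndef __GENKSYMS__` guards in `struct kvm_vcpu_arch` and `struct kvm_vcpu_stat` hide the new members from the symbol checksums, but both sets are appended straight after a `u64` member (`msr_hwcr`, `req_event`), where no padding is visible to absorb them, so both structs appear to grow. If either struct is embedded in the middle of a larger structure (not visible in these hunks), every member behind it shifts for modules built against the old headers while the checksums still match. The patch header should state why that is acceptable here, or the fields should be placed in an existing hole as the `vm_bugged` kABI patch on this page does. Separately, `preemption_reported` and `preemption_other` are incremented in `kvm_steal_time_set_preempted()` but no hunk exports them, so the counters look write-only in this backport; a comment such as `/* not exported via debugfs in this backport */` would avoid confusion.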
@@ -0,0 +1,93 @@
+From f6ec01da40e4139b41179f046044ee7c4f6370dc Mon Sep 17 00:00:00 2001
+From: Tony Luck
+Date: Mon, 10 Oct 2022 13:34:23 -0700
+Subject: [PATCH] ACPI: extlog: Handle multiple records
+Git-commit: f6ec01da40e4139b41179f046044ee7c4f6370dc
+Patch-mainline: v6.1-rc2
+References: git-fixes
+
+If there is no user space consumer of extlog_mem trace records, then
+Linux properly handles multiple error records in an ELOG block
+
+ extlog_print()
+ print_extlog_rcd()
+ __print_extlog_rcd()
+ cper_estatus_print()
+ apei_estatus_for_each_section()
+
+But the other code path hard codes looking for a single record to
+output a trace record.
+
+Fix by using the same apei_estatus_for_each_section() iterator
+to step over all records.
+
+Fixes: 2dfb7d51a61d ("trace, RAS: Add eMCA trace event interface")
+Signed-off-by: Tony Luck
+Signed-off-by: Rafael J. Wysocki
+Acked-by: Takashi Iwai
+
+---
+ drivers/acpi/acpi_extlog.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/acpi/acpi_extlog.c b/drivers/acpi/acpi_extlog.c
+index 72f1fb77abcd..e648158368a7 100644
+--- a/drivers/acpi/acpi_extlog.c
++++ b/drivers/acpi/acpi_extlog.c
+@@ -12,6 +12,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -138,8 +139,8 @@ static int extlog_print(struct notifier_block *nb, unsigned long val,
+ int cpu = mce->extcpu;
+ struct acpi_hest_generic_status *estatus, *tmp;
+ struct acpi_hest_generic_data *gdata;
+- const guid_t *fru_id = &guid_null;
+- char *fru_text = "";
++ const guid_t *fru_id;
++ char *fru_text;
+ guid_t *sec_type;
+ static u32 err_seq;
+
+@@ -160,17 +161,23 @@ static int extlog_print(struct notifier_block *nb, unsigned long val,
+
+ /* log event via trace */
+ err_seq++;
+- gdata = (struct acpi_hest_generic_data *)(tmp + 1);
+- if (gdata->validation_bits & CPER_SEC_VALID_FRU_ID)
+- fru_id = (guid_t *)gdata->fru_id;
+- if (gdata->validation_bits & CPER_SEC_VALID_FRU_TEXT)
+- fru_text = gdata->fru_text;
+- sec_type = (guid_t *)gdata->section_type;
+- if (guid_equal(sec_type, &CPER_SEC_PLATFORM_MEM)) {
+- struct cper_sec_mem_err *mem = (void *)(gdata + 1);
+- if (gdata->error_data_length >= sizeof(*mem))
+- trace_extlog_mem_event(mem, err_seq, fru_id, fru_text,
+- (u8)gdata->error_severity);
++ apei_estatus_for_each_section(tmp, gdata) {
++ if (gdata->validation_bits & CPER_SEC_VALID_FRU_ID)
++ fru_id = (guid_t *)gdata->fru_id;
++ else
++ fru_id = &guid_null;
++ if (gdata->validation_bits & CPER_SEC_VALID_FRU_TEXT)
++ fru_text = gdata->fru_text;
++ else
++ fru_text = "";
++ sec_type = (guid_t *)gdata->section_type;
++ if (guid_equal(sec_type, &CPER_SEC_PLATFORM_MEM)) {
++ struct cper_sec_mem_err *mem = (void *)(gdata + 1);
++
++ if (gdata->error_data_length >= sizeof(*mem))
++ trace_extlog_mem_event(mem, err_seq, fru_id, fru_text,
++ (u8)gdata->error_severity);
++ }
+ }
+
+ out:
+--
+2.35.3
+
diff --git a/patches.suse/ACPI-video-Add-Toshiba-Satellite-Portege-Z830-quirk.patch b/patches.suse/ACPI-video-Add-Toshiba-Satellite-Portege-Z830-quirk.patch
new file mode 100644
index 0000000..dd41bc9
--- /dev/null
+++ b/patches.suse/ACPI-video-Add-Toshiba-Satellite-Portege-Z830-quirk.patch
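Review bot: The new `apei_estatus_for_each_section(tmp, gdata)` loop walks as many sections as the firmware-supplied lengths in the record claim, and the only length check visible in the hunk is `gdata->error_data_length >= sizeof(*mem)` on each payload. Whether the block's declared length was ever compared with the size of the buffer `tmp` points into is decided outside this hunk; if it was not, a malformed record would presumably make the loop read past that buffer. I would add a guard before the loop that `sizeof(*tmp) + tmp->data_length` fits the buffer and skip tracing otherwise. Every section of one block now also shares a single `err_seq` value, which deserves a one-line comment if that is intended. `extlog_print()` begins and ends outside the hunk.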
@@ -0,0 +1,59 @@
+From 574160b8548deff8b80b174f03201e94ab8431e2 Mon Sep 17 00:00:00 2001
+From: Arvid Norlander
+Date: Wed, 24 Aug 2022 20:49:50 +0200
+Subject: [PATCH] ACPI: video: Add Toshiba Satellite/Portege Z830 quirk
+Git-commit: 574160b8548deff8b80b174f03201e94ab8431e2
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+Toshiba Satellite Z830 needs the quirk video_disable_backlight_sysfs_if
+for proper backlight control after suspend/resume cycles.
+
+Toshiba Portege Z830 is simply the same laptop rebranded for certain
+markets (I looked through the manual to other language sections to confirm
+this) and thus also needs this quirk.
+
+Thanks to Hans de Goede for suggesting this fix.
+
+Link: https://www.spinics.net/lists/platform-driver-x86/msg34394.html
+Suggested-by: Hans de Goede
+Signed-off-by: Arvid Norlander
+Reviewed-by: Hans de Goede
+Tested-by: Arvid Norlander
+Signed-off-by: Rafael J. Wysocki
+Acked-by: Takashi Iwai
+
+---
+ drivers/acpi/acpi_video.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
+index 5cbe2196176d..2a4990733cf0 100644
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -496,6 +496,22 @@ static const struct dmi_system_id video_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE R830"),
+ },
+ },
++ {
++ .callback = video_disable_backlight_sysfs_if,
++ .ident = "Toshiba Satellite Z830",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE Z830"),
++ },
++ },
++ {
++ .callback = video_disable_backlight_sysfs_if,
++ .ident = "Toshiba Portege Z830",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE Z830"),
++ },
++ },
+ /*
+ * Some machine's _DOD IDs don't have bit 31(Device ID Scheme) set
+ * but the IDs actually follow the Device ID Scheme.
+--
+2.35.3
+
diff --git a/patches.suse/ALSA-Use-del_timer_sync-before-freeing-timer.patch b/patches.suse/ALSA-Use-del_timer_sync-before-freeing-timer.patch
new file mode 100644
index 0000000..0d688a5
--- /dev/null
+++ b/patches.suse/ALSA-Use-del_timer_sync-before-freeing-timer.patch
@@ -0,0 +1,68 @@
+From f0a868788fcbf63cdab51f5adcf73b271ede8164 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)"
+Date: Wed, 26 Oct 2022 23:12:36 -0400
+Subject: [PATCH] ALSA: Use del_timer_sync() before freeing timer
+Git-commit: f0a868788fcbf63cdab51f5adcf73b271ede8164
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+The current code for freeing the emux timer is extremely dangerous:
+
+ CPU0 CPU1
+ ---- ----
+snd_emux_timer_callback()
+ snd_emux_free()
+ spin_lock(&emu->voice_lock)
+ del_timer(&emu->tlist); <-- returns immediately
+ spin_unlock(&emu->voice_lock);
+ [..]
+ kfree(emu);
+
+ spin_lock(&emu->voice_lock);
+
+ [BOOM!]
+
+Instead just use del_timer_sync() which will wait for the timer to finish
+before continuing. No need to check if the timer is active or not when
+doing so.
+
+This doesn't fix the race of a possible re-arming of the timer, but at
+least it won't use the data that has just been freed.
+
+[ Fixed unused variable warning by tiwai ]
+
+Cc: stable@vger.kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Steven Rostedt (Google)
+Reviewed-by: Guenter Roeck
+Link: https://lore.kernel.org/r/20221026231236.6834b551@gandalf.local.home
+Signed-off-by: Takashi Iwai
+
+---
+ sound/synth/emux/emux.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/sound/synth/emux/emux.c b/sound/synth/emux/emux.c
+index 5ed8e36d2e04..a870759d179e 100644
+--- a/sound/synth/emux/emux.c
++++ b/sound/synth/emux/emux.c
+@@ -126,15 +126,10 @@ EXPORT_SYMBOL(snd_emux_register);
+ */
+ int snd_emux_free(struct snd_emux *emu)
+ {
+- unsigned long flags;
+-
+ if (! emu)
+ return -EINVAL;
+
+- spin_lock_irqsave(&emu->voice_lock, flags);
+- if (emu->timer_active)
+- del_timer(&emu->tlist);
+- spin_unlock_irqrestore(&emu->voice_lock, flags);
++ del_timer_sync(&emu->tlist);
+
+ snd_emux_proc_free(emu);
+ snd_emux_delete_virmidi(emu);
+--
+2.35.3
+
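Review bot: `snd_emux_free()` now blocks in `del_timer_sync()` until a running `snd_emux_timer_callback()` has returned, and that callback takes `emu->voice_lock` (per the trace in the description), so the function must never be entered with `voice_lock` held or from the timer path itself. The header comment above the function does not state this new calling constraint. I would add `/* waits for the emux timer callback; call without emu->voice_lock held */` above the `del_timer_sync()` line. `emu->timer_active` is no longer read or cleared here, which is harmless only as long as `emu` is released later in this function, outside the hunk.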
diff --git a/patches.suse/ALSA-ac97-fix-possible-memory-leak-in-snd_ac97_dev_r.patch b/patches.suse/ALSA-ac97-fix-possible-memory-leak-in-snd_ac97_dev_r.patch
new file mode 100644
index 0000000..ab5abf4
--- /dev/null
+++ b/patches.suse/ALSA-ac97-fix-possible-memory-leak-in-snd_ac97_dev_r.patch
@@ -0,0 +1,31 @@
+From 4881bda5ea05c8c240fc8afeaa928e2bc43f61fa Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Wed, 19 Oct 2022 17:30:25 +0800
+Subject: [PATCH] ALSA: ac97: fix possible memory leak in snd_ac97_dev_register()
+Git-commit: 4881bda5ea05c8c240fc8afeaa928e2bc43f61fa
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+If device_register() fails in snd_ac97_dev_register(), it should
+call put_device() to give up reference, or the name allocated in
+dev_set_name() is leaked.
+
+Fixes: 0ca06a00e206 ("[ALSA] AC97 bus interface for ad-hoc drivers")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20221019093025.1179475-1-yangyingliang@huawei.com
+Signed-off-by: Takashi Iwai
+
+---
+ sound/pci/ac97/ac97_codec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/ac97/ac97_codec.c
++++ b/sound/pci/ac97/ac97_codec.c
+@@ -1946,6 +1946,7 @@ static int snd_ac97_dev_register(struct
+ snd_ac97_get_short_name(ac97));
+ if ((err = device_register(&ac97->dev)) < 0) {
+ ac97_err(ac97, "Can't register ac97 bus\n");
++ put_device(&ac97->dev);
+ ac97->dev.bus = NULL;
+ return err;
+ }
diff --git a/patches.suse/ALSA-aoa-Fix-I2S-device-accounting.patch b/patches.suse/ALSA-aoa-Fix-I2S-device-accounting.patch
new file mode 100644
index 0000000..78fa56b
--- /dev/null
+++ b/patches.suse/ALSA-aoa-Fix-I2S-device-accounting.patch
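Review bot: `ac97->dev.bus = NULL;` still executes after the new `put_device(&ac97->dev)`, that is, after the last reference may have been dropped and the device's release callback run. That is safe only if the release callback neither frees nor reinitialises the object embedding `dev`; the callback is not visible in this hunk, so the assumption should be confirmed and written down. I would add a comment on the new line such as `/* drops the name; ac97 itself outlives dev, so touching dev.bus below is still valid */`. `snd_ac97_dev_register()` begins and ends outside the hunk.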
@@ -0,0 +1,48 @@
+From f1fae475f10a26b7e34da4ff2e2f19b7feb3548e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 27 Oct 2022 08:52:33 +0200
+Subject: [PATCH] ALSA: aoa: Fix I2S device accounting
+Git-commit: f1fae475f10a26b7e34da4ff2e2f19b7feb3548e
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+i2sbus_add_dev() is supposed to return the number of probed devices,
+i.e. either 1 or 0. However, i2sbus_add_dev() has one error handling
+that returns -ENODEV; this will screw up the accumulation number
+counted in the caller, i2sbus_probe().
+
+Fix the return value to 0 and add the comment for better understanding
+for readers.
+
+Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
+Link: https://lore.kernel.org/r/20221027065233.13292-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+
+---
+ sound/aoa/soundbus/i2sbus/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/aoa/soundbus/i2sbus/core.c b/sound/aoa/soundbus/i2sbus/core.c
+index f6841daf9e3b..51ed2f34b276 100644
+--- a/sound/aoa/soundbus/i2sbus/core.c
++++ b/sound/aoa/soundbus/i2sbus/core.c
+@@ -147,6 +147,7 @@ static int i2sbus_get_and_fixup_rsrc(struct device_node *np, int index,
+ return rc;
+ }
+
++/* Returns 1 if added, 0 for otherwise; don't return a negative value! */
+ /* FIXME: look at device node refcounting */
+ static int i2sbus_add_dev(struct macio_dev *macio,
+ struct i2sbus_control *control,
+@@ -213,7 +214,7 @@ static int i2sbus_add_dev(struct macio_dev *macio,
+ * either as the second one in that case is just a modem. */
+ if (!ok) {
+ kfree(dev);
+- return -ENODEV;
++ return 0;
+ }
+
+ mutex_init(&dev->lock);
+--
+2.35.3
+
diff --git a/patches.suse/ALSA-aoa-i2sbus-fix-possible-memory-leak-in-i2sbus_a.patch b/patches.suse/ALSA-aoa-i2sbus-fix-possible-memory-leak-in-i2sbus_a.patch
new file mode 100644
index 0000000..b71b092
--- /dev/null
+++ b/patches.suse/ALSA-aoa-i2sbus-fix-possible-memory-leak-in-i2sbus_a.patch
@@ -0,0 +1,41 @@
+From 4a4c8482e370d697738a78dcd7bf2780832cb712 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Thu, 27 Oct 2022 09:34:38 +0800
+Subject: [PATCH] ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()
+Git-commit: 4a4c8482e370d697738a78dcd7bf2780832cb712
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+dev_set_name() in soundbus_add_one() allocates memory for name, it need be
+freed when of_device_register() fails, call soundbus_dev_put() to give up
+the reference that hold in device_initialize(), so that it can be freed in
+kobject_cleanup() when the refcount hit to 0. And other resources are also
+freed in i2sbus_release_dev(), so it can return 0 directly.
+
+Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20221027013438.991920-1-yangyingliang@huawei.com
+Signed-off-by: Takashi Iwai
+
+---
+ sound/aoa/soundbus/i2sbus/core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/aoa/soundbus/i2sbus/core.c b/sound/aoa/soundbus/i2sbus/core.c
+index faf6b03131ee..f6841daf9e3b 100644
+--- a/sound/aoa/soundbus/i2sbus/core.c
++++ b/sound/aoa/soundbus/i2sbus/core.c
+@@ -302,6 +302,10 @@ static int i2sbus_add_dev(struct macio_dev *macio,
+
+ if (soundbus_add_one(&dev->sound)) {
+ printk(KERN_DEBUG "i2sbus: device registration error!\n");
++ if (dev->sound.ofdev.dev.kobj.state_initialized) {
++ soundbus_dev_put(&dev->sound);
++ return 0;
++ }
+ goto err;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/ALSA-au88x0-use-explicitly-signed-char.patch b/patches.suse/ALSA-au88x0-use-explicitly-signed-char.patch
new file mode 100644
index 0000000..62bd3a7
--- /dev/null
+++ b/patches.suse/ALSA-au88x0-use-explicitly-signed-char.patch
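Review bot: The new branch picks between two cleanup paths by reading `dev->sound.ofdev.dev.kobj.state_initialized`, a driver-core internal, and the code does not say what that test stands for. Going by the description, once the device has been initialised its release callback owns `dev` and the `goto err` path must not run as well; a later edit that lets this case fall through to `err` would presumably release the same resources twice. I would add a comment inside the branch, e.g. `/* device was initialised: the release callback frees dev, so skip the err path */`. `i2sbus_add_dev()` begins and ends outside the hunk, so the `err` label's contents could not be checked here.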
@@ -0,0 +1,70 @@
+From ee03c0f200eb0d9f22dd8732d9fb7956d91019c2 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Mon, 24 Oct 2022 18:29:29 +0200
+Subject: [PATCH] ALSA: au88x0: use explicitly signed char
+Git-commit: ee03c0f200eb0d9f22dd8732d9fb7956d91019c2
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+With char becoming unsigned by default, and with `char` alone being
+ambiguous and based on architecture, signed chars need to be marked
+explicitly as such. This fixes warnings like:
+
+sound/pci/au88x0/au88x0_core.c:2029 vortex_adb_checkinout() warn: signedness bug returning '(-22)'
+sound/pci/au88x0/au88x0_core.c:2046 vortex_adb_checkinout() warn: signedness bug returning '(-12)'
+sound/pci/au88x0/au88x0_core.c:2125 vortex_adb_allocroute() warn: 'vortex_adb_checkinout(vortex, (0), en, 0)' is unsigned
+sound/pci/au88x0/au88x0_core.c:2170 vortex_adb_allocroute() warn: 'vortex_adb_checkinout(vortex, stream->resources, en, 4)' is unsigned
+
+As well, since one function returns errnos, return an `int` rather than
+a `signed char`.
+
+Signed-off-by: Jason A. Donenfeld
+Cc:
+Link: https://lore.kernel.org/r/20221024162929.536004-1-Jason@zx2c4.com
+Signed-off-by: Takashi Iwai
+
+---
+ sound/pci/au88x0/au88x0.h | 6 +++---
+ sound/pci/au88x0/au88x0_core.c | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/pci/au88x0/au88x0.h b/sound/pci/au88x0/au88x0.h
+index 0aa7af049b1b..6cbb2bc4a048 100644
+--- a/sound/pci/au88x0/au88x0.h
++++ b/sound/pci/au88x0/au88x0.h
+@@ -141,7 +141,7 @@ struct snd_vortex {
+ #ifndef CHIP_AU8810
+ stream_t dma_wt[NR_WT];
+ wt_voice_t wt_voice[NR_WT]; /* WT register cache. */
+- char mixwt[(NR_WT / NR_WTPB) * 6]; /* WT mixin objects */
++ s8 mixwt[(NR_WT / NR_WTPB) * 6]; /* WT mixin objects */
+ #endif
+
+ /* Global resources */
+@@ -235,8 +235,8 @@ static int vortex_alsafmt_aspfmt(snd_pcm_format_t alsafmt, vortex_t *v);
+ static void vortex_connect_default(vortex_t * vortex, int en);
+ static int vortex_adb_allocroute(vortex_t * vortex, int dma, int nr_ch,
+ int dir, int type, int subdev);
+-static char vortex_adb_checkinout(vortex_t * vortex, int resmap[], int out,
+- int restype);
++static int vortex_adb_checkinout(vortex_t * vortex, int resmap[], int out,
++ int restype);
+ #ifndef CHIP_AU8810
+ static int vortex_wt_allocroute(vortex_t * vortex, int dma, int nr_ch);
+ static void vortex_wt_connect(vortex_t * vortex, int en);
+diff --git a/sound/pci/au88x0/au88x0_core.c b/sound/pci/au88x0/au88x0_core.c
+index 2ed5100b8cae..f217c02dfdfa 100644
+--- a/sound/pci/au88x0/au88x0_core.c
++++ b/sound/pci/au88x0/au88x0_core.c
+@@ -1998,7 +1998,7 @@ static const int resnum[VORTEX_RESOURCE_LAST] =
+ out: Mean checkout if != 0. Else mean Checkin resource.
+ restype: Indicates type of resource to be checked in or out.
+ */
+-static char
++static int
+ vortex_adb_checkinout(vortex_t * vortex, int resmap[], int out, int restype)
+ {
+ int i, qty = resnum[restype], resinuse = 0;
+--
+2.35.3
+
diff --git a/patches.suse/ALSA-hda-realtek-Add-Intel-Reference-SSID-to-support.patch b/patches.suse/ALSA-hda-realtek-Add-Intel-Reference-SSID-to-support.patch
new file mode 100644
index 0000000..867f34b
--- /dev/null
+++ b/patches.suse/ALSA-hda-realtek-Add-Intel-Reference-SSID-to-support.patch
@@ -0,0 +1,38 @@
+From 4f2e56a59b9947b3e698d3cabcb858765c12b1e8 Mon Sep 17 00:00:00 2001
+From: Saranya Gopal
+Date: Tue, 11 Oct 2022 10:19:16 +0530
+Subject: [PATCH] ALSA: hda/realtek: Add Intel Reference SSID to support headset keys
+Git-commit: 4f2e56a59b9947b3e698d3cabcb858765c12b1e8
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+This patch fixes the issue with 3.5mm headset keys
+on RPL-P platform.
+
+[ Rearranged the entry in SSID order by tiwai ]
+
+Signed-off-by: Saranya Gopal
+Signed-off-by: Ninad Naik
+Cc:
+Link: https://lore.kernel.org/r/20221011044916.2278867-1-saranya.gopal@intel.com
+Signed-off-by: Takashi Iwai
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 54a0f6b4ffc7..4b076912bbf4 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9445,6 +9445,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE),
+ SND_PCI_QUIRK(0x10ec, 0x118c, "Medion EE4254 MD62100", ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE),
+ SND_PCI_QUIRK(0x10ec, 0x1230, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
++ SND_PCI_QUIRK(0x10ec, 0x124c, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10ec, 0x1252, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10ec, 0x1254, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE),
+--
+2.35.3
+
diff --git a/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-GV601R-laptop.patch b/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-GV601R-laptop.patch
new file mode 100644
index 0000000..94bf8b7
--- /dev/null
+++ b/patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-GV601R-laptop.patch
@@ -0,0 +1,38 @@
+From 2ea8e1297801f7b0220ebf6ae61a5b74ca83981e Mon Sep 17 00:00:00 2001
+From: "Luke D. Jones"
+Date: Mon, 10 Oct 2022 20:03:47 +1300
+Subject: [PATCH] ALSA: hda/realtek: Add quirk for ASUS GV601R laptop
+Git-commit: 2ea8e1297801f7b0220ebf6ae61a5b74ca83981e
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+The ASUS ROG X16 (GV601R) series laptop has the same node-to-DAC pairs
+as early models and the G14, this includes bass speakers which are by
+default mapped incorrectly to the 0x06 node.
+
+Add a quirk to use the same DAC pairs as the G14.
+
+Signed-off-by: Luke D. Jones
+Cc:
+Link: https://lore.kernel.org/r/20221010070347.36883-1-luke@ljones.dev
+Signed-off-by: Takashi Iwai
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 77a308a71cd4..54a0f6b4ffc7 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9423,6 +9423,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x1e8e, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1c52, "ASUS Zephyrus G15 2022", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1f11, "ASUS Zephyrus G14", ALC289_FIXUP_ASUS_GA401),
++ SND_PCI_QUIRK(0x1043, 0x1f92, "ASUS ROG Flow X16", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2),
+ SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x1043, 0x834a, "ASUS S101", ALC269_FIXUP_STEREO_DMIC),
+--
+2.35.3
+
diff --git a/patches.suse/ALSA-oss-Fix-potential-deadlock-at-unregistration.patch b/patches.suse/ALSA-oss-Fix-potential-deadlock-at-unregistration.patch
new file mode 100644
index 0000000..4396cb4
--- /dev/null
+++ b/patches.suse/ALSA-oss-Fix-potential-deadlock-at-unregistration.patch
@@ -0,0 +1,65 @@
+From 97d917879d7f92df09c3f21fd54609a8bcd654b2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 11 Oct 2022 09:01:47 +0200
+Subject: [PATCH] ALSA: oss: Fix potential deadlock at unregistration
+Git-commit: 97d917879d7f92df09c3f21fd54609a8bcd654b2
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+We took sound_oss_mutex around the calls of unregister_sound_special()
+at unregistering OSS devices. This may, however, lead to a deadlock,
+because we manage the card release via the card's device object, and
+the release may happen at unregister_sound_special() call -- which
+will take sound_oss_mutex again in turn.
+
+Although the deadlock might be fixed by relaxing the rawmidi mutex in
+the previous commit, it's safer to move unregister_sound_special()
+calls themselves out of the sound_oss_mutex, too. The call is
+race-safe as the function has a spinlock protection by itself.
+
+Link: https://lore.kernel.org/r/CAB7eexJP7w1B0mVgDF0dQ+gWor7UdkiwPczmL7pn91xx8xpzOA@mail.gmail.com
+Cc:
+Link: https://lore.kernel.org/r/20221011070147.7611-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+
+---
+ sound/core/sound_oss.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/sound_oss.c b/sound/core/sound_oss.c
+index 7ed0a2a91035..2751bf2ff61b 100644
+--- a/sound/core/sound_oss.c
++++ b/sound/core/sound_oss.c
+@@ -162,7 +162,6 @@ int snd_unregister_oss_device(int type, struct snd_card *card, int dev)
+ mutex_unlock(&sound_oss_mutex);
+ return -ENOENT;
+ }
+- unregister_sound_special(minor);
+ switch (SNDRV_MINOR_OSS_DEVICE(minor)) {
+ case SNDRV_MINOR_OSS_PCM:
+ track2 = SNDRV_MINOR_OSS(cidx, SNDRV_MINOR_OSS_AUDIO);
+@@ -174,12 +173,18 @@ int snd_unregister_oss_device(int type, struct snd_card *card, int dev)
+ track2 = SNDRV_MINOR_OSS(cidx, SNDRV_MINOR_OSS_DMMIDI1);
+ break;
+ }
+- if (track2 >= 0) {
+- unregister_sound_special(track2);
++ if (track2 >= 0)
+ snd_oss_minors[track2] = NULL;
+- }
+ snd_oss_minors[minor] = NULL;
+ mutex_unlock(&sound_oss_mutex);
++
++ /* call unregister_sound_special() outside sound_oss_mutex;
++ * otherwise may deadlock, as it can trigger the release of a card
++ */
++ unregister_sound_special(minor);
++ if (track2 >= 0)
++ unregister_sound_special(track2);
++
+ kfree(mptr);
+ return 0;
+ }
+--
+2.35.3
+
diff --git a/patches.suse/ALSA-rawmidi-Drop-register_mutex-in-snd_rawmidi_free.patch b/patches.suse/ALSA-rawmidi-Drop-register_mutex-in-snd_rawmidi_free.patch
new file mode 100644
index 0000000..e591dce
--- /dev/null
+++ b/patches.suse/ALSA-rawmidi-Drop-register_mutex-in-snd_rawmidi_free.patch
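Review bot: Between `mutex_unlock(&sound_oss_mutex)` and the relocated `unregister_sound_special()` calls the `snd_oss_minors[]` slots are already NULL while the OSS minors themselves are still registered. A concurrent registration for the same minor could then, presumably, see the slot as free and collide with the still-registered minor, and an open arriving in that window reaches a NULL slot; neither the register path nor the open path is visible here, so both need checking. If the window is benign, the new comment should say so, for example by appending `the minor stays registered briefly after its slot is cleared; lookups must tolerate a NULL slot`. The hunks cover only part of `snd_unregister_oss_device()`.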
@@ -0,0 +1,42 @@
+From a70aef7982b012e86dfd39fbb235e76a21ae778a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 11 Oct 2022 09:01:46 +0200
+Subject: [PATCH] ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free()
+Git-commit: a70aef7982b012e86dfd39fbb235e76a21ae778a
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+The register_mutex taken around the dev_unregister callback call in
+snd_rawmidi_free() may potentially lead to a mutex deadlock, when OSS
+emulation and a hot unplug are involved.
+
+Since the mutex doesn't protect the actual race (as the registration
+itself is already protected by another means), let's drop it.
+
+Link: https://lore.kernel.org/r/CAB7eexJP7w1B0mVgDF0dQ+gWor7UdkiwPczmL7pn91xx8xpzOA@mail.gmail.com
+Cc:
+Link: https://lore.kernel.org/r/20221011070147.7611-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+
+---
+ sound/core/rawmidi.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
+index 6963d5a487b3..d8edb6055072 100644
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -1899,10 +1899,8 @@ static int snd_rawmidi_free(struct snd_rawmidi *rmidi)
+
+ snd_info_free_entry(rmidi->proc_entry);
+ rmidi->proc_entry = NULL;
+- mutex_lock(®ister_mutex);
+ if (rmidi->ops && rmidi->ops->dev_unregister)
+ rmidi->ops->dev_unregister(rmidi);
+- mutex_unlock(®ister_mutex);
+
+ snd_rawmidi_free_substreams(&rmidi->streams[SNDRV_RAWMIDI_STREAM_INPUT]);
+ snd_rawmidi_free_substreams(&rmidi->streams[SNDRV_RAWMIDI_STREAM_OUTPUT]);
+--
+2.35.3
+
diff --git a/patches.suse/ALSA-rme9652-use-explicitly-signed-char.patch b/patches.suse/ALSA-rme9652-use-explicitly-signed-char.patch
new file mode 100644
index 0000000..4def6f9
--- /dev/null
+++ b/patches.suse/ALSA-rme9652-use-explicitly-signed-char.patch
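Review bot: After this change `rmidi->ops->dev_unregister(rmidi)` runs with no lock held and the code gives no hint why, so a later cleanup could easily re-add `register_mutex` and bring the deadlock back. The reason lives only in the commit message (deadlock with OSS emulation on hot unplug; registration is protected by another means). A one-line comment above the call would keep it with the code: `/* no register_mutex here: it can deadlock with OSS emulation on hot unplug */`. snd_rawmidi_free() starts and ends outside the hunk.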
@@ -0,0 +1,250 @@ +From 50895a55bcfde8ac6f22a37c6bc8cff506b3c7c6 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Tue, 25 Oct 2022 02:03:13 +0200 +Subject: [PATCH] ALSA: rme9652: use explicitly signed char +Git-commit: 50895a55bcfde8ac6f22a37c6bc8cff506b3c7c6 +Patch-mainline: v6.1-rc3 +References: git-fixes + +With char becoming unsigned by default, and with `char` alone being +ambiguous and based on architecture, signed chars need to be marked +explicitly as such. This fixes warnings like: + +sound/pci/rme9652/hdsp.c:3953 hdsp_channel_buffer_location() warn: 'hdsp->channel_map[channel]' is unsigned +sound/pci/rme9652/hdsp.c:4153 snd_hdsp_channel_info() warn: impossible condition '(hdsp->channel_map[channel] < 0) => (0-255 < 0)' +sound/pci/rme9652/rme9652.c:1833 rme9652_channel_buffer_location() warn: 'rme9652->channel_map[channel]' is unsigned + +Signed-off-by: Jason A. Donenfeld +Cc: +Link: https://lore.kernel.org/r/20221025000313.546261-1-Jason@zx2c4.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/rme9652/hdsp.c | 26 +++++++++++++------------- + sound/pci/rme9652/rme9652.c | 22 +++++++++++----------- + 2 files changed, 24 insertions(+), 24 deletions(-) + +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c +index dcc43a81ae0e..65add92c88aa 100644 +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -433,7 +433,7 @@ struct hdsp_midi { + struct snd_rawmidi *rmidi; + struct snd_rawmidi_substream *input; + struct snd_rawmidi_substream *output; +- char istimer; /* timer in use */ ++ signed char istimer; /* timer in use */ + struct timer_list timer; + spinlock_t lock; + int pending; +@@ -480,7 +480,7 @@ struct hdsp { + pid_t playback_pid; + int running; + int system_sample_rate; +- const char *channel_map; ++ const signed char *channel_map; + int dev; + int irq; + unsigned long port; +@@ -502,7 +502,7 @@ struct hdsp { + where the data for that channel can be read/written from/to. 
+ */ + +-static const char channel_map_df_ss[HDSP_MAX_CHANNELS] = { ++static const signed char channel_map_df_ss[HDSP_MAX_CHANNELS] = { + 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, + 18, 19, 20, 21, 22, 23, 24, 25 + }; +@@ -517,7 +517,7 @@ static const char channel_map_mf_ss[HDSP_MAX_CHANNELS] = { /* Multiface */ + -1, -1, -1, -1, -1, -1, -1, -1 + }; + +-static const char channel_map_ds[HDSP_MAX_CHANNELS] = { ++static const signed char channel_map_ds[HDSP_MAX_CHANNELS] = { + /* ADAT channels are remapped */ + 1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, + /* channels 12 and 13 are S/PDIF */ +@@ -526,7 +526,7 @@ static const char channel_map_ds[HDSP_MAX_CHANNELS] = { + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 + }; + +-static const char channel_map_H9632_ss[HDSP_MAX_CHANNELS] = { ++static const signed char channel_map_H9632_ss[HDSP_MAX_CHANNELS] = { + /* ADAT channels */ + 0, 1, 2, 3, 4, 5, 6, 7, + /* SPDIF */ +@@ -540,7 +540,7 @@ static const char channel_map_H9632_ss[HDSP_MAX_CHANNELS] = { + -1, -1 + }; + +-static const char channel_map_H9632_ds[HDSP_MAX_CHANNELS] = { ++static const signed char channel_map_H9632_ds[HDSP_MAX_CHANNELS] = { + /* ADAT */ + 1, 3, 5, 7, + /* SPDIF */ +@@ -554,7 +554,7 @@ static const char channel_map_H9632_ds[HDSP_MAX_CHANNELS] = { + -1, -1, -1, -1, -1, -1 + }; + +-static const char channel_map_H9632_qs[HDSP_MAX_CHANNELS] = { ++static const signed char channel_map_H9632_qs[HDSP_MAX_CHANNELS] = { + /* ADAT is disabled in this mode */ + /* SPDIF */ + 8, 9, +@@ -3939,7 +3939,7 @@ static snd_pcm_uframes_t snd_hdsp_hw_pointer(struct snd_pcm_substream *substream + return hdsp_hw_pointer(hdsp); + } + +-static char *hdsp_channel_buffer_location(struct hdsp *hdsp, ++static signed char *hdsp_channel_buffer_location(struct hdsp *hdsp, + int stream, + int channel) + +@@ -3964,7 +3964,7 @@ static int snd_hdsp_playback_copy(struct snd_pcm_substream *substream, + void __user *src, unsigned long count) + { + struct hdsp *hdsp = 
snd_pcm_substream_chip(substream); +- char *channel_buf; ++ signed char *channel_buf; + + if (snd_BUG_ON(pos + count > HDSP_CHANNEL_BUFFER_BYTES)) + return -EINVAL; +@@ -3982,7 +3982,7 @@ static int snd_hdsp_playback_copy_kernel(struct snd_pcm_substream *substream, + void *src, unsigned long count) + { + struct hdsp *hdsp = snd_pcm_substream_chip(substream); +- char *channel_buf; ++ signed char *channel_buf; + + channel_buf = hdsp_channel_buffer_location(hdsp, substream->pstr->stream, channel); + if (snd_BUG_ON(!channel_buf)) +@@ -3996,7 +3996,7 @@ static int snd_hdsp_capture_copy(struct snd_pcm_substream *substream, + void __user *dst, unsigned long count) + { + struct hdsp *hdsp = snd_pcm_substream_chip(substream); +- char *channel_buf; ++ signed char *channel_buf; + + if (snd_BUG_ON(pos + count > HDSP_CHANNEL_BUFFER_BYTES)) + return -EINVAL; +@@ -4014,7 +4014,7 @@ static int snd_hdsp_capture_copy_kernel(struct snd_pcm_substream *substream, + void *dst, unsigned long count) + { + struct hdsp *hdsp = snd_pcm_substream_chip(substream); +- char *channel_buf; ++ signed char *channel_buf; + + channel_buf = hdsp_channel_buffer_location(hdsp, substream->pstr->stream, channel); + if (snd_BUG_ON(!channel_buf)) +@@ -4028,7 +4028,7 @@ static int snd_hdsp_hw_silence(struct snd_pcm_substream *substream, + unsigned long count) + { + struct hdsp *hdsp = snd_pcm_substream_chip(substream); +- char *channel_buf; ++ signed char *channel_buf; + + channel_buf = hdsp_channel_buffer_location (hdsp, substream->pstr->stream, channel); + if (snd_BUG_ON(!channel_buf)) +diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c +index 1d614fe89a6a..e7c320afefe8 100644 +--- a/sound/pci/rme9652/rme9652.c ++++ b/sound/pci/rme9652/rme9652.c +@@ -230,7 +230,7 @@ struct snd_rme9652 { + int last_spdif_sample_rate; /* so that we can catch externally ... */ + int last_adat_sample_rate; /* ... 
induced rate changes */ + +- const char *channel_map; ++ const signed char *channel_map; + + struct snd_card *card; + struct snd_pcm *pcm; +@@ -247,12 +247,12 @@ struct snd_rme9652 { + where the data for that channel can be read/written from/to. + */ + +-static const char channel_map_9652_ss[26] = { ++static const signed char channel_map_9652_ss[26] = { + 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, + 18, 19, 20, 21, 22, 23, 24, 25 + }; + +-static const char channel_map_9636_ss[26] = { ++static const signed char channel_map_9636_ss[26] = { + 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, + /* channels 16 and 17 are S/PDIF */ + 24, 25, +@@ -260,7 +260,7 @@ static const char channel_map_9636_ss[26] = { + -1, -1, -1, -1, -1, -1, -1, -1 + }; + +-static const char channel_map_9652_ds[26] = { ++static const signed char channel_map_9652_ds[26] = { + /* ADAT channels are remapped */ + 1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, + /* channels 12 and 13 are S/PDIF */ +@@ -269,7 +269,7 @@ static const char channel_map_9652_ds[26] = { + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 + }; + +-static const char channel_map_9636_ds[26] = { ++static const signed char channel_map_9636_ds[26] = { + /* ADAT channels are remapped */ + 1, 3, 5, 7, 9, 11, 13, 15, + /* channels 8 and 9 are S/PDIF */ +@@ -1819,7 +1819,7 @@ static snd_pcm_uframes_t snd_rme9652_hw_pointer(struct snd_pcm_substream *substr + return rme9652_hw_pointer(rme9652); + } + +-static char *rme9652_channel_buffer_location(struct snd_rme9652 *rme9652, ++static signed char *rme9652_channel_buffer_location(struct snd_rme9652 *rme9652, + int stream, + int channel) + +@@ -1847,7 +1847,7 @@ static int snd_rme9652_playback_copy(struct snd_pcm_substream *substream, + void __user *src, unsigned long count) + { + struct snd_rme9652 *rme9652 = snd_pcm_substream_chip(substream); +- char *channel_buf; ++ signed char *channel_buf; + + if (snd_BUG_ON(pos + count > RME9652_CHANNEL_BUFFER_BYTES)) + return -EINVAL; 
+@@ -1867,7 +1867,7 @@ static int snd_rme9652_playback_copy_kernel(struct snd_pcm_substream *substream, + void *src, unsigned long count) + { + struct snd_rme9652 *rme9652 = snd_pcm_substream_chip(substream); +- char *channel_buf; ++ signed char *channel_buf; + + channel_buf = rme9652_channel_buffer_location(rme9652, + substream->pstr->stream, +@@ -1883,7 +1883,7 @@ static int snd_rme9652_capture_copy(struct snd_pcm_substream *substream, + void __user *dst, unsigned long count) + { + struct snd_rme9652 *rme9652 = snd_pcm_substream_chip(substream); +- char *channel_buf; ++ signed char *channel_buf; + + if (snd_BUG_ON(pos + count > RME9652_CHANNEL_BUFFER_BYTES)) + return -EINVAL; +@@ -1903,7 +1903,7 @@ static int snd_rme9652_capture_copy_kernel(struct snd_pcm_substream *substream, + void *dst, unsigned long count) + { + struct snd_rme9652 *rme9652 = snd_pcm_substream_chip(substream); +- char *channel_buf; ++ signed char *channel_buf; + + channel_buf = rme9652_channel_buffer_location(rme9652, + substream->pstr->stream, +@@ -1919,7 +1919,7 @@ static int snd_rme9652_hw_silence(struct snd_pcm_substream *substream, + unsigned long count) + { + struct snd_rme9652 *rme9652 = snd_pcm_substream_chip(substream); +- char *channel_buf; ++ signed char *channel_buf; + + channel_buf = rme9652_channel_buffer_location (rme9652, + substream->pstr->stream, +-- +2.35.3 + diff --git a/patches.suse/ALSA-usb-audio-Fix-NULL-dererence-at-error-path.patch b/patches.suse/ALSA-usb-audio-Fix-NULL-dererence-at-error-path.patch new file mode 100644 index 0000000..658b5f0 --- /dev/null +++ b/patches.suse/ALSA-usb-audio-Fix-NULL-dererence-at-error-path.patch 
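Review bot: `channel_map_mf_ss` in hdsp.c is left as plain `const char` although its table ends in `-1` entries: it shows up only as the hunk-header context of the `-517` hunk, and none of the thirteen replacements in that file touches its declaration. It is presumably assigned to the now `const signed char *channel_map` like the other tables, so it should get the same treatment, `static const signed char channel_map_mf_ss[HDSP_MAX_CHANNELS] = { /* Multiface */`. With an unsigned `char` the stored byte still reads back as -1 through the signed pointer, so this is a type-consistency gap rather than a visible misbehaviour, but the `< 0` checks named in the commit message depend on every table being read as signed. The assignment sites are outside the hunks shown.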
@@ -0,0 +1,47 @@
+From 568be8aaf8a535f79c4db76cabe17b035aa2584d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 30 Sep 2022 12:01:29 +0200
+Subject: [PATCH] ALSA: usb-audio: Fix NULL dererence at error path
+Git-commit: 568be8aaf8a535f79c4db76cabe17b035aa2584d
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+At an error path to release URB buffers and contexts, the driver might
+hit a NULL dererence for u->urb pointer, when u->buffer_size has been
+already set but the actual URB allocation failed.
+
+Fix it by adding the NULL check of urb. Also, make sure that
+buffer_size is cleared after the error path or the close.
+
+Cc:
+Reported-by: Sabri N. Ferreiro
+Link: https://lore.kernel.org/r/CAKG+3NRjTey+fFfUEGwuxL-pi_=T4cUskYG9OzpzHytF+tzYng@mail.gmail.com
+Link: https://lore.kernel.org/r/20220930100129.19445-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+
+---
+ sound/usb/endpoint.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index b2d0b42b581f..36f753a28341 100644
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -95,12 +95,13 @@ static inline unsigned get_usb_high_speed_rate(unsigned int rate)
+ */
+ static void release_urb_ctx(struct snd_urb_ctx *u)
+ {
+- if (u->buffer_size)
++ if (u->urb && u->buffer_size)
+ usb_free_coherent(u->ep->chip->dev, u->buffer_size,
+ u->urb->transfer_buffer,
+ u->urb->transfer_dma);
+ usb_free_urb(u->urb);
+ u->urb = NULL;
++ u->buffer_size = 0;
+ }
+
+ static const char *usb_error_string(int err)
+--
+2.35.3
+
diff --git a/patches.suse/ALSA-usb-audio-Fix-potential-memory-leaks.patch b/patches.suse/ALSA-usb-audio-Fix-potential-memory-leaks.patch
new file mode 100644
index 0000000..1366c96
--- /dev/null
+++ b/patches.suse/ALSA-usb-audio-Fix-potential-memory-leaks.patch
@@ -0,0 +1,49 @@
+From 6382da0828995af87aa8b8bef28cc61aceb4aff3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 30 Sep 2022 12:01:51 +0200
+Subject: [PATCH] ALSA: usb-audio: Fix potential memory leaks
+Git-commit: 6382da0828995af87aa8b8bef28cc61aceb4aff3
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+When the driver hits -ENOMEM at allocating a URB or a buffer, it
+aborts and goes to the error path that releases the all previously
+allocated resources. However, when -ENOMEM hits at the middle of the
+sync EP URB allocation loop, the partially allocated URBs might be
+left without released, because ep->nurbs is still zero at that point.
+
+Fix it by setting ep->nurbs at first, so that the error handler loops
+over the full URB list.
+
+Cc:
+Link: https://lore.kernel.org/r/20220930100151.19461-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+
+---
+ sound/usb/endpoint.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index 36f753a28341..48a3843a08f1 100644
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -1268,6 +1268,7 @@ static int sync_ep_set_params(struct snd_usb_endpoint *ep)
+ if (!ep->syncbuf)
+ return -ENOMEM;
+
++ ep->nurbs = SYNC_URBS;
+ for (i = 0; i < SYNC_URBS; i++) {
+ struct snd_urb_ctx *u = &ep->urb[i];
+ u->index = i;
+@@ -1287,8 +1288,6 @@ static int sync_ep_set_params(struct snd_usb_endpoint *ep)
+ u->urb->complete = snd_complete_urb;
+ }
+
+- ep->nurbs = SYNC_URBS;
+-
+ return 0;
+
+ out_of_memory:
+--
+2.35.3
+
diff --git a/patches.suse/Bluetooth-L2CAP-Fix-user-after-free.patch b/patches.suse/Bluetooth-L2CAP-Fix-user-after-free.patch
new file mode 100644
index 0000000..93b085f
--- /dev/null
+++ b/patches.suse/Bluetooth-L2CAP-Fix-user-after-free.patch
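Review bot: Moving `ep->nurbs = SYNC_URBS;` ahead of the loop means the `out_of_memory` path can now reach contexts whose URB was never allocated, so this patch is only safe on top of the `u->urb &&` check that ALSA-usb-audio-Fix-NULL-dererence-at-error-path.patch adds to release_urb_ctx(). The index line (`36f753a28341..48a3843a08f1`) shows it was written against that state, but nothing in the code records the dependency, and the error handler itself is outside the hunk. I would add a comment above the assignment, `/* set before allocating so the error path releases partial URBs; release_urb_ctx() must tolerate a NULL urb */`, and keep the two patches in this order in the series.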
@@ -0,0 +1,61 @@
+From 35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Thu, 29 Sep 2022 13:27:13 -0700
+Subject: [PATCH] Bluetooth: L2CAP: Fix user-after-free
+Git-commit: 35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+This uses l2cap_chan_hold_unless_zero() after calling
+__l2cap_get_chan_blah() to prevent the following trace:
+
+Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
+*kref)
+Bluetooth: chan 0000000023c4974d
+Bluetooth: parent 00000000ae861c08
+==================================================================
+Bug: KASAN: use-after-free in __mutex_waiter_is_first
+kernel/locking/mutex.c:191 [inline]
+Bug: KASAN: use-after-free in __mutex_lock_common
+kernel/locking/mutex.c:671 [inline]
+Bug: KASAN: use-after-free in __mutex_lock+0x278/0x400
+kernel/locking/mutex.c:729
+Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
+
+Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sungwoo Kim
+Acked-by: Takashi Iwai
+
+---
+ net/bluetooth/l2cap_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 770891f68703..1f34b82ca0ec 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4309,6 +4309,12 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ }
+ }
+
++ chan = l2cap_chan_hold_unless_zero(chan);
++ if (!chan) {
++ err = -EBADSLT;
++ goto unlock;
++ }
++
+ err = 0;
+
+ l2cap_chan_lock(chan);
+@@ -4338,6 +4344,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ }
+
+ l2cap_chan_unlock(chan);
++ l2cap_chan_put(chan);
+
+ unlock:
+ mutex_unlock(&conn->chan_lock);
+--
+2.35.3
+
diff --git a/patches.suse/Bluetooth-L2CAP-fix-use-after-free-in-l2cap_conn_del.patch b/patches.suse/Bluetooth-L2CAP-fix-use-after-free-in-l2cap_conn_del.patch
new file mode 100644
index 0000000..19fd396
--- /dev/null
+++ b/patches.suse/Bluetooth-L2CAP-fix-use-after-free-in-l2cap_conn_del.patch
@@ -0,0 +1,142 @@ +From 42cf46dea905a80f6de218e837ba4d4cc33d6979 Mon Sep 17 00:00:00 2001 +From: Zhengchao Shao +Date: Mon, 17 Oct 2022 15:58:13 +0800 +Subject: [PATCH] Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() +Git-commit: 42cf46dea905a80f6de218e837ba4d4cc33d6979 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git +Patch-mainline: Queued in subsystem maintainer repo +References: CVE-2022-3640 bsc#1204619 + +When l2cap_recv_frame() is invoked to receive data, and the cid is +L2CAP_CID_A2MP, if the channel does not exist, it will create a channel. +However, after a channel is created, the hold operation of the channel +is not performed. In this case, the value of channel reference counting +is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del() +invokes the close hook function of A2MP to release the channel. Then + l2cap_chan_unlock(chan) will trigger UAF issue. + +The process is as follows: +Receive data: +l2cap_data_channel() + a2mp_channel_create() --->channel ref is 2 + l2cap_chan_put() --->channel ref is 1 + +Triger event: + hci_error_reset() + hci_dev_do_close() + ... 
+ l2cap_disconn_cfm() + l2cap_conn_del() + l2cap_chan_hold() --->channel ref is 2 + l2cap_chan_del() --->channel ref is 1 + a2mp_chan_close_cb() --->channel ref is 0, release channel + l2cap_chan_unlock() --->UAF of channel + +The detailed Call Trace is as follows: +Bug: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0 +Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593 +Workqueue: hci0 hci_error_reset +Call Trace: + + dump_stack_lvl+0xcd/0x134 + print_report.cold+0x2ba/0x719 + kasan_report+0xb1/0x1e0 + kasan_check_range+0x140/0x190 + __mutex_unlock_slowpath+0xa6/0x5e0 + l2cap_conn_del+0x404/0x7b0 + l2cap_disconn_cfm+0x8c/0xc0 + hci_conn_hash_flush+0x11f/0x260 + hci_dev_close_sync+0x5f5/0x11f0 + hci_dev_do_close+0x2d/0x70 + hci_error_reset+0x9e/0x140 + process_one_work+0x98a/0x1620 + worker_thread+0x665/0x1080 + kthread+0x2e4/0x3a0 + ret_from_fork+0x1f/0x30 + + +Allocated by task 7593: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0xa9/0xd0 + l2cap_chan_create+0x40/0x930 + amp_mgr_create+0x96/0x990 + a2mp_channel_create+0x7d/0x150 + l2cap_recv_frame+0x51b8/0x9a70 + l2cap_recv_acldata+0xaa3/0xc00 + hci_rx_work+0x702/0x1220 + process_one_work+0x98a/0x1620 + worker_thread+0x665/0x1080 + kthread+0x2e4/0x3a0 + ret_from_fork+0x1f/0x30 + +Freed by task 7593: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_set_free_info+0x20/0x30 + ____kasan_slab_free+0x167/0x1c0 + slab_free_freelist_hook+0x89/0x1c0 + kfree+0xe2/0x580 + l2cap_chan_put+0x22a/0x2d0 + l2cap_conn_del+0x3fc/0x7b0 + l2cap_disconn_cfm+0x8c/0xc0 + hci_conn_hash_flush+0x11f/0x260 + hci_dev_close_sync+0x5f5/0x11f0 + hci_dev_do_close+0x2d/0x70 + hci_error_reset+0x9e/0x140 + process_one_work+0x98a/0x1620 + worker_thread+0x665/0x1080 + kthread+0x2e4/0x3a0 + ret_from_fork+0x1f/0x30 + +Last potentially related work creation: + kasan_save_stack+0x1e/0x40 + __kasan_record_aux_stack+0xbe/0xd0 + call_rcu+0x99/0x740 + netlink_release+0xe6a/0x1cf0 + __sock_release+0xcd/0x280 + 
sock_close+0x18/0x20 + __fput+0x27c/0xa90 + task_work_run+0xdd/0x1a0 + exit_to_user_mode_prepare+0x23c/0x250 + syscall_exit_to_user_mode+0x19/0x50 + do_syscall_64+0x42/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Second to last potentially related work creation: + kasan_save_stack+0x1e/0x40 + __kasan_record_aux_stack+0xbe/0xd0 + call_rcu+0x99/0x740 + netlink_release+0xe6a/0x1cf0 + __sock_release+0xcd/0x280 + sock_close+0x18/0x20 + __fput+0x27c/0xa90 + task_work_run+0xdd/0x1a0 + exit_to_user_mode_prepare+0x23c/0x250 + syscall_exit_to_user_mode+0x19/0x50 + do_syscall_64+0x42/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put") +Signed-off-by: Zhengchao Shao +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + net/bluetooth/l2cap_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 2283871d3f01..9a32ce634919 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -7615,6 +7615,7 @@ static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid, + return; + } + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + } else { + BT_DBG("unknown cid 0x%4.4x", cid); +-- +2.35.3 + diff --git a/patches.suse/Bluetooth-L2CAP-initialize-delayed-works-at-l2cap_ch.patch b/patches.suse/Bluetooth-L2CAP-initialize-delayed-works-at-l2cap_ch.patch new file mode 100644 index 0000000..007b4f3 --- /dev/null +++ b/patches.suse/Bluetooth-L2CAP-initialize-delayed-works-at-l2cap_ch.patch 
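Review bot: The added `l2cap_chan_hold(chan)` has no matching put inside the hunk, so its correctness depends on the exit path of l2cap_data_channel(), which lies outside the lines shown. The hold is right only if that path drops one reference for the A2MP create branch as well as for the lookup branch; in a tree where it does not, each channel created here would be leaked instead of freed early. Since this is the CVE-2022-3640 backport, that pairing is worth confirming against the target tree and recording at the call, e.g. `/* extra ref for this function, dropped on the common exit path */`.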
@@ -0,0 +1,82 @@ +From 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sun, 4 Sep 2022 00:32:56 +0900 +Subject: [PATCH] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() +Git-commit: 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 +Patch-mainline: v6.1-rc1 +References: git-fixes + +syzbot is reporting cancel_delayed_work() without INIT_DELAYED_WORK() at +l2cap_chan_del() [1], for CONF_NOT_COMPLETE flag (which meant to prevent +l2cap_chan_del() from calling cancel_delayed_work()) is cleared by timer +which fires before l2cap_chan_del() is called by closing file descriptor +created by socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP). + +l2cap_bredr_sig_cmd(L2CAP_CONF_REQ) and l2cap_bredr_sig_cmd(L2CAP_CONF_RSP) +are calling l2cap_ertm_init(chan), and they call l2cap_chan_ready() (which +clears CONF_NOT_COMPLETE flag) only when l2cap_ertm_init(chan) succeeded. + +l2cap_sock_init() does not call l2cap_ertm_init(chan), and it instead sets +CONF_NOT_COMPLETE flag by calling l2cap_chan_set_defaults(). However, when +connect() is requested, "command 0x0409 tx timeout" happens after 2 seconds + from connect() request, and CONF_NOT_COMPLETE flag is cleared after 4 +seconds from connect() request, for l2cap_conn_start() from +l2cap_info_timeout() callback scheduled by + + schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); + +in l2cap_connect() is calling l2cap_chan_ready(). + +Fix this problem by initializing delayed works used by L2CAP_MODE_ERTM +mode as soon as l2cap_chan_create() allocates a channel, like I did in +commit be8597239379f0f5 ("Bluetooth: initialize skb_queue_head at +l2cap_chan_create()"). 
+ +Link: https://syzkaller.appspot.com/bug?extid=83672956c7aa6af698b3 [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + net/bluetooth/l2cap_core.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 2c9de67daadc..770891f68703 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -61,6 +61,9 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); + + static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + struct sk_buff_head *skbs, u8 event); ++static void l2cap_retrans_timeout(struct work_struct *work); ++static void l2cap_monitor_timeout(struct work_struct *work); ++static void l2cap_ack_timeout(struct work_struct *work); + + static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type) + { +@@ -476,6 +479,9 @@ struct l2cap_chan *l2cap_chan_create(void) + write_unlock(&chan_list_lock); + + INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout); ++ INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); ++ INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); ++ INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); + + chan->state = BT_OPEN; + +@@ -3320,10 +3326,6 @@ int l2cap_ertm_init(struct l2cap_chan *chan) + chan->rx_state = L2CAP_RX_STATE_RECV; + chan->tx_state = L2CAP_TX_STATE_XMIT; + +- INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); +- INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); +- INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); +- + skb_queue_head_init(&chan->srej_q); + + err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win); +-- +2.35.3 + diff --git a/patches.suse/Bluetooth-hci_sysfs-Fix-attempting-to-call-device_ad.patch b/patches.suse/Bluetooth-hci_sysfs-Fix-attempting-to-call-device_ad.patch new file mode 100644 index 0000000..536b540 --- /dev/null 
+++ b/patches.suse/Bluetooth-hci_sysfs-Fix-attempting-to-call-device_ad.patch 
@@ -0,0 +1,67 @@ +From 448a496f760664d3e2e79466aa1787e6abc922b5 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Mon, 19 Sep 2022 10:56:59 -0700 +Subject: [PATCH] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times +Git-commit: 448a496f760664d3e2e79466aa1787e6abc922b5 +Patch-mainline: v6.1-rc1 +References: git-fixes + +device_add shall not be called multiple times as stated in its +Documentation: + + 'Do not call this routine or device_register() more than once for + any device structure' + +Syzkaller reports a bug as follows [1]: + +Acked-by: Takashi Iwai + +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:33! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +[...] +Call Trace: + + __list_add include/linux/list.h:69 [inline] + list_add_tail include/linux/list.h:102 [inline] + kobj_kset_join lib/kobject.c:164 [inline] + kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214 + kobject_add_varg lib/kobject.c:358 [inline] + kobject_add+0x150/0x1c0 lib/kobject.c:410 + device_add+0x368/0x1e90 drivers/base/core.c:3452 + hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53 + hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799 + hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110 + hci_event_func net/bluetooth/hci_event.c:7440 [inline] + hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495 + hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007 + process_one_work+0x991/0x1610 kernel/workqueue.c:2289 + worker_thread+0x665/0x1080 kernel/workqueue.c:2436 + kthread+0x2e4/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + + +Link: https://syzkaller.appspot.com/bug?id=da3246e2d33afdb92d66bc166a0934c5b146404a +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Hawkins Jiawei +--- + net/bluetooth/hci_sysfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c +index 4e3e0451b08c..08542dfc2dc5 100644 +--- 
a/net/bluetooth/hci_sysfs.c ++++ b/net/bluetooth/hci_sysfs.c +@@ -48,6 +48,9 @@ void hci_conn_add_sysfs(struct hci_conn *conn) + + BT_DBG("conn %p", conn); + ++ if (device_is_registered(&conn->dev)) ++ return; ++ + dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle); + + if (device_add(&conn->dev) < 0) { +-- +2.35.3 + diff --git a/patches.suse/HID-bigben-fix-slab-out-of-bounds-Write-in-bigben_pr.patch b/patches.suse/HID-bigben-fix-slab-out-of-bounds-Write-in-bigben_pr.patch index 73b1b26..af8fa89 100644 --- a/patches.suse/HID-bigben-fix-slab-out-of-bounds-Write-in-bigben_pr.patch +++ b/patches.suse/HID-bigben-fix-slab-out-of-bounds-Write-in-bigben_pr.patch @@ -4,7 +4,7 @@ Date: Fri, 6 May 2022 15:24:25 +0800 Subject: [PATCH] HID: bigben: fix slab-out-of-bounds Write in bigben_probe Git-commit: fc4ef9d5724973193bfa5ebed181dba6de3a56db Patch-mainline: v5.19-rc1 -References: git-fixes +References: CVE-2022-3577 bsc#1204470 There is a slab-out-of-bounds Write bug in hid-bigbenff driver. The problem is the driver assumes the device must have an input but diff --git a/patches.suse/HID-hidraw-fix-memory-leak-in-hidraw_release.patch b/patches.suse/HID-hidraw-fix-memory-leak-in-hidraw_release.patch new file mode 100644 index 0000000..c0a8453 --- /dev/null +++ b/patches.suse/HID-hidraw-fix-memory-leak-in-hidraw_release.patch 
@@ -0,0 +1,68 @@ +From a5623a203cffe2d2b84d2f6c989d9017db1856af Mon Sep 17 00:00:00 2001 +From: Karthik Alapati +Date: Thu, 28 Jul 2022 21:13:17 +0530 +Subject: [PATCH] HID: hidraw: fix memory leak in hidraw_release() +Git-commit: a5623a203cffe2d2b84d2f6c989d9017db1856af +Patch-mainline: v6.0-rc4 +References: git-fixes + +Free the buffered reports before deleting the list entry. + +Bug: memory leak +unreferenced object 0xffff88810e72f180 (size 32): + comm "softirq", pid 0, jiffies 4294945143 (age 16.080s) + hex dump (first 32 bytes): + 64 f3 c6 6a d1 88 07 04 00 00 00 00 00 00 00 00 d..j............ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmemdup+0x23/0x50 mm/util.c:128 + [] kmemdup include/linux/fortify-string.h:440 [inline] + [] hidraw_report_event+0xa2/0x150 drivers/hid/hidraw.c:521 + [] hid_report_raw_event+0x27d/0x740 drivers/hid/hid-core.c:1992 + [] hid_input_report+0x1ae/0x270 drivers/hid/hid-core.c:2065 + [] hid_irq_in+0x1ff/0x250 drivers/hid/usbhid/hid-core.c:284 + [] __usb_hcd_giveback_urb+0xf9/0x230 drivers/usb/core/hcd.c:1670 + [] usb_hcd_giveback_urb+0x1b6/0x1d0 drivers/usb/core/hcd.c:1747 + [] dummy_timer+0x8e4/0x14c0 drivers/usb/gadget/udc/dummy_hcd.c:1988 + [] call_timer_fn+0x38/0x200 kernel/time/timer.c:1474 + [] expire_timers kernel/time/timer.c:1519 [inline] + [] __run_timers.part.0+0x316/0x430 kernel/time/timer.c:1790 + [] __run_timers kernel/time/timer.c:1768 [inline] + [] run_timer_softirq+0x44/0x90 kernel/time/timer.c:1803 + [] __do_softirq+0xe6/0x2ea kernel/softirq.c:571 + [] invoke_softirq kernel/softirq.c:445 [inline] + [] __irq_exit_rcu kernel/softirq.c:650 [inline] + [] irq_exit_rcu+0xc0/0x110 kernel/softirq.c:662 + [] sysvec_apic_timer_interrupt+0xa2/0xd0 arch/x86/kernel/apic/apic.c:1106 + [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649 + [] native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline] + [] arch_safe_halt arch/x86/include/asm/irqflags.h:89 
[inline] + [] acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] + [] acpi_idle_do_entry+0xc0/0xd0 drivers/acpi/processor_idle.c:554 + +Link: https://syzkaller.appspot.com/bug?id=19a04b43c75ed1092021010419b5e560a8172c4f +Reported-by: syzbot+f59100a0428e6ded9443@syzkaller.appspotmail.com +Signed-off-by: Karthik Alapati +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hidraw.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -346,10 +346,13 @@ static int hidraw_release(struct inode * + unsigned int minor = iminor(inode); + struct hidraw_list *list = file->private_data; + unsigned long flags; ++ int i; + + mutex_lock(&minors_lock); + + spin_lock_irqsave(&hidraw_table[minor]->list_lock, flags); ++ for (i = list->tail; i < list->head; i++) ++ kfree(list->buffer[i].value); + list_del(&list->node); + spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags); + kfree(list); diff --git a/patches.suse/HID-magicmouse-Do-not-set-BTN_MOUSE-on-double-report.patch b/patches.suse/HID-magicmouse-Do-not-set-BTN_MOUSE-on-double-report.patch new file mode 100644 index 0000000..f8f61ce --- /dev/null +++ b/patches.suse/HID-magicmouse-Do-not-set-BTN_MOUSE-on-double-report.patch 
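Review bot: The new loop `for (i = list->tail; i < list->head; i++)` frees nothing when `head` is numerically below `tail`, which is a normal state if `list->buffer` is a ring with wrapping indices, as the HIDRAW_BUFFER_SIZE masking used for head and tail in hidraw suggests (hidraw_report_event() and hidraw_read() are outside the hunk). In that state the reports still queued at release are leaked exactly as before the patch. Walking the ring with the same mask closes the gap: `for (i = list->tail; i != list->head; i = (i + 1) & (HIDRAW_BUFFER_SIZE - 1))`.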
@@ -0,0 +1,48 @@
+From bb5f0c855dcfc893ae5ed90e4c646bde9e4498bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?=
+Date: Sun, 9 Oct 2022 20:27:47 +0200
+Subject: [PATCH] HID: magicmouse: Do not set BTN_MOUSE on double report
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: bb5f0c855dcfc893ae5ed90e4c646bde9e4498bf
+Patch-mainline: v6.1-rc2
+References: git-fixes
+
+Under certain conditions the Magic Trackpad can group 2 reports in a
+single packet. The packet is split and the raw event function is
+invoked recursively for each part.
+
+However, after processing each part, the BTN_MOUSE status is updated,
+sending multiple click events. [1]
+
+Return after processing double reports to avoid this issue.
+
+Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/811 # [1]
+Fixes: a462230e16ac ("HID: magicmouse: enable Magic Trackpad support")
+Reported-by: Nulo
+Signed-off-by: José Expósito
+Signed-off-by: Benjamin Tissoires
+Link: https://lore.kernel.org/r/20221009182747.90730-1-jose.exposito89@gmail.com
+Acked-by: Takashi Iwai
+
+---
+ drivers/hid/hid-magicmouse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
+index 664a624a363d..c9c968d4b36a 100644
+--- a/drivers/hid/hid-magicmouse.c
++++ b/drivers/hid/hid-magicmouse.c
+@@ -480,7 +480,7 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+ magicmouse_raw_event(hdev, report, data + 2, data[1]);
+ magicmouse_raw_event(hdev, report, data + 2 + data[1],
+ size - 2 - data[1]);
+- break;
++ return 0;
+ default:
+ return 0;
+ }
+--
+2.35.3
+
diff --git a/patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch b/patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch
new file mode 100644
index 0000000..77a0982
--- /dev/null
+++ b/patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch
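Review bot: The two recursive calls in this case take `data[1]`, a byte from the device report, as the length of the first part and subtract it from `size` for the second, and nothing in the hunk checks it against `size`. If no earlier check exists in magicmouse_raw_event() (its start is outside the hunk), a report with `size < 2` or `data[1] > size - 2` hands the nested call a negative or oversized length. A guard ahead of the calls, `if (size < 2 || data[1] > size - 2) return 0;`, would bound both parts. The new `return 0;` itself looks right.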
@@ -0,0 +1,108 @@
+From cacdb14b1c8d3804a3a7d31773bc7569837b71a4 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim
+Date: Sun, 4 Sep 2022 12:31:15 -0700
+Subject: [PATCH] HID: roccat: Fix use-after-free in roccat_read()
+Git-commit: cacdb14b1c8d3804a3a7d31773bc7569837b71a4
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+roccat_report_event() is responsible for registering
+roccat-related reports in struct roccat_device.
+
+int roccat_report_event(int minor, u8 const *data)
+{
+ struct roccat_device *device;
+ struct roccat_reader *reader;
+ struct roccat_report *report;
+ uint8_t *new_value;
+
+ device = devices[minor];
+
+ new_value = kmemdup(data, device->report_size, GFP_ATOMIC);
+ if (!new_value)
+ return -ENOMEM;
+
+ report = &device->cbuf[device->cbuf_end];
+
+ /* passing NULL is safe */
+ kfree(report->value);
+ ...
+
+The registered report is stored in the struct roccat_device member
+"struct roccat_report cbuf[ROCCAT_CBUF_SIZE];".
+If more reports are received than the "ROCCAT_CBUF_SIZE" value,
+kfree() the saved report from cbuf[0] and allocates a new reprot.
+Since there is no lock when this kfree() is performed,
+kfree() can be performed even while reading the saved report.
+
+static ssize_t roccat_read(struct file *file, char __user *buffer,
+ size_t count, loff_t *ppos)
+{
+ struct roccat_reader *reader = file->private_data;
+ struct roccat_device *device = reader->device;
+ struct roccat_report *report;
+ ssize_t retval = 0, len;
+ DECLARE_WAITQUEUE(wait, current);
+
+ mutex_lock(&device->cbuf_lock);
+
+ ...
+
+ report = &device->cbuf[reader->cbuf_start];
+ /*
+ * If report is larger than requested amount of data, rest of report
+ * is lost!
+ */
+ len = device->report_size > count ? count : device->report_size;
+
+ if (copy_to_user(buffer, report->value, len)) {
+ retval = -EFAULT;
+ goto exit_unlock;
+ }
+ ...
+
+The roccat_read() function receives the device->cbuf report and
+delivers it to the user through copy_to_user().
+If the N+ROCCAT_CBUF_SIZE th report is received while copying of
+the Nth report->value is in progress, the pointer that copy_to_user()
+is working on is kfree()ed and UAF read may occur. (race condition)
+
+Since the device node of this driver does not set separate permissions,
+this is not a security vulnerability, but because it is used for
+requesting screen display of profile or dpi settings,
+a user using the roccat device can apply udev to this device node or
+There is a possibility to use it by giving.
+
+Signed-off-by: Hyunwoo Kim
+Signed-off-by: Jiri Kosina
+Acked-by: Takashi Iwai
+
+---
+ drivers/hid/hid-roccat.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index 26373b82fe81..6da80e442fdd 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -257,6 +257,8 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->cbuf_lock);
++
+ report = &device->cbuf[device->cbuf_end];
+
+ /* passing NULL is safe */
+@@ -276,6 +278,8 @@ int roccat_report_event(int minor, u8 const *data)
+ reader->cbuf_start = (reader->cbuf_start + 1) % ROCCAT_CBUF_SIZE;
+ }
+
++ mutex_unlock(&device->cbuf_lock);
++
+ wake_up_interruptible(&device->wait);
+ return 0;
+ }
+--
+2.35.3
+
diff --git a/patches.suse/HSI-omap_ssi-Fix-refcount-leak-in-ssi_probe.patch b/patches.suse/HSI-omap_ssi-Fix-refcount-leak-in-ssi_probe.patch
new file mode 100644
index 0000000..bbfeca0
--- /dev/null
+++ b/patches.suse/HSI-omap_ssi-Fix-refcount-leak-in-ssi_probe.patch
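Review bot: `mutex_lock(&device->cbuf_lock)` is added to roccat_report_event(), which allocates with `GFP_ATOMIC` just above, and that flag suggests the function may be reached from a context that must not sleep. If its callers are HID raw-event handlers running in interrupt or softirq context (not visible in this hunk), taking a mutex there is a sleep-in-atomic bug, so the use-after-free would be exchanged for a different fault. The calling context should be confirmed, for instance by testing with CONFIG_DEBUG_ATOMIC_SLEEP enabled. If it is atomic, cbuf needs a spinlock instead, with roccat_read() copying the report out under that lock before it calls `copy_to_user()`. roccat_report_event() starts outside the hunk.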
@@ -0,0 +1,36 @@
+From 9a2ea132df860177b33c9fd421b26c4e9a0a9396 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Mon, 4 Apr 2022 08:52:32 +0000
+Subject: [PATCH] HSI: omap_ssi: Fix refcount leak in ssi_probe
+Git-commit: 9a2ea132df860177b33c9fd421b26c4e9a0a9396
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+When returning or breaking early from a
+for_each_available_child_of_node() loop, we need to explicitly call
+of_node_put() on the child node to possibly release the node.
+
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Sebastian Reichel
+Acked-by: Takashi Iwai
+
+---
+ drivers/hsi/controllers/omap_ssi_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
+index 44a3f5660c10..eb9820158318 100644
+--- a/drivers/hsi/controllers/omap_ssi_core.c
++++ b/drivers/hsi/controllers/omap_ssi_core.c
+@@ -524,6 +524,7 @@ static int ssi_probe(struct platform_device *pd)
+ if (!childpdev) {
+ err = -ENODEV;
+ dev_err(&pd->dev, "failed to create ssi controller port\n");
++ of_node_put(child);
+ goto out3;
+ }
+ }
+--
+2.35.3
+
diff --git a/patches.suse/HSI-omap_ssi_port-Fix-dma_map_sg-error-check.patch b/patches.suse/HSI-omap_ssi_port-Fix-dma_map_sg-error-check.patch
new file mode 100644
index 0000000..da5bda7
--- /dev/null
+++ b/patches.suse/HSI-omap_ssi_port-Fix-dma_map_sg-error-check.patch
@@ -0,0 +1,55 @@
+From 551e325bbd3fb8b5a686ac1e6cf76e5641461cf2 Mon Sep 17 00:00:00 2001
+From: Jack Wang
+Date: Fri, 26 Aug 2022 12:12:27 +0200
+Subject: [PATCH] HSI: omap_ssi_port: Fix dma_map_sg error check
+Git-commit: 551e325bbd3fb8b5a686ac1e6cf76e5641461cf2
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+dma_map_sg return 0 on error, in case of error return -EIO
+to caller.
+
+Cc: Sebastian Reichel
+Cc: linux-kernel@vger.kernel.org (open list)
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Jack Wang
+Signed-off-by: Sebastian Reichel
+Acked-by: Takashi Iwai
+
+---
+ drivers/hsi/controllers/omap_ssi_port.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_port.c b/drivers/hsi/controllers/omap_ssi_port.c
+index a0cb5be246e1..b9495b720f1b 100644
+--- a/drivers/hsi/controllers/omap_ssi_port.c
++++ b/drivers/hsi/controllers/omap_ssi_port.c
+@@ -230,10 +230,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch)
+ if (msg->ttype == HSI_MSG_READ) {
+ err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents,
+ DMA_FROM_DEVICE);
+- if (err < 0) {
++ if (!err) {
+ dev_dbg(&ssi->device, "DMA map SG failed !\n");
+ pm_runtime_put_autosuspend(omap_port->pdev);
+- return err;
++ return -EIO;
+ }
+ csdp = SSI_DST_BURST_4x32_BIT | SSI_DST_MEMORY_PORT |
+ SSI_SRC_SINGLE_ACCESS0 | SSI_SRC_PERIPHERAL_PORT |
+@@ -247,10 +247,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch)
+ } else {
+ err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents,
+ DMA_TO_DEVICE);
+- if (err < 0) {
++ if (!err) {
+ dev_dbg(&ssi->device, "DMA map SG failed !\n");
+ pm_runtime_put_autosuspend(omap_port->pdev);
+- return err;
++ return -EIO;
+ }
+ csdp = SSI_SRC_BURST_4x32_BIT | SSI_SRC_MEMORY_PORT |
+ SSI_DST_SINGLE_ACCESS0 | SSI_DST_PERIPHERAL_PORT |
+--
+2.35.3
+
diff --git a/patches.suse/IB-cm-Cancel-mad-on-the-DREQ-event-when-the-state-is.patch b/patches.suse/IB-cm-Cancel-mad-on-the-DREQ-event-when-the-state-is.patch
new file mode 100644
index 0000000..5be88c6
--- /dev/null
+++ b/patches.suse/IB-cm-Cancel-mad-on-the-DREQ-event-when-the-state-is.patch
@@ -0,0 +1,49 @@
+From 107dd7beba403a363adfeb3ffe3734fe38a05cce Mon Sep 17 00:00:00 2001
+From: Mark Zhang
+Date: Mon, 4 Apr 2022 11:58:05 +0300
+Subject: [PATCH 1/1] IB/cm: Cancel mad on the DREQ event when the state is
+ MRA_REP_RCVD
+Git-commit: 107dd7beba403a363adfeb3ffe3734fe38a05cce
+Patch-mainline: v5.18
+References: git-fixes
+
+On the passive side when the disconnectReq event comes, if the current
+state is MRA_REP_RCVD, it needs to cancel the MAD before entering the
+DREQ_RCVD and TIMEWAIT states, otherwise the destroy_id may block until
+this mad will reach timeout.
+
+Fixes: a977049dacde ("[PATCH] IB: Add the kernel CM implementation")
+Link: https://lore.kernel.org/r/75261c00c1d82128b1d981af9ff46e994186e621.1649062436.git.leonro@nvidia.com
+Signed-off-by: Mark Zhang
+Reviewed-by: Maor Gottlieb
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/core/cm.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index 35f0d5e7533d..1c107d6d03b9 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -2824,6 +2824,7 @@ static int cm_dreq_handler(struct cm_work *work)
+ switch (cm_id_priv->id.state) {
+ case IB_CM_REP_SENT:
+ case IB_CM_DREQ_SENT:
++ case IB_CM_MRA_REP_RCVD:
+ ib_cancel_mad(cm_id_priv->av.port->mad_agent, cm_id_priv->msg);
+ break;
+ case IB_CM_ESTABLISHED:
+@@ -2831,8 +2832,6 @@ static int cm_dreq_handler(struct cm_work *work)
+ cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
+ ib_cancel_mad(cm_id_priv->av.port->mad_agent, cm_id_priv->msg);
+ break;
+- case IB_CM_MRA_REP_RCVD:
+- break;
+ case IB_CM_TIMEWAIT:
+ atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ counter[CM_DREQ_COUNTER]);
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/IB-cma-Allow-XRC-INI-QPs-to-set-their-local-ACK-time.patch b/patches.suse/IB-cma-Allow-XRC-INI-QPs-to-set-their-local-ACK-time.patch new file mode 100644 index 0000000..d155300 --- /dev/null +++ b/patches.suse/IB-cma-Allow-XRC-INI-QPs-to-set-their-local-ACK-time.patch @@ -0,0 +1,40 @@ +From 748663c8ccf6b2e5a800de19127c2cc1c4423fd2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Wed, 9 Feb 2022 16:39:35 +0100 +Subject: [PATCH 1/1] IB/cma: Allow XRC INI QPs to set their local ACK timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 748663c8ccf6b2e5a800de19127c2cc1c4423fd2 +Patch-mainline: v5.18 +References: git-fixes + +XRC INI QPs should be able to adjust their local ACK timeout. + +Fixes: 2c1619edef61 ("IB/cma: Define option to set ack timeout and pack tos_set") +Link: https://lore.kernel.org/r/1644421175-31943-1-git-send-email-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Suggested-by: Avneesh Pant +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/cma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 27a00ce2e101..288ff0735875 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -2640,7 +2640,7 @@ int rdma_set_ack_timeout(struct rdma_cm_id *id, u8 timeout) + { + struct rdma_id_private *id_priv; + +- if (id->qp_type != IB_QPT_RC) ++ if (id->qp_type != IB_QPT_RC && id->qp_type != IB_QPT_XRC_INI) + return -EINVAL; + + id_priv = container_of(id, struct rdma_id_private, id); +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/IB-core-Only-update-PKEY-and-GID-caches-on-respectiv.patch b/patches.suse/IB-core-Only-update-PKEY-and-GID-caches-on-respectiv.patch new file mode 100644 index 0000000..42accb9 --- /dev/null 
+++ b/patches.suse/IB-core-Only-update-PKEY-and-GID-caches-on-respectiv.patch 
@@ -0,0 +1,106 @@ +From d58c23c9254894d438ce5c516745cf694eac86b7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Tue, 25 May 2021 19:49:09 +0200 +Subject: [PATCH 1/1] IB/core: Only update PKEY and GID caches on respective + events +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: d58c23c9254894d438ce5c516745cf694eac86b7 +Patch-mainline: v5.14 +References: git-fixes + +Both the PKEY and GID tables in an HCA can hold in the order of hundreds +entries. Reading them is expensive. Partly because the API for retrieving +them only returns a single entry at a time. Further, on certain +implementations, e.g., CX-3, the VFs are paravirtualized in this respect +and have to rely on the PF driver to perform the read. This again demands +VF to PF communication. + +IB Core's cache is refreshed on all events. Hence, filter the refresh of +the PKEY and GID caches based on the event received being +IB_EVENT_PKEY_CHANGE and IB_EVENT_GID_CHANGE respectively. 
+ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/1621964949-28484-1-git-send-email-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/cache.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c +index 3b0991fedd81..d32045986109 100644 +--- a/drivers/infiniband/core/cache.c ++++ b/drivers/infiniband/core/cache.c +@@ -1465,10 +1465,12 @@ err: + } + + static int +-ib_cache_update(struct ib_device *device, u8 port, bool enforce_security) ++ib_cache_update(struct ib_device *device, u8 port, bool update_gids, ++ bool update_pkeys, bool enforce_security) + { + struct ib_port_attr *tprops = NULL; +- struct ib_pkey_cache *pkey_cache = NULL, *old_pkey_cache; ++ struct ib_pkey_cache *pkey_cache = NULL; ++ struct ib_pkey_cache *old_pkey_cache = NULL; + int i; + int ret; + +@@ -1432,14 +1434,16 @@ ib_cache_update(struct ib_device *device, u8 port, bool enforce_security) + goto err; + } + +- if (!rdma_protocol_roce(device, port)) { ++ if (!rdma_protocol_roce(device, port) && update_gids) { + ret = config_non_roce_gid_cache(device, port, + tprops->gid_tbl_len); + if (ret) + goto err; + } + +- if (tprops->pkey_tbl_len) { ++ update_pkeys &= !!tprops->pkey_tbl_len; ++ ++ if (update_pkeys) { + pkey_cache = kmalloc(struct_size(pkey_cache, table, + tprops->pkey_tbl_len), + GFP_KERNEL); +@@ -1517,9 +1521,10 @@ ib_cache_update(struct ib_device *device, u32 port, bool enforce_security) + + write_lock_irq(&device->cache_lock); + +- old_pkey_cache = device->port_data[port].cache.pkey; +- +- device->port_data[port].cache.pkey = pkey_cache; ++ if (update_pkeys) { ++ old_pkey_cache = device->port_data[port].cache.pkey; ++ device->port_data[port].cache.pkey = pkey_cache; ++ } + device->port_data[port].cache.lmc = tprops->lmc; + 
device->port_data[port].cache.port_state = tprops->state; + +@@ -1551,6 +1556,8 @@ static void ib_cache_event_task(struct work_struct *_work) + * the cache. + */ + ret = ib_cache_update(work->event.device, work->event.element.port_num, ++ work->event.event == IB_EVENT_GID_CHANGE, ++ work->event.event == IB_EVENT_PKEY_CHANGE, + work->enforce_security); + + /* GID event is notified already for individual GID entries by +@@ -1624,7 +1631,7 @@ int ib_cache_setup_one(struct ib_device *device) + return err; + + rdma_for_each_port (device, p) { +- err = ib_cache_update(device, p, true); ++ err = ib_cache_update(device, p, true, true, true); + if (err) + return err; + } +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/IB-hfi1-Adjust-pkey-entry-in-index-0.patch b/patches.suse/IB-hfi1-Adjust-pkey-entry-in-index-0.patch new file mode 100644 index 0000000..43fd621 --- /dev/null +++ b/patches.suse/IB-hfi1-Adjust-pkey-entry-in-index-0.patch 
@@ -0,0 +1,67 @@ +From 62004871e1fa7f9a60797595c03477af5b5ec36f Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Thu, 15 Jul 2021 12:04:45 -0400 +Subject: [PATCH 1/1] IB/hfi1: Adjust pkey entry in index 0 +Git-commit: 62004871e1fa7f9a60797595c03477af5b5ec36f +Patch-mainline: v5.15 +References: git-fixes + +It is possible for the primary IPoIB network device associated with any +RDMA device to fail to join certain multicast groups preventing IPv6 +neighbor discovery and possibly other network ULPs from working +correctly. The IPv4 broadcast group is not affected as the IPoIB network +device handles joining that multicast group directly. + +This is because the primary IPoIB network device uses the pkey at ndex 0 +in the associated RDMA device's pkey table. Anytime the pkey value of +index 0 changes, the primary IPoIB network device automatically modifies +it's broadcast address (i.e. /sys/class/net/[ib0]/broadcast), since the +broadcast address includes the pkey value, and then bounces carrier. This +includes initial pkey assignment, such as when the pkey at index 0 +transitions from the opa default of invalid (0x0000) to some value such as +the OPA default pkey for Virtual Fabric 0: 0x8001 or when the fabric +manager is restarted with a configuration change causing the pkey at index +0 to change. Many network ULPs are not sensitive to the carrier bounce and +are not expecting the broadcast address to change including the linux IPv6 +stack. This problem does not affect IPoIB child network devices as their +pkey value is constant for all time. + +To mitigate this issue, change the default pkey in at index 0 to 0x8001 to +cover the predominant case and avoid issues as ipoib comes up and the FM +sweeps. + +At some point, ipoib multicast support should automatically fix +non-broadcast addresses as it does with the primary broadcast address. 
+ +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Link: https://lore.kernel.org/r/20210715160445.142451.47651.stgit@awfm-01.cornelisnetworks.com +Suggested-by: Josh Collier +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hfi1/init.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/init.c b/drivers/infiniband/hw/hfi1/init.c +index 0986aa065418..34106e5be679 100644 +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -650,12 +650,7 @@ void hfi1_init_pportdata(struct pci_dev *pdev, struct hfi1_pportdata *ppd, + + ppd->pkeys[default_pkey_idx] = DEFAULT_P_KEY; + ppd->part_enforce |= HFI1_PART_ENFORCE_IN; +- +- if (loopback) { +- dd_dev_err(dd, "Faking data partition 0x8001 in idx %u\n", +- !default_pkey_idx); +- ppd->pkeys[!default_pkey_idx] = 0x8001; +- } ++ ppd->pkeys[0] = 0x8001; + + INIT_WORK(&ppd->link_vc_work, handle_verify_cap); + INIT_WORK(&ppd->link_up_work, handle_link_up); +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/IB-hfi1-Fix-abba-locking-issue-with-sc_disable.patch b/patches.suse/IB-hfi1-Fix-abba-locking-issue-with-sc_disable.patch new file mode 100644 index 0000000..9b13607 --- /dev/null +++ b/patches.suse/IB-hfi1-Fix-abba-locking-issue-with-sc_disable.patch 
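Review bot: `ppd->pkeys[0] = 0x8001;` hard-codes both the table index and the key value directly after `ppd->pkeys[default_pkey_idx] = DEFAULT_P_KEY;`, and no comment explains either. If `default_pkey_idx` can be 0 (its assignment is outside the hunk), the second store silently replaces the default key while `HFI1_PART_ENFORCE_IN` is switched on in between. I would add a comment such as `/* index 0 is the pkey ipoib uses; preset the Virtual Fabric 0 default so it does not change when the FM sweeps */` and give 0x8001 a named constant. hfi1_init_pportdata() starts and ends outside the hunk.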
@@ -0,0 +1,69 @@
+From 13bac861952a78664907a0f927d3e874e9a59034 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn
+Date: Wed, 13 Oct 2021 10:18:52 -0400
+Subject: [PATCH 1/1] IB/hfi1: Fix abba locking issue with sc_disable()
+Git-commit: 13bac861952a78664907a0f927d3e874e9a59034
+Patch-mainline: v5.15
+References: git-fixes
+
+sc_disable() after having disabled the send context wakes up any waiters
+by calling hfi1_qp_wakeup() while holding the waitlock for the sc.
+
+This is contrary to the model for all other calls to hfi1_qp_wakeup()
+where the waitlock is dropped and a local is used to drive calls to
+hfi1_qp_wakeup().
+
+Fix by moving the sc->piowait into a local list and driving the wakeup
+calls from the list.
+
+Fixes: 099a884ba4c0 ("IB/hfi1: Handle wakeup of orphaned QPs for pio")
+Link: https://lore.kernel.org/r/20211013141852.128104.2682.stgit@awfm-01.cornelisnetworks.com
+Signed-off-by: Mike Marciniszyn
+Reported-by: TOTE Robot
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/hw/hfi1/pio.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/pio.c b/drivers/infiniband/hw/hfi1/pio.c
+index 489b436f19bb..3d42bd2b36bd 100644
+--- a/drivers/infiniband/hw/hfi1/pio.c
++++ b/drivers/infiniband/hw/hfi1/pio.c
+@@ -878,6 +878,7 @@ void sc_disable(struct send_context *sc)
+ {
+ u64 reg;
+ struct pio_buf *pbuf;
++ LIST_HEAD(wake_list);
+
+ if (!sc)
+ return;
+@@ -912,19 +913,21 @@ void sc_disable(struct send_context *sc)
+ spin_unlock(&sc->release_lock);
+
+ write_seqlock(&sc->waitlock);
+- while (!list_empty(&sc->piowait)) {
++ if (!list_empty(&sc->piowait))
++ list_move(&sc->piowait, &wake_list);
++ write_sequnlock(&sc->waitlock);
++ while (!list_empty(&wake_list)) {
+ struct iowait *wait;
+ struct rvt_qp *qp;
+ struct hfi1_qp_priv *priv;
+
+- wait = list_first_entry(&sc->piowait, struct iowait, list);
++ wait = list_first_entry(&wake_list, struct iowait, list);
+ qp = iowait_to_qp(wait);
+ priv = qp->priv;
+ list_del_init(&priv->s_iowait.list);
+ priv->s_iowait.lock = NULL;
+ hfi1_qp_wakeup(qp, RVT_S_WAIT_PIO | HFI1_S_WAIT_PIO_DRAIN);
+ }
+- write_sequnlock(&sc->waitlock);
+
+ spin_unlock_irq(&sc->alloc_lock);
+ }
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/IB-hfi1-Fix-possible-null-pointer-dereference-in-_ex.patch b/patches.suse/IB-hfi1-Fix-possible-null-pointer-dereference-in-_ex.patch
new file mode 100644
index 0000000..f632837
--- /dev/null
+++ b/patches.suse/IB-hfi1-Fix-possible-null-pointer-dereference-in-_ex.patch
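Review bot: `list_move(&sc->piowait, &wake_list)` relocates a single node, and the node passed here is the list head itself. As far as the list.h semantics go, that unlinks `sc->piowait` from its waiters and links the head into `wake_list` instead of transferring the queued `iowait` entries. The loop that follows would then apply `list_first_entry(&wake_list, struct iowait, list)` to the embedded head rather than to a waiter. `list_splice_init(&sc->piowait, &wake_list);` moves the entries, leaves `sc->piowait` empty and needs no `list_empty()` guard. The middle of sc_disable() is outside the hunk.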
@@ -0,0 +1,64 @@ +From cbe71c61992c38f72c2b625b2ef25916b9f0d060 Mon Sep 17 00:00:00 2001 +From: Tuo Li +Date: Fri, 6 Aug 2021 06:30:29 -0700 +Subject: [PATCH 1/1] IB/hfi1: Fix possible null-pointer dereference in + _extend_sdma_tx_descs() +Git-commit: cbe71c61992c38f72c2b625b2ef25916b9f0d060 +Patch-mainline: v5.14 +References: git-fixes + +kmalloc_array() is called to allocate memory for tx->descp. If it fails, +the function __sdma_txclean() is called: + __sdma_txclean(dd, tx); + +However, in the function __sdma_txclean(), tx-descp is dereferenced if +tx->num_desc is not zero: + sdma_unmap_desc(dd, &tx->descp[0]); + +To fix this possible null-pointer dereference, assign the return value of +kmalloc_array() to a local variable descp, and then assign it to tx->descp +if it is not NULL. Otherwise, go to enomem. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Link: https://lore.kernel.org/r/20210806133029.194964-1-islituo@gmail.com +Reported-by: TOTE Robot +Signed-off-by: Tuo Li +Tested-by: Mike Marciniszyn +Acked-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hfi1/sdma.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index eb15c310d63d..e83dc562629e 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -3055,6 +3055,7 @@ static void __sdma_process_event(struct sdma_engine *sde, + static int _extend_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + { + int i; ++ struct sdma_desc *descp; + + /* Handle last descriptor */ + if (unlikely((tx->num_desc == (MAX_DESC - 1)))) { +@@ -3075,12 +3076,10 @@ static int _extend_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + if (unlikely(tx->num_desc == MAX_DESC)) + goto enomem; + +- tx->descp = kmalloc_array( +- MAX_DESC, +- sizeof(struct sdma_desc), +- GFP_ATOMIC); +- if (!tx->descp) 
++ descp = kmalloc_array(MAX_DESC, sizeof(struct sdma_desc), GFP_ATOMIC); ++ if (!descp) + goto enomem; ++ tx->descp = descp; + + /* reserve last descriptor for coalescing */ + tx->desc_limit = MAX_DESC - 1; +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/IB-mlx4-Add-support-for-REJ-due-to-timeout.patch b/patches.suse/IB-mlx4-Add-support-for-REJ-due-to-timeout.patch new file mode 100644 index 0000000..759ab79 --- /dev/null +++ b/patches.suse/IB-mlx4-Add-support-for-REJ-due-to-timeout.patch 
@@ -0,0 +1,285 @@ +From 227a0e142e375909959a74b7782403e14331f6f3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Mon, 3 Aug 2020 08:19:40 +0200 +Subject: [PATCH 1/1] IB/mlx4: Add support for REJ due to timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 227a0e142e375909959a74b7782403e14331f6f3 +Patch-mainline: v5.10 +References: git-fixes + +A CM REJ packet with its reason equal to timeout is a special beast in the +sense that it doesn't have a Remote Communication ID nor does it have a +Remote Port GID. + +Using CX-3 virtual functions, either from a bare-metal machine or +pass-through from a VM, MAD packets are proxied through the PF driver. + +Since the VF drivers have separate name spaces for MAD Transaction Ids +(TIDs), the PF driver has to re-map the TIDs and keep the book keeping +in a cache. + +This proxying doesn't not handle said REJ packets. + +If the active side abandons its connection attempt after having sent a +REQ, it will send a REJ with the reason being timeout. This example can be +provoked by a simple user-verbs program, which ends up doing: + + rdma_connect(cm_id, &conn_param); + rdma_destroy_id(cm_id); + +using the async librdmacm API. + +Having dynamic debug prints enabled in the mlx4_ib driver, we will then +see: + +mlx4_ib_demux_cm_handler: Couldn't find an entry for pv_cm_id 0x0, attr_id 0x12 + +The solution is to introduce a radix-tree. When a REQ packet is received +and handled in mlx4_ib_demux_cm_handler(), we know the connecting peer's +para-virtual cm_id and the destination slave. We then insert an entry into +the tree with said information. We also schedule work to remove this entry +from the tree and free it, in order to avoid memory leak. + +When a REJ packet with reason timeout is received, we can look up the +slave in the tree, and deliver the packet to the correct slave. + +When a duplicate REQ packet is received, the entry is in the tree. 
In this +case, we adjust the delayed work in order to avoid a too premature +eviction of the entry. + +When cleaning up, we simply traverse the tree and modify any delayed work +to use a zero delay. A subsequent flush of the system_wq will ensure all +entries being wiped out. + +Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") +Link: https://lore.kernel.org/r/20200803061941.1139994-6-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx4/cm.c | 135 ++++++++++++++++++++++++++- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 3 + + 2 files changed, 137 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c +index 6f0ffd0906e6..b10737f74449 100644 +--- a/drivers/infiniband/hw/mlx4/cm.c ++++ b/drivers/infiniband/hw/mlx4/cm.c +@@ -54,11 +54,22 @@ struct id_map_entry { + struct delayed_work timeout; + }; + ++struct rej_tmout_entry { ++ int slave; ++ u32 rem_pv_cm_id; ++ struct delayed_work timeout; ++ struct radix_tree_root *rej_tmout_root; ++ /* Points to the mutex protecting this radix-tree */ ++ struct mutex *lock; ++}; ++ + struct cm_generic_msg { + struct ib_mad_hdr hdr; + + __be32 local_comm_id; + __be32 remote_comm_id; ++ unsigned char unused[2]; ++ __be16 rej_reason; + }; + + struct cm_sidr_generic_msg { +@@ -285,6 +296,7 @@ static void schedule_delayed(struct ib_device *ibdev, struct id_map_entry *id) + spin_unlock(&sriov->id_map_lock); + } + ++#define REJ_REASON(m) be16_to_cpu(((struct cm_generic_msg *)(m))->rej_reason) + int mlx4_ib_multiplex_cm_handler(struct ib_device *ibdev, int port, int slave_id, + struct ib_mad *mad) + { +@@ -295,7 +307,8 @@ int mlx4_ib_multiplex_cm_handler(struct ib_device *ibdev, int port, int slave_id + if (mad->mad_hdr.attr_id == CM_REQ_ATTR_ID || + mad->mad_hdr.attr_id == CM_REP_ATTR_ID || + mad->mad_hdr.attr_id == CM_MRA_ATTR_ID || +- mad->mad_hdr.attr_id == 
CM_SIDR_REQ_ATTR_ID) { ++ mad->mad_hdr.attr_id == CM_SIDR_REQ_ATTR_ID || ++ (mad->mad_hdr.attr_id == CM_REJ_ATTR_ID && REJ_REASON(mad) == IB_CM_REJ_TIMEOUT)) { + sl_cm_id = get_local_comm_id(mad); + id = id_map_get(ibdev, &pv_cm_id, slave_id, sl_cm_id); + if (id) +@@ -328,11 +341,88 @@ cont: + return 0; + } + ++static void rej_tmout_timeout(struct work_struct *work) ++{ ++ struct delayed_work *delay = to_delayed_work(work); ++ struct rej_tmout_entry *item = container_of(delay, struct rej_tmout_entry, timeout); ++ struct rej_tmout_entry *deleted; ++ ++ mutex_lock(item->lock); ++ deleted = radix_tree_delete_item(item->rej_tmout_root, item->rem_pv_cm_id, NULL); ++ mutex_unlock(item->lock); ++ ++ if (deleted != item) ++ pr_debug("deleted(%p) != item(%p)\n", deleted, item); ++ ++ kfree(item); ++} ++ ++static int alloc_rej_tmout(struct mlx4_ib_sriov *sriov, u32 rem_pv_cm_id, int slave) ++{ ++ struct rej_tmout_entry *item; ++ int sts; ++ ++ mutex_lock(&sriov->rej_tmout_lock); ++ item = radix_tree_lookup(&sriov->rej_tmout_root, (unsigned long)rem_pv_cm_id); ++ mutex_unlock(&sriov->rej_tmout_lock); ++ if (item) { ++ if (IS_ERR(item)) ++ return PTR_ERR(item); ++ /* If a retry, adjust delayed work */ ++ mod_delayed_work(system_wq, &item->timeout, CM_CLEANUP_CACHE_TIMEOUT); ++ return 0; ++ } ++ ++ item = kmalloc(sizeof(*item), GFP_KERNEL); ++ if (!item) ++ return -ENOMEM; ++ ++ INIT_DELAYED_WORK(&item->timeout, rej_tmout_timeout); ++ item->slave = slave; ++ item->rem_pv_cm_id = rem_pv_cm_id; ++ item->rej_tmout_root = &sriov->rej_tmout_root; ++ item->lock = &sriov->rej_tmout_lock; ++ ++ mutex_lock(&sriov->rej_tmout_lock); ++ sts = radix_tree_insert(&sriov->rej_tmout_root, (unsigned long)rem_pv_cm_id, item); ++ mutex_unlock(&sriov->rej_tmout_lock); ++ if (sts) ++ goto err_insert; ++ ++ schedule_delayed_work(&item->timeout, CM_CLEANUP_CACHE_TIMEOUT); ++ ++ return 0; ++ ++err_insert: ++ kfree(item); ++ return sts; ++} ++ ++static int lookup_rej_tmout_slave(struct mlx4_ib_sriov 
*sriov, u32 rem_pv_cm_id) ++{ ++ struct rej_tmout_entry *item; ++ ++ mutex_lock(&sriov->rej_tmout_lock); ++ item = radix_tree_lookup(&sriov->rej_tmout_root, (unsigned long)rem_pv_cm_id); ++ mutex_unlock(&sriov->rej_tmout_lock); ++ ++ if (!item || IS_ERR(item)) { ++ pr_debug("Could not find slave. rem_pv_cm_id 0x%x error: %d\n", ++ rem_pv_cm_id, (int)PTR_ERR(item)); ++ return !item ? -ENOENT : PTR_ERR(item); ++ } ++ ++ return item->slave; ++} ++ + int mlx4_ib_demux_cm_handler(struct ib_device *ibdev, int port, int *slave, + struct ib_mad *mad) + { ++ struct mlx4_ib_sriov *sriov = &to_mdev(ibdev)->sriov; ++ u32 rem_pv_cm_id = get_local_comm_id(mad); + u32 pv_cm_id; + struct id_map_entry *id; ++ int sts; + + if (mad->mad_hdr.attr_id == CM_REQ_ATTR_ID || + mad->mad_hdr.attr_id == CM_SIDR_REQ_ATTR_ID) { +@@ -348,6 +438,13 @@ int mlx4_ib_demux_cm_handler(struct ib_device *ibdev, int port, int *slave, + be64_to_cpu(gid.global.interface_id)); + return -ENOENT; + } ++ ++ sts = alloc_rej_tmout(sriov, rem_pv_cm_id, *slave); ++ if (sts) ++ /* Even if this fails, we pass on the REQ to the slave */ ++ pr_debug("Could not allocate rej_tmout entry. rem_pv_cm_id 0x%x slave %d status %d\n", ++ rem_pv_cm_id, *slave, sts); ++ + return 0; + } + +@@ -355,6 +452,12 @@ int mlx4_ib_demux_cm_handler(struct ib_device *ibdev, int port, int *slave, + id = id_map_get(ibdev, (int *)&pv_cm_id, -1, -1); + + if (!id) { ++ if (mad->mad_hdr.attr_id == CM_REJ_ATTR_ID && ++ REJ_REASON(mad) == IB_CM_REJ_TIMEOUT && slave) { ++ *slave = lookup_rej_tmout_slave(sriov, rem_pv_cm_id); ++ ++ return (*slave < 0) ? 
*slave : 0; ++ } + pr_debug("Couldn't find an entry for pv_cm_id 0x%x, attr_id 0x%x\n", + pv_cm_id, be16_to_cpu(mad->mad_hdr.attr_id)); + return -ENOENT; +@@ -377,6 +480,34 @@ void mlx4_ib_cm_paravirt_init(struct mlx4_ib_dev *dev) + INIT_LIST_HEAD(&dev->sriov.cm_list); + dev->sriov.sl_id_map = RB_ROOT; + xa_init_flags(&dev->sriov.pv_id_table, XA_FLAGS_ALLOC); ++ mutex_init(&dev->sriov.rej_tmout_lock); ++ INIT_RADIX_TREE(&dev->sriov.rej_tmout_root, GFP_KERNEL); ++} ++ ++static void rej_tmout_tree_cleanup(struct mlx4_ib_sriov *sriov, int slave) ++{ ++ struct radix_tree_iter iter; ++ bool flush_needed = false; ++ __rcu void **slot; ++ int cnt = 0; ++ ++ mutex_lock(&sriov->rej_tmout_lock); ++ radix_tree_for_each_slot(slot, &sriov->rej_tmout_root, &iter, 0) { ++ struct rej_tmout_entry *item = *slot; ++ ++ if (slave < 0 || slave == item->slave) { ++ mod_delayed_work(system_wq, &item->timeout, 0); ++ flush_needed = true; ++ ++cnt; ++ } ++ } ++ mutex_unlock(&sriov->rej_tmout_lock); ++ ++ if (flush_needed) { ++ flush_scheduled_work(); ++ pr_debug("Deleted %d entries in radix_tree for slave %d during cleanup\n", ++ slave, cnt); ++ } + } + + /* slave = -1 ==> all slaves */ +@@ -446,4 +577,6 @@ void mlx4_ib_cm_paravirt_clean(struct mlx4_ib_dev *dev, int slave) + list_del(&map->list); + kfree(map); + } ++ ++ rej_tmout_tree_cleanup(sriov, slave); + } +diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h +index 27bb23756663..bcac8fc50317 100644 +--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h ++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h +@@ -495,6 +495,9 @@ struct mlx4_ib_sriov { + spinlock_t id_map_lock; + struct rb_root sl_id_map; + struct list_head cm_list; ++ /* Protects the radix-tree */ ++ struct mutex rej_tmout_lock; ++ struct radix_tree_root rej_tmout_root; + }; + + struct gid_cache_context { +-- +2.38.0.1.gee35aeee4b76 + 
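Review bot: In alloc_rej_tmout() and lookup_rej_tmout_slave() the entry returned by radix_tree_lookup() is used after `rej_tmout_lock` has been dropped, by `mod_delayed_work(system_wq, &item->timeout, ...)` and by `item->slave`. rej_tmout_timeout() deletes the same entry under that lock and then calls `kfree(item)`, so if the delayed work fires in that window the entry is freed while still in use. Holding the mutex until the field has been read or the work re-armed closes the window; the lookup side is sketched below and the retry branch of alloc_rej_tmout() needs the same treatment. The lookup and the later radix_tree_insert() in alloc_rej_tmout() are also separate critical sections, so two REQs for the same id can both reach the insert. Minor: the pr_debug in rej_tmout_tree_cleanup() passes `slave, cnt` to a format that prints the entry count first.

```c
static int lookup_rej_tmout_slave(struct mlx4_ib_sriov *sriov, u32 rem_pv_cm_id)
{
	struct rej_tmout_entry *item;
	int slave;

	mutex_lock(&sriov->rej_tmout_lock);
	item = radix_tree_lookup(&sriov->rej_tmout_root, (unsigned long)rem_pv_cm_id);
	/* read the field while the lock still keeps rej_tmout_timeout() from freeing item */
	if (!item)
		slave = -ENOENT;
	else if (IS_ERR(item))
		slave = PTR_ERR(item);
	else
		slave = item->slave;
	mutex_unlock(&sriov->rej_tmout_lock);

	if (slave < 0)
		pr_debug("Could not find slave. rem_pv_cm_id 0x%x error: %d\n",
			 rem_pv_cm_id, slave);

	return slave;
}
```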
diff --git a/patches.suse/IB-mlx4-Use-port-iterator-and-validation-APIs.patch b/patches.suse/IB-mlx4-Use-port-iterator-and-validation-APIs.patch new file mode 100644 index 0000000..ae0b7e3 --- /dev/null +++ b/patches.suse/IB-mlx4-Use-port-iterator-and-validation-APIs.patch 
@@ -0,0 +1,59 @@ +From 6504c772551e809b4cc21fa720d6bba703d5c199 Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Wed, 27 Jan 2021 17:00:09 +0200 +Subject: [PATCH 1/1] IB/mlx4: Use port iterator and validation APIs +Git-commit: 6504c772551e809b4cc21fa720d6bba703d5c199 +Patch-mainline: v5.12 +References: git-fixes + +Use IB core provided routine to check if the port is valid or not and to +iterate over IB ports. + +Link: https://lore.kernel.org/r/20210127150010.1876121-10-leon@kernel.org +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx4/main.c | 2 +- + drivers/infiniband/hw/mlx4/sysfs.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c +index e3cd402c079a..f26a0d920842 100644 +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -1699,7 +1699,7 @@ static struct ib_flow *mlx4_ib_create_flow(struct ib_qp *qp, + struct mlx4_dev *dev = (to_mdev(qp->device))->dev; + int is_bonded = mlx4_is_bonded(dev); + +- if (flow_attr->port < 1 || flow_attr->port > qp->device->phys_port_cnt) ++ if (!rdma_is_port_valid(qp->device, flow_attr->port)) + return ERR_PTR(-EINVAL); + + if (flow_attr->flags & ~IB_FLOW_ATTR_FLAGS_DONT_TRAP) +diff --git a/drivers/infiniband/hw/mlx4/sysfs.c b/drivers/infiniband/hw/mlx4/sysfs.c +index 1b5891130aab..24ee79aa2122 100644 +--- a/drivers/infiniband/hw/mlx4/sysfs.c ++++ b/drivers/infiniband/hw/mlx4/sysfs.c +@@ -798,7 +798,7 @@ static void unregister_pkey_tree(struct mlx4_ib_dev *device) + + int mlx4_ib_device_register_sysfs(struct mlx4_ib_dev *dev) + { +- int i; ++ unsigned int i; + int ret = 0; + + if (!mlx4_is_master(dev->dev)) +@@ -817,7 +817,7 @@ int mlx4_ib_device_register_sysfs(struct mlx4_ib_dev *dev) + goto err_ports; + } + +- for (i = 1; i <= dev->ib_dev.phys_port_cnt; ++i) { ++ 
rdma_for_each_port(&dev->ib_dev, i) { + ret = add_port_entries(dev, i); + if (ret) + goto err_add_entries; +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch b/patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch new file mode 100644 index 0000000..99671a3 --- /dev/null +++ b/patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch 
@@ -0,0 +1,120 @@ +From d39bf40e55e666b5905fdbd46a0dced030ce87be Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Tue, 12 Oct 2021 13:55:19 -0400 +Subject: [PATCH 1/1] IB/qib: Protect from buffer overflow in struct + qib_user_sdma_pkt fields +Git-commit: d39bf40e55e666b5905fdbd46a0dced030ce87be +Patch-mainline: v5.15 +References: git-fixes + +Overflowing either addrlimit or bytes_togo can allow userspace to trigger +a buffer overflow of kernel memory. Check for overflows in all the places +doing math on user controlled buffers. + +Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters") +Link: https://lore.kernel.org/r/20211012175519.7298.77738.stgit@awfm-01.cornelisnetworks.com +Reported-by: Ilja Van Sprundel +Reviewed-by: Dennis Dalessandro +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/qib/qib_user_sdma.c | 33 ++++++++++++++++------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c +index a67599b5a550..ac11943a5ddb 100644 +--- a/drivers/infiniband/hw/qib/qib_user_sdma.c ++++ b/drivers/infiniband/hw/qib/qib_user_sdma.c +@@ -602,7 +602,7 @@ done: + /* + * How many pages in this iovec element? 
+ */ +-static int qib_user_sdma_num_pages(const struct iovec *iov) ++static size_t qib_user_sdma_num_pages(const struct iovec *iov) + { + const unsigned long addr = (unsigned long) iov->iov_base; + const unsigned long len = iov->iov_len; +@@ -658,7 +658,7 @@ static void qib_user_sdma_free_pkt_frag(struct device *dev, + static int qib_user_sdma_pin_pages(const struct qib_devdata *dd, + struct qib_user_sdma_queue *pq, + struct qib_user_sdma_pkt *pkt, +- unsigned long addr, int tlen, int npages) ++ unsigned long addr, int tlen, size_t npages) + { + struct page *pages[8]; + int i, j; +@@ -722,7 +722,7 @@ static int qib_user_sdma_pin_pkt(const struct qib_devdata *dd, + unsigned long idx; + + for (idx = 0; idx < niov; idx++) { +- const int npages = qib_user_sdma_num_pages(iov + idx); ++ const size_t npages = qib_user_sdma_num_pages(iov + idx); + const unsigned long addr = (unsigned long) iov[idx].iov_base; + + ret = qib_user_sdma_pin_pages(dd, pq, pkt, addr, +@@ -824,8 +824,8 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, + unsigned pktnw; + unsigned pktnwc; + int nfrags = 0; +- int npages = 0; +- int bytes_togo = 0; ++ size_t npages = 0; ++ size_t bytes_togo = 0; + int tiddma = 0; + int cfur; + +@@ -885,7 +885,11 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, + + npages += qib_user_sdma_num_pages(&iov[idx]); + +- bytes_togo += slen; ++ if (check_add_overflow(bytes_togo, slen, &bytes_togo) || ++ bytes_togo > type_max(typeof(pkt->bytes_togo))) { ++ ret = -EINVAL; ++ goto free_pbc; ++ } + pktnwc += slen >> 2; + idx++; + nfrags++; +@@ -904,8 +908,7 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, + } + + if (frag_size) { +- int tidsmsize, n; +- size_t pktsize; ++ size_t tidsmsize, n, pktsize, sz, addrlimit; + + n = npages*((2*PAGE_SIZE/frag_size)+1); + pktsize = struct_size(pkt, addr, n); +@@ -923,14 +926,24 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, + else + tidsmsize = 0; + +- pkt = 
kmalloc(pktsize+tidsmsize, GFP_KERNEL); ++ if (check_add_overflow(pktsize, tidsmsize, &sz)) { ++ ret = -EINVAL; ++ goto free_pbc; ++ } ++ pkt = kmalloc(sz, GFP_KERNEL); + if (!pkt) { + ret = -ENOMEM; + goto free_pbc; + } + pkt->largepkt = 1; + pkt->frag_size = frag_size; +- pkt->addrlimit = n + ARRAY_SIZE(pkt->addr); ++ if (check_add_overflow(n, ARRAY_SIZE(pkt->addr), ++ &addrlimit) || ++ addrlimit > type_max(typeof(pkt->addrlimit))) { ++ ret = -EINVAL; ++ goto free_pbc; ++ } ++ pkt->addrlimit = addrlimit; + + if (tiddma) { + char *tidsm = (char *)pkt + pktsize; +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/IB-rdmavt-Add-__init-__exit-annotations-to-module-in.patch b/patches.suse/IB-rdmavt-Add-__init-__exit-annotations-to-module-in.patch new file mode 100644 index 0000000..9e0de27 --- /dev/null +++ b/patches.suse/IB-rdmavt-Add-__init-__exit-annotations-to-module-in.patch 
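Review bot: The new `addrlimit` overflow branch in qib_user_sdma_queue_pkts() runs after `pkt = kmalloc(sz, GFP_KERNEL)` has succeeded, yet it exits through `goto free_pbc`, the same label the failed-allocation path uses. As far as the hunk shows, `pkt` is therefore not released on that path. The sizes involved are derived from user-supplied iovec lengths, so this error path is presumably reachable from userspace and would leak kernel memory each time it is taken. Either perform the `check_add_overflow(n, ARRAY_SIZE(pkt->addr), &addrlimit)` test before the allocation, or release the buffer first with `kfree(pkt);` ahead of `goto free_pbc;`. The cleanup labels are outside the hunk, so confirm what free_pbc actually frees.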
@@ -0,0 +1,45 @@ +From 78657a445ca7603024348781c921f8ecaee10a49 Mon Sep 17 00:00:00 2001 +From: Xiu Jianfeng +Date: Sat, 24 Sep 2022 17:14:57 +0800 +Subject: [PATCH 1/1] IB/rdmavt: Add __init/__exit annotations to module + init/exit funcs +Git-commit: 78657a445ca7603024348781c921f8ecaee10a49 +Patch-mainline: v6.1-rc1 +References: git-fixes + +Add missing __init/__exit annotations to module init/exit funcs. + +Fixes: 0194621b2253 ("IB/rdmavt: Create module framework and handle driver registration") +Link: https://lore.kernel.org/r/20220924091457.52446-1-xiujianfeng@huawei.com +Signed-off-by: Xiu Jianfeng +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rdmavt/vt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c +index 59481ae39505..d61f8de7f21c 100644 +--- a/drivers/infiniband/sw/rdmavt/vt.c ++++ b/drivers/infiniband/sw/rdmavt/vt.c +@@ -15,7 +15,7 @@ + MODULE_LICENSE("Dual BSD/GPL"); + MODULE_DESCRIPTION("RDMA Verbs Transport Library"); + +-static int rvt_init(void) ++static int __init rvt_init(void) + { + int ret = rvt_driver_cq_init(); + +@@ -26,7 +26,7 @@ static int rvt_init(void) + } + module_init(rvt_init); + +-static void rvt_cleanup(void) ++static void __exit rvt_cleanup(void) + { + rvt_cq_exit(); + } +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/IB-srpt-Remove-redundant-assignment-to-ret.patch b/patches.suse/IB-srpt-Remove-redundant-assignment-to-ret.patch new file mode 100644 index 0000000..18a846f --- /dev/null +++ b/patches.suse/IB-srpt-Remove-redundant-assignment-to-ret.patch 
@@ -0,0 +1,48 @@ +From 74ec2424737a9d5ffa6e4f957e57fb1baff19a5c Mon Sep 17 00:00:00 2001 +From: Yang Li +Date: Thu, 6 May 2021 18:15:05 +0800 +Subject: [PATCH 1/1] IB/srpt: Remove redundant assignment to ret +Git-commit: 74ec2424737a9d5ffa6e4f957e57fb1baff19a5c +Patch-mainline: v5.14 +References: git-fixes + +Variable 'ret' is set to -ENOMEM but this value is never read as it is +overwritten with a new value later on, hence it is a redundant assignment +and can be removed + +In 'commit b79fafac70fc ("target: make queue_tm_rsp() return void")' +srpt_queue_response() has been changed to return void, so after "goto +out", there is no need to return ret. + +Clean up the following clang-analyzer warning: + +drivers/infiniband/ulp/srpt/ib_srpt.c:2860:3: warning: Value stored to +'ret' is never read [clang-analyzer-deadcode.DeadStores] + +Fixes: b99f8e4d7bcd ("IB/srpt: convert to the generic RDMA READ/WRITE API") +Link: https://lore.kernel.org/r/1620296105-121964-1-git-send-email-yang.lee@linux.alibaba.com +Reported-by: Abaci Robot +Signed-off-by: Yang Li +Reviewed-by: Leon Romanovsky +Reviewed-by: Bart Van Assche +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index ea447805d4ea..3cadf1295417 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2858,7 +2858,6 @@ static void srpt_queue_response(struct se_cmd *cmd) + &ch->sq_wr_avail) < 0)) { + pr_warn("%s: IB send queue full (needed %d)\n", + __func__, ioctx->n_rdma); +- ret = -ENOMEM; + goto out; + } + +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged b/patches.suse/KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged new file mode 100644 index 0000000..b9a104f --- /dev/null 
+++ b/patches.suse/KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged 
@@ -0,0 +1,123 @@ +From: Sean Christopherson +Date: Fri, 2 Jul 2021 15:04:23 -0700 +Subject: KVM: Add infrastructure and macro to mark VM as bugged +Git-commit: 0b8f11737cffc1a406d1134b58687abc29d76b52 +Patch-mainline: v5.15-rc1 +References: bsc#1200788 CVE-2022-2153 + +Signed-off-by: Sean Christopherson +Signed-off-by: Isaku Yamahata +Reviewed-by: Paolo Bonzini +Message-Id: <3a0998645c328bf0895f1290e61821b70f048549.1625186503.git.isaku.yamahata@intel.com> +Signed-off-by: Paolo Bonzini +Acked-by: Dario Faggioli +--- + include/linux/kvm_host.h | 28 +++++++++++++++++++++++++++- + virt/kvm/kvm_main.c | 10 +++++----- + 2 files changed, 32 insertions(+), 6 deletions(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -146,6 +146,7 @@ + #define KVM_REQ_MMU_RELOAD (1 | KVM_REQUEST_WAIT | KVM_REQUEST_NO_WAKEUP) + #define KVM_REQ_PENDING_TIMER 2 + #define KVM_REQ_UNHALT 3 ++#define KVM_REQ_VM_BUGGED (4 | KVM_REQUEST_WAIT | KVM_REQUEST_NO_WAKEUP) + #define KVM_REQUEST_ARCH_BASE 8 + + #define KVM_ARCH_REQ_FLAGS(nr, flags) ({ \ +@@ -501,6 +502,7 @@ + struct srcu_struct srcu; + struct srcu_struct irq_srcu; + pid_t userspace_pid; ++ bool vm_bugged; + }; + + #define kvm_err(fmt, ...) \ +@@ -529,6 +531,31 @@ + #define vcpu_err(vcpu, fmt, ...) \ + kvm_err("vcpu%i " fmt, (vcpu)->vcpu_id, ## __VA_ARGS__) + ++bool kvm_make_all_cpus_request(struct kvm *kvm, unsigned int req); ++static inline void kvm_vm_bugged(struct kvm *kvm) ++{ ++ kvm->vm_bugged = true; ++ kvm_make_all_cpus_request(kvm, KVM_REQ_VM_BUGGED); ++} ++ ++#define KVM_BUG(cond, kvm, fmt...) 
\ ++({ \ ++ int __ret = (cond); \ ++ \ ++ if (WARN_ONCE(__ret && !(kvm)->vm_bugged, fmt)) \ ++ kvm_vm_bugged(kvm); \ ++ unlikely(__ret); \ ++}) ++ ++#define KVM_BUG_ON(cond, kvm) \ ++({ \ ++ int __ret = (cond); \ ++ \ ++ if (WARN_ON_ONCE(__ret && !(kvm)->vm_bugged)) \ ++ kvm_vm_bugged(kvm); \ ++ unlikely(__ret); \ ++}) ++ + static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx) + { + return srcu_dereference_check(kvm->buses[idx], &kvm->srcu, +@@ -817,7 +844,6 @@ + + bool kvm_make_vcpus_request_mask(struct kvm *kvm, unsigned int req, + unsigned long *vcpu_bitmap, cpumask_var_t tmp); +-bool kvm_make_all_cpus_request(struct kvm *kvm, unsigned int req); + + long kvm_arch_dev_ioctl(struct file *filp, + unsigned int ioctl, unsigned long arg); +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2893,7 +2893,7 @@ + struct kvm_fpu *fpu = NULL; + struct kvm_sregs *kvm_sregs = NULL; + +- if (vcpu->kvm->mm != current->mm) ++ if (vcpu->kvm->mm != current->mm || vcpu->kvm->vm_bugged) + return -EIO; + + if (unlikely(_IOC_TYPE(ioctl) != KVMIO)) +@@ -3100,7 +3100,7 @@ + void __user *argp = compat_ptr(arg); + int r; + +- if (vcpu->kvm->mm != current->mm) ++ if (vcpu->kvm->mm != current->mm || vcpu->kvm->vm_bugged) + return -EIO; + + switch (ioctl) { +@@ -3165,7 +3165,7 @@ + { + struct kvm_device *dev = filp->private_data; + +- if (dev->kvm->mm != current->mm) ++ if (dev->kvm->mm != current->mm || dev->kvm->vm_bugged) + return -EIO; + + switch (ioctl) { +@@ -3366,7 +3366,7 @@ + void __user *argp = (void __user *)arg; + int r; + +- if (kvm->mm != current->mm) ++ if (kvm->mm != current->mm || kvm->vm_bugged) + return -EIO; + switch (ioctl) { + case KVM_CREATE_VCPU: +@@ -3564,7 +3564,7 @@ + struct kvm *kvm = filp->private_data; + int r; + +- if (kvm->mm != current->mm) ++ if (kvm->mm != current->mm || kvm->vm_bugged) + return -EIO; + switch (ioctl) { + case KVM_GET_DIRTY_LOG: { 
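Review bot: `int __ret = (cond);` in both KVM_BUG and KVM_BUG_ON truncates the condition to int, so a 64-bit value whose low 32 bits are zero (a u64 flag mask, for example) would evaluate as false and the VM would not be marked bugged. Normalising the value first avoids that: `bool __ret = !!(cond);`. Separately, `vm_bugged` is written in kvm_vm_bugged() and read in the ioctl entry checks added in virt/kvm/kvm_main.c with no locking or READ_ONCE/WRITE_ONCE visible in the hunk. A comment on the field such as `/* set once, read locklessly in the ioctl entry checks */` would tell the next reader that this is intentional.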
diff --git a/patches.suse/KVM-s390-Clarify-SIGP-orders-versus-STOP-RESTART b/patches.suse/KVM-s390-Clarify-SIGP-orders-versus-STOP-RESTART new file mode 100644 index 0000000..e47da8d --- /dev/null +++ b/patches.suse/KVM-s390-Clarify-SIGP-orders-versus-STOP-RESTART 
@@ -0,0 +1,119 @@ +From: Eric Farman +Date: Mon, 13 Dec 2021 22:05:50 +0100 +Subject: KVM: s390: Clarify SIGP orders versus STOP/RESTART +Git-commit: 812de04661c4daa7ac385c0dfd62594540538034 +Patch-mainline: v5.17-rc1 +References: git-fixes + +With KVM_CAP_S390_USER_SIGP, there are only five Signal Processor +orders (CONDITIONAL EMERGENCY SIGNAL, EMERGENCY SIGNAL, EXTERNAL CALL, +SENSE, and SENSE RUNNING STATUS) which are intended for frequent use +and thus are processed in-kernel. The remainder are sent to userspace +with the KVM_CAP_S390_USER_SIGP capability. Of those, three orders +(RESTART, STOP, and STOP AND STORE STATUS) have the potential to +inject work back into the kernel, and thus are asynchronous. + +Let's look for those pending IRQs when processing one of the in-kernel +SIGP orders, and return BUSY (CC2) if one is in process. This is in +agreement with the Principles of Operation, which states that only one +order can be "active" on a CPU at a time. + +Cc: stable@vger.kernel.org +Suggested-by: David Hildenbrand +Signed-off-by: Eric Farman +Reviewed-by: Christian Borntraeger +Acked-by: David Hildenbrand +Link: https://lore.kernel.org/r/20211213210550.856213-2-farman@linux.ibm.com +[borntraeger@linux.ibm.com: add stable tag] +Signed-off-by: Christian Borntraeger +Acked-by: Petr Tesarik +--- + arch/s390/kvm/interrupt.c | 7 +++++++ + arch/s390/kvm/kvm-s390.c | 9 +++++++-- + arch/s390/kvm/kvm-s390.h | 1 + + arch/s390/kvm/sigp.c | 28 ++++++++++++++++++++++++++++ + 4 files changed, 43 insertions(+), 2 deletions(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -2116,6 +2116,13 @@ int kvm_s390_is_stop_irq_pending(struct + return test_bit(IRQ_PEND_SIGP_STOP, &li->pending_irqs); + } + ++int kvm_s390_is_restart_irq_pending(struct kvm_vcpu *vcpu) ++{ ++ struct kvm_s390_local_interrupt *li = &vcpu->arch.local_int; ++ ++ return test_bit(IRQ_PEND_RESTART, &li->pending_irqs); ++} ++ + void kvm_s390_clear_stop_irq(struct kvm_vcpu *vcpu) + { + 
struct kvm_s390_local_interrupt *li = &vcpu->arch.local_int; +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -4590,10 +4590,15 @@ int kvm_s390_vcpu_stop(struct kvm_vcpu * + } + } + +- /* SIGP STOP and SIGP STOP AND STORE STATUS has been fully processed */ ++ /* ++ * Set the VCPU to STOPPED and THEN clear the interrupt flag, ++ * now that the SIGP STOP and SIGP STOP AND STORE STATUS orders ++ * have been fully processed. This will ensure that the VCPU ++ * is kept BUSY if another VCPU is inquiring with SIGP SENSE. ++ */ ++ kvm_s390_set_cpuflags(vcpu, CPUSTAT_STOPPED); + kvm_s390_clear_stop_irq(vcpu); + +- kvm_s390_set_cpuflags(vcpu, CPUSTAT_STOPPED); + __disable_ibs_on_vcpu(vcpu); + + for (i = 0; i < online_vcpus; i++) { +--- a/arch/s390/kvm/kvm-s390.h ++++ b/arch/s390/kvm/kvm-s390.h +@@ -418,6 +418,7 @@ void kvm_s390_destroy_adapters(struct kv + int kvm_s390_ext_call_pending(struct kvm_vcpu *vcpu); + extern struct kvm_device_ops kvm_flic_ops; + int kvm_s390_is_stop_irq_pending(struct kvm_vcpu *vcpu); ++int kvm_s390_is_restart_irq_pending(struct kvm_vcpu *vcpu); + void kvm_s390_clear_stop_irq(struct kvm_vcpu *vcpu); + int kvm_s390_set_irq_state(struct kvm_vcpu *vcpu, + void __user *buf, int len); +--- a/arch/s390/kvm/sigp.c ++++ b/arch/s390/kvm/sigp.c +@@ -288,6 +288,34 @@ static int handle_sigp_dst(struct kvm_vc + if (!dst_vcpu) + return SIGP_CC_NOT_OPERATIONAL; + ++ /* ++ * SIGP RESTART, SIGP STOP, and SIGP STOP AND STORE STATUS orders ++ * are processed asynchronously. Until the affected VCPU finishes ++ * its work and calls back into KVM to clear the (RESTART or STOP) ++ * interrupt, we need to return any new non-reset orders "busy". ++ * ++ * This is important because a single VCPU could issue: ++ * 1) SIGP STOP $DESTINATION ++ * 2) SIGP SENSE $DESTINATION ++ * ++ * If the SIGP SENSE would not be rejected as "busy", it could ++ * return an incorrect answer as to whether the VCPU is STOPPED ++ * or OPERATING. 
++ */ ++ if (order_code != SIGP_INITIAL_CPU_RESET && ++ order_code != SIGP_CPU_RESET) { ++ /* ++ * Lockless check. Both SIGP STOP and SIGP (RE)START ++ * properly synchronize everything while processing ++ * their orders, while the guest cannot observe a ++ * difference when issuing other orders from two ++ * different VCPUs. ++ */ ++ if (kvm_s390_is_stop_irq_pending(dst_vcpu) || ++ kvm_s390_is_restart_irq_pending(dst_vcpu)) ++ return SIGP_CC_BUSY; ++ } ++ + switch (order_code) { + case SIGP_SENSE: + vcpu->stat.instruction_sigp_sense++; diff --git a/patches.suse/KVM-s390-VSIE-fix-MVPG-handling-for-prefixing-and-MSO b/patches.suse/KVM-s390-VSIE-fix-MVPG-handling-for-prefixing-and-MSO new file mode 100644 index 0000000..a2e70b1 --- /dev/null +++ b/patches.suse/KVM-s390-VSIE-fix-MVPG-handling-for-prefixing-and-MSO 
@@ -0,0 +1,50 @@ +From: Claudio Imbrenda +Date: Mon, 22 Mar 2021 15:05:59 +0100 +Subject: KVM: s390: VSIE: fix MVPG handling for prefixing and MSO +Git-commit: c3171e94cc1cdcc3229565244112e869f052b8d9 +Patch-mainline: v5.13-rc1 +References: git-fixes + +Prefixing needs to be applied to the guest real address to translate it +into a guest absolute address. + +The value of MSO needs to be added to a guest-absolute address in order to +obtain the host-virtual. + +Fixes: bdf7509bbefa ("s390/kvm: VSIE: correctly handle MVPG when in VSIE") +Reported-by: Janosch Frank +Signed-off-by: Claudio Imbrenda +Reviewed-by: David Hildenbrand +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210322140559.500716-3-imbrenda@linux.ibm.com +[borntraeger@de.ibm.com simplify mso] +Signed-off-by: Christian Borntraeger +Acked-by: Petr Tesarik +--- + arch/s390/kvm/vsie.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/vsie.c ++++ b/arch/s390/kvm/vsie.c +@@ -1001,7 +1001,7 @@ static u64 vsie_get_register(struct kvm_ + static int vsie_handle_mvpg(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page) + { + struct kvm_s390_sie_block *scb_s = &vsie_page->scb_s; +- unsigned long pei_dest, pei_src, src, dest, mask; ++ unsigned long pei_dest, pei_src, src, dest, mask, prefix; + u64 *pei_block = &vsie_page->scb_o->mcic; + int edat, rc_dest, rc_src; + union ctlreg0 cr0; +@@ -1009,9 +1009,12 @@ static int vsie_handle_mvpg(struct kvm_v + cr0.val = vcpu->arch.sie_block->gcr[0]; + edat = cr0.edat && test_kvm_facility(vcpu->kvm, 8); + mask = _kvm_s390_logical_to_effective(&scb_s->gpsw, PAGE_MASK); ++ prefix = scb_s->prefix << GUEST_PREFIX_SHIFT; + + dest = vsie_get_register(vcpu, vsie_page, scb_s->ipb >> 20) & mask; ++ dest = _kvm_s390_real_to_abs(prefix, dest) + scb_s->mso; + src = vsie_get_register(vcpu, vsie_page, scb_s->ipb >> 16) & mask; ++ src = _kvm_s390_real_to_abs(prefix, src) + scb_s->mso; + + rc_dest = kvm_s390_shadow_fault(vcpu, vsie_page->gmap, 
dest, &pei_dest); + rc_src = kvm_s390_shadow_fault(vcpu, vsie_page->gmap, src, &pei_src); diff --git a/patches.suse/KVM-s390-clear-kicked_mask-before-sleeping-again b/patches.suse/KVM-s390-clear-kicked_mask-before-sleeping-again new file mode 100644 index 0000000..6f10e32 --- /dev/null +++ b/patches.suse/KVM-s390-clear-kicked_mask-before-sleeping-again 
@@ -0,0 +1,48 @@ +From: Halil Pasic +Date: Tue, 19 Oct 2021 19:53:59 +0200 +Subject: KVM: s390: clear kicked_mask before sleeping again +Git-commit: 9b57e9d5010bbed7c0d9d445085840f7025e6f9a +Patch-mainline: v5.15 +References: git-fixes + +The idea behind kicked mask is that we should not re-kick a vcpu that +is already in the "kick" process, i.e. that was kicked and is +is about to be dispatched if certain conditions are met. + +The problem with the current implementation is, that it assumes the +kicked vcpu is going to enter SIE shortly. But under certain +circumstances, the vcpu we just kicked will be deemed non-runnable and +will remain in wait state. This can happen, if the interrupt(s) this +vcpu got kicked to deal with got already cleared (because the interrupts +got delivered to another vcpu). In this case kvm_arch_vcpu_runnable() +would return false, and the vcpu would remain in kvm_vcpu_block(), +but this time with its kicked_mask bit set. So next time around we +wouldn't kick the vcpu form __airqs_kick_single_vcpu(), but would assume +that we just kicked it. + +Let us make sure the kicked_mask is cleared before we give up on +re-dispatching the vcpu. + +Fixes: 9f30f6216378 ("KVM: s390: add gib_alert_irq_handler()") +Reported-by: Matthew Rosato +Signed-off-by: Halil Pasic +Reviewed-by: Christian Borntraeger +Reviewed-by: Michael Mueller +Reviewed-by: Claudio Imbrenda +Link: https://lore.kernel.org/r/20211019175401.3757927-2-pasic@linux.ibm.com +Signed-off-by: Christian Borntraeger +Acked-by: Petr Tesarik +--- + arch/s390/kvm/kvm-s390.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -3319,6 +3319,7 @@ out: + + int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu) + { ++ clear_bit(vcpu->vcpu_idx, vcpu->kvm->arch.gisa_int.kicked_mask); + return kvm_s390_vcpu_has_irq(vcpu, 0); + } + 
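Review bot: kvm_arch_vcpu_runnable() reads like a pure predicate but now clears the vCPU's bit in `kicked_mask` on every call, and nothing at the call site explains why. A comment above the `clear_bit()` would record the reasoning from the commit message, for example `/* we are about to decide whether to sleep again: drop our kicked_mask bit so a later alert can kick this vcpu */`. The callers of this hook are not visible here, so it is worth confirming that all of them are on the blocking path and that clearing the bit from any other caller is harmless.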
diff --git a/patches.suse/KVM-s390-preserve-deliverable_mask-in-__airqs_kick_single_vcpu b/patches.suse/KVM-s390-preserve-deliverable_mask-in-__airqs_kick_single_vcpu new file mode 100644 index 0000000..ea5e60d --- /dev/null +++ b/patches.suse/KVM-s390-preserve-deliverable_mask-in-__airqs_kick_single_vcpu 
@@ -0,0 +1,44 @@ +From: Halil Pasic +Date: Tue, 19 Oct 2021 19:54:00 +0200 +Subject: KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu +Git-commit: 0e9ff65f455dfd0a8aea5e7843678ab6fe097e21 +Patch-mainline: v5.15 +References: git-fixes + +Changing the deliverable mask in __airqs_kick_single_vcpu() is a bug. If +one idle vcpu can't take the interrupts we want to deliver, we should +look for another vcpu that can, instead of saying that we don't want +to deliver these interrupts by clearing the bits from the +deliverable_mask. + +Fixes: 9f30f6216378 ("KVM: s390: add gib_alert_irq_handler()") +Signed-off-by: Halil Pasic +Reviewed-by: Christian Borntraeger +Reviewed-by: Michael Mueller +Reviewed-by: Claudio Imbrenda +Link: https://lore.kernel.org/r/20211019175401.3757927-3-pasic@linux.ibm.com +Signed-off-by: Christian Borntraeger +Acked-by: Petr Tesarik +--- + arch/s390/kvm/interrupt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -3054,13 +3054,14 @@ static void __airqs_kick_single_vcpu(str + int vcpu_idx, online_vcpus = atomic_read(&kvm->online_vcpus); + struct kvm_s390_gisa_interrupt *gi = &kvm->arch.gisa_int; + struct kvm_vcpu *vcpu; ++ u8 vcpu_isc_mask; + + for_each_set_bit(vcpu_idx, kvm->arch.idle_mask, online_vcpus) { + vcpu = kvm_get_vcpu(kvm, vcpu_idx); + if (psw_ioint_disabled(vcpu)) + continue; +- deliverable_mask &= (u8)(vcpu->arch.sie_block->gcr[6] >> 24); +- if (deliverable_mask) { ++ vcpu_isc_mask = (u8)(vcpu->arch.sie_block->gcr[6] >> 24); ++ if (deliverable_mask & vcpu_isc_mask) { + /* lately kicked but not yet running */ + if (test_and_set_bit(vcpu_idx, gi->kicked_mask)) + return; diff --git a/patches.suse/KVM-s390-pv-don-t-present-the-ecall-interrupt-twice b/patches.suse/KVM-s390-pv-don-t-present-the-ecall-interrupt-twice new file mode 100644 index 0000000..8ef4deb --- /dev/null +++ b/patches.suse/KVM-s390-pv-don-t-present-the-ecall-interrupt-twice 
@@ -0,0 +1,98 @@ +From: Nico Boehr +Date: Mon, 18 Jul 2022 15:04:34 +0200 +Subject: KVM: s390: pv: don't present the ecall interrupt twice +Git-commit: c3f0e5fd2d33d80c5a5a8b5e5d2bab2841709cc8 +Patch-mainline: v6.0-rc1 +References: git-fixes + +When the SIGP interpretation facility is present and a VCPU sends an +ecall to another VCPU in enabled wait, the sending VCPU receives a 56 +intercept (partial execution), so KVM can wake up the receiving CPU. +Note that the SIGP interpretation facility will take care of the +interrupt delivery and KVM's only job is to wake the receiving VCPU. + +For PV, the sending VCPU will receive a 108 intercept (pv notify) and +should continue like in the non-PV case, i.e. wake the receiving VCPU. + +For PV and non-PV guests the interrupt delivery will occur through the +SIGP interpretation facility on SIE entry when SIE finds the X bit in +the status field set. + +However, in handle_pv_notification(), there was no special handling for +SIGP, which leads to interrupt injection being requested by KVM for the +next SIE entry. This results in the interrupt being delivered twice: +once by the SIGP interpretation facility and once by KVM through the +IICTL. + +Add the necessary special handling in handle_pv_notification(), similar +to handle_partial_execution(), which simply wakes the receiving VCPU and +leave interrupt delivery to the SIGP interpretation facility. + +In contrast to external calls, emergency calls are not interpreted but +also cause a 108 intercept, which is why we still need to call +handle_instruction() for SIGP orders other than ecall. + +Since kvm_s390_handle_sigp_pei() is now called for all SIGP orders which +cause a 108 intercept - even if they are actually handled by +handle_instruction() - move the tracepoint in kvm_s390_handle_sigp_pei() +to avoid possibly confusing trace messages. 
+ +Signed-off-by: Nico Boehr +Cc: # 5.7 +Fixes: da24a0cc58ed ("KVM: s390: protvirt: Instruction emulation") +Reviewed-by: Claudio Imbrenda +Reviewed-by: Janosch Frank +Reviewed-by: Christian Borntraeger +Link: https://lore.kernel.org/r/20220718130434.73302-1-nrb@linux.ibm.com +Message-Id: <20220718130434.73302-1-nrb@linux.ibm.com> +Signed-off-by: Claudio Imbrenda +Acked-by: Petr Tesarik +--- + arch/s390/kvm/intercept.c | 15 +++++++++++++++ + arch/s390/kvm/sigp.c | 4 ++-- + 2 files changed, 17 insertions(+), 2 deletions(-) + +--- a/arch/s390/kvm/intercept.c ++++ b/arch/s390/kvm/intercept.c +@@ -522,12 +522,27 @@ static int handle_pv_uvc(struct kvm_vcpu + + static int handle_pv_notification(struct kvm_vcpu *vcpu) + { ++ int ret; ++ + if (vcpu->arch.sie_block->ipa == 0xb210) + return handle_pv_spx(vcpu); + if (vcpu->arch.sie_block->ipa == 0xb220) + return handle_pv_sclp(vcpu); + if (vcpu->arch.sie_block->ipa == 0xb9a4) + return handle_pv_uvc(vcpu); ++ if (vcpu->arch.sie_block->ipa >> 8 == 0xae) { ++ /* ++ * Besides external call, other SIGP orders also cause a ++ * 108 (pv notify) intercept. In contrast to external call, ++ * these orders need to be emulated and hence the appropriate ++ * place to handle them is in handle_instruction(). ++ * So first try kvm_s390_handle_sigp_pei() and if that isn't ++ * successful, go on with handle_instruction(). ++ */ ++ ret = kvm_s390_handle_sigp_pei(vcpu); ++ if (!ret) ++ return ret; ++ } + + return handle_instruction(vcpu); + } +--- a/arch/s390/kvm/sigp.c ++++ b/arch/s390/kvm/sigp.c +@@ -492,9 +492,9 @@ int kvm_s390_handle_sigp_pei(struct kvm_ + struct kvm_vcpu *dest_vcpu; + u8 order_code = kvm_s390_get_base_disp_rs(vcpu, NULL); + +- trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr); +- + if (order_code == SIGP_EXTERNAL_CALL) { ++ trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr); ++ + dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + BUG_ON(dest_vcpu == NULL); + 
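Review bot: With this change kvm_s390_handle_sigp_pei() is reached from handle_pv_notification() for every SIGP intercept, and its external-call branch still does `BUG_ON(dest_vcpu == NULL)` on the result of `kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr)`. Where `cpu_addr` comes from is not shown in the hunk, but it presumably originates from the guest. If the 108 intercept is not guaranteed to carry a valid destination, a bad CPU address would bring the host down instead of failing the order. Returning an error, e.g. `if (!dest_vcpu) return -EINVAL;`, would let the new caller fall through to handle_instruction(), although the effect on the existing partial-execution caller needs checking. The body of kvm_s390_handle_sigp_pei() continues outside the hunk.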
diff --git a/patches.suse/KVM-s390-split-kvm_s390_real_to_abs b/patches.suse/KVM-s390-split-kvm_s390_real_to_abs new file mode 100644 index 0000000..fe94cd8 --- /dev/null +++ b/patches.suse/KVM-s390-split-kvm_s390_real_to_abs 
@@ -0,0 +1,69 @@ +From: Claudio Imbrenda +Date: Mon, 22 Mar 2021 15:05:58 +0100 +Subject: KVM: s390: split kvm_s390_real_to_abs +Git-commit: c5d1f6b531e68888cbe6718b3f77a60115d58b9c +Patch-mainline: v5.13-rc1 +References: git-fixes + +A new function _kvm_s390_real_to_abs will apply prefixing to a real address +with a given prefix value. + +The old kvm_s390_real_to_abs becomes now a wrapper around the new function. + +This is needed to avoid code duplication in vSIE. + +Signed-off-by: Claudio Imbrenda +Reviewed-by: David Hildenbrand +Reviewed-by: Thomas Huth +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210322140559.500716-2-imbrenda@linux.ibm.com +Signed-off-by: Christian Borntraeger +Acked-by: Petr Tesarik +--- + arch/s390/kvm/gaccess.h | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/arch/s390/kvm/gaccess.h ++++ b/arch/s390/kvm/gaccess.h +@@ -18,17 +18,14 @@ + + /** + * kvm_s390_real_to_abs - convert guest real address to guest absolute address +- * @vcpu - guest virtual cpu ++ * @prefix - guest prefix + * @gra - guest real address + * + * Returns the guest absolute address that corresponds to the passed guest real +- * address @gra of a virtual guest cpu by applying its prefix. ++ * address @gra of by applying the given prefix. 
+ */ +-static inline unsigned long kvm_s390_real_to_abs(struct kvm_vcpu *vcpu, +- unsigned long gra) ++static inline unsigned long _kvm_s390_real_to_abs(u32 prefix, unsigned long gra) + { +- unsigned long prefix = kvm_s390_get_prefix(vcpu); +- + if (gra < 2 * PAGE_SIZE) + gra += prefix; + else if (gra >= prefix && gra < prefix + 2 * PAGE_SIZE) +@@ -37,6 +34,20 @@ static inline unsigned long kvm_s390_rea + } + + /** ++ * kvm_s390_real_to_abs - convert guest real address to guest absolute address ++ * @vcpu - guest virtual cpu ++ * @gra - guest real address ++ * ++ * Returns the guest absolute address that corresponds to the passed guest real ++ * address @gra of a virtual guest cpu by applying its prefix. ++ */ ++static inline unsigned long kvm_s390_real_to_abs(struct kvm_vcpu *vcpu, ++ unsigned long gra) ++{ ++ return _kvm_s390_real_to_abs(kvm_s390_get_prefix(vcpu), gra); ++} ++ ++/** + * _kvm_s390_logical_to_effective - convert guest logical to effective address + * @psw: psw of the guest + * @ga: guest logical address diff --git a/patches.suse/KVM-s390x-fix-SCK-locking b/patches.suse/KVM-s390x-fix-SCK-locking new file mode 100644 index 0000000..a570abd --- /dev/null +++ b/patches.suse/KVM-s390x-fix-SCK-locking 
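Review bot: The kernel-doc block above the new `_kvm_s390_real_to_abs(u32 prefix, unsigned long gra)` still opens with `kvm_s390_real_to_abs - ...`, because that line is unchanged context, so the comment's name no longer matches the function it documents. The reworded sentence also reads `address @gra of by applying the given prefix`. Suggested wording: ` * _kvm_s390_real_to_abs - convert guest real address to guest absolute address` and ` * address @gra by applying the given prefix.`. It would also help to state that @prefix is the already-shifted prefix address, since the vsie caller elsewhere in this commit passes `scb_s->prefix << GUEST_PREFIX_SHIFT`.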
@@ -0,0 +1,124 @@ +From: Claudio Imbrenda +Date: Tue, 1 Mar 2022 15:33:40 +0100 +Subject: KVM: s390x: fix SCK locking +Git-commit: c0573ba5c5a2244dc02060b1f374d4593c1d20b7 +Patch-mainline: v5.18-rc1 +References: git-fixes + +When handling the SCK instruction, the kvm lock is taken, even though +the vcpu lock is already being held. The normal locking order is kvm +lock first and then vcpu lock. This is can (and in some circumstances +does) lead to deadlocks. + +The function kvm_s390_set_tod_clock is called both by the SCK handler +and by some IOCTLs to set the clock. The IOCTLs will not hold the vcpu +lock, so they can safely take the kvm lock. The SCK handler holds the +vcpu lock, but will also somehow need to acquire the kvm lock without +relinquishing the vcpu lock. + +The solution is to factor out the code to set the clock, and provide +two wrappers. One is called like the original function and does the +locking, the other is called kvm_s390_try_set_tod_clock and uses +trylock to try to acquire the kvm lock. This new wrapper is then used +in the SCK handler. If locking fails, -EAGAIN is returned, which is +eventually propagated to userspace, thus also freeing the vcpu lock and +allowing for forward progress. + +This is not the most efficient or elegant way to solve this issue, but +the SCK instruction is deprecated and its performance is not critical. + +The goal of this patch is just to provide a simple but correct way to +fix the bug. 
+ +Fixes: 6a3f95a6b04c ("KVM: s390: Intercept SCK instruction") +Signed-off-by: Claudio Imbrenda +Reviewed-by: Christian Borntraeger +Reviewed-by: Janis Schoetterl-Glausch +Link: https://lore.kernel.org/r/20220301143340.111129-1-imbrenda@linux.ibm.com +Cc: stable@vger.kernel.org +Signed-off-by: Christian Borntraeger +Acked-by: Petr Tesarik +--- + arch/s390/kvm/kvm-s390.c | 19 ++++++++++++++++--- + arch/s390/kvm/kvm-s390.h | 4 ++-- + arch/s390/kvm/priv.c | 15 ++++++++++++++- + 3 files changed, 32 insertions(+), 6 deletions(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -3869,14 +3869,12 @@ retry: + return 0; + } + +-void kvm_s390_set_tod_clock(struct kvm *kvm, +- const struct kvm_s390_vm_tod_clock *gtod) ++static void __kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod) + { + struct kvm_vcpu *vcpu; + struct kvm_s390_tod_clock_ext htod; + int i; + +- mutex_lock(&kvm->lock); + preempt_disable(); + + get_tod_clock_ext((char *)&htod); +@@ -3897,7 +3895,22 @@ void kvm_s390_set_tod_clock(struct kvm * + + kvm_s390_vcpu_unblock_all(kvm); + preempt_enable(); ++} ++ ++void kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod) ++{ ++ mutex_lock(&kvm->lock); ++ __kvm_s390_set_tod_clock(kvm, gtod); ++ mutex_unlock(&kvm->lock); ++} ++ ++int kvm_s390_try_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod) ++{ ++ if (!mutex_trylock(&kvm->lock)) ++ return 0; ++ __kvm_s390_set_tod_clock(kvm, gtod); + mutex_unlock(&kvm->lock); ++ return 1; + } + + /** +--- a/arch/s390/kvm/kvm-s390.h ++++ b/arch/s390/kvm/kvm-s390.h +@@ -326,8 +326,8 @@ int kvm_s390_handle_sigp(struct kvm_vcpu + int kvm_s390_handle_sigp_pei(struct kvm_vcpu *vcpu); + + /* implemented in kvm-s390.c */ +-void kvm_s390_set_tod_clock(struct kvm *kvm, +- const struct kvm_s390_vm_tod_clock *gtod); ++void kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod); ++int 
kvm_s390_try_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod); + long kvm_arch_fault_in_page(struct kvm_vcpu *vcpu, gpa_t gpa, int writable); + int kvm_s390_store_status_unloaded(struct kvm_vcpu *vcpu, unsigned long addr); + int kvm_s390_vcpu_store_status(struct kvm_vcpu *vcpu, unsigned long addr); +--- a/arch/s390/kvm/priv.c ++++ b/arch/s390/kvm/priv.c +@@ -103,7 +103,20 @@ static int handle_set_clock(struct kvm_v + return kvm_s390_inject_prog_cond(vcpu, rc); + + VCPU_EVENT(vcpu, 3, "SCK: setting guest TOD to 0x%llx", gtod.tod); +- kvm_s390_set_tod_clock(vcpu->kvm, >od); ++ /* ++ * To set the TOD clock the kvm lock must be taken, but the vcpu lock ++ * is already held in handle_set_clock. The usual lock order is the ++ * opposite. As SCK is deprecated and should not be used in several ++ * cases, for example when the multiple epoch facility or TOD clock ++ * steering facility is installed (see Principles of Operation), a ++ * slow path can be used. If the lock can not be taken via try_lock, ++ * the instruction will be retried via -EAGAIN at a later point in ++ * time. ++ */ ++ if (!kvm_s390_try_set_tod_clock(vcpu->kvm, >od)) { ++ kvm_s390_retry_instr(vcpu); ++ return -EAGAIN; ++ } + + kvm_s390_set_psw_cc(vcpu, 0); + return 0; diff --git a/patches.suse/KVM-x86-Avoid-theoretical-NULL-pointer-dereference-in-kvm_irq_de b/patches.suse/KVM-x86-Avoid-theoretical-NULL-pointer-dereference-in-kvm_irq_de new file mode 100644 index 0000000..2480820 --- /dev/null +++ b/patches.suse/KVM-x86-Avoid-theoretical-NULL-pointer-dereference-in-kvm_irq_de 
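Review bot: `kvm_s390_try_set_tod_clock()` returns 1 on success and 0 when `mutex_trylock()` fails, which is the reverse of the usual kernel 0/-errno convention, and neither the definition in kvm-s390.c nor the prototype in kvm-s390.h says so. A one-line comment at the definition would keep a later caller from testing it the wrong way round: `/* Returns 1 if the TOD clock was set, 0 if kvm->lock was contended; the caller must retry. */`. Declaring the return type as `bool` would make the same point in the signature. It would also help to state on `__kvm_s390_set_tod_clock()` that the caller must hold `kvm->lock`, since that requirement is now implicit in the two wrappers.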
@@ -0,0 +1,37 @@
+From: Vitaly Kuznetsov
+Date: Fri, 25 Mar 2022 14:21:39 +0100
+Subject: KVM: x86: Avoid theoretical NULL pointer dereference in
+ kvm_irq_delivery_to_apic_fast()
+Git-commit: 00b5f37189d24ac3ed46cb7f11742094778c46ce
+Patch-mainline: v5.18-rc1
+References: bsc#1200788 CVE-2022-2153
+
+When kvm_irq_delivery_to_apic_fast() is called with APIC_DEST_SELF
+shorthand, 'src' must not be NULL. Crash the VM with KVM_BUG_ON()
+instead of crashing the host.
+
+Signed-off-by: Vitaly Kuznetsov
+Message-Id: <20220325132140.25650-3-vkuznets@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Acked-by: Dario Faggioli
+---
+ arch/x86/kvm/lapic.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 80a2020c4db4..66b0eb0bda94 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1024,6 +1024,10 @@ bool kvm_irq_delivery_to_apic_fast(struct kvm *kvm, struct kvm_lapic *src,
+ *r = -1;
+
+ if (irq->shorthand == APIC_DEST_SELF) {
++ if (KVM_BUG_ON(!src, kvm)) {
++ *r = 0;
++ return true;
++ }
+ *r = kvm_apic_set_irq(src->vcpu, irq, dest_map);
+ return true;
+ }
+
diff --git a/patches.suse/KVM-x86-Check-lapic_in_kernel-before-attempting-to-set-a-SynIC-i b/patches.suse/KVM-x86-Check-lapic_in_kernel-before-attempting-to-set-a-SynIC-i
new file mode 100644
index 0000000..2f055f0
--- /dev/null
+++ b/patches.suse/KVM-x86-Check-lapic_in_kernel-before-attempting-to-set-a-SynIC-i
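Review bot: The `*r = 0; return true;` pair inside the new `KVM_BUG_ON(!src, kvm)` branch is not self-explanatory: it reports the interrupt as handled by the fast path with zero deliveries, and a reader cannot tell whether that is deliberate. A comment would settle it, for example `/* No source vCPU: the VM is now marked bugged; report "handled, nothing delivered" instead of dereferencing src. */`. Presumably returning true is also what keeps the caller from falling back to another path with the same NULL `src`; that caller is outside the hunk, so this is worth confirming. The body of `kvm_irq_delivery_to_apic_fast()` starts and ends outside the hunk.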
@@ -0,0 +1,41 @@
+From: Vitaly Kuznetsov
+Date: Fri, 25 Mar 2022 14:21:38 +0100
+Subject: KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC
+ irq
+Git-commit: 7ec37d1cbe17d8189d9562178d8b29167fe1c31a
+Patch-mainline: v5.18-rc1
+References: bsc#1200788 CVE-2022-2153
+
+When KVM_CAP_HYPERV_SYNIC{,2} is activated, KVM already checks for
+irqchip_in_kernel() so normally SynIC irqs should never be set. It is,
+however, possible for a misbehaving VMM to write to SYNIC/STIMER MSRs
+causing erroneous behavior.
+
+The immediate issue being fixed is that kvm_irq_delivery_to_apic()
+(kvm_irq_delivery_to_apic_fast()) crashes when called with
+'irq.shorthand = APIC_DEST_SELF' and 'src == NULL'.
+
+Signed-off-by: Vitaly Kuznetsov
+Message-Id: <20220325132140.25650-2-vkuznets@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Acked-by: Dario Faggioli
+---
+ arch/x86/kvm/hyperv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
+index a32f54ab84a2..f715b5a2b0e4 100644
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -449,6 +449,9 @@ static int synic_set_irq(struct kvm_vcpu_hv_synic *synic, u32 sint)
+ struct kvm_lapic_irq irq;
+ int ret, vector;
+
++ if (KVM_BUG_ON(!lapic_in_kernel(vcpu), vcpu->kvm))
++ return -EINVAL;
++
+ if (sint >= ARRAY_SIZE(synic->sint))
+ return -EINVAL;
+
+
diff --git a/patches.suse/KVM-x86-Forbid-VMM-to-set-SYNIC-STIMER-MSRs-when-SynIC-wasn-t-ac b/patches.suse/KVM-x86-Forbid-VMM-to-set-SYNIC-STIMER-MSRs-when-SynIC-wasn-t-ac
new file mode 100644
index 0000000..8bbd6a9
--- /dev/null
+++ b/patches.suse/KVM-x86-Forbid-VMM-to-set-SYNIC-STIMER-MSRs-when-SynIC-wasn-t-ac
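Review bot: The new `KVM_BUG_ON(!lapic_in_kernel(vcpu), vcpu->kvm)` at the top of `synic_set_irq()` guards a condition that the commit message itself says a misbehaving VMM can reach by writing SYNIC/STIMER MSRs. If `KVM_BUG_ON()` in this tree warns as it does upstream, the warning stays reachable from userspace until those writes are refused, which matters on hosts configured to panic on warnings. The companion patch that forbids the writes while SynIC is inactive appears later in this diff; it is worth confirming that the series applies both together and recording the dependency next to the check, e.g. `/* Not reachable once SYNIC/STIMER MSR writes are rejected while SynIC is inactive; kept as a last line of defence. */`. `vcpu` is declared above the hunk.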
@@ -0,0 +1,65 @@ +From: Vitaly Kuznetsov +Date: Fri, 25 Mar 2022 14:21:40 +0100 +Subject: KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't + activated +Git-commit: b1e34d325397a33d97d845e312d7cf2a8b646b44 +Patch-mainline: v5.18-rc1 +References: bsc#1200788 CVE-2022-2153 + +Setting non-zero values to SYNIC/STIMER MSRs activates certain features, +this should not happen when KVM_CAP_HYPERV_SYNIC{,2} was not activated. + +Note, it would've been better to forbid writing anything to SYNIC/STIMER +MSRs, including zeroes, however, at least QEMU tries clearing +HV_X64_MSR_STIMER0_CONFIG without SynIC. HV_X64_MSR_EOM MSR is somewhat +'special' as writing zero there triggers an action, this also should not +happen when SynIC wasn't activated. + +Signed-off-by: Vitaly Kuznetsov +Message-Id: <20220325132140.25650-4-vkuznets@redhat.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Acked-by: Dario Faggioli +--- + arch/x86/kvm/hyperv.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -205,7 +205,7 @@ + struct kvm_vcpu *vcpu = synic_to_vcpu(synic); + int ret; + +- if (!synic->active && !host) ++ if (!synic->active && (!host || data)) + return 1; + + trace_kvm_hv_synic_set_msr(vcpu->vcpu_id, msr, data, host); +@@ -251,6 +251,9 @@ + case HV_X64_MSR_EOM: { + int i; + ++ if (!synic->active) ++ break; ++ + for (i = 0; i < ARRAY_SIZE(synic->sint); i++) + kvm_hv_notify_acked_sint(vcpu, i); + break; +@@ -520,7 +523,7 @@ + struct kvm_vcpu *vcpu = stimer_to_vcpu(stimer); + struct kvm_vcpu_hv_synic *synic = vcpu_to_synic(vcpu); + +- if (!synic->active && !host) ++ if (!synic->active && (!host || config)) + return 1; + + trace_kvm_hv_stimer_set_config(stimer_to_vcpu(stimer)->vcpu_id, +@@ -544,7 +547,7 @@ + struct kvm_vcpu *vcpu = stimer_to_vcpu(stimer); + struct kvm_vcpu_hv_synic *synic = vcpu_to_synic(vcpu); + +- if (!synic->active && !host) ++ if (!synic->active && (!host || count)) + 
return 1; + + trace_kvm_hv_stimer_set_count(stimer_to_vcpu(stimer)->vcpu_id, diff --git a/patches.suse/KVM-x86-hyper-v-disallow-configuring-SynIC-timers-with-no-SynIC b/patches.suse/KVM-x86-hyper-v-disallow-configuring-SynIC-timers-with-no-SynIC new file mode 100644 index 0000000..76652b8 --- /dev/null +++ b/patches.suse/KVM-x86-hyper-v-disallow-configuring-SynIC-timers-with-no-SynIC 
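Review bot: The same guard is now written three times, as `(!host || data)`, `(!host || config)` and `(!host || count)`, and none of the sites says why a host write of zero is let through while SynIC is inactive. The reason exists only in the commit message (QEMU clears HV_X64_MSR_STIMER0_CONFIG without SynIC), so it is lost once the patch is applied. I would put it in a comment at the first site, `/* While SynIC is inactive the guest may write nothing and the host only zero (QEMU clears STIMER config). */`, or fold the test into a small helper taking `synic`, `host` and the value that carries that comment. The inner hunk headers name no functions, so the enclosing functions can be told apart here only by their trace calls.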
@@ -0,0 +1,48 @@
+From: Vitaly Kuznetsov
+Date: Thu, 24 Sep 2020 16:57:52 +0200
+Patch-mainline: v5.10-rc1
+References: jsc#sle-12891
+Subject: KVM: x86: hyper-v: disallow configuring SynIC timers with no SynIC
+Git-commit: dbcf3f96fa662bd5e1f93ea7c10a8dd0dce180ae
+
+Hyper-V Synthetic timers require SynIC but we don't seem to check that
+upon HV_X64_MSR_STIMER[X]_CONFIG/HV_X64_MSR_STIMER0_COUNT writes. Make
+the behavior match synic_set_msr().
+
+Signed-off-by: Vitaly Kuznetsov
+Message-Id: <20200924145757.1035782-3-vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini
+Acked-by: Olaf Hering
+---
+ arch/x86/kvm/hyperv.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -633,6 +633,11 @@ static int stimer_set_config(struct kvm_vcpu_hv_stimer *stimer, u64 config,
+ {
+ union hv_stimer_config new_config = {.as_uint64 = config},
+ old_config = {.as_uint64 = stimer->config.as_uint64};
++ struct kvm_vcpu *vcpu = stimer_to_vcpu(stimer);
++ struct kvm_vcpu_hv_synic *synic = vcpu_to_synic(vcpu);
++
++ if (!synic->active && !host)
++ return 1;
+
+ trace_kvm_hv_stimer_set_config(stimer_to_vcpu(stimer)->vcpu_id,
+ stimer->index, config, host);
+@@ -652,6 +657,12 @@ static int stimer_set_config(struct kvm_vcpu_hv_stimer *stimer, u64 config,
+ static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count,
+ bool host)
+ {
++ struct kvm_vcpu *vcpu = stimer_to_vcpu(stimer);
++ struct kvm_vcpu_hv_synic *synic = vcpu_to_synic(vcpu);
++
++ if (!synic->active && !host)
++ return 1;
++
+ trace_kvm_hv_stimer_set_count(stimer_to_vcpu(stimer)->vcpu_id,
+ stimer->index, count, host);
+
+
diff --git a/patches.suse/PM-domains-Fix-handling-of-unavailable-disabled-idle.patch b/patches.suse/PM-domains-Fix-handling-of-unavailable-disabled-idle.patch
new file mode 100644
index 0000000..b465070
--- /dev/null
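Review bot: Both added blocks introduce a local `vcpu`, yet the trace call that follows still calls `stimer_to_vcpu(stimer)` a second time; using the local, `trace_kvm_hv_stimer_set_config(vcpu->vcpu_id,` and `trace_kvm_hv_stimer_set_count(vcpu->vcpu_id,`, would leave one lookup per function. The bare `return 1;` also deserves a short comment saying what a non-zero return means to the MSR write path, since the commit message only says the behaviour matches `synic_set_msr()`. Both function bodies continue outside the hunks.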
+++ b/patches.suse/PM-domains-Fix-handling-of-unavailable-disabled-idle.patch
@@ -0,0 +1,44 @@
+From e0c57a5c70c13317238cb19a7ded0eab4a5f7de5 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Tue, 25 Oct 2022 13:34:32 +0100
+Subject: [PATCH] PM: domains: Fix handling of unavailable/disabled idle states
+Git-commit: e0c57a5c70c13317238cb19a7ded0eab4a5f7de5
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+Platforms can provide the information about the availability of each
+idle states via status flag. Platforms may have to disable one or more
+idle states for various reasons like broken firmware or other unmet
+dependencies.
+
+Fix handling of such unavailable/disabled idle states by ignoring them
+while parsing the states.
+
+Fixes: a3381e3a65cb ("PM / domains: Fix up domain-idle-states OF parsing")
+Signed-off-by: Sudeep Holla
+Reviewed-by: Ulf Hansson
+Signed-off-by: Rafael J. Wysocki
+Acked-by: Takashi Iwai
+
+---
+ drivers/base/power/domain.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index ead135c7044c..6471b559230e 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -2952,6 +2952,10 @@ static int genpd_iterate_idle_states(struct device_node *dn,
+ np = it.node;
+ if (!of_match_node(idle_state_match, np))
+ continue;
++
++ if (!of_device_is_available(np))
++ continue;
++
+ if (states) {
+ ret = genpd_parse_state(&states[i], np);
+ if (ret) {
+--
+2.35.3
+
diff --git a/patches.suse/PM-hibernate-Allow-hybrid-sleep-to-work-with-s2idle.patch b/patches.suse/PM-hibernate-Allow-hybrid-sleep-to-work-with-s2idle.patch
new file mode 100644
index 0000000..cf1beeb
--- /dev/null
+++ b/patches.suse/PM-hibernate-Allow-hybrid-sleep-to-work-with-s2idle.patch
@@ -0,0 +1,43 @@
+From 85850af4fc47132f3f2f0dd698b90f67906600b4 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Wed, 12 Oct 2022 22:50:17 -0500
+Subject: [PATCH] PM: hibernate: Allow hybrid sleep to work with s2idle
+Git-commit: 85850af4fc47132f3f2f0dd698b90f67906600b4
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+Hybrid sleep is currently hardcoded to only operate with S3 even
+on systems that might not support it.
+
+Instead of assuming this mode is what the user wants to use, for
+hybrid sleep follow the setting of `mem_sleep_current` which
+will respect mem_sleep_default kernel command line and policy
+decisions made by the presence of the FADT low power idle bit.
+
+Fixes: 81d45bdf8913 ("PM / hibernate: Untangle power_down()")
+Reported-and-tested-by: kolAflash
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216574
+Signed-off-by: Mario Limonciello
+Signed-off-by: Rafael J. Wysocki
+Acked-by: Takashi Iwai
+
+---
+ kernel/power/hibernate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index f58a0aa92310..793c55a2becb 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -645,7 +645,7 @@ static void power_down(void)
+ int error;
+
+ if (hibernation_mode == HIBERNATION_SUSPEND) {
+- error = suspend_devices_and_enter(PM_SUSPEND_MEM);
++ error = suspend_devices_and_enter(mem_sleep_current);
+ if (error) {
+ hibernation_mode = hibernation_ops ?
+ HIBERNATION_PLATFORM :
+--
+2.35.3
+
diff --git a/patches.suse/RDMA-Verify-port-when-creating-flow-rule.patch b/patches.suse/RDMA-Verify-port-when-creating-flow-rule.patch
new file mode 100644
index 0000000..9a5383c
--- /dev/null
+++ b/patches.suse/RDMA-Verify-port-when-creating-flow-rule.patch
@@ -0,0 +1,85 @@ +From 2adcb4c5a52a2623cd2b43efa7041e74d19f3a5e Mon Sep 17 00:00:00 2001 +From: Maor Gottlieb +Date: Thu, 10 Jun 2021 10:34:25 +0300 +Subject: [PATCH 1/1] RDMA: Verify port when creating flow rule +Git-commit: 2adcb4c5a52a2623cd2b43efa7041e74d19f3a5e +Patch-mainline: v5.13 +References: git-fixes + +Validate port value provided by the user and with that remove no longer +needed validation by the driver. The missing check in the mlx5_ib driver +could cause to the below oops. + +Call trace: + _create_flow_rule+0x2d4/0xf28 [mlx5_ib] + mlx5_ib_create_flow+0x2d0/0x5b0 [mlx5_ib] + ib_uverbs_ex_create_flow+0x4cc/0x624 [ib_uverbs] + ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xd4/0x150 [ib_uverbs] + ib_uverbs_cmd_verbs.isra.7+0xb28/0xc50 [ib_uverbs] + ib_uverbs_ioctl+0x158/0x1d0 [ib_uverbs] + do_vfs_ioctl+0xd0/0xaf0 + ksys_ioctl+0x84/0xb4 + __arm64_sys_ioctl+0x28/0xc4 + el0_svc_common.constprop.3+0xa4/0x254 + el0_svc_handler+0x84/0xa0 + el0_svc+0x10/0x26c + Code: b9401260 f9615681 51000400 8b001c20 (f9403c1a) + +Fixes: 436f2ad05a0b ("IB/core: Export ib_create/destroy_flow through uverbs") +Link: https://lore.kernel.org/r/faad30dc5219a01727f47db3dc2f029d07c82c00.1623309971.git.leonro@nvidia.com +Reviewed-by: Mark Bloch +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/uverbs_cmd.c | 5 +++++ + drivers/infiniband/hw/mlx4/main.c | 3 --- + drivers/infiniband/hw/mlx5/fs.c | 1 - + 3 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c +index d5e15a8c870d..64e4be1cbec7 100644 +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -3248,6 +3248,11 @@ static int ib_uverbs_ex_create_flow(struct uverbs_attr_bundle *attrs) + goto err_free_attr; + } + ++ if (!rdma_is_port_valid(uobj->context->device, cmd.flow_attr.port)) { ++ err = 
-EINVAL; ++ goto err_uobj; ++ } ++ + qp = uobj_get_obj_read(qp, UVERBS_OBJECT_QP, cmd.qp_handle, attrs); + if (!qp) { + err = -EINVAL; +diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c +index 16704262fc3a..230a6ae0ab5a 100644 +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -1699,9 +1699,6 @@ static struct ib_flow *mlx4_ib_create_flow(struct ib_qp *qp, + struct mlx4_dev *dev = (to_mdev(qp->device))->dev; + int is_bonded = mlx4_is_bonded(dev); + +- if (!rdma_is_port_valid(qp->device, flow_attr->port)) +- return ERR_PTR(-EINVAL); +- + if (flow_attr->flags & ~IB_FLOW_ATTR_FLAGS_DONT_TRAP) + return ERR_PTR(-EOPNOTSUPP); + +diff --git a/drivers/infiniband/hw/mlx5/fs.c b/drivers/infiniband/hw/mlx5/fs.c +index f84441ff0c81..18ee2f293825 100644 +--- a/drivers/infiniband/hw/mlx5/fs.c ++++ b/drivers/infiniband/hw/mlx5/fs.c +@@ -1198,7 +1198,6 @@ static struct ib_flow *mlx5_ib_create_flow(struct ib_qp *qp, + } + + if (domain != IB_FLOW_DOMAIN_USER || +- flow_attr->port > dev->num_ports || + (flow_attr->flags & ~(IB_FLOW_ATTR_FLAGS_DONT_TRAP | + IB_FLOW_ATTR_FLAGS_EGRESS))) { + err = -EINVAL; +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-bnxt_re-Add-missing-spin-lock-initialization.patch b/patches.suse/RDMA-bnxt_re-Add-missing-spin-lock-initialization.patch new file mode 100644 index 0000000..e052e76 --- /dev/null +++ b/patches.suse/RDMA-bnxt_re-Add-missing-spin-lock-initialization.patch 
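Review bot: With the port check moved into `ib_uverbs_ex_create_flow()`, the per-driver checks removed from `mlx4_ib_create_flow()` and `mlx5_ib_create_flow()` leave those functions trusting `flow_attr->port` entirely. That is safe only if the uverbs path is the sole caller of the drivers' create-flow entry point in the tree this patch is backported to; the hunks do not show that, so it should be confirmed against the target kernel before the driver-side validation is dropped. A short comment at the new check, such as `/* Drivers rely on this: flow_attr.port is not re-validated below. */`, would record the contract. All three function bodies extend beyond their hunks.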
@@ -0,0 +1,35 @@
+From 17f2569dce1848080825b8336e6b7c6900193b44 Mon Sep 17 00:00:00 2001
+From: Naresh Kumar PBS
+Date: Wed, 18 Aug 2021 20:25:52 -0700
+Subject: [PATCH 1/1] RDMA/bnxt_re: Add missing spin lock initialization
+Git-commit: 17f2569dce1848080825b8336e6b7c6900193b44
+Patch-mainline: v5.14
+References: git-fixes
+
+Add the missing initialization of srq lock.
+
+Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters")
+Link: https://lore.kernel.org/r/1629343553-5843-3-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Naresh Kumar PBS
+Signed-off-by: Selvin Xavier
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index 283b6b81563c..ea0054c60fbc 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -1681,6 +1681,7 @@ int bnxt_re_create_srq(struct ib_srq *ib_srq,
+ if (nq)
+ nq->budget++;
+ atomic_inc(&rdev->srq_count);
++ spin_lock_init(&srq->lock);
+
+ return 0;
+
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-bnxt_re-Fix-query-SRQ-failure.patch b/patches.suse/RDMA-bnxt_re-Fix-query-SRQ-failure.patch
new file mode 100644
index 0000000..7cb7d22
--- /dev/null
+++ b/patches.suse/RDMA-bnxt_re-Fix-query-SRQ-failure.patch
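Review bot: `spin_lock_init(&srq->lock)` is added as the last statement before `return 0`, after `atomic_inc(&rdev->srq_count)` and whatever setup precedes the hunk. If anything earlier in `bnxt_re_create_srq()` makes the SRQ reachable from another context, the lock could be taken before it is initialised; the start of the function is outside the hunk, so this is a question rather than a finding. Initialising the lock where the other `srq` fields are first set up would remove the doubt.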
@@ -0,0 +1,42 @@
+From 598d16fa1bf93431ad35bbab3ed1affe4fb7b562 Mon Sep 17 00:00:00 2001
+From: Selvin Xavier
+Date: Wed, 15 Sep 2021 05:32:38 -0700
+Subject: [PATCH 1/1] RDMA/bnxt_re: Fix query SRQ failure
+Git-commit: 598d16fa1bf93431ad35bbab3ed1affe4fb7b562
+Patch-mainline: v5.16
+References: git-fixes
+
+Fill the missing parameters for the FW command while querying SRQ.
+
+Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters")
+Link: https://lore.kernel.org/r/1631709163-2287-8-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Selvin Xavier
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index 539b1a2f9008..ca88849559bf 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -707,12 +707,13 @@ int bnxt_qplib_query_srq(struct bnxt_qplib_res *res,
+ int rc = 0;
+
+ RCFW_CMD_PREP(req, QUERY_SRQ, cmd_flags);
+- req.srq_cid = cpu_to_le32(srq->id);
+
+ /* Configure the request */
+ sbuf = bnxt_qplib_rcfw_alloc_sbuf(rcfw, sizeof(*sb));
+ if (!sbuf)
+ return -ENOMEM;
++ req.resp_size = sizeof(*sb) / BNXT_QPLIB_CMDQE_UNITS;
++ req.srq_cid = cpu_to_le32(srq->id);
+ sb = sbuf->sb;
+ rc = bnxt_qplib_rcfw_send_message(rcfw, (void *)&req, (void *)&resp,
+ (void *)sbuf, 0);
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-cm-Fix-memory-leak-in-ib_cm_insert_listen.patch b/patches.suse/RDMA-cm-Fix-memory-leak-in-ib_cm_insert_listen.patch
new file mode 100644
index 0000000..8418d32
--- /dev/null
+++ b/patches.suse/RDMA-cm-Fix-memory-leak-in-ib_cm_insert_listen.patch
@@ -0,0 +1,41 @@
+From 2990f223ffa7bb25422956b9f79f9176a5b38346 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Tue, 21 Jun 2022 09:25:44 +0400
+Subject: [PATCH 1/1] RDMA/cm: Fix memory leak in ib_cm_insert_listen
+Git-commit: 2990f223ffa7bb25422956b9f79f9176a5b38346
+Patch-mainline: v5.19
+References: git-fixes
+
+cm_alloc_id_priv() allocates resource for the cm_id_priv. When
+cm_init_listen() fails it doesn't free it, leading to memory leak.
+
+Add the missing error unwind.
+
+Fixes: 98f67156a80f ("RDMA/cm: Simplify establishing a listen cm_id")
+Link: https://lore.kernel.org/r/20220621052546.4821-1-linmq006@gmail.com
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/core/cm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index 1c107d6d03b9..b985e0d9bc05 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -1252,8 +1252,10 @@ struct ib_cm_id *ib_cm_insert_listen(struct ib_device *device,
+ return ERR_CAST(cm_id_priv);
+
+ err = cm_init_listen(cm_id_priv, service_id, 0);
+- if (err)
++ if (err) {
++ ib_destroy_cm_id(&cm_id_priv->id);
+ return ERR_PTR(err);
++ }
+
+ spin_lock_irq(&cm_id_priv->lock);
+ listen_id_priv = cm_insert_listen(cm_id_priv, cm_handler);
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch b/patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
new file mode 100644
index 0000000..58241e9
--- /dev/null
+++ b/patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
@@ -0,0 +1,132 @@
+From 305d568b72f17f674155a2a8275f865f207b3808 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Thu, 16 Sep 2021 15:34:46 -0300
+Subject: [PATCH 1/1] RDMA/cma: Ensure rdma_addr_cancel() happens before
+ issuing more requests
+Git-commit: 305d568b72f17f674155a2a8275f865f207b3808
+Patch-mainline: v5.15
+References: git-fixes
+
+The FSM can run in a circle allowing rdma_resolve_ip() to be called twice
+on the same id_priv. While this cannot happen without going through the
+work, it violates the invariant that the same address resolution
+background request cannot be active twice.
+
+ CPU 1 CPU 2
+
+rdma_resolve_addr():
+ RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY
+ rdma_resolve_ip(addr_handler) #1
+
+ process_one_req(): for #1
+ addr_handler():
+ RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND
+ mutex_unlock(&id_priv->handler_mutex);
+ [.. handler still running ..]
+
+rdma_resolve_addr():
+ RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY
+ rdma_resolve_ip(addr_handler)
+ !! two requests are now on the req_list
+
+rdma_destroy_id():
+ destroy_id_handler_unlock():
+ _destroy_id():
+ cma_cancel_operation():
+ rdma_addr_cancel()
+
+ // process_one_req() self removes it
+ spin_lock_bh(&lock);
+ cancel_delayed_work(&req->work);
+ if (!list_empty(&req->list)) == true
+
+ ! rdma_addr_cancel() returns after process_on_req #1 is done
+
+ kfree(id_priv)
+
+ process_one_req(): for #2
+ addr_handler():
+ mutex_lock(&id_priv->handler_mutex);
+ !! Use after free on id_priv
+
+rdma_addr_cancel() expects there to be one req on the list and only
+cancels the first one. The self-removal behavior of the work only happens
+after the handler has returned. This yields a situations where the
+req_list can have two reqs for the same "handle" but rdma_addr_cancel()
+only cancels the first one.
+
+The second req remains active beyond rdma_destroy_id() and will
+use-after-free id_priv once it inevitably triggers.
+
+Fix this by remembering if the id_priv has called rdma_resolve_ip() and
+always cancel before calling it again. This ensures the req_list never
+gets more than one item in it and doesn't cost anything in the normal flow
+that never uses this strange error path.
+
+Link: https://lore.kernel.org/r/0-v1-3bc675b8006d+22-syz_cancel_uaf_jgg@nvidia.com
+Cc: stable@vger.kernel.org
+Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager")
+Reported-by: syzbot+dc3dfba010d7671e05f5@syzkaller.appspotmail.com
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/core/cma.c | 23 +++++++++++++++++++++++
+ drivers/infiniband/core/cma_priv.h | 1 +
+ 2 files changed, 24 insertions(+)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 8862b0e572f0..704ce595542c 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1783,6 +1783,14 @@ static void cma_cancel_operation(struct rdma_id_private *id_priv,
+ {
+ switch (state) {
+ case RDMA_CM_ADDR_QUERY:
++ /*
++ * We can avoid doing the rdma_addr_cancel() based on state,
++ * only RDMA_CM_ADDR_QUERY has a work that could still execute.
++ * Notice that the addr_handler work could still be exiting
++ * outside this state, however due to the interaction with the
++ * handler_mutex the work is guaranteed not to touch id_priv
++ * during exit.
++ */
+ rdma_addr_cancel(&id_priv->id.route.addr.dev_addr);
+ break;
+ case RDMA_CM_ROUTE_QUERY:
+@@ -3425,6 +3433,21 @@ int rdma_resolve_addr(struct rdma_cm_id *id, struct sockaddr *src_addr,
+ if (dst_addr->sa_family == AF_IB) {
+ ret = cma_resolve_ib_addr(id_priv);
+ } else {
++ /*
++ * The FSM can return back to RDMA_CM_ADDR_BOUND after
++ * rdma_resolve_ip() is called, eg through the error
++ * path in addr_handler(). If this happens the existing
++ * request must be canceled before issuing a new one.
++ * Since canceling a request is a bit slow and this
++ * oddball path is rare, keep track once a request has
++ * been issued. The track turns out to be a permanent
++ * state since this is the only cancel as it is
++ * immediately before rdma_resolve_ip().
++ */
++ if (id_priv->used_resolve_ip)
++ rdma_addr_cancel(&id->route.addr.dev_addr);
++ else
++ id_priv->used_resolve_ip = 1;
+ ret = rdma_resolve_ip(cma_src_addr(id_priv), dst_addr,
+ &id->route.addr.dev_addr,
+ timeout_ms, addr_handler,
+diff --git a/drivers/infiniband/core/cma_priv.h b/drivers/infiniband/core/cma_priv.h
+index 5c463da99845..f92f101ea981 100644
+--- a/drivers/infiniband/core/cma_priv.h
++++ b/drivers/infiniband/core/cma_priv.h
+@@ -89,6 +89,7 @@ struct rdma_id_private {
+ u8 reuseaddr;
+ u8 afonly;
+ u8 timeout;
++ u8 used_resolve_ip;
+ enum ib_gid_type gid_type;
+
+ /*
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-cma-Fix-arguments-order-in-net-device-validatio.patch b/patches.suse/RDMA-cma-Fix-arguments-order-in-net-device-validatio.patch
new file mode 100644
index 0000000..1ac7205
--- /dev/null
+++ b/patches.suse/RDMA-cma-Fix-arguments-order-in-net-device-validatio.patch
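Review bot: `id_priv->used_resolve_ip` is tested and set in `rdma_resolve_addr()` with no lock visible in the hunk, so the cancel-before-reissue guarantee holds only if two calls on the same id cannot overlap. The added comment explains why the flag is sticky but not what serialises access to it. If callers or the state transition above the hunk are expected to serialise `rdma_resolve_addr()`, say so where the field is declared, e.g. `u8 used_resolve_ip; /* set once rdma_resolve_ip() has been issued; access serialised by the ADDR_QUERY transition */`; otherwise the test-and-set needs to move under a lock. The body of `rdma_resolve_addr()` extends beyond the hunk.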
@@ -0,0 +1,47 @@
+From 27cfde795a96aef1e859a5480489944b95421e46 Mon Sep 17 00:00:00 2001
+From: Michael Guralnik
+Date: Tue, 23 Aug 2022 13:51:50 +0300
+Subject: [PATCH 1/1] RDMA/cma: Fix arguments order in net device validation
+Git-commit: 27cfde795a96aef1e859a5480489944b95421e46
+Patch-mainline: v6.0
+References: git-fixes
+
+Fix the order of source and destination addresses when resolving the
+route between server and client to validate use of correct net device.
+
+The reverse order we had so far didn't actually validate the net device
+as the server would try to resolve the route to itself, thus always
+getting the server's net device.
+
+The issue was discovered when running cm applications on a single host
+between 2 interfaces with same subnet and source based routing rules.
+When resolving the reverse route the source based route rules were
+ignored.
+
+Fixes: f887f2ac87c2 ("IB/cma: Validate routing of incoming requests")
+Link: https://lore.kernel.org/r/1c1ec2277a131d277ebcceec987fd338d35b775f.1661251872.git.leonro@nvidia.com
+Signed-off-by: Michael Guralnik
+Signed-off-by: Leon Romanovsky
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/core/cma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 46d06678dfbe..be317f2665a9 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1841,8 +1841,8 @@ cma_ib_id_from_event(struct ib_cm_id *cm_id,
+ }
+
+ if (!validate_net_dev(*net_dev,
+- (struct sockaddr *)&req->listen_addr_storage,
+- (struct sockaddr *)&req->src_addr_storage)) {
++ (struct sockaddr *)&req->src_addr_storage,
++ (struct sockaddr *)&req->listen_addr_storage)) {
+ id_priv = ERR_PTR(-EHOSTUNREACH);
+ goto err;
+ }
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-core-Sanitize-WQ-state-received-from-the-usersp.patch b/patches.suse/RDMA-core-Sanitize-WQ-state-received-from-the-usersp.patch
new file mode 100644
index 0000000..70a9880
--- /dev/null
+++ b/patches.suse/RDMA-core-Sanitize-WQ-state-received-from-the-usersp.patch
@@ -0,0 +1,103 @@ +From f97442887275d11c88c2899e720fe945c1f61488 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Wed, 19 May 2021 11:37:31 +0300 +Subject: [PATCH 1/1] RDMA/core: Sanitize WQ state received from the userspace +Git-commit: f97442887275d11c88c2899e720fe945c1f61488 +Patch-mainline: v5.14 +References: git-fixes + +The mlx4 and mlx5 implemented differently the WQ input checks. Instead of +duplicating mlx4 logic in the mlx5, let's prepare the input in the central +place. + +The mlx5 implementation didn't check for validity of state input. It is +not real bug because our FW checked that, but still worth to fix. + +Fixes: f213c0527210 ("IB/uverbs: Add WQ support") +Link: https://lore.kernel.org/r/ac41ad6a81b095b1a8ad453dcf62cf8d3c5da779.1621413310.git.leonro@nvidia.com +Reported-by: Jiapeng Chong +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/uverbs_cmd.c | 21 +++++++++++++++++++-- + drivers/infiniband/hw/mlx4/qp.c | 9 ++------- + drivers/infiniband/hw/mlx5/qp.c | 6 ++---- + 3 files changed, 23 insertions(+), 13 deletions(-) + +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c +index d5e15a8c870d..74ab018a306e 100644 +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -3034,12 +3034,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs) + if (!wq) + return -EINVAL; + +- wq_attr.curr_wq_state = cmd.curr_wq_state; +- wq_attr.wq_state = cmd.wq_state; + if (cmd.attr_mask & IB_WQ_FLAGS) { + wq_attr.flags = cmd.flags; + wq_attr.flags_mask = cmd.flags_mask; + } ++ ++ if (cmd.attr_mask & IB_WQ_CUR_STATE) { ++ if (cmd.curr_wq_state > IB_WQS_ERR) ++ return -EINVAL; ++ ++ wq_attr.curr_wq_state = cmd.curr_wq_state; ++ } else { ++ wq_attr.curr_wq_state = wq->state; ++ } ++ ++ if (cmd.attr_mask & IB_WQ_STATE) { ++ if (cmd.wq_state > IB_WQS_ERR) ++ return -EINVAL; ++ ++ 
wq_attr.wq_state = cmd.wq_state; ++ } else { ++ wq_attr.wq_state = wq_attr.curr_wq_state; ++ } ++ + ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask, + &attrs->driver_udata); + rdma_lookup_put_uobject(&wq->uobject->uevent.uobject, +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c +index 92ddbcc00eb2..2ae22bf50016 100644 +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -4251,13 +4251,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr, + if (wq_attr_mask & IB_WQ_FLAGS) + return -EOPNOTSUPP; + +- cur_state = wq_attr_mask & IB_WQ_CUR_STATE ? wq_attr->curr_wq_state : +- ibwq->state; +- new_state = wq_attr_mask & IB_WQ_STATE ? wq_attr->wq_state : cur_state; +- +- if (cur_state < IB_WQS_RESET || cur_state > IB_WQS_ERR || +- new_state < IB_WQS_RESET || new_state > IB_WQS_ERR) +- return -EINVAL; ++ cur_state = wq_attr->curr_wq_state; ++ new_state = wq_attr->wq_state; + + if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR)) + return -EINVAL; +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index 08491bdf62c7..8dd953af323e 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -5318,10 +5318,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr, + + rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx); + +- curr_wq_state = (wq_attr_mask & IB_WQ_CUR_STATE) ? +- wq_attr->curr_wq_state : wq->state; +- wq_state = (wq_attr_mask & IB_WQ_STATE) ? +- wq_attr->wq_state : curr_wq_state; ++ curr_wq_state = wq_attr->curr_wq_state; ++ wq_state = wq_attr->wq_state; + if (curr_wq_state == IB_WQS_ERR) + curr_wq_state = MLX5_RQC_STATE_ERR; + if (wq_state == IB_WQS_ERR) +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-cxgb4-Remove-MW-support.patch b/patches.suse/RDMA-cxgb4-Remove-MW-support.patch new file mode 100644 index 0000000..3adf271 --- /dev/null +++ b/patches.suse/RDMA-cxgb4-Remove-MW-support.patch 
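Review bot: The two new `return -EINVAL;` statements in ib_uverbs_ex_modify_wq, taken when `cmd.curr_wq_state` or `cmd.wq_state` is above `IB_WQS_ERR`, leave the function before the `rdma_lookup_put_uobject()` call that follows `modify_wq`. The hunk shows `wq` already obtained at that point (`if (!wq) return -EINVAL;`), so a userspace request with an out-of-range state and the matching mask bit set would, as far as the visible lines show, return with the WQ uobject still held. Replacing each early return with `ret = -EINVAL; goto out;` and placing a new `out:` label just before `rdma_lookup_put_uobject(...)` releases it on the rejection path too. The lookup itself is outside the hunk, so confirm how `wq` is acquired in this tree.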
@@ -0,0 +1,169 @@ +From a5c29a262ebe4c5b85643bac833b9e7e00ebe8a4 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Sat, 3 Oct 2020 20:20:01 -0300 +Subject: [PATCH 1/1] RDMA/cxgb4: Remove MW support +Git-commit: a5c29a262ebe4c5b85643bac833b9e7e00ebe8a4 +Patch-mainline: v5.11 +References: git-fixes + +This driver never enabled IB_USER_VERBS_CMD_ALLOC_MW so memory windows +were not usable from userspace. The kernel side was removed long ago. Drop +this dead code. + +Fixes: feb7c1e38bcc ("IB: remove in-kernel support for memory windows") +Link: https://lore.kernel.org/r/1-v1-caa70ba3d1ab+1436e-ucmd_mask_jgg@nvidia.com +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 3 - + drivers/infiniband/hw/cxgb4/mem.c | 93 -------------------------- + drivers/infiniband/hw/cxgb4/provider.c | 2 - + 3 files changed, 98 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h +index a27899402f59..f85477f3b037 100644 +--- a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h ++++ b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h +@@ -983,10 +983,7 @@ struct ib_mr *c4iw_alloc_mr(struct ib_pd *pd, enum ib_mr_type mr_type, + u32 max_num_sg); + int c4iw_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents, + unsigned int *sg_offset); +-int c4iw_dealloc_mw(struct ib_mw *mw); + void c4iw_dealloc(struct uld_ctx *ctx); +-struct ib_mw *c4iw_alloc_mw(struct ib_pd *pd, enum ib_mw_type type, +- struct ib_udata *udata); + struct ib_mr *c4iw_reg_user_mr(struct ib_pd *pd, u64 start, + u64 length, u64 virt, int acc, + struct ib_udata *udata); +diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c +index 42234df896fb..a2c71a1d93d5 100644 +--- a/drivers/infiniband/hw/cxgb4/mem.c ++++ b/drivers/infiniband/hw/cxgb4/mem.c +@@ -365,22 +365,6 @@ static int dereg_mem(struct c4iw_rdev *rdev, u32 stag, u32 pbl_size, + pbl_size, pbl_addr, skb, wr_waitp); + } + 
+-static int allocate_window(struct c4iw_rdev *rdev, u32 *stag, u32 pdid, +- struct c4iw_wr_wait *wr_waitp) +-{ +- *stag = T4_STAG_UNSET; +- return write_tpt_entry(rdev, 0, stag, 0, pdid, FW_RI_STAG_MW, 0, 0, 0, +- 0UL, 0, 0, 0, 0, NULL, wr_waitp); +-} +- +-static int deallocate_window(struct c4iw_rdev *rdev, u32 stag, +- struct sk_buff *skb, +- struct c4iw_wr_wait *wr_waitp) +-{ +- return write_tpt_entry(rdev, 1, &stag, 0, 0, 0, 0, 0, 0, 0UL, 0, 0, 0, +- 0, skb, wr_waitp); +-} +- + static int allocate_stag(struct c4iw_rdev *rdev, u32 *stag, u32 pdid, + u32 pbl_size, u32 pbl_addr, + struct c4iw_wr_wait *wr_waitp) +@@ -611,83 +595,6 @@ struct ib_mr *c4iw_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + return ERR_PTR(err); + } + +-struct ib_mw *c4iw_alloc_mw(struct ib_pd *pd, enum ib_mw_type type, +- struct ib_udata *udata) +-{ +- struct c4iw_dev *rhp; +- struct c4iw_pd *php; +- struct c4iw_mw *mhp; +- u32 mmid; +- u32 stag = 0; +- int ret; +- +- if (type != IB_MW_TYPE_1) +- return ERR_PTR(-EINVAL); +- +- php = to_c4iw_pd(pd); +- rhp = php->rhp; +- mhp = kzalloc(sizeof(*mhp), GFP_KERNEL); +- if (!mhp) +- return ERR_PTR(-ENOMEM); +- +- mhp->wr_waitp = c4iw_alloc_wr_wait(GFP_KERNEL); +- if (!mhp->wr_waitp) { +- ret = -ENOMEM; +- goto free_mhp; +- } +- +- mhp->dereg_skb = alloc_skb(SGE_MAX_WR_LEN, GFP_KERNEL); +- if (!mhp->dereg_skb) { +- ret = -ENOMEM; +- goto free_wr_wait; +- } +- +- ret = allocate_window(&rhp->rdev, &stag, php->pdid, mhp->wr_waitp); +- if (ret) +- goto free_skb; +- mhp->rhp = rhp; +- mhp->attr.pdid = php->pdid; +- mhp->attr.type = FW_RI_STAG_MW; +- mhp->attr.stag = stag; +- mmid = (stag) >> 8; +- mhp->ibmw.rkey = stag; +- if (xa_insert_irq(&rhp->mrs, mmid, mhp, GFP_KERNEL)) { +- ret = -ENOMEM; +- goto dealloc_win; +- } +- pr_debug("mmid 0x%x mhp %p stag 0x%x\n", mmid, mhp, stag); +- return &(mhp->ibmw); +- +-dealloc_win: +- deallocate_window(&rhp->rdev, mhp->attr.stag, mhp->dereg_skb, +- mhp->wr_waitp); +-free_skb: +- 
kfree_skb(mhp->dereg_skb); +-free_wr_wait: +- c4iw_put_wr_wait(mhp->wr_waitp); +-free_mhp: +- kfree(mhp); +- return ERR_PTR(ret); +-} +- +-int c4iw_dealloc_mw(struct ib_mw *mw) +-{ +- struct c4iw_dev *rhp; +- struct c4iw_mw *mhp; +- u32 mmid; +- +- mhp = to_c4iw_mw(mw); +- rhp = mhp->rhp; +- mmid = (mw->rkey) >> 8; +- xa_erase_irq(&rhp->mrs, mmid); +- deallocate_window(&rhp->rdev, mhp->attr.stag, mhp->dereg_skb, +- mhp->wr_waitp); +- kfree_skb(mhp->dereg_skb); +- c4iw_put_wr_wait(mhp->wr_waitp); +- pr_debug("ib_mw %p mmid 0x%x ptr %p\n", mw, mmid, mhp); +- kfree(mhp); +- return 0; +-} + + struct ib_mr *c4iw_alloc_mr(struct ib_pd *pd, enum ib_mr_type mr_type, + u32 max_num_sg) +diff --git a/drivers/infiniband/hw/cxgb4/provider.c b/drivers/infiniband/hw/cxgb4/provider.c +index 8138c57a1e43..b7fe4b47357c 100644 +--- a/drivers/infiniband/hw/cxgb4/provider.c ++++ b/drivers/infiniband/hw/cxgb4/provider.c +@@ -455,13 +455,11 @@ static const struct ib_device_ops c4iw_dev_ops = { + + .alloc_hw_stats = c4iw_alloc_stats, + .alloc_mr = c4iw_alloc_mr, +- .alloc_mw = c4iw_alloc_mw, + .alloc_pd = c4iw_allocate_pd, + .alloc_ucontext = c4iw_alloc_ucontext, + .create_cq = c4iw_create_cq, + .create_qp = c4iw_create_qp, + .create_srq = c4iw_create_srq, +- .dealloc_mw = c4iw_dealloc_mw, + .dealloc_pd = c4iw_deallocate_pd, + .dealloc_ucontext = c4iw_dealloc_ucontext, + .dereg_mr = c4iw_dereg_mr, +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-efa-Free-IRQ-vectors-on-error-flow.patch b/patches.suse/RDMA-efa-Free-IRQ-vectors-on-error-flow.patch new file mode 100644 index 0000000..dc2e2d8 --- /dev/null +++ b/patches.suse/RDMA-efa-Free-IRQ-vectors-on-error-flow.patch 
@@ -0,0 +1,37 @@ +From dbe986bdfd6dfe6ef24b833767fff4151e024357 Mon Sep 17 00:00:00 2001 +From: Gal Pressman +Date: Wed, 11 Aug 2021 18:11:28 +0300 +Subject: [PATCH 1/1] RDMA/efa: Free IRQ vectors on error flow +Git-commit: dbe986bdfd6dfe6ef24b833767fff4151e024357 +Patch-mainline: v5.14 +References: git-fixes + +Make sure to free the IRQ vectors in case the allocation doesn't return +the expected number of IRQs. + +Fixes: b7f5e880f377 ("RDMA/efa: Add the efa module") +Link: https://lore.kernel.org/r/20210811151131.39138-2-galpress@amazon.com +Reviewed-by: Firas JahJah +Reviewed-by: Yossi Leybovich +Signed-off-by: Gal Pressman +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/efa/efa_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/efa/efa_main.c b/drivers/infiniband/hw/efa/efa_main.c +index 203e6ddcacbc..be4a07bd268a 100644 +--- a/drivers/infiniband/hw/efa/efa_main.c ++++ b/drivers/infiniband/hw/efa/efa_main.c +@@ -357,6 +357,7 @@ static int efa_enable_msix(struct efa_dev *dev) + } + + if (irq_num != msix_vecs) { ++ efa_disable_msix(dev); + dev_err(&dev->pdev->dev, + "Allocated %d MSI-X (out of %d requested)\n", + irq_num, msix_vecs); +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-efa-Remove-double-QP-type-assignment.patch b/patches.suse/RDMA-efa-Remove-double-QP-type-assignment.patch new file mode 100644 index 0000000..b4cb7f6 --- /dev/null +++ b/patches.suse/RDMA-efa-Remove-double-QP-type-assignment.patch 
@@ -0,0 +1,35 @@ +From f9193d266347fe9bed5c173e7a1bf96268142a79 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Fri, 23 Jul 2021 14:39:45 +0300 +Subject: [PATCH 1/1] RDMA/efa: Remove double QP type assignment +Git-commit: f9193d266347fe9bed5c173e7a1bf96268142a79 +Patch-mainline: v5.15 +References: git-fixes + +The QP type is set by the IB/core and shouldn't be set in the driver. + +Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") +Link: https://lore.kernel.org/r/838c40134c1590167b888ca06ad51071139ff2ae.1627040189.git.leonro@nvidia.com +Acked-by: Gal Pressman +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index b4cfb656ddd5..b1c4780e86be 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -727,7 +727,6 @@ struct ib_qp *efa_create_qp(struct ib_pd *ibpd, + + qp->qp_handle = create_qp_resp.qp_handle; + qp->ibqp.qp_num = create_qp_resp.qp_num; +- qp->ibqp.qp_type = init_attr->qp_type; + qp->max_send_wr = init_attr->cap.max_send_wr; + qp->max_recv_wr = init_attr->cap.max_recv_wr; + qp->max_send_sge = init_attr->cap.max_send_sge; +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-efa-Use-ib_umem_num_dma_pages.patch b/patches.suse/RDMA-efa-Use-ib_umem_num_dma_pages.patch new file mode 100644 index 0000000..0d47eed --- /dev/null +++ b/patches.suse/RDMA-efa-Use-ib_umem_num_dma_pages.patch 
@@ -0,0 +1,49 @@ +From 1f9b6827c85f9d9786f31a1434a16c917aae23b2 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Fri, 4 Sep 2020 19:41:48 -0300 +Subject: [PATCH 1/1] RDMA/efa: Use ib_umem_num_dma_pages() +Git-commit: 1f9b6827c85f9d9786f31a1434a16c917aae23b2 +Patch-mainline: v5.10 +References: git-fixes + +If ib_umem_find_best_pgsz() returns > PAGE_SIZE then the equation here is +not correct. 'start' should be 'virt'. Change it to use the core code for +page_num and the canonical calculation of page_shift. + +Fixes: 40ddb3f02083 ("RDMA/efa: Use API to get contiguous memory blocks aligned to device supported page size") +Link: https://lore.kernel.org/r/7-v2-270386b7e60b+28f4-umem_1_jgg@nvidia.com +Tested-by: Gal Pressman +Acked-by: Gal Pressman +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index 81db565c098a..52b7ea9fd4ee 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -4,6 +4,7 @@ + */ + + #include ++#include + + #include + #include +@@ -1540,9 +1541,8 @@ struct ib_mr *efa_reg_mr(struct ib_pd *ibpd, u64 start, u64 length, + goto err_unmap; + } + +- params.page_shift = __ffs(pg_sz); +- params.page_num = DIV_ROUND_UP(length + (start & (pg_sz - 1)), +- pg_sz); ++ params.page_shift = order_base_2(pg_sz); ++ params.page_num = ib_umem_num_dma_blocks(mr->umem, pg_sz); + + ibdev_dbg(&dev->ibdev, + "start %#llx length %#llx params.page_shift %u params.page_num %u\n", +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-hfi1-Fix-potential-integer-multiplication-overf.patch b/patches.suse/RDMA-hfi1-Fix-potential-integer-multiplication-overf.patch new file mode 100644 index 0000000..be9d745 --- /dev/null +++ b/patches.suse/RDMA-hfi1-Fix-potential-integer-multiplication-overf.patch 
@@ -0,0 +1,45 @@ +From f93e91a0372c922c20d5bee260b0f43b4b8a1bee Mon Sep 17 00:00:00 2001 +From: Dennis Dalessandro +Date: Fri, 20 May 2022 14:37:12 -0400 +Subject: [PATCH 1/1] RDMA/hfi1: Fix potential integer multiplication overflow + errors +Git-commit: f93e91a0372c922c20d5bee260b0f43b4b8a1bee +Patch-mainline: v5.19 +References: git-fixes + +When multiplying of different types, an overflow is possible even when +storing the result in a larger type. This is because the conversion is +done after the multiplication. So arithmetic overflow and thus in +incorrect value is possible. + +Correct an instance of this in the inter packet delay calculation. Fix by +ensuring one of the operands is u64 which will promote the other to u64 as +well ensuring no overflow. + +Cc: stable@vger.kernel.org +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Link: https://lore.kernel.org/r/20220520183712.48973.29855.stgit@awfm-01.cornelisnetworks.com +Reviewed-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hfi1/init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/init.c b/drivers/infiniband/hw/hfi1/init.c +index 4436ed41547c..436372b31431 100644 +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -489,7 +489,7 @@ void set_link_ipg(struct hfi1_pportdata *ppd) + u16 shift, mult; + u64 src; + u32 current_egress_rate; /* Mbits /sec */ +- u32 max_pkt_time; ++ u64 max_pkt_time; + /* + * max_pkt_time is the maximum packet egress time in units + * of the fabric clock period 1/(805 MHz). +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-hns-Remove-unnecessary-check-for-the-sgid_attr-.patch b/patches.suse/RDMA-hns-Remove-unnecessary-check-for-the-sgid_attr-.patch new file mode 100644 index 0000000..5b57393 --- /dev/null +++ b/patches.suse/RDMA-hns-Remove-unnecessary-check-for-the-sgid_attr-.patch 
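Review bot: The widened declaration `u64 max_pkt_time;` in set_link_ipg carries no remark on why it is 64-bit, and the multiplication the description refers to lies outside the hunk. Next to `u32 current_egress_rate` and `u16 shift, mult` it reads like a candidate for narrowing in a later cleanup, which would bring the overflow back. A short comment on the declaration would hold it in place, for example `u64 max_pkt_time; /* u64: keeps the later multiply in 64 bits */`. The block comment directly below it describes the units only.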
@@ -0,0 +1,39 @@ +From c2fcafa78a33576b7fe47f5e4f85d413a62c2fe2 Mon Sep 17 00:00:00 2001 +From: Chengchang Tang +Date: Sat, 9 Apr 2022 16:32:50 +0800 +Subject: [PATCH 1/1] RDMA/hns: Remove unnecessary check for the sgid_attr when + modifying QP +Git-commit: c2fcafa78a33576b7fe47f5e4f85d413a62c2fe2 +Patch-mainline: v5.19 +References: git-fixes + +The sgid_attr cannot be null in this scenario. This judgment is redundant. + +Fixes: 606bf89e98ef ("RDMA/hns: Refactor for hns_roce_v2_modify_qp function") +Link: https://lore.kernel.org/r/20220409083254.9696-2-liangwenpeng@huawei.com +Signed-off-by: Chengchang Tang +Signed-off-by: Wenpeng Liang +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 2b0cef17ad45..cd87e6e86720 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4966,9 +4966,7 @@ static int hns_roce_v2_set_path(struct ib_qp *ibqp, + if (ret) + return ret; + +- if (gid_attr) +- is_udp = (gid_attr->gid_type == +- IB_GID_TYPE_ROCE_UDP_ENCAP); ++ is_udp = (gid_attr->gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP); + } + + if (vlan_id < VLAN_N_VID) { +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-i40iw-Use-ib_umem_num_dma_pages.patch b/patches.suse/RDMA-i40iw-Use-ib_umem_num_dma_pages.patch new file mode 100644 index 0000000..c9e915f --- /dev/null +++ b/patches.suse/RDMA-i40iw-Use-ib_umem_num_dma_pages.patch 
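Review bot: The new line `is_udp = (gid_attr->gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP);` in hns_roce_v2_set_path dereferences `gid_attr` with no guard, relying on the description's statement that it cannot be NULL here. Where that is guaranteed is not visible in the hunk, and the patch is tagged `Patch-mainline: v5.19`, so the guarantee should be confirmed for the tree this is applied to. If it does not hold there, this line is a NULL dereference in the modify-QP path. Either keep the removed `if (gid_attr)` test, which costs nothing, or record the invariant at the use site, e.g. `/* gid_attr is never NULL at this point */`; the function starts and ends outside the hunk.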
@@ -0,0 +1,63 @@ +From 22123a0e4974fe03d1d8446b132a6c455f95a516 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Fri, 4 Sep 2020 19:41:49 -0300 +Subject: [PATCH 1/1] RDMA/i40iw: Use ib_umem_num_dma_pages() +Git-commit: 22123a0e4974fe03d1d8446b132a6c455f95a516 +Patch-mainline: v5.10 +References: git-fixes + +If ib_umem_find_best_pgsz() returns > PAGE_SIZE then the equation here is +not correct. 'start' should be 'virt'. Change it to use the core code for +page_num and the canonical calculation of page_shift. + +Fixes: eb52c0333f06 ("RDMA/i40iw: Use core helpers to get aligned DMA address within a supported page size") +Link: https://lore.kernel.org/r/8-v2-270386b7e60b+28f4-umem_1_jgg@nvidia.com +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +index a9278ef10ace..4511e175c498 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -1745,15 +1745,12 @@ static struct ib_mr *i40iw_reg_user_mr(struct ib_pd *pd, + struct i40iw_mr *iwmr; + struct ib_umem *region; + struct i40iw_mem_reg_req req; +- u64 pbl_depth = 0; + u32 stag = 0; + u16 access; +- u64 region_length; + bool use_pbles = false; + unsigned long flags; + int err = -ENOSYS; + int ret; +- int pg_shift; + + if (!udata) + return ERR_PTR(-EOPNOTSUPP); +@@ -1788,18 +1785,13 @@ static struct ib_mr *i40iw_reg_user_mr(struct ib_pd *pd, + if (req.reg_type == IW_MEMREG_TYPE_MEM) + iwmr->page_size = ib_umem_find_best_pgsz(region, SZ_4K | SZ_2M, + virt); +- +- region_length = region->length + (start & (iwmr->page_size - 1)); +- pg_shift = ffs(iwmr->page_size) - 1; +- pbl_depth = region_length >> pg_shift; +- pbl_depth += (region_length & (iwmr->page_size - 1)) ? 
1 : 0; + iwmr->length = region->length; + + iwpbl->user_base = virt; + palloc = &iwpbl->pble_alloc; + + iwmr->type = req.reg_type; +- iwmr->page_cnt = (u32)pbl_depth; ++ iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size); + + switch (req.reg_type) { + case IW_MEMREG_TYPE_QP: +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-iwcm-Release-resources-if-iw_cm-module-initiali.patch b/patches.suse/RDMA-iwcm-Release-resources-if-iw_cm-module-initiali.patch new file mode 100644 index 0000000..214f547 --- /dev/null +++ b/patches.suse/RDMA-iwcm-Release-resources-if-iw_cm-module-initiali.patch 
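Review bot: Nothing between `iwmr->page_size = ib_umem_find_best_pgsz(region, SZ_4K | SZ_2M, virt);` and the new `iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);` in i40iw_reg_user_mr rejects a page size of zero. ib_umem_find_best_pgsz() returns 0 when none of the offered sizes fits the mapping, and the block count is computed by aligning to and dividing by that value. A guard `if (!iwmr->page_size)` that leaves through the function's existing error path with `-EOPNOTSUPP` would cover it. The removed arithmetic (`ffs(iwmr->page_size) - 1`) had the same gap, so it is not introduced here, and since the function starts and ends outside the hunk a check elsewhere cannot be ruled out.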
@@ -0,0 +1,72 @@ +From e677b72a0647249370f2635862bf0241c86f66ad Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Fri, 23 Jul 2021 17:08:55 +0300 +Subject: [PATCH 1/1] RDMA/iwcm: Release resources if iw_cm module + initialization fails +Git-commit: e677b72a0647249370f2635862bf0241c86f66ad +Patch-mainline: v5.15 +References: git-fixes + +The failure during iw_cm module initialization partially left the system +with unreleased memory and other resources. Rewrite the module init/exit +routines in such way that netlink commands will be opened only after +successful initialization. + +Fixes: b493d91d333e ("iwcm: common code for port mapper") +Link: https://lore.kernel.org/r/b01239f99cb1a3e6d2b0694c242d89e6410bcd93.1627048781.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/iwcm.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c +index 42261152b489..2b47073c61a6 100644 +--- a/drivers/infiniband/core/iwcm.c ++++ b/drivers/infiniband/core/iwcm.c +@@ -1186,29 +1186,34 @@ static int __init iw_cm_init(void) + + ret = iwpm_init(RDMA_NL_IWCM); + if (ret) +- pr_err("iw_cm: couldn't init iwpm\n"); +- else +- rdma_nl_register(RDMA_NL_IWCM, iwcm_nl_cb_table); ++ return ret; ++ + iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", 0); + if (!iwcm_wq) +- return -ENOMEM; ++ goto err_alloc; + + iwcm_ctl_table_hdr = register_net_sysctl(&init_net, "net/iw_cm", + iwcm_ctl_table); + if (!iwcm_ctl_table_hdr) { + pr_err("iw_cm: couldn't register sysctl paths\n"); +- destroy_workqueue(iwcm_wq); +- return -ENOMEM; ++ goto err_sysctl; + } + ++ rdma_nl_register(RDMA_NL_IWCM, iwcm_nl_cb_table); + return 0; ++ ++err_sysctl: ++ destroy_workqueue(iwcm_wq); ++err_alloc: ++ iwpm_exit(RDMA_NL_IWCM); ++ return -ENOMEM; + } + + static void __exit iw_cm_cleanup(void) + { ++ 
rdma_nl_unregister(RDMA_NL_IWCM); + unregister_net_sysctl_table(iwcm_ctl_table_hdr); + destroy_workqueue(iwcm_wq); +- rdma_nl_unregister(RDMA_NL_IWCM); + iwpm_exit(RDMA_NL_IWCM); + } + +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-mlx4-Return-missed-an-error-if-device-doesn-t-s.patch b/patches.suse/RDMA-mlx4-Return-missed-an-error-if-device-doesn-t-s.patch new file mode 100644 index 0000000..d3a4058 --- /dev/null +++ b/patches.suse/RDMA-mlx4-Return-missed-an-error-if-device-doesn-t-s.patch @@ -0,0 +1,42 @@ +From f4e56ec4452f48b8292dcf0e1c4bdac83506fb8b Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 12 Oct 2021 10:28:43 +0300 +Subject: [PATCH 1/1] RDMA/mlx4: Return missed an error if device doesn't + support steering +Git-commit: f4e56ec4452f48b8292dcf0e1c4bdac83506fb8b +Patch-mainline: v5.16 +References: git-fixes + +The error flow fixed in this patch is not possible because all kernel +users of create QP interface check that device supports steering before +set IB_QP_CREATE_NETIF_QP flag. + +Fixes: c1c98501121e ("IB/mlx4: Add support for steerable IB UD QPs") +Link: https://lore.kernel.org/r/91c61f6e60eb0240f8bbc321fda7a1d2986dd03c.1634023677.git.leonro@nvidia.com +Reported-by: Dan Carpenter +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx4/qp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c +index 8662f462e2a5..3a1a4ac9dd33 100644 +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -1099,8 +1099,10 @@ static int create_qp_common(struct ib_pd *pd, struct ib_qp_init_attr *init_attr, + if (dev->steering_support == + MLX4_STEERING_MODE_DEVICE_MANAGED) + qp->flags |= MLX4_IB_QP_NETIF; +- else ++ else { ++ err = -EINVAL; + goto err; ++ } + } + + err = set_kernel_sq_size(dev, &init_attr->cap, qp_type, qp); +-- +2.38.0.1.gee35aeee4b76 + 
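Review bot: The shared exit in iw_cm_init ends with a literal `return -ENOMEM;`, so every path that reaches `err_sysctl` or `err_alloc` reports the same code whatever failed. Both current jumps are allocation-type failures, so the value is right today, but `ret` is already in use for `iwpm_init()`. Assigning `ret = -ENOMEM;` before each `goto` and ending with `return ret;` keeps the unwind reusable when another step is added. The workqueue failure also has no log line, unlike the sysctl one.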
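Review bot: In create_qp_common the `if` arm stays unbraced while the new `else` arm gains braces; kernel coding style asks for braces on every arm once one of them needs them. Write the condition as `if (dev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED) {` with `} else {` before `err = -EINVAL;`. The function continues outside the hunk.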
diff --git a/patches.suse/RDMA-mlx5-Add-missing-check-for-return-value-in-get-.patch b/patches.suse/RDMA-mlx5-Add-missing-check-for-return-value-in-get-.patch new file mode 100644 index 0000000..fcaa647 --- /dev/null +++ b/patches.suse/RDMA-mlx5-Add-missing-check-for-return-value-in-get-.patch @@ -0,0 +1,46 @@ +From c9776457bd5eaad4ce4ecb17af8d8f3cc6957c0b Mon Sep 17 00:00:00 2001 +From: Maor Gottlieb +Date: Sun, 31 Jul 2022 11:29:08 +0300 +Subject: [PATCH 1/1] RDMA/mlx5: Add missing check for return value in get + namespace flow +Git-commit: c9776457bd5eaad4ce4ecb17af8d8f3cc6957c0b +Patch-mainline: v6.0 +References: git-fixes + +Add missing check for return value when calling to +mlx5_ib_ft_type_to_namespace, even though it can't really fail in this +specific call. + +Fixes: 52438be44112 ("RDMA/mlx5: Allow inserting a steering rule to the FDB") +Link: https://lore.kernel.org/r/7b9ceda217d9368a51dc47a46b769bad4af9ac92.1659256069.git.leonro@nvidia.com +Reviewed-by: Itay Aveksis +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/fs.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/fs.c b/drivers/infiniband/hw/mlx5/fs.c +index 691d00c89f33..490ec308e309 100644 +--- a/drivers/infiniband/hw/mlx5/fs.c ++++ b/drivers/infiniband/hw/mlx5/fs.c +@@ -2078,12 +2078,10 @@ static int mlx5_ib_matcher_ns(struct uverbs_attr_bundle *attrs, + if (err) + return err; + +- if (flags) { +- mlx5_ib_ft_type_to_namespace( ++ if (flags) ++ return mlx5_ib_ft_type_to_namespace( + MLX5_IB_UAPI_FLOW_TABLE_TYPE_NIC_TX, + &obj->ns_type); +- return 0; +- } + } + + obj->ns_type = MLX5_FLOW_NAMESPACE_BYPASS; +-- +2.38.0.1.gee35aeee4b76 + 
diff --git a/patches.suse/RDMA-mlx5-Block-FDB-rules-when-not-in-switchdev-mode.patch b/patches.suse/RDMA-mlx5-Block-FDB-rules-when-not-in-switchdev-mode.patch new file mode 100644 index 0000000..27ec378 --- /dev/null +++ b/patches.suse/RDMA-mlx5-Block-FDB-rules-when-not-in-switchdev-mode.patch @@ -0,0 +1,46 @@ +From edc0b0bccc9c80d9a44d3002dcca94984b25e7cf Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Mon, 7 Jun 2021 11:03:12 +0300 +Subject: [PATCH 1/1] RDMA/mlx5: Block FDB rules when not in switchdev mode +Git-commit: edc0b0bccc9c80d9a44d3002dcca94984b25e7cf +Patch-mainline: v5.13 +References: git-fixes + +Allow creating FDB steering rules only when in switchdev mode. + +The only software model where a userspace application can manipulate +FDB entries is when it manages the eswitch. This is only possible in +switchdev mode where we expose a single RDMA device with representors +for all the vports that are connected to the eswitch. + +Fixes: 52438be44112 ("RDMA/mlx5: Allow inserting a steering rule to the FDB") +Link: https://lore.kernel.org/r/e928ae7c58d07f104716a2a8d730963d1bd01204.1623052923.git.leonro@nvidia.com +Reviewed-by: Maor Gottlieb +Signed-off-by: Mark Bloch +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/fs.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/infiniband/hw/mlx5/fs.c b/drivers/infiniband/hw/mlx5/fs.c +index 2fc6a60c4e77..f84441ff0c81 100644 +--- a/drivers/infiniband/hw/mlx5/fs.c ++++ b/drivers/infiniband/hw/mlx5/fs.c +@@ -2134,6 +2134,12 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_FLOW_MATCHER_CREATE)( + if (err) + goto end; + ++ if (obj->ns_type == MLX5_FLOW_NAMESPACE_FDB && ++ mlx5_eswitch_mode(dev->mdev->priv.eswitch) != MLX5_ESWITCH_OFFLOADS) { ++ err = -EINVAL; ++ goto end; ++ } ++ + uobj->object = obj; + obj->mdev = dev->mdev; + atomic_set(&obj->usecnt, 0); +-- +2.38.0.1.gee35aeee4b76 + 
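Review bot: The new condition in the MLX5_IB_METHOD_FLOW_MATCHER_CREATE handler has no comment, although it is a policy decision about who may program FDB entries rather than a plain sanity check. The reasoning is in the description only; a line above the `if` would keep it with the code, for example `/* FDB rules may only be created by the eswitch manager, i.e. in switchdev mode */`. The hunk covers matcher creation only, so whether other entry points that can select `MLX5_FLOW_NAMESPACE_FDB` need the same condition cannot be judged from here and is worth checking in the full file.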
diff --git a/patches.suse/RDMA-mlx5-Fix-memory-leak-in-error-flow-for-subscrib.patch b/patches.suse/RDMA-mlx5-Fix-memory-leak-in-error-flow-for-subscrib.patch new file mode 100644 index 0000000..60d12bd --- /dev/null +++ b/patches.suse/RDMA-mlx5-Fix-memory-leak-in-error-flow-for-subscrib.patch @@ -0,0 +1,40 @@ +From 087f9c3f2309ed183f7e4b85ae57121d8663224d Mon Sep 17 00:00:00 2001 +From: Yongzhi Liu +Date: Fri, 11 Mar 2022 09:06:01 -0800 +Subject: [PATCH 1/1] RDMA/mlx5: Fix memory leak in error flow for subscribe + event routine +Git-commit: 087f9c3f2309ed183f7e4b85ae57121d8663224d +Patch-mainline: v5.18 +References: git-fixes + +In case the second xa_insert() fails, the obj_event is not released. Fix +the error unwind flow to free that memory to avoid a memory leak. + +Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX") +Link: https://lore.kernel.org/r/1647018361-18266-1-git-send-email-lyz_cs@pku.edu.cn +Signed-off-by: Yongzhi Liu +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/devx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c +index 08b7f6bc56c3..15c0884d1f49 100644 +--- a/drivers/infiniband/hw/mlx5/devx.c ++++ b/drivers/infiniband/hw/mlx5/devx.c +@@ -1886,8 +1886,10 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table, + key_level2, + obj_event, + GFP_KERNEL); +- if (err) ++ if (err) { ++ kfree(obj_event); + return err; ++ } + INIT_LIST_HEAD(&obj_event->obj_sub_list); + } + +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-mlx5-Make-mkeys-always-owned-by-the-kernel-s-PD.patch b/patches.suse/RDMA-mlx5-Make-mkeys-always-owned-by-the-kernel-s-PD.patch new file mode 100644 index 0000000..ced0b9c --- /dev/null +++ b/patches.suse/RDMA-mlx5-Make-mkeys-always-owned-by-the-kernel-s-PD.patch 
@@ -0,0 +1,119 @@ +From 5eb29f0d13a66502b91954597270003c90fb66c5 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Mon, 14 Sep 2020 14:26:51 +0300 +Subject: [PATCH 1/1] RDMA/mlx5: Make mkeys always owned by the kernel's PD + when not enabled +Git-commit: 5eb29f0d13a66502b91954597270003c90fb66c5 +Patch-mainline: v5.10 +References: git-fixes + +Any mkey that is not enabled and assigned to userspace should have the PD +set to a kernel owned PD. + +When cache entries are created for the first time the PDN is set to 0, +which is probably a kernel PD, but be explicit. + +When a MR is registered using the hybrid reg_create with UMR xlt & enable +the disabled mkey is pointing at the user PD, keep it pointing at the +kernel until a UMR enables it and sets the user PD. + +Fixes: 9ec4483a3f0f ("IB/mlx5: Move MRs to a kernel PD when freeing them to the MR cache") +Link: https://lore.kernel.org/r/20200914112653.345244-4-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/mr.c | 51 +++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 25 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 9fc76734dfcd..f795fbc52d5d 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -50,6 +50,29 @@ enum { + static void + create_mkey_callback(int status, struct mlx5_async_work *context); + ++static void set_mkc_access_pd_addr_fields(void *mkc, int acc, u64 start_addr, ++ struct ib_pd *pd) ++{ ++ struct mlx5_ib_dev *dev = to_mdev(pd->device); ++ ++ MLX5_SET(mkc, mkc, a, !!(acc & IB_ACCESS_REMOTE_ATOMIC)); ++ MLX5_SET(mkc, mkc, rw, !!(acc & IB_ACCESS_REMOTE_WRITE)); ++ MLX5_SET(mkc, mkc, rr, !!(acc & IB_ACCESS_REMOTE_READ)); ++ MLX5_SET(mkc, mkc, lw, !!(acc & IB_ACCESS_LOCAL_WRITE)); ++ MLX5_SET(mkc, mkc, lr, 1); ++ ++ if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_write)) ++ MLX5_SET(mkc, mkc, 
relaxed_ordering_write, ++ !!(acc & IB_ACCESS_RELAXED_ORDERING)); ++ if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_read)) ++ MLX5_SET(mkc, mkc, relaxed_ordering_read, ++ !!(acc & IB_ACCESS_RELAXED_ORDERING)); ++ ++ MLX5_SET(mkc, mkc, pd, to_mpd(pd)->pdn); ++ MLX5_SET(mkc, mkc, qpn, 0xffffff); ++ MLX5_SET64(mkc, mkc, start_addr, start_addr); ++} ++ + static void + assign_mkey_variant(struct mlx5_ib_dev *dev, struct mlx5_core_mkey *mkey, + u32 *in) +@@ -152,12 +175,12 @@ static struct mlx5_ib_mr *alloc_cache_mr(struct mlx5_cache_ent *ent, void *mkc) + mr->cache_ent = ent; + mr->dev = ent->dev; + ++ set_mkc_access_pd_addr_fields(mkc, 0, 0, ent->dev->umrc.pd); + MLX5_SET(mkc, mkc, free, 1); + MLX5_SET(mkc, mkc, umr_en, 1); + MLX5_SET(mkc, mkc, access_mode_1_0, ent->access_mode & 0x3); + MLX5_SET(mkc, mkc, access_mode_4_2, (ent->access_mode >> 2) & 0x7); + +- MLX5_SET(mkc, mkc, qpn, 0xffffff); + MLX5_SET(mkc, mkc, translations_octword_size, ent->xlt); + MLX5_SET(mkc, mkc, log_page_size, ent->page); + return mr; +@@ -774,29 +797,6 @@ int mlx5_mr_cache_cleanup(struct mlx5_ib_dev *dev) + return 0; + } + +-static void set_mkc_access_pd_addr_fields(void *mkc, int acc, u64 start_addr, +- struct ib_pd *pd) +-{ +- struct mlx5_ib_dev *dev = to_mdev(pd->device); +- +- MLX5_SET(mkc, mkc, a, !!(acc & IB_ACCESS_REMOTE_ATOMIC)); +- MLX5_SET(mkc, mkc, rw, !!(acc & IB_ACCESS_REMOTE_WRITE)); +- MLX5_SET(mkc, mkc, rr, !!(acc & IB_ACCESS_REMOTE_READ)); +- MLX5_SET(mkc, mkc, lw, !!(acc & IB_ACCESS_LOCAL_WRITE)); +- MLX5_SET(mkc, mkc, lr, 1); +- +- if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_write)) +- MLX5_SET(mkc, mkc, relaxed_ordering_write, +- !!(acc & IB_ACCESS_RELAXED_ORDERING)); +- if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_read)) +- MLX5_SET(mkc, mkc, relaxed_ordering_read, +- !!(acc & IB_ACCESS_RELAXED_ORDERING)); +- +- MLX5_SET(mkc, mkc, pd, to_mpd(pd)->pdn); +- MLX5_SET(mkc, mkc, qpn, 0xffffff); +- MLX5_SET64(mkc, mkc, start_addr, start_addr); +-} +- + struct ib_mr 
*mlx5_ib_get_dma_mr(struct ib_pd *pd, int acc) + { + struct mlx5_ib_dev *dev = to_mdev(pd->device); +@@ -1190,7 +1190,8 @@ static struct mlx5_ib_mr *reg_create(struct ib_mr *ibmr, struct ib_pd *pd, + MLX5_SET(create_mkey_in, in, pg_access, !!(pg_cap)); + + mkc = MLX5_ADDR_OF(create_mkey_in, in, memory_key_mkey_entry); +- set_mkc_access_pd_addr_fields(mkc, access_flags, virt_addr, pd); ++ set_mkc_access_pd_addr_fields(mkc, access_flags, virt_addr, ++ populate ? pd : dev->umrc.pd); + MLX5_SET(mkc, mkc, free, !populate); + MLX5_SET(mkc, mkc, access_mode_1_0, MLX5_MKC_ACCESS_MODE_MTT); + MLX5_SET(mkc, mkc, umr_en, 1); +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-mlx5-Set-user-priority-for-DCT.patch b/patches.suse/RDMA-mlx5-Set-user-priority-for-DCT.patch new file mode 100644 index 0000000..8b92f30 --- /dev/null +++ b/patches.suse/RDMA-mlx5-Set-user-priority-for-DCT.patch 
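Review bot: `alloc_cache_mr()` now calls `set_mkc_access_pd_addr_fields(mkc, 0, 0, ent->dev->umrc.pd)`, and the helper immediately dereferences `pd->device` and `to_mpd(pd)->pdn`, so cache entries can only be created once the UMR PD exists. The hunks do not show that ordering, and it should be confirmed for this backport's init sequence, because a NULL `umrc.pd` at this point would be a kernel NULL dereference. The call also writes `lr = 1` and `start_addr = 0` into cache mkeys, which the old code left untouched; that looks harmless for a `free` mkey but deserves a comment above the call such as `/* disabled mkeys stay on the kernel PD until UMR enables them */`. The same PD-lifetime question applies to `populate ? pd : dev->umrc.pd` in `reg_create()`.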
@@ -0,0 +1,41 @@
+From 1ab52ac1e9bc9391f592c9fa8340a6e3e9c36286 Mon Sep 17 00:00:00 2001
+From: Patrisious Haddad
+Date: Wed, 6 Oct 2021 12:31:53 +0300
+Subject: [PATCH 1/1] RDMA/mlx5: Set user priority for DCT
+Git-commit: 1ab52ac1e9bc9391f592c9fa8340a6e3e9c36286
+Patch-mainline: v5.15
+References: git-fixes
+
+Currently, the driver doesn't set the PCP-based priority for DCT, hence
+DCT response packets are transmitted without user priority.
+
+Fix it by setting user provided priority in the eth_prio field in the DCT
+context, which in turn sets the value in the transmitted packet.
+
+Fixes: 776a3906b692 ("IB/mlx5: Add support for DC target QP")
+Link: https://lore.kernel.org/r/5fd2d94a13f5742d8803c218927322257d53205c.1633512672.git.leonro@nvidia.com
+Signed-off-by: Patrisious Haddad
+Reviewed-by: Maor Gottlieb
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/hw/mlx5/qp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index b2fca110346c..e5abbcfc1d57 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -4458,6 +4458,8 @@ static int mlx5_ib_modify_dct(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ MLX5_SET(dctc, dctc, mtu, attr->path_mtu);
+ MLX5_SET(dctc, dctc, my_addr_index, attr->ah_attr.grh.sgid_index);
+ MLX5_SET(dctc, dctc, hop_limit, attr->ah_attr.grh.hop_limit);
++ if (attr->ah_attr.type == RDMA_AH_ATTR_TYPE_ROCE)
++ MLX5_SET(dctc, dctc, eth_prio, attr->ah_attr.sl & 0x7);
+
+ err = mlx5_core_create_dct(dev, &qp->dct.mdct, qp->dct.in,
+ MLX5_ST_SZ_BYTES(create_dct_in), out,
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-mlx5-Use-set_mkc_access_pd_addr_fields-in-reg_c.patch b/patches.suse/RDMA-mlx5-Use-set_mkc_access_pd_addr_fields-in-reg_c.patch
new file mode 100644
index 0000000..0ee733d
--- /dev/null
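Review bot: `attr->ah_attr.sl & 0x7` silently drops any SL bits above the three that the PCP field carries, and the bare `0x7` does not say why. A comment on the added line such as `/* eth_prio is the 3-bit PCP; higher SL bits are ignored */`, or a named mask, would make the truncation visibly deliberate. The hunk does not show whether `attr->ah_attr` is known to be valid at this point, since mlx5_ib_modify_dct() starts and ends outside it, so that is worth confirming against the attribute-mask checks earlier in the function.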
+++ b/patches.suse/RDMA-mlx5-Use-set_mkc_access_pd_addr_fields-in-reg_c.patch 
@@ -0,0 +1,57 @@ +From 1c97ca3da0d12e0156a177f48ed3184c3f202002 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Mon, 14 Sep 2020 14:26:50 +0300 +Subject: [PATCH 1/1] RDMA/mlx5: Use set_mkc_access_pd_addr_fields() in + reg_create() +Git-commit: 1c97ca3da0d12e0156a177f48ed3184c3f202002 +Patch-mainline: v5.10 +References: git-fixes + +reg_create() open codes this helper, use the shared code. + +Link: https://lore.kernel.org/r/20200914112653.345244-3-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mlx5/mr.c | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 3b040f639563..9fc76734dfcd 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -1190,29 +1190,16 @@ static struct mlx5_ib_mr *reg_create(struct ib_mr *ibmr, struct ib_pd *pd, + MLX5_SET(create_mkey_in, in, pg_access, !!(pg_cap)); + + mkc = MLX5_ADDR_OF(create_mkey_in, in, memory_key_mkey_entry); ++ set_mkc_access_pd_addr_fields(mkc, access_flags, virt_addr, pd); + MLX5_SET(mkc, mkc, free, !populate); + MLX5_SET(mkc, mkc, access_mode_1_0, MLX5_MKC_ACCESS_MODE_MTT); +- if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_write)) +- MLX5_SET(mkc, mkc, relaxed_ordering_write, +- !!(access_flags & IB_ACCESS_RELAXED_ORDERING)); +- if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_read)) +- MLX5_SET(mkc, mkc, relaxed_ordering_read, +- !!(access_flags & IB_ACCESS_RELAXED_ORDERING)); +- MLX5_SET(mkc, mkc, a, !!(access_flags & IB_ACCESS_REMOTE_ATOMIC)); +- MLX5_SET(mkc, mkc, rw, !!(access_flags & IB_ACCESS_REMOTE_WRITE)); +- MLX5_SET(mkc, mkc, rr, !!(access_flags & IB_ACCESS_REMOTE_READ)); +- MLX5_SET(mkc, mkc, lw, !!(access_flags & IB_ACCESS_LOCAL_WRITE)); +- MLX5_SET(mkc, mkc, lr, 1); + MLX5_SET(mkc, mkc, umr_en, 1); + +- MLX5_SET64(mkc, mkc, start_addr, virt_addr); + MLX5_SET64(mkc, mkc, 
len, length); +- MLX5_SET(mkc, mkc, pd, to_mpd(pd)->pdn); + MLX5_SET(mkc, mkc, bsf_octword_size, 0); + MLX5_SET(mkc, mkc, translations_octword_size, + get_octo_len(virt_addr, length, page_shift)); + MLX5_SET(mkc, mkc, log_page_size, page_shift); +- MLX5_SET(mkc, mkc, qpn, 0xffffff); + if (populate) { + MLX5_SET(create_mkey_in, in, translations_octword_actual_size, + get_octo_len(virt_addr, length, page_shift)); +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-qedr-Fix-NULL-deref-for-query_qp-on-the-GSI-QP.patch b/patches.suse/RDMA-qedr-Fix-NULL-deref-for-query_qp-on-the-GSI-QP.patch new file mode 100644 index 0000000..6b88c90 --- /dev/null +++ b/patches.suse/RDMA-qedr-Fix-NULL-deref-for-query_qp-on-the-GSI-QP.patch 
@@ -0,0 +1,95 @@ +From 4f960393a0ee9a39469ceb7c8077ae8db665cc12 Mon Sep 17 00:00:00 2001 +From: Alok Prasad +Date: Wed, 27 Oct 2021 18:43:29 +0000 +Subject: [PATCH 1/1] RDMA/qedr: Fix NULL deref for query_qp on the GSI QP +Git-commit: 4f960393a0ee9a39469ceb7c8077ae8db665cc12 +Patch-mainline: v5.16 +References: git-fixes + +This patch fixes a crash caused by querying the QP via netlink, and +corrects the state of GSI qp. GSI qp's have a NULL qed_qp. + +The call trace is generated by: + $ rdma res show + + BUG: kernel NULL pointer dereference, address: 0000000000000034 + Hardware name: Dell Inc. PowerEdge R720/0M1GCR, BIOS 1.2.6 05/10/2012 + RIP: 0010:qed_rdma_query_qp+0x33/0x1a0 [qed] + RSP: 0018:ffffba560a08f580 EFLAGS: 00010206 + RAX: 0000000200000000 RBX: ffffba560a08f5b8 RCX: 0000000000000000 + RDX: ffffba560a08f5b8 RSI: 0000000000000000 RDI: ffff9807ee458090 + RBP: ffffba560a08f5a0 R08: 0000000000000000 R09: ffff9807890e7048 + R10: ffffba560a08f658 R11: 0000000000000000 R12: 0000000000000000 + R13: ffff9807ee458090 R14: ffff9807f0afb000 R15: ffffba560a08f7ec + FS: 00007fbbf8bfe740(0000) GS:ffff980aafa00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000034 CR3: 00000001720ba001 CR4: 00000000000606f0 + Call Trace: + qedr_query_qp+0x82/0x360 [qedr] + ib_query_qp+0x34/0x40 [ib_core] + ? ib_query_qp+0x34/0x40 [ib_core] + fill_res_qp_entry_query.isra.26+0x47/0x1d0 [ib_core] + ? __nla_put+0x20/0x30 + ? nla_put+0x33/0x40 + fill_res_qp_entry+0xe3/0x120 [ib_core] + res_get_common_dumpit+0x3f8/0x5d0 [ib_core] + ? fill_res_cm_id_entry+0x1f0/0x1f0 [ib_core] + nldev_res_get_qp_dumpit+0x1a/0x20 [ib_core] + netlink_dump+0x156/0x2f0 + __netlink_dump_start+0x1ab/0x260 + rdma_nl_rcv+0x1de/0x330 [ib_core] + ? nldev_res_get_cm_id_dumpit+0x20/0x20 [ib_core] + netlink_unicast+0x1b8/0x270 + netlink_sendmsg+0x33e/0x470 + sock_sendmsg+0x63/0x70 + __sys_sendto+0x13f/0x180 + ? 
setup_sgl.isra.12+0x70/0xc0 + __x64_sys_sendto+0x28/0x30 + do_syscall_64+0x3a/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Cc: stable@vger.kernel.org +Fixes: cecbcddf6461 ("qedr: Add support for QP verbs") +Link: https://lore.kernel.org/r/20211027184329.18454-1-palok@marvell.com +Signed-off-by: Ariel Elior +Signed-off-by: Shai Malin +Signed-off-by: Prabhakar Kushwaha +Signed-off-by: Alok Prasad +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/qedr/verbs.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index dcb3653db72d..3d4e4a766574 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2744,15 +2744,18 @@ int qedr_query_qp(struct ib_qp *ibqp, + int rc = 0; + + memset(¶ms, 0, sizeof(params)); +- +- rc = dev->ops->rdma_query_qp(dev->rdma_ctx, qp->qed_qp, ¶ms); +- if (rc) +- goto err; +- + memset(qp_attr, 0, sizeof(*qp_attr)); + memset(qp_init_attr, 0, sizeof(*qp_init_attr)); + +- qp_attr->qp_state = qedr_get_ibqp_state(params.state); ++ if (qp->qp_type != IB_QPT_GSI) { ++ rc = dev->ops->rdma_query_qp(dev->rdma_ctx, qp->qed_qp, ¶ms); ++ if (rc) ++ goto err; ++ qp_attr->qp_state = qedr_get_ibqp_state(params.state); ++ } else { ++ qp_attr->qp_state = qedr_get_ibqp_state(QED_ROCE_QP_STATE_RTS); ++ } ++ + qp_attr->cur_qp_state = qedr_get_ibqp_state(params.state); + qp_attr->path_mtu = ib_mtu_int_to_enum(params.mtu); + qp_attr->path_mig_state = IB_MIG_MIGRATED; +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-qedr-Fix-potential-memory-leak-in-__qedr_alloc_.patch b/patches.suse/RDMA-qedr-Fix-potential-memory-leak-in-__qedr_alloc_.patch new file mode 100644 index 0000000..18cc708 --- /dev/null +++ b/patches.suse/RDMA-qedr-Fix-potential-memory-leak-in-__qedr_alloc_.patch 
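Review bot: For a GSI QP the new `else` branch reports `qp_state` as RTS, but the unchanged line right after it still derives `qp_attr->cur_qp_state` from `params.state`, and `params` was only zeroed in that case, so the two state fields can disagree. `path_mtu` on the following line is computed from the zeroed `params.mtu` in the same way. Setting `qp_attr->cur_qp_state = qp_attr->qp_state;` would keep the states consistent, and the remaining `params`-derived attributes later in qedr_query_qp(), outside the hunk, should be checked for the GSI case as well.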
@@ -0,0 +1,66 @@ +From b3236a64ddd125a455ef5b5316c1b9051b732974 Mon Sep 17 00:00:00 2001 +From: Jianglei Nie +Date: Thu, 14 Jul 2022 14:15:05 +0800 +Subject: [PATCH 1/1] RDMA/qedr: Fix potential memory leak in __qedr_alloc_mr() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: b3236a64ddd125a455ef5b5316c1b9051b732974 +Patch-mainline: v6.0 +References: git-fixes + +__qedr_alloc_mr() allocates a memory chunk for "mr->info.pbl_table" with +init_mr_info(). When rdma_alloc_tid() and rdma_register_tid() fail, "mr" +is released while "mr->info.pbl_table" is not released, which will lead +to a memory leak. + +We should release the "mr->info.pbl_table" with qedr_free_pbl() when error +occurs to fix the memory leak. + +Fixes: e0290cce6ac0 ("qedr: Add support for memory registeration verbs") +Link: https://lore.kernel.org/r/20220714061505.2342759-1-niejianglei2021@163.com +Signed-off-by: Jianglei Nie +Acked-by: Michal Kalderon  +Signed-off-by: Leon Romanovsky +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/qedr/verbs.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index f0f43b6db89e..3ecb472c9217 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2978,7 +2978,7 @@ static struct qedr_mr *__qedr_alloc_mr(struct ib_pd *ibpd, + rc = dev->ops->rdma_alloc_tid(dev->rdma_ctx, &mr->hw_mr.itid); + if (rc) { + DP_ERR(dev, "roce alloc tid returned an error %d\n", rc); +- goto err0; ++ goto err1; + } + + /* Index only, 18 bit long, lkey = itid << 8 | key */ +@@ -3106,7 +3106,7 @@ static struct qedr_mr *__qedr_alloc_mr(struct ib_pd *ibpd, + rc = dev->ops->rdma_register_tid(dev->rdma_ctx, &mr->hw_mr); + if (rc) { + DP_ERR(dev, "roce register tid returned an error %d\n", rc); +- goto err1; ++ goto err2; + } + + mr->ibmr.lkey = mr->hw_mr.itid << 8 | mr->hw_mr.key; +@@ 
-3115,8 +3115,10 @@ static struct qedr_mr *__qedr_alloc_mr(struct ib_pd *ibpd, + DP_DEBUG(dev, QEDR_MSG_MR, "alloc frmr: %x\n", mr->ibmr.lkey); + return mr; + +-err1: ++err2: + dev->ops->rdma_free_tid(dev->rdma_ctx, mr->hw_mr.itid); ++err1: ++ qedr_free_pbl(dev, &mr->info.pbl_info, mr->info.pbl_table); + err0: + kfree(mr); + return ERR_PTR(rc); +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-qedr-Fix-reporting-QP-timeout-attribute.patch b/patches.suse/RDMA-qedr-Fix-reporting-QP-timeout-attribute.patch new file mode 100644 index 0000000..c62870a --- /dev/null +++ b/patches.suse/RDMA-qedr-Fix-reporting-QP-timeout-attribute.patch 
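Review bot: Numbered unwind labels are easy to mis-target, and this fix renumbers them again: the old `err1` becomes `err2` and a new `err1` is inserted between it and `err0`. If diverging from the upstream text is acceptable in this tree, labels named for what they undo, e.g. `err_free_tid:`, `err_free_pbl:` and `err_free_mr:`, would make each `goto` self-checking; otherwise a one-line comment at each label stating what has been acquired at that point would do. Any other `goto err0` sites in __qedr_alloc_mr() are outside the hunks and were not checked.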
@@ -0,0 +1,64 @@ +From 118f767413ada4eef7825fbd4af7c0866f883441 Mon Sep 17 00:00:00 2001 +From: Kamal Heib +Date: Wed, 25 May 2022 16:20:29 +0300 +Subject: [PATCH 1/1] RDMA/qedr: Fix reporting QP timeout attribute +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 118f767413ada4eef7825fbd4af7c0866f883441 +Patch-mainline: v5.19 +References: git-fixes + +Make sure to save the passed QP timeout attribute when the QP gets modified, +so when calling query QP the right value is reported and not the +converted value that is required by the firmware. This issue was found +while running the pyverbs tests. + +Fixes: cecbcddf6461 ("qedr: Add support for QP verbs") +Link: https://lore.kernel.org/r/20220525132029.84813-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Acked-by: Michal Kalderon  +Signed-off-by: Leon Romanovsky +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/qedr/qedr.h | 1 + + drivers/infiniband/hw/qedr/verbs.c | 4 +++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/qedr.h b/drivers/infiniband/hw/qedr/qedr.h +index 8def88cfa300..db9ef3e1eb97 100644 +--- a/drivers/infiniband/hw/qedr/qedr.h ++++ b/drivers/infiniband/hw/qedr/qedr.h +@@ -418,6 +418,7 @@ struct qedr_qp { + u32 sq_psn; + u32 qkey; + u32 dest_qp_num; ++ u8 timeout; + + /* Relevant to qps created from kernel space only (ULPs) */ + u8 prev_wqe_size; +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index f0f43b6db89e..03ed7c0fae50 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2613,6 +2613,8 @@ int qedr_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, + 1 << max_t(int, attr->timeout - 8, 0); + else + qp_params.ack_timeout = 0; ++ ++ qp->timeout = attr->timeout; + } + + if (attr_mask & IB_QP_RETRY_CNT) { +@@ -2772,7 +2774,7 @@ int qedr_query_qp(struct ib_qp *ibqp, + 
rdma_ah_set_dgid_raw(&qp_attr->ah_attr, ¶ms.dgid.bytes[0]); + rdma_ah_set_port_num(&qp_attr->ah_attr, 1); + rdma_ah_set_sl(&qp_attr->ah_attr, 0); +- qp_attr->timeout = params.timeout; ++ qp_attr->timeout = qp->timeout; + qp_attr->rnr_retry = params.rnr_retry; + qp_attr->retry_cnt = params.retry_cnt; + qp_attr->min_rnr_timer = params.min_rnr_nak_timer; +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-qib-Remove-superfluous-fallthrough-statements.patch b/patches.suse/RDMA-qib-Remove-superfluous-fallthrough-statements.patch new file mode 100644 index 0000000..3e03ef0 --- /dev/null +++ b/patches.suse/RDMA-qib-Remove-superfluous-fallthrough-statements.patch 
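Review bot: `qp->timeout = attr->timeout;` is stored while qedr_modify_qp() is still collecting parameters, before the point (outside the hunk) where the change is handed to the device, so if the modify fails later qedr_query_qp() will report a timeout that was never applied. Recording the value only after the modify call has returned success would keep the cached attribute truthful. A short comment on the new `u8 timeout;` member of `struct qedr_qp`, e.g. `/* IB timeout as passed by the consumer, not the firmware value */`, would also explain why it shadows `params.timeout`.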
@@ -0,0 +1,50 @@
+From d2598bb809d13a47e48a39a96ae8599ee8468025 Mon Sep 17 00:00:00 2001
+From: Alex Dewar
+Date: Tue, 25 Aug 2020 18:12:42 +0100
+Subject: [PATCH 1/1] RDMA/qib: Remove superfluous fallthrough statements
+Git-commit: d2598bb809d13a47e48a39a96ae8599ee8468025
+Patch-mainline: v5.10
+References: git-fixes
+
+Commit 36a8f01cd24b ("IB/qib: Add congestion control agent
+implementation") erroneously marked a couple of switch cases as /*
+FALLTHROUGH */, which were later converted to fallthrough statements by
+commit df561f6688fe ("treewide: Use fallthrough pseudo-keyword"). This
+triggered a Coverity warning about unreachable code.
+
+Remove the fallthrough statements.
+
+Link: https://lore.kernel.org/r/20200825171242.448447-1-alex.dewar90@gmail.com
+Addresses-Coverity: ("Unreachable code")
+Fixes: 36a8f01cd24b ("IB/qib: Add congestion control agent implementation")
+Signed-off-by: Alex Dewar
+Reviewed-by: Gustavo A. R. Silva
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/hw/qib/qib_mad.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/qib/qib_mad.c b/drivers/infiniband/hw/qib/qib_mad.c
+index e7789e724f56..f972e559a8a7 100644
+--- a/drivers/infiniband/hw/qib/qib_mad.c
++++ b/drivers/infiniband/hw/qib/qib_mad.c
+@@ -2322,7 +2322,6 @@ static int process_cc(struct ib_device *ibdev, int mad_flags,
+ ret = cc_get_congestion_control_table(ccp, ibdev, port);
+ goto bail;
+
+- /* FALLTHROUGH */
+ default:
+ ccp->status |= IB_SMP_UNSUP_METH_ATTR;
+ ret = reply((struct ib_smp *) ccp);
+@@ -2339,7 +2338,6 @@ static int process_cc(struct ib_device *ibdev, int mad_flags,
+ ret = cc_set_congestion_control_table(ccp, ibdev, port);
+ goto bail;
+
+- /* FALLTHROUGH */
+ default:
+ ccp->status |= IB_SMP_UNSUP_METH_ATTR;
+ ret = reply((struct ib_smp *) ccp);
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-remove-useless-condition-in-siw_create_cq.patch b/patches.suse/RDMA-remove-useless-condition-in-siw_create_cq.patch
new file mode 100644
index 0000000..d5b762f
--- /dev/null
+++ b/patches.suse/RDMA-remove-useless-condition-in-siw_create_cq.patch
@@ -0,0 +1,40 @@
+From aeea6cc067525103301fb7a6ba5c861b631f2086 Mon Sep 17 00:00:00 2001
+From: Andrey Strachuk
+Date: Mon, 11 Jul 2022 18:12:51 +0300
+Subject: [PATCH 1/1] RDMA: remove useless condition in siw_create_cq()
+Git-commit: aeea6cc067525103301fb7a6ba5c861b631f2086
+Patch-mainline: v6.0
+References: git-fixes
+
+Comparison of 'cq' with NULL is useless since
+'cq' is a result of container_of and cannot be NULL
+in any reasonable scenario.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
+Link: https://lore.kernel.org/r/20220711151251.17089-1-strochuk@ispras.ru
+Signed-off-by: Andrey Strachuk
+Acked-by: Bernard Metzler
+Signed-off-by: Leon Romanovsky
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/siw/siw_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c
+index 09316072b789..8dedae7ae79e 100644
+--- a/drivers/infiniband/sw/siw/siw_verbs.c
++++ b/drivers/infiniband/sw/siw/siw_verbs.c
+@@ -1167,7 +1167,7 @@ int siw_create_cq(struct ib_cq *base_cq, const struct ib_cq_init_attr *attr,
+ err_out:
+ siw_dbg(base_cq->device, "CQ creation failed: %d", rv);
+
+- if (cq && cq->queue) {
++ if (cq->queue) {
+ struct siw_ucontext *ctx =
+ rdma_udata_to_drv_context(udata, struct siw_ucontext,
+ base_ucontext);
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rtrs-srv-Pass-the-correct-number-of-entries-for.patch b/patches.suse/RDMA-rtrs-srv-Pass-the-correct-number-of-entries-for.patch
new file mode 100644
index 0000000..d7022e5
--- /dev/null
+++ b/patches.suse/RDMA-rtrs-srv-Pass-the-correct-number-of-entries-for.patch 
@@ -0,0 +1,77 @@ +From 56c310de0b4b3aca1c4fdd9c1093fc48372a7335 Mon Sep 17 00:00:00 2001 +From: Jack Wang +Date: Thu, 18 Aug 2022 12:53:55 +0200 +Subject: [PATCH 1/1] RDMA/rtrs-srv: Pass the correct number of entries for dma + mapped SGL +Git-commit: 56c310de0b4b3aca1c4fdd9c1093fc48372a7335 +Patch-mainline: v6.0 +References: git-fixes + +ib_dma_map_sg() augments the SGL into a 'dma mapped SGL'. This process +may change the number of entries and the lengths of each entry. + +Code that touches dma_address is iterating over the 'dma mapped SGL' +and must use dma_nents which returned from ib_dma_map_sg(). + +We should use the return count from ib_dma_map_sg for futher usage. + +Fixes: 9cb837480424e ("RDMA/rtrs: server: main functionality") +Link: https://lore.kernel.org/r/20220818105355.110344-4-haris.iqbal@ionos.com +Signed-off-by: Jack Wang +Reviewed-by: Aleksei Marov +Signed-off-by: Leon Romanovsky +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/ulp/rtrs/rtrs-srv.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +index 34c03bde5064..4894e7329d88 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +@@ -595,7 +595,7 @@ static int map_cont_bufs(struct rtrs_srv_path *srv_path) + struct sg_table *sgt = &srv_mr->sgt; + struct scatterlist *s; + struct ib_mr *mr; +- int nr, chunks; ++ int nr, nr_sgt, chunks; + + chunks = chunks_per_mr * mri; + if (!always_invalidate) +@@ -610,19 +610,19 @@ static int map_cont_bufs(struct rtrs_srv_path *srv_path) + sg_set_page(s, srv->chunks[chunks + i], + max_chunk_size, 0); + +- nr = ib_dma_map_sg(sess->s.dev->ib_dev, sgt->sgl, ++ nr_sgt = ib_dma_map_sg(sess->s.dev->ib_dev, sgt->sgl, + sgt->nents, DMA_BIDIRECTIONAL); +- if (nr < sgt->nents) { +- err = nr < 0 ? 
nr : -EINVAL; ++ if (!nr_sgt) { ++ err = -EINVAL; + goto free_sg; + } + mr = ib_alloc_mr(sess->s.dev->ib_pd, IB_MR_TYPE_MEM_REG, +- sgt->nents); ++ nr_sgt); + if (IS_ERR(mr)) { + err = PTR_ERR(mr); + goto unmap_sg; + } +- nr = ib_map_mr_sg(mr, sgt->sgl, sgt->nents, ++ nr = ib_map_mr_sg(mr, sgt->sgl, nr_sgt, + NULL, max_chunk_size); + if (nr < 0 || nr < sgt->nents) { + err = nr < 0 ? nr : -EINVAL; +@@ -641,7 +641,7 @@ static int map_cont_bufs(struct rtrs_srv_path *srv_path) + } + } + /* Eventually dma addr for each chunk can be cached */ +- for_each_sg(sgt->sgl, s, sgt->orig_nents, i) ++ for_each_sg(sgt->sgl, s, nr_sgt, i) + sess->dma_addr[chunks + i] = sg_dma_address(s); + + ib_update_fast_reg_key(mr, ib_inc_rkey(mr->rkey)); +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-rxe-Don-t-overwrite-errno-from-ib_umem_get.patch b/patches.suse/RDMA-rxe-Don-t-overwrite-errno-from-ib_umem_get.patch new file mode 100644 index 0000000..ddef385 --- /dev/null +++ b/patches.suse/RDMA-rxe-Don-t-overwrite-errno-from-ib_umem_get.patch 
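Review bot: After the mapping step the code passes `nr_sgt` to `ib_map_mr_sg()`, but the check on the next line is still `if (nr < 0 || nr < sgt->nents)`. If `ib_dma_map_sg()` merged entries so that `nr_sgt < sgt->nents`, the MR mapping can never return enough entries and a successful mapping is rejected with -EINVAL. Comparing against the DMA-mapped count that was actually requested, `if (nr != nr_sgt) {`, avoids that. The unmap path at `unmap_sg` is outside the hunks; it should keep using the original entry count rather than `nr_sgt`.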
@@ -0,0 +1,39 @@
+From 20ec0a6d6016aa28b9b3299be18baef1a0f91cd2 Mon Sep 17 00:00:00 2001
+From: Xiao Yang
+Date: Mon, 21 Jun 2021 15:14:56 +0800
+Subject: [PATCH 1/1] RDMA/rxe: Don't overwrite errno from ib_umem_get()
+Git-commit: 20ec0a6d6016aa28b9b3299be18baef1a0f91cd2
+Patch-mainline: v5.14
+References: git-fixes
+
+rxe_mr_init_user() always returns the fixed -EINVAL when ib_umem_get()
+fails so it's hard for user to know which actual error happens in
+ib_umem_get(). For example, ib_umem_get() will return -EOPNOTSUPP when
+trying to pin pages on a DAX file.
+
+Return actual error as mlx4/mlx5 does.
+
+Link: https://lore.kernel.org/r/20210621071456.4259-1-ice_yangxiao@163.com
+Signed-off-by: Xiao Yang
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
+index 7f169329a8bf..6aabcb4de235 100644
+--- a/drivers/infiniband/sw/rxe/rxe_mr.c
++++ b/drivers/infiniband/sw/rxe/rxe_mr.c
+@@ -118,7 +118,7 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova,
+ if (IS_ERR(umem)) {
+ pr_warn("err %d from rxe_umem_get\n",
+ (int)PTR_ERR(umem));
+- err = -EINVAL;
++ err = PTR_ERR(umem);
+ goto err1;
+ }
+
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rxe-Fix-error-unwind-in-rxe_create_qp.patch b/patches.suse/RDMA-rxe-Fix-error-unwind-in-rxe_create_qp.patch
new file mode 100644
index 0000000..c3cfb46
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Fix-error-unwind-in-rxe_create_qp.patch
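Review bot: The `pr_warn()` kept just above the changed line fires on every failed umem lookup, and rxe_mr_init_user() takes `start` and `length` from its caller, so a user who can register memory regions can presumably fill the kernel log at will. Switching it to `pr_warn_ratelimited(...)`, or dropping it to debug level, would fit now that the real errno is returned to the caller anyway. The message also still names `rxe_umem_get`, while the commit description says the failing call is `ib_umem_get()`.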
@@ -0,0 +1,68 @@ +From fd5382c5805c4bcb50fd25b7246247d3f7114733 Mon Sep 17 00:00:00 2001 +From: Zhu Yanjun +Date: Sun, 31 Jul 2022 02:36:21 -0400 +Subject: [PATCH 1/1] RDMA/rxe: Fix error unwind in rxe_create_qp() +Git-commit: fd5382c5805c4bcb50fd25b7246247d3f7114733 +Patch-mainline: v6.0 +References: git-fixes + +In the function rxe_create_qp(), rxe_qp_from_init() is called to +initialize qp, internally things like the spin locks are not setup until +rxe_qp_init_req(). + +If an error occures before this point then the unwind will call +rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task() +which will oops when trying to access the uninitialized spinlock. + +Move the spinlock initializations earlier before any failures. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20220731063621.298405-1-yanjun.zhu@linux.dev +Reported-by: syzbot+833061116fa28df97f3b@syzkaller.appspotmail.com +Signed-off-by: Zhu Yanjun +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index c6519b9b94fb..516bf9b95e48 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -212,6 +212,14 @@ static void rxe_qp_init_misc(struct rxe_dev *rxe, struct rxe_qp *qp, + spin_lock_init(&qp->grp_lock); + spin_lock_init(&qp->state_lock); + ++ spin_lock_init(&qp->req.task.state_lock); ++ spin_lock_init(&qp->resp.task.state_lock); ++ spin_lock_init(&qp->comp.task.state_lock); ++ ++ spin_lock_init(&qp->sq.sq_lock); ++ spin_lock_init(&qp->rq.producer_lock); ++ spin_lock_init(&qp->rq.consumer_lock); ++ + atomic_set(&qp->ssn, 0); + atomic_set(&qp->skb_out, 0); + } +@@ -267,7 +275,6 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, + qp->req.opcode = -1; + qp->comp.opcode = -1; + +- 
spin_lock_init(&qp->sq.sq_lock); + skb_queue_head_init(&qp->req_pkts); + + rxe_init_task(rxe, &qp->req.task, qp, +@@ -317,9 +324,6 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, + } + } + +- spin_lock_init(&qp->rq.producer_lock); +- spin_lock_init(&qp->rq.consumer_lock); +- + skb_queue_head_init(&qp->resp_pkts); + + rxe_init_task(rxe, &qp->resp.task, qp, +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-rxe-Fix-extra-copies-in-build_rdma_network_hdr.patch b/patches.suse/RDMA-rxe-Fix-extra-copies-in-build_rdma_network_hdr.patch new file mode 100644 index 0000000..27db1e6 --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-extra-copies-in-build_rdma_network_hdr.patch 
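Review bot: Only the spinlocks were moved into `rxe_qp_init_misc()`; `skb_queue_head_init(&qp->req_pkts)` and `skb_queue_head_init(&qp->resp_pkts)` still run in `rxe_qp_init_req()` and `rxe_qp_init_resp()`. If the cleanup path described in the commit message also walks those queues, an early failure would hit the same kind of uninitialised state, so it is worth confirming that and moving the two queue initialisations alongside the locks if so. The `task.state_lock` members are now initialised here and, if `rxe_init_task()` initialises them too, a second time later; that is harmless but deserves a comment such as `/* initialised early so error unwind can take these locks */`.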
@@ -0,0 +1,75 @@
+From 1993cbed65bb590a3479d175fc1ac3c775b6bba8 Mon Sep 17 00:00:00 2001
+From: Bob Pearson
+Date: Thu, 17 Jun 2021 23:57:40 -0500
+Subject: [PATCH 1/1] RDMA/rxe: Fix extra copies in build_rdma_network_hdr
+Git-commit: 1993cbed65bb590a3479d175fc1ac3c775b6bba8
+Patch-mainline: v5.14
+References: git-fixes
+
+build_rdma_network_hdr() in rxe_resp.c does more copying than is
+needed. Remove this subroutine and eliminate the extra copies for IPV6 and
+reduce the extra copying for IPV4.
+
+Fixes: e404f945a610 ("IB/rxe: improved debug prints & code cleanup")
+Link: https://lore.kernel.org/r/20210618045742.204195-4-rpearsonhpe@gmail.com
+Signed-off-by: Bob Pearson
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_resp.c | 29 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
+index 5565d88e0261..5718c8bb28ac 100644
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -766,34 +766,29 @@ static enum resp_states read_reply(struct rxe_qp *qp,
+ return state;
+ }
+
+-static void build_rdma_network_hdr(union rdma_network_hdr *hdr,
+- struct rxe_pkt_info *pkt)
+-{
+- struct sk_buff *skb = PKT_TO_SKB(pkt);
+-
+- memset(hdr, 0, sizeof(*hdr));
+- if (skb->protocol == htons(ETH_P_IP))
+- memcpy(&hdr->roce4grh, ip_hdr(skb), sizeof(hdr->roce4grh));
+- else if (skb->protocol == htons(ETH_P_IPV6))
+- memcpy(&hdr->ibgrh, ipv6_hdr(skb), sizeof(hdr->ibgrh));
+-}
+-
+ /* Executes a new request. A retried request never reach that function (send
+ * and writes are discarded, and reads and atomics are retried elsewhere.
+ */
+ static enum resp_states execute(struct rxe_qp *qp, struct rxe_pkt_info *pkt)
+ {
+ enum resp_states err;
++ struct sk_buff *skb = PKT_TO_SKB(pkt);
++ union rdma_network_hdr hdr;
+
+ if (pkt->mask & RXE_SEND_MASK) {
+ if (qp_type(qp) == IB_QPT_UD ||
+ qp_type(qp) == IB_QPT_SMI ||
+ qp_type(qp) == IB_QPT_GSI) {
+- union rdma_network_hdr hdr;
+-
+- build_rdma_network_hdr(&hdr, pkt);
+-
+- err = send_data_in(qp, &hdr, sizeof(hdr));
++ if (skb->protocol == htons(ETH_P_IP)) {
++ memset(&hdr.reserved, 0,
++ sizeof(hdr.reserved));
++ memcpy(&hdr.roce4grh, ip_hdr(skb),
++ sizeof(hdr.roce4grh));
++ err = send_data_in(qp, &hdr, sizeof(hdr));
++ } else {
++ err = send_data_in(qp, ipv6_hdr(skb),
++ sizeof(hdr));
++ }
+ if (err)
+ return err;
+ }
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rxe-Fix-extra-copy-in-prepare_ack_packet.patch b/patches.suse/RDMA-rxe-Fix-extra-copy-in-prepare_ack_packet.patch
new file mode 100644
index 0000000..03c2216
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Fix-extra-copy-in-prepare_ack_packet.patch
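Review bot: The removed helper copied an IPv6 header only when `skb->protocol == htons(ETH_P_IPV6)` and otherwise left the zeroed buffer, whereas the new `else` branch hands `ipv6_hdr(skb)` to `send_data_in()` for every packet that is not IPv4. If any other protocol value can reach execute(), `sizeof(hdr)` bytes of whatever sits at the network-header offset would be copied into the receiver's buffer. Making the branch explicit, `} else if (skb->protocol == htons(ETH_P_IPV6)) {`, with a zeroed `hdr` as the fallback, restores the old behaviour. The rest of execute() is outside the hunk.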
@@ -0,0 +1,49 @@
+From 3896bde92d036de4376b9b4dfa3753ea23659f30 Mon Sep 17 00:00:00 2001
+From: Bob Pearson
+Date: Thu, 17 Jun 2021 23:57:42 -0500
+Subject: [PATCH 1/1] RDMA/rxe: Fix extra copy in prepare_ack_packet
+Git-commit: 3896bde92d036de4376b9b4dfa3753ea23659f30
+Patch-mainline: v5.14
+References: git-fixes
+
+Currently prepare_ack_packet writes almost all the fields of the BTH in
+the ack packet twice. Replace code with the subroutine init_bth().
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20210618045742.204195-6-rpearsonhpe@gmail.com
+Signed-off-by: Bob Pearson
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_resp.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
+index 93322d20c0ab..72cdb170b67b 100644
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -637,18 +637,11 @@ static struct sk_buff *prepare_ack_packet(struct rxe_qp *qp,
+ ack->opcode = opcode;
+ ack->mask = rxe_opcode[opcode].mask;
+ ack->paylen = paylen;
+-
+- /* fill in bth using the request packet headers */
+- memcpy(ack->hdr, pkt->hdr, RXE_BTH_BYTES);
+-
+- bth_set_opcode(ack, opcode);
+- bth_set_qpn(ack, qp->attr.dest_qp_num);
+- bth_set_pad(ack, pad);
+- bth_set_se(ack, 0);
+- bth_set_psn(ack, psn);
+- bth_set_ack(ack, 0);
+ ack->psn = psn;
+
++ bth_init(ack, opcode, 0, 0, pad, IB_DEFAULT_PKEY_FULL,
++ qp->attr.dest_qp_num, 0, psn);
++
+ if (ack->mask & RXE_AETH_MASK) {
+ aeth_set_syn(ack, syndrome);
+ aeth_set_msn(ack, qp->resp.msn);
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rxe-Fix-failure-during-driver-load.patch b/patches.suse/RDMA-rxe-Fix-failure-during-driver-load.patch
new file mode 100644
index 0000000..0a77d2b
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Fix-failure-during-driver-load.patch
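Review bot: Replacing `memcpy(ack->hdr, pkt->hdr, RXE_BTH_BYTES)` with `bth_init(...)` in prepare_ack_packet() does more than save a copy: the ack no longer inherits any BTH field from the request, and its P_Key becomes the constant `IB_DEFAULT_PKEY_FULL` instead of whatever the request carried. That is presumably harmless if rxe only ever uses the default P_Key (not visible in this hunk), but it deserves a comment at the call, for example `/* BTH is built from scratch; the ack always carries the default pkey, not the request's */`. The commit message names the helper `init_bth()` while the code calls `bth_init()`. prepare_ack_packet() starts and ends outside the hunk.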
@@ -0,0 +1,57 @@
+From 32a25f2ea690dfaace19f7a3a916f5d7e1ddafe8 Mon Sep 17 00:00:00 2001
+From: Kamal Heib
+Date: Thu, 3 Jun 2021 12:01:12 +0300
+Subject: [PATCH 1/1] RDMA/rxe: Fix failure during driver load
+Git-commit: 32a25f2ea690dfaace19f7a3a916f5d7e1ddafe8
+Patch-mainline: v5.14
+References: git-fixes
+
+To avoid the following failure when trying to load the rdma_rxe module
+while IPv6 is disabled, add a check for EAFNOSUPPORT and ignore the
+failure, also delete the needless debug print from rxe_setup_udp_tunnel().
+
+$ modprobe rdma_rxe
+modprobe: ERROR: could not insert 'rdma_rxe': Operation not permitted
+
+Fixes: dfdd6158ca2c ("IB/rxe: Fix kernel panic in udp_setup_tunnel")
+Link: https://lore.kernel.org/r/20210603090112.36341-1-kamalheib1@gmail.com
+Reported-by: Yi Zhang
+Signed-off-by: Kamal Heib
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_net.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
+index 01662727dca0..fc1ba4904279 100644
+--- a/drivers/infiniband/sw/rxe/rxe_net.c
++++ b/drivers/infiniband/sw/rxe/rxe_net.c
+@@ -207,10 +207,8 @@ static struct socket *rxe_setup_udp_tunnel(struct net *net, __be16 port,
+
+ /* Create UDP socket */
+ err = udp_sock_create(net, &udp_cfg, &sock);
+- if (err < 0) {
+- pr_err("failed to create udp socket. err = %d\n", err);
++ if (err < 0)
+ return ERR_PTR(err);
+- }
+
+ tnl_cfg.encap_type = 1;
+ tnl_cfg.encap_rcv = rxe_udp_encap_recv;
+@@ -619,6 +617,12 @@ static int rxe_net_ipv6_init(void)
+
+ recv_sockets.sk6 = rxe_setup_udp_tunnel(&init_net,
+ htons(ROCE_V2_UDP_DPORT), true);
++ if (PTR_ERR(recv_sockets.sk6) == -EAFNOSUPPORT) {
++ recv_sockets.sk6 = NULL;
++ pr_warn("IPv6 is not supported, can not create a UDPv6 socket\n");
++ return 0;
++ }
++
+ if (IS_ERR(recv_sockets.sk6)) {
+ recv_sockets.sk6 = NULL;
+ pr_err("Failed to create IPv6 UDP tunnel\n");
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rxe-Fix-kernel-NULL-pointer-dereference-error.patch b/patches.suse/RDMA-rxe-Fix-kernel-NULL-pointer-dereference-error.patch
new file mode 100644
index 0000000..5b0cd2b
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Fix-kernel-NULL-pointer-dereference-error.patch
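Review bot: In rxe_net_ipv6_init() the test `PTR_ERR(recv_sockets.sk6) == -EAFNOSUPPORT` runs before anything has established that the pointer is an error value; it gives the right answer, but the usual form checks `IS_ERR()` first, e.g. `if (IS_ERR(recv_sockets.sk6) && PTR_ERR(recv_sockets.sk6) == -EAFNOSUPPORT) {`. The branch then returns 0 with `recv_sockets.sk6 == NULL`, so every later user of that socket has to tolerate NULL; those users are outside this hunk and are worth checking. With the `pr_err` removed from rxe_setup_udp_tunnel(), no visible path logs the error code any more, so the remaining `pr_err("Failed to create IPv6 UDP tunnel\n")` could include it.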
@@ -0,0 +1,47 @@
+From a625ca30eff806395175ebad3ac1399014bdb280 Mon Sep 17 00:00:00 2001
+From: Zhu Yanjun
+Date: Sun, 21 Aug 2022 21:16:13 -0400
+Subject: [PATCH 1/1] RDMA/rxe: Fix "kernel NULL pointer dereference" error
+Git-commit: a625ca30eff806395175ebad3ac1399014bdb280
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+When rxe_queue_init in the function rxe_qp_init_req fails,
+both qp->req.task.func and qp->req.task.arg are not initialized.
+
+Because of creation of qp fails, the function rxe_create_qp will
+call rxe_qp_do_cleanup to handle allocated resource.
+
+Before calling __rxe_do_task, both qp->req.task.func and
+qp->req.task.arg should be checked.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20220822011615.805603-2-yanjun.zhu@linux.dev
+Reported-by: syzbot+ab99dc4c6e961eed8b8e@syzkaller.appspotmail.com
+Signed-off-by: Zhu Yanjun
+Reviewed-by: Li Zhijian
+Reviewed-by: Bob Pearson
+Signed-off-by: Leon Romanovsky
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index 516bf9b95e48..fda03f9f03ed 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -797,7 +797,9 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
+ rxe_cleanup_task(&qp->comp.task);
+
+ /* flush out any receive wr's or pending requests */
+- __rxe_do_task(&qp->req.task);
++ if (qp->req.task.func)
++ __rxe_do_task(&qp->req.task);
++
+ if (qp->sq.queue) {
+ __rxe_do_task(&qp->comp.task);
+ __rxe_do_task(&qp->req.task);
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rxe-Fix-over-copying-in-get_srq_wqe.patch b/patches.suse/RDMA-rxe-Fix-over-copying-in-get_srq_wqe.patch
new file mode 100644
index 0000000..fbbe959
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Fix-over-copying-in-get_srq_wqe.patch
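Review bot: The new `if (qp->req.task.func)` guard in rxe_qp_do_cleanup() covers only the first `__rxe_do_task(&qp->req.task)`; the two calls inside `if (qp->sq.queue)` directly below stay unguarded, and the commit message says `task.arg` should be checked as well, which the code does not do. If `sq.queue` can be non-NULL while the tasks were never initialised (the init path is not visible here), the same dereference remains reachable. The guard also depends on the qp having been zeroed at allocation, which a comment such as `/* func is NULL if rxe_qp_init_req() failed before the task was set up */` would record. The function starts and ends outside the hunk.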
@@ -0,0 +1,56 @@
+From ec0fa2445c18ec49a0b7ee0aaa82d1ec00968fc9 Mon Sep 17 00:00:00 2001
+From: Bob Pearson
+Date: Thu, 17 Jun 2021 23:57:41 -0500
+Subject: [PATCH 1/1] RDMA/rxe: Fix over copying in get_srq_wqe
+Git-commit: ec0fa2445c18ec49a0b7ee0aaa82d1ec00968fc9
+Patch-mainline: v5.14
+References: git-fixes
+
+Currently get_srq_wqe() in rxe_resp.c copies the maximum possible number
+of bytes from the wqe into the QPs copy of the SRQ wqe. This is usually
+extra work and risks reading past the end of the SRQ circular buffer if
+the SRQ is configured with less than the maximum possible number of SGEs.
+
+Check the number of SGEs is not too large.
+Compute the actual number of bytes in the WR and copy only those.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20210618045742.204195-5-rpearsonhpe@gmail.com
+Signed-off-by: Bob Pearson
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_resp.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
+index 5718c8bb28ac..93322d20c0ab 100644
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -319,6 +319,7 @@ static enum resp_states get_srq_wqe(struct rxe_qp *qp)
+ struct rxe_queue *q = srq->rq.queue;
+ struct rxe_recv_wqe *wqe;
+ struct ib_event ev;
++ size_t size;
+
+ if (srq->error)
+ return RESPST_ERR_RNR;
+@@ -311,8 +312,13 @@ static enum resp_states get_srq_wqe(struct rxe_qp *qp)
+ return RESPST_ERR_RNR;
+ }
+
+- /* note kernel and user space recv wqes have same size */
+- memcpy(&qp->resp.srq_wqe, wqe, sizeof(qp->resp.srq_wqe));
++ /* don't trust user space data */
++ if (unlikely(wqe->dma.num_sge > srq->rq.max_sge)) {
++ pr_warn("%s: invalid num_sge in SRQ entry\n", __func__);
++ return RESPST_ERR_MALFORMED_WQE;
++ }
++ size = sizeof(wqe) + wqe->dma.num_sge*sizeof(struct rxe_sge);
++ memcpy(&qp->resp.srq_wqe, wqe, size);
+
+ qp->resp.wqe = &qp->resp.srq_wqe.wqe;
+ advance_consumer(q);
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rxe-Fix-redundant-call-to-ip_send_check.patch b/patches.suse/RDMA-rxe-Fix-redundant-call-to-ip_send_check.patch
new file mode 100644
index 0000000..d7dc294
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Fix-redundant-call-to-ip_send_check.patch
@@ -0,0 +1,41 @@
+From 230bb836ee88683052b01e3bff3885c440a785b1 Mon Sep 17 00:00:00 2001
+From: Bob Pearson
+Date: Thu, 17 Jun 2021 23:57:39 -0500
+Subject: [PATCH 1/1] RDMA/rxe: Fix redundant call to ip_send_check
+Git-commit: 230bb836ee88683052b01e3bff3885c440a785b1
+Patch-mainline: v5.14
+References: git-fixes
+
+For IPV4 packets sent on the wire the rxe driver calls ip_local_out()
+which immediately calls __ip_local_out() which sets iph->tot_len and calls
+ip_send_check(). This code is duplicated in prepare4(). On the loopback
+path the IP header checksum and tot_len fields are not used so they do not
+need to be set.
+
+Remove this redundant code.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20210618045742.204195-3-rpearsonhpe@gmail.com
+Signed-off-by: Bob Pearson
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_net.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
+index fc1ba4904279..c4350ce3b306 100644
+--- a/drivers/infiniband/sw/rxe/rxe_net.c
++++ b/drivers/infiniband/sw/rxe/rxe_net.c
+@@ -267,8 +267,6 @@ static void prepare_ipv4_hdr(struct dst_entry *dst, struct sk_buff *skb,
+ iph->ttl = ttl;
+ __ip_select_ident(dev_net(dst->dev), iph,
+ skb_shinfo(skb)->gso_segs ?: 1);
+- iph->tot_len = htons(skb->len);
+- ip_send_check(iph);
+ }
+
+ static void prepare_ipv6_hdr(struct dst_entry *dst, struct sk_buff *skb,
+--
+2.38.0.1.gee35aeee4b76
+
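Review bot: In get_srq_wqe() (RDMA-rxe-Fix-over-copying-in-get_srq_wqe.patch) `sizeof(wqe)` is the size of the pointer declared as `struct rxe_recv_wqe *wqe`, not of the WQE itself, so the memcpy() copies only pointer-size bytes plus the SGE byte count and leaves the tail of `qp->resp.srq_wqe` holding whatever an earlier entry put there. The line should read `size = sizeof(*wqe) + wqe->dma.num_sge * sizeof(struct rxe_sge);`. `wqe->dma.num_sge` is also fetched twice, once for the bound check and once for the size, from a buffer the new comment treats as user-controlled; reading it once into a local and using that value for both closes the window between check and use. The function body continues outside both inner hunks.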
diff --git a/patches.suse/RDMA-rxe-Fix-redundant-skb_put_zero.patch b/patches.suse/RDMA-rxe-Fix-redundant-skb_put_zero.patch
new file mode 100644
index 0000000..0b7e92f
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Fix-redundant-skb_put_zero.patch
@@ -0,0 +1,37 @@
+From 2d3b2e4427e2d74085bd2c17ffd737875871c983 Mon Sep 17 00:00:00 2001
+From: Bob Pearson
+Date: Thu, 17 Jun 2021 23:57:43 -0500
+Subject: [PATCH 1/1] RDMA/rxe: Fix redundant skb_put_zero
+Git-commit: 2d3b2e4427e2d74085bd2c17ffd737875871c983
+Patch-mainline: v5.14
+References: git-fixes
+
+rxe_init_packet() in rxe_net.c calls skb_put_zero() to reserve space for
+the payload and zero it out. All these bytes are then re-written with RoCE
+headers and payload. Remove this useless extra copy.
+
+Fixes: ecb238f6a7f3 ("IB/cxgb4: use skb_put_zero()/__skb_put_zero")
+Link: https://lore.kernel.org/r/20210618045742.204195-7-rpearsonhpe@gmail.com
+Signed-off-by: Bob Pearson
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
+index c4350ce3b306..dec92928a1cd 100644
+--- a/drivers/infiniband/sw/rxe/rxe_net.c
++++ b/drivers/infiniband/sw/rxe/rxe_net.c
+@@ -468,7 +468,7 @@ struct sk_buff *rxe_init_packet(struct rxe_dev *rxe, struct rxe_av *av,
+
+ pkt->rxe = rxe;
+ pkt->port_num = port_num;
+- pkt->hdr = skb_put_zero(skb, paylen);
++ pkt->hdr = skb_put(skb, paylen);
+ pkt->mask |= RXE_GRH_MASK;
+
+ out:
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rxe-Fix-rnr-retry-behavior.patch b/patches.suse/RDMA-rxe-Fix-rnr-retry-behavior.patch
new file mode 100644
index 0000000..5f0a007
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Fix-rnr-retry-behavior.patch
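Review bot: Switching rxe_init_packet() from `skb_put_zero(skb, paylen)` to `skb_put(skb, paylen)` means any byte of the `paylen` region that is not written later leaves the host as uninitialised skb memory. The commit message asserts that every byte is rewritten, but that cannot be checked from this hunk; pad bytes and reserved header bits are the usual gaps. A comment at the call would make the invariant explicit, for example `/* not zeroed: headers, payload, pad and ICRC must all be written before the skb is sent */`. The function starts and ends outside the hunk.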
@@ -0,0 +1,128 @@ +From 445fd4f4fb76d513de6b05b08b3a4d0bb980fc80 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Thu, 30 Jun 2022 14:04:22 -0500 +Subject: [PATCH 1/1] RDMA/rxe: Fix rnr retry behavior +Git-commit: 445fd4f4fb76d513de6b05b08b3a4d0bb980fc80 +Patch-mainline: v6.0 +References: git-fixes + +Currently the completer tasklet when retransmit timer or the rnr timer +fires the same flag (qp->req.need_retry) is set so that if either timer +fires it will attempt to perform a retry flow on the send queue. This has +the effect of responding to an RNR NAK at the first retransmit timer event +which might not allow the requested rnr timeout. + +This patch adds a new flag (qp->req.wait_for_rnr_timer) which, if set, +prevents a retry flow until the rnr nak timer fires. + +This patch fixes rnr retry errors which can be observed by running the +pyverbs test_rdmacm_async_traffic_external_qp multiple times. With this +patch applied they do not occur. + +Link: https://lore.kernel.org/linux-rdma/a8287823-1408-4273-bc22-99a0678db640@gmail.com/ +Link: https://lore.kernel.org/linux-rdma/2bafda9e-2bb6-186d-12a1-179e8f6a2678@talpey.com/ +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20220630190425.2251-6-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_comp.c | 8 +++++++- + drivers/infiniband/sw/rxe/rxe_qp.c | 1 + + drivers/infiniband/sw/rxe/rxe_req.c | 15 +++++++++++++-- + drivers/infiniband/sw/rxe/rxe_verbs.h | 1 + + 4 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_comp.c b/drivers/infiniband/sw/rxe/rxe_comp.c +index da3a398053b8..4fc31bb7eee6 100644 +--- a/drivers/infiniband/sw/rxe/rxe_comp.c ++++ b/drivers/infiniband/sw/rxe/rxe_comp.c +@@ -114,6 +114,8 @@ void retransmit_timer(struct timer_list *t) + { + struct rxe_qp *qp = from_timer(qp, t, retrans_timer); + ++ pr_debug("%s: fired for 
qp#%d\n", __func__, qp->pelem.index); ++ + if (qp->valid) { + qp->comp.timeout = 1; + rxe_run_task(&qp->comp.task, 1); +@@ -730,11 +732,15 @@ int rxe_completer(void *arg) + break; + + case COMPST_RNR_RETRY: ++ /* we come here if we received an RNR NAK */ + if (qp->comp.rnr_retry > 0) { + if (qp->comp.rnr_retry != 7) + qp->comp.rnr_retry--; + +- qp->req.need_retry = 1; ++ /* don't start a retry flow until the ++ * rnr timer has fired ++ */ ++ qp->req.wait_for_rnr_timer = 1; + pr_debug("qp#%d set rnr nak timer\n", + qp_num(qp)); + mod_timer(&qp->rnr_nak_timer, +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index 65d75eea460f..eef91b8cb4ed 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -505,6 +505,7 @@ static void rxe_qp_reset(struct rxe_qp *qp) + atomic_set(&qp->ssn, 0); + qp->req.opcode = -1; + qp->req.need_retry = 0; ++ qp->req.wait_for_rnr_timer = 0; + qp->req.noack_pkts = 0; + qp->resp.msn = 0; + qp->resp.opcode = -1; +diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c +index 12a4a47ed969..f33699a094e0 100644 +--- a/drivers/infiniband/sw/rxe/rxe_req.c ++++ b/drivers/infiniband/sw/rxe/rxe_req.c +@@ -100,7 +100,11 @@ void rnr_nak_timer(struct timer_list *t) + { + struct rxe_qp *qp = from_timer(qp, t, rnr_nak_timer); + +- pr_debug("qp#%d rnr nak timer fired\n", qp_num(qp)); ++ pr_debug("%s: fired for qp#%d\n", __func__, qp_num(qp)); ++ ++ /* request a send queue retry */ ++ qp->req.need_retry = 1; ++ qp->req.wait_for_rnr_timer = 0; + rxe_run_task(&qp->req.task, 1); + } + +@@ -641,10 +645,17 @@ next_wqe: + qp->req.need_rd_atomic = 0; + qp->req.wait_psn = 0; + qp->req.need_retry = 0; ++ qp->req.wait_for_rnr_timer = 0; + goto exit; + } + +- if (unlikely(qp->req.need_retry)) { ++ /* we come here if the retransmot timer has fired ++ * or if the rnr timer has fired. 
If the retransmit ++ * timer fires while we are processing an RNR NAK wait ++ * until the rnr timer has fired before starting the ++ * retry flow ++ */ ++ if (unlikely(qp->req.need_retry && !qp->req.wait_for_rnr_timer)) { + req_retry(qp); + qp->req.need_retry = 0; + } +diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.h b/drivers/infiniband/sw/rxe/rxe_verbs.h +index 628e40c1714b..9fd5861f28fb 100644 +--- a/drivers/infiniband/sw/rxe/rxe_verbs.h ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.h +@@ -123,6 +123,7 @@ struct rxe_req_info { + int need_rd_atomic; + int wait_psn; + int need_retry; ++ int wait_for_rnr_timer; + int noack_pkts; + struct rxe_task task; + }; +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-rxe-Fix-the-error-caused-by-qp-sk.patch b/patches.suse/RDMA-rxe-Fix-the-error-caused-by-qp-sk.patch new file mode 100644 index 0000000..565f7a5 --- /dev/null +++ b/patches.suse/RDMA-rxe-Fix-the-error-caused-by-qp-sk.patch 
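Review bot: The comment added above the `need_retry` test in rxe_req.c misspells the timer as `retransmot`; the line should read `/* we come here if the retransmit timer has fired`. The two new debug prints also identify the QP differently, `qp->pelem.index` in retransmit_timer() and `qp_num(qp)` in rnr_nak_timer(); using `pr_debug("%s: fired for qp#%d\n", __func__, qp_num(qp));` in both keeps log lines easy to correlate, assuming the two values are meant to match. `need_retry` and `wait_for_rnr_timer` are plain ints written from timer context and read by the requester task, so the new comment could also state what orders those accesses.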
@@ -0,0 +1,47 @@
+From 548ce2e66725dcba4e27d1e8ac468d5dd17fd509 Mon Sep 17 00:00:00 2001
+From: Zhu Yanjun
+Date: Sun, 21 Aug 2022 21:16:14 -0400
+Subject: [PATCH 1/1] RDMA/rxe: Fix the error caused by qp->sk
+Git-commit: 548ce2e66725dcba4e27d1e8ac468d5dd17fd509
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+When sock_create_kern in the function rxe_qp_init_req fails,
+qp->sk is set to NULL.
+
+Then the function rxe_create_qp will call rxe_qp_do_cleanup
+to handle allocated resource.
+
+Before handling qp->sk, this variable should be checked.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20220822011615.805603-3-yanjun.zhu@linux.dev
+Signed-off-by: Zhu Yanjun
+Reviewed-by: Li Zhijian
+Reviewed-by: Bob Pearson
+Signed-off-by: Leon Romanovsky
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index fda03f9f03ed..d776dfda43b1 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -835,8 +835,10 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
+
+ free_rd_atomic_resources(qp);
+
+- kernel_sock_shutdown(qp->sk, SHUT_RDWR);
+- sock_release(qp->sk);
++ if (qp->sk) {
++ kernel_sock_shutdown(qp->sk, SHUT_RDWR);
++ sock_release(qp->sk);
++ }
+ }
+
+ /* called when the last reference to the qp is dropped */
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rxe-Fix-wrong-port_cap_flags.patch b/patches.suse/RDMA-rxe-Fix-wrong-port_cap_flags.patch
new file mode 100644
index 0000000..cf33087
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Fix-wrong-port_cap_flags.patch
@@ -0,0 +1,38 @@
+From dcd3f985b20ffcc375f82ca0ca9f241c7025eb5e Mon Sep 17 00:00:00 2001
+From: Junji Wei
+Date: Tue, 31 Aug 2021 16:32:23 +0800
+Subject: [PATCH 1/1] RDMA/rxe: Fix wrong port_cap_flags
+Git-commit: dcd3f985b20ffcc375f82ca0ca9f241c7025eb5e
+Patch-mainline: v5.16
+References: git-fixes
+
+The port->attr.port_cap_flags should be set to enum
+ib_port_capability_mask_bits in ib_mad.h, not
+RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20210831083223.65797-1-weijunji@bytedance.com
+Signed-off-by: Junji Wei
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_param.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_param.h b/drivers/infiniband/sw/rxe/rxe_param.h
+index 742e6ec93686..b5a70cbe94aa 100644
+--- a/drivers/infiniband/sw/rxe/rxe_param.h
++++ b/drivers/infiniband/sw/rxe/rxe_param.h
+@@ -113,7 +113,7 @@ enum rxe_device_param {
+ /* default/initial rxe port parameters */
+ enum rxe_port_param {
+ RXE_PORT_GID_TBL_LEN = 1024,
+- RXE_PORT_PORT_CAP_FLAGS = RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP,
++ RXE_PORT_PORT_CAP_FLAGS = IB_PORT_CM_SUP,
+ RXE_PORT_MAX_MSG_SZ = 0x800000,
+ RXE_PORT_BAD_PKEY_CNTR = 0,
+ RXE_PORT_QKEY_VIOL_CNTR = 0,
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rxe-Generate-a-completion-for-unsupported-inval.patch b/patches.suse/RDMA-rxe-Generate-a-completion-for-unsupported-inval.patch
new file mode 100644
index 0000000..b5ac549
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Generate-a-completion-for-unsupported-inval.patch
@@ -0,0 +1,40 @@
+From 2f917af777011c88e977b9b9a5d00b280d3a59ce Mon Sep 17 00:00:00 2001
+From: Xiao Yang
+Date: Sun, 10 Apr 2022 19:35:13 +0800
+Subject: [PATCH 1/1] RDMA/rxe: Generate a completion for unsupported/invalid
+ opcode
+Git-commit: 2f917af777011c88e977b9b9a5d00b280d3a59ce
+Patch-mainline: v5.19
+References: git-fixes
+
+Current rxe_requester() doesn't generate a completion when processing an
+unsupported/invalid opcode. If rxe driver doesn't support a new opcode
+(e.g. RDMA Atomic Write) and RDMA library supports it, an application
+using the new opcode can reproduce this issue. Fix the issue by calling
+"goto err;".
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20220410113513.27537-1-yangx.jy@fujitsu.com
+Signed-off-by: Xiao Yang
+Signed-off-by: Jason Gunthorpe
+Acked-by: Nicolas Morey-Chaisemartin
+---
+ drivers/infiniband/sw/rxe/rxe_req.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c
+index 5f7348b11268..e2659663b283 100644
+--- a/drivers/infiniband/sw/rxe/rxe_req.c
++++ b/drivers/infiniband/sw/rxe/rxe_req.c
+@@ -659,7 +659,7 @@ next_wqe:
+ opcode = next_opcode(qp, wqe, wqe->wr.opcode);
+ if (unlikely(opcode < 0)) {
+ wqe->status = IB_WC_LOC_QP_OP_ERR;
+- goto exit;
++ goto err;
+ }
+
+ mask = rxe_opcode[opcode].mask;
+--
+2.38.0.1.gee35aeee4b76
+
diff --git a/patches.suse/RDMA-rxe-Remove-unused-pkt-offset.patch b/patches.suse/RDMA-rxe-Remove-unused-pkt-offset.patch
new file mode 100644
index 0000000..ccb2da6
--- /dev/null
+++ b/patches.suse/RDMA-rxe-Remove-unused-pkt-offset.patch
@@ -0,0 +1,523 @@ +From bf139b58af09eaed8828510adc094fc281deaf73 Mon Sep 17 00:00:00 2001 +From: Bob Pearson +Date: Thu, 11 Feb 2021 15:04:56 -0600 +Subject: [PATCH 1/1] RDMA/rxe: Remove unused pkt->offset +Git-commit: bf139b58af09eaed8828510adc094fc281deaf73 +Patch-mainline: v5.12 +References: git-fixes + +The pkt->offset field is never used except to assign it to 0. But it adds +lots of unneeded code. This patch removes the field and related code. This +causes a measurable improvement in performance. + +Link: https://lore.kernel.org/r/20210211210455.3274-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_hdr.h | 178 +++++++++++++-------------- + drivers/infiniband/sw/rxe/rxe_recv.c | 4 +- + drivers/infiniband/sw/rxe/rxe_req.c | 1 - + drivers/infiniband/sw/rxe/rxe_resp.c | 3 +- + 4 files changed, 90 insertions(+), 96 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_hdr.h b/drivers/infiniband/sw/rxe/rxe_hdr.h +index 3b483b75dfe3..e432f9e37795 100644 +--- a/drivers/infiniband/sw/rxe/rxe_hdr.h ++++ b/drivers/infiniband/sw/rxe/rxe_hdr.h +@@ -22,7 +22,6 @@ struct rxe_pkt_info { + u16 paylen; /* length of bth - icrc */ + u8 port_num; /* port pkt received on */ + u8 opcode; /* bth opcode of packet */ +- u8 offset; /* bth offset from pkt->hdr */ + }; + + /* Macros should be used only for received skb */ +@@ -280,134 +279,134 @@ static inline void __bth_set_psn(void *arg, u32 psn) + + static inline u8 bth_opcode(struct rxe_pkt_info *pkt) + { +- return __bth_opcode(pkt->hdr + pkt->offset); ++ return __bth_opcode(pkt->hdr); + } + + static inline void bth_set_opcode(struct rxe_pkt_info *pkt, u8 opcode) + { +- __bth_set_opcode(pkt->hdr + pkt->offset, opcode); ++ __bth_set_opcode(pkt->hdr, opcode); + } + + static inline u8 bth_se(struct rxe_pkt_info *pkt) + { +- return __bth_se(pkt->hdr + pkt->offset); ++ return __bth_se(pkt->hdr); + } + + static inline void 
bth_set_se(struct rxe_pkt_info *pkt, int se) + { +- __bth_set_se(pkt->hdr + pkt->offset, se); ++ __bth_set_se(pkt->hdr, se); + } + + static inline u8 bth_mig(struct rxe_pkt_info *pkt) + { +- return __bth_mig(pkt->hdr + pkt->offset); ++ return __bth_mig(pkt->hdr); + } + + static inline void bth_set_mig(struct rxe_pkt_info *pkt, u8 mig) + { +- __bth_set_mig(pkt->hdr + pkt->offset, mig); ++ __bth_set_mig(pkt->hdr, mig); + } + + static inline u8 bth_pad(struct rxe_pkt_info *pkt) + { +- return __bth_pad(pkt->hdr + pkt->offset); ++ return __bth_pad(pkt->hdr); + } + + static inline void bth_set_pad(struct rxe_pkt_info *pkt, u8 pad) + { +- __bth_set_pad(pkt->hdr + pkt->offset, pad); ++ __bth_set_pad(pkt->hdr, pad); + } + + static inline u8 bth_tver(struct rxe_pkt_info *pkt) + { +- return __bth_tver(pkt->hdr + pkt->offset); ++ return __bth_tver(pkt->hdr); + } + + static inline void bth_set_tver(struct rxe_pkt_info *pkt, u8 tver) + { +- __bth_set_tver(pkt->hdr + pkt->offset, tver); ++ __bth_set_tver(pkt->hdr, tver); + } + + static inline u16 bth_pkey(struct rxe_pkt_info *pkt) + { +- return __bth_pkey(pkt->hdr + pkt->offset); ++ return __bth_pkey(pkt->hdr); + } + + static inline void bth_set_pkey(struct rxe_pkt_info *pkt, u16 pkey) + { +- __bth_set_pkey(pkt->hdr + pkt->offset, pkey); ++ __bth_set_pkey(pkt->hdr, pkey); + } + + static inline u32 bth_qpn(struct rxe_pkt_info *pkt) + { +- return __bth_qpn(pkt->hdr + pkt->offset); ++ return __bth_qpn(pkt->hdr); + } + + static inline void bth_set_qpn(struct rxe_pkt_info *pkt, u32 qpn) + { +- __bth_set_qpn(pkt->hdr + pkt->offset, qpn); ++ __bth_set_qpn(pkt->hdr, qpn); + } + + static inline int bth_fecn(struct rxe_pkt_info *pkt) + { +- return __bth_fecn(pkt->hdr + pkt->offset); ++ return __bth_fecn(pkt->hdr); + } + + static inline void bth_set_fecn(struct rxe_pkt_info *pkt, int fecn) + { +- __bth_set_fecn(pkt->hdr + pkt->offset, fecn); ++ __bth_set_fecn(pkt->hdr, fecn); + } + + static inline int bth_becn(struct rxe_pkt_info *pkt) + { 
+- return __bth_becn(pkt->hdr + pkt->offset); ++ return __bth_becn(pkt->hdr); + } + + static inline void bth_set_becn(struct rxe_pkt_info *pkt, int becn) + { +- __bth_set_becn(pkt->hdr + pkt->offset, becn); ++ __bth_set_becn(pkt->hdr, becn); + } + + static inline u8 bth_resv6a(struct rxe_pkt_info *pkt) + { +- return __bth_resv6a(pkt->hdr + pkt->offset); ++ return __bth_resv6a(pkt->hdr); + } + + static inline void bth_set_resv6a(struct rxe_pkt_info *pkt) + { +- __bth_set_resv6a(pkt->hdr + pkt->offset); ++ __bth_set_resv6a(pkt->hdr); + } + + static inline int bth_ack(struct rxe_pkt_info *pkt) + { +- return __bth_ack(pkt->hdr + pkt->offset); ++ return __bth_ack(pkt->hdr); + } + + static inline void bth_set_ack(struct rxe_pkt_info *pkt, int ack) + { +- __bth_set_ack(pkt->hdr + pkt->offset, ack); ++ __bth_set_ack(pkt->hdr, ack); + } + + static inline void bth_set_resv7(struct rxe_pkt_info *pkt) + { +- __bth_set_resv7(pkt->hdr + pkt->offset); ++ __bth_set_resv7(pkt->hdr); + } + + static inline u32 bth_psn(struct rxe_pkt_info *pkt) + { +- return __bth_psn(pkt->hdr + pkt->offset); ++ return __bth_psn(pkt->hdr); + } + + static inline void bth_set_psn(struct rxe_pkt_info *pkt, u32 psn) + { +- __bth_set_psn(pkt->hdr + pkt->offset, psn); ++ __bth_set_psn(pkt->hdr, psn); + } + + static inline void bth_init(struct rxe_pkt_info *pkt, u8 opcode, int se, + int mig, int pad, u16 pkey, u32 qpn, int ack_req, + u32 psn) + { +- struct rxe_bth *bth = (struct rxe_bth *)(pkt->hdr + pkt->offset); ++ struct rxe_bth *bth = (struct rxe_bth *)(pkt->hdr); + + bth->opcode = opcode; + bth->flags = (pad << 4) & BTH_PAD_MASK; +@@ -448,14 +447,14 @@ static inline void __rdeth_set_een(void *arg, u32 een) + + static inline u8 rdeth_een(struct rxe_pkt_info *pkt) + { +- return __rdeth_een(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_RDETH]); ++ return __rdeth_een(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_RDETH]); + } + + static inline void rdeth_set_een(struct rxe_pkt_info *pkt, 
u32 een) + { +- __rdeth_set_een(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_RDETH], een); ++ __rdeth_set_een(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_RDETH], een); + } + + /****************************************************************************** +@@ -499,26 +498,26 @@ static inline void __deth_set_sqp(void *arg, u32 sqp) + + static inline u32 deth_qkey(struct rxe_pkt_info *pkt) + { +- return __deth_qkey(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_DETH]); ++ return __deth_qkey(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_DETH]); + } + + static inline void deth_set_qkey(struct rxe_pkt_info *pkt, u32 qkey) + { +- __deth_set_qkey(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_DETH], qkey); ++ __deth_set_qkey(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_DETH], qkey); + } + + static inline u32 deth_sqp(struct rxe_pkt_info *pkt) + { +- return __deth_sqp(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_DETH]); ++ return __deth_sqp(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_DETH]); + } + + static inline void deth_set_sqp(struct rxe_pkt_info *pkt, u32 sqp) + { +- __deth_set_sqp(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_DETH], sqp); ++ __deth_set_sqp(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_DETH], sqp); + } + + /****************************************************************************** +@@ -574,38 +573,38 @@ static inline void __reth_set_len(void *arg, u32 len) + + static inline u64 reth_va(struct rxe_pkt_info *pkt) + { +- return __reth_va(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_RETH]); ++ return __reth_va(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_RETH]); + } + + static inline void reth_set_va(struct rxe_pkt_info *pkt, u64 va) + { +- __reth_set_va(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_RETH], va); ++ __reth_set_va(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_RETH], va); + } + + static inline 
u32 reth_rkey(struct rxe_pkt_info *pkt) + { +- return __reth_rkey(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_RETH]); ++ return __reth_rkey(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_RETH]); + } + + static inline void reth_set_rkey(struct rxe_pkt_info *pkt, u32 rkey) + { +- __reth_set_rkey(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_RETH], rkey); ++ __reth_set_rkey(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_RETH], rkey); + } + + static inline u32 reth_len(struct rxe_pkt_info *pkt) + { +- return __reth_len(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_RETH]); ++ return __reth_len(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_RETH]); + } + + static inline void reth_set_len(struct rxe_pkt_info *pkt, u32 len) + { +- __reth_set_len(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_RETH], len); ++ __reth_set_len(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_RETH], len); + } + + /****************************************************************************** +@@ -676,50 +675,50 @@ static inline void __atmeth_set_comp(void *arg, u64 comp) + + static inline u64 atmeth_va(struct rxe_pkt_info *pkt) + { +- return __atmeth_va(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_ATMETH]); ++ return __atmeth_va(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_ATMETH]); + } + + static inline void atmeth_set_va(struct rxe_pkt_info *pkt, u64 va) + { +- __atmeth_set_va(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_ATMETH], va); ++ __atmeth_set_va(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_ATMETH], va); + } + + static inline u32 atmeth_rkey(struct rxe_pkt_info *pkt) + { +- return __atmeth_rkey(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_ATMETH]); ++ return __atmeth_rkey(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_ATMETH]); + } + + static inline void atmeth_set_rkey(struct rxe_pkt_info *pkt, u32 rkey) + { +- __atmeth_set_rkey(pkt->hdr + 
pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_ATMETH], rkey); ++ __atmeth_set_rkey(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_ATMETH], rkey); + } + + static inline u64 atmeth_swap_add(struct rxe_pkt_info *pkt) + { +- return __atmeth_swap_add(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_ATMETH]); ++ return __atmeth_swap_add(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_ATMETH]); + } + + static inline void atmeth_set_swap_add(struct rxe_pkt_info *pkt, u64 swap_add) + { +- __atmeth_set_swap_add(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_ATMETH], swap_add); ++ __atmeth_set_swap_add(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_ATMETH], swap_add); + } + + static inline u64 atmeth_comp(struct rxe_pkt_info *pkt) + { +- return __atmeth_comp(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_ATMETH]); ++ return __atmeth_comp(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_ATMETH]); + } + + static inline void atmeth_set_comp(struct rxe_pkt_info *pkt, u64 comp) + { +- __atmeth_set_comp(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_ATMETH], comp); ++ __atmeth_set_comp(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_ATMETH], comp); + } + + /****************************************************************************** +@@ -780,26 +779,26 @@ static inline void __aeth_set_msn(void *arg, u32 msn) + + static inline u8 aeth_syn(struct rxe_pkt_info *pkt) + { +- return __aeth_syn(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_AETH]); ++ return __aeth_syn(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_AETH]); + } + + static inline void aeth_set_syn(struct rxe_pkt_info *pkt, u8 syn) + { +- __aeth_set_syn(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_AETH], syn); ++ __aeth_set_syn(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_AETH], syn); + } + + static inline u32 aeth_msn(struct rxe_pkt_info *pkt) + { +- return __aeth_msn(pkt->hdr + pkt->offset +- + 
rxe_opcode[pkt->opcode].offset[RXE_AETH]); ++ return __aeth_msn(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_AETH]); + } + + static inline void aeth_set_msn(struct rxe_pkt_info *pkt, u32 msn) + { +- __aeth_set_msn(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_AETH], msn); ++ __aeth_set_msn(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_AETH], msn); + } + + /****************************************************************************** +@@ -825,14 +824,14 @@ static inline void __atmack_set_orig(void *arg, u64 orig) + + static inline u64 atmack_orig(struct rxe_pkt_info *pkt) + { +- return __atmack_orig(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_ATMACK]); ++ return __atmack_orig(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_ATMACK]); + } + + static inline void atmack_set_orig(struct rxe_pkt_info *pkt, u64 orig) + { +- __atmack_set_orig(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_ATMACK], orig); ++ __atmack_set_orig(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_ATMACK], orig); + } + + /****************************************************************************** +@@ -858,14 +857,14 @@ static inline void __immdt_set_imm(void *arg, __be32 imm) + + static inline __be32 immdt_imm(struct rxe_pkt_info *pkt) + { +- return __immdt_imm(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_IMMDT]); ++ return __immdt_imm(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_IMMDT]); + } + + static inline void immdt_set_imm(struct rxe_pkt_info *pkt, __be32 imm) + { +- __immdt_set_imm(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_IMMDT], imm); ++ __immdt_set_imm(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_IMMDT], imm); + } + + /****************************************************************************** +@@ -891,14 +890,14 @@ static inline void __ieth_set_rkey(void *arg, u32 rkey) + + static inline u32 ieth_rkey(struct rxe_pkt_info *pkt) + { +- return __ieth_rkey(pkt->hdr + pkt->offset 
+- + rxe_opcode[pkt->opcode].offset[RXE_IETH]); ++ return __ieth_rkey(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_IETH]); + } + + static inline void ieth_set_rkey(struct rxe_pkt_info *pkt, u32 rkey) + { +- __ieth_set_rkey(pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_IETH], rkey); ++ __ieth_set_rkey(pkt->hdr + ++ rxe_opcode[pkt->opcode].offset[RXE_IETH], rkey); + } + + enum rxe_hdr_length { +@@ -915,13 +914,12 @@ enum rxe_hdr_length { + + static inline size_t header_size(struct rxe_pkt_info *pkt) + { +- return pkt->offset + rxe_opcode[pkt->opcode].length; ++ return rxe_opcode[pkt->opcode].length; + } + + static inline void *payload_addr(struct rxe_pkt_info *pkt) + { +- return pkt->hdr + pkt->offset +- + rxe_opcode[pkt->opcode].offset[RXE_PAYLOAD]; ++ return pkt->hdr + rxe_opcode[pkt->opcode].offset[RXE_PAYLOAD]; + } + + static inline size_t payload_size(struct rxe_pkt_info *pkt) +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index 8a48a33d587b..45d2f711bce2 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -353,9 +353,7 @@ void rxe_rcv(struct sk_buff *skb) + __be32 *icrcp; + u32 calc_icrc, pack_icrc; + +- pkt->offset = 0; +- +- if (unlikely(skb->len < pkt->offset + RXE_BTH_BYTES)) ++ if (unlikely(skb->len < RXE_BTH_BYTES)) + goto drop; + + if (rxe_match_dgid(rxe, skb) < 0) { +diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c +index d4917646641a..889290793d75 100644 +--- a/drivers/infiniband/sw/rxe/rxe_req.c ++++ b/drivers/infiniband/sw/rxe/rxe_req.c +@@ -375,7 +375,6 @@ static struct sk_buff *init_req_packet(struct rxe_qp *qp, + pkt->psn = qp->req.psn; + pkt->mask = rxe_opcode[opcode].mask; + pkt->paylen = paylen; +- pkt->offset = 0; + pkt->wqe = wqe; + + /* init skb */ +diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c +index 5fd26786d79b..1ae94f2cb336 100644 +--- 
a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -586,11 +586,10 @@ static struct sk_buff *prepare_ack_packet(struct rxe_qp *qp, + ack->qp = qp; + ack->opcode = opcode; + ack->mask = rxe_opcode[opcode].mask; +- ack->offset = pkt->offset; + ack->paylen = paylen; + + /* fill in bth using the request packet headers */ +- memcpy(ack->hdr, pkt->hdr, pkt->offset + RXE_BTH_BYTES); ++ memcpy(ack->hdr, pkt->hdr, RXE_BTH_BYTES); + + bth_set_opcode(ack, opcode); + bth_set_qpn(ack, qp->attr.dest_qp_num); +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-rxe-Return-CQE-error-if-invalid-lkey-was-suppli.patch b/patches.suse/RDMA-rxe-Return-CQE-error-if-invalid-lkey-was-suppli.patch new file mode 100644 index 0000000..98b1f74 --- /dev/null +++ b/patches.suse/RDMA-rxe-Return-CQE-error-if-invalid-lkey-was-suppli.patch 
@@ -0,0 +1,101 @@ +From dc07628bd2bbc1da768e265192c28ebd301f509d Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 11 May 2021 08:48:31 +0300 +Subject: [PATCH 1/1] RDMA/rxe: Return CQE error if invalid lkey was supplied +Git-commit: dc07628bd2bbc1da768e265192c28ebd301f509d +Patch-mainline: v5.13 +References: git-fixes + +RXE is missing update of WQE status in LOCAL_WRITE failures. This caused +the following kernel panic if someone sent an atomic operation with an +explicitly wrong lkey. + +[leonro@vm ~]$ mkt test +test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ... + WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe] + Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core + CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe] + Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff + RSP: 0018:ffff8880158af090 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652 + RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210 + RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b + R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8 + R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c + FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 
0000000000000400 + Call Trace: + rxe_do_task+0x130/0x230 [rdma_rxe] + rxe_rcv+0xb11/0x1df0 [rdma_rxe] + rxe_loopback+0x157/0x1e0 [rdma_rxe] + rxe_responder+0x5532/0x7620 [rdma_rxe] + rxe_do_task+0x130/0x230 [rdma_rxe] + rxe_rcv+0x9c8/0x1df0 [rdma_rxe] + rxe_loopback+0x157/0x1e0 [rdma_rxe] + rxe_requester+0x1efd/0x58c0 [rdma_rxe] + rxe_do_task+0x130/0x230 [rdma_rxe] + rxe_post_send+0x998/0x1860 [rdma_rxe] + ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs] + ib_uverbs_write+0x847/0xc80 [ib_uverbs] + vfs_write+0x1c5/0x840 + ksys_write+0x176/0x1d0 + do_syscall_64+0x3f/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/11e7b553f3a6f5371c6bb3f57c494bb52b88af99.1620711734.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Acked-by: Zhu Yanjun +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/rxe/rxe_comp.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_comp.c b/drivers/infiniband/sw/rxe/rxe_comp.c +index 2af26737d32d..a6712e373eed 100644 +--- a/drivers/infiniband/sw/rxe/rxe_comp.c ++++ b/drivers/infiniband/sw/rxe/rxe_comp.c +@@ -346,13 +346,15 @@ static inline enum comp_state do_read(struct rxe_qp *qp, + ret = copy_data(qp->pd, IB_ACCESS_LOCAL_WRITE, + &wqe->dma, payload_addr(pkt), + payload_size(pkt), to_mem_obj, NULL); +- if (ret) ++ if (ret) { ++ wqe->status = IB_WC_LOC_PROT_ERR; + return COMPST_ERROR; ++ } + + if (wqe->dma.resid == 0 && (pkt->mask & RXE_END_MASK)) + return COMPST_COMP_ACK; +- else +- return COMPST_UPDATE_COMP; ++ ++ return COMPST_UPDATE_COMP; + } + + static inline enum comp_state do_atomic(struct rxe_qp *qp, +@@ -366,10 +368,12 @@ static inline enum comp_state do_atomic(struct rxe_qp *qp, + ret = copy_data(qp->pd, IB_ACCESS_LOCAL_WRITE, + &wqe->dma, &atomic_orig, + sizeof(u64), to_mem_obj, NULL); +- if (ret) ++ if (ret) { ++ wqe->status = IB_WC_LOC_PROT_ERR; + 
return COMPST_ERROR; +- else +- return COMPST_COMP_ACK; ++ } ++ ++ return COMPST_COMP_ACK; + } + + static void make_send_cqe(struct rxe_qp *qp, struct rxe_send_wqe *wqe, +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-sa_query-Use-strscpy_pad-instead-of-memcpy-to-c.patch b/patches.suse/RDMA-sa_query-Use-strscpy_pad-instead-of-memcpy-to-c.patch new file mode 100644 index 0000000..2835e68 --- /dev/null +++ b/patches.suse/RDMA-sa_query-Use-strscpy_pad-instead-of-memcpy-to-c.patch 
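Review bot: In `do_read` and `do_atomic`, nothing at the new assignment says why `wqe->status` has to be set before `COMPST_ERROR` is returned. The commit message ties the missing status to the WARNING in `rxe_completer`. A short comment above each assignment would keep the pairing from being dropped again, e.g. `/* COMPST_ERROR must carry a status; rxe_completer() warns otherwise */`. Every non-zero return from `copy_data()` is now reported as `IB_WC_LOC_PROT_ERR`; whether it can fail for reasons other than a key or access mismatch is not visible here and is worth confirming. Both functions start outside their hunks.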
@@ -0,0 +1,89 @@ +From 64733956ebba7cc629856f4a6ee35a52bc9c023f Mon Sep 17 00:00:00 2001 +From: Mark Zhang +Date: Sun, 24 Oct 2021 09:08:20 +0300 +Subject: [PATCH 1/1] RDMA/sa_query: Use strscpy_pad instead of memcpy to copy + a string +Git-commit: 64733956ebba7cc629856f4a6ee35a52bc9c023f +Patch-mainline: v5.15 +References: git-fixes + +When copying the device name, the length of the data memcpy copied exceeds +the length of the source buffer, which cause the KASAN issue below. Use +strscpy_pad() instead. + + BUG: KASAN: slab-out-of-bounds in ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core] + Read of size 64 at addr ffff88811a10f5e0 by task rping/140263 + CPU: 3 PID: 140263 Comm: rping Not tainted 5.15.0-rc1+ #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + Call Trace: + dump_stack_lvl+0x57/0x7d + print_address_description.constprop.0+0x1d/0xa0 + kasan_report+0xcb/0x110 + kasan_check_range+0x13d/0x180 + memcpy+0x20/0x60 + ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core] + ib_nl_make_request+0x1c6/0x380 [ib_core] + send_mad+0x20a/0x220 [ib_core] + ib_sa_path_rec_get+0x3e3/0x800 [ib_core] + cma_query_ib_route+0x29b/0x390 [rdma_cm] + rdma_resolve_route+0x308/0x3e0 [rdma_cm] + ucma_resolve_route+0xe1/0x150 [rdma_ucm] + ucma_write+0x17b/0x1f0 [rdma_ucm] + vfs_write+0x142/0x4d0 + ksys_write+0x133/0x160 + do_syscall_64+0x43/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f26499aa90f + Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c fd ff ff 48 + RSP: 002b:00007f26495f2dc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 00000000000007d0 RCX: 00007f26499aa90f + RDX: 0000000000000010 RSI: 00007f26495f2e00 RDI: 0000000000000003 + RBP: 00005632a8315440 R08: 0000000000000000 R09: 0000000000000001 + R10: 0000000000000000 R11: 
0000000000000293 R12: 00007f26495f2e00 + R13: 00005632a83154e0 R14: 00005632a8315440 R15: 00005632a830a810 + + Allocated by task 131419: + kasan_save_stack+0x1b/0x40 + __kasan_kmalloc+0x7c/0x90 + proc_self_get_link+0x8b/0x100 + pick_link+0x4f1/0x5c0 + step_into+0x2eb/0x3d0 + walk_component+0xc8/0x2c0 + link_path_walk+0x3b8/0x580 + path_openat+0x101/0x230 + do_filp_open+0x12e/0x240 + do_sys_openat2+0x115/0x280 + __x64_sys_openat+0xce/0x140 + do_syscall_64+0x43/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 2ca546b92a02 ("IB/sa: Route SA pathrecord query through netlink") +Link: https://lore.kernel.org/r/72ede0f6dab61f7f23df9ac7a70666e07ef314b0.1635055496.git.leonro@nvidia.com +Signed-off-by: Mark Zhang +Reviewed-by: Mark Bloch +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/core/sa_query.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/sa_query.c b/drivers/infiniband/core/sa_query.c +index a20b8108e160..c00f8e28aab7 100644 +--- a/drivers/infiniband/core/sa_query.c ++++ b/drivers/infiniband/core/sa_query.c +@@ -706,8 +706,9 @@ static void ib_nl_set_path_rec_attrs(struct sk_buff *skb, + + /* Construct the family header first */ + header = skb_put(skb, NLMSG_ALIGN(sizeof(*header))); +- memcpy(header->device_name, dev_name(&query->port->agent->device->dev), +- LS_DEVICE_NAME_MAX); ++ strscpy_pad(header->device_name, ++ dev_name(&query->port->agent->device->dev), ++ LS_DEVICE_NAME_MAX); + header->port_num = query->port->port_num; + + if ((comp_mask & IB_SA_PATH_REC_REVERSIBLE) && +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-siw-Always-consume-all-skbuf-data-in-sk_data_re.patch b/patches.suse/RDMA-siw-Always-consume-all-skbuf-data-in-sk_data_re.patch new file mode 100644 index 0000000..6786255 --- /dev/null +++ b/patches.suse/RDMA-siw-Always-consume-all-skbuf-data-in-sk_data_re.patch 
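Review bot: Nothing at the `strscpy_pad()` call in `ib_nl_set_path_rec_attrs` records that the padding matters. `header` is the area just returned by `skb_put()`, which does not clear it, so the zero fill is what keeps stale bytes after a short device name out of the netlink message. A comment would stop a later change to plain `strscpy()`, e.g. `/* header is fresh skb_put() space: pad so no stale bytes follow the name */`. The return value is also discarded, so a name that does not fit in `LS_DEVICE_NAME_MAX` is truncated silently (`strscpy_pad()` returns `-E2BIG` then); since the function returns void, a one-line comment stating that truncation is acceptable would be enough. The function continues outside the hunk.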
@@ -0,0 +1,99 @@ +From 754209850df8367c954ac1de7671c7430b1f342c Mon Sep 17 00:00:00 2001 +From: Bernard Metzler +Date: Tue, 20 Sep 2022 10:12:02 +0200 +Subject: [PATCH 1/1] RDMA/siw: Always consume all skbuf data in + sk_data_ready() upcall. +Git-commit: 754209850df8367c954ac1de7671c7430b1f342c +Patch-mainline: v6.1-rc1 +References: git-fixes + +For header and trailer/padding processing, siw did not consume new +skb data until minimum amount present to fill current header or trailer +structure, including potential payload padding. Not consuming any +data during upcall may cause a receive stall, since tcp_read_sock() +is not upcalling again if no new data arrive. +A NFSoRDMA client got stuck at RDMA Write reception of unaligned +payload, if the current skb did contain only the expected 3 padding +bytes, but not the 4 bytes CRC trailer. Expecting 4 more bytes already +arrived in another skb, and not consuming those 3 bytes in the current +upcall left the Write incomplete, waiting for the CRC forever. 
+ +Fixes: 8b6a361b8c48 ("rdma/siw: receive path") +Reported-by: Olga Kornievskaia +Tested-by: Olga Kornievskaia +Signed-off-by: Bernard Metzler +Link: https://lore.kernel.org/r/20220920081202.223629-1-bmt@zurich.ibm.com +Signed-off-by: Leon Romanovsky +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/siw/siw_qp_rx.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_qp_rx.c b/drivers/infiniband/sw/siw/siw_qp_rx.c +index 875ea6f1b04a..fd721cc19682 100644 +--- a/drivers/infiniband/sw/siw/siw_qp_rx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_rx.c +@@ -961,27 +961,28 @@ out: + static int siw_get_trailer(struct siw_qp *qp, struct siw_rx_stream *srx) + { + struct sk_buff *skb = srx->skb; ++ int avail = min(srx->skb_new, srx->fpdu_part_rem); + u8 *tbuf = (u8 *)&srx->trailer.crc - srx->pad; + __wsum crc_in, crc_own = 0; + + siw_dbg_qp(qp, "expected %d, available %d, pad %u\n", + srx->fpdu_part_rem, srx->skb_new, srx->pad); + +- if (srx->skb_new < srx->fpdu_part_rem) +- return -EAGAIN; +- +- skb_copy_bits(skb, srx->skb_offset, tbuf, srx->fpdu_part_rem); ++ skb_copy_bits(skb, srx->skb_offset, tbuf, avail); + +- if (srx->mpa_crc_hd && srx->pad) +- crypto_shash_update(srx->mpa_crc_hd, tbuf, srx->pad); ++ srx->skb_new -= avail; ++ srx->skb_offset += avail; ++ srx->skb_copied += avail; ++ srx->fpdu_part_rem -= avail; + +- srx->skb_new -= srx->fpdu_part_rem; +- srx->skb_offset += srx->fpdu_part_rem; +- srx->skb_copied += srx->fpdu_part_rem; ++ if (srx->fpdu_part_rem) ++ return -EAGAIN; + + if (!srx->mpa_crc_hd) + return 0; + ++ if (srx->pad) ++ crypto_shash_update(srx->mpa_crc_hd, tbuf, srx->pad); + /* + * CRC32 is computed, transmitted and received directly in NBO, + * so there's never a reason to convert byte order. +@@ -1083,10 +1084,9 @@ static int siw_get_hdr(struct siw_rx_stream *srx) + * completely received. 
+ */ + if (iwarp_pktinfo[opcode].hdr_len > sizeof(struct iwarp_ctrl_tagged)) { +- bytes = iwarp_pktinfo[opcode].hdr_len - MIN_DDP_HDR; ++ int hdrlen = iwarp_pktinfo[opcode].hdr_len; + +- if (srx->skb_new < bytes) +- return -EAGAIN; ++ bytes = min_t(int, hdrlen - MIN_DDP_HDR, srx->skb_new); + + skb_copy_bits(skb, srx->skb_offset, + (char *)c_hdr + srx->fpdu_part_rcvd, bytes); +@@ -1096,6 +1096,9 @@ static int siw_get_hdr(struct siw_rx_stream *srx) + srx->skb_new -= bytes; + srx->skb_offset += bytes; + srx->skb_copied += bytes; ++ ++ if (srx->fpdu_part_rcvd < hdrlen) ++ return -EAGAIN; + } + + /* +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-siw-Fix-a-condition-race-issue-in-MPA-request-p.patch b/patches.suse/RDMA-siw-Fix-a-condition-race-issue-in-MPA-request-p.patch new file mode 100644 index 0000000..3bc1048 --- /dev/null +++ b/patches.suse/RDMA-siw-Fix-a-condition-race-issue-in-MPA-request-p.patch 
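Review bot: In `siw_get_hdr` the resumed copy is bounded by `hdrlen - MIN_DDP_HDR` instead of by what is still missing, although it writes at `(char *)c_hdr + srx->fpdu_part_rcvd`. If the function is re-entered after the new `-EAGAIN` with part of the extended header already stored, `bytes` can exceed `hdrlen - srx->fpdu_part_rcvd`, and the copy then runs past the header with data taken from the peer's stream. Bounding by the remainder avoids that: `bytes = min_t(int, hdrlen - srx->fpdu_part_rcvd, srx->skb_new);`. `siw_get_trailer` looks to have the mirror problem: `tbuf` is always `&srx->trailer.crc - srx->pad`, so a second call after a partial copy writes the remaining bytes over the start of the trailer. If `fpdu_part_rem` starts at pad plus CRC size (set outside the hunk), the destination could be `(u8 *)&srx->trailer.crc + sizeof(srx->trailer.crc) - srx->fpdu_part_rem`. Both functions extend beyond their hunks, so the re-entry path should be confirmed against the full file.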
@@ -0,0 +1,71 @@ +From ef91271c65c12d36e4c2b61c61d4849fb6d11aa0 Mon Sep 17 00:00:00 2001 +From: Cheng Xu +Date: Sun, 24 Apr 2022 16:01:03 +0800 +Subject: [PATCH 1/1] RDMA/siw: Fix a condition race issue in MPA request + processing +Git-commit: ef91271c65c12d36e4c2b61c61d4849fb6d11aa0 +Patch-mainline: v5.18 +References: git-fixes + +The calling of siw_cm_upcall and detaching new_cep with its listen_cep +should be atomistic semantics. Otherwise siw_reject may be called in a +temporary state, e,g, siw_cm_upcall is called but the new_cep->listen_cep +has not being cleared. + +This fixes a WARN: + + WARNING: CPU: 7 PID: 201 at drivers/infiniband/sw/siw/siw_cm.c:255 siw_cep_put+0x125/0x130 [siw] + CPU: 2 PID: 201 Comm: kworker/u16:22 Kdump: loaded Tainted: G E 5.17.0-rc7 #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + Workqueue: iw_cm_wq cm_work_handler [iw_cm] + RIP: 0010:siw_cep_put+0x125/0x130 [siw] + Call Trace: + + siw_reject+0xac/0x180 [siw] + iw_cm_reject+0x68/0xc0 [iw_cm] + cm_work_handler+0x59d/0xe20 [iw_cm] + process_one_work+0x1e2/0x3b0 + worker_thread+0x50/0x3a0 + ? rescuer_thread+0x390/0x390 + kthread+0xe5/0x110 + ? 
kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Fixes: 6c52fdc244b5 ("rdma/siw: connection management") +Link: https://lore.kernel.org/r/d528d83466c44687f3872eadcb8c184528b2e2d4.1650526554.git.chengyou@linux.alibaba.com +Reported-by: Luis Chamberlain +Reviewed-by: Bernard Metzler +Signed-off-by: Cheng Xu +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/siw/siw_cm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_cm.c b/drivers/infiniband/sw/siw/siw_cm.c +index 7acdd3c3a599..17f34d584cd9 100644 +--- a/drivers/infiniband/sw/siw/siw_cm.c ++++ b/drivers/infiniband/sw/siw/siw_cm.c +@@ -968,14 +968,15 @@ static void siw_accept_newconn(struct siw_cep *cep) + + siw_cep_set_inuse(new_cep); + rv = siw_proc_mpareq(new_cep); +- siw_cep_set_free(new_cep); +- + if (rv != -EAGAIN) { + siw_cep_put(cep); + new_cep->listen_cep = NULL; +- if (rv) ++ if (rv) { ++ siw_cep_set_free(new_cep); + goto error; ++ } + } ++ siw_cep_set_free(new_cep); + } + return; + +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-siw-Fix-duplicated-reported-IW_CM_EVENT_CONNECT.patch b/patches.suse/RDMA-siw-Fix-duplicated-reported-IW_CM_EVENT_CONNECT.patch new file mode 100644 index 0000000..4a14ff3 --- /dev/null +++ b/patches.suse/RDMA-siw-Fix-duplicated-reported-IW_CM_EVENT_CONNECT.patch 
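Review bot: The ordering this hunk establishes in `siw_accept_newconn` is not stated in the code: `new_cep` must stay marked in use until `new_cep->listen_cep` has been cleared. Without that, the two `siw_cep_set_free()` calls look like duplication that a later cleanup could merge back above the `if`. A comment before `if (rv != -EAGAIN)` would record the reason given in the commit message, e.g. `/* keep new_cep in use until listen_cep is detached, so siw_reject() cannot see the intermediate state */`. The function starts and ends outside the hunk.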
@@ -0,0 +1,73 @@ +From 3056fc6c32e613b760422b94c7617ac9a24a4721 Mon Sep 17 00:00:00 2001 +From: Cheng Xu +Date: Thu, 14 Jul 2022 09:30:47 +0800 +Subject: [PATCH 1/1] RDMA/siw: Fix duplicated reported + IW_CM_EVENT_CONNECT_REPLY event +Git-commit: 3056fc6c32e613b760422b94c7617ac9a24a4721 +Patch-mainline: v6.0 +References: git-fixes + +If siw_recv_mpa_rr returns -EAGAIN, it means that the MPA reply hasn't +been received completely, and should not report IW_CM_EVENT_CONNECT_REPLY +in this case. This may trigger a call trace in iw_cm. A simple way to +trigger this: + server: ib_send_lat + client: ib_send_lat -R + +The call trace looks like this: + + kernel BUG at drivers/infiniband/core/iwcm.c:894! + invalid opcode: 0000 [#1] PREEMPT SMP NOPTI + <...> + Workqueue: iw_cm_wq cm_work_handler [iw_cm] + Call Trace: + + cm_work_handler+0x1dd/0x370 [iw_cm] + process_one_work+0x1e2/0x3b0 + worker_thread+0x49/0x2e0 + ? rescuer_thread+0x370/0x370 + kthread+0xe5/0x110 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Fixes: 6c52fdc244b5 ("rdma/siw: connection management") +Link: https://lore.kernel.org/r/dae34b5fd5c2ea2bd9744812c1d2653a34a94c67.1657706960.git.chengyou@linux.alibaba.com +Signed-off-by: Cheng Xu +Signed-off-by: Leon Romanovsky +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/siw/siw_cm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_cm.c b/drivers/infiniband/sw/siw/siw_cm.c +index 17f34d584cd9..f88d2971c2c6 100644 +--- a/drivers/infiniband/sw/siw/siw_cm.c ++++ b/drivers/infiniband/sw/siw/siw_cm.c +@@ -725,11 +725,11 @@ static int siw_proc_mpareply(struct siw_cep *cep) + enum mpa_v2_ctrl mpa_p2p_mode = MPA_V2_RDMA_NO_RTR; + + rv = siw_recv_mpa_rr(cep); +- if (rv != -EAGAIN) +- siw_cancel_mpatimer(cep); + if (rv) + goto out_err; + ++ siw_cancel_mpatimer(cep); ++ + rep = &cep->mpa.hdr; + + if (__mpa_rr_revision(rep->params.bits) > MPA_REVISION_2) { +@@ -895,7 +895,8 @@ 
static int siw_proc_mpareply(struct siw_cep *cep) + } + + out_err: +- siw_cm_upcall(cep, IW_CM_EVENT_CONNECT_REPLY, -EINVAL); ++ if (rv != -EAGAIN) ++ siw_cm_upcall(cep, IW_CM_EVENT_CONNECT_REPLY, -EINVAL); + + return rv; + } +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-siw-Pass-a-pointer-to-virt_to_page.patch b/patches.suse/RDMA-siw-Pass-a-pointer-to-virt_to_page.patch new file mode 100644 index 0000000..5ede049 --- /dev/null +++ b/patches.suse/RDMA-siw-Pass-a-pointer-to-virt_to_page.patch 
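Review bot: `siw_proc_mpareply` now routes the non-error `-EAGAIN` result through the `out_err` label and filters it out again there, so the label no longer means "error" and the upcall guard sits far from the call that produces `-EAGAIN`. Handling it where it arises reads more directly: `if (rv == -EAGAIN) return rv;` straight after `siw_recv_mpa_rr(cep)`, followed by the existing `if (rv) goto out_err;`. As far as the two hunks show, `out_err` does nothing else before `return rv`, so this is equivalent. The guard at the label is still needed if other paths outside the hunks can reach it with `-EAGAIN`.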
@@ -0,0 +1,87 @@ +From 0d1b756acf60da5004c1e20ca4462f0c257bf6e1 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 2 Sep 2022 23:59:18 +0200 +Subject: [PATCH 1/1] RDMA/siw: Pass a pointer to virt_to_page() +Git-commit: 0d1b756acf60da5004c1e20ca4462f0c257bf6e1 +Patch-mainline: v6.0 +References: git-fixes + +Functions that work on a pointer to virtual memory such as +virt_to_pfn() and users of that function such as +virt_to_page() are supposed to pass a pointer to virtual +memory, ideally a (void *) or other pointer. However since +many architectures implement virt_to_pfn() as a macro, +this function becomes polymorphic and accepts both a +(unsigned long) and a (void *). + +If we instead implement a proper virt_to_pfn(void *addr) +function the following happens (occurred on arch/arm): + +drivers/infiniband/sw/siw/siw_qp_tx.c:32:23: warning: incompatible + integer to pointer conversion passing 'dma_addr_t' (aka 'unsigned int') + to parameter of type 'const void *' [-Wint-conversion] +drivers/infiniband/sw/siw/siw_qp_tx.c:32:37: warning: passing argument + 1 of 'virt_to_pfn' makes pointer from integer without a cast + [-Wint-conversion] +drivers/infiniband/sw/siw/siw_qp_tx.c:538:36: warning: incompatible + integer to pointer conversion passing 'unsigned long long' + to parameter of type 'const void *' [-Wint-conversion] + +Fix this with an explicit cast. In one case where the SIW +SGE uses an unaligned u64 we need a double cast modifying the +virtual address (va) to a platform-specific uintptr_t before +casting to a (void *). 
+ +Fixes: b9be6f18cf9e ("rdma/siw: transmit path") +Cc: linux-rdma@vger.kernel.org +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20220902215918.603761-1-linus.walleij@linaro.org +Signed-off-by: Leon Romanovsky +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/sw/siw/siw_qp_tx.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/siw/siw_qp_tx.c +index 1f4e60257700..7d47b521070b 100644 +--- a/drivers/infiniband/sw/siw/siw_qp_tx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c +@@ -29,7 +29,7 @@ static struct page *siw_get_pblpage(struct siw_mem *mem, u64 addr, int *idx) + dma_addr_t paddr = siw_pbl_get_buffer(pbl, offset, NULL, idx); + + if (paddr) +- return virt_to_page(paddr); ++ return virt_to_page((void *)paddr); + + return NULL; + } +@@ -523,13 +523,23 @@ static int siw_tx_hdt(struct siw_iwarp_tx *c_tx, struct socket *s) + kunmap(p); + } + } else { +- u64 va = sge->laddr + sge_off; ++ /* ++ * Cast to an uintptr_t to preserve all 64 bits ++ * in sge->laddr. ++ */ ++ uintptr_t va = (uintptr_t)(sge->laddr + sge_off); + +- page_array[seg] = virt_to_page(va & PAGE_MASK); ++ /* ++ * virt_to_page() takes a (void *) pointer ++ * so cast to a (void *) meaning it will be 64 ++ * bits on a 64 bit platform and 32 bits on a ++ * 32 bit platform. ++ */ ++ page_array[seg] = virt_to_page((void *)(va & PAGE_MASK)); + if (do_crc) + crypto_shash_update( + c_tx->mpa_crc_hd, +- (void *)(uintptr_t)va, ++ (void *)va, + plen); + } + +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMA-usnic-fix-set-but-not-unused-variable-flags-war.patch b/patches.suse/RDMA-usnic-fix-set-but-not-unused-variable-flags-war.patch new file mode 100644 index 0000000..d99dd13 --- /dev/null +++ b/patches.suse/RDMA-usnic-fix-set-but-not-unused-variable-flags-war.patch 
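Review bot: In `siw_get_pblpage` the new `virt_to_page((void *)paddr)` casts a `dma_addr_t` straight to a pointer, while the `siw_tx_hdt` hunk in the same patch goes through `uintptr_t` first. Where `dma_addr_t` is wider than a pointer (64-bit DMA addresses on a 32-bit build), the direct cast is an integer-to-pointer conversion of a different size and draws the same class of warning this patch is removing. `return virt_to_page((void *)(uintptr_t)paddr);` would make the two sites consistent. The first added comment in `siw_tx_hdt` also overstates the effect: `uintptr_t` is pointer-sized, so on 32-bit the value is narrowed rather than preserved. It could read `/* narrow the 64-bit SGE address to pointer width before the (void *) cast */`. Both functions extend beyond their hunks.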
@@ -0,0 +1,45 @@ +From 4b83ddc0924752ebb5f99e84e00d1cb725a9aa51 Mon Sep 17 00:00:00 2001 +From: Zeng Heng +Date: Thu, 29 Sep 2022 11:12:00 +0800 +Subject: [PATCH 1/1] RDMA/usnic: fix set-but-not-unused variable 'flags' + warning +Git-commit: 4b83ddc0924752ebb5f99e84e00d1cb725a9aa51 +Patch-mainline: v6.1-rc1 +References: git-fixes + +Remove unused local variable 'flag' +without any logic changes. + +Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver") +Signed-off-by: Zeng Heng +Link: https://lore.kernel.org/r/20220929031200.4060891-1-zengheng4@huawei.com +Signed-off-by: Leon Romanovsky +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/usnic/usnic_uiom.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/infiniband/hw/usnic/usnic_uiom.c b/drivers/infiniband/hw/usnic/usnic_uiom.c +index 67a1b4562dc2..67923ced6e2d 100644 +--- a/drivers/infiniband/hw/usnic/usnic_uiom.c ++++ b/drivers/infiniband/hw/usnic/usnic_uiom.c +@@ -95,7 +95,6 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable, + int ret; + int off; + int i; +- int flags; + dma_addr_t pa; + unsigned int gup_flags; + struct mm_struct *mm; +@@ -132,8 +131,6 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable, + goto out; + } + +- flags = IOMMU_READ | IOMMU_CACHE; +- flags |= (writable) ? IOMMU_WRITE : 0; + gup_flags = FOLL_WRITE; + gup_flags |= (writable) ? 0 : FOLL_FORCE; + cur_base = addr & PAGE_MASK; +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/RDMa-mthca-Work-around-Wenum-conversion-warning.patch b/patches.suse/RDMa-mthca-Work-around-Wenum-conversion-warning.patch new file mode 100644 index 0000000..7a70b58 --- /dev/null +++ b/patches.suse/RDMa-mthca-Work-around-Wenum-conversion-warning.patch 
@@ -0,0 +1,60 @@ +From fbb7dc5db6dee553b5a07c27e86364a5223e244c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 26 Oct 2020 22:12:30 +0100 +Subject: [PATCH 1/1] RDMa/mthca: Work around -Wenum-conversion warning +Git-commit: fbb7dc5db6dee553b5a07c27e86364a5223e244c +Patch-mainline: v5.11 +References: git-fixes + +gcc points out a suspicious mixing of enum types in a function that +converts from MTHCA_OPCODE_* values to IB_WC_* values: + +drivers/infiniband/hw/mthca/mthca_cq.c: In function 'mthca_poll_one': +drivers/infiniband/hw/mthca/mthca_cq.c:607:21: warning: implicit conversion from 'enum ' to 'enum ib_wc_opcode' [-Wenum-conversion] + 607 | entry->opcode = MTHCA_OPCODE_INVALID; + +Nothing seems to ever check for MTHCA_OPCODE_INVALID again, no idea if +this is meaningful, but it seems harmless as it deals with an invalid +input. + +Remove MTHCA_OPCODE_INVALID and set the ib_wc_opcode to 0xFF, which is +still bogus, but at least doesn't make compiler warnings. + +Fixes: 2a4443a69934 ("[PATCH] IB/mthca: fill in opcode field for send completions") +Link: https://lore.kernel.org/r/20201026211311.3887003-1-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Jason Gunthorpe +Acked-by: Nicolas Morey-Chaisemartin +--- + drivers/infiniband/hw/mthca/mthca_cq.c | 2 +- + drivers/infiniband/hw/mthca/mthca_dev.h | 1 - + 2 files changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mthca/mthca_cq.c b/drivers/infiniband/hw/mthca/mthca_cq.c +index c3cfea243af8..36416f937b69 100644 +--- a/drivers/infiniband/hw/mthca/mthca_cq.c ++++ b/drivers/infiniband/hw/mthca/mthca_cq.c +@@ -604,7 +604,7 @@ static inline int mthca_poll_one(struct mthca_dev *dev, + entry->byte_len = MTHCA_ATOMIC_BYTE_LEN; + break; + default: +- entry->opcode = MTHCA_OPCODE_INVALID; ++ entry->opcode = 0xFF; + break; + } + } else { +diff --git a/drivers/infiniband/hw/mthca/mthca_dev.h b/drivers/infiniband/hw/mthca/mthca_dev.h +index 9dbbf4d16796..a445160de3e1 100644 +--- 
a/drivers/infiniband/hw/mthca/mthca_dev.h ++++ b/drivers/infiniband/hw/mthca/mthca_dev.h +@@ -105,7 +105,6 @@ enum { + MTHCA_OPCODE_ATOMIC_CS = 0x11, + MTHCA_OPCODE_ATOMIC_FA = 0x12, + MTHCA_OPCODE_BIND_MW = 0x18, +- MTHCA_OPCODE_INVALID = 0xff + }; + + enum { +-- +2.38.0.1.gee35aeee4b76 + diff --git a/patches.suse/arm64-assembler-add-cond_yield-macro.patch b/patches.suse/arm64-assembler-add-cond_yield-macro.patch new file mode 100644 index 0000000..3c51221 --- /dev/null +++ b/patches.suse/arm64-assembler-add-cond_yield-macro.patch 
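Review bot: `entry->opcode = 0xFF;` in the `default:` arm of `mthca_poll_one` is a bare magic value with no comment. With `MTHCA_OPCODE_INVALID` removed from `mthca_dev.h`, nothing in the code says the value is deliberately not a member of `enum ib_wc_opcode`. A comment on the assignment would carry the intent from the commit message, e.g. `/* unrecognised opcode: deliberately not a valid ib_wc_opcode */`. Consumers of the completion entry are not visible here, so it is worth confirming that none of them uses the opcode as a table index without a range check. The function continues outside the hunk.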
@@ -0,0 +1,47 @@ +From: Ard Biesheuvel +Date: Wed, 3 Feb 2021 12:36:18 +0100 +Subject: arm64: assembler: add cond_yield macro +Git-commit: d13c613f136c9090f3863c49b2306d57ab59feba +Patch-mainline: v5.12-rc1 +References: git-fixes + +Add a macro cond_yield that branches to a specified label when called if +the TIF_NEED_RESCHED flag is set and decreasing the preempt count would +make the task preemptible again, resulting in a schedule to occur. This +can be used by kernel mode SIMD code that keeps a lot of state in SIMD +registers, which would make chunking the input in order to perform the +cond_resched() check from C code disproportionately costly. + +Signed-off-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20210203113626.220151-2-ardb@kernel.org +Signed-off-by: Will Deacon +Acked-by: Ivan T. Ivanov +--- + arch/arm64/include/asm/assembler.h | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/arch/arm64/include/asm/assembler.h ++++ b/arch/arm64/include/asm/assembler.h +@@ -708,6 +708,22 @@ USER(\label, ic ivau, \tmp2) // invali + .endif + .endm + ++ /* ++ * Check whether preempt-disabled code should yield as soon as it ++ * is able. This is the case if re-enabling preemption a single ++ * time results in a preempt count of zero, and the TIF_NEED_RESCHED ++ * flag is set. (Note that the latter is stored negated in the ++ * top word of the thread_info::preempt_count field) ++ */ ++ .macro cond_yield, lbl:req, tmp:req ++#ifdef CONFIG_PREEMPTION ++ get_current_task \tmp ++ ldr \tmp, [\tmp, #TSK_TI_PREEMPT] ++ sub \tmp, \tmp, #PREEMPT_DISABLE_OFFSET ++ cbz \tmp, \lbl ++#endif ++ .endm ++ + /* + * Check whether to yield to another runnable task from kernel mode NEON code + * (which runs with preemption disabled). diff --git a/patches.suse/ata-libahci_platform-Sanity-check-the-DT-child-nodes.patch b/patches.suse/ata-libahci_platform-Sanity-check-the-DT-child-nodes.patch new file mode 100644 index 0000000..545962b --- /dev/null 
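Review bot: The comment above `cond_yield` leaves out two things a caller needs to know. The macro overwrites `\tmp` (it is loaded with the task pointer, then with the preempt count, then decremented), and with CONFIG_PREEMPTION unset it expands to nothing, so the branch to `\lbl` is never taken. I would add to the comment block ` * Clobbers \tmp. Expands to nothing unless CONFIG_PREEMPTION is set.` so that SIMD routines do not pass a live register or rely on the yield path being reached.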
+++ b/patches.suse/ata-libahci_platform-Sanity-check-the-DT-child-nodes.patch 
@@ -0,0 +1,67 @@ +From 3c132ea6508b34956e5ed88d04936983ec230601 Mon Sep 17 00:00:00 2001 +From: Serge Semin +Date: Fri, 9 Sep 2022 22:36:06 +0300 +Subject: [PATCH] ata: libahci_platform: Sanity check the DT child nodes number +Git-commit: 3c132ea6508b34956e5ed88d04936983ec230601 +Patch-mainline: v6.1-rc1 +References: git-fixes + +Having greater than AHCI_MAX_PORTS (32) ports detected isn't that critical +from the further AHCI-platform initialization point of view since +exceeding the ports upper limit will cause allocating more resources than +will be used afterwards. But detecting too many child DT-nodes doesn't +seem right since it's very unlikely to have it on an ordinary platform. In +accordance with the AHCI specification there can't be more than 32 ports +implemented at least due to having the CAP.NP field of 5 bits wide and the +PI register of dword size. Thus if such situation is found the DTB must +have been corrupted and the data read from it shouldn't be reliable. Let's +consider that as an erroneous situation and halt further resources +allocation. + +Note it's logically more correct to have the nports set only after the +initialization value is checked for being sane. So while at it let's make +sure nports is assigned with a correct value. + +Signed-off-by: Serge Semin +Reviewed-by: Hannes Reinecke +Signed-off-by: Damien Le Moal +Acked-by: Takashi Iwai + +--- + drivers/ata/libahci_platform.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c +index 7366eb0adf41..bacb974c1b16 100644 +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -450,14 +450,24 @@ struct ahci_host_priv *ahci_platform_get_resources(struct platform_device *pdev, + } + } + +- hpriv->nports = child_nodes = of_get_child_count(dev->of_node); ++ /* ++ * Too many sub-nodes most likely means having something wrong with ++ * the firmware. 
++ */ ++ child_nodes = of_get_child_count(dev->of_node); ++ if (child_nodes > AHCI_MAX_PORTS) { ++ rc = -EINVAL; ++ goto err_out; ++ } + + /* + * If no sub-node was found, we still need to set nports to + * one in order to be able to use the + * ahci_platform_[en|dis]able_[phys|regulators] functions. + */ +- if (!child_nodes) ++ if (child_nodes) ++ hpriv->nports = child_nodes; ++ else + hpriv->nports = 1; + + hpriv->phys = devm_kcalloc(dev, hpriv->nports, sizeof(*hpriv->phys), GFP_KERNEL); +-- +2.35.3 + diff --git a/patches.suse/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch b/patches.suse/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch new file mode 100644 index 0000000..d13adcf --- /dev/null +++ b/patches.suse/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch 
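Review bot: The new `child_nodes > AHCI_MAX_PORTS` branch fails the probe with `-EINVAL` without logging anything, so a corrupted or malformed device tree shows up only as a missing controller. The added comment says this case most likely means broken firmware, so a message before the `goto` would make it diagnosable, for example `dev_err(dev, "too many child nodes in the device tree\n");`. ahci_platform_get_resources() continues outside the hunk, so whether `err_out` already prints something cannot be checked from here.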
@@ -0,0 +1,33 @@ +From: Jianglei Nie +Date: Fri, 30 Sep 2022 14:28:43 +0800 +Subject: bnx2x: fix potential memory leak in bnx2x_tpa_stop() +Patch-mainline: v6.1-rc1 +Git-commit: b43f9acbb8942b05252be83ac25a81cec70cc192 +References: bsc#1204402 CVE-2022-3542 + +bnx2x_tpa_stop() allocates a memory chunk from new_data with +bnx2x_frag_alloc(). The new_data should be freed when gets some error. +But when "pad + len > fp->rx_buf_size" is true, bnx2x_tpa_stop() returns +without releasing the new_data, which will lead to a memory leak. + +We should free the new_data with bnx2x_frag_free() when "pad + len > +fp->rx_buf_size" is true. + +Fixes: 07b0f00964def8af9321cfd6c4a7e84f6362f728 ("bnx2x: fix possible panic under memory stress") +Signed-off-by: Jianglei Nie +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -787,6 +787,7 @@ static void bnx2x_tpa_stop(struct bnx2x + BNX2X_ERR("skb_put is about to fail... pad %d len %d rx_buf_size %d\n", + pad, len, fp->rx_buf_size); + bnx2x_panic(); ++ bnx2x_frag_free(fp, new_data); + return; + } + #endif diff --git a/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch b/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch new file mode 100644 index 0000000..556e014 --- /dev/null +++ b/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch 
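Review bot: The added `bnx2x_frag_free(fp, new_data);` sits in a block closed by `#endif`, so the `pad + len > fp->rx_buf_size` check and this free appear to be compiled only under a build option whose `#if` line is outside the hunk. If so, the leak fixed here exists only in such builds, and other builds have no length check at this point; it is worth confirming that `pad + len` is bounded elsewhere before the buffer is used. A comment on the new line, `/* release the buffer from bnx2x_frag_alloc() before bailing out */`, would also record why the free precedes the `return`. bnx2x_tpa_stop() starts and ends outside the hunk, so its other error returns cannot be checked for the same leak from here.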
@@ -0,0 +1,99 @@ +From a472ad2bcea479ba068880125d7273fc95c14b70 Mon Sep 17 00:00:00 2001 +From: Chen Yu +Date: Fri, 10 Jul 2020 12:12:01 +0800 +Subject: [PATCH] intel_idle: Customize IceLake server support +Git-commit: a472ad2bcea479ba068880125d7273fc95c14b70 +Patch-mainline: v5.9-rc1 +References: jsc#SLE-12679 + +On ICX platform, the C1E auto-promotion is enabled by default. +As a result, the CPU might fall into C1E more offen than previous +platforms. Besides, the C1E is not exposed to sysfs on ICX, which +is inconsistent with previous server platforms. + +So disable C1E auto-promotion and expose C1E as a separate idle +state, so the C1E and C6 can be disabled via sysfs when necessary. + +Beside C1 and C1E, the exit latency of C6 was measured +by a dedicated tool. However the exit latency(41us) exposed +by _CST is much smaller than the one we measured(128us). This +is probably due to the _CST uses the exit latency when woken +up from PC0+C6, rather than PC6+C6 when C6 was measured. Choose +the latter as we need the longest latency in theory. + +Reported-by: kernel test robot +Tested-by: Artem Bityutskiy +Acked-by: Artem Bityutskiy +Reviewed-by: Zhang Rui +Signed-off-by: Chen Yu +Signed-off-by: Rafael J. 
Wysocki +Acked-by: Takashi Iwai + +--- + drivers/idle/intel_idle.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c +index 3f86f36dab2b..fd0fa9e7900b 100644 +--- a/drivers/idle/intel_idle.c ++++ b/drivers/idle/intel_idle.c +@@ -752,6 +752,35 @@ static struct cpuidle_state skx_cstates[] __initdata = { + .enter = NULL } + }; + ++static struct cpuidle_state icx_cstates[] __initdata = { ++ { ++ .name = "C1", ++ .desc = "MWAIT 0x00", ++ .flags = MWAIT2flg(0x00), ++ .exit_latency = 1, ++ .target_residency = 1, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .name = "C1E", ++ .desc = "MWAIT 0x01", ++ .flags = MWAIT2flg(0x01) | CPUIDLE_FLAG_ALWAYS_ENABLE, ++ .exit_latency = 4, ++ .target_residency = 4, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .name = "C6", ++ .desc = "MWAIT 0x20", ++ .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED, ++ .exit_latency = 128, ++ .target_residency = 384, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .enter = NULL } ++}; ++ + static struct cpuidle_state atom_cstates[] __initdata = { + { + .name = "C1E", +@@ -1056,6 +1085,12 @@ static const struct idle_cpu idle_cpu_skx __initconst = { + .use_acpi = true, + }; + ++static const struct idle_cpu idle_cpu_icx __initconst = { ++ .state_table = icx_cstates, ++ .disable_promotion_to_c1e = true, ++ .use_acpi = true, ++}; ++ + static const struct idle_cpu idle_cpu_avn __initconst = { + .state_table = avn_cstates, + .disable_promotion_to_c1e = true, +@@ -1110,6 +1145,7 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { + X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE_L, &idle_cpu_skl), + X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE, &idle_cpu_skl), + X86_MATCH_INTEL_FAM6_MODEL(SKYLAKE_X, &idle_cpu_skx), ++ X86_MATCH_INTEL_FAM6_MODEL(ICELAKE_X, &idle_cpu_icx), + X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNL, &idle_cpu_knl), + 
X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNM, &idle_cpu_knl), + X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, &idle_cpu_bxt), +-- +2.16.4 + diff --git a/patches.suse/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch b/patches.suse/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch new file mode 100644 index 0000000..07814e6 --- /dev/null +++ b/patches.suse/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch 
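Review bot: In `icx_cstates[]` the C6 entry's `.exit_latency = 128` and `.target_residency = 384` have no comment, although the commit message explains that 128us is a measured PC6+C6 figure chosen over the 41us reported by _CST. That reasoning does not survive in the source, and `idle_cpu_icx` sets `.use_acpi = true`, so a later reader may try to reconcile the table with _CST and "correct" it. I would add above the C6 entry `/* exit_latency is the measured PC6+C6 value; _CST reports the smaller PC0+C6 one */`.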
@@ -0,0 +1,53 @@ +From 3fd7bfd28cfd68ae80a2fe92ea1615722cc2ee6e Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Thu, 15 Sep 2022 09:55:56 +0800 +Subject: [PATCH] can: bcm: check the result of can_send() in bcm_can_tx() +Git-commit: 3fd7bfd28cfd68ae80a2fe92ea1615722cc2ee6e +Patch-mainline: v6.1-rc1 +References: git-fixes + +If can_send() fail, it should not update frames_abs counter +in bcm_can_tx(). Add the result check for can_send() in bcm_can_tx(). + +Suggested-by: Marc Kleine-Budde +Suggested-by: Oliver Hartkopp +Signed-off-by: Ziyang Xuan +Link: https://lore.kernel.org/all/9851878e74d6d37aee2f1ee76d68361a46f89458.1663206163.git.william.xuanziyang@huawei.com +Acked-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + net/can/bcm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/can/bcm.c b/net/can/bcm.c +index 0a2adb844280..27706f6ace34 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -274,6 +274,7 @@ static void bcm_can_tx(struct bcm_op *op) + struct sk_buff *skb; + struct net_device *dev; + struct canfd_frame *cf = op->frames + op->cfsiz * op->currframe; ++ int err; + + /* no target device? => exit */ + if (!op->ifindex) +@@ -298,11 +299,11 @@ static void bcm_can_tx(struct bcm_op *op) + /* send with loopback */ + skb->dev = dev; + can_skb_set_owner(skb, op->sk); +- can_send(skb, 1); ++ err = can_send(skb, 1); ++ if (!err) ++ op->frames_abs++; + +- /* update statistics */ + op->currframe++; +- op->frames_abs++; + + /* reached last frame? */ + if (op->currframe >= op->nframes) +-- +2.35.3 + diff --git a/patches.suse/can-kvaser_usb-Fix-possible-completions-during-init_.patch b/patches.suse/can-kvaser_usb-Fix-possible-completions-during-init_.patch new file mode 100644 index 0000000..4c77a39 --- /dev/null +++ b/patches.suse/can-kvaser_usb-Fix-possible-completions-during-init_.patch 
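Review bot: After this change `op->currframe++` still runs when can_send() fails, so a frame that was not sent is skipped rather than retried, and `err` is used only to gate `op->frames_abs++`. If dropping the frame is intended, the code should say so, because the removed `/* update statistics */` comment was the only explanation at this spot. I would put `/* count only frames that were sent; a failed frame is skipped, not retried */` above `if (!err)`. bcm_can_tx() continues outside the hunk.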
@@ -0,0 +1,86 @@ +From 2871edb32f4622c3a25ce4b3977bad9050b91974 Mon Sep 17 00:00:00 2001 +From: Anssi Hannula +Date: Mon, 10 Oct 2022 20:52:27 +0200 +Subject: [PATCH] can: kvaser_usb: Fix possible completions during init_completion +Git-commit: 2871edb32f4622c3a25ce4b3977bad9050b91974 +Patch-mainline: v6.1-rc3 +References: git-fixes + +kvaser_usb uses completions to signal when a response event is received +for outgoing commands. + +However, it uses init_completion() to reinitialize the start_comp and +stop_comp completions before sending the start/stop commands. + +In case the device sends the corresponding response just before the +actual command is sent, complete() may be called concurrently with +init_completion() which is not safe. + +This might be triggerable even with a properly functioning device by +stopping the interface (CMD_STOP_CHIP) just after it goes bus-off (which +also causes the driver to send CMD_STOP_CHIP when restart-ms is off), +but that was not tested. + +Fix the issue by using reinit_completion() instead. 
+ +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Tested-by: Jimmy Assarsson +Signed-off-by: Anssi Hannula +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/all/20221010185237.319219-2-extja@kvaser.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 4 ++-- + drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +index 7b52fda73d82..66f672ea631b 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +@@ -1875,7 +1875,7 @@ static int kvaser_usb_hydra_start_chip(struct kvaser_usb_net_priv *priv) + { + int err; + +- init_completion(&priv->start_comp); ++ reinit_completion(&priv->start_comp); + + err = kvaser_usb_hydra_send_simple_cmd(priv->dev, CMD_START_CHIP_REQ, + priv->channel); +@@ -1893,7 +1893,7 @@ static int kvaser_usb_hydra_stop_chip(struct kvaser_usb_net_priv *priv) + { + int err; + +- init_completion(&priv->stop_comp); ++ reinit_completion(&priv->stop_comp); + + /* Make sure we do not report invalid BUS_OFF from CMD_CHIP_STATE_EVENT + * see comment in kvaser_usb_hydra_update_state() +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index 50f2ac8319ff..19958037720f 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -1320,7 +1320,7 @@ static int kvaser_usb_leaf_start_chip(struct kvaser_usb_net_priv *priv) + { + int err; + +- init_completion(&priv->start_comp); ++ reinit_completion(&priv->start_comp); + + err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_START_CHIP, + priv->channel); +@@ -1338,7 +1338,7 @@ static int 
kvaser_usb_leaf_stop_chip(struct kvaser_usb_net_priv *priv) + { + int err; + +- init_completion(&priv->stop_comp); ++ reinit_completion(&priv->stop_comp); + + err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_STOP_CHIP, + priv->channel); +-- +2.35.3 + diff --git a/patches.suse/can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch b/patches.suse/can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch new file mode 100644 index 0000000..49b2a33 --- /dev/null +++ b/patches.suse/can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch 
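Review bot: `reinit_completion()` only resets a completion that was already initialised, and the four calls changed here (in kvaser_usb_hydra_start_chip/stop_chip and kvaser_usb_leaf_start_chip/stop_chip) were the only `init_completion()` calls visible for `start_comp` and `stop_comp`. The one-time initialisation must therefore exist where `priv` is set up, which is outside these hunks; for a backport, check it against the target tree. A short comment at each call, `/* initialised once when priv is created; only reset here */`, would record the dependency.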
@@ -0,0 +1,59 @@
+From 3e5b3418827cefb5e1cc658806f02965791b8f07 Mon Sep 17 00:00:00 2001
+From: Dongliang Mu
+Date: Mon, 24 Oct 2022 19:48:07 +0800
+Subject: [PATCH] can: mscan: mpc5xxx: mpc5xxx_can_probe(): add missing put_clock() in error path
+Git-commit: 3e5b3418827cefb5e1cc658806f02965791b8f07
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+The commit 1149108e2fbf ("can: mscan: improve clock API use") only
+adds put_clock() in mpc5xxx_can_remove() function, forgetting to add
+put_clock() in the error handling code.
+
+Fix this bug by adding put_clock() in the error handling code.
+
+Fixes: 1149108e2fbf ("can: mscan: improve clock API use")
+Signed-off-by: Dongliang Mu
+Link: https://lore.kernel.org/all/20221024133828.35881-1-mkl@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/can/mscan/mpc5xxx_can.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/mscan/mpc5xxx_can.c b/drivers/net/can/mscan/mpc5xxx_can.c
+index c469b2f3e57d..b0ed798ae70f 100644
+--- a/drivers/net/can/mscan/mpc5xxx_can.c
++++ b/drivers/net/can/mscan/mpc5xxx_can.c
+@@ -322,14 +322,14 @@ static int mpc5xxx_can_probe(struct platform_device *ofdev)
+ &mscan_clksrc);
+ if (!priv->can.clock.freq) {
+ dev_err(&ofdev->dev, "couldn't get MSCAN clock properties\n");
+- goto exit_free_mscan;
++ goto exit_put_clock;
+ }
+
+ err = register_mscandev(dev, mscan_clksrc);
+ if (err) {
+ dev_err(&ofdev->dev, "registering %s failed (err=%d)\n",
+ DRV_NAME, err);
+- goto exit_free_mscan;
++ goto exit_put_clock;
+ }
+
+ dev_info(&ofdev->dev, "MSCAN at 0x%p, irq %d, clock %d Hz\n",
+@@ -337,7 +337,9 @@ static int mpc5xxx_can_probe(struct platform_device *ofdev)
+
+ return 0;
+
+-exit_free_mscan:
++exit_put_clock:
++ if (data->put_clock)
++ data->put_clock(ofdev);
+ free_candev(dev);
+ exit_dispose_irq:
+ irq_dispose_mapping(irq);
+--
+2.35.3
+
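Review bot: The first `goto exit_put_clock` is taken when `priv->can.clock.freq` is zero, that is, when the clock lookup apparently failed, yet the new label then calls `data->put_clock(ofdev)`. Whether put_clock() tolerates a clock that was never obtained cannot be seen from the hunk, so this path needs checking against the callback implementations in the target tree. If it is safe, a comment at the label would record the requirement: `/* put_clock() must cope with a failed get_clock() */`. mpc5xxx_can_probe() starts outside the hunk.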
diff --git a/patches.suse/cfg80211-hold-bss_lock-while-updating-nontrans_list.patch b/patches.suse/cfg80211-hold-bss_lock-while-updating-nontrans_list.patch index 8025a4d..998e4ca 100644 --- a/patches.suse/cfg80211-hold-bss_lock-while-updating-nontrans_list.patch +++ b/patches.suse/cfg80211-hold-bss_lock-while-updating-nontrans_list.patch @@ -4,7 +4,7 @@ Date: Mon, 11 Apr 2022 14:37:51 +0530 Subject: [PATCH] cfg80211: hold bss_lock while updating nontrans_list Git-commit: a5199b5626cd6913cf8776a835bc63d40e0686ad Patch-mainline: v5.18-rc3 -References: git-fixes +References: CVE-2022-42719 bsc#1204051 Synchronize additions to nontrans_list of transmitting BSS with bss_lock to avoid races. Also when cfg80211_add_nontrans_list() fails @@ -41,5 +41,5 @@ index b2fdac96bab0..4a6d86432910 100644 trace_cfg80211_return_bss(&res->pub); -- -2.31.1 +2.35.3 diff --git a/patches.suse/cgroup-cpuset-Enable-update_tasks_cpumask-on-top_cpuset.patch b/patches.suse/cgroup-cpuset-Enable-update_tasks_cpumask-on-top_cpuset.patch new file mode 100644 index 0000000..5175e2f --- /dev/null +++ b/patches.suse/cgroup-cpuset-Enable-update_tasks_cpumask-on-top_cpuset.patch 
@@ -0,0 +1,65 @@
+From: Waiman Long
+Date: Thu, 1 Sep 2022 16:57:36 -0400
+Subject: cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset
+Git-commit: ec5fbdfb99d18482619ac42605cb80fbb56068ee
+Patch-mainline: v6.1-rc1
+References: bsc#1204753
+
+Previously, update_tasks_cpumask() is not supposed to be called with
+top cpuset. With cpuset partition that takes CPUs away from the top
+cpuset, adjusting the cpus_mask of the tasks in the top cpuset is
+necessary. Percpu kthreads, however, are ignored.
+
+Fixes: ee8dde0cd2ce ("cpuset: Add new v2 cpuset.sched.partition flag")
+Signed-off-by: Waiman Long
+Signed-off-by: Tejun Heo
+[mkoutny: Adjust context]
+Acked-by: Michal Koutný
+---
+ kernel/cgroup/cpuset.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -33,6 +33,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -1048,10 +1049,18 @@ static void update_tasks_cpumask(struct
+ {
+ struct css_task_iter it;
+ struct task_struct *task;
++ bool top_cs = cs == &top_cpuset;
+
+ css_task_iter_start(&cs->css, 0, &it);
+- while ((task = css_task_iter_next(&it)))
++ while ((task = css_task_iter_next(&it))) {
++ /*
++ * Percpu kthreads in top_cpuset are ignored
++ */
++ if (top_cs && (task->flags & PF_KTHREAD) &&
++ kthread_is_per_cpu(task))
++ continue;
+ set_cpus_allowed_ptr(task, cs->effective_cpus);
++ }
+ css_task_iter_end(&it);
+ }
+
+@@ -2005,12 +2014,7 @@ static int update_prstate(struct cpuset
+ update_flag(CS_CPU_EXCLUSIVE, cs, 0);
+ }
+
+- /*
+- * Update cpumask of parent's tasks except when it is the top
+- * cpuset as some system daemons cannot be mapped to other CPUs.
+- */
+- if (parent != &top_cpuset)
+- update_tasks_cpumask(parent);
++ update_tasks_cpumask(parent);
+
+ if (parent->child_ecpus_count)
+ update_sibling_cpumasks(parent, cs, &tmp);
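Review bot: In update_tasks_cpumask() the call `set_cpus_allowed_ptr(task, cs->effective_cpus)` is now reached for every task in `top_cpuset` except per-CPU kthreads, and its return value is still discarded. The comment removed from update_prstate() warned that some system daemons cannot be mapped to other CPUs, so a refused affinity change is now more likely here and passes silently. If ignoring it is intended, I would extend the new comment to say so: ` * Percpu kthreads in top_cpuset are ignored; a refused affinity change for any other task is deliberately not reported`. Both functions start outside their hunks.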
diff --git a/patches.suse/clk-bcm2835-Make-peripheral-PLLC-critical.patch b/patches.suse/clk-bcm2835-Make-peripheral-PLLC-critical.patch new file mode 100644 index 0000000..cef169d --- /dev/null +++ b/patches.suse/clk-bcm2835-Make-peripheral-PLLC-critical.patch 
@@ -0,0 +1,50 @@ +From 6c5422851d8be8c7451e968fd2e6da41b6109e17 Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Mon, 26 Sep 2022 10:45:09 +0200 +Subject: [PATCH] clk: bcm2835: Make peripheral PLLC critical +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 6c5422851d8be8c7451e968fd2e6da41b6109e17 +Patch-mainline: v6.1-rc1 +References: git-fixes + +When testing for a series affecting the VEC, it was discovered that +turning off and on the VEC clock is crashing the system. + +It turns out that, when disabling the VEC clock, it's the only child of +the PLLC-per clock which will also get disabled. The source of the crash +is PLLC-per being disabled. + +It's likely that some other device might not take a clock reference that +it actually needs, but it's unclear which at this point. Let's make +PLLC-per critical so that we don't have that crash. + +Reported-by: Noralf Trønnes +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20220926084509.12233-1-maxime@cerno.tech +Reviewed-by: Stefan Wahren +Acked-by: Noralf Trønnes +Signed-off-by: Stephen Boyd +Acked-by: Takashi Iwai + +--- + drivers/clk/bcm/clk-bcm2835.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index 48a1eb9f2d55..19de0e83b65d 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -1784,7 +1784,7 @@ static const struct bcm2835_clk_desc clk_desc_array[] = { + .load_mask = CM_PLLC_LOADPER, + .hold_mask = CM_PLLC_HOLDPER, + .fixed_divider = 1, +- .flags = CLK_SET_RATE_PARENT), ++ .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT), + + /* + * PLLD is the display PLL, used to drive DSI display panels. +-- +2.35.3 + diff --git a/patches.suse/clk-zynqmp-Fix-stack-out-of-bounds-in-strncpy.patch b/patches.suse/clk-zynqmp-Fix-stack-out-of-bounds-in-strncpy.patch new file mode 100644 index 0000000..41841d7 --- /dev/null 
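Review bot: The new `CLK_IS_CRITICAL` on the PLLC-per entry of `clk_desc_array[]` has no comment, while the commit message describes it as a workaround for a consumer that has not been identified. Without that context the flag looks like a candidate for later cleanup. I would add above the `.flags` line `/* kept critical: disabling PLLC-per crashes the system; the consumer missing a clock reference is not yet known */`.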
+++ b/patches.suse/clk-zynqmp-Fix-stack-out-of-bounds-in-strncpy.patch 
@@ -0,0 +1,118 @@ +From dd80fb2dbf1cd8751efbe4e53e54056f56a9b115 Mon Sep 17 00:00:00 2001 +From: Ian Nam +Date: Tue, 10 May 2022 12:31:54 +0530 +Subject: [PATCH] clk: zynqmp: Fix stack-out-of-bounds in strncpy` +Git-commit: dd80fb2dbf1cd8751efbe4e53e54056f56a9b115 +Patch-mainline: v6.1-rc1 +References: git-fixes + +"bug: KASAN: stack-out-of-bounds in strncpy+0x30/0x68" + +Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is +longer than 15 bytes, string terminated NULL character will not be received +by Linux. Add explicit NULL character at last byte to fix issues when clock +name is longer. + +This fixes below bug reported by KASAN: + + ================================================================== + BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68 + Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1 + + CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3 + Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT) + Call trace: + dump_backtrace+0x0/0x1e8 + show_stack+0x14/0x20 + dump_stack+0xd4/0x108 + print_address_description.isra.0+0xbc/0x37c + __kasan_report+0x144/0x198 + kasan_report+0xc/0x18 + __asan_load1+0x5c/0x68 + strncpy+0x30/0x68 + zynqmp_clock_probe+0x238/0x7b8 + platform_drv_probe+0x6c/0xc8 + really_probe+0x14c/0x418 + driver_probe_device+0x74/0x130 + __device_attach_driver+0xc4/0xe8 + bus_for_each_drv+0xec/0x150 + __device_attach+0x160/0x1d8 + device_initial_probe+0x10/0x18 + bus_probe_device+0xe0/0xf0 + device_add+0x528/0x950 + of_device_add+0x5c/0x80 + of_platform_device_create_pdata+0x120/0x168 + of_platform_bus_create+0x244/0x4e0 + of_platform_populate+0x50/0xe8 + zynqmp_firmware_probe+0x370/0x3a8 + platform_drv_probe+0x6c/0xc8 + really_probe+0x14c/0x418 + driver_probe_device+0x74/0x130 + device_driver_attach+0x94/0xa0 + __driver_attach+0x70/0x108 + bus_for_each_dev+0xe4/0x158 + driver_attach+0x30/0x40 + bus_add_driver+0x21c/0x2b8 + driver_register+0xbc/0x1d0 + 
__platform_driver_register+0x7c/0x88 + zynqmp_firmware_driver_init+0x1c/0x24 + do_one_initcall+0xa4/0x234 + kernel_init_freeable+0x1b0/0x24c + kernel_init+0x10/0x110 + ret_from_fork+0x10/0x18 + + The buggy address belongs to the page: + page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 + raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000 + raw: 0000000000000000 0000000000000000 00000000ffffffff + page dumped because: kasan: bad access detected + + addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame: + zynqmp_clock_probe+0x0/0x7b8 + + this frame has 3 objects: + [32, 44) 'response' + [64, 80) 'ret_payload' + [96, 112) 'name' + + Memory state around the buggy address: + ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2 + >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 + ^ + ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ================================================================== + +Signed-off-by: Ian Nam +Signed-off-by: Shubhrajyoti Datta +Link: https://lore.kernel.org/r/20220510070154.29528-3-shubhrajyoti.datta@xilinx.com +Acked-by: Michal Simek +Signed-off-by: Stephen Boyd +Acked-by: Takashi Iwai + +--- + drivers/clk/zynqmp/clkc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/clk/zynqmp/clkc.c b/drivers/clk/zynqmp/clkc.c +index eb25303eefed..2c9da6623b84 100644 +--- a/drivers/clk/zynqmp/clkc.c ++++ b/drivers/clk/zynqmp/clkc.c +@@ -710,6 +710,13 @@ static void zynqmp_get_clock_info(void) + FIELD_PREP(CLK_ATTR_NODE_INDEX, i); + + zynqmp_pm_clock_get_name(clock[i].clk_id, &name); ++ ++ /* ++ * Terminate with NULL character in case name provided by firmware ++ * is longer and truncated due to size limit. 
++ */ ++ name.name[sizeof(name.name) - 1] = '\0'; ++ + if (!strcmp(name.name, RESERVED_CLK_NAME)) + continue; + strncpy(clock[i].clk_name, name.name, MAX_NAME_LEN); +-- +2.35.3 + diff --git a/patches.suse/clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch b/patches.suse/clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch new file mode 100644 index 0000000..ec2ae33 --- /dev/null +++ b/patches.suse/clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch 
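Review bot: The added `name.name[sizeof(name.name) - 1] = '\0';` terminates the source, but the copy two lines later is still `strncpy(clock[i].clk_name, name.name, MAX_NAME_LEN)`, which leaves the destination unterminated whenever the source is at least MAX_NAME_LEN bytes long. The sizes of `name.name` and `clk_name` are declared outside the hunk, so this may be safe today, but only while that size relation holds. `strscpy(clock[i].clk_name, name.name, MAX_NAME_LEN);` would make the termination explicit. The result of zynqmp_pm_clock_get_name() is also not checked in the visible lines, and zynqmp_get_clock_info() continues outside the hunk.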
@@ -0,0 +1,92 @@ +From 30eaf02149ecc3c5815e45d27187bf09e925071d Mon Sep 17 00:00:00 2001 +From: Quanyang Wang +Date: Fri, 26 Aug 2022 22:20:30 +0800 +Subject: [PATCH] clk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_rate +Git-commit: 30eaf02149ecc3c5815e45d27187bf09e925071d +Patch-mainline: v6.1-rc1 +References: git-fixes + +The function zynqmp_pll_round_rate is used to find a most appropriate +PLL frequency which the hardware can generate according to the desired +frequency. For example, if the desired frequency is 297MHz, considering +the limited range from PS_PLL_VCO_MIN (1.5GHz) to PS_PLL_VCO_MAX (3.0GHz) +of PLL, zynqmp_pll_round_rate should return 1.872GHz (297MHz * 5). + +There are two problems with the current code of zynqmp_pll_round_rate: + +1) When the rate is below PS_PLL_VCO_MIN, it can't find a correct rate +when the parameter "rate" is an integer multiple of *prate, in other words, +if "f" is zero, zynqmp_pll_round_rate won't return a valid frequency which +is from PS_PLL_VCO_MIN to PS_PLL_VCO_MAX. For example, *prate is 33MHz +and the rate is 660MHz, zynqmp_pll_round_rate will not boost up rate and +just return 660MHz, and this will cause clk_calc_new_rates failure since +zynqmp_pll_round_rate returns an invalid rate out of its boundaries. + +2) Even if the rate is higher than PS_PLL_VCO_MIN, there is still a risk +that zynqmp_pll_round_rate returns an invalid rate because the function +DIV_ROUND_CLOSEST makes some loss in the fractional part. If the parent +clock *prate is 33333333Hz and we want to set the PLL rate to 1.5GHz, +this function will return 1499999985Hz by using the formula below: + value = *prate * DIV_ROUND_CLOSEST(rate, *prate)). +This value is also invalid since it's slightly smaller than PS_PLL_VCO_MIN. +because DIV_ROUND_CLOSEST makes some loss in the fractional part. 
+ +Signed-off-by: Quanyang Wang +Link: https://lore.kernel.org/r/20220826142030.213805-1-quanyang.wang@windriver.com +Reviewed-by: Shubhrajyoti Datta +Signed-off-by: Stephen Boyd +Acked-by: Takashi Iwai + +--- + drivers/clk/zynqmp/pll.c | 31 +++++++++++++++---------------- + 1 file changed, 15 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/zynqmp/pll.c b/drivers/clk/zynqmp/pll.c +index 91a6b4cc910e..0d3e1377b092 100644 +--- a/drivers/clk/zynqmp/pll.c ++++ b/drivers/clk/zynqmp/pll.c +@@ -102,26 +102,25 @@ static long zynqmp_pll_round_rate(struct clk_hw *hw, unsigned long rate, + unsigned long *prate) + { + u32 fbdiv; +- long rate_div, f; ++ u32 mult, div; + +- /* Enable the fractional mode if needed */ +- rate_div = (rate * FRAC_DIV) / *prate; +- f = rate_div % FRAC_DIV; +- if (f) { +- if (rate > PS_PLL_VCO_MAX) { +- fbdiv = rate / PS_PLL_VCO_MAX; +- rate = rate / (fbdiv + 1); +- } +- if (rate < PS_PLL_VCO_MIN) { +- fbdiv = DIV_ROUND_UP(PS_PLL_VCO_MIN, rate); +- rate = rate * fbdiv; +- } +- return rate; ++ /* Let rate fall inside the range PS_PLL_VCO_MIN ~ PS_PLL_VCO_MAX */ ++ if (rate > PS_PLL_VCO_MAX) { ++ div = DIV_ROUND_UP(rate, PS_PLL_VCO_MAX); ++ rate = rate / div; ++ } ++ if (rate < PS_PLL_VCO_MIN) { ++ mult = DIV_ROUND_UP(PS_PLL_VCO_MIN, rate); ++ rate = rate * mult; + } + + fbdiv = DIV_ROUND_CLOSEST(rate, *prate); +- fbdiv = clamp_t(u32, fbdiv, PLL_FBDIV_MIN, PLL_FBDIV_MAX); +- return *prate * fbdiv; ++ if (fbdiv < PLL_FBDIV_MIN || fbdiv > PLL_FBDIV_MAX) { ++ fbdiv = clamp_t(u32, fbdiv, PLL_FBDIV_MIN, PLL_FBDIV_MAX); ++ rate = *prate * fbdiv; ++ } ++ ++ return rate; + } + + /** +-- +2.35.3 + diff --git a/patches.suse/crypto-arm64-sha-fix-function-types.patch b/patches.suse/crypto-arm64-sha-fix-function-types.patch new file mode 100644 index 0000000..0e7907e --- /dev/null +++ b/patches.suse/crypto-arm64-sha-fix-function-types.patch 
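Review bot: With the new range adjustment in zynqmp_pll_round_rate(), a request of `rate == 0` reaches `DIV_ROUND_UP(PS_PLL_VCO_MIN, rate)`, which divides by zero. The removed code entered that branch only when the fractional remainder `f` was non-zero, which a zero rate never produced. Whether a caller can pass 0 is not visible in the hunk, so a guard ahead of the two `if` blocks is the safe choice, for example `if (!rate) rate = PS_PLL_VCO_MIN;`.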
@@ -0,0 +1,341 @@ +From: Sami Tolvanen +Date: Wed, 27 Nov 2019 15:55:03 -0800 +Subject: crypto: arm64/sha - fix function types +Git-commit: 6320a15e98301b67ff9ba8512e1e3a4033007851 +Patch-mainline: v5.6-rc1 +References: git-fixes + +Instead of casting pointers to callback functions, add C wrappers +to avoid type mismatch failures with Control-Flow Integrity (CFI) +checking. + +Signed-off-by: Sami Tolvanen +Reviewed-by: Ard Biesheuvel +Reviewed-by: Eric Biggers +Signed-off-by: Herbert Xu +Acked-by: Ivan T. Ivanov +--- + arch/arm64/crypto/sha1-ce-glue.c | 17 +++++++++++------ + arch/arm64/crypto/sha2-ce-glue.c | 34 +++++++++++++++++++++------------- + arch/arm64/crypto/sha256-glue.c | 32 ++++++++++++++++++++------------ + arch/arm64/crypto/sha512-ce-glue.c | 26 ++++++++++++++------------ + arch/arm64/crypto/sha512-glue.c | 15 ++++++++++----- + 5 files changed, 76 insertions(+), 48 deletions(-) + +--- a/arch/arm64/crypto/sha1-ce-glue.c ++++ b/arch/arm64/crypto/sha1-ce-glue.c +@@ -28,6 +28,13 @@ struct sha1_ce_state { + asmlinkage void sha1_ce_transform(struct sha1_ce_state *sst, u8 const *src, + int blocks); + ++static void __sha1_ce_transform(struct sha1_state *sst, u8 const *src, ++ int blocks) ++{ ++ sha1_ce_transform(container_of(sst, struct sha1_ce_state, sst), src, ++ blocks); ++} ++ + const u32 sha1_ce_offsetof_count = offsetof(struct sha1_ce_state, sst.count); + const u32 sha1_ce_offsetof_finalize = offsetof(struct sha1_ce_state, finalize); + +@@ -41,8 +48,7 @@ static int sha1_ce_update(struct shash_d + + sctx->finalize = 0; + kernel_neon_begin(); +- sha1_base_do_update(desc, data, len, +- (sha1_block_fn *)sha1_ce_transform); ++ sha1_base_do_update(desc, data, len, __sha1_ce_transform); + kernel_neon_end(); + + return 0; +@@ -64,10 +70,9 @@ static int sha1_ce_finup(struct shash_de + sctx->finalize = finalize; + + kernel_neon_begin(); +- sha1_base_do_update(desc, data, len, +- (sha1_block_fn *)sha1_ce_transform); ++ sha1_base_do_update(desc, data, len, 
__sha1_ce_transform); + if (!finalize) +- sha1_base_do_finalize(desc, (sha1_block_fn *)sha1_ce_transform); ++ sha1_base_do_finalize(desc, __sha1_ce_transform); + kernel_neon_end(); + return sha1_base_finish(desc, out); + } +@@ -81,7 +86,7 @@ static int sha1_ce_final(struct shash_de + + sctx->finalize = 0; + kernel_neon_begin(); +- sha1_base_do_finalize(desc, (sha1_block_fn *)sha1_ce_transform); ++ sha1_base_do_finalize(desc, __sha1_ce_transform); + kernel_neon_end(); + return sha1_base_finish(desc, out); + } +--- a/arch/arm64/crypto/sha2-ce-glue.c ++++ b/arch/arm64/crypto/sha2-ce-glue.c +@@ -28,6 +28,13 @@ struct sha256_ce_state { + asmlinkage void sha2_ce_transform(struct sha256_ce_state *sst, u8 const *src, + int blocks); + ++static void __sha2_ce_transform(struct sha256_state *sst, u8 const *src, ++ int blocks) ++{ ++ sha2_ce_transform(container_of(sst, struct sha256_ce_state, sst), src, ++ blocks); ++} ++ + const u32 sha256_ce_offsetof_count = offsetof(struct sha256_ce_state, + sst.count); + const u32 sha256_ce_offsetof_finalize = offsetof(struct sha256_ce_state, +@@ -35,6 +42,12 @@ const u32 sha256_ce_offsetof_finalize = + + asmlinkage void sha256_block_data_order(u32 *digest, u8 const *src, int blocks); + ++static void __sha256_block_data_order(struct sha256_state *sst, u8 const *src, ++ int blocks) ++{ ++ sha256_block_data_order(sst->state, src, blocks); ++} ++ + static int sha256_ce_update(struct shash_desc *desc, const u8 *data, + unsigned int len) + { +@@ -42,12 +55,11 @@ static int sha256_ce_update(struct shash + + if (!crypto_simd_usable()) + return sha256_base_do_update(desc, data, len, +- (sha256_block_fn *)sha256_block_data_order); ++ __sha256_block_data_order); + + sctx->finalize = 0; + kernel_neon_begin(); +- sha256_base_do_update(desc, data, len, +- (sha256_block_fn *)sha2_ce_transform); ++ sha256_base_do_update(desc, data, len, __sha2_ce_transform); + kernel_neon_end(); + + return 0; +@@ -62,9 +74,8 @@ static int sha256_ce_finup(struct shash_ + 
if (!crypto_simd_usable()) { + if (len) + sha256_base_do_update(desc, data, len, +- (sha256_block_fn *)sha256_block_data_order); +- sha256_base_do_finalize(desc, +- (sha256_block_fn *)sha256_block_data_order); ++ __sha256_block_data_order); ++ sha256_base_do_finalize(desc, __sha256_block_data_order); + return sha256_base_finish(desc, out); + } + +@@ -75,11 +86,9 @@ static int sha256_ce_finup(struct shash_ + sctx->finalize = finalize; + + kernel_neon_begin(); +- sha256_base_do_update(desc, data, len, +- (sha256_block_fn *)sha2_ce_transform); ++ sha256_base_do_update(desc, data, len, __sha2_ce_transform); + if (!finalize) +- sha256_base_do_finalize(desc, +- (sha256_block_fn *)sha2_ce_transform); ++ sha256_base_do_finalize(desc, __sha2_ce_transform); + kernel_neon_end(); + return sha256_base_finish(desc, out); + } +@@ -89,14 +98,13 @@ static int sha256_ce_final(struct shash_ + struct sha256_ce_state *sctx = shash_desc_ctx(desc); + + if (!crypto_simd_usable()) { +- sha256_base_do_finalize(desc, +- (sha256_block_fn *)sha256_block_data_order); ++ sha256_base_do_finalize(desc, __sha256_block_data_order); + return sha256_base_finish(desc, out); + } + + sctx->finalize = 0; + kernel_neon_begin(); +- sha256_base_do_finalize(desc, (sha256_block_fn *)sha2_ce_transform); ++ sha256_base_do_finalize(desc, __sha2_ce_transform); + kernel_neon_end(); + return sha256_base_finish(desc, out); + } +--- a/arch/arm64/crypto/sha256-glue.c ++++ b/arch/arm64/crypto/sha256-glue.c +@@ -27,14 +27,26 @@ asmlinkage void sha256_block_data_order( + unsigned int num_blks); + EXPORT_SYMBOL(sha256_block_data_order); + ++static void __sha256_block_data_order(struct sha256_state *sst, u8 const *src, ++ int blocks) ++{ ++ sha256_block_data_order(sst->state, src, blocks); ++} ++ + asmlinkage void sha256_block_neon(u32 *digest, const void *data, + unsigned int num_blks); + ++static void __sha256_block_neon(struct sha256_state *sst, u8 const *src, ++ int blocks) ++{ ++ sha256_block_neon(sst->state, src, 
blocks); ++} ++ + static int crypto_sha256_arm64_update(struct shash_desc *desc, const u8 *data, + unsigned int len) + { + return sha256_base_do_update(desc, data, len, +- (sha256_block_fn *)sha256_block_data_order); ++ __sha256_block_data_order); + } + + static int crypto_sha256_arm64_finup(struct shash_desc *desc, const u8 *data, +@@ -42,9 +54,8 @@ static int crypto_sha256_arm64_finup(str + { + if (len) + sha256_base_do_update(desc, data, len, +- (sha256_block_fn *)sha256_block_data_order); +- sha256_base_do_finalize(desc, +- (sha256_block_fn *)sha256_block_data_order); ++ __sha256_block_data_order); ++ sha256_base_do_finalize(desc, __sha256_block_data_order); + + return sha256_base_finish(desc, out); + } +@@ -87,7 +98,7 @@ static int sha256_update_neon(struct sha + + if (!crypto_simd_usable()) + return sha256_base_do_update(desc, data, len, +- (sha256_block_fn *)sha256_block_data_order); ++ __sha256_block_data_order); + + while (len > 0) { + unsigned int chunk = len; +@@ -103,8 +114,7 @@ static int sha256_update_neon(struct sha + sctx->count % SHA256_BLOCK_SIZE; + + kernel_neon_begin(); +- sha256_base_do_update(desc, data, chunk, +- (sha256_block_fn *)sha256_block_neon); ++ sha256_base_do_update(desc, data, chunk, __sha256_block_neon); + kernel_neon_end(); + data += chunk; + len -= chunk; +@@ -118,15 +128,13 @@ static int sha256_finup_neon(struct shas + if (!crypto_simd_usable()) { + if (len) + sha256_base_do_update(desc, data, len, +- (sha256_block_fn *)sha256_block_data_order); +- sha256_base_do_finalize(desc, +- (sha256_block_fn *)sha256_block_data_order); ++ __sha256_block_data_order); ++ sha256_base_do_finalize(desc, __sha256_block_data_order); + } else { + if (len) + sha256_update_neon(desc, data, len); + kernel_neon_begin(); +- sha256_base_do_finalize(desc, +- (sha256_block_fn *)sha256_block_neon); ++ sha256_base_do_finalize(desc, __sha256_block_neon); + kernel_neon_end(); + } + return sha256_base_finish(desc, out); +--- 
a/arch/arm64/crypto/sha512-ce-glue.c ++++ b/arch/arm64/crypto/sha512-ce-glue.c +@@ -29,16 +29,21 @@ asmlinkage void sha512_ce_transform(stru + + asmlinkage void sha512_block_data_order(u64 *digest, u8 const *src, int blocks); + ++static void __sha512_block_data_order(struct sha512_state *sst, u8 const *src, ++ int blocks) ++{ ++ sha512_block_data_order(sst->state, src, blocks); ++} ++ + static int sha512_ce_update(struct shash_desc *desc, const u8 *data, + unsigned int len) + { + if (!crypto_simd_usable()) + return sha512_base_do_update(desc, data, len, +- (sha512_block_fn *)sha512_block_data_order); ++ __sha512_block_data_order); + + kernel_neon_begin(); +- sha512_base_do_update(desc, data, len, +- (sha512_block_fn *)sha512_ce_transform); ++ sha512_base_do_update(desc, data, len, sha512_ce_transform); + kernel_neon_end(); + + return 0; +@@ -50,16 +55,14 @@ static int sha512_ce_finup(struct shash_ + if (!crypto_simd_usable()) { + if (len) + sha512_base_do_update(desc, data, len, +- (sha512_block_fn *)sha512_block_data_order); +- sha512_base_do_finalize(desc, +- (sha512_block_fn *)sha512_block_data_order); ++ __sha512_block_data_order); ++ sha512_base_do_finalize(desc, __sha512_block_data_order); + return sha512_base_finish(desc, out); + } + + kernel_neon_begin(); +- sha512_base_do_update(desc, data, len, +- (sha512_block_fn *)sha512_ce_transform); +- sha512_base_do_finalize(desc, (sha512_block_fn *)sha512_ce_transform); ++ sha512_base_do_update(desc, data, len, sha512_ce_transform); ++ sha512_base_do_finalize(desc, sha512_ce_transform); + kernel_neon_end(); + return sha512_base_finish(desc, out); + } +@@ -67,13 +70,12 @@ static int sha512_ce_finup(struct shash_ + static int sha512_ce_final(struct shash_desc *desc, u8 *out) + { + if (!crypto_simd_usable()) { +- sha512_base_do_finalize(desc, +- (sha512_block_fn *)sha512_block_data_order); ++ sha512_base_do_finalize(desc, __sha512_block_data_order); + return sha512_base_finish(desc, out); + } + + kernel_neon_begin(); 
+- sha512_base_do_finalize(desc, (sha512_block_fn *)sha512_ce_transform); ++ sha512_base_do_finalize(desc, sha512_ce_transform); + kernel_neon_end(); + return sha512_base_finish(desc, out); + } +--- a/arch/arm64/crypto/sha512-glue.c ++++ b/arch/arm64/crypto/sha512-glue.c +@@ -20,15 +20,21 @@ MODULE_LICENSE("GPL v2"); + MODULE_ALIAS_CRYPTO("sha384"); + MODULE_ALIAS_CRYPTO("sha512"); + +-asmlinkage void sha512_block_data_order(u32 *digest, const void *data, ++asmlinkage void sha512_block_data_order(u64 *digest, const void *data, + unsigned int num_blks); + EXPORT_SYMBOL(sha512_block_data_order); + ++static void __sha512_block_data_order(struct sha512_state *sst, u8 const *src, ++ int blocks) ++{ ++ sha512_block_data_order(sst->state, src, blocks); ++} ++ + static int sha512_update(struct shash_desc *desc, const u8 *data, + unsigned int len) + { + return sha512_base_do_update(desc, data, len, +- (sha512_block_fn *)sha512_block_data_order); ++ __sha512_block_data_order); + } + + static int sha512_finup(struct shash_desc *desc, const u8 *data, +@@ -36,9 +42,8 @@ static int sha512_finup(struct shash_des + { + if (len) + sha512_base_do_update(desc, data, len, +- (sha512_block_fn *)sha512_block_data_order); +- sha512_base_do_finalize(desc, +- (sha512_block_fn *)sha512_block_data_order); ++ __sha512_block_data_order); ++ sha512_base_do_finalize(desc, __sha512_block_data_order); + + return sha512_base_finish(desc, out); + } diff --git a/patches.suse/crypto-arm64-sha1-ce-simplify-NEON-yield.patch b/patches.suse/crypto-arm64-sha1-ce-simplify-NEON-yield.patch new file mode 100644 index 0000000..731d447 --- /dev/null +++ b/patches.suse/crypto-arm64-sha1-ce-simplify-NEON-yield.patch 
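Review bot: `__sha1_ce_transform` and `__sha2_ce_transform` recover the outer context with `container_of(sst, struct sha1_ce_state, sst)` (and the sha256 equivalent), which is only valid while the shash descriptor context really is the larger `*_ce_state` struct; nothing in these hunks states that invariant, and the assembler side reads `finalize` from the outer struct through `sha1_ce_offsetof_finalize`. I would add a comment above each wrapper, for example `/* sst must be the member embedded in struct sha1_ce_state (the shash desc ctx); the wrapper exists so the indirect call matches sha1_block_fn under CFI */`. The algorithm definitions that set the context size are outside the hunks, so this documents an assumption and does not report a bug.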
@@ -0,0 +1,200 @@ +From: Ard Biesheuvel +Date: Wed, 3 Feb 2021 12:36:19 +0100 +Subject: crypto: arm64/sha1-ce - simplify NEON yield +Git-commit: 5a69e1b73d5460953b8198ab03e9e1c86c5aeb11 +Patch-mainline: v5.12-rc1 +References: git-fixes + +Instead of calling into kernel_neon_end() and kernel_neon_begin() (and +potentially into schedule()) from the assembler code when running in +task mode and a reschedule is pending, perform only the preempt count +check in assembler, but simply return early in this case, and let the C +code deal with the consequences. + +This reverts commit 7df8d164753e6e6f229b72767595072bc6a71f48. + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Acked-by: Ivan T. Ivanov +--- + arch/arm64/crypto/sha1-ce-core.S | 81 ++++++++++++++++----------------------- + arch/arm64/crypto/sha1-ce-glue.c | 22 +++++----- + 2 files changed, 46 insertions(+), 57 deletions(-) + +--- a/arch/arm64/crypto/sha1-ce-core.S ++++ b/arch/arm64/crypto/sha1-ce-core.S +@@ -62,41 +62,35 @@ + .endm + + /* +- * void sha1_ce_transform(struct sha1_ce_state *sst, u8 const *src, +- * int blocks) ++ * int sha1_ce_transform(struct sha1_ce_state *sst, u8 const *src, ++ * int blocks) + */ + ENTRY(sha1_ce_transform) +- frame_push 3 ++ /* load round constants */ ++ loadrc k0.4s, 0x5a827999, w6 ++ loadrc k1.4s, 0x6ed9eba1, w6 ++ loadrc k2.4s, 0x8f1bbcdc, w6 ++ loadrc k3.4s, 0xca62c1d6, w6 ++ ++ /* load state */ ++ ld1 {dgav.4s}, [x0] ++ ldr dgb, [x0, #16] ++ ++ /* load sha1_ce_state::finalize */ ++ ldr_l w4, sha1_ce_offsetof_finalize, x4 ++ ldr w4, [x0, x4] ++ ++ /* load input */ ++0: ld1 {v8.4s-v11.4s}, [x1], #64 ++ sub w2, w2, #1 ++ ++ CPU_LE( rev32 v8.16b, v8.16b ) ++ CPU_LE( rev32 v9.16b, v9.16b ) ++ CPU_LE( rev32 v10.16b, v10.16b ) ++ CPU_LE( rev32 v11.16b, v11.16b ) + +- mov x19, x0 +- mov x20, x1 +- mov x21, x2 +- +- /* load round constants */ +-0: loadrc k0.4s, 0x5a827999, w6 +- loadrc k1.4s, 0x6ed9eba1, w6 +- loadrc k2.4s, 0x8f1bbcdc, w6 +- loadrc k3.4s, 0xca62c1d6, w6 +- 
+- /* load state */ +- ld1 {dgav.4s}, [x19] +- ldr dgb, [x19, #16] +- +- /* load sha1_ce_state::finalize */ +- ldr_l w4, sha1_ce_offsetof_finalize, x4 +- ldr w4, [x19, x4] +- +- /* load input */ +-1: ld1 {v8.4s-v11.4s}, [x20], #64 +- sub w21, w21, #1 +- +-CPU_LE( rev32 v8.16b, v8.16b ) +-CPU_LE( rev32 v9.16b, v9.16b ) +-CPU_LE( rev32 v10.16b, v10.16b ) +-CPU_LE( rev32 v11.16b, v11.16b ) +- +-2: add t0.4s, v8.4s, k0.4s +- mov dg0v.16b, dgav.16b ++1: add t0.4s, v8.4s, k0.4s ++ mov dg0v.16b, dgav.16b + + add_update c, ev, k0, 8, 9, 10, 11, dgb + add_update c, od, k0, 9, 10, 11, 8 +@@ -126,25 +120,18 @@ CPU_LE( rev32 v11.16b, v11.16b ) + add dgbv.2s, dgbv.2s, dg1v.2s + add dgav.4s, dgav.4s, dg0v.4s + +- cbz w21, 3f +- +- if_will_cond_yield_neon +- st1 {dgav.4s}, [x19] +- str dgb, [x19, #16] +- do_cond_yield_neon ++ cbz w2, 2f ++ cond_yield 3f, x5 + b 0b +- endif_yield_neon +- +- b 1b + + /* + * Final block: add padding and total bit count. + * Skip if the input size was not a round multiple of the block size, + * the padding is handled by the C code in that case. 
+ */ +-3: cbz x4, 4f ++2: cbz x4, 3f + ldr_l w4, sha1_ce_offsetof_count, x4 +- ldr x4, [x19, x4] ++ ldr x4, [x0, x4] + movi v9.2d, #0 + mov x8, #0x80000000 + movi v10.2d, #0 +@@ -153,11 +140,11 @@ CPU_LE( rev32 v11.16b, v11.16b ) + mov x4, #0 + mov v11.d[0], xzr + mov v11.d[1], x7 +- b 2b ++ b 1b + + /* store new state */ +-4: st1 {dgav.4s}, [x19] +- str dgb, [x19, #16] +- frame_pop ++3: st1 {dgav.4s}, [x0] ++ str dgb, [x0, #16] ++ mov w0, w2 + ret + ENDPROC(sha1_ce_transform) +--- a/arch/arm64/crypto/sha1-ce-glue.c ++++ b/arch/arm64/crypto/sha1-ce-glue.c +@@ -26,14 +26,22 @@ struct sha1_ce_state { + u32 finalize; + }; + +-asmlinkage void sha1_ce_transform(struct sha1_ce_state *sst, u8 const *src, +- int blocks); ++asmlinkage int sha1_ce_transform(struct sha1_ce_state *sst, u8 const *src, ++ int blocks); + + static void __sha1_ce_transform(struct sha1_state *sst, u8 const *src, + int blocks) + { +- sha1_ce_transform(container_of(sst, struct sha1_ce_state, sst), src, +- blocks); ++ while (blocks) { ++ int rem; ++ ++ kernel_neon_begin(); ++ rem = sha1_ce_transform(container_of(sst, struct sha1_ce_state, ++ sst), src, blocks); ++ kernel_neon_end(); ++ src += (blocks - rem) * SHA1_BLOCK_SIZE; ++ blocks = rem; ++ } + } + + const u32 sha1_ce_offsetof_count = offsetof(struct sha1_ce_state, sst.count); +@@ -48,9 +56,7 @@ static int sha1_ce_update(struct shash_d + return crypto_sha1_update(desc, data, len); + + sctx->finalize = 0; +- kernel_neon_begin(); + sha1_base_do_update(desc, data, len, __sha1_ce_transform); +- kernel_neon_end(); + + return 0; + } +@@ -70,11 +76,9 @@ static int sha1_ce_finup(struct shash_de + */ + sctx->finalize = finalize; + +- kernel_neon_begin(); + sha1_base_do_update(desc, data, len, __sha1_ce_transform); + if (!finalize) + sha1_base_do_finalize(desc, __sha1_ce_transform); +- kernel_neon_end(); + return sha1_base_finish(desc, out); + } + +@@ -86,9 +90,7 @@ static int sha1_ce_final(struct shash_de + return crypto_sha1_finup(desc, NULL, 0, out); + + 
sctx->finalize = 0; +- kernel_neon_begin(); + sha1_base_do_finalize(desc, __sha1_ce_transform); +- kernel_neon_end(); + return sha1_base_finish(desc, out); + } + diff --git a/patches.suse/crypto-arm64-sha2-ce-simplify-NEON-yield.patch b/patches.suse/crypto-arm64-sha2-ce-simplify-NEON-yield.patch new file mode 100644 index 0000000..0a42413 --- /dev/null +++ b/patches.suse/crypto-arm64-sha2-ce-simplify-NEON-yield.patch 
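Review bot: The new `while (blocks)` loop in `__sha1_ce_transform` terminates only if `sha1_ce_transform` returns fewer blocks than it was given, and that guarantee lives solely in the assembler (the `sub w2, w2, #1` that precedes `cond_yield 3f, x5`) without being stated on the C side; the same loop is added by the sha2-ce, sha3-ce and sha512-ce patches that follow. A comment on the prototype would pin the contract, e.g. `/* returns the number of blocks left unprocessed; always consumes at least one block per call */`. Separately, `cond_yield` is not defined in any hunk shown here, so this backport presumably relies on the assembler macro already existing in the tree; that is worth confirming, since a missing macro would only surface as an arm64 build failure.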
@@ -0,0 +1,188 @@ +From: Ard Biesheuvel +Date: Wed, 3 Feb 2021 12:36:20 +0100 +Subject: crypto: arm64/sha2-ce - simplify NEON yield +Git-commit: b2eadbf40e8f82279f145aa841727b2e01f7dc1d +Patch-mainline: v5.12-rc1 +References: git-fixes + +Instead of calling into kernel_neon_end() and kernel_neon_begin() (and +potentially into schedule()) from the assembler code when running in +task mode and a reschedule is pending, perform only the preempt count +check in assembler, but simply return early in this case, and let the C +code deal with the consequences. + +This reverts commit d82f37ab5e2426287013eba38b1212e8b71e5be3. + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Acked-by: Ivan T. Ivanov +--- + arch/arm64/crypto/sha2-ce-core.S | 70 ++++++++++++++++----------------------- + arch/arm64/crypto/sha2-ce-glue.c | 22 ++++++------ + 2 files changed, 41 insertions(+), 51 deletions(-) + +--- a/arch/arm64/crypto/sha2-ce-core.S ++++ b/arch/arm64/crypto/sha2-ce-core.S +@@ -76,36 +76,30 @@ + */ + .text + ENTRY(sha2_ce_transform) +- frame_push 3 +- +- mov x19, x0 +- mov x20, x1 +- mov x21, x2 +- + /* load round constants */ +-0: adr_l x8, .Lsha2_rcon +- ld1 { v0.4s- v3.4s}, [x8], #64 +- ld1 { v4.4s- v7.4s}, [x8], #64 +- ld1 { v8.4s-v11.4s}, [x8], #64 +- ld1 {v12.4s-v15.4s}, [x8] +- +- /* load state */ +- ld1 {dgav.4s, dgbv.4s}, [x19] +- +- /* load sha256_ce_state::finalize */ +- ldr_l w4, sha256_ce_offsetof_finalize, x4 +- ldr w4, [x19, x4] +- +- /* load input */ +-1: ld1 {v16.4s-v19.4s}, [x20], #64 +- sub w21, w21, #1 +- +-CPU_LE( rev32 v16.16b, v16.16b ) +-CPU_LE( rev32 v17.16b, v17.16b ) +-CPU_LE( rev32 v18.16b, v18.16b ) +-CPU_LE( rev32 v19.16b, v19.16b ) ++ adr_l x8, .Lsha2_rcon ++ ld1 { v0.4s- v3.4s}, [x8], #64 ++ ld1 { v4.4s- v7.4s}, [x8], #64 ++ ld1 { v8.4s-v11.4s}, [x8], #64 ++ ld1 {v12.4s-v15.4s}, [x8] ++ ++ /* load state */ ++ ld1 {dgav.4s, dgbv.4s}, [x0] ++ ++ /* load sha256_ce_state::finalize */ ++ ldr_l w4, sha256_ce_offsetof_finalize, x4 ++ ldr w4, [x0, 
x4] ++ ++ /* load input */ ++0: ld1 {v16.4s-v19.4s}, [x1], #64 ++ sub w2, w2, #1 ++ ++ CPU_LE( rev32 v16.16b, v16.16b ) ++ CPU_LE( rev32 v17.16b, v17.16b ) ++ CPU_LE( rev32 v18.16b, v18.16b ) ++ CPU_LE( rev32 v19.16b, v19.16b ) + +-2: add t0.4s, v16.4s, v0.4s ++1: add t0.4s, v16.4s, v0.4s + mov dg0v.16b, dgav.16b + mov dg1v.16b, dgbv.16b + +@@ -134,24 +128,18 @@ CPU_LE( rev32 v19.16b, v19.16b ) + add dgbv.4s, dgbv.4s, dg1v.4s + + /* handled all input blocks? */ +- cbz w21, 3f +- +- if_will_cond_yield_neon +- st1 {dgav.4s, dgbv.4s}, [x19] +- do_cond_yield_neon ++ cbz w2, 2f ++ cond_yield 3f, x5 + b 0b +- endif_yield_neon +- +- b 1b + + /* + * Final block: add padding and total bit count. + * Skip if the input size was not a round multiple of the block size, + * the padding is handled by the C code in that case. + */ +-3: cbz x4, 4f ++2: cbz x4, 3f + ldr_l w4, sha256_ce_offsetof_count, x4 +- ldr x4, [x19, x4] ++ ldr x4, [x0, x4] + movi v17.2d, #0 + mov x8, #0x80000000 + movi v18.2d, #0 +@@ -160,10 +148,10 @@ CPU_LE( rev32 v19.16b, v19.16b ) + mov x4, #0 + mov v19.d[0], xzr + mov v19.d[1], x7 +- b 2b ++ b 1b + + /* store new state */ +-4: st1 {dgav.4s, dgbv.4s}, [x19] +- frame_pop ++3: st1 {dgav.4s, dgbv.4s}, [x0] ++ mov w0, w2 + ret + ENDPROC(sha2_ce_transform) +--- a/arch/arm64/crypto/sha2-ce-glue.c ++++ b/arch/arm64/crypto/sha2-ce-glue.c +@@ -27,14 +27,22 @@ struct sha256_ce_state { + u32 finalize; + }; + +-asmlinkage void sha2_ce_transform(struct sha256_ce_state *sst, u8 const *src, +- int blocks); ++asmlinkage int sha2_ce_transform(struct sha256_ce_state *sst, u8 const *src, ++ int blocks); + + static void __sha2_ce_transform(struct sha256_state *sst, u8 const *src, + int blocks) + { +- sha2_ce_transform(container_of(sst, struct sha256_ce_state, sst), src, +- blocks); ++ while (blocks) { ++ int rem; ++ ++ kernel_neon_begin(); ++ rem = sha2_ce_transform(container_of(sst, struct sha256_ce_state, ++ sst), src, blocks); ++ kernel_neon_end(); ++ src += (blocks - rem) 
* SHA256_BLOCK_SIZE; ++ blocks = rem; ++ } + } + + const u32 sha256_ce_offsetof_count = offsetof(struct sha256_ce_state, +@@ -60,9 +68,7 @@ static int sha256_ce_update(struct shash + __sha256_block_data_order); + + sctx->finalize = 0; +- kernel_neon_begin(); + sha256_base_do_update(desc, data, len, __sha2_ce_transform); +- kernel_neon_end(); + + return 0; + } +@@ -87,11 +93,9 @@ static int sha256_ce_finup(struct shash_ + */ + sctx->finalize = finalize; + +- kernel_neon_begin(); + sha256_base_do_update(desc, data, len, __sha2_ce_transform); + if (!finalize) + sha256_base_do_finalize(desc, __sha2_ce_transform); +- kernel_neon_end(); + return sha256_base_finish(desc, out); + } + +@@ -105,9 +109,7 @@ static int sha256_ce_final(struct shash_ + } + + sctx->finalize = 0; +- kernel_neon_begin(); + sha256_base_do_finalize(desc, __sha2_ce_transform); +- kernel_neon_end(); + return sha256_base_finish(desc, out); + } + diff --git a/patches.suse/crypto-arm64-sha3-ce-simplify-NEON-yield.patch b/patches.suse/crypto-arm64-sha3-ce-simplify-NEON-yield.patch new file mode 100644 index 0000000..de902e7 --- /dev/null +++ b/patches.suse/crypto-arm64-sha3-ce-simplify-NEON-yield.patch 
@@ -0,0 +1,202 @@ +From: Ard Biesheuvel +Date: Wed, 3 Feb 2021 12:36:21 +0100 +Subject: crypto: arm64/sha3-ce - simplify NEON yield +Git-commit: 9ecc9f31d0a43d538d80f51debfb25d75da44892 +Patch-mainline: v5.12-rc1 +References: git-fixes + +Instead of calling into kernel_neon_end() and kernel_neon_begin() (and +potentially into schedule()) from the assembler code when running in +task mode and a reschedule is pending, perform only the preempt count +check in assembler, but simply return early in this case, and let the C +code deal with the consequences. + +This reverts commit 7edc86cb1c18b4c274672232117586ea2bef1d9a. + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Acked-by: Ivan T. Ivanov +--- + arch/arm64/crypto/sha3-ce-core.S | 81 ++++++++++++++------------------------- + arch/arm64/crypto/sha3-ce-glue.c | 14 ++++-- + 2 files changed, 39 insertions(+), 56 deletions(-) + +--- a/arch/arm64/crypto/sha3-ce-core.S ++++ b/arch/arm64/crypto/sha3-ce-core.S +@@ -37,20 +37,13 @@ + .endm + + /* +- * sha3_ce_transform(u64 *st, const u8 *data, int blocks, int dg_size) ++ * int sha3_ce_transform(u64 *st, const u8 *data, int blocks, int dg_size) + */ + .text + ENTRY(sha3_ce_transform) +- frame_push 4 +- +- mov x19, x0 +- mov x20, x1 +- mov x21, x2 +- mov x22, x3 +- +-0: /* load state */ +- add x8, x19, #32 +- ld1 { v0.1d- v3.1d}, [x19] ++ /* load state */ ++ add x8, x0, #32 ++ ld1 { v0.1d- v3.1d}, [x0] + ld1 { v4.1d- v7.1d}, [x8], #32 + ld1 { v8.1d-v11.1d}, [x8], #32 + ld1 {v12.1d-v15.1d}, [x8], #32 +@@ -58,13 +51,13 @@ ENTRY(sha3_ce_transform) + ld1 {v20.1d-v23.1d}, [x8], #32 + ld1 {v24.1d}, [x8] + +-1: sub w21, w21, #1 ++0: sub w2, w2, #1 + mov w8, #24 + adr_l x9, .Lsha3_rcon + + /* load input */ +- ld1 {v25.8b-v28.8b}, [x20], #32 +- ld1 {v29.8b-v31.8b}, [x20], #24 ++ ld1 {v25.8b-v28.8b}, [x1], #32 ++ ld1 {v29.8b-v31.8b}, [x1], #24 + eor v0.8b, v0.8b, v25.8b + eor v1.8b, v1.8b, v26.8b + eor v2.8b, v2.8b, v27.8b +@@ -73,10 +66,10 @@ ENTRY(sha3_ce_transform) + eor 
v5.8b, v5.8b, v30.8b + eor v6.8b, v6.8b, v31.8b + +- tbnz x22, #6, 3f // SHA3-512 ++ tbnz x3, #6, 2f // SHA3-512 + +- ld1 {v25.8b-v28.8b}, [x20], #32 +- ld1 {v29.8b-v30.8b}, [x20], #16 ++ ld1 {v25.8b-v28.8b}, [x1], #32 ++ ld1 {v29.8b-v30.8b}, [x1], #16 + eor v7.8b, v7.8b, v25.8b + eor v8.8b, v8.8b, v26.8b + eor v9.8b, v9.8b, v27.8b +@@ -84,34 +77,34 @@ ENTRY(sha3_ce_transform) + eor v11.8b, v11.8b, v29.8b + eor v12.8b, v12.8b, v30.8b + +- tbnz x22, #4, 2f // SHA3-384 or SHA3-224 ++ tbnz x3, #4, 1f // SHA3-384 or SHA3-224 + + // SHA3-256 +- ld1 {v25.8b-v28.8b}, [x20], #32 ++ ld1 {v25.8b-v28.8b}, [x1], #32 + eor v13.8b, v13.8b, v25.8b + eor v14.8b, v14.8b, v26.8b + eor v15.8b, v15.8b, v27.8b + eor v16.8b, v16.8b, v28.8b +- b 4f ++ b 3f + +-2: tbz x22, #2, 4f // bit 2 cleared? SHA-384 ++1: tbz x3, #2, 3f // bit 2 cleared? SHA-384 + + // SHA3-224 +- ld1 {v25.8b-v28.8b}, [x20], #32 +- ld1 {v29.8b}, [x20], #8 ++ ld1 {v25.8b-v28.8b}, [x1], #32 ++ ld1 {v29.8b}, [x1], #8 + eor v13.8b, v13.8b, v25.8b + eor v14.8b, v14.8b, v26.8b + eor v15.8b, v15.8b, v27.8b + eor v16.8b, v16.8b, v28.8b + eor v17.8b, v17.8b, v29.8b +- b 4f ++ b 3f + + // SHA3-512 +-3: ld1 {v25.8b-v26.8b}, [x20], #16 ++2: ld1 {v25.8b-v26.8b}, [x1], #16 + eor v7.8b, v7.8b, v25.8b + eor v8.8b, v8.8b, v26.8b + +-4: sub w8, w8, #1 ++3: sub w8, w8, #1 + + eor3 v29.16b, v4.16b, v9.16b, v14.16b + eor3 v26.16b, v1.16b, v6.16b, v11.16b +@@ -190,33 +183,19 @@ ENTRY(sha3_ce_transform) + + eor v0.16b, v0.16b, v31.16b + +- cbnz w8, 4b +- cbz w21, 5f +- +- if_will_cond_yield_neon +- add x8, x19, #32 +- st1 { v0.1d- v3.1d}, [x19] +- st1 { v4.1d- v7.1d}, [x8], #32 +- st1 { v8.1d-v11.1d}, [x8], #32 +- st1 {v12.1d-v15.1d}, [x8], #32 +- st1 {v16.1d-v19.1d}, [x8], #32 +- st1 {v20.1d-v23.1d}, [x8], #32 +- st1 {v24.1d}, [x8] +- do_cond_yield_neon +- b 0b +- endif_yield_neon +- +- b 1b ++ cbnz w8, 3b ++ cond_yield 3f, x8 ++ cbnz w2, 0b + + /* save state */ +-5: st1 { v0.1d- v3.1d}, [x19], #32 +- st1 { v4.1d- v7.1d}, [x19], #32 +- 
st1 { v8.1d-v11.1d}, [x19], #32 +- st1 {v12.1d-v15.1d}, [x19], #32 +- st1 {v16.1d-v19.1d}, [x19], #32 +- st1 {v20.1d-v23.1d}, [x19], #32 +- st1 {v24.1d}, [x19] +- frame_pop ++3: st1 { v0.1d- v3.1d}, [x0], #32 ++ st1 { v4.1d- v7.1d}, [x0], #32 ++ st1 { v8.1d-v11.1d}, [x0], #32 ++ st1 {v12.1d-v15.1d}, [x0], #32 ++ st1 {v16.1d-v19.1d}, [x0], #32 ++ st1 {v20.1d-v23.1d}, [x0], #32 ++ st1 {v24.1d}, [x0] ++ mov w0, w2 + ret + ENDPROC(sha3_ce_transform) + +--- a/arch/arm64/crypto/sha3-ce-glue.c ++++ b/arch/arm64/crypto/sha3-ce-glue.c +@@ -28,8 +28,8 @@ MODULE_ALIAS_CRYPTO("sha3-256"); + MODULE_ALIAS_CRYPTO("sha3-384"); + MODULE_ALIAS_CRYPTO("sha3-512"); + +-asmlinkage void sha3_ce_transform(u64 *st, const u8 *data, int blocks, +- int md_len); ++asmlinkage int sha3_ce_transform(u64 *st, const u8 *data, int blocks, ++ int md_len); + + static int sha3_update(struct shash_desc *desc, const u8 *data, + unsigned int len) +@@ -59,11 +59,15 @@ static int sha3_update(struct shash_desc + blocks = len / sctx->rsiz; + len %= sctx->rsiz; + +- if (blocks) { ++ while (blocks) { ++ int rem; ++ + kernel_neon_begin(); +- sha3_ce_transform(sctx->st, data, blocks, digest_size); ++ rem = sha3_ce_transform(sctx->st, data, blocks, ++ digest_size); + kernel_neon_end(); +- data += blocks * sctx->rsiz; ++ data += (blocks - rem) * sctx->rsiz; ++ blocks = rem; + } + } + diff --git a/patches.suse/crypto-arm64-sha512-ce-simplify-NEON-yield.patch b/patches.suse/crypto-arm64-sha512-ce-simplify-NEON-yield.patch new file mode 100644 index 0000000..e6fe296 --- /dev/null +++ b/patches.suse/crypto-arm64-sha512-ce-simplify-NEON-yield.patch 
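Review bot: The numeric label `3` is now defined twice in sha3_ce_transform, once at the round loop (`3: sub w8, w8, #1`) and once at the state store (`3: st1 { v0.1d- v3.1d}, [x0], #32`), so the adjacent `cbnz w8, 3b` and `cond_yield 3f, x8` jump to different places. Local numeric labels make this legal, but it is easy to misread when auditing the early-exit path that decides how much input was consumed. Renumbering the store label (`cond_yield 4f, x8` and `4: st1 ...`) would keep the two targets distinct; if staying identical to the upstream commit matters for this backport, a one-line comment at the second label does the same job.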
@@ -0,0 +1,176 @@ +From: Ard Biesheuvel +Date: Wed, 3 Feb 2021 12:36:22 +0100 +Subject: crypto: arm64/sha512-ce - simplify NEON yield +Git-commit: 5f6cb2e6176815cf631593eb7a94a2725d8528e5 +Patch-mainline: v5.12-rc1 +References: git-fixes + +Instead of calling into kernel_neon_end() and kernel_neon_begin() (and +potentially into schedule()) from the assembler code when running in +task mode and a reschedule is pending, perform only the preempt count +check in assembler, but simply return early in this case, and let the C +code deal with the consequences. + +This reverts commit 6caf7adc5e458f77f550b6c6ca8effa152d61b4a. + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Acked-by: Ivan T. Ivanov +--- + arch/arm64/crypto/sha512-ce-core.S | 45 +++++++++++-------------------- + arch/arm64/crypto/sha512-ce-glue.c | 53 ++++++++++++++++++------------------- + 2 files changed, 42 insertions(+), 56 deletions(-) + +--- a/arch/arm64/crypto/sha512-ce-core.S ++++ b/arch/arm64/crypto/sha512-ce-core.S +@@ -102,28 +102,22 @@ + .endm + + /* +- * void sha512_ce_transform(struct sha512_state *sst, u8 const *src, +- * int blocks) ++ * int sha512_ce_transform(struct sha512_state *sst, u8 const *src, ++ * int blocks) + */ + .text + ENTRY(sha512_ce_transform) +- frame_push 3 ++ /* load state */ ++ ld1 {v8.2d-v11.2d}, [x0] + +- mov x19, x0 +- mov x20, x1 +- mov x21, x2 +- +- /* load state */ +-0: ld1 {v8.2d-v11.2d}, [x19] +- +- /* load first 4 round constants */ +- adr_l x3, .Lsha512_rcon +- ld1 {v20.2d-v23.2d}, [x3], #64 +- +- /* load input */ +-1: ld1 {v12.2d-v15.2d}, [x20], #64 +- ld1 {v16.2d-v19.2d}, [x20], #64 +- sub w21, w21, #1 ++ /* load first 4 round constants */ ++ adr_l x3, .Lsha512_rcon ++ ld1 {v20.2d-v23.2d}, [x3], #64 ++ ++ /* load input */ ++0: ld1 {v12.2d-v15.2d}, [x1], #64 ++ ld1 {v16.2d-v19.2d}, [x1], #64 ++ sub w2, w2, #1 + + CPU_LE( rev64 v12.16b, v12.16b ) + CPU_LE( rev64 v13.16b, v13.16b ) +@@ -201,19 +195,12 @@ CPU_LE( rev64 v19.16b, v19.16b ) + add v10.2d, 
v10.2d, v2.2d + add v11.2d, v11.2d, v3.2d + ++ cond_yield 3f, x4 + /* handled all input blocks? */ +- cbz w21, 3f +- +- if_will_cond_yield_neon +- st1 {v8.2d-v11.2d}, [x19] +- do_cond_yield_neon +- b 0b +- endif_yield_neon +- +- b 1b ++ cbnz w2, 0b + + /* store new state */ +-3: st1 {v8.2d-v11.2d}, [x19] +- frame_pop ++3: st1 {v8.2d-v11.2d}, [x0] ++ mov w0, w2 + ret + ENDPROC(sha512_ce_transform) +--- a/arch/arm64/crypto/sha512-ce-glue.c ++++ b/arch/arm64/crypto/sha512-ce-glue.c +@@ -26,11 +26,25 @@ MODULE_LICENSE("GPL v2"); + MODULE_ALIAS_CRYPTO("sha384"); + MODULE_ALIAS_CRYPTO("sha512"); + +-asmlinkage void sha512_ce_transform(struct sha512_state *sst, u8 const *src, +- int blocks); ++asmlinkage int sha512_ce_transform(struct sha512_state *sst, u8 const *src, ++ int blocks); + + asmlinkage void sha512_block_data_order(u64 *digest, u8 const *src, int blocks); + ++static void __sha512_ce_transform(struct sha512_state *sst, u8 const *src, ++ int blocks) ++{ ++ while (blocks) { ++ int rem; ++ ++ kernel_neon_begin(); ++ rem = sha512_ce_transform(sst, src, blocks); ++ kernel_neon_end(); ++ src += (blocks - rem) * SHA512_BLOCK_SIZE; ++ blocks = rem; ++ } ++} ++ + static void __sha512_block_data_order(struct sha512_state *sst, u8 const *src, + int blocks) + { +@@ -40,45 +54,30 @@ static void __sha512_block_data_order(st + static int sha512_ce_update(struct shash_desc *desc, const u8 *data, + unsigned int len) + { +- if (!crypto_simd_usable()) +- return sha512_base_do_update(desc, data, len, +- __sha512_block_data_order); +- +- kernel_neon_begin(); +- sha512_base_do_update(desc, data, len, sha512_ce_transform); +- kernel_neon_end(); ++ sha512_block_fn *fn = crypto_simd_usable() ? 
__sha512_ce_transform ++ : __sha512_block_data_order; + ++ sha512_base_do_update(desc, data, len, fn); + return 0; + } + + static int sha512_ce_finup(struct shash_desc *desc, const u8 *data, + unsigned int len, u8 *out) + { +- if (!crypto_simd_usable()) { +- if (len) +- sha512_base_do_update(desc, data, len, +- __sha512_block_data_order); +- sha512_base_do_finalize(desc, __sha512_block_data_order); +- return sha512_base_finish(desc, out); +- } ++ sha512_block_fn *fn = crypto_simd_usable() ? __sha512_ce_transform ++ : __sha512_block_data_order; + +- kernel_neon_begin(); +- sha512_base_do_update(desc, data, len, sha512_ce_transform); +- sha512_base_do_finalize(desc, sha512_ce_transform); +- kernel_neon_end(); ++ sha512_base_do_update(desc, data, len, fn); ++ sha512_base_do_finalize(desc, fn); + return sha512_base_finish(desc, out); + } + + static int sha512_ce_final(struct shash_desc *desc, u8 *out) + { +- if (!crypto_simd_usable()) { +- sha512_base_do_finalize(desc, __sha512_block_data_order); +- return sha512_base_finish(desc, out); +- } ++ sha512_block_fn *fn = crypto_simd_usable() ? __sha512_ce_transform ++ : __sha512_block_data_order; + +- kernel_neon_begin(); +- sha512_base_do_finalize(desc, sha512_ce_transform); +- kernel_neon_end(); ++ sha512_base_do_finalize(desc, fn); + return sha512_base_finish(desc, out); + } + diff --git a/patches.suse/device-property-Fix-documentation-for-_match_string-.patch b/patches.suse/device-property-Fix-documentation-for-_match_string-.patch new file mode 100644 index 0000000..ada57ab --- /dev/null +++ b/patches.suse/device-property-Fix-documentation-for-_match_string-.patch 
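Review bot: The rewritten `sha512_ce_finup` calls `sha512_base_do_update(desc, data, len, fn)` unconditionally, whereas the removed non-SIMD branch skipped the call when `len` was 0. `sha512_base_do_update` is outside the hunk, so whether it is safe with `len == 0` (and possibly a NULL `data`) cannot be checked from here, although the removed SIMD branch already called it without the guard. Keeping the guard is cheap: `if (len) sha512_base_do_update(desc, data, len, fn);`.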
@@ -0,0 +1,46 @@ +From 92e10465acaffcf65e803f40e884ffa86fd3ff2f Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Thu, 6 Oct 2022 15:38:07 +0300 +Subject: [PATCH] device property: Fix documentation for *_match_string() APIs +Git-commit: 92e10465acaffcf65e803f40e884ffa86fd3ff2f +Patch-mainline: v6.1-rc3 +References: git-fixes + +The returned value on success is an index of the matching string, +starting from 0. Reflect this in the documentation. + +Fixes: 3f5c8d318785 ("device property: Add fwnode_property_match_string()") +Signed-off-by: Andy Shevchenko +Reviewed-by: Sakari Ailus +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/base/property.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/property.c b/drivers/base/property.c +index 4d6278a84868..2a5a37fcd998 100644 +--- a/drivers/base/property.c ++++ b/drivers/base/property.c +@@ -229,7 +229,7 @@ EXPORT_SYMBOL_GPL(device_property_read_string); + * Find a given string in a string array and if it is found return the + * index back. + * +- * Return: %0 if the property was found (success), ++ * Return: index, starting from %0, if the property was found (success), + * %-EINVAL if given arguments are not valid, + * %-ENODATA if the property does not have a value, + * %-EPROTO if the property is not an array of strings, +@@ -450,7 +450,7 @@ EXPORT_SYMBOL_GPL(fwnode_property_read_string); + * Find a given string in a string array and if it is found return the + * index back. + * +- * Return: %0 if the property was found (success), ++ * Return: index, starting from %0, if the property was found (success), + * %-EINVAL if given arguments are not valid, + * %-ENODATA if the property does not have a value, + * %-EPROTO if the property is not an array of strings, +-- +2.35.3 + diff --git a/patches.suse/devlink-Fix-use-after-free-after-a-failed-reload.patch b/patches.suse/devlink-Fix-use-after-free-after-a-failed-reload.patch index 60c7a10..1d740db 100644 
--- a/patches.suse/devlink-Fix-use-after-free-after-a-failed-reload.patch +++ b/patches.suse/devlink-Fix-use-after-free-after-a-failed-reload.patch @@ -4,7 +4,7 @@ Date: Tue, 9 Aug 2022 14:35:06 +0300 Subject: [PATCH] devlink: Fix use-after-free after a failed reload Git-commit: 6b4db2e528f650c7fb712961aac36455468d5902 Patch-mainline: v6.0-rc1 -References: git-fixes +References: bsc#1204637 CVE-2022-3625 After a failed devlink reload, devlink parameters are still registered, which means user space can set and get their values. In the case of the @@ -102,6 +102,6 @@ index 5da5c7cca98a..b50bcc18b8d9 100644 return -EOPNOTSUPP; return param->set(devlink, param->id, ctx); } --- +-- 2.35.3 diff --git a/patches.suse/drm-Prevent-drm_copy_field-to-attempt-copying-a-NULL.patch b/patches.suse/drm-Prevent-drm_copy_field-to-attempt-copying-a-NULL.patch new file mode 100644 index 0000000..98a327d --- /dev/null +++ b/patches.suse/drm-Prevent-drm_copy_field-to-attempt-copying-a-NULL.patch 
@@ -0,0 +1,87 @@ +From f6ee30407e883042482ad4ad30da5eaba47872ee Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Tue, 5 Jul 2022 12:02:14 +0200 +Subject: [PATCH] drm: Prevent drm_copy_field() to attempt copying a NULL pointer +Git-commit: f6ee30407e883042482ad4ad30da5eaba47872ee +Patch-mainline: v6.1-rc1 +References: git-fixes + +There are some struct drm_driver fields that are required by drivers since +drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION. + +But it can be possible that a driver has a bug and did not set some of the +fields, which leads to drm_copy_field() attempting to copy a NULL pointer: + +[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 +[ +0.010955] Mem abort info: +[ +0.002835] ESR = 0x0000000096000004 +[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits +[ +0.005395] SET = 0, FnV = 0 +[ +0.003113] EA = 0, S1PTW = 0 +[ +0.003182] FSC = 0x04: level 0 translation fault +[ +0.004964] Data abort info: +[ +0.002919] ISV = 0, ISS = 0x00000004 +[ +0.003886] CM = 0, WnR = 0 +[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000 +[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 +[ +0.006925] Internal error: Oops: 96000004 [#1] SMP +... 
+[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ +0.007061] pc : __pi_strlen+0x14/0x150 +[ +0.003895] lr : drm_copy_field+0x30/0x1a4 +[ +0.004156] sp : ffff8000094b3a50 +[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040 +[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040 +[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000 +[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000 +[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40 +[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 +[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8 +[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141 +[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 +[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000 +[ +0.007240] Call trace: +[ +0.002475] __pi_strlen+0x14/0x150 +[ +0.003537] drm_version+0x84/0xac +[ +0.003448] drm_ioctl_kernel+0xa8/0x16c +[ +0.003975] drm_ioctl+0x270/0x580 +[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc +[ +0.003978] invoke_syscall+0x78/0x100 +[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4 +[ +0.004767] do_el0_svc+0x38/0x4c +[ +0.003357] el0_svc+0x34/0x100 +[ +0.003185] el0t_64_sync_handler+0x11c/0x150 +[ +0.004418] el0t_64_sync+0x190/0x194 +[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02) +[ +0.006180] ---[ end trace 0000000000000000 ]--- + +Reported-by: Peter Robinson +Signed-off-by: Javier Martinez Canillas +Acked-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-3-javierm@redhat.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_ioctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c +index e1b9a03e619c..ca2a6e6101dc 
100644
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -474,6 +474,12 @@ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
+ {
+ size_t len;
+
++ /* don't attempt to copy a NULL pointer */
++ if (WARN_ONCE(!value, "BUG: the value to copy was not set!")) {
++ *buf_len = 0;
++ return 0;
++ }
++
+ /* don't overflow userbuf */
+ len = strlen(value);
+ if (len > *buf_len)
+--
+2.35.3
+
diff --git a/patches.suse/drm-Use-size_t-type-for-len-variable-in-drm_copy_fie.patch b/patches.suse/drm-Use-size_t-type-for-len-variable-in-drm_copy_fie.patch
new file mode 100644
index 0000000..15d8ce2
--- /dev/null
+++ b/patches.suse/drm-Use-size_t-type-for-len-variable-in-drm_copy_fie.patch
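Review bot: The added guard in drm_copy_field() warns with `WARN_ONCE(!value, "BUG: the value to copy was not set!")`, which does not say which field was unset, and because it fires only once a second missing field is never reported. The description says several struct drm_driver fields pass through this helper, so naming the field in the message, or documenting at the call site that they are mandatory, would make the warning actionable. The path is reached from the DRM_IOCTL_VERSION ioctl, so on hosts that set panic_on_warn a driver with an unset field turns the warning into a crash; a plain `pr_warn_once("drm: version field not set by driver\n");` before the early return may be the safer choice there. The function body continues past the hunk.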
@@ -0,0 +1,48 @@ +From 94dc3471d1b2b58b3728558d0e3f264e9ce6ff59 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Tue, 5 Jul 2022 12:02:13 +0200 +Subject: [PATCH] drm: Use size_t type for len variable in drm_copy_field() +Git-commit: 94dc3471d1b2b58b3728558d0e3f264e9ce6ff59 +Patch-mainline: v6.1-rc1 +References: git-fixes + +The strlen() function returns a size_t which is an unsigned int on 32-bit +arches and an unsigned long on 64-bit arches. But in the drm_copy_field() +function, the strlen() return value is assigned to an 'int len' variable. + +Later, the len variable is passed as copy_from_user() third argument that +is an unsigned long parameter as well. + +In theory, this can lead to an integer overflow via type conversion. Since +the assignment happens to a signed int lvalue instead of a size_t lvalue. + +In practice though, that's unlikely since the values copied are set by DRM +drivers and not controlled by userspace. But using a size_t for len is the +correct thing to do anyways. + +Signed-off-by: Javier Martinez Canillas +Tested-by: Peter Robinson +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-2-javierm@redhat.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c +index 8faad23dc1d8..e1b9a03e619c 100644 +--- a/drivers/gpu/drm/drm_ioctl.c ++++ b/drivers/gpu/drm/drm_ioctl.c +@@ -472,7 +472,7 @@ EXPORT_SYMBOL(drm_invalid_op); + */ + static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value) + { +- int len; ++ size_t len; + + /* don't overflow userbuf */ + len = strlen(value); +-- +2.35.3 + diff --git a/patches.suse/drm-amdgpu-fix-initial-connector-audio-value.patch b/patches.suse/drm-amdgpu-fix-initial-connector-audio-value.patch new file mode 100644 index 0000000..94c2e04 --- /dev/null 
+++ b/patches.suse/drm-amdgpu-fix-initial-connector-audio-value.patch 
@@ -0,0 +1,64 @@ +From 4bb71fce58f30df3f251118291d6b0187ce531e6 Mon Sep 17 00:00:00 2001 +From: hongao +Date: Tue, 20 Sep 2022 17:24:53 +0800 +Subject: [PATCH] drm/amdgpu: fix initial connector audio value +Git-commit: 4bb71fce58f30df3f251118291d6b0187ce531e6 +Patch-mainline: v6.1-rc1 +References: git-fixes + +This got lost somewhere along the way, This fixes +audio not working until set_property was called. + +Signed-off-by: hongao +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index b7933c2ce765..491d4846fc02 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -1674,10 +1674,12 @@ amdgpu_connector_add(struct amdgpu_device *adev, + adev->mode_info.dither_property, + AMDGPU_FMT_DITHER_DISABLE); + +- if (amdgpu_audio != 0) ++ if (amdgpu_audio != 0) { + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; ++ } + + subpixel_order = SubPixelHorizontalRGB; + connector->interlace_allowed = true; +@@ -1799,6 +1801,7 @@ amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +@@ -1852,6 +1855,7 @@ amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +@@ -1902,6 +1906,7 
@@ amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +-- +2.35.3 + diff --git a/patches.suse/drm-msm-Fix-return-type-of-mdp4_lvds_connector_mode_.patch b/patches.suse/drm-msm-Fix-return-type-of-mdp4_lvds_connector_mode_.patch new file mode 100644 index 0000000..6e526cd --- /dev/null +++ b/patches.suse/drm-msm-Fix-return-type-of-mdp4_lvds_connector_mode_.patch 
@@ -0,0 +1,54 @@ +From 0b33a33bd15d5bab73b87152b220a8d0153a4587 Mon Sep 17 00:00:00 2001 +From: Nathan Huckleberry +Date: Tue, 13 Sep 2022 13:55:48 -0700 +Subject: [PATCH] drm/msm: Fix return type of mdp4_lvds_connector_mode_valid +Git-commit: 0b33a33bd15d5bab73b87152b220a8d0153a4587 +Patch-mainline: v6.1-rc3 +References: git-fixes + +The mode_valid field in drm_connector_helper_funcs is expected to be of +Type: +enum drm_mode_status (* mode_valid) (struct drm_connector *connector, + struct drm_display_mode *mode); + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of mdp4_lvds_connector_mode_valid should be changed from +int to enum drm_mode_status. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Fixes: 3e87599b68e7 ("drm/msm/mdp4: add LVDS panel support") +Reviewed-by: Abhinav Kumar +Reviewed-by: Nathan Chancellor +Patchwork: https://patchwork.freedesktop.org/patch/502878/ +Link: https://lore.kernel.org/r/20220913205551.155128-1-nhuck@google.com +Signed-off-by: Abhinav Kumar +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/msm/disp/mdp4/mdp4_lvds_connector.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/mdp4/mdp4_lvds_connector.c b/drivers/gpu/drm/msm/disp/mdp4/mdp4_lvds_connector.c +index 7288041dd86a..7444b75c4215 100644 +--- a/drivers/gpu/drm/msm/disp/mdp4/mdp4_lvds_connector.c ++++ b/drivers/gpu/drm/msm/disp/mdp4/mdp4_lvds_connector.c +@@ -56,8 +56,9 @@ static int mdp4_lvds_connector_get_modes(struct drm_connector *connector) + return ret; + } + +-static int mdp4_lvds_connector_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status ++mdp4_lvds_connector_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + struct 
mdp4_lvds_connector *mdp4_lvds_connector =
+ to_mdp4_lvds_connector(connector);
+--
+2.35.3
+
diff --git a/patches.suse/drm-msm-dsi-fix-memory-corruption-with-too-many-brid.patch b/patches.suse/drm-msm-dsi-fix-memory-corruption-with-too-many-brid.patch
new file mode 100644
index 0000000..f4f55ed
--- /dev/null
+++ b/patches.suse/drm-msm-dsi-fix-memory-corruption-with-too-many-brid.patch
@@ -0,0 +1,47 @@
+From 2e786eb2f9cebb07e317226b60054df510b60c65 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 13 Sep 2022 10:53:13 +0200
+Subject: [PATCH] drm/msm/dsi: fix memory corruption with too many bridges
+Git-commit: 2e786eb2f9cebb07e317226b60054df510b60c65
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+Add the missing sanity check on the bridge counter to avoid corrupting
+data beyond the fixed-sized bridge array in case there are ever more
+than eight bridges.
+
+Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support")
+Cc: stable@vger.kernel.org # 4.1
+Signed-off-by: Johan Hovold
+Tested-by: Kuogee Hsieh
+Reviewed-by: Kuogee Hsieh
+Reviewed-by: Dmitry Baryshkov
+Patchwork: https://patchwork.freedesktop.org/patch/502668/
+Link: https://lore.kernel.org/r/20220913085320.8577-4-johan+linaro@kernel.org
+Signed-off-by: Abhinav Kumar
+Acked-by: Takashi Iwai
+
+---
+ drivers/gpu/drm/msm/dsi/dsi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi.c b/drivers/gpu/drm/msm/dsi/dsi.c
+index 39bbabb5daf6..8a95c744972a 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi.c
++++ b/drivers/gpu/drm/msm/dsi/dsi.c
+@@ -218,6 +218,12 @@ int msm_dsi_modeset_init(struct msm_dsi *msm_dsi, struct drm_device *dev,
+ return -EINVAL;
+
+ priv = dev->dev_private;
++
++ if (priv->num_bridges == ARRAY_SIZE(priv->bridges)) {
++ DRM_DEV_ERROR(dev->dev, "too many bridges\n");
++ return -ENOSPC;
++ }
++
+ msm_dsi->dev = dev;
+
+ ret = msm_dsi_host_modeset_init(msm_dsi->host, dev);
+--
+2.35.3
+
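Review bot: The new guard in msm_dsi_modeset_init() tests `priv->num_bridges == ARRAY_SIZE(priv->bridges)`, which stops the write only when the counter sits exactly on the limit. If any other path has already moved the counter past the array size, the check passes and the out-of-bounds store the commit describes can still happen. `if (priv->num_bridges >= ARRAY_SIZE(priv->bridges)) {` costs nothing and fails closed. The same comparison appears in msm_hdmi_modeset_init() in the drm/msm/hdmi patch that follows. The increment of num_bridges lies outside both hunks, so every site that appends to priv->bridges should be confirmed to sit behind a bound check.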
diff --git a/patches.suse/drm-msm-hdmi-fix-memory-corruption-with-too-many-bri.patch b/patches.suse/drm-msm-hdmi-fix-memory-corruption-with-too-many-bri.patch new file mode 100644 index 0000000..e1dd578 --- /dev/null +++ b/patches.suse/drm-msm-hdmi-fix-memory-corruption-with-too-many-bri.patch @@ -0,0 +1,46 @@ +From 4c1294da6aed1f16d47a417dcfe6602833c3c95c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 13 Sep 2022 10:53:14 +0200 +Subject: [PATCH] drm/msm/hdmi: fix memory corruption with too many bridges +Git-commit: 4c1294da6aed1f16d47a417dcfe6602833c3c95c +Patch-mainline: v6.1-rc3 +References: git-fixes + +Add the missing sanity check on the bridge counter to avoid corrupting +data beyond the fixed-sized bridge array in case there are ever more +than eight bridges. + +Fixes: a3376e3ec81c ("drm/msm: convert to drm_bridge") +Cc: stable@vger.kernel.org # 3.12 +Signed-off-by: Johan Hovold +Tested-by: Kuogee Hsieh +Reviewed-by: Kuogee Hsieh +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/502670/ +Link: https://lore.kernel.org/r/20220913085320.8577-5-johan+linaro@kernel.org +Signed-off-by: Abhinav Kumar +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/msm/hdmi/hdmi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c +index 93fe61b86967..a0ed6aa8e4e1 100644 +--- a/drivers/gpu/drm/msm/hdmi/hdmi.c ++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c +@@ -300,6 +300,11 @@ int msm_hdmi_modeset_init(struct hdmi *hdmi, + struct platform_device *pdev = hdmi->pdev; + int ret; + ++ if (priv->num_bridges == ARRAY_SIZE(priv->bridges)) { ++ DRM_DEV_ERROR(dev->dev, "too many bridges\n"); ++ return -ENOSPC; ++ } ++ + hdmi->dev = dev; + hdmi->encoder = encoder; + +-- +2.35.3 + diff --git a/patches.suse/drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch b/patches.suse/drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch new file mode 100644 index 0000000..15d4a67 
--- /dev/null +++ b/patches.suse/drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch @@ -0,0 +1,44 @@ +From 6dc548745d5b5102e3c53dc5097296ac270b6c69 Mon Sep 17 00:00:00 2001 +From: Jianglei Nie +Date: Tue, 5 Jul 2022 17:43:06 +0800 +Subject: [PATCH] drm/nouveau/nouveau_bo: fix potential memory leak in nouveau_bo_alloc() +Git-commit: 6dc548745d5b5102e3c53dc5097296ac270b6c69 +Patch-mainline: v6.1-rc1 +References: git-fixes + +nouveau_bo_alloc() allocates a memory chunk for "nvbo" with kzalloc(). +When some error occurs, "nvbo" should be released. But when +WARN_ON(pi < 0)) equals true, the function return ERR_PTR without +releasing the "nvbo", which will lead to a memory leak. + +We should release the "nvbo" with kfree() if WARN_ON(pi < 0)) equals true. + +Signed-off-by: Jianglei Nie +Signed-off-by: Lyude Paul +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20220705094306.2244103-1-niejianglei2021@163.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/nouveau/nouveau_bo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c +index 05076e530e7d..d0887438b07e 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_bo.c ++++ b/drivers/gpu/drm/nouveau/nouveau_bo.c +@@ -281,8 +281,10 @@ nouveau_bo_alloc(struct nouveau_cli *cli, u64 *size, int *align, u32 domain, + break; + } + +- if (WARN_ON(pi < 0)) ++ if (WARN_ON(pi < 0)) { ++ kfree(nvbo); + return ERR_PTR(-EINVAL); ++ } + + /* Disable compression if suitable settings couldn't be found. */ + if (nvbo->comp && !vmm->page[pi].comp) { +-- +2.35.3 + diff --git a/patches.suse/drm-panel-orientation-quirks-Add-quirk-for-Anbernic-.patch b/patches.suse/drm-panel-orientation-quirks-Add-quirk-for-Anbernic-.patch new file mode 100644 index 0000000..21243ad --- /dev/null +++ b/patches.suse/drm-panel-orientation-quirks-Add-quirk-for-Anbernic-.patch 
@@ -0,0 +1,41 @@ +From 770e19076065e079a32f33eb11be2057c87f1cde Mon Sep 17 00:00:00 2001 +From: Maya Matuszczyk +Date: Wed, 3 Aug 2022 20:24:03 +0200 +Subject: [PATCH] drm: panel-orientation-quirks: Add quirk for Anbernic Win600 +Git-commit: 770e19076065e079a32f33eb11be2057c87f1cde +Patch-mainline: v6.1-rc1 +References: git-fixes + +This device is another x86 gaming handheld, and as (hopefully) there is +only one set of DMI IDs it's using DMI_EXACT_MATCH + +Signed-off-by: Maya Matuszczyk +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20220803182402.1217293-1-maccraft123mc@gmail.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index fc1728d46ac2..64b194af003c 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -128,6 +128,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "One S1003"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, ++ }, { /* Anbernic Win600 */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Anbernic"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Win600"), ++ }, ++ .driver_data = (void *)&lcd720x1280_rightside_up, + }, { /* Asus T100HA */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +-- +2.35.3 + diff --git a/patches.suse/exfat-Return-ENAMETOOLONG-consistently-for-oversized.patch b/patches.suse/exfat-Return-ENAMETOOLONG-consistently-for-oversized.patch new file mode 100644 index 0000000..740dca6 --- /dev/null +++ b/patches.suse/exfat-Return-ENAMETOOLONG-consistently-for-oversized.patch 
@@ -0,0 +1,50 @@
+From 86da53e8ff5dcfbbbd345edc0caef7d21ce567ae Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 26 Jul 2022 10:39:25 +0200
+Subject: [PATCH] exfat: Return ENAMETOOLONG consistently for oversized paths
+Git-commit: 86da53e8ff5dcfbbbd345edc0caef7d21ce567ae
+Patch-mainline: v6.0-rc1
+References: bsc#1204053 bsc#1201725
+
+LTP has a test for oversized file path renames and it expects the
+return value to be ENAMETOOLONG. However, exfat returns EINVAL
+unexpectedly in some cases, hence LTP test fails. The further
+investigation indicated that the problem happens only when iocharset
+isn't set to utf8.
+
+The difference comes from that, in the case of utf8,
+exfat_utf8_to_utf16() returns the error -ENAMETOOLONG directly and
+it's treated as the final error code. Meanwhile, on other iocharsets,
+exfat_nls_to_ucs2() returns the max path size but it sets
+NLS_NAME_OVERLEN to lossy flag instead; the caller side checks only
+whether lossy flag is set or not, resulting in always -EINVAL
+unconditionally.
+
+This patch aligns the return code for both cases by checking the lossy
+flag bit and returning ENAMETOOLONG when NLS_NAME_OVERLEN bit is set.
+
+Buglink: https://bugzilla.suse.com/show_bug.cgi?id=1201725
+Reviewed-by: Petr Vorel
+Signed-off-by: Takashi Iwai
+Signed-off-by: Namjae Jeon
+
+---
+ fs/exfat/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
+index 7fac9c4b60cf..b617bebc3d0f 100644
+--- a/fs/exfat/namei.c
++++ b/fs/exfat/namei.c
+@@ -442,7 +442,7 @@ static int __exfat_resolve_path(struct inode *inode, const unsigned char *path,
+ return namelen; /* return error value */
+
+ if ((lossy && !lookup) || !namelen)
+- return -EINVAL;
++ return (lossy & NLS_NAME_OVERLEN) ? -ENAMETOOLONG : -EINVAL;
+
+ exfat_chain_set(p_dir, ei->start_clu,
+ EXFAT_B_TO_CLU(i_size_read(inode), sbi), ei->flags);
+--
+2.35.3
+
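Review bot: The changed return in __exfat_resolve_path() reports -ENAMETOOLONG only on the `(lossy && !lookup) || !namelen` branch, so when `lookup` is set an NLS_NAME_OVERLEN result is still ignored. Going by the description, exfat_nls_to_ucs2() returns the maximum size and records the overflow in `lossy`, so a lookup of an over-long name on a non-utf8 iocharset would presumably continue with the truncated name instead of failing as the utf8 path does. If that is not intended, test the bit on its own before the combined condition: `if (lossy & NLS_NAME_OVERLEN) return -ENAMETOOLONG;`. The rest of the function is outside the hunk, so this should be checked against the callers that pass lookup.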
diff --git a/patches.suse/fbdev-cyber2000fb-fix-missing-pci_disable_device.patch b/patches.suse/fbdev-cyber2000fb-fix-missing-pci_disable_device.patch new file mode 100644 index 0000000..f97d3f3 --- /dev/null +++ b/patches.suse/fbdev-cyber2000fb-fix-missing-pci_disable_device.patch @@ -0,0 +1,42 @@ +From 3c6bf6bddc84888c0ce163b09dee0ddd23b5172a Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 24 Oct 2022 22:00:28 +0800 +Subject: [PATCH] fbdev: cyber2000fb: fix missing pci_disable_device() +Git-commit: 3c6bf6bddc84888c0ce163b09dee0ddd23b5172a +Patch-mainline: v6.1-rc3 +References: git-fixes + +Add missing pci_disable_device() in error path of probe() and remove() path. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: Helge Deller +Acked-by: Takashi Iwai + +--- + drivers/video/fbdev/cyber2000fb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/cyber2000fb.c b/drivers/video/fbdev/cyber2000fb.c +index 585af90a68a5..31ff1da82c05 100644 +--- a/drivers/video/fbdev/cyber2000fb.c ++++ b/drivers/video/fbdev/cyber2000fb.c +@@ -1796,6 +1796,7 @@ static int cyberpro_pci_probe(struct pci_dev *dev, + failed_regions: + cyberpro_free_fb_info(cfb); + failed_release: ++ pci_disable_device(dev); + return err; + } + +@@ -1812,6 +1813,7 @@ static void cyberpro_pci_remove(struct pci_dev *dev) + int_cfb_info = NULL; + + pci_release_regions(dev); ++ pci_disable_device(dev); + } + } + +-- +2.35.3 + diff --git a/patches.suse/fbdev-da8xx-fb-Fix-error-handling-in-.remove.patch b/patches.suse/fbdev-da8xx-fb-Fix-error-handling-in-.remove.patch new file mode 100644 index 0000000..f2a8726 --- /dev/null +++ b/patches.suse/fbdev-da8xx-fb-Fix-error-handling-in-.remove.patch 
@@ -0,0 +1,45 @@ +From 3c6174f9ffcb63ac8b54809c8043d7800b185bfb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Mon, 17 Oct 2022 21:52:50 +0200 +Subject: [PATCH] fbdev: da8xx-fb: Fix error handling in .remove() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 3c6174f9ffcb63ac8b54809c8043d7800b185bfb +Patch-mainline: v6.1-rc3 +References: git-fixes + +Even in the presence of problems (here: regulator_disable() might fail), +it's important to unregister all resources acquired during .probe() and +disable the device (i.e. DMA activity) because even if .remove() returns +an error code, the device is removed and the .remove() callback is never +called again later to catch up. + +This is a preparation for making platform remove callbacks return void. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Helge Deller +Fixes: 611097d5daea ("fbdev: da8xx: add support for a regulator") +Acked-by: Takashi Iwai + +--- + drivers/video/fbdev/da8xx-fb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/da8xx-fb.c b/drivers/video/fbdev/da8xx-fb.c +index ae76a2111c77..11922b009ed7 100644 +--- a/drivers/video/fbdev/da8xx-fb.c ++++ b/drivers/video/fbdev/da8xx-fb.c +@@ -1076,7 +1076,8 @@ static int fb_remove(struct platform_device *dev) + if (par->lcd_supply) { + ret = regulator_disable(par->lcd_supply); + if (ret) +- return ret; ++ dev_warn(&dev->dev, "Failed to disable regulator (%pe)\n", ++ ERR_PTR(ret)); + } + + lcd_disable_raster(DA8XX_FRAME_WAIT); +-- +2.35.3 + diff --git a/patches.suse/fs-Add-missing-umask-strip-in-vfs_tmpfile.patch b/patches.suse/fs-Add-missing-umask-strip-in-vfs_tmpfile.patch new file mode 100644 index 0000000..bc89f85 --- /dev/null +++ b/patches.suse/fs-Add-missing-umask-strip-in-vfs_tmpfile.patch 
@@ -0,0 +1,45 @@
+From ac6800e279a22b28f4fc21439843025a0d5bf03e Mon Sep 17 00:00:00 2001
+From: Yang Xu
+Date: Thu, 14 Jul 2022 14:11:26 +0800
+Subject: [PATCH] fs: Add missing umask strip in vfs_tmpfile
+Git-commit: ac6800e279a22b28f4fc21439843025a0d5bf03e
+Patch-mainline: v6.0-rc1
+References: bsc#1198702 CVE-2021-4037
+
+All creation paths except for O_TMPFILE handle umask in the vfs directly
+if the filesystem doesn't support or enable POSIX ACLs. If the filesystem
+does then umask handling is deferred until posix_acl_create().
+Because, O_TMPFILE misses umask handling in the vfs it will not honor
+umask settings. Fix this by adding the missing umask handling.
+
+Link: https://lore.kernel.org/r/1657779088-2242-2-git-send-email-xuyang2018.jy@fujitsu.com
+Fixes: 60545d0d4610 ("[O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...")
+Cc: # 4.19+
+Reported-by: Christian Brauner (Microsoft)
+Reviewed-by: Darrick J. Wong
+Reviewed-and-tested-by: Jeff Layton
+Acked-by: Christian Brauner (Microsoft)
+Signed-off-by: Yang Xu
+Signed-off-by: Christian Brauner (Microsoft)
+Acked-by: Anthony Iliopoulos
+
+---
+ fs/namei.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 7ce6ba7bf735..ce72838cb40d 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3460,6 +3460,8 @@ struct dentry *vfs_tmpfile(struct dentry *dentry, umode_t mode, int open_flag)
+ child = d_alloc(dentry, &slash_name);
+ if (unlikely(!child))
+ goto out_err;
++ if (!IS_POSIXACL(dir))
++ mode &= ~current_umask();
+ error = dir->i_op->tmpfile(dir, child, mode);
+ if (error)
+ goto out_err;
+--
+2.35.3
+
diff --git a/patches.suse/fs-add-mode_strip_sgid-helper.patch b/patches.suse/fs-add-mode_strip_sgid-helper.patch
new file mode 100644
index 0000000..dd2dbaf
--- /dev/null
+++ b/patches.suse/fs-add-mode_strip_sgid-helper.patch
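Review bot: The two lines added to vfs_tmpfile() carry no comment, and the reason the umask is applied only under `!IS_POSIXACL(dir)` is not obvious from the code. I would add `/* Without POSIX ACLs the umask is not applied later in posix_acl_create(), so strip it here. */` above the test, which is what the description states. `dir` is declared outside the hunk; this assumes it is the inode of the directory the tmpfile is created in.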
@@ -0,0 +1,107 @@ +From 2b3416ceff5e6bd4922f6d1c61fb68113dd82302 Mon Sep 17 00:00:00 2001 +From: Yang Xu +Date: Thu, 14 Jul 2022 14:11:25 +0800 +Subject: [PATCH] fs: add mode_strip_sgid() helper +Git-commit: 2b3416ceff5e6bd4922f6d1c61fb68113dd82302 +Patch-mainline: v6.0-rc1 +References: bsc#1198702 CVE-2021-4037 + +Add a dedicated helper to handle the setgid bit when creating a new file +in a setgid directory. This is a preparatory patch for moving setgid +stripping into the vfs. The patch contains no functional changes. + +Currently the setgid stripping logic is open-coded directly in +inode_init_owner() and the individual filesystems are responsible for +handling setgid inheritance. Since this has proven to be brittle as +evidenced by old issues we uncovered over the last months (see [1] to +[3] below) we will try to move this logic into the vfs. + +Link: e014f37db1a2 ("xfs: use setattr_copy to set vfs inode attributes") [1] +Link: 01ea173e103e ("xfs: fix up non-directory creation in SGID directories") [2] +Link: fd84bfdddd16 ("ceph: fix up non-directory creation in SGID directories") [3] +Link: https://lore.kernel.org/r/1657779088-2242-1-git-send-email-xuyang2018.jy@fujitsu.com +Reviewed-by: Darrick J. 
Wong +Reviewed-by: Christian Brauner (Microsoft) +Reviewed-and-tested-by: Jeff Layton +Signed-off-by: Yang Xu +Signed-off-by: Christian Brauner (Microsoft) +Acked-by: Anthony Iliopoulos + +--- + fs/inode.c | 34 ++++++++++++++++++++++++++++++---- + include/linux/fs.h | 3 +++ + 2 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/fs/inode.c b/fs/inode.c +index 6485e6ba391f..57558236b6cb 100644 +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -2056,10 +2056,8 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, + /* Directories are special, and always inherit S_ISGID */ + if (S_ISDIR(mode)) + mode |= S_ISGID; +- else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && +- !in_group_p(inode->i_gid) && +- !capable_wrt_inode_uidgid(dir, CAP_FSETID)) +- mode &= ~S_ISGID; ++ else ++ mode = mode_strip_sgid(dir, mode); + } else + inode->i_gid = current_fsgid(); + inode->i_mode = mode; +@@ -2284,3 +2282,31 @@ int vfs_ioc_fssetxattr_check(struct inode *inode, const struct fsxattr *old_fa, + return 0; + } + EXPORT_SYMBOL(vfs_ioc_fssetxattr_check); ++ ++/** ++ * mode_strip_sgid - handle the sgid bit for non-directories ++ * @dir: parent directory inode ++ * @mode: mode of the file to be created in @dir ++ * ++ * If the @mode of the new file has both the S_ISGID and S_IXGRP bit ++ * raised and @dir has the S_ISGID bit raised ensure that the caller is ++ * either in the group of the parent directory or they have CAP_FSETID ++ * in their user namespace and are privileged over the parent directory. ++ * In all other cases, strip the S_ISGID bit from @mode. 
++ *
++ * Return: the new mode to use for the file
++ */
++umode_t mode_strip_sgid(const struct inode *dir, umode_t mode)
++{
++ if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP))
++ return mode;
++ if (S_ISDIR(mode) || !dir || !(dir->i_mode & S_ISGID))
++ return mode;
++ if (in_group_p(dir->i_gid))
++ return mode;
++ if (capable_wrt_inode_uidgid(dir, CAP_FSETID))
++ return mode;
++
++ return mode & ~S_ISGID;
++}
++EXPORT_SYMBOL(mode_strip_sgid);
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index bacc0b416843..24f2f8da9b7c 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1725,6 +1725,7 @@ extern long compat_ptr_ioctl(struct file *file, unsigned int cmd,
+ extern void inode_init_owner(struct inode *inode, const struct inode *dir,
+ umode_t mode);
+ extern bool may_open_dev(const struct path *path);
++
+ /*
+ * VFS FS_IOC_FIEMAP helper definitions.
+ */
+@@ -1739,6 +1740,8 @@ int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
+ u64 phys, u64 len, u32 flags);
+ int fiemap_check_flags(struct fiemap_extent_info *fieinfo, u32 fs_flags);
+
++umode_t mode_strip_sgid(const struct inode *dir, umode_t mode);
++
+ /*
+ * This is the "filldir" function type, used by readdir() to let
+ * the kernel specify what kind of dirent layout it wants to have.
+--
+2.35.3
+
diff --git a/patches.suse/fs-fix-UAF-GPF-bug-in-nilfs_mdt_destroy.patch b/patches.suse/fs-fix-UAF-GPF-bug-in-nilfs_mdt_destroy.patch
new file mode 100644
index 0000000..634079c
--- /dev/null
+++ b/patches.suse/fs-fix-UAF-GPF-bug-in-nilfs_mdt_destroy.patch
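Review bot: The description calls this a change with no functional effect, but mode_strip_sgid() tests `in_group_p(dir->i_gid)` where the code removed from inode_init_owner() tested `in_group_p(inode->i_gid)`. The two agree only if inode->i_gid has already been copied from the directory before this branch, and that assignment is outside the hunk, so it should be confirmed against the tree this is back-ported to. Since the helper is exported and decides whether a new file keeps S_ISGID, a kernel-doc line such as ` * The caller's group membership is checked against @dir, not the new inode.` would make that contract explicit for later callers.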
@@ -0,0 +1,66 @@
+From aa5b151dc63fcb97244321257a29da2b8a1511e1 Mon Sep 17 00:00:00 2001
+From: Dongliang Mu
+Date: Tue, 16 Aug 2022 12:08:58 +0800
+Subject: [PATCH] fs: fix UAF/GPF bug in nilfs_mdt_destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: CVE-2022-2978 bsc#1202700
+Git-commit: 2e488f13755ffbb60f307e991b27024716a33b29
+Patch-mainline: v6.1-rc1
+
+In alloc_inode, inode_init_always() could return -ENOMEM if
+security_inode_alloc() fails, which causes inode->i_private
+uninitialized. Then nilfs_is_metadata_file_inode() returns
+true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
+which frees the uninitialized inode->i_private
+and leads to crashes(e.g., UAF/GPF).
+
+Fix this by moving security_inode_alloc just prior to
+this_cpu_inc(nr_inodes)
+
+Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com
+Reported-by: butt3rflyh4ck
+Reported-by: Hao Sun
+Reported-by: Jiacheng Xu
+Reviewed-by: Christian Brauner (Microsoft)
+Signed-off-by: Dongliang Mu
+Cc: Al Viro
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro
+Acked-by: David Disseldorp
+---
+ fs/inode.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 659e27226feca..8c473c1c93d01 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -167,8 +167,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
+ inode->i_wb_frn_history = 0;
+ #endif
+
+- if (security_inode_alloc(inode))
+- goto out;
+ spin_lock_init(&inode->i_lock);
+ lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
+
+@@ -205,11 +203,12 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
+ inode->i_fsnotify_mask = 0;
+ #endif
+ inode->i_flctx = NULL;
++
++ if (unlikely(security_inode_alloc(inode)))
++ return -ENOMEM;
+ this_cpu_inc(nr_inodes);
+
+ return 0;
+-out:
+- return -ENOMEM;
+ }
+ EXPORT_SYMBOL(inode_init_always);
+
+--
+2.35.3
+
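Review bot: Nothing at the new call site says that `security_inode_alloc()` has to remain the last fallible step of `inode_init_always()`, so a field initialiser added below it later would bring back the partially initialised inode on the failure path that the description ties to CVE-2022-2978. A comment above the moved call would pin the ordering, for example `/* Keep last: if this fails the inode is freed, so every field above must already be initialised. */`. The early `return -ENOMEM` also still discards whatever error `security_inode_alloc()` returned, exactly as the removed `goto out` did; propagating it would be a separate behaviour change to weigh. The function body starts and ends outside the inner hunks shown here.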
diff --git a/patches.suse/fs-move-S_ISGID-stripping-into-the-vfs_-helpers.patch b/patches.suse/fs-move-S_ISGID-stripping-into-the-vfs_-helpers.patch
new file mode 100644
index 0000000..61f672e
--- /dev/null
+++ b/patches.suse/fs-move-S_ISGID-stripping-into-the-vfs_-helpers.patch
@@ -0,0 +1,364 @@
+From 1639a49ccdce58ea248841ed9b23babcce6dbb0b Mon Sep 17 00:00:00 2001
+From: Yang Xu
+Date: Thu, 14 Jul 2022 14:11:27 +0800
+Subject: [PATCH] fs: move S_ISGID stripping into the vfs_*() helpers
+Git-commit: 1639a49ccdce58ea248841ed9b23babcce6dbb0b
+Patch-mainline: v6.0-rc1
+References: bsc#1198702 CVE-2021-4037
+
+Move setgid handling out of individual filesystems and into the VFS
+itself to stop the proliferation of setgid inheritance bugs.
+
+Creating files that have both the S_IXGRP and S_ISGID bit raised in
+directories that themselves have the S_ISGID bit set requires additional
+privileges to avoid security issues.
+
+When a filesystem creates a new inode it needs to take care that the
+caller is either in the group of the newly created inode or they have
+CAP_FSETID in their current user namespace and are privileged over the
+parent directory of the new inode. If any of these two conditions is
+true then the S_ISGID bit can be raised for an S_IXGRP file and if not
+it needs to be stripped.
+
+However, there are several key issues with the current implementation:
+
+* S_ISGID stripping logic is entangled with umask stripping.
+
+ If a filesystem doesn't support or enable POSIX ACLs then umask
+ stripping is done directly in the vfs before calling into the
+ filesystem.
+ If the filesystem does support POSIX ACLs then unmask stripping may be
+ done in the filesystem itself when calling posix_acl_create().
+
+ Since umask stripping has an effect on S_ISGID inheritance, e.g., by
+ stripping the S_IXGRP bit from the file to be created and all relevant
+ filesystems have to call posix_acl_create() before inode_init_owner()
+ where we currently take care of S_ISGID handling S_ISGID handling is
+ order dependent. IOW, whether or not you get a setgid bit depends on
+ POSIX ACLs and umask and in what order they are called.
+
+ Note that technically filesystems are free to impose their own
+ ordering between posix_acl_create() and inode_init_owner() meaning
+ that there's additional ordering issues that influence S_SIGID
+ inheritance.
+
+* Filesystems that don't rely on inode_init_owner() don't get S_ISGID
+ stripping logic.
+
+ While that may be intentional (e.g. network filesystems might just
+ defer setgid stripping to a server) it is often just a security issue.
+
+This is not just ugly it's unsustainably messy especially since we do
+still have bugs in this area years after the initial round of setgid
+bugfixes.
+
+So the current state is quite messy and while we won't be able to make
+it completely clean as posix_acl_create() is still a filesystem specific
+call we can improve the S_SIGD stripping situation quite a bit by
+hoisting it out of inode_init_owner() and into the vfs creation
+operations. This means we alleviate the burden for filesystems to handle
+S_ISGID stripping correctly and can standardize the ordering between
+S_ISGID and umask stripping in the vfs.
+
+We add a new helper vfs_prepare_mode() so S_ISGID handling is now done
+in the VFS before umask handling. This has S_ISGID handling is
+unaffected unaffected by whether umask stripping is done by the VFS
+itself (if no POSIX ACLs are supported or enabled) or in the filesystem
+in posix_acl_create() (if POSIX ACLs are supported).
+
+The vfs_prepare_mode() helper is called directly in vfs_*() helpers that
+create new filesystem objects. We need to move them into there to make
+sure that filesystems like overlayfs hat have callchains like:
+
+sys_mknod()
+-> do_mknodat(mode)
+ -> .mknod = ovl_mknod(mode)
+ -> ovl_create(mode)
+ -> vfs_mknod(mode)
+
+get S_ISGID stripping done when calling into lower filesystems via
+vfs_*() creation helpers. Moving vfs_prepare_mode() into e.g.
+vfs_mknod() takes care of that. This is in any case semantically cleaner
+because S_ISGID stripping is VFS security requirement.
+
+Security hooks so far have seen the mode with the umask applied but
+without S_ISGID handling done. The relevant hooks are called outside of
+vfs_*() creation helpers so by calling vfs_prepare_mode() from vfs_*()
+helpers the security hooks would now see the mode without umask
+stripping applied. For now we fix this by passing the mode with umask
+settings applied to not risk any regressions for LSM hooks. IOW, nothing
+changes for LSM hooks. It is worth pointing out that security hooks
+never saw the mode that is seen by the filesystem when actually creating
+the file. They have always been completely misplaced for that to work.
+
+The following filesystems use inode_init_owner() and thus relied on
+S_ISGID stripping: spufs, 9p, bfs, btrfs, ext2, ext4, f2fs, hfsplus,
+hugetlbfs, jfs, minix, nilfs2, ntfs3, ocfs2, omfs, overlayfs, ramfs,
+reiserfs, sysv, ubifs, udf, ufs, xfs, zonefs, bpf, tmpfs.
+
+All of the above filesystems end up calling inode_init_owner() when new
+filesystem objects are created through the ->mkdir(), ->mknod(),
+->create(), ->tmpfile(), ->rename() inode operations.
+
+Since directories always inherit the S_ISGID bit with the exception of
+xfs when irix_sgid_inherit mode is turned on S_ISGID stripping doesn't
+apply. The ->symlink() and ->link() inode operations trivially inherit
+the mode from the target and the ->rename() inode operation inherits the
+mode from the source inode. All other creation inode operations will get
+S_ISGID handling via vfs_prepare_mode() when called from their relevant
+vfs_*() helpers.
+
+In addition to this there are filesystems which allow the creation of
+filesystem objects through ioctl()s or - in the case of spufs -
+circumventing the vfs in other ways. If filesystem objects are created
+through ioctl()s the vfs doesn't know about it and can't apply regular
+permission checking including S_ISGID logic. Therfore, a filesystem
+relying on S_ISGID stripping in inode_init_owner() in their ioctl()
+callpath will be affected by moving this logic into the vfs. We audited
+those filesystems:
+
+* btrfs allows the creation of filesystem objects through various
+ ioctls(). Snapshot creation literally takes a snapshot and so the mode
+ is fully preserved and S_ISGID stripping doesn't apply.
+
+ Creating a new subvolum relies on inode_init_owner() in
+ btrfs_new_subvol_inode() but only creates directories and doesn't
+ raise S_ISGID.
+
+* ocfs2 has a peculiar implementation of reflinks. In contrast to e.g.
+ xfs and btrfs FICLONE/FICLONERANGE ioctl() that is only concerned with
+ the actual extents ocfs2 uses a separate ioctl() that also creates the
+ target file.
+
+ Iow, ocfs2 circumvents the vfs entirely here and did indeed rely on
+ inode_init_owner() to strip the S_ISGID bit. This is the only place
+ where a filesystem needs to call mode_strip_sgid() directly but this
+ is self-inflicted pain.
+
+* spufs doesn't go through the vfs at all and doesn't use ioctl()s
+ either. Instead it has a dedicated system call spufs_create() which
+ allows the creation of filesystem objects. But spufs only creates
+ directories and doesn't allo S_SIGID bits, i.e. it specifically only
+ allows 0777 bits.
+
+* bpf uses vfs_mkobj() but also doesn't allow S_ISGID bits to be created.
+
+The patch will have an effect on ext2 when the EXT2_MOUNT_GRPID mount
+option is used, on ext4 when the EXT4_MOUNT_GRPID mount option is used,
+and on xfs when the XFS_FEAT_GRPID mount option is used. When any of
+these filesystems are mounted with their respective GRPID option then
+newly created files inherit the parent directories group
+unconditionally. In these cases non of the filesystems call
+inode_init_owner() and thus did never strip the S_ISGID bit for newly
+created files. Moving this logic into the VFS means that they now get
+the S_ISGID bit stripped. This is a user visible change. If this leads
+to regressions we will either need to figure out a better way or we need
+to revert. However, given the various setgid bugs that we found just in
+the last two years this is a regression risk we should take.
+
+Associated with this change is a new set of fstests to enforce the
+semantics for all new filesystems.
+
+Link: https://lore.kernel.org/ceph-devel/20220427092201.wvsdjbnc7b4dttaw@wittgenstein [1]
+Link: e014f37db1a2 ("xfs: use setattr_copy to set vfs inode attributes") [2]
+Link: 01ea173e103e ("xfs: fix up non-directory creation in SGID directories") [3]
+Link: fd84bfdddd16 ("ceph: fix up non-directory creation in SGID directories") [4]
+Link: https://lore.kernel.org/r/1657779088-2242-3-git-send-email-xuyang2018.jy@fujitsu.com
+Suggested-by: Dave Chinner
+Suggested-by: Christian Brauner (Microsoft)
+Reviewed-by: Darrick J. Wong
+Reviewed-and-tested-by: Jeff Layton
+Signed-off-by: Yang Xu
+[: rewrote commit message]
+Signed-off-by: Christian Brauner (Microsoft)
+Acked-by: Anthony Iliopoulos
+
+---
+ fs/inode.c | 2 -
+ fs/namei.c | 95 +++++++++++++++++++++++++++++++++++++++++-------
+ fs/ocfs2/namei.c | 1 +
+ 3 files changed, 83 insertions(+), 15 deletions(-)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 57558236b6cb..f99a0b6c99ff 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -2056,8 +2056,6 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
+ /* Directories are special, and always inherit S_ISGID */
+ if (S_ISDIR(mode))
+ mode |= S_ISGID;
+- else
+- mode = mode_strip_sgid(dir, mode);
+ } else
+ inode->i_gid = current_fsgid();
+ inode->i_mode = mode;
+diff --git a/fs/namei.c b/fs/namei.c
+index ce72838cb40d..69d151e8bd5a 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2908,6 +2908,78 @@ void unlock_rename(struct dentry *p1, struct dentry *p2)
+ }
+ EXPORT_SYMBOL(unlock_rename);
+
++/**
++ * mode_strip_umask - handle vfs umask stripping
++ * @dir: parent directory of the new inode
++ * @mode: mode of the new inode to be created in @dir
++ *
++ * Umask stripping depends on whether or not the filesystem supports POSIX
++ * ACLs. If the filesystem doesn't support it umask stripping is done directly
++ * in here. If the filesystem does support POSIX ACLs umask stripping is
++ * deferred until the filesystem calls posix_acl_create().
++ *
++ * Returns: mode
++ */
++static inline umode_t mode_strip_umask(const struct inode *dir, umode_t mode)
++{
++ if (!IS_POSIXACL(dir))
++ mode &= ~current_umask();
++ return mode;
++}
++
++/**
++ * vfs_prepare_mode - prepare the mode to be used for a new inode
++ * @dir: parent directory of the new inode
++ * @mode: mode of the new inode
++ * @mask_perms: allowed permission by the vfs
++ * @type: type of file to be created
++ *
++ * This helper consolidates and enforces vfs restrictions on the @mode of a new
++ * object to be created.
++ *
++ * Umask stripping depends on whether the filesystem supports POSIX ACLs (see
++ * the kernel documentation for mode_strip_umask()). Moving umask stripping
++ * after setgid stripping allows the same ordering for both non-POSIX ACL and
++ * POSIX ACL supporting filesystems.
++ *
++ * Note that it's currently valid for @type to be 0 if a directory is created.
++ * Filesystems raise that flag individually and we need to check whether each
++ * filesystem can deal with receiving S_IFDIR from the vfs before we enforce a
++ * non-zero type.
++ *
++ * Returns: mode to be passed to the filesystem
++ */
++static inline umode_t vfs_prepare_mode(const struct inode *dir, umode_t mode,
++ umode_t mask_perms, umode_t type)
++{
++ mode = mode_strip_sgid(dir, mode);
++ mode = mode_strip_umask(dir, mode);
++
++ /*
++ * Apply the vfs mandated allowed permission mask and set the type of
++ * file to be created before we call into the filesystem.
++ */
++ mode &= (mask_perms & ~S_IFMT);
++ mode |= (type & S_IFMT);
++
++ return mode;
++}
++
++/**
++ * vfs_create - create new file
++ * @dir: inode of @dentry
++ * @dentry: pointer to dentry of the base directory
++ * @mode: mode of the new file
++ * @want_excl: whether the file must not yet exist
++ *
++ * Create a new file.
++ *
++ * If the inode has been found through an idmapped mount the user namespace of
++ * the vfsmount must be passed through @mnt_userns. This function will then take
++ * care to map the inode according to @mnt_userns before checking permissions.
++ * On non-idmapped mounts or if permission checking is to be performed on the
++ * raw inode simply passs init_user_ns.
++ */
+ int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
+ bool want_excl)
+ {
+@@ -2917,8 +2989,8 @@ int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
+
+ if (!dir->i_op->create)
+ return -EACCES; /* shouldn't it be ENOSYS? */
+- mode &= S_IALLUGO;
+- mode |= S_IFREG;
++
++ mode = vfs_prepare_mode(dir, mode, S_IALLUGO, S_IFREG);
+ error = security_inode_create(dir, dentry, mode);
+ if (error)
+ return error;
+@@ -3188,8 +3260,7 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+ * O_EXCL open we want to return EEXIST not EROFS).
+ */
+ if (open_flag & O_CREAT) {
+- if (!IS_POSIXACL(dir->d_inode))
+- mode &= ~current_umask();
++ mode = vfs_prepare_mode(dir->d_inode, mode, mode, mode);
+ if (unlikely(!got_write)) {
+ create_error = -EROFS;
+ open_flag &= ~O_CREAT;
+@@ -3460,8 +3531,7 @@ struct dentry *vfs_tmpfile(struct dentry *dentry, umode_t mode, int open_flag)
+ child = d_alloc(dentry, &slash_name);
+ if (unlikely(!child))
+ goto out_err;
+- if (!IS_POSIXACL(dir))
+- mode &= ~current_umask();
++ mode = vfs_prepare_mode(dir, mode, mode, mode);
+ error = dir->i_op->tmpfile(dir, child, mode);
+ if (error)
+ goto out_err;
+@@ -3720,6 +3790,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
+ if (!dir->i_op->mknod)
+ return -EPERM;
+
++ mode = vfs_prepare_mode(dir, mode, mode, mode);
+ error = devcgroup_inode_mknod(mode, dev);
+ if (error)
+ return error;
+@@ -3768,9 +3839,8 @@ long do_mknodat(int dfd, const char __user *filename, umode_t mode,
+ if (IS_ERR(dentry))
+ return PTR_ERR(dentry);
+
+- if (!IS_POSIXACL(path.dentry->d_inode))
+- mode &= ~current_umask();
+- error = security_path_mknod(&path, dentry, mode, dev);
++ error = security_path_mknod(&path, dentry,
++ mode_strip_umask(path.dentry->d_inode, mode), dev);
+ if (error)
+ goto out;
+ switch (mode & S_IFMT) {
+@@ -3818,7 +3888,7 @@ int vfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
+ if (!dir->i_op->mkdir)
+ return -EPERM;
+
+- mode &= (S_IRWXUGO|S_ISVTX);
++ mode = vfs_prepare_mode(dir, mode, S_IRWXUGO | S_ISVTX, 0);
+ error = security_inode_mkdir(dir, dentry, mode);
+ if (error)
+ return error;
+@@ -3845,9 +3915,8 @@ long do_mkdirat(int dfd, const char __user *pathname, umode_t mode)
+ if (IS_ERR(dentry))
+ return PTR_ERR(dentry);
+
+- if (!IS_POSIXACL(path.dentry->d_inode))
+- mode &= ~current_umask();
+- error = security_path_mkdir(&path, dentry, mode);
++ error = security_path_mkdir(&path, dentry,
++ mode_strip_umask(path.dentry->d_inode, mode));
+ if (!error)
+ error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
+ done_path_create(&path, dentry);
+diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c
+index 6f8e1c4fdb9c..f68c3b674763 100644
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -198,6 +198,7 @@ static struct inode *ocfs2_get_init_inode(struct inode *dir, umode_t mode)
+ * callers. */
+ if (S_ISDIR(mode))
+ set_nlink(inode, 2);
++ mode = mode_strip_sgid(dir, mode);
+ inode_init_owner(inode, dir, mode);
+ status = dquot_initialize(inode);
+ if (status)
+--
+2.35.3
+
diff --git a/patches.suse/hwmon-coretemp-Handle-large-core-ID-value.patch b/patches.suse/hwmon-coretemp-Handle-large-core-ID-value.patch
new file mode 100644
index 0000000..efe8dd8
--- /dev/null
+++ b/patches.suse/hwmon-coretemp-Handle-large-core-ID-value.patch
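Review bot: The kernel-doc added above `vfs_create()` in fs/namei.c tells callers to pass a user namespace through `@mnt_userns` or to "simply passs init_user_ns", but the signature kept in this backport is `vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode, bool want_excl)` and has no such parameter. That paragraph looks carried over from the mainline commit and should be dropped, leaving the `@dir`/`@dentry`/`@mode`/`@want_excl` lines and `Create a new file.`. The `vfs_prepare_mode()` comment could also say that `vfs_mkdir()` passes `type` 0 and a mode without S_IFDIR, so the `S_ISDIR(mode)` exemption inside `mode_strip_sgid()` does not apply on that path; a directory's setgid bit then presumably depends on the filesystem re-raising it in `inode_init_owner()`, which is worth confirming for the GRPID mounts the description lists.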
@@ -0,0 +1,175 @@
+From 7108b80a542b9d65e44b36d64a700a83658c0b73 Mon Sep 17 00:00:00 2001
+From: Zhang Rui
+Date: Fri, 14 Oct 2022 17:01:45 +0800
+Subject: [PATCH] hwmon/coretemp: Handle large core ID value
+Git-commit: 7108b80a542b9d65e44b36d64a700a83658c0b73
+Patch-mainline: v6.1-rc2
+References: git-fixes
+
+The coretemp driver supports up to a hard-coded limit of 128 cores.
+
+Today, the driver can not support a core with an ID above that limit.
+Yet, the encoding of core ID's is arbitrary (BIOS APIC-ID) and so they
+may be sparse and they may be large.
+
+Update the driver to map arbitrary core ID numbers into appropriate
+array indexes so that 128 cores can be supported, no matter the encoding
+of core ID's.
+
+Signed-off-by: Zhang Rui
+Signed-off-by: Dave Hansen
+Acked-by: Len Brown
+Acked-by: Guenter Roeck
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20221014090147.1836-3-rui.zhang@intel.com
+Acked-by: Takashi Iwai
+
+---
+ drivers/hwmon/coretemp.c | 56 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 41 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
+index ccf0af5b988a..8bf32c6c85d9 100644
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -46,9 +46,6 @@ MODULE_PARM_DESC(tjmax, "TjMax value in degrees Celsius");
+ #define TOTAL_ATTRS (MAX_CORE_ATTRS + 1)
+ #define MAX_CORE_DATA (NUM_REAL_CORES + BASE_SYSFS_ATTR_NO)
+
+-#define TO_CORE_ID(cpu) (cpu_data(cpu).cpu_core_id)
+-#define TO_ATTR_NO(cpu) (TO_CORE_ID(cpu) + BASE_SYSFS_ATTR_NO)
+-
+ #ifdef CONFIG_SMP
+ #define for_each_sibling(i, cpu) \
+ for_each_cpu(i, topology_sibling_cpumask(cpu))
+@@ -91,6 +88,8 @@ struct temp_data {
+ struct platform_data {
+ struct device *hwmon_dev;
+ u16 pkg_id;
++ u16 cpu_map[NUM_REAL_CORES];
++ struct ida ida;
+ struct cpumask cpumask;
+ struct temp_data *core_data[MAX_CORE_DATA];
+ struct device_attribute name_attr;
+@@ -441,7 +440,7 @@ static struct temp_data *init_temp_data(unsigned int cpu, int pkg_flag)
+ MSR_IA32_THERM_STATUS;
+ tdata->is_pkg_data = pkg_flag;
+ tdata->cpu = cpu;
+- tdata->cpu_core_id = TO_CORE_ID(cpu);
++ tdata->cpu_core_id = topology_core_id(cpu);
+ tdata->attr_size = MAX_CORE_ATTRS;
+ mutex_init(&tdata->update_lock);
+ return tdata;
+@@ -454,7 +453,7 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu,
+ struct platform_data *pdata = platform_get_drvdata(pdev);
+ struct cpuinfo_x86 *c = &cpu_data(cpu);
+ u32 eax, edx;
+- int err, attr_no;
++ int err, index, attr_no;
+
+ /*
+ * Find attr number for sysfs:
+@@ -462,14 +461,26 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu,
+ * The attr number is always core id + 2
+ * The Pkgtemp will always show up as temp1_*, if available
+ */
+- attr_no = pkg_flag ? PKG_SYSFS_ATTR_NO : TO_ATTR_NO(cpu);
++ if (pkg_flag) {
++ attr_no = PKG_SYSFS_ATTR_NO;
++ } else {
++ index = ida_alloc(&pdata->ida, GFP_KERNEL);
++ if (index < 0)
++ return index;
++ pdata->cpu_map[index] = topology_core_id(cpu);
++ attr_no = index + BASE_SYSFS_ATTR_NO;
++ }
+
+- if (attr_no > MAX_CORE_DATA - 1)
+- return -ERANGE;
++ if (attr_no > MAX_CORE_DATA - 1) {
++ err = -ERANGE;
++ goto ida_free;
++ }
+
+ tdata = init_temp_data(cpu, pkg_flag);
+- if (!tdata)
+- return -ENOMEM;
++ if (!tdata) {
++ err = -ENOMEM;
++ goto ida_free;
++ }
+
+ /* Test if we can access the status register */
+ err = rdmsr_safe_on_cpu(cpu, tdata->status_reg, &eax, &edx);
+@@ -505,6 +516,9 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu,
+ exit_free:
+ pdata->core_data[attr_no] = NULL;
+ kfree(tdata);
++ida_free:
++ if (!pkg_flag)
++ ida_free(&pdata->ida, index);
+ return err;
+ }
+
+@@ -524,6 +538,9 @@ static void coretemp_remove_core(struct platform_data *pdata, int indx)
+
+ kfree(pdata->core_data[indx]);
+ pdata->core_data[indx] = NULL;
++
++ if (indx >= BASE_SYSFS_ATTR_NO)
++ ida_free(&pdata->ida, indx - BASE_SYSFS_ATTR_NO);
+ }
+
+ static int coretemp_probe(struct platform_device *pdev)
+@@ -537,6 +554,7 @@ static int coretemp_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ pdata->pkg_id = pdev->id;
++ ida_init(&pdata->ida);
+ platform_set_drvdata(pdev, pdata);
+
+ pdata->hwmon_dev = devm_hwmon_device_register_with_groups(dev, DRVNAME,
+@@ -553,6 +571,7 @@ static int coretemp_remove(struct platform_device *pdev)
+ if (pdata->core_data[i])
+ coretemp_remove_core(pdata, i);
+
++ ida_destroy(&pdata->ida);
+ return 0;
+ }
+
+@@ -647,7 +666,7 @@ static int coretemp_cpu_offline(unsigned int cpu)
+ struct platform_device *pdev = coretemp_get_pdev(cpu);
+ struct platform_data *pd;
+ struct temp_data *tdata;
+- int indx, target;
++ int i, indx = -1, target;
+
+ /*
+ * Don't execute this on suspend as the device remove locks
+@@ -660,12 +679,19 @@ static int coretemp_cpu_offline(unsigned int cpu)
+ if (!pdev)
+ return 0;
+
+- /* The core id is too big, just return */
+- indx = TO_ATTR_NO(cpu);
+- if (indx > MAX_CORE_DATA - 1)
++ pd = platform_get_drvdata(pdev);
++
++ for (i = 0; i < NUM_REAL_CORES; i++) {
++ if (pd->cpu_map[i] == topology_core_id(cpu)) {
++ indx = i + BASE_SYSFS_ATTR_NO;
++ break;
++ }
++ }
++
++ /* Too many cores and this core is not populated, just return */
++ if (indx < 0)
+ return 0;
+
+- pd = platform_get_drvdata(pdev);
+ tdata = pd->core_data[indx];
+
+ cpumask_clear_cpu(cpu, &pd->cpumask);
+--
+2.35.3
+
diff --git a/patches.suse/iio-adc-mcp3911-use-correct-id-bits.patch b/patches.suse/iio-adc-mcp3911-use-correct-id-bits.patch
new file mode 100644
index 0000000..109027d
--- /dev/null
+++ b/patches.suse/iio-adc-mcp3911-use-correct-id-bits.patch
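Review bot: In `create_core_data()` the new store `pdata->cpu_map[index] = topology_core_id(cpu);` runs before the `attr_no > MAX_CORE_DATA - 1` check, and `ida_alloc()` puts no upper bound on `index`, so once all `NUM_REAL_CORES` slots are in use the write lands one element past `cpu_map[]` before `-ERANGE` is returned. Bounding the allocation closes that: `index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL);` (the failure code then comes from the IDA instead of `-ERANGE`; the callers are outside the hunk). Separately, `cpu_map[]` entries are not cleared when an index is freed and presumably start out as zero, so the lookup loop in `coretemp_cpu_offline()` can match a stale or never-populated slot, notably for core id 0, and then index `core_data[]` with it; an explicit invalid marker for unused slots would make the match unambiguous.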
@@ -0,0 +1,38 @@
+From 815f1647a603a822d66630bbe22cab4bc097c8c3 Mon Sep 17 00:00:00 2001
+From: Marcus Folkesson
+Date: Mon, 10 Oct 2022 21:46:41 +0200
+Subject: [PATCH] iio: adc: mcp3911: use correct id bits
+Git-commit: 815f1647a603a822d66630bbe22cab4bc097c8c3
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+The device ID should be shifted 6 bits to left according to datasheet.
+
+Fixes: 3a89b289df5d ("iio: adc: add support for mcp3911")
+Signed-off-by: Marcus Folkesson
+Link: https://lore.kernel.org/r/20221010194641.676484-1-marcus.folkesson@gmail.com
+Signed-off-by: Jonathan Cameron
+Acked-by: Takashi Iwai
+
+---
+ drivers/iio/adc/mcp3911.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/mcp3911.c b/drivers/iio/adc/mcp3911.c
+index 7f0b37994fe5..f57f5eb23d49 100644
+--- a/drivers/iio/adc/mcp3911.c
++++ b/drivers/iio/adc/mcp3911.c
+@@ -55,8 +55,8 @@
+ /* Internal voltage reference in mV */
+ #define MCP3911_INT_VREF_MV 1200
+
+-#define MCP3911_REG_READ(reg, id) ((((reg) << 1) | ((id) << 5) | (1 << 0)) & 0xff)
+-#define MCP3911_REG_WRITE(reg, id) ((((reg) << 1) | ((id) << 5) | (0 << 0)) & 0xff)
++#define MCP3911_REG_READ(reg, id) ((((reg) << 1) | ((id) << 6) | (1 << 0)) & 0xff)
++#define MCP3911_REG_WRITE(reg, id) ((((reg) << 1) | ((id) << 6) | (0 << 0)) & 0xff)
+
+ #define MCP3911_NUM_CHANNELS 2
+
+--
+2.35.3
+
diff --git a/patches.suse/iio-light-tsl2583-Fix-module-unloading.patch b/patches.suse/iio-light-tsl2583-Fix-module-unloading.patch
new file mode 100644
index 0000000..55febfe
--- /dev/null
+++ b/patches.suse/iio-light-tsl2583-Fix-module-unloading.patch
@@ -0,0 +1,40 @@
+From 0dec4d2f2636b9e54d9d29f17afc7687c5407f78 Mon Sep 17 00:00:00 2001
+From: Shreeya Patel
+Date: Fri, 26 Aug 2022 17:53:52 +0530
+Subject: [PATCH] iio: light: tsl2583: Fix module unloading
+Git-commit: 0dec4d2f2636b9e54d9d29f17afc7687c5407f78
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+tsl2583 probe() uses devm_iio_device_register() and calling
+iio_device_unregister() causes the unregister to occur twice. s
+Switch to iio_device_register() instead of devm_iio_device_register()
+in probe to avoid the device managed cleanup.
+
+Fixes: 371894f5d1a0 ("iio: tsl2583: add runtime power management support")
+Signed-off-by: Shreeya Patel
+Link: https://lore.kernel.org/r/20220826122352.288438-1-shreeya.patel@collabora.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Acked-by: Takashi Iwai
+
+---
+ drivers/iio/light/tsl2583.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/light/tsl2583.c b/drivers/iio/light/tsl2583.c
+index 0a2ca1a8146d..7bcb5c718922 100644
+--- a/drivers/iio/light/tsl2583.c
++++ b/drivers/iio/light/tsl2583.c
+@@ -858,7 +858,7 @@ static int tsl2583_probe(struct i2c_client *clientp,
+ TSL2583_POWER_OFF_DELAY_MS);
+ pm_runtime_use_autosuspend(&clientp->dev);
+
+- ret = devm_iio_device_register(indio_dev->dev.parent, indio_dev);
++ ret = iio_device_register(indio_dev);
+ if (ret) {
+ dev_err(&clientp->dev, "%s: iio registration failed\n",
+ __func__);
+--
+2.35.3
+
diff --git a/patches.suse/iio-pressure-dps310-Refactor-startup-procedure.patch b/patches.suse/iio-pressure-dps310-Refactor-startup-procedure.patch
new file mode 100644
index 0000000..0bd43b6
--- /dev/null
+++ b/patches.suse/iio-pressure-dps310-Refactor-startup-procedure.patch
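Review bot: Nothing at the call site in `tsl2583_probe()` records why `iio_device_register()` is used instead of the devm variant, so a later cleanup could convert it back and reintroduce the double unregister the description mentions. A one-line comment above the call would prevent that, for example `/* Not devm-managed: the remove path calls iio_device_unregister() explicitly. */`. The remove function is not part of the hunk, so the wording should be checked against it, and `tsl2583_probe()` itself starts and ends outside the lines shown.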
@@ -0,0 +1,244 @@
+From c2329717bdd3fa62f8a2f3d8d85ad0bee4556bd7 Mon Sep 17 00:00:00 2001
+From: Eddie James
+Date: Thu, 15 Sep 2022 14:57:18 -0500
+Subject: [PATCH] iio: pressure: dps310: Refactor startup procedure
+Git-commit: c2329717bdd3fa62f8a2f3d8d85ad0bee4556bd7
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+Move the startup procedure into a function, and correct a missing
+check on the return code for writing the PRS_CFG register.
+
+Cc:
+Signed-off-by: Eddie James
+Reviewed-by: Joel Stanley
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20220915195719.136812-2-eajames@linux.ibm.com
+Signed-off-by: Jonathan Cameron
+Acked-by: Takashi Iwai
+
+---
+ drivers/iio/pressure/dps310.c | 188 ++++++++++++++++++----------------
+ 1 file changed, 99 insertions(+), 89 deletions(-)
+
+diff --git a/drivers/iio/pressure/dps310.c b/drivers/iio/pressure/dps310.c
+index 36fb7ae0d0a9..c706a8b423b5 100644
+--- a/drivers/iio/pressure/dps310.c
++++ b/drivers/iio/pressure/dps310.c
+@@ -159,6 +159,102 @@ static int dps310_get_coefs(struct dps310_data *data)
+ return 0;
+ }
+
++/*
++ * Some versions of the chip will read temperatures in the ~60C range when
++ * it's actually ~20C. This is the manufacturer recommended workaround
++ * to correct the issue. The registers used below are undocumented.
++ */
++static int dps310_temp_workaround(struct dps310_data *data)
++{
++ int rc;
++ int reg;
++
++ rc = regmap_read(data->regmap, 0x32, ®);
++ if (rc)
++ return rc;
++
++ /*
++ * If bit 1 is set then the device is okay, and the workaround does not
++ * need to be applied
++ */
++ if (reg & BIT(1))
++ return 0;
++
++ rc = regmap_write(data->regmap, 0x0e, 0xA5);
++ if (rc)
++ return rc;
++
++ rc = regmap_write(data->regmap, 0x0f, 0x96);
++ if (rc)
++ return rc;
++
++ rc = regmap_write(data->regmap, 0x62, 0x02);
++ if (rc)
++ return rc;
++
++ rc = regmap_write(data->regmap, 0x0e, 0x00);
++ if (rc)
++ return rc;
++
++ return regmap_write(data->regmap, 0x0f, 0x00);
++}
++
++static int dps310_startup(struct dps310_data *data)
++{
++ int rc;
++ int ready;
++
++ /*
++ * Set up pressure sensor in single sample, one measurement per second
++ * mode
++ */
++ rc = regmap_write(data->regmap, DPS310_PRS_CFG, 0);
++ if (rc)
++ return rc;
++
++ /*
++ * Set up external (MEMS) temperature sensor in single sample, one
++ * measurement per second mode
++ */
++ rc = regmap_write(data->regmap, DPS310_TMP_CFG, DPS310_TMP_EXT);
++ if (rc)
++ return rc;
++
++ /* Temp and pressure shifts are disabled when PRC <= 8 */
++ rc = regmap_write_bits(data->regmap, DPS310_CFG_REG,
++ DPS310_PRS_SHIFT_EN | DPS310_TMP_SHIFT_EN, 0);
++ if (rc)
++ return rc;
++
++ /* MEAS_CFG doesn't update correctly unless first written with 0 */
++ rc = regmap_write_bits(data->regmap, DPS310_MEAS_CFG,
++ DPS310_MEAS_CTRL_BITS, 0);
++ if (rc)
++ return rc;
++
++ /* Turn on temperature and pressure measurement in the background */
++ rc = regmap_write_bits(data->regmap, DPS310_MEAS_CFG,
++ DPS310_MEAS_CTRL_BITS, DPS310_PRS_EN |
++ DPS310_TEMP_EN | DPS310_BACKGROUND);
++ if (rc)
++ return rc;
++
++ /*
++ * Calibration coefficients required for reporting temperature.
++ * They are available 40ms after the device has started
++ */
++ rc = regmap_read_poll_timeout(data->regmap, DPS310_MEAS_CFG, ready,
++ ready & DPS310_COEF_RDY, 10000, 40000);
++ if (rc)
++ return rc;
++
++ rc = dps310_get_coefs(data);
++ if (rc)
++ return rc;
++
++ return dps310_temp_workaround(data);
++}
++
+ static int dps310_get_pres_precision(struct dps310_data *data)
+ {
+ int rc;
+@@ -677,52 +773,12 @@ static const struct iio_info dps310_info = {
+ .write_raw = dps310_write_raw,
+ };
+
+-/*
+- * Some verions of chip will read temperatures in the ~60C range when
+- * its actually ~20C. This is the manufacturer recommended workaround
+- * to correct the issue. The registers used below are undocumented.
+- */
+-static int dps310_temp_workaround(struct dps310_data *data)
+-{
+- int rc;
+- int reg;
+-
+- rc = regmap_read(data->regmap, 0x32, ®);
+- if (rc < 0)
+- return rc;
+-
+- /*
+- * If bit 1 is set then the device is okay, and the workaround does not
+- * need to be applied
+- */
+- if (reg & BIT(1))
+- return 0;
+-
+- rc = regmap_write(data->regmap, 0x0e, 0xA5);
+- if (rc < 0)
+- return rc;
+-
+- rc = regmap_write(data->regmap, 0x0f, 0x96);
+- if (rc < 0)
+- return rc;
+-
+- rc = regmap_write(data->regmap, 0x62, 0x02);
+- if (rc < 0)
+- return rc;
+-
+- rc = regmap_write(data->regmap, 0x0e, 0x00);
+- if (rc < 0)
+- return rc;
+-
+- return regmap_write(data->regmap, 0x0f, 0x00);
+-}
+-
+ static int dps310_probe(struct i2c_client *client,
+ const struct i2c_device_id *id)
+ {
+ struct dps310_data *data;
+ struct iio_dev *iio;
+- int rc, ready;
++ int rc;
+
+ iio = devm_iio_device_alloc(&client->dev, sizeof(*data));
+ if (!iio)
+@@ -747,54 +803,8 @@ static int dps310_probe(struct i2c_client *client,
+ if (rc)
+ return rc;
+
+- /*
+- * Set up pressure sensor in single sample, one measurement per second
+- * mode
+- */
+- rc = regmap_write(data->regmap, DPS310_PRS_CFG, 0);
+-
+- /*
+- * Set up external (MEMS) temperature sensor in single sample, one
+- * measurement per second mode
+- */
+- rc = regmap_write(data->regmap, DPS310_TMP_CFG, DPS310_TMP_EXT);
+- if (rc < 0)
+- return rc;
+-
+- /* Temp and pressure shifts are disabled when PRC <= 8 */
+- rc = regmap_write_bits(data->regmap, DPS310_CFG_REG,
+- DPS310_PRS_SHIFT_EN | DPS310_TMP_SHIFT_EN, 0);
+- if (rc < 0)
+- return rc;
+-
+- /* MEAS_CFG doesn't update correctly unless first written with 0 */
+- rc = regmap_write_bits(data->regmap, DPS310_MEAS_CFG,
+- DPS310_MEAS_CTRL_BITS, 0);
+- if (rc < 0)
+- return rc;
+-
+- /* Turn on temperature and pressure measurement in the background */
+- rc = regmap_write_bits(data->regmap, DPS310_MEAS_CFG,
+- DPS310_MEAS_CTRL_BITS, DPS310_PRS_EN |
+- DPS310_TEMP_EN | DPS310_BACKGROUND);
+- if (rc < 0)
+- return rc;
+-
+- /*
+- * Calibration coefficients required for reporting temperature.
+- * They are available 40ms after the device has started
+- */
+- rc = regmap_read_poll_timeout(data->regmap, DPS310_MEAS_CFG, ready,
+- ready & DPS310_COEF_RDY, 10000, 40000);
+- if (rc < 0)
+- return rc;
+-
+- rc = dps310_get_coefs(data);
+- if (rc < 0)
+- return rc;
+-
+- rc = dps310_temp_workaround(data);
+- if (rc < 0)
++ rc = dps310_startup(data);
++ if (rc)
+ return rc;
+
+ rc = devm_iio_device_register(&client->dev, iio);
+--
+2.35.3
+
diff --git a/patches.suse/iio-pressure-dps310-Reset-chip-after-timeout.patch b/patches.suse/iio-pressure-dps310-Reset-chip-after-timeout.patch
new file mode 100644
index 0000000..347f7f1
--- /dev/null
+++ b/patches.suse/iio-pressure-dps310-Reset-chip-after-timeout.patch
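Review bot: `dps310_startup()` is added without a function comment, although `dps310_temp_workaround()` directly above it has one and this function now fixes the order of the register writes. A short block comment would help, stating that it programs PRS_CFG and TMP_CFG, clears and then sets the MEAS_CFG control bits, polls for `DPS310_COEF_RDY`, reads the coefficients and applies the temperature workaround, returning 0 or a negative errno. As a style point, `int reg;` and `int ready;` are handed to the regmap read helpers, whose value argument is `unsigned int *`; declaring both as `unsigned int` keeps the types consistent.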
@@ -0,0 +1,153 @@ +From 7b4ab4abcea4c0c10b25187bf2569e5a07e9a20c Mon Sep 17 00:00:00 2001 +From: Eddie James +Date: Thu, 15 Sep 2022 14:57:19 -0500 +Subject: [PATCH] iio: pressure: dps310: Reset chip after timeout +Git-commit: 7b4ab4abcea4c0c10b25187bf2569e5a07e9a20c +Patch-mainline: v6.1-rc1 +References: git-fixes + +The DPS310 chip has been observed to get "stuck" such that pressure +and temperature measurements are never indicated as "ready" in the +MEAS_CFG register. The only solution is to reset the device and try +again. In order to avoid continual failures, use a boolean flag to +only try the reset after timeout once if errors persist. + +Fixes: ba6ec48e76bc ("iio: Add driver for Infineon DPS310") +Cc: +Signed-off-by: Eddie James +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220915195719.136812-3-eajames@linux.ibm.com +Signed-off-by: Jonathan Cameron +Acked-by: Takashi Iwai + +--- + drivers/iio/pressure/dps310.c | 74 ++++++++++++++++++++++++++++++----- + 1 file changed, 64 insertions(+), 10 deletions(-) + +diff --git a/drivers/iio/pressure/dps310.c b/drivers/iio/pressure/dps310.c +index c706a8b423b5..984a3f511a1a 100644 +--- a/drivers/iio/pressure/dps310.c ++++ b/drivers/iio/pressure/dps310.c +@@ -89,6 +89,7 @@ struct dps310_data { + s32 c00, c10, c20, c30, c01, c11, c21; + s32 pressure_raw; + s32 temp_raw; ++ bool timeout_recovery_failed; + }; + + static const struct iio_chan_spec dps310_channels[] = { +@@ -393,11 +394,69 @@ static int dps310_get_temp_k(struct dps310_data *data) + return scale_factors[ilog2(rc)]; + } + ++static int dps310_reset_wait(struct dps310_data *data) ++{ ++ int rc; ++ ++ rc = regmap_write(data->regmap, DPS310_RESET, DPS310_RESET_MAGIC); ++ if (rc) ++ return rc; ++ ++ /* Wait for device chip access: 2.5ms in specification */ ++ usleep_range(2500, 12000); ++ return 0; ++} ++ ++static int dps310_reset_reinit(struct dps310_data *data) ++{ ++ int rc; ++ ++ rc = dps310_reset_wait(data); ++ if (rc) ++ return rc; ++ ++ 
return dps310_startup(data); ++} ++ ++static int dps310_ready_status(struct dps310_data *data, int ready_bit, int timeout) ++{ ++ int sleep = DPS310_POLL_SLEEP_US(timeout); ++ int ready; ++ ++ return regmap_read_poll_timeout(data->regmap, DPS310_MEAS_CFG, ready, ready & ready_bit, ++ sleep, timeout); ++} ++ ++static int dps310_ready(struct dps310_data *data, int ready_bit, int timeout) ++{ ++ int rc; ++ ++ rc = dps310_ready_status(data, ready_bit, timeout); ++ if (rc) { ++ if (rc == -ETIMEDOUT && !data->timeout_recovery_failed) { ++ /* Reset and reinitialize the chip. */ ++ if (dps310_reset_reinit(data)) { ++ data->timeout_recovery_failed = true; ++ } else { ++ /* Try again to get sensor ready status. */ ++ if (dps310_ready_status(data, ready_bit, timeout)) ++ data->timeout_recovery_failed = true; ++ else ++ return 0; ++ } ++ } ++ ++ return rc; ++ } ++ ++ data->timeout_recovery_failed = false; ++ return 0; ++} ++ + static int dps310_read_pres_raw(struct dps310_data *data) + { + int rc; + int rate; +- int ready; + int timeout; + s32 raw; + u8 val[3]; +@@ -409,9 +468,7 @@ static int dps310_read_pres_raw(struct dps310_data *data) + timeout = DPS310_POLL_TIMEOUT_US(rate); + + /* Poll for sensor readiness; base the timeout upon the sample rate. */ +- rc = regmap_read_poll_timeout(data->regmap, DPS310_MEAS_CFG, ready, +- ready & DPS310_PRS_RDY, +- DPS310_POLL_SLEEP_US(timeout), timeout); ++ rc = dps310_ready(data, DPS310_PRS_RDY, timeout); + if (rc) + goto done; + +@@ -448,7 +505,6 @@ static int dps310_read_temp_raw(struct dps310_data *data) + { + int rc; + int rate; +- int ready; + int timeout; + + if (mutex_lock_interruptible(&data->lock)) +@@ -458,10 +514,8 @@ static int dps310_read_temp_raw(struct dps310_data *data) + timeout = DPS310_POLL_TIMEOUT_US(rate); + + /* Poll for sensor readiness; base the timeout upon the sample rate. 
*/ +- rc = regmap_read_poll_timeout(data->regmap, DPS310_MEAS_CFG, ready, +- ready & DPS310_TMP_RDY, +- DPS310_POLL_SLEEP_US(timeout), timeout); +- if (rc < 0) ++ rc = dps310_ready(data, DPS310_TMP_RDY, timeout); ++ if (rc) + goto done; + + rc = dps310_read_temp_ready(data); +@@ -756,7 +810,7 @@ static void dps310_reset(void *action_data) + { + struct dps310_data *data = action_data; + +- regmap_write(data->regmap, DPS310_RESET, DPS310_RESET_MAGIC); ++ dps310_reset_wait(data); + } + + static const struct regmap_config dps310_regmap_config = { +-- +2.35.3 + diff --git a/patches.suse/intel_idle-Customize-IceLake-server-support.patch b/patches.suse/intel_idle-Customize-IceLake-server-support.patch deleted file mode 100644 index 556e014..0000000 --- a/patches.suse/intel_idle-Customize-IceLake-server-support.patch +++ /dev/null 
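Review bot: dps310_ready() reads and writes `data->timeout_recovery_failed` and can reset and reinitialize the chip, but neither the function nor the new struct field says which lock protects that state. dps310_read_temp_raw() takes `data->lock` before calling it (visible as context); dps310_read_pres_raw() presumably does the same, but its start is outside the hunk. A comment above dps310_ready() such as `/* Caller must hold data->lock; on -ETIMEDOUT the chip is reset and dps310_startup() is rerun once. */` would record the requirement. The retry also reuses the `timeout` computed before the reset, so if dps310_startup() restores default sampling settings (its body is not in this hunk), that deserves a line in the same comment.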
@@ -1,99 +0,0 @@ -From a472ad2bcea479ba068880125d7273fc95c14b70 Mon Sep 17 00:00:00 2001 -From: Chen Yu -Date: Fri, 10 Jul 2020 12:12:01 +0800 -Subject: [PATCH] intel_idle: Customize IceLake server support -Git-commit: a472ad2bcea479ba068880125d7273fc95c14b70 -Patch-mainline: v5.9-rc1 -References: jsc#SLE-12679 - -On ICX platform, the C1E auto-promotion is enabled by default. -As a result, the CPU might fall into C1E more offen than previous -platforms. Besides, the C1E is not exposed to sysfs on ICX, which -is inconsistent with previous server platforms. - -So disable C1E auto-promotion and expose C1E as a separate idle -state, so the C1E and C6 can be disabled via sysfs when necessary. - -Beside C1 and C1E, the exit latency of C6 was measured -by a dedicated tool. However the exit latency(41us) exposed -by _CST is much smaller than the one we measured(128us). This -is probably due to the _CST uses the exit latency when woken -up from PC0+C6, rather than PC6+C6 when C6 was measured. Choose -the latter as we need the longest latency in theory. - -Reported-by: kernel test robot -Tested-by: Artem Bityutskiy -Acked-by: Artem Bityutskiy -Reviewed-by: Zhang Rui -Signed-off-by: Chen Yu -Signed-off-by: Rafael J. 
Wysocki -Acked-by: Takashi Iwai - ---- - drivers/idle/intel_idle.c | 36 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - -diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c -index 3f86f36dab2b..fd0fa9e7900b 100644 ---- a/drivers/idle/intel_idle.c -+++ b/drivers/idle/intel_idle.c -@@ -752,6 +752,35 @@ static struct cpuidle_state skx_cstates[] __initdata = { - .enter = NULL } - }; - -+static struct cpuidle_state icx_cstates[] __initdata = { -+ { -+ .name = "C1", -+ .desc = "MWAIT 0x00", -+ .flags = MWAIT2flg(0x00), -+ .exit_latency = 1, -+ .target_residency = 1, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .name = "C1E", -+ .desc = "MWAIT 0x01", -+ .flags = MWAIT2flg(0x01) | CPUIDLE_FLAG_ALWAYS_ENABLE, -+ .exit_latency = 4, -+ .target_residency = 4, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .name = "C6", -+ .desc = "MWAIT 0x20", -+ .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED, -+ .exit_latency = 128, -+ .target_residency = 384, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .enter = NULL } -+}; -+ - static struct cpuidle_state atom_cstates[] __initdata = { - { - .name = "C1E", -@@ -1056,6 +1085,12 @@ static const struct idle_cpu idle_cpu_skx __initconst = { - .use_acpi = true, - }; - -+static const struct idle_cpu idle_cpu_icx __initconst = { -+ .state_table = icx_cstates, -+ .disable_promotion_to_c1e = true, -+ .use_acpi = true, -+}; -+ - static const struct idle_cpu idle_cpu_avn __initconst = { - .state_table = avn_cstates, - .disable_promotion_to_c1e = true, -@@ -1110,6 +1145,7 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { - X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE_L, &idle_cpu_skl), - X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE, &idle_cpu_skl), - X86_MATCH_INTEL_FAM6_MODEL(SKYLAKE_X, &idle_cpu_skx), -+ X86_MATCH_INTEL_FAM6_MODEL(ICELAKE_X, &idle_cpu_icx), - X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNL, &idle_cpu_knl), - 
X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNM, &idle_cpu_knl), - X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, &idle_cpu_bxt), --- -2.16.4 - diff --git a/patches.suse/io_uring-disable-polling-signalfd-pollfree-files.patch b/patches.suse/io_uring-disable-polling-signalfd-pollfree-files.patch new file mode 100644 index 0000000..1c49e50 --- /dev/null +++ b/patches.suse/io_uring-disable-polling-signalfd-pollfree-files.patch 
@@ -0,0 +1,59 @@ +From e71be55b86a61afd39e90363919cec7ca9912197 Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Tue, 27 Sep 2022 11:01:53 +0200 +Subject: [PATCH] io_uring: disable polling signalfd pollfree files +Patch-mainline: Never, patch based on stable-5.4 (commit fc78b2fc21f10) +References: CVE-2022-3176 bsc#1203391 + +Older kernels lack io_uring POLLFREE handling, which is added via +791f3465c4afd ("io_uring: fix UAF due to missing POLLFREE handling"). +As only affected files are signalfd and android binder the safest option +would be to disable polling those files via io_uring and hope there are +no users. + +Fixes: 221c5eb233823 ("io_uring: add support for IORING_OP_POLL") +Signed-off-by: Pavel Begunkov +Signed-off-by: Greg Kroah-Hartman +[ddiss: preserve kABI by checking for signalfd_poll in file_operations. + Binder is disabled for SLE so can be ignored] +Signed-off-by: David Disseldorp +Acked-by: Jan Kara +--- + fs/io_uring.c | 7 +++++++ + fs/signalfd.c | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 31057f44257cc..31a3a00ef48e2 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1753,6 +1753,13 @@ static int io_poll_add(struct io_kiocb *req, const struct io_uring_sqe *sqe) + bool cancel = false; + __poll_t mask; + u16 events; ++#ifdef CONFIG_SIGNALFD ++ extern __poll_t signalfd_poll(struct file *file, poll_table *wait); ++ ++ /* unhandled pollfree: Binder (SLE-disabled) and signalfd only */ ++ if (req->file->f_op->poll == &signalfd_poll) ++ return -EOPNOTSUPP; ++#endif + + if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL)) + return -EINVAL; +diff --git a/fs/signalfd.c b/fs/signalfd.c +index 2d815ab9ecc2d..9ddd1c593b146 100644 +--- a/fs/signalfd.c ++++ b/fs/signalfd.c +@@ -48,7 +48,7 @@ static int signalfd_release(struct inode *inode, struct file *file) + return 0; + } + +-static __poll_t signalfd_poll(struct file *file, poll_table *wait) ++__poll_t signalfd_poll(struct file 
*file, poll_table *wait) + { + struct signalfd_ctx *ctx = file->private_data; + __poll_t events = 0; +-- +2.35.3 + diff --git a/patches.suse/kbuild-Add-skip_encoding_btf_enum64-option-to-pahole.patch b/patches.suse/kbuild-Add-skip_encoding_btf_enum64-option-to-pahole.patch new file mode 100644 index 0000000..742d6aa --- /dev/null +++ b/patches.suse/kbuild-Add-skip_encoding_btf_enum64-option-to-pahole.patch 
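Review bot: The added `req->file->f_op->poll == &signalfd_poll` test in io_poll_add() dereferences `req->file` before every other check in the function; it sits directly after the declarations and ahead of the IORING_SETUP_IOPOLL test. The function body continues outside the hunk, so if the file pointer is validated further down (not visible here), the new test should move below that validation. Separately, the prototype is a block-scope `extern` in fs/io_uring.c while fs/signalfd.c only drops `static`, so the compiler never compares the two signatures. Putting `__poll_t signalfd_poll(struct file *file, poll_table *wait);` in a header that both files include would keep them in sync, provided that is acceptable for kABI.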
@@ -0,0 +1,52 @@ +From 4ef602bb5d386d55c3094b48a313c971b6fbfe8c Mon Sep 17 00:00:00 2001 +From: Martin Rodriguez Reboredo +Date: Tue, 6 Sep 2022 15:31:23 +0200 +Subject: [PATCH] kbuild: Add skip_encoding_btf_enum64 option to pahole + +References: git-fixes +Patch-mainline: never, mainline supports BTF_KIND_ENUM64 since 6.0 + +New pahole (version 1.24) generates by default new BTF_KIND_ENUM64 BTF tag, +which is not supported by stable kernel. + +As a result the kernel with CONFIG_DEBUG_INFO_BTF option will fail to +compile with following error: + + BTFIDS vmlinux +FAILED: load BTF from vmlinux: Invalid argument + +New pahole provides --skip_encoding_btf_enum64 option to skip BTF_KIND_ENUM64 +generation and produce BTF supported by stable kernel. + +Adding this option to scripts/pahole-flags.sh. + +This change does not have equivalent commit in linus tree, because linus tree +has support for BTF_KIND_ENUM64 tag, so it does not need to be disabled. + +Backport-by: NeilBrown +Link: https://lore.kernel.org/all/20220906132826.180891759@linuxfoundation.org/ +Signed-off-by: Martin Rodriguez Reboredo +Signed-off-by: Jiri Olsa +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Michal Suchanek +--- + scripts/link-vmlinux.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh +index 4799108cad51..03ecdb8f447c 100755 +--- a/scripts/link-vmlinux.sh ++++ b/scripts/link-vmlinux.sh +@@ -122,6 +122,9 @@ gen_btf() + # pahole 1.18 through 1.21 can't handle zero-sized per-CPU vars + extra_paholeopt="${extra_paholeopt} --skip_encoding_btf_vars" + fi ++ if [ "${pahole_ver}" -ge "124" ]; then ++ extra_paholeopt="${extra_paholeopt} --skip_encoding_btf_enum64" ++ fi + + info "BTF" ${2} + LLVM_OBJCOPY=${OBJCOPY} ${PAHOLE} -J ${extra_paholeopt} ${1} +-- +2.35.3 + 
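Review bot: The description says the option is added to scripts/pahole-flags.sh, but the diffstat and the hunk change scripts/link-vmlinux.sh, inside gen_btf(), whose body continues outside the hunk. The description should name the file this backport actually touches, so that someone searching for the flag later finds it. The new `-ge "124"` test also has no comment, unlike the 1.18-1.21 test just above it; `# pahole 1.24+ emits BTF_KIND_ENUM64, which this kernel cannot load` would match the neighbouring style.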
diff --git a/patches.suse/kbuild-remove-the-target-in-signal-traps-when-interr.patch b/patches.suse/kbuild-remove-the-target-in-signal-traps-when-interr.patch
new file mode 100644
index 0000000..1deb1b8
--- /dev/null
+++ b/patches.suse/kbuild-remove-the-target-in-signal-traps-when-interr.patch
@@ -0,0 +1,172 @@ +From a7f3257da8a86b96fb9bf1bba40ae0bbd7f1885a Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Sun, 7 Aug 2022 09:48:09 +0900 +Subject: [PATCH] kbuild: remove the target in signal traps when interrupted + +References: git-fixes +Patch-mainline: v6.1-rc1 +Git-commit: a7f3257da8a86b96fb9bf1bba40ae0bbd7f1885a + +When receiving some signal, GNU Make automatically deletes the target if +it has already been changed by the interrupted recipe. + +If the target is possibly incomplete due to interruption, it must be +deleted so that it will be remade from scratch on the next run of make. +Otherwise, the target would remain corrupted permanently because its +timestamp had already been updated. + +Thanks to this behavior of Make, you can stop the build any time by +pressing Ctrl-C, and just run 'make' to resume it. + +Kbuild also relies on this feature, but it is equivalently important +for any build systems that make decisions based on timestamps (if you +want to support Ctrl-C reliably). + +However, this does not always work as claimed; Make immediately dies +with Ctrl-C if its stderr goes into a pipe. + + [Test Makefile] + + foo: + echo hello > $@ + sleep 3 + echo world >> $@ + + [Test Result] + + $ make # hit Ctrl-C + echo hello > foo + sleep 3 + ^Cmake: *** Deleting file 'foo' + make: *** [Makefile:3: foo] Interrupt + + $ make 2>&1 | cat # hit Ctrl-C + echo hello > foo + sleep 3 + ^C$ # 'foo' is often left-over + +The reason is because SIGINT is sent to the entire process group. +In this example, SIGINT kills 'cat', and 'make' writes the message to +the closed pipe, then dies with SIGPIPE before cleaning the target. + +A typical bad scenario (as reported by [1], [2]) is to save build log +by using the 'tee' command: + + $ make 2>&1 | tee log + +This can be problematic for any build systems based on Make, so I hope +it will be fixed in GNU Make. The maintainer of GNU Make stated this is +a long-standing issue and difficult to fix [3]. 
It has not been fixed +yet as of writing. + +So, we cannot rely on Make cleaning the target. We can do it by +ourselves, in signal traps. + +As far as I understand, Make takes care of SIGHUP, SIGINT, SIGQUIT, and +SITERM for the target removal. I added the traps for them, and also for +SIGPIPE just in case cmd_* rule prints something to stdout or stderr +(but I did not observe an actual case where SIGPIPE was triggered). + +[Note 1] + +The trap handler might be worth explaining. + + rm -f $@; trap - $(sig); kill -s $(sig) $$ + +This lets the shell kill itself by the signal it caught, so the parent +process can tell the child has exited on the signal. Generally, this is +a proper manner for handling signals, in case the calling program (like +Bash) may monitor WIFSIGNALED() and WTERMSIG() for WCE although this may +not be a big deal here because GNU Make handles SIGHUP, SIGINT, SIGQUIT +in WUE and SIGTERM in IUE. + + IUE - Immediate Unconditional Exit + WUE - Wait and Unconditional Exit + WCE - Wait and Cooperative Exit + +For details, see "Proper handling of SIGINT/SIGQUIT" [4]. + +[Note 2] + +Reverting 392885ee82d3 ("kbuild: let fixdep directly write to .*.cmd +files") would directly address [1], but it only saves if_changed_dep. +As reported in [2], all commands that use redirection can potentially +leave an empty (i.e. broken) target. + +[Note 3] + +Another (even safer) approach might be to always write to a temporary +file, and rename it to $@ at the end of the recipe. + + > $(tmp-target) + mv $(tmp-target) $@ + +It would require a lot of Makefile changes, and result in ugly code, +so I did not take it. + +[Note 4] + +A little more thoughts about a pattern rule with multiple targets (or +a grouped target). + + %.x %.y: %.z + + +When interrupted, GNU Make deletes both %.x and %.y, while this solution +only deletes $@. Probably, this is not a big deal. The next run of make +will execute the rule again to create $@ along with the other files. 
+ +[1]: https://lore.kernel.org/all/YLeot94yAaM4xbMY@gmail.com/ +[2]: https://lore.kernel.org/all/20220510221333.2770571-1-robh@kernel.org/ +[3]: https://lists.gnu.org/archive/html/help-make/2021-06/msg00001.html +[4]: https://www.cons.org/cracauer/sigint.html + +Fixes: 392885ee82d3 ("kbuild: let fixdep directly write to .*.cmd files") +Reported-by: Ingo Molnar +Reported-by: Rob Herring +Signed-off-by: Masahiro Yamada +Tested-by: Ingo Molnar +Reviewed-by: Nicolas Schier +Acked-by: Michal Suchanek +--- + scripts/Kbuild.include | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include +index ece44b735061..2bc08ace38a3 100644 +--- a/scripts/Kbuild.include ++++ b/scripts/Kbuild.include +@@ -100,8 +100,29 @@ echo-cmd = $(if $($(quiet)cmd_$(1)),\ + quiet_redirect := + silent_redirect := exec >/dev/null; + ++# Delete the target on interruption ++# ++# GNU Make automatically deletes the target if it has already been changed by ++# the interrupted recipe. So, you can safely stop the build by Ctrl-C (Make ++# will delete incomplete targets), and resume it later. ++# ++# However, this does not work when the stderr is piped to another program, like ++# $ make >&2 | tee log ++# Make dies with SIGPIPE before cleaning the targets. ++# ++# To address it, we clean the target in signal traps. ++# ++# Make deletes the target when it catches SIGHUP, SIGINT, SIGQUIT, SIGTERM. ++# So, we cover them, and also SIGPIPE just in case. ++# ++# Of course, this is unneeded for phony targets. 
++delete-on-interrupt = \ ++ $(if $(filter-out $(PHONY), $@), \ ++ $(foreach sig, HUP INT QUIT TERM PIPE, \ ++ trap 'rm -f $@; trap - $(sig); kill -s $(sig) $$$$' $(sig);)) ++ + # printing commands +-cmd = @set -e; $(echo-cmd) $($(quiet)redirect) $(cmd_$(1)) ++cmd = @set -e; $(echo-cmd) $($(quiet)redirect) $(delete-on-interrupt) $(cmd_$(1)) + + ### + # if_changed - execute command if any prerequisite is newer than +-- +2.35.3 + diff --git a/patches.suse/kbuild-sink-stdout-from-cmd-for-silent-build.patch b/patches.suse/kbuild-sink-stdout-from-cmd-for-silent-build.patch new file mode 100644 index 0000000..39bc8a6 --- /dev/null +++ b/patches.suse/kbuild-sink-stdout-from-cmd-for-silent-build.patch 
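Review bot: The comment block added above `delete-on-interrupt` gives the failing case as `$ make >&2 | tee log`, but the reproducer in the description is `make 2>&1 | tee log`. With `>&2`, stdout is sent to stderr and nothing from make goes into the pipe, so the comment does not show the situation it describes (stderr going to a pipe). The comment line should read `#   $ make 2>&1 | tee log`.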
@@ -0,0 +1,99 @@ +From 174a1dcc96429efce4ef7eb2f5c4506480da2182 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Mon, 17 May 2021 16:03:13 +0900 +Subject: [PATCH] kbuild: sink stdout from cmd for silent build + +References: git-fixes +Patch-mainline: v5.14-rc1 +Git-commit: 174a1dcc96429efce4ef7eb2f5c4506480da2182 + +When building with 'make -s', no output to stdout should be printed. + +As Arnd Bergmann reported [1], mkimage shows the detailed information +of the generated images. + +I think this should be suppressed by the 'cmd' macro instead of by +individual scripts. + +Insert 'exec >/dev/null;' in order to redirect stdout to /dev/null for +silent builds. + +[Note about this implementation] + +'exec >/dev/null;' may look somewhat tricky, but this has a reason. + +Appending '>/dev/null' at the end of command line is a common way for +redirection, so I first tried this: + + cmd = @set -e; $(echo-cmd) $(cmd_$(1)) >/dev/null + +... but it would not work if $(cmd_$(1)) itself contains a redirection. + +For example, cmd_wrap in scripts/Makefile.asm-generic redirects the +output from the 'echo' command into the target file. + +It would be expanded into: + + echo "#include " > $@ >/dev/null + +Then, the target file gets empty because the string will go to /dev/null +instead of $@. + +Next, I tried this: + + cmd = @set -e; $(echo-cmd) { $(cmd_$(1)); } >/dev/null + +The form above would be expanded into: + + { echo "#include " > $@; } >/dev/null + +This works as expected. However, it would be a syntax error if +$(cmd_$(1)) is empty. + +When CONFIG_TRIM_UNUSED_KSYMS is disabled, $(call cmd,gen_ksymdeps) in +scripts/Makefile.build would be expanded into: + + set -e; { ; } >/dev/null + +..., which causes an syntax error. + +I also tried this: + + cmd = @set -e; $(echo-cmd) ( $(cmd_$(1)) ) >/dev/null + +... but this causes a syntax error for the same reason. 
+ +So, finally I adopted: + + cmd = @set -e; $(echo-cmd) exec >/dev/null; $(cmd_$(1)) + +[1]: https://lore.kernel.org/lkml/20210514135752.2910387-1-arnd@kernel.org/ + +Signed-off-by: Masahiro Yamada +Acked-by: Michal Suchanek +--- + scripts/Kbuild.include | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include +index 82dd1b65b7a8..f247e691562d 100644 +--- a/scripts/Kbuild.include ++++ b/scripts/Kbuild.include +@@ -90,8 +90,13 @@ clean := -f $(srctree)/scripts/Makefile.clean obj + echo-cmd = $(if $($(quiet)cmd_$(1)),\ + echo ' $(call escsq,$($(quiet)cmd_$(1)))$(echo-why)';) + ++# sink stdout for 'make -s' ++ redirect := ++ quiet_redirect := ++silent_redirect := exec >/dev/null; ++ + # printing commands +-cmd = @set -e; $(echo-cmd) $(cmd_$(1)) ++cmd = @set -e; $(echo-cmd) $($(quiet)redirect) $(cmd_$(1)) + + ### + # if_changed - execute command if any prerequisite is newer than +-- +2.35.3 + diff --git a/patches.suse/kbuild-skip-per-CPU-BTF-generation-for-pahole-v1.18-.patch b/patches.suse/kbuild-skip-per-CPU-BTF-generation-for-pahole-v1.18-.patch new file mode 100644 index 0000000..15ecf4e --- /dev/null +++ b/patches.suse/kbuild-skip-per-CPU-BTF-generation-for-pahole-v1.18-.patch 
@@ -0,0 +1,74 @@ +From c8c739fb4b6d58d9a72bae03910d9e9ed55c98b2 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Mon, 28 Jun 2021 19:41:34 -0700 +Subject: [PATCH] kbuild: skip per-CPU BTF generation for pahole v1.18-v1.21 + +References: jsc#SLE-24559 +Patch-mainline: v5.14-rc1 +Git-commit: a0b8200d06ad6450c179407baa5f0f52f8cfcc97 + +Commit "mm/page_alloc: convert per-cpu list protection to local_lock" will +introduce a zero-sized per-CPU variable, which causes pahole to generate +invalid BTF. Only pahole versions 1.18 through 1.21 are impacted, as +before 1.18 pahole doesn't know anything about per-CPU variables, and 1.22 +contains the proper fix for the issue. + +Luckily, pahole 1.18 got --skip_encoding_btf_vars option disabling BTF +generation for per-CPU variables in anticipation of some unanticipated +problems. So use this escape hatch to disable per-CPU var BTF info on +those problematic pahole versions. Users relying on availability of +per-CPU var BTFs would need to upgrade to pahole 1.22+, but everyone won't +notice any regressions. + +Link: https://lkml.kernel.org/r/20210530002536.3193829-1-andrii@kernel.org +Signed-off-by: Andrii Nakryiko +Acked-by: Mel Gorman +Cc: Arnaldo Carvalho de Melo +Cc: Hao Luo +Cc: Michal Suchanek +Cc: Jiri Olsa +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds + +Add boilerplate from commit db16c1fe92d7 ("bpf: Generate BTF_KIND_FLOAT when linking vmlinux") +which is itself not applicable to Linux 5.3 because it does not support +BTF_KIND_FLOAT. + +Signed-off-by: Michal Suchanek +--- + scripts/link-vmlinux.sh | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh +index 40c2476e38e1..4799108cad51 100755 +--- a/scripts/link-vmlinux.sh ++++ b/scripts/link-vmlinux.sh +@@ -103,6 +103,7 @@ vmlinux_link() + gen_btf() + { + local pahole_ver ++ local extra_paholeopt= + + if ! 
[ -x "$(command -v ${PAHOLE})" ]; then + echo >&2 "BTF: ${1}: pahole (${PAHOLE}) is not available" +@@ -115,9 +116,15 @@ gen_btf() + return 1 + fi + +- info "BTF" ${2} + vmlinux_link ${1} +- LLVM_OBJCOPY=${OBJCOPY} ${PAHOLE} -J ${1} ++ ++ if [ "${pahole_ver}" -ge "118" ] && [ "${pahole_ver}" -le "121" ]; then ++ # pahole 1.18 through 1.21 can't handle zero-sized per-CPU vars ++ extra_paholeopt="${extra_paholeopt} --skip_encoding_btf_vars" ++ fi ++ ++ info "BTF" ${2} ++ LLVM_OBJCOPY=${OBJCOPY} ${PAHOLE} -J ${extra_paholeopt} ${1} + + # Create ${2} which contains just .BTF section but no symbols. Add + # SHF_ALLOC because .BTF will be part of the vmlinux image. --strip-all +-- +2.35.3 + diff --git a/patches.suse/kthread-Extract-KTHREAD_IS_PER_CPU.patch b/patches.suse/kthread-Extract-KTHREAD_IS_PER_CPU.patch new file mode 100644 index 0000000..0a9704d --- /dev/null +++ b/patches.suse/kthread-Extract-KTHREAD_IS_PER_CPU.patch 
@@ -0,0 +1,108 @@ +From: Peter Zijlstra +Date: Tue, 12 Jan 2021 11:24:04 +0100 +Subject: kthread: Extract KTHREAD_IS_PER_CPU +Git-commit: ac687e6e8c26181a33270efd1a2e2241377924b0 +Patch-mainline: v5.11-rc5 +References: bsc#1204753 + +There is a need to distinguish geniune per-cpu kthreads from kthreads +that happen to have a single CPU affinity. + +Geniune per-cpu kthreads are kthreads that are CPU affine for +correctness, these will obviously have PF_KTHREAD set, but must also +have PF_NO_SETAFFINITY set, lest userspace modify their affinity and +ruins things. + +However, these two things are not sufficient, PF_NO_SETAFFINITY is +also set on other tasks that have their affinities controlled through +other means, like for instance workqueues. + +Therefore another bit is needed; it turns out kthread_create_per_cpu() +already has such a bit: KTHREAD_IS_PER_CPU, which is used to make +kthread_park()/kthread_unpark() work correctly. + +Expose this flag and remove the implicit setting of it from +kthread_create_on_cpu(); the io_uring usage of it seems dubious at +best. + +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Valentin Schneider +Tested-by: Valentin Schneider +Link: https://lkml.kernel.org/r/20210121103506.557620262@infradead.org + +Acked-by: Michal Koutný +--- + include/linux/kthread.h | 3 +++ + kernel/kthread.c | 27 ++++++++++++++++++++++++++- + kernel/smpboot.c | 1 + + 3 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/include/linux/kthread.h b/include/linux/kthread.h +index 65b81e0c494d..2484ed97e72f 100644 +--- a/include/linux/kthread.h ++++ b/include/linux/kthread.h +@@ -33,6 +33,9 @@ struct task_struct *kthread_create_on_cpu(int (*threadfn)(void *data), + unsigned int cpu, + const char *namefmt); + ++void kthread_set_per_cpu(struct task_struct *k, int cpu); ++bool kthread_is_per_cpu(struct task_struct *k); ++ + /** + * kthread_run - create and wake a thread. + * @threadfn: the function to run until signal_pending(current). 
+diff --git a/kernel/kthread.c b/kernel/kthread.c +index a5eceecd4513..e0e4a423f184 100644 +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -493,11 +493,36 @@ struct task_struct *kthread_create_on_cpu(int (*threadfn)(void *data), + return p; + kthread_bind(p, cpu); + /* CPU hotplug need to bind once again when unparking the thread. */ +- set_bit(KTHREAD_IS_PER_CPU, &to_kthread(p)->flags); + to_kthread(p)->cpu = cpu; + return p; + } + ++void kthread_set_per_cpu(struct task_struct *k, int cpu) ++{ ++ struct kthread *kthread = to_kthread(k); ++ if (!kthread) ++ return; ++ ++ WARN_ON_ONCE(!(k->flags & PF_NO_SETAFFINITY)); ++ ++ if (cpu < 0) { ++ clear_bit(KTHREAD_IS_PER_CPU, &kthread->flags); ++ return; ++ } ++ ++ kthread->cpu = cpu; ++ set_bit(KTHREAD_IS_PER_CPU, &kthread->flags); ++} ++ ++bool kthread_is_per_cpu(struct task_struct *k) ++{ ++ struct kthread *kthread = to_kthread(k); ++ if (!kthread) ++ return false; ++ ++ return test_bit(KTHREAD_IS_PER_CPU, &kthread->flags); ++} ++ + /** + * kthread_unpark - unpark a thread created by kthread_create(). + * @k: thread created by kthread_create(). +diff --git a/kernel/smpboot.c b/kernel/smpboot.c +index 2efe1e206167..f25208e8df83 100644 +--- a/kernel/smpboot.c ++++ b/kernel/smpboot.c +@@ -188,6 +188,7 @@ __smpboot_create_thread(struct smp_hotplug_thread *ht, unsigned int cpu) + kfree(td); + return PTR_ERR(tsk); + } ++ kthread_set_per_cpu(tsk, cpu); + /* + * Park the thread so that it could start right on the CPU + * when it is available. + diff --git a/patches.suse/mISDN-fix-use-after-free-bugs-in-l1oip-timer-handler.patch b/patches.suse/mISDN-fix-use-after-free-bugs-in-l1oip-timer-handler.patch index 7a789a1..6f4af7f 100644 --- a/patches.suse/mISDN-fix-use-after-free-bugs-in-l1oip-timer-handler.patch +++ b/patches.suse/mISDN-fix-use-after-free-bugs-in-l1oip-timer-handler.patch 
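Review bot: kthread_set_per_cpu() and kthread_is_per_cpu() are added to include/linux/kthread.h and kernel/kthread.c without kernel-doc, while the neighbouring kthread_run() and kthread_unpark() shown as context carry `/** ... */` blocks. The contract is not obvious from the prototypes: a negative `cpu` clears KTHREAD_IS_PER_CPU instead of setting it, the call silently does nothing when to_kthread() returns NULL, and it warns once if the task lacks PF_NO_SETAFFINITY. A kernel-doc block on kthread_set_per_cpu() should state those three points, and a one-line block on kthread_is_per_cpu() should say it returns false when to_kthread() returns NULL. In kthread_create_on_cpu(), the retained comment `/* CPU hotplug need to bind once again when unparking the thread. */` now sits above only `to_kthread(p)->cpu = cpu;`, since the set_bit() it described was removed, and should be reworded or dropped.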
@@ -4,7 +4,7 @@ Date: Wed, 28 Sep 2022 21:39:38 +0800 Subject: [PATCH] mISDN: fix use-after-free bugs in l1oip timer handlers Git-commit: 2568a7e0832ee30b0a351016d03062ab4e0e0a3f Patch-mainline: v6.1-rc1 -References: git-fixes +References: CVE-2022-3565 bsc#1204431 The l1oip_cleanup() traverses the l1oip_ilist and calls release_card() to cleanup module and stack. However, diff --git a/patches.suse/mac80211-don-t-re-parse-elems-in-ieee80211_assoc_suc.patch b/patches.suse/mac80211-don-t-re-parse-elems-in-ieee80211_assoc_suc.patch index 9333ccc..f0b04a4 100644 --- a/patches.suse/mac80211-don-t-re-parse-elems-in-ieee80211_assoc_suc.patch +++ b/patches.suse/mac80211-don-t-re-parse-elems-in-ieee80211_assoc_suc.patch @@ -4,7 +4,7 @@ Date: Mon, 28 Oct 2019 12:52:42 +0100 Subject: [PATCH] mac80211: don't re-parse elems in ieee80211_assoc_success() Git-commit: f61d7884cef8f1a46ed676adac313b7b53211a8a Patch-mainline: v5.5-rc1 -References: jsc#SLE-13430 +References: CVE-2022-42719 bsc#1204051 We've already parsed the same data in the caller, so we can pass it. The only thing is that we might fill in more details diff --git a/patches.suse/mac802154-Fix-LQI-recording.patch b/patches.suse/mac802154-Fix-LQI-recording.patch new file mode 100644 index 0000000..41bc548 --- /dev/null +++ b/patches.suse/mac802154-Fix-LQI-recording.patch 
@@ -0,0 +1,65 @@ +From 5a5c4e06fd03b595542d5590f2bc05a6b7fc5c2b Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 20 Oct 2022 16:25:35 +0200 +Subject: [PATCH] mac802154: Fix LQI recording +Git-commit: 5a5c4e06fd03b595542d5590f2bc05a6b7fc5c2b +Patch-mainline: v6.1-rc3 +References: git-fixes + +Back in 2014, the LQI was saved in the skb control buffer (skb->cb, or +mac_cb(skb)) without any actual reset of this area prior to its use. + +As part of a useful rework of the use of this region, 32edc40ae65c +("ieee802154: change _cb handling slightly") introduced mac_cb_init() to +basically memset the cb field to 0. In particular, this new function got +called at the beginning of mac802154_parse_frame_start(), right before +the location where the buffer got actually filled. + +What went through unnoticed however, is the fact that the very first +helper called by device drivers in the receive path already used this +area to save the LQI value for later extraction. Resetting the cb field +"so late" led to systematically zeroing the LQI. + +If we consider the reset of the cb field needed, we can make it as soon +as we get an skb from a device driver, right before storing the LQI, +as is the very first time we need to write something there. 
+ +Cc: stable@vger.kernel.org +Fixes: 32edc40ae65c ("ieee802154: change _cb handling slightly") +Signed-off-by: Miquel Raynal +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20221020142535.1038885-1-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Acked-by: Takashi Iwai + +--- + net/mac802154/rx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/mac802154/rx.c b/net/mac802154/rx.c +index c439125ef2b9..726b47a4611b 100644 +--- a/net/mac802154/rx.c ++++ b/net/mac802154/rx.c +@@ -132,7 +132,7 @@ static int + ieee802154_parse_frame_start(struct sk_buff *skb, struct ieee802154_hdr *hdr) + { + int hlen; +- struct ieee802154_mac_cb *cb = mac_cb_init(skb); ++ struct ieee802154_mac_cb *cb = mac_cb(skb); + + skb_reset_mac_header(skb); + +@@ -294,8 +294,9 @@ void + ieee802154_rx_irqsafe(struct ieee802154_hw *hw, struct sk_buff *skb, u8 lqi) + { + struct ieee802154_local *local = hw_to_local(hw); ++ struct ieee802154_mac_cb *cb = mac_cb_init(skb); + +- mac_cb(skb)->lqi = lqi; ++ cb->lqi = lqi; + skb->pkt_type = IEEE802154_RX_MSG; + skb_queue_tail(&local->skb_queue, skb); + tasklet_schedule(&local->tasklet); +-- +2.35.3 + diff --git a/patches.suse/media-cx88-Fix-a-null-ptr-deref-bug-in-buffer_prepar.patch b/patches.suse/media-cx88-Fix-a-null-ptr-deref-bug-in-buffer_prepar.patch new file mode 100644 index 0000000..7dabe8f --- /dev/null +++ b/patches.suse/media-cx88-Fix-a-null-ptr-deref-bug-in-buffer_prepar.patch 
@@ -0,0 +1,134 @@ +From 2b064d91440b33fba5b452f2d1b31f13ae911d71 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Thu, 28 Jul 2022 04:23:38 +0200 +Subject: [PATCH] media: cx88: Fix a null-ptr-deref bug in buffer_prepare() +Git-commit: 2b064d91440b33fba5b452f2d1b31f13ae911d71 +Patch-mainline: v6.1-rc1 +References: git-fixes + +When the driver calls cx88_risc_buffer() to prepare the buffer, the +function call may fail, resulting in a empty buffer and null-ptr-deref +later in buffer_queue(). + +The following log can reveal it: + +[ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI +[ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +[ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500 +[ 41.836311] Call Trace: +[ 41.836945] __enqueue_in_driver+0x141/0x360 +[ 41.837262] vb2_start_streaming+0x62/0x4a0 +[ 41.838216] vb2_core_streamon+0x1da/0x2c0 +[ 41.838516] __vb2_init_fileio+0x981/0xbc0 +[ 41.839141] __vb2_perform_fileio+0xbf9/0x1120 +[ 41.840072] vb2_fop_read+0x20e/0x400 +[ 41.840346] v4l2_read+0x215/0x290 +[ 41.840603] vfs_read+0x162/0x4c0 + +Fix this by checking the return value of cx88_risc_buffer() + +[hverkuil: fix coding style issues] + +Signed-off-by: Zheyu Ma +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/pci/cx88/cx88-vbi.c | 9 +++---- + drivers/media/pci/cx88/cx88-video.c | 43 ++++++++++++++++++------------------ + 2 files changed, 26 insertions(+), 26 deletions(-) + +--- a/drivers/media/pci/cx88/cx88-vbi.c ++++ b/drivers/media/pci/cx88/cx88-vbi.c +@@ -144,11 +144,10 @@ static int buffer_prepare(struct vb2_buf + return -EINVAL; + vb2_set_plane_payload(vb, 0, size); + +- cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl, +- 0, VBI_LINE_LENGTH * lines, +- VBI_LINE_LENGTH, 0, +- lines); +- return 0; ++ return cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl, ++ 0, VBI_LINE_LENGTH * lines, ++ 
VBI_LINE_LENGTH, 0, ++ lines); + } + + static void buffer_finish(struct vb2_buffer *vb) +--- a/drivers/media/pci/cx88/cx88-video.c ++++ b/drivers/media/pci/cx88/cx88-video.c +@@ -443,6 +443,7 @@ static int queue_setup(struct vb2_queue + + static int buffer_prepare(struct vb2_buffer *vb) + { ++ int ret; + struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); + struct cx8800_dev *dev = vb->vb2_queue->drv_priv; + struct cx88_core *core = dev->core; +@@ -457,35 +458,35 @@ static int buffer_prepare(struct vb2_buf + + switch (core->field) { + case V4L2_FIELD_TOP: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, 0, UNSET, +- buf->bpl, 0, core->height); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, 0, UNSET, ++ buf->bpl, 0, core->height); + break; + case V4L2_FIELD_BOTTOM: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, UNSET, 0, +- buf->bpl, 0, core->height); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, UNSET, 0, ++ buf->bpl, 0, core->height); + break; + case V4L2_FIELD_SEQ_TB: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, +- 0, buf->bpl * (core->height >> 1), +- buf->bpl, 0, +- core->height >> 1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, ++ 0, buf->bpl * (core->height >> 1), ++ buf->bpl, 0, ++ core->height >> 1); + break; + case V4L2_FIELD_SEQ_BT: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, +- buf->bpl * (core->height >> 1), 0, +- buf->bpl, 0, +- core->height >> 1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, ++ buf->bpl * (core->height >> 1), 0, ++ buf->bpl, 0, ++ core->height >> 1); + break; + case V4L2_FIELD_INTERLACED: + default: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, 0, buf->bpl, +- buf->bpl, buf->bpl, +- core->height >> 1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, 0, buf->bpl, ++ buf->bpl, buf->bpl, ++ core->height >> 1); + break; + } + dprintk(2, +@@ -493,7 +494,7 @@ static int buffer_prepare(struct vb2_buf + buf, 
buf->vb.vb2_buf.index, + core->width, core->height, dev->fmt->depth, dev->fmt->name, + (unsigned long)buf->risc.dma); +- return 0; ++ return ret; + } + + static void buffer_finish(struct vb2_buffer *vb) diff --git a/patches.suse/media-v4l2-dv-timings-add-sanity-checks-for-blanking.patch b/patches.suse/media-v4l2-dv-timings-add-sanity-checks-for-blanking.patch new file mode 100644 index 0000000..ff4f5b0 --- /dev/null +++ b/patches.suse/media-v4l2-dv-timings-add-sanity-checks-for-blanking.patch 
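Review bot: In the cx88-video.c buffer_prepare() hunks, a failing cx88_risc_buffer() still falls through to the dprintk() that reports the buffer geometry and `buf->risc.dma`, and the error is only returned afterwards. Returning straight after the switch with `if (ret) return ret;` would keep the debug log from describing a buffer whose RISC program was never built, and would match the cx88-vbi.c hunk, which returns the helper's result directly. The state of `buf->risc` after a failed call is not visible in these hunks, so treat the logged DMA address as unreliable on that path.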
@@ -0,0 +1,48 @@
+From 4b6d66a45ed34a15721cb9e11492fa1a24bc83df Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Thu, 13 Oct 2022 09:00:34 +0100
+Subject: [PATCH] media: v4l2-dv-timings: add sanity checks for blanking values
+Git-commit: 4b6d66a45ed34a15721cb9e11492fa1a24bc83df
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+Add sanity checks to v4l2_valid_dv_timings() to ensure that the provided
+blanking values are reasonable.
+
+Signed-off-by: Hans Verkuil
+Fixes: b18787ed1ce3 ([media] v4l2-dv-timings: add new helper module)
+Signed-off-by: Mauro Carvalho Chehab
+Acked-by: Takashi Iwai
+
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/media/v4l2-core/v4l2-dv-timings.c b/drivers/media/v4l2-core/v4l2-dv-timings.c
+index af48705c704f..003c32fed3f7 100644
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -161,6 +161,20 @@ bool v4l2_valid_dv_timings(const struct v4l2_dv_timings *t,
+ (bt->interlaced && !(caps & V4L2_DV_BT_CAP_INTERLACED)) ||
+ (!bt->interlaced && !(caps & V4L2_DV_BT_CAP_PROGRESSIVE)))
+ return false;
++
++ /* sanity checks for the blanking timings */
++ if (!bt->interlaced &&
++ (bt->il_vbackporch || bt->il_vsync || bt->il_vfrontporch))
++ return false;
++ if (bt->hfrontporch > 2 * bt->width ||
++ bt->hsync > 1024 || bt->hbackporch > 1024)
++ return false;
++ if (bt->vfrontporch > 4096 ||
++ bt->vsync > 128 || bt->vbackporch > 4096)
++ return false;
++ if (bt->interlaced && (bt->il_vfrontporch > 4096 ||
++ bt->il_vsync > 128 || bt->il_vbackporch > 4096))
++ return false;
+ return fnc == NULL || fnc(t, fnc_handle);
+ }
+ EXPORT_SYMBOL_GPL(v4l2_valid_dv_timings);
+--
+2.35.3
+
diff --git a/patches.suse/media-videodev2.h-V4L2_DV_BT_BLANKING_HEIGHT-should-.patch b/patches.suse/media-videodev2.h-V4L2_DV_BT_BLANKING_HEIGHT-should-.patch
new file mode 100644
index 0000000..c8ed847
--- /dev/null
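Review bot: The new bounds in v4l2_valid_dv_timings() (`1024`, `4096`, `128` and `2 * bt->width`) are bare literals with no stated origin, so a reader cannot tell a deliberate policy limit from an arbitrary one when a timing is rejected. A comment above the block saying where the limits come from, or named constants in place of the literals, would make this validation gate easier to audit and to keep in step with the frame-size macros. The `2 * bt->width` comparison also relies on width having been range-checked earlier in the function so the multiplication cannot wrap; that check sits outside the hunk and should be confirmed in the backport target.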
+++ b/patches.suse/media-videodev2.h-V4L2_DV_BT_BLANKING_HEIGHT-should-.patch
@@ -0,0 +1,37 @@
+From 8da7f0976b9071b528c545008de9d10cc81883b1 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Wed, 12 Oct 2022 16:46:17 +0100
+Subject: [PATCH] media: videodev2.h: V4L2_DV_BT_BLANKING_HEIGHT should check 'interlaced'
+Git-commit: 8da7f0976b9071b528c545008de9d10cc81883b1
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+If it is a progressive (non-interlaced) format, then ignore the
+interlaced timing values.
+
+Signed-off-by: Hans Verkuil
+Fixes: 7f68127fa11f ([media] videodev2.h: defines to calculate blanking and frame sizes)
+Signed-off-by: Mauro Carvalho Chehab
+Acked-by: Takashi Iwai
+
+---
+ include/uapi/linux/videodev2.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h
+index 86cae23cc446..29da1f4b4578 100644
+--- a/include/uapi/linux/videodev2.h
++++ b/include/uapi/linux/videodev2.h
+@@ -1601,7 +1601,8 @@ struct v4l2_bt_timings {
+ ((bt)->width + V4L2_DV_BT_BLANKING_WIDTH(bt))
+ #define V4L2_DV_BT_BLANKING_HEIGHT(bt) \
+ ((bt)->vfrontporch + (bt)->vsync + (bt)->vbackporch + \
+- (bt)->il_vfrontporch + (bt)->il_vsync + (bt)->il_vbackporch)
++ ((bt)->interlaced ? \
++ ((bt)->il_vfrontporch + (bt)->il_vsync + (bt)->il_vbackporch) : 0))
+ #define V4L2_DV_BT_FRAME_HEIGHT(bt) \
+ ((bt)->height + V4L2_DV_BT_BLANKING_HEIGHT(bt))
+
+--
+2.35.3
+
diff --git a/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch b/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch
new file mode 100644
index 0000000..faec977
--- /dev/null
+++ b/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch
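Review bot: V4L2_DV_BT_BLANKING_HEIGHT() lives in a UAPI header and, after this change, ignores the il_* fields for progressive timings, yet nothing next to the macro says so. Userspace that computes frame heights from this macro will see a different result for progressive timings carrying non-zero il_* values, so the rule should be written down where the macro is defined, for example `/* il_* porches are counted only when bt->interlaced is set */`. The struct and the neighbouring macros continue outside the hunk.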
@@ -0,0 +1,144 @@ +From: Zheng Wang +Date: Thu, 6 Oct 2022 23:26:43 +0800 +Subject: [PATCH] misc: sgi-gru: fix use-after-free error in + gru_set_context_option, gru_fault and gru_handle_user_call_os +Message-Id: <20221006152643.1694235-1-zyytlz.wz@163.com> +Patch-mainline: Submitted, LKML +References: CVE-2022-3424 bsc#1204166 + +Gts may be freed in gru_check_chiplet_assignment. +The caller still use it after that, UAF happens. + +Fix it by introducing a return value to see if it's in error path or not. +Free the gts in caller if gru_check_chiplet_assignment check failed. + +Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2") +Reported-by: Zheng Wang +Signed-off-by: Zheng Wang +Signed-off-by: Takashi Iwai + +--- + drivers/misc/sgi-gru/grufault.c | 15 ++++++++++++--- + drivers/misc/sgi-gru/grumain.c | 17 +++++++++++++---- + drivers/misc/sgi-gru/grutables.h | 2 +- + 3 files changed, 26 insertions(+), 8 deletions(-) + +diff --git a/drivers/misc/sgi-gru/grufault.c b/drivers/misc/sgi-gru/grufault.c +index d7ef61e602ed..f1e5b96fef4b 100644 +--- a/drivers/misc/sgi-gru/grufault.c ++++ b/drivers/misc/sgi-gru/grufault.c +@@ -656,7 +656,9 @@ int gru_handle_user_call_os(unsigned long cb) + if (ucbnum >= gts->ts_cbr_au_count * GRU_CBR_AU_SIZE) + goto exit; + +- gru_check_context_placement(gts); ++ ret = gru_check_context_placement(gts); ++ if (ret) ++ goto err; + + /* + * CCH may contain stale data if ts_force_cch_reload is set. 
+@@ -677,6 +679,10 @@ int gru_handle_user_call_os(unsigned long cb) + exit: + gru_unlock_gts(gts); + return ret; ++err: ++ gru_unlock_gts(gts); ++ gru_unload_context(gts, 1); ++ return -EINVAL; + } + + /* +@@ -874,7 +880,7 @@ int gru_set_context_option(unsigned long arg) + } else { + gts->ts_user_blade_id = req.val1; + gts->ts_user_chiplet_id = req.val0; +- gru_check_context_placement(gts); ++ ret = gru_check_context_placement(gts); + } + break; + case sco_gseg_owner: +@@ -889,6 +895,9 @@ int gru_set_context_option(unsigned long arg) + ret = -EINVAL; + } + gru_unlock_gts(gts); +- ++ if (ret) { ++ gru_unload_context(gts, 1); ++ ret = -EINVAL; ++ } + return ret; + } +diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c +index 9afda47efbf2..79903cf7e706 100644 +--- a/drivers/misc/sgi-gru/grumain.c ++++ b/drivers/misc/sgi-gru/grumain.c +@@ -716,9 +716,10 @@ static int gru_check_chiplet_assignment(struct gru_state *gru, + * chiplet. Misassignment can occur if the process migrates to a different + * blade or if the user changes the selected blade/chiplet. 
+ */ +-void gru_check_context_placement(struct gru_thread_state *gts) ++int gru_check_context_placement(struct gru_thread_state *gts) + { + struct gru_state *gru; ++ int ret = 0; + + /* + * If the current task is the context owner, verify that the +@@ -727,14 +728,16 @@ void gru_check_context_placement(struct gru_thread_state *gts) + */ + gru = gts->ts_gru; + if (!gru || gts->ts_tgid_owner != current->tgid) +- return; ++ return ret; + + if (!gru_check_chiplet_assignment(gru, gts)) { + STAT(check_context_unload); +- gru_unload_context(gts, 1); ++ ret = -EINVAL; + } else if (gru_retarget_intr(gts)) { + STAT(check_context_retarget_intr); + } ++ ++ return ret; + } + + +@@ -919,6 +922,7 @@ vm_fault_t gru_fault(struct vm_fault *vmf) + struct gru_thread_state *gts; + unsigned long paddr, vaddr; + unsigned long expires; ++ int ret; + + vaddr = vmf->address; + gru_dbg(grudev, "vma %p, vaddr 0x%lx (0x%lx)\n", +@@ -934,7 +938,12 @@ vm_fault_t gru_fault(struct vm_fault *vmf) + mutex_lock(>s->ts_ctxlock); + preempt_disable(); + +- gru_check_context_placement(gts); ++ ret = gru_check_context_placement(gts); ++ if (ret) { ++ mutex_unlock(>s->ts_ctxlock); ++ gru_unload_context(gts, 1); ++ return ret; ++ } + + if (!gts->ts_gru) { + STAT(load_user_context); +diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h +index 5efc869fe59a..f4a5a787685f 100644 +--- a/drivers/misc/sgi-gru/grutables.h ++++ b/drivers/misc/sgi-gru/grutables.h +@@ -632,7 +632,7 @@ extern int gru_user_flush_tlb(unsigned long arg); + extern int gru_user_unload_context(unsigned long arg); + extern int gru_get_exception_detail(unsigned long arg); + extern int gru_set_context_option(unsigned long address); +-extern void gru_check_context_placement(struct gru_thread_state *gts); ++extern int gru_check_context_placement(struct gru_thread_state *gts); + extern int gru_cpu_fault_map_id(void); + extern struct vm_area_struct *gru_find_vma(unsigned long vaddr); + extern void 
gru_flush_all_tlb(struct gru_state *gru); +-- +2.35.3 + diff --git a/patches.suse/mm-hugetlb-fix-races-when-looking-up-a-CONT-PTE-PMD-.patch b/patches.suse/mm-hugetlb-fix-races-when-looking-up-a-CONT-PTE-PMD-.patch new file mode 100644 index 0000000..38d3137 --- /dev/null +++ b/patches.suse/mm-hugetlb-fix-races-when-looking-up-a-CONT-PTE-PMD-.patch 
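Review bot: The new error path in gru_fault() (grumain.c hunk at -934) drops ts_ctxlock but never undoes the preempt_disable() taken just above it, and it returns the negative errno from gru_check_context_placement() out of a function typed vm_fault_t. The first leaves the preempt count unbalanced each time the placement check fails; the second hands the fault core a value that is not a VM_FAULT_* code. I would add `preempt_enable();` before the unlock and end the branch with a fault code such as `return VM_FAULT_NOPAGE;`. In gru_set_context_option() the added `if (ret)` block after gru_unlock_gts() also fires for the `ret = -EINVAL` set by the other switch arms, so an unrelated bad option would unload the context; handling the failure inside the arm that sets ts_user_blade_id avoids that. gru_fault() and gru_set_context_option() both continue outside their hunks.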
@@ -0,0 +1,169 @@ +From fac35ba763ed07ba93154c95ffc0c4a55023707f Mon Sep 17 00:00:00 2001 +From: Baolin Wang +Date: Thu, 1 Sep 2022 18:41:31 +0800 +Subject: [PATCH] mm/hugetlb: fix races when looking up a CONT-PTE/PMD size + hugetlb page +Patch-mainline: v6.1-rc1 +Git-commit: fac35ba763ed07ba93154c95ffc0c4a55023707f +References: bsc#1204575 + +On some architectures (like ARM64), it can support CONT-PTE/PMD size +hugetlb, which means it can support not only PMD/PUD size hugetlb (2M and +1G), but also CONT-PTE/PMD size(64K and 32M) if a 4K page size specified. + +So when looking up a CONT-PTE size hugetlb page by follow_page(), it will +use pte_offset_map_lock() to get the pte entry lock for the CONT-PTE size +hugetlb in follow_page_pte(). However this pte entry lock is incorrect +for the CONT-PTE size hugetlb, since we should use huge_pte_lock() to get +the correct lock, which is mm->page_table_lock. + +That means the pte entry of the CONT-PTE size hugetlb under current pte +lock is unstable in follow_page_pte(), we can continue to migrate or +poison the pte entry of the CONT-PTE size hugetlb, which can cause some +potential race issues, even though they are under the 'pte lock'. + +For example, suppose thread A is trying to look up a CONT-PTE size hugetlb +page by move_pages() syscall under the lock, however antoher thread B can +migrate the CONT-PTE hugetlb page at the same time, which will cause +thread A to get an incorrect page, if thread A also wants to do page +migration, then data inconsistency error occurs. + +Moreover we have the same issue for CONT-PMD size hugetlb in +follow_huge_pmd(). + +To fix above issues, rename the follow_huge_pmd() as follow_huge_pmd_pte() +to handle PMD and PTE level size hugetlb, which uses huge_pte_lock() to +get the correct pte entry lock to make the pte entry stable. + +Mike said: + +Support for CONT_PMD/_PTE was added with bb9dd3df8ee9 ("arm64: hugetlb: +refactor find_num_contig()"). 
Patch series "Support for contiguous pte +hugepages", v4. However, I do not believe these code paths were +executed until migration support was added with 5480280d3f2d ("arm64/mm: +enable HugeTLB migration for contiguous bit HugeTLB pages") I would go +with 5480280d3f2d for the Fixes: targe. + +Link: https://lkml.kernel.org/r/635f43bdd85ac2615a58405da82b4d33c6e5eb05.1662017562.git.baolin.wang@linux.alibaba.com +Fixes: 5480280d3f2d ("arm64/mm: enable HugeTLB migration for contiguous bit HugeTLB pages") +Signed-off-by: Baolin Wang +Suggested-by: Mike Kravetz +Reviewed-by: Mike Kravetz +Cc: David Hildenbrand +Cc: Muchun Song +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Oscar Salvador +--- + include/linux/hugetlb.h | 6 +++--- + mm/gup.c | 13 ++++++++++++- + mm/hugetlb.c | 30 +++++++++++++++--------------- + 3 files changed, 30 insertions(+), 19 deletions(-) + +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -127,8 +127,8 @@ struct page *follow_huge_addr(struct mm_ + struct page *follow_huge_pd(struct vm_area_struct *vma, + unsigned long address, hugepd_t hpd, + int flags, int pdshift); +-struct page *follow_huge_pmd(struct mm_struct *mm, unsigned long address, +- pmd_t *pmd, int flags); ++struct page *follow_huge_pmd_pte(struct vm_area_struct *vma, unsigned long address, ++ int flags); + struct page *follow_huge_pud(struct mm_struct *mm, unsigned long address, + pud_t *pud, int flags); + struct page *follow_huge_pgd(struct mm_struct *mm, unsigned long address, +@@ -175,7 +175,7 @@ static inline void hugetlb_show_meminfo( + { + } + #define follow_huge_pd(vma, addr, hpd, flags, pdshift) NULL +-#define follow_huge_pmd(mm, addr, pmd, flags) NULL ++#define follow_huge_pmd_pte(vma, addr, flags) NULL + #define follow_huge_pud(mm, addr, pud, flags) NULL + #define follow_huge_pgd(mm, addr, pgd, flags) NULL + #define prepare_hugepage_range(file, addr, len) (-EINVAL) +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -180,6 +180,17 @@ static struct page 
*follow_page_pte(stru + pte_t *ptep, pte; + int ret; + ++ /* ++ * Considering PTE level hugetlb, like continuous-PTE hugetlb on ++ * ARM64 architecture. ++ */ ++ if (is_vm_hugetlb_page(vma)) { ++ page = follow_huge_pmd_pte(vma, address, flags); ++ if (page) ++ return page; ++ return no_page_table(vma, flags); ++ } ++ + retry: + if (unlikely(pmd_bad(*pmd))) + return no_page_table(vma, flags); +@@ -334,7 +345,7 @@ static struct page *follow_pmd_mask(stru + if (pmd_none(pmdval)) + return no_page_table(vma, flags); + if (pmd_huge(pmdval) && vma->vm_flags & VM_HUGETLB) { +- page = follow_huge_pmd(mm, address, pmd, flags); ++ page = follow_huge_pmd_pte(vma, address, flags); + if (page) + return page; + return no_page_table(vma, flags); +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -5013,30 +5013,30 @@ follow_huge_pd(struct vm_area_struct *vm + } + + struct page * __weak +-follow_huge_pmd(struct mm_struct *mm, unsigned long address, +- pmd_t *pmd, int flags) ++follow_huge_pmd_pte(struct vm_area_struct *vma, unsigned long address, ++ int flags) + { ++ struct hstate *h = hstate_vma(vma); ++ struct mm_struct *mm = vma->vm_mm; + struct page *page = NULL; + spinlock_t *ptl; +- pte_t pte; ++ pte_t *ptep, pte; + retry: +- ptl = pmd_lockptr(mm, pmd); +- spin_lock(ptl); +- /* +- * make sure that the address range covered by this pmd is not +- * unmapped from other threads. 
+- */ +- if (!pmd_huge(*pmd)) +- goto out; +- pte = huge_ptep_get((pte_t *)pmd); ++ ptep = huge_pte_offset(mm, address, huge_page_size(h)); ++ if (!ptep) ++ return NULL; ++ ++ ptl = huge_pte_lock(h, mm, ptep); ++ pte = huge_ptep_get(ptep); + if (pte_present(pte)) { +- page = pmd_page(*pmd) + ((address & ~PMD_MASK) >> PAGE_SHIFT); ++ page = pte_page(pte) + ++ ((address & ~huge_page_mask(h)) >> PAGE_SHIFT); + if (flags & FOLL_GET) + get_page(page); + } else { + if (is_hugetlb_entry_migration(pte)) { + spin_unlock(ptl); +- __migration_entry_wait(mm, (pte_t *)pmd, ptl); ++ __migration_entry_wait(mm, ptep, ptl); + goto retry; + } + /* +@@ -5044,7 +5044,7 @@ retry: + * follow_page_mask(). + */ + } +-out: ++ + spin_unlock(ptl); + return page; + } diff --git a/patches.suse/mm-memcg-avoid-stale-protection-values-when-cgroup-is-above-protection.patch b/patches.suse/mm-memcg-avoid-stale-protection-values-when-cgroup-is-above-protection.patch new file mode 100644 index 0000000..85bd145 --- /dev/null +++ b/patches.suse/mm-memcg-avoid-stale-protection-values-when-cgroup-is-above-protection.patch 
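Review bot: follow_huge_pmd() was a `__weak` default, and the mm/hugetlb.c hunk replaces it with follow_huge_pmd_pte() under a new name and signature, so any architecture override of the old name in this backport target would stop overriding and become dead code while the generic version runs. The hunks shown touch only the generic definition, the prototype and the NULL stub macro, so a grep for remaining follow_huge_pmd() definitions in arch code is worth doing before merging. I would also add a short comment above the new function stating that it takes huge_pte_lock() itself and returns NULL when huge_pte_offset() finds no entry, since follow_page_pte() now calls it before looking at the pmd.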
@@ -0,0 +1,202 @@ +From: Yafang Shao +Date: Thu, 6 Aug 2020 23:22:01 -0700 +Subject: mm, memcg: avoid stale protection values when cgroup is above + protection +Git-commit: 22f7496f0b901249f23c5251eb8a10aae126b909 +Patch-mainline: v5.9-rc1 +References: bsc#1204754 + +Patch series "mm, memcg: memory.{low,min} reclaim fix & cleanup", v4. + +This series contains a fix for a edge case in my earlier protection +calculation patches, and a patch to make the area overall a little more +robust to hopefully help avoid this in future. + +This patch (of 2): + +A cgroup can have both memory protection and a memory limit to isolate it +from its siblings in both directions - for example, to prevent it from +being shrunk below 2G under high pressure from outside, but also from +growing beyond 4G under low pressure. + +Commit 9783aa9917f8 ("mm, memcg: proportional memory.{low,min} reclaim") +implemented proportional scan pressure so that multiple siblings in excess +of their protection settings don't get reclaimed equally but instead in +accordance to their unprotected portion. + +During limit reclaim, this proportionality shouldn't apply of course: +there is no competition, all pressure is from within the cgroup and should +be applied as such. Reclaim should operate at full efficiency. + +However, mem_cgroup_protected() never expected anybody to look at the +effective protection values when it indicated that the cgroup is above its +protection. As a result, a query during limit reclaim may return stale +protection values that were calculated by a previous reclaim cycle in +which the cgroup did have siblings. + +When this happens, reclaim is unnecessarily hesitant and potentially slow +to meet the desired limit. In theory this could lead to premature OOM +kills, although it's not obvious this has occurred in practice. + +Workaround the problem by special casing reclaim roots in +mem_cgroup_protection. 
These memcgs are never participating in the +reclaim protection because the reclaim is internal. + +We have to ignore effective protection values for reclaim roots because +mem_cgroup_protected might be called from racing reclaim contexts with +different roots. Calculation is relying on root -> leaf tree traversal +therefore top-down reclaim protection invariants should hold. The only +exception is the reclaim root which should have effective protection set +to 0 but that would be problematic for the following setup: + + Let's have global and A's reclaim in parallel: + | + A (low=2G, usage = 3G, max = 3G, children_low_usage = 1.5G) + |\ + | C (low = 1G, usage = 2.5G) + B (low = 1G, usage = 0.5G) + + for A reclaim we have + B.elow = B.low + C.elow = C.low + + For the global reclaim + A.elow = A.low + B.elow = min(B.usage, B.low) because children_low_usage <= A.elow + C.elow = min(C.usage, C.low) + + With the effective values resetting we have A reclaim + A.elow = 0 + B.elow = B.low + C.elow = C.low + + and global reclaim could see the above and then + B.elow = C.elow = 0 because children_low_usage > A.elow + +Which means that protected memcgs would get reclaimed. + +In future we would like to make mem_cgroup_protected more robust against +racing reclaim contexts but that is likely more complex solution than this +simple workaround. 
+ +[hannes@cmpxchg.org - large part of the changelog] +[mhocko@suse.com - workaround explanation] +[chris@chrisdown.name - retitle] + +Fixes: 9783aa9917f8 ("mm, memcg: proportional memory.{low,min} reclaim") +Signed-off-by: Yafang Shao +Signed-off-by: Chris Down +Signed-off-by: Andrew Morton +Acked-by: Michal Hocko +Acked-by: Johannes Weiner +Acked-by: Chris Down +Acked-by: Roman Gushchin +Link: http://lkml.kernel.org/r/cover.1594638158.git.chris@chrisdown.name +Link: http://lkml.kernel.org/r/044fb8ecffd001c7905d27c0c2ad998069fdc396.1594638158.git.chris@chrisdown.name +Signed-off-by: Linus Torvalds +Acked-by: Michal Koutný +--- + include/linux/memcontrol.h | 42 ++++++++++++++++++++++++++++++++++++++++-- + mm/memcontrol.c | 8 ++++++++ + mm/vmscan.c | 3 ++- + 3 files changed, 50 insertions(+), 3 deletions(-) + +diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h +index 3f8ff6519c9d..0301b231fd02 100644 +--- a/include/linux/memcontrol.h ++++ b/include/linux/memcontrol.h +@@ -355,12 +355,49 @@ static inline bool mem_cgroup_disabled(void) + return !cgroup_subsys_enabled(memory_cgrp_subsys); + } + +-static inline unsigned long mem_cgroup_protection(struct mem_cgroup *memcg, ++static inline unsigned long mem_cgroup_protection(struct mem_cgroup *root, ++ struct mem_cgroup *memcg, + bool in_low_reclaim) + { + if (mem_cgroup_disabled()) + return 0; + ++ /* ++ * There is no reclaim protection applied to a targeted reclaim. ++ * We are special casing this specific case here because ++ * mem_cgroup_protected calculation is not robust enough to keep ++ * the protection invariant for calculated effective values for ++ * parallel reclaimers with different reclaim target. This is ++ * especially a problem for tail memcgs (as they have pages on LRU) ++ * which would want to have effective values 0 for targeted reclaim ++ * but a different value for external reclaim. 
++ * ++ * Example ++ * Let's have global and A's reclaim in parallel: ++ * | ++ * A (low=2G, usage = 3G, max = 3G, children_low_usage = 1.5G) ++ * |\ ++ * | C (low = 1G, usage = 2.5G) ++ * B (low = 1G, usage = 0.5G) ++ * ++ * For the global reclaim ++ * A.elow = A.low ++ * B.elow = min(B.usage, B.low) because children_low_usage <= A.elow ++ * C.elow = min(C.usage, C.low) ++ * ++ * With the effective values resetting we have A reclaim ++ * A.elow = 0 ++ * B.elow = B.low ++ * C.elow = C.low ++ * ++ * If the global reclaim races with A's reclaim then ++ * B.elow = C.elow = 0 because children_low_usage > A.elow) ++ * is possible and reclaiming B would be violating the protection. ++ * ++ */ ++ if (root == memcg) ++ return 0; ++ + if (in_low_reclaim) + return READ_ONCE(memcg->memory.emin); + +@@ -891,7 +928,8 @@ static inline void memcg_memory_event_mm(struct mm_struct *mm, + { + } + +-static inline unsigned long mem_cgroup_protection(struct mem_cgroup *memcg, ++static inline unsigned long mem_cgroup_protection(struct mem_cgroup *root, ++ struct mem_cgroup *memcg, + bool in_low_reclaim) + { + return 0; +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index b4cb1bb61d46..c610617bb19a 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -6605,6 +6605,14 @@ enum mem_cgroup_protection mem_cgroup_protected(struct mem_cgroup *root, + + if (!root) + root = root_mem_cgroup; ++ ++ /* ++ * Effective values of the reclaim targets are ignored so they ++ * can be stale. Have a look at mem_cgroup_protection for more ++ * details. ++ * TODO: calculation should be more robust so that we do not need ++ * that special casing. 
++ */ + if (memcg == root) + return MEMCG_PROT_NONE; + +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 2ac43664aba4..9f0811d24255 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2331,7 +2331,8 @@ static void get_scan_count(struct lruvec *lruvec, struct scan_control *sc, + unsigned long protection; + + lruvec_size = lruvec_lru_size(lruvec, lru, sc->reclaim_idx); +- protection = mem_cgroup_protection(memcg, ++ protection = mem_cgroup_protection(sc->target_mem_cgroup, ++ memcg, + sc->memcg_low_reclaim); + + if (protection) { + diff --git a/patches.suse/mm-memcontrol-fix-occasional-OOMs-due-to-proportional-memory.low-reclaim.patch b/patches.suse/mm-memcontrol-fix-occasional-OOMs-due-to-proportional-memory.low-reclaim.patch new file mode 100644 index 0000000..0d90077 --- /dev/null +++ b/patches.suse/mm-memcontrol-fix-occasional-OOMs-due-to-proportional-memory.low-reclaim.patch 
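Review bot: mem_cgroup_protection() compares `root == memcg` directly, whereas mem_cgroup_protected() in the memcontrol.c hunk first maps a NULL root to root_mem_cgroup, and the vmscan.c caller passes `sc->target_mem_cgroup`, which is presumably NULL for global reclaim. With a NULL root the new early return can never match the root cgroup, so the two helpers disagree about what the reclaim root is. This is likely harmless if the root cgroup's emin and elow are always zero, but that is not shown here. Either normalise with `if (!root) root = root_mem_cgroup;` or add a comment explaining why NULL needs no special case.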
@@ -0,0 +1,156 @@ +From: Johannes Weiner +Date: Thu, 19 Aug 2021 19:04:21 -0700 +Subject: mm: memcontrol: fix occasional OOMs due to proportional memory.low + reclaim +Git-commit: f56ce412a59d7d938b81de8878faef128812482c +Patch-mainline: v5.14-rc7 +References: bsc#1204754 + +We've noticed occasional OOM killing when memory.low settings are in +effect for cgroups. This is unexpected and undesirable as memory.low is +supposed to express non-OOMing memory priorities between cgroups. + +The reason for this is proportional memory.low reclaim. When cgroups +are below their memory.low threshold, reclaim passes them over in the +first round, and then retries if it couldn't find pages anywhere else. +But when cgroups are slightly above their memory.low setting, page scan +force is scaled down and diminished in proportion to the overage, to the +point where it can cause reclaim to fail as well - only in that case we +currently don't retry, and instead trigger OOM. + +To fix this, hook proportional reclaim into the same retry logic we have +in place for when cgroups are skipped entirely. This way if reclaim +fails and some cgroups were scanned with diminished pressure, we'll try +another full-force cycle before giving up and OOMing. 
+ +[akpm@linux-foundation.org: coding-style fixes] + +Link: https://lkml.kernel.org/r/20210817180506.220056-1-hannes@cmpxchg.org +Fixes: 9783aa9917f8 ("mm, memcg: proportional memory.{low,min} reclaim") +Signed-off-by: Johannes Weiner +Reported-by: Leon Yang +Reviewed-by: Rik van Riel +Reviewed-by: Shakeel Butt +Acked-by: Roman Gushchin +Acked-by: Chris Down +Acked-by: Michal Hocko +Cc: [5.4+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[mkoutny: Adjust context] +Acked-by: Michal Koutný +--- + include/linux/memcontrol.h | 29 +++++++++++++++-------------- + mm/vmscan.c | 27 +++++++++++++++++++-------- + 2 files changed, 34 insertions(+), 22 deletions(-) + +--- a/include/linux/memcontrol.h ++++ b/include/linux/memcontrol.h +@@ -344,12 +344,15 @@ static inline bool mem_cgroup_disabled(v + return !cgroup_subsys_enabled(memory_cgrp_subsys); + } + +-static inline unsigned long mem_cgroup_protection(struct mem_cgroup *root, +- struct mem_cgroup *memcg, +- bool in_low_reclaim) ++static inline void mem_cgroup_protection(struct mem_cgroup *root, ++ struct mem_cgroup *memcg, ++ unsigned long *min, ++ unsigned long *low) + { ++ *min = *low = 0; ++ + if (mem_cgroup_disabled()) +- return 0; ++ return; + + /* + * There is no reclaim protection applied to a targeted reclaim. 
+@@ -385,13 +388,10 @@ static inline unsigned long mem_cgroup_p + * + */ + if (root == memcg) +- return 0; +- +- if (in_low_reclaim) +- return READ_ONCE(memcg->memory.emin); ++ return; + +- return max(READ_ONCE(memcg->memory.emin), +- READ_ONCE(memcg->memory.elow)); ++ *min = READ_ONCE(memcg->memory.emin); ++ *low = READ_ONCE(memcg->memory.elow); + } + + enum mem_cgroup_protection mem_cgroup_protected(struct mem_cgroup *root, +@@ -880,11 +880,12 @@ static inline void memcg_memory_event_mm + { + } + +-static inline unsigned long mem_cgroup_protection(struct mem_cgroup *root, +- struct mem_cgroup *memcg, +- bool in_low_reclaim) ++static inline void mem_cgroup_protection(struct mem_cgroup *root, ++ struct mem_cgroup *memcg, ++ unsigned long *min, ++ unsigned long *low) + { +- return 0; ++ *min = *low = 0; + } + + static inline enum mem_cgroup_protection mem_cgroup_protected( +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -96,9 +96,12 @@ struct scan_control { + unsigned int may_swap:1; + + /* +- * Cgroups are not reclaimed below their configured memory.low, +- * unless we threaten to OOM. If any cgroups are skipped due to +- * memory.low and nothing was reclaimed, go back for memory.low. ++ * Cgroup memory below memory.low is protected as long as we ++ * don't threaten to OOM. If any cgroup is reclaimed at ++ * reduced force or passed over entirely due to its memory.low ++ * setting (memcg_low_skipped), and nothing is reclaimed as a ++ * result, then go back for one more cycle that reclaims the protected ++ * memory (memcg_low_reclaim) to avert OOM. 
+ */ + unsigned int memcg_low_reclaim:1; + unsigned int memcg_low_skipped:1; +@@ -2307,15 +2310,14 @@ out: + for_each_evictable_lru(lru) { + int file = is_file_lru(lru); + unsigned long lruvec_size; ++ unsigned long low, min; + unsigned long scan; +- unsigned long protection; + + lruvec_size = lruvec_lru_size(lruvec, lru, sc->reclaim_idx); +- protection = mem_cgroup_protection(sc->target_mem_cgroup, +- memcg, +- sc->memcg_low_reclaim); ++ mem_cgroup_protection(sc->target_mem_cgroup, memcg, ++ &min, &low); + +- if (protection) { ++ if (min || low) { + /* + * Scale a cgroup's reclaim pressure by proportioning + * its current usage to its memory.low or memory.min +@@ -2346,6 +2348,15 @@ out: + * hard protection. + */ + unsigned long cgroup_size = mem_cgroup_size(memcg); ++ unsigned long protection; ++ ++ /* memory.low scaling, make sure we retry before OOM */ ++ if (!sc->memcg_low_reclaim && low > min) { ++ protection = low; ++ sc->memcg_low_skipped = 1; ++ } else { ++ protection = min; ++ } + + /* Avoid TOCTOU with earlier protection check */ + cgroup_size = max(cgroup_size, protection); diff --git a/patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch b/patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch index 6004343..4c70ab2 100644 --- a/patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch +++ b/patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch @@ -3,7 +3,7 @@ Date: Wed, 31 Aug 2022 19:06:00 +0200 Subject: mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse Git-commit: 2555283eb40df89945557273121e9393ef9b542b Patch-mainline: v6.0 or v6.0-rc4 (next release) -References: git-fixes, bsc#1203098 +References: CVE-2022-42703, bsc#1204168, git-fixes, bsc#1203098 anon_vma->degree tracks the combined number of child anon_vmas and VMAs that use the anon_vma as their ->anon_vma. 
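Review bot: mem_cgroup_protection() now reports through two out-parameters, and the only hint that both are always written is the `*min = *low = 0;` at the top of each variant. The caller in get_scan_count() tests `min || low` immediately after the call on otherwise uninitialised locals, so that contract deserves a comment on the function, for example `/* *min and *low are always set; both are 0 for the reclaim root or when memcg is disabled */`. The function body in memcontrol.h spans two hunks and is not fully visible here.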
diff --git a/patches.suse/mmc-core-Fix-kernel-panic-when-remove-non-standard-S.patch b/patches.suse/mmc-core-Fix-kernel-panic-when-remove-non-standard-S.patch
new file mode 100644
index 0000000..f255994
--- /dev/null
+++ b/patches.suse/mmc-core-Fix-kernel-panic-when-remove-non-standard-S.patch
@@ -0,0 +1,44 @@
+From 9972e6b404884adae9eec7463e30d9b3c9a70b18 Mon Sep 17 00:00:00 2001
+From: Matthew Ma
+Date: Fri, 14 Oct 2022 11:49:51 +0800
+Subject: [PATCH] mmc: core: Fix kernel panic when remove non-standard SDIO card
+Git-commit: 9972e6b404884adae9eec7463e30d9b3c9a70b18
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+SDIO tuple is only allocated for standard SDIO card, especially it causes
+memory corruption issues when the non-standard SDIO card has removed, which
+is because the card device's reference counter does not increase for it at
+sdio_init_func(), but all SDIO card device reference counter gets decreased
+at sdio_release_func().
+
+Fixes: 6f51be3d37df ("sdio: allow non-standard SDIO cards")
+Signed-off-by: Matthew Ma
+Reviewed-by: Weizhao Ouyang
+Reviewed-by: John Wang
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221014034951.2300386-1-ouyangweizhao@zeku.com
+Signed-off-by: Ulf Hansson
+Acked-by: Takashi Iwai
+
+---
+ drivers/mmc/core/sdio_bus.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/core/sdio_bus.c b/drivers/mmc/core/sdio_bus.c
+index c6268c38c69e..babf21a0adeb 100644
+--- a/drivers/mmc/core/sdio_bus.c
++++ b/drivers/mmc/core/sdio_bus.c
+@@ -291,7 +291,8 @@ static void sdio_release_func(struct device *dev)
+ {
+ struct sdio_func *func = dev_to_sdio_func(dev);
+
+- sdio_free_func_cis(func);
++ if (!(func->card->quirks & MMC_QUIRK_NONSTD_SDIO))
++ sdio_free_func_cis(func);
+
+ kfree(func->info);
+ kfree(func->tmpbuf);
+--
+2.35.3
+
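Review bot: The new guard in sdio_release_func() carries no comment saying why the CIS teardown is skipped for MMC_QUIRK_NONSTD_SDIO cards, and the reason given in the commit message (no reference is taken for such cards in sdio_init_func()) is not visible at the call site. I would add `/* Non-standard cards never took the CIS tuple reference in sdio_init_func(); dropping it here would unbalance the card refcount. */` above the `if`. The check also dereferences `func->card` unconditionally inside a release callback; whether `card` is always set by the time the device is released cannot be confirmed from this hunk, so that is worth verifying against the allocation path. The function body continues outside the hunk.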
diff --git a/patches.suse/mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch b/patches.suse/mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch new file mode 100644 index 0000000..0072875 --- /dev/null +++ b/patches.suse/mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch @@ -0,0 +1,33 @@ +From 4de95950d970c71a9e82a24573bb7a44fd95baa1 Mon Sep 17 00:00:00 2001 +From: Richard Acayan +Date: Thu, 22 Sep 2022 21:43:22 -0400 +Subject: [PATCH] mmc: sdhci-msm: add compatible string check for sdm670 +Git-commit: 4de95950d970c71a9e82a24573bb7a44fd95baa1 +Patch-mainline: v6.1-rc1 +References: git-fixes + +The Snapdragon 670 has the same quirk as Snapdragon 845 (needing to +restore the dll config). Add a compatible string check to detect the need +for this. + +Signed-off-by: Richard Acayan +Reviewed-by: Bhupesh Sharma +Acked-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220923014322.33620-3-mailingradian@gmail.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/sdhci-msm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -1738,6 +1738,7 @@ static const struct sdhci_msm_variant_in + static const struct of_device_id sdhci_msm_dt_match[] = { + {.compatible = "qcom,sdhci-msm-v4", .data = &sdhci_msm_mci_var}, + {.compatible = "qcom,sdhci-msm-v5", .data = &sdhci_msm_v5_var}, ++ {.compatible = "qcom,sdm670-sdhci", .data = &sdm845_sdhci_var}, + {.compatible = "qcom,sdm845-sdhci", .data = &sdm845_sdhci_var}, + {}, + }; diff --git a/patches.suse/msft-hv-2162-KVM-x86-hyper-v-disallow-configuring-SynIC-timers-wi.patch b/patches.suse/msft-hv-2162-KVM-x86-hyper-v-disallow-configuring-SynIC-timers-wi.patch deleted file mode 100644 index d54993a..0000000 --- a/patches.suse/msft-hv-2162-KVM-x86-hyper-v-disallow-configuring-SynIC-timers-wi.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From: Vitaly Kuznetsov -Date: Thu, 24 Sep 2020 16:57:52 +0200 -Patch-mainline: v5.10-rc1 -References: jsc#sle-12891 -Subject: KVM: x86: hyper-v: disallow configuring SynIC timers with no SynIC -Git-commit: dbcf3f96fa662bd5e1f93ea7c10a8dd0dce180ae - -Hyper-V Synthetic timers require SynIC but we don't seem to check that -upon HV_X64_MSR_STIMER[X]_CONFIG/HV_X64_MSR_STIMER0_COUNT writes. Make -the behavior match synic_set_msr(). - -Signed-off-by: Vitaly Kuznetsov -Message-Id: <20200924145757.1035782-3-vkuznets@redhat.com> -Signed-off-by: Paolo Bonzini -Acked-by: Olaf Hering ---- - arch/x86/kvm/hyperv.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c ---- a/arch/x86/kvm/hyperv.c -+++ b/arch/x86/kvm/hyperv.c -@@ -633,6 +633,11 @@ static int stimer_set_config(struct kvm_vcpu_hv_stimer *stimer, u64 config, - { - union hv_stimer_config new_config = {.as_uint64 = config}, - old_config = {.as_uint64 = stimer->config.as_uint64}; -+ struct kvm_vcpu *vcpu = stimer_to_vcpu(stimer); -+ struct kvm_vcpu_hv_synic *synic = vcpu_to_synic(vcpu); -+ -+ if (!synic->active && !host) -+ return 1; - - trace_kvm_hv_stimer_set_config(stimer_to_vcpu(stimer)->vcpu_id, - stimer->index, config, host); -@@ -652,6 +657,12 @@ static int stimer_set_config(struct kvm_vcpu_hv_stimer *stimer, u64 config, - static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count, - bool host) - { -+ struct kvm_vcpu *vcpu = stimer_to_vcpu(stimer); -+ struct kvm_vcpu_hv_synic *synic = vcpu_to_synic(vcpu); -+ -+ if (!synic->active && !host) -+ return 1; -+ - trace_kvm_hv_stimer_set_count(stimer_to_vcpu(stimer)->vcpu_id, - stimer->index, count, host); - diff --git a/patches.suse/mtd-rawnand-marvell-Use-correct-logic-for-nand-keep-.patch b/patches.suse/mtd-rawnand-marvell-Use-correct-logic-for-nand-keep-.patch new file mode 100644 index 0000000..070ba89 --- /dev/null 
+++ b/patches.suse/mtd-rawnand-marvell-Use-correct-logic-for-nand-keep-.patch @@ -0,0 +1,44 @@ +From ce107713b722af57c4b7f2477594d445b496420e Mon Sep 17 00:00:00 2001 +From: Tony O'Brien +Date: Tue, 27 Sep 2022 15:47:28 +1300 +Subject: [PATCH] mtd: rawnand: marvell: Use correct logic for nand-keep-config +Git-commit: ce107713b722af57c4b7f2477594d445b496420e +Patch-mainline: v6.1-rc3 +References: git-fixes + +Originally the absence of the marvell,nand-keep-config property caused +the setup_data_interface function to be provided. However when +setup_data_interface was moved into nand_controller_ops the logic was +unintentionally inverted. Update the logic so that only if the +marvell,nand-keep-config property is present the bootloader NAND config +kept. + +Cc: stable@vger.kernel.org +Fixes: 7a08dbaedd36 ("mtd: rawnand: Move ->setup_data_interface() to nand_controller_ops") +Signed-off-by: Tony O'Brien +Signed-off-by: Chris Packham +Reviewed-by: Boris Brezillon +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220927024728.28447-1-chris.packham@alliedtelesis.co.nz +Acked-by: Takashi Iwai + +--- + drivers/mtd/nand/raw/marvell_nand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c +index d9f2f1d0b5ef..b9d1e96e3334 100644 +--- a/drivers/mtd/nand/raw/marvell_nand.c ++++ b/drivers/mtd/nand/raw/marvell_nand.c +@@ -2678,7 +2678,7 @@ static int marvell_nand_chip_init(struct device *dev, struct marvell_nfc *nfc, + chip->controller = &nfc->controller; + nand_set_flash_node(chip, np); + +- if (!of_property_read_bool(np, "marvell,nand-keep-config")) ++ if (of_property_read_bool(np, "marvell,nand-keep-config")) + chip->options |= NAND_KEEP_TIMINGS; + + mtd = nand_to_mtd(chip); +-- +2.35.3 + diff --git a/patches.suse/net-mvpp2-fix-mvpp2-debugfs-leak.patch b/patches.suse/net-mvpp2-fix-mvpp2-debugfs-leak.patch new file mode 100644 index 0000000..0879db2 
--- /dev/null
+++ b/patches.suse/net-mvpp2-fix-mvpp2-debugfs-leak.patch
@@ -0,0 +1,96 @@ +From: "Russell King (Oracle)" +Date: Mon, 3 Oct 2022 17:19:27 +0100 +Subject: net: mvpp2: fix mvpp2 debugfs leak +Patch-mainline: v6.1-rc1 +Git-commit: 0152dfee235e87660f52a117fc9f70dc55956bb4 +References: bsc#1204417 CVE-2022-3535 + +When mvpp2 is unloaded, the driver specific debugfs directory is not +removed, which technically leads to a memory leak. However, this +directory is only created when the first device is probed, so the +hardware is present. Removing the module is only something a developer +would to when e.g. testing out changes, so the module would be +reloaded. So this memory leak is minor. + +The original attempt in commit fe2c9c61f668 ("net: mvpp2: debugfs: fix +memory leak when using debugfs_lookup()") that was labelled as a memory +leak fix was not, it fixed a refcount leak, but in doing so created a +problem when the module is reloaded - the directory already exists, but +mvpp2_root is NULL, so we lose all debugfs entries. This fix has been +reverted. + +This is the alternative fix, where we remove the offending directory +whenever the driver is unloaded. 
+ +Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser") +Signed-off-by: Russell King (Oracle) +Reviewed-by: Greg Kroah-Hartman +Reviewed-by: Marcin Wojtas +Link: https://lore.kernel.org/r/E1ofOAB-00CzkG-UO@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 1 + + drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 10 ++++++++-- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 13 ++++++++++++- + 3 files changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +@@ -1202,5 +1202,6 @@ u32 mvpp2_read(struct mvpp2 *priv, u32 o + void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name); + + void mvpp2_dbgfs_cleanup(struct mvpp2 *priv); ++void mvpp2_dbgfs_exit(void); + + #endif +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +@@ -691,6 +691,13 @@ static int mvpp2_dbgfs_port_init(struct + return 0; + } + ++static struct dentry *mvpp2_root; ++ ++void mvpp2_dbgfs_exit(void) ++{ ++ debugfs_remove(mvpp2_root); ++} ++ + void mvpp2_dbgfs_cleanup(struct mvpp2 *priv) + { + debugfs_remove_recursive(priv->dbgfs_dir); +@@ -700,10 +707,9 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *p + + void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name) + { +- struct dentry *mvpp2_dir, *mvpp2_root; ++ struct dentry *mvpp2_dir; + int ret, i; + +- mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL); + if (!mvpp2_root) + mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL); + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -6019,7 +6019,18 @@ static struct platform_driver mvpp2_driv + }, + }; + +-module_platform_driver(mvpp2_driver); ++static int __init mvpp2_driver_init(void) ++{ ++ return platform_driver_register(&mvpp2_driver); ++} 
++module_init(mvpp2_driver_init); ++ ++static void __exit mvpp2_driver_exit(void) ++{ ++ platform_driver_unregister(&mvpp2_driver); ++ mvpp2_dbgfs_exit(); ++} ++module_exit(mvpp2_driver_exit); + + MODULE_DESCRIPTION("Marvell PPv2 Ethernet Driver - www.marvell.com"); + MODULE_AUTHOR("Marcin Wojtas "); diff --git a/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch b/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch index 07c5992..98f0d50 100644 --- a/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch +++ b/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch @@ -4,7 +4,7 @@ Date: Wed, 26 Jan 2022 14:14:52 +0100 Subject: [PATCH] net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup Git-commit: 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 -References: bsc#1196018 CVE-2022-28748 +References: bsc#1196018 CVE-2022-28748 CVE-2022-2964 Patch-mainline: v5.17-rc4 ax88179_rx_fixup() contains several out-of-bounds accesses that can be diff --git a/patches.suse/nfp-fix-use-after-free-in-area_cache_get.patch b/patches.suse/nfp-fix-use-after-free-in-area_cache_get.patch new file mode 100644 index 0000000..becb4d8 --- /dev/null +++ b/patches.suse/nfp-fix-use-after-free-in-area_cache_get.patch 
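Review bot: mvpp2_dbgfs_exit() depends on an ordering that nothing in the code states: it calls `debugfs_remove(mvpp2_root)`, which on kernels where debugfs_remove() is not recursive only removes the directory once every per-device directory has already been removed by mvpp2_dbgfs_cleanup(). mvpp2_driver_exit() does call platform_driver_unregister() first, so the order looks right, but a comment on mvpp2_dbgfs_exit() such as `/* Must run after platform_driver_unregister(): per-device dirs are removed in mvpp2_dbgfs_cleanup(). */` would keep it that way. Separately, the now file-scope `mvpp2_root` is tested and assigned in mvpp2_dbgfs_init() (`if (!mvpp2_root)`) with no lock visible in the hunk; if two devices can probe concurrently this is a check-then-create race, so it is worth confirming that probes are serialized.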
@@ -0,0 +1,72 @@ +From: Jialiang Wang +Date: Wed, 10 Aug 2022 15:30:57 +0800 +Subject: nfp: fix use-after-free in area_cache_get() +Patch-mainline: v6.0-rc1 +Git-commit: 02e1a114fdb71e59ee6770294166c30d437bf86a +References: bsc#1204415 CVE-2022-3545 + +area_cache_get() is used to distribute cache->area and set cache->id, + and if cache->id is not 0 and cache->area->kref refcount is 0, it will + release the cache->area by nfp_cpp_area_release(). area_cache_get() + set cache->id before cpp->op->area_init() and nfp_cpp_area_acquire(). + +But if area_init() or nfp_cpp_area_acquire() fails, the cache->id is + is already set but the refcount is not increased as expected. At this + time, calling the nfp_cpp_area_release() will cause use-after-free. + +To avoid the use-after-free, set cache->id after area_init() and + nfp_cpp_area_acquire() complete successfully. + +Note: This vulnerability is triggerable by providing emulated device + equipped with specified configuration. + + BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760) + Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1 + + Call Trace: + + nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760) + area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884) + + Allocated by task 1: + nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303) + nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802) + nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230) + nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215) + nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744) + + Freed by task 1: + kfree (mm/slub.c:4562) + area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873) + nfp_cpp_read 
(drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973) + nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48) + +Signed-off-by: Jialiang Wang +Reviewed-by: Yinjun Zhang +Acked-by: Simon Horman +Link: https://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c ++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c +@@ -874,7 +874,6 @@ area_cache_get(struct nfp_cpp *cpp, u32 + } + + /* Adjust the start address to be cache size aligned */ +- cache->id = id; + cache->addr = addr & ~(u64)(cache->size - 1); + + /* Re-init to the new ID and address */ +@@ -894,6 +893,8 @@ area_cache_get(struct nfp_cpp *cpp, u32 + return NULL; + } + ++ cache->id = id; ++ + exit: + /* Adjust offset */ + *offset = addr - cache->addr; diff --git a/patches.suse/nilfs2-fix-NULL-pointer-dereference-at-nilfs_bmap_lo.patch b/patches.suse/nilfs2-fix-NULL-pointer-dereference-at-nilfs_bmap_lo.patch new file mode 100644 index 0000000..48fa498 --- /dev/null +++ b/patches.suse/nilfs2-fix-NULL-pointer-dereference-at-nilfs_bmap_lo.patch 
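Review bot: `cache->addr` is still written before area_init() and nfp_cpp_area_acquire() run, so on either failure path the entry is left with whatever `cache->id` it had before but with the new address. If every lookup matches on `id` first this is harmless, but that code is outside the hunk; moving `cache->addr = addr & ~(u64)(cache->size - 1);` next to the relocated `cache->id = id;`, or adding a comment that `addr` is only meaningful while `id` is set, would remove the half-updated state. If area_init() needs the aligned address, it can be computed into a local first. area_cache_get() starts and ends outside the hunks.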
@@ -0,0 +1,46 @@
+From 21a87d88c2253350e115029f14fe2a10a7e6c856 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Sun, 2 Oct 2022 12:08:04 +0900
+Subject: [PATCH] nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()
+Git-commit: 21a87d88c2253350e115029f14fe2a10a7e6c856
+Patch-mainline: v6.1-rc1
+References: CVE-2022-3621 bsc#1204574
+
+If the i_mode field in inode of metadata files is corrupted on disk, it
+can cause the initialization of bmap structure, which should have been
+called from nilfs_read_inode_common(), not to be called. This causes a
+lockdep warning followed by a NULL pointer dereference at
+nilfs_bmap_lookup_at_level().
+
+This patch fixes these issues by adding a missing sanitiy check for the
+i_mode field of metadata file's inode.
+
+Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com
+Reported-by: Tetsuo Handa
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Acked-by: Takashi Iwai
+
+---
+ fs/nilfs2/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
+index b074144f6f83..232dd7b6cca1 100644
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -455,6 +455,8 @@ int nilfs_read_inode_common(struct inode *inode,
+ inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
+ inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec);
+ inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
++ if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode))
++ return -EIO; /* this inode is for metadata and corrupted */
+ if (inode->i_nlink == 0)
+ return -ESTALE; /* this inode is deleted */
+
+--
+2.35.3
+
diff --git a/patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch b/patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch
new file mode 100644
index 0000000..d22fe37
--- /dev/null
+++ b/patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch 
@@ -0,0 +1,71 @@ +From d0d51a97063db4704a5ef6bc978dddab1636a306 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 7 Oct 2022 17:52:26 +0900 +Subject: [PATCH] nilfs2: fix leak of nilfs_root in case of writer thread creation failure +Git-commit: d0d51a97063db4704a5ef6bc978dddab1636a306 +Patch-mainline: v6.1-rc1 +References: CVE-2022-3646 bsc#1204646 + +If nilfs_attach_log_writer() failed to create a log writer thread, it +frees a data structure of the log writer without any cleanup. After +commit e912a5b66837 ("nilfs2: use root object to get ifile"), this causes +a leak of struct nilfs_root, which started to leak an ifile metadata inode +and a kobject on that struct. + +In addition, if the kernel is booted with panic_on_warn, the above +ifile metadata inode leak will cause the following panic when the +nilfs2 kernel module is removed: + + kmem_cache_destroy nilfs2_inode_cache: Slab cache still has objects when + called from nilfs_destroy_cachep+0x16/0x3a [nilfs2] + WARNING: CPU: 8 PID: 1464 at mm/slab_common.c:494 kmem_cache_destroy+0x138/0x140 + ... + RIP: 0010:kmem_cache_destroy+0x138/0x140 + Code: 00 20 00 00 e8 a9 55 d8 ff e9 76 ff ff ff 48 8b 53 60 48 c7 c6 20 70 65 86 48 c7 c7 d8 69 9c 86 48 8b 4c 24 28 e8 ef 71 c7 00 <0f> 0b e9 53 ff ff ff c3 48 81 ff ff 0f 00 00 77 03 31 c0 c3 53 48 + ... + Call Trace: + + ? nilfs_palloc_freev.cold.24+0x58/0x58 [nilfs2] + nilfs_destroy_cachep+0x16/0x3a [nilfs2] + exit_nilfs_fs+0xa/0x1b [nilfs2] + __x64_sys_delete_module+0x1d9/0x3a0 + ? __sanitizer_cov_trace_pc+0x1a/0x50 + ? syscall_trace_enter.isra.19+0x119/0x190 + do_syscall_64+0x34/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + ... + + Kernel panic - not syncing: panic_on_warn set ... + +This patch fixes these issues by calling nilfs_detach_log_writer() cleanup +function if spawning the log writer thread fails. 
+ +Link: https://lkml.kernel.org/r/20221007085226.57667-1-konishi.ryusuke@gmail.com +Fixes: e912a5b66837 ("nilfs2: use root object to get ifile") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+7381dc4ad60658ca4c05@syzkaller.appspotmail.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Acked-by: Takashi Iwai + +--- + fs/nilfs2/segment.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -2781,10 +2781,9 @@ int nilfs_attach_log_writer(struct super + return -ENOMEM; + + err = nilfs_segctor_start_thread(nilfs->ns_writer); +- if (err) { +- kfree(nilfs->ns_writer); +- nilfs->ns_writer = NULL; +- } ++ if (unlikely(err)) ++ nilfs_detach_log_writer(sb); ++ + return err; + } + diff --git a/patches.suse/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch b/patches.suse/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch new file mode 100644 index 0000000..5ee9516 --- /dev/null +++ b/patches.suse/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch 
@@ -0,0 +1,68 @@ +From d325dc6eb763c10f591c239550b8c7e5466a5d09 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Tue, 4 Oct 2022 00:05:19 +0900 +Subject: [PATCH] nilfs2: fix use-after-free bug of struct nilfs_root +Git-commit: d325dc6eb763c10f591c239550b8c7e5466a5d09 +Patch-mainline: v6.1-rc1 +References: CVE-2022-3649 bsc#1204647 + +If the beginning of the inode bitmap area is corrupted on disk, an inode +with the same inode number as the root inode can be allocated and fail +soon after. In this case, the subsequent call to nilfs_clear_inode() on +that bogus root inode will wrongly decrement the reference counter of +struct nilfs_root, and this will erroneously free struct nilfs_root, +causing kernel oopses. + +This fixes the problem by changing nilfs_new_inode() to skip reserved +inode numbers while repairing the inode bitmap. + +Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com +Reported-by: Khalid Masum +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Acked-by: Takashi Iwai + +--- + fs/nilfs2/inode.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -335,6 +335,7 @@ struct inode *nilfs_new_inode(struct ino + struct inode *inode; + struct nilfs_inode_info *ii; + struct nilfs_root *root; ++ struct buffer_head *bh; + int err = -ENOMEM; + ino_t ino; + +@@ -350,11 +351,25 @@ struct inode *nilfs_new_inode(struct ino + ii->i_state = BIT(NILFS_I_NEW); + ii->i_root = root; + +- err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh); ++ err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); + if (unlikely(err)) + goto failed_ifile_create_inode; + /* reference count of i_bh inherits from nilfs_mdt_read_block() */ + ++ if (unlikely(ino < NILFS_USER_INO)) { ++ nilfs_msg(sb, KERN_WARNING, ++ "inode bitmap is inconsistent for reserved 
inodes"); ++ do { ++ brelse(bh); ++ err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); ++ if (unlikely(err)) ++ goto failed_ifile_create_inode; ++ } while (ino < NILFS_USER_INO); ++ ++ nilfs_msg(sb, KERN_INFO, "repaired inode bitmap for reserved inodes"); ++ } ++ ii->i_bh = bh; ++ + atomic64_inc(&root->inodes_count); + inode_init_owner(inode, dir, mode); + inode->i_ino = ino; diff --git a/patches.suse/openvswitch-Fix-double-reporting-of-drops-in-dropwat.patch b/patches.suse/openvswitch-Fix-double-reporting-of-drops-in-dropwat.patch new file mode 100644 index 0000000..27abc72 --- /dev/null +++ b/patches.suse/openvswitch-Fix-double-reporting-of-drops-in-dropwat.patch 
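Review bot: The existing comment `/* reference count of i_bh inherits from nilfs_mdt_read_block() */` now sits above the retry loop, while the buffer it describes is only stored by `ii->i_bh = bh;` after the loop; I would move the comment down to that assignment. The loop also has no explicit bound: it ends only because each nilfs_ifile_create_inode() call is expected to hand back a different, newly marked inode number, presumably giving at most NILFS_USER_INO iterations. A one-line comment stating that would let a reader confirm that a corrupted bitmap cannot make this spin. nilfs_new_inode() continues outside the hunks.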
@@ -0,0 +1,47 @@
+From 1100248a5c5ccd57059eb8d02ec077e839a23826 Mon Sep 17 00:00:00 2001
+From: Mike Pattrick
+Date: Wed, 17 Aug 2022 11:06:34 -0400
+Subject: [PATCH] openvswitch: Fix double reporting of drops in dropwatch
+Git-commit: 1100248a5c5ccd57059eb8d02ec077e839a23826
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+Frames sent to userspace can be reported as dropped in
+ovs_dp_process_packet, however, if they are dropped in the netlink code
+then netlink_attachskb will report the same frame as dropped.
+
+This patch checks for error codes which indicate that the frame has
+already been freed.
+
+Signed-off-by: Mike Pattrick
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109946
+Signed-off-by: David S. Miller
+Acked-by: Takashi Iwai
+
+---
+ net/openvswitch/datapath.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -236,10 +236,17 @@ void ovs_dp_process_packet(struct sk_buf
+ upcall.portid = ovs_vport_find_upcall_portid(p, skb);
+ upcall.mru = OVS_CB(skb)->mru;
+ error = ovs_dp_upcall(dp, skb, key, &upcall, 0);
+- if (unlikely(error))
+- kfree_skb(skb);
+- else
++ switch (error) {
++ case 0:
++ case -EAGAIN:
++ case -ERESTARTSYS:
++ case -EINTR:
+ consume_skb(skb);
++ break;
++ default:
++ kfree_skb(skb);
++ break;
++ }
+ stats_counter = &stats->n_missed;
+ goto out;
+ }
diff --git a/patches.suse/openvswitch-Fix-overreporting-of-drops-in-dropwatch.patch b/patches.suse/openvswitch-Fix-overreporting-of-drops-in-dropwatch.patch
new file mode 100644
index 0000000..199a9eb
--- /dev/null
+++ b/patches.suse/openvswitch-Fix-overreporting-of-drops-in-dropwatch.patch
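Review bot: The `switch (error)` in ovs_dp_process_packet() treats -EAGAIN, -ERESTARTSYS and -EINTR like success, but nothing in the code says why; only the commit message explains that the netlink layer has already reported the drop for those codes. A comment above the cases, e.g. `/* netlink already accounted the drop for these errors; consume_skb() avoids a second dropwatch report */`, would keep a later reader from turning it back into kfree_skb(). The list is also coupled to which errors the upcall path can return, which is not visible in this hunk, so the comment should point to where those codes originate.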
@@ -0,0 +1,42 @@
+From c21ab2afa2c64896a7f0e3cbc6845ec63dcfad2e Mon Sep 17 00:00:00 2001
+From: Mike Pattrick
+Date: Wed, 17 Aug 2022 11:06:35 -0400
+Subject: [PATCH] openvswitch: Fix overreporting of drops in dropwatch
+Git-commit: c21ab2afa2c64896a7f0e3cbc6845ec63dcfad2e
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+Currently queue_userspace_packet will call kfree_skb for all frames,
+whether or not an error occurred. This can result in a single dropped
+frame being reported as multiple drops in dropwatch. This functions
+caller may also call kfree_skb in case of an error. This patch will
+consume the skbs instead and allow caller's to use kfree_skb.
+
+Signed-off-by: Mike Pattrick
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109957
+Signed-off-by: David S. Miller
+Acked-by: Takashi Iwai
+
+---
+ net/openvswitch/datapath.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index ca22aa73c6e0..45f9a7b3410e 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -558,8 +558,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
+ out:
+ if (err)
+ skb_tx_error(skb);
+- kfree_skb(user_skb);
+- kfree_skb(nskb);
++ consume_skb(user_skb);
++ consume_skb(nskb);
++
+ return err;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/openvswitch-switch-from-WARN-to-pr_warn.patch b/patches.suse/openvswitch-switch-from-WARN-to-pr_warn.patch
new file mode 100644
index 0000000..7bccf91
--- /dev/null
+++ b/patches.suse/openvswitch-switch-from-WARN-to-pr_warn.patch
@@ -0,0 +1,42 @@
+From fd954cc1919e35cb92f78671cab6e42d661945a3 Mon Sep 17 00:00:00 2001
+From: Aaron Conole
+Date: Tue, 25 Oct 2022 06:50:17 -0400
+Subject: [PATCH] openvswitch: switch from WARN to pr_warn
+Git-commit: fd954cc1919e35cb92f78671cab6e42d661945a3
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+As noted by Paolo Abeni, pr_warn doesn't generate any splat and can still
+preserve the warning to the user that feature downgrade occurred. We
+likely cannot introduce other kinds of checks / enforcement here because
+syzbot can generate different genl versions to the datapath.
+
+Reported-by: syzbot+31cde0bef4bbf8ba2d86@syzkaller.appspotmail.com
+Fixes: 44da5ae5fbea ("openvswitch: Drop user features if old user space attempted to create datapath")
+Cc: Thomas Graf
+Signed-off-by: Aaron Conole
+Acked-by: Ilya Maximets
+Signed-off-by: Paolo Abeni
+Acked-by: Takashi Iwai
+
+---
+ net/openvswitch/datapath.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index c8a9075ddd0a..155263e73512 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -1616,7 +1616,8 @@ static void ovs_dp_reset_user_features(struct sk_buff *skb,
+ if (IS_ERR(dp))
+ return;
+
+- WARN(dp->user_features, "Dropping previously announced user features\n");
++ pr_warn("%s: Dropping previously announced user features\n",
++ ovs_dp_name(dp));
+ dp->user_features = 0;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/platform-x86-msi-laptop-Change-DMI-match-alias-strin.patch b/patches.suse/platform-x86-msi-laptop-Change-DMI-match-alias-strin.patch
new file mode 100644
index 0000000..6e2fed1
--- /dev/null
+++ b/patches.suse/platform-x86-msi-laptop-Change-DMI-match-alias-strin.patch
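Review bot: The replacement drops the condition: `WARN(dp->user_features, ...)` fired only when features were set, whereas the new `pr_warn()` logs on every call to ovs_dp_reset_user_features() that finds a datapath, even when `dp->user_features` is already 0. Since the commit message says syzbot can drive this path from user space, an unconditional and unthrottled message is a source of log noise that can bury other kernel messages. I would keep the guard and throttle the message: `if (dp->user_features) pr_warn_ratelimited("%s: Dropping previously announced user features\n", ovs_dp_name(dp));`. The function starts outside the hunk.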
@@ -0,0 +1,57 @@ +From 2a2565272a3628e45d61625e36ef17af7af4e3de Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 17 Sep 2022 23:04:07 +0200 +Subject: [PATCH] platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading +Git-commit: 2a2565272a3628e45d61625e36ef17af7af4e3de +Patch-mainline: v6.1-rc1 +References: git-fixes + +On a MSI S270 with Fedora 37 x86_64 / systemd-251.4 the module does not +properly autoload. + +This is likely caused by issues with how systemd-udevd handles the single +quote char (') which is part of the sys_vendor / chassis_vendor strings +on this laptop. As a workaround remove the single quote char + everything +behind it from the sys_vendor + chassis_vendor matches. This fixes +the module not autoloading. + +Link: https://github.com/systemd/systemd/issues/24715 +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220917210407.647432-1-hdegoede@redhat.com +Acked-by: Takashi Iwai + +--- + drivers/platform/x86/msi-laptop.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index 1c29678e5727..2f850396e9a7 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -602,11 +602,10 @@ static const struct dmi_system_id msi_dmi_table[] __initconst = { + { + .ident = "MSI S270", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT'L CO.,LTD"), ++ DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT"), + DMI_MATCH(DMI_PRODUCT_NAME, "MS-1013"), + DMI_MATCH(DMI_PRODUCT_VERSION, "0131"), +- DMI_MATCH(DMI_CHASSIS_VENDOR, +- "MICRO-STAR INT'L CO.,LTD") ++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT") + }, + .driver_data = &quirk_old_ec_model, + .callback = dmi_check_cb +@@ -639,8 +638,7 @@ static const struct dmi_system_id msi_dmi_table[] __initconst = { + DMI_MATCH(DMI_SYS_VENDOR, "NOTEBOOK"), + DMI_MATCH(DMI_PRODUCT_NAME, "SAM2000"), + DMI_MATCH(DMI_PRODUCT_VERSION, "0131"), +- 
DMI_MATCH(DMI_CHASSIS_VENDOR, +- "MICRO-STAR INT'L CO.,LTD") ++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT") + }, + .driver_data = &quirk_old_ec_model, + .callback = dmi_check_cb +-- +2.35.3 + diff --git a/patches.suse/power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch b/patches.suse/power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch new file mode 100644 index 0000000..4d6b1b2 --- /dev/null +++ b/patches.suse/power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch @@ -0,0 +1,43 @@ +From 9d47e01b9d807808224347935562f7043a358054 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Sat, 27 Aug 2022 07:32:23 +0000 +Subject: [PATCH] power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() +Git-commit: 9d47e01b9d807808224347935562f7043a358054 +Patch-mainline: v6.1-rc1 +References: git-fixes + +ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length +of 8, but adp5061_chg_type array size is 4, may end up reading 4 elements +beyond the end of the adp5061_chg_type[] array. + +Signed-off-by: Wei Yongjun +Acked-by: Michael Hennerich +Signed-off-by: Sebastian Reichel +Acked-by: Takashi Iwai + +--- + drivers/power/supply/adp5061.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/power/supply/adp5061.c b/drivers/power/supply/adp5061.c +index 003557043ab3..daee1161c305 100644 +--- a/drivers/power/supply/adp5061.c ++++ b/drivers/power/supply/adp5061.c +@@ -427,11 +427,11 @@ static int adp5061_get_chg_type(struct adp5061_state *st, + if (ret < 0) + return ret; + +- chg_type = adp5061_chg_type[ADP5061_CHG_STATUS_1_CHG_STATUS(status1)]; +- if (chg_type > ADP5061_CHG_FAST_CV) ++ chg_type = ADP5061_CHG_STATUS_1_CHG_STATUS(status1); ++ if (chg_type >= ARRAY_SIZE(adp5061_chg_type)) + val->intval = POWER_SUPPLY_STATUS_UNKNOWN; + else +- val->intval = chg_type; ++ val->intval = adp5061_chg_type[chg_type]; + + return ret; + } +-- +2.35.3 + 
diff --git a/patches.suse/powerpc-64-Remove-unused-SYS_CALL_TABLE-symbol.patch b/patches.suse/powerpc-64-Remove-unused-SYS_CALL_TABLE-symbol.patch new file mode 100644 index 0000000..9d5abbe --- /dev/null +++ b/patches.suse/powerpc-64-Remove-unused-SYS_CALL_TABLE-symbol.patch @@ -0,0 +1,44 @@ +From e74611aa91bb9939dfc4a41b045a1a19227cff98 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 13 Sep 2022 22:45:45 +1000 +Subject: [PATCH] powerpc/64: Remove unused SYS_CALL_TABLE symbol + +References: jsc#SLE-9246 git-fixes +Patch-mainline: v6.1-rc1 +Git-commit: e74611aa91bb9939dfc4a41b045a1a19227cff98 + +In interrupt_64.S, formerly entry_64.S, there are two toc entries +created for sys_call_table and compat_sys_call_table. + +These are no longer used, since the system call entry was converted from +asm to C, so remove them. + +Fixes: 68b34588e202 ("powerpc/64/sycall: Implement syscall entry/exit logic in C") +Acked-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220913124545.2817825-1-mpe@ellerman.id.au +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/interrupt_64.S | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -45,17 +45,7 @@ + #include + #include + +-/* +- * System calls. +- */ + .section ".toc","aw" +-SYS_CALL_TABLE: +- .tc sys_call_table[TC],sys_call_table +- +-#ifdef CONFIG_COMPAT +-COMPAT_SYS_CALL_TABLE: +- .tc compat_sys_call_table[TC],compat_sys_call_table +-#endif + + /* This value is used to mark exception frames on the stack. */ + exception_marker: diff --git a/patches.suse/powerpc-fadump-align-destination-address-to-pagesize.patch b/patches.suse/powerpc-fadump-align-destination-address-to-pagesize.patch new file mode 100644 index 0000000..6128352 --- /dev/null +++ b/patches.suse/powerpc-fadump-align-destination-address-to-pagesize.patch 
@@ -0,0 +1,62 @@
+From 9cf3b3a33a36ef4a988be0a770edd3555297f2a9 Mon Sep 17 00:00:00 2001
+From: Hari Bathini
+Date: Wed, 6 Apr 2022 15:08:38 +0530
+Subject: [PATCH] powerpc/fadump: align destination address to pagesize
+
+References: bsc#1204728 ltc#200074
+Patch-mainline: v5.19-rc1
+Git-commit: 9cf3b3a33a36ef4a988be0a770edd3555297f2a9
+
+On crash, boot memory area is copied to a destination address by f/w.
+This region is setup as separate PT_LOAD segment with appropriate
+offset to handle the different physical address and offset in vmcore.
+If this destination address is not page aligned, reading the vmcore
+with mmap is likely to fail forcing tools like makedumpfile to fall
+back to regular read. Avoid mmap read failure by ensuring that the
+destination address is always page aligned.
+
+Signed-off-by: Hari Bathini
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220406093839.206608-3-hbathini@linux.ibm.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/kernel/fadump.c | 5 +++++
+ arch/powerpc/platforms/pseries/rtas-fadump.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
+index 044fbf7e4d8a..4f2bd7952604 100644
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -365,6 +365,11 @@ static unsigned long __init get_fadump_area_size(void)
+
+ size += fw_dump.cpu_state_data_size;
+ size += fw_dump.hpte_region_size;
++ /*
++ * Account for pagesize alignment of boot memory area destination address.
++ * This faciliates in mmap reading of first kernel's memory.
++ */
++ size = PAGE_ALIGN(size);
+ size += fw_dump.boot_memory_size;
+ size += sizeof(struct fadump_crash_info_header);
+ size += sizeof(struct elfhdr); /* ELF core header.*/
+diff --git a/arch/powerpc/platforms/pseries/rtas-fadump.c b/arch/powerpc/platforms/pseries/rtas-fadump.c
+index 617c0f3b1f4f..bc8d1ce20f8f 100644
+--- a/arch/powerpc/platforms/pseries/rtas-fadump.c
++++ b/arch/powerpc/platforms/pseries/rtas-fadump.c
+@@ -108,6 +108,12 @@ static u64 rtas_fadump_init_mem_struct(struct fw_dump *fadump_conf)
+ fdm.hpte_region.destination_address = cpu_to_be64(addr);
+ addr += fadump_conf->hpte_region_size;
+
++ /*
++ * Align boot memory area destination address to page boundary to
++ * be able to mmap read this area in the vmcore.
++ */
++ addr = PAGE_ALIGN(addr);
++
+ /* RMA region section */
+ fdm.rmr_region.request_flag = cpu_to_be32(RTAS_FADUMP_REQUEST_FLAG);
+ fdm.rmr_region.source_data_type =
+-- 
+2.35.3
+
diff --git a/patches.suse/powerpc-kprobes-Fix-null-pointer-reference-in-arch_p.patch b/patches.suse/powerpc-kprobes-Fix-null-pointer-reference-in-arch_p.patch
new file mode 100644
index 0000000..c63c21b
--- /dev/null
+++ b/patches.suse/powerpc-kprobes-Fix-null-pointer-reference-in-arch_p.patch
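Review bot: The padding reserved by `size = PAGE_ALIGN(size);` in get_fadump_area_size() equals the padding consumed by `addr = PAGE_ALIGN(addr);` in rtas_fadump_init_mem_struct() only if the address the dump area starts at is itself page-aligned. That start address is set outside both hunks, so this cannot be confirmed here; if it can be unaligned, the second alignment may skip more bytes than the first one accounted for, and the regions laid out after it would extend past the reserved size. Stating the assumption next to the size computation would make it checkable, e.g. `/* assumes the reserved dump area starts on a page boundary */`. The added comment also misspells "facilitates" as `faciliates`; both functions continue outside their hunks.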
@@ -0,0 +1,99 @@
+From 97f88a3d723162781d6cbfdc7b9617eefab55b19 Mon Sep 17 00:00:00 2001
+From: Li Huafei
+Date: Fri, 23 Sep 2022 17:32:53 +0800
+Subject: [PATCH] powerpc/kprobes: Fix null pointer reference in
+ arch_prepare_kprobe()
+
+References: jsc#SLE-13847 git-fixes
+Patch-mainline: v6.1-rc1
+Git-commit: 97f88a3d723162781d6cbfdc7b9617eefab55b19
+
+I found a null pointer reference in arch_prepare_kprobe():
+
+ # echo 'p cmdline_proc_show' > kprobe_events
+ # echo 'p cmdline_proc_show+16' >> kprobe_events
+ Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
+ BUG: Kernel NULL pointer dereference on read at 0x00000000
+ Faulting instruction address: 0xc000000000050bfc
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
+ Modules linked in:
+ CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10
+ NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc
+ REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
+ MSR: 9000000000009033 CR: 88002444 XER: 20040006
+ CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
+ ...
+ NIP arch_prepare_kprobe+0x10c/0x2d0
+ LR arch_prepare_kprobe+0xfc/0x2d0
+ Call Trace:
+ 0xc0000000012f77a0 (unreliable)
+ register_kprobe+0x3c0/0x7a0
+ __register_trace_kprobe+0x140/0x1a0
+ __trace_kprobe_create+0x794/0x1040
+ trace_probe_create+0xc4/0xe0
+ create_or_delete_trace_kprobe+0x2c/0x80
+ trace_parse_run_command+0xf0/0x210
+ probes_write+0x20/0x40
+ vfs_write+0xfc/0x450
+ ksys_write+0x84/0x140
+ system_call_exception+0x17c/0x3a0
+ system_call_vectored_common+0xe8/0x278
+ --- interrupt: 3000 at 0x7fffa5682de0
+ NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000
+ REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
+ MSR: 900000000280f033 CR: 44002408 XER: 00000000
+
+The address being probed has some special:
+
+ cmdline_proc_show: Probe based on ftrace
+ cmdline_proc_show+16: Probe for the next instruction at the ftrace location
+
+The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets
+set to NULL. In arch_prepare_kprobe() it will check for:
+
+ ...
+ prev = get_kprobe(p->addr - 1);
+ preempt_enable_no_resched();
+ if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
+ ...
+
+If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur
+with a null pointer reference. At this point prev->addr will not be a
+prefixed instruction, so the check can be skipped.
+
+Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn'
+to fix this problem.
+
+Fixes: b4657f7650ba ("powerpc/kprobes: Don't allow breakpoints on suffixes")
+Signed-off-by: Li Huafei
+[mpe: Trim oops]
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220923093253.177298-1-lihuafei1@huawei.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/kernel/kprobes.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c
+index 912d4f8a13be..bd7b1a035459 100644
+--- a/arch/powerpc/kernel/kprobes.c
++++ b/arch/powerpc/kernel/kprobes.c
+@@ -161,7 +161,13 @@ int arch_prepare_kprobe(struct kprobe *p)
+ preempt_disable();
+ prev = get_kprobe(p->addr - 1);
+ preempt_enable_no_resched();
+- if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
++
++ /*
++ * When prev is a ftrace-based kprobe, we don't have an insn, and it
++ * doesn't probe for prefixed instruction.
++ */
++ if (prev && !kprobe_ftrace(prev) &&
++ ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
+ printk("Cannot register a kprobe on the second word of prefixed instruction\n");
+ ret = -EINVAL;
+ }
+-- 
+2.35.3
+
diff --git a/patches.suse/powerpc-mm-64s-Drop-pgd_huge.patch b/patches.suse/powerpc-mm-64s-Drop-pgd_huge.patch
new file mode 100644
index 0000000..400bd5c
--- /dev/null
+++ b/patches.suse/powerpc-mm-64s-Drop-pgd_huge.patch
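Review bot: In arch_prepare_kprobe() the added `kprobe_ftrace(prev)` test and the existing `prev->ainsn.insn` read both dereference prev after `preempt_enable_no_resched()`, that is, outside the section that covered the get_kprobe() lookup. What keeps prev alive at that point is not visible in the hunk; presumably the caller serialises probe registration and removal, as the register_kprobe frame in the quoted trace suggests. The new comment block is the natural place to record it, e.g. an extra line `* prev stays valid here because registration is serialised by the caller (confirm).` The function starts and ends outside the hunk.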
@@ -0,0 +1,115 @@
+From 51da853e3708852f47cd95e6f5e1821c3d54c3ef Mon Sep 17 00:00:00 2001
+From: Michael Ellerman
+Date: Sat, 3 Sep 2022 22:36:39 +1000
+Subject: [PATCH] powerpc/mm/64s: Drop pgd_huge()
+
+References: bsc#1065729
+Patch-mainline: v6.1-rc1
+Git-commit: 51da853e3708852f47cd95e6f5e1821c3d54c3ef
+
+On powerpc there are two ways for huge pages to be represented in the
+top level page table, aka PGD (Page Global Directory).
+
+If the address space mapped by an individual PGD entry does not
+correspond to a given huge page size, then the PGD entry points to a
+non-standard page table, known as a "hugepd" (Huge Page Directory).
+The hugepd contains some number of huge page PTEs sufficient to map the
+address space with the given huge page size.
+
+On the other hand, if the address space mapped by an individual PGD
+entry does correspond exactly to a given huge page size, that PGD entry
+is used to directly encode the huge page PTE in place. In this case the
+pgd_huge() wrapper indicates to generic code that the PGD entry is
+actually a huge page PTE.
+
+This commit deals with the pgd_huge() case only, it does nothing with
+respect to the hugepd case.
+
+Over time the size of the virtual address space supported on powerpc has
+increased several times, which means the location at which huge pages
+can sit in the tree has also changed. There have also been new huge page
+sizes added, with the introduction of the Radix MMU.
+
+On Power9 and later with the Radix MMU, the largest huge page size in
+any implementation is 1GB.
+
+Since the introduction of Radix, 1GB entries have been supported at the
+PUD level, with both 4K and 64K base page size. Radix has never had a
+supported huge page size at the PGD level.
+
+On Power8 or earlier, which uses the Hash MMU, or Power9 or later with
+the Hash MMU enabled, the largest huge page size is 16GB.
+
+Using the Hash MMU and a base page size of 4K, 16GB has never been a
+supported huge page size at the PGD level, due to the geometry being
+incompatible. The two supported huge page sizes (16M & 16GB) both use
+the hugepd format.
+
+Using the Hash MMU and a base page size of 64K, 16GB pages were
+supported in the past at the PGD level.
+
+However in commit ba95b5d03596 ("powerpc/mm/book3s/64: Rework page table
+geometry for lower memory usage") the page table layout was reworked to
+shrink the size of the PGD.
+
+As a result the 16GB page size now fits at the PUD level when using 64K
+base page size.
+
+Therefore there are no longer any supported configurations where
+pgd_huge() can be true, so drop the definitions for pgd_huge(), and
+fallback to the generic definition which is always false.
+
+Fixes: ba95b5d03596 ("powerpc/mm/book3s/64: Rework page table geometry for lower memory usage")
+Reviewed-by: Aneesh Kumar K.V
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220903123640.719846-1-mpe@ellerman.id.au
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/include/asm/book3s/64/pgtable-4k.h | 10 ----------
+ arch/powerpc/include/asm/book3s/64/pgtable-64k.h | 9 ---------
+ 2 files changed, 19 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/book3s/64/pgtable-4k.h b/arch/powerpc/include/asm/book3s/64/pgtable-4k.h
+index 4e697bc2f4cd..48f21820afe2 100644
+--- a/arch/powerpc/include/asm/book3s/64/pgtable-4k.h
++++ b/arch/powerpc/include/asm/book3s/64/pgtable-4k.h
+@@ -26,16 +26,6 @@ static inline int pud_huge(pud_t pud)
+ return 0;
+ }
+
+-static inline int pgd_huge(pgd_t pgd)
+-{
+- /*
+- * leaf pte for huge page
+- */
+- if (radix_enabled())
+- return !!(pgd_raw(pgd) & cpu_to_be64(_PAGE_PTE));
+- return 0;
+-}
+-#define pgd_huge pgd_huge
+ /*
+ * With radix , we have hugepage ptes in the pud and pmd entries. We don't
+ * need to setup hugepage directory for them.
Our pte and page directory format +diff --git a/arch/powerpc/include/asm/book3s/64/pgtable-64k.h b/arch/powerpc/include/asm/book3s/64/pgtable-64k.h +index 34d1018896b3..2fce3498b000 100644 +--- a/arch/powerpc/include/asm/book3s/64/pgtable-64k.h ++++ b/arch/powerpc/include/asm/book3s/64/pgtable-64k.h +@@ -30,15 +30,6 @@ static inline int pud_huge(pud_t pud) + return !!(pud_raw(pud) & cpu_to_be64(_PAGE_PTE)); + } + +-static inline int pgd_huge(pgd_t pgd) +-{ +- /* +- * leaf pte for huge page +- */ +- return !!(pgd_raw(pgd) & cpu_to_be64(_PAGE_PTE)); +-} +-#define pgd_huge pgd_huge +- + /* + * With 64k page size, we have hugepage ptes in the pgd and pmd entries. We don't + * need to setup hugepage directory for them. Our pte and page directory format +-- +2.35.3 + diff --git a/patches.suse/powerpc-mm-radix-Create-separate-mappings-for-hot-pl.patch b/patches.suse/powerpc-mm-radix-Create-separate-mappings-for-hot-pl.patch index 07409ff..c1a857e 100644 --- a/patches.suse/powerpc-mm-radix-Create-separate-mappings-for-hot-pl.patch +++ b/patches.suse/powerpc-mm-radix-Create-separate-mappings-for-hot-pl.patch @@ -65,8 +65,8 @@ Acked-by: Michal Suchanek --- a/arch/powerpc/mm/book3s64/radix_pgtable.c +++ b/arch/powerpc/mm/book3s64/radix_pgtable.c @@ -14,6 +14,7 @@ - #include #include + #include #include +#include diff --git a/patches.suse/powerpc-mm-radix-Remove-split_kernel_mapping.patch b/patches.suse/powerpc-mm-radix-Remove-split_kernel_mapping.patch index 7f3d398..990db34 100644 --- a/patches.suse/powerpc-mm-radix-Remove-split_kernel_mapping.patch +++ b/patches.suse/powerpc-mm-radix-Remove-split_kernel_mapping.patch @@ -52,8 +52,8 @@ Acked-by: Michal Suchanek --- a/arch/powerpc/mm/book3s64/radix_pgtable.c +++ b/arch/powerpc/mm/book3s64/radix_pgtable.c @@ -14,7 +14,6 @@ - #include #include + #include #include -#include 
diff --git a/patches.suse/powerpc-mm-remove-pmd_huge-pud_huge-stubs-and-includ.patch b/patches.suse/powerpc-mm-remove-pmd_huge-pud_huge-stubs-and-includ.patch
new file mode 100644
index 0000000..51eca03
--- /dev/null
+++ b/patches.suse/powerpc-mm-remove-pmd_huge-pud_huge-stubs-and-includ.patch
@@ -0,0 +1,88 @@
+From 997cdcb068eb58d37f9f9b1d219368000066d272 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz
+Date: Sat, 30 Nov 2019 17:56:37 -0800
+Subject: [PATCH] powerpc/mm: remove pmd_huge/pud_huge stubs and include
+ hugetlb.h
+
+References: bsc#1065729
+Patch-mainline: v5.5-rc1
+Git-commit: 997cdcb068eb58d37f9f9b1d219368000066d272
+
+Patch series "hugetlbfs: convert macros to static inline, fix sparse
+warning".
+
+The definition for huge_pte_offset() in causes a
+sparse warning in the !CONFIG_HUGETLB_PAGE. Fix this as well as
+converting all macros in this block of definitions to static inlines for
+better type checking.
+
+When making the above changes, build errors were found in powerpc due to
+duplicate definitions. A separate powerpc specific patch is included as
+a requisite to remove the definitions and get them from
+.
+
+This patch (of 2):
+
+This removes the power specific stubs created by commit aad71e3928be
+("powerpc/mm: Fix build break with RADIX=y & HUGETLBFS=n") used when
+!CONFIG_HUGETLB_PAGE. Instead, it addresses the build break by getting
+the definitions from . This allows the macros in
+ to be replaced with static inlines.
+
+Link: http://lkml.kernel.org/r/20191112194558.139389-2-mike.kravetz@oracle.com
+Signed-off-by: Mike Kravetz
+Acked-by: Michael Ellerman
+Cc: Ben Dooks
+Cc: Jason Gunthorpe
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/include/asm/book3s/64/pgtable-4k.h | 3 ---
+ arch/powerpc/include/asm/book3s/64/pgtable-64k.h | 3 ---
+ arch/powerpc/mm/book3s64/radix_pgtable.c | 1 +
+ 3 files changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/book3s/64/pgtable-4k.h b/arch/powerpc/include/asm/book3s/64/pgtable-4k.h
+index a069dfcac9a9..4e697bc2f4cd 100644
+--- a/arch/powerpc/include/asm/book3s/64/pgtable-4k.h
++++ b/arch/powerpc/include/asm/book3s/64/pgtable-4k.h
+@@ -70,9 +70,6 @@ static inline int get_hugepd_cache_index(int index)
+ /* should not reach */
+ }
+
+-#else /* !CONFIG_HUGETLB_PAGE */
+-static inline int pmd_huge(pmd_t pmd) { return 0; }
+-static inline int pud_huge(pud_t pud) { return 0; }
+ #endif /* CONFIG_HUGETLB_PAGE */
+
+ #endif /* __ASSEMBLY__ */
+diff --git a/arch/powerpc/include/asm/book3s/64/pgtable-64k.h b/arch/powerpc/include/asm/book3s/64/pgtable-64k.h
+index e3d4dd4ae2fa..34d1018896b3 100644
+--- a/arch/powerpc/include/asm/book3s/64/pgtable-64k.h
++++ b/arch/powerpc/include/asm/book3s/64/pgtable-64k.h
+@@ -59,9 +59,6 @@ static inline int get_hugepd_cache_index(int index)
+ BUG();
+ }
+
+-#else /* !CONFIG_HUGETLB_PAGE */
+-static inline int pmd_huge(pmd_t pmd) { return 0; }
+-static inline int pud_huge(pud_t pud) { return 0; }
+ #endif /* CONFIG_HUGETLB_PAGE */
+
+ static inline int remap_4k_pfn(struct vm_area_struct *vma, unsigned long addr,
+diff --git a/arch/powerpc/mm/book3s64/radix_pgtable.c b/arch/powerpc/mm/book3s64/radix_pgtable.c
+index 6ee17d09649c..974109bb85db 100644
+--- a/arch/powerpc/mm/book3s64/radix_pgtable.c
++++ b/arch/powerpc/mm/book3s64/radix_pgtable.c
+@@ -13,6 +13,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+-- 
+2.35.3
+
diff --git a/patches.suse/powerpc-pci_dn-Add-missing-of_node_put.patch b/patches.suse/powerpc-pci_dn-Add-missing-of_node_put.patch
new file mode 100644
index 0000000..16595fd
--- /dev/null
+++ b/patches.suse/powerpc-pci_dn-Add-missing-of_node_put.patch
@@ -0,0 +1,38 @@
+From 110a1fcb6c4d55144d8179983a475f17a1d6f832 Mon Sep 17 00:00:00 2001
+From: Liang He
+Date: Fri, 1 Jul 2022 21:17:50 +0800
+Subject: [PATCH] powerpc/pci_dn: Add missing of_node_put()
+
+References: bsc#1065729
+Patch-mainline: v6.1-rc1
+Git-commit: 110a1fcb6c4d55144d8179983a475f17a1d6f832
+
+In pci_add_device_node_info(), use of_node_put() to drop the reference
+to 'parent' returned by of_get_parent() to keep refcount balance.
+
+Fixes: cca87d303c85 ("powerpc/pci: Refactor pci_dn")
+Co-authored-by: Miaoqian Lin
+Signed-off-by: Liang He
+Signed-off-by: Michael Ellerman
+Reviewed-by: Tyrel Datwyler
+Link: https://lore.kernel.org/r/20220701131750.240170-1-windhl@126.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/kernel/pci_dn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/kernel/pci_dn.c b/arch/powerpc/kernel/pci_dn.c
+index 7a35fc25a304..38561d6a2079 100644
+--- a/arch/powerpc/kernel/pci_dn.c
++++ b/arch/powerpc/kernel/pci_dn.c
+@@ -330,6 +330,7 @@ struct pci_dn *pci_add_device_node_info(struct pci_controller *hose,
+ INIT_LIST_HEAD(&pdn->list);
+ parent = of_get_parent(dn);
+ pdn->parent = parent ? PCI_DN(parent) : NULL;
++ of_node_put(parent);
+ if (pdn->parent)
+ list_add_tail(&pdn->list, &pdn->parent->child_list);
+
+-- 
+2.35.3
+
diff --git a/patches.suse/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch b/patches.suse/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch
new file mode 100644
index 0000000..fba3d94
--- /dev/null
+++ b/patches.suse/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch
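Review bot: In pci_add_device_node_info() the added `of_node_put(parent);` drops the node reference while `pdn->parent`, obtained from that node through PCI_DN(parent), is kept and linked into the parent's child_list on the following lines. That is safe only if the parent's pci_dn is guaranteed to outlive this child by some other means, which the hunk does not show. A comment stating that guarantee would make the refcount balance reviewable, e.g. `/* only the pci_dn pointer is kept; its lifetime is held by <owner> (confirm) */`. The function body starts and ends outside the hunk.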
@@ -0,0 +1,37 @@
+From 71a92e99c47900cc164620948b3863382cec4f1a Mon Sep 17 00:00:00 2001
+From: Zheng Yongjun
+Date: Tue, 6 Sep 2022 14:17:03 +0000
+Subject: [PATCH] powerpc/powernv: add missing of_node_put() in
+ opal_export_attrs()
+
+References: bsc#1065729
+Patch-mainline: v6.1-rc1
+Git-commit: 71a92e99c47900cc164620948b3863382cec4f1a
+
+After using 'np' returned by of_find_node_by_path(), of_node_put()
+need be called to decrease the refcount.
+
+Fixes: 11fe909d2362 ("powerpc/powernv: Add OPAL exports attributes to sysfs")
+Signed-off-by: Zheng Yongjun
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220906141703.118192-1-zhengyongjun3@huawei.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/platforms/powernv/opal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
+index e536a6a3c801..cdf3838f08d3 100644
+--- a/arch/powerpc/platforms/powernv/opal.c
++++ b/arch/powerpc/platforms/powernv/opal.c
+@@ -892,6 +892,7 @@ static void opal_export_attrs(void)
+ kobj = kobject_create_and_add("exports", opal_kobj);
+ if (!kobj) {
+ pr_warn("kobject_create_and_add() of exports failed\n");
++ of_node_put(np);
+ return;
+ }
+
+-- 
+2.35.3
+
diff --git a/patches.suse/powerpc-pseries-Interface-to-represent-PAPR-firmware.patch b/patches.suse/powerpc-pseries-Interface-to-represent-PAPR-firmware.patch
new file mode 100644
index 0000000..30875a9
--- /dev/null
+++ b/patches.suse/powerpc-pseries-Interface-to-represent-PAPR-firmware.patch
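Review bot: The added `of_node_put(np);` in opal_export_attrs() covers only the kobject_create_and_add() failure return, so the reference handling is now spread over at least two exits, and any other early return between the lookup of np and the end of the function would still leak it. The rest of the function is outside the hunk, so whether such returns exist cannot be checked here. A single exit label keeps the put in one place: replace the new line and the `return;` with `goto out;` and end the function with `out: of_node_put(np);`, assuming the normal path drops np at that point.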
@@ -0,0 +1,565 @@
+From 3c14b73454cf9f6e2146443fdfbdfb912c0efed3 Mon Sep 17 00:00:00 2001
+From: "Pratik R. Sampat"
+Date: Thu, 17 Feb 2022 16:23:20 +0530
+Subject: [PATCH] powerpc/pseries: Interface to represent PAPR firmware
+ attributes
+
+References: bsc#1200465 ltc#197256 jsc#PED-1931
+Patch-mainline: v5.18-rc1
+Git-commit: 3c14b73454cf9f6e2146443fdfbdfb912c0efed3
+
+Adds a syscall interface to represent the energy and frequency related
+PAPR attributes on the system using the new H_CALL
+"H_GET_ENERGY_SCALE_INFO".
+
+H_GET_EM_PARMS H_CALL was previously responsible for exporting this
+information in the lparcfg, however the H_GET_EM_PARMS H_CALL
+will be deprecated P10 onwards.
+
+The H_GET_ENERGY_SCALE_INFO H_CALL is of the following call format:
+hcall(
+ uint64 H_GET_ENERGY_SCALE_INFO, // Get energy scale info
+ uint64 flags, // Per the flag request
+ uint64 firstAttributeId,// The attribute id
+ uint64 bufferAddress, // Guest physical address of the output buffer
+ uint64 bufferSize // The size in bytes of the output buffer
+);
+As specified in PAPR+ v2.11, section 14.14.3.
+
+This H_CALL can query either all the attributes at once with
+firstAttributeId = 0, flags = 0 as well as query only one attribute
+at a time with firstAttributeId = id, flags = 1.
+
+The output buffer consists of the following
+1. number of attributes - 8 bytes
+2. array offset to the data location - 8 bytes
+3. version info - 1 byte
+4. A data array of size num attributes, which contains the following:
+ a. attribute ID - 8 bytes
+ b. attribute value in number - 8 bytes
+ c. attribute name in string - 64 bytes
+ d. attribute value in string - 64 bytes
+
+The new H_CALL exports information in direct string value format, hence
+a new interface has been introduced in
+/sys/firmware/papr/energy_scale_info to export this information to
+userspace so that the firmware can add new values without the need for
+the kernel to be changed.
+
+The H_CALL returns the name, numeric value and string value (if exists)
+
+The format of exposing the sysfs information is as follows:
+/sys/firmware/papr/energy_scale_info/
+ |-- /
+ |-- desc
+ |-- value
+ |-- value_desc (if exists)
+ |-- /
+ |-- desc
+ |-- value
+ |-- value_desc (if exists)
+...
+
+The energy information that is exported is useful for userspace tools
+such as powerpc-utils. Currently these tools infer the
+"power_mode_data" value in the lparcfg, which in turn is obtained from
+the to be deprecated H_GET_EM_PARMS H_CALL.
+
+On future platforms, such userspace utilities will have to look at the
+data returned from the new H_CALL being populated in this new sysfs
+interface and report this information directly without the need of
+interpretation.
+
+Signed-off-by: Pratik R. Sampat
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220217105321.52941-2-psampat@linux.ibm.com
+Acked-by: Michal Suchanek
+---
+ .../sysfs-firmware-papr-energy-scale-info | 29 ++
+ arch/powerpc/include/asm/firmware.h | 4 +-
+ arch/powerpc/include/asm/hvcall.h | 3 +-
+ arch/powerpc/kvm/trace_hv.h | 1 +
+ arch/powerpc/platforms/pseries/Makefile | 3 +-
+ arch/powerpc/platforms/pseries/firmware.c | 1 +
+ .../pseries/papr_platform_attributes.c | 361 ++++++++++++++++++
+ 7 files changed, 399 insertions(+), 3 deletions(-)
+ create mode 100644 Documentation/ABI/testing/sysfs-firmware-papr-energy-scale-info
+ create mode 100644 arch/powerpc/platforms/pseries/papr_platform_attributes.c
+
+diff --git a/Documentation/ABI/testing/sysfs-firmware-papr-energy-scale-info b/Documentation/ABI/testing/sysfs-firmware-papr-energy-scale-info
+new file mode 100644
+index 000000000000..141a6b371469
+--- /dev/null
++++ b/Documentation/ABI/testing/sysfs-firmware-papr-energy-scale-info
+@@ -0,0 +1,29 @@
++What: /sys/firmware/papr/energy_scale_info
++Date: February 2022
++Contact: Linux for PowerPC mailing list
++Description: Directory hosting a set of platform attributes like
++
energy/frequency on Linux running as a PAPR guest.
++
++ Each file in a directory contains a platform
++ attribute hierarchy pertaining to performance/
++ energy-savings mode and processor frequency.
++
++What: /sys/firmware/papr/energy_scale_info/
++Date: February 2022
++Contact: Linux for PowerPC mailing list
++Description: Energy, frequency attributes directory for POWERVM servers
++
++What: /sys/firmware/papr/energy_scale_info//desc
++Date: February 2022
++Contact: Linux for PowerPC mailing list
++Description: String description of the energy attribute of
++
++What: /sys/firmware/papr/energy_scale_info//value
++Date: February 2022
++Contact: Linux for PowerPC mailing list
++Description: Numeric value of the energy attribute of
++
++What: /sys/firmware/papr/energy_scale_info//value_desc
++Date: February 2022
++Contact: Linux for PowerPC mailing list
++Description: String value of the energy attribute of
+diff --git a/arch/powerpc/include/asm/firmware.h b/arch/powerpc/include/asm/firmware.h
+--- a/arch/powerpc/include/asm/firmware.h
++++ b/arch/powerpc/include/asm/firmware.h
+@@ -54,6 +54,7 @@
+ #define FW_FEATURE_BLOCK_REMOVE ASM_CONST(0x0000001000000000)
+ #define FW_FEATURE_PAPR_SCM ASM_CONST(0x0000002000000000)
+ #define FW_FEATURE_RPT_INVALIDATE ASM_CONST(0x0000010000000000)
++#define FW_FEATURE_ENERGY_SCALE_INFO ASM_CONST(0x0000040000000000)
+
+ #ifndef __ASSEMBLY__
+
+@@ -74,7 +75,8 @@ enum {
+ FW_FEATURE_TYPE1_AFFINITY | FW_FEATURE_PRRN |
+ FW_FEATURE_HPT_RESIZE | FW_FEATURE_DRMEM_V2 |
+ FW_FEATURE_DRC_INFO | FW_FEATURE_BLOCK_REMOVE |
+- FW_FEATURE_PAPR_SCM | FW_FEATURE_RPT_INVALIDATE,
++ FW_FEATURE_PAPR_SCM | FW_FEATURE_RPT_INVALIDATE |
++ FW_FEATURE_ENERGY_SCALE_INFO,
+ FW_FEATURE_PSERIES_ALWAYS = 0,
+ FW_FEATURE_POWERNV_POSSIBLE = FW_FEATURE_OPAL,
+ FW_FEATURE_POWERNV_ALWAYS = 0,
+diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
+index 9bcf345cb208..48f510ba9f4a 100644
+--- a/arch/powerpc/include/asm/hvcall.h
++++
b/arch/powerpc/include/asm/hvcall.h
+@@ -323,7 +323,8 @@
+ #define H_SCM_PERFORMANCE_STATS 0x418
+ #define H_RPT_INVALIDATE 0x448
+ #define H_SCM_FLUSH 0x44C
+-#define MAX_HCALL_OPCODE H_SCM_FLUSH
++#define H_GET_ENERGY_SCALE_INFO 0x450
++#define MAX_HCALL_OPCODE H_GET_ENERGY_SCALE_INFO
+
+ /* Scope args for H_SCM_UNBIND_ALL */
+ #define H_UNBIND_SCOPE_ALL (0x1)
+diff --git a/arch/powerpc/kvm/trace_hv.h b/arch/powerpc/kvm/trace_hv.h
+index 830a126e095d..38cd0ed0a617 100644
+--- a/arch/powerpc/kvm/trace_hv.h
++++ b/arch/powerpc/kvm/trace_hv.h
+@@ -115,6 +115,7 @@
+ {H_VASI_STATE, "H_VASI_STATE"}, \
+ {H_ENABLE_CRQ, "H_ENABLE_CRQ"}, \
+ {H_GET_EM_PARMS, "H_GET_EM_PARMS"}, \
++ {H_GET_ENERGY_SCALE_INFO, "H_GET_ENERGY_SCALE_INFO"}, \
+ {H_SET_MPP, "H_SET_MPP"}, \
+ {H_GET_MPP, "H_GET_MPP"}, \
+ {H_HOME_NODE_ASSOCIATIVITY, "H_HOME_NODE_ASSOCIATIVITY"}, \
+diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile
+--- a/arch/powerpc/platforms/pseries/Makefile
++++ b/arch/powerpc/platforms/pseries/Makefile
+@@ -6,7 +6,8 @@ obj-y := lpar.o hvCall.o nvram.o reconfig.o \
+ of_helpers.o \
+ setup.o iommu.o event_sources.o ras.o \
+ firmware.o power.o dlpar.o mobility.o rng.o \
+- pci.o pci_dlpar.o eeh_pseries.o msi.o
++ pci.o pci_dlpar.o eeh_pseries.o msi.o \
++ papr_platform_attributes.o
+ obj-$(CONFIG_SMP) += smp.o
+ obj-$(CONFIG_SCANLOG) += scanlog.o
+ obj-$(CONFIG_KEXEC_CORE) += kexec.o
+diff --git a/arch/powerpc/platforms/pseries/firmware.c b/arch/powerpc/platforms/pseries/firmware.c
+index f162156b7b68..09c119b2f623 100644
+--- a/arch/powerpc/platforms/pseries/firmware.c
++++ b/arch/powerpc/platforms/pseries/firmware.c
+@@ -66,6 +66,7 @@ hypertas_fw_features_table[] = {
+ {FW_FEATURE_BLOCK_REMOVE, "hcall-block-remove"},
+ {FW_FEATURE_PAPR_SCM, "hcall-scm"},
+ {FW_FEATURE_RPT_INVALIDATE, "hcall-rpt-invalidate"},
++ {FW_FEATURE_ENERGY_SCALE_INFO, "hcall-energy-scale-info"},
+ };
+
+ /* Build up the firmware features bitmask using the
contents of
+diff --git a/arch/powerpc/platforms/pseries/papr_platform_attributes.c b/arch/powerpc/platforms/pseries/papr_platform_attributes.c
+new file mode 100644
+index 000000000000..515150417bb3
+--- /dev/null
++++ b/arch/powerpc/platforms/pseries/papr_platform_attributes.c
+@@ -0,0 +1,361 @@
++// SPDX-License-Identifier: GPL-2.0-or-later
++/*
++ * Platform energy and frequency attributes driver
++ *
++ * This driver creates a sys file at /sys/firmware/papr/ which encapsulates a
++ * directory structure containing files in keyword - value pairs that specify
++ * energy and frequency configuration of the system.
++ *
++ * The format of exposing the sysfs information is as follows:
++ * /sys/firmware/papr/energy_scale_info/
++ * |-- /
++ * |-- desc
++ * |-- value
++ * |-- value_desc (if exists)
++ * |-- /
++ * |-- desc
++ * |-- value
++ * |-- value_desc (if exists)
++ *
++ * Copyright 2022 IBM Corp.
++ */
++
++#include
++#include
++
++#include "pseries.h"
++
++/*
++ * Flag attributes to fetch either all or one attribute from the HCALL
++ * flag = BE(0) => fetch all attributes with firstAttributeId = 0
++ * flag = BE(1) => fetch a single attribute with firstAttributeId = id
++ */
++#define ESI_FLAGS_ALL 0
++#define ESI_FLAGS_SINGLE (1ull << 63)
++
++#define KOBJ_MAX_ATTRS 3
++
++#define ESI_HDR_SIZE sizeof(struct h_energy_scale_info_hdr)
++#define ESI_ATTR_SIZE sizeof(struct energy_scale_attribute)
++#define CURR_MAX_ESI_ATTRS 8
++
++struct energy_scale_attribute {
++ __be64 id;
++ __be64 val;
++ u8 desc[64];
++ u8 value_desc[64];
++} __packed;
++
++struct h_energy_scale_info_hdr {
++ __be64 num_attrs;
++ __be64 array_offset;
++ u8 data_header_version;
++} __packed;
++
++struct papr_attr {
++ u64 id;
++ struct kobj_attribute kobj_attr;
++};
++
++struct papr_group {
++ struct attribute_group pg;
++ struct papr_attr pgattrs[KOBJ_MAX_ATTRS];
++};
++
++static struct papr_group *papr_groups;
++/* /sys/firmware/papr */
++static struct kobject *papr_kobj;
++/*
/sys/firmware/papr/energy_scale_info */
++static struct kobject *esi_kobj;
++
++/*
++ * Energy modes can change dynamically hence making a new hcall each time the
++ * information needs to be retrieved
++ */
++static int papr_get_attr(u64 id, struct energy_scale_attribute *esi)
++{
++ int esi_buf_size = ESI_HDR_SIZE + (CURR_MAX_ESI_ATTRS * ESI_ATTR_SIZE);
++ int ret, max_esi_attrs = CURR_MAX_ESI_ATTRS;
++ struct energy_scale_attribute *curr_esi;
++ struct h_energy_scale_info_hdr *hdr;
++ char *buf;
++
++ buf = kmalloc(esi_buf_size, GFP_KERNEL);
++ if (buf == NULL)
++ return -ENOMEM;
++
++retry:
++ ret = plpar_hcall_norets(H_GET_ENERGY_SCALE_INFO, ESI_FLAGS_SINGLE,
++ id, virt_to_phys(buf),
++ esi_buf_size);
++
++ /*
++ * If the hcall fails with not enough memory for either the
++ * header or data, attempt to allocate more
++ */
++ if (ret == H_PARTIAL || ret == H_P4) {
++ char *temp_buf;
++
++ max_esi_attrs += 4;
++ esi_buf_size = ESI_HDR_SIZE + (CURR_MAX_ESI_ATTRS * max_esi_attrs);
++
++ temp_buf = krealloc(buf, esi_buf_size, GFP_KERNEL);
++ if (temp_buf)
++ buf = temp_buf;
++ else
++ return -ENOMEM;
++
++ goto retry;
++ }
++
++ if (ret != H_SUCCESS) {
++ pr_warn("hcall failed: H_GET_ENERGY_SCALE_INFO");
++ ret = -EIO;
++ goto out_buf;
++ }
++
++ hdr = (struct h_energy_scale_info_hdr *) buf;
++ curr_esi = (struct energy_scale_attribute *)
++ (buf + be64_to_cpu(hdr->array_offset));
++
++ if (esi_buf_size <
++ be64_to_cpu(hdr->array_offset) + (be64_to_cpu(hdr->num_attrs)
++ * sizeof(struct energy_scale_attribute))) {
++ ret = -EIO;
++ goto out_buf;
++ }
++
++ *esi = *curr_esi;
++
++out_buf:
++ kfree(buf);
++
++ return ret;
++}
++
++/*
++ * Extract and export the description of the energy scale attributes
++ */
++static ssize_t desc_show(struct kobject *kobj,
++ struct kobj_attribute *kobj_attr,
++ char *buf)
++{
++ struct papr_attr *pattr = container_of(kobj_attr, struct papr_attr,
++ kobj_attr);
++ struct energy_scale_attribute esi;
++ int ret;
++
++ ret =
papr_get_attr(pattr->id, &esi);
++ if (ret)
++ return ret;
++
++ return sysfs_emit(buf, "%s\n", esi.desc);
++}
++
++/*
++ * Extract and export the numeric value of the energy scale attributes
++ */
++static ssize_t val_show(struct kobject *kobj,
++ struct kobj_attribute *kobj_attr,
++ char *buf)
++{
++ struct papr_attr *pattr = container_of(kobj_attr, struct papr_attr,
++ kobj_attr);
++ struct energy_scale_attribute esi;
++ int ret;
++
++ ret = papr_get_attr(pattr->id, &esi);
++ if (ret)
++ return ret;
++
++ return sysfs_emit(buf, "%llu\n", be64_to_cpu(esi.val));
++}
++
++/*
++ * Extract and export the value description in string format of the energy
++ * scale attributes
++ */
++static ssize_t val_desc_show(struct kobject *kobj,
++ struct kobj_attribute *kobj_attr,
++ char *buf)
++{
++ struct papr_attr *pattr = container_of(kobj_attr, struct papr_attr,
++ kobj_attr);
++ struct energy_scale_attribute esi;
++ int ret;
++
++ ret = papr_get_attr(pattr->id, &esi);
++ if (ret)
++ return ret;
++
++ return sysfs_emit(buf, "%s\n", esi.value_desc);
++}
++
++static struct papr_ops_info {
++ const char *attr_name;
++ ssize_t (*show)(struct kobject *kobj, struct kobj_attribute *kobj_attr,
++ char *buf);
++} ops_info[KOBJ_MAX_ATTRS] = {
++ { "desc", desc_show },
++ { "value", val_show },
++ { "value_desc", val_desc_show },
++};
++
++static void add_attr(u64 id, int index, struct papr_attr *attr)
++{
++ attr->id = id;
++ sysfs_attr_init(&attr->kobj_attr.attr);
++ attr->kobj_attr.attr.name = ops_info[index].attr_name;
++ attr->kobj_attr.attr.mode = 0444;
++ attr->kobj_attr.show = ops_info[index].show;
++}
++
++static int add_attr_group(u64 id, struct papr_group *pg, bool show_val_desc)
++{
++ int i;
++
++ for (i = 0; i < KOBJ_MAX_ATTRS; i++) {
++ if (!strcmp(ops_info[i].attr_name, "value_desc") &&
++ !show_val_desc) {
++ continue;
++ }
++ add_attr(id, i, &pg->pgattrs[i]);
++ pg->pg.attrs[i] = &pg->pgattrs[i].kobj_attr.attr;
++ }
++
++ return sysfs_create_group(esi_kobj, &pg->pg);
++} ++ ++ ++static int __init papr_init(void) ++{ ++ int esi_buf_size = ESI_HDR_SIZE + (CURR_MAX_ESI_ATTRS * ESI_ATTR_SIZE); ++ int ret, idx, i, max_esi_attrs = CURR_MAX_ESI_ATTRS; ++ struct h_energy_scale_info_hdr *esi_hdr; ++ struct energy_scale_attribute *esi_attrs; ++ uint64_t num_attrs; ++ char *esi_buf; ++ ++ if (!firmware_has_feature(FW_FEATURE_LPAR) || ++ !firmware_has_feature(FW_FEATURE_ENERGY_SCALE_INFO)) { ++ return -ENXIO; ++ } ++ ++ esi_buf = kmalloc(esi_buf_size, GFP_KERNEL); ++ if (esi_buf == NULL) ++ return -ENOMEM; ++ /* ++ * hcall( ++ * uint64 H_GET_ENERGY_SCALE_INFO, // Get energy scale info ++ * uint64 flags, // Per the flag request ++ * uint64 firstAttributeId, // The attribute id ++ * uint64 bufferAddress, // Guest physical address of the output buffer ++ * uint64 bufferSize); // The size in bytes of the output buffer ++ */ ++retry: ++ ++ ret = plpar_hcall_norets(H_GET_ENERGY_SCALE_INFO, ESI_FLAGS_ALL, 0, ++ virt_to_phys(esi_buf), esi_buf_size); ++ ++ /* ++ * If the hcall fails with not enough memory for either the ++ * header or data, attempt to allocate more ++ */ ++ if (ret == H_PARTIAL || ret == H_P4) { ++ char *temp_esi_buf; ++ ++ max_esi_attrs += 4; ++ esi_buf_size = ESI_HDR_SIZE + (CURR_MAX_ESI_ATTRS * max_esi_attrs); ++ ++ temp_esi_buf = krealloc(esi_buf, esi_buf_size, GFP_KERNEL); ++ if (temp_esi_buf) ++ esi_buf = temp_esi_buf; ++ else ++ return -ENOMEM; ++ ++ goto retry; ++ } ++ ++ if (ret != H_SUCCESS) { ++ pr_warn("hcall failed: H_GET_ENERGY_SCALE_INFO, ret: %d\n", ret); ++ goto out_free_esi_buf; ++ } ++ ++ esi_hdr = (struct h_energy_scale_info_hdr *) esi_buf; ++ num_attrs = be64_to_cpu(esi_hdr->num_attrs); ++ esi_attrs = (struct energy_scale_attribute *) ++ (esi_buf + be64_to_cpu(esi_hdr->array_offset)); ++ ++ if (esi_buf_size < ++ be64_to_cpu(esi_hdr->array_offset) + ++ (num_attrs * sizeof(struct energy_scale_attribute))) { ++ goto out_free_esi_buf; ++ } ++ ++ papr_groups = kcalloc(num_attrs, sizeof(*papr_groups), GFP_KERNEL); ++ 
if (!papr_groups) ++ goto out_free_esi_buf; ++ ++ papr_kobj = kobject_create_and_add("papr", firmware_kobj); ++ if (!papr_kobj) { ++ pr_warn("kobject_create_and_add papr failed\n"); ++ goto out_papr_groups; ++ } ++ ++ esi_kobj = kobject_create_and_add("energy_scale_info", papr_kobj); ++ if (!esi_kobj) { ++ pr_warn("kobject_create_and_add energy_scale_info failed\n"); ++ goto out_kobj; ++ } ++ ++ /* Allocate the groups before registering */ ++ for (idx = 0; idx < num_attrs; idx++) { ++ papr_groups[idx].pg.attrs = kcalloc(KOBJ_MAX_ATTRS + 1, ++ sizeof(*papr_groups[idx].pg.attrs), ++ GFP_KERNEL); ++ if (!papr_groups[idx].pg.attrs) ++ goto out_pgattrs; ++ ++ papr_groups[idx].pg.name = kasprintf(GFP_KERNEL, "%lld", ++ be64_to_cpu(esi_attrs[idx].id)); ++ if (papr_groups[idx].pg.name == NULL) ++ goto out_pgattrs; ++ } ++ ++ for (idx = 0; idx < num_attrs; idx++) { ++ bool show_val_desc = true; ++ ++ /* Do not add the value desc attr if it does not exist */ ++ if (strnlen(esi_attrs[idx].value_desc, ++ sizeof(esi_attrs[idx].value_desc)) == 0) ++ show_val_desc = false; ++ ++ if (add_attr_group(be64_to_cpu(esi_attrs[idx].id), ++ &papr_groups[idx], ++ show_val_desc)) { ++ pr_warn("Failed to create papr attribute group %s\n", ++ papr_groups[idx].pg.name); ++ idx = num_attrs; ++ goto out_pgattrs; ++ } ++ } ++ ++ kfree(esi_buf); ++ return 0; ++out_pgattrs: ++ for (i = 0; i < idx ; i++) { ++ kfree(papr_groups[i].pg.attrs); ++ kfree(papr_groups[i].pg.name); ++ } ++ kobject_put(esi_kobj); ++out_kobj: ++ kobject_put(papr_kobj); ++out_papr_groups: ++ kfree(papr_groups); ++out_free_esi_buf: ++ kfree(esi_buf); ++ ++ return -ENOMEM; ++} ++ ++machine_device_initcall(pseries, papr_init); +-- +2.35.3 + diff --git a/patches.suse/r8152-Rate-limit-overflow-messages.patch b/patches.suse/r8152-Rate-limit-overflow-messages.patch new file mode 100644 index 0000000..9d8f515 --- /dev/null +++ b/patches.suse/r8152-Rate-limit-overflow-messages.patch 
@@ -0,0 +1,38 @@
+From 93e2be344a7db169b7119de21ac1bf253b8c6907 Mon Sep 17 00:00:00 2001
+From: Andrew Gaul
+Date: Sun, 2 Oct 2022 12:41:28 +0900
+Subject: [PATCH] r8152: Rate limit overflow messages
+Git-commit: 93e2be344a7db169b7119de21ac1bf253b8c6907
+Patch-mainline: v6.1-rc1
+References: CVE-2022-3594 bsc#1204479
+
+My system shows almost 10 million of these messages over a 24-hour
+period which pollutes my logs.
+
+Signed-off-by: Andrew Gaul
+Link: https://lore.kernel.org/r/20221002034128.2026653-1-gaul@google.com
+Signed-off-by: Jakub Kicinski
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/usb/r8152.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 688905ea0a6d..e7b0b59e2bc8 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1874,7 +1874,9 @@ static void intr_callback(struct urb *urb)
+ "Stop submitting intr, status %d\n", status);
+ return;
+ case -EOVERFLOW:
+- netif_info(tp, intr, tp->netdev, "intr status -EOVERFLOW\n");
++ if (net_ratelimit())
++ netif_info(tp, intr, tp->netdev,
++ "intr status -EOVERFLOW\n");
+ goto resubmit;
+ /* -EPIPE: should clear the halt */
+ default:
+--
+2.35.3
+
diff --git a/patches.suse/sch_sfb-Also-store-skb-len-before-calling-child-enqu.patch b/patches.suse/sch_sfb-Also-store-skb-len-before-calling-child-enqu.patch
new file mode 100644
index 0000000..480dd91
--- /dev/null
+++ b/patches.suse/sch_sfb-Also-store-skb-len-before-calling-child-enqu.patch
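Review bot: The new `net_ratelimit()` guard in the `-EOVERFLOW` case of intr_callback() carries no comment saying that the message can be produced repeatedly by the device and is throttled for that reason, which is what the CVE-2022-3594 reference is about. A one-line comment above the `if`, for example `/* device-triggerable: throttle so a misbehaving adapter cannot flood the log */`, would keep a later cleanup from dropping the guard. net_ratelimit() is a limiter shared with other networking messages, so a noisy adapter can still crowd out unrelated rate-limited output; that is worth knowing when reading logs from an affected host. intr_callback() starts and ends outside the hunk.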
@@ -0,0 +1,52 @@
+From 2f09707d0c972120bf794cfe0f0c67e2c2ddb252 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?=
+Date: Mon, 5 Sep 2022 21:21:36 +0200
+Subject: [PATCH] sch_sfb: Also store skb len before calling child enqueue
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 2f09707d0c972120bf794cfe0f0c67e2c2ddb252
+Patch-mainline: v6.0-rc5
+References: CVE-2022-3586 bsc#1204439
+
+Cong Wang noticed that the previous fix for sch_sfb accessing the queued
+skb after enqueueing it to a child qdisc was incomplete: the SFB enqueue
+function was also calling qdisc_qstats_backlog_inc() after enqueue, which
+reads the pkt len from the skb cb field. Fix this by also storing the skb
+len, and using the stored value to increment the backlog after enqueueing.
+
+Fixes: 9efd23297cca ("sch_sfb: Don't assume the skb is still around after enqueueing to child")
+Signed-off-by: Toke Høiland-Jørgensen
+Acked-by: Cong Wang
+Link: https://lore.kernel.org/r/20220905192137.965549-1-toke@toke.dk
+Signed-off-by: Paolo Abeni
+Acked-by: Takashi Iwai
+
+---
+ net/sched/sch_sfb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
+index 0d761f454ae8..2829455211f8 100644
+--- a/net/sched/sch_sfb.c
++++ b/net/sched/sch_sfb.c
+@@ -281,6 +281,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ {
+
+ struct sfb_sched_data *q = qdisc_priv(sch);
++ unsigned int len = qdisc_pkt_len(skb);
+ struct Qdisc *child = q->qdisc;
+ struct tcf_proto *fl;
+ struct sfb_skb_cb cb;
+@@ -403,7 +404,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ memcpy(&cb, sfb_skb_cb(skb), sizeof(cb));
+ ret = qdisc_enqueue(skb, child, to_free);
+ if (likely(ret == NET_XMIT_SUCCESS)) {
+- qdisc_qstats_backlog_inc(sch, skb);
++ sch->qstats.backlog += len;
+ sch->q.qlen++;
+ increment_qlen(&cb, q);
+ } else if (net_xmit_drop_count(ret)) {
+--
+2.35.3
+
diff --git a/patches.suse/sch_sfb-Don-t-assume-the-skb-is-still-around-after-e.patch b/patches.suse/sch_sfb-Don-t-assume-the-skb-is-still-around-after-e.patch
new file mode 100644
index 0000000..cdd64eb
--- /dev/null
+++ b/patches.suse/sch_sfb-Don-t-assume-the-skb-is-still-around-after-e.patch
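Review bot: `sch->qstats.backlog += len;` open-codes the backlog update without saying why the usual helper is avoided, so a later cleanup could plausibly restore `qdisc_qstats_backlog_inc(sch, skb)` and bring the use-after-free back. A comment on that line such as `/* skb may already be freed by the child qdisc; use the length saved before enqueue */` would record the constraint next to the code. sfb_enqueue() starts and ends outside both hunks, so any other use of `skb` after `qdisc_enqueue()` cannot be ruled out from what is shown here.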
@@ -0,0 +1,81 @@
+From 9efd23297cca530bb35e1848665805d3fcdd7889 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?=
+Date: Wed, 31 Aug 2022 23:52:18 +0200
+Subject: [PATCH] sch_sfb: Don't assume the skb is still around after enqueueing to child
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 9efd23297cca530bb35e1848665805d3fcdd7889
+Patch-mainline: v6.0-rc5
+References: CVE-2022-3586 bsc#1204439
+
+The sch_sfb enqueue() routine assumes the skb is still alive after it has
+been enqueued into a child qdisc, using the data in the skb cb field in the
+increment_qlen() routine after enqueue. However, the skb may in fact have
+been freed, causing a use-after-free in this case. In particular, this
+happens if sch_cake is used as a child of sfb, and the GSO splitting mode
+of CAKE is enabled (in which case the skb will be split into segments and
+the original skb freed).
+
+Fix this by copying the sfb cb data to the stack before enqueueing the skb,
+and using this stack copy in increment_qlen() instead of the skb pointer
+itself.
+
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231
+Fixes: e13e02a3c68d ("net_sched: SFB flow scheduler")
+Signed-off-by: Toke Høiland-Jørgensen
+Signed-off-by: David S. Miller
+Acked-by: Takashi Iwai
+
+---
+ net/sched/sch_sfb.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
+index 3d061a13d7ed..0d761f454ae8 100644
+--- a/net/sched/sch_sfb.c
++++ b/net/sched/sch_sfb.c
+@@ -135,15 +135,15 @@ static void increment_one_qlen(u32 sfbhash, u32 slot, struct sfb_sched_data *q)
+ }
+ }
+
+-static void increment_qlen(const struct sk_buff *skb, struct sfb_sched_data *q)
++static void increment_qlen(const struct sfb_skb_cb *cb, struct sfb_sched_data *q)
+ {
+ u32 sfbhash;
+
+- sfbhash = sfb_hash(skb, 0);
++ sfbhash = cb->hashes[0];
+ if (sfbhash)
+ increment_one_qlen(sfbhash, 0, q);
+
+- sfbhash = sfb_hash(skb, 1);
++ sfbhash = cb->hashes[1];
+ if (sfbhash)
+ increment_one_qlen(sfbhash, 1, q);
+ }
+@@ -283,6 +283,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ struct sfb_sched_data *q = qdisc_priv(sch);
+ struct Qdisc *child = q->qdisc;
+ struct tcf_proto *fl;
++ struct sfb_skb_cb cb;
+ int i;
+ u32 p_min = ~0;
+ u32 minqlen = ~0;
+@@ -399,11 +400,12 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ }
+
+ enqueue:
++ memcpy(&cb, sfb_skb_cb(skb), sizeof(cb));
+ ret = qdisc_enqueue(skb, child, to_free);
+ if (likely(ret == NET_XMIT_SUCCESS)) {
+ qdisc_qstats_backlog_inc(sch, skb);
+ sch->q.qlen++;
+- increment_qlen(skb, q);
++ increment_qlen(&cb, q);
+ } else if (net_xmit_drop_count(ret)) {
+ q->stats.childdrop++;
+ qdisc_qstats_drop(sch);
+--
+2.35.3
+
diff --git a/patches.suse/scsi-libsas-Fix-use-after-free-bug-in-smp_execute_task_sg.patch b/patches.suse/scsi-libsas-Fix-use-after-free-bug-in-smp_execute_task_sg.patch
new file mode 100644
index 0000000..9f0007a
--- /dev/null
+++ b/patches.suse/scsi-libsas-Fix-use-after-free-bug-in-smp_execute_task_sg.patch
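Review bot: After `qdisc_enqueue(skb, child, to_free)` the new code still passes `skb` to `qdisc_qstats_backlog_inc(sch, skb)`, so this patch on its own leaves one read of a possibly freed skb in the success path of sfb_enqueue(). That read is removed only by the companion patch sch_sfb-Also-store-skb-len-before-calling-child-enqu.patch, which carries the same CVE-2022-3586 reference. The two need to be applied together, with this one first, because the companion's context already contains `struct sfb_skb_cb cb;` and the `memcpy()` added here; the series order is not visible on this page and should be checked. sfb_enqueue() starts and ends outside the hunks.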
@@ -0,0 +1,50 @@
+From: Duoming Zhou
+Date: Tue, 20 Sep 2022 22:42:13 +0800
+Subject: scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
+Git-commit: 46ba53c30666717cb06c2b3c5d896301cd00d0c0
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+When executing SMP task failed, the smp_execute_task_sg() calls del_timer()
+to delete "slow_task->timer". However, if the timer handler
+sas_task_internal_timedout() is running, the del_timer() in
+smp_execute_task_sg() will not stop it and a UAF will happen. The process
+is shown below:
+
+ (thread 1) | (thread 2)
+smp_execute_task_sg() | sas_task_internal_timedout()
+ ... |
+ del_timer() |
+ ... | ...
+ sas_free_task(task) |
+ kfree(task->slow_task) //FREE|
+ | task->slow_task->... //USE
+
+Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure
+the timer handler have finished before the "task->slow_task" is
+deallocated.
+
+Link: https://lore.kernel.org/r/20220920144213.10536-1-duoming@zju.edu.cn
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Reviewed-by: Jason Yan
+Signed-off-by: Duoming Zhou
+Signed-off-by: Martin K. Petersen
+Acked-by: Lee Duncan
+---
+ drivers/scsi/libsas/sas_expander.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index fa2209080cc2..5ce251830104 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -67,7 +67,7 @@ static int smp_execute_task_sg(struct domain_device *dev,
+ res = i->dft->lldd_execute_task(task, GFP_KERNEL);
+
+ if (res) {
+- del_timer(&task->slow_task->timer);
++ del_timer_sync(&task->slow_task->timer);
+ pr_notice("executing SMP task failed:%d\n", res);
+ break;
+ }
+
diff --git a/patches.suse/scsi-mpt3sas-Fix-return-value-check-of-dma_get_required_mask.patch b/patches.suse/scsi-mpt3sas-Fix-return-value-check-of-dma_get_required_mask.patch
new file mode 100644
index 0000000..5ca223c
--- /dev/null
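Review bot: The switch to `del_timer_sync()` in the `if (res)` branch has its reason only in the commit message, so the call site should say why the synchronous form is required, for example `/* _sync: a running timer handler still uses task->slow_task, which is freed after this */`. Without that, the call reads like an ordinary timer cancel and is easy to "simplify" back. del_timer_sync() waits for a running handler, so it must not be reached while holding a lock that the handler takes; the `GFP_KERNEL` argument on the line above suggests process context, but the locking around this call is outside the hunk and should be confirmed. smp_execute_task_sg() starts and ends outside the hunk.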
+++ b/patches.suse/scsi-mpt3sas-Fix-return-value-check-of-dma_get_required_mask.patch
@@ -0,0 +1,32 @@
+From: Sreekanth Reddy
+Date: Tue, 13 Sep 2022 17:35:38 +0530
+Subject: scsi: mpt3sas: Fix return value check of dma_get_required_mask()
+Git-commit: e0e0747de0ea3dd87cdbb0393311e17471a9baf1
+Patch-mainline: v6.0-rc7
+References: git-fixes
+
+Fix the incorrect return value check of dma_get_required_mask(). Due to
+this incorrect check, the driver was always setting the DMA mask to 63 bit.
+
+[lduncan: modified and refreshed to apply.]
+
+Link: https://lore.kernel.org/r/20220913120538.18759-2-sreekanth.reddy@broadcom.com
+Fixes: ba27c5cf286d ("scsi: mpt3sas: Don't change the DMA coherent mask after allocations")
+Signed-off-by: Sreekanth Reddy
+Signed-off-by: Martin K. Petersen
+Acked-by: Lee Duncan
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -2818,7 +2818,7 @@ _base_config_dma_addressing(struct MPT3S
+
+ if (ioc->is_mcpu_endpoint ||
+ sizeof(dma_addr_t) == 4 || ioc->use_32bit_dma ||
+- dma_get_required_mask(&pdev->dev) <= 32)
++ dma_get_required_mask(&pdev->dev) <= DMA_BIT_MASK(32))
+ dma_mask = 32;
+ /* Set 63 bit DMA mask for all SAS3 and SAS35 controllers */
+ else if (ioc->hba_mpi_version_belonged > MPI2_VERSION)
diff --git a/patches.suse/scsi-qla2xxx-Fix-disk-failure-to-rediscover.patch b/patches.suse/scsi-qla2xxx-Fix-disk-failure-to-rediscover.patch
new file mode 100644
index 0000000..1efdfde
--- /dev/null
+++ b/patches.suse/scsi-qla2xxx-Fix-disk-failure-to-rediscover.patch
@@ -0,0 +1,77 @@
+From: Quinn Tran
+Date: Thu, 10 Mar 2022 01:25:53 -0800
+Subject: scsi: qla2xxx: Fix disk failure to rediscover
+Git-commit: 6a45c8e137d4e2c72eecf1ac7cf64f2fdfcead99
+Patch-mainline: v5.18-rc1
+References: git-fixes
+
+User experienced some of the LUN failed to get rediscovered after long
+cable pull test. The issue is triggered by a race condition between driver
+setting session online state vs starting the LUN scan process at the same
+time. Current code set the online state after notifying the session is
+available. In this case, trigger to start the LUN scan process happened
+before driver could set the session in online state. LUN scan ends up with
+failure due to the session online check was failing.
+
+Set the online state before reporting of the availability of the session.
+
+Link: https://lore.kernel.org/r/20220310092604.22950-3-njavali@marvell.com
+Fixes: aecf043443d3 ("scsi: qla2xxx: Fix Remote port registration")
+Cc: stable@vger.kernel.org
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Signed-off-by: Martin K. Petersen
+Acked-by: Lee Duncan
+---
+ drivers/scsi/qla2xxx/qla_init.c | 5 +++--
+ drivers/scsi/qla2xxx/qla_nvme.c | 5 +++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 2f3a3cd31bd6..e468b05f90c0 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -5758,6 +5758,8 @@ qla2x00_reg_remote_port(scsi_qla_host_t *vha, fc_port_t *fcport)
+ if (atomic_read(&fcport->state) == FCS_ONLINE)
+ return;
+
++ qla2x00_set_fcport_state(fcport, FCS_ONLINE);
++
+ rport_ids.node_name = wwn_to_u64(fcport->node_name);
+ rport_ids.port_name = wwn_to_u64(fcport->port_name);
+ rport_ids.port_id = fcport->d_id.b.domain << 16 |
+@@ -5858,6 +5860,7 @@ qla2x00_update_fcport(scsi_qla_host_t *vha, fc_port_t *fcport)
+ qla2x00_reg_remote_port(vha, fcport);
+ break;
+ case MODE_TARGET:
++ qla2x00_set_fcport_state(fcport, FCS_ONLINE);
+ if (!vha->vha_tgt.qla_tgt->tgt_stop &&
+ !vha->vha_tgt.qla_tgt->tgt_stopped)
+ qlt_fc_port_added(vha, fcport);
+@@ -5875,8 +5878,6 @@ qla2x00_update_fcport(scsi_qla_host_t *vha, fc_port_t *fcport)
+ if (NVME_TARGET(vha->hw, fcport))
+ qla_nvme_register_remote(vha, fcport);
+
+- qla2x00_set_fcport_state(fcport, FCS_ONLINE);
+-
+ if (IS_IIDMA_CAPABLE(vha->hw) && vha->hw->flags.gpsc_supported) {
+ if (fcport->id_changed) {
+ fcport->id_changed = 0;
+diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
+index 718c761ff5f8..5723082d94d6 100644
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -37,6 +37,11 @@ int qla_nvme_register_remote(struct scsi_qla_host *vha, struct fc_port *fcport)
+ (fcport->nvme_flag & NVME_FLAG_REGISTERED))
+ return 0;
+
++ if (atomic_read(&fcport->state) == FCS_ONLINE)
++ return 0;
++
++ qla2x00_set_fcport_state(fcport, FCS_ONLINE);
++
+ fcport->nvme_flag &= ~NVME_FLAG_RESETTING;
+
+ memset(&req, 0, sizeof(struct nvme_fc_port_info));
+
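Review bot: The early `return 0` added to qla_nvme_register_remote() when the state is already `FCS_ONLINE` looks as if it can skip NVMe remote-port registration altogether. In the qla_init.c hunks, qla2x00_reg_remote_port() and the `MODE_TARGET` case now set `FCS_ONLINE` inside the switch, and the context of the third hunk shows `qla_nvme_register_remote(vha, fcport)` being called after that switch, so a port that went through either path would hit the new check and return before the registration code. The rest of the switch and of both functions is outside the hunks, so this needs confirming against the full source. If it holds, the port state should not double as the "already registered" test here; the existing `NVME_FLAG_REGISTERED` check in the context lines already covers that case.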
diff --git a/patches.suse/selftest-powerpc-Add-PAPR-sysfs-attributes-sniff-tes.patch b/patches.suse/selftest-powerpc-Add-PAPR-sysfs-attributes-sniff-tes.patch
new file mode 100644
index 0000000..7e8151a
--- /dev/null
+++ b/patches.suse/selftest-powerpc-Add-PAPR-sysfs-attributes-sniff-tes.patch
@@ -0,0 +1,176 @@
+From 57201d657eb76d735298405d3200a3b1f67197e1 Mon Sep 17 00:00:00 2001
+From: "Pratik R. Sampat"
+Date: Thu, 17 Feb 2022 16:23:21 +0530
+Subject: [PATCH] selftest/powerpc: Add PAPR sysfs attributes sniff test
+
+References: bsc#1200465 ltc#197256 jsc#PED-1931
+Patch-mainline: v5.18-rc1
+Git-commit: 57201d657eb76d735298405d3200a3b1f67197e1
+
+Include a testcase to check if the sysfs files for energy and frequency
+related have its related attribute files exist and populated
+
+Signed-off-by: Pratik R. Sampat
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220217105321.52941-3-psampat@linux.ibm.com
+Acked-by: Michal Suchanek
+---
+ tools/testing/selftests/powerpc/Makefile | 1 +
+ .../powerpc/papr_attributes/.gitignore | 2 +
+ .../powerpc/papr_attributes/Makefile | 7 ++
+ .../powerpc/papr_attributes/attr_test.c | 107 ++++++++++++++++++
+ 4 files changed, 117 insertions(+)
+ create mode 100644 tools/testing/selftests/powerpc/papr_attributes/.gitignore
+ create mode 100644 tools/testing/selftests/powerpc/papr_attributes/Makefile
+ create mode 100644 tools/testing/selftests/powerpc/papr_attributes/attr_test.c
+
+diff --git a/tools/testing/selftests/powerpc/Makefile b/tools/testing/selftests/powerpc/Makefile
+index 4830372d7416..6ba95cd19e42 100644
+--- a/tools/testing/selftests/powerpc/Makefile
++++ b/tools/testing/selftests/powerpc/Makefile
+@@ -30,6 +30,7 @@ SUB_DIRS = alignment \
+ tm \
+ vphn \
+ math \
++ papr_attributes \
+ ptrace \
+ security
+
+diff --git a/tools/testing/selftests/powerpc/papr_attributes/.gitignore b/tools/testing/selftests/powerpc/papr_attributes/.gitignore
+new file mode 100644
+index 000000000000..d5f42b6d9e99
+--- /dev/null
++++ b/tools/testing/selftests/powerpc/papr_attributes/.gitignore
+@@ -0,0 +1,2 @@
++# SPDX-License-Identifier: GPL-2.0-only
++attr_test
+diff --git a/tools/testing/selftests/powerpc/papr_attributes/Makefile b/tools/testing/selftests/powerpc/papr_attributes/Makefile
+new file mode 100644
+index 000000000000..e899712d49db
+--- /dev/null
++++ b/tools/testing/selftests/powerpc/papr_attributes/Makefile
+@@ -0,0 +1,7 @@
++# SPDX-License-Identifier: GPL-2.0
++TEST_GEN_PROGS := attr_test
++
++top_srcdir = ../../../../..
++include ../../lib.mk
++
++$(TEST_GEN_PROGS): ../harness.c ../utils.c
+\ No newline at end of file
+diff --git a/tools/testing/selftests/powerpc/papr_attributes/attr_test.c b/tools/testing/selftests/powerpc/papr_attributes/attr_test.c
+new file mode 100644
+index 000000000000..bab0dc06e90b
+--- /dev/null
++++ b/tools/testing/selftests/powerpc/papr_attributes/attr_test.c
+@@ -0,0 +1,107 @@
++// SPDX-License-Identifier: GPL-2.0-or-later
++/*
++ * PAPR Energy attributes sniff test
++ * This checks if the papr folders and contents are populated relating to
++ * the energy and frequency attributes
++ *
++ * Copyright 2022, Pratik Rajesh Sampat, IBM Corp.
++ */
++
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++
++#include "utils.h"
++
++enum energy_freq_attrs {
++ POWER_PERFORMANCE_MODE = 1,
++ IDLE_POWER_SAVER_STATUS = 2,
++ MIN_FREQ = 3,
++ STAT_FREQ = 4,
++ MAX_FREQ = 6,
++ PROC_FOLDING_STATUS = 8
++};
++
++enum type {
++ INVALID,
++ STR_VAL,
++ NUM_VAL
++};
++
++int value_type(int id)
++{
++ int val_type;
++
++ switch (id) {
++ case POWER_PERFORMANCE_MODE:
++ case IDLE_POWER_SAVER_STATUS:
++ val_type = STR_VAL;
++ break;
++ case MIN_FREQ:
++ case STAT_FREQ:
++ case MAX_FREQ:
++ case PROC_FOLDING_STATUS:
++ val_type = NUM_VAL;
++ break;
++ default:
++ val_type = INVALID;
++ }
++
++ return val_type;
++}
++
++int verify_energy_info(void)
++{
++ const char *path = "/sys/firmware/papr/energy_scale_info";
++ struct dirent *entry;
++ struct stat s;
++ DIR *dirp;
++
++ if (stat(path, &s) || !S_ISDIR(s.st_mode))
++ return -1;
++ dirp = opendir(path);
++
++ while ((entry = readdir(dirp)) != NULL) {
++ char file_name[64];
++ int id, attr_type;
++ FILE *f;
++
++ if (strcmp(entry->d_name, ".") == 0 ||
++ strcmp(entry->d_name, "..") == 0)
++ continue;
++
++ id = atoi(entry->d_name);
++ attr_type = value_type(id);
++ if (attr_type == INVALID)
++ return -1;
++
++ /* Check if the files exist and have data in them */
++ sprintf(file_name, "%s/%d/desc", path, id);
++ f = fopen(file_name, "r");
++ if (!f || fgetc(f) == EOF)
++ return -1;
++
++ sprintf(file_name, "%s/%d/value", path, id);
++ f = fopen(file_name, "r");
++ if (!f || fgetc(f) == EOF)
++ return -1;
++
++ if (attr_type == STR_VAL) {
++ sprintf(file_name, "%s/%d/value_desc", path, id);
++ f = fopen(file_name, "r");
++ if (!f || fgetc(f) == EOF)
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
++int main(void)
++{
++ return test_harness(verify_energy_info, "papr_attributes");
++}
+--
+2.35.3
+
diff --git a/patches.suse/selftests-powerpc-Skip-energy_scale_info-test-on-old.patch b/patches.suse/selftests-powerpc-Skip-energy_scale_info-test-on-old.patch
new file mode 100644
index 0000000..04aa7ab
--- /dev/null
+++ b/patches.suse/selftests-powerpc-Skip-energy_scale_info-test-on-old.patch
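Review bot: verify_energy_info() uses the result of `opendir(path)` without checking it, so a failed open passes NULL to readdir(), and nothing it opens is ever closed: each `f = fopen(...)` overwrites the previous stream and `dirp` never reaches closedir(), including on the early `return -1` paths. Add `if (!dirp) return -1;` after the opendir() call, `fclose(f);` after each successful check, and `closedir(dirp);` before every return. The three `sprintf(file_name, ...)` calls into `char file_name[64]` fit the current fixed path plus an int, but `snprintf(file_name, sizeof(file_name), ...)` would keep that true if the path ever changes. The follow-up patch selftests-powerpc-Skip-energy_scale_info-test-on-old.patch rewrites the checks with FAIL_IF() and keeps all of these.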
@@ -0,0 +1,105 @@
+From 4228a996b072d36f3baafb4afdc2d2d66d2cbadf Mon Sep 17 00:00:00 2001
+From: Michael Ellerman
+Date: Mon, 20 Jun 2022 09:31:03 +1000
+Subject: [PATCH] selftests/powerpc: Skip energy_scale_info test on older
+ firmware
+
+References: git-fixes
+Patch-mainline: v6.0-rc1
+Git-commit: 4228a996b072d36f3baafb4afdc2d2d66d2cbadf
+
+Older machines don't have the firmware feature that enables the code
+this test is testing. Skip the test if the sysfs directory doesn't
+exist. Also use the FAIL_IF() macro to provide more verbose error
+reporting if an error is encountered.
+
+Fixes: 57201d657eb7 ("selftest/powerpc: Add PAPR sysfs attributes sniff test")
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220619233103.2666171-1-mpe@ellerman.id.au
+Acked-by: Michal Suchanek
+---
+ .../powerpc/papr_attributes/attr_test.c | 30 +++++++++++--------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/tools/testing/selftests/powerpc/papr_attributes/attr_test.c b/tools/testing/selftests/powerpc/papr_attributes/attr_test.c
+index bab0dc06e90b..9b655be641c9 100644
+--- a/tools/testing/selftests/powerpc/papr_attributes/attr_test.c
++++ b/tools/testing/selftests/powerpc/papr_attributes/attr_test.c
+@@ -7,6 +7,7 @@
+ * Copyright 2022, Pratik Rajesh Sampat, IBM Corp.
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -32,7 +33,7 @@ enum type {
+ NUM_VAL
+ };
+
+-int value_type(int id)
++static int value_type(int id)
+ {
+ int val_type;
+
+@@ -54,15 +55,21 @@ int value_type(int id)
+ return val_type;
+ }
+
+-int verify_energy_info(void)
++static int verify_energy_info(void)
+ {
+ const char *path = "/sys/firmware/papr/energy_scale_info";
+ struct dirent *entry;
+ struct stat s;
+ DIR *dirp;
+
+- if (stat(path, &s) || !S_ISDIR(s.st_mode))
+- return -1;
++ errno = 0;
++ if (stat(path, &s)) {
++ SKIP_IF(errno == ENOENT);
++ FAIL_IF(errno);
++ }
++
++ FAIL_IF(!S_ISDIR(s.st_mode));
++
+ dirp = opendir(path);
+
+ while ((entry = readdir(dirp)) != NULL) {
+@@ -76,25 +83,24 @@ int verify_energy_info(void)
+
+ id = atoi(entry->d_name);
+ attr_type = value_type(id);
+- if (attr_type == INVALID)
+- return -1;
++ FAIL_IF(attr_type == INVALID);
+
+ /* Check if the files exist and have data in them */
+ sprintf(file_name, "%s/%d/desc", path, id);
+ f = fopen(file_name, "r");
+- if (!f || fgetc(f) == EOF)
+- return -1;
++ FAIL_IF(!f);
++ FAIL_IF(fgetc(f) == EOF);
+
+ sprintf(file_name, "%s/%d/value", path, id);
+ f = fopen(file_name, "r");
+- if (!f || fgetc(f) == EOF)
+- return -1;
++ FAIL_IF(!f);
++ FAIL_IF(fgetc(f) == EOF);
+
+ if (attr_type == STR_VAL) {
+ sprintf(file_name, "%s/%d/value_desc", path, id);
+ f = fopen(file_name, "r");
+- if (!f || fgetc(f) == EOF)
+- return -1;
++ FAIL_IF(!f);
++ FAIL_IF(fgetc(f) == EOF);
+ }
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch b/patches.suse/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch
new file mode 100644
index 0000000..ad49acb
--- /dev/null
+++ b/patches.suse/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch
@@ -0,0 +1,73 @@
+From 708056fba733a73d926772ea4ce9a42d240345da Mon Sep 17 00:00:00 2001
+From: Xiaoke Wang
+Date: Fri, 9 Sep 2022 19:27:21 +0800
+Subject: [PATCH] staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()
+Git-commit: 708056fba733a73d926772ea4ce9a42d240345da
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+In rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated
+in failure, then `pcmdpriv->cmd_allocated_buf` will be not properly
+released. Besides, considering there are only two error paths and the
+first one can directly return, so we do not need implicitly jump to the
+`exit` tag to execute the error handler.
+
+So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error
+path to release the resource and simplified the return logic of
+rtw_init_cmd_priv(). As there is no proper device to test with, no runtime
+testing was performed.
+
+Signed-off-by: Xiaoke Wang
+Link: https://lore.kernel.org/r/tencent_2B7931B79BA38E22205C5A09EFDF11E48805@qq.com
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Takashi Iwai
+
+---
+ drivers/staging/rtl8723bs/core/rtw_cmd.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_cmd.c
++++ b/drivers/staging/rtl8723bs/core/rtw_cmd.c
+@@ -165,8 +165,6 @@ No irqsave is necessary.
+
+ int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
+ {
+- int res = 0;
+-
+ init_completion(&pcmdpriv->cmd_queue_comp);
+ init_completion(&pcmdpriv->terminate_cmdthread_comp);
+
+@@ -178,18 +176,16 @@ int rtw_init_cmd_priv(struct cmd_priv *p
+
+ pcmdpriv->cmd_allocated_buf = rtw_zmalloc(MAX_CMDSZ + CMDBUFF_ALIGN_SZ);
+
+- if (!pcmdpriv->cmd_allocated_buf) {
+- res = -ENOMEM;
+- goto exit;
+- }
++ if (!pcmdpriv->cmd_allocated_buf)
++ return -ENOMEM;
+
+ pcmdpriv->cmd_buf = pcmdpriv->cmd_allocated_buf + CMDBUFF_ALIGN_SZ - ((SIZE_PTR)(pcmdpriv->cmd_allocated_buf) & (CMDBUFF_ALIGN_SZ-1));
+
+ pcmdpriv->rsp_allocated_buf = rtw_zmalloc(MAX_RSPSZ + 4);
+
+ if (!pcmdpriv->rsp_allocated_buf) {
+- res = -ENOMEM;
+- goto exit;
++ kfree(pcmdpriv->cmd_allocated_buf);
++ return -ENOMEM;
+ }
+
+ pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf + 4 - ((SIZE_PTR)(pcmdpriv->rsp_allocated_buf) & 3);
+@@ -199,8 +195,8 @@ int rtw_init_cmd_priv(struct cmd_priv *p
+ pcmdpriv->rsp_cnt = 0;
+
+ mutex_init(&pcmdpriv->sctx_mutex);
+-exit:
+- return res;
++
++ return 0;
+ }
+
+ static void c2h_wk_callback(_workitem * work);
diff --git a/patches.suse/staging-vt6655-fix-potential-memory-leak.patch b/patches.suse/staging-vt6655-fix-potential-memory-leak.patch
new file mode 100644
index 0000000..7c32cf6
--- /dev/null
+++ b/patches.suse/staging-vt6655-fix-potential-memory-leak.patch
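Review bot: The new error path frees `pcmdpriv->cmd_allocated_buf` but leaves that pointer, and `pcmdpriv->cmd_buf` derived from it a few lines earlier, pointing at freed memory. If a caller reacts to the `-ENOMEM` by running the normal teardown for `struct cmd_priv` (not visible in this hunk), the buffer would be freed a second time, and any later use of `cmd_buf` would touch freed memory. Clearing both right after the kfree(), `pcmdpriv->cmd_allocated_buf = NULL;` and `pcmdpriv->cmd_buf = NULL;`, makes the failure path safe whatever the caller does. The commit message notes that no runtime testing was performed, so this path has only been reviewed, not exercised.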
@@ -0,0 +1,42 @@
+From c8ff91535880d41b49699b3829fb6151942de29e Mon Sep 17 00:00:00 2001
+From: Nam Cao
+Date: Fri, 9 Sep 2022 16:13:39 +0200
+Subject: [PATCH] staging: vt6655: fix potential memory leak
+Git-commit: c8ff91535880d41b49699b3829fb6151942de29e
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+In function device_init_td0_ring, memory is allocated for member
+td_info of priv->apTD0Rings[i], with i increasing from 0. In case of
+allocation failure, the memory is freed in reversed order, with i
+decreasing to 0. However, the case i=0 is left out and thus memory is
+leaked.
+
+Modify the memory freeing loop to include the case i=0.
+
+Tested-by: Philipp Hortmann
+Signed-off-by: Nam Cao
+Link: https://lore.kernel.org/r/20220909141338.19343-1-namcaov@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Takashi Iwai
+
+---
+ drivers/staging/vt6655/device_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
+index 0d8876278953..04d737012cef 100644
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -742,7 +742,7 @@ static int device_init_td0_ring(struct vnt_private *priv)
+ return 0;
+
+ err_free_desc:
+- while (--i) {
++ while (i--) {
+ desc = &priv->apTD0Rings[i];
+ kfree(desc->td_info);
+ }
+--
+2.35.3
+
diff --git a/patches.suse/thermal-intel_powerclamp-Use-first-online-CPU-as-con.patch b/patches.suse/thermal-intel_powerclamp-Use-first-online-CPU-as-con.patch
new file mode 100644
index 0000000..a73af31
--- /dev/null
+++ b/patches.suse/thermal-intel_powerclamp-Use-first-online-CPU-as-con.patch
@@ -0,0 +1,44 @@
+From 4bb7f6c2781e46fc5bd00475a66df2ea30ef330d Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Thu, 13 Oct 2022 14:50:28 +0200
+Subject: [PATCH] thermal: intel_powerclamp: Use first online CPU as control_cpu
+Git-commit: 4bb7f6c2781e46fc5bd00475a66df2ea30ef330d
+Patch-mainline: v6.1-rc2
+References: git-fixes
+
+Commit 68b99e94a4a2 ("thermal: intel_powerclamp: Use get_cpu() instead
+of smp_processor_id() to avoid crash") fixed an issue related to using
+smp_processor_id() in preemptible context by replacing it with a pair
+of get_cpu()/put_cpu(), but what is needed there really is any online
+CPU and not necessarily the one currently running the code. Arguably,
+getting the one that's running the code in there is confusing.
+
+For this reason, simply give the control CPU role to the first online
+one which automatically will be CPU0 if it is online, so one check
+can be dropped from the code for an added benefit.
+
+Link: https://lore.kernel.org/linux-pm/20221011113646.GA12080@duo.ucw.cz/
+Fixes: 68b99e94a4a2 ("thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash")
+Signed-off-by: Rafael J. Wysocki
+Reviewed-by: Chen Yu
+Acked-by: Takashi Iwai
+
+---
+ drivers/thermal/intel/intel_powerclamp.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/thermal/intel/intel_powerclamp.c
++++ b/drivers/thermal/intel/intel_powerclamp.c
+@@ -534,11 +534,7 @@ static int start_power_clamp(void)
+ get_online_cpus();
+
+ /* prefer BSP */
+- control_cpu = 0;
+- if (!cpu_online(control_cpu)) {
+- control_cpu = get_cpu();
+- put_cpu();
+- }
++ control_cpu = cpumask_first(cpu_online_mask);
+
+ clamping = true;
+ schedule_delayed_work(&poll_pkg_cstate_work, 0);
diff --git a/patches.suse/thermal-intel_powerclamp-Use-get_cpu-instead-of-smp_.patch b/patches.suse/thermal-intel_powerclamp-Use-get_cpu-instead-of-smp_.patch
new file mode 100644
index 0000000..ef8fc67
--- /dev/null
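Review bot: The `/* prefer BSP */` comment kept above the new assignment in start_power_clamp() no longer describes it, because `cpumask_first(cpu_online_mask)` takes the lowest-numbered online CPU instead of testing CPU 0 explicitly. I would reword it to `/* use the first online CPU; that is CPU0 whenever it is online */`. The selection sits after `get_online_cpus()` in the context lines; the matching put and the rest of the function are outside the hunk, so whether control_cpu is chosen again when that CPU later goes offline cannot be checked from here.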
+++ b/patches.suse/thermal-intel_powerclamp-Use-get_cpu-instead-of-smp_.patch
@@ -0,0 +1,61 @@
+From 68b99e94a4a2db6ba9b31fe0485e057b9354a640 Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada
+Date: Tue, 20 Sep 2022 04:06:57 -0700
+Subject: [PATCH] thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
+Git-commit: 68b99e94a4a2db6ba9b31fe0485e057b9354a640
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+When CPU 0 is offline and intel_powerclamp is used to inject
+idle, it generates kernel BUG:
+
+Bug: using smp_processor_id() in preemptible [00000000] code: bash/15687
+caller is debug_smp_processor_id+0x17/0x20
+Cpu: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57
+Call Trace:
+
+dump_stack_lvl+0x49/0x63
+dump_stack+0x10/0x16
+check_preemption_disabled+0xdd/0xe0
+debug_smp_processor_id+0x17/0x20
+powerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]
+...
+...
+
+Here CPU 0 is the control CPU by default and changed to the current CPU,
+if CPU 0 offlined. This check has to be performed under cpus_read_lock(),
+hence the above warning.
+
+Use get_cpu() instead of smp_processor_id() to avoid this BUG.
+
+Suggested-by: Chen Yu
+Signed-off-by: Srinivas Pandruvada
+[ rjw: Subject edits ]
+
+Signed-off-by: Rafael J. Wysocki
+Acked-by: Takashi Iwai
+
+---
+ drivers/thermal/intel/intel_powerclamp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/intel/intel_powerclamp.c b/drivers/thermal/intel/intel_powerclamp.c
+index c841ab37e7c6..46cd799af148 100644
+--- a/drivers/thermal/intel/intel_powerclamp.c
++++ b/drivers/thermal/intel/intel_powerclamp.c
+@@ -532,8 +532,10 @@ static int start_power_clamp(void)
+
+ /* prefer BSP */
+ control_cpu = 0;
+- if (!cpu_online(control_cpu))
+- control_cpu = smp_processor_id();
++ if (!cpu_online(control_cpu)) {
++ control_cpu = get_cpu();
++ put_cpu();
++ }
+
+ clamping = true;
+ schedule_delayed_work(&poll_pkg_cstate_work, 0);
+--
+2.35.3
+
diff --git a/patches.suse/usb-add-quirks-for-Lenovo-OneLink-Dock-37d49519b414.patch b/patches.suse/usb-add-quirks-for-Lenovo-OneLink-Dock-37d49519b414.patch
new file mode 100644
index 0000000..f6f248f
--- /dev/null
+++ b/patches.suse/usb-add-quirks-for-Lenovo-OneLink-Dock-37d49519b414.patch
@@ -0,0 +1,153 @@ +From 37d49519b41405b08748392c6a7f193d9f77ecd2 Mon Sep 17 00:00:00 2001 +From: Jean-Francois Le Fillatre +Date: Tue, 27 Sep 2022 09:34:07 +0200 +Subject: [PATCH] usb: add quirks for Lenovo OneLink+ Dock +Git-commit: 37d49519b41405b08748392c6a7f193d9f77ecd2 +Patch-mainline: v6.1-rc1 +References: git-fixes + +The Lenovo OneLink+ Dock contains two VL812 USB3.0 controllers: +17ef:1018 upstream +17ef:1019 downstream + +These hubs suffer from two separate problems: + +1) After the host system was suspended and woken up, the hubs appear to + be in a random state. Some downstream ports (both internal to the + built-in audio and network controllers, and external to USB sockets) + may no longer be functional. The exact list of disabled ports (if + any) changes from wakeup to wakeup. Ports remain in that state until + the dock is power-cycled, or until the laptop is rebooted. + + Wakeup sources connected to the hubs (keyboard, WoL on the integrated + gigabit controller) will wake the system up from suspend, but they + may no longer work after wakeup (and in that case will no longer work + as wakeup source in a subsequent suspend-wakeup cycle). + + This issue appears in the logs with messages such as: + + usb 1-6.1-port4: cannot disable (err = -71) + usb 1-6-port2: cannot disable (err = -71) + usb 1-6.1: clear tt 1 (80c0) error -71 + usb 1-6-port4: cannot disable (err = -71) + usb 1-6.4: PM: dpm_run_callback(): usb_dev_resume+0x0/0x10 [usbcore] returns -71 + usb 1-6.4: PM: failed to resume async: error -71 + usb 1-7: reset full-speed USB device number 5 using xhci_hcd + usb 1-6.1-port1: cannot reset (err = -71) + usb 1-6.1-port1: cannot reset (err = -71) + usb 1-6.1-port1: cannot reset (err = -71) + usb 1-6.1-port1: cannot reset (err = -71) + usb 1-6.1-port1: cannot reset (err = -71) + usb 1-6.1-port1: Cannot enable. Maybe the USB cable is bad? 
+ usb 1-6.1-port1: cannot disable (err = -71) + usb 1-6.1-port1: cannot reset (err = -71) + usb 1-6.1-port1: cannot reset (err = -71) + usb 1-6.1-port1: cannot reset (err = -71) + usb 1-6.1-port1: cannot reset (err = -71) + usb 1-6.1-port1: cannot reset (err = -71) + usb 1-6.1-port1: Cannot enable. Maybe the USB cable is bad? + usb 1-6.1-port1: cannot disable (err = -71) + +2) Some USB devices cannot be enumerated properly. So far I have only + seen the issue with USB 3.0 devices. The same devices work without + problem directly connected to the host system, to other systems or to + other hubs (even when those hubs are connected to the OneLink+ dock). + + One very reliable reproducer is this USB 3.0 HDD enclosure: + 152d:9561 JMicron Technology Corp. / JMicron USA Technology Corp. Mobius + + I have seen it happen sporadically with other USB 3.0 enclosures, + with controllers from different manufacturers, all self-powered. + + Typical messages in the logs: + + xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command + xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command + usb 2-1.4: device not accepting address 6, error -62 + xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command + xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command + usb 2-1.4: device not accepting address 7, error -62 + usb 2-1-port4: attempt power cycle + xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command + xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command + usb 2-1.4: device not accepting address 8, error -62 + xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command + xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command + usb 2-1.4: device not accepting address 9, error -62 + usb 2-1-port4: unable to enumerate USB device + +Through trial and error, I found that the USB_QUIRK_RESET_RESUME solved +the second issue. Further testing then uncovered the first issue. 
Test +results are summarized in this table: + +======================================================================================= +Settings USB2 hotplug USB3 hotplug State after waking up + +Acked-by: Takashi Iwai + +--------------------------------------------------------------------------------------- + +power/control=auto works fails broken + +usbcore.autosuspend=-1 works works broken +OR power/control=on + +power/control=auto works (1) works (1) works +and USB_QUIRK_RESET_RESUME + +power/control=on works works works +and USB_QUIRK_RESET_RESUME + +HUB_QUIRK_DISABLE_AUTOSUSPEND works works works +and USB_QUIRK_RESET_RESUME + +======================================================================================= + +In those results, the power/control settings are applied to both hubs, +both on the USB2 and USB3 side, before each test. + +From those results, USB_QUIRK_RESET_RESUME is required to reset the hubs +properly after a suspend-wakeup cycle, and the hubs must not autosuspend +to work around the USB3 issue. + +A secondary effect of USB_QUIRK_RESET_RESUME is to prevent the hubs' +upstream links from suspending (the downstream ports can still suspend). +This secondary effect is used in results (1). It is enough to solve the +USB3 problem. + +Setting USB_QUIRK_RESET_RESUME on those hubs is the smallest patch that +solves both issues. + +Prior to creating this patch, I have used the USB_QUIRK_RESET_RESUME via +the kernel command line for over a year without noticing any side +effect. + +Thanks to Oliver Neukum @Suse for explanations of the operations of +USB_QUIRK_RESET_RESUME, and requesting more testing. 
+ +Signed-off-by: Jean-Francois Le Fillatre +Cc: stable +Link: https://lore.kernel.org/r/20220927073407.5672-1-jflf_kernel@gmx.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 11b27953ccd0..0722d2131305 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -446,6 +446,10 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x1532, 0x0116), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + ++ /* Lenovo ThinkPad OneLink+ Dock twin hub controllers (VIA Labs VL812) */ ++ { USB_DEVICE(0x17ef, 0x1018), .driver_info = USB_QUIRK_RESET_RESUME }, ++ { USB_DEVICE(0x17ef, 0x1019), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + /* Lenovo USB-C to Ethernet Adapter RTL8153-04 */ + { USB_DEVICE(0x17ef, 0x720c), .driver_info = USB_QUIRK_NO_LPM }, + +-- +2.35.3 + diff --git a/patches.suse/usb-bdc-change-state-when-port-disconnected.patch b/patches.suse/usb-bdc-change-state-when-port-disconnected.patch new file mode 100644 index 0000000..2a99068 --- /dev/null +++ b/patches.suse/usb-bdc-change-state-when-port-disconnected.patch 
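Review bot: The `Acked-by: Takashi Iwai` tag of this patch file has landed inside the commit message's results table, between the column-header row and the dashed separator, instead of in the trailer block, which ends at `Signed-off-by: Greg Kroah-Hartman` without it. It looks as if the tag was inserted ahead of the first line that begins with dashes; that is an inference from the placement, since the tooling is not shown. Move the line to follow the last `Signed-off-by:` so the table reads as its author wrote it and the tag sits with the other trailers.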
@@ -0,0 +1,39 @@
+From fb8f60dd1b67520e0e0d7978ef17d015690acfc1 Mon Sep 17 00:00:00 2001
+From: Justin Chen
+Date: Wed, 5 Oct 2022 12:13:55 -0700
+Subject: [PATCH] usb: bdc: change state when port disconnected
+Git-commit: fb8f60dd1b67520e0e0d7978ef17d015690acfc1
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+When port is connected and then disconnected, the state stays as
+configured. Which is incorrect as the port is no longer configured,
+but in a not attached state.
+
+Signed-off-by: Justin Chen
+Acked-by: Florian Fainelli
+Fixes: efed421a94e6 ("usb: gadget: Add UDC driver for Broadcom USB3.0 device controller IP BDC")
+Cc: stable
+Link: https://lore.kernel.org/r/1664997235-18198-1-git-send-email-justinpopo6@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Takashi Iwai
+
+---
+ drivers/usb/gadget/udc/bdc/bdc_udc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/bdc/bdc_udc.c b/drivers/usb/gadget/udc/bdc/bdc_udc.c
+index 5ac0ef88334e..53ffaf4e2e37 100644
+--- a/drivers/usb/gadget/udc/bdc/bdc_udc.c
++++ b/drivers/usb/gadget/udc/bdc/bdc_udc.c
+@@ -151,6 +151,7 @@ static void bdc_uspc_disconnected(struct bdc *bdc, bool reinit)
+ bdc->delayed_status = false;
+ bdc->reinit = reinit;
+ bdc->test_mode = false;
++ usb_gadget_set_state(&bdc->gadget, USB_STATE_NOTATTACHED);
+ }
+
+ /* TNotify wkaeup timer */
+--
+2.35.3
+
diff --git a/patches.suse/usb-dwc3-gadget-Don-t-set-IMI-for-no_interrupt.patch b/patches.suse/usb-dwc3-gadget-Don-t-set-IMI-for-no_interrupt.patch
new file mode 100644
index 0000000..cced472
--- /dev/null
+++ b/patches.suse/usb-dwc3-gadget-Don-t-set-IMI-for-no_interrupt.patch
@@ -0,0 +1,45 @@
+From 308c316d16cbad99bb834767382baa693ac42169 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen
+Date: Tue, 25 Oct 2022 15:10:20 -0700
+Subject: [PATCH] usb: dwc3: gadget: Don't set IMI for no_interrupt
+Git-commit: 308c316d16cbad99bb834767382baa693ac42169
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+The gadget driver may have a certain expectation of how the request
+completion flow should be from to its configuration. Make sure the
+controller driver respect that. That is, don't set IMI (Interrupt on
+Missed Isoc) when usb_request->no_interrupt is set. Also, the driver
+should only set IMI to the last TRB of a chain.
+
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen
+Reviewed-by: Jeff Vanhoof
+Tested-by: Jeff Vanhoof
+Link: https://lore.kernel.org/r/ced336c84434571340c07994e3667a0ee284fefe.1666735451.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Takashi Iwai
+
+---
+ drivers/usb/dwc3/gadget.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 230b3c660054..5fe2d136dff5 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1292,8 +1292,8 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
+ trb->ctrl = DWC3_TRBCTL_ISOCHRONOUS;
+ }
+
+- /* always enable Interrupt on Missed ISOC */
+- trb->ctrl |= DWC3_TRB_CTRL_ISP_IMI;
++ if (!no_interrupt && !chain)
++ trb->ctrl |= DWC3_TRB_CTRL_ISP_IMI;
+ break;
+
+ case USB_ENDPOINT_XFER_BULK:
+--
+2.35.3
+
diff --git a/patches.suse/usb-dwc3-gadget-Stop-processing-more-requests-on-IMI.patch b/patches.suse/usb-dwc3-gadget-Stop-processing-more-requests-on-IMI.patch
new file mode 100644
index 0000000..c862264
--- /dev/null
+++ b/patches.suse/usb-dwc3-gadget-Stop-processing-more-requests-on-IMI.patch
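Review bot: The new condition `if (!no_interrupt && !chain)` in dwc3_prepare_one_trb() replaces a commented line with an uncommented one, and it is coupled to the early return added by usb-dwc3-gadget-Stop-processing-more-requests-on-IMI.patch, which stops reclaiming only when `DWC3_TRB_CTRL_ISP_IMI` is set on the TRB. I would add `/* IMI only on the last TRB of a chain, and only when the request asks for an interrupt */` here and `/* missed isoc with IMI: later TRBs may still be owned by the controller, stop reclaiming */` above the check in dwc3_gadget_ep_reclaim_completed_trb(). With both patches applied, a missed-isoc TRB from a no_interrupt request no longer matches that check; this is presumably intended, but it is worth stating because that patch's description names the check as what keeps the driver off TRBs the hardware still owns. Both functions extend beyond their hunks.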
@@ -0,0 +1,52 @@
+From f78961f8380b940e0cfc7e549336c21a2ad44f4d Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen
+Date: Tue, 25 Oct 2022 15:10:14 -0700
+Subject: [PATCH] usb: dwc3: gadget: Stop processing more requests on IMI
+Git-commit: f78961f8380b940e0cfc7e549336c21a2ad44f4d
+Patch-mainline: v6.1-rc3
+References: git-fixes
+
+When servicing a transfer completion event, the dwc3 driver will reclaim
+TRBs of started requests up to the request associated with the interrupt
+event. Currently we don't check for interrupt due to missed isoc, and
+the driver may attempt to reclaim TRBs beyond the associated event. This
+causes invalid memory access when the hardware still owns the TRB. If
+there's a missed isoc TRB with IMI (interrupt on missed isoc), make sure
+to stop servicing further.
+
+Note that only the last TRB of chained TRBs has its status updated with
+missed isoc.
+
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Cc: stable@vger.kernel.org
+Reported-by: Jeff Vanhoof
+Reported-by: Dan Vacura
+Signed-off-by: Thinh Nguyen
+Reviewed-by: Jeff Vanhoof
+Tested-by: Jeff Vanhoof
+Link: https://lore.kernel.org/r/b29acbeab531b666095dfdafd8cb5c7654fbb3e1.1666735451.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Takashi Iwai
+
+---
+ drivers/usb/dwc3/gadget.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index dd8ecbe61bec..230b3c660054 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -3248,6 +3248,10 @@ static int dwc3_gadget_ep_reclaim_completed_trb(struct dwc3_ep *dep,
+ if (event->status & DEPEVT_STATUS_SHORT && !chain)
+ return 1;
+
++ if ((trb->ctrl & DWC3_TRB_CTRL_ISP_IMI) &&
++ DWC3_TRB_SIZE_TRBSTS(trb->size) == DWC3_TRBSTS_MISSED_ISOC)
++ return 1;
++
+ if ((trb->ctrl & DWC3_TRB_CTRL_IOC) ||
+ (trb->ctrl & DWC3_TRB_CTRL_LST))
+ return 1;
+--
+2.35.3
+
diff --git a/patches.suse/usb-host-xhci-Fix-potential-memory-leak-in-xhci_allo.patch b/patches.suse/usb-host-xhci-Fix-potential-memory-leak-in-xhci_allo.patch
new file mode 100644
index 0000000..c8c9c76
--- /dev/null
+++ b/patches.suse/usb-host-xhci-Fix-potential-memory-leak-in-xhci_allo.patch
@@ -0,0 +1,55 @@
+From 7e271f42a5cc3768cd2622b929ba66859ae21f97 Mon Sep 17 00:00:00 2001
+From: Jianglei Nie
+Date: Wed, 21 Sep 2022 15:34:45 +0300
+Subject: [PATCH] usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()
+Git-commit: 7e271f42a5cc3768cd2622b929ba66859ae21f97
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+xhci_alloc_stream_info() allocates stream context array for stream_info
+->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,
+stream_info->stream_ctx_array is not released, which will lead to a
+memory leak.
+
+We can fix it by releasing the stream_info->stream_ctx_array with
+xhci_free_stream_ctx() on the error path to avoid the potential memory
+leak.
+
+Signed-off-by: Jianglei Nie
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20220921123450.671459-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Takashi Iwai
+
+---
+ drivers/usb/host/xhci-mem.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 8c19e151a945..9e56aa28efcd 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -641,7 +641,7 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci,
+ num_stream_ctxs, &stream_info->ctx_array_dma,
+ mem_flags);
+ if (!stream_info->stream_ctx_array)
+- goto cleanup_ctx;
++ goto cleanup_ring_array;
+ memset(stream_info->stream_ctx_array, 0,
+ sizeof(struct xhci_stream_ctx)*num_stream_ctxs);
+
+@@ -702,6 +702,11 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci,
+ }
+ xhci_free_command(xhci, stream_info->free_streams_command);
+ cleanup_ctx:
++ xhci_free_stream_ctx(xhci,
++ stream_info->num_stream_ctxs,
++ stream_info->stream_ctx_array,
++ stream_info->ctx_array_dma);
++cleanup_ring_array:
+ kfree(stream_info->stream_rings);
+ cleanup_info:
+ kfree(stream_info);
+--
+2.35.3
+
diff --git a/patches.suse/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch b/patches.suse/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch
new file mode 100644
index 0000000..92407fd
--- /dev/null
+++ b/patches.suse/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch
@@ -0,0 +1,59 @@
+From bce2b0539933e485d22d6f6f076c0fcd6f185c4c Mon Sep 17 00:00:00 2001
+From: Dongliang Mu
+Date: Thu, 22 Sep 2022 21:48:44 +0800
+Subject: [PATCH] usb: idmouse: fix an uninit-value in idmouse_open
+Git-commit: bce2b0539933e485d22d6f6f076c0fcd6f185c4c
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+In idmouse_create_image, if any ftip_command fails, it will
+go to the reset label. However, this leads to the data in
+bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check
+for valid image incurs an uninitialized dereference.
+
+Fix this by moving the check before reset label since this
+check only be valid if the data after bulk_in_buffer[HEADER]
+has concrete data.
+
+Note that this is found by KMSAN, so only kernel compilation
+is tested.
+
+Reported-by: syzbot+79832d33eb89fb3cd092@syzkaller.appspotmail.com
+Signed-off-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20220922134847.1101921-1-dzm91@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Takashi Iwai
+
+---
+ drivers/usb/misc/idmouse.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c
+index e9437a176518..ea39243efee3 100644
+--- a/drivers/usb/misc/idmouse.c
++++ b/drivers/usb/misc/idmouse.c
+@@ -177,10 +177,6 @@ static int idmouse_create_image(struct usb_idmouse *dev)
+ bytes_read += bulk_read;
+ }
+
+- /* reset the device */
+-reset:
+- ftip_command(dev, FTIP_RELEASE, 0, 0);
+-
+ /* check for valid image */
+ /* right border should be black (0x00) */
+ for (bytes_read = sizeof(HEADER)-1 + WIDTH-1; bytes_read < IMGSIZE; bytes_read += WIDTH)
+@@ -192,6 +188,10 @@ static int idmouse_create_image(struct usb_idmouse *dev)
+ if (dev->bulk_in_buffer[bytes_read] != 0xFF)
+ return -EAGAIN;
+
++ /* reset the device */
++reset:
++ ftip_command(dev, FTIP_RELEASE, 0, 0);
++
+ /* should be IMGSIZE == 65040 */
+ dev_dbg(&dev->interface->dev, "read %d bytes fingerprint data\n",
+ bytes_read);
+--
+2.35.3 + diff --git a/patches.suse/usb-mon-make-mmapped-memory-read-only.patch b/patches.suse/usb-mon-make-mmapped-memory-read-only.patch index ff530f7..1af5916 100644 --- a/patches.suse/usb-mon-make-mmapped-memory-read-only.patch +++ b/patches.suse/usb-mon-make-mmapped-memory-read-only.patch @@ -3,8 +3,8 @@ From: Tadeusz Struk Date: Mon, 19 Sep 2022 14:59:57 -0700 Subject: [PATCH] usb: mon: make mmapped memory read only Git-commit: a659daf63d16aa883be42f3f34ff84235c302198 +References: bsc#1204653 CVE-2022-43750 Patch-mainline: v6.1-rc1 -References: git-fixes Syzbot found an issue in usbmon module, where the user space client can corrupt the monitor's internal memory, causing the usbmon module to diff --git a/patches.suse/usb-musb-Fix-musb_gadget.c-rxstate-overflow-bug.patch b/patches.suse/usb-musb-Fix-musb_gadget.c-rxstate-overflow-bug.patch new file mode 100644 index 0000000..d456ad0 --- /dev/null +++ b/patches.suse/usb-musb-Fix-musb_gadget.c-rxstate-overflow-bug.patch 
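Review bot: In the idmouse patch, the `return -EAGAIN;` after the `!= 0xFF` test in idmouse_create_image() now sits ahead of the relocated `reset:` label, so a read that completes but fails the image check returns without `ftip_command(dev, FTIP_RELEASE, 0, 0)` being sent; before the move the release ran ahead of the check on every path. The exit of the right-border loop falls between the two hunks and presumably behaves the same way. I would set the function's status to -EAGAIN and use `goto reset;` in place of the direct return, so the device is released on the rejected-image path as well; the status variable and the final return are outside the hunk, so the exact assignment has to be confirmed there.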
@@ -0,0 +1,42 @@
+From eea4c860c3b366369eff0489d94ee4f0571d467d Mon Sep 17 00:00:00 2001
+From: Robin Guo
+Date: Tue, 6 Sep 2022 10:21:19 +0800
+Subject: [PATCH] usb: musb: Fix musb_gadget.c rxstate overflow bug
+Git-commit: eea4c860c3b366369eff0489d94ee4f0571d467d
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+The usb function device call musb_gadget_queue() adds the passed
+request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz)
+and (is_buffer_mapped(req) return false),the rxstate() will copy all data
+in fifo to request->buf which may cause request->buf out of bounds.
+
+Fix it by add the length check :
+fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
+
+Signed-off-by: Robin Guo
+Link: https://lore.kernel.org/r/20220906102119.1b071d07a8391ff115e6d1ef@inspur.com
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Takashi Iwai
+
+---
+ drivers/usb/musb/musb_gadget.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
+index daada4b66a92..6704a62a1665 100644
+--- a/drivers/usb/musb/musb_gadget.c
++++ b/drivers/usb/musb/musb_gadget.c
+@@ -760,6 +760,9 @@ static void rxstate(struct musb *musb, struct musb_request *req)
+ musb_writew(epio, MUSB_RXCSR, csr);
+
+ buffer_aint_mapped:
++ fifo_count = min_t(unsigned int,
++ request->length - request->actual,
++ (unsigned int)fifo_count);
+ musb_read_fifo(musb_ep->hw_ep, fifo_count, (u8 *)
+ (request->buf + request->actual));
+ request->actual += fifo_count;
+--
+2.35.3
+
diff --git a/patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch b/patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch
index 6aef07a..471a377 100644
--- a/patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch
+++ b/patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch
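Review bot: The clamp added at `buffer_aint_mapped:` in rxstate() is the only bound visible between the label and the `musb_read_fifo()` copy into `request->buf + request->actual`, and nothing in the code says that this is its purpose. I would put `/* never read more from the FIFO than the space left in request->buf */` above the `min_t()`. The subtraction `request->length - request->actual` assumes that actual never exceeds length; any guard for that lies outside the hunk, as does the rest of the function, so it should be confirmed there.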
@@ -4,7 +4,7 @@ Date: Mon, 8 Aug 2022 11:04:47 -0700 Subject: [PATCH] vsock: Fix memory leak in vsock_connect() Git-commit: 7e97cfed9929eaabc41829c395eb0d1350fccb9d Patch-mainline: v6.0-rc1 -References: git-fixes +References: CVE-2022-3629 bsc#1204635 An O_NONBLOCK vsock_connect() request may try to reschedule @connect_work. Imagine the following sequence of vsock_connect() diff --git a/patches.suse/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch b/patches.suse/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch new file mode 100644 index 0000000..6f489ba --- /dev/null +++ b/patches.suse/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch 
@@ -0,0 +1,152 @@ +From b383e8abed41cc6ff1a3b34de75df9397fa4878c Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Tue, 16 Aug 2022 23:46:13 +0900 +Subject: [PATCH] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: b383e8abed41cc6ff1a3b34de75df9397fa4878c +Patch-mainline: v6.1-rc1 +References: git-fixes + +syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for +ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with +pkt_len = 0 but ath9k_hif_usb_rx_stream() uses +__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that +pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb +with uninitialized memory and ath9k_htc_rx_msg() is reading from +uninitialized memory. + +Since bytes accessed by ath9k_htc_rx_msg() is not known until +ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid +pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in +ath9k_hif_usb_rx_stream(). + +We have two choices. One is to workaround by adding __GFP_ZERO so that +ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let +ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose +the latter. + +Note that I'm not sure threshold condition is correct, for I can't find +details on possible packet length used by this protocol. 
+ +Link: https://syzkaller.appspot.com/bug?extid=2ca247c2d60c7023de7f [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 43 +++++++++++++++--------- + 1 file changed, 28 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 994ec48b2f66..ca05b07a45e6 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -364,33 +364,27 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle, + } + + static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle, +- struct sk_buff *skb) ++ struct sk_buff *skb, u32 len) + { + uint32_t *pattern = (uint32_t *)skb->data; + +- switch (*pattern) { +- case 0x33221199: +- { ++ if (*pattern == 0x33221199 && len >= sizeof(struct htc_panic_bad_vaddr)) { + struct htc_panic_bad_vaddr *htc_panic; + htc_panic = (struct htc_panic_bad_vaddr *) skb->data; + dev_err(htc_handle->dev, "ath: firmware panic! " + "exccause: 0x%08x; pc: 0x%08x; badvaddr: 0x%08x.\n", + htc_panic->exccause, htc_panic->pc, + htc_panic->badvaddr); +- break; +- } +- case 0x33221299: +- { ++ return; ++ } ++ if (*pattern == 0x33221299) { + struct htc_panic_bad_epid *htc_panic; + htc_panic = (struct htc_panic_bad_epid *) skb->data; + dev_err(htc_handle->dev, "ath: firmware panic! " + "bad epid: 0x%08x\n", htc_panic->epid); +- break; +- } +- default: +- dev_err(htc_handle->dev, "ath: unknown panic pattern!\n"); +- break; ++ return; + } ++ dev_err(htc_handle->dev, "ath: unknown panic pattern!\n"); + } + + /* +@@ -411,16 +405,26 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, + if (!htc_handle || !skb) + return; + ++ /* A valid message requires len >= 8. 
++ * ++ * sizeof(struct htc_frame_hdr) == 8 ++ * sizeof(struct htc_ready_msg) == 8 ++ * sizeof(struct htc_panic_bad_vaddr) == 16 ++ * sizeof(struct htc_panic_bad_epid) == 8 ++ */ ++ if (unlikely(len < sizeof(struct htc_frame_hdr))) ++ goto invalid; + htc_hdr = (struct htc_frame_hdr *) skb->data; + epid = htc_hdr->endpoint_id; + + if (epid == 0x99) { +- ath9k_htc_fw_panic_report(htc_handle, skb); ++ ath9k_htc_fw_panic_report(htc_handle, skb, len); + kfree_skb(skb); + return; + } + + if (epid < 0 || epid >= ENDPOINT_MAX) { ++invalid: + if (pipe_id != USB_REG_IN_PIPE) + dev_kfree_skb_any(skb); + else +@@ -432,21 +436,30 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, + + /* Handle trailer */ + if (htc_hdr->flags & HTC_FLAGS_RECV_TRAILER) { +- if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000) ++ if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000) { + /* Move past the Watchdog pattern */ + htc_hdr = (struct htc_frame_hdr *)(skb->data + 4); ++ len -= 4; ++ } + } + + /* Get the message ID */ ++ if (unlikely(len < sizeof(struct htc_frame_hdr) + sizeof(__be16))) ++ goto invalid; + msg_id = (__be16 *) ((void *) htc_hdr + + sizeof(struct htc_frame_hdr)); + + /* Now process HTC messages */ + switch (be16_to_cpu(*msg_id)) { + case HTC_MSG_READY_ID: ++ if (unlikely(len < sizeof(struct htc_ready_msg))) ++ goto invalid; + htc_process_target_rdy(htc_handle, htc_hdr); + break; + case HTC_MSG_CONNECT_SERVICE_RESPONSE_ID: ++ if (unlikely(len < sizeof(struct htc_frame_hdr) + ++ sizeof(struct htc_conn_svc_rspmsg))) ++ goto invalid; + htc_process_conn_rsp(htc_handle, htc_hdr); + break; + default: +-- +2.35.3 + diff --git a/patches.suse/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch b/patches.suse/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch new file mode 100644 index 0000000..6b0ad34 --- /dev/null +++ b/patches.suse/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch 
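Review bot: In ath9k_htc_fw_panic_report() only the 0x33221199 branch tests `len`; the 0x33221299 branch reads `struct htc_panic_bad_epid` relying on the caller's `len < sizeof(struct htc_frame_hdr)` check and on both structures being 8 bytes, as the size comment in ath9k_htc_rx_msg() lists. Making that explicit costs one condition, `if (*pattern == 0x33221299 && len >= sizeof(struct htc_panic_bad_epid)) {`. As written, a 0x33221199 report shorter than `struct htc_panic_bad_vaddr` is logged as "unknown panic pattern", which hides that the pattern matched and the message was too short. Separately, the READY case compares `len` with `sizeof(struct htc_ready_msg)` alone while the CONNECT_SERVICE_RESPONSE case adds the frame header; both helpers are outside the hunk, so a comment stating where each one starts parsing would let a reader check the two bounds.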
@@ -0,0 +1,109 @@ +From aa666b68e73fc06d83c070d96180b9010cf5a960 Mon Sep 17 00:00:00 2001 +From: Wright Feng +Date: Fri, 22 Jul 2022 13:56:28 +0200 +Subject: [PATCH] wifi: brcmfmac: fix invalid address access when enabling SCAN log level +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: aa666b68e73fc06d83c070d96180b9010cf5a960 +Patch-mainline: v6.1-rc1 +References: git-fixes + +The variable i is changed when setting random MAC address and causes +invalid address access when printing the value of pi->reqs[i]->reqid. + +We replace reqs index with ri to fix the issue. + +[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 +[ 136.737365] Mem abort info: +[ 136.740172] ESR = 0x96000004 +[ 136.743359] Exception class = DABT (current EL), IL = 32 bits +[ 136.749294] SET = 0, FnV = 0 +[ 136.752481] EA = 0, S1PTW = 0 +[ 136.755635] Data abort info: +[ 136.758514] ISV = 0, ISS = 0x00000004 +[ 136.762487] CM = 0, WnR = 0 +[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577 +[ 136.772265] [0000000000000000] pgd=0000000000000000 +[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O) +[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb) +[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1 +[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT) +[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO) +[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] +[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac] +[ 136.828162] sp : ffff00000e9a3880 +[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400 +[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0 +[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400 +[ 136.847409] x23: ffff0000012bf638 x22: 
ffff0000012bf6d8 +[ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400 +[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000 +[ 136.863343] x17: 0000000000000000 x16: 0000000000000000 +[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050 +[ 136.873966] x13: 0000000000003135 x12: 0000000000000000 +[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888 +[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008 +[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d +[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942 +[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8 +[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000 +[ 136.911146] Call trace: +[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] +[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac] +[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac] +[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211] +[ 136.937298] genl_rcv_msg+0x358/0x3f4 +[ 136.940960] netlink_rcv_skb+0xb4/0x118 +[ 136.944795] genl_rcv+0x34/0x48 +[ 136.947935] netlink_unicast+0x264/0x300 +[ 136.951856] netlink_sendmsg+0x2e4/0x33c +[ 136.955781] __sys_sendto+0x120/0x19c + +Signed-off-by: Wright Feng +Signed-off-by: Chi-hsien Lin +Signed-off-by: Ahmad Fatoum +Signed-off-by: Alvin Å ipraga +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220722115632.620681-4-alvin@pqrs.dk +Acked-by: Takashi Iwai + +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/pno.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c +index fabfbb0b40b0..d0a7465be586 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c +@@ -158,12 +158,12 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi) + struct brcmf_pno_macaddr_le 
pfn_mac; + u8 *mac_addr = NULL; + u8 *mac_mask = NULL; +- int err, i; ++ int err, i, ri; + +- for (i = 0; i < pi->n_reqs; i++) +- if (pi->reqs[i]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) { +- mac_addr = pi->reqs[i]->mac_addr; +- mac_mask = pi->reqs[i]->mac_addr_mask; ++ for (ri = 0; ri < pi->n_reqs; ri++) ++ if (pi->reqs[ri]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) { ++ mac_addr = pi->reqs[ri]->mac_addr; ++ mac_mask = pi->reqs[ri]->mac_addr_mask; + break; + } + +@@ -185,7 +185,7 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi) + pfn_mac.mac[0] |= 0x02; + + brcmf_dbg(SCAN, "enabling random mac: reqid=%llu mac=%pM\n", +- pi->reqs[i]->reqid, pfn_mac.mac); ++ pi->reqs[ri]->reqid, pfn_mac.mac); + err = brcmf_fil_iovar_data_set(ifp, "pfn_macaddr", &pfn_mac, + sizeof(pfn_mac)); + if (err) +-- +2.35.3 + diff --git a/patches.suse/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch b/patches.suse/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch new file mode 100644 index 0000000..7ad4ea5 --- /dev/null +++ b/patches.suse/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch 
@@ -0,0 +1,140 @@ +From 3f42faf6db431e04bf942d2ebe3ae88975723478 Mon Sep 17 00:00:00 2001 +From: Alexander Coffin +Date: Mon, 8 Aug 2022 10:49:26 -0700 +Subject: [PATCH] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() +Git-commit: 3f42faf6db431e04bf942d2ebe3ae88975723478 +Patch-mainline: v6.1-rc1 +References: git-fixes + +> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb); + +may be schedule, and then complete before the line + +> ndev->stats.tx_bytes += skb->len; + +[ 46.912801] ================================================================== +[ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] +[ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328 +[ 46.935991] +[ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1 +[ 46.947255] Hardware name: [REDACTED] +[ 46.954568] Call trace: +[ 46.957037] dump_backtrace+0x0/0x2b8 +[ 46.960719] show_stack+0x24/0x30 +[ 46.964052] dump_stack+0x128/0x194 +[ 46.967557] print_address_description.isra.0+0x64/0x380 +[ 46.972877] __kasan_report+0x1d4/0x240 +[ 46.976723] kasan_report+0xc/0x18 +[ 46.980138] __asan_report_load4_noabort+0x18/0x20 +[ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] +[ 46.990613] dev_hard_start_xmit+0x1bc/0xda0 +[ 46.994894] sch_direct_xmit+0x198/0xd08 +[ 46.998827] __qdisc_run+0x37c/0x1dc0 +[ 47.002500] __dev_queue_xmit+0x1528/0x21f8 +[ 47.006692] dev_queue_xmit+0x24/0x30 +[ 47.010366] neigh_resolve_output+0x37c/0x678 +[ 47.014734] ip_finish_output2+0x598/0x2458 +[ 47.018927] __ip_finish_output+0x300/0x730 +[ 47.023118] ip_output+0x2e0/0x430 +[ 47.026530] ip_local_out+0x90/0x140 +[ 47.030117] igmpv3_sendpack+0x14c/0x228 +[ 47.034049] igmpv3_send_cr+0x384/0x6b8 +[ 47.037895] igmp_ifc_timer_expire+0x4c/0x118 +[ 47.042262] call_timer_fn+0x1cc/0xbe8 +[ 47.046021] __run_timers+0x4d8/0xb28 +[ 47.049693] run_timer_softirq+0x24/0x40 +[ 47.053626] __do_softirq+0x2c0/0x117c +[ 
47.057387] irq_exit+0x2dc/0x388 +[ 47.060715] __handle_domain_irq+0xb4/0x158 +[ 47.064908] gic_handle_irq+0x58/0xb0 +[ 47.068581] el0_irq_naked+0x50/0x5c +[ 47.072162] +[ 47.073665] Allocated by task 328: +[ 47.077083] save_stack+0x24/0xb0 +[ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0 +[ 47.084776] kasan_slab_alloc+0x14/0x20 +[ 47.088622] kmem_cache_alloc+0x15c/0x468 +[ 47.092643] __alloc_skb+0xa4/0x498 +[ 47.096142] igmpv3_newpack+0x158/0xd78 +[ 47.099987] add_grhead+0x210/0x288 +[ 47.103485] add_grec+0x6b0/0xb70 +[ 47.106811] igmpv3_send_cr+0x2e0/0x6b8 +[ 47.110657] igmp_ifc_timer_expire+0x4c/0x118 +[ 47.115027] call_timer_fn+0x1cc/0xbe8 +[ 47.118785] __run_timers+0x4d8/0xb28 +[ 47.122457] run_timer_softirq+0x24/0x40 +[ 47.126389] __do_softirq+0x2c0/0x117c +[ 47.130142] +[ 47.131643] Freed by task 180: +[ 47.134712] save_stack+0x24/0xb0 +[ 47.138041] __kasan_slab_free+0x108/0x180 +[ 47.142146] kasan_slab_free+0x10/0x18 +[ 47.145904] slab_free_freelist_hook+0xa4/0x1b0 +[ 47.150444] kmem_cache_free+0x8c/0x528 +[ 47.154292] kfree_skbmem+0x94/0x108 +[ 47.157880] consume_skb+0x10c/0x5a8 +[ 47.161466] __dev_kfree_skb_any+0x88/0xa0 +[ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil] +[ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac] +[ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac] +[ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac] +[ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac] +[ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac] +[ 47.197859] process_one_work+0x7fc/0x1a80 +[ 47.201965] worker_thread+0x31c/0xc40 +[ 47.205726] kthread+0x2d8/0x370 +[ 47.208967] ret_from_fork+0x10/0x18 +[ 47.212546] +[ 47.214051] The buggy address belongs to the object at ffffff803f588280 +[ 47.214051] which belongs to the cache skbuff_head_cache of size 208 +[ 47.227086] The buggy address is located 104 bytes inside of +[ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350) +[ 47.238814] The buggy address belongs to the page: +[ 
47.243618] page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0 +[ 47.255007] flags: 0x10200(slab|head) +[ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800 +[ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000 +[ 47.274180] page dumped because: kasan: bad access detected +[ 47.279752] +[ 47.281251] Memory state around the buggy address: +[ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 47.307723] ^ +[ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc +[ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb +[ 47.328789] ================================================================== + +Signed-off-by: Alexander Coffin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index 2627221c90de..595ae3ae561e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -292,6 +292,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, + struct brcmf_pub *drvr = ifp->drvr; + struct ethhdr *eh; + int head_delta; ++ unsigned int tx_bytes = skb->len; + + brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx); + +@@ -366,7 +367,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, + ndev->stats.tx_dropped++; + } else { + ndev->stats.tx_packets++; +- ndev->stats.tx_bytes += 
skb->len; ++ ndev->stats.tx_bytes += tx_bytes; + } + + /* Return ok: we always eat the packet */ +-- +2.35.3 + diff --git a/patches.suse/wifi-rt2x00-correctly-set-BBP-register-86-for-MT7620.patch b/patches.suse/wifi-rt2x00-correctly-set-BBP-register-86-for-MT7620.patch new file mode 100644 index 0000000..c491913 --- /dev/null +++ b/patches.suse/wifi-rt2x00-correctly-set-BBP-register-86-for-MT7620.patch @@ -0,0 +1,40 @@ +From c9aada64fe6493461127f1522d7e2f01792d2424 Mon Sep 17 00:00:00 2001 +From: Daniel Golle +Date: Sat, 17 Sep 2022 21:30:09 +0100 +Subject: [PATCH] wifi: rt2x00: correctly set BBP register 86 for MT7620 +Git-commit: c9aada64fe6493461127f1522d7e2f01792d2424 +Patch-mainline: v6.1-rc1 +References: git-fixes + +Instead of 0 set the correct value for BBP register 86 for MT7620. + +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/257267247ee4fa7ebc6a5d0c4948b3f8119c0d77.1663445157.git.daniel@makrotopia.org +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index ecd475e7c021..cbbb1a4849cf 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -4225,7 +4225,10 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, + rt2800_bbp_write(rt2x00dev, 62, 0x37 - rt2x00dev->lna_gain); + rt2800_bbp_write(rt2x00dev, 63, 0x37 - rt2x00dev->lna_gain); + rt2800_bbp_write(rt2x00dev, 64, 0x37 - rt2x00dev->lna_gain); +- rt2800_bbp_write(rt2x00dev, 86, 0); ++ if (rt2x00_rt(rt2x00dev, RT6352)) ++ rt2800_bbp_write(rt2x00dev, 86, 0x38); ++ else ++ rt2800_bbp_write(rt2x00dev, 86, 0); + } + + if (rf->channel <= 14) { +-- +2.35.3 + 
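Review bot: The new local `tx_bytes` in brcmf_netdev_start_xmit() has no comment saying why the length is copied at entry, so a later cleanup could fold it back into `skb->len` after the queue call and bring back the read of freed memory shown in the KASAN report. I would add `/* skb can be freed by TX completion as soon as it is queued; do not touch it afterwards */` above the declaration. The function body between the two inner hunks is outside this view, so any other dereference of `skb` or `eh` that runs after brcmf_proto_tx_queue_data() should be checked for the same lifetime problem. The snapshot is also taken before whatever the elided body does to the buffer, so it is worth confirming the byte counter still reports what it did before.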
diff --git a/patches.suse/wifi-rt2x00-don-t-run-Rt5592-IQ-calibration-on-MT762.patch b/patches.suse/wifi-rt2x00-don-t-run-Rt5592-IQ-calibration-on-MT762.patch
new file mode 100644
index 0000000..3c5520d
--- /dev/null
+++ b/patches.suse/wifi-rt2x00-don-t-run-Rt5592-IQ-calibration-on-MT762.patch
@@ -0,0 +1,33 @@
+From d3aad83d05aec0cfd7670cf0028f2ad4b81de92e Mon Sep 17 00:00:00 2001
+From: Daniel Golle
+Date: Sat, 17 Sep 2022 21:28:29 +0100
+Subject: [PATCH] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620
+Git-commit: d3aad83d05aec0cfd7670cf0028f2ad4b81de92e
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+The function rt2800_iq_calibrate is intended for Rt5592 only.
+Don't call it for MT7620 which has it's own calibration functions.
+
+Reported-by: Serge Vasilugin
+Signed-off-by: Daniel Golle
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/31a1c34ddbd296b82f38c18c9ae7339059215fdc.1663445157.git.daniel@makrotopia.org
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -4352,7 +4352,8 @@ static void rt2800_config_channel(struct
+ reg = (rf->channel <= 14 ? 0x1c : 0x24) + 2*rt2x00dev->lna_gain;
+ rt2800_bbp_write_with_rx_chain(rt2x00dev, 66, reg);
+
+- rt2800_iq_calibrate(rt2x00dev, rf->channel);
++ if (rt2x00_rt(rt2x00dev, RT5592))
++ rt2800_iq_calibrate(rt2x00dev, rf->channel);
+ }
+
+ bbp = rt2800_bbp_read(rt2x00dev, 4);
diff --git a/patches.suse/wifi-rt2x00-set-SoC-wmac-clock-register.patch b/patches.suse/wifi-rt2x00-set-SoC-wmac-clock-register.patch
new file mode 100644
index 0000000..8aee1fd
--- /dev/null
+++ b/patches.suse/wifi-rt2x00-set-SoC-wmac-clock-register.patch
@@ -0,0 +1,58 @@
+From cbde6ed406a51092d9e8a2df058f5f8490f27443 Mon Sep 17 00:00:00 2001
+From: Daniel Golle
+Date: Sat, 17 Sep 2022 21:29:55 +0100
+Subject: [PATCH] wifi: rt2x00: set SoC wmac clock register
+Git-commit: cbde6ed406a51092d9e8a2df058f5f8490f27443
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+Instead of using the default value 33 (pci), set US_CYC_CNT init based
+on Programming guide:
+If available, set chipset bus clock with fallback to cpu clock/3.
+
+Reported-by: Serge Vasilugin
+Signed-off-by: Daniel Golle
+Acked-by: Stanislaw Gruszka
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/3e275d259f476f597dab91a9c395015ef3fe3284.1663445157.git.daniel@makrotopia.org
+Acked-by: Takashi Iwai
+
+---
+ .../net/wireless/ralink/rt2x00/rt2800lib.c | 21 +++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index f25ab41f5805..ecd475e7c021 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -6229,6 +6229,27 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev)
+ reg = rt2800_register_read(rt2x00dev, US_CYC_CNT);
+ rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, 125);
+ rt2800_register_write(rt2x00dev, US_CYC_CNT, reg);
++ } else if (rt2x00_is_soc(rt2x00dev)) {
++ struct clk *clk = clk_get_sys("bus", NULL);
++ int rate;
++
++ if (IS_ERR(clk)) {
++ clk = clk_get_sys("cpu", NULL);
++
++ if (IS_ERR(clk)) {
++ rate = 125;
++ } else {
++ rate = clk_get_rate(clk) / 3000000;
++ clk_put(clk);
++ }
++ } else {
++ rate = clk_get_rate(clk) / 1000000;
++ clk_put(clk);
++ }
++
++ reg = rt2800_register_read(rt2x00dev, US_CYC_CNT);
++ rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, rate);
++ rt2800_register_write(rt2x00dev, US_CYC_CNT, reg);
+ }
+
+ reg = rt2800_register_read(rt2x00dev, HT_FBK_CFG0);
+--
+2.35.3
+
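Review bot: `rate` is written to US_CYC_CNT_CLOCK_CYCLE without any range check in the new `rt2x00_is_soc()` branch of rt2800_init_registers(). `clk_get_rate()` returns an unsigned long and can return 0 for a clock whose rate is unknown, and a clock below 1 MHz (or 3 MHz on the cpu fallback) also divides down to 0, which would program a zero cycle count; a very fast clock could exceed the register field, whose width is not visible here. A guard before the register write, for example `if (rate <= 0) rate = 125;` plus a clamp to the field maximum, keeps the fallback the branch already uses. The enclosing function starts and ends outside the hunk.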
diff --git a/patches.suse/wifi-rt2x00-set-VGC-gain-for-both-chains-of-MT7620.patch b/patches.suse/wifi-rt2x00-set-VGC-gain-for-both-chains-of-MT7620.patch
new file mode 100644
index 0000000..55c263a
--- /dev/null
+++ b/patches.suse/wifi-rt2x00-set-VGC-gain-for-both-chains-of-MT7620.patch
@@ -0,0 +1,38 @@
+From 0e09768c085709e10ece3b68f6ac921d3f6a9caa Mon Sep 17 00:00:00 2001
+From: Daniel Golle
+Date: Sat, 17 Sep 2022 21:29:40 +0100
+Subject: [PATCH] wifi: rt2x00: set VGC gain for both chains of MT7620
+Git-commit: 0e09768c085709e10ece3b68f6ac921d3f6a9caa
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+Set bbp66 for all chains of the MT7620.
+
+Reported-by: Serge Vasilugin
+Signed-off-by: Daniel Golle
+Acked-by: Stanislaw Gruszka
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/29e161397e5c9d9399da0fe87d44458aa2b90a78.1663445157.git.daniel@makrotopia.org
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index 48c695bf69a5..f25ab41f5805 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -5743,7 +5743,8 @@ static inline void rt2800_set_vgc(struct rt2x00_dev *rt2x00dev,
+ if (qual->vgc_level != vgc_level) {
+ if (rt2x00_rt(rt2x00dev, RT3572) ||
+ rt2x00_rt(rt2x00dev, RT3593) ||
+- rt2x00_rt(rt2x00dev, RT3883)) {
++ rt2x00_rt(rt2x00dev, RT3883) ||
++ rt2x00_rt(rt2x00dev, RT6352)) {
+ rt2800_bbp_write_with_rx_chain(rt2x00dev, 66,
+ vgc_level);
+ } else if (rt2x00_rt(rt2x00dev, RT5592)) {
+--
+2.35.3
+
diff --git a/patches.suse/wifi-rt2x00-set-correct-TX_SW_CFG1-MAC-register-for-.patch b/patches.suse/wifi-rt2x00-set-correct-TX_SW_CFG1-MAC-register-for-.patch
new file mode 100644
index 0000000..decf41e
--- /dev/null
+++ b/patches.suse/wifi-rt2x00-set-correct-TX_SW_CFG1-MAC-register-for-.patch
@@ -0,0 +1,39 @@
+From eeb50acf15762b61921f9df18663f839f387c054 Mon Sep 17 00:00:00 2001
+From: Daniel Golle
+Date: Sat, 17 Sep 2022 21:29:26 +0100
+Subject: [PATCH] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620
+Git-commit: eeb50acf15762b61921f9df18663f839f387c054
+Patch-mainline: v6.1-rc1
+References: git-fixes
+
+Set correct TX_SW_CFG1 MAC register as it is done also in v3 of the
+vendor driver[1].
+
+[1]: https://gitlab.com/dm38/padavan-ng/-/blob/master/trunk/proprietary/rt_wifi/rtpci/3.0.X.X/mt76x2/chips/rt6352.c#L531
+Reported-by: Serge Vasilugin
+Signed-off-by: Daniel Golle
+Acked-by: Stanislaw Gruszka
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/4be38975ce600a34249e12d09a3cb758c6e71071.1663445157.git.daniel@makrotopia.org
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index b20c5aae9aae..48c695bf69a5 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -5966,7 +5966,7 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev)
+ rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000404);
+ } else if (rt2x00_rt(rt2x00dev, RT6352)) {
+ rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000401);
+- rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0000);
++ rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0001);
+ rt2800_register_write(rt2x00dev, TX_SW_CFG2, 0x00000000);
+ rt2800_register_write(rt2x00dev, TX_ALC_VGA3, 0x00000000);
+ rt2800_register_write(rt2x00dev, TX0_BB_GAIN_ATTEN, 0x0);
+--
+2.35.3
+
diff --git a/patches.suse/xfs-add-missing-assert-in-xfs_fsmap_owner_from_rmap.patch b/patches.suse/xfs-add-missing-assert-in-xfs_fsmap_owner_from_rmap.patch
new file mode 100644
index 0000000..b8782bf
--- /dev/null
+++ b/patches.suse/xfs-add-missing-assert-in-xfs_fsmap_owner_from_rmap.patch
@@ -0,0 +1,34 @@
+From 110f09cb705af8c53f2a457baf771d2935ed62d4 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Sat, 2 Nov 2019 09:41:18 -0700
+Subject: [PATCH] xfs: add missing assert in xfs_fsmap_owner_from_rmap
+Git-commit: 110f09cb705af8c53f2a457baf771d2935ed62d4
+Patch-mainline: v5.5-rc1
+References: git-fixes
+
+The fsmap handler shouldn't fail silently if the rmap code ever feeds it
+a special owner number that isn't known to the fsmap handler.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Acked-by: Anthony Iliopoulos
+
+---
+ fs/xfs/xfs_fsmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
+index 54ba446d2209..cc35c36296dd 100644
+--- a/fs/xfs/xfs_fsmap.c
++++ b/fs/xfs/xfs_fsmap.c
+@@ -146,6 +146,7 @@ xfs_fsmap_owner_from_rmap(
+ dest->fmr_owner = XFS_FMR_OWN_FREE;
+ break;
+ default:
++ ASSERT(0);
+ return -EFSCORRUPTED;
+ }
+ return 0;
+--
+2.35.3
+
diff --git a/patches.suse/xfs-fix-memory-corruption-during-remote-attr-value-b.patch b/patches.suse/xfs-fix-memory-corruption-during-remote-attr-value-b.patch
new file mode 100644
index 0000000..064cc83
--- /dev/null
+++ b/patches.suse/xfs-fix-memory-corruption-during-remote-attr-value-b.patch
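Review bot: `ASSERT(0)` in the `default:` arm of xfs_fsmap_owner_from_rmap() only fires on debug builds; as far as I know XFS compiles ASSERT out unless DEBUG or XFS_WARN is set, so on a production kernel an unknown special owner is still turned into -EFSCORRUPTED with nothing in the log. That is acceptable if callers report the error, but a comment would make the intent explicit, e.g. `/* unknown special owner: trap on debug builds, report corruption otherwise */`. The function's signature and the other switch arms are outside the hunk.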
@@ -0,0 +1,195 @@ +From e8db2aafcedb7d88320ab83f1000f1606b26d4d7 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Tue, 7 Jan 2020 16:11:45 -0800 +Subject: [PATCH] xfs: fix memory corruption during remote attr value buffer + invalidation +Git-commit: e8db2aafcedb7d88320ab83f1000f1606b26d4d7 +Patch-mainline: v5.6-rc1 +References: git-fixes + +While running generic/103, I observed what looks like memory corruption +and (with slub debugging turned on) a slub redzone warning on i386 when +inactivating an inode with a 64k remote attr value. + +On a v5 filesystem, maximally sized remote attr values require one block +more than 64k worth of space to hold both the remote attribute value +header (64 bytes). On a 4k block filesystem this results in a 68k +buffer; on a 64k block filesystem, this would be a 128k buffer. Note +that even though we'll never use more than 65,600 bytes of this buffer, +XFS_MAX_BLOCKSIZE is 64k. + +This is a problem because the definition of struct xfs_buf_log_format +allows for XFS_MAX_BLOCKSIZE worth of dirty bitmap (64k). On i386 when we +invalidate a remote attribute, xfs_trans_binval zeroes all 68k worth of +the dirty map, writing right off the end of the log item and corrupting +memory. We've gotten away with this on x86_64 for years because the +compiler inserts a u32 padding on the end of struct xfs_buf_log_format. + +Fortunately for us, remote attribute values are written to disk with +xfs_bwrite(), which is to say that they are not logged. Fix the problem +by removing all places where we could end up creating a buffer log item +for a remote attribute value and leave a note explaining why. Next, +replace the open-coded buffer invalidation with a call to the helper we +created in the previous patch that does better checking for bad metadata +before marking the buffer stale. + +Signed-off-by: Darrick J. 
Wong +Reviewed-by: Christoph Hellwig +Acked-by: Anthony Iliopoulos + +--- + fs/xfs/libxfs/xfs_attr_remote.c | 37 ++++++++++++++++++++---- + fs/xfs/xfs_attr_inactive.c | 50 ++++++++++----------------------- + 2 files changed, 46 insertions(+), 41 deletions(-) + +diff --git a/fs/xfs/libxfs/xfs_attr_remote.c b/fs/xfs/libxfs/xfs_attr_remote.c +index 649316b3663f..5226b54084a9 100644 +--- a/fs/xfs/libxfs/xfs_attr_remote.c ++++ b/fs/xfs/libxfs/xfs_attr_remote.c +@@ -24,6 +24,23 @@ + + #define ATTR_RMTVALUE_MAPSIZE 1 /* # of map entries at once */ + ++/* ++ * Remote Attribute Values ++ * ======================= ++ * ++ * Remote extended attribute values are conceptually simple -- they're written ++ * to data blocks mapped by an inode's attribute fork, and they have an upper ++ * size limit of 64k. Setting a value does not involve the XFS log. ++ * ++ * However, on a v5 filesystem, maximally sized remote attr values require one ++ * block more than 64k worth of space to hold both the remote attribute value ++ * header (64 bytes). On a 4k block filesystem this results in a 68k buffer; ++ * on a 64k block filesystem, this would be a 128k buffer. Note that the log ++ * format can only handle a dirty buffer of XFS_MAX_BLOCKSIZE length (64k). ++ * Therefore, we /must/ ensure that remote attribute value buffers never touch ++ * the logging system and therefore never have a log item. ++ */ ++ + /* + * Each contiguous block has a header, so it is not just a simple attribute + * length to FSB conversion. 
+@@ -398,17 +415,25 @@ xfs_attr_rmtval_get( + (map[i].br_startblock != HOLESTARTBLOCK)); + dblkno = XFS_FSB_TO_DADDR(mp, map[i].br_startblock); + dblkcnt = XFS_FSB_TO_BB(mp, map[i].br_blockcount); +- error = xfs_trans_read_buf(mp, args->trans, +- mp->m_ddev_targp, +- dblkno, dblkcnt, 0, &bp, +- &xfs_attr3_rmt_buf_ops); +- if (error) ++ bp = xfs_buf_read(mp->m_ddev_targp, dblkno, dblkcnt, 0, ++ &xfs_attr3_rmt_buf_ops); ++ if (!bp) ++ return -ENOMEM; ++ error = bp->b_error; ++ if (error) { ++ xfs_buf_ioerror_alert(bp, __func__); ++ xfs_buf_relse(bp); ++ ++ /* bad CRC means corrupted metadata */ ++ if (error == -EFSBADCRC) ++ error = -EFSCORRUPTED; + return error; ++ } + + error = xfs_attr_rmtval_copyout(mp, bp, args->dp->i_ino, + &offset, &valuelen, + &dst); +- xfs_trans_brelse(args->trans, bp); ++ xfs_buf_relse(bp); + if (error) + return error; + +diff --git a/fs/xfs/xfs_attr_inactive.c b/fs/xfs/xfs_attr_inactive.c +index a98034b93459..6a5fdcb63841 100644 +--- a/fs/xfs/xfs_attr_inactive.c ++++ b/fs/xfs/xfs_attr_inactive.c +@@ -25,22 +25,20 @@ + #include "xfs_error.h" + + /* +- * Look at all the extents for this logical region, +- * invalidate any buffers that are incore/in transactions. ++ * Invalidate any incore buffers associated with this remote attribute value ++ * extent. We never log remote attribute value buffers, which means that they ++ * won't be attached to a transaction and are therefore safe to mark stale. ++ * The actual bunmapi will be taken care of later. 
+ */ + STATIC int +-xfs_attr3_leaf_freextent( +- struct xfs_trans **trans, ++xfs_attr3_rmt_stale( + struct xfs_inode *dp, + xfs_dablk_t blkno, + int blkcnt) + { + struct xfs_bmbt_irec map; +- struct xfs_buf *bp; + xfs_dablk_t tblkno; +- xfs_daddr_t dblkno; + int tblkcnt; +- int dblkcnt; + int nmap; + int error; + +@@ -57,35 +55,19 @@ xfs_attr3_leaf_freextent( + nmap = 1; + error = xfs_bmapi_read(dp, (xfs_fileoff_t)tblkno, tblkcnt, + &map, &nmap, XFS_BMAPI_ATTRFORK); +- if (error) { ++ if (error) + return error; +- } +- ASSERT(nmap == 1); +- ASSERT(map.br_startblock != DELAYSTARTBLOCK); ++ if (XFS_IS_CORRUPT(dp->i_mount, nmap != 1)) ++ return -EFSCORRUPTED; + + /* +- * If it's a hole, these are already unmapped +- * so there's nothing to invalidate. ++ * Mark any incore buffers for the remote value as stale. We ++ * never log remote attr value buffers, so the buffer should be ++ * easy to kill. + */ +- if (map.br_startblock != HOLESTARTBLOCK) { +- +- dblkno = XFS_FSB_TO_DADDR(dp->i_mount, +- map.br_startblock); +- dblkcnt = XFS_FSB_TO_BB(dp->i_mount, +- map.br_blockcount); +- bp = xfs_trans_get_buf(*trans, +- dp->i_mount->m_ddev_targp, +- dblkno, dblkcnt, 0); +- if (!bp) +- return -ENOMEM; +- xfs_trans_binval(*trans, bp); +- /* +- * Roll to next transaction. +- */ +- error = xfs_trans_roll_inode(trans, dp); +- if (error) +- return error; +- } ++ error = xfs_attr_rmtval_stale(dp, &map, 0); ++ if (error) ++ return error; + + tblkno += map.br_blockcount; + tblkcnt -= map.br_blockcount; +@@ -174,9 +156,7 @@ xfs_attr3_leaf_inactive( + */ + error = 0; + for (lp = list, i = 0; i < count; i++, lp++) { +- tmp = xfs_attr3_leaf_freextent(trans, dp, +- lp->valueblk, lp->valuelen); +- ++ tmp = xfs_attr3_rmt_stale(dp, lp->valueblk, lp->valuelen); + if (error == 0) + error = tmp; /* save only the 1st errno */ + } +-- +2.35.3 + 
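Review bot: The rule stated in the new header comment of xfs_attr_remote.c, that remote attribute value buffers must never have a log item, is enforced by convention only; none of these hunks checks it. Since breaking it is what let xfs_trans_binval() write past the end of the log item, a debug assertion right after the `xfs_buf_read()` in xfs_attr_rmtval_get(), such as `ASSERT(bp->b_log_item == NULL);`, would catch a future caller that reads these blocks through a transaction (confirm the field name in this tree). xfs_attr3_rmt_stale() also drops the old `ASSERT(map.br_startblock != DELAYSTARTBLOCK)` and the hole test and relies on xfs_attr_rmtval_stale(), which comes from an earlier patch and is not visible here, to reject those mappings. Both functions continue outside the hunks.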
diff --git a/patches.suse/xfs-fix-s_maxbytes-computation-on-32-bit-kernels.patch b/patches.suse/xfs-fix-s_maxbytes-computation-on-32-bit-kernels.patch
new file mode 100644
index 0000000..2e4d77e
--- /dev/null
+++ b/patches.suse/xfs-fix-s_maxbytes-computation-on-32-bit-kernels.patch
@@ -0,0 +1,111 @@ +From 932befe39ddea29cf47f4f1dc080d3dba668f0ca Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Thu, 2 Jan 2020 13:20:13 -0800 +Subject: [PATCH] xfs: fix s_maxbytes computation on 32-bit kernels +Git-commit: 932befe39ddea29cf47f4f1dc080d3dba668f0ca +Patch-mainline: v5.6-rc1 +References: git-fixes + +I observed a hang in generic/308 while running fstests on a i686 kernel. +The hang occurred when trying to purge the pagecache on a large sparse +file that had a page created past MAX_LFS_FILESIZE, which caused an +integer overflow in the pagecache xarray and resulted in an infinite +loop. + +I then noticed that Linus changed the definition of MAX_LFS_FILESIZE in +commit 0cc3b0ec23ce ("Clarify (and fix) MAX_LFS_FILESIZE macros") so +that it is now one page short of the maximum page index on 32-bit +kernels. Because the XFS function to compute max offset open-codes the +2005-era MAX_LFS_FILESIZE computation and neither the vfs nor mm perform +any sanity checking of s_maxbytes, the code in generic/308 can create a +page above the pagecache's limit and kaboom. + +Fix all this by setting s_maxbytes to MAX_LFS_FILESIZE directly and +aborting the mount with a warning if our assumptions ever break. I have +no answer for why this seems to have been broken for years and nobody +noticed. + +Signed-off-by: Darrick J. 
Wong +Reviewed-by: Christoph Hellwig +Acked-by: Anthony Iliopoulos + +--- + fs/xfs/xfs_super.c | 48 ++++++++++++++++++++-------------------------- + 1 file changed, 21 insertions(+), 27 deletions(-) + +diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c +index f02b5a23b6d7..c813f47a0e24 100644 +--- a/fs/xfs/xfs_super.c ++++ b/fs/xfs/xfs_super.c +@@ -556,32 +556,6 @@ xfs_showargs( + seq_puts(m, ",noquota"); + } + +-static uint64_t +-xfs_max_file_offset( +- unsigned int blockshift) +-{ +- unsigned int pagefactor = 1; +- unsigned int bitshift = BITS_PER_LONG - 1; +- +- /* Figure out maximum filesize, on Linux this can depend on +- * the filesystem blocksize (on 32 bit platforms). +- * __block_write_begin does this in an [unsigned] long long... +- * page->index << (PAGE_SHIFT - bbits) +- * So, for page sized blocks (4K on 32 bit platforms), +- * this wraps at around 8Tb (hence MAX_LFS_FILESIZE which is +- * (((u64)PAGE_SIZE << (BITS_PER_LONG-1))-1) +- * but for smaller blocksizes it is less (bbits = log2 bsize). +- */ +- +-#if BITS_PER_LONG == 32 +- ASSERT(sizeof(sector_t) == 8); +- pagefactor = PAGE_SIZE; +- bitshift = BITS_PER_LONG; +-#endif +- +- return (((uint64_t)pagefactor) << bitshift) - 1; +-} +- + /* + * Set parameters for inode allocation heuristics, taking into account + * filesystem size and inode32/inode64 mount options; i.e. specifically +@@ -1694,6 +1668,26 @@ xfs_fs_fill_super( + if (error) + goto out_free_sb; + ++ /* ++ * XFS block mappings use 54 bits to store the logical block offset. ++ * This should suffice to handle the maximum file size that the VFS ++ * supports (currently 2^63 bytes on 64-bit and ULONG_MAX << PAGE_SHIFT ++ * bytes on 32-bit), but as XFS and VFS have gotten the s_maxbytes ++ * calculation wrong on 32-bit kernels in the past, we'll add a WARN_ON ++ * to check this assertion. ++ * ++ * Avoid integer overflow by comparing the maximum bmbt offset to the ++ * maximum pagecache offset in units of fs blocks. 
++ */ ++ if (XFS_B_TO_FSBT(mp, MAX_LFS_FILESIZE) > XFS_MAX_FILEOFF) { ++ xfs_warn(mp, ++"MAX_LFS_FILESIZE block offset (%llu) exceeds extent map maximum (%llu)!", ++ XFS_B_TO_FSBT(mp, MAX_LFS_FILESIZE), ++ XFS_MAX_FILEOFF); ++ error = -EINVAL; ++ goto out_free_sb; ++ } ++ + error = xfs_filestream_mount(mp); + if (error) + goto out_free_sb; +@@ -1705,7 +1699,7 @@ xfs_fs_fill_super( + sb->s_magic = XFS_SUPER_MAGIC; + sb->s_blocksize = mp->m_sb.sb_blocksize; + sb->s_blocksize_bits = ffs(sb->s_blocksize) - 1; +- sb->s_maxbytes = xfs_max_file_offset(sb->s_blocksize_bits); ++ sb->s_maxbytes = MAX_LFS_FILESIZE; + sb->s_max_links = XFS_MAXLINK; + sb->s_time_gran = 1; + sb->s_iflags |= SB_I_CGROUPWB; +-- +2.35.3 + diff --git a/patches.suse/xfs-hoist-out-xfs_resizefs_init_new_ags.patch b/patches.suse/xfs-hoist-out-xfs_resizefs_init_new_ags.patch new file mode 100644 index 0000000..76d5aed --- /dev/null +++ b/patches.suse/xfs-hoist-out-xfs_resizefs_init_new_ags.patch 
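Review bot: The new mount-time check in xfs_fs_fill_super() uses XFS_MAX_FILEOFF, which this patch does not define, so the backport depends on another change being present in the series; that is worth confirming before merging, as the macro's definition is not visible here. The comment above the check also says a WARN_ON is added, while the code calls xfs_warn() and fails the mount with -EINVAL; I would reword that sentence to `we'll warn and refuse to mount if this assumption ever breaks`. The function starts and ends outside the hunk.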
@@ -0,0 +1,172 @@ +From c789c83c7ef8f98f9f6f0864ce6a58dc4c4012d1 Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Tue, 23 Mar 2021 19:05:38 -0700 +Subject: [PATCH] xfs: hoist out xfs_resizefs_init_new_ags() +Git-commit: c789c83c7ef8f98f9f6f0864ce6a58dc4c4012d1 +Patch-mainline: v5.13-rc1 +References: git-fixes + +Move out related logic for initializing new added AGs to a new helper +in preparation for shrinking. No logic changes. + +Reviewed-by: Darrick J. Wong +Signed-off-by: Gao Xiang +Signed-off-by: Darrick J. Wong +Acked-by: Anthony Iliopoulos + +--- + fs/xfs/xfs_fsops.c | 107 +++++++++++++++++++++++++++------------------ + 1 file changed, 64 insertions(+), 43 deletions(-) + +diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c +index 67a0c957a017..f5518c0b34b1 100644 +--- a/fs/xfs/xfs_fsops.c ++++ b/fs/xfs/xfs_fsops.c +@@ -20,6 +20,64 @@ + #include "xfs_ag.h" + #include "xfs_ag_resv.h" + ++/* ++ * Write new AG headers to disk. Non-transactional, but need to be ++ * written and completed prior to the growfs transaction being logged. ++ * To do this, we use a delayed write buffer list and wait for ++ * submission and IO completion of the list as a whole. This allows the ++ * IO subsystem to merge all the AG headers in a single AG into a single ++ * IO and hide most of the latency of the IO from us. ++ * ++ * This also means that if we get an error whilst building the buffer ++ * list to write, we can cancel the entire list without having written ++ * anything. 
++ */ ++static int ++xfs_resizefs_init_new_ags( ++ struct xfs_trans *tp, ++ struct aghdr_init_data *id, ++ xfs_agnumber_t oagcount, ++ xfs_agnumber_t nagcount, ++ xfs_rfsblock_t delta, ++ bool *lastag_extended) ++{ ++ struct xfs_mount *mp = tp->t_mountp; ++ xfs_rfsblock_t nb = mp->m_sb.sb_dblocks + delta; ++ int error; ++ ++ *lastag_extended = false; ++ ++ INIT_LIST_HEAD(&id->buffer_list); ++ for (id->agno = nagcount - 1; ++ id->agno >= oagcount; ++ id->agno--, delta -= id->agsize) { ++ ++ if (id->agno == nagcount - 1) ++ id->agsize = nb - (id->agno * ++ (xfs_rfsblock_t)mp->m_sb.sb_agblocks); ++ else ++ id->agsize = mp->m_sb.sb_agblocks; ++ ++ error = xfs_ag_init_headers(mp, id); ++ if (error) { ++ xfs_buf_delwri_cancel(&id->buffer_list); ++ return error; ++ } ++ } ++ ++ error = xfs_buf_delwri_submit(&id->buffer_list); ++ if (error) ++ return error; ++ ++ xfs_trans_agblocks_delta(tp, id->nfree); ++ ++ if (delta) { ++ *lastag_extended = true; ++ error = xfs_ag_extend_space(mp, tp, id, delta); ++ } ++ return error; ++} ++ + /* + * growfs operations + */ +@@ -34,6 +92,7 @@ xfs_growfs_data_private( + xfs_agnumber_t nagimax = 0; + xfs_rfsblock_t nb, nb_div, nb_mod; + xfs_rfsblock_t delta; ++ bool lastag_extended; + xfs_agnumber_t oagcount; + xfs_trans_t *tp; + struct aghdr_init_data id = {}; +@@ -74,48 +133,11 @@ xfs_growfs_data_private( + if (error) + return error; + +- /* +- * Write new AG headers to disk. Non-transactional, but need to be +- * written and completed prior to the growfs transaction being logged. +- * To do this, we use a delayed write buffer list and wait for +- * submission and IO completion of the list as a whole. This allows the +- * IO subsystem to merge all the AG headers in a single AG into a single +- * IO and hide most of the latency of the IO from us. +- * +- * This also means that if we get an error whilst building the buffer +- * list to write, we can cancel the entire list without having written +- * anything. 
+- */ +- INIT_LIST_HEAD(&id.buffer_list); +- for (id.agno = nagcount - 1; +- id.agno >= oagcount; +- id.agno--, delta -= id.agsize) { +- +- if (id.agno == nagcount - 1) +- id.agsize = nb - +- (id.agno * (xfs_rfsblock_t)mp->m_sb.sb_agblocks); +- else +- id.agsize = mp->m_sb.sb_agblocks; +- +- error = xfs_ag_init_headers(mp, &id); +- if (error) { +- xfs_buf_delwri_cancel(&id.buffer_list); +- goto out_trans_cancel; +- } +- } +- error = xfs_buf_delwri_submit(&id.buffer_list); ++ error = xfs_resizefs_init_new_ags(tp, &id, oagcount, nagcount, ++ delta, &lastag_extended); + if (error) + goto out_trans_cancel; + +- xfs_trans_agblocks_delta(tp, id.nfree); +- +- /* If there are new blocks in the old last AG, extend it. */ +- if (delta) { +- error = xfs_ag_extend_space(mp, tp, &id, delta); +- if (error) +- goto out_trans_cancel; +- } +- + /* + * Update changed superblock fields transactionally. These are not + * seen by the rest of the world until the transaction commit applies +@@ -123,9 +145,8 @@ xfs_growfs_data_private( + */ + if (nagcount > oagcount) + xfs_trans_mod_sb(tp, XFS_TRANS_SB_AGCOUNT, nagcount - oagcount); +- if (nb > mp->m_sb.sb_dblocks) +- xfs_trans_mod_sb(tp, XFS_TRANS_SB_DBLOCKS, +- nb - mp->m_sb.sb_dblocks); ++ if (delta) ++ xfs_trans_mod_sb(tp, XFS_TRANS_SB_DBLOCKS, delta); + if (id.nfree) + xfs_trans_mod_sb(tp, XFS_TRANS_SB_FDBLOCKS, id.nfree); + xfs_trans_set_sync(tp); +@@ -143,7 +164,7 @@ xfs_growfs_data_private( + * If we expanded the last AG, free the per-AG reservation + * so we can reinitialize it with the new size. + */ +- if (delta) { ++ if (lastag_extended) { + struct xfs_perag *pag; + + pag = xfs_perag_get(mp, id.agno); +-- +2.35.3 + diff --git a/patches.suse/xfs-move-incore-structures-out-of-xfs_da_format.h.patch b/patches.suse/xfs-move-incore-structures-out-of-xfs_da_format.h.patch new file mode 100644 index 0000000..c3fc175 --- /dev/null +++ b/patches.suse/xfs-move-incore-structures-out-of-xfs_da_format.h.patch 
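Review bot: The comment moved above xfs_resizefs_init_new_ags() describes only the delayed write of the new AG headers and leaves the helper's contract undocumented. The helper also extends the old last AG and reports that through `*lastag_extended`, and it leaves `id->agno` at the loop's exit value, which xfs_growfs_data_private() later passes to `xfs_perag_get(mp, id.agno)`. I would add a short paragraph to the comment stating both, so nobody reorders the loop or reuses `id` without noticing that the caller depends on it. The SB_DBLOCKS update also changes from `nb > mp->m_sb.sb_dblocks` to `if (delta)`, which is equivalent only if `delta` was computed as that difference earlier in the caller, outside the hunk.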
@@ -0,0 +1,230 @@
+From a39f089a25e75c3d17b955d8eb8bc781f23364f3 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Fri, 8 Nov 2019 14:52:06 -0800
+Subject: [PATCH] xfs: move incore structures out of xfs_da_format.h
+Git-commit: a39f089a25e75c3d17b955d8eb8bc781f23364f3
+Patch-mainline: v5.5-rc1
+References: git-fixes
+
+Move the abstract in-memory version of various btree block headers
+out of xfs_da_format.h as they aren't on-disk formats.
+
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Acked-by: Anthony Iliopoulos
+
+---
+ fs/xfs/libxfs/xfs_attr_leaf.h | 23 ++++++++++++++
+ fs/xfs/libxfs/xfs_da_btree.h | 13 ++++++++
+ fs/xfs/libxfs/xfs_da_format.c | 1 +
+ fs/xfs/libxfs/xfs_da_format.h | 57 -----------------------------------
+ fs/xfs/libxfs/xfs_dir2.h | 2 ++
+ fs/xfs/libxfs/xfs_dir2_priv.h | 19 ++++++++++++
+ 6 files changed, 58 insertions(+), 57 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_attr_leaf.h b/fs/xfs/libxfs/xfs_attr_leaf.h
+index bb0880057ee3..16208a7743df 100644
+--- a/fs/xfs/libxfs/xfs_attr_leaf.h
++++ b/fs/xfs/libxfs/xfs_attr_leaf.h
+@@ -16,6 +16,29 @@ struct xfs_da_state_blk;
+ struct xfs_inode;
+ struct xfs_trans;
+ 
++/*
++ * Incore version of the attribute leaf header.
++ */
++struct xfs_attr3_icleaf_hdr {
++ uint32_t forw;
++ uint32_t back;
++ uint16_t magic;
++ uint16_t count;
++ uint16_t usedbytes;
++ /*
++ * Firstused is 32-bit here instead of 16-bit like the on-disk variant
++ * to support maximum fsb size of 64k without overflow issues throughout
++ * the attr code. Instead, the overflow condition is handled on
++ * conversion to/from disk.
++ */
++ uint32_t firstused;
++ __u8 holes;
++ struct {
++ uint16_t base;
++ uint16_t size;
++ } freemap[XFS_ATTR_LEAF_MAPSIZE];
++};
++
+ /*
+ * Used to keep a list of "remote value" extents when unlinking an inode.
+ */
+diff --git a/fs/xfs/libxfs/xfs_da_btree.h b/fs/xfs/libxfs/xfs_da_btree.h
+index 84dd865b6c3d..876378a52f34 100644
+--- a/fs/xfs/libxfs/xfs_da_btree.h
++++ b/fs/xfs/libxfs/xfs_da_btree.h
+@@ -122,6 +122,19 @@ typedef struct xfs_da_state {
+ /* for dirv2 extrablk is data */
+ } xfs_da_state_t;
+ 
++/*
++ * In-core version of the node header to abstract the differences in the v2 and
++ * v3 disk format of the headers. Callers need to convert to/from disk format as
++ * appropriate.
++ */
++struct xfs_da3_icnode_hdr {
++ uint32_t forw;
++ uint32_t back;
++ uint16_t magic;
++ uint16_t count;
++ uint16_t level;
++};
++
+ /*
+ * Utility macros to aid in logging changed structure fields.
+ */
+diff --git a/fs/xfs/libxfs/xfs_da_format.c b/fs/xfs/libxfs/xfs_da_format.c
+index b1ae572496b6..31bb250c1899 100644
+--- a/fs/xfs/libxfs/xfs_da_format.c
++++ b/fs/xfs/libxfs/xfs_da_format.c
+@@ -13,6 +13,7 @@
+ #include "xfs_mount.h"
+ #include "xfs_inode.h"
+ #include "xfs_dir2.h"
++#include "xfs_dir2_priv.h"
+ 
+ /*
+ * Shortform directory ops
+diff --git a/fs/xfs/libxfs/xfs_da_format.h b/fs/xfs/libxfs/xfs_da_format.h
+index ae654e06b2fb..548806060f45 100644
+--- a/fs/xfs/libxfs/xfs_da_format.h
++++ b/fs/xfs/libxfs/xfs_da_format.h
+@@ -93,19 +93,6 @@ struct xfs_da3_intnode {
+ struct xfs_da_node_entry __btree[];
+ };
+ 
+-/*
+- * In-core version of the node header to abstract the differences in the v2 and
+- * v3 disk format of the headers. Callers need to convert to/from disk format as
+- * appropriate.
+- */
+-struct xfs_da3_icnode_hdr {
+- uint32_t forw;
+- uint32_t back;
+- uint16_t magic;
+- uint16_t count;
+- uint16_t level;
+-};
+-
+ /*
+ * Directory version 2.
+ *
+@@ -434,14 +421,6 @@ struct xfs_dir3_leaf_hdr {
+ __be32 pad; /* 64 bit alignment */
+ };
+ 
+-struct xfs_dir3_icleaf_hdr {
+- uint32_t forw;
+- uint32_t back;
+- uint16_t magic;
+- uint16_t count;
+- uint16_t stale;
+-};
+-
+ /*
+ * Leaf block entry.
+ */
+@@ -520,19 +499,6 @@ struct xfs_dir3_free {
+ 
+ #define XFS_DIR3_FREE_CRC_OFF offsetof(struct xfs_dir3_free, hdr.hdr.crc)
+ 
+-/*
+- * In core version of the free block header, abstracted away from on-disk format
+- * differences. Use this in the code, and convert to/from the disk version using
+- * xfs_dir3_free_hdr_from_disk/xfs_dir3_free_hdr_to_disk.
+- */
+-struct xfs_dir3_icfree_hdr {
+- uint32_t magic;
+- uint32_t firstdb;
+- uint32_t nvalid;
+- uint32_t nused;
+-
+-};
+-
+ /*
+ * Single block format.
+ *
+@@ -709,29 +675,6 @@ struct xfs_attr3_leafblock {
+ */
+ };
+ 
+-/*
+- * incore, neutral version of the attribute leaf header
+- */
+-struct xfs_attr3_icleaf_hdr {
+- uint32_t forw;
+- uint32_t back;
+- uint16_t magic;
+- uint16_t count;
+- uint16_t usedbytes;
+- /*
+- * firstused is 32-bit here instead of 16-bit like the on-disk variant
+- * to support maximum fsb size of 64k without overflow issues throughout
+- * the attr code. Instead, the overflow condition is handled on
+- * conversion to/from disk.
+- */
+- uint32_t firstused;
+- __u8 holes;
+- struct {
+- uint16_t base;
+- uint16_t size;
+- } freemap[XFS_ATTR_LEAF_MAPSIZE];
+-};
+-
+ /*
+ * Special value to represent fs block size in the leaf header firstused field.
+ * Only used when block size overflows the 2-bytes available on disk.
+diff --git a/fs/xfs/libxfs/xfs_dir2.h b/fs/xfs/libxfs/xfs_dir2.h
+index f54244779492..e170792c0acc 100644
+--- a/fs/xfs/libxfs/xfs_dir2.h
++++ b/fs/xfs/libxfs/xfs_dir2.h
+@@ -18,6 +18,8 @@ struct xfs_dir2_sf_entry;
+ struct xfs_dir2_data_hdr;
+ struct xfs_dir2_data_entry;
+ struct xfs_dir2_data_unused;
++struct xfs_dir3_icfree_hdr;
++struct xfs_dir3_icleaf_hdr;
+ 
+ extern struct xfs_name xfs_name_dotdot;
+ 
+diff --git a/fs/xfs/libxfs/xfs_dir2_priv.h b/fs/xfs/libxfs/xfs_dir2_priv.h
+index 59f9fb2241a5..d2eaea663e7f 100644
+--- a/fs/xfs/libxfs/xfs_dir2_priv.h
++++ b/fs/xfs/libxfs/xfs_dir2_priv.h
+@@ -8,6 +8,25 @@
+ 
+ struct dir_context;
+ 
++/*
++ * In-core version of the leaf and free block headers to abstract the
++ * differences in the v2 and v3 disk format of the headers.
++ */
++struct xfs_dir3_icleaf_hdr {
++ uint32_t forw;
++ uint32_t back;
++ uint16_t magic;
++ uint16_t count;
++ uint16_t stale;
++};
++
++struct xfs_dir3_icfree_hdr {
++ uint32_t magic;
++ uint32_t firstdb;
++ uint32_t nvalid;
++ uint32_t nused;
++};
++
+ /* xfs_dir2.c */
+ extern int xfs_dir2_grow_inode(struct xfs_da_args *args, int space,
+ xfs_dir2_db_t *dbp);
+--
+2.35.3
+
diff --git a/patches.suse/xfs-refactor-remote-attr-value-buffer-invalidation.patch b/patches.suse/xfs-refactor-remote-attr-value-buffer-invalidation.patch
new file mode 100644
index 0000000..b70da68
--- /dev/null
+++ b/patches.suse/xfs-refactor-remote-attr-value-buffer-invalidation.patch
@@ -0,0 +1,120 @@
+From 8edbb26b06023de31ad7d4c9b984d99f66577929 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Wed, 8 Jan 2020 09:08:07 -0800
+Subject: [PATCH] xfs: refactor remote attr value buffer invalidation
+Git-commit: 8edbb26b06023de31ad7d4c9b984d99f66577929
+Patch-mainline: v5.6-rc1
+References: git-fixes
+
+Hoist the code that invalidates remote extended attribute value buffers
+into a separate helper function. This prepares us for a memory
+corruption fix in the next patch.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Acked-by: Anthony Iliopoulos
+
+---
+ fs/xfs/libxfs/xfs_attr_remote.c | 52 ++++++++++++++++++++-------------
+ fs/xfs/libxfs/xfs_attr_remote.h | 2 ++
+ 2 files changed, 34 insertions(+), 20 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_attr_remote.c b/fs/xfs/libxfs/xfs_attr_remote.c
+index 4eb30d357045..649316b3663f 100644
+--- a/fs/xfs/libxfs/xfs_attr_remote.c
++++ b/fs/xfs/libxfs/xfs_attr_remote.c
+@@ -549,6 +549,33 @@ xfs_attr_rmtval_set(
+ return 0;
+ }
+ 
++/* Mark stale any incore buffers for the remote value. */
++int
++xfs_attr_rmtval_stale(
++ struct xfs_inode *ip,
++ struct xfs_bmbt_irec *map,
++ xfs_buf_flags_t incore_flags)
++{
++ struct xfs_mount *mp = ip->i_mount;
++ struct xfs_buf *bp;
++
++ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
++
++ if (XFS_IS_CORRUPT(mp, map->br_startblock == DELAYSTARTBLOCK) ||
++ XFS_IS_CORRUPT(mp, map->br_startblock == HOLESTARTBLOCK))
++ return -EFSCORRUPTED;
++
++ bp = xfs_buf_incore(mp->m_ddev_targp,
++ XFS_FSB_TO_DADDR(mp, map->br_startblock),
++ XFS_FSB_TO_BB(mp, map->br_blockcount), incore_flags);
++ if (bp) {
++ xfs_buf_stale(bp);
++ xfs_buf_relse(bp);
++ }
++
++ return 0;
++}
++
+ /*
+ * Remove the value associated with an attribute by deleting the
+ * out-of-line buffer that it is stored on.
+@@ -557,7 +584,6 @@ int
+ xfs_attr_rmtval_remove(
+ struct xfs_da_args *args)
+ {
+- struct xfs_mount *mp = args->dp->i_mount;
+ xfs_dablk_t lblkno;
+ int blkcnt;
+ int error;
+@@ -572,9 +598,6 @@ xfs_attr_rmtval_remove(
+ blkcnt = args->rmtblkcnt;
+ while (blkcnt > 0) {
+ struct xfs_bmbt_irec map;
+- struct xfs_buf *bp;
+- xfs_daddr_t dblkno;
+- int dblkcnt;
+ int nmap;
+ 
+ /*
+@@ -585,22 +608,11 @@ xfs_attr_rmtval_remove(
+ blkcnt, &map, &nmap, XFS_BMAPI_ATTRFORK);
+ if (error)
+ return error;
+- ASSERT(nmap == 1);
+- ASSERT((map.br_startblock != DELAYSTARTBLOCK) &&
+- (map.br_startblock != HOLESTARTBLOCK));
+-
+- dblkno = XFS_FSB_TO_DADDR(mp, map.br_startblock),
+- dblkcnt = XFS_FSB_TO_BB(mp, map.br_blockcount);
+-
+- /*
+- * If the "remote" value is in the cache, remove it.
+- */
+- bp = xfs_buf_incore(mp->m_ddev_targp, dblkno, dblkcnt, XBF_TRYLOCK);
+- if (bp) {
+- xfs_buf_stale(bp);
+- xfs_buf_relse(bp);
+- bp = NULL;
+- }
++ if (XFS_IS_CORRUPT(args->dp->i_mount, nmap != 1))
++ return -EFSCORRUPTED;
++ error = xfs_attr_rmtval_stale(args->dp, &map, XBF_TRYLOCK);
++ if (error)
++ return error;
+ 
+ lblkno += map.br_blockcount;
+ blkcnt -= map.br_blockcount;
+diff --git a/fs/xfs/libxfs/xfs_attr_remote.h b/fs/xfs/libxfs/xfs_attr_remote.h
+index 9d20b66ad379..6fb4572845ce 100644
+--- a/fs/xfs/libxfs/xfs_attr_remote.h
++++ b/fs/xfs/libxfs/xfs_attr_remote.h
+@@ -11,5 +11,7 @@ int xfs_attr3_rmt_blocks(struct xfs_mount *mp, int attrlen);
+ int xfs_attr_rmtval_get(struct xfs_da_args *args);
+ int xfs_attr_rmtval_set(struct xfs_da_args *args);
+ int xfs_attr_rmtval_remove(struct xfs_da_args *args);
++int xfs_attr_rmtval_stale(struct xfs_inode *ip, struct xfs_bmbt_irec *map,
++ xfs_buf_flags_t incore_flags);
+ 
+ #endif /* __XFS_ATTR_REMOTE_H__ */
+--
+2.35.3
+
diff --git a/patches.suse/xfs-remove-obsolete-AGF-counter-debugging.patch b/patches.suse/xfs-remove-obsolete-AGF-counter-debugging.patch
new file mode 100644
index 0000000..738e081
--- /dev/null
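Review bot: The one-line header on the new `xfs_attr_rmtval_stale()` does not state its return contract: it returns 0 both when a buffer was found and marked stale and when `xfs_buf_incore()` returned NULL, so with the `XBF_TRYLOCK` that `xfs_attr_rmtval_remove()` passes, a caller cannot tell "not cached" from (presumably) "cached but not lockable right now". I would expand the comment to `/* Mark stale any incore buffers for the remote value; returns 0 even when no buffer was found or locked, -EFSCORRUPTED for a delalloc or hole mapping. */`. The old `ASSERT`s on `nmap` and `br_startblock` are also turned into `XFS_IS_CORRUPT()` checks that return `-EFSCORRUPTED`, which changes behaviour on builds where `ASSERT` compiles out and goes beyond the "refactor" in the subject. `xfs_attr_rmtval_remove()` starts and ends outside the hunks shown.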
+++ b/patches.suse/xfs-remove-obsolete-AGF-counter-debugging.patch 
@@ -0,0 +1,254 @@ +From 1aec7c3d05670b92b7339b19999009a93808efb9 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Fri, 23 Apr 2021 16:02:00 -0700 +Subject: [PATCH] xfs: remove obsolete AGF counter debugging +Git-commit: 1aec7c3d05670b92b7339b19999009a93808efb9 +Patch-mainline: v5.13-rc1 +References: git-fixes + +In commit f8f2835a9cf3 we changed the behavior of XFS to use EFIs to +remove blocks from an overfilled AGFL because there were complaints +about transaction overruns that stemmed from trying to free multiple +blocks in a single transaction. + +Unfortunately, that commit missed a subtlety in the debug-mode +transaction accounting when a realtime volume is attached. If a +realtime file undergoes a data fork mapping change such that realtime +extents are allocated (or freed) in the same transaction that a data +device block is also allocated (or freed), we can trip a debugging +assertion. This can happen (for example) if a realtime extent is +allocated and it is necessary to reshape the bmbt to hold the new +mapping. + +When we go to allocate a bmbt block from an AG, the first thing the data +device block allocator does is ensure that the freelist is the proper +length. If the freelist is too long, it will trim the freelist to the +proper length. + +In debug mode, trimming the freelist calls xfs_trans_agflist_delta() to +record the decrement in the AG free list count. Prior to f8f28 we would +put the free block back in the free space btrees in the same +transaction, which calls xfs_trans_agblocks_delta() to record the +increment in the AG free block count. Since AGFL blocks are included in +the global free block count (fdblocks), there is no corresponding +fdblocks update, so the AGFL free satisfies the following condition in +Xfs_trans_apply_sb_deltas: + + /* + * Check that superblock mods match the mods made to AGF counters. 
+ */ + ASSERT((tp->t_fdblocks_delta + tp->t_res_fdblocks_delta) == + (tp->t_ag_freeblks_delta + tp->t_ag_flist_delta + + tp->t_ag_btree_delta)); + +The comparison here used to be: (X + 0) == ((X+1) + -1 + 0), where X is +the number blocks that were allocated. + +After commit f8f28 we defer the block freeing to the next chained +transaction, which means that the calls to xfs_trans_agflist_delta and +xfs_trans_agblocks_delta occur in separate transactions. The (first) +transaction that shortens the free list trips on the comparison, which +has now become: + +(X + 0) == ((X) + -1 + 0) + +because we haven't freed the AGFL block yet; we've only logged an +intention to free it. When the second transaction (the deferred free) +commits, it will evaluate the expression as: + +(0 + 0) == (1 + 0 + 0) + +and trip over that in turn. + +At this point, the astute reader may note that the two commits tagged by +this patch have been in the kernel for a long time but haven't generated +any bug reports. How is it that the author became aware of this bug? + +This originally surfaced as an intermittent failure when I was testing +realtime rmap, but a different bug report by Zorro Lang reveals the same +assertion occuring on !lazysbcount filesystems. + +The common factor to both reports (and why this problem wasn't +previously reported) becomes apparent if we consider when +xfs_trans_apply_sb_deltas is called by __xfs_trans_commit(): + + if (tp->t_flags & XFS_TRANS_SB_DIRTY) + xfs_trans_apply_sb_deltas(tp); + +With a modern lazysbcount filesystem, transactions update only the +percpu counters, so they don't need to set XFS_TRANS_SB_DIRTY, hence +xfs_trans_apply_sb_deltas is rarely called. + +However, updates to the count of free realtime extents are not part of +lazysbcount, so XFS_TRANS_SB_DIRTY will be set on transactions adding or +removing data fork mappings to realtime files; similarly, +XFS_TRANS_SB_DIRTY is always set on !lazysbcount filesystems. 
+ +Dave mentioned in response to an earlier version of this patch: + +"IIUC, what you are saying is that this debug code is simply not +exercised in normal testing and hasn't been for the past decade? And it +still won't be exercised on anything other than realtime device testing? + +"...it was debugging code from 1994 that was largely turned into dead +code when lazysbcounters were introduced in 2007. Hence I'm not sure it +holds any value anymore." + +This debugging code isn't especially helpful - you can modify the +flcount on one AG and the freeblks of another AG, and it won't trigger. +Add the fact that nobody noticed for a decade, and let's just get rid of +it (and start testing realtime :P). + +This bug was found by running generic/051 on either a V4 filesystem +lacking lazysbcount; or a V5 filesystem with a realtime volume. + +Cc: bfoster@redhat.com, zlang@redhat.com +Fixes: f8f2835a9cf3 ("xfs: defer agfl block frees when dfops is available") +Signed-off-by: Darrick J. Wong +Reviewed-by: Brian Foster +Acked-by: Anthony Iliopoulos + +--- + fs/xfs/libxfs/xfs_alloc.c | 3 --- + fs/xfs/libxfs/xfs_alloc_btree.c | 2 -- + fs/xfs/libxfs/xfs_rmap_btree.c | 2 -- + fs/xfs/xfs_fsops.c | 2 -- + fs/xfs/xfs_trans.c | 7 ------- + fs/xfs/xfs_trans.h | 15 --------------- + 6 files changed, 31 deletions(-) + +diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c +index ebc5a1d111dd..91a1e40e2517 100644 +--- a/fs/xfs/libxfs/xfs_alloc.c ++++ b/fs/xfs/libxfs/xfs_alloc.c +@@ -682,7 +682,6 @@ xfs_alloc_update_counters( + pag->pagf_freeblks += len; + be32_add_cpu(&agf->agf_freeblks, len); + +- xfs_trans_agblocks_delta(tp, len); + if (unlikely(be32_to_cpu(agf->agf_freeblks) > + be32_to_cpu(agf->agf_length))) { + xfs_buf_mark_corrupt(agbp); +@@ -2448,7 +2447,6 @@ xfs_alloc_get_freelist( + pag = xfs_perag_get(mp, be32_to_cpu(agf->agf_seqno)); + ASSERT(!pag->pagf_agflreset); + be32_add_cpu(&agf->agf_flcount, -1); +- xfs_trans_agflist_delta(tp, -1); + pag->pagf_flcount--; + 
+ logflags = XFS_AGF_FLFIRST | XFS_AGF_FLCOUNT; +@@ -2560,7 +2558,6 @@ xfs_alloc_put_freelist( + pag = xfs_perag_get(mp, be32_to_cpu(agf->agf_seqno)); + ASSERT(!pag->pagf_agflreset); + be32_add_cpu(&agf->agf_flcount, 1); +- xfs_trans_agflist_delta(tp, 1); + pag->pagf_flcount++; + + logflags = XFS_AGF_FLLAST | XFS_AGF_FLCOUNT; +diff --git a/fs/xfs/libxfs/xfs_alloc_btree.c b/fs/xfs/libxfs/xfs_alloc_btree.c +index 2a94543857a1..a006626204cc 100644 +--- a/fs/xfs/libxfs/xfs_alloc_btree.c ++++ b/fs/xfs/libxfs/xfs_alloc_btree.c +@@ -74,7 +74,6 @@ xfs_allocbt_alloc_block( + + xfs_extent_busy_reuse(cur->bc_mp, cur->bc_private.a.agno, bno, 1, false); + +- xfs_trans_agbtree_delta(cur->bc_tp, 1); + new->s = cpu_to_be32(bno); + + *stat = 1; +@@ -98,7 +97,6 @@ xfs_allocbt_free_block( + + xfs_extent_busy_insert(cur->bc_tp, be32_to_cpu(agf->agf_seqno), bno, 1, + XFS_EXTENT_BUSY_SKIP_DISCARD); +- xfs_trans_agbtree_delta(cur->bc_tp, -1); + return 0; + } + +diff --git a/fs/xfs/libxfs/xfs_rmap_btree.c b/fs/xfs/libxfs/xfs_rmap_btree.c +index fc78efa52c94..6a835cf18a2d 100644 +--- a/fs/xfs/libxfs/xfs_rmap_btree.c ++++ b/fs/xfs/libxfs/xfs_rmap_btree.c +@@ -104,7 +104,6 @@ xfs_rmapbt_alloc_block( + xfs_extent_busy_reuse(cur->bc_mp, cur->bc_private.a.agno, bno, 1, + false); + +- xfs_trans_agbtree_delta(cur->bc_tp, 1); + new->s = cpu_to_be32(bno); + be32_add_cpu(&agf->agf_rmap_blocks, 1); + xfs_alloc_log_agf(cur->bc_tp, agbp, XFS_AGF_RMAP_BLOCKS); +@@ -136,7 +135,6 @@ xfs_rmapbt_free_block( + + xfs_extent_busy_insert(cur->bc_tp, be32_to_cpu(agf->agf_seqno), bno, 1, + XFS_EXTENT_BUSY_SKIP_DISCARD); +- xfs_trans_agbtree_delta(cur->bc_tp, -1); + + xfs_ag_resv_rmapbt_free(cur->bc_mp, cur->bc_private.a.agno); + +diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c +index f5518c0b34b1..3e2bfb86496c 100644 +--- a/fs/xfs/xfs_fsops.c ++++ b/fs/xfs/xfs_fsops.c +@@ -69,8 +69,6 @@ xfs_resizefs_init_new_ags( + if (error) + return error; + +- xfs_trans_agblocks_delta(tp, id->nfree); +- + if (delta) { + 
*lastag_extended = true; + error = xfs_ag_extend_space(mp, tp, id, delta); +diff --git a/fs/xfs/xfs_trans.c b/fs/xfs/xfs_trans.c +index 9100f0c20515..5cbca62b04c6 100644 +--- a/fs/xfs/xfs_trans.c ++++ b/fs/xfs/xfs_trans.c +@@ -476,13 +476,6 @@ xfs_trans_apply_sb_deltas( + bp = xfs_trans_getsb(tp, tp->t_mountp); + sbp = XFS_BUF_TO_SBP(bp); + +- /* +- * Check that superblock mods match the mods made to AGF counters. +- */ +- ASSERT((tp->t_fdblocks_delta + tp->t_res_fdblocks_delta) == +- (tp->t_ag_freeblks_delta + tp->t_ag_flist_delta + +- tp->t_ag_btree_delta)); +- + /* + * Only update the superblock counters if we are logging them + */ +diff --git a/fs/xfs/xfs_trans.h b/fs/xfs/xfs_trans.h +index 64d7f171ebd3..308028fd01eb 100644 +--- a/fs/xfs/xfs_trans.h ++++ b/fs/xfs/xfs_trans.h +@@ -124,11 +124,6 @@ typedef struct xfs_trans { + int64_t t_res_fdblocks_delta; /* on-disk only chg */ + int64_t t_frextents_delta;/* superblock freextents chg*/ + int64_t t_res_frextents_delta; /* on-disk only chg */ +-#if defined(DEBUG) || defined(XFS_WARN) +- int64_t t_ag_freeblks_delta; /* debugging counter */ +- int64_t t_ag_flist_delta; /* debugging counter */ +- int64_t t_ag_btree_delta; /* debugging counter */ +-#endif + int64_t t_dblocks_delta;/* superblock dblocks change */ + int64_t t_agcount_delta;/* superblock agcount change */ + int64_t t_imaxpct_delta;/* superblock imaxpct change */ +@@ -149,16 +144,6 @@ typedef struct xfs_trans { + */ + #define xfs_trans_set_sync(tp) ((tp)->t_flags |= XFS_TRANS_SYNC) + +-#if defined(DEBUG) || defined(XFS_WARN) +-#define xfs_trans_agblocks_delta(tp, d) ((tp)->t_ag_freeblks_delta += (int64_t)d) +-#define xfs_trans_agflist_delta(tp, d) ((tp)->t_ag_flist_delta += (int64_t)d) +-#define xfs_trans_agbtree_delta(tp, d) ((tp)->t_ag_btree_delta += (int64_t)d) +-#else +-#define xfs_trans_agblocks_delta(tp, d) +-#define xfs_trans_agflist_delta(tp, d) +-#define xfs_trans_agbtree_delta(tp, d) +-#endif +- + /* + * XFS transaction mechanism exported 
interfaces. + */ +-- +2.35.3 + diff --git a/patches.suse/xfs-rename-new-to-delta-in-xfs_growfs_data_private.patch b/patches.suse/xfs-rename-new-to-delta-in-xfs_growfs_data_private.patch new file mode 100644 index 0000000..8a7d958 --- /dev/null +++ b/patches.suse/xfs-rename-new-to-delta-in-xfs_growfs_data_private.patch 
@@ -0,0 +1,89 @@ +From ce5e1062e2539c7f7d311548494ea2705184c784 Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Tue, 2 Feb 2021 18:24:06 -0800 +Subject: [PATCH] xfs: rename `new' to `delta' in xfs_growfs_data_private() +Git-commit: ce5e1062e2539c7f7d311548494ea2705184c784 +Patch-mainline: v5.12-rc1 +References: git-fixes + +It actually means the delta block count of growfs. Rename it in order +to make it clear. Also introduce nb_div to avoid reusing `delta`. + +Reviewed-by: Darrick J. Wong +Signed-off-by: Gao Xiang +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Acked-by: Anthony Iliopoulos + +--- + fs/xfs/xfs_fsops.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c +index 3e61d0cc23f8..67a0c957a017 100644 +--- a/fs/xfs/xfs_fsops.c ++++ b/fs/xfs/xfs_fsops.c +@@ -32,8 +32,8 @@ xfs_growfs_data_private( + int error; + xfs_agnumber_t nagcount; + xfs_agnumber_t nagimax = 0; +- xfs_rfsblock_t nb, nb_mod; +- xfs_rfsblock_t new; ++ xfs_rfsblock_t nb, nb_div, nb_mod; ++ xfs_rfsblock_t delta; + xfs_agnumber_t oagcount; + xfs_trans_t *tp; + struct aghdr_init_data id = {}; +@@ -50,16 +50,16 @@ xfs_growfs_data_private( + return error; + xfs_buf_relse(bp); + +- new = nb; /* use new as a temporary here */ +- nb_mod = do_div(new, mp->m_sb.sb_agblocks); +- nagcount = new + (nb_mod != 0); ++ nb_div = nb; ++ nb_mod = do_div(nb_div, mp->m_sb.sb_agblocks); ++ nagcount = nb_div + (nb_mod != 0); + if (nb_mod && nb_mod < XFS_MIN_AG_BLOCKS) { + nagcount--; + nb = (xfs_rfsblock_t)nagcount * mp->m_sb.sb_agblocks; + if (nb < mp->m_sb.sb_dblocks) + return -EINVAL; + } +- new = nb - mp->m_sb.sb_dblocks; ++ delta = nb - mp->m_sb.sb_dblocks; + oagcount = mp->m_sb.sb_agcount; + + /* allocate the new per-ag structures */ +@@ -89,7 +89,7 @@ xfs_growfs_data_private( + INIT_LIST_HEAD(&id.buffer_list); + for (id.agno = nagcount - 1; + id.agno >= oagcount; +- id.agno--, new -= id.agsize) { ++ id.agno--, 
delta -= id.agsize) { + + if (id.agno == nagcount - 1) + id.agsize = nb - +@@ -110,8 +110,8 @@ xfs_growfs_data_private( + xfs_trans_agblocks_delta(tp, id.nfree); + + /* If there are new blocks in the old last AG, extend it. */ +- if (new) { +- error = xfs_ag_extend_space(mp, tp, &id, new); ++ if (delta) { ++ error = xfs_ag_extend_space(mp, tp, &id, delta); + if (error) + goto out_trans_cancel; + } +@@ -143,7 +143,7 @@ xfs_growfs_data_private( + * If we expanded the last AG, free the per-AG reservation + * so we can reinitialize it with the new size. + */ +- if (new) { ++ if (delta) { + struct xfs_perag *pag; + + pag = xfs_perag_get(mp, id.agno); +-- +2.35.3 + diff --git a/patches.suse/xfs-reserve-data-and-rt-quota-at-the-same-time.patch b/patches.suse/xfs-reserve-data-and-rt-quota-at-the-same-time.patch new file mode 100644 index 0000000..d6a20b0 --- /dev/null +++ b/patches.suse/xfs-reserve-data-and-rt-quota-at-the-same-time.patch 
@@ -0,0 +1,47 @@
+From 02b7ee4eb613240d2bb3f6a67723f94ceda19eb6 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Tue, 26 Jan 2021 17:20:42 -0800
+Subject: [PATCH] xfs: reserve data and rt quota at the same time
+Git-commit: 02b7ee4eb613240d2bb3f6a67723f94ceda19eb6
+Patch-mainline: v5.12-rc1
+References: bsc#1203496
+
+Modify xfs_trans_reserve_quota_nblks so that we can reserve data and
+realtime blocks from the dquot at the same time. This change has the
+theoretical side effect that for allocations to realtime files we will
+reserve from the dquot both the number of rtblocks being allocated and
+the number of bmbt blocks that might be needed to add the mapping.
+However, since the mount code disables quota if it finds a realtime
+device, this should not result in any behavior changes.
+
+Now that we've moved the inode creation callers away from using the
+_nblks function, we can repurpose the (now unused) ninos argument for
+realtime blocks, so make that change. This also replaces the flags
+argument with a boolean parameter to force the reservation since we
+don't need to distinguish between data and rt quota reservations any
+more, and the only flag being passed in was FORCE_RES.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Brian Foster
+Acked-by: Anthony Iliopoulos
+
+---
+ fs/xfs/xfs_iomap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c
+index 94e49e3b6f21..62311149bb57 100644
+--- a/fs/xfs/xfs_iomap.c
++++ b/fs/xfs/xfs_iomap.c
+@@ -254,6 +254,7 @@ xfs_iomap_write_direct(
+ if (IS_DAX(VFS_I(ip))) {
+ bmapi_flags = XFS_BMAPI_CONVERT | XFS_BMAPI_ZERO;
+ if (imap->br_state == XFS_EXT_UNWRITTEN) {
++ quota_flag |= XFS_QMOPT_FORCE_RES;
+ tflags |= XFS_TRANS_RESERVE;
+ resblks = qblocks = XFS_DIOSTRAT_SPACE_RES(mp, 0) << 1;
+ }
+--
+2.35.3
+
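Review bot: The patch header describes reworking `xfs_trans_reserve_quota_nblks` (repurposing `ninos`, replacing the flags argument with a boolean), but the only change carried is the single added line `quota_flag |= XFS_QMOPT_FORCE_RES;` in `xfs_iomap_write_direct()`, so the description does not match what is applied. That line makes the quota reservation for DAX writes into unwritten extents a forced one, which as far as I can tell lets it succeed past the dquot limits, so the header should state that this is a partial backport and why the forced reservation is wanted for bsc#1203496. A comment above the new line would record the intent, for example `/* unwritten extent conversion under DAX: force the quota reservation, as XFS_TRANS_RESERVE does for blocks */` (wording to be confirmed against the bug report). `quota_flag` is declared outside the hunk, and the function begins and continues beyond it.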
diff --git a/patches.suse/xfs-slightly-tweak-an-assert-in-xfs_fs_map_blocks.patch b/patches.suse/xfs-slightly-tweak-an-assert-in-xfs_fs_map_blocks.patch
new file mode 100644
index 0000000..f58fee7
--- /dev/null
+++ b/patches.suse/xfs-slightly-tweak-an-assert-in-xfs_fs_map_blocks.patch
@@ -0,0 +1,41 @@
+From 88cdb7147b21b2d8b4bd3f3d95ce0bffd73e1ac3 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Wed, 30 Oct 2019 12:24:58 -0700
+Subject: [PATCH] xfs: slightly tweak an assert in xfs_fs_map_blocks
+Git-commit: 88cdb7147b21b2d8b4bd3f3d95ce0bffd73e1ac3
+Patch-mainline: v5.5-rc1
+References: git-fixes
+
+We should never see delalloc blocks for a pNFS layout, write or not.
+Adjust the assert to check for that.
+
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Acked-by: Anthony Iliopoulos
+
+---
+ fs/xfs/xfs_pnfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/xfs_pnfs.c b/fs/xfs/xfs_pnfs.c
+index f63fe8d924a3..058af699e046 100644
+--- a/fs/xfs/xfs_pnfs.c
++++ b/fs/xfs/xfs_pnfs.c
+@@ -147,11 +147,11 @@ xfs_fs_map_blocks(
+ if (error)
+ goto out_unlock;
+ 
++ ASSERT(!nimaps || imap.br_startblock != DELAYSTARTBLOCK);
++
+ if (write) {
+ enum xfs_prealloc_flags flags = 0;
+ 
+- ASSERT(imap.br_startblock != DELAYSTARTBLOCK);
+-
+ if (!nimaps || imap.br_startblock == HOLESTARTBLOCK) {
+ /*
+ * xfs_iomap_write_direct() expects to take ownership of
+--
+2.35.3
+
diff --git a/patches.suse/xfs-streamline-xfs_attr3_leaf_inactive.patch b/patches.suse/xfs-streamline-xfs_attr3_leaf_inactive.patch
new file mode 100644
index 0000000..55656db
--- /dev/null
+++ b/patches.suse/xfs-streamline-xfs_attr3_leaf_inactive.patch
@@ -0,0 +1,196 @@
+From 0bb9d159bd018b271e783d3b2d3bc82fa0727321 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Tue, 14 Jan 2020 14:31:49 -0800
+Subject: [PATCH] xfs: streamline xfs_attr3_leaf_inactive
+Git-commit: 0bb9d159bd018b271e783d3b2d3bc82fa0727321
+Patch-mainline: v5.6-rc1
+References: git-fixes
+
+Now that we know we don't have to take a transaction to stale the incore
+buffers for a remote value, get rid of the unnecessary memory allocation
+in the leaf walker and call the rmt_stale function directly. Flatten
+the loop while we're at it.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Acked-by: Anthony Iliopoulos
+
+---
+ fs/xfs/libxfs/xfs_attr_leaf.h | 9 ---
+ fs/xfs/xfs_attr_inactive.c | 101 ++++++++++------------------------
+ 2 files changed, 29 insertions(+), 81 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_attr_leaf.h b/fs/xfs/libxfs/xfs_attr_leaf.h
+index 16208a7743df..39afedec33af 100644
+--- a/fs/xfs/libxfs/xfs_attr_leaf.h
++++ b/fs/xfs/libxfs/xfs_attr_leaf.h
+@@ -39,15 +39,6 @@ struct xfs_attr3_icleaf_hdr {
+ } freemap[XFS_ATTR_LEAF_MAPSIZE];
+ };
+ 
+-/*
+- * Used to keep a list of "remote value" extents when unlinking an inode.
+- */
+-typedef struct xfs_attr_inactive_list {
+- xfs_dablk_t valueblk; /* block number of value bytes */
+- int valuelen; /* number of bytes in value */
+-} xfs_attr_inactive_list_t;
+-
+-
+ /*========================================================================
+ * Function prototypes for the kernel.
+ *========================================================================*/
+diff --git a/fs/xfs/xfs_attr_inactive.c b/fs/xfs/xfs_attr_inactive.c
+index 6a5fdcb63841..344dccbfd060 100644
+--- a/fs/xfs/xfs_attr_inactive.c
++++ b/fs/xfs/xfs_attr_inactive.c
+@@ -37,8 +37,6 @@ xfs_attr3_rmt_stale(
+ int blkcnt)
+ {
+ struct xfs_bmbt_irec map;
+- xfs_dablk_t tblkno;
+- int tblkcnt;
+ int nmap;
+ int error;
+ 
+@@ -46,14 +44,12 @@ xfs_attr3_rmt_stale(
+ * Roll through the "value", invalidating the attribute value's
+ * blocks.
+ */
+- tblkno = blkno;
+- tblkcnt = blkcnt;
+- while (tblkcnt > 0) {
++ while (blkcnt > 0) {
+ /*
+ * Try to remember where we decided to put the value.
+ */
+ nmap = 1;
+- error = xfs_bmapi_read(dp, (xfs_fileoff_t)tblkno, tblkcnt,
++ error = xfs_bmapi_read(dp, (xfs_fileoff_t)blkno, blkcnt,
+ &map, &nmap, XFS_BMAPI_ATTRFORK);
+ if (error)
+ return error;
+@@ -69,8 +65,8 @@ xfs_attr3_rmt_stale(
+ if (error)
+ return error;
+ 
+- tblkno += map.br_blockcount;
+- tblkcnt -= map.br_blockcount;
++ blkno += map.br_blockcount;
++ blkcnt -= map.br_blockcount;
+ }
+ 
+ return 0;
+@@ -84,84 +80,45 @@ xfs_attr3_rmt_stale(
+ */
+ STATIC int
+ xfs_attr3_leaf_inactive(
+- struct xfs_trans **trans,
+- struct xfs_inode *dp,
+- struct xfs_buf *bp)
++ struct xfs_trans **trans,
++ struct xfs_inode *dp,
++ struct xfs_buf *bp)
+ {
+- struct xfs_attr_leafblock *leaf;
+- struct xfs_attr3_icleaf_hdr ichdr;
+- struct xfs_attr_leaf_entry *entry;
++ struct xfs_attr3_icleaf_hdr ichdr;
++ struct xfs_mount *mp = bp->b_mount;
++ struct xfs_attr_leafblock *leaf = bp->b_addr;
++ struct xfs_attr_leaf_entry *entry;
+ struct xfs_attr_leaf_name_remote *name_rmt;
+- struct xfs_attr_inactive_list *list;
+- struct xfs_attr_inactive_list *lp;
+- int error;
+- int count;
+- int size;
+- int tmp;
+- int i;
+- struct xfs_mount *mp = bp->b_mount;
++ int error;
++ int i;
+ 
+- leaf = bp->b_addr;
+ xfs_attr3_leaf_hdr_from_disk(mp->m_attr_geo, &ichdr, leaf);
+ 
+ /*
+- * Count the number of "remote" value extents.
++ * Find the remote value extents for this leaf and invalidate their
++ * incore buffers.
+ */
+- count = 0;
+ entry = xfs_attr3_leaf_entryp(leaf);
+ for (i = 0; i < ichdr.count; entry++, i++) {
+- if (be16_to_cpu(entry->nameidx) &&
+- ((entry->flags & XFS_ATTR_LOCAL) == 0)) {
+- name_rmt = xfs_attr3_leaf_name_remote(leaf, i);
+- if (name_rmt->valueblk)
+- count++;
+- }
+- }
+-
+- /*
+- * If there are no "remote" values, we're done.
+- */
+- if (count == 0) {
+- xfs_trans_brelse(*trans, bp);
+- return 0;
+- }
++ int blkcnt;
+ 
+- /*
+- * Allocate storage for a list of all the "remote" value extents.
+- */
+- size = count * sizeof(xfs_attr_inactive_list_t);
+- list = kmem_alloc(size, 0);
++ if (!entry->nameidx || (entry->flags & XFS_ATTR_LOCAL))
++ continue;
+ 
+- /*
+- * Identify each of the "remote" value extents.
+- */
+- lp = list;
+- entry = xfs_attr3_leaf_entryp(leaf);
+- for (i = 0; i < ichdr.count; entry++, i++) {
+- if (be16_to_cpu(entry->nameidx) &&
+- ((entry->flags & XFS_ATTR_LOCAL) == 0)) {
+- name_rmt = xfs_attr3_leaf_name_remote(leaf, i);
+- if (name_rmt->valueblk) {
+- lp->valueblk = be32_to_cpu(name_rmt->valueblk);
+- lp->valuelen = xfs_attr3_rmt_blocks(dp->i_mount,
+- be32_to_cpu(name_rmt->valuelen));
+- lp++;
+- }
+- }
+- }
+- xfs_trans_brelse(*trans, bp); /* unlock for trans. in freextent() */
++ name_rmt = xfs_attr3_leaf_name_remote(leaf, i);
++ if (!name_rmt->valueblk)
++ continue;
+ 
+- /*
+- * Invalidate each of the "remote" value extents.
+- */
+- error = 0;
+- for (lp = list, i = 0; i < count; i++, lp++) {
+- tmp = xfs_attr3_rmt_stale(dp, lp->valueblk, lp->valuelen);
+- if (error == 0)
+- error = tmp; /* save only the 1st errno */
++ blkcnt = xfs_attr3_rmt_blocks(dp->i_mount,
++ be32_to_cpu(name_rmt->valuelen));
++ error = xfs_attr3_rmt_stale(dp,
++ be32_to_cpu(name_rmt->valueblk), blkcnt);
++ if (error)
++ goto err;
+ }
+ 
+- kmem_free(list);
++ xfs_trans_brelse(*trans, bp);
++err:
+ return error;
+ }
+ 
+--
+2.35.3
+
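Review bot: In the rewritten `xfs_attr3_leaf_inactive()` the `goto err` taken when `xfs_attr3_rmt_stale()` fails jumps past `xfs_trans_brelse(*trans, bp)`, whereas the removed code released `bp` before it invalidated anything, so on the error path the leaf buffer is now left held. That is only safe if every caller cancels `*trans` on error and the cancel releases the buffer, which these hunks do not show; either confirm that or release the buffer on both paths. At minimum the label deserves a comment such as `/* on error bp stays attached to *trans; the caller's transaction cancel is expected to release it */`. The loop also now stops at the first failing entry instead of walking all entries and keeping the first errno, which "Flatten the loop" in the description does not mention.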
diff --git a/series.conf b/series.conf index d4b6003..18dad2d 100644 --- a/series.conf +++ b/series.conf @@ -14499,6 +14499,7 @@ patches.suse/mm-vmscan-enforce-inactive-active-ratio-at-the-reclaim-root.patch patches.suse/mm-vmscan.c-fix-typo-in-comment.patch patches.suse/hugetlbfs-hugetlb_fault_mutex_hash-cleanup.patch + patches.suse/powerpc-mm-remove-pmd_huge-pud_huge-stubs-and-includ.patch patches.suse/hugetlbfs-take-read_lock-on-i_mmap-for-PMD-sharing.patch patches.suse/hugetlb-region_chg-provides-only-cache-entry.patch patches.suse/hugetlb-remove-duplicated-code.patch @@ -14800,11 +14801,14 @@ patches.suse/xfs-namecheck-directory-entry-names-before-listing-t.patch patches.suse/xfs-replace-EIO-with-EFSCORRUPTED-for-corrupt-metada.patch patches.suse/xfs-properly-serialise-fallocate-against-AIO-DIO.patch + patches.suse/xfs-slightly-tweak-an-assert-in-xfs_fs_map_blocks.patch patches.suse/xfs-constify-the-buffer-pointer-arguments-to-error-f.patch patches.suse/xfs-always-log-corruption-errors.patch + patches.suse/xfs-add-missing-assert-in-xfs_fsmap_owner_from_rmap.patch patches.suse/xfs-make-the-assertion-message-functions-take-a-moun.patch patches.suse/xfs-range-check-ri_cnt-when-recovering-log-items.patch patches.suse/xfs-convert-EIO-to-EFSCORRUPTED-when-log-contents-ar.patch + patches.suse/xfs-move-incore-structures-out-of-xfs_da_format.h.patch patches.suse/xfs-attach-dquots-and-reserve-quota-blocks-during-un.patch patches.suse/xfs-attach-dquots-before-performing-xfs_swap_extents.patch patches.suse/xfs-add-a-XFS_IS_CORRUPT-macro.patch 
@@ -17041,6 +17045,7 @@
 patches.suse/crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch
 patches.suse/crypto-ccree-fix-backlog-memory-leak.patch
 patches.suse/crypto-ccp-set-max-RSA-modulus-size-for-v3-platform-.patch
+ patches.suse/crypto-arm64-sha-fix-function-types.patch
 patches.suse/crypto-arm64-ghash-neon-bump-priority-to-150.patch
 patches.suse/crypto-pcrypt-Do-not-clear-MAY_SLEEP-flag-in-origina.patch
 patches.suse/crypto-testmgr-don-t-try-to-decrypt-uninitialized-bu.patch
@@ -20998,6 +21003,10 @@
 patches.suse/xfs-also-remove-cached-ACLs-when-removing-the-underl.patch
 patches.suse/xfs-introduce-XFS_MAX_FILEOFF.patch
 patches.suse/xfs-truncate-should-remove-all-blocks-not-just-to-th.patch
+ patches.suse/xfs-fix-s_maxbytes-computation-on-32-bit-kernels.patch
+ patches.suse/xfs-refactor-remote-attr-value-buffer-invalidation.patch
+ patches.suse/xfs-fix-memory-corruption-during-remote-attr-value-b.patch
+ patches.suse/xfs-streamline-xfs_attr3_leaf_inactive.patch
 patches.suse/xfs-check-log-iovec-size-to-make-sure-it-s-plausibly.patch
 patches.suse/xfs-remove-unused-variable-done.patch
 patches.suse/reiserfs-Fix-memory-leak-of-journal-device-string.patch
@@ -37375,7 +37384,7 @@
 patches.suse/cpuidle-psci-Fix-error-path-via-converting-to-a-plat.patch
 patches.suse/cpuidle-psci-Convert-PM-domain-to-platform-driver.patch
 patches.suse/cpuidle-psci-Prevent-domain-idlestates-until-consume.patch
- patches.suse/intel_idle-Customize-IceLake-server-support.patch
+ patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch
 patches.suse/powercap-intel_rapl-add-support-for-Sapphire-Rapids.patch
 patches.suse/powercap-Add-Power-Limit4-support.patch
 patches.suse/ACPICA-Replace-one-element-array-with-flexible-array.patch
@@ -41781,6 +41790,7 @@
 patches.suse/mm-slab-slub-move-and-improve-cache_from_obj.patch
 patches.suse/mm-slab-slub-improve-error-reporting-and-overhead-of-cache_from_obj.patch
 patches.suse/mm-filemap-clear-idle-flag-for-writes.patch
+ patches.suse/mm-memcg-avoid-stale-protection-values-when-cgroup-is-above-protection.patch
 patches.suse/mm-fix-protection-usage-propagation.patch
 patches.suse/0001-proc-meminfo-avoid-open-coded-reading-of-mv_committed_as.patch
 patches.suse/0002-mm-util-make-vm_memory_comitted-more-accurate.patch
@@ -45457,6 +45467,7 @@
 patches.suse/IB-mlx4-Add-support-for-MRA.patch
 patches.suse/IB-mlx4-Separate-tunnel-and-wire-bufs-parameters.patch
 patches.suse/IB-mlx4-Fix-starvation-in-paravirt-mux-demux.patch
+ patches.suse/IB-mlx4-Add-support-for-REJ-due-to-timeout.patch
 patches.suse/IB-mlx4-Adjust-delayed-work-when-a-dup-is-observed.patch
 patches.suse/RDMA-efa-Remove-redundant-udata-check-from-alloc-uco.patch
 patches.suse/RDMA-core-Move-the-rdma_show_ib_cm_event-macro.patch
@@ -45475,6 +45486,7 @@
 patches.suse/RDMA-ucma-Rework-how-new-connections-are-passed-thro.patch
 patches.suse/RDMA-ucma-Remove-closing-and-the-close_wq.patch
 patches.suse/RDMA-hns-Add-a-check-for-current-state-before-modify.patch
+ patches.suse/RDMA-qib-Remove-superfluous-fallthrough-statements.patch
 patches.suse/RDMA-ucma-Fix-resource-leak-on-error-path.patch
 patches.suse/RDMA-mlx5-Fix-potential-race-between-destroy-and-CQE.patch
 patches.suse/RDMA-rtrs-srv-Incorporate-ib_register_client-into-rt.patch
@@ -45484,6 +45496,8 @@
 patches.suse/RDMA-umem-Prevent-small-pages-from-being-returned-by.patch
 patches.suse/RDMA-umem-Add-rdma_umem_for_each_dma_block.patch
 patches.suse/RDMA-umem-Split-ib_umem_num_pages-into-ib_umem_num_d.patch
+ patches.suse/RDMA-efa-Use-ib_umem_num_dma_pages.patch
+ patches.suse/RDMA-i40iw-Use-ib_umem_num_dma_pages.patch
 patches.suse/RDMA-bnxt-Do-not-use-ib_umem_page_count-or-ib_umem_n.patch
 patches.suse/RDMA-qedr-Fix-qp-structure-memory-leak.patch
 patches.suse/RDMA-qedr-Fix-doorbell-setting.patch
@@ -45504,6 +45518,8 @@
 patches.suse/RDMA-qedr-Fix-resource-leak-in-qedr_create_qp.patch
 patches.suse/RDMA-hns-Set-the-unsupported-wr-opcode.patch
 patches.suse/RDMA-mlx5-Remove-dead-check-for-EAGAIN-after-alloc_m.patch
+ patches.suse/RDMA-mlx5-Use-set_mkc_access_pd_addr_fields-in-reg_c.patch
+ patches.suse/RDMA-mlx5-Make-mkeys-always-owned-by-the-kernel-s-PD.patch
 patches.suse/RDMA-mlx5-Disable-IB_DEVICE_MEM_MGT_EXTENSIONS-if-IB.patch
 patches.suse/RDMA-ucma-Rework-ucma_migrate_id-to-avoid-races-with.patch
 patches.suse/i40iw-Add-support-to-make-destroy-QP-synchronous.patch
@@ -45713,7 +45729,7 @@
 patches.suse/arm64-mm-use-single-quantity-to-represent-the-PA-to-.patch
 patches.suse/arm64-link-with-z-norelro-regardless-of-CONFIG_RELOC.patch
 patches.suse/platform-chrome-cros_ec_lightbar-Reduce-ligthbar-get.patch
- patches.suse/msft-hv-2162-KVM-x86-hyper-v-disallow-configuring-SynIC-timers-wi.patch
+ patches.suse/KVM-x86-hyper-v-disallow-configuring-SynIC-timers-with-no-SynIC
 patches.suse/KVM-x86-mmu-Commit-zap-of-remaining-invalid-pages-wh.patch
 patches.suse/kvm-nvmx-reset-the-segment-cache-when-stuffing-guest.patch
 patches.suse/kvm-nvmx-reload-vmcs01-if-getting-vmcs12-s-pages-fails
@@ -47640,6 +47656,7 @@
 patches.suse/scsi-qla2xxx-Fix-device-loss-on-4G-and-older-HBAs.patch
 patches.suse/scsi-qla2xxx-Update-version-to-10.02.00.104-k.patch
 patches.suse/RDMA-bnxt_re-Set-queue-pair-state-when-being-queried.patch
+ patches.suse/RDMA-cxgb4-Remove-MW-support.patch
 patches.suse/RDMA-bnxt_re-Fix-entry-size-during-SRQ-create.patch
 patches.suse/RDMA-core-Fix-error-return-in-_ib_modify_qp.patch
 patches.suse/RDMA-rxe-Compute-PSN-windows-correctly.patch
@@ -47653,6 +47670,7 @@
 patches.suse/RDMA-rtrs-Remove-unnecessary-argument-dir-of-rtrs_iu.patch
 patches.suse/RDMA-rtrs-Introduce-rtrs_post_send.patch
 patches.suse/RDMA-mlx5-Fix-corruption-of-reg_pages-in-mlx5_ib_rer.patch
+ patches.suse/RDMa-mthca-Work-around-Wenum-conversion-warning.patch
 patches.suse/RDMA-cma-Add-missing-error-handling-of-listen_id.patch
 patches.suse/RDMA-cxgb4-Validate-the-number-of-CQEs.patch
 patches.suse/RDMA-cma-Fix-deadlock-on-lock-in-rdma_cma_listen_on_.patch
@@ -48365,6 +48383,7 @@
 patches.suse/x86-cpu-amd-set-_max_die_per_package-on-amd.patch
 patches.suse/x86-sev-fix-nonistr-violation.patch
 patches.suse/x86-topology-make-_max_die_per_package-available-unconditionally.patch
+ patches.suse/kthread-Extract-KTHREAD_IS_PER_CPU.patch
 patches.suse/objtool-don-t-fail-on-missing-symbol-table.patch
 patches.suse/ehci-fix-EHCI-host-controller-initialization-sequenc.patch
 patches.suse/USB-ehci-fix-an-interrupt-calltrace-error.patch
@@ -48836,6 +48855,8 @@
 patches.suse/xfs-Fix-assert-failure-in-xfs_setattr_size.patch
 patches.suse/xfs-sync-lazy-sb-accounting-on-quiesce-of-read-only-.patch
 patches.suse/xfs-reduce-quota-reservation-when-doing-a-dax-unwrit.patch
+ patches.suse/xfs-reserve-data-and-rt-quota-at-the-same-time.patch
+ patches.suse/xfs-rename-new-to-delta-in-xfs_growfs_data_private.patch
 patches.suse/ata-ahci_brcm-Add-back-regulators-management.patch
 patches.suse/block-bfq-set-next_rq-to-waker_bfqq-next_rq-in-waker.patch
 patches.suse/0003-bcache-don-t-pass-BIOSET_NEED_BVECS-for-the-bio_set-.patch
@@ -48883,6 +48904,7 @@
 patches.suse/0007-xen-netback-don-t-handle-error-by-BUG.patch
 patches.suse/0008-xen-scsiback-don-t-handle-error-by-BUG.patch
 patches.suse/0009-xen-blkback-fix-error-handling-in-xen_blkbk_map.patch
+ patches.suse/arm64-assembler-add-cond_yield-macro.patch
 patches.suse/arm64-Extend-workaround-for-erratum-1024718-to-all-versions-of-Cortex-A55.patch
 patches.suse/arm64-mm-Always-update-TCR_EL1-from-__cpu_set_tcr_t0sz.patch
 patches.suse/msft-hv-2226-Drivers-hv-vmbus-Avoid-use-after-free-in-vmbus_onoff.patch
@@ -49051,6 +49073,10 @@
 patches.suse/crypto-talitos-Work-around-SEC6-ERRATA-AES-CTR-mode-.patch
 patches.suse/hwrng-timeriomem-Fix-cooldown-period-calculation.patch
 patches.suse/crypto-ecdh_helper-Ensure-len-secret.len-in-decode_k.patch
+ patches.suse/crypto-arm64-sha1-ce-simplify-NEON-yield.patch
+ patches.suse/crypto-arm64-sha2-ce-simplify-NEON-yield.patch
+ patches.suse/crypto-arm64-sha3-ce-simplify-NEON-yield.patch
+ patches.suse/crypto-arm64-sha512-ce-simplify-NEON-yield.patch
 patches.suse/Platform-OLPC-Fix-probe-error-handling.patch
 patches.suse/watchdog-intel-mid_wdt-Postpone-IRQ-handler-registra.patch
 patches.suse/platform-x86-intel_pmt-Make-INTEL_PMT_CLASS-non-user.patch
@@ -49192,6 +49218,7 @@
 patches.suse/IB-umad-Return-EPOLLERR-in-case-of-when-device-disas.patch
 patches.suse/IB-mlx5-Return-appropriate-error-code-instead-of-ENO.patch
 patches.suse/IB-cm-Avoid-a-loop-when-device-has-255-ports.patch
+ patches.suse/IB-mlx4-Use-port-iterator-and-validation-APIs.patch
 patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_recv.c.patch
 patches.suse/RDMA-rxe-Remove-useless-code-in-rxe_recv.c.patch
 patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_rcv_mcast_pkt.patch
@@ -49200,6 +49227,7 @@
 patches.suse/RDMA-hns-Fix-type-of-sq_signal_bits.patch
 patches.suse/RDMA-hns-Disable-RQ-inline-by-default.patch
 patches.suse/RDMA-ucma-Fix-use-after-free-bug-in-ucma_create_ueve.patch
+ patches.suse/RDMA-rxe-Remove-unused-pkt-offset.patch
 patches.suse/RDMA-rtrs-srv-Fix-stack-out-of-bounds.patch
 patches.suse/RDMA-rtrs-Only-allow-addition-of-path-to-an-already-.patch
 patches.suse/RDMA-rtrs-srv-fix-memory-leak-by-missing-kobject-fre.patch
@@ -50586,6 +50614,7 @@
 patches.suse/scsi-smartpqi-Remove-unused-functions
 patches.suse/exfat-fix-erroneous-discard-when-clear-cluster-bit.patch
 patches.suse/xfs-mark-a-data-structure-sick-if-there-are-cross-re.patch
+ patches.suse/xfs-hoist-out-xfs_resizefs_init_new_ags.patch
 patches.suse/netdevice-Add-missing-IFF_PHONY_HEADROOM-self-defini.patch
 patches.suse/xsk-Respect-device-s-headroom-and-tailroom-on-generi.patch
 patches.suse/FDDI-defxx-Bail-out-gracefully-with-unassigned-PCI-r.patch
@@ -50874,6 +50903,8 @@
 patches.suse/KVM-s390-split-kvm_s390_logical_to_effective.patch
 patches.suse/KVM-s390-extend-kvm_s390_shadow_fault-to-return-entr.patch
 patches.suse/KVM-s390-VSIE-correctly-handle-MVPG-when-in-VSIE.patch
+ patches.suse/KVM-s390-split-kvm_s390_real_to_abs
+ patches.suse/KVM-s390-VSIE-fix-MVPG-handling-for-prefixing-and-MSO
 patches.suse/KVM-s390-fix-guarded-storage-control-register-handli.patch
 patches.suse/kvm-nvmx-truncate-bits-63-32-of-vmcs-field-on-nested.patch
 patches.suse/0010-dm-persistent-data-packed-struct-should-have-an-alig.patch
@@ -50931,6 +50962,7 @@
 patches.suse/Input-elants_i2c-do-not-bind-to-i2c-hid-compatible-A.patch
 patches.suse/Input-silead-add-workaround-for-x86-BIOS-es-which-br.patch
 patches.suse/Input-ili210x-add-missing-negation-for-touch-indicat.patch
+ patches.suse/xfs-remove-obsolete-AGF-counter-debugging.patch
 patches.suse/xfs-don-t-allow-log-writes-if-the-data-device-is-rea.patch
 patches.suse/fs-epoll-restore-waking-from-ep_done_scan.patch
 patches.suse/kernel-kexec_file-fix-error-return-code-of-kexec_calculate_store_digests
@@ -51132,6 +51164,7 @@
 patches.suse/RDMA-siw-Release-xarray-entry.patch
 patches.suse/RDMA-rxe-Clear-all-QP-fields-if-creation-failed.patch
 patches.suse/RDMA-mlx5-Recover-from-fatal-event-in-dual-port-mode.patch
+ patches.suse/RDMA-rxe-Return-CQE-error-if-invalid-lkey-was-suppli.patch
 patches.suse/RDMA-core-Don-t-access-cm_id-after-its-destruction.patch
 patches.suse/RDMA-mlx5-Fix-query-DCT-via-DEVX.patch
 patches.suse/RDMA-uverbs-Fix-a-NULL-vs-IS_ERR-bug.patch
@@ -51414,6 +51447,8 @@
 patches.suse/spi-stm32-qspi-Always-wait-BUSY-bit-to-be-cleared-in.patch
 patches.suse/vmlinux.lds.h-Avoid-orphan-section-with-SMP.patch
 patches.suse/kvm-x86-mmu-use-the-correct-inherited-permissions-to-get-shadow-page
+ patches.suse/RDMA-mlx5-Block-FDB-rules-when-not-in-switchdev-mode.patch
+ patches.suse/RDMA-Verify-port-when-creating-flow-rule.patch
 patches.suse/cgroup1-don-t-allow-n-in-renaming.patch
 patches.suse/hwmon-scpi-hwmon-shows-the-negative-temperature-prop.patch
 patches.suse/ALSA-hda-realtek-fix-mute-micmute-LEDs-and-speaker-f-15d295b.patch
@@ -51707,6 +51742,7 @@
 patches.suse/dax-fix-ENOMEM-handling-in-grab_mapping_entry.patch
 patches.suse/mm-add-vma_lookup-update-find_vma_intersection-comments
 patches.suse/drm-i915-selftests-use-vma_lookup-in-__igt_mmap.patch
+ patches.suse/kbuild-skip-per-CPU-BTF-generation-for-pahole-v1.18-.patch
 patches.suse/cifs-fix-ipv6-formating-in-cifs_ses_add_channel.patch
 patches.suse/cifs-remove-duplicated-prototype.patch
 patches.suse/cifs-Remove-unused-inline-function-is_sysvol_or_netlogon-.patch
@@ -51984,10 +52020,12 @@
 patches.suse/clk-actions-Fix-bisp_factor_table-based-clocks-on-Ow.patch
 patches.suse/clk-si5341-Avoid-divide-errors-due-to-bogus-register.patch
 patches.suse/clk-si5341-Update-initialization-magic.patch
+ patches.suse/IB-srpt-Remove-redundant-assignment-to-ret.patch
 patches.suse/RDMA-hns-Remove-unused-parameter-udata.patch
 patches.suse/RDMA-mlx4-Remove-unused-parameter-udata.patch
 patches.suse/RDMA-mlx5-Remove-unused-parameter-udata.patch
 patches.suse/RDMA-srp-Fix-a-recently-introduced-memory-leak.patch
+ patches.suse/IB-core-Only-update-PKEY-and-GID-caches-on-respectiv.patch
 patches.suse/RDMA-rtrs-clt-Check-state-of-the-rtrs_clt_sess-befor.patch
 patches.suse/RDMA-rtrs-srv-Replace-atomic_t-with-percpu_ref-for-i.patch
 patches.suse/RDMA-rtrs-Do-not-reset-hb_missed_max-after-re-connec.patch
@@ -51995,7 +52033,15 @@
 patches.suse/RDMA-rtrs-srv-Fix-memory-leak-when-having-multiple-s.patch
 patches.suse/RDMA-rtrs-clt-Check-if-the-queue_depth-has-changed-d.patch
 patches.suse/RDMA-rtrs-clt-Fix-memory-leak-of-not-freed-sess-stat.patch
+ patches.suse/RDMA-core-Sanitize-WQ-state-received-from-the-usersp.patch
+ patches.suse/RDMA-rxe-Fix-failure-during-driver-load.patch
 patches.suse/RDMA-rtrs-srv-Set-minimal-max_send_wr-and-max_recv_w.patch
+ patches.suse/RDMA-rxe-Don-t-overwrite-errno-from-ib_umem_get.patch
+ patches.suse/RDMA-rxe-Fix-redundant-call-to-ip_send_check.patch
+ patches.suse/RDMA-rxe-Fix-extra-copies-in-build_rdma_network_hdr.patch
+ patches.suse/RDMA-rxe-Fix-over-copying-in-get_srq_wqe.patch
+ patches.suse/RDMA-rxe-Fix-extra-copy-in-prepare_ack_packet.patch
+ patches.suse/RDMA-rxe-Fix-redundant-skb_put_zero.patch
 patches.suse/RDMA-cma-Protect-RMW-with-qp_mutex.patch
 patches.suse/RDMA-cma-Fix-incorrect-Packet-Lifetime-calculation.patch
 patches.suse/RDMA-core-Always-release-restrack-object.patch
@@ -52373,6 +52419,7 @@
 patches.suse/reset-bail-if-try_module_get-fails.patch
 patches.suse/s390-mm-Fix-secure-storage-access-exception-handling
 patches.suse/s390-AP-support-new-dynamic-AP-bus-size-limit
+ patches.suse/kbuild-sink-stdout-from-cmd-for-silent-build.patch
 patches.suse/thermal-core-Correct-function-name-thermal_zone_devi.patch
 patches.suse/thermal-drivers-rcar_gen3_thermal-Fix-coefficient-ca.patch
 patches.suse/thermal-drivers-int340x-processor_thermal-Fix-tcc-se.patch
@@ -52763,6 +52810,7 @@
 patches.suse/drm-nouveau-disp-power-down-unused-DP-links-during-i.patch
 patches.suse/drm-nouveau-kms-nv50-workaround-EFI-GOP-window-chann.patch
 patches.suse/drm-mediatek-Add-AAL-output-size-configuration.patch
+ patches.suse/mm-memcontrol-fix-occasional-OOMs-due-to-proportional-memory.low-reclaim.patch
 patches.suse/blk-mq-don-t-grab-rq-s-refcount-in-blk_mq_check_expi.patch
 patches.suse/blk-mq-fix-kernel-panic-during-iterating-over-flush-.patch
 patches.suse/blk-mq-fix-is_flush_rq.patch
@@ -52770,7 +52818,10 @@
 patches.suse/slimbus-messaging-start-transaction-ids-from-1-inste.patch
 patches.suse/slimbus-messaging-check-for-valid-transaction-id.patch
 patches.suse/slimbus-ngd-reset-dma-setup-during-runtime-pm.patch
+ patches.suse/RDMA-bnxt_re-Add-missing-spin-lock-initialization.patch
+ patches.suse/IB-hfi1-Fix-possible-null-pointer-dereference-in-_ex.patch
 patches.suse/RDMA-bnxt_re-Remove-unpaired-rtnl-unlock-in-bnxt_re_.patch
+ patches.suse/RDMA-efa-Free-IRQ-vectors-on-error-flow.patch
 patches.suse/ice-do-not-abort-devlink-info-if-board-identifier-ca.patch
 patches.suse/net-qrtr-fix-another-OOB-Read-in-qrtr_endpoint_post.patch
 patches.suse/xgene-v2-Fix-a-resource-leak-in-the-error-handling-p.patch
@@ -53120,7 +53171,10 @@
 patches.suse/HID-input-do-not-report-stylus-battery-state-as-full.patch
 patches.suse/HID-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
 patches.suse/IB-hfi1-Indicate-DMA-wait-when-txq-is-queued-for-wak.patch
+ patches.suse/IB-hfi1-Adjust-pkey-entry-in-index-0.patch
+ patches.suse/RDMA-iwcm-Release-resources-if-iw_cm-module-initiali.patch
 patches.suse/docs-Fix-infiniband-uverbs-minor-number.patch
+ patches.suse/RDMA-efa-Remove-double-QP-type-assignment.patch
 patches.suse/RDMA-mlx5-Delete-not-available-udata-check.patch
 patches.suse/RDMA-rtrs-Remove-a-useless-kfree.patch
 patches.suse/RDMA-hns-Fix-QP-s-resp-incomplete-assignment.patch
@@ -53275,6 +53329,7 @@
 patches.suse/mfd-tqmx86-Clear-GPIO-IRQ-resource-when-no-IRQ-is-se.patch
 patches.suse/mfd-lpc_sch-Rename-GPIOBASE-to-prevent-build-error.patch
 patches.suse/backlight-pwm_bl-Improve-bootloader-kernel-device-ha.patch
+ patches.suse/KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged
 patches.suse/KVM-nVMX-Set-LDTR-to-its-architecturally-defined-val.patch
 patches.suse/KVM-x86-Migrate-the-PIT-only-if-vcpu0-is-migrated-no.patch
 patches.suse/KVM-x86-Don-t-force-set-BSP-bit-when-local-APIC-is-m.patch
@@ -53464,6 +53519,7 @@
 patches.suse/IB-cma-Do-not-send-IGMP-leaves-for-sendonly-Multicas.patch
 patches.suse/RDMA-cma-Fix-listener-leak-in-rdma_cma_listen_on_all.patch
 patches.suse/RDMA-cma-Do-not-change-route.addr.src_addr.ss_family.patch
+ patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
 patches.suse/Revert-ibmvnic-check-failover_pending-in-login-respo.patch
 patches.suse/mac80211-Fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch
 patches.suse/mac80211-Drop-frames-from-invalid-MAC-address-in-ad-.patch
@@ -53656,6 +53712,10 @@
 patches.suse/ARM-9141-1-only-warn-about-XIP-address-when-not-compile-testing.patch
 patches.suse/arm64-dts-allwinner-h5-NanoPI-Neo-2-Fix-ethernet-node.patch
 patches.suse/reset-socfpga-add-empty-driver-allowing-consumers-to.patch
+ patches.suse/RDMA-mlx5-Set-user-priority-for-DCT.patch
+ patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch
+ patches.suse/IB-hfi1-Fix-abba-locking-issue-with-sc_disable.patch
+ patches.suse/RDMA-sa_query-Use-strscpy_pad-instead-of-memcpy-to-c.patch
 patches.suse/watchdog-Fix-OMAP-watchdog-early-handling.patch
 patches.suse/regmap-Fix-possible-double-free-in-regcache_rbtree_e.patch
 patches.suse/spi-spl022-fix-Microwire-full-duplex-mode.patch
@@ -53687,6 +53747,8 @@
 patches.suse/nvme-tcp-fix-possible-req-offset-corruption.patch
 patches.suse/nvme-tcp-fix-data-digest-pointer-calculation.patch
 patches.suse/scsi-ibmvfc-Fix-up-duplicate-response-detection.patch
+ patches.suse/KVM-s390-clear-kicked_mask-before-sleeping-again
+ patches.suse/KVM-s390-preserve-deliverable_mask-in-__airqs_kick_single_vcpu
 patches.suse/tpm-Check-for-integer-overflow-in-tpm2_map_response_.patch
 patches.suse/blk-cgroup-synchronize-blkg-creation-against-policy-.patch
 patches.suse/nvmet-make-discovery-NQN-configurable.patch
@@ -53928,7 +53990,11 @@
 patches.suse/ASoC-cs42l42-Correct-configuring-of-switch-inversion.patch
 patches.suse/ALSA-hda-realtek-Add-quirk-for-Clevo-PC70HS.patch
 patches.suse/ALSA-usb-audio-Add-Audient-iD14-to-mixer-map-quirk-t.patch
+ patches.suse/RDMA-rxe-Fix-wrong-port_cap_flags.patch
 patches.suse/RDMA-bnxt_re-Update-statistics-counter-name.patch
+ patches.suse/RDMA-bnxt_re-Fix-query-SRQ-failure.patch
+ patches.suse/RDMA-mlx4-Return-missed-an-error-if-device-doesn-t-s.patch
+ patches.suse/RDMA-qedr-Fix-NULL-deref-for-query_qp-on-the-GSI-QP.patch
 patches.suse/JFS-fix-memleak-in-jfs_mount.patch
 patches.suse/vfio-ccw-Remove-unneeded-GFP_DMA
 patches.suse/ARM-s3c-irq-s3c24xx-Fix-return-value-check-for-s3c24xx_init_intc.patch
@@ -54909,6 +54975,7 @@
 patches.suse/tracing-Add-test-for-user-space-strings-when-filtering-on-string-pointers.patch
 patches.suse/tracing-kprobes-nmissed-not-showed-correctly-for-kretprobe.patch
 patches.suse/tracing-Add-ustring-operation-to-filtering-string-pointers.patch
+ patches.suse/KVM-s390-Clarify-SIGP-orders-versus-STOP-RESTART
 patches.suse/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch
 patches.suse/i3c-master-dw-check-return-of-dw_i3c_master_get_free.patch
 patches.suse/Input-ti_am335x_tsc-set-ADCREFM-for-X-configuration.patch
@@ -55522,6 +55589,7 @@
 patches.suse/arm64-dts-rockchip-Fix-SDIO-regulator-supply-properties-on-rk3399-firefly.patch
 patches.suse/KVM-x86-Fix-emulation-in-writing-cr8.patch
 patches.suse/KVM-x86-emulator-Defer-not-present-segment-check-in-.patch
+ patches.suse/KVM-s390x-fix-SCK-locking
 patches.suse/ionic-fix-type-complaint-in-ionic_dev_cmd_clean.patch
 patches.suse/ionic-start-watchdog-after-all-is-setup.patch
 patches.suse/ionic-Don-t-send-reset-commands-if-FW-isn-t-running.patch
@@ -55593,8 +55661,10 @@
 patches.suse/drm-msm-dpu-add-DSPP-blocks-teardown.patch
 patches.suse/drm-i915-gem-add-missing-boundary-check-in-vm_access.patch
 patches.suse/RDMA-core-Set-MR-type-in-ib_reg_user_mr.patch
+ patches.suse/IB-cma-Allow-XRC-INI-QPs-to-set-their-local-ACK-time.patch
 patches.suse/RDMA-mlx5-Fix-the-flow-of-a-miss-in-the-allocation-o.patch
 patches.suse/IB-hfi1-Allow-larger-MTU-without-AIP.patch
+ patches.suse/RDMA-mlx5-Fix-memory-leak-in-error-flow-for-subscrib.patch
 patches.suse/0025-dm-crypt-fix-get_key_size-compiler-warning-if-CONFIG.patch
 patches.suse/scsi-qla2xxx-Refactor-asynchronous-command-initializ.patch
 patches.suse/scsi-qla2xxx-Implement-ref-count-for-SRB.patch
@@ -55640,6 +55710,7 @@
 patches.suse/scsi-lpfc-Use-rport-as-argument-for-lpfc_chk_tgt_map.patch
 patches.suse/scsi-lpfc-Remove-failing-soft_wwn-support.patch
 patches.suse/scsi-qla2xxx-Fix-incorrect-reporting-of-task-managem.patch
+ patches.suse/scsi-qla2xxx-Fix-disk-failure-to-rediscover.patch
 patches.suse/scsi-qla2xxx-Fix-loss-of-NVMe-namespaces-after-drive.patch
 patches.suse/scsi-qla2xxx-Fix-missed-DMA-unmap-for-NVMe-ls-reques.patch
 patches.suse/scsi-qla2xxx-Fix-crash-during-module-load-unload-tes.patch
@@ -55685,6 +55756,8 @@
 patches.suse/powerpc-lib-sstep-Fix-sthcx-instruction.patch
 patches.suse/KVM-PPC-Fix-vmx-vsx-mixup-in-mmio-emulation.patch
 patches.suse/powerpc-sysdev-fix-incorrect-use-to-determine-if-lis.patch
+ patches.suse/powerpc-pseries-Interface-to-represent-PAPR-firmware.patch
+ patches.suse/selftest-powerpc-Add-PAPR-sysfs-attributes-sniff-tes.patch
 patches.suse/powerpc-xive-fix-return-value-of-__setup-handler.patch
 patches.suse/powerpc-tm-Fix-more-userspace-r13-corruption.patch
 patches.suse/powerpc-pseries-Fix-use-after-free-in-remove_phb_dyn.patch
@@ -55841,6 +55914,9 @@
 patches.suse/nvme-fix-RCU-hole-that-allowed-for-endless-looping-i.patch
 patches.suse/drbd-fix-potential-silent-data-corruption.patch
 patches.suse/platform-chrome-cros_ec_debugfs-detach-log-reader-wq.patch
+ patches.suse/KVM-x86-Check-lapic_in_kernel-before-attempting-to-set-a-SynIC-i
+ patches.suse/KVM-x86-Avoid-theoretical-NULL-pointer-dereference-in-kvm_irq_de
+ patches.suse/KVM-x86-Forbid-VMM-to-set-SYNIC-STIMER-MSRs-when-SynIC-wasn-t-ac
 patches.suse/kvm-x86-mmu-do-compare-and-exchange-of-gpte-via-the-user-address
 patches.suse/ARM-9187-1-JIVE-fix-return-value-of-__setup-handler.patch
 patches.suse/x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io
@@ -55882,6 +55958,7 @@
 patches.suse/lz4-fix-LZ4_decompress_safe_partial-read-out-of-boun.patch
 patches.suse/RDMA-mlx5-Don-t-remove-cache-MRs-when-a-delay-is-nee.patch
 patches.suse/RDMA-mlx5-Add-a-missing-update-of-cache-last_add.patch
+ patches.suse/IB-cm-Cancel-mad-on-the-DREQ-event-when-the-state-is.patch
 patches.suse/RDMA-hfi1-Fix-use-after-free-bug-for-mm-struct.patch
 patches.suse/drbd-Fix-five-use-after-free-bugs-in-get_initial_state
 patches.suse/drbd-fix-an-invalid-memory-access-caused-by-incorrect-use-of-list-iterator
@@ -56052,6 +56129,7 @@
 patches.suse/tcp-drop-the-hash_32-part-from-the-index-calculation.patch
 patches.suse/NFC-netlink-fix-sleep-in-atomic-bug-when-firmware-do.patch
 patches.suse/KVM-s390-vsie-gmap-reduce-gmap_rmap-overhead
+ patches.suse/RDMA-siw-Fix-a-condition-race-issue-in-MPA-request-p.patch
 patches.suse/kvm-x86-cpuid-Only-provide-CPUID-leaf-0xA-if-host-ha.patch
 patches.suse/NFSv4-Don-t-invalidate-inode-attributes-on-delegatio.patch
 patches.suse/SUNRPC-Don-t-leak-sockets-in-xs_local_connect.patch
@@ -56339,6 +56417,9 @@
 patches.suse/drivers-base-memory-fix-an-unlikely-reference-counti.patch
 patches.suse/nfsd-Fix-null-ptr-deref-in-nfsd_fill_super.patch
 patches.suse/NFSD-Fix-possible-sleep-during-nfsd4_release_lockown.patch
+ patches.suse/RDMA-hns-Remove-unnecessary-check-for-the-sgid_attr-.patch
+ patches.suse/RDMA-rxe-Generate-a-completion-for-unsupported-inval.patch
+ patches.suse/RDMA-hfi1-Fix-potential-integer-multiplication-overf.patch
 patches.suse/0030-dm-stats-add-cond_resched-when-looping-over-entries.patch
 patches.suse/0031-dm-integrity-fix-error-code-in-dm_integrity_ctr.patch
 patches.suse/0032-dm-crypt-make-printing-of-the-key-constant-time.patch
@@ -56389,6 +56470,7 @@
 patches.suse/pinctrl-mvebu-Fix-irq_of_parse_and_map-return-value.patch
 patches.suse/misc-ocxl-fix-possible-double-free-in-ocxl_file_regi.patch
 patches.suse/powerpc-fadump-fix-PT_LOAD-segment-for-boot-memory-a.patch
+ patches.suse/powerpc-fadump-align-destination-address-to-pagesize.patch
 patches.suse/powerpc-idle-Fix-return-value-of-__setup-handler.patch
 patches.suse/powerpc-powernv-Get-L1D-flush-requirements-from-devi.patch
 patches.suse/powerpc-powernv-Get-STF-barrier-requirements-from-de.patch
@@ -56540,6 +56622,7 @@
 patches.suse/x86-kexec-fix-memory-leak-of-elf-header-buffer.patch
 patches.suse/mmc-block-Fix-CQE-recovery-reset-success.patch
 patches.suse/Input-bcm5974-set-missing-URB_NO_TRANSFER_DMA_MAP-ur.patch
+ patches.suse/0001-KVM-x86-do-not-report-a-vCPU-as-preempted-outside-in.patch
 patches.suse/drm-imx-fix-compiler-warning-with-gcc-12.patch
 patches.suse/nfc-st21nfca-fix-incorrect-validating-logic-in-EVT_T.patch
 patches.suse/nfc-st21nfca-fix-memory-leaks-in-EVT_TRANSACTION-han.patch
@@ -56648,6 +56731,8 @@
 patches.suse/virtio_mmio-Add-missing-PM-calls-to-freeze-restore.patch
 patches.suse/virtio_mmio-Restore-guest-page-size-on-resume.patch
 patches.suse/platform-x86-hp-wmi-Ignore-Sanitization-Mode-event.patch
+ patches.suse/RDMA-qedr-Fix-reporting-QP-timeout-attribute.patch
+ patches.suse/RDMA-cm-Fix-memory-leak-in-ib_cm_insert_listen.patch
 patches.suse/linux-dim-Fix-divide-by-0-in-RDMA-DIM.patch
 patches.suse/nfc-nfcmrvl-Fix-irq_of_parse_and_map-return-value.patch
 patches.suse/NFC-nxp-nci-Don-t-issue-a-zero-length-i2c_master_rea.patch
@@ -56833,6 +56918,7 @@
 patches.suse/usbnet-smsc95xx-Fix-deadlock-on-runtime-resume.patch
 patches.suse/ath10k-do-not-enforce-interrupt-trigger-type.patch
 patches.suse/wifi-iwlegacy-4965-fix-potential-off-by-one-overflow.patch
+ patches.suse/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch
 patches.suse/wifi-mac80211_hwsim-fix-race-condition-in-pending-pa.patch
 patches.suse/wifi-mac80211_hwsim-add-back-erroneously-removed-cas.patch
 patches.suse/vmxnet3-Record-queue-number-to-incoming-packets.patch
@@ -56982,6 +57068,7 @@
 patches.suse/KVM-nVMX-Snapshot-pre-VM-Enter-DEBUGCTL-for-nested_r.patch
 patches.suse/KVM-x86-Mark-TSS-busy-during-LTR-emulation-_after_-a.patch
 patches.suse/KVM-x86-Set-error-code-to-segment-selector-on-LLDT-L.patch
+ patches.suse/KVM-s390-pv-don-t-present-the-ecall-interrupt-twice
 patches.suse/KVM-nVMX-Let-userspace-set-nVMX-MSR-to-any-_host_-su.patch
 patches.suse/HID-wacom-Only-report-rotation-for-art-pen.patch
 patches.suse/HID-wacom-Don-t-register-pad_input-for-touch-switch.patch
@@ -57075,6 +57162,12 @@
 patches.suse/scsi-qla2xxx-Update-manufacturer-details.patch
 patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.800-k.patch
 patches.suse/scsi-sg-Allow-waiting-for-commands-to-complete-on-removed-device.patch
+ patches.suse/RDMA-remove-useless-condition-in-siw_create_cq.patch
+ patches.suse/RDMA-qedr-Fix-potential-memory-leak-in-__qedr_alloc_.patch
+ patches.suse/RDMA-siw-Fix-duplicated-reported-IW_CM_EVENT_CONNECT.patch
+ patches.suse/RDMA-rxe-Fix-rnr-retry-behavior.patch
+ patches.suse/RDMA-mlx5-Add-missing-check-for-return-value-in-get-.patch
+ patches.suse/RDMA-rxe-Fix-error-unwind-in-rxe_create_qp.patch
 patches.suse/md-unlock-mddev-before-reap-sync_thread-in-action_st.patch
 patches.suse/md-raid10-fix-KASAN-warning.patch
 patches.suse/jbd2-fix-outstanding-credits-assert-in-jbd2_journal_.patch
@@ -57112,6 +57205,7 @@
 patches.suse/iommu-exynos-Handle-failed-IOMMU-device-registration-properly
 patches.suse/iommu-arm-smmu-qcom_iommu-Add-of_node_put-when-breaking-out-of-l
 patches.suse/iommu-amd-Simplify-and-Consolidate-Virtual-APIC-AVIC-Enablement
+ patches.suse/selftests-powerpc-Skip-energy_scale_info-test-on-old.patch
 patches.suse/powerpc-perf-Optimize-clearing-the-pending-PMI-and-r.patch
 patches.suse/powerpc-mobility-wait-for-memory-transfer-to-complet.patch
 patches.suse/watchdog-export-lockup_detector_reconfigure.patch
@@ -57134,6 +57228,7 @@
 patches.suse/kfifo-fix-kfifo_to_user-return-type.patch
 patches.suse/iommu-vt-d-avoid-invalid-memory-access-via-node_online-NUMA_NO_N
 patches.suse/x86-olpc-fix-logical-not-is-only-applied-to-the-left.patch
+ patches.suse/exfat-Return-ENAMETOOLONG-consistently-for-oversized.patch
 patches.suse/fuse-limit-nsec.patch
 patches.suse/fuse-ioctl-translate-ENOSYS.patch
 patches.suse/fuse-Remove-the-control-interface-for-virtio-fs.patch
@@ -57149,6 +57244,9 @@
 patches.suse/remoteproc-qcom-q6v5-mss-add-powerdomains-to-MSM8996.patch
 patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch
 patches.suse/x86-speculation-Add-LFENCE-to-RSB-fill-sequence.patch
+ patches.suse/fs-add-mode_strip_sgid-helper.patch
+ patches.suse/fs-Add-missing-umask-strip-in-vfs_tmpfile.patch
+ patches.suse/fs-move-S_ISGID-stripping-into-the-vfs_-helpers.patch
 patches.suse/Revert-scripts-mod-modpost.c-permit-.cranges-secton-.patch
 patches.suse/kbuild-dummy-tools-avoid-tmpdir-leak-in-dummy-gcc.patch
 patches.suse/pinctrl-nomadik-Fix-refcount-leak-in-nmk_pinctrl_dt_.patch
@@ -57178,6 +57276,7 @@
 patches.suse/vsock-Set-socket-state-back-to-SS_UNCONNECTED-in-vso.patch
 patches.suse/devlink-Fix-use-after-free-after-a-failed-reload.patch
 patches.suse/net_sched-cls_route-remove-from-list-when-handle-is-.patch
+ patches.suse/nfp-fix-use-after-free-in-area_cache_get.patch
 patches.suse/drm-gem-Properly-annotate-WW-context-on-drm_gem_lock.patch
 patches.suse/ALSA-hda-realtek-Add-quirk-for-another-Asus-K42JZ-mo.patch
 patches.suse/ALSA-hda-conexant-Add-quirk-for-LENOVO-20149-Noteboo.patch
@@ -57218,6 +57317,7 @@
 patches.suse/ACPI-processor-Remove-freq-Qos-request-for-all-CPUs.patch
 patches.suse/asm-generic-sections-refactor-memory_intersects.patch
 patches.suse/HID-steam-Prevent-NULL-pointer-dereference-in-steam_.patch
+ patches.suse/HID-hidraw-fix-memory-leak-in-hidraw_release.patch
 patches.suse/HID-ishtp-hid-clientHID-ishtp-hid-client-Fix-comment.patch
 patches.suse/hid-intel-ish-hid-ishtp-Fix-ishtp-client-sending-dis.patch
 patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch
@@ -57279,9 +57379,11 @@
 patches.suse/gpio-pca953x-Add-mutex_lock-for-regcache-sync-in-PM.patch
 patches.suse/soc-brcmstb-pm-arm-Fix-refcount-leak-and-__iomem-lea.patch
 patches.suse/efi-capsule-loader-Fix-use-after-free-in-efi_capsule.patch
+ patches.suse/sch_sfb-Don-t-assume-the-skb-is-still-around-after-e.patch
 patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch
 patches.suse/wifi-iwlegacy-4965-corrected-fix-for-potential-off-b.patch
 patches.suse/net-usb-qmi_wwan-add-Quectel-RM520N.patch
+ patches.suse/sch_sfb-Also-store-skb-len-before-calling-child-enqu.patch
 patches.suse/regulator-core-Clean-up-on-enable-failure.patch
 patches.suse/regulator-pfuze100-Fix-the-global-out-of-bounds-acce.patch
 patches.suse/tracing-hold-caller_addr-to-hardirq_-enable-disable-_ip.patch
@@ -57296,6 +57398,9 @@
 patches.suse/ALSA-usb-audio-Fix-an-out-of-bounds-bug-in-__snd_usb.patch
 patches.suse/ALSA-emu10k1-Fix-out-of-bounds-access-in-snd_emu10k1.patch
 patches.suse/ASoC-nau8824-Fix-semaphore-unbalance-at-error-paths.patch
+ patches.suse/RDMA-rtrs-srv-Pass-the-correct-number-of-entries-for.patch
+ patches.suse/RDMA-cma-Fix-arguments-order-in-net-device-validatio.patch
+ patches.suse/RDMA-siw-Pass-a-pointer-to-virt_to_page.patch
 patches.suse/scsi-lpfc-Return-DID_TRANSPORT_DISRUPTED-instead-of-.patch
 patches.suse/scsi-lpfc-Add-missing-destroy_workqueue-in-error-pat.patch
 patches.suse/scsi-mpt3sas-Fix-use-after-free-warning.patch
@@ -57327,6 +57432,7 @@
 patches.suse/arm64-dts-rockchip-Set-RK3399-Gru-PCLK_EDP-to-24-MHz.patch
 patches.suse/arm64-dts-rockchip-Remove-enable-active-low-from-rk3399-puma.patch
 patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch
+ patches.suse/scsi-mpt3sas-Fix-return-value-check-of-dma_get_required_mask.patch
 patches.suse/drm-amdgpu-don-t-register-a-dirty-callback-for-non-a.patch
 patches.suse/USB-core-Fix-RST-error-in-hub.c.patch
 patches.suse/USB-serial-option-add-Quectel-BG95-0x0203-compositio.patch
@@ -57357,18 +57463,37 @@
 patches.suse/usb-storage-Add-Hiksemi-USB3-FW-to-IGNORE_UAS.patch
 patches.suse/uas-ignore-UAS-for-Thinkplus-chips.patch
 patches.suse/docs-update-mediator-information-in-CoC-docs.patch
+ patches.suse/ACPI-video-Add-Toshiba-Satellite-Portege-Z830-quirk.patch
+ patches.suse/thermal-intel_powerclamp-Use-get_cpu-instead-of-smp_.patch
 patches.suse/efi-Correct-Macmini-DMI-match-in-uefi-cert-quirk.patch
+ patches.suse/openvswitch-Fix-double-reporting-of-drops-in-dropwat.patch
+ patches.suse/openvswitch-Fix-overreporting-of-drops-in-dropwatch.patch
+ patches.suse/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch
 patches.suse/wifi-mac80211-allow-bw-change-during-channel-switch-.patch
 patches.suse/wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch
+ patches.suse/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch
 patches.suse/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch
+ patches.suse/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch
+ patches.suse/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch
 patches.suse/wifi-rtl8xxxu-Fix-skb-misuse-in-TX-queue-selection.patch
 patches.suse/wifi-rtl8xxxu-gen2-Fix-mistake-in-path-B-IQ-calibrat.patch
 patches.suse/wifi-rtl8xxxu-Remove-copy-paste-leftover-in-gen2_upd.patch
+ patches.suse/wifi-rt2x00-don-t-run-Rt5592-IQ-calibration-on-MT762.patch
+ patches.suse/wifi-rt2x00-set-correct-TX_SW_CFG1-MAC-register-for-.patch
+ patches.suse/wifi-rt2x00-set-VGC-gain-for-both-chains-of-MT7620.patch
+ patches.suse/wifi-rt2x00-set-SoC-wmac-clock-register.patch
+ patches.suse/wifi-rt2x00-correctly-set-BBP-register-86-for-MT7620.patch
 patches.suse/wifi-rtl8xxxu-Fix-AIFS-written-to-REG_EDCA_-_PARAM.patch
 patches.suse/wifi-rtl8xxxu-Improve-rtl8xxxu_queue_select.patch
+ patches.suse/Bluetooth-L2CAP-initialize-delayed-works-at-l2cap_ch.patch
+ patches.suse/Bluetooth-hci_sysfs-Fix-attempting-to-call-device_ad.patch
 patches.suse/Bluetooth-hci_core-Fix-not-handling-link-timeouts-pr.patch
+ patches.suse/Bluetooth-L2CAP-Fix-user-after-free.patch
 patches.suse/vhost-vsock-Use-kvmalloc-kvfree-for-larger-packets.patch
 patches.suse/mISDN-fix-use-after-free-bugs-in-l1oip-timer-handler.patch
+ patches.suse/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch
+ patches.suse/r8152-Rate-limit-overflow-messages.patch
+ patches.suse/net-mvpp2-fix-mvpp2-debugfs-leak.patch
 patches.suse/regulator-qcom_rpm-Fix-circular-deferral-regression.patch
 patches.suse/spi-mt7621-Fix-an-error-message-in-mt7621_spi_probe.patch
 patches.suse/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch
@@ -57377,12 +57502,17 @@
 patches.suse/spi-s3c64xx-Fix-large-transfers-with-DMA.patch
 patches.suse/mmc-au1xmmc-Fix-an-error-handling-path-in-au1xmmc_pr.patch
 patches.suse/mmc-wmt-sdmmc-Fix-an-error-handling-path-in-wmt_mci_.patch
+ patches.suse/mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch
 patches.suse/platform-x86-msi-laptop-Fix-old-ec-check-for-backlig.patch
 patches.suse/platform-x86-msi-laptop-Fix-resource-cleanup.patch
+ patches.suse/platform-x86-msi-laptop-Change-DMI-match-alias-strin.patch
 patches.suse/drm-bridge-adv7511-fix-CEC-power-down-control-regist.patch
 patches.suse/drm-nouveau-fix-a-use-after-free-in-nouveau_gem_prim.patch
+ patches.suse/drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch
 patches.suse/drm-bridge-Avoid-uninitialized-variable-warning.patch
 patches.suse/drm-mipi-dsi-Detach-devices-when-removing-the-host.patch
+ patches.suse/drm-Use-size_t-type-for-len-variable-in-drm_copy_fie.patch
+ patches.suse/drm-Prevent-drm_copy_field-to-attempt-copying-a-NULL.patch
 patches.suse/drm-bridge-parade-ps8640-Fix-regulator-supply-order.patch
 patches.suse/drm-pl111-Add-of_node_put-when-breaking-out-of-for_e.patch
 patches.suse/drm-msm-Make-.remove-and-.shutdown-HW-shutdown-consi.patch
@@ -57393,10 +57523,14 @@
 patches.suse/drm-msm-dpu-Fix-comment-typo.patch
 patches.suse/drm-omap-dss-Fix-refcount-leak-bugs.patch
 patches.suse/drm-udl-Restore-display-mode-on-resume.patch
+ patches.suse/drm-panel-orientation-quirks-Add-quirk-for-Anbernic-.patch
+ patches.suse/drm-amdgpu-fix-initial-connector-audio-value.patch
 patches.suse/ASoC-wcd9335-fix-order-of-Slimbus-unprepare-disable.patch
 patches.suse/ASoC-wcd934x-fix-order-of-Slimbus-unprepare-disable.patch
 patches.suse/ALSA-asihpi-Remove-useless-code-in-hpi_meter_get_pea.patch
 patches.suse/ALSA-dmaengine-increment-buffer-pointer-atomically.patch
+ patches.suse/ALSA-usb-audio-Fix-NULL-dererence-at-error-path.patch
+ patches.suse/ALSA-usb-audio-Fix-potential-memory-leaks.patch
 patches.suse/ALSA-hda-hdmi-Don-t-skip-notification-handling-durin.patch
 patches.suse/ALSA-hda-Fix-position-reporting-on-Poulsbo.patch
 patches.suse/ASoC-fsl_sai-Remove-unnecessary-FIFO-reset-in-ISR.patch
@@ -57410,16 +57544,20 @@
 patches.suse/memory-of-Fix-refcount-leak-bug-in-of_get_ddr_timing.patch
 patches.suse/soc-qcom-smsm-Fix-refcount-leak-bugs-in-qcom_smsm_pr.patch
 patches.suse/soc-qcom-smem_state-Add-refcounting-for-the-state-of.patch
+ patches.suse/fs-fix-UAF-GPF-bug-in-nilfs_mdt_destroy.patch
 patches.suse/sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch
 patches.suse/sbitmap-Avoid-leaving-waitqueue-in-invalid-state-in-.patch
 patches.suse/nvme-restrict-management-ioctls-to-admin.patch
 patches.suse/nvme-ensure-subsystem-reset-is-single-threaded.patch
+ patches.suse/ata-libahci_platform-Sanity-check-the-DT-child-nodes.patch
 patches.suse/ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch
 patches.suse/ata-fix-ata_id_has_devslp.patch
 patches.suse/ata-fix-ata_id_has_ncq_autosense.patch
 patches.suse/ata-fix-ata_id_has_dipm.patch
+ patches.suse/media-cx88-Fix-a-null-ptr-deref-bug-in-buffer_prepar.patch
 patches.suse/media-cedrus-Set-the-platform-driver-data-earlier.patch
 patches.suse/media-xilinx-vipp-Fix-refcount-leak-in-xvip_graph_dm.patch
+ patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch
 patches.suse/hid-hid-logitech-hidpp-avoid-unnecessary-assignments.patch
 patches.suse/HID-multitouch-Add-memory-barriers.patch
 patches.suse/mfd-intel_soc_pmic-Fix-an-error-handling-path-in-int.patch
@@ -57427,9 +57565,17 @@
 patches.suse/mfd-lp8788-Fix-an-error-handling-path-in-lp8788_prob.patch
 patches.suse/mfd-lp8788-Fix-an-error-handling-path-in-lp8788_irq_.patch
 patches.suse/mfd-sm501-Add-check-for-platform_driver_register.patch
+ patches.suse/HSI-omap_ssi-Fix-refcount-leak-in-ssi_probe.patch
+ patches.suse/HSI-omap_ssi_port-Fix-dma_map_sg-error-check.patch
+ patches.suse/power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch
 patches.suse/mtd-devices-docg3-check-the-return-value-of-devm_ior.patch
 patches.suse/mtd-rawnand-meson-fix-bit-map-use-in-meson_nfc_ecc_c.patch
 patches.suse/mtd-rawnand-atmel-Unmap-streaming-DMA-mappings.patch
+ patches.suse/RDMA-rxe-Fix-kernel-NULL-pointer-dereference-error.patch
+ patches.suse/RDMA-rxe-Fix-the-error-caused-by-qp-sk.patch
+ patches.suse/RDMA-siw-Always-consume-all-skbuf-data-in-sk_data_re.patch
+ patches.suse/IB-rdmavt-Add-__init-__exit-annotations-to-module-in.patch
+ patches.suse/RDMA-usnic-fix-set-but-not-unused-variable-flags-war.patch
 patches.suse/scsi-lpfc-Fix-unsolicited-FLOGI-receive-handling-dur.patch
 patches.suse/scsi-lpfc-Fix-null-ndlp-ptr-dereference-in-abnormal-.patch
 patches.suse/scsi-lpfc-Rework-MIB-Rx-Monitor-debug-info-logic.patch
@@ -57464,6 +57610,7 @@
 patches.suse/scsi-lpfc-add-reporting-capability-for-link-degrade-signaling.patch
 patches.suse/scsi-lpfc-fix-various-issues-reported-by-tools.patch
 patches.suse/scsi-lpfc-update-lpfc-version-to-14.2.0.7.patch
+ patches.suse/scsi-libsas-Fix-use-after-free-bug-in-smp_execute_task_sg.patch
 patches.suse/scsi-stex-Properly-zero-out-the-passthrough-command-structure.patch
 patches.suse/dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch
 patches.suse/phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch
@@ -57472,10 +57619,14 @@
 patches.suse/tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch
 patches.suse/USB-serial-ftdi_sio-fix-300-bps-rate-for-SIO.patch
 patches.suse/USB-serial-console-move-mutex_unlock-before-usb_seri.patch
+ patches.suse/usb-host-xhci-Fix-potential-memory-leak-in-xhci_allo.patch
 patches.suse/xhci-Don-t-show-warning-for-reinit-on-known-broken-s.patch
 patches.suse/usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch
 patches.suse/usb-mon-make-mmapped-memory-read-only.patch
+ patches.suse/usb-musb-Fix-musb_gadget.c-rxstate-overflow-bug.patch
 patches.suse/Revert-usb-storage-Add-quirk-for-Samsung-Fit-flash.patch
+ patches.suse/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch
+ patches.suse/usb-add-quirks-for-Lenovo-OneLink-Dock-37d49519b414.patch
 patches.suse/USB-serial-qcserial-add-new-usb-id-for-Dell-branded-.patch
 patches.suse/dyndbg-fix-module.dyndbg-handling.patch
 patches.suse/dyndbg-let-query-modname-override-actual-module-name.patch
@@ -57489,6 +57640,10 @@
 patches.suse/firmware-google-Test-spinlock-on-panic-path-to-avoid.patch
 patches.suse/iio-dac-ad5593r-Fix-i2c-read-protocol-requirements.patch
 patches.suse/iio-adc-ad7923-fix-channel-readings-for-some-variant.patch
+ patches.suse/iio-pressure-dps310-Refactor-startup-procedure.patch
+ patches.suse/iio-pressure-dps310-Reset-chip-after-timeout.patch
+ patches.suse/staging-vt6655-fix-potential-memory-leak.patch
+ patches.suse/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch
 patches.suse/staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch
 patches.suse/clk-oxnas-Hold-reference-returned-by-of_get_parent.patch
 patches.suse/clk-qoriq-Hold-reference-returned-by-of_get_parent.patch
@@ -57497,13 +57652,23 @@
 patches.suse/clk-tegra-Fix-refcount-leak-in-tegra114_clock_init.patch
 patches.suse/clk-tegra20-Fix-refcount-leak-in-tegra20_clock_init.patch
 patches.suse/clk-ti-dra7-atl-Fix-reference-leak-in-of_dra7_atl_cl.patch
+ patches.suse/clk-zynqmp-Fix-stack-out-of-bounds-in-strncpy.patch
+ patches.suse/clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch
 patches.suse/clk-mediatek-mt8183-mfgcfg-Propagate-rate-changes-to.patch
 patches.suse/clk-qcom-gcc-msm8916-use-ARRAY_SIZE-instead-of-speci.patch
+ patches.suse/clk-bcm2835-Make-peripheral-PLLC-critical.patch
 patches.suse/clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch
 patches.suse/mailbox-bcm-ferxrm-mailbox-Fix-error-check-for-dma_m.patch
 patches.suse/efi-libstub-drop-pointless-get_memory_map-call.patch
 patches.suse/KVM-x86-emulator-Fix-handing-of-POP-SS-to-correctly-.patch
 patches.suse/KVM-nVMX-Unconditionally-purge-queued-injected-event.patch
+ patches.suse/powerpc-pci_dn-Add-missing-of_node_put.patch
+ patches.suse/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch
+ patches.suse/powerpc-64-Remove-unused-SYS_CALL_TABLE-symbol.patch
+ patches.suse/powerpc-mm-64s-Drop-pgd_huge.patch
+ patches.suse/powerpc-kprobes-Fix-null-pointer-reference-in-arch_p.patch
+ patches.suse/cgroup-cpuset-Enable-update_tasks_cpumask-on-top_cpuset.patch
+ patches.suse/kbuild-remove-the-target-in-signal-traps-when-interr.patch
 patches.suse/crypto-hisilicon-zip-fix-mismatch-in-get-set-sgl_sge.patch
 patches.suse/crypto-akcipher-default-implementation-for-setting-a.patch
 patches.suse/crypto-ccp-Release-dma-channels-before-dmaengine-unr.patch
@@ -57521,6 +57686,10 @@
 patches.suse/PCI-Fix-used_buses-calculation-in-pci_scan_child_bus.patch
 patches.suse/PCI-Sanitise-firmware-BAR-assignments-behind-a-PCI-P.patch
 patches.suse/irqchip-ls-extirq-Fix-invalid-wait-context-by-avoidi.patch
+ patches.suse/mm-hugetlb-fix-races-when-looking-up-a-CONT-PTE-PMD-.patch
+ patches.suse/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
+ patches.suse/nilfs2-fix-NULL-pointer-dereference-at-nilfs_bmap_lo.patch
+ patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch
 patches.suse/drm-i915-gvt-fix-a-memory-leak-in-intel_gvt_init_vgp.patch
 patches.suse/watchdog-ftwdt010_wdt-fix-test-for-platform_get_irq-.patch
 patches.suse/watchdog-armada_37xx_wdt-Fix-.set_timeout-callback.patch
@@ -57545,8 +57714,43 @@ patches.suse/mmc-sdhci-sprd-Fix-minimum-clock-limit.patch patches.suse/ALSA-hda-realtek-remove-ALC289_FIXUP_DUAL_SPK-for-De.patch patches.suse/ALSA-hda-realtek-Correct-pin-configs-for-ASUS-G533Z.patch + patches.suse/ALSA-hda-realtek-Add-quirk-for-ASUS-GV601R-laptop.patch + patches.suse/ALSA-hda-realtek-Add-Intel-Reference-SSID-to-support.patch + patches.suse/ALSA-rawmidi-Drop-register_mutex-in-snd_rawmidi_free.patch + patches.suse/ALSA-oss-Fix-potential-deadlock-at-unregistration.patch patches.suse/rtc-stmp3xxx-Add-failure-handling-for-stmp3xxx_wdt_r.patch patches.suse/ACPI-HMAT-Release-platform-device-in-case-of-platfor.patch + patches.suse/HID-magicmouse-Do-not-set-BTN_MOUSE-on-double-report.patch + patches.suse/ACPI-extlog-Handle-multiple-records.patch + patches.suse/thermal-intel_powerclamp-Use-first-online-CPU-as-con.patch + patches.suse/hwmon-coretemp-Handle-large-core-ID-value.patch + patches.suse/media-v4l2-dv-timings-add-sanity-checks-for-blanking.patch + patches.suse/media-videodev2.h-V4L2_DV_BT_BLANKING_HEIGHT-should-.patch + patches.suse/mac802154-Fix-LQI-recording.patch + patches.suse/can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch + patches.suse/openvswitch-switch-from-WARN-to-pr_warn.patch + patches.suse/can-kvaser_usb-Fix-possible-completions-during-init_.patch + patches.suse/drm-msm-Fix-return-type-of-mdp4_lvds_connector_mode_.patch + patches.suse/drm-msm-dsi-fix-memory-corruption-with-too-many-brid.patch + patches.suse/drm-msm-hdmi-fix-memory-corruption-with-too-many-bri.patch + patches.suse/ALSA-ac97-fix-possible-memory-leak-in-snd_ac97_dev_r.patch + patches.suse/ALSA-au88x0-use-explicitly-signed-char.patch + patches.suse/ALSA-rme9652-use-explicitly-signed-char.patch + patches.suse/ALSA-aoa-i2sbus-fix-possible-memory-leak-in-i2sbus_a.patch + patches.suse/ALSA-Use-del_timer_sync-before-freeing-timer.patch + patches.suse/ALSA-aoa-Fix-I2S-device-accounting.patch + 
patches.suse/mtd-rawnand-marvell-Use-correct-logic-for-nand-keep-.patch + patches.suse/mmc-core-Fix-kernel-panic-when-remove-non-standard-S.patch + patches.suse/PM-hibernate-Allow-hybrid-sleep-to-work-with-s2idle.patch + patches.suse/PM-domains-Fix-handling-of-unavailable-disabled-idle.patch + patches.suse/device-property-Fix-documentation-for-_match_string-.patch + patches.suse/usb-bdc-change-state-when-port-disconnected.patch + patches.suse/usb-dwc3-gadget-Stop-processing-more-requests-on-IMI.patch + patches.suse/usb-dwc3-gadget-Don-t-set-IMI-for-no_interrupt.patch + patches.suse/iio-light-tsl2583-Fix-module-unloading.patch + patches.suse/iio-adc-mcp3911-use-correct-id-bits.patch + patches.suse/fbdev-da8xx-fb-Fix-error-handling-in-.remove.patch + patches.suse/fbdev-cyber2000fb-fix-missing-pci_disable_device.patch # out-of-tree patches patches.suse/ppc64-kdump-Limit-kdump-base-to-512MB.patch 
@@ -57588,17 +57792,19 @@ patches.suse/nvme-tcp-handle-number-of-queue-changes.patch patches.suse/nvme-rdma-handle-number-of-queue-changes.patch patches.suse/nvme-tcp-fix-uaf-when-detecting-digest-errors.patch - patches.suse/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch patches.suse/netfilter-nf_tables-stricter-validation-of-element-d.patch patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch patches.suse/watchdog-wdat_wdt-fix-min-max-timer-value.patch patches.suse/media-dvb-core-Fix-UAF-due-to-refcount-races-at-rele.patch patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch + patches.suse/Bluetooth-L2CAP-fix-use-after-free-in-l2cap_conn_del.patch + patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch ######################################################## # kbuild/module infrastructure fixes ######################################################## + patches.suse/kbuild-Add-skip_encoding_btf_enum64-option-to-pahole.patch # SUSE specific build tweaks patches.suse/rpm-kernel-config @@ -57757,6 +57963,7 @@ patches.suse/pstore_disable_efi_backend_by_default.patch patches.suse/io_uring-ensure-req-submit-is-copied-when-req-is-def.patch patches.suse/io_uring-Fix-current-fs-handling-in-io_sq_wq_submit_.patch + patches.suse/io_uring-disable-polling-signalfd-pollfree-files.patch ######################################################## # Block layer @@ -58156,6 +58363,8 @@ patches.kabi/struct-otg_fsm-hide-new-boolean-member-in-gap.patch patches.kabi/struct-ehci_hcd-hide-new-member.patch patches.kabi/struct-pci_config_window-kABI-workaround.patch + patches.kabi/kABI-arm64-crypto-sha512-Preserve-function-signature.patch + patches.kabi/fix-kABI-after-KVM-Add-infrastructure-and-macro-to-mark-VM-as-bugged ######################################################## # You'd better have a good reason for adding a patch