diff --git a/blacklist.conf b/blacklist.conf
index b28d335..3e3e62a 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -549,7 +549,6 @@ d0a8d9378d16eb3c69bd8e6d23779fbdbee3a8c7 # Breaks build
 9aee5f8a7e30330d0a8f4c626dc924ca5590aba5 # Doesn't fix a bug, breaks kABI
 45b575c00d8e72d69d75dd8c112f044b7b01b069 # Doesn't fix a bug, breaks kABI
 78ce241099bb363b19dbd0245442e66c8de8f567 # Not relevant
-def98c84b6cdf2eeea19ec5736e90e316df5206b # workqueue: Too intrusive. Could the rescuer be needed to drain the queue? Anyway, the most likely reason for sanity check failure was hopefully fixed by commit e66b39af00f426b3356b ("workqueue: Fix pwq ref leak in rescuer_thread()")
 65099ea85e885c3ea1272eca8774b771419d8ce8 # iio: revert: not applicable
 12f92866f13f9ca12e158c07978246ed83d52ed0 # media: revert: not applicable
 99fb0f25c448ab72481bd700b66e0e48c583ef5a # mfd: cros_ec: not applicable
@@ -564,7 +563,9 @@ c3fee60908db4a8594f2e4a2131998384b8fa006 # printk: cosmetic; anyway, it fixes a
 0f7636e1654338c34e3c220c02b2ffad78b6ccc0 # printk: cosmetic; documentation
 89ccf18f032f26946e2ea6258120472eec6aa745 # printk: not critical; allow to use the full buffer when using log dumpers
 b665eae7a788c5e2bc10f9ac3c0137aa0ad1fc97 # printk: cosmetic problem
+d2130e82e9454304e9b91ba9da551b5989af8c27 # printk: cosmetic problem; wrong value shown in log
 57116ce17b04fde2fe30f0859df69d8dbe5809f6 # printk/workqueue: very hard to hit; works well with lockless ringuffer; but it might cause wrong timestamps or even lost messages on 4.12 where per-CPU buffers are used
+900fdc4573766dd43b847b4f54bd4a1ee2bc7360 # vsprintf: non-trivial change that modifies the behavior a bit; it should be safe because it is in the mainline for a long time without regression reports; but who knows; it is rather a corner case; it does not look worth the risk
 075e1a0c50f59ea210561d0d0fedbd945615df78 # sysrq: prehistoric bug, non-critical, found by code review
 b642e44e8ab335868b549fe5753b783ca47bf3a3 # kstrto*: comment fix
 ef0f2685336bbc334e8b6997ce9b155e5f7edd31 # kstrto*: comment fix
@@ -573,6 +574,9 @@ b60706644282af04e4aa57da5af57470d453cd1f # vsprintf: cosmetic
 741a76b350897604c48fb12beff1c9b77724dc96 # kthread: fixes rather rare races in CPU hotplug; there are several followup fixes on top of it to get it actually right; does not worth the risk
 4ca1085c9573ea08767521dabce62456e3fc2fd0 # kthread: comment fix
 0687c66b5f666b5ad433f4e94251590d9bc9d10e # kthread: Fixes debugging of the life cycle of work struct. Broken for ages. Disabled in our configuration.
+1cf12e08bc4d50a76b80c42a3109c53d8794a0c9 # sched/hotplug: added here just to make sure that it will not be backported without followup fixes, e.g. ac687e6e8c26181a33
+ac687e6e8c26181a33270efd1a2e2241377924b0 # kthread: not needed; part of a regression fix for the commit 1cf12e08bc4d ("sched/hotplug: Consolidate task migration on CPU unplug"); the regression commit is blacklisted as well
+01341fbd0d8d4e717fc1231cdffe00343088ce0b # workqueue: Non-trivial reasoning why the change is correct. Fixing a corner case. Workqueues are typically allocated only once during boot so that the problem should not happen at runtime.
 4950276672fce5c241857540f8561c440663673d # kmemcheck removal; not for released products
 d8be75663cec0069b85f80191abd2682ce4a512f # related to kmemcheck removal; not for released products
 a6da0024ffc19e0d47712bb5ca4fd083f76b07df # blktrace: fix unlocked registration of tracepoints; racy for ages; found by syzcaller; not worth it
@@ -2706,3 +2710,7 @@ df6d4f9db79c1a5d6f48b59db35ccd1e9ff9adfc # 08529078d8d9 not present
 6a2cbc58d6c9d90cd74288cc497c2b45815bc064 # our code never uses more than 8B, impact is incorrect output only
 39f985c8f667c80a3d1eb19d31138032fa36b09e # we don't have c7510ab2cf5c ("mm: abstract out wake_page_match() from wake_page_function()")
 910603818c6c0558fe9b5e056a3bd5195aaae1a5 # already applied
+6bae9de622d3ef4805aba40e763eb4b0975c4f6d # utterly destroys kABI
+4fa42adebe5b77215e50eaad701663c8702d3c88 # feature and interrupt mitigation
+9cec1d547cb739f8bac2de833487116e0fe896d2 # irrelevant for our compiler version
+68c5634c4a7278672a3bed00eb5646884257c413 # Greg's political wipeout of patches from unm.edu
diff --git a/patches.kabi/struct-wmi_svc_avail_ev_arg-new-member-to-end.patch b/patches.kabi/struct-wmi_svc_avail_ev_arg-new-member-to-end.patch
new file mode 100644
index 0000000..7a56cbf
--- /dev/null
+++ b/patches.kabi/struct-wmi_svc_avail_ev_arg-new-member-to-end.patch
@@ -0,0 +1,34 @@
+From 5b6bd2f7ac7030c6614ddc9709b7a806fe3de7c2 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Mon, 17 Apr 2023 13:14:41 +0200
+Subject: [PATCH] struct wmi_svc_avail_ev_arg: new member to end
+Patch-mainline: Never, kABI fixup
+References: git-fixes
+
+Shifting the new flag to the end
+
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/ath10k/wmi.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
+index 1292f3235..4b56c37a6 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.h
++++ b/drivers/net/wireless/ath/ath10k/wmi.h
+@@ -6713,9 +6713,11 @@ struct wmi_svc_rdy_ev_arg {
+ };
+
+ struct wmi_svc_avail_ev_arg {
+- bool service_map_ext_valid;
+ __le32 service_map_ext_len;
+ const __le32 *service_map_ext;
++#ifndef __GENKSYMS__
++ bool service_map_ext_valid;
++#endif
+ };
+
+ struct wmi_rdy_ev_arg {
+--
+2.40.0
+
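Review bot: The `#ifndef __GENKSYMS__` block in `struct wmi_svc_avail_ev_arg` hides a real size change of the struct from the symbol checksums, and nothing in the patch records why that is safe. Appending `service_map_ext_valid` keeps the offsets of `service_map_ext_len` and `service_map_ext` unchanged, but any code built against the old layout that allocates this struct itself would hand over an object smaller than what the new code reads; whether such users exist is not visible here. Once that has been checked, a comment above the guard would document it, for example `/* kABI: member appended; the struct is only instantiated inside ath10k */`.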
diff --git a/patches.suse/ath10k-Fix-error-handling-in-case-of-CE-pipe-init-fa.patch b/patches.suse/ath10k-Fix-error-handling-in-case-of-CE-pipe-init-fa.patch
new file mode 100644
index 0000000..af6c00e
--- /dev/null
+++ b/patches.suse/ath10k-Fix-error-handling-in-case-of-CE-pipe-init-fa.patch
@@ -0,0 +1,45 @@
+From 31561e8557cd1eeba5806ac9ce820f8323b2201b Mon Sep 17 00:00:00 2001
+From: Rakesh Pillai
+Date: Sat, 12 Dec 2020 00:30:10 +0530
+Subject: [PATCH] ath10k: Fix error handling in case of CE pipe init failure
+Git-commit: 31561e8557cd1eeba5806ac9ce820f8323b2201b
+References: git-fixes
+Patch-mainline: v5.12-rc1
+
+Currently if the copy engine pipe init fails for snoc based
+chipsets, the rri is not freed.
+
+Fix this error handling for copy engine pipe init
+failure.
+
+Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
+
+Fixes: 4945af5b264f ("ath10k: enable SRRI/DRRI support on ddr for WCN3990")
+Signed-off-by: Rakesh Pillai
+Reviewed-by: Brian Norris
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1607713210-18320-1-git-send-email-pillair@codeaurora.org
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/ath10k/snoc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/snoc.c
++++ b/drivers/net/wireless/ath/ath10k/snoc.c
+@@ -789,13 +789,14 @@ static int ath10k_snoc_hif_power_up(stru
+ ret = ath10k_snoc_init_pipes(ar);
+ if (ret) {
+ ath10k_err(ar, "failed to initialize CE: %d\n", ret);
+- goto err_wlan_enable;
++ goto err_free_rri;
+ }
+
+ napi_enable(&ar->napi);
+ return 0;
+
+-err_wlan_enable:
++err_free_rri:
++ ath10k_ce_free_rri(ar);
+ ath10k_snoc_wlan_disable(ar);
+
+ return ret;
diff --git a/patches.suse/ath10k-Fix-the-parsing-error-in-service-available-ev.patch b/patches.suse/ath10k-Fix-the-parsing-error-in-service-available-ev.patch
new file mode 100644
index 0000000..01bf380
--- /dev/null
+++ b/patches.suse/ath10k-Fix-the-parsing-error-in-service-available-ev.patch
@@ -0,0 +1,91 @@
+From c7cee9c0f499f27ec6de06bea664b61320534768 Mon Sep 17 00:00:00 2001
+From: Rakesh Pillai
+Date: Tue, 24 Nov 2020 17:59:17 +0200
+Subject: [PATCH] ath10k: Fix the parsing error in service available event
+Git-commit: c7cee9c0f499f27ec6de06bea664b61320534768
+References: git-fixes
+Patch-mainline: v5.11-rc1
+
+The wmi service available event has been
+extended to contain extra 128 bit for new services
+to be indicated by firmware.
+
+Currently the presence of any optional TLVs in
+the wmi service available event leads to a parsing
+error with the below error message:
+ath10k_snoc 18800000.wifi: failed to parse svc_avail tlv: -71
+
+The wmi service available event parsing should
+not return error for the newly added optional TLV.
+Fix this parsing for service available event message.
+
+Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.2-00720-QCAHLSWMTPL-1
+
+Fixes: cea19a6ce8bf ("ath10k: add WMI_SERVICE_AVAILABLE_EVENT support")
+Signed-off-by: Rakesh Pillai
+Reviewed-by: Douglas Anderson
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1605501291-23040-1-git-send-email-pillair@codeaurora.org
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 +++-
+ drivers/net/wireless/ath/ath10k/wmi.c | 9 +++++++--
+ drivers/net/wireless/ath/ath10k/wmi.h | 1 +
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+index 932266d1111b..7b5834157fe5 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -1401,13 +1401,15 @@ static int ath10k_wmi_tlv_svc_avail_parse(struct ath10k *ar, u16 tag, u16 len,
+
+ switch (tag) {
+ case WMI_TLV_TAG_STRUCT_SERVICE_AVAILABLE_EVENT:
++ arg->service_map_ext_valid = true;
+ arg->service_map_ext_len = *(__le32 *)ptr;
+ arg->service_map_ext = ptr + sizeof(__le32);
+ return 0;
+ default:
+ break;
+ }
+- return -EPROTO;
++
++ return 0;
+ }
+
+ static int ath10k_wmi_tlv_op_pull_svc_avail(struct ath10k *ar,
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index c521f0b27831..c491acebdb46 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -5751,8 +5751,13 @@ void ath10k_wmi_event_service_available(struct ath10k *ar, struct sk_buff *skb)
+ ret);
+ }
+
+- ath10k_wmi_map_svc_ext(ar, arg.service_map_ext, ar->wmi.svc_map,
+- __le32_to_cpu(arg.service_map_ext_len));
++ /*
++ * Initialization of "arg.service_map_ext_valid" to ZERO is necessary
++ * for the below logic to work.
++ */
++ if (arg.service_map_ext_valid)
++ ath10k_wmi_map_svc_ext(ar, arg.service_map_ext, ar->wmi.svc_map,
++ __le32_to_cpu(arg.service_map_ext_len));
+ }
+
+ static int ath10k_wmi_event_temperature(struct ath10k *ar, struct sk_buff *skb)
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
+index c32aabea8293..d870f7067cb7 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.h
++++ b/drivers/net/wireless/ath/ath10k/wmi.h
+@@ -6919,6 +6919,7 @@ struct wmi_svc_rdy_ev_arg {
+ };
+
+ struct wmi_svc_avail_ev_arg {
++ bool service_map_ext_valid;
+ __le32 service_map_ext_len;
+ const __le32 *service_map_ext;
+ };
+--
+2.40.0
+
diff --git a/patches.suse/ath10k-add-missing-error-return-code-in-ath10k_pci_p.patch b/patches.suse/ath10k-add-missing-error-return-code-in-ath10k_pci_p.patch
new file mode 100644
index 0000000..6bf3fe5
--- /dev/null
+++ b/patches.suse/ath10k-add-missing-error-return-code-in-ath10k_pci_p.patch
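Review bot: The new `if (arg.service_map_ext_valid)` in ath10k_wmi_event_service_available() reads a flag that is set only when the parser meets WMI_TLV_TAG_STRUCT_SERVICE_AVAILABLE_EVENT, so it is an uninitialised stack read unless `arg` is zeroed at its declaration, which lies outside the hunk. The added comment states the requirement without enforcing it; for a backport it is worth confirming that this tree declares it as `struct wmi_svc_avail_ev_arg arg = {};`. Separately, the parse callback in wmi-tlv.c still reads `*(__le32 *)ptr` and stores the firmware-supplied length without comparing it with `len`. If the TLV iterator does not already enforce a minimum length for this tag, a guard such as `if (len < sizeof(__le32)) return -EPROTO;` ahead of the read would bound it.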
@@ -0,0 +1,50 @@
+From e2783e2f39ba99178dedfc1646d5cc0979d1bab3 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Mon, 31 May 2021 17:41:28 +0300
+Subject: [PATCH] ath10k: add missing error return code in ath10k_pci_probe()
+Git-commit: e2783e2f39ba99178dedfc1646d5cc0979d1bab3
+References: git-fixes
+Patch-mainline: v5.14-rc1
+
+When chip_id is not supported, the resources will be freed
+on path err_unsupported, these resources will also be freed
+when calling ath10k_pci_remove(), it will cause double free,
+so return -ENODEV when it doesn't support the device with wrong
+chip_id.
+
+Fixes: c0c378f9907c ("ath10k: remove target soc ps code")
+Fixes: 7505f7c3ec1d ("ath10k: create a chip revision whitelist")
+Fixes: f8914a14623a ("ath10k: restore QCA9880-AR1A (v1) detection")
+Reported-by: Hulk Robot
+Signed-off-by: Yang Yingliang
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210522105822.1091848-3-yangyingliang@huawei.com
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -3630,18 +3630,21 @@ static int ath10k_pci_probe(struct pci_d
+ ret = ath10k_pci_chip_reset(ar);
+ if (ret) {
+ ath10k_err(ar, "failed to reset chip: %d\n", ret);
++ ret = -ENODEV;
+ goto err_free_irq;
+ }
+
+ chip_id = ath10k_pci_soc_read32(ar, SOC_CHIP_ID_ADDRESS);
+ if (chip_id == 0xffffffff) {
+ ath10k_err(ar, "failed to get chip id\n");
++ ret = -ENODEV;
+ goto err_free_irq;
+ }
+
+ if (!ath10k_pci_chip_is_supported(pdev->device, chip_id)) {
+ ath10k_err(ar, "device %04x with chip_id %08x isn't supported\n",
+ pdev->device, chip_id);
++ ret = -ENODEV;
+ goto err_free_irq;
+ }
+
diff --git a/patches.suse/ath10k-fix-control-message-timeout.patch b/patches.suse/ath10k-fix-control-message-timeout.patch
new file mode 100644
index 0000000..4d40be7
--- /dev/null
+++ b/patches.suse/ath10k-fix-control-message-timeout.patch
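Review bot: The first added `ret = -ENODEV;` sits in the `ath10k_pci_chip_reset()` failure branch, where `if (ret)` has already established a non-zero code, so it only replaces the specific error with a generic one. The message above it still logs the original value, but the caller of the probe no longer receives it. If -ENODEV is intended for all three exits, a short comment would make that deliberate, e.g. `/* every unusable chip is reported as -ENODEV */`; otherwise the assignment is only needed in the two chip_id branches, where `ret` is still zero. The rest of ath10k_pci_probe() is outside the hunk.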
@@ -0,0 +1,38 @@
+From 5286132324230168d3fab6ffc16bfd7de85bdfb4 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 14:05:19 +0200
+Subject: [PATCH] ath10k: fix control-message timeout
+Git-commit: 5286132324230168d3fab6ffc16bfd7de85bdfb4
+References: git-fixes
+Patch-mainline: v5.16-rc1
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: 4db66499df91 ("ath10k: add initial USB support")
+Cc: stable@vger.kernel.org # 4.14
+Cc: Erik Stromdahl
+Signed-off-by: Johan Hovold
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211025120522.6045-2-johan@kernel.org
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/ath10k/usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c
+index 19b9c27e30e2..6d831b098cbb 100644
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -525,7 +525,7 @@ static int ath10k_usb_submit_ctrl_in(struct ath10k *ar,
+ req,
+ USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, value, index, buf,
+- size, 2 * HZ);
++ size, 2000);
+
+ if (ret < 0) {
+ ath10k_warn(ar, "Failed to read usb control message: %d\n",
+--
+2.40.0
+
diff --git a/patches.suse/ath10k-fix-division-by-zero-in-send-path.patch b/patches.suse/ath10k-fix-division-by-zero-in-send-path.patch
new file mode 100644
index 0000000..a5fa366
--- /dev/null
+++ b/patches.suse/ath10k-fix-division-by-zero-in-send-path.patch
@@ -0,0 +1,47 @@
+From a006acb931317aad3a8dd41333ebb0453caf49b8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 27 Oct 2021 10:08:17 +0200
+Subject: [PATCH] ath10k: fix division by zero in send path
+Git-commit: a006acb931317aad3a8dd41333ebb0453caf49b8
+References: git-fixes
+Patch-mainline: v5.16-rc1
+
+Add the missing endpoint max-packet sanity check to probe() to avoid
+division by zero in ath10k_usb_hif_tx_sg() in case a malicious device
+has broken descriptors (or when doing descriptor fuzz testing).
+
+Note that USB core will reject URBs submitted for endpoints with zero
+wMaxPacketSize but that drivers doing packet-size calculations still
+need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
+endpoint descriptors with maxpacket=0")).
+
+Fixes: 4db66499df91 ("ath10k: add initial USB support")
+Cc: stable@vger.kernel.org # 4.14
+Cc: Erik Stromdahl
+Signed-off-by: Johan Hovold
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211027080819.6675-2-johan@kernel.org
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/ath10k/usb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c
+index 6d831b098cbb..3d98f19c6ec8 100644
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -853,6 +853,11 @@ static int ath10k_usb_setup_pipe_resources(struct ath10k *ar,
+ le16_to_cpu(endpoint->wMaxPacketSize),
+ endpoint->bInterval);
+ }
++
++ /* Ignore broken descriptors. */
++ if (usb_endpoint_maxp(endpoint) == 0)
++ continue;
++
+ urbcount = 0;
+
+ pipe_num =
+--
+2.40.0
+
diff --git a/patches.suse/ath10k-fix-memory-overwrite-of-the-WoWLAN-wakeup-pac.patch b/patches.suse/ath10k-fix-memory-overwrite-of-the-WoWLAN-wakeup-pac.patch
new file mode 100644
index 0000000..2aac80f
--- /dev/null
+++ b/patches.suse/ath10k-fix-memory-overwrite-of-the-WoWLAN-wakeup-pac.patch
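Review bot: The comment `/* Ignore broken descriptors. */` on the added check in ath10k_usb_setup_pipe_resources() does not say what is broken or why skipping matters. The commit message gives the reason, a zero wMaxPacketSize that the send path later uses as a divisor, and that belongs next to the check: `/* Skip endpoints with wMaxPacketSize == 0; the send path divides by this value. */`. The check also comes after the debug print of the endpoint, so a skipped endpoint is logged as if it were accepted; a debug message on the `continue` would make a rejected descriptor visible. Whether setup fails cleanly when a required pipe was skipped cannot be seen from this hunk, which ends inside the loop body.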
@@ -0,0 +1,56 @@
+From e3fb3d4418fce5484dfe7995fcd94c18b10a431a Mon Sep 17 00:00:00 2001
+From: Wen Gong
+Date: Mon, 10 Jan 2022 16:24:13 +0200
+Subject: [PATCH] ath10k: fix memory overwrite of the WoWLAN wakeup packet
+ pattern
+Git-commit: e3fb3d4418fce5484dfe7995fcd94c18b10a431a
+References: git-fixes
+Patch-mainline: v5.18-rc1
+
+In function ath10k_wow_convert_8023_to_80211(), it will do memcpy for
+the new->pattern, and currently the new->pattern and new->mask is same
+with the old, then the memcpy of new->pattern will also overwrite the
+old->pattern, because the header format of new->pattern is 802.11,
+its length is larger than the old->pattern which is 802.3. Then the
+operation of "Copy frame body" will copy a mistake value because the
+body memory has been overwrite when memcpy the new->pattern.
+
+Assign another empty value to new_pattern to avoid the overwrite issue.
+
+Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
+
+Fixes: fa3440fa2fa1 ("ath10k: convert wow pattern from 802.3 to 802.11")
+Signed-off-by: Wen Gong
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211222031347.25463-1-quic_wgong@quicinc.com
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/ath/ath10k/wow.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wow.c b/drivers/net/wireless/ath/ath10k/wow.c
+index 7d65c115669f..20b9aa8ddf7d 100644
+--- a/drivers/net/wireless/ath/ath10k/wow.c
++++ b/drivers/net/wireless/ath/ath10k/wow.c
+@@ -337,14 +337,15 @@ static int ath10k_vif_wow_set_wakeups(struct ath10k_vif *arvif,
+ if (patterns[i].mask[j / 8] & BIT(j % 8))
+ bitmask[j] = 0xff;
+ old_pattern.mask = bitmask;
+- new_pattern = old_pattern;
+
+ if (ar->wmi.rx_decap_mode == ATH10K_HW_TXRX_NATIVE_WIFI) {
+- if (patterns[i].pkt_offset < ETH_HLEN)
++ if (patterns[i].pkt_offset < ETH_HLEN) {
+ ath10k_wow_convert_8023_to_80211(&new_pattern,
+ &old_pattern);
+- else
++ } else {
++ new_pattern = old_pattern;
+ new_pattern.pkt_offset += WOW_HDR_LEN - ETH_HLEN;
++ }
+ }
+
+ if (WARN_ON(new_pattern.pattern_len > WOW_MAX_PATTERN_SIZE))
+--
+2.40.0
+
diff --git a/patches.suse/iwlwifi-Fix-EIO-error-code-that-is-never-returned.patch b/patches.suse/iwlwifi-Fix-EIO-error-code-that-is-never-returned.patch
new file mode 100644
index 0000000..cb1871b
--- /dev/null
+++ b/patches.suse/iwlwifi-Fix-EIO-error-code-that-is-never-returned.patch
@@ -0,0 +1,38 @@
+From c305c94bdc18e45b5ad1db54da4269f8cbfdff6b Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Tue, 7 Sep 2021 11:46:58 +0100
+Subject: [PATCH] iwlwifi: Fix -EIO error code that is never returned
+Git-commit: c305c94bdc18e45b5ad1db54da4269f8cbfdff6b
+References: git-fixes
+Patch-mainline: v5.18-rc1
+
+Currently the error -EIO is being assinged to variable ret when
+the READY_BIT is not set but the function iwlagn_mac_start returns
+0 rather than ret. Fix this by returning ret instead of 0.
+
+Addresses-Coverity: ("Unused value")
+Fixes: 7335613ae27a ("iwlwifi: move all mac80211 related functions to one place")
+Signed-off-by: Colin Ian King
+Link: https://lore.kernel.org/r/20210907104658.14706-1-colin.king@canonical.com
+Signed-off-by: Luca Coelho
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c
+index 754876cd27ce..e8bd4f0e3d2d 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c
+@@ -299,7 +299,7 @@ static int iwlagn_mac_start(struct ieee80211_hw *hw)
+
+ priv->is_open = 1;
+ IWL_DEBUG_MAC80211(priv, "leave\n");
+- return 0;
++ return ret;
+ }
+
+ static void iwlagn_mac_stop(struct ieee80211_hw *hw)
+--
+2.40.0
+
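Review bot: With `new_pattern = old_pattern;` moved into the inner `else`, `new_pattern` is no longer filled in at all when `ar->wmi.rx_decap_mode` is not ATH10K_HW_TXRX_NATIVE_WIFI. The `WARN_ON(new_pattern.pattern_len > WOW_MAX_PATTERN_SIZE)` that follows, and whatever consumes the pattern after it, then see only the value from the declaration, which is outside the hunk. If other decap modes can reach this loop in ath10k_vif_wow_set_wakeups(), the outer `if` needs a matching branch, `} else { new_pattern = old_pattern; }`. The commit message also relies on new_pattern having its own buffers before ath10k_wow_convert_8023_to_80211() writes through `new_pattern.pattern`; that assignment is not part of this hunk, so it should be confirmed that this tree has it.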
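Review bot: `priv->is_open = 1;` still runs immediately before the new `return ret;` in iwlagn_mac_start(), so when `ret` is the -EIO described in the commit message the function reports failure while leaving the device marked open. The code that sets `ret` is outside the hunk, so this is inferred from the message and the three visible lines. If that path is reachable, returning before the flag is set keeps state and return value consistent, e.g. `if (ret) return ret;` ahead of `priv->is_open = 1;`.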
diff --git a/patches.suse/iwlwifi-fw-make-pos-static-in-iwl_sar_get_ewrd_table.patch b/patches.suse/iwlwifi-fw-make-pos-static-in-iwl_sar_get_ewrd_table.patch
new file mode 100644
index 0000000..4ff0e5a
--- /dev/null
+++ b/patches.suse/iwlwifi-fw-make-pos-static-in-iwl_sar_get_ewrd_table.patch
@@ -0,0 +1,47 @@
+From fb3c06cfda0db68f6082f05c43d63c1fb1761af0 Mon Sep 17 00:00:00 2001
+From: Luca Coelho
+Date: Mon, 23 Dec 2019 13:00:59 +0200
+Subject: [PATCH] iwlwifi: fw: make pos static in iwl_sar_get_ewrd_table() loop
+Git-commit: fb3c06cfda0db68f6082f05c43d63c1fb1761af0
+References: git-fixes
+Patch-mainline: v5.5
+
+In the for loop where we are supposed to go through the entire table,
+we are using a non-static local to keep the pos index. This makes
+each iteration start with 3, so we always access the first item on the
+table. Fix this by moving the variable outside of the loo so it
+doesn't lose its value at every iteration.
+
+Reported-by: Colin Ian King
+Signed-off-by: Luca Coelho
+Fixes: ba3224db7803 ("iwlwifi: mvm: fix an out-of-bound access")
+Signed-off-by: Luca Coelho
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -690,7 +690,7 @@ static int iwl_mvm_sar_get_ewrd_table(st
+ {
+ union acpi_object *wifi_pkg, *data;
+ bool enabled;
+- int i, n_profiles, ret;
++ int i, n_profiles, ret, pos;
+
+ data = iwl_acpi_get_object(mvm->dev, ACPI_EWRD_METHOD);
+ if (IS_ERR(data))
+@@ -722,10 +722,9 @@ static int iwl_mvm_sar_get_ewrd_table(st
+ goto out_free;
+ }
+
++ /* the tables start at element 3 */
++ pos = 3;
+ for (i = 0; i < n_profiles; i++) {
+- /* the tables start at element 3 */
+- int pos = 3;
+-
+ /* The EWRD profiles officially go from 2 to 4, but we
+ * save them in sar_profiles[1-3] (because we don't
+ * have profile 0). So in the array we start from 1.
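Review bot: With `pos` now carried across iterations in iwl_mvm_sar_get_ewrd_table(), the reads from the ACPI package advance with every profile, whereas the old code never left the first table. That makes the bound on `n_profiles` and on the package element count the only protection against indexing past the end of data supplied by platform firmware, and both checks are outside the hunk (only the tail `goto out_free; }` is visible). It is worth confirming in this tree that the package size is validated against the largest value `pos` can reach, and then recording that next to `pos = 3;`, for instance `/* pos advances over all profiles; bounded by the n_profiles check above */`. The loop body continues beyond the end of the hunk.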
diff --git a/patches.suse/iwlwifi-pcie-fix-locking-when-HW-not-ready.patch b/patches.suse/iwlwifi-pcie-fix-locking-when-HW-not-ready.patch
new file mode 100644
index 0000000..51f3ef5
--- /dev/null
+++ b/patches.suse/iwlwifi-pcie-fix-locking-when-HW-not-ready.patch
@@ -0,0 +1,38 @@
+From e9848aed147708a06193b40d78493b0ef6abccf2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 28 Jan 2022 14:30:52 +0200
+Subject: [PATCH] iwlwifi: pcie: fix locking when "HW not ready"
+Git-commit: e9848aed147708a06193b40d78493b0ef6abccf2
+References: git-fixes
+Patch-mainline: v5.17-rc5
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this.
+
+Fixes: a6bd005fe92d ("iwlwifi: pcie: fix RF-Kill vs. firmware load race")
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.5d16821d1433.Id259699ddf9806459856d6aefbdbe54477aecffd@changeid
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index a63386a01232..ef14584fc0a1 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -1329,8 +1329,7 @@ static int iwl_trans_pcie_start_fw(struct iwl_trans *trans,
+ /* This may fail if AMT took ownership of the device */
+ if (iwl_pcie_prepare_card_hw(trans)) {
+ IWL_WARN(trans, "Exit HW not ready\n");
+- ret = -EIO;
+- goto out;
++ return -EIO;
+ }
+
+ iwl_enable_rfkill_int(trans);
+--
+2.40.0
+
diff --git a/patches.suse/iwlwifi-pcie-gen2-fix-locking-when-HW-not-ready.patch b/patches.suse/iwlwifi-pcie-gen2-fix-locking-when-HW-not-ready.patch
new file mode 100644
index 0000000..e4833e0
--- /dev/null
+++ b/patches.suse/iwlwifi-pcie-gen2-fix-locking-when-HW-not-ready.patch
@@ -0,0 +1,38 @@
+From 4c29c1e27a1e178a219b3877d055e6dd643bdfda Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 28 Jan 2022 14:30:53 +0200
+Subject: [PATCH] iwlwifi: pcie: gen2: fix locking when "HW not ready"
+Git-commit: 4c29c1e27a1e178a219b3877d055e6dd643bdfda
+References: git-fixes
+Patch-mainline: v5.17-rc5
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this in the gen2 code as well.
+
+Fixes: eda50cde58de ("iwlwifi: pcie: add context information support")
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.b8b0dfce16ef.Ie20f0f7b23e5911350a2766524300d2915e7b677@changeid
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+index 0febdcacbd42..94f40c4d2421 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+@@ -385,8 +385,7 @@ int iwl_trans_pcie_gen2_start_fw(struct iwl_trans *trans,
+ /* This may fail if AMT took ownership of the device */
+ if (iwl_pcie_prepare_card_hw(trans)) {
+ IWL_WARN(trans, "Exit HW not ready\n");
+- ret = -EIO;
+- goto out;
++ return -EIO;
+ }
+
+ iwl_enable_rfkill_int(trans);
+--
+2.40.0
+
diff --git a/patches.suse/iwlwifi-pcie-reschedule-in-long-running-memory-reads.patch b/patches.suse/iwlwifi-pcie-reschedule-in-long-running-memory-reads.patch
new file mode 100644
index 0000000..eddc78e
--- /dev/null
+++ b/patches.suse/iwlwifi-pcie-reschedule-in-long-running-memory-reads.patch
@@ -0,0 +1,63 @@
+From 3d372c4edfd4dffb7dea71c6b096fb414782b776 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 15 Jan 2021 13:05:58 +0200
+Subject: [PATCH] iwlwifi: pcie: reschedule in long-running memory reads
+Git-commit: 3d372c4edfd4dffb7dea71c6b096fb414782b776
+References: git-fixes
+Patch-mainline: v5.11-rc6
+
+If we spin for a long time in memory reads that (for some reason in
+hardware) take a long time, then we'll eventually get messages such
+as
+
+ watchdog: BUG: soft lockup - CPU#2 stuck for 24s! [kworker/2:2:272]
+
+This is because the reading really does take a very long time, and
+we don't schedule, so we're hogging the CPU with this task, at least
+if CONFIG_PREEMPT is not set, e.g. with CONFIG_PREEMPT_VOLUNTARY=y.
+
+Previously I misinterpreted the situation and thought that this was
+only going to happen if we had interrupts disabled, and then fixed
+this (which is good anyway, however), but that didn't always help;
+looking at it again now I realized that the spin unlock will only
+reschedule if CONFIG_PREEMPT is used.
+
+In order to avoid this issue, change the code to cond_resched() if
+we've been spinning for too long here.
+
+Signed-off-by: Johannes Berg
+Fixes: 04516706bb99 ("iwlwifi: pcie: limit memory read spin time")
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/iwlwifi.20210115130253.217a9d6a6a12.If964cb582ab0aaa94e81c4ff3b279eaafda0fd3f@changeid
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -2133,6 +2133,7 @@ static int iwl_trans_pcie_read_mem(struc
+ u32 *vals = buf;
+
+ while (offs < dwords) {
++ bool resched = false;
+ /* limit the time we spin here under lock to 1/2s */
+ ktime_t timeout = ktime_add_us(ktime_get(), 500 * USEC_PER_MSEC);
+
+@@ -2149,10 +2150,14 @@ static int iwl_trans_pcie_read_mem(struc
+ * do it once in 128 reads
+ */
+ if (offs % 128 == 0 && ktime_after(ktime_get(),
+- timeout))
++ timeout)) {
++ resched = true;
+ break;
++ }
+ }
+ iwl_trans_release_nic_access(trans, &flags);
++ if (resched)
++ cond_resched();
+ } else {
+ return -EBUSY;
+ }
diff --git a/patches.suse/printk-Give-error-on-attempt-to-set-log-buffer-lengt.patch b/patches.suse/printk-Give-error-on-attempt-to-set-log-buffer-lengt.patch
new file mode 100644
index 0000000..4222a6f
--- /dev/null
+++ b/patches.suse/printk-Give-error-on-attempt-to-set-log-buffer-lengt.patch
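Review bot: The added `cond_resched()` in iwl_trans_pcie_read_mem() introduces a scheduling point, so every caller of this function now has to be in process context with no spinlock held, and the callers are not visible in this hunk. The call is correctly placed after `iwl_trans_release_nic_access()`, outside the NIC access section. The new constraint is not written down anywhere in the change; a `might_sleep();` at the top of the function, or a comment such as `/* may reschedule: must not be called from atomic context */`, would document it and catch a violating caller in debug builds. Both inner hunks show only fragments of the loop, so the surrounding lock handling is not reviewed here.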
@@ -0,0 +1,89 @@
+From e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e Mon Sep 17 00:00:00 2001
+From: He Zhe
+Date: Sun, 30 Sep 2018 00:45:53 +0800
+Subject: [PATCH] printk: Give error on attempt to set log buffer length to
+ over 2G
+Git-commit: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e
+Patch-mainline: v4.20-rc1
+References: bsc#1210534
+
+The current printk() is ready to handle log buffer size up to 2G.
+Give an explicit error for users who want to use larger log buffer.
+
+Also fix printk formatting to show the 2G as a positive number.
+
+Link: http://lkml.kernel.org/r/20181008135916.gg4kkmoki5bgtco5@pathway.suse.cz
+Cc: rostedt@goodmis.org
+Cc: linux-kernel@vger.kernel.org
+Suggested-by: Sergey Senozhatsky
+Signed-off-by: He Zhe
+Reviewed-by: Sergey Senozhatsky
+[pmladek: Fixed to the really safe limit 2GB.]
+Signed-off-by: Petr Mladek
+
+---
+ kernel/printk/printk.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 15f3e70be448..fce696d80e09 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -440,6 +440,7 @@ static u32 clear_idx;
+ /* record buffer */
+ #define LOG_ALIGN __alignof__(struct printk_log)
+ #define __LOG_BUF_LEN (1 << CONFIG_LOG_BUF_SHIFT)
++#define LOG_BUF_LEN_MAX (u32)(1 << 31)
+ static char __log_buf[__LOG_BUF_LEN] __aligned(LOG_ALIGN);
+ static char *log_buf = __log_buf;
+ static u32 log_buf_len = __LOG_BUF_LEN;
+@@ -1040,18 +1041,23 @@ void log_buf_vmcoreinfo_setup(void)
+ static unsigned long __initdata new_log_buf_len;
+
+ /* we practice scaling the ring buffer by powers of 2 */
+-static void __init log_buf_len_update(unsigned size)
++static void __init log_buf_len_update(u64 size)
+ {
++ if (size > (u64)LOG_BUF_LEN_MAX) {
++ size = (u64)LOG_BUF_LEN_MAX;
++ pr_err("log_buf over 2G is not supported.\n");
++ }
++
+ if (size)
+ size = roundup_pow_of_two(size);
+ if (size > log_buf_len)
+- new_log_buf_len = size;
++ new_log_buf_len = (unsigned long)size;
+ }
+
+ /* save requested log_buf_len since it's too early to process it */
+ static int __init log_buf_len_setup(char *str)
+ {
+- unsigned int size;
++ u64 size;
+
+ if (!str)
+ return -EINVAL;
+@@ -1121,7 +1127,7 @@ void __init setup_log_buf(int early)
+ }
+
+ if (unlikely(!new_log_buf)) {
+- pr_err("log_buf_len: %ld bytes not available\n",
++ pr_err("log_buf_len: %lu bytes not available\n",
+ new_log_buf_len);
+ return;
+ }
+@@ -1134,8 +1140,8 @@ void __init setup_log_buf(int early)
+ memcpy(log_buf, __log_buf, __LOG_BUF_LEN);
+ logbuf_unlock_irqrestore(flags);
+
+- pr_info("log_buf_len: %d bytes\n", log_buf_len);
+- pr_info("early log buf free: %d(%d%%)\n",
++ pr_info("log_buf_len: %u bytes\n", log_buf_len);
++ pr_info("early log buf free: %u(%u%%)\n",
+ free, (free * 100) / __LOG_BUF_LEN);
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/workqueue-Fix-missing-kfree-rescuer-in-destroy_workq.patch b/patches.suse/workqueue-Fix-missing-kfree-rescuer-in-destroy_workq.patch
new file mode 100644
index 0000000..7bed0ba
--- /dev/null
+++ b/patches.suse/workqueue-Fix-missing-kfree-rescuer-in-destroy_workq.patch
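Review bot: `#define LOG_BUF_LEN_MAX (u32)(1 << 31)` shifts a signed `int` into its sign bit before the cast, which ISO C leaves undefined, and the expansion is not wrapped in outer parentheses. The kernel's build flags make the value come out as intended in practice, but `#define LOG_BUF_LEN_MAX ((u32)1 << 31)` states the same limit without depending on that. In log_buf_len_update() the clamp runs before `roundup_pow_of_two()`, so the largest accepted value is already a power of two and the rounding cannot push it past the limit. The parsing in log_buf_len_setup() that produces `size` is outside the hunk.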
@@ -0,0 +1,32 @@
+From 8efe1223d73c218ce7e8b2e0e9aadb974b582d7f Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Fri, 20 Sep 2019 13:39:57 -0700
+Subject: [PATCH] workqueue: Fix missing kfree(rescuer) in destroy_workqueue()
+Git-commit: 8efe1223d73c218ce7e8b2e0e9aadb974b582d7f
+Patch-mainline: v5.5-rc1
+References: bsc#1210460
+
+Signed-off-by: Tejun Heo
+Reported-by: Qian Cai
+Fixes: def98c84b6cd ("workqueue: Fix spurious sanity check failures in destroy_workqueue()")
+Acked-by: Petr Mladek
+
+---
+ kernel/workqueue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 93e20f5330fc..3f067f1d72e3 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -4345,6 +4345,7 @@ void destroy_workqueue(struct workqueue_struct *wq)
+
+ /* rescuer will empty maydays list before exiting */
+ kthread_stop(rescuer->task);
++ kfree(rescuer);
+ }
+
+ /* sanity checks */
+--
+2.35.3
+
diff --git a/patches.suse/workqueue-Fix-spurious-sanity-check-failures-in-dest.patch b/patches.suse/workqueue-Fix-spurious-sanity-check-failures-in-dest.patch
new file mode 100644
index 0000000..294a6e1
--- /dev/null
+++ b/patches.suse/workqueue-Fix-spurious-sanity-check-failures-in-dest.patch
@@ -0,0 +1,88 @@
+From def98c84b6cdf2eeea19ec5736e90e316df5206b Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Wed, 18 Sep 2019 18:43:40 -0700
+Subject: [PATCH] workqueue: Fix spurious sanity check failures in
+ destroy_workqueue()
+Git-commit: def98c84b6cdf2eeea19ec5736e90e316df5206b
+Patch-mainline: v5.5-rc1
+References: bsc#1210460
+
+Before actually destrying a workqueue, destroy_workqueue() checks
+whether it's actually idle. If it isn't, it prints out a bunch of
+warning messages and leaves the workqueue dangling. It unfortunately
+has a couple issues.
+
+* Mayday list queueing increments pwq's refcnts which gets detected as
+ busy and fails the sanity checks. However, because mayday list
+ queueing is asynchronous, this condition can happen without any
+ actual work items left in the workqueue.
+
+* Sanity check failure leaves the sysfs interface behind too which can
+ lead to init failure of newer instances of the workqueue.
+
+This patch fixes the above two by
+
+* If a workqueue has a rescuer, disable and kill the rescuer before
+ sanity checks. Disabling and killing is guaranteed to flush the
+ existing mayday list.
+
+* Remove sysfs interface before sanity checks.
+
+Signed-off-by: Tejun Heo
+Reported-by: Marcin Pawlowski
+Reported-by: "Williams, Gerald S"
+Cc: stable@vger.kernel.org
+Acked-by: Petr Mladek
+
+---
+ kernel/workqueue.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index bc2e09a8ea61..93e20f5330fc 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -4325,9 +4325,28 @@ void destroy_workqueue(struct workqueue_struct *wq)
+ struct pool_workqueue *pwq;
+ int node;
+
++ /*
++ * Remove it from sysfs first so that sanity check failure doesn't
++ * lead to sysfs name conflicts.
++ */
++ workqueue_sysfs_unregister(wq);
++
+ /* drain it before proceeding with destruction */
+ drain_workqueue(wq);
+
++ /* kill rescuer, if sanity checks fail, leave it w/o rescuer */
++ if (wq->rescuer) {
++ struct worker *rescuer = wq->rescuer;
++
++ /* this prevents new queueing */
++ spin_lock_irq(&wq_mayday_lock);
++ wq->rescuer = NULL;
++ spin_unlock_irq(&wq_mayday_lock);
++
++ /* rescuer will empty maydays list before exiting */
++ kthread_stop(rescuer->task);
++ }
++
+ /* sanity checks */
+ mutex_lock(&wq->mutex);
+ for_each_pwq(pwq, wq) {
+@@ -4359,11 +4378,6 @@ void destroy_workqueue(struct workqueue_struct *wq)
+ list_del_rcu(&wq->list);
+ mutex_unlock(&wq_pool_mutex);
+
+- workqueue_sysfs_unregister(wq);
+-
+- if (wq->rescuer)
+- kthread_stop(wq->rescuer->task);
+-
+ if (!(wq->flags & WQ_UNBOUND)) {
+ /*
+ * The base ref is never dropped on per-cpu pwqs. Directly
+--
+2.35.3
+
diff --git a/patches.suse/wq-handle-VM-suspension-in-stall-detection.patch b/patches.suse/wq-handle-VM-suspension-in-stall-detection.patch
new file mode 100644
index 0000000..e461fa7
--- /dev/null
+++ b/patches.suse/wq-handle-VM-suspension-in-stall-detection.patch
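Review bot: The new rescuer block in destroy_workqueue() relies on its position, after `drain_workqueue(wq)` and before the sanity checks, but the comment `/* kill rescuer, if sanity checks fail, leave it w/o rescuer */` states neither that ordering nor its consequence. Draining happens while the rescuer still exists, which seems to answer the question in the removed blacklist.conf entry about the rescuer being needed to drain the queue; recording it in the code would stop a later reorder from breaking it, for example `/* after drain_workqueue(): draining may still depend on the rescuer */`. It is also worth one sentence in that comment that a workqueue which fails the sanity checks is now left with neither a sysfs entry nor a rescuer. destroy_workqueue() starts and ends outside the quoted context.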
@@ -0,0 +1,89 @@
+From 940d71c6462e8151c78f28e4919aa8882ff2054e Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky
+Date: Thu, 20 May 2021 19:14:22 +0900
+Subject: [PATCH] wq: handle VM suspension in stall detection
+Git-commit: 940d71c6462e8151c78f28e4919aa8882ff2054e
+Patch-mainline: v5.13-rc4
+References: bsc#1210466
+
+If VCPU is suspended (VM suspend) in wq_watchdog_timer_fn() then
+once this VCPU resumes it will see the new jiffies value, while it
+may take a while before IRQ detects PVCLOCK_GUEST_STOPPED on this
+VCPU and updates all the watchdogs via pvclock_touch_watchdogs().
+There is a small chance of misreported WQ stalls in the meantime,
+because new jiffies is time_after() old 'ts + thresh'.
+
+wq_watchdog_timer_fn()
+{
+ for_each_pool(pool, pi) {
+ if (time_after(jiffies, ts + thresh)) {
+ pr_emerg("BUG: workqueue lockup - pool");
+ }
+ }
+}
+
+Save jiffies at the beginning of this function and use that value
+for stall detection. If VM gets suspended then we continue using
+"old" jiffies value and old WQ touch timestamps. If IRQ at some
+point restarts the stall detection cycle (pvclock_touch_watchdogs())
+then old jiffies will always be before new 'ts + thresh'.
+
+Signed-off-by: Sergey Senozhatsky
+Signed-off-by: Tejun Heo
+Acked-by: Petr Mladek
+
+---
+ kernel/workqueue.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index b19d759e55a5..50142fc08902 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -50,6 +50,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "workqueue_internal.h"
+
+@@ -5772,6 +5773,7 @@ static void wq_watchdog_timer_fn(struct timer_list *unused)
+ {
+ unsigned long thresh = READ_ONCE(wq_watchdog_thresh) * HZ;
+ bool lockup_detected = false;
++ unsigned long now = jiffies;
+ struct worker_pool *pool;
+ int pi;
+
+@@ -5786,6 +5788,12 @@ static void wq_watchdog_timer_fn(struct timer_list *unused)
+ if (list_empty(&pool->worklist))
+ continue;
+
++ /*
++ * If a virtual machine is stopped by the host it can look to
++ * the watchdog like a stall.
++ */
++ kvm_check_and_clear_guest_paused();
++
+ /* get the latest of pool and touched timestamps */
+ pool_ts = READ_ONCE(pool->watchdog_ts);
+ touched = READ_ONCE(wq_watchdog_touched);
+@@ -5799,12 +5807,12 @@ static void wq_watchdog_timer_fn(struct timer_list *unused)
+ }
+
+ /* did we stall? */
+- if (time_after(jiffies, ts + thresh)) {
++ if (time_after(now, ts + thresh)) {
+ lockup_detected = true;
+ pr_emerg("BUG: workqueue lockup - pool");
+ pr_cont_pool_info(pool);
+ pr_cont(" stuck for %us!\n",
+- jiffies_to_msecs(jiffies - pool_ts) / 1000);
++ jiffies_to_msecs(now - pool_ts) / 1000);
+ }
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch b/patches.suse/x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch
new file mode 100644
index 0000000..7cdcc45
--- /dev/null
+++ b/patches.suse/x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch
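Review bot: `unsigned long now = jiffies;` in wq_watchdog_timer_fn() is the core of the fix but has no comment, so a later cleanup could switch the comparison back to reading `jiffies` directly. The description explains that the snapshot keeps a guest resumed mid-scan from comparing a new jiffies value against an old `ts + thresh`; a short comment at the declaration would preserve that, e.g. `/* snapshot once: a VM resume during the scan must not move 'now' past ts + thresh */`. Separately, `kvm_check_and_clear_guest_paused()` is called unconditionally and the header named on the added `#include` line is not visible on this page, so for a backport confirm that every architecture and config built from this tree gets a declaration or stub for it. The function body continues outside the hunks.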
@@ -0,0 +1,94 @@
+From: KP Singh
+Date: Mon, 27 Feb 2023 07:05:40 +0100
+Subject: x86/speculation: Allow enabling STIBP with legacy IBRS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 6921ed9049bc7457f66c1596c5b78aec0dae4a9d
+Patch-mainline: 6.3-rc1
+References: bsc#1210506 CVE-2023-1998
+
+When plain IBRS is enabled (not enhanced IBRS), the logic in
+spectre_v2_user_select_mitigation() determines that STIBP is not needed.
+
+The IBRS bit implicitly protects against cross-thread branch target
+injection. However, with legacy IBRS, the IBRS bit is cleared on
+returning to userspace for performance reasons which leaves userspace
+threads vulnerable to cross-thread branch target injection against which
+STIBP protects.
+
+Exclude IBRS from the spectre_v2_in_ibrs_mode() check to allow for
+enabling STIBP (through seccomp/prctl() by default or always-on, if
+selected by spectre_v2_user kernel cmdline parameter).
+
+ [ bp: Massage. ]
+
+Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS")
+Reported-by: José Oliveira
+Reported-by: Rodrigo Branco
+Signed-off-by: KP Singh
+Signed-off-by: Borislav Petkov (AMD)
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230220120127.1975241-1-kpsingh@kernel.org
+Link: https://lore.kernel.org/r/20230221184908.2349578-1-kpsingh@kernel.org
+Signed-off-by: Jiri Slaby
+---
+ arch/x86/kernel/cpu/bugs.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1037,14 +1037,18 @@ spectre_v2_parse_user_cmdline(void)
+ return SPECTRE_V2_USER_CMD_AUTO;
+ }
+
+-static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
++static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode)
+ {
+- return mode == SPECTRE_V2_IBRS ||
+- mode == SPECTRE_V2_EIBRS ||
++ return mode == SPECTRE_V2_EIBRS ||
+ mode == SPECTRE_V2_EIBRS_RETPOLINE ||
+ mode == SPECTRE_V2_EIBRS_LFENCE;
+ }
+
++static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
++{
++ return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS;
++}
++
+ static void __init
+ spectre_v2_user_select_mitigation(void)
+ {
+@@ -1107,12 +1111,19 @@ spectre_v2_user_select_mitigation(void)
+ }
+
+ /*
+- * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
+- * STIBP is not required.
++ * If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP
++ * is not required.
++ *
++ * Enhanced IBRS also protects against cross-thread branch target
++ * injection in user-mode as the IBRS bit remains always set which
++ * implicitly enables cross-thread protections. However, in legacy IBRS
++ * mode, the IBRS bit is set only on kernel entry and cleared on return
++ * to userspace. This disables the implicit cross-thread protection,
++ * so allow for STIBP to be selected in that case.
+ */
+ if (!boot_cpu_has(X86_FEATURE_STIBP) ||
+ !smt_possible ||
+- spectre_v2_in_ibrs_mode(spectre_v2_enabled))
++ spectre_v2_in_eibrs_mode(spectre_v2_enabled))
+ return;
+
+ /*
+@@ -2173,7 +2184,7 @@ static ssize_t mmio_stale_data_show_stat
+
+ static char *stibp_state(void)
+ {
+- if (spectre_v2_in_ibrs_mode(spectre_v2_enabled))
++ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled))
+ return "";
+
+ switch (spectre_v2_user_stibp) {
diff --git a/series.conf b/series.conf
index a85e0c1..5af9789 100644
--- a/series.conf
+++ b/series.conf
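Review bot: `spectre_v2_in_eibrs_mode()` and `spectre_v2_in_ibrs_mode()` now differ only in whether `SPECTRE_V2_IBRS` is included, and neither helper says which one a caller deciding on STIBP should use. A one-line comment on each would prevent the wrong pick, e.g. `/* eIBRS variants only: IBRS stays set in user mode, so STIBP is implied */` and `/* any IBRS flavour, including legacy IBRS that is cleared on return to userspace */`. Only two call sites are switched in the visible hunks (`spectre_v2_user_select_mitigation()` and `stibp_state()`); any other caller of `spectre_v2_in_ibrs_mode()` lies outside them and keeps the IBRS-inclusive meaning, which is worth checking against the backport target. Per the description, STIBP under legacy IBRS is by default only applied through seccomp/prctl() unless always-on is selected with spectre_v2_user, so tasks that do not opt in stay without cross-thread protection.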
@@ -43047,6 +43047,7 @@
 patches.suse/0456-crypto-caam-qi-simplify-CGR-allocation-freeing.patch
 patches.suse/crypto-chelsio-Update-ntx-queue-received-from-cxgb4.patch
 patches.suse/printk-Fix-panic-caused-by-passing-log_buf_len-to-co.patch
+ patches.suse/printk-Give-error-on-attempt-to-set-log-buffer-lengt.patch
 patches.suse/cgroup-netclassid-add-a-preemption-point-to-write_cl.patch
 patches.suse/kvm-s390-set-host-program-identifier.patch
 patches.suse/s390-sles15sp1-00-07-01-KVM-s390-vsie-simulate-VCPU-SIE-entry-exit.patch
@@ -53697,6 +53698,8 @@
 patches.suse/edac-amd64-save-max-number-of-controllers-to-family-type.patch
 patches.suse/edac-ghes-fix-locking-and-memory-barrier-issues.patch
 patches.suse/edac-ghes-do-not-warn-when-incrementing-refcount-on-0.patch
+ patches.suse/workqueue-Fix-spurious-sanity-check-failures-in-dest.patch
+ patches.suse/workqueue-Fix-missing-kfree-rescuer-in-destroy_workq.patch
 patches.suse/0001-workqueue-Fix-pwq-ref-leak-in-rescuer_thread.patch
 patches.suse/cgroup-pids-use-atomic64_t-for-pids-limit.patch
 patches.suse/livepatch-keep-replaced-patches-until-post_patch-callback-is-called.patch
@@ -54750,6 +54753,7 @@
 patches.suse/tun-add-mutex_unlock-call-and-napi.skb-clearing-in-t.patch
 patches.suse/libertas-Fix-two-buffer-overflows-at-parsing-bss-des.patch
 patches.suse/iwlwifi-mvm-fix-NVM-check-for-3168-devices.patch
+ patches.suse/iwlwifi-fw-make-pos-static-in-iwl_sar_get_ewrd_table.patch
 patches.suse/0004-net-sonic-Add-mutual-exclusion-for-accessing-shared-.patch
 patches.suse/net_sched-fix-datalen-for-ematch.patch
 patches.suse/net-cxgb3_main-Add-CAP_NET_ADMIN-check-to-CHELSIO_GE.patch
@@ -59076,6 +59080,7 @@
 patches.suse/orinoco-Move-context-allocation-after-processing-the.patch
 patches.suse/cw1200-fix-missing-destroy_workqueue-on-error-in-cw1.patch
 patches.suse/ath6kl-fix-enum-conversion-warning.patch
+ patches.suse/ath10k-Fix-the-parsing-error-in-service-available-ev.patch
 patches.suse/ath10k-Fix-an-error-handling-path.patch
 patches.suse/ath10k-Release-some-resources-in-an-error-handling-p.patch
 patches.suse/ibmvnic-add-some-debugs.patch
@@ -59542,6 +59547,7 @@
 patches.suse/NFC-fix-possible-resource-leak.patch
 patches.suse/NFC-fix-resource-leak-when-target-index-is-invalid.patch
 patches.suse/mt7601u-fix-rx-buffer-refcounting.patch
+ patches.suse/iwlwifi-pcie-reschedule-in-long-running-memory-reads.patch
 patches.suse/team-protect-features-update-by-RCU-to-avoid-deadloc.patch
 patches.suse/igc-fix-link-speed-advertising.patch
 patches.suse/can-dev-prevent-potential-information-leak-in-can_fi.patch
@@ -59610,6 +59616,7 @@
 patches.suse/vmxnet3-Remove-buf_info-from-device-accessible-struc.patch
 patches.suse/ibmvnic-rework-to-ensure-SCRQ-entry-reads-are-proper.patch
 patches.suse/ibmvnic-remove-unnecessary-rmb-inside-ibmvnic_poll.patch
+ patches.suse/ath10k-Fix-error-handling-in-case-of-CE-pipe-init-fa.patch
 patches.suse/ath-Use-safer-key-clearing-with-key-cache-entries.patch
 patches.suse/ath9k-Clear-key-cache-explicitly-on-disabling-hardwa.patch
 patches.suse/ath-Export-ath_hw_keysetmac.patch
@@ -60624,6 +60631,7 @@
 patches.suse/xen-pciback-reconfigure-also-from-backend-watch-hand.patch
 patches.suse/nvme-fc-clear-q_live-at-beginning-of-association-tea.patch
 patches.suse/locking-mutex-clear-MUTEX_FLAGS-if-wait_list-is-empt.patch
+ patches.suse/wq-handle-VM-suspension-in-stall-detection.patch
 patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
 patches.suse/net-netcp-Fix-an-error-message.patch
 patches.suse/net-mlx4-Fix-EEPROM-dump-support.patch
@@ -60912,6 +60920,7 @@
 patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
 patches.suse/cw1200-add-missing-MODULE_DEVICE_TABLE.patch
 patches.suse/ath9k-Fix-kernel-NULL-pointer-dereference-during-ath.patch
+ patches.suse/ath10k-add-missing-error-return-code-in-ath10k_pci_p.patch
 patches.suse/wireless-carl9170-fix-LEDS-build-errors-warnings.patch
 patches.suse/wcn36xx-Move-hal_buf-allocation-to-devm_kmalloc-in-p.patch
 patches.suse/ath10k-Fix-an-error-code-in-ath10k_add_interface.patch
@@ -61743,7 +61752,9 @@
 patches.suse/libertas-Fix-possible-memory-leak-in-probe-and-disco.patch
 patches.suse/wcn36xx-Fix-HT40-capability-for-2Ghz-band.patch
 patches.suse/wcn36xx-add-proper-DMA-memory-barriers-in-rx-path.patch
+ patches.suse/ath10k-fix-control-message-timeout.patch
 patches.suse/ath6kl-fix-control-message-timeout.patch
+ patches.suse/ath10k-fix-division-by-zero-in-send-path.patch
 patches.suse/ath6kl-fix-division-by-zero-in-send-path.patch
 patches.suse/rtl8187-fix-control-message-timeouts.patch
 patches.suse/msft-hv-2473-net-mana-Fix-the-netdev_err-s-vPort-argument-in-mana.patch
@@ -62185,6 +62196,8 @@
 patches.suse/cifs-mark-sessions-for-reconnection-in-helper-function.patch
 patches.suse/msft-hv-2522-PCI-hv-Fix-NUMA-node-assignment-when-kernel-boots-wi.patch
 patches.suse/mmc-block-fix-read-single-on-recovery-logic.patch
+ patches.suse/iwlwifi-pcie-fix-locking-when-HW-not-ready.patch
+ patches.suse/iwlwifi-pcie-gen2-fix-locking-when-HW-not-ready.patch
 patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch
 patches.suse/USB-zaurus-support-another-broken-Zaurus.patch
 patches.suse/net-usb-cdc_mbim-avoid-altsetting-toggling-for-Teli2.patch
@@ -62290,6 +62303,7 @@
 patches.suse/msft-hv-2523-net-mana-Add-handling-of-CQE_RX_TRUNCATED.patch
 patches.suse/msft-hv-2524-net-mana-Remove-unnecessary-check-of-cqe_type-in-man.patch
 patches.suse/net-asix-add-proper-error-handling-of-usb-read-error.patch
+ patches.suse/ath10k-fix-memory-overwrite-of-the-WoWLAN-wakeup-pac.patch
 patches.suse/ath5k-fix-OOB-in-ath5k_eeprom_read_pcal_info_5111.patch
 patches.suse/net-ibmvnic-Cleanup-workaround-doing-an-EOI-after-pa.patch
 patches.suse/ipv6-annotate-some-data-races-around-sk-sk_prot.patch
@@ -62298,6 +62312,7 @@
 patches.suse/ixgbe-add-the-ability-for-the-PF-to-disable-VF-link-.patch
 patches.suse/ixgbe-add-improvement-for-MDD-response-functionality.patch
 patches.suse/ixgbevf-add-disable-link-state.patch
+ patches.suse/iwlwifi-Fix-EIO-error-code-that-is-never-returned.patch
 patches.suse/msft-hv-2552-net-netvsc-remove-break-after-return.patch
 patches.suse/drivers-net-xgene-Fix-regression-in-CRC-stripping.patch
 patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch
@@ -63168,6 +63183,7 @@
 patches.suse/powerpc-rtas-ensure-4KB-alignment-for-rtas_data_buf.patch
 patches.suse/media-platform-ti-Add-missing-check-for-devm_regulat.patch
 patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch
+ patches.suse/x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch
 patches.suse/net-usb-qmi_wwan-add-Telit-0x1080-composition.patch
 patches.suse/SUNRPC-Fix-a-server-shutdown-leak.patch
 patches.suse/scsi-qla2xxx-Add-option-to-disable-FC2-Target-suppor.patch
@@ -64224,6 +64240,7 @@
 patches.kabi/NFS-Pass-error-information-to-the-pgio-error-cleanup.patch
 patches.kabi/PCI-endpoint-Fix-for-concurrent-memory-allocation-in.patch
 patches.kabi/intel_pmc_ipc-restore-ability-to-call-functions-with.patch
+ patches.kabi/struct-wmi_svc_avail_ev_arg-new-member-to-end.patch

 ########################################################
 # You'd better have a good reason for adding a patch