diff --git a/blacklist.conf b/blacklist.conf
index 0043a19..7141d74 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1446,7 +1446,6 @@ f28439db470cca8b6b082239314e9fd10bd39034 # sparse warning fix only
 2e4c6c1a9db5e12556a12ea722df71096247e178 # not applicable
 c6883985d46319e0d4f159de8932b09ff93e877d # not applicable
 5a184d959d5a5a66b377cb5cd4c95a80388e0c88 # not applicable
-b601c16b7ba8f3bb7a7e773b238da6b63657fa1d # not applicable
 c9d9fdbc108af8915d3f497bbdf3898bf8f321b8 # not applicable
 5810323ba692895b045e3f1b3e107605c3717dab # not applicable
 93b713304188844b8514074dc13ffd56d12235d3 # not applicable
@@ -1497,3 +1496,9 @@ ec9d78070de986ecf581ea204fd322af4d2477ec # Fixes Clang build issue: https://revi
 b2423184ac3352a52fc7562fa0e7d23435fe67b9 # not applicable
 11e3c676683c340966b9467da7d09080e522e181 # Changes kABI for no good reason
 0abb33bfca0fb74df76aac03e90ce685016ef7be # not applicable
+860dafa902595fb5f1d23bbcce1215188c3341e6 # does not apply: vt: Fix character height handling with VT_RESIZEX
+7b0e2c4f6be3ec68bf807c84e985e81c21404cd1 # cleanup only
+91b96f0008a2d66d76b525556e4818f5a4a089e4 # Duplicate of 3dd6c11b60d2f1e4082221a8831f91093c4494aa: drm/i915: Drop all references to DRM IRQ midlayer
+faf890985e30d5e88cc3a7c50c1bcad32f89ab7c # Duplicate of a63bcf08f0efb5348105bb8e0e1e8c6671077753: drm/i915: Fix syncmap memory leak
+4579509ef181480f4e4510d436c691519167c5c2 # Duplicate of f15863b27752682bb700c21de5f83f613a0fb77e: Revert "drm/i915/tgl/dsi: Gate the ddi clocks after pll mapping"
+d210919dbdc8a82c676cc3e3c370b1802be63124 # Duplicate of d5185965c3b59073c4520bad7dd2adf725b9abba: drm/tegra: Add back arm_iommu_detach_device()
diff --git a/patches.kabi/block-fixup-kabi-blk_mq_sched_try_insert_merge.patch b/patches.kabi/block-fixup-kabi-blk_mq_sched_try_insert_merge.patch
index cbd2a8f..a6ef6a2 100644
--- a/patches.kabi/block-fixup-kabi-blk_mq_sched_try_insert_merge.patch
+++ b/patches.kabi/block-fixup-kabi-blk_mq_sched_try_insert_merge.patch
@@ -17,10 +17,10 @@ Signed-off-by: Jan Kara --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c -@@ -5522,7 +5522,7 @@ static void bfq_insert_request(struct bl - bfqg_stats_update_legacy_io(q, rq); +@@ -5663,7 +5663,7 @@ static void bfq_insert_request(struct bl #endif spin_lock_irq(&bfqd->lock); + bfqq = bfq_init_rq(rq); - if (blk_mq_sched_try_insert_merge(q, rq, &free)) { + if (blk_mq_sched_try_insert_merge_list(q, rq, &free)) { spin_unlock_irq(&bfqd->lock); @@ -28,7 +28,7 @@ Signed-off-by: Jan Kara return; --- a/block/blk-mq-sched.c +++ b/block/blk-mq-sched.c -@@ -372,11 +372,24 @@ bool __blk_mq_sched_bio_merge(struct req +@@ -485,11 +485,24 @@ bool __blk_mq_sched_bio_merge(struct req return ret; } @@ -57,7 +57,7 @@ Signed-off-by: Jan Kara void blk_mq_sched_request_inserted(struct request *rq) --- a/block/blk-mq-sched.h +++ b/block/blk-mq-sched.h -@@ -15,8 +15,9 @@ bool blk_mq_sched_try_merge(struct reque +@@ -16,8 +16,9 @@ bool blk_mq_sched_try_merge(struct reque unsigned int nr_segs, struct request **merged_request); bool __blk_mq_sched_bio_merge(struct request_queue *q, struct bio *bio, unsigned int nr_segs); diff --git a/patches.suse/0001-SUNRPC-Ensure-we-flush-any-closed-sockets-before-xs_.patch b/patches.suse/0001-SUNRPC-Ensure-we-flush-any-closed-sockets-before-xs_.patch new file mode 100644 index 0000000..9a2e48b --- /dev/null +++ b/patches.suse/0001-SUNRPC-Ensure-we-flush-any-closed-sockets-before-xs_.patch 
@@ -0,0 +1,102 @@ +From 18ae2a800516f79c05d495fc91afca8a46041dab Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 14 Apr 2022 14:22:21 +0200 +Subject: [PATCH] SUNRPC: Ensure we flush any closed sockets before + xs_xprt_free() + + We must ensure that all sockets are closed before we call + xprt_free() and release the reference to the net namespace. The problem is + that calling fput() will defer closing the socket until delayed_fput() gets + called. Let's fix the situation by allowing rpciod and the transport teardown + code (which runs on the system wq) to call __fput_sync(), and directly close + the socket. +Git-commit: f00432063db1a0db484e85193eccc6845435b80e +Patch-mainline: v5.18-rc2 +References: bsc#1198330 CVE-2022-28893 + +Reported-by: Felix Fu +Acked-by: Al Viro +Fixes: a73881c96d73 ("SUNRPC: Fix an Oops in udp_poll()") +Cc: stable@vger.kernel.org # 5.1.x: 3be232f11a3c: SUNRPC: Prevent immediate close+reconnect +Cc: stable@vger.kernel.org # 5.1.x: 89f42494f92f: SUNRPC: Don't call connect() more than once on a TCP socket +Cc: stable@vger.kernel.org # 5.1.x +Signed-off-by: Trond Myklebust +Acked-by: NeilBrown +Signed-off-by: Vasant Karasulli + +--- + fs/file_table.c | 1 + + net/sunrpc/xprt.c | 5 +---- + net/sunrpc/xprtsock.c | 16 +++++++++++++--- + 3 files changed, 15 insertions(+), 7 deletions(-) + +--- a/fs/file_table.c ++++ b/fs/file_table.c +@@ -375,6 +375,7 @@ void __fput_sync(struct file *file) + } + + EXPORT_SYMBOL(fput); ++EXPORT_SYMBOL(__fput_sync); + + void __init files_init(void) + { +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -877,10 +877,7 @@ void xprt_connect(struct rpc_task *task) + if (!xprt_lock_write(xprt, task)) + return; + +- if (test_and_clear_bit(XPRT_CLOSE_WAIT, &xprt->state)) +- xprt->ops->close(xprt); +- +- if (!xprt_connected(xprt)) { ++ if (!xprt_connected(xprt) && !test_bit(XPRT_CLOSE_WAIT, &xprt->state)) { + task->tk_rqstp->rq_connect_cookie = xprt->connect_cookie; + rpc_sleep_on_timeout(&xprt->pending, task, 
NULL, + xprt_request_timeout(task->tk_rqstp)); +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -965,7 +965,7 @@ static int xs_local_send_request(struct + + /* Close the stream if the previous transmission was incomplete */ + if (xs_send_request_was_aborted(transport, req)) { +- xs_close(xprt); ++ xprt_force_disconnect(xprt); + return -ENOTCONN; + } + +@@ -1003,7 +1003,7 @@ static int xs_local_send_request(struct + -status); + /* fall through */ + case -EPIPE: +- xs_close(xprt); ++ xprt_force_disconnect(xprt); + status = -ENOTCONN; + } + +@@ -1279,6 +1279,16 @@ static void xs_reset_transport(struct so + + if (sk == NULL) + return; ++ /* ++ * Make sure we're calling this in a context from which it is safe ++ * to call __fput_sync(). In practice that means rpciod and the ++ * system workqueue. ++ */ ++ if (!(current->flags & PF_WQ_WORKER)) { ++ WARN_ON_ONCE(1); ++ set_bit(XPRT_CLOSE_WAIT, &xprt->state); ++ return; ++ } + + if (atomic_read(&transport->xprt.swapper)) + sk_clear_memalloc(sk); +@@ -1302,7 +1312,7 @@ static void xs_reset_transport(struct so + mutex_unlock(&transport->recv_mutex); + + trace_rpc_socket_close(xprt, sock); +- fput(filp); ++ __fput_sync(filp); + + xprt_disconnect_done(xprt); + } diff --git a/patches.suse/0001-drm-i915-Drop-all-references-to-DRM-IRQ-midlayer.patch b/patches.suse/0001-drm-i915-Drop-all-references-to-DRM-IRQ-midlayer.patch new file mode 100644 index 0000000..d1e86b3 --- /dev/null +++ b/patches.suse/0001-drm-i915-Drop-all-references-to-DRM-IRQ-midlayer.patch 
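Review bot: The early return added to xs_reset_transport() only sets `XPRT_CLOSE_WAIT` and leaves the socket open when the caller is not a workqueue worker, while the xprt_connect() hunk removes the one place in this patch that acted on that bit, so the actual close now depends on code outside these hunks. The stable tags in the header name 3be232f11a3c and 89f42494f92f as prerequisites; the series should carry both, otherwise a transport parked in `XPRT_CLOSE_WAIT` may never be torn down and the net-namespace reference this CVE fix is about could stay held. I would record in the patch header that both prerequisites are present in this tree. Separately, `EXPORT_SYMBOL(__fput_sync)` exposes the helper to every module, which is wider than the two contexts the commit message says are safe callers; a comment next to the export stating that restriction would help. All three touched functions continue outside the hunks.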
@@ -0,0 +1,68 @@ +From 3dd6c11b60d2f1e4082221a8831f91093c4494aa Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Thu, 1 Jul 2021 19:36:18 +0200 +Subject: drm/i915: Drop all references to DRM IRQ midlayer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 3dd6c11b60d2f1e4082221a8831f91093c4494aa +Patch-mainline: v5.14-rc1 +References: bsc#1152489 + +Remove all references to DRM's IRQ midlayer. i915 uses Linux' interrupt +functions directly. + +v2: + * also remove an outdated comment + * move IRQ fix into separate patch + * update Fixes tag (Daniel) + +Signed-off-by: Thomas Zimmermann +Fixes: b318b82455bd ("drm/i915: Nuke drm_driver irq vfuncs") +Cc: Ville Syrjälä +Cc: Chris Wilson +Cc: Jani Nikula +Cc: Joonas Lahtinen +Cc: Rodrigo Vivi +Cc: intel-gfx@lists.freedesktop.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210701173618.10718-3-tzimmermann@suse.de +(cherry picked from commit 91b96f0008a2d66d76b525556e4818f5a4a089e4) +Signed-off-by: Rodrigo Vivi +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/i915/i915_drv.c | 1 - + drivers/gpu/drm/i915/i915_irq.c | 5 ----- + 2 files changed, 6 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_drv.c ++++ b/drivers/gpu/drm/i915/i915_drv.c +@@ -42,7 +42,6 @@ + + #include + #include +-#include + #include + #include + +--- a/drivers/gpu/drm/i915/i915_irq.c ++++ b/drivers/gpu/drm/i915/i915_irq.c +@@ -33,7 +33,6 @@ + #include + + #include +-#include + + #include "display/intel_display_types.h" + #include "display/intel_fifo_underrun.h" +@@ -4187,10 +4186,6 @@ void intel_runtime_pm_enable_interrupts( + + bool intel_irqs_enabled(struct drm_i915_private *dev_priv) + { +- /* +- * We only use drm_irq_uninstall() at unload and VT switch, so +- * this is the only thing we need to check. +- */ + return dev_priv->runtime_pm.irqs_enabled; + } + 
diff --git a/patches.suse/0001-drm-vgem-Close-use-after-free-race-in-vgem_gem_creat.patch b/patches.suse/0001-drm-vgem-Close-use-after-free-race-in-vgem_gem_creat.patch index 6358650..3cdeb37 100644 --- a/patches.suse/0001-drm-vgem-Close-use-after-free-race-in-vgem_gem_creat.patch +++ b/patches.suse/0001-drm-vgem-Close-use-after-free-race-in-vgem_gem_creat.patch @@ -4,7 +4,7 @@ Date: Sun, 2 Feb 2020 14:21:33 +0100 Subject: drm/vgem: Close use-after-free race in vgem_gem_create Git-commit: 4b848f20eda5974020f043ca14bacf7a7e634fc8 Patch-mainline: v5.6-rc2 -References: jsc#SLE-12680, jsc#SLE-12880, jsc#SLE-12882, jsc#SLE-12883, jsc#SLE-13496, jsc#SLE-15322 +References: CVE-2022-1419 bsc#1198742 bsc#1152472 There's two references floating around here (for the object reference, not the handle_count reference, that's a different thing): diff --git a/patches.suse/0001-drm-vmwgfx-Remove-unused-compile-options.patch b/patches.suse/0001-drm-vmwgfx-Remove-unused-compile-options.patch new file mode 100644 index 0000000..a95ac4d --- /dev/null +++ b/patches.suse/0001-drm-vmwgfx-Remove-unused-compile-options.patch 
@@ -0,0 +1,97 @@ +From 50ca8cc7c0fdd9ab16b8b66ffb301fface101fac Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Wed, 15 Dec 2021 13:41:47 -0500 +Subject: drm/vmwgfx: Remove unused compile options +Git-commit: 50ca8cc7c0fdd9ab16b8b66ffb301fface101fac +Patch-mainline: v5.17-rc1 +References: bsc#1152472 + +Before the driver had screen targets support we had to disable explicit +bringup of its infrastructure because it was breaking screen objects +support. +Since the implementation of screen targets landed there hasn't been a +reason to explicitly disable it and the options were never used. +Remove of all that unused code. + +Signed-off-by: Zack Rusin +Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support") +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20211215184147.3688785-3-zack@kde.org +(cherry picked from commit 11343099d5ae6c7411da1425b6b162c89fb5bf10) +Signed-off-by: Thomas Zimmermann +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 3 --- + drivers/gpu/drm/vmwgfx/vmwgfx_mob.c | 12 +++--------- + drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 ++-- + 3 files changed, 5 insertions(+), 14 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +@@ -61,11 +61,8 @@ + #define VMWGFX_DRIVER_MINOR 18 + #define VMWGFX_DRIVER_PATCHLEVEL 0 + #define VMWGFX_FIFO_STATIC_SIZE (1024*1024) +-#define VMWGFX_MAX_RELOCATIONS 2048 +-#define VMWGFX_MAX_VALIDATIONS 2048 + #define VMWGFX_MAX_DISPLAYS 16 + #define VMWGFX_CMD_BOUNCE_INIT_SIZE 32768 +-#define VMWGFX_ENABLE_SCREEN_TARGET_OTABLE 1 + + /* + * Perhaps we should have sysfs entries for these. 
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c +@@ -1,7 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 OR MIT + /************************************************************************** + * +- * Copyright 2012-2015 VMware, Inc., Palo Alto, CA., USA ++ * Copyright 2012-2021 VMware, Inc., Palo Alto, CA., USA + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the +@@ -29,12 +29,6 @@ + + #include "vmwgfx_drv.h" + +-/* +- * If we set up the screen target otable, screen objects stop working. +- */ +- +-#define VMW_OTABLE_SETUP_SUB ((VMWGFX_ENABLE_SCREEN_TARGET_OTABLE ? 0 : 1)) +- + #ifdef CONFIG_64BIT + #define VMW_PPN_SIZE 8 + #define VMW_MOBFMT_PTDEPTH_0 SVGA3D_MOBFMT_PTDEPTH64_0 +@@ -75,7 +69,7 @@ static const struct vmw_otable pre_dx_ta + {VMWGFX_NUM_GB_CONTEXT * SVGA3D_OTABLE_CONTEXT_ENTRY_SIZE, NULL, true}, + {VMWGFX_NUM_GB_SHADER * SVGA3D_OTABLE_SHADER_ENTRY_SIZE, NULL, true}, + {VMWGFX_NUM_GB_SCREEN_TARGET * SVGA3D_OTABLE_SCREEN_TARGET_ENTRY_SIZE, +- NULL, VMWGFX_ENABLE_SCREEN_TARGET_OTABLE} ++ NULL, true} + }; + + static const struct vmw_otable dx_tables[] = { +@@ -84,7 +78,7 @@ static const struct vmw_otable dx_tables + {VMWGFX_NUM_GB_CONTEXT * SVGA3D_OTABLE_CONTEXT_ENTRY_SIZE, NULL, true}, + {VMWGFX_NUM_GB_SHADER * SVGA3D_OTABLE_SHADER_ENTRY_SIZE, NULL, true}, + {VMWGFX_NUM_GB_SCREEN_TARGET * SVGA3D_OTABLE_SCREEN_TARGET_ENTRY_SIZE, +- NULL, VMWGFX_ENABLE_SCREEN_TARGET_OTABLE}, ++ NULL, true}, + {VMWGFX_NUM_DXCONTEXT * sizeof(SVGAOTableDXContextEntry), NULL, true}, + }; + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c +@@ -1865,8 +1865,8 @@ int vmw_kms_stdu_init_display(struct vmw + int i, ret; + + +- /* Do nothing if Screen Target support is turned off */ +- if (!VMWGFX_ENABLE_SCREEN_TARGET_OTABLE || !dev_priv->has_mob) ++ /* Do nothing if there's no support for MOBs */ ++ if 
(!dev_priv->has_mob) + return -ENOSYS; + + if (!(dev_priv->capabilities & SVGA_CAP_GBOBJECTS)) diff --git a/patches.suse/0002-backlight-qcom-wled-Respect-enabled-strings-in-set_b.patch b/patches.suse/0002-backlight-qcom-wled-Respect-enabled-strings-in-set_b.patch new file mode 100644 index 0000000..cfb0a84 --- /dev/null +++ b/patches.suse/0002-backlight-qcom-wled-Respect-enabled-strings-in-set_b.patch 
@@ -0,0 +1,131 @@ +From ec961cf3241153e0f27d850f1bf0f172e7d27a21 Mon Sep 17 00:00:00 2001 +From: Marijn Suijten +Date: Mon, 15 Nov 2021 21:34:59 +0100 +Subject: backlight: qcom-wled: Respect enabled-strings in set_brightness +Git-commit: ec961cf3241153e0f27d850f1bf0f172e7d27a21 +Patch-mainline: v5.17-rc1 +References: bsc#1152489 + +The hardware is capable of controlling any non-contiguous sequence of +LEDs specified in the DT using qcom,enabled-strings as u32 +array, and this also follows from the DT-bindings documentation. The +numbers specified in this array represent indices of the LED strings +that are to be enabled and disabled. + +Its value is appropriately used to setup and enable string modules, but +completely disregarded in the set_brightness paths which only iterate +over the number of strings linearly. +Take an example where only string 2 is enabled with +qcom,enabled_strings=<2>: this string is appropriately enabled but +subsequent brightness changes would have only touched the zero'th +brightness register because num_strings is 1 here. This is simply +addressed by looking up the string for this index in the enabled_strings +array just like the other codepaths that iterate over num_strings. + +Likewise enabled_strings is now also used in the autodetection path for +consistent behaviour: when a list of strings is specified in DT only +those strings will be probed for autodetection, analogous to how the +number of strings that need to be probed is already bound by +qcom,num-strings. After all autodetection uses the set_brightness +helpers to set an initial value, which could otherwise end up changing +brightness on a different set of strings. 
+ +Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") +Fixes: 03b2b5e86986 ("backlight: qcom-wled: Add support for WLED4 peripheral") +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-10-marijn.suijten@somainline.org +Acked-by: Thomas Zimmermann +--- + drivers/video/backlight/qcom-wled.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -238,7 +238,8 @@ static int wled3_set_brightness(struct w + + for (i = 0; i < wled->cfg.num_strings; ++i) { + rc = regmap_bulk_write(wled->regmap, wled->ctrl_addr + +- WLED3_SINK_REG_BRIGHT(i), v, 2); ++ WLED3_SINK_REG_BRIGHT(wled->cfg.enabled_strings[i]), ++ v, 2); + if (rc < 0) + return rc; + } +@@ -261,7 +262,8 @@ static int wled4_set_brightness(struct w + + for (i = 0; i < wled->cfg.num_strings; ++i) { + rc = regmap_bulk_write(wled->regmap, wled->sink_addr + +- WLED4_SINK_REG_BRIGHT(i), v, 2); ++ WLED4_SINK_REG_BRIGHT(wled->cfg.enabled_strings[i]), ++ v, 2); + if (rc < 0) + return rc; + } +@@ -559,7 +561,7 @@ unlock_mutex: + + static void wled_auto_string_detection(struct wled *wled) + { +- int rc = 0, i, delay_time_us; ++ int rc = 0, i, j, delay_time_us; + u32 sink_config = 0; + u8 sink_test = 0, sink_valid = 0, val; + bool fault_set; +@@ -606,14 +608,15 @@ static void wled_auto_string_detection(s + + /* Iterate through the strings one by one */ + for (i = 0; i < wled->cfg.num_strings; i++) { +- sink_test = BIT((WLED4_SINK_REG_CURR_SINK_SHFT + i)); ++ j = wled->cfg.enabled_strings[i]; ++ sink_test = BIT((WLED4_SINK_REG_CURR_SINK_SHFT + j)); + + /* Enable feedback control */ + rc = regmap_write(wled->regmap, wled->ctrl_addr + +- WLED3_CTRL_REG_FEEDBACK_CONTROL, i + 1); ++ WLED3_CTRL_REG_FEEDBACK_CONTROL, j + 1); + if (rc < 0) { + dev_err(wled->dev, 
"Failed to enable feedback for SINK %d rc = %d\n", +- i + 1, rc); ++ j + 1, rc); + goto failed_detect; + } + +@@ -622,7 +625,7 @@ static void wled_auto_string_detection(s + WLED4_SINK_REG_CURR_SINK, sink_test); + if (rc < 0) { + dev_err(wled->dev, "Failed to configure SINK %d rc=%d\n", +- i + 1, rc); ++ j + 1, rc); + goto failed_detect; + } + +@@ -649,7 +652,7 @@ static void wled_auto_string_detection(s + + if (fault_set) + dev_dbg(wled->dev, "WLED OVP fault detected with SINK %d\n", +- i + 1); ++ j + 1); + else + sink_valid |= sink_test; + +@@ -689,15 +692,16 @@ static void wled_auto_string_detection(s + /* Enable valid sinks */ + if (wled->version == 4) { + for (i = 0; i < wled->cfg.num_strings; i++) { ++ j = wled->cfg.enabled_strings[i]; + if (sink_config & +- BIT(WLED4_SINK_REG_CURR_SINK_SHFT + i)) ++ BIT(WLED4_SINK_REG_CURR_SINK_SHFT + j)) + val = WLED4_SINK_REG_STR_MOD_MASK; + else + /* Disable modulator_en for unused sink */ + val = 0; + + rc = regmap_write(wled->regmap, wled->sink_addr + +- WLED4_SINK_REG_STR_MOD_EN(i), val); ++ WLED4_SINK_REG_STR_MOD_EN(j), val); + if (rc < 0) { + dev_err(wled->dev, "Failed to configure MODULATOR_EN rc=%d\n", + rc); diff --git a/patches.suse/0002-drm-i915-Keep-gem-ctx-vm-alive-until-the-final-put.patch b/patches.suse/0002-drm-i915-Keep-gem-ctx-vm-alive-until-the-final-put.patch new file mode 100644 index 0000000..fb1351a --- /dev/null +++ b/patches.suse/0002-drm-i915-Keep-gem-ctx-vm-alive-until-the-final-put.patch 
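Review bot: `wled->cfg.enabled_strings[i]` is now used unchecked as a register index in `WLED3_SINK_REG_BRIGHT()`, `WLED4_SINK_REG_BRIGHT()` and `WLED4_SINK_REG_STR_MOD_EN()` and as a shift amount in `BIT(WLED4_SINK_REG_CURR_SINK_SHFT + j)`, and nothing in these hunks bounds the values, which the commit message says come from the `qcom,enabled-strings` DT property. If the property-parsing code (outside this patch) does not already reject entries at or above the controller's string count, a malformed device tree would make these loops write registers outside the sink block or shift past the width of `sink_test`, which is a `u8`. Please confirm that this validation exists in the target tree, or add a range check where the property is read, before relying on the lookup here. The loops sit in functions whose bodies continue outside the hunks.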
@@ -0,0 +1,157 @@ +From 8cf97637ff8891be040bac37b96dd97e5996ca93 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Thu, 2 Sep 2021 16:20:49 +0200 +Subject: drm/i915: Keep gem ctx->vm alive until the final put +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 8cf97637ff8891be040bac37b96dd97e5996ca93 +Patch-mainline: v5.16-rc1 +References: bsc#1152489 + +The comment added in + + commit b81dde719439c8f09bb61e742ed95bfc4b33946b + Author: Chris Wilson +__ Date: Tue May 21 22:11:29 2019 +0100 + + drm/i915: Allow userspace to clone contexts on creation + +and moved in + + commit 27dbae8f36c1c25008b7885fc07c57054b7dfba3 + Author: Chris Wilson +__ Date: Wed Nov 6 09:13:12 2019 +0000 + + drm/i915/gem: Safely acquire the ctx->vm when copying + +suggested that i915_address_space were at least intended to be managed +through SLAB_TYPESAFE_BY_RCU: + + * This ppgtt may have be reallocated between + * the read and the kref, and reassigned to a third + * context. In order to avoid inadvertent sharing + * of this ppgtt with that third context (and not + * src), we have to confirm that we have the same + * ppgtt after passing through the strong memory + * barrier implied by a successful + * kref_get_unless_zero(). + +But extensive git history search has not brough any such reuse to +light. + +What has come to light though is that ever since + +commit 2850748ef8763ab46958e43a4d1c445f29eeb37d +Author: Chris Wilson +__Date: Fri Oct 4 14:39:58 2019 +0100 + + drm/i915: Pull i915_vma_pin under the vm->mutex + +(yes this commit is earlier) the final i915_vma_put call has been +moved from i915_gem_context_free (now called _release) to +context_close, which means it's not actually safe anymore to access +the ctx->vm pointer without lock helds, because it might disappear at +any moment. 
Note that superficially things all still work, because the +i915_address_space is RCU protected since + + commit b32fa811156328aea5a3c2ff05cc096490382456 + Author: Chris Wilson +__ Date: Thu Jun 20 19:37:05 2019 +0100 + + drm/i915/gtt: Defer address space cleanup to an RCU worker + +except the very clever macro above (which is designed to protected +against object reuse due to SLAB_TYPESAFE_BY_RCU or similar tricks) +results in an endless loop if the refcount of the ctx->vm ever +permanently drops to 0. Which it totally now can. + +Fix that by moving the final i915_vm_put to where it should be. + +Note that i915_gem_context is rcu protected, but _only_ the final +kfree. This means anyone who chases a pointer to a gem ctx solely +under the protection can pretty only call kref_get_unless_zero(). This +seems to be pretty much the case, aside from a bunch of cases that +consult the scheduling information without any further protection. + +Reviewed-by: Maarten Lankhorst +Cc: Jason Ekstrand +Cc: Chris Wilson +Cc: Tvrtko Ursulin +Cc: Joonas Lahtinen +Cc: Matthew Brost +Cc: Matthew Auld +Cc: Maarten Lankhorst +Cc: "Thomas Hellström" +Cc: Lionel Landwerlin +Cc: Dave Airlie +Fixes: 2850748ef876 ("drm/i915: Pull i915_vma_pin under the vm->mutex") +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210902142057.929669-3-daniel.vetter@ffwll.ch +Acked-by: Thomas Zimmermann +--- + +A message from ksd-import-patch: + + Hello dear friend, + + I'm ksd-import-patch, the tool that imported this patch + file. + + I had to prefix at least one line in the commit message + with __ to work around a bug in the commit hook of + kernel-sources, which thinks the line contains a patch + tag. + + If you think the patch should have been merged as it is + in upstream, please send this file via email to + + kernel-cvs@suse.de + + and request the problem to be fixed. 
+ + Yours truely, + ksd-import-patch + +--- + drivers/gpu/drm/i915/gem/i915_gem_context.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_context.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c +@@ -335,12 +335,18 @@ static struct i915_gem_engines *default_ + + static void i915_gem_context_free(struct i915_gem_context *ctx) + { ++ struct i915_address_space *vm; ++ + GEM_BUG_ON(!i915_gem_context_is_closed(ctx)); + + spin_lock(&ctx->i915->gem.contexts.lock); + list_del(&ctx->link); + spin_unlock(&ctx->i915->gem.contexts.lock); + ++ vm = i915_gem_context_vm(ctx); ++ if (vm) ++ i915_vm_put(vm); ++ + mutex_destroy(&ctx->engines_mutex); + mutex_destroy(&ctx->lut_mutex); + +@@ -607,8 +613,15 @@ static void context_close(struct i915_ge + set_closed_name(ctx); + + vm = i915_gem_context_vm(ctx); +- if (vm) ++ if (vm) { ++ /* i915_vm_close drops the final reference, which is a bit too ++ * early and could result in surprises with concurrent ++ * operations racing with thist ctx close. Keep a full reference ++ * until the end. ++ */ ++ i915_vm_get(vm); + i915_vm_close(vm); ++ } + + ctx->file_priv = ERR_PTR(-EBADF); + diff --git a/patches.suse/0002-vgacon-Propagate-console-boot-parameters-before-call.patch b/patches.suse/0002-vgacon-Propagate-console-boot-parameters-before-call.patch new file mode 100644 index 0000000..ed1f44f --- /dev/null +++ b/patches.suse/0002-vgacon-Propagate-console-boot-parameters-before-call.patch 
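Review bot: The `i915_vm_put()` added to i915_gem_context_free() balances the `i915_vm_get()` added in context_close(), but neither site says so, and the only guard that the context actually went through context_close() is the `GEM_BUG_ON(!i915_gem_context_is_closed(ctx))` above it, which is presumably compiled out in non-debug builds. A short comment at the put, e.g. `/* drops the reference taken in context_close() */`, would make the pairing visible to whoever changes either function next. It is also worth confirming that this tree has no path that marks a context closed without calling context_close(), since such a path would drop a reference it never took. The new comment in context_close() contains a typo (`thist`), and both function bodies continue outside the hunks.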
@@ -0,0 +1,81 @@ +From 3dfac26e2ef29ff2abc2a75aa4cd48fce25a2c4b Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 26 Oct 2021 00:26:22 +0200 +Subject: vgacon: Propagate console boot parameters before calling `vc_resize' +Git-commit: 3dfac26e2ef29ff2abc2a75aa4cd48fce25a2c4b +Patch-mainline: v5.16-rc4 +References: bsc#1152489 + +Fix a division by zero in `vgacon_resize' with a backtrace like: + +vgacon_resize +vc_do_resize +vgacon_init +do_bind_con_driver +do_unbind_con_driver +fbcon_fb_unbind +do_unregister_framebuffer +do_register_framebuffer +register_framebuffer +__drm_fb_helper_initial_config_and_unlock +drm_helper_hpd_irq_event +dw_hdmi_irq +irq_thread +kthread + +caused by `c->vc_cell_height' not having been initialized. This has +only started to trigger with commit 860dafa90259 ("vt: Fix character +height handling with VT_RESIZEX"), however the ultimate offender is +commit 50ec42edd978 ("[PATCH] Detaching fbcon: fix vgacon to allow +retaking of the console"). + +Said commit has added a call to `vc_resize' whenever `vgacon_init' is +called with the `init' argument set to 0, which did not happen before. +And the call is made before a key vgacon boot parameter retrieved in +`vgacon_startup' has been propagated in `vgacon_init' for `vc_resize' to +use to the console structure being worked on. Previously the parameter +was `c->vc_font.height' and now it is `c->vc_cell_height'. + +In this particular scenario the registration of fbcon has failed and vt +resorts to vgacon. Now fbcon does have initialized `c->vc_font.height' +somehow, unlike `c->vc_cell_height', which is why this code did not +crash before, but either way the boot parameters should have been copied +to the console structure ahead of the call to `vc_resize' rather than +afterwards, so that first the call has a chance to use them and second +they do not change the console structure to something possibly different +from what was used by `vc_resize'. 
+ +Move the propagation of the vgacon boot parameters ahead of the call to +`vc_resize' then. Adjust the comment accordingly. + +Fixes: 50ec42edd978 ("[PATCH] Detaching fbcon: fix vgacon to allow retaking of the console") +Cc: stable@vger.kernel.org # v2.6.18+ +Reported-by: Wim Osterholt +Reported-by: Pavel V. Panteleev +Signed-off-by: Maciej W. Rozycki +Link: https://lore.kernel.org/r/alpine.DEB.2.21.2110252317110.58149@angie.orcam.me.uk +Signed-off-by: Greg Kroah-Hartman +Acked-by: Thomas Zimmermann +--- + drivers/video/console/vgacon.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -370,9 +370,13 @@ static void vgacon_init(struct vc_data * + struct uni_pagedir *p; + + /* +- * We cannot be loaded as a module, therefore init is always 1, +- * but vgacon_init can be called more than once, and init will +- * not be 1. ++ * We cannot be loaded as a module, therefore init will be 1 ++ * if we are the default console, however if we are a fallback ++ * console, for example if fbcon has failed registration, then ++ * init will be 0, so we need to make sure our boot parameters ++ * have been copied to the console structure for vgacon_resize ++ * ultimately called by vc_resize. Any subsequent calls to ++ * vgacon_init init will have init set to 0 too. + */ + c->vc_can_do_color = vga_can_do_color; + diff --git a/patches.suse/0003-drm-cma-helper-Set-VM_DONTEXPAND-for-mmap.patch b/patches.suse/0003-drm-cma-helper-Set-VM_DONTEXPAND-for-mmap.patch new file mode 100644 index 0000000..71a0f4f --- /dev/null +++ b/patches.suse/0003-drm-cma-helper-Set-VM_DONTEXPAND-for-mmap.patch 
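Review bot: The only hunk in this imported patch rewrites the comment in vgacon_init(); the diffstat (7 insertions, 3 deletions) is fully accounted for by the comment lines, so the move of the boot-parameter assignments ahead of `vc_resize`, which the commit message presents as the fix for the division by zero, is not part of what gets applied. That may be intentional if this tree already assigns the values before the resize call (blacklist.conf in the same commit marks 860dafa902595fb5f1d23bbcce1215188c3341e6 as "does not apply"), but the patch header does not say so. I would add a line to the header stating that the code change was dropped in the backport and why, so the `Fixes:` tag is not read as proof that the ordering was corrected here. vgacon_init()'s body continues outside the hunk.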
@@ -0,0 +1,42 @@ +From 59f39bfa6553d598cb22f694d45e89547f420d85 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Wed, 13 Oct 2021 10:36:54 -0400 +Subject: drm/cma-helper: Set VM_DONTEXPAND for mmap +Git-commit: 59f39bfa6553d598cb22f694d45e89547f420d85 +Patch-mainline: v5.17-rc5 +References: bsc#1152472 + +drm_gem_cma_mmap() cannot assume every implementation of dma_mmap_wc() +will end up calling remap_pfn_range() (which happens to set the relevant +vma flag, among others), so in order to make sure expectations around +VM_DONTEXPAND are met, let it explicitly set the flag like most other +GEM mmap implementations do. + +This avoids repeated warnings on a small minority of systems where the +display is behind an IOMMU, and has a simple driver which does not +override drm_gem_cma_default_funcs. Arm hdlcd is an in-tree affected +driver. Out-of-tree, the Apple DCP driver is affected; this fix is +required for DCP to be mainlined. + +[Alyssa: Update commit message.] + +Fixes: c40069cb7bd6 ("drm: add mmap() to drm_gem_object_funcs") +Acked-by: Daniel Vetter +Signed-off-by: Robin Murphy +Signed-off-by: Alyssa Rosenzweig +Link: https://patchwork.freedesktop.org/patch/msgid/20211013143654.39031-1-alyssa@rosenzweig.io +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/drm_gem_cma_helper.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/drm_gem_cma_helper.c ++++ b/drivers/gpu/drm/drm_gem_cma_helper.c +@@ -277,6 +277,7 @@ static int drm_gem_cma_mmap_obj(struct d + * the whole buffer. + */ + vma->vm_flags &= ~VM_PFNMAP; ++ vma->vm_flags |= VM_DONTEXPAND; + vma->vm_pgoff = 0; + + ret = dma_mmap_wc(cma_obj->base.dev->dev, vma, cma_obj->vaddr, diff --git a/patches.suse/0003-drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch b/patches.suse/0003-drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch new file mode 100644 index 0000000..1a86d51 --- /dev/null +++ b/patches.suse/0003-drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch 
@@ -0,0 +1,58 @@
+From 8244a3bc27b3efd057da154b8d7e414670d5044f Mon Sep 17 00:00:00 2001
+From: Anand K Mistry
+Date: Thu, 30 Sep 2021 09:00:07 +1000
+Subject: drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap
+Git-commit: 8244a3bc27b3efd057da154b8d7e414670d5044f
+Patch-mainline: v5.16-rc1
+References: bsc#1152472
+
+drm_gem_ttm_mmap() drops a reference to the gem object on success. If
+the gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that
+drop will free the gem object, and the subsequent drm_gem_object_get()
+will be a UAF. Fix by grabbing a reference before calling the mmap
+helper.
+
+This issue was forseen when the reference dropping was adding in
+commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"):
+ "For that to work properly the drm_gem_object_get() call in
+ drm_gem_ttm_mmap() must be moved so it happens before calling
+ obj->funcs->mmap(), otherwise the gem refcount would go down
+ to zero."
+
+Signed-off-by: Anand K Mistry
+Fixes: 9786b65bc61a ("drm/ttm: fix mmap refcounting")
+Cc: Gerd Hoffmann
+Cc: Daniel Vetter
+Cc: Maarten Lankhorst
+Cc: Maxime Ripard
+Cc: Thomas Zimmermann
+Cc: David Airlie
+Cc: Daniel Vetter
+Cc: dri-devel@lists.freedesktop.org
+Cc: # v5.5+
+Signed-off-by: Thomas Zimmermann
+Link: https://patchwork.freedesktop.org/patch/msgid/20210930085932.1.I8043d61cc238e0168e2f4ca5f4783223434aa587@changeid
+Acked-by: Thomas Zimmermann
+---
+ drivers/gpu/drm/drm_prime.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_prime.c
++++ b/drivers/gpu/drm/drm_prime.c
+@@ -719,11 +719,13 @@ int drm_gem_prime_mmap(struct drm_gem_ob
+ vma->vm_pgoff += drm_vma_node_start(&obj->vma_node);
+
+ if (obj->funcs && obj->funcs->mmap) {
++ drm_gem_object_get(obj);
+ ret = obj->funcs->mmap(obj, vma);
+- if (ret)
+- return ret;
++ if (ret) {
++ drm_gem_object_put(obj);
++ return ret;
++ }
+ vma->vm_private_data = obj;
+- drm_gem_object_get(obj);
+ return 0;
+ }
+
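Review bot: The new `drm_gem_object_get(obj)` ahead of `obj->funcs->mmap(obj, vma)` is an ordering requirement that the code does not state, so a later cleanup could move it back after the call and reintroduce the use-after-free. A comment on that line would hold it in place: `/* ->mmap() may drop a reference on success; hold the vma's reference before calling it */`. The error branch pairs it with `drm_gem_object_put(obj)`, which matches. The rest of drm_gem_prime_mmap(), including the path taken when no `->mmap` callback is set, lies outside the hunk and is not covered by this note.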
diff --git a/patches.suse/0003-video-fbdev-udlfb-properly-check-endpoint-type.patch b/patches.suse/0003-video-fbdev-udlfb-properly-check-endpoint-type.patch new file mode 100644 index 0000000..adb5f5b --- /dev/null +++ b/patches.suse/0003-video-fbdev-udlfb-properly-check-endpoint-type.patch 
@@ -0,0 +1,91 @@ +From aaf7dbe07385e0b8deb7237eca2a79926bbc7091 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 22 Mar 2022 23:04:38 +0300 +Subject: video: fbdev: udlfb: properly check endpoint type +Git-commit: aaf7dbe07385e0b8deb7237eca2a79926bbc7091 +Patch-mainline: v5.18-rc5 +References: bsc#1152489 + +syzbot reported warning in usb_submit_urb, which is caused by wrong +endpoint type. + +This driver uses out bulk endpoint for communication, so +let's check if this endpoint is present and bail out early if not. + +Fail log: + +usb 1-1: BOGUS urb xfer, pipe 3 != type 1 +WARNING: CPU: 0 PID: 4822 at drivers/usb/core/urb.c:493 usb_submit_urb+0xd27/0x1540 drivers/usb/core/urb.c:493 +Modules linked in: +CPU: 0 PID: 4822 Comm: kworker/0:3 Tainted: G W 5.13.0-syzkaller #0 +... +Workqueue: usb_hub_wq hub_event +RIP: 0010:usb_submit_urb+0xd27/0x1540 drivers/usb/core/urb.c:493 +... +Call Trace: + dlfb_submit_urb+0x89/0x160 drivers/video/fbdev/udlfb.c:1969 + dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315 + dlfb_ops_set_par+0x2a3/0x840 drivers/video/fbdev/udlfb.c:1110 + dlfb_usb_probe.cold+0x113e/0x1f4a drivers/video/fbdev/udlfb.c:1732 + usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 + +Fixes: 88e58b1a42f8 ("Staging: add udlfb driver") +Reported-and-tested-by: syzbot+53ce4a4246d0fe0fee34@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Helge Deller +Acked-by: Thomas Zimmermann +--- + drivers/video/fbdev/udlfb.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c +index b6ec0b8e2b725..d280733f283b1 100644 +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -1650,8 +1650,9 @@ static int dlfb_usb_probe(struct usb_interface *intf, + const struct device_attribute *attr; + struct dlfb_data *dlfb; + struct fb_info *info; +- int retval = -ENOMEM; ++ int retval; + struct usb_device *usbdev = 
interface_to_usbdev(intf); ++ struct usb_endpoint_descriptor *out; + + /* usb initialization */ + dlfb = kzalloc(sizeof(*dlfb), GFP_KERNEL); +@@ -1665,6 +1666,12 @@ static int dlfb_usb_probe(struct usb_interface *intf, + dlfb->udev = usb_get_dev(usbdev); + usb_set_intfdata(intf, dlfb); + ++ retval = usb_find_common_endpoints(intf->cur_altsetting, NULL, &out, NULL, NULL); ++ if (retval) { ++ dev_err(&intf->dev, "Device should have at lease 1 bulk endpoint!\n"); ++ goto error; ++ } ++ + dev_dbg(&intf->dev, "console enable=%d\n", console); + dev_dbg(&intf->dev, "fb_defio enable=%d\n", fb_defio); + dev_dbg(&intf->dev, "shadow enable=%d\n", shadow); +@@ -1674,6 +1681,7 @@ static int dlfb_usb_probe(struct usb_interface *intf, + if (!dlfb_parse_vendor_descriptor(dlfb, intf)) { + dev_err(&intf->dev, + "firmware not recognized, incompatible device?\n"); ++ retval = -ENODEV; + goto error; + } + +@@ -1687,8 +1695,10 @@ static int dlfb_usb_probe(struct usb_interface *intf, + + /* allocates framebuffer driver structure, not framebuffer memory */ + info = framebuffer_alloc(0, &dlfb->udev->dev); +- if (!info) ++ if (!info) { ++ retval = -ENOMEM; + goto error; ++ } + + dlfb->info = info; + info->par = dlfb; +-- +2.36.0 + diff --git a/patches.suse/0004-Revert-drm-i915-tgl-dsi-Gate-the-ddi-clocks-after-pl.patch b/patches.suse/0004-Revert-drm-i915-tgl-dsi-Gate-the-ddi-clocks-after-pl.patch new file mode 100644 index 0000000..0ad612a --- /dev/null +++ b/patches.suse/0004-Revert-drm-i915-tgl-dsi-Gate-the-ddi-clocks-after-pl.patch 
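Review bot: The new `usb_find_common_endpoints()` check in dlfb_usb_probe() only proves that the current altsetting has some bulk-out endpoint; `out` is never read again in the visible hunks. The URB submit path is outside this patch, so if it builds its pipe from a fixed endpoint number, a device whose bulk-out endpoint sits at a different address would pass this check and still reach the usb_submit_urb() warning shown in the fail log. I would compare `usb_endpoint_num(out)` with the endpoint number the driver submits to, or keep the found address and build the pipe from it. Separately, the error string has a typo and is vaguer than the check it reports: `"Device should have at least 1 bulk-out endpoint!\n"`.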
@@ -0,0 +1,58 @@ +From f15863b27752682bb700c21de5f83f613a0fb77e Mon Sep 17 00:00:00 2001 +From: Vandita Kulkarni +Date: Tue, 9 Nov 2021 17:34:28 +0530 +Subject: Revert "drm/i915/tgl/dsi: Gate the ddi clocks after pll mapping" +Git-commit: f15863b27752682bb700c21de5f83f613a0fb77e +Patch-mainline: v5.16-rc2 +References: bsc#1152489 + +This reverts commit 991d9557b0c4 ("drm/i915/tgl/dsi: Gate the ddi clocks +after pll mapping"). The Bspec was updated recently with the pll ungate +sequence similar to that of icl dsi enable sequence. Hence reverting. + +Bspec: 49187 +Fixes: 991d9557b0c4 ("drm/i915/tgl/dsi: Gate the ddi clocks after pll mapping") +Cc: # v5.4+ +Signed-off-by: Vandita Kulkarni +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20211109120428.15211-1-vandita.kulkarni@intel.com +(cherry picked from commit 4579509ef181480f4e4510d436c691519167c5c2) +Signed-off-by: Rodrigo Vivi +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/i915/display/icl_dsi.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/i915/display/icl_dsi.c ++++ b/drivers/gpu/drm/i915/display/icl_dsi.c +@@ -646,10 +646,7 @@ static void gen11_dsi_map_pll(struct int + intel_de_write(dev_priv, ICL_DPCLKA_CFGCR0, val); + + for_each_dsi_phy(phy, intel_dsi->phys) { +- if (INTEL_GEN(dev_priv) >= 12) +- val |= ICL_DPCLKA_CFGCR0_DDI_CLK_OFF(phy); +- else +- val &= ~ICL_DPCLKA_CFGCR0_DDI_CLK_OFF(phy); ++ val &= ~ICL_DPCLKA_CFGCR0_DDI_CLK_OFF(phy); + } + intel_de_write(dev_priv, ICL_DPCLKA_CFGCR0, val); + +@@ -1085,8 +1082,6 @@ static void + gen11_dsi_enable_port_and_phy(struct intel_encoder *encoder, + const struct intel_crtc_state *crtc_state) + { +- struct drm_i915_private *dev_priv = to_i915(encoder->base.dev); +- + /* step 4a: power up all lanes of the DDI used by DSI */ + gen11_dsi_power_up_lanes(encoder); + +@@ -1112,8 +1107,7 @@ gen11_dsi_enable_port_and_phy(struct int + gen11_dsi_configure_transcoder(encoder, crtc_state); + + 
/* Step 4l: Gate DDI clocks */ +- if (IS_GEN(dev_priv, 11)) +- gen11_dsi_gate_clocks(encoder); ++ gen11_dsi_gate_clocks(encoder); + } + + static void gen11_dsi_powerup_panel(struct intel_encoder *encoder) diff --git a/patches.suse/0004-drm-i915-s-JSP2-ICP2-PCH.patch b/patches.suse/0004-drm-i915-s-JSP2-ICP2-PCH.patch new file mode 100644 index 0000000..98d1652 --- /dev/null +++ b/patches.suse/0004-drm-i915-s-JSP2-ICP2-PCH.patch 
@@ -0,0 +1,75 @@ +From 08783aa7693f55619859f4f63f384abf17cb58c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 24 Feb 2022 15:21:42 +0200 +Subject: drm/i915: s/JSP2/ICP2/ PCH +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 08783aa7693f55619859f4f63f384abf17cb58c5 +Patch-mainline: v5.17-rc7 +References: bsc#1152489 + +This JSP2 PCH actually seems to be some special Apple +specific ICP variant rather than a JSP. Make it so. Or at +least all the references to it seem to be some Apple ICL +machines. Didn't manage to find these PCI IDs in any +public chipset docs unfortunately. + +The only thing we're losing here with this JSP->ICP change +is Wa_14011294188, but based on the HSD that isn't actually +needed on any ICP based design (including JSP), only TGP +based stuff (including MCC) really need it. The documented +w/a just never made that distinction because Windows didn't +want to differentiate between JSP and MCC (not sure how +they handle hpd/ddc/etc. then though...). 
+ +Cc: stable@vger.kernel.org +Cc: Matt Roper +Cc: Vivek Kasireddy +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/4226 +Fixes: 943682e3bd19 ("drm/i915: Introduce Jasper Lake PCH") +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220224132142.12927-1-ville.syrjala@linux.intel.com +Acked-by: Vivek Kasireddy +Tested-by: Tomas Bzatek +(cherry picked from commit 53581504a8e216d435f114a4f2596ad0dfd902fc) +Signed-off-by: Tvrtko Ursulin +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/i915/intel_pch.c | 2 +- + drivers/gpu/drm/i915/intel_pch.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_pch.c ++++ b/drivers/gpu/drm/i915/intel_pch.c +@@ -110,6 +110,7 @@ intel_pch_type(const struct drm_i915_pri + /* Comet Lake V PCH is based on KBP, which is SPT compatible */ + return PCH_SPT; + case INTEL_PCH_ICP_DEVICE_ID_TYPE: ++ case INTEL_PCH_ICP2_DEVICE_ID_TYPE: + drm_dbg_kms(&dev_priv->drm, "Found Ice Lake PCH\n"); + drm_WARN_ON(&dev_priv->drm, !IS_ICELAKE(dev_priv)); + return PCH_ICP; +@@ -125,7 +126,6 @@ intel_pch_type(const struct drm_i915_pri + !IS_GEN9_BC(dev_priv)); + return PCH_TGP; + case INTEL_PCH_JSP_DEVICE_ID_TYPE: +- case INTEL_PCH_JSP2_DEVICE_ID_TYPE: + drm_dbg_kms(&dev_priv->drm, "Found Jasper Lake PCH\n"); + drm_WARN_ON(&dev_priv->drm, !IS_ELKHARTLAKE(dev_priv)); + return PCH_JSP; +--- a/drivers/gpu/drm/i915/intel_pch.h ++++ b/drivers/gpu/drm/i915/intel_pch.h +@@ -48,11 +48,11 @@ enum intel_pch { + #define INTEL_PCH_CMP2_DEVICE_ID_TYPE 0x0680 + #define INTEL_PCH_CMP_V_DEVICE_ID_TYPE 0xA380 + #define INTEL_PCH_ICP_DEVICE_ID_TYPE 0x3480 ++#define INTEL_PCH_ICP2_DEVICE_ID_TYPE 0x3880 + #define INTEL_PCH_MCC_DEVICE_ID_TYPE 0x4B00 + #define INTEL_PCH_TGP_DEVICE_ID_TYPE 0xA080 + #define INTEL_PCH_TGP2_DEVICE_ID_TYPE 0x4380 + #define INTEL_PCH_JSP_DEVICE_ID_TYPE 0x4D80 +-#define INTEL_PCH_JSP2_DEVICE_ID_TYPE 0x3880 + #define INTEL_PCH_P2X_DEVICE_ID_TYPE 0x7100 + #define 
INTEL_PCH_P3X_DEVICE_ID_TYPE 0x7000 + #define INTEL_PCH_QEMU_DEVICE_ID_TYPE 0x2900 /* qemu q35 has 2918 */ diff --git a/patches.suse/0004-drm-mediatek-Fix-aal-size-config.patch b/patches.suse/0004-drm-mediatek-Fix-aal-size-config.patch new file mode 100644 index 0000000..c7efa72 --- /dev/null +++ b/patches.suse/0004-drm-mediatek-Fix-aal-size-config.patch @@ -0,0 +1,32 @@ +From 71dcadba34203d8dd35152e368720f977e9cdb81 Mon Sep 17 00:00:00 2001 +From: Yongqiang Niu +Date: Mon, 11 Jan 2021 15:43:47 +0800 +Subject: drm/mediatek: Fix aal size config +Git-commit: 71dcadba34203d8dd35152e368720f977e9cdb81 +Patch-mainline: v5.12-rc1 +References: git-fixes + +The orginal setting is not correct, fix it to follow hardware data sheet. +If keep this error setting, mt8173/mt8183 display ok +but mt8192 display abnormal. + +Fixes: 0664d1392c26 ("drm/mediatek: Add AAL engine basic function") + +Signed-off-by: Yongqiang Niu +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Patrik Jakobsson +--- + drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c +@@ -178,7 +178,7 @@ + unsigned int h, unsigned int vrefresh, + unsigned int bpc, struct cmdq_pkt *cmdq_pkt) + { +- mtk_ddp_write(cmdq_pkt, h << 16 | w, comp, DISP_AAL_SIZE); ++ mtk_ddp_write(cmdq_pkt, w << 16 | h, comp, DISP_AAL_SIZE); + } + + static void mtk_aal_start(struct mtk_ddp_comp *comp) diff --git a/patches.suse/0005-drm-amdgpu-fix-amdgpu_ras_block_late_init-error-hand.patch b/patches.suse/0005-drm-amdgpu-fix-amdgpu_ras_block_late_init-error-hand.patch new file mode 100644 index 0000000..6f25809 --- /dev/null +++ b/patches.suse/0005-drm-amdgpu-fix-amdgpu_ras_block_late_init-error-hand.patch 
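Review bot: `INTEL_PCH_ICP2_DEVICE_ID_TYPE 0x3880` in intel_pch.h carries no comment, although the patch description says the ID was not found in public chipset documentation and was identified as an Apple-specific ICP variant from the machines it appears on. That provenance belongs next to the define, in the way the QEMU entry below it is annotated: `#define INTEL_PCH_ICP2_DEVICE_ID_TYPE 0x3880 /* Apple-specific ICP variant, not in public docs */`. In intel_pch_type() the ID now falls under `drm_WARN_ON(&dev_priv->drm, !IS_ICELAKE(dev_priv))`, so the warning will fire if this PCH is ever paired with a non-Ice-Lake CPU; the description suggests that is intended. Both intel_pch_type() and the define list continue outside the hunks.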
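Review bot: The corrected `w << 16 | h` in the DISP_AAL_SIZE write has no comment naming the register layout, and swapped fields were the whole bug. A one-line comment above the call would make the order checkable against the data sheet: `/* DISP_AAL_SIZE: width in the upper half, height in the lower half */`. Writing the value as `(w << 16) | h` would also spare the reader the precedence lookup. The inner hunk header carries no function name, so the enclosing function is not identifiable from here.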
@@ -0,0 +1,74 @@ +From 779596ce6a79e187995f04f143fc5ea44a565ea9 Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Thu, 17 Feb 2022 07:38:42 -0800 +Subject: drm/amdgpu: fix amdgpu_ras_block_late_init error handler +Git-commit: 779596ce6a79e187995f04f143fc5ea44a565ea9 +Patch-mainline: v5.18-rc1 +References: bsc#1152489 + +Clang build fails with +amdgpu_ras.c:2416:7: error: variable 'ras_obj' is used uninitialized + whenever 'if' condition is true + if (adev->in_suspend || amdgpu_in_reset(adev)) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +amdgpu_ras.c:2453:6: note: uninitialized use occurs here + if (ras_obj->ras_cb) + ^~~~~~~ + +There is a logic error in the error handler's labels. +ex/ The sysfs: is the last goto label in the normal code but +is the middle of error handler. Rework the error handler. + +cleanup: is the first error, so it's handler should be last. + +interrupt: is the second error, it's handler is next. interrupt: +handles the failure of amdgpu_ras_interrupt_add_hander() by +calling amdgpu_ras_interrupt_remove_handler(). This is wrong, +remove() assumes the interrupt has been setup, not torn down by +add(). Change the goto label to cleanup. + +sysfs is the last error, it's handler should be first. sysfs: +handles the failure of amdgpu_ras_sysfs_create() by calling +amdgpu_ras_sysfs_remove(). But when the create() fails there +is nothing added so there is nothing to remove. This error +handler is not needed. Remove the error handler and change +goto label to interrupt. 
+ +Fixes: b293e891b057 ("drm/amdgpu: add helper function to do common ras_late_init/fini (v3)") +Reviewed-by: Luben Tuikov +Signed-off-by: Tom Rix +Signed-off-by: Alex Deucher +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c +@@ -1998,20 +1998,19 @@ int amdgpu_ras_late_init(struct amdgpu_d + if (ih_info->cb) { + r = amdgpu_ras_interrupt_add_handler(adev, ih_info); + if (r) +- goto interrupt; ++ goto cleanup; + } + + r = amdgpu_ras_sysfs_create(adev, fs_info); + if (r) +- goto sysfs; ++ goto interrupt; + + return 0; +-cleanup: +- amdgpu_ras_sysfs_remove(adev, ras_block); +-sysfs: ++ ++interrupt: + if (ih_info->cb) + amdgpu_ras_interrupt_remove_handler(adev, ih_info); +-interrupt: ++cleanup: + amdgpu_ras_feature_enable(adev, ras_block, 0); + return r; + } diff --git a/patches.suse/0006-drm-fb-helper-Mark-screen-buffers-in-system-memory-w.patch b/patches.suse/0006-drm-fb-helper-Mark-screen-buffers-in-system-memory-w.patch new file mode 100644 index 0000000..371d635 --- /dev/null +++ b/patches.suse/0006-drm-fb-helper-Mark-screen-buffers-in-system-memory-w.patch 
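Review bot: The patch header describes `amdgpu_ras_block_late_init()` and a Clang error about `ras_obj`, but the hunk applies to `amdgpu_ras_late_init()` and neither `ras_obj` nor the quoted line numbers appear in it, so this looks like an adapted backport that does not say so. A one-line note in the header would let a later reader match it to upstream, for example `[backport: adapted to amdgpu_ras_late_init() in this tree]`. In the new code the labels name the step to undo rather than the step that failed, which is easy to misread: `goto interrupt` is taken when `amdgpu_ras_sysfs_create()` fails. The function starts outside the hunk, so any earlier `goto cleanup` sites are not visible; after this change they skip the interrupt-handler removal, which is right only if they run before the handler is added.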
@@ -0,0 +1,53 @@
+From cd9f7f7ac5932129fe81b4c7559cfcb226ec7c5c Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann
+Date: Tue, 1 Feb 2022 12:53:05 +0100
+Subject: drm/fb-helper: Mark screen buffers in system memory with
+ FBINFO_VIRTFB
+Git-commit: cd9f7f7ac5932129fe81b4c7559cfcb226ec7c5c
+Patch-mainline: v5.18-rc1
+References: bsc#1152472
+
+Mark screen buffers in system memory with FBINFO_VIRTFB. Otherwise, fbdev
+deferred I/O marks mmap'ed areas of system memory with VM_IO. (There's an
+inverse relationship between the two flags.)
+
+For shadow buffers, also set the FBINFO_READS_FAST hint.
+
+v3:
+ * change FB_ to FBINFO_ in commit description
+v2:
+ * updated commit description (Daniel)
+ * added Fixes tag
+
+Signed-off-by: Thomas Zimmermann
+Fixes: d536540f304c ("drm/fb-helper: Add generic fbdev emulation .fb_probe function")
+Reviewed-by: Daniel Vetter
+Cc: dri-devel@lists.freedesktop.org
+Cc: # v4.19+
+Link: https://patchwork.freedesktop.org/patch/msgid/20220201115305.9333-1-tzimmermann@suse.de
+Acked-by: Thomas Zimmermann
+---
+ drivers/gpu/drm/drm_fb_helper.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -2104,6 +2104,7 @@ static int drm_fb_helper_generic_probe(s
+ fbi->fbops = &drm_fbdev_fb_ops;
+ fbi->screen_size = fb->height * fb->pitches[0];
+ fbi->fix.smem_len = fbi->screen_size;
++ fbi->flags = FBINFO_DEFAULT;
+
+ drm_fb_helper_fill_info(fbi, fb_helper, sizes);
+
+@@ -2111,9 +2112,9 @@ static int drm_fb_helper_generic_probe(s
+ fbi->screen_buffer = vzalloc(fbi->screen_size);
+ if (!fbi->screen_buffer)
+ return -ENOMEM;
++ fbi->flags |= FBINFO_VIRTFB | FBINFO_READS_FAST;
+
+ fbi->fbdefio = &drm_fbdev_defio;
+-
+ fb_deferred_io_init(fbi);
+ } else {
+ /* buffer is mapped for HW framebuffer */
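Review bot: `fbi->flags = FBINFO_DEFAULT;` in the first hunk is a plain assignment, so any flag set on `fbi` earlier in drm_fb_helper_generic_probe() is discarded; the earlier part of the function is outside the hunk, so this should be checked against the backported tree rather than assumed from upstream. The later `fbi->flags |= FBINFO_VIRTFB | FBINFO_READS_FAST;` would benefit from a comment, since the reason is only in the description: `/* shadow buffer lives in system memory; without FBINFO_VIRTFB deferred I/O maps it VM_IO */`. The `else` branch for the hardware framebuffer continues past the end of the second hunk.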
diff --git a/patches.suse/0008-USB-hcd-pci-Use-PCI_STD_NUM_BARS-when-checking-stand.patch b/patches.suse/0008-USB-hcd-pci-Use-PCI_STD_NUM_BARS-when-checking-stand.patch
new file mode 100644
index 0000000..ad88513
--- /dev/null
+++ b/patches.suse/0008-USB-hcd-pci-Use-PCI_STD_NUM_BARS-when-checking-stand.patch
@@ -0,0 +1,43 @@
+From 5d0c4393b207660fb9d6b08caed03ac85435fcd9 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas
+Date: Fri, 21 Jan 2022 12:33:30 -0600
+Subject: USB: hcd-pci: Use PCI_STD_NUM_BARS when checking standard BARs
+Git-commit: 5d0c4393b207660fb9d6b08caed03ac85435fcd9
+Patch-mainline: v5.18-rc1
+References: bsc#1152489
+
+usb_hcd_pci_probe() searches for an I/O BAR using a combination of
+PCI_STD_NUM_BARS (to control loop iteration) and PCI_ROM_RESOURCE (to check
+whether the loop exits without finding anything).
+
+Use PCI_STD_NUM_BARS consistently.
+
+No functional change since PCI_STD_NUM_BARS == PCI_ROM_RESOURCE, but this
+removes a dependency on that relationship and makes the code read better.
+
+Fixes: c9c13ba428ef ("PCI: Add PCI_STD_NUM_BARS for the number of standard BARs")
+Cc: Denis Efremov
+Signed-off-by: Bjorn Helgaas
+Link: https://lore.kernel.org/r/20220121183330.1141702-1-helgaas@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Thomas Zimmermann
+---
+ drivers/usb/core/hcd-pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c
+index d630cccd2e6ea..784466117c92f 100644
+--- a/drivers/usb/core/hcd-pci.c
++++ b/drivers/usb/core/hcd-pci.c
+@@ -248,7 +248,7 @@ int usb_hcd_pci_probe(struct pci_dev *dev, const struct pci_device_id *id,
+ hcd->rsrc_len, driver->description))
+ break;
+ }
+- if (region == PCI_ROM_RESOURCE) {
++ if (region == PCI_STD_NUM_BARS) {
+ dev_dbg(&dev->dev, "no i/o regions available\n");
+ retval = -EBUSY;
+ goto put_hcd;
+--
+2.36.0
+
diff --git a/patches.suse/0009-drm-amd-display-Fix-memory-leak-in-dcn21_clock_sourc.patch b/patches.suse/0009-drm-amd-display-Fix-memory-leak-in-dcn21_clock_sourc.patch
new file mode 100644
index 0000000..c7c664b
--- /dev/null
+++ b/patches.suse/0009-drm-amd-display-Fix-memory-leak-in-dcn21_clock_sourc.patch
@@ -0,0 +1,33 @@
+From 65e54987508b6f0771f56bdfa3ee1926d52785ae Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Thu, 21 Apr 2022 17:03:09 +0800
+Subject: drm/amd/display: Fix memory leak in dcn21_clock_source_create
+Git-commit: 65e54987508b6f0771f56bdfa3ee1926d52785ae
+Patch-mainline: v5.18-rc5
+References: bsc#1152472
+
+When dcn20_clk_src_construct() fails, we need to release clk_src.
+
+Fixes: 6f4e6361c3ff ("drm/amd/display: Add Renoir resource (v2)")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Alex Deucher
+Acked-by: Thomas Zimmermann
+---
+ drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+index 3fe4bfbb98a07..faab59508d829 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+@@ -997,6 +997,7 @@ static struct clock_source *dcn21_clock_source_create(
+ return &clk_src->base;
+ }
+
++ kfree(clk_src);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+--
+2.36.0
+
diff --git a/patches.suse/Revert-drm-add-a-locked-version-of-drm_is_current_ma.patch b/patches.suse/Revert-drm-add-a-locked-version-of-drm_is_current_ma.patch
deleted file mode 100644
index 85f0e44..0000000
--- a/patches.suse/Revert-drm-add-a-locked-version-of-drm_is_current_ma.patch
+++ /dev/null
@@ -1,209 +0,0 @@ -From f54b3ca7ea1e5e02f481cf4ca54568e57bd66086 Mon Sep 17 00:00:00 2001 -From: Daniel Vetter -Date: Tue, 22 Jun 2021 09:54:09 +0200 -Subject: [PATCH] Revert "drm: add a locked version of drm_is_current_master" -Git-commit: f54b3ca7ea1e5e02f481cf4ca54568e57bd66086 -Patch-mainline: v5.13 -References: git-fixes - -This reverts commit 1815d9c86e3090477fbde066ff314a7e9721ee0f. - -Unfortunately this inverts the locking hierarchy, so back to the -drawing board. Full lockdep splat below: - -====================================================== -Warning: possible circular locking dependency detected -5.13.0-rc7-CI-CI_DRM_10254+ #1 Not tainted - -Acked-by: Takashi Iwai - ------------------------------------------------------- -kms_frontbuffer/1087 is trying to acquire lock: -ffff88810dcd01a8 (&dev->master_mutex){+.+.}-{3:3}, at: drm_is_current_master+0x1b/0x40 -but task is already holding lock: -ffff88810dcd0488 (&dev->mode_config.mutex){+.+.}-{3:3}, at: drm_mode_getconnector+0x1c6/0x4a0 -which lock already depends on the new lock. 
-the existing dependency chain (in reverse order) is: --> #2 (&dev->mode_config.mutex){+.+.}-{3:3}: - __mutex_lock+0xab/0x970 - drm_client_modeset_probe+0x22e/0xca0 - __drm_fb_helper_initial_config_and_unlock+0x42/0x540 - intel_fbdev_initial_config+0xf/0x20 [i915] - async_run_entry_fn+0x28/0x130 - process_one_work+0x26d/0x5c0 - worker_thread+0x37/0x380 - kthread+0x144/0x170 - ret_from_fork+0x1f/0x30 --> #1 (&client->modeset_mutex){+.+.}-{3:3}: - __mutex_lock+0xab/0x970 - drm_client_modeset_commit_locked+0x1c/0x180 - drm_client_modeset_commit+0x1c/0x40 - __drm_fb_helper_restore_fbdev_mode_unlocked+0x88/0xb0 - drm_fb_helper_set_par+0x34/0x40 - intel_fbdev_set_par+0x11/0x40 [i915] - fbcon_init+0x270/0x4f0 - visual_init+0xc6/0x130 - do_bind_con_driver+0x1e5/0x2d0 - do_take_over_console+0x10e/0x180 - do_fbcon_takeover+0x53/0xb0 - register_framebuffer+0x22d/0x310 - __drm_fb_helper_initial_config_and_unlock+0x36c/0x540 - intel_fbdev_initial_config+0xf/0x20 [i915] - async_run_entry_fn+0x28/0x130 - process_one_work+0x26d/0x5c0 - worker_thread+0x37/0x380 - kthread+0x144/0x170 - ret_from_fork+0x1f/0x30 --> #0 (&dev->master_mutex){+.+.}-{3:3}: - __lock_acquire+0x151e/0x2590 - lock_acquire+0xd1/0x3d0 - __mutex_lock+0xab/0x970 - drm_is_current_master+0x1b/0x40 - drm_mode_getconnector+0x37e/0x4a0 - drm_ioctl_kernel+0xa8/0xf0 - drm_ioctl+0x1e8/0x390 - __x64_sys_ioctl+0x6a/0xa0 - do_syscall_64+0x39/0xb0 - entry_SYSCALL_64_after_hwframe+0x44/0xae -other info that might help us debug this: -Chain exists of: &dev->master_mutex --> &client->modeset_mutex --> &dev->mode_config.mutex - Possible unsafe locking scenario: - CPU0 CPU1 - ---- ---- - lock(&dev->mode_config.mutex); - lock(&client->modeset_mutex); - lock(&dev->mode_config.mutex); - lock(&dev->master_mutex); -*** DEADLOCK *** -1 lock held by kms_frontbuffer/1087: - #0: ffff88810dcd0488 (&dev->mode_config.mutex){+.+.}-{3:3}, at: drm_mode_getconnector+0x1c6/0x4a0 -stack backtrace: -CPU: 7 PID: 1087 Comm: kms_frontbuffer Not tainted 
5.13.0-rc7-CI-CI_DRM_10254+ #1 -Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP TLC, BIOS ICLSFWR1.R00.3234.A01.1906141750 06/14/2019 -Call Trace: - dump_stack+0x7f/0xad - check_noncircular+0x12e/0x150 - __lock_acquire+0x151e/0x2590 - lock_acquire+0xd1/0x3d0 - __mutex_lock+0xab/0x970 - drm_is_current_master+0x1b/0x40 - drm_mode_getconnector+0x37e/0x4a0 - drm_ioctl_kernel+0xa8/0xf0 - drm_ioctl+0x1e8/0x390 - __x64_sys_ioctl+0x6a/0xa0 - do_syscall_64+0x39/0xb0 - entry_SYSCALL_64_after_hwframe+0x44/0xae - -Note that this broke the intel-gfx CI pretty much across the board -because it has to reboot machines after it hits a lockdep splat. - -Testcase: igt/debugfs_test/read_all_entries -Acked-by: Petri Latvala -Fixes: 1815d9c86e30 ("drm: add a locked version of drm_is_current_master") -Cc: Desmond Cheong Zhi Xi -Cc: Emil Velikov -Cc: stable@vger.kernel.org -Signed-off-by: Daniel Vetter -Cc: Maarten Lankhorst -Cc: Maxime Ripard -Cc: Thomas Zimmermann -Cc: David Airlie -Cc: Daniel Vetter -Link: https://patchwork.freedesktop.org/patch/msgid/20210622075409.2673805-1-daniel.vetter@ffwll.ch ---- - drivers/gpu/drm/drm_auth.c | 51 ++++++++++++++------------------------ - 1 file changed, 19 insertions(+), 32 deletions(-) - -diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c -index 86d4b72e95cb..232abbba3686 100644 ---- a/drivers/gpu/drm/drm_auth.c -+++ b/drivers/gpu/drm/drm_auth.c -@@ -61,35 +61,6 @@ - * trusted clients. - */ - --static bool drm_is_current_master_locked(struct drm_file *fpriv) --{ -- lockdep_assert_held_once(&fpriv->master->dev->master_mutex); -- -- return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master; --} -- --/** -- * drm_is_current_master - checks whether @priv is the current master -- * @fpriv: DRM file private -- * -- * Checks whether @fpriv is current master on its device. This decides whether a -- * client is allowed to run DRM_MASTER IOCTLs. 
-- * -- * Most of the modern IOCTL which require DRM_MASTER are for kernel modesetting -- * - the current master is assumed to own the non-shareable display hardware. -- */ --bool drm_is_current_master(struct drm_file *fpriv) --{ -- bool ret; -- -- mutex_lock(&fpriv->master->dev->master_mutex); -- ret = drm_is_current_master_locked(fpriv); -- mutex_unlock(&fpriv->master->dev->master_mutex); -- -- return ret; --} --EXPORT_SYMBOL(drm_is_current_master); -- - int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv) - { - struct drm_auth *auth = data; -@@ -252,7 +223,7 @@ int drm_setmaster_ioctl(struct drm_device *dev, void *data, - if (ret) - goto out_unlock; - -- if (drm_is_current_master_locked(file_priv)) -+ if (drm_is_current_master(file_priv)) - goto out_unlock; - - if (dev->master) { -@@ -301,7 +272,7 @@ int drm_dropmaster_ioctl(struct drm_device *dev, void *data, - if (ret) - goto out_unlock; - -- if (!drm_is_current_master_locked(file_priv)) { -+ if (!drm_is_current_master(file_priv)) { - ret = -EINVAL; - goto out_unlock; - } -@@ -350,7 +321,7 @@ void drm_master_release(struct drm_file *file_priv) - if (file_priv->magic) - idr_remove(&file_priv->master->magic_map, file_priv->magic); - -- if (!drm_is_current_master_locked(file_priv)) -+ if (!drm_is_current_master(file_priv)) - goto out; - - drm_legacy_lock_master_cleanup(dev, master); -@@ -371,6 +342,22 @@ void drm_master_release(struct drm_file *file_priv) - mutex_unlock(&dev->master_mutex); - } - -+/** -+ * drm_is_current_master - checks whether @priv is the current master -+ * @fpriv: DRM file private -+ * -+ * Checks whether @fpriv is current master on its device. This decides whether a -+ * client is allowed to run DRM_MASTER IOCTLs. -+ * -+ * Most of the modern IOCTL which require DRM_MASTER are for kernel modesetting -+ * - the current master is assumed to own the non-shareable display hardware. 
-+ */ -+bool drm_is_current_master(struct drm_file *fpriv) -+{ -+ return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master; -+} -+EXPORT_SYMBOL(drm_is_current_master); -+ - /** - * drm_master_get - reference a master pointer - * @master: &struct drm_master --- -2.26.2 - diff --git a/patches.suse/Revert-ibmvnic-Add-ethtool-private-flag-for-driver-d.patch b/patches.suse/Revert-ibmvnic-Add-ethtool-private-flag-for-driver-d.patch new file mode 100644 index 0000000..47b94cf --- /dev/null +++ b/patches.suse/Revert-ibmvnic-Add-ethtool-private-flag-for-driver-d.patch 
@@ -0,0 +1,258 @@ +From ea94e7b11702e12d44ba6b0525aee4a55e52c825 Mon Sep 17 00:00:00 2001 +From: Dany Madden +Date: Wed, 27 Apr 2022 18:51:46 -0500 +Subject: [PATCH] Revert "ibmvnic: Add ethtool private flag for driver-defined + queue limits" + +References: bsc#1121726 ltc#174633 git-fixes +Patch-mainline: v5.18-rc5 +Git-commit: aeaf59b78712c7a1827c76f086acff4f586e072f + +This reverts commit 723ad916134784b317b72f3f6cf0f7ba774e5dae + +When client requests channel or ring size larger than what the server +can support the server will cap the request to the supported max. So, +the client would not be able to successfully request resources that +exceed the server limit. + +Fixes: 723ad9161347 ("ibmvnic: Add ethtool private flag for driver-defined queue limits") +Signed-off-by: Dany Madden +Link: https://lore.kernel.org/r/20220427235146.23189-1-drt@linux.ibm.com +Signed-off-by: Jakub Kicinski +Acked-by: Michal Suchanek +--- + drivers/net/ethernet/ibm/ibmvnic.c | 129 ++++++++--------------------- + drivers/net/ethernet/ibm/ibmvnic.h | 6 -- + 2 files changed, 35 insertions(+), 100 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index a84d459f204f..13acff619cf4 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -2918,13 +2918,8 @@ static void ibmvnic_get_ringparam(struct net_device *netdev, + { + struct ibmvnic_adapter *adapter = netdev_priv(netdev); + +- if (adapter->priv_flags & IBMVNIC_USE_SERVER_MAXES) { +- ring->rx_max_pending = adapter->max_rx_add_entries_per_subcrq; +- ring->tx_max_pending = adapter->max_tx_entries_per_subcrq; +- } else { +- ring->rx_max_pending = IBMVNIC_MAX_QUEUE_SZ; +- ring->tx_max_pending = IBMVNIC_MAX_QUEUE_SZ; +- } ++ ring->rx_max_pending = adapter->max_rx_add_entries_per_subcrq; ++ ring->tx_max_pending = adapter->max_tx_entries_per_subcrq; + ring->rx_mini_max_pending = 0; + ring->rx_jumbo_max_pending = 0; + ring->rx_pending = 
adapter->req_rx_add_entries_per_subcrq; +@@ -2937,23 +2932,21 @@ static int ibmvnic_set_ringparam(struct net_device *netdev, + struct ethtool_ringparam *ring) + { + struct ibmvnic_adapter *adapter = netdev_priv(netdev); +- int ret; + +- ret = 0; ++ if (ring->rx_pending > adapter->max_rx_add_entries_per_subcrq || ++ ring->tx_pending > adapter->max_tx_entries_per_subcrq) { ++ netdev_err(netdev, "Invalid request.\n"); ++ netdev_err(netdev, "Max tx buffers = %llu\n", ++ adapter->max_rx_add_entries_per_subcrq); ++ netdev_err(netdev, "Max rx buffers = %llu\n", ++ adapter->max_tx_entries_per_subcrq); ++ return -EINVAL; ++ } ++ + adapter->desired.rx_entries = ring->rx_pending; + adapter->desired.tx_entries = ring->tx_pending; + +- ret = wait_for_reset(adapter); +- +- if (!ret && +- (adapter->req_rx_add_entries_per_subcrq != ring->rx_pending || +- adapter->req_tx_entries_per_subcrq != ring->tx_pending)) +- netdev_info(netdev, +- "Could not match full ringsize request. Requested: RX %d, TX %d; Allowed: RX %llu, TX %llu\n", +- ring->rx_pending, ring->tx_pending, +- adapter->req_rx_add_entries_per_subcrq, +- adapter->req_tx_entries_per_subcrq); +- return ret; ++ return wait_for_reset(adapter); + } + + static void ibmvnic_get_channels(struct net_device *netdev, +@@ -2961,14 +2954,8 @@ static void ibmvnic_get_channels(struct net_device *netdev, + { + struct ibmvnic_adapter *adapter = netdev_priv(netdev); + +- if (adapter->priv_flags & IBMVNIC_USE_SERVER_MAXES) { +- channels->max_rx = adapter->max_rx_queues; +- channels->max_tx = adapter->max_tx_queues; +- } else { +- channels->max_rx = IBMVNIC_MAX_QUEUES; +- channels->max_tx = IBMVNIC_MAX_QUEUES; +- } +- ++ channels->max_rx = adapter->max_rx_queues; ++ channels->max_tx = adapter->max_tx_queues; + channels->max_other = 0; + channels->max_combined = 0; + channels->rx_count = adapter->req_rx_queues; +@@ -2981,22 +2968,11 @@ static int ibmvnic_set_channels(struct net_device *netdev, + struct ethtool_channels *channels) + { + struct 
ibmvnic_adapter *adapter = netdev_priv(netdev); +- int ret; + +- ret = 0; + adapter->desired.rx_queues = channels->rx_count; + adapter->desired.tx_queues = channels->tx_count; + +- ret = wait_for_reset(adapter); +- +- if (!ret && +- (adapter->req_rx_queues != channels->rx_count || +- adapter->req_tx_queues != channels->tx_count)) +- netdev_info(netdev, +- "Could not match full channels request. Requested: RX %d, TX %d; Allowed: RX %llu, TX %llu\n", +- channels->rx_count, channels->tx_count, +- adapter->req_rx_queues, adapter->req_tx_queues); +- return ret; ++ return wait_for_reset(adapter); + } + + static void ibmvnic_get_strings(struct net_device *dev, u32 stringset, u8 *data) +@@ -3004,43 +2980,32 @@ static void ibmvnic_get_strings(struct net_device *dev, u32 stringset, u8 *data) + struct ibmvnic_adapter *adapter = netdev_priv(dev); + int i; + +- switch (stringset) { +- case ETH_SS_STATS: +- for (i = 0; i < ARRAY_SIZE(ibmvnic_stats); +- i++, data += ETH_GSTRING_LEN) +- memcpy(data, ibmvnic_stats[i].name, ETH_GSTRING_LEN); ++ if (stringset != ETH_SS_STATS) ++ return; + +- for (i = 0; i < adapter->req_tx_queues; i++) { +- snprintf(data, ETH_GSTRING_LEN, "tx%d_packets", i); +- data += ETH_GSTRING_LEN; ++ for (i = 0; i < ARRAY_SIZE(ibmvnic_stats); i++, data += ETH_GSTRING_LEN) ++ memcpy(data, ibmvnic_stats[i].name, ETH_GSTRING_LEN); + +- snprintf(data, ETH_GSTRING_LEN, "tx%d_bytes", i); +- data += ETH_GSTRING_LEN; ++ for (i = 0; i < adapter->req_tx_queues; i++) { ++ snprintf(data, ETH_GSTRING_LEN, "tx%d_packets", i); ++ data += ETH_GSTRING_LEN; + +- snprintf(data, ETH_GSTRING_LEN, +- "tx%d_dropped_packets", i); +- data += ETH_GSTRING_LEN; +- } ++ snprintf(data, ETH_GSTRING_LEN, "tx%d_bytes", i); ++ data += ETH_GSTRING_LEN; + +- for (i = 0; i < adapter->req_rx_queues; i++) { +- snprintf(data, ETH_GSTRING_LEN, "rx%d_packets", i); +- data += ETH_GSTRING_LEN; ++ snprintf(data, ETH_GSTRING_LEN, "tx%d_dropped_packets", i); ++ data += ETH_GSTRING_LEN; ++ } + +- 
snprintf(data, ETH_GSTRING_LEN, "rx%d_bytes", i); +- data += ETH_GSTRING_LEN; ++ for (i = 0; i < adapter->req_rx_queues; i++) { ++ snprintf(data, ETH_GSTRING_LEN, "rx%d_packets", i); ++ data += ETH_GSTRING_LEN; + +- snprintf(data, ETH_GSTRING_LEN, "rx%d_interrupts", i); +- data += ETH_GSTRING_LEN; +- } +- break; ++ snprintf(data, ETH_GSTRING_LEN, "rx%d_bytes", i); ++ data += ETH_GSTRING_LEN; + +- case ETH_SS_PRIV_FLAGS: +- for (i = 0; i < ARRAY_SIZE(ibmvnic_priv_flags); i++) +- strcpy(data + i * ETH_GSTRING_LEN, +- ibmvnic_priv_flags[i]); +- break; +- default: +- return; ++ snprintf(data, ETH_GSTRING_LEN, "rx%d_interrupts", i); ++ data += ETH_GSTRING_LEN; + } + } + +@@ -3053,8 +3018,6 @@ static int ibmvnic_get_sset_count(struct net_device *dev, int sset) + return ARRAY_SIZE(ibmvnic_stats) + + adapter->req_tx_queues * NUM_TX_STATS + + adapter->req_rx_queues * NUM_RX_STATS; +- case ETH_SS_PRIV_FLAGS: +- return ARRAY_SIZE(ibmvnic_priv_flags); + default: + return -EOPNOTSUPP; + } +@@ -3107,26 +3070,6 @@ static void ibmvnic_get_ethtool_stats(struct net_device *dev, + } + } + +-static u32 ibmvnic_get_priv_flags(struct net_device *netdev) +-{ +- struct ibmvnic_adapter *adapter = netdev_priv(netdev); +- +- return adapter->priv_flags; +-} +- +-static int ibmvnic_set_priv_flags(struct net_device *netdev, u32 flags) +-{ +- struct ibmvnic_adapter *adapter = netdev_priv(netdev); +- bool which_maxes = !!(flags & IBMVNIC_USE_SERVER_MAXES); +- +- if (which_maxes) +- adapter->priv_flags |= IBMVNIC_USE_SERVER_MAXES; +- else +- adapter->priv_flags &= ~IBMVNIC_USE_SERVER_MAXES; +- +- return 0; +-} +- + static const struct ethtool_ops ibmvnic_ethtool_ops = { + .get_drvinfo = ibmvnic_get_drvinfo, + .get_msglevel = ibmvnic_get_msglevel, +@@ -3140,8 +3083,6 @@ static const struct ethtool_ops ibmvnic_ethtool_ops = { + .get_sset_count = ibmvnic_get_sset_count, + .get_ethtool_stats = ibmvnic_get_ethtool_stats, + .get_link_ksettings = ibmvnic_get_link_ksettings, +- .get_priv_flags = 
ibmvnic_get_priv_flags, +- .set_priv_flags = ibmvnic_set_priv_flags, + }; + + /* Routines for managing CRQs/sCRQs */ +diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h +index 9fc4d3068018..d87f88d1552d 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.h ++++ b/drivers/net/ethernet/ibm/ibmvnic.h +@@ -52,11 +52,6 @@ + + #define IBMVNIC_RESET_DELAY 100 + +-static const char ibmvnic_priv_flags[][ETH_GSTRING_LEN] = { +-#define IBMVNIC_USE_SERVER_MAXES 0x1 +- "use-server-maxes" +-}; +- + struct ibmvnic_login_buffer { + __be32 len; + __be32 version; +@@ -895,7 +890,6 @@ struct ibmvnic_adapter { + struct ibmvnic_control_ip_offload_buffer ip_offload_ctrl; + dma_addr_t ip_offload_ctrl_tok; + u32 msg_enable; +- u32 priv_flags; + + /* Vital Product Data (VPD) */ + struct ibmvnic_vpd *vpd; +-- +2.34.1 + diff --git a/patches.suse/SUNRPC-Ensure-we-flush-any-closed-sockets-before-xs_.patch b/patches.suse/SUNRPC-Ensure-we-flush-any-closed-sockets-before-xs_.patch deleted file mode 100644 index fda19c0..0000000 --- a/patches.suse/SUNRPC-Ensure-we-flush-any-closed-sockets-before-xs_.patch +++ /dev/null 
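Review bot: In the limit check that this revert restores in ibmvnic_set_ringparam(), the two diagnostic lines are cross-wired: the "Max tx buffers" message prints `adapter->max_rx_add_entries_per_subcrq` and the "Max rx buffers" message prints `adapter->max_tx_entries_per_subcrq`. Whenever the server's rx and tx limits differ, an administrator who gets -EINVAL back is told the wrong ceiling for each ring. The revert presumably restores the old text verbatim, so a follow-up is the place to swap the arguments: `netdev_err(netdev, "Max tx buffers = %llu\n", adapter->max_tx_entries_per_subcrq);` and `netdev_err(netdev, "Max rx buffers = %llu\n", adapter->max_rx_add_entries_per_subcrq);`.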
@@ -1,101 +0,0 @@ -From: Trond Myklebust -Date: Sun, 3 Apr 2022 15:58:11 -0400 -Subject: [PATCH] SUNRPC: Ensure we flush any closed sockets before - xs_xprt_free() -Git-commit: f00432063db1a0db484e85193eccc6845435b80e -Patch-mainline: v5.18 -References: git-fixes - -We must ensure that all sockets are closed before we call xprt_free() -and release the reference to the net namespace. The problem is that -calling fput() will defer closing the socket until delayed_fput() gets -called. -Let's fix the situation by allowing rpciod and the transport teardown -code (which runs on the system wq) to call __fput_sync(), and directly -close the socket. - -Reported-by: Felix Fu -Acked-by: Al Viro -Fixes: a73881c96d73 ("SUNRPC: Fix an Oops in udp_poll()") -Cc: stable@vger.kernel.org # 5.1.x: 3be232f11a3c: SUNRPC: Prevent immediate close+reconnect -Cc: stable@vger.kernel.org # 5.1.x: 89f42494f92f: SUNRPC: Don't call connect() more than once on a TCP socket -Cc: stable@vger.kernel.org # 5.1.x -Signed-off-by: Trond Myklebust -Acked-by: NeilBrown - ---- - fs/file_table.c | 1 + - net/sunrpc/xprt.c | 5 +---- - net/sunrpc/xprtsock.c | 16 +++++++++++++--- - 3 files changed, 15 insertions(+), 7 deletions(-) - ---- a/fs/file_table.c -+++ b/fs/file_table.c -@@ -375,6 +375,7 @@ void __fput_sync(struct file *file) - } - - EXPORT_SYMBOL(fput); -+EXPORT_SYMBOL(__fput_sync); - - void __init files_init(void) - { ---- a/net/sunrpc/xprt.c -+++ b/net/sunrpc/xprt.c -@@ -877,10 +877,7 @@ void xprt_connect(struct rpc_task *task) - if (!xprt_lock_write(xprt, task)) - return; - -- if (test_and_clear_bit(XPRT_CLOSE_WAIT, &xprt->state)) -- xprt->ops->close(xprt); -- -- if (!xprt_connected(xprt)) { -+ if (!xprt_connected(xprt) && !test_bit(XPRT_CLOSE_WAIT, &xprt->state)) { - task->tk_rqstp->rq_connect_cookie = xprt->connect_cookie; - rpc_sleep_on_timeout(&xprt->pending, task, NULL, - xprt_request_timeout(task->tk_rqstp)); ---- a/net/sunrpc/xprtsock.c -+++ b/net/sunrpc/xprtsock.c -@@ -965,7 +965,7 @@ static 
int xs_local_send_request(struct - - /* Close the stream if the previous transmission was incomplete */ - if (xs_send_request_was_aborted(transport, req)) { -- xs_close(xprt); -+ xprt_force_disconnect(xprt); - return -ENOTCONN; - } - -@@ -1003,7 +1003,7 @@ static int xs_local_send_request(struct - -status); - /* fall through */ - case -EPIPE: -- xs_close(xprt); -+ xprt_force_disconnect(xprt); - status = -ENOTCONN; - } - -@@ -1279,6 +1279,16 @@ static void xs_reset_transport(struct so - - if (sk == NULL) - return; -+ /* -+ * Make sure we're calling this in a context from which it is safe -+ * to call __fput_sync(). In practice that means rpciod and the -+ * system workqueue. -+ */ -+ if (!(current->flags & PF_WQ_WORKER)) { -+ WARN_ON_ONCE(1); -+ set_bit(XPRT_CLOSE_WAIT, &xprt->state); -+ return; -+ } - - if (atomic_read(&transport->xprt.swapper)) - sk_clear_memalloc(sk); -@@ -1302,7 +1312,7 @@ static void xs_reset_transport(struct so - mutex_unlock(&transport->recv_mutex); - - trace_rpc_socket_close(xprt, sock); -- fput(filp); -+ __fput_sync(filp); - - xprt_disconnect_done(xprt); - } diff --git a/patches.suse/USB-Fix-xhci-event-ring-dequeue-pointer-ERDP-update-.patch b/patches.suse/USB-Fix-xhci-event-ring-dequeue-pointer-ERDP-update-.patch new file mode 100644 index 0000000..807f4db --- /dev/null +++ b/patches.suse/USB-Fix-xhci-event-ring-dequeue-pointer-ERDP-update-.patch 
@@ -0,0 +1,58 @@ +From e91ac20889d1a26d077cc511365cd7ff4346a6f3 Mon Sep 17 00:00:00 2001 +From: Weitao Wang +Date: Fri, 8 Apr 2022 16:48:21 +0300 +Subject: [PATCH] USB: Fix xhci event ring dequeue pointer ERDP update issue +Git-commit: e91ac20889d1a26d077cc511365cd7ff4346a6f3 +References: git-fixes +Patch-mainline: v5.18-rc5 + +In some situations software handles TRB events slower than adding TRBs. +If the number of TRB events to be processed in a given interrupt is exactly +the same as the event ring size 256, then the local variable +"event_ring_deq" that holds the initial dequeue position is equal to +software_dequeue after handling all 256 interrupts. + +It will cause driver to not update ERDP to hardware, + +Software dequeue pointer is out of sync with ERDP on interrupt exit. +On the next interrupt, the event ring may full but driver will not +update ERDP as software_dequeue is equal to ERDP. + +[ 536.377115] xhci_hcd 0000:00:12.0: ERROR unknown event type 37 +[ 566.933173] sd 8:0:0:0: [sdb] tag#27 uas_eh_abort_handler 0 uas-tag 7 inflight: CMD OUT +[ 566.933181] sd 8:0:0:0: [sdb] tag#27 CDB: Write(10) 2a 00 17 71 e6 78 00 00 08 00 +[ 572.041186] xhci_hcd On some situataions,the0000:00:12.0: xHCI host not responding to stop endpoint command. +[ 572.057193] xhci_hcd 0000:00:12.0: Host halt failed, -110 +[ 572.057196] xhci_hcd 0000:00:12.0: xHCI host controller not responding, assume dead +[ 572.057236] sd 8:0:0:0: [sdb] tag#26 uas_eh_abort_handler 0 uas-tag 6 inflight: CMD +[ 572.057240] sd 8:0:0:0: [sdb] tag#26 CDB: Write(10) 2a 00 38 eb cc d8 00 00 08 00 +[ 572.057244] sd 8:0:0:0: [sdb] tag#25 uas_eh_abort_handler 0 uas-tag 5 inflight: CMD + +Hardware ERDP is updated mid event handling if there are more than 128 +events in an interrupt (half of ring size). +Fix this by updating the software local variable at the same time as +hardware ERDP. 
+ +[commit message rewording -Mathias] + +Fixes: dc0ffbea5729 ("usb: host: xhci: update event ring dequeue pointer on purpose") +Reviewed-by: Peter Chen +Signed-off-by: Weitao Wang +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20220408134823.2527272-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/xhci-ring.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2916,6 +2916,7 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd + } + + xhci_update_erst_dequeue(xhci, event_ring_deq); ++ event_ring_deq = xhci->event_ring->dequeue; + ret = IRQ_HANDLED; + + out: diff --git a/patches.suse/adm8211-fix-error-return-code-in-adm8211_probe.patch b/patches.suse/adm8211-fix-error-return-code-in-adm8211_probe.patch new file mode 100644 index 0000000..5baff36 --- /dev/null +++ b/patches.suse/adm8211-fix-error-return-code-in-adm8211_probe.patch 
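Review bot: The added `event_ring_deq = xhci->event_ring->dequeue;` follows an xhci_update_erst_dequeue() call that is immediately followed by `ret = IRQ_HANDLED;` and `out:`, where, as far as this hunk shows, the local is not read again. The commit message describes the stale value as a problem of the ERDP update made mid event handling (more than 128 events in one interrupt), so the resync is expected next to that in-loop call, if this tree carries one. The event loop lies outside the hunk, so this cannot be confirmed from here. Please check which xhci_update_erst_dequeue() call the refreshed context matched, and move the assignment if it matched the final one.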
@@ -0,0 +1,50 @@ +From 05c2a61d69ea306e891884a86486e1ef37c4b78d Mon Sep 17 00:00:00 2001 +From: Zhang Changzhong +Date: Fri, 4 Dec 2020 16:47:17 +0800 +Subject: [PATCH] adm8211: fix error return code in adm8211_probe() +Git-commit: 05c2a61d69ea306e891884a86486e1ef37c4b78d +References: git-fixes +Patch-mainline: v5.11-rc1 + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: cc0b88cf5ecf ("[PATCH] Add adm8211 802.11b wireless driver") +Reported-by: Hulk Robot +Signed-off-by: Zhang Changzhong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1607071638-33619-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/admtek/adm8211.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/admtek/adm8211.c ++++ b/drivers/net/wireless/admtek/adm8211.c +@@ -1799,6 +1799,7 @@ static int adm8211_probe(struct pci_dev + if (io_len < 256 || mem_len < 1024) { + printk(KERN_ERR "%s (adm8211): Too short PCI resources\n", + pci_name(pdev)); ++ err = -ENOMEM; + goto err_disable_pdev; + } + +@@ -1808,6 +1809,7 @@ static int adm8211_probe(struct pci_dev + if (reg != ADM8211_SIG1 && reg != ADM8211_SIG2) { + printk(KERN_ERR "%s (adm8211): Invalid signature (0x%x)\n", + pci_name(pdev), reg); ++ err = -EINVAL; + goto err_disable_pdev; + } + +@@ -1818,8 +1820,8 @@ static int adm8211_probe(struct pci_dev + return err; /* someone else grabbed it? don't disable it */ + } + +- if (pci_set_dma_mask(pdev, DMA_BIT_MASK(32)) || +- pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(32))) { ++ err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32)); ++ if (err) { + printk(KERN_ERR "%s (adm8211): No suitable DMA available\n", + pci_name(pdev)); + goto err_free_reg; 
diff --git a/patches.suse/bfq-Avoid-merging-queues-with-different-parents.patch b/patches.suse/bfq-Avoid-merging-queues-with-different-parents.patch
new file mode 100644
index 0000000..a9732f5
--- /dev/null
+++ b/patches.suse/bfq-Avoid-merging-queues-with-different-parents.patch
@@ -0,0 +1,83 @@ +From fb889bf5d394f9de2326e33a2a24e9aacafd1509 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 21 Dec 2021 19:37:32 +0100 +Subject: [PATCH 2/9] bfq: Avoid merging queues with different parents +References: bsc#1197926 +Patch-mainline: submitted, in linux-block tree + +It can happen that the parent of a bfqq changes between the moment we +decide two queues are worth to merge (and set bic->stable_merge_bfqq) +and the moment bfq_setup_merge() is called. This can happen e.g. because +the process submitted IO for a different cgroup and thus bfqq got +reparented. It can even happen that the bfqq we are merging with has +parent cgroup that is already offline and going to be destroyed in which +case the merge can lead to use-after-free issues such as: + +Bug: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50 +Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544 + +Cpu: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 +Call Trace: + + dump_stack_lvl+0x46/0x5a + print_address_description.constprop.0+0x1f/0x140 + ? __bfq_deactivate_entity+0x9cb/0xa50 + kasan_report.cold+0x7f/0x11b + ? __bfq_deactivate_entity+0x9cb/0xa50 + __bfq_deactivate_entity+0x9cb/0xa50 + ? update_curr+0x32f/0x5d0 + bfq_deactivate_entity+0xa0/0x1d0 + bfq_del_bfqq_busy+0x28a/0x420 + ? resched_curr+0x116/0x1d0 + ? bfq_requeue_bfqq+0x70/0x70 + ? check_preempt_wakeup+0x52b/0xbc0 + __bfq_bfqq_expire+0x1a2/0x270 + bfq_bfqq_expire+0xd16/0x2160 + ? try_to_wake_up+0x4ee/0x1260 + ? bfq_end_wr_async_queues+0xe0/0xe0 + ? _raw_write_unlock_bh+0x60/0x60 + ? _raw_spin_lock_irq+0x81/0xe0 + bfq_idle_slice_timer+0x109/0x280 + ? bfq_dispatch_request+0x4870/0x4870 + __hrtimer_run_queues+0x37d/0x700 + ? enqueue_hrtimer+0x1b0/0x1b0 + ? kvm_clock_get_cycles+0xd/0x10 + ? 
ktime_get_update_offsets_now+0x6f/0x280 + hrtimer_interrupt+0x2c8/0x740 + +Fix the problem by checking that the parent of the two bfqqs we are +merging in bfq_setup_merge() is the same. + +Link: https://lore.kernel.org/linux-block/20211125172809.GC19572@quack2.suse.cz/ +Cc: stable@vger.kernel.org +Fixes: 430a67f9d616 ("block, bfq: merge bursts of newly-created queues") +Tested-by: "yukuai (C)" +Signed-off-by: Jan Kara + +--- + block/bfq-iosched.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 6d122c28086e..7d00b21ebe5d 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2758,6 +2758,14 @@ bfq_setup_merge(struct bfq_queue *bfqq, struct bfq_queue *new_bfqq) + if (process_refs == 0 || new_process_refs == 0) + return NULL; + ++ /* ++ * Make sure merged queues belong to the same parent. Parents could ++ * have changed since the time we decided the two queues are suitable ++ * for merging. ++ */ ++ if (new_bfqq->entity.parent != bfqq->entity.parent) ++ return NULL; ++ + bfq_log_bfqq(bfqq->bfqd, bfqq, "scheduling merge with queue %d", + new_bfqq->pid); + +-- +2.34.1 + diff --git a/patches.suse/bfq-Drop-pointless-unlock-lock-pair.patch b/patches.suse/bfq-Drop-pointless-unlock-lock-pair.patch new file mode 100644 index 0000000..b6f5a3e --- /dev/null +++ b/patches.suse/bfq-Drop-pointless-unlock-lock-pair.patch 
@@ -0,0 +1,34 @@ +From e11c514a349976622293a43f3328107470fa3fc9 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 10 Feb 2022 16:21:39 +0100 +Subject: [PATCH 5/9] bfq: Drop pointless unlock-lock pair +References: bsc#1197926 +Patch-mainline: submitted, in linux-block tree + +In bfq_insert_request() we unlock bfqd->lock only to call +trace_block_rq_insert() and then lock bfqd->lock again. This is really +pointless since tracing is disabled if we really care about performance +and even if the tracepoint is enabled, it is a quick call. + +Cc: stable@vger.kernel.org +Tested-by: "yukuai (C)" +Signed-off-by: Jan Kara + +--- + block/bfq-iosched.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -5668,11 +5668,8 @@ static void bfq_insert_request(struct bl + return; + } + +- spin_unlock_irq(&bfqd->lock); +- + blk_mq_sched_request_inserted(rq); + +- spin_lock_irq(&bfqd->lock); + bfqq = bfq_init_rq(rq); + if (!bfqq || at_head || blk_rq_is_passthrough(rq)) { + if (at_head) diff --git a/patches.suse/bfq-Get-rid-of-__bio_blkcg-usage.patch b/patches.suse/bfq-Get-rid-of-__bio_blkcg-usage.patch new file mode 100644 index 0000000..d1ab681 --- /dev/null +++ b/patches.suse/bfq-Get-rid-of-__bio_blkcg-usage.patch 
@@ -0,0 +1,191 @@ +From cb5e5543e67afb6ee9670075531107884021da3f Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 4 Mar 2022 18:57:35 +0100 +Subject: [PATCH 8/9] bfq: Get rid of __bio_blkcg() usage +References: bsc#1197926 +Patch-mainline: submitted, in linux-block tree + +BFQ usage of __bio_blkcg() is a relict from the past. Furthermore if bio +would not be associated with any blkcg, the usage of __bio_blkcg() in +BFQ is prone to races with the task being migrated between cgroups as +__bio_blkcg() calls at different places could return different blkcgs. + +Convert BFQ to the new situation where bio->bi_blkg is initialized in +bio_set_dev() and thus practically always valid. This allows us to save +blkcg_gq lookup and noticeably simplify the code. + +Cc: stable@vger.kernel.org +Fixes: 0fe061b9f03c ("blkcg: fix ref count issue with bio_blkcg() using task_css") +Tested-by: "yukuai (C)" +Signed-off-by: Jan Kara + +--- + block/bfq-cgroup.c | 63 ++++++++++++++++++---------------------------------- + block/bfq-iosched.c | 10 -------- + block/bfq-iosched.h | 3 -- + 3 files changed, 25 insertions(+), 51 deletions(-) + +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -582,27 +582,11 @@ static void bfq_group_set_parent(struct + entity->sched_data = &parent->sched_data; + } + +-static struct bfq_group *bfq_lookup_bfqg(struct bfq_data *bfqd, +- struct blkcg *blkcg) ++static void bfq_link_bfqg(struct bfq_data *bfqd, struct bfq_group *bfqg) + { +- struct blkcg_gq *blkg; +- +- blkg = blkg_lookup(blkcg, bfqd->queue); +- if (likely(blkg)) +- return blkg_to_bfqg(blkg); +- return NULL; +-} +- +-struct bfq_group *bfq_find_set_group(struct bfq_data *bfqd, +- struct blkcg *blkcg) +-{ +- struct bfq_group *bfqg, *parent; ++ struct bfq_group *parent; + struct bfq_entity *entity; + +- bfqg = bfq_lookup_bfqg(bfqd, blkcg); +- if (unlikely(!bfqg)) +- return NULL; +- + /* + * Update chain of bfq_groups as we might be handling a leaf group + * which, along with some of its relatives, 
has not been hooked yet +@@ -619,8 +603,15 @@ struct bfq_group *bfq_find_set_group(str + bfq_group_set_parent(curr_bfqg, parent); + } + } ++} + +- return bfqg; ++struct bfq_group *bfq_bio_bfqg(struct bfq_data *bfqd, struct bio *bio) ++{ ++ struct blkcg_gq *blkg = bio->bi_blkg; ++ ++ if (!blkg) ++ return bfqd->root_group; ++ return blkg_to_bfqg(blkg); + } + + /** +@@ -690,25 +681,15 @@ void bfq_bfqq_move(struct bfq_data *bfqd + * Move bic to blkcg, assuming that bfqd->lock is held; which makes + * sure that the reference to cgroup is valid across the call (see + * comments in bfq_bic_update_cgroup on this issue) +- * +- * NOTE: an alternative approach might have been to store the current +- * cgroup in bfqq and getting a reference to it, reducing the lookup +- * time here, at the price of slightly more complex code. + */ +-static struct bfq_group *__bfq_bic_change_cgroup(struct bfq_data *bfqd, +- struct bfq_io_cq *bic, +- struct blkcg *blkcg) ++static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd, ++ struct bfq_io_cq *bic, ++ struct bfq_group *bfqg) + { + struct bfq_queue *async_bfqq = bic_to_bfqq(bic, 0); + struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, 1); +- struct bfq_group *bfqg; + struct bfq_entity *entity; + +- bfqg = bfq_find_set_group(bfqd, blkcg); +- +- if (unlikely(!bfqg)) +- bfqg = bfqd->root_group; +- + if (async_bfqq) { + entity = &async_bfqq->entity; + +@@ -760,20 +741,24 @@ static struct bfq_group *__bfq_bic_chang + void bfq_bic_update_cgroup(struct bfq_io_cq *bic, struct bio *bio) + { + struct bfq_data *bfqd = bic_to_bfqd(bic); +- struct bfq_group *bfqg = NULL; ++ struct bfq_group *bfqg = bfq_bio_bfqg(bfqd, bio); + uint64_t serial_nr; + +- rcu_read_lock(); +- serial_nr = __bio_blkcg(bio)->css.serial_nr; ++ serial_nr = bfqg_to_blkg(bfqg)->blkcg->css.serial_nr; + + /* + * Check whether blkcg has changed. The condition may trigger + * spuriously on a newly created cic but there's no harm. 
+ */ + if (unlikely(!bfqd) || likely(bic->blkcg_serial_nr == serial_nr)) +- goto out; ++ return; + +- bfqg = __bfq_bic_change_cgroup(bfqd, bic, __bio_blkcg(bio)); ++ /* ++ * New cgroup for this process. Make sure it is linked to bfq internal ++ * cgroup hierarchy. ++ */ ++ bfq_link_bfqg(bfqd, bfqg); ++ __bfq_bic_change_cgroup(bfqd, bic, bfqg); + /* + * Update blkg_path for bfq_log_* functions. We cache this + * path, and update it here, for the following +@@ -826,8 +811,6 @@ void bfq_bic_update_cgroup(struct bfq_io + */ + blkg_path(bfqg_to_blkg(bfqg), bfqg->blkg_path, sizeof(bfqg->blkg_path)); + bic->blkcg_serial_nr = serial_nr; +-out: +- rcu_read_unlock(); + } + + /** +@@ -1445,7 +1428,7 @@ void bfq_end_wr_async(struct bfq_data *b + bfq_end_wr_async_queues(bfqd, bfqd->root_group); + } + +-struct bfq_group *bfq_find_set_group(struct bfq_data *bfqd, struct blkcg *blkcg) ++struct bfq_group *bfq_bio_bfqg(struct bfq_data *bfqd, struct bio *bio) + { + return bfqd->root_group; + } +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -5267,14 +5267,7 @@ static struct bfq_queue *bfq_get_queue(s + struct bfq_queue *bfqq; + struct bfq_group *bfqg; + +- rcu_read_lock(); +- +- bfqg = bfq_find_set_group(bfqd, __bio_blkcg(bio)); +- if (!bfqg) { +- bfqq = &bfqd->oom_bfqq; +- goto out; +- } +- ++ bfqg = bfq_bio_bfqg(bfqd, bio); + if (!is_sync) { + async_bfqq = bfq_async_queue_prio(bfqd, bfqg, ioprio_class, + ioprio); +@@ -5318,7 +5311,6 @@ static struct bfq_queue *bfq_get_queue(s + out: + bfqq->ref++; /* get a process reference to this queue */ + bfq_log_bfqq(bfqd, bfqq, "get_queue, at end: %p, %d", bfqq, bfqq->ref); +- rcu_read_unlock(); + return bfqq; + } + +--- a/block/bfq-iosched.h ++++ b/block/bfq-iosched.h +@@ -985,8 +985,7 @@ void bfq_bfqq_move(struct bfq_data *bfqd + void bfq_init_entity(struct bfq_entity *entity, struct bfq_group *bfqg); + void bfq_bic_update_cgroup(struct bfq_io_cq *bic, struct bio *bio); + void bfq_end_wr_async(struct bfq_data *bfqd); +-struct 
bfq_group *bfq_find_set_group(struct bfq_data *bfqd, +- struct blkcg *blkcg); ++struct bfq_group *bfq_bio_bfqg(struct bfq_data *bfqd, struct bio *bio); + struct blkcg_gq *bfqg_to_blkg(struct bfq_group *bfqg); + struct bfq_group *bfqq_group(struct bfq_queue *bfqq); + struct bfq_group *bfq_create_group_hierarchy(struct bfq_data *bfqd, int node); diff --git a/patches.suse/bfq-Make-sure-bfqg-for-which-we-are-queueing-request.patch b/patches.suse/bfq-Make-sure-bfqg-for-which-we-are-queueing-request.patch new file mode 100644 index 0000000..73d8303 --- /dev/null +++ b/patches.suse/bfq-Make-sure-bfqg-for-which-we-are-queueing-request.patch 
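Review bot: bfq_bic_update_cgroup() now calls `bfq_bio_bfqg(bfqd, bio)` in the initializer of `bfqg`, ahead of the `unlikely(!bfqd)` test that the function keeps. bfq_bio_bfqg() returns `bfqd->root_group` when `bio->bi_blkg` is NULL, so a NULL `bfqd` would be dereferenced before the guard runs; the removed `__bio_blkcg(bio)->css.serial_nr` read did not touch `bfqd`. If `bfqd` can be NULL here (not visible in the hunk), run the guard first, `if (unlikely(!bfqd)) return;`, and only then `bfqg = bfq_bio_bfqg(bfqd, bio);`; if it cannot, the test can be dropped. Separately, `static void *__bfq_bic_change_cgroup(...)` looks as if it was meant to be `static void`, since the one caller in this hunk ignores the result; the function body ends outside the hunk.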
@@ -0,0 +1,55 @@ +From 54897528d0334bcde48fdc0a6725790f5de86c01 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 4 Mar 2022 15:50:29 +0100 +Subject: [PATCH 9/9] bfq: Make sure bfqg for which we are queueing requests is + online +References: bsc#1197926 +Patch-mainline: submitted, in linux-block tree + +Bios queued into BFQ IO scheduler can be associated with a cgroup that +was already offlined. This may then cause insertion of this bfq_group +into a service tree. But this bfq_group will get freed as soon as last +bio associated with it is completed leading to use after free issues for +service tree users. Fix the problem by making sure we always operate on +online bfq_group. If the bfq_group associated with the bio is not +online, we pick the first online parent. + +Cc: stable@vger.kernel.org +Fixes: e21b7a0b9887 ("block, bfq: add full hierarchical scheduling and cgroups support") +Tested-by: "yukuai (C)" +Signed-off-by: Jan Kara + +--- + block/bfq-cgroup.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c +index 32d2c2a47480..09574af83566 100644 +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -612,10 +612,19 @@ static void bfq_link_bfqg(struct bfq_data *bfqd, struct bfq_group *bfqg) + struct bfq_group *bfq_bio_bfqg(struct bfq_data *bfqd, struct bio *bio) + { + struct blkcg_gq *blkg = bio->bi_blkg; ++ struct bfq_group *bfqg; + +- if (!blkg) +- return bfqd->root_group; +- return blkg_to_bfqg(blkg); ++ while (blkg) { ++ bfqg = blkg_to_bfqg(blkg); ++ if (bfqg->online) { ++ bio_associate_blkg_from_css(bio, &blkg->blkcg->css); ++ return bfqg; ++ } ++ blkg = blkg->parent; ++ } ++ bio_associate_blkg_from_css(bio, ++ &bfqg_to_blkg(bfqd->root_group)->blkcg->css); ++ return bfqd->root_group; + } + + /** +-- +2.34.1 + 
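Review bot: In the new loop of bfq_bio_bfqg(), `bfqg->online` is read straight after `bfqg = blkg_to_bfqg(blkg)` with no NULL test, both for the bio's own blkg and for every `blkg->parent` visited. Whether blkg_to_bfqg() can return NULL for a blkg is not visible here, but if it can, this walk is a kernel NULL dereference. A defensive form is `if (bfqg && bfqg->online) {`, which falls through to the parent and finally to `bfqd->root_group`. A one-line comment above the function saying that it re-associates the bio through bio_associate_blkg_from_css() would also help, because the name reads like a pure lookup.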
diff --git a/patches.suse/bfq-Remove-pointless-bfq_init_rq-calls.patch b/patches.suse/bfq-Remove-pointless-bfq_init_rq-calls.patch
new file mode 100644
index 0000000..267d212
--- /dev/null
+++ b/patches.suse/bfq-Remove-pointless-bfq_init_rq-calls.patch
@@ -0,0 +1,79 @@ +From a8c18ae0f456638eec0f8c4206cad5cec11cfc5d Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 10 Feb 2022 16:30:22 +0100 +Subject: [PATCH 6/9] bfq: Remove pointless bfq_init_rq() calls +References: bsc#1197926 +Patch-mainline: submitted, in linux-block tree + +We call bfq_init_rq() from request merging functions where requests we +get should have already gone through bfq_init_rq() during insert and +anyway we want to do anything only if the request is already tracked by +BFQ. So replace calls to bfq_init_rq() with RQ_BFQQ() instead to simply +skip requests untracked by BFQ. We move bfq_init_rq() call in +bfq_insert_request() a bit earlier to cover request merging and thus +can transfer FIFO position in case of a merge. + +Cc: stable@vger.kernel.org +Tested-by: "yukuai (C)" +Signed-off-by: Jan Kara + +--- + block/bfq-iosched.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2374,8 +2374,6 @@ static int bfq_request_merge(struct requ + return ELEVATOR_NO_MERGE; + } + +-static struct bfq_queue *bfq_init_rq(struct request *rq); +- + static void bfq_request_merged(struct request_queue *q, struct request *req, + enum elv_merge type) + { +@@ -2384,7 +2382,7 @@ static void bfq_request_merged(struct re + blk_rq_pos(req) < + blk_rq_pos(container_of(rb_prev(&req->rb_node), + struct request, rb_node))) { +- struct bfq_queue *bfqq = bfq_init_rq(req); ++ struct bfq_queue *bfqq = RQ_BFQQ(req); + struct bfq_data *bfqd; + struct request *prev, *next_rq; + +@@ -2436,8 +2434,8 @@ static void bfq_request_merged(struct re + static void bfq_requests_merged(struct request_queue *q, struct request *rq, + struct request *next) + { +- struct bfq_queue *bfqq = bfq_init_rq(rq), +- *next_bfqq = bfq_init_rq(next); ++ struct bfq_queue *bfqq = RQ_BFQQ(rq), ++ *next_bfqq = RQ_BFQQ(next); + + if (!bfqq) + goto remove; +@@ -5647,6 +5645,8 @@ static inline void bfq_update_insert_sta + unsigned int 
cmd_flags) {} + #endif /* CONFIG_BFQ_CGROUP_DEBUG */ + ++static struct bfq_queue *bfq_init_rq(struct request *rq); ++ + static void bfq_insert_request(struct blk_mq_hw_ctx *hctx, struct request *rq, + bool at_head) + { +@@ -5662,6 +5662,7 @@ static void bfq_insert_request(struct bl + bfqg_stats_update_legacy_io(q, rq); + #endif + spin_lock_irq(&bfqd->lock); ++ bfqq = bfq_init_rq(rq); + if (blk_mq_sched_try_insert_merge(q, rq, &free)) { + spin_unlock_irq(&bfqd->lock); + blk_mq_free_requests(&free); +@@ -5670,7 +5671,6 @@ static void bfq_insert_request(struct bl + + blk_mq_sched_request_inserted(rq); + +- bfqq = bfq_init_rq(rq); + if (!bfqq || at_head || blk_rq_is_passthrough(rq)) { + if (at_head) + list_add(&rq->queuelist, &bfqd->dispatch); diff --git a/patches.suse/bfq-Split-shared-queues-on-move-between-cgroups.patch b/patches.suse/bfq-Split-shared-queues-on-move-between-cgroups.patch new file mode 100644 index 0000000..29e940c --- /dev/null +++ b/patches.suse/bfq-Split-shared-queues-on-move-between-cgroups.patch 
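Review bot: In bfq_insert_request(), `bfqq = bfq_init_rq(rq)` now runs before `blk_mq_sched_try_insert_merge()`, so on the early-return merge path the request has already been set up by BFQ and the function returns without touching `bfqq` again. Whether the state taken in bfq_init_rq() is dropped for a merged-away request depends on what `blk_mq_free_requests(&free)` ends up calling, which is outside this hunk; that should be confirmed on the backport base, because a missed put there would pin a bfq_queue. A comment above the call would keep the ordering from being moved back later, e.g. `/* init rq before the merge attempt so a merged rq is tracked and its FIFO position can be transferred */`. The bodies of bfq_request_merged() and bfq_requests_merged() continue past the hunk, so the NULL handling for `RQ_BFQQ(req)` and `next_bfqq` cannot be checked from here.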
@@ -0,0 +1,94 @@ +From 4a1254ae1f3f698239bba8ef4c730f5f2fc73ff0 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 21 Dec 2021 20:33:16 +0100 +Subject: [PATCH 3/9] bfq: Split shared queues on move between cgroups +References: bsc#1197926 +Patch-mainline: submitted, in linux-block tree + +When bfqq is shared by multiple processes it can happen that one of the +processes gets moved to a different cgroup (or just starts submitting IO +for different cgroup). In case that happens we need to split the merged +bfqq as otherwise we will have IO for multiple cgroups in one bfqq and +we will just account IO time to wrong entities etc. + +Similarly if the bfqq is scheduled to merge with another bfqq but the +merge didn't happen yet, cancel the merge as it need not be valid +anymore. + +Cc: stable@vger.kernel.org +Fixes: e21b7a0b9887 ("block, bfq: add full hierarchical scheduling and cgroups support") +Tested-by: "yukuai (C)" +Signed-off-by: Jan Kara + +--- + block/bfq-cgroup.c | 36 +++++++++++++++++++++++++++++++++--- + block/bfq-iosched.c | 2 +- + block/bfq-iosched.h | 1 + + 3 files changed, 35 insertions(+), 4 deletions(-) + +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -719,9 +719,39 @@ static struct bfq_group *__bfq_bic_chang + } + + if (sync_bfqq) { +- entity = &sync_bfqq->entity; +- if (entity->sched_data != &bfqg->sched_data) +- bfq_bfqq_move(bfqd, sync_bfqq, bfqg); ++ if (!sync_bfqq->new_bfqq && !bfq_bfqq_coop(sync_bfqq)) { ++ /* We are the only user of this bfqq, just move it */ ++ if (sync_bfqq->entity.sched_data != &bfqg->sched_data) ++ bfq_bfqq_move(bfqd, sync_bfqq, bfqg); ++ } else { ++ struct bfq_queue *bfqq; ++ ++ /* ++ * The queue was merged to a different queue. Check ++ * that the merge chain still belongs to the same ++ * cgroup. ++ */ ++ for (bfqq = sync_bfqq; bfqq; bfqq = bfqq->new_bfqq) ++ if (bfqq->entity.sched_data != ++ &bfqg->sched_data) ++ break; ++ if (bfqq) { ++ /* ++ * Some queue changed cgroup so the merge is ++ * not valid anymore. 
We cannot easily just ++ * cancel the merge (by clearing new_bfqq) as ++ * there may be other processes using this ++ * queue and holding refs to all queues below ++ * sync_bfqq->new_bfqq. Similarly if the merge ++ * already happened, we need to detach from ++ * bfqq now so that we cannot merge bio to a ++ * request from the old cgroup. ++ */ ++ bfq_put_cooperator(sync_bfqq); ++ bfq_release_process_ref(bfqd, sync_bfqq); ++ bic_set_bfqq(bic, NULL, 1); ++ } ++ } + } + + return bfqg; +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -5030,7 +5030,7 @@ void bfq_put_queue(struct bfq_queue *bfq + #endif + } + +-static void bfq_put_cooperator(struct bfq_queue *bfqq) ++void bfq_put_cooperator(struct bfq_queue *bfqq) + { + struct bfq_queue *__bfqq, *next; + +--- a/block/bfq-iosched.h ++++ b/block/bfq-iosched.h +@@ -955,6 +955,7 @@ void bfq_weights_tree_remove(struct bfq_ + void bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq, + bool compensate, enum bfqq_expiration reason); + void bfq_put_queue(struct bfq_queue *bfqq); ++void bfq_put_cooperator(struct bfq_queue *bfqq); + void bfq_end_wr_async_queues(struct bfq_data *bfqd, struct bfq_group *bfqg); + void bfq_release_process_ref(struct bfq_data *bfqd, struct bfq_queue *bfqq); + void bfq_schedule_dispatch(struct bfq_data *bfqd); diff --git a/patches.suse/bfq-Track-whether-bfq_group-is-still-online.patch b/patches.suse/bfq-Track-whether-bfq_group-is-still-online.patch new file mode 100644 index 0000000..da2ebc0 --- /dev/null +++ b/patches.suse/bfq-Track-whether-bfq_group-is-still-online.patch 
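Review bot: In the new else-branch of __bfq_bic_change_cgroup(), `bfq_release_process_ref(bfqd, sync_bfqq)` runs before `bic_set_bfqq(bic, NULL, 1)`, so the bic still points at the queue after its process reference has been dropped. If that was the last reference the queue may already be freed, and anything bic_set_bfqq() does with the old pointer would touch freed memory (neither helper's body is visible here, so this is a hedge rather than a confirmed bug). Clearing the bic first closes the window: `bic_set_bfqq(bic, NULL, 1);` followed by `bfq_release_process_ref(bfqd, sync_bfqq);`, with `bfq_put_cooperator(sync_bfqq)` staying first. Separately, the `for (bfqq = sync_bfqq; bfqq; bfqq = bfqq->new_bfqq)` loop has a multi-line body and would be safer to maintain with braces.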
@@ -0,0 +1,67 @@
+From abca8b2072779efa72ef2f45bad405c95c1eba1d Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Fri, 4 Mar 2022 15:35:37 +0100
+Subject: [PATCH 7/9] bfq: Track whether bfq_group is still online
+References: bsc#1197926
+Patch-mainline: submitted, in linux-block tree
+
+Track whether bfq_group is still online. We cannot rely on
+blkcg_gq->online because that gets cleared only after all policies are
+offlined and we need something that gets updated already under
+bfqd->lock when we are cleaning up our bfq_group to be able to guarantee
+that when we see online bfq_group, it will stay online while we are
+holding bfqd->lock lock.
+
+Cc: stable@vger.kernel.org
+Tested-by: "yukuai (C)"
+Signed-off-by: Jan Kara
+
+---
+ block/bfq-cgroup.c | 3 ++-
+ block/bfq-iosched.h | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
+index 9352f3cc2377..879380c2bc7e 100644
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -557,6 +557,7 @@ static void bfq_pd_init(struct blkg_policy_data *pd)
+ */
+ bfqg->bfqd = bfqd;
+ bfqg->active_entities = 0;
++ bfqg->online = true;
+ bfqg->rq_pos_tree = RB_ROOT;
+ }
+
+@@ -603,7 +604,6 @@ struct bfq_group *bfq_find_set_group(struct bfq_data *bfqd,
+ struct bfq_entity *entity;
+
+ bfqg = bfq_lookup_bfqg(bfqd, blkcg);
+-
+ if (unlikely(!bfqg))
+ return NULL;
+
+@@ -979,6 +979,7 @@ static void bfq_pd_offline(struct blkg_policy_data *pd)
+
+ put_async_queues:
+ bfq_put_async_queues(bfqd, bfqg);
++ bfqg->online = false;
+
+ spin_unlock_irqrestore(&bfqd->lock, flags);
+ /*
+diff --git a/block/bfq-iosched.h b/block/bfq-iosched.h
+index a56763045d19..4664e2f3e828 100644
+--- a/block/bfq-iosched.h
++++ b/block/bfq-iosched.h
+@@ -928,6 +928,8 @@ struct bfq_group {
+
+ /* reference counter (see comments in bfq_bic_update_cgroup) */
+ int ref;
++ /* Is bfq_group still online? */
++ bool online;
+
+ struct bfq_entity entity;
+ struct bfq_sched_data sched_data;
+--
+2.34.1
+
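Review bot: The new `online` field in struct bfq_group is documented only as `/* Is bfq_group still online? */`, while the patch description makes its correctness depend on bfqd->lock: it is cleared in bfq_pd_offline() before `spin_unlock_irqrestore(&bfqd->lock, flags)` so that a reader holding the lock can trust it. That rule belongs on the field, e.g. `/* Is bfq_group still online? Cleared under bfqd->lock; only trust it with bfqd->lock held. */`. bfq_pd_init() sets `online = true` with no locking visible in the hunk, presumably because the group is not yet reachable by readers; a short comment saying so would help. The blank-line removal in bfq_find_set_group() is unrelated to the change and could be dropped.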
diff --git a/patches.suse/bfq-Update-cgroup-information-before-merging-bio.patch b/patches.suse/bfq-Update-cgroup-information-before-merging-bio.patch
new file mode 100644
index 0000000..9838c76
--- /dev/null
+++ b/patches.suse/bfq-Update-cgroup-information-before-merging-bio.patch
@@ -0,0 +1,51 @@
+From 5eabbf4eed4a10bc5a0b28436ed79e87d25b008b Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Wed, 5 Jan 2022 14:21:04 +0100
+Subject: [PATCH 4/9] bfq: Update cgroup information before merging bio
+References: bsc#1197926
+Patch-mainline: submitted, in linux-block tree
+
+When the process is migrated to a different cgroup (or in case of
+writeback just starts submitting bios associated with a different
+cgroup) bfq_merge_bio() can operate with stale cgroup information in
+bic. Thus the bio can be merged to a request from a different cgroup or
+it can result in merging of bfqqs for different cgroups or bfqqs of
+already dead cgroups and causing possible use-after-free issues. Fix the
+problem by updating cgroup information in bfq_merge_bio().
+
+Cc: stable@vger.kernel.org
+Fixes: e21b7a0b9887 ("block, bfq: add full hierarchical scheduling and cgroups support")
+Tested-by: "yukuai (C)"
+Signed-off-by: Jan Kara
+
+---
+ block/bfq-iosched.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 89fe3f85eb3c..1fc4d4628fba 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -2457,10 +2457,17 @@ static bool bfq_bio_merge(struct request_queue *q, struct bio *bio,
+
+ spin_lock_irq(&bfqd->lock);
+
+- if (bic)
++ if (bic) {
++ /*
++ * Make sure cgroup info is uptodate for current process before
++ * considering the merge.
++ */
++ bfq_bic_update_cgroup(bic, bio);
++
+ bfqd->bio_bfqq = bic_to_bfqq(bic, op_is_sync(bio->bi_opf));
+- else
++ } else {
+ bfqd->bio_bfqq = NULL;
++ }
+ bfqd->bio_bic = bic;
+
+ ret = blk_mq_sched_try_merge(q, bio, nr_segs, &free);
+--
+2.34.1
+
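Review bot: After the added `bfq_bic_update_cgroup(bic, bio)` call in bfq_bio_merge(), `bic_to_bfqq()` can presumably return NULL even though `bic` is non-NULL, because the "Split shared queues on move between cgroups" patch in this same series detaches the sync queue with `bic_set_bfqq(bic, NULL, 1)` on the cgroup-change path. `bfqd->bio_bfqq` is then NULL while `bfqd->bio_bic` is set, and the merge callbacks reached through `blk_mq_sched_try_merge()` are outside this hunk, so their handling of that combination should be confirmed on the backport base. The added comment could record it: `/* Update cgroup info first; this may detach bic's sync queue, leaving bio_bfqq NULL. */`.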
diff --git a/patches.suse/bnx2x-fix-napi-API-usage-sequence.patch b/patches.suse/bnx2x-fix-napi-API-usage-sequence.patch
new file mode 100644
index 0000000..49b0ba5
--- /dev/null
+++ b/patches.suse/bnx2x-fix-napi-API-usage-sequence.patch
@@ -0,0 +1,145 @@ +From: Manish Chopra +Date: Tue, 26 Apr 2022 08:39:13 -0700 +Subject: bnx2x: fix napi API usage sequence +Patch-mainline: v5.18-rc5 +Git-commit: af68656d66eda219b7f55ce8313a1da0312c79e1 +References: bsc#1198217 + +While handling PCI errors (AER flow) driver tries to +disable NAPI [napi_disable()] after NAPI is deleted +[__netif_napi_del()] which causes unexpected system +hang/crash. + +System message log shows the following: +======================================= +[ 3222.537510] EEH: Detected PCI bus error on PHB#384-PE#800000 [ 3222.537511] EEH: This PCI device has failed 2 times in the last hour and will be permanently disabled after 5 failures. +[ 3222.537512] EEH: Notify device drivers to shutdown [ 3222.537513] EEH: Beginning: 'error_detected(IO frozen)' +[ 3222.537514] EEH: PE#800000 (PCI 0384:80:00.0): Invoking +bnx2x->error_detected(IO frozen) +[ 3222.537516] bnx2x: [bnx2x_io_error_detected:14236(eth14)]IO error detected [ 3222.537650] EEH: PE#800000 (PCI 0384:80:00.0): bnx2x driver reports: +'need reset' +[ 3222.537651] EEH: PE#800000 (PCI 0384:80:00.1): Invoking +bnx2x->error_detected(IO frozen) +[ 3222.537651] bnx2x: [bnx2x_io_error_detected:14236(eth13)]IO error detected [ 3222.537729] EEH: PE#800000 (PCI 0384:80:00.1): bnx2x driver reports: +'need reset' +[ 3222.537729] EEH: Finished:'error_detected(IO frozen)' with aggregate recovery state:'need reset' +[ 3222.537890] EEH: Collect temporary log [ 3222.583481] EEH: of node=0384:80:00.0 [ 3222.583519] EEH: PCI device/vendor: 168e14e4 [ 3222.583557] EEH: PCI cmd/status register: 00100140 [ 3222.583557] EEH: PCI-E capabilities and status follow: +[ 3222.583744] EEH: PCI-E 00: 00020010 012c8da2 00095d5e 00455c82 [ 3222.583892] EEH: PCI-E 10: 10820000 00000000 00000000 00000000 [ 3222.583893] EEH: PCI-E 20: 00000000 [ 3222.583893] EEH: PCI-E AER capability register set follows: +[ 3222.584079] EEH: PCI-E AER 00: 13c10001 00000000 00000000 00062030 [ 3222.584230] EEH: PCI-E AER 10: 
00002000 000031c0 000001e0 00000000 [ 3222.584378] EEH: PCI-E AER 20: 00000000 00000000 00000000 00000000 [ 3222.584416] EEH: PCI-E AER 30: 00000000 00000000 [ 3222.584416] EEH: of node=0384:80:00.1 [ 3222.584454] EEH: PCI device/vendor: 168e14e4 [ 3222.584491] EEH: PCI cmd/status register: 00100140 [ 3222.584492] EEH: PCI-E capabilities and status follow: +[ 3222.584677] EEH: PCI-E 00: 00020010 012c8da2 00095d5e 00455c82 [ 3222.584825] EEH: PCI-E 10: 10820000 00000000 00000000 00000000 [ 3222.584826] EEH: PCI-E 20: 00000000 [ 3222.584826] EEH: PCI-E AER capability register set follows: +[ 3222.585011] EEH: PCI-E AER 00: 13c10001 00000000 00000000 00062030 [ 3222.585160] EEH: PCI-E AER 10: 00002000 000031c0 000001e0 00000000 [ 3222.585309] EEH: PCI-E AER 20: 00000000 00000000 00000000 00000000 [ 3222.585347] EEH: PCI-E AER 30: 00000000 00000000 [ 3222.586872] RTAS: event: 5, Type: Platform Error (224), Severity: 2 [ 3222.586873] EEH: Reset without hotplug activity [ 3224.762767] EEH: Beginning: 'slot_reset' +[ 3224.762770] EEH: PE#800000 (PCI 0384:80:00.0): Invoking +bnx2x->slot_reset() +[ 3224.762771] bnx2x: [bnx2x_io_slot_reset:14271(eth14)]IO slot reset initializing... 
+[ 3224.762887] bnx2x 0384:80:00.0: enabling device (0140 -> 0142) [ 3224.768157] bnx2x: [bnx2x_io_slot_reset:14287(eth14)]IO slot reset +--> driver unload + +Uninterruptible tasks +===================== +crash> ps | grep UN + 213 2 11 c000000004c89e00 UN 0.0 0 0 [eehd] + 215 2 0 c000000004c80000 UN 0.0 0 0 +[kworker/0:2] + 2196 1 28 c000000004504f00 UN 0.1 15936 11136 wickedd + 4287 1 9 c00000020d076800 UN 0.0 4032 3008 agetty + 4289 1 20 c00000020d056680 UN 0.0 7232 3840 agetty + 32423 2 26 c00000020038c580 UN 0.0 0 0 +[kworker/26:3] + 32871 4241 27 c0000002609ddd00 UN 0.1 18624 11648 sshd + 32920 10130 16 c00000027284a100 UN 0.1 48512 12608 sendmail + 33092 32987 0 c000000205218b00 UN 0.1 48512 12608 sendmail + 33154 4567 16 c000000260e51780 UN 0.1 48832 12864 pickup + 33209 4241 36 c000000270cb6500 UN 0.1 18624 11712 sshd + 33473 33283 0 c000000205211480 UN 0.1 48512 12672 sendmail + 33531 4241 37 c00000023c902780 UN 0.1 18624 11648 sshd + +EEH handler hung while bnx2x sleeping and holding RTNL lock +=========================================================== +crash> bt 213 +PID: 213 TASK: c000000004c89e00 CPU: 11 COMMAND: "eehd" + #0 [c000000004d477e0] __schedule at c000000000c70808 + #1 [c000000004d478b0] schedule at c000000000c70ee0 + #2 [c000000004d478e0] schedule_timeout at c000000000c76dec + #3 [c000000004d479c0] msleep at c0000000002120cc + #4 [c000000004d479f0] napi_disable at c000000000a06448 + ^^^^^^^^^^^^^^^^ + #5 [c000000004d47a30] bnx2x_netif_stop at c0080000018dba94 [bnx2x] + #6 [c000000004d47a60] bnx2x_io_slot_reset at c0080000018a551c [bnx2x] + #7 [c000000004d47b20] eeh_report_reset at c00000000004c9bc + #8 [c000000004d47b90] eeh_pe_report at c00000000004d1a8 + #9 [c000000004d47c40] eeh_handle_normal_event at c00000000004da64 + +And the sleeping source code +============================ +crash> dis -ls c000000000a06448 +FILE: ../net/core/dev.c +LINE: 6702 + + 6697 { + 6698 might_sleep(); + 6699 set_bit(NAPI_STATE_DISABLE, &n->state); + 6700 + 
6701 while (test_and_set_bit(NAPI_STATE_SCHED, &n->state)) +* 6702 msleep(1); + 6703 while (test_and_set_bit(NAPI_STATE_NPSVC, &n->state)) + 6704 msleep(1); + 6705 + 6706 hrtimer_cancel(&n->timer); + 6707 + 6708 clear_bit(NAPI_STATE_DISABLE, &n->state); + 6709 } + +EEH calls into bnx2x twice based on the system log above, first through +bnx2x_io_error_detected() and then bnx2x_io_slot_reset(), and executes +the following call chains: + +bnx2x_io_error_detected() + +-> bnx2x_eeh_nic_unload() + +-> bnx2x_del_all_napi() + +-> __netif_napi_del() + +bnx2x_io_slot_reset() + +-> bnx2x_netif_stop() + +-> bnx2x_napi_disable() + +->napi_disable() + +Fix this by correcting the sequence of NAPI APIs usage, +that is delete the NAPI after disabling it. + +Fixes: 7fa6f34081f1 ("bnx2x: AER revised") +Reported-by: David Christensen +Tested-by: David Christensen +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Link: https://lore.kernel.org/r/20220426153913.6966-1-manishc@marvell.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -14195,10 +14195,6 @@ static int bnx2x_eeh_nic_unload(struct b + + /* Stop Tx */ + bnx2x_tx_disable(bp); +- /* Delete all NAPI objects */ +- bnx2x_del_all_napi(bp); +- if (CNIC_LOADED(bp)) +- bnx2x_del_all_napi_cnic(bp); + netdev_reset_tc(bp->dev); + + del_timer_sync(&bp->timer); +@@ -14303,6 +14299,11 @@ static pci_ers_result_t bnx2x_io_slot_re + bnx2x_drain_tx_queues(bp); + bnx2x_send_unload_req(bp, UNLOAD_RECOVERY); + bnx2x_netif_stop(bp, 1); ++ bnx2x_del_all_napi(bp); ++ ++ if (CNIC_LOADED(bp)) ++ bnx2x_del_all_napi_cnic(bp); ++ + bnx2x_free_irq(bp); + + /* Report UNLOAD_DONE to MCP */ 
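Review bot: With `bnx2x_del_all_napi()` removed from bnx2x_eeh_nic_unload() and added only inside bnx2x_io_slot_reset(), NAPI deletion during error recovery now depends on slot_reset being invoked and reaching that block. The condition enclosing the added lines is outside the hunk, so on the backport base it is worth checking that every outcome after bnx2x_eeh_nic_unload() (slot_reset not called, recovery abandoned, interface not running) still deletes the NAPI objects before they are added again on reload or the netdev is released. A one-line comment at the new call would protect the ordering the fix depends on: `/* NAPI must be disabled by bnx2x_netif_stop() before it is deleted */`.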
diff --git a/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch b/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch
new file mode 100644
index 0000000..556e014
--- /dev/null
+++ b/patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch
@@ -0,0 +1,99 @@ +From a472ad2bcea479ba068880125d7273fc95c14b70 Mon Sep 17 00:00:00 2001 +From: Chen Yu +Date: Fri, 10 Jul 2020 12:12:01 +0800 +Subject: [PATCH] intel_idle: Customize IceLake server support +Git-commit: a472ad2bcea479ba068880125d7273fc95c14b70 +Patch-mainline: v5.9-rc1 +References: jsc#SLE-12679 + +On ICX platform, the C1E auto-promotion is enabled by default. +As a result, the CPU might fall into C1E more offen than previous +platforms. Besides, the C1E is not exposed to sysfs on ICX, which +is inconsistent with previous server platforms. + +So disable C1E auto-promotion and expose C1E as a separate idle +state, so the C1E and C6 can be disabled via sysfs when necessary. + +Beside C1 and C1E, the exit latency of C6 was measured +by a dedicated tool. However the exit latency(41us) exposed +by _CST is much smaller than the one we measured(128us). This +is probably due to the _CST uses the exit latency when woken +up from PC0+C6, rather than PC6+C6 when C6 was measured. Choose +the latter as we need the longest latency in theory. + +Reported-by: kernel test robot +Tested-by: Artem Bityutskiy +Acked-by: Artem Bityutskiy +Reviewed-by: Zhang Rui +Signed-off-by: Chen Yu +Signed-off-by: Rafael J. 
Wysocki +Acked-by: Takashi Iwai + +--- + drivers/idle/intel_idle.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c +index 3f86f36dab2b..fd0fa9e7900b 100644 +--- a/drivers/idle/intel_idle.c ++++ b/drivers/idle/intel_idle.c +@@ -752,6 +752,35 @@ static struct cpuidle_state skx_cstates[] __initdata = { + .enter = NULL } + }; + ++static struct cpuidle_state icx_cstates[] __initdata = { ++ { ++ .name = "C1", ++ .desc = "MWAIT 0x00", ++ .flags = MWAIT2flg(0x00), ++ .exit_latency = 1, ++ .target_residency = 1, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .name = "C1E", ++ .desc = "MWAIT 0x01", ++ .flags = MWAIT2flg(0x01) | CPUIDLE_FLAG_ALWAYS_ENABLE, ++ .exit_latency = 4, ++ .target_residency = 4, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .name = "C6", ++ .desc = "MWAIT 0x20", ++ .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED, ++ .exit_latency = 128, ++ .target_residency = 384, ++ .enter = &intel_idle, ++ .enter_s2idle = intel_idle_s2idle, }, ++ { ++ .enter = NULL } ++}; ++ + static struct cpuidle_state atom_cstates[] __initdata = { + { + .name = "C1E", +@@ -1056,6 +1085,12 @@ static const struct idle_cpu idle_cpu_skx __initconst = { + .use_acpi = true, + }; + ++static const struct idle_cpu idle_cpu_icx __initconst = { ++ .state_table = icx_cstates, ++ .disable_promotion_to_c1e = true, ++ .use_acpi = true, ++}; ++ + static const struct idle_cpu idle_cpu_avn __initconst = { + .state_table = avn_cstates, + .disable_promotion_to_c1e = true, +@@ -1110,6 +1145,7 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { + X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE_L, &idle_cpu_skl), + X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE, &idle_cpu_skl), + X86_MATCH_INTEL_FAM6_MODEL(SKYLAKE_X, &idle_cpu_skx), ++ X86_MATCH_INTEL_FAM6_MODEL(ICELAKE_X, &idle_cpu_icx), + X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNL, &idle_cpu_knl), + 
X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNM, &idle_cpu_knl), + X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, &idle_cpu_bxt), +-- +2.16.4 + diff --git a/patches.suse/cgroup-verify-that-source-is-a-string.patch b/patches.suse/cgroup-verify-that-source-is-a-string.patch index e266e82..674082f 100644 --- a/patches.suse/cgroup-verify-that-source-is-a-string.patch +++ b/patches.suse/cgroup-verify-that-source-is-a-string.patch @@ -3,7 +3,7 @@ Date: Wed, 14 Jul 2021 15:47:49 +0200 Subject: cgroup: verify that source is a string Git-commit: 3b0462726e7ef281c35a7a4ae33e93ee2bc9975b Patch-mainline: v5.14-rc2 -References: bsc#1190131 +References: bsc#1190131 bsc#1193842 CVE-2021-4154 The following sequence can be used to trigger a UAF: diff --git a/patches.suse/drm-add-a-locked-version-of-drm_is_current_master-1f7ef07cfa14.patch b/patches.suse/drm-add-a-locked-version-of-drm_is_current_master-1f7ef07cfa14.patch deleted file mode 100644 index 3d2b849..0000000 --- a/patches.suse/drm-add-a-locked-version-of-drm_is_current_master-1f7ef07cfa14.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 1f7ef07cfa14fb8557d1f1b7a14c76926142a4fb Mon Sep 17 00:00:00 2001 -From: Desmond Cheong Zhi Xi -Date: Mon, 12 Jul 2021 12:35:06 +0800 -Subject: [PATCH] drm: add a locked version of drm_is_current_master -Git-commit: 1f7ef07cfa14fb8557d1f1b7a14c76926142a4fb -Patch-mainline: v5.15-rc1 -References: CVE-2022-1280 bsc#1197914 - -While checking the master status of the DRM file in -drm_is_current_master(), the device's master mutex should be -held. Without the mutex, the pointer fpriv->master may be freed -concurrently by another process calling drm_setmaster_ioctl(). This -could lead to use-after-free errors when the pointer is subsequently -dereferenced in drm_lease_owner(). - -The callers of drm_is_current_master() from drm_auth.c hold the -device's master mutex, but external callers do not. Hence, we implement -drm_is_current_master_locked() to be used within drm_auth.c, and -modify drm_is_current_master() to grab the device's master mutex -before checking the master status. - -Reported-by: Daniel Vetter -Signed-off-by: Desmond Cheong Zhi Xi -Reviewed-by: Emil Velikov -Signed-off-by: Daniel Vetter -Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-4-desmondcheongzx@gmail.com -Acked-by: Takashi Iwai - ---- - drivers/gpu/drm/drm_auth.c | 51 ++++++++++++++++++++++++++++----------------- - 1 file changed, 32 insertions(+), 19 deletions(-) - ---- a/drivers/gpu/drm/drm_auth.c -+++ b/drivers/gpu/drm/drm_auth.c -@@ -61,6 +61,35 @@ - * trusted clients. - */ - -+static bool drm_is_current_master_locked(struct drm_file *fpriv) -+{ -+ lockdep_assert_held_once(&fpriv->minor->dev->master_mutex); -+ -+ return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master; -+} -+ -+/** -+ * drm_is_current_master - checks whether @priv is the current master -+ * @fpriv: DRM file private -+ * -+ * Checks whether @fpriv is current master on its device. This decides whether a -+ * client is allowed to run DRM_MASTER IOCTLs. 
-+ * -+ * Most of the modern IOCTL which require DRM_MASTER are for kernel modesetting -+ * - the current master is assumed to own the non-shareable display hardware. -+ */ -+bool drm_is_current_master(struct drm_file *fpriv) -+{ -+ bool ret; -+ -+ mutex_lock(&fpriv->minor->dev->master_mutex); -+ ret = drm_is_current_master_locked(fpriv); -+ mutex_unlock(&fpriv->minor->dev->master_mutex); -+ -+ return ret; -+} -+EXPORT_SYMBOL(drm_is_current_master); -+ - int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv) - { - struct drm_auth *auth = data; -@@ -223,7 +252,7 @@ int drm_setmaster_ioctl(struct drm_devic - if (ret) - goto out_unlock; - -- if (drm_is_current_master(file_priv)) -+ if (drm_is_current_master_locked(file_priv)) - goto out_unlock; - - if (dev->master) { -@@ -272,7 +301,7 @@ int drm_dropmaster_ioctl(struct drm_devi - if (ret) - goto out_unlock; - -- if (!drm_is_current_master(file_priv)) { -+ if (!drm_is_current_master_locked(file_priv)) { - ret = -EINVAL; - goto out_unlock; - } -@@ -321,7 +350,7 @@ void drm_master_release(struct drm_file - if (file_priv->magic) - idr_remove(&file_priv->master->magic_map, file_priv->magic); - -- if (!drm_is_current_master(file_priv)) -+ if (!drm_is_current_master_locked(file_priv)) - goto out; - - drm_legacy_lock_master_cleanup(dev, master); -@@ -343,22 +372,6 @@ out: - } - - /** -- * drm_is_current_master - checks whether @priv is the current master -- * @fpriv: DRM file private -- * -- * Checks whether @fpriv is current master on its device. This decides whether a -- * client is allowed to run DRM_MASTER IOCTLs. -- * -- * Most of the modern IOCTL which require DRM_MASTER are for kernel modesetting -- * - the current master is assumed to own the non-shareable display hardware. 
-- */ --bool drm_is_current_master(struct drm_file *fpriv) --{ -- return fpriv->is_master && drm_lease_owner(fpriv->master) == fpriv->minor->dev->master; --} --EXPORT_SYMBOL(drm_is_current_master); -- --/** - * drm_master_get - reference a master pointer - * @master: &struct drm_master - * diff --git a/patches.suse/drm-add-a-locked-version-of-drm_is_current_master.patch b/patches.suse/drm-add-a-locked-version-of-drm_is_current_master.patch index b891905..5f28611 100644 --- a/patches.suse/drm-add-a-locked-version-of-drm_is_current_master.patch +++ b/patches.suse/drm-add-a-locked-version-of-drm_is_current_master.patch @@ -1,10 +1,10 @@ -From 1815d9c86e3090477fbde066ff314a7e9721ee0f Mon Sep 17 00:00:00 2001 +From 1f7ef07cfa14fb8557d1f1b7a14c76926142a4fb Mon Sep 17 00:00:00 2001 From: Desmond Cheong Zhi Xi -Date: Sun, 20 Jun 2021 19:03:26 +0800 +Date: Mon, 12 Jul 2021 12:35:06 +0800 Subject: [PATCH] drm: add a locked version of drm_is_current_master -Git-commit: 1815d9c86e3090477fbde066ff314a7e9721ee0f -Patch-mainline: v5.13 -References: git-fixes +Git-commit: 1f7ef07cfa14fb8557d1f1b7a14c76926142a4fb +Patch-mainline: v5.15-rc1 +References: CVE-2022-1280 bsc#1197914 While checking the master status of the DRM file in drm_is_current_master(), the device's master mutex should be diff --git a/patches.suse/drm-mediatek-Fix-aal-size-config.patch b/patches.suse/drm-mediatek-Fix-aal-size-config.patch deleted file mode 100644 index c7efa72..0000000 --- a/patches.suse/drm-mediatek-Fix-aal-size-config.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 71dcadba34203d8dd35152e368720f977e9cdb81 Mon Sep 17 00:00:00 2001 -From: Yongqiang Niu -Date: Mon, 11 Jan 2021 15:43:47 +0800 -Subject: drm/mediatek: Fix aal size config -Git-commit: 71dcadba34203d8dd35152e368720f977e9cdb81 -Patch-mainline: v5.12-rc1 -References: git-fixes - -The orginal setting is not correct, fix it to follow hardware data sheet. -If keep this error setting, mt8173/mt8183 display ok -but mt8192 display abnormal. - -Fixes: 0664d1392c26 ("drm/mediatek: Add AAL engine basic function") - -Signed-off-by: Yongqiang Niu -Signed-off-by: Chun-Kuang Hu -Signed-off-by: Patrik Jakobsson ---- - drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c -+++ b/drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c -@@ -178,7 +178,7 @@ - unsigned int h, unsigned int vrefresh, - unsigned int bpc, struct cmdq_pkt *cmdq_pkt) - { -- mtk_ddp_write(cmdq_pkt, h << 16 | w, comp, DISP_AAL_SIZE); -+ mtk_ddp_write(cmdq_pkt, w << 16 | h, comp, DISP_AAL_SIZE); - } - - static void mtk_aal_start(struct mtk_ddp_comp *comp) diff --git a/patches.suse/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch b/patches.suse/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch index 665622f..8a14e65 100644 --- a/patches.suse/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch +++ b/patches.suse/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch @@ -7,7 +7,7 @@ Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 5de5b6ecf97a021f29403aa272cb4e03318ef586 Patch-mainline: v5.9-rc1 -References: jsc#SLE-12680, jsc#SLE-12880, jsc#SLE-12882, jsc#SLE-12883, jsc#SLE-13496, jsc#SLE-15322 +References: jsc#SLE-12680, jsc#SLE-12880, jsc#SLE-12882, jsc#SLE-12883, jsc#SLE-13496, jsc#SLE-15322 bsc#1175232 CVE-2021-20292 bsc#1183723 git-fixes This is confusing, and from my reading of all the drivers only nouveau got this right. 
diff --git a/patches.suse/drm-use-the-lookup-lock-in-drm_is_current_master.patch b/patches.suse/drm-use-the-lookup-lock-in-drm_is_current_master.patch index 039a9d4..fca1d42 100644 --- a/patches.suse/drm-use-the-lookup-lock-in-drm_is_current_master.patch +++ b/patches.suse/drm-use-the-lookup-lock-in-drm_is_current_master.patch @@ -29,7 +29,7 @@ Acked-by: Takashi Iwai static bool drm_is_current_master_locked(struct drm_file *fpriv) { -- lockdep_assert_held_once(&fpriv->minor->dev->master_mutex); +- lockdep_assert_held_once(&fpriv->master->dev->master_mutex); - + /* Either drm_device.master_mutex or drm_file.master_lookup_lock + * should be held here. @@ -41,10 +41,10 @@ Acked-by: Takashi Iwai { bool ret; -- mutex_lock(&fpriv->minor->dev->master_mutex); +- mutex_lock(&fpriv->master->dev->master_mutex); + spin_lock(&fpriv->master_lookup_lock); ret = drm_is_current_master_locked(fpriv); -- mutex_unlock(&fpriv->minor->dev->master_mutex); +- mutex_unlock(&fpriv->master->dev->master_mutex); + spin_unlock(&fpriv->master_lookup_lock); return ret; diff --git a/patches.suse/drm-vc4-crtc-Lookup-the-encoder-from-the-register-at-boot.patch b/patches.suse/drm-vc4-crtc-Lookup-the-encoder-from-the-register-at-boot.patch new file mode 100644 index 0000000..d526e7d --- /dev/null +++ b/patches.suse/drm-vc4-crtc-Lookup-the-encoder-from-the-register-at-boot.patch 
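Review bot: The refreshed removed lines in both hunks now take the lock through `fpriv->master->dev->master_mutex`, whereas the copy of 1f7ef07cfa14 deleted earlier in this commit used `fpriv->minor->dev->master_mutex`. That suggests the retained drm-add-a-locked-version-of-drm_is_current_master.patch still carries its older body and only had its From/Date/Git-commit/Patch-mainline/References header rewritten to name 1f7ef07cfa14 and CVE-2022-1280, since its hunk touches header lines only. Reaching the mutex through `fpriv->master` reads the very pointer the patch description says can be freed concurrently, before any lock is held, so a tree with only that patch applied would not match the fix it is recorded as. This patch replaces the mutex with `master_lookup_lock`, which limits the exposure in the final series, but the retained patch body should be checked against the upstream commit it now names and, if they differ, use `&fpriv->minor->dev->master_mutex` as the deleted copy did.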
@@ -0,0 +1,107 @@ +From: Maxime Ripard +Date: Fri, 7 May 2021 17:05:08 +0200 +Subject: drm/vc4: crtc: Lookup the encoder from the register at boot +Git-commit: b601c16b7ba8f3bb7a7e773b238da6b63657fa1d +Patch-mainline: v5.14-rc1 +References: bsc#1198534 + +At boot, we can't rely on the vc4_get_crtc_encoder since we don't have a +state yet and thus will not be able to figure out which connector is +attached to our CRTC. + +However, we have a muxing bit in the CRTC register we can use to get the +encoder currently connected to the pixelvalve. We can thus read that +register, lookup the associated register through the vc4_pv_data +structure, and then pass it to vc4_crtc_disable so that we can perform +the proper operations. + +Fixes: 875a4d536842 ("drm/vc4: drv: Disable the CRTC at boot time") +Signed-off-by: Maxime Ripard +Reviewed-by: Dave Stevenson +Link: https://patchwork.freedesktop.org/patch/msgid/20210507150515.257424-6-maxime@cerno.tech +[iivanov: adapted on top of SLE15-SP3] +Acked-by: Ivan T. 
Ivanov +--- + drivers/gpu/drm/vc4/vc4_crtc.c | 39 +++++++++++++++++++++++++++++++++++---- + 1 file changed, 35 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/vc4/vc4_crtc.c ++++ b/drivers/gpu/drm/vc4/vc4_crtc.c +@@ -420,9 +420,10 @@ static void require_hvs_enabled(struct d + SCALER_DISPCTRL_ENABLE); + } + +-static int vc4_crtc_disable(struct drm_crtc *crtc, unsigned int channel) ++static int vc4_crtc_disable(struct drm_crtc *crtc, ++ struct drm_encoder *encoder, ++ unsigned int channel) + { +- struct drm_encoder *encoder = vc4_get_crtc_encoder(crtc); + struct vc4_encoder *vc4_encoder = to_vc4_encoder(encoder); + struct vc4_crtc *vc4_crtc = to_vc4_crtc(crtc); + struct drm_device *dev = crtc->dev; +@@ -463,10 +464,29 @@ static int vc4_crtc_disable(struct drm_c + return 0; + } + ++static struct drm_encoder *vc4_crtc_get_encoder_by_type(struct drm_crtc *crtc, ++ enum vc4_encoder_type type) ++{ ++ struct drm_encoder *encoder; ++ ++ drm_for_each_encoder(encoder, crtc->dev) { ++ struct vc4_encoder *vc4_encoder = to_vc4_encoder(encoder); ++ ++ if (vc4_encoder->type == type) ++ return encoder; ++ } ++ ++ return NULL; ++} ++ + int vc4_crtc_disable_at_boot(struct drm_crtc *crtc) + { + struct drm_device *drm = crtc->dev; + struct vc4_crtc *vc4_crtc = to_vc4_crtc(crtc); ++ enum vc4_encoder_type encoder_type; ++ const struct vc4_pv_data *pv_data; ++ struct drm_encoder *encoder; ++ unsigned encoder_sel; + int channel; + + if (!(of_device_is_compatible(vc4_crtc->pdev->dev.of_node, +@@ -485,13 +505,24 @@ int vc4_crtc_disable_at_boot(struct drm_ + if (channel < 0) + return 0; + +- return vc4_crtc_disable(crtc, channel); ++ encoder_sel = VC4_GET_FIELD(CRTC_READ(PV_CONTROL), PV_CONTROL_CLK_SELECT); ++ if (WARN_ON(encoder_sel != 0)) ++ return 0; ++ ++ pv_data = vc4_crtc_to_vc4_pv_data(vc4_crtc); ++ encoder_type = pv_data->encoder_types[encoder_sel]; ++ encoder = vc4_crtc_get_encoder_by_type(crtc, encoder_type); ++ if (WARN_ON(!encoder)) ++ return 0; ++ ++ return 
vc4_crtc_disable(crtc, encoder, channel); + } + + static void vc4_crtc_atomic_disable(struct drm_crtc *crtc, + struct drm_crtc_state *old_state) + { + struct vc4_crtc_state *old_vc4_state = to_vc4_crtc_state(old_state); ++ struct drm_encoder *encoder = vc4_get_crtc_encoder(crtc); + struct drm_device *dev = crtc->dev; + + require_hvs_enabled(dev); +@@ -499,7 +530,7 @@ static void vc4_crtc_atomic_disable(stru + /* Disable vblank irq handling before crtc is disabled. */ + drm_crtc_vblank_off(crtc); + +- vc4_crtc_disable(crtc, old_vc4_state->assigned_channel); ++ vc4_crtc_disable(crtc, encoder, old_vc4_state->assigned_channel); + + /* + * Make sure we issue a vblank event after disabling the CRTC if diff --git a/patches.suse/drm-vc4-crtc-Make-sure-the-HDMI-controller-is-powere.patch b/patches.suse/drm-vc4-crtc-Make-sure-the-HDMI-controller-is-powere.patch index db7bae3..09a7ba6 100644 --- a/patches.suse/drm-vc4-crtc-Make-sure-the-HDMI-controller-is-powere.patch +++ b/patches.suse/drm-vc4-crtc-Make-sure-the-HDMI-controller-is-powere.patch @@ -27,8 +27,8 @@ Tested-by: Nicolas Saenz Julienne Link: https://patchwork.freedesktop.org/patch/msgid/20210923185013.826679-1-maxime@cerno.tech Signed-off-by: Patrik Jakobsson --- - drivers/gpu/drm/vc4/vc4_crtc.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) + drivers/gpu/drm/vc4/vc4_crtc.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) --- a/drivers/gpu/drm/vc4/vc4_crtc.c +++ b/drivers/gpu/drm/vc4/vc4_crtc.c @@ -48,30 +48,28 @@ 
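Review bot: In vc4_crtc_disable_at_boot() the `WARN_ON(encoder_sel != 0)` early return is the only thing bounding the register-derived index used in `pv_data->encoder_types[encoder_sel]`, and nothing in the code says so. A short comment above the check, for example `/* encoder_sel comes from PV_CONTROL; only mux value 0 is handled here, which also keeps the encoder_types[] lookup in range */`, would stop a later edit from relaxing the guard without adding a bounds check. The declaration would also read better as `unsigned int encoder_sel;`, since kernel style discourages a bare `unsigned`. Only part of the function is visible in the patch, so the size of `encoder_types[]` should be confirmed against the vc4_pv_data definition.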
Signed-off-by: Patrik Jakobsson #include "vc4_regs.h" #define HVS_FIFO_LATENCY_PIX 6 -@@ -465,9 +467,12 @@ static int vc4_crtc_disable(struct drm_c - - int vc4_crtc_disable_at_boot(struct drm_crtc *crtc) - { -+ struct drm_encoder *encoder = vc4_get_crtc_encoder(crtc); - struct drm_device *drm = crtc->dev; - struct vc4_crtc *vc4_crtc = to_vc4_crtc(crtc); +@@ -486,8 +488,10 @@ int vc4_crtc_disable_at_boot(struct drm_ + enum vc4_encoder_type encoder_type; + const struct vc4_pv_data *pv_data; + struct drm_encoder *encoder; + struct vc4_hdmi *vc4_hdmi; + unsigned encoder_sel; int channel; + int ret; if (!(of_device_is_compatible(vc4_crtc->pdev->dev.of_node, "brcm,bcm2711-pixelvalve2") || -@@ -485,7 +490,20 @@ int vc4_crtc_disable_at_boot(struct drm_ - if (channel < 0) +@@ -515,7 +519,20 @@ int vc4_crtc_disable_at_boot(struct drm_ + if (WARN_ON(!encoder)) return 0; -- return vc4_crtc_disable(crtc, channel); +- return vc4_crtc_disable(crtc, encoder, channel); + vc4_hdmi = encoder_to_vc4_hdmi(encoder); + ret = pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev); + if (ret) + return ret; + -+ ret = vc4_crtc_disable(crtc, channel); ++ ret = vc4_crtc_disable(crtc, encoder, channel); + if (ret) + return ret; + diff --git a/patches.suse/intel_idle-Customize-IceLake-server-support.patch b/patches.suse/intel_idle-Customize-IceLake-server-support.patch deleted file mode 100644 index 556e014..0000000 --- a/patches.suse/intel_idle-Customize-IceLake-server-support.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From a472ad2bcea479ba068880125d7273fc95c14b70 Mon Sep 17 00:00:00 2001 -From: Chen Yu -Date: Fri, 10 Jul 2020 12:12:01 +0800 -Subject: [PATCH] intel_idle: Customize IceLake server support -Git-commit: a472ad2bcea479ba068880125d7273fc95c14b70 -Patch-mainline: v5.9-rc1 -References: jsc#SLE-12679 - -On ICX platform, the C1E auto-promotion is enabled by default. -As a result, the CPU might fall into C1E more offen than previous -platforms. Besides, the C1E is not exposed to sysfs on ICX, which -is inconsistent with previous server platforms. - -So disable C1E auto-promotion and expose C1E as a separate idle -state, so the C1E and C6 can be disabled via sysfs when necessary. - -Beside C1 and C1E, the exit latency of C6 was measured -by a dedicated tool. However the exit latency(41us) exposed -by _CST is much smaller than the one we measured(128us). This -is probably due to the _CST uses the exit latency when woken -up from PC0+C6, rather than PC6+C6 when C6 was measured. Choose -the latter as we need the longest latency in theory. - -Reported-by: kernel test robot -Tested-by: Artem Bityutskiy -Acked-by: Artem Bityutskiy -Reviewed-by: Zhang Rui -Signed-off-by: Chen Yu -Signed-off-by: Rafael J. 
Wysocki -Acked-by: Takashi Iwai - ---- - drivers/idle/intel_idle.c | 36 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - -diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c -index 3f86f36dab2b..fd0fa9e7900b 100644 ---- a/drivers/idle/intel_idle.c -+++ b/drivers/idle/intel_idle.c -@@ -752,6 +752,35 @@ static struct cpuidle_state skx_cstates[] __initdata = { - .enter = NULL } - }; - -+static struct cpuidle_state icx_cstates[] __initdata = { -+ { -+ .name = "C1", -+ .desc = "MWAIT 0x00", -+ .flags = MWAIT2flg(0x00), -+ .exit_latency = 1, -+ .target_residency = 1, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .name = "C1E", -+ .desc = "MWAIT 0x01", -+ .flags = MWAIT2flg(0x01) | CPUIDLE_FLAG_ALWAYS_ENABLE, -+ .exit_latency = 4, -+ .target_residency = 4, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .name = "C6", -+ .desc = "MWAIT 0x20", -+ .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED, -+ .exit_latency = 128, -+ .target_residency = 384, -+ .enter = &intel_idle, -+ .enter_s2idle = intel_idle_s2idle, }, -+ { -+ .enter = NULL } -+}; -+ - static struct cpuidle_state atom_cstates[] __initdata = { - { - .name = "C1E", -@@ -1056,6 +1085,12 @@ static const struct idle_cpu idle_cpu_skx __initconst = { - .use_acpi = true, - }; - -+static const struct idle_cpu idle_cpu_icx __initconst = { -+ .state_table = icx_cstates, -+ .disable_promotion_to_c1e = true, -+ .use_acpi = true, -+}; -+ - static const struct idle_cpu idle_cpu_avn __initconst = { - .state_table = avn_cstates, - .disable_promotion_to_c1e = true, -@@ -1110,6 +1145,7 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { - X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE_L, &idle_cpu_skl), - X86_MATCH_INTEL_FAM6_MODEL(KABYLAKE, &idle_cpu_skl), - X86_MATCH_INTEL_FAM6_MODEL(SKYLAKE_X, &idle_cpu_skx), -+ X86_MATCH_INTEL_FAM6_MODEL(ICELAKE_X, &idle_cpu_icx), - X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNL, &idle_cpu_knl), - 
X86_MATCH_INTEL_FAM6_MODEL(XEON_PHI_KNM, &idle_cpu_knl), - X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, &idle_cpu_bxt), --- -2.16.4 - diff --git a/patches.suse/kvm-x86-mmu-do-compare-and-exchange-of-gpte-via-the-user-address b/patches.suse/kvm-x86-mmu-do-compare-and-exchange-of-gpte-via-the-user-address new file mode 100644 index 0000000..1a4e88a --- /dev/null +++ b/patches.suse/kvm-x86-mmu-do-compare-and-exchange-of-gpte-via-the-user-address 
@@ -0,0 +1,151 @@ +From: Paolo Bonzini +Date: Tue, 29 Mar 2022 12:56:24 -0400 +Subject: KVM: x86/mmu: do compare-and-exchange of gPTE via the user address +Git-commit: 2a8859f373b0a86f0ece8ec8312607eacf12485d +Patch-mainline: v5.18-rc1 +References: CVE-2022-1158 bsc#1197660 + +FNAME(cmpxchg_gpte) is an inefficient mess. It is at least decent if it +can go through get_user_pages_fast(), but if it cannot then it tries to +use memremap(); that is not just terribly slow, it is also wrong because +it assumes that the VM_PFNMAP VMA is contiguous. + +The right way to do it would be to do the same thing as +hva_to_pfn_remapped() does since commit add6a0cd1c5b ("KVM: MMU: try to +fix up page faults before giving up", 2016-07-05), using follow_pte() +and fixup_user_fault() to determine the correct address to use for +memremap(). To do this, one could for example extract hva_to_pfn() +for use outside virt/kvm/kvm_main.c. But really there is no reason to +do that either, because there is already a perfectly valid address to +do the cmpxchg() on, only it is a userspace address. That means doing +user_access_begin()/user_access_end() and writing the code in assembly +to handle exceptions correctly. Worse, the guest PTE can be 8-byte +even on i686 so there is the extra complication of using cmpxchg8b to +account for. But at least it is an efficient mess. + +(Thanks to Linus for suggesting improvement on the inline assembly). 
+ +Reported-by: Qiuhao Li +Reported-by: Gaoning Pan +Reported-by: Yongkang Jia +Reported-by: syzbot+6cde2282daa792c49ab8@syzkaller.appspotmail.com +Debugged-by: Tadeusz Struk +Tested-by: Maxim Levitsky +Cc: stable@vger.kernel.org +Fixes: bd53cb35a3e9 ("X86/KVM: Handle PFNs outside of kernel reach when touching GPTEs") +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/paging_tmpl.h | 78 +++++++++++++++++++++------------------------ + 1 file changed, 38 insertions(+), 40 deletions(-) + +--- a/arch/x86/kvm/paging_tmpl.h ++++ b/arch/x86/kvm/paging_tmpl.h +@@ -34,9 +34,8 @@ + #define PT_HAVE_ACCESSED_DIRTY(mmu) true + #ifdef CONFIG_X86_64 + #define PT_MAX_FULL_LEVELS PT64_ROOT_MAX_LEVEL +- #define CMPXCHG cmpxchg ++ #define CMPXCHG "cmpxchgq" + #else +- #define CMPXCHG cmpxchg64 + #define PT_MAX_FULL_LEVELS 2 + #endif + #elif PTTYPE == 32 +@@ -52,7 +51,7 @@ + #define PT_GUEST_DIRTY_SHIFT PT_DIRTY_SHIFT + #define PT_GUEST_ACCESSED_SHIFT PT_ACCESSED_SHIFT + #define PT_HAVE_ACCESSED_DIRTY(mmu) true +- #define CMPXCHG cmpxchg ++ #define CMPXCHG "cmpxchgl" + #elif PTTYPE == PTTYPE_EPT + #define pt_element_t u64 + #define guest_walker guest_walkerEPT +@@ -65,7 +64,9 @@ + #define PT_GUEST_DIRTY_SHIFT 9 + #define PT_GUEST_ACCESSED_SHIFT 8 + #define PT_HAVE_ACCESSED_DIRTY(mmu) ((mmu)->ept_ad) +- #define CMPXCHG cmpxchg64 ++ #ifdef CONFIG_X86_64 ++ #define CMPXCHG "cmpxchgq" ++ #endif + #define PT_MAX_FULL_LEVELS 4 + #else + #error Invalid PTTYPE value +@@ -132,43 +133,40 @@ static int FNAME(cmpxchg_gpte)(struct kv + pt_element_t __user *ptep_user, unsigned index, + pt_element_t orig_pte, pt_element_t new_pte) + { +- int npages; +- pt_element_t ret; +- pt_element_t *table; +- struct page *page; +- +- npages = get_user_pages_fast((unsigned long)ptep_user, 1, FOLL_WRITE, &page); +- if (likely(npages == 1)) { +- table = kmap_atomic(page); +- ret = CMPXCHG(&table[index], orig_pte, new_pte); +- kunmap_atomic(table); +- +- kvm_release_page_dirty(page); +- } else 
{ +- struct vm_area_struct *vma; +- unsigned long vaddr = (unsigned long)ptep_user & PAGE_MASK; +- unsigned long pfn; +- unsigned long paddr; +- +- down_read(¤t->mm->mmap_sem); +- vma = find_vma_intersection(current->mm, vaddr, vaddr + PAGE_SIZE); +- if (!vma || !(vma->vm_flags & VM_PFNMAP)) { +- up_read(¤t->mm->mmap_sem); +- return -EFAULT; +- } +- pfn = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff; +- paddr = pfn << PAGE_SHIFT; +- table = memremap(paddr, PAGE_SIZE, MEMREMAP_WB); +- if (!table) { +- up_read(¤t->mm->mmap_sem); +- return -EFAULT; +- } +- ret = CMPXCHG(&table[index], orig_pte, new_pte); +- memunmap(table); +- up_read(¤t->mm->mmap_sem); +- } + +- return (ret != orig_pte); ++ int r = -EFAULT; ++ ++ if (!user_access_begin(ptep_user, sizeof(pt_element_t))) ++ return -EFAULT; ++ ++#ifdef CMPXCHG ++ asm volatile("1:" LOCK_PREFIX CMPXCHG " %[new], %[ptr]\n" ++ "mov $0, %[r]\n" ++ "setnz %b[r]\n" ++ "2:" ++ _ASM_EXTABLE_UA(1b, 2b) ++ : [ptr] "+m" (*ptep_user), ++ [old] "+a" (orig_pte), ++ [r] "+q" (r) ++ : [new] "r" (new_pte) ++ : "memory"); ++#else ++ asm volatile("1:" LOCK_PREFIX "cmpxchg8b %[ptr]\n" ++ "movl $0, %[r]\n" ++ "jz 2f\n" ++ "incl %[r]\n" ++ "2:" ++ _ASM_EXTABLE_UA(1b, 2b) ++ : [ptr] "+m" (*ptep_user), ++ [old] "+A" (orig_pte), ++ [r] "+rm" (r) ++ : [new_lo] "b" ((u32)new_pte), ++ [new_hi] "c" ((u32)(new_pte >> 32)) ++ : "memory"); ++#endif ++ ++ user_access_end(); ++ return r; + } + + static bool FNAME(prefetch_invalid_gpte)(struct kvm_vcpu *vcpu, diff --git a/patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch b/patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch index ddc26d3..db4ac80 100644 --- a/patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch +++ b/patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch 
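Review bot: The rewritten FNAME(cmpxchg_gpte) has no comment stating its three-way result, and the `index` parameter stays in the signature although the new body no longer reads it. From the asm, `r` remains `-EFAULT` when the access faults (the exception-table entry jumps to label 2), becomes 0 when the exchange succeeds and 1 when the guest PTE no longer matches `orig_pte`; a header comment such as `/* Returns 0 on success, 1 if the gPTE changed under us, -EFAULT if the user access faults. */` would pin that down for callers. A second comment that only the inline asm may run between `user_access_begin()` and `user_access_end()` would protect that window from later edits. The start of the signature lies outside the visible hunk, and the `¤t->mm` text in the removed lines looks like an extraction artifact of `&current->mm` rather than part of the patch.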
@@ -6,7 +6,7 @@ Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch-mainline: v5.18-rc1 Git-commit: 764f4eb6846f5475f1244767d24d25dd86528a4a -References: git-fixes +References: CVE-2022-28356 bsc#1197391 Whenever llc_ui_bind() and/or llc_ui_autobind() took a reference on a netdevice but subsequently fail, diff --git a/patches.suse/msft-hv-2514-net-mana-Use-struct_size-helper-in-mana_gd_create_dm.patch b/patches.suse/msft-hv-2514-net-mana-Use-struct_size-helper-in-mana_gd_create_dm.patch new file mode 100644 index 0000000..9f23eed --- /dev/null +++ b/patches.suse/msft-hv-2514-net-mana-Use-struct_size-helper-in-mana_gd_create_dm.patch 
@@ -0,0 +1,44 @@ +From: "Gustavo A. R. Silva" +Date: Mon, 24 Jan 2022 15:43:47 -0600 +Patch-mainline: v5.18-rc1 +Subject: net: mana: Use struct_size() helper in mana_gd_create_dma_region() +Git-commit: 10cdc794dae890fb3149e90854e8440cf5bf615e +References: bsc#1195651 + +Make use of the struct_size() helper instead of an open-coded version, +in order to avoid any potential type mistakes or integer overflows that, +in the worst scenario, could lead to heap overflows. + +Also, address the following sparse warnings: +drivers/net/ethernet/microsoft/mana/gdma_main.c:677:24: warning: using sizeof on a flexible structure + +Link: https://github.com/KSPP/linux/issues/174 +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Dexuan Cui +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/ethernet/microsoft/mana/gdma_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -663,7 +663,7 @@ static int mana_gd_create_dma_region(struct gdma_dev *gd, + struct gdma_context *gc = gd->gdma_context; + struct hw_channel_context *hwc; + u32 length = gmi->length; +- u32 req_msg_size; ++ size_t req_msg_size; + int err; + int i; + +@@ -674,7 +674,7 @@ static int mana_gd_create_dma_region(struct gdma_dev *gd, + return -EINVAL; + + hwc = gc->hwc.driver_data; +- req_msg_size = sizeof(*req) + num_page * sizeof(u64); ++ req_msg_size = struct_size(req, page_addr_list, num_page); + if (req_msg_size > hwc->max_req_msg_size) + return -EINVAL; + diff --git a/patches.suse/msft-hv-2516-net-mana-Add-counter-for-packet-dropped-by-XDP.patch b/patches.suse/msft-hv-2516-net-mana-Add-counter-for-packet-dropped-by-XDP.patch new file mode 100644 index 0000000..4f10422 --- /dev/null 
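Review bot: The widening of `req_msg_size` from `u32` to `size_t` in mana_gd_create_dma_region() is what lets the following `req_msg_size > hwc->max_req_msg_size` check catch an oversized request, and that dependency is not documented. `struct_size()` saturates at SIZE_MAX on overflow, whereas a `u32` could truncate a large result to something that passes the bound. A comment such as `/* struct_size() saturates on overflow; keep this a size_t so the limit check below rejects it */` would keep the two lines tied together. The rest of the function is outside the hunk, so any later use of `req_msg_size` by a narrower parameter should be confirmed to come after this check.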
+++ b/patches.suse/msft-hv-2516-net-mana-Add-counter-for-packet-dropped-by-XDP.patch 
@@ -0,0 +1,221 @@ +From: Haiyang Zhang +Date: Fri, 28 Jan 2022 18:03:36 -0800 +Patch-mainline: v5.18-rc1 +Subject: net: mana: Add counter for packet dropped by XDP +Git-commit: f90f84201edde2bca25a73226ff0ebe765273890 +References: bsc#1195651 + +This counter will show up in ethtool stat data. + +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/ethernet/microsoft/mana/mana.h | 13 ++++++-- + drivers/net/ethernet/microsoft/mana/mana_en.c | 35 +++++++++++++--------- + drivers/net/ethernet/microsoft/mana/mana_ethtool.c | 30 +++++++++++-------- + 3 files changed, 49 insertions(+), 29 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/mana.h b/drivers/net/ethernet/microsoft/mana/mana.h +--- a/drivers/net/ethernet/microsoft/mana/mana.h ++++ b/drivers/net/ethernet/microsoft/mana/mana.h +@@ -48,7 +48,14 @@ enum TRI_STATE { + + #define MAX_PORTS_IN_MANA_DEV 256 + +-struct mana_stats { ++struct mana_stats_rx { ++ u64 packets; ++ u64 bytes; ++ u64 xdp_drop; ++ struct u64_stats_sync syncp; ++}; ++ ++struct mana_stats_tx { + u64 packets; + u64 bytes; + struct u64_stats_sync syncp; +@@ -76,7 +83,7 @@ struct mana_txq { + + atomic_t pending_sends; + +- struct mana_stats stats; ++ struct mana_stats_tx stats; + }; + + /* skb data and frags dma mappings */ +@@ -298,7 +305,7 @@ struct mana_rxq { + + u32 buf_index; + +- struct mana_stats stats; ++ struct mana_stats_rx stats; + + struct bpf_prog __rcu *bpf_prog; + struct xdp_rxq_info xdp_rxq; +diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -136,7 +136,7 @@ int mana_start_xmit(struct sk_buff *skb, struct net_device *ndev) + bool ipv4 = false, ipv6 = false; + struct mana_tx_package pkg = {}; + struct netdev_queue *net_txq; +- struct mana_stats *tx_stats; ++ struct mana_stats_tx *tx_stats; + struct 
gdma_queue *gdma_sq; + unsigned int csum_type; + struct mana_txq *txq; +@@ -299,7 +299,8 @@ static void mana_get_stats64(struct net_device *ndev, + { + struct mana_port_context *apc = netdev_priv(ndev); + unsigned int num_queues = apc->num_queues; +- struct mana_stats *stats; ++ struct mana_stats_rx *rx_stats; ++ struct mana_stats_tx *tx_stats; + unsigned int start; + u64 packets, bytes; + int q; +@@ -310,26 +311,26 @@ static void mana_get_stats64(struct net_device *ndev, + netdev_stats_to_stats64(st, &ndev->stats); + + for (q = 0; q < num_queues; q++) { +- stats = &apc->rxqs[q]->stats; ++ rx_stats = &apc->rxqs[q]->stats; + + do { +- start = u64_stats_fetch_begin_irq(&stats->syncp); +- packets = stats->packets; +- bytes = stats->bytes; +- } while (u64_stats_fetch_retry_irq(&stats->syncp, start)); ++ start = u64_stats_fetch_begin_irq(&rx_stats->syncp); ++ packets = rx_stats->packets; ++ bytes = rx_stats->bytes; ++ } while (u64_stats_fetch_retry_irq(&rx_stats->syncp, start)); + + st->rx_packets += packets; + st->rx_bytes += bytes; + } + + for (q = 0; q < num_queues; q++) { +- stats = &apc->tx_qp[q].txq.stats; ++ tx_stats = &apc->tx_qp[q].txq.stats; + + do { +- start = u64_stats_fetch_begin_irq(&stats->syncp); +- packets = stats->packets; +- bytes = stats->bytes; +- } while (u64_stats_fetch_retry_irq(&stats->syncp, start)); ++ start = u64_stats_fetch_begin_irq(&tx_stats->syncp); ++ packets = tx_stats->packets; ++ bytes = tx_stats->bytes; ++ } while (u64_stats_fetch_retry_irq(&tx_stats->syncp, start)); + + st->tx_packets += packets; + st->tx_bytes += bytes; +@@ -986,7 +987,7 @@ static struct sk_buff *mana_build_skb(void *buf_va, uint pkt_len, + static void mana_rx_skb(void *buf_va, struct mana_rxcomp_oob *cqe, + struct mana_rxq *rxq) + { +- struct mana_stats *rx_stats = &rxq->stats; ++ struct mana_stats_rx *rx_stats = &rxq->stats; + struct net_device *ndev = rxq->ndev; + uint pkt_len = cqe->ppi[0].pkt_len; + u16 rxq_idx = rxq->rxq_idx; +@@ -1007,7 +1008,7 @@ static 
void mana_rx_skb(void *buf_va, struct mana_rxcomp_oob *cqe, + act = mana_run_xdp(ndev, rxq, &xdp, buf_va, pkt_len); + + if (act != XDP_PASS && act != XDP_TX) +- goto drop; ++ goto drop_xdp; + + skb = mana_build_skb(buf_va, pkt_len, &xdp); + +@@ -1048,9 +1049,15 @@ static void mana_rx_skb(void *buf_va, struct mana_rxcomp_oob *cqe, + u64_stats_update_end(&rx_stats->syncp); + return; + ++drop_xdp: ++ u64_stats_update_begin(&rx_stats->syncp); ++ rx_stats->xdp_drop++; ++ u64_stats_update_end(&rx_stats->syncp); ++ + drop: + free_page((unsigned long)buf_va); + ++ndev->stats.rx_dropped; ++ + return; + } + +diff --git a/drivers/net/ethernet/microsoft/mana/mana_ethtool.c b/drivers/net/ethernet/microsoft/mana/mana_ethtool.c +--- a/drivers/net/ethernet/microsoft/mana/mana_ethtool.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_ethtool.c +@@ -23,7 +23,7 @@ static int mana_get_sset_count(struct net_device *ndev, int stringset) + if (stringset != ETH_SS_STATS) + return -EINVAL; + +- return ARRAY_SIZE(mana_eth_stats) + num_queues * 4; ++ return ARRAY_SIZE(mana_eth_stats) + num_queues * 5; + } + + static void mana_get_strings(struct net_device *ndev, u32 stringset, u8 *data) +@@ -46,6 +46,8 @@ static void mana_get_strings(struct net_device *ndev, u32 stringset, u8 *data) + p += ETH_GSTRING_LEN; + sprintf(p, "rx_%d_bytes", i); + p += ETH_GSTRING_LEN; ++ sprintf(p, "rx_%d_xdp_drop", i); ++ p += ETH_GSTRING_LEN; + } + + for (i = 0; i < num_queues; i++) { +@@ -62,9 +64,11 @@ static void mana_get_ethtool_stats(struct net_device *ndev, + struct mana_port_context *apc = netdev_priv(ndev); + unsigned int num_queues = apc->num_queues; + void *eth_stats = &apc->eth_stats; +- struct mana_stats *stats; ++ struct mana_stats_rx *rx_stats; ++ struct mana_stats_tx *tx_stats; + unsigned int start; + u64 packets, bytes; ++ u64 xdp_drop; + int q, i = 0; + + if (!apc->port_is_up) +@@ -74,26 +78,28 @@ static void mana_get_ethtool_stats(struct net_device *ndev, + data[i++] = *(u64 *)(eth_stats + 
mana_eth_stats[q].offset); + + for (q = 0; q < num_queues; q++) { +- stats = &apc->rxqs[q]->stats; ++ rx_stats = &apc->rxqs[q]->stats; + + do { +- start = u64_stats_fetch_begin_irq(&stats->syncp); +- packets = stats->packets; +- bytes = stats->bytes; +- } while (u64_stats_fetch_retry_irq(&stats->syncp, start)); ++ start = u64_stats_fetch_begin_irq(&rx_stats->syncp); ++ packets = rx_stats->packets; ++ bytes = rx_stats->bytes; ++ xdp_drop = rx_stats->xdp_drop; ++ } while (u64_stats_fetch_retry_irq(&rx_stats->syncp, start)); + + data[i++] = packets; + data[i++] = bytes; ++ data[i++] = xdp_drop; + } + + for (q = 0; q < num_queues; q++) { +- stats = &apc->tx_qp[q].txq.stats; ++ tx_stats = &apc->tx_qp[q].txq.stats; + + do { +- start = u64_stats_fetch_begin_irq(&stats->syncp); +- packets = stats->packets; +- bytes = stats->bytes; +- } while (u64_stats_fetch_retry_irq(&stats->syncp, start)); ++ start = u64_stats_fetch_begin_irq(&tx_stats->syncp); ++ packets = tx_stats->packets; ++ bytes = tx_stats->bytes; ++ } while (u64_stats_fetch_retry_irq(&tx_stats->syncp, start)); + + data[i++] = packets; + data[i++] = bytes; diff --git a/patches.suse/msft-hv-2517-net-mana-Add-counter-for-XDP_TX.patch b/patches.suse/msft-hv-2517-net-mana-Add-counter-for-XDP_TX.patch new file mode 100644 index 0000000..aab3335 --- /dev/null +++ b/patches.suse/msft-hv-2517-net-mana-Add-counter-for-XDP_TX.patch 
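Review bot: The per-queue stat count in mana_get_sset_count() is a bare literal (`num_queues * 5`) that has to be kept in step by hand with the number of `sprintf()` name slots in mana_get_strings() and the number of `data[i++]` stores in mana_get_ethtool_stats(). If one of the three drifts, the strings and data arrays, which are presumably sized from that count, are filled past or short of their length. The XDP_TX counter patch that follows in this series repeats the pattern with `* 6`. Named constants for the RX and TX field counts (3 and 2 after this patch), used in all three functions, would make the coupling explicit, and `snprintf(p, ETH_GSTRING_LEN, "rx_%d_xdp_drop", i);` would bound each name to its slot. All three functions are only partly visible in the hunks.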
@@ -0,0 +1,102 @@ +From: Haiyang Zhang +Date: Fri, 28 Jan 2022 18:03:37 -0800 +Patch-mainline: v5.18-rc1 +Subject: net: mana: Add counter for XDP_TX +Git-commit: d356abb95b9883198b1ba0db678659369701e17d +References: bsc#1195651 + +This counter will show up in ethtool stat. It is the +number of packets received and forwarded by XDP program. + +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/ethernet/microsoft/mana/mana.h | 1 + + drivers/net/ethernet/microsoft/mana/mana_en.c | 12 ++++++++---- + drivers/net/ethernet/microsoft/mana/mana_ethtool.c | 7 ++++++- + 3 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/mana.h b/drivers/net/ethernet/microsoft/mana/mana.h +--- a/drivers/net/ethernet/microsoft/mana/mana.h ++++ b/drivers/net/ethernet/microsoft/mana/mana.h +@@ -52,6 +52,7 @@ struct mana_stats_rx { + u64 packets; + u64 bytes; + u64 xdp_drop; ++ u64 xdp_tx; + struct u64_stats_sync syncp; + }; + +diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -1035,6 +1035,14 @@ static void mana_rx_skb(void *buf_va, struct mana_rxcomp_oob *cqe, + skb_set_hash(skb, hash_value, PKT_HASH_TYPE_L3); + } + ++ u64_stats_update_begin(&rx_stats->syncp); ++ rx_stats->packets++; ++ rx_stats->bytes += pkt_len; ++ ++ if (act == XDP_TX) ++ rx_stats->xdp_tx++; ++ u64_stats_update_end(&rx_stats->syncp); ++ + if (act == XDP_TX) { + skb_set_queue_mapping(skb, rxq_idx); + mana_xdp_tx(skb, ndev); +@@ -1043,10 +1051,6 @@ static void mana_rx_skb(void *buf_va, struct mana_rxcomp_oob *cqe, + + napi_gro_receive(napi, skb); + +- u64_stats_update_begin(&rx_stats->syncp); +- rx_stats->packets++; +- rx_stats->bytes += pkt_len; +- u64_stats_update_end(&rx_stats->syncp); + return; + + drop_xdp: +diff --git 
a/drivers/net/ethernet/microsoft/mana/mana_ethtool.c b/drivers/net/ethernet/microsoft/mana/mana_ethtool.c +--- a/drivers/net/ethernet/microsoft/mana/mana_ethtool.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_ethtool.c +@@ -23,7 +23,7 @@ static int mana_get_sset_count(struct net_device *ndev, int stringset) + if (stringset != ETH_SS_STATS) + return -EINVAL; + +- return ARRAY_SIZE(mana_eth_stats) + num_queues * 5; ++ return ARRAY_SIZE(mana_eth_stats) + num_queues * 6; + } + + static void mana_get_strings(struct net_device *ndev, u32 stringset, u8 *data) +@@ -48,6 +48,8 @@ static void mana_get_strings(struct net_device *ndev, u32 stringset, u8 *data) + p += ETH_GSTRING_LEN; + sprintf(p, "rx_%d_xdp_drop", i); + p += ETH_GSTRING_LEN; ++ sprintf(p, "rx_%d_xdp_tx", i); ++ p += ETH_GSTRING_LEN; + } + + for (i = 0; i < num_queues; i++) { +@@ -69,6 +71,7 @@ static void mana_get_ethtool_stats(struct net_device *ndev, + unsigned int start; + u64 packets, bytes; + u64 xdp_drop; ++ u64 xdp_tx; + int q, i = 0; + + if (!apc->port_is_up) +@@ -85,11 +88,13 @@ static void mana_get_ethtool_stats(struct net_device *ndev, + packets = rx_stats->packets; + bytes = rx_stats->bytes; + xdp_drop = rx_stats->xdp_drop; ++ xdp_tx = rx_stats->xdp_tx; + } while (u64_stats_fetch_retry_irq(&rx_stats->syncp, start)); + + data[i++] = packets; + data[i++] = bytes; + data[i++] = xdp_drop; ++ data[i++] = xdp_tx; + } + + for (q = 0; q < num_queues; q++) { diff --git a/patches.suse/msft-hv-2518-net-mana-Reuse-XDP-dropped-page.patch b/patches.suse/msft-hv-2518-net-mana-Reuse-XDP-dropped-page.patch new file mode 100644 index 0000000..46a3993 --- /dev/null +++ b/patches.suse/msft-hv-2518-net-mana-Reuse-XDP-dropped-page.patch 
@@ -0,0 +1,68 @@ +From: Haiyang Zhang +Date: Fri, 28 Jan 2022 18:03:38 -0800 +Patch-mainline: v5.18-rc1 +Subject: net: mana: Reuse XDP dropped page +Git-commit: a6bf5703f17bdbd775c0e6837dd2d5b1c344e28c +References: bsc#1195651 + +Reuse the dropped page in RX path to save page allocation +overhead. + +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/ethernet/microsoft/mana/mana.h | 1 + + drivers/net/ethernet/microsoft/mana/mana_en.c | 15 +++++++++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/mana.h b/drivers/net/ethernet/microsoft/mana/mana.h +--- a/drivers/net/ethernet/microsoft/mana/mana.h ++++ b/drivers/net/ethernet/microsoft/mana/mana.h +@@ -310,6 +310,7 @@ struct mana_rxq { + + struct bpf_prog __rcu *bpf_prog; + struct xdp_rxq_info xdp_rxq; ++ struct page *xdp_save_page; + + /* MUST BE THE LAST MEMBER: + * Each receive buffer has an associated mana_recv_buf_oob. +diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -1059,7 +1059,9 @@ drop_xdp: + u64_stats_update_end(&rx_stats->syncp); + + drop: +- free_page((unsigned long)buf_va); ++ WARN_ON_ONCE(rxq->xdp_save_page); ++ rxq->xdp_save_page = virt_to_page(buf_va); ++ + ++ndev->stats.rx_dropped; + + return; +@@ -1116,7 +1118,13 @@ static void mana_process_rx_cqe(struct mana_rxq *rxq, struct mana_cq *cq, + rxbuf_oob = &rxq->rx_oobs[curr]; + WARN_ON_ONCE(rxbuf_oob->wqe_inf.wqe_size_in_bu != 1); + +- new_page = alloc_page(GFP_ATOMIC); ++ /* Reuse XDP dropped page if available */ ++ if (rxq->xdp_save_page) { ++ new_page = rxq->xdp_save_page; ++ rxq->xdp_save_page = NULL; ++ } else { ++ new_page = alloc_page(GFP_ATOMIC); ++ } + + if (new_page) { + da = dma_map_page(dev, new_page, XDP_PACKET_HEADROOM, rxq->datasize, +@@ -1403,6 +1411,9 @@ 
static void mana_destroy_rxq(struct mana_port_context *apc, + + mana_deinit_cq(apc, &rxq->rx_cq); + ++ if (rxq->xdp_save_page) ++ __free_page(rxq->xdp_save_page); ++ + for (i = 0; i < rxq->num_rx_buf; i++) { + rx_oob = &rxq->rx_oobs[i]; + diff --git a/patches.suse/msft-hv-2523-net-mana-Add-handling-of-CQE_RX_TRUNCATED.patch b/patches.suse/msft-hv-2523-net-mana-Add-handling-of-CQE_RX_TRUNCATED.patch new file mode 100644 index 0000000..3ab9552 --- /dev/null +++ b/patches.suse/msft-hv-2523-net-mana-Add-handling-of-CQE_RX_TRUNCATED.patch 
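Review bot: On the `drop:` path of mana_rx_skb() a page already parked in `rxq->xdp_save_page` is overwritten after nothing more than `WARN_ON_ONCE()`, so if that single-slot invariant is ever broken the earlier page is leaked. Keeping the old `free_page()` as the fallback avoids that: `if (WARN_ON_ONCE(rxq->xdp_save_page))`, `free_page((unsigned long)buf_va);`, `else rxq->xdp_save_page = virt_to_page(buf_va);`. A comment on the new `xdp_save_page` field saying that it holds at most one page and is consumed by the next mana_process_rx_cqe() call would document why the warning should never fire. The `drop:` label sits at the end of a function whose body is mostly outside the hunk.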
@@ -0,0 +1,42 @@ +From: Haiyang Zhang +Date: Fri, 4 Feb 2022 14:45:44 -0800 +Patch-mainline: v5.18-rc1 +Subject: net: mana: Add handling of CQE_RX_TRUNCATED +Git-commit: e4b7621982d29f26ff4d39af389e5e675a4ffed4 +References: bsc#1195651 + +The proper way to drop this kind of CQE is advancing rxq tail +without indicating the packet to the upper network layer. + +Signed-off-by: Haiyang Zhang +Reviewed-by: Dexuan Cui +Signed-off-by: David S. Miller +Acked-by: Olaf Hering +--- + drivers/net/ethernet/microsoft/mana/mana_en.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -1085,8 +1085,10 @@ static void mana_process_rx_cqe(struct mana_rxq *rxq, struct mana_cq *cq, + break; + + case CQE_RX_TRUNCATED: +- netdev_err(ndev, "Dropped a truncated packet\n"); +- return; ++ ++ndev->stats.rx_dropped; ++ rxbuf_oob = &rxq->rx_oobs[rxq->buf_index]; ++ netdev_warn_once(ndev, "Dropped a truncated packet\n"); ++ goto drop; + + case CQE_RX_COALESCED_4: + netdev_err(ndev, "RX coalescing is unsupported\n"); +@@ -1154,6 +1156,7 @@ static void mana_process_rx_cqe(struct mana_rxq *rxq, struct mana_cq *cq, + + mana_rx_skb(old_buf, oob, rxq); + ++drop: + mana_move_wq_tail(rxq->gdma_rq, rxbuf_oob->wqe_inf.wqe_size_in_bu); + + mana_post_pkt_rxq(rxq); diff --git a/patches.suse/msft-hv-2524-net-mana-Remove-unnecessary-check-of-cqe_type-in-man.patch b/patches.suse/msft-hv-2524-net-mana-Remove-unnecessary-check-of-cqe_type-in-man.patch new file mode 100644 index 0000000..0f544f7 --- /dev/null +++ b/patches.suse/msft-hv-2524-net-mana-Remove-unnecessary-check-of-cqe_type-in-man.patch 
@@ -0,0 +1,31 @@
+From: Haiyang Zhang
+Date: Fri, 4 Feb 2022 14:45:45 -0800
+Patch-mainline: v5.18-rc1
+Subject: net: mana: Remove unnecessary check of cqe_type in mana_process_rx_cqe()
+Git-commit: 68f831355052706e1f8498653f6c4d36643c0db8
+References: bsc#1195651
+
+The switch statement already ensures cqe_type == CQE_RX_OKAY at that
+point.
+
+Signed-off-by: Haiyang Zhang
+Reviewed-by: Dexuan Cui
+Signed-off-by: David S. Miller
+Acked-by: Olaf Hering
+---
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -1104,9 +1104,6 @@ static void mana_process_rx_cqe(struct mana_rxq *rxq, struct mana_cq *cq,
+ return;
+ }
+
+- if (oob->cqe_hdr.cqe_type != CQE_RX_OKAY)
+- return;
+-
+ pktlen = oob->ppi[0].pkt_len;
+
+ if (pktlen == 0) {
diff --git a/patches.suse/mwl8k-Fix-a-double-Free-in-mwl8k_probe_hw.patch b/patches.suse/mwl8k-Fix-a-double-Free-in-mwl8k_probe_hw.patch
new file mode 100644
index 0000000..6f8055c
--- /dev/null
+++ b/patches.suse/mwl8k-Fix-a-double-Free-in-mwl8k_probe_hw.patch
@@ -0,0 +1,37 @@
+From a8e083ee8e2a6c94c29733835adae8bf5b832748 Mon Sep 17 00:00:00 2001
+From: Lv Yunlong
+Date: Fri, 2 Apr 2021 11:26:27 -0700
+Subject: [PATCH] mwl8k: Fix a double Free in mwl8k_probe_hw
+Git-commit: a8e083ee8e2a6c94c29733835adae8bf5b832748
+References: git-fixes
+Patch-mainline: v5.13-rc1
+
+In mwl8k_probe_hw, hw->priv->txq is freed at the first time by
+dma_free_coherent() in the call chain:
+if(!priv->ap_fw)->mwl8k_init_txqs(hw)->mwl8k_txq_init(hw, i).
+
+Then in err_free_queues of mwl8k_probe_hw, hw->priv->txq is freed
+at the second time by mwl8k_txq_deinit(hw, i)->dma_free_coherent().
+
+My patch set txq->txd to NULL after the first free to avoid the
+double free.
+
+Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver")
+Signed-off-by: Lv Yunlong
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210402182627.4256-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/wireless/marvell/mwl8k.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -1469,6 +1469,7 @@ static int mwl8k_txq_init(struct ieee802
+ txq->skb = kcalloc(MWL8K_TX_DESCS, sizeof(*txq->skb), GFP_KERNEL);
+ if (txq->skb == NULL) {
+ pci_free_consistent(priv->pdev, size, txq->txd, txq->txd_dma);
++ txq->txd = NULL;
+ return -ENOMEM;
+ }
+
diff --git a/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch b/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
index 70322c5..07c5992 100644
--- a/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
+++ b/patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
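Review bot: Clearing `txq->txd` only prevents the second free if mwl8k_txq_deinit() skips queues whose `txd` is NULL, and that check is not part of this hunk. Please confirm it exists in this tree, since the backported context already differs from the description (`pci_free_consistent()` here, `dma_free_coherent()` in the commit message). `txq->txd_dma` keeps the stale bus address, which is harmless only while nothing reads it without testing `txd` first. A comment on the new line would record the contract: `/* err_free_queues calls mwl8k_txq_deinit(); NULL marks txd as already freed */`. mwl8k_txq_init() starts and ends outside the hunk.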
@@ -4,7 +4,7 @@ Date: Wed, 26 Jan 2022 14:14:52 +0100 Subject: [PATCH] net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup Git-commit: 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 -References: bsc#1196018 +References: bsc#1196018 CVE-2022-28748 Patch-mainline: v5.17-rc4 ax88179_rx_fixup() contains several out-of-bounds accesses that can be diff --git a/patches.suse/net-x25-Fix-null-ptr-deref-caused-by-x25_disconnect.patch b/patches.suse/net-x25-Fix-null-ptr-deref-caused-by-x25_disconnect.patch new file mode 100644 index 0000000..b86e806 --- /dev/null +++ b/patches.suse/net-x25-Fix-null-ptr-deref-caused-by-x25_disconnect.patch 
@@ -0,0 +1,64 @@ +From d6f4bdc3bca4ddcdc60c0544d85ecf7670ee1c53 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Sat, 26 Mar 2022 18:43:46 +0800 +Subject: [PATCH] net/x25: Fix null-ptr-deref caused by x25_disconnect +Git-commit: 7781607938c8371d4c2b243527430241c62e39c2 +Patch-mainline: v5.18-rc1 +References: CVE-2022-1516 bsc#1199012 + +When the link layer is terminating, x25->neighbour will be set to NULL +in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in +x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is +shown below. + + (Thread 1) | (Thread 2) +x25_link_terminated() | x25_recvmsg() + x25_kill_by_neigh() | ... + x25_disconnect() | lock_sock(sk) + ... | ... + x25->neighbour = NULL //(1) | + ... | x25->neighbour->extended //(2) + +The code sets NULL to x25->neighbour in position (1) and dereferences +x25->neighbour in position (2), which could cause null-ptr-deref bug. + +This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize +with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the +sock held by lock_sock() is not NULL, because it is extracted from x25_list +and uses x25_list_lock to synchronize. + +Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") +Signed-off-by: Duoming Zhou +Reviewed-by: Lin Ma +Signed-off-by: David S. 
Miller +Signed-off-by: Denis Kirjanov +--- + net/x25/af_x25.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index b7e91af375a9..bdf6e80c8597 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -1789,10 +1789,15 @@ void x25_kill_by_neigh(struct x25_neigh *nb) + + write_lock_bh(&x25_list_lock); + +- sk_for_each(s, &x25_list) +- if (x25_sk(s)->neighbour == nb) ++ sk_for_each(s, &x25_list) { ++ if (x25_sk(s)->neighbour == nb) { ++ write_unlock_bh(&x25_list_lock); ++ lock_sock(s); + x25_disconnect(s, ENETUNREACH, 0, 0); +- ++ release_sock(s); ++ write_lock_bh(&x25_list_lock); ++ } ++ } + write_unlock_bh(&x25_list_lock); + + /* Remove any related forwards */ +-- +2.16.4 + diff --git a/patches.suse/nvme-pci-disable-the-write-zeros-command-for-Intel-6.patch b/patches.suse/nvme-pci-disable-the-write-zeros-command-for-Intel-6.patch index ac56d02..de7c408 100644 --- a/patches.suse/nvme-pci-disable-the-write-zeros-command-for-Intel-6.patch +++ b/patches.suse/nvme-pci-disable-the-write-zeros-command-for-Intel-6.patch @@ -11,7 +11,7 @@ The write zeros command does not work with 4k range. bash-4.4# ./blkdiscard /dev/nvme0n1p2 bash-4.4# strace -efallocate xfs_io -c "fzero 536895488 2048" /dev/nvme0n1p2 fallocate(3, FALLOC_FL_ZERO_RANGE, 536895488, 2048) = 0 -+++ exited with 0 +++ + ++ exited with 0 +++ bash-4.4# dd bs=1 if=/dev/nvme0n1p2 skip=536895488 count=512 | hexdump -C 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 
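Review bot: Inside the loop the new code drops `x25_list_lock` before `lock_sock(s)` without taking a reference on `s`, and afterwards `sk_for_each()` continues from `s` although the list may have changed while it was unlocked. The commit message argues the socket is valid because it was found on `x25_list` under the lock, but that guarantee ends at `write_unlock_bh()`; unless something outside the hunk pins the socket, the NULL dereference is traded for a possible use-after-free or a walk over a stale list node. Holding the socket across the unlocked window and restarting the walk closes both, and the restart terminates because, per the description, x25_disconnect() clears `x25->neighbour`. x25_kill_by_neigh() continues past the hunk.

```c
restart:
	sk_for_each(s, &x25_list) {
		if (x25_sk(s)->neighbour == nb) {
			sock_hold(s);	/* keep s alive while the list lock is dropped */
			/* … unchanged: unlock list, lock_sock, x25_disconnect, release_sock … */
			sock_put(s);
			write_lock_bh(&x25_list_lock);
			goto restart;	/* the list may have changed while unlocked */
		}
	}
```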
@@ -20,7 +20,7 @@ bash-4.4# dd bs=1 if=/dev/nvme0n1p2 skip=536895488 count=512 | hexdump -C bash-4.4# ./blkdiscard /dev/nvme0n1p2 bash-4.4# strace -efallocate xfs_io -c "fzero 536895488 4096" /dev/nvme0n1p2 fallocate(3, FALLOC_FL_ZERO_RANGE, 536895488, 4096) = 0 -+++ exited with 0 +++ + ++ exited with 0 +++ bash-4.4# dd bs=1 if=/dev/nvme0n1p2 skip=536895488 count=512 | hexdump -C 00000000 5c 61 5c b0 96 21 1b 5e 85 0c 07 32 9c 8c eb 3c |\a\..!.^...2...<| 00000010 4a a2 06 ca 67 15 2d 8e 29 8d a8 a0 7e 46 8c 62 |J...g.-.)...~F.b| diff --git a/patches.suse/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch b/patches.suse/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch new file mode 100644 index 0000000..9be812c --- /dev/null +++ b/patches.suse/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch 
@@ -0,0 +1,66 @@
+From 76179b4dae212143faa023b71e44554c2854c2c0 Mon Sep 17 00:00:00 2001
+From: Zheng Liang
+Date: Fri, 24 Sep 2021 09:16:27 +0800
+Subject: [PATCH] ovl: fix missing negative dentry check in ovl_rename()
+Git-commit: a295aef603e109a47af355477326bd41151765b6
+Patch-mainline: v5.15-rc5
+References: CVE-2021-20321 bsc#1191647
+
+The following reproducer
+
+ mkdir lower upper work merge
+ touch lower/old
+ touch lower/new
+ mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
+ rm merge/new
+ mv merge/old merge/new & unlink upper/new
+
+may result in this race:
+
+PROCESS A:
+ rename("merge/old", "merge/new");
+ overwrite=true,ovl_lower_positive(old)=true,
+ ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE
+
+PROCESS B:
+ unlink("upper/new");
+
+PROCESS A:
+ lookup newdentry in new_upperdir
+ call vfs_rename() with negative newdentry and RENAME_EXCHANGE
+
+Fix by adding the missing check for negative newdentry.
+
+Signed-off-by: Zheng Liang
+Fixes: e9be9d5e76e3 ("overlay filesystem")
+Cc: # v3.18
+Signed-off-by: Miklos Szeredi
+Acked-by: David Disseldorp
+---
+ fs/overlayfs/dir.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
+index 6509ec3cb373..3284363ebdfb 100644
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -1160,9 +1160,13 @@ static int ovl_rename(struct inode *olddir, struct dentry *old,
+ goto out_dput;
+ }
+ } else {
+- if (!d_is_negative(newdentry) &&
+- (!new_opaque || !ovl_is_whiteout(newdentry)))
+- goto out_dput;
++ if (!d_is_negative(newdentry)) {
++ if (!new_opaque || !ovl_is_whiteout(newdentry))
++ goto out_dput;
++ } else {
++ if (flags & RENAME_EXCHANGE)
++ goto out_dput;
++ }
+ }
+
+ if (olddentry == trap)
+--
+2.34.1
+
diff --git a/patches.suse/powerpc-perf-Fix-power10-event-alternatives.patch b/patches.suse/powerpc-perf-Fix-power10-event-alternatives.patch
new file mode 100644
index 0000000..301e238
--- /dev/null
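Review bot: The new `else` branch rejects a negative `newdentry` combined with `RENAME_EXCHANGE`, but nothing at that spot says why a negative dentry can appear there, and the value returned through `out_dput` is set outside the hunk. A short comment would keep the check from being folded away later, for example `/* upper entry vanished after the whiteout check (direct unlink in upperdir); exchange needs a positive target */`. It is also worth confirming that `err` already holds an error code at this point, so the race is reported to the caller instead of looking like success. ovl_rename() starts and ends outside the hunk.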
+++ b/patches.suse/powerpc-perf-Fix-power10-event-alternatives.patch 
@@ -0,0 +1,99 @@ +From c6cc9a852f123301d5271f1484df8e961b2b64f1 Mon Sep 17 00:00:00 2001 +From: Athira Rajeev +Date: Tue, 19 Apr 2022 17:18:28 +0530 +Subject: [PATCH] powerpc/perf: Fix power10 event alternatives + +References: jsc#SLE-13513 git-fixes +Patch-mainline: v5.18-rc4 +Git-commit: c6cc9a852f123301d5271f1484df8e961b2b64f1 + +When scheduling a group of events, there are constraint checks done to +make sure all events can go in a group. Example, one of the criteria is +that events in a group cannot use the same PMC. But platform specific +PMU supports alternative event for some of the event codes. During +perf_event_open(), if any event group doesn't match constraint check +criteria, further lookup is done to find alternative event. + +By current design, the array of alternatives events in PMU code is +expected to be sorted by column 0. This is because in +find_alternative() the return criteria is based on event code +comparison. ie. "event < ev_alt[i][0])". This optimisation is there +since find_alternative() can be called multiple times. In power10 PMU +code, the alternative event array is not sorted properly and hence there +is breakage in finding alternative event. + +To work with existing logic, fix the alternative event array to be +sorted by column 0 for power10-pmu.c + +Results: + +In case where an alternative event is not chosen when we could, events +will be multiplexed. ie, time sliced where it could actually run +concurrently. + +Example, in power10 PM_INST_CMPL_ALT(0x00002) has alternative event, +PM_INST_CMPL(0x500fa). Without the fix, if a group of events with PMC1 +to PMC4 is used along with PM_INST_CMPL_ALT, it will be time sliced +since all programmable PMC's are consumed already. But with the fix, +when it picks alternative event on PMC5, all events will run +concurrently. 
+ +Before: + + # perf stat -e r00002,r100fc,r200fa,r300fc,r400fc + + Performance counter stats for 'system wide': + + 328668935 r00002 (79.94%) + 56501024 r100fc (79.95%) + 49564238 r200fa (79.95%) + 376 r300fc (80.19%) + 660 r400fc (79.97%) + + 4.039150522 seconds time elapsed + +With the fix, since alternative event is chosen to run on PMC6, events +will be run concurrently. + +After: + + # perf stat -e r00002,r100fc,r200fa,r300fc,r400fc + + Performance counter stats for 'system wide': + + 23596607 r00002 + 4907738 r100fc + 2283608 r200fa + 135 r300fc + 248 r400fc + + 1.664671390 seconds time elapsed + +Fixes: a64e697cef23 ("powerpc/perf: power10 Performance Monitoring support") +Signed-off-by: Athira Rajeev +Reviewed-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220419114828.89843-2-atrajeev@linux.vnet.ibm.com +Acked-by: Michal Suchanek +Acked-by: Michal Suchanek +--- + arch/powerpc/perf/power10-pmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/perf/power10-pmu.c b/arch/powerpc/perf/power10-pmu.c +index d3398100a60f..c6d51e7093cf 100644 +--- a/arch/powerpc/perf/power10-pmu.c ++++ b/arch/powerpc/perf/power10-pmu.c +@@ -91,8 +91,8 @@ extern u64 PERF_REG_EXTENDED_MASK; + + /* Table of alternatives, sorted by column 0 */ + static const unsigned int power10_event_alternatives[][MAX_ALT] = { +- { PM_CYC_ALT, PM_CYC }, + { PM_INST_CMPL_ALT, PM_INST_CMPL }, ++ { PM_CYC_ALT, PM_CYC }, + }; + + static int power10_get_alternatives(u64 event, unsigned int flags, u64 alt[]) +-- +2.34.1 + diff --git a/patches.suse/powerpc-perf-Fix-power9-event-alternatives.patch b/patches.suse/powerpc-perf-Fix-power9-event-alternatives.patch new file mode 100644 index 0000000..a14b684 --- /dev/null +++ b/patches.suse/powerpc-perf-Fix-power9-event-alternatives.patch 
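Review bot: The table is only correct if its rows follow the numeric order of the column-0 event codes, which the hunk does not show, and the existing comment `sorted by column 0` did not prevent the original mis-ordering. I would spell the requirement out where the table is edited, e.g. `/* Rows MUST be in ascending order of the column-0 event code; find_alternative() stops at the first larger entry */`. The same applies to `power9_event_alternatives` in the power9 patch that follows. A one-time sortedness check when the PMU is registered would catch a future regression, if the maintainers accept the cost.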
@@ -0,0 +1,90 @@ +From 0dcad700bb2776e3886fe0a645a4bf13b1e747cd Mon Sep 17 00:00:00 2001 +From: Athira Rajeev +Date: Tue, 19 Apr 2022 17:18:27 +0530 +Subject: [PATCH] powerpc/perf: Fix power9 event alternatives + +References: bsc#1137728, LTC#178106, git-fixes +Patch-mainline: v5.18-rc4 +Git-commit: 0dcad700bb2776e3886fe0a645a4bf13b1e747cd + +When scheduling a group of events, there are constraint checks done to +make sure all events can go in a group. Example, one of the criteria is +that events in a group cannot use the same PMC. But platform specific +PMU supports alternative event for some of the event codes. During +perf_event_open(), if any event group doesn't match constraint check +criteria, further lookup is done to find alternative event. + +By current design, the array of alternatives events in PMU code is +expected to be sorted by column 0. This is because in +find_alternative() the return criteria is based on event code +comparison. ie. "event < ev_alt[i][0])". This optimisation is there +since find_alternative() can be called multiple times. In power9 PMU +code, the alternative event array is not sorted properly and hence there +is breakage in finding alternative events. + +To work with existing logic, fix the alternative event array to be +sorted by column 0 for power9-pmu.c + +Results: + +With alternative events, multiplexing can be avoided. That is, for +example, in power9 PM_LD_MISS_L1 (0x3e054) has alternative event, +PM_LD_MISS_L1_ALT (0x400f0). This is an identical event which can be +programmed in a different PMC. + +Before: + + # perf stat -e r3e054,r300fc + + Performance counter stats for 'system wide': + + 1057860 r3e054 (50.21%) + 379 r300fc (49.79%) + + 0.944329741 seconds time elapsed + +Since both the events are using PMC3 in this case, they are +multiplexed here. 
+ +After: + + # perf stat -e r3e054,r300fc + + Performance counter stats for 'system wide': + + 1006948 r3e054 + 182 r300fc + +Fixes: 91e0bd1e6251 ("powerpc/perf: Add PM_LD_MISS_L1 and PM_BR_2PATH to power9 event list") +Signed-off-by: Athira Rajeev +Reviewed-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220419114828.89843-1-atrajeev@linux.vnet.ibm.com +Acked-by: Michal Suchanek +--- + arch/powerpc/perf/power9-pmu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/perf/power9-pmu.c b/arch/powerpc/perf/power9-pmu.c +index c9eb5232e68b..c393e837648e 100644 +--- a/arch/powerpc/perf/power9-pmu.c ++++ b/arch/powerpc/perf/power9-pmu.c +@@ -133,11 +133,11 @@ int p9_dd22_bl_ev[] = { + + /* Table of alternatives, sorted by column 0 */ + static const unsigned int power9_event_alternatives[][MAX_ALT] = { +- { PM_INST_DISP, PM_INST_DISP_ALT }, +- { PM_RUN_CYC_ALT, PM_RUN_CYC }, +- { PM_RUN_INST_CMPL_ALT, PM_RUN_INST_CMPL }, +- { PM_LD_MISS_L1, PM_LD_MISS_L1_ALT }, + { PM_BR_2PATH, PM_BR_2PATH_ALT }, ++ { PM_INST_DISP, PM_INST_DISP_ALT }, ++ { PM_RUN_CYC_ALT, PM_RUN_CYC }, ++ { PM_LD_MISS_L1, PM_LD_MISS_L1_ALT }, ++ { PM_RUN_INST_CMPL_ALT, PM_RUN_INST_CMPL }, + }; + + static int power9_get_alternatives(u64 event, unsigned int flags, u64 alt[]) +-- +2.34.1 + diff --git a/patches.suse/usb-dwc3-core-Fix-tx-rx-threshold-settings.patch b/patches.suse/usb-dwc3-core-Fix-tx-rx-threshold-settings.patch new file mode 100644 index 0000000..bae68bd --- /dev/null +++ b/patches.suse/usb-dwc3-core-Fix-tx-rx-threshold-settings.patch 
@@ -0,0 +1,40 @@
+From f28ad9069363dec7deb88032b70612755eed9ee6 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen
+Date: Mon, 11 Apr 2022 18:33:47 -0700
+Subject: [PATCH] usb: dwc3: core: Fix tx/rx threshold settings
+Git-commit: f28ad9069363dec7deb88032b70612755eed9ee6
+References: git-fixes
+Patch-mainline: v5.18-rc5
+
+The current driver logic checks against 0 to determine whether the
+periodic tx/rx threshold settings are set, but we may get bogus values
+from uninitialized variables if no device property is set. Properly
+default these variables to 0.
+
+Fixes: 938a5ad1d305 ("usb: dwc3: Check for ESS TX/RX threshold config")
+Cc:
+Signed-off-by: Thinh Nguyen
+Link: https://lore.kernel.org/r/cccfce990b11b730b0dae42f9d217dc6fb988c90.1649727139.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Oliver Neukum
+---
+ drivers/usb/dwc3/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1256,10 +1256,10 @@ static void dwc3_get_properties(struct d
+ u8 lpm_nyet_threshold;
+ u8 tx_de_emphasis;
+ u8 hird_threshold;
+- u8 rx_thr_num_pkt_prd;
+- u8 rx_max_burst_prd;
+- u8 tx_thr_num_pkt_prd;
+- u8 tx_max_burst_prd;
++ u8 rx_thr_num_pkt_prd = 0;
++ u8 rx_max_burst_prd = 0;
++ u8 tx_thr_num_pkt_prd = 0;
++ u8 tx_max_burst_prd = 0;
+
+ /* default to highest possible threshold */
+ lpm_nyet_threshold = 0xf;
diff --git a/patches.suse/usb-dwc3-core-Only-handle-soft-reset-in-DCTL.patch b/patches.suse/usb-dwc3-core-Only-handle-soft-reset-in-DCTL.patch
new file mode 100644
index 0000000..da18dc1
--- /dev/null
+++ b/patches.suse/usb-dwc3-core-Only-handle-soft-reset-in-DCTL.patch
@@ -0,0 +1,40 @@
+From f4fd84ae0765a80494b28c43b756a95100351a94 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen
+Date: Thu, 21 Apr 2022 19:33:56 -0700
+Subject: [PATCH] usb: dwc3: core: Only handle soft-reset in DCTL
+Git-commit: f4fd84ae0765a80494b28c43b756a95100351a94
+References: git-fixes
+Patch-mainline: v5.18-rc5
+
+Make sure not to set run_stop bit or link state change request while
+initiating soft-reset. Register read-modify-write operation may
+unintentionally start the controller before the initialization completes
+with its previous DCTL value, which can cause initialization failure.
+
+Fixes: f59dcab17629 ("usb: dwc3: core: improve reset sequence")
+Cc:
+Signed-off-by: Thinh Nguyen
+Link: https://lore.kernel.org/r/6aecbd78328f102003d40ccf18ceeebd411d3703.1650594792.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Oliver Neukum
+---
+ drivers/usb/dwc3/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 1ca9dae57855..d28cd1a6709b 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -274,7 +274,8 @@ int dwc3_core_soft_reset(struct dwc3 *dwc)
+
+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+ reg |= DWC3_DCTL_CSFTRST;
+- dwc3_writel(dwc->regs, DWC3_DCTL, reg);
++ reg &= ~DWC3_DCTL_RUN_STOP;
++ dwc3_gadget_dctl_write_safe(dwc, reg);
+
+ /*
+ * For DWC_usb31 controller 1.90a and later, the DCTL.CSFRST bit
+--
+2.35.3
+
diff --git a/patches.suse/usb-dwc3-gadget-Return-proper-request-status.patch b/patches.suse/usb-dwc3-gadget-Return-proper-request-status.patch
new file mode 100644
index 0000000..86e0d12
--- /dev/null
+++ b/patches.suse/usb-dwc3-gadget-Return-proper-request-status.patch
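Review bot: The description promises that neither RUN_STOP nor a link state change request is written during soft reset, yet the hunk clears only `DWC3_DCTL_RUN_STOP` explicitly; the link-state part presumably happens inside `dwc3_gadget_dctl_write_safe()`, which is not shown. Since this is a backport, please confirm that the helper is available to core.c in this tree and that it masks the link-state field. A comment above the two new lines would record the intent: `/* do not start the controller or request a link state change while CSFTRST is being set */`. dwc3_core_soft_reset() continues outside the hunk.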
@@ -0,0 +1,79 @@ +From c7428dbddcf4ea1919e1c8e15f715b94ca359268 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Fri, 22 Apr 2022 17:36:28 -0700 +Subject: [PATCH] usb: dwc3: gadget: Return proper request status +Git-commit: c7428dbddcf4ea1919e1c8e15f715b94ca359268 +References: git-fixes +Patch-mainline: v5.18-rc5 + +If the user sets the usb_request's no_interrupt, then there will be no +completion event for the request. Currently the driver incorrectly uses +the event status of a different request to report the status for a +request with no_interrupt. The dwc3 driver needs to check the TRB status +associated with the request when reporting its status. + +Note: this is only applicable to missed_isoc TRB completion status, but +the other status are also listed for completeness/documentation. + +Fixes: 6d8a019614f3 ("usb: dwc3: gadget: check for Missed Isoc from event status") +Cc: +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/db2c80108286cfd108adb05bad52138b78d7c3a7.1650673655.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/dwc3/gadget.c | 31 ++++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index ab725d2262d6..0b9c2493844a 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -3274,6 +3274,7 @@ static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep, + const struct dwc3_event_depevt *event, + struct dwc3_request *req, int status) + { ++ int request_status; + int ret; + + if (req->request.num_mapped_sgs) +@@ -3294,7 +3295,35 @@ static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep, + req->needs_extra_trb = false; + } + +- dwc3_gadget_giveback(dep, req, status); ++ /* ++ * The event status only reflects the status of the TRB with IOC set. 
++ * For the requests that don't set interrupt on completion, the driver ++ * needs to check and return the status of the completed TRBs associated ++ * with the request. Use the status of the last TRB of the request. ++ */ ++ if (req->request.no_interrupt) { ++ struct dwc3_trb *trb; ++ ++ trb = dwc3_ep_prev_trb(dep, dep->trb_dequeue); ++ switch (DWC3_TRB_SIZE_TRBSTS(trb->size)) { ++ case DWC3_TRBSTS_MISSED_ISOC: ++ /* Isoc endpoint only */ ++ request_status = -EXDEV; ++ break; ++ case DWC3_TRB_STS_XFER_IN_PROG: ++ /* Applicable when End Transfer with ForceRM=0 */ ++ case DWC3_TRBSTS_SETUP_PENDING: ++ /* Control endpoint only */ ++ case DWC3_TRBSTS_OK: ++ default: ++ request_status = 0; ++ break; ++ } ++ } else { ++ request_status = status; ++ } ++ ++ dwc3_gadget_giveback(dep, req, request_status); + + out: + return ret; +-- +2.35.3 + diff --git a/patches.suse/usb-gadget-uvc-Fix-crash-when-encoding-data-for-usb-.patch b/patches.suse/usb-gadget-uvc-Fix-crash-when-encoding-data-for-usb-.patch new file mode 100644 index 0000000..a0888c6 --- /dev/null +++ b/patches.suse/usb-gadget-uvc-Fix-crash-when-encoding-data-for-usb-.patch 
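Review bot: For `no_interrupt` requests the status is read from `dwc3_ep_prev_trb(dep, dep->trb_dequeue)`, which is this request's last TRB only if `trb_dequeue` has already been advanced past every TRB of the request. That advance happens outside the hunk and the added comment does not state it, so I would append `Relies on trb_dequeue pointing just past this request's last TRB.` to the comment block. Without that note a later reordering of the reclaim code could again report another request's status without any visible failure. The function's signature is in the first inner hunk and its body continues outside both.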
@@ -0,0 +1,64 @@ +From 71d471e3faf90c9674cadc7605ac719e82cb7fac Mon Sep 17 00:00:00 2001 +From: Dan Vacura +Date: Thu, 31 Mar 2022 13:40:23 -0500 +Subject: [PATCH] usb: gadget: uvc: Fix crash when encoding data for usb + request +Git-commit: 71d471e3faf90c9674cadc7605ac719e82cb7fac +References: git-fixes +Patch-mainline: v5.18-rc5 + +During the uvcg_video_pump() process, if an error occurs and +uvcg_queue_cancel() is called, the buffer queue will be cleared out, but +the current marker (queue->buf_used) of the active buffer (no longer +active) is not reset. On the next iteration of uvcg_video_pump() the +stale buf_used count will be used and the logic of min((unsigned +int)len, buf->bytesused - queue->buf_used) may incorrectly calculate a +nbytes size, causing an invalid memory access. + +[80802.185460][ T315] configfs-gadget gadget: uvc: VS request completed +with status -18. +[80802.185519][ T315] configfs-gadget gadget: uvc: VS request completed +with status -18. +... +uvcg_queue_cancel() is called and the queue is cleared out, but the +marker queue->buf_used is not reset. +... +[80802.262328][ T8682] Unable to handle kernel paging request at virtual +address ffffffc03af9f000 +... +... 
+[80802.263138][ T8682] Call trace: +[80802.263146][ T8682] __memcpy+0x12c/0x180 +[80802.263155][ T8682] uvcg_video_pump+0xcc/0x1e0 +[80802.263165][ T8682] process_one_work+0x2cc/0x568 +[80802.263173][ T8682] worker_thread+0x28c/0x518 +[80802.263181][ T8682] kthread+0x160/0x170 +[80802.263188][ T8682] ret_from_fork+0x10/0x18 +[80802.263198][ T8682] Code: a8c12829 a88130cb a8c130 + +Fixes: d692522577c0 ("usb: gadget/uvc: Port UVC webcam gadget to use videobuf2 framework") +Cc: +Signed-off-by: Dan Vacura +Link: https://lore.kernel.org/r/20220331184024.23918-1-w36195@motorola.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/gadget/function/uvc_queue.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/gadget/function/uvc_queue.c b/drivers/usb/gadget/function/uvc_queue.c +index d852ac9e47e7..2cda982f3765 100644 +--- a/drivers/usb/gadget/function/uvc_queue.c ++++ b/drivers/usb/gadget/function/uvc_queue.c +@@ -264,6 +264,8 @@ void uvcg_queue_cancel(struct uvc_video_queue *queue, int disconnect) + buf->state = UVC_BUF_STATE_ERROR; + vb2_buffer_done(&buf->buf.vb2_buf, VB2_BUF_STATE_ERROR); + } ++ queue->buf_used = 0; ++ + /* This must be protected by the irqlock spinlock to avoid race + * conditions between uvc_queue_buffer and the disconnection event that + * could result in an interruptible wait in uvc_dequeue_buffer. Do not +-- +2.34.1 + diff --git a/patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch b/patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch new file mode 100644 index 0000000..12bf486 --- /dev/null +++ b/patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch 
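Review bot: Resetting `queue->buf_used` in uvcg_queue_cancel() fixes this one path, but the copy length quoted in the commit message, `buf->bytesused - queue->buf_used`, is an unsigned subtraction that wraps whenever `buf_used` exceeds `bytesused`. Any other path that leaves the marker stale would therefore produce an oversized memcpy again; a check for `queue->buf_used > buf->bytesused` before the subtraction in the encode path (outside this hunk) would bound the copy no matter who resets the marker. Whether the new assignment runs with `irqlock` held is not visible here; the comment directly below it suggests so, and that should be confirmed. uvcg_queue_cancel() starts and ends outside the hunk.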
@@ -0,0 +1,55 @@
+From: Pawan Gupta
+Date: Mon, 4 Apr 2022 17:34:19 -0700
+Subject: x86/pm: Save the MSR validity status at context setup
+Git-commit: 73924ec4d560257004d5b5116b22a3647661e364
+Patch-mainline: v5.18 or v5.18-rc2 (next release)
+References: bsc#1198400
+
+The mechanism to save/restore MSRs during S3 suspend/resume checks for
+the MSR validity during suspend, and only restores the MSR if its a
+valid MSR. This is not optimal, as an invalid MSR will unnecessarily
+throw an exception for every suspend cycle. The more invalid MSRs,
+higher the impact will be.
+
+Check and save the MSR validity at setup. This ensures that only valid
+MSRs that are guaranteed to not throw an exception will be attempted
+during suspend.
+
+Fixes: 7a9c2dd08ead ("x86/pm: Introduce quirk framework to save/restore extra MSR registers around suspend/resume")
+Suggested-by: Dave Hansen
+Signed-off-by: Pawan Gupta
+Reviewed-by: Dave Hansen
+Acked-by: Borislav Petkov
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds
+---
+ arch/x86/power/cpu.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
+index 9f2b251e83c5..eaec0cb3fe04 100644
+--- a/arch/x86/power/cpu.c
++++ b/arch/x86/power/cpu.c
+@@ -40,7 +40,8 @@ static void msr_save_context(struct saved_context *ctxt)
+ struct saved_msr *end = msr + ctxt->saved_msrs.num;
+
+ while (msr < end) {
+- msr->valid = !rdmsrl_safe(msr->info.msr_no, &msr->info.reg.q);
++ if (msr->valid)
++ rdmsrl(msr->info.msr_no, msr->info.reg.q);
+ msr++;
+ }
+ }
+@@ -424,8 +425,10 @@ static int msr_build_context(const u32 *msr_id, const int num)
+ }
+
+ for (i = saved_msrs->num, j = 0; i < total_num; i++, j++) {
++ u64 dummy;
++
+ msr_array[i].info.msr_no = msr_id[j];
+- msr_array[i].valid = false;
++ msr_array[i].valid = !rdmsrl_safe(msr_id[j], &dummy);
+ msr_array[i].info.reg.q = 0;
+ }
+ saved_msrs->num = total_num;
+
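Review bot: After this change `msr_save_context()` reads with plain `rdmsrl()` and trusts a `valid` flag that is computed once in `msr_build_context()`. That is safe only if an MSR's readability cannot change between setup and suspend and is the same on the CPU that runs the setup and the CPU that runs the save; neither is visible here. I would state the assumption next to the new read: `/* valid was probed with rdmsrl_safe() at setup; an MSR that later becomes unreadable will fault here */`. Discarding the probe value in `dummy` is fine, since the save path overwrites `info.reg.q` for every valid entry. Both functions extend beyond their hunks.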
diff --git a/patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch b/patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
new file mode 100644
index 0000000..144fa15
--- /dev/null
+++ b/patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
@@ -0,0 +1,60 @@
+From: Pawan Gupta
+Date: Mon, 4 Apr 2022 17:35:45 -0700
+Subject: x86/speculation: Restore speculation related MSRs during S3 resume
+Git-commit: e2a1256b17b16f9b9adf1b6fea56819e7b68e463
+Patch-mainline: v5.18 or v5.18-rc2 (next release)
+References: bsc#1198400
+
+After resuming from suspend-to-RAM, the MSRs that control CPU's
+speculative execution behavior are not being restored on the boot CPU.
+
+These MSRs are used to mitigate speculative execution vulnerabilities.
+Not restoring them correctly may leave the CPU vulnerable. Secondary
+CPU's MSRs are correctly being restored at S3 resume by
+identify_secondary_cpu().
+
+During S3 resume, restore these MSRs for boot CPU when restoring its
+processor state.
+
+Fixes: 772439717dbf ("x86/bugs/intel: Set proper CPU features and setup RDS")
+Reported-by: Neelima Krishnan
+Signed-off-by: Pawan Gupta
+Tested-by: Neelima Krishnan
+Acked-by: Borislav Petkov
+Reviewed-by: Dave Hansen
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds
+---
+ arch/x86/power/cpu.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
+index eaec0cb3fe04..3822666fb73d 100644
+--- a/arch/x86/power/cpu.c
++++ b/arch/x86/power/cpu.c
+@@ -503,10 +503,24 @@ static int pm_cpu_check(const struct x86_cpu_id *c)
+ return ret;
+ }
+
++static void pm_save_spec_msr(void)
++{
++ u32 spec_msr_id[] = {
++ MSR_IA32_SPEC_CTRL,
++ MSR_IA32_TSX_CTRL,
++ MSR_TSX_FORCE_ABORT,
++ MSR_IA32_MCU_OPT_CTRL,
++ MSR_AMD64_LS_CFG,
++ };
++
++ msr_build_context(spec_msr_id, ARRAY_SIZE(spec_msr_id));
++}
++
+ static int pm_check_save_msr(void)
+ {
+ dmi_check_system(msr_save_dmi_table);
+ pm_cpu_check(msr_save_cpu_table);
++ pm_save_spec_msr();
+
+ return 0;
+ }
+
diff --git a/patches.suse/xprtrdma-fix-incorrect-header-size-calculations.patch b/patches.suse/xprtrdma-fix-incorrect-header-size-calculations.patch
index 4c1e748..19772b7 100644
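Review bot: `pm_save_spec_msr()` discards the return value of `msr_build_context()`, which the previous patch in this series shows as `static int`. If that call can fail (its body is only partly visible), the speculation-control MSRs are silently left out of the S3 restore list and the boot CPU resumes without its mitigation settings, the very condition this patch is meant to remove. I would at least make the failure visible: `if (msr_build_context(spec_msr_id, ARRAY_SIZE(spec_msr_id))) pr_warn("x86/pm: speculation MSRs not saved for resume\n");`. The array is never modified and the callee takes `const u32 *`, so declaring it `const` would also fit.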
--- a/patches.suse/xprtrdma-fix-incorrect-header-size-calculations.patch +++ b/patches.suse/xprtrdma-fix-incorrect-header-size-calculations.patch @@ -3,7 +3,7 @@ Date: Wed, 15 Jul 2020 17:26:04 +0100 Subject: [PATCH] xprtrdma: fix incorrect header size calculations Git-commit: 912288442cb2f431bf3c8cb097a5de83bc6dbac1 Patch-mainline: v5.8-rc6 -References: git-fixes +References: CVE-2022-0812 bsc#1196639 git-fixes Currently the header size calculations are using an assignment operator instead of a += operator when accumulating the header diff --git a/rpm/constraints.in b/rpm/constraints.in index b189414..712a0f8 100644 --- a/rpm/constraints.in +++ b/rpm/constraints.in @@ -38,6 +38,7 @@ 8 + SLOW_DISK @@ -91,7 +92,7 @@ @BINARY_PACKAGES_XML@ - 8 + 8 @@ -104,7 +105,7 @@ @BINARY_PACKAGES_XML@ - 4 + 4 @@ -117,7 +118,7 @@ @BINARY_PACKAGES_XML@ - 2 + 2 diff --git a/rpm/dtb.spec.in.in b/rpm/dtb.spec.in.in index 100a985..01b9e77 100644 --- a/rpm/dtb.spec.in.in +++ b/rpm/dtb.spec.in.in @@ -65,9 +65,9 @@ cd linux-%srcversion %build source=linux-%srcversion cp $source/COPYING . -SRCDIR=`pwd`/$source +SRCDIR=$PWD/$source mkdir pp -PPDIR=`pwd`/pp +PPDIR=$PWD/pp export DTC_FLAGS="-R 4 -p 0x1000" %if 0%{?dtc_symbols} DTC_FLAGS="$DTC_FLAGS -@" diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in index 9d88440..4b59f29 100644 --- a/rpm/kernel-binary.spec.in +++ b/rpm/kernel-binary.spec.in @@ -114,6 +114,9 @@ Release: .g@COMMIT@ Release: @RELEASE@ %endif URL: https://www.kernel.org/ +%if 0%{?suse_version} > 1500 || 0%{?sle_version} > 150300 +BuildRequires: bash-sh +%endif BuildRequires: bc BuildRequires: bison BuildRequires: coreutils 
@@ -837,7 +840,7 @@ if [ %CONFIG_MODULES = y ]; then # pointless to rely on its contents. Replacing by zeros to make the # checksums always the same for several builds of the same package. test -s %buildroot/lib/modules/%kernelrelease-%build_flavor/modules.dep && \ - dd if=/dev/zero of=%buildroot/lib/modules/%kernelrelease-%build_flavor/modules.dep ibs=`stat -c%s %buildroot/lib/modules/%kernelrelease-%build_flavor/modules.dep` count=1 + dd if=/dev/zero of=%buildroot/lib/modules/%kernelrelease-%build_flavor/modules.dep ibs=$(stat -c%s %buildroot/lib/modules/%kernelrelease-%build_flavor/modules.dep) count=1 res=0 if test -e %my_builddir/kabi/%cpu_arch/symvers-%build_flavor; then @@ -1111,14 +1114,14 @@ fi %endif %preun %if "%build_flavor" != "zfcpdump" -/usr/lib/module-init-tools/kernel-scriptlets/rpm-preun --name "%name" \ +%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/rpm-preun --name "%name" \ --version "%version" --release "%release" --kernelrelease "%kernelrelease" \ --image "%image" --flavor "%build_flavor" --variant "%variant" \ --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" %endif %postun %if "%build_flavor" != "zfcpdump" -/usr/lib/module-init-tools/kernel-scriptlets/rpm-postun --name "%name" \ +%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/rpm-postun --name "%name" \ --version "%version" --release "%release" --kernelrelease "%kernelrelease" \ --image "%image" --flavor "%build_flavor" --variant "%variant" \ --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" 
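Review bot: The `%preun` and `%postun` scriptlets now start with `%run_if_exists`, but the only definition visible in this diff is the `%define run_if_exists` added to rpm/kernel-cert-subpackage. If kernel-binary.spec.in does not receive the macro from a shared macro file, rpm leaves the literal text in the scriptlet and the shell fails on it. With the definition shown, a missing helper only prints `Cannot execute ...` to stderr and the scriptlet still succeeds, so uninstall cleanup is skipped without failing the transaction; a comment beside the macro saying this is intended would help. The same applies to the `extra`, `optional` and KMP scriptlets in the following hunks.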
@@ -1175,13 +1178,13 @@ This package contains additional modules not supported by SUSE. --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" %preun extra -/usr/lib/module-init-tools/kernel-scriptlets/inkmp-preun --name "%name-extra" \ +%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/inkmp-preun --name "%name-extra" \ --version "%version" --release "%release" --kernelrelease "%kernelrelease" \ --image "%image" --flavor "%build_flavor" --variant "%variant" \ --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" %postun extra -/usr/lib/module-init-tools/kernel-scriptlets/inkmp-postun --name "%name-extra" \ +%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/inkmp-postun --name "%name-extra" \ --version "%version" --release "%release" --kernelrelease "%kernelrelease" \ --image "%image" --flavor "%build_flavor" --variant "%variant" \ --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" @@ -1239,13 +1242,13 @@ This package contains optional modules only for openSUSE Leap. --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" %preun optional -/usr/lib/module-init-tools/kernel-scriptlets/inkmp-preun --name "%name-optional" \ +%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/inkmp-preun --name "%name-optional" \ --version "%version" --release "%release" --kernelrelease "%kernelrelease" \ --image "%image" --flavor "%build_flavor" --variant "%variant" \ --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" %postun optional -/usr/lib/module-init-tools/kernel-scriptlets/inkmp-postun --name "%name-optional" \ +%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/inkmp-postun --name "%name-optional" \ --version "%version" --release "%release" --kernelrelease "%kernelrelease" \ --image "%image" --flavor "%build_flavor" --variant "%variant" \ --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" 
@@ -1406,13 +1409,13 @@ Requires(post): suse-module-tools >= 12.4 --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" %preun -n @KMP_NAME@-%build_flavor -/usr/lib/module-init-tools/kernel-scriptlets/inkmp-preun --name "@KMP_NAME@-%build_flavor" \ +%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/inkmp-preun --name "@KMP_NAME@-%build_flavor" \ --version "%version" --release "%release" --kernelrelease "%kernelrelease" \ --image "%image" --flavor "%build_flavor" --variant "%variant" \ --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" %postun -n @KMP_NAME@-%build_flavor -/usr/lib/module-init-tools/kernel-scriptlets/inkmp-postun --name "@KMP_NAME@-%build_flavor" \ +%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/inkmp-postun --name "@KMP_NAME@-%build_flavor" \ --version "%version" --release "%release" --kernelrelease "%kernelrelease" \ --image "%image" --flavor "%build_flavor" --variant "%variant" \ --usrmerged "0%{?usrmerged}" --certs "%certs" "$@" diff --git a/rpm/kernel-cert-subpackage b/rpm/kernel-cert-subpackage index 44aaa05..04a71b3 100644 --- a/rpm/kernel-cert-subpackage +++ b/rpm/kernel-cert-subpackage @@ -7,6 +7,15 @@ Requires(postun): suse-kernel-rpm-scriptlets This package contains the UEFI Secure Boot certificate used to sign modules in the %{-n*}-kmp packages. +%define run_if_exists run_if_exists() { \ +if [ -x "$1" ] ; then \ + "$@" \ +else \ + echo Cannot execute "$1" >&2 \ +fi \ +} \ +run_if_exists + %pre -n %{-n*}-ueficert /usr/lib/module-init-tools/kernel-scriptlets/cert-pre --certs "@CERTS@" "$@" 
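Review bot: `run_if_exists` in the added `%define` returns the status of `echo` when the helper is not executable, so the `%preun`/`%postun` scriptlets that use it (cert-preun and cert-postun in this file, plus the kernel-binary and kmp ones elsewhere in this commit) exit 0 with their work skipped and only a stderr line as a trace. That is presumably intended so that package removal cannot fail once the scriptlets package is gone, but nothing here says so. For the ueficert package it means whatever certificate cleanup cert-preun/cert-postun perform is simply not done. I would put a comment above the definition, for example `# Uninstall scriptlets must not fail when the helper is already removed; a skipped helper is reported on stderr only.` The same body is also pasted into rpm/kernel-module-subpackage and rpm/kernel-spec-macros, and only the latter copy has any comment, so a single shared definition would keep the three from drifting apart.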
@@ -14,10 +23,10 @@ modules in the %{-n*}-kmp packages. /usr/lib/module-init-tools/kernel-scriptlets/cert-post --certs "@CERTS@" "$@" %preun -n %{-n*}-ueficert -/usr/lib/module-init-tools/kernel-scriptlets/cert-preun --certs "@CERTS@" "$@" +%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/cert-preun --certs "@CERTS@" "$@" %postun -n %{-n*}-ueficert -/usr/lib/module-init-tools/kernel-scriptlets/cert-postun --certs "@CERTS@" "$@" +%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/cert-postun --certs "@CERTS@" "$@" %posttrans -n %{-n*}-ueficert /usr/lib/module-init-tools/kernel-scriptlets/cert-posttrans --certs "@CERTS@" "$@" diff --git a/rpm/kernel-docs.spec.in b/rpm/kernel-docs.spec.in index 9310e27..14a8bf6 100644 --- a/rpm/kernel-docs.spec.in +++ b/rpm/kernel-docs.spec.in @@ -37,6 +37,9 @@ Release: .g@COMMIT@ %else Release: @RELEASE@ %endif +%if 0%{?suse_version} > 1500 || 0%{?sle_version} > 150300 +BuildRequires: bash-sh +%endif # TW (4.13 or later) no longer needs xmlto %if 0%{?sle_version} BuildRequires: xmlto diff --git a/rpm/kernel-module-subpackage b/rpm/kernel-module-subpackage index d00434f..6645965 100644 --- a/rpm/kernel-module-subpackage +++ b/rpm/kernel-module-subpackage @@ -48,6 +48,16 @@ Obsoletes: %{-n*}-kmp-xen Obsoletes: %{-n*}-kmp-desktop %endif AutoReqProv: on + +%define run_if_exists run_if_exists() { \ +if [ -x "$1" ] ; then \ + "$@" \ +else \ + echo Cannot execute "$1" >&2 \ +fi \ +} \ +run_if_exists + %{-p:%{expand:%(cd %_sourcedir; cat %{-p*})}} %description -n %{-n*}-kmp-%1 %( 
@@ -80,11 +90,11 @@ END { exit(! good) } --version "%_this_kmp_version" --release "%{-r*}" --kernelrelease "%2" \ --flavor "%1" --usrmerged "0%{?usrmerged}" "$@" %preun -n %{-n*}-kmp-%1 -%{-b:KMP_NEEDS_MKINITRD=1} /usr/lib/module-init-tools/kernel-scriptlets/kmp-preun --name "%{-n*}-kmp-%1" \ +%{-b:KMP_NEEDS_MKINITRD=1} %run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/kmp-preun --name "%{-n*}-kmp-%1" \ --version "%_this_kmp_version" --release "%{-r*}" --kernelrelease "%2" \ --flavor "%1" --usrmerged "0%{?usrmerged}" "$@" %postun -n %{-n*}-kmp-%1 -%{-b:KMP_NEEDS_MKINITRD=1} /usr/lib/module-init-tools/kernel-scriptlets/kmp-postun --name "%{-n*}-kmp-%1" \ +%{-b:KMP_NEEDS_MKINITRD=1} %run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/kmp-postun --name "%{-n*}-kmp-%1" \ --version "%_this_kmp_version" --release "%{-r*}" --kernelrelease "%2" \ --flavor "%1" --usrmerged "0%{?usrmerged}" "$@" %posttrans -n %{-n*}-kmp-%1 diff --git a/rpm/kernel-obs-build.spec.in b/rpm/kernel-obs-build.spec.in index e73b418..711bd2d 100644 --- a/rpm/kernel-obs-build.spec.in +++ b/rpm/kernel-obs-build.spec.in @@ -154,11 +154,13 @@ ROOT="" dracut --reproducible --host-only --no-hostonly-cmdline \ --no-early-microcode --nofscks --strip --hardlink \ --drivers="$KERNEL_MODULES" --force /tmp/initrd.kvm \ -%if 0%{?suse_version} > 1550 || 0%{?sle_version} > 150200 +%if 0%{?suse_version} > 1550 --modules="obs qemu base rootfs-block" \ +%endif +%if 0%{?suse_version} > 1550 || 0%{?sle_version} > 150200 --compress "zstd -19 -T0" \ %endif - `echo /boot/%{kernel_name}-*%{kernel_flavor} | sed -n -e 's,[^-]*-\(.*'%{kernel_flavor}'\),\1,p'` + $(echo /boot/%{kernel_name}-*%{kernel_flavor} | sed -n -e 's,[^-]*-\(.*'%{kernel_flavor}'\),\1,p') %endif #cleanup diff --git a/rpm/kernel-source.spec.in b/rpm/kernel-source.spec.in index bbbf9dc..2647269 100644 --- a/rpm/kernel-source.spec.in +++ b/rpm/kernel-source.spec.in 
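Review bot: In the `%preun` and `%postun` lines of this hunk the `%{-b:KMP_NEEDS_MKINITRD=1}` prefix now sits in front of `%run_if_exists`, whose expansion (as defined earlier in this file) begins with the function definition `run_if_exists() {` rather than with the command. With `-b` given, the assignment therefore precedes a function definition, which shells generally reject as a syntax error, and in any case it no longer reaches the environment of kmp-preun/kmp-postun. Putting the assignment on its own line keeps the old behaviour: `%{-b:export KMP_NEEDS_MKINITRD=1}` followed by `%run_if_exists /usr/lib/module-init-tools/kernel-scriptlets/kmp-preun --name "%{-n*}-kmp-%1" \`. This is read from the macro text only, so it should be confirmed with a package built with `-b`.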
@@ -42,6 +42,9 @@ License: GPL-2.0-only Group: Development/Sources URL: https://www.kernel.org/ AutoReqProv: off +%if 0%{?suse_version} > 1500 || 0%{?sle_version} > 150300 +BuildRequires: bash-sh +%endif BuildRequires: coreutils BuildRequires: fdupes BuildRequires: sed diff --git a/rpm/kernel-spec-macros b/rpm/kernel-spec-macros index 998b337..3f087e7 100644 --- a/rpm/kernel-spec-macros +++ b/rpm/kernel-spec-macros @@ -72,4 +72,14 @@ %define kernel_module_directory /lib/modules %endif +# Very basic macro for conditional execution. +%define run_if_exists run_if_exists() { \ +if [ -x "$1" ] ; then \ + "$@" \ +else \ + echo Cannot execute "$1" >&2 \ +fi \ +} \ +run_if_exists + # vim: ft=spec diff --git a/rpm/macros.kernel-source b/rpm/macros.kernel-source index 81ed8ae..6bc027d 100644 --- a/rpm/macros.kernel-source +++ b/rpm/macros.kernel-source @@ -1,6 +1,13 @@ # A few cross-distro definitions: +%kernel_build_shell_package %{lua: \ +if ((tonumber(rpm.expand("0%{?suse_version}")) > 1500) or (tonumber(rpm.expand("0%{?sle_version}")) > 150300)) then \ + print( "bash-sh" ) \ +else \ + print( "" ) \ +end \ +} %kernel_module_package_release 1 -%kernel_module_package_buildreqs modutils kernel-syms kmod-compat +%kernel_module_package_buildreqs modutils kernel-syms kmod-compat %kernel_build_shell_package %cpu_arch %(case %_target_cpu in \ # from rpm --eval '%ix86' \ diff --git a/scripts/bs-upload-kernel b/scripts/bs-upload-kernel index b592cc8..c97c25a 100755 --- a/scripts/bs-upload-kernel +++ b/scripts/bs-upload-kernel @@ -103,6 +103,9 @@ my @macros = ("%is_kotd 1"); if ($ignore_kabi) { push(@macros, "%ignore_kabi_badness 1"); } +if (-e "$dir/klp-symbols") { + push(@macros, "%klp_symbols 1"); +} my @remove_packages = qw(kernel-dummy); if (!$enable_checks) { push(@remove_packages, "post-build-checks", "rpmlint-Factory", diff --git a/scripts/git_sort/lib.py b/scripts/git_sort/lib.py index 9442b37..c656116 100644 --- a/scripts/git_sort/lib.py +++ b/scripts/git_sort/lib.py 
@@ -280,6 +280,11 @@ class InputEntry(object): if not commit_tags: self.dest_head = git_sort.oot mainline = mainline_tags[0] + if re.match("^(v[1-9]|Queued)", mainline, re.IGNORECASE): + raise exc.KSError( + "There is a problem with patch \"%s\". " + "The Patch-mainline tag \"%s\" requires Git-commit." % ( + name, mainline,)) if not re.match("^(Submitted|Not yet)", mainline, re.IGNORECASE): raise exc.KSError( "There is a problem with patch \"%s\". " diff --git a/scripts/git_sort/tests/test_series_sort.py b/scripts/git_sort/tests/test_series_sort.py index 96f54e8..f0ffe5b 100755 --- a/scripts/git_sort/tests/test_series_sort.py +++ b/scripts/git_sort/tests/test_series_sort.py @@ -955,6 +955,18 @@ class TestFromPatch(unittest.TestCase): "Error: There is a problem with patch \"%s\". The Git-repo tag is incorrect or the patch is in the wrong section of series.conf and (the Git-commit tag is incorrect or the relevant remote is outdated or not available locally) or an entry for this repository is missing from \"remotes\". In the last case, please edit \"remotes\" in \"scripts/git_sort/git_sort.py\" and commit the result. Manual intervention is required.\n" % (name,)) + def test_malformed(self): + """ + Generate a series and destroy the Git-commit tag on one of the patches + This should report a specific error so that this situation is not conflated with wrong Patch-mainline tag in out-of-tree section + """ + + name, series2 = self.prepare_found_indexed_upstream_good() + subprocess.call(['sed', '-i', '-e', 's/commit/comit/', name]) + self.check_failure( +'Error: There is a problem with patch "%s". The Patch-mainline tag "Queued in subsystem maintainer repository" requires Git-commit.\n' % (name)) + + if __name__ == '__main__': # Run a single testcase suite = unittest.TestLoader().loadTestsFromTestCase(TestFromPatch) diff --git a/scripts/gitlog2changes b/scripts/gitlog2changes index 7f59a5d..15435c5 100755 --- a/scripts/gitlog2changes +++ b/scripts/gitlog2changes 
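Review bot: The `sed` call in `test_malformed` rewrites the first `commit` on every line of the patch, not only the `Git-commit` tag the docstring talks about, and `subprocess.call` drops its exit status. A failed or over-broad edit would then show up as a confusing message mismatch in `check_failure` instead of as a setup error. I would narrow and check it: `subprocess.check_call(['sed', '-i', '-e', 's/^Git-commit:/Git-comit:/', name])`.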
@@ -63,11 +63,22 @@ sub parse_gitlog { my $cur = { message => [] }; my @states = qw(commit tree parent author committer blank message); my $st = 0; + my $gpgsig = 0; while (my $line = <$fh>) { next if $line =~ /^#/; chomp($line); my $expect = $states[$st]; if ($expect eq "blank") { + if ($gpgsig > 0) { + if ($line =~ /-----END PGP SIGNATURE-----/) { + $gpgsig = 0; + } + next; + } + if ($line =~ /^gpgsig/) { + $gpgsig = 1; + next; + } if ($line ne "") { die "Malformed git rev-parse output ($cur->{commit}): expected blank line, got \"$line\"\n"; } diff --git a/scripts/python/check-patchhdr b/scripts/python/check-patchhdr index 0f8f89e..165eae2 100755 --- a/scripts/python/check-patchhdr +++ b/scripts/python/check-patchhdr @@ -1,9 +1,5 @@ -#!/usr/bin/python3 -# -*- coding: utf-8 -*-, - -from __future__ import absolute_import -from __future__ import print_function -from __future__ import division +#!/usr/bin/env python3 +# vim: sw=4 ts=4 et si: import sys from optparse import OptionParser diff --git a/scripts/python/suse_git/header.py b/scripts/python/suse_git/header.py index 1cbf0a9..43d4406 100755 --- a/scripts/python/suse_git/header.py +++ b/scripts/python/suse_git/header.py @@ -1,5 +1,5 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*-, +#!/usr/bin/env python3 +# vim: sw=4 ts=4 et si: import sys import re @@ -331,7 +331,7 @@ class HeaderChecker(patch.PatchChecker): target[tag].append(new_req) def do_patch(self): - for line in self.stream: + for line in self.stream.readlines(): if diffstart.match(line): break diff --git a/scripts/python/suse_git/patch.py b/scripts/python/suse_git/patch.py index 13ff659..2116d15 100644 --- a/scripts/python/suse_git/patch.py +++ b/scripts/python/suse_git/patch.py @@ -1,5 +1,5 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*-, +#!/usr/bin/env python3 +# vim: sw=4 ts=4 et si: import sys diff --git a/scripts/python/test-all.sh b/scripts/python/test-all.sh old mode 100644 new mode 100755 index 77cb2eb..8308965 --- a/scripts/python/test-all.sh 
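Review bot: The skip added in the `blank` state ends only on a line containing `-----END PGP SIGNATURE-----`, so a `gpgsig` header with a different trailer (SSH-signed commits end in `-----END SSH SIGNATURE-----`, X.509 ones in `-----END SIGNED MESSAGE-----`) leaves `$gpgsig` set, and every following line, later commits included, is skipped without an error. If the input is git's raw commit format, where header continuation lines start with a space, testing for that works for any signature type: `if ($gpgsig > 0 && $line =~ /^ /) { next; }` followed by `$gpgsig = 0;`. `parse_gitlog` continues outside the hunk, so I cannot see whether reaching end of input with `$gpgsig` still set is reported anywhere.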
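Review bot: `self.stream.readlines()` in `do_patch` reads the whole patch into a list before the loop runs, although the loop stops at the first line matching `diffstart`, and it leaves the stream at end of file. The hunk gives no reason for replacing plain iteration. If it is needed because of code after the loop, which is outside this hunk, a comment such as `# readlines(): REASON` above the loop would keep someone from reverting it.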
+++ b/scripts/python/test-all.sh @@ -1 +1,2 @@ -python3 -m unittest discover +#! /bin/sh +python3 -m unittest discover "$@" diff --git a/scripts/python/tests/test_header.py b/scripts/python/tests/test_header.py index 59a2906..5051b39 100755 --- a/scripts/python/tests/test_header.py +++ b/scripts/python/tests/test_header.py @@ -1,10 +1,10 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 # -*- coding: utf-8 -*-, +# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79: import sys import os.path import unittest -from io import StringIO from suse_git import header diff --git a/scripts/run_oldconfig.sh b/scripts/run_oldconfig.sh index fe50a1a..357692a 100755 --- a/scripts/run_oldconfig.sh +++ b/scripts/run_oldconfig.sh @@ -423,6 +423,9 @@ for config in $config_files; do esac if [ -d scripts/dummy-tools ] ; then MAKE_ARGS="$MAKE_ARGS CROSS_COMPILE=scripts/dummy-tools/" + if [ -e scripts/dummy-tools/pahole ]; then + MAKE_ARGS="$MAKE_ARGS PAHOLE=scripts/dummy-tools/pahole" + fi chmod 755 scripts/dummy-tools/* chmod 755 scripts/* fi diff --git a/series.conf b/series.conf index 3929921..383b31f 100644 --- a/series.conf +++ b/series.conf @@ -37291,7 +37291,7 @@ patches.suse/cpuidle-psci-Fix-error-path-via-converting-to-a-plat.patch patches.suse/cpuidle-psci-Convert-PM-domain-to-platform-driver.patch patches.suse/cpuidle-psci-Prevent-domain-idlestates-until-consume.patch - patches.suse/intel_idle-Customize-IceLake-server-support.patch + patches.suse/bsc1175543-intel_idle-Customize-IceLake-server-support.patch patches.suse/powercap-intel_rapl-add-support-for-Sapphire-Rapids.patch patches.suse/powercap-Add-Power-Limit4-support.patch patches.suse/ACPICA-Replace-one-element-array-with-flexible-array.patch 
@@ -46914,6 +46914,7 @@ patches.suse/can-flexcan-convert-the-driver-to-DT-only.patch patches.suse/nl80211-validate-key-indexes-for-cfg80211_registered.patch patches.suse/mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch + patches.suse/adm8211-fix-error-return-code-in-adm8211_probe.patch patches.suse/mwifiex-Fix-possible-buffer-overflows-in-mwifiex_2.patch patches.suse/mt76-add-back-the-SUPPORTS_REORDERING_BUFFER-flag.patch patches.suse/mt76-mt7915-set-fops_sta_stats.owner-to-THIS_MODULE.patch @@ -48769,7 +48770,7 @@ patches.suse/drm-i915-gen11-Only-load-DRAM-information-from-pcode.patch patches.suse/drm-i915-Rename-is_16gb_dimm-to-wm_lv_0_adjust_neede.patch patches.suse/drm-mediatek-Check-if-fb-is-null.patch - patches.suse/drm-mediatek-Fix-aal-size-config.patch + patches.suse/0004-drm-mediatek-Fix-aal-size-config.patch patches.suse/drm-amd-display-Guard-against-NULL-pointer-deref-whe.patch patches.suse/drm-amd-display-Fix-10-12-bpc-setup-in-DCE-output-bi.patch patches.suse/drm-amd-display-Fix-HDMI-deep-color-output-for-DCE-6.patch @@ -50363,6 +50364,7 @@ patches.suse/ipw2x00-potential-buffer-overflow-in-libipw_wx_set_e.patch patches.suse/rsi-Use-resume_noirq-for-SDIO.patch patches.suse/rtw88-Fix-array-overrun-in-rtw_get_tx_power_params.patch + patches.suse/mwl8k-Fix-a-double-Free-in-mwl8k_probe_hw.patch patches.suse/msft-hv-2332-net-mana-Add-a-driver-for-Microsoft-Azure-Network-Ad.patch patches.suse/mac80211-clear-the-beacon-s-CRC-after-channel-switch.patch patches.suse/mac80211-bail-out-if-cipher-schemes-are-invalid.patch 
@@ -51219,8 +51221,6 @@ patches.suse/mmc-meson-gx-use-memcpy_to-fromio-for-dram-access-qu.patch patches.suse/drm-vc4-hdmi-Move-the-HSM-clock-enable-to-runtime_pm.patch patches.suse/0007-drm-vc4-hdmi-Make-sure-the-controller-is-powered-in-.patch - patches.suse/drm-add-a-locked-version-of-drm_is_current_master.patch - patches.suse/Revert-drm-add-a-locked-version-of-drm_is_current_ma.patch patches.suse/drm-nouveau-wait-for-moving-fence-after-pinning-v2.patch patches.suse/drm-radeon-wait-for-moving-fence-after-pinning.patch patches.suse/drm-amdgpu-wait-for-moving-fence-after-pinning.patch @@ -51573,6 +51573,7 @@ patches.suse/drm-vc4-Fix-clock-source-for-VEC-PixelValve-on-BCM27.patch patches.suse/drm-vc4-txp-Properly-set-the-possible_crtcs-mask.patch patches.suse/drm-vc4-crtc-Skip-the-TXP.patch + patches.suse/drm-vc4-crtc-Lookup-the-encoder-from-the-register-at-boot.patch patches.suse/drm-vc4-hdmi-Prevent-clock-unbalance.patch patches.suse/drm-vc4-hdmi-Fix-PM-reference-leak-in-vc4_hdmi_encod.patch patches.suse/drm-bridge-cdns-Fix-PM-reference-leak-in-cdns_dsi_tr.patch @@ -51947,6 +51948,7 @@ patches.suse/drm-radeon-Add-the-missed-drm_gem_object_put-in-rade.patch patches.suse/drm-amdgpu-Update-NV-SIMD-per-CU-to-2.patch patches.suse/drm-i915-display-Do-not-zero-past-infoframes.vsc.patch + patches.suse/0001-drm-i915-Drop-all-references-to-DRM-IRQ-midlayer.patch patches.suse/drm-gma500-Add-the-missed-drm_gem_object_put-in-psb_.patch patches.suse/NFSv4-Initialise-connection-to-the-server-in-nfs4_al.patch patches.suse/SUNRPC-prevent-port-reuse-on-transports-which-don-t-.patch 
@@ -52640,7 +52642,7 @@ patches.suse/drm-of-free-the-iterator-object-on-failure.patch patches.suse/video-fbdev-kyro-fix-a-DoS-bug-by-restricting-user-i.patch patches.suse/drm-avoid-blocking-in-drm_clients_info-s-rcu-section.patch - patches.suse/drm-add-a-locked-version-of-drm_is_current_master-1f7ef07cfa14.patch + patches.suse/drm-add-a-locked-version-of-drm_is_current_master.patch patches.suse/drm-serialize-drm_file.master-with-a-new-spinlock.patch patches.suse/drm-protect-drm_master-pointers-in-drm_lease.c.patch patches.suse/drm-bridge-nwl-dsi-Avoid-potential-multiplication-ov.patch @@ -53056,6 +53058,7 @@ patches.suse/hwmon-tmp421-report-PVLD-condition-as-fault.patch patches.suse/hwmon-tmp421-fix-rounding-for-negative-values.patch patches.suse/ext4-fix-reserved-space-counter-leakage.patch + patches.suse/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch patches.suse/phy-mdio-fix-memory-leak.patch patches.suse/ath5k-fix-building-with-LEDS-m.patch patches.suse/iwlwifi-pcie-add-configuration-of-a-Wi-Fi-adapter-on.patch @@ -53424,6 +53427,7 @@ patches.suse/drm-amdgpu-fix-warning-for-overflow-check.patch patches.suse/drm-amdgpu-revert-Add-autodump-debugfs-node-for-gpu-.patch patches.suse/drm-ttm-stop-calling-tt_swapin-in-vm_access.patch + patches.suse/0002-drm-i915-Keep-gem-ctx-vm-alive-until-the-final-put.patch patches.suse/drm-i915-Remove-memory-frequency-calculation.patch patches.suse/drm-msm-prevent-NULL-dereference-in-msm_gpu_crashsta.patch patches.suse/drm-msm-potential-error-pointer-dereference-in-init.patch 
@@ -53635,6 +53639,7 @@ patches.suse/Input-iforce-fix-control-message-timeout.patch patches.suse/drm-plane-helper-fix-uninitialized-variable-referenc.patch patches.suse/drm-i915-fb-Fix-rounding-error-in-subsampled-plane-s.patch + patches.suse/0003-drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch patches.suse/drm-nouveau-svm-Fix-refcount-leak-bug-and-missing-ch.patch patches.suse/drm-nouveau-use-drm_dev_unplug-during-device-removal.patch patches.suse/drm-nouveau-Add-a-dedicated-mutex-for-the-clients-li.patch @@ -53731,6 +53736,7 @@ patches.suse/thermal-core-Reset-previous-low-and-high-trip-during.patch patches.suse/drm-nouveau-hdmigv100.c-fix-corrupted-HDMI-Vendor-In.patch patches.suse/drm-sun4i-fix-unmet-dependency-on-RESET_CONTROLLER-f.patch + patches.suse/0004-Revert-drm-i915-tgl-dsi-Gate-the-ddi-clocks-after-pl.patch patches.suse/drm-amdgpu-fix-set-scaling-mode-Full-Full-aspect-Cen.patch patches.suse/scsi-qla2xxx-Fix-mailbox-direction-flags-in-qla2xxx_.patch patches.suse/ata-ahci-Add-Green-Sardine-vendor-ID-as-board_ahci_m.patch @@ -53843,6 +53849,7 @@ patches.suse/serial-core-fix-transmit-buffer-reset-and-memleak.patch patches.suse/serial-pl011-Add-ACPI-SBSA-UART-match-id.patch patches.suse/tty-serial-msm_serial-Deactivate-RX-DMA-for-polling-.patch + patches.suse/0002-vgacon-Propagate-console-boot-parameters-before-call.patch patches.suse/serial-8250-Fix-RTS-modem-control-while-in-rs485-mod.patch patches.suse/serial-8250_pci-Fix-ACCES-entries-in-pci_serial_quir.patch patches.suse/serial-8250_pci-rewrite-pericom_do_set_divisor.patch 
@@ -54074,6 +54081,7 @@ patches.suse/drm-tegra-vic-Fix-DMA-API-misuse.patch patches.suse/gpu-host1x-Add-back-arm_iommu_detach_device.patch patches.suse/drm-etnaviv-limit-submit-sizes.patch + patches.suse/0001-drm-vmwgfx-Remove-unused-compile-options.patch patches.suse/drm-msm-dpu-fix-safe-status-debugfs-file.patch patches.suse/drm-amdgpu-fixup-bad-vram-size-on-gmc-v8.patch patches.suse/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch @@ -54211,6 +54219,7 @@ patches.suse/backlight-qcom-wled-Pass-number-of-elements-to-read-.patch patches.suse/backlight-qcom-wled-Fix-off-by-one-maximum-with-defa.patch patches.suse/backlight-qcom-wled-Override-default-length-with-qco.patch + patches.suse/0002-backlight-qcom-wled-Respect-enabled-strings-in-set_b.patch patches.suse/mmc-core-Fixup-storing-of-OCR-for-MMC_QUIRK_NONSTD_S.patch patches.suse/mmc-sdhci-pci-Add-PCI-ID-for-Intel-ADL.patch patches.suse/mmc-meson-mx-sdio-add-IRQ-check.patch @@ -54557,6 +54566,7 @@ patches.suse/net-usb-cdc_mbim-avoid-altsetting-toggling-for-Telit.patch patches.suse/bonding-force-carrier-update-when-releasing-slave.patch patches.suse/drm-radeon-Fix-backlight-control-on-iMac-12-1.patch + patches.suse/0003-drm-cma-helper-Set-VM_DONTEXPAND-for-mmap.patch patches.suse/drm-i915-gvt-clean-up-kernel-doc-in-gtt.c.patch patches.suse/drm-i915-gvt-Make-DRM_I915_GVT-depend-on-X86.patch patches.suse/drm-i915-Fix-dbuf-slice-config-lookup.patch @@ -54668,6 +54678,7 @@ patches.suse/net-fix-up-skbs-delta_truesize-in-UDP-GRO-frag_list.patch patches.suse/selftests-mlxsw-tc_police_scale-Make-test-more-robus.patch patches.suse/ixgbe-xsk-change-netif_carrier_ok-handling-in-ixgbe_.patch + patches.suse/0004-drm-i915-s-JSP2-ICP2-PCH.patch patches.suse/drm-vrr-Set-VRR-capable-prop-only-if-it-is-attached-.patch patches.suse/ASoC-ops-Shift-tested-values-in-snd_soc_put_volsw-by.patch patches.suse/ASoC-cs4265-Fix-the-duplicated-control-name.patch 
@@ -54833,7 +54844,13 @@ patches.suse/memory-emif-Add-check-for-setup_interrupts.patch patches.suse/memory-emif-check-the-pointer-temp-in-get_device_det.patch patches.suse/pinctrl-samsung-drop-pin-banks-references-on-error-p.patch + patches.suse/msft-hv-2514-net-mana-Use-struct_size-helper-in-mana_gd_create_dm.patch patches.suse/Bluetooth-hci_serdev-call-init_rwsem-before-p-open.patch + patches.suse/msft-hv-2516-net-mana-Add-counter-for-packet-dropped-by-XDP.patch + patches.suse/msft-hv-2517-net-mana-Add-counter-for-XDP_TX.patch + patches.suse/msft-hv-2518-net-mana-Reuse-XDP-dropped-page.patch + patches.suse/msft-hv-2523-net-mana-Add-handling-of-CQE_RX_TRUNCATED.patch + patches.suse/msft-hv-2524-net-mana-Remove-unnecessary-check-of-cqe_type-in-man.patch patches.suse/net-asix-add-proper-error-handling-of-usb-read-error.patch patches.suse/ath10k-fix-memory-overwrite-of-the-WoWLAN-wakeup-pac.patch patches.suse/ath5k-fix-OOB-in-ath5k_eeprom_read_pcal_info_5111.patch @@ -54875,6 +54892,8 @@ patches.suse/drm-amd-pm-return-ENOTSUPP-if-there-is-no-get_dpm_ul.patch patches.suse/drm-amdgpu-Fix-recursive-locking-warning.patch patches.suse/drm-amd-display-Add-affected-crtcs-to-atomic-state-f.patch + patches.suse/0005-drm-amdgpu-fix-amdgpu_ras_block_late_init-error-hand.patch + patches.suse/0006-drm-fb-helper-Mark-screen-buffers-in-system-memory-w.patch patches.suse/drm-bridge-dw-hdmi-use-safe-format-when-first-in-bri.patch patches.suse/drm-amdkfd-make-CRAT-table-missing-message-informati.patch patches.suse/drm-amd-display-Remove-vupdate_int_entry-definition.patch 
@@ -54932,23 +54951,6 @@ patches.suse/scsi-lpfc-Fix-typos-in-comments.patch patches.suse/scsi-qla2xxx-Fix-typos-in-comments.patch patches.suse/scsi-lpfc-Use-kcalloc.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-lpfc_iocbq.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-fast-and-slow-path.patch - patches.suse/scsi-lpfc-SLI-path-split-Introduce-lpfc_prep_wqe.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-base-ELS-paths-and.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-PLOGI-PRLI-ADISC-L.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-the-RSCN-SCR-RDF-E.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-LS_ACC-paths.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-LS_RJT-paths.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-FDISC-paths.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-VMID-paths.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-misc-ELS-paths.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-CT-paths.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-SCSI-paths.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-Abort-paths.patch - patches.suse/scsi-lpfc-SLI-path-split-Refactor-BSG-paths.patch - patches.suse/scsi-lpfc-Update-lpfc-version-to-14.2.0.0.patch - patches.suse/scsi-lpfc-Copyright-updates-for-14.2.0.0-patches.patch patches.suse/powerpc-add-link-stack-flush-mitigation-status-in-de.patch patches.suse/powerpc-pseries-read-the-lpar-name-from-the-firmware.patch patches.suse/powerpc-64-Move-paca-allocation-later-in-boot.patch 
@@ -54983,6 +54985,7 @@ patches.suse/mfd-asic3-Add-missing-iounmap-on-error-asic3_mfd_pro.patch patches.suse/drm-edid-check-basic-audio-support-on-CEA-extension-.patch patches.suse/ext2-correct-max-file-size-computing.patch + patches.suse/0008-USB-hcd-pci-Use-PCI_STD_NUM_BARS-when-checking-stand.patch patches.suse/xhci-fix-garbage-USBSTS-being-logged-in-some-cases.patch patches.suse/xhci-fix-uninitialized-string-returned-by-xhci_decod.patch patches.suse/xhci-fix-runtime-PM-imbalance-in-USB2-resume.patch @@ -55025,6 +55028,7 @@ patches.suse/xen-fix-is_xen_pmu.patch patches.suse/livepatch-Don-t-block-removal-of-patches-that-are-safe-to-unload.patch patches.suse/net-phy-broadcom-Fix-brcm_fet_config_init.patch + patches.suse/net-x25-Fix-null-ptr-deref-caused-by-x25_disconnect.patch patches.suse/ptrace-Check-PTRACE_O_SUSPEND_SECCOMP-permission-on-PTRACE_SEIZE.patch patches.suse/dma-debug-fix-return-value-of-__setup-handlers.patch patches.suse/NFS-Use-of-mapping_set_error-results-in-spurious-err.patch @@ -55071,7 +55075,10 @@ patches.suse/cifs-do-not-skip-link-targets-when-an-I-O-fails.patch patches.suse/cifs-fix-bad-fids-sent-over-wire.patch patches.suse/xen-blkfront-fix-comment-for-need_copy.patch + patches.suse/kvm-x86-mmu-do-compare-and-exchange-of-gpte-via-the-user-address patches.suse/x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io + patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch + patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch patches.suse/ata-sata_dwc_460ex-Fix-crash-due-to-OOB-write.patch patches.suse/ata-libata-core-Disable-READ-LOG-DMA-EXT-for-Samsung.patch patches.suse/random-check-for-signal_pending-outside-of-need_resc.patch 
@@ -55093,7 +55100,7 @@ patches.suse/spi-bcm-qspi-fix-MSPI-only-access-with-bcm_qspi_exec.patch patches.suse/Revert-NFSv4-Handle-the-special-Linux-file-open-acce.patch patches.suse/NFSv4-fix-open-failure-with-O_ACCMODE-flag.patch - patches.suse/SUNRPC-Ensure-we-flush-any-closed-sockets-before-xs_.patch + patches.suse/0001-SUNRPC-Ensure-we-flush-any-closed-sockets-before-xs_.patch patches.suse/SUNRPC-Handle-ENOMEM-in-call_transmit_status.patch patches.suse/SUNRPC-Handle-low-memory-situations-in-call_status.patch patches.suse/lz4-fix-LZ4_decompress_safe_partial-read-out-of-boun.patch @@ -55133,6 +55140,17 @@ patches.suse/drm-panel-raspberrypi-touchscreen-Avoid-NULL-deref-i.patch patches.suse/drm-panel-raspberrypi-touchscreen-Initialise-the-bri.patch patches.suse/drm-vc4-Use-pm_runtime_resume_and_get-to-fix-pm_runt.patch + patches.suse/powerpc-perf-Fix-power9-event-alternatives.patch + patches.suse/powerpc-perf-Fix-power10-event-alternatives.patch + patches.suse/0003-video-fbdev-udlfb-properly-check-endpoint-type.patch + patches.suse/bnx2x-fix-napi-API-usage-sequence.patch + patches.suse/Revert-ibmvnic-Add-ethtool-private-flag-for-driver-d.patch + patches.suse/0009-drm-amd-display-Fix-memory-leak-in-dcn21_clock_sourc.patch + patches.suse/USB-Fix-xhci-event-ring-dequeue-pointer-ERDP-update-.patch + patches.suse/usb-gadget-uvc-Fix-crash-when-encoding-data-for-usb-.patch + patches.suse/usb-dwc3-core-Fix-tx-rx-threshold-settings.patch + patches.suse/usb-dwc3-core-Only-handle-soft-reset-in-DCTL.patch + patches.suse/usb-dwc3-gadget-Return-proper-request-status.patch # out-of-tree patches patches.suse/random-fix-crash-on-multiple-early-calls-to-add_bootloader_randomness.patch 
@@ -55177,12 +55195,31 @@ patches.suse/VFS-filename_create-fix-incorrect-intent.patch # mkp/scsi staging - patches.suse/scsi-lpfc-improve-pci-eeh-error-and-recovery-handling.patch - patches.suse/scsi-lpfc-fix-unload-hang-after-back-to-back-pci-eeh-faults.patch - patches.suse/scsi-lpfc-fix-queue-failures-when-recovering-from-pci-parity-error.patch - patches.suse/scsi-lpfc-update-lpfc-version-to-14.2.0.1.patch - patches.suse/scsi-lpfc-fix-broken-sli4-abort-path.patch - patches.suse/scsi-lpfc-fix-locking-for-lpfc_sli_iocbq_lookup.patch + # mwilck: series-sort.py doesn't like guards in the sorted section + # moved lpfc 14.2.0.x patches down here ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-lpfc_iocbq.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-fast-and-slow-path.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Introduce-lpfc_prep_wqe.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-base-ELS-paths-and.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-PLOGI-PRLI-ADISC-L.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-the-RSCN-SCR-RDF-E.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-LS_ACC-paths.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-LS_RJT-paths.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-FDISC-paths.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-VMID-paths.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-misc-ELS-paths.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-CT-paths.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-SCSI-paths.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-Abort-paths.patch ++dwagner patches.suse/scsi-lpfc-SLI-path-split-Refactor-BSG-paths.patch ++dwagner patches.suse/scsi-lpfc-Update-lpfc-version-to-14.2.0.0.patch ++dwagner patches.suse/scsi-lpfc-Copyright-updates-for-14.2.0.0-patches.patch ++dwagner 
patches.suse/scsi-lpfc-improve-pci-eeh-error-and-recovery-handling.patch ++dwagner patches.suse/scsi-lpfc-fix-unload-hang-after-back-to-back-pci-eeh-faults.patch ++dwagner patches.suse/scsi-lpfc-fix-queue-failures-when-recovering-from-pci-parity-error.patch ++dwagner patches.suse/scsi-lpfc-update-lpfc-version-to-14.2.0.1.patch ++dwagner patches.suse/scsi-lpfc-fix-broken-sli4-abort-path.patch ++dwagner patches.suse/scsi-lpfc-fix-locking-for-lpfc_sli_iocbq_lookup.patch ######################################################## # kbuild/module infrastructure fixes @@ -55356,6 +55393,14 @@ patches.suse/bfq-Store-full-bitmap-depth-in-bfq_data.patch patches.suse/bfq-Limit-number-of-requests-consumed-by-each-cgroup.patch patches.suse/block-do-not-send-a-rezise-udev-event-for-hidden-block.patch + patches.suse/bfq-Avoid-merging-queues-with-different-parents.patch + patches.suse/bfq-Split-shared-queues-on-move-between-cgroups.patch + patches.suse/bfq-Update-cgroup-information-before-merging-bio.patch + patches.suse/bfq-Drop-pointless-unlock-lock-pair.patch + patches.suse/bfq-Remove-pointless-bfq_init_rq-calls.patch + patches.suse/bfq-Track-whether-bfq_group-is-still-online.patch + patches.suse/bfq-Get-rid-of-__bio_blkcg-usage.patch + patches.suse/bfq-Make-sure-bfqg-for-which-we-are-queueing-request.patch ######################################################## # Networking core
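Review bot: The comment added in the `# mkp/scsi staging` block explains why the lpfc 14.2.0.x entries were moved out of the sorted section, but not why they now carry the `+dwagner` guard. Six of them, among them `scsi-lpfc-fix-broken-sli4-abort-path.patch` and `scsi-lpfc-fix-locking-for-lpfc_sli_iocbq_lookup.patch`, were unguarded in this block before the commit, and the seventeen moved down from the sorted section were unguarded there too. If that guard symbol is not defined for regular builds, these fixes stop being applied. A second comment line stating the reason and the condition for dropping the guard would help, for example `# dwagner: guarded until REASON (bug reference)`.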