diff --git a/blacklist.conf b/blacklist.conf index 89db604..c614433 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -170,6 +170,10 @@ CVE-2019-13233 # bsc#1140454, needed only for SLE15-SP1+ CVE-2019-15099 # bsc#1146368, needed only for SLE15-SP1+ CVE-2019-19078 # bsc#1157032, needed only for SLE15-SP1+ CVE-2019-19046 # bsc#1157304, needed only for SLE15-SP1+ +CVE-2019-19080 # bsc#1157044, needed only for SLE15-SP1+ +CVE-2019-19081 # bsc#1157045, needed only for SLE15-SP1+ +CVE-2019-19082 # bsc#1157046, needed only for SLE15-SP1+ +CVE-2019-19083 # bsc#1157049, needed only for SLE15-SP1+ # Blacklisted Commits # ------------------- @@ -1429,3 +1433,7 @@ d17f1bbb3aa9631429fa0fe325ad12661d6b226b # obsoleted by later patch 700c1018b86d0d4b3f1f2d459708c0cdf42b521d # we don't use gawk 5.x yet bef69dd87828ef5d8ecdab8d857cd3a33cf98675 # excessive backport requirements for a corner case optimisation 04e7712f4460585e5eed5b853fd8b82a9943958f # as commit msg says, only cosmetic +bc6f2a757d525e001268c3658bd88822e768f8db # module: memory leak when module_add_modinfo_attrs() fails; should not normally happen; not worth it +83b44fe343b5abfcb1b2261289bd0cfcfcfd60a8 # drivers/base: breaks kABI, changing enum cpuhp_state +6282edb72bed5324352522d732080d4c1b9dfed6 # clocksource: breaks kABI, changing enum cpuhp_state +069e47823fff2c634b2d46a328b5096fdc8c2a0c # requires a FW update diff --git a/patches.kabi/kABI-add-_q-suffix-to-exports-that-take-struct-dh.patch b/patches.kabi/kABI-add-_q-suffix-to-exports-that-take-struct-dh.patch new file mode 100644 index 0000000..8415b6f --- /dev/null +++ b/patches.kabi/kABI-add-_q-suffix-to-exports-that-take-struct-dh.patch @@ -0,0 +1,224 @@ +From f67b2860c00d242223c83ebb9cf78a409d94173a Mon Sep 17 00:00:00 2001 +From: Michal Suchanek +Date: Mon, 16 Dec 2019 19:05:35 +0100 +Subject: [PATCH] kABI: add _q suffix to exports that take struct dh + +References: bsc#1155331 +Patch-mainline: never, kABI + +Also provide the old API with exports without suffix. + +Signed-off-by: Michal Suchanek +--- + crypto/dh_helper.c | 105 ++++++++++++++++++++++++++++++++++++++------ + include/crypto/dh.h | 25 +++++++++++ + 3 files changed, 123 insertions(+), 16 deletions(-) + +diff --git a/crypto/dh_helper.c b/crypto/dh_helper.c +index 8625cb0c2af9..50d3d0c8734f 100644 +--- a/crypto/dh_helper.c ++++ b/crypto/dh_helper.c +@@ -14,6 +14,32 @@ + #include + #include + ++#undef dh ++#undef crypto_dh_key_len ++#define DH_KPP_SECRET_MIN_SIZE_NO_Q (sizeof(struct kpp_secret) + 3 * sizeof(int)) ++ ++static inline int dh_data_size(const struct dh *p) ++{ ++ return p->key_size + p->p_size + p->g_size; ++} ++ ++int crypto_dh_key_len(const struct dh *p) ++{ ++ return DH_KPP_SECRET_MIN_SIZE_NO_Q + dh_data_size(p); ++} ++EXPORT_SYMBOL_GPL(crypto_dh_key_len); ++ ++/* Old calculation with new structure */ ++static inline int dh_data_size_no_q(const struct dh_q *p) ++{ ++ return p->key_size + p->p_size + p->g_size; ++} ++ ++int crypto_dh_key_len_no_q(const struct dh_q *p) ++{ ++ return DH_KPP_SECRET_MIN_SIZE_NO_Q + dh_data_size_no_q(p); ++} ++ + #define DH_KPP_SECRET_MIN_SIZE (sizeof(struct kpp_secret) + 4 * sizeof(int)) + + static inline u8 *dh_pack_data(void *dst, const void *src, size_t size) +@@ -28,20 +54,21 @@ static inline const u8 *dh_unpack_data(void *dst, const void *src, size_t size) + return src + size; + } + +-static inline int dh_data_size(const struct dh *p) ++static inline int dh_data_size_q(const struct dh_q *p) + { + return p->key_size + p->p_size + p->q_size + p->g_size; + } + +-int crypto_dh_key_len(const struct dh *p) ++int crypto_dh_key_len_q(const struct dh_q *p) + { +- return DH_KPP_SECRET_MIN_SIZE + dh_data_size(p); ++ return DH_KPP_SECRET_MIN_SIZE + dh_data_size_q(p); + } +-EXPORT_SYMBOL_GPL(crypto_dh_key_len); ++EXPORT_SYMBOL_GPL(crypto_dh_key_len_q); + +-int crypto_dh_encode_key(char *buf, unsigned int len, const struct dh *params) ++int crypto_dh_encode_key(char *buf, unsigned int len, const struct dh_q *params) + { + u8 *ptr = buf; ++ bool do_q = true; + struct kpp_secret secret = { + .type = CRYPTO_KPP_SECRET_TYPE_DH, + .len = len +@@ -50,29 +77,33 @@ int crypto_dh_encode_key(char *buf, unsigned int len, const struct dh *params) + if (unlikely(!buf)) + return -EINVAL; + +- if (len != crypto_dh_key_len(params)) ++ if (len == crypto_dh_key_len_no_q(params) && !params->q_size) ++ do_q = false; ++ else if (len != crypto_dh_key_len_q(params)) + return -EINVAL; + + ptr = dh_pack_data(ptr, &secret, sizeof(secret)); + ptr = dh_pack_data(ptr, ¶ms->key_size, sizeof(params->key_size)); + ptr = dh_pack_data(ptr, ¶ms->p_size, sizeof(params->p_size)); +- ptr = dh_pack_data(ptr, ¶ms->q_size, sizeof(params->q_size)); ++ if (do_q) ++ ptr = dh_pack_data(ptr, ¶ms->q_size, sizeof(params->q_size)); + ptr = dh_pack_data(ptr, ¶ms->g_size, sizeof(params->g_size)); + ptr = dh_pack_data(ptr, params->key, params->key_size); + ptr = dh_pack_data(ptr, params->p, params->p_size); +- ptr = dh_pack_data(ptr, params->q, params->q_size); ++ if (do_q) ++ ptr = dh_pack_data(ptr, params->q, params->q_size); + dh_pack_data(ptr, params->g, params->g_size); + + return 0; + } + EXPORT_SYMBOL_GPL(crypto_dh_encode_key); + +-int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh *params) ++int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh_q *params) + { + const u8 *ptr = buf; + struct kpp_secret secret; + +- if (unlikely(!buf || len < DH_KPP_SECRET_MIN_SIZE)) ++ if (unlikely(!buf || len < DH_KPP_SECRET_MIN_SIZE_NO_Q)) + return -EINVAL; + + ptr = dh_unpack_data(&secret, ptr, sizeof(secret)); +@@ -81,10 +112,21 @@ int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh *params) + + ptr = dh_unpack_data(¶ms->key_size, ptr, sizeof(params->key_size)); + ptr = dh_unpack_data(¶ms->p_size, ptr, sizeof(params->p_size)); +- ptr = dh_unpack_data(¶ms->q_size, ptr, sizeof(params->q_size)); + ptr = dh_unpack_data(¶ms->g_size, ptr, sizeof(params->g_size)); +- if (secret.len != crypto_dh_key_len(params)) +- return -EINVAL; ++ params->q_size = 0; ++ /* ++ * G is not optional so if we assigned q_size to g_size here when ++ * decoding a new key with Q parameter the length will not match on ++ * well-formed key. ++ */ ++ if (secret.len != crypto_dh_key_len_no_q(params)) { ++ if (len < DH_KPP_SECRET_MIN_SIZE) ++ return -EINVAL; ++ params->q_size = params->g_size; ++ ptr = dh_unpack_data(¶ms->g_size, ptr, sizeof(params->g_size)); ++ if (secret.len != crypto_dh_key_len_q(params)) ++ return -EINVAL; ++ } + + /* + * Don't permit the buffer for 'key' or 'g' to be larger than 'p', since +@@ -118,3 +160,40 @@ int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh *params) + return 0; + } + EXPORT_SYMBOL_GPL(crypto_dh_decode_key); ++ ++#undef crypto_dh_encode_key ++#undef crypto_dh_decode_key ++ ++int crypto_dh_encode_key(char *buf, unsigned int len, const struct dh *old_params) ++{ ++ struct dh_q params = { ++ .q_size = 0, .q = NULL, ++ .key_size = old_params->key_size, ++ .p_size = old_params->p_size, ++ .g_size = old_params->g_size, ++ .key = old_params->key, ++ .p = old_params->p, ++ .g = old_params->g, ++ }; ++ return crypto_dh_encode_key_q(buf, len, ¶ms); ++ ++} ++EXPORT_SYMBOL_GPL(crypto_dh_encode_key); ++ ++int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh *old_params) ++{ ++ struct dh_q params; ++ int ret = crypto_dh_decode_key_q(buf, len, ¶ms); ++ if (ret) ++ return ret; ++ if (params.q_size) ++ return -EOPNOTSUPP; ++ old_params->key_size = params.key_size; ++ old_params->p_size = params.p_size; ++ old_params->g_size = params.g_size; ++ old_params->key = params.key; ++ old_params->p = params.p; ++ old_params->g = params.g; ++ return ret; ++} ++EXPORT_SYMBOL_GPL(crypto_dh_decode_key); +diff --git a/include/crypto/dh.h b/include/crypto/dh.h +index 6952b63f2957..b6b269878b57 100644 +--- a/include/crypto/dh.h ++++ b/include/crypto/dh.h +@@ -13,6 +13,31 @@ + #ifndef _CRYPTO_DH_ + #define _CRYPTO_DH_ + ++/** ++ * struct dh - define a DH private key for old API without Q parameter ++ * ++ * @key: Private DH key ++ * @p: Diffie-Hellman parameter P ++ * @g: Diffie-Hellman generator G ++ * @key_size: Size of the private DH key ++ * @p_size: Size of DH parameter P ++ * @g_size: Size of DH generator G ++ */ ++struct dh { ++ void *key; ++ void *p; ++ void *g; ++ unsigned int key_size; ++ unsigned int p_size; ++ unsigned int g_size; ++}; ++ ++/* kABI we added the q parameter to struct dh so interface of these functions changed. */ ++#define dh dh_q ++#define crypto_dh_key_len crypto_dh_key_len_q ++#define crypto_dh_encode_key crypto_dh_encode_key_q ++#define crypto_dh_decode_key crypto_dh_decode_key_q ++ + /** + * DOC: DH Helper Functions + * +-- +2.23.0 + diff --git a/patches.suse/0001-btrfs-harden-agaist-duplicate-fsid-on-scanned-device.patch b/patches.suse/0001-btrfs-harden-agaist-duplicate-fsid-on-scanned-device.patch new file mode 100644 index 0000000..6dc19c2 --- /dev/null +++ b/patches.suse/0001-btrfs-harden-agaist-duplicate-fsid-on-scanned-device.patch @@ -0,0 +1,112 @@ +From a9261d4125c97ce8624e9941b75dee1b43ad5df9 Mon Sep 17 00:00:00 2001 +Patch-mainline: v5.1 +References: bsc#1134973 +Git-commit: a9261d4125c97ce8624e9941b75dee1b43ad5df9 +From: Anand Jain +Date: Mon, 15 Oct 2018 10:45:17 +0800 +Subject: [PATCH] btrfs: harden agaist duplicate fsid on scanned devices + +It's not that impossible to imagine that a device OR a btrfs image is +copied just by using the dd or the cp command. Which in case both the +copies of the btrfs will have the same fsid. If on the system with +automount enabled, the copied FS gets scanned. + +We have a known bug in btrfs, that we let the device path be changed +after the device has been mounted. So using this loop hole the new +copied device would appears as if its mounted immediately after it's +been copied. + +For example: + +Initially.. /dev/mmcblk0p4 is mounted as / + + $ lsblk + NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT + mmcblk0 179:0 0 29.2G 0 disk + |-mmcblk0p4 179:4 0 4G 0 part / + |-mmcblk0p2 179:2 0 500M 0 part /boot + |-mmcblk0p3 179:3 0 256M 0 part [SWAP] + `-mmcblk0p1 179:1 0 256M 0 part /boot/efi + + $ btrfs fi show + Label: none uuid: 07892354-ddaa-4443-90ea-f76a06accaba + Total devices 1 FS bytes used 1.40GiB + devid 1 size 4.00GiB used 3.00GiB path /dev/mmcblk0p4 + +Copy mmcblk0 to sda + + $ dd if=/dev/mmcblk0 of=/dev/sda + +And immediately after the copy completes the change in the device +superblock is notified which the automount scans using btrfs device scan +and the new device sda becomes the mounted root device. + + $ lsblk + NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT + sda 8:0 1 14.9G 0 disk + |-sda4 8:4 1 4G 0 part / + |-sda2 8:2 1 500M 0 part + |-sda3 8:3 1 256M 0 part + `-sda1 8:1 1 256M 0 part + mmcblk0 179:0 0 29.2G 0 disk + |-mmcblk0p4 179:4 0 4G 0 part + |-mmcblk0p2 179:2 0 500M 0 part /boot + |-mmcblk0p3 179:3 0 256M 0 part [SWAP] + `-mmcblk0p1 179:1 0 256M 0 part /boot/efi + + $ btrfs fi show / + Label: none uuid: 07892354-ddaa-4443-90ea-f76a06accaba + Total devices 1 FS bytes used 1.40GiB + devid 1 size 4.00GiB used 3.00GiB path /dev/sda4 + +The bug is quite nasty that you can't either unmount /dev/sda4 or +/dev/mmcblk0p4. And the problem does not get solved until you take sda +out of the system on to another system to change its fsid using the +'btrfstune -u' command. + +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Qu Wenruo +--- + fs/btrfs/volumes.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -641,6 +641,35 @@ static noinline int device_list_add(cons + return PTR_ERR(device); + } + ++ /* ++ * We are going to replace the device path for a given devid, ++ * make sure it's the same device if the device is mounted ++ */ ++ if (device->bdev) { ++ struct block_device *path_bdev; ++ ++ path_bdev = lookup_bdev(path); ++ if (IS_ERR(path_bdev)) { ++ mutex_unlock(&fs_devices->device_list_mutex); ++ return PTR_ERR(path_bdev); ++ } ++ ++ if (device->bdev != path_bdev) { ++ bdput(path_bdev); ++ mutex_unlock(&fs_devices->device_list_mutex); ++ btrfs_warn_in_rcu(device->fs_info, ++ "duplicate device fsid:devid for %pU:%llu old:%s new:%s", ++ disk_super->fsid, devid, ++ rcu_str_deref(device->name), path); ++ return -EEXIST; ++ } ++ bdput(path_bdev); ++ btrfs_info_in_rcu(device->fs_info, ++ "device fsid %pU devid %llu moved old:%s new:%s", ++ disk_super->fsid, devid, ++ rcu_str_deref(device->name), path); ++ } ++ + name = rcu_string_strdup(path, GFP_NOFS); + if (!name) { + kfree(device); diff --git a/patches.suse/0001-btrfs-qgroup-Always-free-PREALLOC-META-reserve-in-bt.patch b/patches.suse/0001-btrfs-qgroup-Always-free-PREALLOC-META-reserve-in-bt.patch index f4ba443..653ed01 100644 --- a/patches.suse/0001-btrfs-qgroup-Always-free-PREALLOC-META-reserve-in-bt.patch +++ b/patches.suse/0001-btrfs-qgroup-Always-free-PREALLOC-META-reserve-in-bt.patch @@ -1,8 +1,7 @@ -From 8702ba9396bf7bbae2ab93c94acd4bd37cfa4f09 Mon Sep 17 00:00:00 2001 From: Qu Wenruo Date: Mon, 14 Oct 2019 14:34:51 +0800 -Patch-mainline: v5.4-rc5 Git-commit: 8702ba9396bf7bbae2ab93c94acd4bd37cfa4f09 +Patch-mainline: 5.4 References: bsc#1155179 Subject: [PATCH] btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() @@ -95,19 +94,22 @@ CC: stable@vger.kernel.org # 4.19+ Reviewed-by: Filipe Manana Signed-off-by: Qu Wenruo Signed-off-by: David Sterba +Signed-off-by: Filipe Manana --- - fs/btrfs/ctree.h | 3 +-- - fs/btrfs/extent-tree.c | 6 ++---- - fs/btrfs/file.c | 7 +++---- - fs/btrfs/inode-map.c | 4 ++-- - fs/btrfs/inode.c | 12 ++++++------ - fs/btrfs/ioctl.c | 6 ++---- - fs/btrfs/relocation.c | 5 ++--- - 7 files changed, 18 insertions(+), 25 deletions(-) + fs/btrfs/ctree.h | 3 +-- + fs/btrfs/extent-tree.c | 6 ++---- + fs/btrfs/file.c | 7 +++---- + fs/btrfs/inode-map.c | 4 ++-- + fs/btrfs/inode.c | 12 ++++++------ + fs/btrfs/ioctl.c | 6 ++---- + fs/btrfs/relocation.c | 7 +++---- + 7 files changed, 19 insertions(+), 26 deletions(-) +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 98e5d815a92c..d835442d67ff 100644 --- a/fs/btrfs/ctree.h +++ b/fs/btrfs/ctree.h -@@ -2833,8 +2833,7 @@ int btrfs_subvolume_reserve_metadata(str +@@ -2834,8 +2834,7 @@ int btrfs_subvolume_reserve_metadata(struct btrfs_root *root, u64 *qgroup_reserved, bool use_global_rsv); void btrfs_subvolume_release_metadata(struct btrfs_fs_info *fs_info, struct btrfs_block_rsv *rsv); @@ -117,9 +119,11 @@ Signed-off-by: David Sterba int btrfs_delalloc_reserve_metadata(struct btrfs_inode *inode, u64 num_bytes); void btrfs_delalloc_release_metadata(struct btrfs_inode *inode, u64 num_bytes, +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 0e122631e99b..cbd86ffaa2fb 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c -@@ -6166,7 +6166,6 @@ void btrfs_delalloc_release_metadata(str +@@ -6168,7 +6168,6 @@ void btrfs_delalloc_release_metadata(struct btrfs_inode *inode, u64 num_bytes, * btrfs_delalloc_release_extents - release our outstanding_extents * @inode: the inode to balance the reservation for. * @num_bytes: the number of bytes we originally reserved with @@ -127,7 +131,7 @@ Signed-off-by: David Sterba * * When we reserve space we increase outstanding_extents for the extents we may * add. Once we've set the range as delalloc or created our ordered extents we -@@ -6174,8 +6173,7 @@ void btrfs_delalloc_release_metadata(str +@@ -6176,8 +6175,7 @@ void btrfs_delalloc_release_metadata(struct btrfs_inode *inode, u64 num_bytes, * temporarily tracked outstanding_extents. This _must_ be used in conjunction * with btrfs_delalloc_reserve_metadata. */ @@ -137,7 +141,7 @@ Signed-off-by: David Sterba { struct btrfs_fs_info *fs_info = btrfs_sb(inode->vfs_inode.i_sb); unsigned num_extents; -@@ -6189,7 +6187,7 @@ void btrfs_delalloc_release_extents(stru +@@ -6191,7 +6189,7 @@ void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes, if (btrfs_is_testing(fs_info)) return; @@ -146,9 +150,11 @@ Signed-off-by: David Sterba } /** +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index 0d2f7528947e..0cbc3e9cbdfb 100644 --- a/fs/btrfs/file.c +++ b/fs/btrfs/file.c -@@ -1702,7 +1702,7 @@ again: +@@ -1702,7 +1702,7 @@ static noinline ssize_t __btrfs_buffered_write(struct file *file, force_page_uptodate); if (ret) { btrfs_delalloc_release_extents(BTRFS_I(inode), @@ -157,7 +163,7 @@ Signed-off-by: David Sterba break; } -@@ -1714,7 +1714,7 @@ again: +@@ -1714,7 +1714,7 @@ static noinline ssize_t __btrfs_buffered_write(struct file *file, if (extents_locked == -EAGAIN) goto again; btrfs_delalloc_release_extents(BTRFS_I(inode), @@ -166,7 +172,7 @@ Signed-off-by: David Sterba ret = extents_locked; break; } -@@ -1772,8 +1772,7 @@ again: +@@ -1772,8 +1772,7 @@ static noinline ssize_t __btrfs_buffered_write(struct file *file, unlock_extent_cached(&BTRFS_I(inode)->io_tree, lockstart, lockend, &cached_state, GFP_NOFS); @@ -176,9 +182,11 @@ Signed-off-by: David Sterba if (ret) { btrfs_drop_pages(pages, num_pages); break; +diff --git a/fs/btrfs/inode-map.c b/fs/btrfs/inode-map.c +index 9409dcc7020d..022b19336fee 100644 --- a/fs/btrfs/inode-map.c +++ b/fs/btrfs/inode-map.c -@@ -500,12 +500,12 @@ again: +@@ -500,12 +500,12 @@ int btrfs_save_ino_cache(struct btrfs_root *root, ret = btrfs_prealloc_file_range_trans(inode, trans, 0, 0, prealloc, prealloc, prealloc, &alloc_hint); if (ret) { @@ -193,9 +201,11 @@ Signed-off-by: David Sterba out_put: iput(inode); out_release: +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index e18bd0ef846f..8dda701f2dea 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c -@@ -2118,7 +2118,7 @@ again: +@@ -2118,7 +2118,7 @@ static void btrfs_writepage_fixup_worker(struct btrfs_work *work) 0); ClearPageChecked(page); set_page_dirty(page); @@ -204,7 +214,7 @@ Signed-off-by: David Sterba out: unlock_extent_cached(&BTRFS_I(inode)->io_tree, page_start, page_end, &cached_state, GFP_NOFS); -@@ -4621,7 +4621,7 @@ again: +@@ -4621,7 +4621,7 @@ int btrfs_truncate_block(struct inode *inode, loff_t from, loff_t len, if (!page) { btrfs_delalloc_release_space(inode, data_reserved, block_start, blocksize, true); @@ -213,7 +223,7 @@ Signed-off-by: David Sterba ret = -ENOMEM; goto out; } -@@ -4690,7 +4690,7 @@ out_unlock: +@@ -4690,7 +4690,7 @@ int btrfs_truncate_block(struct inode *inode, loff_t from, loff_t len, if (ret) btrfs_delalloc_release_space(inode, data_reserved, block_start, blocksize, true); @@ -222,7 +232,7 @@ Signed-off-by: David Sterba unlock_page(page); put_page(page); out: -@@ -8614,7 +8614,7 @@ static ssize_t btrfs_direct_IO(struct ki +@@ -8614,7 +8614,7 @@ static ssize_t btrfs_direct_IO(struct kiocb *iocb, struct iov_iter *iter) } else if (ret >= 0 && (size_t)ret < count) btrfs_delalloc_release_space(inode, data_reserved, offset, count - (size_t)ret, true); @@ -231,7 +241,7 @@ Signed-off-by: David Sterba } out: if (wakeup) -@@ -8984,14 +8984,14 @@ again: +@@ -8984,14 +8984,14 @@ int btrfs_page_mkwrite(struct vm_fault *vmf) out_unlock: if (!ret) { @@ -248,9 +258,11 @@ Signed-off-by: David Sterba btrfs_delalloc_release_space(inode, data_reserved, page_start, reserved_space, (ret != 0)); out_noreserve: +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 1a2ea0d188f1..5ae2eb94b9ad 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c -@@ -1262,8 +1262,7 @@ again: +@@ -1262,8 +1262,7 @@ static int cluster_pages_for_defrag(struct inode *inode, unlock_page(pages[i]); put_page(pages[i]); } @@ -260,7 +272,7 @@ Signed-off-by: David Sterba extent_changeset_free(data_reserved); return i_done; out: -@@ -1274,8 +1273,7 @@ out: +@@ -1274,8 +1273,7 @@ static int cluster_pages_for_defrag(struct inode *inode, btrfs_delalloc_release_space(inode, data_reserved, start_index << PAGE_SHIFT, page_cnt << PAGE_SHIFT, true); @@ -270,9 +282,20 @@ Signed-off-by: David Sterba extent_changeset_free(data_reserved); return ret; +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 3d51064e3619..ba1d259f7394 100644 --- a/fs/btrfs/relocation.c +++ b/fs/btrfs/relocation.c -@@ -3340,7 +3340,7 @@ static int relocate_file_extent_cluster( +@@ -3321,7 +3321,7 @@ static int relocate_file_extent_cluster(struct inode *inode, + btrfs_delalloc_release_metadata(BTRFS_I(inode), + PAGE_SIZE, true); + btrfs_delalloc_release_extents(BTRFS_I(inode), +- PAGE_SIZE, true); ++ PAGE_SIZE); + ret = -ENOMEM; + goto out; + } +@@ -3342,7 +3342,7 @@ static int relocate_file_extent_cluster(struct inode *inode, btrfs_delalloc_release_metadata(BTRFS_I(inode), PAGE_SIZE, true); btrfs_delalloc_release_extents(BTRFS_I(inode), @@ -281,7 +304,7 @@ Signed-off-by: David Sterba ret = -EIO; goto out; } -@@ -3371,8 +3371,7 @@ static int relocate_file_extent_cluster( +@@ -3373,8 +3373,7 @@ static int relocate_file_extent_cluster(struct inode *inode, put_page(page); index++; @@ -291,3 +314,6 @@ Signed-off-by: David Sterba balance_dirty_pages_ratelimited(inode->i_mapping); btrfs_throttle(fs_info); } +-- +2.16.4 + diff --git a/patches.suse/0001-btrfs-volumes-Use-more-straightforward-way-to-calcul.patch b/patches.suse/0001-btrfs-volumes-Use-more-straightforward-way-to-calcul.patch new file mode 100644 index 0000000..587175b --- /dev/null +++ b/patches.suse/0001-btrfs-volumes-Use-more-straightforward-way-to-calcul.patch @@ -0,0 +1,48 @@ +From 2d974619a77f106f3d1341686dea95c0eaad601f Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 23 Oct 2019 21:57:26 +0800 +Patch-mainline: v5.5-rc1 +Git-commit: 2d974619a77f106f3d1341686dea95c0eaad601f +References: bsc#1151910 +Subject: [PATCH 1/2] btrfs: volumes: Use more straightforward way to calculate + map length + +The old code goes: + + offset = logical - em->start; + length = min_t(u64, em->len - offset, length); + +Where @length calculation is dependent on offset, it can take reader +several more seconds to find it's just the same code as: + + offset = logical - em->start; + length = min_t(u64, em->start + em->len - logical, length); + +Use above code to make the length calculate independent from other +variable, thus slightly increase the readability. + +Reviewed-by: Johannes Thumshirn +Reviewed-by: Josef Bacik +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +--- + fs/btrfs/volumes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index f534a6a5553e..6a0288d17b7d 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -5412,7 +5412,7 @@ static int __btrfs_map_block_for_discard(struct btrfs_fs_info *fs_info, + } + + offset = logical - em->start; +- length = min_t(u64, em->len - offset, length); ++ length = min_t(u64, em->start + em->len - logical, length); + + stripe_len = map->stripe_len; + /* +-- +2.24.1 + diff --git a/patches.suse/0001-xen-blkback-Avoid-unmapping-unmapped-grant-pages.patch b/patches.suse/0001-xen-blkback-Avoid-unmapping-unmapped-grant-pages.patch new file mode 100644 index 0000000..f060225 --- /dev/null +++ b/patches.suse/0001-xen-blkback-Avoid-unmapping-unmapped-grant-pages.patch @@ -0,0 +1,70 @@ +Patch-mainline: v5.5-rc1 +Git-commit: f9bd84a8a845d82f9b5a081a7ae68c98a11d2e84 +References: bsc#1065600 +From: SeongJae Park +Date: Tue, 26 Nov 2019 16:36:05 +0100 +Subject: [PATCH] xen/blkback: Avoid unmapping unmapped grant pages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For each I/O request, blkback first maps the foreign pages for the +request to its local pages. If an allocation of a local page for the +mapping fails, it should unmap every mapping already made for the +request. + +However, blkback's handling mechanism for the allocation failure does +not mark the remaining foreign pages as unmapped. Therefore, the unmap +function merely tries to unmap every valid grant page for the request, +including the pages not mapped due to the allocation failure. On a +system that fails the allocation frequently, this problem leads to +following kernel crash. + + [ 372.012538] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001 + [ 372.012546] IP: [] gnttab_unmap_refs.part.7+0x1c/0x40 + [ 372.012557] PGD 16f3e9067 PUD 16426e067 PMD 0 + [ 372.012562] Oops: 0002 [#1] SMP + [ 372.012566] Modules linked in: act_police sch_ingress cls_u32 + ... + [ 372.012746] Call Trace: + [ 372.012752] [] gnttab_unmap_refs+0x34/0x40 + [ 372.012759] [] xen_blkbk_unmap+0x83/0x150 [xen_blkback] + ... + [ 372.012802] [] dispatch_rw_block_io+0x970/0x980 [xen_blkback] + ... + Decompressing Linux... Parsing ELF... done. + Booting the kernel. + [ 0.000000] Initializing cgroup subsys cpuset + +This commit fixes this problem by marking the grant pages of the given +request that didn't mapped due to the allocation failure as invalid. + +Fixes: c6cc142dac52 ("xen-blkback: use balloon pages for all mappings") + +Reviewed-by: David Woodhouse +Reviewed-by: Maximilian Heyne +Reviewed-by: Paul Durrant +Reviewed-by: Roger Pau Monné +Signed-off-by: SeongJae Park +Signed-off-by: Jens Axboe +Signed-off-by: Juergen Gross +--- + drivers/block/xen-blkback/blkback.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c +index fd1e19f1a49f..3666afa639d1 100644 +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -936,6 +936,8 @@ static int xen_blkbk_map(struct xen_blkif_ring *ring, + out_of_memory: + pr_alert("%s: out of memory\n", __func__); + put_free_pages(ring, pages_to_gnt, segs_to_map); ++ for (i = last_map; i < num; i++) ++ pages[i]->handle = BLKBACK_INVALID_HANDLE; + return -ENOMEM; + } + +-- +2.16.4 + diff --git a/patches.suse/0002-btrfs-Ensure-we-trim-ranges-across-block-group-bound.patch b/patches.suse/0002-btrfs-Ensure-we-trim-ranges-across-block-group-bound.patch new file mode 100644 index 0000000..92a33a9 --- /dev/null +++ b/patches.suse/0002-btrfs-Ensure-we-trim-ranges-across-block-group-bound.patch @@ -0,0 +1,190 @@ +From 6b7faadd985c990324b5b5bd18cc4ba5c395eb65 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 23 Oct 2019 21:57:27 +0800 +Patch-mainline: v5.5-rc1 +Git-commit: 6b7faadd985c990324b5b5bd18cc4ba5c395eb65 +References: bsc#1151910 +Subject: [PATCH 2/2] btrfs: Ensure we trim ranges across block group boundary + +[BUG] +When deleting large files (which cross block group boundary) with +discard mount option, we find some btrfs_discard_extent() calls only +trimmed part of its space, not the whole range: + + btrfs_discard_extent: type=0x1 start=19626196992 len=2144530432 trimmed=1073741824 ratio=50% + +type: bbio->map_type, in above case, it's SINGLE DATA. +start: Logical address of this trim +len: Logical length of this trim +trimmed: Physically trimmed bytes +ratio: trimmed / len + +Thus leaving some unused space not discarded. + +[CAUSE] +When discard mount option is specified, after a transaction is fully +committed (super block written to disk), we begin to cleanup pinned +extents in the following call chain: + +btrfs_commit_transaction() +|- btrfs_finish_extent_commit() + |- find_first_extent_bit(unpin, 0, &start, &end, EXTENT_DIRTY); + |- btrfs_discard_extent() + +However, pinned extents are recorded in an extent_io_tree, which can +merge adjacent extent states. + +When a large file gets deleted and it has adjacent file extents across +block group boundary, we will get a large merged range like this: + + |<--- BG1 --->|<--- BG2 --->| + |//////|<-- Range to discard --->|/////| + +To discard that range, we have the following calls: + + btrfs_discard_extent() + |- btrfs_map_block() + | Returned bbio will end at BG1's end. As btrfs_map_block() + | never returns result across block group boundary. + |- btrfs_issuse_discard() + Issue discard for each stripe. + +So we will only discard the range in BG1, not the remaining part in BG2. + +Furthermore, this bug is not that reliably observed, for above case, if +there is no other extent in BG2, BG2 will be empty and btrfs will trim +all space of BG2, covering up the bug. + +[FIX] +- Allow __btrfs_map_block_for_discard() to modify @length parameter + btrfs_map_block() uses its @length paramter to notify the caller how + many bytes are mapped in current call. + With __btrfs_map_block_for_discard() also modifing the @length, + btrfs_discard_extent() now understands when to do extra trim. + +- Call btrfs_map_block() in a loop until we hit the range end Since we + now know how many bytes are mapped each time, we can iterate through + each block group boundary and issue correct trim for each range. + +Reviewed-by: Filipe Manana +Reviewed-by: Nikolay Borisov +Tested-by: Nikolay Borisov +Reviewed-by: Josef Bacik +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +--- + fs/btrfs/extent-tree.c | 41 +++++++++++++++++++++++++++++++---------- + fs/btrfs/volumes.c | 6 ++++-- + 2 files changed, 35 insertions(+), 12 deletions(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -2137,8 +2137,10 @@ static int btrfs_issue_discard(struct bl + int btrfs_discard_extent(struct btrfs_fs_info *fs_info, u64 bytenr, + u64 num_bytes, u64 *actual_bytes) + { +- int ret; ++ int ret = 0; + u64 discarded_bytes = 0; ++ u64 end = bytenr + num_bytes; ++ u64 cur = bytenr; + struct btrfs_bio *bbio = NULL; + + +@@ -2147,15 +2149,23 @@ int btrfs_discard_extent(struct btrfs_fs + * associated to its stripes that don't go away while we are discarding. + */ + btrfs_bio_counter_inc_blocked(fs_info); +- /* Tell the block device(s) that the sectors can be discarded */ +- ret = btrfs_map_block(fs_info, BTRFS_MAP_DISCARD, bytenr, &num_bytes, +- &bbio, 0); +- /* Error condition is -ENOMEM */ +- if (!ret) { +- struct btrfs_bio_stripe *stripe = bbio->stripes; ++ while (cur < end) { ++ struct btrfs_bio_stripe *stripe; + int i; + ++ num_bytes = end - cur; ++ /* Tell the block device(s) that the sectors can be discarded */ ++ ret = btrfs_map_block(fs_info, BTRFS_MAP_DISCARD, cur, ++ &num_bytes, &bbio, 0); ++ /* ++ * Error can be -ENOMEM, -ENOENT (no such chunk mapping) or ++ * -EOPNOTSUPP. For any such error, @num_bytes is not updated, ++ * thus we can't continue anyway. ++ */ ++ if (ret < 0) ++ goto out; + ++ stripe = bbio->stripes; + for (i = 0; i < bbio->num_stripes; i++, stripe++) { + u64 bytes; + if (!stripe->dev->can_discard) +@@ -2165,10 +2175,19 @@ int btrfs_discard_extent(struct btrfs_fs + stripe->physical, + stripe->length, + &bytes); +- if (!ret) ++ if (!ret) { + discarded_bytes += bytes; +- else if (ret != -EOPNOTSUPP) +- break; /* Logic errors or -ENOMEM, or -EIO but I don't know how that could happen JDM */ ++ } else if (ret != -EOPNOTSUPP) { ++ /* ++ * Logic errors or -ENOMEM, or -EIO, but ++ * unlikely to happen. ++ * ++ * And since there are two loops, explicitly ++ * go to out to avoid confusion. ++ */ ++ btrfs_put_bbio(bbio); ++ goto out; ++ } + + /* + * Just in case we get back EOPNOTSUPP for some reason, +@@ -2178,7 +2197,9 @@ int btrfs_discard_extent(struct btrfs_fs + ret = 0; + } + btrfs_put_bbio(bbio); ++ cur += num_bytes; + } ++out: + btrfs_bio_counter_dec(fs_info); + + if (actual_bytes) +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -5412,12 +5412,13 @@ void btrfs_put_bbio(struct btrfs_bio *bb + * replace. + */ + static int __btrfs_map_block_for_discard(struct btrfs_fs_info *fs_info, +- u64 logical, u64 length, ++ u64 logical, u64 *length_ret, + struct btrfs_bio **bbio_ret) + { + struct extent_map *em; + struct map_lookup *map; + struct btrfs_bio *bbio; ++ u64 length = *length_ret; + u64 offset; + u64 stripe_nr; + u64 stripe_nr_end; +@@ -5451,6 +5452,7 @@ static int __btrfs_map_block_for_discard + + offset = logical - em->start; + length = min_t(u64, em->start + em->len - logical, length); ++ *length_ret = length; + + stripe_len = map->stripe_len; + /* +@@ -5762,7 +5764,7 @@ static int __btrfs_map_block(struct btrf + + if (op == BTRFS_MAP_DISCARD) + return __btrfs_map_block_for_discard(fs_info, logical, +- *length, bbio_ret); ++ length, bbio_ret); + + em = get_chunk_map(fs_info, logical, *length); + if (IS_ERR(em)) diff --git a/patches.suse/0008-random-move-FIPS-continuous-test-to-output-functions.patch b/patches.suse/0008-random-move-FIPS-continuous-test-to-output-functions.patch new file mode 100644 index 0000000..1b034fc --- /dev/null +++ b/patches.suse/0008-random-move-FIPS-continuous-test-to-output-functions.patch @@ -0,0 +1,165 @@ +From 0c8b22399c344807517f3bf5cdd0a582acaf6d68 Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Tue, 27 Dec 2016 23:29:59 +0100 +Subject: [PATCH 8/8] random: move FIPS continuous test to output functions +Patch-mainline: Never, handled differently +References: bsc#1155334 + +The current location of the FIPS continuous self test covers the +input_pool only. However, the FIPS continuous self test shall cover the +output of the random number generator, i.e. the blocking pool and the +ChaCha20 DRNG. + +This patch therefore moves the continuous test to the output function +used for /dev/random. In addition, it adds the continuous test to the +ChaCha20 output function. + +Signed-off-by: Stephan Mueller +Acked-by: Torsten Duwe +--- + drivers/char/random.c | 71 +++++++++++++++++++++++++++++++-------------------- + 1 file changed, 43 insertions(+), 28 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -415,6 +415,8 @@ struct crng_state { + __u32 state[16]; + unsigned long init_time; + spinlock_t lock; ++ unsigned int last_data_init:1; ++ __u8 last_data[CHACHA20_BLOCK_SIZE]; + }; + + struct crng_state primary_crng = { +@@ -481,7 +483,7 @@ struct entropy_store { + static ssize_t extract_entropy(struct entropy_store *r, void *buf, + size_t nbytes, int min, int rsvd); + static ssize_t _extract_entropy(struct entropy_store *r, void *buf, +- size_t nbytes, int fips); ++ size_t nbytes); + + static void crng_reseed(struct crng_state *crng, struct entropy_store *r); + static void push_to_pool(struct work_struct *work); +@@ -787,7 +789,7 @@ static void crng_initialize(struct crng_ + memcpy(&crng->state[0], "expand 32-byte k", 16); + if (crng == &primary_crng) + _extract_entropy(&input_pool, &crng->state[4], +- sizeof(__u32) * 12, 0); ++ sizeof(__u32) * 12); + else + get_random_bytes(&crng->state[4], sizeof(__u32) * 12); + for (i = 4; i < 16; i++) { +@@ -968,11 +970,25 @@ static void _extract_crng(struct crng_st + time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))) + crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL); + spin_lock_irqsave(&crng->lock, flags); ++ ++ if (fips_enabled && !crng->last_data_init) { ++ crng->last_data_init = 1; ++ chacha20_block(&crng->state[0], out); ++ memcpy(crng->last_data, out, CHACHA20_BLOCK_SIZE); ++ } ++ + if (arch_get_random_long(&v)) + crng->state[14] ^= v; + chacha20_block(&crng->state[0], out); + if (crng->state[12] == 0) + crng->state[13]++; ++ ++ if (fips_enabled) { ++ if (!memcmp(out, crng->last_data, CHACHA20_BLOCK_SIZE)) ++ panic("ChaCha20 RNG duplicated output!\n"); ++ memcpy(crng->last_data, out, CHACHA20_BLOCK_SIZE); ++ } ++ + spin_unlock_irqrestore(&crng->lock, flags); + } + +@@ -1468,22 +1484,14 @@ static void extract_buf(struct entropy_s + } + + static ssize_t _extract_entropy(struct entropy_store *r, void *buf, +- size_t nbytes, int fips) ++ size_t nbytes) + { + ssize_t ret = 0, i; + __u8 tmp[EXTRACT_SIZE]; +- unsigned long flags; + + while (nbytes) { + extract_buf(r, tmp); + +- if (fips) { +- spin_lock_irqsave(&r->lock, flags); +- if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) +- panic("Hardware RNG duplicated output!\n"); +- memcpy(r->last_data, tmp, EXTRACT_SIZE); +- spin_unlock_irqrestore(&r->lock, flags); +- } + i = min_t(int, nbytes, EXTRACT_SIZE); + memcpy(buf, tmp, i); + nbytes -= i; +@@ -1509,7 +1517,22 @@ static ssize_t _extract_entropy(struct e + static ssize_t extract_entropy(struct entropy_store *r, void *buf, + size_t nbytes, int min, int reserved) + { ++ trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_); ++ nbytes = account(r, nbytes, min, reserved); ++ ++ return _extract_entropy(r, buf, nbytes); ++} ++ ++/* ++ * This function extracts randomness from the "entropy pool", and ++ * returns it in a userspace buffer. ++ */ ++static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, ++ size_t nbytes) ++{ ++ ssize_t ret = 0, i; + __u8 tmp[EXTRACT_SIZE]; ++ int large_request = (nbytes > 256); + unsigned long flags; + + /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ +@@ -1528,24 +1551,6 @@ static ssize_t extract_entropy(struct en + spin_unlock_irqrestore(&r->lock, flags); + } + +- trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_); +- xfer_secondary_pool(r, nbytes); +- nbytes = account(r, nbytes, min, reserved); +- +- return _extract_entropy(r, buf, nbytes, fips_enabled); +-} +- +-/* +- * This function extracts randomness from the "entropy pool", and +- * returns it in a userspace buffer. +- */ +-static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +- size_t nbytes) +-{ +- ssize_t ret = 0, i; +- __u8 tmp[EXTRACT_SIZE]; +- int large_request = (nbytes > 256); +- + trace_extract_entropy_user(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_); + xfer_secondary_pool(r, nbytes); + nbytes = account(r, nbytes, 0, 0); +@@ -1561,6 +1566,15 @@ static ssize_t extract_entropy_user(stru + } + + extract_buf(r, tmp); ++ ++ if (fips_enabled) { ++ spin_lock_irqsave(&r->lock, flags); ++ if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) ++ panic("Hardware RNG duplicated output!\n"); ++ memcpy(r->last_data, tmp, EXTRACT_SIZE); ++ spin_unlock_irqrestore(&r->lock, flags); ++ } ++ + i = min_t(int, nbytes, EXTRACT_SIZE); + if (copy_to_user(buf, tmp, i)) { + ret = -EFAULT; diff --git a/patches.suse/ACPI-bus-Fix-NULL-pointer-check-in-acpi_bus_get_priv.patch b/patches.suse/ACPI-bus-Fix-NULL-pointer-check-in-acpi_bus_get_priv.patch new file mode 100644 index 0000000..752db29 --- /dev/null +++ b/patches.suse/ACPI-bus-Fix-NULL-pointer-check-in-acpi_bus_get_priv.patch @@ -0,0 +1,64 @@ +From 627ead724eff33673597216f5020b72118827de4 Mon Sep 17 00:00:00 2001 +From: Vamshi K Sthambamkadi +Date: Thu, 28 Nov 2019 15:58:29 +0530 +Subject: [PATCH] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() +Git-commit: 627ead724eff33673597216f5020b72118827de4 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +kmemleak reported backtrace: + [] kmem_cache_alloc_trace+0x128/0x260 + [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0 + [<1180f4fc>] i2c_register_adapter+0x186/0x400 + [<6083baf7>] i2c_add_adapter+0x4e/0x70 + [] intel_gmbus_setup+0x1a2/0x2c0 [i915] + [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915] + [<81911d4b>] i915_pci_probe+0x48/0x160 [i915] + [<4b159af1>] pci_device_probe+0xdc/0x160 + [] really_probe+0x1ee/0x450 + [] driver_probe_device+0x142/0x1b0 + [] device_driver_attach+0x49/0x50 + [] __driver_attach+0xc9/0x150 + [] bus_for_each_dev+0x56/0xa0 + [<80089bba>] driver_attach+0x19/0x20 + [] bus_add_driver+0x177/0x220 + [<7b29d8c7>] driver_register+0x56/0xf0 + +In i2c_acpi_remove_space_handler(), a leak occurs whenever the +"data" parameter is initialized to 0 before being passed to +acpi_bus_get_private_data(). + +This is because the NULL pointer check in acpi_bus_get_private_data() +(condition->if(!*data)) returns EINVAL and, in consequence, memory is +never freed in i2c_acpi_remove_space_handler(). + +Fix the NULL pointer check in acpi_bus_get_private_data() to follow +the analogous check in acpi_get_data_full(). + +Signed-off-by: Vamshi K Sthambamkadi +[ rjw: Subject & changelog ] + +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Acked-by: Takashi Iwai + +--- + drivers/acpi/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index 48bc96d45bab..54002670cb7a 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -153,7 +153,7 @@ int acpi_bus_get_private_data(acpi_handle handle, void **data) + { + acpi_status status; + +- if (!*data) ++ if (!data) + return -EINVAL; + + status = acpi_get_data(handle, acpi_bus_private_data_handler, data); +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-Downgrade-error-message-for-single-cmd-fall.patch b/patches.suse/ALSA-hda-Downgrade-error-message-for-single-cmd-fall.patch new file mode 100644 index 0000000..5861d78 --- /dev/null +++ b/patches.suse/ALSA-hda-Downgrade-error-message-for-single-cmd-fall.patch @@ -0,0 +1,41 @@ +From 475feec0c41ad71cb7d02f0310e56256606b57c5 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 16 Dec 2019 16:12:24 +0100 +Subject: [PATCH] ALSA: hda - Downgrade error message for single-cmd fallback +Git-commit: 475feec0c41ad71cb7d02f0310e56256606b57c5 +Patch-mainline: v5.5-rc3 +References: git-fixes + +We made the error message for the CORB/RIRB communication clearer by +upgrading to dev_WARN() so that user can notice better. But this +struck us like a boomerang: now it caught syzbot and reported back as +a fatal issue although it's not really any too serious bug that worth +for stopping the whole system. + +OK, OK, let's be softy, downgrade it to the standard dev_err() again. + +Fixes: dd65f7e19c69 ("ALSA: hda - Show the fatal CORB/RIRB error more clearly") +Reported-by: syzbot+b3028ac3933f5c466389@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20191216151224.30013-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_controller.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c +index 2f3b7a35f2d9..ba56b59b3e17 100644 +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -883,7 +883,7 @@ static int azx_rirb_get_response(struct hdac_bus *bus, unsigned int addr, + return -EAGAIN; /* give a chance to retry */ + } + +- dev_WARN(chip->card->dev, ++ dev_err(chip->card->dev, + "azx_get_response timeout, switching to single_cmd mode: last cmd=0x%08x\n", + bus->last_cmd[addr]); + chip->single_cmd = 1; +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-ca0132-Avoid-endless-loop.patch b/patches.suse/ALSA-hda-ca0132-Avoid-endless-loop.patch new file mode 100644 index 0000000..bde56e8 --- /dev/null +++ b/patches.suse/ALSA-hda-ca0132-Avoid-endless-loop.patch @@ -0,0 +1,45 @@ +From cb04fc3b6b076f67d228a0b7d096c69ad486c09c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 13 Dec 2019 09:51:10 +0100 +Subject: [PATCH] ALSA: hda/ca0132 - Avoid endless loop +Git-commit: cb04fc3b6b076f67d228a0b7d096c69ad486c09c +Patch-mainline: v5.5-rc3 +References: git-fixes + +Introduce a timeout to dspio_clear_response_queue() so that it won't +be caught in an endless loop even if the hardware doesn't respond +properly. + +Fixes: a73d511c4867 ("ALSA: hda/ca0132: Add unsol handler for DSP and jack detection") +Cc: +Link: https://lore.kernel.org/r/20191213085111.22855-3-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_ca0132.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index c3d34ff3d9ec..8d0209fff8f5 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1809,13 +1809,14 @@ struct scp_msg { + + static void dspio_clear_response_queue(struct hda_codec *codec) + { ++ unsigned long timeout = jiffies + msecs_to_jiffies(1000); + unsigned int dummy = 0; +- int status = -1; ++ int status; + + /* clear all from the response queue */ + do { + status = dspio_read(codec, &dummy); +- } while (status == 0); ++ } while (status == 0 && time_before(jiffies, timeout)); + } + + static int dspio_get_response_data(struct hda_codec *codec) +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-ca0132-Fix-work-handling-in-delayed-HP-dete.patch b/patches.suse/ALSA-hda-ca0132-Fix-work-handling-in-delayed-HP-dete.patch new file mode 100644 index 0000000..926f294 --- /dev/null +++ b/patches.suse/ALSA-hda-ca0132-Fix-work-handling-in-delayed-HP-dete.patch @@ -0,0 +1,68 @@ +From 42fb6b1d41eb5905d77c06cad2e87b70289bdb76 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 13 Dec 2019 09:51:11 +0100 +Subject: [PATCH] ALSA: hda/ca0132 - Fix work handling in delayed HP detection +Git-commit: 42fb6b1d41eb5905d77c06cad2e87b70289bdb76 +Patch-mainline: v5.5-rc3 +References: git-fixes + +CA0132 has the delayed HP jack detection code that is invoked from the +unsol handler, but it does a few weird things: it contains the cancel +of a work inside the work handler, and yet it misses the cancel-sync +call at (runtime-)suspend. This patch addresses those issues. + +Fixes: 15c2b3cc09a3 ("ALSA: hda/ca0132 - Fix possible workqueue stall") +Cc: +Link: https://lore.kernel.org/r/20191213085111.22855-4-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_ca0132.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 8d0209fff8f5..32ed46464af7 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -7607,11 +7607,10 @@ static void hp_callback(struct hda_codec *codec, struct hda_jack_callback *cb) + /* Delay enabling the HP amp, to let the mic-detection + * state machine run. + */ +- cancel_delayed_work(&spec->unsol_hp_work); +- schedule_delayed_work(&spec->unsol_hp_work, msecs_to_jiffies(500)); + tbl = snd_hda_jack_tbl_get(codec, cb->nid); + if (tbl) + tbl->block_report = 1; ++ schedule_delayed_work(&spec->unsol_hp_work, msecs_to_jiffies(500)); + } + + static void amic_callback(struct hda_codec *codec, struct hda_jack_callback *cb) +@@ -8457,12 +8456,25 @@ static void ca0132_reboot_notify(struct hda_codec *codec) + codec->patch_ops.free(codec); + } + ++#ifdef CONFIG_PM ++static int ca0132_suspend(struct hda_codec *codec) ++{ ++ struct ca0132_spec *spec = codec->spec; ++ ++ cancel_delayed_work_sync(&spec->unsol_hp_work); ++ return 0; ++} ++#endif ++ + static const struct hda_codec_ops ca0132_patch_ops = { + .build_controls = ca0132_build_controls, + .build_pcms = ca0132_build_pcms, + .init = ca0132_init, + .free = ca0132_free, + .unsol_event = snd_hda_jack_unsol_event, ++#ifdef CONFIG_PM ++ .suspend = ca0132_suspend, ++#endif + .reboot_notify = ca0132_reboot_notify, + }; + +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-ca0132-Keep-power-on-during-processing-DSP-.patch b/patches.suse/ALSA-hda-ca0132-Keep-power-on-during-processing-DSP-.patch new file mode 100644 index 0000000..44d364d --- /dev/null +++ b/patches.suse/ALSA-hda-ca0132-Keep-power-on-during-processing-DSP-.patch @@ -0,0 +1,44 @@ +From 377bc0cfabce0244632dada19060839ced4e6949 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 13 Dec 2019 09:51:09 +0100 +Subject: [PATCH] ALSA: hda/ca0132 - Keep power on during processing DSP response +Git-commit: 377bc0cfabce0244632dada19060839ced4e6949 +Patch-mainline: v5.5-rc3 +References: git-fixes + +We need to keep power on while processing the DSP response via unsol +event. Each snd_hda_codec_read() call does the power management, so +it should work normally, but still it's safer to keep the power up for +the whole function. + +Fixes: a73d511c4867 ("ALSA: hda/ca0132: Add unsol handler for DSP and jack detection") +Cc: +Link: https://lore.kernel.org/r/20191213085111.22855-2-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_ca0132.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index b7a1abb3e231..c3d34ff3d9ec 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -7588,12 +7588,14 @@ static void ca0132_process_dsp_response(struct hda_codec *codec, + struct ca0132_spec *spec = codec->spec; + + codec_dbg(codec, "ca0132_process_dsp_response\n"); ++ snd_hda_power_up_pm(codec); + if (spec->wait_scp) { + if (dspio_get_response_data(codec) >= 0) + spec->wait_scp = 0; + } + + dspio_clear_response_queue(codec); ++ snd_hda_power_down_pm(codec); + } + + static void hp_callback(struct hda_codec *codec, struct hda_jack_callback *cb) +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-hdmi-fix-atpx_present-when-CLASS-is-not-VGA.patch b/patches.suse/ALSA-hda-hdmi-fix-atpx_present-when-CLASS-is-not-VGA.patch new file mode 100644 index 0000000..8d24084 --- /dev/null +++ b/patches.suse/ALSA-hda-hdmi-fix-atpx_present-when-CLASS-is-not-VGA.patch @@ -0,0 +1,47 @@ +From 8cc0991c09bfd11fd878b0321a7a06724520d879 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 20 Dec 2019 19:17:02 -0500 +Subject: [PATCH] ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA +Git-commit: 8cc0991c09bfd11fd878b0321a7a06724520d879 +Patch-mainline: v5.5-rc5 +References: bsc#1051510 + +You can't use PCI_BASE_CLASS with pci_get_class(). This +happens to work by luck on devices with PCI_CLASS_DISPLAY_VGA, but +misses PCI_CLASS_DISPLAY_OTHER. Add a check for those as well. + +Fixes: 586bc4aab878 ("ALSA: hda/hdmi - fix vgaswitcheroo detection for AMD") +Signed-off-by: Alex Deucher +Link: https://lore.kernel.org/r/20191221001702.1338587-1-alexander.deucher@amd.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/hda_intel.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index b856b89378ac..f69c8de64bd6 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -1410,7 +1410,17 @@ static bool atpx_present(void) + acpi_handle dhandle, atpx_handle; + acpi_status status; + +- while ((pdev = pci_get_class(PCI_BASE_CLASS_DISPLAY << 16, pdev)) != NULL) { ++ while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev)) != NULL) { ++ dhandle = ACPI_HANDLE(&pdev->dev); ++ if (dhandle) { ++ status = acpi_get_handle(dhandle, "ATPX", &atpx_handle); ++ if (!ACPI_FAILURE(status)) { ++ pci_dev_put(pdev); ++ return true; ++ } ++ } ++ } ++ while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_OTHER << 8, pdev)) != NULL) { + dhandle = ACPI_HANDLE(&pdev->dev); + if (dhandle) { + status = acpi_get_handle(dhandle, "ATPX", &atpx_handle); +-- +2.16.4 + diff --git a/patches.suse/ALSA-hda-realtek-Add-headset-Mic-no-shutup-for-ALC28.patch b/patches.suse/ALSA-hda-realtek-Add-headset-Mic-no-shutup-for-ALC28.patch new file mode 100644 index 0000000..e12bdac --- /dev/null +++ b/patches.suse/ALSA-hda-realtek-Add-headset-Mic-no-shutup-for-ALC28.patch @@ -0,0 +1,35 @@ +From 66c5d718e5a6f80153b5e8d6ad8ba8e9c3320839 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Mon, 9 Dec 2019 15:56:15 +0800 +Subject: [PATCH] ALSA: hda/realtek - Add headset Mic no shutup for ALC283 +Git-commit: 66c5d718e5a6f80153b5e8d6ad8ba8e9c3320839 +Patch-mainline: v5.5-rc5 +References: bsc#1051510 + +Chrome machine had humming noise from external speaker plugin at +codec D3 state. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/2692449396954c6c968f5b75e2660358@realtek.com +Signed-off-by: Takashi Iwai + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index dbfafee97931..5bc1a6d24333 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -501,6 +501,7 @@ static void alc_shutup_pins(struct hda_codec *codec) + struct alc_spec *spec = codec->spec; + + switch (codec->core.vendor_id) { ++ case 0x10ec0283: + case 0x10ec0286: + case 0x10ec0288: + case 0x10ec0298: +-- +2.16.4 + diff --git a/patches.suse/ALSA-ice1724-Fix-sleep-in-atomic-in-Infrasonic-Quart.patch b/patches.suse/ALSA-ice1724-Fix-sleep-in-atomic-in-Infrasonic-Quart.patch new file mode 100644 index 0000000..127f013 --- /dev/null +++ b/patches.suse/ALSA-ice1724-Fix-sleep-in-atomic-in-Infrasonic-Quart.patch @@ -0,0 +1,68 @@ +From 0aec96f5897ac16ad9945f531b4bef9a2edd2ebd Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 18 Dec 2019 20:26:06 +0100 +Subject: [PATCH] ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet + support code +Git-commit: 0aec96f5897ac16ad9945f531b4bef9a2edd2ebd +Patch-mainline: v5.5-rc5 +References: bsc#1051510 + +Jia-Ju Bai reported a possible sleep-in-atomic scenario in the ice1724 +driver with Infrasonic Quartet support code: namely, ice->set_rate +callback gets called inside ice->reg_lock spinlock, while the callback +in quartet.c holds ice->gpio_mutex. + +This patch fixes the invalid call: it simply moves the calls of +ice->set_rate and ice->set_mclk callbacks outside the spinlock. + +Reported-by: Jia-Ju Bai +Cc: +Link: https://lore.kernel.org/r/5d43135e-73b9-a46a-2155-9e91d0dcdf83@gmail.com +Link: https://lore.kernel.org/r/20191218192606.12866-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/pci/ice1712/ice1724.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/sound/pci/ice1712/ice1724.c b/sound/pci/ice1712/ice1724.c +index c80a16ee6e76..242542e23d28 100644 +--- a/sound/pci/ice1712/ice1724.c ++++ b/sound/pci/ice1712/ice1724.c +@@ -647,6 +647,7 @@ static int snd_vt1724_set_pro_rate(struct snd_ice1712 *ice, unsigned int rate, + unsigned long flags; + unsigned char mclk_change; + unsigned int i, old_rate; ++ bool call_set_rate = false; + + if (rate > ice->hw_rates->list[ice->hw_rates->count - 1]) + return -EINVAL; +@@ -670,7 +671,7 @@ static int snd_vt1724_set_pro_rate(struct snd_ice1712 *ice, unsigned int rate, + * setting clock rate for internal clock mode */ + old_rate = ice->get_rate(ice); + if (force || (old_rate != rate)) +- ice->set_rate(ice, rate); ++ call_set_rate = true; + else if (rate == ice->cur_rate) { + spin_unlock_irqrestore(&ice->reg_lock, flags); + return 0; +@@ -678,12 +679,14 @@ static int snd_vt1724_set_pro_rate(struct snd_ice1712 *ice, unsigned int rate, + } + + ice->cur_rate = rate; ++ spin_unlock_irqrestore(&ice->reg_lock, flags); ++ ++ if (call_set_rate) ++ ice->set_rate(ice, rate); + + /* setting master clock */ + mclk_change = ice->set_mclk(ice, rate); + +- spin_unlock_irqrestore(&ice->reg_lock, flags); +- + if (mclk_change && ice->gpio.i2s_mclk_changed) + ice->gpio.i2s_mclk_changed(ice); + if (ice->gpio.set_pro_rate) +-- +2.16.4 + diff --git a/patches.suse/ALSA-pcm-Avoid-possible-info-leaks-from-PCM-stream-b.patch b/patches.suse/ALSA-pcm-Avoid-possible-info-leaks-from-PCM-stream-b.patch new file mode 100644 index 0000000..68ad692 --- /dev/null +++ b/patches.suse/ALSA-pcm-Avoid-possible-info-leaks-from-PCM-stream-b.patch @@ -0,0 +1,41 @@ +From add9d56d7b3781532208afbff5509d7382fb6efe Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 11 Dec 2019 16:57:42 +0100 +Subject: [PATCH] ALSA: pcm: Avoid possible info leaks from PCM stream buffers +Git-commit: add9d56d7b3781532208afbff5509d7382fb6efe +Patch-mainline: v5.5-rc3 +References: git-fixes + +The current PCM code doesn't initialize explicitly the buffers +allocated for PCM streams, hence it might leak some uninitialized +kernel data or previous stream contents by mmapping or reading the +buffer before actually starting the stream. + +Since this is a common problem, this patch simply adds the clearance +of the buffer data at hw_params callback. Although this does only +zero-clear no matter which format is used, which doesn't mean the +silence for some formats, but it should be OK because the intention is +just to clear the previous data on the buffer. + +Reported-by: Lionel Koenig +Cc: +Link: https://lore.kernel.org/r/20191211155742.3213-1-tiwai@suse.de +Signed-off-by: Takashi Iwai + +--- + sound/core/pcm_native.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -592,6 +592,10 @@ static int snd_pcm_hw_params(struct snd_ + while (runtime->boundary * 2 <= LONG_MAX - runtime->buffer_size) + runtime->boundary *= 2; + ++ /* clear the buffer for avoiding possible kernel info leaks */ ++ if (runtime->dma_area && !substream->ops->copy_user) ++ memset(runtime->dma_area, 0, runtime->dma_bytes); ++ + snd_pcm_timer_resolution_change(substream); + snd_pcm_set_state(substream, SNDRV_PCM_STATE_SETUP); + diff --git a/patches.suse/ALSA-usb-audio-fix-set_format-altsetting-sanity-chec.patch b/patches.suse/ALSA-usb-audio-fix-set_format-altsetting-sanity-chec.patch new file mode 100644 index 0000000..aef375b --- /dev/null +++ b/patches.suse/ALSA-usb-audio-fix-set_format-altsetting-sanity-chec.patch @@ -0,0 +1,40 @@ +From 0141254b0a74b37aa7eb13d42a56adba84d51c73 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 20 Dec 2019 10:31:34 +0100 +Subject: [PATCH] ALSA: usb-audio: fix set_format altsetting sanity check +Git-commit: 0141254b0a74b37aa7eb13d42a56adba84d51c73 +Patch-mainline: v5.5-rc5 +References: bsc#1051510 + +Make sure to check the return value of usb_altnum_to_altsetting() to +avoid dereferencing a NULL pointer when the requested alternate settings +is missing. + +The format altsetting number may come from a quirk table and there does +not seem to be any other validation of it (the corresponding index is +checked however). + +Fixes: b099b9693d23 ("ALSA: usb-audio: Avoid superfluous usb_set_interface() calls") +Cc: stable # 4.18 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191220093134.1248-1-johan@kernel.org +Signed-off-by: Takashi Iwai + +--- + sound/usb/pcm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -511,9 +511,9 @@ static int set_format(struct snd_usb_sub + if (WARN_ON(!iface)) + return -EINVAL; + alts = usb_altnum_to_altsetting(iface, fmt->altsetting); +- altsd = get_iface_desc(alts); +- if (WARN_ON(altsd->bAlternateSetting != fmt->altsetting)) ++ if (WARN_ON(!alts)) + return -EINVAL; ++ altsd = get_iface_desc(alts); + + if (fmt == subs->cur_audiofmt) + return 0; diff --git a/patches.suse/ASoC-Jack-Fix-NULL-pointer-dereference-in-snd_soc_ja.patch b/patches.suse/ASoC-Jack-Fix-NULL-pointer-dereference-in-snd_soc_ja.patch new file mode 100644 index 0000000..03bf289 --- /dev/null +++ b/patches.suse/ASoC-Jack-Fix-NULL-pointer-dereference-in-snd_soc_ja.patch @@ -0,0 +1,41 @@ +From 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f Mon Sep 17 00:00:00 2001 +From: Pawel Harlozinski +Date: Tue, 12 Nov 2019 14:02:36 +0100 +Subject: [PATCH] ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report +Git-commit: 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +Check for existance of jack before tracing. +NULL pointer dereference has been reported by KASAN while unloading +machine driver (snd_soc_cnl_rt274). + +Signed-off-by: Pawel Harlozinski +Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + sound/soc/soc-jack.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/soc-jack.c b/sound/soc/soc-jack.c +index a71d2340eb05..b5748dcd490f 100644 +--- a/sound/soc/soc-jack.c ++++ b/sound/soc/soc-jack.c +@@ -82,10 +82,9 @@ void snd_soc_jack_report(struct snd_soc_jack *jack, int status, int mask) + unsigned int sync = 0; + int enable; + +- trace_snd_soc_jack_report(jack, mask, status); +- + if (!jack) + return; ++ trace_snd_soc_jack_report(jack, mask, status); + + dapm = &jack->card->dapm; + +-- +2.16.4 + diff --git a/patches.suse/ASoC-wm8962-fix-lambda-value.patch b/patches.suse/ASoC-wm8962-fix-lambda-value.patch new file mode 100644 index 0000000..808991e --- /dev/null +++ b/patches.suse/ASoC-wm8962-fix-lambda-value.patch @@ -0,0 +1,47 @@ +From 556672d75ff486e0b6786056da624131679e0576 Mon Sep 17 00:00:00 2001 +From: Shengjiu Wang +Date: Wed, 11 Dec 2019 19:57:22 +0800 +Subject: [PATCH] ASoC: wm8962: fix lambda value +Git-commit: 556672d75ff486e0b6786056da624131679e0576 +Patch-mainline: v5.5-rc3 +References: git-fixes + +According to user manual, it is required that FLL_LAMBDA > 0 +in all cases (Integer and Franctional modes). + +Fixes: 9a76f1ff6e29 ("ASoC: Add initial WM8962 CODEC driver") +Signed-off-by: Shengjiu Wang +Acked-by: Charles Keepax +Link: https://lore.kernel.org/r/1576065442-19763-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Acked-by: Takashi Iwai + +--- + sound/soc/codecs/wm8962.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c +index 3e5c69fbc33a..d9d59f45833f 100644 +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -2788,7 +2788,7 @@ static int fll_factors(struct _fll_div *fll_div, unsigned int Fref, + + if (target % Fref == 0) { + fll_div->theta = 0; +- fll_div->lambda = 0; ++ fll_div->lambda = 1; + } else { + gcd_fll = gcd(target, fratio * Fref); + +@@ -2858,7 +2858,7 @@ static int wm8962_set_fll(struct snd_soc_component *component, int fll_id, int s + return -EINVAL; + } + +- if (fll_div.theta || fll_div.lambda) ++ if (fll_div.theta) + fll1 |= WM8962_FLL_FRAC; + + /* Stop the FLL while we reconfigure */ +-- +2.16.4 + diff --git a/patches.suse/Btrfs-avoid-fallback-to-transaction-commit-during-fs.patch b/patches.suse/Btrfs-avoid-fallback-to-transaction-commit-during-fs.patch new file mode 100644 index 0000000..79d6758 --- /dev/null +++ b/patches.suse/Btrfs-avoid-fallback-to-transaction-commit-during-fs.patch @@ -0,0 +1,86 @@ +From: Filipe Manana +Date: Mon, 6 May 2019 16:43:51 +0100 +Git-commit: ebb929060aeb162417b4c1307e63daee47b208d9 +Patch-mainline: 5.2 +Subject: [PATCH] Btrfs: avoid fallback to transaction commit during fsync of + files with holes +References: bsc#1159569 + +When we are doing a full fsync (bit BTRFS_INODE_NEEDS_FULL_SYNC set) of a +file that has holes and has file extent items spanning two or more leafs, +we can end up falling to back to a full transaction commit due to a logic +bug that leads to failure to insert a duplicate file extent item that is +meant to represent a hole between the last file extent item of a leaf and +the first file extent item in the next leaf. The failure (EEXIST error) +leads to a transaction commit (as most errors when logging an inode do). + +For example, we have the two following leafs: + +Leaf N: + + ----------------------------------------------- + | ..., ..., ..., (257, FILE_EXTENT_ITEM, 64K) | + ----------------------------------------------- + The file extent item at the end of leaf N has a length of 4Kb, + representing the file range from 64K to 68K - 1. + +Leaf N + 1: + + ----------------------------------------------- + | (257, FILE_EXTENT_ITEM, 72K), ..., ..., ... | + ----------------------------------------------- + The file extent item at the first slot of leaf N + 1 has a length of + 4Kb too, representing the file range from 72K to 76K - 1. + +During the full fsync path, when we are at tree-log.c:copy_items() with +leaf N as a parameter, after processing the last file extent item, that +represents the extent at offset 64K, we take a look at the first file +extent item at the next leaf (leaf N + 1), and notice there's a 4K hole +between the two extents, and therefore we insert a file extent item +representing that hole, starting at file offset 68K and ending at offset +72K - 1. However we don't update the value of *last_extent, which is used +to represent the end offset (plus 1, non-inclusive end) of the last file +extent item inserted in the log, so it stays with a value of 68K and not +with a value of 72K. + +Then, when copy_items() is called for leaf N + 1, because the value of +*last_extent is smaller then the offset of the first extent item in the +leaf (68K < 72K), we look at the last file extent item in the previous +leaf (leaf N) and see it there's a 4K gap between it and our first file +extent item (again, 68K < 72K), so we decide to insert a file extent item +representing the hole, starting at file offset 68K and ending at offset +72K - 1, this insertion will fail with -EEXIST being returned from +btrfs_insert_file_extent() because we already inserted a file extent item +representing a hole for this offset (68K) in the previous call to +copy_items(), when processing leaf N. + +The -EEXIST error gets propagated to the fsync callback, btrfs_sync_file(), +which falls back to a full transaction commit. + +Fix this by adjusting *last_extent after inserting a hole when we had to +look at the next leaf. + +Fixes: 4ee3fad34a9c ("Btrfs: fix fsync after hole punching when using no-holes feature") +Cc: stable@vger.kernel.org # 4.14+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +--- + fs/btrfs/tree-log.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 4bc1d5999931..a3b99e7d0730 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4263,6 +4263,7 @@ static noinline int copy_items(struct btrfs_trans_handle *trans, + *last_extent, 0, + 0, len, 0, len, + 0, 0, 0); ++ *last_extent += len; + } + } + } +-- +2.16.4 + diff --git a/patches.suse/CDC-NCM-handle-incomplete-transfer-of-MTU.patch b/patches.suse/CDC-NCM-handle-incomplete-transfer-of-MTU.patch new file mode 100644 index 0000000..0c2b78a --- /dev/null +++ b/patches.suse/CDC-NCM-handle-incomplete-transfer-of-MTU.patch @@ -0,0 +1,44 @@ +From: Oliver Neukum +Date: Thu, 7 Nov 2019 09:48:01 +0100 +Subject: CDC-NCM: handle incomplete transfer of MTU +Git-commit: 332f989a3b0041b810836c5c3747e59aad7e9d0b +Patch-mainline: 5.4-rc7 +References: networking-stable-19_11_10 + +A malicious device may give half an answer when asked +for its MTU. The driver will proceed after this with +a garbage MTU. Anything but a complete answer must be treated +as an error. + +V2: used sizeof as request by Alexander + +Reported-and-tested-by: syzbot+0631d878823ce2411636@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/usb/cdc_ncm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -576,8 +576,8 @@ static void cdc_ncm_set_dgram_size(struc + /* read current mtu value from device */ + err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE, + USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE, +- 0, iface_no, &max_datagram_size, 2); +- if (err < 0) { ++ 0, iface_no, &max_datagram_size, sizeof(max_datagram_size)); ++ if (err < sizeof(max_datagram_size)) { + dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n"); + goto out; + } +@@ -588,7 +588,7 @@ static void cdc_ncm_set_dgram_size(struc + max_datagram_size = cpu_to_le16(ctx->max_datagram_size); + err = usbnet_write_cmd(dev, USB_CDC_SET_MAX_DATAGRAM_SIZE, + USB_TYPE_CLASS | USB_DIR_OUT | USB_RECIP_INTERFACE, +- 0, iface_no, &max_datagram_size, 2); ++ 0, iface_no, &max_datagram_size, sizeof(max_datagram_size)); + if (err < 0) + dev_dbg(&dev->intf->dev, "SET_MAX_DATAGRAM_SIZE failed\n"); + diff --git a/patches.suse/IB-mlx5-Fix-steering-rule-of-drop-and-count.patch b/patches.suse/IB-mlx5-Fix-steering-rule-of-drop-and-count.patch new file mode 100644 index 0000000..1d04e8c --- /dev/null +++ b/patches.suse/IB-mlx5-Fix-steering-rule-of-drop-and-count.patch @@ -0,0 +1,58 @@ +From: Maor Gottlieb +Date: Thu, 12 Dec 2019 11:12:14 +0200 +Subject: IB/mlx5: Fix steering rule of drop and count +Patch-mainline: v5.5-rc2 +Git-commit: ed9085fed9d95d5921582e3c8474f3736c5d2782 +References: bsc#1103991 FATE#326007 + +There are two flow rule destinations: QP and packet. While users are +setting DROP packet rule, the QP should not be set as a destination. + +Fixes: 3b3233fbf02e ("IB/mlx5: Add flow counters binding support") +Signed-off-by: Maor Gottlieb +Reviewed-by: Raed Salem +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20191212091214.315005-4-leon@kernel.org +Signed-off-by: Doug Ledford +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/hw/mlx5/main.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -3257,10 +3257,6 @@ static struct mlx5_ib_flow_handler *_cre + } + + INIT_LIST_HEAD(&handler->list); +- if (dst) { +- memcpy(&dest_arr[0], dst, sizeof(*dst)); +- dest_num++; +- } + + for (spec_index = 0; spec_index < flow_attr->num_of_specs; spec_index++) { + err = parse_flow_attr(dev->mdev, spec->match_criteria, +@@ -3274,6 +3270,11 @@ static struct mlx5_ib_flow_handler *_cre + ib_flow += ((union ib_flow_spec *)ib_flow)->size; + } + ++ if (dst && !(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP)) { ++ memcpy(&dest_arr[0], dst, sizeof(*dst)); ++ dest_num++; ++ } ++ + if (!flow_is_multicast_only(flow_attr)) + set_underlay_qp(dev, spec, underlay_qpn); + +@@ -3314,10 +3315,8 @@ static struct mlx5_ib_flow_handler *_cre + } + + if (flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP) { +- if (!(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_COUNT)) { ++ if (!dest_num) + rule_dst = NULL; +- dest_num = 0; +- } + } else { + if (is_egress) + flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_ALLOW; diff --git a/patches.suse/IB-mlx5-Remove-dead-code.patch b/patches.suse/IB-mlx5-Remove-dead-code.patch new file mode 100644 index 0000000..4893dbb --- /dev/null +++ b/patches.suse/IB-mlx5-Remove-dead-code.patch @@ -0,0 +1,57 @@ +From: Ran Rozenstein +Date: Sun, 20 Oct 2019 09:44:54 +0300 +Subject: IB/mlx5: Remove dead code +Patch-mainline: v5.5-rc1 +Git-commit: 68abaa765e410dc1583de1fa285ec7b0c58c6252 +References: bsc#1103991 FATE#326007 + +mlx5_ib_dc_atomic_is_supported function is not used anywhere. Remove the +dead code. + +Fixes: a60109dc9a95 ("IB/mlx5: Add support for extended atomic operations") +Link: https://lore.kernel.org/r/20191020064454.8551-1-leon@kernel.org +Signed-off-by: Ran Rozenstein +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/hw/mlx5/main.c | 15 --------------- + drivers/infiniband/hw/mlx5/mlx5_ib.h | 1 - + 2 files changed, 16 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -588,21 +588,6 @@ static void get_atomic_caps_qp(struct ml + get_atomic_caps(dev, atomic_size_qp, props); + } + +-static void get_atomic_caps_dc(struct mlx5_ib_dev *dev, +- struct ib_device_attr *props) +-{ +- u8 atomic_size_qp = MLX5_CAP_ATOMIC(dev->mdev, atomic_size_dc); +- +- get_atomic_caps(dev, atomic_size_qp, props); +-} +- +-bool mlx5_ib_dc_atomic_is_supported(struct mlx5_ib_dev *dev) +-{ +- struct ib_device_attr props = {}; +- +- get_atomic_caps_dc(dev, &props); +- return (props.atomic_cap == IB_ATOMIC_HCA) ? true : false; +-} + static int mlx5_query_system_image_guid(struct ib_device *ibdev, + __be64 *sys_image_guid) + { +--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h ++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h +@@ -1147,7 +1147,6 @@ struct ib_rwq_ind_table *mlx5_ib_create_ + struct ib_rwq_ind_table_init_attr *init_attr, + struct ib_udata *udata); + int mlx5_ib_destroy_rwq_ind_table(struct ib_rwq_ind_table *wq_ind_table); +-bool mlx5_ib_dc_atomic_is_supported(struct mlx5_ib_dev *dev); + struct ib_dm *mlx5_ib_alloc_dm(struct ib_device *ibdev, + struct ib_ucontext *context, + struct ib_dm_alloc_attr *attr, diff --git a/patches.suse/Input-cyttsp4_core-fix-use-after-free-bug.patch b/patches.suse/Input-cyttsp4_core-fix-use-after-free-bug.patch new file mode 100644 index 0000000..4b11a18 --- /dev/null +++ b/patches.suse/Input-cyttsp4_core-fix-use-after-free-bug.patch @@ -0,0 +1,51 @@ +From 79aae6acbef16f720a7949f8fc6ac69816c79d62 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Tue, 12 Nov 2019 17:04:54 -0800 +Subject: [PATCH] Input: cyttsp4_core - fix use after free bug +Git-commit: 79aae6acbef16f720a7949f8fc6ac69816c79d62 +Patch-mainline: v5.4-rc8 +References: bsc#1051510 + +The device md->input is used after it is released. Setting the device +data to NULL is unnecessary as the device is never used again. Instead, +md->input should be assigned NULL to avoid accessing the freed memory +accidently. Besides, checking md->si against NULL is superfluous as it +points to a variable address, which cannot be NULL. + +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/1572936379-6423-1-git-send-email-bianpan2016@163.com +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/touchscreen/cyttsp4_core.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/input/touchscreen/cyttsp4_core.c b/drivers/input/touchscreen/cyttsp4_core.c +index 4b22d49a0f49..6bcffc930384 100644 +--- a/drivers/input/touchscreen/cyttsp4_core.c ++++ b/drivers/input/touchscreen/cyttsp4_core.c +@@ -1990,11 +1990,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd) + + /* get sysinfo */ + md->si = &cd->sysinfo; +- if (!md->si) { +- dev_err(dev, "%s: Fail get sysinfo pointer from core p=%p\n", +- __func__, md->si); +- goto error_get_sysinfo; +- } + + rc = cyttsp4_setup_input_device(cd); + if (rc) +@@ -2004,8 +1999,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd) + + error_init_input: + input_free_device(md->input); +-error_get_sysinfo: +- input_set_drvdata(md->input, NULL); + error_alloc_failed: + dev_err(dev, "%s failed.\n", __func__); + return rc; +-- +2.16.4 + diff --git a/patches.suse/Input-goodix-add-upside-down-quirk-for-Teclast-X89-t.patch b/patches.suse/Input-goodix-add-upside-down-quirk-for-Teclast-X89-t.patch new file mode 100644 index 0000000..dff7e4f --- /dev/null +++ b/patches.suse/Input-goodix-add-upside-down-quirk-for-Teclast-X89-t.patch @@ -0,0 +1,47 @@ +From df5b5e555b356662a5e4a23c6774fdfce8547d54 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 2 Dec 2019 09:36:15 -0800 +Subject: [PATCH] Input: goodix - add upside-down quirk for Teclast X89 tablet +Git-commit: df5b5e555b356662a5e4a23c6774fdfce8547d54 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +The touchscreen on the Teclast X89 is mounted upside down in relation to +the display orientation (the touchscreen itself is mounted upright, but the +display is mounted upside-down). Add a quirk for this so that we send +coordinates which match the display orientation. + +Signed-off-by: Hans de Goede +Reviewed-by: Bastien Nocera +Link: https://lore.kernel.org/r/20191202085636.6650-1-hdegoede@redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/touchscreen/goodix.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/input/touchscreen/goodix.c b/drivers/input/touchscreen/goodix.c +index fb43aa708660..0403102e807e 100644 +--- a/drivers/input/touchscreen/goodix.c ++++ b/drivers/input/touchscreen/goodix.c +@@ -128,6 +128,15 @@ static const unsigned long goodix_irq_flags[] = { + */ + static const struct dmi_system_id rotated_screen[] = { + #if defined(CONFIG_DMI) && defined(CONFIG_X86) ++ { ++ .ident = "Teclast X89", ++ .matches = { ++ /* tPAD is too generic, also match on bios date */ ++ DMI_MATCH(DMI_BOARD_VENDOR, "TECLAST"), ++ DMI_MATCH(DMI_BOARD_NAME, "tPAD"), ++ DMI_MATCH(DMI_BIOS_DATE, "12/19/2014"), ++ }, ++ }, + { + .ident = "WinBook TW100", + .matches = { +-- +2.16.4 + diff --git a/patches.suse/Input-synaptics-rmi4-don-t-increment-rmiaddr-for-SMB.patch b/patches.suse/Input-synaptics-rmi4-don-t-increment-rmiaddr-for-SMB.patch new file mode 100644 index 0000000..8510709 --- /dev/null +++ b/patches.suse/Input-synaptics-rmi4-don-t-increment-rmiaddr-for-SMB.patch @@ -0,0 +1,63 @@ +From a284e11c371e446371675668d8c8120a27227339 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 2 Dec 2019 10:08:12 -0800 +Subject: [PATCH] Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers +Git-commit: a284e11c371e446371675668d8c8120a27227339 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +This increment of rmi_smbus in rmi_smb_read/write_block() causes +garbage to be read/written. + +The first read of SMB_MAX_COUNT bytes is fine, but after that +it is nonsense. Trial-and-error showed that by dropping the +increment of rmiaddr everything is fine and the F54 function +properly works. + +I tried a hack with rmi_smb_write_block() as well (writing to the +same F54 touchpad data area, then reading it back), and that +suggests that there too the rmiaddr increment has to be dropped. +It makes sense that if it has to be dropped for read, then it has +to be dropped for write as well. + +It looks like the initial work with F54 was done using i2c, not smbus, +and it seems nobody ever tested F54 with smbus. The other functions +all read/write less than SMB_MAX_COUNT as far as I can tell, so this +issue was never noticed with non-F54 functions. + +With this change I can read out the touchpad data correctly on my +Lenovo X1 Carbon 6th Gen laptop. + +Signed-off-by: Hans Verkuil +Link: https://lore.kernel.org/r/8dd22e21-4933-8e9c-a696-d281872c8de7@xs4all.nl +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/rmi4/rmi_smbus.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/input/rmi4/rmi_smbus.c b/drivers/input/rmi4/rmi_smbus.c +index 2407ea43de59..b313c579914f 100644 +--- a/drivers/input/rmi4/rmi_smbus.c ++++ b/drivers/input/rmi4/rmi_smbus.c +@@ -163,7 +163,6 @@ static int rmi_smb_write_block(struct rmi_transport_dev *xport, u16 rmiaddr, + /* prepare to write next block of bytes */ + cur_len -= SMB_MAX_COUNT; + databuff += SMB_MAX_COUNT; +- rmiaddr += SMB_MAX_COUNT; + } + exit: + mutex_unlock(&rmi_smb->page_mutex); +@@ -215,7 +214,6 @@ static int rmi_smb_read_block(struct rmi_transport_dev *xport, u16 rmiaddr, + /* prepare to read next block of bytes */ + cur_len -= SMB_MAX_COUNT; + databuff += SMB_MAX_COUNT; +- rmiaddr += SMB_MAX_COUNT; + } + + retval = 0; +-- +2.16.4 + diff --git a/patches.suse/Input-synaptics-switch-another-X1-Carbon-6-to-RMI-SM.patch b/patches.suse/Input-synaptics-switch-another-X1-Carbon-6-to-RMI-SM.patch new file mode 100644 index 0000000..4c0934e --- /dev/null +++ b/patches.suse/Input-synaptics-switch-another-X1-Carbon-6-to-RMI-SM.patch @@ -0,0 +1,36 @@ +From fc1156f373e3927e0dcf06678906c367588bfdd6 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Fri, 22 Nov 2019 16:17:08 -0800 +Subject: [PATCH] Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus +Git-commit: fc1156f373e3927e0dcf06678906c367588bfdd6 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +Some Lenovo X1 Carbon Gen 6 laptops report LEN0091. Add this +to the smbus_pnp_ids list. + +Signed-off-by: Hans Verkuil +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191119105118.54285-2-hverkuil-cisco@xs4all.nl +Signed-off-by: Dmitry Torokhov +Acked-by: Takashi Iwai + +--- + drivers/input/mouse/synaptics.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c +index 56fae3472114..1ae6f8bba9ae 100644 +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -172,6 +172,7 @@ static const char * const smbus_pnp_ids[] = { + "LEN0071", /* T480 */ + "LEN0072", /* X1 Carbon Gen 5 (2017) - Elan/ALPS trackpoint */ + "LEN0073", /* X1 Carbon G5 (Elantech) */ ++ "LEN0091", /* X1 Carbon 6 */ + "LEN0092", /* X1 Carbon 6 */ + "LEN0093", /* T480 */ + "LEN0096", /* X280 */ +-- +2.16.4 + diff --git a/patches.suse/NFC-fdp-fix-incorrect-free-object.patch b/patches.suse/NFC-fdp-fix-incorrect-free-object.patch new file mode 100644 index 0000000..9aa0d90 --- /dev/null +++ b/patches.suse/NFC-fdp-fix-incorrect-free-object.patch @@ -0,0 +1,29 @@ +From: Pan Bian +Date: Tue, 5 Nov 2019 16:34:07 +0800 +Subject: NFC: fdp: fix incorrect free object +Git-commit: 517ce4e93368938b204451285e53014549804868 +Patch-mainline: 5.4-rc7 +References: networking-stable-19_11_10 + +The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is +incorrect, which may result in a system crash or other security impacts. +The expected object to free is *fw_vsc_cfg. + +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/nfc/fdp/i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nfc/fdp/i2c.c ++++ b/drivers/nfc/fdp/i2c.c +@@ -268,7 +268,7 @@ static void fdp_nci_i2c_read_device_prop + *fw_vsc_cfg, len); + + if (r) { +- devm_kfree(dev, fw_vsc_cfg); ++ devm_kfree(dev, *fw_vsc_cfg); + goto vsc_read_err; + } + } else { diff --git a/patches.suse/NFC-st21nfca-fix-double-free.patch b/patches.suse/NFC-st21nfca-fix-double-free.patch new file mode 100644 index 0000000..f7d43e3 --- /dev/null +++ b/patches.suse/NFC-st21nfca-fix-double-free.patch @@ -0,0 +1,29 @@ +From: Pan Bian +Date: Thu, 7 Nov 2019 09:33:20 +0800 +Subject: NFC: st21nfca: fix double free +Git-commit: 99a8efbb6e30b72ac98cecf81103f847abffb1e5 +Patch-mainline: 5.4-rc7 +References: networking-stable-19_11_10 + +The variable nfcid_skb is not changed in the callee nfc_hci_get_param() +if error occurs. Consequently, the freed variable nfcid_skb will be +freed again, resulting in a double free bug. Set nfcid_skb to NULL after +releasing it to fix the bug. + +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/nfc/st21nfca/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nfc/st21nfca/core.c ++++ b/drivers/nfc/st21nfca/core.c +@@ -719,6 +719,7 @@ static int st21nfca_hci_complete_target_ + NFC_PROTO_FELICA_MASK; + } else { + kfree_skb(nfcid_skb); ++ nfcid_skb = NULL; + /* P2P in type A */ + r = nfc_hci_get_param(hdev, ST21NFCA_RF_READER_F_GATE, + ST21NFCA_RF_READER_F_NFCID1, diff --git a/patches.suse/RDMA-hns-Bugfix-for-qpc-cqc-timer-configuration.patch b/patches.suse/RDMA-hns-Bugfix-for-qpc-cqc-timer-configuration.patch new file mode 100644 index 0000000..96f674b --- /dev/null +++ b/patches.suse/RDMA-hns-Bugfix-for-qpc-cqc-timer-configuration.patch @@ -0,0 +1,34 @@ +From: Yangyang Li +Date: Thu, 24 Oct 2019 17:21:57 +0800 +Subject: RDMA/hns: Bugfix for qpc/cqc timer configuration +Patch-mainline: v5.5-rc1 +Git-commit: 887803db866a7a4e1817a3cb8a3eee4e9879fed2 +References: bsc#1104427 FATE#326416 bsc#1126206 + +qpc/cqc timer entry size needs one page, but currently they are fixedly +configured to 4096, which is not appropriate in 64K page scenarios. So +they should be modified to PAGE_SIZE. + +Fixes: 0e40dc2f70cd ("RDMA/hns: Add timer allocation support for hip08") +Link: https://lore.kernel.org/r/1571908917-16220-3-git-send-email-liweihang@hisilicon.com +Signed-off-by: Yangyang Li +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -87,8 +87,8 @@ + #define HNS_ROCE_V2_MTT_ENTRY_SZ 64 + #define HNS_ROCE_V2_CQE_ENTRY_SIZE 32 + #define HNS_ROCE_V2_SCCC_ENTRY_SZ 32 +-#define HNS_ROCE_V2_QPC_TIMER_ENTRY_SZ 4096 +-#define HNS_ROCE_V2_CQC_TIMER_ENTRY_SZ 4096 ++#define HNS_ROCE_V2_QPC_TIMER_ENTRY_SZ PAGE_SIZE ++#define HNS_ROCE_V2_CQC_TIMER_ENTRY_SZ PAGE_SIZE + #define HNS_ROCE_V2_PAGE_SIZE_SUPPORTED 0xFFFFF000 + #define HNS_ROCE_V2_MAX_INNER_MTPT_NUM 2 + #define HNS_ROCE_INVALID_LKEY 0x100 diff --git a/patches.suse/RDMA-hns-Correct-the-value-of-srq_desc_size.patch b/patches.suse/RDMA-hns-Correct-the-value-of-srq_desc_size.patch new file mode 100644 index 0000000..92b2c6c --- /dev/null +++ b/patches.suse/RDMA-hns-Correct-the-value-of-srq_desc_size.patch @@ -0,0 +1,31 @@ +From: Wenpeng Liang +Date: Fri, 1 Nov 2019 10:33:30 +0800 +Subject: RDMA/hns: Correct the value of srq_desc_size +Patch-mainline: v5.4-rc8 +Git-commit: 411c1e6774e2e1f96b1ccce4f119376b94ade3e4 +References: bsc#1104427 FATE#326416 + +srq_desc_size should be rounded up to pow of two before used, or related +calculation may cause allocating wrong size of memory for srq buffer. + +Fixes: c7bcb13442e1 ("RDMA/hns: Add SRQ support for hip08 kernel mode") +Link: https://lore.kernel.org/r/1572575610-52530-3-git-send-email-liweihang@hisilicon.com +Signed-off-by: Wenpeng Liang +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/hns/hns_roce_srq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c +@@ -233,7 +233,7 @@ struct ib_srq *hns_roce_create_srq(struc + srq->max = roundup_pow_of_two(srq_init_attr->attr.max_wr + 1); + srq->max_gs = srq_init_attr->attr.max_sge; + +- srq_desc_size = max(16, 16 * srq->max_gs); ++ srq_desc_size = roundup_pow_of_two(max(16, 16 * srq->max_gs)); + + srq->wqe_shift = ilog2(srq_desc_size); + diff --git a/patches.suse/RDMA-hns-Fix-to-support-64K-page-for-srq.patch b/patches.suse/RDMA-hns-Fix-to-support-64K-page-for-srq.patch new file mode 100644 index 0000000..a0b10c6 --- /dev/null +++ b/patches.suse/RDMA-hns-Fix-to-support-64K-page-for-srq.patch @@ -0,0 +1,36 @@ +From: Lijun Ou +Date: Thu, 24 Oct 2019 17:21:56 +0800 +Subject: RDMA/hns: Fix to support 64K page for srq +Patch-mainline: v5.5-rc1 +Git-commit: 5c7e76fb7cb5071be800c938ebf2c475e140d3f0 +References: bsc#1104427 FATE#326416 + +SRQ's page size configuration of BA and buffer should depend on current +PAGE_SHIFT, or it can't work in scenario of 64K page. + +Fixes: c7bcb13442e1 ("RDMA/hns: Add SRQ support for hip08 kernel mode") +Link: https://lore.kernel.org/r/1571908917-16220-2-git-send-email-liweihang@hisilicon.com +Signed-off-by: Lijun Ou +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -5995,11 +5995,11 @@ static void hns_roce_v2_write_srqc(struc + roce_set_field(srq_context->byte_44_idxbufpgsz_addr, + SRQC_BYTE_44_SRQ_IDX_BA_PG_SZ_M, + SRQC_BYTE_44_SRQ_IDX_BA_PG_SZ_S, +- hr_dev->caps.idx_ba_pg_sz); ++ hr_dev->caps.idx_ba_pg_sz + PG_SHIFT_OFFSET); + roce_set_field(srq_context->byte_44_idxbufpgsz_addr, + SRQC_BYTE_44_SRQ_IDX_BUF_PG_SZ_M, + SRQC_BYTE_44_SRQ_IDX_BUF_PG_SZ_S, +- hr_dev->caps.idx_buf_pg_sz); ++ hr_dev->caps.idx_buf_pg_sz + PG_SHIFT_OFFSET); + + srq_context->idx_nxt_blk_addr = (u32)(mtts_idx[1] >> PAGE_ADDR_SHIFT); + srq_context->idx_nxt_blk_addr = diff --git a/patches.suse/RDMA-hns-Prevent-memory-leaks-of-eq-buf_list.patch b/patches.suse/RDMA-hns-Prevent-memory-leaks-of-eq-buf_list.patch new file mode 100644 index 0000000..4db6e52 --- /dev/null +++ b/patches.suse/RDMA-hns-Prevent-memory-leaks-of-eq-buf_list.patch @@ -0,0 +1,35 @@ +From: Lijun Ou +Date: Sat, 26 Oct 2019 14:56:35 +0800 +Subject: RDMA/hns: Prevent memory leaks of eq->buf_list +Patch-mainline: v5.4-rc6 +Git-commit: b681a0529968d2261aa15d7a1e78801b2c06bb07 +References: bsc#1104427 FATE#326416 + +eq->buf_list->buf and eq->buf_list should also be freed when eqe_hop_num +is set to 0, or there will be memory leaks. + +Fixes: a5073d6054f7 ("RDMA/hns: Add eq support of hip08") +Link: https://lore.kernel.org/r/1572072995-11277-3-git-send-email-liweihang@hisilicon.com +Signed-off-by: Lijun Ou +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4120,9 +4120,9 @@ static void hns_roce_v2_free_eq(struct h + return; + } + +- if (eq->buf_list) +- dma_free_coherent(hr_dev->dev, buf_chk_sz, +- eq->buf_list->buf, eq->buf_list->map); ++ dma_free_coherent(hr_dev->dev, buf_chk_sz, eq->buf_list->buf, ++ eq->buf_list->map); ++ kfree(eq->buf_list); + } + + static void hns_roce_config_eqc(struct hns_roce_dev *hr_dev, diff --git a/patches.suse/Revert-mmc-sdhci-Fix-incorrect-switch-to-HS-mode.patch b/patches.suse/Revert-mmc-sdhci-Fix-incorrect-switch-to-HS-mode.patch new file mode 100644 index 0000000..29d1de1 --- /dev/null +++ b/patches.suse/Revert-mmc-sdhci-Fix-incorrect-switch-to-HS-mode.patch @@ -0,0 +1,46 @@ +From 07bcc411567cb96f9d1fc84fff8d387118a2920d Mon Sep 17 00:00:00 2001 +From: Faiz Abbas +Date: Thu, 28 Nov 2019 16:34:22 +0530 +Subject: [PATCH] Revert "mmc: sdhci: Fix incorrect switch to HS mode" +Git-commit: 07bcc411567cb96f9d1fc84fff8d387118a2920d +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +This reverts commit c894e33ddc1910e14d6f2a2016f60ab613fd8b37. + +This commit aims to treat SD High speed and SDR25 as the same while +setting UHS Timings in HOST_CONTROL2 which leads to failures with some +SD cards in AM65x. Revert this commit. + +The issue this commit was trying to fix can be implemented in a platform +specific callback instead of common sdhci code. + +Cc: +Signed-off-by: Faiz Abbas +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20191128110422.25917-1-faiz_abbas@ti.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/sdhci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c +index 3140fe2e5dba..296d955ede59 100644 +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -1882,9 +1882,7 @@ void sdhci_set_uhs_signaling(struct sdhci_host *host, unsigned timing) + ctrl_2 |= SDHCI_CTRL_UHS_SDR104; + else if (timing == MMC_TIMING_UHS_SDR12) + ctrl_2 |= SDHCI_CTRL_UHS_SDR12; +- else if (timing == MMC_TIMING_SD_HS || +- timing == MMC_TIMING_MMC_HS || +- timing == MMC_TIMING_UHS_SDR25) ++ else if (timing == MMC_TIMING_UHS_SDR25) + ctrl_2 |= SDHCI_CTRL_UHS_SDR25; + else if (timing == MMC_TIMING_UHS_SDR50) + ctrl_2 |= SDHCI_CTRL_UHS_SDR50; +-- +2.16.4 + diff --git a/patches.suse/USB-adutux-fix-interface-sanity-check.patch b/patches.suse/USB-adutux-fix-interface-sanity-check.patch new file mode 100644 index 0000000..39ad502 --- /dev/null +++ b/patches.suse/USB-adutux-fix-interface-sanity-check.patch @@ -0,0 +1,41 @@ +From 3c11c4bed02b202e278c0f5c319ae435d7fb9815 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:25:59 +0100 +Subject: [PATCH] USB: adutux: fix interface sanity check +Git-commit: 3c11c4bed02b202e278c0f5c319ae435d7fb9815 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 03270634e242 ("USB: Add ADU support for Ontrak ADU devices") +Cc: stable # 2.6.19 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210112601.3561-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/misc/adutux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/misc/adutux.c b/drivers/usb/misc/adutux.c +index 6f5edb9fc61e..d8d157c4c271 100644 +--- a/drivers/usb/misc/adutux.c ++++ b/drivers/usb/misc/adutux.c +@@ -669,7 +669,7 @@ static int adu_probe(struct usb_interface *interface, + init_waitqueue_head(&dev->read_wait); + init_waitqueue_head(&dev->write_wait); + +- res = usb_find_common_endpoints_reverse(&interface->altsetting[0], ++ res = usb_find_common_endpoints_reverse(interface->cur_altsetting, + NULL, NULL, + &dev->interrupt_in_endpoint, + &dev->interrupt_out_endpoint); +-- +2.16.4 + diff --git a/patches.suse/USB-documentation-flags-on-usb-storage-versus-UAS.patch b/patches.suse/USB-documentation-flags-on-usb-storage-versus-UAS.patch new file mode 100644 index 0000000..a7fdf86 --- /dev/null +++ b/patches.suse/USB-documentation-flags-on-usb-storage-versus-UAS.patch @@ -0,0 +1,79 @@ +From 65cc8bf99349f651a0a2cee69333525fe581f306 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 14 Nov 2019 12:27:58 +0100 +Subject: [PATCH] USB: documentation: flags on usb-storage versus UAS +Git-commit: 65cc8bf99349f651a0a2cee69333525fe581f306 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +Document which flags work storage, UAS or both + +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://lore.kernel.org/r/20191114112758.32747-4-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + Documentation/admin-guide/kernel-parameters.txt | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index a84a83f8881e..a02b1799a756 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -4998,13 +4998,13 @@ + Flags is a set of characters, each corresponding + to a common usb-storage quirk flag as follows: + a = SANE_SENSE (collect more than 18 bytes +- of sense data); ++ of sense data, not on uas); + b = BAD_SENSE (don't collect more than 18 +- bytes of sense data); ++ bytes of sense data, not on uas); + c = FIX_CAPACITY (decrease the reported + device capacity by one sector); + d = NO_READ_DISC_INFO (don't use +- READ_DISC_INFO command); ++ READ_DISC_INFO command, not on uas); + e = NO_READ_CAPACITY_16 (don't use + READ_CAPACITY_16 command); + f = NO_REPORT_OPCODES (don't use report opcodes +@@ -5019,17 +5019,18 @@ + j = NO_REPORT_LUNS (don't use report luns + command, uas only); + l = NOT_LOCKABLE (don't try to lock and +- unlock ejectable media); ++ unlock ejectable media, not on uas); + m = MAX_SECTORS_64 (don't transfer more +- than 64 sectors = 32 KB at a time); ++ than 64 sectors = 32 KB at a time, ++ not on uas); + n = INITIAL_READ10 (force a retry of the +- initial READ(10) command); ++ initial READ(10) command, not on uas); + o = CAPACITY_OK (accept the capacity +- reported by the device); ++ reported by the device, not on uas); + p = WRITE_CACHE (the device cache is ON +- by default); ++ by default, not on uas); + r = IGNORE_RESIDUE (the device reports +- bogus residue values); ++ bogus residue values, not on uas); + s = SINGLE_LUN (the device has only one + Logical Unit); + t = NO_ATA_1X (don't allow ATA(12) and ATA(16) +@@ -5038,7 +5039,8 @@ + w = NO_WP_DETECT (don't test whether the + medium is write-protected). + y = ALWAYS_SYNC (issue a SYNCHRONIZE_CACHE +- even if the device claims no cache) ++ even if the device claims no cache, ++ not on uas) + Example: quirks=0419:aaf5:rl,0421:0433:rc + + user_debug= [KNL,ARM] +-- +2.16.4 + diff --git a/patches.suse/USB-idmouse-fix-interface-sanity-checks.patch b/patches.suse/USB-idmouse-fix-interface-sanity-checks.patch new file mode 100644 index 0000000..0ee09c6 --- /dev/null +++ b/patches.suse/USB-idmouse-fix-interface-sanity-checks.patch @@ -0,0 +1,41 @@ +From 59920635b89d74b9207ea803d5e91498d39e8b69 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:26:00 +0100 +Subject: [PATCH] USB: idmouse: fix interface sanity checks +Git-commit: 59920635b89d74b9207ea803d5e91498d39e8b69 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210112601.3561-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/misc/idmouse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c +index 4afb5ddfd361..e9437a176518 100644 +--- a/drivers/usb/misc/idmouse.c ++++ b/drivers/usb/misc/idmouse.c +@@ -322,7 +322,7 @@ static int idmouse_probe(struct usb_interface *interface, + int result; + + /* check if we have gotten the data or the hid interface */ +- iface_desc = &interface->altsetting[0]; ++ iface_desc = interface->cur_altsetting; + if (iface_desc->desc.bInterfaceClass != 0x0A) + return -ENODEV; + +-- +2.16.4 + diff --git a/patches.suse/USB-serial-io_edgeport-fix-epic-endpoint-lookup.patch b/patches.suse/USB-serial-io_edgeport-fix-epic-endpoint-lookup.patch new file mode 100644 index 0000000..d50a458 --- /dev/null +++ b/patches.suse/USB-serial-io_edgeport-fix-epic-endpoint-lookup.patch @@ -0,0 +1,55 @@ +From 7c5a2df3367a2c4984f1300261345817d95b71f8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:26:01 +0100 +Subject: [PATCH] USB: serial: io_edgeport: fix epic endpoint lookup +Git-commit: 7c5a2df3367a2c4984f1300261345817d95b71f8 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +Make sure to use the current alternate setting when looking up the +endpoints on epic devices to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver") +Cc: stable # 2.6.21 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210112601.3561-5-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/serial/io_edgeport.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c +index 48a439298a68..9690a5f4b9d6 100644 +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -2901,16 +2901,18 @@ static int edge_startup(struct usb_serial *serial) + response = 0; + + if (edge_serial->is_epic) { ++ struct usb_host_interface *alt; ++ ++ alt = serial->interface->cur_altsetting; ++ + /* EPIC thing, set up our interrupt polling now and our read + * urb, so that the device knows it really is connected. */ + interrupt_in_found = bulk_in_found = bulk_out_found = false; +- for (i = 0; i < serial->interface->altsetting[0] +- .desc.bNumEndpoints; ++i) { ++ for (i = 0; i < alt->desc.bNumEndpoints; ++i) { + struct usb_endpoint_descriptor *endpoint; + int buffer_size; + +- endpoint = &serial->interface->altsetting[0]. +- endpoint[i].desc; ++ endpoint = &alt->endpoint[i].desc; + buffer_size = usb_endpoint_maxp(endpoint); + if (!interrupt_in_found && + (usb_endpoint_is_int_in(endpoint))) { +-- +2.16.4 + diff --git a/patches.suse/USB-uas-heed-CAPACITY_HEURISTICS.patch b/patches.suse/USB-uas-heed-CAPACITY_HEURISTICS.patch new file mode 100644 index 0000000..b390cea --- /dev/null +++ b/patches.suse/USB-uas-heed-CAPACITY_HEURISTICS.patch @@ -0,0 +1,42 @@ +From 335cbbd5762d5e5c67a8ddd6e6362c2aa42a328f Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 14 Nov 2019 12:27:57 +0100 +Subject: [PATCH] USB: uas: heed CAPACITY_HEURISTICS +Git-commit: 335cbbd5762d5e5c67a8ddd6e6362c2aa42a328f +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +There is no need to ignore this flag. We should be as close +to storage in that regard as makes sense, so honor flags whose +cost is tiny. + +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://lore.kernel.org/r/20191114112758.32747-3-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/storage/uas.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index def2d4aba549..475b9c692827 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -837,6 +837,12 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_FIX_CAPACITY) + sdev->fix_capacity = 1; + ++ /* ++ * in some cases we have to guess ++ */ ++ if (devinfo->flags & US_FL_CAPACITY_HEURISTICS) ++ sdev->guess_capacity = 1; ++ + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +-- +2.16.4 + diff --git a/patches.suse/USB-uas-honor-flag-to-avoid-CAPACITY16.patch b/patches.suse/USB-uas-honor-flag-to-avoid-CAPACITY16.patch new file mode 100644 index 0000000..3e03e90 --- /dev/null +++ b/patches.suse/USB-uas-honor-flag-to-avoid-CAPACITY16.patch @@ -0,0 +1,38 @@ +From bff000cae1eec750d62e265c4ba2db9af57b17e1 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 14 Nov 2019 12:27:56 +0100 +Subject: [PATCH] USB: uas: honor flag to avoid CAPACITY16 +Git-commit: bff000cae1eec750d62e265c4ba2db9af57b17e1 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +Copy the support over from usb-storage to get feature parity + +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://lore.kernel.org/r/20191114112758.32747-2-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/storage/uas.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index 34538253f12c..def2d4aba549 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -825,6 +825,10 @@ static int uas_slave_configure(struct scsi_device *sdev) + sdev->wce_default_on = 1; + } + ++ /* Some disks cannot handle READ_CAPACITY_16 */ ++ if (devinfo->flags & US_FL_NO_READ_CAPACITY_16) ++ sdev->no_read_capacity_16 = 1; ++ + /* + * Some disks return the total number of blocks in response + * to READ CAPACITY rather than the highest block number. +-- +2.16.4 + diff --git a/patches.suse/ar5523-check-NULL-before-memcpy-in-ar5523_cmd.patch b/patches.suse/ar5523-check-NULL-before-memcpy-in-ar5523_cmd.patch new file mode 100644 index 0000000..df7fbb7 --- /dev/null +++ b/patches.suse/ar5523-check-NULL-before-memcpy-in-ar5523_cmd.patch @@ -0,0 +1,44 @@ +From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Mon, 30 Sep 2019 23:31:47 +0300 +Subject: [PATCH] ar5523: check NULL before memcpy() in ar5523_cmd() +Git-commit: 315cee426f87658a6799815845788fde965ddaad +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +memcpy() call with "idata == NULL && ilen == 0" results in undefined +behavior in ar5523_cmd(). For example, NULL is passed in callchain +"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch +adds ilen check before memcpy() call in ar5523_cmd() to prevent an +undefined behavior. + +Cc: Pontus Fuchs +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: David Laight +Cc: stable@vger.kernel.org +Signed-off-by: Denis Efremov +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index b94759daeacc..da2d179430ca 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata, + + if (flags & AR5523_CMD_FLAG_MAGIC) + hdr->magic = cpu_to_be32(1 << 24); +- memcpy(hdr + 1, idata, ilen); ++ if (ilen) ++ memcpy(hdr + 1, idata, ilen); + + cmd->odata = odata; + cmd->olen = olen; +-- +2.16.4 + diff --git a/patches.suse/ath10k-fix-fw-crash-by-moving-chip-reset-after-napi-.patch b/patches.suse/ath10k-fix-fw-crash-by-moving-chip-reset-after-napi-.patch new file mode 100644 index 0000000..5ea94a4 --- /dev/null +++ b/patches.suse/ath10k-fix-fw-crash-by-moving-chip-reset-after-napi-.patch @@ -0,0 +1,74 @@ +From 08d80e4cd27ba19f9bee9e5f788f9a9fc440a22f Mon Sep 17 00:00:00 2001 +From: Miaoqing Pan +Date: Fri, 24 May 2019 11:16:22 +0800 +Subject: [PATCH] ath10k: fix fw crash by moving chip reset after napi disabled +Git-commit: 08d80e4cd27ba19f9bee9e5f788f9a9fc440a22f +Patch-mainline: v5.3-rc1 +References: bsc#1051510 + +On SMP platform, when continuously running wifi up/down, the napi +poll can be scheduled during chip reset, which will call +ath10k_pci_has_fw_crashed() to check the fw status. But in the reset +period, the value from FW_INDICATOR_ADDRESS register will return +0xdeadbeef, which also be treated as fw crash. Fix the issue by +moving chip reset after napi disabled. + +ath10k_pci 0000:01:00.0: firmware crashed! (guid 73b30611-5b1e-4bdd-90b4-64c81eb947b6) +ath10k_pci 0000:01:00.0: qca9984/qca9994 hw1.0 target 0x01000000 chip_id 0x00000000 sub 168c:cafe +ath10k_pci 0000:01:00.0: htt-ver 2.2 wmi-op 6 htt-op 4 cal otp max-sta 512 raw 0 hwcrypto 1 +ath10k_pci 0000:01:00.0: failed to get memcpy hi address for firmware address 4: -16 +ath10k_pci 0000:01:00.0: failed to read firmware dump area: -16 +ath10k_pci 0000:01:00.0: Copy Engine register dump: +ath10k_pci 0000:01:00.0: [00]: 0x0004a000 0 0 0 0 +ath10k_pci 0000:01:00.0: [01]: 0x0004a400 0 0 0 0 +ath10k_pci 0000:01:00.0: [02]: 0x0004a800 0 0 0 0 +ath10k_pci 0000:01:00.0: [03]: 0x0004ac00 0 0 0 0 +ath10k_pci 0000:01:00.0: [04]: 0x0004b000 0 0 0 0 +ath10k_pci 0000:01:00.0: [05]: 0x0004b400 0 0 0 0 +ath10k_pci 0000:01:00.0: [06]: 0x0004b800 0 0 0 0 +ath10k_pci 0000:01:00.0: [07]: 0x0004bc00 1 0 1 0 +ath10k_pci 0000:01:00.0: [08]: 0x0004c000 0 0 0 0 +ath10k_pci 0000:01:00.0: [09]: 0x0004c400 0 0 0 0 +ath10k_pci 0000:01:00.0: [10]: 0x0004c800 0 0 0 0 +ath10k_pci 0000:01:00.0: [11]: 0x0004cc00 0 0 0 0 + +Tested HW: QCA9984,QCA9887,WCN3990 + +Signed-off-by: Miaoqing Pan +Signed-off-by: Kalle Valo +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ath10k/pci.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index 2bd6cbad19e4..80bcb2ef5926 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -2059,6 +2059,11 @@ static void ath10k_pci_hif_stop(struct ath10k *ar) + + ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot hif stop\n"); + ++ ath10k_pci_irq_disable(ar); ++ ath10k_pci_irq_sync(ar); ++ napi_synchronize(&ar->napi); ++ napi_disable(&ar->napi); ++ + /* Most likely the device has HTT Rx ring configured. The only way to + * prevent the device from accessing (and possible corrupting) host + * memory is to reset the chip now. +@@ -2072,10 +2077,6 @@ static void ath10k_pci_hif_stop(struct ath10k *ar) + */ + ath10k_pci_safe_chip_reset(ar); + +- ath10k_pci_irq_disable(ar); +- ath10k_pci_irq_sync(ar); +- napi_synchronize(&ar->napi); +- napi_disable(&ar->napi); + ath10k_pci_flush(ar); + + spin_lock_irqsave(&ar_pci->ps_lock, flags); +-- +2.16.4 + diff --git a/patches.suse/bonding-fix-active-backup-transition-after-link-fail.patch b/patches.suse/bonding-fix-active-backup-transition-after-link-fail.patch new file mode 100644 index 0000000..6916fb9 --- /dev/null +++ b/patches.suse/bonding-fix-active-backup-transition-after-link-fail.patch @@ -0,0 +1,45 @@ +From: Mahesh Bandewar +Date: Fri, 6 Dec 2019 15:44:55 -0800 +Subject: bonding: fix active-backup transition after link failure +Git-commit: 5d485ed88d48f8101a2067348e267c0aaf4ed486 +Patch-mainline: 5.5-rc3 +References: git-fixes + +After the recent fix in commit 1899bb325149 ("bonding: fix state +transition issue in link monitoring"), the active-backup mode with +miimon initially come-up fine but after a link-failure, both members +transition into backup state. + +Following steps to reproduce the scenario (eth1 and eth2 are the +slaves of the bond): + + ip link set eth1 up + ip link set eth2 down + sleep 1 + ip link set eth2 up + ip link set eth1 down + cat /sys/class/net/eth1/bonding_slave/state + cat /sys/class/net/eth2/bonding_slave/state + +Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring") +CC: Jay Vosburgh +Signed-off-by: Mahesh Bandewar +Acked-by: Jay Vosburgh +Signed-off-by: Jakub Kicinski +Signed-off-by: Jiri Slaby +--- + drivers/net/bonding/bond_main.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2177,9 +2177,6 @@ static void bond_miimon_commit(struct bo + } else if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) { + /* make it immediately active */ + bond_set_active_slave(slave); +- } else if (slave != primary) { +- /* prevent it from being the active one */ +- bond_set_backup_slave(slave); + } + + netdev_info(bond->dev, "link status definitely up for interface %s, %u Mbps %s duplex\n", diff --git a/patches.suse/bonding-fix-slave-stuck-in-BOND_LINK_FAIL-state.patch b/patches.suse/bonding-fix-slave-stuck-in-BOND_LINK_FAIL-state.patch new file mode 100644 index 0000000..59a8d80 --- /dev/null +++ b/patches.suse/bonding-fix-slave-stuck-in-BOND_LINK_FAIL-state.patch @@ -0,0 +1,57 @@ +From: Jay Vosburgh +Date: Tue, 7 Nov 2017 19:50:07 +0900 +Subject: bonding: fix slave stuck in BOND_LINK_FAIL state +Git-commit: 055db6957e4735b16cd2fa94a5bbfb754c9b8023 +Patch-mainline: 4.14 +References: networking-stable-19_11_10 + +The bonding miimon logic has a flaw, in that a failure of the +rtnl_trylock can cause a slave to become permanently stuck in +BOND_LINK_FAIL state. + + The sequence of events to cause this is as follows: + + 1) bond_miimon_inspect finds that a slave's link is down, and so +calls bond_propose_link_state, setting slave->new_link_state to +BOND_LINK_FAIL, then sets slave->new_link to BOND_LINK_DOWN and returns +non-zero. + + 2) In bond_mii_monitor, the rtnl_trylock fails, and the timer is +rescheduled. No change is committed. + + 3) bond_miimon_inspect is called again, but this time the slave +from step 1 has recovered. slave->new_link is reset to NOCHANGE, and, as +slave->link was never changed, the switch enters the BOND_LINK_UP case, +and does nothing. The pending BOND_LINK_FAIL state from step 1 remains +pending, as new_link_state is not reset. + + 4) The state from step 3 persists until another slave changes link +state and causes bond_miimon_inspect to return non-zero. At this point, +the BOND_LINK_FAIL state change on the slave from steps 1-3 is committed, +and the slave will remain stuck in BOND_LINK_FAIL state even though it +is actually link up. + + The remedy for this is to initialize new_link_state on each entry +to bond_miimon_inspect, as is already done with new_link. + +Fixes: fb9eb899a6dc ("bonding: handle link transition from FAIL to UP correctly") +Reported-by: Alex Sidorenko +Reviewed-by: Jarod Wilson +Signed-off-by: Jay Vosburgh +Acked-by: Mahesh Bandewar +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2039,6 +2039,7 @@ static int bond_miimon_inspect(struct bo + + bond_for_each_slave_rcu(bond, slave, iter) { + slave->new_link = BOND_LINK_NOCHANGE; ++ slave->link_new_state = slave->link; + + link_state = bond_check_dev_link(bond, slave->dev, 0); + diff --git a/patches.suse/bonding-fix-state-transition-issue-in-link-monitorin.patch b/patches.suse/bonding-fix-state-transition-issue-in-link-monitorin.patch new file mode 100644 index 0000000..745762b --- /dev/null +++ b/patches.suse/bonding-fix-state-transition-issue-in-link-monitorin.patch @@ -0,0 +1,213 @@ +From: Jay Vosburgh +Date: Fri, 1 Nov 2019 21:56:42 -0700 +Subject: bonding: fix state transition issue in link monitoring +Git-commit: 1899bb325149e481de31a4f32b59ea6f24e176ea +Patch-mainline: 5.4-rc7 +References: networking-stable-19_11_10 + +Since de77ecd4ef02 ("bonding: improve link-status update in +mii-monitoring"), the bonding driver has utilized two separate variables +to indicate the next link state a particular slave should transition to. +Each is used to communicate to a different portion of the link state +change commit logic; one to the bond_miimon_commit function itself, and +another to the state transition logic. + + Unfortunately, the two variables can become unsynchronized, +resulting in incorrect link state transitions within bonding. This can +cause slaves to become stuck in an incorrect link state until a +subsequent carrier state transition. + + The issue occurs when a special case in bond_slave_netdev_event +sets slave->link directly to BOND_LINK_FAIL. On the next pass through +bond_miimon_inspect after the slave goes carrier up, the BOND_LINK_FAIL +case will set the proposed next state (link_new_state) to BOND_LINK_UP, +but the new_link to BOND_LINK_DOWN. The setting of the final link state +from new_link comes after that from link_new_state, and so the slave +will end up incorrectly in _DOWN state. + + Resolve this by combining the two variables into one. + +Reported-by: Aleksei Zakharov +Reported-by: Sha Zhang +Cc: Mahesh Bandewar +Fixes: de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring") +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/bonding/bond_main.c | 44 ++++++++++++++++++++-------------------- + include/net/bonding.h | 3 -- + 2 files changed, 23 insertions(+), 24 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2048,8 +2048,7 @@ static int bond_miimon_inspect(struct bo + ignore_updelay = !rcu_dereference(bond->curr_active_slave); + + bond_for_each_slave_rcu(bond, slave, iter) { +- slave->new_link = BOND_LINK_NOCHANGE; +- slave->link_new_state = slave->link; ++ bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + + link_state = bond_check_dev_link(bond, slave->dev, 0); + +@@ -2085,7 +2084,7 @@ static int bond_miimon_inspect(struct bo + } + + if (slave->delay <= 0) { +- slave->new_link = BOND_LINK_DOWN; ++ bond_propose_link_state(slave, BOND_LINK_DOWN); + commit++; + continue; + } +@@ -2124,7 +2123,7 @@ static int bond_miimon_inspect(struct bo + slave->delay = 0; + + if (slave->delay <= 0) { +- slave->new_link = BOND_LINK_UP; ++ bond_propose_link_state(slave, BOND_LINK_UP); + commit++; + ignore_updelay = false; + continue; +@@ -2144,7 +2143,7 @@ static void bond_miimon_commit(struct bo + struct slave *slave, *primary; + + bond_for_each_slave(bond, slave, iter) { +- switch (slave->new_link) { ++ switch (slave->link_new_state) { + case BOND_LINK_NOCHANGE: + /* For 802.3ad mode, check current slave speed and + * duplex again in case its port was disabled after +@@ -2237,8 +2236,8 @@ static void bond_miimon_commit(struct bo + + default: + netdev_err(bond->dev, "invalid new link %d on slave %s\n", +- slave->new_link, slave->dev->name); +- slave->new_link = BOND_LINK_NOCHANGE; ++ slave->link_new_state, slave->dev->name); ++ bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + + continue; + } +@@ -2637,13 +2636,13 @@ static void bond_loadbalance_arp_mon(str + bond_for_each_slave_rcu(bond, slave, iter) { + unsigned long trans_start = dev_trans_start(slave->dev); + +- slave->new_link = BOND_LINK_NOCHANGE; ++ bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + + if (slave->link != BOND_LINK_UP) { + if (bond_time_in_interval(bond, trans_start, 1) && + bond_time_in_interval(bond, slave->last_rx, 1)) { + +- slave->new_link = BOND_LINK_UP; ++ bond_propose_link_state(slave, BOND_LINK_UP); + slave_state_changed = 1; + + /* primary_slave has no meaning in round-robin +@@ -2670,7 +2669,7 @@ static void bond_loadbalance_arp_mon(str + if (!bond_time_in_interval(bond, trans_start, 2) || + !bond_time_in_interval(bond, slave->last_rx, 2)) { + +- slave->new_link = BOND_LINK_DOWN; ++ bond_propose_link_state(slave, BOND_LINK_DOWN); + slave_state_changed = 1; + + if (slave->link_failure_count < UINT_MAX) +@@ -2702,8 +2701,8 @@ static void bond_loadbalance_arp_mon(str + goto re_arm; + + bond_for_each_slave(bond, slave, iter) { +- if (slave->new_link != BOND_LINK_NOCHANGE) +- slave->link = slave->new_link; ++ if (slave->link_new_state != BOND_LINK_NOCHANGE) ++ slave->link = slave->link_new_state; + } + + if (slave_state_changed) { +@@ -2726,9 +2725,9 @@ re_arm: + } + + /* Called to inspect slaves for active-backup mode ARP monitor link state +- * changes. Sets new_link in slaves to specify what action should take +- * place for the slave. Returns 0 if no changes are found, >0 if changes +- * to link states must be committed. ++ * changes. Sets proposed link state in slaves to specify what action ++ * should take place for the slave. Returns 0 if no changes are found, >0 ++ * if changes to link states must be committed. + * + * Called with rcu_read_lock held. + */ +@@ -2740,12 +2739,12 @@ static int bond_ab_arp_inspect(struct bo + int commit = 0; + + bond_for_each_slave_rcu(bond, slave, iter) { +- slave->new_link = BOND_LINK_NOCHANGE; ++ bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + last_rx = slave_last_rx(bond, slave); + + if (slave->link != BOND_LINK_UP) { + if (bond_time_in_interval(bond, last_rx, 1)) { +- slave->new_link = BOND_LINK_UP; ++ bond_propose_link_state(slave, BOND_LINK_UP); + commit++; + } + continue; +@@ -2773,7 +2772,7 @@ static int bond_ab_arp_inspect(struct bo + if (!bond_is_active_slave(slave) && + !rcu_access_pointer(bond->current_arp_slave) && + !bond_time_in_interval(bond, last_rx, 3)) { +- slave->new_link = BOND_LINK_DOWN; ++ bond_propose_link_state(slave, BOND_LINK_DOWN); + commit++; + } + +@@ -2786,7 +2785,7 @@ static int bond_ab_arp_inspect(struct bo + if (bond_is_active_slave(slave) && + (!bond_time_in_interval(bond, trans_start, 2) || + !bond_time_in_interval(bond, last_rx, 2))) { +- slave->new_link = BOND_LINK_DOWN; ++ bond_propose_link_state(slave, BOND_LINK_DOWN); + commit++; + } + } +@@ -2806,7 +2805,7 @@ static void bond_ab_arp_commit(struct bo + struct slave *slave; + + bond_for_each_slave(bond, slave, iter) { +- switch (slave->new_link) { ++ switch (slave->link_new_state) { + case BOND_LINK_NOCHANGE: + continue; + +@@ -2858,8 +2857,9 @@ static void bond_ab_arp_commit(struct bo + continue; + + default: +- netdev_err(bond->dev, "impossible: new_link %d on slave %s\n", +- slave->new_link, slave->dev->name); ++ netdev_err(bond->dev, ++ "impossible: new_link %d on slave %s\n", ++ slave->link_new_state, slave->dev->name); + continue; + } + +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -149,7 +149,6 @@ struct slave { + unsigned long target_last_arp_rx[BOND_MAX_ARP_TARGETS]; + s8 link; /* one of BOND_LINK_XXXX */ + s8 link_new_state; /* one of BOND_LINK_XXXX */ +- s8 new_link; + u8 backup:1, /* indicates backup slave. Value corresponds with + BOND_STATE_ACTIVE and BOND_STATE_BACKUP */ + inactive:1, /* indicates inactive slave */ +@@ -523,7 +522,7 @@ static inline void bond_propose_link_sta + + static inline void bond_commit_link_state(struct slave *slave, bool notify) + { +- if (slave->link == slave->link_new_state) ++ if (slave->link_new_state == BOND_LINK_NOCHANGE) + return; + + slave->link = slave->link_new_state; diff --git a/patches.suse/bpf-Sync-bpf.h-to-tools-96871b9f.patch b/patches.suse/bpf-Sync-bpf.h-to-tools-96871b9f.patch index 9201e70..fbcb1ed 100644 --- a/patches.suse/bpf-Sync-bpf.h-to-tools-96871b9f.patch +++ b/patches.suse/bpf-Sync-bpf.h-to-tools-96871b9f.patch @@ -52,16 +52,16 @@ Acked-by: Thomas Bogendoerfer * Description * Emulate a call to **getsockopt()** on the socket associated to * *bpf_socket*, which must be a full socket. The *level* at -@@ -1588,7 +1588,7 @@ union bpf_attr { +@@ -1563,7 +1563,7 @@ union bpf_attr { * Return - * 0 + * 0 on success, or a negative error in case of failure. * - * int bpf_sock_ops_cb_flags_set(struct bpf_sock_ops_kern *bpf_sock, int argval) + * int bpf_sock_ops_cb_flags_set(struct bpf_sock_ops *bpf_sock, int argval) * Description * Attempt to set the value of the **bpf_sock_ops_cb_flags** field * for the full TCP socket associated to *bpf_sock_ops* to -@@ -1721,7 +1721,7 @@ union bpf_attr { +@@ -1696,7 +1696,7 @@ union bpf_attr { * Return * 0 on success, or a negative error in case of failure. * diff --git a/patches.suse/bpf-add-selftest-for-tcpbpf.patch b/patches.suse/bpf-add-selftest-for-tcpbpf.patch index ca79eca..44fad60 100644 --- a/patches.suse/bpf-add-selftest-for-tcpbpf.patch +++ b/patches.suse/bpf-add-selftest-for-tcpbpf.patch @@ -43,7 +43,7 @@ Acked-by: Thomas Bogendoerfer #define BPF_XADD 0xc0 /* exclusive add */ /* alu/jmp fields */ -@@ -634,6 +634,14 @@ union bpf_attr { +@@ -642,6 +642,14 @@ union bpf_attr { * @optlen: length of optval in bytes * Return: 0 or negative error * @@ -58,17 +58,17 @@ Acked-by: Thomas Bogendoerfer * int bpf_skb_adjust_room(skb, len_diff, mode, flags) * Grow or shrink room in sk_buff. * @skb: pointer to skb -@@ -740,7 +748,8 @@ union bpf_attr { +@@ -743,7 +751,8 @@ union bpf_attr { + FN(xdp_adjust_meta), \ FN(perf_event_read_value), \ FN(perf_prog_read_value), \ - FN(getsockopt), \ -- FN(override_return), -+ FN(override_return), \ +- FN(getsockopt), ++ FN(getsockopt), \ + FN(sock_ops_cb_flags_set), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call -@@ -944,8 +953,9 @@ struct bpf_map_info { +@@ -947,8 +956,9 @@ struct bpf_map_info { struct bpf_sock_ops { __u32 op; union { @@ -80,7 +80,7 @@ Acked-by: Thomas Bogendoerfer }; __u32 family; __u32 remote_ip4; /* Stored in network byte order */ -@@ -960,8 +970,39 @@ struct bpf_sock_ops { +@@ -963,8 +973,39 @@ struct bpf_sock_ops { */ __u32 snd_cwnd; __u32 srtt_us; /* Averaged RTT << 3 in usecs */ @@ -120,7 +120,7 @@ Acked-by: Thomas Bogendoerfer /* List of known BPF sock_ops operators. * New entries can only be added at the end */ -@@ -995,6 +1036,43 @@ enum { +@@ -998,6 +1039,43 @@ enum { * a congestion threshold. RTTs above * this indicate congestion */ diff --git a/patches.suse/bpf-offload-Unlock-on-error-in-bpf_offload_dev_creat.patch b/patches.suse/bpf-offload-Unlock-on-error-in-bpf_offload_dev_creat.patch new file mode 100644 index 0000000..e8c403a --- /dev/null +++ b/patches.suse/bpf-offload-Unlock-on-error-in-bpf_offload_dev_creat.patch @@ -0,0 +1,33 @@ +From: Dan Carpenter +Date: Mon, 4 Nov 2019 12:15:36 +0300 +Subject: bpf, offload: Unlock on error in bpf_offload_dev_create() +Patch-mainline: v5.4 +Git-commit: d0fbb51dfaa612f960519b798387be436e8f83c5 +References: bsc#1109837 + +We need to drop the bpf_devs_lock on error before returning. + +Fixes: 9fd7c5559165 ("bpf: offload: aggregate offloads per-device") +Signed-off-by: Dan Carpenter +Signed-off-by: Daniel Borkmann +Acked-by: Jakub Kicinski +Link: https://lore.kernel.org/bpf/20191104091536.GB31509@mwanda +Acked-by: Thomas Bogendoerfer +--- + kernel/bpf/offload.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/bpf/offload.c ++++ b/kernel/bpf/offload.c +@@ -663,8 +663,10 @@ struct bpf_offload_dev *bpf_offload_dev_ + down_write(&bpf_devs_lock); + if (!offdevs_inited) { + err = rhashtable_init(&offdevs, &offdevs_params); +- if (err) ++ if (err) { ++ up_write(&bpf_devs_lock); + return ERR_PTR(err); ++ } + offdevs_inited = true; + } + up_write(&bpf_devs_lock); diff --git a/patches.suse/bpf-selftest-additions-for-SOCKHASH.patch b/patches.suse/bpf-selftest-additions-for-SOCKHASH.patch index 2b3a96b..3ce7da2 100644 --- a/patches.suse/bpf-selftest-additions-for-SOCKHASH.patch +++ b/patches.suse/bpf-selftest-additions-for-SOCKHASH.patch @@ -38,7 +38,7 @@ Acked-by: Thomas Bogendoerfer }; enum bpf_prog_type { -@@ -1827,6 +1829,52 @@ union bpf_attr { +@@ -1802,6 +1804,52 @@ union bpf_attr { * Return * 0 on success, or a negative error in case of failure. * @@ -91,7 +91,7 @@ Acked-by: Thomas Bogendoerfer */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ -@@ -1897,7 +1945,10 @@ union bpf_attr { +@@ -1871,7 +1919,10 @@ union bpf_attr { FN(xdp_adjust_tail), \ FN(skb_get_xfrm_state), \ FN(get_stack), \ @@ -131,8 +131,8 @@ Acked-by: Thomas Bogendoerfer static int (*bpf_perf_event_read_value)(void *map, unsigned long long flags, void *buf, unsigned int buf_size) = (void *) BPF_FUNC_perf_event_read_value; -@@ -87,6 +92,9 @@ static int (*bpf_override_return)(void * - (void *) BPF_FUNC_override_return; +@@ -85,6 +90,9 @@ static int (*bpf_perf_prog_read_value)(v + (void *) BPF_FUNC_perf_prog_read_value; static int (*bpf_msg_redirect_map)(void *ctx, void *map, int key, int flags) = (void *) BPF_FUNC_msg_redirect_map; +static int (*bpf_msg_redirect_hash)(void *ctx, diff --git a/patches.suse/bpf-skmsg-fix-potential-psock-NULL-pointer-dereferen.patch b/patches.suse/bpf-skmsg-fix-potential-psock-NULL-pointer-dereferen.patch new file mode 100644 index 0000000..3485433 --- /dev/null +++ b/patches.suse/bpf-skmsg-fix-potential-psock-NULL-pointer-dereferen.patch @@ -0,0 +1,59 @@ +From: John Fastabend +Date: Thu, 21 Nov 2019 08:25:09 -0800 +Subject: bpf: skmsg, fix potential psock NULL pointer dereference +Patch-mainline: v5.5-rc1 +Git-commit: 8163999db445021f2651a8a47b5632483e8722ea +References: bsc#1109837 + +Report from Dan Carpenter, + + net/core/skmsg.c:792 sk_psock_write_space() + error: we previously assumed 'psock' could be null (see line 790) + + net/core/skmsg.c + 789 psock = sk_psock(sk); + 790 if (likely(psock && sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED))) + Check for NULL + 791 schedule_work(&psock->work); + 792 write_space = psock->saved_write_space; + ^^^^^^^^^^^^^^^^^^^^^^^^ + 793 rcu_read_unlock(); + 794 write_space(sk); + +Ensure psock dereference on line 792 only occurs if psock is not null. + +Reported-by: Dan Carpenter +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: John Fastabend +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + net/core/skmsg.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -757,15 +757,18 @@ static void sk_psock_strp_data_ready(str + static void sk_psock_write_space(struct sock *sk) + { + struct sk_psock *psock; +- void (*write_space)(struct sock *sk); ++ void (*write_space)(struct sock *sk) = NULL; + + rcu_read_lock(); + psock = sk_psock(sk); +- if (likely(psock && sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED))) +- schedule_work(&psock->work); +- write_space = psock->saved_write_space; ++ if (likely(psock)) { ++ if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)) ++ schedule_work(&psock->work); ++ write_space = psock->saved_write_space; ++ } + rcu_read_unlock(); +- write_space(sk); ++ if (write_space) ++ write_space(sk); + } + + int sk_psock_init_strp(struct sock *sk, struct sk_psock *psock) diff --git a/patches.suse/bpf-sockmap-add-sample-option-to-test-apply_bytes-he.patch b/patches.suse/bpf-sockmap-add-sample-option-to-test-apply_bytes-he.patch index 255a57e..81cabc7 100644 --- a/patches.suse/bpf-sockmap-add-sample-option-to-test-apply_bytes-he.patch +++ b/patches.suse/bpf-sockmap-add-sample-option-to-test-apply_bytes-he.patch @@ -24,8 +24,8 @@ Acked-by: Thomas Bogendoerfer --- samples/sockmap/sockmap_kern.c | 54 ++++++++++++++++++++++++++---- samples/sockmap/sockmap_user.c | 19 ++++++++++ - tools/testing/selftests/bpf/bpf_helpers.h | 3 + - 3 files changed, 68 insertions(+), 8 deletions(-) + tools/testing/selftests/bpf/bpf_helpers.h | 2 + + 3 files changed, 68 insertions(+), 7 deletions(-) --- a/samples/sockmap/sockmap_kern.c +++ b/samples/sockmap/sockmap_kern.c @@ -179,11 +179,10 @@ Acked-by: Thomas Bogendoerfer err = forever_ping_pong(rate, &options); --- a/tools/testing/selftests/bpf/bpf_helpers.h +++ b/tools/testing/selftests/bpf/bpf_helpers.h -@@ -87,7 +87,8 @@ static int (*bpf_override_return)(void * - (void *) BPF_FUNC_override_return; +@@ -85,6 +85,8 @@ static int (*bpf_perf_prog_read_value)(v + (void *) BPF_FUNC_perf_prog_read_value; static int (*bpf_msg_redirect_map)(void *ctx, void *map, int key, int flags) = (void *) BPF_FUNC_msg_redirect_map; -- +static int (*bpf_msg_apply_bytes)(void *ctx, int len) = + (void *) BPF_FUNC_msg_apply_bytes; diff --git a/patches.suse/bpf-sockmap-sample-add-option-to-attach-SK_MSG-progr.patch b/patches.suse/bpf-sockmap-sample-add-option-to-attach-SK_MSG-progr.patch index 7ca0b3d..97abd69 100644 --- a/patches.suse/bpf-sockmap-sample-add-option-to-attach-SK_MSG-progr.patch +++ b/patches.suse/bpf-sockmap-sample-add-option-to-attach-SK_MSG-progr.patch @@ -17,8 +17,8 @@ Acked-by: Thomas Bogendoerfer samples/sockmap/sockmap_user.c | 67 +++++++++++++++++++++++++++--- tools/include/uapi/linux/bpf.h | 13 +++++ tools/lib/bpf/libbpf.c | 1 - tools/testing/selftests/bpf/bpf_helpers.h | 3 + - 6 files changed, 135 insertions(+), 9 deletions(-) + tools/testing/selftests/bpf/bpf_helpers.h | 3 - + 6 files changed, 134 insertions(+), 10 deletions(-) --- a/samples/bpf/bpf_load.c +++ b/samples/bpf/bpf_load.c @@ -248,10 +248,10 @@ Acked-by: Thomas Bogendoerfer else if (test == SENDMSG) --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h -@@ -718,6 +718,15 @@ union bpf_attr { - * int bpf_override_return(pt_regs, rc) - * @pt_regs: pointer to struct pt_regs - * @rc: the return value to set +@@ -716,6 +716,15 @@ union bpf_attr { + * @buf: buf to fill + * @buf_size: size of the buf + * Return : 0 on success or negative error code + * + * int bpf_msg_redirect_map(map, key, flags) + * Redirect msg to a sock in map using key as a lookup key for the @@ -264,10 +264,10 @@ Acked-by: Thomas Bogendoerfer */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ -@@ -779,7 +788,9 @@ union bpf_attr { +@@ -776,7 +785,9 @@ union bpf_attr { + FN(perf_event_read_value), \ FN(perf_prog_read_value), \ FN(getsockopt), \ - FN(override_return), \ - FN(sock_ops_cb_flags_set), + FN(sock_ops_cb_flags_set), \ + FN(msg_redirect_map), \ @@ -287,13 +287,13 @@ Acked-by: Thomas Bogendoerfer --- a/tools/testing/selftests/bpf/bpf_helpers.h +++ b/tools/testing/selftests/bpf/bpf_helpers.h -@@ -85,6 +85,9 @@ static int (*bpf_perf_prog_read_value)(v +@@ -83,7 +83,8 @@ static int (*bpf_perf_event_read_value)( + static int (*bpf_perf_prog_read_value)(void *ctx, void *buf, + unsigned int buf_size) = (void *) BPF_FUNC_perf_prog_read_value; - static int (*bpf_override_return)(void *ctx, unsigned long rc) = - (void *) BPF_FUNC_override_return; +- +static int (*bpf_msg_redirect_map)(void *ctx, void *map, int key, int flags) = + (void *) BPF_FUNC_msg_redirect_map; -+ /* llvm builtin functions that eBPF C program may use to * emit BPF_LD_ABS and BPF_LD_IND instructions diff --git a/patches.suse/bpf-sockmap-sample-support-for-bpf_msg_cork_bytes.patch b/patches.suse/bpf-sockmap-sample-support-for-bpf_msg_cork_bytes.patch index c83012a..6271c1b 100644 --- a/patches.suse/bpf-sockmap-sample-support-for-bpf_msg_cork_bytes.patch +++ b/patches.suse/bpf-sockmap-sample-support-for-bpf_msg_cork_bytes.patch @@ -184,8 +184,8 @@ Acked-by: Thomas Bogendoerfer err = forever_ping_pong(rate, &options); --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h -@@ -790,7 +790,8 @@ union bpf_attr { - FN(override_return), \ +@@ -787,7 +787,8 @@ union bpf_attr { + FN(getsockopt), \ FN(sock_ops_cb_flags_set), \ FN(msg_redirect_map), \ - FN(msg_apply_bytes), @@ -196,7 +196,7 @@ Acked-by: Thomas Bogendoerfer * function eBPF program intends to call --- a/tools/testing/selftests/bpf/bpf_helpers.h +++ b/tools/testing/selftests/bpf/bpf_helpers.h -@@ -89,6 +89,8 @@ static int (*bpf_msg_redirect_map)(void +@@ -87,6 +87,8 @@ static int (*bpf_msg_redirect_map)(void (void *) BPF_FUNC_msg_redirect_map; static int (*bpf_msg_apply_bytes)(void *ctx, int len) = (void *) BPF_FUNC_msg_apply_bytes; diff --git a/patches.suse/bpf-update-bpf.h-uapi-header-for-tools-9cde0c88.patch b/patches.suse/bpf-update-bpf.h-uapi-header-for-tools-9cde0c88.patch index d2b1d98..3f929e5 100644 --- a/patches.suse/bpf-update-bpf.h-uapi-header-for-tools-9cde0c88.patch +++ b/patches.suse/bpf-update-bpf.h-uapi-header-for-tools-9cde0c88.patch @@ -13,12 +13,12 @@ Signed-off-by: Quentin Monnet Signed-off-by: Daniel Borkmann Acked-by: Thomas Bogendoerfer --- - tools/include/uapi/linux/bpf.h | 1774 +++++++++++++++++++++++++++++++---------- - 1 file changed, 1379 insertions(+), 395 deletions(-) + tools/include/uapi/linux/bpf.h | 1745 +++++++++++++++++++++++++++++++---------- + 1 file changed, 1354 insertions(+), 391 deletions(-) --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h -@@ -377,412 +377,1396 @@ union bpf_attr { +@@ -377,408 +377,1371 @@ union bpf_attr { }; } __attribute__((aligned(8))); @@ -1295,10 +1295,6 @@ Acked-by: Thomas Bogendoerfer - * @buf_size: size of the buf - * Return : 0 on success or negative error code - * -- * int bpf_override_return(pt_regs, rc) -- * @pt_regs: pointer to struct pt_regs -- * @rc: the return value to set -- * - * int bpf_msg_redirect_map(map, key, flags) - * Redirect msg to a sock in map using key as a lookup key for the - * sock in map. @@ -1603,31 +1599,6 @@ Acked-by: Thomas Bogendoerfer + * Return + * 0 on success, or a negative error in case of failure. + * -+ * int bpf_override_return(struct pt_reg *regs, u64 rc) -+ * Description -+ * Used for error injection, this helper uses kprobes to override -+ * the return value of the probed function, and to set it to *rc*. -+ * The first argument is the context *regs* on which the kprobe -+ * works. -+ * -+ * This helper works by setting setting the PC (program counter) -+ * to an override function which is run in place of the original -+ * probed function. This means the probed function is not run at -+ * all. The replacement function just returns with the required -+ * value. -+ * -+ * This helper has security implications, and thus is subject to -+ * restrictions. It is only available if the kernel was compiled -+ * with the **CONFIG_BPF_KPROBE_OVERRIDE** configuration -+ * option, and in this case it only works on functions tagged with -+ * **ALLOW_ERROR_INJECTION** in the kernel code. -+ * -+ * Also, the helper is only available for the architectures having -+ * the CONFIG_FUNCTION_ERROR_INJECTION option. As of this writing, -+ * x86 architecture is the only one to support this feature. -+ * Return -+ * 0 -+ * + * int bpf_sock_ops_cb_flags_set(struct bpf_sock_ops_kern *bpf_sock, int argval) + * Description + * Attempt to set the value of the **bpf_sock_ops_cb_flags** field diff --git a/patches.suse/btrfs-add-missing-extents-release-on-file-extent-clu.patch b/patches.suse/btrfs-add-missing-extents-release-on-file-extent-clu.patch new file mode 100644 index 0000000..e0f22c5 --- /dev/null +++ b/patches.suse/btrfs-add-missing-extents-release-on-file-extent-clu.patch @@ -0,0 +1,40 @@ +From: Filipe Manana +Date: Wed, 9 Oct 2019 17:43:45 +0100 +Git-commit: 44db1216efe37bf670f8d1019cdc41658d84baf5 +Patch-mainline: 5.4 +Subject: [PATCH] Btrfs: add missing extents release on file extent cluster + relocation error +References: bsc#1159483 + +If we error out when finding a page at relocate_file_extent_cluster(), we +need to release the outstanding extents counter on the relocation inode, +set by the previous call to btrfs_delalloc_reserve_metadata(), otherwise +the inode's block reserve size can never decrease to zero and metadata +space is leaked. Therefore add a call to btrfs_delalloc_release_extents() +in case we can't find the target page. + +Fixes: 8b62f87bad9c ("Btrfs: rework outstanding_extents") +CC: stable@vger.kernel.org # 4.19+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +--- + fs/btrfs/relocation.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 94651898c559..3d51064e3619 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -3320,6 +3320,8 @@ static int relocate_file_extent_cluster(struct inode *inode, + if (!page) { + btrfs_delalloc_release_metadata(BTRFS_I(inode), + PAGE_SIZE, true); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), ++ PAGE_SIZE, true); + ret = -ENOMEM; + goto out; + } +-- +2.16.4 + diff --git a/patches.suse/btrfs-rename-and-export-get_chunk_map.patch b/patches.suse/btrfs-rename-and-export-get_chunk_map.patch index d57143d..d104e11 100644 --- a/patches.suse/btrfs-rename-and-export-get_chunk_map.patch +++ b/patches.suse/btrfs-rename-and-export-get_chunk_map.patch @@ -102,7 +102,7 @@ Acked-by: Nikolay Borisov @@ -5906,7 +5913,7 @@ static int __btrfs_map_block(struct btrf return __btrfs_map_block_for_discard(fs_info, logical, - *length, bbio_ret); + length, bbio_ret); - em = get_chunk_map(fs_info, logical, *length); + em = btrfs_get_chunk_map(fs_info, logical, *length); diff --git a/patches.suse/btrfs-simplify-inode-locking-for-RWF_NOWAIT.patch b/patches.suse/btrfs-simplify-inode-locking-for-RWF_NOWAIT.patch new file mode 100644 index 0000000..171b221 --- /dev/null +++ b/patches.suse/btrfs-simplify-inode-locking-for-RWF_NOWAIT.patch @@ -0,0 +1,39 @@ +From 9cf35f673583ccc9f3e2507498b3079d56614ad3 Mon Sep 17 00:00:00 2001 +From: Goldwyn Rodrigues +Date: Wed Sep 11 11:45:15 2019 -0500 +Subject: [PATCH] btrfs: simplify inode locking for RWF_NOWAIT +Git-commit: 9cf35f673583ccc9f3e2507498b3079d56614ad3 +References: git-fixes +Patch-mainline: v5.5-rc1 + +This is similar to 942491c9e6d6 ("xfs: fix AIM7 regression"). Apparently +our current rwsem code doesn't like doing the trylock, then lock for +real scheme. This causes extra contention on the lock and can be +measured eg. by AIM7 benchmark. So change our read/write methods to +just do the trylock for the RWF_NOWAIT case. + +Fixes: edf064e7c6fe ("btrfs: nowait aio support") +Signed-off-by: Goldwyn Rodrigues +Reviewed-by: David Sterba +[ update changelog ] +Signed-off-by: David Sterba + +--- + fs/btrfs/file.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -1899,9 +1899,10 @@ + loff_t oldsize; + int clean_page = 0; + +- if (!inode_trylock(inode)) { +- if (iocb->ki_flags & IOCB_NOWAIT) ++ if (iocb->ki_flags & IOCB_NOWAIT) { ++ if (!inode_trylock(inode)) + return -EAGAIN; ++ } else { + inode_lock(inode); + } + diff --git a/patches.suse/can-slcan-Fix-use-after-free-Read-in-slcan_open.patch b/patches.suse/can-slcan-Fix-use-after-free-Read-in-slcan_open.patch new file mode 100644 index 0000000..37fcca2 --- /dev/null +++ b/patches.suse/can-slcan-Fix-use-after-free-Read-in-slcan_open.patch @@ -0,0 +1,69 @@ +From 9ebd796e24008f33f06ebea5a5e6aceb68b51794 Mon Sep 17 00:00:00 2001 +From: Jouni Hogander +Date: Wed, 27 Nov 2019 08:40:26 +0200 +Subject: [PATCH] can: slcan: Fix use-after-free Read in slcan_open +Git-commit: 9ebd796e24008f33f06ebea5a5e6aceb68b51794 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +Slcan_open doesn't clean-up device which registration failed from the +slcan_devs device list. On next open this list is iterated and freed +device is accessed. Fix this by calling slc_free_netdev in error path. + +Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was +identified in slip_open by syzboz. Same bug is in slcan.c. Here is the +trace from the Syzbot slip report: + +__dump_stack lib/dump_stack.c:77 [inline] +dump_stack+0x197/0x210 lib/dump_stack.c:118 +print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 +__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 +kasan_report+0x12/0x20 mm/kasan/common.c:634 +__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 +sl_sync drivers/net/slip/slip.c:725 [inline] +slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801 +tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469 +tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596 +tiocsetd drivers/tty/tty_io.c:2334 [inline] +tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594 +vfs_ioctl fs/ioctl.c:46 [inline] +file_ioctl fs/ioctl.c:509 [inline] +do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696 +ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 +__do_sys_ioctl fs/ioctl.c:720 [inline] +__se_sys_ioctl fs/ioctl.c:718 [inline] +__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 +do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 +entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path") +Cc: Wolfgang Grandegger +Cc: Marc Kleine-Budde +Cc: David Miller +Cc: Oliver Hartkopp +Cc: Lukas Bulwahn +Signed-off-by: Jouni Hogander +Cc: linux-stable # >= v5.4 +Acked-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Acked-by: Takashi Iwai + +--- + drivers/net/can/slcan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c +index 0a9f42e5fedf..2e57122f02fb 100644 +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -617,6 +617,7 @@ static int slcan_open(struct tty_struct *tty) + sl->tty = NULL; + tty->disc_data = NULL; + clear_bit(SLF_INUSE, &sl->flags); ++ slc_free_netdev(sl->dev); + free_netdev(sl->dev); + + err_exit: +-- +2.16.4 + diff --git a/patches.suse/configfs_register_group-shouldn-t-be-and-isn-t-calle.patch b/patches.suse/configfs_register_group-shouldn-t-be-and-isn-t-calle.patch new file mode 100644 index 0000000..64181ee --- /dev/null +++ b/patches.suse/configfs_register_group-shouldn-t-be-and-isn-t-calle.patch @@ -0,0 +1,55 @@ +From f19e4ed1e1edbfa3c9ccb9fed17759b7d6db24c6 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 29 Aug 2019 23:13:30 -0400 +Subject: [PATCH] configfs_register_group() shouldn't be (and isn't) called in rmdirable parts +Git-commit: f19e4ed1e1edbfa3c9ccb9fed17759b7d6db24c6 +Patch-mainline: v5.3-rc8 +References: bsc#1051510 + +revert cc57c07343bd "configfs: fix registered group removal" +It was an attempt to handle something that fundamentally doesn't +work - configfs_register_group() should never be done in a part +of tree that can be rmdir'ed. And in mainline it never had been, +so let's not borrow trouble; the fix was racy anyway, it would take +a lot more to make that work and desired semantics is not clear. + +Signed-off-by: Al Viro +Signed-off-by: Christoph Hellwig +Acked-by: Takashi Iwai + +--- + fs/configfs/dir.c | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c +index 92112915de8e..21a795679e20 100644 +--- a/fs/configfs/dir.c ++++ b/fs/configfs/dir.c +@@ -1771,16 +1771,6 @@ void configfs_unregister_group(struct config_group *group) + struct dentry *dentry = group->cg_item.ci_dentry; + struct dentry *parent = group->cg_item.ci_parent->ci_dentry; + +- mutex_lock(&subsys->su_mutex); +- if (!group->cg_item.ci_parent->ci_group) { +- /* +- * The parent has already been unlinked and detached +- * due to a rmdir. +- */ +- goto unlink_group; +- } +- mutex_unlock(&subsys->su_mutex); +- + inode_lock_nested(d_inode(parent), I_MUTEX_PARENT); + spin_lock(&configfs_dirent_lock); + configfs_detach_prep(dentry, NULL); +@@ -1796,7 +1786,6 @@ void configfs_unregister_group(struct config_group *group) + dput(dentry); + + mutex_lock(&subsys->su_mutex); +-unlink_group: + unlink_group(group); + mutex_unlock(&subsys->su_mutex); + } +-- +2.16.4 + diff --git a/patches.suse/crypto-ccp-fix-uninitialized-list-head.patch b/patches.suse/crypto-ccp-fix-uninitialized-list-head.patch new file mode 100644 index 0000000..756de79 --- /dev/null +++ b/patches.suse/crypto-ccp-fix-uninitialized-list-head.patch @@ -0,0 +1,91 @@ +From 691505a803a7f223b2af621848d581259c61f77d Mon Sep 17 00:00:00 2001 +From: Mark Salter +Date: Mon, 21 Oct 2019 11:29:49 -0400 +Subject: [PATCH] crypto: ccp - fix uninitialized list head +Git-commit: 691505a803a7f223b2af621848d581259c61f77d +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +A NULL-pointer dereference was reported in fedora bz#1762199 while +reshaping a raid6 array after adding a fifth drive to an existing +array. + +[ 47.343549] md/raid:md0: raid level 6 active with 3 out of 5 devices, algorithm 2 +[ 47.804017] md0: detected capacity change from 0 to 7885289422848 +[ 47.822083] Unable to handle kernel read from unreadable memory at virtual address 0000000000000000 +... +[ 47.940477] CPU: 1 PID: 14210 Comm: md0_raid6 Tainted: G W 5.2.18-200.fc30.aarch64 #1 +[ 47.949594] Hardware name: AMD Overdrive/Supercharger/To be filled by O.E.M., BIOS ROD1002C 04/08/2016 +[ 47.958886] pstate: 00400085 (nzcv daIf +PAN -UAO) +[ 47.963668] pc : __list_del_entry_valid+0x2c/0xa8 +[ 47.968366] lr : ccp_tx_submit+0x84/0x168 [ccp] +[ 47.972882] sp : ffff00001369b970 +[ 47.976184] x29: ffff00001369b970 x28: ffff00001369bdb8 +[ 47.981483] x27: 00000000ffffffff x26: ffff8003b758af70 +[ 47.986782] x25: ffff8003b758b2d8 x24: ffff8003e6245818 +[ 47.992080] x23: 0000000000000000 x22: ffff8003e62450c0 +[ 47.997379] x21: ffff8003dfd6add8 x20: 0000000000000003 +[ 48.002678] x19: ffff8003e6245100 x18: 0000000000000000 +[ 48.007976] x17: 0000000000000000 x16: 0000000000000000 +[ 48.013274] x15: 0000000000000000 x14: 0000000000000000 +[ 48.018572] x13: ffff7e000ef83a00 x12: 0000000000000001 +[ 48.023870] x11: ffff000010eff998 x10: 00000000000019a0 +[ 48.029169] x9 : 0000000000000000 x8 : ffff8003e6245180 +[ 48.034467] x7 : 0000000000000000 x6 : 000000000000003f +[ 48.039766] x5 : 0000000000000040 x4 : ffff8003e0145080 +[ 48.045064] x3 : dead000000000200 x2 : 0000000000000000 +[ 48.050362] x1 : 0000000000000000 x0 : ffff8003e62450c0 +[ 48.055660] Call trace: +[ 48.058095] __list_del_entry_valid+0x2c/0xa8 +[ 48.062442] ccp_tx_submit+0x84/0x168 [ccp] +[ 48.066615] async_tx_submit+0x224/0x368 [async_tx] +[ 48.071480] async_trigger_callback+0x68/0xfc [async_tx] +[ 48.076784] ops_run_biofill+0x178/0x1e8 [raid456] +[ 48.081566] raid_run_ops+0x248/0x818 [raid456] +[ 48.086086] handle_stripe+0x864/0x1208 [raid456] +[ 48.090781] handle_active_stripes.isra.0+0xb0/0x278 [raid456] +[ 48.096604] raid5d+0x378/0x618 [raid456] +[ 48.100602] md_thread+0xa0/0x150 +[ 48.103905] kthread+0x104/0x130 +[ 48.107122] ret_from_fork+0x10/0x18 +[ 48.110686] Code: d2804003 f2fbd5a3 eb03003f 54000320 (f9400021) +[ 48.116766] ---[ end trace 23f390a527f7ad77 ]--- + +ccp_tx_submit is passed a dma_async_tx_descriptor which is contained in +a ccp_dma_desc and adds it to a ccp channel's pending list: + + list_del(&desc->entry); + list_add_tail(&desc->entry, &chan->pending); + +The problem is that desc->entry may be uninitialized in the +async_trigger_callback path where the descriptor was gotten +from ccp_prep_dma_interrupt which got it from ccp_alloc_dma_desc +which doesn't initialize the desc->entry list head. So, just +initialize the list head to avoid the problem. + +Cc: +Reported-by: Sahaj Sarup +Signed-off-by: Mark Salter +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Acked-by: Takashi Iwai + +--- + drivers/crypto/ccp/ccp-dmaengine.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/ccp/ccp-dmaengine.c b/drivers/crypto/ccp/ccp-dmaengine.c +index a54f9367a580..0770a83bf1a5 100644 +--- a/drivers/crypto/ccp/ccp-dmaengine.c ++++ b/drivers/crypto/ccp/ccp-dmaengine.c +@@ -342,6 +342,7 @@ static struct ccp_dma_desc *ccp_alloc_dma_desc(struct ccp_dma_chan *chan, + desc->tx_desc.flags = flags; + desc->tx_desc.tx_submit = ccp_tx_submit; + desc->ccp = chan->ccp; ++ INIT_LIST_HEAD(&desc->entry); + INIT_LIST_HEAD(&desc->pending); + INIT_LIST_HEAD(&desc->active); + desc->status = DMA_IN_PROGRESS; +-- +2.16.4 + diff --git a/patches.suse/crypto-ccp-release-all-allocated-memory-if-sha-type-is-invalid.patch b/patches.suse/crypto-ccp-release-all-allocated-memory-if-sha-type-is-invalid.patch new file mode 100644 index 0000000..cf148cb --- /dev/null +++ b/patches.suse/crypto-ccp-release-all-allocated-memory-if-sha-type-is-invalid.patch @@ -0,0 +1,37 @@ +From: Navid Emamdoost +Date: Thu, 19 Sep 2019 11:04:48 -0500 +Subject: crypto: ccp - Release all allocated memory if sha type is invalid +Git-commit: 128c66429247add5128c03dc1e144ca56f05a4e2 +Patch-mainline: v5.5-rc1 +References: bsc#1156259 CVE-2019-18808 + +Release all allocated memory if sha type is invalid: +In ccp_run_sha_cmd, if the type of sha is invalid, the allocated +hmac_buf should be released. + +v2: fix the goto. + +Signed-off-by: Navid Emamdoost +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Acked-by: Borislav Petkov +--- + drivers/crypto/ccp/ccp-ops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c +index c8da8eb160da..422193690fd4 100644 +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -1777,8 +1777,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) + LSB_ITEM_SIZE); + break; + default: ++ kfree(hmac_buf); + ret = -EINVAL; +- goto e_ctx; ++ goto e_data; + } + + memset(&hmac_cmd, 0, sizeof(hmac_cmd)); + diff --git a/patches.suse/crypto-dh-add-public-key-verification-test.patch b/patches.suse/crypto-dh-add-public-key-verification-test.patch new file mode 100644 index 0000000..1983b7d --- /dev/null +++ b/patches.suse/crypto-dh-add-public-key-verification-test.patch @@ -0,0 +1,220 @@ +Git-commit: e3fe0ae129622b78e710e75ecbf7aca7af5dda47 +From: Stephan Mueller +Date: Wed, 27 Jun 2018 08:15:31 +0200 +Subject: [PATCH] crypto: dh - add public key verification test +Patch-mainline: v4.19-rc1 +References: bsc#1155331 + +According to SP800-56A section 5.6.2.1, the public key to be processed +for the DH operation shall be checked for appropriateness. The check +shall covers the full verification test in case the domain parameter Q +is provided as defined in SP800-56A section 5.6.2.3.1. If Q is not +provided, the partial check according to SP800-56A section 5.6.2.3.2 is +performed. + +The full verification test requires the presence of the domain parameter +Q. Thus, the patch adds the support to handle Q. It is permissible to +not provide the Q value as part of the domain parameters. This implies +that the interface is still backwards-compatible where so far only P and +G are to be provided. However, if Q is provided, it is imported. + +Without the test, the NIST ACVP testing fails. After adding this check, +the NIST ACVP testing passes. Testing without providing the Q domain +parameter has been performed to verify the interface has not changed. + +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Torsten Duwe +--- + crypto/dh.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++--- + crypto/dh_helper.c | 15 +++++++++--- + include/crypto/dh.h | 4 ++++ + 3 files changed, 79 insertions(+), 6 deletions(-) + +--- a/crypto/dh.c ++++ b/crypto/dh.c +@@ -16,14 +16,16 @@ + #include + + struct dh_ctx { +- MPI p; +- MPI g; +- MPI xa; ++ MPI p; /* Value is guaranteed to be set. */ ++ MPI q; /* Value is optional. */ ++ MPI g; /* Value is guaranteed to be set. */ ++ MPI xa; /* Value is guaranteed to be set. */ + }; + + static void dh_clear_ctx(struct dh_ctx *ctx) + { + mpi_free(ctx->p); ++ mpi_free(ctx->q); + mpi_free(ctx->g); + mpi_free(ctx->xa); + memset(ctx, 0, sizeof(*ctx)); +@@ -63,6 +65,12 @@ static int dh_set_params(struct dh_ctx * + if (!ctx->p) + return -EINVAL; + ++ if (params->q && params->q_size) { ++ ctx->q = mpi_read_raw_data(params->q, params->q_size); ++ if (!ctx->q) ++ return -EINVAL; ++ } ++ + ctx->g = mpi_read_raw_data(params->g, params->g_size); + if (!ctx->g) + return -EINVAL; +@@ -96,6 +104,55 @@ err_clear_ctx: + return -EINVAL; + } + ++/* ++ * SP800-56A public key verification: ++ * ++ * * If Q is provided as part of the domain paramenters, a full validation ++ * according to SP800-56A section 5.6.2.3.1 is performed. ++ * ++ * * If Q is not provided, a partial validation according to SP800-56A section ++ * 5.6.2.3.2 is performed. ++ */ ++static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y) ++{ ++ if (unlikely(!ctx->p)) ++ return -EINVAL; ++ ++ /* ++ * Step 1: Verify that 2 <= y <= p - 2. ++ * ++ * The upper limit check is actually y < p instead of y < p - 1 ++ * as the mpi_sub_ui function is yet missing. ++ */ ++ if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0) ++ return -EINVAL; ++ ++ /* Step 2: Verify that 1 = y^q mod p */ ++ if (ctx->q) { ++ MPI val = mpi_alloc(0); ++ int ret; ++ ++ if (!val) ++ return -ENOMEM; ++ ++ ret = mpi_powm(val, y, ctx->q, ctx->p); ++ ++ if (ret) { ++ mpi_free(val); ++ return ret; ++ } ++ ++ ret = mpi_cmp_ui(val, 1); ++ ++ mpi_free(val); ++ ++ if (ret != 0) ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static int dh_compute_value(struct kpp_request *req) + { + struct crypto_kpp *tfm = crypto_kpp_reqtfm(req); +@@ -118,6 +175,9 @@ static int dh_compute_value(struct kpp_r + ret = -EINVAL; + goto err_free_val; + } ++ ret = dh_is_pubkey_valid(ctx, base); ++ if (ret) ++ goto err_free_val; + } else { + base = ctx->g; + } +--- a/crypto/dh_helper.c ++++ b/crypto/dh_helper.c +@@ -30,7 +30,7 @@ static inline const u8 *dh_unpack_data(v + + static inline int dh_data_size(const struct dh *p) + { +- return p->key_size + p->p_size + p->g_size; ++ return p->key_size + p->p_size + p->q_size + p->g_size; + } + + int crypto_dh_key_len(const struct dh *p) +@@ -56,9 +56,11 @@ int crypto_dh_encode_key(char *buf, unsi + ptr = dh_pack_data(ptr, &secret, sizeof(secret)); + ptr = dh_pack_data(ptr, ¶ms->key_size, sizeof(params->key_size)); + ptr = dh_pack_data(ptr, ¶ms->p_size, sizeof(params->p_size)); ++ ptr = dh_pack_data(ptr, ¶ms->q_size, sizeof(params->q_size)); + ptr = dh_pack_data(ptr, ¶ms->g_size, sizeof(params->g_size)); + ptr = dh_pack_data(ptr, params->key, params->key_size); + ptr = dh_pack_data(ptr, params->p, params->p_size); ++ ptr = dh_pack_data(ptr, params->q, params->q_size); + dh_pack_data(ptr, params->g, params->g_size); + + return 0; +@@ -79,6 +81,7 @@ int crypto_dh_decode_key(const char *buf + + ptr = dh_unpack_data(¶ms->key_size, ptr, sizeof(params->key_size)); + ptr = dh_unpack_data(¶ms->p_size, ptr, sizeof(params->p_size)); ++ ptr = dh_unpack_data(¶ms->q_size, ptr, sizeof(params->q_size)); + ptr = dh_unpack_data(¶ms->g_size, ptr, sizeof(params->g_size)); + if (secret.len != crypto_dh_key_len(params)) + return -EINVAL; +@@ -88,7 +91,7 @@ int crypto_dh_decode_key(const char *buf + * some drivers assume otherwise. + */ + if (params->key_size > params->p_size || +- params->g_size > params->p_size) ++ params->g_size > params->p_size || params->q_size > params->p_size) + return -EINVAL; + + /* Don't allocate memory. Set pointers to data within +@@ -96,7 +99,9 @@ int crypto_dh_decode_key(const char *buf + */ + params->key = (void *)ptr; + params->p = (void *)(ptr + params->key_size); +- params->g = (void *)(ptr + params->key_size + params->p_size); ++ params->q = (void *)(ptr + params->key_size + params->p_size); ++ params->g = (void *)(ptr + params->key_size + params->p_size + ++ params->q_size); + + /* + * Don't permit 'p' to be 0. It's not a prime number, and it's subject +@@ -106,6 +111,10 @@ int crypto_dh_decode_key(const char *buf + if (memchr_inv(params->p, 0, params->p_size) == NULL) + return -EINVAL; + ++ /* It is permissible to not provide Q. */ ++ if (params->q_size == 0) ++ params->q = NULL; ++ + return 0; + } + EXPORT_SYMBOL_GPL(crypto_dh_decode_key); +--- a/include/crypto/dh.h ++++ b/include/crypto/dh.h +@@ -29,17 +29,21 @@ + * + * @key: Private DH key + * @p: Diffie-Hellman parameter P ++ * @q: Diffie-Hellman parameter Q + * @g: Diffie-Hellman generator G + * @key_size: Size of the private DH key + * @p_size: Size of DH parameter P ++ * @q_size: Size of DH parameter Q + * @g_size: Size of DH generator G + */ + struct dh { + void *key; + void *p; ++ void *q; + void *g; + unsigned int key_size; + unsigned int p_size; ++ unsigned int q_size; + unsigned int g_size; + }; + diff --git a/patches.suse/crypto-dh-fix-calculating-encoded-key-size.patch b/patches.suse/crypto-dh-fix-calculating-encoded-key-size.patch new file mode 100644 index 0000000..274b9e2 --- /dev/null +++ b/patches.suse/crypto-dh-fix-calculating-encoded-key-size.patch @@ -0,0 +1,84 @@ +From: Eric Biggers +Subject: crypto: dh - fix calculating encoded key size +Git-commit: 35f7d5225ffcbf1b759f641aec1735e3a89b1914 +Patch-mainline: v4.19-rc1 +References: bsc#1155331 + + crypto: dh - fix calculating encoded key size + + It was forgotten to increase DH_KPP_SECRET_MIN_SIZE to include 'q_size', + causing an out-of-bounds write of 4 bytes in crypto_dh_encode_key(), and + an out-of-bounds read of 4 bytes in crypto_dh_decode_key(). Fix it, and + fix the lengths of the test vectors to match this. + +Reported-by: syzbot+6d38d558c25b53b8f4ed@syzkaller.appspotmail.com +Fixes: e3fe0ae12962 ("crypto: dh - add public key verification test") +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Acked-by: Torsten Duwe + +--- a/crypto/dh_helper.c ++++ b/crypto/dh_helper.c +@@ -14,7 +14,7 @@ + #include + #include + +-#define DH_KPP_SECRET_MIN_SIZE (sizeof(struct kpp_secret) + 3 * sizeof(int)) ++#define DH_KPP_SECRET_MIN_SIZE (sizeof(struct kpp_secret) + 4 * sizeof(int)) + + static inline u8 *dh_pack_data(void *dst, const void *src, size_t size) + { +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -543,14 +543,14 @@ static const struct kpp_testvec dh_tv_te + .secret = + #ifdef __LITTLE_ENDIAN + "\x01\x00" /* type */ +- "\x11\x02" /* len */ ++ "\x15\x02" /* len */ + "\x00\x01\x00\x00" /* key_size */ + "\x00\x01\x00\x00" /* p_size */ + "\x00\x00\x00\x00" /* q_size */ + "\x01\x00\x00\x00" /* g_size */ + #else + "\x00\x01" /* type */ +- "\x02\x11" /* len */ ++ "\x02\x15" /* len */ + "\x00\x00\x01\x00" /* key_size */ + "\x00\x00\x01\x00" /* p_size */ + "\x00\x00\x00\x00" /* q_size */ +@@ -643,7 +643,7 @@ static const struct kpp_testvec dh_tv_te + "\xd3\x34\x49\xad\x64\xa6\xb1\xc0\x59\x28\x75\x60\xa7\x8a\xb0\x11" + "\x56\x89\x42\x74\x11\xf5\xf6\x5e\x6f\x16\x54\x6a\xb1\x76\x4d\x50" + "\x8a\x68\xc1\x5b\x82\xb9\x0d\x00\x32\x50\xed\x88\x87\x48\x92\x17", +- .secret_size = 529, ++ .secret_size = 533, + .b_public_size = 256, + .expected_a_public_size = 256, + .expected_ss_size = 256, +@@ -652,14 +652,14 @@ static const struct kpp_testvec dh_tv_te + .secret = + #ifdef __LITTLE_ENDIAN + "\x01\x00" /* type */ +- "\x11\x02" /* len */ ++ "\x15\x02" /* len */ + "\x00\x01\x00\x00" /* key_size */ + "\x00\x01\x00\x00" /* p_size */ + "\x00\x00\x00\x00" /* q_size */ + "\x01\x00\x00\x00" /* g_size */ + #else + "\x00\x01" /* type */ +- "\x02\x11" /* len */ ++ "\x02\x15" /* len */ + "\x00\x00\x01\x00" /* key_size */ + "\x00\x00\x01\x00" /* p_size */ + "\x00\x00\x00\x00" /* q_size */ +@@ -752,7 +752,7 @@ static const struct kpp_testvec dh_tv_te + "\x5e\x5a\x64\xbd\xf6\x85\x04\xe8\x28\x6a\xac\xef\xce\x19\x8e\x9a" + "\xfe\x75\xc0\x27\x69\xe3\xb3\x7b\x21\xa7\xb1\x16\xa4\x85\x23\xee" + "\xb0\x1b\x04\x6e\xbd\xab\x16\xde\xfd\x86\x6b\xa9\x95\xd7\x0b\xfd", +- .secret_size = 529, ++ .secret_size = 533, + .b_public_size = 256, + .expected_a_public_size = 256, + .expected_ss_size = 256, diff --git a/patches.suse/crypto-dh-fix-memory-leak.patch b/patches.suse/crypto-dh-fix-memory-leak.patch new file mode 100644 index 0000000..91b4af2 --- /dev/null +++ b/patches.suse/crypto-dh-fix-memory-leak.patch @@ -0,0 +1,32 @@ +From: Gustavo A. R. Silva +Subject: crypto: dh - fix memory leak +Git-commit: 3fd8093b41e745448ffeb0a0d3becc2cd1f9d7ad +Patch-mainline: v4.19-rc1 +References: bsc#1155331 + + + crypto: dh - fix memory leak + + In case memory resources for *base* were allocated, release them + before return. + +Addresses-Coverity-ID: 1471702 ("Resource leak") +Fixes: e3fe0ae12962 ("crypto: dh - add public key verification test") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Stephan Müller +Signed-off-by: Herbert Xu +Acked-by: Torsten Duwe + +diff --git a/crypto/dh.c b/crypto/dh.c +index 8f79269db2b7..09a44de4209d 100644 +--- a/crypto/dh.c ++++ b/crypto/dh.c +@@ -174,7 +174,7 @@ static int dh_compute_value(struct kpp_request *req) + } + ret = dh_is_pubkey_valid(ctx, base); + if (ret) +- goto err_free_val; ++ goto err_free_base; + } else { + base = ctx->g; + } diff --git a/patches.suse/crypto-dh-update-test-for-public-key-verification.patch b/patches.suse/crypto-dh-update-test-for-public-key-verification.patch new file mode 100644 index 0000000..aaea74a --- /dev/null +++ b/patches.suse/crypto-dh-update-test-for-public-key-verification.patch @@ -0,0 +1,48 @@ +From: Stephan Mueller +Subject: crypto: dh - update test for public key verification +Git-commit: c98fae5e29fad0a4990e20b14bf0a4526518c4ed +Patch-mainline: v4.19-rc1 +References: bsc#1155331 + + crypto: dh - update test for public key verification + + By adding a zero byte-length for the DH parameter Q value, the public + key verification test is disabled for the given test. + +Reported-by: Eric Biggers +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Acked-by: Torsten Duwe + +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -546,12 +546,14 @@ static const struct kpp_testvec dh_tv_te + "\x11\x02" /* len */ + "\x00\x01\x00\x00" /* key_size */ + "\x00\x01\x00\x00" /* p_size */ ++ "\x00\x00\x00\x00" /* q_size */ + "\x01\x00\x00\x00" /* g_size */ + #else + "\x00\x01" /* type */ + "\x02\x11" /* len */ + "\x00\x00\x01\x00" /* key_size */ + "\x00\x00\x01\x00" /* p_size */ ++ "\x00\x00\x00\x00" /* q_size */ + "\x00\x00\x00\x01" /* g_size */ + #endif + /* xa */ +@@ -653,12 +655,14 @@ static const struct kpp_testvec dh_tv_te + "\x11\x02" /* len */ + "\x00\x01\x00\x00" /* key_size */ + "\x00\x01\x00\x00" /* p_size */ ++ "\x00\x00\x00\x00" /* q_size */ + "\x01\x00\x00\x00" /* g_size */ + #else + "\x00\x01" /* type */ + "\x02\x11" /* len */ + "\x00\x00\x01\x00" /* key_size */ + "\x00\x00\x01\x00" /* p_size */ ++ "\x00\x00\x00\x00" /* q_size */ + "\x00\x00\x00\x01" /* g_size */ + #endif + /* xa */ diff --git a/patches.suse/crypto-ecdh-add-public-key-verification-test.patch b/patches.suse/crypto-ecdh-add-public-key-verification-test.patch new file mode 100644 index 0000000..1678d4a --- /dev/null +++ b/patches.suse/crypto-ecdh-add-public-key-verification-test.patch @@ -0,0 +1,155 @@ +Git-commit: ea169a30a6bf6782a05a51d2b9cf73db151eab8b +From: Stephan Mueller +Date: Mon, 25 Jun 2018 12:00:18 +0200 +Subject: [PATCH] crypto: ecdh - add public key verification test +Patch-mainline: v4.19-rc1 +References: bsc#1155331 + +According to SP800-56A section 5.6.2.1, the public key to be processed +for the ECDH operation shall be checked for appropriateness. When the +public key is considered to be an ephemeral key, the partial validation +test as defined in SP800-56A section 5.6.2.3.4 can be applied. + +The partial verification test requires the presence of the field +elements of a and b. For the implemented NIST curves, b is defined in +FIPS 186-4 appendix D.1.2. The element a is implicitly given with the +Weierstrass equation given in D.1.2 where a = p - 3. + +Without the test, the NIST ACVP testing fails. After adding this check, +the NIST ACVP testing passes. + +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Torsten Duwe +--- + crypto/ecc.c | 42 ++++++++++++++++++++++++++++++++++++++---- + crypto/ecc_curve_defs.h | 22 ++++++++++++++++++---- + 2 files changed, 56 insertions(+), 8 deletions(-) + +--- a/crypto/ecc.c ++++ b/crypto/ecc.c +@@ -966,6 +966,36 @@ out: + return ret; + } + ++/* SP800-56A section 5.6.2.3.4 partial verification: ephemeral keys only */ ++static int ecc_is_pubkey_valid_partial(const struct ecc_curve *curve, ++ struct ecc_point *pk) ++{ ++ u64 yy[ECC_MAX_DIGITS], xxx[ECC_MAX_DIGITS], w[ECC_MAX_DIGITS]; ++ ++ /* Check 1: Verify key is not the zero point. */ ++ if (ecc_point_is_zero(pk)) ++ return -EINVAL; ++ ++ /* Check 2: Verify key is in the range [1, p-1]. */ ++ if (vli_cmp(curve->p, pk->x, pk->ndigits) != 1) ++ return -EINVAL; ++ if (vli_cmp(curve->p, pk->y, pk->ndigits) != 1) ++ return -EINVAL; ++ ++ /* Check 3: Verify that y^2 == (x^3 + a·x + b) mod p */ ++ vli_mod_square_fast(yy, pk->y, curve->p, pk->ndigits); /* y^2 */ ++ vli_mod_square_fast(xxx, pk->x, curve->p, pk->ndigits); /* x^2 */ ++ vli_mod_mult_fast(xxx, xxx, pk->x, curve->p, pk->ndigits); /* x^3 */ ++ vli_mod_mult_fast(w, curve->a, pk->x, curve->p, pk->ndigits); /* a·x */ ++ vli_mod_add(w, w, curve->b, curve->p, pk->ndigits); /* a·x + b */ ++ vli_mod_add(w, w, xxx, curve->p, pk->ndigits); /* x^3 + a·x + b */ ++ if (vli_cmp(yy, w, pk->ndigits) != 0) /* Equation */ ++ return -EINVAL; ++ ++ return 0; ++ ++} ++ + int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, + const u8 *private_key, unsigned int private_key_len, + const u8 *public_key, unsigned int public_key_len, +@@ -993,16 +1023,20 @@ int crypto_ecdh_shared_secret(unsigned i + goto out; + } + ++ ecc_swap_digits((const u64 *)public_key, pk->x, ndigits); ++ ecc_swap_digits((const u64 *)&public_key[nbytes], pk->y, ndigits); ++ ret = ecc_is_pubkey_valid_partial(curve, pk); ++ if (ret) ++ goto err_alloc_product; ++ ++ ecc_swap_digits((const u64 *)private_key, priv, ndigits); ++ + product = ecc_alloc_point(ndigits); + if (!product) { + ret = -ENOMEM; + goto err_alloc_product; + } + +- ecc_swap_digits((const u64 *)public_key, pk->x, ndigits); +- ecc_swap_digits((const u64 *)&public_key[nbytes], pk->y, ndigits); +- ecc_swap_digits((const u64 *)private_key, priv, ndigits); +- + ecc_point_mult(product, pk, priv, rand_z, curve->p, ndigits); + + ecc_swap_digits(product->x, (u64 *)secret, ndigits); +--- a/crypto/ecc_curve_defs.h ++++ b/crypto/ecc_curve_defs.h +@@ -12,9 +12,11 @@ struct ecc_curve { + struct ecc_point g; + u64 *p; + u64 *n; ++ u64 *a; ++ u64 *b; + }; + +-/* NIST P-192 */ ++/* NIST P-192: a = p - 3 */ + static u64 nist_p192_g_x[] = { 0xF4FF0AFD82FF1012ull, 0x7CBF20EB43A18800ull, + 0x188DA80EB03090F6ull }; + static u64 nist_p192_g_y[] = { 0x73F977A11E794811ull, 0x631011ED6B24CDD5ull, +@@ -23,6 +25,10 @@ static u64 nist_p192_p[] = { 0xFFFFFFFFF + 0xFFFFFFFFFFFFFFFFull }; + static u64 nist_p192_n[] = { 0x146BC9B1B4D22831ull, 0xFFFFFFFF99DEF836ull, + 0xFFFFFFFFFFFFFFFFull }; ++static u64 nist_p192_a[] = { 0xFFFFFFFFFFFFFFFCull, 0xFFFFFFFFFFFFFFFEull, ++ 0xFFFFFFFFFFFFFFFEull }; ++static u64 nist_p192_b[] = { 0xFEB8DEECC146B9B1ull, 0x0FA7E9AB72243049ull, ++ 0x64210519E59C80E7ull }; + static struct ecc_curve nist_p192 = { + .name = "nist_192", + .g = { +@@ -31,10 +37,12 @@ static struct ecc_curve nist_p192 = { + .ndigits = 3, + }, + .p = nist_p192_p, +- .n = nist_p192_n ++ .n = nist_p192_n, ++ .a = nist_p192_a, ++ .b = nist_p192_b + }; + +-/* NIST P-256 */ ++/* NIST P-256: a = p - 3 */ + static u64 nist_p256_g_x[] = { 0xF4A13945D898C296ull, 0x77037D812DEB33A0ull, + 0xF8BCE6E563A440F2ull, 0x6B17D1F2E12C4247ull }; + static u64 nist_p256_g_y[] = { 0xCBB6406837BF51F5ull, 0x2BCE33576B315ECEull, +@@ -43,6 +51,10 @@ static u64 nist_p256_p[] = { 0xFFFFFFFFF + 0x0000000000000000ull, 0xFFFFFFFF00000001ull }; + static u64 nist_p256_n[] = { 0xF3B9CAC2FC632551ull, 0xBCE6FAADA7179E84ull, + 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFF00000000ull }; ++static u64 nist_p256_a[] = { 0xFFFFFFFFFFFFFFFCull, 0x00000000FFFFFFFFull, ++ 0x0000000000000000ull, 0xFFFFFFFF00000001ull }; ++static u64 nist_p256_b[] = { 0x3BCE3C3E27D2604Bull, 0x651D06B0CC53B0F6ull, ++ 0xB3EBBD55769886BCull, 0x5AC635D8AA3A93E7ull }; + static struct ecc_curve nist_p256 = { + .name = "nist_256", + .g = { +@@ -51,7 +63,9 @@ static struct ecc_curve nist_p256 = { + .ndigits = 4, + }, + .p = nist_p256_p, +- .n = nist_p256_n ++ .n = nist_p256_n, ++ .a = nist_p256_a, ++ .b = nist_p256_b + }; + + #endif diff --git a/patches.suse/crypto-ecdh-fix-typo-of-P-192-b-value.patch b/patches.suse/crypto-ecdh-fix-typo-of-P-192-b-value.patch new file mode 100644 index 0000000..15721e0 --- /dev/null +++ b/patches.suse/crypto-ecdh-fix-typo-of-P-192-b-value.patch @@ -0,0 +1,33 @@ +Git-commit: aef66587f19c7ecc52717328a4c5484f1d2268e9 +From: Stephan Mueller +Date: Wed, 11 Jul 2018 20:36:23 +0200 +Subject: [PATCH] crypto: ecdh - fix typo of P-192 b value +Patch-mainline: v4.19-rc1 +References: bsc#1155331 + +Fix the b value to be compliant with FIPS 186-4 D.1.2.1. This fix is +required to make sure the SP800-56A public key test passes for P-192. + +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Torsten Duwe +--- + crypto/ecc_curve_defs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/ecc_curve_defs.h b/crypto/ecc_curve_defs.h +index 94e883a9403f..336ab1805639 100644 +--- a/crypto/ecc_curve_defs.h ++++ b/crypto/ecc_curve_defs.h +@@ -27,7 +27,7 @@ static u64 nist_p192_p[] = { 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFFFFFFFFFEull, + static u64 nist_p192_n[] = { 0x146BC9B1B4D22831ull, 0xFFFFFFFF99DEF836ull, + 0xFFFFFFFFFFFFFFFFull }; + static u64 nist_p192_a[] = { 0xFFFFFFFFFFFFFFFCull, 0xFFFFFFFFFFFFFFFEull, +- 0xFFFFFFFFFFFFFFFEull }; ++ 0xFFFFFFFFFFFFFFFFull }; + static u64 nist_p192_b[] = { 0xFEB8DEECC146B9B1ull, 0x0FA7E9AB72243049ull, + 0x64210519E59C80E7ull }; + static struct ecc_curve nist_p192 = { +-- +2.16.4 + diff --git a/patches.suse/cxgb4-request-the-TX-CIDX-updates-to-status-page.patch b/patches.suse/cxgb4-request-the-TX-CIDX-updates-to-status-page.patch index d2af9d6..3d19dfd 100644 --- a/patches.suse/cxgb4-request-the-TX-CIDX-updates-to-status-page.patch +++ b/patches.suse/cxgb4-request-the-TX-CIDX-updates-to-status-page.patch @@ -28,7 +28,7 @@ Acked-by: Thomas Bogendoerfer --- a/drivers/net/ethernet/chelsio/cxgb4/sge.c +++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c -@@ -3792,15 +3792,11 @@ int t4_sge_alloc_eth_txq(struct adapter +@@ -3698,15 +3698,11 @@ int t4_sge_alloc_eth_txq(struct adapter * write the CIDX Updates into the Status Page at the end of the * TX Queue. */ diff --git a/patches.suse/dccp-Fix-memleak-in-__feat_register_sp.patch b/patches.suse/dccp-Fix-memleak-in-__feat_register_sp.patch index 741eaae..3c3734d 100644 --- a/patches.suse/dccp-Fix-memleak-in-__feat_register_sp.patch +++ b/patches.suse/dccp-Fix-memleak-in-__feat_register_sp.patch @@ -4,7 +4,7 @@ Date: Mon, 1 Apr 2019 09:35:54 +0800 Subject: [PATCH] dccp: Fix memleak in __feat_register_sp Git-commit: 1d3ff0950e2b40dc861b1739029649d03f591820 Patch-mainline: v5.1-rc4 -References: bsc#1051510 +References: CVE-2019-20096 bsc#1159908 bsc#1051510 If dccp_feat_push_change fails, we forget free the mem which is alloced by kmemdup in dccp_feat_clone_sp_val. diff --git a/patches.suse/drm-meson-venc-cvbs-fix-CVBS-mode-matching.patch b/patches.suse/drm-meson-venc-cvbs-fix-CVBS-mode-matching.patch new file mode 100644 index 0000000..56c9d72 --- /dev/null +++ b/patches.suse/drm-meson-venc-cvbs-fix-CVBS-mode-matching.patch @@ -0,0 +1,125 @@ +From 43cb86799ff03e9819c07f37f72f80f8246ad7ed Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Sun, 8 Dec 2019 18:18:31 +0100 +Subject: [PATCH] drm: meson: venc: cvbs: fix CVBS mode matching +Git-commit: 43cb86799ff03e9819c07f37f72f80f8246ad7ed +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +With commit 222ec1618c3ace ("drm: Add aspect ratio parsing in DRM +layer") the drm core started honoring the picture_aspect_ratio field +when comparing two drm_display_modes. Prior to that it was ignored. +When the CVBS encoder driver was initially submitted there was no aspect +ratio check. + +Switch from drm_mode_equal() to drm_mode_match() without +DRM_MODE_MATCH_ASPECT_RATIO to fix "kmscube" and X.org output using the +CVBS connector. When (for example) kmscube sets the output mode when +using the CVBS connector it passes HDMI_PICTURE_ASPECT_NONE, making the +drm_mode_equal() fail as it include the aspect ratio. + +Prior to this patch kmscube reported: + failed to set mode: Invalid argument + +The CVBS mode checking in the sun4i (drivers/gpu/drm/sun4i/sun4i_tv.c +sun4i_tv_mode_to_drm_mode) and ZTE (drivers/gpu/drm/zte/zx_tvenc.c +tvenc_mode_{pal,ntsc}) drivers don't set the "picture_aspect_ratio" at +all. The Meson VPU driver does not rely on the aspect ratio for the CVBS +output so we can safely decouple it from the hdmi_picture_aspect +setting. + +Cc: +Fixes: 222ec1618c3ace ("drm: Add aspect ratio parsing in DRM layer") +Fixes: bbbe775ec5b5da ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Martin Blumenstingl +Acked-by: Neil Armstrong +[narmstrong: squashed with drm: meson: venc: cvbs: deduplicate the meson_cvbs_mode lookup code] +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20191208171832.1064772-3-martin.blumenstingl@googlemail.com +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/meson/meson_venc_cvbs.c | 48 ++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 21 deletions(-) + +diff --git a/drivers/gpu/drm/meson/meson_venc_cvbs.c b/drivers/gpu/drm/meson/meson_venc_cvbs.c +index 9ab27aecfcf3..1bd6b6d15ffb 100644 +--- a/drivers/gpu/drm/meson/meson_venc_cvbs.c ++++ b/drivers/gpu/drm/meson/meson_venc_cvbs.c +@@ -64,6 +64,25 @@ struct meson_cvbs_mode meson_cvbs_modes[MESON_CVBS_MODES_COUNT] = { + }, + }; + ++static const struct meson_cvbs_mode * ++meson_cvbs_get_mode(const struct drm_display_mode *req_mode) ++{ ++ int i; ++ ++ for (i = 0; i < MESON_CVBS_MODES_COUNT; ++i) { ++ struct meson_cvbs_mode *meson_mode = &meson_cvbs_modes[i]; ++ ++ if (drm_mode_match(req_mode, &meson_mode->mode, ++ DRM_MODE_MATCH_TIMINGS | ++ DRM_MODE_MATCH_CLOCK | ++ DRM_MODE_MATCH_FLAGS | ++ DRM_MODE_MATCH_3D_FLAGS)) ++ return meson_mode; ++ } ++ ++ return NULL; ++} ++ + /* Connector */ + + static void meson_cvbs_connector_destroy(struct drm_connector *connector) +@@ -136,14 +155,8 @@ static int meson_venc_cvbs_encoder_atomic_check(struct drm_encoder *encoder, + struct drm_crtc_state *crtc_state, + struct drm_connector_state *conn_state) + { +- int i; +- +- for (i = 0; i < MESON_CVBS_MODES_COUNT; ++i) { +- struct meson_cvbs_mode *meson_mode = &meson_cvbs_modes[i]; +- +- if (drm_mode_equal(&crtc_state->mode, &meson_mode->mode)) +- return 0; +- } ++ if (meson_cvbs_get_mode(&crtc_state->mode)) ++ return 0; + + return -EINVAL; + } +@@ -191,24 +204,17 @@ static void meson_venc_cvbs_encoder_mode_set(struct drm_encoder *encoder, + struct drm_display_mode *mode, + struct drm_display_mode *adjusted_mode) + { ++ const struct meson_cvbs_mode *meson_mode = meson_cvbs_get_mode(mode); + struct meson_venc_cvbs *meson_venc_cvbs = + encoder_to_meson_venc_cvbs(encoder); + struct meson_drm *priv = meson_venc_cvbs->priv; +- int i; + +- for (i = 0; i < MESON_CVBS_MODES_COUNT; ++i) { +- struct meson_cvbs_mode *meson_mode = &meson_cvbs_modes[i]; ++ if (meson_mode) { ++ meson_venci_cvbs_mode_set(priv, meson_mode->enci); + +- if (drm_mode_equal(mode, &meson_mode->mode)) { +- meson_venci_cvbs_mode_set(priv, +- meson_mode->enci); +- +- /* Setup 27MHz vclk2 for ENCI and VDAC */ +- meson_vclk_setup(priv, MESON_VCLK_TARGET_CVBS, +- MESON_VCLK_CVBS, MESON_VCLK_CVBS, +- MESON_VCLK_CVBS, true); +- break; +- } ++ /* Setup 27MHz vclk2 for ENCI and VDAC */ ++ meson_vclk_setup(priv, MESON_VCLK_TARGET_CVBS, MESON_VCLK_CVBS, ++ MESON_VCLK_CVBS, MESON_VCLK_CVBS, true); + } + } + +-- +2.16.4 + diff --git a/patches.suse/e100-Fix-passing-zero-to-PTR_ERR-warning-in-e100_loa.patch b/patches.suse/e100-Fix-passing-zero-to-PTR_ERR-warning-in-e100_loa.patch new file mode 100644 index 0000000..b13f789 --- /dev/null +++ b/patches.suse/e100-Fix-passing-zero-to-PTR_ERR-warning-in-e100_loa.patch @@ -0,0 +1,39 @@ +From cd0d465bb697a9c7bf66a9fe940f7981232f1676 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 19 Nov 2018 20:48:19 +0800 +Subject: [PATCH] e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait +Git-commit: cd0d465bb697a9c7bf66a9fe940f7981232f1676 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +Fix a static code checker warning: +drivers/net/ethernet/intel/e100.c:1349 + e100_load_ucode_wait() warn: passing zero to 'PTR_ERR' + +Signed-off-by: YueHaibing +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Acked-by: Takashi Iwai + +--- + drivers/net/ethernet/intel/e100.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 5e5c57db0d3f..0fd268070fb4 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -1345,8 +1345,8 @@ static inline int e100_load_ucode_wait(struct nic *nic) + + fw = e100_request_firmware(nic); + /* If it's NULL, then no ucode is required */ +- if (!fw || IS_ERR(fw)) +- return PTR_ERR(fw); ++ if (IS_ERR_OR_NULL(fw)) ++ return PTR_ERR_OR_ZERO(fw); + + if ((err = e100_exec_cb(nic, (void *)fw, e100_setup_ucode))) + netif_err(nic, probe, nic->netdev, +-- +2.16.4 + diff --git a/patches.suse/ext4-add-more-paranoia-checking-in-ext4_expand_extra.patch b/patches.suse/ext4-add-more-paranoia-checking-in-ext4_expand_extra.patch new file mode 100644 index 0000000..d063dae --- /dev/null +++ b/patches.suse/ext4-add-more-paranoia-checking-in-ext4_expand_extra.patch @@ -0,0 +1,91 @@ +From 4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 7 Nov 2019 21:43:41 -0500 +Subject: [PATCH] ext4: add more paranoia checking in ext4_expand_extra_isize + handling +Git-commit: 4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a +Patch-mainline: v5.5-rc1 +References: bsc#1159297 CVE-2019-19767 + +It's possible to specify a non-zero s_want_extra_isize via debugging +option, and this can cause bad things(tm) to happen when using a file +system with an inode size of 128 bytes. + +Add better checking when the file system is mounted, as well as when +we are actually doing the trying to do the inode expansion. + +Link: https://lore.kernel.org/r/20191110121510.GH23325@mit.edu +Reported-by: syzbot+f8d6f8386ceacdbfff57@syzkaller.appspotmail.com +Reported-by: syzbot+33d7ea72e47de3bdf4e1@syzkaller.appspotmail.com +Reported-by: syzbot+44b6763edfc17144296f@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Acked-by: Jan Kara + +--- + fs/ext4/inode.c | 15 +++++++++++++++ + fs/ext4/super.c | 21 ++++++++++++--------- + 2 files changed, 27 insertions(+), 9 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5736,6 +5736,21 @@ static int ext4_expand_extra_isize(struc + { + struct ext4_inode *raw_inode; + struct ext4_xattr_ibody_header *header; ++ unsigned int inode_size = EXT4_INODE_SIZE(inode->i_sb); ++ struct ext4_inode_info *ei = EXT4_I(inode); ++ ++ /* this was checked at iget time, but double check for good measure */ ++ if ((EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > inode_size) || ++ (ei->i_extra_isize & 3)) { ++ EXT4_ERROR_INODE(inode, "bad extra_isize %u (inode size %u)", ++ ei->i_extra_isize, ++ EXT4_INODE_SIZE(inode->i_sb)); ++ return -EFSCORRUPTED; ++ } ++ if ((new_extra_isize < ei->i_extra_isize) || ++ (new_extra_isize < 4) || ++ (new_extra_isize > inode_size - EXT4_GOOD_OLD_INODE_SIZE)) ++ return -EINVAL; /* Should never happen */ + + if (EXT4_I(inode)->i_extra_isize >= new_extra_isize) + return 0; +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3429,12 +3429,15 @@ static void ext4_clamp_want_extra_isize( + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct ext4_super_block *es = sbi->s_es; ++ unsigned def_extra_isize = sizeof(struct ext4_inode) - ++ EXT4_GOOD_OLD_INODE_SIZE; + +- /* determine the minimum size of new large inodes, if present */ +- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE && +- sbi->s_want_extra_isize == 0) { +- sbi->s_want_extra_isize = sizeof(struct ext4_inode) - +- EXT4_GOOD_OLD_INODE_SIZE; ++ if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) { ++ sbi->s_want_extra_isize = 0; ++ return; ++ } ++ if (sbi->s_want_extra_isize < 4) { ++ sbi->s_want_extra_isize = def_extra_isize; + if (ext4_has_feature_extra_isize(sb)) { + if (sbi->s_want_extra_isize < + le16_to_cpu(es->s_want_extra_isize)) +@@ -3447,10 +3450,10 @@ static void ext4_clamp_want_extra_isize( + } + } + /* Check if enough inode space is available */ +- if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > +- sbi->s_inode_size) { +- sbi->s_want_extra_isize = sizeof(struct ext4_inode) - +- EXT4_GOOD_OLD_INODE_SIZE; ++ if ((sbi->s_want_extra_isize > sbi->s_inode_size) || ++ (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > ++ sbi->s_inode_size)) { ++ sbi->s_want_extra_isize = def_extra_isize; + ext4_msg(sb, KERN_INFO, + "required extra inode space not available"); + } diff --git a/patches.suse/ext4-avoid-declaring-fs-inconsistent-due-to-invalid-.patch b/patches.suse/ext4-avoid-declaring-fs-inconsistent-due-to-invalid-.patch new file mode 100644 index 0000000..8dffc3e --- /dev/null +++ b/patches.suse/ext4-avoid-declaring-fs-inconsistent-due-to-invalid-.patch @@ -0,0 +1,305 @@ +From 8a363970d1dc38c4ec4ad575c862f776f468d057 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 19 Dec 2018 12:29:13 -0500 +Subject: [PATCH] ext4: avoid declaring fs inconsistent due to invalid file + handles +Git-commit: 8a363970d1dc38c4ec4ad575c862f776f468d057 +Patch-mainline: v5.0-rc1 +References: bsc#1158021 CVE-2019-19319 + +If we receive a file handle, either from NFS or open_by_handle_at(2), +and it points at an inode which has not been initialized, and the file +system has metadata checksums enabled, we shouldn't try to get the +inode, discover the checksum is invalid, and then declare the file +system as being inconsistent. + +This can be reproduced by creating a test file system via "mke2fs -t +ext4 -O metadata_csum /tmp/foo.img 8M", mounting it, cd'ing into that +directory, and then running the following program. + +#define _GNU_SOURCE +#include + +struct handle { + struct file_handle fh; + unsigned char fid[MAX_HANDLE_SZ]; +}; + +int main(int argc, char **argv) +{ + struct handle h = {{8, 1 }, { 12, }}; + + open_by_handle_at(AT_FDCWD, &h.fh, O_RDONLY); + return 0; +} + +Google-bug-id: 120690101 +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Acked-by: Jan Kara + +--- + fs/ext4/ext4.h | 15 +++++++++++++-- + fs/ext4/ialloc.c | 2 +- + fs/ext4/inode.c | 49 ++++++++++++++++++++++++++++++++++--------------- + fs/ext4/ioctl.c | 2 +- + fs/ext4/namei.c | 4 ++-- + fs/ext4/resize.c | 5 +++-- + fs/ext4/super.c | 19 +++++-------------- + 7 files changed, 59 insertions(+), 37 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2458,8 +2458,19 @@ int do_journal_get_write_access(handle_t + #define FALL_BACK_TO_NONDELALLOC 1 + #define CONVERT_INLINE_DATA 2 + +-extern struct inode *ext4_iget(struct super_block *, unsigned long); +-extern struct inode *ext4_iget_normal(struct super_block *, unsigned long); ++typedef enum { ++ EXT4_IGET_NORMAL = 0, ++ EXT4_IGET_SPECIAL = 0x0001, /* OK to iget a system inode */ ++ EXT4_IGET_HANDLE = 0x0002 /* Inode # is from a handle */ ++} ext4_iget_flags; ++ ++extern struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ++ ext4_iget_flags flags, const char *function, ++ unsigned int line); ++ ++#define ext4_iget(sb, ino, flags) \ ++ __ext4_iget((sb), (ino), (flags), __func__, __LINE__) ++ + extern int ext4_write_inode(struct inode *, struct writeback_control *); + extern int ext4_setattr(struct dentry *, struct iattr *); + extern int ext4_getattr(const struct path *, struct kstat *, u32, unsigned int); +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -1182,7 +1182,7 @@ struct inode *ext4_orphan_get(struct sup + if (!ext4_test_bit(bit, bitmap_bh->b_data)) + goto bad_orphan; + +- inode = ext4_iget(sb, ino); ++ inode = ext4_iget(sb, ino, EXT4_IGET_NORMAL); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); + ext4_error(sb, "couldn't read orphan inode %lu (err %d)", +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4661,7 +4661,9 @@ int ext4_get_projid(struct inode *inode, + return 0; + } + +-struct inode *ext4_iget(struct super_block *sb, unsigned long ino) ++struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ++ ext4_iget_flags flags, const char *function, ++ unsigned int line) + { + struct ext4_iloc iloc; + struct ext4_inode *raw_inode; +@@ -4675,6 +4677,18 @@ struct inode *ext4_iget(struct super_blo + gid_t i_gid; + projid_t i_projid; + ++ if (((flags & EXT4_IGET_NORMAL) && ++ (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO)) || ++ (ino < EXT4_ROOT_INO) || ++ (ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))) { ++ if (flags & EXT4_IGET_HANDLE) ++ return ERR_PTR(-ESTALE); ++ __ext4_error(sb, function, line, ++ "inode #%lu: comm %s: iget: illegal inode #", ++ ino, current->comm); ++ return ERR_PTR(-EFSCORRUPTED); ++ } ++ + inode = iget_locked(sb, ino); + if (!inode) + return ERR_PTR(-ENOMEM); +@@ -4690,18 +4704,26 @@ struct inode *ext4_iget(struct super_blo + raw_inode = ext4_raw_inode(&iloc); + + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { +- EXT4_ERROR_INODE(inode, "root inode unallocated"); ++ ext4_error_inode(inode, function, line, 0, ++ "iget: root inode unallocated"); + ret = -EFSCORRUPTED; + goto bad_inode; + } + ++ if ((flags & EXT4_IGET_HANDLE) && ++ (raw_inode->i_links_count == 0) && (raw_inode->i_mode == 0)) { ++ ret = -ESTALE; ++ goto bad_inode; ++ } ++ + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { + ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); + if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > + EXT4_INODE_SIZE(inode->i_sb) || + (ei->i_extra_isize & 3)) { +- EXT4_ERROR_INODE(inode, +- "bad extra_isize %u (inode size %u)", ++ ext4_error_inode(inode, function, line, 0, ++ "iget: bad extra_isize %u " ++ "(inode size %u)", + ei->i_extra_isize, + EXT4_INODE_SIZE(inode->i_sb)); + ret = -EFSCORRUPTED; +@@ -4723,7 +4745,8 @@ struct inode *ext4_iget(struct super_blo + } + + if (!ext4_inode_csum_verify(inode, raw_inode, ei)) { +- EXT4_ERROR_INODE(inode, "checksum invalid"); ++ ext4_error_inode(inode, function, line, 0, ++ "iget: checksum invalid"); + ret = -EFSBADCRC; + goto bad_inode; + } +@@ -4780,7 +4803,8 @@ struct inode *ext4_iget(struct super_blo + ((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32; + inode->i_size = ext4_isize(raw_inode); + if ((size = i_size_read(inode)) < 0) { +- EXT4_ERROR_INODE(inode, "bad i_size value: %lld", size); ++ ext4_error_inode(inode, function, line, 0, ++ "iget: bad i_size value: %lld", size); + ret = -EFSCORRUPTED; + goto bad_inode; + } +@@ -4856,7 +4880,8 @@ struct inode *ext4_iget(struct super_blo + ret = 0; + if (ei->i_file_acl && + !ext4_data_block_valid(EXT4_SB(sb), ei->i_file_acl, 1)) { +- EXT4_ERROR_INODE(inode, "bad extended attribute block %llu", ++ ext4_error_inode(inode, function, line, 0, ++ "iget: bad extended attribute block %llu", + ei->i_file_acl); + ret = -EFSCORRUPTED; + goto bad_inode; +@@ -4911,7 +4936,8 @@ struct inode *ext4_iget(struct super_blo + make_bad_inode(inode); + } else { + ret = -EFSCORRUPTED; +- EXT4_ERROR_INODE(inode, "bogus i_mode (%o)", inode->i_mode); ++ ext4_error_inode(inode, function, line, 0, ++ "iget: bogus i_mode (%o)", inode->i_mode); + goto bad_inode; + } + brelse(iloc.bh); +@@ -4924,13 +4950,6 @@ bad_inode: + return ERR_PTR(ret); + } + +-struct inode *ext4_iget_normal(struct super_block *sb, unsigned long ino) +-{ +- if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO) +- return ERR_PTR(-EFSCORRUPTED); +- return ext4_iget(sb, ino); +-} +- + static int ext4_inode_blocks_set(handle_t *handle, + struct ext4_inode *raw_inode, + struct ext4_inode_info *ei) +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -125,7 +125,7 @@ static long swap_inode_boot_loader(struc + !inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN)) + return -EPERM; + +- inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO); ++ inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL); + if (IS_ERR(inode_bl)) + return PTR_ERR(inode_bl); + ei_bl = EXT4_I(inode_bl); +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1580,7 +1580,7 @@ static struct dentry *ext4_lookup(struct + dentry); + return ERR_PTR(-EFSCORRUPTED); + } +- inode = ext4_iget_normal(dir->i_sb, ino); ++ inode = ext4_iget(dir->i_sb, ino, EXT4_IGET_NORMAL); + if (inode == ERR_PTR(-ESTALE)) { + EXT4_ERROR_INODE(dir, + "deleted inode referenced: %u", +@@ -1622,7 +1622,7 @@ struct dentry *ext4_get_parent(struct de + return ERR_PTR(-EFSCORRUPTED); + } + +- return d_obtain_alias(ext4_iget_normal(child->d_sb, ino)); ++ return d_obtain_alias(ext4_iget(child->d_sb, ino, EXT4_IGET_NORMAL)); + } + + /* +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1607,7 +1607,7 @@ int ext4_group_add(struct super_block *s + "No reserved GDT blocks, can't resize"); + return -EPERM; + } +- inode = ext4_iget(sb, EXT4_RESIZE_INO); ++ inode = ext4_iget(sb, EXT4_RESIZE_INO, EXT4_IGET_SPECIAL); + if (IS_ERR(inode)) { + ext4_warning(sb, "Error opening resize inode"); + return PTR_ERR(inode); +@@ -1934,7 +1934,8 @@ retry: + } + + if (!resize_inode) +- resize_inode = ext4_iget(sb, EXT4_RESIZE_INO); ++ resize_inode = ext4_iget(sb, EXT4_RESIZE_INO, ++ EXT4_IGET_SPECIAL); + if (IS_ERR(resize_inode)) { + ext4_warning(sb, "Error opening resize inode"); + return PTR_ERR(resize_inode); +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1089,20 +1089,11 @@ static struct inode *ext4_nfs_get_inode( + { + struct inode *inode; + +- if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO) +- return ERR_PTR(-ESTALE); +- if (ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) +- return ERR_PTR(-ESTALE); +- +- /* iget isn't really right if the inode is currently unallocated!! +- * +- * ext4_read_inode will return a bad_inode if the inode had been +- * deleted, so we should be safe. +- * ++ /* + * Currently we don't know the generation for parent directory, so + * a generation of 0 means "accept any" + */ +- inode = ext4_iget_normal(sb, ino); ++ inode = ext4_iget(sb, ino, EXT4_IGET_HANDLE); + if (IS_ERR(inode)) + return ERR_CAST(inode); + if (generation && inode->i_generation != generation) { +@@ -4216,7 +4207,7 @@ no_journal: + * so we can safely mount the rest of the filesystem now. + */ + +- root = ext4_iget(sb, EXT4_ROOT_INO); ++ root = ext4_iget(sb, EXT4_ROOT_INO, EXT4_IGET_SPECIAL); + if (IS_ERR(root)) { + ext4_msg(sb, KERN_ERR, "get root inode failed"); + ret = PTR_ERR(root); +@@ -4478,7 +4469,7 @@ static struct inode *ext4_get_journal_in + * happen if we iget() an unused inode, as the subsequent iput() + * will try to delete it. + */ +- journal_inode = ext4_iget(sb, journal_inum); ++ journal_inode = ext4_iget(sb, journal_inum, EXT4_IGET_SPECIAL); + if (IS_ERR(journal_inode)) { + ext4_msg(sb, KERN_ERR, "no journal found"); + return NULL; +@@ -5543,7 +5534,7 @@ static int ext4_quota_enable(struct supe + if (!qf_inums[type]) + return -EPERM; + +- qf_inode = ext4_iget(sb, qf_inums[type]); ++ qf_inode = ext4_iget(sb, qf_inums[type], EXT4_IGET_SPECIAL); + if (IS_ERR(qf_inode)) { + ext4_error(sb, "Bad quota inode # %lu", qf_inums[type]); + return PTR_ERR(qf_inode); diff --git a/patches.suse/ext4-don-t-perform-block-validity-checks-on-the-jour.patch b/patches.suse/ext4-don-t-perform-block-validity-checks-on-the-jour.patch new file mode 100644 index 0000000..7f444dc --- /dev/null +++ b/patches.suse/ext4-don-t-perform-block-validity-checks-on-the-jour.patch @@ -0,0 +1,60 @@ +From 0a944e8a6c66ca04c7afbaa17e22bf208a8b37f0 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 22 May 2019 10:27:01 -0400 +Subject: [PATCH] ext4: don't perform block validity checks on the journal + inode +Git-commit: 0a944e8a6c66ca04c7afbaa17e22bf208a8b37f0 +Patch-mainline: v5.2-rc2 +References: bsc#1158021 CVE-2019-19319 + +Since the journal inode is already checked when we added it to the +block validity's system zone, if we check it again, we'll just trigger +a failure. + +This was causing failures like this: + +[ 53.897001] EXT4-fs error (device sda): ext4_find_extent:909: inode +#8: comm jbd2/sda-8: pblk 121667583 bad header/extent: invalid extent entries - magic f30a, entries 8, max 340(340), depth 0(0) +[ 53.931430] jbd2_journal_bmap: journal block not found at offset 49 on sda-8 +[ 53.938480] Aborting journal on device sda-8. + +... but only if the system was under enough memory pressure that +logical->physical mapping for the journal inode gets pushed out of the +extent cache. (This is why it wasn't noticed earlier.) + +Fixes: 345c0dbf3a30 ("ext4: protect journal inode's blocks using block_validity") +Reported-by: Dan Rue +Signed-off-by: Theodore Ts'o +Tested-by: Naresh Kamboju +Acked-by: Jan Kara + +--- + fs/ext4/extents.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index f2c62e2a0c98..d40ed940001e 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -518,10 +518,14 @@ __read_extent_tree_block(const char *function, unsigned int line, + } + if (buffer_verified(bh) && !(flags & EXT4_EX_FORCE_CACHE)) + return bh; +- err = __ext4_ext_check(function, line, inode, +- ext_block_hdr(bh), depth, pblk); +- if (err) +- goto errout; ++ if (!ext4_has_feature_journal(inode->i_sb) || ++ (inode->i_ino != ++ le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) { ++ err = __ext4_ext_check(function, line, inode, ++ ext_block_hdr(bh), depth, pblk); ++ if (err) ++ goto errout; ++ } + set_buffer_verified(bh); + /* + * If this is a leaf block, cache all of its entries +-- +2.16.4 + diff --git a/patches.suse/ext4-fix-block-validity-checks-for-journal-inodes-us.patch b/patches.suse/ext4-fix-block-validity-checks-for-journal-inodes-us.patch new file mode 100644 index 0000000..4bedee6 --- /dev/null +++ b/patches.suse/ext4-fix-block-validity-checks-for-journal-inodes-us.patch @@ -0,0 +1,47 @@ +From 170417c8c7bb2cbbdd949bf5c443c0c8f24a203b Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 15 May 2019 00:51:19 -0400 +Subject: [PATCH] ext4: fix block validity checks for journal inodes using + indirect blocks +Git-commit: 170417c8c7bb2cbbdd949bf5c443c0c8f24a203b +Patch-mainline: v5.2-rc1 +References: bsc#1158021 CVE-2019-19319 + +Commit 345c0dbf3a30 ("ext4: protect journal inode's blocks using +block_validity") failed to add an exception for the journal inode in +ext4_check_blockref(), which is the function used by ext4_get_branch() +for indirect blocks. This caused attempts to read from the ext3-style +journals to fail with: + +[ 848.968550] EXT4-fs error (device sdb7): ext4_get_branch:171: inode #8: block 30343695: comm jbd2/sdb7-8: invalid block + +Fix this by adding the missing exception check. + +Fixes: 345c0dbf3a30 ("ext4: protect journal inode's blocks using block_validity") +Reported-by: Arthur Marsh +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/block_validity.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index 8d03550aaae3..8e83741b02e0 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -277,6 +277,11 @@ int ext4_check_blockref(const char *function, unsigned int line, + __le32 *bref = p; + unsigned int blk; + ++ if (ext4_has_feature_journal(inode->i_sb) && ++ (inode->i_ino == ++ le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) ++ return 0; ++ + while (bref < p+max) { + blk = le32_to_cpu(*bref++); + if (blk && +-- +2.16.4 + diff --git a/patches.suse/ext4-fix-check-of-inode-in-swap_inode_boot_loader.patch b/patches.suse/ext4-fix-check-of-inode-in-swap_inode_boot_loader.patch index 345d374..b43c040 100644 --- a/patches.suse/ext4-fix-check-of-inode-in-swap_inode_boot_loader.patch +++ b/patches.suse/ext4-fix-check-of-inode-in-swap_inode_boot_loader.patch @@ -36,7 +36,7 @@ Acked-by: Jan Kara - !inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN)) - return -EPERM; - - inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO); + inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL); if (IS_ERR(inode_bl)) return PTR_ERR(inode_bl); @@ -137,6 +129,18 @@ static long swap_inode_boot_loader(struc diff --git a/patches.suse/ext4-fix-special-inode-number-checks-in-__ext4_iget.patch b/patches.suse/ext4-fix-special-inode-number-checks-in-__ext4_iget.patch new file mode 100644 index 0000000..74f3e39 --- /dev/null +++ b/patches.suse/ext4-fix-special-inode-number-checks-in-__ext4_iget.patch @@ -0,0 +1,41 @@ +From 191ce17876c9367819c4b0a25b503c0f6d9054d8 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 31 Dec 2018 22:34:31 -0500 +Subject: [PATCH] ext4: fix special inode number checks in __ext4_iget() +Git-commit: 191ce17876c9367819c4b0a25b503c0f6d9054d8 +Patch-mainline: v5.0-rc1 +References: bsc#1158021 CVE-2019-19319 + +The check for special (reserved) inode number checks in __ext4_iget() +was broken by commit 8a363970d1dc: ("ext4: avoid declaring fs +inconsistent due to invalid file handles"). This was caused by a +botched reversal of the sense of the flag now known as +EXT4_IGET_SPECIAL (when it was previously named EXT4_IGET_NORMAL). +Fix the logic appropriately. + +Fixes: 8a363970d1dc ("ext4: avoid declaring fs inconsistent...") +Signed-off-by: Theodore Ts'o +Reported-by: Dan Carpenter +Cc: stable@kernel.org +Acked-by: Jan Kara + +--- + fs/ext4/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 165ff331d998..34d7e0703cc6 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4834,7 +4834,7 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + gid_t i_gid; + projid_t i_projid; + +- if (((flags & EXT4_IGET_NORMAL) && ++ if ((!(flags & EXT4_IGET_SPECIAL) && + (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO)) || + (ino < EXT4_ROOT_INO) || + (ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))) { +-- +2.16.4 + diff --git a/patches.suse/ext4-protect-journal-inode-s-blocks-using-block_vali.patch b/patches.suse/ext4-protect-journal-inode-s-blocks-using-block_vali.patch new file mode 100644 index 0000000..a67de11 --- /dev/null +++ b/patches.suse/ext4-protect-journal-inode-s-blocks-using-block_vali.patch @@ -0,0 +1,100 @@ +From 345c0dbf3a30872d9b204db96b5857cd00808cae Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 9 Apr 2019 23:37:08 -0400 +Subject: [PATCH] ext4: protect journal inode's blocks using block_validity +Git-commit: 345c0dbf3a30872d9b204db96b5857cd00808cae +Patch-mainline: v5.2-rc1 +References: bsc#1158021 CVE-2019-19319 + +Add the blocks which belong to the journal inode to block_validity's +system zone so attempts to deallocate or overwrite the journal due a +corrupted file system where the journal blocks are also claimed by +another inode. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202879 +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Acked-by: Jan Kara + +--- + fs/ext4/block_validity.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++ + fs/ext4/inode.c | 4 +++ + 2 files changed, 52 insertions(+) + +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -136,6 +136,48 @@ static void debug_print_tree(struct ext4 + printk(KERN_CONT "\n"); + } + ++static int ext4_protect_reserved_inode(struct super_block *sb, u32 ino) ++{ ++ struct inode *inode; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); ++ struct ext4_map_blocks map; ++ u32 i = 0, err = 0, num, n; ++ ++ if ((ino < EXT4_ROOT_INO) || ++ (ino > le32_to_cpu(sbi->s_es->s_inodes_count))) ++ return -EINVAL; ++ inode = ext4_iget(sb, ino, EXT4_IGET_SPECIAL); ++ if (IS_ERR(inode)) ++ return PTR_ERR(inode); ++ num = (inode->i_size + sb->s_blocksize - 1) >> sb->s_blocksize_bits; ++ while (i < num) { ++ map.m_lblk = i; ++ map.m_len = num - i; ++ n = ext4_map_blocks(NULL, inode, &map, 0); ++ if (n < 0) { ++ err = n; ++ break; ++ } ++ if (n == 0) { ++ i++; ++ } else { ++ if (!ext4_data_block_valid(sbi, map.m_pblk, n)) { ++ ext4_error(sb, "blocks %llu-%llu from inode %u " ++ "overlap system zone", map.m_pblk, ++ map.m_pblk + map.m_len - 1, ino); ++ err = -EFSCORRUPTED; ++ break; ++ } ++ err = add_system_zone(sbi, map.m_pblk, n); ++ if (err < 0) ++ break; ++ i += n; ++ } ++ } ++ iput(inode); ++ return err; ++} ++ + int ext4_setup_system_zone(struct super_block *sb) + { + ext4_group_t ngroups = ext4_get_groups_count(sb); +@@ -170,6 +212,12 @@ int ext4_setup_system_zone(struct super_ + if (ret) + return ret; + } ++ if (ext4_has_feature_journal(sb) && sbi->s_es->s_journal_inum) { ++ ret = ext4_protect_reserved_inode(sb, ++ le32_to_cpu(sbi->s_es->s_journal_inum)); ++ if (ret) ++ return ret; ++ } + + if (test_opt(sb, DEBUG)) + debug_print_tree(EXT4_SB(sb)); +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -384,6 +384,10 @@ static int __check_block_validity(struct + unsigned int line, + struct ext4_map_blocks *map) + { ++ if (ext4_has_feature_journal(inode->i_sb) && ++ (inode->i_ino == ++ le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) ++ return 0; + if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk, + map->m_len)) { + ext4_error_inode(inode, func, line, map->m_pblk, diff --git a/patches.suse/ext4-unsigned-int-compared-against-zero.patch b/patches.suse/ext4-unsigned-int-compared-against-zero.patch new file mode 100644 index 0000000..bd91470 --- /dev/null +++ b/patches.suse/ext4-unsigned-int-compared-against-zero.patch @@ -0,0 +1,39 @@ +From fbbbbd2f28aec991f3fbc248df211550fbdfd58c Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Fri, 10 May 2019 22:06:38 -0400 +Subject: [PATCH] ext4: unsigned int compared against zero +Git-commit: fbbbbd2f28aec991f3fbc248df211550fbdfd58c +Patch-mainline: v5.2-rc1 +References: bsc#1158021 CVE-2019-19319 + +There are two cases where u32 variables n and err are being checked +for less than zero error values, the checks is always false because +the variables are not signed. Fix this by making the variables ints. + +Addresses-coverity: ("Unsigned compared against 0") +Fixes: 345c0dbf3a30 ("ext4: protect journal inode's blocks using block_validity") +Signed-off-by: Colin Ian King +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/block_validity.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index 968f163b5feb..8d03550aaae3 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -142,7 +142,8 @@ static int ext4_protect_reserved_inode(struct super_block *sb, u32 ino) + struct inode *inode; + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct ext4_map_blocks map; +- u32 i = 0, err = 0, num, n; ++ u32 i = 0, num; ++ int err = 0, n; + + if ((ino < EXT4_ROOT_INO) || + (ino > le32_to_cpu(sbi->s_es->s_inodes_count))) +-- +2.16.4 + diff --git a/patches.suse/ext4-update-quota-information-while-swapping-boot-lo.patch b/patches.suse/ext4-update-quota-information-while-swapping-boot-lo.patch index aa2fc43..11e80eb 100644 --- a/patches.suse/ext4-update-quota-information-while-swapping-boot-lo.patch +++ b/patches.suse/ext4-update-quota-information-while-swapping-boot-lo.patch @@ -40,9 +40,9 @@ Acked-by: Jan Kara + blkcnt_t blocks; + unsigned short bytes; - inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO); + inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL); if (IS_ERR(inode_bl)) -@@ -183,6 +183,13 @@ static long swap_inode_boot_loader(struc +@@ -182,6 +182,13 @@ static long swap_inode_boot_loader(struc memset(ei_bl->i_data, 0, sizeof(ei_bl->i_data)); } @@ -56,7 +56,7 @@ Acked-by: Jan Kara swap_inode_data(inode, inode_bl); inode->i_ctime = inode_bl->i_ctime = current_time(inode); -@@ -199,24 +206,46 @@ static long swap_inode_boot_loader(struc +@@ -198,24 +205,46 @@ static long swap_inode_boot_loader(struc err = ext4_mark_inode_dirty(handle, inode); if (err < 0) { diff --git a/patches.suse/ext4-work-around-deleting-a-file-with-i_nlink-0-safe.patch b/patches.suse/ext4-work-around-deleting-a-file-with-i_nlink-0-safe.patch new file mode 100644 index 0000000..ac24786 --- /dev/null +++ b/patches.suse/ext4-work-around-deleting-a-file-with-i_nlink-0-safe.patch @@ -0,0 +1,65 @@ +From c7df4a1ecb8579838ec8c56b2bb6a6716e974f37 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 11 Nov 2019 22:18:13 -0500 +Subject: [PATCH] ext4: work around deleting a file with i_nlink == 0 safely +Git-commit: c7df4a1ecb8579838ec8c56b2bb6a6716e974f37 +Patch-mainline: v5.5-rc1 +References: bsc#1158819 CVE-2019-19447 + +If the file system is corrupted such that a file's i_links_count is +too small, then it's possible that when unlinking that file, i_nlink +will already be zero. Previously we were working around this kind of +corruption by forcing i_nlink to one; but we were doing this before +trying to delete the directory entry --- and if the file system is +corrupted enough that ext4_delete_entry() fails, then we exit with +i_nlink elevated, and this causes the orphan inode list handling to be +FUBAR'ed, such that when we unmount the file system, the orphan inode +list can get corrupted. + +A better way to fix this is to simply skip trying to call drop_nlink() +if i_nlink is already zero, thus moving the check to the place where +it makes the most sense. + +https://bugzilla.kernel.org/show_bug.cgi?id=205433 + +Link: https://lore.kernel.org/r/20191112032903.8828-1-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Reviewed-by: Andreas Dilger +Acked-by: Jan Kara + +--- + fs/ext4/namei.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index a67cae3c8ff5..a856997d87b5 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3196,18 +3196,17 @@ static int ext4_unlink(struct inode *dir, struct dentry *dentry) + if (IS_DIRSYNC(dir)) + ext4_handle_sync(handle); + +- if (inode->i_nlink == 0) { +- ext4_warning_inode(inode, "Deleting file '%.*s' with no links", +- dentry->d_name.len, dentry->d_name.name); +- set_nlink(inode, 1); +- } + retval = ext4_delete_entry(handle, dir, de, bh); + if (retval) + goto end_unlink; + dir->i_ctime = dir->i_mtime = current_time(dir); + ext4_update_dx_flag(dir); + ext4_mark_inode_dirty(handle, dir); +- drop_nlink(inode); ++ if (inode->i_nlink == 0) ++ ext4_warning_inode(inode, "Deleting file '%.*s' with no links", ++ dentry->d_name.len, dentry->d_name.name); ++ else ++ drop_nlink(inode); + if (!inode->i_nlink) + ext4_orphan_add(handle, inode); + inode->i_ctime = current_time(inode); +-- +2.16.4 + diff --git a/patches.suse/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch b/patches.suse/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch index 87476c1..418124b 100644 --- a/patches.suse/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch +++ b/patches.suse/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch @@ -4,7 +4,7 @@ Date: Thu, 25 Apr 2019 22:24:05 -0700 Subject: [PATCH] fs/proc/proc_sysctl.c: Fix a NULL pointer dereference Git-commit: 89189557b47b35683a27c80ee78aef18248eefb4 Patch-mainline: v5.1-rc7 -References: bsc#1140887 +References: CVE-2019-20054 bsc#1159910 bsc#1140887 Syzkaller report this: diff --git a/patches.suse/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch b/patches.suse/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch index e8cda58..9af58b8 100644 --- a/patches.suse/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch +++ b/patches.suse/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch @@ -5,7 +5,7 @@ Subject: [PATCH] fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links Git-commit: 23da9588037ecdd4901db76a5b79a42b529c4ec3 Patch-mainline: v5.1-rc3 -References: bsc#1140887 +References: CVE-2019-20054 bsc#1159910 bsc#1140887 Syzkaller reports: diff --git a/patches.suse/genirq-Prevent-NULL-pointer-dereference-in-resend_ir.patch b/patches.suse/genirq-Prevent-NULL-pointer-dereference-in-resend_ir.patch new file mode 100644 index 0000000..273b331 --- /dev/null +++ b/patches.suse/genirq-Prevent-NULL-pointer-dereference-in-resend_ir.patch @@ -0,0 +1,80 @@ +From eddf3e9c7c7e4d0707c68d1bb22cc6ec8aef7d4a Mon Sep 17 00:00:00 2001 +From: Yunfeng Ye +Date: Wed, 4 Sep 2019 20:46:25 +0800 +Subject: [PATCH] genirq: Prevent NULL pointer dereference in resend_irqs() +Git-commit: eddf3e9c7c7e4d0707c68d1bb22cc6ec8aef7d4a +Patch-mainline: v5.3 +References: bsc#1051510 + +The following crash was observed: + + Unable to handle kernel NULL pointer dereference at 0000000000000158 + Internal error: Oops: 96000004 [#1] SMP + pc : resend_irqs+0x68/0xb0 + lr : resend_irqs+0x64/0xb0 + ... + Call trace: + resend_irqs+0x68/0xb0 + tasklet_action_common.isra.6+0x84/0x138 + tasklet_action+0x2c/0x38 + __do_softirq+0x120/0x324 + run_ksoftirqd+0x44/0x60 + smpboot_thread_fn+0x1ac/0x1e8 + kthread+0x134/0x138 + ret_from_fork+0x10/0x18 + +The reason for this is that the interrupt resend mechanism happens in soft +interrupt context, which is a asynchronous mechanism versus other +operations on interrupts. free_irq() does not take resend handling into +account. Thus, the irq descriptor might be already freed before the resend +tasklet is executed. resend_irqs() does not check the return value of the +interrupt descriptor lookup and derefences the return value +unconditionally. + + 1): + __setup_irq + irq_startup + check_irq_resend // activate softirq to handle resend irq + 2): + irq_domain_free_irqs + irq_free_descs + free_desc + call_rcu(&desc->rcu, delayed_free_desc) + 3): + __do_softirq + tasklet_action + resend_irqs + desc = irq_to_desc(irq) + desc->handle_irq(desc) // desc is NULL --> Ooops + +Fix this by adding a NULL pointer check in resend_irqs() before derefencing +the irq descriptor. + +Fixes: a4633adcdbc1 ("[PATCH] genirq: add genirq sw IRQ-retrigger") +Signed-off-by: Yunfeng Ye +Signed-off-by: Thomas Gleixner +Reviewed-by: Zhiqiang Liu +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1630ae13-5c8e-901e-de09-e740b6a426a7@huawei.com +Acked-by: Takashi Iwai + +--- + kernel/irq/resend.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/irq/resend.c b/kernel/irq/resend.c +index 95414ad3506a..98c04ca5fa43 100644 +--- a/kernel/irq/resend.c ++++ b/kernel/irq/resend.c +@@ -36,6 +36,8 @@ static void resend_irqs(unsigned long arg) + irq = find_first_bit(irqs_resend, nr_irqs); + clear_bit(irq, irqs_resend); + desc = irq_to_desc(irq); ++ if (!desc) ++ continue; + local_irq_disable(); + desc->handle_irq(desc); + local_irq_enable(); +-- +2.16.4 + diff --git a/patches.suse/genirq-Properly-pair-kobject_del-with-kobject_add.patch b/patches.suse/genirq-Properly-pair-kobject_del-with-kobject_add.patch new file mode 100644 index 0000000..3c8d8bb --- /dev/null +++ b/patches.suse/genirq-Properly-pair-kobject_del-with-kobject_add.patch @@ -0,0 +1,77 @@ +From d0ff14fdc987303aeeb7de6f1bd72c3749ae2a9b Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Thu, 1 Aug 2019 23:53:53 +0000 +Subject: [PATCH] genirq: Properly pair kobject_del() with kobject_add() +Git-commit: d0ff14fdc987303aeeb7de6f1bd72c3749ae2a9b +Patch-mainline: v5.3-rc6 +References: bsc#1051510 + +If alloc_descs() fails before irq_sysfs_init() has run, free_desc() in the +cleanup path will call kobject_del() even though the kobject has not been +added with kobject_add(). + +Fix this by making the call to kobject_del() conditional on whether +irq_sysfs_init() has run. + +This problem surfaced because commit aa30f47cf666 ("kobject: Add support +for default attribute groups to kobj_type") makes kobject_del() stricter +about pairing with kobject_add(). If the pairing is incorrrect, a WARNING +and backtrace occur in sysfs_remove_group() because there is no parent. + +[ tglx: Add a comment to the code and make it work with CONFIG_SYSFS=n ] + +Fixes: ecb3f394c5db ("genirq: Expose interrupt information through sysfs") +Signed-off-by: Michael Kelley +Signed-off-by: Thomas Gleixner +Acked-by: Greg Kroah-Hartman +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1564703564-4116-1-git-send-email-mikelley@microsoft.com +Acked-by: Takashi Iwai + +--- + kernel/irq/irqdesc.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c +index 9484e88dabc2..9be995fc3c5a 100644 +--- a/kernel/irq/irqdesc.c ++++ b/kernel/irq/irqdesc.c +@@ -295,6 +295,18 @@ static void irq_sysfs_add(int irq, struct irq_desc *desc) + } + } + ++static void irq_sysfs_del(struct irq_desc *desc) ++{ ++ /* ++ * If irq_sysfs_init() has not yet been invoked (early boot), then ++ * irq_kobj_base is NULL and the descriptor was never added. ++ * kobject_del() complains about a object with no parent, so make ++ * it conditional. ++ */ ++ if (irq_kobj_base) ++ kobject_del(&desc->kobj); ++} ++ + static int __init irq_sysfs_init(void) + { + struct irq_desc *desc; +@@ -325,6 +337,7 @@ static struct kobj_type irq_kobj_type = { + }; + + static void irq_sysfs_add(int irq, struct irq_desc *desc) {} ++static void irq_sysfs_del(struct irq_desc *desc) {} + + #endif /* CONFIG_SYSFS */ + +@@ -438,7 +451,7 @@ static void free_desc(unsigned int irq) + * The sysfs entry must be serialized against a concurrent + * irq_sysfs_init() as well. + */ +- kobject_del(&desc->kobj); ++ irq_sysfs_del(desc); + delete_irq_desc(irq); + + /* +-- +2.16.4 + diff --git a/patches.suse/ibmveth-Detect-unsupported-packets-before-sending-to.patch b/patches.suse/ibmveth-Detect-unsupported-packets-before-sending-to.patch new file mode 100644 index 0000000..9f3266d --- /dev/null +++ b/patches.suse/ibmveth-Detect-unsupported-packets-before-sending-to.patch @@ -0,0 +1,71 @@ +From 6f2275433a2f4ce5161dbd8a8b24b379d90bc150 Mon Sep 17 00:00:00 2001 +From: Cris Forno +Date: Wed, 13 Nov 2019 15:06:16 -0600 +Subject: [PATCH] ibmveth: Detect unsupported packets before sending to the + hypervisor + +References: bsc#1159484 ltc#182983 +Patch-mainline: v5.5-rc1 +Git-commit: 6f2275433a2f4ce5161dbd8a8b24b379d90bc150 + +Currently, when ibmveth receive a loopback packet, it reports an +ambiguous error message "tx: h_send_logical_lan failed with rc=-4" +because the hypervisor rejects those types of packets. This fix +detects loopback packet and assures the source packet's MAC address +matches the driver's MAC address before transmitting to the +hypervisor. + +Signed-off-by: Cris Forno +Signed-off-by: David S. Miller +Acked-by: Michal Suchanek +--- + drivers/net/ethernet/ibm/ibmveth.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index c5be4ebd8437..84121aab7ff1 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1011,6 +1011,29 @@ static int ibmveth_send(struct ibmveth_adapter *adapter, + return 0; + } + ++static int ibmveth_is_packet_unsupported(struct sk_buff *skb, ++ struct net_device *netdev) ++{ ++ struct ethhdr *ether_header; ++ int ret = 0; ++ ++ ether_header = eth_hdr(skb); ++ ++ if (ether_addr_equal(ether_header->h_dest, netdev->dev_addr)) { ++ netdev_dbg(netdev, "veth doesn't support loopback packets, dropping packet.\n"); ++ netdev->stats.tx_dropped++; ++ ret = -EOPNOTSUPP; ++ } ++ ++ if (!ether_addr_equal(ether_header->h_source, netdev->dev_addr)) { ++ netdev_dbg(netdev, "source packet MAC address does not match veth device's, dropping packet.\n"); ++ netdev->stats.tx_dropped++; ++ ret = -EOPNOTSUPP; ++ } ++ ++ return ret; ++} ++ + static netdev_tx_t ibmveth_start_xmit(struct sk_buff *skb, + struct net_device *netdev) + { +@@ -1022,6 +1045,9 @@ static netdev_tx_t ibmveth_start_xmit(struct sk_buff *skb, + dma_addr_t dma_addr; + unsigned long mss = 0; + ++ if (ibmveth_is_packet_unsupported(skb, netdev)) ++ goto out; ++ + /* veth doesn't handle frag_list, so linearize the skb. + * When GRO is enabled SKB's can have frag_list. + */ +-- +2.23.0 + diff --git a/patches.suse/ibmvnic-Fix-typo-in-retry-check.patch b/patches.suse/ibmvnic-Fix-typo-in-retry-check.patch deleted file mode 100644 index 6634bba..0000000 --- a/patches.suse/ibmvnic-Fix-typo-in-retry-check.patch +++ /dev/null @@ -1,33 +0,0 @@ -From patchwork Wed Dec 11 15:38:39 2019 -X-Patchwork-Id: 1207723 -Subject: [PATCH net v2] net/ibmvnic: Fix typo in retry check -Date: Wed, 11 Dec 2019 09:38:39 -0600 -From: Thomas Falcon - -References: bsc#1155689 ltc#182047 -Patch-mainline: submitted http://patchwork.ozlabs.org/patch/1207723/ - -This conditional is missing a bang, with the intent -being to break when the retry count reaches zero. - -Fixes: 476d96ca9c ("ibmvnic: Bound waits for device queries") -Suggested-by: Juliet Kim -Signed-off-by: Thomas Falcon -Acked-by: Michal Suchanek ---- - drivers/net/ethernet/ibm/ibmvnic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c -index efb0f10..2d84523 100644 ---- a/drivers/net/ethernet/ibm/ibmvnic.c -+++ b/drivers/net/ethernet/ibm/ibmvnic.c -@@ -184,7 +184,7 @@ static int ibmvnic_wait_for_completion(struct ibmvnic_adapter *adapter, - netdev_err(netdev, "Device down!\n"); - return -ENODEV; - } -- if (retry--) -+ if (!retry--) - break; - if (wait_for_completion_timeout(comp_done, div_timeout)) - return 0; diff --git a/patches.suse/ice-fix-stack-leakage.patch b/patches.suse/ice-fix-stack-leakage.patch new file mode 100644 index 0000000..e8b7987 --- /dev/null +++ b/patches.suse/ice-fix-stack-leakage.patch @@ -0,0 +1,41 @@ +From: Jesse Brandeburg +Date: Fri, 8 Nov 2019 06:23:21 -0800 +Subject: ice: fix stack leakage +Patch-mainline: v5.5-rc1 +Git-commit: 949375de945f7042df2b6488228a1a2b36e69f35 +References: bsc#1118661 FATE#325277 + +In the case of an invalid virtchannel request the driver +would return uninitialized data to the VF from the PF stack +which is a bug. Fix by initializing the stack variable +earlier in the function before any return paths can be taken. + +Fixes: 1071a8358a28 ("ice: Implement virtchnl commands for AVF support") +Signed-off-by: Jesse Brandeburg +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +@@ -1651,8 +1651,8 @@ static int ice_vc_get_stats_msg(struct i + enum virtchnl_status_code v_ret = VIRTCHNL_STATUS_SUCCESS; + struct virtchnl_queue_select *vqs = + (struct virtchnl_queue_select *)msg; ++ struct ice_eth_stats stats = { 0 }; + struct ice_pf *pf = vf->pf; +- struct ice_eth_stats stats; + struct ice_vsi *vsi; + + if (!test_bit(ICE_VF_STATE_ACTIVE, vf->vf_states)) { +@@ -1671,7 +1671,6 @@ static int ice_vc_get_stats_msg(struct i + goto error_param; + } + +- memset(&stats, 0, sizeof(struct ice_eth_stats)); + ice_update_eth_stats(vsi); + + stats = vsi->eth_stats; diff --git a/patches.suse/ipv4-Fix-table-id-reference-in-fib_sync_down_addr.patch b/patches.suse/ipv4-Fix-table-id-reference-in-fib_sync_down_addr.patch new file mode 100644 index 0000000..bccbfd9 --- /dev/null +++ b/patches.suse/ipv4-Fix-table-id-reference-in-fib_sync_down_addr.patch @@ -0,0 +1,33 @@ +From: David Ahern +Date: Thu, 7 Nov 2019 18:29:52 +0000 +Subject: ipv4: Fix table id reference in fib_sync_down_addr +Git-commit: e0a312629fefa943534fc46f7bfbe6de3fdaf463 +Patch-mainline: 5.4-rc7 +References: networking-stable-19_11_10 + +Hendrik reported routes in the main table using source address are not +removed when the address is removed. The problem is that fib_sync_down_addr +does not account for devices in the default VRF which are associated +with the main table. Fix by updating the table id reference. + +Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs") +Reported-by: Hendrik Donner +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + net/ipv4/fib_semantics.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -1347,8 +1347,8 @@ int fib_sync_down_addr(struct net_device + int ret = 0; + unsigned int hash = fib_laddr_hashfn(local); + struct hlist_head *head = &fib_info_laddrhash[hash]; ++ int tb_id = l3mdev_fib_table(dev) ? : RT_TABLE_MAIN; + struct net *net = dev_net(dev); +- int tb_id = l3mdev_fib_table(dev); + struct fib_info *fi; + + if (!fib_info_laddrhash || local == 0) diff --git a/patches.suse/iwlwifi-mvm-Send-non-offchannel-traffic-via-AP-sta.patch b/patches.suse/iwlwifi-mvm-Send-non-offchannel-traffic-via-AP-sta.patch new file mode 100644 index 0000000..4555094 --- /dev/null +++ b/patches.suse/iwlwifi-mvm-Send-non-offchannel-traffic-via-AP-sta.patch @@ -0,0 +1,51 @@ +From dc1aca22f8f38b7e2ad7b118db87404d11e68771 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Tue, 24 Jul 2018 21:57:50 +0300 +Subject: [PATCH] iwlwifi: mvm: Send non offchannel traffic via AP sta +Git-commit: dc1aca22f8f38b7e2ad7b118db87404d11e68771 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +TDLS discovery response frame is a unicast direct frame to the peer. +Since we don't have a STA for this peer, this frame goes through +iwl_tx_skb_non_sta(). As the result aux_sta and some completely +arbitrary queue would be selected for this frame, resulting in a queue +hang. Fix that by sending such frames through AP sta instead. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index 5bdc638fc999..55b965629e33 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -809,6 +809,21 @@ static void iwl_mvm_mac_tx(struct ieee80211_hw *hw, + !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) + sta = NULL; + ++ /* If there is no sta, and it's not offchannel - send through AP */ ++ if (info->control.vif->type == NL80211_IFTYPE_STATION && ++ info->hw_queue != IWL_MVM_OFFCHANNEL_QUEUE && !sta) { ++ struct iwl_mvm_vif *mvmvif = ++ iwl_mvm_vif_from_mac80211(info->control.vif); ++ u8 ap_sta_id = READ_ONCE(mvmvif->ap_sta_id); ++ ++ if (ap_sta_id < IWL_MVM_STATION_COUNT) { ++ /* mac80211 holds rcu read lock */ ++ sta = rcu_dereference(mvm->fw_id_to_mac_id[ap_sta_id]); ++ if (IS_ERR_OR_NULL(sta)) ++ goto drop; ++ } ++ } ++ + if (sta) { + if (iwl_mvm_defer_tx(mvm, sta, skb)) + return; +-- +2.16.4 + diff --git a/patches.suse/iwlwifi-mvm-synchronize-TID-queue-removal.patch b/patches.suse/iwlwifi-mvm-synchronize-TID-queue-removal.patch new file mode 100644 index 0000000..2d9c2e0 --- /dev/null +++ b/patches.suse/iwlwifi-mvm-synchronize-TID-queue-removal.patch @@ -0,0 +1,47 @@ +From 06bc6f6ed4ae0246a5e52094d1be90906a1361c7 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 4 Jul 2018 23:12:33 +0200 +Subject: [PATCH] iwlwifi: mvm: synchronize TID queue removal +Git-commit: 06bc6f6ed4ae0246a5e52094d1be90906a1361c7 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +When we mark a TID as no longer having a queue, there's no +guarantee the TX path isn't using this txq_id right now, +having accessed it just before we reset the value. To fix +this, add synchronize_net() when we change the TIDs from +having a queue to not having one, so that we can then be +sure that the TX path is no longer accessing that queue. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +index 1887d2b9f185..c2b7bb5d107c 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -545,6 +545,16 @@ static int iwl_mvm_remove_sta_queue_marking(struct iwl_mvm *mvm, int queue) + + rcu_read_unlock(); + ++ /* ++ * The TX path may have been using this TXQ_ID from the tid_data, ++ * so make sure it's no longer running so that we can safely reuse ++ * this TXQ later. We've set all the TIDs to IWL_MVM_INVALID_QUEUE ++ * above, but nothing guarantees we've stopped using them. Thus, ++ * without this, we could get to iwl_mvm_disable_txq() and remove ++ * the queue while still sending frames to it. ++ */ ++ synchronize_net(); ++ + return disable_agg_tids; + } + +-- +2.16.4 + diff --git a/patches.suse/kernfs-Fix-range-checks-in-kernfs_get_target_path.patch b/patches.suse/kernfs-Fix-range-checks-in-kernfs_get_target_path.patch new file mode 100644 index 0000000..94534ae --- /dev/null +++ b/patches.suse/kernfs-Fix-range-checks-in-kernfs_get_target_path.patch @@ -0,0 +1,50 @@ +From a75e78f21f9ad4b810868c89dbbabcc3931591ca Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sat, 7 Jul 2018 17:52:47 +0000 +Subject: [PATCH] kernfs: Fix range checks in kernfs_get_target_path +Git-commit: a75e78f21f9ad4b810868c89dbbabcc3931591ca +Patch-mainline: v4.20-rc1 +References: bsc#1051510 + +The terminating NUL byte is only there because the buffer is +allocated with kzalloc(PAGE_SIZE, GFP_KERNEL), but since the +range-check is off-by-one, and PAGE_SIZE==PATH_MAX, the +returned string may not be zero-terminated if it is exactly +PATH_MAX characters long. Furthermore also the initial loop +may theoretically exceed PATH_MAX and cause a fault. + +Signed-off-by: Bernd Edlinger +Acked-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + fs/kernfs/symlink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/kernfs/symlink.c b/fs/kernfs/symlink.c +index 305b220af45d..162f43b80c84 100644 +--- a/fs/kernfs/symlink.c ++++ b/fs/kernfs/symlink.c +@@ -72,6 +72,9 @@ static int kernfs_get_target_path(struct kernfs_node *parent, + if (base == kn) + break; + ++ if ((s - path) + 3 >= PATH_MAX) ++ return -ENAMETOOLONG; ++ + strcpy(s, "../"); + s += 3; + base = base->parent; +@@ -88,7 +91,7 @@ static int kernfs_get_target_path(struct kernfs_node *parent, + if (len < 2) + return -EINVAL; + len--; +- if ((s - path) + len > PATH_MAX) ++ if ((s - path) + len >= PATH_MAX) + return -ENAMETOOLONG; + + /* reverse fillup of target string from target to base */ +-- +2.16.4 + diff --git a/patches.suse/kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl b/patches.suse/kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl new file mode 100644 index 0000000..3359731 --- /dev/null +++ b/patches.suse/kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl @@ -0,0 +1,75 @@ +From: Thomas Huth +Date: Thu, 12 Sep 2019 13:54:38 +0200 +Subject: KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT + ioctl +Git-commit: 53936b5bf35e140ae27e4bbf0447a61063f400da +Patch-mainline: v5.3 +References: git-fixes + +When the userspace program runs the KVM_S390_INTERRUPT ioctl to inject +an interrupt, we convert them from the legacy struct kvm_s390_interrupt +to the new struct kvm_s390_irq via the s390int_to_s390irq() function. +However, this function does not take care of all types of interrupts +that we can inject into the guest later (see do_inject_vcpu()). Since we +do not clear out the s390irq values before calling s390int_to_s390irq(), +there is a chance that we copy random data from the kernel stack which +could be leaked to the userspace later. + +Specifically, the problem exists with the KVM_S390_INT_PFAULT_INIT +interrupt: s390int_to_s390irq() does not handle it, and the function +__inject_pfault_init() later copies irq->u.ext which contains the +random kernel stack data. This data can then be leaked either to +the guest memory in __deliver_pfault_init(), or the userspace might +retrieve it directly with the KVM_S390_GET_IRQ_STATE ioctl. + +Fix it by handling that interrupt type in s390int_to_s390irq(), too, +and by making sure that the s390irq struct is properly pre-initialized. +And while we're at it, make sure that s390int_to_s390irq() now +directly returns -EINVAL for unknown interrupt types, so that we +immediately get a proper error code in case we add more interrupt +types to do_inject_vcpu() without updating s390int_to_s390irq() +sometime in the future. + +Cc: stable@vger.kernel.org +Reviewed-by: David Hildenbrand +Reviewed-by: Christian Borntraeger +Reviewed-by: Janosch Frank +Signed-off-by: Thomas Huth +Link: https://lore.kernel.org/kvm/20190912115438.25761-1-thuth@redhat.com +Signed-off-by: Christian Borntraeger +Acked-by: Petr Tesarik +--- + arch/s390/kvm/interrupt.c | 10 ++++++++++ + arch/s390/kvm/kvm-s390.c | 2 +- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1714,6 +1714,16 @@ int s390int_to_s390irq(struct kvm_s390_i + case KVM_S390_MCHK: + irq->u.mchk.mcic = s390int->parm64; + break; ++ case KVM_S390_INT_PFAULT_INIT: ++ irq->u.ext.ext_params = s390int->parm; ++ irq->u.ext.ext_params2 = s390int->parm64; ++ break; ++ case KVM_S390_RESTART: ++ case KVM_S390_INT_CLOCK_COMP: ++ case KVM_S390_INT_CPU_TIMER: ++ break; ++ default: ++ return -EINVAL; + } + return 0; + } +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -3775,7 +3775,7 @@ long kvm_arch_vcpu_ioctl(struct file *fi + } + case KVM_S390_INTERRUPT: { + struct kvm_s390_interrupt s390int; +- struct kvm_s390_irq s390irq; ++ struct kvm_s390_irq s390irq = {}; + + r = -EFAULT; + if (copy_from_user(&s390int, argp, sizeof(s390int))) diff --git a/patches.suse/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op b/patches.suse/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op new file mode 100644 index 0000000..b4d583f --- /dev/null +++ b/patches.suse/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op @@ -0,0 +1,48 @@ +From: Thomas Huth +Date: Thu, 29 Aug 2019 14:25:17 +0200 +Subject: KVM: s390: Test for bad access register and size at the start of + S390_MEM_OP +Git-commit: a13b03bbb4575b350b46090af4dfd30e735aaed1 +Patch-mainline: v5.4-rc1 +References: git-fixes + +If the KVM_S390_MEM_OP ioctl is called with an access register >= 16, +then there is certainly a bug in the calling userspace application. +We check for wrong access registers, but only if the vCPU was already +in the access register mode before (i.e. the SIE block has recorded +it). The check is also buried somewhere deep in the calling chain (in +the function ar_translation()), so this is somewhat hard to find. + +It's better to always report an error to the userspace in case this +field is set wrong, and it's safer in the KVM code if we block wrong +values here early instead of relying on a check somewhere deep down +the calling chain, so let's add another check to kvm_s390_guest_mem_op() +directly. + +We also should check that the "size" is non-zero here (thanks to Janosch +Frank for the hint!). If we do not check the size, we could call vmalloc() +with this 0 value, and this will cause a kernel warning. + +Signed-off-by: Thomas Huth +Link: https://lkml.kernel.org/r/20190829122517.31042-1-thuth@redhat.com +Reviewed-by: Cornelia Huck +Reviewed-by: Janosch Frank +Reviewed-by: David Hildenbrand +Cc: stable@vger.kernel.org +Signed-off-by: Christian Borntraeger +Acked-by: Petr Tesarik +--- + arch/s390/kvm/kvm-s390.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -3703,7 +3703,7 @@ static long kvm_s390_guest_mem_op(struct + const u64 supported_flags = KVM_S390_MEMOP_F_INJECT_EXCEPTION + | KVM_S390_MEMOP_F_CHECK_ONLY; + +- if (mop->flags & ~supported_flags) ++ if (mop->flags & ~supported_flags || mop->ar >= NUM_ACRS || !mop->size) + return -EINVAL; + + if (mop->size > MEM_OP_MAX_SIZE) diff --git a/patches.suse/lpfc-size-cpu-map-by-last-cpu-id-set.patch b/patches.suse/lpfc-size-cpu-map-by-last-cpu-id-set.patch index 97fb2a8..d48a205 100644 --- a/patches.suse/lpfc-size-cpu-map-by-last-cpu-id-set.patch +++ b/patches.suse/lpfc-size-cpu-map-by-last-cpu-id-set.patch @@ -1,7 +1,8 @@ From: James Smart Date: Thu, 21 Nov 2019 09:55:56 -0800 Subject: [PATCH] lpfc: size cpu map by last cpu id set -Patch-Mainline: submitted linux-scsi 2019/11/20 +Patch-mainline: v5.5-rc1 +Git-commit: eede4970fb6c29f2056d7d016a3764c90e9d8a65 References: bsc#1157160 Currently the lpfc driver sizes its cpu_map array based on diff --git a/patches.suse/media-cec-report-Vendor-ID-after-initialization.patch b/patches.suse/media-cec-report-Vendor-ID-after-initialization.patch new file mode 100644 index 0000000..f2d316a --- /dev/null +++ b/patches.suse/media-cec-report-Vendor-ID-after-initialization.patch @@ -0,0 +1,42 @@ +From 7f02ac77c768ba2bcdd0ce719c1fca0870ffe2fb Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 16 Oct 2018 03:44:20 -0400 +Subject: [PATCH] media: cec: report Vendor ID after initialization +Git-commit: 7f02ac77c768ba2bcdd0ce719c1fca0870ffe2fb +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +The CEC specification requires that the Vendor ID (if any) is reported +after a logical address was claimed. + +This was never done, so add support for this. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/cec/cec-adap.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c +index 65a933a21e68..5b7fe4796022 100644 +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -1432,6 +1432,13 @@ static int cec_config_thread_func(void *arg) + las->log_addr[i], + cec_phys_addr_exp(adap->phys_addr)); + cec_transmit_msg_fh(adap, &msg, NULL, false); ++ ++ /* Report Vendor ID */ ++ if (adap->log_addrs.vendor_id != CEC_VENDOR_ID_NONE) { ++ cec_msg_device_vendor_id(&msg, ++ adap->log_addrs.vendor_id); ++ cec_transmit_msg_fh(adap, &msg, NULL, false); ++ } + } + adap->kthread_config = NULL; + complete(&adap->config_completion); +-- +2.16.4 + diff --git a/patches.suse/media-cec.h-CEC_OP_REC_FLAG_-values-were-swapped.patch b/patches.suse/media-cec.h-CEC_OP_REC_FLAG_-values-were-swapped.patch new file mode 100644 index 0000000..f162aec --- /dev/null +++ b/patches.suse/media-cec.h-CEC_OP_REC_FLAG_-values-were-swapped.patch @@ -0,0 +1,39 @@ +From 806e0cdfee0b99efbb450f9f6e69deb7118602fc Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 16 Sep 2019 02:47:41 -0300 +Subject: [PATCH] media: cec.h: CEC_OP_REC_FLAG_ values were swapped +Git-commit: 806e0cdfee0b99efbb450f9f6e69deb7118602fc +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +CEC_OP_REC_FLAG_NOT_USED is 0 and CEC_OP_REC_FLAG_USED is 1, not the +other way around. + +Signed-off-by: Hans Verkuil +Reported-by: Jiunn Chang +Cc: # for v4.10 and up +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + include/uapi/linux/cec.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/cec.h b/include/uapi/linux/cec.h +index d8c04eb79d89..7a5d843af8c9 100644 +--- a/include/uapi/linux/cec.h ++++ b/include/uapi/linux/cec.h +@@ -768,8 +768,8 @@ struct cec_event { + #define CEC_MSG_SELECT_DIGITAL_SERVICE 0x93 + #define CEC_MSG_TUNER_DEVICE_STATUS 0x07 + /* Recording Flag Operand (rec_flag) */ +-#define CEC_OP_REC_FLAG_USED 0 +-#define CEC_OP_REC_FLAG_NOT_USED 1 ++#define CEC_OP_REC_FLAG_NOT_USED 0 ++#define CEC_OP_REC_FLAG_USED 1 + /* Tuner Display Info Operand (tuner_display_info) */ + #define CEC_OP_TUNER_DISPLAY_INFO_DIGITAL 0 + #define CEC_OP_TUNER_DISPLAY_INFO_NONE 1 +-- +2.16.4 + diff --git a/patches.suse/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch b/patches.suse/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch index e46f309..100f751 100644 --- a/patches.suse/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch +++ b/patches.suse/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch @@ -4,7 +4,7 @@ Date: Wed, 6 Mar 2019 07:45:08 -0500 Subject: [PATCH] media: cpia2: Fix use-after-free in cpia2_exit Git-commit: dea37a97265588da604c6ba80160a287b72c7bfd Patch-mainline: v5.2-rc1 -References: bsc#1051510 +References: CVE-2019-19966 bsc#1159841 bsc#1051510 Syzkaller report this: diff --git a/patches.suse/media-pulse8-cec-return-0-when-invalidating-the-logi.patch b/patches.suse/media-pulse8-cec-return-0-when-invalidating-the-logi.patch new file mode 100644 index 0000000..84e6be7 --- /dev/null +++ b/patches.suse/media-pulse8-cec-return-0-when-invalidating-the-logi.patch @@ -0,0 +1,37 @@ +From 2e84eb9affac43eeaf834992888b72426a8cd442 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 14 Nov 2018 08:25:53 -0500 +Subject: [PATCH] media: pulse8-cec: return 0 when invalidating the logical address +Git-commit: 2e84eb9affac43eeaf834992888b72426a8cd442 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +Return 0 when invalidating the logical address. The cec core produces +a warning for drivers that do this. + +Signed-off-by: Hans Verkuil +Reported-by: Torbjorn Jansson +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/pulse8-cec/pulse8-cec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/pulse8-cec/pulse8-cec.c b/drivers/media/usb/pulse8-cec/pulse8-cec.c +index 365c78b748dd..b085b14f3f87 100644 +--- a/drivers/media/usb/pulse8-cec/pulse8-cec.c ++++ b/drivers/media/usb/pulse8-cec/pulse8-cec.c +@@ -586,7 +586,7 @@ static int pulse8_cec_adap_log_addr(struct cec_adapter *adap, u8 log_addr) + else + pulse8->config_pending = true; + mutex_unlock(&pulse8->config_lock); +- return err; ++ return log_addr == CEC_LOG_ADDR_INVALID ? 0 : err; + } + + static int pulse8_cec_adap_transmit(struct cec_adapter *adap, u8 attempts, +-- +2.16.4 + diff --git a/patches.suse/media-stkwebcam-Bugfix-for-wrong-return-values.patch b/patches.suse/media-stkwebcam-Bugfix-for-wrong-return-values.patch new file mode 100644 index 0000000..fc2eeaa --- /dev/null +++ b/patches.suse/media-stkwebcam-Bugfix-for-wrong-return-values.patch @@ -0,0 +1,42 @@ +From 3c28b91380dd1183347d32d87d820818031ebecf Mon Sep 17 00:00:00 2001 +From: Andreas Pape +Date: Fri, 23 Nov 2018 11:14:54 -0500 +Subject: [PATCH] media: stkwebcam: Bugfix for wrong return values +Git-commit: 3c28b91380dd1183347d32d87d820818031ebecf +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +usb_control_msg returns in case of a successfully sent message the number +of sent bytes as a positive number. Don't use this value as a return value +for stk_camera_read_reg, as a non-zero return value is used as an error +condition in some cases when stk_camera_read_reg is called. + +Signed-off-by: Andreas Pape +Reviewed-by: Kieran Bingham +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/usb/stkwebcam/stk-webcam.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/stkwebcam/stk-webcam.c b/drivers/media/usb/stkwebcam/stk-webcam.c +index e61427e50525..b8ec74d98e8d 100644 +--- a/drivers/media/usb/stkwebcam/stk-webcam.c ++++ b/drivers/media/usb/stkwebcam/stk-webcam.c +@@ -171,7 +171,11 @@ int stk_camera_read_reg(struct stk_camera *dev, u16 index, u8 *value) + *value = *buf; + + kfree(buf); +- return ret; ++ ++ if (ret < 0) ++ return ret; ++ else ++ return 0; + } + + static int stk_start_stream(struct stk_camera *dev) +-- +2.16.4 + diff --git a/patches.suse/mlxsw-spectrum_router-Fix-determining-underlay-for-a.patch b/patches.suse/mlxsw-spectrum_router-Fix-determining-underlay-for-a.patch new file mode 100644 index 0000000..1824a09 --- /dev/null +++ b/patches.suse/mlxsw-spectrum_router-Fix-determining-underlay-for-a.patch @@ -0,0 +1,68 @@ +From: Petr Machata +Date: Mon, 18 Nov 2019 09:18:42 +0200 +Subject: mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel +Patch-mainline: v5.4 +Git-commit: 1fc1657775dc1b19e9ac1d46b4054ed8ae5d99ab +References: bsc#1112374 + +The helper mlxsw_sp_ipip_dev_ul_tb_id() determines the underlay VRF of a +GRE tunnel. For a tunnel without a bound device, it uses the same VRF that +the tunnel is in. However in Linux, a GRE tunnel without a bound device +uses the main VRF as the underlay. Fix the function accordingly. + +mlxsw further assumed that moving a tunnel to a different VRF could cause +conflict in local tunnel endpoint address, which cannot be offloaded. +However, the only way that an underlay could be changed by moving the +tunnel device itself is if the tunnel device does not have a bound device. +But in that case the underlay is always the main VRF, so there is no +opportunity to introduce a conflict by moving such device. Thus this check +constitutes a dead code, and can be removed, which do. + +Fixes: 6ddb7426a7d4 ("mlxsw: spectrum_router: Introduce loopback RIFs") +Signed-off-by: Petr Machata +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 19 ------------------ + 1 file changed, 1 insertion(+), 18 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -984,7 +984,7 @@ u32 mlxsw_sp_ipip_dev_ul_tb_id(const str + if (d) + return l3mdev_fib_table(d) ? : RT_TABLE_MAIN; + else +- return l3mdev_fib_table(ol_dev) ? : RT_TABLE_MAIN; ++ return RT_TABLE_MAIN; + } + + static struct mlxsw_sp_rif * +@@ -1589,27 +1589,10 @@ static int mlxsw_sp_netdevice_ipip_ol_vr + { + struct mlxsw_sp_ipip_entry *ipip_entry = + mlxsw_sp_ipip_entry_find_by_ol_dev(mlxsw_sp, ol_dev); +- enum mlxsw_sp_l3proto ul_proto; +- union mlxsw_sp_l3addr saddr; +- u32 ul_tb_id; + + if (!ipip_entry) + return 0; + +- /* For flat configuration cases, moving overlay to a different VRF might +- * cause local address conflict, and the conflicting tunnels need to be +- * demoted. +- */ +- ul_tb_id = mlxsw_sp_ipip_dev_ul_tb_id(ol_dev); +- ul_proto = mlxsw_sp->router->ipip_ops_arr[ipip_entry->ipipt]->ul_proto; +- saddr = mlxsw_sp_ipip_netdev_saddr(ul_proto, ol_dev); +- if (mlxsw_sp_ipip_demote_tunnel_by_saddr(mlxsw_sp, ul_proto, +- saddr, ul_tb_id, +- ipip_entry)) { +- mlxsw_sp_ipip_entry_demote_tunnel(mlxsw_sp, ipip_entry); +- return 0; +- } +- + return __mlxsw_sp_ipip_entry_update_tunnel(mlxsw_sp, ipip_entry, + true, false, false, extack); + } diff --git a/patches.suse/mmc-mediatek-fix-CMD_TA-to-2-for-MT8173-HS200-HS400-.patch b/patches.suse/mmc-mediatek-fix-CMD_TA-to-2-for-MT8173-HS200-HS400-.patch new file mode 100644 index 0000000..fc658f2 --- /dev/null +++ b/patches.suse/mmc-mediatek-fix-CMD_TA-to-2-for-MT8173-HS200-HS400-.patch @@ -0,0 +1,43 @@ +From 8f34e5bd7024d1ffebddd82d7318b1be17be9e9a Mon Sep 17 00:00:00 2001 +From: Chaotian Jing +Date: Wed, 4 Dec 2019 15:19:58 +0800 +Subject: [PATCH] mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode +Git-commit: 8f34e5bd7024d1ffebddd82d7318b1be17be9e9a +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +there is a chance that always get response CRC error after HS200 tuning, +the reason is that need set CMD_TA to 2. this modification is only for +MT8173. + +Signed-off-by: Chaotian Jing +Tested-by: Hsin-Yi Wang +Cc: stable@vger.kernel.org +Fixes: 1ede5cb88a29 ("mmc: mediatek: Use data tune for CMD line tune") +Link: https://lore.kernel.org/r/20191204071958.18553-1-chaotian.jing@mediatek.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/mtk-sd.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -212,6 +212,8 @@ + #define MSDC_PATCH_BIT_SPCPUSH (0x1 << 29) /* RW */ + #define MSDC_PATCH_BIT_DECRCTMO (0x1 << 30) /* RW */ + ++#define MSDC_PATCH_BIT1_CMDTA (0x7 << 3) /* RW */ ++ + #define MSDC_PAD_TUNE_DATWRDLY (0x1f << 0) /* RW */ + #define MSDC_PAD_TUNE_DATRRDLY (0x1f << 8) /* RW */ + #define MSDC_PAD_TUNE_CMDRDLY (0x1f << 16) /* RW */ +@@ -1442,6 +1444,7 @@ static int hs400_tune_response(struct mm + + /* select EMMC50 PAD CMD tune */ + sdr_set_bits(host->base + PAD_CMD_TUNE, BIT(0)); ++ sdr_set_field(host->base + MSDC_PATCH_BIT1, MSDC_PATCH_BIT1_CMDTA, 2); + + if (mmc->ios.timing == MMC_TIMING_MMC_HS200 || + mmc->ios.timing == MMC_TIMING_UHS_SDR104) diff --git a/patches.suse/mmc-sdhci-of-esdhc-Revert-mmc-sdhci-of-esdhc-add-err.patch b/patches.suse/mmc-sdhci-of-esdhc-Revert-mmc-sdhci-of-esdhc-add-err.patch new file mode 100644 index 0000000..9d3c910 --- /dev/null +++ b/patches.suse/mmc-sdhci-of-esdhc-Revert-mmc-sdhci-of-esdhc-add-err.patch @@ -0,0 +1,54 @@ +From 8b6dc6b2d60221e90703babbc141f063b8a07e72 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Wed, 4 Dec 2019 09:54:46 +0100 +Subject: [PATCH] mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" +Git-commit: 8b6dc6b2d60221e90703babbc141f063b8a07e72 +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +This reverts commit 5dd195522562542bc6ebe6e7bd47890d8b7ca93c. + +First, the fix seems to be plain wrong, since the erratum suggests +waiting 5ms before setting setting SYSCTL[RSTD], but this msleep() +happens after the call of sdhci_reset() which is where that bit gets +set (if SDHCI_RESET_DATA is in mask). + +Second, walking the whole device tree to figure out if some node has a +"fsl,p2020-esdhc" compatible string is hugely expensive - about 70 to +100 us on our mpc8309 board. Walking the device tree is done under a +raw_spin_lock, so this is obviously really bad on an -rt system, and a +waste of time on all. + +In fact, since esdhc_reset() seems to get called around 100 times per +second, that mpc8309 now spends 0.8% of its time determining that +it is not a p2020. Whether those 100 calls/s are normal or due to some +other bug or misconfiguration, regularly hitting a 100 us +non-preemptible window is unacceptable. + +Signed-off-by: Rasmus Villemoes +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191204085447.27491-1-linux@rasmusvillemoes.dk +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/sdhci-of-esdhc.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c +index 5cca3fa4610b..7f87a90bf56a 100644 +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -764,9 +764,6 @@ static void esdhc_reset(struct sdhci_host *host, u8 mask) + sdhci_writel(host, host->ier, SDHCI_INT_ENABLE); + sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE); + +- if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) +- mdelay(5); +- + if (mask & SDHCI_RESET_ALL) { + val = sdhci_readl(host, ESDHC_TBCTL); + val &= ~ESDHC_TB_EN; +-- +2.16.4 + diff --git a/patches.suse/mmc-sdhci-of-esdhc-fix-P2020-errata-handling.patch b/patches.suse/mmc-sdhci-of-esdhc-fix-P2020-errata-handling.patch new file mode 100644 index 0000000..695ce5c --- /dev/null +++ b/patches.suse/mmc-sdhci-of-esdhc-fix-P2020-errata-handling.patch @@ -0,0 +1,51 @@ +From fe0acab448f68c3146235afe03fb932e242ec94c Mon Sep 17 00:00:00 2001 +From: Yangbo Lu +Date: Mon, 16 Dec 2019 11:18:42 +0800 +Subject: [PATCH] mmc: sdhci-of-esdhc: fix P2020 errata handling +Git-commit: fe0acab448f68c3146235afe03fb932e242ec94c +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +Two previous patches introduced below quirks for P2020 platforms. +- SDHCI_QUIRK_RESET_AFTER_REQUEST +- SDHCI_QUIRK_BROKEN_TIMEOUT_VAL + +The patches made a mistake to add them in quirks2 of sdhci_host +structure, while they were defined for quirks. + host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST; + host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; + +This patch is to fix them. + host->quirks |= SDHCI_QUIRK_RESET_AFTER_REQUEST; + host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; + +Fixes: 05cb6b2a66fa ("mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support") +Fixes: a46e42712596 ("mmc: sdhci-of-esdhc: add erratum eSDHC5 support") +Signed-off-by: Yangbo Lu +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191216031842.40068-1-yangbo.lu@nxp.com +Signed-off-by: Ulf Hansson +Acked-by: Takashi Iwai + +--- + drivers/mmc/host/sdhci-of-esdhc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c +index 7f87a90bf56a..4ca640e6fd55 100644 +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -1300,8 +1300,8 @@ static int sdhci_esdhc_probe(struct platform_device *pdev) + host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ; + + if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) { +- host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST; +- host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; ++ host->quirks |= SDHCI_QUIRK_RESET_AFTER_REQUEST; ++ host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; + } + + if (of_device_is_compatible(np, "fsl,p5040-esdhc") || +-- +2.16.4 + diff --git a/patches.suse/mqprio-Fix-out-of-bounds-access-in-mqprio_dump.patch b/patches.suse/mqprio-Fix-out-of-bounds-access-in-mqprio_dump.patch new file mode 100644 index 0000000..bbf689d --- /dev/null +++ b/patches.suse/mqprio-Fix-out-of-bounds-access-in-mqprio_dump.patch @@ -0,0 +1,40 @@ +From: Vladyslav Tarasiuk +Date: Fri, 6 Dec 2019 13:51:05 +0000 +Subject: mqprio: Fix out-of-bounds access in mqprio_dump +Patch-mainline: v5.5-rc1 +Git-commit: 9f104c7736904ac72385bbb48669e0c923ca879b +References: bsc#1109837 + +When user runs a command like +tc qdisc add dev eth1 root mqprio +KASAN stack-out-of-bounds warning is emitted. +Currently, NLA_ALIGN macro used in mqprio_dump provides too large +buffer size as argument for nla_put and memcpy down the call stack. +The flow looks like this: +1. nla_put expects exact object size as an argument; +2. Later it provides this size to memcpy; +3. To calculate correct padding for SKB, nla_put applies NLA_ALIGN + macro itself. + +Therefore, NLA_ALIGN should not be applied to the nla_put parameter. +Otherwise it will lead to out-of-bounds memory access in memcpy. + +Fixes: 4e8b86c06269 ("mqprio: Introduce new hardware offload mode and shaper in mqprio") +Signed-off-by: Vladyslav Tarasiuk +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + net/sched/sch_mqprio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -436,7 +436,7 @@ static int mqprio_dump(struct Qdisc *sch + opt.offset[tc] = dev->tc_to_txq[tc].offset; + } + +- if (nla_put(skb, TCA_OPTIONS, NLA_ALIGN(sizeof(opt)), &opt)) ++ if (nla_put(skb, TCA_OPTIONS, sizeof(opt), &opt)) + goto nla_put_failure; + + if ((priv->flags & TC_MQPRIO_F_MODE) && diff --git a/patches.suse/mwifiex-Fix-mem-leak-in-mwifiex_tm_cmd.patch b/patches.suse/mwifiex-Fix-mem-leak-in-mwifiex_tm_cmd.patch index 0cbcbd5..572d957 100644 --- a/patches.suse/mwifiex-Fix-mem-leak-in-mwifiex_tm_cmd.patch +++ b/patches.suse/mwifiex-Fix-mem-leak-in-mwifiex_tm_cmd.patch @@ -4,7 +4,7 @@ Date: Tue, 12 Mar 2019 15:03:58 +0800 Subject: [PATCH] mwifiex: Fix mem leak in mwifiex_tm_cmd Git-commit: 003b686ace820ce2d635a83f10f2d7f9c147dabc Patch-mainline: v5.2-rc1 -References: bsc#1051510 +References: CVE-2019-20095 bsc#1159909 bsc#1051510 'hostcmd' is alloced by kzalloc, should be freed before leaving from the error handling cases, otherwise it will diff --git a/patches.suse/net-cdc_ncm-Signedness-bug-in-cdc_ncm_set_dgram_size.patch b/patches.suse/net-cdc_ncm-Signedness-bug-in-cdc_ncm_set_dgram_size.patch new file mode 100644 index 0000000..78e0a10 --- /dev/null +++ b/patches.suse/net-cdc_ncm-Signedness-bug-in-cdc_ncm_set_dgram_size.patch @@ -0,0 +1,31 @@ +From: Dan Carpenter +Date: Wed, 13 Nov 2019 21:28:31 +0300 +Subject: net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() +Git-commit: a56dcc6b455830776899ce3686735f1172e12243 +Patch-mainline: 5.4-rc8 +References: git-fixes + +This code is supposed to test for negative error codes and partial +reads, but because sizeof() is size_t (unsigned) type then negative +error codes are type promoted to high positive values and the condition +doesn't work as expected. + +Fixes: 332f989a3b00 ("CDC-NCM: handle incomplete transfer of MTU") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/usb/cdc_ncm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -577,7 +577,7 @@ static void cdc_ncm_set_dgram_size(struc + err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE, + USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE, + 0, iface_no, &max_datagram_size, sizeof(max_datagram_size)); +- if (err < sizeof(max_datagram_size)) { ++ if (err != sizeof(max_datagram_size)) { + dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n"); + goto out; + } diff --git a/patches.suse/net-ethernet-octeon_mgmt-Account-for-second-possible.patch b/patches.suse/net-ethernet-octeon_mgmt-Account-for-second-possible.patch new file mode 100644 index 0000000..adf5934 --- /dev/null +++ b/patches.suse/net-ethernet-octeon_mgmt-Account-for-second-possible.patch @@ -0,0 +1,29 @@ +From: Alexander Sverdlin +Date: Fri, 8 Nov 2019 10:00:44 +0000 +Subject: net: ethernet: octeon_mgmt: Account for second possible VLAN header +Git-commit: e4dd5608033efe7b6030cde359bfdbaeb73bc22d +Patch-mainline: 5.4-rc7 +References: networking-stable-19_11_10 + +Octeon's input ring-buffer entry has 14 bits-wide size field, so to account +for second possible VLAN header max_mtu must be further reduced. + +Fixes: 109cc16526c6d ("ethernet/cavium: use core min/max MTU checking") +Signed-off-by: Alexander Sverdlin +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/cavium/octeon/octeon_mgmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c ++++ b/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c +@@ -1497,7 +1497,7 @@ static int octeon_mgmt_probe(struct plat + netdev->ethtool_ops = &octeon_mgmt_ethtool_ops; + + netdev->min_mtu = 64 - OCTEON_MGMT_RX_HEADROOM; +- netdev->max_mtu = 16383 - OCTEON_MGMT_RX_HEADROOM; ++ netdev->max_mtu = 16383 - OCTEON_MGMT_RX_HEADROOM - VLAN_HLEN; + + mac = of_get_mac_address(pdev->dev.of_node); + diff --git a/patches.suse/net-fix-data-race-in-neigh_event_send.patch b/patches.suse/net-fix-data-race-in-neigh_event_send.patch new file mode 100644 index 0000000..1fe6657 --- /dev/null +++ b/patches.suse/net-fix-data-race-in-neigh_event_send.patch @@ -0,0 +1,84 @@ +From: Eric Dumazet +Date: Thu, 7 Nov 2019 20:08:19 -0800 +Subject: net: fix data-race in neigh_event_send() +Git-commit: 1b53d64435d56902fc234ff2507142d971a09687 +Patch-mainline: 5.4-rc7 +References: networking-stable-19_11_10 + +KCSAN reported the following data-race [1] + +The fix will also prevent the compiler from optimizing out +the condition. + +[1] + +BUG: KCSAN: data-race in neigh_resolve_output / neigh_resolve_output + +write to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 1: + neigh_event_send include/net/neighbour.h:443 [inline] + neigh_resolve_output+0x78/0x480 net/core/neighbour.c:1474 + neigh_output include/net/neighbour.h:511 [inline] + ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228 + __ip_finish_output net/ipv4/ip_output.c:308 [inline] + __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290 + ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip_output+0xdf/0x210 net/ipv4/ip_output.c:432 + dst_output include/net/dst.h:436 [inline] + ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125 + __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532 + ip_queue_xmit+0x45/0x60 include/net/ip.h:237 + __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169 + tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline] + __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976 + tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999 + tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515 + tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598 + tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:618 + +read to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 0: + neigh_event_send include/net/neighbour.h:442 [inline] + neigh_resolve_output+0x57/0x480 net/core/neighbour.c:1474 + neigh_output include/net/neighbour.h:511 [inline] + ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228 + __ip_finish_output net/ipv4/ip_output.c:308 [inline] + __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290 + ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip_output+0xdf/0x210 net/ipv4/ip_output.c:432 + dst_output include/net/dst.h:436 [inline] + ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125 + __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532 + ip_queue_xmit+0x45/0x60 include/net/ip.h:237 + __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169 + tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline] + __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976 + tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999 + tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515 + tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + include/net/neighbour.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/net/neighbour.h ++++ b/include/net/neighbour.h +@@ -427,8 +427,8 @@ static inline int neigh_event_send(struc + { + unsigned long now = jiffies; + +- if (neigh->used != now) +- neigh->used = now; ++ if (READ_ONCE(neigh->used) != now) ++ WRITE_ONCE(neigh->used, now); + if (!(neigh->nud_state&(NUD_CONNECTED|NUD_DELAY|NUD_PROBE))) + return __neigh_event_send(neigh, skb); + return 0; diff --git a/patches.suse/net-hns3-fix-ETS-bandwidth-validation-bug.patch b/patches.suse/net-hns3-fix-ETS-bandwidth-validation-bug.patch new file mode 100644 index 0000000..5171962 --- /dev/null +++ b/patches.suse/net-hns3-fix-ETS-bandwidth-validation-bug.patch @@ -0,0 +1,33 @@ +From: Yonglong Liu +Date: Thu, 14 Nov 2019 10:32:41 +0800 +Subject: net: hns3: fix ETS bandwidth validation bug +Patch-mainline: v5.4-rc8 +Git-commit: c2d56897819338eb0ba8b93184f7d10329b36653 +References: bsc#1104353 FATE#326415 + +Some device only support 4 TCs, but the driver check the total +bandwidth of 8 TCs, so may cause wrong configurations write to +the hw. + +This patch uses hdev->tc_max to instead HNAE3_MAX_TC to fix it. + +Fixes: e432abfb99e5 ("net: hns3: add common validation in hclge_dcb") +Signed-off-by: Yonglong Liu +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +@@ -124,7 +124,7 @@ static int hclge_ets_validate(struct hcl + if (ret) + return ret; + +- for (i = 0; i < HNAE3_MAX_TC; i++) { ++ for (i = 0; i < hdev->tc_max; i++) { + switch (ets->tc_tsa[i]) { + case IEEE_8021QAZ_TSA_STRICT: + if (hdev->tm_info.tc_info[i].tc_sch_mode != diff --git a/patches.suse/net-ibmvnic-Fix-typo-in-retry-check.patch b/patches.suse/net-ibmvnic-Fix-typo-in-retry-check.patch new file mode 100644 index 0000000..7e076cd --- /dev/null +++ b/patches.suse/net-ibmvnic-Fix-typo-in-retry-check.patch @@ -0,0 +1,37 @@ +From 8f9cc1ee296275d27770245cbd247a4952bbb2be Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Wed, 11 Dec 2019 09:38:39 -0600 +Subject: [PATCH] net/ibmvnic: Fix typo in retry check + +References: bsc#1155689 ltc#182047 +Patch-mainline: v5.5-rc3 +Git-commit: 8f9cc1ee296275d27770245cbd247a4952bbb2be + +This conditional is missing a bang, with the intent +being to break when the retry count reaches zero. + +Fixes: 476d96ca9cc5 ("ibmvnic: Bound waits for device queries") +Suggested-by: Juliet Kim +Signed-off-by: Thomas Falcon +Signed-off-by: Jakub Kicinski +Acked-by: Michal Suchanek +--- + drivers/net/ethernet/ibm/ibmvnic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index c90080781924..830791ab4619 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -184,7 +184,7 @@ static int ibmvnic_wait_for_completion(struct ibmvnic_adapter *adapter, + netdev_err(netdev, "Device down!\n"); + return -ENODEV; + } +- if (retry--) ++ if (!retry--) + break; + if (wait_for_completion_timeout(comp_done, div_timeout)) + return 0; +-- +2.23.0 + diff --git a/patches.suse/net-mlx4_en-Fix-wrong-limitation-for-number-of-TX-ri.patch b/patches.suse/net-mlx4_en-Fix-wrong-limitation-for-number-of-TX-ri.patch new file mode 100644 index 0000000..004193b --- /dev/null +++ b/patches.suse/net-mlx4_en-Fix-wrong-limitation-for-number-of-TX-ri.patch @@ -0,0 +1,73 @@ +From: Tariq Toukan +Date: Mon, 18 Nov 2019 11:41:04 +0200 +Subject: net/mlx4_en: Fix wrong limitation for number of TX rings +Patch-mainline: v5.4 +Git-commit: 2744bf42680f64ebf2ee8a00354897857c073331 +References: bsc#1103989 FATE#326004 + +XDP_TX rings should not be limited by max_num_tx_rings_p_up. +To make sure total number of TX rings never exceed MAX_TX_RINGS, +add similar check in mlx4_en_alloc_tx_queue_per_tc(), where +a new value is assigned for num_up. + +Fixes: 7e1dc5e926d5 ("net/mlx4_en: Limit the number of TX rings") +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 8 ++++---- + drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +++++++++ + 2 files changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -1811,6 +1811,7 @@ static int mlx4_en_set_channels(struct n + struct mlx4_en_dev *mdev = priv->mdev; + struct mlx4_en_port_profile new_prof; + struct mlx4_en_priv *tmp; ++ int total_tx_count; + int port_up = 0; + int xdp_count; + int err = 0; +@@ -1825,13 +1826,12 @@ static int mlx4_en_set_channels(struct n + + mutex_lock(&mdev->state_lock); + xdp_count = priv->tx_ring_num[TX_XDP] ? channel->rx_count : 0; +- if (channel->tx_count * priv->prof->num_up + xdp_count > +- priv->mdev->profile.max_num_tx_rings_p_up * priv->prof->num_up) { ++ total_tx_count = channel->tx_count * priv->prof->num_up + xdp_count; ++ if (total_tx_count > MAX_TX_RINGS) { + err = -EINVAL; + en_err(priv, + "Total number of TX and XDP rings (%d) exceeds the maximum supported (%d)\n", +- channel->tx_count * priv->prof->num_up + xdp_count, +- MAX_TX_RINGS); ++ total_tx_count, MAX_TX_RINGS); + goto out; + } + +--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c +@@ -91,6 +91,7 @@ int mlx4_en_alloc_tx_queue_per_tc(struct + struct mlx4_en_dev *mdev = priv->mdev; + struct mlx4_en_port_profile new_prof; + struct mlx4_en_priv *tmp; ++ int total_count; + int port_up = 0; + int err = 0; + +@@ -104,6 +105,14 @@ int mlx4_en_alloc_tx_queue_per_tc(struct + MLX4_EN_NUM_UP_HIGH; + new_prof.tx_ring_num[TX] = new_prof.num_tx_rings_p_up * + new_prof.num_up; ++ total_count = new_prof.tx_ring_num[TX] + new_prof.tx_ring_num[TX_XDP]; ++ if (total_count > MAX_TX_RINGS) { ++ err = -EINVAL; ++ en_err(priv, ++ "Total number of TX and XDP rings (%d) exceeds the maximum supported (%d)\n", ++ total_count, MAX_TX_RINGS); ++ goto out; ++ } + err = mlx4_en_try_alloc_resources(priv, tmp, &new_prof, true); + if (err) + goto out; diff --git a/patches.suse/net-mlx5-Accumulate-levels-for-chains-prio-namespace.patch b/patches.suse/net-mlx5-Accumulate-levels-for-chains-prio-namespace.patch new file mode 100644 index 0000000..9f368b9 --- /dev/null +++ b/patches.suse/net-mlx5-Accumulate-levels-for-chains-prio-namespace.patch @@ -0,0 +1,62 @@ +From: Paul Blakey +Date: Tue, 12 Nov 2019 00:34:27 +0100 +Subject: net/mlx5: Accumulate levels for chains prio namespaces +Patch-mainline: v5.5-rc1 +Git-commit: 34b13cb3eaa5ad205f4497da6420262da4940b9e +References: bsc#1103990 FATE#326006 + +Tc chains are implemented by creating a chained prio steering type, and +inside it there is a namespace for each chain (FDB_TC_MAX_CHAINS). Each +of those has a list of priorities. + +Currently, all namespaces in a prio start at the parent prio level. +But since we can jump from chain (namespace) to another chain in the +same prio, we need the levels for higher chains to be higher as well. +So we created unused prios to account for levels in previous namespaces. + +Fix that by accumulating the namespaces levels if we are inside a chained +type prio, and removing the unused prios. + +Fixes: 328edb499f99 ('net/mlx5: Split FDB fast path prio to multiple namespaces') +Signed-off-by: Paul Blakey +Reviewed-by: Mark Bloch +Acked-by: Pablo Neira Ayuso +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 10 +++++++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -696,7 +696,7 @@ esw_get_prio_table(struct mlx5_eswitch * + flags |= (MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT | + MLX5_FLOW_TABLE_TUNNEL_EN_DECAP); + +- table_prio = (chain * FDB_MAX_PRIO) + prio - 1; ++ table_prio = prio - 1; + + /* create earlier levels for correct fs_core lookup when + * connecting tables +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -2288,9 +2288,17 @@ static void set_prio_attrs_in_prio(struc + int acc_level_ns = acc_level; + + prio->start_level = acc_level; +- fs_for_each_ns(ns, prio) ++ fs_for_each_ns(ns, prio) { + /* This updates start_level and num_levels of ns's priority descendants */ + acc_level_ns = set_prio_attrs_in_ns(ns, acc_level); ++ ++ /* If this a prio with chains, and we can jump from one chain ++ * (namepsace) to another, so we accumulate the levels ++ */ ++ if (prio->node.type == FS_TYPE_PRIO_CHAINS) ++ acc_level = acc_level_ns; ++ } ++ + if (!prio->num_levels) + prio->num_levels = acc_level_ns - prio->start_level; + WARN_ON(prio->num_levels < acc_level_ns - prio->start_level); diff --git a/patches.suse/net-mlx5-Update-the-list-of-the-PCI-supported-device-b7eca940.patch b/patches.suse/net-mlx5-Update-the-list-of-the-PCI-supported-device-b7eca940.patch new file mode 100644 index 0000000..4e6e69b --- /dev/null +++ b/patches.suse/net-mlx5-Update-the-list-of-the-PCI-supported-device-b7eca940.patch @@ -0,0 +1,28 @@ +From: Shani Shapp +Date: Tue, 12 Nov 2019 15:10:00 +0200 +Subject: net/mlx5: Update the list of the PCI supported devices +Patch-mainline: v5.4 +Git-commit: b7eca940322f47fd30dafb70da04d193a0154090 +References: bsc#1127611 + +Add the upcoming ConnectX-6 LX device ID. + +Fixes: 85327a9c4150 ("net/mlx5: Update the list of the PCI supported devices") +Signed-off-by: Shani Shapp +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1651,6 +1651,7 @@ static const struct pci_device_id mlx5_c + { PCI_VDEVICE(MELLANOX, 0x101c), MLX5_PCI_DEV_IS_VF}, /* ConnectX-6 VF */ + { PCI_VDEVICE(MELLANOX, 0x101d) }, /* ConnectX-6 Dx */ + { PCI_VDEVICE(MELLANOX, 0x101e), MLX5_PCI_DEV_IS_VF}, /* ConnectX Family mlx5Gen Virtual Function */ ++ { PCI_VDEVICE(MELLANOX, 0x101f) }, /* ConnectX-6 LX */ + { PCI_VDEVICE(MELLANOX, 0xa2d2) }, /* BlueField integrated ConnectX-5 network controller */ + { PCI_VDEVICE(MELLANOX, 0xa2d3), MLX5_PCI_DEV_IS_VF}, /* BlueField integrated ConnectX-5 network controller VF */ + { PCI_VDEVICE(MELLANOX, 0xa2d6) }, /* BlueField-2 integrated ConnectX-6 Dx network controller */ diff --git a/patches.suse/net-mlx5-prevent-memory-leak-in-mlx5_fpga_conn_creat.patch b/patches.suse/net-mlx5-prevent-memory-leak-in-mlx5_fpga_conn_creat.patch new file mode 100644 index 0000000..1dc2e1d --- /dev/null +++ b/patches.suse/net-mlx5-prevent-memory-leak-in-mlx5_fpga_conn_creat.patch @@ -0,0 +1,32 @@ +From: Navid Emamdoost +Date: Tue, 24 Sep 2019 22:20:34 -0500 +Subject: net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq +Patch-mainline: v5.4-rc6 +Git-commit: c8c2a057fdc7de1cd16f4baa51425b932a42eb39 +References: bsc#1046303 FATE#322944 + +In mlx5_fpga_conn_create_cq if mlx5_vector2eqn fails the allocated +memory should be released. + +Fixes: 537a50574175 ("net/mlx5: FPGA, Add high-speed connection routines") +Signed-off-by: Navid Emamdoost +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c +@@ -461,8 +461,10 @@ static int mlx5_fpga_conn_create_cq(stru + } + + err = mlx5_vector2eqn(mdev, smp_processor_id(), &eqn, &irqn); +- if (err) ++ if (err) { ++ kvfree(in); + goto err_cqwq; ++ } + + cqc = MLX5_ADDR_OF(create_cq_in, in, cq_context); + MLX5_SET(cqc, cqc, log_cq_size, ilog2(cq_size)); diff --git a/patches.suse/net-mlx5e-Fix-SFF-8472-eeprom-length.patch b/patches.suse/net-mlx5e-Fix-SFF-8472-eeprom-length.patch new file mode 100644 index 0000000..6f26696 --- /dev/null +++ b/patches.suse/net-mlx5e-Fix-SFF-8472-eeprom-length.patch @@ -0,0 +1,30 @@ +From: Eran Ben Elisha +Date: Thu, 5 Dec 2019 10:30:22 +0200 +Subject: net/mlx5e: Fix SFF 8472 eeprom length +Git-commit: c431f8597863a91eea6024926e0c1b179cfa4852 +Patch-mainline: 5.5-rc1 +References: git-fixes + +SFF 8472 eeprom length is 512 bytes. Fix module info return value to +support 512 bytes read. + +Fixes: ace329f4ab3b ("net/mlx5e: ethtool, Remove unsupported SFP EEPROM high pages query") +Signed-off-by: Eran Ben Elisha +Reviewed-by: Aya Levin +Signed-off-by: Saeed Mahameed +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1636,7 +1636,7 @@ static int mlx5e_get_module_info(struct + break; + case MLX5_MODULE_ID_SFP: + modinfo->type = ETH_MODULE_SFF_8472; +- modinfo->eeprom_len = MLX5_EEPROM_PAGE_LENGTH; ++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; + break; + default: + netdev_err(priv->netdev, "%s: cable type not recognized:0x%x\n", diff --git a/patches.suse/net-mlx5e-Query-global-pause-state-before-setting-pr.patch b/patches.suse/net-mlx5e-Query-global-pause-state-before-setting-pr.patch new file mode 100644 index 0000000..e6bb1a7 --- /dev/null +++ b/patches.suse/net-mlx5e-Query-global-pause-state-before-setting-pr.patch @@ -0,0 +1,76 @@ +From: Huy Nguyen +Date: Fri, 6 Sep 2019 09:28:46 -0500 +Subject: net/mlx5e: Query global pause state before setting prio2buffer +Patch-mainline: v5.5-rc1 +Git-commit: 73e6551699a32fac703ceea09214d6580edcf2d5 +References: bsc#1103990 FATE#326006 + +When the user changes prio2buffer mapping while global pause is +enabled, mlx5 driver incorrectly sets all active buffers +(buffer that has at least one priority mapped) to lossy. + +Solution: +If global pause is enabled, set all the active buffers to lossless +in prio2buffer command. +Also, add error message when buffer size is not enough to meet +xoff threshold. + +Fixes: 0696d60853d5 ("net/mlx5e: Receive buffer configuration") +Signed-off-by: Huy Nguyen +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c | 27 +++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c +@@ -155,8 +155,11 @@ static int update_xoff_threshold(struct + } + + if (port_buffer->buffer[i].size < +- (xoff + max_mtu + (1 << MLX5E_BUFFER_CELL_SHIFT))) ++ (xoff + max_mtu + (1 << MLX5E_BUFFER_CELL_SHIFT))) { ++ pr_err("buffer_size[%d]=%d is not enough for lossless buffer\n", ++ i, port_buffer->buffer[i].size); + return -ENOMEM; ++ } + + port_buffer->buffer[i].xoff = port_buffer->buffer[i].size - xoff; + port_buffer->buffer[i].xon = +@@ -232,6 +235,26 @@ static int update_buffer_lossy(unsigned + return 0; + } + ++static int fill_pfc_en(struct mlx5_core_dev *mdev, u8 *pfc_en) ++{ ++ u32 g_rx_pause, g_tx_pause; ++ int err; ++ ++ err = mlx5_query_port_pause(mdev, &g_rx_pause, &g_tx_pause); ++ if (err) ++ return err; ++ ++ /* If global pause enabled, set all active buffers to lossless. ++ * Otherwise, check PFC setting. ++ */ ++ if (g_rx_pause || g_tx_pause) ++ *pfc_en = 0xff; ++ else ++ err = mlx5_query_port_pfc(mdev, pfc_en, NULL); ++ ++ return err; ++} ++ + #define MINIMUM_MAX_MTU 9216 + int mlx5e_port_manual_buffer_config(struct mlx5e_priv *priv, + u32 change, unsigned int mtu, +@@ -277,7 +300,7 @@ int mlx5e_port_manual_buffer_config(stru + + if (change & MLX5E_PORT_BUFFER_PRIO2BUFFER) { + update_prio2buffer = true; +- err = mlx5_query_port_pfc(priv->mdev, &curr_pfc_en, NULL); ++ err = fill_pfc_en(priv->mdev, &curr_pfc_en); + if (err) + return err; + diff --git a/patches.suse/net-sched-ensure-opts_len-IP_TUNNEL_OPTS_MAX-in-act_.patch b/patches.suse/net-sched-ensure-opts_len-IP_TUNNEL_OPTS_MAX-in-act_.patch new file mode 100644 index 0000000..ad23a9a --- /dev/null +++ b/patches.suse/net-sched-ensure-opts_len-IP_TUNNEL_OPTS_MAX-in-act_.patch @@ -0,0 +1,48 @@ +From: Xin Long +Date: Mon, 18 Nov 2019 17:39:34 +0800 +Subject: net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key +Patch-mainline: v5.4 +Git-commit: 4f0e97d070984d487df027f163e52bb72d1713d8 +References: bsc#1109837 + +info->options_len is 'u8' type, and when opts_len with a value > +IP_TUNNEL_OPTS_MAX, 'info->options_len = opts_len' will cast int +to u8 and set a wrong value to info->options_len. + +Kernel crashed in my test when doing: + + # opts="0102:80:00800022" + # for i in {1..99}; do opts="$opts,0102:80:00800022"; done + # ip link add name geneve0 type geneve dstport 0 external + # tc qdisc add dev eth0 ingress + # tc filter add dev eth0 protocol ip parent ffff: \ + flower indev eth0 ip_proto udp action tunnel_key \ + set src_ip 10.0.99.192 dst_ip 10.0.99.193 \ + dst_port 6081 id 11 geneve_opts $opts \ + action mirred egress redirect dev geneve0 + +So we should do the similar check as cls_flower does, return error +when opts_len > IP_TUNNEL_OPTS_MAX in tunnel_key_copy_opts(). + +Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key") +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + net/sched/act_tunnel_key.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sched/act_tunnel_key.c ++++ b/net/sched/act_tunnel_key.c +@@ -137,6 +137,10 @@ static int tunnel_key_copy_opts(const st + if (opt_len < 0) + return opt_len; + opts_len += opt_len; ++ if (opts_len > IP_TUNNEL_OPTS_MAX) { ++ NL_SET_ERR_MSG(extack, "Tunnel options exceeds max size"); ++ return -EINVAL; ++ } + if (dst) { + dst_len -= opt_len; + dst += opt_len; diff --git a/patches.suse/net-sched-fix-dump-qlen-for-sch_mq-sch_mqprio-with-N.patch b/patches.suse/net-sched-fix-dump-qlen-for-sch_mq-sch_mqprio-with-N.patch new file mode 100644 index 0000000..6eae750 --- /dev/null +++ b/patches.suse/net-sched-fix-dump-qlen-for-sch_mq-sch_mqprio-with-N.patch @@ -0,0 +1,40 @@ +From: Dust Li +Date: Tue, 3 Dec 2019 11:17:40 +0800 +Subject: net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues +Patch-mainline: v5.5-rc1 +Git-commit: 2f23cd42e19c22c24ff0e221089b7b6123b117c5 +References: bsc#1109837 + +sch->q.len hasn't been set if the subqueue is a NOLOCK qdisc + in mq_dump() and mqprio_dump(). + +Fixes: ce679e8df7ed ("net: sched: add support for TCQ_F_NOLOCK subqueues to sch_mqprio") +Signed-off-by: Dust Li +Signed-off-by: Tony Lu +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + net/sched/sch_mq.c | 1 + + net/sched/sch_mqprio.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/net/sched/sch_mq.c ++++ b/net/sched/sch_mq.c +@@ -158,6 +158,7 @@ static int mq_dump(struct Qdisc *sch, st + __gnet_stats_copy_queue(&sch->qstats, + qdisc->cpu_qstats, + &qdisc->qstats, qlen); ++ sch->q.qlen += qlen; + } else { + sch->q.qlen += qdisc->q.qlen; + sch->bstats.bytes += qdisc->bstats.bytes; +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -413,6 +413,7 @@ static int mqprio_dump(struct Qdisc *sch + __gnet_stats_copy_queue(&sch->qstats, + qdisc->cpu_qstats, + &qdisc->qstats, qlen); ++ sch->q.qlen += qlen; + } else { + sch->q.qlen += qdisc->q.qlen; + sch->bstats.bytes += qdisc->bstats.bytes; diff --git a/patches.suse/net-usb-qmi_wwan-add-support-for-DW5821e-with-eSIM-s.patch b/patches.suse/net-usb-qmi_wwan-add-support-for-DW5821e-with-eSIM-s.patch new file mode 100644 index 0000000..ebd9d2c --- /dev/null +++ b/patches.suse/net-usb-qmi_wwan-add-support-for-DW5821e-with-eSIM-s.patch @@ -0,0 +1,41 @@ +From: Aleksander Morgado +Date: Thu, 7 Nov 2019 11:57:01 +0100 +Subject: net: usb: qmi_wwan: add support for DW5821e with eSIM support +Git-commit: e497df686e8fed8c1dd69179010656362858edb3 +Patch-mainline: 5.4-rc7 +References: networking-stable-19_11_10 + +Exactly same layout as the default DW5821e module, just a different +vid/pid. + +The QMI interface is exposed in USB configuration #1: + +P: Vendor=413c ProdID=81e0 Rev=03.18 +S: Manufacturer=Dell Inc. +S: Product=DW5821e-eSIM Snapdragon X20 LTE +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +I: If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option + +Signed-off-by: Aleksander Morgado +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1352,6 +1352,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */ + {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */ + {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */ ++ {QMI_FIXED_INTF(0x413c, 0x81e0, 0)}, /* Dell Wireless 5821e with eSIM support*/ + {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */ + {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */ + {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */ diff --git a/patches.suse/netfilter-nf_queue-enqueue-skbs-with-NULL-dst.patch b/patches.suse/netfilter-nf_queue-enqueue-skbs-with-NULL-dst.patch new file mode 100644 index 0000000..da99eba --- /dev/null +++ b/patches.suse/netfilter-nf_queue-enqueue-skbs-with-NULL-dst.patch @@ -0,0 +1,37 @@ +From: Marco Oliverio +Date: Mon, 2 Dec 2019 19:54:30 +0100 +Subject: netfilter: nf_queue: enqueue skbs with NULL dst +Git-commit: 0b9173f4688dfa7c5d723426be1d979c24ce3d51 +Patch-mainline: 5.5-rc3 +References: git-fixes + +Bridge packets that are forwarded have skb->dst == NULL and get +dropped by the check introduced by +b60a77386b1d4868f72f6353d35dabe5fbe981f2 (net: make skb_dst_force +return true when dst is refcounted). + +To fix this we check skb_dst() before skb_dst_force(), so we don't +drop skb packet with dst == NULL. This holds also for skb at the +PRE_ROUTING hook so we remove the second check. + +Fixes: b60a77386b1d ("net: make skb_dst_force return true when dst is refcounted") +Signed-off-by: Marco Oliverio +Signed-off-by: Rocco Folino +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Jiri Slaby +--- + net/netfilter/nf_queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_queue.c ++++ b/net/netfilter/nf_queue.c +@@ -136,7 +136,7 @@ static int __nf_queue(struct sk_buff *sk + goto err; + } + +- if (!skb_dst_force(skb) && state->hook != NF_INET_PRE_ROUTING) { ++ if (skb_dst(skb) && !skb_dst_force(skb)) { + status = -ENETDOWN; + goto err; + } diff --git a/patches.suse/platform-x86-hp-wmi-Make-buffer-for-HPWMI_FEATURE2_Q.patch b/patches.suse/platform-x86-hp-wmi-Make-buffer-for-HPWMI_FEATURE2_Q.patch new file mode 100644 index 0000000..fa139e7 --- /dev/null +++ b/patches.suse/platform-x86-hp-wmi-Make-buffer-for-HPWMI_FEATURE2_Q.patch @@ -0,0 +1,46 @@ +From 133b2acee3871ae6bf123b8fe34be14464aa3d2c Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 17 Dec 2019 20:06:04 +0100 +Subject: [PATCH] platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes +Git-commit: 133b2acee3871ae6bf123b8fe34be14464aa3d2c +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +At least on the HP Envy x360 15-cp0xxx model the WMI interface +for HPWMI_FEATURE2_QUERY requires an outsize of at least 128 bytes, +otherwise it fails with an error code 5 (HPWMI_RET_INVALID_PARAMETERS): + +Dec 06 00:59:38 kernel: hp_wmi: query 0xd returned error 0x5 + +We do not care about the contents of the buffer, we just want to know +if the HPWMI_FEATURE2_QUERY command is supported. + +This commits bumps the buffer size, fixing the error. + +Fixes: 8a1513b4932 ("hp-wmi: limit hotkey enable") +Cc: stable@vger.kernel.org +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1520703 +Signed-off-by: Hans de Goede +Signed-off-by: Andy Shevchenko +Acked-by: Takashi Iwai + +--- + drivers/platform/x86/hp-wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c +index 9579a706fc08..a881b709af25 100644 +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -300,7 +300,7 @@ static int __init hp_wmi_bios_2008_later(void) + + static int __init hp_wmi_bios_2009_later(void) + { +- int state = 0; ++ u8 state[128]; + int ret = hp_wmi_perform_query(HPWMI_FEATURE2_QUERY, HPWMI_READ, &state, + sizeof(state), sizeof(state)); + if (!ret) +-- +2.16.4 + diff --git a/patches.suse/platform-x86-pmc_atom-Add-Siemens-CONNECT-X300-to-cr.patch b/patches.suse/platform-x86-pmc_atom-Add-Siemens-CONNECT-X300-to-cr.patch new file mode 100644 index 0000000..4d526a1 --- /dev/null +++ b/patches.suse/platform-x86-pmc_atom-Add-Siemens-CONNECT-X300-to-cr.patch @@ -0,0 +1,44 @@ +From e8796c6c69d129420ee94a1906b18d86b84644d4 Mon Sep 17 00:00:00 2001 +From: Michael Haener +Date: Fri, 29 Nov 2019 10:16:49 +0100 +Subject: [PATCH] platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table +Git-commit: e8796c6c69d129420ee94a1906b18d86b84644d4 +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +The CONNECT X300 uses the PMC clock for on-board components and gets +stuck during boot if the clock is disabled. Therefore, add this +device to the critical systems list. +Tested on CONNECT X300. + +Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") +Signed-off-by: Michael Haener +Signed-off-by: Andy Shevchenko +Acked-by: Takashi Iwai + +--- + drivers/platform/x86/pmc_atom.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c +index 07d1b911e72f..52ef1419b671 100644 +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -429,6 +429,14 @@ static const struct dmi_system_id critclk_systems[] = { + DMI_MATCH(DMI_PRODUCT_VERSION, "6AV7882-0"), + }, + }, ++ { ++ .ident = "CONNECT X300", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "SIEMENS AG"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "A5E45074588"), ++ }, ++ }, ++ + { /*sentinel*/ } + }; + +-- +2.16.4 + diff --git a/patches.suse/powerpc-Fix-vDSO-clock_getres.patch b/patches.suse/powerpc-Fix-vDSO-clock_getres.patch new file mode 100644 index 0000000..a3a1c99 --- /dev/null +++ b/patches.suse/powerpc-Fix-vDSO-clock_getres.patch @@ -0,0 +1,129 @@ +From 552263456215ada7ee8700ce022d12b0cffe4802 Mon Sep 17 00:00:00 2001 +From: Vincenzo Frascino +Date: Mon, 2 Dec 2019 07:57:29 +0000 +Subject: [PATCH] powerpc: Fix vDSO clock_getres() + +References: bsc#1065729 +Patch-mainline: v5.5-rc1 +Git-commit: 552263456215ada7ee8700ce022d12b0cffe4802 + +clock_getres in the vDSO library has to preserve the same behaviour +of posix_get_hrtimer_res(). + +In particular, posix_get_hrtimer_res() does: + sec = 0; + ns = hrtimer_resolution; +and hrtimer_resolution depends on the enablement of the high +resolution timers that can happen either at compile or at run time. + +Fix the powerpc vdso implementation of clock_getres keeping a copy of +hrtimer_resolution in vdso data and using that directly. + +Fixes: a7f290dad32e ("[PATCH] powerpc: Merge vdso's and add vdso support to 32 bits kernel") +Cc: stable@vger.kernel.org +Signed-off-by: Vincenzo Frascino +Reviewed-by: Christophe Leroy +Acked-by: Shuah Khan +[chleroy: changed CLOCK_REALTIME_RES to CLOCK_HRTIMER_RES] +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/a55eca3a5e85233838c2349783bcb5164dae1d09.1575273217.git.christophe.leroy@c-s.fr +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/vdso_datapage.h | 2 ++ + arch/powerpc/kernel/asm-offsets.c | 2 +- + arch/powerpc/kernel/time.c | 1 + + arch/powerpc/kernel/vdso32/gettimeofday.S | 7 +++++-- + arch/powerpc/kernel/vdso64/gettimeofday.S | 7 +++++-- + 5 files changed, 14 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/include/asm/vdso_datapage.h ++++ b/arch/powerpc/include/asm/vdso_datapage.h +@@ -86,6 +86,7 @@ struct vdso_data { + __s32 wtom_clock_nsec; /* Wall to monotonic clock nsec */ + __s64 wtom_clock_sec; /* Wall to monotonic clock sec */ + struct timespec stamp_xtime; /* xtime as at tb_orig_stamp */ ++ __u32 hrtimer_res; /* hrtimer resolution */ + __u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls */ + __u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */ + }; +@@ -107,6 +108,7 @@ struct vdso_data { + __s32 wtom_clock_nsec; + struct timespec stamp_xtime; /* xtime as at tb_orig_stamp */ + __u32 stamp_sec_fraction; /* fractional seconds of stamp_xtime */ ++ __u32 hrtimer_res; /* hrtimer resolution */ + __u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */ + __u32 dcache_block_size; /* L1 d-cache block size */ + __u32 icache_block_size; /* L1 i-cache block size */ +--- a/arch/powerpc/kernel/asm-offsets.c ++++ b/arch/powerpc/kernel/asm-offsets.c +@@ -374,6 +374,7 @@ int main(void) + OFFSET(WTOM_CLOCK_NSEC, vdso_data, wtom_clock_nsec); + OFFSET(STAMP_XTIME, vdso_data, stamp_xtime); + OFFSET(STAMP_SEC_FRAC, vdso_data, stamp_sec_fraction); ++ OFFSET(CLOCK_HRTIMER_RES, vdso_data, hrtimer_res); + OFFSET(CFG_ICACHE_BLOCKSZ, vdso_data, icache_block_size); + OFFSET(CFG_DCACHE_BLOCKSZ, vdso_data, dcache_block_size); + OFFSET(CFG_ICACHE_LOGBLOCKSZ, vdso_data, icache_log_block_size); +@@ -402,7 +403,6 @@ int main(void) + DEFINE(CLOCK_REALTIME, CLOCK_REALTIME); + DEFINE(CLOCK_MONOTONIC, CLOCK_MONOTONIC); + DEFINE(NSEC_PER_SEC, NSEC_PER_SEC); +- DEFINE(CLOCK_REALTIME_RES, MONOTONIC_RES_NSEC); + + #ifdef CONFIG_BUG + DEFINE(BUG_ENTRY_SIZE, sizeof(struct bug_entry)); +--- a/arch/powerpc/kernel/time.c ++++ b/arch/powerpc/kernel/time.c +@@ -876,6 +876,7 @@ void update_vsyscall_old(struct timespec + vdso_data->wtom_clock_nsec = wtm->tv_nsec; + vdso_data->stamp_xtime = *wall_time; + vdso_data->stamp_sec_fraction = frac_sec; ++ vdso_data->hrtimer_res = hrtimer_resolution; + smp_wmb(); + ++(vdso_data->tb_update_count); + } +diff --git a/arch/powerpc/kernel/vdso32/gettimeofday.S b/arch/powerpc/kernel/vdso32/gettimeofday.S +index c8e6902cb01b..3306672f57a9 100644 +--- a/arch/powerpc/kernel/vdso32/gettimeofday.S ++++ b/arch/powerpc/kernel/vdso32/gettimeofday.S +@@ -154,12 +154,15 @@ V_FUNCTION_BEGIN(__kernel_clock_getres) + cror cr0*4+eq,cr0*4+eq,cr1*4+eq + bne cr0,99f + ++ mflr r12 ++ .cfi_register lr,r12 ++ bl __get_datapage@local /* get data page */ ++ lwz r5, CLOCK_HRTIMER_RES(r3) ++ mtlr r12 + li r3,0 + cmpli cr0,r4,0 + crclr cr0*4+so + beqlr +- lis r5,CLOCK_REALTIME_RES@h +- ori r5,r5,CLOCK_REALTIME_RES@l + stw r3,TSPC32_TV_SEC(r4) + stw r5,TSPC32_TV_NSEC(r4) + blr +diff --git a/arch/powerpc/kernel/vdso64/gettimeofday.S b/arch/powerpc/kernel/vdso64/gettimeofday.S +index 1f24e411af80..1c9a04703250 100644 +--- a/arch/powerpc/kernel/vdso64/gettimeofday.S ++++ b/arch/powerpc/kernel/vdso64/gettimeofday.S +@@ -186,12 +186,15 @@ V_FUNCTION_BEGIN(__kernel_clock_getres) + cror cr0*4+eq,cr0*4+eq,cr1*4+eq + bne cr0,99f + ++ mflr r12 ++ .cfi_register lr,r12 ++ bl V_LOCAL_FUNC(__get_datapage) ++ lwz r5, CLOCK_HRTIMER_RES(r3) ++ mtlr r12 + li r3,0 + cmpldi cr0,r4,0 + crclr cr0*4+so + beqlr +- lis r5,CLOCK_REALTIME_RES@h +- ori r5,r5,CLOCK_REALTIME_RES@l + std r3,TSPC64_TV_SEC(r4) + std r5,TSPC64_TV_NSEC(r4) + blr diff --git a/patches.suse/powerpc-archrandom-fix-arch_get_random_seed_int.patch b/patches.suse/powerpc-archrandom-fix-arch_get_random_seed_int.patch new file mode 100644 index 0000000..4b88ed9 --- /dev/null +++ b/patches.suse/powerpc-archrandom-fix-arch_get_random_seed_int.patch @@ -0,0 +1,47 @@ +From b6afd1234cf93aa0d71b4be4788c47534905f0be Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 4 Dec 2019 11:50:15 +0000 +Subject: [PATCH] powerpc/archrandom: fix arch_get_random_seed_int() + +References: bsc#1065729 +Patch-mainline: v5.5-rc1 +Git-commit: b6afd1234cf93aa0d71b4be4788c47534905f0be + +Commit 01c9348c7620ec65 + + powerpc: Use hardware RNG for arch_get_random_seed_* not arch_get_random_* + +updated arch_get_random_[int|long]() to be NOPs, and moved the hardware +RNG backing to arch_get_random_seed_[int|long]() instead. However, it +failed to take into account that arch_get_random_int() was implemented +in terms of arch_get_random_long(), and so we ended up with a version +of the former that is essentially a NOP as well. + +Fix this by calling arch_get_random_seed_long() from +arch_get_random_seed_int() instead. + +Fixes: 01c9348c7620ec65 ("powerpc: Use hardware RNG for arch_get_random_seed_* not arch_get_random_*") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191204115015.18015-1-ardb@kernel.org +Acked-by: Michal Suchanek +--- + arch/powerpc/include/asm/archrandom.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/archrandom.h b/arch/powerpc/include/asm/archrandom.h +index 9c63b596e6ce..a09595f00cab 100644 +--- a/arch/powerpc/include/asm/archrandom.h ++++ b/arch/powerpc/include/asm/archrandom.h +@@ -28,7 +28,7 @@ static inline int arch_get_random_seed_int(unsigned int *v) + unsigned long val; + int rc; + +- rc = arch_get_random_long(&val); ++ rc = arch_get_random_seed_long(&val); + if (rc) + *v = val; + +-- +2.23.0 + diff --git a/patches.suse/powerpc-powernv-Disable-native-PCIe-port-management.patch b/patches.suse/powerpc-powernv-Disable-native-PCIe-port-management.patch new file mode 100644 index 0000000..83c6ac4 --- /dev/null +++ b/patches.suse/powerpc-powernv-Disable-native-PCIe-port-management.patch @@ -0,0 +1,80 @@ +From 9d72dcef891030545f39ad386a30cf91df517fb2 Mon Sep 17 00:00:00 2001 +From: Oliver O'Halloran +Date: Mon, 18 Nov 2019 17:55:53 +1100 +Subject: [PATCH] powerpc/powernv: Disable native PCIe port management + +References: bsc#1065729 +Patch-mainline: v5.5-rc1 +Git-commit: 9d72dcef891030545f39ad386a30cf91df517fb2 + +On PowerNV the PCIe topology is (currently) managed by the powernv platform +code in Linux in cooperation with the platform firmware. Linux's native +PCIe port service drivers operate independently of both and this can cause +problems. + +The main issue is that the portbus driver will conflict with the platform +specific hotplug driver (pnv_php) over ownership of the MSI used to notify +the host when a hotplug event occurs. The portbus driver claims this MSI on +behalf of the individual port services because the same interrupt is used +for hotplug events, PMEs (on root ports), and link bandwidth change +notifications. The portbus driver will always claim the interrupt even if +the individual port service drivers, such as pciehp, are compiled out. + +The second, bigger, problem is that the hotplug port service driver +fundamentally does not work on PowerNV. The platform assumes that all +PCI devices have a corresponding arch-specific handle derived from the DT +node for the device (pci_dn) and without one the platform will not allow +a PCI device to be enabled. This problem is largely due to historical +baggage, but it can't be resolved without significant re-factoring of the +platform PCI support. + +We can fix these problems in the interim by setting the +"pcie_ports_disabled" flag during platform initialisation. The flag +indicates the platform owns the PCIe ports which stops the portbus driver +from being registered. + +This does have the side effect of disabling all port services drivers +that is: AER, PME, BW notifications, hotplug, and DPC. However, this is +not a huge disadvantage on PowerNV since these services are either unused +or handled through other means. + +Fixes: 66725152fb9f ("PCI/hotplug: PowerPC PowerNV PCI hotplug driver") +Signed-off-by: Oliver O'Halloran +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191118065553.30362-1-oohall@gmail.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/powernv/pci.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/arch/powerpc/platforms/powernv/pci.c b/arch/powerpc/platforms/powernv/pci.c +index 2825d004dece..c0bea75ac27b 100644 +--- a/arch/powerpc/platforms/powernv/pci.c ++++ b/arch/powerpc/platforms/powernv/pci.c +@@ -945,6 +945,23 @@ void __init pnv_pci_init(void) + if (!firmware_has_feature(FW_FEATURE_OPAL)) + return; + ++#ifdef CONFIG_PCIEPORTBUS ++ /* ++ * On PowerNV PCIe devices are (currently) managed in cooperation ++ * with firmware. This isn't *strictly* required, but there's enough ++ * assumptions baked into both firmware and the platform code that ++ * it's unwise to allow the portbus services to be used. ++ * ++ * We need to fix this eventually, but for now set this flag to disable ++ * the portbus driver. The AER service isn't required since that AER ++ * events are handled via EEH. The pciehp hotplug driver can't work ++ * without kernel changes (and portbus binding breaks pnv_php). The ++ * other services also require some thinking about how we're going ++ * to integrate them. ++ */ ++ pcie_ports_disabled = true; ++#endif ++ + /* Look for IODA IO-Hubs. */ + for_each_compatible_node(np, NULL, "ibm,ioda-hub") { + pnv_pci_init_ioda_hub(np); +-- +2.23.0 + diff --git a/patches.suse/powerpc-pseries-Drop-pointless-static-qualifier-in-v.patch b/patches.suse/powerpc-pseries-Drop-pointless-static-qualifier-in-v.patch new file mode 100644 index 0000000..54fa983 --- /dev/null +++ b/patches.suse/powerpc-pseries-Drop-pointless-static-qualifier-in-v.patch @@ -0,0 +1,39 @@ +From 11dd34f3eae5a468013bb161a1dcf1fecd2ca321 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 18 Feb 2019 12:56:44 +0000 +Subject: [PATCH] powerpc/pseries: Drop pointless static qualifier in + vpa_debugfs_init() + +References: FATE#326394 git-fixes +Patch-mainline: v5.5-rc1 +Git-commit: 11dd34f3eae5a468013bb161a1dcf1fecd2ca321 + +There is no need to have the 'struct dentry *vpa_dir' variable static +since new value always be assigned before use it. + +Fixes: c6c26fb55e8e ("powerpc/pseries: Export raw per-CPU VPA data via debugfs") +Signed-off-by: YueHaibing +Reviewed-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190218125644.87448-1-yuehaibing@huawei.com +Acked-by: Michal Suchanek +--- + arch/powerpc/platforms/pseries/lpar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c +index 74c59a1e9627..8c5af2cd95a7 100644 +--- a/arch/powerpc/platforms/pseries/lpar.c ++++ b/arch/powerpc/platforms/pseries/lpar.c +@@ -2000,7 +2000,7 @@ static int __init vpa_debugfs_init(void) + { + char name[16]; + long i; +- static struct dentry *vpa_dir; ++ struct dentry *vpa_dir; + + if (!firmware_has_feature(FW_FEATURE_SPLPAR)) + return 0; +-- +2.23.0 + diff --git a/patches.suse/prevent-active-list-thrashing.patch b/patches.suse/prevent-active-list-thrashing.patch new file mode 100644 index 0000000..b273d27 --- /dev/null +++ b/patches.suse/prevent-active-list-thrashing.patch @@ -0,0 +1,46 @@ +From: Vlastimil Babka +Subject: prevent active file list thrashing due to refault detection +Patch-mainline: Never, discussing proper upstream solution +References: VM Performance, bsc#1156286 + +In bsc#1156286 we found that 12SP4 kernel regression compared to 12SP3 is due +to commit 2a2e48854d70 ("mm: vmscan: fix IO/refault regression in cache +workingset transition") causing active file list thrashing, as the refault +counter may increase since the last snapshot between kswapd runs and cause +the second kswapd run to focus all reclaim on the active list. + +Proper upstreamable solution needs to be discussed, but we need to fix the +regression meanwhile, so effectively disabling commit 2a2e48854d70 is the +simplest option. There has been positive feedback from the customer, and +performance team found no obvious regressions from this change. + +Signed-off-by: Vlastimil Babka + +--- + mm/vmscan.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2061,6 +2061,12 @@ static bool inactive_list_is_low(struct + unsigned long refaults; + unsigned long gb; + ++ /* ++ * spurious refault detection results in active list thrashing, ++ * disable it - bsc#1156286 ++ */ ++ actual_reclaim = false; ++ + /* + * If we don't have swap space, anonymous page deactivation + * is pointless. +@@ -2091,6 +2097,8 @@ static bool inactive_list_is_low(struct + inactive_ratio = 1; + } + ++ /* bsc#1156286 - don't lose the tracepoint */ ++ actual_reclaim = true; + if (actual_reclaim) + trace_mm_vmscan_inactive_list_is_low(pgdat->node_id, sc->reclaim_idx, + lruvec_lru_size(lruvec, inactive_lru, MAX_NR_ZONES), inactive, diff --git a/patches.suse/qede-fix-NULL-pointer-deref-in-__qede_remove.patch b/patches.suse/qede-fix-NULL-pointer-deref-in-__qede_remove.patch new file mode 100644 index 0000000..b28223e --- /dev/null +++ b/patches.suse/qede-fix-NULL-pointer-deref-in-__qede_remove.patch @@ -0,0 +1,99 @@ +From: Manish Chopra +Date: Fri, 8 Nov 2019 02:42:30 -0800 +Subject: qede: fix NULL pointer deref in __qede_remove() +Git-commit: deabc87111c690097c03765ea017cd500f7376fc +Patch-mainline: 5.4-rc7 +References: networking-stable-19_11_10 + +While rebooting the system with SR-IOV vfs enabled leads +to below crash due to recurrence of __qede_remove() on the VF +devices (first from .shutdown() flow of the VF itself and +another from PF's .shutdown() flow executing pci_disable_sriov()) + +This patch adds a safeguard in __qede_remove() flow to fix this, +so that driver doesn't attempt to remove "already removed" devices. + +[ 194.360134] BUG: unable to handle kernel NULL pointer dereference at 00000000000008dc +[ 194.360227] IP: [] __qede_remove+0x24/0x130 [qede] +[ 194.360304] PGD 0 +[ 194.360325] Oops: 0000 [#1] SMP +[ 194.360360] Modules linked in: tcp_lp fuse tun bridge stp llc devlink bonding ip_set nfnetlink ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib ib_umad rpcrdma sunrpc rdma_ucm ib_uverbs ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi dell_smbios iTCO_wdt iTCO_vendor_support dell_wmi_descriptor dcdbas vfat fat pcc_cpufreq skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd qedr ib_core pcspkr ses enclosure joydev ipmi_ssif sg i2c_i801 lpc_ich mei_me mei wmi ipmi_si ipmi_devintf ipmi_msghandler tpm_crb acpi_pad acpi_power_meter xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32c_intel mgag200 +[ 194.361044] qede i2c_algo_bit drm_kms_helper qed syscopyarea sysfillrect nvme sysimgblt fb_sys_fops ttm nvme_core mpt3sas crc8 ptp drm pps_core ahci raid_class scsi_transport_sas libahci libata drm_panel_orientation_quirks nfit libnvdimm dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ip_tables] +[ 194.361297] CPU: 51 PID: 7996 Comm: reboot Kdump: loaded Not tainted 3.10.0-1062.el7.x86_64 #1 +[ 194.361359] Hardware name: Dell Inc. PowerEdge MX840c/0740HW, BIOS 2.4.6 10/15/2019 +[ 194.361412] task: ffff9cea9b360000 ti: ffff9ceabebdc000 task.ti: ffff9ceabebdc000 +[ 194.361463] RIP: 0010:[] [] __qede_remove+0x24/0x130 [qede] +[ 194.361534] RSP: 0018:ffff9ceabebdfac0 EFLAGS: 00010282 +[ 194.361570] RAX: 0000000000000000 RBX: ffff9cd013846098 RCX: 0000000000000000 +[ 194.361621] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9cd013846098 +[ 194.361668] RBP: ffff9ceabebdfae8 R08: 0000000000000000 R09: 0000000000000000 +[ 194.361715] R10: 00000000bfe14201 R11: ffff9ceabfe141e0 R12: 0000000000000000 +[ 194.361762] R13: ffff9cd013846098 R14: 0000000000000000 R15: ffff9ceab5e48000 +[ 194.361810] FS: 00007f799c02d880(0000) GS:ffff9ceacb0c0000(0000) knlGS:0000000000000000 +[ 194.361865] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 194.361903] CR2: 00000000000008dc CR3: 0000001bdac76000 CR4: 00000000007607e0 +[ 194.361953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 194.362002] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 194.362051] PKRU: 55555554 +[ 194.362073] Call Trace: +[ 194.362109] [] qede_remove+0x10/0x20 [qede] +[ 194.362180] [] pci_device_remove+0x3e/0xc0 +[ 194.362240] [] __device_release_driver+0x82/0xf0 +[ 194.362285] [] device_release_driver+0x23/0x30 +[ 194.362343] [] pci_stop_bus_device+0x84/0xa0 +[ 194.362388] [] pci_stop_and_remove_bus_device+0x12/0x20 +[ 194.362450] [] pci_iov_remove_virtfn+0xaf/0x160 +[ 194.362496] [] sriov_disable+0x3c/0xf0 +[ 194.362534] [] pci_disable_sriov+0x23/0x30 +[ 194.362599] [] qed_sriov_disable+0x5e3/0x650 [qed] +[ 194.362658] [] ? kfree+0x106/0x140 +[ 194.362709] [] ? qed_free_stream_mem+0x70/0x90 [qed] +[ 194.362754] [] ? kfree+0x106/0x140 +[ 194.362803] [] qed_slowpath_stop+0x1a9/0x1d0 [qed] +[ 194.362854] [] __qede_remove+0xae/0x130 [qede] +[ 194.362904] [] qede_shutdown+0x10/0x20 [qede] +[ 194.362956] [] pci_device_shutdown+0x3a/0x60 +[ 194.363010] [] device_shutdown+0xfb/0x1f0 +[ 194.363066] [] kernel_restart_prepare+0x36/0x40 +[ 194.363107] [] kernel_restart+0x12/0x60 +[ 194.363146] [] SYSC_reboot+0x229/0x260 +[ 194.363196] [] ? handle_mm_fault+0x39d/0x9b0 +[ 194.363253] [] ? __switch_to+0x151/0x580 +[ 194.363304] [] ? __schedule+0x448/0x9c0 +[ 194.363343] [] SyS_reboot+0xe/0x10 +[ 194.363387] [] system_call_fastpath+0x25/0x2a +[ 194.363430] Code: f9 e9 37 ff ff ff 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 4c 8d af 98 00 00 00 41 54 4c 89 ef 41 89 f4 53 e8 4c e4 55 f9 <80> b8 dc 08 00 00 01 48 89 c3 4c 8d b8 c0 08 00 00 4c 8b b0 c0 +[ 194.363712] RIP [] __qede_remove+0x24/0x130 [qede] +[ 194.363764] RSP +[ 194.363791] CR2: 00000000000008dc + +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Signed-off-by: Sudarsana Kalluru +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/qlogic/qede/qede_main.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -1062,8 +1062,16 @@ enum qede_remove_mode { + static void __qede_remove(struct pci_dev *pdev, enum qede_remove_mode mode) + { + struct net_device *ndev = pci_get_drvdata(pdev); +- struct qede_dev *edev = netdev_priv(ndev); +- struct qed_dev *cdev = edev->cdev; ++ struct qede_dev *edev; ++ struct qed_dev *cdev; ++ ++ if (!ndev) { ++ dev_info(&pdev->dev, "Device has already been removed\n"); ++ return; ++ } ++ ++ edev = netdev_priv(ndev); ++ cdev = edev->cdev; + + DP_INFO(edev, "Starting qede_remove\n"); + diff --git a/patches.suse/samples-bpf-add-a-test-for-bpf_override_return.patch b/patches.suse/samples-bpf-add-a-test-for-bpf_override_return.patch deleted file mode 100644 index 364dbcd..0000000 --- a/patches.suse/samples-bpf-add-a-test-for-bpf_override_return.patch +++ /dev/null @@ -1,165 +0,0 @@ -From: Josef Bacik -Date: Mon, 11 Dec 2017 11:36:49 -0500 -Subject: samples/bpf: add a test for bpf_override_return -Patch-mainline: v4.16-rc1 -Git-commit: 965de87e54b803223bff703ea6b2a76c056695ae -References: bsc#1109837 - -This adds a basic test for bpf_override_return to verify it works. We -override the main function for mounting a btrfs fs so it'll return --ENOMEM and then make sure that trying to mount a btrfs fs will fail. - -Acked-by: Alexei Starovoitov -Acked-by: Ingo Molnar -Signed-off-by: Josef Bacik -Signed-off-by: Alexei Starovoitov -Acked-by: Thomas Bogendoerfer ---- - samples/bpf/Makefile | 4 ++++ - samples/bpf/test_override_return.sh | 15 +++++++++++++++ - samples/bpf/tracex7_kern.c | 16 ++++++++++++++++ - samples/bpf/tracex7_user.c | 28 ++++++++++++++++++++++++++++ - tools/include/uapi/linux/bpf.h | 7 ++++++- - tools/testing/selftests/bpf/bpf_helpers.h | 3 ++- - 6 files changed, 71 insertions(+), 2 deletions(-) - create mode 100755 samples/bpf/test_override_return.sh - create mode 100644 samples/bpf/tracex7_kern.c - create mode 100644 samples/bpf/tracex7_user.c - ---- a/samples/bpf/Makefile -+++ b/samples/bpf/Makefile -@@ -14,6 +14,7 @@ hostprogs-y += tracex3 - hostprogs-y += tracex4 - hostprogs-y += tracex5 - hostprogs-y += tracex6 -+hostprogs-y += tracex7 - hostprogs-y += test_probe_write_user - hostprogs-y += trace_output - hostprogs-y += lathist -@@ -60,6 +61,7 @@ tracex3-objs := bpf_load.o $(LIBBPF) tra - tracex4-objs := bpf_load.o $(LIBBPF) tracex4_user.o - tracex5-objs := bpf_load.o $(LIBBPF) tracex5_user.o - tracex6-objs := bpf_load.o $(LIBBPF) tracex6_user.o -+tracex7-objs := bpf_load.o $(LIBBPF) tracex7_user.o - load_sock_ops-objs := bpf_load.o $(LIBBPF) load_sock_ops.o - test_probe_write_user-objs := bpf_load.o $(LIBBPF) test_probe_write_user_user.o - trace_output-objs := bpf_load.o $(LIBBPF) trace_output_user.o -@@ -103,6 +105,7 @@ always += tracex3_kern.o - always += tracex4_kern.o - always += tracex5_kern.o - always += tracex6_kern.o -+always += tracex7_kern.o - always += sock_flags_kern.o - always += test_probe_write_user_kern.o - always += trace_output_kern.o -@@ -157,6 +160,7 @@ HOSTLOADLIBES_tracex3 += -lelf - HOSTLOADLIBES_tracex4 += -lelf -lrt - HOSTLOADLIBES_tracex5 += -lelf - HOSTLOADLIBES_tracex6 += -lelf -+HOSTLOADLIBES_tracex7 += -lelf - HOSTLOADLIBES_test_cgrp2_sock2 += -lelf - HOSTLOADLIBES_load_sock_ops += -lelf - HOSTLOADLIBES_test_probe_write_user += -lelf ---- /dev/null -+++ b/samples/bpf/test_override_return.sh -@@ -0,0 +1,15 @@ -+#!/bin/bash -+ -+rm -f testfile.img -+dd if=/dev/zero of=testfile.img bs=1M seek=1000 count=1 -+DEVICE=$(losetup --show -f testfile.img) -+mkfs.btrfs -f $DEVICE -+mkdir tmpmnt -+./tracex7 $DEVICE -+if [ $? -eq 0 ] -+then -+ echo "SUCCESS!" -+else -+ echo "FAILED!" -+fi -+losetup -d $DEVICE ---- /dev/null -+++ b/samples/bpf/tracex7_kern.c -@@ -0,0 +1,16 @@ -+#include -+#include -+#include -+#include "bpf_helpers.h" -+ -+SEC("kprobe/open_ctree") -+int bpf_prog1(struct pt_regs *ctx) -+{ -+ unsigned long rc = -12; -+ -+ bpf_override_return(ctx, rc); -+ return 0; -+} -+ -+char _license[] SEC("license") = "GPL"; -+u32 _version SEC("version") = LINUX_VERSION_CODE; ---- /dev/null -+++ b/samples/bpf/tracex7_user.c -@@ -0,0 +1,28 @@ -+#define _GNU_SOURCE -+ -+#include -+#include -+#include -+#include "libbpf.h" -+#include "bpf_load.h" -+ -+int main(int argc, char **argv) -+{ -+ FILE *f; -+ char filename[256]; -+ char command[256]; -+ int ret; -+ -+ snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]); -+ -+ if (load_bpf_file(filename)) { -+ printf("%s", bpf_log_buf); -+ return 1; -+ } -+ -+ snprintf(command, 256, "mount %s tmpmnt/", argv[1]); -+ f = popen(command, "r"); -+ ret = pclose(f); -+ -+ return ret ? 0 : 1; -+} ---- a/tools/include/uapi/linux/bpf.h -+++ b/tools/include/uapi/linux/bpf.h -@@ -674,6 +674,10 @@ union bpf_attr { - * @buf: buf to fill - * @buf_size: size of the buf - * Return : 0 on success or negative error code -+ * -+ * int bpf_override_return(pt_regs, rc) -+ * @pt_regs: pointer to struct pt_regs -+ * @rc: the return value to set - */ - #define __BPF_FUNC_MAPPER(FN) \ - FN(unspec), \ -@@ -733,7 +737,8 @@ union bpf_attr { - FN(xdp_adjust_meta), \ - FN(perf_event_read_value), \ - FN(perf_prog_read_value), \ -- FN(getsockopt), -+ FN(getsockopt), \ -+ FN(override_return), - - /* integer value in 'imm' field of BPF_CALL instruction selects which helper - * function eBPF program intends to call ---- a/tools/testing/selftests/bpf/bpf_helpers.h -+++ b/tools/testing/selftests/bpf/bpf_helpers.h -@@ -81,7 +81,8 @@ static int (*bpf_perf_event_read_value)( - static int (*bpf_perf_prog_read_value)(void *ctx, void *buf, - unsigned int buf_size) = - (void *) BPF_FUNC_perf_prog_read_value; -- -+static int (*bpf_override_return)(void *ctx, unsigned long rc) = -+ (void *) BPF_FUNC_override_return; - - /* llvm builtin functions that eBPF C program may use to - * emit BPF_LD_ABS and BPF_LD_IND instructions diff --git a/patches.suse/samples-bpf-compile-and-link-against-full-libbpf.patch b/patches.suse/samples-bpf-compile-and-link-against-full-libbpf.patch index 868f10f..bc5e807 100644 --- a/patches.suse/samples-bpf-compile-and-link-against-full-libbpf.patch +++ b/patches.suse/samples-bpf-compile-and-link-against-full-libbpf.patch @@ -19,7 +19,7 @@ Acked-by: Thomas Bogendoerfer --- a/samples/bpf/Makefile +++ b/samples/bpf/Makefile -@@ -50,7 +50,7 @@ hostprogs-y += xdp_adjust_tail +@@ -49,7 +49,7 @@ hostprogs-y += xdp_adjust_tail hostprogs-y += xdpsock # Libbpf dependencies @@ -28,7 +28,7 @@ Acked-by: Thomas Bogendoerfer CGROUP_HELPERS := ../../tools/testing/selftests/bpf/cgroup_helpers.o TRACE_HELPERS := ../../tools/testing/selftests/bpf/trace_helpers.o -@@ -75,10 +75,10 @@ offwaketime-objs := bpf_load.o $(LIBBPF) +@@ -73,10 +73,10 @@ offwaketime-objs := bpf_load.o $(LIBBPF) spintest-objs := bpf_load.o $(LIBBPF) spintest_user.o $(TRACE_HELPERS) map_perf_test-objs := bpf_load.o $(LIBBPF) map_perf_test_user.o test_overhead-objs := bpf_load.o $(LIBBPF) test_overhead_user.o @@ -43,7 +43,7 @@ Acked-by: Thomas Bogendoerfer test_cgrp2_sock2-objs := bpf_load.o $(LIBBPF) test_cgrp2_sock2.o xdp1-objs := bpf_load.o $(LIBBPF) xdp1_user.o # reuse xdp1 source intentionally -@@ -92,7 +92,7 @@ tc_l2_redirect-objs := bpf_load.o $(LIBB +@@ -90,7 +90,7 @@ tc_l2_redirect-objs := bpf_load.o $(LIBB lwt_len_hist-objs := bpf_load.o $(LIBBPF) lwt_len_hist_user.o xdp_tx_iptunnel-objs := bpf_load.o $(LIBBPF) xdp_tx_iptunnel_user.o test_map_in_map-objs := bpf_load.o $(LIBBPF) test_map_in_map_user.o @@ -52,7 +52,7 @@ Acked-by: Thomas Bogendoerfer xdp_redirect-objs := bpf_load.o $(LIBBPF) xdp_redirect_user.o xdp_redirect_map-objs := bpf_load.o $(LIBBPF) xdp_redirect_map_user.o xdp_redirect_cpu-objs := bpf_load.o $(LIBBPF) xdp_redirect_cpu_user.o -@@ -163,6 +163,8 @@ HOSTCFLAGS += -I$(srctree)/tools/lib/ -I +@@ -161,6 +161,8 @@ HOSTCFLAGS += -I$(srctree)/tools/lib/ -I HOSTCFLAGS += -I$(srctree)/tools/perf HOSTCFLAGS_bpf_load.o += -I$(objtree)/usr/include -Wno-unused-variable @@ -61,10 +61,10 @@ Acked-by: Thomas Bogendoerfer HOSTLOADLIBES_fds_example += -lelf HOSTLOADLIBES_sockex1 += -lelf HOSTLOADLIBES_sockex2 += -lelf -@@ -174,6 +176,10 @@ HOSTLOADLIBES_tracex4 += -lelf -lrt +@@ -171,6 +173,10 @@ HOSTLOADLIBES_tracex3 += -lelf + HOSTLOADLIBES_tracex4 += -lelf -lrt HOSTLOADLIBES_tracex5 += -lelf HOSTLOADLIBES_tracex6 += -lelf - HOSTLOADLIBES_tracex7 += -lelf +HOSTLOADLIBES_test_cgrp2_array_pin += -lelf +HOSTLOADLIBES_test_cgrp2_attach += -lelf +HOSTLOADLIBES_test_cgrp2_attach2 += -lelf @@ -72,7 +72,7 @@ Acked-by: Thomas Bogendoerfer HOSTLOADLIBES_test_cgrp2_sock2 += -lelf HOSTLOADLIBES_load_sock_ops += -lelf HOSTLOADLIBES_test_probe_write_user += -lelf -@@ -193,6 +199,7 @@ HOSTLOADLIBES_tc_l2_redirect += -l elf +@@ -190,6 +196,7 @@ HOSTLOADLIBES_tc_l2_redirect += -l elf HOSTLOADLIBES_lwt_len_hist += -l elf HOSTLOADLIBES_xdp_tx_iptunnel += -lelf HOSTLOADLIBES_test_map_in_map += -lelf @@ -80,7 +80,7 @@ Acked-by: Thomas Bogendoerfer HOSTLOADLIBES_xdp_redirect += -lelf HOSTLOADLIBES_xdp_redirect_map += -lelf HOSTLOADLIBES_xdp_redirect_cpu += -lelf -@@ -223,7 +230,7 @@ clean: +@@ -220,7 +227,7 @@ clean: @rm -f *~ $(LIBBPF): FORCE diff --git a/patches.suse/samples-bpf-include-bpf-bpf.h-instead-of-local-libbp.patch b/patches.suse/samples-bpf-include-bpf-bpf.h-instead-of-local-libbp.patch index 18da732..dbcb9ba 100644 --- a/patches.suse/samples-bpf-include-bpf-bpf.h-instead-of-local-libbp.patch +++ b/patches.suse/samples-bpf-include-bpf-bpf.h-instead-of-local-libbp.patch @@ -41,7 +41,6 @@ Acked-by: Thomas Bogendoerfer samples/bpf/tracex4_user.c | 2 +- samples/bpf/tracex5_user.c | 2 +- samples/bpf/tracex6_user.c | 2 +- - samples/bpf/tracex7_user.c | 2 +- samples/bpf/xdp_monitor_user.c | 2 +- samples/bpf/xdp_redirect_cpu_user.c | 2 +- samples/bpf/xdp_redirect_map_user.c | 2 +- @@ -49,7 +48,7 @@ Acked-by: Thomas Bogendoerfer samples/bpf/xdp_router_ipv4_user.c | 2 +- samples/bpf/xdp_tx_iptunnel_user.c | 2 +- samples/bpf/xdpsock_user.c | 2 +- - 34 files changed, 33 insertions(+), 34 deletions(-) + 33 files changed, 32 insertions(+), 33 deletions(-) --- a/samples/bpf/bpf_load.c +++ b/samples/bpf/bpf_load.c @@ -336,17 +335,6 @@ Acked-by: Thomas Bogendoerfer #include "perf-sys.h" #define SAMPLE_PERIOD 0x7fffffffffffffffULL ---- a/samples/bpf/tracex7_user.c -+++ b/samples/bpf/tracex7_user.c -@@ -3,7 +3,7 @@ - #include - #include - #include --#include "libbpf.h" -+#include - #include "bpf_load.h" - - int main(int argc, char **argv) --- a/samples/bpf/xdp_monitor_user.c +++ b/samples/bpf/xdp_monitor_user.c @@ -26,7 +26,7 @@ static const char *__doc_err_only__= diff --git a/patches.suse/samples-bpf-move-common-purpose-trace-functions-to-s.patch b/patches.suse/samples-bpf-move-common-purpose-trace-functions-to-s.patch index 2859f7c..1f2c67d 100644 --- a/patches.suse/samples-bpf-move-common-purpose-trace-functions-to-s.patch +++ b/patches.suse/samples-bpf-move-common-purpose-trace-functions-to-s.patch @@ -32,7 +32,7 @@ Acked-by: Thomas Bogendoerfer --- a/samples/bpf/Makefile +++ b/samples/bpf/Makefile -@@ -51,6 +51,7 @@ hostprogs-y += xdp_adjust_tail +@@ -50,6 +50,7 @@ hostprogs-y += xdp_adjust_tail # Libbpf dependencies LIBBPF := ../../tools/lib/bpf/bpf.o ../../tools/lib/bpf/nlattr.o CGROUP_HELPERS := ../../tools/testing/selftests/bpf/cgroup_helpers.o @@ -40,8 +40,8 @@ Acked-by: Thomas Bogendoerfer test_lru_dist-objs := test_lru_dist.o $(LIBBPF) sock_example-objs := sock_example.o $(LIBBPF) -@@ -67,10 +68,10 @@ tracex6-objs := bpf_load.o $(LIBBPF) tra - tracex7-objs := bpf_load.o $(LIBBPF) tracex7_user.o +@@ -65,10 +66,10 @@ tracex5-objs := bpf_load.o $(LIBBPF) tra + tracex6-objs := bpf_load.o $(LIBBPF) tracex6_user.o load_sock_ops-objs := bpf_load.o $(LIBBPF) load_sock_ops.o test_probe_write_user-objs := bpf_load.o $(LIBBPF) test_probe_write_user_user.o -trace_output-objs := bpf_load.o $(LIBBPF) trace_output_user.o @@ -54,7 +54,7 @@ Acked-by: Thomas Bogendoerfer map_perf_test-objs := bpf_load.o $(LIBBPF) map_perf_test_user.o test_overhead-objs := bpf_load.o $(LIBBPF) test_overhead_user.o test_cgrp2_array_pin-objs := $(LIBBPF) test_cgrp2_array_pin.o -@@ -84,8 +85,8 @@ xdp2-objs := bpf_load.o $(LIBBPF) xdp1_u +@@ -82,8 +83,8 @@ xdp2-objs := bpf_load.o $(LIBBPF) xdp1_u xdp_router_ipv4-objs := bpf_load.o $(LIBBPF) xdp_router_ipv4_user.o test_current_task_under_cgroup-objs := bpf_load.o $(LIBBPF) $(CGROUP_HELPERS) \ test_current_task_under_cgroup_user.o @@ -67,7 +67,7 @@ Acked-by: Thomas Bogendoerfer xdp_tx_iptunnel-objs := bpf_load.o $(LIBBPF) xdp_tx_iptunnel_user.o --- a/samples/bpf/bpf_load.c +++ b/samples/bpf/bpf_load.c -@@ -633,66 +633,3 @@ void read_trace_pipe(void) +@@ -647,66 +647,3 @@ void read_trace_pipe(void) } } } diff --git a/patches.suse/samples-bpf-move-libbpf-from-object-dependencies-to-.patch b/patches.suse/samples-bpf-move-libbpf-from-object-dependencies-to-.patch index 728196d..c84f6db 100644 --- a/patches.suse/samples-bpf-move-libbpf-from-object-dependencies-to-.patch +++ b/patches.suse/samples-bpf-move-libbpf-from-object-dependencies-to-.patch @@ -17,12 +17,12 @@ Acked-by: Jesper Dangaard Brouer Signed-off-by: Alexei Starovoitov Acked-by: Thomas Bogendoerfer --- - samples/bpf/Makefile | 142 +++++++++++++++++---------------------------------- - 1 file changed, 50 insertions(+), 92 deletions(-) + samples/bpf/Makefile | 139 +++++++++++++++++---------------------------------- + 1 file changed, 49 insertions(+), 90 deletions(-) --- a/samples/bpf/Makefile +++ b/samples/bpf/Makefile -@@ -57,54 +57,52 @@ LIBBPF = $(TOOLS_PATH)/lib/bpf/libbpf.a +@@ -56,53 +56,51 @@ LIBBPF = $(TOOLS_PATH)/lib/bpf/libbpf.a CGROUP_HELPERS := ../../tools/testing/selftests/bpf/cgroup_helpers.o TRACE_HELPERS := ../../tools/testing/selftests/bpf/trace_helpers.o @@ -38,7 +38,6 @@ Acked-by: Thomas Bogendoerfer -tracex4-objs := bpf_load.o $(LIBBPF) tracex4_user.o -tracex5-objs := bpf_load.o $(LIBBPF) tracex5_user.o -tracex6-objs := bpf_load.o $(LIBBPF) tracex6_user.o --tracex7-objs := bpf_load.o $(LIBBPF) tracex7_user.o -load_sock_ops-objs := bpf_load.o $(LIBBPF) load_sock_ops.o -test_probe_write_user-objs := bpf_load.o $(LIBBPF) test_probe_write_user_user.o -trace_output-objs := bpf_load.o $(LIBBPF) trace_output_user.o $(TRACE_HELPERS) @@ -63,7 +62,6 @@ Acked-by: Thomas Bogendoerfer +tracex4-objs := bpf_load.o tracex4_user.o +tracex5-objs := bpf_load.o tracex5_user.o +tracex6-objs := bpf_load.o tracex6_user.o -+tracex7-objs := bpf_load.o tracex7_user.o +load_sock_ops-objs := bpf_load.o load_sock_ops.o +test_probe_write_user-objs := bpf_load.o test_probe_write_user_user.o +trace_output-objs := bpf_load.o trace_output_user.o $(TRACE_HELPERS) @@ -121,7 +119,7 @@ Acked-by: Thomas Bogendoerfer # Tell kbuild to always build the programs always := $(hostprogs-y) -@@ -174,52 +172,12 @@ HOSTCFLAGS_spintest_user.o += -I$(srctre +@@ -172,51 +170,12 @@ HOSTCFLAGS_spintest_user.o += -I$(srctre HOSTCFLAGS_trace_event_user.o += -I$(srctree)/tools/lib/bpf/ HOSTCFLAGS_sampleip_user.o += -I$(srctree)/tools/lib/bpf/ @@ -137,7 +135,6 @@ Acked-by: Thomas Bogendoerfer -HOSTLOADLIBES_tracex4 += -lelf -lrt -HOSTLOADLIBES_tracex5 += -lelf -HOSTLOADLIBES_tracex6 += -lelf --HOSTLOADLIBES_tracex7 += -lelf -HOSTLOADLIBES_test_cgrp2_array_pin += -lelf -HOSTLOADLIBES_test_cgrp2_attach += -lelf -HOSTLOADLIBES_test_cgrp2_attach2 += -lelf diff --git a/patches.suse/usb-Allow-USB-device-to-be-warm-reset-in-suspended-s.patch b/patches.suse/usb-Allow-USB-device-to-be-warm-reset-in-suspended-s.patch new file mode 100644 index 0000000..5c2fcf5 --- /dev/null +++ b/patches.suse/usb-Allow-USB-device-to-be-warm-reset-in-suspended-s.patch @@ -0,0 +1,109 @@ +From e76b3bf7654c3c94554c24ba15a3d105f4006c80 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 6 Nov 2019 14:27:10 +0800 +Subject: [PATCH] usb: Allow USB device to be warm reset in suspended state +Git-commit: e76b3bf7654c3c94554c24ba15a3d105f4006c80 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +On Dell WD15 dock, sometimes USB ethernet cannot be detected after plugging +cable to the ethernet port, the hub and roothub get runtime resumed and +runtime suspended immediately: +... +[ 433.315169] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_resume: 0 +[ 433.315204] usb usb4: usb auto-resume +[ 433.315226] hub 4-0:1.0: hub_resume +[ 433.315239] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10202e2, return 0x10343 +[ 433.315264] usb usb4-port1: status 0343 change 0001 +[ 433.315279] xhci_hcd 0000:3a:00.0: clear port1 connect change, portsc: 0x10002e2 +[ 433.315293] xhci_hcd 0000:3a:00.0: Get port status 4-2 read: 0x2a0, return 0x2a0 +[ 433.317012] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling. +[ 433.422282] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10002e2, return 0x343 +[ 433.422307] usb usb4-port1: do warm reset +[ 433.422311] usb 4-1: device reset not allowed in state 8 +[ 433.422339] hub 4-0:1.0: state 7 ports 2 chg 0002 evt 0000 +[ 433.422346] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10002e2, return 0x343 +[ 433.422356] usb usb4-port1: do warm reset +[ 433.422358] usb 4-1: device reset not allowed in state 8 +[ 433.422428] xhci_hcd 0000:3a:00.0: set port remote wake mask, actual port 0 status = 0xf0002e2 +[ 433.422455] xhci_hcd 0000:3a:00.0: set port remote wake mask, actual port 1 status = 0xe0002a0 +[ 433.422465] hub 4-0:1.0: hub_suspend +[ 433.422475] usb usb4: bus auto-suspend, wakeup 1 +[ 433.426161] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling. +[ 433.466209] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting +[ 433.510204] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting +[ 433.554051] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting +[ 433.598235] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting +[ 433.642154] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting +[ 433.686204] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting +[ 433.730205] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting +[ 433.774203] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting +[ 433.818207] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting +[ 433.862040] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting +[ 433.862053] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling. +[ 433.862077] xhci_hcd 0000:3a:00.0: xhci_suspend: stopping port polling. +[ 433.862096] xhci_hcd 0000:3a:00.0: // Setting command ring address to 0x8578fc001 +[ 433.862312] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_suspend: 0 +[ 433.862445] xhci_hcd 0000:3a:00.0: PME# enabled +[ 433.902376] xhci_hcd 0000:3a:00.0: restoring config space at offset 0xc (was 0x0, writing 0x20) +[ 433.902395] xhci_hcd 0000:3a:00.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100403) +[ 433.902490] xhci_hcd 0000:3a:00.0: PME# disabled +[ 433.902504] xhci_hcd 0000:3a:00.0: enabling bus mastering +[ 433.902547] xhci_hcd 0000:3a:00.0: // Setting command ring address to 0x8578fc001 +[ 433.902649] pcieport 0000:00:1b.0: PME: Spurious native interrupt! +[ 433.902839] xhci_hcd 0000:3a:00.0: Port change event, 4-1, id 3, portsc: 0xb0202e2 +[ 433.902842] xhci_hcd 0000:3a:00.0: resume root hub +[ 433.902845] xhci_hcd 0000:3a:00.0: handle_port_status: starting port polling. +[ 433.902877] xhci_hcd 0000:3a:00.0: xhci_resume: starting port polling. +[ 433.902889] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling. +[ 433.902891] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_resume: 0 +[ 433.902919] usb usb4: usb wakeup-resume +[ 433.902942] usb usb4: usb auto-resume +[ 433.902966] hub 4-0:1.0: hub_resume +... + +As Mathias pointed out, the hub enters Cold Attach Status state and +requires a warm reset. However usb_reset_device() bails out early when +the device is in suspended state, as its callers port_event() and +hub_event() don't always resume the device. + +Since there's nothing wrong to reset a suspended device, allow +usb_reset_device() to do so to solve the issue. + +Signed-off-by: Kai-Heng Feng +Acked-by: Alan Stern +Cc: stable +Link: https://lore.kernel.org/r/20191106062710.29880-1-kai.heng.feng@canonical.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/hub.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index fdcfa85b5b12..1709895387b9 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -5840,7 +5840,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + + /** + * usb_reset_device - warn interface drivers and perform a USB port reset +- * @udev: device to reset (not in SUSPENDED or NOTATTACHED state) ++ * @udev: device to reset (not in NOTATTACHED state) + * + * Warns all drivers bound to registered interfaces (using their pre_reset + * method), performs the port reset, and then lets the drivers know that +@@ -5868,8 +5868,7 @@ int usb_reset_device(struct usb_device *udev) + struct usb_host_config *config = udev->actconfig; + struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent); + +- if (udev->state == USB_STATE_NOTATTACHED || +- udev->state == USB_STATE_SUSPENDED) { ++ if (udev->state == USB_STATE_NOTATTACHED) { + dev_dbg(&udev->dev, "device reset not allowed in state %d\n", + udev->state); + return -EINVAL; +-- +2.16.4 + diff --git a/patches.suse/usb-core-urb-fix-URB-structure-initialization-functi.patch b/patches.suse/usb-core-urb-fix-URB-structure-initialization-functi.patch new file mode 100644 index 0000000..fd0b4af --- /dev/null +++ b/patches.suse/usb-core-urb-fix-URB-structure-initialization-functi.patch @@ -0,0 +1,39 @@ +From 1cd17f7f0def31e3695501c4f86cd3faf8489840 Mon Sep 17 00:00:00 2001 +From: Emiliano Ingrassia +Date: Wed, 27 Nov 2019 17:03:55 +0100 +Subject: [PATCH] usb: core: urb: fix URB structure initialization function +Git-commit: 1cd17f7f0def31e3695501c4f86cd3faf8489840 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +Explicitly initialize URB structure urb_list field in usb_init_urb(). +This field can be potentially accessed uninitialized and its +initialization is coherent with the usage of list_del_init() in +usb_hcd_unlink_urb_from_ep() and usb_giveback_urb_bh() and its +explicit initialization in usb_hcd_submit_urb() error path. + +Signed-off-by: Emiliano Ingrassia +Cc: stable +Link: https://lore.kernel.org/r/20191127160355.GA27196@ingrassia.epigenesys.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/core/urb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c +index 0eab79f82ce4..da923ec17612 100644 +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -45,6 +45,7 @@ void usb_init_urb(struct urb *urb) + if (urb) { + memset(urb, 0, sizeof(*urb)); + kref_init(&urb->kref); ++ INIT_LIST_HEAD(&urb->urb_list); + INIT_LIST_HEAD(&urb->anchor_list); + } + } +-- +2.16.4 + diff --git a/patches.suse/usb-dwc3-debugfs-Properly-print-set-link-state-for-H.patch b/patches.suse/usb-dwc3-debugfs-Properly-print-set-link-state-for-H.patch new file mode 100644 index 0000000..8b15cc1 --- /dev/null +++ b/patches.suse/usb-dwc3-debugfs-Properly-print-set-link-state-for-H.patch @@ -0,0 +1,113 @@ +From 0d36dede457873404becd7c9cb9d0f2bcfd0dcd9 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 7 Nov 2018 17:55:19 -0800 +Subject: [PATCH] usb: dwc3: debugfs: Properly print/set link state for HS +Git-commit: 0d36dede457873404becd7c9cb9d0f2bcfd0dcd9 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +Highspeed device and below has different state names than superspeed and +higher. Add proper checks and printouts of link states for highspeed and +below. + +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Acked-by: Takashi Iwai + +--- + drivers/usb/dwc3/debug.h | 29 +++++++++++++++++++++++++++++ + drivers/usb/dwc3/debugfs.c | 19 +++++++++++++++++-- + 2 files changed, 46 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc3/debug.h b/drivers/usb/dwc3/debug.h +index c66d216dcc30..4f75ab3505b7 100644 +--- a/drivers/usb/dwc3/debug.h ++++ b/drivers/usb/dwc3/debug.h +@@ -116,6 +116,35 @@ dwc3_gadget_link_string(enum dwc3_link_state link_state) + } + } + ++/** ++ * dwc3_gadget_hs_link_string - returns highspeed and below link name ++ * @link_state: link state code ++ */ ++static inline const char * ++dwc3_gadget_hs_link_string(enum dwc3_link_state link_state) ++{ ++ switch (link_state) { ++ case DWC3_LINK_STATE_U0: ++ return "On"; ++ case DWC3_LINK_STATE_U2: ++ return "Sleep"; ++ case DWC3_LINK_STATE_U3: ++ return "Suspend"; ++ case DWC3_LINK_STATE_SS_DIS: ++ return "Disconnected"; ++ case DWC3_LINK_STATE_RX_DET: ++ return "Early Suspend"; ++ case DWC3_LINK_STATE_RECOV: ++ return "Recovery"; ++ case DWC3_LINK_STATE_RESET: ++ return "Reset"; ++ case DWC3_LINK_STATE_RESUME: ++ return "Resume"; ++ default: ++ return "UNKNOWN link state\n"; ++ } ++} ++ + /** + * dwc3_trb_type_string - returns TRB type as a string + * @type: the type of the TRB +diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c +index 1da012f105d7..e613a61ae58a 100644 +--- a/drivers/usb/dwc3/debugfs.c ++++ b/drivers/usb/dwc3/debugfs.c +@@ -539,13 +539,17 @@ static int dwc3_link_state_show(struct seq_file *s, void *unused) + unsigned long flags; + enum dwc3_link_state state; + u32 reg; ++ u8 speed; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_DSTS); + state = DWC3_DSTS_USBLNKST(reg); +- spin_unlock_irqrestore(&dwc->lock, flags); ++ speed = reg & DWC3_DSTS_CONNECTSPD; + +- seq_printf(s, "%s\n", dwc3_gadget_link_string(state)); ++ seq_printf(s, "%s\n", (speed >= DWC3_DSTS_SUPERSPEED) ? ++ dwc3_gadget_link_string(state) : ++ dwc3_gadget_hs_link_string(state)); ++ spin_unlock_irqrestore(&dwc->lock, flags); + + return 0; + } +@@ -563,6 +567,8 @@ static ssize_t dwc3_link_state_write(struct file *file, + unsigned long flags; + enum dwc3_link_state state = 0; + char buf[32]; ++ u32 reg; ++ u8 speed; + + if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) + return -EFAULT; +@@ -583,6 +589,15 @@ static ssize_t dwc3_link_state_write(struct file *file, + return -EINVAL; + + spin_lock_irqsave(&dwc->lock, flags); ++ reg = dwc3_readl(dwc->regs, DWC3_DSTS); ++ speed = reg & DWC3_DSTS_CONNECTSPD; ++ ++ if (speed < DWC3_DSTS_SUPERSPEED && ++ state != DWC3_LINK_STATE_RECOV) { ++ spin_unlock_irqrestore(&dwc->lock, flags); ++ return -EINVAL; ++ } ++ + dwc3_gadget_set_link_state(dwc, state); + spin_unlock_irqrestore(&dwc->lock, flags); + +-- +2.16.4 + diff --git a/patches.suse/usb-dwc3-don-t-log-probe-deferrals-but-do-log-other-.patch b/patches.suse/usb-dwc3-don-t-log-probe-deferrals-but-do-log-other-.patch new file mode 100644 index 0000000..6a891da --- /dev/null +++ b/patches.suse/usb-dwc3-don-t-log-probe-deferrals-but-do-log-other-.patch @@ -0,0 +1,37 @@ +From 408d3ba006af57380fa48858b39f72fde6405031 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 7 Nov 2018 12:40:29 -0800 +Subject: [PATCH] usb: dwc3: don't log probe deferrals; but do log other error codes +Git-commit: 408d3ba006af57380fa48858b39f72fde6405031 +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +It's not very useful to repeat a bunch of probe deferral errors. And +it's also not very useful to log "failed" without telling the error +code. + +Signed-off-by: Brian Norris +Signed-off-by: Felipe Balbi +Acked-by: Takashi Iwai + +--- + drivers/usb/dwc3/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 0807353f3b07..6acadd647dc3 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1486,7 +1486,8 @@ static int dwc3_probe(struct platform_device *pdev) + + ret = dwc3_core_init(dwc); + if (ret) { +- dev_err(dev, "failed to initialize core\n"); ++ if (ret != -EPROBE_DEFER) ++ dev_err(dev, "failed to initialize core: %d\n", ret); + goto err4; + } + +-- +2.16.4 + diff --git a/patches.suse/usb-dwc3-ep0-Clear-started-flag-on-completion.patch b/patches.suse/usb-dwc3-ep0-Clear-started-flag-on-completion.patch new file mode 100644 index 0000000..f71f162 --- /dev/null +++ b/patches.suse/usb-dwc3-ep0-Clear-started-flag-on-completion.patch @@ -0,0 +1,51 @@ +From 2d7b78f59e020b07fc6338eefe286f54ee2d6773 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 27 Nov 2019 13:10:54 -0800 +Subject: [PATCH] usb: dwc3: ep0: Clear started flag on completion +Git-commit: 2d7b78f59e020b07fc6338eefe286f54ee2d6773 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +Clear ep0's DWC3_EP_TRANSFER_STARTED flag if the END_TRANSFER command is +completed. Otherwise, we can't start control transfer again after +END_TRANSFER. + +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Acked-by: Takashi Iwai + +--- + drivers/usb/dwc3/ep0.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c +index 3996b9c4ff8d..fd1b100d2927 100644 +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -1117,6 +1117,9 @@ static void dwc3_ep0_xfernotready(struct dwc3 *dwc, + void dwc3_ep0_interrupt(struct dwc3 *dwc, + const struct dwc3_event_depevt *event) + { ++ struct dwc3_ep *dep = dwc->eps[event->endpoint_number]; ++ u8 cmd; ++ + switch (event->endpoint_event) { + case DWC3_DEPEVT_XFERCOMPLETE: + dwc3_ep0_xfer_complete(dwc, event); +@@ -1129,7 +1132,12 @@ void dwc3_ep0_interrupt(struct dwc3 *dwc, + case DWC3_DEPEVT_XFERINPROGRESS: + case DWC3_DEPEVT_RXTXFIFOEVT: + case DWC3_DEPEVT_STREAMEVT: ++ break; + case DWC3_DEPEVT_EPCMDCMPLT: ++ cmd = DEPEVT_PARAMETER_CMD(event->parameters); ++ ++ if (cmd == DWC3_DEPCMD_ENDTRANSFER) ++ dep->flags &= ~DWC3_EP_TRANSFER_STARTED; + break; + } + } +-- +2.16.4 + diff --git a/patches.suse/usb-gadget-pch_udc-fix-use-after-free.patch b/patches.suse/usb-gadget-pch_udc-fix-use-after-free.patch new file mode 100644 index 0000000..520ea72 --- /dev/null +++ b/patches.suse/usb-gadget-pch_udc-fix-use-after-free.patch @@ -0,0 +1,40 @@ +From 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 6 Nov 2019 14:28:21 -0600 +Subject: [PATCH] usb: gadget: pch_udc: fix use after free +Git-commit: 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +Remove pointer dereference after free. + +pci_pool_free doesn't care about contents of td. +It's just a void* for it + +Addresses-coverity-id: 1091173 ("Use after free") +Cc: stable@vger.kernel.org +Acked-by: Michal Nazarewicz +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20191106202821.GA20347@embeddedor +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/gadget/udc/pch_udc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c +index 265dab2bbfac..3344fb8c4181 100644 +--- a/drivers/usb/gadget/udc/pch_udc.c ++++ b/drivers/usb/gadget/udc/pch_udc.c +@@ -1519,7 +1519,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev, + td = phys_to_virt(addr); + addr2 = (dma_addr_t)td->next; + dma_pool_free(dev->data_requests, td, addr); +- td->next = 0x00; + addr = addr2; + } + req->chain_len = 1; +-- +2.16.4 + diff --git a/patches.suse/usb-gadget-u_serial-add-missing-port-entry-locking.patch b/patches.suse/usb-gadget-u_serial-add-missing-port-entry-locking.patch new file mode 100644 index 0000000..b922ad8 --- /dev/null +++ b/patches.suse/usb-gadget-u_serial-add-missing-port-entry-locking.patch @@ -0,0 +1,43 @@ +From daf82bd24e308c5a83758047aff1bd81edda4f11 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= +Date: Sat, 10 Aug 2019 10:42:48 +0200 +Subject: [PATCH] usb: gadget: u_serial: add missing port entry locking +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: daf82bd24e308c5a83758047aff1bd81edda4f11 +Patch-mainline: v5.5-rc1 +References: bsc#1051510 + +gserial_alloc_line() misses locking (for a release barrier) while +resetting port entry on TTY allocation failure. Fix this. + +Cc: stable@vger.kernel.org +Signed-off-by: Michał Mirosław +Reviewed-by: Greg Kroah-Hartman +Tested-by: Ladislav Michl +Signed-off-by: Felipe Balbi +Acked-by: Takashi Iwai + +--- + drivers/usb/gadget/function/u_serial.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c +index 65f634ec7fc2..bb1e2e1d0076 100644 +--- a/drivers/usb/gadget/function/u_serial.c ++++ b/drivers/usb/gadget/function/u_serial.c +@@ -1239,8 +1239,10 @@ int gserial_alloc_line(unsigned char *line_num) + __func__, port_num, PTR_ERR(tty_dev)); + + ret = PTR_ERR(tty_dev); ++ mutex_lock(&ports[port_num].lock); + port = ports[port_num].port; + ports[port_num].port = NULL; ++ mutex_unlock(&ports[port_num].lock); + gserial_free_port(port); + goto err; + } +-- +2.16.4 + diff --git a/patches.suse/usb-mon-Fix-a-deadlock-in-usbmon-between-mmap-and-re.patch b/patches.suse/usb-mon-Fix-a-deadlock-in-usbmon-between-mmap-and-re.patch new file mode 100644 index 0000000..b995b73 --- /dev/null +++ b/patches.suse/usb-mon-Fix-a-deadlock-in-usbmon-between-mmap-and-re.patch @@ -0,0 +1,109 @@ +From 19e6317d24c25ee737c65d1ffb7483bdda4bb54a Mon Sep 17 00:00:00 2001 +From: Pete Zaitcev +Date: Wed, 4 Dec 2019 20:39:41 -0600 +Subject: [PATCH] usb: mon: Fix a deadlock in usbmon between mmap and read +Git-commit: 19e6317d24c25ee737c65d1ffb7483bdda4bb54a +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +The problem arises because our read() function grabs a lock of the +circular buffer, finds something of interest, then invokes copy_to_user() +straight from the buffer, which in turn takes mm->mmap_sem. In the same +time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem. +It attempts to take the fetch lock and deadlocks. + +This patch does away with protecting of our page list with any +semaphores, and instead relies on the kernel not close the device +while mmap is active in a process. + +In addition, we prohibit re-sizing of a buffer while mmap is active. +This way, when (now unlocked) fault is processed, it works with the +page that is intended to be mapped-in, and not some other random page. +Note that this may have an ABI impact, but hopefully no legitimate +program is this wrong. + +Signed-off-by: Pete Zaitcev +Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com +Reviewed-by: Alan Stern +Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger") +Cc: +Link: https://lore.kernel.org/r/20191204203941.3503452b@suzdal.zaitcev.lan +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/mon/mon_bin.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c +index ac2b4fcc265f..f48a23adbc35 100644 +--- a/drivers/usb/mon/mon_bin.c ++++ b/drivers/usb/mon/mon_bin.c +@@ -1039,12 +1039,18 @@ static long mon_bin_ioctl(struct file *file, unsigned int cmd, unsigned long arg + + mutex_lock(&rp->fetch_lock); + spin_lock_irqsave(&rp->b_lock, flags); +- mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE); +- kfree(rp->b_vec); +- rp->b_vec = vec; +- rp->b_size = size; +- rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0; +- rp->cnt_lost = 0; ++ if (rp->mmap_active) { ++ mon_free_buff(vec, size/CHUNK_SIZE); ++ kfree(vec); ++ ret = -EBUSY; ++ } else { ++ mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE); ++ kfree(rp->b_vec); ++ rp->b_vec = vec; ++ rp->b_size = size; ++ rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0; ++ rp->cnt_lost = 0; ++ } + spin_unlock_irqrestore(&rp->b_lock, flags); + mutex_unlock(&rp->fetch_lock); + } +@@ -1216,13 +1222,21 @@ mon_bin_poll(struct file *file, struct poll_table_struct *wait) + static void mon_bin_vma_open(struct vm_area_struct *vma) + { + struct mon_reader_bin *rp = vma->vm_private_data; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&rp->b_lock, flags); + rp->mmap_active++; ++ spin_unlock_irqrestore(&rp->b_lock, flags); + } + + static void mon_bin_vma_close(struct vm_area_struct *vma) + { ++ unsigned long flags; ++ + struct mon_reader_bin *rp = vma->vm_private_data; ++ spin_lock_irqsave(&rp->b_lock, flags); + rp->mmap_active--; ++ spin_unlock_irqrestore(&rp->b_lock, flags); + } + + /* +@@ -1234,16 +1248,12 @@ static vm_fault_t mon_bin_vma_fault(struct vm_fault *vmf) + unsigned long offset, chunk_idx; + struct page *pageptr; + +- mutex_lock(&rp->fetch_lock); + offset = vmf->pgoff << PAGE_SHIFT; +- if (offset >= rp->b_size) { +- mutex_unlock(&rp->fetch_lock); ++ if (offset >= rp->b_size) + return VM_FAULT_SIGBUS; +- } + chunk_idx = offset / CHUNK_SIZE; + pageptr = rp->b_vec[chunk_idx].pg; + get_page(pageptr); +- mutex_unlock(&rp->fetch_lock); + vmf->page = pageptr; + return 0; + } +-- +2.16.4 + diff --git a/patches.suse/usb-mtu3-fix-dbginfo-in-qmu_tx_zlp_error_handler.patch b/patches.suse/usb-mtu3-fix-dbginfo-in-qmu_tx_zlp_error_handler.patch new file mode 100644 index 0000000..e5abe13 --- /dev/null +++ b/patches.suse/usb-mtu3-fix-dbginfo-in-qmu_tx_zlp_error_handler.patch @@ -0,0 +1,41 @@ +From f770e3bc236ee954a3b4052bdf55739e26ee25db Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Fri, 7 Dec 2018 03:52:43 +0000 +Subject: [PATCH] usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler +Git-commit: f770e3bc236ee954a3b4052bdf55739e26ee25db +Patch-mainline: v5.0-rc1 +References: bsc#1051510 + +Fixes gcc '-Wunused-but-set-variable' warning: + +Drivers/usb/mtu3/mtu3_qmu.c: In function 'qmu_tx_zlp_error_handler': +drivers/usb/mtu3/mtu3_qmu.c:385:22: warning: + variable 'req' set but not used [-Wunused-but-set-variable] + +It seems dbginfo original intention is print 'req' other than 'mreq' + +Acked-by: Chunfeng Yun +Signed-off-by: YueHaibing +Signed-off-by: Felipe Balbi +Acked-by: Takashi Iwai + +--- + drivers/usb/mtu3/mtu3_qmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/mtu3/mtu3_qmu.c b/drivers/usb/mtu3/mtu3_qmu.c +index 73ac042c45a8..09f19f70fe8f 100644 +--- a/drivers/usb/mtu3/mtu3_qmu.c ++++ b/drivers/usb/mtu3/mtu3_qmu.c +@@ -402,7 +402,7 @@ static void qmu_tx_zlp_error_handler(struct mtu3 *mtu, u8 epnum) + return; + } + +- dev_dbg(mtu->dev, "%s send ZLP for req=%p\n", __func__, mreq); ++ dev_dbg(mtu->dev, "%s send ZLP for req=%p\n", __func__, req); + + mtu3_clrbits(mbase, MU3D_EP_TXCR0(mep->epnum), TX_DMAREQEN); + +-- +2.16.4 + diff --git a/patches.suse/usb-xhci-Fix-build-warning-seen-with-CONFIG_PM-n.patch b/patches.suse/usb-xhci-Fix-build-warning-seen-with-CONFIG_PM-n.patch new file mode 100644 index 0000000..baf0f92 --- /dev/null +++ b/patches.suse/usb-xhci-Fix-build-warning-seen-with-CONFIG_PM-n.patch @@ -0,0 +1,49 @@ +From 6056a0f8ede27b296d10ef46f7f677cc9d715371 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Tue, 17 Dec 2019 17:19:11 -0800 +Subject: [PATCH] usb: xhci: Fix build warning seen with CONFIG_PM=n +Git-commit: 6056a0f8ede27b296d10ef46f7f677cc9d715371 +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +The following build warning is seen if CONFIG_PM is disabled. + +drivers/usb/host/xhci-pci.c:498:13: warning: + unused function 'xhci_pci_shutdown' + +Fixes: f2c710f7dca8 ("usb: xhci: only set D3hot for pci device") +Cc: Henry Lin +Cc: stable@vger.kernel.org # all stable releases with f2c710f7dca8 +Signed-off-by: Guenter Roeck +Acked-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191218011911.6907-1-linux@roeck-us.net +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 2907fe4d78dd..4917c5b033fa 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -519,7 +519,6 @@ static int xhci_pci_resume(struct usb_hcd *hcd, bool hibernated) + retval = xhci_resume(xhci, hibernated); + return retval; + } +-#endif /* CONFIG_PM */ + + static void xhci_pci_shutdown(struct usb_hcd *hcd) + { +@@ -532,6 +531,7 @@ static void xhci_pci_shutdown(struct usb_hcd *hcd) + if (xhci->quirks & XHCI_SPURIOUS_WAKEUP) + pci_set_power_state(pdev, PCI_D3hot); + } ++#endif /* CONFIG_PM */ + + /*-------------------------------------------------------------------------*/ + +-- +2.16.4 + diff --git a/patches.suse/usb-xhci-only-set-D3hot-for-pci-device.patch b/patches.suse/usb-xhci-only-set-D3hot-for-pci-device.patch new file mode 100644 index 0000000..218bd07 --- /dev/null +++ b/patches.suse/usb-xhci-only-set-D3hot-for-pci-device.patch @@ -0,0 +1,99 @@ +From f2c710f7dca8457e88b4ac9de2060f011254f9dd Mon Sep 17 00:00:00 2001 +From: Henry Lin +Date: Wed, 11 Dec 2019 16:20:04 +0200 +Subject: [PATCH] usb: xhci: only set D3hot for pci device +Git-commit: f2c710f7dca8457e88b4ac9de2060f011254f9dd +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +Xhci driver cannot call pci_set_power_state() on non-pci xhci host +controllers. For example, NVIDIA Tegra XHCI host controller which acts +as platform device with XHCI_SPURIOUS_WAKEUP quirk set in some platform +hits this issue during shutdown. + +Cc: +Fixes: 638298dc66ea ("xhci: Fix spurious wakeups after S5 on Haswell") +Signed-off-by: Henry Lin +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191211142007.8847-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-pci.c | 13 +++++++++++++ + drivers/usb/host/xhci.c | 7 ++----- + drivers/usb/host/xhci.h | 1 + + 3 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index a0025d23b257..2907fe4d78dd 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -521,6 +521,18 @@ static int xhci_pci_resume(struct usb_hcd *hcd, bool hibernated) + } + #endif /* CONFIG_PM */ + ++static void xhci_pci_shutdown(struct usb_hcd *hcd) ++{ ++ struct xhci_hcd *xhci = hcd_to_xhci(hcd); ++ struct pci_dev *pdev = to_pci_dev(hcd->self.controller); ++ ++ xhci_shutdown(hcd); ++ ++ /* Yet another workaround for spurious wakeups at shutdown with HSW */ ++ if (xhci->quirks & XHCI_SPURIOUS_WAKEUP) ++ pci_set_power_state(pdev, PCI_D3hot); ++} ++ + /*-------------------------------------------------------------------------*/ + + /* PCI driver selection metadata; PCI hotplugging uses this */ +@@ -556,6 +568,7 @@ static int __init xhci_pci_init(void) + #ifdef CONFIG_PM + xhci_pci_hc_driver.pci_suspend = xhci_pci_suspend; + xhci_pci_hc_driver.pci_resume = xhci_pci_resume; ++ xhci_pci_hc_driver.shutdown = xhci_pci_shutdown; + #endif + return pci_register_driver(&xhci_pci_driver); + } +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 6721d059f58a..c5ee562c4c74 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -770,7 +770,7 @@ static void xhci_stop(struct usb_hcd *hcd) + * + * This will only ever be called with the main usb_hcd (the USB3 roothub). + */ +-static void xhci_shutdown(struct usb_hcd *hcd) ++void xhci_shutdown(struct usb_hcd *hcd) + { + struct xhci_hcd *xhci = hcd_to_xhci(hcd); + +@@ -789,11 +789,8 @@ static void xhci_shutdown(struct usb_hcd *hcd) + xhci_dbg_trace(xhci, trace_xhci_dbg_init, + "xhci_shutdown completed - status = %x", + readl(&xhci->op_regs->status)); +- +- /* Yet another workaround for spurious wakeups at shutdown with HSW */ +- if (xhci->quirks & XHCI_SPURIOUS_WAKEUP) +- pci_set_power_state(to_pci_dev(hcd->self.sysdev), PCI_D3hot); + } ++EXPORT_SYMBOL_GPL(xhci_shutdown); + + #ifdef CONFIG_PM + static void xhci_save_registers(struct xhci_hcd *xhci) +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index dc6f62a4b197..13d8838cd552 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -2050,6 +2050,7 @@ int xhci_start(struct xhci_hcd *xhci); + int xhci_reset(struct xhci_hcd *xhci); + int xhci_run(struct usb_hcd *hcd); + int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks); ++void xhci_shutdown(struct usb_hcd *hcd); + void xhci_init_driver(struct hc_driver *drv, + const struct xhci_driver_overrides *over); + int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id); +-- +2.16.4 + diff --git a/patches.suse/usbip-Fix-receive-error-in-vhci-hcd-when-using-scatt.patch b/patches.suse/usbip-Fix-receive-error-in-vhci-hcd-when-using-scatt.patch new file mode 100644 index 0000000..f21fd19 --- /dev/null +++ b/patches.suse/usbip-Fix-receive-error-in-vhci-hcd-when-using-scatt.patch @@ -0,0 +1,51 @@ +From d986294ee55d719562b20aabe15a39bf8f863415 Mon Sep 17 00:00:00 2001 +From: Suwan Kim +Date: Fri, 13 Dec 2019 11:30:54 +0900 +Subject: [PATCH] usbip: Fix receive error in vhci-hcd when using scatter-gather +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: d986294ee55d719562b20aabe15a39bf8f863415 +Patch-mainline: v5.5-rc3 +References: bsc#1051510 + +When vhci uses SG and receives data whose size is smaller than SG +buffer size, it tries to receive more data even if it acutally +receives all the data from the server. If then, it erroneously adds +error event and triggers connection shutdown. + +vhci-hcd should check if it received all the data even if there are +more SG entries left. So, check if it receivces all the data from +the server in for_each_sg() loop. + +Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver") +Reported-by: Marek Marczykowski-Górecki +Tested-by: Marek Marczykowski-Górecki +Signed-off-by: Suwan Kim +Acked-by: Shuah Khan +Cc: stable +Link: https://lore.kernel.org/r/20191213023055.19933-2-suwan.kim027@gmail.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/usbip/usbip_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c +index 6532d68e8808..e4b96674c405 100644 +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -727,6 +727,9 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) + + copy -= recv; + ret += recv; ++ ++ if (!copy) ++ break; + } + + if (ret != size) +-- +2.16.4 + diff --git a/patches.suse/v5-0001-crypto-DRBG-add-FIPS-140-2-CTRNG-for-noise-source.patch b/patches.suse/v5-0001-crypto-DRBG-add-FIPS-140-2-CTRNG-for-noise-source.patch new file mode 100644 index 0000000..3328ae9 --- /dev/null +++ b/patches.suse/v5-0001-crypto-DRBG-add-FIPS-140-2-CTRNG-for-noise-source.patch @@ -0,0 +1,201 @@ +From cfd04a840941a4aa59174ad14f04a37b53eeb16a Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Fri, 3 May 2019 21:54:46 +0200 +Subject: [PATCH v5] crypto: DRBG - add FIPS 140-2 CTRNG for noise source +Patch-mainline: Never, handled differently +References: bsc#1155334 + +FIPS 140-2 section 4.9.2 requires a continuous self test of the noise +source. Up to kernel 4.8 drivers/char/random.c provided this continuous +self test. Afterwards it was moved to a location that is inconsistent +with the FIPS 140-2 requirements. The relevant patch was +e192be9d9a30555aae2ca1dc3aad37cba484cd4a . + +Thus, the FIPS 140-2 CTRNG is added to the DRBG when it obtains the +seed. This patch resurrects the function drbg_fips_continous_test that +existed some time ago and applies it to the noise sources. The patch +that removed the drbg_fips_continous_test was +b3614763059b82c26bdd02ffcb1c016c1132aad0 . + +The Jitter RNG implements its own FIPS 140-2 self test and thus does not +need to be subjected to the test in the DRBG. + +The patch contains a tiny fix to ensure proper zeroization in case of an +error during the Jitter RNG data gathering. + +Signed-off-by: Stephan Mueller +Acked-by: Torsten Duwe +--- + crypto/drbg.c | 84 +++++++++++++++++++++++++++++++++++++++++-- + include/crypto/drbg.h | 2 ++ + 2 files changed, 83 insertions(+), 3 deletions(-) + +diff --git a/crypto/drbg.c b/crypto/drbg.c +index 2a5b16bb000c..8328d7d9b42e 100644 +--- a/crypto/drbg.c ++++ b/crypto/drbg.c +@@ -219,6 +219,57 @@ static inline unsigned short drbg_sec_strength(drbg_flag_t flags) + } + } + ++/* ++ * FIPS 140-2 continuous self test for the noise source ++ * The test is performed on the noise source input data. Thus, the function ++ * implicitly knows the size of the buffer to be equal to the security ++ * strength. ++ * ++ * Note, this function disregards the nonce trailing the entropy data during ++ * initial seeding. ++ * ++ * drbg->drbg_mutex must have been taken. ++ * ++ * @drbg DRBG handle ++ * @entropy buffer of seed data to be checked ++ * ++ * return: ++ * 0 on success ++ * -EAGAIN on when the CTRNG is not yet primed ++ * < 0 on error ++ */ ++static int drbg_fips_continuous_test(struct drbg_state *drbg, ++ const unsigned char *entropy) ++{ ++ if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { ++ unsigned short entropylen = drbg_sec_strength(drbg->core->flags); ++ int ret = 0; ++ ++ /* skip test if we test the overall system */ ++ if (list_empty(&drbg->test_data.list)) ++ return 0; ++ /* only perform test in FIPS mode */ ++ if (!fips_enabled) ++ return 0; ++ ++ if (!drbg->fips_primed) { ++ /* Priming of FIPS test */ ++ memcpy(drbg->prev, entropy, entropylen); ++ drbg->fips_primed = true; ++ /* priming: another round is needed */ ++ return -EAGAIN; ++ } ++ ret = memcmp(drbg->prev, entropy, entropylen); ++ if (!ret) ++ panic("DRBG continuous self test failed\n"); ++ memcpy(drbg->prev, entropy, entropylen); ++ /* the test shall pass when the two values are not equal */ ++ return (ret != 0) ? 0 : -EFAULT; ++ } else { ++ return 0; ++ } ++} ++ + /* + * Convert an integer into a byte representation of this integer. + * The byte representation is big-endian +@@ -1006,16 +1057,23 @@ static void drbg_async_seed(struct work_struct *work) + seed_work); + unsigned int entropylen = drbg_sec_strength(drbg->core->flags); + unsigned char entropy[32]; ++ int ret; + + BUG_ON(!entropylen); + BUG_ON(entropylen > sizeof(entropy)); +- get_random_bytes(entropy, entropylen); + + drbg_string_fill(&data, entropy, entropylen); + list_add_tail(&data.list, &seedlist); + + mutex_lock(&drbg->drbg_mutex); + ++ do { ++ get_random_bytes(entropy, entropylen); ++ ret = drbg_fips_continuous_test(drbg, entropy); ++ if (ret && ret != -EAGAIN) ++ goto unlock; ++ } while (ret); ++ + /* If nonblocking pool is initialized, deactivate Jitter RNG */ + crypto_free_rng(drbg->jent); + drbg->jent = NULL; +@@ -1030,6 +1088,7 @@ static void drbg_async_seed(struct work_struct *work) + if (drbg->seeded) + drbg->reseed_threshold = drbg_max_requests(drbg); + ++unlock: + mutex_unlock(&drbg->drbg_mutex); + + memzero_explicit(entropy, entropylen); +@@ -1081,7 +1140,12 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, + BUG_ON((entropylen * 2) > sizeof(entropy)); + + /* Get seed from in-kernel /dev/urandom */ +- get_random_bytes(entropy, entropylen); ++ do { ++ get_random_bytes(entropy, entropylen); ++ ret = drbg_fips_continuous_test(drbg, entropy); ++ if (ret && ret != -EAGAIN) ++ goto out; ++ } while (ret); + + if (!drbg->jent) { + drbg_string_fill(&data1, entropy, entropylen); +@@ -1094,7 +1158,7 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, + entropylen); + if (ret) { + pr_devel("DRBG: jent failed with %d\n", ret); +- return ret; ++ goto out; + } + + drbg_string_fill(&data1, entropy, entropylen * 2); +@@ -1121,6 +1185,7 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, + + ret = __drbg_seed(drbg, &seedlist, reseed); + ++out: + memzero_explicit(entropy, entropylen * 2); + + return ret; +@@ -1142,6 +1207,11 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) + drbg->reseed_ctr = 0; + drbg->d_ops = NULL; + drbg->core = NULL; ++ if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { ++ kzfree(drbg->prev); ++ drbg->prev = NULL; ++ drbg->fips_primed = false; ++ } + } + + /* +@@ -1211,6 +1281,14 @@ static inline int drbg_alloc_state(struct drbg_state *drbg) + drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); + } + ++ if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { ++ drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), ++ GFP_KERNEL); ++ if (!drbg->prev) ++ goto fini; ++ drbg->fips_primed = false; ++ } ++ + return 0; + + fini: +diff --git a/include/crypto/drbg.h b/include/crypto/drbg.h +index 3fb581bf3b87..8c9af21efce1 100644 +--- a/include/crypto/drbg.h ++++ b/include/crypto/drbg.h +@@ -129,6 +129,8 @@ struct drbg_state { + + bool seeded; /* DRBG fully seeded? */ + bool pr; /* Prediction resistance enabled? */ ++ bool fips_primed; /* Continuous test primed? */ ++ unsigned char *prev; /* FIPS 140-2 continuous test value */ + struct work_struct seed_work; /* asynchronous seeding support */ + struct crypto_rng *jent; + const struct drbg_state_ops *d_ops; +-- +2.21.0 + diff --git a/patches.suse/xhci-Increase-STS_HALT-timeout-in-xhci_suspend.patch b/patches.suse/xhci-Increase-STS_HALT-timeout-in-xhci_suspend.patch new file mode 100644 index 0000000..f51b44c --- /dev/null +++ b/patches.suse/xhci-Increase-STS_HALT-timeout-in-xhci_suspend.patch @@ -0,0 +1,48 @@ +From 7c67cf6658cec70d8a43229f2ce74ca1443dc95e Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 11 Dec 2019 16:20:05 +0200 +Subject: [PATCH] xhci: Increase STS_HALT timeout in xhci_suspend() +Git-commit: 7c67cf6658cec70d8a43229f2ce74ca1443dc95e +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +I've recently observed failed xHCI suspend attempt on AMD Raven Ridge +System: +Kernel: xhci_hcd 0000:04:00.4: WARN: xHC CMD_RUN timeout +Kernel: PM: suspend_common(): xhci_pci_suspend+0x0/0xd0 returns -110 +Kernel: PM: pci_pm_suspend(): hcd_pci_suspend+0x0/0x30 returns -110 +Kernel: PM: dpm_run_callback(): pci_pm_suspend+0x0/0x150 returns -110 +Kernel: PM: Device 0000:04:00.4 failed to suspend async: error -110 + +Similar to commit ac343366846a ("xhci: Increase STS_SAVE timeout in +xhci_suspend()") we also need to increase the HALT timeout to make it be +able to suspend again. + +Cc: # 5.2+ +Fixes: f7fac17ca925 ("xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()") +Signed-off-by: Kai-Heng Feng +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191211142007.8847-5-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index c5ee562c4c74..dbac0fa9748d 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -970,7 +970,7 @@ static bool xhci_pending_portevent(struct xhci_hcd *xhci) + int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup) + { + int rc = 0; +- unsigned int delay = XHCI_MAX_HALT_USEC; ++ unsigned int delay = XHCI_MAX_HALT_USEC * 2; + struct usb_hcd *hcd = xhci_to_hcd(xhci); + u32 command; + u32 res; +-- +2.16.4 + diff --git a/patches.suse/xhci-handle-some-XHCI_TRUST_TX_LENGTH-quirks-cases-a.patch b/patches.suse/xhci-handle-some-XHCI_TRUST_TX_LENGTH-quirks-cases-a.patch new file mode 100644 index 0000000..ab1dcc0 --- /dev/null +++ b/patches.suse/xhci-handle-some-XHCI_TRUST_TX_LENGTH-quirks-cases-a.patch @@ -0,0 +1,57 @@ +From 7ff11162808cc2ec66353fc012c58bb449c892c3 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 11 Dec 2019 16:20:06 +0200 +Subject: [PATCH] xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour. +Git-commit: 7ff11162808cc2ec66353fc012c58bb449c892c3 +Patch-mainline: v5.5-rc2 +References: bsc#1051510 + +xhci driver claims it needs XHCI_TRUST_TX_LENGTH quirk for both +Broadcom/Cavium and a Renesas xHC controllers. + +The quirk was inteded for handling false "success" complete event for +transfers that had data left untransferred. +These transfers should complete with "short packet" events instead. + +In these two new cases the false "success" completion is reported +after a "short packet" if the TD consists of several TRBs. +xHCI specs 4.10.1.1.2 say remaining TRBs should report "short packet" +as well after the first short packet in a TD, but this issue seems so +common it doesn't make sense to add the quirk for all vendors. + +Turn these events into short packets automatically instead. + +This gets rid of the "The WARN Successful completion on short TX for +slot 1 ep 1: needs XHCI_TRUST_TX_LENGTH quirk" warning in many cases. + +Cc: +Reported-by: Eli Billauer +Reported-by: Ard Biesheuvel +Tested-by: Eli Billauer +Tested-by: Ard Biesheuvel +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191211142007.8847-6-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/usb/host/xhci-ring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 9ebaa8e132a9..d23f7408c81f 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2381,7 +2381,8 @@ static int handle_tx_event(struct xhci_hcd *xhci, + case COMP_SUCCESS: + if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) + break; +- if (xhci->quirks & XHCI_TRUST_TX_LENGTH) ++ if (xhci->quirks & XHCI_TRUST_TX_LENGTH || ++ ep_ring->last_td_was_short) + trb_comp_code = COMP_SHORT_PACKET; + else + xhci_warn_ratelimited(xhci, +-- +2.16.4 + diff --git a/rpm/kernel-subpackage-spec b/rpm/kernel-subpackage-spec index 0bab366..3f2bea6 100644 --- a/rpm/kernel-subpackage-spec +++ b/rpm/kernel-subpackage-spec @@ -16,6 +16,10 @@ %define kernel_requires_preun %(rpm -q --queryformat '[%%{REQUIREFLAGS:deptype},%%{REQUIRENEVRS}\\n]' %kernel_package_name | grep -vE 'rpmlib,|interp,' | grep -E 'preun,' | sed -e 's/.*,//' | tr '\\n' ' ') %define kernel_requires_post %(rpm -q --queryformat '[%%{REQUIREFLAGS:deptype},%%{REQUIRENEVRS}\\n]' %kernel_package_name | grep -vE 'rpmlib,|interp,' | grep -E 'post,' | sed -e 's/.*,//' | tr '\\n' ' ') %define kernel_requires_postun %(rpm -q --queryformat '[%%{REQUIREFLAGS:deptype},%%{REQUIRENEVRS}\\n]' %kernel_package_name | grep -vE 'rpmlib,|interp,' | grep -E 'postun,' | sed -e 's/.*,//' | tr '\\n' ' ') +%define kernel_base_provides %(rpm -q --queryformat '[%%{PROVIDENEVRS}\\n]' %kernel_package_name | sed -E 's/^%kernel_package_name(-srchash| =)/%name\\1/g' | grep -vE '^(ksym|kmod|firmware)[(]' | tr '\\n' ' )') +%define kernel_base_obsoletes %(rpm -q --queryformat '[%%{OBSOLETENEVRS}\\n]' %kernel_package_name | sed -E 's/^%kernel_package_name(-srchash| =)/%name\\1/g' | grep -vE '^(ksym|kmod|firmware)[(]' | tr '\\n' ' )') +%define kernel_base_conflicts %(rpm -q --queryformat '[%%{CONFLICTNEVRS}\\n]' %kernel_package_name | grep -vE '^(ksym|kmod|firmware)[(]' | tr '\\n' ' )') +%define kernel_base_recommends %(rpm -q --queryformat '[%%{RECOMMENDNEVRS}\\n]' %kernel_package_name | grep -v '^kernel-firmware' | grep -vE '^(ksym|kmod|firmware)[(]' | tr '\\n' ' )') %if ! %(expr 1 - 1) %if "%{kernel_requires}" != "" @@ -34,10 +38,18 @@ Requires(post): %kernel_requires_post Requires(postun):%kernel_requires_postun %endif %endif -Provides: %(rpm -q --queryformat '[%%{PROVIDENEVRS}\n]' %kernel_package_name | sed -E 's/^%kernel_package_name(-srchash| =)/%name\1/g' | grep -vE '^(ksym|kmod|firmware)[(]' | tr '\n' ' )') -Obsoletes: %(rpm -q --queryformat '[%%{OBSOLETENEVRS}\n]' %kernel_package_name | sed -E 's/^%kernel_package_name(-srchash| =)/%name\1/g' | grep -vE '^(ksym|kmod|firmware)[(]' | tr '\n' ' )') -Conflicts: %(rpm -q --queryformat '[%%{CONFLICTNEVRS}\n]' %kernel_package_name | grep -vE '^(ksym|kmod|firmware)[(]' | tr '\n' ' )') -Recommends: %(rpm -q --queryformat '[%%{RECOMMENDNEVRS}\n]' %kernel_package_name | grep -vE '^(ksym|kmod|firmware)[(]' | tr '\n' ' )') +%if "%{kernel_base_provides}" != "" +Provides: %{kernel_base_provides} +%endif +%if "%{kernel_base_obsoletes}" != "" +Obsoletes: %{kernel_base_obsoletes} +%endif +%if "%{kernel_base_conflicts}" != "" +Conflicts: %{kernel_base_conflicts} +%endif +%if "%{kernel_base_recommends}" != "" +Recommends: %{kernel_base_recommends} +%endif # This is in place of obsolete_rebuilds. This should give Conflicts: %%kernel_package_name = %%source_rel as old kernel-default-base did. Conflicts: %(rpm -q --queryformat '[%%{PROVIDENEVRS}\n]' %kernel_package_name | grep '^%kernel_package_name =' | sort -V | head -n 1) diff --git a/rpm/modules.fips b/rpm/modules.fips index 82719fd..55c2d37 100644 --- a/rpm/modules.fips +++ b/rpm/modules.fips @@ -1,8 +1,10 @@ ablk_helper aes_s390 +aes_ti +aes_x86_64 +aesni-intel af_alg algif_hash -ansi_cprng anubis arc4 authenc @@ -22,16 +24,20 @@ crypto_user ctr cts deflate +des3_ede-x86_64 des_generic des_s390 drbg ecb +ecdh_generic fcrypt gcm gf128mul +ghash-clmulni-intel ghash_generic ghash_s390 glue_helper +keywrap khazad lrw md4 @@ -46,9 +52,14 @@ salsa20_x86_64 seed serpent_generic serpent_sse2_x86_64 +sha1-mb sha1_s390 +sha1_ssse3 +sha256-mb sha256_s390 +sha256_ssse3 sha3_generic +sha512-mb sha512_generic sha512_s390 sha512_ssse3 diff --git a/series.conf b/series.conf index 0cc834c..6ad6484 100644 --- a/series.conf +++ b/series.conf @@ -11668,6 +11668,7 @@ patches.suse/bonding-discard-lowest-hash-bit-for-802.3ad-layer3-4.patch patches.suse/0001-net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch patches.suse/0001-net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch + patches.suse/bonding-fix-slave-stuck-in-BOND_LINK_FAIL-state.patch patches.suse/qmi_wwan-Add-missing-skb_reset_mac_header-call.patch patches.suse/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch patches.suse/Revert-net_sched-hold-netns-refcnt-for-each-action.patch @@ -20863,7 +20864,6 @@ patches.suse/selftests-bpf-Adding-config-fragment-CONFIG_CGROUP_B.patch patches.suse/bpf-tracing-allow-user-space-to-query-prog-array-on-.patch patches.suse/bpf-tracing-add-a-bpf-test-for-new-ioctl-query-inter.patch - patches.suse/samples-bpf-add-a-test-for-bpf_override_return.patch patches.suse/bpf-tracing-fix-kernel-events-core.c-compilation-err.patch patches.suse/libbpf-add-ability-to-guess-program-type-based-on-se.patch patches.suse/libbpf-prefer-global-symbols-as-bpf-program-name-sou.patch @@ -37259,7 +37259,9 @@ patches.suse/crypto-vmac-separate-tfm-and-request-context patches.suse/crypto-virtio-read-crypto-services-and-algorithm-masks patches.suse/crypto-virtio-register-an-algo-only-if-it-s-supported + patches.suse/crypto-ecdh-add-public-key-verification-test.patch patches.suse/crypto-skcipher-Fix-Wstringop-truncation-warnings.patch + patches.suse/crypto-dh-add-public-key-verification-test.patch patches.suse/crypto-x86-sha256-mb-fix-digest-copy-in-sha256_mb_mg patches.suse/crypto-ccp-Fix-command-completion-detection-race patches.suse/crypto-ccp-add-psp-enabled-message-when-initialization-succeeds.patch @@ -37267,6 +37269,9 @@ patches.suse/crypto-ccp-support-register-differences-between-psp-devices.patch patches.suse/crypto-ccp-add-support-for-new-ccp-psp-device-id.patch patches.suse/crypto-chtls-use-64-bit-arithmetic-instead-of-32-bit.patch + patches.suse/crypto-dh-fix-memory-leak.patch + patches.suse/crypto-dh-update-test-for-public-key-verification.patch + patches.suse/crypto-ecdh-fix-typo-of-P-192-b-value.patch patches.suse/crypto-sharah-Unregister-correct-algorithms-for-SAHA.patch patches.suse/0001-crypto-qat-adf_aer-Replace-GFP_ATOMIC-with-GFP_KERNE.patch patches.suse/crypto-skcipher-fix-aligning-block-size-in-skcipher_ @@ -37275,6 +37280,7 @@ patches.suse/crypto-blkcipher-fix-crash-flushing-dcache-in-error- patches.suse/crypto-ablkcipher-fix-crash-flushing-dcache-in-error.patch patches.suse/crypto-ccp-Check-for-NULL-PSP-pointer-at-module-unlo + patches.suse/crypto-dh-fix-calculating-encoded-key-size.patch patches.suse/7425-drm-i915-shrink-search-list-for-active-timelines patches.suse/7426-drm-i915-dp-fix-spelling-mistakes-seqeuncer-and-seqeuencer patches.suse/7427-drm-i915-remove-tasklet-flush-before-disable @@ -42635,6 +42641,7 @@ patches.suse/usbip-vudc-BUG-kmalloc-2048-Not-tainted-Poison-overw.patch patches.suse/kernfs-update-comment-about-kernfs_path-return-value.patch patches.suse/component-fix-loop-condition-to-call-unbind-if-bind-.patch + patches.suse/kernfs-Fix-range-checks-in-kernfs_get_target_path.patch patches.suse/msft-hv-1756-vmbus-add-driver_override-support.patch patches.suse/msft-hv-1757-uio_hv_generic-increase-size-of-receive-and-send-buf.patch patches.suse/msft-hv-1758-uio_hv_generic-drop-ifdef-DEBUG.patch @@ -44336,7 +44343,9 @@ patches.suse/jffs2-Fix-use-of-uninitialized-delayed_work-lockdep-.patch patches.suse/0039-mtd-spi-nor-add-entry-for-mt35xu512aba-flash.patch patches.suse/media-mtk-vcodec-Release-device-nodes-in-mtk_vcodec_.patch + patches.suse/media-pulse8-cec-return-0-when-invalidating-the-logi.patch patches.suse/media-vb2-vb2_mmap-move-lock-up.patch + patches.suse/media-cec-report-Vendor-ID-after-initialization.patch patches.suse/media-vivid-fix-error-handling-of-kthread_run.patch patches.suse/media-vivid-set-min-width-height-to-a-value-0.patch patches.suse/media-adv-tc358743-ths8200-fill-in-min-width-height-.patch @@ -44345,6 +44354,7 @@ patches.suse/media-vb2-be-sure-to-unlock-mutex-on-errors.patch patches.suse/media-DaVinci-VPBE-fix-error-handling-in-vpbe_initia.patch patches.suse/media-firewire-Fix-app_info-parameter-type-in-avc_ca.patch + patches.suse/media-stkwebcam-Bugfix-for-wrong-return-values.patch patches.suse/ALSA-usb-audio-Define-registers-for-CM6206.patch patches.suse/ALSA-hda-ca0132-Optimize-for-non-PCI-configuration.patch patches.suse/ALSA-oxfw-add-support-for-APOGEE-duet-FireWire.patch @@ -44722,8 +44732,10 @@ patches.suse/ath9k-dynack-use-authentication-messages-for-late-ac.patch patches.suse/ath9k-dynack-check-da-enabled-first-in-sampling-rout.patch patches.suse/ath9k-dynack-make-ewma-estimation-faster.patch + patches.suse/iwlwifi-mvm-synchronize-TID-queue-removal.patch patches.suse/iwlwifi-fw-do-not-set-sgi-bits-for-HE-connection.patch patches.suse/iwlwifi-pcie-don-t-reset-TXQ-write-pointer.patch + patches.suse/iwlwifi-mvm-Send-non-offchannel-traffic-via-AP-sta.patch patches.suse/iwlwifi-add-new-cards-for-9560-9462-9461-and-killer-.patch patches.suse/0001-iwlwifi-fw-use-helper-to-determine-whether-to-dump-p.patch patches.suse/iwlwifi-fix-cfg-structs-for-22000-with-different-RF-.patch @@ -44820,6 +44832,7 @@ patches.suse/bnxt_en-Adjust-default-RX-coalescing-ticks-to-10-us.patch patches.suse/igb-reduce-CPU0-latency-when-updating-statistics.patch patches.suse/igb-Change-RXPBSIZE-size-when-setting-Qav-mode.patch + patches.suse/e100-Fix-passing-zero-to-PTR_ERR-warning-in-e100_loa.patch patches.suse/i40e-define-proper-net_device-neigh_priv_len.patch patches.suse/ice-Do-not-enable-NAPI-on-q_vectors-that-have-no-rin.patch patches.suse/igb-Fix-an-issue-that-PME-is-not-enabled-during-runt.patch @@ -44875,6 +44888,7 @@ patches.suse/crypto-mxc-scc-fix-build-warnings-on-ARM64.patch patches.suse/gfs2-Get-rid-of-potential-double-freeing-in-gfs2_cre.patch patches.suse/gfs2-Fix-loop-in-gfs2_rbm_find.patch + patches.suse/0001-btrfs-harden-agaist-duplicate-fsid-on-scanned-device.patch patches.suse/0001-Btrfs-fix-fsync-of-files-with-multiple-hard-links-in.patch patches.suse/btrfs-fix-error-handling-in-btrfs_cleanup_ordered_extents.patch patches.suse/0003-btrfs-add-cleanup_ref_head_accounting-helper.patch @@ -44892,6 +44906,7 @@ patches.suse/ext4-missing-unlock-put_page-in-ext4_try_to_write_in.patch patches.suse/ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch patches.suse/ext4-include-terminating-u32-in-size-of-xattr-entrie.patch + patches.suse/ext4-avoid-declaring-fs-inconsistent-due-to-invalid-.patch patches.suse/ext4-force-inode-writes-when-nfsd-calls-commit_metad.patch patches.suse/ext4-check-for-shutdown-and-r-o-file-system-in-ext4_.patch patches.suse/dasd-remove-dead-code.patch @@ -45219,10 +45234,13 @@ patches.suse/0001-usb-typec-tcpm-charge-current-handling-for-sink-duri.patch patches.suse/usb-hub-delay-hub-autosuspend-if-USB3-port-is-still-.patch patches.suse/phy-sun4i-usb-add-support-for-missing-USB-PHY-index.patch + patches.suse/usb-dwc3-debugfs-Properly-print-set-link-state-for-H.patch + patches.suse/usb-dwc3-don-t-log-probe-deferrals-but-do-log-other-.patch patches.suse/usb-dwc3-Correct-the-logic-for-checking-TRB-full-in-.patch patches.suse/usb-mtu3-fix-the-issue-about-SetFeature-U1-U2_Enable.patch patches.suse/usb-dwc2-host-use-hrtimer-for-nak-retries.patch patches.suse/0001-usb-dwc3-trace-add-missing-break-statement-to-make-c.patch + patches.suse/usb-mtu3-fix-dbginfo-in-qmu_tx_zlp_error_handler.patch patches.suse/usb-dwc3-gadget-Disable-CSP-for-stream-OUT-ep.patch patches.suse/usb-musb-dsps-fix-otg-state-machine.patch patches.suse/0001-usb-musb-dsps-fix-runtime-pm-for-peripheral-mode.patch @@ -45460,6 +45478,7 @@ patches.suse/ext4-fix-a-potential-fiemap-page-fault-deadlock-w-in.patch patches.suse/ext4-avoid-kernel-warning-when-writing-the-superbloc.patch patches.suse/ext4-track-writeback-errors-using-the-generic-tracki.patch + patches.suse/ext4-fix-special-inode-number-checks-in-__ext4_iget.patch patches.suse/fork-record-start_time-late.patch patches.suse/0002-fork-memcg-fix-cached_stacks-case.patch patches.suse/slab-alien-caches-must-not-be-initialized-if-the-allocation-of-the-alien-cache-failed.patch @@ -48042,6 +48061,7 @@ patches.suse/audit-fix-a-memory-leak-bug.patch patches.suse/ext4-make-sanity-check-in-mballoc-more-strict.patch patches.suse/jbd2-check-superblock-mapped-prior-to-committing.patch + patches.suse/ext4-protect-journal-inode-s-blocks-using-block_vali.patch patches.suse/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch patches.suse/ext4-actually-request-zeroing-of-inode-table-after-g.patch patches.suse/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch @@ -48963,6 +48983,8 @@ patches.suse/cifs-add-support-for-SEEK_DATA-and-SEEK_HOLE.patch patches.suse/ext4-zero-out-the-unused-memory-region-in-the-extent.patch patches.suse/ext4-fix-data-corruption-caused-by-overlapping-unali.patch + patches.suse/ext4-unsigned-int-compared-against-zero.patch + patches.suse/ext4-fix-block-validity-checks-for-journal-inodes-us.patch patches.suse/ext4-avoid-panic-during-forced-reboot-due-to-aborted.patch patches.suse/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-.patch patches.suse/net-mlx4_core-Change-the-error-print-to-info-print.patch @@ -48985,6 +49007,7 @@ patches.suse/btrfs-don-t-double-unlock-on-error-in-btrfs_punch_ho.patch patches.suse/Btrfs-do-not-abort-transaction-at-btrfs_update_root-.patch patches.suse/0001-btrfs-extent-tree-Fix-a-bug-that-btrfs-is-unable-to-.patch + patches.suse/Btrfs-avoid-fallback-to-transaction-commit-during-fs.patch patches.suse/btrfs-fix-race-between-ranged-fsync-and-writeback-of.patch patches.suse/btrfs-tree-checker-detect-file-extent-items-with-ove.patch patches.suse/crypto-vmx-CTR-always-increment-IV-as-quadword.patch @@ -49021,6 +49044,7 @@ patches.suse/scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch patches.suse/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-RR.patch patches.suse/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-operation + patches.suse/ext4-don-t-perform-block-validity-checks-on-the-jour.patch patches.suse/ext4-wait-for-outstanding-dio-during-truncate-in-noj.patch patches.suse/ext4-do-not-delete-unlinked-inode-from-orphan-list-o.patch patches.suse/KVM-s390-fix-typo-in-parameter-description.patch @@ -49710,6 +49734,7 @@ patches.suse/0001-iwlwifi-pcie-don-t-service-an-interrupt-that-was-mas.patch patches.suse/iwlwifi-don-t-WARN-when-calling-iwl_get_shared_mem_c.patch patches.suse/ath10k-add-missing-error-handling.patch + patches.suse/ath10k-fix-fw-crash-by-moving-chip-reset-after-napi-.patch patches.suse/ath10k-Change-the-warning-message-string.patch patches.suse/ath10k-fix-PCIE-device-wake-up-failed.patch patches.suse/ath9k-correctly-handle-short-radar-pulses.patch @@ -50440,6 +50465,7 @@ patches.suse/gpiolib-never-report-open-drain-source-lines-as-inpu.patch patches.suse/gpio-Fix-build-error-of-function-redefinition.patch patches.suse/mm-page_owner-handle-thp-splits-correctly.patch + patches.suse/genirq-Properly-pair-kobject_del-with-kobject_add.patch patches.suse/x86-cpu-amd-clear-rdrand-cpuid-bit-on-amd-family-15h-16h.patch patches.suse/ubifs-Correctly-initialize-c-min_log_bytes.patch patches.suse/ubifs-Limit-the-number-of-pages-in-shrink_liability.patch @@ -50516,11 +50542,13 @@ patches.suse/drm-vmwgfx-Fix-double-free-in-vmw_recv_msg.patch patches.suse/iommu-amd-flush-old-domains-in-kdump-kernel patches.suse/iommu-amd-fix-race-in-increase_address_space + patches.suse/configfs_register_group-shouldn-t-be-and-isn-t-calle.patch patches.suse/Input-elan_i2c-remove-Lenovo-Legion-Y7000-PnpID.patch patches.suse/scsi-lpfc-Raise-config-max-for-lpfc_fcp_mq_threshold.patch patches.suse/gpio-fix-line-flag-validation-in-linehandle_create.patch patches.suse/gpio-fix-line-flag-validation-in-lineevent_create.patch patches.suse/gpiolib-acpi-Add-gpiolib_acpi_run_edge_events_on_boo.patch + patches.suse/genirq-Prevent-NULL-pointer-dereference-in-resend_ir.patch patches.suse/vhost-make-sure-log_num-in_num.patch patches.suse/Btrfs-fix-assertion-failure-during-fsync-and-use-of-.patch patches.suse/0001-drm-i915-Restore-relaxed-padding-OCL_OOB_SUPPRES_ENA.patch @@ -50549,6 +50577,7 @@ patches.suse/sctp-Fix-the-link-time-qualifier-of-sctp_ctrlsock_ex.patch patches.suse/ixgbevf-Fix-secpath-usage-for-IPsec-Tx-offload.patch patches.suse/cdc_ether-fix-rndis-support-for-Mediatek-based-smart.patch + patches.suse/kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl patches.suse/tpm_tis_core-Set-TPM_CHIP_FLAG_IRQ-before-probing-fo.patch patches.suse/edac-amd64-decode-syndrome-before-translating-address.patch patches.suse/hwmon-lm75-Fix-write-operations-for-negative-tempera.patch @@ -50684,6 +50713,7 @@ patches.suse/powerpc-xive-Implement-get_irqchip_state-method-for-.patch patches.suse/KVM-PPC-Book3S-HV-Check-for-MMU-ready-on-piggybacked.patch patches.suse/KVM-PPC-Book3S-HV-Don-t-lose-pending-doorbell-reques.patch + patches.suse/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op patches.suse/0001-usbip-Implement-SG-support-to-vhci-hcd-and-stub-driv.patch patches.suse/USB-usbcore-Fix-slab-out-of-bounds-bug-during-device.patch patches.suse/tty-serial-fsl_lpuart-Use-appropriate-lpuart32_-I-O-.patch @@ -51204,6 +51234,7 @@ patches.suse/x86-boot-64-Make-level2_kernel_pgt-pages-invalid-out.patch patches.suse/x86-boot-64-Round-memory-hole-size-up-to-next-PMD-pa.patch patches.suse/pinctrl-cherryview-restore-Strago-DMI-workaround-for.patch + patches.suse/btrfs-add-missing-extents-release-on-file-extent-clu.patch patches.suse/0001-btrfs-block-group-Fix-a-memory-leak-due-to-missing-b.patch patches.suse/0001-btrfs-qgroup-Always-free-PREALLOC-META-reserve-in-bt.patch patches.suse/0001-btrfs-tracepoints-Fix-wrong-parameter-order-for-qgro.patch @@ -51243,8 +51274,10 @@ patches.suse/ALSA-bebob-Fix-prototype-of-helper-function-to-retur.patch patches.suse/Revert-ALSA-hda-Flush-interrupts-on-disabling.patch patches.suse/ALSA-timer-Fix-mutex-deadlock-at-releasing-card.patch + patches.suse/RDMA-hns-Prevent-memory-leaks-of-eq-buf_list.patch patches.suse/drm-amdgpu-powerplay-vega10-allow-undervolting-in-p7.patch patches.suse/KVM-vmx-svm-always-run-with-EFER.NXE-1-when-shadow-p.patch + patches.suse/net-mlx5-prevent-memory-leak-in-mlx5_fpga_conn_creat.patch patches.suse/r8152-add-device-id-for-Lenovo-ThinkPad-USB-C-Dock-G.patch patches.suse/net-openvswitch-free-vport-unless-register_netdevice.patch patches.suse/net-smc-fix-closing-of-fallback-smc-sockets @@ -51326,12 +51359,21 @@ patches.suse/can-rx-offload-can_rx_offload_irq_offload_timestamp-.patch patches.suse/can-rx-offload-can_rx_offload_irq_offload_fifo-conti.patch patches.suse/powerpc-bpf-Fix-tail-call-implementation.patch + patches.suse/bonding-fix-state-transition-issue-in-link-monitorin.patch + patches.suse/NFC-fdp-fix-incorrect-free-object.patch patches.suse/net-smc-fix-ethernet-interface-refcounting patches.suse/net-mlx5e-Fix-eswitch-debug-print-of-max-fdb-flow.patch + patches.suse/NFC-st21nfca-fix-double-free.patch patches.suse/nfc-netlink-fix-double-device-reference-drop.patch + patches.suse/CDC-NCM-handle-incomplete-transfer-of-MTU.patch + patches.suse/net-usb-qmi_wwan-add-support-for-DW5821e-with-eSIM-s.patch patches.suse/net-hns-Fix-the-stray-netpoll-locks-causing-deadlock.patch + patches.suse/ipv4-Fix-table-id-reference-in-fib_sync_down_addr.patch + patches.suse/net-ethernet-octeon_mgmt-Account-for-second-possible.patch patches.suse/mac80211-fix-station-inactive_time-shortly-after-boo.patch patches.suse/vsock-virtio-fix-sock-refcnt-holding-during-the-shut.patch + patches.suse/net-fix-data-race-in-neigh_event_send.patch + patches.suse/qede-fix-NULL-pointer-deref-in-__qede_remove.patch patches.suse/ice-fix-potential-infinite-loop-because-loop-counter.patch patches.suse/watchdog-meson-Fix-the-wrong-value-of-left-time.patch patches.suse/pinctrl-cherryview-Allocate-IRQ-chip-dynamic.patch @@ -51376,6 +51418,8 @@ patches.suse/Input-synaptics-rmi4-disable-the-relative-position-I.patch patches.suse/Input-synaptics-rmi4-do-not-consume-more-data-than-w.patch patches.suse/Input-synaptics-rmi4-clear-IRQ-enables-for-F54.patch + patches.suse/Input-cyttsp4_core-fix-use-after-free-bug.patch + patches.suse/RDMA-hns-Correct-the-value-of-srq_desc_size.patch patches.suse/ecryptfs_lookup_interpose-lower_dentry-d_inode-is-no.patch patches.suse/ecryptfs_lookup_interpose-lower_dentry-d_parent-is-n.patch patches.suse/drm-i915-gvt-fix-dropping-obj-reference-twice.patch @@ -51390,7 +51434,9 @@ patches.suse/NFC-nxp-nci-Fix-NULL-pointer-dereference-after-I2C-c.patch patches.suse/net-smc-fix-refcount-non-blocking-connect-part-2 patches.suse/slip-Fix-memory-leak-in-slip_open-error-path.patch + patches.suse/net-cdc_ncm-Signedness-bug-in-cdc_ncm_set_dgram_size.patch patches.suse/slcan-Fix-memory-leak-in-error-path.patch + patches.suse/net-hns3-fix-ETS-bandwidth-validation-bug.patch patches.suse/ax88172a-fix-information-leak-on-short-answers.patch patches.suse/net-smc-fix-fastopen-for-non-blocking-connect patches.suse/x86-resctrl-fix-potential-lockdep-warning.patch @@ -51398,8 +51444,13 @@ patches.suse/gpiolib-acpi-Add-Terra-Pad-1061-to-the-run_edge_even.patch patches.suse/0001-drm-amd-powerplay-issue-no-PPSMC_MSG_GetCurrPkgPwr-o.patch patches.suse/0002-drm-i915-pmu-Frequency-is-reported-as-accumulated-cy.patch + patches.suse/bpf-offload-Unlock-on-error-in-bpf_offload_dev_creat.patch + patches.suse/mlxsw-spectrum_router-Fix-determining-underlay-for-a.patch + patches.suse/net-sched-ensure-opts_len-IP_TUNNEL_OPTS_MAX-in-act_.patch + patches.suse/net-mlx4_en-Fix-wrong-limitation-for-number-of-TX-ri.patch patches.suse/s390-qeth-return-proper-errno-on-io-error patches.suse/net-ibmvnic-Ignore-H_FUNCTION-return-from-H_EOI-to-t.patch + patches.suse/net-mlx5-Update-the-list-of-the-PCI-supported-device-b7eca940.patch patches.suse/0001-nfc-port100-handle-command-failure-cleanly.patch patches.suse/0001-virtio_ring-fix-return-code-on-DMA-mapping-fails.patch patches.suse/virtio_console-allocate-inbufs-in-add_port-only-if-i.patch @@ -51408,6 +51459,9 @@ patches.suse/nbd-prevent-memory-leak.patch patches.suse/mtd-spear_smi-Fix-Write-Burst-mode.patch patches.suse/mtd-spi-nor-fix-silent-truncation-in-spi_nor_read.patch + patches.suse/btrfs-simplify-inode-locking-for-RWF_NOWAIT.patch + patches.suse/0001-btrfs-volumes-Use-more-straightforward-way-to-calcul.patch + patches.suse/0002-btrfs-Ensure-we-trim-ranges-across-block-group-bound.patch patches.suse/s390-mm-properly-clear-page_noexec-bit-when-it-is-not-supported patches.suse/kvm-svm-serialize-access-to-the-sev-asid-bitmap.patch patches.suse/kvm-svm-guard-against-deactivate-when-performing-wbinvd-df_flush.patch @@ -51424,10 +51478,12 @@ patches.suse/livepatch-allow-to-distinguish-different-version-of-system-state-changes.patch patches.suse/livepatch-selftests-of-the-api-for-tracking-system-state-changes.patch patches.suse/hwrng-omap3-rom-Call-clk_disable_unprepare-on-exit-o.patch + patches.suse/crypto-ccp-release-all-allocated-memory-if-sha-type-is-invalid.patch patches.suse/crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch patches.suse/crypto-user-fix-memory-leak-in-crypto_report.patch patches.suse/crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fall.patch patches.suse/hwrng-omap-Fix-RNG-wait-loop-timeout.patch + patches.suse/crypto-ccp-fix-uninitialized-list-head.patch patches.suse/crypto-ecdh-fix-big-endian-bug-in-ECC-library.patch patches.suse/crypto-crypto4xx-fix-double-free-in-crypto4xx_destro.patch patches.suse/crypto-tgr192-remove-unneeded-semicolon.patch @@ -51447,10 +51503,13 @@ patches.suse/cw1200-Fix-a-signedness-bug-in-cw1200_load_firmware.patch patches.suse/ath10k-fix-memory-leak.patch patches.suse/ath9k_hw-fix-uninitialized-variable-data.patch + patches.suse/ar5523-check-NULL-before-memcpy-in-ar5523_cmd.patch patches.suse/mwifiex-pcie-Fix-memory-leak-in-mwifiex_pcie_alloc_c.patch patches.suse/mwifiex-pcie-Fix-memory-leak-in-mwifiex_pcie_init_ev.patch patches.suse/rtlwifi-Remove-unnecessary-NULL-check-in-rtl_regd_in.patch patches.suse/0001-Bluetooth-Fix-invalid-free-in-bcsp_close.patch + patches.suse/ibmveth-Detect-unsupported-packets-before-sending-to.patch + patches.suse/net-mlx5-Accumulate-levels-for-chains-prio-namespace.patch patches.suse/tun-fix-data-race-in-gro_normal_list.patch patches.suse/ath10k-Correct-error-handling-of-dma_map_single.patch patches.suse/net-ath10k-Fix-a-NULL-ptr-deref-bug.patch @@ -51458,7 +51517,9 @@ patches.suse/rtlwifi-rtl8192de-Fix-missing-code-to-retrieve-RX-bu.patch patches.suse/rtlwifi-rtl8192de-Fix-missing-callback-that-tests-fo.patch patches.suse/rtlwifi-rtl8192de-Fix-missing-enable-interrupt-flag.patch + patches.suse/bpf-skmsg-fix-potential-psock-NULL-pointer-dereferen.patch patches.suse/mac80211-consider-QoS-Null-frames-for-STA_NULLFUNC_A.patch + patches.suse/ice-fix-stack-leakage.patch patches.suse/iwlwifi-check-kasprintf-return-value.patch patches.suse/Bluetooth-btusb-fix-PM-leak-in-error-case-of-setup.patch patches.suse/Bluetooth-delete-a-stray-unlock.patch @@ -51491,10 +51552,12 @@ patches.suse/ALSA-usb-audio-Fix-NULL-dereference-at-parsing-BADD.patch patches.suse/ALSA-cs4236-fix-error-return-comparison-of-an-unsign.patch patches.suse/ALSA-hda-hdmi-Clear-codec-relaxed_resume-flag-at-unb.patch + patches.suse/ASoC-Jack-Fix-NULL-pointer-dereference-in-snd_soc_ja.patch patches.suse/ALSA-hda-realtek-Enable-internal-speaker-of-ASUS-UX4.patch patches.suse/ALSA-usb-audio-Fix-Focusrite-Scarlett-6i6-gen1-input.patch patches.suse/media-vivid-Set-vid_cap_streaming-and-vid_out_stream.patch patches.suse/media-vim2m-Fix-abort-issue.patch + patches.suse/media-cec.h-CEC_OP_REC_FLAG_-values-were-swapped.patch patches.suse/0001-media-ov6650-Fix-control-handler-not-freed-on-init-e.patch patches.suse/media-usbvision-Fix-races-among-open-close-and-disco.patch patches.suse/media-ti-vpe-vpe-Fix-Motion-Vector-vpdma-stride.patch @@ -51519,9 +51582,14 @@ patches.suse/net-wireless-ti-wl1251-use-new-SDIO_VENDOR_ID_TI_WL1.patch patches.suse/net-wireless-ti-remove-local-VENDOR_ID-and-DEVICE_ID.patch patches.suse/RDMA-bnxt_re-Enable-SRIOV-VF-support-on-Broadcom-s-5.patch + patches.suse/IB-mlx5-Remove-dead-code.patch + patches.suse/RDMA-hns-Fix-to-support-64K-page-for-srq.patch + patches.suse/RDMA-hns-Bugfix-for-qpc-cqc-timer-configuration.patch patches.suse/RDMA-bnxt_re-Fix-chip-number-validation-Broadcom-s-G.patch patches.suse/RDMA-bnxt_re-Fix-stat-push-into-dma-buffer-on-gen-p5-devices.patch patches.suse/RDMA-bnxt_re-Fix-missing-le16_to_cpu.patch + patches.suse/usb-gadget-pch_udc-fix-use-after-free.patch + patches.suse/usb-Allow-USB-device-to-be-warm-reset-in-suspended-s.patch patches.suse/0001-appledisplay-fix-error-handling-in-the-scheduled-wor.patch patches.suse/usbip-tools-fix-fd-leakage-in-the-function-of-read_a.patch patches.suse/0001-USB-chaoskey-fix-error-case-of-a-timeout.patch @@ -51532,7 +51600,11 @@ patches.suse/USB-serial-mos7840-fix-remote-wakeup.patch patches.suse/USB-serial-option-add-support-for-Foxconn-T77W968-LT.patch patches.suse/USB-serial-ftdi_sio-add-device-IDs-for-U-Blox-C099-F.patch + patches.suse/usb-gadget-u_serial-add-missing-port-entry-locking.patch patches.suse/usb-serial-cp201x-support-Mark-10-digital-force-gaug.patch + patches.suse/USB-uas-honor-flag-to-avoid-CAPACITY16.patch + patches.suse/USB-uas-heed-CAPACITY_HEURISTICS.patch + patches.suse/USB-documentation-flags-on-usb-storage-versus-UAS.patch patches.suse/mei-fix-modalias-documentation.patch patches.suse/mei-bus-prefix-device-names-on-bus-with-the-bus-name.patch patches.suse/ppdev-fix-PPGETTIME-PPSETTIME-ioctls.patch @@ -51578,6 +51650,8 @@ patches.suse/0006-drm-amdgpu-fix-bad-DMA-from-INTERRUPT_CNTL2.patch patches.suse/iomap-Fix-pipe-page-leakage-during-splicing.patch patches.suse/ext4-update-direct-I-O-read-lock-pattern-for-IOCB_NO.patch + patches.suse/ext4-add-more-paranoia-checking-in-ext4_expand_extra.patch + patches.suse/ext4-work-around-deleting-a-file-with-i_nlink-0-safe.patch patches.suse/CIFS-Fix-SMB2-oplock-break-processing.patch patches.suse/cifs-move-cifsFileInfo_put-logic-into-a-work-queue.patch patches.suse/powerpc-papr_scm-Fix-an-off-by-one-check-in-papr_scm.patch @@ -51588,8 +51662,10 @@ patches.suse/powerpc-pseries-safely-roll-back-failed-DLPAR-cpu-ad.patch patches.suse/powerpc-security-book3s64-Report-L1TF-status-in-sysf.patch patches.suse/powerpc-security-Fix-wrong-message-when-RFI-Flush-is.patch + patches.suse/powerpc-pseries-Drop-pointless-static-qualifier-in-v.patch patches.suse/powerpc-xive-Prevent-page-fault-issues-in-the-machin.patch patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch + patches.suse/powerpc-powernv-Disable-native-PCIe-port-management.patch patches.suse/compat_ioctl-handle-SIOCOUTQNSD.patch patches.suse/clk-samsung-exynos5420-Preserve-CPU-clocks-configura.patch patches.suse/clk-pxa-fix-one-of-the-pxa-RTC-clocks.patch @@ -51598,6 +51674,7 @@ patches.suse/platform-x86-hp-wmi-Fix-ACPI-errors-caused-by-too-sm.patch patches.suse/platform-x86-hp-wmi-Fix-ACPI-errors-caused-by-passin.patch patches.suse/libnvdimm-export-the-target_node-attribute-for-regions-and-namespaces.patch + patches.suse/Input-synaptics-switch-another-X1-Carbon-6-to-RMI-SM.patch patches.suse/tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch patches.suse/ocfs2-fix-passing-zero-to-PTR_ERR-warning.patch patches.suse/scsi-lpfc-Fix-pt2pt-discovery-on-SLI3-HBAs.patch @@ -51701,10 +51778,12 @@ patches.suse/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch patches.suse/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch patches.suse/ACPI-OSL-only-free-map-once-in-osl.c.patch + patches.suse/ACPI-bus-Fix-NULL-pointer-check-in-acpi_bus_get_priv.patch patches.suse/ACPI-sysfs-Change-ACPI_MASKABLE_GPE_MAX-to-0x100.patch patches.suse/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332 patches.suse/thermal-Fix-deadlock-in-thermal-thermal_zone_device_.patch patches.suse/moduleparam-fix-parameter-description-mismatch.patch + patches.suse/0001-xen-blkback-Avoid-unmapping-unmapped-grant-pages.patch patches.suse/0001-drm-msm-include-linux-sched-task.h.patch patches.suse/ALSA-hda-hdmi-fix-vgaswitcheroo-detection-for-AMD.patch patches.suse/ALSA-hda-hdmi-Add-new-pci-ids-for-AMD-GPU-display-au.patch @@ -51712,17 +51791,37 @@ patches.suse/ALSA-hda-realtek-Fix-inverted-bass-GPIO-pin-on-Acer-.patch patches.suse/ALSA-hda-fixup-for-the-bass-speaker-on-Lenovo-Carbon.patch patches.suse/ALSA-pcm-oss-Avoid-potential-buffer-overflows.patch + patches.suse/powerpc-Fix-vDSO-clock_getres.patch + patches.suse/powerpc-archrandom-fix-arch_get_random_seed_int.patch + patches.suse/Input-goodix-add-upside-down-quirk-for-Teclast-X89-t.patch + patches.suse/Input-synaptics-rmi4-don-t-increment-rmiaddr-for-SMB.patch + patches.suse/lpfc-size-cpu-map-by-last-cpu-id-set.patch patches.suse/scsi-qla2xxx-fix-rports-not-being-mark-as-lost-in-sy.patch patches.suse/scsi-qla2xxx-unregister-ports-after-GPN_FT-failure.patch patches.suse/scsi-qla2xxx-Fix-qla2x00_request_irqs-for-MSI.patch + patches.suse/can-slcan-Fix-use-after-free-Read-in-slcan_open.patch + patches.suse/net-sched-fix-dump-qlen-for-sch_mq-sch_mqprio-with-N.patch patches.suse/s390-qeth-guard-against-runt-packets patches.suse/s390-qeth-ensure-linear-access-to-packet-headers + patches.suse/mqprio-Fix-out-of-bounds-access-in-mqprio_dump.patch + patches.suse/net-mlx5e-Query-global-pause-state-before-setting-pr.patch + patches.suse/net-mlx5e-Fix-SFF-8472-eeprom-length.patch patches.suse/dma-buf-Fix-memory-leak-in-sync_file_merge.patch + patches.suse/drm-meson-venc-cvbs-fix-CVBS-mode-matching.patch patches.suse/ALSA-echoaudio-simplify-get_audio_levels.patch patches.suse/ALSA-oxfw-fix-return-value-in-error-path-of-isochron.patch patches.suse/ALSA-fireface-fix-return-value-in-error-path-of-isoc.patch patches.suse/ALSA-hda-hdmi-Fix-duplicate-unref-of-pci_dev.patch patches.suse/ALSA-hda-realtek-Line-out-jack-doesn-t-work-on-a-Del.patch + patches.suse/usb-core-urb-fix-URB-structure-initialization-functi.patch + patches.suse/usb-mon-Fix-a-deadlock-in-usbmon-between-mmap-and-re.patch + patches.suse/USB-serial-io_edgeport-fix-epic-endpoint-lookup.patch + patches.suse/USB-idmouse-fix-interface-sanity-checks.patch + patches.suse/USB-adutux-fix-interface-sanity-check.patch + patches.suse/usb-dwc3-ep0-Clear-started-flag-on-completion.patch + patches.suse/usb-xhci-only-set-D3hot-for-pci-device.patch + patches.suse/xhci-Increase-STS_HALT-timeout-in-xhci_suspend.patch + patches.suse/xhci-handle-some-XHCI_TRUST_TX_LENGTH-quirks-cases-a.patch patches.suse/scsi-qla2xxx-Correctly-retrieve-and-interpret-active.patch patches.suse/scsi-qla2xxx-Added-support-for-MPI-and-PEP-regions-f.patch patches.suse/scsi-qla2xxx-Fix-incorrect-SFUB-length-used-for-Secu.patch @@ -51739,6 +51838,28 @@ patches.suse/0011-scsi-qla2xxx-Don-t-defer-relogin-unconditonally.patch patches.suse/0012-scsi-qla2xxx-Ignore-PORT-UPDATE-after-N2N-PLOGI.patch patches.suse/0013-scsi-qla2xxx-Add-debug-dump-of-LOGO-payload-and-ELS-.patch + patches.suse/IB-mlx5-Fix-steering-rule-of-drop-and-count.patch + patches.suse/ALSA-pcm-Avoid-possible-info-leaks-from-PCM-stream-b.patch + patches.suse/ALSA-hda-ca0132-Keep-power-on-during-processing-DSP-.patch + patches.suse/ALSA-hda-ca0132-Avoid-endless-loop.patch + patches.suse/ALSA-hda-ca0132-Fix-work-handling-in-delayed-HP-dete.patch + patches.suse/ALSA-hda-Downgrade-error-message-for-single-cmd-fall.patch + patches.suse/ASoC-wm8962-fix-lambda-value.patch + patches.suse/usbip-Fix-receive-error-in-vhci-hcd-when-using-scatt.patch + patches.suse/usb-xhci-Fix-build-warning-seen-with-CONFIG_PM-n.patch + patches.suse/Revert-mmc-sdhci-Fix-incorrect-switch-to-HS-mode.patch + patches.suse/mmc-mediatek-fix-CMD_TA-to-2-for-MT8173-HS200-HS400-.patch + patches.suse/mmc-sdhci-of-esdhc-Revert-mmc-sdhci-of-esdhc-add-err.patch + patches.suse/mmc-sdhci-of-esdhc-fix-P2020-errata-handling.patch + patches.suse/platform-x86-hp-wmi-Make-buffer-for-HPWMI_FEATURE2_Q.patch + patches.suse/platform-x86-pmc_atom-Add-Siemens-CONNECT-X300-to-cr.patch + patches.suse/netfilter-nf_queue-enqueue-skbs-with-NULL-dst.patch + patches.suse/net-ibmvnic-Fix-typo-in-retry-check.patch + patches.suse/bonding-fix-active-backup-transition-after-link-fail.patch + patches.suse/ALSA-hda-realtek-Add-headset-Mic-no-shutup-for-ALC28.patch + patches.suse/ALSA-usb-audio-fix-set_format-altsetting-sanity-chec.patch + patches.suse/ALSA-hda-hdmi-fix-atpx_present-when-CLASS-is-not-VGA.patch + patches.suse/ALSA-ice1724-Fix-sleep-in-atomic-in-Infrasonic-Quart.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -51751,10 +51872,8 @@ patches.suse/firmware-arm_sdei-fix-wrong-of_node_put-in-init-function.patch patches.suse/net-mvpp2-fix-condition-for-setting-up-link-interrup.patch patches.suse/cifs-handle-netapp-error-codes.patch - patches.suse/lpfc-size-cpu-map-by-last-cpu-id-set.patch patches.suse/powerpc-add-link-stack-flush-mitigation-in-debugfs.patch patches.suse/powerpc-pseries-mobility-notify-network-peers-after-.patch - patches.suse/ibmvnic-Fix-typo-in-retry-check.patch ######################################################## # end of sorted patches @@ -51944,6 +52063,9 @@ # bsc#1159096 patches.suse/temp-disable-debug-pagealloc.patch + # bsc#1156286 + patches.suse/prevent-active-list-thrashing.patch + ######################################################## # misc small fixes ######################################################## @@ -51977,6 +52099,7 @@ patches.suse/v2-powerpc-Allow-flush_-inval_-dcache_range-to-work-across-ranges-4GB.patch patches.suse/Fix-build-error-in-drmem.c.patch patches.suse/powerpc-disable_fixed_phb_option.patch + patches.suse/powerpc-Add-pmem.h.patch ######################################################## @@ -52343,6 +52466,12 @@ patches.suse/apparmor-fix-quieting-of-audit-messages-for-network-mediation.patch patches.suse/apparmor-basic-networking-rules-4.11-rc1.patch + ########################################################## + # FIPS patches not (yet) upstream + ########################################################## + patches.suse/0008-random-move-FIPS-continuous-test-to-output-functions.patch + patches.suse/v5-0001-crypto-DRBG-add-FIPS-140-2-CTRNG-for-noise-source.patch + ######################################################## # Lock down functions for UEFI secure boot , FATE#314486 ######################################################### @@ -52445,6 +52574,7 @@ patches.kabi/media-em28xx-stop-rewriting-device-s-struct.patch patches.kabi/media-em28xx-fix-handler-for-vidioc_s_input.patch + patches.kabi/kABI-add-_q-suffix-to-exports-that-take-struct-dh.patch # KVM patches.suse/0001-kvm-Introduce-nopvspin-kernel-parameter.patch @@ -52458,6 +52588,7 @@ patches.kabi/kabi-fix-struct-ufs_reg-removal-of-unused-field patches.kabi/kABI-Fix-kABI-for-x86-pci-dma-code.patch + patches.kabi/NFSv4-Fix-OPEN-CLOSE-race.patch patches.kabi/net-sched-act_sample-fix-psample-group-handling-on-o.patch