diff --git a/blacklist.conf b/blacklist.conf index 05d5afe..0de3b5d 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -2700,3 +2700,6 @@ df6d4f9db79c1a5d6f48b59db35ccd1e9ff9adfc # 08529078d8d9 not present 9ef8690be13d8ae3130749fbcc0cc21e4e3f738c # adds logging 98d11291d189cb5adf49694d0ad1b971c0212697 # fix for 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address") 9d52727f8043cfda241ae96896628d92fa9c50bb # a refinement where to write errors, intrusive prerequisites +7ba6b09fda5e0cb741ee56f3264665e0edc64822 # hardware this is relevant for not supported in SLE12 +76e1ef1d81a4129d7e2fb8c48c83b166d1c8e040 # not a fix, too risky for an optimization +269777aa530f3438ec1781586cdac0b5fe47b061 # all builds in SLE12 are SMP, patc irrelevant diff --git a/patches.kabi/intel_pmc_ipc-restore-ability-to-call-functions-with.patch b/patches.kabi/intel_pmc_ipc-restore-ability-to-call-functions-with.patch new file mode 100644 index 0000000..fce7379 --- /dev/null +++ b/patches.kabi/intel_pmc_ipc-restore-ability-to-call-functions-with.patch @@ -0,0 +1,90 @@ +From d0aaed3d980915a32be512ae6adbd07144e87900 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 12 Apr 2023 16:04:37 +0200 +Subject: [PATCH] intel_pmc_ipc: restore ability to call functions with irq + enabled +Patch-mainline: Never (local fix,driver shifted to another framework) +References: git-fixes + +the most recent fix converted locking from a mutex +to a spinlock. It was used in such a way that the caller was +now responsible for switching off interrupts. + +Fixing this upstream is impossible as the driver has been converted +to the MFD framework upstream. +Hence we need a local fix restores the calling context in +the driver. + +Signed-off-by: Oliver Neukum +--- + drivers/platform/x86/intel_pmc_ipc.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/drivers/platform/x86/intel_pmc_ipc.c ++++ b/drivers/platform/x86/intel_pmc_ipc.c +@@ -226,18 +226,19 @@ static inline int is_gcr_valid(u32 offse + int intel_pmc_gcr_read(u32 offset, u32 *data) + { + int ret; ++ unsigned long flags; + +- spin_lock(&ipcdev.gcr_lock); ++ spin_lock_irqsave(&ipcdev.gcr_lock, flags); + + ret = is_gcr_valid(offset); + if (ret < 0) { +- spin_unlock(&ipcdev.gcr_lock); ++ spin_unlock_irqrestore(&ipcdev.gcr_lock, flags); + return ret; + } + + *data = readl(ipcdev.gcr_mem_base + offset); + +- spin_unlock(&ipcdev.gcr_lock); ++ spin_unlock_irqrestore(&ipcdev.gcr_lock, flags); + + return 0; + } +@@ -256,18 +257,19 @@ EXPORT_SYMBOL_GPL(intel_pmc_gcr_read); + int intel_pmc_gcr_write(u32 offset, u32 data) + { + int ret; ++ unsigned long flags; + +- spin_lock(&ipcdev.gcr_lock); ++ spin_lock_irqsave(&ipcdev.gcr_lock, flags); + + ret = is_gcr_valid(offset); + if (ret < 0) { +- spin_unlock(&ipcdev.gcr_lock); ++ spin_unlock_irqrestore(&ipcdev.gcr_lock, flags); + return ret; + } + + writel(data, ipcdev.gcr_mem_base + offset); + +- spin_unlock(&ipcdev.gcr_lock); ++ spin_unlock_irqrestore(&ipcdev.gcr_lock, flags); + + return 0; + } +@@ -288,8 +290,9 @@ int intel_pmc_gcr_update(u32 offset, u32 + { + u32 new_val; + int ret = 0; ++ unsigned long flags; + +- spin_lock(&ipcdev.gcr_lock); ++ spin_lock_irqsave(&ipcdev.gcr_lock, flags); + + ret = is_gcr_valid(offset); + if (ret < 0) +@@ -311,7 +314,7 @@ int intel_pmc_gcr_update(u32 offset, u32 + } + + gcr_ipc_unlock: +- spin_unlock(&ipcdev.gcr_lock); ++ spin_unlock_irqrestore(&ipcdev.gcr_lock, flags); + return ret; + } + EXPORT_SYMBOL_GPL(intel_pmc_gcr_update); diff --git a/patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch b/patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch new file mode 100644 index 0000000..3988918 --- /dev/null +++ b/patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch @@ -0,0 +1,38 @@ +From 1e9ac114c4428fdb7ff4635b45d4f46017e8916f Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Thu, 9 Mar 2023 16:07:39 +0800 +Subject: [PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work +Git-commit: 1e9ac114c4428fdb7ff4635b45d4f46017e8916f +Patch-mainline: v6.3-rc4 +References: CVE-2023-1989 bsc#1210336 + +In btsdio_probe, &data->work was bound with btsdio_work.In +btsdio_send_frame, it was started by schedule_work. + +If we call btsdio_remove with an unfinished job, there may +be a race condition and cause UAF bug on hdev. + +Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices") +Signed-off-by: Zheng Wang +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + drivers/bluetooth/btsdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c +index 795be33f2892..02893600db39 100644 +--- a/drivers/bluetooth/btsdio.c ++++ b/drivers/bluetooth/btsdio.c +@@ -354,6 +354,7 @@ static void btsdio_remove(struct sdio_func *func) + + BT_DBG("func %p", func); + ++ cancel_work_sync(&data->work); + if (!data) + return; + +-- +2.35.3 + diff --git a/patches.suse/net-usb-cdc_mbim-avoid-altsetting-toggling-for-Telit.patch b/patches.suse/net-usb-cdc_mbim-avoid-altsetting-toggling-for-Telit.patch index a1b439b..dd2f55c 100644 --- a/patches.suse/net-usb-cdc_mbim-avoid-altsetting-toggling-for-Telit.patch +++ b/patches.suse/net-usb-cdc_mbim-avoid-altsetting-toggling-for-Telit.patch @@ -3,6 +3,7 @@ From: Daniele Palmas Date: Thu, 2 Sep 2021 12:51:22 +0200 Subject: [PATCH] net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920 Git-commit: aabbdc67f3485b5db27ab4eba01e5fbf1ffea62c +Alt-commit: 418383e6ed6b4624a54ec05c535f13d184fbf33b References: git-fixes Patch-mainline: v5.15-rc1 diff --git a/patches.suse/net-usb-qmi_wwan-add-Telit-0x1080-composition.patch b/patches.suse/net-usb-qmi_wwan-add-Telit-0x1080-composition.patch new file mode 100644 index 0000000..dfb9a26 --- /dev/null +++ b/patches.suse/net-usb-qmi_wwan-add-Telit-0x1080-composition.patch @@ -0,0 +1,30 @@ +From 382e363d5bed0cec5807b35761d14e55955eee63 Mon Sep 17 00:00:00 2001 +From: Enrico Sau +Date: Mon, 6 Mar 2023 13:05:28 +0100 +Subject: [PATCH] net: usb: qmi_wwan: add Telit 0x1080 composition +Git-commit: 382e363d5bed0cec5807b35761d14e55955eee63 +References: git-fixes +Patch-mainline: v6.3-rc2 + +Add the following Telit FE990 composition: + +0x1080: tty, adb, rmnet, tty, tty, tty, tty + +Signed-off-by: Enrico Sau +Link: https://lore.kernel.org/r/20230306120528.198842-1-enrico.sau@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Oliver Neukum +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1312,6 +1312,7 @@ static const struct usb_device_id produc + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990 */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ diff --git a/patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch b/patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch new file mode 100644 index 0000000..f93e2d3 --- /dev/null +++ b/patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch @@ -0,0 +1,71 @@ +From 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Mon, 13 Mar 2023 00:08:37 +0800 +Subject: [PATCH] nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition +Git-commit: 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 +Patch-mainline: v6.3-rc3 +References: git-fixes bsc#1210337 CVE-2023-1990 + +This bug influences both st_nci_i2c_remove and st_nci_spi_remove. +Take st_nci_i2c_remove as an example. + +In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work +with llt_ndlc_sm_work. + +When it calls ndlc_recv or timeout handler, it will finally call +schedule_work to start the work. + +When we call st_nci_i2c_remove to remove the driver, there +may be a sequence as follows: + +Fix it by finishing the work before cleanup in ndlc_remove + +CPU0 CPU1 + + |llt_ndlc_sm_work +st_nci_i2c_remove | + ndlc_remove | + st_nci_remove | + nci_free_device| + kfree(ndev) | +//free ndlc->ndev | + |llt_ndlc_rcv_queue + |nci_recv_frame + |//use ndlc->ndev + +Fixes: 35630df68d60 ("NFC: st21nfcb: Add driver for STMicroelectronics ST21NFCB NFC chip") +Signed-off-by: Zheng Wang +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230312160837.2040857-1-zyytlz.wz@163.com +Signed-off-by: Jakub Kicinski +Acked-by: Takashi Iwai +Acked-by: Chester Lin +--- + drivers/nfc/st-nci/ndlc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nfc/st-nci/ndlc.c b/drivers/nfc/st-nci/ndlc.c +index 755460a73c0d..d2aa9f766738 100644 +--- a/drivers/nfc/st-nci/ndlc.c ++++ b/drivers/nfc/st-nci/ndlc.c +@@ -282,13 +282,15 @@ EXPORT_SYMBOL(ndlc_probe); + + void ndlc_remove(struct llt_ndlc *ndlc) + { +- st_nci_remove(ndlc->ndev); +- + /* cancel timers */ + del_timer_sync(&ndlc->t1_timer); + del_timer_sync(&ndlc->t2_timer); + ndlc->t2_active = false; + ndlc->t1_active = false; ++ /* cancel work */ ++ cancel_work_sync(&ndlc->sm_work); ++ ++ st_nci_remove(ndlc->ndev); + + skb_queue_purge(&ndlc->rcv_q); + skb_queue_purge(&ndlc->send_q); +-- +2.35.3 + diff --git a/patches.suse/platform-x86-intel_pmc_ipc-Use-devm_-calls-in-driver.patch b/patches.suse/platform-x86-intel_pmc_ipc-Use-devm_-calls-in-driver.patch new file mode 100644 index 0000000..c6e4de3 --- /dev/null +++ b/patches.suse/platform-x86-intel_pmc_ipc-Use-devm_-calls-in-driver.patch @@ -0,0 +1,199 @@ +From 83beee5c88a6c71ded70e2eef5ca7406a02605cc Mon Sep 17 00:00:00 2001 +From: Kuppuswamy Sathyanarayanan +Date: Mon, 4 Sep 2017 22:37:21 -0700 +Subject: [PATCH] platform/x86: intel_pmc_ipc: Use devm_* calls in driver probe + function +Git-commit: 83beee5c88a6c71ded70e2eef5ca7406a02605cc +References: git-fixes +Patch-mainline: v4.14-rc7 + +This patch cleans up unnecessary free/alloc calls in ipc_plat_probe(), +ipc_pci_probe() and ipc_plat_get_res() functions by using devm_* +calls. + +This patch also adds proper error handling for failure cases in +ipc_pci_probe() function. + +Signed-off-by: Kuppuswamy Sathyanarayanan +[andy: fixed style issues, missed devm_free_irq(), removed unnecessary log message] +Signed-off-by: Andy Shevchenko +Signed-off-by: Oliver Neukum +--- + drivers/platform/x86/intel_pmc_ipc.c | 94 +++++++++------------------- + 1 file changed, 28 insertions(+), 66 deletions(-) + +diff --git a/drivers/platform/x86/intel_pmc_ipc.c b/drivers/platform/x86/intel_pmc_ipc.c +index bb792a52248b..751b1212d01c 100644 +--- a/drivers/platform/x86/intel_pmc_ipc.c ++++ b/drivers/platform/x86/intel_pmc_ipc.c +@@ -480,52 +480,39 @@ static irqreturn_t ioc(int irq, void *dev_id) + + static int ipc_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { +- resource_size_t pci_resource; ++ struct intel_pmc_ipc_dev *pmc = &ipcdev; + int ret; +- int len; + +- ipcdev.dev = &pci_dev_get(pdev)->dev; +- ipcdev.irq_mode = IPC_TRIGGER_MODE_IRQ; ++ /* Only one PMC is supported */ ++ if (pmc->dev) ++ return -EBUSY; + +- ret = pci_enable_device(pdev); ++ pmc->irq_mode = IPC_TRIGGER_MODE_IRQ; ++ ++ ret = pcim_enable_device(pdev); + if (ret) + return ret; + +- ret = pci_request_regions(pdev, "intel_pmc_ipc"); ++ ret = pcim_iomap_regions(pdev, 1 << 0, pci_name(pdev)); + if (ret) + return ret; + +- pci_resource = pci_resource_start(pdev, 0); +- len = pci_resource_len(pdev, 0); +- if (!pci_resource || !len) { +- dev_err(&pdev->dev, "Failed to get resource\n"); +- return -ENOMEM; +- } ++ init_completion(&pmc->cmd_complete); + +- init_completion(&ipcdev.cmd_complete); ++ pmc->ipc_base = pcim_iomap_table(pdev)[0]; + +- if (request_irq(pdev->irq, ioc, 0, "intel_pmc_ipc", &ipcdev)) { ++ ret = devm_request_irq(&pdev->dev, pdev->irq, ioc, 0, "intel_pmc_ipc", ++ pmc); ++ if (ret) { + dev_err(&pdev->dev, "Failed to request irq\n"); +- return -EBUSY; ++ return ret; + } + +- ipcdev.ipc_base = ioremap_nocache(pci_resource, len); +- if (!ipcdev.ipc_base) { +- dev_err(&pdev->dev, "Failed to ioremap ipc base\n"); +- free_irq(pdev->irq, &ipcdev); +- ret = -ENOMEM; +- } ++ pmc->dev = &pdev->dev; + +- return ret; +-} ++ pci_set_drvdata(pdev, pmc); + +-static void ipc_pci_remove(struct pci_dev *pdev) +-{ +- free_irq(pdev->irq, &ipcdev); +- pci_release_regions(pdev); +- pci_dev_put(pdev); +- iounmap(ipcdev.ipc_base); +- ipcdev.dev = NULL; ++ return 0; + } + + static const struct pci_device_id ipc_pci_ids[] = { +@@ -540,7 +527,6 @@ static struct pci_driver ipc_pci_driver = { + .name = "intel_pmc_ipc", + .id_table = ipc_pci_ids, + .probe = ipc_pci_probe, +- .remove = ipc_pci_remove, + }; + + static ssize_t intel_pmc_ipc_simple_cmd_store(struct device *dev, +@@ -850,17 +836,12 @@ static int ipc_plat_get_res(struct platform_device *pdev) + return -ENXIO; + } + size = PLAT_RESOURCE_IPC_SIZE + PLAT_RESOURCE_GCR_SIZE; ++ res->end = res->start + size - 1; ++ ++ addr = devm_ioremap_resource(&pdev->dev, res); ++ if (IS_ERR(addr)) ++ return PTR_ERR(addr); + +- if (!request_mem_region(res->start, size, pdev->name)) { +- dev_err(&pdev->dev, "Failed to request ipc resource\n"); +- return -EBUSY; +- } +- addr = ioremap_nocache(res->start, size); +- if (!addr) { +- dev_err(&pdev->dev, "I/O memory remapping failed\n"); +- release_mem_region(res->start, size); +- return -ENOMEM; +- } + ipcdev.ipc_base = addr; + + ipcdev.gcr_mem_base = addr + PLAT_RESOURCE_GCR_OFFSET; +@@ -917,7 +898,6 @@ MODULE_DEVICE_TABLE(acpi, ipc_acpi_ids); + + static int ipc_plat_probe(struct platform_device *pdev) + { +- struct resource *res; + int ret; + + ipcdev.dev = &pdev->dev; +@@ -939,11 +919,11 @@ static int ipc_plat_probe(struct platform_device *pdev) + ret = ipc_create_pmc_devices(); + if (ret) { + dev_err(&pdev->dev, "Failed to create pmc devices\n"); +- goto err_device; ++ return ret; + } + +- if (request_irq(ipcdev.irq, ioc, IRQF_NO_SUSPEND, +- "intel_pmc_ipc", &ipcdev)) { ++ if (devm_request_irq(&pdev->dev, ipcdev.irq, ioc, IRQF_NO_SUSPEND, ++ "intel_pmc_ipc", &ipcdev)) { + dev_err(&pdev->dev, "Failed to request irq\n"); + ret = -EBUSY; + goto err_irq; +@@ -960,40 +940,22 @@ static int ipc_plat_probe(struct platform_device *pdev) + + return 0; + err_sys: +- free_irq(ipcdev.irq, &ipcdev); ++ devm_free_irq(&pdev->dev, ipcdev.irq, &ipcdev); + err_irq: + platform_device_unregister(ipcdev.tco_dev); + platform_device_unregister(ipcdev.punit_dev); + platform_device_unregister(ipcdev.telemetry_dev); +-err_device: +- iounmap(ipcdev.ipc_base); +- res = platform_get_resource(pdev, IORESOURCE_MEM, +- PLAT_RESOURCE_IPC_INDEX); +- if (res) { +- release_mem_region(res->start, +- PLAT_RESOURCE_IPC_SIZE + +- PLAT_RESOURCE_GCR_SIZE); +- } ++ + return ret; + } + + static int ipc_plat_remove(struct platform_device *pdev) + { +- struct resource *res; +- + sysfs_remove_group(&pdev->dev.kobj, &intel_ipc_group); +- free_irq(ipcdev.irq, &ipcdev); ++ devm_free_irq(&pdev->dev, ipcdev.irq, &ipcdev); + platform_device_unregister(ipcdev.tco_dev); + platform_device_unregister(ipcdev.punit_dev); + platform_device_unregister(ipcdev.telemetry_dev); +- iounmap(ipcdev.ipc_base); +- res = platform_get_resource(pdev, IORESOURCE_MEM, +- PLAT_RESOURCE_IPC_INDEX); +- if (res) { +- release_mem_region(res->start, +- PLAT_RESOURCE_IPC_SIZE + +- PLAT_RESOURCE_GCR_SIZE); +- } + ipcdev.dev = NULL; + return 0; + } +-- +2.40.0 + diff --git a/patches.suse/platform-x86-intel_pmc_ipc-Use-spin_lock-to-protect-.patch b/patches.suse/platform-x86-intel_pmc_ipc-Use-spin_lock-to-protect-.patch new file mode 100644 index 0000000..36dfb3a --- /dev/null +++ b/patches.suse/platform-x86-intel_pmc_ipc-Use-spin_lock-to-protect-.patch @@ -0,0 +1,125 @@ +From 6687aeb9cd3d40904d1f9e884d2145603c23adfa Mon Sep 17 00:00:00 2001 +From: Kuppuswamy Sathyanarayanan +Date: Sat, 7 Oct 2017 15:19:51 -0700 +Subject: [PATCH] platform/x86: intel_pmc_ipc: Use spin_lock to protect GCR + updates +Git-commit: 6687aeb9cd3d40904d1f9e884d2145603c23adfa +Alt-commit: e3075fd6f80c9a6ce678fa2f5bbdb2824c506c6c +References: git-fixes +Patch-mainline: v4.14-rc7 + +Currently, update_no_reboot_bit() function implemented in this driver +uses mutex_lock() to protect its register updates. But this function is +called with in atomic context in iTCO_wdt_start() and iTCO_wdt_stop() +functions in iTCO_wdt.c driver, which in turn causes "sleeping into +atomic context" issue. This patch fixes this issue by replacing the +mutex_lock() with spin_lock() to protect the GCR read/write/update APIs. + +Fixes: 9d855d4 ("platform/x86: intel_pmc_ipc: Fix iTCO_wdt GCS memory mapping failure") +Signed-off-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Andy Shevchenko +Signed-off-by: Oliver Neukum +--- + drivers/platform/x86/intel_pmc_ipc.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/drivers/platform/x86/intel_pmc_ipc.c b/drivers/platform/x86/intel_pmc_ipc.c +index 751b1212d01c..e03fa31446ca 100644 +--- a/drivers/platform/x86/intel_pmc_ipc.c ++++ b/drivers/platform/x86/intel_pmc_ipc.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + + #include + +@@ -131,6 +132,7 @@ static struct intel_pmc_ipc_dev { + /* gcr */ + void __iomem *gcr_mem_base; + bool has_gcr_regs; ++ spinlock_t gcr_lock; + + /* punit */ + struct platform_device *punit_dev; +@@ -225,17 +227,17 @@ int intel_pmc_gcr_read(u32 offset, u32 *data) + { + int ret; + +- mutex_lock(&ipclock); ++ spin_lock(&ipcdev.gcr_lock); + + ret = is_gcr_valid(offset); + if (ret < 0) { +- mutex_unlock(&ipclock); ++ spin_unlock(&ipcdev.gcr_lock); + return ret; + } + + *data = readl(ipcdev.gcr_mem_base + offset); + +- mutex_unlock(&ipclock); ++ spin_unlock(&ipcdev.gcr_lock); + + return 0; + } +@@ -255,17 +257,17 @@ int intel_pmc_gcr_write(u32 offset, u32 data) + { + int ret; + +- mutex_lock(&ipclock); ++ spin_lock(&ipcdev.gcr_lock); + + ret = is_gcr_valid(offset); + if (ret < 0) { +- mutex_unlock(&ipclock); ++ spin_unlock(&ipcdev.gcr_lock); + return ret; + } + + writel(data, ipcdev.gcr_mem_base + offset); + +- mutex_unlock(&ipclock); ++ spin_unlock(&ipcdev.gcr_lock); + + return 0; + } +@@ -287,7 +289,7 @@ int intel_pmc_gcr_update(u32 offset, u32 mask, u32 val) + u32 new_val; + int ret = 0; + +- mutex_lock(&ipclock); ++ spin_lock(&ipcdev.gcr_lock); + + ret = is_gcr_valid(offset); + if (ret < 0) +@@ -309,7 +311,7 @@ int intel_pmc_gcr_update(u32 offset, u32 mask, u32 val) + } + + gcr_ipc_unlock: +- mutex_unlock(&ipclock); ++ spin_unlock(&ipcdev.gcr_lock); + return ret; + } + EXPORT_SYMBOL_GPL(intel_pmc_gcr_update); +@@ -489,6 +491,8 @@ static int ipc_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + + pmc->irq_mode = IPC_TRIGGER_MODE_IRQ; + ++ spin_lock_init(&ipcdev.gcr_lock); ++ + ret = pcim_enable_device(pdev); + if (ret) + return ret; +@@ -903,6 +907,7 @@ static int ipc_plat_probe(struct platform_device *pdev) + ipcdev.dev = &pdev->dev; + ipcdev.irq_mode = IPC_TRIGGER_MODE_IRQ; + init_completion(&ipcdev.cmd_complete); ++ spin_lock_init(&ipcdev.gcr_lock); + + ipcdev.irq = platform_get_irq(pdev, 0); + if (ipcdev.irq < 0) { +-- +2.40.0 + diff --git a/patches.suse/s390-percpu-add-READ_ONCE-to-arch_this_cpu_to_op_sim.patch b/patches.suse/s390-percpu-add-READ_ONCE-to-arch_this_cpu_to_op_sim.patch new file mode 100644 index 0000000..2076bb0 --- /dev/null +++ b/patches.suse/s390-percpu-add-READ_ONCE-to-arch_this_cpu_to_op_sim.patch @@ -0,0 +1,31 @@ +From e3f360db08d55a14112bd27454e616a24296a8b0 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 9 Jan 2023 11:51:20 +0100 +Subject: [PATCH] s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple() +Git-commit: e3f360db08d55a14112bd27454e616a24296a8b0 +References: git-fixes +Patch-mainline: v6.2-rc4 + +Make sure that *ptr__ within arch_this_cpu_to_op_simple() is only +dereferenced once by using READ_ONCE(). Otherwise the compiler could +generate incorrect code. + +Cc: +Reviewed-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Signed-off-by: Oliver Neukum +--- + arch/s390/include/asm/percpu.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/include/asm/percpu.h ++++ b/arch/s390/include/asm/percpu.h +@@ -30,7 +30,7 @@ + pcp_op_T__ *ptr__; \ + preempt_disable(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ +- prev__ = *ptr__; \ ++ prev__ = READ_ONCE(*ptr__); \ + do { \ + old__ = prev__; \ + new__ = old__ op (val); \ diff --git a/patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch b/patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch new file mode 100644 index 0000000..2e6053f --- /dev/null +++ b/patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch @@ -0,0 +1,86 @@ +From 4bf584a03eec674975ee9fe36c8583d9d470dab1 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Tue, 8 Jun 2021 18:56:56 +0800 +Subject: [PATCH] usb: dwc3: core: fix kernel panic when do reboot +Git-commit: 4bf584a03eec674975ee9fe36c8583d9d470dab1 +References: git-fixes +Patch-mainline: v5.13-rc7 + +When do system reboot, it calls dwc3_shutdown and the whole debugfs +for dwc3 has removed first, when the gadget tries to do deinit, and +remove debugfs for its endpoints, it meets NULL pointer dereference +issue when call debugfs_lookup. Fix it by removing the whole dwc3 +debugfs later than dwc3_drd_exit. + +[ 2924.958838] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000002 +.... +[ 2925.030994] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--) +[ 2925.037005] pc : inode_permission+0x2c/0x198 +[ 2925.041281] lr : lookup_one_len_common+0xb0/0xf8 +[ 2925.045903] sp : ffff80001276ba70 +[ 2925.049218] x29: ffff80001276ba70 x28: ffff0000c01f0000 x27: 0000000000000000 +[ 2925.056364] x26: ffff800011791e70 x25: 0000000000000008 x24: dead000000000100 +[ 2925.063510] x23: dead000000000122 x22: 0000000000000000 x21: 0000000000000001 +[ 2925.070652] x20: ffff8000122c6188 x19: 0000000000000000 x18: 0000000000000000 +[ 2925.077797] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000004 +[ 2925.084943] x14: ffffffffffffffff x13: 0000000000000000 x12: 0000000000000030 +[ 2925.092087] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f x9 : ffff8000102b2420 +[ 2925.099232] x8 : 7f7f7f7f7f7f7f7f x7 : feff73746e2f6f64 x6 : 0000000000008080 +[ 2925.106378] x5 : 61c8864680b583eb x4 : 209e6ec2d263dbb7 x3 : 000074756f307065 +[ 2925.113523] x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff8000122c6188 +[ 2925.120671] Call trace: +[ 2925.123119] inode_permission+0x2c/0x198 +[ 2925.127042] lookup_one_len_common+0xb0/0xf8 +[ 2925.131315] lookup_one_len_unlocked+0x34/0xb0 +[ 2925.135764] lookup_positive_unlocked+0x14/0x50 +[ 2925.140296] debugfs_lookup+0x68/0xa0 +[ 2925.143964] dwc3_gadget_free_endpoints+0x84/0xb0 +[ 2925.148675] dwc3_gadget_exit+0x28/0x78 +[ 2925.152518] dwc3_drd_exit+0x100/0x1f8 +[ 2925.156267] dwc3_remove+0x11c/0x120 +[ 2925.159851] dwc3_shutdown+0x14/0x20 +[ 2925.163432] platform_shutdown+0x28/0x38 +[ 2925.167360] device_shutdown+0x15c/0x378 +[ 2925.171291] kernel_restart_prepare+0x3c/0x48 +[ 2925.175650] kernel_restart+0x1c/0x68 +[ 2925.179316] __do_sys_reboot+0x218/0x240 +[ 2925.183247] __arm64_sys_reboot+0x28/0x30 +[ 2925.187262] invoke_syscall+0x48/0x100 +[ 2925.191017] el0_svc_common.constprop.0+0x48/0xc8 +[ 2925.195726] do_el0_svc+0x28/0x88 +[ 2925.199045] el0_svc+0x20/0x30 +[ 2925.202104] el0_sync_handler+0xa8/0xb0 +[ 2925.205942] el0_sync+0x148/0x180 +[ 2925.209270] Code: a9025bf5 2a0203f5 121f0056 370802b5 (79400660) +[ 2925.215372] ---[ end trace 124254d8e485a58b ]--- +[ 2925.220012] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b +[ 2925.227676] Kernel Offset: disabled +[ 2925.231164] CPU features: 0x00001001,20000846 +[ 2925.235521] Memory Limit: none +[ 2925.238580] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]--- + +Fixes: 8d396bb0a5b6 ("usb: dwc3: debugfs: Add and remove endpoint dirs dynamically") +Cc: Jack Pham +Tested-by: Jack Pham +Signed-off-by: Peter Chen +Link: https://lore.kernel.org/r/20210608105656.10795-1-peter.chen@kernel.org +(cherry picked from commit 2a042767814bd0edf2619f06fecd374e266ea068) +Link: https://lore.kernel.org/r/20210615080847.GA10432@jackp-linux.qualcomm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/dwc3/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1333,8 +1333,8 @@ static int dwc3_remove(struct platform_d + */ + res->start -= DWC3_GLOBALS_REGS_START; + +- dwc3_debugfs_exit(dwc); + dwc3_core_exit_mode(dwc); ++ dwc3_debugfs_exit(dwc); + + dwc3_core_exit(dwc); + dwc3_ulpi_exit(dwc); diff --git a/patches.suse/usb-host-ohci-pxa27x-Fix-and-vs-typo.patch b/patches.suse/usb-host-ohci-pxa27x-Fix-and-vs-typo.patch new file mode 100644 index 0000000..b1c1559 --- /dev/null +++ b/patches.suse/usb-host-ohci-pxa27x-Fix-and-vs-typo.patch @@ -0,0 +1,38 @@ +From 0709831a50d31b3caf2237e8d7fe89e15b0d919d Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 17 Aug 2019 09:55:20 +0300 +Subject: [PATCH] usb: host: ohci-pxa27x: Fix and & vs | typo +Git-commit: 0709831a50d31b3caf2237e8d7fe89e15b0d919d +References: git-fixes +Patch-mainline: v5.4-rc1 + +The code is supposed to clear the RH_A_NPS and RH_A_PSM bits, but it's +a no-op because of the & vs | typo. This bug predates git and it was +only discovered using static analysis so it must not affect too many +people in real life. + +Signed-off-by: Dan Carpenter +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20190817065520.GA29951@mwanda +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/ohci-pxa27x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/ohci-pxa27x.c b/drivers/usb/host/ohci-pxa27x.c +index 3e2474959735..7679fb583e41 100644 +--- a/drivers/usb/host/ohci-pxa27x.c ++++ b/drivers/usb/host/ohci-pxa27x.c +@@ -148,7 +148,7 @@ static int pxa27x_ohci_select_pmm(struct pxa27x_ohci *pxa_ohci, int mode) + uhcrhda |= RH_A_NPS; + break; + case PMM_GLOBAL_MODE: +- uhcrhda &= ~(RH_A_NPS & RH_A_PSM); ++ uhcrhda &= ~(RH_A_NPS | RH_A_PSM); + break; + case PMM_PERPORT_MODE: + uhcrhda &= ~(RH_A_NPS); +-- +2.40.0 + diff --git a/patches.suse/usb-ohci-platform-Fix-a-warning-when-hibernating.patch b/patches.suse/usb-ohci-platform-Fix-a-warning-when-hibernating.patch new file mode 100644 index 0000000..e778c54 --- /dev/null +++ b/patches.suse/usb-ohci-platform-Fix-a-warning-when-hibernating.patch @@ -0,0 +1,101 @@ +From 1cb3b0095c3d0bb96912bfbbce4fc006d41f367c Mon Sep 17 00:00:00 2001 +From: Qais Yousef +Date: Mon, 18 May 2020 16:49:29 +0100 +Subject: [PATCH] usb/ohci-platform: Fix a warning when hibernating +Git-commit: 1cb3b0095c3d0bb96912bfbbce4fc006d41f367c +References: git-fixes +Patch-mainline: v5.8-rc1 + +The following warning was observed when attempting to suspend to disk +using a USB flash as a swap device. + +[ 111.779649] ------------[ cut here ]------------ +[ 111.788382] URB (____ptrval____) submitted while active +[ 111.796646] WARNING: CPU: 3 PID: 365 at drivers/usb/core/urb.c:363 usb_submit_urb+0x3d8/0x590 +[ 111.805417] Modules linked in: +[ 111.808584] CPU: 3 PID: 365 Comm: kworker/3:2 Not tainted 5.6.0-rc6-00002-gdfd1731f9a3e-dirty #545 +[ 111.817796] Hardware name: ARM Juno development board (r2) (DT) +[ 111.823896] Workqueue: usb_hub_wq hub_event +[ 111.828217] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 111.833156] pc : usb_submit_urb+0x3d8/0x590 +[ 111.837471] lr : usb_submit_urb+0x3d8/0x590 +[ 111.841783] sp : ffff800018de38b0 +[ 111.845205] x29: ffff800018de38b0 x28: 0000000000000003 +[ 111.850682] x27: ffff000970530b20 x26: ffff8000133fd000 +[ 111.856159] x25: ffff8000133fd000 x24: ffff800018de3b38 +[ 111.861635] x23: 0000000000000004 x22: 0000000000000c00 +[ 111.867112] x21: 0000000000000000 x20: 00000000fffffff0 +[ 111.872589] x19: ffff0009704e7a00 x18: ffffffffffffffff +[ 111.878065] x17: 00000000a7c8f4bc x16: 000000002af33de8 +[ 111.883542] x15: ffff8000133fda88 x14: 0720072007200720 +[ 111.889019] x13: 0720072007200720 x12: 0720072007200720 +[ 111.894496] x11: 0000000000000000 x10: 00000000a5286134 +[ 111.899973] x9 : 0000000000000002 x8 : ffff000970c837a0 +[ 111.905449] x7 : 0000000000000000 x6 : ffff800018de3570 +[ 111.910926] x5 : 0000000000000001 x4 : 0000000000000003 +[ 111.916401] x3 : 0000000000000000 x2 : ffff800013427118 +[ 111.921879] x1 : 9d4e965b4b7d7c00 x0 : 0000000000000000 +[ 111.927356] Call trace: +[ 111.929892] usb_submit_urb+0x3d8/0x590 +[ 111.933852] hub_activate+0x108/0x7f0 +[ 111.937633] hub_resume+0xac/0x148 +[ 111.941149] usb_resume_interface.isra.10+0x60/0x138 +[ 111.946265] usb_resume_both+0xe4/0x140 +[ 111.950225] usb_runtime_resume+0x24/0x30 +[ 111.954365] __rpm_callback+0xdc/0x138 +[ 111.958236] rpm_callback+0x34/0x98 +[ 111.961841] rpm_resume+0x4a8/0x720 +[ 111.965445] rpm_resume+0x50c/0x720 +[ 111.969049] __pm_runtime_resume+0x4c/0xb8 +[ 111.973276] usb_autopm_get_interface+0x28/0x60 +[ 111.977948] hub_event+0x80/0x16d8 +[ 111.981466] process_one_work+0x2a4/0x748 +[ 111.985604] worker_thread+0x48/0x498 +[ 111.989387] kthread+0x13c/0x140 +[ 111.992725] ret_from_fork+0x10/0x18 +[ 111.996415] irq event stamp: 354 +[ 111.999756] hardirqs last enabled at (353): [] console_unlock+0x504/0x5b8 +[ 112.008441] hardirqs last disabled at (354): [] do_debug_exception+0x1a8/0x258 +[ 112.017479] softirqs last enabled at (350): [] __do_softirq+0x4bc/0x568 +[ 112.025984] softirqs last disabled at (343): [] irq_exit+0x144/0x150 +[ 112.034129] ---[ end trace dc96030b9cf6c8a3 ]--- + +The problem was tracked down to a missing call to +pm_runtime_set_active() on resume in ohci-platform. + +Link: https://lore.kernel.org/lkml/20200323143857.db5zphxhq4hz3hmd@e107158-lin.cambridge.arm.com/ +Acked-by: Alan Stern +Signed-off-by: Qais Yousef +CC: Tony Prisk +CC: Greg Kroah-Hartman +CC: Mathias Nyman +CC: Oliver Neukum +CC: linux-arm-kernel@lists.infradead.org +CC: linux-usb@vger.kernel.org +CC: linux-kernel@vger.kernel.org +Link: https://lore.kernel.org/r/20200518154931.6144-1-qais.yousef@arm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/host/ohci-platform.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/host/ohci-platform.c b/drivers/usb/host/ohci-platform.c +index 7addfc2cbadc..4a8456f12a73 100644 +--- a/drivers/usb/host/ohci-platform.c ++++ b/drivers/usb/host/ohci-platform.c +@@ -299,6 +299,11 @@ static int ohci_platform_resume(struct device *dev) + } + + ohci_resume(hcd, false); ++ ++ pm_runtime_disable(dev); ++ pm_runtime_set_active(dev); ++ pm_runtime_enable(dev); ++ + return 0; + } + #endif /* CONFIG_PM_SLEEP */ +-- +2.40.0 + diff --git a/series.conf b/series.conf index b4ab068..03a6555 100644 --- a/series.conf +++ b/series.conf @@ -11595,6 +11595,8 @@ patches.suse/staging-bcm2835-audio-Fix-memory-corruption patches.suse/pinctrl-amd-fix-masking-of-GPIO-interrupts.patch patches.suse/workqueue-replace-pool-manager_arb-mutex-with-a-flag.patch + patches.suse/platform-x86-intel_pmc_ipc-Use-devm_-calls-in-driver.patch + patches.suse/platform-x86-intel_pmc_ipc-Use-spin_lock-to-protect-.patch patches.suse/KVM-PPC-Fix-oops-when-checking-KVM_CAP_PPC_HTM.patch patches.suse/KVM-PPC-Book3S-HV-POWER9-more-doorbell-fixes.patch patches.suse/KVM-PPC-Book3S-Protect-kvmppc_gpa_to_ua-with-SRCU.patch @@ -52493,6 +52495,7 @@ patches.suse/KVM-x86-set-ctxt-have_exception-in-x86_decode_insn.patch patches.suse/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op patches.suse/usb-host-xhci-hub-fix-extra-endianness-conversion.patch + patches.suse/usb-host-ohci-pxa27x-Fix-and-vs-typo.patch patches.suse/usb-dwc3-don-t-set-gadget-is_otg-flag.patch patches.suse/usb-xhci-dbc-Simplify-error-handling-in-xhci_dbc_all.patch patches.suse/usb-xhci-dbc-Use-GFP_KERNEL-instead-of-GFP_ATOMIC-in.patch @@ -56854,6 +56857,7 @@ patches.suse/0007-PCI-vmd-Filter-resource-type-bits-from-shadow-regist.patch patches.suse/usblp-poison-URBs-upon-disconnect.patch patches.suse/USB-EHCI-ehci-mv-fix-error-handling-in-mv_ehci_probe.patch + patches.suse/usb-ohci-platform-Fix-a-warning-when-hibernating.patch patches.suse/USB-EHCI-ehci-mv-fix-less-than-zero-comparison-of-an.patch patches.suse/USB-host-ehci-mxc-Add-error-handling-in-ehci_mxc_drv.patch patches.suse/phy-samsung-s5pv210-usb2-Add-delay-after-reset.patch @@ -60725,6 +60729,7 @@ patches.suse/dmaengine-stedma40-add-missing-iounmap-on-error-in-d.patch patches.suse/mm-thp-unmap_mapping_page-to-fix-THP-truncate_cleanu.patch patches.suse/kvm-svm-call-sev-guest-decommission-if-asid-binding-fails.patch + patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch patches.suse/tracing-Do-no-increment-trace_clock_global-by-one.patch patches.suse/PCI-Mark-TI-C667X-to-avoid-bus-reset.patch patches.suse/PCI-Mark-some-NVIDIA-GPUs-to-avoid-bus-reset.patch @@ -63093,6 +63098,7 @@ patches.suse/usb-rndis_host-Secure-rndis_query-check-against-int-.patch patches.suse/SUNRPC-ensure-the-matching-upcall-is-in-flight-upon-.patch patches.suse/pNFS-filelayout-Fix-coalescing-test-for-single-DS.patch + patches.suse/s390-percpu-add-READ_ONCE-to-arch_this_cpu_to_op_sim.patch patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch patches.suse/ipv6-raw-Deduct-extension-header-length-in-rawv6_pus.patch patches.suse/arm64-cmpxchg_double-hazard-against-entire-exchange-variable.patch @@ -63155,9 +63161,11 @@ patches.suse/powerpc-rtas-ensure-4KB-alignment-for-rtas_data_buf.patch patches.suse/media-platform-ti-Add-missing-check-for-devm_regulat.patch patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch + patches.suse/net-usb-qmi_wwan-add-Telit-0x1080-composition.patch patches.suse/SUNRPC-Fix-a-server-shutdown-leak.patch patches.suse/scsi-qla2xxx-Add-option-to-disable-FC2-Target-suppor.patch patches.suse/ftrace-Fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch + patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch patches.suse/net-usb-smsc75xx-Limit-packet-length-to-skb-len.patch patches.suse/net-usb-smsc75xx-Move-packet-length-check-to-prevent.patch patches.suse/ring-buffer-remove-obsolete-comment-for-free_buffer_page.patch @@ -63165,6 +63173,7 @@ patches.suse/scsi-qla2xxx-Synchronize-the-IOCB-count-to-be-in-ord.patch patches.suse/net-usb-smsc95xx-Limit-packet-length-to-skb-len.patch patches.suse/net-usb-lan78xx-Limit-packet-length-to-skb-len.patch + patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch patches.suse/s390-vfio-ap-fix-memory-leak-in-vfio_ap-device-drive.patch patches.suse/NFSv4-Fix-hangs-when-recovering-open-state-after-a-s.patch patches.suse/ring-buffer-Fix-race-while-reader-and-writer-are-on-the-same-page.patch @@ -64206,6 +64215,7 @@ patches.kabi/SUNRPC-Fix-priority-queue-fairness.patch patches.kabi/NFS-Pass-error-information-to-the-pgio-error-cleanup.patch patches.kabi/PCI-endpoint-Fix-for-concurrent-memory-allocation-in.patch + patches.kabi/intel_pmc_ipc-restore-ability-to-call-functions-with.patch ######################################################## # You'd better have a good reason for adding a patch